xref: /freebsd/sys/contrib/openzfs/module/icp/algs/modes/modes.c (revision 43e29d03f416d7dda52112a29600a7c82ee1a91e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or https://opensource.org/licenses/CDDL-1.0.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/zfs_context.h>
27 #include <modes/modes.h>
28 #include <sys/crypto/common.h>
29 #include <sys/crypto/impl.h>
30 
31 /*
32  * Initialize by setting iov_or_mp to point to the current iovec or mp,
33  * and by setting current_offset to an offset within the current iovec or mp.
34  */
35 void
36 crypto_init_ptrs(crypto_data_t *out, void **iov_or_mp, offset_t *current_offset)
37 {
38 	offset_t offset;
39 
40 	switch (out->cd_format) {
41 	case CRYPTO_DATA_RAW:
42 		*current_offset = out->cd_offset;
43 		break;
44 
45 	case CRYPTO_DATA_UIO: {
46 		zfs_uio_t *uiop = out->cd_uio;
47 		uint_t vec_idx;
48 
49 		offset = out->cd_offset;
50 		offset = zfs_uio_index_at_offset(uiop, offset, &vec_idx);
51 
52 		*current_offset = offset;
53 		*iov_or_mp = (void *)(uintptr_t)vec_idx;
54 		break;
55 	}
56 	} /* end switch */
57 }
58 
59 /*
60  * Get pointers for where in the output to copy a block of encrypted or
61  * decrypted data.  The iov_or_mp argument stores a pointer to the current
62  * iovec or mp, and offset stores an offset into the current iovec or mp.
63  */
64 void
65 crypto_get_ptrs(crypto_data_t *out, void **iov_or_mp, offset_t *current_offset,
66     uint8_t **out_data_1, size_t *out_data_1_len, uint8_t **out_data_2,
67     size_t amt)
68 {
69 	offset_t offset;
70 
71 	switch (out->cd_format) {
72 	case CRYPTO_DATA_RAW: {
73 		iovec_t *iov;
74 
75 		offset = *current_offset;
76 		iov = &out->cd_raw;
77 		if ((offset + amt) <= iov->iov_len) {
78 			/* one block fits */
79 			*out_data_1 = (uint8_t *)iov->iov_base + offset;
80 			*out_data_1_len = amt;
81 			*out_data_2 = NULL;
82 			*current_offset = offset + amt;
83 		}
84 		break;
85 	}
86 
87 	case CRYPTO_DATA_UIO: {
88 		zfs_uio_t *uio = out->cd_uio;
89 		offset_t offset;
90 		uint_t vec_idx;
91 		uint8_t *p;
92 		uint64_t iov_len;
93 		void *iov_base;
94 
95 		offset = *current_offset;
96 		vec_idx = (uintptr_t)(*iov_or_mp);
97 		zfs_uio_iov_at_index(uio, vec_idx, &iov_base, &iov_len);
98 		p = (uint8_t *)iov_base + offset;
99 		*out_data_1 = p;
100 
101 		if (offset + amt <= iov_len) {
102 			/* can fit one block into this iov */
103 			*out_data_1_len = amt;
104 			*out_data_2 = NULL;
105 			*current_offset = offset + amt;
106 		} else {
107 			/* one block spans two iovecs */
108 			*out_data_1_len = iov_len - offset;
109 			if (vec_idx == zfs_uio_iovcnt(uio)) {
110 				*out_data_2 = NULL;
111 				return;
112 			}
113 			vec_idx++;
114 			zfs_uio_iov_at_index(uio, vec_idx, &iov_base, &iov_len);
115 			*out_data_2 = (uint8_t *)iov_base;
116 			*current_offset = amt - *out_data_1_len;
117 		}
118 		*iov_or_mp = (void *)(uintptr_t)vec_idx;
119 		break;
120 	}
121 	} /* end switch */
122 }
123 
124 void
125 crypto_free_mode_ctx(void *ctx)
126 {
127 	common_ctx_t *common_ctx = (common_ctx_t *)ctx;
128 
129 	switch (common_ctx->cc_flags &
130 	    (ECB_MODE|CBC_MODE|CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) {
131 	case ECB_MODE:
132 		kmem_free(common_ctx, sizeof (ecb_ctx_t));
133 		break;
134 
135 	case CBC_MODE:
136 		kmem_free(common_ctx, sizeof (cbc_ctx_t));
137 		break;
138 
139 	case CTR_MODE:
140 		kmem_free(common_ctx, sizeof (ctr_ctx_t));
141 		break;
142 
143 	case CCM_MODE:
144 		if (((ccm_ctx_t *)ctx)->ccm_pt_buf != NULL)
145 			vmem_free(((ccm_ctx_t *)ctx)->ccm_pt_buf,
146 			    ((ccm_ctx_t *)ctx)->ccm_data_len);
147 
148 		kmem_free(ctx, sizeof (ccm_ctx_t));
149 		break;
150 
151 	case GCM_MODE:
152 	case GMAC_MODE:
153 		gcm_clear_ctx((gcm_ctx_t *)ctx);
154 		kmem_free(ctx, sizeof (gcm_ctx_t));
155 	}
156 }
157 
158 static void *
159 explicit_memset(void *s, int c, size_t n)
160 {
161 	memset(s, c, n);
162 	__asm__ __volatile__("" :: "r"(s) : "memory");
163 	return (s);
164 }
165 
166 /*
167  * Clear sensitive data in the context and free allocated memory.
168  *
169  * ctx->gcm_remainder may contain a plaintext remainder. ctx->gcm_H and
170  * ctx->gcm_Htable contain the hash sub key which protects authentication.
171  * ctx->gcm_pt_buf contains the plaintext result of decryption.
172  *
173  * Although extremely unlikely, ctx->gcm_J0 and ctx->gcm_tmp could be used for
174  * a known plaintext attack, they consist of the IV and the first and last
175  * counter respectively. If they should be cleared is debatable.
176  */
177 void
178 gcm_clear_ctx(gcm_ctx_t *ctx)
179 {
180 	explicit_memset(ctx->gcm_remainder, 0, sizeof (ctx->gcm_remainder));
181 	explicit_memset(ctx->gcm_H, 0, sizeof (ctx->gcm_H));
182 #if defined(CAN_USE_GCM_ASM)
183 	if (ctx->gcm_use_avx == B_TRUE) {
184 		ASSERT3P(ctx->gcm_Htable, !=, NULL);
185 		memset(ctx->gcm_Htable, 0, ctx->gcm_htab_len);
186 		kmem_free(ctx->gcm_Htable, ctx->gcm_htab_len);
187 	}
188 #endif
189 	if (ctx->gcm_pt_buf != NULL) {
190 		memset(ctx->gcm_pt_buf, 0, ctx->gcm_pt_buf_len);
191 		vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len);
192 	}
193 	/* Optional */
194 	explicit_memset(ctx->gcm_J0, 0, sizeof (ctx->gcm_J0));
195 	explicit_memset(ctx->gcm_tmp, 0, sizeof (ctx->gcm_tmp));
196 }
197