xref: /freebsd/sys/contrib/openzfs/module/icp/include/modes/modes.h (revision b2d2a78ad80ec68d4a17f5aef97d21686cb1e29b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or https://opensource.org/licenses/CDDL-1.0.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_COMMON_CRYPTO_MODES_H
27 #define	_COMMON_CRYPTO_MODES_H
28 
29 #ifdef	__cplusplus
30 extern "C" {
31 #endif
32 
33 #include <sys/zfs_context.h>
34 #include <sys/crypto/common.h>
35 #include <sys/crypto/impl.h>
36 
37 /*
38  * Does the build chain support all instructions needed for the GCM assembler
39  * routines. AVX support should imply AES-NI and PCLMULQDQ, but make sure
40  * anyhow.
41  */
42 #if defined(__x86_64__) && defined(HAVE_AVX) && \
43     defined(HAVE_AES) && defined(HAVE_PCLMULQDQ)
44 #define	CAN_USE_GCM_ASM
45 extern boolean_t gcm_avx_can_use_movbe;
46 #endif
47 
48 #define	CCM_MODE			0x00000010
49 #define	GCM_MODE			0x00000020
50 
51 /*
52  * cc_keysched:		Pointer to key schedule.
53  *
54  * cc_keysched_len:	Length of the key schedule.
55  *
56  * cc_remainder:	This is for residual data, i.e. data that can't
57  *			be processed because there are too few bytes.
58  *			Must wait until more data arrives.
59  *
60  * cc_remainder_len:	Number of bytes in cc_remainder.
61  *
62  * cc_iv:		Scratch buffer that sometimes contains the IV.
63  *
64  * cc_lastp:		Pointer to previous block of ciphertext.
65  *
66  * cc_copy_to:		Pointer to where encrypted residual data needs
67  *			to be copied.
68  *
69  * cc_flags:		PROVIDER_OWNS_KEY_SCHEDULE
70  *			When a context is freed, it is necessary
71  *			to know whether the key schedule was allocated
72  *			by the caller, or internally, e.g. an init routine.
73  *			If allocated by the latter, then it needs to be freed.
74  *
75  *			CCM_MODE
76  */
77 struct common_ctx {
78 	void *cc_keysched;
79 	size_t cc_keysched_len;
80 	uint64_t cc_iv[2];
81 	uint64_t cc_remainder[2];
82 	size_t cc_remainder_len;
83 	uint8_t *cc_lastp;
84 	uint8_t *cc_copy_to;
85 	uint32_t cc_flags;
86 };
87 
88 typedef struct common_ctx common_ctx_t;
89 
90 /*
91  *
92  * ccm_mac_len:		Stores length of the MAC in CCM mode.
93  * ccm_mac_buf:		Stores the intermediate value for MAC in CCM encrypt.
94  *			In CCM decrypt, stores the input MAC value.
95  * ccm_data_len:	Length of the plaintext for CCM mode encrypt, or
96  *			length of the ciphertext for CCM mode decrypt.
97  * ccm_processed_data_len:
98  *			Length of processed plaintext in CCM mode encrypt,
99  *			or length of processed ciphertext for CCM mode decrypt.
100  * ccm_processed_mac_len:
101  *			Length of MAC data accumulated in CCM mode decrypt.
102  *
103  * ccm_pt_buf:		Only used in CCM mode decrypt.  It stores the
104  *			decrypted plaintext to be returned when
105  *			MAC verification succeeds in decrypt_final.
106  *			Memory for this should be allocated in the AES module.
107  *
108  */
109 typedef struct ccm_ctx {
110 	struct common_ctx ccm_common;
111 	uint32_t ccm_tmp[4];
112 	size_t ccm_mac_len;
113 	uint64_t ccm_mac_buf[2];
114 	size_t ccm_data_len;
115 	size_t ccm_processed_data_len;
116 	size_t ccm_processed_mac_len;
117 	uint8_t *ccm_pt_buf;
118 	uint64_t ccm_mac_input_buf[2];
119 	uint64_t ccm_counter_mask;
120 } ccm_ctx_t;
121 
122 #define	ccm_keysched		ccm_common.cc_keysched
123 #define	ccm_keysched_len	ccm_common.cc_keysched_len
124 #define	ccm_cb			ccm_common.cc_iv
125 #define	ccm_remainder		ccm_common.cc_remainder
126 #define	ccm_remainder_len	ccm_common.cc_remainder_len
127 #define	ccm_lastp		ccm_common.cc_lastp
128 #define	ccm_copy_to		ccm_common.cc_copy_to
129 #define	ccm_flags		ccm_common.cc_flags
130 
131 /*
132  * gcm_tag_len:		Length of authentication tag.
133  *
134  * gcm_ghash:		Stores output from the GHASH function.
135  *
136  * gcm_processed_data_len:
137  *			Length of processed plaintext (encrypt) or
138  *			length of processed ciphertext (decrypt).
139  *
140  * gcm_pt_buf:		Stores the decrypted plaintext returned by
141  *			decrypt_final when the computed authentication
142  *			tag matches the	user supplied tag.
143  *
144  * gcm_pt_buf_len:	Length of the plaintext buffer.
145  *
146  * gcm_H:		Subkey.
147  *
148  * gcm_Htable:		Pre-computed and pre-shifted H, H^2, ... H^6 for the
149  *			Karatsuba Algorithm in host byte order.
150  *
151  * gcm_J0:		Pre-counter block generated from the IV.
152  *
153  * gcm_len_a_len_c:	64-bit representations of the bit lengths of
154  *			AAD and ciphertext.
155  */
156 typedef struct gcm_ctx {
157 	struct common_ctx gcm_common;
158 	size_t gcm_tag_len;
159 	size_t gcm_processed_data_len;
160 	size_t gcm_pt_buf_len;
161 	uint32_t gcm_tmp[4];
162 	/*
163 	 * The offset of gcm_Htable relative to gcm_ghash, (32), is hard coded
164 	 * in aesni-gcm-x86_64.S, so please don't change (or adjust there).
165 	 */
166 	uint64_t gcm_ghash[2];
167 	uint64_t gcm_H[2];
168 #ifdef CAN_USE_GCM_ASM
169 	uint64_t *gcm_Htable;
170 	size_t gcm_htab_len;
171 #endif
172 	uint64_t gcm_J0[2];
173 	uint64_t gcm_len_a_len_c[2];
174 	uint8_t *gcm_pt_buf;
175 #ifdef CAN_USE_GCM_ASM
176 	boolean_t gcm_use_avx;
177 #endif
178 } gcm_ctx_t;
179 
180 #define	gcm_keysched		gcm_common.cc_keysched
181 #define	gcm_keysched_len	gcm_common.cc_keysched_len
182 #define	gcm_cb			gcm_common.cc_iv
183 #define	gcm_remainder		gcm_common.cc_remainder
184 #define	gcm_remainder_len	gcm_common.cc_remainder_len
185 #define	gcm_lastp		gcm_common.cc_lastp
186 #define	gcm_copy_to		gcm_common.cc_copy_to
187 #define	gcm_flags		gcm_common.cc_flags
188 
189 void gcm_clear_ctx(gcm_ctx_t *ctx);
190 
191 typedef struct aes_ctx {
192 	union {
193 		ccm_ctx_t acu_ccm;
194 		gcm_ctx_t acu_gcm;
195 	} acu;
196 } aes_ctx_t;
197 
198 #define	ac_flags		acu.acu_ccm.ccm_common.cc_flags
199 #define	ac_remainder_len	acu.acu_ccm.ccm_common.cc_remainder_len
200 #define	ac_keysched		acu.acu_ccm.ccm_common.cc_keysched
201 #define	ac_keysched_len		acu.acu_ccm.ccm_common.cc_keysched_len
202 #define	ac_iv			acu.acu_ccm.ccm_common.cc_iv
203 #define	ac_lastp		acu.acu_ccm.ccm_common.cc_lastp
204 #define	ac_pt_buf		acu.acu_ccm.ccm_pt_buf
205 #define	ac_mac_len		acu.acu_ccm.ccm_mac_len
206 #define	ac_data_len		acu.acu_ccm.ccm_data_len
207 #define	ac_processed_mac_len	acu.acu_ccm.ccm_processed_mac_len
208 #define	ac_processed_data_len	acu.acu_ccm.ccm_processed_data_len
209 #define	ac_tag_len		acu.acu_gcm.gcm_tag_len
210 
211 extern int ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
212     crypto_data_t *, size_t,
213     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
214     void (*copy_block)(uint8_t *, uint8_t *),
215     void (*xor_block)(uint8_t *, uint8_t *));
216 
217 extern int ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
218     crypto_data_t *, size_t,
219     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
220     void (*copy_block)(uint8_t *, uint8_t *),
221     void (*xor_block)(uint8_t *, uint8_t *));
222 
223 extern int gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
224     crypto_data_t *, size_t,
225     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
226     void (*copy_block)(uint8_t *, uint8_t *),
227     void (*xor_block)(uint8_t *, uint8_t *));
228 
229 extern int gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
230     crypto_data_t *, size_t,
231     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
232     void (*copy_block)(uint8_t *, uint8_t *),
233     void (*xor_block)(uint8_t *, uint8_t *));
234 
235 int ccm_encrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
236     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
237     void (*xor_block)(uint8_t *, uint8_t *));
238 
239 int gcm_encrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
240     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
241     void (*copy_block)(uint8_t *, uint8_t *),
242     void (*xor_block)(uint8_t *, uint8_t *));
243 
244 extern int ccm_decrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
245     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
246     void (*copy_block)(uint8_t *, uint8_t *),
247     void (*xor_block)(uint8_t *, uint8_t *));
248 
249 extern int gcm_decrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
250     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
251     void (*xor_block)(uint8_t *, uint8_t *));
252 
253 extern int ccm_init_ctx(ccm_ctx_t *, char *, int, boolean_t, size_t,
254     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
255     void (*xor_block)(uint8_t *, uint8_t *));
256 
257 extern int gcm_init_ctx(gcm_ctx_t *, char *, size_t,
258     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
259     void (*copy_block)(uint8_t *, uint8_t *),
260     void (*xor_block)(uint8_t *, uint8_t *));
261 
262 extern void calculate_ccm_mac(ccm_ctx_t *, uint8_t *,
263     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *));
264 
265 extern void gcm_mul(uint64_t *, uint64_t *, uint64_t *);
266 
267 extern void crypto_init_ptrs(crypto_data_t *, void **, offset_t *);
268 extern void crypto_get_ptrs(crypto_data_t *, void **, offset_t *,
269     uint8_t **, size_t *, uint8_t **, size_t);
270 
271 extern void *ccm_alloc_ctx(int);
272 extern void *gcm_alloc_ctx(int);
273 extern void crypto_free_mode_ctx(void *);
274 
275 #ifdef	__cplusplus
276 }
277 #endif
278 
279 #endif	/* _COMMON_CRYPTO_MODES_H */
280