xref: /freebsd/sys/dev/cxgbe/crypto/t4_keyctx.c (revision 9e5787d2284e187abb5b654d924394a65772e004)
1 /*-
2  * Copyright (c) 2017-2019 Chelsio Communications, Inc.
3  * All rights reserved.
4  * Written by: John Baldwin <jhb@FreeBSD.org>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/types.h>
32 #include <sys/malloc.h>
33 
34 #include <opencrypto/cryptodev.h>
35 #include <opencrypto/xform.h>
36 
37 #include "common/common.h"
38 #include "crypto/t4_crypto.h"
39 
40 /*
41  * Crypto operations use a key context to store cipher keys and
42  * partial hash digests.  They can either be passed inline as part of
43  * a work request using crypto or they can be stored in card RAM.  For
44  * the latter case, work requests must replace the inline key context
45  * with a request to read the context from card RAM.
46  *
47  * The format of a key context:
48  *
49  * +-------------------------------+
50  * | key context header            |
51  * +-------------------------------+
52  * | AES key                       |  ----- For requests with AES
53  * +-------------------------------+
54  * | Hash state                    |  ----- For hash-only requests
55  * +-------------------------------+ -
56  * | IPAD (16-byte aligned)        |  \
57  * +-------------------------------+  +---- For requests with HMAC
58  * | OPAD (16-byte aligned)        |  /
59  * +-------------------------------+ -
60  * | GMAC H                        |  ----- For AES-GCM
61  * +-------------------------------+ -
62  */
63 
64 /*
65  * Generate the initial GMAC hash state for a AES-GCM key.
66  *
67  * Borrowed from AES_GMAC_Setkey().
68  */
69 void
70 t4_init_gmac_hash(const char *key, int klen, char *ghash)
71 {
72 	static char zeroes[GMAC_BLOCK_LEN];
73 	uint32_t keysched[4 * (RIJNDAEL_MAXNR + 1)];
74 	int rounds;
75 
76 	rounds = rijndaelKeySetupEnc(keysched, key, klen * 8);
77 	rijndaelEncrypt(keysched, rounds, zeroes, ghash);
78 	explicit_bzero(keysched, sizeof(keysched));
79 }
80 
81 /* Copy out the partial hash state from a software hash implementation. */
82 void
83 t4_copy_partial_hash(int alg, union authctx *auth_ctx, void *dst)
84 {
85 	uint32_t *u32;
86 	uint64_t *u64;
87 	u_int i;
88 
89 	u32 = (uint32_t *)dst;
90 	u64 = (uint64_t *)dst;
91 	switch (alg) {
92 	case CRYPTO_SHA1:
93 	case CRYPTO_SHA1_HMAC:
94 		for (i = 0; i < SHA1_HASH_LEN / 4; i++)
95 			u32[i] = htobe32(auth_ctx->sha1ctx.h.b32[i]);
96 		break;
97 	case CRYPTO_SHA2_224:
98 	case CRYPTO_SHA2_224_HMAC:
99 		for (i = 0; i < SHA2_256_HASH_LEN / 4; i++)
100 			u32[i] = htobe32(auth_ctx->sha224ctx.state[i]);
101 		break;
102 	case CRYPTO_SHA2_256:
103 	case CRYPTO_SHA2_256_HMAC:
104 		for (i = 0; i < SHA2_256_HASH_LEN / 4; i++)
105 			u32[i] = htobe32(auth_ctx->sha256ctx.state[i]);
106 		break;
107 	case CRYPTO_SHA2_384:
108 	case CRYPTO_SHA2_384_HMAC:
109 		for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
110 			u64[i] = htobe64(auth_ctx->sha384ctx.state[i]);
111 		break;
112 	case CRYPTO_SHA2_512:
113 	case CRYPTO_SHA2_512_HMAC:
114 		for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
115 			u64[i] = htobe64(auth_ctx->sha512ctx.state[i]);
116 		break;
117 	}
118 }
119 
120 void
121 t4_init_hmac_digest(struct auth_hash *axf, u_int partial_digest_len,
122     const char *key, int klen, char *dst)
123 {
124 	union authctx auth_ctx;
125 
126 	hmac_init_ipad(axf, key, klen, &auth_ctx);
127 	t4_copy_partial_hash(axf->type, &auth_ctx, dst);
128 
129 	dst += roundup2(partial_digest_len, 16);
130 
131 	hmac_init_opad(axf, key, klen, &auth_ctx);
132 	t4_copy_partial_hash(axf->type, &auth_ctx, dst);
133 
134 	explicit_bzero(&auth_ctx, sizeof(auth_ctx));
135 }
136 
137 /*
138  * Borrowed from cesa_prep_aes_key().
139  *
140  * NB: The crypto engine wants the words in the decryption key in reverse
141  * order.
142  */
143 void
144 t4_aes_getdeckey(void *dec_key, const void *enc_key, unsigned int kbits)
145 {
146 	uint32_t ek[4 * (RIJNDAEL_MAXNR + 1)];
147 	uint32_t *dkey;
148 	int i;
149 
150 	rijndaelKeySetupEnc(ek, enc_key, kbits);
151 	dkey = dec_key;
152 	dkey += (kbits / 8) / 4;
153 
154 	switch (kbits) {
155 	case 128:
156 		for (i = 0; i < 4; i++)
157 			*--dkey = htobe32(ek[4 * 10 + i]);
158 		break;
159 	case 192:
160 		for (i = 0; i < 2; i++)
161 			*--dkey = htobe32(ek[4 * 11 + 2 + i]);
162 		for (i = 0; i < 4; i++)
163 			*--dkey = htobe32(ek[4 * 12 + i]);
164 		break;
165 	case 256:
166 		for (i = 0; i < 4; i++)
167 			*--dkey = htobe32(ek[4 * 13 + i]);
168 		for (i = 0; i < 4; i++)
169 			*--dkey = htobe32(ek[4 * 14 + i]);
170 		break;
171 	}
172 	MPASS(dkey == dec_key);
173 	explicit_bzero(ek, sizeof(ek));
174 }
175