4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #ifndef _COMMON_CRYPTO_MODES_H
27 #define _COMMON_CRYPTO_MODES_H
33 #include <sys/zfs_context.h>
34 #include <sys/crypto/common.h>
35 #include <sys/crypto/impl.h>
38 * Does the build chain support all instructions needed for the GCM assembler
39 * routines. AVX support should imply AES-NI and PCLMULQDQ, but make sure
42 #if defined(__x86_64__) && defined(HAVE_AVX) && \
43 defined(HAVE_AES) && defined(HAVE_PCLMULQDQ)
44 #define CAN_USE_GCM_ASM
45 extern boolean_t gcm_avx_can_use_movbe;
48 #define ECB_MODE 0x00000002
49 #define CBC_MODE 0x00000004
50 #define CTR_MODE 0x00000008
51 #define CCM_MODE 0x00000010
52 #define GCM_MODE 0x00000020
53 #define GMAC_MODE 0x00000040
56 * cc_keysched: Pointer to key schedule.
58 * cc_keysched_len: Length of the key schedule.
60 * cc_remainder: This is for residual data, i.e. data that can't
61 * be processed because there are too few bytes.
62 * Must wait until more data arrives.
64 * cc_remainder_len: Number of bytes in cc_remainder.
66 * cc_iv: Scratch buffer that sometimes contains the IV.
68 * cc_lastp: Pointer to previous block of ciphertext.
70 * cc_copy_to: Pointer to where encrypted residual data needs
73 * cc_flags: PROVIDER_OWNS_KEY_SCHEDULE
74 * When a context is freed, it is necessary
75 * to know whether the key schedule was allocated
76 * by the caller, or internally, e.g. an init routine.
77 * If allocated by the latter, then it needs to be freed.
79 * ECB_MODE, CBC_MODE, CTR_MODE, or CCM_MODE
83 size_t cc_keysched_len;
85 uint64_t cc_remainder[2];
86 size_t cc_remainder_len;
92 typedef struct common_ctx common_ctx_t;
94 typedef struct ecb_ctx {
95 struct common_ctx ecb_common;
96 uint64_t ecb_lastblock[2];
99 #define ecb_keysched ecb_common.cc_keysched
100 #define ecb_keysched_len ecb_common.cc_keysched_len
101 #define ecb_iv ecb_common.cc_iv
102 #define ecb_remainder ecb_common.cc_remainder
103 #define ecb_remainder_len ecb_common.cc_remainder_len
104 #define ecb_lastp ecb_common.cc_lastp
105 #define ecb_copy_to ecb_common.cc_copy_to
106 #define ecb_flags ecb_common.cc_flags
108 typedef struct cbc_ctx {
109 struct common_ctx cbc_common;
110 uint64_t cbc_lastblock[2];
113 #define cbc_keysched cbc_common.cc_keysched
114 #define cbc_keysched_len cbc_common.cc_keysched_len
115 #define cbc_iv cbc_common.cc_iv
116 #define cbc_remainder cbc_common.cc_remainder
117 #define cbc_remainder_len cbc_common.cc_remainder_len
118 #define cbc_lastp cbc_common.cc_lastp
119 #define cbc_copy_to cbc_common.cc_copy_to
120 #define cbc_flags cbc_common.cc_flags
123 * ctr_lower_mask Bit-mask for lower 8 bytes of counter block.
124 * ctr_upper_mask Bit-mask for upper 8 bytes of counter block.
126 typedef struct ctr_ctx {
127 struct common_ctx ctr_common;
128 uint64_t ctr_lower_mask;
129 uint64_t ctr_upper_mask;
134 * ctr_cb Counter block.
136 #define ctr_keysched ctr_common.cc_keysched
137 #define ctr_keysched_len ctr_common.cc_keysched_len
138 #define ctr_cb ctr_common.cc_iv
139 #define ctr_remainder ctr_common.cc_remainder
140 #define ctr_remainder_len ctr_common.cc_remainder_len
141 #define ctr_lastp ctr_common.cc_lastp
142 #define ctr_copy_to ctr_common.cc_copy_to
143 #define ctr_flags ctr_common.cc_flags
147 * ccm_mac_len: Stores length of the MAC in CCM mode.
148 * ccm_mac_buf: Stores the intermediate value for MAC in CCM encrypt.
149 * In CCM decrypt, stores the input MAC value.
150 * ccm_data_len: Length of the plaintext for CCM mode encrypt, or
151 * length of the ciphertext for CCM mode decrypt.
152 * ccm_processed_data_len:
153 * Length of processed plaintext in CCM mode encrypt,
154 * or length of processed ciphertext for CCM mode decrypt.
155 * ccm_processed_mac_len:
156 * Length of MAC data accumulated in CCM mode decrypt.
158 * ccm_pt_buf: Only used in CCM mode decrypt. It stores the
159 * decrypted plaintext to be returned when
160 * MAC verification succeeds in decrypt_final.
161 * Memory for this should be allocated in the AES module.
164 typedef struct ccm_ctx {
165 struct common_ctx ccm_common;
168 uint64_t ccm_mac_buf[2];
170 size_t ccm_processed_data_len;
171 size_t ccm_processed_mac_len;
173 uint64_t ccm_mac_input_buf[2];
174 uint64_t ccm_counter_mask;
177 #define ccm_keysched ccm_common.cc_keysched
178 #define ccm_keysched_len ccm_common.cc_keysched_len
179 #define ccm_cb ccm_common.cc_iv
180 #define ccm_remainder ccm_common.cc_remainder
181 #define ccm_remainder_len ccm_common.cc_remainder_len
182 #define ccm_lastp ccm_common.cc_lastp
183 #define ccm_copy_to ccm_common.cc_copy_to
184 #define ccm_flags ccm_common.cc_flags
187 * gcm_tag_len: Length of authentication tag.
189 * gcm_ghash: Stores output from the GHASH function.
191 * gcm_processed_data_len:
192 * Length of processed plaintext (encrypt) or
193 * length of processed ciphertext (decrypt).
195 * gcm_pt_buf: Stores the decrypted plaintext returned by
196 * decrypt_final when the computed authentication
197 * tag matches the user supplied tag.
199 * gcm_pt_buf_len: Length of the plaintext buffer.
203 * gcm_Htable: Pre-computed and pre-shifted H, H^2, ... H^6 for the
204 * Karatsuba Algorithm in host byte order.
206 * gcm_J0: Pre-counter block generated from the IV.
208 * gcm_len_a_len_c: 64-bit representations of the bit lengths of
209 * AAD and ciphertext.
211 * gcm_kmflag: Current value of kmflag. Used for allocating
212 * the plaintext buffer during decryption and a
213 * gcm_avx_chunk_size'd buffer for avx enabled encryption.
215 typedef struct gcm_ctx {
216 struct common_ctx gcm_common;
218 size_t gcm_processed_data_len;
219 size_t gcm_pt_buf_len;
222 * The relative positions of gcm_ghash, gcm_H and pre-computed
223 * gcm_Htable are hard coded in aesni-gcm-x86_64.S and ghash-x86_64.S,
224 * so please don't change (or adjust accordingly).
226 uint64_t gcm_ghash[2];
228 #ifdef CAN_USE_GCM_ASM
229 uint64_t gcm_Htable[12][2];
232 uint64_t gcm_len_a_len_c[2];
235 #ifdef CAN_USE_GCM_ASM
236 boolean_t gcm_use_avx;
240 #define gcm_keysched gcm_common.cc_keysched
241 #define gcm_keysched_len gcm_common.cc_keysched_len
242 #define gcm_cb gcm_common.cc_iv
243 #define gcm_remainder gcm_common.cc_remainder
244 #define gcm_remainder_len gcm_common.cc_remainder_len
245 #define gcm_lastp gcm_common.cc_lastp
246 #define gcm_copy_to gcm_common.cc_copy_to
247 #define gcm_flags gcm_common.cc_flags
249 #define AES_GMAC_IV_LEN 12
250 #define AES_GMAC_TAG_BITS 128
252 typedef struct aes_ctx {
262 #define ac_flags acu.acu_ecb.ecb_common.cc_flags
263 #define ac_remainder_len acu.acu_ecb.ecb_common.cc_remainder_len
264 #define ac_keysched acu.acu_ecb.ecb_common.cc_keysched
265 #define ac_keysched_len acu.acu_ecb.ecb_common.cc_keysched_len
266 #define ac_iv acu.acu_ecb.ecb_common.cc_iv
267 #define ac_lastp acu.acu_ecb.ecb_common.cc_lastp
268 #define ac_pt_buf acu.acu_ccm.ccm_pt_buf
269 #define ac_mac_len acu.acu_ccm.ccm_mac_len
270 #define ac_data_len acu.acu_ccm.ccm_data_len
271 #define ac_processed_mac_len acu.acu_ccm.ccm_processed_mac_len
272 #define ac_processed_data_len acu.acu_ccm.ccm_processed_data_len
273 #define ac_tag_len acu.acu_gcm.gcm_tag_len
275 typedef struct blowfish_ctx {
282 #define bc_flags bcu.bcu_ecb.ecb_common.cc_flags
283 #define bc_remainder_len bcu.bcu_ecb.ecb_common.cc_remainder_len
284 #define bc_keysched bcu.bcu_ecb.ecb_common.cc_keysched
285 #define bc_keysched_len bcu.bcu_ecb.ecb_common.cc_keysched_len
286 #define bc_iv bcu.bcu_ecb.ecb_common.cc_iv
287 #define bc_lastp bcu.bcu_ecb.ecb_common.cc_lastp
289 typedef struct des_ctx {
296 #define dc_flags dcu.dcu_ecb.ecb_common.cc_flags
297 #define dc_remainder_len dcu.dcu_ecb.ecb_common.cc_remainder_len
298 #define dc_keysched dcu.dcu_ecb.ecb_common.cc_keysched
299 #define dc_keysched_len dcu.dcu_ecb.ecb_common.cc_keysched_len
300 #define dc_iv dcu.dcu_ecb.ecb_common.cc_iv
301 #define dc_lastp dcu.dcu_ecb.ecb_common.cc_lastp
303 extern int ecb_cipher_contiguous_blocks(ecb_ctx_t *, char *, size_t,
304 crypto_data_t *, size_t, int (*cipher)(const void *, const uint8_t *,
307 extern int cbc_encrypt_contiguous_blocks(cbc_ctx_t *, char *, size_t,
308 crypto_data_t *, size_t,
309 int (*encrypt)(const void *, const uint8_t *, uint8_t *),
310 void (*copy_block)(uint8_t *, uint8_t *),
311 void (*xor_block)(uint8_t *, uint8_t *));
313 extern int cbc_decrypt_contiguous_blocks(cbc_ctx_t *, char *, size_t,
314 crypto_data_t *, size_t,
315 int (*decrypt)(const void *, const uint8_t *, uint8_t *),
316 void (*copy_block)(uint8_t *, uint8_t *),
317 void (*xor_block)(uint8_t *, uint8_t *));
319 extern int ctr_mode_contiguous_blocks(ctr_ctx_t *, char *, size_t,
320 crypto_data_t *, size_t,
321 int (*cipher)(const void *, const uint8_t *, uint8_t *),
322 void (*xor_block)(uint8_t *, uint8_t *));
324 extern int ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
325 crypto_data_t *, size_t,
326 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
327 void (*copy_block)(uint8_t *, uint8_t *),
328 void (*xor_block)(uint8_t *, uint8_t *));
330 extern int ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
331 crypto_data_t *, size_t,
332 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
333 void (*copy_block)(uint8_t *, uint8_t *),
334 void (*xor_block)(uint8_t *, uint8_t *));
336 extern int gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
337 crypto_data_t *, size_t,
338 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
339 void (*copy_block)(uint8_t *, uint8_t *),
340 void (*xor_block)(uint8_t *, uint8_t *));
342 extern int gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
343 crypto_data_t *, size_t,
344 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
345 void (*copy_block)(uint8_t *, uint8_t *),
346 void (*xor_block)(uint8_t *, uint8_t *));
348 int ccm_encrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
349 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
350 void (*xor_block)(uint8_t *, uint8_t *));
352 int gcm_encrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
353 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
354 void (*copy_block)(uint8_t *, uint8_t *),
355 void (*xor_block)(uint8_t *, uint8_t *));
357 extern int ccm_decrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
358 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
359 void (*copy_block)(uint8_t *, uint8_t *),
360 void (*xor_block)(uint8_t *, uint8_t *));
362 extern int gcm_decrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
363 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
364 void (*xor_block)(uint8_t *, uint8_t *));
366 extern int ctr_mode_final(ctr_ctx_t *, crypto_data_t *,
367 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *));
369 extern int cbc_init_ctx(cbc_ctx_t *, char *, size_t, size_t,
370 void (*copy_block)(uint8_t *, uint64_t *));
372 extern int ctr_init_ctx(ctr_ctx_t *, ulong_t, uint8_t *,
373 void (*copy_block)(uint8_t *, uint8_t *));
375 extern int ccm_init_ctx(ccm_ctx_t *, char *, int, boolean_t, size_t,
376 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
377 void (*xor_block)(uint8_t *, uint8_t *));
379 extern int gcm_init_ctx(gcm_ctx_t *, char *, size_t,
380 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
381 void (*copy_block)(uint8_t *, uint8_t *),
382 void (*xor_block)(uint8_t *, uint8_t *));
384 extern int gmac_init_ctx(gcm_ctx_t *, char *, size_t,
385 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
386 void (*copy_block)(uint8_t *, uint8_t *),
387 void (*xor_block)(uint8_t *, uint8_t *));
389 extern void calculate_ccm_mac(ccm_ctx_t *, uint8_t *,
390 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *));
392 extern void gcm_mul(uint64_t *, uint64_t *, uint64_t *);
394 extern void crypto_init_ptrs(crypto_data_t *, void **, offset_t *);
395 extern void crypto_get_ptrs(crypto_data_t *, void **, offset_t *,
396 uint8_t **, size_t *, uint8_t **, size_t);
398 extern void *ecb_alloc_ctx(int);
399 extern void *cbc_alloc_ctx(int);
400 extern void *ctr_alloc_ctx(int);
401 extern void *ccm_alloc_ctx(int);
402 extern void *gcm_alloc_ctx(int);
403 extern void *gmac_alloc_ctx(int);
404 extern void crypto_free_mode_ctx(void *);
405 extern void gcm_set_kmflag(gcm_ctx_t *, int);
411 #endif /* _COMMON_CRYPTO_MODES_H */