2 * Copyright (c) 2017-2019 Chelsio Communications, Inc.
4 * Written by: John Baldwin <jhb@FreeBSD.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include <sys/types.h>
32 #include <sys/malloc.h>
34 #include <opencrypto/cryptodev.h>
35 #include <opencrypto/xform.h>
37 #include "common/common.h"
38 #include "crypto/t4_crypto.h"
41 * Crypto operations use a key context to store cipher keys and
42 * partial hash digests. They can either be passed inline as part of
43 * a work request using crypto or they can be stored in card RAM. For
44 * the latter case, work requests must replace the inline key context
45 * with a request to read the context from card RAM.
47 * The format of a key context:
49 * +-------------------------------+
50 * | key context header |
51 * +-------------------------------+
52 * | AES key | ----- For requests with AES
53 * +-------------------------------+
54 * | Hash state | ----- For hash-only requests
55 * +-------------------------------+ -
56 * | IPAD (16-byte aligned) | \
57 * +-------------------------------+ +---- For requests with HMAC
58 * | OPAD (16-byte aligned) | /
59 * +-------------------------------+ -
60 * | GMAC H | ----- For AES-GCM
61 * +-------------------------------+ -
65 * Generate the initial GMAC hash state for a AES-GCM key.
67 * Borrowed from AES_GMAC_Setkey().
70 t4_init_gmac_hash(const char *key, int klen, char *ghash)
72 static char zeroes[GMAC_BLOCK_LEN];
73 uint32_t keysched[4 * (RIJNDAEL_MAXNR + 1)];
76 rounds = rijndaelKeySetupEnc(keysched, key, klen * 8);
77 rijndaelEncrypt(keysched, rounds, zeroes, ghash);
80 /* Copy out the partial hash state from a software hash implementation. */
82 t4_copy_partial_hash(int alg, union authctx *auth_ctx, void *dst)
88 u32 = (uint32_t *)dst;
89 u64 = (uint64_t *)dst;
92 case CRYPTO_SHA1_HMAC:
93 for (i = 0; i < SHA1_HASH_LEN / 4; i++)
94 u32[i] = htobe32(auth_ctx->sha1ctx.h.b32[i]);
97 case CRYPTO_SHA2_224_HMAC:
98 for (i = 0; i < SHA2_256_HASH_LEN / 4; i++)
99 u32[i] = htobe32(auth_ctx->sha224ctx.state[i]);
101 case CRYPTO_SHA2_256:
102 case CRYPTO_SHA2_256_HMAC:
103 for (i = 0; i < SHA2_256_HASH_LEN / 4; i++)
104 u32[i] = htobe32(auth_ctx->sha256ctx.state[i]);
106 case CRYPTO_SHA2_384:
107 case CRYPTO_SHA2_384_HMAC:
108 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
109 u64[i] = htobe64(auth_ctx->sha384ctx.state[i]);
111 case CRYPTO_SHA2_512:
112 case CRYPTO_SHA2_512_HMAC:
113 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
114 u64[i] = htobe64(auth_ctx->sha512ctx.state[i]);
120 t4_init_hmac_digest(struct auth_hash *axf, u_int partial_digest_len,
121 const char *key, int klen, char *dst)
123 union authctx auth_ctx;
125 hmac_init_ipad(axf, key, klen, &auth_ctx);
126 t4_copy_partial_hash(axf->type, &auth_ctx, dst);
128 dst += roundup2(partial_digest_len, 16);
130 hmac_init_opad(axf, key, klen, &auth_ctx);
131 t4_copy_partial_hash(axf->type, &auth_ctx, dst);
133 explicit_bzero(&auth_ctx, sizeof(auth_ctx));
137 * Borrowed from cesa_prep_aes_key().
139 * NB: The crypto engine wants the words in the decryption key in reverse
143 t4_aes_getdeckey(void *dec_key, const void *enc_key, unsigned int kbits)
145 uint32_t ek[4 * (RIJNDAEL_MAXNR + 1)];
149 rijndaelKeySetupEnc(ek, enc_key, kbits);
151 dkey += (kbits / 8) / 4;
155 for (i = 0; i < 4; i++)
156 *--dkey = htobe32(ek[4 * 10 + i]);
159 for (i = 0; i < 2; i++)
160 *--dkey = htobe32(ek[4 * 11 + 2 + i]);
161 for (i = 0; i < 4; i++)
162 *--dkey = htobe32(ek[4 * 12 + i]);
165 for (i = 0; i < 4; i++)
166 *--dkey = htobe32(ek[4 * 13 + i]);
167 for (i = 0; i < 4; i++)
168 *--dkey = htobe32(ek[4 * 14 + i]);
171 MPASS(dkey == dec_key);