2 * Copyright (c) 2017-2019 Chelsio Communications, Inc.
4 * Written by: John Baldwin <jhb@FreeBSD.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include <sys/types.h>
32 #include <sys/malloc.h>
34 #include <opencrypto/cryptodev.h>
35 #include <opencrypto/xform.h>
37 #include "common/common.h"
38 #include "crypto/t4_crypto.h"
41 * Crypto operations use a key context to store cipher keys and
42 * partial hash digests. They can either be passed inline as part of
43 * a work request using crypto or they can be stored in card RAM. For
44 * the latter case, work requests must replace the inline key context
45 * with a request to read the context from card RAM.
47 * The format of a key context:
49 * +-------------------------------+
50 * | key context header |
51 * +-------------------------------+
52 * | AES key | ----- For requests with AES
53 * +-------------------------------+
54 * | Hash state | ----- For hash-only requests
55 * +-------------------------------+ -
56 * | IPAD (16-byte aligned) | \
57 * +-------------------------------+ +---- For requests with HMAC
58 * | OPAD (16-byte aligned) | /
59 * +-------------------------------+ -
60 * | GMAC H | ----- For AES-GCM
61 * +-------------------------------+ -
65 * Generate the initial GMAC hash state for a AES-GCM key.
67 * Borrowed from AES_GMAC_Setkey().
70 t4_init_gmac_hash(const char *key, int klen, char *ghash)
72 static char zeroes[GMAC_BLOCK_LEN];
73 uint32_t keysched[4 * (RIJNDAEL_MAXNR + 1)];
76 rounds = rijndaelKeySetupEnc(keysched, key, klen * 8);
77 rijndaelEncrypt(keysched, rounds, zeroes, ghash);
78 explicit_bzero(keysched, sizeof(keysched));
81 /* Copy out the partial hash state from a software hash implementation. */
83 t4_copy_partial_hash(int alg, union authctx *auth_ctx, void *dst)
89 u32 = (uint32_t *)dst;
90 u64 = (uint64_t *)dst;
93 case CRYPTO_SHA1_HMAC:
94 for (i = 0; i < SHA1_HASH_LEN / 4; i++)
95 u32[i] = htobe32(auth_ctx->sha1ctx.h.b32[i]);
98 case CRYPTO_SHA2_224_HMAC:
99 for (i = 0; i < SHA2_256_HASH_LEN / 4; i++)
100 u32[i] = htobe32(auth_ctx->sha224ctx.state[i]);
102 case CRYPTO_SHA2_256:
103 case CRYPTO_SHA2_256_HMAC:
104 for (i = 0; i < SHA2_256_HASH_LEN / 4; i++)
105 u32[i] = htobe32(auth_ctx->sha256ctx.state[i]);
107 case CRYPTO_SHA2_384:
108 case CRYPTO_SHA2_384_HMAC:
109 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
110 u64[i] = htobe64(auth_ctx->sha384ctx.state[i]);
112 case CRYPTO_SHA2_512:
113 case CRYPTO_SHA2_512_HMAC:
114 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
115 u64[i] = htobe64(auth_ctx->sha512ctx.state[i]);
121 t4_init_hmac_digest(struct auth_hash *axf, u_int partial_digest_len,
122 const char *key, int klen, char *dst)
124 union authctx auth_ctx;
126 hmac_init_ipad(axf, key, klen, &auth_ctx);
127 t4_copy_partial_hash(axf->type, &auth_ctx, dst);
129 dst += roundup2(partial_digest_len, 16);
131 hmac_init_opad(axf, key, klen, &auth_ctx);
132 t4_copy_partial_hash(axf->type, &auth_ctx, dst);
134 explicit_bzero(&auth_ctx, sizeof(auth_ctx));
138 * Borrowed from cesa_prep_aes_key().
140 * NB: The crypto engine wants the words in the decryption key in reverse
144 t4_aes_getdeckey(void *dec_key, const void *enc_key, unsigned int kbits)
146 uint32_t ek[4 * (RIJNDAEL_MAXNR + 1)];
150 rijndaelKeySetupEnc(ek, enc_key, kbits);
152 dkey += (kbits / 8) / 4;
156 for (i = 0; i < 4; i++)
157 *--dkey = htobe32(ek[4 * 10 + i]);
160 for (i = 0; i < 2; i++)
161 *--dkey = htobe32(ek[4 * 11 + 2 + i]);
162 for (i = 0; i < 4; i++)
163 *--dkey = htobe32(ek[4 * 12 + i]);
166 for (i = 0; i < 4; i++)
167 *--dkey = htobe32(ek[4 * 13 + i]);
168 for (i = 0; i < 4; i++)
169 *--dkey = htobe32(ek[4 * 14 + i]);
172 MPASS(dkey == dec_key);
173 explicit_bzero(ek, sizeof(ek));