]> git.proxmox.com Git - mirror_zfs.git/blob - module/icp/io/aes.c
projects / mirror_zfs.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Rename fallthrough to zfs_fallthrough
[mirror_zfs.git] / module / icp / io / aes.c
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * AES provider for the Kernel Cryptographic Framework (KCF)
27 */
28
29 #include <sys/zfs_context.h>
30 #include <sys/crypto/common.h>
31 #include <sys/crypto/impl.h>
32 #include <sys/crypto/spi.h>
33 #include <sys/crypto/icp.h>
34 #include <modes/modes.h>
35 #define _AES_IMPL
36 #include <aes/aes_impl.h>
37 #include <modes/gcm_impl.h>
38
39 /*
40 * Mechanism info structure passed to KCF during registration.
41 */
42 static const crypto_mech_info_t aes_mech_info_tab[] = {
43 /* AES_ECB */
44 {SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
45 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
46 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
47 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
48 /* AES_CBC */
49 {SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
50 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
51 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
52 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
53 /* AES_CTR */
54 {SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
55 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
56 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
57 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
58 /* AES_CCM */
59 {SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
60 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
61 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
62 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
63 /* AES_GCM */
64 {SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE,
65 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
66 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
67 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
68 /* AES_GMAC */
69 {SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE,
70 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
71 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
72 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC |
73 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
74 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
75 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
76 };
77
78 static void aes_provider_status(crypto_provider_handle_t, uint_t *);
79
80 static const crypto_control_ops_t aes_control_ops = {
81 aes_provider_status
82 };
83
84 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
85 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
86 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
87 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
88 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
89 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
90 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
91 crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
92 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
93 crypto_req_handle_t);
94 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
95 crypto_req_handle_t);
96
97 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
98 crypto_req_handle_t);
99 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
100 crypto_data_t *, crypto_req_handle_t);
101 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
102 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
103 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
104
105 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
106 crypto_req_handle_t);
107 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
108 crypto_data_t *, crypto_req_handle_t);
109 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
110 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
111 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
112
113 static const crypto_cipher_ops_t aes_cipher_ops = {
114 .encrypt_init = aes_encrypt_init,
115 .encrypt = aes_encrypt,
116 .encrypt_update = aes_encrypt_update,
117 .encrypt_final = aes_encrypt_final,
118 .encrypt_atomic = aes_encrypt_atomic,
119 .decrypt_init = aes_decrypt_init,
120 .decrypt = aes_decrypt,
121 .decrypt_update = aes_decrypt_update,
122 .decrypt_final = aes_decrypt_final,
123 .decrypt_atomic = aes_decrypt_atomic
124 };
125
126 static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
127 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
128 crypto_spi_ctx_template_t, crypto_req_handle_t);
129 static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
130 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
131 crypto_spi_ctx_template_t, crypto_req_handle_t);
132
133 static const crypto_mac_ops_t aes_mac_ops = {
134 .mac_init = NULL,
135 .mac = NULL,
136 .mac_update = NULL,
137 .mac_final = NULL,
138 .mac_atomic = aes_mac_atomic,
139 .mac_verify_atomic = aes_mac_verify_atomic
140 };
141
142 static int aes_create_ctx_template(crypto_provider_handle_t,
143 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
144 size_t *, crypto_req_handle_t);
145 static int aes_free_context(crypto_ctx_t *);
146
147 static const crypto_ctx_ops_t aes_ctx_ops = {
148 .create_ctx_template = aes_create_ctx_template,
149 .free_context = aes_free_context
150 };
151
152 static const crypto_ops_t aes_crypto_ops = {{{{{
153 &aes_control_ops,
154 NULL,
155 &aes_cipher_ops,
156 &aes_mac_ops,
157 NULL,
158 NULL,
159 NULL,
160 NULL,
161 NULL,
162 NULL,
163 NULL,
164 NULL,
165 NULL,
166 &aes_ctx_ops
167 }}}}};
168
169 static const crypto_provider_info_t aes_prov_info = {{{{
170 CRYPTO_SPI_VERSION_1,
171 "AES Software Provider",
172 CRYPTO_SW_PROVIDER,
173 NULL,
174 &aes_crypto_ops,
175 sizeof (aes_mech_info_tab) / sizeof (crypto_mech_info_t),
176 aes_mech_info_tab
177 }}}};
178
179 static crypto_kcf_provider_handle_t aes_prov_handle = 0;
180 static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW };
181
182 int
183 aes_mod_init(void)
184 {
185 /* Determine the fastest available implementation. */
186 aes_impl_init();
187 gcm_impl_init();
188
189 /* Register with KCF. If the registration fails, remove the module. */
190 if (crypto_register_provider(&aes_prov_info, &aes_prov_handle))
191 return (EACCES);
192
193 return (0);
194 }
195
196 int
197 aes_mod_fini(void)
198 {
199 /* Unregister from KCF if module is registered */
200 if (aes_prov_handle != 0) {
201 if (crypto_unregister_provider(aes_prov_handle))
202 return (EBUSY);
203
204 aes_prov_handle = 0;
205 }
206
207 return (0);
208 }
209
210 static int
211 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
212 {
213 void *p = NULL;
214 boolean_t param_required = B_TRUE;
215 size_t param_len;
216 void *(*alloc_fun)(int);
217 int rv = CRYPTO_SUCCESS;
218
219 switch (mechanism->cm_type) {
220 case AES_ECB_MECH_INFO_TYPE:
221 param_required = B_FALSE;
222 alloc_fun = ecb_alloc_ctx;
223 break;
224 case AES_CBC_MECH_INFO_TYPE:
225 param_len = AES_BLOCK_LEN;
226 alloc_fun = cbc_alloc_ctx;
227 break;
228 case AES_CTR_MECH_INFO_TYPE:
229 param_len = sizeof (CK_AES_CTR_PARAMS);
230 alloc_fun = ctr_alloc_ctx;
231 break;
232 case AES_CCM_MECH_INFO_TYPE:
233 param_len = sizeof (CK_AES_CCM_PARAMS);
234 alloc_fun = ccm_alloc_ctx;
235 break;
236 case AES_GCM_MECH_INFO_TYPE:
237 param_len = sizeof (CK_AES_GCM_PARAMS);
238 alloc_fun = gcm_alloc_ctx;
239 break;
240 case AES_GMAC_MECH_INFO_TYPE:
241 param_len = sizeof (CK_AES_GMAC_PARAMS);
242 alloc_fun = gmac_alloc_ctx;
243 break;
244 default:
245 rv = CRYPTO_MECHANISM_INVALID;
246 return (rv);
247 }
248 if (param_required && mechanism->cm_param != NULL &&
249 mechanism->cm_param_len != param_len) {
250 rv = CRYPTO_MECHANISM_PARAM_INVALID;
251 }
252 if (ctx != NULL) {
253 p = (alloc_fun)(kmflag);
254 *ctx = p;
255 }
256 return (rv);
257 }
258
259 /*
260 * Initialize key schedules for AES
261 */
262 static int
263 init_keysched(crypto_key_t *key, void *newbie)
264 {
265 /*
266 * Only keys by value are supported by this module.
267 */
268 switch (key->ck_format) {
269 case CRYPTO_KEY_RAW:
270 if (key->ck_length < AES_MINBITS ||
271 key->ck_length > AES_MAXBITS) {
272 return (CRYPTO_KEY_SIZE_RANGE);
273 }
274
275 /* key length must be either 128, 192, or 256 */
276 if ((key->ck_length & 63) != 0)
277 return (CRYPTO_KEY_SIZE_RANGE);
278 break;
279 default:
280 return (CRYPTO_KEY_TYPE_INCONSISTENT);
281 }
282
283 aes_init_keysched(key->ck_data, key->ck_length, newbie);
284 return (CRYPTO_SUCCESS);
285 }
286
287 /*
288 * KCF software provider control entry points.
289 */
290 static void
291 aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
292 {
293 (void) provider;
294 *status = CRYPTO_PROVIDER_READY;
295 }
296
297 static int
298 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
299 crypto_key_t *key, crypto_spi_ctx_template_t template,
300 crypto_req_handle_t req)
301 {
302 return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE));
303 }
304
305 static int
306 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
307 crypto_key_t *key, crypto_spi_ctx_template_t template,
308 crypto_req_handle_t req)
309 {
310 return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE));
311 }
312
313
314
315 /*
316 * KCF software provider encrypt entry points.
317 */
318 static int
319 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
320 crypto_key_t *key, crypto_spi_ctx_template_t template,
321 crypto_req_handle_t req, boolean_t is_encrypt_init)
322 {
323 aes_ctx_t *aes_ctx;
324 int rv;
325 int kmflag;
326
327 /*
328 * Only keys by value are supported by this module.
329 */
330 if (key->ck_format != CRYPTO_KEY_RAW) {
331 return (CRYPTO_KEY_TYPE_INCONSISTENT);
332 }
333
334 kmflag = crypto_kmflag(req);
335 if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
336 != CRYPTO_SUCCESS)
337 return (rv);
338
339 rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
340 is_encrypt_init);
341 if (rv != CRYPTO_SUCCESS) {
342 crypto_free_mode_ctx(aes_ctx);
343 return (rv);
344 }
345
346 ctx->cc_provider_private = aes_ctx;
347
348 return (CRYPTO_SUCCESS);
349 }
350
351 static void
352 aes_copy_block64(uint8_t *in, uint64_t *out)
353 {
354 if (IS_P2ALIGNED(in, sizeof (uint64_t))) {
355 /* LINTED: pointer alignment */
356 out[0] = *(uint64_t *)&in[0];
357 /* LINTED: pointer alignment */
358 out[1] = *(uint64_t *)&in[8];
359 } else {
360 uint8_t *iv8 = (uint8_t *)&out[0];
361
362 AES_COPY_BLOCK(in, iv8);
363 }
364 }
365
366
367 static int
368 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
369 crypto_data_t *ciphertext, crypto_req_handle_t req)
370 {
371 int ret = CRYPTO_FAILED;
372
373 aes_ctx_t *aes_ctx;
374 size_t saved_length, saved_offset, length_needed;
375
376 ASSERT(ctx->cc_provider_private != NULL);
377 aes_ctx = ctx->cc_provider_private;
378
379 /*
380 * For block ciphers, plaintext must be a multiple of AES block size.
381 * This test is only valid for ciphers whose blocksize is a power of 2.
382 */
383 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
384 == 0) && (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
385 return (CRYPTO_DATA_LEN_RANGE);
386
387 ASSERT(ciphertext != NULL);
388
389 /*
390 * We need to just return the length needed to store the output.
391 * We should not destroy the context for the following case.
392 */
393 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
394 case CCM_MODE:
395 length_needed = plaintext->cd_length + aes_ctx->ac_mac_len;
396 break;
397 case GCM_MODE:
398 length_needed = plaintext->cd_length + aes_ctx->ac_tag_len;
399 break;
400 case GMAC_MODE:
401 if (plaintext->cd_length != 0)
402 return (CRYPTO_ARGUMENTS_BAD);
403
404 length_needed = aes_ctx->ac_tag_len;
405 break;
406 default:
407 length_needed = plaintext->cd_length;
408 }
409
410 if (ciphertext->cd_length < length_needed) {
411 ciphertext->cd_length = length_needed;
412 return (CRYPTO_BUFFER_TOO_SMALL);
413 }
414
415 saved_length = ciphertext->cd_length;
416 saved_offset = ciphertext->cd_offset;
417
418 /*
419 * Do an update on the specified input data.
420 */
421 ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
422 if (ret != CRYPTO_SUCCESS) {
423 return (ret);
424 }
425
426 /*
427 * For CCM mode, aes_ccm_encrypt_final() will take care of any
428 * left-over unprocessed data, and compute the MAC
429 */
430 if (aes_ctx->ac_flags & CCM_MODE) {
431 /*
432 * ccm_encrypt_final() will compute the MAC and append
433 * it to existing ciphertext. So, need to adjust the left over
434 * length value accordingly
435 */
436
437 /* order of following 2 lines MUST not be reversed */
438 ciphertext->cd_offset = ciphertext->cd_length;
439 ciphertext->cd_length = saved_length - ciphertext->cd_length;
440 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
441 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
442 if (ret != CRYPTO_SUCCESS) {
443 return (ret);
444 }
445
446 if (plaintext != ciphertext) {
447 ciphertext->cd_length =
448 ciphertext->cd_offset - saved_offset;
449 }
450 ciphertext->cd_offset = saved_offset;
451 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
452 /*
453 * gcm_encrypt_final() will compute the MAC and append
454 * it to existing ciphertext. So, need to adjust the left over
455 * length value accordingly
456 */
457
458 /* order of following 2 lines MUST not be reversed */
459 ciphertext->cd_offset = ciphertext->cd_length;
460 ciphertext->cd_length = saved_length - ciphertext->cd_length;
461 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext,
462 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
463 aes_xor_block);
464 if (ret != CRYPTO_SUCCESS) {
465 return (ret);
466 }
467
468 if (plaintext != ciphertext) {
469 ciphertext->cd_length =
470 ciphertext->cd_offset - saved_offset;
471 }
472 ciphertext->cd_offset = saved_offset;
473 }
474
475 ASSERT(aes_ctx->ac_remainder_len == 0);
476 (void) aes_free_context(ctx);
477
478 return (ret);
479 }
480
481
482 static int
483 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
484 crypto_data_t *plaintext, crypto_req_handle_t req)
485 {
486 int ret = CRYPTO_FAILED;
487
488 aes_ctx_t *aes_ctx;
489 off_t saved_offset;
490 size_t saved_length, length_needed;
491
492 ASSERT(ctx->cc_provider_private != NULL);
493 aes_ctx = ctx->cc_provider_private;
494
495 /*
496 * For block ciphers, plaintext must be a multiple of AES block size.
497 * This test is only valid for ciphers whose blocksize is a power of 2.
498 */
499 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
500 == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) {
501 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
502 }
503
504 ASSERT(plaintext != NULL);
505
506 /*
507 * Return length needed to store the output.
508 * Do not destroy context when plaintext buffer is too small.
509 *
510 * CCM: plaintext is MAC len smaller than cipher text
511 * GCM: plaintext is TAG len smaller than cipher text
512 * GMAC: plaintext length must be zero
513 */
514 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
515 case CCM_MODE:
516 length_needed = aes_ctx->ac_processed_data_len;
517 break;
518 case GCM_MODE:
519 length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len;
520 break;
521 case GMAC_MODE:
522 if (plaintext->cd_length != 0)
523 return (CRYPTO_ARGUMENTS_BAD);
524
525 length_needed = 0;
526 break;
527 default:
528 length_needed = ciphertext->cd_length;
529 }
530
531 if (plaintext->cd_length < length_needed) {
532 plaintext->cd_length = length_needed;
533 return (CRYPTO_BUFFER_TOO_SMALL);
534 }
535
536 saved_offset = plaintext->cd_offset;
537 saved_length = plaintext->cd_length;
538
539 /*
540 * Do an update on the specified input data.
541 */
542 ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
543 if (ret != CRYPTO_SUCCESS) {
544 goto cleanup;
545 }
546
547 if (aes_ctx->ac_flags & CCM_MODE) {
548 ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len);
549 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
550
551 /* order of following 2 lines MUST not be reversed */
552 plaintext->cd_offset = plaintext->cd_length;
553 plaintext->cd_length = saved_length - plaintext->cd_length;
554
555 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext,
556 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
557 aes_xor_block);
558 if (ret == CRYPTO_SUCCESS) {
559 if (plaintext != ciphertext) {
560 plaintext->cd_length =
561 plaintext->cd_offset - saved_offset;
562 }
563 } else {
564 plaintext->cd_length = saved_length;
565 }
566
567 plaintext->cd_offset = saved_offset;
568 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
569 /* order of following 2 lines MUST not be reversed */
570 plaintext->cd_offset = plaintext->cd_length;
571 plaintext->cd_length = saved_length - plaintext->cd_length;
572
573 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext,
574 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
575 if (ret == CRYPTO_SUCCESS) {
576 if (plaintext != ciphertext) {
577 plaintext->cd_length =
578 plaintext->cd_offset - saved_offset;
579 }
580 } else {
581 plaintext->cd_length = saved_length;
582 }
583
584 plaintext->cd_offset = saved_offset;
585 }
586
587 ASSERT(aes_ctx->ac_remainder_len == 0);
588
589 cleanup:
590 (void) aes_free_context(ctx);
591
592 return (ret);
593 }
594
595
596 static int
597 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
598 crypto_data_t *ciphertext, crypto_req_handle_t req)
599 {
600 (void) req;
601 off_t saved_offset;
602 size_t saved_length, out_len;
603 int ret = CRYPTO_SUCCESS;
604 aes_ctx_t *aes_ctx;
605
606 ASSERT(ctx->cc_provider_private != NULL);
607 aes_ctx = ctx->cc_provider_private;
608
609 ASSERT(ciphertext != NULL);
610
611 /* compute number of bytes that will hold the ciphertext */
612 out_len = aes_ctx->ac_remainder_len;
613 out_len += plaintext->cd_length;
614 out_len &= ~(AES_BLOCK_LEN - 1);
615
616 /* return length needed to store the output */
617 if (ciphertext->cd_length < out_len) {
618 ciphertext->cd_length = out_len;
619 return (CRYPTO_BUFFER_TOO_SMALL);
620 }
621
622 saved_offset = ciphertext->cd_offset;
623 saved_length = ciphertext->cd_length;
624
625 /*
626 * Do the AES update on the specified input data.
627 */
628 switch (plaintext->cd_format) {
629 case CRYPTO_DATA_RAW:
630 ret = crypto_update_iov(ctx->cc_provider_private,
631 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
632 aes_copy_block64);
633 break;
634 case CRYPTO_DATA_UIO:
635 ret = crypto_update_uio(ctx->cc_provider_private,
636 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
637 aes_copy_block64);
638 break;
639 default:
640 ret = CRYPTO_ARGUMENTS_BAD;
641 }
642
643 /*
644 * Since AES counter mode is a stream cipher, we call
645 * ctr_mode_final() to pick up any remaining bytes.
646 * It is an internal function that does not destroy
647 * the context like *normal* final routines.
648 */
649 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
650 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx,
651 ciphertext, aes_encrypt_block);
652 }
653
654 if (ret == CRYPTO_SUCCESS) {
655 if (plaintext != ciphertext)
656 ciphertext->cd_length =
657 ciphertext->cd_offset - saved_offset;
658 } else {
659 ciphertext->cd_length = saved_length;
660 }
661 ciphertext->cd_offset = saved_offset;
662
663 return (ret);
664 }
665
666
667 static int
668 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
669 crypto_data_t *plaintext, crypto_req_handle_t req)
670 {
671 off_t saved_offset;
672 size_t saved_length, out_len;
673 int ret = CRYPTO_SUCCESS;
674 aes_ctx_t *aes_ctx;
675
676 ASSERT(ctx->cc_provider_private != NULL);
677 aes_ctx = ctx->cc_provider_private;
678
679 ASSERT(plaintext != NULL);
680
681 /*
682 * Compute number of bytes that will hold the plaintext.
683 * This is not necessary for CCM, GCM, and GMAC since these
684 * mechanisms never return plaintext for update operations.
685 */
686 if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
687 out_len = aes_ctx->ac_remainder_len;
688 out_len += ciphertext->cd_length;
689 out_len &= ~(AES_BLOCK_LEN - 1);
690
691 /* return length needed to store the output */
692 if (plaintext->cd_length < out_len) {
693 plaintext->cd_length = out_len;
694 return (CRYPTO_BUFFER_TOO_SMALL);
695 }
696 }
697
698 saved_offset = plaintext->cd_offset;
699 saved_length = plaintext->cd_length;
700
701 if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE))
702 gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));
703
704 /*
705 * Do the AES update on the specified input data.
706 */
707 switch (ciphertext->cd_format) {
708 case CRYPTO_DATA_RAW:
709 ret = crypto_update_iov(ctx->cc_provider_private,
710 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
711 aes_copy_block64);
712 break;
713 case CRYPTO_DATA_UIO:
714 ret = crypto_update_uio(ctx->cc_provider_private,
715 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
716 aes_copy_block64);
717 break;
718 default:
719 ret = CRYPTO_ARGUMENTS_BAD;
720 }
721
722 /*
723 * Since AES counter mode is a stream cipher, we call
724 * ctr_mode_final() to pick up any remaining bytes.
725 * It is an internal function that does not destroy
726 * the context like *normal* final routines.
727 */
728 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
729 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext,
730 aes_encrypt_block);
731 if (ret == CRYPTO_DATA_LEN_RANGE)
732 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
733 }
734
735 if (ret == CRYPTO_SUCCESS) {
736 if (ciphertext != plaintext)
737 plaintext->cd_length =
738 plaintext->cd_offset - saved_offset;
739 } else {
740 plaintext->cd_length = saved_length;
741 }
742 plaintext->cd_offset = saved_offset;
743
744
745 return (ret);
746 }
747
748 static int
749 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
750 crypto_req_handle_t req)
751 {
752 (void) req;
753 aes_ctx_t *aes_ctx;
754 int ret;
755
756 ASSERT(ctx->cc_provider_private != NULL);
757 aes_ctx = ctx->cc_provider_private;
758
759 if (data->cd_format != CRYPTO_DATA_RAW &&
760 data->cd_format != CRYPTO_DATA_UIO) {
761 return (CRYPTO_ARGUMENTS_BAD);
762 }
763
764 if (aes_ctx->ac_flags & CTR_MODE) {
765 if (aes_ctx->ac_remainder_len > 0) {
766 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
767 aes_encrypt_block);
768 if (ret != CRYPTO_SUCCESS)
769 return (ret);
770 }
771 } else if (aes_ctx->ac_flags & CCM_MODE) {
772 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data,
773 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
774 if (ret != CRYPTO_SUCCESS) {
775 return (ret);
776 }
777 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
778 size_t saved_offset = data->cd_offset;
779
780 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data,
781 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
782 aes_xor_block);
783 if (ret != CRYPTO_SUCCESS) {
784 return (ret);
785 }
786 data->cd_length = data->cd_offset - saved_offset;
787 data->cd_offset = saved_offset;
788 } else {
789 /*
790 * There must be no unprocessed plaintext.
791 * This happens if the length of the last data is
792 * not a multiple of the AES block length.
793 */
794 if (aes_ctx->ac_remainder_len > 0) {
795 return (CRYPTO_DATA_LEN_RANGE);
796 }
797 data->cd_length = 0;
798 }
799
800 (void) aes_free_context(ctx);
801
802 return (CRYPTO_SUCCESS);
803 }
804
805 static int
806 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
807 crypto_req_handle_t req)
808 {
809 (void) req;
810 aes_ctx_t *aes_ctx;
811 int ret;
812 off_t saved_offset;
813 size_t saved_length;
814
815 ASSERT(ctx->cc_provider_private != NULL);
816 aes_ctx = ctx->cc_provider_private;
817
818 if (data->cd_format != CRYPTO_DATA_RAW &&
819 data->cd_format != CRYPTO_DATA_UIO) {
820 return (CRYPTO_ARGUMENTS_BAD);
821 }
822
823 /*
824 * There must be no unprocessed ciphertext.
825 * This happens if the length of the last ciphertext is
826 * not a multiple of the AES block length.
827 */
828 if (aes_ctx->ac_remainder_len > 0) {
829 if ((aes_ctx->ac_flags & CTR_MODE) == 0)
830 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
831 else {
832 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
833 aes_encrypt_block);
834 if (ret == CRYPTO_DATA_LEN_RANGE)
835 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
836 if (ret != CRYPTO_SUCCESS)
837 return (ret);
838 }
839 }
840
841 if (aes_ctx->ac_flags & CCM_MODE) {
842 /*
843 * This is where all the plaintext is returned, make sure
844 * the plaintext buffer is big enough
845 */
846 size_t pt_len = aes_ctx->ac_data_len;
847 if (data->cd_length < pt_len) {
848 data->cd_length = pt_len;
849 return (CRYPTO_BUFFER_TOO_SMALL);
850 }
851
852 ASSERT(aes_ctx->ac_processed_data_len == pt_len);
853 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
854 saved_offset = data->cd_offset;
855 saved_length = data->cd_length;
856 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data,
857 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
858 aes_xor_block);
859 if (ret == CRYPTO_SUCCESS) {
860 data->cd_length = data->cd_offset - saved_offset;
861 } else {
862 data->cd_length = saved_length;
863 }
864
865 data->cd_offset = saved_offset;
866 if (ret != CRYPTO_SUCCESS) {
867 return (ret);
868 }
869 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
870 /*
871 * This is where all the plaintext is returned, make sure
872 * the plaintext buffer is big enough
873 */
874 gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx;
875 size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
876
877 if (data->cd_length < pt_len) {
878 data->cd_length = pt_len;
879 return (CRYPTO_BUFFER_TOO_SMALL);
880 }
881
882 saved_offset = data->cd_offset;
883 saved_length = data->cd_length;
884 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data,
885 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
886 if (ret == CRYPTO_SUCCESS) {
887 data->cd_length = data->cd_offset - saved_offset;
888 } else {
889 data->cd_length = saved_length;
890 }
891
892 data->cd_offset = saved_offset;
893 if (ret != CRYPTO_SUCCESS) {
894 return (ret);
895 }
896 }
897
898
899 if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
900 data->cd_length = 0;
901 }
902
903 (void) aes_free_context(ctx);
904
905 return (CRYPTO_SUCCESS);
906 }
907
908 static int
909 aes_encrypt_atomic(crypto_provider_handle_t provider,
910 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
911 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
912 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
913 {
914 (void) provider, (void) session_id;
915 aes_ctx_t aes_ctx; /* on the stack */
916 off_t saved_offset;
917 size_t saved_length;
918 size_t length_needed;
919 int ret;
920
921 ASSERT(ciphertext != NULL);
922
923 /*
924 * CTR, CCM, GCM, and GMAC modes do not require that plaintext
925 * be a multiple of AES block size.
926 */
927 switch (mechanism->cm_type) {
928 case AES_CTR_MECH_INFO_TYPE:
929 case AES_CCM_MECH_INFO_TYPE:
930 case AES_GCM_MECH_INFO_TYPE:
931 case AES_GMAC_MECH_INFO_TYPE:
932 break;
933 default:
934 if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
935 return (CRYPTO_DATA_LEN_RANGE);
936 }
937
938 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
939 return (ret);
940
941 bzero(&aes_ctx, sizeof (aes_ctx_t));
942
943 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
944 crypto_kmflag(req), B_TRUE);
945 if (ret != CRYPTO_SUCCESS)
946 return (ret);
947
948 switch (mechanism->cm_type) {
949 case AES_CCM_MECH_INFO_TYPE:
950 length_needed = plaintext->cd_length + aes_ctx.ac_mac_len;
951 break;
952 case AES_GMAC_MECH_INFO_TYPE:
953 if (plaintext->cd_length != 0)
954 return (CRYPTO_ARGUMENTS_BAD);
955 zfs_fallthrough;
956 case AES_GCM_MECH_INFO_TYPE:
957 length_needed = plaintext->cd_length + aes_ctx.ac_tag_len;
958 break;
959 default:
960 length_needed = plaintext->cd_length;
961 }
962
963 /* return size of buffer needed to store output */
964 if (ciphertext->cd_length < length_needed) {
965 ciphertext->cd_length = length_needed;
966 ret = CRYPTO_BUFFER_TOO_SMALL;
967 goto out;
968 }
969
970 saved_offset = ciphertext->cd_offset;
971 saved_length = ciphertext->cd_length;
972
973 /*
974 * Do an update on the specified input data.
975 */
976 switch (plaintext->cd_format) {
977 case CRYPTO_DATA_RAW:
978 ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext,
979 aes_encrypt_contiguous_blocks, aes_copy_block64);
980 break;
981 case CRYPTO_DATA_UIO:
982 ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext,
983 aes_encrypt_contiguous_blocks, aes_copy_block64);
984 break;
985 default:
986 ret = CRYPTO_ARGUMENTS_BAD;
987 }
988
989 if (ret == CRYPTO_SUCCESS) {
990 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
991 ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx,
992 ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
993 aes_xor_block);
994 if (ret != CRYPTO_SUCCESS)
995 goto out;
996 ASSERT(aes_ctx.ac_remainder_len == 0);
997 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
998 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
999 ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx,
1000 ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1001 aes_copy_block, aes_xor_block);
1002 if (ret != CRYPTO_SUCCESS)
1003 goto out;
1004 ASSERT(aes_ctx.ac_remainder_len == 0);
1005 } else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
1006 if (aes_ctx.ac_remainder_len > 0) {
1007 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1008 ciphertext, aes_encrypt_block);
1009 if (ret != CRYPTO_SUCCESS)
1010 goto out;
1011 }
1012 } else {
1013 ASSERT(aes_ctx.ac_remainder_len == 0);
1014 }
1015
1016 if (plaintext != ciphertext) {
1017 ciphertext->cd_length =
1018 ciphertext->cd_offset - saved_offset;
1019 }
1020 } else {
1021 ciphertext->cd_length = saved_length;
1022 }
1023 ciphertext->cd_offset = saved_offset;
1024
1025 out:
1026 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1027 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1028 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1029 }
1030 #ifdef CAN_USE_GCM_ASM
1031 if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE) &&
1032 ((gcm_ctx_t *)&aes_ctx)->gcm_Htable != NULL) {
1033
1034 gcm_ctx_t *ctx = (gcm_ctx_t *)&aes_ctx;
1035
1036 bzero(ctx->gcm_Htable, ctx->gcm_htab_len);
1037 kmem_free(ctx->gcm_Htable, ctx->gcm_htab_len);
1038 }
1039 #endif
1040
1041 return (ret);
1042 }
1043
1044 static int
1045 aes_decrypt_atomic(crypto_provider_handle_t provider,
1046 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1047 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1048 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1049 {
1050 (void) provider, (void) session_id;
1051 aes_ctx_t aes_ctx; /* on the stack */
1052 off_t saved_offset;
1053 size_t saved_length;
1054 size_t length_needed;
1055 int ret;
1056
1057 ASSERT(plaintext != NULL);
1058
1059 /*
1060 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext
1061 * be a multiple of AES block size.
1062 */
1063 switch (mechanism->cm_type) {
1064 case AES_CTR_MECH_INFO_TYPE:
1065 case AES_CCM_MECH_INFO_TYPE:
1066 case AES_GCM_MECH_INFO_TYPE:
1067 case AES_GMAC_MECH_INFO_TYPE:
1068 break;
1069 default:
1070 if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1071 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1072 }
1073
1074 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1075 return (ret);
1076
1077 bzero(&aes_ctx, sizeof (aes_ctx_t));
1078
1079 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1080 crypto_kmflag(req), B_FALSE);
1081 if (ret != CRYPTO_SUCCESS)
1082 return (ret);
1083
1084 switch (mechanism->cm_type) {
1085 case AES_CCM_MECH_INFO_TYPE:
1086 length_needed = aes_ctx.ac_data_len;
1087 break;
1088 case AES_GCM_MECH_INFO_TYPE:
1089 length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len;
1090 break;
1091 case AES_GMAC_MECH_INFO_TYPE:
1092 if (plaintext->cd_length != 0)
1093 return (CRYPTO_ARGUMENTS_BAD);
1094 length_needed = 0;
1095 break;
1096 default:
1097 length_needed = ciphertext->cd_length;
1098 }
1099
1100 /* return size of buffer needed to store output */
1101 if (plaintext->cd_length < length_needed) {
1102 plaintext->cd_length = length_needed;
1103 ret = CRYPTO_BUFFER_TOO_SMALL;
1104 goto out;
1105 }
1106
1107 saved_offset = plaintext->cd_offset;
1108 saved_length = plaintext->cd_length;
1109
1110 if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1111 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE)
1112 gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));
1113
1114 /*
1115 * Do an update on the specified input data.
1116 */
1117 switch (ciphertext->cd_format) {
1118 case CRYPTO_DATA_RAW:
1119 ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext,
1120 aes_decrypt_contiguous_blocks, aes_copy_block64);
1121 break;
1122 case CRYPTO_DATA_UIO:
1123 ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext,
1124 aes_decrypt_contiguous_blocks, aes_copy_block64);
1125 break;
1126 default:
1127 ret = CRYPTO_ARGUMENTS_BAD;
1128 }
1129
1130 if (ret == CRYPTO_SUCCESS) {
1131 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1132 ASSERT(aes_ctx.ac_processed_data_len
1133 == aes_ctx.ac_data_len);
1134 ASSERT(aes_ctx.ac_processed_mac_len
1135 == aes_ctx.ac_mac_len);
1136 ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx,
1137 plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1138 aes_copy_block, aes_xor_block);
1139 ASSERT(aes_ctx.ac_remainder_len == 0);
1140 if ((ret == CRYPTO_SUCCESS) &&
1141 (ciphertext != plaintext)) {
1142 plaintext->cd_length =
1143 plaintext->cd_offset - saved_offset;
1144 } else {
1145 plaintext->cd_length = saved_length;
1146 }
1147 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1148 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1149 ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx,
1150 plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1151 aes_xor_block);
1152 ASSERT(aes_ctx.ac_remainder_len == 0);
1153 if ((ret == CRYPTO_SUCCESS) &&
1154 (ciphertext != plaintext)) {
1155 plaintext->cd_length =
1156 plaintext->cd_offset - saved_offset;
1157 } else {
1158 plaintext->cd_length = saved_length;
1159 }
1160 } else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
1161 ASSERT(aes_ctx.ac_remainder_len == 0);
1162 if (ciphertext != plaintext)
1163 plaintext->cd_length =
1164 plaintext->cd_offset - saved_offset;
1165 } else {
1166 if (aes_ctx.ac_remainder_len > 0) {
1167 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1168 plaintext, aes_encrypt_block);
1169 if (ret == CRYPTO_DATA_LEN_RANGE)
1170 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
1171 if (ret != CRYPTO_SUCCESS)
1172 goto out;
1173 }
1174 if (ciphertext != plaintext)
1175 plaintext->cd_length =
1176 plaintext->cd_offset - saved_offset;
1177 }
1178 } else {
1179 plaintext->cd_length = saved_length;
1180 }
1181 plaintext->cd_offset = saved_offset;
1182
1183 out:
1184 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1185 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1186 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1187 }
1188
1189 if (aes_ctx.ac_flags & CCM_MODE) {
1190 if (aes_ctx.ac_pt_buf != NULL) {
1191 vmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
1192 }
1193 } else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
1194 if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) {
1195 vmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf,
1196 ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len);
1197 }
1198 #ifdef CAN_USE_GCM_ASM
1199 if (((gcm_ctx_t *)&aes_ctx)->gcm_Htable != NULL) {
1200 gcm_ctx_t *ctx = (gcm_ctx_t *)&aes_ctx;
1201
1202 bzero(ctx->gcm_Htable, ctx->gcm_htab_len);
1203 kmem_free(ctx->gcm_Htable, ctx->gcm_htab_len);
1204 }
1205 #endif
1206 }
1207
1208 return (ret);
1209 }
1210
1211 /*
1212 * KCF software provider context template entry points.
1213 */
1214 static int
1215 aes_create_ctx_template(crypto_provider_handle_t provider,
1216 crypto_mechanism_t *mechanism, crypto_key_t *key,
1217 crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
1218 {
1219 (void) provider;
1220 void *keysched;
1221 size_t size;
1222 int rv;
1223
1224 if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE &&
1225 mechanism->cm_type != AES_CBC_MECH_INFO_TYPE &&
1226 mechanism->cm_type != AES_CTR_MECH_INFO_TYPE &&
1227 mechanism->cm_type != AES_CCM_MECH_INFO_TYPE &&
1228 mechanism->cm_type != AES_GCM_MECH_INFO_TYPE &&
1229 mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE)
1230 return (CRYPTO_MECHANISM_INVALID);
1231
1232 if ((keysched = aes_alloc_keysched(&size,
1233 crypto_kmflag(req))) == NULL) {
1234 return (CRYPTO_HOST_MEMORY);
1235 }
1236
1237 /*
1238 * Initialize key schedule. Key length information is stored
1239 * in the key.
1240 */
1241 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1242 bzero(keysched, size);
1243 kmem_free(keysched, size);
1244 return (rv);
1245 }
1246
1247 *tmpl = keysched;
1248 *tmpl_size = size;
1249
1250 return (CRYPTO_SUCCESS);
1251 }
1252
1253
1254 static int
1255 aes_free_context(crypto_ctx_t *ctx)
1256 {
1257 aes_ctx_t *aes_ctx = ctx->cc_provider_private;
1258
1259 if (aes_ctx != NULL) {
1260 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1261 ASSERT(aes_ctx->ac_keysched_len != 0);
1262 bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
1263 kmem_free(aes_ctx->ac_keysched,
1264 aes_ctx->ac_keysched_len);
1265 }
1266 crypto_free_mode_ctx(aes_ctx);
1267 ctx->cc_provider_private = NULL;
1268 }
1269
1270 return (CRYPTO_SUCCESS);
1271 }
1272
1273
1274 static int
1275 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
1276 crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
1277 boolean_t is_encrypt_init)
1278 {
1279 int rv = CRYPTO_SUCCESS;
1280 void *keysched;
1281 size_t size = 0;
1282
1283 if (template == NULL) {
1284 if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
1285 return (CRYPTO_HOST_MEMORY);
1286 /*
1287 * Initialize key schedule.
1288 * Key length is stored in the key.
1289 */
1290 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1291 kmem_free(keysched, size);
1292 return (rv);
1293 }
1294
1295 aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
1296 aes_ctx->ac_keysched_len = size;
1297 } else {
1298 keysched = template;
1299 }
1300 aes_ctx->ac_keysched = keysched;
1301
1302 switch (mechanism->cm_type) {
1303 case AES_CBC_MECH_INFO_TYPE:
1304 rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param,
1305 mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64);
1306 break;
1307 case AES_CTR_MECH_INFO_TYPE: {
1308 CK_AES_CTR_PARAMS *pp;
1309
1310 if (mechanism->cm_param == NULL ||
1311 mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
1312 return (CRYPTO_MECHANISM_PARAM_INVALID);
1313 }
1314 pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param;
1315 rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
1316 pp->cb, aes_copy_block);
1317 break;
1318 }
1319 case AES_CCM_MECH_INFO_TYPE:
1320 if (mechanism->cm_param == NULL ||
1321 mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
1322 return (CRYPTO_MECHANISM_PARAM_INVALID);
1323 }
1324 rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param,
1325 kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block,
1326 aes_xor_block);
1327 break;
1328 case AES_GCM_MECH_INFO_TYPE:
1329 if (mechanism->cm_param == NULL ||
1330 mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
1331 return (CRYPTO_MECHANISM_PARAM_INVALID);
1332 }
1333 rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1334 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1335 aes_xor_block);
1336 break;
1337 case AES_GMAC_MECH_INFO_TYPE:
1338 if (mechanism->cm_param == NULL ||
1339 mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) {
1340 return (CRYPTO_MECHANISM_PARAM_INVALID);
1341 }
1342 rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1343 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1344 aes_xor_block);
1345 break;
1346 case AES_ECB_MECH_INFO_TYPE:
1347 aes_ctx->ac_flags |= ECB_MODE;
1348 }
1349
1350 if (rv != CRYPTO_SUCCESS) {
1351 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1352 bzero(keysched, size);
1353 kmem_free(keysched, size);
1354 }
1355 }
1356
1357 return (rv);
1358 }
1359
1360 static int
1361 process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data,
1362 CK_AES_GCM_PARAMS *gcm_params)
1363 {
1364 /* LINTED: pointer alignment */
1365 CK_AES_GMAC_PARAMS *params = (CK_AES_GMAC_PARAMS *)mech->cm_param;
1366
1367 if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE)
1368 return (CRYPTO_MECHANISM_INVALID);
1369
1370 if (mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS))
1371 return (CRYPTO_MECHANISM_PARAM_INVALID);
1372
1373 if (params->pIv == NULL)
1374 return (CRYPTO_MECHANISM_PARAM_INVALID);
1375
1376 gcm_params->pIv = params->pIv;
1377 gcm_params->ulIvLen = AES_GMAC_IV_LEN;
1378 gcm_params->ulTagBits = AES_GMAC_TAG_BITS;
1379
1380 if (data == NULL)
1381 return (CRYPTO_SUCCESS);
1382
1383 if (data->cd_format != CRYPTO_DATA_RAW)
1384 return (CRYPTO_ARGUMENTS_BAD);
1385
1386 gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base;
1387 gcm_params->ulAADLen = data->cd_length;
1388 return (CRYPTO_SUCCESS);
1389 }
1390
1391 static int
1392 aes_mac_atomic(crypto_provider_handle_t provider,
1393 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1394 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1395 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1396 {
1397 CK_AES_GCM_PARAMS gcm_params;
1398 crypto_mechanism_t gcm_mech;
1399 int rv;
1400
1401 if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1402 != CRYPTO_SUCCESS)
1403 return (rv);
1404
1405 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1406 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1407 gcm_mech.cm_param = (char *)&gcm_params;
1408
1409 return (aes_encrypt_atomic(provider, session_id, &gcm_mech,
1410 key, &null_crypto_data, mac, template, req));
1411 }
1412
1413 static int
1414 aes_mac_verify_atomic(crypto_provider_handle_t provider,
1415 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1416 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1417 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1418 {
1419 CK_AES_GCM_PARAMS gcm_params;
1420 crypto_mechanism_t gcm_mech;
1421 int rv;
1422
1423 if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1424 != CRYPTO_SUCCESS)
1425 return (rv);
1426
1427 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1428 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1429 gcm_mech.cm_param = (char *)&gcm_params;
1430
1431 return (aes_decrypt_atomic(provider, session_id, &gcm_mech,
1432 key, mac, &null_crypto_data, template, req));
1433 }
ZFS On Linux mirror for PVE