4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
25 #include <sys/zfs_context.h>
26 #include <modes/modes.h>
27 #include <sys/crypto/common.h>
28 #include <sys/crypto/impl.h>
29 #include <sys/byteorder.h>
34 /* Workaround for no XMM kernel thread save/restore */
35 #define KPREEMPT_DISABLE kpreempt_disable()
36 #define KPREEMPT_ENABLE kpreempt_enable()
39 #define KPREEMPT_DISABLE
40 #define KPREEMPT_ENABLE
43 extern void gcm_mul_pclmulqdq(uint64_t *x_in
, uint64_t *y
, uint64_t *res
);
44 static int intel_pclmulqdq_instruction_present(void);
55 * Perform a carry-less multiplication (that is, use XOR instead of the
56 * multiply operator) on *x_in and *y and place the result in *res.
58 * Byte swap the input (*x_in and *y) and the output (*res).
60 * Note: x_in, y, and res all point to 16-byte numbers (an array of two
64 gcm_mul(uint64_t *x_in
, uint64_t *y
, uint64_t *res
)
67 if (intel_pclmulqdq_instruction_present()) {
69 gcm_mul_pclmulqdq(x_in
, y
, res
);
74 static const uint64_t R
= 0xe100000000000000ULL
;
75 struct aes_block z
= {0, 0};
83 for (j
= 0; j
< 2; j
++) {
85 for (i
= 0; i
< 64; i
++, x
<<= 1) {
86 if (x
& 0x8000000000000000ULL
) {
91 v
.b
= (v
.a
<< 63)|(v
.b
>> 1);
94 v
.b
= (v
.a
<< 63)|(v
.b
>> 1);
100 res
[1] = htonll(z
.b
);
105 #define GHASH(c, d, t) \
106 xor_block((uint8_t *)(d), (uint8_t *)(c)->gcm_ghash); \
107 gcm_mul((uint64_t *)(void *)(c)->gcm_ghash, (c)->gcm_H, \
108 (uint64_t *)(void *)(t));
112 * Encrypt multiple blocks of data in GCM mode. Decrypt for GCM mode
113 * is done in another function.
116 gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t
*ctx
, char *data
, size_t length
,
117 crypto_data_t
*out
, size_t block_size
,
118 int (*encrypt_block
)(const void *, const uint8_t *, uint8_t *),
119 void (*copy_block
)(uint8_t *, uint8_t *),
120 void (*xor_block
)(uint8_t *, uint8_t *))
122 size_t remainder
= length
;
124 uint8_t *datap
= (uint8_t *)data
;
131 size_t out_data_1_len
;
133 uint64_t counter_mask
= ntohll(0x00000000ffffffffULL
);
135 if (length
+ ctx
->gcm_remainder_len
< block_size
) {
136 /* accumulate bytes here and return */
138 (uint8_t *)ctx
->gcm_remainder
+ ctx
->gcm_remainder_len
,
140 ctx
->gcm_remainder_len
+= length
;
141 ctx
->gcm_copy_to
= datap
;
142 return (CRYPTO_SUCCESS
);
145 lastp
= (uint8_t *)ctx
->gcm_cb
;
147 crypto_init_ptrs(out
, &iov_or_mp
, &offset
);
150 /* Unprocessed data from last call. */
151 if (ctx
->gcm_remainder_len
> 0) {
152 need
= block_size
- ctx
->gcm_remainder_len
;
154 if (need
> remainder
)
155 return (CRYPTO_DATA_LEN_RANGE
);
157 bcopy(datap
, &((uint8_t *)ctx
->gcm_remainder
)
158 [ctx
->gcm_remainder_len
], need
);
160 blockp
= (uint8_t *)ctx
->gcm_remainder
;
166 * Increment counter. Counter bits are confined
167 * to the bottom 32 bits of the counter block.
169 counter
= ntohll(ctx
->gcm_cb
[1] & counter_mask
);
170 counter
= htonll(counter
+ 1);
171 counter
&= counter_mask
;
172 ctx
->gcm_cb
[1] = (ctx
->gcm_cb
[1] & ~counter_mask
) | counter
;
174 encrypt_block(ctx
->gcm_keysched
, (uint8_t *)ctx
->gcm_cb
,
175 (uint8_t *)ctx
->gcm_tmp
);
176 xor_block(blockp
, (uint8_t *)ctx
->gcm_tmp
);
178 lastp
= (uint8_t *)ctx
->gcm_tmp
;
180 ctx
->gcm_processed_data_len
+= block_size
;
183 if (ctx
->gcm_remainder_len
> 0) {
184 bcopy(blockp
, ctx
->gcm_copy_to
,
185 ctx
->gcm_remainder_len
);
186 bcopy(blockp
+ ctx
->gcm_remainder_len
, datap
,
190 crypto_get_ptrs(out
, &iov_or_mp
, &offset
, &out_data_1
,
191 &out_data_1_len
, &out_data_2
, block_size
);
193 /* copy block to where it belongs */
194 if (out_data_1_len
== block_size
) {
195 copy_block(lastp
, out_data_1
);
197 bcopy(lastp
, out_data_1
, out_data_1_len
);
198 if (out_data_2
!= NULL
) {
199 bcopy(lastp
+ out_data_1_len
,
201 block_size
- out_data_1_len
);
205 out
->cd_offset
+= block_size
;
208 /* add ciphertext to the hash */
209 GHASH(ctx
, ctx
->gcm_tmp
, ctx
->gcm_ghash
);
211 /* Update pointer to next block of data to be processed. */
212 if (ctx
->gcm_remainder_len
!= 0) {
214 ctx
->gcm_remainder_len
= 0;
219 remainder
= (size_t)&data
[length
] - (size_t)datap
;
221 /* Incomplete last block. */
222 if (remainder
> 0 && remainder
< block_size
) {
223 bcopy(datap
, ctx
->gcm_remainder
, remainder
);
224 ctx
->gcm_remainder_len
= remainder
;
225 ctx
->gcm_copy_to
= datap
;
228 ctx
->gcm_copy_to
= NULL
;
230 } while (remainder
> 0);
232 return (CRYPTO_SUCCESS
);
237 gcm_encrypt_final(gcm_ctx_t
*ctx
, crypto_data_t
*out
, size_t block_size
,
238 int (*encrypt_block
)(const void *, const uint8_t *, uint8_t *),
239 void (*copy_block
)(uint8_t *, uint8_t *),
240 void (*xor_block
)(uint8_t *, uint8_t *))
242 uint64_t counter_mask
= ntohll(0x00000000ffffffffULL
);
243 uint8_t *ghash
, *macp
= NULL
;
247 (ctx
->gcm_remainder_len
+ ctx
->gcm_tag_len
)) {
248 return (CRYPTO_DATA_LEN_RANGE
);
251 ghash
= (uint8_t *)ctx
->gcm_ghash
;
253 if (ctx
->gcm_remainder_len
> 0) {
255 uint8_t *tmpp
= (uint8_t *)ctx
->gcm_tmp
;
258 * Here is where we deal with data that is not a
259 * multiple of the block size.
265 counter
= ntohll(ctx
->gcm_cb
[1] & counter_mask
);
266 counter
= htonll(counter
+ 1);
267 counter
&= counter_mask
;
268 ctx
->gcm_cb
[1] = (ctx
->gcm_cb
[1] & ~counter_mask
) | counter
;
270 encrypt_block(ctx
->gcm_keysched
, (uint8_t *)ctx
->gcm_cb
,
271 (uint8_t *)ctx
->gcm_tmp
);
273 macp
= (uint8_t *)ctx
->gcm_remainder
;
274 bzero(macp
+ ctx
->gcm_remainder_len
,
275 block_size
- ctx
->gcm_remainder_len
);
277 /* XOR with counter block */
278 for (i
= 0; i
< ctx
->gcm_remainder_len
; i
++) {
282 /* add ciphertext to the hash */
283 GHASH(ctx
, macp
, ghash
);
285 ctx
->gcm_processed_data_len
+= ctx
->gcm_remainder_len
;
288 ctx
->gcm_len_a_len_c
[1] =
289 htonll(CRYPTO_BYTES2BITS(ctx
->gcm_processed_data_len
));
290 GHASH(ctx
, ctx
->gcm_len_a_len_c
, ghash
);
291 encrypt_block(ctx
->gcm_keysched
, (uint8_t *)ctx
->gcm_J0
,
292 (uint8_t *)ctx
->gcm_J0
);
293 xor_block((uint8_t *)ctx
->gcm_J0
, ghash
);
295 if (ctx
->gcm_remainder_len
> 0) {
296 rv
= crypto_put_output_data(macp
, out
, ctx
->gcm_remainder_len
);
297 if (rv
!= CRYPTO_SUCCESS
)
300 out
->cd_offset
+= ctx
->gcm_remainder_len
;
301 ctx
->gcm_remainder_len
= 0;
302 rv
= crypto_put_output_data(ghash
, out
, ctx
->gcm_tag_len
);
303 if (rv
!= CRYPTO_SUCCESS
)
305 out
->cd_offset
+= ctx
->gcm_tag_len
;
307 return (CRYPTO_SUCCESS
);
311 * This will only deal with decrypting the last block of the input that
312 * might not be a multiple of block length.
315 gcm_decrypt_incomplete_block(gcm_ctx_t
*ctx
, size_t block_size
, size_t index
,
316 int (*encrypt_block
)(const void *, const uint8_t *, uint8_t *),
317 void (*xor_block
)(uint8_t *, uint8_t *))
319 uint8_t *datap
, *outp
, *counterp
;
321 uint64_t counter_mask
= ntohll(0x00000000ffffffffULL
);
326 * Counter bits are confined to the bottom 32 bits
328 counter
= ntohll(ctx
->gcm_cb
[1] & counter_mask
);
329 counter
= htonll(counter
+ 1);
330 counter
&= counter_mask
;
331 ctx
->gcm_cb
[1] = (ctx
->gcm_cb
[1] & ~counter_mask
) | counter
;
333 datap
= (uint8_t *)ctx
->gcm_remainder
;
334 outp
= &((ctx
->gcm_pt_buf
)[index
]);
335 counterp
= (uint8_t *)ctx
->gcm_tmp
;
337 /* authentication tag */
338 bzero((uint8_t *)ctx
->gcm_tmp
, block_size
);
339 bcopy(datap
, (uint8_t *)ctx
->gcm_tmp
, ctx
->gcm_remainder_len
);
341 /* add ciphertext to the hash */
342 GHASH(ctx
, ctx
->gcm_tmp
, ctx
->gcm_ghash
);
344 /* decrypt remaining ciphertext */
345 encrypt_block(ctx
->gcm_keysched
, (uint8_t *)ctx
->gcm_cb
, counterp
);
347 /* XOR with counter block */
348 for (i
= 0; i
< ctx
->gcm_remainder_len
; i
++) {
349 outp
[i
] = datap
[i
] ^ counterp
[i
];
355 gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t
*ctx
, char *data
, size_t length
,
356 crypto_data_t
*out
, size_t block_size
,
357 int (*encrypt_block
)(const void *, const uint8_t *, uint8_t *),
358 void (*copy_block
)(uint8_t *, uint8_t *),
359 void (*xor_block
)(uint8_t *, uint8_t *))
365 * Copy contiguous ciphertext input blocks to plaintext buffer.
366 * Ciphertext will be decrypted in the final.
369 new_len
= ctx
->gcm_pt_buf_len
+ length
;
370 new = vmem_alloc(new_len
, ctx
->gcm_kmflag
);
371 bcopy(ctx
->gcm_pt_buf
, new, ctx
->gcm_pt_buf_len
);
372 vmem_free(ctx
->gcm_pt_buf
, ctx
->gcm_pt_buf_len
);
374 return (CRYPTO_HOST_MEMORY
);
376 ctx
->gcm_pt_buf
= new;
377 ctx
->gcm_pt_buf_len
= new_len
;
378 bcopy(data
, &ctx
->gcm_pt_buf
[ctx
->gcm_processed_data_len
],
380 ctx
->gcm_processed_data_len
+= length
;
383 ctx
->gcm_remainder_len
= 0;
384 return (CRYPTO_SUCCESS
);
388 gcm_decrypt_final(gcm_ctx_t
*ctx
, crypto_data_t
*out
, size_t block_size
,
389 int (*encrypt_block
)(const void *, const uint8_t *, uint8_t *),
390 void (*xor_block
)(uint8_t *, uint8_t *))
398 uint64_t counter_mask
= ntohll(0x00000000ffffffffULL
);
399 int processed
= 0, rv
;
401 ASSERT(ctx
->gcm_processed_data_len
== ctx
->gcm_pt_buf_len
);
403 pt_len
= ctx
->gcm_processed_data_len
- ctx
->gcm_tag_len
;
404 ghash
= (uint8_t *)ctx
->gcm_ghash
;
405 blockp
= ctx
->gcm_pt_buf
;
407 while (remainder
> 0) {
408 /* Incomplete last block */
409 if (remainder
< block_size
) {
410 bcopy(blockp
, ctx
->gcm_remainder
, remainder
);
411 ctx
->gcm_remainder_len
= remainder
;
413 * not expecting anymore ciphertext, just
414 * compute plaintext for the remaining input
416 gcm_decrypt_incomplete_block(ctx
, block_size
,
417 processed
, encrypt_block
, xor_block
);
418 ctx
->gcm_remainder_len
= 0;
421 /* add ciphertext to the hash */
422 GHASH(ctx
, blockp
, ghash
);
426 * Counter bits are confined to the bottom 32 bits
428 counter
= ntohll(ctx
->gcm_cb
[1] & counter_mask
);
429 counter
= htonll(counter
+ 1);
430 counter
&= counter_mask
;
431 ctx
->gcm_cb
[1] = (ctx
->gcm_cb
[1] & ~counter_mask
) | counter
;
433 cbp
= (uint8_t *)ctx
->gcm_tmp
;
434 encrypt_block(ctx
->gcm_keysched
, (uint8_t *)ctx
->gcm_cb
, cbp
);
436 /* XOR with ciphertext */
437 xor_block(cbp
, blockp
);
439 processed
+= block_size
;
440 blockp
+= block_size
;
441 remainder
-= block_size
;
444 ctx
->gcm_len_a_len_c
[1] = htonll(CRYPTO_BYTES2BITS(pt_len
));
445 GHASH(ctx
, ctx
->gcm_len_a_len_c
, ghash
);
446 encrypt_block(ctx
->gcm_keysched
, (uint8_t *)ctx
->gcm_J0
,
447 (uint8_t *)ctx
->gcm_J0
);
448 xor_block((uint8_t *)ctx
->gcm_J0
, ghash
);
450 /* compare the input authentication tag with what we calculated */
451 if (bcmp(&ctx
->gcm_pt_buf
[pt_len
], ghash
, ctx
->gcm_tag_len
)) {
452 /* They don't match */
453 return (CRYPTO_INVALID_MAC
);
455 rv
= crypto_put_output_data(ctx
->gcm_pt_buf
, out
, pt_len
);
456 if (rv
!= CRYPTO_SUCCESS
)
458 out
->cd_offset
+= pt_len
;
460 return (CRYPTO_SUCCESS
);
464 gcm_validate_args(CK_AES_GCM_PARAMS
*gcm_param
)
469 * Check the length of the authentication tag (in bits).
471 tag_len
= gcm_param
->ulTagBits
;
482 return (CRYPTO_MECHANISM_PARAM_INVALID
);
485 if (gcm_param
->ulIvLen
== 0)
486 return (CRYPTO_MECHANISM_PARAM_INVALID
);
488 return (CRYPTO_SUCCESS
);
492 gcm_format_initial_blocks(uchar_t
*iv
, ulong_t iv_len
,
493 gcm_ctx_t
*ctx
, size_t block_size
,
494 void (*copy_block
)(uint8_t *, uint8_t *),
495 void (*xor_block
)(uint8_t *, uint8_t *))
498 ulong_t remainder
= iv_len
;
499 ulong_t processed
= 0;
500 uint8_t *datap
, *ghash
;
501 uint64_t len_a_len_c
[2];
503 ghash
= (uint8_t *)ctx
->gcm_ghash
;
504 cb
= (uint8_t *)ctx
->gcm_cb
;
511 /* J0 will be used again in the final */
512 copy_block(cb
, (uint8_t *)ctx
->gcm_J0
);
516 if (remainder
< block_size
) {
517 bzero(cb
, block_size
);
518 bcopy(&(iv
[processed
]), cb
, remainder
);
519 datap
= (uint8_t *)cb
;
522 datap
= (uint8_t *)(&(iv
[processed
]));
523 processed
+= block_size
;
524 remainder
-= block_size
;
526 GHASH(ctx
, datap
, ghash
);
527 } while (remainder
> 0);
530 len_a_len_c
[1] = htonll(CRYPTO_BYTES2BITS(iv_len
));
531 GHASH(ctx
, len_a_len_c
, ctx
->gcm_J0
);
533 /* J0 will be used again in the final */
534 copy_block((uint8_t *)ctx
->gcm_J0
, (uint8_t *)cb
);
539 * The following function is called at encrypt or decrypt init time
543 gcm_init(gcm_ctx_t
*ctx
, unsigned char *iv
, size_t iv_len
,
544 unsigned char *auth_data
, size_t auth_data_len
, size_t block_size
,
545 int (*encrypt_block
)(const void *, const uint8_t *, uint8_t *),
546 void (*copy_block
)(uint8_t *, uint8_t *),
547 void (*xor_block
)(uint8_t *, uint8_t *))
549 uint8_t *ghash
, *datap
, *authp
;
550 size_t remainder
, processed
;
552 /* encrypt zero block to get subkey H */
553 bzero(ctx
->gcm_H
, sizeof (ctx
->gcm_H
));
554 encrypt_block(ctx
->gcm_keysched
, (uint8_t *)ctx
->gcm_H
,
555 (uint8_t *)ctx
->gcm_H
);
557 gcm_format_initial_blocks(iv
, iv_len
, ctx
, block_size
,
558 copy_block
, xor_block
);
560 authp
= (uint8_t *)ctx
->gcm_tmp
;
561 ghash
= (uint8_t *)ctx
->gcm_ghash
;
562 bzero(authp
, block_size
);
563 bzero(ghash
, block_size
);
566 remainder
= auth_data_len
;
568 if (remainder
< block_size
) {
570 * There's not a block full of data, pad rest of
573 bzero(authp
, block_size
);
574 bcopy(&(auth_data
[processed
]), authp
, remainder
);
575 datap
= (uint8_t *)authp
;
578 datap
= (uint8_t *)(&(auth_data
[processed
]));
579 processed
+= block_size
;
580 remainder
-= block_size
;
583 /* add auth data to the hash */
584 GHASH(ctx
, datap
, ghash
);
586 } while (remainder
> 0);
588 return (CRYPTO_SUCCESS
);
592 gcm_init_ctx(gcm_ctx_t
*gcm_ctx
, char *param
, size_t block_size
,
593 int (*encrypt_block
)(const void *, const uint8_t *, uint8_t *),
594 void (*copy_block
)(uint8_t *, uint8_t *),
595 void (*xor_block
)(uint8_t *, uint8_t *))
598 CK_AES_GCM_PARAMS
*gcm_param
;
601 gcm_param
= (CK_AES_GCM_PARAMS
*)(void *)param
;
603 if ((rv
= gcm_validate_args(gcm_param
)) != 0) {
607 gcm_ctx
->gcm_tag_len
= gcm_param
->ulTagBits
;
608 gcm_ctx
->gcm_tag_len
>>= 3;
609 gcm_ctx
->gcm_processed_data_len
= 0;
611 /* these values are in bits */
612 gcm_ctx
->gcm_len_a_len_c
[0]
613 = htonll(CRYPTO_BYTES2BITS(gcm_param
->ulAADLen
));
616 gcm_ctx
->gcm_flags
|= GCM_MODE
;
618 rv
= CRYPTO_MECHANISM_PARAM_INVALID
;
622 if (gcm_init(gcm_ctx
, gcm_param
->pIv
, gcm_param
->ulIvLen
,
623 gcm_param
->pAAD
, gcm_param
->ulAADLen
, block_size
,
624 encrypt_block
, copy_block
, xor_block
) != 0) {
625 rv
= CRYPTO_MECHANISM_PARAM_INVALID
;
632 gmac_init_ctx(gcm_ctx_t
*gcm_ctx
, char *param
, size_t block_size
,
633 int (*encrypt_block
)(const void *, const uint8_t *, uint8_t *),
634 void (*copy_block
)(uint8_t *, uint8_t *),
635 void (*xor_block
)(uint8_t *, uint8_t *))
638 CK_AES_GMAC_PARAMS
*gmac_param
;
641 gmac_param
= (CK_AES_GMAC_PARAMS
*)(void *)param
;
643 gcm_ctx
->gcm_tag_len
= CRYPTO_BITS2BYTES(AES_GMAC_TAG_BITS
);
644 gcm_ctx
->gcm_processed_data_len
= 0;
646 /* these values are in bits */
647 gcm_ctx
->gcm_len_a_len_c
[0]
648 = htonll(CRYPTO_BYTES2BITS(gmac_param
->ulAADLen
));
651 gcm_ctx
->gcm_flags
|= GMAC_MODE
;
653 rv
= CRYPTO_MECHANISM_PARAM_INVALID
;
657 if (gcm_init(gcm_ctx
, gmac_param
->pIv
, AES_GMAC_IV_LEN
,
658 gmac_param
->pAAD
, gmac_param
->ulAADLen
, block_size
,
659 encrypt_block
, copy_block
, xor_block
) != 0) {
660 rv
= CRYPTO_MECHANISM_PARAM_INVALID
;
667 gcm_alloc_ctx(int kmflag
)
671 if ((gcm_ctx
= kmem_zalloc(sizeof (gcm_ctx_t
), kmflag
)) == NULL
)
674 gcm_ctx
->gcm_flags
= GCM_MODE
;
679 gmac_alloc_ctx(int kmflag
)
683 if ((gcm_ctx
= kmem_zalloc(sizeof (gcm_ctx_t
), kmflag
)) == NULL
)
686 gcm_ctx
->gcm_flags
= GMAC_MODE
;
691 gcm_set_kmflag(gcm_ctx_t
*ctx
, int kmflag
)
693 ctx
->gcm_kmflag
= kmflag
;
699 #define INTEL_PCLMULQDQ_FLAG (1 << 1)
702 * Return 1 if executing on Intel with PCLMULQDQ instructions,
703 * otherwise 0 (i.e., Intel without PCLMULQDQ or AMD64).
704 * Cache the result, as the CPU can't change.
706 * Note: the userland version uses getisax(). The kernel version uses
707 * is_x86_featureset().
710 intel_pclmulqdq_instruction_present(void)
712 static int cached_result
= -1;
713 unsigned eax
, ebx
, ecx
, edx
;
714 unsigned func
, subfunc
;
716 if (cached_result
== -1) { /* first time */
717 /* check for an intel cpu */
721 __asm__
__volatile__(
723 : "=a" (eax
), "=b" (ebx
), "=c" (ecx
), "=d" (edx
)
724 : "a"(func
), "c"(subfunc
));
726 if (memcmp((char *) (&ebx
), "Genu", 4) == 0 &&
727 memcmp((char *) (&edx
), "ineI", 4) == 0 &&
728 memcmp((char *) (&ecx
), "ntel", 4) == 0) {
733 /* check for aes-ni instruction set */
734 __asm__
__volatile__(
736 : "=a" (eax
), "=b" (ebx
), "=c" (ecx
), "=d" (edx
)
737 : "a"(func
), "c"(subfunc
));
739 cached_result
= !!(ecx
& INTEL_PCLMULQDQ_FLAG
);
745 return (cached_result
);