1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 *
25 * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
26 * Copyright 2019 Joyent, Inc.
27 */
28
29#ifndef	_COMMON_CRYPTO_MODES_H
30#define	_COMMON_CRYPTO_MODES_H
31
32#ifdef	__cplusplus
33extern "C" {
34#endif
35
36#include <sys/strsun.h>
37#include <sys/systm.h>
38#include <sys/sysmacros.h>
39#include <sys/types.h>
40#include <sys/errno.h>
41#include <sys/rwlock.h>
42#include <sys/kmem.h>
43#include <sys/crypto/common.h>
44#include <sys/crypto/impl.h>
45
/*
 * Cipher-mode selector bits.  Every value is a distinct single bit, so a
 * flags word can be tested with a mask.  The common_ctx comment in this
 * header names ECB/CBC/CTR/CCM as values kept in cc_flags.
 * NOTE(review): bit 0x00000001 is not assigned here; presumably it is
 * PROVIDER_OWNS_KEY_SCHEDULE from another header -- confirm before
 * allocating a new bit.
 */
46#define	ECB_MODE			0x00000002
47#define	CBC_MODE			0x00000004
48#define	CTR_MODE			0x00000008
49#define	CCM_MODE			0x00000010
50#define	GCM_MODE			0x00000020
51#define	GMAC_MODE			0x00000040
52#define	CMAC_MODE			0x00000080
53
54/* Private flag for pkcs11_softtoken */
/* Top bit of a 32-bit flags word, clear of the mode bits above. */
55#define	P11_DECRYPTED			0x80000000
56
57/*
58 * cc_keysched:		Pointer to key schedule.
59 *
60 * cc_keysched_len:	Length of the key schedule.
61 *
62 * cc_remainder:	This is for residual data, i.e. data that can't
63 *			be processed because there are too few bytes.
64 *			Must wait until more data arrives.
65 *
66 * cc_remainder_len:	Number of bytes in cc_remainder.
67 *
68 * cc_iv:		Scratch buffer that sometimes contains the IV.
69 *
70 * cc_lastp:		Pointer to previous block of ciphertext.
71 *
72 * cc_copy_to:		Pointer to where encrypted residual data needs
73 *			to be copied.
74 *
75 * cc_flags:		PROVIDER_OWNS_KEY_SCHEDULE
76 *			When a context is freed, it is necessary
77 *			to know whether the key schedule was allocated
78 *			by the caller, or internally, e.g. an init routine.
79 *			If allocated by the latter, then it needs to be freed.
80 *
81 *			ECB_MODE, CBC_MODE, CTR_MODE, or CCM_MODE
 *			(GCM_MODE, GMAC_MODE and CMAC_MODE are defined
 *			in the same bit space above.)
82 */
/*
 * Shared state embedded as the first member of every mode context in this
 * header.  It references the key schedule and holds the IV / counter
 * block and buffered residual input; the key schedule and the buffered
 * input are sensitive.
 * NOTE(review): nothing in this header shows the context being zeroed on
 * release; confirm crypto_free_mode_ctx() and its callers clear
 * cc_keysched (when provider-owned), cc_iv and cc_remainder before the
 * memory is freed.
 */
83struct common_ctx {
84	void *cc_keysched;		/* key schedule; ownership per cc_flags */
85	size_t cc_keysched_len;
86	uint64_t cc_iv[2];		/* 16 bytes */
87	uint64_t cc_remainder[2];	/* 16 bytes of buffered residual input */
88	size_t cc_remainder_len;	/* valid bytes; must stay <= 16 */
89	uint8_t *cc_lastp;
90	uint8_t *cc_copy_to;
91	uint32_t cc_flags;		/* ownership flag and mode bits */
92};
93
94typedef struct common_ctx common_ctx_t;
95
/*
 * ECB context: the shared state plus ecb_lastblock.
 * NOTE(review): ecb_lastblock is not described in this header; confirm
 * its role in the implementation.  ECB encrypts each block independently,
 * so equal plaintext blocks produce equal ciphertext blocks and no
 * integrity is provided; the CCM/GCM contexts below are the authenticated
 * alternatives.
 */
96typedef struct ecb_ctx {
97	struct common_ctx ecb_common;
98	uint64_t ecb_lastblock[2];
99} ecb_ctx_t;
100
/* Mode-specific names for the embedded common_ctx fields. */
101#define	ecb_keysched		ecb_common.cc_keysched
102#define	ecb_keysched_len	ecb_common.cc_keysched_len
103#define	ecb_iv			ecb_common.cc_iv
104#define	ecb_remainder		ecb_common.cc_remainder
105#define	ecb_remainder_len	ecb_common.cc_remainder_len
106#define	ecb_lastp		ecb_common.cc_lastp
107#define	ecb_copy_to		ecb_common.cc_copy_to
108#define	ecb_flags		ecb_common.cc_flags
109
110/*
111 * max_remain			max bytes in cbc_remainder
112 */
/*
 * CBC context.  cmac_init_ctx() and cmac_mode_final(), declared later in
 * this header, take the same cbc_ctx_t.
 * NOTE(review): CBC gives confidentiality only, so callers need a
 * separate integrity check, and the IV (presumably the char * argument of
 * cbc_init_ctx() -- confirm) should be unpredictable per message.
 * cbc_lastblock is not described in this header.
 */
113typedef struct cbc_ctx {
114	struct common_ctx cbc_common;
115	uint64_t cbc_lastblock[2];
116	size_t max_remain;
117} cbc_ctx_t;
118
/* Mode-specific names for the embedded common_ctx fields. */
119#define	cbc_keysched		cbc_common.cc_keysched
120#define	cbc_keysched_len	cbc_common.cc_keysched_len
121#define	cbc_iv			cbc_common.cc_iv
122#define	cbc_remainder		cbc_common.cc_remainder
123#define	cbc_remainder_len	cbc_common.cc_remainder_len
124#define	cbc_lastp		cbc_common.cc_lastp
125#define	cbc_copy_to		cbc_common.cc_copy_to
126#define	cbc_flags		cbc_common.cc_flags
127
128/*
129 * ctr_lower_mask		Bit-mask for lower 8 bytes of counter block.
130 * ctr_upper_mask		Bit-mask for upper 8 bytes of counter block.
131 */
/*
 * CTR context.  The counter block lives in the shared cc_iv field (see
 * the ctr_cb alias below); the two masks presumably mark the
 * counter-block bits that are incremented -- confirm.
 * NOTE(review): a counter block must never repeat under one key; confirm
 * the implementation reports counter wrap within the masked bits instead
 * of silently reusing keystream.  ctr_tmp is not described in this header.
 */
132typedef struct ctr_ctx {
133	struct common_ctx ctr_common;
134	uint64_t ctr_lower_mask;
135	uint64_t ctr_upper_mask;
136	uint32_t ctr_tmp[4];
137} ctr_ctx_t;
138
139/*
140 * ctr_cb			Counter block.
141 */
/* Mode-specific names for the embedded common_ctx fields. */
142#define	ctr_keysched		ctr_common.cc_keysched
143#define	ctr_keysched_len	ctr_common.cc_keysched_len
144#define	ctr_cb			ctr_common.cc_iv
145#define	ctr_remainder		ctr_common.cc_remainder
146#define	ctr_remainder_len	ctr_common.cc_remainder_len
147#define	ctr_lastp		ctr_common.cc_lastp
148#define	ctr_copy_to		ctr_common.cc_copy_to
149#define	ctr_flags		ctr_common.cc_flags
150
151/*
152 *
153 * ccm_mac_len:		Stores length of the MAC in CCM mode.
154 * ccm_mac_buf:		Stores the intermediate value for MAC in CCM encrypt.
155 *			In CCM decrypt, stores the input MAC value.
156 * ccm_data_len:	Length of the plaintext for CCM mode encrypt, or
157 *			length of the ciphertext for CCM mode decrypt.
158 * ccm_processed_data_len:
159 *			Length of processed plaintext in CCM mode encrypt,
160 *			or length of processed ciphertext for CCM mode decrypt.
161 * ccm_processed_mac_len:
162 *			Length of MAC data accumulated in CCM mode decrypt.
163 *
164 * ccm_pt_buf:		Only used in CCM mode decrypt.  It stores the
165 *			decrypted plaintext to be returned when
166 *			MAC verification succeeds in decrypt_final.
167 *			Memory for this should be allocated in the AES module.
168 *
169 */
/*
 * CCM context.  Per the field notes above, ccm_pt_buf buffers decrypted
 * plaintext until decrypt_final has verified the MAC, so it holds
 * unauthenticated plaintext for the lifetime of a decrypt operation.
 * NOTE(review): confirm ccm_pt_buf is zeroed before it is freed and is
 * never copied out when MAC verification fails.  ccm_tmp,
 * ccm_mac_input_buf and ccm_counter_mask are not described in this header.
 */
170typedef struct ccm_ctx {
171	struct common_ctx ccm_common;
172	uint32_t ccm_tmp[4];
173	size_t ccm_mac_len;		/* presumably <= 16 -- confirm */
174	uint64_t ccm_mac_buf[2];	/* 16 bytes */
175	size_t ccm_data_len;
176	size_t ccm_processed_data_len;
177	size_t ccm_processed_mac_len;
178	uint8_t *ccm_pt_buf;		/* plaintext awaiting MAC verification */
179	uint64_t ccm_mac_input_buf[2];
180	uint64_t ccm_counter_mask;
181} ccm_ctx_t;
182
/* Mode-specific names for the embedded common_ctx fields. */
183#define	ccm_keysched		ccm_common.cc_keysched
184#define	ccm_keysched_len	ccm_common.cc_keysched_len
185#define	ccm_cb			ccm_common.cc_iv
186#define	ccm_remainder		ccm_common.cc_remainder
187#define	ccm_remainder_len	ccm_common.cc_remainder_len
188#define	ccm_lastp		ccm_common.cc_lastp
189#define	ccm_copy_to		ccm_common.cc_copy_to
190#define	ccm_flags		ccm_common.cc_flags
191
192/*
193 * gcm_tag_len:		Length of authentication tag.
194 *
195 * gcm_ghash:		Stores output from the GHASH function.
196 *
197 * gcm_processed_data_len:
198 *			Length of processed plaintext (encrypt) or
199 *			length of processed ciphertext (decrypt).
200 *
201 * gcm_pt_buf:		Stores the decrypted plaintext returned by
202 *			decrypt_final when the computed authentication
203 *			tag matches the user-supplied tag.
204 *
205 * gcm_pt_buf_len:	Length of the plaintext buffer.
206 *
207 * gcm_H:		Subkey.
208 *
209 * gcm_J0:		Pre-counter block generated from the IV.
210 *
211 * gcm_len_a_len_c:	64-bit representations of the bit lengths of
212 *			AAD and ciphertext.
213 *
214 * gcm_kmflag:		Current value of kmflag. Used only for allocating
215 *			the plaintext buffer during decryption.
216 */
/*
 * GCM/GMAC context.  gcm_H (the hash subkey) and gcm_J0 (the pre-counter
 * block) are derived from the key and IV and deserve the same care as the
 * key schedule.  Per the field notes above, gcm_pt_buf holds plaintext
 * that decrypt_final returns only once the tag matches.
 * NOTE(review): confirm gcm_pt_buf, gcm_H, gcm_J0 and gcm_ghash are
 * zeroed on release, that the tag comparison in gcm_decrypt_final() is
 * constant time, and what minimum gcm_tag_len is accepted.  gcm_tmp is
 * not described in this header.
 */
217typedef struct gcm_ctx {
218	struct common_ctx gcm_common;
219	size_t gcm_tag_len;		/* units not stated here -- confirm */
220	size_t gcm_processed_data_len;
221	size_t gcm_pt_buf_len;
222	uint32_t gcm_tmp[4];
223	uint64_t gcm_ghash[2];
224	uint64_t gcm_H[2];		/* hash subkey: secret */
225	uint64_t gcm_J0[2];
226	uint64_t gcm_len_a_len_c[2];
227	uint8_t *gcm_pt_buf;		/* plaintext awaiting tag verification */
228	int gcm_kmflag;
229} gcm_ctx_t;
230
/* Mode-specific names for the embedded common_ctx fields. */
231#define	gcm_keysched		gcm_common.cc_keysched
232#define	gcm_keysched_len	gcm_common.cc_keysched_len
233#define	gcm_cb			gcm_common.cc_iv
234#define	gcm_remainder		gcm_common.cc_remainder
235#define	gcm_remainder_len	gcm_common.cc_remainder_len
236#define	gcm_lastp		gcm_common.cc_lastp
237#define	gcm_copy_to		gcm_common.cc_copy_to
238#define	gcm_flags		gcm_common.cc_flags
239
/*
 * Fixed AES-GMAC parameters.  AES_GMAC_TAG_BITS is in bits per its name;
 * AES_GMAC_IV_LEN is presumably in bytes (12 bytes = 96 bits) -- confirm.
 */
240#define	AES_GMAC_IV_LEN		12
241#define	AES_GMAC_TAG_BITS	128
242
/*
 * AES context: one union with a member per supported mode.  Every member
 * starts with struct common_ctx, so the ac_* aliases that go through
 * acu_ecb.ecb_common reach the shared fields whichever mode is active.
 * ac_pt_buf, ac_mac_len, ac_data_len and the ac_processed_* aliases go
 * through acu_ccm, and ac_tag_len goes through acu_gcm; because the union
 * members overlap in memory, those aliases are meaningful only while
 * ac_flags says the matching mode is active.
 */
243typedef struct aes_ctx {
244	union {
245		ecb_ctx_t acu_ecb;
246		cbc_ctx_t acu_cbc;
247		ctr_ctx_t acu_ctr;
248		ccm_ctx_t acu_ccm;
249		gcm_ctx_t acu_gcm;
250	} acu;
251} aes_ctx_t;
252
/* Shared fields, reachable in any mode. */
253#define	ac_flags		acu.acu_ecb.ecb_common.cc_flags
254#define	ac_remainder_len	acu.acu_ecb.ecb_common.cc_remainder_len
255#define	ac_remainder		acu.acu_ecb.ecb_common.cc_remainder
256#define	ac_keysched		acu.acu_ecb.ecb_common.cc_keysched
257#define	ac_keysched_len		acu.acu_ecb.ecb_common.cc_keysched_len
258#define	ac_iv			acu.acu_ecb.ecb_common.cc_iv
259#define	ac_lastp		acu.acu_ecb.ecb_common.cc_lastp
/* CCM-only fields; check the mode in ac_flags before use. */
260#define	ac_pt_buf		acu.acu_ccm.ccm_pt_buf
261#define	ac_mac_len		acu.acu_ccm.ccm_mac_len
262#define	ac_data_len		acu.acu_ccm.ccm_data_len
263#define	ac_processed_mac_len	acu.acu_ccm.ccm_processed_mac_len
264#define	ac_processed_data_len	acu.acu_ccm.ccm_processed_data_len
/* GCM-only field; check the mode in ac_flags before use. */
265#define	ac_tag_len		acu.acu_gcm.gcm_tag_len
266
/*
 * Blowfish context: a union of the ECB and CBC contexts only, so no
 * authenticated mode is available for this cipher through this header.
 * The bc_* aliases all go through bcu_ecb.ecb_common, which is valid for
 * either member because both begin with struct common_ctx.
 */
267typedef struct blowfish_ctx {
268	union {
269		ecb_ctx_t bcu_ecb;
270		cbc_ctx_t bcu_cbc;
271	} bcu;
272} blowfish_ctx_t;
273
274#define	bc_flags		bcu.bcu_ecb.ecb_common.cc_flags
275#define	bc_remainder_len	bcu.bcu_ecb.ecb_common.cc_remainder_len
276#define	bc_keysched		bcu.bcu_ecb.ecb_common.cc_keysched
277#define	bc_keysched_len		bcu.bcu_ecb.ecb_common.cc_keysched_len
278#define	bc_iv			bcu.bcu_ecb.ecb_common.cc_iv
279#define	bc_lastp		bcu.bcu_ecb.ecb_common.cc_lastp
280
/*
 * DES context: a union of the ECB and CBC contexts only, so no
 * authenticated mode is available for this cipher through this header.
 * The dc_* aliases all go through dcu_ecb.ecb_common, which is valid for
 * either member because both begin with struct common_ctx.
 */
281typedef struct des_ctx {
282	union {
283		ecb_ctx_t dcu_ecb;
284		cbc_ctx_t dcu_cbc;
285	} dcu;
286} des_ctx_t;
287
288#define	dc_flags		dcu.dcu_ecb.ecb_common.cc_flags
289#define	dc_remainder_len	dcu.dcu_ecb.ecb_common.cc_remainder_len
290#define	dc_keysched		dcu.dcu_ecb.ecb_common.cc_keysched
291#define	dc_keysched_len		dcu.dcu_ecb.ecb_common.cc_keysched_len
292#define	dc_iv			dcu.dcu_ecb.ecb_common.cc_iv
293#define	dc_lastp		dcu.dcu_ecb.ecb_common.cc_lastp
294
/*
 * Bulk update routines, one per mode and direction.  Parameter names are
 * omitted in these prototypes; presumably (context, input, input length,
 * output, block size, block-cipher callbacks) -- confirm against the
 * definitions.  Each returns int, which callers should check before
 * using the output.
 * NOTE(review): the CCM and GCM decrypt variants handle ciphertext whose
 * MAC/tag has not been checked yet; per the context notes in this header,
 * plaintext is returned only after decrypt_final verification succeeds.
 */
295extern int ecb_cipher_contiguous_blocks(ecb_ctx_t *, char *, size_t,
296    crypto_data_t *, size_t, int (*cipher)(const void *, const uint8_t *,
297    uint8_t *));
298
299extern int cbc_encrypt_contiguous_blocks(cbc_ctx_t *, char *, size_t,
300    crypto_data_t *, size_t,
301    int (*encrypt)(const void *, const uint8_t *, uint8_t *),
302    void (*copy_block)(uint8_t *, uint8_t *),
303    void (*xor_block)(uint8_t *, uint8_t *));
304
305extern int cbc_decrypt_contiguous_blocks(cbc_ctx_t *, char *, size_t,
306    crypto_data_t *, size_t,
307    int (*decrypt)(const void *, const uint8_t *, uint8_t *),
308    void (*copy_block)(uint8_t *, uint8_t *),
309    void (*xor_block)(uint8_t *, uint8_t *));
310
311extern int ctr_mode_contiguous_blocks(ctr_ctx_t *, char *, size_t,
312    crypto_data_t *, size_t,
313    int (*cipher)(const void *, const uint8_t *, uint8_t *),
314    void (*xor_block)(uint8_t *, uint8_t *));
315
316extern int ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
317    crypto_data_t *, size_t,
318    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
319    void (*copy_block)(uint8_t *, uint8_t *),
320    void (*xor_block)(uint8_t *, uint8_t *));
321
322extern int ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
323    crypto_data_t *, size_t,
324    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
325    void (*copy_block)(uint8_t *, uint8_t *),
326    void (*xor_block)(uint8_t *, uint8_t *));
327
328extern int gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
329    crypto_data_t *, size_t,
330    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
331    void (*copy_block)(uint8_t *, uint8_t *),
332    void (*xor_block)(uint8_t *, uint8_t *));
333
334extern int gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
335    crypto_data_t *, size_t,
336    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
337    void (*copy_block)(uint8_t *, uint8_t *),
338    void (*xor_block)(uint8_t *, uint8_t *));
339
/*
 * Finalisation routines.  Per the context notes in this header, the CCM
 * and GCM decrypt_final routines return the buffered plaintext only when
 * MAC/tag verification succeeds; their int result presumably reports that
 * verdict, so it must not be ignored -- confirm the error code used for a
 * mismatch against the definitions.
 * ccm_encrypt_final() and gcm_encrypt_final() omit "extern", which makes
 * no difference for a function declaration.
 */
340int ccm_encrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
341    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
342    void (*xor_block)(uint8_t *, uint8_t *));
343
344int gcm_encrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
345    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
346    void (*copy_block)(uint8_t *, uint8_t *),
347    void (*xor_block)(uint8_t *, uint8_t *));
348
349extern int ccm_decrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
350    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
351    void (*copy_block)(uint8_t *, uint8_t *),
352    void (*xor_block)(uint8_t *, uint8_t *));
353
354extern int gcm_decrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
355    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
356    void (*xor_block)(uint8_t *, uint8_t *));
357
/* CMAC finalisation takes the CBC context type. */
358extern int cmac_mode_final(cbc_ctx_t *, crypto_data_t *,
359    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
360    void (*xor_block)(uint8_t *, uint8_t *));
361
362extern int ctr_mode_final(ctr_ctx_t *, crypto_data_t *,
363    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *));
364
/*
 * Context initialisers.  Parameter names are omitted; the char * argument
 * presumably carries the mode parameters (IV or nonce, AAD, lengths) --
 * confirm against the definitions.
 * NOTE(review): confirm in the definitions that IV, nonce, MAC and tag
 * lengths are validated here, since the contexts store them in fixed
 * 16-byte arrays.  Nonce/counter uniqueness per key for CTR, CCM and GCM
 * is presumably left to the caller.
 */
365extern int cbc_init_ctx(cbc_ctx_t *, char *, size_t, size_t,
366    void (*copy_block)(uint8_t *, uint64_t *));
367
368extern int cmac_init_ctx(cbc_ctx_t *, size_t);
369
370extern int ctr_init_ctx(ctr_ctx_t *, ulong_t, uint8_t *,
371    void (*copy_block)(uint8_t *, uint8_t *));
372
373extern int ccm_init_ctx(ccm_ctx_t *, char *, int, boolean_t, size_t,
374    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
375    void (*xor_block)(uint8_t *, uint8_t *));
376
377extern int gcm_init_ctx(gcm_ctx_t *, char *, size_t,
378    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
379    void (*copy_block)(uint8_t *, uint8_t *),
380    void (*xor_block)(uint8_t *, uint8_t *));
381
382extern int gmac_init_ctx(gcm_ctx_t *, char *, size_t,
383    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
384    void (*copy_block)(uint8_t *, uint8_t *),
385    void (*xor_block)(uint8_t *, uint8_t *));
386
/*
 * MAC/GHASH primitives, crypto_data_t cursor helpers, and context
 * allocation and release.
 */
387extern void calculate_ccm_mac(ccm_ctx_t *, uint8_t *,
388    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *));
389
390extern void gcm_mul(uint64_t *, uint64_t *, uint64_t *);
391
392extern void crypto_init_ptrs(crypto_data_t *, void **, offset_t *);
393extern void crypto_get_ptrs(crypto_data_t *, void **, offset_t *,
394    uint8_t **, size_t *, uint8_t **, size_t);
395
/*
 * The int argument of the *_alloc_ctx() routines is presumably a kmem
 * flag (compare gcm_kmflag in gcm_ctx) -- confirm.  They return void *,
 * so callers should check for NULL before use.
 * NOTE(review): crypto_free_mode_ctx() takes an untyped pointer; confirm
 * it determines the mode from the flags word and zeroes key-dependent
 * state and any plaintext buffer before freeing.
 */
396extern void *ecb_alloc_ctx(int);
397extern void *cbc_alloc_ctx(int);
398extern void *cmac_alloc_ctx(int);
399extern void *ctr_alloc_ctx(int);
400extern void *ccm_alloc_ctx(int);
401extern void *gcm_alloc_ctx(int);
402extern void *gmac_alloc_ctx(int);
403extern void crypto_free_mode_ctx(void *);
404extern void gcm_set_kmflag(gcm_ctx_t *, int);
405extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int);
406
407#ifdef	__cplusplus
408}
409#endif
410
411#endif	/* _COMMON_CRYPTO_MODES_H */
412