1eda14cbcSMatt Macy /*
2eda14cbcSMatt Macy * CDDL HEADER START
3eda14cbcSMatt Macy *
4eda14cbcSMatt Macy * The contents of this file are subject to the terms of the
5eda14cbcSMatt Macy * Common Development and Distribution License (the "License").
6eda14cbcSMatt Macy * You may not use this file except in compliance with the License.
7eda14cbcSMatt Macy *
8eda14cbcSMatt Macy * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9*271171e0SMartin Matuska * or https://opensource.org/licenses/CDDL-1.0.
10eda14cbcSMatt Macy * See the License for the specific language governing permissions
11eda14cbcSMatt Macy * and limitations under the License.
12eda14cbcSMatt Macy *
13eda14cbcSMatt Macy * When distributing Covered Code, include this CDDL HEADER in each
14eda14cbcSMatt Macy * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15eda14cbcSMatt Macy * If applicable, add the following below this CDDL HEADER, with the
16eda14cbcSMatt Macy * fields enclosed by brackets "[]" replaced with your own identifying
17eda14cbcSMatt Macy * information: Portions Copyright [yyyy] [name of copyright owner]
18eda14cbcSMatt Macy *
19eda14cbcSMatt Macy * CDDL HEADER END
20eda14cbcSMatt Macy */
21eda14cbcSMatt Macy /*
22eda14cbcSMatt Macy * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23eda14cbcSMatt Macy * Use is subject to license terms.
24eda14cbcSMatt Macy */
25eda14cbcSMatt Macy
26eda14cbcSMatt Macy #include <sys/zfs_context.h>
27eda14cbcSMatt Macy #include <modes/modes.h>
28eda14cbcSMatt Macy #include <sys/crypto/common.h>
29eda14cbcSMatt Macy #include <sys/crypto/impl.h>
30eda14cbcSMatt Macy #include <sys/byteorder.h>
31eda14cbcSMatt Macy
32eda14cbcSMatt Macy /*
33eda14cbcSMatt Macy * Encrypt and decrypt multiple blocks of data in counter mode.
34eda14cbcSMatt Macy */
35eda14cbcSMatt Macy int
ctr_mode_contiguous_blocks(ctr_ctx_t * ctx,char * data,size_t length,crypto_data_t * out,size_t block_size,int (* cipher)(const void * ks,const uint8_t * pt,uint8_t * ct),void (* xor_block)(uint8_t *,uint8_t *))36eda14cbcSMatt Macy ctr_mode_contiguous_blocks(ctr_ctx_t *ctx, char *data, size_t length,
37eda14cbcSMatt Macy crypto_data_t *out, size_t block_size,
38eda14cbcSMatt Macy int (*cipher)(const void *ks, const uint8_t *pt, uint8_t *ct),
39eda14cbcSMatt Macy void (*xor_block)(uint8_t *, uint8_t *))
40eda14cbcSMatt Macy {
41eda14cbcSMatt Macy size_t remainder = length;
42eda14cbcSMatt Macy size_t need = 0;
43eda14cbcSMatt Macy uint8_t *datap = (uint8_t *)data;
44eda14cbcSMatt Macy uint8_t *blockp;
45eda14cbcSMatt Macy uint8_t *lastp;
46eda14cbcSMatt Macy void *iov_or_mp;
47eda14cbcSMatt Macy offset_t offset;
48eda14cbcSMatt Macy uint8_t *out_data_1;
49eda14cbcSMatt Macy uint8_t *out_data_2;
50eda14cbcSMatt Macy size_t out_data_1_len;
51eda14cbcSMatt Macy uint64_t lower_counter, upper_counter;
52eda14cbcSMatt Macy
53eda14cbcSMatt Macy if (length + ctx->ctr_remainder_len < block_size) {
54eda14cbcSMatt Macy /* accumulate bytes here and return */
55da5137abSMartin Matuska memcpy((uint8_t *)ctx->ctr_remainder + ctx->ctr_remainder_len,
56da5137abSMartin Matuska datap,
57eda14cbcSMatt Macy length);
58eda14cbcSMatt Macy ctx->ctr_remainder_len += length;
59eda14cbcSMatt Macy ctx->ctr_copy_to = datap;
60eda14cbcSMatt Macy return (CRYPTO_SUCCESS);
61eda14cbcSMatt Macy }
62eda14cbcSMatt Macy
63eda14cbcSMatt Macy crypto_init_ptrs(out, &iov_or_mp, &offset);
64eda14cbcSMatt Macy
65eda14cbcSMatt Macy do {
66eda14cbcSMatt Macy /* Unprocessed data from last call. */
67eda14cbcSMatt Macy if (ctx->ctr_remainder_len > 0) {
68eda14cbcSMatt Macy need = block_size - ctx->ctr_remainder_len;
69eda14cbcSMatt Macy
70eda14cbcSMatt Macy if (need > remainder)
71eda14cbcSMatt Macy return (CRYPTO_DATA_LEN_RANGE);
72eda14cbcSMatt Macy
73da5137abSMartin Matuska memcpy(&((uint8_t *)ctx->ctr_remainder)
74da5137abSMartin Matuska [ctx->ctr_remainder_len], datap, need);
75eda14cbcSMatt Macy
76eda14cbcSMatt Macy blockp = (uint8_t *)ctx->ctr_remainder;
77eda14cbcSMatt Macy } else {
78eda14cbcSMatt Macy blockp = datap;
79eda14cbcSMatt Macy }
80eda14cbcSMatt Macy
81eda14cbcSMatt Macy /* ctr_cb is the counter block */
82eda14cbcSMatt Macy cipher(ctx->ctr_keysched, (uint8_t *)ctx->ctr_cb,
83eda14cbcSMatt Macy (uint8_t *)ctx->ctr_tmp);
84eda14cbcSMatt Macy
85eda14cbcSMatt Macy lastp = (uint8_t *)ctx->ctr_tmp;
86eda14cbcSMatt Macy
87eda14cbcSMatt Macy /*
88eda14cbcSMatt Macy * Increment Counter.
89eda14cbcSMatt Macy */
90eda14cbcSMatt Macy lower_counter = ntohll(ctx->ctr_cb[1] & ctx->ctr_lower_mask);
91eda14cbcSMatt Macy lower_counter = htonll(lower_counter + 1);
92eda14cbcSMatt Macy lower_counter &= ctx->ctr_lower_mask;
93eda14cbcSMatt Macy ctx->ctr_cb[1] = (ctx->ctr_cb[1] & ~(ctx->ctr_lower_mask)) |
94eda14cbcSMatt Macy lower_counter;
95eda14cbcSMatt Macy
96eda14cbcSMatt Macy /* wrap around */
97eda14cbcSMatt Macy if (lower_counter == 0) {
98eda14cbcSMatt Macy upper_counter =
99eda14cbcSMatt Macy ntohll(ctx->ctr_cb[0] & ctx->ctr_upper_mask);
100eda14cbcSMatt Macy upper_counter = htonll(upper_counter + 1);
101eda14cbcSMatt Macy upper_counter &= ctx->ctr_upper_mask;
102eda14cbcSMatt Macy ctx->ctr_cb[0] =
103eda14cbcSMatt Macy (ctx->ctr_cb[0] & ~(ctx->ctr_upper_mask)) |
104eda14cbcSMatt Macy upper_counter;
105eda14cbcSMatt Macy }
106eda14cbcSMatt Macy
107eda14cbcSMatt Macy /*
108eda14cbcSMatt Macy * XOR encrypted counter block with the current clear block.
109eda14cbcSMatt Macy */
110eda14cbcSMatt Macy xor_block(blockp, lastp);
111eda14cbcSMatt Macy
112eda14cbcSMatt Macy crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
113eda14cbcSMatt Macy &out_data_1_len, &out_data_2, block_size);
114eda14cbcSMatt Macy
115eda14cbcSMatt Macy /* copy block to where it belongs */
116da5137abSMartin Matuska memcpy(out_data_1, lastp, out_data_1_len);
117eda14cbcSMatt Macy if (out_data_2 != NULL) {
118da5137abSMartin Matuska memcpy(out_data_2, lastp + out_data_1_len,
119eda14cbcSMatt Macy block_size - out_data_1_len);
120eda14cbcSMatt Macy }
121eda14cbcSMatt Macy /* update offset */
122eda14cbcSMatt Macy out->cd_offset += block_size;
123eda14cbcSMatt Macy
124eda14cbcSMatt Macy /* Update pointer to next block of data to be processed. */
125eda14cbcSMatt Macy if (ctx->ctr_remainder_len != 0) {
126eda14cbcSMatt Macy datap += need;
127eda14cbcSMatt Macy ctx->ctr_remainder_len = 0;
128eda14cbcSMatt Macy } else {
129eda14cbcSMatt Macy datap += block_size;
130eda14cbcSMatt Macy }
131eda14cbcSMatt Macy
132eda14cbcSMatt Macy remainder = (size_t)&data[length] - (size_t)datap;
133eda14cbcSMatt Macy
134eda14cbcSMatt Macy /* Incomplete last block. */
135eda14cbcSMatt Macy if (remainder > 0 && remainder < block_size) {
136da5137abSMartin Matuska memcpy(ctx->ctr_remainder, datap, remainder);
137eda14cbcSMatt Macy ctx->ctr_remainder_len = remainder;
138eda14cbcSMatt Macy ctx->ctr_copy_to = datap;
139eda14cbcSMatt Macy goto out;
140eda14cbcSMatt Macy }
141eda14cbcSMatt Macy ctx->ctr_copy_to = NULL;
142eda14cbcSMatt Macy
143eda14cbcSMatt Macy } while (remainder > 0);
144eda14cbcSMatt Macy
145eda14cbcSMatt Macy out:
146eda14cbcSMatt Macy return (CRYPTO_SUCCESS);
147eda14cbcSMatt Macy }
148eda14cbcSMatt Macy
149eda14cbcSMatt Macy int
ctr_mode_final(ctr_ctx_t * ctx,crypto_data_t * out,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *))150eda14cbcSMatt Macy ctr_mode_final(ctr_ctx_t *ctx, crypto_data_t *out,
151eda14cbcSMatt Macy int (*encrypt_block)(const void *, const uint8_t *, uint8_t *))
152eda14cbcSMatt Macy {
153eda14cbcSMatt Macy uint8_t *lastp;
154eda14cbcSMatt Macy void *iov_or_mp;
155eda14cbcSMatt Macy offset_t offset;
156eda14cbcSMatt Macy uint8_t *out_data_1;
157eda14cbcSMatt Macy uint8_t *out_data_2;
158eda14cbcSMatt Macy size_t out_data_1_len;
159eda14cbcSMatt Macy uint8_t *p;
160eda14cbcSMatt Macy int i;
161eda14cbcSMatt Macy
162eda14cbcSMatt Macy if (out->cd_length < ctx->ctr_remainder_len)
163eda14cbcSMatt Macy return (CRYPTO_DATA_LEN_RANGE);
164eda14cbcSMatt Macy
165eda14cbcSMatt Macy encrypt_block(ctx->ctr_keysched, (uint8_t *)ctx->ctr_cb,
166eda14cbcSMatt Macy (uint8_t *)ctx->ctr_tmp);
167eda14cbcSMatt Macy
168eda14cbcSMatt Macy lastp = (uint8_t *)ctx->ctr_tmp;
169eda14cbcSMatt Macy p = (uint8_t *)ctx->ctr_remainder;
170eda14cbcSMatt Macy for (i = 0; i < ctx->ctr_remainder_len; i++) {
171eda14cbcSMatt Macy p[i] ^= lastp[i];
172eda14cbcSMatt Macy }
173eda14cbcSMatt Macy
174eda14cbcSMatt Macy crypto_init_ptrs(out, &iov_or_mp, &offset);
175eda14cbcSMatt Macy crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
176eda14cbcSMatt Macy &out_data_1_len, &out_data_2, ctx->ctr_remainder_len);
177eda14cbcSMatt Macy
178da5137abSMartin Matuska memcpy(out_data_1, p, out_data_1_len);
179eda14cbcSMatt Macy if (out_data_2 != NULL) {
180da5137abSMartin Matuska memcpy(out_data_2,
181da5137abSMartin Matuska (uint8_t *)p + out_data_1_len,
182da5137abSMartin Matuska ctx->ctr_remainder_len - out_data_1_len);
183eda14cbcSMatt Macy }
184eda14cbcSMatt Macy out->cd_offset += ctx->ctr_remainder_len;
185eda14cbcSMatt Macy ctx->ctr_remainder_len = 0;
186eda14cbcSMatt Macy return (CRYPTO_SUCCESS);
187eda14cbcSMatt Macy }
188eda14cbcSMatt Macy
189eda14cbcSMatt Macy int
ctr_init_ctx(ctr_ctx_t * ctr_ctx,ulong_t count,uint8_t * cb,void (* copy_block)(uint8_t *,uint8_t *))190eda14cbcSMatt Macy ctr_init_ctx(ctr_ctx_t *ctr_ctx, ulong_t count, uint8_t *cb,
191eda14cbcSMatt Macy void (*copy_block)(uint8_t *, uint8_t *))
192eda14cbcSMatt Macy {
193eda14cbcSMatt Macy uint64_t upper_mask = 0;
194eda14cbcSMatt Macy uint64_t lower_mask = 0;
195eda14cbcSMatt Macy
196eda14cbcSMatt Macy if (count == 0 || count > 128) {
197eda14cbcSMatt Macy return (CRYPTO_MECHANISM_PARAM_INVALID);
198eda14cbcSMatt Macy }
199eda14cbcSMatt Macy /* upper 64 bits of the mask */
200eda14cbcSMatt Macy if (count >= 64) {
201eda14cbcSMatt Macy count -= 64;
202eda14cbcSMatt Macy upper_mask = (count == 64) ? UINT64_MAX : (1ULL << count) - 1;
203eda14cbcSMatt Macy lower_mask = UINT64_MAX;
204eda14cbcSMatt Macy } else {
205eda14cbcSMatt Macy /* now the lower 63 bits */
206eda14cbcSMatt Macy lower_mask = (1ULL << count) - 1;
207eda14cbcSMatt Macy }
208eda14cbcSMatt Macy ctr_ctx->ctr_lower_mask = htonll(lower_mask);
209eda14cbcSMatt Macy ctr_ctx->ctr_upper_mask = htonll(upper_mask);
210eda14cbcSMatt Macy
211eda14cbcSMatt Macy copy_block(cb, (uchar_t *)ctr_ctx->ctr_cb);
212eda14cbcSMatt Macy ctr_ctx->ctr_lastp = (uint8_t *)&ctr_ctx->ctr_cb[0];
213eda14cbcSMatt Macy ctr_ctx->ctr_flags |= CTR_MODE;
214eda14cbcSMatt Macy return (CRYPTO_SUCCESS);
215eda14cbcSMatt Macy }
216eda14cbcSMatt Macy
217eda14cbcSMatt Macy void *
ctr_alloc_ctx(int kmflag)218eda14cbcSMatt Macy ctr_alloc_ctx(int kmflag)
219eda14cbcSMatt Macy {
220eda14cbcSMatt Macy ctr_ctx_t *ctr_ctx;
221eda14cbcSMatt Macy
222eda14cbcSMatt Macy if ((ctr_ctx = kmem_zalloc(sizeof (ctr_ctx_t), kmflag)) == NULL)
223eda14cbcSMatt Macy return (NULL);
224eda14cbcSMatt Macy
225eda14cbcSMatt Macy ctr_ctx->ctr_flags = CTR_MODE;
226eda14cbcSMatt Macy return (ctr_ctx);
227eda14cbcSMatt Macy }
228