OpenZFS 4185 - add new cryptographic checksums to ZFS: SHA-512, Skein, Edon-R

Reviewed by: George Wilson <[email protected]>
Reviewed by: Prakash Surya <[email protected]>
Reviewed by: Saso Kiselkov <[email protected]>
Reviewed by: Richard Lowe <[email protected]>
Approved by: Garrett D'Amore <[email protected]>
Ported by: Tony Hutter <[email protected]>

OpenZFS-issue: https://www.illumos.org/issues/4185
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/45818ee

Porting Notes:
This code is ported on top of the Illumos Crypto Framework code:

    https://github.com/zfsonlinux/zfs/pull/4329/commits/b5e030c8dbb9cd393d313571dee4756fbba8c22d

The list of porting changes includes:

- Copied module/icp/include/sha2/sha2.h directly from illumos

- Removed from module/icp/algs/sha2/sha2.c:
	#pragma inline(SHA256Init, SHA384Init, SHA512Init)

- Added 'ctx' to lib/libzfs/libzfs_sendrecv.c:zio_checksum_SHA256() since
  it now takes in an extra parameter.

- Added CTASSERT() to assert.h from for module/zfs/edonr_zfs.c

- Added skein & edonr to libicp/Makefile.am

- Added sha512.S.  It was generated from sha512-x86_64.pl in Illumos.

- Updated ztest.c with new fletcher_4_*() args; used NULL for new CTX argument.

- In icp/algs/edonr/edonr_byteorder.h, Removed the #if defined(__linux) section
  to not #include the non-existant endian.h.

- In skein_test.c, renane NULL to 0 in "no test vector" array entries to get
  around a compiler warning.

- Fixup test files:
	- Rename <sys/varargs.h> -> <varargs.h>, <strings.h> -> <string.h>,
	- Remove <note.h> and define NOTE() as NOP.
	- Define u_longlong_t
	- Rename "#!/usr/bin/ksh" -> "#!/bin/ksh -p"
	- Rename NULL to 0 in "no test vector" array entries to get around a
	  compiler warning.
	- Remove "for isa in $($ISAINFO); do" stuff
	- Add/update Makefiles
	- Add some userspace headers like stdio.h/stdlib.h in places of
	  sys/types.h.

- EXPORT_SYMBOL *_Init/*_Update/*_Final... routines in ICP modules.

- Update scripts/zfs2zol-patch.sed

- include <sys/sha2.h> in sha2_impl.h

- Add sha2.h to include/sys/Makefile.am

- Add skein and edonr dirs to icp Makefile

- Add new checksums to zpool_get.cfg

- Move checksum switch block from zfs_secpolicy_setprop() to
  zfs_check_settable()

- Fix -Wuninitialized error in edonr_byteorder.h on PPC

- Fix stack frame size errors on ARM32
  	- Don't unroll loops in Skein on 32-bit to save stack space
  	- Add memory barriers in sha2.c on 32-bit to save stack space

- Add filetest_001_pos.ksh checksum sanity test

- Add option to write psudorandom data in file_write utility

1 files changed, 183 insertions, 0 deletions

diff --git a/include/sys/skein.h b/include/sys/skein.h
new file mode 100644
index 000000000..2f649d6b2
--- /dev/null
+++ b/include/sys/skein.h
@@ -0,0 +1,183 @@
+/*
+ * Interface declarations for Skein hashing.
+ * Source code author: Doug Whiting, 2008.
+ * This algorithm and source code is released to the public domain.
+ *
+ * The following compile-time switches may be defined to control some
+ * tradeoffs between speed, code size, error checking, and security.
+ *
+ * The "default" note explains what happens when the switch is not defined.
+ *
+ *  SKEIN_DEBUG            -- make callouts from inside Skein code
+ *                            to examine/display intermediate values.
+ *                            [default: no callouts (no overhead)]
+ *
+ *  SKEIN_ERR_CHECK        -- how error checking is handled inside Skein
+ *                            code. If not defined, most error checking
+ *                            is disabled (for performance). Otherwise,
+ *                            the switch value is interpreted as:
+ *                                0: use assert()      to flag errors
+ *                                1: return SKEIN_FAIL to flag errors
+ */
+/* Copyright 2013 Doug Whiting. This code is released to the public domain. */
+#ifndef	_SYS_SKEIN_H_
+#define	_SYS_SKEIN_H_
+
+#ifdef  _KERNEL
+#include <sys/types.h>		/* get size_t definition */
+#else
+#include <stdint.h>
+#include <stdlib.h>
+#endif
+
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+enum {
+	SKEIN_SUCCESS = 0,	/* return codes from Skein calls */
+	SKEIN_FAIL = 1,
+	SKEIN_BAD_HASHLEN = 2
+};
+
+#define	SKEIN_MODIFIER_WORDS	(2)	/* number of modifier (tweak) words */
+
+#define	SKEIN_256_STATE_WORDS	(4)
+#define	SKEIN_512_STATE_WORDS	(8)
+#define	SKEIN1024_STATE_WORDS	(16)
+#define	SKEIN_MAX_STATE_WORDS	(16)
+
+#define	SKEIN_256_STATE_BYTES	(8 * SKEIN_256_STATE_WORDS)
+#define	SKEIN_512_STATE_BYTES	(8 * SKEIN_512_STATE_WORDS)
+#define	SKEIN1024_STATE_BYTES	(8 * SKEIN1024_STATE_WORDS)
+
+#define	SKEIN_256_STATE_BITS	(64 * SKEIN_256_STATE_WORDS)
+#define	SKEIN_512_STATE_BITS	(64 * SKEIN_512_STATE_WORDS)
+#define	SKEIN1024_STATE_BITS	(64 * SKEIN1024_STATE_WORDS)
+
+#define	SKEIN_256_BLOCK_BYTES	(8 * SKEIN_256_STATE_WORDS)
+#define	SKEIN_512_BLOCK_BYTES	(8 * SKEIN_512_STATE_WORDS)
+#define	SKEIN1024_BLOCK_BYTES	(8 * SKEIN1024_STATE_WORDS)
+
+typedef struct {
+	size_t hashBitLen;	/* size of hash result, in bits */
+	size_t bCnt;		/* current byte count in buffer b[] */
+	/* tweak words: T[0]=byte cnt, T[1]=flags */
+	uint64_t T[SKEIN_MODIFIER_WORDS];
+} Skein_Ctxt_Hdr_t;
+
+typedef struct {		/*  256-bit Skein hash context structure */
+	Skein_Ctxt_Hdr_t h;	/* common header context variables */
+	uint64_t X[SKEIN_256_STATE_WORDS];	/* chaining variables */
+	/* partial block buffer (8-byte aligned) */
+	uint8_t b[SKEIN_256_BLOCK_BYTES];
+} Skein_256_Ctxt_t;
+
+typedef struct {		/*  512-bit Skein hash context structure */
+	Skein_Ctxt_Hdr_t h;	/* common header context variables */
+	uint64_t X[SKEIN_512_STATE_WORDS];	/* chaining variables */
+	/* partial block buffer (8-byte aligned) */
+	uint8_t b[SKEIN_512_BLOCK_BYTES];
+} Skein_512_Ctxt_t;
+
+typedef struct {		/* 1024-bit Skein hash context structure */
+	Skein_Ctxt_Hdr_t h;	/* common header context variables */
+	uint64_t X[SKEIN1024_STATE_WORDS];	/* chaining variables */
+	/* partial block buffer (8-byte aligned) */
+	uint8_t b[SKEIN1024_BLOCK_BYTES];
+} Skein1024_Ctxt_t;
+
+/*   Skein APIs for (incremental) "straight hashing" */
+int Skein_256_Init(Skein_256_Ctxt_t *ctx, size_t hashBitLen);
+int Skein_512_Init(Skein_512_Ctxt_t *ctx, size_t hashBitLen);
+int Skein1024_Init(Skein1024_Ctxt_t *ctx, size_t hashBitLen);
+
+int Skein_256_Update(Skein_256_Ctxt_t *ctx, const uint8_t *msg,
+    size_t msgByteCnt);
+int Skein_512_Update(Skein_512_Ctxt_t *ctx, const uint8_t *msg,
+    size_t msgByteCnt);
+int Skein1024_Update(Skein1024_Ctxt_t *ctx, const uint8_t *msg,
+    size_t msgByteCnt);
+
+int Skein_256_Final(Skein_256_Ctxt_t *ctx, uint8_t *hashVal);
+int Skein_512_Final(Skein_512_Ctxt_t *ctx, uint8_t *hashVal);
+int Skein1024_Final(Skein1024_Ctxt_t *ctx, uint8_t *hashVal);
+
+/*
+ * Skein APIs for "extended" initialization: MAC keys, tree hashing.
+ * After an InitExt() call, just use Update/Final calls as with Init().
+ *
+ * Notes: Same parameters as _Init() calls, plus treeInfo/key/keyBytes.
+ *          When keyBytes == 0 and treeInfo == SKEIN_SEQUENTIAL,
+ *              the results of InitExt() are identical to calling Init().
+ *          The function Init() may be called once to "precompute" the IV for
+ *              a given hashBitLen value, then by saving a copy of the context
+ *              the IV computation may be avoided in later calls.
+ *          Similarly, the function InitExt() may be called once per MAC key
+ *              to precompute the MAC IV, then a copy of the context saved and
+ *              reused for each new MAC computation.
+ */
+int Skein_256_InitExt(Skein_256_Ctxt_t *ctx, size_t hashBitLen,
+    uint64_t treeInfo, const uint8_t *key, size_t keyBytes);
+int Skein_512_InitExt(Skein_512_Ctxt_t *ctx, size_t hashBitLen,
+    uint64_t treeInfo, const uint8_t *key, size_t keyBytes);
+int Skein1024_InitExt(Skein1024_Ctxt_t *ctx, size_t hashBitLen,
+    uint64_t treeInfo, const uint8_t *key, size_t keyBytes);
+
+/*
+ * Skein APIs for MAC and tree hash:
+ *	Final_Pad: pad, do final block, but no OUTPUT type
+ *	Output:    do just the output stage
+ */
+int Skein_256_Final_Pad(Skein_256_Ctxt_t *ctx, uint8_t *hashVal);
+int Skein_512_Final_Pad(Skein_512_Ctxt_t *ctx, uint8_t *hashVal);
+int Skein1024_Final_Pad(Skein1024_Ctxt_t *ctx, uint8_t *hashVal);
+
+#ifndef	SKEIN_TREE_HASH
+#define	SKEIN_TREE_HASH (1)
+#endif
+#if	SKEIN_TREE_HASH
+int Skein_256_Output(Skein_256_Ctxt_t *ctx, uint8_t *hashVal);
+int Skein_512_Output(Skein_512_Ctxt_t *ctx, uint8_t *hashVal);
+int Skein1024_Output(Skein1024_Ctxt_t *ctx, uint8_t *hashVal);
+#endif
+
+/*
+ * When you initialize a Skein KCF hashing method you can pass this param
+ * structure in cm_param to fine-tune the algorithm's defaults.
+ */
+typedef struct skein_param {
+	size_t	sp_digest_bitlen;		/* length of digest in bits */
+} skein_param_t;
+
+/* Module definitions */
+#ifdef	SKEIN_MODULE_IMPL
+#define	CKM_SKEIN_256				"CKM_SKEIN_256"
+#define	CKM_SKEIN_512				"CKM_SKEIN_512"
+#define	CKM_SKEIN1024				"CKM_SKEIN1024"
+#define	CKM_SKEIN_256_MAC			"CKM_SKEIN_256_MAC"
+#define	CKM_SKEIN_512_MAC			"CKM_SKEIN_512_MAC"
+#define	CKM_SKEIN1024_MAC			"CKM_SKEIN1024_MAC"
+
+typedef enum skein_mech_type {
+	SKEIN_256_MECH_INFO_TYPE,
+	SKEIN_512_MECH_INFO_TYPE,
+	SKEIN1024_MECH_INFO_TYPE,
+	SKEIN_256_MAC_MECH_INFO_TYPE,
+	SKEIN_512_MAC_MECH_INFO_TYPE,
+	SKEIN1024_MAC_MECH_INFO_TYPE
+} skein_mech_type_t;
+
+#define	VALID_SKEIN_DIGEST_MECH(__mech)				\
+	((int)(__mech) >= SKEIN_256_MECH_INFO_TYPE &&		\
+	(__mech) <= SKEIN1024_MECH_INFO_TYPE)
+#define	VALID_SKEIN_MAC_MECH(__mech)				\
+	((int)(__mech) >= SKEIN_256_MAC_MECH_INFO_TYPE &&	\
+	(__mech) <= SKEIN1024_MAC_MECH_INFO_TYPE)
+#endif	/* SKEIN_MODULE_IMPL */
+
+#ifdef	__cplusplus
+}
+#endif
+
+#endif	/* _SYS_SKEIN_H_ */