Illumos Crypto Port module added to enable native encryption in zfs

A port of the Illumos Crypto Framework to a Linux kernel module (found
in module/icp). This is needed to do the actual encryption work. We cannot
use the Linux kernel's built in crypto api because it is only exported to
GPL-licensed modules. Having the ICP also means the crypto code can run on
any of the other kernels under OpenZFS. I ended up porting over most of the
internals of the framework, which means that porting over other API calls (if
we need them) should be fairly easy. Specifically, I have ported over the API
functions related to encryption, digests, macs, and crypto templates. The ICP
is able to use assembly-accelerated encryption on amd64 machines and AES-NI
instructions on Intel chips that support it. There are place-holder
directories for similar assembly optimizations for other architectures
(although they have not been written).

Signed-off-by: Tom Caputi <[email protected]>
Signed-off-by: Tony Hutter <[email protected]>
Signed-off-by: Brian Behlendorf <[email protected]>
Issue #4329

6 files changed, 2513 insertions, 0 deletions

diff --git a/module/icp/algs/modes/cbc.c b/module/icp/algs/modes/cbc.c
new file mode 100644
index 000000000..2cc94ec72
--- /dev/null
+++ b/module/icp/algs/modes/cbc.c
@@ -0,0 +1,305 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#include <sys/zfs_context.h>
+#include <modes/modes.h>
+#include <sys/crypto/common.h>
+#include <sys/crypto/impl.h>
+
+/*
+ * Algorithm independent CBC functions.
+ */
+int
+cbc_encrypt_contiguous_blocks(cbc_ctx_t *ctx, char *data, size_t length,
+    crypto_data_t *out, size_t block_size,
+    int (*encrypt)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t remainder = length;
+	size_t need = 0;
+	uint8_t *datap = (uint8_t *)data;
+	uint8_t *blockp;
+	uint8_t *lastp;
+	void *iov_or_mp;
+	offset_t offset;
+	uint8_t *out_data_1;
+	uint8_t *out_data_2;
+	size_t out_data_1_len;
+
+	if (length + ctx->cbc_remainder_len < block_size) {
+		/* accumulate bytes here and return */
+		bcopy(datap,
+		    (uint8_t *)ctx->cbc_remainder + ctx->cbc_remainder_len,
+		    length);
+		ctx->cbc_remainder_len += length;
+		ctx->cbc_copy_to = datap;
+		return (CRYPTO_SUCCESS);
+	}
+
+	lastp = (uint8_t *)ctx->cbc_iv;
+	if (out != NULL)
+		crypto_init_ptrs(out, &iov_or_mp, &offset);
+
+	do {
+		/* Unprocessed data from last call. */
+		if (ctx->cbc_remainder_len > 0) {
+			need = block_size - ctx->cbc_remainder_len;
+
+			if (need > remainder)
+				return (CRYPTO_DATA_LEN_RANGE);
+
+			bcopy(datap, &((uint8_t *)ctx->cbc_remainder)
+			    [ctx->cbc_remainder_len], need);
+
+			blockp = (uint8_t *)ctx->cbc_remainder;
+		} else {
+			blockp = datap;
+		}
+
+		if (out == NULL) {
+			/*
+			 * XOR the previous cipher block or IV with the
+			 * current clear block.
+			 */
+			xor_block(lastp, blockp);
+			encrypt(ctx->cbc_keysched, blockp, blockp);
+
+			ctx->cbc_lastp = blockp;
+			lastp = blockp;
+
+			if (ctx->cbc_remainder_len > 0) {
+				bcopy(blockp, ctx->cbc_copy_to,
+				    ctx->cbc_remainder_len);
+				bcopy(blockp + ctx->cbc_remainder_len, datap,
+				    need);
+			}
+		} else {
+			/*
+			 * XOR the previous cipher block or IV with the
+			 * current clear block.
+			 */
+			xor_block(blockp, lastp);
+			encrypt(ctx->cbc_keysched, lastp, lastp);
+			crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
+			    &out_data_1_len, &out_data_2, block_size);
+
+			/* copy block to where it belongs */
+			if (out_data_1_len == block_size) {
+				copy_block(lastp, out_data_1);
+			} else {
+				bcopy(lastp, out_data_1, out_data_1_len);
+				if (out_data_2 != NULL) {
+					bcopy(lastp + out_data_1_len,
+					    out_data_2,
+					    block_size - out_data_1_len);
+				}
+			}
+			/* update offset */
+			out->cd_offset += block_size;
+		}
+
+		/* Update pointer to next block of data to be processed. */
+		if (ctx->cbc_remainder_len != 0) {
+			datap += need;
+			ctx->cbc_remainder_len = 0;
+		} else {
+			datap += block_size;
+		}
+
+		remainder = (size_t)&data[length] - (size_t)datap;
+
+		/* Incomplete last block. */
+		if (remainder > 0 && remainder < block_size) {
+			bcopy(datap, ctx->cbc_remainder, remainder);
+			ctx->cbc_remainder_len = remainder;
+			ctx->cbc_copy_to = datap;
+			goto out;
+		}
+		ctx->cbc_copy_to = NULL;
+
+	} while (remainder > 0);
+
+out:
+	/*
+	 * Save the last encrypted block in the context.
+	 */
+	if (ctx->cbc_lastp != NULL) {
+		copy_block((uint8_t *)ctx->cbc_lastp, (uint8_t *)ctx->cbc_iv);
+		ctx->cbc_lastp = (uint8_t *)ctx->cbc_iv;
+	}
+
+	return (CRYPTO_SUCCESS);
+}
+
+#define	OTHER(a, ctx) \
+	(((a) == (ctx)->cbc_lastblock) ? (ctx)->cbc_iv : (ctx)->cbc_lastblock)
+
+/* ARGSUSED */
+int
+cbc_decrypt_contiguous_blocks(cbc_ctx_t *ctx, char *data, size_t length,
+    crypto_data_t *out, size_t block_size,
+    int (*decrypt)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t remainder = length;
+	size_t need = 0;
+	uint8_t *datap = (uint8_t *)data;
+	uint8_t *blockp;
+	uint8_t *lastp;
+	void *iov_or_mp;
+	offset_t offset;
+	uint8_t *out_data_1;
+	uint8_t *out_data_2;
+	size_t out_data_1_len;
+
+	if (length + ctx->cbc_remainder_len < block_size) {
+		/* accumulate bytes here and return */
+		bcopy(datap,
+		    (uint8_t *)ctx->cbc_remainder + ctx->cbc_remainder_len,
+		    length);
+		ctx->cbc_remainder_len += length;
+		ctx->cbc_copy_to = datap;
+		return (CRYPTO_SUCCESS);
+	}
+
+	lastp = ctx->cbc_lastp;
+	if (out != NULL)
+		crypto_init_ptrs(out, &iov_or_mp, &offset);
+
+	do {
+		/* Unprocessed data from last call. */
+		if (ctx->cbc_remainder_len > 0) {
+			need = block_size - ctx->cbc_remainder_len;
+
+			if (need > remainder)
+				return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
+
+			bcopy(datap, &((uint8_t *)ctx->cbc_remainder)
+			    [ctx->cbc_remainder_len], need);
+
+			blockp = (uint8_t *)ctx->cbc_remainder;
+		} else {
+			blockp = datap;
+		}
+
+		/* LINTED: pointer alignment */
+		copy_block(blockp, (uint8_t *)OTHER((uint64_t *)lastp, ctx));
+
+		if (out != NULL) {
+			decrypt(ctx->cbc_keysched, blockp,
+			    (uint8_t *)ctx->cbc_remainder);
+			blockp = (uint8_t *)ctx->cbc_remainder;
+		} else {
+			decrypt(ctx->cbc_keysched, blockp, blockp);
+		}
+
+		/*
+		 * XOR the previous cipher block or IV with the
+		 * currently decrypted block.
+		 */
+		xor_block(lastp, blockp);
+
+		/* LINTED: pointer alignment */
+		lastp = (uint8_t *)OTHER((uint64_t *)lastp, ctx);
+
+		if (out != NULL) {
+			crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
+			    &out_data_1_len, &out_data_2, block_size);
+
+			bcopy(blockp, out_data_1, out_data_1_len);
+			if (out_data_2 != NULL) {
+				bcopy(blockp + out_data_1_len, out_data_2,
+				    block_size - out_data_1_len);
+			}
+
+			/* update offset */
+			out->cd_offset += block_size;
+
+		} else if (ctx->cbc_remainder_len > 0) {
+			/* copy temporary block to where it belongs */
+			bcopy(blockp, ctx->cbc_copy_to, ctx->cbc_remainder_len);
+			bcopy(blockp + ctx->cbc_remainder_len, datap, need);
+		}
+
+		/* Update pointer to next block of data to be processed. */
+		if (ctx->cbc_remainder_len != 0) {
+			datap += need;
+			ctx->cbc_remainder_len = 0;
+		} else {
+			datap += block_size;
+		}
+
+		remainder = (size_t)&data[length] - (size_t)datap;
+
+		/* Incomplete last block. */
+		if (remainder > 0 && remainder < block_size) {
+			bcopy(datap, ctx->cbc_remainder, remainder);
+			ctx->cbc_remainder_len = remainder;
+			ctx->cbc_lastp = lastp;
+			ctx->cbc_copy_to = datap;
+			return (CRYPTO_SUCCESS);
+		}
+		ctx->cbc_copy_to = NULL;
+
+	} while (remainder > 0);
+
+	ctx->cbc_lastp = lastp;
+	return (CRYPTO_SUCCESS);
+}
+
+int
+cbc_init_ctx(cbc_ctx_t *cbc_ctx, char *param, size_t param_len,
+    size_t block_size, void (*copy_block)(uint8_t *, uint64_t *))
+{
+	/*
+	 * Copy IV into context.
+	 *
+	 * If cm_param == NULL then the IV comes from the
+	 * cd_miscdata field in the crypto_data structure.
+	 */
+	if (param != NULL) {
+		ASSERT(param_len == block_size);
+		copy_block((uchar_t *)param, cbc_ctx->cbc_iv);
+	}
+
+	cbc_ctx->cbc_lastp = (uint8_t *)&cbc_ctx->cbc_iv[0];
+	cbc_ctx->cbc_flags |= CBC_MODE;
+	return (CRYPTO_SUCCESS);
+}
+
+/* ARGSUSED */
+void *
+cbc_alloc_ctx(int kmflag)
+{
+	cbc_ctx_t *cbc_ctx;
+
+	if ((cbc_ctx = kmem_zalloc(sizeof (cbc_ctx_t), kmflag)) == NULL)
+		return (NULL);
+
+	cbc_ctx->cbc_flags = CBC_MODE;
+	return (cbc_ctx);
+}
diff --git a/module/icp/algs/modes/ccm.c b/module/icp/algs/modes/ccm.c
new file mode 100644
index 000000000..22aeb0a6a
--- /dev/null
+++ b/module/icp/algs/modes/ccm.c
@@ -0,0 +1,920 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#include <sys/zfs_context.h>
+#include <modes/modes.h>
+#include <sys/crypto/common.h>
+#include <sys/crypto/impl.h>
+
+#if defined(__i386) || defined(__amd64)
+#include <sys/byteorder.h>
+#define	UNALIGNED_POINTERS_PERMITTED
+#endif
+
+/*
+ * Encrypt multiple blocks of data in CCM mode.  Decrypt for CCM mode
+ * is done in another function.
+ */
+int
+ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length,
+    crypto_data_t *out, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t remainder = length;
+	size_t need = 0;
+	uint8_t *datap = (uint8_t *)data;
+	uint8_t *blockp;
+	uint8_t *lastp;
+	void *iov_or_mp;
+	offset_t offset;
+	uint8_t *out_data_1;
+	uint8_t *out_data_2;
+	size_t out_data_1_len;
+	uint64_t counter;
+	uint8_t *mac_buf;
+
+	if (length + ctx->ccm_remainder_len < block_size) {
+		/* accumulate bytes here and return */
+		bcopy(datap,
+		    (uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len,
+		    length);
+		ctx->ccm_remainder_len += length;
+		ctx->ccm_copy_to = datap;
+		return (CRYPTO_SUCCESS);
+	}
+
+	lastp = (uint8_t *)ctx->ccm_cb;
+	if (out != NULL)
+		crypto_init_ptrs(out, &iov_or_mp, &offset);
+
+	mac_buf = (uint8_t *)ctx->ccm_mac_buf;
+
+	do {
+		/* Unprocessed data from last call. */
+		if (ctx->ccm_remainder_len > 0) {
+			need = block_size - ctx->ccm_remainder_len;
+
+			if (need > remainder)
+				return (CRYPTO_DATA_LEN_RANGE);
+
+			bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
+			    [ctx->ccm_remainder_len], need);
+
+			blockp = (uint8_t *)ctx->ccm_remainder;
+		} else {
+			blockp = datap;
+		}
+
+		/*
+		 * do CBC MAC
+		 *
+		 * XOR the previous cipher block current clear block.
+		 * mac_buf always contain previous cipher block.
+		 */
+		xor_block(blockp, mac_buf);
+		encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
+
+		/* ccm_cb is the counter block */
+		encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb,
+		    (uint8_t *)ctx->ccm_tmp);
+
+		lastp = (uint8_t *)ctx->ccm_tmp;
+
+		/*
+		 * Increment counter. Counter bits are confined
+		 * to the bottom 64 bits of the counter block.
+		 */
+#ifdef _LITTLE_ENDIAN
+		counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask);
+		counter = htonll(counter + 1);
+#else
+		counter = ctx->ccm_cb[1] & ctx->ccm_counter_mask;
+		counter++;
+#endif	/* _LITTLE_ENDIAN */
+		counter &= ctx->ccm_counter_mask;
+		ctx->ccm_cb[1] =
+		    (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
+
+		/*
+		 * XOR encrypted counter block with the current clear block.
+		 */
+		xor_block(blockp, lastp);
+
+		ctx->ccm_processed_data_len += block_size;
+
+		if (out == NULL) {
+			if (ctx->ccm_remainder_len > 0) {
+				bcopy(blockp, ctx->ccm_copy_to,
+				    ctx->ccm_remainder_len);
+				bcopy(blockp + ctx->ccm_remainder_len, datap,
+				    need);
+			}
+		} else {
+			crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
+			    &out_data_1_len, &out_data_2, block_size);
+
+			/* copy block to where it belongs */
+			if (out_data_1_len == block_size) {
+				copy_block(lastp, out_data_1);
+			} else {
+				bcopy(lastp, out_data_1, out_data_1_len);
+				if (out_data_2 != NULL) {
+					bcopy(lastp + out_data_1_len,
+					    out_data_2,
+					    block_size - out_data_1_len);
+				}
+			}
+			/* update offset */
+			out->cd_offset += block_size;
+		}
+
+		/* Update pointer to next block of data to be processed. */
+		if (ctx->ccm_remainder_len != 0) {
+			datap += need;
+			ctx->ccm_remainder_len = 0;
+		} else {
+			datap += block_size;
+		}
+
+		remainder = (size_t)&data[length] - (size_t)datap;
+
+		/* Incomplete last block. */
+		if (remainder > 0 && remainder < block_size) {
+			bcopy(datap, ctx->ccm_remainder, remainder);
+			ctx->ccm_remainder_len = remainder;
+			ctx->ccm_copy_to = datap;
+			goto out;
+		}
+		ctx->ccm_copy_to = NULL;
+
+	} while (remainder > 0);
+
+out:
+	return (CRYPTO_SUCCESS);
+}
+
+void
+calculate_ccm_mac(ccm_ctx_t *ctx, uint8_t *ccm_mac,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *))
+{
+	uint64_t counter;
+	uint8_t *counterp, *mac_buf;
+	int i;
+
+	mac_buf = (uint8_t *)ctx->ccm_mac_buf;
+
+	/* first counter block start with index 0 */
+	counter = 0;
+	ctx->ccm_cb[1] = (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
+
+	counterp = (uint8_t *)ctx->ccm_tmp;
+	encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp);
+
+	/* calculate XOR of MAC with first counter block */
+	for (i = 0; i < ctx->ccm_mac_len; i++) {
+		ccm_mac[i] = mac_buf[i] ^ counterp[i];
+	}
+}
+
+/* ARGSUSED */
+int
+ccm_encrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	uint8_t *lastp, *mac_buf, *ccm_mac_p, *macp = NULL;
+	void *iov_or_mp;
+	offset_t offset;
+	uint8_t *out_data_1;
+	uint8_t *out_data_2;
+	size_t out_data_1_len;
+	int i;
+
+	if (out->cd_length < (ctx->ccm_remainder_len + ctx->ccm_mac_len)) {
+		return (CRYPTO_DATA_LEN_RANGE);
+	}
+
+	/*
+	 * When we get here, the number of bytes of payload processed
+	 * plus whatever data remains, if any,
+	 * should be the same as the number of bytes that's being
+	 * passed in the argument during init time.
+	 */
+	if ((ctx->ccm_processed_data_len + ctx->ccm_remainder_len)
+	    != (ctx->ccm_data_len)) {
+		return (CRYPTO_DATA_LEN_RANGE);
+	}
+
+	mac_buf = (uint8_t *)ctx->ccm_mac_buf;
+
+	if (ctx->ccm_remainder_len > 0) {
+
+		/* ccm_mac_input_buf is not used for encryption */
+		macp = (uint8_t *)ctx->ccm_mac_input_buf;
+		bzero(macp, block_size);
+
+		/* copy remainder to temporary buffer */
+		bcopy(ctx->ccm_remainder, macp, ctx->ccm_remainder_len);
+
+		/* calculate the CBC MAC */
+		xor_block(macp, mac_buf);
+		encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
+
+		/* calculate the counter mode */
+		lastp = (uint8_t *)ctx->ccm_tmp;
+		encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, lastp);
+
+		/* XOR with counter block */
+		for (i = 0; i < ctx->ccm_remainder_len; i++) {
+			macp[i] ^= lastp[i];
+		}
+		ctx->ccm_processed_data_len += ctx->ccm_remainder_len;
+	}
+
+	/* Calculate the CCM MAC */
+	ccm_mac_p = (uint8_t *)ctx->ccm_tmp;
+	calculate_ccm_mac(ctx, ccm_mac_p, encrypt_block);
+
+	crypto_init_ptrs(out, &iov_or_mp, &offset);
+	crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
+	    &out_data_1_len, &out_data_2,
+	    ctx->ccm_remainder_len + ctx->ccm_mac_len);
+
+	if (ctx->ccm_remainder_len > 0) {
+
+		/* copy temporary block to where it belongs */
+		if (out_data_2 == NULL) {
+			/* everything will fit in out_data_1 */
+			bcopy(macp, out_data_1, ctx->ccm_remainder_len);
+			bcopy(ccm_mac_p, out_data_1 + ctx->ccm_remainder_len,
+			    ctx->ccm_mac_len);
+		} else {
+
+			if (out_data_1_len < ctx->ccm_remainder_len) {
+
+				size_t data_2_len_used;
+
+				bcopy(macp, out_data_1, out_data_1_len);
+
+				data_2_len_used = ctx->ccm_remainder_len
+				    - out_data_1_len;
+
+				bcopy((uint8_t *)macp + out_data_1_len,
+				    out_data_2, data_2_len_used);
+				bcopy(ccm_mac_p, out_data_2 + data_2_len_used,
+				    ctx->ccm_mac_len);
+			} else {
+				bcopy(macp, out_data_1, out_data_1_len);
+				if (out_data_1_len == ctx->ccm_remainder_len) {
+					/* mac will be in out_data_2 */
+					bcopy(ccm_mac_p, out_data_2,
+					    ctx->ccm_mac_len);
+				} else {
+					size_t len_not_used = out_data_1_len -
+					    ctx->ccm_remainder_len;
+					/*
+					 * part of mac in will be in
+					 * out_data_1, part of the mac will be
+					 * in out_data_2
+					 */
+					bcopy(ccm_mac_p,
+					    out_data_1 + ctx->ccm_remainder_len,
+					    len_not_used);
+					bcopy(ccm_mac_p + len_not_used,
+					    out_data_2,
+					    ctx->ccm_mac_len - len_not_used);
+
+				}
+			}
+		}
+	} else {
+		/* copy block to where it belongs */
+		bcopy(ccm_mac_p, out_data_1, out_data_1_len);
+		if (out_data_2 != NULL) {
+			bcopy(ccm_mac_p + out_data_1_len, out_data_2,
+			    block_size - out_data_1_len);
+		}
+	}
+	out->cd_offset += ctx->ccm_remainder_len + ctx->ccm_mac_len;
+	ctx->ccm_remainder_len = 0;
+	return (CRYPTO_SUCCESS);
+}
+
+/*
+ * This will only deal with decrypting the last block of the input that
+ * might not be a multiple of block length.
+ */
+void
+ccm_decrypt_incomplete_block(ccm_ctx_t *ctx,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *))
+{
+	uint8_t *datap, *outp, *counterp;
+	int i;
+
+	datap = (uint8_t *)ctx->ccm_remainder;
+	outp = &((ctx->ccm_pt_buf)[ctx->ccm_processed_data_len]);
+
+	counterp = (uint8_t *)ctx->ccm_tmp;
+	encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp);
+
+	/* XOR with counter block */
+	for (i = 0; i < ctx->ccm_remainder_len; i++) {
+		outp[i] = datap[i] ^ counterp[i];
+	}
+}
+
+/*
+ * This will decrypt the cipher text.  However, the plaintext won't be
+ * returned to the caller.  It will be returned when decrypt_final() is
+ * called if the MAC matches
+ */
+/* ARGSUSED */
+int
+ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length,
+    crypto_data_t *out, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t remainder = length;
+	size_t need = 0;
+	uint8_t *datap = (uint8_t *)data;
+	uint8_t *blockp;
+	uint8_t *cbp;
+	uint64_t counter;
+	size_t pt_len, total_decrypted_len, mac_len, pm_len, pd_len;
+	uint8_t *resultp;
+
+
+	pm_len = ctx->ccm_processed_mac_len;
+
+	if (pm_len > 0) {
+		uint8_t *tmp;
+		/*
+		 * all ciphertext has been processed, just waiting for
+		 * part of the value of the mac
+		 */
+		if ((pm_len + length) > ctx->ccm_mac_len) {
+			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
+		}
+		tmp = (uint8_t *)ctx->ccm_mac_input_buf;
+
+		bcopy(datap, tmp + pm_len, length);
+
+		ctx->ccm_processed_mac_len += length;
+		return (CRYPTO_SUCCESS);
+	}
+
+	/*
+	 * If we decrypt the given data, what total amount of data would
+	 * have been decrypted?
+	 */
+	pd_len = ctx->ccm_processed_data_len;
+	total_decrypted_len = pd_len + length + ctx->ccm_remainder_len;
+
+	if (total_decrypted_len >
+	    (ctx->ccm_data_len + ctx->ccm_mac_len)) {
+		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
+	}
+
+	pt_len = ctx->ccm_data_len;
+
+	if (total_decrypted_len > pt_len) {
+		/*
+		 * part of the input will be the MAC, need to isolate that
+		 * to be dealt with later.  The left-over data in
+		 * ccm_remainder_len from last time will not be part of the
+		 * MAC.  Otherwise, it would have already been taken out
+		 * when this call is made last time.
+		 */
+		size_t pt_part = pt_len - pd_len - ctx->ccm_remainder_len;
+
+		mac_len = length - pt_part;
+
+		ctx->ccm_processed_mac_len = mac_len;
+		bcopy(data + pt_part, ctx->ccm_mac_input_buf, mac_len);
+
+		if (pt_part + ctx->ccm_remainder_len < block_size) {
+			/*
+			 * since this is last of the ciphertext, will
+			 * just decrypt with it here
+			 */
+			bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
+			    [ctx->ccm_remainder_len], pt_part);
+			ctx->ccm_remainder_len += pt_part;
+			ccm_decrypt_incomplete_block(ctx, encrypt_block);
+			ctx->ccm_processed_data_len += ctx->ccm_remainder_len;
+			ctx->ccm_remainder_len = 0;
+			return (CRYPTO_SUCCESS);
+		} else {
+			/* let rest of the code handle this */
+			length = pt_part;
+		}
+	} else if (length + ctx->ccm_remainder_len < block_size) {
+			/* accumulate bytes here and return */
+		bcopy(datap,
+		    (uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len,
+		    length);
+		ctx->ccm_remainder_len += length;
+		ctx->ccm_copy_to = datap;
+		return (CRYPTO_SUCCESS);
+	}
+
+	do {
+		/* Unprocessed data from last call. */
+		if (ctx->ccm_remainder_len > 0) {
+			need = block_size - ctx->ccm_remainder_len;
+
+			if (need > remainder)
+				return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
+
+			bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
+			    [ctx->ccm_remainder_len], need);
+
+			blockp = (uint8_t *)ctx->ccm_remainder;
+		} else {
+			blockp = datap;
+		}
+
+		/* Calculate the counter mode, ccm_cb is the counter block */
+		cbp = (uint8_t *)ctx->ccm_tmp;
+		encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, cbp);
+
+		/*
+		 * Increment counter.
+		 * Counter bits are confined to the bottom 64 bits
+		 */
+#ifdef _LITTLE_ENDIAN
+		counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask);
+		counter = htonll(counter + 1);
+#else
+		counter = ctx->ccm_cb[1] & ctx->ccm_counter_mask;
+		counter++;
+#endif	/* _LITTLE_ENDIAN */
+		counter &= ctx->ccm_counter_mask;
+		ctx->ccm_cb[1] =
+		    (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
+
+		/* XOR with the ciphertext */
+		xor_block(blockp, cbp);
+
+		/* Copy the plaintext to the "holding buffer" */
+		resultp = (uint8_t *)ctx->ccm_pt_buf +
+		    ctx->ccm_processed_data_len;
+		copy_block(cbp, resultp);
+
+		ctx->ccm_processed_data_len += block_size;
+
+		ctx->ccm_lastp = blockp;
+
+		/* Update pointer to next block of data to be processed. */
+		if (ctx->ccm_remainder_len != 0) {
+			datap += need;
+			ctx->ccm_remainder_len = 0;
+		} else {
+			datap += block_size;
+		}
+
+		remainder = (size_t)&data[length] - (size_t)datap;
+
+		/* Incomplete last block */
+		if (remainder > 0 && remainder < block_size) {
+			bcopy(datap, ctx->ccm_remainder, remainder);
+			ctx->ccm_remainder_len = remainder;
+			ctx->ccm_copy_to = datap;
+			if (ctx->ccm_processed_mac_len > 0) {
+				/*
+				 * not expecting anymore ciphertext, just
+				 * compute plaintext for the remaining input
+				 */
+				ccm_decrypt_incomplete_block(ctx,
+				    encrypt_block);
+				ctx->ccm_processed_data_len += remainder;
+				ctx->ccm_remainder_len = 0;
+			}
+			goto out;
+		}
+		ctx->ccm_copy_to = NULL;
+
+	} while (remainder > 0);
+
+out:
+	return (CRYPTO_SUCCESS);
+}
+
+int
+ccm_decrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t mac_remain, pt_len;
+	uint8_t *pt, *mac_buf, *macp, *ccm_mac_p;
+	int rv;
+
+	pt_len = ctx->ccm_data_len;
+
+	/* Make sure output buffer can fit all of the plaintext */
+	if (out->cd_length < pt_len) {
+		return (CRYPTO_DATA_LEN_RANGE);
+	}
+
+	pt = ctx->ccm_pt_buf;
+	mac_remain = ctx->ccm_processed_data_len;
+	mac_buf = (uint8_t *)ctx->ccm_mac_buf;
+
+	macp = (uint8_t *)ctx->ccm_tmp;
+
+	while (mac_remain > 0) {
+
+		if (mac_remain < block_size) {
+			bzero(macp, block_size);
+			bcopy(pt, macp, mac_remain);
+			mac_remain = 0;
+		} else {
+			copy_block(pt, macp);
+			mac_remain -= block_size;
+			pt += block_size;
+		}
+
+		/* calculate the CBC MAC */
+		xor_block(macp, mac_buf);
+		encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
+	}
+
+	/* Calculate the CCM MAC */
+	ccm_mac_p = (uint8_t *)ctx->ccm_tmp;
+	calculate_ccm_mac((ccm_ctx_t *)ctx, ccm_mac_p, encrypt_block);
+
+	/* compare the input CCM MAC value with what we calculated */
+	if (bcmp(ctx->ccm_mac_input_buf, ccm_mac_p, ctx->ccm_mac_len)) {
+		/* They don't match */
+		return (CRYPTO_INVALID_MAC);
+	} else {
+		rv = crypto_put_output_data(ctx->ccm_pt_buf, out, pt_len);
+		if (rv != CRYPTO_SUCCESS)
+			return (rv);
+		out->cd_offset += pt_len;
+	}
+	return (CRYPTO_SUCCESS);
+}
+
+int
+ccm_validate_args(CK_AES_CCM_PARAMS *ccm_param, boolean_t is_encrypt_init)
+{
+	size_t macSize, nonceSize;
+	uint8_t q;
+	uint64_t maxValue;
+
+	/*
+	 * Check the length of the MAC.  The only valid
+	 * lengths for the MAC are: 4, 6, 8, 10, 12, 14, 16
+	 */
+	macSize = ccm_param->ulMACSize;
+	if ((macSize < 4) || (macSize > 16) || ((macSize % 2) != 0)) {
+		return (CRYPTO_MECHANISM_PARAM_INVALID);
+	}
+
+	/* Check the nonce length.  Valid values are 7, 8, 9, 10, 11, 12, 13 */
+	nonceSize = ccm_param->ulNonceSize;
+	if ((nonceSize < 7) || (nonceSize > 13)) {
+		return (CRYPTO_MECHANISM_PARAM_INVALID);
+	}
+
+	/* q is the length of the field storing the length, in bytes */
+	q = (uint8_t)((15 - nonceSize) & 0xFF);
+
+
+	/*
+	 * If it is decrypt, need to make sure size of ciphertext is at least
+	 * bigger than MAC len
+	 */
+	if ((!is_encrypt_init) && (ccm_param->ulDataSize < macSize)) {
+		return (CRYPTO_MECHANISM_PARAM_INVALID);
+	}
+
+	/*
+	 * Check to make sure the length of the payload is within the
+	 * range of values allowed by q
+	 */
+	if (q < 8) {
+		maxValue = (1ULL << (q * 8)) - 1;
+	} else {
+		maxValue = ULONG_MAX;
+	}
+
+	if (ccm_param->ulDataSize > maxValue) {
+		return (CRYPTO_MECHANISM_PARAM_INVALID);
+	}
+	return (CRYPTO_SUCCESS);
+}
+
+/*
+ * Format the first block used in CBC-MAC (B0) and the initial counter
+ * block based on formatting functions and counter generation functions
+ * specified in RFC 3610 and NIST publication 800-38C, appendix A
+ *
+ * b0 is the first block used in CBC-MAC
+ * cb0 is the first counter block
+ *
+ * It's assumed that the arguments b0 and cb0 are preallocated AES blocks
+ *
+ */
+static void
+ccm_format_initial_blocks(uchar_t *nonce, ulong_t nonceSize,
+    ulong_t authDataSize, uint8_t *b0, ccm_ctx_t *aes_ctx)
+{
+	uint64_t payloadSize;
+	uint8_t t, q, have_adata = 0;
+	size_t limit;
+	int i, j, k;
+	uint64_t mask = 0;
+	uint8_t *cb;
+
+	q = (uint8_t)((15 - nonceSize) & 0xFF);
+	t = (uint8_t)((aes_ctx->ccm_mac_len) & 0xFF);
+
+	/* Construct the first octet of b0 */
+	if (authDataSize > 0) {
+		have_adata = 1;
+	}
+	b0[0] = (have_adata << 6) | (((t - 2)  / 2) << 3) | (q - 1);
+
+	/* copy the nonce value into b0 */
+	bcopy(nonce, &(b0[1]), nonceSize);
+
+	/* store the length of the payload into b0 */
+	bzero(&(b0[1+nonceSize]), q);
+
+	payloadSize = aes_ctx->ccm_data_len;
+	limit = 8 < q ? 8 : q;
+
+	for (i = 0, j = 0, k = 15; i < limit; i++, j += 8, k--) {
+		b0[k] = (uint8_t)((payloadSize >> j) & 0xFF);
+	}
+
+	/* format the counter block */
+
+	cb = (uint8_t *)aes_ctx->ccm_cb;
+
+	cb[0] = 0x07 & (q-1); /* first byte */
+
+	/* copy the nonce value into the counter block */
+	bcopy(nonce, &(cb[1]), nonceSize);
+
+	bzero(&(cb[1+nonceSize]), q);
+
+	/* Create the mask for the counter field based on the size of nonce */
+	q <<= 3;
+	while (q-- > 0) {
+		mask |= (1ULL << q);
+	}
+
+#ifdef _LITTLE_ENDIAN
+	mask = htonll(mask);
+#endif
+	aes_ctx->ccm_counter_mask = mask;
+
+	/*
+	 * During calculation, we start using counter block 1, we will
+	 * set it up right here.
+	 * We can just set the last byte to have the value 1, because
+	 * even with the biggest nonce of 13, the last byte of the
+	 * counter block will be used for the counter value.
+	 */
+	cb[15] = 0x01;
+}
+
+/*
+ * Encode the length of the associated data as
+ * specified in RFC 3610 and NIST publication 800-38C, appendix A
+ */
+static void
+encode_adata_len(ulong_t auth_data_len, uint8_t *encoded, size_t *encoded_len)
+{
+#ifdef UNALIGNED_POINTERS_PERMITTED
+	uint32_t	*lencoded_ptr;
+#ifdef _LP64
+	uint64_t	*llencoded_ptr;
+#endif
+#endif	/* UNALIGNED_POINTERS_PERMITTED */
+
+	if (auth_data_len < ((1ULL<<16) - (1ULL<<8))) {
+		/* 0 < a < (2^16-2^8) */
+		*encoded_len = 2;
+		encoded[0] = (auth_data_len & 0xff00) >> 8;
+		encoded[1] = auth_data_len & 0xff;
+
+	} else if ((auth_data_len >= ((1ULL<<16) - (1ULL<<8))) &&
+	    (auth_data_len < (1ULL << 31))) {
+		/* (2^16-2^8) <= a < 2^32 */
+		*encoded_len = 6;
+		encoded[0] = 0xff;
+		encoded[1] = 0xfe;
+#ifdef UNALIGNED_POINTERS_PERMITTED
+		lencoded_ptr = (uint32_t *)&encoded[2];
+		*lencoded_ptr = htonl(auth_data_len);
+#else
+		encoded[2] = (auth_data_len & 0xff000000) >> 24;
+		encoded[3] = (auth_data_len & 0xff0000) >> 16;
+		encoded[4] = (auth_data_len & 0xff00) >> 8;
+		encoded[5] = auth_data_len & 0xff;
+#endif	/* UNALIGNED_POINTERS_PERMITTED */
+
+#ifdef _LP64
+	} else {
+		/* 2^32 <= a < 2^64 */
+		*encoded_len = 10;
+		encoded[0] = 0xff;
+		encoded[1] = 0xff;
+#ifdef UNALIGNED_POINTERS_PERMITTED
+		llencoded_ptr = (uint64_t *)&encoded[2];
+		*llencoded_ptr = htonl(auth_data_len);
+#else
+		encoded[2] = (auth_data_len & 0xff00000000000000) >> 56;
+		encoded[3] = (auth_data_len & 0xff000000000000) >> 48;
+		encoded[4] = (auth_data_len & 0xff0000000000) >> 40;
+		encoded[5] = (auth_data_len & 0xff00000000) >> 32;
+		encoded[6] = (auth_data_len & 0xff000000) >> 24;
+		encoded[7] = (auth_data_len & 0xff0000) >> 16;
+		encoded[8] = (auth_data_len & 0xff00) >> 8;
+		encoded[9] = auth_data_len & 0xff;
+#endif	/* UNALIGNED_POINTERS_PERMITTED */
+#endif	/* _LP64 */
+	}
+}
+
+/*
+ * The following function should be call at encrypt or decrypt init time
+ * for AES CCM mode.
+ */
+int
+ccm_init(ccm_ctx_t *ctx, unsigned char *nonce, size_t nonce_len,
+    unsigned char *auth_data, size_t auth_data_len, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	uint8_t *mac_buf, *datap, *ivp, *authp;
+	size_t remainder, processed;
+	uint8_t encoded_a[10]; /* max encoded auth data length is 10 octets */
+	size_t encoded_a_len = 0;
+
+	mac_buf = (uint8_t *)&(ctx->ccm_mac_buf);
+
+	/*
+	 * Format the 1st block for CBC-MAC and construct the
+	 * 1st counter block.
+	 *
+	 * aes_ctx->ccm_iv is used for storing the counter block
+	 * mac_buf will store b0 at this time.
+	 */
+	ccm_format_initial_blocks(nonce, nonce_len,
+	    auth_data_len, mac_buf, ctx);
+
+	/* The IV for CBC MAC for AES CCM mode is always zero */
+	ivp = (uint8_t *)ctx->ccm_tmp;
+	bzero(ivp, block_size);
+
+	xor_block(ivp, mac_buf);
+
+	/* encrypt the nonce */
+	encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
+
+	/* take care of the associated data, if any */
+	if (auth_data_len == 0) {
+		return (CRYPTO_SUCCESS);
+	}
+
+	encode_adata_len(auth_data_len, encoded_a, &encoded_a_len);
+
+	remainder = auth_data_len;
+
+	/* 1st block: it contains encoded associated data, and some data */
+	authp = (uint8_t *)ctx->ccm_tmp;
+	bzero(authp, block_size);
+	bcopy(encoded_a, authp, encoded_a_len);
+	processed = block_size - encoded_a_len;
+	if (processed > auth_data_len) {
+		/* in case auth_data is very small */
+		processed = auth_data_len;
+	}
+	bcopy(auth_data, authp+encoded_a_len, processed);
+	/* xor with previous buffer */
+	xor_block(authp, mac_buf);
+	encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
+	remainder -= processed;
+	if (remainder == 0) {
+		/* a small amount of associated data, it's all done now */
+		return (CRYPTO_SUCCESS);
+	}
+
+	do {
+		if (remainder < block_size) {
+			/*
+			 * There's not a block full of data, pad rest of
+			 * buffer with zero
+			 */
+			bzero(authp, block_size);
+			bcopy(&(auth_data[processed]), authp, remainder);
+			datap = (uint8_t *)authp;
+			remainder = 0;
+		} else {
+			datap = (uint8_t *)(&(auth_data[processed]));
+			processed += block_size;
+			remainder -= block_size;
+		}
+
+		xor_block(datap, mac_buf);
+		encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
+
+	} while (remainder > 0);
+
+	return (CRYPTO_SUCCESS);
+}
+
+int
+ccm_init_ctx(ccm_ctx_t *ccm_ctx, char *param, int kmflag,
+    boolean_t is_encrypt_init, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	int rv;
+	CK_AES_CCM_PARAMS *ccm_param;
+
+	if (param != NULL) {
+		ccm_param = (CK_AES_CCM_PARAMS *)param;
+
+		if ((rv = ccm_validate_args(ccm_param,
+		    is_encrypt_init)) != 0) {
+			return (rv);
+		}
+
+		ccm_ctx->ccm_mac_len = ccm_param->ulMACSize;
+		if (is_encrypt_init) {
+			ccm_ctx->ccm_data_len = ccm_param->ulDataSize;
+		} else {
+			ccm_ctx->ccm_data_len =
+			    ccm_param->ulDataSize - ccm_ctx->ccm_mac_len;
+			ccm_ctx->ccm_processed_mac_len = 0;
+		}
+		ccm_ctx->ccm_processed_data_len = 0;
+
+		ccm_ctx->ccm_flags |= CCM_MODE;
+	} else {
+		rv = CRYPTO_MECHANISM_PARAM_INVALID;
+		goto out;
+	}
+
+	if (ccm_init(ccm_ctx, ccm_param->nonce, ccm_param->ulNonceSize,
+	    ccm_param->authData, ccm_param->ulAuthDataSize, block_size,
+	    encrypt_block, xor_block) != 0) {
+		rv = CRYPTO_MECHANISM_PARAM_INVALID;
+		goto out;
+	}
+	if (!is_encrypt_init) {
+		/* allocate buffer for storing decrypted plaintext */
+		ccm_ctx->ccm_pt_buf = vmem_alloc(ccm_ctx->ccm_data_len,
+		    kmflag);
+		if (ccm_ctx->ccm_pt_buf == NULL) {
+			rv = CRYPTO_HOST_MEMORY;
+		}
+	}
+out:
+	return (rv);
+}
+
+void *
+ccm_alloc_ctx(int kmflag)
+{
+	ccm_ctx_t *ccm_ctx;
+
+	if ((ccm_ctx = kmem_zalloc(sizeof (ccm_ctx_t), kmflag)) == NULL)
+		return (NULL);
+
+	ccm_ctx->ccm_flags = CCM_MODE;
+	return (ccm_ctx);
+}
diff --git a/module/icp/algs/modes/ctr.c b/module/icp/algs/modes/ctr.c
new file mode 100644
index 000000000..77ba28ddd
--- /dev/null
+++ b/module/icp/algs/modes/ctr.c
@@ -0,0 +1,238 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#include <sys/zfs_context.h>
+#include <modes/modes.h>
+#include <sys/crypto/common.h>
+#include <sys/crypto/impl.h>
+#include <sys/byteorder.h>
+
+/*
+ * Encrypt and decrypt multiple blocks of data in counter mode.
+ */
+int
+ctr_mode_contiguous_blocks(ctr_ctx_t *ctx, char *data, size_t length,
+    crypto_data_t *out, size_t block_size,
+    int (*cipher)(const void *ks, const uint8_t *pt, uint8_t *ct),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t remainder = length;
+	size_t need = 0;
+	uint8_t *datap = (uint8_t *)data;
+	uint8_t *blockp;
+	uint8_t *lastp;
+	void *iov_or_mp;
+	offset_t offset;
+	uint8_t *out_data_1;
+	uint8_t *out_data_2;
+	size_t out_data_1_len;
+	uint64_t lower_counter, upper_counter;
+
+	if (length + ctx->ctr_remainder_len < block_size) {
+		/* accumulate bytes here and return */
+		bcopy(datap,
+		    (uint8_t *)ctx->ctr_remainder + ctx->ctr_remainder_len,
+		    length);
+		ctx->ctr_remainder_len += length;
+		ctx->ctr_copy_to = datap;
+		return (CRYPTO_SUCCESS);
+	}
+
+	lastp = (uint8_t *)ctx->ctr_cb;
+	if (out != NULL)
+		crypto_init_ptrs(out, &iov_or_mp, &offset);
+
+	do {
+		/* Unprocessed data from last call. */
+		if (ctx->ctr_remainder_len > 0) {
+			need = block_size - ctx->ctr_remainder_len;
+
+			if (need > remainder)
+				return (CRYPTO_DATA_LEN_RANGE);
+
+			bcopy(datap, &((uint8_t *)ctx->ctr_remainder)
+			    [ctx->ctr_remainder_len], need);
+
+			blockp = (uint8_t *)ctx->ctr_remainder;
+		} else {
+			blockp = datap;
+		}
+
+		/* ctr_cb is the counter block */
+		cipher(ctx->ctr_keysched, (uint8_t *)ctx->ctr_cb,
+		    (uint8_t *)ctx->ctr_tmp);
+
+		lastp = (uint8_t *)ctx->ctr_tmp;
+
+		/*
+		 * Increment Counter.
+		 */
+		lower_counter = ntohll(ctx->ctr_cb[1] & ctx->ctr_lower_mask);
+		lower_counter = htonll(lower_counter + 1);
+		lower_counter &= ctx->ctr_lower_mask;
+		ctx->ctr_cb[1] = (ctx->ctr_cb[1] & ~(ctx->ctr_lower_mask)) |
+		    lower_counter;
+
+		/* wrap around */
+		if (lower_counter == 0) {
+			upper_counter =
+			    ntohll(ctx->ctr_cb[0] & ctx->ctr_upper_mask);
+			upper_counter = htonll(upper_counter + 1);
+			upper_counter &= ctx->ctr_upper_mask;
+			ctx->ctr_cb[0] =
+			    (ctx->ctr_cb[0] & ~(ctx->ctr_upper_mask)) |
+			    upper_counter;
+		}
+
+		/*
+		 * XOR encrypted counter block with the current clear block.
+		 */
+		xor_block(blockp, lastp);
+
+		if (out == NULL) {
+			if (ctx->ctr_remainder_len > 0) {
+				bcopy(lastp, ctx->ctr_copy_to,
+				    ctx->ctr_remainder_len);
+				bcopy(lastp + ctx->ctr_remainder_len, datap,
+				    need);
+			}
+		} else {
+			crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
+			    &out_data_1_len, &out_data_2, block_size);
+
+			/* copy block to where it belongs */
+			bcopy(lastp, out_data_1, out_data_1_len);
+			if (out_data_2 != NULL) {
+				bcopy(lastp + out_data_1_len, out_data_2,
+				    block_size - out_data_1_len);
+			}
+			/* update offset */
+			out->cd_offset += block_size;
+		}
+
+		/* Update pointer to next block of data to be processed. */
+		if (ctx->ctr_remainder_len != 0) {
+			datap += need;
+			ctx->ctr_remainder_len = 0;
+		} else {
+			datap += block_size;
+		}
+
+		remainder = (size_t)&data[length] - (size_t)datap;
+
+		/* Incomplete last block. */
+		if (remainder > 0 && remainder < block_size) {
+			bcopy(datap, ctx->ctr_remainder, remainder);
+			ctx->ctr_remainder_len = remainder;
+			ctx->ctr_copy_to = datap;
+			goto out;
+		}
+		ctx->ctr_copy_to = NULL;
+
+	} while (remainder > 0);
+
+out:
+	return (CRYPTO_SUCCESS);
+}
+
+int
+ctr_mode_final(ctr_ctx_t *ctx, crypto_data_t *out,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *))
+{
+	uint8_t *lastp;
+	void *iov_or_mp;
+	offset_t offset;
+	uint8_t *out_data_1;
+	uint8_t *out_data_2;
+	size_t out_data_1_len;
+	uint8_t *p;
+	int i;
+
+	if (out->cd_length < ctx->ctr_remainder_len)
+		return (CRYPTO_DATA_LEN_RANGE);
+
+	encrypt_block(ctx->ctr_keysched, (uint8_t *)ctx->ctr_cb,
+	    (uint8_t *)ctx->ctr_tmp);
+
+	lastp = (uint8_t *)ctx->ctr_tmp;
+	p = (uint8_t *)ctx->ctr_remainder;
+	for (i = 0; i < ctx->ctr_remainder_len; i++) {
+		p[i] ^= lastp[i];
+	}
+
+	crypto_init_ptrs(out, &iov_or_mp, &offset);
+	crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
+	    &out_data_1_len, &out_data_2, ctx->ctr_remainder_len);
+
+	bcopy(p, out_data_1, out_data_1_len);
+	if (out_data_2 != NULL) {
+		bcopy((uint8_t *)p + out_data_1_len,
+		    out_data_2, ctx->ctr_remainder_len - out_data_1_len);
+	}
+	out->cd_offset += ctx->ctr_remainder_len;
+	ctx->ctr_remainder_len = 0;
+	return (CRYPTO_SUCCESS);
+}
+
+int
+ctr_init_ctx(ctr_ctx_t *ctr_ctx, ulong_t count, uint8_t *cb,
+void (*copy_block)(uint8_t *, uint8_t *))
+{
+	uint64_t upper_mask = 0;
+	uint64_t lower_mask = 0;
+
+	if (count == 0 || count > 128) {
+		return (CRYPTO_MECHANISM_PARAM_INVALID);
+	}
+	/* upper 64 bits of the mask */
+	if (count >= 64) {
+		count -= 64;
+		upper_mask = (count == 64) ? UINT64_MAX : (1ULL << count) - 1;
+		lower_mask = UINT64_MAX;
+	} else {
+		/* now the lower 63 bits */
+		lower_mask = (1ULL << count) - 1;
+	}
+	ctr_ctx->ctr_lower_mask = htonll(lower_mask);
+	ctr_ctx->ctr_upper_mask = htonll(upper_mask);
+
+	copy_block(cb, (uchar_t *)ctr_ctx->ctr_cb);
+	ctr_ctx->ctr_lastp = (uint8_t *)&ctr_ctx->ctr_cb[0];
+	ctr_ctx->ctr_flags |= CTR_MODE;
+	return (CRYPTO_SUCCESS);
+}
+
+/* ARGSUSED */
+void *
+ctr_alloc_ctx(int kmflag)
+{
+	ctr_ctx_t *ctr_ctx;
+
+	if ((ctr_ctx = kmem_zalloc(sizeof (ctr_ctx_t), kmflag)) == NULL)
+		return (NULL);
+
+	ctr_ctx->ctr_flags = CTR_MODE;
+	return (ctr_ctx);
+}
diff --git a/module/icp/algs/modes/ecb.c b/module/icp/algs/modes/ecb.c
new file mode 100644
index 000000000..04e6c5eaa
--- /dev/null
+++ b/module/icp/algs/modes/ecb.c
@@ -0,0 +1,143 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#include <sys/zfs_context.h>
+#include <modes/modes.h>
+#include <sys/crypto/common.h>
+#include <sys/crypto/impl.h>
+
+/*
+ * Algorithm independent ECB functions.
+ */
+int
+ecb_cipher_contiguous_blocks(ecb_ctx_t *ctx, char *data, size_t length,
+    crypto_data_t *out, size_t block_size,
+    int (*cipher)(const void *ks, const uint8_t *pt, uint8_t *ct))
+{
+	size_t remainder = length;
+	size_t need = 0;
+	uint8_t *datap = (uint8_t *)data;
+	uint8_t *blockp;
+	uint8_t *lastp;
+	void *iov_or_mp;
+	offset_t offset;
+	uint8_t *out_data_1;
+	uint8_t *out_data_2;
+	size_t out_data_1_len;
+
+	if (length + ctx->ecb_remainder_len < block_size) {
+		/* accumulate bytes here and return */
+		bcopy(datap,
+		    (uint8_t *)ctx->ecb_remainder + ctx->ecb_remainder_len,
+		    length);
+		ctx->ecb_remainder_len += length;
+		ctx->ecb_copy_to = datap;
+		return (CRYPTO_SUCCESS);
+	}
+
+	lastp = (uint8_t *)ctx->ecb_iv;
+	if (out != NULL)
+		crypto_init_ptrs(out, &iov_or_mp, &offset);
+
+	do {
+		/* Unprocessed data from last call. */
+		if (ctx->ecb_remainder_len > 0) {
+			need = block_size - ctx->ecb_remainder_len;
+
+			if (need > remainder)
+				return (CRYPTO_DATA_LEN_RANGE);
+
+			bcopy(datap, &((uint8_t *)ctx->ecb_remainder)
+			    [ctx->ecb_remainder_len], need);
+
+			blockp = (uint8_t *)ctx->ecb_remainder;
+		} else {
+			blockp = datap;
+		}
+
+		if (out == NULL) {
+			cipher(ctx->ecb_keysched, blockp, blockp);
+
+			ctx->ecb_lastp = blockp;
+			lastp = blockp;
+
+			if (ctx->ecb_remainder_len > 0) {
+				bcopy(blockp, ctx->ecb_copy_to,
+				    ctx->ecb_remainder_len);
+				bcopy(blockp + ctx->ecb_remainder_len, datap,
+				    need);
+			}
+		} else {
+			cipher(ctx->ecb_keysched, blockp, lastp);
+			crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
+			    &out_data_1_len, &out_data_2, block_size);
+
+			/* copy block to where it belongs */
+			bcopy(lastp, out_data_1, out_data_1_len);
+			if (out_data_2 != NULL) {
+				bcopy(lastp + out_data_1_len, out_data_2,
+				    block_size - out_data_1_len);
+			}
+			/* update offset */
+			out->cd_offset += block_size;
+		}
+
+		/* Update pointer to next block of data to be processed. */
+		if (ctx->ecb_remainder_len != 0) {
+			datap += need;
+			ctx->ecb_remainder_len = 0;
+		} else {
+			datap += block_size;
+		}
+
+		remainder = (size_t)&data[length] - (size_t)datap;
+
+		/* Incomplete last block. */
+		if (remainder > 0 && remainder < block_size) {
+			bcopy(datap, ctx->ecb_remainder, remainder);
+			ctx->ecb_remainder_len = remainder;
+			ctx->ecb_copy_to = datap;
+			goto out;
+		}
+		ctx->ecb_copy_to = NULL;
+
+	} while (remainder > 0);
+
+out:
+	return (CRYPTO_SUCCESS);
+}
+
+/* ARGSUSED */
+void *
+ecb_alloc_ctx(int kmflag)
+{
+	ecb_ctx_t *ecb_ctx;
+
+	if ((ecb_ctx = kmem_zalloc(sizeof (ecb_ctx_t), kmflag)) == NULL)
+		return (NULL);
+
+	ecb_ctx->ecb_flags = ECB_MODE;
+	return (ecb_ctx);
+}
diff --git a/module/icp/algs/modes/gcm.c b/module/icp/algs/modes/gcm.c
new file mode 100644
index 000000000..9cd8ab1e9
--- /dev/null
+++ b/module/icp/algs/modes/gcm.c
@@ -0,0 +1,748 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include <sys/zfs_context.h>
+#include <modes/modes.h>
+#include <sys/crypto/common.h>
+#include <sys/crypto/impl.h>
+#include <sys/byteorder.h>
+
+#ifdef __amd64
+
+#ifdef _KERNEL
+/* Workaround for no XMM kernel thread save/restore */
+#define	KPREEMPT_DISABLE	kpreempt_disable()
+#define	KPREEMPT_ENABLE		kpreempt_enable()
+
+#else
+#define	KPREEMPT_DISABLE
+#define	KPREEMPT_ENABLE
+#endif	/* _KERNEL */
+
+extern void gcm_mul_pclmulqdq(uint64_t *x_in, uint64_t *y, uint64_t *res);
+static int intel_pclmulqdq_instruction_present(void);
+#endif	/* __amd64 */
+
+struct aes_block {
+	uint64_t a;
+	uint64_t b;
+};
+
+
+/*
+ * gcm_mul()
+ * Perform a carry-less multiplication (that is, use XOR instead of the
+ * multiply operator) on *x_in and *y and place the result in *res.
+ *
+ * Byte swap the input (*x_in and *y) and the output (*res).
+ *
+ * Note: x_in, y, and res all point to 16-byte numbers (an array of two
+ * 64-bit integers).
+ */
+void
+gcm_mul(uint64_t *x_in, uint64_t *y, uint64_t *res)
+{
+#ifdef __amd64
+	if (intel_pclmulqdq_instruction_present()) {
+		KPREEMPT_DISABLE;
+		gcm_mul_pclmulqdq(x_in, y, res);
+		KPREEMPT_ENABLE;
+	} else
+#endif	/* __amd64 */
+	{
+		static const uint64_t R = 0xe100000000000000ULL;
+		struct aes_block z = {0, 0};
+		struct aes_block v;
+		uint64_t x;
+		int i, j;
+
+		v.a = ntohll(y[0]);
+		v.b = ntohll(y[1]);
+
+		for (j = 0; j < 2; j++) {
+			x = ntohll(x_in[j]);
+			for (i = 0; i < 64; i++, x <<= 1) {
+				if (x & 0x8000000000000000ULL) {
+					z.a ^= v.a;
+					z.b ^= v.b;
+				}
+				if (v.b & 1ULL) {
+					v.b = (v.a << 63)|(v.b >> 1);
+					v.a = (v.a >> 1) ^ R;
+				} else {
+					v.b = (v.a << 63)|(v.b >> 1);
+					v.a = v.a >> 1;
+				}
+			}
+		}
+		res[0] = htonll(z.a);
+		res[1] = htonll(z.b);
+	}
+}
+
+
+#define	GHASH(c, d, t) \
+	xor_block((uint8_t *)(d), (uint8_t *)(c)->gcm_ghash); \
+	gcm_mul((uint64_t *)(void *)(c)->gcm_ghash, (c)->gcm_H, \
+	(uint64_t *)(void *)(t));
+
+
+/*
+ * Encrypt multiple blocks of data in GCM mode.  Decrypt for GCM mode
+ * is done in another function.
+ */
+int
+gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length,
+    crypto_data_t *out, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t remainder = length;
+	size_t need = 0;
+	uint8_t *datap = (uint8_t *)data;
+	uint8_t *blockp;
+	uint8_t *lastp;
+	void *iov_or_mp;
+	offset_t offset;
+	uint8_t *out_data_1;
+	uint8_t *out_data_2;
+	size_t out_data_1_len;
+	uint64_t counter;
+	uint64_t counter_mask = ntohll(0x00000000ffffffffULL);
+
+	if (length + ctx->gcm_remainder_len < block_size) {
+		/* accumulate bytes here and return */
+		bcopy(datap,
+		    (uint8_t *)ctx->gcm_remainder + ctx->gcm_remainder_len,
+		    length);
+		ctx->gcm_remainder_len += length;
+		ctx->gcm_copy_to = datap;
+		return (CRYPTO_SUCCESS);
+	}
+
+	lastp = (uint8_t *)ctx->gcm_cb;
+	if (out != NULL)
+		crypto_init_ptrs(out, &iov_or_mp, &offset);
+
+	do {
+		/* Unprocessed data from last call. */
+		if (ctx->gcm_remainder_len > 0) {
+			need = block_size - ctx->gcm_remainder_len;
+
+			if (need > remainder)
+				return (CRYPTO_DATA_LEN_RANGE);
+
+			bcopy(datap, &((uint8_t *)ctx->gcm_remainder)
+			    [ctx->gcm_remainder_len], need);
+
+			blockp = (uint8_t *)ctx->gcm_remainder;
+		} else {
+			blockp = datap;
+		}
+
+		/*
+		 * Increment counter. Counter bits are confined
+		 * to the bottom 32 bits of the counter block.
+		 */
+		counter = ntohll(ctx->gcm_cb[1] & counter_mask);
+		counter = htonll(counter + 1);
+		counter &= counter_mask;
+		ctx->gcm_cb[1] = (ctx->gcm_cb[1] & ~counter_mask) | counter;
+
+		encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_cb,
+		    (uint8_t *)ctx->gcm_tmp);
+		xor_block(blockp, (uint8_t *)ctx->gcm_tmp);
+
+		lastp = (uint8_t *)ctx->gcm_tmp;
+
+		ctx->gcm_processed_data_len += block_size;
+
+		if (out == NULL) {
+			if (ctx->gcm_remainder_len > 0) {
+				bcopy(blockp, ctx->gcm_copy_to,
+				    ctx->gcm_remainder_len);
+				bcopy(blockp + ctx->gcm_remainder_len, datap,
+				    need);
+			}
+		} else {
+			crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
+			    &out_data_1_len, &out_data_2, block_size);
+
+			/* copy block to where it belongs */
+			if (out_data_1_len == block_size) {
+				copy_block(lastp, out_data_1);
+			} else {
+				bcopy(lastp, out_data_1, out_data_1_len);
+				if (out_data_2 != NULL) {
+					bcopy(lastp + out_data_1_len,
+					    out_data_2,
+					    block_size - out_data_1_len);
+				}
+			}
+			/* update offset */
+			out->cd_offset += block_size;
+		}
+
+		/* add ciphertext to the hash */
+		GHASH(ctx, ctx->gcm_tmp, ctx->gcm_ghash);
+
+		/* Update pointer to next block of data to be processed. */
+		if (ctx->gcm_remainder_len != 0) {
+			datap += need;
+			ctx->gcm_remainder_len = 0;
+		} else {
+			datap += block_size;
+		}
+
+		remainder = (size_t)&data[length] - (size_t)datap;
+
+		/* Incomplete last block. */
+		if (remainder > 0 && remainder < block_size) {
+			bcopy(datap, ctx->gcm_remainder, remainder);
+			ctx->gcm_remainder_len = remainder;
+			ctx->gcm_copy_to = datap;
+			goto out;
+		}
+		ctx->gcm_copy_to = NULL;
+
+	} while (remainder > 0);
+out:
+	return (CRYPTO_SUCCESS);
+}
+
+/* ARGSUSED */
+int
+gcm_encrypt_final(gcm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	uint64_t counter_mask = ntohll(0x00000000ffffffffULL);
+	uint8_t *ghash, *macp = NULL;
+	int i, rv;
+
+	if (out->cd_length <
+	    (ctx->gcm_remainder_len + ctx->gcm_tag_len)) {
+		return (CRYPTO_DATA_LEN_RANGE);
+	}
+
+	ghash = (uint8_t *)ctx->gcm_ghash;
+
+	if (ctx->gcm_remainder_len > 0) {
+		uint64_t counter;
+		uint8_t *tmpp = (uint8_t *)ctx->gcm_tmp;
+
+		/*
+		 * Here is where we deal with data that is not a
+		 * multiple of the block size.
+		 */
+
+		/*
+		 * Increment counter.
+		 */
+		counter = ntohll(ctx->gcm_cb[1] & counter_mask);
+		counter = htonll(counter + 1);
+		counter &= counter_mask;
+		ctx->gcm_cb[1] = (ctx->gcm_cb[1] & ~counter_mask) | counter;
+
+		encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_cb,
+		    (uint8_t *)ctx->gcm_tmp);
+
+		macp = (uint8_t *)ctx->gcm_remainder;
+		bzero(macp + ctx->gcm_remainder_len,
+		    block_size - ctx->gcm_remainder_len);
+
+		/* XOR with counter block */
+		for (i = 0; i < ctx->gcm_remainder_len; i++) {
+			macp[i] ^= tmpp[i];
+		}
+
+		/* add ciphertext to the hash */
+		GHASH(ctx, macp, ghash);
+
+		ctx->gcm_processed_data_len += ctx->gcm_remainder_len;
+	}
+
+	ctx->gcm_len_a_len_c[1] =
+	    htonll(CRYPTO_BYTES2BITS(ctx->gcm_processed_data_len));
+	GHASH(ctx, ctx->gcm_len_a_len_c, ghash);
+	encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_J0,
+	    (uint8_t *)ctx->gcm_J0);
+	xor_block((uint8_t *)ctx->gcm_J0, ghash);
+
+	if (ctx->gcm_remainder_len > 0) {
+		rv = crypto_put_output_data(macp, out, ctx->gcm_remainder_len);
+		if (rv != CRYPTO_SUCCESS)
+			return (rv);
+	}
+	out->cd_offset += ctx->gcm_remainder_len;
+	ctx->gcm_remainder_len = 0;
+	rv = crypto_put_output_data(ghash, out, ctx->gcm_tag_len);
+	if (rv != CRYPTO_SUCCESS)
+		return (rv);
+	out->cd_offset += ctx->gcm_tag_len;
+
+	return (CRYPTO_SUCCESS);
+}
+
+/*
+ * This will only deal with decrypting the last block of the input that
+ * might not be a multiple of block length.
+ */
+static void
+gcm_decrypt_incomplete_block(gcm_ctx_t *ctx, size_t block_size, size_t index,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	uint8_t *datap, *outp, *counterp;
+	uint64_t counter;
+	uint64_t counter_mask = ntohll(0x00000000ffffffffULL);
+	int i;
+
+	/*
+	 * Increment counter.
+	 * Counter bits are confined to the bottom 32 bits
+	 */
+	counter = ntohll(ctx->gcm_cb[1] & counter_mask);
+	counter = htonll(counter + 1);
+	counter &= counter_mask;
+	ctx->gcm_cb[1] = (ctx->gcm_cb[1] & ~counter_mask) | counter;
+
+	datap = (uint8_t *)ctx->gcm_remainder;
+	outp = &((ctx->gcm_pt_buf)[index]);
+	counterp = (uint8_t *)ctx->gcm_tmp;
+
+	/* authentication tag */
+	bzero((uint8_t *)ctx->gcm_tmp, block_size);
+	bcopy(datap, (uint8_t *)ctx->gcm_tmp, ctx->gcm_remainder_len);
+
+	/* add ciphertext to the hash */
+	GHASH(ctx, ctx->gcm_tmp, ctx->gcm_ghash);
+
+	/* decrypt remaining ciphertext */
+	encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_cb, counterp);
+
+	/* XOR with counter block */
+	for (i = 0; i < ctx->gcm_remainder_len; i++) {
+		outp[i] = datap[i] ^ counterp[i];
+	}
+}
+
+/* ARGSUSED */
+int
+gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length,
+    crypto_data_t *out, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t new_len;
+	uint8_t *new;
+
+	/*
+	 * Copy contiguous ciphertext input blocks to plaintext buffer.
+	 * Ciphertext will be decrypted in the final.
+	 */
+	if (length > 0) {
+		new_len = ctx->gcm_pt_buf_len + length;
+		new = vmem_alloc(new_len, ctx->gcm_kmflag);
+		bcopy(ctx->gcm_pt_buf, new, ctx->gcm_pt_buf_len);
+		vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len);
+		if (new == NULL)
+			return (CRYPTO_HOST_MEMORY);
+
+		ctx->gcm_pt_buf = new;
+		ctx->gcm_pt_buf_len = new_len;
+		bcopy(data, &ctx->gcm_pt_buf[ctx->gcm_processed_data_len],
+		    length);
+		ctx->gcm_processed_data_len += length;
+	}
+
+	ctx->gcm_remainder_len = 0;
+	return (CRYPTO_SUCCESS);
+}
+
+int
+gcm_decrypt_final(gcm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	size_t pt_len;
+	size_t remainder;
+	uint8_t *ghash;
+	uint8_t *blockp;
+	uint8_t *cbp;
+	uint64_t counter;
+	uint64_t counter_mask = ntohll(0x00000000ffffffffULL);
+	int processed = 0, rv;
+
+	ASSERT(ctx->gcm_processed_data_len == ctx->gcm_pt_buf_len);
+
+	pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
+	ghash = (uint8_t *)ctx->gcm_ghash;
+	blockp = ctx->gcm_pt_buf;
+	remainder = pt_len;
+	while (remainder > 0) {
+		/* Incomplete last block */
+		if (remainder < block_size) {
+			bcopy(blockp, ctx->gcm_remainder, remainder);
+			ctx->gcm_remainder_len = remainder;
+			/*
+			 * not expecting anymore ciphertext, just
+			 * compute plaintext for the remaining input
+			 */
+			gcm_decrypt_incomplete_block(ctx, block_size,
+			    processed, encrypt_block, xor_block);
+			ctx->gcm_remainder_len = 0;
+			goto out;
+		}
+		/* add ciphertext to the hash */
+		GHASH(ctx, blockp, ghash);
+
+		/*
+		 * Increment counter.
+		 * Counter bits are confined to the bottom 32 bits
+		 */
+		counter = ntohll(ctx->gcm_cb[1] & counter_mask);
+		counter = htonll(counter + 1);
+		counter &= counter_mask;
+		ctx->gcm_cb[1] = (ctx->gcm_cb[1] & ~counter_mask) | counter;
+
+		cbp = (uint8_t *)ctx->gcm_tmp;
+		encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_cb, cbp);
+
+		/* XOR with ciphertext */
+		xor_block(cbp, blockp);
+
+		processed += block_size;
+		blockp += block_size;
+		remainder -= block_size;
+	}
+out:
+	ctx->gcm_len_a_len_c[1] = htonll(CRYPTO_BYTES2BITS(pt_len));
+	GHASH(ctx, ctx->gcm_len_a_len_c, ghash);
+	encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_J0,
+	    (uint8_t *)ctx->gcm_J0);
+	xor_block((uint8_t *)ctx->gcm_J0, ghash);
+
+	/* compare the input authentication tag with what we calculated */
+	if (bcmp(&ctx->gcm_pt_buf[pt_len], ghash, ctx->gcm_tag_len)) {
+		/* They don't match */
+		return (CRYPTO_INVALID_MAC);
+	} else {
+		rv = crypto_put_output_data(ctx->gcm_pt_buf, out, pt_len);
+		if (rv != CRYPTO_SUCCESS)
+			return (rv);
+		out->cd_offset += pt_len;
+	}
+	return (CRYPTO_SUCCESS);
+}
+
+static int
+gcm_validate_args(CK_AES_GCM_PARAMS *gcm_param)
+{
+	size_t tag_len;
+
+	/*
+	 * Check the length of the authentication tag (in bits).
+	 */
+	tag_len = gcm_param->ulTagBits;
+	switch (tag_len) {
+	case 32:
+	case 64:
+	case 96:
+	case 104:
+	case 112:
+	case 120:
+	case 128:
+		break;
+	default:
+		return (CRYPTO_MECHANISM_PARAM_INVALID);
+	}
+
+	if (gcm_param->ulIvLen == 0)
+		return (CRYPTO_MECHANISM_PARAM_INVALID);
+
+	return (CRYPTO_SUCCESS);
+}
+
+static void
+gcm_format_initial_blocks(uchar_t *iv, ulong_t iv_len,
+    gcm_ctx_t *ctx, size_t block_size,
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	uint8_t *cb;
+	ulong_t remainder = iv_len;
+	ulong_t processed = 0;
+	uint8_t *datap, *ghash;
+	uint64_t len_a_len_c[2];
+
+	ghash = (uint8_t *)ctx->gcm_ghash;
+	cb = (uint8_t *)ctx->gcm_cb;
+	if (iv_len == 12) {
+		bcopy(iv, cb, 12);
+		cb[12] = 0;
+		cb[13] = 0;
+		cb[14] = 0;
+		cb[15] = 1;
+		/* J0 will be used again in the final */
+		copy_block(cb, (uint8_t *)ctx->gcm_J0);
+	} else {
+		/* GHASH the IV */
+		do {
+			if (remainder < block_size) {
+				bzero(cb, block_size);
+				bcopy(&(iv[processed]), cb, remainder);
+				datap = (uint8_t *)cb;
+				remainder = 0;
+			} else {
+				datap = (uint8_t *)(&(iv[processed]));
+				processed += block_size;
+				remainder -= block_size;
+			}
+			GHASH(ctx, datap, ghash);
+		} while (remainder > 0);
+
+		len_a_len_c[0] = 0;
+		len_a_len_c[1] = htonll(CRYPTO_BYTES2BITS(iv_len));
+		GHASH(ctx, len_a_len_c, ctx->gcm_J0);
+
+		/* J0 will be used again in the final */
+		copy_block((uint8_t *)ctx->gcm_J0, (uint8_t *)cb);
+	}
+}
+
+/*
+ * The following function is called at encrypt or decrypt init time
+ * for AES GCM mode.
+ */
+int
+gcm_init(gcm_ctx_t *ctx, unsigned char *iv, size_t iv_len,
+    unsigned char *auth_data, size_t auth_data_len, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	uint8_t *ghash, *datap, *authp;
+	size_t remainder, processed;
+
+	/* encrypt zero block to get subkey H */
+	bzero(ctx->gcm_H, sizeof (ctx->gcm_H));
+	encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_H,
+	    (uint8_t *)ctx->gcm_H);
+
+	gcm_format_initial_blocks(iv, iv_len, ctx, block_size,
+	    copy_block, xor_block);
+
+	authp = (uint8_t *)ctx->gcm_tmp;
+	ghash = (uint8_t *)ctx->gcm_ghash;
+	bzero(authp, block_size);
+	bzero(ghash, block_size);
+
+	processed = 0;
+	remainder = auth_data_len;
+	do {
+		if (remainder < block_size) {
+			/*
+			 * There's not a block full of data, pad rest of
+			 * buffer with zero
+			 */
+			bzero(authp, block_size);
+			bcopy(&(auth_data[processed]), authp, remainder);
+			datap = (uint8_t *)authp;
+			remainder = 0;
+		} else {
+			datap = (uint8_t *)(&(auth_data[processed]));
+			processed += block_size;
+			remainder -= block_size;
+		}
+
+		/* add auth data to the hash */
+		GHASH(ctx, datap, ghash);
+
+	} while (remainder > 0);
+
+	return (CRYPTO_SUCCESS);
+}
+
+int
+gcm_init_ctx(gcm_ctx_t *gcm_ctx, char *param, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	int rv;
+	CK_AES_GCM_PARAMS *gcm_param;
+
+	if (param != NULL) {
+		gcm_param = (CK_AES_GCM_PARAMS *)(void *)param;
+
+		if ((rv = gcm_validate_args(gcm_param)) != 0) {
+			return (rv);
+		}
+
+		gcm_ctx->gcm_tag_len = gcm_param->ulTagBits;
+		gcm_ctx->gcm_tag_len >>= 3;
+		gcm_ctx->gcm_processed_data_len = 0;
+
+		/* these values are in bits */
+		gcm_ctx->gcm_len_a_len_c[0]
+		    = htonll(CRYPTO_BYTES2BITS(gcm_param->ulAADLen));
+
+		rv = CRYPTO_SUCCESS;
+		gcm_ctx->gcm_flags |= GCM_MODE;
+	} else {
+		rv = CRYPTO_MECHANISM_PARAM_INVALID;
+		goto out;
+	}
+
+	if (gcm_init(gcm_ctx, gcm_param->pIv, gcm_param->ulIvLen,
+	    gcm_param->pAAD, gcm_param->ulAADLen, block_size,
+	    encrypt_block, copy_block, xor_block) != 0) {
+		rv = CRYPTO_MECHANISM_PARAM_INVALID;
+	}
+out:
+	return (rv);
+}
+
+int
+gmac_init_ctx(gcm_ctx_t *gcm_ctx, char *param, size_t block_size,
+    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
+    void (*copy_block)(uint8_t *, uint8_t *),
+    void (*xor_block)(uint8_t *, uint8_t *))
+{
+	int rv;
+	CK_AES_GMAC_PARAMS *gmac_param;
+
+	if (param != NULL) {
+		gmac_param = (CK_AES_GMAC_PARAMS *)(void *)param;
+
+		gcm_ctx->gcm_tag_len = CRYPTO_BITS2BYTES(AES_GMAC_TAG_BITS);
+		gcm_ctx->gcm_processed_data_len = 0;
+
+		/* these values are in bits */
+		gcm_ctx->gcm_len_a_len_c[0]
+		    = htonll(CRYPTO_BYTES2BITS(gmac_param->ulAADLen));
+
+		rv = CRYPTO_SUCCESS;
+		gcm_ctx->gcm_flags |= GMAC_MODE;
+	} else {
+		rv = CRYPTO_MECHANISM_PARAM_INVALID;
+		goto out;
+	}
+
+	if (gcm_init(gcm_ctx, gmac_param->pIv, AES_GMAC_IV_LEN,
+	    gmac_param->pAAD, gmac_param->ulAADLen, block_size,
+	    encrypt_block, copy_block, xor_block) != 0) {
+		rv = CRYPTO_MECHANISM_PARAM_INVALID;
+	}
+out:
+	return (rv);
+}
+
+void *
+gcm_alloc_ctx(int kmflag)
+{
+	gcm_ctx_t *gcm_ctx;
+
+	if ((gcm_ctx = kmem_zalloc(sizeof (gcm_ctx_t), kmflag)) == NULL)
+		return (NULL);
+
+	gcm_ctx->gcm_flags = GCM_MODE;
+	return (gcm_ctx);
+}
+
+void *
+gmac_alloc_ctx(int kmflag)
+{
+	gcm_ctx_t *gcm_ctx;
+
+	if ((gcm_ctx = kmem_zalloc(sizeof (gcm_ctx_t), kmflag)) == NULL)
+		return (NULL);
+
+	gcm_ctx->gcm_flags = GMAC_MODE;
+	return (gcm_ctx);
+}
+
+void
+gcm_set_kmflag(gcm_ctx_t *ctx, int kmflag)
+{
+	ctx->gcm_kmflag = kmflag;
+}
+
+
+#ifdef __amd64
+
+#define	INTEL_PCLMULQDQ_FLAG (1 << 1)
+
+/*
+ * Return 1 if executing on Intel with PCLMULQDQ instructions,
+ * otherwise 0 (i.e., Intel without PCLMULQDQ or AMD64).
+ * Cache the result, as the CPU can't change.
+ *
+ * Note: the userland version uses getisax().  The kernel version uses
+ * is_x86_featureset().
+ */
+static int
+intel_pclmulqdq_instruction_present(void)
+{
+	static int cached_result = -1;
+	unsigned eax, ebx, ecx, edx;
+	unsigned func, subfunc;
+
+	if (cached_result == -1) { /* first time */
+		/* check for an intel cpu */
+		func = 0;
+		subfunc = 0;
+
+		__asm__ __volatile__(
+		    "cpuid"
+		    : "=a" (eax), "=b" (ebx), "=c" (ecx), "=d" (edx)
+		    : "a"(func), "c"(subfunc));
+
+		if (memcmp((char *) (&ebx), "Genu", 4) == 0 &&
+		    memcmp((char *) (&edx), "ineI", 4) == 0 &&
+			memcmp((char *) (&ecx), "ntel", 4) == 0) {
+
+			func = 1;
+			subfunc = 0;
+
+			/* check for aes-ni instruction set */
+			__asm__ __volatile__(
+				"cpuid"
+				: "=a" (eax), "=b" (ebx), "=c" (ecx), "=d" (edx)
+				: "a"(func), "c"(subfunc));
+
+			cached_result = !!(ecx & INTEL_PCLMULQDQ_FLAG);
+		} else {
+			cached_result = 0;
+		}
+	}
+
+	return (cached_result);
+}
+
+#endif	/* __amd64 */
diff --git a/module/icp/algs/modes/modes.c b/module/icp/algs/modes/modes.c
new file mode 100644
index 000000000..1d33c4268
--- /dev/null
+++ b/module/icp/algs/modes/modes.c
@@ -0,0 +1,159 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#include <sys/zfs_context.h>
+#include <modes/modes.h>
+#include <sys/crypto/common.h>
+#include <sys/crypto/impl.h>
+
+/*
+ * Initialize by setting iov_or_mp to point to the current iovec or mp,
+ * and by setting current_offset to an offset within the current iovec or mp.
+ */
+void
+crypto_init_ptrs(crypto_data_t *out, void **iov_or_mp, offset_t *current_offset)
+{
+	offset_t offset;
+
+	switch (out->cd_format) {
+	case CRYPTO_DATA_RAW:
+		*current_offset = out->cd_offset;
+		break;
+
+	case CRYPTO_DATA_UIO: {
+		uio_t *uiop = out->cd_uio;
+		uintptr_t vec_idx;
+
+		offset = out->cd_offset;
+		for (vec_idx = 0; vec_idx < uiop->uio_iovcnt &&
+		    offset >= uiop->uio_iov[vec_idx].iov_len;
+		    offset -= uiop->uio_iov[vec_idx++].iov_len)
+			;
+
+		*current_offset = offset;
+		*iov_or_mp = (void *)vec_idx;
+		break;
+	}
+	} /* end switch */
+}
+
+/*
+ * Get pointers for where in the output to copy a block of encrypted or
+ * decrypted data.  The iov_or_mp argument stores a pointer to the current
+ * iovec or mp, and offset stores an offset into the current iovec or mp.
+ */
+void
+crypto_get_ptrs(crypto_data_t *out, void **iov_or_mp, offset_t *current_offset,
+    uint8_t **out_data_1, size_t *out_data_1_len, uint8_t **out_data_2,
+    size_t amt)
+{
+	offset_t offset;
+
+	switch (out->cd_format) {
+	case CRYPTO_DATA_RAW: {
+		iovec_t *iov;
+
+		offset = *current_offset;
+		iov = &out->cd_raw;
+		if ((offset + amt) <= iov->iov_len) {
+			/* one block fits */
+			*out_data_1 = (uint8_t *)iov->iov_base + offset;
+			*out_data_1_len = amt;
+			*out_data_2 = NULL;
+			*current_offset = offset + amt;
+		}
+		break;
+	}
+
+	case CRYPTO_DATA_UIO: {
+		uio_t *uio = out->cd_uio;
+		iovec_t *iov;
+		offset_t offset;
+		uintptr_t vec_idx;
+		uint8_t *p;
+
+		offset = *current_offset;
+		vec_idx = (uintptr_t)(*iov_or_mp);
+		iov = (iovec_t *)&uio->uio_iov[vec_idx];
+		p = (uint8_t *)iov->iov_base + offset;
+		*out_data_1 = p;
+
+		if (offset + amt <= iov->iov_len) {
+			/* can fit one block into this iov */
+			*out_data_1_len = amt;
+			*out_data_2 = NULL;
+			*current_offset = offset + amt;
+		} else {
+			/* one block spans two iovecs */
+			*out_data_1_len = iov->iov_len - offset;
+			if (vec_idx == uio->uio_iovcnt)
+				return;
+			vec_idx++;
+			iov = (iovec_t *)&uio->uio_iov[vec_idx];
+			*out_data_2 = (uint8_t *)iov->iov_base;
+			*current_offset = amt - *out_data_1_len;
+		}
+		*iov_or_mp = (void *)vec_idx;
+		break;
+	}
+	} /* end switch */
+}
+
+void
+crypto_free_mode_ctx(void *ctx)
+{
+	common_ctx_t *common_ctx = (common_ctx_t *)ctx;
+
+	switch (common_ctx->cc_flags &
+	    (ECB_MODE|CBC_MODE|CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) {
+	case ECB_MODE:
+		kmem_free(common_ctx, sizeof (ecb_ctx_t));
+		break;
+
+	case CBC_MODE:
+		kmem_free(common_ctx, sizeof (cbc_ctx_t));
+		break;
+
+	case CTR_MODE:
+		kmem_free(common_ctx, sizeof (ctr_ctx_t));
+		break;
+
+	case CCM_MODE:
+		if (((ccm_ctx_t *)ctx)->ccm_pt_buf != NULL)
+			vmem_free(((ccm_ctx_t *)ctx)->ccm_pt_buf,
+			    ((ccm_ctx_t *)ctx)->ccm_data_len);
+
+		kmem_free(ctx, sizeof (ccm_ctx_t));
+		break;
+
+	case GCM_MODE:
+	case GMAC_MODE:
+		if (((gcm_ctx_t *)ctx)->gcm_pt_buf != NULL)
+			vmem_free(((gcm_ctx_t *)ctx)->gcm_pt_buf,
+			    ((gcm_ctx_t *)ctx)->gcm_pt_buf_len);
+
+		kmem_free(ctx, sizeof (gcm_ctx_t));
+	}
+}