1 /* $OpenBSD: xform.c,v 1.59 2018/04/09 04:34:56 visa Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de), 6 * Damien Miller (djm@mindrot.org) and 7 * Mike Belopuhov (mikeb@openbsd.org). 8 * 9 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 10 * in November 1995. 11 * 12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 13 * by Angelos D. Keromytis. 14 * 15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 16 * and Niels Provos. 17 * 18 * Additional features in 1999 by Angelos D. Keromytis. 19 * 20 * AES XTS implementation in 2008 by Damien Miller 21 * 22 * AES-GCM-16 and Chacha20-Poly1305 AEAD modes by Mike Belopuhov. 23 * 24 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 25 * Angelos D. Keromytis and Niels Provos. 26 * 27 * Copyright (C) 2001, Angelos D. Keromytis. 28 * 29 * Copyright (C) 2008, Damien Miller 30 * 31 * Copyright (C) 2010, 2015, Mike Belopuhov 32 * 33 * Permission to use, copy, and modify this software with or without fee 34 * is hereby granted, provided that this entire notice is included in 35 * all copies of any software which is or includes a copy or 36 * modification of this software. 37 * You may use this code under the GNU public license if you so wish. Please 38 * contribute changes back to the authors under this freer than GPL license 39 * so that we may further the use of strong encryption without limitations to 40 * all. 41 * 42 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 43 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 44 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 45 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 46 * PURPOSE. 47 */ 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/errno.h> 52 #include <sys/time.h> 53 #include <sys/kernel.h> 54 #include <machine/cpu.h> 55 56 #include <crypto/md5.h> 57 #include <crypto/sha1.h> 58 #include <crypto/sha2.h> 59 #include <crypto/rmd160.h> 60 #include <crypto/blf.h> 61 #include <crypto/cast.h> 62 #include <crypto/rijndael.h> 63 #include <crypto/aes.h> 64 #include <crypto/cryptodev.h> 65 #include <crypto/xform.h> 66 #include <crypto/gmac.h> 67 #include <crypto/chachapoly.h> 68 69 extern void des_ecb3_encrypt(caddr_t, caddr_t, caddr_t, caddr_t, caddr_t, int); 70 71 int des_set_key(void *, caddr_t); 72 int des3_setkey(void *, u_int8_t *, int); 73 int blf_setkey(void *, u_int8_t *, int); 74 int cast5_setkey(void *, u_int8_t *, int); 75 int aes_setkey(void *, u_int8_t *, int); 76 int aes_ctr_setkey(void *, u_int8_t *, int); 77 int aes_xts_setkey(void *, u_int8_t *, int); 78 int null_setkey(void *, u_int8_t *, int); 79 80 void des3_encrypt(caddr_t, u_int8_t *); 81 void blf_encrypt(caddr_t, u_int8_t *); 82 void cast5_encrypt(caddr_t, u_int8_t *); 83 void aes_encrypt(caddr_t, u_int8_t *); 84 void null_encrypt(caddr_t, u_int8_t *); 85 void aes_xts_encrypt(caddr_t, u_int8_t *); 86 87 void des3_decrypt(caddr_t, u_int8_t *); 88 void blf_decrypt(caddr_t, u_int8_t *); 89 void cast5_decrypt(caddr_t, u_int8_t *); 90 void aes_decrypt(caddr_t, u_int8_t *); 91 void null_decrypt(caddr_t, u_int8_t *); 92 void aes_xts_decrypt(caddr_t, u_int8_t *); 93 94 void aes_ctr_crypt(caddr_t, u_int8_t *); 95 96 void aes_ctr_reinit(caddr_t, u_int8_t *); 97 void aes_xts_reinit(caddr_t, u_int8_t *); 98 void aes_gcm_reinit(caddr_t, u_int8_t *); 99 100 int MD5Update_int(void *, const u_int8_t *, u_int16_t); 101 int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 102 int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 103 int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 104 int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 105 int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 106 107 u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 108 u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 109 u_int32_t lzs_dummy(u_int8_t *, u_int32_t, u_int8_t **); 110 111 struct aes_ctr_ctx { 112 AES_CTX ac_key; 113 u_int8_t ac_block[AESCTR_BLOCKSIZE]; 114 }; 115 116 struct aes_xts_ctx { 117 rijndael_ctx key1; 118 rijndael_ctx key2; 119 u_int8_t tweak[AES_XTS_BLOCKSIZE]; 120 }; 121 122 /* Helper */ 123 void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int); 124 125 /* Encryption instances */ 126 struct enc_xform enc_xform_3des = { 127 CRYPTO_3DES_CBC, "3DES", 128 8, 8, 24, 24, 384, 129 des3_encrypt, 130 des3_decrypt, 131 des3_setkey, 132 NULL 133 }; 134 135 struct enc_xform enc_xform_blf = { 136 CRYPTO_BLF_CBC, "Blowfish", 137 8, 8, 5, 56 /* 448 bits, max key */, 138 sizeof(blf_ctx), 139 blf_encrypt, 140 blf_decrypt, 141 blf_setkey, 142 NULL 143 }; 144 145 struct enc_xform enc_xform_cast5 = { 146 CRYPTO_CAST_CBC, "CAST-128", 147 8, 8, 5, 16, 148 sizeof(cast_key), 149 cast5_encrypt, 150 cast5_decrypt, 151 cast5_setkey, 152 NULL 153 }; 154 155 struct enc_xform enc_xform_aes = { 156 CRYPTO_AES_CBC, "AES", 157 16, 16, 16, 32, 158 sizeof(AES_CTX), 159 aes_encrypt, 160 aes_decrypt, 161 aes_setkey, 162 NULL 163 }; 164 165 struct enc_xform enc_xform_aes_ctr = { 166 CRYPTO_AES_CTR, "AES-CTR", 167 16, 8, 16+4, 32+4, 168 sizeof(struct aes_ctr_ctx), 169 aes_ctr_crypt, 170 aes_ctr_crypt, 171 aes_ctr_setkey, 172 aes_ctr_reinit 173 }; 174 175 struct enc_xform enc_xform_aes_gcm = { 176 CRYPTO_AES_GCM_16, "AES-GCM", 177 1, 8, 16+4, 32+4, 178 sizeof(struct aes_ctr_ctx), 179 aes_ctr_crypt, 180 aes_ctr_crypt, 181 aes_ctr_setkey, 182 aes_gcm_reinit 183 }; 184 185 struct enc_xform enc_xform_aes_gmac = { 186 CRYPTO_AES_GMAC, "AES-GMAC", 187 1, 8, 16+4, 32+4, 0, 188 NULL, 189 NULL, 190 NULL, 191 NULL 192 }; 193 194 struct enc_xform enc_xform_aes_xts = { 195 CRYPTO_AES_XTS, "AES-XTS", 196 16, 8, 32, 64, 197 sizeof(struct aes_xts_ctx), 198 aes_xts_encrypt, 199 aes_xts_decrypt, 200 aes_xts_setkey, 201 aes_xts_reinit 202 }; 203 204 struct enc_xform enc_xform_chacha20_poly1305 = { 205 CRYPTO_CHACHA20_POLY1305, "CHACHA20-POLY1305", 206 1, 8, 32+4, 32+4, 207 sizeof(struct chacha20_ctx), 208 chacha20_crypt, 209 chacha20_crypt, 210 chacha20_setkey, 211 chacha20_reinit 212 }; 213 214 struct enc_xform enc_xform_null = { 215 CRYPTO_NULL, "NULL", 216 4, 0, 0, 256, 0, 217 null_encrypt, 218 null_decrypt, 219 null_setkey, 220 NULL 221 }; 222 223 /* Authentication instances */ 224 struct auth_hash auth_hash_hmac_md5_96 = { 225 CRYPTO_MD5_HMAC, "HMAC-MD5", 226 16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN, 227 (void (*) (void *)) MD5Init, NULL, NULL, 228 MD5Update_int, 229 (void (*) (u_int8_t *, void *)) MD5Final 230 }; 231 232 struct auth_hash auth_hash_hmac_sha1_96 = { 233 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 234 20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN, 235 (void (*) (void *)) SHA1Init, NULL, NULL, 236 SHA1Update_int, 237 (void (*) (u_int8_t *, void *)) SHA1Final 238 }; 239 240 struct auth_hash auth_hash_hmac_ripemd_160_96 = { 241 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 242 20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN, 243 (void (*)(void *)) RMD160Init, NULL, NULL, 244 RMD160Update_int, 245 (void (*)(u_int8_t *, void *)) RMD160Final 246 }; 247 248 struct auth_hash auth_hash_hmac_sha2_256_128 = { 249 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 250 32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN, 251 (void (*)(void *)) SHA256Init, NULL, NULL, 252 SHA256Update_int, 253 (void (*)(u_int8_t *, void *)) SHA256Final 254 }; 255 256 struct auth_hash auth_hash_hmac_sha2_384_192 = { 257 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 258 48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN, 259 (void (*)(void *)) SHA384Init, NULL, NULL, 260 SHA384Update_int, 261 (void (*)(u_int8_t *, void *)) SHA384Final 262 }; 263 264 struct auth_hash auth_hash_hmac_sha2_512_256 = { 265 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 266 64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN, 267 (void (*)(void *)) SHA512Init, NULL, NULL, 268 SHA512Update_int, 269 (void (*)(u_int8_t *, void *)) SHA512Final 270 }; 271 272 struct auth_hash auth_hash_gmac_aes_128 = { 273 CRYPTO_AES_128_GMAC, "GMAC-AES-128", 274 16+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), 275 AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, 276 AES_GMAC_Update, AES_GMAC_Final 277 }; 278 279 struct auth_hash auth_hash_gmac_aes_192 = { 280 CRYPTO_AES_192_GMAC, "GMAC-AES-192", 281 24+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), 282 AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, 283 AES_GMAC_Update, AES_GMAC_Final 284 }; 285 286 struct auth_hash auth_hash_gmac_aes_256 = { 287 CRYPTO_AES_256_GMAC, "GMAC-AES-256", 288 32+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), 289 AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, 290 AES_GMAC_Update, AES_GMAC_Final 291 }; 292 293 struct auth_hash auth_hash_chacha20_poly1305 = { 294 CRYPTO_CHACHA20_POLY1305_MAC, "CHACHA20-POLY1305", 295 CHACHA20_KEYSIZE+CHACHA20_SALT, POLY1305_BLOCK_LEN, POLY1305_TAGLEN, 296 sizeof(CHACHA20_POLY1305_CTX), CHACHA20_BLOCK_LEN, 297 Chacha20_Poly1305_Init, Chacha20_Poly1305_Setkey, 298 Chacha20_Poly1305_Reinit, Chacha20_Poly1305_Update, 299 Chacha20_Poly1305_Final 300 }; 301 302 /* Compression instance */ 303 struct comp_algo comp_algo_deflate = { 304 CRYPTO_DEFLATE_COMP, "Deflate", 305 90, deflate_compress, 306 deflate_decompress 307 }; 308 309 struct comp_algo comp_algo_lzs = { 310 CRYPTO_LZS_COMP, "LZS", 311 90, lzs_dummy, 312 lzs_dummy 313 }; 314 315 /* 316 * Encryption wrapper routines. 317 */ 318 void 319 des3_encrypt(caddr_t key, u_int8_t *blk) 320 { 321 des_ecb3_encrypt(blk, blk, key, key + 128, key + 256, 1); 322 } 323 324 void 325 des3_decrypt(caddr_t key, u_int8_t *blk) 326 { 327 des_ecb3_encrypt(blk, blk, key + 256, key + 128, key, 0); 328 } 329 330 int 331 des3_setkey(void *sched, u_int8_t *key, int len) 332 { 333 if (des_set_key(key, sched) < 0 || des_set_key(key + 8, sched + 128) 334 < 0 || des_set_key(key + 16, sched + 256) < 0) 335 return -1; 336 337 return 0; 338 } 339 340 void 341 blf_encrypt(caddr_t key, u_int8_t *blk) 342 { 343 blf_ecb_encrypt((blf_ctx *) key, blk, 8); 344 } 345 346 void 347 blf_decrypt(caddr_t key, u_int8_t *blk) 348 { 349 blf_ecb_decrypt((blf_ctx *) key, blk, 8); 350 } 351 352 int 353 blf_setkey(void *sched, u_int8_t *key, int len) 354 { 355 blf_key((blf_ctx *)sched, key, len); 356 357 return 0; 358 } 359 360 int 361 null_setkey(void *sched, u_int8_t *key, int len) 362 { 363 return 0; 364 } 365 366 void 367 null_encrypt(caddr_t key, u_int8_t *blk) 368 { 369 } 370 371 void 372 null_decrypt(caddr_t key, u_int8_t *blk) 373 { 374 } 375 376 void 377 cast5_encrypt(caddr_t key, u_int8_t *blk) 378 { 379 cast_encrypt((cast_key *) key, blk, blk); 380 } 381 382 void 383 cast5_decrypt(caddr_t key, u_int8_t *blk) 384 { 385 cast_decrypt((cast_key *) key, blk, blk); 386 } 387 388 int 389 cast5_setkey(void *sched, u_int8_t *key, int len) 390 { 391 cast_setkey((cast_key *)sched, key, len); 392 393 return 0; 394 } 395 396 void 397 aes_encrypt(caddr_t key, u_int8_t *blk) 398 { 399 AES_Encrypt((AES_CTX *)key, blk, blk); 400 } 401 402 void 403 aes_decrypt(caddr_t key, u_int8_t *blk) 404 { 405 AES_Decrypt((AES_CTX *)key, blk, blk); 406 } 407 408 int 409 aes_setkey(void *sched, u_int8_t *key, int len) 410 { 411 return AES_Setkey((AES_CTX *)sched, key, len); 412 } 413 414 void 415 aes_ctr_reinit(caddr_t key, u_int8_t *iv) 416 { 417 struct aes_ctr_ctx *ctx; 418 419 ctx = (struct aes_ctr_ctx *)key; 420 bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE); 421 422 /* reset counter */ 423 bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4); 424 } 425 426 void 427 aes_gcm_reinit(caddr_t key, u_int8_t *iv) 428 { 429 struct aes_ctr_ctx *ctx; 430 431 ctx = (struct aes_ctr_ctx *)key; 432 bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE); 433 434 /* reset counter */ 435 bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4); 436 ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ 437 } 438 439 void 440 aes_ctr_crypt(caddr_t key, u_int8_t *data) 441 { 442 struct aes_ctr_ctx *ctx; 443 u_int8_t keystream[AESCTR_BLOCKSIZE]; 444 int i; 445 446 ctx = (struct aes_ctr_ctx *)key; 447 /* increment counter */ 448 for (i = AESCTR_BLOCKSIZE - 1; 449 i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) 450 if (++ctx->ac_block[i]) /* continue on overflow */ 451 break; 452 AES_Encrypt(&ctx->ac_key, ctx->ac_block, keystream); 453 for (i = 0; i < AESCTR_BLOCKSIZE; i++) 454 data[i] ^= keystream[i]; 455 explicit_bzero(keystream, sizeof(keystream)); 456 } 457 458 int 459 aes_ctr_setkey(void *sched, u_int8_t *key, int len) 460 { 461 struct aes_ctr_ctx *ctx; 462 463 if (len < AESCTR_NONCESIZE) 464 return -1; 465 466 ctx = (struct aes_ctr_ctx *)sched; 467 if (AES_Setkey(&ctx->ac_key, key, len - AESCTR_NONCESIZE) != 0) 468 return -1; 469 bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE); 470 return 0; 471 } 472 473 void 474 aes_xts_reinit(caddr_t key, u_int8_t *iv) 475 { 476 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 477 u_int64_t blocknum; 478 u_int i; 479 480 /* 481 * Prepare tweak as E_k2(IV). IV is specified as LE representation 482 * of a 64-bit block number which we allow to be passed in directly. 483 */ 484 memcpy(&blocknum, iv, AES_XTS_IVSIZE); 485 for (i = 0; i < AES_XTS_IVSIZE; i++) { 486 ctx->tweak[i] = blocknum & 0xff; 487 blocknum >>= 8; 488 } 489 /* Last 64 bits of IV are always zero */ 490 bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); 491 492 rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); 493 } 494 495 void 496 aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) 497 { 498 u_int8_t block[AES_XTS_BLOCKSIZE]; 499 u_int i, carry_in, carry_out; 500 501 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 502 block[i] = data[i] ^ ctx->tweak[i]; 503 504 if (do_encrypt) 505 rijndael_encrypt(&ctx->key1, block, data); 506 else 507 rijndael_decrypt(&ctx->key1, block, data); 508 509 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 510 data[i] ^= ctx->tweak[i]; 511 512 /* Exponentiate tweak */ 513 carry_in = 0; 514 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { 515 carry_out = ctx->tweak[i] & 0x80; 516 ctx->tweak[i] = (ctx->tweak[i] << 1) | carry_in; 517 carry_in = carry_out >> 7; 518 } 519 ctx->tweak[0] ^= (AES_XTS_ALPHA & -carry_in); 520 explicit_bzero(block, sizeof(block)); 521 } 522 523 void 524 aes_xts_encrypt(caddr_t key, u_int8_t *data) 525 { 526 aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); 527 } 528 529 void 530 aes_xts_decrypt(caddr_t key, u_int8_t *data) 531 { 532 aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); 533 } 534 535 int 536 aes_xts_setkey(void *sched, u_int8_t *key, int len) 537 { 538 struct aes_xts_ctx *ctx; 539 540 if (len != 32 && len != 64) 541 return -1; 542 543 ctx = (struct aes_xts_ctx *)sched; 544 545 rijndael_set_key(&ctx->key1, key, len * 4); 546 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 547 548 return 0; 549 } 550 551 /* 552 * And now for auth. 553 */ 554 555 int 556 RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 557 { 558 RMD160Update(ctx, buf, len); 559 return 0; 560 } 561 562 int 563 MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 564 { 565 MD5Update(ctx, buf, len); 566 return 0; 567 } 568 569 int 570 SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 571 { 572 SHA1Update(ctx, buf, len); 573 return 0; 574 } 575 576 int 577 SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 578 { 579 SHA256Update(ctx, buf, len); 580 return 0; 581 } 582 583 int 584 SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 585 { 586 SHA384Update(ctx, buf, len); 587 return 0; 588 } 589 590 int 591 SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 592 { 593 SHA512Update(ctx, buf, len); 594 return 0; 595 } 596 597 598 u_int32_t deflate_global(u_int8_t *, u_int32_t, int, u_int8_t **); 599 600 struct deflate_buf { 601 u_int8_t *out; 602 u_int32_t size; 603 int flag; 604 }; 605 606 /* 607 * And compression 608 */ 609 610 u_int32_t 611 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 612 { 613 return deflate_global(data, size, 0, out); 614 } 615 616 u_int32_t 617 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out) 618 { 619 return deflate_global(data, size, 1, out); 620 } 621 622 u_int32_t 623 lzs_dummy(u_int8_t *data, u_int32_t size, u_int8_t **out) 624 { 625 *out = NULL; 626 return (0); 627 } 628