1/*	$OpenBSD: xform.c,v 1.61 2021/10/22 12:30:53 bluhm Exp $	*/
2/*
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de),
6 * Damien Miller (djm@mindrot.org) and
7 * Mike Belopuhov (mikeb@openbsd.org).
8 *
9 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
10 * in November 1995.
11 *
12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
13 * by Angelos D. Keromytis.
14 *
15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
16 * and Niels Provos.
17 *
18 * Additional features in 1999 by Angelos D. Keromytis.
19 *
20 * AES XTS implementation in 2008 by Damien Miller
21 *
22 * AES-GCM-16 and Chacha20-Poly1305 AEAD modes by Mike Belopuhov.
23 *
24 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
25 * Angelos D. Keromytis and Niels Provos.
26 *
27 * Copyright (C) 2001, Angelos D. Keromytis.
28 *
29 * Copyright (C) 2008, Damien Miller
30 *
31 * Copyright (C) 2010, 2015, Mike Belopuhov
32 *
33 * Permission to use, copy, and modify this software with or without fee
34 * is hereby granted, provided that this entire notice is included in
35 * all copies of any software which is or includes a copy or
36 * modification of this software.
37 * You may use this code under the GNU public license if you so wish. Please
38 * contribute changes back to the authors under this freer than GPL license
39 * so that we may further the use of strong encryption without limitations to
40 * all.
41 *
42 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
43 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
44 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
45 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
46 * PURPOSE.
47 */
48
49#include <sys/param.h>
50#include <sys/systm.h>
51#include <sys/errno.h>
52#include <sys/time.h>
53#include <sys/kernel.h>
54#include <machine/cpu.h>
55
56#include <crypto/md5.h>
57#include <crypto/sha1.h>
58#include <crypto/sha2.h>
59#include <crypto/rmd160.h>
60#include <crypto/blf.h>
61#include <crypto/cast.h>
62#include <crypto/rijndael.h>
63#include <crypto/aes.h>
64#include <crypto/cryptodev.h>
65#include <crypto/xform.h>
66#include <crypto/gmac.h>
67#include <crypto/chachapoly.h>
68
69extern void des_ecb3_encrypt(caddr_t, caddr_t, caddr_t, caddr_t, caddr_t, int);
70
71int  des_set_key(void *, caddr_t);
72int  des3_setkey(void *, u_int8_t *, int);
73int  blf_setkey(void *, u_int8_t *, int);
74int  cast5_setkey(void *, u_int8_t *, int);
75int  aes_setkey(void *, u_int8_t *, int);
76int  aes_ctr_setkey(void *, u_int8_t *, int);
77int  aes_xts_setkey(void *, u_int8_t *, int);
78int  null_setkey(void *, u_int8_t *, int);
79
80void des3_encrypt(caddr_t, u_int8_t *);
81void blf_encrypt(caddr_t, u_int8_t *);
82void cast5_encrypt(caddr_t, u_int8_t *);
83void aes_encrypt(caddr_t, u_int8_t *);
84void null_encrypt(caddr_t, u_int8_t *);
85void aes_xts_encrypt(caddr_t, u_int8_t *);
86
87void des3_decrypt(caddr_t, u_int8_t *);
88void blf_decrypt(caddr_t, u_int8_t *);
89void cast5_decrypt(caddr_t, u_int8_t *);
90void aes_decrypt(caddr_t, u_int8_t *);
91void null_decrypt(caddr_t, u_int8_t *);
92void aes_xts_decrypt(caddr_t, u_int8_t *);
93
94void aes_ctr_crypt(caddr_t, u_int8_t *);
95
96void aes_ctr_reinit(caddr_t, u_int8_t *);
97void aes_xts_reinit(caddr_t, u_int8_t *);
98void aes_gcm_reinit(caddr_t, u_int8_t *);
99
100int MD5Update_int(void *, const u_int8_t *, u_int16_t);
101int SHA1Update_int(void *, const u_int8_t *, u_int16_t);
102int RMD160Update_int(void *, const u_int8_t *, u_int16_t);
103int SHA256Update_int(void *, const u_int8_t *, u_int16_t);
104int SHA384Update_int(void *, const u_int8_t *, u_int16_t);
105int SHA512Update_int(void *, const u_int8_t *, u_int16_t);
106
107u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **);
108u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **);
109
110struct aes_ctr_ctx {
111	AES_CTX		ac_key;
112	u_int8_t	ac_block[AESCTR_BLOCKSIZE];
113};
114
115struct aes_xts_ctx {
116	rijndael_ctx key1;
117	rijndael_ctx key2;
118	u_int8_t tweak[AES_XTS_BLOCKSIZE];
119};
120
121/* Helper */
122void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int);
123
124/* Encryption instances */
125const struct enc_xform enc_xform_3des = {
126	CRYPTO_3DES_CBC, "3DES",
127	8, 8, 24, 24, 384,
128	des3_encrypt,
129	des3_decrypt,
130	des3_setkey,
131	NULL
132};
133
134const struct enc_xform enc_xform_blf = {
135	CRYPTO_BLF_CBC, "Blowfish",
136	8, 8, 5, 56 /* 448 bits, max key */,
137	sizeof(blf_ctx),
138	blf_encrypt,
139	blf_decrypt,
140	blf_setkey,
141	NULL
142};
143
144const struct enc_xform enc_xform_cast5 = {
145	CRYPTO_CAST_CBC, "CAST-128",
146	8, 8, 5, 16,
147	sizeof(cast_key),
148	cast5_encrypt,
149	cast5_decrypt,
150	cast5_setkey,
151	NULL
152};
153
154const struct enc_xform enc_xform_aes = {
155	CRYPTO_AES_CBC, "AES",
156	16, 16, 16, 32,
157	sizeof(AES_CTX),
158	aes_encrypt,
159	aes_decrypt,
160	aes_setkey,
161	NULL
162};
163
164const struct enc_xform enc_xform_aes_ctr = {
165	CRYPTO_AES_CTR, "AES-CTR",
166	16, 8, 16+4, 32+4,
167	sizeof(struct aes_ctr_ctx),
168	aes_ctr_crypt,
169	aes_ctr_crypt,
170	aes_ctr_setkey,
171	aes_ctr_reinit
172};
173
174const struct enc_xform enc_xform_aes_gcm = {
175	CRYPTO_AES_GCM_16, "AES-GCM",
176	1, 8, 16+4, 32+4,
177	sizeof(struct aes_ctr_ctx),
178	aes_ctr_crypt,
179	aes_ctr_crypt,
180	aes_ctr_setkey,
181	aes_gcm_reinit
182};
183
184const struct enc_xform enc_xform_aes_gmac = {
185	CRYPTO_AES_GMAC, "AES-GMAC",
186	1, 8, 16+4, 32+4, 0,
187	NULL,
188	NULL,
189	NULL,
190	NULL
191};
192
193const struct enc_xform enc_xform_aes_xts = {
194	CRYPTO_AES_XTS, "AES-XTS",
195	16, 8, 32, 64,
196	sizeof(struct aes_xts_ctx),
197	aes_xts_encrypt,
198	aes_xts_decrypt,
199	aes_xts_setkey,
200	aes_xts_reinit
201};
202
203const struct enc_xform enc_xform_chacha20_poly1305 = {
204	CRYPTO_CHACHA20_POLY1305, "CHACHA20-POLY1305",
205	1, 8, 32+4, 32+4,
206	sizeof(struct chacha20_ctx),
207	chacha20_crypt,
208	chacha20_crypt,
209	chacha20_setkey,
210	chacha20_reinit
211};
212
213const struct enc_xform enc_xform_null = {
214	CRYPTO_NULL, "NULL",
215	4, 0, 0, 256, 0,
216	null_encrypt,
217	null_decrypt,
218	null_setkey,
219	NULL
220};
221
222/* Authentication instances */
223const struct auth_hash auth_hash_hmac_md5_96 = {
224	CRYPTO_MD5_HMAC, "HMAC-MD5",
225	16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN,
226	(void (*) (void *)) MD5Init, NULL, NULL,
227	MD5Update_int,
228	(void (*) (u_int8_t *, void *)) MD5Final
229};
230
231const struct auth_hash auth_hash_hmac_sha1_96 = {
232	CRYPTO_SHA1_HMAC, "HMAC-SHA1",
233	20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN,
234	(void (*) (void *)) SHA1Init, NULL, NULL,
235	SHA1Update_int,
236	(void (*) (u_int8_t *, void *)) SHA1Final
237};
238
239const struct auth_hash auth_hash_hmac_ripemd_160_96 = {
240	CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
241	20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN,
242	(void (*)(void *)) RMD160Init, NULL, NULL,
243	RMD160Update_int,
244	(void (*)(u_int8_t *, void *)) RMD160Final
245};
246
247const struct auth_hash auth_hash_hmac_sha2_256_128 = {
248	CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
249	32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN,
250	(void (*)(void *)) SHA256Init, NULL, NULL,
251	SHA256Update_int,
252	(void (*)(u_int8_t *, void *)) SHA256Final
253};
254
255const struct auth_hash auth_hash_hmac_sha2_384_192 = {
256	CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
257	48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN,
258	(void (*)(void *)) SHA384Init, NULL, NULL,
259	SHA384Update_int,
260	(void (*)(u_int8_t *, void *)) SHA384Final
261};
262
263const struct auth_hash auth_hash_hmac_sha2_512_256 = {
264	CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
265	64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN,
266	(void (*)(void *)) SHA512Init, NULL, NULL,
267	SHA512Update_int,
268	(void (*)(u_int8_t *, void *)) SHA512Final
269};
270
271const struct auth_hash auth_hash_gmac_aes_128 = {
272	CRYPTO_AES_128_GMAC, "GMAC-AES-128",
273	16+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX),
274	AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit,
275	AES_GMAC_Update, AES_GMAC_Final
276};
277
278const struct auth_hash auth_hash_gmac_aes_192 = {
279	CRYPTO_AES_192_GMAC, "GMAC-AES-192",
280	24+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX),
281	AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit,
282	AES_GMAC_Update, AES_GMAC_Final
283};
284
285const struct auth_hash auth_hash_gmac_aes_256 = {
286	CRYPTO_AES_256_GMAC, "GMAC-AES-256",
287	32+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX),
288	AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit,
289	AES_GMAC_Update, AES_GMAC_Final
290};
291
292const struct auth_hash auth_hash_chacha20_poly1305 = {
293	CRYPTO_CHACHA20_POLY1305_MAC, "CHACHA20-POLY1305",
294	CHACHA20_KEYSIZE+CHACHA20_SALT, POLY1305_BLOCK_LEN, POLY1305_TAGLEN,
295	sizeof(CHACHA20_POLY1305_CTX), CHACHA20_BLOCK_LEN,
296	Chacha20_Poly1305_Init, Chacha20_Poly1305_Setkey,
297	Chacha20_Poly1305_Reinit, Chacha20_Poly1305_Update,
298	Chacha20_Poly1305_Final
299};
300
301/* Compression instance */
302const struct comp_algo comp_algo_deflate = {
303	CRYPTO_DEFLATE_COMP, "Deflate",
304	90, deflate_compress,
305	deflate_decompress
306};
307
308/*
309 * Encryption wrapper routines.
310 */
311void
312des3_encrypt(caddr_t key, u_int8_t *blk)
313{
314	des_ecb3_encrypt(blk, blk, key, key + 128, key + 256, 1);
315}
316
317void
318des3_decrypt(caddr_t key, u_int8_t *blk)
319{
320	des_ecb3_encrypt(blk, blk, key + 256, key + 128, key, 0);
321}
322
323int
324des3_setkey(void *sched, u_int8_t *key, int len)
325{
326	if (des_set_key(key, sched) < 0 || des_set_key(key + 8, sched + 128)
327	    < 0 || des_set_key(key + 16, sched + 256) < 0)
328		return -1;
329
330	return 0;
331}
332
333void
334blf_encrypt(caddr_t key, u_int8_t *blk)
335{
336	blf_ecb_encrypt((blf_ctx *) key, blk, 8);
337}
338
339void
340blf_decrypt(caddr_t key, u_int8_t *blk)
341{
342	blf_ecb_decrypt((blf_ctx *) key, blk, 8);
343}
344
345int
346blf_setkey(void *sched, u_int8_t *key, int len)
347{
348	blf_key((blf_ctx *)sched, key, len);
349
350	return 0;
351}
352
353int
354null_setkey(void *sched, u_int8_t *key, int len)
355{
356	return 0;
357}
358
359void
360null_encrypt(caddr_t key, u_int8_t *blk)
361{
362}
363
364void
365null_decrypt(caddr_t key, u_int8_t *blk)
366{
367}
368
369void
370cast5_encrypt(caddr_t key, u_int8_t *blk)
371{
372	cast_encrypt((cast_key *) key, blk, blk);
373}
374
375void
376cast5_decrypt(caddr_t key, u_int8_t *blk)
377{
378	cast_decrypt((cast_key *) key, blk, blk);
379}
380
381int
382cast5_setkey(void *sched, u_int8_t *key, int len)
383{
384	cast_setkey((cast_key *)sched, key, len);
385
386	return 0;
387}
388
389void
390aes_encrypt(caddr_t key, u_int8_t *blk)
391{
392	AES_Encrypt((AES_CTX *)key, blk, blk);
393}
394
395void
396aes_decrypt(caddr_t key, u_int8_t *blk)
397{
398	AES_Decrypt((AES_CTX *)key, blk, blk);
399}
400
401int
402aes_setkey(void *sched, u_int8_t *key, int len)
403{
404	return AES_Setkey((AES_CTX *)sched, key, len);
405}
406
407void
408aes_ctr_reinit(caddr_t key, u_int8_t *iv)
409{
410	struct aes_ctr_ctx *ctx;
411
412	ctx = (struct aes_ctr_ctx *)key;
413	bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE);
414
415	/* reset counter */
416	bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4);
417}
418
419void
420aes_gcm_reinit(caddr_t key, u_int8_t *iv)
421{
422	struct aes_ctr_ctx *ctx;
423
424	ctx = (struct aes_ctr_ctx *)key;
425	bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE);
426
427	/* reset counter */
428	bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4);
429	ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */
430}
431
432void
433aes_ctr_crypt(caddr_t key, u_int8_t *data)
434{
435	struct aes_ctr_ctx *ctx;
436	u_int8_t keystream[AESCTR_BLOCKSIZE];
437	int i;
438
439	ctx = (struct aes_ctr_ctx *)key;
440	/* increment counter */
441	for (i = AESCTR_BLOCKSIZE - 1;
442	     i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--)
443		if (++ctx->ac_block[i])   /* continue on overflow */
444			break;
445	AES_Encrypt(&ctx->ac_key, ctx->ac_block, keystream);
446	for (i = 0; i < AESCTR_BLOCKSIZE; i++)
447		data[i] ^= keystream[i];
448	explicit_bzero(keystream, sizeof(keystream));
449}
450
451int
452aes_ctr_setkey(void *sched, u_int8_t *key, int len)
453{
454	struct aes_ctr_ctx *ctx;
455
456	if (len < AESCTR_NONCESIZE)
457		return -1;
458
459	ctx = (struct aes_ctr_ctx *)sched;
460	if (AES_Setkey(&ctx->ac_key, key, len - AESCTR_NONCESIZE) != 0)
461		return -1;
462	bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE);
463	return 0;
464}
465
466void
467aes_xts_reinit(caddr_t key, u_int8_t *iv)
468{
469	struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key;
470	u_int64_t blocknum;
471	u_int i;
472
473	/*
474	 * Prepare tweak as E_k2(IV). IV is specified as LE representation
475	 * of a 64-bit block number which we allow to be passed in directly.
476	 */
477	memcpy(&blocknum, iv, AES_XTS_IVSIZE);
478	for (i = 0; i < AES_XTS_IVSIZE; i++) {
479		ctx->tweak[i] = blocknum & 0xff;
480		blocknum >>= 8;
481	}
482	/* Last 64 bits of IV are always zero */
483	bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE);
484
485	rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak);
486}
487
488void
489aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt)
490{
491	u_int8_t block[AES_XTS_BLOCKSIZE];
492	u_int i, carry_in, carry_out;
493
494	for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
495		block[i] = data[i] ^ ctx->tweak[i];
496
497	if (do_encrypt)
498		rijndael_encrypt(&ctx->key1, block, data);
499	else
500		rijndael_decrypt(&ctx->key1, block, data);
501
502	for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
503		data[i] ^= ctx->tweak[i];
504
505	/* Exponentiate tweak */
506	carry_in = 0;
507	for (i = 0; i < AES_XTS_BLOCKSIZE; i++) {
508		carry_out = ctx->tweak[i] & 0x80;
509		ctx->tweak[i] = (ctx->tweak[i] << 1) | carry_in;
510		carry_in = carry_out >> 7;
511	}
512	ctx->tweak[0] ^= (AES_XTS_ALPHA & -carry_in);
513	explicit_bzero(block, sizeof(block));
514}
515
516void
517aes_xts_encrypt(caddr_t key, u_int8_t *data)
518{
519	aes_xts_crypt((struct aes_xts_ctx *)key, data, 1);
520}
521
522void
523aes_xts_decrypt(caddr_t key, u_int8_t *data)
524{
525	aes_xts_crypt((struct aes_xts_ctx *)key, data, 0);
526}
527
528int
529aes_xts_setkey(void *sched, u_int8_t *key, int len)
530{
531	struct aes_xts_ctx *ctx;
532
533	if (len != 32 && len != 64)
534		return -1;
535
536	ctx = (struct aes_xts_ctx *)sched;
537
538	rijndael_set_key(&ctx->key1, key, len * 4);
539	rijndael_set_key(&ctx->key2, key + (len / 2), len * 4);
540
541	return 0;
542}
543
544/*
545 * And now for auth.
546 */
547
548int
549RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
550{
551	RMD160Update(ctx, buf, len);
552	return 0;
553}
554
555int
556MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
557{
558	MD5Update(ctx, buf, len);
559	return 0;
560}
561
562int
563SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
564{
565	SHA1Update(ctx, buf, len);
566	return 0;
567}
568
569int
570SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
571{
572	SHA256Update(ctx, buf, len);
573	return 0;
574}
575
576int
577SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
578{
579	SHA384Update(ctx, buf, len);
580	return 0;
581}
582
583int
584SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
585{
586	SHA512Update(ctx, buf, len);
587	return 0;
588}
589
590
591u_int32_t deflate_global(u_int8_t *, u_int32_t, int, u_int8_t **);
592
593struct deflate_buf {
594        u_int8_t *out;
595        u_int32_t size;
596        int flag;
597};
598
599/*
600 * And compression
601 */
602
603u_int32_t
604deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out)
605{
606	return deflate_global(data, size, 0, out);
607}
608
609u_int32_t
610deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out)
611{
612	return deflate_global(data, size, 1, out);
613}
614