1/* $OpenBSD: xform.c,v 1.61 2021/10/22 12:30:53 bluhm Exp $ */ 2/* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de), 6 * Damien Miller (djm@mindrot.org) and 7 * Mike Belopuhov (mikeb@openbsd.org). 8 * 9 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 10 * in November 1995. 11 * 12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 13 * by Angelos D. Keromytis. 14 * 15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 16 * and Niels Provos. 17 * 18 * Additional features in 1999 by Angelos D. Keromytis. 19 * 20 * AES XTS implementation in 2008 by Damien Miller 21 * 22 * AES-GCM-16 and Chacha20-Poly1305 AEAD modes by Mike Belopuhov. 23 * 24 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 25 * Angelos D. Keromytis and Niels Provos. 26 * 27 * Copyright (C) 2001, Angelos D. Keromytis. 28 * 29 * Copyright (C) 2008, Damien Miller 30 * 31 * Copyright (C) 2010, 2015, Mike Belopuhov 32 * 33 * Permission to use, copy, and modify this software with or without fee 34 * is hereby granted, provided that this entire notice is included in 35 * all copies of any software which is or includes a copy or 36 * modification of this software. 37 * You may use this code under the GNU public license if you so wish. Please 38 * contribute changes back to the authors under this freer than GPL license 39 * so that we may further the use of strong encryption without limitations to 40 * all. 41 * 42 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 43 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 44 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 45 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 46 * PURPOSE. 47 */ 48 49#include <sys/param.h> 50#include <sys/systm.h> 51#include <sys/errno.h> 52#include <sys/time.h> 53#include <sys/kernel.h> 54#include <machine/cpu.h> 55 56#include <crypto/md5.h> 57#include <crypto/sha1.h> 58#include <crypto/sha2.h> 59#include <crypto/rmd160.h> 60#include <crypto/blf.h> 61#include <crypto/cast.h> 62#include <crypto/rijndael.h> 63#include <crypto/aes.h> 64#include <crypto/cryptodev.h> 65#include <crypto/xform.h> 66#include <crypto/gmac.h> 67#include <crypto/chachapoly.h> 68 69extern void des_ecb3_encrypt(caddr_t, caddr_t, caddr_t, caddr_t, caddr_t, int); 70 71int des_set_key(void *, caddr_t); 72int des3_setkey(void *, u_int8_t *, int); 73int blf_setkey(void *, u_int8_t *, int); 74int cast5_setkey(void *, u_int8_t *, int); 75int aes_setkey(void *, u_int8_t *, int); 76int aes_ctr_setkey(void *, u_int8_t *, int); 77int aes_xts_setkey(void *, u_int8_t *, int); 78int null_setkey(void *, u_int8_t *, int); 79 80void des3_encrypt(caddr_t, u_int8_t *); 81void blf_encrypt(caddr_t, u_int8_t *); 82void cast5_encrypt(caddr_t, u_int8_t *); 83void aes_encrypt(caddr_t, u_int8_t *); 84void null_encrypt(caddr_t, u_int8_t *); 85void aes_xts_encrypt(caddr_t, u_int8_t *); 86 87void des3_decrypt(caddr_t, u_int8_t *); 88void blf_decrypt(caddr_t, u_int8_t *); 89void cast5_decrypt(caddr_t, u_int8_t *); 90void aes_decrypt(caddr_t, u_int8_t *); 91void null_decrypt(caddr_t, u_int8_t *); 92void aes_xts_decrypt(caddr_t, u_int8_t *); 93 94void aes_ctr_crypt(caddr_t, u_int8_t *); 95 96void aes_ctr_reinit(caddr_t, u_int8_t *); 97void aes_xts_reinit(caddr_t, u_int8_t *); 98void aes_gcm_reinit(caddr_t, u_int8_t *); 99 100int MD5Update_int(void *, const u_int8_t *, u_int16_t); 101int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 102int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 103int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 104int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 105int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 106 107u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 108u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 109 110struct aes_ctr_ctx { 111 AES_CTX ac_key; 112 u_int8_t ac_block[AESCTR_BLOCKSIZE]; 113}; 114 115struct aes_xts_ctx { 116 rijndael_ctx key1; 117 rijndael_ctx key2; 118 u_int8_t tweak[AES_XTS_BLOCKSIZE]; 119}; 120 121/* Helper */ 122void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int); 123 124/* Encryption instances */ 125const struct enc_xform enc_xform_3des = { 126 CRYPTO_3DES_CBC, "3DES", 127 8, 8, 24, 24, 384, 128 des3_encrypt, 129 des3_decrypt, 130 des3_setkey, 131 NULL 132}; 133 134const struct enc_xform enc_xform_blf = { 135 CRYPTO_BLF_CBC, "Blowfish", 136 8, 8, 5, 56 /* 448 bits, max key */, 137 sizeof(blf_ctx), 138 blf_encrypt, 139 blf_decrypt, 140 blf_setkey, 141 NULL 142}; 143 144const struct enc_xform enc_xform_cast5 = { 145 CRYPTO_CAST_CBC, "CAST-128", 146 8, 8, 5, 16, 147 sizeof(cast_key), 148 cast5_encrypt, 149 cast5_decrypt, 150 cast5_setkey, 151 NULL 152}; 153 154const struct enc_xform enc_xform_aes = { 155 CRYPTO_AES_CBC, "AES", 156 16, 16, 16, 32, 157 sizeof(AES_CTX), 158 aes_encrypt, 159 aes_decrypt, 160 aes_setkey, 161 NULL 162}; 163 164const struct enc_xform enc_xform_aes_ctr = { 165 CRYPTO_AES_CTR, "AES-CTR", 166 16, 8, 16+4, 32+4, 167 sizeof(struct aes_ctr_ctx), 168 aes_ctr_crypt, 169 aes_ctr_crypt, 170 aes_ctr_setkey, 171 aes_ctr_reinit 172}; 173 174const struct enc_xform enc_xform_aes_gcm = { 175 CRYPTO_AES_GCM_16, "AES-GCM", 176 1, 8, 16+4, 32+4, 177 sizeof(struct aes_ctr_ctx), 178 aes_ctr_crypt, 179 aes_ctr_crypt, 180 aes_ctr_setkey, 181 aes_gcm_reinit 182}; 183 184const struct enc_xform enc_xform_aes_gmac = { 185 CRYPTO_AES_GMAC, "AES-GMAC", 186 1, 8, 16+4, 32+4, 0, 187 NULL, 188 NULL, 189 NULL, 190 NULL 191}; 192 193const struct enc_xform enc_xform_aes_xts = { 194 CRYPTO_AES_XTS, "AES-XTS", 195 16, 8, 32, 64, 196 sizeof(struct aes_xts_ctx), 197 aes_xts_encrypt, 198 aes_xts_decrypt, 199 aes_xts_setkey, 200 aes_xts_reinit 201}; 202 203const struct enc_xform enc_xform_chacha20_poly1305 = { 204 CRYPTO_CHACHA20_POLY1305, "CHACHA20-POLY1305", 205 1, 8, 32+4, 32+4, 206 sizeof(struct chacha20_ctx), 207 chacha20_crypt, 208 chacha20_crypt, 209 chacha20_setkey, 210 chacha20_reinit 211}; 212 213const struct enc_xform enc_xform_null = { 214 CRYPTO_NULL, "NULL", 215 4, 0, 0, 256, 0, 216 null_encrypt, 217 null_decrypt, 218 null_setkey, 219 NULL 220}; 221 222/* Authentication instances */ 223const struct auth_hash auth_hash_hmac_md5_96 = { 224 CRYPTO_MD5_HMAC, "HMAC-MD5", 225 16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN, 226 (void (*) (void *)) MD5Init, NULL, NULL, 227 MD5Update_int, 228 (void (*) (u_int8_t *, void *)) MD5Final 229}; 230 231const struct auth_hash auth_hash_hmac_sha1_96 = { 232 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 233 20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN, 234 (void (*) (void *)) SHA1Init, NULL, NULL, 235 SHA1Update_int, 236 (void (*) (u_int8_t *, void *)) SHA1Final 237}; 238 239const struct auth_hash auth_hash_hmac_ripemd_160_96 = { 240 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 241 20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN, 242 (void (*)(void *)) RMD160Init, NULL, NULL, 243 RMD160Update_int, 244 (void (*)(u_int8_t *, void *)) RMD160Final 245}; 246 247const struct auth_hash auth_hash_hmac_sha2_256_128 = { 248 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 249 32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN, 250 (void (*)(void *)) SHA256Init, NULL, NULL, 251 SHA256Update_int, 252 (void (*)(u_int8_t *, void *)) SHA256Final 253}; 254 255const struct auth_hash auth_hash_hmac_sha2_384_192 = { 256 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 257 48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN, 258 (void (*)(void *)) SHA384Init, NULL, NULL, 259 SHA384Update_int, 260 (void (*)(u_int8_t *, void *)) SHA384Final 261}; 262 263const struct auth_hash auth_hash_hmac_sha2_512_256 = { 264 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 265 64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN, 266 (void (*)(void *)) SHA512Init, NULL, NULL, 267 SHA512Update_int, 268 (void (*)(u_int8_t *, void *)) SHA512Final 269}; 270 271const struct auth_hash auth_hash_gmac_aes_128 = { 272 CRYPTO_AES_128_GMAC, "GMAC-AES-128", 273 16+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), 274 AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, 275 AES_GMAC_Update, AES_GMAC_Final 276}; 277 278const struct auth_hash auth_hash_gmac_aes_192 = { 279 CRYPTO_AES_192_GMAC, "GMAC-AES-192", 280 24+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), 281 AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, 282 AES_GMAC_Update, AES_GMAC_Final 283}; 284 285const struct auth_hash auth_hash_gmac_aes_256 = { 286 CRYPTO_AES_256_GMAC, "GMAC-AES-256", 287 32+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), 288 AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, 289 AES_GMAC_Update, AES_GMAC_Final 290}; 291 292const struct auth_hash auth_hash_chacha20_poly1305 = { 293 CRYPTO_CHACHA20_POLY1305_MAC, "CHACHA20-POLY1305", 294 CHACHA20_KEYSIZE+CHACHA20_SALT, POLY1305_BLOCK_LEN, POLY1305_TAGLEN, 295 sizeof(CHACHA20_POLY1305_CTX), CHACHA20_BLOCK_LEN, 296 Chacha20_Poly1305_Init, Chacha20_Poly1305_Setkey, 297 Chacha20_Poly1305_Reinit, Chacha20_Poly1305_Update, 298 Chacha20_Poly1305_Final 299}; 300 301/* Compression instance */ 302const struct comp_algo comp_algo_deflate = { 303 CRYPTO_DEFLATE_COMP, "Deflate", 304 90, deflate_compress, 305 deflate_decompress 306}; 307 308/* 309 * Encryption wrapper routines. 310 */ 311void 312des3_encrypt(caddr_t key, u_int8_t *blk) 313{ 314 des_ecb3_encrypt(blk, blk, key, key + 128, key + 256, 1); 315} 316 317void 318des3_decrypt(caddr_t key, u_int8_t *blk) 319{ 320 des_ecb3_encrypt(blk, blk, key + 256, key + 128, key, 0); 321} 322 323int 324des3_setkey(void *sched, u_int8_t *key, int len) 325{ 326 if (des_set_key(key, sched) < 0 || des_set_key(key + 8, sched + 128) 327 < 0 || des_set_key(key + 16, sched + 256) < 0) 328 return -1; 329 330 return 0; 331} 332 333void 334blf_encrypt(caddr_t key, u_int8_t *blk) 335{ 336 blf_ecb_encrypt((blf_ctx *) key, blk, 8); 337} 338 339void 340blf_decrypt(caddr_t key, u_int8_t *blk) 341{ 342 blf_ecb_decrypt((blf_ctx *) key, blk, 8); 343} 344 345int 346blf_setkey(void *sched, u_int8_t *key, int len) 347{ 348 blf_key((blf_ctx *)sched, key, len); 349 350 return 0; 351} 352 353int 354null_setkey(void *sched, u_int8_t *key, int len) 355{ 356 return 0; 357} 358 359void 360null_encrypt(caddr_t key, u_int8_t *blk) 361{ 362} 363 364void 365null_decrypt(caddr_t key, u_int8_t *blk) 366{ 367} 368 369void 370cast5_encrypt(caddr_t key, u_int8_t *blk) 371{ 372 cast_encrypt((cast_key *) key, blk, blk); 373} 374 375void 376cast5_decrypt(caddr_t key, u_int8_t *blk) 377{ 378 cast_decrypt((cast_key *) key, blk, blk); 379} 380 381int 382cast5_setkey(void *sched, u_int8_t *key, int len) 383{ 384 cast_setkey((cast_key *)sched, key, len); 385 386 return 0; 387} 388 389void 390aes_encrypt(caddr_t key, u_int8_t *blk) 391{ 392 AES_Encrypt((AES_CTX *)key, blk, blk); 393} 394 395void 396aes_decrypt(caddr_t key, u_int8_t *blk) 397{ 398 AES_Decrypt((AES_CTX *)key, blk, blk); 399} 400 401int 402aes_setkey(void *sched, u_int8_t *key, int len) 403{ 404 return AES_Setkey((AES_CTX *)sched, key, len); 405} 406 407void 408aes_ctr_reinit(caddr_t key, u_int8_t *iv) 409{ 410 struct aes_ctr_ctx *ctx; 411 412 ctx = (struct aes_ctr_ctx *)key; 413 bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE); 414 415 /* reset counter */ 416 bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4); 417} 418 419void 420aes_gcm_reinit(caddr_t key, u_int8_t *iv) 421{ 422 struct aes_ctr_ctx *ctx; 423 424 ctx = (struct aes_ctr_ctx *)key; 425 bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE); 426 427 /* reset counter */ 428 bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4); 429 ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ 430} 431 432void 433aes_ctr_crypt(caddr_t key, u_int8_t *data) 434{ 435 struct aes_ctr_ctx *ctx; 436 u_int8_t keystream[AESCTR_BLOCKSIZE]; 437 int i; 438 439 ctx = (struct aes_ctr_ctx *)key; 440 /* increment counter */ 441 for (i = AESCTR_BLOCKSIZE - 1; 442 i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) 443 if (++ctx->ac_block[i]) /* continue on overflow */ 444 break; 445 AES_Encrypt(&ctx->ac_key, ctx->ac_block, keystream); 446 for (i = 0; i < AESCTR_BLOCKSIZE; i++) 447 data[i] ^= keystream[i]; 448 explicit_bzero(keystream, sizeof(keystream)); 449} 450 451int 452aes_ctr_setkey(void *sched, u_int8_t *key, int len) 453{ 454 struct aes_ctr_ctx *ctx; 455 456 if (len < AESCTR_NONCESIZE) 457 return -1; 458 459 ctx = (struct aes_ctr_ctx *)sched; 460 if (AES_Setkey(&ctx->ac_key, key, len - AESCTR_NONCESIZE) != 0) 461 return -1; 462 bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE); 463 return 0; 464} 465 466void 467aes_xts_reinit(caddr_t key, u_int8_t *iv) 468{ 469 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 470 u_int64_t blocknum; 471 u_int i; 472 473 /* 474 * Prepare tweak as E_k2(IV). IV is specified as LE representation 475 * of a 64-bit block number which we allow to be passed in directly. 476 */ 477 memcpy(&blocknum, iv, AES_XTS_IVSIZE); 478 for (i = 0; i < AES_XTS_IVSIZE; i++) { 479 ctx->tweak[i] = blocknum & 0xff; 480 blocknum >>= 8; 481 } 482 /* Last 64 bits of IV are always zero */ 483 bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); 484 485 rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); 486} 487 488void 489aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) 490{ 491 u_int8_t block[AES_XTS_BLOCKSIZE]; 492 u_int i, carry_in, carry_out; 493 494 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 495 block[i] = data[i] ^ ctx->tweak[i]; 496 497 if (do_encrypt) 498 rijndael_encrypt(&ctx->key1, block, data); 499 else 500 rijndael_decrypt(&ctx->key1, block, data); 501 502 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 503 data[i] ^= ctx->tweak[i]; 504 505 /* Exponentiate tweak */ 506 carry_in = 0; 507 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { 508 carry_out = ctx->tweak[i] & 0x80; 509 ctx->tweak[i] = (ctx->tweak[i] << 1) | carry_in; 510 carry_in = carry_out >> 7; 511 } 512 ctx->tweak[0] ^= (AES_XTS_ALPHA & -carry_in); 513 explicit_bzero(block, sizeof(block)); 514} 515 516void 517aes_xts_encrypt(caddr_t key, u_int8_t *data) 518{ 519 aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); 520} 521 522void 523aes_xts_decrypt(caddr_t key, u_int8_t *data) 524{ 525 aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); 526} 527 528int 529aes_xts_setkey(void *sched, u_int8_t *key, int len) 530{ 531 struct aes_xts_ctx *ctx; 532 533 if (len != 32 && len != 64) 534 return -1; 535 536 ctx = (struct aes_xts_ctx *)sched; 537 538 rijndael_set_key(&ctx->key1, key, len * 4); 539 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 540 541 return 0; 542} 543 544/* 545 * And now for auth. 546 */ 547 548int 549RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 550{ 551 RMD160Update(ctx, buf, len); 552 return 0; 553} 554 555int 556MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 557{ 558 MD5Update(ctx, buf, len); 559 return 0; 560} 561 562int 563SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 564{ 565 SHA1Update(ctx, buf, len); 566 return 0; 567} 568 569int 570SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 571{ 572 SHA256Update(ctx, buf, len); 573 return 0; 574} 575 576int 577SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 578{ 579 SHA384Update(ctx, buf, len); 580 return 0; 581} 582 583int 584SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 585{ 586 SHA512Update(ctx, buf, len); 587 return 0; 588} 589 590 591u_int32_t deflate_global(u_int8_t *, u_int32_t, int, u_int8_t **); 592 593struct deflate_buf { 594 u_int8_t *out; 595 u_int32_t size; 596 int flag; 597}; 598 599/* 600 * And compression 601 */ 602 603u_int32_t 604deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 605{ 606 return deflate_global(data, size, 0, out); 607} 608 609u_int32_t 610deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out) 611{ 612 return deflate_global(data, size, 1, out); 613} 614