1 /* $NetBSD: cgd_crypto.c,v 1.27 2020/07/25 22:14:35 riastradh Exp $ */
2 
3 /*-
4  * Copyright (c) 2002 The NetBSD Foundation, Inc.
5  * All rights reserved.
6  *
7  * This code is derived from software contributed to The NetBSD Foundation
8  * by Roland C. Dowdeswell.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 /*
33  *  Crypto Framework For cgd.c
34  *
35  *        This framework is temporary and awaits a more complete
36  *        kernel wide crypto implementation.
37  */
38 
39 #include <sys/cdefs.h>
40 __KERNEL_RCSID(0, "$NetBSD: cgd_crypto.c,v 1.27 2020/07/25 22:14:35 riastradh Exp $");
41 
42 #include <sys/param.h>
43 #include <sys/kmem.h>
44 #include <sys/systm.h>
45 
46 #include <dev/cgd_crypto.h>
47 
48 #include <crypto/adiantum/adiantum.h>
49 #include <crypto/aes/aes.h>
50 #include <crypto/aes/aes_cbc.h>
51 #include <crypto/aes/aes_xts.h>
52 #include <crypto/blowfish/blowfish.h>
53 #include <crypto/des/des.h>
54 
55 /*
56  * The general framework provides only one generic function.
57  * It takes the name of an algorithm and returns a struct cryptfuncs *
58  * for it.  It is up to the initialisation routines of the algorithm
59  * to check key size and block size.
60  */
61 
62 static cfunc_init             cgd_cipher_aes_cbc_init;
63 static cfunc_destroy                    cgd_cipher_aes_cbc_destroy;
64 static cfunc_cipher           cgd_cipher_aes_cbc;
65 
66 static cfunc_init             cgd_cipher_aes_xts_init;
67 static cfunc_destroy                    cgd_cipher_aes_xts_destroy;
68 static cfunc_cipher           cgd_cipher_aes_xts;
69 
70 static cfunc_init             cgd_cipher_3des_init;
71 static cfunc_destroy                    cgd_cipher_3des_destroy;
72 static cfunc_cipher           cgd_cipher_3des_cbc;
73 
74 static cfunc_init             cgd_cipher_bf_init;
75 static cfunc_destroy                    cgd_cipher_bf_destroy;
76 static cfunc_cipher           cgd_cipher_bf_cbc;
77 
78 static cfunc_init             cgd_cipher_adiantum_init;
79 static cfunc_destroy                    cgd_cipher_adiantum_destroy;
80 static cfunc_cipher           cgd_cipher_adiantum_crypt;
81 
82 static const struct cryptfuncs cf[] = {
83           {
84                     .cf_name  = "aes-xts",
85                     .cf_init  = cgd_cipher_aes_xts_init,
86                     .cf_destroy         = cgd_cipher_aes_xts_destroy,
87                     .cf_cipher          = cgd_cipher_aes_xts,
88           },
89           {
90                     .cf_name  = "aes-cbc",
91                     .cf_init  = cgd_cipher_aes_cbc_init,
92                     .cf_destroy         = cgd_cipher_aes_cbc_destroy,
93                     .cf_cipher          = cgd_cipher_aes_cbc,
94           },
95           {
96                     .cf_name  = "3des-cbc",
97                     .cf_init  = cgd_cipher_3des_init,
98                     .cf_destroy         = cgd_cipher_3des_destroy,
99                     .cf_cipher          = cgd_cipher_3des_cbc,
100           },
101           {
102                     .cf_name  = "blowfish-cbc",
103                     .cf_init  = cgd_cipher_bf_init,
104                     .cf_destroy         = cgd_cipher_bf_destroy,
105                     .cf_cipher          = cgd_cipher_bf_cbc,
106           },
107           {
108                     .cf_name  = "adiantum",
109                     .cf_init  = cgd_cipher_adiantum_init,
110                     .cf_destroy         = cgd_cipher_adiantum_destroy,
111                     .cf_cipher          = cgd_cipher_adiantum_crypt,
112           },
113 };
114 const struct cryptfuncs *
cryptfuncs_find(const char * alg)115 cryptfuncs_find(const char *alg)
116 {
117 
118           for (size_t i = 0; i < __arraycount(cf); i++)
119                     if (strcmp(cf[i].cf_name, alg) == 0)
120                               return &cf[i];
121 
122           return NULL;
123 }
124 
125 /*
126  *  AES Framework
127  */
128 
129 struct aes_privdata {
130           struct aesenc       ap_enckey;
131           struct aesdec       ap_deckey;
132           uint32_t  ap_nrounds;
133 };
134 
135 static void *
cgd_cipher_aes_cbc_init(size_t keylen,const void * key,size_t * blocksize)136 cgd_cipher_aes_cbc_init(size_t keylen, const void *key, size_t *blocksize)
137 {
138           struct    aes_privdata *ap;
139 
140           if (!blocksize)
141                     return NULL;
142           if (keylen != 128 && keylen != 192 && keylen != 256)
143                     return NULL;
144           if (*blocksize == (size_t)-1)
145                     *blocksize = 128;
146           if (*blocksize != 128)
147                     return NULL;
148           ap = kmem_zalloc(sizeof(*ap), KM_SLEEP);
149           switch (keylen) {
150           case 128:
151                     aes_setenckey128(&ap->ap_enckey, key);
152                     aes_setdeckey128(&ap->ap_deckey, key);
153                     ap->ap_nrounds = AES_128_NROUNDS;
154                     break;
155           case 192:
156                     aes_setenckey192(&ap->ap_enckey, key);
157                     aes_setdeckey192(&ap->ap_deckey, key);
158                     ap->ap_nrounds = AES_192_NROUNDS;
159                     break;
160           case 256:
161                     aes_setenckey256(&ap->ap_enckey, key);
162                     aes_setdeckey256(&ap->ap_deckey, key);
163                     ap->ap_nrounds = AES_256_NROUNDS;
164                     break;
165           }
166           return ap;
167 }
168 
169 static void
cgd_cipher_aes_cbc_destroy(void * data)170 cgd_cipher_aes_cbc_destroy(void *data)
171 {
172           struct aes_privdata *apd = data;
173 
174           explicit_memset(apd, 0, sizeof(*apd));
175           kmem_free(apd, sizeof(*apd));
176 }
177 
178 static void
cgd_cipher_aes_cbc(void * privdata,void * dst,const void * src,size_t nbytes,const void * blkno,int dir)179 cgd_cipher_aes_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
180     const void *blkno, int dir)
181 {
182           struct aes_privdata *apd = privdata;
183           uint8_t iv[CGD_AES_BLOCK_SIZE] __aligned(CGD_AES_BLOCK_SIZE) = {0};
184 
185           /* Compute the CBC IV as AES_k(blkno).  */
186           aes_enc(&apd->ap_enckey, blkno, iv, apd->ap_nrounds);
187 
188           switch (dir) {
189           case CGD_CIPHER_ENCRYPT:
190                     aes_cbc_enc(&apd->ap_enckey, src, dst, nbytes, iv,
191                         apd->ap_nrounds);
192                     break;
193           case CGD_CIPHER_DECRYPT:
194                     aes_cbc_dec(&apd->ap_deckey, src, dst, nbytes, iv,
195                         apd->ap_nrounds);
196                     break;
197           default:
198                     panic("%s: unrecognised direction %d", __func__, dir);
199           }
200 }
201 
202 /*
203  * AES-XTS
204  */
205 
206 struct aesxts {
207           struct aesenc       ax_enckey;
208           struct aesdec       ax_deckey;
209           struct aesenc       ax_tweakkey;
210           uint32_t  ax_nrounds;
211 };
212 
213 static void *
cgd_cipher_aes_xts_init(size_t keylen,const void * xtskey,size_t * blocksize)214 cgd_cipher_aes_xts_init(size_t keylen, const void *xtskey, size_t *blocksize)
215 {
216           struct aesxts *ax;
217           const char *key, *key2; /* XTS key is made of two AES keys. */
218 
219           if (!blocksize)
220                     return NULL;
221           if (keylen != 256 && keylen != 512)
222                     return NULL;
223           if (*blocksize == (size_t)-1)
224                     *blocksize = 128;
225           if (*blocksize != 128)
226                     return NULL;
227 
228           ax = kmem_zalloc(sizeof(*ax), KM_SLEEP);
229           keylen /= 2;
230           key = xtskey;
231           key2 = key + keylen / CHAR_BIT;
232 
233           switch (keylen) {
234           case 128:
235                     aes_setenckey128(&ax->ax_enckey, key);
236                     aes_setdeckey128(&ax->ax_deckey, key);
237                     aes_setenckey128(&ax->ax_tweakkey, key2);
238                     ax->ax_nrounds = AES_128_NROUNDS;
239                     break;
240           case 256:
241                     aes_setenckey256(&ax->ax_enckey, key);
242                     aes_setdeckey256(&ax->ax_deckey, key);
243                     aes_setenckey256(&ax->ax_tweakkey, key2);
244                     ax->ax_nrounds = AES_256_NROUNDS;
245                     break;
246           }
247 
248           return ax;
249 }
250 
251 static void
cgd_cipher_aes_xts_destroy(void * cookie)252 cgd_cipher_aes_xts_destroy(void *cookie)
253 {
254           struct aesxts *ax = cookie;
255 
256           explicit_memset(ax, 0, sizeof(*ax));
257           kmem_free(ax, sizeof(*ax));
258 }
259 
260 static void
cgd_cipher_aes_xts(void * cookie,void * dst,const void * src,size_t nbytes,const void * blkno,int dir)261 cgd_cipher_aes_xts(void *cookie, void *dst, const void *src, size_t nbytes,
262     const void *blkno, int dir)
263 {
264           struct aesxts *ax = cookie;
265           uint8_t tweak[CGD_AES_BLOCK_SIZE];
266 
267           /* Compute the initial tweak as AES_k(blkno).  */
268           aes_enc(&ax->ax_tweakkey, blkno, tweak, ax->ax_nrounds);
269 
270           switch (dir) {
271           case CGD_CIPHER_ENCRYPT:
272                     aes_xts_enc(&ax->ax_enckey, src, dst, nbytes, tweak,
273                         ax->ax_nrounds);
274                     break;
275           case CGD_CIPHER_DECRYPT:
276                     aes_xts_dec(&ax->ax_deckey, src, dst, nbytes, tweak,
277                         ax->ax_nrounds);
278                     break;
279           default:
280                     panic("%s: unrecognised direction %d", __func__, dir);
281           }
282 }
283 
284 /*
285  * 3DES Framework
286  */
287 
288 struct c3des_privdata {
289           des_key_schedule    cp_key1;
290           des_key_schedule    cp_key2;
291           des_key_schedule    cp_key3;
292 };
293 
294 static void *
cgd_cipher_3des_init(size_t keylen,const void * key,size_t * blocksize)295 cgd_cipher_3des_init(size_t keylen, const void *key, size_t *blocksize)
296 {
297           struct    c3des_privdata *cp;
298           int       error = 0;
299           des_cblock *block;
300 
301           if (!blocksize)
302                     return NULL;
303           if (*blocksize == (size_t)-1)
304                     *blocksize = 64;
305           if (keylen != (DES_KEY_SZ * 3 * 8) || *blocksize != 64)
306                     return NULL;
307           cp = kmem_zalloc(sizeof(*cp), KM_SLEEP);
308           block = __UNCONST(key);
309           error  = des_key_sched(block, cp->cp_key1);
310           error |= des_key_sched(block + 1, cp->cp_key2);
311           error |= des_key_sched(block + 2, cp->cp_key3);
312           if (error) {
313                     explicit_memset(cp, 0, sizeof(*cp));
314                     kmem_free(cp, sizeof(*cp));
315                     return NULL;
316           }
317           return cp;
318 }
319 
320 static void
cgd_cipher_3des_destroy(void * data)321 cgd_cipher_3des_destroy(void *data)
322 {
323           struct c3des_privdata *cp = data;
324 
325           explicit_memset(cp, 0, sizeof(*cp));
326           kmem_free(cp, sizeof(*cp));
327 }
328 
329 static void
cgd_cipher_3des_cbc(void * privdata,void * dst,const void * src,size_t nbytes,const void * blkno,int dir)330 cgd_cipher_3des_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
331     const void *blkno, int dir)
332 {
333           struct    c3des_privdata *cp = privdata;
334           des_cblock zero;
335           uint8_t iv[CGD_3DES_BLOCK_SIZE];
336 
337           /* Compute the CBC IV as 3DES_k(blkno) = 3DES-CBC_k(iv=blkno, 0).  */
338           memset(&zero, 0, sizeof(zero));
339           des_ede3_cbc_encrypt(blkno, iv, CGD_3DES_BLOCK_SIZE,
340               cp->cp_key1, cp->cp_key2, cp->cp_key3, &zero, /*encrypt*/1);
341 
342           switch (dir) {
343           case CGD_CIPHER_ENCRYPT:
344                     des_ede3_cbc_encrypt(src, dst, nbytes,
345                         cp->cp_key1, cp->cp_key2, cp->cp_key3,
346                         (des_cblock *)iv, /*encrypt*/1);
347                     break;
348           case CGD_CIPHER_DECRYPT:
349                     des_ede3_cbc_encrypt(src, dst, nbytes,
350                         cp->cp_key1, cp->cp_key2, cp->cp_key3,
351                         (des_cblock *)iv, /*encrypt*/0);
352                     break;
353           default:
354                     panic("%s: unrecognised direction %d", __func__, dir);
355           }
356 }
357 
358 /*
359  * Blowfish Framework
360  */
361 
362 struct bf_privdata {
363           BF_KEY    bp_key;
364 };
365 
366 struct bf_encdata {
367           BF_KEY              *be_key;
368           uint8_t              be_iv[CGD_BF_BLOCK_SIZE];
369 };
370 
371 static void *
cgd_cipher_bf_init(size_t keylen,const void * key,size_t * blocksize)372 cgd_cipher_bf_init(size_t keylen, const void *key, size_t *blocksize)
373 {
374           struct    bf_privdata *bp;
375 
376           if (!blocksize)
377                     return NULL;
378           if (keylen < 40 || keylen > 448 || (keylen % 8 != 0))
379                     return NULL;
380           if (*blocksize == (size_t)-1)
381                     *blocksize = 64;
382           if (*blocksize != 64)
383                     return NULL;
384           bp = kmem_zalloc(sizeof(*bp), KM_SLEEP);
385           if (!bp)
386                     return NULL;
387           BF_set_key(&bp->bp_key, keylen / 8, key);
388           return bp;
389 }
390 
391 static void
cgd_cipher_bf_destroy(void * data)392 cgd_cipher_bf_destroy(void *data)
393 {
394           struct    bf_privdata *bp = data;
395 
396           explicit_memset(bp, 0, sizeof(*bp));
397           kmem_free(bp, sizeof(*bp));
398 }
399 
400 static void
cgd_cipher_bf_cbc(void * privdata,void * dst,const void * src,size_t nbytes,const void * blkno,int dir)401 cgd_cipher_bf_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
402     const void *blkno, int dir)
403 {
404           struct    bf_privdata *bp = privdata;
405           uint8_t zero[CGD_BF_BLOCK_SIZE], iv[CGD_BF_BLOCK_SIZE];
406 
407           /* Compute the CBC IV as Blowfish_k(blkno) = BF_CBC_k(blkno, 0).  */
408           memset(zero, 0, sizeof(zero));
409           BF_cbc_encrypt(blkno, iv, CGD_BF_BLOCK_SIZE, &bp->bp_key, zero,
410               /*encrypt*/1);
411 
412           switch (dir) {
413           case CGD_CIPHER_ENCRYPT:
414                     BF_cbc_encrypt(src, dst, nbytes, &bp->bp_key, iv,
415                         /*encrypt*/1);
416                     break;
417           case CGD_CIPHER_DECRYPT:
418                     BF_cbc_encrypt(src, dst, nbytes, &bp->bp_key, iv,
419                         /*encrypt*/0);
420                     break;
421           default:
422                     panic("%s: unrecognised direction %d", __func__, dir);
423           }
424 }
425 
426 /*
427  * Adiantum
428  */
429 
430 static void *
cgd_cipher_adiantum_init(size_t keylen,const void * key,size_t * blocksize)431 cgd_cipher_adiantum_init(size_t keylen, const void *key, size_t *blocksize)
432 {
433           struct adiantum *A;
434 
435           if (!blocksize)
436                     return NULL;
437           if (keylen != 256)
438                     return NULL;
439           if (*blocksize == (size_t)-1)
440                     *blocksize = 128;
441           if (*blocksize != 128)
442                     return NULL;
443 
444           A = kmem_zalloc(sizeof(*A), KM_SLEEP);
445           adiantum_init(A, key);
446 
447           return A;
448 }
449 
450 static void
cgd_cipher_adiantum_destroy(void * cookie)451 cgd_cipher_adiantum_destroy(void *cookie)
452 {
453           struct adiantum *A = cookie;
454 
455           explicit_memset(A, 0, sizeof(*A));
456           kmem_free(A, sizeof(*A));
457 }
458 
459 static void
cgd_cipher_adiantum_crypt(void * cookie,void * dst,const void * src,size_t nbytes,const void * blkno,int dir)460 cgd_cipher_adiantum_crypt(void *cookie, void *dst, const void *src,
461     size_t nbytes, const void *blkno, int dir)
462 {
463           /*
464            * Treat the block number as a 128-bit block.  This is more
465            * than twice as big as the largest number of reasonable
466            * blocks, but it doesn't hurt (it would be rounded up to a
467            * 128-bit input anyway).
468            */
469           const unsigned tweaklen = 16;
470           struct adiantum *A = cookie;
471 
472           switch (dir) {
473           case CGD_CIPHER_ENCRYPT:
474                     adiantum_enc(dst, src, nbytes, blkno, tweaklen, A);
475                     break;
476           case CGD_CIPHER_DECRYPT:
477                     adiantum_dec(dst, src, nbytes, blkno, tweaklen, A);
478                     break;
479           default:
480                     panic("%s: unrecognised direction %d", __func__, dir);
481           }
482 }
483