Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
11e94a8068
NetBSD/sys/dev/cgd_crypto.c
riastradh 04a6492d1e New cgd cipher adiantum. 
Adiantum is a wide-block cipher, built out of AES, XChaCha12,
Poly1305, and NH, defined in

   Paul Crowley and Eric Biggers, `Adiantum: length-preserving
   encryption for entry-level processors', IACR Transactions on
   Symmetric Cryptology 2018(4), pp. 39--61.

Adiantum provides better security than a narrow-block cipher with CBC
or XTS, because every bit of each sector affects every other bit,
whereas with CBC each block of plaintext only affects the following
blocks of ciphertext in the disk sector, and with XTS each block of
plaintext only affects its own block of ciphertext and nothing else.

Adiantum generally provides much better performance than
constant-time AES-CBC or AES-XTS software do without hardware
support, and performance comparable to or better than the
variable-time (i.e., leaky) AES-CBC and AES-XTS software we had
before.  (Note: Adiantum also uses AES as a subroutine, but only once
per disk sector.  It takes only a small fraction of the time spent by
Adiantum, so there's relatively little performance impact to using
constant-time AES software over using variable-time AES software for
it.)

Adiantum naturally scales to essentially arbitrary disk sector sizes;
sizes >=1024-bytes take the most advantage of Adiantum's design for
performance, so 4096-byte sectors would be a natural choice if we
taught cgd to change the disk sector size.  (However, it's a
different cipher for each disk sector size, so it _must_ be a cgd
parameter.)

The paper presents a similar construction HPolyC.  The salient
difference is that HPolyC uses Poly1305 directly, whereas Adiantum
uses Poly1395(NH(...)).  NH is annoying because it requires a
1072-byte key, which means the test vectors are ginormous, and
changing keys is costly; HPolyC avoids these shortcomings by using
Poly1305 directly, but HPolyC is measurably slower, costing about
1.5x what Adiantum costs on 4096-byte sectors.

For the purposes of cgd, we will reuse each key for many messages,
and there will be very few keys in total (one per cgd volume) so --
except for the annoying verbosity of test vectors -- the tradeoff
weighs in the favour of Adiantum, especially if we teach cgd to do
>>512-byte sectors.

For now, everything that Adiantum needs beyond what's already in the
kernel is gathered into a single file, including NH, Poly1305, and
XChaCha12.  We can split those out -- and reuse them, and provide MD
tuned implementations, and so on -- as needed; this is just a first
pass to get Adiantum implemented for experimentation.
2020-06-29 23:44:01 +00:00

481 lines
12 KiB
C
Raw Blame History

/* $NetBSD: cgd_crypto.c,v 1.26 2020/06/29 23:44:01 riastradh Exp $ */
/*-
* Copyright (c) 2002 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Roland C. Dowdeswell.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Crypto Framework For cgd.c
*
* This framework is temporary and awaits a more complete
* kernel wide crypto implementation.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: cgd_crypto.c,v 1.26 2020/06/29 23:44:01 riastradh Exp $");
#include <sys/param.h>
#include <sys/kmem.h>
#include <sys/systm.h>
#include <dev/cgd_crypto.h>
#include <crypto/adiantum/adiantum.h>
#include <crypto/aes/aes.h>
#include <crypto/blowfish/blowfish.h>
#include <crypto/des/des.h>
/*
* The general framework provides only one generic function.
* It takes the name of an algorithm and returns a struct cryptfuncs *
* for it. It is up to the initialisation routines of the algorithm
* to check key size and block size.
*/
static cfunc_init cgd_cipher_aes_cbc_init;
static cfunc_destroy cgd_cipher_aes_cbc_destroy;
static cfunc_cipher cgd_cipher_aes_cbc;
static cfunc_init cgd_cipher_aes_xts_init;
static cfunc_destroy cgd_cipher_aes_xts_destroy;
static cfunc_cipher cgd_cipher_aes_xts;
static cfunc_init cgd_cipher_3des_init;
static cfunc_destroy cgd_cipher_3des_destroy;
static cfunc_cipher cgd_cipher_3des_cbc;
static cfunc_init cgd_cipher_bf_init;
static cfunc_destroy cgd_cipher_bf_destroy;
static cfunc_cipher cgd_cipher_bf_cbc;
static cfunc_init cgd_cipher_adiantum_init;
static cfunc_destroy cgd_cipher_adiantum_destroy;
static cfunc_cipher cgd_cipher_adiantum_crypt;
static const struct cryptfuncs cf[] = {
{
.cf_name = "aes-xts",
.cf_init = cgd_cipher_aes_xts_init,
.cf_destroy = cgd_cipher_aes_xts_destroy,
.cf_cipher = cgd_cipher_aes_xts,
},
{
.cf_name = "aes-cbc",
.cf_init = cgd_cipher_aes_cbc_init,
.cf_destroy = cgd_cipher_aes_cbc_destroy,
.cf_cipher = cgd_cipher_aes_cbc,
},
{
.cf_name = "3des-cbc",
.cf_init = cgd_cipher_3des_init,
.cf_destroy = cgd_cipher_3des_destroy,
.cf_cipher = cgd_cipher_3des_cbc,
},
{
.cf_name = "blowfish-cbc",
.cf_init = cgd_cipher_bf_init,
.cf_destroy = cgd_cipher_bf_destroy,
.cf_cipher = cgd_cipher_bf_cbc,
},
{
.cf_name = "adiantum",
.cf_init = cgd_cipher_adiantum_init,
.cf_destroy = cgd_cipher_adiantum_destroy,
.cf_cipher = cgd_cipher_adiantum_crypt,
},
};
const struct cryptfuncs *
cryptfuncs_find(const char *alg)
{
for (size_t i = 0; i < __arraycount(cf); i++)
if (strcmp(cf[i].cf_name, alg) == 0)
return &cf[i];
return NULL;
}
/*
* AES Framework
*/
struct aes_privdata {
struct aesenc ap_enckey;
struct aesdec ap_deckey;
uint32_t ap_nrounds;
};
static void *
cgd_cipher_aes_cbc_init(size_t keylen, const void *key, size_t *blocksize)
{
struct aes_privdata *ap;
if (!blocksize)
return NULL;
if (keylen != 128 && keylen != 192 && keylen != 256)
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 128;
if (*blocksize != 128)
return NULL;
ap = kmem_zalloc(sizeof(*ap), KM_SLEEP);
switch (keylen) {
case 128:
aes_setenckey128(&ap->ap_enckey, key);
aes_setdeckey128(&ap->ap_deckey, key);
ap->ap_nrounds = AES_128_NROUNDS;
break;
case 192:
aes_setenckey192(&ap->ap_enckey, key);
aes_setdeckey192(&ap->ap_deckey, key);
ap->ap_nrounds = AES_192_NROUNDS;
break;
case 256:
aes_setenckey256(&ap->ap_enckey, key);
aes_setdeckey256(&ap->ap_deckey, key);
ap->ap_nrounds = AES_256_NROUNDS;
break;
}
return ap;
}
static void
cgd_cipher_aes_cbc_destroy(void *data)
{
struct aes_privdata *apd = data;
explicit_memset(apd, 0, sizeof(*apd));
kmem_free(apd, sizeof(*apd));
}
static void
cgd_cipher_aes_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
const void *blkno, int dir)
{
struct aes_privdata *apd = privdata;
uint8_t iv[CGD_AES_BLOCK_SIZE] __aligned(CGD_AES_BLOCK_SIZE) = {0};
/* Compute the CBC IV as AES_k(blkno). */
aes_enc(&apd->ap_enckey, blkno, iv, apd->ap_nrounds);
switch (dir) {
case CGD_CIPHER_ENCRYPT:
aes_cbc_enc(&apd->ap_enckey, src, dst, nbytes, iv,
apd->ap_nrounds);
break;
case CGD_CIPHER_DECRYPT:
aes_cbc_dec(&apd->ap_deckey, src, dst, nbytes, iv,
apd->ap_nrounds);
break;
default:
panic("%s: unrecognised direction %d", __func__, dir);
}
}
/*
* AES-XTS
*/
struct aesxts {
struct aesenc ax_enckey;
struct aesdec ax_deckey;
struct aesenc ax_tweakkey;
uint32_t ax_nrounds;
};
static void *
cgd_cipher_aes_xts_init(size_t keylen, const void *xtskey, size_t *blocksize)
{
struct aesxts *ax;
const char *key, *key2; /* XTS key is made of two AES keys. */
if (!blocksize)
return NULL;
if (keylen != 256 && keylen != 512)
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 128;
if (*blocksize != 128)
return NULL;
ax = kmem_zalloc(sizeof(*ax), KM_SLEEP);
keylen /= 2;
key = xtskey;
key2 = key + keylen / CHAR_BIT;
switch (keylen) {
case 128:
aes_setenckey128(&ax->ax_enckey, key);
aes_setdeckey128(&ax->ax_deckey, key);
aes_setenckey128(&ax->ax_tweakkey, key2);
ax->ax_nrounds = AES_128_NROUNDS;
break;
case 256:
aes_setenckey256(&ax->ax_enckey, key);
aes_setdeckey256(&ax->ax_deckey, key);
aes_setenckey256(&ax->ax_tweakkey, key2);
ax->ax_nrounds = AES_256_NROUNDS;
break;
}
return ax;
}
static void
cgd_cipher_aes_xts_destroy(void *cookie)
{
struct aesxts *ax = cookie;
explicit_memset(ax, 0, sizeof(*ax));
kmem_free(ax, sizeof(*ax));
}
static void
cgd_cipher_aes_xts(void *cookie, void *dst, const void *src, size_t nbytes,
const void *blkno, int dir)
{
struct aesxts *ax = cookie;
uint8_t tweak[CGD_AES_BLOCK_SIZE];
/* Compute the initial tweak as AES_k(blkno). */
aes_enc(&ax->ax_tweakkey, blkno, tweak, ax->ax_nrounds);
switch (dir) {
case CGD_CIPHER_ENCRYPT:
aes_xts_enc(&ax->ax_enckey, src, dst, nbytes, tweak,
ax->ax_nrounds);
break;
case CGD_CIPHER_DECRYPT:
aes_xts_dec(&ax->ax_deckey, src, dst, nbytes, tweak,
ax->ax_nrounds);
break;
default:
panic("%s: unrecognised direction %d", __func__, dir);
}
}
/*
* 3DES Framework
*/
struct c3des_privdata {
des_key_schedule cp_key1;
des_key_schedule cp_key2;
des_key_schedule cp_key3;
};
static void *
cgd_cipher_3des_init(size_t keylen, const void *key, size_t *blocksize)
{
struct c3des_privdata *cp;
int error = 0;
des_cblock *block;
if (!blocksize)
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 64;
if (keylen != (DES_KEY_SZ * 3 * 8) || *blocksize != 64)
return NULL;
cp = kmem_zalloc(sizeof(*cp), KM_SLEEP);
block = __UNCONST(key);
error = des_key_sched(block, cp->cp_key1);
error |= des_key_sched(block + 1, cp->cp_key2);
error |= des_key_sched(block + 2, cp->cp_key3);
if (error) {
explicit_memset(cp, 0, sizeof(*cp));
kmem_free(cp, sizeof(*cp));
return NULL;
}
return cp;
}
static void
cgd_cipher_3des_destroy(void *data)
{
struct c3des_privdata *cp = data;
explicit_memset(cp, 0, sizeof(*cp));
kmem_free(cp, sizeof(*cp));
}
static void
cgd_cipher_3des_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
const void *blkno, int dir)
{
struct c3des_privdata *cp = privdata;
des_cblock zero;
uint8_t iv[CGD_3DES_BLOCK_SIZE];
/* Compute the CBC IV as 3DES_k(blkno) = 3DES-CBC_k(iv=blkno, 0). */
memset(&zero, 0, sizeof(zero));
des_ede3_cbc_encrypt(blkno, iv, CGD_3DES_BLOCK_SIZE,
cp->cp_key1, cp->cp_key2, cp->cp_key3, &zero, /*encrypt*/1);
switch (dir) {
case CGD_CIPHER_ENCRYPT:
des_ede3_cbc_encrypt(src, dst, nbytes,
cp->cp_key1, cp->cp_key2, cp->cp_key3,
(des_cblock *)iv, /*encrypt*/1);
break;
case CGD_CIPHER_DECRYPT:
des_ede3_cbc_encrypt(src, dst, nbytes,
cp->cp_key1, cp->cp_key2, cp->cp_key3,
(des_cblock *)iv, /*encrypt*/0);
break;
default:
panic("%s: unrecognised direction %d", __func__, dir);
}
}
/*
* Blowfish Framework
*/
struct bf_privdata {
BF_KEY bp_key;
};
struct bf_encdata {
BF_KEY *be_key;
uint8_t be_iv[CGD_BF_BLOCK_SIZE];
};
static void *
cgd_cipher_bf_init(size_t keylen, const void *key, size_t *blocksize)
{
struct bf_privdata *bp;
if (!blocksize)
return NULL;
if (keylen < 40 || keylen > 448 || (keylen % 8 != 0))
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 64;
if (*blocksize != 64)
return NULL;
bp = kmem_zalloc(sizeof(*bp), KM_SLEEP);
if (!bp)
return NULL;
BF_set_key(&bp->bp_key, keylen / 8, key);
return bp;
}
static void
cgd_cipher_bf_destroy(void *data)
{
struct bf_privdata *bp = data;
explicit_memset(bp, 0, sizeof(*bp));
kmem_free(bp, sizeof(*bp));
}
static void
cgd_cipher_bf_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
const void *blkno, int dir)
{
struct bf_privdata *bp = privdata;
uint8_t zero[CGD_BF_BLOCK_SIZE], iv[CGD_BF_BLOCK_SIZE];
/* Compute the CBC IV as Blowfish_k(blkno) = BF_CBC_k(blkno, 0). */
memset(zero, 0, sizeof(zero));
BF_cbc_encrypt(blkno, iv, CGD_BF_BLOCK_SIZE, &bp->bp_key, zero,
/*encrypt*/1);
switch (dir) {
case CGD_CIPHER_ENCRYPT:
BF_cbc_encrypt(src, dst, nbytes, &bp->bp_key, iv,
/*encrypt*/1);
break;
case CGD_CIPHER_DECRYPT:
BF_cbc_encrypt(src, dst, nbytes, &bp->bp_key, iv,
/*encrypt*/0);
break;
default:
panic("%s: unrecognised direction %d", __func__, dir);
}
}
/*
* Adiantum
*/
static void *
cgd_cipher_adiantum_init(size_t keylen, const void *key, size_t *blocksize)
{
struct adiantum *A;
if (!blocksize)
return NULL;
if (keylen != 256)
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 128;
if (*blocksize != 128)
return NULL;
A = kmem_zalloc(sizeof(*A), KM_SLEEP);
adiantum_init(A, key);
return A;
}
static void
cgd_cipher_adiantum_destroy(void *cookie)
{
struct adiantum *A = cookie;
explicit_memset(A, 0, sizeof(*A));
kmem_free(A, sizeof(*A));
}
static void
cgd_cipher_adiantum_crypt(void *cookie, void *dst, const void *src,
size_t nbytes, const void *blkno, int dir)
{
/*
* Treat the block number as a 128-bit block. This is more
* than twice as big as the largest number of reasonable
* blocks, but it doesn't hurt (it would be rounded up to a
* 128-bit input anyway).
*/
const unsigned tweaklen = 16;
struct adiantum *A = cookie;
switch (dir) {
case CGD_CIPHER_ENCRYPT:
adiantum_enc(dst, src, nbytes, blkno, tweaklen, A);
break;
case CGD_CIPHER_DECRYPT:
adiantum_dec(dst, src, nbytes, blkno, tweaklen, A);
break;
default:
panic("%s: unrecognised direction %d", __func__, dir);
}
}
Reference in New Issue View Git Blame Copy Permalink