NetBSD/sys/dev/cgd_crypto.c

616 lines
16 KiB
C

/* $NetBSD: cgd_crypto.c,v 1.15 2017/01/02 14:28:29 alnsn Exp $ */
/*-
* Copyright (c) 2002 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Roland C. Dowdeswell.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Crypto Framework For cgd.c
*
* This framework is temporary and awaits a more complete
* kernel wide crypto implementation.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: cgd_crypto.c,v 1.15 2017/01/02 14:28:29 alnsn Exp $");
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
#include <dev/cgd_crypto.h>
#include <crypto/rijndael/rijndael-api-fst.h>
#include <crypto/des/des.h>
#include <crypto/blowfish/blowfish.h>
#ifdef DIAGNOSTIC
#define DIAGPANIC(x) panic x
#else
#define DIAGPANIC(x)
#endif
/*
* The general framework provides only one generic function.
* It takes the name of an algorith and returns a struct cryptfuncs *
* for it. It is up to the initialisation routines of the algorithm
* to check key size and block size.
*/
static cfunc_init cgd_cipher_aes_cbc_init;
static cfunc_destroy cgd_cipher_aes_cbc_destroy;
static cfunc_cipher cgd_cipher_aes_cbc;
static cfunc_cipher_prep cgd_cipher_aes_cbc_prep;
static cfunc_init cgd_cipher_aes_xts_init;
static cfunc_destroy cgd_cipher_aes_xts_destroy;
static cfunc_cipher cgd_cipher_aes_xts;
static cfunc_cipher_prep cgd_cipher_aes_xts_prep;
static cfunc_init cgd_cipher_3des_init;
static cfunc_destroy cgd_cipher_3des_destroy;
static cfunc_cipher cgd_cipher_3des_cbc;
static cfunc_cipher_prep cgd_cipher_3des_cbc_prep;
static cfunc_init cgd_cipher_bf_init;
static cfunc_destroy cgd_cipher_bf_destroy;
static cfunc_cipher cgd_cipher_bf_cbc;
static cfunc_cipher_prep cgd_cipher_bf_cbc_prep;
static const struct cryptfuncs cf[] = {
{
.cf_name = "aes-xts",
.cf_init = cgd_cipher_aes_xts_init,
.cf_destroy = cgd_cipher_aes_xts_destroy,
.cf_cipher = cgd_cipher_aes_xts,
.cf_cipher_prep = cgd_cipher_aes_xts_prep,
},
{
.cf_name = "aes-cbc",
.cf_init = cgd_cipher_aes_cbc_init,
.cf_destroy = cgd_cipher_aes_cbc_destroy,
.cf_cipher = cgd_cipher_aes_cbc,
.cf_cipher_prep = cgd_cipher_aes_cbc_prep,
},
{
.cf_name = "3des-cbc",
.cf_init = cgd_cipher_3des_init,
.cf_destroy = cgd_cipher_3des_destroy,
.cf_cipher = cgd_cipher_3des_cbc,
.cf_cipher_prep = cgd_cipher_3des_cbc_prep,
},
{
.cf_name = "blowfish-cbc",
.cf_init = cgd_cipher_bf_init,
.cf_destroy = cgd_cipher_bf_destroy,
.cf_cipher = cgd_cipher_bf_cbc,
.cf_cipher_prep = cgd_cipher_bf_cbc_prep,
},
};
const struct cryptfuncs *
cryptfuncs_find(const char *alg)
{
for (size_t i = 0; i < __arraycount(cf); i++)
if (strcmp(cf[i].cf_name, alg) == 0)
return &cf[i];
return NULL;
}
typedef void (*cipher_func)(void *, void *, const void *, size_t);
static void
cgd_cipher_uio(void *privdata, cipher_func cipher,
struct uio *dstuio, struct uio *srcuio);
/*
* cgd_cipher_uio takes a simple cbc or xts cipher and iterates
* it over two struct uio's. It presumes that the cipher function
* that is passed to it keeps the IV state between calls.
*
* We assume that the caller has ensured that each segment is evenly
* divisible by the block size, which for the cgd is a valid assumption.
* If we were to make this code more generic, we might need to take care
* of this case, either by issuing an error or copying the data.
*/
static void
cgd_cipher_uio(void *privdata, cipher_func cipher,
struct uio *dstuio, struct uio *srcuio)
{
const struct iovec *dst;
const struct iovec *src;
int dstnum;
int dstoff = 0;
int srcnum;
int srcoff = 0;
dst = dstuio->uio_iov;
dstnum = dstuio->uio_iovcnt;
src = srcuio->uio_iov;
srcnum = srcuio->uio_iovcnt;
for (;;) {
int l = MIN(dst->iov_len - dstoff, src->iov_len - srcoff);
u_int8_t *d = (u_int8_t *)dst->iov_base + dstoff;
const u_int8_t *s = (const u_int8_t *)src->iov_base + srcoff;
cipher(privdata, d, s, l);
dstoff += l;
srcoff += l;
/*
* We assume that {dst,src} == {dst,src}->iov_len,
* because it should not be possible for it not to be.
*/
if (dstoff == dst->iov_len) {
dstoff = 0;
dstnum--;
dst++;
}
if (srcoff == src->iov_len) {
srcoff = 0;
srcnum--;
src++;
}
if (!srcnum || !dstnum)
break;
}
}
/*
* AES Framework
*/
/*
* NOTE: we do not store the blocksize in here, because it is not
* variable [yet], we hardcode the blocksize to 16 (128 bits).
*/
struct aes_privdata {
keyInstance ap_enckey;
keyInstance ap_deckey;
};
struct aes_encdata {
keyInstance *ae_key; /* key for this direction */
u_int8_t ae_iv[CGD_AES_BLOCK_SIZE]; /* Initialization Vector */
};
static void *
cgd_cipher_aes_cbc_init(size_t keylen, const void *key, size_t *blocksize)
{
struct aes_privdata *ap;
if (!blocksize)
return NULL;
if (keylen != 128 && keylen != 192 && keylen != 256)
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 128;
if (*blocksize != 128)
return NULL;
ap = malloc(sizeof(*ap), M_DEVBUF, 0);
if (!ap)
return NULL;
rijndael_makeKey(&ap->ap_enckey, DIR_ENCRYPT, keylen, key);
rijndael_makeKey(&ap->ap_deckey, DIR_DECRYPT, keylen, key);
return ap;
}
static void
cgd_cipher_aes_cbc_destroy(void *data)
{
struct aes_privdata *apd = data;
explicit_memset(apd, 0, sizeof(*apd));
free(apd, M_DEVBUF);
}
static void
cgd_cipher_aes_cbc_prep(void *privdata, char *iv,
const char *blkno_buf, size_t blocksize, int dir)
{
struct aes_privdata *apd = privdata;
cipherInstance cipher;
int cipher_ok __diagused;
cipher_ok = rijndael_cipherInit(&cipher, MODE_CBC, NULL);
KASSERT(cipher_ok > 0);
rijndael_blockEncrypt(&cipher, &apd->ap_enckey,
blkno_buf, blocksize * 8, iv);
if (blocksize > CGD_AES_BLOCK_SIZE) {
(void)memmove(iv, iv + blocksize - CGD_AES_BLOCK_SIZE,
CGD_AES_BLOCK_SIZE);
}
}
static void
aes_cbc_enc_int(void *privdata, void *dst, const void *src, size_t len)
{
struct aes_encdata *ae = privdata;
cipherInstance cipher;
int cipher_ok __diagused;
cipher_ok = rijndael_cipherInit(&cipher, MODE_CBC, ae->ae_iv);
KASSERT(cipher_ok > 0);
rijndael_blockEncrypt(&cipher, ae->ae_key, src, len * 8, dst);
(void)memcpy(ae->ae_iv, (u_int8_t *)dst +
(len - CGD_AES_BLOCK_SIZE), CGD_AES_BLOCK_SIZE);
}
static void
aes_cbc_dec_int(void *privdata, void *dst, const void *src, size_t len)
{
struct aes_encdata *ae = privdata;
cipherInstance cipher;
int cipher_ok __diagused;
cipher_ok = rijndael_cipherInit(&cipher, MODE_CBC, ae->ae_iv);
KASSERT(cipher_ok > 0);
rijndael_blockDecrypt(&cipher, ae->ae_key, src, len * 8, dst);
(void)memcpy(ae->ae_iv, (const u_int8_t *)src +
(len - CGD_AES_BLOCK_SIZE), CGD_AES_BLOCK_SIZE);
}
static void
cgd_cipher_aes_cbc(void *privdata, struct uio *dstuio,
struct uio *srcuio, const void *iv, int dir)
{
struct aes_privdata *apd = privdata;
struct aes_encdata encd;
(void)memcpy(encd.ae_iv, iv, CGD_AES_BLOCK_SIZE);
switch (dir) {
case CGD_CIPHER_ENCRYPT:
encd.ae_key = &apd->ap_enckey;
cgd_cipher_uio(&encd, aes_cbc_enc_int, dstuio, srcuio);
break;
case CGD_CIPHER_DECRYPT:
encd.ae_key = &apd->ap_deckey;
cgd_cipher_uio(&encd, aes_cbc_dec_int, dstuio, srcuio);
break;
default:
DIAGPANIC(("%s: unrecognised direction %d", __func__, dir));
}
}
static void *
cgd_cipher_aes_xts_init(size_t keylen, const void *xtskey, size_t *blocksize)
{
struct aes_privdata *ap;
const char *key, *key2; /* XTS key is made of two AES keys. */
if (!blocksize)
return NULL;
if (keylen != 256 && keylen != 512)
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 128;
if (*blocksize != 128)
return NULL;
ap = malloc(2 * sizeof(*ap), M_DEVBUF, 0);
if (!ap)
return NULL;
keylen /= 2;
key = xtskey;
key2 = key + keylen / CHAR_BIT;
rijndael_makeKey(&ap[0].ap_enckey, DIR_ENCRYPT, keylen, key);
rijndael_makeKey(&ap[0].ap_deckey, DIR_DECRYPT, keylen, key);
rijndael_makeKey(&ap[1].ap_enckey, DIR_ENCRYPT, keylen, key2);
return ap;
}
static void
cgd_cipher_aes_xts_destroy(void *data)
{
struct aes_privdata *apd = data;
explicit_memset(apd, 0, 2 * sizeof(*apd));
free(apd, M_DEVBUF);
}
static void
cgd_cipher_aes_xts_prep(void *privdata, char *iv,
const char *blkno_buf, size_t blocksize, int dir)
{
struct aes_privdata *apd = privdata;
cipherInstance cipher;
int cipher_ok __diagused;
cipher_ok = rijndael_cipherInit(&cipher, MODE_ECB, NULL);
KASSERT(cipher_ok > 0);
rijndael_blockEncrypt(&cipher, &apd[1].ap_enckey,
blkno_buf, blocksize * 8, iv);
}
static void
aes_xts_enc_int(void *privdata, void *dst, const void *src, size_t len)
{
struct aes_encdata *ae = privdata;
cipherInstance cipher;
int cipher_ok __diagused;
cipher_ok = rijndael_cipherInit(&cipher, MODE_XTS, ae->ae_iv);
KASSERT(cipher_ok > 0);
rijndael_blockEncrypt(&cipher, ae->ae_key, src, len * 8, dst);
(void)memcpy(ae->ae_iv, cipher.IV, CGD_AES_BLOCK_SIZE);
}
static void
aes_xts_dec_int(void *privdata, void *dst, const void *src, size_t len)
{
struct aes_encdata *ae = privdata;
cipherInstance cipher;
int cipher_ok __diagused;
cipher_ok = rijndael_cipherInit(&cipher, MODE_XTS, ae->ae_iv);
KASSERT(cipher_ok > 0);
rijndael_blockDecrypt(&cipher, ae->ae_key, src, len * 8, dst);
(void)memcpy(ae->ae_iv, cipher.IV, CGD_AES_BLOCK_SIZE);
}
static void
cgd_cipher_aes_xts(void *privdata, struct uio *dstuio,
struct uio *srcuio, const void *iv, int dir)
{
struct aes_privdata *apd = privdata;
struct aes_encdata encd;
(void)memcpy(encd.ae_iv, iv, CGD_AES_BLOCK_SIZE);
switch (dir) {
case CGD_CIPHER_ENCRYPT:
encd.ae_key = &apd->ap_enckey;
cgd_cipher_uio(&encd, aes_xts_enc_int, dstuio, srcuio);
break;
case CGD_CIPHER_DECRYPT:
encd.ae_key = &apd->ap_deckey;
cgd_cipher_uio(&encd, aes_xts_dec_int, dstuio, srcuio);
break;
default:
DIAGPANIC(("%s: unrecognised direction %d", __func__, dir));
}
}
/*
* 3DES Framework
*/
struct c3des_privdata {
des_key_schedule cp_key1;
des_key_schedule cp_key2;
des_key_schedule cp_key3;
};
struct c3des_encdata {
des_key_schedule *ce_key1;
des_key_schedule *ce_key2;
des_key_schedule *ce_key3;
u_int8_t ce_iv[CGD_3DES_BLOCK_SIZE];
};
static void *
cgd_cipher_3des_init(size_t keylen, const void *key, size_t *blocksize)
{
struct c3des_privdata *cp;
int error = 0;
des_cblock *block;
if (!blocksize)
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 64;
if (keylen != (DES_KEY_SZ * 3 * 8) || *blocksize != 64)
return NULL;
cp = malloc(sizeof(*cp), M_DEVBUF, 0);
if (!cp)
return NULL;
block = __UNCONST(key);
error = des_key_sched(block, cp->cp_key1);
error |= des_key_sched(block + 1, cp->cp_key2);
error |= des_key_sched(block + 2, cp->cp_key3);
if (error) {
explicit_memset(cp, 0, sizeof(*cp));
free(cp, M_DEVBUF);
return NULL;
}
return cp;
}
static void
cgd_cipher_3des_destroy(void *data)
{
struct c3des_privdata *cp = data;
explicit_memset(cp, 0, sizeof(*cp));
free(cp, M_DEVBUF);
}
static void
cgd_cipher_3des_cbc_prep(void *privdata, char *iv,
const char *blkno_buf, size_t blocksize, int dir)
{
struct c3des_privdata *cp = privdata;
char zero_iv[CGD_3DES_BLOCK_SIZE];
memset(zero_iv, 0, sizeof(zero_iv));
des_ede3_cbc_encrypt(blkno_buf, iv, blocksize,
cp->cp_key1, cp->cp_key2, cp->cp_key3, (des_cblock *)zero_iv, 1);
if (blocksize > CGD_3DES_BLOCK_SIZE) {
(void)memmove(iv, iv + blocksize - CGD_3DES_BLOCK_SIZE,
CGD_3DES_BLOCK_SIZE);
}
}
static void
c3des_cbc_enc_int(void *privdata, void *dst, const void *src, size_t len)
{
struct c3des_encdata *ce = privdata;
des_ede3_cbc_encrypt(src, dst, len, *ce->ce_key1, *ce->ce_key2,
*ce->ce_key3, (des_cblock *)ce->ce_iv, 1);
(void)memcpy(ce->ce_iv, (const u_int8_t *)dst +
(len - CGD_3DES_BLOCK_SIZE), CGD_3DES_BLOCK_SIZE);
}
static void
c3des_cbc_dec_int(void *privdata, void *dst, const void *src, size_t len)
{
struct c3des_encdata *ce = privdata;
des_ede3_cbc_encrypt(src, dst, len, *ce->ce_key1, *ce->ce_key2,
*ce->ce_key3, (des_cblock *)ce->ce_iv, 0);
(void)memcpy(ce->ce_iv, (const u_int8_t *)src +
(len - CGD_3DES_BLOCK_SIZE), CGD_3DES_BLOCK_SIZE);
}
static void
cgd_cipher_3des_cbc(void *privdata, struct uio *dstuio,
struct uio *srcuio, const void *iv, int dir)
{
struct c3des_privdata *cp = privdata;
struct c3des_encdata ce;
(void)memcpy(ce.ce_iv, iv, CGD_3DES_BLOCK_SIZE);
ce.ce_key1 = &cp->cp_key1;
ce.ce_key2 = &cp->cp_key2;
ce.ce_key3 = &cp->cp_key3;
switch (dir) {
case CGD_CIPHER_ENCRYPT:
cgd_cipher_uio(&ce, c3des_cbc_enc_int, dstuio, srcuio);
break;
case CGD_CIPHER_DECRYPT:
cgd_cipher_uio(&ce, c3des_cbc_dec_int, dstuio, srcuio);
break;
default:
DIAGPANIC(("%s: unrecognised direction %d", __func__, dir));
}
}
/*
* Blowfish Framework
*/
struct bf_privdata {
BF_KEY bp_key;
};
struct bf_encdata {
BF_KEY *be_key;
u_int8_t be_iv[CGD_BF_BLOCK_SIZE];
};
static void *
cgd_cipher_bf_init(size_t keylen, const void *key, size_t *blocksize)
{
struct bf_privdata *bp;
if (!blocksize)
return NULL;
if (keylen < 40 || keylen > 448 || (keylen % 8 != 0))
return NULL;
if (*blocksize == (size_t)-1)
*blocksize = 64;
if (*blocksize != 64)
return NULL;
bp = malloc(sizeof(*bp), M_DEVBUF, 0);
if (!bp)
return NULL;
BF_set_key(&bp->bp_key, keylen / 8, key);
return bp;
}
static void
cgd_cipher_bf_destroy(void *data)
{
struct bf_privdata *bp = data;
explicit_memset(bp, 0, sizeof(*bp));
free(bp, M_DEVBUF);
}
static void
cgd_cipher_bf_cbc_prep(void *privdata, char *iv,
const char *blkno_buf, size_t blocksize, int dir)
{
struct bf_privdata *bp = privdata;
char zero_iv[CGD_BF_BLOCK_SIZE];
memset(zero_iv, 0, sizeof(zero_iv));
BF_cbc_encrypt(blkno_buf, iv, blocksize, &bp->bp_key, zero_iv, 1);
if (blocksize > CGD_BF_BLOCK_SIZE) {
(void)memmove(iv, iv + blocksize - CGD_BF_BLOCK_SIZE,
CGD_BF_BLOCK_SIZE);
}
}
static void
bf_cbc_enc_int(void *privdata, void *dst, const void *src, size_t len)
{
struct bf_encdata *be = privdata;
BF_cbc_encrypt(src, dst, len, be->be_key, be->be_iv, 1);
(void)memcpy(be->be_iv, (u_int8_t *)dst +
(len - CGD_BF_BLOCK_SIZE), CGD_BF_BLOCK_SIZE);
}
static void
bf_cbc_dec_int(void *privdata, void *dst, const void *src, size_t len)
{
struct bf_encdata *be = privdata;
BF_cbc_encrypt(src, dst, len, be->be_key, be->be_iv, 0);
(void)memcpy(be->be_iv, (const u_int8_t *)src +
(len - CGD_BF_BLOCK_SIZE), CGD_BF_BLOCK_SIZE);
}
static void
cgd_cipher_bf_cbc(void *privdata, struct uio *dstuio,
struct uio *srcuio, const void *iv, int dir)
{
struct bf_privdata *bp = privdata;
struct bf_encdata be;
(void)memcpy(be.be_iv, iv, CGD_BF_BLOCK_SIZE);
be.be_key = &bp->bp_key;
switch (dir) {
case CGD_CIPHER_ENCRYPT:
cgd_cipher_uio(&be, bf_cbc_enc_int, dstuio, srcuio);
break;
case CGD_CIPHER_DECRYPT:
cgd_cipher_uio(&be, bf_cbc_dec_int, dstuio, srcuio);
break;
default:
DIAGPANIC(("%s: unrecognised direction %d", __func__, dir));
}
}