/* $NetBSD: aes_impl.c,v 1.10 2022/11/05 17:36:33 jmcneill Exp $ */

/* $NetBSD: aes_impl.c,v 1.10 2022/11/05 17:36:33 jmcneill Exp $ */

/*-
* Copyright (c) 2020 The NetBSD Foundation, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: aes_impl.c,v 1.10 2022/11/05 17:36:33 jmcneill Exp $");

#include <sys/types.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/once.h>
#include <sys/sysctl.h>
#include <sys/systm.h>

#include <crypto/aes/aes.h>
#include <crypto/aes/aes_cbc.h>
#include <crypto/aes/aes_bear.h> /* default implementation */
#include <crypto/aes/aes_impl.h>
#include <crypto/aes/aes_xts.h>

static int aes_selftest_stdkeysched(void);

static const struct aes_impl *aes_md_impl __read_mostly;
static const struct aes_impl *aes_impl __read_mostly;

static int
sysctl_kern_crypto_aes_selected(SYSCTLFN_ARGS)
{
struct sysctlnode node;

KASSERTMSG(aes_impl != NULL,
"sysctl ran before AES implementation was selected");

node = *rnode;
node.sysctl_data = __UNCONST(aes_impl->ai_name);
node.sysctl_size = strlen(aes_impl->ai_name) + 1;
return sysctl_lookup(SYSCTLFN_CALL(&node));
}

SYSCTL_SETUP(sysctl_kern_crypto_aes_setup, "sysctl kern.crypto.aes setup")
{
const struct sysctlnode *cnode;
const struct sysctlnode *aes_node;

sysctl_createv(clog, 0, NULL, &cnode, 0, CTLTYPE_NODE, "crypto",
SYSCTL_DESCR("Kernel cryptography"),
NULL, 0, NULL, 0,
CTL_KERN, CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &cnode, &aes_node, 0, CTLTYPE_NODE, "aes",
SYSCTL_DESCR("AES -- Advanced Encryption Standard"),
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &aes_node, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READONLY, CTLTYPE_STRING, "selected",
SYSCTL_DESCR("Selected AES implementation"),
sysctl_kern_crypto_aes_selected, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
}

/*
* The timing of AES implementation selection is finicky:
*
* 1. It has to be done _after_ cpu_attach for implementations,
* such as AES-NI, that rely on fpu initialization done by
* fpu_attach.
*
* 2. It has to be done _before_ the cgd self-tests or anything
* else that might call AES.
*
* For the moment, doing it in module init works. However, if a
* driver-class module depended on the aes module, that would break.
*/

static int
aes_select(void)
{

KASSERT(aes_impl == NULL);

if (aes_selftest_stdkeysched())
panic("AES is busted");

if (aes_md_impl) {
if (aes_selftest(aes_md_impl))
aprint_error("aes: self-test failed: %s\n",
aes_md_impl->ai_name);
else
aes_impl = aes_md_impl;
}
if (aes_impl == NULL) {
if (aes_selftest(&aes_bear_impl))
aprint_error("aes: self-test failed: %s\n",
aes_bear_impl.ai_name);
else
aes_impl = &aes_bear_impl;
}
if (aes_impl == NULL)
panic("AES self-tests failed");

aprint_debug("aes: %s\n", aes_impl->ai_name);
return 0;
}

MODULE(MODULE_CLASS_MISC, aes, NULL);

static int
aes_modcmd(modcmd_t cmd, void *opaque)
{

switch (cmd) {
case MODULE_CMD_INIT:
return aes_select();
case MODULE_CMD_FINI:
return 0;
default:
return ENOTTY;
}
}

static void
aes_guarantee_selected(void)
{
#if 0
static once_t once;
int error;

error = RUN_ONCE(&once, aes_select);
KASSERT(error == 0);
#endif
}

void
aes_md_init(const struct aes_impl *impl)
{

KASSERT(cold);
KASSERTMSG(aes_impl == NULL,
"AES implementation `%s' already chosen, can't offer `%s'",
aes_impl->ai_name, impl->ai_name);
KASSERTMSG(aes_md_impl == NULL,
"AES implementation `%s' already offered, can't offer `%s'",
aes_md_impl->ai_name, impl->ai_name);

aes_md_impl = impl;
}

static void
aes_setenckey(struct aesenc *enc, const uint8_t key[static 16],
uint32_t nrounds)
{

aes_guarantee_selected();
aes_impl->ai_setenckey(enc, key, nrounds);
}

uint32_t
aes_setenckey128(struct aesenc *enc, const uint8_t key[static 16])
{
uint32_t nrounds = AES_128_NROUNDS;

aes_setenckey(enc, key, nrounds);
return nrounds;
}

uint32_t
aes_setenckey192(struct aesenc *enc, const uint8_t key[static 24])
{
uint32_t nrounds = AES_192_NROUNDS;

aes_setenckey(enc, key, nrounds);
return nrounds;
}

uint32_t
aes_setenckey256(struct aesenc *enc, const uint8_t key[static 32])
{
uint32_t nrounds = AES_256_NROUNDS;

aes_setenckey(enc, key, nrounds);
return nrounds;
}

static void
aes_setdeckey(struct aesdec *dec, const uint8_t key[static 16],
uint32_t nrounds)
{

aes_guarantee_selected();
aes_impl->ai_setdeckey(dec, key, nrounds);
}

uint32_t
aes_setdeckey128(struct aesdec *dec, const uint8_t key[static 16])
{
uint32_t nrounds = AES_128_NROUNDS;

aes_setdeckey(dec, key, nrounds);
return nrounds;
}

uint32_t
aes_setdeckey192(struct aesdec *dec, const uint8_t key[static 24])
{
uint32_t nrounds = AES_192_NROUNDS;

aes_setdeckey(dec, key, nrounds);
return nrounds;
}

uint32_t
aes_setdeckey256(struct aesdec *dec, const uint8_t key[static 32])
{
uint32_t nrounds = AES_256_NROUNDS;

aes_setdeckey(dec, key, nrounds);
return nrounds;
}

void
aes_enc(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], uint32_t nrounds)
{

aes_guarantee_selected();
aes_impl->ai_enc(enc, in, out, nrounds);
}

void
aes_dec(const struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], uint32_t nrounds)
{

aes_guarantee_selected();
aes_impl->ai_dec(dec, in, out, nrounds);
}

void
aes_cbc_enc(struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
uint32_t nrounds)
{

aes_guarantee_selected();
aes_impl->ai_cbc_enc(enc, in, out, nbytes, iv, nrounds);
}

void
aes_cbc_dec(struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
uint32_t nrounds)
{

aes_guarantee_selected();
aes_impl->ai_cbc_dec(dec, in, out, nbytes, iv, nrounds);
}

void
aes_xts_enc(struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
uint32_t nrounds)
{

aes_guarantee_selected();
aes_impl->ai_xts_enc(enc, in, out, nbytes, tweak, nrounds);
}

void
aes_xts_dec(struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
uint32_t nrounds)
{

aes_guarantee_selected();
aes_impl->ai_xts_dec(dec, in, out, nbytes, tweak, nrounds);
}

void
aes_cbcmac_update1(const struct aesenc *enc, const uint8_t in[static 16],
size_t nbytes, uint8_t auth[static 16], uint32_t nrounds)
{

KASSERT(nbytes);
KASSERT(nbytes % 16 == 0);

aes_guarantee_selected();
aes_impl->ai_cbcmac_update1(enc, in, nbytes, auth, nrounds);
}

void
aes_ccm_enc1(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t authctr[static 32],
uint32_t nrounds)
{

KASSERT(nbytes);
KASSERT(nbytes % 16 == 0);

aes_guarantee_selected();
aes_impl->ai_ccm_enc1(enc, in, out, nbytes, authctr, nrounds);
}

void
aes_ccm_dec1(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t authctr[static 32],
uint32_t nrounds)
{

KASSERT(nbytes);
KASSERT(nbytes % 16 == 0);

aes_guarantee_selected();
aes_impl->ai_ccm_dec1(enc, in, out, nbytes, authctr, nrounds);
}

/*
* Known-answer self-tests for the standard key schedule.
*/
static int
aes_selftest_stdkeysched(void)
{
static const uint8_t key[32] = {
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
};
static const uint32_t rk128enc[] = {
0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
0xfd74aad6, 0xfa72afd2, 0xf178a6da, 0xfe76abd6,
0x0bcf92b6, 0xf1bd3d64, 0x00c59bbe, 0xfeb33068,
0x4e74ffb6, 0xbfc9c2d2, 0xbf0c596c, 0x41bf6904,
0xbcf7f747, 0x033e3595, 0xbc326cf9, 0xfd8d05fd,
0xe8a3aa3c, 0xeb9d9fa9, 0x57aff350, 0xaa22f6ad,
0x7d0f395e, 0x9692a6f7, 0xc13d55a7, 0x6b1fa30a,
0x1a70f914, 0x8ce25fe3, 0x4ddf0a44, 0x26c0a94e,
0x35874347, 0xb9651ca4, 0xf4ba16e0, 0xd27abfae,
0xd1329954, 0x685785f0, 0x9ced9310, 0x4e972cbe,
0x7f1d1113, 0x174a94e3, 0x8ba707f3, 0xc5302b4d,
};
static const uint32_t rk192enc[] = {
0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
0x13121110, 0x17161514, 0xf9f24658, 0xfef4435c,
0xf5fe4a54, 0xfaf04758, 0xe9e25648, 0xfef4435c,
0xb349f940, 0x4dbdba1c, 0xb843f048, 0x42b3b710,
0xab51e158, 0x55a5a204, 0x41b5ff7e, 0x0c084562,
0xb44bb52a, 0xf6f8023a, 0x5da9e362, 0x080c4166,
0x728501f5, 0x7e8d4497, 0xcac6f1bd, 0x3c3ef387,
0x619710e5, 0x699b5183, 0x9e7c1534, 0xe0f151a3,
0x2a37a01e, 0x16095399, 0x779e437c, 0x1e0512ff,
0x880e7edd, 0x68ff2f7e, 0x42c88f60, 0x54c1dcf9,
0x235f9f85, 0x3d5a8d7a, 0x5229c0c0, 0x3ad6efbe,
0x781e60de, 0x2cdfbc27, 0x0f8023a2, 0x32daaed8,
0x330a97a4, 0x09dc781a, 0x71c218c4, 0x5d1da4e3,
};
static const uint32_t rk256enc[] = {
0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
0x13121110, 0x17161514, 0x1b1a1918, 0x1f1e1d1c,
0x9fc273a5, 0x98c476a1, 0x93ce7fa9, 0x9cc072a5,
0xcda85116, 0xdabe4402, 0xc1a45d1a, 0xdeba4006,
0xf0df87ae, 0x681bf10f, 0xfbd58ea6, 0x6715fc03,
0x48f1e16d, 0x924fa56f, 0x53ebf875, 0x8d51b873,
0x7f8256c6, 0x1799a7c9, 0xec4c296f, 0x8b59d56c,
0x753ae23d, 0xe7754752, 0xb49ebf27, 0x39cf0754,
0x5f90dc0b, 0x48097bc2, 0xa44552ad, 0x2f1c87c1,
0x60a6f545, 0x87d3b217, 0x334d0d30, 0x0a820a64,
0x1cf7cf7c, 0x54feb4be, 0xf0bbe613, 0xdfa761d2,
0xfefa1af0, 0x7929a8e7, 0x4a64a5d7, 0x40e6afb3,
0x71fe4125, 0x2500f59b, 0xd5bb1388, 0x0a1c725a,
0x99665a4e, 0xe04ff2a9, 0xaa2b577e, 0xeacdf8cd,
0xcc79fc24, 0xe97909bf, 0x3cc21a37, 0x36de686d,
};
static const uint32_t rk128dec[] = {
0x7f1d1113, 0x174a94e3, 0x8ba707f3, 0xc5302b4d,
0xbe29aa13, 0xf6af8f9c, 0x80f570f7, 0x03bff700,
0x63a46213, 0x4886258f, 0x765aff6b, 0x834a87f7,
0x74fc828d, 0x2b22479c, 0x3edcdae4, 0xf510789c,
0x8d09e372, 0x5fdec511, 0x15fe9d78, 0xcbcca278,
0x2710c42e, 0xd2d72663, 0x4a205869, 0xde323f00,
0x04f5a2a8, 0xf5c7e24d, 0x98f77e0a, 0x94126769,
0x91e3c6c7, 0xf13240e5, 0x6d309c47, 0x0ce51963,
0x9902dba0, 0x60d18622, 0x9c02dca2, 0x61d58524,
0xf0df568c, 0xf9d35d82, 0xfcd35a80, 0xfdd75986,
0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
};
static const uint32_t rk192dec[] = {
0x330a97a4, 0x09dc781a, 0x71c218c4, 0x5d1da4e3,
0x0dbdbed6, 0x49ea09c2, 0x8073b04d, 0xb91b023e,
0xc999b98f, 0x3968b273, 0x9dd8f9c7, 0x728cc685,
0xc16e7df7, 0xef543f42, 0x7f317853, 0x4457b714,
0x90654711, 0x3b66cf47, 0x8dce0e9b, 0xf0f10bfc,
0xb6a8c1dc, 0x7d3f0567, 0x4a195ccc, 0x2e3a42b5,
0xabb0dec6, 0x64231e79, 0xbe5f05a4, 0xab038856,
0xda7c1bdd, 0x155c8df2, 0x1dab498a, 0xcb97c4bb,
0x08f7c478, 0xd63c8d31, 0x01b75596, 0xcf93c0bf,
0x10efdc60, 0xce249529, 0x15efdb62, 0xcf20962f,
0xdbcb4e4b, 0xdacf4d4d, 0xc7d75257, 0xdecb4949,
0x1d181f1a, 0x191c1b1e, 0xd7c74247, 0xdecb4949,
0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
};
static const uint32_t rk256dec[] = {
0xcc79fc24, 0xe97909bf, 0x3cc21a37, 0x36de686d,
0xffd1f134, 0x2faacebf, 0x5fe2e9fc, 0x6e015825,
0xeb48165e, 0x0a354c38, 0x46b77175, 0x84e680dc,
0x8005a3c8, 0xd07b3f8b, 0x70482743, 0x31e3b1d9,
0x138e70b5, 0xe17d5a66, 0x4c823d4d, 0xc251f1a9,
0xa37bda74, 0x507e9c43, 0xa03318c8, 0x41ab969a,
0x1597a63c, 0xf2f32ad3, 0xadff672b, 0x8ed3cce4,
0xf3c45ff8, 0xf3054637, 0xf04d848b, 0xe1988e52,
0x9a4069de, 0xe7648cef, 0x5f0c4df8, 0x232cabcf,
0x1658d5ae, 0x00c119cf, 0x0348c2bc, 0x11d50ad9,
0xbd68c615, 0x7d24e531, 0xb868c117, 0x7c20e637,
0x0f85d77f, 0x1699cc61, 0x0389db73, 0x129dc865,
0xc940282a, 0xc04c2324, 0xc54c2426, 0xc4482720,
0x1d181f1a, 0x191c1b1e, 0x15101712, 0x11141316,
0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
};
static const struct {
unsigned len;
unsigned nr;
const uint32_t *enc, *dec;
} C[] = {
{ 16, AES_128_NROUNDS, rk128enc, rk128dec },
{ 24, AES_192_NROUNDS, rk192enc, rk192dec },
{ 32, AES_256_NROUNDS, rk256enc, rk256dec },
};
uint32_t rk[60];
unsigned i;

for (i = 0; i < __arraycount(C); i++) {
if (br_aes_ct_keysched_stdenc(rk, key, C[i].len) != C[i].nr)
return -1;
if (memcmp(rk, C[i].enc, 4*(C[i].nr + 1)))
return -1;
if (br_aes_ct_keysched_stddec(rk, key, C[i].len) != C[i].nr)
return -1;
if (memcmp(rk, C[i].dec, 4*(C[i].nr + 1)))
return -1;
}

return 0;
}