1 #!/usr/local/bin/python3
3 # Copyright (c) 2014 The FreeBSD Foundation
4 # Copyright 2014 John-Mark Gurney
6 # Copyright 2019 Enji Cooper
8 # This software was developed by John-Mark Gurney under
9 # the sponsorship from the FreeBSD Foundation.
10 # Redistribution and use in source and binary forms, with or without
11 # modification, are permitted provided that the following conditions
13 # 1. Redistributions of source code must retain the above copyright
14 # notice, this list of conditions and the following disclaimer.
15 # 2. Redistributions in binary form must reproduce the above copyright
16 # notice, this list of conditions and the following disclaimer in the
17 # documentation and/or other materials provided with the distribution.
19 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 from fcntl import ioctl
42 from struct import pack as _pack
48 from cryptodevh import *
50 __all__ = [ 'Crypto', 'MismatchError', ]
52 class FindOp(dpkt.Packet):
59 class SessionOp(dpkt.Packet):
66 ('mackeylen', 'i', 0),
71 class SessionOp2(dpkt.Packet):
78 ('mackeylen', 'i', 0),
88 class CryptOp(dpkt.Packet):
101 class CryptAEAD(dpkt.Packet):
117 # h2py.py can't handle multiarg macros
118 CIOCGSESSION = 3224396645
119 CIOCFSESSION = 2147771238
121 CIOCASYMFEAT = 1074029417
122 CIOCKEY2 = 3230688107
123 CIOCFINDDEV = 3223610220
124 if platform.architecture()[0] == '64bit':
125 CIOCGSESSION2 = 3225445226
126 CIOCCRYPT = 3224396647
127 CIOCCRYPTAEAD = 3225445229
129 CIOCGSESSION2 = 3224396650
130 CIOCCRYPT = 3223085927
131 CIOCCRYPTAEAD = 3223872365
133 _cryptodev = os.open('/dev/crypto', os.O_RDWR)
135 def str_to_ascii(val):
136 if sys.version_info[0] >= 3:
137 if isinstance(val, str):
138 return val.encode("ascii")
141 def _findop(crid, name):
144 fop.name = str_to_ascii(name)
145 s = array.array('B', fop.pack_hdr())
146 ioctl(_cryptodev, CIOCFINDDEV, s, 1)
150 idx = fop.name.index(b'\x00')
151 name = fop.name[:idx]
155 return fop.crid, name
157 def array_tobytes(array_obj):
158 if sys.version_info[:2] >= (3, 2):
159 return array_obj.tobytes()
160 return array_obj.tostring()
163 if sys.version_info[0] >= 3:
170 return _findop(-1, name)[0]
173 def getcridname(crid):
174 return _findop(crid, '')[1]
176 def __init__(self, cipher=0, key=None, mac=0, mackey=None,
177 crid=CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_HARDWARE, maclen=None,
180 self._maclen = maclen
186 ses.keylen = len(key)
187 k = array.array('B', key)
188 ses.key = k.buffer_info()[0]
192 if mackey is not None:
193 ses.mackeylen = len(mackey)
194 mk = array.array('B', mackey)
195 ses.mackey = mk.buffer_info()[0]
197 if not cipher and not mac:
198 raise ValueError('one of cipher or mac MUST be specified.')
205 s = array.array('B', ses.pack_hdr())
207 ioctl(_cryptodev, CIOCGSESSION2, s, 1)
213 if self._ses is None:
217 ioctl(_cryptodev, CIOCFSESSION, _pack('I', self._ses))
222 def _doop(self, op, src, iv, mac=None):
229 s = array.array('B', src)
230 cop.src = cop.dst = s.buffer_info()[0]
232 assert len(mac) == self._maclen, \
233 '%d != %d' % (len(tag), self._maclen)
234 if self._maclen is not None:
236 m = array.array('B', [0] * self._maclen)
238 m = array.array('B', mac)
239 cop.mac = m.buffer_info()[0]
240 ivbuf = array.array('B', str_to_ascii(iv))
241 cop.iv = ivbuf.buffer_info()[0]
244 ioctl(_cryptodev, CIOCCRYPT, bytes(cop))
250 if self._maclen is not None:
251 return s, array_tobytes(m)
255 def _doaead(self, op, src, aad, iv, tag=None):
257 caead.ses = self._ses
259 caead.flags = CRD_F_IV_EXPLICIT
262 src = str_to_ascii(src)
264 s = array.array('B', src)
265 caead.src = caead.dst = s.buffer_info()[0]
266 aad = str_to_ascii(aad)
267 caead.aadlen = len(aad)
268 saad = array.array('B', aad)
269 caead.aad = saad.buffer_info()[0]
271 if self._maclen is None:
272 raise ValueError('must have a tag length')
274 tag = str_to_ascii(tag)
276 tag = array.array('B', [0] * self._maclen)
278 assert len(tag) == self._maclen, \
279 '%d != %d' % (len(tag), self._maclen)
280 tag = array.array('B', tag)
282 caead.tag = tag.buffer_info()[0]
284 ivbuf = array.array('B', iv)
285 caead.ivlen = len(iv)
286 caead.iv = ivbuf.buffer_info()[0]
288 ioctl(_cryptodev, CIOCCRYPTAEAD, bytes(caead))
295 return s, array_tobytes(tag)
297 def perftest(self, op, size, timeo=3):
298 inp = array.array('B', (random.randint(0, 255) for x in range(size)))
299 inp = str_to_ascii(inp)
300 out = array.array('B', inp)
308 s = array.array('B', inp)
309 cop.src = s.buffer_info()[0]
310 cop.dst = out.buffer_info()[0]
311 if self._maclen is not None:
312 m = array.array('B', [0] * self._maclen)
313 cop.mac = m.buffer_info()[0]
314 ivbuf = array.array('B', (random.randint(0, 255) for x in range(16)))
315 cop.iv = ivbuf.buffer_info()[0]
318 def alarmhandle(a, b, exit=exit):
321 oldalarm = signal.signal(signal.SIGALRM, alarmhandle)
328 ioctl(_cryptodev, CIOCCRYPT, cop)
333 signal.signal(signal.SIGALRM, oldalarm)
335 print('time:', end - start)
336 print('perf MB/sec:', (reps * size) / (end - start) / 1024 / 1024)
338 def encrypt(self, data, iv, aad=None):
340 return self._doop(COP_ENCRYPT, data, iv)
342 return self._doaead(COP_ENCRYPT, data, aad,
345 def decrypt(self, data, iv, aad=None, tag=None):
347 return self._doop(COP_DECRYPT, data, iv, mac=tag)
349 return self._doaead(COP_DECRYPT, data, aad,
352 class MismatchError(Exception):
356 def __init__(self, fname, fields):
357 self.fields = set(fields)
361 self.field_re = re.compile(r"\[(?P<field>[^]]+)\]")
364 self.fp = open(self.fname)
367 def __exit__(self, exc_type, exc_value, exc_tb):
368 if self.fp is not None:
377 if self._pending is not None:
381 i = self.fp.readline()
385 if not i.startswith('#') and i.strip():
388 matches = self.field_re.match(i)
390 raise ValueError("Unknown line: %r" % (i))
391 yield matches.group("field"), self.fielditer()
395 line = self.fp.readline()
409 line = self.eatblanks()
410 if not line or line[0] == '[':
416 f, v = line.split(' =')
421 print('line:', repr(line))
426 raise ValueError('already present: %r' % repr(f))
428 line = self.fp.readline().strip()
432 # we should have everything
433 remain = self.fields.copy() - set(values.keys())
434 # XXX - special case GCM decrypt
435 if remain and not ('FAIL' in values and 'PT' in remain):
436 raise ValueError('not all fields found: %r' % repr(remain))
440 # The CCM files use a bit of a different syntax that doesn't quite fit
441 # the generic KATParser. In particular, some keys are set globally at
442 # the start of the file, and some are set globally at the start of a
445 def __init__(self, fname):
451 self.fp = open(self.fname)
455 def __exit__(self, exc_type, exc_value, exc_tb):
456 if self.fp is not None:
459 def read_globals(self):
460 self.global_values = {}
462 line = self.fp.readline()
465 if line[0] == '#' or not line.strip():
472 f, v = line.split(' =')
474 print('line:', repr(line))
479 if f in self.global_values:
480 raise ValueError('already present: %r' % repr(f))
481 self.global_values[f] = v
483 def read_section_values(self, kwpairs):
484 self.section_values = self.global_values.copy()
485 for pair in kwpairs.split(', '):
486 f, v = pair.split(' = ')
487 if f in self.section_values:
488 raise ValueError('already present: %r' % repr(f))
489 self.section_values[f] = v
492 line = self.fp.readline()
495 if line[0] == '#' or not line.strip():
502 f, v = line.split(' =')
504 print('line:', repr(line))
513 if f in self.section_values:
514 raise ValueError('already present: %r' % repr(f))
515 self.section_values[f] = v
526 line = self.fp.readline()
530 if (line and line[0] == '#') or not line.strip():
534 section = line[1:].split(']', 1)[0]
535 self.read_section_values(section)
538 values = self.section_values.copy()
542 f, v = line.split(' =')
544 print('line:', repr(line))
549 raise ValueError('already present: %r' % repr(f))
551 line = self.fp.readline().strip()
558 return binascii.hexlify(''.join(s.split()))
560 if sys.version_info[0] < 3:
561 KATCCMParser.next = KATCCMParser.__next__
562 KATParser.next = KATParser.__next__
564 if __name__ == '__main__':
567 crid = Crypto.findcrid('aesni0')
568 print('aesni:', crid)
570 print('aesni0 not found')
574 name = Crypto.getcridname(i)
575 print('%2d: %r' % (i, repr(name)))
579 columns = [ 'COUNT', 'DataUnitLen', 'Key', 'DataUnitSeqNumber', 'PT', 'CT' ]
580 fname = '/usr/home/jmg/aesni.testing/format tweak value input - data unit seq no/XTSGenAES128.rsp'
581 with KATParser(fname, columns) as kp:
587 key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
588 iv = _spdechex('00000000000000000000000000000001')
589 pt = _spdechex('ab3cabed693a32946055524052afe3c9cb49664f09fc8b7da824d924006b7496353b8c1657c5dec564d8f38d7432e1de35aae9d95590e66278d4acce883e51abaf94977fcd3679660109a92bf7b2973ccd547f065ec6cee4cb4a72a5e9f45e615d920d76cb34cba482467b3e21422a7242e7d931330c0fbf465c3a3a46fae943029fd899626dda542750a1eee253df323c6ef1573f1c8c156613e2ea0a6cdbf2ae9701020be2d6a83ecb7f3f9d8e')
590 #pt = _spdechex('00000000000000000000000000000000')
591 ct = _spdechex('f42c33853ecc5ce2949865fdb83de3bff1089e9360c94f830baebfaff72836ab5236f77212f1e7396c8c54ac73d81986375a6e9e299cfeca5ba051ed25e8d1affa5beaf6c1d2b45e90802408f2ced21663497e906de5f29341e5e52ddfea5363d628b3eb7806835e17bae051b3a6da3f8e2941fe44384eac17a9d298d2c331ca8320c775b5d53263a5e905059d891b21dede2d8110fd427c7bd5a9a274ddb47b1945ee79522203b6e297d0e399ef')
593 c = Crypto(CRYPTO_AES_ICM, key)
594 enc = c.encrypt(pt, iv)
596 print('enc:', binascii.hexlify(enc))
597 print(' ct:', binascii.hexlify(ct))
601 dec = c.decrypt(ct, iv)
603 print('dec:', binascii.hexlify(dec))
604 print(' pt:', binascii.hexlify(pt))
608 key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
609 iv = _spdechex('00000000000000000000000000000001')
610 pt = _spdechex('ab3cabed693a32946055524052afe3c9cb49664f09fc8b7da824d924006b7496353b8c1657c5dec564d8f38d7432e1de35aae9d95590e66278d4acce883e51abaf94977fcd3679660109a92bf7b2973ccd547f065ec6cee4cb4a72a5e9f45e615d920d76cb34cba482467b3e21422a7242e7d931330c0fbf465c3a3a46fae943029fd899626dda542750a1eee253df323c6ef1573f1c8c156613e2ea0a6cdbf2ae9701020be2d6a83ecb7f3f9d8e0a3f')
611 #pt = _spdechex('00000000000000000000000000000000')
612 ct = _spdechex('f42c33853ecc5ce2949865fdb83de3bff1089e9360c94f830baebfaff72836ab5236f77212f1e7396c8c54ac73d81986375a6e9e299cfeca5ba051ed25e8d1affa5beaf6c1d2b45e90802408f2ced21663497e906de5f29341e5e52ddfea5363d628b3eb7806835e17bae051b3a6da3f8e2941fe44384eac17a9d298d2c331ca8320c775b5d53263a5e905059d891b21dede2d8110fd427c7bd5a9a274ddb47b1945ee79522203b6e297d0e399ef3768')
614 c = Crypto(CRYPTO_AES_ICM, key)
615 enc = c.encrypt(pt, iv)
617 print('enc:', binascii.hexlify(enc))
618 print(' ct:', binascii.hexlify(ct))
622 dec = c.decrypt(ct, iv)
624 print('dec:', binascii.hexlify(dec))
625 print(' pt:', binascii.hexlify(pt))
629 key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
630 iv = _spdechex('6eba2716ec0bd6fa5cdef5e6d3a795bc')
631 pt = _spdechex('ab3cabed693a32946055524052afe3c9cb49664f09fc8b7da824d924006b7496353b8c1657c5dec564d8f38d7432e1de35aae9d95590e66278d4acce883e51abaf94977fcd3679660109a92bf7b2973ccd547f065ec6cee4cb4a72a5e9f45e615d920d76cb34cba482467b3e21422a7242e7d931330c0fbf465c3a3a46fae943029fd899626dda542750a1eee253df323c6ef1573f1c8c156613e2ea0a6cdbf2ae9701020be2d6a83ecb7f3f9d8e0a3f')
632 ct = _spdechex('f1f81f12e72e992dbdc304032705dc75dc3e4180eff8ee4819906af6aee876d5b00b7c36d282a445ce3620327be481e8e53a8e5a8e5ca9abfeb2281be88d12ffa8f46d958d8224738c1f7eea48bda03edbf9adeb900985f4fa25648b406d13a886c25e70cfdecdde0ad0f2991420eb48a61c64fd797237cf2798c2675b9bb744360b0a3f329ac53bbceb4e3e7456e6514f1a9d2f06c236c31d0f080b79c15dce1096357416602520daa098b17d1af427')
633 c = Crypto(CRYPTO_AES_CBC, key)
635 enc = c.encrypt(pt, iv)
637 print('enc:', binascii.hexlify(enc))
638 print(' ct:', binascii.hexlify(ct))
642 dec = c.decrypt(ct, iv)
644 print('dec:', binascii.hexlify(dec))
645 print(' pt:', binascii.hexlify(pt))
649 key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
650 iv = _spdechex('b3d8cc017cbb89b39e0f67e2')
651 pt = _spdechex('c3b3c41f113a31b73d9a5cd4321030')
652 aad = _spdechex('24825602bd12a984e0092d3e448eda5f')
653 ct = _spdechex('93fe7d9e9bfd10348a5606e5cafa7354')
654 ct = _spdechex('93fe7d9e9bfd10348a5606e5cafa73')
655 tag = _spdechex('0032a1dc85f1c9786925a2e71d8272dd')
656 tag = _spdechex('8d11a0929cb3fbe1fef01a4a38d5f8ea')
658 c = Crypto(CRYPTO_AES_NIST_GCM_16, key)
660 enc, enctag = c.encrypt(pt, iv, aad=aad)
662 print('enc:', binascii.hexlify(enc))
663 print(' ct:', binascii.hexlify(ct))
667 print('etg:', binascii.hexlify(enctag))
668 print('tag:', binascii.hexlify(tag))
671 # Make sure we get EBADMSG
672 #enctag = enctag[:-1] + 'a'
673 dec, dectag = c.decrypt(ct, iv, aad=aad, tag=enctag)
675 print('dec:', binascii.hexlify(dec))
676 print(' pt:', binascii.hexlify(pt))
680 print('dtg:', binascii.hexlify(dectag))
681 print('tag:', binascii.hexlify(tag))
685 key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
686 iv = _spdechex('b3d8cc017cbb89b39e0f67e2')
689 pt = _spdechex('c3b3c41f113a31b73d9a5cd432103069')
690 aad = _spdechex('24825602bd12a984e0092d3e448eda5f')
691 ct = _spdechex('93fe7d9e9bfd10348a5606e5cafa7354')
692 tag = _spdechex('0032a1dc85f1c9786925a2e71d8272dd')
694 c = Crypto(CRYPTO_AES_GCM_16, key)
696 enc, enctag = c.encrypt(pt, iv, aad=aad)
698 print('enc:', binascii.hexlify(enc))
699 print(' ct:', binascii.hexlify(ct))
703 print('etg:', binascii.hexlify(enctag))
704 print('tag:', binascii.hexlify(tag))
707 for i in range(100000):
708 c = Crypto(CRYPTO_AES_XTS, binascii.unhexlify('1bbfeadf539daedcae33ced497343f3ca1f2474ad932b903997d44707db41382'))
709 data = binascii.unhexlify('52a42bca4e9425a25bbc8c8bf6129dec')
710 ct = binascii.unhexlify('517e602becd066b65fa4f4f56ddfe240')
711 iv = _pack('QQ', 71, 0)
713 enc = c.encrypt(data, iv)
716 c = Crypto(CRYPTO_AES_XTS, binascii.unhexlify('1bbfeadf539daedcae33ced497343f3ca1f2474ad932b903997d44707db41382'))
717 data = binascii.unhexlify('52a42bca4e9425a25bbc8c8bf6129dec')
718 ct = binascii.unhexlify('517e602becd066b65fa4f4f56ddfe240')
719 iv = _pack('QQ', 71, 0)
721 enc = c.encrypt(data, iv)
724 dec = c.decrypt(enc, iv)
727 #c.perftest(COP_ENCRYPT, 192*1024, reps=30000)
730 key = binascii.unhexlify('1bbfeadf539daedcae33ced497343f3ca1f2474ad932b903997d44707db41382')
731 print('XTS %d testing:' % (len(key) * 8))
732 c = Crypto(CRYPTO_AES_XTS, key)
733 for i in [ 8192, 192*1024]:
734 print('block size: %d' % i)
735 c.perftest(COP_ENCRYPT, i)
736 c.perftest(COP_DECRYPT, i)