2 * Copyright (c) 2017 Chelsio Communications, Inc.
4 * Copyright (c) 2021 The FreeBSD Foundation
5 * Written by: John Baldwin <jhb@FreeBSD.org>
7 * Portions of this software were developed by Ararat River
8 * Consulting, LLC under sponsorship of the FreeBSD Foundation.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * Copyright (c) 2004 Sam Leffler, Errno Consulting
33 * All rights reserved.
35 * Redistribution and use in source and binary forms, with or without
36 * modification, are permitted provided that the following conditions
38 * 1. Redistributions of source code must retain the above copyright
39 * notice, this list of conditions and the following disclaimer,
40 * without modification.
41 * 2. Redistributions in binary form must reproduce at minimum a disclaimer
42 * similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
43 * redistribution must be conditioned upon including a substantially
44 * similar Disclaimer requirement for further binary redistribution.
45 * 3. Neither the names of the above-listed copyright holders nor the names
46 * of any contributors may be used to endorse or promote products derived
47 * from this software without specific prior written permission.
50 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
51 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
52 * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
53 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
54 * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
55 * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
56 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
57 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
58 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
59 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
60 * THE POSSIBILITY OF SUCH DAMAGES.
66 * A different tool for checking hardware crypto support. Whereas
67 * cryptotest is focused on simple performance numbers, this tool is
68 * focused on correctness. For each crypto operation, it performs the
69 * operation once in software via OpenSSL and a second time via
70 * OpenCrypto and compares the results.
72 * cryptocheck [-vz] [-A aad length] [-a algorithm] [-d dev] [-I IV length]
77 * -z Run all algorithms on a variety of buffer sizes.
79 * Supported algorithms:
81 * hash Run all hash tests
82 * mac Run all mac tests
83 * cipher Run all cipher tests
84 * eta Run all encrypt-then-authenticate tests
85 * aead Run all authenticated encryption with associated data
89 * ripemd160 160-bit RIPEMD
91 * sha224 224-bit SHA-2
92 * sha256 256-bit SHA-2
93 * sha384 384-bit SHA-2
94 * sha512 512-bit SHA-2
99 * ripemd160hmac 160-bit RIPEMD HMAC
100 * sha1hmac SHA-1 HMAC
101 * sha224hmac 224-bit SHA-2 HMAC
102 * sha256hmac 256-bit SHA-2 HMAC
103 * sha384hmac 384-bit SHA-2 HMAC
104 * sha512hmac 512-bit SHA-2 HMAC
105 * gmac 128/192/256-bit GMAC
106 * gmac128 128-bit GMAC
107 * gmac192 192-bit GMAC
108 * gmac256 256-bit GMAC
112 * aes-cbc 128/192/256-bit AES-CBC
113 * aes-cbc128 128-bit AES-CBC
114 * aes-cbc192 192-bit AES-CBC
115 * aes-cbc256 256-bit AES-CBC
116 * aes-ctr 128/192/256-bit AES-CTR
117 * aes-ctr128 128-bit AES-CTR
118 * aes-ctr192 192-bit AES-CTR
119 * aes-ctr256 256-bit AES-CTR
120 * aes-xts 128/256-bit AES-XTS
121 * aes-xts128 128-bit AES-XTS
122 * aes-xts256 256-bit AES-XTS
123 * camellia-cbc 128/192/256-bit Camellia-CBC
124 * camellia-cbc128 128-bit Camellia-CBC
125 * camellia-cbc192 192-bit Camellia-CBC
126 * camellia-cbc256 256-bit Camellia-CBC
129 * Encrypt then Authenticate:
132 * Authenticated Encryption with Associated Data:
133 * aes-gcm 128/192/256-bit AES-GCM
134 * aes-gcm128 128-bit AES-GCM
135 * aes-gcm192 192-bit AES-GCM
136 * aes-gcm256 256-bit AES-GCM
137 * aes-ccm 128/192/256-bit AES-CCM
138 * aes-ccm128 128-bit AES-CCM
139 * aes-ccm192 192-bit AES-CCM
140 * aes-ccm256 256-bit AES-CCM
141 * chacha20-poly1305 Chacha20 with Poly1305 per RFC 8439
144 #include <sys/param.h>
145 #include <sys/sysctl.h>
155 #include <openssl/err.h>
156 #include <openssl/hmac.h>
158 #include <crypto/cryptodev.h>
166 static const struct alg {
170 enum { T_HASH, T_HMAC, T_GMAC, T_DIGEST, T_CIPHER, T_ETA, T_AEAD } type;
174 const EVP_CIPHER *(*evp_cipher)(void);
175 const EVP_MD *(*evp_md)(void);
178 { .name = "sha1", .mac = CRYPTO_SHA1, .type = T_HASH,
179 .evp_md = EVP_sha1 },
180 { .name = "sha224", .mac = CRYPTO_SHA2_224, .type = T_HASH,
181 .evp_md = EVP_sha224 },
182 { .name = "sha256", .mac = CRYPTO_SHA2_256, .type = T_HASH,
183 .evp_md = EVP_sha256 },
184 { .name = "sha384", .mac = CRYPTO_SHA2_384, .type = T_HASH,
185 .evp_md = EVP_sha384 },
186 { .name = "sha512", .mac = CRYPTO_SHA2_512, .type = T_HASH,
187 .evp_md = EVP_sha512 },
188 { .name = "ripemd160hmac", .mac = CRYPTO_RIPEMD160_HMAC, .type = T_HMAC,
189 .evp_md = EVP_ripemd160 },
190 { .name = "sha1hmac", .mac = CRYPTO_SHA1_HMAC, .type = T_HMAC,
191 .evp_md = EVP_sha1 },
192 { .name = "sha224hmac", .mac = CRYPTO_SHA2_224_HMAC, .type = T_HMAC,
193 .evp_md = EVP_sha224 },
194 { .name = "sha256hmac", .mac = CRYPTO_SHA2_256_HMAC, .type = T_HMAC,
195 .evp_md = EVP_sha256 },
196 { .name = "sha384hmac", .mac = CRYPTO_SHA2_384_HMAC, .type = T_HMAC,
197 .evp_md = EVP_sha384 },
198 { .name = "sha512hmac", .mac = CRYPTO_SHA2_512_HMAC, .type = T_HMAC,
199 .evp_md = EVP_sha512 },
200 { .name = "blake2b", .mac = CRYPTO_BLAKE2B, .type = T_HASH,
201 .evp_md = EVP_blake2b512 },
202 { .name = "blake2s", .mac = CRYPTO_BLAKE2S, .type = T_HASH,
203 .evp_md = EVP_blake2s256 },
204 { .name = "gmac128", .mac = CRYPTO_AES_NIST_GMAC, .type = T_GMAC,
205 .tag_len = AES_GMAC_HASH_LEN, .evp_cipher = EVP_aes_128_gcm },
206 { .name = "gmac192", .mac = CRYPTO_AES_NIST_GMAC, .type = T_GMAC,
207 .tag_len = AES_GMAC_HASH_LEN, .evp_cipher = EVP_aes_192_gcm },
208 { .name = "gmac256", .mac = CRYPTO_AES_NIST_GMAC, .type = T_GMAC,
209 .tag_len = AES_GMAC_HASH_LEN, .evp_cipher = EVP_aes_256_gcm },
210 { .name = "poly1305", .mac = CRYPTO_POLY1305, .type = T_DIGEST,
211 .key_len = POLY1305_KEY_LEN, .pkey = EVP_PKEY_POLY1305 },
212 { .name = "aes-cbc128", .cipher = CRYPTO_AES_CBC, .type = T_CIPHER,
213 .evp_cipher = EVP_aes_128_cbc },
214 { .name = "aes-cbc192", .cipher = CRYPTO_AES_CBC, .type = T_CIPHER,
215 .evp_cipher = EVP_aes_192_cbc },
216 { .name = "aes-cbc256", .cipher = CRYPTO_AES_CBC, .type = T_CIPHER,
217 .evp_cipher = EVP_aes_256_cbc },
218 { .name = "aes-ctr128", .cipher = CRYPTO_AES_ICM, .type = T_CIPHER,
219 .evp_cipher = EVP_aes_128_ctr },
220 { .name = "aes-ctr192", .cipher = CRYPTO_AES_ICM, .type = T_CIPHER,
221 .evp_cipher = EVP_aes_192_ctr },
222 { .name = "aes-ctr256", .cipher = CRYPTO_AES_ICM, .type = T_CIPHER,
223 .evp_cipher = EVP_aes_256_ctr },
224 { .name = "aes-xts128", .cipher = CRYPTO_AES_XTS, .type = T_CIPHER,
225 .evp_cipher = EVP_aes_128_xts },
226 { .name = "aes-xts256", .cipher = CRYPTO_AES_XTS, .type = T_CIPHER,
227 .evp_cipher = EVP_aes_256_xts },
228 { .name = "camellia-cbc128", .cipher = CRYPTO_CAMELLIA_CBC,
229 .type = T_CIPHER, .evp_cipher = EVP_camellia_128_cbc },
230 { .name = "camellia-cbc192", .cipher = CRYPTO_CAMELLIA_CBC,
231 .type = T_CIPHER, .evp_cipher = EVP_camellia_192_cbc },
232 { .name = "camellia-cbc256", .cipher = CRYPTO_CAMELLIA_CBC,
233 .type = T_CIPHER, .evp_cipher = EVP_camellia_256_cbc },
234 { .name = "chacha20", .cipher = CRYPTO_CHACHA20, .type = T_CIPHER,
235 .evp_cipher = EVP_chacha20 },
236 { .name = "aes-gcm128", .cipher = CRYPTO_AES_NIST_GCM_16,
237 .type = T_AEAD, .tag_len = AES_GMAC_HASH_LEN,
238 .iv_sizes = { AES_GCM_IV_LEN }, .evp_cipher = EVP_aes_128_gcm },
239 { .name = "aes-gcm192", .cipher = CRYPTO_AES_NIST_GCM_16,
240 .type = T_AEAD, .tag_len = AES_GMAC_HASH_LEN,
241 .iv_sizes = { AES_GCM_IV_LEN }, .evp_cipher = EVP_aes_192_gcm },
242 { .name = "aes-gcm256", .cipher = CRYPTO_AES_NIST_GCM_16,
243 .type = T_AEAD, .tag_len = AES_GMAC_HASH_LEN,
244 .iv_sizes = { AES_GCM_IV_LEN }, .evp_cipher = EVP_aes_256_gcm },
245 { .name = "aes-ccm128", .cipher = CRYPTO_AES_CCM_16, .type = T_AEAD,
246 .tag_len = AES_CBC_MAC_HASH_LEN, .iv_sizes = { 12, 7, 8, 9, 10, 11, 13 },
247 .evp_cipher = EVP_aes_128_ccm },
248 { .name = "aes-ccm192", .cipher = CRYPTO_AES_CCM_16, .type = T_AEAD,
249 .tag_len = AES_CBC_MAC_HASH_LEN, .iv_sizes = { 12, 7, 8, 9, 10, 11, 13 },
250 .evp_cipher = EVP_aes_192_ccm },
251 { .name = "aes-ccm256", .cipher = CRYPTO_AES_CCM_16, .type = T_AEAD,
252 .tag_len = AES_CBC_MAC_HASH_LEN, .iv_sizes = { 12, 7, 8, 9, 10, 11, 13 },
253 .evp_cipher = EVP_aes_256_ccm },
254 { .name = "chacha20-poly1305", .cipher = CRYPTO_CHACHA20_POLY1305,
255 .type = T_AEAD, .tag_len = POLY1305_HASH_LEN,
256 .iv_sizes = { CHACHA20_POLY1305_IV_LEN, 8 },
257 .evp_cipher = EVP_chacha20_poly1305 },
260 static bool testall, verbose;
261 static int requested_crid;
262 static size_t aad_sizes[48], sizes[EALG_MAX_BLOCK_LEN * 2];
263 static u_int naad_sizes, nsizes;
264 static u_int iv_size;
270 "usage: cryptocheck [-vz] [-A aad size] [-a algorithm]\n"
271 " [-d dev] [-I IV size] [size ...]\n");
275 static const struct alg *
276 find_alg(const char *name)
280 for (i = 0; i < nitems(algs); i++)
281 if (strcasecmp(algs[i].name, name) == 0)
287 build_eta(const struct alg *cipher, const struct alg *mac)
292 assert(cipher->type == T_CIPHER);
293 assert(mac->type == T_HMAC);
294 eta = calloc(1, sizeof(*eta));
295 asprintf(&name, "%s+%s", cipher->name, mac->name);
297 eta->cipher = cipher->cipher;
300 eta->evp_cipher = cipher->evp_cipher;
301 eta->evp_md = mac->evp_md;
306 free_eta(struct alg *eta)
308 free(__DECONST(char *, eta->name));
313 build_eta_name(const char *name)
315 const struct alg *cipher, *mac;
316 const char *mac_name;
317 char *cp, *cipher_name;
319 cp = strchr(name, '+');
320 cipher_name = strndup(name, cp - name);
322 cipher = find_alg(cipher_name);
324 if (cipher == NULL || cipher->type != T_CIPHER)
325 errx(1, "Invalid cipher %s", cipher_name);
326 mac = find_alg(mac_name);
327 if (mac == NULL || mac->type != T_HMAC)
328 errx(1, "Invalid hmac %s", mac_name);
329 return (build_eta(cipher, mac));
338 fd = open("/dev/crypto", O_RDWR | O_CLOEXEC, 0);
340 err(1, "/dev/crypto");
346 * Called on exit to change kern.cryptodevallowsoft back to 0
348 #define CRYPT_SOFT_ALLOW "kern.cryptodevallowsoft"
351 reset_user_soft(void)
354 sysctlbyname(CRYPT_SOFT_ALLOW, NULL, NULL, &off, sizeof(off));
358 enable_user_soft(void)
362 size_t cursize = sizeof(curstate);
364 if (sysctlbyname(CRYPT_SOFT_ALLOW, &curstate, &cursize,
365 &on, sizeof(on)) == 0) {
367 atexit(reset_user_soft);
372 crlookup(const char *devname)
374 struct crypt_find_op find;
376 if (strncmp(devname, "soft", 4) == 0) {
378 return CRYPTO_FLAG_SOFTWARE;
382 strlcpy(find.name, devname, sizeof(find.name));
383 if (ioctl(devcrypto(), CIOCFINDDEV, &find) == -1)
384 err(1, "ioctl(CIOCFINDDEV)");
391 static struct crypt_find_op find;
393 if (crid == CRYPTO_FLAG_SOFTWARE)
395 else if (crid == CRYPTO_FLAG_HARDWARE)
398 bzero(&find, sizeof(find));
400 if (ioctl(devcrypto(), CIOCFINDDEV, &find) == -1)
401 err(1, "ioctl(CIOCFINDDEV): crid %d", crid);
409 0x10,0x54,0x11,0x48,0x45,0x12,0x4f,0x13,0x49,0x53,0x14,0x41,
410 0x15,0x16,0x4e,0x55,0x54,0x17,0x18,0x4a,0x4f,0x42,0x19,0x01
412 return 0x20+a[random()%nitems(a)];
416 alloc_buffer(size_t len)
422 for (i = 0; i < len; i++)
428 generate_iv(size_t len, const struct alg *alg)
432 iv = alloc_buffer(len);
433 switch (alg->cipher) {
435 /* Clear the low 32 bits of the IV to hold the counter. */
443 * Clear the low 64-bits to only store a 64-bit block
460 ocf_init_sop(struct session2_op *sop)
462 memset(sop, 0, sizeof(*sop));
463 sop->crid = requested_crid;
467 ocf_init_session(struct session2_op *sop, const char *type, const char *name,
468 struct ocf_session *ses)
473 if (ioctl(fd, CIOCGSESSION2, sop) < 0) {
474 warn("cryptodev %s %s not supported for device %s",
475 type, name, crfind(sop->crid));
481 ses->crid = sop->crid;
486 ocf_destroy_session(struct ocf_session *ses)
491 if (ioctl(ses->fd, CIOCFSESSION, &ses->ses) < 0)
492 warn("ioctl(CIOCFSESSION)");
496 ocf_init_cop(const struct ocf_session *ses, struct crypt_op *cop)
498 memset(cop, 0, sizeof(*cop));
503 ocf_init_caead(const struct ocf_session *ses, struct crypt_aead *caead)
505 memset(caead, 0, sizeof(*caead));
506 caead->ses = ses->ses;
510 ocf_hash(const struct alg *alg, const char *buffer, size_t size, char *digest,
513 struct ocf_session ses;
514 struct session2_op sop;
519 if (!ocf_init_session(&sop, "HASH", alg->name, &ses))
522 ocf_init_cop(&ses, &cop);
528 if (ioctl(ses.fd, CIOCCRYPT, &cop) < 0) {
529 warn("cryptodev %s (%zu) HASH failed for device %s", alg->name,
530 size, crfind(ses.crid));
531 ocf_destroy_session(&ses);
536 ocf_destroy_session(&ses);
541 openssl_hash(const struct alg *alg, const EVP_MD *md, const void *buffer,
542 size_t size, void *digest_out, unsigned *digest_sz_out)
550 mdctx = EVP_MD_CTX_create();
554 rc = EVP_DigestInit_ex(mdctx, md, NULL);
558 rc = EVP_DigestUpdate(mdctx, buffer, size);
562 rc = EVP_DigestFinal_ex(mdctx, digest_out, digest_sz_out);
566 EVP_MD_CTX_destroy(mdctx);
570 errx(1, "OpenSSL %s HASH failed%s: %s", alg->name, errs,
571 ERR_error_string(ERR_get_error(), NULL));
575 run_hash_test(const struct alg *alg, size_t size)
581 char control_digest[EVP_MAX_MD_SIZE], test_digest[EVP_MAX_MD_SIZE];
583 memset(control_digest, 0x3c, sizeof(control_digest));
584 memset(test_digest, 0x3c, sizeof(test_digest));
587 assert((size_t)EVP_MD_size(md) <= sizeof(control_digest));
589 buffer = alloc_buffer(size);
592 digest_len = sizeof(control_digest);
593 openssl_hash(alg, md, buffer, size, control_digest, &digest_len);
595 /* cryptodev HASH. */
596 if (!ocf_hash(alg, buffer, size, test_digest, &crid))
598 if (memcmp(control_digest, test_digest, sizeof(control_digest)) != 0) {
599 if (memcmp(control_digest, test_digest, EVP_MD_size(md)) == 0)
600 printf("%s (%zu) mismatch in trailer:\n",
603 printf("%s (%zu) mismatch:\n", alg->name, size);
604 printf("control:\n");
605 hexdump(control_digest, sizeof(control_digest), NULL, 0);
606 printf("test (cryptodev device %s):\n", crfind(crid));
607 hexdump(test_digest, sizeof(test_digest), NULL, 0);
612 printf("%s (%zu) matched (cryptodev device %s)\n",
613 alg->name, size, crfind(crid));
620 ocf_hmac(const struct alg *alg, const char *buffer, size_t size,
621 const char *key, size_t key_len, char *digest, int *cridp)
623 struct ocf_session ses;
624 struct session2_op sop;
628 sop.mackeylen = key_len;
631 if (!ocf_init_session(&sop, "HMAC", alg->name, &ses))
634 ocf_init_cop(&ses, &cop);
640 if (ioctl(ses.fd, CIOCCRYPT, &cop) < 0) {
641 warn("cryptodev %s (%zu) HMAC failed for device %s", alg->name,
642 size, crfind(ses.crid));
643 ocf_destroy_session(&ses);
648 ocf_destroy_session(&ses);
653 run_hmac_test(const struct alg *alg, size_t size)
657 u_int key_len, digest_len;
659 char control_digest[EVP_MAX_MD_SIZE], test_digest[EVP_MAX_MD_SIZE];
661 memset(control_digest, 0x3c, sizeof(control_digest));
662 memset(test_digest, 0x3c, sizeof(test_digest));
665 key_len = EVP_MD_size(md);
666 assert((size_t)EVP_MD_size(md) <= sizeof(control_digest));
668 key = alloc_buffer(key_len);
669 buffer = alloc_buffer(size);
672 digest_len = sizeof(control_digest);
673 if (HMAC(md, key, key_len, (u_char *)buffer, size,
674 (u_char *)control_digest, &digest_len) == NULL)
675 errx(1, "OpenSSL %s (%zu) HMAC failed: %s", alg->name,
676 size, ERR_error_string(ERR_get_error(), NULL));
678 /* cryptodev HMAC. */
679 if (!ocf_hmac(alg, buffer, size, key, key_len, test_digest, &crid))
681 if (memcmp(control_digest, test_digest, sizeof(control_digest)) != 0) {
682 if (memcmp(control_digest, test_digest, EVP_MD_size(md)) == 0)
683 printf("%s (%zu) mismatch in trailer:\n",
686 printf("%s (%zu) mismatch:\n", alg->name, size);
687 printf("control:\n");
688 hexdump(control_digest, sizeof(control_digest), NULL, 0);
689 printf("test (cryptodev device %s):\n", crfind(crid));
690 hexdump(test_digest, sizeof(test_digest), NULL, 0);
695 printf("%s (%zu) matched (cryptodev device %s)\n",
696 alg->name, size, crfind(crid));
704 openssl_cipher(const struct alg *alg, const EVP_CIPHER *cipher, const char *key,
705 const char *iv, const char *input, char *output, size_t size, int enc)
710 ctx = EVP_CIPHER_CTX_new();
712 errx(1, "OpenSSL %s (%zu) ctx new failed: %s", alg->name,
713 size, ERR_error_string(ERR_get_error(), NULL));
714 if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key,
715 (const u_char *)iv, enc) != 1)
716 errx(1, "OpenSSL %s (%zu) ctx init failed: %s", alg->name,
717 size, ERR_error_string(ERR_get_error(), NULL));
718 EVP_CIPHER_CTX_set_padding(ctx, 0);
719 if (EVP_CipherUpdate(ctx, (u_char *)output, &outl,
720 (const u_char *)input, size) != 1)
721 errx(1, "OpenSSL %s (%zu) cipher update failed: %s", alg->name,
722 size, ERR_error_string(ERR_get_error(), NULL));
724 if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1)
725 errx(1, "OpenSSL %s (%zu) cipher final failed: %s", alg->name,
726 size, ERR_error_string(ERR_get_error(), NULL));
728 if ((size_t)total != size)
729 errx(1, "OpenSSL %s (%zu) cipher size mismatch: %d", alg->name,
731 EVP_CIPHER_CTX_free(ctx);
735 ocf_init_cipher_session(const struct alg *alg, const char *key, size_t key_len,
736 struct ocf_session *ses)
738 struct session2_op sop;
741 sop.keylen = key_len;
743 sop.cipher = alg->cipher;
744 return (ocf_init_session(&sop, "cipher", alg->name, ses));
748 ocf_cipher(const struct ocf_session *ses, const struct alg *alg, const char *iv,
749 const char *input, char *output, size_t size, int op)
753 ocf_init_cop(ses, &cop);
760 if (ioctl(ses->fd, CIOCCRYPT, &cop) < 0) {
761 warn("cryptodev %s (%zu) cipher failed for device %s",
762 alg->name, size, crfind(ses->crid));
770 run_cipher_test(const struct alg *alg, size_t size)
772 struct ocf_session ses;
773 const EVP_CIPHER *cipher;
774 char *buffer, *cleartext, *ciphertext;
776 u_int iv_len, key_len;
778 cipher = alg->evp_cipher();
779 if (size % EVP_CIPHER_block_size(cipher) != 0) {
782 "%s (%zu): invalid buffer size (block size %d)\n",
783 alg->name, size, EVP_CIPHER_block_size(cipher));
788 * XTS requires at least one full block so that any partial
789 * block at the end has cipher text to steal. Hardcoding the
790 * AES block size isn't ideal, but OpenSSL doesn't have a
791 * notion of a "native" block size.
793 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE &&
794 size < AES_BLOCK_LEN) {
796 printf("%s (%zu): invalid buffer size\n", alg->name,
801 key_len = EVP_CIPHER_key_length(cipher);
802 iv_len = EVP_CIPHER_iv_length(cipher);
804 key = alloc_buffer(key_len);
805 iv = generate_iv(iv_len, alg);
806 cleartext = alloc_buffer(size);
807 buffer = malloc(size);
808 ciphertext = malloc(size);
810 /* OpenSSL cipher. */
811 openssl_cipher(alg, cipher, key, iv, cleartext, ciphertext, size, 1);
812 if (size > 0 && memcmp(cleartext, ciphertext, size) == 0)
813 warnx("OpenSSL %s (%zu): cipher text unchanged", alg->name,
815 openssl_cipher(alg, cipher, key, iv, ciphertext, buffer, size, 0);
816 if (memcmp(cleartext, buffer, size) != 0) {
817 printf("OpenSSL %s (%zu): cipher mismatch:", alg->name, size);
818 printf("original:\n");
819 hexdump(cleartext, size, NULL, 0);
820 printf("decrypted:\n");
821 hexdump(buffer, size, NULL, 0);
825 if (!ocf_init_cipher_session(alg, key, key_len, &ses))
829 if (!ocf_cipher(&ses, alg, iv, cleartext, buffer, size, COP_ENCRYPT))
831 if (memcmp(ciphertext, buffer, size) != 0) {
832 printf("%s (%zu) encryption mismatch:\n", alg->name, size);
833 printf("control:\n");
834 hexdump(ciphertext, size, NULL, 0);
835 printf("test (cryptodev device %s):\n", crfind(ses.crid));
836 hexdump(buffer, size, NULL, 0);
841 if (!ocf_cipher(&ses, alg, iv, ciphertext, buffer, size, COP_DECRYPT))
843 if (memcmp(cleartext, buffer, size) != 0) {
844 printf("%s (%zu) decryption mismatch:\n", alg->name, size);
845 printf("control:\n");
846 hexdump(cleartext, size, NULL, 0);
847 printf("test (cryptodev device %s):\n", crfind(ses.crid));
848 hexdump(buffer, size, NULL, 0);
853 printf("%s (%zu) matched (cryptodev device %s)\n",
854 alg->name, size, crfind(ses.crid));
857 ocf_destroy_session(&ses);
866 ocf_init_eta_session(const struct alg *alg, const char *cipher_key,
867 size_t cipher_key_len, const char *auth_key, size_t auth_key_len,
868 struct ocf_session *ses)
870 struct session2_op sop;
873 sop.keylen = cipher_key_len;
874 sop.key = cipher_key;
875 sop.cipher = alg->cipher;
876 sop.mackeylen = auth_key_len;
877 sop.mackey = auth_key;
879 return (ocf_init_session(&sop, "ETA", alg->name, ses));
883 ocf_eta(const struct ocf_session *ses, const char *iv, size_t iv_len,
884 const char *aad, size_t aad_len, const char *input, char *output,
885 size_t size, char *digest, int op)
890 struct crypt_aead caead;
892 ocf_init_caead(ses, &caead);
895 caead.aadlen = aad_len;
896 caead.ivlen = iv_len;
903 ret = ioctl(ses->fd, CIOCCRYPTAEAD, &caead);
907 ocf_init_cop(ses, &cop);
915 ret = ioctl(ses->fd, CIOCCRYPT, &cop);
924 run_eta_test(const struct alg *alg, size_t aad_len, size_t size)
926 struct ocf_session ses;
927 const EVP_CIPHER *cipher;
929 char *buffer, *cleartext, *ciphertext;
930 char *iv, *auth_key, *cipher_key;
931 u_int iv_len, auth_key_len, cipher_key_len, digest_len;
933 char control_digest[EVP_MAX_MD_SIZE], test_digest[EVP_MAX_MD_SIZE];
935 cipher = alg->evp_cipher();
936 if (size % EVP_CIPHER_block_size(cipher) != 0) {
939 "%s (%zu, %zu): invalid buffer size (block size %d)\n",
940 alg->name, aad_len, size,
941 EVP_CIPHER_block_size(cipher));
945 /* See comment in run_cipher_test. */
946 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE &&
947 size < AES_BLOCK_LEN) {
949 printf("%s (%zu): invalid buffer size\n", alg->name,
954 memset(control_digest, 0x3c, sizeof(control_digest));
955 memset(test_digest, 0x3c, sizeof(test_digest));
959 cipher_key_len = EVP_CIPHER_key_length(cipher);
960 iv_len = EVP_CIPHER_iv_length(cipher);
961 auth_key_len = EVP_MD_size(md);
963 cipher_key = alloc_buffer(cipher_key_len);
964 iv = generate_iv(iv_len, alg);
965 auth_key = alloc_buffer(auth_key_len);
966 cleartext = alloc_buffer(aad_len + size);
967 buffer = malloc(aad_len + size);
968 ciphertext = malloc(aad_len + size);
970 /* OpenSSL encrypt + HMAC. */
972 memcpy(ciphertext, cleartext, aad_len);
973 openssl_cipher(alg, cipher, cipher_key, iv, cleartext + aad_len,
974 ciphertext + aad_len, size, 1);
975 if (size > 0 && memcmp(cleartext + aad_len, ciphertext + aad_len,
977 warnx("OpenSSL %s (%zu, %zu): cipher text unchanged",
978 alg->name, aad_len, size);
979 digest_len = sizeof(control_digest);
980 if (HMAC(md, auth_key, auth_key_len, (u_char *)ciphertext,
981 aad_len + size, (u_char *)control_digest, &digest_len) == NULL)
982 errx(1, "OpenSSL %s (%zu, %zu) HMAC failed: %s", alg->name,
983 aad_len, size, ERR_error_string(ERR_get_error(), NULL));
985 if (!ocf_init_eta_session(alg, cipher_key, cipher_key_len, auth_key,
989 /* OCF encrypt + HMAC. */
990 error = ocf_eta(&ses, iv, iv_len, aad_len != 0 ? cleartext : NULL,
991 aad_len, cleartext + aad_len, buffer + aad_len, size, test_digest,
994 warnc(error, "cryptodev %s (%zu, %zu) ETA failed for device %s",
995 alg->name, aad_len, size, crfind(ses.crid));
998 if (memcmp(ciphertext + aad_len, buffer + aad_len, size) != 0) {
999 printf("%s (%zu, %zu) encryption mismatch:\n", alg->name,
1001 printf("control:\n");
1002 hexdump(ciphertext + aad_len, size, NULL, 0);
1003 printf("test (cryptodev device %s):\n", crfind(ses.crid));
1004 hexdump(buffer + aad_len, size, NULL, 0);
1007 if (memcmp(control_digest, test_digest, sizeof(control_digest)) != 0) {
1008 if (memcmp(control_digest, test_digest, EVP_MD_size(md)) == 0)
1009 printf("%s (%zu, %zu) enc hash mismatch in trailer:\n",
1010 alg->name, aad_len, size);
1012 printf("%s (%zu, %zu) enc hash mismatch:\n", alg->name,
1014 printf("control:\n");
1015 hexdump(control_digest, sizeof(control_digest), NULL, 0);
1016 printf("test (cryptodev device %s):\n", crfind(ses.crid));
1017 hexdump(test_digest, sizeof(test_digest), NULL, 0);
1021 /* OCF HMAC + decrypt. */
1022 error = ocf_eta(&ses, iv, iv_len, aad_len != 0 ? ciphertext : NULL,
1023 aad_len, ciphertext + aad_len, buffer + aad_len, size, test_digest,
1026 warnc(error, "cryptodev %s (%zu, %zu) ETA failed for device %s",
1027 alg->name, aad_len, size, crfind(ses.crid));
1030 if (memcmp(cleartext + aad_len, buffer + aad_len, size) != 0) {
1031 printf("%s (%zu, %zu) decryption mismatch:\n", alg->name,
1033 printf("control:\n");
1034 hexdump(cleartext, size, NULL, 0);
1035 printf("test (cryptodev device %s):\n", crfind(ses.crid));
1036 hexdump(buffer, size, NULL, 0);
1040 /* Verify OCF HMAC + decrypt fails with busted MAC. */
1041 test_digest[0] ^= 0x1;
1042 error = ocf_eta(&ses, iv, iv_len, aad_len != 0 ? ciphertext : NULL,
1043 aad_len, ciphertext + aad_len, buffer + aad_len, size, test_digest,
1045 if (error != EBADMSG) {
1048 "cryptodev %s (%zu, %zu) corrupt tag failed for device %s",
1049 alg->name, aad_len, size, crfind(ses.crid));
1052 "cryptodev %s (%zu, %zu) corrupt tag didn't fail for device %s",
1053 alg->name, aad_len, size, crfind(ses.crid));
1058 printf("%s (%zu, %zu) matched (cryptodev device %s)\n",
1059 alg->name, aad_len, size, crfind(ses.crid));
1062 ocf_destroy_session(&ses);
1072 openssl_gmac(const struct alg *alg, const EVP_CIPHER *cipher, const char *key,
1073 const char *iv, const char *input, size_t size, char *tag)
1075 EVP_CIPHER_CTX *ctx;
1078 ctx = EVP_CIPHER_CTX_new();
1080 errx(1, "OpenSSL %s (%zu) ctx new failed: %s", alg->name,
1081 size, ERR_error_string(ERR_get_error(), NULL));
1082 if (EVP_EncryptInit_ex(ctx, cipher, NULL, (const u_char *)key,
1083 (const u_char *)iv) != 1)
1084 errx(1, "OpenSSL %s (%zu) ctx init failed: %s", alg->name,
1085 size, ERR_error_string(ERR_get_error(), NULL));
1086 EVP_CIPHER_CTX_set_padding(ctx, 0);
1087 if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)input,
1089 errx(1, "OpenSSL %s (%zu) update failed: %s",
1090 alg->name, size, ERR_error_string(ERR_get_error(), NULL));
1091 if (EVP_EncryptFinal_ex(ctx, NULL, &outl) != 1)
1092 errx(1, "OpenSSL %s (%zu) final failed: %s", alg->name,
1093 size, ERR_error_string(ERR_get_error(), NULL));
1094 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, alg->tag_len,
1096 errx(1, "OpenSSL %s (%zu) get tag failed: %s", alg->name,
1097 size, ERR_error_string(ERR_get_error(), NULL));
1098 EVP_CIPHER_CTX_free(ctx);
1102 ocf_mac(const struct alg *alg, const char *input, size_t size, const char *key,
1103 size_t key_len, const char *iv, char *tag, int *cridp)
1105 struct ocf_session ses;
1106 struct session2_op sop;
1107 struct crypt_op cop;
1110 sop.mackeylen = key_len;
1113 if (!ocf_init_session(&sop, "MAC", alg->name, &ses))
1116 ocf_init_cop(&ses, &cop);
1123 if (ioctl(ses.fd, CIOCCRYPT, &cop) < 0) {
1124 warn("cryptodev %s (%zu) failed for device %s", alg->name,
1125 size, crfind(ses.crid));
1126 ocf_destroy_session(&ses);
1131 ocf_destroy_session(&ses);
1136 run_gmac_test(const struct alg *alg, size_t size)
1138 const EVP_CIPHER *cipher;
1139 char *iv, *key, *buffer;
1140 u_int iv_len, key_len;
1142 char control_tag[AES_GMAC_HASH_LEN], test_tag[AES_GMAC_HASH_LEN];
1144 cipher = alg->evp_cipher();
1146 memset(control_tag, 0x3c, sizeof(control_tag));
1147 memset(test_tag, 0x3c, sizeof(test_tag));
1149 key_len = EVP_CIPHER_key_length(cipher);
1150 iv_len = EVP_CIPHER_iv_length(cipher);
1152 key = alloc_buffer(key_len);
1153 iv = generate_iv(iv_len, alg);
1154 buffer = alloc_buffer(size);
1157 openssl_gmac(alg, cipher, key, iv, buffer, size, control_tag);
1160 if (!ocf_mac(alg, buffer, size, key, key_len, iv, test_tag, &crid))
1162 if (memcmp(control_tag, test_tag, sizeof(control_tag)) != 0) {
1163 printf("%s (%zu) mismatch:\n", alg->name, size);
1164 printf("control:\n");
1165 hexdump(control_tag, sizeof(control_tag), NULL, 0);
1166 printf("test (cryptodev device %s):\n", crfind(crid));
1167 hexdump(test_tag, sizeof(test_tag), NULL, 0);
1172 printf("%s (%zu) matched (cryptodev device %s)\n",
1173 alg->name, size, crfind(crid));
1182 openssl_digest(const struct alg *alg, const char *key, u_int key_len,
1183 const char *input, size_t size, char *tag, u_int tag_len)
1189 pkey = EVP_PKEY_new_raw_private_key(alg->pkey, NULL, key, key_len);
1191 errx(1, "OpenSSL %s (%zu) pkey new failed: %s", alg->name,
1192 size, ERR_error_string(ERR_get_error(), NULL));
1193 mdctx = EVP_MD_CTX_new();
1195 errx(1, "OpenSSL %s (%zu) ctx new failed: %s", alg->name,
1196 size, ERR_error_string(ERR_get_error(), NULL));
1197 if (EVP_DigestSignInit(mdctx, NULL, NULL, NULL, pkey) != 1)
1198 errx(1, "OpenSSL %s (%zu) digest sign init failed: %s",
1199 alg->name, size, ERR_error_string(ERR_get_error(), NULL));
1200 if (EVP_DigestSignUpdate(mdctx, input, size) != 1)
1201 errx(1, "OpenSSL %s (%zu) digest update failed: %s", alg->name,
1202 size, ERR_error_string(ERR_get_error(), NULL));
1204 if (EVP_DigestSignFinal(mdctx, tag, &len) != 1)
1205 errx(1, "OpenSSL %s (%zu) digest final failed: %s", alg->name,
1206 size, ERR_error_string(ERR_get_error(), NULL));
1207 EVP_MD_CTX_free(mdctx);
1208 EVP_PKEY_free(pkey);
1212 run_digest_test(const struct alg *alg, size_t size)
1217 char control_tag[EVP_MAX_MD_SIZE], test_tag[EVP_MAX_MD_SIZE];
1219 memset(control_tag, 0x3c, sizeof(control_tag));
1220 memset(test_tag, 0x3c, sizeof(test_tag));
1222 key_len = alg->key_len;
1224 key = alloc_buffer(key_len);
1225 buffer = alloc_buffer(size);
1227 /* OpenSSL Poly1305. */
1228 openssl_digest(alg, key, key_len, buffer, size, control_tag,
1229 sizeof(control_tag));
1232 if (!ocf_mac(alg, buffer, size, key, key_len, NULL, test_tag, &crid))
1234 if (memcmp(control_tag, test_tag, sizeof(control_tag)) != 0) {
1235 printf("%s (%zu) mismatch:\n", alg->name, size);
1236 printf("control:\n");
1237 hexdump(control_tag, sizeof(control_tag), NULL, 0);
1238 printf("test (cryptodev device %s):\n", crfind(crid));
1239 hexdump(test_tag, sizeof(test_tag), NULL, 0);
1244 printf("%s (%zu) matched (cryptodev device %s)\n",
1245 alg->name, size, crfind(crid));
1253 openssl_aead_encrypt(const struct alg *alg, const EVP_CIPHER *cipher,
1254 const char *key, const char *iv, size_t iv_len, const char *aad,
1255 size_t aad_len, const char *input, char *output, size_t size, char *tag)
1257 EVP_CIPHER_CTX *ctx;
1260 ctx = EVP_CIPHER_CTX_new();
1262 errx(1, "OpenSSL %s (%zu) ctx new failed: %s", alg->name,
1263 size, ERR_error_string(ERR_get_error(), NULL));
1264 if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1)
1265 errx(1, "OpenSSL %s (%zu) ctx init failed: %s", alg->name,
1266 size, ERR_error_string(ERR_get_error(), NULL));
1267 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, iv_len, NULL) != 1)
1268 errx(1, "OpenSSL %s (%zu) setting iv length failed: %s", alg->name,
1269 size, ERR_error_string(ERR_get_error(), NULL));
1270 if (EVP_EncryptInit_ex(ctx, NULL, NULL, (const u_char *)key,
1271 (const u_char *)iv) != 1)
1272 errx(1, "OpenSSL %s (%zu) ctx init failed: %s", alg->name,
1273 size, ERR_error_string(ERR_get_error(), NULL));
1274 EVP_CIPHER_CTX_set_padding(ctx, 0);
1276 if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)aad,
1278 errx(1, "OpenSSL %s (%zu) aad update failed: %s",
1280 ERR_error_string(ERR_get_error(), NULL));
1282 if (EVP_EncryptUpdate(ctx, (u_char *)output, &outl,
1283 (const u_char *)input, size) != 1)
1284 errx(1, "OpenSSL %s (%zu) encrypt update failed: %s", alg->name,
1285 size, ERR_error_string(ERR_get_error(), NULL));
1287 if (EVP_EncryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1)
1288 errx(1, "OpenSSL %s (%zu) encrypt final failed: %s", alg->name,
1289 size, ERR_error_string(ERR_get_error(), NULL));
1291 if ((size_t)total != size)
1292 errx(1, "OpenSSL %s (%zu) encrypt size mismatch: %d", alg->name,
1294 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, alg->tag_len,
1296 errx(1, "OpenSSL %s (%zu) get tag failed: %s", alg->name,
1297 size, ERR_error_string(ERR_get_error(), NULL));
1298 EVP_CIPHER_CTX_free(ctx);
1303 openssl_aead_decrypt(const struct alg *alg, const EVP_CIPHER *cipher,
1304 const char *key, const char *iv, const char *aad, size_t aad_len,
1305 const char *input, char *output, size_t size, char *tag)
1307 EVP_CIPHER_CTX *ctx;
1311 ctx = EVP_CIPHER_CTX_new();
1313 errx(1, "OpenSSL %s (%zu) ctx new failed: %s", alg->name,
1314 size, ERR_error_string(ERR_get_error(), NULL));
1315 if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key,
1316 (const u_char *)iv) != 1)
1317 errx(1, "OpenSSL %s (%zu) ctx init failed: %s", alg->name,
1318 size, ERR_error_string(ERR_get_error(), NULL));
1319 EVP_CIPHER_CTX_set_padding(ctx, 0);
1321 if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad,
1323 errx(1, "OpenSSL %s (%zu) aad update failed: %s",
1325 ERR_error_string(ERR_get_error(), NULL));
1327 if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl,
1328 (const u_char *)input, size) != 1)
1329 errx(1, "OpenSSL %s (%zu) decrypt update failed: %s", alg->name,
1330 size, ERR_error_string(ERR_get_error(), NULL));
1332 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, alg->tag_len,
1334 errx(1, "OpenSSL %s (%zu) get tag failed: %s", alg->name,
1335 size, ERR_error_string(ERR_get_error(), NULL));
1336 valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1);
1339 errx(1, "OpenSSL %s (%zu) decrypt size mismatch: %d", alg->name,
1341 EVP_CIPHER_CTX_free(ctx);
1347 openssl_ccm_encrypt(const struct alg *alg, const EVP_CIPHER *cipher,
1348 const char *key, const char *iv, size_t iv_len, const char *aad,
1349 size_t aad_len, const char *input, char *output, size_t size, char *tag)
1351 EVP_CIPHER_CTX *ctx;
1354 ctx = EVP_CIPHER_CTX_new();
1356 errx(1, "OpenSSL %s/%zu (%zu, %zu) ctx new failed: %s",
1357 alg->name, iv_len, aad_len, size,
1358 ERR_error_string(ERR_get_error(), NULL));
1359 if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1)
1360 errx(1, "OpenSSL %s/%zu (%zu, %zu) ctx init failed: %s",
1361 alg->name, iv_len, aad_len, size,
1362 ERR_error_string(ERR_get_error(), NULL));
1363 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, iv_len, NULL) != 1)
1365 "OpenSSL %s/%zu (%zu, %zu) setting iv length failed: %s",
1366 alg->name, iv_len, aad_len, size,
1367 ERR_error_string(ERR_get_error(), NULL));
1368 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, AES_CBC_MAC_HASH_LEN, NULL) != 1)
1370 "OpenSSL %s/%zu (%zu, %zu) setting tag length failed: %s",
1371 alg->name, iv_len, aad_len, size,
1372 ERR_error_string(ERR_get_error(), NULL));
1373 if (EVP_EncryptInit_ex(ctx, NULL, NULL, (const u_char *)key,
1374 (const u_char *)iv) != 1)
1375 errx(1, "OpenSSL %s/%zu (%zu, %zu) ctx init failed: %s",
1376 alg->name, iv_len, aad_len, size,
1377 ERR_error_string(ERR_get_error(), NULL));
1378 if (EVP_EncryptUpdate(ctx, NULL, &outl, NULL, size) != 1)
1380 "OpenSSL %s/%zu (%zu, %zu) unable to set data length: %s",
1381 alg->name, iv_len, aad_len, size,
1382 ERR_error_string(ERR_get_error(), NULL));
1385 if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)aad,
1388 "OpenSSL %s/%zu (%zu, %zu) aad update failed: %s",
1389 alg->name, iv_len, aad_len, size,
1390 ERR_error_string(ERR_get_error(), NULL));
1392 if (EVP_EncryptUpdate(ctx, (u_char *)output, &outl,
1393 (const u_char *)input, size) != 1)
1394 errx(1, "OpenSSL %s/%zu (%zu, %zu) encrypt update failed: %s",
1395 alg->name, iv_len, aad_len, size,
1396 ERR_error_string(ERR_get_error(), NULL));
1398 if (EVP_EncryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1)
1399 errx(1, "OpenSSL %s/%zu (%zu, %zu) encrypt final failed: %s",
1400 alg->name, iv_len, aad_len, size,
1401 ERR_error_string(ERR_get_error(), NULL));
1403 if ((size_t)total != size)
1404 errx(1, "OpenSSL %s/%zu (%zu, %zu) encrypt size mismatch: %d",
1405 alg->name, iv_len, aad_len, size, total);
1406 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, AES_CBC_MAC_HASH_LEN,
1408 errx(1, "OpenSSL %s/%zu (%zu, %zu) get tag failed: %s",
1409 alg->name, iv_len, aad_len, size,
1410 ERR_error_string(ERR_get_error(), NULL));
1411 EVP_CIPHER_CTX_free(ctx);
1415 ocf_init_aead_session(const struct alg *alg, const char *key, size_t key_len,
1416 size_t iv_len, struct ocf_session *ses)
1418 struct session2_op sop;
1421 sop.keylen = key_len;
1423 sop.cipher = alg->cipher;
1425 return (ocf_init_session(&sop, "AEAD", alg->name, ses));
1429 ocf_aead(const struct ocf_session *ses, const char *iv, size_t iv_len,
1430 const char *aad, size_t aad_len, const char *input, char *output,
1431 size_t size, char *tag, int op)
1433 struct crypt_aead caead;
1435 ocf_init_caead(ses, &caead);
1438 caead.aadlen = aad_len;
1439 caead.ivlen = iv_len;
1446 if (ioctl(ses->fd, CIOCCRYPTAEAD, &caead) < 0)
1451 #define AEAD_MAX_TAG_LEN \
1452 MAX(MAX(AES_GMAC_HASH_LEN, AES_CBC_MAC_HASH_LEN), POLY1305_HASH_LEN)
1455 max_ccm_buffer_length(size_t iv_len)
1457 const u_int L = 15 - iv_len;
1466 return (0xffffffff);
1468 return (0xffffffffff);
1470 return (0xffffffffffff);
1472 return (0xffffffffffffff);
1474 return (0xffffffffffffffff);
1477 return (0xffffffff);
1483 run_aead_test(const struct alg *alg, size_t aad_len, size_t size,
1486 struct ocf_session ses;
1487 const EVP_CIPHER *cipher;
1488 char *aad, *buffer, *cleartext, *ciphertext;
1492 char control_tag[AEAD_MAX_TAG_LEN], test_tag[AEAD_MAX_TAG_LEN];
1494 cipher = alg->evp_cipher();
1495 if (size % EVP_CIPHER_block_size(cipher) != 0) {
1498 "%s/%zu (%zu, %zu): invalid buffer size (block size %d)\n",
1499 alg->name, iv_len, aad_len, size,
1500 EVP_CIPHER_block_size(cipher));
1504 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE &&
1505 size > max_ccm_buffer_length(iv_len)) {
1507 printf("%s/%zu (%zu, %zu): invalid buffer size\n",
1508 alg->name, iv_len, aad_len, size);
1512 memset(control_tag, 0x3c, sizeof(control_tag));
1513 memset(test_tag, 0x3c, sizeof(test_tag));
1515 key_len = EVP_CIPHER_key_length(cipher);
1517 key = alloc_buffer(key_len);
1518 iv = generate_iv(iv_len, alg);
1519 cleartext = alloc_buffer(size);
1520 buffer = malloc(size);
1521 ciphertext = malloc(size);
1523 aad = alloc_buffer(aad_len);
1527 /* OpenSSL encrypt */
1528 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE)
1529 openssl_ccm_encrypt(alg, cipher, key, iv, iv_len, aad,
1530 aad_len, cleartext, ciphertext, size, control_tag);
1532 openssl_aead_encrypt(alg, cipher, key, iv, iv_len, aad,
1533 aad_len, cleartext, ciphertext, size, control_tag);
1535 if (!ocf_init_aead_session(alg, key, key_len, iv_len, &ses))
1539 error = ocf_aead(&ses, iv, iv_len, aad, aad_len, cleartext, buffer,
1540 size, test_tag, COP_ENCRYPT);
1542 warnc(error, "cryptodev %s/%zu (%zu, %zu) failed for device %s",
1543 alg->name, iv_len, aad_len, size, crfind(ses.crid));
1546 if (memcmp(ciphertext, buffer, size) != 0) {
1547 printf("%s/%zu (%zu, %zu) encryption mismatch:\n", alg->name,
1548 iv_len, aad_len, size);
1549 printf("control:\n");
1550 hexdump(ciphertext, size, NULL, 0);
1551 printf("test (cryptodev device %s):\n", crfind(ses.crid));
1552 hexdump(buffer, size, NULL, 0);
1555 if (memcmp(control_tag, test_tag, sizeof(control_tag)) != 0) {
1556 printf("%s/%zu (%zu, %zu) enc tag mismatch:\n", alg->name,
1557 iv_len, aad_len, size);
1558 printf("control:\n");
1559 hexdump(control_tag, sizeof(control_tag), NULL, 0);
1560 printf("test (cryptodev device %s):\n", crfind(ses.crid));
1561 hexdump(test_tag, sizeof(test_tag), NULL, 0);
1566 error = ocf_aead(&ses, iv, iv_len, aad, aad_len, ciphertext,
1567 buffer, size, control_tag, COP_DECRYPT);
1569 warnc(error, "cryptodev %s/%zu (%zu, %zu) failed for device %s",
1570 alg->name, iv_len, aad_len, size, crfind(ses.crid));
1573 if (memcmp(cleartext, buffer, size) != 0) {
1574 printf("%s/%zu (%zu, %zu) decryption mismatch:\n", alg->name,
1575 iv_len, aad_len, size);
1576 printf("control:\n");
1577 hexdump(cleartext, size, NULL, 0);
1578 printf("test (cryptodev device %s):\n", crfind(ses.crid));
1579 hexdump(buffer, size, NULL, 0);
1583 /* Verify OCF decrypt fails with busted tag. */
1585 error = ocf_aead(&ses, iv, iv_len, aad, aad_len, ciphertext,
1586 buffer, size, test_tag, COP_DECRYPT);
1587 if (error != EBADMSG) {
1590 "cryptodev %s/%zu (%zu, %zu) corrupt tag failed for device %s",
1591 alg->name, iv_len, aad_len, size, crfind(ses.crid));
1594 "cryptodev %s/%zu (%zu, %zu) corrupt tag didn't fail for device %s",
1595 alg->name, iv_len, aad_len, size, crfind(ses.crid));
1600 printf("%s/%zu (%zu, %zu) matched (cryptodev device %s)\n",
1601 alg->name, iv_len, aad_len, size, crfind(ses.crid));
1604 ocf_destroy_session(&ses);
1614 run_test(const struct alg *alg, size_t aad_len, size_t size, size_t iv_len)
1617 switch (alg->type) {
1619 run_hash_test(alg, size);
1622 run_hmac_test(alg, size);
1625 run_gmac_test(alg, size);
1628 run_digest_test(alg, size);
1631 run_cipher_test(alg, size);
1634 run_eta_test(alg, aad_len, size);
1637 run_aead_test(alg, aad_len, size, iv_len);
1643 run_test_sizes(const struct alg *alg)
1647 switch (alg->type) {
1649 for (i = 0; i < nsizes; i++)
1650 run_test(alg, 0, sizes[i], 0);
1653 for (i = 0; i < naad_sizes; i++)
1654 for (j = 0; j < nsizes; j++)
1655 run_test(alg, aad_sizes[i], sizes[j], 0);
1658 for (i = 0; i < naad_sizes; i++) {
1659 for (j = 0; j < nsizes; j++) {
1661 run_test(alg, aad_sizes[i], sizes[j],
1664 for (k = 0; alg->iv_sizes[k] != 0; k++)
1665 run_test(alg, aad_sizes[i],
1666 sizes[j], alg->iv_sizes[k]);
1668 run_test(alg, aad_sizes[i], sizes[j],
1677 run_hash_tests(void)
1681 for (i = 0; i < nitems(algs); i++)
1682 if (algs[i].type == T_HASH)
1683 run_test_sizes(&algs[i]);
1691 for (i = 0; i < nitems(algs); i++)
1692 if (algs[i].type == T_HMAC || algs[i].type == T_GMAC ||
1693 algs[i].type == T_DIGEST)
1694 run_test_sizes(&algs[i]);
1698 run_cipher_tests(void)
1702 for (i = 0; i < nitems(algs); i++)
1703 if (algs[i].type == T_CIPHER)
1704 run_test_sizes(&algs[i]);
1710 const struct alg *cipher, *mac;
1714 for (i = 0; i < nitems(algs); i++) {
1716 if (cipher->type != T_CIPHER)
1718 for (j = 0; j < nitems(algs); j++) {
1720 if (mac->type != T_HMAC)
1722 eta = build_eta(cipher, mac);
1723 run_test_sizes(eta);
1730 run_aead_tests(void)
1734 for (i = 0; i < nitems(algs); i++)
1735 if (algs[i].type == T_AEAD)
1736 run_test_sizes(&algs[i]);
1740 run_prefix_tests(const char *prefix)
1745 prefix_len = strlen(prefix);
1746 for (i = 0; i < nitems(algs); i++)
1747 if (strlen(algs[i].name) >= prefix_len &&
1748 memcmp(algs[i].name, prefix, prefix_len) == 0)
1749 run_test_sizes(&algs[i]);
1753 main(int ac, char **av)
1755 const char *algname;
1756 const struct alg *alg;
1764 requested_crid = CRYPTO_FLAG_HARDWARE;
1768 while ((ch = getopt(ac, av, "A:a:d:I:vz")) != -1)
1771 if (naad_sizes >= nitems(aad_sizes)) {
1772 warnx("Too many AAD sizes, ignoring extras");
1775 aad_sizes[naad_sizes] = strtol(optarg, &cp, 0);
1777 errx(1, "Bad AAD size %s", optarg);
1784 requested_crid = crlookup(optarg);
1787 iv_size = strtol(optarg, &cp, 0);
1789 errx(1, "Bad IV size %s", optarg);
1804 if (nsizes >= nitems(sizes)) {
1805 warnx("Too many sizes, ignoring extras");
1808 sizes[nsizes] = strtol(av[0], &cp, 0);
1810 errx(1, "Bad size %s", av[0]);
1816 if (algname == NULL)
1817 errx(1, "Algorithm required");
1819 if (naad_sizes == 0) {
1821 for (i = 0; i <= 32; i++) {
1822 aad_sizes[naad_sizes] = i;
1827 while (base_size * 2 < 512) {
1829 assert(naad_sizes < nitems(aad_sizes));
1830 aad_sizes[naad_sizes] = base_size;
1841 for (i = 1; i <= EALG_MAX_BLOCK_LEN; i++) {
1846 for (i = EALG_MAX_BLOCK_LEN + 8;
1847 i <= EALG_MAX_BLOCK_LEN * 2; i += 8) {
1852 base_size = EALG_MAX_BLOCK_LEN * 2;
1853 while (base_size * 2 < 240 * 1024) {
1855 assert(nsizes < nitems(sizes));
1856 sizes[nsizes] = base_size;
1860 if (sizes[nsizes - 1] < 240 * 1024) {
1861 assert(nsizes < nitems(sizes));
1862 sizes[nsizes] = 240 * 1024;
1871 if (strcasecmp(algname, "hash") == 0)
1873 else if (strcasecmp(algname, "mac") == 0)
1875 else if (strcasecmp(algname, "cipher") == 0)
1877 else if (strcasecmp(algname, "eta") == 0)
1879 else if (strcasecmp(algname, "aead") == 0)
1881 else if (strcasecmp(algname, "gmac") == 0 ||
1882 strcasecmp(algname, "aes-cbc") == 0 ||
1883 strcasecmp(algname, "aes-ctr") == 0 ||
1884 strcasecmp(algname, "aes-xts") == 0 ||
1885 strcasecmp(algname, "camellia-cbc") == 0 ||
1886 strcasecmp(algname, "aes-gcm") == 0 ||
1887 strcasecmp(algname, "aes-ccm") == 0)
1888 run_prefix_tests(algname);
1889 else if (strcasecmp(algname, "all") == 0) {
1895 } else if (strchr(algname, '+') != NULL) {
1896 eta = build_eta_name(algname);
1897 run_test_sizes(eta);
1900 alg = find_alg(algname);
1902 errx(1, "Invalid algorithm %s", algname);
1903 run_test_sizes(alg);