git: 3a7ae9ce6dce - stable/13 - cryptocheck: Add Chacha20-Poly1305 AEAD coverage.

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Thu, 21 Oct 2021 17:06:52 UTC
The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=3a7ae9ce6dcea8cc5beb0dc3284e1b50a60eff1e

commit 3a7ae9ce6dcea8cc5beb0dc3284e1b50a60eff1e
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-02-18 17:23:36 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-10-21 15:51:22 +0000

    cryptocheck: Add Chacha20-Poly1305 AEAD coverage.
    
    - Make openssl_gcm_encrypt generic to AEAD ciphers (aside from CCM)
      and use it for Chacha20-Poly1305.
    
    - Use generic AEAD control constants instead of GCM/CCM specific names.
    
    Reviewed by:    cem
    Sponsored by:   Netflix
    Differential Revision:  https://reviews.freebsd.org/D27838
    
    (cherry picked from commit 1bd9fc96d4e4a26bb0060698c07b6f13d19cd819)
---
 tools/tools/crypto/cryptocheck.c | 46 +++++++++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 19 deletions(-)

diff --git a/tools/tools/crypto/cryptocheck.c b/tools/tools/crypto/cryptocheck.c
index efb68f8966ef..fc08396b45f5 100644
--- a/tools/tools/crypto/cryptocheck.c
+++ b/tools/tools/crypto/cryptocheck.c
@@ -120,6 +120,7 @@
  *	aes-ccm		128-bit AES-CCM
  *	aes-ccm192	192-bit AES-CCM
  *	aes-ccm256	256-bit AES-CCM
+ *	chacha20-poly1305 Chacha20 (96 bit nonce) with Poly1305 per RFC 8439
  */
 
 #include <sys/param.h>
@@ -149,6 +150,7 @@ static const struct alg {
 	int cipher;
 	int mac;
 	enum { T_HASH, T_HMAC, T_GMAC, T_CIPHER, T_ETA, T_AEAD } type;
+	int tag_len;
 	const EVP_CIPHER *(*evp_cipher)(void);
 	const EVP_MD *(*evp_md)(void);
 } algs[] = {
@@ -177,11 +179,11 @@ static const struct alg {
 	{ .name = "blake2s", .mac = CRYPTO_BLAKE2S, .type = T_HASH,
 	  .evp_md = EVP_blake2s256 },
 	{ .name = "gmac", .mac = CRYPTO_AES_NIST_GMAC, .type = T_GMAC,
-	  .evp_cipher = EVP_aes_128_gcm },
+	  .tag_len = AES_GMAC_HASH_LEN, .evp_cipher = EVP_aes_128_gcm },
 	{ .name = "gmac192", .mac = CRYPTO_AES_NIST_GMAC, .type = T_GMAC,
-	  .evp_cipher = EVP_aes_192_gcm },
+	  .tag_len = AES_GMAC_HASH_LEN, .evp_cipher = EVP_aes_192_gcm },
 	{ .name = "gmac256", .mac = CRYPTO_AES_NIST_GMAC, .type = T_GMAC,
-	  .evp_cipher = EVP_aes_256_gcm },
+	  .tag_len = AES_GMAC_HASH_LEN, .evp_cipher = EVP_aes_256_gcm },
 	{ .name = "aes-cbc", .cipher = CRYPTO_AES_CBC, .type = T_CIPHER,
 	  .evp_cipher = EVP_aes_128_cbc },
 	{ .name = "aes-cbc192", .cipher = CRYPTO_AES_CBC, .type = T_CIPHER,
@@ -201,17 +203,22 @@ static const struct alg {
 	{ .name = "chacha20", .cipher = CRYPTO_CHACHA20, .type = T_CIPHER,
 	  .evp_cipher = EVP_chacha20 },
 	{ .name = "aes-gcm", .cipher = CRYPTO_AES_NIST_GCM_16, .type = T_AEAD,
-	  .evp_cipher = EVP_aes_128_gcm },
+	  .tag_len = AES_GMAC_HASH_LEN, .evp_cipher = EVP_aes_128_gcm },
 	{ .name = "aes-gcm192", .cipher = CRYPTO_AES_NIST_GCM_16,
-	  .type = T_AEAD, .evp_cipher = EVP_aes_192_gcm },
+	  .type = T_AEAD, .tag_len = AES_GMAC_HASH_LEN,
+	  .evp_cipher = EVP_aes_192_gcm },
 	{ .name = "aes-gcm256", .cipher = CRYPTO_AES_NIST_GCM_16,
-	  .type = T_AEAD, .evp_cipher = EVP_aes_256_gcm },
+	  .type = T_AEAD, .tag_len = AES_GMAC_HASH_LEN,
+	  .evp_cipher = EVP_aes_256_gcm },
 	{ .name = "aes-ccm", .cipher = CRYPTO_AES_CCM_16, .type = T_AEAD,
-	  .evp_cipher = EVP_aes_128_ccm },
+	  .evp_cipher = EVP_aes_128_ccm, .tag_len = AES_CBC_MAC_HASH_LEN },
 	{ .name = "aes-ccm192", .cipher = CRYPTO_AES_CCM_16, .type = T_AEAD,
-	  .evp_cipher = EVP_aes_192_ccm },
+	  .evp_cipher = EVP_aes_192_ccm, .tag_len = AES_CBC_MAC_HASH_LEN },
 	{ .name = "aes-ccm256", .cipher = CRYPTO_AES_CCM_16, .type = T_AEAD,
-	  .evp_cipher = EVP_aes_256_ccm },
+	  .evp_cipher = EVP_aes_256_ccm, .tag_len = AES_CBC_MAC_HASH_LEN },
+	{ .name = "chacha20-poly1305", .cipher = CRYPTO_CHACHA20_POLY1305,
+	  .type = T_AEAD, .tag_len = POLY1305_HASH_LEN,
+	  .evp_cipher = EVP_chacha20_poly1305 },
 };
 
 static bool verbose;
@@ -1046,7 +1053,7 @@ openssl_gmac(const struct alg *alg, const EVP_CIPHER *cipher, const char *key,
 	if (EVP_EncryptFinal_ex(ctx, NULL, &outl) != 1)
 		errx(1, "OpenSSL %s (%zu) final failed: %s", alg->name,
 		    size, ERR_error_string(ERR_get_error(), NULL));
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, AES_GMAC_HASH_LEN,
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, alg->tag_len,
 	    tag) != 1)
 		errx(1, "OpenSSL %s (%zu) get tag failed: %s", alg->name,
 		    size, ERR_error_string(ERR_get_error(), NULL));
@@ -1133,7 +1140,7 @@ out:
 }
 
 static void
-openssl_gcm_encrypt(const struct alg *alg, const EVP_CIPHER *cipher,
+openssl_aead_encrypt(const struct alg *alg, const EVP_CIPHER *cipher,
     const char *key, const char *iv, const char *aad, size_t aad_len,
     const char *input, char *output, size_t size, char *tag)
 {
@@ -1168,7 +1175,7 @@ openssl_gcm_encrypt(const struct alg *alg, const EVP_CIPHER *cipher,
 	if ((size_t)total != size)
 		errx(1, "OpenSSL %s (%zu) encrypt size mismatch: %d", alg->name,
 		    size, total);
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, AES_GMAC_HASH_LEN,
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, alg->tag_len,
 	    tag) != 1)
 		errx(1, "OpenSSL %s (%zu) get tag failed: %s", alg->name,
 		    size, ERR_error_string(ERR_get_error(), NULL));
@@ -1177,7 +1184,7 @@ openssl_gcm_encrypt(const struct alg *alg, const EVP_CIPHER *cipher,
 
 #ifdef notused
 static bool
-openssl_gcm_decrypt(const struct alg *alg, const EVP_CIPHER *cipher,
+openssl_aead_decrypt(const struct alg *alg, const EVP_CIPHER *cipher,
     const char *key, const char *iv, const char *aad, size_t aad_len,
     const char *input, char *output, size_t size, char *tag)
 {
@@ -1206,7 +1213,7 @@ openssl_gcm_decrypt(const struct alg *alg, const EVP_CIPHER *cipher,
 		errx(1, "OpenSSL %s (%zu) decrypt update failed: %s", alg->name,
 		    size, ERR_error_string(ERR_get_error(), NULL));
 	total = outl;
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, AES_GMAC_HASH_LEN,
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, alg->tag_len,
 	    tag) != 1)
 		errx(1, "OpenSSL %s (%zu) get tag failed: %s", alg->name,
 		    size, ERR_error_string(ERR_get_error(), NULL));
@@ -1235,10 +1242,10 @@ openssl_ccm_encrypt(const struct alg *alg, const EVP_CIPHER *cipher,
 	if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1)
 		errx(1, "OpenSSL %s (%zu) ctx init failed: %s", alg->name,
 		    size, ERR_error_string(ERR_get_error(), NULL));
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, iv_len, NULL) != 1)
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, iv_len, NULL) != 1)
 		errx(1, "OpenSSL %s (%zu) setting iv length failed: %s", alg->name,
 		    size, ERR_error_string(ERR_get_error(), NULL));
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, AES_CBC_MAC_HASH_LEN, NULL) != 1)
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, AES_CBC_MAC_HASH_LEN, NULL) != 1)
 		errx(1, "OpenSSL %s (%zu) setting tag length failed: %s", alg->name,
 		     size, ERR_error_string(ERR_get_error(), NULL));
 	if (EVP_EncryptInit_ex(ctx, NULL, NULL, (const u_char *)key,
@@ -1268,7 +1275,7 @@ openssl_ccm_encrypt(const struct alg *alg, const EVP_CIPHER *cipher,
 	if ((size_t)total != size)
 		errx(1, "OpenSSL %s (%zu) encrypt size mismatch: %d", alg->name,
 		    size, total);
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, AES_CBC_MAC_HASH_LEN,
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, AES_CBC_MAC_HASH_LEN,
 	    tag) != 1)
 		errx(1, "OpenSSL %s (%zu) get tag failed: %s", alg->name,
 		    size, ERR_error_string(ERR_get_error(), NULL));
@@ -1311,7 +1318,8 @@ ocf_aead(const struct ocf_session *ses, const char *iv, size_t iv_len,
 	return (0);
 }
 
-#define	AEAD_MAX_TAG_LEN	MAX(AES_GMAC_HASH_LEN, AES_CBC_MAC_HASH_LEN)
+#define	AEAD_MAX_TAG_LEN				\
+	MAX(MAX(AES_GMAC_HASH_LEN, AES_CBC_MAC_HASH_LEN), POLY1305_HASH_LEN)
 
 static void
 run_aead_test(const struct alg *alg, size_t aad_len, size_t size)
@@ -1368,7 +1376,7 @@ run_aead_test(const struct alg *alg, size_t aad_len, size_t size)
 		openssl_ccm_encrypt(alg, cipher, key, iv, iv_len, aad,
 		    aad_len, cleartext, ciphertext, size, control_tag);
 	else
-		openssl_gcm_encrypt(alg, cipher, key, iv, aad, aad_len,
+		openssl_aead_encrypt(alg, cipher, key, iv, aad, aad_len,
 		    cleartext, ciphertext, size, control_tag);
 
 	if (!ocf_init_aead_session(alg, key, key_len, &ses))