xref: /freebsd/sys/dev/wg/crypto.h (revision 744bfb213144c63cbaf38d91a1c4f7aebb9b9fbc) 
1*744bfb21SJohn Baldwin /* SPDX-License-Identifier: MIT
2*744bfb21SJohn Baldwin  *
3*744bfb21SJohn Baldwin  * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4*744bfb21SJohn Baldwin  * Copyright (c) 2022 The FreeBSD Foundation
5*744bfb21SJohn Baldwin  */
6*744bfb21SJohn Baldwin 
7*744bfb21SJohn Baldwin #ifndef _WG_CRYPTO
8*744bfb21SJohn Baldwin #define _WG_CRYPTO
9*744bfb21SJohn Baldwin 
10*744bfb21SJohn Baldwin #include <sys/param.h>
11*744bfb21SJohn Baldwin 
12*744bfb21SJohn Baldwin struct mbuf;
13*744bfb21SJohn Baldwin 
14*744bfb21SJohn Baldwin int crypto_init(void);
15*744bfb21SJohn Baldwin void crypto_deinit(void);
16*744bfb21SJohn Baldwin 
17*744bfb21SJohn Baldwin enum chacha20poly1305_lengths {
18*744bfb21SJohn Baldwin 	XCHACHA20POLY1305_NONCE_SIZE = 24,
19*744bfb21SJohn Baldwin 	CHACHA20POLY1305_KEY_SIZE = 32,
20*744bfb21SJohn Baldwin 	CHACHA20POLY1305_AUTHTAG_SIZE = 16
21*744bfb21SJohn Baldwin };
22*744bfb21SJohn Baldwin 
23*744bfb21SJohn Baldwin #ifdef COMPAT_NEED_CHACHA20POLY1305
24*744bfb21SJohn Baldwin void
25*744bfb21SJohn Baldwin chacha20poly1305_encrypt(uint8_t *dst, const uint8_t *src, const size_t src_len,
26*744bfb21SJohn Baldwin 			 const uint8_t *ad, const size_t ad_len,
27*744bfb21SJohn Baldwin 			 const uint64_t nonce,
28*744bfb21SJohn Baldwin 			 const uint8_t key[CHACHA20POLY1305_KEY_SIZE]);
29*744bfb21SJohn Baldwin 
30*744bfb21SJohn Baldwin bool
31*744bfb21SJohn Baldwin chacha20poly1305_decrypt(uint8_t *dst, const uint8_t *src, const size_t src_len,
32*744bfb21SJohn Baldwin 			 const uint8_t *ad, const size_t ad_len,
33*744bfb21SJohn Baldwin 			 const uint64_t nonce,
34*744bfb21SJohn Baldwin 			 const uint8_t key[CHACHA20POLY1305_KEY_SIZE]);
35*744bfb21SJohn Baldwin 
36*744bfb21SJohn Baldwin void
37*744bfb21SJohn Baldwin xchacha20poly1305_encrypt(uint8_t *dst, const uint8_t *src,
38*744bfb21SJohn Baldwin 			  const size_t src_len, const uint8_t *ad,
39*744bfb21SJohn Baldwin 			  const size_t ad_len,
40*744bfb21SJohn Baldwin 			  const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
41*744bfb21SJohn Baldwin 			  const uint8_t key[CHACHA20POLY1305_KEY_SIZE]);
42*744bfb21SJohn Baldwin 
43*744bfb21SJohn Baldwin bool
44*744bfb21SJohn Baldwin xchacha20poly1305_decrypt(uint8_t *dst, const uint8_t *src,
45*744bfb21SJohn Baldwin 			  const size_t src_len,  const uint8_t *ad,
46*744bfb21SJohn Baldwin 			  const size_t ad_len,
47*744bfb21SJohn Baldwin 			  const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
48*744bfb21SJohn Baldwin 			  const uint8_t key[CHACHA20POLY1305_KEY_SIZE]);
49*744bfb21SJohn Baldwin #else
50*744bfb21SJohn Baldwin #include <sys/endian.h>
51*744bfb21SJohn Baldwin #include <crypto/chacha20_poly1305.h>
52*744bfb21SJohn Baldwin 
53*744bfb21SJohn Baldwin static inline void
54*744bfb21SJohn Baldwin chacha20poly1305_encrypt(uint8_t *dst, const uint8_t *src, const size_t src_len,
55*744bfb21SJohn Baldwin 			 const uint8_t *ad, const size_t ad_len,
56*744bfb21SJohn Baldwin 			 const uint64_t nonce,
57*744bfb21SJohn Baldwin 			 const uint8_t key[CHACHA20POLY1305_KEY_SIZE])
58*744bfb21SJohn Baldwin {
59*744bfb21SJohn Baldwin 	uint8_t nonce_bytes[8];
60*744bfb21SJohn Baldwin 
61*744bfb21SJohn Baldwin 	le64enc(nonce_bytes, nonce);
62*744bfb21SJohn Baldwin 	chacha20_poly1305_encrypt(dst, src, src_len, ad, ad_len,
63*744bfb21SJohn Baldwin 				  nonce_bytes, sizeof(nonce_bytes), key);
64*744bfb21SJohn Baldwin }
65*744bfb21SJohn Baldwin 
66*744bfb21SJohn Baldwin static inline bool
67*744bfb21SJohn Baldwin chacha20poly1305_decrypt(uint8_t *dst, const uint8_t *src, const size_t src_len,
68*744bfb21SJohn Baldwin 			 const uint8_t *ad, const size_t ad_len,
69*744bfb21SJohn Baldwin 			 const uint64_t nonce,
70*744bfb21SJohn Baldwin 			 const uint8_t key[CHACHA20POLY1305_KEY_SIZE])
71*744bfb21SJohn Baldwin {
72*744bfb21SJohn Baldwin 	uint8_t nonce_bytes[8];
73*744bfb21SJohn Baldwin 
74*744bfb21SJohn Baldwin 	le64enc(nonce_bytes, nonce);
75*744bfb21SJohn Baldwin 	return (chacha20_poly1305_decrypt(dst, src, src_len, ad, ad_len,
76*744bfb21SJohn Baldwin 					  nonce_bytes, sizeof(nonce_bytes), key));
77*744bfb21SJohn Baldwin }
78*744bfb21SJohn Baldwin 
79*744bfb21SJohn Baldwin static inline void
80*744bfb21SJohn Baldwin xchacha20poly1305_encrypt(uint8_t *dst, const uint8_t *src,
81*744bfb21SJohn Baldwin 			  const size_t src_len, const uint8_t *ad,
82*744bfb21SJohn Baldwin 			  const size_t ad_len,
83*744bfb21SJohn Baldwin 			  const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
84*744bfb21SJohn Baldwin 			  const uint8_t key[CHACHA20POLY1305_KEY_SIZE])
85*744bfb21SJohn Baldwin {
86*744bfb21SJohn Baldwin 	xchacha20_poly1305_encrypt(dst, src, src_len, ad, ad_len, nonce, key);
87*744bfb21SJohn Baldwin }
88*744bfb21SJohn Baldwin 
89*744bfb21SJohn Baldwin static inline bool
90*744bfb21SJohn Baldwin xchacha20poly1305_decrypt(uint8_t *dst, const uint8_t *src,
91*744bfb21SJohn Baldwin 			  const size_t src_len,  const uint8_t *ad,
92*744bfb21SJohn Baldwin 			  const size_t ad_len,
93*744bfb21SJohn Baldwin 			  const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
94*744bfb21SJohn Baldwin 			  const uint8_t key[CHACHA20POLY1305_KEY_SIZE])
95*744bfb21SJohn Baldwin {
96*744bfb21SJohn Baldwin 	return (xchacha20_poly1305_decrypt(dst, src, src_len, ad, ad_len, nonce, key));
97*744bfb21SJohn Baldwin }
98*744bfb21SJohn Baldwin #endif
99*744bfb21SJohn Baldwin 
100*744bfb21SJohn Baldwin int
101*744bfb21SJohn Baldwin chacha20poly1305_encrypt_mbuf(struct mbuf *, const uint64_t nonce,
102*744bfb21SJohn Baldwin 			      const uint8_t key[CHACHA20POLY1305_KEY_SIZE]);
103*744bfb21SJohn Baldwin 
104*744bfb21SJohn Baldwin int
105*744bfb21SJohn Baldwin chacha20poly1305_decrypt_mbuf(struct mbuf *, const uint64_t nonce,
106*744bfb21SJohn Baldwin 			      const uint8_t key[CHACHA20POLY1305_KEY_SIZE]);
107*744bfb21SJohn Baldwin 
108*744bfb21SJohn Baldwin 
109*744bfb21SJohn Baldwin enum blake2s_lengths {
110*744bfb21SJohn Baldwin 	BLAKE2S_BLOCK_SIZE = 64,
111*744bfb21SJohn Baldwin 	BLAKE2S_HASH_SIZE = 32,
112*744bfb21SJohn Baldwin 	BLAKE2S_KEY_SIZE = 32
113*744bfb21SJohn Baldwin };
114*744bfb21SJohn Baldwin 
115*744bfb21SJohn Baldwin #ifdef COMPAT_NEED_BLAKE2S
116*744bfb21SJohn Baldwin struct blake2s_state {
117*744bfb21SJohn Baldwin 	uint32_t h[8];
118*744bfb21SJohn Baldwin 	uint32_t t[2];
119*744bfb21SJohn Baldwin 	uint32_t f[2];
120*744bfb21SJohn Baldwin 	uint8_t buf[BLAKE2S_BLOCK_SIZE];
121*744bfb21SJohn Baldwin 	unsigned int buflen;
122*744bfb21SJohn Baldwin 	unsigned int outlen;
123*744bfb21SJohn Baldwin };
124*744bfb21SJohn Baldwin 
125*744bfb21SJohn Baldwin void blake2s_init(struct blake2s_state *state, const size_t outlen);
126*744bfb21SJohn Baldwin 
127*744bfb21SJohn Baldwin void blake2s_init_key(struct blake2s_state *state, const size_t outlen,
128*744bfb21SJohn Baldwin 		      const uint8_t *key, const size_t keylen);
129*744bfb21SJohn Baldwin 
130*744bfb21SJohn Baldwin void blake2s_update(struct blake2s_state *state, const uint8_t *in, size_t inlen);
131*744bfb21SJohn Baldwin 
132*744bfb21SJohn Baldwin void blake2s_final(struct blake2s_state *state, uint8_t *out);
133*744bfb21SJohn Baldwin 
134*744bfb21SJohn Baldwin static inline void blake2s(uint8_t *out, const uint8_t *in, const uint8_t *key,
135*744bfb21SJohn Baldwin 			   const size_t outlen, const size_t inlen, const size_t keylen)
136*744bfb21SJohn Baldwin {
137*744bfb21SJohn Baldwin 	struct blake2s_state state;
138*744bfb21SJohn Baldwin 
139*744bfb21SJohn Baldwin 	if (keylen)
140*744bfb21SJohn Baldwin 		blake2s_init_key(&state, outlen, key, keylen);
141*744bfb21SJohn Baldwin 	else
142*744bfb21SJohn Baldwin 		blake2s_init(&state, outlen);
143*744bfb21SJohn Baldwin 
144*744bfb21SJohn Baldwin 	blake2s_update(&state, in, inlen);
145*744bfb21SJohn Baldwin 	blake2s_final(&state, out);
146*744bfb21SJohn Baldwin }
147*744bfb21SJohn Baldwin #endif
148*744bfb21SJohn Baldwin 
149*744bfb21SJohn Baldwin #ifdef COMPAT_NEED_CURVE25519
150*744bfb21SJohn Baldwin enum curve25519_lengths {
151*744bfb21SJohn Baldwin         CURVE25519_KEY_SIZE = 32
152*744bfb21SJohn Baldwin };
153*744bfb21SJohn Baldwin 
154*744bfb21SJohn Baldwin bool curve25519(uint8_t mypublic[static CURVE25519_KEY_SIZE],
155*744bfb21SJohn Baldwin 		const uint8_t secret[static CURVE25519_KEY_SIZE],
156*744bfb21SJohn Baldwin 		const uint8_t basepoint[static CURVE25519_KEY_SIZE]);
157*744bfb21SJohn Baldwin 
158*744bfb21SJohn Baldwin static inline bool
159*744bfb21SJohn Baldwin curve25519_generate_public(uint8_t pub[static CURVE25519_KEY_SIZE],
160*744bfb21SJohn Baldwin 			   const uint8_t secret[static CURVE25519_KEY_SIZE])
161*744bfb21SJohn Baldwin {
162*744bfb21SJohn Baldwin 	static const uint8_t basepoint[CURVE25519_KEY_SIZE] = { 9 };
163*744bfb21SJohn Baldwin 
164*744bfb21SJohn Baldwin 	return curve25519(pub, secret, basepoint);
165*744bfb21SJohn Baldwin }
166*744bfb21SJohn Baldwin 
167*744bfb21SJohn Baldwin static inline void curve25519_clamp_secret(uint8_t secret[static CURVE25519_KEY_SIZE])
168*744bfb21SJohn Baldwin {
169*744bfb21SJohn Baldwin         secret[0] &= 248;
170*744bfb21SJohn Baldwin         secret[31] = (secret[31] & 127) | 64;
171*744bfb21SJohn Baldwin }
172*744bfb21SJohn Baldwin 
173*744bfb21SJohn Baldwin static inline void curve25519_generate_secret(uint8_t secret[CURVE25519_KEY_SIZE])
174*744bfb21SJohn Baldwin {
175*744bfb21SJohn Baldwin 	arc4random_buf(secret, CURVE25519_KEY_SIZE);
176*744bfb21SJohn Baldwin 	curve25519_clamp_secret(secret);
177*744bfb21SJohn Baldwin }
178*744bfb21SJohn Baldwin #else
179*744bfb21SJohn Baldwin #include <crypto/curve25519.h>
180*744bfb21SJohn Baldwin #endif
181*744bfb21SJohn Baldwin 
182*744bfb21SJohn Baldwin #endif
183