xref: /freebsd/tests/sys/opencrypto/cryptodev.py (revision 8657387683946d0c03e09fe77029edfe309eeb20) 
1#!/usr/bin/env python
2#
3# Copyright (c) 2014 The FreeBSD Foundation
4# Copyright 2014 John-Mark Gurney
5# All rights reserved.
6#
7# This software was developed by John-Mark Gurney under
8# the sponsorship from the FreeBSD Foundation.
9# Redistribution and use in source and binary forms, with or without
10# modification, are permitted provided that the following conditions
11# are met:
12# 1.  Redistributions of source code must retain the above copyright
13#     notice, this list of conditions and the following disclaimer.
14# 2.  Redistributions in binary form must reproduce the above copyright
15#     notice, this list of conditions and the following disclaimer in the
16#     documentation and/or other materials provided with the distribution.
17#
18# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28# SUCH DAMAGE.
29#
30# $FreeBSD$
31#
32
33import array
34import dpkt
35from fcntl import ioctl
36import os
37import signal
38from struct import pack as _pack
39
40from cryptodevh import *
41
42__all__ = [ 'Crypto', 'MismatchError', ]
43
44class FindOp(dpkt.Packet):
45	__byte_order__ = '@'
46	__hdr__ = ( ('crid', 'i', 0),
47		('name', '32s', 0),
48	)
49
50class SessionOp(dpkt.Packet):
51	__byte_order__ = '@'
52	__hdr__ = ( ('cipher', 'I', 0),
53		('mac', 'I', 0),
54		('keylen', 'I', 0),
55		('key', 'P', 0),
56		('mackeylen', 'i', 0),
57		('mackey', 'P', 0),
58		('ses', 'I', 0),
59	)
60
61class SessionOp2(dpkt.Packet):
62	__byte_order__ = '@'
63	__hdr__ = ( ('cipher', 'I', 0),
64		('mac', 'I', 0),
65		('keylen', 'I', 0),
66		('key', 'P', 0),
67		('mackeylen', 'i', 0),
68		('mackey', 'P', 0),
69		('ses', 'I', 0),
70		('crid', 'i', 0),
71		('pad0', 'i', 0),
72		('pad1', 'i', 0),
73		('pad2', 'i', 0),
74		('pad3', 'i', 0),
75	)
76
77class CryptOp(dpkt.Packet):
78	__byte_order__ = '@'
79	__hdr__ = ( ('ses', 'I', 0),
80		('op', 'H', 0),
81		('flags', 'H', 0),
82		('len', 'I', 0),
83		('src', 'P', 0),
84		('dst', 'P', 0),
85		('mac', 'P', 0),
86		('iv', 'P', 0),
87	)
88
89class CryptAEAD(dpkt.Packet):
90	__byte_order__ = '@'
91	__hdr__ = (
92		('ses',		'I', 0),
93		('op',		'H', 0),
94		('flags',	'H', 0),
95		('len',		'I', 0),
96		('aadlen',	'I', 0),
97		('ivlen',	'I', 0),
98		('src',		'P', 0),
99		('dst',		'P', 0),
100		('aad',		'P', 0),
101		('tag',		'P', 0),
102		('iv',		'P', 0),
103	)
104
105# h2py.py can't handle multiarg macros
106CRIOGET = 3221513060
107CIOCGSESSION = 3224396645
108CIOCGSESSION2 = 3225445226
109CIOCFSESSION = 2147771238
110CIOCCRYPT = 3224396647
111CIOCKEY = 3230688104
112CIOCASYMFEAT = 1074029417
113CIOCKEY2 = 3230688107
114CIOCFINDDEV = 3223610220
115CIOCCRYPTAEAD = 3225445229
116
117def _getdev():
118	fd = os.open('/dev/crypto', os.O_RDWR)
119	buf = array.array('I', [0])
120	ioctl(fd, CRIOGET, buf, 1)
121	os.close(fd)
122
123	return buf[0]
124
125_cryptodev = _getdev()
126
127def _findop(crid, name):
128	fop = FindOp()
129	fop.crid = crid
130	fop.name = name
131	s = array.array('B', fop.pack_hdr())
132	ioctl(_cryptodev, CIOCFINDDEV, s, 1)
133	fop.unpack(s)
134
135	try:
136		idx = fop.name.index('\x00')
137		name = fop.name[:idx]
138	except ValueError:
139		name = fop.name
140
141	return fop.crid, name
142
143class Crypto:
144	@staticmethod
145	def findcrid(name):
146		return _findop(-1, name)[0]
147
148	@staticmethod
149	def getcridname(crid):
150		return _findop(crid, '')[1]
151
152	def __init__(self, cipher=0, key=None, mac=0, mackey=None,
153	    crid=CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_HARDWARE):
154		self._ses = None
155		ses = SessionOp2()
156		ses.cipher = cipher
157		ses.mac = mac
158
159		if key is not None:
160			ses.keylen = len(key)
161			k = array.array('B', key)
162			ses.key = k.buffer_info()[0]
163		else:
164			self.key = None
165
166		if mackey is not None:
167			ses.mackeylen = len(mackey)
168			mk = array.array('B', mackey)
169			ses.mackey = mk.buffer_info()[0]
170			self._maclen = 16	# parameterize?
171		else:
172			self._maclen = None
173
174		if not cipher and not mac:
175			raise ValueError('one of cipher or mac MUST be specified.')
176		ses.crid = crid
177		#print `ses`
178		s = array.array('B', ses.pack_hdr())
179		#print `s`
180		ioctl(_cryptodev, CIOCGSESSION2, s, 1)
181		ses.unpack(s)
182
183		self._ses = ses.ses
184
185	def __del__(self):
186		if self._ses is None:
187			return
188
189		try:
190			ioctl(_cryptodev, CIOCFSESSION, _pack('I', self._ses))
191		except TypeError:
192			pass
193		self._ses = None
194
195	def _doop(self, op, src, iv):
196		cop = CryptOp()
197		cop.ses = self._ses
198		cop.op = op
199		cop.flags = 0
200		cop.len = len(src)
201		s = array.array('B', src)
202		cop.src = cop.dst = s.buffer_info()[0]
203		if self._maclen is not None:
204			m = array.array('B', [0] * self._maclen)
205			cop.mac = m.buffer_info()[0]
206		ivbuf = array.array('B', iv)
207		cop.iv = ivbuf.buffer_info()[0]
208
209		#print 'cop:', `cop`
210		ioctl(_cryptodev, CIOCCRYPT, str(cop))
211
212		s = s.tostring()
213		if self._maclen is not None:
214			return s, m.tostring()
215
216		return s
217
218	def _doaead(self, op, src, aad, iv, tag=None):
219		caead = CryptAEAD()
220		caead.ses = self._ses
221		caead.op = op
222		caead.flags = CRD_F_IV_EXPLICIT
223		caead.flags = 0
224		caead.len = len(src)
225		s = array.array('B', src)
226		caead.src = caead.dst = s.buffer_info()[0]
227		caead.aadlen = len(aad)
228		saad = array.array('B', aad)
229		caead.aad = saad.buffer_info()[0]
230
231		if self._maclen is None:
232			raise ValueError('must have a tag length')
233
234		if tag is None:
235			tag = array.array('B', [0] * self._maclen)
236		else:
237			assert len(tag) == self._maclen, `len(tag), self._maclen`
238			tag = array.array('B', tag)
239
240		caead.tag = tag.buffer_info()[0]
241
242		ivbuf = array.array('B', iv)
243		caead.ivlen = len(iv)
244		caead.iv = ivbuf.buffer_info()[0]
245
246		ioctl(_cryptodev, CIOCCRYPTAEAD, str(caead))
247
248		s = s.tostring()
249
250		return s, tag.tostring()
251
252	def perftest(self, op, size, timeo=3):
253		import random
254		import time
255
256		inp = array.array('B', (random.randint(0, 255) for x in xrange(size)))
257		out = array.array('B', inp)
258
259		# prep ioctl
260		cop = CryptOp()
261		cop.ses = self._ses
262		cop.op = op
263		cop.flags = 0
264		cop.len = len(inp)
265		s = array.array('B', inp)
266		cop.src = s.buffer_info()[0]
267		cop.dst = out.buffer_info()[0]
268		if self._maclen is not None:
269			m = array.array('B', [0] * self._maclen)
270			cop.mac = m.buffer_info()[0]
271		ivbuf = array.array('B', (random.randint(0, 255) for x in xrange(16)))
272		cop.iv = ivbuf.buffer_info()[0]
273
274		exit = [ False ]
275		def alarmhandle(a, b, exit=exit):
276			exit[0] = True
277
278		oldalarm = signal.signal(signal.SIGALRM, alarmhandle)
279		signal.alarm(timeo)
280
281		start = time.time()
282		reps = 0
283		while not exit[0]:
284			ioctl(_cryptodev, CIOCCRYPT, str(cop))
285			reps += 1
286
287		end = time.time()
288
289		signal.signal(signal.SIGALRM, oldalarm)
290
291		print 'time:', end - start
292		print 'perf MB/sec:', (reps * size) / (end - start) / 1024 / 1024
293
294	def encrypt(self, data, iv, aad=None):
295		if aad is None:
296			return self._doop(COP_ENCRYPT, data, iv)
297		else:
298			return self._doaead(COP_ENCRYPT, data, aad,
299			    iv)
300
301	def decrypt(self, data, iv, aad=None, tag=None):
302		if aad is None:
303			return self._doop(COP_DECRYPT, data, iv)
304		else:
305			return self._doaead(COP_DECRYPT, data, aad,
306			    iv, tag=tag)
307
308class MismatchError(Exception):
309	pass
310
311class KATParser:
312	def __init__(self, fname, fields):
313		self.fp = open(fname)
314		self.fields = set(fields)
315		self._pending = None
316
317	def __iter__(self):
318		while True:
319			didread = False
320			if self._pending is not None:
321				i = self._pending
322				self._pending = None
323			else:
324				i = self.fp.readline()
325				didread = True
326
327			if didread and not i:
328				return
329
330			if (i and i[0] == '#') or not i.strip():
331				continue
332			if i[0] == '[':
333				yield i[1:].split(']', 1)[0], self.fielditer()
334			else:
335				raise ValueError('unknown line: %s' % `i`)
336
337	def eatblanks(self):
338		while True:
339			line = self.fp.readline()
340			if line == '':
341				break
342
343			line = line.strip()
344			if line:
345				break
346
347		return line
348
349	def fielditer(self):
350		while True:
351			values = {}
352
353			line = self.eatblanks()
354			if not line or line[0] == '[':
355				self._pending = line
356				return
357
358			while True:
359				try:
360					f, v = line.split(' =')
361				except:
362					if line == 'FAIL':
363						f, v = 'FAIL', ''
364					else:
365						print 'line:', `line`
366						raise
367				v = v.strip()
368
369				if f in values:
370					raise ValueError('already present: %s' % `f`)
371				values[f] = v
372				line = self.fp.readline().strip()
373				if not line:
374					break
375
376			# we should have everything
377			remain = self.fields.copy() - set(values.keys())
378			# XXX - special case GCM decrypt
379			if remain and not ('FAIL' in values and 'PT' in remain):
380					raise ValueError('not all fields found: %s' % `remain`)
381
382			yield values
383
384def _spdechex(s):
385	return ''.join(s.split()).decode('hex')
386
387if __name__ == '__main__':
388	if True:
389		try:
390			crid = Crypto.findcrid('aesni0')
391			print 'aesni:', crid
392		except IOError:
393			print 'aesni0 not found'
394
395		for i in xrange(10):
396			try:
397				name = Crypto.getcridname(i)
398				print '%2d: %s' % (i, `name`)
399			except IOError:
400				pass
401	elif False:
402		kp = KATParser('/usr/home/jmg/aesni.testing/format tweak value input - data unit seq no/XTSGenAES128.rsp', [ 'COUNT', 'DataUnitLen', 'Key', 'DataUnitSeqNumber', 'PT', 'CT' ])
403		for mode, ni in kp:
404			print `i`, `ni`
405			for j in ni:
406				print `j`
407	elif False:
408		key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
409		iv = _spdechex('00000000000000000000000000000001')
410		pt = _spdechex('ab3cabed693a32946055524052afe3c9cb49664f09fc8b7da824d924006b7496353b8c1657c5dec564d8f38d7432e1de35aae9d95590e66278d4acce883e51abaf94977fcd3679660109a92bf7b2973ccd547f065ec6cee4cb4a72a5e9f45e615d920d76cb34cba482467b3e21422a7242e7d931330c0fbf465c3a3a46fae943029fd899626dda542750a1eee253df323c6ef1573f1c8c156613e2ea0a6cdbf2ae9701020be2d6a83ecb7f3f9d8e')
411		#pt = _spdechex('00000000000000000000000000000000')
412		ct = _spdechex('f42c33853ecc5ce2949865fdb83de3bff1089e9360c94f830baebfaff72836ab5236f77212f1e7396c8c54ac73d81986375a6e9e299cfeca5ba051ed25e8d1affa5beaf6c1d2b45e90802408f2ced21663497e906de5f29341e5e52ddfea5363d628b3eb7806835e17bae051b3a6da3f8e2941fe44384eac17a9d298d2c331ca8320c775b5d53263a5e905059d891b21dede2d8110fd427c7bd5a9a274ddb47b1945ee79522203b6e297d0e399ef')
413
414		c = Crypto(CRYPTO_AES_ICM, key)
415		enc = c.encrypt(pt, iv)
416
417		print 'enc:', enc.encode('hex')
418		print ' ct:', ct.encode('hex')
419
420		assert ct == enc
421
422		dec = c.decrypt(ct, iv)
423
424		print 'dec:', dec.encode('hex')
425		print ' pt:', pt.encode('hex')
426
427		assert pt == dec
428	elif False:
429		key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
430		iv = _spdechex('00000000000000000000000000000001')
431		pt = _spdechex('ab3cabed693a32946055524052afe3c9cb49664f09fc8b7da824d924006b7496353b8c1657c5dec564d8f38d7432e1de35aae9d95590e66278d4acce883e51abaf94977fcd3679660109a92bf7b2973ccd547f065ec6cee4cb4a72a5e9f45e615d920d76cb34cba482467b3e21422a7242e7d931330c0fbf465c3a3a46fae943029fd899626dda542750a1eee253df323c6ef1573f1c8c156613e2ea0a6cdbf2ae9701020be2d6a83ecb7f3f9d8e0a3f')
432		#pt = _spdechex('00000000000000000000000000000000')
433		ct = _spdechex('f42c33853ecc5ce2949865fdb83de3bff1089e9360c94f830baebfaff72836ab5236f77212f1e7396c8c54ac73d81986375a6e9e299cfeca5ba051ed25e8d1affa5beaf6c1d2b45e90802408f2ced21663497e906de5f29341e5e52ddfea5363d628b3eb7806835e17bae051b3a6da3f8e2941fe44384eac17a9d298d2c331ca8320c775b5d53263a5e905059d891b21dede2d8110fd427c7bd5a9a274ddb47b1945ee79522203b6e297d0e399ef3768')
434
435		c = Crypto(CRYPTO_AES_ICM, key)
436		enc = c.encrypt(pt, iv)
437
438		print 'enc:', enc.encode('hex')
439		print ' ct:', ct.encode('hex')
440
441		assert ct == enc
442
443		dec = c.decrypt(ct, iv)
444
445		print 'dec:', dec.encode('hex')
446		print ' pt:', pt.encode('hex')
447
448		assert pt == dec
449	elif False:
450		key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
451		iv = _spdechex('6eba2716ec0bd6fa5cdef5e6d3a795bc')
452		pt = _spdechex('ab3cabed693a32946055524052afe3c9cb49664f09fc8b7da824d924006b7496353b8c1657c5dec564d8f38d7432e1de35aae9d95590e66278d4acce883e51abaf94977fcd3679660109a92bf7b2973ccd547f065ec6cee4cb4a72a5e9f45e615d920d76cb34cba482467b3e21422a7242e7d931330c0fbf465c3a3a46fae943029fd899626dda542750a1eee253df323c6ef1573f1c8c156613e2ea0a6cdbf2ae9701020be2d6a83ecb7f3f9d8e0a3f')
453		ct = _spdechex('f1f81f12e72e992dbdc304032705dc75dc3e4180eff8ee4819906af6aee876d5b00b7c36d282a445ce3620327be481e8e53a8e5a8e5ca9abfeb2281be88d12ffa8f46d958d8224738c1f7eea48bda03edbf9adeb900985f4fa25648b406d13a886c25e70cfdecdde0ad0f2991420eb48a61c64fd797237cf2798c2675b9bb744360b0a3f329ac53bbceb4e3e7456e6514f1a9d2f06c236c31d0f080b79c15dce1096357416602520daa098b17d1af427')
454		c = Crypto(CRYPTO_AES_CBC, key)
455
456		enc = c.encrypt(pt, iv)
457
458		print 'enc:', enc.encode('hex')
459		print ' ct:', ct.encode('hex')
460
461		assert ct == enc
462
463		dec = c.decrypt(ct, iv)
464
465		print 'dec:', dec.encode('hex')
466		print ' pt:', pt.encode('hex')
467
468		assert pt == dec
469	elif False:
470		key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
471		iv = _spdechex('b3d8cc017cbb89b39e0f67e2')
472		pt = _spdechex('c3b3c41f113a31b73d9a5cd4321030')
473		aad = _spdechex('24825602bd12a984e0092d3e448eda5f')
474		ct = _spdechex('93fe7d9e9bfd10348a5606e5cafa7354')
475		ct = _spdechex('93fe7d9e9bfd10348a5606e5cafa73')
476		tag = _spdechex('0032a1dc85f1c9786925a2e71d8272dd')
477		tag = _spdechex('8d11a0929cb3fbe1fef01a4a38d5f8ea')
478
479		c = Crypto(CRYPTO_AES_NIST_GCM_16, key,
480		    mac=CRYPTO_AES_128_NIST_GMAC, mackey=key)
481
482		enc, enctag = c.encrypt(pt, iv, aad=aad)
483
484		print 'enc:', enc.encode('hex')
485		print ' ct:', ct.encode('hex')
486
487		assert enc == ct
488
489		print 'etg:', enctag.encode('hex')
490		print 'tag:', tag.encode('hex')
491		assert enctag == tag
492
493		# Make sure we get EBADMSG
494		#enctag = enctag[:-1] + 'a'
495		dec, dectag = c.decrypt(ct, iv, aad=aad, tag=enctag)
496
497		print 'dec:', dec.encode('hex')
498		print ' pt:', pt.encode('hex')
499
500		assert dec == pt
501
502		print 'dtg:', dectag.encode('hex')
503		print 'tag:', tag.encode('hex')
504
505		assert dectag == tag
506	elif False:
507		key = _spdechex('c939cc13397c1d37de6ae0e1cb7c423c')
508		iv = _spdechex('b3d8cc017cbb89b39e0f67e2')
509		key = key + iv[:4]
510		iv = iv[4:]
511		pt = _spdechex('c3b3c41f113a31b73d9a5cd432103069')
512		aad = _spdechex('24825602bd12a984e0092d3e448eda5f')
513		ct = _spdechex('93fe7d9e9bfd10348a5606e5cafa7354')
514		tag = _spdechex('0032a1dc85f1c9786925a2e71d8272dd')
515
516		c = Crypto(CRYPTO_AES_GCM_16, key, mac=CRYPTO_AES_128_GMAC, mackey=key)
517
518		enc, enctag = c.encrypt(pt, iv, aad=aad)
519
520		print 'enc:', enc.encode('hex')
521		print ' ct:', ct.encode('hex')
522
523		assert enc == ct
524
525		print 'etg:', enctag.encode('hex')
526		print 'tag:', tag.encode('hex')
527		assert enctag == tag
528	elif False:
529		for i in xrange(100000):
530			c = Crypto(CRYPTO_AES_XTS, '1bbfeadf539daedcae33ced497343f3ca1f2474ad932b903997d44707db41382'.decode('hex'))
531			data = '52a42bca4e9425a25bbc8c8bf6129dec'.decode('hex')
532			ct = '517e602becd066b65fa4f4f56ddfe240'.decode('hex')
533			iv = _pack('QQ', 71, 0)
534
535			enc = c.encrypt(data, iv)
536			assert enc == ct
537	elif True:
538		c = Crypto(CRYPTO_AES_XTS, '1bbfeadf539daedcae33ced497343f3ca1f2474ad932b903997d44707db41382'.decode('hex'))
539		data = '52a42bca4e9425a25bbc8c8bf6129dec'.decode('hex')
540		ct = '517e602becd066b65fa4f4f56ddfe240'.decode('hex')
541		iv = _pack('QQ', 71, 0)
542
543		enc = c.encrypt(data, iv)
544		assert enc == ct
545
546		dec = c.decrypt(enc, iv)
547		assert dec == data
548
549		#c.perftest(COP_ENCRYPT, 192*1024, reps=30000)
550
551	else:
552		key = '1bbfeadf539daedcae33ced497343f3ca1f2474ad932b903997d44707db41382'.decode('hex')
553		print 'XTS %d testing:' % (len(key) * 8)
554		c = Crypto(CRYPTO_AES_XTS, key)
555		for i in [ 8192, 192*1024]:
556			print 'block size: %d' % i
557			c.perftest(COP_ENCRYPT, i)
558			c.perftest(COP_DECRYPT, i)
559