The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/opencrypto/cryptosoft.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $ */
    2 
    3 /*-
    4  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
    5  * Copyright (c) 2002-2006 Sam Leffler, Errno Consulting
    6  *
    7  * This code was written by Angelos D. Keromytis in Athens, Greece, in
    8  * February 2000. Network Security Technologies Inc. (NSTI) kindly
    9  * supported the development of this code.
   10  *
   11  * Copyright (c) 2000, 2001 Angelos D. Keromytis
   12  * Copyright (c) 2014 The FreeBSD Foundation
   13  * All rights reserved.
   14  *
   15  * Portions of this software were developed by John-Mark Gurney
   16  * under sponsorship of the FreeBSD Foundation and
   17  * Rubicon Communications, LLC (Netgate).
   18  *
   19  * Permission to use, copy, and modify this software with or without fee
   20  * is hereby granted, provided that this entire notice is included in
   21  * all source code copies of any software which is or includes a copy or
   22  * modification of this software.
   23  *
   24  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   25  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   26  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   27  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   28  * PURPOSE.
   29  */
   30 
   31 #include <sys/cdefs.h>
   32 __FBSDID("$FreeBSD$");
   33 
   34 #include <sys/param.h>
   35 #include <sys/systm.h>
   36 #include <sys/malloc.h>
   37 #include <sys/mbuf.h>
   38 #include <sys/module.h>
   39 #include <sys/sysctl.h>
   40 #include <sys/errno.h>
   41 #include <sys/random.h>
   42 #include <sys/kernel.h>
   43 #include <sys/uio.h>
   44 #include <sys/lock.h>
   45 #include <sys/rwlock.h>
   46 #include <sys/endian.h>
   47 #include <sys/limits.h>
   48 #include <sys/mutex.h>
   49 
   50 #include <crypto/blowfish/blowfish.h>
   51 #include <crypto/sha1.h>
   52 #include <opencrypto/rmd160.h>
   53 #include <opencrypto/cast.h>
   54 #include <opencrypto/skipjack.h>
   55 #include <sys/md5.h>
   56 
   57 #include <opencrypto/cryptodev.h>
   58 #include <opencrypto/cryptosoft.h>
   59 #include <opencrypto/xform.h>
   60 
   61 #include <sys/kobj.h>
   62 #include <sys/bus.h>
   63 #include "cryptodev_if.h"
   64 
   65 _Static_assert(AES_CCM_IV_LEN == AES_GCM_IV_LEN,
   66     "AES_GCM_IV_LEN must currently be the same as AES_CCM_IV_LEN");
   67 
   68 static  int32_t swcr_id;
   69 
   70 u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
   71 u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
   72 
   73 static  int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
   74 static  int swcr_authcompute(struct cryptodesc *, struct swcr_data *, caddr_t, int);
   75 static  int swcr_authenc(struct cryptop *crp);
   76 static  int swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
   77 static  void swcr_freesession(device_t dev, crypto_session_t cses);
   78 
   79 /*
   80  * Apply a symmetric encryption/decryption algorithm.
   81  */
   82 static int
   83 swcr_encdec(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
   84     int flags)
   85 {
   86         unsigned char iv[EALG_MAX_BLOCK_LEN], blk[EALG_MAX_BLOCK_LEN];
   87         unsigned char *ivp, *nivp, iv2[EALG_MAX_BLOCK_LEN];
   88         struct enc_xform *exf;
   89         int i, j, k, blks, ind, count, ivlen;
   90         struct uio *uio, uiolcl;
   91         struct iovec iovlcl[4];
   92         struct iovec *iov;
   93         int iovcnt, iovalloc;
   94         int error;
   95 
   96         error = 0;
   97 
   98         exf = sw->sw_exf;
   99         blks = exf->blocksize;
  100         ivlen = exf->ivsize;
  101 
  102         /* Check for non-padded data */
  103         if (crd->crd_len % blks)
  104                 return EINVAL;
  105 
  106         if (crd->crd_alg == CRYPTO_AES_ICM &&
  107             (crd->crd_flags & CRD_F_IV_EXPLICIT) == 0)
  108                 return (EINVAL);
  109 
  110         /* Initialize the IV */
  111         if (crd->crd_flags & CRD_F_ENCRYPT) {
  112                 /* IV explicitly provided ? */
  113                 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
  114                         bcopy(crd->crd_iv, iv, ivlen);
  115                 else
  116                         arc4rand(iv, ivlen, 0);
  117 
  118                 /* Do we need to write the IV */
  119                 if (!(crd->crd_flags & CRD_F_IV_PRESENT))
  120                         crypto_copyback(flags, buf, crd->crd_inject, ivlen, iv);
  121 
  122         } else {        /* Decryption */
  123                 /* IV explicitly provided ? */
  124                 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
  125                         bcopy(crd->crd_iv, iv, ivlen);
  126                 else {
  127                         /* Get IV off buf */
  128                         crypto_copydata(flags, buf, crd->crd_inject, ivlen, iv);
  129                 }
  130         }
  131 
  132         if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
  133                 int error; 
  134 
  135                 if (sw->sw_kschedule)
  136                         exf->zerokey(&(sw->sw_kschedule));
  137 
  138                 error = exf->setkey(&sw->sw_kschedule,
  139                                 crd->crd_key, crd->crd_klen / 8);
  140                 if (error)
  141                         return (error);
  142         }
  143 
  144         iov = iovlcl;
  145         iovcnt = nitems(iovlcl);
  146         iovalloc = 0;
  147         uio = &uiolcl;
  148         if ((flags & CRYPTO_F_IMBUF) != 0) {
  149                 error = crypto_mbuftoiov((struct mbuf *)buf, &iov, &iovcnt,
  150                     &iovalloc);
  151                 if (error)
  152                         return (error);
  153                 uio->uio_iov = iov;
  154                 uio->uio_iovcnt = iovcnt;
  155         } else if ((flags & CRYPTO_F_IOV) != 0)
  156                 uio = (struct uio *)buf;
  157         else {
  158                 iov[0].iov_base = buf;
  159                 iov[0].iov_len = crd->crd_skip + crd->crd_len;
  160                 uio->uio_iov = iov;
  161                 uio->uio_iovcnt = 1;
  162         }
  163 
  164         ivp = iv;
  165 
  166         if (exf->reinit) {
  167                 /*
  168                  * xforms that provide a reinit method perform all IV
  169                  * handling themselves.
  170                  */
  171                 exf->reinit(sw->sw_kschedule, iv);
  172         }
  173 
  174         count = crd->crd_skip;
  175         ind = cuio_getptr(uio, count, &k);
  176         if (ind == -1) {
  177                 error = EINVAL;
  178                 goto out;
  179         }
  180 
  181         i = crd->crd_len;
  182 
  183         while (i > 0) {
  184                 /*
  185                  * If there's insufficient data at the end of
  186                  * an iovec, we have to do some copying.
  187                  */
  188                 if (uio->uio_iov[ind].iov_len < k + blks &&
  189                     uio->uio_iov[ind].iov_len != k) {
  190                         cuio_copydata(uio, count, blks, blk);
  191 
  192                         /* Actual encryption/decryption */
  193                         if (exf->reinit) {
  194                                 if (crd->crd_flags & CRD_F_ENCRYPT) {
  195                                         exf->encrypt(sw->sw_kschedule,
  196                                             blk);
  197                                 } else {
  198                                         exf->decrypt(sw->sw_kschedule,
  199                                             blk);
  200                                 }
  201                         } else if (crd->crd_flags & CRD_F_ENCRYPT) {
  202                                 /* XOR with previous block */
  203                                 for (j = 0; j < blks; j++)
  204                                         blk[j] ^= ivp[j];
  205 
  206                                 exf->encrypt(sw->sw_kschedule, blk);
  207 
  208                                 /*
  209                                  * Keep encrypted block for XOR'ing
  210                                  * with next block
  211                                  */
  212                                 bcopy(blk, iv, blks);
  213                                 ivp = iv;
  214                         } else {        /* decrypt */
  215                                 /*      
  216                                  * Keep encrypted block for XOR'ing
  217                                  * with next block
  218                                  */
  219                                 nivp = (ivp == iv) ? iv2 : iv;
  220                                 bcopy(blk, nivp, blks);
  221 
  222                                 exf->decrypt(sw->sw_kschedule, blk);
  223 
  224                                 /* XOR with previous block */
  225                                 for (j = 0; j < blks; j++)
  226                                         blk[j] ^= ivp[j];
  227 
  228                                 ivp = nivp;
  229                         }
  230 
  231                         /* Copy back decrypted block */
  232                         cuio_copyback(uio, count, blks, blk);
  233 
  234                         count += blks;
  235 
  236                         /* Advance pointer */
  237                         ind = cuio_getptr(uio, count, &k);
  238                         if (ind == -1) {
  239                                 error = EINVAL;
  240                                 goto out;
  241                         }
  242 
  243                         i -= blks;
  244 
  245                         /* Could be done... */
  246                         if (i == 0)
  247                                 break;
  248                 }
  249 
  250                 while (uio->uio_iov[ind].iov_len >= k + blks && i > 0) {
  251                         uint8_t *idat;
  252                         size_t nb, rem;
  253 
  254                         nb = blks;
  255                         rem = MIN((size_t)i,
  256                             uio->uio_iov[ind].iov_len - (size_t)k);
  257                         idat = (uint8_t *)uio->uio_iov[ind].iov_base + k;
  258 
  259                         if (exf->reinit) {
  260                                 if ((crd->crd_flags & CRD_F_ENCRYPT) != 0 &&
  261                                     exf->encrypt_multi == NULL)
  262                                         exf->encrypt(sw->sw_kschedule,
  263                                             idat);
  264                                 else if ((crd->crd_flags & CRD_F_ENCRYPT) != 0) {
  265                                         nb = rounddown(rem, blks);
  266                                         exf->encrypt_multi(sw->sw_kschedule,
  267                                             idat, nb);
  268                                 } else if (exf->decrypt_multi == NULL)
  269                                         exf->decrypt(sw->sw_kschedule,
  270                                             idat);
  271                                 else {
  272                                         nb = rounddown(rem, blks);
  273                                         exf->decrypt_multi(sw->sw_kschedule,
  274                                             idat, nb);
  275                                 }
  276                         } else if (crd->crd_flags & CRD_F_ENCRYPT) {
  277                                 /* XOR with previous block/IV */
  278                                 for (j = 0; j < blks; j++)
  279                                         idat[j] ^= ivp[j];
  280 
  281                                 exf->encrypt(sw->sw_kschedule, idat);
  282                                 ivp = idat;
  283                         } else {        /* decrypt */
  284                                 /*
  285                                  * Keep encrypted block to be used
  286                                  * in next block's processing.
  287                                  */
  288                                 nivp = (ivp == iv) ? iv2 : iv;
  289                                 bcopy(idat, nivp, blks);
  290 
  291                                 exf->decrypt(sw->sw_kschedule, idat);
  292 
  293                                 /* XOR with previous block/IV */
  294                                 for (j = 0; j < blks; j++)
  295                                         idat[j] ^= ivp[j];
  296 
  297                                 ivp = nivp;
  298                         }
  299 
  300                         count += nb;
  301                         k += nb;
  302                         i -= nb;
  303                 }
  304 
  305                 /*
  306                  * Advance to the next iov if the end of the current iov
  307                  * is aligned with the end of a cipher block.
  308                  * Note that the code is equivalent to calling:
  309                  *      ind = cuio_getptr(uio, count, &k);
  310                  */
  311                 if (i > 0 && k == uio->uio_iov[ind].iov_len) {
  312                         k = 0;
  313                         ind++;
  314                         if (ind >= uio->uio_iovcnt) {
  315                                 error = EINVAL;
  316                                 goto out;
  317                         }
  318                 }
  319         }
  320 
  321 out:
  322         if (iovalloc)
  323                 free(iov, M_CRYPTO_DATA);
  324 
  325         return (error);
  326 }
  327 
  328 static int __result_use_check
  329 swcr_authprepare(struct auth_hash *axf, struct swcr_data *sw, u_char *key,
  330     int klen)
  331 {
  332         int k;
  333 
  334         klen /= 8;
  335 
  336         switch (axf->type) {
  337         case CRYPTO_MD5_HMAC:
  338         case CRYPTO_SHA1_HMAC:
  339         case CRYPTO_SHA2_224_HMAC:
  340         case CRYPTO_SHA2_256_HMAC:
  341         case CRYPTO_SHA2_384_HMAC:
  342         case CRYPTO_SHA2_512_HMAC:
  343         case CRYPTO_NULL_HMAC:
  344         case CRYPTO_RIPEMD160_HMAC:
  345                 for (k = 0; k < klen; k++)
  346                         key[k] ^= HMAC_IPAD_VAL;
  347         
  348                 axf->Init(sw->sw_ictx);
  349                 axf->Update(sw->sw_ictx, key, klen);
  350                 axf->Update(sw->sw_ictx, hmac_ipad_buffer, axf->blocksize - klen);
  351         
  352                 for (k = 0; k < klen; k++)
  353                         key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
  354         
  355                 axf->Init(sw->sw_octx);
  356                 axf->Update(sw->sw_octx, key, klen);
  357                 axf->Update(sw->sw_octx, hmac_opad_buffer, axf->blocksize - klen);
  358         
  359                 for (k = 0; k < klen; k++)
  360                         key[k] ^= HMAC_OPAD_VAL;
  361                 break;
  362         case CRYPTO_MD5_KPDK:
  363         case CRYPTO_SHA1_KPDK:
  364         {
  365                 /* 
  366                  * We need a buffer that can hold an md5 and a sha1 result
  367                  * just to throw it away.
  368                  * What we do here is the initial part of:
  369                  *   ALGO( key, keyfill, .. )
  370                  * adding the key to sw_ictx and abusing Final() to get the
  371                  * "keyfill" padding.
  372                  * In addition we abuse the sw_octx to save the key to have
  373                  * it to be able to append it at the end in swcr_authcompute().
  374                  */
  375                 u_char buf[SHA1_RESULTLEN];
  376 
  377                 sw->sw_klen = klen;
  378                 bcopy(key, sw->sw_octx, klen);
  379                 axf->Init(sw->sw_ictx);
  380                 axf->Update(sw->sw_ictx, key, klen);
  381                 axf->Final(buf, sw->sw_ictx);
  382                 break;
  383         }
  384         case CRYPTO_POLY1305:
  385                 if (klen != POLY1305_KEY_LEN) {
  386                         CRYPTDEB("bad poly1305 key size %d", klen);
  387                         return EINVAL;
  388                 }
  389                 /* FALLTHROUGH */
  390         case CRYPTO_BLAKE2B:
  391         case CRYPTO_BLAKE2S:
  392                 axf->Setkey(sw->sw_ictx, key, klen);
  393                 axf->Init(sw->sw_ictx);
  394                 break;
  395         default:
  396                 printf("%s: CRD_F_KEY_EXPLICIT flag given, but algorithm %d "
  397                     "doesn't use keys.\n", __func__, axf->type);
  398                 return EINVAL;
  399         }
  400         return 0;
  401 }
  402 
  403 /*
  404  * Compute keyed-hash authenticator.
  405  */
  406 static int
  407 swcr_authcompute(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
  408     int flags)
  409 {
  410         unsigned char aalg[HASH_MAX_LEN];
  411         struct auth_hash *axf;
  412         union authctx ctx;
  413         int err;
  414 
  415         if (sw->sw_ictx == 0)
  416                 return EINVAL;
  417 
  418         axf = sw->sw_axf;
  419 
  420         if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
  421                 err = swcr_authprepare(axf, sw, crd->crd_key, crd->crd_klen);
  422                 if (err != 0)
  423                         return err;
  424         }
  425 
  426         bcopy(sw->sw_ictx, &ctx, axf->ctxsize);
  427 
  428         err = crypto_apply(flags, buf, crd->crd_skip, crd->crd_len,
  429             (int (*)(void *, void *, unsigned int))axf->Update, (caddr_t)&ctx);
  430         if (err)
  431                 return err;
  432 
  433         switch (sw->sw_alg) {
  434         case CRYPTO_SHA1:
  435         case CRYPTO_SHA2_224:
  436         case CRYPTO_SHA2_256:
  437         case CRYPTO_SHA2_384:
  438         case CRYPTO_SHA2_512:
  439                 axf->Final(aalg, &ctx);
  440                 break;
  441 
  442         case CRYPTO_MD5_HMAC:
  443         case CRYPTO_SHA1_HMAC:
  444         case CRYPTO_SHA2_224_HMAC:
  445         case CRYPTO_SHA2_256_HMAC:
  446         case CRYPTO_SHA2_384_HMAC:
  447         case CRYPTO_SHA2_512_HMAC:
  448         case CRYPTO_RIPEMD160_HMAC:
  449                 if (sw->sw_octx == NULL)
  450                         return EINVAL;
  451 
  452                 axf->Final(aalg, &ctx);
  453                 bcopy(sw->sw_octx, &ctx, axf->ctxsize);
  454                 axf->Update(&ctx, aalg, axf->hashsize);
  455                 axf->Final(aalg, &ctx);
  456                 break;
  457 
  458         case CRYPTO_MD5_KPDK:
  459         case CRYPTO_SHA1_KPDK:
  460                 /* If we have no key saved, return error. */
  461                 if (sw->sw_octx == NULL)
  462                         return EINVAL;
  463 
  464                 /*
  465                  * Add the trailing copy of the key (see comment in
  466                  * swcr_authprepare()) after the data:
  467                  *   ALGO( .., key, algofill )
  468                  * and let Final() do the proper, natural "algofill"
  469                  * padding.
  470                  */
  471                 axf->Update(&ctx, sw->sw_octx, sw->sw_klen);
  472                 axf->Final(aalg, &ctx);
  473                 break;
  474 
  475         case CRYPTO_BLAKE2B:
  476         case CRYPTO_BLAKE2S:
  477         case CRYPTO_NULL_HMAC:
  478         case CRYPTO_POLY1305:
  479                 axf->Final(aalg, &ctx);
  480                 break;
  481         }
  482 
  483         /* Inject the authentication data */
  484         crypto_copyback(flags, buf, crd->crd_inject,
  485             sw->sw_mlen == 0 ? axf->hashsize : sw->sw_mlen, aalg);
  486         return 0;
  487 }
  488 
  489 CTASSERT(INT_MAX <= (1ll<<39) - 256);   /* GCM: plain text < 2^39-256 */
  490 CTASSERT(INT_MAX <= (uint64_t)-1);      /* GCM: associated data <= 2^64-1 */
  491 
  492 /*
  493  * Apply a combined encryption-authentication transformation
  494  */
  495 static int
  496 swcr_authenc(struct cryptop *crp)
  497 {
  498         uint32_t blkbuf[howmany(EALG_MAX_BLOCK_LEN, sizeof(uint32_t))];
  499         u_char *blk = (u_char *)blkbuf;
  500         u_char aalg[AALG_MAX_RESULT_LEN];
  501         u_char uaalg[AALG_MAX_RESULT_LEN];
  502         u_char iv[EALG_MAX_BLOCK_LEN];
  503         union authctx ctx;
  504         struct swcr_session *ses;
  505         struct cryptodesc *crd, *crda = NULL, *crde = NULL;
  506         struct swcr_data *sw, *swa, *swe = NULL;
  507         struct auth_hash *axf = NULL;
  508         struct enc_xform *exf = NULL;
  509         caddr_t buf = (caddr_t)crp->crp_buf;
  510         uint32_t *blkp;
  511         int aadlen, blksz, i, ivlen, len, iskip, oskip, r;
  512         int isccm = 0;
  513 
  514         ivlen = blksz = iskip = oskip = 0;
  515 
  516         ses = crypto_get_driver_session(crp->crp_session);
  517 
  518         for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
  519                 for (i = 0; i < nitems(ses->swcr_algorithms) &&
  520                     ses->swcr_algorithms[i].sw_alg != crd->crd_alg; i++)
  521                         ;
  522                 if (i == nitems(ses->swcr_algorithms))
  523                         return (EINVAL);
  524 
  525                 sw = &ses->swcr_algorithms[i];
  526                 switch (sw->sw_alg) {
  527                 case CRYPTO_AES_CCM_16:
  528                 case CRYPTO_AES_NIST_GCM_16:
  529                 case CRYPTO_AES_NIST_GMAC:
  530                         swe = sw;
  531                         crde = crd;
  532                         exf = swe->sw_exf;
  533                         /* AES_CCM_IV_LEN and AES_GCM_IV_LEN are both 12 */
  534                         ivlen = AES_CCM_IV_LEN;
  535                         break;
  536                 case CRYPTO_AES_CCM_CBC_MAC:
  537                         isccm = 1;
  538                         /* FALLTHROUGH */
  539                 case CRYPTO_AES_128_NIST_GMAC:
  540                 case CRYPTO_AES_192_NIST_GMAC:
  541                 case CRYPTO_AES_256_NIST_GMAC:
  542                         swa = sw;
  543                         crda = crd;
  544                         axf = swa->sw_axf;
  545                         if (swa->sw_ictx == 0)
  546                                 return (EINVAL);
  547                         bcopy(swa->sw_ictx, &ctx, axf->ctxsize);
  548                         blksz = axf->blocksize;
  549                         break;
  550                 default:
  551                         return (EINVAL);
  552                 }
  553         }
  554         if (crde == NULL || crda == NULL)
  555                 return (EINVAL);
  556         /*
  557          * We need to make sure that the auth algorithm matches the
  558          * encr algorithm.  Specifically, for AES-GCM must go with
  559          * AES NIST GMAC, and AES-CCM must go with CBC-MAC.
  560          */
  561         if (crde->crd_alg == CRYPTO_AES_NIST_GCM_16) {
  562                 switch (crda->crd_alg) {
  563                 case CRYPTO_AES_128_NIST_GMAC:
  564                 case CRYPTO_AES_192_NIST_GMAC:
  565                 case CRYPTO_AES_256_NIST_GMAC:
  566                         break;  /* Good! */
  567                 default:
  568                         return (EINVAL);        /* Not good! */
  569                 }
  570         } else if (crde->crd_alg == CRYPTO_AES_CCM_16 &&
  571             crda->crd_alg != CRYPTO_AES_CCM_CBC_MAC)
  572                 return (EINVAL);
  573 
  574         if ((crde->crd_alg == CRYPTO_AES_NIST_GCM_16 ||
  575              crde->crd_alg == CRYPTO_AES_CCM_16) &&
  576             (crde->crd_flags & CRD_F_IV_EXPLICIT) == 0)
  577                 return (EINVAL);
  578 
  579         if (crde->crd_klen != crda->crd_klen)
  580                 return (EINVAL);
  581 
  582         /* Initialize the IV */
  583         if (crde->crd_flags & CRD_F_ENCRYPT) {
  584                 /* IV explicitly provided ? */
  585                 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
  586                         bcopy(crde->crd_iv, iv, ivlen);
  587                 else
  588                         arc4rand(iv, ivlen, 0);
  589 
  590                 /* Do we need to write the IV */
  591                 if (!(crde->crd_flags & CRD_F_IV_PRESENT))
  592                         crypto_copyback(crp->crp_flags, buf, crde->crd_inject,
  593                             ivlen, iv);
  594 
  595         } else {        /* Decryption */
  596                         /* IV explicitly provided ? */
  597                 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
  598                         bcopy(crde->crd_iv, iv, ivlen);
  599                 else {
  600                         /* Get IV off buf */
  601                         crypto_copydata(crp->crp_flags, buf, crde->crd_inject,
  602                             ivlen, iv);
  603                 }
  604         }
  605 
  606         if (swa->sw_alg == CRYPTO_AES_CCM_CBC_MAC) {
  607                 /*
  608                  * AES CCM-CBC needs to know the length of
  609                  * both the auth data, and payload data, before
  610                  * doing the auth computation.
  611                  */
  612                 ctx.aes_cbc_mac_ctx.authDataLength = crda->crd_len;
  613                 ctx.aes_cbc_mac_ctx.cryptDataLength = crde->crd_len;
  614         }
  615         /* Supply MAC with IV */
  616         if (axf->Reinit)
  617                 axf->Reinit(&ctx, iv, ivlen);
  618 
  619         /* Supply MAC with AAD */
  620         aadlen = crda->crd_len;
  621 
  622         for (i = iskip; i < crda->crd_len; i += blksz) {
  623                 len = MIN(crda->crd_len - i, blksz - oskip);
  624                 crypto_copydata(crp->crp_flags, buf, crda->crd_skip + i, len,
  625                     blk + oskip);
  626                 bzero(blk + len + oskip, blksz - len - oskip);
  627                 axf->Update(&ctx, blk, blksz);
  628                 oskip = 0; /* reset initial output offset */
  629         }
  630 
  631         if (exf->reinit)
  632                 exf->reinit(swe->sw_kschedule, iv);
  633 
  634         /* Do encryption/decryption with MAC */
  635         for (i = 0; i < crde->crd_len; i += len) {
  636                 if (exf->encrypt_multi != NULL) {
  637                         len = rounddown(crde->crd_len - i, blksz);
  638                         if (len == 0)
  639                                 len = blksz;
  640                         else
  641                                 len = MIN(len, sizeof(blkbuf));
  642                 } else
  643                         len = blksz;
  644                 len = MIN(crde->crd_len - i, len);
  645                 if (len < blksz)
  646                         bzero(blk, blksz);
  647                 crypto_copydata(crp->crp_flags, buf, crde->crd_skip + i, len,
  648                     blk);
  649                 /*
  650                  * One of the problems with CCM+CBC is that the authentication
  651                  * is done on the unecncrypted data.  As a result, we have
  652                  * to do the authentication update at different times,
  653                  * depending on whether it's CCM or not.
  654                  */
  655                 if (crde->crd_flags & CRD_F_ENCRYPT) {
  656                         if (isccm)
  657                                 axf->Update(&ctx, blk, len);
  658                         if (exf->encrypt_multi != NULL)
  659                                 exf->encrypt_multi(swe->sw_kschedule, blk,
  660                                     len);
  661                         else
  662                                 exf->encrypt(swe->sw_kschedule, blk);
  663                         if (!isccm)
  664                                 axf->Update(&ctx, blk, len);
  665                         crypto_copyback(crp->crp_flags, buf,
  666                             crde->crd_skip + i, len, blk);
  667                 } else {
  668                         if (isccm) {
  669                                 KASSERT(exf->encrypt_multi == NULL,
  670                                     ("assume CCM is single-block only"));
  671                                 exf->decrypt(swe->sw_kschedule, blk);
  672                         }
  673                         axf->Update(&ctx, blk, len);
  674                 }
  675         }
  676 
  677         /* Do any required special finalization */
  678         switch (crda->crd_alg) {
  679                 case CRYPTO_AES_128_NIST_GMAC:
  680                 case CRYPTO_AES_192_NIST_GMAC:
  681                 case CRYPTO_AES_256_NIST_GMAC:
  682                         /* length block */
  683                         bzero(blk, blksz);
  684                         blkp = (uint32_t *)blk + 1;
  685                         *blkp = htobe32(aadlen * 8);
  686                         blkp = (uint32_t *)blk + 3;
  687                         *blkp = htobe32(crde->crd_len * 8);
  688                         axf->Update(&ctx, blk, blksz);
  689                         break;
  690         }
  691 
  692         /* Finalize MAC */
  693         axf->Final(aalg, &ctx);
  694 
  695         /* Validate tag */
  696         if (!(crde->crd_flags & CRD_F_ENCRYPT)) {
  697                 crypto_copydata(crp->crp_flags, buf, crda->crd_inject,
  698                     axf->hashsize, uaalg);
  699 
  700                 r = timingsafe_bcmp(aalg, uaalg, axf->hashsize);
  701                 if (r == 0) {
  702                         /* tag matches, decrypt data */
  703                         if (isccm) {
  704                                 KASSERT(exf->reinit != NULL,
  705                                     ("AES-CCM reinit function must be set"));
  706                                 exf->reinit(swe->sw_kschedule, iv);
  707                         }
  708                         for (i = 0; i < crde->crd_len; i += blksz) {
  709                                 len = MIN(crde->crd_len - i, blksz);
  710                                 if (len < blksz)
  711                                         bzero(blk, blksz);
  712                                 crypto_copydata(crp->crp_flags, buf,
  713                                     crde->crd_skip + i, len, blk);
  714                                 exf->decrypt(swe->sw_kschedule, blk);
  715                                 crypto_copyback(crp->crp_flags, buf,
  716                                     crde->crd_skip + i, len, blk);
  717                         }
  718                 } else
  719                         return (EBADMSG);
  720         } else {
  721                 /* Inject the authentication data */
  722                 crypto_copyback(crp->crp_flags, buf, crda->crd_inject,
  723                     axf->hashsize, aalg);
  724         }
  725 
  726         return (0);
  727 }
  728 
  729 /*
  730  * Apply a compression/decompression algorithm
  731  */
  732 static int
  733 swcr_compdec(struct cryptodesc *crd, struct swcr_data *sw,
  734     caddr_t buf, int flags)
  735 {
  736         u_int8_t *data, *out;
  737         struct comp_algo *cxf;
  738         int adj;
  739         u_int32_t result;
  740 
  741         cxf = sw->sw_cxf;
  742 
  743         /* We must handle the whole buffer of data in one time
  744          * then if there is not all the data in the mbuf, we must
  745          * copy in a buffer.
  746          */
  747 
  748         data = malloc(crd->crd_len, M_CRYPTO_DATA,  M_NOWAIT);
  749         if (data == NULL)
  750                 return (EINVAL);
  751         crypto_copydata(flags, buf, crd->crd_skip, crd->crd_len, data);
  752 
  753         if (crd->crd_flags & CRD_F_COMP)
  754                 result = cxf->compress(data, crd->crd_len, &out);
  755         else
  756                 result = cxf->decompress(data, crd->crd_len, &out);
  757 
  758         free(data, M_CRYPTO_DATA);
  759         if (result == 0)
  760                 return EINVAL;
  761 
  762         /* Copy back the (de)compressed data. m_copyback is
  763          * extending the mbuf as necessary.
  764          */
  765         sw->sw_size = result;
  766         /* Check the compressed size when doing compression */
  767         if (crd->crd_flags & CRD_F_COMP) {
  768                 if (result >= crd->crd_len) {
  769                         /* Compression was useless, we lost time */
  770                         free(out, M_CRYPTO_DATA);
  771                         return 0;
  772                 }
  773         }
  774 
  775         crypto_copyback(flags, buf, crd->crd_skip, result, out);
  776         if (result < crd->crd_len) {
  777                 adj = result - crd->crd_len;
  778                 if (flags & CRYPTO_F_IMBUF) {
  779                         adj = result - crd->crd_len;
  780                         m_adj((struct mbuf *)buf, adj);
  781                 } else if (flags & CRYPTO_F_IOV) {
  782                         struct uio *uio = (struct uio *)buf;
  783                         int ind;
  784 
  785                         adj = crd->crd_len - result;
  786                         ind = uio->uio_iovcnt - 1;
  787 
  788                         while (adj > 0 && ind >= 0) {
  789                                 if (adj < uio->uio_iov[ind].iov_len) {
  790                                         uio->uio_iov[ind].iov_len -= adj;
  791                                         break;
  792                                 }
  793 
  794                                 adj -= uio->uio_iov[ind].iov_len;
  795                                 uio->uio_iov[ind].iov_len = 0;
  796                                 ind--;
  797                                 uio->uio_iovcnt--;
  798                         }
  799                 }
  800         }
  801         free(out, M_CRYPTO_DATA);
  802         return 0;
  803 }
  804 
  805 /*
  806  * Generate a new software session.
  807  */
  808 static int
  809 swcr_newsession(device_t dev, crypto_session_t cses, struct cryptoini *cri)
  810 {
  811         struct swcr_session *ses;
  812         struct swcr_data *swd;
  813         struct auth_hash *axf;
  814         struct enc_xform *txf;
  815         struct comp_algo *cxf;
  816         size_t i;
  817         int len;
  818         int error;
  819 
  820         if (cses == NULL || cri == NULL)
  821                 return EINVAL;
  822 
  823         ses = crypto_get_driver_session(cses);
  824         mtx_init(&ses->swcr_lock, "swcr session lock", NULL, MTX_DEF);
  825 
  826         for (i = 0; cri != NULL && i < nitems(ses->swcr_algorithms); i++) {
  827                 swd = &ses->swcr_algorithms[i];
  828 
  829                 switch (cri->cri_alg) {
  830                 case CRYPTO_DES_CBC:
  831                         txf = &enc_xform_des;
  832                         goto enccommon;
  833                 case CRYPTO_3DES_CBC:
  834                         txf = &enc_xform_3des;
  835                         goto enccommon;
  836                 case CRYPTO_BLF_CBC:
  837                         txf = &enc_xform_blf;
  838                         goto enccommon;
  839                 case CRYPTO_CAST_CBC:
  840                         txf = &enc_xform_cast5;
  841                         goto enccommon;
  842                 case CRYPTO_SKIPJACK_CBC:
  843                         txf = &enc_xform_skipjack;
  844                         goto enccommon;
  845                 case CRYPTO_RIJNDAEL128_CBC:
  846                         txf = &enc_xform_rijndael128;
  847                         goto enccommon;
  848                 case CRYPTO_AES_XTS:
  849                         txf = &enc_xform_aes_xts;
  850                         goto enccommon;
  851                 case CRYPTO_AES_ICM:
  852                         txf = &enc_xform_aes_icm;
  853                         goto enccommon;
  854                 case CRYPTO_AES_NIST_GCM_16:
  855                         txf = &enc_xform_aes_nist_gcm;
  856                         goto enccommon;
  857                 case CRYPTO_AES_CCM_16:
  858                         txf = &enc_xform_ccm;
  859                         goto enccommon;
  860                 case CRYPTO_AES_NIST_GMAC:
  861                         txf = &enc_xform_aes_nist_gmac;
  862                         swd->sw_exf = txf;
  863                         break;
  864                 case CRYPTO_CAMELLIA_CBC:
  865                         txf = &enc_xform_camellia;
  866                         goto enccommon;
  867                 case CRYPTO_NULL_CBC:
  868                         txf = &enc_xform_null;
  869                         goto enccommon;
  870                 case CRYPTO_CHACHA20:
  871                         txf = &enc_xform_chacha20;
  872                         goto enccommon;
  873                 enccommon:
  874                         if (cri->cri_key != NULL) {
  875                                 error = txf->setkey(&swd->sw_kschedule,
  876                                     cri->cri_key, cri->cri_klen / 8);
  877                                 if (error) {
  878                                         swcr_freesession(dev, cses);
  879                                         return error;
  880                                 }
  881                         }
  882                         swd->sw_exf = txf;
  883                         break;
  884         
  885                 case CRYPTO_MD5_HMAC:
  886                         axf = &auth_hash_hmac_md5;
  887                         goto authcommon;
  888                 case CRYPTO_SHA1_HMAC:
  889                         axf = &auth_hash_hmac_sha1;
  890                         goto authcommon;
  891                 case CRYPTO_SHA2_224_HMAC:
  892                         axf = &auth_hash_hmac_sha2_224;
  893                         goto authcommon;
  894                 case CRYPTO_SHA2_256_HMAC:
  895                         axf = &auth_hash_hmac_sha2_256;
  896                         goto authcommon;
  897                 case CRYPTO_SHA2_384_HMAC:
  898                         axf = &auth_hash_hmac_sha2_384;
  899                         goto authcommon;
  900                 case CRYPTO_SHA2_512_HMAC:
  901                         axf = &auth_hash_hmac_sha2_512;
  902                         goto authcommon;
  903                 case CRYPTO_NULL_HMAC:
  904                         axf = &auth_hash_null;
  905                         goto authcommon;
  906                 case CRYPTO_RIPEMD160_HMAC:
  907                         axf = &auth_hash_hmac_ripemd_160;
  908                 authcommon:
  909                         swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
  910                             M_NOWAIT);
  911                         if (swd->sw_ictx == NULL) {
  912                                 swcr_freesession(dev, cses);
  913                                 return ENOBUFS;
  914                         }
  915         
  916                         swd->sw_octx = malloc(axf->ctxsize, M_CRYPTO_DATA,
  917                             M_NOWAIT);
  918                         if (swd->sw_octx == NULL) {
  919                                 swcr_freesession(dev, cses);
  920                                 return ENOBUFS;
  921                         }
  922 
  923                         if (cri->cri_key != NULL) {
  924                                 error = swcr_authprepare(axf, swd,
  925                                     cri->cri_key, cri->cri_klen);
  926                                 if (error != 0) {
  927                                         swcr_freesession(dev, cses);
  928                                         return error;
  929                                 }
  930                         }
  931 
  932                         swd->sw_mlen = cri->cri_mlen;
  933                         swd->sw_axf = axf;
  934                         break;
  935         
  936                 case CRYPTO_MD5_KPDK:
  937                         axf = &auth_hash_key_md5;
  938                         goto auth2common;
  939         
  940                 case CRYPTO_SHA1_KPDK:
  941                         axf = &auth_hash_key_sha1;
  942                 auth2common:
  943                         swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
  944                             M_NOWAIT);
  945                         if (swd->sw_ictx == NULL) {
  946                                 swcr_freesession(dev, cses);
  947                                 return ENOBUFS;
  948                         }
  949         
  950                         swd->sw_octx = malloc(cri->cri_klen / 8,
  951                             M_CRYPTO_DATA, M_NOWAIT);
  952                         if (swd->sw_octx == NULL) {
  953                                 swcr_freesession(dev, cses);
  954                                 return ENOBUFS;
  955                         }
  956 
  957                         /* Store the key so we can "append" it to the payload */
  958                         if (cri->cri_key != NULL) {
  959                                 error = swcr_authprepare(axf, swd,
  960                                     cri->cri_key, cri->cri_klen);
  961                                 if (error != 0) {
  962                                         swcr_freesession(dev, cses);
  963                                         return error;
  964                                 }
  965                         }
  966 
  967                         swd->sw_mlen = cri->cri_mlen;
  968                         swd->sw_axf = axf;
  969                         break;
  970 #ifdef notdef
  971                 case CRYPTO_MD5:
  972                         axf = &auth_hash_md5;
  973                         goto auth3common;
  974 #endif
  975 
  976                 case CRYPTO_SHA1:
  977                         axf = &auth_hash_sha1;
  978                         goto auth3common;
  979                 case CRYPTO_SHA2_224:
  980                         axf = &auth_hash_sha2_224;
  981                         goto auth3common;
  982                 case CRYPTO_SHA2_256:
  983                         axf = &auth_hash_sha2_256;
  984                         goto auth3common;
  985                 case CRYPTO_SHA2_384:
  986                         axf = &auth_hash_sha2_384;
  987                         goto auth3common;
  988                 case CRYPTO_SHA2_512:
  989                         axf = &auth_hash_sha2_512;
  990 
  991                 auth3common:
  992                         swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
  993                             M_NOWAIT);
  994                         if (swd->sw_ictx == NULL) {
  995                                 swcr_freesession(dev, cses);
  996                                 return ENOBUFS;
  997                         }
  998 
  999                         axf->Init(swd->sw_ictx);
 1000                         swd->sw_mlen = cri->cri_mlen;
 1001                         swd->sw_axf = axf;
 1002                         break;
 1003 
 1004                 case CRYPTO_AES_CCM_CBC_MAC:
 1005                         switch (cri->cri_klen) {
 1006                         case 128:
 1007                                 axf = &auth_hash_ccm_cbc_mac_128;
 1008                                 break;
 1009                         case 192:
 1010                                 axf = &auth_hash_ccm_cbc_mac_192;
 1011                                 break;
 1012                         case 256:
 1013                                 axf = &auth_hash_ccm_cbc_mac_256;
 1014                                 break;
 1015                         default:
 1016                                 swcr_freesession(dev, cses);
 1017                                 return EINVAL;
 1018                         }
 1019                         goto auth4common;
 1020                 case CRYPTO_AES_128_NIST_GMAC:
 1021                         axf = &auth_hash_nist_gmac_aes_128;
 1022                         goto auth4common;
 1023 
 1024                 case CRYPTO_AES_192_NIST_GMAC:
 1025                         axf = &auth_hash_nist_gmac_aes_192;
 1026                         goto auth4common;
 1027 
 1028                 case CRYPTO_AES_256_NIST_GMAC:
 1029                         axf = &auth_hash_nist_gmac_aes_256;
 1030                 auth4common:
 1031                         len = cri->cri_klen / 8;
 1032                         if (len != 16 && len != 24 && len != 32) {
 1033                                 swcr_freesession(dev, cses);
 1034                                 return EINVAL;
 1035                         }
 1036 
 1037                         swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
 1038                             M_NOWAIT);
 1039                         if (swd->sw_ictx == NULL) {
 1040                                 swcr_freesession(dev, cses);
 1041                                 return ENOBUFS;
 1042                         }
 1043                         axf->Init(swd->sw_ictx);
 1044                         axf->Setkey(swd->sw_ictx, cri->cri_key, len);
 1045                         swd->sw_axf = axf;
 1046                         break;
 1047 
 1048                 case CRYPTO_BLAKE2B:
 1049                         axf = &auth_hash_blake2b;
 1050                         goto auth5common;
 1051                 case CRYPTO_BLAKE2S:
 1052                         axf = &auth_hash_blake2s;
 1053                         goto auth5common;
 1054                 case CRYPTO_POLY1305:
 1055                         axf = &auth_hash_poly1305;
 1056                 auth5common:
 1057                         swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
 1058                             M_NOWAIT);
 1059                         if (swd->sw_ictx == NULL) {
 1060                                 swcr_freesession(dev, cses);
 1061                                 return ENOBUFS;
 1062                         }
 1063                         axf->Setkey(swd->sw_ictx, cri->cri_key,
 1064                             cri->cri_klen / 8);
 1065                         axf->Init(swd->sw_ictx);
 1066                         swd->sw_axf = axf;
 1067                         break;
 1068 
 1069                 case CRYPTO_DEFLATE_COMP:
 1070                         cxf = &comp_algo_deflate;
 1071                         swd->sw_cxf = cxf;
 1072                         break;
 1073                 default:
 1074                         swcr_freesession(dev, cses);
 1075                         return EINVAL;
 1076                 }
 1077         
 1078                 swd->sw_alg = cri->cri_alg;
 1079                 cri = cri->cri_next;
 1080                 ses->swcr_nalgs++;
 1081         }
 1082 
 1083         if (cri != NULL) {
 1084                 CRYPTDEB("Bogus session request for three or more algorithms");
 1085                 return EINVAL;
 1086         }
 1087         return 0;
 1088 }
 1089 
 1090 static void
 1091 swcr_freesession(device_t dev, crypto_session_t cses)
 1092 {
 1093         struct swcr_session *ses;
 1094         struct swcr_data *swd;
 1095         struct enc_xform *txf;
 1096         struct auth_hash *axf;
 1097         size_t i;
 1098 
 1099         ses = crypto_get_driver_session(cses);
 1100 
 1101         mtx_destroy(&ses->swcr_lock);
 1102         for (i = 0; i < nitems(ses->swcr_algorithms); i++) {
 1103                 swd = &ses->swcr_algorithms[i];
 1104 
 1105                 switch (swd->sw_alg) {
 1106                 case CRYPTO_DES_CBC:
 1107                 case CRYPTO_3DES_CBC:
 1108                 case CRYPTO_BLF_CBC:
 1109                 case CRYPTO_CAST_CBC:
 1110                 case CRYPTO_SKIPJACK_CBC:
 1111                 case CRYPTO_RIJNDAEL128_CBC:
 1112                 case CRYPTO_AES_XTS:
 1113                 case CRYPTO_AES_ICM:
 1114                 case CRYPTO_AES_NIST_GCM_16:
 1115                 case CRYPTO_AES_NIST_GMAC:
 1116                 case CRYPTO_CAMELLIA_CBC:
 1117                 case CRYPTO_NULL_CBC:
 1118                 case CRYPTO_CHACHA20:
 1119                 case CRYPTO_AES_CCM_16:
 1120                         txf = swd->sw_exf;
 1121 
 1122                         if (swd->sw_kschedule)
 1123                                 txf->zerokey(&(swd->sw_kschedule));
 1124                         break;
 1125 
 1126                 case CRYPTO_MD5_HMAC:
 1127                 case CRYPTO_SHA1_HMAC:
 1128                 case CRYPTO_SHA2_224_HMAC:
 1129                 case CRYPTO_SHA2_256_HMAC:
 1130                 case CRYPTO_SHA2_384_HMAC:
 1131                 case CRYPTO_SHA2_512_HMAC:
 1132                 case CRYPTO_RIPEMD160_HMAC:
 1133                 case CRYPTO_NULL_HMAC:
 1134                 case CRYPTO_AES_CCM_CBC_MAC:
 1135                         axf = swd->sw_axf;
 1136 
 1137                         if (swd->sw_ictx) {
 1138                                 bzero(swd->sw_ictx, axf->ctxsize);
 1139                                 free(swd->sw_ictx, M_CRYPTO_DATA);
 1140                         }
 1141                         if (swd->sw_octx) {
 1142                                 bzero(swd->sw_octx, axf->ctxsize);
 1143                                 free(swd->sw_octx, M_CRYPTO_DATA);
 1144                         }
 1145                         break;
 1146 
 1147                 case CRYPTO_MD5_KPDK:
 1148                 case CRYPTO_SHA1_KPDK:
 1149                         axf = swd->sw_axf;
 1150 
 1151                         if (swd->sw_ictx) {
 1152                                 bzero(swd->sw_ictx, axf->ctxsize);
 1153                                 free(swd->sw_ictx, M_CRYPTO_DATA);
 1154                         }
 1155                         if (swd->sw_octx) {
 1156                                 bzero(swd->sw_octx, swd->sw_klen);
 1157                                 free(swd->sw_octx, M_CRYPTO_DATA);
 1158                         }
 1159                         break;
 1160 
 1161                 case CRYPTO_BLAKE2B:
 1162                 case CRYPTO_BLAKE2S:
 1163                 case CRYPTO_MD5:
 1164                 case CRYPTO_POLY1305:
 1165                 case CRYPTO_SHA1:
 1166                 case CRYPTO_SHA2_224:
 1167                 case CRYPTO_SHA2_256:
 1168                 case CRYPTO_SHA2_384:
 1169                 case CRYPTO_SHA2_512:
 1170                 case CRYPTO_AES_128_NIST_GMAC:
 1171                 case CRYPTO_AES_192_NIST_GMAC:
 1172                 case CRYPTO_AES_256_NIST_GMAC:
 1173                         axf = swd->sw_axf;
 1174 
 1175                         if (swd->sw_ictx) {
 1176                                 explicit_bzero(swd->sw_ictx, axf->ctxsize);
 1177                                 free(swd->sw_ictx, M_CRYPTO_DATA);
 1178                         }
 1179                         break;
 1180 
 1181                 case CRYPTO_DEFLATE_COMP:
 1182                         /* Nothing to do */
 1183                         break;
 1184                 }
 1185         }
 1186 }
 1187 
 1188 /*
 1189  * Process a software request.
 1190  */
 1191 static int
 1192 swcr_process(device_t dev, struct cryptop *crp, int hint)
 1193 {
 1194         struct swcr_session *ses = NULL;
 1195         struct cryptodesc *crd;
 1196         struct swcr_data *sw;
 1197         size_t i;
 1198 
 1199         /* Sanity check */
 1200         if (crp == NULL)
 1201                 return EINVAL;
 1202 
 1203         if (crp->crp_desc == NULL || crp->crp_buf == NULL) {
 1204                 crp->crp_etype = EINVAL;
 1205                 goto done;
 1206         }
 1207 
 1208         ses = crypto_get_driver_session(crp->crp_session);
 1209         mtx_lock(&ses->swcr_lock);
 1210 
 1211         /* Go through crypto descriptors, processing as we go */
 1212         for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
 1213                 /*
 1214                  * Find the crypto context.
 1215                  *
 1216                  * XXX Note that the logic here prevents us from having
 1217                  * XXX the same algorithm multiple times in a session
 1218                  * XXX (or rather, we can but it won't give us the right
 1219                  * XXX results). To do that, we'd need some way of differentiating
 1220                  * XXX between the various instances of an algorithm (so we can
 1221                  * XXX locate the correct crypto context).
 1222                  */
 1223                 for (i = 0; i < nitems(ses->swcr_algorithms) &&
 1224                     ses->swcr_algorithms[i].sw_alg != crd->crd_alg; i++)
 1225                         ;
 1226 
 1227                 /* No such context ? */
 1228                 if (i == nitems(ses->swcr_algorithms)) {
 1229                         crp->crp_etype = EINVAL;
 1230                         goto done;
 1231                 }
 1232                 sw = &ses->swcr_algorithms[i];
 1233                 switch (sw->sw_alg) {
 1234                 case CRYPTO_DES_CBC:
 1235                 case CRYPTO_3DES_CBC:
 1236                 case CRYPTO_BLF_CBC:
 1237                 case CRYPTO_CAST_CBC:
 1238                 case CRYPTO_SKIPJACK_CBC:
 1239                 case CRYPTO_RIJNDAEL128_CBC:
 1240                 case CRYPTO_AES_XTS:
 1241                 case CRYPTO_AES_ICM:
 1242                 case CRYPTO_CAMELLIA_CBC:
 1243                 case CRYPTO_CHACHA20:
 1244                         if ((crp->crp_etype = swcr_encdec(crd, sw,
 1245                             crp->crp_buf, crp->crp_flags)) != 0)
 1246                                 goto done;
 1247                         break;
 1248                 case CRYPTO_NULL_CBC:
 1249                         crp->crp_etype = 0;
 1250                         break;
 1251                 case CRYPTO_MD5_HMAC:
 1252                 case CRYPTO_SHA1_HMAC:
 1253                 case CRYPTO_SHA2_224_HMAC:
 1254                 case CRYPTO_SHA2_256_HMAC:
 1255                 case CRYPTO_SHA2_384_HMAC:
 1256                 case CRYPTO_SHA2_512_HMAC:
 1257                 case CRYPTO_RIPEMD160_HMAC:
 1258                 case CRYPTO_NULL_HMAC:
 1259                 case CRYPTO_MD5_KPDK:
 1260                 case CRYPTO_SHA1_KPDK:
 1261                 case CRYPTO_MD5:
 1262                 case CRYPTO_SHA1:
 1263                 case CRYPTO_SHA2_224:
 1264                 case CRYPTO_SHA2_256:
 1265                 case CRYPTO_SHA2_384:
 1266                 case CRYPTO_SHA2_512:
 1267                 case CRYPTO_BLAKE2B:
 1268                 case CRYPTO_BLAKE2S:
 1269                 case CRYPTO_POLY1305:
 1270                         if ((crp->crp_etype = swcr_authcompute(crd, sw,
 1271                             crp->crp_buf, crp->crp_flags)) != 0)
 1272                                 goto done;
 1273                         break;
 1274 
 1275                 case CRYPTO_AES_NIST_GCM_16:
 1276                 case CRYPTO_AES_NIST_GMAC:
 1277                 case CRYPTO_AES_128_NIST_GMAC:
 1278                 case CRYPTO_AES_192_NIST_GMAC:
 1279                 case CRYPTO_AES_256_NIST_GMAC:
 1280                 case CRYPTO_AES_CCM_16:
 1281                 case CRYPTO_AES_CCM_CBC_MAC:
 1282                         crp->crp_etype = swcr_authenc(crp);
 1283                         goto done;
 1284 
 1285                 case CRYPTO_DEFLATE_COMP:
 1286                         if ((crp->crp_etype = swcr_compdec(crd, sw, 
 1287                             crp->crp_buf, crp->crp_flags)) != 0)
 1288                                 goto done;
 1289                         else
 1290                                 crp->crp_olen = (int)sw->sw_size;
 1291                         break;
 1292 
 1293                 default:
 1294                         /* Unknown/unsupported algorithm */
 1295                         crp->crp_etype = EINVAL;
 1296                         goto done;
 1297                 }
 1298         }
 1299 
 1300 done:
 1301         if (ses)
 1302                 mtx_unlock(&ses->swcr_lock);
 1303         crypto_done(crp);
 1304         return 0;
 1305 }
 1306 
 1307 static void
 1308 swcr_identify(driver_t *drv, device_t parent)
 1309 {
 1310         /* NB: order 10 is so we get attached after h/w devices */
 1311         if (device_find_child(parent, "cryptosoft", -1) == NULL &&
 1312             BUS_ADD_CHILD(parent, 10, "cryptosoft", 0) == 0)
 1313                 panic("cryptosoft: could not attach");
 1314 }
 1315 
 1316 static int
 1317 swcr_probe(device_t dev)
 1318 {
 1319         device_set_desc(dev, "software crypto");
 1320         return (BUS_PROBE_NOWILDCARD);
 1321 }
 1322 
 1323 static int
 1324 swcr_attach(device_t dev)
 1325 {
 1326         memset(hmac_ipad_buffer, HMAC_IPAD_VAL, HMAC_MAX_BLOCK_LEN);
 1327         memset(hmac_opad_buffer, HMAC_OPAD_VAL, HMAC_MAX_BLOCK_LEN);
 1328 
 1329         swcr_id = crypto_get_driverid(dev, sizeof(struct swcr_session),
 1330                         CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_SYNC);
 1331         if (swcr_id < 0) {
 1332                 device_printf(dev, "cannot initialize!");
 1333                 return ENOMEM;
 1334         }
 1335 #define REGISTER(alg) \
 1336         crypto_register(swcr_id, alg, 0,0)
 1337         REGISTER(CRYPTO_DES_CBC);
 1338         REGISTER(CRYPTO_3DES_CBC);
 1339         REGISTER(CRYPTO_BLF_CBC);
 1340         REGISTER(CRYPTO_CAST_CBC);
 1341         REGISTER(CRYPTO_SKIPJACK_CBC);
 1342         REGISTER(CRYPTO_NULL_CBC);
 1343         REGISTER(CRYPTO_MD5_HMAC);
 1344         REGISTER(CRYPTO_SHA1_HMAC);
 1345         REGISTER(CRYPTO_SHA2_224_HMAC);
 1346         REGISTER(CRYPTO_SHA2_256_HMAC);
 1347         REGISTER(CRYPTO_SHA2_384_HMAC);
 1348         REGISTER(CRYPTO_SHA2_512_HMAC);
 1349         REGISTER(CRYPTO_RIPEMD160_HMAC);
 1350         REGISTER(CRYPTO_NULL_HMAC);
 1351         REGISTER(CRYPTO_MD5_KPDK);
 1352         REGISTER(CRYPTO_SHA1_KPDK);
 1353         REGISTER(CRYPTO_MD5);
 1354         REGISTER(CRYPTO_SHA1);
 1355         REGISTER(CRYPTO_SHA2_224);
 1356         REGISTER(CRYPTO_SHA2_256);
 1357         REGISTER(CRYPTO_SHA2_384);
 1358         REGISTER(CRYPTO_SHA2_512);
 1359         REGISTER(CRYPTO_RIJNDAEL128_CBC);
 1360         REGISTER(CRYPTO_AES_XTS);
 1361         REGISTER(CRYPTO_AES_ICM);
 1362         REGISTER(CRYPTO_AES_NIST_GCM_16);
 1363         REGISTER(CRYPTO_AES_NIST_GMAC);
 1364         REGISTER(CRYPTO_AES_128_NIST_GMAC);
 1365         REGISTER(CRYPTO_AES_192_NIST_GMAC);
 1366         REGISTER(CRYPTO_AES_256_NIST_GMAC);
 1367         REGISTER(CRYPTO_CAMELLIA_CBC);
 1368         REGISTER(CRYPTO_DEFLATE_COMP);
 1369         REGISTER(CRYPTO_BLAKE2B);
 1370         REGISTER(CRYPTO_BLAKE2S);
 1371         REGISTER(CRYPTO_CHACHA20);
 1372         REGISTER(CRYPTO_AES_CCM_16);
 1373         REGISTER(CRYPTO_AES_CCM_CBC_MAC);
 1374         REGISTER(CRYPTO_POLY1305);
 1375 #undef REGISTER
 1376 
 1377         return 0;
 1378 }
 1379 
 1380 static int
 1381 swcr_detach(device_t dev)
 1382 {
 1383         crypto_unregister_all(swcr_id);
 1384         return 0;
 1385 }
 1386 
 1387 static device_method_t swcr_methods[] = {
 1388         DEVMETHOD(device_identify,      swcr_identify),
 1389         DEVMETHOD(device_probe,         swcr_probe),
 1390         DEVMETHOD(device_attach,        swcr_attach),
 1391         DEVMETHOD(device_detach,        swcr_detach),
 1392 
 1393         DEVMETHOD(cryptodev_newsession, swcr_newsession),
 1394         DEVMETHOD(cryptodev_freesession,swcr_freesession),
 1395         DEVMETHOD(cryptodev_process,    swcr_process),
 1396 
 1397         {0, 0},
 1398 };
 1399 
 1400 static driver_t swcr_driver = {
 1401         "cryptosoft",
 1402         swcr_methods,
 1403         0,              /* NB: no softc */
 1404 };
 1405 static devclass_t swcr_devclass;
 1406 
 1407 /*
 1408  * NB: We explicitly reference the crypto module so we
 1409  * get the necessary ordering when built as a loadable
 1410  * module.  This is required because we bundle the crypto
 1411  * module code together with the cryptosoft driver (otherwise
 1412  * normal module dependencies would handle things).
 1413  */
 1414 extern int crypto_modevent(struct module *, int, void *);
 1415 /* XXX where to attach */
 1416 DRIVER_MODULE(cryptosoft, nexus, swcr_driver, swcr_devclass, crypto_modevent,0);
 1417 MODULE_VERSION(cryptosoft, 1);
 1418 MODULE_DEPEND(cryptosoft, crypto, 1, 1, 1);

Cache object: db0dd2d704e94cc59314143d162de898


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.