|
1 |
diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c
|
|
2 |
index 068ad0e..872aa43 100644
|
|
3 |
--- a/lib/libipsec/pfkey_dump.c
|
|
4 |
+++ b/lib/libipsec/pfkey_dump.c
|
|
5 |
@@ -187,6 +187,9 @@ static struct val2str str_alg_enc[] = {
|
|
6 |
#ifdef SADB_X_EALG_AESCTR
|
|
7 |
{ SADB_X_EALG_AESCTR, "aes-ctr", },
|
|
8 |
#endif
|
|
9 |
+#ifdef SADB_X_EALG_AESGCM16
|
|
10 |
+ { SADB_X_EALG_AESGCM16, "aes-gcm-16", },
|
|
11 |
+#endif
|
|
12 |
#ifdef SADB_X_EALG_CAMELLIACBC
|
|
13 |
{ SADB_X_EALG_CAMELLIACBC, "camellia-cbc", },
|
|
14 |
#endif
|
|
15 |
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
|
|
16 |
index 19a9164..0e67bb2 100644
|
|
17 |
--- a/sbin/setkey/setkey.8
|
|
18 |
+++ b/sbin/setkey/setkey.8
|
|
19 |
@@ -627,11 +627,12 @@ des-deriv 64 ipsec-ciph-des-derived-01
|
|
20 |
3des-deriv 192 no document
|
|
21 |
rijndael-cbc 128/192/256 rfc3602
|
|
22 |
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
|
|
23 |
+aes-gcm-16 160/224/288 rfc4106
|
|
24 |
camllia-cbc 128/192/256 rfc4312
|
|
25 |
.Ed
|
|
26 |
.Pp
|
|
27 |
Note that the first 128/192/256 bits of a key for
|
|
28 |
-.Li aes-ctr
|
|
29 |
+.Li aes-ctr or aes-gcm-16
|
|
30 |
will be used as AES key, and remaining 32 bits will be used as nonce.
|
|
31 |
.Pp
|
|
32 |
The following are the list of compression algorithms that can be used
|
|
33 |
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
|
|
34 |
index c89982f..f258e63 100644
|
|
35 |
--- a/sbin/setkey/token.l
|
|
36 |
+++ b/sbin/setkey/token.l
|
|
37 |
@@ -168,6 +168,7 @@ tcp { yylval.num = 0; return(PR_TCP); }
|
|
38 |
<S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); }
|
|
39 |
<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
|
|
40 |
<S_ENCALG>camellia-cbc { yylval.num = SADB_X_EALG_CAMELLIACBC; BEGIN INITIAL; return(ALG_ENC); }
|
|
41 |
+<S_ENCALG>aes-gcm-16 { yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC); }
|
|
42 |
|
|
43 |
/* compression algorithms */
|
|
44 |
{hyphen}C { return(F_COMP); }
|
|
45 |
diff --git a/sys/conf/files b/sys/conf/files
|
|
46 |
index e978443..8440b86 100644
|
|
47 |
--- a/sys/conf/files
|
|
48 |
+++ b/sys/conf/files
|
|
49 |
@@ -3777,6 +3777,7 @@ opencrypto/cryptodev.c optional cryptodev
|
|
50 |
opencrypto/cryptodev_if.m optional crypto
|
|
51 |
opencrypto/cryptosoft.c optional crypto
|
|
52 |
opencrypto/cryptodeflate.c optional crypto
|
|
53 |
+opencrypto/gmac.c optional crypto
|
|
54 |
opencrypto/rmd160.c optional crypto | ipsec
|
|
55 |
opencrypto/skipjack.c optional crypto
|
|
56 |
opencrypto/xform.c optional crypto
|
|
57 |
diff --git a/sys/crypto/via/padlock_hash.c b/sys/crypto/via/padlock_hash.c
|
|
58 |
index 924a9ec..133581f 100644
|
|
59 |
--- a/sys/crypto/via/padlock_hash.c
|
|
60 |
+++ b/sys/crypto/via/padlock_hash.c
|
|
61 |
@@ -75,7 +75,7 @@ struct padlock_sha_ctx {
|
|
62 |
CTASSERT(sizeof(struct padlock_sha_ctx) <= sizeof(union authctx));
|
|
63 |
|
|
64 |
static void padlock_sha_init(struct padlock_sha_ctx *ctx);
|
|
65 |
-static int padlock_sha_update(struct padlock_sha_ctx *ctx, uint8_t *buf,
|
|
66 |
+static int padlock_sha_update(struct padlock_sha_ctx *ctx, const uint8_t *buf,
|
|
67 |
uint16_t bufsize);
|
|
68 |
static void padlock_sha1_final(uint8_t *hash, struct padlock_sha_ctx *ctx);
|
|
69 |
static void padlock_sha256_final(uint8_t *hash, struct padlock_sha_ctx *ctx);
|
|
70 |
@@ -83,16 +83,16 @@ static void padlock_sha256_final(uint8_t *hash, struct padlock_sha_ctx *ctx);
|
|
71 |
static struct auth_hash padlock_hmac_sha1 = {
|
|
72 |
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
|
|
73 |
20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(struct padlock_sha_ctx),
|
|
74 |
- (void (*)(void *))padlock_sha_init,
|
|
75 |
- (int (*)(void *, uint8_t *, uint16_t))padlock_sha_update,
|
|
76 |
+ (void (*)(void *))padlock_sha_init, NULL, NULL,
|
|
77 |
+ (int (*)(void *, const uint8_t *, uint16_t))padlock_sha_update,
|
|
78 |
(void (*)(uint8_t *, void *))padlock_sha1_final
|
|
79 |
};
|
|
80 |
|
|
81 |
static struct auth_hash padlock_hmac_sha256 = {
|
|
82 |
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
|
|
83 |
32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(struct padlock_sha_ctx),
|
|
84 |
- (void (*)(void *))padlock_sha_init,
|
|
85 |
- (int (*)(void *, uint8_t *, uint16_t))padlock_sha_update,
|
|
86 |
+ (void (*)(void *))padlock_sha_init, NULL, NULL,
|
|
87 |
+ (int (*)(void *, const uint8_t *, uint16_t))padlock_sha_update,
|
|
88 |
(void (*)(uint8_t *, void *))padlock_sha256_final
|
|
89 |
};
|
|
90 |
|
|
91 |
@@ -167,7 +167,7 @@ padlock_sha_init(struct padlock_sha_ctx *ctx)
|
|
92 |
}
|
|
93 |
|
|
94 |
static int
|
|
95 |
-padlock_sha_update(struct padlock_sha_ctx *ctx, uint8_t *buf, uint16_t bufsize)
|
|
96 |
+padlock_sha_update(struct padlock_sha_ctx *ctx, const uint8_t *buf, uint16_t bufsize)
|
|
97 |
{
|
|
98 |
|
|
99 |
if (ctx->psc_size - ctx->psc_offset < bufsize) {
|
|
100 |
diff --git a/sys/modules/crypto/Makefile b/sys/modules/crypto/Makefile
|
|
101 |
index 6a37c10..7d84c97 100644
|
|
102 |
--- a/sys/modules/crypto/Makefile
|
|
103 |
+++ b/sys/modules/crypto/Makefile
|
|
104 |
@@ -15,6 +15,7 @@ SRCS += cast.c cryptodeflate.c rmd160.c rijndael-alg-fst.c rijndael-api.c
|
|
105 |
SRCS += skipjack.c bf_enc.c bf_ecb.c bf_skey.c
|
|
106 |
SRCS += des_ecb.c des_enc.c des_setkey.c
|
|
107 |
SRCS += sha1.c sha2.c
|
|
108 |
+SRCS += gmac.c
|
|
109 |
SRCS += opt_param.h cryptodev_if.h bus_if.h device_if.h
|
|
110 |
SRCS += opt_ddb.h opt_kdtrace.h
|
|
111 |
SRCS += camellia.c camellia-api.c
|
|
112 |
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
|
|
113 |
index c45f8b0..fc8bea7 100644
|
|
114 |
--- a/sys/net/pfkeyv2.h
|
|
115 |
+++ b/sys/net/pfkeyv2.h
|
|
116 |
@@ -343,6 +343,9 @@ struct sadb_x_nat_t_frag {
|
|
117 |
#define SADB_X_AALG_SHA2_512 7
|
|
118 |
#define SADB_X_AALG_RIPEMD160HMAC 8
|
|
119 |
#define SADB_X_AALG_AES_XCBC_MAC 9 /* draft-ietf-ipsec-ciph-aes-xcbc-mac-04 */
|
|
120 |
+#define SADB_X_AALG_AES128GMAC 11 /* RFC4543 + Errata1821 */
|
|
121 |
+#define SADB_X_AALG_AES192GMAC 12
|
|
122 |
+#define SADB_X_AALG_AES256GMAC 13
|
|
123 |
/* private allocations should use 249-255 (RFC2407) */
|
|
124 |
#define SADB_X_AALG_MD5 249 /* Keyed MD5 */
|
|
125 |
#define SADB_X_AALG_SHA 250 /* Keyed SHA */
|
|
126 |
@@ -360,6 +363,9 @@ struct sadb_x_nat_t_frag {
|
|
127 |
#define SADB_X_EALG_BLOWFISHCBC 7
|
|
128 |
#define SADB_X_EALG_RIJNDAELCBC 12
|
|
129 |
#define SADB_X_EALG_AES 12
|
|
130 |
+#define SADB_X_EALG_AESGCM8 18 /* RFC4106 */
|
|
131 |
+#define SADB_X_EALG_AESGCM12 19
|
|
132 |
+#define SADB_X_EALG_AESGCM16 20
|
|
133 |
/* private allocations - based on RFC4312/IANA assignment */
|
|
134 |
#define SADB_X_EALG_CAMELLIACBC 22
|
|
135 |
/* private allocations should use 249-255 (RFC2407) */
|
|
136 |
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
|
|
137 |
index bb6d1e6..2639634 100644
|
|
138 |
--- a/sys/netipsec/xform_esp.c
|
|
139 |
+++ b/sys/netipsec/xform_esp.c
|
|
140 |
@@ -120,6 +120,10 @@ esp_algorithm_lookup(int alg)
|
|
141 |
return &enc_xform_null;
|
|
142 |
case SADB_X_EALG_CAMELLIACBC:
|
|
143 |
return &enc_xform_camellia;
|
|
144 |
+ case SADB_X_EALG_AESCTR:
|
|
145 |
+ return &enc_xform_aes_ctr;
|
|
146 |
+ case SADB_X_EALG_AESGCM16:
|
|
147 |
+ return &enc_xform_aes_gcm;
|
|
148 |
}
|
|
149 |
return NULL;
|
|
150 |
}
|
|
151 |
@@ -214,6 +218,27 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
|
|
152 |
sav->tdb_xform = xsp;
|
|
153 |
sav->tdb_encalgxform = txform;
|
|
154 |
|
|
155 |
+ if (sav->alg_enc == SADB_X_EALG_AESGCM16) {
|
|
156 |
+ switch (keylen) {
|
|
157 |
+ case 20:
|
|
158 |
+ sav->alg_auth = SADB_X_AALG_AES128GMAC;
|
|
159 |
+ sav->tdb_authalgxform = &auth_hash_gmac_aes_128;
|
|
160 |
+ break;
|
|
161 |
+ case 28:
|
|
162 |
+ sav->alg_auth = SADB_X_AALG_AES192GMAC;
|
|
163 |
+ sav->tdb_authalgxform = &auth_hash_gmac_aes_192;
|
|
164 |
+ break;
|
|
165 |
+ case 36:
|
|
166 |
+ sav->alg_auth = SADB_X_AALG_AES256GMAC;
|
|
167 |
+ sav->tdb_authalgxform = &auth_hash_gmac_aes_256;
|
|
168 |
+ break;
|
|
169 |
+ }
|
|
170 |
+ bzero(&cria, sizeof(cria));
|
|
171 |
+ cria.cri_alg = sav->tdb_authalgxform->type;
|
|
172 |
+ cria.cri_klen = _KEYBITS(sav->key_enc);
|
|
173 |
+ cria.cri_key = sav->key_enc->key_data;
|
|
174 |
+ }
|
|
175 |
+
|
|
176 |
/* Initialize crypto session. */
|
|
177 |
bzero(&crie, sizeof (crie));
|
|
178 |
crie.cri_alg = sav->tdb_encalgxform->type;
|
|
179 |
@@ -309,6 +334,11 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
|
180 |
case CRYPTO_SHA2_512_HMAC:
|
|
181 |
alen = esph->hashsize/2;
|
|
182 |
break;
|
|
183 |
+ case CRYPTO_AES_128_GMAC:
|
|
184 |
+ case CRYPTO_AES_192_GMAC:
|
|
185 |
+ case CRYPTO_AES_256_GMAC:
|
|
186 |
+ alen = esph->hashsize;
|
|
187 |
+ break;
|
|
188 |
default:
|
|
189 |
alen = AH_HMAC_HASHLEN;
|
|
190 |
break;
|
|
191 |
@@ -396,12 +426,20 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
|
192 |
|
|
193 |
/* Authentication descriptor */
|
|
194 |
crda->crd_skip = skip;
|
|
195 |
- crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
|
196 |
+ if (espx && espx->type == CRYPTO_AES_GCM_16)
|
|
197 |
+ crda->crd_len = hlen - sav->ivlen;
|
|
198 |
+ else
|
|
199 |
+ crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
|
200 |
crda->crd_inject = m->m_pkthdr.len - alen;
|
|
201 |
|
|
202 |
crda->crd_alg = esph->type;
|
|
203 |
- crda->crd_key = sav->key_auth->key_data;
|
|
204 |
- crda->crd_klen = _KEYBITS(sav->key_auth);
|
|
205 |
+ if (espx && (espx->type == CRYPTO_AES_GCM_16)) {
|
|
206 |
+ crda->crd_key = sav->key_enc->key_data;
|
|
207 |
+ crda->crd_klen = _KEYBITS(sav->key_enc);
|
|
208 |
+ } else {
|
|
209 |
+ crda->crd_key = sav->key_auth->key_data;
|
|
210 |
+ crda->crd_klen = _KEYBITS(sav->key_auth);
|
|
211 |
+ }
|
|
212 |
|
|
213 |
/* Copy the authenticator */
|
|
214 |
if (mtag == NULL)
|
|
215 |
@@ -521,6 +559,11 @@ esp_input_cb(struct cryptop *crp)
|
|
216 |
case CRYPTO_SHA2_512_HMAC:
|
|
217 |
alen = esph->hashsize/2;
|
|
218 |
break;
|
|
219 |
+ case CRYPTO_AES_128_GMAC:
|
|
220 |
+ case CRYPTO_AES_192_GMAC:
|
|
221 |
+ case CRYPTO_AES_256_GMAC:
|
|
222 |
+ alen = esph->hashsize;
|
|
223 |
+ break;
|
|
224 |
default:
|
|
225 |
alen = AH_HMAC_HASHLEN;
|
|
226 |
break;
|
|
227 |
@@ -891,13 +934,21 @@ esp_output(
|
|
228 |
if (esph) {
|
|
229 |
/* Authentication descriptor. */
|
|
230 |
crda->crd_skip = skip;
|
|
231 |
- crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
|
232 |
+ if (espx && espx->type == CRYPTO_AES_GCM_16)
|
|
233 |
+ crda->crd_len = hlen - sav->ivlen;
|
|
234 |
+ else
|
|
235 |
+ crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
|
236 |
crda->crd_inject = m->m_pkthdr.len - alen;
|
|
237 |
|
|
238 |
/* Authentication operation. */
|
|
239 |
crda->crd_alg = esph->type;
|
|
240 |
- crda->crd_key = sav->key_auth->key_data;
|
|
241 |
- crda->crd_klen = _KEYBITS(sav->key_auth);
|
|
242 |
+ if (espx && espx->type == CRYPTO_AES_GCM_16) {
|
|
243 |
+ crda->crd_key = sav->key_enc->key_data;
|
|
244 |
+ crda->crd_klen = _KEYBITS(sav->key_enc);
|
|
245 |
+ } else {
|
|
246 |
+ crda->crd_key = sav->key_auth->key_data;
|
|
247 |
+ crda->crd_klen = _KEYBITS(sav->key_auth);
|
|
248 |
+ }
|
|
249 |
}
|
|
250 |
|
|
251 |
return crypto_dispatch(crp);
|
|
252 |
@@ -988,6 +1039,11 @@ esp_output_cb(struct cryptop *crp)
|
|
253 |
case CRYPTO_SHA2_512_HMAC:
|
|
254 |
alen = esph->hashsize/2;
|
|
255 |
break;
|
|
256 |
+ case CRYPTO_AES_128_GMAC:
|
|
257 |
+ case CRYPTO_AES_192_GMAC:
|
|
258 |
+ case CRYPTO_AES_256_GMAC:
|
|
259 |
+ alen = esph->hashsize;
|
|
260 |
+ break;
|
|
261 |
default:
|
|
262 |
alen = AH_HMAC_HASHLEN;
|
|
263 |
break;
|
|
264 |
diff --git a/sys/opencrypto/cryptodev.c b/sys/opencrypto/cryptodev.c
|
|
265 |
index 44bfa5c..cbb8531 100644
|
|
266 |
--- a/sys/opencrypto/cryptodev.c
|
|
267 |
+++ b/sys/opencrypto/cryptodev.c
|
|
268 |
@@ -434,6 +434,13 @@ cryptof_ioctl(
|
|
269 |
case CRYPTO_CAMELLIA_CBC:
|
|
270 |
txform = &enc_xform_camellia;
|
|
271 |
break;
|
|
272 |
+ case CRYPTO_AES_CTR:
|
|
273 |
+ txform = &enc_xform_aes_ctr;
|
|
274 |
+ break;
|
|
275 |
+ case CRYPTO_AES_GCM_16:
|
|
276 |
+ txform = &enc_xform_aes_gcm;
|
|
277 |
+ break;
|
|
278 |
+
|
|
279 |
default:
|
|
280 |
return (EINVAL);
|
|
281 |
}
|
|
282 |
@@ -459,6 +466,16 @@ cryptof_ioctl(
|
|
283 |
case CRYPTO_RIPEMD160_HMAC:
|
|
284 |
thash = &auth_hash_hmac_ripemd_160;
|
|
285 |
break;
|
|
286 |
+ case CRYPTO_AES_128_GMAC:
|
|
287 |
+ thash = &auth_hash_gmac_aes_128;
|
|
288 |
+ break;
|
|
289 |
+ case CRYPTO_AES_192_GMAC:
|
|
290 |
+ thash = &auth_hash_gmac_aes_192;
|
|
291 |
+ break;
|
|
292 |
+ case CRYPTO_AES_256_GMAC:
|
|
293 |
+ thash = &auth_hash_gmac_aes_256;
|
|
294 |
+ break;
|
|
295 |
+
|
|
296 |
#ifdef notdef
|
|
297 |
case CRYPTO_MD5:
|
|
298 |
thash = &auth_hash_md5;
|
|
299 |
diff --git a/sys/opencrypto/cryptodev.h b/sys/opencrypto/cryptodev.h
|
|
300 |
index e299522..fbf049b 100644
|
|
301 |
--- a/sys/opencrypto/cryptodev.h
|
|
302 |
+++ b/sys/opencrypto/cryptodev.h
|
|
303 |
@@ -72,6 +72,7 @@
|
|
304 |
#define SHA2_512_HASH_LEN 64
|
|
305 |
#define MD5_KPDK_HASH_LEN 16
|
|
306 |
#define SHA1_KPDK_HASH_LEN 20
|
|
307 |
+#define AES_GMAC_HASH_LEN 16
|
|
308 |
/* Maximum hash algorithm result length */
|
|
309 |
#define HASH_MAX_LEN SHA2_512_HASH_LEN /* Keep this updated */
|
|
310 |
|
|
311 |
@@ -100,6 +101,9 @@
|
|
312 |
#define CAMELLIA_BLOCK_LEN 16
|
|
313 |
#define EALG_MAX_BLOCK_LEN AES_BLOCK_LEN /* Keep this updated */
|
|
314 |
|
|
315 |
+/* Maximum hash algorithm result length */
|
|
316 |
+#define AALG_MAX_RESULT_LEN 64 /* Keep this updated */
|
|
317 |
+
|
|
318 |
#define CRYPTO_ALGORITHM_MIN 1
|
|
319 |
#define CRYPTO_DES_CBC 1
|
|
320 |
#define CRYPTO_3DES_CBC 2
|
|
321 |
@@ -122,9 +126,15 @@
|
|
322 |
#define CRYPTO_SHA2_256_HMAC 18
|
|
323 |
#define CRYPTO_SHA2_384_HMAC 19
|
|
324 |
#define CRYPTO_SHA2_512_HMAC 20
|
|
325 |
-#define CRYPTO_CAMELLIA_CBC 21
|
|
326 |
+#define CRYPTO_CAMELLIA_CBC 21
|
|
327 |
#define CRYPTO_AES_XTS 22
|
|
328 |
-#define CRYPTO_ALGORITHM_MAX 22 /* Keep updated - see below */
|
|
329 |
+#define CRYPTO_AES_CTR 23
|
|
330 |
+#define CRYPTO_AES_GCM_16 24
|
|
331 |
+#define CRYPTO_AES_128_GMAC 25
|
|
332 |
+#define CRYPTO_AES_192_GMAC 26
|
|
333 |
+#define CRYPTO_AES_256_GMAC 27
|
|
334 |
+#define CRYPTO_AES_GMAC 28
|
|
335 |
+#define CRYPTO_ALGORITHM_MAX 28 /* Keep updated - see below */
|
|
336 |
|
|
337 |
/* Algorithm flags */
|
|
338 |
#define CRYPTO_ALG_FLAG_SUPPORTED 0x01 /* Algorithm is supported */
|
|
339 |
@@ -276,7 +286,12 @@ struct cryptoini {
|
|
340 |
int cri_mlen; /* Number of bytes we want from the
|
|
341 |
entire hash. 0 means all. */
|
|
342 |
caddr_t cri_key; /* key to use */
|
|
343 |
- u_int8_t cri_iv[EALG_MAX_BLOCK_LEN]; /* IV to use */
|
|
344 |
+ union {
|
|
345 |
+ u_int8_t iv[EALG_MAX_BLOCK_LEN]; /* IV to use */
|
|
346 |
+ u_int8_t esn[4]; /* high-order ESN */
|
|
347 |
+ } u;
|
|
348 |
+#define cri_iv u.iv
|
|
349 |
+#define cri_esn u.esn
|
|
350 |
struct cryptoini *cri_next;
|
|
351 |
};
|
|
352 |
|
|
353 |
@@ -294,8 +309,10 @@ struct cryptodesc {
|
|
354 |
#define CRD_F_DSA_SHA_NEEDED 0x08 /* Compute SHA-1 of buffer for DSA */
|
|
355 |
#define CRD_F_KEY_EXPLICIT 0x10 /* Key explicitly provided */
|
|
356 |
#define CRD_F_COMP 0x0f /* Set when doing compression */
|
|
357 |
+#define CRD_F_ESN 0x20 /* Set when doing compression */
|
|
358 |
|
|
359 |
struct cryptoini CRD_INI; /* Initialization/context data */
|
|
360 |
+#define crd_esn CRD_INI.cri_esn
|
|
361 |
#define crd_iv CRD_INI.cri_iv
|
|
362 |
#define crd_key CRD_INI.cri_key
|
|
363 |
#define crd_alg CRD_INI.cri_alg
|
|
364 |
diff --git a/sys/opencrypto/cryptosoft.c b/sys/opencrypto/cryptosoft.c
|
|
365 |
index d73f462..a1f7480 100644
|
|
366 |
--- a/sys/opencrypto/cryptosoft.c
|
|
367 |
+++ b/sys/opencrypto/cryptosoft.c
|
|
368 |
@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
|
|
369 |
#include <sys/random.h>
|
|
370 |
#include <sys/kernel.h>
|
|
371 |
#include <sys/uio.h>
|
|
372 |
+#include <sys/endian.h>
|
|
373 |
|
|
374 |
#include <crypto/blowfish/blowfish.h>
|
|
375 |
#include <crypto/sha1.h>
|
|
376 |
@@ -60,6 +61,7 @@ u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
|
|
377 |
|
|
378 |
static int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
|
|
379 |
static int swcr_authcompute(struct cryptodesc *, struct swcr_data *, caddr_t, int);
|
|
380 |
+static int swcr_authenc(struct cryptop *crp);
|
|
381 |
static int swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
|
|
382 |
static int swcr_freesession(device_t dev, u_int64_t tid);
|
|
383 |
|
|
384 |
@@ -579,6 +581,164 @@ swcr_authcompute(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
|
|
385 |
}
|
|
386 |
|
|
387 |
/*
|
|
388 |
+ * Apply a combined encryption-authentication transformation
|
|
389 |
+ */
|
|
390 |
+static int
|
|
391 |
+swcr_authenc(struct cryptop *crp)
|
|
392 |
+{
|
|
393 |
+ uint32_t blkbuf[howmany(EALG_MAX_BLOCK_LEN, sizeof(uint32_t))];
|
|
394 |
+ u_char *blk = (u_char *)blkbuf;
|
|
395 |
+ u_char aalg[AALG_MAX_RESULT_LEN];
|
|
396 |
+ u_char iv[EALG_MAX_BLOCK_LEN];
|
|
397 |
+ union authctx ctx;
|
|
398 |
+ struct cryptodesc *crd, *crda = NULL, *crde = NULL;
|
|
399 |
+ struct swcr_data *sw, *swa, *swe = NULL;
|
|
400 |
+ struct auth_hash *axf = NULL;
|
|
401 |
+ struct enc_xform *exf = NULL;
|
|
402 |
+ caddr_t buf = (caddr_t)crp->crp_buf;
|
|
403 |
+ uint32_t *blkp;
|
|
404 |
+ int aadlen, blksz, i, ivlen, len, iskip, oskip;
|
|
405 |
+
|
|
406 |
+ ivlen = blksz = iskip = oskip = 0;
|
|
407 |
+
|
|
408 |
+ for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
|
|
409 |
+ for (sw = swcr_sessions[crp->crp_sid & 0xffffffff];
|
|
410 |
+ sw && sw->sw_alg != crd->crd_alg;
|
|
411 |
+ sw = sw->sw_next)
|
|
412 |
+ ;
|
|
413 |
+ if (sw == NULL)
|
|
414 |
+ return (EINVAL);
|
|
415 |
+
|
|
416 |
+ switch (sw->sw_alg) {
|
|
417 |
+ case CRYPTO_AES_GCM_16:
|
|
418 |
+ case CRYPTO_AES_GMAC:
|
|
419 |
+ swe = sw;
|
|
420 |
+ crde = crd;
|
|
421 |
+ exf = swe->sw_exf;
|
|
422 |
+ ivlen = 8;
|
|
423 |
+ break;
|
|
424 |
+ case CRYPTO_AES_128_GMAC:
|
|
425 |
+ case CRYPTO_AES_192_GMAC:
|
|
426 |
+ case CRYPTO_AES_256_GMAC:
|
|
427 |
+ swa = sw;
|
|
428 |
+ crda = crd;
|
|
429 |
+ axf = swa->sw_axf;
|
|
430 |
+ if (swa->sw_ictx == 0)
|
|
431 |
+ return (EINVAL);
|
|
432 |
+ bcopy(swa->sw_ictx, &ctx, axf->ctxsize);
|
|
433 |
+ blksz = axf->blocksize;
|
|
434 |
+ break;
|
|
435 |
+ default:
|
|
436 |
+ return (EINVAL);
|
|
437 |
+ }
|
|
438 |
+ }
|
|
439 |
+ if (crde == NULL || crda == NULL)
|
|
440 |
+ return (EINVAL);
|
|
441 |
+
|
|
442 |
+ /* Initialize the IV */
|
|
443 |
+ if (crde->crd_flags & CRD_F_ENCRYPT) {
|
|
444 |
+ /* IV explicitly provided ? */
|
|
445 |
+ if (crde->crd_flags & CRD_F_IV_EXPLICIT)
|
|
446 |
+ bcopy(crde->crd_iv, iv, ivlen);
|
|
447 |
+ else
|
|
448 |
+ arc4rand(iv, ivlen, 0);
|
|
449 |
+
|
|
450 |
+ /* Do we need to write the IV */
|
|
451 |
+ if (!(crde->crd_flags & CRD_F_IV_PRESENT))
|
|
452 |
+ crypto_copyback(crp->crp_flags, buf, crde->crd_inject,
|
|
453 |
+ ivlen, iv);
|
|
454 |
+
|
|
455 |
+ } else { /* Decryption */
|
|
456 |
+ /* IV explicitly provided ? */
|
|
457 |
+ if (crde->crd_flags & CRD_F_IV_EXPLICIT)
|
|
458 |
+ bcopy(crde->crd_iv, iv, ivlen);
|
|
459 |
+ else {
|
|
460 |
+ /* Get IV off buf */
|
|
461 |
+ crypto_copydata(crp->crp_flags, buf, crde->crd_inject,
|
|
462 |
+ ivlen, iv);
|
|
463 |
+ }
|
|
464 |
+ }
|
|
465 |
+
|
|
466 |
+ /* Supply MAC with IV */
|
|
467 |
+ if (axf->Reinit)
|
|
468 |
+ axf->Reinit(&ctx, iv, ivlen);
|
|
469 |
+
|
|
470 |
+ /* Supply MAC with AAD */
|
|
471 |
+ aadlen = crda->crd_len;
|
|
472 |
+ /*
|
|
473 |
+ * Section 5 of RFC 4106 specifies that AAD construction consists of
|
|
474 |
+ * {SPI, ESN, SN} whereas the real packet contains only {SPI, SN}.
|
|
475 |
+ * Unfortunately it doesn't follow a good example set in the Section
|
|
476 |
+ * 3.3.2.1 of RFC 4303 where upper part of the ESN, located in the
|
|
477 |
+ * external (to the packet) memory buffer, is processed by the hash
|
|
478 |
+ * function in the end thus allowing to retain simple programming
|
|
479 |
+ * interfaces and avoid kludges like the one below.
|
|
480 |
+ */
|
|
481 |
+ if (crda->crd_flags & CRD_F_ESN) {
|
|
482 |
+ aadlen += 4;
|
|
483 |
+ /* SPI */
|
|
484 |
+ crypto_copydata(crp->crp_flags, buf, crda->crd_skip, 4, blk);
|
|
485 |
+ iskip = 4; /* loop below will start with an offset of 4 */
|
|
486 |
+ /* ESN */
|
|
487 |
+ bcopy(crda->crd_esn, blk + 4, 4);
|
|
488 |
+ oskip = iskip + 4; /* offset output buffer blk by 8 */
|
|
489 |
+ }
|
|
490 |
+ for (i = iskip; i < crda->crd_len; i += blksz) {
|
|
491 |
+ len = MIN(crda->crd_len - i, blksz - oskip);
|
|
492 |
+ crypto_copydata(crp->crp_flags, buf, crda->crd_skip + i, len,
|
|
493 |
+ blk + oskip);
|
|
494 |
+ bzero(blk + len + oskip, blksz - len - oskip);
|
|
495 |
+ axf->Update(&ctx, blk, blksz);
|
|
496 |
+ oskip = 0; /* reset initial output offset */
|
|
497 |
+ }
|
|
498 |
+
|
|
499 |
+ if (exf->reinit)
|
|
500 |
+ exf->reinit(swe->sw_kschedule, iv);
|
|
501 |
+
|
|
502 |
+ /* Do encryption/decryption with MAC */
|
|
503 |
+ for (i = 0; i < crde->crd_len; i += blksz) {
|
|
504 |
+ len = MIN(crde->crd_len - i, blksz);
|
|
505 |
+ if (len < blksz)
|
|
506 |
+ bzero(blk, blksz);
|
|
507 |
+ crypto_copydata(crp->crp_flags, buf, crde->crd_skip + i, len,
|
|
508 |
+ blk);
|
|
509 |
+ if (crde->crd_flags & CRD_F_ENCRYPT) {
|
|
510 |
+ exf->encrypt(swe->sw_kschedule, blk);
|
|
511 |
+ axf->Update(&ctx, blk, len);
|
|
512 |
+ } else {
|
|
513 |
+ axf->Update(&ctx, blk, len);
|
|
514 |
+ exf->decrypt(swe->sw_kschedule, blk);
|
|
515 |
+ }
|
|
516 |
+ crypto_copyback(crp->crp_flags, buf, crde->crd_skip + i, len,
|
|
517 |
+ blk);
|
|
518 |
+ }
|
|
519 |
+
|
|
520 |
+ /* Do any required special finalization */
|
|
521 |
+ switch (crda->crd_alg) {
|
|
522 |
+ case CRYPTO_AES_128_GMAC:
|
|
523 |
+ case CRYPTO_AES_192_GMAC:
|
|
524 |
+ case CRYPTO_AES_256_GMAC:
|
|
525 |
+ /* length block */
|
|
526 |
+ bzero(blk, blksz);
|
|
527 |
+ blkp = (uint32_t *)blk + 1;
|
|
528 |
+ *blkp = htobe32(aadlen * 8);
|
|
529 |
+ blkp = (uint32_t *)blk + 3;
|
|
530 |
+ *blkp = htobe32(crde->crd_len * 8);
|
|
531 |
+ axf->Update(&ctx, blk, blksz);
|
|
532 |
+ break;
|
|
533 |
+ }
|
|
534 |
+
|
|
535 |
+ /* Finalize MAC */
|
|
536 |
+ axf->Final(aalg, &ctx);
|
|
537 |
+
|
|
538 |
+ /* Inject the authentication data */
|
|
539 |
+ crypto_copyback(crp->crp_flags, buf, crda->crd_inject, axf->hashsize,
|
|
540 |
+ aalg);
|
|
541 |
+
|
|
542 |
+ return (0);
|
|
543 |
+}
|
|
544 |
+
|
|
545 |
+/*
|
|
546 |
* Apply a compression/decompression algorithm
|
|
547 |
*/
|
|
548 |
static int
|
|
549 |
@@ -738,6 +898,16 @@ swcr_newsession(device_t dev, u_int32_t *sid, struct cryptoini *cri)
|
|
550 |
case CRYPTO_AES_XTS:
|
|
551 |
txf = &enc_xform_aes_xts;
|
|
552 |
goto enccommon;
|
|
553 |
+ case CRYPTO_AES_CTR:
|
|
554 |
+ txf = &enc_xform_aes_ctr;
|
|
555 |
+ goto enccommon;
|
|
556 |
+ case CRYPTO_AES_GCM_16:
|
|
557 |
+ txf = &enc_xform_aes_gcm;
|
|
558 |
+ goto enccommon;
|
|
559 |
+ case CRYPTO_AES_GMAC:
|
|
560 |
+ txf = &enc_xform_aes_gmac;
|
|
561 |
+ (*swd)->sw_exf = txf;
|
|
562 |
+ break;
|
|
563 |
case CRYPTO_CAMELLIA_CBC:
|
|
564 |
txf = &enc_xform_camellia;
|
|
565 |
goto enccommon;
|
|
566 |
@@ -850,6 +1020,30 @@ swcr_newsession(device_t dev, u_int32_t *sid, struct cryptoini *cri)
|
|
567 |
(*swd)->sw_axf = axf;
|
|
568 |
break;
|
|
569 |
#endif
|
|
570 |
+
|
|
571 |
+ case CRYPTO_AES_128_GMAC:
|
|
572 |
+ axf = &auth_hash_gmac_aes_128;
|
|
573 |
+ goto auth4common;
|
|
574 |
+
|
|
575 |
+ case CRYPTO_AES_192_GMAC:
|
|
576 |
+ axf = &auth_hash_gmac_aes_192;
|
|
577 |
+ goto auth4common;
|
|
578 |
+
|
|
579 |
+ case CRYPTO_AES_256_GMAC:
|
|
580 |
+ axf = &auth_hash_gmac_aes_256;
|
|
581 |
+ auth4common:
|
|
582 |
+ (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
|
|
583 |
+ M_NOWAIT);
|
|
584 |
+ if ((*swd)->sw_ictx == NULL) {
|
|
585 |
+ swcr_freesession(dev, i);
|
|
586 |
+ return ENOBUFS;
|
|
587 |
+ }
|
|
588 |
+ axf->Init((*swd)->sw_ictx);
|
|
589 |
+ axf->Setkey((*swd)->sw_ictx, cri->cri_key,
|
|
590 |
+ cri->cri_klen / 8);
|
|
591 |
+ (*swd)->sw_axf = axf;
|
|
592 |
+ break;
|
|
593 |
+
|
|
594 |
case CRYPTO_DEFLATE_COMP:
|
|
595 |
cxf = &comp_algo_deflate;
|
|
596 |
(*swd)->sw_cxf = cxf;
|
|
597 |
@@ -897,6 +1092,9 @@ swcr_freesession(device_t dev, u_int64_t tid)
|
|
598 |
case CRYPTO_SKIPJACK_CBC:
|
|
599 |
case CRYPTO_RIJNDAEL128_CBC:
|
|
600 |
case CRYPTO_AES_XTS:
|
|
601 |
+ case CRYPTO_AES_CTR:
|
|
602 |
+ case CRYPTO_AES_GCM_16:
|
|
603 |
+ case CRYPTO_AES_GMAC:
|
|
604 |
case CRYPTO_CAMELLIA_CBC:
|
|
605 |
case CRYPTO_NULL_CBC:
|
|
606 |
txf = swd->sw_exf;
|
|
607 |
@@ -1011,6 +1209,7 @@ swcr_process(device_t dev, struct cryptop *crp, int hint)
|
|
608 |
case CRYPTO_SKIPJACK_CBC:
|
|
609 |
case CRYPTO_RIJNDAEL128_CBC:
|
|
610 |
case CRYPTO_AES_XTS:
|
|
611 |
+ case CRYPTO_AES_CTR:
|
|
612 |
case CRYPTO_CAMELLIA_CBC:
|
|
613 |
if ((crp->crp_etype = swcr_encdec(crd, sw,
|
|
614 |
crp->crp_buf, crp->crp_flags)) != 0)
|
|
615 |
@@ -1035,6 +1234,14 @@ swcr_process(device_t dev, struct cryptop *crp, int hint)
|
|
616 |
goto done;
|
|
617 |
break;
|
|
618 |
|
|
619 |
+ case CRYPTO_AES_GCM_16:
|
|
620 |
+ case CRYPTO_AES_GMAC:
|
|
621 |
+ case CRYPTO_AES_128_GMAC:
|
|
622 |
+ case CRYPTO_AES_192_GMAC:
|
|
623 |
+ case CRYPTO_AES_256_GMAC:
|
|
624 |
+ crp->crp_etype = swcr_authenc(crp);
|
|
625 |
+ goto done;
|
|
626 |
+
|
|
627 |
case CRYPTO_DEFLATE_COMP:
|
|
628 |
if ((crp->crp_etype = swcr_compdec(crd, sw,
|
|
629 |
crp->crp_buf, crp->crp_flags)) != 0)
|
|
630 |
@@ -1104,6 +1311,12 @@ swcr_attach(device_t dev)
|
|
631 |
REGISTER(CRYPTO_SHA1);
|
|
632 |
REGISTER(CRYPTO_RIJNDAEL128_CBC);
|
|
633 |
REGISTER(CRYPTO_AES_XTS);
|
|
634 |
+ REGISTER(CRYPTO_AES_CTR);
|
|
635 |
+ REGISTER(CRYPTO_AES_GCM_16);
|
|
636 |
+ REGISTER(CRYPTO_AES_GMAC);
|
|
637 |
+ REGISTER(CRYPTO_AES_128_GMAC);
|
|
638 |
+ REGISTER(CRYPTO_AES_192_GMAC);
|
|
639 |
+ REGISTER(CRYPTO_AES_256_GMAC);
|
|
640 |
REGISTER(CRYPTO_CAMELLIA_CBC);
|
|
641 |
REGISTER(CRYPTO_DEFLATE_COMP);
|
|
642 |
#undef REGISTER
|
|
643 |
diff --git a/sys/opencrypto/gmac.c b/sys/opencrypto/gmac.c
|
|
644 |
new file mode 100644
|
|
645 |
index 0000000..72ac227
|
|
646 |
--- /dev/null
|
|
647 |
+++ b/sys/opencrypto/gmac.c
|
|
648 |
@@ -0,0 +1,163 @@
|
|
649 |
+/* $OpenBSD: gmac.c,v 1.3 2011/01/11 15:44:23 deraadt Exp $ */
|
|
650 |
+
|
|
651 |
+/*
|
|
652 |
+ * Copyright (c) 2010 Mike Belopuhov <mike@vantronix.net>
|
|
653 |
+ *
|
|
654 |
+ * Permission to use, copy, modify, and distribute this software for any
|
|
655 |
+ * purpose with or without fee is hereby granted, provided that the above
|
|
656 |
+ * copyright notice and this permission notice appear in all copies.
|
|
657 |
+ *
|
|
658 |
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
659 |
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
660 |
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
661 |
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
662 |
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
663 |
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
664 |
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
665 |
+ */
|
|
666 |
+
|
|
667 |
+/*
|
|
668 |
+ * This code implements the Message Authentication part of the
|
|
669 |
+ * Galois/Counter Mode (as being described in the RFC 4543) using
|
|
670 |
+ * the AES cipher. FIPS SP 800-38D describes the algorithm details.
|
|
671 |
+ */
|
|
672 |
+
|
|
673 |
+#ifdef _KERNEL
|
|
674 |
+#include <sys/param.h>
|
|
675 |
+#include <sys/systm.h>
|
|
676 |
+#include <sys/endian.h>
|
|
677 |
+#else
|
|
678 |
+#include <sys/types.h>
|
|
679 |
+#include <sys/endian.h>
|
|
680 |
+#include <stdint.h>
|
|
681 |
+#include <string.h>
|
|
682 |
+#endif
|
|
683 |
+
|
|
684 |
+#include <crypto/rijndael/rijndael.h>
|
|
685 |
+#include <opencrypto/gmac.h>
|
|
686 |
+
|
|
687 |
+void ghash_gfmul(uint32_t *, uint32_t *, uint32_t *);
|
|
688 |
+void ghash_update(GHASH_CTX *, uint8_t *, size_t);
|
|
689 |
+
|
|
690 |
+/* Computes a block multiplication in the GF(2^128) */
|
|
691 |
+void
|
|
692 |
+ghash_gfmul(uint32_t *X, uint32_t *Y, uint32_t *product)
|
|
693 |
+{
|
|
694 |
+ uint32_t v[4];
|
|
695 |
+ uint32_t z[4] = { 0, 0, 0, 0};
|
|
696 |
+ uint8_t *x = (uint8_t *)X;
|
|
697 |
+ uint32_t mul;
|
|
698 |
+ int i;
|
|
699 |
+
|
|
700 |
+ v[0] = be32toh(Y[0]);
|
|
701 |
+ v[1] = be32toh(Y[1]);
|
|
702 |
+ v[2] = be32toh(Y[2]);
|
|
703 |
+ v[3] = be32toh(Y[3]);
|
|
704 |
+
|
|
705 |
+ for (i = 0; i < GMAC_BLOCK_LEN * 8; i++) {
|
|
706 |
+ /* update Z */
|
|
707 |
+ if (x[i >> 3] & (1 << (~i & 7))) {
|
|
708 |
+ z[0] ^= v[0];
|
|
709 |
+ z[1] ^= v[1];
|
|
710 |
+ z[2] ^= v[2];
|
|
711 |
+ z[3] ^= v[3];
|
|
712 |
+ } /* else: we preserve old values */
|
|
713 |
+
|
|
714 |
+ /* update V */
|
|
715 |
+ mul = v[3] & 1;
|
|
716 |
+ v[3] = (v[2] << 31) | (v[3] >> 1);
|
|
717 |
+ v[2] = (v[1] << 31) | (v[2] >> 1);
|
|
718 |
+ v[1] = (v[0] << 31) | (v[1] >> 1);
|
|
719 |
+ v[0] = (v[0] >> 1) ^ (0xe1000000 * mul);
|
|
720 |
+ }
|
|
721 |
+
|
|
722 |
+ product[0] = htobe32(z[0]);
|
|
723 |
+ product[1] = htobe32(z[1]);
|
|
724 |
+ product[2] = htobe32(z[2]);
|
|
725 |
+ product[3] = htobe32(z[3]);
|
|
726 |
+}
|
|
727 |
+
|
|
728 |
+void
|
|
729 |
+ghash_update(GHASH_CTX *ctx, uint8_t *X, size_t len)
|
|
730 |
+{
|
|
731 |
+ uint32_t *x = (uint32_t *)X;
|
|
732 |
+ uint32_t *s = (uint32_t *)ctx->S;
|
|
733 |
+ uint32_t *y = (uint32_t *)ctx->Z;
|
|
734 |
+ int i;
|
|
735 |
+
|
|
736 |
+ for (i = 0; i < len / GMAC_BLOCK_LEN; i++) {
|
|
737 |
+ s[0] = y[0] ^ x[0];
|
|
738 |
+ s[1] = y[1] ^ x[1];
|
|
739 |
+ s[2] = y[2] ^ x[2];
|
|
740 |
+ s[3] = y[3] ^ x[3];
|
|
741 |
+
|
|
742 |
+ ghash_gfmul((uint32_t *)ctx->S, (uint32_t *)ctx->H,
|
|
743 |
+ (uint32_t *)ctx->S);
|
|
744 |
+
|
|
745 |
+ y = s;
|
|
746 |
+ x += 4;
|
|
747 |
+ }
|
|
748 |
+
|
|
749 |
+ bcopy(ctx->S, ctx->Z, GMAC_BLOCK_LEN);
|
|
750 |
+}
|
|
751 |
+
|
|
752 |
+#define AESCTR_NONCESIZE 4
|
|
753 |
+
|
|
754 |
+void
|
|
755 |
+AES_GMAC_Init(AES_GMAC_CTX *ctx)
|
|
756 |
+{
|
|
757 |
+ bzero(ctx->ghash.H, GMAC_BLOCK_LEN);
|
|
758 |
+ bzero(ctx->ghash.S, GMAC_BLOCK_LEN);
|
|
759 |
+ bzero(ctx->ghash.Z, GMAC_BLOCK_LEN);
|
|
760 |
+ bzero(ctx->J, GMAC_BLOCK_LEN);
|
|
761 |
+}
|
|
762 |
+
|
|
763 |
+void
|
|
764 |
+AES_GMAC_Setkey(AES_GMAC_CTX *ctx, const uint8_t *key, uint16_t klen)
|
|
765 |
+{
|
|
766 |
+ ctx->rounds = rijndaelKeySetupEnc(ctx->K, (u_char *)key,
|
|
767 |
+ (klen - AESCTR_NONCESIZE) * 8);
|
|
768 |
+ /* copy out salt to the counter block */
|
|
769 |
+ bcopy(key + klen - AESCTR_NONCESIZE, ctx->J, AESCTR_NONCESIZE);
|
|
770 |
+ /* prepare a hash subkey */
|
|
771 |
+ rijndaelEncrypt(ctx->K, ctx->rounds, ctx->ghash.H, ctx->ghash.H);
|
|
772 |
+}
|
|
773 |
+
|
|
774 |
+void
|
|
775 |
+AES_GMAC_Reinit(AES_GMAC_CTX *ctx, const uint8_t *iv, uint16_t ivlen)
|
|
776 |
+{
|
|
777 |
+ /* copy out IV to the counter block */
|
|
778 |
+ bcopy(iv, ctx->J + AESCTR_NONCESIZE, ivlen);
|
|
779 |
+}
|
|
780 |
+
|
|
781 |
+int
|
|
782 |
+AES_GMAC_Update(AES_GMAC_CTX *ctx, const uint8_t *data, uint16_t len)
|
|
783 |
+{
|
|
784 |
+ uint8_t blk[16] = {};
|
|
785 |
+ int plen;
|
|
786 |
+
|
|
787 |
+ if (len > 0) {
|
|
788 |
+ plen = len % GMAC_BLOCK_LEN;
|
|
789 |
+ if (len >= GMAC_BLOCK_LEN)
|
|
790 |
+ ghash_update(&ctx->ghash, (uint8_t *)data, len - plen);
|
|
791 |
+ if (plen) {
|
|
792 |
+ bcopy((uint8_t *)data + (len - plen), blk, plen);
|
|
793 |
+ ghash_update(&ctx->ghash, blk, GMAC_BLOCK_LEN);
|
|
794 |
+ }
|
|
795 |
+ }
|
|
796 |
+ return (0);
|
|
797 |
+}
|
|
798 |
+
|
|
799 |
+void
|
|
800 |
+AES_GMAC_Final(uint8_t digest[GMAC_DIGEST_LEN], AES_GMAC_CTX *ctx)
|
|
801 |
+{
|
|
802 |
+ uint8_t keystream[GMAC_BLOCK_LEN];
|
|
803 |
+ int i;
|
|
804 |
+
|
|
805 |
+ /* do one round of GCTR */
|
|
806 |
+ ctx->J[GMAC_BLOCK_LEN - 1] = 1;
|
|
807 |
+ rijndaelEncrypt(ctx->K, ctx->rounds, ctx->J, keystream);
|
|
808 |
+ for (i = 0; i < GMAC_DIGEST_LEN; i++)
|
|
809 |
+ digest[i] = ctx->ghash.S[i] ^ keystream[i];
|
|
810 |
+ bzero(keystream, sizeof(keystream));
|
|
811 |
+}
|
|
812 |
diff --git a/sys/opencrypto/gmac.h b/sys/opencrypto/gmac.h
|
|
813 |
new file mode 100644
|
|
814 |
index 0000000..94137da
|
|
815 |
--- /dev/null
|
|
816 |
+++ b/sys/opencrypto/gmac.h
|
|
817 |
@@ -0,0 +1,48 @@
|
|
818 |
+/* $OpenBSD: gmac.h,v 1.2 2012/12/05 23:20:15 deraadt Exp $ */
|
|
819 |
+
|
|
820 |
+/*
|
|
821 |
+ * Copyright (c) 2010 Mike Belopuhov <mike@vantronix.net>
|
|
822 |
+ *
|
|
823 |
+ * Permission to use, copy, modify, and distribute this software for any
|
|
824 |
+ * purpose with or without fee is hereby granted, provided that the above
|
|
825 |
+ * copyright notice and this permission notice appear in all copies.
|
|
826 |
+ *
|
|
827 |
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
828 |
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
829 |
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
830 |
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
831 |
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
832 |
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
833 |
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
834 |
+ */
|
|
835 |
+
|
|
836 |
+#ifndef _GMAC_H_
|
|
837 |
+#define _GMAC_H_
|
|
838 |
+
|
|
839 |
+#include <crypto/rijndael/rijndael.h>
|
|
840 |
+
|
|
841 |
+#define GMAC_BLOCK_LEN 16
|
|
842 |
+#define GMAC_DIGEST_LEN 16
|
|
843 |
+
|
|
844 |
+typedef struct _GHASH_CTX {
|
|
845 |
+ uint8_t H[GMAC_BLOCK_LEN]; /* hash subkey */
|
|
846 |
+ uint8_t S[GMAC_BLOCK_LEN]; /* state */
|
|
847 |
+ uint8_t Z[GMAC_BLOCK_LEN]; /* initial state */
|
|
848 |
+} GHASH_CTX;
|
|
849 |
+
|
|
850 |
+typedef struct _AES_GMAC_CTX {
|
|
851 |
+ GHASH_CTX ghash;
|
|
852 |
+ uint32_t K[4*(RIJNDAEL_MAXNR + 1)];
|
|
853 |
+ uint8_t J[GMAC_BLOCK_LEN]; /* counter block */
|
|
854 |
+ int rounds;
|
|
855 |
+} AES_GMAC_CTX;
|
|
856 |
+
|
|
857 |
+__BEGIN_DECLS
|
|
858 |
+void AES_GMAC_Init(AES_GMAC_CTX *);
|
|
859 |
+void AES_GMAC_Setkey(AES_GMAC_CTX *, const uint8_t *, uint16_t);
|
|
860 |
+void AES_GMAC_Reinit(AES_GMAC_CTX *, const uint8_t *, uint16_t);
|
|
861 |
+int AES_GMAC_Update(AES_GMAC_CTX *, const uint8_t *, uint16_t);
|
|
862 |
+void AES_GMAC_Final(uint8_t [GMAC_DIGEST_LEN], AES_GMAC_CTX *);
|
|
863 |
+__END_DECLS
|
|
864 |
+
|
|
865 |
+#endif /* _GMAC_H_ */
|
|
866 |
diff --git a/sys/opencrypto/xform.c b/sys/opencrypto/xform.c
|
|
867 |
index bfb061b..590116c 100644
|
|
868 |
--- a/sys/opencrypto/xform.c
|
|
869 |
+++ b/sys/opencrypto/xform.c
|
|
870 |
@@ -63,6 +63,7 @@ __FBSDID("$FreeBSD$");
|
|
871 |
#include <opencrypto/deflate.h>
|
|
872 |
#include <opencrypto/rmd160.h>
|
|
873 |
#include <opencrypto/skipjack.h>
|
|
874 |
+#include <opencrypto/gmac.h>
|
|
875 |
|
|
876 |
#include <sys/md5.h>
|
|
877 |
|
|
878 |
@@ -76,6 +77,7 @@ static int blf_setkey(u_int8_t **, u_int8_t *, int);
|
|
879 |
static int cast5_setkey(u_int8_t **, u_int8_t *, int);
|
|
880 |
static int skipjack_setkey(u_int8_t **, u_int8_t *, int);
|
|
881 |
static int rijndael128_setkey(u_int8_t **, u_int8_t *, int);
|
|
882 |
+static int aes_ctr_setkey(u_int8_t **, u_int8_t *, int);
|
|
883 |
static int aes_xts_setkey(u_int8_t **, u_int8_t *, int);
|
|
884 |
static int cml_setkey(u_int8_t **, u_int8_t *, int);
|
|
885 |
|
|
886 |
@@ -99,6 +101,8 @@ static void rijndael128_decrypt(caddr_t, u_int8_t *);
|
|
887 |
static void aes_xts_decrypt(caddr_t, u_int8_t *);
|
|
888 |
static void cml_decrypt(caddr_t, u_int8_t *);
|
|
889 |
|
|
890 |
+static void aes_ctr_crypt(caddr_t, u_int8_t *);
|
|
891 |
+
|
|
892 |
static void null_zerokey(u_int8_t **);
|
|
893 |
static void des1_zerokey(u_int8_t **);
|
|
894 |
static void des3_zerokey(u_int8_t **);
|
|
895 |
@@ -106,26 +110,46 @@ static void blf_zerokey(u_int8_t **);
|
|
896 |
static void cast5_zerokey(u_int8_t **);
|
|
897 |
static void skipjack_zerokey(u_int8_t **);
|
|
898 |
static void rijndael128_zerokey(u_int8_t **);
|
|
899 |
+static void aes_ctr_zerokey(u_int8_t **);
|
|
900 |
static void aes_xts_zerokey(u_int8_t **);
|
|
901 |
static void cml_zerokey(u_int8_t **);
|
|
902 |
|
|
903 |
+static void aes_ctr_reinit(caddr_t, u_int8_t *);
|
|
904 |
static void aes_xts_reinit(caddr_t, u_int8_t *);
|
|
905 |
+static void aes_gcm_reinit(caddr_t, u_int8_t *);
|
|
906 |
|
|
907 |
static void null_init(void *);
|
|
908 |
-static int null_update(void *, u_int8_t *, u_int16_t);
|
|
909 |
+static void null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len);
|
|
910 |
+static int null_update(void *, const u_int8_t *, u_int16_t);
|
|
911 |
static void null_final(u_int8_t *, void *);
|
|
912 |
-static int MD5Update_int(void *, u_int8_t *, u_int16_t);
|
|
913 |
+static int MD5Update_int(void *, const u_int8_t *, u_int16_t);
|
|
914 |
static void SHA1Init_int(void *);
|
|
915 |
-static int SHA1Update_int(void *, u_int8_t *, u_int16_t);
|
|
916 |
+static int SHA1Update_int(void *, const u_int8_t *, u_int16_t);
|
|
917 |
static void SHA1Final_int(u_int8_t *, void *);
|
|
918 |
-static int RMD160Update_int(void *, u_int8_t *, u_int16_t);
|
|
919 |
-static int SHA256Update_int(void *, u_int8_t *, u_int16_t);
|
|
920 |
-static int SHA384Update_int(void *, u_int8_t *, u_int16_t);
|
|
921 |
-static int SHA512Update_int(void *, u_int8_t *, u_int16_t);
|
|
922 |
+static int RMD160Update_int(void *, const u_int8_t *, u_int16_t);
|
|
923 |
+static int SHA256Update_int(void *, const u_int8_t *, u_int16_t);
|
|
924 |
+static int SHA384Update_int(void *, const u_int8_t *, u_int16_t);
|
|
925 |
+static int SHA512Update_int(void *, const u_int8_t *, u_int16_t);
|
|
926 |
|
|
927 |
static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **);
|
|
928 |
static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **);
|
|
929 |
|
|
930 |
+#define AESCTR_NONCESIZE 4
|
|
931 |
+#define AESCTR_IVSIZE 8
|
|
932 |
+#define AESCTR_BLOCKSIZE 16
|
|
933 |
+
|
|
934 |
+struct aes_ctr_ctx {
|
|
935 |
+ u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)];
|
|
936 |
+ /*
|
|
937 |
+ * ac_block is initalized to: [ NONCE : IV : CNTR ]
|
|
938 |
+ * Where NONCE is the last four bytes of the key.
|
|
939 |
+ * IV is provided by user.
|
|
940 |
+ * CNTR is initalized to 0 for CTR and 1 for GCM.
|
|
941 |
+ */
|
|
942 |
+ u_int8_t ac_block[AESCTR_BLOCKSIZE];
|
|
943 |
+ int ac_nr;
|
|
944 |
+};
|
|
945 |
+
|
|
946 |
MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers");
|
|
947 |
|
|
948 |
/* Encryption instances */
|
|
949 |
@@ -137,7 +161,7 @@ struct enc_xform enc_xform_null = {
|
|
950 |
null_decrypt,
|
|
951 |
null_setkey,
|
|
952 |
null_zerokey,
|
|
953 |
- NULL
|
|
954 |
+ NULL,
|
|
955 |
};
|
|
956 |
|
|
957 |
struct enc_xform enc_xform_des = {
|
|
958 |
@@ -147,7 +171,7 @@ struct enc_xform enc_xform_des = {
|
|
959 |
des1_decrypt,
|
|
960 |
des1_setkey,
|
|
961 |
des1_zerokey,
|
|
962 |
- NULL
|
|
963 |
+ NULL,
|
|
964 |
};
|
|
965 |
|
|
966 |
struct enc_xform enc_xform_3des = {
|
|
967 |
@@ -157,7 +181,7 @@ struct enc_xform enc_xform_3des = {
|
|
968 |
des3_decrypt,
|
|
969 |
des3_setkey,
|
|
970 |
des3_zerokey,
|
|
971 |
- NULL
|
|
972 |
+ NULL,
|
|
973 |
};
|
|
974 |
|
|
975 |
struct enc_xform enc_xform_blf = {
|
|
976 |
@@ -167,7 +191,7 @@ struct enc_xform enc_xform_blf = {
|
|
977 |
blf_decrypt,
|
|
978 |
blf_setkey,
|
|
979 |
blf_zerokey,
|
|
980 |
- NULL
|
|
981 |
+ NULL,
|
|
982 |
};
|
|
983 |
|
|
984 |
struct enc_xform enc_xform_cast5 = {
|
|
985 |
@@ -177,17 +201,16 @@ struct enc_xform enc_xform_cast5 = {
|
|
986 |
cast5_decrypt,
|
|
987 |
cast5_setkey,
|
|
988 |
cast5_zerokey,
|
|
989 |
- NULL
|
|
990 |
+ NULL,
|
|
991 |
};
|
|
992 |
|
|
993 |
struct enc_xform enc_xform_skipjack = {
|
|
994 |
CRYPTO_SKIPJACK_CBC, "Skipjack",
|
|
995 |
SKIPJACK_BLOCK_LEN, 10, 10,
|
|
996 |
skipjack_encrypt,
|
|
997 |
- skipjack_decrypt,
|
|
998 |
- skipjack_setkey,
|
|
999 |
+ skipjack_decrypt, skipjack_setkey,
|
|
1000 |
skipjack_zerokey,
|
|
1001 |
- NULL
|
|
1002 |
+ NULL,
|
|
1003 |
};
|
|
1004 |
|
|
1005 |
struct enc_xform enc_xform_rijndael128 = {
|
|
1006 |
@@ -197,7 +220,37 @@ struct enc_xform enc_xform_rijndael128 = {
|
|
1007 |
rijndael128_decrypt,
|
|
1008 |
rijndael128_setkey,
|
|
1009 |
rijndael128_zerokey,
|
|
1010 |
- NULL
|
|
1011 |
+ NULL,
|
|
1012 |
+};
|
|
1013 |
+
|
|
1014 |
+struct enc_xform enc_xform_aes_ctr = {
|
|
1015 |
+ CRYPTO_AES_CTR, "AES-CTR",
|
|
1016 |
+ RIJNDAEL128_BLOCK_LEN, 8+4, 32+4,
|
|
1017 |
+ aes_ctr_crypt,
|
|
1018 |
+ aes_ctr_crypt,
|
|
1019 |
+ aes_ctr_setkey,
|
|
1020 |
+ rijndael128_zerokey,
|
|
1021 |
+ aes_ctr_reinit,
|
|
1022 |
+};
|
|
1023 |
+
|
|
1024 |
+struct enc_xform enc_xform_aes_gcm = {
|
|
1025 |
+ CRYPTO_AES_GCM_16, "AES-GCM",
|
|
1026 |
+ 1, 16+4, 32+4,
|
|
1027 |
+ aes_ctr_crypt,
|
|
1028 |
+ aes_ctr_crypt,
|
|
1029 |
+ aes_ctr_setkey,
|
|
1030 |
+ aes_ctr_zerokey,
|
|
1031 |
+ aes_gcm_reinit,
|
|
1032 |
+};
|
|
1033 |
+
|
|
1034 |
+struct enc_xform enc_xform_aes_gmac = {
|
|
1035 |
+ CRYPTO_AES_GMAC, "AES-GMAC",
|
|
1036 |
+ 1, 16+4, 32+4,
|
|
1037 |
+ NULL,
|
|
1038 |
+ NULL,
|
|
1039 |
+ NULL,
|
|
1040 |
+ NULL,
|
|
1041 |
+ NULL,
|
|
1042 |
};
|
|
1043 |
|
|
1044 |
struct enc_xform enc_xform_aes_xts = {
|
|
1045 |
@@ -217,7 +270,7 @@ struct enc_xform enc_xform_arc4 = {
|
|
1046 |
NULL,
|
|
1047 |
NULL,
|
|
1048 |
NULL,
|
|
1049 |
- NULL
|
|
1050 |
+ NULL,
|
|
1051 |
};
|
|
1052 |
|
|
1053 |
struct enc_xform enc_xform_camellia = {
|
|
1054 |
@@ -227,70 +280,100 @@ struct enc_xform enc_xform_camellia = {
|
|
1055 |
cml_decrypt,
|
|
1056 |
cml_setkey,
|
|
1057 |
cml_zerokey,
|
|
1058 |
- NULL
|
|
1059 |
+ NULL,
|
|
1060 |
};
|
|
1061 |
|
|
1062 |
/* Authentication instances */
|
|
1063 |
-struct auth_hash auth_hash_null = {
|
|
1064 |
+struct auth_hash auth_hash_null = { /* NB: context isn't used */
|
|
1065 |
CRYPTO_NULL_HMAC, "NULL-HMAC",
|
|
1066 |
- 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */
|
|
1067 |
- null_init, null_update, null_final
|
|
1068 |
+ 0, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
|
|
1069 |
+ null_init, null_reinit, null_reinit, null_update, null_final
|
|
1070 |
};
|
|
1071 |
|
|
1072 |
struct auth_hash auth_hash_hmac_md5 = {
|
|
1073 |
CRYPTO_MD5_HMAC, "HMAC-MD5",
|
|
1074 |
- 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX),
|
|
1075 |
- (void (*) (void *)) MD5Init, MD5Update_int,
|
|
1076 |
+ 16, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
|
|
1077 |
+ (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int,
|
|
1078 |
(void (*) (u_int8_t *, void *)) MD5Final
|
|
1079 |
};
|
|
1080 |
|
|
1081 |
struct auth_hash auth_hash_hmac_sha1 = {
|
|
1082 |
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
|
|
1083 |
- 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX),
|
|
1084 |
- SHA1Init_int, SHA1Update_int, SHA1Final_int
|
|
1085 |
+ 20, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
|
|
1086 |
+ SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
|
|
1087 |
};
|
|
1088 |
|
|
1089 |
struct auth_hash auth_hash_hmac_ripemd_160 = {
|
|
1090 |
CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
|
|
1091 |
- 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX),
|
|
1092 |
- (void (*)(void *)) RMD160Init, RMD160Update_int,
|
|
1093 |
+ 20, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX), RIPEMD160_HMAC_BLOCK_LEN,
|
|
1094 |
+ (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int,
|
|
1095 |
(void (*)(u_int8_t *, void *)) RMD160Final
|
|
1096 |
};
|
|
1097 |
|
|
1098 |
struct auth_hash auth_hash_key_md5 = {
|
|
1099 |
CRYPTO_MD5_KPDK, "Keyed MD5",
|
|
1100 |
- 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX),
|
|
1101 |
- (void (*)(void *)) MD5Init, MD5Update_int,
|
|
1102 |
+ 0, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
|
|
1103 |
+ (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int,
|
|
1104 |
(void (*)(u_int8_t *, void *)) MD5Final
|
|
1105 |
};
|
|
1106 |
|
|
1107 |
struct auth_hash auth_hash_key_sha1 = {
|
|
1108 |
CRYPTO_SHA1_KPDK, "Keyed SHA1",
|
|
1109 |
- 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX),
|
|
1110 |
- SHA1Init_int, SHA1Update_int, SHA1Final_int
|
|
1111 |
+ 0, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
|
|
1112 |
+ SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
|
|
1113 |
};
|
|
1114 |
|
|
1115 |
struct auth_hash auth_hash_hmac_sha2_256 = {
|
|
1116 |
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
|
|
1117 |
- 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX),
|
|
1118 |
- (void (*)(void *)) SHA256_Init, SHA256Update_int,
|
|
1119 |
+ 32, SHA2_256_HASH_LEN, sizeof(SHA256_CTX), SHA2_256_HMAC_BLOCK_LEN,
|
|
1120 |
+ (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int,
|
|
1121 |
(void (*)(u_int8_t *, void *)) SHA256_Final
|
|
1122 |
};
|
|
1123 |
|
|
1124 |
struct auth_hash auth_hash_hmac_sha2_384 = {
|
|
1125 |
CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
|
|
1126 |
- 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX),
|
|
1127 |
- (void (*)(void *)) SHA384_Init, SHA384Update_int,
|
|
1128 |
+ 48, SHA2_384_HASH_LEN, sizeof(SHA384_CTX), SHA2_384_HMAC_BLOCK_LEN,
|
|
1129 |
+ (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int,
|
|
1130 |
(void (*)(u_int8_t *, void *)) SHA384_Final
|
|
1131 |
};
|
|
1132 |
|
|
1133 |
struct auth_hash auth_hash_hmac_sha2_512 = {
|
|
1134 |
CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
|
|
1135 |
- 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX),
|
|
1136 |
- (void (*)(void *)) SHA512_Init, SHA512Update_int,
|
|
1137 |
+ 64, SHA2_512_HASH_LEN, sizeof(SHA512_CTX), SHA2_512_HMAC_BLOCK_LEN,
|
|
1138 |
+ (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int,
|
|
1139 |
(void (*)(u_int8_t *, void *)) SHA512_Final
|
|
1140 |
};
|
|
1141 |
|
|
1142 |
+struct auth_hash auth_hash_gmac_aes_128 = {
|
|
1143 |
+ CRYPTO_AES_128_GMAC, "GMAC-AES-128",
|
|
1144 |
+ 16+4, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN,
|
|
1145 |
+ (void (*)(void *)) AES_GMAC_Init,
|
|
1146 |
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
|
|
1147 |
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
|
|
1148 |
+ (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update,
|
|
1149 |
+ (void (*)(u_int8_t *, void *)) AES_GMAC_Final
|
|
1150 |
+};
|
|
1151 |
+
|
|
1152 |
+struct auth_hash auth_hash_gmac_aes_192 = {
|
|
1153 |
+ CRYPTO_AES_192_GMAC, "GMAC-AES-192",
|
|
1154 |
+ 24+4, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN,
|
|
1155 |
+ (void (*)(void *)) AES_GMAC_Init,
|
|
1156 |
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
|
|
1157 |
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
|
|
1158 |
+ (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update,
|
|
1159 |
+ (void (*)(u_int8_t *, void *)) AES_GMAC_Final
|
|
1160 |
+};
|
|
1161 |
+
|
|
1162 |
+struct auth_hash auth_hash_gmac_aes_256 = {
|
|
1163 |
+ CRYPTO_AES_256_GMAC, "GMAC-AES-256",
|
|
1164 |
+ 32+4, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN,
|
|
1165 |
+ (void (*)(void *)) AES_GMAC_Init,
|
|
1166 |
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
|
|
1167 |
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
|
|
1168 |
+ (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update,
|
|
1169 |
+ (void (*)(u_int8_t *, void *)) AES_GMAC_Final
|
|
1170 |
+};
|
|
1171 |
+
|
|
1172 |
/* Compression instance */
|
|
1173 |
struct comp_algo comp_algo_deflate = {
|
|
1174 |
CRYPTO_DEFLATE_COMP, "Deflate",
|
|
1175 |
@@ -579,6 +662,79 @@ rijndael128_zerokey(u_int8_t **sched)
|
|
1176 |
*sched = NULL;
|
|
1177 |
}
|
|
1178 |
|
|
1179 |
+void
|
|
1180 |
+aes_ctr_reinit(caddr_t key, u_int8_t *iv)
|
|
1181 |
+{
|
|
1182 |
+ struct aes_ctr_ctx *ctx;
|
|
1183 |
+
|
|
1184 |
+ ctx = (struct aes_ctr_ctx *)key;
|
|
1185 |
+ bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE);
|
|
1186 |
+
|
|
1187 |
+ /* reset counter */
|
|
1188 |
+ bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4);
|
|
1189 |
+}
|
|
1190 |
+
|
|
1191 |
+void
|
|
1192 |
+aes_gcm_reinit(caddr_t key, u_int8_t *iv)
|
|
1193 |
+{
|
|
1194 |
+ struct aes_ctr_ctx *ctx;
|
|
1195 |
+
|
|
1196 |
+ aes_ctr_reinit(key, iv);
|
|
1197 |
+
|
|
1198 |
+ ctx = (struct aes_ctr_ctx *)key;
|
|
1199 |
+ ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */
|
|
1200 |
+}
|
|
1201 |
+
|
|
1202 |
+void
|
|
1203 |
+aes_ctr_crypt(caddr_t key, u_int8_t *data)
|
|
1204 |
+{
|
|
1205 |
+ struct aes_ctr_ctx *ctx;
|
|
1206 |
+ u_int8_t keystream[AESCTR_BLOCKSIZE];
|
|
1207 |
+ int i;
|
|
1208 |
+
|
|
1209 |
+ ctx = (struct aes_ctr_ctx *)key;
|
|
1210 |
+ /* increment counter */
|
|
1211 |
+ for (i = AESCTR_BLOCKSIZE - 1;
|
|
1212 |
+ i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--)
|
|
1213 |
+ if (++ctx->ac_block[i]) /* continue on overflow */
|
|
1214 |
+ break;
|
|
1215 |
+ rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
|
|
1216 |
+ for (i = 0; i < AESCTR_BLOCKSIZE; i++)
|
|
1217 |
+ data[i] ^= keystream[i];
|
|
1218 |
+ bzero(keystream, sizeof(keystream));
|
|
1219 |
+}
|
|
1220 |
+
|
|
1221 |
+int
|
|
1222 |
+aes_ctr_setkey(u_int8_t **sched, u_int8_t *key, int len)
|
|
1223 |
+{
|
|
1224 |
+ struct aes_ctr_ctx *ctx;
|
|
1225 |
+
|
|
1226 |
+ if (len < AESCTR_NONCESIZE)
|
|
1227 |
+ return EINVAL;
|
|
1228 |
+
|
|
1229 |
+ *sched = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA,
|
|
1230 |
+ M_NOWAIT | M_ZERO);
|
|
1231 |
+ if (*sched == NULL)
|
|
1232 |
+ return ENOMEM;
|
|
1233 |
+
|
|
1234 |
+ ctx = (struct aes_ctr_ctx *)*sched;
|
|
1235 |
+ ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key,
|
|
1236 |
+ (len - AESCTR_NONCESIZE) * 8);
|
|
1237 |
+ if (ctx->ac_nr == 0)
|
|
1238 |
+ return EINVAL;
|
|
1239 |
+ bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE);
|
|
1240 |
+ return 0;
|
|
1241 |
+}
|
|
1242 |
+
|
|
1243 |
+void
|
|
1244 |
+aes_ctr_zerokey(u_int8_t **sched)
|
|
1245 |
+{
|
|
1246 |
+
|
|
1247 |
+ bzero(*sched, sizeof(struct aes_ctr_ctx));
|
|
1248 |
+ free(*sched, M_CRYPTO_DATA);
|
|
1249 |
+ *sched = NULL;
|
|
1250 |
+}
|
|
1251 |
+
|
|
1252 |
#define AES_XTS_BLOCKSIZE 16
|
|
1253 |
#define AES_XTS_IVSIZE 8
|
|
1254 |
#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */
|
|
1255 |
@@ -728,8 +884,13 @@ null_init(void *ctx)
|
|
1256 |
{
|
|
1257 |
}
|
|
1258 |
|
|
1259 |
+static void
|
|
1260 |
+null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len)
|
|
1261 |
+{
|
|
1262 |
+}
|
|
1263 |
+
|
|
1264 |
static int
|
|
1265 |
-null_update(void *ctx, u_int8_t *buf, u_int16_t len)
|
|
1266 |
+null_update(void *ctx, const u_int8_t *buf, u_int16_t len)
|
|
1267 |
{
|
|
1268 |
return 0;
|
|
1269 |
}
|
|
1270 |
@@ -742,14 +903,14 @@ null_final(u_int8_t *buf, void *ctx)
|
|
1271 |
}
|
|
1272 |
|
|
1273 |
static int
|
|
1274 |
-RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
|
1275 |
+RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
|
1276 |
{
|
|
1277 |
RMD160Update(ctx, buf, len);
|
|
1278 |
return 0;
|
|
1279 |
}
|
|
1280 |
|
|
1281 |
static int
|
|
1282 |
-MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
|
1283 |
+MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
|
1284 |
{
|
|
1285 |
MD5Update(ctx, buf, len);
|
|
1286 |
return 0;
|
|
1287 |
@@ -762,7 +923,7 @@ SHA1Init_int(void *ctx)
|
|
1288 |
}
|
|
1289 |
|
|
1290 |
static int
|
|
1291 |
-SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
|
1292 |
+SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
|
1293 |
{
|
|
1294 |
SHA1Update(ctx, buf, len);
|
|
1295 |
return 0;
|
|
1296 |
@@ -775,21 +936,21 @@ SHA1Final_int(u_int8_t *blk, void *ctx)
|
|
1297 |
}
|
|
1298 |
|
|
1299 |
static int
|
|
1300 |
-SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
|
1301 |
+SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
|
1302 |
{
|
|
1303 |
SHA256_Update(ctx, buf, len);
|
|
1304 |
return 0;
|
|
1305 |
}
|
|
1306 |
|
|
1307 |
static int
|
|
1308 |
-SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
|
1309 |
+SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
|
1310 |
{
|
|
1311 |
SHA384_Update(ctx, buf, len);
|
|
1312 |
return 0;
|
|
1313 |
}
|
|
1314 |
|
|
1315 |
static int
|
|
1316 |
-SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
|
1317 |
+SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
|
1318 |
{
|
|
1319 |
SHA512_Update(ctx, buf, len);
|
|
1320 |
return 0;
|
|
1321 |
diff --git a/sys/opencrypto/xform.h b/sys/opencrypto/xform.h
|
|
1322 |
index 8df7b07..c92723c 100644
|
|
1323 |
--- a/sys/opencrypto/xform.h
|
|
1324 |
+++ b/sys/opencrypto/xform.h
|
|
1325 |
@@ -29,6 +29,7 @@
|
|
1326 |
#include <crypto/sha1.h>
|
|
1327 |
#include <crypto/sha2/sha2.h>
|
|
1328 |
#include <opencrypto/rmd160.h>
|
|
1329 |
+#include <opencrypto/gmac.h>
|
|
1330 |
|
|
1331 |
/* Declarations */
|
|
1332 |
struct auth_hash {
|
|
1333 |
@@ -36,10 +37,12 @@ struct auth_hash {
|
|
1334 |
char *name;
|
|
1335 |
u_int16_t keysize;
|
|
1336 |
u_int16_t hashsize;
|
|
1337 |
- u_int16_t blocksize;
|
|
1338 |
u_int16_t ctxsize;
|
|
1339 |
+ u_int16_t blocksize;
|
|
1340 |
void (*Init) (void *);
|
|
1341 |
- int (*Update) (void *, u_int8_t *, u_int16_t);
|
|
1342 |
+ void (*Setkey) (void *, const u_int8_t *, u_int16_t);
|
|
1343 |
+ void (*Reinit) (void *, const u_int8_t *, u_int16_t);
|
|
1344 |
+ int (*Update) (void *, const u_int8_t *, u_int16_t);
|
|
1345 |
void (*Final) (u_int8_t *, void *);
|
|
1346 |
};
|
|
1347 |
|
|
1348 |
@@ -53,7 +56,7 @@ struct enc_xform {
|
|
1349 |
u_int16_t minkey, maxkey;
|
|
1350 |
void (*encrypt) (caddr_t, u_int8_t *);
|
|
1351 |
void (*decrypt) (caddr_t, u_int8_t *);
|
|
1352 |
- int (*setkey) (u_int8_t **, u_int8_t *, int len);
|
|
1353 |
+ int (*setkey) (u_int8_t **, u_int8_t *, int);
|
|
1354 |
void (*zerokey) (u_int8_t **);
|
|
1355 |
void (*reinit) (caddr_t, u_int8_t *);
|
|
1356 |
};
|
|
1357 |
@@ -73,6 +76,7 @@ union authctx {
|
|
1358 |
SHA256_CTX sha256ctx;
|
|
1359 |
SHA384_CTX sha384ctx;
|
|
1360 |
SHA512_CTX sha512ctx;
|
|
1361 |
+ AES_GMAC_CTX aes_gmac_ctx;
|
|
1362 |
};
|
|
1363 |
|
|
1364 |
extern struct enc_xform enc_xform_null;
|
|
1365 |
@@ -82,6 +86,9 @@ extern struct enc_xform enc_xform_blf;
|
|
1366 |
extern struct enc_xform enc_xform_cast5;
|
|
1367 |
extern struct enc_xform enc_xform_skipjack;
|
|
1368 |
extern struct enc_xform enc_xform_rijndael128;
|
|
1369 |
+extern struct enc_xform enc_xform_aes_ctr;
|
|
1370 |
+extern struct enc_xform enc_xform_aes_gcm;
|
|
1371 |
+extern struct enc_xform enc_xform_aes_gmac;
|
|
1372 |
extern struct enc_xform enc_xform_aes_xts;
|
|
1373 |
extern struct enc_xform enc_xform_arc4;
|
|
1374 |
extern struct enc_xform enc_xform_camellia;
|
|
1375 |
@@ -95,6 +102,9 @@ extern struct auth_hash auth_hash_hmac_ripemd_160;
|
|
1376 |
extern struct auth_hash auth_hash_hmac_sha2_256;
|
|
1377 |
extern struct auth_hash auth_hash_hmac_sha2_384;
|
|
1378 |
extern struct auth_hash auth_hash_hmac_sha2_512;
|
|
1379 |
+extern struct auth_hash auth_hash_gmac_aes_128;
|
|
1380 |
+extern struct auth_hash auth_hash_gmac_aes_192;
|
|
1381 |
+extern struct auth_hash auth_hash_gmac_aes_256;
|
|
1382 |
|
|
1383 |
extern struct comp_algo comp_algo_deflate;
|
|
1384 |
|
|
1385 |
diff --git a/usr.bin/netstat/ipsec.c b/usr.bin/netstat/ipsec.c
|
|
1386 |
index b4014ad..af1b234 100644
|
|
1387 |
--- a/usr.bin/netstat/ipsec.c
|
|
1388 |
+++ b/usr.bin/netstat/ipsec.c
|
|
1389 |
@@ -155,6 +155,9 @@ static struct val2str ipsec_espnames[] = {
|
|
1390 |
#ifdef SADB_X_EALG_AESCTR
|
|
1391 |
{ SADB_X_EALG_AESCTR, "aes-ctr", },
|
|
1392 |
#endif
|
|
1393 |
+#ifdef SADB_X_EALG_AESGCM16
|
|
1394 |
+ { SADB_X_EALG_AESGCM16, "aes-gcm-16", },
|
|
1395 |
+#endif
|
|
1396 |
{ -1, NULL },
|
|
1397 |
};
|
|
1398 |
|
Add AES-GCM software version implementation for IPSec