1
|
diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c
|
2
|
index 068ad0e..872aa43 100644
|
3
|
--- a/lib/libipsec/pfkey_dump.c
|
4
|
+++ b/lib/libipsec/pfkey_dump.c
|
5
|
@@ -187,6 +187,9 @@ static struct val2str str_alg_enc[] = {
|
6
|
#ifdef SADB_X_EALG_AESCTR
|
7
|
{ SADB_X_EALG_AESCTR, "aes-ctr", },
|
8
|
#endif
|
9
|
+#ifdef SADB_X_EALG_AESGCM16
|
10
|
+ { SADB_X_EALG_AESGCM16, "aes-gcm-16", },
|
11
|
+#endif
|
12
|
#ifdef SADB_X_EALG_CAMELLIACBC
|
13
|
{ SADB_X_EALG_CAMELLIACBC, "camellia-cbc", },
|
14
|
#endif
|
15
|
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
|
16
|
index 19a9164..0e67bb2 100644
|
17
|
--- a/sbin/setkey/setkey.8
|
18
|
+++ b/sbin/setkey/setkey.8
|
19
|
@@ -627,11 +627,12 @@ des-deriv 64 ipsec-ciph-des-derived-01
|
20
|
3des-deriv 192 no document
|
21
|
rijndael-cbc 128/192/256 rfc3602
|
22
|
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
|
23
|
+aes-gcm-16 160/224/288 rfc4106
|
24
|
camllia-cbc 128/192/256 rfc4312
|
25
|
.Ed
|
26
|
.Pp
|
27
|
Note that the first 128/192/256 bits of a key for
|
28
|
-.Li aes-ctr
|
29
|
+.Li aes-ctr or aes-gcm-16
|
30
|
will be used as AES key, and remaining 32 bits will be used as nonce.
|
31
|
.Pp
|
32
|
The following are the list of compression algorithms that can be used
|
33
|
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
|
34
|
index c89982f..f258e63 100644
|
35
|
--- a/sbin/setkey/token.l
|
36
|
+++ b/sbin/setkey/token.l
|
37
|
@@ -168,6 +168,7 @@ tcp { yylval.num = 0; return(PR_TCP); }
|
38
|
<S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); }
|
39
|
<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
|
40
|
<S_ENCALG>camellia-cbc { yylval.num = SADB_X_EALG_CAMELLIACBC; BEGIN INITIAL; return(ALG_ENC); }
|
41
|
+<S_ENCALG>aes-gcm-16 { yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC); }
|
42
|
|
43
|
/* compression algorithms */
|
44
|
{hyphen}C { return(F_COMP); }
|
45
|
diff --git a/sys/conf/files b/sys/conf/files
|
46
|
index e978443..8440b86 100644
|
47
|
--- a/sys/conf/files
|
48
|
+++ b/sys/conf/files
|
49
|
@@ -3777,6 +3777,7 @@ opencrypto/cryptodev.c optional cryptodev
|
50
|
opencrypto/cryptodev_if.m optional crypto
|
51
|
opencrypto/cryptosoft.c optional crypto
|
52
|
opencrypto/cryptodeflate.c optional crypto
|
53
|
+opencrypto/gmac.c optional crypto
|
54
|
opencrypto/rmd160.c optional crypto | ipsec
|
55
|
opencrypto/skipjack.c optional crypto
|
56
|
opencrypto/xform.c optional crypto
|
57
|
diff --git a/sys/crypto/via/padlock_hash.c b/sys/crypto/via/padlock_hash.c
|
58
|
index 924a9ec..133581f 100644
|
59
|
--- a/sys/crypto/via/padlock_hash.c
|
60
|
+++ b/sys/crypto/via/padlock_hash.c
|
61
|
@@ -75,7 +75,7 @@ struct padlock_sha_ctx {
|
62
|
CTASSERT(sizeof(struct padlock_sha_ctx) <= sizeof(union authctx));
|
63
|
|
64
|
static void padlock_sha_init(struct padlock_sha_ctx *ctx);
|
65
|
-static int padlock_sha_update(struct padlock_sha_ctx *ctx, uint8_t *buf,
|
66
|
+static int padlock_sha_update(struct padlock_sha_ctx *ctx, const uint8_t *buf,
|
67
|
uint16_t bufsize);
|
68
|
static void padlock_sha1_final(uint8_t *hash, struct padlock_sha_ctx *ctx);
|
69
|
static void padlock_sha256_final(uint8_t *hash, struct padlock_sha_ctx *ctx);
|
70
|
@@ -83,16 +83,16 @@ static void padlock_sha256_final(uint8_t *hash, struct padlock_sha_ctx *ctx);
|
71
|
static struct auth_hash padlock_hmac_sha1 = {
|
72
|
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
|
73
|
20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(struct padlock_sha_ctx),
|
74
|
- (void (*)(void *))padlock_sha_init,
|
75
|
- (int (*)(void *, uint8_t *, uint16_t))padlock_sha_update,
|
76
|
+ (void (*)(void *))padlock_sha_init, NULL, NULL,
|
77
|
+ (int (*)(void *, const uint8_t *, uint16_t))padlock_sha_update,
|
78
|
(void (*)(uint8_t *, void *))padlock_sha1_final
|
79
|
};
|
80
|
|
81
|
static struct auth_hash padlock_hmac_sha256 = {
|
82
|
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
|
83
|
32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(struct padlock_sha_ctx),
|
84
|
- (void (*)(void *))padlock_sha_init,
|
85
|
- (int (*)(void *, uint8_t *, uint16_t))padlock_sha_update,
|
86
|
+ (void (*)(void *))padlock_sha_init, NULL, NULL,
|
87
|
+ (int (*)(void *, const uint8_t *, uint16_t))padlock_sha_update,
|
88
|
(void (*)(uint8_t *, void *))padlock_sha256_final
|
89
|
};
|
90
|
|
91
|
@@ -167,7 +167,7 @@ padlock_sha_init(struct padlock_sha_ctx *ctx)
|
92
|
}
|
93
|
|
94
|
static int
|
95
|
-padlock_sha_update(struct padlock_sha_ctx *ctx, uint8_t *buf, uint16_t bufsize)
|
96
|
+padlock_sha_update(struct padlock_sha_ctx *ctx, const uint8_t *buf, uint16_t bufsize)
|
97
|
{
|
98
|
|
99
|
if (ctx->psc_size - ctx->psc_offset < bufsize) {
|
100
|
diff --git a/sys/modules/crypto/Makefile b/sys/modules/crypto/Makefile
|
101
|
index 6a37c10..7d84c97 100644
|
102
|
--- a/sys/modules/crypto/Makefile
|
103
|
+++ b/sys/modules/crypto/Makefile
|
104
|
@@ -15,6 +15,7 @@ SRCS += cast.c cryptodeflate.c rmd160.c rijndael-alg-fst.c rijndael-api.c
|
105
|
SRCS += skipjack.c bf_enc.c bf_ecb.c bf_skey.c
|
106
|
SRCS += des_ecb.c des_enc.c des_setkey.c
|
107
|
SRCS += sha1.c sha2.c
|
108
|
+SRCS += gmac.c
|
109
|
SRCS += opt_param.h cryptodev_if.h bus_if.h device_if.h
|
110
|
SRCS += opt_ddb.h opt_kdtrace.h
|
111
|
SRCS += camellia.c camellia-api.c
|
112
|
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
|
113
|
index c45f8b0..fc8bea7 100644
|
114
|
--- a/sys/net/pfkeyv2.h
|
115
|
+++ b/sys/net/pfkeyv2.h
|
116
|
@@ -343,6 +343,9 @@ struct sadb_x_nat_t_frag {
|
117
|
#define SADB_X_AALG_SHA2_512 7
|
118
|
#define SADB_X_AALG_RIPEMD160HMAC 8
|
119
|
#define SADB_X_AALG_AES_XCBC_MAC 9 /* draft-ietf-ipsec-ciph-aes-xcbc-mac-04 */
|
120
|
+#define SADB_X_AALG_AES128GMAC 11 /* RFC4543 + Errata1821 */
|
121
|
+#define SADB_X_AALG_AES192GMAC 12
|
122
|
+#define SADB_X_AALG_AES256GMAC 13
|
123
|
/* private allocations should use 249-255 (RFC2407) */
|
124
|
#define SADB_X_AALG_MD5 249 /* Keyed MD5 */
|
125
|
#define SADB_X_AALG_SHA 250 /* Keyed SHA */
|
126
|
@@ -360,6 +363,9 @@ struct sadb_x_nat_t_frag {
|
127
|
#define SADB_X_EALG_BLOWFISHCBC 7
|
128
|
#define SADB_X_EALG_RIJNDAELCBC 12
|
129
|
#define SADB_X_EALG_AES 12
|
130
|
+#define SADB_X_EALG_AESGCM8 18 /* RFC4106 */
|
131
|
+#define SADB_X_EALG_AESGCM12 19
|
132
|
+#define SADB_X_EALG_AESGCM16 20
|
133
|
/* private allocations - based on RFC4312/IANA assignment */
|
134
|
#define SADB_X_EALG_CAMELLIACBC 22
|
135
|
/* private allocations should use 249-255 (RFC2407) */
|
136
|
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
|
137
|
index bb6d1e6..2639634 100644
|
138
|
--- a/sys/netipsec/xform_esp.c
|
139
|
+++ b/sys/netipsec/xform_esp.c
|
140
|
@@ -120,6 +120,10 @@ esp_algorithm_lookup(int alg)
|
141
|
return &enc_xform_null;
|
142
|
case SADB_X_EALG_CAMELLIACBC:
|
143
|
return &enc_xform_camellia;
|
144
|
+ case SADB_X_EALG_AESCTR:
|
145
|
+ return &enc_xform_aes_ctr;
|
146
|
+ case SADB_X_EALG_AESGCM16:
|
147
|
+ return &enc_xform_aes_gcm;
|
148
|
}
|
149
|
return NULL;
|
150
|
}
|
151
|
@@ -214,6 +218,27 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
|
152
|
sav->tdb_xform = xsp;
|
153
|
sav->tdb_encalgxform = txform;
|
154
|
|
155
|
+ if (sav->alg_enc == SADB_X_EALG_AESGCM16) {
|
156
|
+ switch (keylen) {
|
157
|
+ case 20:
|
158
|
+ sav->alg_auth = SADB_X_AALG_AES128GMAC;
|
159
|
+ sav->tdb_authalgxform = &auth_hash_gmac_aes_128;
|
160
|
+ break;
|
161
|
+ case 28:
|
162
|
+ sav->alg_auth = SADB_X_AALG_AES192GMAC;
|
163
|
+ sav->tdb_authalgxform = &auth_hash_gmac_aes_192;
|
164
|
+ break;
|
165
|
+ case 36:
|
166
|
+ sav->alg_auth = SADB_X_AALG_AES256GMAC;
|
167
|
+ sav->tdb_authalgxform = &auth_hash_gmac_aes_256;
|
168
|
+ break;
|
169
|
+ }
|
170
|
+ bzero(&cria, sizeof(cria));
|
171
|
+ cria.cri_alg = sav->tdb_authalgxform->type;
|
172
|
+ cria.cri_klen = _KEYBITS(sav->key_enc);
|
173
|
+ cria.cri_key = sav->key_enc->key_data;
|
174
|
+ }
|
175
|
+
|
176
|
/* Initialize crypto session. */
|
177
|
bzero(&crie, sizeof (crie));
|
178
|
crie.cri_alg = sav->tdb_encalgxform->type;
|
179
|
@@ -309,6 +334,11 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
180
|
case CRYPTO_SHA2_512_HMAC:
|
181
|
alen = esph->hashsize/2;
|
182
|
break;
|
183
|
+ case CRYPTO_AES_128_GMAC:
|
184
|
+ case CRYPTO_AES_192_GMAC:
|
185
|
+ case CRYPTO_AES_256_GMAC:
|
186
|
+ alen = esph->hashsize;
|
187
|
+ break;
|
188
|
default:
|
189
|
alen = AH_HMAC_HASHLEN;
|
190
|
break;
|
191
|
@@ -396,12 +426,20 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
192
|
|
193
|
/* Authentication descriptor */
|
194
|
crda->crd_skip = skip;
|
195
|
- crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
196
|
+ if (espx && espx->type == CRYPTO_AES_GCM_16)
|
197
|
+ crda->crd_len = hlen - sav->ivlen;
|
198
|
+ else
|
199
|
+ crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
200
|
crda->crd_inject = m->m_pkthdr.len - alen;
|
201
|
|
202
|
crda->crd_alg = esph->type;
|
203
|
- crda->crd_key = sav->key_auth->key_data;
|
204
|
- crda->crd_klen = _KEYBITS(sav->key_auth);
|
205
|
+ if (espx && (espx->type == CRYPTO_AES_GCM_16)) {
|
206
|
+ crda->crd_key = sav->key_enc->key_data;
|
207
|
+ crda->crd_klen = _KEYBITS(sav->key_enc);
|
208
|
+ } else {
|
209
|
+ crda->crd_key = sav->key_auth->key_data;
|
210
|
+ crda->crd_klen = _KEYBITS(sav->key_auth);
|
211
|
+ }
|
212
|
|
213
|
/* Copy the authenticator */
|
214
|
if (mtag == NULL)
|
215
|
@@ -521,6 +559,11 @@ esp_input_cb(struct cryptop *crp)
|
216
|
case CRYPTO_SHA2_512_HMAC:
|
217
|
alen = esph->hashsize/2;
|
218
|
break;
|
219
|
+ case CRYPTO_AES_128_GMAC:
|
220
|
+ case CRYPTO_AES_192_GMAC:
|
221
|
+ case CRYPTO_AES_256_GMAC:
|
222
|
+ alen = esph->hashsize;
|
223
|
+ break;
|
224
|
default:
|
225
|
alen = AH_HMAC_HASHLEN;
|
226
|
break;
|
227
|
@@ -891,13 +934,21 @@ esp_output(
|
228
|
if (esph) {
|
229
|
/* Authentication descriptor. */
|
230
|
crda->crd_skip = skip;
|
231
|
- crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
232
|
+ if (espx && espx->type == CRYPTO_AES_GCM_16)
|
233
|
+ crda->crd_len = hlen - sav->ivlen;
|
234
|
+ else
|
235
|
+ crda->crd_len = m->m_pkthdr.len - (skip + alen);
|
236
|
crda->crd_inject = m->m_pkthdr.len - alen;
|
237
|
|
238
|
/* Authentication operation. */
|
239
|
crda->crd_alg = esph->type;
|
240
|
- crda->crd_key = sav->key_auth->key_data;
|
241
|
- crda->crd_klen = _KEYBITS(sav->key_auth);
|
242
|
+ if (espx && espx->type == CRYPTO_AES_GCM_16) {
|
243
|
+ crda->crd_key = sav->key_enc->key_data;
|
244
|
+ crda->crd_klen = _KEYBITS(sav->key_enc);
|
245
|
+ } else {
|
246
|
+ crda->crd_key = sav->key_auth->key_data;
|
247
|
+ crda->crd_klen = _KEYBITS(sav->key_auth);
|
248
|
+ }
|
249
|
}
|
250
|
|
251
|
return crypto_dispatch(crp);
|
252
|
@@ -988,6 +1039,11 @@ esp_output_cb(struct cryptop *crp)
|
253
|
case CRYPTO_SHA2_512_HMAC:
|
254
|
alen = esph->hashsize/2;
|
255
|
break;
|
256
|
+ case CRYPTO_AES_128_GMAC:
|
257
|
+ case CRYPTO_AES_192_GMAC:
|
258
|
+ case CRYPTO_AES_256_GMAC:
|
259
|
+ alen = esph->hashsize;
|
260
|
+ break;
|
261
|
default:
|
262
|
alen = AH_HMAC_HASHLEN;
|
263
|
break;
|
264
|
diff --git a/sys/opencrypto/cryptodev.c b/sys/opencrypto/cryptodev.c
|
265
|
index 44bfa5c..cbb8531 100644
|
266
|
--- a/sys/opencrypto/cryptodev.c
|
267
|
+++ b/sys/opencrypto/cryptodev.c
|
268
|
@@ -434,6 +434,13 @@ cryptof_ioctl(
|
269
|
case CRYPTO_CAMELLIA_CBC:
|
270
|
txform = &enc_xform_camellia;
|
271
|
break;
|
272
|
+ case CRYPTO_AES_CTR:
|
273
|
+ txform = &enc_xform_aes_ctr;
|
274
|
+ break;
|
275
|
+ case CRYPTO_AES_GCM_16:
|
276
|
+ txform = &enc_xform_aes_gcm;
|
277
|
+ break;
|
278
|
+
|
279
|
default:
|
280
|
return (EINVAL);
|
281
|
}
|
282
|
@@ -459,6 +466,16 @@ cryptof_ioctl(
|
283
|
case CRYPTO_RIPEMD160_HMAC:
|
284
|
thash = &auth_hash_hmac_ripemd_160;
|
285
|
break;
|
286
|
+ case CRYPTO_AES_128_GMAC:
|
287
|
+ thash = &auth_hash_gmac_aes_128;
|
288
|
+ break;
|
289
|
+ case CRYPTO_AES_192_GMAC:
|
290
|
+ thash = &auth_hash_gmac_aes_192;
|
291
|
+ break;
|
292
|
+ case CRYPTO_AES_256_GMAC:
|
293
|
+ thash = &auth_hash_gmac_aes_256;
|
294
|
+ break;
|
295
|
+
|
296
|
#ifdef notdef
|
297
|
case CRYPTO_MD5:
|
298
|
thash = &auth_hash_md5;
|
299
|
diff --git a/sys/opencrypto/cryptodev.h b/sys/opencrypto/cryptodev.h
|
300
|
index e299522..fbf049b 100644
|
301
|
--- a/sys/opencrypto/cryptodev.h
|
302
|
+++ b/sys/opencrypto/cryptodev.h
|
303
|
@@ -72,6 +72,7 @@
|
304
|
#define SHA2_512_HASH_LEN 64
|
305
|
#define MD5_KPDK_HASH_LEN 16
|
306
|
#define SHA1_KPDK_HASH_LEN 20
|
307
|
+#define AES_GMAC_HASH_LEN 16
|
308
|
/* Maximum hash algorithm result length */
|
309
|
#define HASH_MAX_LEN SHA2_512_HASH_LEN /* Keep this updated */
|
310
|
|
311
|
@@ -100,6 +101,9 @@
|
312
|
#define CAMELLIA_BLOCK_LEN 16
|
313
|
#define EALG_MAX_BLOCK_LEN AES_BLOCK_LEN /* Keep this updated */
|
314
|
|
315
|
+/* Maximum hash algorithm result length */
|
316
|
+#define AALG_MAX_RESULT_LEN 64 /* Keep this updated */
|
317
|
+
|
318
|
#define CRYPTO_ALGORITHM_MIN 1
|
319
|
#define CRYPTO_DES_CBC 1
|
320
|
#define CRYPTO_3DES_CBC 2
|
321
|
@@ -122,9 +126,15 @@
|
322
|
#define CRYPTO_SHA2_256_HMAC 18
|
323
|
#define CRYPTO_SHA2_384_HMAC 19
|
324
|
#define CRYPTO_SHA2_512_HMAC 20
|
325
|
-#define CRYPTO_CAMELLIA_CBC 21
|
326
|
+#define CRYPTO_CAMELLIA_CBC 21
|
327
|
#define CRYPTO_AES_XTS 22
|
328
|
-#define CRYPTO_ALGORITHM_MAX 22 /* Keep updated - see below */
|
329
|
+#define CRYPTO_AES_CTR 23
|
330
|
+#define CRYPTO_AES_GCM_16 24
|
331
|
+#define CRYPTO_AES_128_GMAC 25
|
332
|
+#define CRYPTO_AES_192_GMAC 26
|
333
|
+#define CRYPTO_AES_256_GMAC 27
|
334
|
+#define CRYPTO_AES_GMAC 28
|
335
|
+#define CRYPTO_ALGORITHM_MAX 28 /* Keep updated - see below */
|
336
|
|
337
|
/* Algorithm flags */
|
338
|
#define CRYPTO_ALG_FLAG_SUPPORTED 0x01 /* Algorithm is supported */
|
339
|
@@ -276,7 +286,12 @@ struct cryptoini {
|
340
|
int cri_mlen; /* Number of bytes we want from the
|
341
|
entire hash. 0 means all. */
|
342
|
caddr_t cri_key; /* key to use */
|
343
|
- u_int8_t cri_iv[EALG_MAX_BLOCK_LEN]; /* IV to use */
|
344
|
+ union {
|
345
|
+ u_int8_t iv[EALG_MAX_BLOCK_LEN]; /* IV to use */
|
346
|
+ u_int8_t esn[4]; /* high-order ESN */
|
347
|
+ } u;
|
348
|
+#define cri_iv u.iv
|
349
|
+#define cri_esn u.esn
|
350
|
struct cryptoini *cri_next;
|
351
|
};
|
352
|
|
353
|
@@ -294,8 +309,10 @@ struct cryptodesc {
|
354
|
#define CRD_F_DSA_SHA_NEEDED 0x08 /* Compute SHA-1 of buffer for DSA */
|
355
|
#define CRD_F_KEY_EXPLICIT 0x10 /* Key explicitly provided */
|
356
|
#define CRD_F_COMP 0x0f /* Set when doing compression */
|
357
|
+#define CRD_F_ESN 0x20 /* Set when doing compression */
|
358
|
|
359
|
struct cryptoini CRD_INI; /* Initialization/context data */
|
360
|
+#define crd_esn CRD_INI.cri_esn
|
361
|
#define crd_iv CRD_INI.cri_iv
|
362
|
#define crd_key CRD_INI.cri_key
|
363
|
#define crd_alg CRD_INI.cri_alg
|
364
|
diff --git a/sys/opencrypto/cryptosoft.c b/sys/opencrypto/cryptosoft.c
|
365
|
index d73f462..a1f7480 100644
|
366
|
--- a/sys/opencrypto/cryptosoft.c
|
367
|
+++ b/sys/opencrypto/cryptosoft.c
|
368
|
@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
|
369
|
#include <sys/random.h>
|
370
|
#include <sys/kernel.h>
|
371
|
#include <sys/uio.h>
|
372
|
+#include <sys/endian.h>
|
373
|
|
374
|
#include <crypto/blowfish/blowfish.h>
|
375
|
#include <crypto/sha1.h>
|
376
|
@@ -60,6 +61,7 @@ u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
|
377
|
|
378
|
static int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
|
379
|
static int swcr_authcompute(struct cryptodesc *, struct swcr_data *, caddr_t, int);
|
380
|
+static int swcr_authenc(struct cryptop *crp);
|
381
|
static int swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
|
382
|
static int swcr_freesession(device_t dev, u_int64_t tid);
|
383
|
|
384
|
@@ -579,6 +581,164 @@ swcr_authcompute(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
|
385
|
}
|
386
|
|
387
|
/*
|
388
|
+ * Apply a combined encryption-authentication transformation
|
389
|
+ */
|
390
|
+static int
|
391
|
+swcr_authenc(struct cryptop *crp)
|
392
|
+{
|
393
|
+ uint32_t blkbuf[howmany(EALG_MAX_BLOCK_LEN, sizeof(uint32_t))];
|
394
|
+ u_char *blk = (u_char *)blkbuf;
|
395
|
+ u_char aalg[AALG_MAX_RESULT_LEN];
|
396
|
+ u_char iv[EALG_MAX_BLOCK_LEN];
|
397
|
+ union authctx ctx;
|
398
|
+ struct cryptodesc *crd, *crda = NULL, *crde = NULL;
|
399
|
+ struct swcr_data *sw, *swa, *swe = NULL;
|
400
|
+ struct auth_hash *axf = NULL;
|
401
|
+ struct enc_xform *exf = NULL;
|
402
|
+ caddr_t buf = (caddr_t)crp->crp_buf;
|
403
|
+ uint32_t *blkp;
|
404
|
+ int aadlen, blksz, i, ivlen, len, iskip, oskip;
|
405
|
+
|
406
|
+ ivlen = blksz = iskip = oskip = 0;
|
407
|
+
|
408
|
+ for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
|
409
|
+ for (sw = swcr_sessions[crp->crp_sid & 0xffffffff];
|
410
|
+ sw && sw->sw_alg != crd->crd_alg;
|
411
|
+ sw = sw->sw_next)
|
412
|
+ ;
|
413
|
+ if (sw == NULL)
|
414
|
+ return (EINVAL);
|
415
|
+
|
416
|
+ switch (sw->sw_alg) {
|
417
|
+ case CRYPTO_AES_GCM_16:
|
418
|
+ case CRYPTO_AES_GMAC:
|
419
|
+ swe = sw;
|
420
|
+ crde = crd;
|
421
|
+ exf = swe->sw_exf;
|
422
|
+ ivlen = 8;
|
423
|
+ break;
|
424
|
+ case CRYPTO_AES_128_GMAC:
|
425
|
+ case CRYPTO_AES_192_GMAC:
|
426
|
+ case CRYPTO_AES_256_GMAC:
|
427
|
+ swa = sw;
|
428
|
+ crda = crd;
|
429
|
+ axf = swa->sw_axf;
|
430
|
+ if (swa->sw_ictx == 0)
|
431
|
+ return (EINVAL);
|
432
|
+ bcopy(swa->sw_ictx, &ctx, axf->ctxsize);
|
433
|
+ blksz = axf->blocksize;
|
434
|
+ break;
|
435
|
+ default:
|
436
|
+ return (EINVAL);
|
437
|
+ }
|
438
|
+ }
|
439
|
+ if (crde == NULL || crda == NULL)
|
440
|
+ return (EINVAL);
|
441
|
+
|
442
|
+ /* Initialize the IV */
|
443
|
+ if (crde->crd_flags & CRD_F_ENCRYPT) {
|
444
|
+ /* IV explicitly provided ? */
|
445
|
+ if (crde->crd_flags & CRD_F_IV_EXPLICIT)
|
446
|
+ bcopy(crde->crd_iv, iv, ivlen);
|
447
|
+ else
|
448
|
+ arc4rand(iv, ivlen, 0);
|
449
|
+
|
450
|
+ /* Do we need to write the IV */
|
451
|
+ if (!(crde->crd_flags & CRD_F_IV_PRESENT))
|
452
|
+ crypto_copyback(crp->crp_flags, buf, crde->crd_inject,
|
453
|
+ ivlen, iv);
|
454
|
+
|
455
|
+ } else { /* Decryption */
|
456
|
+ /* IV explicitly provided ? */
|
457
|
+ if (crde->crd_flags & CRD_F_IV_EXPLICIT)
|
458
|
+ bcopy(crde->crd_iv, iv, ivlen);
|
459
|
+ else {
|
460
|
+ /* Get IV off buf */
|
461
|
+ crypto_copydata(crp->crp_flags, buf, crde->crd_inject,
|
462
|
+ ivlen, iv);
|
463
|
+ }
|
464
|
+ }
|
465
|
+
|
466
|
+ /* Supply MAC with IV */
|
467
|
+ if (axf->Reinit)
|
468
|
+ axf->Reinit(&ctx, iv, ivlen);
|
469
|
+
|
470
|
+ /* Supply MAC with AAD */
|
471
|
+ aadlen = crda->crd_len;
|
472
|
+ /*
|
473
|
+ * Section 5 of RFC 4106 specifies that AAD construction consists of
|
474
|
+ * {SPI, ESN, SN} whereas the real packet contains only {SPI, SN}.
|
475
|
+ * Unfortunately it doesn't follow a good example set in the Section
|
476
|
+ * 3.3.2.1 of RFC 4303 where upper part of the ESN, located in the
|
477
|
+ * external (to the packet) memory buffer, is processed by the hash
|
478
|
+ * function in the end thus allowing to retain simple programming
|
479
|
+ * interfaces and avoid kludges like the one below.
|
480
|
+ */
|
481
|
+ if (crda->crd_flags & CRD_F_ESN) {
|
482
|
+ aadlen += 4;
|
483
|
+ /* SPI */
|
484
|
+ crypto_copydata(crp->crp_flags, buf, crda->crd_skip, 4, blk);
|
485
|
+ iskip = 4; /* loop below will start with an offset of 4 */
|
486
|
+ /* ESN */
|
487
|
+ bcopy(crda->crd_esn, blk + 4, 4);
|
488
|
+ oskip = iskip + 4; /* offset output buffer blk by 8 */
|
489
|
+ }
|
490
|
+ for (i = iskip; i < crda->crd_len; i += blksz) {
|
491
|
+ len = MIN(crda->crd_len - i, blksz - oskip);
|
492
|
+ crypto_copydata(crp->crp_flags, buf, crda->crd_skip + i, len,
|
493
|
+ blk + oskip);
|
494
|
+ bzero(blk + len + oskip, blksz - len - oskip);
|
495
|
+ axf->Update(&ctx, blk, blksz);
|
496
|
+ oskip = 0; /* reset initial output offset */
|
497
|
+ }
|
498
|
+
|
499
|
+ if (exf->reinit)
|
500
|
+ exf->reinit(swe->sw_kschedule, iv);
|
501
|
+
|
502
|
+ /* Do encryption/decryption with MAC */
|
503
|
+ for (i = 0; i < crde->crd_len; i += blksz) {
|
504
|
+ len = MIN(crde->crd_len - i, blksz);
|
505
|
+ if (len < blksz)
|
506
|
+ bzero(blk, blksz);
|
507
|
+ crypto_copydata(crp->crp_flags, buf, crde->crd_skip + i, len,
|
508
|
+ blk);
|
509
|
+ if (crde->crd_flags & CRD_F_ENCRYPT) {
|
510
|
+ exf->encrypt(swe->sw_kschedule, blk);
|
511
|
+ axf->Update(&ctx, blk, len);
|
512
|
+ } else {
|
513
|
+ axf->Update(&ctx, blk, len);
|
514
|
+ exf->decrypt(swe->sw_kschedule, blk);
|
515
|
+ }
|
516
|
+ crypto_copyback(crp->crp_flags, buf, crde->crd_skip + i, len,
|
517
|
+ blk);
|
518
|
+ }
|
519
|
+
|
520
|
+ /* Do any required special finalization */
|
521
|
+ switch (crda->crd_alg) {
|
522
|
+ case CRYPTO_AES_128_GMAC:
|
523
|
+ case CRYPTO_AES_192_GMAC:
|
524
|
+ case CRYPTO_AES_256_GMAC:
|
525
|
+ /* length block */
|
526
|
+ bzero(blk, blksz);
|
527
|
+ blkp = (uint32_t *)blk + 1;
|
528
|
+ *blkp = htobe32(aadlen * 8);
|
529
|
+ blkp = (uint32_t *)blk + 3;
|
530
|
+ *blkp = htobe32(crde->crd_len * 8);
|
531
|
+ axf->Update(&ctx, blk, blksz);
|
532
|
+ break;
|
533
|
+ }
|
534
|
+
|
535
|
+ /* Finalize MAC */
|
536
|
+ axf->Final(aalg, &ctx);
|
537
|
+
|
538
|
+ /* Inject the authentication data */
|
539
|
+ crypto_copyback(crp->crp_flags, buf, crda->crd_inject, axf->hashsize,
|
540
|
+ aalg);
|
541
|
+
|
542
|
+ return (0);
|
543
|
+}
|
544
|
+
|
545
|
+/*
|
546
|
* Apply a compression/decompression algorithm
|
547
|
*/
|
548
|
static int
|
549
|
@@ -738,6 +898,16 @@ swcr_newsession(device_t dev, u_int32_t *sid, struct cryptoini *cri)
|
550
|
case CRYPTO_AES_XTS:
|
551
|
txf = &enc_xform_aes_xts;
|
552
|
goto enccommon;
|
553
|
+ case CRYPTO_AES_CTR:
|
554
|
+ txf = &enc_xform_aes_ctr;
|
555
|
+ goto enccommon;
|
556
|
+ case CRYPTO_AES_GCM_16:
|
557
|
+ txf = &enc_xform_aes_gcm;
|
558
|
+ goto enccommon;
|
559
|
+ case CRYPTO_AES_GMAC:
|
560
|
+ txf = &enc_xform_aes_gmac;
|
561
|
+ (*swd)->sw_exf = txf;
|
562
|
+ break;
|
563
|
case CRYPTO_CAMELLIA_CBC:
|
564
|
txf = &enc_xform_camellia;
|
565
|
goto enccommon;
|
566
|
@@ -850,6 +1020,30 @@ swcr_newsession(device_t dev, u_int32_t *sid, struct cryptoini *cri)
|
567
|
(*swd)->sw_axf = axf;
|
568
|
break;
|
569
|
#endif
|
570
|
+
|
571
|
+ case CRYPTO_AES_128_GMAC:
|
572
|
+ axf = &auth_hash_gmac_aes_128;
|
573
|
+ goto auth4common;
|
574
|
+
|
575
|
+ case CRYPTO_AES_192_GMAC:
|
576
|
+ axf = &auth_hash_gmac_aes_192;
|
577
|
+ goto auth4common;
|
578
|
+
|
579
|
+ case CRYPTO_AES_256_GMAC:
|
580
|
+ axf = &auth_hash_gmac_aes_256;
|
581
|
+ auth4common:
|
582
|
+ (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
|
583
|
+ M_NOWAIT);
|
584
|
+ if ((*swd)->sw_ictx == NULL) {
|
585
|
+ swcr_freesession(dev, i);
|
586
|
+ return ENOBUFS;
|
587
|
+ }
|
588
|
+ axf->Init((*swd)->sw_ictx);
|
589
|
+ axf->Setkey((*swd)->sw_ictx, cri->cri_key,
|
590
|
+ cri->cri_klen / 8);
|
591
|
+ (*swd)->sw_axf = axf;
|
592
|
+ break;
|
593
|
+
|
594
|
case CRYPTO_DEFLATE_COMP:
|
595
|
cxf = &comp_algo_deflate;
|
596
|
(*swd)->sw_cxf = cxf;
|
597
|
@@ -897,6 +1092,9 @@ swcr_freesession(device_t dev, u_int64_t tid)
|
598
|
case CRYPTO_SKIPJACK_CBC:
|
599
|
case CRYPTO_RIJNDAEL128_CBC:
|
600
|
case CRYPTO_AES_XTS:
|
601
|
+ case CRYPTO_AES_CTR:
|
602
|
+ case CRYPTO_AES_GCM_16:
|
603
|
+ case CRYPTO_AES_GMAC:
|
604
|
case CRYPTO_CAMELLIA_CBC:
|
605
|
case CRYPTO_NULL_CBC:
|
606
|
txf = swd->sw_exf;
|
607
|
@@ -1011,6 +1209,7 @@ swcr_process(device_t dev, struct cryptop *crp, int hint)
|
608
|
case CRYPTO_SKIPJACK_CBC:
|
609
|
case CRYPTO_RIJNDAEL128_CBC:
|
610
|
case CRYPTO_AES_XTS:
|
611
|
+ case CRYPTO_AES_CTR:
|
612
|
case CRYPTO_CAMELLIA_CBC:
|
613
|
if ((crp->crp_etype = swcr_encdec(crd, sw,
|
614
|
crp->crp_buf, crp->crp_flags)) != 0)
|
615
|
@@ -1035,6 +1234,14 @@ swcr_process(device_t dev, struct cryptop *crp, int hint)
|
616
|
goto done;
|
617
|
break;
|
618
|
|
619
|
+ case CRYPTO_AES_GCM_16:
|
620
|
+ case CRYPTO_AES_GMAC:
|
621
|
+ case CRYPTO_AES_128_GMAC:
|
622
|
+ case CRYPTO_AES_192_GMAC:
|
623
|
+ case CRYPTO_AES_256_GMAC:
|
624
|
+ crp->crp_etype = swcr_authenc(crp);
|
625
|
+ goto done;
|
626
|
+
|
627
|
case CRYPTO_DEFLATE_COMP:
|
628
|
if ((crp->crp_etype = swcr_compdec(crd, sw,
|
629
|
crp->crp_buf, crp->crp_flags)) != 0)
|
630
|
@@ -1104,6 +1311,12 @@ swcr_attach(device_t dev)
|
631
|
REGISTER(CRYPTO_SHA1);
|
632
|
REGISTER(CRYPTO_RIJNDAEL128_CBC);
|
633
|
REGISTER(CRYPTO_AES_XTS);
|
634
|
+ REGISTER(CRYPTO_AES_CTR);
|
635
|
+ REGISTER(CRYPTO_AES_GCM_16);
|
636
|
+ REGISTER(CRYPTO_AES_GMAC);
|
637
|
+ REGISTER(CRYPTO_AES_128_GMAC);
|
638
|
+ REGISTER(CRYPTO_AES_192_GMAC);
|
639
|
+ REGISTER(CRYPTO_AES_256_GMAC);
|
640
|
REGISTER(CRYPTO_CAMELLIA_CBC);
|
641
|
REGISTER(CRYPTO_DEFLATE_COMP);
|
642
|
#undef REGISTER
|
643
|
diff --git a/sys/opencrypto/gmac.c b/sys/opencrypto/gmac.c
|
644
|
new file mode 100644
|
645
|
index 0000000..72ac227
|
646
|
--- /dev/null
|
647
|
+++ b/sys/opencrypto/gmac.c
|
648
|
@@ -0,0 +1,163 @@
|
649
|
+/* $OpenBSD: gmac.c,v 1.3 2011/01/11 15:44:23 deraadt Exp $ */
|
650
|
+
|
651
|
+/*
|
652
|
+ * Copyright (c) 2010 Mike Belopuhov <mike@vantronix.net>
|
653
|
+ *
|
654
|
+ * Permission to use, copy, modify, and distribute this software for any
|
655
|
+ * purpose with or without fee is hereby granted, provided that the above
|
656
|
+ * copyright notice and this permission notice appear in all copies.
|
657
|
+ *
|
658
|
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
659
|
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
660
|
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
661
|
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
662
|
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
663
|
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
664
|
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
665
|
+ */
|
666
|
+
|
667
|
+/*
|
668
|
+ * This code implements the Message Authentication part of the
|
669
|
+ * Galois/Counter Mode (as being described in the RFC 4543) using
|
670
|
+ * the AES cipher. FIPS SP 800-38D describes the algorithm details.
|
671
|
+ */
|
672
|
+
|
673
|
+#ifdef _KERNEL
|
674
|
+#include <sys/param.h>
|
675
|
+#include <sys/systm.h>
|
676
|
+#include <sys/endian.h>
|
677
|
+#else
|
678
|
+#include <sys/types.h>
|
679
|
+#include <sys/endian.h>
|
680
|
+#include <stdint.h>
|
681
|
+#include <string.h>
|
682
|
+#endif
|
683
|
+
|
684
|
+#include <crypto/rijndael/rijndael.h>
|
685
|
+#include <opencrypto/gmac.h>
|
686
|
+
|
687
|
+void ghash_gfmul(uint32_t *, uint32_t *, uint32_t *);
|
688
|
+void ghash_update(GHASH_CTX *, uint8_t *, size_t);
|
689
|
+
|
690
|
+/* Computes a block multiplication in the GF(2^128) */
|
691
|
+void
|
692
|
+ghash_gfmul(uint32_t *X, uint32_t *Y, uint32_t *product)
|
693
|
+{
|
694
|
+ uint32_t v[4];
|
695
|
+ uint32_t z[4] = { 0, 0, 0, 0};
|
696
|
+ uint8_t *x = (uint8_t *)X;
|
697
|
+ uint32_t mul;
|
698
|
+ int i;
|
699
|
+
|
700
|
+ v[0] = be32toh(Y[0]);
|
701
|
+ v[1] = be32toh(Y[1]);
|
702
|
+ v[2] = be32toh(Y[2]);
|
703
|
+ v[3] = be32toh(Y[3]);
|
704
|
+
|
705
|
+ for (i = 0; i < GMAC_BLOCK_LEN * 8; i++) {
|
706
|
+ /* update Z */
|
707
|
+ if (x[i >> 3] & (1 << (~i & 7))) {
|
708
|
+ z[0] ^= v[0];
|
709
|
+ z[1] ^= v[1];
|
710
|
+ z[2] ^= v[2];
|
711
|
+ z[3] ^= v[3];
|
712
|
+ } /* else: we preserve old values */
|
713
|
+
|
714
|
+ /* update V */
|
715
|
+ mul = v[3] & 1;
|
716
|
+ v[3] = (v[2] << 31) | (v[3] >> 1);
|
717
|
+ v[2] = (v[1] << 31) | (v[2] >> 1);
|
718
|
+ v[1] = (v[0] << 31) | (v[1] >> 1);
|
719
|
+ v[0] = (v[0] >> 1) ^ (0xe1000000 * mul);
|
720
|
+ }
|
721
|
+
|
722
|
+ product[0] = htobe32(z[0]);
|
723
|
+ product[1] = htobe32(z[1]);
|
724
|
+ product[2] = htobe32(z[2]);
|
725
|
+ product[3] = htobe32(z[3]);
|
726
|
+}
|
727
|
+
|
728
|
+void
|
729
|
+ghash_update(GHASH_CTX *ctx, uint8_t *X, size_t len)
|
730
|
+{
|
731
|
+ uint32_t *x = (uint32_t *)X;
|
732
|
+ uint32_t *s = (uint32_t *)ctx->S;
|
733
|
+ uint32_t *y = (uint32_t *)ctx->Z;
|
734
|
+ int i;
|
735
|
+
|
736
|
+ for (i = 0; i < len / GMAC_BLOCK_LEN; i++) {
|
737
|
+ s[0] = y[0] ^ x[0];
|
738
|
+ s[1] = y[1] ^ x[1];
|
739
|
+ s[2] = y[2] ^ x[2];
|
740
|
+ s[3] = y[3] ^ x[3];
|
741
|
+
|
742
|
+ ghash_gfmul((uint32_t *)ctx->S, (uint32_t *)ctx->H,
|
743
|
+ (uint32_t *)ctx->S);
|
744
|
+
|
745
|
+ y = s;
|
746
|
+ x += 4;
|
747
|
+ }
|
748
|
+
|
749
|
+ bcopy(ctx->S, ctx->Z, GMAC_BLOCK_LEN);
|
750
|
+}
|
751
|
+
|
752
|
+#define AESCTR_NONCESIZE 4
|
753
|
+
|
754
|
+void
|
755
|
+AES_GMAC_Init(AES_GMAC_CTX *ctx)
|
756
|
+{
|
757
|
+ bzero(ctx->ghash.H, GMAC_BLOCK_LEN);
|
758
|
+ bzero(ctx->ghash.S, GMAC_BLOCK_LEN);
|
759
|
+ bzero(ctx->ghash.Z, GMAC_BLOCK_LEN);
|
760
|
+ bzero(ctx->J, GMAC_BLOCK_LEN);
|
761
|
+}
|
762
|
+
|
763
|
+void
|
764
|
+AES_GMAC_Setkey(AES_GMAC_CTX *ctx, const uint8_t *key, uint16_t klen)
|
765
|
+{
|
766
|
+ ctx->rounds = rijndaelKeySetupEnc(ctx->K, (u_char *)key,
|
767
|
+ (klen - AESCTR_NONCESIZE) * 8);
|
768
|
+ /* copy out salt to the counter block */
|
769
|
+ bcopy(key + klen - AESCTR_NONCESIZE, ctx->J, AESCTR_NONCESIZE);
|
770
|
+ /* prepare a hash subkey */
|
771
|
+ rijndaelEncrypt(ctx->K, ctx->rounds, ctx->ghash.H, ctx->ghash.H);
|
772
|
+}
|
773
|
+
|
774
|
+void
|
775
|
+AES_GMAC_Reinit(AES_GMAC_CTX *ctx, const uint8_t *iv, uint16_t ivlen)
|
776
|
+{
|
777
|
+ /* copy out IV to the counter block */
|
778
|
+ bcopy(iv, ctx->J + AESCTR_NONCESIZE, ivlen);
|
779
|
+}
|
780
|
+
|
781
|
+int
|
782
|
+AES_GMAC_Update(AES_GMAC_CTX *ctx, const uint8_t *data, uint16_t len)
|
783
|
+{
|
784
|
+ uint8_t blk[16] = {};
|
785
|
+ int plen;
|
786
|
+
|
787
|
+ if (len > 0) {
|
788
|
+ plen = len % GMAC_BLOCK_LEN;
|
789
|
+ if (len >= GMAC_BLOCK_LEN)
|
790
|
+ ghash_update(&ctx->ghash, (uint8_t *)data, len - plen);
|
791
|
+ if (plen) {
|
792
|
+ bcopy((uint8_t *)data + (len - plen), blk, plen);
|
793
|
+ ghash_update(&ctx->ghash, blk, GMAC_BLOCK_LEN);
|
794
|
+ }
|
795
|
+ }
|
796
|
+ return (0);
|
797
|
+}
|
798
|
+
|
799
|
+void
|
800
|
+AES_GMAC_Final(uint8_t digest[GMAC_DIGEST_LEN], AES_GMAC_CTX *ctx)
|
801
|
+{
|
802
|
+ uint8_t keystream[GMAC_BLOCK_LEN];
|
803
|
+ int i;
|
804
|
+
|
805
|
+ /* do one round of GCTR */
|
806
|
+ ctx->J[GMAC_BLOCK_LEN - 1] = 1;
|
807
|
+ rijndaelEncrypt(ctx->K, ctx->rounds, ctx->J, keystream);
|
808
|
+ for (i = 0; i < GMAC_DIGEST_LEN; i++)
|
809
|
+ digest[i] = ctx->ghash.S[i] ^ keystream[i];
|
810
|
+ bzero(keystream, sizeof(keystream));
|
811
|
+}
|
812
|
diff --git a/sys/opencrypto/gmac.h b/sys/opencrypto/gmac.h
|
813
|
new file mode 100644
|
814
|
index 0000000..94137da
|
815
|
--- /dev/null
|
816
|
+++ b/sys/opencrypto/gmac.h
|
817
|
@@ -0,0 +1,48 @@
|
818
|
+/* $OpenBSD: gmac.h,v 1.2 2012/12/05 23:20:15 deraadt Exp $ */
|
819
|
+
|
820
|
+/*
|
821
|
+ * Copyright (c) 2010 Mike Belopuhov <mike@vantronix.net>
|
822
|
+ *
|
823
|
+ * Permission to use, copy, modify, and distribute this software for any
|
824
|
+ * purpose with or without fee is hereby granted, provided that the above
|
825
|
+ * copyright notice and this permission notice appear in all copies.
|
826
|
+ *
|
827
|
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
828
|
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
829
|
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
830
|
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
831
|
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
832
|
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
833
|
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
834
|
+ */
|
835
|
+
|
836
|
+#ifndef _GMAC_H_
|
837
|
+#define _GMAC_H_
|
838
|
+
|
839
|
+#include <crypto/rijndael/rijndael.h>
|
840
|
+
|
841
|
+#define GMAC_BLOCK_LEN 16
|
842
|
+#define GMAC_DIGEST_LEN 16
|
843
|
+
|
844
|
+typedef struct _GHASH_CTX {
|
845
|
+ uint8_t H[GMAC_BLOCK_LEN]; /* hash subkey */
|
846
|
+ uint8_t S[GMAC_BLOCK_LEN]; /* state */
|
847
|
+ uint8_t Z[GMAC_BLOCK_LEN]; /* initial state */
|
848
|
+} GHASH_CTX;
|
849
|
+
|
850
|
+typedef struct _AES_GMAC_CTX {
|
851
|
+ GHASH_CTX ghash;
|
852
|
+ uint32_t K[4*(RIJNDAEL_MAXNR + 1)];
|
853
|
+ uint8_t J[GMAC_BLOCK_LEN]; /* counter block */
|
854
|
+ int rounds;
|
855
|
+} AES_GMAC_CTX;
|
856
|
+
|
857
|
+__BEGIN_DECLS
|
858
|
+void AES_GMAC_Init(AES_GMAC_CTX *);
|
859
|
+void AES_GMAC_Setkey(AES_GMAC_CTX *, const uint8_t *, uint16_t);
|
860
|
+void AES_GMAC_Reinit(AES_GMAC_CTX *, const uint8_t *, uint16_t);
|
861
|
+int AES_GMAC_Update(AES_GMAC_CTX *, const uint8_t *, uint16_t);
|
862
|
+void AES_GMAC_Final(uint8_t [GMAC_DIGEST_LEN], AES_GMAC_CTX *);
|
863
|
+__END_DECLS
|
864
|
+
|
865
|
+#endif /* _GMAC_H_ */
|
866
|
diff --git a/sys/opencrypto/xform.c b/sys/opencrypto/xform.c
|
867
|
index bfb061b..590116c 100644
|
868
|
--- a/sys/opencrypto/xform.c
|
869
|
+++ b/sys/opencrypto/xform.c
|
870
|
@@ -63,6 +63,7 @@ __FBSDID("$FreeBSD$");
|
871
|
#include <opencrypto/deflate.h>
|
872
|
#include <opencrypto/rmd160.h>
|
873
|
#include <opencrypto/skipjack.h>
|
874
|
+#include <opencrypto/gmac.h>
|
875
|
|
876
|
#include <sys/md5.h>
|
877
|
|
878
|
@@ -76,6 +77,7 @@ static int blf_setkey(u_int8_t **, u_int8_t *, int);
|
879
|
static int cast5_setkey(u_int8_t **, u_int8_t *, int);
|
880
|
static int skipjack_setkey(u_int8_t **, u_int8_t *, int);
|
881
|
static int rijndael128_setkey(u_int8_t **, u_int8_t *, int);
|
882
|
+static int aes_ctr_setkey(u_int8_t **, u_int8_t *, int);
|
883
|
static int aes_xts_setkey(u_int8_t **, u_int8_t *, int);
|
884
|
static int cml_setkey(u_int8_t **, u_int8_t *, int);
|
885
|
|
886
|
@@ -99,6 +101,8 @@ static void rijndael128_decrypt(caddr_t, u_int8_t *);
|
887
|
static void aes_xts_decrypt(caddr_t, u_int8_t *);
|
888
|
static void cml_decrypt(caddr_t, u_int8_t *);
|
889
|
|
890
|
+static void aes_ctr_crypt(caddr_t, u_int8_t *);
|
891
|
+
|
892
|
static void null_zerokey(u_int8_t **);
|
893
|
static void des1_zerokey(u_int8_t **);
|
894
|
static void des3_zerokey(u_int8_t **);
|
895
|
@@ -106,26 +110,46 @@ static void blf_zerokey(u_int8_t **);
|
896
|
static void cast5_zerokey(u_int8_t **);
|
897
|
static void skipjack_zerokey(u_int8_t **);
|
898
|
static void rijndael128_zerokey(u_int8_t **);
|
899
|
+static void aes_ctr_zerokey(u_int8_t **);
|
900
|
static void aes_xts_zerokey(u_int8_t **);
|
901
|
static void cml_zerokey(u_int8_t **);
|
902
|
|
903
|
+static void aes_ctr_reinit(caddr_t, u_int8_t *);
|
904
|
static void aes_xts_reinit(caddr_t, u_int8_t *);
|
905
|
+static void aes_gcm_reinit(caddr_t, u_int8_t *);
|
906
|
|
907
|
static void null_init(void *);
|
908
|
-static int null_update(void *, u_int8_t *, u_int16_t);
|
909
|
+static void null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len);
|
910
|
+static int null_update(void *, const u_int8_t *, u_int16_t);
|
911
|
static void null_final(u_int8_t *, void *);
|
912
|
-static int MD5Update_int(void *, u_int8_t *, u_int16_t);
|
913
|
+static int MD5Update_int(void *, const u_int8_t *, u_int16_t);
|
914
|
static void SHA1Init_int(void *);
|
915
|
-static int SHA1Update_int(void *, u_int8_t *, u_int16_t);
|
916
|
+static int SHA1Update_int(void *, const u_int8_t *, u_int16_t);
|
917
|
static void SHA1Final_int(u_int8_t *, void *);
|
918
|
-static int RMD160Update_int(void *, u_int8_t *, u_int16_t);
|
919
|
-static int SHA256Update_int(void *, u_int8_t *, u_int16_t);
|
920
|
-static int SHA384Update_int(void *, u_int8_t *, u_int16_t);
|
921
|
-static int SHA512Update_int(void *, u_int8_t *, u_int16_t);
|
922
|
+static int RMD160Update_int(void *, const u_int8_t *, u_int16_t);
|
923
|
+static int SHA256Update_int(void *, const u_int8_t *, u_int16_t);
|
924
|
+static int SHA384Update_int(void *, const u_int8_t *, u_int16_t);
|
925
|
+static int SHA512Update_int(void *, const u_int8_t *, u_int16_t);
|
926
|
|
927
|
static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **);
|
928
|
static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **);
|
929
|
|
930
|
+#define AESCTR_NONCESIZE 4
|
931
|
+#define AESCTR_IVSIZE 8
|
932
|
+#define AESCTR_BLOCKSIZE 16
|
933
|
+
|
934
|
+struct aes_ctr_ctx {
|
935
|
+ u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)];
|
936
|
+ /*
|
937
|
+ * ac_block is initalized to: [ NONCE : IV : CNTR ]
|
938
|
+ * Where NONCE is the last four bytes of the key.
|
939
|
+ * IV is provided by user.
|
940
|
+ * CNTR is initalized to 0 for CTR and 1 for GCM.
|
941
|
+ */
|
942
|
+ u_int8_t ac_block[AESCTR_BLOCKSIZE];
|
943
|
+ int ac_nr;
|
944
|
+};
|
945
|
+
|
946
|
MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers");
|
947
|
|
948
|
/* Encryption instances */
|
949
|
@@ -137,7 +161,7 @@ struct enc_xform enc_xform_null = {
|
950
|
null_decrypt,
|
951
|
null_setkey,
|
952
|
null_zerokey,
|
953
|
- NULL
|
954
|
+ NULL,
|
955
|
};
|
956
|
|
957
|
struct enc_xform enc_xform_des = {
|
958
|
@@ -147,7 +171,7 @@ struct enc_xform enc_xform_des = {
|
959
|
des1_decrypt,
|
960
|
des1_setkey,
|
961
|
des1_zerokey,
|
962
|
- NULL
|
963
|
+ NULL,
|
964
|
};
|
965
|
|
966
|
struct enc_xform enc_xform_3des = {
|
967
|
@@ -157,7 +181,7 @@ struct enc_xform enc_xform_3des = {
|
968
|
des3_decrypt,
|
969
|
des3_setkey,
|
970
|
des3_zerokey,
|
971
|
- NULL
|
972
|
+ NULL,
|
973
|
};
|
974
|
|
975
|
struct enc_xform enc_xform_blf = {
|
976
|
@@ -167,7 +191,7 @@ struct enc_xform enc_xform_blf = {
|
977
|
blf_decrypt,
|
978
|
blf_setkey,
|
979
|
blf_zerokey,
|
980
|
- NULL
|
981
|
+ NULL,
|
982
|
};
|
983
|
|
984
|
struct enc_xform enc_xform_cast5 = {
|
985
|
@@ -177,17 +201,16 @@ struct enc_xform enc_xform_cast5 = {
|
986
|
cast5_decrypt,
|
987
|
cast5_setkey,
|
988
|
cast5_zerokey,
|
989
|
- NULL
|
990
|
+ NULL,
|
991
|
};
|
992
|
|
993
|
struct enc_xform enc_xform_skipjack = {
|
994
|
CRYPTO_SKIPJACK_CBC, "Skipjack",
|
995
|
SKIPJACK_BLOCK_LEN, 10, 10,
|
996
|
skipjack_encrypt,
|
997
|
- skipjack_decrypt,
|
998
|
- skipjack_setkey,
|
999
|
+ skipjack_decrypt, skipjack_setkey,
|
1000
|
skipjack_zerokey,
|
1001
|
- NULL
|
1002
|
+ NULL,
|
1003
|
};
|
1004
|
|
1005
|
struct enc_xform enc_xform_rijndael128 = {
|
1006
|
@@ -197,7 +220,37 @@ struct enc_xform enc_xform_rijndael128 = {
|
1007
|
rijndael128_decrypt,
|
1008
|
rijndael128_setkey,
|
1009
|
rijndael128_zerokey,
|
1010
|
- NULL
|
1011
|
+ NULL,
|
1012
|
+};
|
1013
|
+
|
1014
|
+struct enc_xform enc_xform_aes_ctr = {
|
1015
|
+ CRYPTO_AES_CTR, "AES-CTR",
|
1016
|
+ RIJNDAEL128_BLOCK_LEN, 8+4, 32+4,
|
1017
|
+ aes_ctr_crypt,
|
1018
|
+ aes_ctr_crypt,
|
1019
|
+ aes_ctr_setkey,
|
1020
|
+ rijndael128_zerokey,
|
1021
|
+ aes_ctr_reinit,
|
1022
|
+};
|
1023
|
+
|
1024
|
+struct enc_xform enc_xform_aes_gcm = {
|
1025
|
+ CRYPTO_AES_GCM_16, "AES-GCM",
|
1026
|
+ 1, 16+4, 32+4,
|
1027
|
+ aes_ctr_crypt,
|
1028
|
+ aes_ctr_crypt,
|
1029
|
+ aes_ctr_setkey,
|
1030
|
+ aes_ctr_zerokey,
|
1031
|
+ aes_gcm_reinit,
|
1032
|
+};
|
1033
|
+
|
1034
|
+struct enc_xform enc_xform_aes_gmac = {
|
1035
|
+ CRYPTO_AES_GMAC, "AES-GMAC",
|
1036
|
+ 1, 16+4, 32+4,
|
1037
|
+ NULL,
|
1038
|
+ NULL,
|
1039
|
+ NULL,
|
1040
|
+ NULL,
|
1041
|
+ NULL,
|
1042
|
};
|
1043
|
|
1044
|
struct enc_xform enc_xform_aes_xts = {
|
1045
|
@@ -217,7 +270,7 @@ struct enc_xform enc_xform_arc4 = {
|
1046
|
NULL,
|
1047
|
NULL,
|
1048
|
NULL,
|
1049
|
- NULL
|
1050
|
+ NULL,
|
1051
|
};
|
1052
|
|
1053
|
struct enc_xform enc_xform_camellia = {
|
1054
|
@@ -227,70 +280,100 @@ struct enc_xform enc_xform_camellia = {
|
1055
|
cml_decrypt,
|
1056
|
cml_setkey,
|
1057
|
cml_zerokey,
|
1058
|
- NULL
|
1059
|
+ NULL,
|
1060
|
};
|
1061
|
|
1062
|
/* Authentication instances */
|
1063
|
-struct auth_hash auth_hash_null = {
|
1064
|
+struct auth_hash auth_hash_null = { /* NB: context isn't used */
|
1065
|
CRYPTO_NULL_HMAC, "NULL-HMAC",
|
1066
|
- 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */
|
1067
|
- null_init, null_update, null_final
|
1068
|
+ 0, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
|
1069
|
+ null_init, null_reinit, null_reinit, null_update, null_final
|
1070
|
};
|
1071
|
|
1072
|
struct auth_hash auth_hash_hmac_md5 = {
|
1073
|
CRYPTO_MD5_HMAC, "HMAC-MD5",
|
1074
|
- 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX),
|
1075
|
- (void (*) (void *)) MD5Init, MD5Update_int,
|
1076
|
+ 16, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
|
1077
|
+ (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int,
|
1078
|
(void (*) (u_int8_t *, void *)) MD5Final
|
1079
|
};
|
1080
|
|
1081
|
struct auth_hash auth_hash_hmac_sha1 = {
|
1082
|
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
|
1083
|
- 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX),
|
1084
|
- SHA1Init_int, SHA1Update_int, SHA1Final_int
|
1085
|
+ 20, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
|
1086
|
+ SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
|
1087
|
};
|
1088
|
|
1089
|
struct auth_hash auth_hash_hmac_ripemd_160 = {
|
1090
|
CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
|
1091
|
- 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX),
|
1092
|
- (void (*)(void *)) RMD160Init, RMD160Update_int,
|
1093
|
+ 20, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX), RIPEMD160_HMAC_BLOCK_LEN,
|
1094
|
+ (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int,
|
1095
|
(void (*)(u_int8_t *, void *)) RMD160Final
|
1096
|
};
|
1097
|
|
1098
|
struct auth_hash auth_hash_key_md5 = {
|
1099
|
CRYPTO_MD5_KPDK, "Keyed MD5",
|
1100
|
- 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX),
|
1101
|
- (void (*)(void *)) MD5Init, MD5Update_int,
|
1102
|
+ 0, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
|
1103
|
+ (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int,
|
1104
|
(void (*)(u_int8_t *, void *)) MD5Final
|
1105
|
};
|
1106
|
|
1107
|
struct auth_hash auth_hash_key_sha1 = {
|
1108
|
CRYPTO_SHA1_KPDK, "Keyed SHA1",
|
1109
|
- 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX),
|
1110
|
- SHA1Init_int, SHA1Update_int, SHA1Final_int
|
1111
|
+ 0, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
|
1112
|
+ SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
|
1113
|
};
|
1114
|
|
1115
|
struct auth_hash auth_hash_hmac_sha2_256 = {
|
1116
|
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
|
1117
|
- 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX),
|
1118
|
- (void (*)(void *)) SHA256_Init, SHA256Update_int,
|
1119
|
+ 32, SHA2_256_HASH_LEN, sizeof(SHA256_CTX), SHA2_256_HMAC_BLOCK_LEN,
|
1120
|
+ (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int,
|
1121
|
(void (*)(u_int8_t *, void *)) SHA256_Final
|
1122
|
};
|
1123
|
|
1124
|
struct auth_hash auth_hash_hmac_sha2_384 = {
|
1125
|
CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
|
1126
|
- 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX),
|
1127
|
- (void (*)(void *)) SHA384_Init, SHA384Update_int,
|
1128
|
+ 48, SHA2_384_HASH_LEN, sizeof(SHA384_CTX), SHA2_384_HMAC_BLOCK_LEN,
|
1129
|
+ (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int,
|
1130
|
(void (*)(u_int8_t *, void *)) SHA384_Final
|
1131
|
};
|
1132
|
|
1133
|
struct auth_hash auth_hash_hmac_sha2_512 = {
|
1134
|
CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
|
1135
|
- 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX),
|
1136
|
- (void (*)(void *)) SHA512_Init, SHA512Update_int,
|
1137
|
+ 64, SHA2_512_HASH_LEN, sizeof(SHA512_CTX), SHA2_512_HMAC_BLOCK_LEN,
|
1138
|
+ (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int,
|
1139
|
(void (*)(u_int8_t *, void *)) SHA512_Final
|
1140
|
};
|
1141
|
|
1142
|
+struct auth_hash auth_hash_gmac_aes_128 = {
|
1143
|
+ CRYPTO_AES_128_GMAC, "GMAC-AES-128",
|
1144
|
+ 16+4, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN,
|
1145
|
+ (void (*)(void *)) AES_GMAC_Init,
|
1146
|
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
|
1147
|
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
|
1148
|
+ (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update,
|
1149
|
+ (void (*)(u_int8_t *, void *)) AES_GMAC_Final
|
1150
|
+};
|
1151
|
+
|
1152
|
+struct auth_hash auth_hash_gmac_aes_192 = {
|
1153
|
+ CRYPTO_AES_192_GMAC, "GMAC-AES-192",
|
1154
|
+ 24+4, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN,
|
1155
|
+ (void (*)(void *)) AES_GMAC_Init,
|
1156
|
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
|
1157
|
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
|
1158
|
+ (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update,
|
1159
|
+ (void (*)(u_int8_t *, void *)) AES_GMAC_Final
|
1160
|
+};
|
1161
|
+
|
1162
|
+struct auth_hash auth_hash_gmac_aes_256 = {
|
1163
|
+ CRYPTO_AES_256_GMAC, "GMAC-AES-256",
|
1164
|
+ 32+4, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN,
|
1165
|
+ (void (*)(void *)) AES_GMAC_Init,
|
1166
|
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
|
1167
|
+ (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
|
1168
|
+ (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update,
|
1169
|
+ (void (*)(u_int8_t *, void *)) AES_GMAC_Final
|
1170
|
+};
|
1171
|
+
|
1172
|
/* Compression instance */
|
1173
|
struct comp_algo comp_algo_deflate = {
|
1174
|
CRYPTO_DEFLATE_COMP, "Deflate",
|
1175
|
@@ -579,6 +662,79 @@ rijndael128_zerokey(u_int8_t **sched)
|
1176
|
*sched = NULL;
|
1177
|
}
|
1178
|
|
1179
|
+void
|
1180
|
+aes_ctr_reinit(caddr_t key, u_int8_t *iv)
|
1181
|
+{
|
1182
|
+ struct aes_ctr_ctx *ctx;
|
1183
|
+
|
1184
|
+ ctx = (struct aes_ctr_ctx *)key;
|
1185
|
+ bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE);
|
1186
|
+
|
1187
|
+ /* reset counter */
|
1188
|
+ bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4);
|
1189
|
+}
|
1190
|
+
|
1191
|
+void
|
1192
|
+aes_gcm_reinit(caddr_t key, u_int8_t *iv)
|
1193
|
+{
|
1194
|
+ struct aes_ctr_ctx *ctx;
|
1195
|
+
|
1196
|
+ aes_ctr_reinit(key, iv);
|
1197
|
+
|
1198
|
+ ctx = (struct aes_ctr_ctx *)key;
|
1199
|
+ ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */
|
1200
|
+}
|
1201
|
+
|
1202
|
+void
|
1203
|
+aes_ctr_crypt(caddr_t key, u_int8_t *data)
|
1204
|
+{
|
1205
|
+ struct aes_ctr_ctx *ctx;
|
1206
|
+ u_int8_t keystream[AESCTR_BLOCKSIZE];
|
1207
|
+ int i;
|
1208
|
+
|
1209
|
+ ctx = (struct aes_ctr_ctx *)key;
|
1210
|
+ /* increment counter */
|
1211
|
+ for (i = AESCTR_BLOCKSIZE - 1;
|
1212
|
+ i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--)
|
1213
|
+ if (++ctx->ac_block[i]) /* continue on overflow */
|
1214
|
+ break;
|
1215
|
+ rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
|
1216
|
+ for (i = 0; i < AESCTR_BLOCKSIZE; i++)
|
1217
|
+ data[i] ^= keystream[i];
|
1218
|
+ bzero(keystream, sizeof(keystream));
|
1219
|
+}
|
1220
|
+
|
1221
|
+int
|
1222
|
+aes_ctr_setkey(u_int8_t **sched, u_int8_t *key, int len)
|
1223
|
+{
|
1224
|
+ struct aes_ctr_ctx *ctx;
|
1225
|
+
|
1226
|
+ if (len < AESCTR_NONCESIZE)
|
1227
|
+ return EINVAL;
|
1228
|
+
|
1229
|
+ *sched = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA,
|
1230
|
+ M_NOWAIT | M_ZERO);
|
1231
|
+ if (*sched == NULL)
|
1232
|
+ return ENOMEM;
|
1233
|
+
|
1234
|
+ ctx = (struct aes_ctr_ctx *)*sched;
|
1235
|
+ ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key,
|
1236
|
+ (len - AESCTR_NONCESIZE) * 8);
|
1237
|
+ if (ctx->ac_nr == 0)
|
1238
|
+ return EINVAL;
|
1239
|
+ bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE);
|
1240
|
+ return 0;
|
1241
|
+}
|
1242
|
+
|
1243
|
+void
|
1244
|
+aes_ctr_zerokey(u_int8_t **sched)
|
1245
|
+{
|
1246
|
+
|
1247
|
+ bzero(*sched, sizeof(struct aes_ctr_ctx));
|
1248
|
+ free(*sched, M_CRYPTO_DATA);
|
1249
|
+ *sched = NULL;
|
1250
|
+}
|
1251
|
+
|
1252
|
#define AES_XTS_BLOCKSIZE 16
|
1253
|
#define AES_XTS_IVSIZE 8
|
1254
|
#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */
|
1255
|
@@ -728,8 +884,13 @@ null_init(void *ctx)
|
1256
|
{
|
1257
|
}
|
1258
|
|
1259
|
+static void
|
1260
|
+null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len)
|
1261
|
+{
|
1262
|
+}
|
1263
|
+
|
1264
|
static int
|
1265
|
-null_update(void *ctx, u_int8_t *buf, u_int16_t len)
|
1266
|
+null_update(void *ctx, const u_int8_t *buf, u_int16_t len)
|
1267
|
{
|
1268
|
return 0;
|
1269
|
}
|
1270
|
@@ -742,14 +903,14 @@ null_final(u_int8_t *buf, void *ctx)
|
1271
|
}
|
1272
|
|
1273
|
static int
|
1274
|
-RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
1275
|
+RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
1276
|
{
|
1277
|
RMD160Update(ctx, buf, len);
|
1278
|
return 0;
|
1279
|
}
|
1280
|
|
1281
|
static int
|
1282
|
-MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
1283
|
+MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
1284
|
{
|
1285
|
MD5Update(ctx, buf, len);
|
1286
|
return 0;
|
1287
|
@@ -762,7 +923,7 @@ SHA1Init_int(void *ctx)
|
1288
|
}
|
1289
|
|
1290
|
static int
|
1291
|
-SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
1292
|
+SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
1293
|
{
|
1294
|
SHA1Update(ctx, buf, len);
|
1295
|
return 0;
|
1296
|
@@ -775,21 +936,21 @@ SHA1Final_int(u_int8_t *blk, void *ctx)
|
1297
|
}
|
1298
|
|
1299
|
static int
|
1300
|
-SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
1301
|
+SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
1302
|
{
|
1303
|
SHA256_Update(ctx, buf, len);
|
1304
|
return 0;
|
1305
|
}
|
1306
|
|
1307
|
static int
|
1308
|
-SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
1309
|
+SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
1310
|
{
|
1311
|
SHA384_Update(ctx, buf, len);
|
1312
|
return 0;
|
1313
|
}
|
1314
|
|
1315
|
static int
|
1316
|
-SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
|
1317
|
+SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
|
1318
|
{
|
1319
|
SHA512_Update(ctx, buf, len);
|
1320
|
return 0;
|
1321
|
diff --git a/sys/opencrypto/xform.h b/sys/opencrypto/xform.h
|
1322
|
index 8df7b07..c92723c 100644
|
1323
|
--- a/sys/opencrypto/xform.h
|
1324
|
+++ b/sys/opencrypto/xform.h
|
1325
|
@@ -29,6 +29,7 @@
|
1326
|
#include <crypto/sha1.h>
|
1327
|
#include <crypto/sha2/sha2.h>
|
1328
|
#include <opencrypto/rmd160.h>
|
1329
|
+#include <opencrypto/gmac.h>
|
1330
|
|
1331
|
/* Declarations */
|
1332
|
struct auth_hash {
|
1333
|
@@ -36,10 +37,12 @@ struct auth_hash {
|
1334
|
char *name;
|
1335
|
u_int16_t keysize;
|
1336
|
u_int16_t hashsize;
|
1337
|
- u_int16_t blocksize;
|
1338
|
u_int16_t ctxsize;
|
1339
|
+ u_int16_t blocksize;
|
1340
|
void (*Init) (void *);
|
1341
|
- int (*Update) (void *, u_int8_t *, u_int16_t);
|
1342
|
+ void (*Setkey) (void *, const u_int8_t *, u_int16_t);
|
1343
|
+ void (*Reinit) (void *, const u_int8_t *, u_int16_t);
|
1344
|
+ int (*Update) (void *, const u_int8_t *, u_int16_t);
|
1345
|
void (*Final) (u_int8_t *, void *);
|
1346
|
};
|
1347
|
|
1348
|
@@ -53,7 +56,7 @@ struct enc_xform {
|
1349
|
u_int16_t minkey, maxkey;
|
1350
|
void (*encrypt) (caddr_t, u_int8_t *);
|
1351
|
void (*decrypt) (caddr_t, u_int8_t *);
|
1352
|
- int (*setkey) (u_int8_t **, u_int8_t *, int len);
|
1353
|
+ int (*setkey) (u_int8_t **, u_int8_t *, int);
|
1354
|
void (*zerokey) (u_int8_t **);
|
1355
|
void (*reinit) (caddr_t, u_int8_t *);
|
1356
|
};
|
1357
|
@@ -73,6 +76,7 @@ union authctx {
|
1358
|
SHA256_CTX sha256ctx;
|
1359
|
SHA384_CTX sha384ctx;
|
1360
|
SHA512_CTX sha512ctx;
|
1361
|
+ AES_GMAC_CTX aes_gmac_ctx;
|
1362
|
};
|
1363
|
|
1364
|
extern struct enc_xform enc_xform_null;
|
1365
|
@@ -82,6 +86,9 @@ extern struct enc_xform enc_xform_blf;
|
1366
|
extern struct enc_xform enc_xform_cast5;
|
1367
|
extern struct enc_xform enc_xform_skipjack;
|
1368
|
extern struct enc_xform enc_xform_rijndael128;
|
1369
|
+extern struct enc_xform enc_xform_aes_ctr;
|
1370
|
+extern struct enc_xform enc_xform_aes_gcm;
|
1371
|
+extern struct enc_xform enc_xform_aes_gmac;
|
1372
|
extern struct enc_xform enc_xform_aes_xts;
|
1373
|
extern struct enc_xform enc_xform_arc4;
|
1374
|
extern struct enc_xform enc_xform_camellia;
|
1375
|
@@ -95,6 +102,9 @@ extern struct auth_hash auth_hash_hmac_ripemd_160;
|
1376
|
extern struct auth_hash auth_hash_hmac_sha2_256;
|
1377
|
extern struct auth_hash auth_hash_hmac_sha2_384;
|
1378
|
extern struct auth_hash auth_hash_hmac_sha2_512;
|
1379
|
+extern struct auth_hash auth_hash_gmac_aes_128;
|
1380
|
+extern struct auth_hash auth_hash_gmac_aes_192;
|
1381
|
+extern struct auth_hash auth_hash_gmac_aes_256;
|
1382
|
|
1383
|
extern struct comp_algo comp_algo_deflate;
|
1384
|
|
1385
|
diff --git a/usr.bin/netstat/ipsec.c b/usr.bin/netstat/ipsec.c
|
1386
|
index b4014ad..af1b234 100644
|
1387
|
--- a/usr.bin/netstat/ipsec.c
|
1388
|
+++ b/usr.bin/netstat/ipsec.c
|
1389
|
@@ -155,6 +155,9 @@ static struct val2str ipsec_espnames[] = {
|
1390
|
#ifdef SADB_X_EALG_AESCTR
|
1391
|
{ SADB_X_EALG_AESCTR, "aes-ctr", },
|
1392
|
#endif
|
1393
|
+#ifdef SADB_X_EALG_AESGCM16
|
1394
|
+ { SADB_X_EALG_AESGCM16, "aes-gcm-16", },
|
1395
|
+#endif
|
1396
|
{ -1, NULL },
|
1397
|
};
|
1398
|
|