1 /* $OpenBSD: cryptosoft.c,v 1.46 2006/12/29 13:04:37 pedro Exp $ */
2
3 /*
4 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
5 *
6 * This code was written by Angelos D. Keromytis in Athens, Greece, in
7 * February 2000. Network Security Technologies Inc. (NSTI) kindly
8 * supported the development of this code.
9 *
10 * Copyright (c) 2000, 2001 Angelos D. Keromytis
11 *
12 * Permission to use, copy, and modify this software with or without fee
13 * is hereby granted, provided that this entire notice is included in
14 * all source code copies of any software which is or includes a copy or
15 * modification of this software.
16 *
17 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
18 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
19 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
20 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
21 * PURPOSE.
22 */
23
24 #include <sys/param.h>
25 #include <sys/systm.h>
26 #include <sys/malloc.h>
27 #include <sys/mbuf.h>
28 #include <sys/sysctl.h>
29 #include <sys/errno.h>
30 #include <dev/rndvar.h>
31 #include <crypto/md5.h>
32 #include <crypto/sha1.h>
33 #include <crypto/rmd160.h>
34 #include <crypto/cast.h>
35 #include <crypto/skipjack.h>
36 #include <crypto/blf.h>
37 #include <crypto/cryptodev.h>
38 #include <crypto/cryptosoft.h>
39 #include <crypto/xform.h>
40
41 u_int8_t hmac_ipad_buffer[64] = {
42 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
43 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
44 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
45 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
46 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
47 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
48 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
49 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
50 };
51
52 u_int8_t hmac_opad_buffer[64] = {
53 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
54 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
55 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
56 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
57 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
58 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
59 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
60 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C
61 };
62
63
64 struct swcr_data **swcr_sessions = NULL;
65 u_int32_t swcr_sesnum = 0;
66 int32_t swcr_id = -1;
67
68 #define COPYBACK(x, a, b, c, d) \
69 (x) == CRYPTO_BUF_MBUF ? m_copyback((struct mbuf *)a,b,c,d) \
70 : cuio_copyback((struct uio *)a,b,c,d)
71 #define COPYDATA(x, a, b, c, d) \
72 (x) == CRYPTO_BUF_MBUF ? m_copydata((struct mbuf *)a,b,c,d) \
73 : cuio_copydata((struct uio *)a,b,c,d)
74
75 /*
76 * Apply a symmetric encryption/decryption algorithm.
77 */
78 int
79 swcr_encdec(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
80 int outtype)
81 {
82 unsigned char iv[EALG_MAX_BLOCK_LEN], blk[EALG_MAX_BLOCK_LEN], *idat;
83 unsigned char *ivp, piv[EALG_MAX_BLOCK_LEN];
84 struct enc_xform *exf;
85 int i, k, j, blks, ind, count, ivlen;
86 struct mbuf *m = NULL;
87 struct uio *uio = NULL;
88
89 exf = sw->sw_exf;
90 blks = exf->blocksize;
91 ivlen = exf->ivsize;
92
93 /* Check for non-padded data */
94 if (crd->crd_len % blks)
95 return EINVAL;
96
97 if (outtype == CRYPTO_BUF_MBUF)
98 m = (struct mbuf *) buf;
99 else
100 uio = (struct uio *) buf;
101
102 /* Initialize the IV */
103 if (crd->crd_flags & CRD_F_ENCRYPT) {
104 /* IV explicitly provided ? */
105 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
106 bcopy(crd->crd_iv, iv, ivlen);
107 else
108 arc4random_bytes(iv, ivlen);
109
110 /* Do we need to write the IV */
111 if (!(crd->crd_flags & CRD_F_IV_PRESENT)) {
112 COPYBACK(outtype, buf, crd->crd_inject, ivlen, iv);
113 }
114
115 } else { /* Decryption */
116 /* IV explicitly provided ? */
117 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
118 bcopy(crd->crd_iv, iv, ivlen);
119 else {
120 /* Get IV off buf */
121 COPYDATA(outtype, buf, crd->crd_inject, ivlen, iv);
122 }
123 }
124
125 ivp = iv;
126
127 if (exf->reinit)
128 exf->reinit(sw->sw_kschedule, iv);
129
130 if (outtype == CRYPTO_BUF_MBUF) {
131 /* Find beginning of data */
132 m = m_getptr(m, crd->crd_skip, &k);
133 if (m == NULL)
134 return EINVAL;
135
136 i = crd->crd_len;
137
138 while (i > 0) {
139 /*
140 * If there's insufficient data at the end of
141 * an mbuf, we have to do some copying.
142 */
143 if (m->m_len < k + blks && m->m_len != k) {
144 m_copydata(m, k, blks, blk);
145
146 /* Actual encryption/decryption */
147 if (exf->reinit) {
148 exf->encrypt(sw->sw_kschedule, blk);
149 } else if (crd->crd_flags & CRD_F_ENCRYPT) {
150 /* XOR with previous block */
151 for (j = 0; j < blks; j++)
152 blk[j] ^= ivp[j];
153
154 exf->encrypt(sw->sw_kschedule, blk);
155
156 /*
157 * Keep encrypted block for XOR'ing
158 * with next block
159 */
160 bcopy(blk, iv, blks);
161 ivp = iv;
162 } else { /* decrypt */
163 /*
164 * Keep encrypted block for XOR'ing
165 * with next block
166 */
167 if (ivp == iv)
168 bcopy(blk, piv, blks);
169 else
170 bcopy(blk, iv, blks);
171
172 exf->decrypt(sw->sw_kschedule, blk);
173
174 /* XOR with previous block */
175 for (j = 0; j < blks; j++)
176 blk[j] ^= ivp[j];
177
178 if (ivp == iv)
179 bcopy(piv, iv, blks);
180 else
181 ivp = iv;
182 }
183
184 /* Copy back decrypted block */
185 m_copyback(m, k, blks, blk);
186
187 /* Advance pointer */
188 m = m_getptr(m, k + blks, &k);
189 if (m == NULL)
190 return EINVAL;
191
192 i -= blks;
193
194 /* Could be done... */
195 if (i == 0)
196 break;
197 }
198
199 /* Skip possibly empty mbufs */
200 if (k == m->m_len) {
201 for (m = m->m_next; m && m->m_len == 0;
202 m = m->m_next)
203 ;
204 k = 0;
205 }
206
207 /* Sanity check */
208 if (m == NULL)
209 return EINVAL;
210
211 /*
212 * Warning: idat may point to garbage here, but
213 * we only use it in the while() loop, only if
214 * there are indeed enough data.
215 */
216 idat = mtod(m, unsigned char *) + k;
217
218 while (m->m_len >= k + blks && i > 0) {
219 if (exf->reinit) {
220 exf->encrypt(sw->sw_kschedule, idat);
221 } else if (crd->crd_flags & CRD_F_ENCRYPT) {
222 /* XOR with previous block/IV */
223 for (j = 0; j < blks; j++)
224 idat[j] ^= ivp[j];
225
226 exf->encrypt(sw->sw_kschedule, idat);
227 ivp = idat;
228 } else { /* decrypt */
229 /*
230 * Keep encrypted block to be used
231 * in next block's processing.
232 */
233 if (ivp == iv)
234 bcopy(idat, piv, blks);
235 else
236 bcopy(idat, iv, blks);
237
238 exf->decrypt(sw->sw_kschedule, idat);
239
240 /* XOR with previous block/IV */
241 for (j = 0; j < blks; j++)
242 idat[j] ^= ivp[j];
243
244 if (ivp == iv)
245 bcopy(piv, iv, blks);
246 else
247 ivp = iv;
248 }
249
250 idat += blks;
251 k += blks;
252 i -= blks;
253 }
254 }
255 } else {
256 /* Find beginning of data */
257 count = crd->crd_skip;
258 ind = cuio_getptr(uio, count, &k);
259 if (ind == -1)
260 return EINVAL;
261
262 i = crd->crd_len;
263
264 while (i > 0) {
265 /*
266 * If there's insufficient data at the end,
267 * we have to do some copying.
268 */
269 if (uio->uio_iov[ind].iov_len < k + blks &&
270 uio->uio_iov[ind].iov_len != k) {
271 cuio_copydata(uio, k, blks, blk);
272
273 /* Actual encryption/decryption */
274 if (exf->reinit) {
275 exf->encrypt(sw->sw_kschedule, blk);
276 } else if (crd->crd_flags & CRD_F_ENCRYPT) {
277 /* XOR with previous block */
278 for (j = 0; j < blks; j++)
279 blk[j] ^= ivp[j];
280
281 exf->encrypt(sw->sw_kschedule, blk);
282
283 /*
284 * Keep encrypted block for XOR'ing
285 * with next block
286 */
287 bcopy(blk, iv, blks);
288 ivp = iv;
289 } else { /* decrypt */
290 /*
291 * Keep encrypted block for XOR'ing
292 * with next block
293 */
294 if (ivp == iv)
295 bcopy(blk, piv, blks);
296 else
297 bcopy(blk, iv, blks);
298
299 exf->decrypt(sw->sw_kschedule, blk);
300
301 /* XOR with previous block */
302 for (j = 0; j < blks; j++)
303 blk[j] ^= ivp[j];
304
305 if (ivp == iv)
306 bcopy(piv, iv, blks);
307 else
308 ivp = iv;
309 }
310
311 /* Copy back decrypted block */
312 cuio_copyback(uio, k, blks, blk);
313
314 count += blks;
315
316 /* Advance pointer */
317 ind = cuio_getptr(uio, count, &k);
318 if (ind == -1)
319 return (EINVAL);
320
321 i -= blks;
322
323 /* Could be done... */
324 if (i == 0)
325 break;
326 }
327
328 /*
329 * Warning: idat may point to garbage here, but
330 * we only use it in the while() loop, only if
331 * there are indeed enough data.
332 */
333 idat = (char *)uio->uio_iov[ind].iov_base + k;
334
335 while (uio->uio_iov[ind].iov_len >= k + blks &&
336 i > 0) {
337 if (exf->reinit) {
338 exf->encrypt(sw->sw_kschedule, idat);
339 } else if (crd->crd_flags & CRD_F_ENCRYPT) {
340 /* XOR with previous block/IV */
341 for (j = 0; j < blks; j++)
342 idat[j] ^= ivp[j];
343
344 exf->encrypt(sw->sw_kschedule, idat);
345 ivp = idat;
346 } else { /* decrypt */
347 /*
348 * Keep encrypted block to be used
349 * in next block's processing.
350 */
351 if (ivp == iv)
352 bcopy(idat, piv, blks);
353 else
354 bcopy(idat, iv, blks);
355
356 exf->decrypt(sw->sw_kschedule, idat);
357
358 /* XOR with previous block/IV */
359 for (j = 0; j < blks; j++)
360 idat[j] ^= ivp[j];
361
362 if (ivp == iv)
363 bcopy(piv, iv, blks);
364 else
365 ivp = iv;
366 }
367
368 idat += blks;
369 count += blks;
370 k += blks;
371 i -= blks;
372 }
373 }
374 }
375
376 return 0; /* Done with encryption/decryption */
377 }
378
379 /*
380 * Compute keyed-hash authenticator.
381 */
382 int
383 swcr_authcompute(struct cryptop *crp, struct cryptodesc *crd,
384 struct swcr_data *sw, caddr_t buf, int outtype)
385 {
386 unsigned char aalg[AALG_MAX_RESULT_LEN];
387 struct auth_hash *axf;
388 union authctx ctx;
389 int err;
390
391 if (sw->sw_ictx == 0)
392 return EINVAL;
393
394 axf = sw->sw_axf;
395
396 bcopy(sw->sw_ictx, &ctx, axf->ctxsize);
397
398 if (outtype == CRYPTO_BUF_MBUF)
399 err = m_apply((struct mbuf *) buf, crd->crd_skip, crd->crd_len,
400 (int (*)(caddr_t, caddr_t, unsigned int)) axf->Update,
401 (caddr_t) &ctx);
402 else
403 err = cuio_apply((struct uio *) buf, crd->crd_skip,
404 crd->crd_len,
405 (int (*)(caddr_t, caddr_t, unsigned int)) axf->Update,
406 (caddr_t) &ctx);
407
408 if (err)
409 return err;
410
411 switch (sw->sw_alg) {
412 case CRYPTO_MD5_HMAC:
413 case CRYPTO_SHA1_HMAC:
414 case CRYPTO_RIPEMD160_HMAC:
415 case CRYPTO_SHA2_256_HMAC:
416 case CRYPTO_SHA2_384_HMAC:
417 case CRYPTO_SHA2_512_HMAC:
418 if (sw->sw_octx == NULL)
419 return EINVAL;
420
421 axf->Final(aalg, &ctx);
422 bcopy(sw->sw_octx, &ctx, axf->ctxsize);
423 axf->Update(&ctx, aalg, axf->hashsize);
424 axf->Final(aalg, &ctx);
425 break;
426
427 case CRYPTO_MD5_KPDK:
428 case CRYPTO_SHA1_KPDK:
429 if (sw->sw_octx == NULL)
430 return EINVAL;
431
432 axf->Update(&ctx, sw->sw_octx, sw->sw_klen);
433 axf->Final(aalg, &ctx);
434 break;
435
436 case CRYPTO_MD5:
437 case CRYPTO_SHA1:
438 axf->Final(aalg, &ctx);
439 break;
440 }
441
442 /* Inject the authentication data */
443 if (outtype == CRYPTO_BUF_MBUF)
444 COPYBACK(outtype, buf, crd->crd_inject, axf->authsize, aalg);
445 else
446 bcopy(aalg, crp->crp_mac, axf->authsize);
447
448 return 0;
449 }
450
451 /*
452 * Apply a compression/decompression algorithm
453 */
454 int
455 swcr_compdec(struct cryptodesc *crd, struct swcr_data *sw,
456 caddr_t buf, int outtype)
457 {
458 u_int8_t *data, *out;
459 struct comp_algo *cxf;
460 int adj;
461 u_int32_t result;
462
463 cxf = sw->sw_cxf;
464
465 /* We must handle the whole buffer of data in one time
466 * then if there is not all the data in the mbuf, we must
467 * copy in a buffer.
468 */
469
470 MALLOC(data, u_int8_t *, crd->crd_len, M_CRYPTO_DATA, M_NOWAIT);
471 if (data == NULL)
472 return (EINVAL);
473 COPYDATA(outtype, buf, crd->crd_skip, crd->crd_len, data);
474
475 if (crd->crd_flags & CRD_F_COMP)
476 result = cxf->compress(data, crd->crd_len, &out);
477 else
478 result = cxf->decompress(data, crd->crd_len, &out);
479
480 FREE(data, M_CRYPTO_DATA);
481 if (result == 0)
482 return EINVAL;
483
484 /* Copy back the (de)compressed data. m_copyback is
485 * extending the mbuf as necessary.
486 */
487 sw->sw_size = result;
488 /* Check the compressed size when doing compression */
489 if (crd->crd_flags & CRD_F_COMP) {
490 if (result > crd->crd_len) {
491 /* Compression was useless, we lost time */
492 FREE(out, M_CRYPTO_DATA);
493 return 0;
494 }
495 }
496
497 COPYBACK(outtype, buf, crd->crd_skip, result, out);
498 if (result < crd->crd_len) {
499 adj = result - crd->crd_len;
500 if (outtype == CRYPTO_BUF_MBUF) {
501 adj = result - crd->crd_len;
502 m_adj((struct mbuf *)buf, adj);
503 } else {
504 struct uio *uio = (struct uio *)buf;
505 int ind;
506
507 adj = crd->crd_len - result;
508 ind = uio->uio_iovcnt - 1;
509
510 while (adj > 0 && ind >= 0) {
511 if (adj < uio->uio_iov[ind].iov_len) {
512 uio->uio_iov[ind].iov_len -= adj;
513 break;
514 }
515
516 adj -= uio->uio_iov[ind].iov_len;
517 uio->uio_iov[ind].iov_len = 0;
518 ind--;
519 uio->uio_iovcnt--;
520 }
521 }
522 }
523 FREE(out, M_CRYPTO_DATA);
524 return 0;
525 }
526
527 /*
528 * Generate a new software session.
529 */
530 int
531 swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
532 {
533 struct swcr_data **swd;
534 struct auth_hash *axf;
535 struct enc_xform *txf;
536 struct comp_algo *cxf;
537 u_int32_t i;
538 int k;
539
540 if (sid == NULL || cri == NULL)
541 return EINVAL;
542
543 if (swcr_sessions) {
544 for (i = 1; i < swcr_sesnum; i++)
545 if (swcr_sessions[i] == NULL)
546 break;
547 }
548
549 if (swcr_sessions == NULL || i == swcr_sesnum) {
550 if (swcr_sessions == NULL) {
551 i = 1; /* We leave swcr_sessions[0] empty */
552 swcr_sesnum = CRYPTO_SW_SESSIONS;
553 } else
554 swcr_sesnum *= 2;
555
556 swd = malloc(swcr_sesnum * sizeof(struct swcr_data *),
557 M_CRYPTO_DATA, M_NOWAIT);
558 if (swd == NULL) {
559 /* Reset session number */
560 if (swcr_sesnum == CRYPTO_SW_SESSIONS)
561 swcr_sesnum = 0;
562 else
563 swcr_sesnum /= 2;
564 return ENOBUFS;
565 }
566
567 bzero(swd, swcr_sesnum * sizeof(struct swcr_data *));
568
569 /* Copy existing sessions */
570 if (swcr_sessions) {
571 bcopy(swcr_sessions, swd,
572 (swcr_sesnum / 2) * sizeof(struct swcr_data *));
573 free(swcr_sessions, M_CRYPTO_DATA);
574 }
575
576 swcr_sessions = swd;
577 }
578
579 swd = &swcr_sessions[i];
580 *sid = i;
581
582 while (cri) {
583 MALLOC(*swd, struct swcr_data *, sizeof(struct swcr_data),
584 M_CRYPTO_DATA, M_NOWAIT);
585 if (*swd == NULL) {
586 swcr_freesession(i);
587 return ENOBUFS;
588 }
589 bzero(*swd, sizeof(struct swcr_data));
590
591 switch (cri->cri_alg) {
592 case CRYPTO_DES_CBC:
593 txf = &enc_xform_des;
594 goto enccommon;
595 case CRYPTO_3DES_CBC:
596 txf = &enc_xform_3des;
597 goto enccommon;
598 case CRYPTO_BLF_CBC:
599 txf = &enc_xform_blf;
600 goto enccommon;
601 case CRYPTO_CAST_CBC:
602 txf = &enc_xform_cast5;
603 goto enccommon;
604 case CRYPTO_SKIPJACK_CBC:
605 txf = &enc_xform_skipjack;
606 goto enccommon;
607 case CRYPTO_RIJNDAEL128_CBC:
608 txf = &enc_xform_rijndael128;
609 goto enccommon;
610 case CRYPTO_AES_CTR:
611 txf = &enc_xform_aes_ctr;
612 goto enccommon;
613 case CRYPTO_NULL:
614 txf = &enc_xform_null;
615 goto enccommon;
616 enccommon:
617 if (txf->setkey(&((*swd)->sw_kschedule), cri->cri_key,
618 cri->cri_klen / 8) < 0) {
619 swcr_freesession(i);
620 return EINVAL;
621 }
622 (*swd)->sw_exf = txf;
623 break;
624
625 case CRYPTO_MD5_HMAC:
626 axf = &auth_hash_hmac_md5_96;
627 goto authcommon;
628 case CRYPTO_SHA1_HMAC:
629 axf = &auth_hash_hmac_sha1_96;
630 goto authcommon;
631 case CRYPTO_RIPEMD160_HMAC:
632 axf = &auth_hash_hmac_ripemd_160_96;
633 goto authcommon;
634 case CRYPTO_SHA2_256_HMAC:
635 axf = &auth_hash_hmac_sha2_256_96;
636 goto authcommon;
637 case CRYPTO_SHA2_384_HMAC:
638 axf = &auth_hash_hmac_sha2_384_96;
639 goto authcommon;
640 case CRYPTO_SHA2_512_HMAC:
641 axf = &auth_hash_hmac_sha2_512_96;
642 authcommon:
643 (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
644 M_NOWAIT);
645 if ((*swd)->sw_ictx == NULL) {
646 swcr_freesession(i);
647 return ENOBUFS;
648 }
649
650 (*swd)->sw_octx = malloc(axf->ctxsize, M_CRYPTO_DATA,
651 M_NOWAIT);
652 if ((*swd)->sw_octx == NULL) {
653 swcr_freesession(i);
654 return ENOBUFS;
655 }
656
657 for (k = 0; k < cri->cri_klen / 8; k++)
658 cri->cri_key[k] ^= HMAC_IPAD_VAL;
659
660 axf->Init((*swd)->sw_ictx);
661 axf->Update((*swd)->sw_ictx, cri->cri_key,
662 cri->cri_klen / 8);
663 axf->Update((*swd)->sw_ictx, hmac_ipad_buffer,
664 HMAC_BLOCK_LEN - (cri->cri_klen / 8));
665
666 for (k = 0; k < cri->cri_klen / 8; k++)
667 cri->cri_key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
668
669 axf->Init((*swd)->sw_octx);
670 axf->Update((*swd)->sw_octx, cri->cri_key,
671 cri->cri_klen / 8);
672 axf->Update((*swd)->sw_octx, hmac_opad_buffer,
673 HMAC_BLOCK_LEN - (cri->cri_klen / 8));
674
675 for (k = 0; k < cri->cri_klen / 8; k++)
676 cri->cri_key[k] ^= HMAC_OPAD_VAL;
677 (*swd)->sw_axf = axf;
678 break;
679
680 case CRYPTO_MD5_KPDK:
681 axf = &auth_hash_key_md5;
682 goto auth2common;
683
684 case CRYPTO_SHA1_KPDK:
685 axf = &auth_hash_key_sha1;
686 auth2common:
687 (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
688 M_NOWAIT);
689 if ((*swd)->sw_ictx == NULL) {
690 swcr_freesession(i);
691 return ENOBUFS;
692 }
693
694 /* Store the key so we can "append" it to the payload */
695 (*swd)->sw_octx = malloc(cri->cri_klen / 8, M_CRYPTO_DATA,
696 M_NOWAIT);
697 if ((*swd)->sw_octx == NULL) {
698 swcr_freesession(i);
699 return ENOBUFS;
700 }
701
702 (*swd)->sw_klen = cri->cri_klen / 8;
703 bcopy(cri->cri_key, (*swd)->sw_octx, cri->cri_klen / 8);
704 axf->Init((*swd)->sw_ictx);
705 axf->Update((*swd)->sw_ictx, cri->cri_key,
706 cri->cri_klen / 8);
707 axf->Final(NULL, (*swd)->sw_ictx);
708 (*swd)->sw_axf = axf;
709 break;
710
711 case CRYPTO_MD5:
712 axf = &auth_hash_md5;
713 goto auth3common;
714
715 case CRYPTO_SHA1:
716 axf = &auth_hash_sha1;
717 auth3common:
718 (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
719 M_NOWAIT);
720 if ((*swd)->sw_ictx == NULL) {
721 swcr_freesession(i);
722 return ENOBUFS;
723 }
724
725 axf->Init((*swd)->sw_ictx);
726 (*swd)->sw_axf = axf;
727 break;
728
729 case CRYPTO_DEFLATE_COMP:
730 cxf = &comp_algo_deflate;
731 (*swd)->sw_cxf = cxf;
732 break;
733 default:
734 swcr_freesession(i);
735 return EINVAL;
736 }
737
738 (*swd)->sw_alg = cri->cri_alg;
739 cri = cri->cri_next;
740 swd = &((*swd)->sw_next);
741 }
742 return 0;
743 }
744
745 /*
746 * Free a session.
747 */
748 int
749 swcr_freesession(u_int64_t tid)
750 {
751 struct swcr_data *swd;
752 struct enc_xform *txf;
753 struct auth_hash *axf;
754 u_int32_t sid = ((u_int32_t) tid) & 0xffffffff;
755
756 if (sid > swcr_sesnum || swcr_sessions == NULL ||
757 swcr_sessions[sid] == NULL)
758 return EINVAL;
759
760 /* Silently accept and return */
761 if (sid == 0)
762 return 0;
763
764 while ((swd = swcr_sessions[sid]) != NULL) {
765 swcr_sessions[sid] = swd->sw_next;
766
767 switch (swd->sw_alg) {
768 case CRYPTO_DES_CBC:
769 case CRYPTO_3DES_CBC:
770 case CRYPTO_BLF_CBC:
771 case CRYPTO_CAST_CBC:
772 case CRYPTO_SKIPJACK_CBC:
773 case CRYPTO_RIJNDAEL128_CBC:
774 case CRYPTO_AES_CTR:
775 case CRYPTO_NULL:
776 txf = swd->sw_exf;
777
778 if (swd->sw_kschedule)
779 txf->zerokey(&(swd->sw_kschedule));
780 break;
781
782 case CRYPTO_MD5_HMAC:
783 case CRYPTO_SHA1_HMAC:
784 case CRYPTO_RIPEMD160_HMAC:
785 case CRYPTO_SHA2_256_HMAC:
786 case CRYPTO_SHA2_384_HMAC:
787 case CRYPTO_SHA2_512_HMAC:
788 axf = swd->sw_axf;
789
790 if (swd->sw_ictx) {
791 bzero(swd->sw_ictx, axf->ctxsize);
792 free(swd->sw_ictx, M_CRYPTO_DATA);
793 }
794 if (swd->sw_octx) {
795 bzero(swd->sw_octx, axf->ctxsize);
796 free(swd->sw_octx, M_CRYPTO_DATA);
797 }
798 break;
799
800 case CRYPTO_MD5_KPDK:
801 case CRYPTO_SHA1_KPDK:
802 axf = swd->sw_axf;
803
804 if (swd->sw_ictx) {
805 bzero(swd->sw_ictx, axf->ctxsize);
806 free(swd->sw_ictx, M_CRYPTO_DATA);
807 }
808 if (swd->sw_octx) {
809 bzero(swd->sw_octx, swd->sw_klen);
810 free(swd->sw_octx, M_CRYPTO_DATA);
811 }
812 break;
813
814 case CRYPTO_MD5:
815 case CRYPTO_SHA1:
816 axf = swd->sw_axf;
817
818 if (swd->sw_ictx)
819 free(swd->sw_ictx, M_CRYPTO_DATA);
820 break;
821 }
822
823 FREE(swd, M_CRYPTO_DATA);
824 }
825 return 0;
826 }
827
828 /*
829 * Process a software request.
830 */
831 int
832 swcr_process(struct cryptop *crp)
833 {
834 struct cryptodesc *crd;
835 struct swcr_data *sw;
836 u_int32_t lid;
837 int type;
838
839 /* Sanity check */
840 if (crp == NULL)
841 return EINVAL;
842
843 if (crp->crp_desc == NULL || crp->crp_buf == NULL) {
844 crp->crp_etype = EINVAL;
845 goto done;
846 }
847
848 lid = crp->crp_sid & 0xffffffff;
849 if (lid >= swcr_sesnum || lid == 0 || swcr_sessions[lid] == NULL) {
850 crp->crp_etype = ENOENT;
851 goto done;
852 }
853
854 if (crp->crp_flags & CRYPTO_F_IMBUF)
855 type = CRYPTO_BUF_MBUF;
856 else
857 type = CRYPTO_BUF_IOV;
858
859 /* Go through crypto descriptors, processing as we go */
860 for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
861 /*
862 * Find the crypto context.
863 *
864 * XXX Note that the logic here prevents us from having
865 * XXX the same algorithm multiple times in a session
866 * XXX (or rather, we can but it won't give us the right
867 * XXX results). To do that, we'd need some way of differentiating
868 * XXX between the various instances of an algorithm (so we can
869 * XXX locate the correct crypto context).
870 */
871 for (sw = swcr_sessions[lid];
872 sw && sw->sw_alg != crd->crd_alg;
873 sw = sw->sw_next)
874 ;
875
876 /* No such context ? */
877 if (sw == NULL) {
878 crp->crp_etype = EINVAL;
879 goto done;
880 }
881
882 switch (sw->sw_alg) {
883 case CRYPTO_NULL:
884 break;
885 case CRYPTO_DES_CBC:
886 case CRYPTO_3DES_CBC:
887 case CRYPTO_BLF_CBC:
888 case CRYPTO_CAST_CBC:
889 case CRYPTO_SKIPJACK_CBC:
890 case CRYPTO_RIJNDAEL128_CBC:
891 case CRYPTO_AES_CTR:
892 if ((crp->crp_etype = swcr_encdec(crd, sw,
893 crp->crp_buf, type)) != 0)
894 goto done;
895 break;
896 case CRYPTO_MD5_HMAC:
897 case CRYPTO_SHA1_HMAC:
898 case CRYPTO_RIPEMD160_HMAC:
899 case CRYPTO_SHA2_256_HMAC:
900 case CRYPTO_SHA2_384_HMAC:
901 case CRYPTO_SHA2_512_HMAC:
902 case CRYPTO_MD5_KPDK:
903 case CRYPTO_SHA1_KPDK:
904 case CRYPTO_MD5:
905 case CRYPTO_SHA1:
906 if ((crp->crp_etype = swcr_authcompute(crp, crd, sw,
907 crp->crp_buf, type)) != 0)
908 goto done;
909 break;
910
911 case CRYPTO_DEFLATE_COMP:
912 if ((crp->crp_etype = swcr_compdec(crd, sw,
913 crp->crp_buf, type)) != 0)
914 goto done;
915 else
916 crp->crp_olen = (int)sw->sw_size;
917 break;
918
919 default:
920 /* Unknown/unsupported algorithm */
921 crp->crp_etype = EINVAL;
922 goto done;
923 }
924 }
925
926 done:
927 crypto_done(crp);
928 return 0;
929 }
930
931 /*
932 * Initialize the driver, called from the kernel main().
933 */
934 void
935 swcr_init(void)
936 {
937 int algs[CRYPTO_ALGORITHM_MAX + 1];
938 int flags = CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_ENCRYPT_MAC |
939 CRYPTOCAP_F_MAC_ENCRYPT;
940
941 swcr_id = crypto_get_driverid(flags);
942 if (swcr_id < 0) {
943 /* This should never happen */
944 panic("Software crypto device cannot initialize!");
945 }
946
947 bzero(algs, sizeof(algs));
948
949 algs[CRYPTO_DES_CBC] = CRYPTO_ALG_FLAG_SUPPORTED;
950 algs[CRYPTO_3DES_CBC] = CRYPTO_ALG_FLAG_SUPPORTED;
951 algs[CRYPTO_BLF_CBC] = CRYPTO_ALG_FLAG_SUPPORTED;
952 algs[CRYPTO_CAST_CBC] = CRYPTO_ALG_FLAG_SUPPORTED;
953 algs[CRYPTO_SKIPJACK_CBC] = CRYPTO_ALG_FLAG_SUPPORTED;
954 algs[CRYPTO_MD5_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED;
955 algs[CRYPTO_SHA1_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED;
956 algs[CRYPTO_RIPEMD160_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED;
957 algs[CRYPTO_MD5_KPDK] = CRYPTO_ALG_FLAG_SUPPORTED;
958 algs[CRYPTO_SHA1_KPDK] = CRYPTO_ALG_FLAG_SUPPORTED;
959 algs[CRYPTO_MD5] = CRYPTO_ALG_FLAG_SUPPORTED;
960 algs[CRYPTO_SHA1] = CRYPTO_ALG_FLAG_SUPPORTED;
961 algs[CRYPTO_RIJNDAEL128_CBC] = CRYPTO_ALG_FLAG_SUPPORTED;
962 algs[CRYPTO_AES_CTR] = CRYPTO_ALG_FLAG_SUPPORTED;
963 algs[CRYPTO_DEFLATE_COMP] = CRYPTO_ALG_FLAG_SUPPORTED;
964 algs[CRYPTO_NULL] = CRYPTO_ALG_FLAG_SUPPORTED;
965 algs[CRYPTO_SHA2_256_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED;
966 algs[CRYPTO_SHA2_384_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED;
967 algs[CRYPTO_SHA2_512_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED;
968
969 crypto_register(swcr_id, algs, swcr_newsession,
970 swcr_freesession, swcr_process);
971 }