cryptosoft.c - OpenGrok cross reference for /freebsd/sys/opencrypto/cryptosoft.c

Deleted Added

sdiffudifftextold (d3d79e96..)new (dd2e1352..)

cryptosoft.c (d3d79e968b67cc9a9855f9a29cf72763dec3578d)	cryptosoft.c (dd2e1352b68aa33f7f6f8c19aaf88cf287013ae8)
1/* $OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $ / 2 3/- 4 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 5 * Copyright (c) 2002-2006 Sam Leffler, Errno Consulting 6 * 7 * This code was written by Angelos D. Keromytis in Athens, Greece, in 8 * February 2000. Network Security Technologies Inc. (NSTI) kindly --- 853 unchanged lines hidden (view full) --- 862 863out: 864 explicit_bzero(blkbuf, sizeof(blkbuf)); 865 explicit_bzero(tag, sizeof(tag)); 866 explicit_bzero(iv, sizeof(iv)); 867 return (error); 868} 869	1/* $OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $ / 2 3/- 4 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 5 * Copyright (c) 2002-2006 Sam Leffler, Errno Consulting 6 * 7 * This code was written by Angelos D. Keromytis in Athens, Greece, in 8 * February 2000. Network Security Technologies Inc. (NSTI) kindly --- 853 unchanged lines hidden (view full) --- 862 863out: 864 explicit_bzero(blkbuf, sizeof(blkbuf)); 865 explicit_bzero(tag, sizeof(tag)); 866 explicit_bzero(iv, sizeof(iv)); 867 return (error); 868} 869
	870static int 871swcr_chacha20_poly1305(struct swcr_session ses, struct cryptop crp) 872{ 873 const struct crypto_session_params csp; 874 uint64_t blkbuf[howmany(CHACHA20_NATIVE_BLOCK_LEN, sizeof(uint64_t))]; 875 u_char blk = (u_char )blkbuf; 876 u_char tag[POLY1305_HASH_LEN]; 877 struct crypto_buffer_cursor cc_in, cc_out; 878 const u_char inblk; 879 u_char outblk; 880 uint64_t blkp; 881 union authctx ctx; 882 struct swcr_auth swa; 883 struct swcr_encdec swe; 884 struct auth_hash axf; 885 struct enc_xform exf; 886 int blksz, error, r, resid; 887 888 swa = &ses->swcr_auth; 889 axf = swa->sw_axf; 890 891 swe = &ses->swcr_encdec; 892 exf = swe->sw_exf; 893 blksz = exf->native_blocksize; 894 KASSERT(blksz <= sizeof(blkbuf), ("%s: blocksize mismatch", __func__)); 895 896 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) 897 return (EINVAL); 898 899 csp = crypto_get_params(crp->crp_session); 900 901 /* Generate Poly1305 key. / 902 if (crp->crp_cipher_key != NULL) 903 axf->Setkey(&ctx, crp->crp_cipher_key, csp->csp_cipher_klen); 904 else 905 axf->Setkey(&ctx, csp->csp_cipher_key, csp->csp_cipher_klen); 906 axf->Reinit(&ctx, crp->crp_iv, csp->csp_ivlen); 907 908 / Supply MAC with AAD / 909 if (crp->crp_aad != NULL) 910 axf->Update(&ctx, crp->crp_aad, crp->crp_aad_length); 911 else 912 crypto_apply(crp, crp->crp_aad_start, 913 crp->crp_aad_length, axf->Update, &ctx); 914 if (crp->crp_aad_length % 16 != 0) { 915 / padding1 / 916 memset(blk, 0, 16); 917 axf->Update(&ctx, blk, 16 - crp->crp_aad_length % 16); 918 } 919 920 if (crp->crp_cipher_key != NULL) 921 exf->setkey(swe->sw_kschedule, crp->crp_cipher_key, 922 csp->csp_cipher_klen); 923 exf->reinit(swe->sw_kschedule, crp->crp_iv); 924 925 / Do encryption with MAC / 926 crypto_cursor_init(&cc_in, &crp->crp_buf); 927 crypto_cursor_advance(&cc_in, crp->crp_payload_start); 928 if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) { 929 crypto_cursor_init(&cc_out, &crp->crp_obuf); 930 crypto_cursor_advance(&cc_out, crp->crp_payload_output_start); 931 } else 932 cc_out = cc_in; 933 for (resid = crp->crp_payload_length; resid >= blksz; resid -= blksz) { 934 if (crypto_cursor_seglen(&cc_in) < blksz) { 935 crypto_cursor_copydata(&cc_in, blksz, blk); 936 inblk = blk; 937 } else { 938 inblk = crypto_cursor_segbase(&cc_in); 939 crypto_cursor_advance(&cc_in, blksz); 940 } 941 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 942 if (crypto_cursor_seglen(&cc_out) < blksz) 943 outblk = blk; 944 else 945 outblk = crypto_cursor_segbase(&cc_out); 946 exf->encrypt(swe->sw_kschedule, inblk, outblk); 947 axf->Update(&ctx, outblk, blksz); 948 if (outblk == blk) 949 crypto_cursor_copyback(&cc_out, blksz, blk); 950 else 951 crypto_cursor_advance(&cc_out, blksz); 952 } else { 953 axf->Update(&ctx, inblk, blksz); 954 } 955 } 956 if (resid > 0) { 957 crypto_cursor_copydata(&cc_in, resid, blk); 958 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 959 exf->encrypt_last(swe->sw_kschedule, blk, blk, resid); 960 crypto_cursor_copyback(&cc_out, resid, blk); 961 } 962 axf->Update(&ctx, blk, resid); 963 if (resid % 16 != 0) { 964 / padding2 / 965 memset(blk, 0, 16); 966 axf->Update(&ctx, blk, 16 - resid % 16); 967 } 968 } 969 970 / lengths / 971 blkp = (uint64_t )blk; 972 blkp[0] = htole64(crp->crp_aad_length); 973 blkp[1] = htole64(crp->crp_payload_length); 974 axf->Update(&ctx, blk, sizeof(uint64_t) * 2); 975 976 /* Finalize MAC / 977 axf->Final(tag, &ctx); 978 979 / Validate tag / 980 error = 0; 981 if (!CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 982 u_char tag2[POLY1305_HASH_LEN]; 983 984 crypto_copydata(crp, crp->crp_digest_start, swa->sw_mlen, tag2); 985 986 r = timingsafe_bcmp(tag, tag2, swa->sw_mlen); 987 explicit_bzero(tag2, sizeof(tag2)); 988 if (r != 0) { 989 error = EBADMSG; 990 goto out; 991 } 992 993 / tag matches, decrypt data / 994 crypto_cursor_init(&cc_in, &crp->crp_buf); 995 crypto_cursor_advance(&cc_in, crp->crp_payload_start); 996 for (resid = crp->crp_payload_length; resid > blksz; 997 resid -= blksz) { 998 if (crypto_cursor_seglen(&cc_in) < blksz) { 999 crypto_cursor_copydata(&cc_in, blksz, blk); 1000 inblk = blk; 1001 } else { 1002 inblk = crypto_cursor_segbase(&cc_in); 1003 crypto_cursor_advance(&cc_in, blksz); 1004 } 1005 if (crypto_cursor_seglen(&cc_out) < blksz) 1006 outblk = blk; 1007 else 1008 outblk = crypto_cursor_segbase(&cc_out); 1009 exf->decrypt(swe->sw_kschedule, inblk, outblk); 1010 if (outblk == blk) 1011 crypto_cursor_copyback(&cc_out, blksz, blk); 1012 else 1013 crypto_cursor_advance(&cc_out, blksz); 1014 } 1015 if (resid > 0) { 1016 crypto_cursor_copydata(&cc_in, resid, blk); 1017 exf->decrypt_last(swe->sw_kschedule, blk, blk, resid); 1018 crypto_cursor_copyback(&cc_out, resid, blk); 1019 } 1020 } else { 1021 / Inject the authentication data */ 1022 crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, tag); 1023 } 1024 1025out: 1026 explicit_bzero(blkbuf, sizeof(blkbuf)); 1027 explicit_bzero(tag, sizeof(tag)); 1028 explicit_bzero(&ctx, sizeof(ctx)); 1029 return (error); 1030} 1031
870/* 871 * Apply a cipher and a digest to perform EtA. 872 / 873static int 874swcr_eta(struct swcr_session ses, struct cryptop crp) 875{ 876 int error; 877 --- 288 unchanged lines hidden* (view full) --- 1166 if (csp->csp_cipher_key != NULL) 1167 axf->Setkey(swa->sw_ictx, csp->csp_cipher_key, 1168 csp->csp_cipher_klen); 1169 1170 /* Second, setup the cipher side. */ 1171 return (swcr_setup_cipher(ses, csp)); 1172} 1173	1032/* 1033 * Apply a cipher and a digest to perform EtA. 1034 / 1035static int 1036swcr_eta(struct swcr_session ses, struct cryptop crp) 1037{ 1038 int error; 1039 --- 288 unchanged lines hidden* (view full) --- 1328 if (csp->csp_cipher_key != NULL) 1329 axf->Setkey(swa->sw_ictx, csp->csp_cipher_key, 1330 csp->csp_cipher_klen); 1331 1332 /* Second, setup the cipher side. */ 1333 return (swcr_setup_cipher(ses, csp)); 1334} 1335
	1336static int 1337swcr_setup_chacha20_poly1305(struct swcr_session ses, 1338 const struct crypto_session_params csp) 1339{ 1340 struct swcr_auth swa; 1341 struct auth_hash axf; 1342 1343 if (csp->csp_ivlen != CHACHA20_POLY1305_IV_LEN) 1344 return (EINVAL); 1345 1346 /* First, setup the auth side. / 1347 swa = &ses->swcr_auth; 1348 axf = &auth_hash_chacha20_poly1305; 1349 swa->sw_axf = axf; 1350 if (csp->csp_auth_mlen < 0 \|\| csp->csp_auth_mlen > axf->hashsize) 1351 return (EINVAL); 1352 if (csp->csp_auth_mlen == 0) 1353 swa->sw_mlen = axf->hashsize; 1354 else 1355 swa->sw_mlen = csp->csp_auth_mlen; 1356 1357 / The auth state is regenerated for each nonce. / 1358 1359 / Second, setup the cipher side. */ 1360 return (swcr_setup_cipher(ses, csp)); 1361} 1362
1174static bool 1175swcr_auth_supported(const struct crypto_session_params csp) 1176{ 1177 struct auth_hash axf; 1178 1179 axf = crypto_auth_hash(csp); 1180 if (axf == NULL) 1181 return (false); --- 71 unchanged lines hidden (view full) --- 1253 default: 1254 return (EINVAL); 1255 } 1256 break; 1257 case CSP_MODE_CIPHER: 1258 switch (csp->csp_cipher_alg) { 1259 case CRYPTO_AES_NIST_GCM_16: 1260 case CRYPTO_AES_CCM_16:	1363static bool 1364swcr_auth_supported(const struct crypto_session_params csp) 1365{ 1366 struct auth_hash axf; 1367 1368 axf = crypto_auth_hash(csp); 1369 if (axf == NULL) 1370 return (false); --- 71 unchanged lines hidden (view full) --- 1442 default: 1443 return (EINVAL); 1444 } 1445 break; 1446 case CSP_MODE_CIPHER: 1447 switch (csp->csp_cipher_alg) { 1448 case CRYPTO_AES_NIST_GCM_16: 1449 case CRYPTO_AES_CCM_16:
	1450 case CRYPTO_CHACHA20_POLY1305:
1261 return (EINVAL); 1262 default: 1263 if (!swcr_cipher_supported(csp)) 1264 return (EINVAL); 1265 break; 1266 } 1267 break; 1268 case CSP_MODE_DIGEST: 1269 if (!swcr_auth_supported(csp)) 1270 return (EINVAL); 1271 break; 1272 case CSP_MODE_AEAD: 1273 switch (csp->csp_cipher_alg) { 1274 case CRYPTO_AES_NIST_GCM_16: 1275 case CRYPTO_AES_CCM_16:	1451 return (EINVAL); 1452 default: 1453 if (!swcr_cipher_supported(csp)) 1454 return (EINVAL); 1455 break; 1456 } 1457 break; 1458 case CSP_MODE_DIGEST: 1459 if (!swcr_auth_supported(csp)) 1460 return (EINVAL); 1461 break; 1462 case CSP_MODE_AEAD: 1463 switch (csp->csp_cipher_alg) { 1464 case CRYPTO_AES_NIST_GCM_16: 1465 case CRYPTO_AES_CCM_16:
	1466 case CRYPTO_CHACHA20_POLY1305:
1276 break; 1277 default: 1278 return (EINVAL); 1279 } 1280 break; 1281 case CSP_MODE_ETA: 1282 /* AEAD algorithms cannot be used for EtA. */ 1283 switch (csp->csp_cipher_alg) { 1284 case CRYPTO_AES_NIST_GCM_16: 1285 case CRYPTO_AES_CCM_16:	1467 break; 1468 default: 1469 return (EINVAL); 1470 } 1471 break; 1472 case CSP_MODE_ETA: 1473 /* AEAD algorithms cannot be used for EtA. */ 1474 switch (csp->csp_cipher_alg) { 1475 case CRYPTO_AES_NIST_GCM_16: 1476 case CRYPTO_AES_CCM_16:
	1477 case CRYPTO_CHACHA20_POLY1305:
1286 return (EINVAL); 1287 } 1288 switch (csp->csp_auth_alg) { 1289 case CRYPTO_AES_NIST_GMAC: 1290 case CRYPTO_AES_CCM_CBC_MAC: 1291 return (EINVAL); 1292 } 1293 --- 44 unchanged lines hidden (view full) --- 1338 case CSP_MODE_CIPHER: 1339 switch (csp->csp_cipher_alg) { 1340 case CRYPTO_NULL_CBC: 1341 ses->swcr_process = swcr_null; 1342 break; 1343#ifdef INVARIANTS 1344 case CRYPTO_AES_NIST_GCM_16: 1345 case CRYPTO_AES_CCM_16:	1478 return (EINVAL); 1479 } 1480 switch (csp->csp_auth_alg) { 1481 case CRYPTO_AES_NIST_GMAC: 1482 case CRYPTO_AES_CCM_CBC_MAC: 1483 return (EINVAL); 1484 } 1485 --- 44 unchanged lines hidden (view full) --- 1530 case CSP_MODE_CIPHER: 1531 switch (csp->csp_cipher_alg) { 1532 case CRYPTO_NULL_CBC: 1533 ses->swcr_process = swcr_null; 1534 break; 1535#ifdef INVARIANTS 1536 case CRYPTO_AES_NIST_GCM_16: 1537 case CRYPTO_AES_CCM_16:
	1538 case CRYPTO_CHACHA20_POLY1305:
1346 panic("bad cipher algo"); 1347#endif 1348 default: 1349 error = swcr_setup_cipher(ses, csp); 1350 if (error == 0) 1351 ses->swcr_process = swcr_encdec; 1352 } 1353 break; --- 7 unchanged lines hidden (view full) --- 1361 if (error == 0) 1362 ses->swcr_process = swcr_gcm; 1363 break; 1364 case CRYPTO_AES_CCM_16: 1365 error = swcr_setup_ccm(ses, csp); 1366 if (error == 0) 1367 ses->swcr_process = swcr_ccm; 1368 break;	1539 panic("bad cipher algo"); 1540#endif 1541 default: 1542 error = swcr_setup_cipher(ses, csp); 1543 if (error == 0) 1544 ses->swcr_process = swcr_encdec; 1545 } 1546 break; --- 7 unchanged lines hidden (view full) --- 1554 if (error == 0) 1555 ses->swcr_process = swcr_gcm; 1556 break; 1557 case CRYPTO_AES_CCM_16: 1558 error = swcr_setup_ccm(ses, csp); 1559 if (error == 0) 1560 ses->swcr_process = swcr_ccm; 1561 break;
	1562 case CRYPTO_CHACHA20_POLY1305: 1563 error = swcr_setup_chacha20_poly1305(ses, csp); 1564 if (error == 0) 1565 ses->swcr_process = swcr_chacha20_poly1305; 1566 break;
1369#ifdef INVARIANTS 1370 default: 1371 panic("bad aead algo"); 1372#endif 1373 } 1374 break; 1375 case CSP_MODE_ETA: 1376#ifdef INVARIANTS 1377 switch (csp->csp_cipher_alg) { 1378 case CRYPTO_AES_NIST_GCM_16: 1379 case CRYPTO_AES_CCM_16:	1567#ifdef INVARIANTS 1568 default: 1569 panic("bad aead algo"); 1570#endif 1571 } 1572 break; 1573 case CSP_MODE_ETA: 1574#ifdef INVARIANTS 1575 switch (csp->csp_cipher_alg) { 1576 case CRYPTO_AES_NIST_GCM_16: 1577 case CRYPTO_AES_CCM_16:
	1578 case CRYPTO_CHACHA20_POLY1305:
1380 panic("bad eta cipher algo"); 1381 } 1382 switch (csp->csp_auth_alg) { 1383 case CRYPTO_AES_NIST_GMAC: 1384 case CRYPTO_AES_CCM_CBC_MAC: 1385 panic("bad eta auth algo"); 1386 } 1387#endif --- 125 unchanged lines hidden ---	1579 panic("bad eta cipher algo"); 1580 } 1581 switch (csp->csp_auth_alg) { 1582 case CRYPTO_AES_NIST_GMAC: 1583 case CRYPTO_AES_CCM_CBC_MAC: 1584 panic("bad eta auth algo"); 1585 } 1586#endif --- 125 unchanged lines hidden ---