xref: /freebsd/sys/opencrypto/cryptosoft.c (revision 6683132d54bd6d589889e43dabdc53d35e38a028)
1 /*	$OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $	*/
2 
3 /*-
4  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
5  * Copyright (c) 2002-2006 Sam Leffler, Errno Consulting
6  *
7  * This code was written by Angelos D. Keromytis in Athens, Greece, in
8  * February 2000. Network Security Technologies Inc. (NSTI) kindly
9  * supported the development of this code.
10  *
11  * Copyright (c) 2000, 2001 Angelos D. Keromytis
12  * Copyright (c) 2014 The FreeBSD Foundation
13  * All rights reserved.
14  *
15  * Portions of this software were developed by John-Mark Gurney
16  * under sponsorship of the FreeBSD Foundation and
17  * Rubicon Communications, LLC (Netgate).
18  *
19  * Permission to use, copy, and modify this software with or without fee
20  * is hereby granted, provided that this entire notice is included in
21  * all source code copies of any software which is or includes a copy or
22  * modification of this software.
23  *
24  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
25  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
26  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
27  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
28  * PURPOSE.
29  */
30 
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
33 
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/malloc.h>
37 #include <sys/mbuf.h>
38 #include <sys/module.h>
39 #include <sys/sysctl.h>
40 #include <sys/errno.h>
41 #include <sys/random.h>
42 #include <sys/kernel.h>
43 #include <sys/uio.h>
44 #include <sys/lock.h>
45 #include <sys/rwlock.h>
46 #include <sys/endian.h>
47 #include <sys/limits.h>
48 #include <sys/mutex.h>
49 
50 #include <crypto/blowfish/blowfish.h>
51 #include <crypto/sha1.h>
52 #include <opencrypto/rmd160.h>
53 #include <opencrypto/cast.h>
54 #include <opencrypto/skipjack.h>
55 #include <sys/md5.h>
56 
57 #include <opencrypto/cryptodev.h>
58 #include <opencrypto/cryptosoft.h>
59 #include <opencrypto/xform.h>
60 
61 #include <sys/kobj.h>
62 #include <sys/bus.h>
63 #include "cryptodev_if.h"
64 
65 _Static_assert(AES_CCM_IV_LEN == AES_GCM_IV_LEN,
66     "AES_GCM_IV_LEN must currently be the same as AES_CCM_IV_LEN");
67 
68 static	int32_t swcr_id;
69 
70 u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
71 u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
72 
73 static	int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
74 static	int swcr_authcompute(struct cryptodesc *, struct swcr_data *, caddr_t, int);
75 static	int swcr_authenc(struct cryptop *crp);
76 static	int swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
77 static	void swcr_freesession(device_t dev, crypto_session_t cses);
78 
79 /*
80  * Apply a symmetric encryption/decryption algorithm.
81  */
82 static int
83 swcr_encdec(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
84     int flags)
85 {
86 	unsigned char iv[EALG_MAX_BLOCK_LEN], blk[EALG_MAX_BLOCK_LEN];
87 	unsigned char *ivp, *nivp, iv2[EALG_MAX_BLOCK_LEN];
88 	struct enc_xform *exf;
89 	int i, j, k, blks, ind, count, ivlen;
90 	struct uio *uio, uiolcl;
91 	struct iovec iovlcl[4];
92 	struct iovec *iov;
93 	int iovcnt, iovalloc;
94 	int error;
95 
96 	error = 0;
97 
98 	exf = sw->sw_exf;
99 	blks = exf->blocksize;
100 	ivlen = exf->ivsize;
101 
102 	/* Check for non-padded data */
103 	if (crd->crd_len % blks)
104 		return EINVAL;
105 
106 	if (crd->crd_alg == CRYPTO_AES_ICM &&
107 	    (crd->crd_flags & CRD_F_IV_EXPLICIT) == 0)
108 		return (EINVAL);
109 
110 	/* Initialize the IV */
111 	if (crd->crd_flags & CRD_F_ENCRYPT) {
112 		/* IV explicitly provided ? */
113 		if (crd->crd_flags & CRD_F_IV_EXPLICIT)
114 			bcopy(crd->crd_iv, iv, ivlen);
115 		else
116 			arc4rand(iv, ivlen, 0);
117 
118 		/* Do we need to write the IV */
119 		if (!(crd->crd_flags & CRD_F_IV_PRESENT))
120 			crypto_copyback(flags, buf, crd->crd_inject, ivlen, iv);
121 
122 	} else {	/* Decryption */
123 		/* IV explicitly provided ? */
124 		if (crd->crd_flags & CRD_F_IV_EXPLICIT)
125 			bcopy(crd->crd_iv, iv, ivlen);
126 		else {
127 			/* Get IV off buf */
128 			crypto_copydata(flags, buf, crd->crd_inject, ivlen, iv);
129 		}
130 	}
131 
132 	if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
133 		int error;
134 
135 		if (sw->sw_kschedule)
136 			exf->zerokey(&(sw->sw_kschedule));
137 
138 		error = exf->setkey(&sw->sw_kschedule,
139 				crd->crd_key, crd->crd_klen / 8);
140 		if (error)
141 			return (error);
142 	}
143 
144 	iov = iovlcl;
145 	iovcnt = nitems(iovlcl);
146 	iovalloc = 0;
147 	uio = &uiolcl;
148 	if ((flags & CRYPTO_F_IMBUF) != 0) {
149 		error = crypto_mbuftoiov((struct mbuf *)buf, &iov, &iovcnt,
150 		    &iovalloc);
151 		if (error)
152 			return (error);
153 		uio->uio_iov = iov;
154 		uio->uio_iovcnt = iovcnt;
155 	} else if ((flags & CRYPTO_F_IOV) != 0)
156 		uio = (struct uio *)buf;
157 	else {
158 		iov[0].iov_base = buf;
159 		iov[0].iov_len = crd->crd_skip + crd->crd_len;
160 		uio->uio_iov = iov;
161 		uio->uio_iovcnt = 1;
162 	}
163 
164 	ivp = iv;
165 
166 	if (exf->reinit) {
167 		/*
168 		 * xforms that provide a reinit method perform all IV
169 		 * handling themselves.
170 		 */
171 		exf->reinit(sw->sw_kschedule, iv);
172 	}
173 
174 	count = crd->crd_skip;
175 	ind = cuio_getptr(uio, count, &k);
176 	if (ind == -1) {
177 		error = EINVAL;
178 		goto out;
179 	}
180 
181 	i = crd->crd_len;
182 
183 	while (i > 0) {
184 		/*
185 		 * If there's insufficient data at the end of
186 		 * an iovec, we have to do some copying.
187 		 */
188 		if (uio->uio_iov[ind].iov_len < k + blks &&
189 		    uio->uio_iov[ind].iov_len != k) {
190 			cuio_copydata(uio, count, blks, blk);
191 
192 			/* Actual encryption/decryption */
193 			if (exf->reinit) {
194 				if (crd->crd_flags & CRD_F_ENCRYPT) {
195 					exf->encrypt(sw->sw_kschedule,
196 					    blk);
197 				} else {
198 					exf->decrypt(sw->sw_kschedule,
199 					    blk);
200 				}
201 			} else if (crd->crd_flags & CRD_F_ENCRYPT) {
202 				/* XOR with previous block */
203 				for (j = 0; j < blks; j++)
204 					blk[j] ^= ivp[j];
205 
206 				exf->encrypt(sw->sw_kschedule, blk);
207 
208 				/*
209 				 * Keep encrypted block for XOR'ing
210 				 * with next block
211 				 */
212 				bcopy(blk, iv, blks);
213 				ivp = iv;
214 			} else {	/* decrypt */
215 				/*
216 				 * Keep encrypted block for XOR'ing
217 				 * with next block
218 				 */
219 				nivp = (ivp == iv) ? iv2 : iv;
220 				bcopy(blk, nivp, blks);
221 
222 				exf->decrypt(sw->sw_kschedule, blk);
223 
224 				/* XOR with previous block */
225 				for (j = 0; j < blks; j++)
226 					blk[j] ^= ivp[j];
227 
228 				ivp = nivp;
229 			}
230 
231 			/* Copy back decrypted block */
232 			cuio_copyback(uio, count, blks, blk);
233 
234 			count += blks;
235 
236 			/* Advance pointer */
237 			ind = cuio_getptr(uio, count, &k);
238 			if (ind == -1) {
239 				error = EINVAL;
240 				goto out;
241 			}
242 
243 			i -= blks;
244 
245 			/* Could be done... */
246 			if (i == 0)
247 				break;
248 		}
249 
250 		while (uio->uio_iov[ind].iov_len >= k + blks && i > 0) {
251 			uint8_t *idat;
252 			size_t nb, rem;
253 
254 			nb = blks;
255 			rem = MIN((size_t)i,
256 			    uio->uio_iov[ind].iov_len - (size_t)k);
257 			idat = (uint8_t *)uio->uio_iov[ind].iov_base + k;
258 
259 			if (exf->reinit) {
260 				if ((crd->crd_flags & CRD_F_ENCRYPT) != 0 &&
261 				    exf->encrypt_multi == NULL)
262 					exf->encrypt(sw->sw_kschedule,
263 					    idat);
264 				else if ((crd->crd_flags & CRD_F_ENCRYPT) != 0) {
265 					nb = rounddown(rem, blks);
266 					exf->encrypt_multi(sw->sw_kschedule,
267 					    idat, nb);
268 				} else if (exf->decrypt_multi == NULL)
269 					exf->decrypt(sw->sw_kschedule,
270 					    idat);
271 				else {
272 					nb = rounddown(rem, blks);
273 					exf->decrypt_multi(sw->sw_kschedule,
274 					    idat, nb);
275 				}
276 			} else if (crd->crd_flags & CRD_F_ENCRYPT) {
277 				/* XOR with previous block/IV */
278 				for (j = 0; j < blks; j++)
279 					idat[j] ^= ivp[j];
280 
281 				exf->encrypt(sw->sw_kschedule, idat);
282 				ivp = idat;
283 			} else {	/* decrypt */
284 				/*
285 				 * Keep encrypted block to be used
286 				 * in next block's processing.
287 				 */
288 				nivp = (ivp == iv) ? iv2 : iv;
289 				bcopy(idat, nivp, blks);
290 
291 				exf->decrypt(sw->sw_kschedule, idat);
292 
293 				/* XOR with previous block/IV */
294 				for (j = 0; j < blks; j++)
295 					idat[j] ^= ivp[j];
296 
297 				ivp = nivp;
298 			}
299 
300 			count += nb;
301 			k += nb;
302 			i -= nb;
303 		}
304 
305 		/*
306 		 * Advance to the next iov if the end of the current iov
307 		 * is aligned with the end of a cipher block.
308 		 * Note that the code is equivalent to calling:
309 		 *      ind = cuio_getptr(uio, count, &k);
310 		 */
311 		if (i > 0 && k == uio->uio_iov[ind].iov_len) {
312 			k = 0;
313 			ind++;
314 			if (ind >= uio->uio_iovcnt) {
315 				error = EINVAL;
316 				goto out;
317 			}
318 		}
319 	}
320 
321 out:
322 	if (iovalloc)
323 		free(iov, M_CRYPTO_DATA);
324 
325 	return (error);
326 }
327 
328 static int __result_use_check
329 swcr_authprepare(struct auth_hash *axf, struct swcr_data *sw, u_char *key,
330     int klen)
331 {
332 	int k;
333 
334 	klen /= 8;
335 
336 	switch (axf->type) {
337 	case CRYPTO_MD5_HMAC:
338 	case CRYPTO_SHA1_HMAC:
339 	case CRYPTO_SHA2_224_HMAC:
340 	case CRYPTO_SHA2_256_HMAC:
341 	case CRYPTO_SHA2_384_HMAC:
342 	case CRYPTO_SHA2_512_HMAC:
343 	case CRYPTO_NULL_HMAC:
344 	case CRYPTO_RIPEMD160_HMAC:
345 		for (k = 0; k < klen; k++)
346 			key[k] ^= HMAC_IPAD_VAL;
347 
348 		axf->Init(sw->sw_ictx);
349 		axf->Update(sw->sw_ictx, key, klen);
350 		axf->Update(sw->sw_ictx, hmac_ipad_buffer, axf->blocksize - klen);
351 
352 		for (k = 0; k < klen; k++)
353 			key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
354 
355 		axf->Init(sw->sw_octx);
356 		axf->Update(sw->sw_octx, key, klen);
357 		axf->Update(sw->sw_octx, hmac_opad_buffer, axf->blocksize - klen);
358 
359 		for (k = 0; k < klen; k++)
360 			key[k] ^= HMAC_OPAD_VAL;
361 		break;
362 	case CRYPTO_MD5_KPDK:
363 	case CRYPTO_SHA1_KPDK:
364 	{
365 		/*
366 		 * We need a buffer that can hold an md5 and a sha1 result
367 		 * just to throw it away.
368 		 * What we do here is the initial part of:
369 		 *   ALGO( key, keyfill, .. )
370 		 * adding the key to sw_ictx and abusing Final() to get the
371 		 * "keyfill" padding.
372 		 * In addition we abuse the sw_octx to save the key to have
373 		 * it to be able to append it at the end in swcr_authcompute().
374 		 */
375 		u_char buf[SHA1_RESULTLEN];
376 
377 		sw->sw_klen = klen;
378 		bcopy(key, sw->sw_octx, klen);
379 		axf->Init(sw->sw_ictx);
380 		axf->Update(sw->sw_ictx, key, klen);
381 		axf->Final(buf, sw->sw_ictx);
382 		break;
383 	}
384 	case CRYPTO_POLY1305:
385 		if (klen != POLY1305_KEY_LEN) {
386 			CRYPTDEB("bad poly1305 key size %d", klen);
387 			return EINVAL;
388 		}
389 		/* FALLTHROUGH */
390 	case CRYPTO_BLAKE2B:
391 	case CRYPTO_BLAKE2S:
392 		axf->Setkey(sw->sw_ictx, key, klen);
393 		axf->Init(sw->sw_ictx);
394 		break;
395 	default:
396 		printf("%s: CRD_F_KEY_EXPLICIT flag given, but algorithm %d "
397 		    "doesn't use keys.\n", __func__, axf->type);
398 		return EINVAL;
399 	}
400 	return 0;
401 }
402 
403 /*
404  * Compute keyed-hash authenticator.
405  */
406 static int
407 swcr_authcompute(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
408     int flags)
409 {
410 	unsigned char aalg[HASH_MAX_LEN];
411 	struct auth_hash *axf;
412 	union authctx ctx;
413 	int err;
414 
415 	if (sw->sw_ictx == 0)
416 		return EINVAL;
417 
418 	axf = sw->sw_axf;
419 
420 	if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
421 		err = swcr_authprepare(axf, sw, crd->crd_key, crd->crd_klen);
422 		if (err != 0)
423 			return err;
424 	}
425 
426 	bcopy(sw->sw_ictx, &ctx, axf->ctxsize);
427 
428 	err = crypto_apply(flags, buf, crd->crd_skip, crd->crd_len,
429 	    (int (*)(void *, void *, unsigned int))axf->Update, (caddr_t)&ctx);
430 	if (err)
431 		return err;
432 
433 	switch (sw->sw_alg) {
434 	case CRYPTO_SHA1:
435 	case CRYPTO_SHA2_224:
436 	case CRYPTO_SHA2_256:
437 	case CRYPTO_SHA2_384:
438 	case CRYPTO_SHA2_512:
439 		axf->Final(aalg, &ctx);
440 		break;
441 
442 	case CRYPTO_MD5_HMAC:
443 	case CRYPTO_SHA1_HMAC:
444 	case CRYPTO_SHA2_224_HMAC:
445 	case CRYPTO_SHA2_256_HMAC:
446 	case CRYPTO_SHA2_384_HMAC:
447 	case CRYPTO_SHA2_512_HMAC:
448 	case CRYPTO_RIPEMD160_HMAC:
449 		if (sw->sw_octx == NULL)
450 			return EINVAL;
451 
452 		axf->Final(aalg, &ctx);
453 		bcopy(sw->sw_octx, &ctx, axf->ctxsize);
454 		axf->Update(&ctx, aalg, axf->hashsize);
455 		axf->Final(aalg, &ctx);
456 		break;
457 
458 	case CRYPTO_MD5_KPDK:
459 	case CRYPTO_SHA1_KPDK:
460 		/* If we have no key saved, return error. */
461 		if (sw->sw_octx == NULL)
462 			return EINVAL;
463 
464 		/*
465 		 * Add the trailing copy of the key (see comment in
466 		 * swcr_authprepare()) after the data:
467 		 *   ALGO( .., key, algofill )
468 		 * and let Final() do the proper, natural "algofill"
469 		 * padding.
470 		 */
471 		axf->Update(&ctx, sw->sw_octx, sw->sw_klen);
472 		axf->Final(aalg, &ctx);
473 		break;
474 
475 	case CRYPTO_BLAKE2B:
476 	case CRYPTO_BLAKE2S:
477 	case CRYPTO_NULL_HMAC:
478 	case CRYPTO_POLY1305:
479 		axf->Final(aalg, &ctx);
480 		break;
481 	}
482 
483 	/* Inject the authentication data */
484 	crypto_copyback(flags, buf, crd->crd_inject,
485 	    sw->sw_mlen == 0 ? axf->hashsize : sw->sw_mlen, aalg);
486 	return 0;
487 }
488 
489 CTASSERT(INT_MAX <= (1ll<<39) - 256);	/* GCM: plain text < 2^39-256 */
490 CTASSERT(INT_MAX <= (uint64_t)-1);	/* GCM: associated data <= 2^64-1 */
491 
492 /*
493  * Apply a combined encryption-authentication transformation
494  */
495 static int
496 swcr_authenc(struct cryptop *crp)
497 {
498 	uint32_t blkbuf[howmany(EALG_MAX_BLOCK_LEN, sizeof(uint32_t))];
499 	u_char *blk = (u_char *)blkbuf;
500 	u_char aalg[AALG_MAX_RESULT_LEN];
501 	u_char uaalg[AALG_MAX_RESULT_LEN];
502 	u_char iv[EALG_MAX_BLOCK_LEN];
503 	union authctx ctx;
504 	struct swcr_session *ses;
505 	struct cryptodesc *crd, *crda = NULL, *crde = NULL;
506 	struct swcr_data *sw, *swa, *swe = NULL;
507 	struct auth_hash *axf = NULL;
508 	struct enc_xform *exf = NULL;
509 	caddr_t buf = (caddr_t)crp->crp_buf;
510 	uint32_t *blkp;
511 	int aadlen, blksz, i, ivlen, len, iskip, oskip, r;
512 	int isccm = 0;
513 
514 	ivlen = blksz = iskip = oskip = 0;
515 
516 	ses = crypto_get_driver_session(crp->crp_session);
517 
518 	for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
519 		for (i = 0; i < nitems(ses->swcr_algorithms) &&
520 		    ses->swcr_algorithms[i].sw_alg != crd->crd_alg; i++)
521 			;
522 		if (i == nitems(ses->swcr_algorithms))
523 			return (EINVAL);
524 
525 		sw = &ses->swcr_algorithms[i];
526 		switch (sw->sw_alg) {
527 		case CRYPTO_AES_CCM_16:
528 		case CRYPTO_AES_NIST_GCM_16:
529 		case CRYPTO_AES_NIST_GMAC:
530 			swe = sw;
531 			crde = crd;
532 			exf = swe->sw_exf;
533 			/* AES_CCM_IV_LEN and AES_GCM_IV_LEN are both 12 */
534 			ivlen = AES_CCM_IV_LEN;
535 			break;
536 		case CRYPTO_AES_CCM_CBC_MAC:
537 			isccm = 1;
538 			/* FALLTHROUGH */
539 		case CRYPTO_AES_128_NIST_GMAC:
540 		case CRYPTO_AES_192_NIST_GMAC:
541 		case CRYPTO_AES_256_NIST_GMAC:
542 			swa = sw;
543 			crda = crd;
544 			axf = swa->sw_axf;
545 			if (swa->sw_ictx == 0)
546 				return (EINVAL);
547 			bcopy(swa->sw_ictx, &ctx, axf->ctxsize);
548 			blksz = axf->blocksize;
549 			break;
550 		default:
551 			return (EINVAL);
552 		}
553 	}
554 	if (crde == NULL || crda == NULL)
555 		return (EINVAL);
556 	/*
557 	 * We need to make sure that the auth algorithm matches the
558 	 * encr algorithm.  Specifically, for AES-GCM must go with
559 	 * AES NIST GMAC, and AES-CCM must go with CBC-MAC.
560 	 */
561 	if (crde->crd_alg == CRYPTO_AES_NIST_GCM_16) {
562 		switch (crda->crd_alg) {
563 		case CRYPTO_AES_128_NIST_GMAC:
564 		case CRYPTO_AES_192_NIST_GMAC:
565 		case CRYPTO_AES_256_NIST_GMAC:
566 			break;	/* Good! */
567 		default:
568 			return (EINVAL);	/* Not good! */
569 		}
570 	} else if (crde->crd_alg == CRYPTO_AES_CCM_16 &&
571 	    crda->crd_alg != CRYPTO_AES_CCM_CBC_MAC)
572 		return (EINVAL);
573 
574 	if ((crde->crd_alg == CRYPTO_AES_NIST_GCM_16 ||
575 	     crde->crd_alg == CRYPTO_AES_CCM_16) &&
576 	    (crde->crd_flags & CRD_F_IV_EXPLICIT) == 0)
577 		return (EINVAL);
578 
579 	if (crde->crd_klen != crda->crd_klen)
580 		return (EINVAL);
581 
582 	/* Initialize the IV */
583 	if (crde->crd_flags & CRD_F_ENCRYPT) {
584 		/* IV explicitly provided ? */
585 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
586 			bcopy(crde->crd_iv, iv, ivlen);
587 		else
588 			arc4rand(iv, ivlen, 0);
589 
590 		/* Do we need to write the IV */
591 		if (!(crde->crd_flags & CRD_F_IV_PRESENT))
592 			crypto_copyback(crp->crp_flags, buf, crde->crd_inject,
593 			    ivlen, iv);
594 
595 	} else {	/* Decryption */
596 			/* IV explicitly provided ? */
597 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
598 			bcopy(crde->crd_iv, iv, ivlen);
599 		else {
600 			/* Get IV off buf */
601 			crypto_copydata(crp->crp_flags, buf, crde->crd_inject,
602 			    ivlen, iv);
603 		}
604 	}
605 
606 	if (swa->sw_alg == CRYPTO_AES_CCM_CBC_MAC) {
607 		/*
608 		 * AES CCM-CBC needs to know the length of
609 		 * both the auth data, and payload data, before
610 		 * doing the auth computation.
611 		 */
612 		ctx.aes_cbc_mac_ctx.authDataLength = crda->crd_len;
613 		ctx.aes_cbc_mac_ctx.cryptDataLength = crde->crd_len;
614 	}
615 	/* Supply MAC with IV */
616 	if (axf->Reinit)
617 		axf->Reinit(&ctx, iv, ivlen);
618 
619 	/* Supply MAC with AAD */
620 	aadlen = crda->crd_len;
621 
622 	for (i = iskip; i < crda->crd_len; i += blksz) {
623 		len = MIN(crda->crd_len - i, blksz - oskip);
624 		crypto_copydata(crp->crp_flags, buf, crda->crd_skip + i, len,
625 		    blk + oskip);
626 		bzero(blk + len + oskip, blksz - len - oskip);
627 		axf->Update(&ctx, blk, blksz);
628 		oskip = 0; /* reset initial output offset */
629 	}
630 
631 	if (exf->reinit)
632 		exf->reinit(swe->sw_kschedule, iv);
633 
634 	/* Do encryption/decryption with MAC */
635 	for (i = 0; i < crde->crd_len; i += len) {
636 		if (exf->encrypt_multi != NULL) {
637 			len = rounddown(crde->crd_len - i, blksz);
638 			if (len == 0)
639 				len = blksz;
640 			else
641 				len = MIN(len, sizeof(blkbuf));
642 		} else
643 			len = blksz;
644 		len = MIN(crde->crd_len - i, len);
645 		if (len < blksz)
646 			bzero(blk, blksz);
647 		crypto_copydata(crp->crp_flags, buf, crde->crd_skip + i, len,
648 		    blk);
649 		/*
650 		 * One of the problems with CCM+CBC is that the authentication
651 		 * is done on the unecncrypted data.  As a result, we have
652 		 * to do the authentication update at different times,
653 		 * depending on whether it's CCM or not.
654 		 */
655 		if (crde->crd_flags & CRD_F_ENCRYPT) {
656 			if (isccm)
657 				axf->Update(&ctx, blk, len);
658 			if (exf->encrypt_multi != NULL)
659 				exf->encrypt_multi(swe->sw_kschedule, blk,
660 				    len);
661 			else
662 				exf->encrypt(swe->sw_kschedule, blk);
663 			if (!isccm)
664 				axf->Update(&ctx, blk, len);
665 			crypto_copyback(crp->crp_flags, buf,
666 			    crde->crd_skip + i, len, blk);
667 		} else {
668 			if (isccm) {
669 				KASSERT(exf->encrypt_multi == NULL,
670 				    ("assume CCM is single-block only"));
671 				exf->decrypt(swe->sw_kschedule, blk);
672 			}
673 			axf->Update(&ctx, blk, len);
674 		}
675 	}
676 
677 	/* Do any required special finalization */
678 	switch (crda->crd_alg) {
679 		case CRYPTO_AES_128_NIST_GMAC:
680 		case CRYPTO_AES_192_NIST_GMAC:
681 		case CRYPTO_AES_256_NIST_GMAC:
682 			/* length block */
683 			bzero(blk, blksz);
684 			blkp = (uint32_t *)blk + 1;
685 			*blkp = htobe32(aadlen * 8);
686 			blkp = (uint32_t *)blk + 3;
687 			*blkp = htobe32(crde->crd_len * 8);
688 			axf->Update(&ctx, blk, blksz);
689 			break;
690 	}
691 
692 	/* Finalize MAC */
693 	axf->Final(aalg, &ctx);
694 
695 	/* Validate tag */
696 	if (!(crde->crd_flags & CRD_F_ENCRYPT)) {
697 		crypto_copydata(crp->crp_flags, buf, crda->crd_inject,
698 		    axf->hashsize, uaalg);
699 
700 		r = timingsafe_bcmp(aalg, uaalg, axf->hashsize);
701 		if (r == 0) {
702 			/* tag matches, decrypt data */
703 			if (isccm) {
704 				KASSERT(exf->reinit != NULL,
705 				    ("AES-CCM reinit function must be set"));
706 				exf->reinit(swe->sw_kschedule, iv);
707 			}
708 			for (i = 0; i < crde->crd_len; i += blksz) {
709 				len = MIN(crde->crd_len - i, blksz);
710 				if (len < blksz)
711 					bzero(blk, blksz);
712 				crypto_copydata(crp->crp_flags, buf,
713 				    crde->crd_skip + i, len, blk);
714 				exf->decrypt(swe->sw_kschedule, blk);
715 				crypto_copyback(crp->crp_flags, buf,
716 				    crde->crd_skip + i, len, blk);
717 			}
718 		} else
719 			return (EBADMSG);
720 	} else {
721 		/* Inject the authentication data */
722 		crypto_copyback(crp->crp_flags, buf, crda->crd_inject,
723 		    axf->hashsize, aalg);
724 	}
725 
726 	return (0);
727 }
728 
729 /*
730  * Apply a compression/decompression algorithm
731  */
732 static int
733 swcr_compdec(struct cryptodesc *crd, struct swcr_data *sw,
734     caddr_t buf, int flags)
735 {
736 	u_int8_t *data, *out;
737 	struct comp_algo *cxf;
738 	int adj;
739 	u_int32_t result;
740 
741 	cxf = sw->sw_cxf;
742 
743 	/* We must handle the whole buffer of data in one time
744 	 * then if there is not all the data in the mbuf, we must
745 	 * copy in a buffer.
746 	 */
747 
748 	data = malloc(crd->crd_len, M_CRYPTO_DATA,  M_NOWAIT);
749 	if (data == NULL)
750 		return (EINVAL);
751 	crypto_copydata(flags, buf, crd->crd_skip, crd->crd_len, data);
752 
753 	if (crd->crd_flags & CRD_F_COMP)
754 		result = cxf->compress(data, crd->crd_len, &out);
755 	else
756 		result = cxf->decompress(data, crd->crd_len, &out);
757 
758 	free(data, M_CRYPTO_DATA);
759 	if (result == 0)
760 		return EINVAL;
761 
762 	/* Copy back the (de)compressed data. m_copyback is
763 	 * extending the mbuf as necessary.
764 	 */
765 	sw->sw_size = result;
766 	/* Check the compressed size when doing compression */
767 	if (crd->crd_flags & CRD_F_COMP) {
768 		if (result >= crd->crd_len) {
769 			/* Compression was useless, we lost time */
770 			free(out, M_CRYPTO_DATA);
771 			return 0;
772 		}
773 	}
774 
775 	crypto_copyback(flags, buf, crd->crd_skip, result, out);
776 	if (result < crd->crd_len) {
777 		adj = result - crd->crd_len;
778 		if (flags & CRYPTO_F_IMBUF) {
779 			adj = result - crd->crd_len;
780 			m_adj((struct mbuf *)buf, adj);
781 		} else if (flags & CRYPTO_F_IOV) {
782 			struct uio *uio = (struct uio *)buf;
783 			int ind;
784 
785 			adj = crd->crd_len - result;
786 			ind = uio->uio_iovcnt - 1;
787 
788 			while (adj > 0 && ind >= 0) {
789 				if (adj < uio->uio_iov[ind].iov_len) {
790 					uio->uio_iov[ind].iov_len -= adj;
791 					break;
792 				}
793 
794 				adj -= uio->uio_iov[ind].iov_len;
795 				uio->uio_iov[ind].iov_len = 0;
796 				ind--;
797 				uio->uio_iovcnt--;
798 			}
799 		}
800 	}
801 	free(out, M_CRYPTO_DATA);
802 	return 0;
803 }
804 
805 /*
806  * Generate a new software session.
807  */
808 static int
809 swcr_newsession(device_t dev, crypto_session_t cses, struct cryptoini *cri)
810 {
811 	struct swcr_session *ses;
812 	struct swcr_data *swd;
813 	struct auth_hash *axf;
814 	struct enc_xform *txf;
815 	struct comp_algo *cxf;
816 	size_t i;
817 	int len;
818 	int error;
819 
820 	if (cses == NULL || cri == NULL)
821 		return EINVAL;
822 
823 	ses = crypto_get_driver_session(cses);
824 	mtx_init(&ses->swcr_lock, "swcr session lock", NULL, MTX_DEF);
825 
826 	for (i = 0; cri != NULL && i < nitems(ses->swcr_algorithms); i++) {
827 		swd = &ses->swcr_algorithms[i];
828 
829 		switch (cri->cri_alg) {
830 		case CRYPTO_DES_CBC:
831 			txf = &enc_xform_des;
832 			goto enccommon;
833 		case CRYPTO_3DES_CBC:
834 			txf = &enc_xform_3des;
835 			goto enccommon;
836 		case CRYPTO_BLF_CBC:
837 			txf = &enc_xform_blf;
838 			goto enccommon;
839 		case CRYPTO_CAST_CBC:
840 			txf = &enc_xform_cast5;
841 			goto enccommon;
842 		case CRYPTO_SKIPJACK_CBC:
843 			txf = &enc_xform_skipjack;
844 			goto enccommon;
845 		case CRYPTO_RIJNDAEL128_CBC:
846 			txf = &enc_xform_rijndael128;
847 			goto enccommon;
848 		case CRYPTO_AES_XTS:
849 			txf = &enc_xform_aes_xts;
850 			goto enccommon;
851 		case CRYPTO_AES_ICM:
852 			txf = &enc_xform_aes_icm;
853 			goto enccommon;
854 		case CRYPTO_AES_NIST_GCM_16:
855 			txf = &enc_xform_aes_nist_gcm;
856 			goto enccommon;
857 		case CRYPTO_AES_CCM_16:
858 			txf = &enc_xform_ccm;
859 			goto enccommon;
860 		case CRYPTO_AES_NIST_GMAC:
861 			txf = &enc_xform_aes_nist_gmac;
862 			swd->sw_exf = txf;
863 			break;
864 		case CRYPTO_CAMELLIA_CBC:
865 			txf = &enc_xform_camellia;
866 			goto enccommon;
867 		case CRYPTO_NULL_CBC:
868 			txf = &enc_xform_null;
869 			goto enccommon;
870 		case CRYPTO_CHACHA20:
871 			txf = &enc_xform_chacha20;
872 			goto enccommon;
873 		enccommon:
874 			if (cri->cri_key != NULL) {
875 				error = txf->setkey(&swd->sw_kschedule,
876 				    cri->cri_key, cri->cri_klen / 8);
877 				if (error) {
878 					swcr_freesession(dev, cses);
879 					return error;
880 				}
881 			}
882 			swd->sw_exf = txf;
883 			break;
884 
885 		case CRYPTO_MD5_HMAC:
886 			axf = &auth_hash_hmac_md5;
887 			goto authcommon;
888 		case CRYPTO_SHA1_HMAC:
889 			axf = &auth_hash_hmac_sha1;
890 			goto authcommon;
891 		case CRYPTO_SHA2_224_HMAC:
892 			axf = &auth_hash_hmac_sha2_224;
893 			goto authcommon;
894 		case CRYPTO_SHA2_256_HMAC:
895 			axf = &auth_hash_hmac_sha2_256;
896 			goto authcommon;
897 		case CRYPTO_SHA2_384_HMAC:
898 			axf = &auth_hash_hmac_sha2_384;
899 			goto authcommon;
900 		case CRYPTO_SHA2_512_HMAC:
901 			axf = &auth_hash_hmac_sha2_512;
902 			goto authcommon;
903 		case CRYPTO_NULL_HMAC:
904 			axf = &auth_hash_null;
905 			goto authcommon;
906 		case CRYPTO_RIPEMD160_HMAC:
907 			axf = &auth_hash_hmac_ripemd_160;
908 		authcommon:
909 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
910 			    M_NOWAIT);
911 			if (swd->sw_ictx == NULL) {
912 				swcr_freesession(dev, cses);
913 				return ENOBUFS;
914 			}
915 
916 			swd->sw_octx = malloc(axf->ctxsize, M_CRYPTO_DATA,
917 			    M_NOWAIT);
918 			if (swd->sw_octx == NULL) {
919 				swcr_freesession(dev, cses);
920 				return ENOBUFS;
921 			}
922 
923 			if (cri->cri_key != NULL) {
924 				error = swcr_authprepare(axf, swd,
925 				    cri->cri_key, cri->cri_klen);
926 				if (error != 0) {
927 					swcr_freesession(dev, cses);
928 					return error;
929 				}
930 			}
931 
932 			swd->sw_mlen = cri->cri_mlen;
933 			swd->sw_axf = axf;
934 			break;
935 
936 		case CRYPTO_MD5_KPDK:
937 			axf = &auth_hash_key_md5;
938 			goto auth2common;
939 
940 		case CRYPTO_SHA1_KPDK:
941 			axf = &auth_hash_key_sha1;
942 		auth2common:
943 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
944 			    M_NOWAIT);
945 			if (swd->sw_ictx == NULL) {
946 				swcr_freesession(dev, cses);
947 				return ENOBUFS;
948 			}
949 
950 			swd->sw_octx = malloc(cri->cri_klen / 8,
951 			    M_CRYPTO_DATA, M_NOWAIT);
952 			if (swd->sw_octx == NULL) {
953 				swcr_freesession(dev, cses);
954 				return ENOBUFS;
955 			}
956 
957 			/* Store the key so we can "append" it to the payload */
958 			if (cri->cri_key != NULL) {
959 				error = swcr_authprepare(axf, swd,
960 				    cri->cri_key, cri->cri_klen);
961 				if (error != 0) {
962 					swcr_freesession(dev, cses);
963 					return error;
964 				}
965 			}
966 
967 			swd->sw_mlen = cri->cri_mlen;
968 			swd->sw_axf = axf;
969 			break;
970 #ifdef notdef
971 		case CRYPTO_MD5:
972 			axf = &auth_hash_md5;
973 			goto auth3common;
974 #endif
975 
976 		case CRYPTO_SHA1:
977 			axf = &auth_hash_sha1;
978 			goto auth3common;
979 		case CRYPTO_SHA2_224:
980 			axf = &auth_hash_sha2_224;
981 			goto auth3common;
982 		case CRYPTO_SHA2_256:
983 			axf = &auth_hash_sha2_256;
984 			goto auth3common;
985 		case CRYPTO_SHA2_384:
986 			axf = &auth_hash_sha2_384;
987 			goto auth3common;
988 		case CRYPTO_SHA2_512:
989 			axf = &auth_hash_sha2_512;
990 
991 		auth3common:
992 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
993 			    M_NOWAIT);
994 			if (swd->sw_ictx == NULL) {
995 				swcr_freesession(dev, cses);
996 				return ENOBUFS;
997 			}
998 
999 			axf->Init(swd->sw_ictx);
1000 			swd->sw_mlen = cri->cri_mlen;
1001 			swd->sw_axf = axf;
1002 			break;
1003 
1004 		case CRYPTO_AES_CCM_CBC_MAC:
1005 			switch (cri->cri_klen) {
1006 			case 128:
1007 				axf = &auth_hash_ccm_cbc_mac_128;
1008 				break;
1009 			case 192:
1010 				axf = &auth_hash_ccm_cbc_mac_192;
1011 				break;
1012 			case 256:
1013 				axf = &auth_hash_ccm_cbc_mac_256;
1014 				break;
1015 			default:
1016 				swcr_freesession(dev, cses);
1017 				return EINVAL;
1018 			}
1019 			goto auth4common;
1020 		case CRYPTO_AES_128_NIST_GMAC:
1021 			axf = &auth_hash_nist_gmac_aes_128;
1022 			goto auth4common;
1023 
1024 		case CRYPTO_AES_192_NIST_GMAC:
1025 			axf = &auth_hash_nist_gmac_aes_192;
1026 			goto auth4common;
1027 
1028 		case CRYPTO_AES_256_NIST_GMAC:
1029 			axf = &auth_hash_nist_gmac_aes_256;
1030 		auth4common:
1031 			len = cri->cri_klen / 8;
1032 			if (len != 16 && len != 24 && len != 32) {
1033 				swcr_freesession(dev, cses);
1034 				return EINVAL;
1035 			}
1036 
1037 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
1038 			    M_NOWAIT);
1039 			if (swd->sw_ictx == NULL) {
1040 				swcr_freesession(dev, cses);
1041 				return ENOBUFS;
1042 			}
1043 			axf->Init(swd->sw_ictx);
1044 			axf->Setkey(swd->sw_ictx, cri->cri_key, len);
1045 			swd->sw_axf = axf;
1046 			break;
1047 
1048 		case CRYPTO_BLAKE2B:
1049 			axf = &auth_hash_blake2b;
1050 			goto auth5common;
1051 		case CRYPTO_BLAKE2S:
1052 			axf = &auth_hash_blake2s;
1053 			goto auth5common;
1054 		case CRYPTO_POLY1305:
1055 			axf = &auth_hash_poly1305;
1056 		auth5common:
1057 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
1058 			    M_NOWAIT);
1059 			if (swd->sw_ictx == NULL) {
1060 				swcr_freesession(dev, cses);
1061 				return ENOBUFS;
1062 			}
1063 			axf->Setkey(swd->sw_ictx, cri->cri_key,
1064 			    cri->cri_klen / 8);
1065 			axf->Init(swd->sw_ictx);
1066 			swd->sw_axf = axf;
1067 			break;
1068 
1069 		case CRYPTO_DEFLATE_COMP:
1070 			cxf = &comp_algo_deflate;
1071 			swd->sw_cxf = cxf;
1072 			break;
1073 		default:
1074 			swcr_freesession(dev, cses);
1075 			return EINVAL;
1076 		}
1077 
1078 		swd->sw_alg = cri->cri_alg;
1079 		cri = cri->cri_next;
1080 		ses->swcr_nalgs++;
1081 	}
1082 
1083 	if (cri != NULL) {
1084 		CRYPTDEB("Bogus session request for three or more algorithms");
1085 		return EINVAL;
1086 	}
1087 	return 0;
1088 }
1089 
1090 static void
1091 swcr_freesession(device_t dev, crypto_session_t cses)
1092 {
1093 	struct swcr_session *ses;
1094 	struct swcr_data *swd;
1095 	struct enc_xform *txf;
1096 	struct auth_hash *axf;
1097 	size_t i;
1098 
1099 	ses = crypto_get_driver_session(cses);
1100 
1101 	mtx_destroy(&ses->swcr_lock);
1102 	for (i = 0; i < nitems(ses->swcr_algorithms); i++) {
1103 		swd = &ses->swcr_algorithms[i];
1104 
1105 		switch (swd->sw_alg) {
1106 		case CRYPTO_DES_CBC:
1107 		case CRYPTO_3DES_CBC:
1108 		case CRYPTO_BLF_CBC:
1109 		case CRYPTO_CAST_CBC:
1110 		case CRYPTO_SKIPJACK_CBC:
1111 		case CRYPTO_RIJNDAEL128_CBC:
1112 		case CRYPTO_AES_XTS:
1113 		case CRYPTO_AES_ICM:
1114 		case CRYPTO_AES_NIST_GCM_16:
1115 		case CRYPTO_AES_NIST_GMAC:
1116 		case CRYPTO_CAMELLIA_CBC:
1117 		case CRYPTO_NULL_CBC:
1118 		case CRYPTO_CHACHA20:
1119 		case CRYPTO_AES_CCM_16:
1120 			txf = swd->sw_exf;
1121 
1122 			if (swd->sw_kschedule)
1123 				txf->zerokey(&(swd->sw_kschedule));
1124 			break;
1125 
1126 		case CRYPTO_MD5_HMAC:
1127 		case CRYPTO_SHA1_HMAC:
1128 		case CRYPTO_SHA2_224_HMAC:
1129 		case CRYPTO_SHA2_256_HMAC:
1130 		case CRYPTO_SHA2_384_HMAC:
1131 		case CRYPTO_SHA2_512_HMAC:
1132 		case CRYPTO_RIPEMD160_HMAC:
1133 		case CRYPTO_NULL_HMAC:
1134 		case CRYPTO_AES_CCM_CBC_MAC:
1135 			axf = swd->sw_axf;
1136 
1137 			if (swd->sw_ictx) {
1138 				bzero(swd->sw_ictx, axf->ctxsize);
1139 				free(swd->sw_ictx, M_CRYPTO_DATA);
1140 			}
1141 			if (swd->sw_octx) {
1142 				bzero(swd->sw_octx, axf->ctxsize);
1143 				free(swd->sw_octx, M_CRYPTO_DATA);
1144 			}
1145 			break;
1146 
1147 		case CRYPTO_MD5_KPDK:
1148 		case CRYPTO_SHA1_KPDK:
1149 			axf = swd->sw_axf;
1150 
1151 			if (swd->sw_ictx) {
1152 				bzero(swd->sw_ictx, axf->ctxsize);
1153 				free(swd->sw_ictx, M_CRYPTO_DATA);
1154 			}
1155 			if (swd->sw_octx) {
1156 				bzero(swd->sw_octx, swd->sw_klen);
1157 				free(swd->sw_octx, M_CRYPTO_DATA);
1158 			}
1159 			break;
1160 
1161 		case CRYPTO_BLAKE2B:
1162 		case CRYPTO_BLAKE2S:
1163 		case CRYPTO_MD5:
1164 		case CRYPTO_POLY1305:
1165 		case CRYPTO_SHA1:
1166 		case CRYPTO_SHA2_224:
1167 		case CRYPTO_SHA2_256:
1168 		case CRYPTO_SHA2_384:
1169 		case CRYPTO_SHA2_512:
1170 		case CRYPTO_AES_128_NIST_GMAC:
1171 		case CRYPTO_AES_192_NIST_GMAC:
1172 		case CRYPTO_AES_256_NIST_GMAC:
1173 			axf = swd->sw_axf;
1174 
1175 			if (swd->sw_ictx) {
1176 				explicit_bzero(swd->sw_ictx, axf->ctxsize);
1177 				free(swd->sw_ictx, M_CRYPTO_DATA);
1178 			}
1179 			break;
1180 
1181 		case CRYPTO_DEFLATE_COMP:
1182 			/* Nothing to do */
1183 			break;
1184 		}
1185 	}
1186 }
1187 
1188 /*
1189  * Process a software request.
1190  */
1191 static int
1192 swcr_process(device_t dev, struct cryptop *crp, int hint)
1193 {
1194 	struct swcr_session *ses = NULL;
1195 	struct cryptodesc *crd;
1196 	struct swcr_data *sw;
1197 	size_t i;
1198 
1199 	/* Sanity check */
1200 	if (crp == NULL)
1201 		return EINVAL;
1202 
1203 	if (crp->crp_desc == NULL || crp->crp_buf == NULL) {
1204 		crp->crp_etype = EINVAL;
1205 		goto done;
1206 	}
1207 
1208 	ses = crypto_get_driver_session(crp->crp_session);
1209 	mtx_lock(&ses->swcr_lock);
1210 
1211 	/* Go through crypto descriptors, processing as we go */
1212 	for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
1213 		/*
1214 		 * Find the crypto context.
1215 		 *
1216 		 * XXX Note that the logic here prevents us from having
1217 		 * XXX the same algorithm multiple times in a session
1218 		 * XXX (or rather, we can but it won't give us the right
1219 		 * XXX results). To do that, we'd need some way of differentiating
1220 		 * XXX between the various instances of an algorithm (so we can
1221 		 * XXX locate the correct crypto context).
1222 		 */
1223 		for (i = 0; i < nitems(ses->swcr_algorithms) &&
1224 		    ses->swcr_algorithms[i].sw_alg != crd->crd_alg; i++)
1225 			;
1226 
1227 		/* No such context ? */
1228 		if (i == nitems(ses->swcr_algorithms)) {
1229 			crp->crp_etype = EINVAL;
1230 			goto done;
1231 		}
1232 		sw = &ses->swcr_algorithms[i];
1233 		switch (sw->sw_alg) {
1234 		case CRYPTO_DES_CBC:
1235 		case CRYPTO_3DES_CBC:
1236 		case CRYPTO_BLF_CBC:
1237 		case CRYPTO_CAST_CBC:
1238 		case CRYPTO_SKIPJACK_CBC:
1239 		case CRYPTO_RIJNDAEL128_CBC:
1240 		case CRYPTO_AES_XTS:
1241 		case CRYPTO_AES_ICM:
1242 		case CRYPTO_CAMELLIA_CBC:
1243 		case CRYPTO_CHACHA20:
1244 			if ((crp->crp_etype = swcr_encdec(crd, sw,
1245 			    crp->crp_buf, crp->crp_flags)) != 0)
1246 				goto done;
1247 			break;
1248 		case CRYPTO_NULL_CBC:
1249 			crp->crp_etype = 0;
1250 			break;
1251 		case CRYPTO_MD5_HMAC:
1252 		case CRYPTO_SHA1_HMAC:
1253 		case CRYPTO_SHA2_224_HMAC:
1254 		case CRYPTO_SHA2_256_HMAC:
1255 		case CRYPTO_SHA2_384_HMAC:
1256 		case CRYPTO_SHA2_512_HMAC:
1257 		case CRYPTO_RIPEMD160_HMAC:
1258 		case CRYPTO_NULL_HMAC:
1259 		case CRYPTO_MD5_KPDK:
1260 		case CRYPTO_SHA1_KPDK:
1261 		case CRYPTO_MD5:
1262 		case CRYPTO_SHA1:
1263 		case CRYPTO_SHA2_224:
1264 		case CRYPTO_SHA2_256:
1265 		case CRYPTO_SHA2_384:
1266 		case CRYPTO_SHA2_512:
1267 		case CRYPTO_BLAKE2B:
1268 		case CRYPTO_BLAKE2S:
1269 		case CRYPTO_POLY1305:
1270 			if ((crp->crp_etype = swcr_authcompute(crd, sw,
1271 			    crp->crp_buf, crp->crp_flags)) != 0)
1272 				goto done;
1273 			break;
1274 
1275 		case CRYPTO_AES_NIST_GCM_16:
1276 		case CRYPTO_AES_NIST_GMAC:
1277 		case CRYPTO_AES_128_NIST_GMAC:
1278 		case CRYPTO_AES_192_NIST_GMAC:
1279 		case CRYPTO_AES_256_NIST_GMAC:
1280 		case CRYPTO_AES_CCM_16:
1281 		case CRYPTO_AES_CCM_CBC_MAC:
1282 			crp->crp_etype = swcr_authenc(crp);
1283 			goto done;
1284 
1285 		case CRYPTO_DEFLATE_COMP:
1286 			if ((crp->crp_etype = swcr_compdec(crd, sw,
1287 			    crp->crp_buf, crp->crp_flags)) != 0)
1288 				goto done;
1289 			else
1290 				crp->crp_olen = (int)sw->sw_size;
1291 			break;
1292 
1293 		default:
1294 			/* Unknown/unsupported algorithm */
1295 			crp->crp_etype = EINVAL;
1296 			goto done;
1297 		}
1298 	}
1299 
1300 done:
1301 	if (ses)
1302 		mtx_unlock(&ses->swcr_lock);
1303 	crypto_done(crp);
1304 	return 0;
1305 }
1306 
1307 static void
1308 swcr_identify(driver_t *drv, device_t parent)
1309 {
1310 	/* NB: order 10 is so we get attached after h/w devices */
1311 	if (device_find_child(parent, "cryptosoft", -1) == NULL &&
1312 	    BUS_ADD_CHILD(parent, 10, "cryptosoft", 0) == 0)
1313 		panic("cryptosoft: could not attach");
1314 }
1315 
1316 static int
1317 swcr_probe(device_t dev)
1318 {
1319 	device_set_desc(dev, "software crypto");
1320 	return (BUS_PROBE_NOWILDCARD);
1321 }
1322 
1323 static int
1324 swcr_attach(device_t dev)
1325 {
1326 	memset(hmac_ipad_buffer, HMAC_IPAD_VAL, HMAC_MAX_BLOCK_LEN);
1327 	memset(hmac_opad_buffer, HMAC_OPAD_VAL, HMAC_MAX_BLOCK_LEN);
1328 
1329 	swcr_id = crypto_get_driverid(dev, sizeof(struct swcr_session),
1330 			CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_SYNC);
1331 	if (swcr_id < 0) {
1332 		device_printf(dev, "cannot initialize!");
1333 		return ENOMEM;
1334 	}
1335 #define	REGISTER(alg) \
1336 	crypto_register(swcr_id, alg, 0,0)
1337 	REGISTER(CRYPTO_DES_CBC);
1338 	REGISTER(CRYPTO_3DES_CBC);
1339 	REGISTER(CRYPTO_BLF_CBC);
1340 	REGISTER(CRYPTO_CAST_CBC);
1341 	REGISTER(CRYPTO_SKIPJACK_CBC);
1342 	REGISTER(CRYPTO_NULL_CBC);
1343 	REGISTER(CRYPTO_MD5_HMAC);
1344 	REGISTER(CRYPTO_SHA1_HMAC);
1345 	REGISTER(CRYPTO_SHA2_224_HMAC);
1346 	REGISTER(CRYPTO_SHA2_256_HMAC);
1347 	REGISTER(CRYPTO_SHA2_384_HMAC);
1348 	REGISTER(CRYPTO_SHA2_512_HMAC);
1349 	REGISTER(CRYPTO_RIPEMD160_HMAC);
1350 	REGISTER(CRYPTO_NULL_HMAC);
1351 	REGISTER(CRYPTO_MD5_KPDK);
1352 	REGISTER(CRYPTO_SHA1_KPDK);
1353 	REGISTER(CRYPTO_MD5);
1354 	REGISTER(CRYPTO_SHA1);
1355 	REGISTER(CRYPTO_SHA2_224);
1356 	REGISTER(CRYPTO_SHA2_256);
1357 	REGISTER(CRYPTO_SHA2_384);
1358 	REGISTER(CRYPTO_SHA2_512);
1359 	REGISTER(CRYPTO_RIJNDAEL128_CBC);
1360 	REGISTER(CRYPTO_AES_XTS);
1361 	REGISTER(CRYPTO_AES_ICM);
1362 	REGISTER(CRYPTO_AES_NIST_GCM_16);
1363 	REGISTER(CRYPTO_AES_NIST_GMAC);
1364 	REGISTER(CRYPTO_AES_128_NIST_GMAC);
1365 	REGISTER(CRYPTO_AES_192_NIST_GMAC);
1366 	REGISTER(CRYPTO_AES_256_NIST_GMAC);
1367  	REGISTER(CRYPTO_CAMELLIA_CBC);
1368 	REGISTER(CRYPTO_DEFLATE_COMP);
1369 	REGISTER(CRYPTO_BLAKE2B);
1370 	REGISTER(CRYPTO_BLAKE2S);
1371 	REGISTER(CRYPTO_CHACHA20);
1372 	REGISTER(CRYPTO_AES_CCM_16);
1373 	REGISTER(CRYPTO_AES_CCM_CBC_MAC);
1374 	REGISTER(CRYPTO_POLY1305);
1375 #undef REGISTER
1376 
1377 	return 0;
1378 }
1379 
1380 static int
1381 swcr_detach(device_t dev)
1382 {
1383 	crypto_unregister_all(swcr_id);
1384 	return 0;
1385 }
1386 
1387 static device_method_t swcr_methods[] = {
1388 	DEVMETHOD(device_identify,	swcr_identify),
1389 	DEVMETHOD(device_probe,		swcr_probe),
1390 	DEVMETHOD(device_attach,	swcr_attach),
1391 	DEVMETHOD(device_detach,	swcr_detach),
1392 
1393 	DEVMETHOD(cryptodev_newsession,	swcr_newsession),
1394 	DEVMETHOD(cryptodev_freesession,swcr_freesession),
1395 	DEVMETHOD(cryptodev_process,	swcr_process),
1396 
1397 	{0, 0},
1398 };
1399 
1400 static driver_t swcr_driver = {
1401 	"cryptosoft",
1402 	swcr_methods,
1403 	0,		/* NB: no softc */
1404 };
1405 static devclass_t swcr_devclass;
1406 
1407 /*
1408  * NB: We explicitly reference the crypto module so we
1409  * get the necessary ordering when built as a loadable
1410  * module.  This is required because we bundle the crypto
1411  * module code together with the cryptosoft driver (otherwise
1412  * normal module dependencies would handle things).
1413  */
1414 extern int crypto_modevent(struct module *, int, void *);
1415 /* XXX where to attach */
1416 DRIVER_MODULE(cryptosoft, nexus, swcr_driver, swcr_devclass, crypto_modevent,0);
1417 MODULE_VERSION(cryptosoft, 1);
1418 MODULE_DEPEND(cryptosoft, crypto, 1, 1, 1);
1419