xref: /freebsd/sys/opencrypto/cryptosoft.c (revision 7815283df299be63807225a9fe9b6e54406eae28)
1 /*	$OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $	*/
2 
3 /*-
4  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
5  * Copyright (c) 2002-2006 Sam Leffler, Errno Consulting
6  *
7  * This code was written by Angelos D. Keromytis in Athens, Greece, in
8  * February 2000. Network Security Technologies Inc. (NSTI) kindly
9  * supported the development of this code.
10  *
11  * Copyright (c) 2000, 2001 Angelos D. Keromytis
12  * Copyright (c) 2014 The FreeBSD Foundation
13  * All rights reserved.
14  *
15  * Portions of this software were developed by John-Mark Gurney
16  * under sponsorship of the FreeBSD Foundation and
17  * Rubicon Communications, LLC (Netgate).
18  *
19  * Permission to use, copy, and modify this software with or without fee
20  * is hereby granted, provided that this entire notice is included in
21  * all source code copies of any software which is or includes a copy or
22  * modification of this software.
23  *
24  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
25  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
26  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
27  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
28  * PURPOSE.
29  */
30 
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
33 
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/malloc.h>
37 #include <sys/mbuf.h>
38 #include <sys/module.h>
39 #include <sys/sysctl.h>
40 #include <sys/errno.h>
41 #include <sys/random.h>
42 #include <sys/kernel.h>
43 #include <sys/uio.h>
44 #include <sys/lock.h>
45 #include <sys/rwlock.h>
46 #include <sys/endian.h>
47 #include <sys/limits.h>
48 #include <sys/mutex.h>
49 
50 #include <crypto/blowfish/blowfish.h>
51 #include <crypto/sha1.h>
52 #include <opencrypto/rmd160.h>
53 #include <opencrypto/cast.h>
54 #include <opencrypto/skipjack.h>
55 #include <sys/md5.h>
56 
57 #include <opencrypto/cryptodev.h>
58 #include <opencrypto/cryptosoft.h>
59 #include <opencrypto/xform.h>
60 
61 #include <sys/kobj.h>
62 #include <sys/bus.h>
63 #include "cryptodev_if.h"
64 
65 static	int32_t swcr_id;
66 
67 u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
68 u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
69 
70 static	int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
71 static	int swcr_authcompute(struct cryptodesc *, struct swcr_data *, caddr_t, int);
72 static	int swcr_authenc(struct cryptop *crp);
73 static	int swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
74 static	void swcr_freesession(device_t dev, crypto_session_t cses);
75 
76 /*
77  * Apply a symmetric encryption/decryption algorithm.
78  */
79 static int
80 swcr_encdec(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
81     int flags)
82 {
83 	unsigned char iv[EALG_MAX_BLOCK_LEN], blk[EALG_MAX_BLOCK_LEN];
84 	unsigned char *ivp, *nivp, iv2[EALG_MAX_BLOCK_LEN];
85 	struct enc_xform *exf;
86 	int i, j, k, blks, ind, count, ivlen;
87 	struct uio *uio, uiolcl;
88 	struct iovec iovlcl[4];
89 	struct iovec *iov;
90 	int iovcnt, iovalloc;
91 	int error;
92 
93 	error = 0;
94 
95 	exf = sw->sw_exf;
96 	blks = exf->blocksize;
97 	ivlen = exf->ivsize;
98 
99 	/* Check for non-padded data */
100 	if (crd->crd_len % blks)
101 		return EINVAL;
102 
103 	if (crd->crd_alg == CRYPTO_AES_ICM &&
104 	    (crd->crd_flags & CRD_F_IV_EXPLICIT) == 0)
105 		return (EINVAL);
106 
107 	/* Initialize the IV */
108 	if (crd->crd_flags & CRD_F_ENCRYPT) {
109 		/* IV explicitly provided ? */
110 		if (crd->crd_flags & CRD_F_IV_EXPLICIT)
111 			bcopy(crd->crd_iv, iv, ivlen);
112 		else
113 			arc4rand(iv, ivlen, 0);
114 
115 		/* Do we need to write the IV */
116 		if (!(crd->crd_flags & CRD_F_IV_PRESENT))
117 			crypto_copyback(flags, buf, crd->crd_inject, ivlen, iv);
118 
119 	} else {	/* Decryption */
120 		/* IV explicitly provided ? */
121 		if (crd->crd_flags & CRD_F_IV_EXPLICIT)
122 			bcopy(crd->crd_iv, iv, ivlen);
123 		else {
124 			/* Get IV off buf */
125 			crypto_copydata(flags, buf, crd->crd_inject, ivlen, iv);
126 		}
127 	}
128 
129 	if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
130 		int error;
131 
132 		if (sw->sw_kschedule)
133 			exf->zerokey(&(sw->sw_kschedule));
134 
135 		error = exf->setkey(&sw->sw_kschedule,
136 				crd->crd_key, crd->crd_klen / 8);
137 		if (error)
138 			return (error);
139 	}
140 
141 	iov = iovlcl;
142 	iovcnt = nitems(iovlcl);
143 	iovalloc = 0;
144 	uio = &uiolcl;
145 	if ((flags & CRYPTO_F_IMBUF) != 0) {
146 		error = crypto_mbuftoiov((struct mbuf *)buf, &iov, &iovcnt,
147 		    &iovalloc);
148 		if (error)
149 			return (error);
150 		uio->uio_iov = iov;
151 		uio->uio_iovcnt = iovcnt;
152 	} else if ((flags & CRYPTO_F_IOV) != 0)
153 		uio = (struct uio *)buf;
154 	else {
155 		iov[0].iov_base = buf;
156 		iov[0].iov_len = crd->crd_skip + crd->crd_len;
157 		uio->uio_iov = iov;
158 		uio->uio_iovcnt = 1;
159 	}
160 
161 	ivp = iv;
162 
163 	if (exf->reinit) {
164 		/*
165 		 * xforms that provide a reinit method perform all IV
166 		 * handling themselves.
167 		 */
168 		exf->reinit(sw->sw_kschedule, iv);
169 	}
170 
171 	count = crd->crd_skip;
172 	ind = cuio_getptr(uio, count, &k);
173 	if (ind == -1) {
174 		error = EINVAL;
175 		goto out;
176 	}
177 
178 	i = crd->crd_len;
179 
180 	while (i > 0) {
181 		/*
182 		 * If there's insufficient data at the end of
183 		 * an iovec, we have to do some copying.
184 		 */
185 		if (uio->uio_iov[ind].iov_len < k + blks &&
186 		    uio->uio_iov[ind].iov_len != k) {
187 			cuio_copydata(uio, count, blks, blk);
188 
189 			/* Actual encryption/decryption */
190 			if (exf->reinit) {
191 				if (crd->crd_flags & CRD_F_ENCRYPT) {
192 					exf->encrypt(sw->sw_kschedule,
193 					    blk);
194 				} else {
195 					exf->decrypt(sw->sw_kschedule,
196 					    blk);
197 				}
198 			} else if (crd->crd_flags & CRD_F_ENCRYPT) {
199 				/* XOR with previous block */
200 				for (j = 0; j < blks; j++)
201 					blk[j] ^= ivp[j];
202 
203 				exf->encrypt(sw->sw_kschedule, blk);
204 
205 				/*
206 				 * Keep encrypted block for XOR'ing
207 				 * with next block
208 				 */
209 				bcopy(blk, iv, blks);
210 				ivp = iv;
211 			} else {	/* decrypt */
212 				/*
213 				 * Keep encrypted block for XOR'ing
214 				 * with next block
215 				 */
216 				nivp = (ivp == iv) ? iv2 : iv;
217 				bcopy(blk, nivp, blks);
218 
219 				exf->decrypt(sw->sw_kschedule, blk);
220 
221 				/* XOR with previous block */
222 				for (j = 0; j < blks; j++)
223 					blk[j] ^= ivp[j];
224 
225 				ivp = nivp;
226 			}
227 
228 			/* Copy back decrypted block */
229 			cuio_copyback(uio, count, blks, blk);
230 
231 			count += blks;
232 
233 			/* Advance pointer */
234 			ind = cuio_getptr(uio, count, &k);
235 			if (ind == -1) {
236 				error = EINVAL;
237 				goto out;
238 			}
239 
240 			i -= blks;
241 
242 			/* Could be done... */
243 			if (i == 0)
244 				break;
245 		}
246 
247 		while (uio->uio_iov[ind].iov_len >= k + blks && i > 0) {
248 			uint8_t *idat;
249 			size_t nb, rem;
250 
251 			nb = blks;
252 			rem = MIN((size_t)i,
253 			    uio->uio_iov[ind].iov_len - (size_t)k);
254 			idat = (uint8_t *)uio->uio_iov[ind].iov_base + k;
255 
256 			if (exf->reinit) {
257 				if ((crd->crd_flags & CRD_F_ENCRYPT) != 0 &&
258 				    exf->encrypt_multi == NULL)
259 					exf->encrypt(sw->sw_kschedule,
260 					    idat);
261 				else if ((crd->crd_flags & CRD_F_ENCRYPT) != 0) {
262 					nb = rounddown(rem, blks);
263 					exf->encrypt_multi(sw->sw_kschedule,
264 					    idat, nb);
265 				} else if (exf->decrypt_multi == NULL)
266 					exf->decrypt(sw->sw_kschedule,
267 					    idat);
268 				else {
269 					nb = rounddown(rem, blks);
270 					exf->decrypt_multi(sw->sw_kschedule,
271 					    idat, nb);
272 				}
273 			} else if (crd->crd_flags & CRD_F_ENCRYPT) {
274 				/* XOR with previous block/IV */
275 				for (j = 0; j < blks; j++)
276 					idat[j] ^= ivp[j];
277 
278 				exf->encrypt(sw->sw_kschedule, idat);
279 				ivp = idat;
280 			} else {	/* decrypt */
281 				/*
282 				 * Keep encrypted block to be used
283 				 * in next block's processing.
284 				 */
285 				nivp = (ivp == iv) ? iv2 : iv;
286 				bcopy(idat, nivp, blks);
287 
288 				exf->decrypt(sw->sw_kschedule, idat);
289 
290 				/* XOR with previous block/IV */
291 				for (j = 0; j < blks; j++)
292 					idat[j] ^= ivp[j];
293 
294 				ivp = nivp;
295 			}
296 
297 			count += nb;
298 			k += nb;
299 			i -= nb;
300 		}
301 
302 		/*
303 		 * Advance to the next iov if the end of the current iov
304 		 * is aligned with the end of a cipher block.
305 		 * Note that the code is equivalent to calling:
306 		 *      ind = cuio_getptr(uio, count, &k);
307 		 */
308 		if (i > 0 && k == uio->uio_iov[ind].iov_len) {
309 			k = 0;
310 			ind++;
311 			if (ind >= uio->uio_iovcnt) {
312 				error = EINVAL;
313 				goto out;
314 			}
315 		}
316 	}
317 
318 out:
319 	if (iovalloc)
320 		free(iov, M_CRYPTO_DATA);
321 
322 	return (error);
323 }
324 
325 static int __result_use_check
326 swcr_authprepare(struct auth_hash *axf, struct swcr_data *sw, u_char *key,
327     int klen)
328 {
329 	int k;
330 
331 	klen /= 8;
332 
333 	switch (axf->type) {
334 	case CRYPTO_MD5_HMAC:
335 	case CRYPTO_SHA1_HMAC:
336 	case CRYPTO_SHA2_224_HMAC:
337 	case CRYPTO_SHA2_256_HMAC:
338 	case CRYPTO_SHA2_384_HMAC:
339 	case CRYPTO_SHA2_512_HMAC:
340 	case CRYPTO_NULL_HMAC:
341 	case CRYPTO_RIPEMD160_HMAC:
342 		for (k = 0; k < klen; k++)
343 			key[k] ^= HMAC_IPAD_VAL;
344 
345 		axf->Init(sw->sw_ictx);
346 		axf->Update(sw->sw_ictx, key, klen);
347 		axf->Update(sw->sw_ictx, hmac_ipad_buffer, axf->blocksize - klen);
348 
349 		for (k = 0; k < klen; k++)
350 			key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
351 
352 		axf->Init(sw->sw_octx);
353 		axf->Update(sw->sw_octx, key, klen);
354 		axf->Update(sw->sw_octx, hmac_opad_buffer, axf->blocksize - klen);
355 
356 		for (k = 0; k < klen; k++)
357 			key[k] ^= HMAC_OPAD_VAL;
358 		break;
359 	case CRYPTO_MD5_KPDK:
360 	case CRYPTO_SHA1_KPDK:
361 	{
362 		/*
363 		 * We need a buffer that can hold an md5 and a sha1 result
364 		 * just to throw it away.
365 		 * What we do here is the initial part of:
366 		 *   ALGO( key, keyfill, .. )
367 		 * adding the key to sw_ictx and abusing Final() to get the
368 		 * "keyfill" padding.
369 		 * In addition we abuse the sw_octx to save the key to have
370 		 * it to be able to append it at the end in swcr_authcompute().
371 		 */
372 		u_char buf[SHA1_RESULTLEN];
373 
374 		sw->sw_klen = klen;
375 		bcopy(key, sw->sw_octx, klen);
376 		axf->Init(sw->sw_ictx);
377 		axf->Update(sw->sw_ictx, key, klen);
378 		axf->Final(buf, sw->sw_ictx);
379 		break;
380 	}
381 	case CRYPTO_POLY1305:
382 		if (klen != POLY1305_KEY_LEN) {
383 			CRYPTDEB("bad poly1305 key size %d", klen);
384 			return EINVAL;
385 		}
386 		/* FALLTHROUGH */
387 	case CRYPTO_BLAKE2B:
388 	case CRYPTO_BLAKE2S:
389 		axf->Setkey(sw->sw_ictx, key, klen);
390 		axf->Init(sw->sw_ictx);
391 		break;
392 	default:
393 		printf("%s: CRD_F_KEY_EXPLICIT flag given, but algorithm %d "
394 		    "doesn't use keys.\n", __func__, axf->type);
395 		return EINVAL;
396 	}
397 	return 0;
398 }
399 
400 /*
401  * Compute keyed-hash authenticator.
402  */
403 static int
404 swcr_authcompute(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
405     int flags)
406 {
407 	unsigned char aalg[HASH_MAX_LEN];
408 	struct auth_hash *axf;
409 	union authctx ctx;
410 	int err;
411 
412 	if (sw->sw_ictx == 0)
413 		return EINVAL;
414 
415 	axf = sw->sw_axf;
416 
417 	if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
418 		err = swcr_authprepare(axf, sw, crd->crd_key, crd->crd_klen);
419 		if (err != 0)
420 			return err;
421 	}
422 
423 	bcopy(sw->sw_ictx, &ctx, axf->ctxsize);
424 
425 	err = crypto_apply(flags, buf, crd->crd_skip, crd->crd_len,
426 	    (int (*)(void *, void *, unsigned int))axf->Update, (caddr_t)&ctx);
427 	if (err)
428 		return err;
429 
430 	switch (sw->sw_alg) {
431 	case CRYPTO_SHA1:
432 	case CRYPTO_SHA2_224:
433 	case CRYPTO_SHA2_256:
434 	case CRYPTO_SHA2_384:
435 	case CRYPTO_SHA2_512:
436 		axf->Final(aalg, &ctx);
437 		break;
438 
439 	case CRYPTO_MD5_HMAC:
440 	case CRYPTO_SHA1_HMAC:
441 	case CRYPTO_SHA2_224_HMAC:
442 	case CRYPTO_SHA2_256_HMAC:
443 	case CRYPTO_SHA2_384_HMAC:
444 	case CRYPTO_SHA2_512_HMAC:
445 	case CRYPTO_RIPEMD160_HMAC:
446 		if (sw->sw_octx == NULL)
447 			return EINVAL;
448 
449 		axf->Final(aalg, &ctx);
450 		bcopy(sw->sw_octx, &ctx, axf->ctxsize);
451 		axf->Update(&ctx, aalg, axf->hashsize);
452 		axf->Final(aalg, &ctx);
453 		break;
454 
455 	case CRYPTO_MD5_KPDK:
456 	case CRYPTO_SHA1_KPDK:
457 		/* If we have no key saved, return error. */
458 		if (sw->sw_octx == NULL)
459 			return EINVAL;
460 
461 		/*
462 		 * Add the trailing copy of the key (see comment in
463 		 * swcr_authprepare()) after the data:
464 		 *   ALGO( .., key, algofill )
465 		 * and let Final() do the proper, natural "algofill"
466 		 * padding.
467 		 */
468 		axf->Update(&ctx, sw->sw_octx, sw->sw_klen);
469 		axf->Final(aalg, &ctx);
470 		break;
471 
472 	case CRYPTO_BLAKE2B:
473 	case CRYPTO_BLAKE2S:
474 	case CRYPTO_NULL_HMAC:
475 	case CRYPTO_POLY1305:
476 		axf->Final(aalg, &ctx);
477 		break;
478 	}
479 
480 	/* Inject the authentication data */
481 	crypto_copyback(flags, buf, crd->crd_inject,
482 	    sw->sw_mlen == 0 ? axf->hashsize : sw->sw_mlen, aalg);
483 	return 0;
484 }
485 
486 CTASSERT(INT_MAX <= (1ll<<39) - 256);	/* GCM: plain text < 2^39-256 */
487 CTASSERT(INT_MAX <= (uint64_t)-1);	/* GCM: associated data <= 2^64-1 */
488 
489 /*
490  * Apply a combined encryption-authentication transformation
491  */
492 static int
493 swcr_authenc(struct cryptop *crp)
494 {
495 	uint32_t blkbuf[howmany(EALG_MAX_BLOCK_LEN, sizeof(uint32_t))];
496 	u_char *blk = (u_char *)blkbuf;
497 	u_char aalg[AALG_MAX_RESULT_LEN];
498 	u_char uaalg[AALG_MAX_RESULT_LEN];
499 	u_char iv[EALG_MAX_BLOCK_LEN];
500 	union authctx ctx;
501 	struct swcr_session *ses;
502 	struct cryptodesc *crd, *crda = NULL, *crde = NULL;
503 	struct swcr_data *sw, *swa, *swe = NULL;
504 	struct auth_hash *axf = NULL;
505 	struct enc_xform *exf = NULL;
506 	caddr_t buf = (caddr_t)crp->crp_buf;
507 	uint32_t *blkp;
508 	int aadlen, blksz, i, ivlen, len, iskip, oskip, r;
509 
510 	ivlen = blksz = iskip = oskip = 0;
511 
512 	ses = crypto_get_driver_session(crp->crp_session);
513 
514 	for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
515 		for (i = 0; i < nitems(ses->swcr_algorithms) &&
516 		    ses->swcr_algorithms[i].sw_alg != crd->crd_alg; i++)
517 			;
518 		if (i == nitems(ses->swcr_algorithms))
519 			return (EINVAL);
520 
521 		sw = &ses->swcr_algorithms[i];
522 		switch (sw->sw_alg) {
523 		case CRYPTO_AES_NIST_GCM_16:
524 		case CRYPTO_AES_NIST_GMAC:
525 			swe = sw;
526 			crde = crd;
527 			exf = swe->sw_exf;
528 			ivlen = 12;
529 			break;
530 		case CRYPTO_AES_128_NIST_GMAC:
531 		case CRYPTO_AES_192_NIST_GMAC:
532 		case CRYPTO_AES_256_NIST_GMAC:
533 			swa = sw;
534 			crda = crd;
535 			axf = swa->sw_axf;
536 			if (swa->sw_ictx == 0)
537 				return (EINVAL);
538 			bcopy(swa->sw_ictx, &ctx, axf->ctxsize);
539 			blksz = axf->blocksize;
540 			break;
541 		default:
542 			return (EINVAL);
543 		}
544 	}
545 	if (crde == NULL || crda == NULL)
546 		return (EINVAL);
547 
548 	if (crde->crd_alg == CRYPTO_AES_NIST_GCM_16 &&
549 	    (crde->crd_flags & CRD_F_IV_EXPLICIT) == 0)
550 		return (EINVAL);
551 
552 	if (crde->crd_klen != crda->crd_klen)
553 		return (EINVAL);
554 
555 	/* Initialize the IV */
556 	if (crde->crd_flags & CRD_F_ENCRYPT) {
557 		/* IV explicitly provided ? */
558 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
559 			bcopy(crde->crd_iv, iv, ivlen);
560 		else
561 			arc4rand(iv, ivlen, 0);
562 
563 		/* Do we need to write the IV */
564 		if (!(crde->crd_flags & CRD_F_IV_PRESENT))
565 			crypto_copyback(crp->crp_flags, buf, crde->crd_inject,
566 			    ivlen, iv);
567 
568 	} else {	/* Decryption */
569 			/* IV explicitly provided ? */
570 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
571 			bcopy(crde->crd_iv, iv, ivlen);
572 		else {
573 			/* Get IV off buf */
574 			crypto_copydata(crp->crp_flags, buf, crde->crd_inject,
575 			    ivlen, iv);
576 		}
577 	}
578 
579 	/* Supply MAC with IV */
580 	if (axf->Reinit)
581 		axf->Reinit(&ctx, iv, ivlen);
582 
583 	/* Supply MAC with AAD */
584 	aadlen = crda->crd_len;
585 
586 	for (i = iskip; i < crda->crd_len; i += blksz) {
587 		len = MIN(crda->crd_len - i, blksz - oskip);
588 		crypto_copydata(crp->crp_flags, buf, crda->crd_skip + i, len,
589 		    blk + oskip);
590 		bzero(blk + len + oskip, blksz - len - oskip);
591 		axf->Update(&ctx, blk, blksz);
592 		oskip = 0; /* reset initial output offset */
593 	}
594 
595 	if (exf->reinit)
596 		exf->reinit(swe->sw_kschedule, iv);
597 
598 	/* Do encryption/decryption with MAC */
599 	for (i = 0; i < crde->crd_len; i += len) {
600 		if (exf->encrypt_multi != NULL) {
601 			len = rounddown(crde->crd_len - i, blksz);
602 			if (len == 0)
603 				len = blksz;
604 			else
605 				len = MIN(len, sizeof(blkbuf));
606 		} else
607 			len = blksz;
608 		len = MIN(crde->crd_len - i, len);
609 		if (len < blksz)
610 			bzero(blk, blksz);
611 		crypto_copydata(crp->crp_flags, buf, crde->crd_skip + i, len,
612 		    blk);
613 		if (crde->crd_flags & CRD_F_ENCRYPT) {
614 			if (exf->encrypt_multi != NULL)
615 				exf->encrypt_multi(swe->sw_kschedule, blk,
616 				    len);
617 			else
618 				exf->encrypt(swe->sw_kschedule, blk);
619 			axf->Update(&ctx, blk, len);
620 			crypto_copyback(crp->crp_flags, buf,
621 			    crde->crd_skip + i, len, blk);
622 		} else {
623 			axf->Update(&ctx, blk, len);
624 		}
625 	}
626 
627 	/* Do any required special finalization */
628 	switch (crda->crd_alg) {
629 		case CRYPTO_AES_128_NIST_GMAC:
630 		case CRYPTO_AES_192_NIST_GMAC:
631 		case CRYPTO_AES_256_NIST_GMAC:
632 			/* length block */
633 			bzero(blk, blksz);
634 			blkp = (uint32_t *)blk + 1;
635 			*blkp = htobe32(aadlen * 8);
636 			blkp = (uint32_t *)blk + 3;
637 			*blkp = htobe32(crde->crd_len * 8);
638 			axf->Update(&ctx, blk, blksz);
639 			break;
640 	}
641 
642 	/* Finalize MAC */
643 	axf->Final(aalg, &ctx);
644 
645 	/* Validate tag */
646 	if (!(crde->crd_flags & CRD_F_ENCRYPT)) {
647 		crypto_copydata(crp->crp_flags, buf, crda->crd_inject,
648 		    axf->hashsize, uaalg);
649 
650 		r = timingsafe_bcmp(aalg, uaalg, axf->hashsize);
651 		if (r == 0) {
652 			/* tag matches, decrypt data */
653 			for (i = 0; i < crde->crd_len; i += blksz) {
654 				len = MIN(crde->crd_len - i, blksz);
655 				if (len < blksz)
656 					bzero(blk, blksz);
657 				crypto_copydata(crp->crp_flags, buf,
658 				    crde->crd_skip + i, len, blk);
659 				exf->decrypt(swe->sw_kschedule, blk);
660 				crypto_copyback(crp->crp_flags, buf,
661 				    crde->crd_skip + i, len, blk);
662 			}
663 		} else
664 			return (EBADMSG);
665 	} else {
666 		/* Inject the authentication data */
667 		crypto_copyback(crp->crp_flags, buf, crda->crd_inject,
668 		    axf->hashsize, aalg);
669 	}
670 
671 	return (0);
672 }
673 
674 /*
675  * Apply a compression/decompression algorithm
676  */
677 static int
678 swcr_compdec(struct cryptodesc *crd, struct swcr_data *sw,
679     caddr_t buf, int flags)
680 {
681 	u_int8_t *data, *out;
682 	struct comp_algo *cxf;
683 	int adj;
684 	u_int32_t result;
685 
686 	cxf = sw->sw_cxf;
687 
688 	/* We must handle the whole buffer of data in one time
689 	 * then if there is not all the data in the mbuf, we must
690 	 * copy in a buffer.
691 	 */
692 
693 	data = malloc(crd->crd_len, M_CRYPTO_DATA,  M_NOWAIT);
694 	if (data == NULL)
695 		return (EINVAL);
696 	crypto_copydata(flags, buf, crd->crd_skip, crd->crd_len, data);
697 
698 	if (crd->crd_flags & CRD_F_COMP)
699 		result = cxf->compress(data, crd->crd_len, &out);
700 	else
701 		result = cxf->decompress(data, crd->crd_len, &out);
702 
703 	free(data, M_CRYPTO_DATA);
704 	if (result == 0)
705 		return EINVAL;
706 
707 	/* Copy back the (de)compressed data. m_copyback is
708 	 * extending the mbuf as necessary.
709 	 */
710 	sw->sw_size = result;
711 	/* Check the compressed size when doing compression */
712 	if (crd->crd_flags & CRD_F_COMP) {
713 		if (result >= crd->crd_len) {
714 			/* Compression was useless, we lost time */
715 			free(out, M_CRYPTO_DATA);
716 			return 0;
717 		}
718 	}
719 
720 	crypto_copyback(flags, buf, crd->crd_skip, result, out);
721 	if (result < crd->crd_len) {
722 		adj = result - crd->crd_len;
723 		if (flags & CRYPTO_F_IMBUF) {
724 			adj = result - crd->crd_len;
725 			m_adj((struct mbuf *)buf, adj);
726 		} else if (flags & CRYPTO_F_IOV) {
727 			struct uio *uio = (struct uio *)buf;
728 			int ind;
729 
730 			adj = crd->crd_len - result;
731 			ind = uio->uio_iovcnt - 1;
732 
733 			while (adj > 0 && ind >= 0) {
734 				if (adj < uio->uio_iov[ind].iov_len) {
735 					uio->uio_iov[ind].iov_len -= adj;
736 					break;
737 				}
738 
739 				adj -= uio->uio_iov[ind].iov_len;
740 				uio->uio_iov[ind].iov_len = 0;
741 				ind--;
742 				uio->uio_iovcnt--;
743 			}
744 		}
745 	}
746 	free(out, M_CRYPTO_DATA);
747 	return 0;
748 }
749 
750 /*
751  * Generate a new software session.
752  */
753 static int
754 swcr_newsession(device_t dev, crypto_session_t cses, struct cryptoini *cri)
755 {
756 	struct swcr_session *ses;
757 	struct swcr_data *swd;
758 	struct auth_hash *axf;
759 	struct enc_xform *txf;
760 	struct comp_algo *cxf;
761 	size_t i;
762 	int len;
763 	int error;
764 
765 	if (cses == NULL || cri == NULL)
766 		return EINVAL;
767 
768 	ses = crypto_get_driver_session(cses);
769 	mtx_init(&ses->swcr_lock, "swcr session lock", NULL, MTX_DEF);
770 
771 	for (i = 0; cri != NULL && i < nitems(ses->swcr_algorithms); i++) {
772 		swd = &ses->swcr_algorithms[i];
773 
774 		switch (cri->cri_alg) {
775 		case CRYPTO_DES_CBC:
776 			txf = &enc_xform_des;
777 			goto enccommon;
778 		case CRYPTO_3DES_CBC:
779 			txf = &enc_xform_3des;
780 			goto enccommon;
781 		case CRYPTO_BLF_CBC:
782 			txf = &enc_xform_blf;
783 			goto enccommon;
784 		case CRYPTO_CAST_CBC:
785 			txf = &enc_xform_cast5;
786 			goto enccommon;
787 		case CRYPTO_SKIPJACK_CBC:
788 			txf = &enc_xform_skipjack;
789 			goto enccommon;
790 		case CRYPTO_RIJNDAEL128_CBC:
791 			txf = &enc_xform_rijndael128;
792 			goto enccommon;
793 		case CRYPTO_AES_XTS:
794 			txf = &enc_xform_aes_xts;
795 			goto enccommon;
796 		case CRYPTO_AES_ICM:
797 			txf = &enc_xform_aes_icm;
798 			goto enccommon;
799 		case CRYPTO_AES_NIST_GCM_16:
800 			txf = &enc_xform_aes_nist_gcm;
801 			goto enccommon;
802 		case CRYPTO_AES_NIST_GMAC:
803 			txf = &enc_xform_aes_nist_gmac;
804 			swd->sw_exf = txf;
805 			break;
806 		case CRYPTO_CAMELLIA_CBC:
807 			txf = &enc_xform_camellia;
808 			goto enccommon;
809 		case CRYPTO_NULL_CBC:
810 			txf = &enc_xform_null;
811 			goto enccommon;
812 		case CRYPTO_CHACHA20:
813 			txf = &enc_xform_chacha20;
814 			goto enccommon;
815 		enccommon:
816 			if (cri->cri_key != NULL) {
817 				error = txf->setkey(&swd->sw_kschedule,
818 				    cri->cri_key, cri->cri_klen / 8);
819 				if (error) {
820 					swcr_freesession(dev, cses);
821 					return error;
822 				}
823 			}
824 			swd->sw_exf = txf;
825 			break;
826 
827 		case CRYPTO_MD5_HMAC:
828 			axf = &auth_hash_hmac_md5;
829 			goto authcommon;
830 		case CRYPTO_SHA1_HMAC:
831 			axf = &auth_hash_hmac_sha1;
832 			goto authcommon;
833 		case CRYPTO_SHA2_224_HMAC:
834 			axf = &auth_hash_hmac_sha2_224;
835 			goto authcommon;
836 		case CRYPTO_SHA2_256_HMAC:
837 			axf = &auth_hash_hmac_sha2_256;
838 			goto authcommon;
839 		case CRYPTO_SHA2_384_HMAC:
840 			axf = &auth_hash_hmac_sha2_384;
841 			goto authcommon;
842 		case CRYPTO_SHA2_512_HMAC:
843 			axf = &auth_hash_hmac_sha2_512;
844 			goto authcommon;
845 		case CRYPTO_NULL_HMAC:
846 			axf = &auth_hash_null;
847 			goto authcommon;
848 		case CRYPTO_RIPEMD160_HMAC:
849 			axf = &auth_hash_hmac_ripemd_160;
850 		authcommon:
851 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
852 			    M_NOWAIT);
853 			if (swd->sw_ictx == NULL) {
854 				swcr_freesession(dev, cses);
855 				return ENOBUFS;
856 			}
857 
858 			swd->sw_octx = malloc(axf->ctxsize, M_CRYPTO_DATA,
859 			    M_NOWAIT);
860 			if (swd->sw_octx == NULL) {
861 				swcr_freesession(dev, cses);
862 				return ENOBUFS;
863 			}
864 
865 			if (cri->cri_key != NULL) {
866 				error = swcr_authprepare(axf, swd,
867 				    cri->cri_key, cri->cri_klen);
868 				if (error != 0) {
869 					swcr_freesession(dev, cses);
870 					return error;
871 				}
872 			}
873 
874 			swd->sw_mlen = cri->cri_mlen;
875 			swd->sw_axf = axf;
876 			break;
877 
878 		case CRYPTO_MD5_KPDK:
879 			axf = &auth_hash_key_md5;
880 			goto auth2common;
881 
882 		case CRYPTO_SHA1_KPDK:
883 			axf = &auth_hash_key_sha1;
884 		auth2common:
885 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
886 			    M_NOWAIT);
887 			if (swd->sw_ictx == NULL) {
888 				swcr_freesession(dev, cses);
889 				return ENOBUFS;
890 			}
891 
892 			swd->sw_octx = malloc(cri->cri_klen / 8,
893 			    M_CRYPTO_DATA, M_NOWAIT);
894 			if (swd->sw_octx == NULL) {
895 				swcr_freesession(dev, cses);
896 				return ENOBUFS;
897 			}
898 
899 			/* Store the key so we can "append" it to the payload */
900 			if (cri->cri_key != NULL) {
901 				error = swcr_authprepare(axf, swd,
902 				    cri->cri_key, cri->cri_klen);
903 				if (error != 0) {
904 					swcr_freesession(dev, cses);
905 					return error;
906 				}
907 			}
908 
909 			swd->sw_mlen = cri->cri_mlen;
910 			swd->sw_axf = axf;
911 			break;
912 #ifdef notdef
913 		case CRYPTO_MD5:
914 			axf = &auth_hash_md5;
915 			goto auth3common;
916 #endif
917 
918 		case CRYPTO_SHA1:
919 			axf = &auth_hash_sha1;
920 			goto auth3common;
921 		case CRYPTO_SHA2_224:
922 			axf = &auth_hash_sha2_224;
923 			goto auth3common;
924 		case CRYPTO_SHA2_256:
925 			axf = &auth_hash_sha2_256;
926 			goto auth3common;
927 		case CRYPTO_SHA2_384:
928 			axf = &auth_hash_sha2_384;
929 			goto auth3common;
930 		case CRYPTO_SHA2_512:
931 			axf = &auth_hash_sha2_512;
932 
933 		auth3common:
934 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
935 			    M_NOWAIT);
936 			if (swd->sw_ictx == NULL) {
937 				swcr_freesession(dev, cses);
938 				return ENOBUFS;
939 			}
940 
941 			axf->Init(swd->sw_ictx);
942 			swd->sw_mlen = cri->cri_mlen;
943 			swd->sw_axf = axf;
944 			break;
945 
946 		case CRYPTO_AES_128_NIST_GMAC:
947 			axf = &auth_hash_nist_gmac_aes_128;
948 			goto auth4common;
949 
950 		case CRYPTO_AES_192_NIST_GMAC:
951 			axf = &auth_hash_nist_gmac_aes_192;
952 			goto auth4common;
953 
954 		case CRYPTO_AES_256_NIST_GMAC:
955 			axf = &auth_hash_nist_gmac_aes_256;
956 		auth4common:
957 			len = cri->cri_klen / 8;
958 			if (len != 16 && len != 24 && len != 32) {
959 				swcr_freesession(dev, cses);
960 				return EINVAL;
961 			}
962 
963 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
964 			    M_NOWAIT);
965 			if (swd->sw_ictx == NULL) {
966 				swcr_freesession(dev, cses);
967 				return ENOBUFS;
968 			}
969 			axf->Init(swd->sw_ictx);
970 			axf->Setkey(swd->sw_ictx, cri->cri_key, len);
971 			swd->sw_axf = axf;
972 			break;
973 
974 		case CRYPTO_BLAKE2B:
975 			axf = &auth_hash_blake2b;
976 			goto auth5common;
977 		case CRYPTO_BLAKE2S:
978 			axf = &auth_hash_blake2s;
979 			goto auth5common;
980 		case CRYPTO_POLY1305:
981 			axf = &auth_hash_poly1305;
982 		auth5common:
983 			swd->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
984 			    M_NOWAIT);
985 			if (swd->sw_ictx == NULL) {
986 				swcr_freesession(dev, cses);
987 				return ENOBUFS;
988 			}
989 			axf->Setkey(swd->sw_ictx, cri->cri_key,
990 			    cri->cri_klen / 8);
991 			axf->Init(swd->sw_ictx);
992 			swd->sw_axf = axf;
993 			break;
994 
995 		case CRYPTO_DEFLATE_COMP:
996 			cxf = &comp_algo_deflate;
997 			swd->sw_cxf = cxf;
998 			break;
999 		default:
1000 			swcr_freesession(dev, cses);
1001 			return EINVAL;
1002 		}
1003 
1004 		swd->sw_alg = cri->cri_alg;
1005 		cri = cri->cri_next;
1006 		ses->swcr_nalgs++;
1007 	}
1008 
1009 	if (cri != NULL) {
1010 		CRYPTDEB("Bogus session request for three or more algorithms");
1011 		return EINVAL;
1012 	}
1013 	return 0;
1014 }
1015 
1016 static void
1017 swcr_freesession(device_t dev, crypto_session_t cses)
1018 {
1019 	struct swcr_session *ses;
1020 	struct swcr_data *swd;
1021 	struct enc_xform *txf;
1022 	struct auth_hash *axf;
1023 	size_t i;
1024 
1025 	ses = crypto_get_driver_session(cses);
1026 
1027 	mtx_destroy(&ses->swcr_lock);
1028 	for (i = 0; i < nitems(ses->swcr_algorithms); i++) {
1029 		swd = &ses->swcr_algorithms[i];
1030 
1031 		switch (swd->sw_alg) {
1032 		case CRYPTO_DES_CBC:
1033 		case CRYPTO_3DES_CBC:
1034 		case CRYPTO_BLF_CBC:
1035 		case CRYPTO_CAST_CBC:
1036 		case CRYPTO_SKIPJACK_CBC:
1037 		case CRYPTO_RIJNDAEL128_CBC:
1038 		case CRYPTO_AES_XTS:
1039 		case CRYPTO_AES_ICM:
1040 		case CRYPTO_AES_NIST_GCM_16:
1041 		case CRYPTO_AES_NIST_GMAC:
1042 		case CRYPTO_CAMELLIA_CBC:
1043 		case CRYPTO_NULL_CBC:
1044 		case CRYPTO_CHACHA20:
1045 			txf = swd->sw_exf;
1046 
1047 			if (swd->sw_kschedule)
1048 				txf->zerokey(&(swd->sw_kschedule));
1049 			break;
1050 
1051 		case CRYPTO_MD5_HMAC:
1052 		case CRYPTO_SHA1_HMAC:
1053 		case CRYPTO_SHA2_224_HMAC:
1054 		case CRYPTO_SHA2_256_HMAC:
1055 		case CRYPTO_SHA2_384_HMAC:
1056 		case CRYPTO_SHA2_512_HMAC:
1057 		case CRYPTO_RIPEMD160_HMAC:
1058 		case CRYPTO_NULL_HMAC:
1059 			axf = swd->sw_axf;
1060 
1061 			if (swd->sw_ictx) {
1062 				bzero(swd->sw_ictx, axf->ctxsize);
1063 				free(swd->sw_ictx, M_CRYPTO_DATA);
1064 			}
1065 			if (swd->sw_octx) {
1066 				bzero(swd->sw_octx, axf->ctxsize);
1067 				free(swd->sw_octx, M_CRYPTO_DATA);
1068 			}
1069 			break;
1070 
1071 		case CRYPTO_MD5_KPDK:
1072 		case CRYPTO_SHA1_KPDK:
1073 			axf = swd->sw_axf;
1074 
1075 			if (swd->sw_ictx) {
1076 				bzero(swd->sw_ictx, axf->ctxsize);
1077 				free(swd->sw_ictx, M_CRYPTO_DATA);
1078 			}
1079 			if (swd->sw_octx) {
1080 				bzero(swd->sw_octx, swd->sw_klen);
1081 				free(swd->sw_octx, M_CRYPTO_DATA);
1082 			}
1083 			break;
1084 
1085 		case CRYPTO_BLAKE2B:
1086 		case CRYPTO_BLAKE2S:
1087 		case CRYPTO_MD5:
1088 		case CRYPTO_POLY1305:
1089 		case CRYPTO_SHA1:
1090 		case CRYPTO_SHA2_224:
1091 		case CRYPTO_SHA2_256:
1092 		case CRYPTO_SHA2_384:
1093 		case CRYPTO_SHA2_512:
1094 			axf = swd->sw_axf;
1095 
1096 			if (swd->sw_ictx) {
1097 				explicit_bzero(swd->sw_ictx, axf->ctxsize);
1098 				free(swd->sw_ictx, M_CRYPTO_DATA);
1099 			}
1100 			break;
1101 
1102 		case CRYPTO_DEFLATE_COMP:
1103 			/* Nothing to do */
1104 			break;
1105 		}
1106 	}
1107 }
1108 
1109 /*
1110  * Process a software request.
1111  */
1112 static int
1113 swcr_process(device_t dev, struct cryptop *crp, int hint)
1114 {
1115 	struct swcr_session *ses = NULL;
1116 	struct cryptodesc *crd;
1117 	struct swcr_data *sw;
1118 	size_t i;
1119 
1120 	/* Sanity check */
1121 	if (crp == NULL)
1122 		return EINVAL;
1123 
1124 	if (crp->crp_desc == NULL || crp->crp_buf == NULL) {
1125 		crp->crp_etype = EINVAL;
1126 		goto done;
1127 	}
1128 
1129 	ses = crypto_get_driver_session(crp->crp_session);
1130 	mtx_lock(&ses->swcr_lock);
1131 
1132 	/* Go through crypto descriptors, processing as we go */
1133 	for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
1134 		/*
1135 		 * Find the crypto context.
1136 		 *
1137 		 * XXX Note that the logic here prevents us from having
1138 		 * XXX the same algorithm multiple times in a session
1139 		 * XXX (or rather, we can but it won't give us the right
1140 		 * XXX results). To do that, we'd need some way of differentiating
1141 		 * XXX between the various instances of an algorithm (so we can
1142 		 * XXX locate the correct crypto context).
1143 		 */
1144 		for (i = 0; i < nitems(ses->swcr_algorithms) &&
1145 		    ses->swcr_algorithms[i].sw_alg != crd->crd_alg; i++)
1146 			;
1147 
1148 		/* No such context ? */
1149 		if (i == nitems(ses->swcr_algorithms)) {
1150 			crp->crp_etype = EINVAL;
1151 			goto done;
1152 		}
1153 		sw = &ses->swcr_algorithms[i];
1154 		switch (sw->sw_alg) {
1155 		case CRYPTO_DES_CBC:
1156 		case CRYPTO_3DES_CBC:
1157 		case CRYPTO_BLF_CBC:
1158 		case CRYPTO_CAST_CBC:
1159 		case CRYPTO_SKIPJACK_CBC:
1160 		case CRYPTO_RIJNDAEL128_CBC:
1161 		case CRYPTO_AES_XTS:
1162 		case CRYPTO_AES_ICM:
1163 		case CRYPTO_CAMELLIA_CBC:
1164 		case CRYPTO_CHACHA20:
1165 			if ((crp->crp_etype = swcr_encdec(crd, sw,
1166 			    crp->crp_buf, crp->crp_flags)) != 0)
1167 				goto done;
1168 			break;
1169 		case CRYPTO_NULL_CBC:
1170 			crp->crp_etype = 0;
1171 			break;
1172 		case CRYPTO_MD5_HMAC:
1173 		case CRYPTO_SHA1_HMAC:
1174 		case CRYPTO_SHA2_224_HMAC:
1175 		case CRYPTO_SHA2_256_HMAC:
1176 		case CRYPTO_SHA2_384_HMAC:
1177 		case CRYPTO_SHA2_512_HMAC:
1178 		case CRYPTO_RIPEMD160_HMAC:
1179 		case CRYPTO_NULL_HMAC:
1180 		case CRYPTO_MD5_KPDK:
1181 		case CRYPTO_SHA1_KPDK:
1182 		case CRYPTO_MD5:
1183 		case CRYPTO_SHA1:
1184 		case CRYPTO_SHA2_224:
1185 		case CRYPTO_SHA2_256:
1186 		case CRYPTO_SHA2_384:
1187 		case CRYPTO_SHA2_512:
1188 		case CRYPTO_BLAKE2B:
1189 		case CRYPTO_BLAKE2S:
1190 		case CRYPTO_POLY1305:
1191 			if ((crp->crp_etype = swcr_authcompute(crd, sw,
1192 			    crp->crp_buf, crp->crp_flags)) != 0)
1193 				goto done;
1194 			break;
1195 
1196 		case CRYPTO_AES_NIST_GCM_16:
1197 		case CRYPTO_AES_NIST_GMAC:
1198 		case CRYPTO_AES_128_NIST_GMAC:
1199 		case CRYPTO_AES_192_NIST_GMAC:
1200 		case CRYPTO_AES_256_NIST_GMAC:
1201 			crp->crp_etype = swcr_authenc(crp);
1202 			goto done;
1203 
1204 		case CRYPTO_DEFLATE_COMP:
1205 			if ((crp->crp_etype = swcr_compdec(crd, sw,
1206 			    crp->crp_buf, crp->crp_flags)) != 0)
1207 				goto done;
1208 			else
1209 				crp->crp_olen = (int)sw->sw_size;
1210 			break;
1211 
1212 		default:
1213 			/* Unknown/unsupported algorithm */
1214 			crp->crp_etype = EINVAL;
1215 			goto done;
1216 		}
1217 	}
1218 
1219 done:
1220 	if (ses)
1221 		mtx_unlock(&ses->swcr_lock);
1222 	crypto_done(crp);
1223 	return 0;
1224 }
1225 
1226 static void
1227 swcr_identify(driver_t *drv, device_t parent)
1228 {
1229 	/* NB: order 10 is so we get attached after h/w devices */
1230 	if (device_find_child(parent, "cryptosoft", -1) == NULL &&
1231 	    BUS_ADD_CHILD(parent, 10, "cryptosoft", 0) == 0)
1232 		panic("cryptosoft: could not attach");
1233 }
1234 
1235 static int
1236 swcr_probe(device_t dev)
1237 {
1238 	device_set_desc(dev, "software crypto");
1239 	return (BUS_PROBE_NOWILDCARD);
1240 }
1241 
1242 static int
1243 swcr_attach(device_t dev)
1244 {
1245 	memset(hmac_ipad_buffer, HMAC_IPAD_VAL, HMAC_MAX_BLOCK_LEN);
1246 	memset(hmac_opad_buffer, HMAC_OPAD_VAL, HMAC_MAX_BLOCK_LEN);
1247 
1248 	swcr_id = crypto_get_driverid(dev, sizeof(struct swcr_session),
1249 			CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_SYNC);
1250 	if (swcr_id < 0) {
1251 		device_printf(dev, "cannot initialize!");
1252 		return ENOMEM;
1253 	}
1254 #define	REGISTER(alg) \
1255 	crypto_register(swcr_id, alg, 0,0)
1256 	REGISTER(CRYPTO_DES_CBC);
1257 	REGISTER(CRYPTO_3DES_CBC);
1258 	REGISTER(CRYPTO_BLF_CBC);
1259 	REGISTER(CRYPTO_CAST_CBC);
1260 	REGISTER(CRYPTO_SKIPJACK_CBC);
1261 	REGISTER(CRYPTO_NULL_CBC);
1262 	REGISTER(CRYPTO_MD5_HMAC);
1263 	REGISTER(CRYPTO_SHA1_HMAC);
1264 	REGISTER(CRYPTO_SHA2_224_HMAC);
1265 	REGISTER(CRYPTO_SHA2_256_HMAC);
1266 	REGISTER(CRYPTO_SHA2_384_HMAC);
1267 	REGISTER(CRYPTO_SHA2_512_HMAC);
1268 	REGISTER(CRYPTO_RIPEMD160_HMAC);
1269 	REGISTER(CRYPTO_NULL_HMAC);
1270 	REGISTER(CRYPTO_MD5_KPDK);
1271 	REGISTER(CRYPTO_SHA1_KPDK);
1272 	REGISTER(CRYPTO_MD5);
1273 	REGISTER(CRYPTO_SHA1);
1274 	REGISTER(CRYPTO_SHA2_224);
1275 	REGISTER(CRYPTO_SHA2_256);
1276 	REGISTER(CRYPTO_SHA2_384);
1277 	REGISTER(CRYPTO_SHA2_512);
1278 	REGISTER(CRYPTO_RIJNDAEL128_CBC);
1279 	REGISTER(CRYPTO_AES_XTS);
1280 	REGISTER(CRYPTO_AES_ICM);
1281 	REGISTER(CRYPTO_AES_NIST_GCM_16);
1282 	REGISTER(CRYPTO_AES_NIST_GMAC);
1283 	REGISTER(CRYPTO_AES_128_NIST_GMAC);
1284 	REGISTER(CRYPTO_AES_192_NIST_GMAC);
1285 	REGISTER(CRYPTO_AES_256_NIST_GMAC);
1286  	REGISTER(CRYPTO_CAMELLIA_CBC);
1287 	REGISTER(CRYPTO_DEFLATE_COMP);
1288 	REGISTER(CRYPTO_BLAKE2B);
1289 	REGISTER(CRYPTO_BLAKE2S);
1290 	REGISTER(CRYPTO_CHACHA20);
1291 	REGISTER(CRYPTO_POLY1305);
1292 #undef REGISTER
1293 
1294 	return 0;
1295 }
1296 
1297 static int
1298 swcr_detach(device_t dev)
1299 {
1300 	crypto_unregister_all(swcr_id);
1301 	return 0;
1302 }
1303 
1304 static device_method_t swcr_methods[] = {
1305 	DEVMETHOD(device_identify,	swcr_identify),
1306 	DEVMETHOD(device_probe,		swcr_probe),
1307 	DEVMETHOD(device_attach,	swcr_attach),
1308 	DEVMETHOD(device_detach,	swcr_detach),
1309 
1310 	DEVMETHOD(cryptodev_newsession,	swcr_newsession),
1311 	DEVMETHOD(cryptodev_freesession,swcr_freesession),
1312 	DEVMETHOD(cryptodev_process,	swcr_process),
1313 
1314 	{0, 0},
1315 };
1316 
1317 static driver_t swcr_driver = {
1318 	"cryptosoft",
1319 	swcr_methods,
1320 	0,		/* NB: no softc */
1321 };
1322 static devclass_t swcr_devclass;
1323 
1324 /*
1325  * NB: We explicitly reference the crypto module so we
1326  * get the necessary ordering when built as a loadable
1327  * module.  This is required because we bundle the crypto
1328  * module code together with the cryptosoft driver (otherwise
1329  * normal module dependencies would handle things).
1330  */
1331 extern int crypto_modevent(struct module *, int, void *);
1332 /* XXX where to attach */
1333 DRIVER_MODULE(cryptosoft, nexus, swcr_driver, swcr_devclass, crypto_modevent,0);
1334 MODULE_VERSION(cryptosoft, 1);
1335 MODULE_DEPEND(cryptosoft, crypto, 1, 1, 1);
1336