Module Name: src Committed By: riastradh Date: Mon Jun 29 23:34:48 UTC 2020
Modified Files: src/sys/opencrypto: aesxcbcmac.c aesxcbcmac.h cryptosoft.c cryptosoft_xform.c files.opencrypto gmac.c gmac.h xform.c Log Message: opencrypto: Switch from legacy rijndael API to new aes API. While here, apply various rijndael->aes renames, reduce the size of aesxcbc_ctx by 480 bytes, and convert some malloc->kmem. Leave in the symbol enc_xform_rijndael128 for now, though, so this doesn't break any kernel ABI. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/opencrypto/aesxcbcmac.c \ src/sys/opencrypto/gmac.h cvs rdiff -u -r1.1 -r1.2 src/sys/opencrypto/aesxcbcmac.h cvs rdiff -u -r1.55 -r1.56 src/sys/opencrypto/cryptosoft.c cvs rdiff -u -r1.28 -r1.29 src/sys/opencrypto/cryptosoft_xform.c cvs rdiff -u -r1.29 -r1.30 src/sys/opencrypto/files.opencrypto \ src/sys/opencrypto/xform.c cvs rdiff -u -r1.3 -r1.4 src/sys/opencrypto/gmac.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/opencrypto/aesxcbcmac.c diff -u src/sys/opencrypto/aesxcbcmac.c:1.2 src/sys/opencrypto/aesxcbcmac.c:1.3 --- src/sys/opencrypto/aesxcbcmac.c:1.2 Mon Sep 26 14:50:54 2016 +++ src/sys/opencrypto/aesxcbcmac.c Mon Jun 29 23:34:48 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: aesxcbcmac.c,v 1.2 2016/09/26 14:50:54 christos Exp $ */ +/* $NetBSD: aesxcbcmac.c,v 1.3 2020/06/29 23:34:48 riastradh Exp $ */ /* * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project. @@ -30,11 +30,12 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: aesxcbcmac.c,v 1.2 2016/09/26 14:50:54 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: aesxcbcmac.c,v 1.3 2020/06/29 23:34:48 riastradh Exp $"); #include <sys/param.h> #include <sys/systm.h> -#include <crypto/rijndael/rijndael.h> + +#include <crypto/aes/aes.h> #include <opencrypto/aesxcbcmac.h> @@ -47,24 +48,31 @@ aes_xcbc_mac_init(void *vctx, const uint { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 }; static const uint8_t k3seed[AES_BLOCKSIZE] = { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 }; - u_int32_t r_ks[(RIJNDAEL_MAXNR+1)*4]; + struct aesenc r_ks; aesxcbc_ctx *ctx; uint8_t k1[AES_BLOCKSIZE]; ctx = vctx; memset(ctx, 0, sizeof(*ctx)); - if ((ctx->r_nr = rijndaelKeySetupEnc(r_ks, key, keylen * 8)) == 0) - return -1; - rijndaelEncrypt(r_ks, ctx->r_nr, k1seed, k1); - rijndaelEncrypt(r_ks, ctx->r_nr, k2seed, ctx->k2); - rijndaelEncrypt(r_ks, ctx->r_nr, k3seed, ctx->k3); - if (rijndaelKeySetupEnc(ctx->r_k1s, k1, AES_BLOCKSIZE * 8) == 0) - return -1; - if (rijndaelKeySetupEnc(ctx->r_k2s, ctx->k2, AES_BLOCKSIZE * 8) == 0) - return -1; - if (rijndaelKeySetupEnc(ctx->r_k3s, ctx->k3, AES_BLOCKSIZE * 8) == 0) - return -1; + switch (keylen) { + case 16: + ctx->r_nr = aes_setenckey128(&r_ks, key); + break; + case 24: + ctx->r_nr = aes_setenckey192(&r_ks, key); + break; + case 32: + ctx->r_nr = aes_setenckey256(&r_ks, key); + break; + } + aes_enc(&r_ks, k1seed, k1, ctx->r_nr); + aes_enc(&r_ks, k2seed, ctx->k2, ctx->r_nr); + aes_enc(&r_ks, k3seed, ctx->k3, ctx->r_nr); + aes_setenckey128(&ctx->r_k1s, k1); + + explicit_memset(&r_ks, 0, sizeof(r_ks)); + explicit_memset(k1, 0, sizeof(k1)); return 0; } @@ -83,7 +91,7 @@ aes_xcbc_mac_loop(void *vctx, const uint if (ctx->buflen == sizeof(ctx->buf)) { for (i = 0; i < sizeof(ctx->e); i++) ctx->buf[i] ^= ctx->e[i]; - rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e); + aes_enc(&ctx->r_k1s, ctx->buf, ctx->e, ctx->r_nr); ctx->buflen = 0; } if (ctx->buflen + len < sizeof(ctx->buf)) { @@ -96,7 +104,7 @@ aes_xcbc_mac_loop(void *vctx, const uint sizeof(ctx->buf) - ctx->buflen); for (i = 0; i < sizeof(ctx->e); i++) ctx->buf[i] ^= ctx->e[i]; - rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e); + aes_enc(&ctx->r_k1s, ctx->buf, ctx->e, ctx->r_nr); addr += sizeof(ctx->buf) - ctx->buflen; ctx->buflen = 0; } @@ -105,7 +113,7 @@ aes_xcbc_mac_loop(void *vctx, const uint memcpy(buf, addr, AES_BLOCKSIZE); for (i = 0; i < sizeof(buf); i++) buf[i] ^= ctx->e[i]; - rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, buf, ctx->e); + aes_enc(&ctx->r_k1s, buf, ctx->e, ctx->r_nr); addr += AES_BLOCKSIZE; } if (addr < ep) { @@ -129,7 +137,7 @@ aes_xcbc_mac_result(uint8_t *addr, void ctx->buf[i] ^= ctx->e[i]; ctx->buf[i] ^= ctx->k2[i]; } - rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest); + aes_enc(&ctx->r_k1s, ctx->buf, digest, ctx->r_nr); } else { for (i = ctx->buflen; i < sizeof(ctx->buf); i++) ctx->buf[i] = (i == ctx->buflen) ? 0x80 : 0x00; @@ -137,7 +145,7 @@ aes_xcbc_mac_result(uint8_t *addr, void ctx->buf[i] ^= ctx->e[i]; ctx->buf[i] ^= ctx->k3[i]; } - rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest); + aes_enc(&ctx->r_k1s, ctx->buf, digest, ctx->r_nr); } memcpy(addr, digest, sizeof(digest)); Index: src/sys/opencrypto/gmac.h diff -u src/sys/opencrypto/gmac.h:1.2 src/sys/opencrypto/gmac.h:1.3 --- src/sys/opencrypto/gmac.h:1.2 Thu Jun 9 14:47:42 2011 +++ src/sys/opencrypto/gmac.h Mon Jun 29 23:34:48 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: gmac.h,v 1.2 2011/06/09 14:47:42 drochner Exp $ */ +/* $NetBSD: gmac.h,v 1.3 2020/06/29 23:34:48 riastradh Exp $ */ /* OpenBSD: gmac.h,v 1.1 2010/09/22 11:54:23 mikeb Exp */ /* @@ -20,7 +20,7 @@ #ifndef _GMAC_H_ #define _GMAC_H_ -#include <crypto/rijndael/rijndael.h> +#include <crypto/aes/aes.h> #define GMAC_BLOCK_LEN 16 #define GMAC_DIGEST_LEN 16 @@ -41,7 +41,7 @@ typedef struct _GHASH_CTX { typedef struct _AES_GMAC_CTX { GHASH_CTX ghash; - uint32_t K[4*(RIJNDAEL_MAXNR + 1)]; + struct aesenc K; uint8_t J[GMAC_BLOCK_LEN]; /* counter block */ int rounds; } AES_GMAC_CTX; Index: src/sys/opencrypto/aesxcbcmac.h diff -u src/sys/opencrypto/aesxcbcmac.h:1.1 src/sys/opencrypto/aesxcbcmac.h:1.2 --- src/sys/opencrypto/aesxcbcmac.h:1.1 Tue May 24 19:10:09 2011 +++ src/sys/opencrypto/aesxcbcmac.h Mon Jun 29 23:34:48 2020 @@ -1,4 +1,7 @@ -/* $NetBSD: aesxcbcmac.h,v 1.1 2011/05/24 19:10:09 drochner Exp $ */ +/* $NetBSD: aesxcbcmac.h,v 1.2 2020/06/29 23:34:48 riastradh Exp $ */ + +#ifndef _OPENCRYPTO_AESXCBCMAC_H +#define _OPENCRYPTO_AESXCBCMAC_H #include <sys/types.h> @@ -8,9 +11,7 @@ typedef struct { u_int8_t e[AES_BLOCKSIZE]; u_int8_t buf[AES_BLOCKSIZE]; size_t buflen; - u_int32_t r_k1s[(RIJNDAEL_MAXNR+1)*4]; - u_int32_t r_k2s[(RIJNDAEL_MAXNR+1)*4]; - u_int32_t r_k3s[(RIJNDAEL_MAXNR+1)*4]; + struct aesenc r_k1s; int r_nr; /* key-length-dependent number of rounds */ u_int8_t k2[AES_BLOCKSIZE]; u_int8_t k3[AES_BLOCKSIZE]; @@ -19,3 +20,5 @@ typedef struct { int aes_xcbc_mac_init(void *, const u_int8_t *, u_int16_t); int aes_xcbc_mac_loop(void *, const u_int8_t *, u_int16_t); void aes_xcbc_mac_result(u_int8_t *, void *); + +#endif /* _OPENCRYPTO_AESXCBCMAC_H */ Index: src/sys/opencrypto/cryptosoft.c diff -u src/sys/opencrypto/cryptosoft.c:1.55 src/sys/opencrypto/cryptosoft.c:1.56 --- src/sys/opencrypto/cryptosoft.c:1.55 Sun Jun 14 23:23:55 2020 +++ src/sys/opencrypto/cryptosoft.c Mon Jun 29 23:34:48 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: cryptosoft.c,v 1.55 2020/06/14 23:23:55 riastradh Exp $ */ +/* $NetBSD: cryptosoft.c,v 1.56 2020/06/29 23:34:48 riastradh Exp $ */ /* $FreeBSD: src/sys/opencrypto/cryptosoft.c,v 1.2.2.1 2002/11/21 23:34:23 sam Exp $ */ /* $OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $ */ @@ -24,7 +24,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: cryptosoft.c,v 1.55 2020/06/14 23:23:55 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: cryptosoft.c,v 1.56 2020/06/29 23:34:48 riastradh Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -831,8 +831,8 @@ swcr_newsession(void *arg, u_int32_t *si case CRYPTO_SKIPJACK_CBC: txf = &swcr_enc_xform_skipjack; goto enccommon; - case CRYPTO_RIJNDAEL128_CBC: - txf = &swcr_enc_xform_rijndael128; + case CRYPTO_AES_CBC: + txf = &swcr_enc_xform_aes; goto enccommon; case CRYPTO_CAMELLIA_CBC: txf = &swcr_enc_xform_camellia; @@ -890,15 +890,13 @@ swcr_newsession(void *arg, u_int32_t *si axf = &swcr_auth_hash_hmac_ripemd_160_96; goto authcommon; /* leave this for safety */ authcommon: - (*swd)->sw_ictx = malloc(axf->ctxsize, - M_CRYPTO_DATA, M_NOWAIT); + (*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP); if ((*swd)->sw_ictx == NULL) { swcr_freesession(NULL, i); return ENOBUFS; } - (*swd)->sw_octx = malloc(axf->ctxsize, - M_CRYPTO_DATA, M_NOWAIT); + (*swd)->sw_octx = kmem_alloc(axf->ctxsize, KM_NOSLEEP); if ((*swd)->sw_octx == NULL) { swcr_freesession(NULL, i); return ENOBUFS; @@ -936,16 +934,15 @@ swcr_newsession(void *arg, u_int32_t *si CTASSERT(SHA1_DIGEST_LENGTH >= MD5_DIGEST_LENGTH); axf = &swcr_auth_hash_key_sha1; auth2common: - (*swd)->sw_ictx = malloc(axf->ctxsize, - M_CRYPTO_DATA, M_NOWAIT); + (*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP); if ((*swd)->sw_ictx == NULL) { swcr_freesession(NULL, i); return ENOBUFS; } /* Store the key so we can "append" it to the payload */ - (*swd)->sw_octx = malloc(cri->cri_klen / 8, M_CRYPTO_DATA, - M_NOWAIT); + (*swd)->sw_octx = kmem_alloc(cri->cri_klen / 8, + KM_NOSLEEP); if ((*swd)->sw_octx == NULL) { swcr_freesession(NULL, i); return ENOBUFS; @@ -968,8 +965,7 @@ swcr_newsession(void *arg, u_int32_t *si case CRYPTO_SHA1: axf = &swcr_auth_hash_sha1; auth3common: - (*swd)->sw_ictx = malloc(axf->ctxsize, - M_CRYPTO_DATA, M_NOWAIT); + (*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP); if ((*swd)->sw_ictx == NULL) { swcr_freesession(NULL, i); return ENOBUFS; @@ -991,8 +987,7 @@ swcr_newsession(void *arg, u_int32_t *si case CRYPTO_AES_256_GMAC: axf = &swcr_auth_hash_gmac_aes_256; auth4common: - (*swd)->sw_ictx = malloc(axf->ctxsize, - M_CRYPTO_DATA, M_NOWAIT); + (*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP); if ((*swd)->sw_ictx == NULL) { swcr_freesession(NULL, i); return ENOBUFS; @@ -1057,7 +1052,7 @@ swcr_freesession(void *arg, u_int64_t ti case CRYPTO_BLF_CBC: case CRYPTO_CAST_CBC: case CRYPTO_SKIPJACK_CBC: - case CRYPTO_RIJNDAEL128_CBC: + case CRYPTO_AES_CBC: case CRYPTO_CAMELLIA_CBC: case CRYPTO_AES_CTR: case CRYPTO_AES_GCM_16: @@ -1083,11 +1078,11 @@ swcr_freesession(void *arg, u_int64_t ti if (swd->sw_ictx) { explicit_memset(swd->sw_ictx, 0, axf->ctxsize); - free(swd->sw_ictx, M_CRYPTO_DATA); + kmem_free(swd->sw_ictx, axf->ctxsize); } if (swd->sw_octx) { explicit_memset(swd->sw_octx, 0, axf->ctxsize); - free(swd->sw_octx, M_CRYPTO_DATA); + kmem_free(swd->sw_octx, axf->ctxsize); } break; @@ -1097,11 +1092,11 @@ swcr_freesession(void *arg, u_int64_t ti if (swd->sw_ictx) { explicit_memset(swd->sw_ictx, 0, axf->ctxsize); - free(swd->sw_ictx, M_CRYPTO_DATA); + kmem_free(swd->sw_ictx, axf->ctxsize); } if (swd->sw_octx) { explicit_memset(swd->sw_octx, 0, swd->sw_klen); - free(swd->sw_octx, M_CRYPTO_DATA); + kmem_free(swd->sw_octx, axf->ctxsize); } break; @@ -1115,7 +1110,7 @@ swcr_freesession(void *arg, u_int64_t ti if (swd->sw_ictx) { explicit_memset(swd->sw_ictx, 0, axf->ctxsize); - free(swd->sw_ictx, M_CRYPTO_DATA); + kmem_free(swd->sw_ictx, axf->ctxsize); } break; @@ -1193,7 +1188,7 @@ swcr_process(void *arg, struct cryptop * case CRYPTO_BLF_CBC: case CRYPTO_CAST_CBC: case CRYPTO_SKIPJACK_CBC: - case CRYPTO_RIJNDAEL128_CBC: + case CRYPTO_AES_CBC: case CRYPTO_CAMELLIA_CBC: case CRYPTO_AES_CTR: if ((crp->crp_etype = swcr_encdec(crd, sw, @@ -1294,7 +1289,7 @@ swcr_init(void) REGISTER(CRYPTO_AES_128_GMAC); REGISTER(CRYPTO_AES_192_GMAC); REGISTER(CRYPTO_AES_256_GMAC); - REGISTER(CRYPTO_RIJNDAEL128_CBC); + REGISTER(CRYPTO_AES_CBC); REGISTER(CRYPTO_DEFLATE_COMP); REGISTER(CRYPTO_DEFLATE_COMP_NOGROW); REGISTER(CRYPTO_GZIP_COMP); Index: src/sys/opencrypto/cryptosoft_xform.c diff -u src/sys/opencrypto/cryptosoft_xform.c:1.28 src/sys/opencrypto/cryptosoft_xform.c:1.29 --- src/sys/opencrypto/cryptosoft_xform.c:1.28 Sat Oct 12 00:49:30 2019 +++ src/sys/opencrypto/cryptosoft_xform.c Mon Jun 29 23:34:48 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: cryptosoft_xform.c,v 1.28 2019/10/12 00:49:30 christos Exp $ */ +/* $NetBSD: cryptosoft_xform.c,v 1.29 2020/06/29 23:34:48 riastradh Exp $ */ /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ @@ -40,23 +40,24 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.28 2019/10/12 00:49:30 christos Exp $"); +__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.29 2020/06/29 23:34:48 riastradh Exp $"); +#include <sys/cprng.h> +#include <sys/kmem.h> +#include <sys/md5.h> +#include <sys/rmd160.h> +#include <sys/sha1.h> +#include <sys/sha2.h> + +#include <crypto/aes/aes.h> #include <crypto/blowfish/blowfish.h> +#include <crypto/camellia/camellia.h> #include <crypto/cast128/cast128.h> #include <crypto/des/des.h> -#include <crypto/rijndael/rijndael.h> #include <crypto/skipjack/skipjack.h> -#include <crypto/camellia/camellia.h> -#include <opencrypto/deflate.h> - -#include <sys/md5.h> -#include <sys/rmd160.h> -#include <sys/sha1.h> -#include <sys/sha2.h> -#include <sys/cprng.h> #include <opencrypto/aesxcbcmac.h> +#include <opencrypto/deflate.h> #include <opencrypto/gmac.h> struct swcr_auth_hash { @@ -94,7 +95,7 @@ static int des3_setkey(u_int8_t **, cons static int blf_setkey(u_int8_t **, const u_int8_t *, int); static int cast5_setkey(u_int8_t **, const u_int8_t *, int); static int skipjack_setkey(u_int8_t **, const u_int8_t *, int); -static int rijndael128_setkey(u_int8_t **, const u_int8_t *, int); +static int aes_setkey(u_int8_t **, const u_int8_t *, int); static int cml_setkey(u_int8_t **, const u_int8_t *, int); static int aes_ctr_setkey(u_int8_t **, const u_int8_t *, int); static int aes_gmac_setkey(u_int8_t **, const u_int8_t *, int); @@ -103,14 +104,14 @@ static void des3_encrypt(void *, u_int8_ static void blf_encrypt(void *, u_int8_t *); static void cast5_encrypt(void *, u_int8_t *); static void skipjack_encrypt(void *, u_int8_t *); -static void rijndael128_encrypt(void *, u_int8_t *); +static void aes_encrypt(void *, u_int8_t *); static void cml_encrypt(void *, u_int8_t *); static void des1_decrypt(void *, u_int8_t *); static void des3_decrypt(void *, u_int8_t *); static void blf_decrypt(void *, u_int8_t *); static void cast5_decrypt(void *, u_int8_t *); static void skipjack_decrypt(void *, u_int8_t *); -static void rijndael128_decrypt(void *, u_int8_t *); +static void aes_decrypt(void *, u_int8_t *); static void cml_decrypt(void *, u_int8_t *); static void aes_ctr_crypt(void *, u_int8_t *); static void des1_zerokey(u_int8_t **); @@ -118,7 +119,7 @@ static void des3_zerokey(u_int8_t **); static void blf_zerokey(u_int8_t **); static void cast5_zerokey(u_int8_t **); static void skipjack_zerokey(u_int8_t **); -static void rijndael128_zerokey(u_int8_t **); +static void aes_zerokey(u_int8_t **); static void cml_zerokey(u_int8_t **); static void aes_ctr_zerokey(u_int8_t **); static void aes_gmac_zerokey(u_int8_t **); @@ -204,12 +205,12 @@ static const struct swcr_enc_xform swcr_ NULL }; -static const struct swcr_enc_xform swcr_enc_xform_rijndael128 = { +static const struct swcr_enc_xform swcr_enc_xform_aes = { &enc_xform_rijndael128, - rijndael128_encrypt, - rijndael128_decrypt, - rijndael128_setkey, - rijndael128_zerokey, + aes_encrypt, + aes_decrypt, + aes_setkey, + aes_zerokey, NULL }; @@ -599,38 +600,68 @@ skipjack_zerokey(u_int8_t **sched) *sched = NULL; } +struct aes_ctx { + struct aesenc enc; + struct aesdec dec; + uint32_t nr; +}; + static void -rijndael128_encrypt(void *key, u_int8_t *blk) +aes_encrypt(void *key, u_int8_t *blk) { - rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); + struct aes_ctx *ctx = key; + + aes_enc(&ctx->enc, blk, blk, ctx->nr); } static void -rijndael128_decrypt(void *key, u_int8_t *blk) +aes_decrypt(void *key, u_int8_t *blk) { - rijndael_decrypt((rijndael_ctx *) key, (u_char *) blk, - (u_char *) blk); + struct aes_ctx *ctx = key; + + aes_dec(&ctx->dec, blk, blk, ctx->nr); } static int -rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len) +aes_setkey(u_int8_t **sched, const u_int8_t *key, int len) { + struct aes_ctx *ctx; if (len != 16 && len != 24 && len != 32) return EINVAL; - *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, - M_NOWAIT|M_ZERO); - if (*sched == NULL) + ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); + if (ctx == NULL) return ENOMEM; - rijndael_set_key((rijndael_ctx *) *sched, key, len * 8); + + switch (len) { + case 16: + aes_setenckey128(&ctx->enc, key); + aes_setdeckey128(&ctx->dec, key); + ctx->nr = AES_128_NROUNDS; + break; + case 24: + aes_setenckey192(&ctx->enc, key); + aes_setdeckey192(&ctx->dec, key); + ctx->nr = AES_192_NROUNDS; + break; + case 32: + aes_setenckey256(&ctx->enc, key); + aes_setdeckey256(&ctx->dec, key); + ctx->nr = AES_256_NROUNDS; + break; + } + + *sched = (void *)ctx; return 0; } static void -rijndael128_zerokey(u_int8_t **sched) +aes_zerokey(u_int8_t **sched) { - memset(*sched, 0, sizeof(rijndael_ctx)); - free(*sched, M_CRYPTO_DATA); + struct aes_ctx *ctx = (void *)*sched; + + explicit_memset(ctx, 0, sizeof(*ctx)); + kmem_free(ctx, sizeof(*ctx)); *sched = NULL; } @@ -678,7 +709,7 @@ cml_zerokey(u_int8_t **sched) struct aes_ctr_ctx { /* need only encryption half */ - u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)]; + struct aesenc ac_ek; u_int8_t ac_block[AESCTR_BLOCKSIZE]; int ac_nr; struct { @@ -699,10 +730,10 @@ aes_ctr_crypt(void *key, u_int8_t *blk) i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) if (++ctx->ac_block[i]) /* continue on overflow */ break; - rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); + aes_enc(&ctx->ac_ek, ctx->ac_block, keystream, ctx->ac_nr); for (i = 0; i < AESCTR_BLOCKSIZE; i++) blk[i] ^= keystream[i]; - memset(keystream, 0, sizeof(keystream)); + explicit_memset(keystream, 0, sizeof(keystream)); } int @@ -713,13 +744,20 @@ aes_ctr_setkey(u_int8_t **sched, const u if (len < AESCTR_NONCESIZE) return EINVAL; - ctx = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA, - M_NOWAIT|M_ZERO); + ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); if (!ctx) return ENOMEM; - ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (const u_char *)key, - (len - AESCTR_NONCESIZE) * 8); - if (!ctx->ac_nr) { /* wrong key len */ + switch (len) { + case 16 + AESCTR_NONCESIZE: + ctx->ac_nr = aes_setenckey128(&ctx->ac_ek, key); + break; + case 24 + AESCTR_NONCESIZE: + ctx->ac_nr = aes_setenckey192(&ctx->ac_ek, key); + break; + case 32 + AESCTR_NONCESIZE: + ctx->ac_nr = aes_setenckey256(&ctx->ac_ek, key); + break; + default: aes_ctr_zerokey((u_int8_t **)&ctx); return EINVAL; } @@ -733,9 +771,10 @@ aes_ctr_setkey(u_int8_t **sched, const u void aes_ctr_zerokey(u_int8_t **sched) { + struct aes_ctr_ctx *ctx = (void *)*sched; - memset(*sched, 0, sizeof(struct aes_ctr_ctx)); - free(*sched, M_CRYPTO_DATA); + explicit_memset(ctx, 0, sizeof(*ctx)); + kmem_free(ctx, sizeof(*ctx)); *sched = NULL; } @@ -783,8 +822,7 @@ aes_gmac_setkey(u_int8_t **sched, const { struct aes_gmac_ctx *ctx; - ctx = malloc(sizeof(struct aes_gmac_ctx), M_CRYPTO_DATA, - M_NOWAIT|M_ZERO); + ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); if (!ctx) return ENOMEM; @@ -797,8 +835,9 @@ aes_gmac_setkey(u_int8_t **sched, const void aes_gmac_zerokey(u_int8_t **sched) { + struct aes_gmac_ctx *ctx = (void *)*sched; - free(*sched, M_CRYPTO_DATA); + kmem_free(ctx, sizeof(*ctx)); *sched = NULL; } Index: src/sys/opencrypto/files.opencrypto diff -u src/sys/opencrypto/files.opencrypto:1.29 src/sys/opencrypto/files.opencrypto:1.30 --- src/sys/opencrypto/files.opencrypto:1.29 Wed Apr 22 09:15:40 2020 +++ src/sys/opencrypto/files.opencrypto Mon Jun 29 23:34:48 2020 @@ -1,4 +1,4 @@ -# $NetBSD: files.opencrypto,v 1.29 2020/04/22 09:15:40 rin Exp $ +# $NetBSD: files.opencrypto,v 1.30 2020/06/29 23:34:48 riastradh Exp $ # # @@ -7,7 +7,7 @@ # that use the opencrypto framework, should list opencrypto as a dependency # to pull in the framework. -define opencrypto: rijndael +define opencrypto: aes file opencrypto/criov.c opencrypto file opencrypto/xform.c opencrypto file opencrypto/crypto.c opencrypto Index: src/sys/opencrypto/xform.c diff -u src/sys/opencrypto/xform.c:1.29 src/sys/opencrypto/xform.c:1.30 --- src/sys/opencrypto/xform.c:1.29 Thu Jul 6 08:27:07 2017 +++ src/sys/opencrypto/xform.c Mon Jun 29 23:34:48 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.c,v 1.29 2017/07/06 08:27:07 ozaki-r Exp $ */ +/* $NetBSD: xform.c,v 1.30 2020/06/29 23:34:48 riastradh Exp $ */ /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ @@ -40,7 +40,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform.c,v 1.29 2017/07/06 08:27:07 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform.c,v 1.30 2020/06/29 23:34:48 riastradh Exp $"); #include <sys/param.h> #include <sys/malloc.h> @@ -145,8 +145,8 @@ const struct enc_xform enc_xform_skipjac }; const struct enc_xform enc_xform_rijndael128 = { - .type = CRYPTO_RIJNDAEL128_CBC, - .name = "Rijndael-128/AES", + .type = CRYPTO_AES_CBC, + .name = "AES", .blocksize = 16, .ivsize = 16, .minkey = 16, Index: src/sys/opencrypto/gmac.c diff -u src/sys/opencrypto/gmac.c:1.3 src/sys/opencrypto/gmac.c:1.4 --- src/sys/opencrypto/gmac.c:1.3 Thu Jun 9 14:47:42 2011 +++ src/sys/opencrypto/gmac.c Mon Jun 29 23:34:48 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: gmac.c,v 1.3 2011/06/09 14:47:42 drochner Exp $ */ +/* $NetBSD: gmac.c,v 1.4 2020/06/29 23:34:48 riastradh Exp $ */ /* OpenBSD: gmac.c,v 1.3 2011/01/11 15:44:23 deraadt Exp */ /* @@ -26,7 +26,8 @@ #include <sys/param.h> #include <sys/systm.h> -#include <crypto/rijndael/rijndael.h> +#include <crypto/aes/aes.h> + #include <opencrypto/gmac.h> void ghash_gfmul(const GMAC_INT *, const GMAC_INT *, GMAC_INT *); @@ -114,13 +115,25 @@ AES_GMAC_Setkey(AES_GMAC_CTX *ctx, const { int i; - ctx->rounds = rijndaelKeySetupEnc(ctx->K, (const u_char *)key, - (klen - AESCTR_NONCESIZE) * 8); + switch (klen) { + case 16 + AESCTR_NONCESIZE: + ctx->rounds = aes_setenckey128(&ctx->K, key); + break; + case 24 + AESCTR_NONCESIZE: + ctx->rounds = aes_setenckey192(&ctx->K, key); + break; + case 32 + AESCTR_NONCESIZE: + ctx->rounds = aes_setenckey256(&ctx->K, key); + break; + default: + panic("invalid AES_GMAC_Setkey length in bytes: %u", + (unsigned)klen); + } /* copy out salt to the counter block */ memcpy(ctx->J, key + klen - AESCTR_NONCESIZE, AESCTR_NONCESIZE); /* prepare a hash subkey */ - rijndaelEncrypt(ctx->K, ctx->rounds, (void *)ctx->ghash.H, - (void *)ctx->ghash.H); + aes_enc(&ctx->K, (const void *)ctx->ghash.H, (void *)ctx->ghash.H, + ctx->rounds); #if GMAC_INTLEN == 8 for (i = 0; i < 2; i++) ctx->ghash.H[i] = be64toh(ctx->ghash.H[i]); @@ -163,7 +176,7 @@ AES_GMAC_Final(uint8_t digest[GMAC_DIGES /* do one round of GCTR */ ctx->J[GMAC_BLOCK_LEN - 1] = 1; - rijndaelEncrypt(ctx->K, ctx->rounds, ctx->J, keystream); + aes_enc(&ctx->K, ctx->J, keystream, ctx->rounds); k = keystream; d = digest; #if GMAC_INTLEN == 8