Module Name: src Committed By: drochner Date: Thu May 26 21:50:03 UTC 2011
Modified Files: src/crypto/dist/ipsec-tools/src/libipsec: pfkey_dump.c src/crypto/dist/ipsec-tools/src/setkey: token.l src/sys/net: pfkeyv2.h src/sys/netipsec: xform_esp.c src/sys/opencrypto: cryptodev.h cryptosoft.c cryptosoft_xform.c files.opencrypto xform.c xform.h src/usr.bin/netstat: fast_ipsec.c Added Files: src/sys/opencrypto: gmac.c gmac.h Log Message: pull in AES-GCM/GMAC support from OpenBSD This is still somewhat experimental. Tested between 2 similar boxes so far. There is much potential for performance improvement. For now, I've changed the gmac code to accept any data alignment, as the "char *" pointer suggests. As the code is practically used, 32-bit alignment can be assumed, at the cost of data copies. I don't know whether bytewise access or copies are worse performance-wise. For efficient implementations using SSE2 instructions on x86, even stricter alignment requirements might arise. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 \ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/setkey/token.l cvs rdiff -u -r1.28 -r1.29 src/sys/net/pfkeyv2.h cvs rdiff -u -r1.37 -r1.38 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.23 -r1.24 src/sys/opencrypto/cryptodev.h \ src/sys/opencrypto/files.opencrypto cvs rdiff -u -r1.36 -r1.37 src/sys/opencrypto/cryptosoft.c cvs rdiff -u -r1.22 -r1.23 src/sys/opencrypto/cryptosoft_xform.c cvs rdiff -u -r0 -r1.1 src/sys/opencrypto/gmac.c src/sys/opencrypto/gmac.h cvs rdiff -u -r1.27 -r1.28 src/sys/opencrypto/xform.c cvs rdiff -u -r1.18 -r1.19 src/sys/opencrypto/xform.h cvs rdiff -u -r1.16 -r1.17 src/usr.bin/netstat/fast_ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.18 src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.19 --- src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.18 Fri Dec 3 14:32:52 2010 +++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Thu May 26 21:50:02 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pfkey_dump.c,v 1.18 2010/12/03 14:32:52 tteras Exp $ */ +/* $NetBSD: pfkey_dump.c,v 1.19 2011/05/26 21:50:02 drochner Exp $ */ /* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */ @@ -197,6 +197,12 @@ #ifdef SADB_X_EALG_AESCTR { SADB_X_EALG_AESCTR, "aes-ctr", }, #endif +#ifdef SADB_X_EALG_AESGCM16 + { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, +#endif +#ifdef SADB_X_EALG_AESGMAC + { SADB_X_EALG_AESGMAC, "aes-gmac", }, +#endif #ifdef SADB_X_EALG_CAMELLIACBC { SADB_X_EALG_CAMELLIACBC, "camellia-cbc", }, #endif Index: src/crypto/dist/ipsec-tools/src/setkey/token.l diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.15 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.16 --- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.15 Fri Jun 4 13:06:03 2010 +++ src/crypto/dist/ipsec-tools/src/setkey/token.l Thu May 26 21:50:02 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: token.l,v 1.15 2010/06/04 13:06:03 vanhu Exp $ */ +/* $NetBSD: token.l,v 1.16 2011/05/26 21:50:02 drochner Exp $ */ /* $KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $ */ @@ -223,6 +223,16 @@ yylval.num = SADB_X_EALG_CAMELLIACBC; BEGIN INITIAL; return(ALG_ENC); #endif } +<S_ENCALG>aes-gcm-16 { +#ifdef SADB_X_EALG_AESGCM16 + yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC); +#endif +} +<S_ENCALG>aes-gmac { +#ifdef SADB_X_EALG_AESGMAC + yylval.num = SADB_X_EALG_AESGMAC; BEGIN INITIAL; return(ALG_ENC); +#endif +} /* compression algorithms */ {hyphen}C { return(F_COMP); } Index: src/sys/net/pfkeyv2.h diff -u src/sys/net/pfkeyv2.h:1.28 src/sys/net/pfkeyv2.h:1.29 --- src/sys/net/pfkeyv2.h:1.28 Thu May 5 17:46:48 2011 +++ src/sys/net/pfkeyv2.h Thu May 26 21:50:02 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pfkeyv2.h,v 1.28 2011/05/05 17:46:48 drochner Exp $ */ +/* $NetBSD: pfkeyv2.h,v 1.29 2011/05/26 21:50:02 drochner Exp $ */ /* $KAME: pfkeyv2.h,v 1.36 2003/07/25 09:33:37 itojun Exp $ */ /* @@ -351,7 +351,10 @@ #define SADB_X_AALG_SHA2_384 6 #define SADB_X_AALG_SHA2_512 7 #define SADB_X_AALG_RIPEMD160HMAC 8 -#define SADB_X_AALG_AES_XCBC_MAC 9 /* draft-ietf-ipsec-ciph-aes-xcbc-mac-04 */ +#define SADB_X_AALG_AES_XCBC_MAC 9 /* RFC3566 */ +#define SADB_X_AALG_AES128GMAC 11 /* RFC4543 + Errata1821 */ +#define SADB_X_AALG_AES192GMAC 12 +#define SADB_X_AALG_AES256GMAC 13 /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_AALG_MD5 249 /* Keyed MD5 */ #define SADB_X_AALG_SHA 250 /* Keyed SHA */ @@ -369,9 +372,12 @@ #define SADB_X_EALG_BLOWFISHCBC 7 #define SADB_X_EALG_RIJNDAELCBC 12 #define SADB_X_EALG_AES 12 -#define SADB_X_EALG_AESCTR 13 -/* private allocations - based on RFC4312/IANA assignment */ -#define SADB_X_EALG_CAMELLIACBC 22 +#define SADB_X_EALG_AESCTR 13 /* RFC3686 */ +#define SADB_X_EALG_AESGCM8 18 /* RFC4106 */ +#define SADB_X_EALG_AESGCM12 19 +#define SADB_X_EALG_AESGCM16 20 +#define SADB_X_EALG_CAMELLIACBC 22 /* RFC4312 */ +#define SADB_X_EALG_AESGMAC 23 /* RFC4543 + Errata1821 */ /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_EALG_SKIPJACK 250 Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.37 src/sys/netipsec/xform_esp.c:1.38 --- src/sys/netipsec/xform_esp.c:1.37 Mon May 23 15:17:25 2011 +++ src/sys/netipsec/xform_esp.c Thu May 26 21:50:02 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.37 2011/05/23 15:17:25 drochner Exp $ */ +/* $NetBSD: xform_esp.c,v 1.38 2011/05/26 21:50:02 drochner Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.37 2011/05/23 15:17:25 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.38 2011/05/26 21:50:02 drochner Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -132,6 +132,10 @@ return &enc_xform_camellia; case SADB_X_EALG_AESCTR: return &enc_xform_aes_ctr; + case SADB_X_EALG_AESGCM16: + return &enc_xform_aes_gcm; + case SADB_X_EALG_AESGMAC: + return &enc_xform_aes_gmac; case SADB_EALG_NULL: return &enc_xform_null; } @@ -219,6 +223,28 @@ sav->tdb_xform = xsp; sav->tdb_encalgxform = txform; + if (sav->alg_enc == SADB_X_EALG_AESGCM16 || + sav->alg_enc == SADB_X_EALG_AESGMAC) { + switch (keylen) { + case 20: + sav->alg_auth = SADB_X_AALG_AES128GMAC; + sav->tdb_authalgxform = &auth_hash_gmac_aes_128; + break; + case 28: + sav->alg_auth = SADB_X_AALG_AES192GMAC; + sav->tdb_authalgxform = &auth_hash_gmac_aes_192; + break; + case 36: + sav->alg_auth = SADB_X_AALG_AES256GMAC; + sav->tdb_authalgxform = &auth_hash_gmac_aes_256; + break; + } + memset(&cria, 0, sizeof(cria)); + cria.cri_alg = sav->tdb_authalgxform->type; + cria.cri_klen = _KEYBITS(sav->key_enc); + cria.cri_key = _KEYBUF(sav->key_enc); + } + /* Initialize crypto session. */ memset(&crie, 0, sizeof (crie)); crie.cri_alg = sav->tdb_encalgxform->type; @@ -381,12 +407,21 @@ /* Authentication descriptor */ crda->crd_skip = skip; - crda->crd_len = m->m_pkthdr.len - (skip + alen); + if (espx && espx->type == CRYPTO_AES_GCM_16) + crda->crd_len = hlen - sav->ivlen; + else + crda->crd_len = m->m_pkthdr.len - (skip + alen); crda->crd_inject = m->m_pkthdr.len - alen; crda->crd_alg = esph->type; - crda->crd_key = _KEYBUF(sav->key_auth); - crda->crd_klen = _KEYBITS(sav->key_auth); + if (espx && (espx->type == CRYPTO_AES_GCM_16 || + espx->type == CRYPTO_AES_GMAC)) { + crda->crd_key = _KEYBUF(sav->key_enc); + crda->crd_klen = _KEYBITS(sav->key_enc); + } else { + crda->crd_key = _KEYBUF(sav->key_auth); + crda->crd_klen = _KEYBITS(sav->key_auth); + } /* Copy the authenticator */ if (mtag == NULL) @@ -418,7 +453,10 @@ if (espx) { IPSEC_ASSERT(crde != NULL, ("esp_input: null esp crypto descriptor")); crde->crd_skip = skip + hlen; - crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); + if (espx->type == CRYPTO_AES_GMAC) + crde->crd_len = 0; + else + crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); crde->crd_inject = skip + hlen - sav->ivlen; crde->crd_alg = espx->type; @@ -856,7 +894,10 @@ /* Encryption descriptor. */ crde->crd_skip = skip + hlen; - crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); + if (espx->type == CRYPTO_AES_GMAC) + crde->crd_len = 0; + else + crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); crde->crd_flags = CRD_F_ENCRYPT; crde->crd_inject = skip + hlen - sav->ivlen; @@ -896,13 +937,22 @@ if (esph) { /* Authentication descriptor. */ crda->crd_skip = skip; - crda->crd_len = m->m_pkthdr.len - (skip + alen); + if (espx && espx->type == CRYPTO_AES_GCM_16) + crda->crd_len = hlen - sav->ivlen; + else + crda->crd_len = m->m_pkthdr.len - (skip + alen); crda->crd_inject = m->m_pkthdr.len - alen; /* Authentication operation. */ crda->crd_alg = esph->type; - crda->crd_key = _KEYBUF(sav->key_auth); - crda->crd_klen = _KEYBITS(sav->key_auth); + if (espx && (espx->type == CRYPTO_AES_GCM_16 || + espx->type == CRYPTO_AES_GMAC)) { + crda->crd_key = _KEYBUF(sav->key_enc); + crda->crd_klen = _KEYBITS(sav->key_enc); + } else { + crda->crd_key = _KEYBUF(sav->key_auth); + crda->crd_klen = _KEYBITS(sav->key_auth); + } } return crypto_dispatch(crp); Index: src/sys/opencrypto/cryptodev.h diff -u src/sys/opencrypto/cryptodev.h:1.23 src/sys/opencrypto/cryptodev.h:1.24 --- src/sys/opencrypto/cryptodev.h:1.23 Tue May 24 19:10:09 2011 +++ src/sys/opencrypto/cryptodev.h Thu May 26 21:50:03 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: cryptodev.h,v 1.23 2011/05/24 19:10:09 drochner Exp $ */ +/* $NetBSD: cryptodev.h,v 1.24 2011/05/26 21:50:03 drochner Exp $ */ /* $FreeBSD: src/sys/opencrypto/cryptodev.h,v 1.2.2.6 2003/07/02 17:04:50 sam Exp $ */ /* $OpenBSD: cryptodev.h,v 1.33 2002/07/17 23:52:39 art Exp $ */ @@ -140,7 +140,12 @@ #define CRYPTO_CAMELLIA_CBC 26 #define CRYPTO_AES_CTR 27 #define CRYPTO_AES_XCBC_MAC_96 28 -#define CRYPTO_ALGORITHM_MAX 28 /* Keep updated - see below */ +#define CRYPTO_AES_GCM_16 29 +#define CRYPTO_AES_128_GMAC 30 +#define CRYPTO_AES_192_GMAC 31 +#define CRYPTO_AES_256_GMAC 32 +#define CRYPTO_AES_GMAC 33 +#define CRYPTO_ALGORITHM_MAX 33 /* Keep updated - see below */ /* Algorithm flags */ #define CRYPTO_ALG_FLAG_SUPPORTED 0x01 /* Algorithm is supported */ Index: src/sys/opencrypto/files.opencrypto diff -u src/sys/opencrypto/files.opencrypto:1.23 src/sys/opencrypto/files.opencrypto:1.24 --- src/sys/opencrypto/files.opencrypto:1.23 Tue May 24 19:10:11 2011 +++ src/sys/opencrypto/files.opencrypto Thu May 26 21:50:03 2011 @@ -1,4 +1,4 @@ -# $NetBSD: files.opencrypto,v 1.23 2011/05/24 19:10:11 drochner Exp $ +# $NetBSD: files.opencrypto,v 1.24 2011/05/26 21:50:03 drochner Exp $ # # @@ -19,6 +19,7 @@ file opencrypto/cryptosoft.c swcrypto file opencrypto/deflate.c swcrypto # wrapper around zlib file opencrypto/aesxcbcmac.c swcrypto +file opencrypto/gmac.c swcrypto # Pseudo-device for userspace access to opencrypto # (and thus crypto hardware accelerators). Index: src/sys/opencrypto/cryptosoft.c diff -u src/sys/opencrypto/cryptosoft.c:1.36 src/sys/opencrypto/cryptosoft.c:1.37 --- src/sys/opencrypto/cryptosoft.c:1.36 Tue May 24 19:10:10 2011 +++ src/sys/opencrypto/cryptosoft.c Thu May 26 21:50:03 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: cryptosoft.c,v 1.36 2011/05/24 19:10:10 drochner Exp $ */ +/* $NetBSD: cryptosoft.c,v 1.37 2011/05/26 21:50:03 drochner Exp $ */ /* $FreeBSD: src/sys/opencrypto/cryptosoft.c,v 1.2.2.1 2002/11/21 23:34:23 sam Exp $ */ /* $OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $ */ @@ -24,7 +24,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: cryptosoft.c,v 1.36 2011/05/24 19:10:10 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: cryptosoft.c,v 1.37 2011/05/26 21:50:03 drochner Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -48,6 +48,7 @@ SHA384_CTX sha384ctx; SHA512_CTX sha512ctx; aesxcbc_ctx aesxcbcctx; + AES_GMAC_CTX aesgmacctx; }; struct swcr_data **swcr_sessions = NULL; @@ -63,6 +64,7 @@ static int swcr_encdec(struct cryptodesc *, const struct swcr_data *, void *, int); static int swcr_compdec(struct cryptodesc *, const struct swcr_data *, void *, int, int *); +static int swcr_combined(struct cryptop *, int); static int swcr_process(void *, struct cryptop *, int); static int swcr_newsession(void *, u_int32_t *, struct cryptoini *); static int swcr_freesession(void *, u_int64_t); @@ -562,6 +564,143 @@ } /* + * Apply a combined encryption-authentication transformation + */ +static int +swcr_combined(struct cryptop *crp, int outtype) +{ + uint32_t blkbuf[howmany(EALG_MAX_BLOCK_LEN, sizeof(uint32_t))]; + u_char *blk = (u_char *)blkbuf; + u_char aalg[AALG_MAX_RESULT_LEN]; + u_char iv[EALG_MAX_BLOCK_LEN]; + union authctx ctx; + struct cryptodesc *crd, *crda = NULL, *crde = NULL; + struct swcr_data *sw, *swa, *swe = NULL; + const struct swcr_auth_hash *axf = NULL; + const struct swcr_enc_xform *exf = NULL; + void *buf = (void *)crp->crp_buf; + uint32_t *blkp; + int i, blksz = 0, ivlen = 0, len; + + for (crd = crp->crp_desc; crd; crd = crd->crd_next) { + for (sw = swcr_sessions[crp->crp_sid & 0xffffffff]; + sw && sw->sw_alg != crd->crd_alg; + sw = sw->sw_next) + ; + if (sw == NULL) + return (EINVAL); + + switch (sw->sw_alg) { + case CRYPTO_AES_GCM_16: + case CRYPTO_AES_GMAC: + swe = sw; + crde = crd; + exf = swe->sw_exf; + ivlen = exf->enc_xform->ivsize; + break; + case CRYPTO_AES_128_GMAC: + case CRYPTO_AES_192_GMAC: + case CRYPTO_AES_256_GMAC: + swa = sw; + crda = crd; + axf = swa->sw_axf; + if (swa->sw_ictx == 0) + return (EINVAL); + memcpy(&ctx, swa->sw_ictx, axf->ctxsize); + blksz = axf->auth_hash->blocksize; + break; + default: + return (EINVAL); + } + } + if (crde == NULL || crda == NULL) + return (EINVAL); + if (outtype == CRYPTO_BUF_CONTIG) + return (EINVAL); + + /* Initialize the IV */ + if (crde->crd_flags & CRD_F_ENCRYPT) { + /* IV explicitly provided ? */ + if (crde->crd_flags & CRD_F_IV_EXPLICIT) { + memcpy(iv, crde->crd_iv, ivlen); + if (exf->reinit) + exf->reinit(swe->sw_kschedule, iv, 0); + } else if (exf->reinit) + exf->reinit(swe->sw_kschedule, 0, iv); + else + arc4randbytes(iv, ivlen); + + /* Do we need to write the IV */ + if (!(crde->crd_flags & CRD_F_IV_PRESENT)) + COPYBACK(outtype, buf, crde->crd_inject, ivlen, iv); + + } else { /* Decryption */ + /* IV explicitly provided ? */ + if (crde->crd_flags & CRD_F_IV_EXPLICIT) + memcpy(iv, crde->crd_iv, ivlen); + else { + /* Get IV off buf */ + COPYDATA(outtype, buf, crde->crd_inject, ivlen, iv); + } + if (exf->reinit) + exf->reinit(swe->sw_kschedule, iv, 0); + } + + /* Supply MAC with IV */ + if (axf->Reinit) + axf->Reinit(&ctx, iv, ivlen); + + /* Supply MAC with AAD */ + for (i = 0; i < crda->crd_len; i += blksz) { + len = MIN(crda->crd_len - i, blksz); + COPYDATA(outtype, buf, crda->crd_skip + i, len, blk); + axf->Update(&ctx, blk, len); + } + + /* Do encryption/decryption with MAC */ + for (i = 0; i < crde->crd_len; i += blksz) { + len = MIN(crde->crd_len - i, blksz); + if (len < blksz) + memset(blk, 0, blksz); + COPYDATA(outtype, buf, crde->crd_skip + i, len, blk); + if (crde->crd_flags & CRD_F_ENCRYPT) { + exf->encrypt(swe->sw_kschedule, blk); + axf->Update(&ctx, blk, len); + } else { + axf->Update(&ctx, blk, len); + exf->decrypt(swe->sw_kschedule, blk); + } + COPYBACK(outtype, buf, crde->crd_skip + i, len, blk); + } + + /* Do any required special finalization */ + switch (crda->crd_alg) { + case CRYPTO_AES_128_GMAC: + case CRYPTO_AES_192_GMAC: + case CRYPTO_AES_256_GMAC: + /* length block */ + memset(blk, 0, blksz); + blkp = (uint32_t *)blk + 1; + *blkp = htobe32(crda->crd_len * 8); + blkp = (uint32_t *)blk + 3; + *blkp = htobe32(crde->crd_len * 8); + axf->Update(&ctx, blk, blksz); + break; + } + + /* Finalize MAC */ + axf->Final(aalg, &ctx); + + /* Inject the authentication data */ + if (outtype == CRYPTO_BUF_MBUF) + COPYBACK(outtype, buf, crda->crd_inject, axf->auth_hash->authsize, aalg); + else + memcpy(crp->crp_mac, aalg, axf->auth_hash->authsize); + + return (0); +} + +/* * Apply a compression/decompression algorithm */ static int @@ -710,6 +849,9 @@ case CRYPTO_AES_CTR: txf = &swcr_enc_xform_aes_ctr; goto enccommon; + case CRYPTO_AES_GCM_16: + txf = &swcr_enc_xform_aes_gcm; + goto enccommon; case CRYPTO_NULL_CBC: txf = &swcr_enc_xform_null; goto enccommon; @@ -723,6 +865,11 @@ (*swd)->sw_exf = txf; break; + case CRYPTO_AES_GMAC: + txf = &swcr_enc_xform_aes_gmac; + (*swd)->sw_exf = txf; + break; + case CRYPTO_MD5_HMAC: axf = &swcr_auth_hash_hmac_md5; goto authcommon; @@ -842,6 +989,16 @@ case CRYPTO_AES_XCBC_MAC_96: axf = &swcr_auth_hash_aes_xcbc_mac; + goto auth4common; + case CRYPTO_AES_128_GMAC: + axf = &swcr_auth_hash_gmac_aes_128; + goto auth4common; + case CRYPTO_AES_192_GMAC: + axf = &swcr_auth_hash_gmac_aes_192; + goto auth4common; + case CRYPTO_AES_256_GMAC: + axf = &swcr_auth_hash_gmac_aes_256; + auth4common: (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA, M_NOWAIT); if ((*swd)->sw_ictx == NULL) { @@ -912,6 +1069,7 @@ case CRYPTO_RIJNDAEL128_CBC: case CRYPTO_CAMELLIA_CBC: case CRYPTO_AES_CTR: + case CRYPTO_AES_GCM_16: case CRYPTO_NULL_CBC: txf = swd->sw_exf; @@ -919,6 +1077,9 @@ txf->zerokey(&(swd->sw_kschedule)); break; + case CRYPTO_AES_GMAC: + break; + case CRYPTO_MD5_HMAC: case CRYPTO_MD5_HMAC_96: case CRYPTO_SHA1_HMAC: @@ -958,6 +1119,9 @@ case CRYPTO_MD5: case CRYPTO_SHA1: case CRYPTO_AES_XCBC_MAC_96: + case CRYPTO_AES_128_GMAC: + case CRYPTO_AES_192_GMAC: + case CRYPTO_AES_256_GMAC: axf = swd->sw_axf; if (swd->sw_ictx) @@ -1069,6 +1233,14 @@ goto done; break; + case CRYPTO_AES_GCM_16: + case CRYPTO_AES_GMAC: + case CRYPTO_AES_128_GMAC: + case CRYPTO_AES_192_GMAC: + case CRYPTO_AES_256_GMAC: + crp->crp_etype = swcr_combined(crp, type); + goto done; + case CRYPTO_DEFLATE_COMP: case CRYPTO_DEFLATE_COMP_NOGROW: case CRYPTO_GZIP_COMP: @@ -1111,6 +1283,8 @@ REGISTER(CRYPTO_SKIPJACK_CBC); REGISTER(CRYPTO_CAMELLIA_CBC); REGISTER(CRYPTO_AES_CTR); + REGISTER(CRYPTO_AES_GCM_16); + REGISTER(CRYPTO_AES_GMAC); REGISTER(CRYPTO_NULL_CBC); REGISTER(CRYPTO_MD5_HMAC); REGISTER(CRYPTO_MD5_HMAC_96); @@ -1127,6 +1301,9 @@ REGISTER(CRYPTO_MD5); REGISTER(CRYPTO_SHA1); REGISTER(CRYPTO_AES_XCBC_MAC_96); + REGISTER(CRYPTO_AES_128_GMAC); + REGISTER(CRYPTO_AES_192_GMAC); + REGISTER(CRYPTO_AES_256_GMAC); REGISTER(CRYPTO_RIJNDAEL128_CBC); REGISTER(CRYPTO_DEFLATE_COMP); REGISTER(CRYPTO_DEFLATE_COMP_NOGROW); Index: src/sys/opencrypto/cryptosoft_xform.c diff -u src/sys/opencrypto/cryptosoft_xform.c:1.22 src/sys/opencrypto/cryptosoft_xform.c:1.23 --- src/sys/opencrypto/cryptosoft_xform.c:1.22 Tue May 24 19:10:11 2011 +++ src/sys/opencrypto/cryptosoft_xform.c Thu May 26 21:50:03 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: cryptosoft_xform.c,v 1.22 2011/05/24 19:10:11 drochner Exp $ */ +/* $NetBSD: cryptosoft_xform.c,v 1.23 2011/05/26 21:50:03 drochner Exp $ */ /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ @@ -40,7 +40,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.22 2011/05/24 19:10:11 drochner Exp $"); +__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.23 2011/05/26 21:50:03 drochner Exp $"); #include <crypto/blowfish/blowfish.h> #include <crypto/cast128/cast128.h> @@ -56,12 +56,14 @@ #include <sys/sha1.h> #include <sys/sha2.h> #include <opencrypto/aesxcbcmac.h> +#include <opencrypto/gmac.h> struct swcr_auth_hash { const struct auth_hash *auth_hash; int ctxsize; void (*Init)(void *); void (*Setkey)(void *, const uint8_t *, uint16_t); + void (*Reinit)(void *, const uint8_t *, uint16_t); int (*Update)(void *, const uint8_t *, uint16_t); void (*Final)(uint8_t *, void *); }; @@ -118,6 +120,7 @@ static void cml_zerokey(u_int8_t **); static void aes_ctr_zerokey(u_int8_t **); static void aes_ctr_reinit(void *, const u_int8_t *, u_int8_t *); +static void aes_gcm_reinit(void *, const u_int8_t *, u_int8_t *); static void null_init(void *); static int null_update(void *, const u_int8_t *, u_int16_t); @@ -215,6 +218,24 @@ aes_ctr_reinit }; +static const struct swcr_enc_xform swcr_enc_xform_aes_gcm = { + &enc_xform_aes_gcm, + aes_ctr_crypt, + aes_ctr_crypt, + aes_ctr_setkey, + aes_ctr_zerokey, + aes_gcm_reinit +}; + +static const struct swcr_enc_xform swcr_enc_xform_aes_gmac = { + &enc_xform_aes_gmac, + NULL, + NULL, + NULL, + NULL, + NULL +}; + static const struct swcr_enc_xform swcr_enc_xform_camellia = { &enc_xform_camellia, cml_encrypt, @@ -227,80 +248,80 @@ /* Authentication instances */ static const struct swcr_auth_hash swcr_auth_hash_null = { &auth_hash_null, sizeof(int), /* NB: context isn't used */ - null_init, NULL, null_update, null_final + null_init, NULL, NULL, null_update, null_final }; static const struct swcr_auth_hash swcr_auth_hash_hmac_md5 = { &auth_hash_hmac_md5, sizeof(MD5_CTX), - (void (*) (void *)) MD5Init, NULL, MD5Update_int, + (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, (void (*) (u_int8_t *, void *)) MD5Final }; static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1 = { &auth_hash_hmac_sha1, sizeof(SHA1_CTX), - SHA1Init_int, NULL, SHA1Update_int, SHA1Final_int + SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int }; static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160 = { &auth_hash_hmac_ripemd_160, sizeof(RMD160_CTX), - (void (*)(void *)) RMD160Init, NULL, RMD160Update_int, + (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, (void (*)(u_int8_t *, void *)) RMD160Final }; static const struct swcr_auth_hash swcr_auth_hash_hmac_md5_96 = { &auth_hash_hmac_md5_96, sizeof(MD5_CTX), - (void (*) (void *)) MD5Init, NULL, MD5Update_int, + (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, (void (*) (u_int8_t *, void *)) MD5Final }; static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1_96 = { &auth_hash_hmac_sha1_96, sizeof(SHA1_CTX), - SHA1Init_int, NULL, SHA1Update_int, SHA1Final_int + SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int }; static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160_96 = { &auth_hash_hmac_ripemd_160_96, sizeof(RMD160_CTX), - (void (*)(void *)) RMD160Init, NULL, RMD160Update_int, + (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, (void (*)(u_int8_t *, void *)) RMD160Final }; static const struct swcr_auth_hash swcr_auth_hash_key_md5 = { &auth_hash_key_md5, sizeof(MD5_CTX), - (void (*)(void *)) MD5Init, NULL, MD5Update_int, + (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, (void (*)(u_int8_t *, void *)) MD5Final }; static const struct swcr_auth_hash swcr_auth_hash_key_sha1 = { &auth_hash_key_sha1, sizeof(SHA1_CTX), - SHA1Init_int, NULL, SHA1Update_int, SHA1Final_int + SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int }; static const struct swcr_auth_hash swcr_auth_hash_md5 = { &auth_hash_md5, sizeof(MD5_CTX), - (void (*) (void *)) MD5Init, NULL, MD5Update_int, + (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, (void (*) (u_int8_t *, void *)) MD5Final }; static const struct swcr_auth_hash swcr_auth_hash_sha1 = { &auth_hash_sha1, sizeof(SHA1_CTX), - (void (*)(void *)) SHA1Init, NULL, SHA1Update_int, + (void (*)(void *)) SHA1Init, NULL, NULL, SHA1Update_int, (void (*)(u_int8_t *, void *)) SHA1Final }; static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_256 = { &auth_hash_hmac_sha2_256, sizeof(SHA256_CTX), - (void (*)(void *)) SHA256_Init, NULL, SHA256Update_int, + (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int, (void (*)(u_int8_t *, void *)) SHA256_Final }; static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_384 = { &auth_hash_hmac_sha2_384, sizeof(SHA384_CTX), - (void (*)(void *)) SHA384_Init, NULL, SHA384Update_int, + (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int, (void (*)(u_int8_t *, void *)) SHA384_Final }; static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_512 = { &auth_hash_hmac_sha2_512, sizeof(SHA512_CTX), - (void (*)(void *)) SHA512_Init, NULL, SHA512Update_int, + (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int, (void (*)(u_int8_t *, void *)) SHA512_Final }; @@ -308,7 +329,34 @@ &auth_hash_aes_xcbc_mac_96, sizeof(aesxcbc_ctx), null_init, (void (*)(void *, const u_int8_t *, u_int16_t))aes_xcbc_mac_init, - aes_xcbc_mac_loop, aes_xcbc_mac_result + NULL, aes_xcbc_mac_loop, aes_xcbc_mac_result +}; + +static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_128 = { + &auth_hash_gmac_aes_128, sizeof(AES_GMAC_CTX), + (void (*)(void *))AES_GMAC_Init, + (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, + (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, + (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, + (void (*)(u_int8_t *, void *))AES_GMAC_Final +}; + +static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_192 = { + &auth_hash_gmac_aes_192, sizeof(AES_GMAC_CTX), + (void (*)(void *))AES_GMAC_Init, + (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, + (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, + (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, + (void (*)(u_int8_t *, void *))AES_GMAC_Final +}; + +static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_256 = { + &auth_hash_gmac_aes_256, sizeof(AES_GMAC_CTX), + (void (*)(void *))AES_GMAC_Init, + (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, + (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, + (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, + (void (*)(u_int8_t *, void *))AES_GMAC_Final }; /* Compression instance */ @@ -723,6 +771,23 @@ memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); } +void +aes_gcm_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) +{ + struct aes_ctr_ctx *ctx = key; + + if (!iv) { + ctx->ivgenctx.lastiv++; + iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; + } + if (ivout) + memcpy(ivout, iv, AESCTR_IVSIZE); + memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); + /* reset counter */ + memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); + ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ +} + /* * And now for auth. */ Index: src/sys/opencrypto/xform.c diff -u src/sys/opencrypto/xform.c:1.27 src/sys/opencrypto/xform.c:1.28 --- src/sys/opencrypto/xform.c:1.27 Tue May 24 19:10:11 2011 +++ src/sys/opencrypto/xform.c Thu May 26 21:50:03 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.c,v 1.27 2011/05/24 19:10:11 drochner Exp $ */ +/* $NetBSD: xform.c,v 1.28 2011/05/26 21:50:03 drochner Exp $ */ /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ @@ -40,7 +40,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform.c,v 1.27 2011/05/24 19:10:11 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform.c,v 1.28 2011/05/26 21:50:03 drochner Exp $"); #include <sys/param.h> #include <sys/malloc.h> @@ -140,6 +140,16 @@ 16, 8, 16+4, 32+4 }; +const struct enc_xform enc_xform_aes_gcm = { + CRYPTO_AES_GCM_16, "AES-GCM", + 4 /* ??? */, 8, 16+4, 32+4 +}; + +const struct enc_xform enc_xform_aes_gmac = { + CRYPTO_AES_GMAC, "AES-GMAC", + 4 /* ??? */, 8, 16+4, 32+4 +}; + /* Authentication instances */ const struct auth_hash auth_hash_null = { CRYPTO_NULL_HMAC, "NULL-HMAC", @@ -216,6 +226,21 @@ 16, 16, 12, 0 }; +const struct auth_hash auth_hash_gmac_aes_128 = { + CRYPTO_AES_128_GMAC, "GMAC-AES-128", + 16+4, 16, 16, 16 /* ??? */ +}; + +const struct auth_hash auth_hash_gmac_aes_192 = { + CRYPTO_AES_192_GMAC, "GMAC-AES-192", + 24+4, 16, 16, 16 /* ??? */ +}; + +const struct auth_hash auth_hash_gmac_aes_256 = { + CRYPTO_AES_256_GMAC, "GMAC-AES-256", + 32+4, 16, 16, 16 /* ??? */ +}; + /* Compression instance */ const struct comp_algo comp_algo_deflate = { CRYPTO_DEFLATE_COMP, "Deflate", Index: src/sys/opencrypto/xform.h diff -u src/sys/opencrypto/xform.h:1.18 src/sys/opencrypto/xform.h:1.19 --- src/sys/opencrypto/xform.h:1.18 Tue May 24 19:10:12 2011 +++ src/sys/opencrypto/xform.h Thu May 26 21:50:03 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.h,v 1.18 2011/05/24 19:10:12 drochner Exp $ */ +/* $NetBSD: xform.h,v 1.19 2011/05/26 21:50:03 drochner Exp $ */ /* $FreeBSD: src/sys/opencrypto/xform.h,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ /* $OpenBSD: xform.h,v 1.10 2002/04/22 23:10:09 deraadt Exp $ */ @@ -65,6 +65,8 @@ extern const struct enc_xform enc_xform_arc4; extern const struct enc_xform enc_xform_camellia; extern const struct enc_xform enc_xform_aes_ctr; +extern const struct enc_xform enc_xform_aes_gcm; +extern const struct enc_xform enc_xform_aes_gmac; extern const struct auth_hash auth_hash_null; extern const struct auth_hash auth_hash_md5; @@ -81,6 +83,9 @@ extern const struct auth_hash auth_hash_hmac_sha2_384; extern const struct auth_hash auth_hash_hmac_sha2_512; extern const struct auth_hash auth_hash_aes_xcbc_mac_96; +extern const struct auth_hash auth_hash_gmac_aes_128; +extern const struct auth_hash auth_hash_gmac_aes_192; +extern const struct auth_hash auth_hash_gmac_aes_256; extern const struct comp_algo comp_algo_deflate; extern const struct comp_algo comp_algo_deflate_nogrow; Index: src/usr.bin/netstat/fast_ipsec.c diff -u src/usr.bin/netstat/fast_ipsec.c:1.16 src/usr.bin/netstat/fast_ipsec.c:1.17 --- src/usr.bin/netstat/fast_ipsec.c:1.16 Tue May 24 19:10:12 2011 +++ src/usr.bin/netstat/fast_ipsec.c Thu May 26 21:50:03 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: fast_ipsec.c,v 1.16 2011/05/24 19:10:12 drochner Exp $ */ +/* $NetBSD: fast_ipsec.c,v 1.17 2011/05/26 21:50:03 drochner Exp $ */ /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ /*- @@ -33,7 +33,7 @@ #include <sys/cdefs.h> #ifndef lint #ifdef __NetBSD__ -__RCSID("$NetBSD: fast_ipsec.c,v 1.16 2011/05/24 19:10:12 drochner Exp $"); +__RCSID("$NetBSD: fast_ipsec.c,v 1.17 2011/05/26 21:50:03 drochner Exp $"); #endif #endif /* not lint*/ @@ -118,6 +118,9 @@ { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, + { SADB_X_AALG_AES128GMAC, "aes-128-gmac", }, + { SADB_X_AALG_AES192GMAC, "aes-192-gmac", }, + { SADB_X_AALG_AES256GMAC, "aes-256-gmac", }, }; static const struct alg espalgs[] = { { SADB_EALG_NONE, "none", }, @@ -129,6 +132,8 @@ { SADB_X_EALG_RIJNDAELCBC, "aes-cbc", }, { SADB_X_EALG_CAMELLIACBC, "camellia-cbc", }, { SADB_X_EALG_AESCTR, "aes-ctr", }, + { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, + { SADB_X_EALG_AESGMAC, "aes-gmac", }, }; static const struct alg ipcompalgs[] = { { SADB_X_CALG_NONE, "none", }, Added files: Index: src/sys/opencrypto/gmac.c diff -u /dev/null src/sys/opencrypto/gmac.c:1.1 --- /dev/null Thu May 26 21:50:03 2011 +++ src/sys/opencrypto/gmac.c Thu May 26 21:50:03 2011 @@ -0,0 +1,153 @@ +/* $NetBSD: gmac.c,v 1.1 2011/05/26 21:50:03 drochner Exp $ */ +/* OpenBSD: gmac.c,v 1.3 2011/01/11 15:44:23 deraadt Exp */ + +/* + * Copyright (c) 2010 Mike Belopuhov <m...@vantronix.net> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the Message Authentication part of the + * Galois/Counter Mode (as being described in the RFC 4543) using + * the AES cipher. FIPS SP 800-38D describes the algorithm details. + */ + +#include <sys/param.h> +#include <sys/systm.h> + +#include <crypto/rijndael/rijndael.h> +#include <opencrypto/gmac.h> + +void ghash_gfmul(const uint32_t *, const uint32_t *, uint32_t *); +void ghash_update(GHASH_CTX *, const uint8_t *, size_t); + +/* Computes a block multiplication in the GF(2^128) */ +void +ghash_gfmul(const uint32_t *X, const uint32_t *Y, uint32_t *product) +{ + uint32_t v[4]; + uint32_t z[4] = { 0, 0, 0, 0}; + const uint8_t *x = (const uint8_t *)X; + uint32_t mul; + int i; + + v[0] = be32toh(Y[0]); + v[1] = be32toh(Y[1]); + v[2] = be32toh(Y[2]); + v[3] = be32toh(Y[3]); + + for (i = 0; i < GMAC_BLOCK_LEN * 8; i++) { + /* update Z */ + if (x[i >> 3] & (1 << (~i & 7))) { + z[0] ^= v[0]; + z[1] ^= v[1]; + z[2] ^= v[2]; + z[3] ^= v[3]; + } /* else: we preserve old values */ + + /* update V */ + mul = v[3] & 1; + v[3] = (v[2] << 31) | (v[3] >> 1); + v[2] = (v[1] << 31) | (v[2] >> 1); + v[1] = (v[0] << 31) | (v[1] >> 1); + v[0] = (v[0] >> 1) ^ (0xe1000000 * mul); + } + + product[0] = htobe32(z[0]); + product[1] = htobe32(z[1]); + product[2] = htobe32(z[2]); + product[3] = htobe32(z[3]); +} + +void +ghash_update(GHASH_CTX *ctx, const uint8_t *X, size_t len) +{ + uint8_t *s = (uint8_t *)ctx->S; + uint8_t *y = (uint8_t *)ctx->Z; + int i, j; + + for (i = 0; i < len / GMAC_BLOCK_LEN; i++) { + for (j = 0; j < GMAC_BLOCK_LEN; j++) + s[j] = y[j] ^ X[j]; + + ghash_gfmul(ctx->S, ctx->H, ctx->S); + + y = s; + X += GMAC_BLOCK_LEN; + } + + memcpy(ctx->Z, ctx->S, GMAC_BLOCK_LEN); +} + +#define AESCTR_NONCESIZE 4 + +void +AES_GMAC_Init(AES_GMAC_CTX *ctx) +{ + + memset(ctx, 0, sizeof(AES_GMAC_CTX)); +} + +void +AES_GMAC_Setkey(AES_GMAC_CTX *ctx, const uint8_t *key, uint16_t klen) +{ + ctx->rounds = rijndaelKeySetupEnc(ctx->K, (const u_char *)key, + (klen - AESCTR_NONCESIZE) * 8); + /* copy out salt to the counter block */ + memcpy(ctx->J, key + klen - AESCTR_NONCESIZE, AESCTR_NONCESIZE); + /* prepare a hash subkey */ + rijndaelEncrypt(ctx->K, ctx->rounds, (void *)ctx->ghash.H, + (void *)ctx->ghash.H); +} + +void +AES_GMAC_Reinit(AES_GMAC_CTX *ctx, const uint8_t *iv, uint16_t ivlen) +{ + /* copy out IV to the counter block */ + memcpy(ctx->J + AESCTR_NONCESIZE, iv, ivlen); +} + +int +AES_GMAC_Update(AES_GMAC_CTX *ctx, const uint8_t *data, uint16_t len) +{ + uint32_t blk[4] = { 0, 0, 0, 0 }; + int plen; + + if (len > 0) { + plen = len % GMAC_BLOCK_LEN; + if (len >= GMAC_BLOCK_LEN) + ghash_update(&ctx->ghash, (const uint8_t *)data, + len - plen); + if (plen) { + memcpy(blk, data + (len - plen), plen); + ghash_update(&ctx->ghash, (uint8_t *)blk, + GMAC_BLOCK_LEN); + } + } + return (0); +} + +void +AES_GMAC_Final(uint8_t digest[GMAC_DIGEST_LEN], AES_GMAC_CTX *ctx) +{ + uint8_t keystream[GMAC_BLOCK_LEN]; + int i; + + /* do one round of GCTR */ + ctx->J[GMAC_BLOCK_LEN - 1] = 1; + rijndaelEncrypt(ctx->K, ctx->rounds, ctx->J, keystream); + for (i = 0; i < GMAC_DIGEST_LEN; i++) + digest[i] = ((uint8_t *)ctx->ghash.S)[i] ^ keystream[i]; + memset(keystream, 0, sizeof(keystream)); +} Index: src/sys/opencrypto/gmac.h diff -u /dev/null src/sys/opencrypto/gmac.h:1.1 --- /dev/null Thu May 26 21:50:03 2011 +++ src/sys/opencrypto/gmac.h Thu May 26 21:50:03 2011 @@ -0,0 +1,51 @@ +/* $NetBSD: gmac.h,v 1.1 2011/05/26 21:50:03 drochner Exp $ */ +/* OpenBSD: gmac.h,v 1.1 2010/09/22 11:54:23 mikeb Exp */ + +/* + * Copyright (c) 2010 Mike Belopuhov <m...@vantronix.net> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _GMAC_H_ +#define _GMAC_H_ + +#include <crypto/rijndael/rijndael.h> + +#define GMAC_BLOCK_LEN 16 +#define GMAC_DIGEST_LEN 16 + +typedef struct _GHASH_CTX { + uint32_t H[GMAC_BLOCK_LEN/4]; /* hash subkey */ + uint32_t S[GMAC_BLOCK_LEN/4]; /* state */ + uint32_t Z[GMAC_BLOCK_LEN/4]; /* initial state */ +} GHASH_CTX; + +typedef struct _AES_GMAC_CTX { + GHASH_CTX ghash; + uint32_t K[4*(RIJNDAEL_MAXNR + 1)]; + uint8_t J[GMAC_BLOCK_LEN]; /* counter block */ + int rounds; +} AES_GMAC_CTX; + +#include <sys/cdefs.h> + +__BEGIN_DECLS +void AES_GMAC_Init(AES_GMAC_CTX *); +void AES_GMAC_Setkey(AES_GMAC_CTX *, const uint8_t *, uint16_t); +void AES_GMAC_Reinit(AES_GMAC_CTX *, const uint8_t *, uint16_t); +int AES_GMAC_Update(AES_GMAC_CTX *, const uint8_t *, uint16_t); +void AES_GMAC_Final(uint8_t [GMAC_DIGEST_LEN], AES_GMAC_CTX *); +__END_DECLS + +#endif /* _GMAC_H_ */