MFC r275732:

Add some new modes to OpenCrypto.  These modes are AES-ICM (can be used
for counter mode), and AES-GCM.  Both of these modes have been added to
the aesni module.

Included is a set of tests to validate that the software and aesni
module calculate the correct values.  These use the NIST KAT test
vectors.  To run the test, you will need to install a soon to be
committed port, nist-kat that will install the vectors.  Using a port
is necessary as the test vectors are around 25MB.

All the man pages were updated.  I have added a new man page, crypto.7,
which includes a description of how to use each mode.  All the new modes
and some other AES modes are present.  It would be good for someone
else to go through and document the other modes.

A new ioctl was added to support AEAD modes which AES-GCM is one of them.
Without this ioctl, it is not possible to test AEAD modes from userland.

Add a timing safe bcmp for use to compare MACs.  Previously we were using
bcmp which could leak timing info and result in the ability to forge
messages.

Add a minor optimization to the aesni module so that single segment
mbufs don't get copied and instead are updated in place.  The aesni
module needs to be updated to support blocked IO so segmented mbufs
don't have to be copied.

We require that the IV be specified for all calls for both GCM and ICM.
This is to ensure proper use of these functions.

Obtained from:  p4: //depot/projects/opencrypto
Relnotes:       yes
Sponsored by:   FreeBSD Foundation
Sponsored by:   NetGate

TAG:	IPSEC-HEAD
Issue:	#4841

1 files changed, 18 insertions, 8 deletions

diff --git a/share/man/man9/crypto.9 b/share/man/man9/crypto.9
index c2682af..2aaf130 100644
--- a/share/man/man9/crypto.9
+++ b/share/man/man9/crypto.9
@@ -175,17 +175,26 @@ Contains an algorithm identifier.
 Currently supported algorithms are:
 .Pp
 .Bl -tag -width ".Dv CRYPTO_RIPEMD160_HMAC" -compact
+.It Dv CRYPTO_AES_128_NIST_GMAC
+.It Dv CRYPTO_AES_192_NIST_GMAC
+.It Dv CRYPTO_AES_256_NIST_GMAC
 .It Dv CRYPTO_AES_CBC
+.It Dv CRYPTO_AES_ICM
+.It Dv CRYPTO_AES_NIST_GCM_16
+.It Dv CRYPTO_AES_NIST_GMAC
+.It Dv CRYPTO_AES_XTS
 .It Dv CRYPTO_ARC4
 .It Dv CRYPTO_BLF_CBC
 .It Dv CRYPTO_CAMELLIA_CBC
 .It Dv CRYPTO_CAST_CBC
+.It Dv CRYPTO_DEFLATE_COMP
 .It Dv CRYPTO_DES_CBC
 .It Dv CRYPTO_3DES_CBC
-.It Dv CRYPTO_SKIPJACK_CBC
 .It Dv CRYPTO_MD5
 .It Dv CRYPTO_MD5_HMAC
 .It Dv CRYPTO_MD5_KPDK
+.It Dv CRYPTO_NULL_HMAC
+.It Dv CRYPTO_NULL_CBC
 .It Dv CRYPTO_RIPEMD160_HMAC
 .It Dv CRYPTO_SHA1
 .It Dv CRYPTO_SHA1_HMAC
@@ -193,8 +202,7 @@ Currently supported algorithms are:
 .It Dv CRYPTO_SHA2_256_HMAC
 .It Dv CRYPTO_SHA2_384_HMAC
 .It Dv CRYPTO_SHA2_512_HMAC
-.It Dv CRYPTO_NULL_HMAC
-.It Dv CRYPTO_NULL_CBC
+.It Dv CRYPTO_SKIPJACK_CBC
 .El
 .It Va cri_klen
 Specifies the length of the key in bits, for variable-size key
@@ -207,7 +215,8 @@ Contains the key to be used with the algorithm.
 .It Va cri_iv
 Contains an explicit initialization vector (IV), if it does not prefix
 the data.
-This field is ignored during initialization.
+This field is ignored during initialization
+.Pq Nm crypto_newsession .
 If no IV is explicitly passed (see below on details), a random IV is used
 by the device driver processing the request.
 .It Va cri_next
@@ -296,8 +305,6 @@ The buffer pointed to by
 is an
 .Vt uio
 structure.
-.It Dv CRYPTO_F_REL
-Must return data in the same place.
 .It Dv CRYPTO_F_BATCH
 Batch operation if possible.
 .It Dv CRYPTO_F_CBIMM
@@ -363,7 +370,7 @@ The following flags are defined:
 For encryption algorithms, this bit is set when encryption is required
 (when not set, decryption is performed).
 .It Dv CRD_F_IV_PRESENT
-For encryption algorithms, this bit is set when the IV already
+For encryption, this bit is set when the IV already
 precedes the data, so the
 .Va crd_inject
 value will be ignored and no IV will be written in the buffer.
@@ -372,7 +379,7 @@ at the location pointed to by
 .Va crd_inject .
 The IV length is assumed to be equal to the blocksize of the
 encryption algorithm.
-Some applications that do special
+Applications that do special
 .Dq "IV cooking" ,
 such as the half-IV mode in
 .Xr ipsec 4 ,
@@ -403,6 +410,8 @@ field for the given operation.
 Otherwise, the key is taken at newsession time from the
 .Va cri_key
 field.
+As calculating the key schedule may take a while, it is recommended that often
+used keys are given their own session.
 .It Dv CRD_F_COMP
 For compression algorithms, this bit is set when compression is required (when
 not set, decompression is performed).
@@ -641,6 +650,7 @@ most of the framework code
 .El
 .Sh SEE ALSO
 .Xr ipsec 4 ,
+.Xr crypto 7 ,
 .Xr malloc 9 ,
 .Xr sleep 9
 .Sh HISTORY