MFC r285336:

Add support for AES modes to IPSec.  These modes work both in software only
mode and with hardware support on systems that have AESNI instructions.

Differential Revision:  D2936
Reviewed by:    jmg, eri, cognet
Sponsored by:   Rubicon Communications (Netgate)

TAG:	IPSEC-HEAD
Issue:	#4841

4 files changed, 199 insertions, 114 deletions

diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 5274ea2..4feb851 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -80,11 +80,11 @@
 	(((sav)->flags & SADB_X_EXT_OLD) ? \
 		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
 /* 
- * Return authenticator size in bytes.  The old protocol is known
- * to use a fixed 16-byte authenticator.  The new algorithm use 12-byte
- * authenticator.
+ * Return authenticator size in bytes, based on a field in the
+ * algorithm descriptor.
  */
-#define	AUTHSIZE(sav)	ah_authsize(sav)
+#define	AUTHSIZE(sav)	\
+	((sav->flags & SADB_X_EXT_OLD) ? 16 : (sav)->tdb_authalgxform->hashsize)
 
 VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
 VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc */
@@ -110,27 +110,6 @@ static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
 static int ah_input_cb(struct cryptop*);
 static int ah_output_cb(struct cryptop*);
 
-static int
-ah_authsize(struct secasvar *sav)
-{
-
-	IPSEC_ASSERT(sav != NULL, ("%s: sav == NULL", __func__));
-
-	if (sav->flags & SADB_X_EXT_OLD)
-		return 16;
-
-	switch (sav->alg_auth) {
-	case SADB_X_AALG_SHA2_256:
-		return 16;
-	case SADB_X_AALG_SHA2_384:
-		return 24;
-	case SADB_X_AALG_SHA2_512:
-		return 32;
-	default:
-		return AH_HMAC_HASHLEN;
-	}
-	/* NOTREACHED */
-}
 /*
  * NB: this is public for use by the PF_KEY support.
  */
@@ -158,6 +137,12 @@ ah_algorithm_lookup(int alg)
 		return &auth_hash_hmac_sha2_384;
 	case SADB_X_AALG_SHA2_512:
 		return &auth_hash_hmac_sha2_512;
+	case SADB_X_AALG_AES128GMAC:
+		return &auth_hash_nist_gmac_aes_128;
+	case SADB_X_AALG_AES192GMAC:
+		return &auth_hash_nist_gmac_aes_192;
+	case SADB_X_AALG_AES256GMAC:
+		return &auth_hash_nist_gmac_aes_256;
 	}
 	return NULL;
 }
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index b5a22ba..a47404b 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -119,6 +119,12 @@ esp_algorithm_lookup(int alg)
 		return &enc_xform_null;
 	case SADB_X_EALG_CAMELLIACBC:
 		return &enc_xform_camellia;
+	case SADB_X_EALG_AESCTR:
+		return &enc_xform_aes_icm;
+	case SADB_X_EALG_AESGCM16:
+		return &enc_xform_aes_nist_gcm;
+	case SADB_X_EALG_AESGMAC:
+		return &enc_xform_aes_nist_gmac;
 	}
 	return NULL;
 }
@@ -196,7 +202,7 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
 	 *      the ESP header will be processed incorrectly.  The
 	 *      compromise is to force it to zero here.
 	 */
-	sav->ivlen = (txform == &enc_xform_null ? 0 : txform->blocksize);
+	sav->ivlen = (txform == &enc_xform_null ? 0 : txform->ivsize);
 	sav->iv = (caddr_t) malloc(sav->ivlen, M_XDATA, M_WAITOK);
 	key_randomfill(sav->iv, sav->ivlen);	/*XXX*/
 
@@ -213,11 +219,45 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
 	sav->tdb_xform = xsp;
 	sav->tdb_encalgxform = txform;
 
+	/*
+	 * Whenever AES-GCM is used for encryption, one
+	 * of the AES authentication algorithms is chosen
+	 * as well, based on the key size.
+	 */
+	if (sav->alg_enc == SADB_X_EALG_AESGCM16) {
+		switch (keylen) {
+		case AES_128_HMAC_KEY_LEN:
+			sav->alg_auth = SADB_X_AALG_AES128GMAC;
+			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_128;
+			break;
+		case AES_192_HMAC_KEY_LEN:
+			sav->alg_auth = SADB_X_AALG_AES192GMAC;
+			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_192;
+			break;
+		case AES_256_HMAC_KEY_LEN:
+			sav->alg_auth = SADB_X_AALG_AES256GMAC;
+			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_256;
+			break;
+		default:
+			DPRINTF(("%s: invalid key length %u"
+				 "for algorithm %s\n", __func__,
+				 keylen, txform->name));
+			return EINVAL;
+		}
+		bzero(&cria, sizeof(cria));
+		cria.cri_alg = sav->tdb_authalgxform->type;
+		cria.cri_klen = _KEYBITS(sav->key_enc) + 4;
+		cria.cri_key = sav->key_enc->key_data;
+	}
+
 	/* Initialize crypto session. */
 	bzero(&crie, sizeof (crie));
 	crie.cri_alg = sav->tdb_encalgxform->type;
 	crie.cri_klen = _KEYBITS(sav->key_enc);
 	crie.cri_key = sav->key_enc->key_data;
+	if (sav->alg_enc == SADB_X_EALG_AESGCM16)
+		arc4rand(crie.cri_iv, sav->ivlen, 0);
+
 	/* XXX Rounds ? */
 
 	if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
@@ -287,7 +327,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 		m_freem(m);
 		return EINVAL;
 	}
-
 	/* XXX don't pullup, just copy header */
 	IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
 
@@ -300,18 +339,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	else
 		hlen = sizeof (struct newesp) + sav->ivlen;
 	/* Authenticator hash size */
-	if (esph != NULL) {
-		switch (esph->type) {
-		case CRYPTO_SHA2_256_HMAC:
-		case CRYPTO_SHA2_384_HMAC:
-		case CRYPTO_SHA2_512_HMAC:
-			alen = esph->hashsize/2;
-			break;
-		default:
-			alen = AH_HMAC_HASHLEN;
-			break;
-		}
-	}
+	alen = esph ? esph->hashsize : 0;
 
 	/*
 	 * Verify payload length is multiple of encryption algorithm
@@ -323,13 +351,15 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	 */
 	plen = m->m_pkthdr.len - (skip + hlen + alen);
 	if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
-		DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
-		    "  SA %s/%08lx\n", __func__,
-		    plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst,
-			buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
-		ESPSTAT_INC(esps_badilen);
-		m_freem(m);
-		return EINVAL;
+		if (!espx || sav->alg_enc != SADB_X_EALG_AESGCM16) {
+			DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
+				"  SA %s/%08lx\n", __func__,
+				plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst,
+				buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
+			ESPSTAT_INC(esps_badilen);
+			m_freem(m);
+			return EINVAL;
+		}
 	}
 
 	/*
@@ -375,12 +405,20 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 
 		/* Authentication descriptor */
 		crda->crd_skip = skip;
-		crda->crd_len = m->m_pkthdr.len - (skip + alen);
+		if (espx && espx->type == CRYPTO_AES_NIST_GCM_16) 
+			crda->crd_len = hlen - sav->ivlen;
+		else
+			crda->crd_len = m->m_pkthdr.len - (skip + alen);
 		crda->crd_inject = m->m_pkthdr.len - alen;
 
 		crda->crd_alg = esph->type;
-		crda->crd_key = sav->key_auth->key_data;
-		crda->crd_klen = _KEYBITS(sav->key_auth);
+		if (espx && (espx->type == CRYPTO_AES_NIST_GCM_16)) {
+			crda->crd_key = sav->key_enc->key_data;
+			crda->crd_klen = _KEYBITS(sav->key_enc);
+		} else {
+			crda->crd_key = sav->key_auth->key_data;
+			crda->crd_klen = _KEYBITS(sav->key_auth);
+		}	
 
 		/* Copy the authenticator */
 		m_copydata(m, m->m_pkthdr.len - alen, alen,
@@ -418,6 +456,9 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	crde->crd_alg = espx->type;
 	crde->crd_key = sav->key_enc->key_data;
 	crde->crd_klen = _KEYBITS(sav->key_enc);
+	if (espx && (espx->type == CRYPTO_AES_NIST_GCM_16))
+		crde->crd_flags |= CRD_F_IV_EXPLICIT;
+
 	/* XXX Rounds ? */
 
 	return (crypto_dispatch(crp));
@@ -487,16 +528,7 @@ esp_input_cb(struct cryptop *crp)
 
 	/* If authentication was performed, check now. */
 	if (esph != NULL) {
-		switch (esph->type) {
-		case CRYPTO_SHA2_256_HMAC:
-		case CRYPTO_SHA2_384_HMAC:
-		case CRYPTO_SHA2_512_HMAC:
-			alen = esph->hashsize/2;
-			break;
-		default:
-			alen = AH_HMAC_HASHLEN;
-			break;
-		}
+		alen = esph->hashsize;
 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
 		/* Copy the authenticator from the packet */
 		m_copydata(m, m->m_pkthdr.len - alen, alen, aalg);
@@ -661,22 +693,13 @@ esp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
 	 * NB: The null encoding transform has a blocksize of 4
 	 *     so that headers are properly aligned.
 	 */
-	blks = espx->blocksize;		/* IV blocksize */
+	blks = espx->ivsize;		/* IV blocksize */
 
 	/* XXX clamp padding length a la KAME??? */
 	padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
 
 	if (esph)
-		switch (esph->type) {
-		case CRYPTO_SHA2_256_HMAC:
-		case CRYPTO_SHA2_384_HMAC:
-		case CRYPTO_SHA2_512_HMAC:
-			alen = esph->hashsize/2;
-			break;
-		default:
-		alen = AH_HMAC_HASHLEN;
-			break;
-		}
+		alen = esph->hashsize;
 	else
 		alen = 0;
 
@@ -704,6 +727,8 @@ esp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
 		error = EPFNOSUPPORT;
 		goto bad;
 	}
+	DPRINTF(("%s: skip %d hlen %d rlen %d padding %d alen %d blksd %d\n",
+		__func__, skip, hlen, rlen, padding, alen, blks));
 	if (skip + hlen + rlen + padding + alen > maxpacketsize) {
 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
 		    "(len %u, max len %u)\n", __func__,
@@ -818,6 +843,8 @@ esp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
 		crde->crd_alg = espx->type;
 		crde->crd_key = sav->key_enc->key_data;
 		crde->crd_klen = _KEYBITS(sav->key_enc);
+		if (espx->type == CRYPTO_AES_NIST_GCM_16)
+			crde->crd_flags |= CRD_F_IV_EXPLICIT;
 		/* XXX Rounds ? */
 	} else
 		crda = crp->crp_desc;
@@ -852,13 +879,22 @@ esp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
 	if (esph) {
 		/* Authentication descriptor. */
 		crda->crd_skip = skip;
-		crda->crd_len = m->m_pkthdr.len - (skip + alen);
+		if (espx && espx->type == CRYPTO_AES_NIST_GCM_16)
+			crda->crd_len = hlen - sav->ivlen;
+		else
+			crda->crd_len = m->m_pkthdr.len - (skip + alen);
 		crda->crd_inject = m->m_pkthdr.len - alen;
 
 		/* Authentication operation. */
 		crda->crd_alg = esph->type;
-		crda->crd_key = sav->key_auth->key_data;
-		crda->crd_klen = _KEYBITS(sav->key_auth);
+		if (espx && espx->type == CRYPTO_AES_NIST_GCM_16) {
+			crda->crd_key = sav->key_enc->key_data;
+			crda->crd_klen = _KEYBITS(sav->key_enc);
+		} else {
+			crda->crd_key = sav->key_auth->key_data;
+			crda->crd_klen = _KEYBITS(sav->key_auth);
+		}
+
 	}
 
 	return crypto_dispatch(crp);
@@ -951,6 +987,11 @@ esp_output_cb(struct cryptop *crp)
 			case CRYPTO_SHA2_512_HMAC:
 				alen = esph->hashsize/2;
 				break;
+			case CRYPTO_AES_128_GMAC:
+			case CRYPTO_AES_192_GMAC:
+			case CRYPTO_AES_256_GMAC:
+				alen = esph->hashsize;
+				break;
 			default:
 				alen = AH_HMAC_HASHLEN;
 				break;
diff --git a/sys/opencrypto/cryptodev.h b/sys/opencrypto/cryptodev.h
index ab34b9e..48f094b 100644
--- a/sys/opencrypto/cryptodev.h
+++ b/sys/opencrypto/cryptodev.h
@@ -78,6 +78,7 @@
 #define	SHA2_512_HASH_LEN	64
 #define	MD5_KPDK_HASH_LEN	16
 #define	SHA1_KPDK_HASH_LEN	20
+#define	AES_HASH_LEN		16
 /* Maximum hash algorithm result length */
 #define	HASH_MAX_LEN		SHA2_512_HASH_LEN /* Keep this updated */
 
@@ -86,28 +87,74 @@
 #define	MD5_HMAC_BLOCK_LEN		64
 #define	SHA1_HMAC_BLOCK_LEN		64
 #define	RIPEMD160_HMAC_BLOCK_LEN	64
-#define	SHA2_256_HMAC_BLOCK_LEN		64
-#define	SHA2_384_HMAC_BLOCK_LEN		128
-#define	SHA2_512_HMAC_BLOCK_LEN		128
+#define	SHA2_256_HMAC_BLOCK_LEN	64
+#define	SHA2_384_HMAC_BLOCK_LEN	128
+#define	SHA2_512_HMAC_BLOCK_LEN	128
 /* Maximum HMAC block length */
-#define	HMAC_MAX_BLOCK_LEN		SHA2_512_HMAC_BLOCK_LEN /* Keep this updated */
+#define	HMAC_MAX_BLOCK_LEN	SHA2_512_HMAC_BLOCK_LEN /* Keep this updated */
 #define	HMAC_IPAD_VAL			0x36
 #define	HMAC_OPAD_VAL			0x5C
+/* HMAC Key Length */
+#define	NULL_HMAC_KEY_LEN		0
+#define	MD5_HMAC_KEY_LEN		16
+#define	SHA1_HMAC_KEY_LEN		20
+#define	RIPEMD160_HMAC_KEY_LEN		20
+#define	SHA2_256_HMAC_KEY_LEN		32
+#define	SHA2_384_HMAC_KEY_LEN		48
+#define	SHA2_512_HMAC_KEY_LEN		64
+#define	AES_128_HMAC_KEY_LEN		16
+#define	AES_192_HMAC_KEY_LEN		24
+#define	AES_256_HMAC_KEY_LEN		32
 
 /* Encryption algorithm block sizes */
-#define NULL_BLOCK_LEN		4
-#define DES_BLOCK_LEN		8
-#define DES3_BLOCK_LEN		8
-#define BLOWFISH_BLOCK_LEN	8
-#define SKIPJACK_BLOCK_LEN	8
-#define CAST128_BLOCK_LEN	8
-#define RIJNDAEL128_BLOCK_LEN	16
-#define AES_BLOCK_LEN		RIJNDAEL128_BLOCK_LEN
-#define CAMELLIA_BLOCK_LEN	16
-#define EALG_MAX_BLOCK_LEN	AES_BLOCK_LEN /* Keep this updated */
+#define	NULL_BLOCK_LEN		4
+#define	DES_BLOCK_LEN		8
+#define	DES3_BLOCK_LEN		8
+#define	BLOWFISH_BLOCK_LEN	8
+#define	SKIPJACK_BLOCK_LEN	8
+#define	CAST128_BLOCK_LEN	8
+#define	RIJNDAEL128_BLOCK_LEN	16
+#define	AES_BLOCK_LEN		16
+#define	AES_MIN_BLOCK_LEN	1
+#define	ARC4_BLOCK_LEN		1
+#define	CAMELLIA_BLOCK_LEN	16
+#define	EALG_MAX_BLOCK_LEN	AES_BLOCK_LEN /* Keep this updated */
+
+/* IV Lengths */
+
+#define	ARC4_IV_LEN		1
+#define	AES_IV_LEN		12
+#define	AES_XTS_IV_LEN		8
+#define	AES_XTS_ALPHA		0x87	/* GF(2^128) generator polynomial */
+
+#define AES_CTR_NONCE_SIZE	4
+
+/* Min and Max Encryption Key Sizes */
+#define	NULL_MIN_KEY		0
+#define	NULL_MAX_KEY		256 /* 2048 bits, max key */
+#define	DES_MIN_KEY		8
+#define	DES_MAX_KEY		DES_MIN_KEY
+#define	TRIPLE_DES_MIN_KEY	24
+#define	TRIPLE_DES_MAX_KEY	TRIPLE_DES_MIN_KEY
+#define	BLOWFISH_MIN_KEY	5
+#define	BLOWFISH_MAX_KEY	56 /* 448 bits, max key */
+#define	CAST_MIN_KEY		5
+#define	CAST_MAX_KEY		16
+#define	SKIPJACK_MIN_KEY	10
+#define	SKIPJACK_MAX_KEY	SKIPJACK_MIN_KEY
+#define	RIJNDAEL_MIN_KEY	16
+#define	RIJNDAEL_MAX_KEY	32
+#define	AES_MIN_KEY		16
+#define	AES_MAX_KEY		32
+#define	AES_XTS_MIN_KEY		32
+#define	AES_XTS_MAX_KEY		64
+#define	ARC4_MIN_KEY		1
+#define	ARC4_MAX_KEY		32
+#define	CAMELLIA_MIN_KEY	8
+#define	CAMELLIA_MAX_KEY	32
 
 /* Maximum hash algorithm result length */
-#define AALG_MAX_RESULT_LEN	64 /* Keep this updated */
+#define	AALG_MAX_RESULT_LEN	64 /* Keep this updated */
 
 #define	CRYPTO_ALGORITHM_MIN	1
 #define	CRYPTO_DES_CBC		1
@@ -141,7 +188,7 @@
 #define	CRYPTO_AES_256_NIST_GMAC 28 /* auth side */
 #define	CRYPTO_ALGORITHM_MAX	28 /* Keep updated - see below */
 
-#define CRYPTO_ALGO_VALID(x)	((x) >= CRYPTO_ALGORITHM_MIN && \
+#define	CRYPTO_ALGO_VALID(x)	((x) >= CRYPTO_ALGORITHM_MIN && \
 				 (x) <= CRYPTO_ALGORITHM_MAX)
 
 /* Algorithm flags */
diff --git a/sys/opencrypto/xform.c b/sys/opencrypto/xform.c
index 508a646..265e0b4 100644
--- a/sys/opencrypto/xform.c
+++ b/sys/opencrypto/xform.c
@@ -154,7 +154,7 @@ MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers");
 struct enc_xform enc_xform_null = {
 	CRYPTO_NULL_CBC, "NULL",
 	/* NB: blocksize of 4 is to generate a properly aligned ESP header */
-	NULL_BLOCK_LEN, NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */
+	NULL_BLOCK_LEN, NULL_BLOCK_LEN, NULL_MIN_KEY, NULL_MAX_KEY, 
 	null_encrypt,
 	null_decrypt,
 	null_setkey,
@@ -164,7 +164,7 @@ struct enc_xform enc_xform_null = {
 
 struct enc_xform enc_xform_des = {
 	CRYPTO_DES_CBC, "DES",
-	DES_BLOCK_LEN, DES_BLOCK_LEN, 8, 8,
+	DES_BLOCK_LEN, DES_BLOCK_LEN, DES_MIN_KEY, DES_MAX_KEY,
 	des1_encrypt,
 	des1_decrypt,
 	des1_setkey,
@@ -174,7 +174,8 @@ struct enc_xform enc_xform_des = {
 
 struct enc_xform enc_xform_3des = {
 	CRYPTO_3DES_CBC, "3DES",
-	DES3_BLOCK_LEN, DES3_BLOCK_LEN, 24, 24,
+	DES3_BLOCK_LEN, DES3_BLOCK_LEN, TRIPLE_DES_MIN_KEY,
+	TRIPLE_DES_MAX_KEY,
 	des3_encrypt,
 	des3_decrypt,
 	des3_setkey,
@@ -184,7 +185,8 @@ struct enc_xform enc_xform_3des = {
 
 struct enc_xform enc_xform_blf = {
 	CRYPTO_BLF_CBC, "Blowfish",
-	BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */,
+	BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, BLOWFISH_MIN_KEY,
+	BLOWFISH_MAX_KEY,
 	blf_encrypt,
 	blf_decrypt,
 	blf_setkey,
@@ -194,7 +196,7 @@ struct enc_xform enc_xform_blf = {
 
 struct enc_xform enc_xform_cast5 = {
 	CRYPTO_CAST_CBC, "CAST-128",
-	CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, 5, 16,
+	CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, CAST_MIN_KEY, CAST_MAX_KEY,
 	cast5_encrypt,
 	cast5_decrypt,
 	cast5_setkey,
@@ -204,7 +206,8 @@ struct enc_xform enc_xform_cast5 = {
 
 struct enc_xform enc_xform_skipjack = {
 	CRYPTO_SKIPJACK_CBC, "Skipjack",
-	SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, 10, 10,
+	SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, SKIPJACK_MIN_KEY,
+	SKIPJACK_MAX_KEY,
 	skipjack_encrypt,
 	skipjack_decrypt, skipjack_setkey,
 	skipjack_zerokey,
@@ -213,7 +216,8 @@ struct enc_xform enc_xform_skipjack = {
 
 struct enc_xform enc_xform_rijndael128 = {
 	CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES",
-	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 16, 32,
+	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, RIJNDAEL_MIN_KEY,
+	RIJNDAEL_MAX_KEY,
 	rijndael128_encrypt,
 	rijndael128_decrypt,
 	rijndael128_setkey,
@@ -223,7 +227,7 @@ struct enc_xform enc_xform_rijndael128 = {
 
 struct enc_xform enc_xform_aes_icm = {
 	CRYPTO_AES_ICM, "AES-ICM",
-	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 16, 32,
+	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, AES_MIN_KEY, AES_MAX_KEY,
 	aes_icm_crypt,
 	aes_icm_crypt,
 	aes_icm_setkey,
@@ -233,7 +237,7 @@ struct enc_xform enc_xform_aes_icm = {
 
 struct enc_xform enc_xform_aes_nist_gcm = {
 	CRYPTO_AES_NIST_GCM_16, "AES-GCM",
-	1, 12, 16, 32,
+	AES_MIN_BLOCK_LEN, AES_IV_LEN, AES_MIN_KEY, AES_MAX_KEY,
 	aes_icm_crypt,
 	aes_icm_crypt,
 	aes_icm_setkey,
@@ -243,7 +247,7 @@ struct enc_xform enc_xform_aes_nist_gcm = {
 
 struct enc_xform enc_xform_aes_nist_gmac = {
 	CRYPTO_AES_NIST_GMAC, "AES-GMAC",
-	1, 12, 16, 32,
+	AES_MIN_BLOCK_LEN, AES_IV_LEN, AES_MIN_KEY, AES_MAX_KEY,
 	NULL,
 	NULL,
 	NULL,
@@ -253,7 +257,7 @@ struct enc_xform enc_xform_aes_nist_gmac = {
 
 struct enc_xform enc_xform_aes_xts = {
 	CRYPTO_AES_XTS, "AES-XTS",
-	RIJNDAEL128_BLOCK_LEN, 8, 32, 64,
+	AES_MIN_BLOCK_LEN, AES_XTS_IV_LEN, AES_XTS_MIN_KEY, AES_XTS_MAX_KEY,
 	aes_xts_encrypt,
 	aes_xts_decrypt,
 	aes_xts_setkey,
@@ -263,7 +267,7 @@ struct enc_xform enc_xform_aes_xts = {
 
 struct enc_xform enc_xform_arc4 = {
 	CRYPTO_ARC4, "ARC4",
-	1, 1, 1, 32,
+	ARC4_BLOCK_LEN, ARC4_IV_LEN, ARC4_MIN_KEY, ARC4_MAX_KEY,
 	NULL,
 	NULL,
 	NULL,
@@ -273,7 +277,8 @@ struct enc_xform enc_xform_arc4 = {
 
 struct enc_xform enc_xform_camellia = {
 	CRYPTO_CAMELLIA_CBC, "Camellia",
-	CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, 8, 32,
+	CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, CAMELLIA_MIN_KEY,
+	CAMELLIA_MAX_KEY,
 	cml_encrypt,
 	cml_decrypt,
 	cml_setkey,
@@ -284,67 +289,72 @@ struct enc_xform enc_xform_camellia = {
 /* Authentication instances */
 struct auth_hash auth_hash_null = {	/* NB: context isn't used */
 	CRYPTO_NULL_HMAC, "NULL-HMAC",
-	0, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
+	NULL_HMAC_KEY_LEN, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
 	null_init, null_reinit, null_reinit, null_update, null_final
 };
 
 struct auth_hash auth_hash_hmac_md5 = {
 	CRYPTO_MD5_HMAC, "HMAC-MD5",
-	16, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
+	MD5_HMAC_KEY_LEN, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
 	(void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int,
 	(void (*) (u_int8_t *, void *)) MD5Final
 };
 
 struct auth_hash auth_hash_hmac_sha1 = {
 	CRYPTO_SHA1_HMAC, "HMAC-SHA1",
-	20, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
+	SHA1_HMAC_KEY_LEN, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
 	SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
 };
 
 struct auth_hash auth_hash_hmac_ripemd_160 = {
 	CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
-	20, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX), RIPEMD160_HMAC_BLOCK_LEN,
+	RIPEMD160_HMAC_KEY_LEN, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX),
+	RIPEMD160_HMAC_BLOCK_LEN,
 	(void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int,
 	(void (*)(u_int8_t *, void *)) RMD160Final
 };
 
 struct auth_hash auth_hash_key_md5 = {
 	CRYPTO_MD5_KPDK, "Keyed MD5",
-	0, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
+	NULL_HMAC_KEY_LEN, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
 	(void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int,
 	(void (*)(u_int8_t *, void *)) MD5Final
 };
 
 struct auth_hash auth_hash_key_sha1 = {
 	CRYPTO_SHA1_KPDK, "Keyed SHA1",
-	0, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
+	NULL_HMAC_KEY_LEN, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
 	SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
 };
 
 struct auth_hash auth_hash_hmac_sha2_256 = {
 	CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
-	32, SHA2_256_HASH_LEN, sizeof(SHA256_CTX), SHA2_256_HMAC_BLOCK_LEN,
+	SHA2_256_HMAC_KEY_LEN, SHA2_256_HASH_LEN, sizeof(SHA256_CTX),
+	SHA2_256_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int,
 	(void (*)(u_int8_t *, void *)) SHA256_Final
 };
 
 struct auth_hash auth_hash_hmac_sha2_384 = {
 	CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
-	48, SHA2_384_HASH_LEN, sizeof(SHA384_CTX), SHA2_384_HMAC_BLOCK_LEN,
+	SHA2_384_HMAC_KEY_LEN, SHA2_384_HASH_LEN, sizeof(SHA384_CTX),
+	SHA2_384_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int,
 	(void (*)(u_int8_t *, void *)) SHA384_Final
 };
 
 struct auth_hash auth_hash_hmac_sha2_512 = {
 	CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
-	64, SHA2_512_HASH_LEN, sizeof(SHA512_CTX), SHA2_512_HMAC_BLOCK_LEN,
+	SHA2_512_HMAC_KEY_LEN, SHA2_512_HASH_LEN, sizeof(SHA512_CTX),
+	SHA2_512_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int,
 	(void (*)(u_int8_t *, void *)) SHA512_Final
 };
 
 struct auth_hash auth_hash_nist_gmac_aes_128 = {
 	CRYPTO_AES_128_NIST_GMAC, "GMAC-AES-128",
-	16, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN,
+	AES_128_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx),
+	GMAC_BLOCK_LEN,
 	(void (*)(void *)) AES_GMAC_Init,
 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
@@ -354,7 +364,8 @@ struct auth_hash auth_hash_nist_gmac_aes_128 = {
 
 struct auth_hash auth_hash_nist_gmac_aes_192 = {
 	CRYPTO_AES_192_NIST_GMAC, "GMAC-AES-192",
-	24, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN,
+	AES_192_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx),
+	GMAC_BLOCK_LEN,
 	(void (*)(void *)) AES_GMAC_Init,
 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
@@ -364,7 +375,8 @@ struct auth_hash auth_hash_nist_gmac_aes_192 = {
 
 struct auth_hash auth_hash_nist_gmac_aes_256 = {
 	CRYPTO_AES_256_NIST_GMAC, "GMAC-AES-256",
-	32, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN,
+	AES_256_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx),
+	GMAC_BLOCK_LEN,
 	(void (*)(void *)) AES_GMAC_Init,
 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,