Home | History | Annotate | Line # | Download | only in dev
cgd_crypto.c revision 1.27
      1  1.27  riastrad /* $NetBSD: cgd_crypto.c,v 1.27 2020/07/25 22:14:35 riastradh Exp $ */
      2   1.1     elric 
      3   1.1     elric /*-
      4   1.1     elric  * Copyright (c) 2002 The NetBSD Foundation, Inc.
      5   1.1     elric  * All rights reserved.
      6   1.1     elric  *
      7   1.1     elric  * This code is derived from software contributed to The NetBSD Foundation
      8   1.1     elric  * by Roland C. Dowdeswell.
      9   1.1     elric  *
     10   1.1     elric  * Redistribution and use in source and binary forms, with or without
     11   1.1     elric  * modification, are permitted provided that the following conditions
     12   1.1     elric  * are met:
     13   1.1     elric  * 1. Redistributions of source code must retain the above copyright
     14   1.1     elric  *    notice, this list of conditions and the following disclaimer.
     15   1.1     elric  * 2. Redistributions in binary form must reproduce the above copyright
     16   1.1     elric  *    notice, this list of conditions and the following disclaimer in the
     17   1.1     elric  *    documentation and/or other materials provided with the distribution.
     18   1.1     elric  *
     19   1.1     elric  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     20   1.1     elric  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     21   1.1     elric  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     22   1.1     elric  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     23   1.1     elric  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     24   1.1     elric  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     25   1.1     elric  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     26   1.1     elric  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     27   1.1     elric  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     28   1.1     elric  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     29   1.1     elric  * POSSIBILITY OF SUCH DAMAGE.
     30   1.1     elric  */
     31   1.1     elric 
     32   1.1     elric /*
     33   1.1     elric  *  Crypto Framework For cgd.c
     34   1.1     elric  *
     35   1.1     elric  *	This framework is temporary and awaits a more complete
     36   1.1     elric  *	kernel wide crypto implementation.
     37   1.1     elric  */
     38   1.1     elric 
     39   1.1     elric #include <sys/cdefs.h>
     40  1.27  riastrad __KERNEL_RCSID(0, "$NetBSD: cgd_crypto.c,v 1.27 2020/07/25 22:14:35 riastradh Exp $");
     41   1.1     elric 
     42   1.1     elric #include <sys/param.h>
     43  1.21  riastrad #include <sys/kmem.h>
     44   1.1     elric #include <sys/systm.h>
     45   1.1     elric 
     46   1.1     elric #include <dev/cgd_crypto.h>
     47   1.1     elric 
     48  1.26  riastrad #include <crypto/adiantum/adiantum.h>
     49  1.24  riastrad #include <crypto/aes/aes.h>
     50  1.27  riastrad #include <crypto/aes/aes_cbc.h>
     51  1.27  riastrad #include <crypto/aes/aes_xts.h>
     52  1.19  riastrad #include <crypto/blowfish/blowfish.h>
     53  1.19  riastrad #include <crypto/des/des.h>
     54  1.11  christos 
     55   1.1     elric /*
     56   1.1     elric  * The general framework provides only one generic function.
     57  1.16  gutterid  * It takes the name of an algorithm and returns a struct cryptfuncs *
     58   1.1     elric  * for it.  It is up to the initialisation routines of the algorithm
     59   1.1     elric  * to check key size and block size.
     60   1.1     elric  */
     61   1.1     elric 
     62  1.14     alnsn static cfunc_init		cgd_cipher_aes_cbc_init;
     63  1.14     alnsn static cfunc_destroy		cgd_cipher_aes_cbc_destroy;
     64  1.14     alnsn static cfunc_cipher		cgd_cipher_aes_cbc;
     65  1.14     alnsn 
     66  1.14     alnsn static cfunc_init		cgd_cipher_aes_xts_init;
     67  1.14     alnsn static cfunc_destroy		cgd_cipher_aes_xts_destroy;
     68  1.14     alnsn static cfunc_cipher		cgd_cipher_aes_xts;
     69  1.14     alnsn 
     70  1.14     alnsn static cfunc_init		cgd_cipher_3des_init;
     71  1.14     alnsn static cfunc_destroy		cgd_cipher_3des_destroy;
     72  1.14     alnsn static cfunc_cipher		cgd_cipher_3des_cbc;
     73  1.14     alnsn 
     74  1.14     alnsn static cfunc_init		cgd_cipher_bf_init;
     75  1.14     alnsn static cfunc_destroy		cgd_cipher_bf_destroy;
     76  1.14     alnsn static cfunc_cipher		cgd_cipher_bf_cbc;
     77  1.11  christos 
     78  1.26  riastrad static cfunc_init		cgd_cipher_adiantum_init;
     79  1.26  riastrad static cfunc_destroy		cgd_cipher_adiantum_destroy;
     80  1.26  riastrad static cfunc_cipher		cgd_cipher_adiantum_crypt;
     81  1.26  riastrad 
     82  1.11  christos static const struct cryptfuncs cf[] = {
     83  1.11  christos 	{
     84  1.14     alnsn 		.cf_name	= "aes-xts",
     85  1.14     alnsn 		.cf_init	= cgd_cipher_aes_xts_init,
     86  1.14     alnsn 		.cf_destroy	= cgd_cipher_aes_xts_destroy,
     87  1.14     alnsn 		.cf_cipher	= cgd_cipher_aes_xts,
     88  1.14     alnsn 	},
     89  1.14     alnsn 	{
     90  1.11  christos 		.cf_name	= "aes-cbc",
     91  1.14     alnsn 		.cf_init	= cgd_cipher_aes_cbc_init,
     92  1.14     alnsn 		.cf_destroy	= cgd_cipher_aes_cbc_destroy,
     93  1.11  christos 		.cf_cipher	= cgd_cipher_aes_cbc,
     94  1.11  christos 	},
     95  1.11  christos 	{
     96  1.11  christos 		.cf_name	= "3des-cbc",
     97  1.11  christos 		.cf_init	= cgd_cipher_3des_init,
     98  1.11  christos 		.cf_destroy	= cgd_cipher_3des_destroy,
     99  1.11  christos 		.cf_cipher	= cgd_cipher_3des_cbc,
    100  1.11  christos 	},
    101  1.11  christos 	{
    102  1.11  christos 		.cf_name	= "blowfish-cbc",
    103  1.11  christos 		.cf_init	= cgd_cipher_bf_init,
    104  1.11  christos 		.cf_destroy	= cgd_cipher_bf_destroy,
    105  1.11  christos 		.cf_cipher	= cgd_cipher_bf_cbc,
    106  1.11  christos 	},
    107  1.26  riastrad 	{
    108  1.26  riastrad 		.cf_name	= "adiantum",
    109  1.26  riastrad 		.cf_init	= cgd_cipher_adiantum_init,
    110  1.26  riastrad 		.cf_destroy	= cgd_cipher_adiantum_destroy,
    111  1.26  riastrad 		.cf_cipher	= cgd_cipher_adiantum_crypt,
    112  1.26  riastrad 	},
    113  1.11  christos };
    114  1.11  christos const struct cryptfuncs *
    115   1.6  christos cryptfuncs_find(const char *alg)
    116   1.1     elric {
    117   1.1     elric 
    118  1.11  christos 	for (size_t i = 0; i < __arraycount(cf); i++)
    119  1.11  christos 		if (strcmp(cf[i].cf_name, alg) == 0)
    120  1.11  christos 			return &cf[i];
    121  1.11  christos 
    122   1.1     elric 	return NULL;
    123   1.1     elric }
    124   1.1     elric 
    125   1.1     elric /*
    126   1.1     elric  *  AES Framework
    127   1.1     elric  */
    128   1.1     elric 
    129   1.1     elric struct aes_privdata {
    130  1.24  riastrad 	struct aesenc	ap_enckey;
    131  1.24  riastrad 	struct aesdec	ap_deckey;
    132  1.24  riastrad 	uint32_t	ap_nrounds;
    133   1.1     elric };
    134   1.1     elric 
    135  1.11  christos static void *
    136  1.14     alnsn cgd_cipher_aes_cbc_init(size_t keylen, const void *key, size_t *blocksize)
    137   1.1     elric {
    138   1.1     elric 	struct	aes_privdata *ap;
    139   1.1     elric 
    140   1.1     elric 	if (!blocksize)
    141   1.1     elric 		return NULL;
    142   1.1     elric 	if (keylen != 128 && keylen != 192 && keylen != 256)
    143   1.1     elric 		return NULL;
    144   1.6  christos 	if (*blocksize == (size_t)-1)
    145   1.1     elric 		*blocksize = 128;
    146   1.1     elric 	if (*blocksize != 128)
    147   1.1     elric 		return NULL;
    148  1.21  riastrad 	ap = kmem_zalloc(sizeof(*ap), KM_SLEEP);
    149  1.24  riastrad 	switch (keylen) {
    150  1.24  riastrad 	case 128:
    151  1.24  riastrad 		aes_setenckey128(&ap->ap_enckey, key);
    152  1.24  riastrad 		aes_setdeckey128(&ap->ap_deckey, key);
    153  1.24  riastrad 		ap->ap_nrounds = AES_128_NROUNDS;
    154  1.24  riastrad 		break;
    155  1.24  riastrad 	case 192:
    156  1.24  riastrad 		aes_setenckey192(&ap->ap_enckey, key);
    157  1.24  riastrad 		aes_setdeckey192(&ap->ap_deckey, key);
    158  1.24  riastrad 		ap->ap_nrounds = AES_192_NROUNDS;
    159  1.24  riastrad 		break;
    160  1.24  riastrad 	case 256:
    161  1.24  riastrad 		aes_setenckey256(&ap->ap_enckey, key);
    162  1.24  riastrad 		aes_setdeckey256(&ap->ap_deckey, key);
    163  1.24  riastrad 		ap->ap_nrounds = AES_256_NROUNDS;
    164  1.24  riastrad 		break;
    165  1.24  riastrad 	}
    166   1.6  christos 	return ap;
    167   1.1     elric }
    168   1.1     elric 
    169  1.11  christos static void
    170  1.14     alnsn cgd_cipher_aes_cbc_destroy(void *data)
    171   1.1     elric {
    172   1.6  christos 	struct aes_privdata *apd = data;
    173   1.1     elric 
    174  1.12  riastrad 	explicit_memset(apd, 0, sizeof(*apd));
    175  1.21  riastrad 	kmem_free(apd, sizeof(*apd));
    176   1.1     elric }
    177   1.1     elric 
    178  1.11  christos static void
    179  1.23  riastrad cgd_cipher_aes_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
    180  1.23  riastrad     const void *blkno, int dir)
    181   1.1     elric {
    182   1.6  christos 	struct aes_privdata	*apd = privdata;
    183  1.25  riastrad 	uint8_t iv[CGD_AES_BLOCK_SIZE] __aligned(CGD_AES_BLOCK_SIZE) = {0};
    184  1.18  riastrad 
    185  1.23  riastrad 	/* Compute the CBC IV as AES_k(blkno).  */
    186  1.24  riastrad 	aes_enc(&apd->ap_enckey, blkno, iv, apd->ap_nrounds);
    187   1.1     elric 
    188   1.1     elric 	switch (dir) {
    189   1.1     elric 	case CGD_CIPHER_ENCRYPT:
    190  1.24  riastrad 		aes_cbc_enc(&apd->ap_enckey, src, dst, nbytes, iv,
    191  1.24  riastrad 		    apd->ap_nrounds);
    192   1.1     elric 		break;
    193   1.1     elric 	case CGD_CIPHER_DECRYPT:
    194  1.24  riastrad 		aes_cbc_dec(&apd->ap_deckey, src, dst, nbytes, iv,
    195  1.24  riastrad 		    apd->ap_nrounds);
    196  1.14     alnsn 		break;
    197  1.14     alnsn 	default:
    198  1.17  riastrad 		panic("%s: unrecognised direction %d", __func__, dir);
    199  1.14     alnsn 	}
    200  1.14     alnsn }
    201  1.14     alnsn 
    202  1.22  riastrad /*
    203  1.22  riastrad  * AES-XTS
    204  1.22  riastrad  */
    205  1.22  riastrad 
    206  1.22  riastrad struct aesxts {
    207  1.24  riastrad 	struct aesenc	ax_enckey;
    208  1.24  riastrad 	struct aesdec	ax_deckey;
    209  1.24  riastrad 	struct aesenc	ax_tweakkey;
    210  1.24  riastrad 	uint32_t	ax_nrounds;
    211  1.22  riastrad };
    212  1.22  riastrad 
    213  1.14     alnsn static void *
    214  1.14     alnsn cgd_cipher_aes_xts_init(size_t keylen, const void *xtskey, size_t *blocksize)
    215  1.14     alnsn {
    216  1.22  riastrad 	struct aesxts *ax;
    217  1.14     alnsn 	const char *key, *key2; /* XTS key is made of two AES keys. */
    218  1.14     alnsn 
    219  1.14     alnsn 	if (!blocksize)
    220  1.14     alnsn 		return NULL;
    221  1.14     alnsn 	if (keylen != 256 && keylen != 512)
    222  1.14     alnsn 		return NULL;
    223  1.14     alnsn 	if (*blocksize == (size_t)-1)
    224  1.14     alnsn 		*blocksize = 128;
    225  1.14     alnsn 	if (*blocksize != 128)
    226  1.14     alnsn 		return NULL;
    227  1.14     alnsn 
    228  1.22  riastrad 	ax = kmem_zalloc(sizeof(*ax), KM_SLEEP);
    229  1.14     alnsn 	keylen /= 2;
    230  1.14     alnsn 	key = xtskey;
    231  1.14     alnsn 	key2 = key + keylen / CHAR_BIT;
    232  1.14     alnsn 
    233  1.24  riastrad 	switch (keylen) {
    234  1.24  riastrad 	case 128:
    235  1.24  riastrad 		aes_setenckey128(&ax->ax_enckey, key);
    236  1.24  riastrad 		aes_setdeckey128(&ax->ax_deckey, key);
    237  1.24  riastrad 		aes_setenckey128(&ax->ax_tweakkey, key2);
    238  1.24  riastrad 		ax->ax_nrounds = AES_128_NROUNDS;
    239  1.24  riastrad 		break;
    240  1.24  riastrad 	case 256:
    241  1.24  riastrad 		aes_setenckey256(&ax->ax_enckey, key);
    242  1.24  riastrad 		aes_setdeckey256(&ax->ax_deckey, key);
    243  1.24  riastrad 		aes_setenckey256(&ax->ax_tweakkey, key2);
    244  1.24  riastrad 		ax->ax_nrounds = AES_256_NROUNDS;
    245  1.24  riastrad 		break;
    246  1.24  riastrad 	}
    247  1.14     alnsn 
    248  1.22  riastrad 	return ax;
    249  1.14     alnsn }
    250  1.14     alnsn 
    251  1.14     alnsn static void
    252  1.22  riastrad cgd_cipher_aes_xts_destroy(void *cookie)
    253  1.14     alnsn {
    254  1.22  riastrad 	struct aesxts *ax = cookie;
    255  1.14     alnsn 
    256  1.22  riastrad 	explicit_memset(ax, 0, sizeof(*ax));
    257  1.22  riastrad 	kmem_free(ax, sizeof(*ax));
    258  1.14     alnsn }
    259  1.14     alnsn 
    260  1.14     alnsn static void
    261  1.23  riastrad cgd_cipher_aes_xts(void *cookie, void *dst, const void *src, size_t nbytes,
    262  1.23  riastrad     const void *blkno, int dir)
    263  1.14     alnsn {
    264  1.22  riastrad 	struct aesxts *ax = cookie;
    265  1.23  riastrad 	uint8_t tweak[CGD_AES_BLOCK_SIZE];
    266  1.18  riastrad 
    267  1.23  riastrad 	/* Compute the initial tweak as AES_k(blkno).  */
    268  1.24  riastrad 	aes_enc(&ax->ax_tweakkey, blkno, tweak, ax->ax_nrounds);
    269  1.14     alnsn 
    270  1.14     alnsn 	switch (dir) {
    271  1.14     alnsn 	case CGD_CIPHER_ENCRYPT:
    272  1.24  riastrad 		aes_xts_enc(&ax->ax_enckey, src, dst, nbytes, tweak,
    273  1.24  riastrad 		    ax->ax_nrounds);
    274  1.14     alnsn 		break;
    275  1.14     alnsn 	case CGD_CIPHER_DECRYPT:
    276  1.24  riastrad 		aes_xts_dec(&ax->ax_deckey, src, dst, nbytes, tweak,
    277  1.24  riastrad 		    ax->ax_nrounds);
    278   1.1     elric 		break;
    279   1.1     elric 	default:
    280  1.17  riastrad 		panic("%s: unrecognised direction %d", __func__, dir);
    281   1.1     elric 	}
    282   1.1     elric }
    283   1.1     elric 
    284   1.1     elric /*
    285   1.1     elric  * 3DES Framework
    286   1.1     elric  */
    287   1.1     elric 
    288   1.1     elric struct c3des_privdata {
    289   1.1     elric 	des_key_schedule	cp_key1;
    290   1.1     elric 	des_key_schedule	cp_key2;
    291   1.1     elric 	des_key_schedule	cp_key3;
    292   1.1     elric };
    293   1.1     elric 
    294  1.11  christos static void *
    295   1.7    cbiere cgd_cipher_3des_init(size_t keylen, const void *key, size_t *blocksize)
    296   1.1     elric {
    297   1.1     elric 	struct	c3des_privdata *cp;
    298   1.1     elric 	int	error = 0;
    299   1.7    cbiere 	des_cblock *block;
    300   1.1     elric 
    301   1.1     elric 	if (!blocksize)
    302   1.1     elric 		return NULL;
    303   1.6  christos 	if (*blocksize == (size_t)-1)
    304   1.1     elric 		*blocksize = 64;
    305   1.1     elric 	if (keylen != (DES_KEY_SZ * 3 * 8) || *blocksize != 64)
    306   1.1     elric 		return NULL;
    307  1.21  riastrad 	cp = kmem_zalloc(sizeof(*cp), KM_SLEEP);
    308   1.7    cbiere 	block = __UNCONST(key);
    309   1.7    cbiere 	error  = des_key_sched(block, cp->cp_key1);
    310   1.7    cbiere 	error |= des_key_sched(block + 1, cp->cp_key2);
    311   1.7    cbiere 	error |= des_key_sched(block + 2, cp->cp_key3);
    312   1.1     elric 	if (error) {
    313  1.12  riastrad 		explicit_memset(cp, 0, sizeof(*cp));
    314  1.21  riastrad 		kmem_free(cp, sizeof(*cp));
    315   1.1     elric 		return NULL;
    316   1.1     elric 	}
    317   1.6  christos 	return cp;
    318   1.1     elric }
    319   1.1     elric 
    320  1.11  christos static void
    321   1.6  christos cgd_cipher_3des_destroy(void *data)
    322   1.1     elric {
    323   1.6  christos 	struct c3des_privdata *cp = data;
    324   1.1     elric 
    325  1.12  riastrad 	explicit_memset(cp, 0, sizeof(*cp));
    326  1.21  riastrad 	kmem_free(cp, sizeof(*cp));
    327   1.1     elric }
    328   1.1     elric 
    329   1.1     elric static void
    330  1.23  riastrad cgd_cipher_3des_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
    331  1.23  riastrad     const void *blkno, int dir)
    332   1.1     elric {
    333   1.6  christos 	struct	c3des_privdata *cp = privdata;
    334  1.18  riastrad 	des_cblock zero;
    335  1.23  riastrad 	uint8_t iv[CGD_3DES_BLOCK_SIZE];
    336  1.18  riastrad 
    337  1.23  riastrad 	/* Compute the CBC IV as 3DES_k(blkno) = 3DES-CBC_k(iv=blkno, 0).  */
    338  1.18  riastrad 	memset(&zero, 0, sizeof(zero));
    339  1.23  riastrad 	des_ede3_cbc_encrypt(blkno, iv, CGD_3DES_BLOCK_SIZE,
    340  1.18  riastrad 	    cp->cp_key1, cp->cp_key2, cp->cp_key3, &zero, /*encrypt*/1);
    341   1.1     elric 
    342   1.1     elric 	switch (dir) {
    343   1.1     elric 	case CGD_CIPHER_ENCRYPT:
    344  1.23  riastrad 		des_ede3_cbc_encrypt(src, dst, nbytes,
    345  1.23  riastrad 		    cp->cp_key1, cp->cp_key2, cp->cp_key3,
    346  1.23  riastrad 		    (des_cblock *)iv, /*encrypt*/1);
    347   1.1     elric 		break;
    348   1.1     elric 	case CGD_CIPHER_DECRYPT:
    349  1.23  riastrad 		des_ede3_cbc_encrypt(src, dst, nbytes,
    350  1.23  riastrad 		    cp->cp_key1, cp->cp_key2, cp->cp_key3,
    351  1.23  riastrad 		    (des_cblock *)iv, /*encrypt*/0);
    352   1.1     elric 		break;
    353   1.1     elric 	default:
    354  1.17  riastrad 		panic("%s: unrecognised direction %d", __func__, dir);
    355   1.1     elric 	}
    356   1.1     elric }
    357   1.1     elric 
    358   1.1     elric /*
    359   1.1     elric  * Blowfish Framework
    360   1.1     elric  */
    361   1.1     elric 
    362   1.1     elric struct bf_privdata {
    363   1.1     elric 	BF_KEY	bp_key;
    364   1.1     elric };
    365   1.1     elric 
    366   1.1     elric struct bf_encdata {
    367   1.1     elric 	BF_KEY		*be_key;
    368  1.18  riastrad 	uint8_t		 be_iv[CGD_BF_BLOCK_SIZE];
    369   1.1     elric };
    370   1.1     elric 
    371  1.11  christos static void *
    372   1.7    cbiere cgd_cipher_bf_init(size_t keylen, const void *key, size_t *blocksize)
    373   1.1     elric {
    374   1.1     elric 	struct	bf_privdata *bp;
    375   1.1     elric 
    376   1.1     elric 	if (!blocksize)
    377   1.1     elric 		return NULL;
    378   1.3       dan 	if (keylen < 40 || keylen > 448 || (keylen % 8 != 0))
    379   1.1     elric 		return NULL;
    380   1.6  christos 	if (*blocksize == (size_t)-1)
    381   1.1     elric 		*blocksize = 64;
    382   1.1     elric 	if (*blocksize != 64)
    383   1.1     elric 		return NULL;
    384  1.21  riastrad 	bp = kmem_zalloc(sizeof(*bp), KM_SLEEP);
    385   1.1     elric 	if (!bp)
    386   1.1     elric 		return NULL;
    387   1.3       dan 	BF_set_key(&bp->bp_key, keylen / 8, key);
    388   1.6  christos 	return bp;
    389   1.1     elric }
    390   1.1     elric 
    391  1.11  christos static void
    392   1.6  christos cgd_cipher_bf_destroy(void *data)
    393   1.1     elric {
    394   1.6  christos 	struct	bf_privdata *bp = data;
    395   1.1     elric 
    396  1.12  riastrad 	explicit_memset(bp, 0, sizeof(*bp));
    397  1.21  riastrad 	kmem_free(bp, sizeof(*bp));
    398   1.1     elric }
    399   1.1     elric 
    400  1.11  christos static void
    401  1.23  riastrad cgd_cipher_bf_cbc(void *privdata, void *dst, const void *src, size_t nbytes,
    402  1.23  riastrad     const void *blkno, int dir)
    403   1.1     elric {
    404   1.6  christos 	struct	bf_privdata *bp = privdata;
    405  1.23  riastrad 	uint8_t zero[CGD_BF_BLOCK_SIZE], iv[CGD_BF_BLOCK_SIZE];
    406  1.18  riastrad 
    407  1.23  riastrad 	/* Compute the CBC IV as Blowfish_k(blkno) = BF_CBC_k(blkno, 0).  */
    408  1.23  riastrad 	memset(zero, 0, sizeof(zero));
    409  1.23  riastrad 	BF_cbc_encrypt(blkno, iv, CGD_BF_BLOCK_SIZE, &bp->bp_key, zero,
    410  1.18  riastrad 	    /*encrypt*/1);
    411   1.1     elric 
    412   1.1     elric 	switch (dir) {
    413   1.1     elric 	case CGD_CIPHER_ENCRYPT:
    414  1.23  riastrad 		BF_cbc_encrypt(src, dst, nbytes, &bp->bp_key, iv,
    415  1.23  riastrad 		    /*encrypt*/1);
    416   1.1     elric 		break;
    417   1.1     elric 	case CGD_CIPHER_DECRYPT:
    418  1.23  riastrad 		BF_cbc_encrypt(src, dst, nbytes, &bp->bp_key, iv,
    419  1.23  riastrad 		    /*encrypt*/0);
    420   1.1     elric 		break;
    421   1.1     elric 	default:
    422  1.17  riastrad 		panic("%s: unrecognised direction %d", __func__, dir);
    423   1.1     elric 	}
    424   1.1     elric }
    425  1.26  riastrad 
    426  1.26  riastrad /*
    427  1.26  riastrad  * Adiantum
    428  1.26  riastrad  */
    429  1.26  riastrad 
    430  1.26  riastrad static void *
    431  1.26  riastrad cgd_cipher_adiantum_init(size_t keylen, const void *key, size_t *blocksize)
    432  1.26  riastrad {
    433  1.26  riastrad 	struct adiantum *A;
    434  1.26  riastrad 
    435  1.26  riastrad 	if (!blocksize)
    436  1.26  riastrad 		return NULL;
    437  1.26  riastrad 	if (keylen != 256)
    438  1.26  riastrad 		return NULL;
    439  1.26  riastrad 	if (*blocksize == (size_t)-1)
    440  1.26  riastrad 		*blocksize = 128;
    441  1.26  riastrad 	if (*blocksize != 128)
    442  1.26  riastrad 		return NULL;
    443  1.26  riastrad 
    444  1.26  riastrad 	A = kmem_zalloc(sizeof(*A), KM_SLEEP);
    445  1.26  riastrad 	adiantum_init(A, key);
    446  1.26  riastrad 
    447  1.26  riastrad 	return A;
    448  1.26  riastrad }
    449  1.26  riastrad 
    450  1.26  riastrad static void
    451  1.26  riastrad cgd_cipher_adiantum_destroy(void *cookie)
    452  1.26  riastrad {
    453  1.26  riastrad 	struct adiantum *A = cookie;
    454  1.26  riastrad 
    455  1.26  riastrad 	explicit_memset(A, 0, sizeof(*A));
    456  1.26  riastrad 	kmem_free(A, sizeof(*A));
    457  1.26  riastrad }
    458  1.26  riastrad 
    459  1.26  riastrad static void
    460  1.26  riastrad cgd_cipher_adiantum_crypt(void *cookie, void *dst, const void *src,
    461  1.26  riastrad     size_t nbytes, const void *blkno, int dir)
    462  1.26  riastrad {
    463  1.26  riastrad 	/*
    464  1.26  riastrad 	 * Treat the block number as a 128-bit block.  This is more
    465  1.26  riastrad 	 * than twice as big as the largest number of reasonable
    466  1.26  riastrad 	 * blocks, but it doesn't hurt (it would be rounded up to a
    467  1.26  riastrad 	 * 128-bit input anyway).
    468  1.26  riastrad 	 */
    469  1.26  riastrad 	const unsigned tweaklen = 16;
    470  1.26  riastrad 	struct adiantum *A = cookie;
    471  1.26  riastrad 
    472  1.26  riastrad 	switch (dir) {
    473  1.26  riastrad 	case CGD_CIPHER_ENCRYPT:
    474  1.26  riastrad 		adiantum_enc(dst, src, nbytes, blkno, tweaklen, A);
    475  1.26  riastrad 		break;
    476  1.26  riastrad 	case CGD_CIPHER_DECRYPT:
    477  1.26  riastrad 		adiantum_dec(dst, src, nbytes, blkno, tweaklen, A);
    478  1.26  riastrad 		break;
    479  1.26  riastrad 	default:
    480  1.26  riastrad 		panic("%s: unrecognised direction %d", __func__, dir);
    481  1.26  riastrad 	}
    482  1.26  riastrad }
    483