opencrypto: Switch from legacy rijndael API to new aes API.

While here, apply various rijndael->aes renames, reduce the size
of aesxcbc_ctx by 480 bytes, and convert some malloc->kmem.

Leave in the symbol enc_xform_rijndael128 for now, though, so this
doesn't break any kernel ABI.

sys/opencrypto/aesxcbcmac.c

@@ -1,4 +1,4 @@
-/* $NetBSD: aesxcbcmac.c,v 1.2 2016/09/26 14:50:54 christos Exp $ */
+/* $NetBSD: aesxcbcmac.c,v 1.3 2020/06/29 23:34:48 riastradh Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
@@ -30,11 +30,12 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: aesxcbcmac.c,v 1.2 2016/09/26 14:50:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: aesxcbcmac.c,v 1.3 2020/06/29 23:34:48 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
-#include <crypto/rijndael/rijndael.h>
+
+#include <crypto/aes/aes.h>
 
 #include <opencrypto/aesxcbcmac.h>
 
@@ -47,24 +48,31 @@ aes_xcbc_mac_init(void *vctx, const uint8_t *key, u_int16_t keylen)
 	    { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 };
 	static const uint8_t k3seed[AES_BLOCKSIZE] =
 	    { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 };
-	u_int32_t r_ks[(RIJNDAEL_MAXNR+1)*4];
+	struct aesenc r_ks;
 	aesxcbc_ctx *ctx;
 	uint8_t k1[AES_BLOCKSIZE];
 
 	ctx = vctx;
 	memset(ctx, 0, sizeof(*ctx));
 
-	if ((ctx->r_nr = rijndaelKeySetupEnc(r_ks, key, keylen * 8)) == 0)
-		return -1;
-	rijndaelEncrypt(r_ks, ctx->r_nr, k1seed, k1);
-	rijndaelEncrypt(r_ks, ctx->r_nr, k2seed, ctx->k2);
-	rijndaelEncrypt(r_ks, ctx->r_nr, k3seed, ctx->k3);
-	if (rijndaelKeySetupEnc(ctx->r_k1s, k1, AES_BLOCKSIZE * 8) == 0)
-		return -1;
-	if (rijndaelKeySetupEnc(ctx->r_k2s, ctx->k2, AES_BLOCKSIZE * 8) == 0)
-		return -1;
-	if (rijndaelKeySetupEnc(ctx->r_k3s, ctx->k3, AES_BLOCKSIZE * 8) == 0)
-		return -1;
+	switch (keylen) {
+	case 16:
+		ctx->r_nr = aes_setenckey128(&r_ks, key);
+		break;
+	case 24:
+		ctx->r_nr = aes_setenckey192(&r_ks, key);
+		break;
+	case 32:
+		ctx->r_nr = aes_setenckey256(&r_ks, key);
+		break;
+	}
+	aes_enc(&r_ks, k1seed, k1, ctx->r_nr);
+	aes_enc(&r_ks, k2seed, ctx->k2, ctx->r_nr);
+	aes_enc(&r_ks, k3seed, ctx->k3, ctx->r_nr);
+	aes_setenckey128(&ctx->r_k1s, k1);
+
+	explicit_memset(&r_ks, 0, sizeof(r_ks));
+	explicit_memset(k1, 0, sizeof(k1));
 
 	return 0;
 }
@@ -83,7 +91,7 @@ aes_xcbc_mac_loop(void *vctx, const uint8_t *addr, u_int16_t len)
 	if (ctx->buflen == sizeof(ctx->buf)) {
 		for (i = 0; i < sizeof(ctx->e); i++)
 			ctx->buf[i] ^= ctx->e[i];
-		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
+		aes_enc(&ctx->r_k1s, ctx->buf, ctx->e, ctx->r_nr);
 		ctx->buflen = 0;
 	}
 	if (ctx->buflen + len < sizeof(ctx->buf)) {
@@ -96,7 +104,7 @@ aes_xcbc_mac_loop(void *vctx, const uint8_t *addr, u_int16_t len)
 		    sizeof(ctx->buf) - ctx->buflen);
 		for (i = 0; i < sizeof(ctx->e); i++)
 			ctx->buf[i] ^= ctx->e[i];
-		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
+		aes_enc(&ctx->r_k1s, ctx->buf, ctx->e, ctx->r_nr);
 		addr += sizeof(ctx->buf) - ctx->buflen;
 		ctx->buflen = 0;
 	}
@@ -105,7 +113,7 @@ aes_xcbc_mac_loop(void *vctx, const uint8_t *addr, u_int16_t len)
 		memcpy(buf, addr, AES_BLOCKSIZE);
 		for (i = 0; i < sizeof(buf); i++)
 			buf[i] ^= ctx->e[i];
-		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, buf, ctx->e);
+		aes_enc(&ctx->r_k1s, buf, ctx->e, ctx->r_nr);
 		addr += AES_BLOCKSIZE;
 	}
 	if (addr < ep) {
@@ -129,7 +137,7 @@ aes_xcbc_mac_result(uint8_t *addr, void *vctx)
 			ctx->buf[i] ^= ctx->e[i];
 			ctx->buf[i] ^= ctx->k2[i];
 		}
-		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
+		aes_enc(&ctx->r_k1s, ctx->buf, digest, ctx->r_nr);
 	} else {
 		for (i = ctx->buflen; i < sizeof(ctx->buf); i++)
 			ctx->buf[i] = (i == ctx->buflen) ? 0x80 : 0x00;
@@ -137,7 +145,7 @@ aes_xcbc_mac_result(uint8_t *addr, void *vctx)
 			ctx->buf[i] ^= ctx->e[i];
 			ctx->buf[i] ^= ctx->k3[i];
 		}
-		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
+		aes_enc(&ctx->r_k1s, ctx->buf, digest, ctx->r_nr);
 	}
 
 	memcpy(addr, digest, sizeof(digest));

sys/opencrypto/aesxcbcmac.h

@@ -1,4 +1,7 @@
-/* $NetBSD: aesxcbcmac.h,v 1.1 2011/05/24 19:10:09 drochner Exp $ */
+/* $NetBSD: aesxcbcmac.h,v 1.2 2020/06/29 23:34:48 riastradh Exp $ */
+
+#ifndef	_OPENCRYPTO_AESXCBCMAC_H
+#define	_OPENCRYPTO_AESXCBCMAC_H
 
 #include <sys/types.h>
 
@@ -8,9 +11,7 @@ typedef struct {
 	u_int8_t	e[AES_BLOCKSIZE];
 	u_int8_t	buf[AES_BLOCKSIZE];
 	size_t		buflen;
-	u_int32_t	r_k1s[(RIJNDAEL_MAXNR+1)*4];
-	u_int32_t	r_k2s[(RIJNDAEL_MAXNR+1)*4];
-	u_int32_t	r_k3s[(RIJNDAEL_MAXNR+1)*4];
+	struct aesenc	r_k1s;
 	int		r_nr; /* key-length-dependent number of rounds */
 	u_int8_t	k2[AES_BLOCKSIZE];
 	u_int8_t	k3[AES_BLOCKSIZE];
@@ -19,3 +20,5 @@ typedef struct {
 int aes_xcbc_mac_init(void *, const u_int8_t *, u_int16_t);
 int aes_xcbc_mac_loop(void *, const u_int8_t *, u_int16_t);
 void aes_xcbc_mac_result(u_int8_t *, void *);
+
+#endif	/* _OPENCRYPTO_AESXCBCMAC_H */

sys/opencrypto/cryptosoft.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: cryptosoft.c,v 1.55 2020/06/14 23:23:55 riastradh Exp $ */
+/*	$NetBSD: cryptosoft.c,v 1.56 2020/06/29 23:34:48 riastradh Exp $ */
 /*	$FreeBSD: src/sys/opencrypto/cryptosoft.c,v 1.2.2.1 2002/11/21 23:34:23 sam Exp $	*/
 /*	$OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $	*/
 
@@ -24,7 +24,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cryptosoft.c,v 1.55 2020/06/14 23:23:55 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cryptosoft.c,v 1.56 2020/06/29 23:34:48 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -831,8 +831,8 @@ swcr_newsession(void *arg, u_int32_t *sid, struct cryptoini *cri)
 		case CRYPTO_SKIPJACK_CBC:
 			txf = &swcr_enc_xform_skipjack;
 			goto enccommon;
-		case CRYPTO_RIJNDAEL128_CBC:
-			txf = &swcr_enc_xform_rijndael128;
+		case CRYPTO_AES_CBC:
+			txf = &swcr_enc_xform_aes;
 			goto enccommon;
 		case CRYPTO_CAMELLIA_CBC:
 			txf = &swcr_enc_xform_camellia;
@@ -890,15 +890,13 @@ swcr_newsession(void *arg, u_int32_t *sid, struct cryptoini *cri)
 			axf = &swcr_auth_hash_hmac_ripemd_160_96;
 			goto authcommon;	/* leave this for safety */
 		authcommon:
-			(*swd)->sw_ictx = malloc(axf->ctxsize,
-			    M_CRYPTO_DATA, M_NOWAIT);
+			(*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
 			if ((*swd)->sw_ictx == NULL) {
 				swcr_freesession(NULL, i);
 				return ENOBUFS;
 			}
 
-			(*swd)->sw_octx = malloc(axf->ctxsize,
-			    M_CRYPTO_DATA, M_NOWAIT);
+			(*swd)->sw_octx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
 			if ((*swd)->sw_octx == NULL) {
 				swcr_freesession(NULL, i);
 				return ENOBUFS;
@@ -936,16 +934,15 @@ swcr_newsession(void *arg, u_int32_t *sid, struct cryptoini *cri)
 			CTASSERT(SHA1_DIGEST_LENGTH >= MD5_DIGEST_LENGTH);
 			axf = &swcr_auth_hash_key_sha1;
 		auth2common:
-			(*swd)->sw_ictx = malloc(axf->ctxsize,
-			    M_CRYPTO_DATA, M_NOWAIT);
+			(*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
 			if ((*swd)->sw_ictx == NULL) {
 				swcr_freesession(NULL, i);
 				return ENOBUFS;
 			}
 
 			/* Store the key so we can "append" it to the payload */
-			(*swd)->sw_octx = malloc(cri->cri_klen / 8, M_CRYPTO_DATA,
-			    M_NOWAIT);
+			(*swd)->sw_octx = kmem_alloc(cri->cri_klen / 8,
+			    KM_NOSLEEP);
 			if ((*swd)->sw_octx == NULL) {
 				swcr_freesession(NULL, i);
 				return ENOBUFS;
@@ -968,8 +965,7 @@ swcr_newsession(void *arg, u_int32_t *sid, struct cryptoini *cri)
 		case CRYPTO_SHA1:
 			axf = &swcr_auth_hash_sha1;
 		auth3common:
-			(*swd)->sw_ictx = malloc(axf->ctxsize,
-			    M_CRYPTO_DATA, M_NOWAIT);
+			(*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
 			if ((*swd)->sw_ictx == NULL) {
 				swcr_freesession(NULL, i);
 				return ENOBUFS;
@@ -991,8 +987,7 @@ swcr_newsession(void *arg, u_int32_t *sid, struct cryptoini *cri)
 		case CRYPTO_AES_256_GMAC:
 			axf = &swcr_auth_hash_gmac_aes_256;
 		auth4common:
-			(*swd)->sw_ictx = malloc(axf->ctxsize,
-			    M_CRYPTO_DATA, M_NOWAIT);
+			(*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
 			if ((*swd)->sw_ictx == NULL) {
 				swcr_freesession(NULL, i);
 				return ENOBUFS;
@@ -1057,7 +1052,7 @@ swcr_freesession(void *arg, u_int64_t tid)
 		case CRYPTO_BLF_CBC:
 		case CRYPTO_CAST_CBC:
 		case CRYPTO_SKIPJACK_CBC:
-		case CRYPTO_RIJNDAEL128_CBC:
+		case CRYPTO_AES_CBC:
 		case CRYPTO_CAMELLIA_CBC:
 		case CRYPTO_AES_CTR:
 		case CRYPTO_AES_GCM_16:
@@ -1083,11 +1078,11 @@ swcr_freesession(void *arg, u_int64_t tid)
 
 			if (swd->sw_ictx) {
 				explicit_memset(swd->sw_ictx, 0, axf->ctxsize);
-				free(swd->sw_ictx, M_CRYPTO_DATA);
+				kmem_free(swd->sw_ictx, axf->ctxsize);
 			}
 			if (swd->sw_octx) {
 				explicit_memset(swd->sw_octx, 0, axf->ctxsize);
-				free(swd->sw_octx, M_CRYPTO_DATA);
+				kmem_free(swd->sw_octx, axf->ctxsize);
 			}
 			break;
 
@@ -1097,11 +1092,11 @@ swcr_freesession(void *arg, u_int64_t tid)
 
 			if (swd->sw_ictx) {
 				explicit_memset(swd->sw_ictx, 0, axf->ctxsize);
-				free(swd->sw_ictx, M_CRYPTO_DATA);
+				kmem_free(swd->sw_ictx, axf->ctxsize);
 			}
 			if (swd->sw_octx) {
 				explicit_memset(swd->sw_octx, 0, swd->sw_klen);
-				free(swd->sw_octx, M_CRYPTO_DATA);
+				kmem_free(swd->sw_octx, axf->ctxsize);
 			}
 			break;
 
@@ -1115,7 +1110,7 @@ swcr_freesession(void *arg, u_int64_t tid)
 
 			if (swd->sw_ictx) {
 				explicit_memset(swd->sw_ictx, 0, axf->ctxsize);
-				free(swd->sw_ictx, M_CRYPTO_DATA);
+				kmem_free(swd->sw_ictx, axf->ctxsize);
 			}
 			break;
 
@@ -1193,7 +1188,7 @@ swcr_process(void *arg, struct cryptop *crp, int hint)
 		case CRYPTO_BLF_CBC:
 		case CRYPTO_CAST_CBC:
 		case CRYPTO_SKIPJACK_CBC:
-		case CRYPTO_RIJNDAEL128_CBC:
+		case CRYPTO_AES_CBC:
 		case CRYPTO_CAMELLIA_CBC:
 		case CRYPTO_AES_CTR:
 			if ((crp->crp_etype = swcr_encdec(crd, sw,
@@ -1294,7 +1289,7 @@ swcr_init(void)
 	REGISTER(CRYPTO_AES_128_GMAC);
 	REGISTER(CRYPTO_AES_192_GMAC);
 	REGISTER(CRYPTO_AES_256_GMAC);
-	REGISTER(CRYPTO_RIJNDAEL128_CBC);
+	REGISTER(CRYPTO_AES_CBC);
 	REGISTER(CRYPTO_DEFLATE_COMP);
 	REGISTER(CRYPTO_DEFLATE_COMP_NOGROW);
 	REGISTER(CRYPTO_GZIP_COMP);

sys/opencrypto/cryptosoft_xform.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: cryptosoft_xform.c,v 1.28 2019/10/12 00:49:30 christos Exp $ */
+/*	$NetBSD: cryptosoft_xform.c,v 1.29 2020/06/29 23:34:48 riastradh Exp $ */
 /*	$FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $	*/
 /*	$OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $	*/
 
@@ -40,23 +40,24 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.28 2019/10/12 00:49:30 christos Exp $");
-
-#include <crypto/blowfish/blowfish.h>
-#include <crypto/cast128/cast128.h>
-#include <crypto/des/des.h>
-#include <crypto/rijndael/rijndael.h>
-#include <crypto/skipjack/skipjack.h>
-#include <crypto/camellia/camellia.h>
-
-#include <opencrypto/deflate.h>
+__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.29 2020/06/29 23:34:48 riastradh Exp $");
 
+#include <sys/cprng.h>
+#include <sys/kmem.h>
 #include <sys/md5.h>
 #include <sys/rmd160.h>
 #include <sys/sha1.h>
 #include <sys/sha2.h>
-#include <sys/cprng.h>
+
+#include <crypto/aes/aes.h>
+#include <crypto/blowfish/blowfish.h>
+#include <crypto/camellia/camellia.h>
+#include <crypto/cast128/cast128.h>
+#include <crypto/des/des.h>
+#include <crypto/skipjack/skipjack.h>
+
 #include <opencrypto/aesxcbcmac.h>
+#include <opencrypto/deflate.h>
 #include <opencrypto/gmac.h>
 
 struct swcr_auth_hash {
@@ -94,7 +95,7 @@ static	int des3_setkey(u_int8_t **, const u_int8_t *, int);
 static	int blf_setkey(u_int8_t **, const u_int8_t *, int);
 static	int cast5_setkey(u_int8_t **, const u_int8_t *, int);
 static  int skipjack_setkey(u_int8_t **, const u_int8_t *, int);
-static  int rijndael128_setkey(u_int8_t **, const u_int8_t *, int);
+static  int aes_setkey(u_int8_t **, const u_int8_t *, int);
 static  int cml_setkey(u_int8_t **, const u_int8_t *, int);
 static  int aes_ctr_setkey(u_int8_t **, const u_int8_t *, int);
 static	int aes_gmac_setkey(u_int8_t **, const u_int8_t *, int);
@@ -103,14 +104,14 @@ static	void des3_encrypt(void *, u_int8_t *);
 static	void blf_encrypt(void *, u_int8_t *);
 static	void cast5_encrypt(void *, u_int8_t *);
 static	void skipjack_encrypt(void *, u_int8_t *);
-static	void rijndael128_encrypt(void *, u_int8_t *);
+static	void aes_encrypt(void *, u_int8_t *);
 static  void cml_encrypt(void *, u_int8_t *);
 static	void des1_decrypt(void *, u_int8_t *);
 static	void des3_decrypt(void *, u_int8_t *);
 static	void blf_decrypt(void *, u_int8_t *);
 static	void cast5_decrypt(void *, u_int8_t *);
 static	void skipjack_decrypt(void *, u_int8_t *);
-static	void rijndael128_decrypt(void *, u_int8_t *);
+static	void aes_decrypt(void *, u_int8_t *);
 static  void cml_decrypt(void *, u_int8_t *);
 static  void aes_ctr_crypt(void *, u_int8_t *);
 static	void des1_zerokey(u_int8_t **);
@@ -118,7 +119,7 @@ static	void des3_zerokey(u_int8_t **);
 static	void blf_zerokey(u_int8_t **);
 static	void cast5_zerokey(u_int8_t **);
 static	void skipjack_zerokey(u_int8_t **);
-static	void rijndael128_zerokey(u_int8_t **);
+static	void aes_zerokey(u_int8_t **);
 static  void cml_zerokey(u_int8_t **);
 static  void aes_ctr_zerokey(u_int8_t **);
 static	void aes_gmac_zerokey(u_int8_t **);
@@ -204,12 +205,12 @@ static const struct swcr_enc_xform swcr_enc_xform_skipjack = {
 	NULL
 };
 
-static const struct swcr_enc_xform swcr_enc_xform_rijndael128 = {
+static const struct swcr_enc_xform swcr_enc_xform_aes = {
 	&enc_xform_rijndael128,
-	rijndael128_encrypt,
-	rijndael128_decrypt,
-	rijndael128_setkey,
-	rijndael128_zerokey,
+	aes_encrypt,
+	aes_decrypt,
+	aes_setkey,
+	aes_zerokey,
 	NULL
 };
 
@@ -599,38 +600,68 @@ skipjack_zerokey(u_int8_t **sched)
 	*sched = NULL;
 }
 
+struct aes_ctx {
+	struct aesenc	enc;
+	struct aesdec	dec;
+	uint32_t	nr;
+};
+
 static void
-rijndael128_encrypt(void *key, u_int8_t *blk)
+aes_encrypt(void *key, u_int8_t *blk)
 {
-	rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk);
+	struct aes_ctx *ctx = key;
+
+	aes_enc(&ctx->enc, blk, blk, ctx->nr);
 }
 
 static void
-rijndael128_decrypt(void *key, u_int8_t *blk)
+aes_decrypt(void *key, u_int8_t *blk)
 {
-	rijndael_decrypt((rijndael_ctx *) key, (u_char *) blk,
-	    (u_char *) blk);
+	struct aes_ctx *ctx = key;
+
+	aes_dec(&ctx->dec, blk, blk, ctx->nr);
 }
 
 static int
-rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len)
+aes_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 {
+	struct aes_ctx *ctx;
 
 	if (len != 16 && len != 24 && len != 32)
 		return EINVAL;
-	*sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA,
-	    M_NOWAIT|M_ZERO);
-	if (*sched == NULL)
+	ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP);
+	if (ctx == NULL)
 		return ENOMEM;
-	rijndael_set_key((rijndael_ctx *) *sched, key, len * 8);
+
+	switch (len) {
+	case 16:
+		aes_setenckey128(&ctx->enc, key);
+		aes_setdeckey128(&ctx->dec, key);
+		ctx->nr = AES_128_NROUNDS;
+		break;
+	case 24:
+		aes_setenckey192(&ctx->enc, key);
+		aes_setdeckey192(&ctx->dec, key);
+		ctx->nr = AES_192_NROUNDS;
+		break;
+	case 32:
+		aes_setenckey256(&ctx->enc, key);
+		aes_setdeckey256(&ctx->dec, key);
+		ctx->nr = AES_256_NROUNDS;
+		break;
+	}
+
+	*sched = (void *)ctx;
 	return 0;
 }
 
 static void
-rijndael128_zerokey(u_int8_t **sched)
+aes_zerokey(u_int8_t **sched)
 {
-	memset(*sched, 0, sizeof(rijndael_ctx));
-	free(*sched, M_CRYPTO_DATA);
+	struct aes_ctx *ctx = (void *)*sched;
+
+	explicit_memset(ctx, 0, sizeof(*ctx));
+	kmem_free(ctx, sizeof(*ctx));
 	*sched = NULL;
 }
 
@@ -678,7 +709,7 @@ cml_zerokey(u_int8_t **sched)
 
 struct aes_ctr_ctx {
 	/* need only encryption half */
-	u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)];
+	struct aesenc ac_ek;
 	u_int8_t ac_block[AESCTR_BLOCKSIZE];
 	int ac_nr;
 	struct {
@@ -699,10 +730,10 @@ aes_ctr_crypt(void *key, u_int8_t *blk)
 	     i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--)
 		if (++ctx->ac_block[i]) /* continue on overflow */
 			break;
-	rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
+	aes_enc(&ctx->ac_ek, ctx->ac_block, keystream, ctx->ac_nr);
 	for (i = 0; i < AESCTR_BLOCKSIZE; i++)
 		blk[i] ^= keystream[i];
-	memset(keystream, 0, sizeof(keystream));
+	explicit_memset(keystream, 0, sizeof(keystream));
 }
 
 int
@@ -713,13 +744,20 @@ aes_ctr_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 	if (len < AESCTR_NONCESIZE)
 		return EINVAL;
 
-	ctx = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA,
-		     M_NOWAIT|M_ZERO);
+	ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP);
 	if (!ctx)
 		return ENOMEM;
-	ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (const u_char *)key,
-			(len - AESCTR_NONCESIZE) * 8);
-	if (!ctx->ac_nr) { /* wrong key len */
+	switch (len) {
+	case 16 + AESCTR_NONCESIZE:
+		ctx->ac_nr = aes_setenckey128(&ctx->ac_ek, key);
+		break;
+	case 24 + AESCTR_NONCESIZE:
+		ctx->ac_nr = aes_setenckey192(&ctx->ac_ek, key);
+		break;
+	case 32 + AESCTR_NONCESIZE:
+		ctx->ac_nr = aes_setenckey256(&ctx->ac_ek, key);
+		break;
+	default:
 		aes_ctr_zerokey((u_int8_t **)&ctx);
 		return EINVAL;
 	}
@@ -733,9 +771,10 @@ aes_ctr_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 void
 aes_ctr_zerokey(u_int8_t **sched)
 {
+	struct aes_ctr_ctx *ctx = (void *)*sched;
 
-	memset(*sched, 0, sizeof(struct aes_ctr_ctx));
-	free(*sched, M_CRYPTO_DATA);
+	explicit_memset(ctx, 0, sizeof(*ctx));
+	kmem_free(ctx, sizeof(*ctx));
 	*sched = NULL;
 }
 
@@ -783,8 +822,7 @@ aes_gmac_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 {
 	struct aes_gmac_ctx *ctx;
 
-	ctx = malloc(sizeof(struct aes_gmac_ctx), M_CRYPTO_DATA,
-		     M_NOWAIT|M_ZERO);
+	ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP);
 	if (!ctx)
 		return ENOMEM;
 
@@ -797,8 +835,9 @@ aes_gmac_setkey(u_int8_t **sched, const u_int8_t *key, int len)
 void
 aes_gmac_zerokey(u_int8_t **sched)
 {
+	struct aes_gmac_ctx *ctx = (void *)*sched;
 
-	free(*sched, M_CRYPTO_DATA);
+	kmem_free(ctx, sizeof(*ctx));
 	*sched = NULL;
 }
 

sys/opencrypto/files.opencrypto

@@ -1,4 +1,4 @@
-#	$NetBSD: files.opencrypto,v 1.29 2020/04/22 09:15:40 rin Exp $
+#	$NetBSD: files.opencrypto,v 1.30 2020/06/29 23:34:48 riastradh Exp $
 #
 #
 
@@ -7,7 +7,7 @@
 # that use the opencrypto framework, should list opencrypto as a dependency
 # to pull in the framework.
 
-define	opencrypto: rijndael
+define	opencrypto: aes
 file	opencrypto/criov.c		opencrypto
 file	opencrypto/xform.c		opencrypto
 file	opencrypto/crypto.c		opencrypto

sys/opencrypto/gmac.c

@@ -1,4 +1,4 @@
-/* $NetBSD: gmac.c,v 1.3 2011/06/09 14:47:42 drochner Exp $ */
+/* $NetBSD: gmac.c,v 1.4 2020/06/29 23:34:48 riastradh Exp $ */
 /* OpenBSD: gmac.c,v 1.3 2011/01/11 15:44:23 deraadt Exp */
 
 /*
@@ -26,7 +26,8 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 
-#include <crypto/rijndael/rijndael.h>
+#include <crypto/aes/aes.h>
+
 #include <opencrypto/gmac.h>
 
 void	ghash_gfmul(const GMAC_INT *, const GMAC_INT *, GMAC_INT *);
@@ -114,13 +115,25 @@ AES_GMAC_Setkey(AES_GMAC_CTX *ctx, const uint8_t *key, uint16_t klen)
 {
 	int i;
 
-	ctx->rounds = rijndaelKeySetupEnc(ctx->K, (const u_char *)key,
-	    (klen - AESCTR_NONCESIZE) * 8);
+	switch (klen) {
+	case 16 + AESCTR_NONCESIZE:
+		ctx->rounds = aes_setenckey128(&ctx->K, key);
+		break;
+	case 24 + AESCTR_NONCESIZE:
+		ctx->rounds = aes_setenckey192(&ctx->K, key);
+		break;
+	case 32 + AESCTR_NONCESIZE:
+		ctx->rounds = aes_setenckey256(&ctx->K, key);
+		break;
+	default:
+		panic("invalid AES_GMAC_Setkey length in bytes: %u",
+		    (unsigned)klen);
+	}
 	/* copy out salt to the counter block */
 	memcpy(ctx->J, key + klen - AESCTR_NONCESIZE, AESCTR_NONCESIZE);
 	/* prepare a hash subkey */
-	rijndaelEncrypt(ctx->K, ctx->rounds, (void *)ctx->ghash.H,
-			(void *)ctx->ghash.H);
+	aes_enc(&ctx->K, (const void *)ctx->ghash.H, (void *)ctx->ghash.H,
+	    ctx->rounds);
 #if GMAC_INTLEN == 8
 	for (i = 0; i < 2; i++)
 		ctx->ghash.H[i] = be64toh(ctx->ghash.H[i]);
@@ -163,7 +176,7 @@ AES_GMAC_Final(uint8_t digest[GMAC_DIGEST_LEN], AES_GMAC_CTX *ctx)
 
 	/* do one round of GCTR */
 	ctx->J[GMAC_BLOCK_LEN - 1] = 1;
-	rijndaelEncrypt(ctx->K, ctx->rounds, ctx->J, keystream);
+	aes_enc(&ctx->K, ctx->J, keystream, ctx->rounds);
 	k = keystream;
 	d = digest;
 #if GMAC_INTLEN == 8

sys/opencrypto/gmac.h

@@ -1,4 +1,4 @@
-/* $NetBSD: gmac.h,v 1.2 2011/06/09 14:47:42 drochner Exp $ */
+/* $NetBSD: gmac.h,v 1.3 2020/06/29 23:34:48 riastradh Exp $ */
 /* OpenBSD: gmac.h,v 1.1 2010/09/22 11:54:23 mikeb Exp */
 
 /*
@@ -20,7 +20,7 @@
 #ifndef _GMAC_H_
 #define _GMAC_H_
 
-#include <crypto/rijndael/rijndael.h>
+#include <crypto/aes/aes.h>
 
 #define GMAC_BLOCK_LEN		16
 #define GMAC_DIGEST_LEN		16
@@ -41,7 +41,7 @@ typedef struct _GHASH_CTX {
 
 typedef struct _AES_GMAC_CTX {
 	GHASH_CTX	ghash;
-	uint32_t	K[4*(RIJNDAEL_MAXNR + 1)];
+	struct aesenc	K;
 	uint8_t		J[GMAC_BLOCK_LEN];		/* counter block */
 	int		rounds;
 } AES_GMAC_CTX;

sys/opencrypto/xform.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: xform.c,v 1.29 2017/07/06 08:27:07 ozaki-r Exp $ */
+/*	$NetBSD: xform.c,v 1.30 2020/06/29 23:34:48 riastradh Exp $ */
 /*	$FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $	*/
 /*	$OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $	*/
 
@@ -40,7 +40,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform.c,v 1.29 2017/07/06 08:27:07 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform.c,v 1.30 2020/06/29 23:34:48 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/malloc.h>
@@ -145,8 +145,8 @@ const struct enc_xform enc_xform_skipjack = {
 };
 
 const struct enc_xform enc_xform_rijndael128 = {
-	.type		= CRYPTO_RIJNDAEL128_CBC,
-	.name		= "Rijndael-128/AES",
+	.type		= CRYPTO_AES_CBC,
+	.name		= "AES",
 	.blocksize	= 16,
 	.ivsize		= 16,
 	.minkey		= 16,