From owner-svn-src-all@freebsd.org  Thu Jul  9 21:05:49 2015
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 72359997457;
 Thu,  9 Jul 2015 21:05:49 +0000 (UTC)
 (envelope-from gnn@neville-neil.com)
Received: from smtp.hungerhost.com (smtp.hungerhost.com [216.38.53.177])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4B70F1ACB;
 Thu,  9 Jul 2015 21:05:48 +0000 (UTC)
 (envelope-from gnn@neville-neil.com)
Received: from pool-108-54-164-204.nycmny.fios.verizon.net
 ([108.54.164.204]:63053 helo=[192.168.1.19])
 by vps.hungerhost.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
 (Exim 4.85) (envelope-from <gnn@neville-neil.com>)
 id 1ZDJ0t-0000uB-SY; Thu, 09 Jul 2015 17:05:47 -0400
From: "George Neville-Neil" <gnn@neville-neil.com>
To: "George V. Neville-Neil" <gnn@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: Re: svn commit: r285336 - in head/sys: netipsec opencrypto
Date: Thu, 09 Jul 2015 17:05:37 -0400
Message-ID: <DC2D9D6C-80FB-404E-82EA-ADCB72E6141C@neville-neil.com>
In-Reply-To: <201507091816.t69IGawf097288@repo.freebsd.org>
References: <201507091816.t69IGawf097288@repo.freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.1r5084)
X-AntiAbuse: This header was added to track abuse,
 please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps.hungerhost.com
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - neville-neil.com
X-Get-Message-Sender-Via: vps.hungerhost.com: authenticated_id:
 gnn@neville-neil.com
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 21:05:49 -0000

Should have also pointed out that the original version of this patch
comes from pfsense and Ermal (eri@).

Best,
George

On 9 Jul 2015, at 14:16, George V. Neville-Neil wrote:

> Author: gnn
> Date: Thu Jul  9 18:16:35 2015
> New Revision: 285336
> URL: https://svnweb.freebsd.org/changeset/base/285336
>
> Log:
> Add support for AES modes to IPSec.  These modes work both in software 
> only
> mode and with hardware support on systems that have AESNI 
> instructions.
>
> Differential Revision:	D2936
> Reviewed by:	jmg, eri, cognet
> Sponsored by:	Rubicon Communications (Netgate)
>
> Modified:
> head/sys/netipsec/xform_ah.c
> head/sys/netipsec/xform_esp.c
> head/sys/opencrypto/cryptodev.h
> head/sys/opencrypto/xform.c
>
> Modified: head/sys/netipsec/xform_ah.c
> ==============================================================================
> --- head/sys/netipsec/xform_ah.c	Thu Jul  9 17:45:08 2015	(r285335)
> +++ head/sys/netipsec/xform_ah.c	Thu Jul  9 18:16:35 2015	(r285336)
> @@ -82,11 +82,11 @@
> 	(((sav)->flags & SADB_X_EXT_OLD) ? \
> 		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
> /*
> - * Return authenticator size in bytes.  The old protocol is known
> - * to use a fixed 16-byte authenticator.  The new algorithm use 
> 12-byte
> - * authenticator.
> + * Return authenticator size in bytes, based on a field in the
> + * algorithm descriptor.
> */
> -#define	AUTHSIZE(sav)	ah_authsize(sav)
> +#define	AUTHSIZE(sav)	\
> +	((sav->flags & SADB_X_EXT_OLD) ? 16 : 
> (sav)->tdb_authalgxform->hashsize)
>
> VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
> VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc 
> */
> @@ -112,27 +112,6 @@ static unsigned char ipseczeroes[256];	/
> static int ah_input_cb(struct cryptop*);
> static int ah_output_cb(struct cryptop*);
>
> -static int
> -ah_authsize(struct secasvar *sav)
> -{
> -
> -	IPSEC_ASSERT(sav != NULL, ("%s: sav == NULL", __func__));
> -
> -	if (sav->flags & SADB_X_EXT_OLD)
> -		return 16;
> -
> -	switch (sav->alg_auth) {
> -	case SADB_X_AALG_SHA2_256:
> -		return 16;
> -	case SADB_X_AALG_SHA2_384:
> -		return 24;
> -	case SADB_X_AALG_SHA2_512:
> -		return 32;
> -	default:
> -		return AH_HMAC_HASHLEN;
> -	}
> -	/* NOTREACHED */
> -}
> /*
> * NB: this is public for use by the PF_KEY support.
> */
> @@ -160,6 +139,12 @@ ah_algorithm_lookup(int alg)
> 		return &auth_hash_hmac_sha2_384;
> 	case SADB_X_AALG_SHA2_512:
> 		return &auth_hash_hmac_sha2_512;
> +	case SADB_X_AALG_AES128GMAC:
> +		return &auth_hash_nist_gmac_aes_128;
> +	case SADB_X_AALG_AES192GMAC:
> +		return &auth_hash_nist_gmac_aes_192;
> +	case SADB_X_AALG_AES256GMAC:
> +		return &auth_hash_nist_gmac_aes_256;
> 	}
> 	return NULL;
> }
>
> Modified: head/sys/netipsec/xform_esp.c
> ==============================================================================
> --- head/sys/netipsec/xform_esp.c	Thu Jul  9 17:45:08 2015	(r285335)
> +++ head/sys/netipsec/xform_esp.c	Thu Jul  9 18:16:35 2015	(r285336)
> @@ -121,6 +121,12 @@ esp_algorithm_lookup(int alg)
> 		return &enc_xform_null;
> 	case SADB_X_EALG_CAMELLIACBC:
> 		return &enc_xform_camellia;
> +	case SADB_X_EALG_AESCTR:
> +		return &enc_xform_aes_icm;
> +	case SADB_X_EALG_AESGCM16:
> +		return &enc_xform_aes_nist_gcm;
> +	case SADB_X_EALG_AESGMAC:
> +		return &enc_xform_aes_nist_gmac;
> 	}
> 	return NULL;
> }
> @@ -198,7 +204,7 @@ esp_init(struct secasvar *sav, struct xf
> 	 *      the ESP header will be processed incorrectly.  The
> 	 *      compromise is to force it to zero here.
> 	 */
> -	sav->ivlen = (txform == &enc_xform_null ? 0 : txform->blocksize);
> +	sav->ivlen = (txform == &enc_xform_null ? 0 : txform->ivsize);
> 	sav->iv = (caddr_t) malloc(sav->ivlen, M_XDATA, M_WAITOK);
> 	key_randomfill(sav->iv, sav->ivlen);	/*XXX*/
>
> @@ -215,11 +221,45 @@ esp_init(struct secasvar *sav, struct xf
> 	sav->tdb_xform = xsp;
> 	sav->tdb_encalgxform = txform;
>
> +	/*
> +	 * Whenever AES-GCM is used for encryption, one
> +	 * of the AES authentication algorithms is chosen
> +	 * as well, based on the key size.
> +	 */
> +	if (sav->alg_enc == SADB_X_EALG_AESGCM16) {
> +		switch (keylen) {
> +		case AES_128_HMAC_KEY_LEN:
> +			sav->alg_auth = SADB_X_AALG_AES128GMAC;
> +			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_128;
> +			break;
> +		case AES_192_HMAC_KEY_LEN:
> +			sav->alg_auth = SADB_X_AALG_AES192GMAC;
> +			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_192;
> +			break;
> +		case AES_256_HMAC_KEY_LEN:
> +			sav->alg_auth = SADB_X_AALG_AES256GMAC;
> +			sav->tdb_authalgxform = &auth_hash_nist_gmac_aes_256;
> +			break;
> +		default:
> +			DPRINTF(("%s: invalid key length %u"
> +				 "for algorithm %s\n", __func__,
> +				 keylen, txform->name));
> +			return EINVAL;
> +		}
> +		bzero(&cria, sizeof(cria));
> +		cria.cri_alg = sav->tdb_authalgxform->type;
> +		cria.cri_klen = _KEYBITS(sav->key_enc) + 4;
> +		cria.cri_key = sav->key_enc->key_data;
> +	}
> +
> 	/* Initialize crypto session. */
> 	bzero(&crie, sizeof (crie));
> 	crie.cri_alg = sav->tdb_encalgxform->type;
> 	crie.cri_klen = _KEYBITS(sav->key_enc);
> 	crie.cri_key = sav->key_enc->key_data;
> +	if (sav->alg_enc == SADB_X_EALG_AESGCM16)
> +		arc4rand(crie.cri_iv, sav->ivlen, 0);
> +
> 	/* XXX Rounds ? */
>
> 	if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
> @@ -289,7 +329,6 @@ esp_input(struct mbuf *m, struct secasva
> 		m_freem(m);
> 		return EINVAL;
> 	}
> -
> 	/* XXX don't pullup, just copy header */
> 	IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct 
> newesp));
>
> @@ -302,18 +341,7 @@ esp_input(struct mbuf *m, struct secasva
> 	else
> 		hlen = sizeof (struct newesp) + sav->ivlen;
> 	/* Authenticator hash size */
> -	if (esph != NULL) {
> -		switch (esph->type) {
> -		case CRYPTO_SHA2_256_HMAC:
> -		case CRYPTO_SHA2_384_HMAC:
> -		case CRYPTO_SHA2_512_HMAC:
> -			alen = esph->hashsize/2;
> -			break;
> -		default:
> -			alen = AH_HMAC_HASHLEN;
> -			break;
> -		}
> -	}
> +	alen = esph ? esph->hashsize : 0;
>
> 	/*
> 	 * Verify payload length is multiple of encryption algorithm
> @@ -325,13 +353,15 @@ esp_input(struct mbuf *m, struct secasva
> 	 */
> 	plen = m->m_pkthdr.len - (skip + hlen + alen);
> 	if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
> -		DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
> -		    "  SA %s/%08lx\n", __func__,
> -		    plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst,
> -			buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
> -		ESPSTAT_INC(esps_badilen);
> -		m_freem(m);
> -		return EINVAL;
> +		if (!espx || sav->alg_enc != SADB_X_EALG_AESGCM16) {
> +			DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
> +				"  SA %s/%08lx\n", __func__,
> +				plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst,
> +				buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
> +			ESPSTAT_INC(esps_badilen);
> +			m_freem(m);
> +			return EINVAL;
> +		}
> 	}
>
> 	/*
> @@ -377,12 +407,20 @@ esp_input(struct mbuf *m, struct secasva
>
> 		/* Authentication descriptor */
> 		crda->crd_skip = skip;
> -		crda->crd_len = m->m_pkthdr.len - (skip + alen);
> +		if (espx && espx->type == CRYPTO_AES_NIST_GCM_16)
> +			crda->crd_len = hlen - sav->ivlen;
> +		else
> +			crda->crd_len = m->m_pkthdr.len - (skip + alen);
> 		crda->crd_inject = m->m_pkthdr.len - alen;
>
> 		crda->crd_alg = esph->type;
> -		crda->crd_key = sav->key_auth->key_data;
> -		crda->crd_klen = _KEYBITS(sav->key_auth);
> +		if (espx && (espx->type == CRYPTO_AES_NIST_GCM_16)) {
> +			crda->crd_key = sav->key_enc->key_data;
> +			crda->crd_klen = _KEYBITS(sav->key_enc);
> +		} else {
> +			crda->crd_key = sav->key_auth->key_data;
> +			crda->crd_klen = _KEYBITS(sav->key_auth);
> +		}	
>
> 		/* Copy the authenticator */
> 		m_copydata(m, m->m_pkthdr.len - alen, alen,
> @@ -420,6 +458,9 @@ esp_input(struct mbuf *m, struct secasva
> 	crde->crd_alg = espx->type;
> 	crde->crd_key = sav->key_enc->key_data;
> 	crde->crd_klen = _KEYBITS(sav->key_enc);
> +	if (espx && (espx->type == CRYPTO_AES_NIST_GCM_16))
> +		crde->crd_flags |= CRD_F_IV_EXPLICIT;
> +
> 	/* XXX Rounds ? */
>
> 	return (crypto_dispatch(crp));
> @@ -489,16 +530,7 @@ esp_input_cb(struct cryptop *crp)
>
> 	/* If authentication was performed, check now. */
> 	if (esph != NULL) {
> -		switch (esph->type) {
> -		case CRYPTO_SHA2_256_HMAC:
> -		case CRYPTO_SHA2_384_HMAC:
> -		case CRYPTO_SHA2_512_HMAC:
> -			alen = esph->hashsize/2;
> -			break;
> -		default:
> -			alen = AH_HMAC_HASHLEN;
> -			break;
> -		}
> +		alen = esph->hashsize;
> 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
> 		/* Copy the authenticator from the packet */
> 		m_copydata(m, m->m_pkthdr.len - alen, alen, aalg);
> @@ -663,22 +695,13 @@ esp_output(struct mbuf *m, struct ipsecr
> 	 * NB: The null encoding transform has a blocksize of 4
> 	 *     so that headers are properly aligned.
> 	 */
> -	blks = espx->blocksize;		/* IV blocksize */
> +	blks = espx->ivsize;		/* IV blocksize */
>
> 	/* XXX clamp padding length a la KAME??? */
> 	padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
>
> 	if (esph)
> -		switch (esph->type) {
> -		case CRYPTO_SHA2_256_HMAC:
> -		case CRYPTO_SHA2_384_HMAC:
> -		case CRYPTO_SHA2_512_HMAC:
> -			alen = esph->hashsize/2;
> -			break;
> -		default:
> -		alen = AH_HMAC_HASHLEN;
> -			break;
> -		}
> +		alen = esph->hashsize;
> 	else
> 		alen = 0;
>
> @@ -706,6 +729,8 @@ esp_output(struct mbuf *m, struct ipsecr
> 		error = EPFNOSUPPORT;
> 		goto bad;
> 	}
> +	DPRINTF(("%s: skip %d hlen %d rlen %d padding %d alen %d blksd 
> %d\n",
> +		__func__, skip, hlen, rlen, padding, alen, blks));
> 	if (skip + hlen + rlen + padding + alen > maxpacketsize) {
> 		DPRINTF(("%s: packet in SA %s/%08lx got too big "
> 		    "(len %u, max len %u)\n", __func__,
> @@ -820,6 +845,8 @@ esp_output(struct mbuf *m, struct ipsecr
> 		crde->crd_alg = espx->type;
> 		crde->crd_key = sav->key_enc->key_data;
> 		crde->crd_klen = _KEYBITS(sav->key_enc);
> +		if (espx->type == CRYPTO_AES_NIST_GCM_16)
> +			crde->crd_flags |= CRD_F_IV_EXPLICIT;
> 		/* XXX Rounds ? */
> 	} else
> 		crda = crp->crp_desc;
> @@ -854,13 +881,22 @@ esp_output(struct mbuf *m, struct ipsecr
> 	if (esph) {
> 		/* Authentication descriptor. */
> 		crda->crd_skip = skip;
> -		crda->crd_len = m->m_pkthdr.len - (skip + alen);
> +		if (espx && espx->type == CRYPTO_AES_NIST_GCM_16)
> +			crda->crd_len = hlen - sav->ivlen;
> +		else
> +			crda->crd_len = m->m_pkthdr.len - (skip + alen);
> 		crda->crd_inject = m->m_pkthdr.len - alen;
>
> 		/* Authentication operation. */
> 		crda->crd_alg = esph->type;
> -		crda->crd_key = sav->key_auth->key_data;
> -		crda->crd_klen = _KEYBITS(sav->key_auth);
> +		if (espx && espx->type == CRYPTO_AES_NIST_GCM_16) {
> +			crda->crd_key = sav->key_enc->key_data;
> +			crda->crd_klen = _KEYBITS(sav->key_enc);
> +		} else {
> +			crda->crd_key = sav->key_auth->key_data;
> +			crda->crd_klen = _KEYBITS(sav->key_auth);
> +		}
> +
> 	}
>
> 	return crypto_dispatch(crp);
> @@ -953,6 +989,11 @@ esp_output_cb(struct cryptop *crp)
> 			case CRYPTO_SHA2_512_HMAC:
> 				alen = esph->hashsize/2;
> 				break;
> +			case CRYPTO_AES_128_GMAC:
> +			case CRYPTO_AES_192_GMAC:
> +			case CRYPTO_AES_256_GMAC:
> +				alen = esph->hashsize;
> +				break;
> 			default:
> 				alen = AH_HMAC_HASHLEN;
> 				break;
>
> Modified: head/sys/opencrypto/cryptodev.h
> ==============================================================================
> --- head/sys/opencrypto/cryptodev.h	Thu Jul  9 17:45:08 2015	(r285335)
> +++ head/sys/opencrypto/cryptodev.h	Thu Jul  9 18:16:35 2015	(r285336)
> @@ -78,6 +78,7 @@
> #define	SHA2_512_HASH_LEN	64
> #define	MD5_KPDK_HASH_LEN	16
> #define	SHA1_KPDK_HASH_LEN	20
> +#define	AES_HASH_LEN		16
> /* Maximum hash algorithm result length */
> #define	HASH_MAX_LEN		SHA2_512_HASH_LEN /* Keep this updated */
>
> @@ -86,28 +87,74 @@
> #define	MD5_HMAC_BLOCK_LEN		64
> #define	SHA1_HMAC_BLOCK_LEN		64
> #define	RIPEMD160_HMAC_BLOCK_LEN	64
> -#define	SHA2_256_HMAC_BLOCK_LEN		64
> -#define	SHA2_384_HMAC_BLOCK_LEN		128
> -#define	SHA2_512_HMAC_BLOCK_LEN		128
> +#define	SHA2_256_HMAC_BLOCK_LEN	64
> +#define	SHA2_384_HMAC_BLOCK_LEN	128
> +#define	SHA2_512_HMAC_BLOCK_LEN	128
> /* Maximum HMAC block length */
> -#define	HMAC_MAX_BLOCK_LEN		SHA2_512_HMAC_BLOCK_LEN /* Keep this 
> updated */
> +#define	HMAC_MAX_BLOCK_LEN	SHA2_512_HMAC_BLOCK_LEN /* Keep this 
> updated */
> #define	HMAC_IPAD_VAL			0x36
> #define	HMAC_OPAD_VAL			0x5C
> +/* HMAC Key Length */
> +#define	NULL_HMAC_KEY_LEN		0
> +#define	MD5_HMAC_KEY_LEN		16
> +#define	SHA1_HMAC_KEY_LEN		20
> +#define	RIPEMD160_HMAC_KEY_LEN		20
> +#define	SHA2_256_HMAC_KEY_LEN		32
> +#define	SHA2_384_HMAC_KEY_LEN		48
> +#define	SHA2_512_HMAC_KEY_LEN		64
> +#define	AES_128_HMAC_KEY_LEN		16
> +#define	AES_192_HMAC_KEY_LEN		24
> +#define	AES_256_HMAC_KEY_LEN		32
>
> /* Encryption algorithm block sizes */
> -#define NULL_BLOCK_LEN		4
> -#define DES_BLOCK_LEN		8
> -#define DES3_BLOCK_LEN		8
> -#define BLOWFISH_BLOCK_LEN	8
> -#define SKIPJACK_BLOCK_LEN	8
> -#define CAST128_BLOCK_LEN	8
> -#define RIJNDAEL128_BLOCK_LEN	16
> -#define AES_BLOCK_LEN		RIJNDAEL128_BLOCK_LEN
> -#define CAMELLIA_BLOCK_LEN	16
> -#define EALG_MAX_BLOCK_LEN	AES_BLOCK_LEN /* Keep this updated */
> +#define	NULL_BLOCK_LEN		4
> +#define	DES_BLOCK_LEN		8
> +#define	DES3_BLOCK_LEN		8
> +#define	BLOWFISH_BLOCK_LEN	8
> +#define	SKIPJACK_BLOCK_LEN	8
> +#define	CAST128_BLOCK_LEN	8
> +#define	RIJNDAEL128_BLOCK_LEN	16
> +#define	AES_BLOCK_LEN		16
> +#define	AES_MIN_BLOCK_LEN	1
> +#define	ARC4_BLOCK_LEN		1
> +#define	CAMELLIA_BLOCK_LEN	16
> +#define	EALG_MAX_BLOCK_LEN	AES_BLOCK_LEN /* Keep this updated */
> +
> +/* IV Lengths */
> +
> +#define	ARC4_IV_LEN		1
> +#define	AES_IV_LEN		12
> +#define	AES_XTS_IV_LEN		8
> +#define	AES_XTS_ALPHA		0x87	/* GF(2^128) generator polynomial */
> +
> +#define AES_CTR_NONCE_SIZE	4
> +
> +/* Min and Max Encryption Key Sizes */
> +#define	NULL_MIN_KEY		0
> +#define	NULL_MAX_KEY		256 /* 2048 bits, max key */
> +#define	DES_MIN_KEY		8
> +#define	DES_MAX_KEY		DES_MIN_KEY
> +#define	TRIPLE_DES_MIN_KEY	24
> +#define	TRIPLE_DES_MAX_KEY	TRIPLE_DES_MIN_KEY
> +#define	BLOWFISH_MIN_KEY	5
> +#define	BLOWFISH_MAX_KEY	56 /* 448 bits, max key */
> +#define	CAST_MIN_KEY		5
> +#define	CAST_MAX_KEY		16
> +#define	SKIPJACK_MIN_KEY	10
> +#define	SKIPJACK_MAX_KEY	SKIPJACK_MIN_KEY
> +#define	RIJNDAEL_MIN_KEY	16
> +#define	RIJNDAEL_MAX_KEY	32
> +#define	AES_MIN_KEY		16
> +#define	AES_MAX_KEY		32
> +#define	AES_XTS_MIN_KEY		32
> +#define	AES_XTS_MAX_KEY		64
> +#define	ARC4_MIN_KEY		1
> +#define	ARC4_MAX_KEY		32
> +#define	CAMELLIA_MIN_KEY	8
> +#define	CAMELLIA_MAX_KEY	32
>
> /* Maximum hash algorithm result length */
> -#define AALG_MAX_RESULT_LEN	64 /* Keep this updated */
> +#define	AALG_MAX_RESULT_LEN	64 /* Keep this updated */
>
> #define	CRYPTO_ALGORITHM_MIN	1
> #define	CRYPTO_DES_CBC		1
> @@ -141,7 +188,7 @@
> #define	CRYPTO_AES_256_NIST_GMAC 28 /* auth side */
> #define	CRYPTO_ALGORITHM_MAX	28 /* Keep updated - see below */
>
> -#define CRYPTO_ALGO_VALID(x)	((x) >= CRYPTO_ALGORITHM_MIN && \
> +#define	CRYPTO_ALGO_VALID(x)	((x) >= CRYPTO_ALGORITHM_MIN && \
> 				 (x) <= CRYPTO_ALGORITHM_MAX)
>
> /* Algorithm flags */
>
> Modified: head/sys/opencrypto/xform.c
> ==============================================================================
> --- head/sys/opencrypto/xform.c	Thu Jul  9 17:45:08 2015	(r285335)
> +++ head/sys/opencrypto/xform.c	Thu Jul  9 18:16:35 2015	(r285336)
> @@ -154,7 +154,7 @@ MALLOC_DEFINE(M_XDATA, "xform", "xform d
> struct enc_xform enc_xform_null = {
> 	CRYPTO_NULL_CBC, "NULL",
> 	/* NB: blocksize of 4 is to generate a properly aligned ESP header */
> -	NULL_BLOCK_LEN, NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */
> +	NULL_BLOCK_LEN, NULL_BLOCK_LEN, NULL_MIN_KEY, NULL_MAX_KEY,
> 	null_encrypt,
> 	null_decrypt,
> 	null_setkey,
> @@ -164,7 +164,7 @@ struct enc_xform enc_xform_null = {
>
> struct enc_xform enc_xform_des = {
> 	CRYPTO_DES_CBC, "DES",
> -	DES_BLOCK_LEN, DES_BLOCK_LEN, 8, 8,
> +	DES_BLOCK_LEN, DES_BLOCK_LEN, DES_MIN_KEY, DES_MAX_KEY,
> 	des1_encrypt,
> 	des1_decrypt,
> 	des1_setkey,
> @@ -174,7 +174,8 @@ struct enc_xform enc_xform_des = {
>
> struct enc_xform enc_xform_3des = {
> 	CRYPTO_3DES_CBC, "3DES",
> -	DES3_BLOCK_LEN, DES3_BLOCK_LEN, 24, 24,
> +	DES3_BLOCK_LEN, DES3_BLOCK_LEN, TRIPLE_DES_MIN_KEY,
> +	TRIPLE_DES_MAX_KEY,
> 	des3_encrypt,
> 	des3_decrypt,
> 	des3_setkey,
> @@ -184,7 +185,8 @@ struct enc_xform enc_xform_3des = {
>
> struct enc_xform enc_xform_blf = {
> 	CRYPTO_BLF_CBC, "Blowfish",
> -	BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key 
> */,
> +	BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, BLOWFISH_MIN_KEY,
> +	BLOWFISH_MAX_KEY,
> 	blf_encrypt,
> 	blf_decrypt,
> 	blf_setkey,
> @@ -194,7 +196,7 @@ struct enc_xform enc_xform_blf = {
>
> struct enc_xform enc_xform_cast5 = {
> 	CRYPTO_CAST_CBC, "CAST-128",
> -	CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, 5, 16,
> +	CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, CAST_MIN_KEY, CAST_MAX_KEY,
> 	cast5_encrypt,
> 	cast5_decrypt,
> 	cast5_setkey,
> @@ -204,7 +206,8 @@ struct enc_xform enc_xform_cast5 = {
>
> struct enc_xform enc_xform_skipjack = {
> 	CRYPTO_SKIPJACK_CBC, "Skipjack",
> -	SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, 10, 10,
> +	SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, SKIPJACK_MIN_KEY,
> +	SKIPJACK_MAX_KEY,
> 	skipjack_encrypt,
> 	skipjack_decrypt, skipjack_setkey,
> 	skipjack_zerokey,
> @@ -213,7 +216,8 @@ struct enc_xform enc_xform_skipjack = {
>
> struct enc_xform enc_xform_rijndael128 = {
> 	CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES",
> -	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 16, 32,
> +	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, RIJNDAEL_MIN_KEY,
> +	RIJNDAEL_MAX_KEY,
> 	rijndael128_encrypt,
> 	rijndael128_decrypt,
> 	rijndael128_setkey,
> @@ -223,7 +227,7 @@ struct enc_xform enc_xform_rijndael128 =
>
> struct enc_xform enc_xform_aes_icm = {
> 	CRYPTO_AES_ICM, "AES-ICM",
> -	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 16, 32,
> +	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, AES_MIN_KEY, 
> AES_MAX_KEY,
> 	aes_icm_crypt,
> 	aes_icm_crypt,
> 	aes_icm_setkey,
> @@ -233,7 +237,7 @@ struct enc_xform enc_xform_aes_icm = {
>
> struct enc_xform enc_xform_aes_nist_gcm = {
> 	CRYPTO_AES_NIST_GCM_16, "AES-GCM",
> -	1, 12, 16, 32,
> +	AES_MIN_BLOCK_LEN, AES_IV_LEN, AES_MIN_KEY, AES_MAX_KEY,
> 	aes_icm_crypt,
> 	aes_icm_crypt,
> 	aes_icm_setkey,
> @@ -243,7 +247,7 @@ struct enc_xform enc_xform_aes_nist_gcm
>
> struct enc_xform enc_xform_aes_nist_gmac = {
> 	CRYPTO_AES_NIST_GMAC, "AES-GMAC",
> -	1, 12, 16, 32,
> +	AES_MIN_BLOCK_LEN, AES_IV_LEN, AES_MIN_KEY, AES_MAX_KEY,
> 	NULL,
> 	NULL,
> 	NULL,
> @@ -253,7 +257,7 @@ struct enc_xform enc_xform_aes_nist_gmac
>
> struct enc_xform enc_xform_aes_xts = {
> 	CRYPTO_AES_XTS, "AES-XTS",
> -	RIJNDAEL128_BLOCK_LEN, 8, 32, 64,
> +	AES_MIN_BLOCK_LEN, AES_XTS_IV_LEN, AES_XTS_MIN_KEY, AES_XTS_MAX_KEY,
> 	aes_xts_encrypt,
> 	aes_xts_decrypt,
> 	aes_xts_setkey,
> @@ -263,7 +267,7 @@ struct enc_xform enc_xform_aes_xts = {
>
> struct enc_xform enc_xform_arc4 = {
> 	CRYPTO_ARC4, "ARC4",
> -	1, 1, 1, 32,
> +	ARC4_BLOCK_LEN, ARC4_IV_LEN, ARC4_MIN_KEY, ARC4_MAX_KEY,
> 	NULL,
> 	NULL,
> 	NULL,
> @@ -273,7 +277,8 @@ struct enc_xform enc_xform_arc4 = {
>
> struct enc_xform enc_xform_camellia = {
> 	CRYPTO_CAMELLIA_CBC, "Camellia",
> -	CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, 8, 32,
> +	CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, CAMELLIA_MIN_KEY,
> +	CAMELLIA_MAX_KEY,
> 	cml_encrypt,
> 	cml_decrypt,
> 	cml_setkey,
> @@ -284,67 +289,72 @@ struct enc_xform enc_xform_camellia = {
> /* Authentication instances */
> struct auth_hash auth_hash_null = {	/* NB: context isn't used */
> 	CRYPTO_NULL_HMAC, "NULL-HMAC",
> -	0, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
> +	NULL_HMAC_KEY_LEN, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
> 	null_init, null_reinit, null_reinit, null_update, null_final
> };
>
> struct auth_hash auth_hash_hmac_md5 = {
> 	CRYPTO_MD5_HMAC, "HMAC-MD5",
> -	16, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
> +	MD5_HMAC_KEY_LEN, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
> 	(void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int,
> 	(void (*) (u_int8_t *, void *)) MD5Final
> };
>
> struct auth_hash auth_hash_hmac_sha1 = {
> 	CRYPTO_SHA1_HMAC, "HMAC-SHA1",
> -	20, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
> +	SHA1_HMAC_KEY_LEN, SHA1_HASH_LEN, sizeof(SHA1_CTX), 
> SHA1_HMAC_BLOCK_LEN,
> 	SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
> };
>
> struct auth_hash auth_hash_hmac_ripemd_160 = {
> 	CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
> -	20, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX), 
> RIPEMD160_HMAC_BLOCK_LEN,
> +	RIPEMD160_HMAC_KEY_LEN, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX),
> +	RIPEMD160_HMAC_BLOCK_LEN,
> 	(void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int,
> 	(void (*)(u_int8_t *, void *)) RMD160Final
> };
>
> struct auth_hash auth_hash_key_md5 = {
> 	CRYPTO_MD5_KPDK, "Keyed MD5",
> -	0, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
> +	NULL_HMAC_KEY_LEN, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
> 	(void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int,
> 	(void (*)(u_int8_t *, void *)) MD5Final
> };
>
> struct auth_hash auth_hash_key_sha1 = {
> 	CRYPTO_SHA1_KPDK, "Keyed SHA1",
> -	0, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
> +	NULL_HMAC_KEY_LEN, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
> 	SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
> };
>
> struct auth_hash auth_hash_hmac_sha2_256 = {
> 	CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
> -	32, SHA2_256_HASH_LEN, sizeof(SHA256_CTX), SHA2_256_HMAC_BLOCK_LEN,
> +	SHA2_256_HMAC_KEY_LEN, SHA2_256_HASH_LEN, sizeof(SHA256_CTX),
> +	SHA2_256_HMAC_BLOCK_LEN,
> 	(void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int,
> 	(void (*)(u_int8_t *, void *)) SHA256_Final
> };
>
> struct auth_hash auth_hash_hmac_sha2_384 = {
> 	CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
> -	48, SHA2_384_HASH_LEN, sizeof(SHA384_CTX), SHA2_384_HMAC_BLOCK_LEN,
> +	SHA2_384_HMAC_KEY_LEN, SHA2_384_HASH_LEN, sizeof(SHA384_CTX),
> +	SHA2_384_HMAC_BLOCK_LEN,
> 	(void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int,
> 	(void (*)(u_int8_t *, void *)) SHA384_Final
> };
>
> struct auth_hash auth_hash_hmac_sha2_512 = {
> 	CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
> -	64, SHA2_512_HASH_LEN, sizeof(SHA512_CTX), SHA2_512_HMAC_BLOCK_LEN,
> +	SHA2_512_HMAC_KEY_LEN, SHA2_512_HASH_LEN, sizeof(SHA512_CTX),
> +	SHA2_512_HMAC_BLOCK_LEN,
> 	(void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int,
> 	(void (*)(u_int8_t *, void *)) SHA512_Final
> };
>
> struct auth_hash auth_hash_nist_gmac_aes_128 = {
> 	CRYPTO_AES_128_NIST_GMAC, "GMAC-AES-128",
> -	16, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN,
> +	AES_128_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx),
> +	GMAC_BLOCK_LEN,
> 	(void (*)(void *)) AES_GMAC_Init,
> 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
> 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
> @@ -354,7 +364,8 @@ struct auth_hash auth_hash_nist_gmac_aes
>
> struct auth_hash auth_hash_nist_gmac_aes_192 = {
> 	CRYPTO_AES_192_NIST_GMAC, "GMAC-AES-192",
> -	24, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN,
> +	AES_192_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx),
> +	GMAC_BLOCK_LEN,
> 	(void (*)(void *)) AES_GMAC_Init,
> 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
> 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
> @@ -364,7 +375,8 @@ struct auth_hash auth_hash_nist_gmac_aes
>
> struct auth_hash auth_hash_nist_gmac_aes_256 = {
> 	CRYPTO_AES_256_NIST_GMAC, "GMAC-AES-256",
> -	32, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN,
> +	AES_256_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx),
> +	GMAC_BLOCK_LEN,
> 	(void (*)(void *)) AES_GMAC_Init,
> 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
> 	(void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,