Various cleanups to the software encryption transform interface.

- Consistently use 'void *' for key schedules / key contexts instead
  of a mix of 'caddr_t', 'uint8_t *', and 'void *'.

- Add a ctxsize member to enc_xform similar to what auth transforms use
  and require callers to malloc/zfree the context.  The setkey callback
  now supplies the caller-allocated context pointer and the zerokey
  callback is removed.  Callers now always use zfree() to ensure
  key contexts are zeroed.

- Consistently use C99 initializers for all statically-initialized
  instances of 'struct enc_xform'.

- Change the encrypt and decrypt functions to accept separate in and
  out buffer pointers.  Almost all of the backend crypto functions
  already supported separate input and output buffers and this makes
  it simpler to support separate buffers in OCF.

- Remove xform_userland.h shim to permit transforms to be compiled in
  userland.  Transforms no longer call malloc/free directly.

Reviewed by:	cem (earlier version)
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D24855

sys/crypto/chacha20/chacha-sw.c

@@ -7,63 +7,42 @@ __FBSDID("$FreeBSD$");
 #include <opencrypto/xform_enc.h>
 
 static int
-chacha20_xform_setkey(u_int8_t **sched, const u_int8_t *key, int len)
+chacha20_xform_setkey(void *ctx, const uint8_t *key, int len)
 {
-	struct chacha_ctx *ctx;
 
 	if (len != CHACHA_MINKEYLEN && len != 32)
 		return (EINVAL);
 
-	ctx = malloc(sizeof(*ctx), M_CRYPTO_DATA, M_NOWAIT | M_ZERO);
-	*sched = (void *)ctx;
-	if (ctx == NULL)
-		return (ENOMEM);
-
 	chacha_keysetup(ctx, key, len * 8);
 	return (0);
 }
 
 static void
-chacha20_xform_reinit(caddr_t key, const u_int8_t *iv)
+chacha20_xform_reinit(void *ctx, const u_int8_t *iv)
 {
-	struct chacha_ctx *ctx;
 
-	ctx = (void *)key;
 	chacha_ivsetup(ctx, iv + 8, iv);
 }
 
 static void
-chacha20_xform_zerokey(u_int8_t **sched)
+chacha20_xform_crypt(void *ctx, const uint8_t *in, uint8_t *out)
 {
-	struct chacha_ctx *ctx;
 
-	ctx = (void *)*sched;
-	explicit_bzero(ctx, sizeof(*ctx));
-	free(ctx, M_CRYPTO_DATA);
-	*sched = NULL;
+	chacha_encrypt_bytes(ctx, in, out, 1);
 }
 
 static void
-chacha20_xform_crypt(caddr_t cctx, u_int8_t *bytes)
+chacha20_xform_crypt_multi(void *ctx, const uint8_t *in, uint8_t *out,
+    size_t len)
 {
-	struct chacha_ctx *ctx;
 
-	ctx = (void *)cctx;
-	chacha_encrypt_bytes(ctx, bytes, bytes, 1);
-}
-
-static void
-chacha20_xform_crypt_multi(void *vctx, uint8_t *bytes, size_t len)
-{
-	struct chacha_ctx *ctx;
-
-	ctx = vctx;
-	chacha_encrypt_bytes(ctx, bytes, bytes, len);
+	chacha_encrypt_bytes(ctx, in, out, len);
 }
 
 struct enc_xform enc_xform_chacha20 = {
 	.type = CRYPTO_CHACHA20,
 	.name = "chacha20",
+	.ctxsize = sizeof(struct chacha_ctx),
 	.blocksize = 1,
 	.ivsize = CHACHA_NONCELEN + CHACHA_CTRLEN,
 	.minkey = CHACHA_MINKEYLEN,
@@ -71,7 +50,6 @@ struct enc_xform enc_xform_chacha20 = {
 	.encrypt = chacha20_xform_crypt,
 	.decrypt = chacha20_xform_crypt,
 	.setkey = chacha20_xform_setkey,
-	.zerokey = chacha20_xform_zerokey,
 	.reinit = chacha20_xform_reinit,
 	.encrypt_multi = chacha20_xform_crypt_multi,
 	.decrypt_multi = chacha20_xform_crypt_multi,

sys/dev/cxgbe/crypto/t4_crypto.c

@@ -1354,8 +1354,7 @@ ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp)
 {
 	struct auth_hash *axf;
 	struct enc_xform *exf;
-	void *auth_ctx;
-	uint8_t *kschedule;
+	void *auth_ctx, *kschedule;
 	char block[GMAC_BLOCK_LEN];
 	char digest[GMAC_DIGEST_LEN];
 	char iv[AES_BLOCK_LEN];
@@ -1389,7 +1388,12 @@ ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp)
 
 	/* Initialize the cipher. */
 	exf = &enc_xform_aes_nist_gcm;
-	error = exf->setkey(&kschedule, s->blkcipher.enckey,
+	kschedule = malloc(exf->ctxsize, M_CCR, M_NOWAIT);
+	if (kschedule == NULL) {
+		error = ENOMEM;
+		goto out;
+	}
+	error = exf->setkey(kschedule, s->blkcipher.enckey,
 	    s->blkcipher.key_len);
 	if (error)
 		goto out;
@@ -1423,7 +1427,7 @@ ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp)
 		crypto_copydata(crp, crp->crp_payload_start + i, len, block);
 		bzero(block + len, sizeof(block) - len);
 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
-			exf->encrypt(kschedule, block);
+			exf->encrypt(kschedule, block, block);
 			axf->Update(auth_ctx, block, len);
 			crypto_copyback(crp, crp->crp_payload_start + i, len,
 			    block);
@@ -1462,7 +1466,7 @@ ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp)
 				crypto_copydata(crp, crp->crp_payload_start + i,
 				    len, block);
 				bzero(block + len, sizeof(block) - len);
-				exf->decrypt(kschedule, block);
+				exf->decrypt(kschedule, block, block);
 				crypto_copyback(crp, crp->crp_payload_start + i,
 				    len, block);
 			}
@@ -1470,12 +1474,9 @@ ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp)
 			error = EBADMSG;
 	}
 
-	exf->zerokey(&kschedule);
 out:
-	if (auth_ctx != NULL) {
-		memset(auth_ctx, 0, axf->ctxsize);
-		free(auth_ctx, M_CCR);
-	}
+	zfree(kschedule, M_CCR);
+	zfree(auth_ctx, M_CCR);
 	crp->crp_etype = error;
 	crypto_done(crp);
 }
@@ -1810,7 +1811,7 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 	struct auth_hash *axf;
 	struct enc_xform *exf;
 	union authctx *auth_ctx;
-	uint8_t *kschedule;
+	void *kschedule;
 	char block[CCM_CBC_BLOCK_LEN];
 	char digest[AES_CBC_MAC_HASH_LEN];
 	char iv[AES_CCM_IV_LEN];
@@ -1844,7 +1845,12 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 
 	/* Initialize the cipher. */
 	exf = &enc_xform_ccm;
-	error = exf->setkey(&kschedule, s->blkcipher.enckey,
+	kschedule = malloc(exf->ctxsize, M_CCR, M_NOWAIT);
+	if (kschedule == NULL) {
+		error = ENOMEM;
+		goto out;
+	}
+	error = exf->setkey(kschedule, s->blkcipher.enckey,
 	    s->blkcipher.key_len);
 	if (error)
 		goto out;
@@ -1876,11 +1882,11 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 		bzero(block + len, sizeof(block) - len);
 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
 			axf->Update(auth_ctx, block, len);
-			exf->encrypt(kschedule, block);
+			exf->encrypt(kschedule, block, block);
 			crypto_copyback(crp, crp->crp_payload_start + i, len,
 			    block);
 		} else {
-			exf->decrypt(kschedule, block);
+			exf->decrypt(kschedule, block, block);
 			axf->Update(auth_ctx, block, len);
 		}
 	}
@@ -1910,7 +1916,7 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 				crypto_copydata(crp, crp->crp_payload_start + i,
 				    len, block);
 				bzero(block + len, sizeof(block) - len);
-				exf->decrypt(kschedule, block);
+				exf->decrypt(kschedule, block, block);
 				crypto_copyback(crp, crp->crp_payload_start + i,
 				    len, block);
 			}
@@ -1918,12 +1924,9 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 			error = EBADMSG;
 	}
 
-	exf->zerokey(&kschedule);
 out:
-	if (auth_ctx != NULL) {
-		memset(auth_ctx, 0, axf->ctxsize);
-		free(auth_ctx, M_CCR);
-	}
+	zfree(kschedule, M_CCR);
+	zfree(auth_ctx, M_CCR);
 	crp->crp_etype = error;
 	crypto_done(crp);
 }

sys/opencrypto/cryptosoft.c

@@ -65,7 +65,7 @@ struct swcr_auth {
 };
 
 struct swcr_encdec {
-	uint8_t		*sw_kschedule;
+	void		*sw_kschedule;
 	struct enc_xform *sw_exf;
 };
 
@@ -131,11 +131,8 @@ swcr_encdec(struct swcr_session *ses, struct cryptop *crp)
 	crypto_read_iv(crp, iv);
 
 	if (crp->crp_cipher_key != NULL) {
-		if (sw->sw_kschedule)
-			exf->zerokey(&(sw->sw_kschedule));
-
 		csp = crypto_get_params(crp->crp_session);
-		error = exf->setkey(&sw->sw_kschedule,
+		error = exf->setkey(sw->sw_kschedule,
 		    crp->crp_cipher_key, csp->csp_cipher_klen);
 		if (error)
 			return (error);
@@ -197,10 +194,10 @@ swcr_encdec(struct swcr_session *ses, struct cryptop *crp)
 			/* Actual encryption/decryption */
 			if (exf->reinit) {
 				if (encrypting) {
-					exf->encrypt(sw->sw_kschedule,
+					exf->encrypt(sw->sw_kschedule, blk,
 					    blk);
 				} else {
-					exf->decrypt(sw->sw_kschedule,
+					exf->decrypt(sw->sw_kschedule, blk,
 					    blk);
 				}
 			} else if (encrypting) {
@@ -208,7 +205,7 @@ swcr_encdec(struct swcr_session *ses, struct cryptop *crp)
 				for (j = 0; j < blks; j++)
 					blk[j] ^= ivp[j];
 
-				exf->encrypt(sw->sw_kschedule, blk);
+				exf->encrypt(sw->sw_kschedule, blk, blk);
 
 				/*
 				 * Keep encrypted block for XOR'ing
@@ -224,7 +221,7 @@ swcr_encdec(struct swcr_session *ses, struct cryptop *crp)
 				nivp = (ivp == iv) ? iv2 : iv;
 				bcopy(blk, nivp, blks);
 
-				exf->decrypt(sw->sw_kschedule, blk);
+				exf->decrypt(sw->sw_kschedule, blk, blk);
 
 				/* XOR with previous block */
 				for (j = 0; j < blks; j++)
@@ -264,25 +261,25 @@ swcr_encdec(struct swcr_session *ses, struct cryptop *crp)
 			if (exf->reinit) {
 				if (encrypting && exf->encrypt_multi == NULL)
 					exf->encrypt(sw->sw_kschedule,
-					    idat);
+					    idat, idat);
 				else if (encrypting) {
 					nb = rounddown(rem, blks);
 					exf->encrypt_multi(sw->sw_kschedule,
-					    idat, nb);
+					    idat, idat, nb);
 				} else if (exf->decrypt_multi == NULL)
 					exf->decrypt(sw->sw_kschedule,
-					    idat);
+					    idat, idat);
 				else {
 					nb = rounddown(rem, blks);
 					exf->decrypt_multi(sw->sw_kschedule,
-					    idat, nb);
+					    idat, idat, nb);
 				}
 			} else if (encrypting) {
 				/* XOR with previous block/IV */
 				for (j = 0; j < blks; j++)
 					idat[j] ^= ivp[j];
 
-				exf->encrypt(sw->sw_kschedule, idat);
+				exf->encrypt(sw->sw_kschedule, idat, idat);
 				ivp = idat;
 			} else {	/* decrypt */
 				/*
@@ -292,7 +289,7 @@ swcr_encdec(struct swcr_session *ses, struct cryptop *crp)
 				nivp = (ivp == iv) ? iv2 : iv;
 				bcopy(idat, nivp, blks);
 
-				exf->decrypt(sw->sw_kschedule, idat);
+				exf->decrypt(sw->sw_kschedule, idat, idat);
 
 				/* XOR with previous block/IV */
 				for (j = 0; j < blks; j++)
@@ -543,7 +540,7 @@ swcr_gcm(struct swcr_session *ses, struct cryptop *crp)
 			bzero(blk, blksz);
 		crypto_copydata(crp, crp->crp_payload_start + i, len, blk);
 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
-			exf->encrypt(swe->sw_kschedule, blk);
+			exf->encrypt(swe->sw_kschedule, blk, blk);
 			axf->Update(&ctx, blk, len);
 			crypto_copyback(crp, crp->crp_payload_start + i, len,
 			    blk);
@@ -579,7 +576,7 @@ swcr_gcm(struct swcr_session *ses, struct cryptop *crp)
 				bzero(blk, blksz);
 			crypto_copydata(crp, crp->crp_payload_start + i, len,
 			    blk);
-			exf->decrypt(swe->sw_kschedule, blk);
+			exf->decrypt(swe->sw_kschedule, blk, blk);
 			crypto_copyback(crp, crp->crp_payload_start + i, len,
 			    blk);
 		}
@@ -704,7 +701,7 @@ swcr_ccm(struct swcr_session *ses, struct cryptop *crp)
 		crypto_copydata(crp, crp->crp_payload_start + i, len, blk);
 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
 			axf->Update(&ctx, blk, len);
-			exf->encrypt(swe->sw_kschedule, blk);
+			exf->encrypt(swe->sw_kschedule, blk, blk);
 			crypto_copyback(crp, crp->crp_payload_start + i, len,
 			    blk);
 		} else {
@@ -716,7 +713,7 @@ swcr_ccm(struct swcr_session *ses, struct cryptop *crp)
 			 * the tag and a second time after the tag is
 			 * verified.
 			 */
-			exf->decrypt(swe->sw_kschedule, blk);
+			exf->decrypt(swe->sw_kschedule, blk, blk);
 			axf->Update(&ctx, blk, len);
 		}
 	}
@@ -741,7 +738,7 @@ swcr_ccm(struct swcr_session *ses, struct cryptop *crp)
 				bzero(blk, blksz);
 			crypto_copydata(crp, crp->crp_payload_start + i, len,
 			    blk);
-			exf->decrypt(swe->sw_kschedule, blk);
+			exf->decrypt(swe->sw_kschedule, blk, blk);
 			crypto_copyback(crp, crp->crp_payload_start + i, len,
 			    blk);
 		}
@@ -854,7 +851,7 @@ swcr_compdec(struct swcr_session *ses, struct cryptop *crp)
 }
 
 static int
-swcr_setup_encdec(struct swcr_session *ses,
+swcr_setup_cipher(struct swcr_session *ses,
     const struct crypto_session_params *csp)
 {
 	struct swcr_encdec *swe;
@@ -864,8 +861,14 @@ swcr_setup_encdec(struct swcr_session *ses,
 	swe = &ses->swcr_encdec;
 	txf = crypto_cipher(csp);
 	MPASS(txf->ivsize == csp->csp_ivlen);
+	if (txf->ctxsize != 0) {
+		swe->sw_kschedule = malloc(txf->ctxsize, M_CRYPTO_DATA,
+		    M_NOWAIT);
+		if (swe->sw_kschedule == NULL)
+			return (ENOMEM);
+	}
 	if (csp->csp_cipher_key != NULL) {
-		error = txf->setkey(&swe->sw_kschedule,
+		error = txf->setkey(swe->sw_kschedule,
 		    csp->csp_cipher_key, csp->csp_cipher_klen);
 		if (error)
 			return (error);
@@ -962,11 +965,8 @@ static int
 swcr_setup_gcm(struct swcr_session *ses,
     const struct crypto_session_params *csp)
 {
-	struct swcr_encdec *swe;
 	struct swcr_auth *swa;
-	struct enc_xform *txf;
 	struct auth_hash *axf;
-	int error;
 
 	if (csp->csp_ivlen != AES_GCM_IV_LEN)
 		return (EINVAL);
@@ -1002,28 +1002,15 @@ swcr_setup_gcm(struct swcr_session *ses,
 		    csp->csp_cipher_klen);
 
 	/* Second, setup the cipher side. */
-	swe = &ses->swcr_encdec;
-	txf = &enc_xform_aes_nist_gcm;
-	if (csp->csp_cipher_key != NULL) {
-		error = txf->setkey(&swe->sw_kschedule,
-		    csp->csp_cipher_key, csp->csp_cipher_klen);
-		if (error)
-			return (error);
-	}
-	swe->sw_exf = txf;
-
-	return (0);
+	return (swcr_setup_cipher(ses, csp));
 }
 
 static int
 swcr_setup_ccm(struct swcr_session *ses,
     const struct crypto_session_params *csp)
 {
-	struct swcr_encdec *swe;
 	struct swcr_auth *swa;
-	struct enc_xform *txf;
 	struct auth_hash *axf;
-	int error;
 
 	if (csp->csp_ivlen != AES_CCM_IV_LEN)
 		return (EINVAL);
@@ -1059,17 +1046,7 @@ swcr_setup_ccm(struct swcr_session *ses,
 		    csp->csp_cipher_klen);
 
 	/* Second, setup the cipher side. */
-	swe = &ses->swcr_encdec;
-	txf = &enc_xform_ccm;
-	if (csp->csp_cipher_key != NULL) {
-		error = txf->setkey(&swe->sw_kschedule,
-		    csp->csp_cipher_key, csp->csp_cipher_klen);
-		if (error)
-			return (error);
-	}
-	swe->sw_exf = txf;
-
-	return (0);
+	return (swcr_setup_cipher(ses, csp));
 }
 
 static bool
@@ -1246,7 +1223,7 @@ swcr_newsession(device_t dev, crypto_session_t cses,
 			panic("bad cipher algo");
 #endif
 		default:
-			error = swcr_setup_encdec(ses, csp);
+			error = swcr_setup_cipher(ses, csp);
 			if (error == 0)
 				ses->swcr_process = swcr_encdec;
 		}
@@ -1295,7 +1272,7 @@ swcr_newsession(device_t dev, crypto_session_t cses,
 			break;
 		}
 
-		error = swcr_setup_encdec(ses, csp);
+		error = swcr_setup_cipher(ses, csp);
 		if (error == 0)
 			ses->swcr_process = swcr_eta;
 		break;
@@ -1313,18 +1290,13 @@ swcr_freesession(device_t dev, crypto_session_t cses)
 {
 	struct swcr_session *ses;
 	struct swcr_auth *swa;
-	struct enc_xform *txf;
 	struct auth_hash *axf;
 
 	ses = crypto_get_driver_session(cses);
 
 	mtx_destroy(&ses->swcr_lock);
 
-	txf = ses->swcr_encdec.sw_exf;
-	if (txf != NULL) {
-		if (ses->swcr_encdec.sw_kschedule != NULL)
-			txf->zerokey(&(ses->swcr_encdec.sw_kschedule));
-	}
+	zfree(ses->swcr_encdec.sw_kschedule, M_CRYPTO_DATA);
 
 	axf = ses->swcr_auth.sw_axf;
 	if (axf != NULL) {

sys/opencrypto/xform_aes_icm.c

@@ -52,43 +52,50 @@ __FBSDID("$FreeBSD$");
 
 #include <opencrypto/xform_enc.h>
 
-static	int aes_icm_setkey(u_int8_t **, const u_int8_t *, int);
-static	void aes_icm_crypt(caddr_t, u_int8_t *);
-static	void aes_icm_zerokey(u_int8_t **);
-static	void aes_icm_reinit(caddr_t, const u_int8_t *);
-static	void aes_gcm_reinit(caddr_t, const u_int8_t *);
-static	void aes_ccm_reinit(caddr_t, const u_int8_t *);
+static	int aes_icm_setkey(void *, const uint8_t *, int);
+static	void aes_icm_crypt(void *, const uint8_t *, uint8_t *);
+static	void aes_icm_reinit(void *, const uint8_t *);
+static	void aes_gcm_reinit(void *, const uint8_t *);
+static	void aes_ccm_reinit(void *, const uint8_t *);
 
 /* Encryption instances */
 struct enc_xform enc_xform_aes_icm = {
-	CRYPTO_AES_ICM, "AES-ICM",
-	AES_BLOCK_LEN, AES_BLOCK_LEN, AES_MIN_KEY, AES_MAX_KEY,
-	aes_icm_crypt,
-	aes_icm_crypt,
-	aes_icm_setkey,
-	aes_icm_zerokey,
-	aes_icm_reinit,
+	.type = CRYPTO_AES_ICM,
+	.name = "AES-ICM",
+	.ctxsize = sizeof(struct aes_icm_ctx),
+	.blocksize = AES_BLOCK_LEN,
+	.ivsize = AES_BLOCK_LEN,
+	.minkey = AES_MIN_KEY,
+	.maxkey = AES_MAX_KEY,
+	.encrypt = aes_icm_crypt,
+	.decrypt = aes_icm_crypt,
+	.setkey = aes_icm_setkey,
+	.reinit = aes_icm_reinit,
 };
 
 struct enc_xform enc_xform_aes_nist_gcm = {
-	CRYPTO_AES_NIST_GCM_16, "AES-GCM",
-	AES_ICM_BLOCK_LEN, AES_GCM_IV_LEN, AES_MIN_KEY, AES_MAX_KEY,
-	aes_icm_crypt,
-	aes_icm_crypt,
-	aes_icm_setkey,
-	aes_icm_zerokey,
-	aes_gcm_reinit,
+	.type = CRYPTO_AES_NIST_GCM_16,
+	.name = "AES-GCM",
+	.ctxsize = sizeof(struct aes_icm_ctx),
+	.blocksize = AES_ICM_BLOCK_LEN,
+	.ivsize = AES_GCM_IV_LEN,
+	.minkey = AES_MIN_KEY,
+	.maxkey = AES_MAX_KEY,
+	.encrypt = aes_icm_crypt,
+	.decrypt = aes_icm_crypt,
+	.setkey = aes_icm_setkey,
+	.reinit = aes_gcm_reinit,
 };
 
 struct enc_xform enc_xform_ccm = {
 	.type = CRYPTO_AES_CCM_16,
 	.name = "AES-CCM",
+	.ctxsize = sizeof(struct aes_icm_ctx),
 	.blocksize = AES_ICM_BLOCK_LEN, .ivsize = AES_CCM_IV_LEN,
 	.minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY,
 	.encrypt = aes_icm_crypt,
 	.decrypt = aes_icm_crypt,
 	.setkey = aes_icm_setkey,
-	.zerokey = aes_icm_zerokey,
 	.reinit = aes_ccm_reinit,
 };
 
@@ -96,33 +103,33 @@ struct enc_xform enc_xform_ccm = {
  * Encryption wrapper routines.
  */
 static void
-aes_icm_reinit(caddr_t key, const u_int8_t *iv)
+aes_icm_reinit(void *key, const uint8_t *iv)
 {
 	struct aes_icm_ctx *ctx;
 
-	ctx = (struct aes_icm_ctx *)key;
+	ctx = key;
 	bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE);
 }
 
 static void
-aes_gcm_reinit(caddr_t key, const u_int8_t *iv)
+aes_gcm_reinit(void *key, const uint8_t *iv)
 {
 	struct aes_icm_ctx *ctx;
 
 	aes_icm_reinit(key, iv);
 
-	ctx = (struct aes_icm_ctx *)key;
+	ctx = key;
 	/* GCM starts with 2 as counter 1 is used for final xor of tag. */
 	bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4);
 	ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2;
 }
 
 static void
-aes_ccm_reinit(caddr_t key, const u_int8_t *iv)
+aes_ccm_reinit(void *key, const uint8_t *iv)
 {
 	struct aes_icm_ctx *ctx;
 
-	ctx = (struct aes_icm_ctx*)key;
+	ctx = key;
 
 	/* CCM has flags, then the IV, then the counter, which starts at 1 */
 	bzero(ctx->ac_block, sizeof(ctx->ac_block));
@@ -133,16 +140,16 @@ aes_ccm_reinit(caddr_t key, const u_int8_t *iv)
 }
 
 static void
-aes_icm_crypt(caddr_t key, u_int8_t *data)
+aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out)
 {
 	struct aes_icm_ctx *ctx;
-	u_int8_t keystream[AESICM_BLOCKSIZE];
+	uint8_t keystream[AESICM_BLOCKSIZE];
 	int i;
 
-	ctx = (struct aes_icm_ctx *)key;
+	ctx = key;
 	rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
 	for (i = 0; i < AESICM_BLOCKSIZE; i++)
-		data[i] ^= keystream[i];
+		out[i] = in[i] ^ keystream[i];
 	explicit_bzero(keystream, sizeof(keystream));
 
 	/* increment counter */
@@ -153,28 +160,14 @@ aes_icm_crypt(caddr_t key, u_int8_t *data)
 }
 
 static int
-aes_icm_setkey(u_int8_t **sched, const u_int8_t *key, int len)
+aes_icm_setkey(void *sched, const uint8_t *key, int len)
 {
 	struct aes_icm_ctx *ctx;
 
 	if (len != 16 && len != 24 && len != 32)
-		return EINVAL;
+		return (EINVAL);
 
-	*sched = KMALLOC(sizeof(struct aes_icm_ctx), M_CRYPTO_DATA,
-	    M_NOWAIT | M_ZERO);
-	if (*sched == NULL)
-		return ENOMEM;
-
-	ctx = (struct aes_icm_ctx *)*sched;
+	ctx = sched;
 	ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);
-	return 0;
-}
-
-static void
-aes_icm_zerokey(u_int8_t **sched)
-{
-
-	bzero(*sched, sizeof(struct aes_icm_ctx));
-	KFREE(*sched, M_CRYPTO_DATA);
-	*sched = NULL;
+	return (0);
 }

sys/opencrypto/xform_aes_xts.c

@@ -52,31 +52,34 @@ __FBSDID("$FreeBSD$");
 
 #include <opencrypto/xform_enc.h>
 
-static	int aes_xts_setkey(u_int8_t **, const u_int8_t *, int);
-static	void aes_xts_encrypt(caddr_t, u_int8_t *);
-static	void aes_xts_decrypt(caddr_t, u_int8_t *);
-static	void aes_xts_zerokey(u_int8_t **);
-static	void aes_xts_reinit(caddr_t, const u_int8_t *);
+static	int aes_xts_setkey(void *, const uint8_t *, int);
+static	void aes_xts_encrypt(void *, const uint8_t *, uint8_t *);
+static	void aes_xts_decrypt(void *, const uint8_t *, uint8_t *);
+static	void aes_xts_reinit(void *, const uint8_t *);
 
 /* Encryption instances */
 struct enc_xform enc_xform_aes_xts = {
-	CRYPTO_AES_XTS, "AES-XTS",
-	AES_BLOCK_LEN, AES_XTS_IV_LEN, AES_XTS_MIN_KEY, AES_XTS_MAX_KEY,
-	aes_xts_encrypt,
-	aes_xts_decrypt,
-	aes_xts_setkey,
-	aes_xts_zerokey,
-	aes_xts_reinit
+	.type = CRYPTO_AES_XTS,
+	.name = "AES-XTS",
+	.ctxsize = sizeof(struct aes_xts_ctx),
+	.blocksize = AES_BLOCK_LEN,
+	.ivsize = AES_XTS_IV_LEN,
+	.minkey = AES_XTS_MIN_KEY,
+	.maxkey = AES_XTS_MAX_KEY,
+	.encrypt = aes_xts_encrypt,
+	.decrypt = aes_xts_decrypt,
+	.setkey = aes_xts_setkey,
+	.reinit = aes_xts_reinit
 };
 
 /*
  * Encryption wrapper routines.
  */
 static void
-aes_xts_reinit(caddr_t key, const u_int8_t *iv)
+aes_xts_reinit(void *key, const uint8_t *iv)
 {
-	struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key;
-	u_int64_t blocknum;
+	struct aes_xts_ctx *ctx = key;
+	uint64_t blocknum;
 	u_int i;
 
 	/*
@@ -95,21 +98,22 @@ aes_xts_reinit(caddr_t key, const u_int8_t *iv)
 }
 
 static void
-aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt)
+aes_xts_crypt(struct aes_xts_ctx *ctx, const uint8_t *in, uint8_t *out,
+    u_int do_encrypt)
 {
-	u_int8_t block[AES_XTS_BLOCKSIZE];
+	uint8_t block[AES_XTS_BLOCKSIZE];
 	u_int i, carry_in, carry_out;
 
 	for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
-		block[i] = data[i] ^ ctx->tweak[i];
+		block[i] = in[i] ^ ctx->tweak[i];
 
 	if (do_encrypt)
-		rijndael_encrypt(&ctx->key1, block, data);
+		rijndael_encrypt(&ctx->key1, block, out);
 	else
-		rijndael_decrypt(&ctx->key1, block, data);
+		rijndael_decrypt(&ctx->key1, block, out);
 
 	for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
-		data[i] ^= ctx->tweak[i];
+		out[i] ^= ctx->tweak[i];
 
 	/* Exponentiate tweak */
 	carry_in = 0;
@@ -120,45 +124,33 @@ aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt)
 	}
 	if (carry_in)
 		ctx->tweak[0] ^= AES_XTS_ALPHA;
-	bzero(block, sizeof(block));
+	explicit_bzero(block, sizeof(block));
 }
 
 static void
-aes_xts_encrypt(caddr_t key, u_int8_t *data)
+aes_xts_encrypt(void *key, const uint8_t *in, uint8_t *out)
 {
-	aes_xts_crypt((struct aes_xts_ctx *)key, data, 1);
+	aes_xts_crypt(key, in, out, 1);
 }
 
 static void
-aes_xts_decrypt(caddr_t key, u_int8_t *data)
+aes_xts_decrypt(void *key, const uint8_t *in, uint8_t *out)
 {
-	aes_xts_crypt((struct aes_xts_ctx *)key, data, 0);
+	aes_xts_crypt(key, in, out, 0);
 }
 
 static int
-aes_xts_setkey(u_int8_t **sched, const u_int8_t *key, int len)
+aes_xts_setkey(void *sched, const uint8_t *key, int len)
 {
 	struct aes_xts_ctx *ctx;
 
 	if (len != 32 && len != 64)
-		return EINVAL;
+		return (EINVAL);
 
-	*sched = KMALLOC(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA,
-	    M_NOWAIT | M_ZERO);
-	if (*sched == NULL)
-		return ENOMEM;
-	ctx = (struct aes_xts_ctx *)*sched;
+	ctx = sched;
 
 	rijndael_set_key(&ctx->key1, key, len * 4);
 	rijndael_set_key(&ctx->key2, key + (len / 2), len * 4);
 
-	return 0;
-}
-
-static void
-aes_xts_zerokey(u_int8_t **sched)
-{
-	bzero(*sched, sizeof(struct aes_xts_ctx));
-	KFREE(*sched, M_CRYPTO_DATA);
-	*sched = NULL;
+	return (0);
 }

sys/opencrypto/xform_auth.h

@@ -44,7 +44,6 @@
 #include <opencrypto/cbc_mac.h>
 
 #include <opencrypto/cryptodev.h>
-#include <opencrypto/xform_userland.h>
 
 /* XXX use a define common with other hash stuff ! */
 #define	AH_ALEN_MAX	64	/* max authenticator hash length */

sys/opencrypto/xform_cml.c

@@ -53,61 +53,46 @@ __FBSDID("$FreeBSD$");
 #include <crypto/camellia/camellia.h>
 #include <opencrypto/xform_enc.h>
 
-static	int cml_setkey(u_int8_t **, const u_int8_t *, int);
-static	void cml_encrypt(caddr_t, u_int8_t *);
-static	void cml_decrypt(caddr_t, u_int8_t *);
-static	void cml_zerokey(u_int8_t **);
+static	int cml_setkey(void *, const uint8_t *, int);
+static	void cml_encrypt(void *, const uint8_t *, uint8_t *);
+static	void cml_decrypt(void *, const uint8_t *, uint8_t *);
 
 /* Encryption instances */
 struct enc_xform enc_xform_camellia = {
-	CRYPTO_CAMELLIA_CBC, "Camellia",
-	CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, CAMELLIA_MIN_KEY,
-	CAMELLIA_MAX_KEY,
-	cml_encrypt,
-	cml_decrypt,
-	cml_setkey,
-	cml_zerokey,
-	NULL,
+	.type = CRYPTO_CAMELLIA_CBC,
+	.name = "Camellia-CBC",
+	.ctxsize = sizeof(camellia_ctx),
+	.blocksize = CAMELLIA_BLOCK_LEN,
+	.ivsize = CAMELLIA_BLOCK_LEN,
+	.minkey = CAMELLIA_MIN_KEY,
+	.maxkey = CAMELLIA_MAX_KEY,
+	.encrypt = cml_encrypt,
+	.decrypt = cml_decrypt,
+	.setkey = cml_setkey,
 };
 
 /*
  * Encryption wrapper routines.
  */
 static void
-cml_encrypt(caddr_t key, u_int8_t *blk)
+cml_encrypt(void *ctx, const uint8_t *in, uint8_t *out)
 {
-	camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk);
+	camellia_encrypt(ctx, in, out);
 }
 
 static void
-cml_decrypt(caddr_t key, u_int8_t *blk)
+cml_decrypt(void *ctx, const uint8_t *in, uint8_t *out)
 {
-	camellia_decrypt(((camellia_ctx *) key), (u_char *) blk,
-	    (u_char *) blk);
+	camellia_decrypt(ctx, in, out);
 }
 
 static int
-cml_setkey(u_int8_t **sched, const u_int8_t *key, int len)
+cml_setkey(void *ctx, const uint8_t *key, int len)
 {
-	int err;
 
 	if (len != 16 && len != 24 && len != 32)
 		return (EINVAL);
-	*sched = KMALLOC(sizeof(camellia_ctx), M_CRYPTO_DATA,
-	    M_NOWAIT|M_ZERO);
-	if (*sched != NULL) {
-		camellia_set_key((camellia_ctx *) *sched, key,
-		    len * 8);
-		err = 0;
-	} else
-		err = ENOMEM;
-	return err;
-}
 
-static void
-cml_zerokey(u_int8_t **sched)
-{
-	bzero(*sched, sizeof(camellia_ctx));
-	KFREE(*sched, M_CRYPTO_DATA);
-	*sched = NULL;
+	camellia_set_key(ctx, key, len * 8);
+	return (0);
 }

sys/opencrypto/xform_comp.h

@@ -36,7 +36,6 @@
 
 #include <opencrypto/deflate.h>
 #include <opencrypto/cryptodev.h>
-#include <opencrypto/xform_userland.h>
 
 /* Declarations */
 struct comp_algo {

sys/opencrypto/xform_enc.h

@@ -36,7 +36,6 @@
 #include <crypto/rijndael/rijndael.h>
 #include <crypto/camellia/camellia.h>
 #include <opencrypto/cryptodev.h>
-#include <opencrypto/xform_userland.h>
 
 #define AESICM_BLOCKSIZE	AES_BLOCK_LEN
 #define	AES_XTS_BLOCKSIZE	16
@@ -47,22 +46,22 @@
 struct enc_xform {
 	int type;
 	char *name;
+	size_t ctxsize;
 	u_int16_t blocksize;	/* Required input block size -- 1 for stream ciphers. */
 	u_int16_t ivsize;
 	u_int16_t minkey, maxkey;
-	void (*encrypt) (caddr_t, u_int8_t *);
-	void (*decrypt) (caddr_t, u_int8_t *);
-	int (*setkey) (u_int8_t **, const u_int8_t *, int len);
-	void (*zerokey) (u_int8_t **);
-	void (*reinit) (caddr_t, const u_int8_t *);
+	void (*encrypt) (void *, const uint8_t *, uint8_t *);
+	void (*decrypt) (void *, const uint8_t *, uint8_t *);
+	int (*setkey) (void *, const uint8_t *, int len);
+	void (*reinit) (void *, const u_int8_t *);
 	/*
 	 * Encrypt/decrypt 1+ blocks of input -- total size is 'len' bytes.
 	 * Len is guaranteed to be a multiple of the defined 'blocksize'.
 	 * Optional interface -- most useful for stream ciphers with a small
 	 * blocksize (1).
 	 */
-	void (*encrypt_multi) (void *, uint8_t *, size_t len);
-	void (*decrypt_multi) (void *, uint8_t *, size_t len);
+	void (*encrypt_multi) (void *, const uint8_t *, uint8_t *, size_t len);
+	void (*decrypt_multi) (void *, const uint8_t *, uint8_t *, size_t len);
 };
 
 

sys/opencrypto/xform_gmac.c

@@ -55,13 +55,12 @@ __FBSDID("$FreeBSD$");
 
 /* Encryption instances */
 struct enc_xform enc_xform_aes_nist_gmac = {
-	CRYPTO_AES_NIST_GMAC, "AES-GMAC",
-	AES_ICM_BLOCK_LEN, AES_GCM_IV_LEN, AES_MIN_KEY, AES_MAX_KEY,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
+	.type = CRYPTO_AES_NIST_GMAC,
+	.name = "AES-GMAC",
+	.blocksize = AES_ICM_BLOCK_LEN,
+	.ivsize = AES_GCM_IV_LEN,
+	.minkey = AES_MIN_KEY,
+	.maxkey = AES_MAX_KEY,
 };
 
 /* Authentication instances */

sys/opencrypto/xform_null.c

@@ -53,10 +53,8 @@ __FBSDID("$FreeBSD$");
 #include <opencrypto/xform_auth.h>
 #include <opencrypto/xform_enc.h>
 
-static	int null_setkey(u_int8_t **, const u_int8_t *, int);
-static	void null_encrypt(caddr_t, u_int8_t *);
-static	void null_decrypt(caddr_t, u_int8_t *);
-static	void null_zerokey(u_int8_t **);
+static	int null_setkey(void *, const u_int8_t *, int);
+static	void null_crypt(void *, const uint8_t *, uint8_t *);
 
 static	void null_init(void *);
 static	void null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len);
@@ -65,14 +63,16 @@ static	void null_final(u_int8_t *, void *);
 
 /* Encryption instances */
 struct enc_xform enc_xform_null = {
-	CRYPTO_NULL_CBC, "NULL",
+	.type = CRYPTO_NULL_CBC,
+	.name = "NULL",
 	/* NB: blocksize of 4 is to generate a properly aligned ESP header */
-	NULL_BLOCK_LEN, 0, NULL_MIN_KEY, NULL_MAX_KEY, 
-	null_encrypt,
-	null_decrypt,
-	null_setkey,
-	null_zerokey,
-	NULL,
+	.blocksize = NULL_BLOCK_LEN,
+	.ivsize = 0,
+	.minkey = NULL_MIN_KEY,
+	.maxkey = NULL_MAX_KEY,
+	.encrypt = null_crypt,
+	.decrypt = null_crypt,
+	.setkey = null_setkey,
 };
 
 /* Authentication instances */
@@ -94,26 +94,14 @@ struct auth_hash auth_hash_null = {
  * Encryption wrapper routines.
  */
 static void
-null_encrypt(caddr_t key, u_int8_t *blk)
-{
-}
-
-static void
-null_decrypt(caddr_t key, u_int8_t *blk)
+null_crypt(void *key, const uint8_t *in, uint8_t *out)
 {
 }
 
 static int
-null_setkey(u_int8_t **sched, const u_int8_t *key, int len)
+null_setkey(void *sched, const uint8_t *key, int len)
 {
-	*sched = NULL;
-	return 0;
-}
-
-static void
-null_zerokey(u_int8_t **sched)
-{
-	*sched = NULL;
+	return (0);
 }
 
 /*

sys/opencrypto/xform_rijndael.c

@@ -53,61 +53,46 @@ __FBSDID("$FreeBSD$");
 #include <crypto/rijndael/rijndael.h>
 #include <opencrypto/xform_enc.h>
 
-static	int rijndael128_setkey(u_int8_t **, const u_int8_t *, int);
-static	void rijndael128_encrypt(caddr_t, u_int8_t *);
-static	void rijndael128_decrypt(caddr_t, u_int8_t *);
-static	void rijndael128_zerokey(u_int8_t **);
+static	int rijndael128_setkey(void *, const u_int8_t *, int);
+static	void rijndael128_encrypt(void *, const uint8_t *, uint8_t *);
+static	void rijndael128_decrypt(void *, const uint8_t *, uint8_t *);
 
 /* Encryption instances */
 struct enc_xform enc_xform_rijndael128 = {
-	CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES",
-	RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, RIJNDAEL_MIN_KEY,
-	RIJNDAEL_MAX_KEY,
-	rijndael128_encrypt,
-	rijndael128_decrypt,
-	rijndael128_setkey,
-	rijndael128_zerokey,
-	NULL,
+	.type = CRYPTO_RIJNDAEL128_CBC,
+	.name = "Rijndael-128/AES",
+	.ctxsize = sizeof(rijndael_ctx),
+	.blocksize = RIJNDAEL128_BLOCK_LEN,
+	.ivsize = RIJNDAEL128_BLOCK_LEN,
+	.minkey = RIJNDAEL_MIN_KEY,
+	.maxkey = RIJNDAEL_MAX_KEY,
+	.encrypt = rijndael128_encrypt,
+	.decrypt = rijndael128_decrypt,
+	.setkey = rijndael128_setkey,
 };
 
 /*
  * Encryption wrapper routines.
  */
 static void
-rijndael128_encrypt(caddr_t key, u_int8_t *blk)
+rijndael128_encrypt(void *key, const uint8_t *in, uint8_t *out)
 {
-	rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk);
+	rijndael_encrypt(key, in, out);
 }
 
 static void
-rijndael128_decrypt(caddr_t key, u_int8_t *blk)
+rijndael128_decrypt(void *key, const uint8_t *in, uint8_t *out)
 {
-	rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk,
-	    (u_char *) blk);
+	rijndael_decrypt(key, in, out);
 }
 
 static int
-rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len)
+rijndael128_setkey(void *sched, const uint8_t *key, int len)
 {
-	int err;
 
 	if (len != 16 && len != 24 && len != 32)
 		return (EINVAL);
-	*sched = KMALLOC(sizeof(rijndael_ctx), M_CRYPTO_DATA,
-	    M_NOWAIT|M_ZERO);
-	if (*sched != NULL) {
-		rijndael_set_key((rijndael_ctx *) *sched, key,
-		    len * 8);
-		err = 0;
-	} else
-		err = ENOMEM;
-	return err;
-}
 
-static void
-rijndael128_zerokey(u_int8_t **sched)
-{
-	bzero(*sched, sizeof(rijndael_ctx));
-	KFREE(*sched, M_CRYPTO_DATA);
-	*sched = NULL;
+	rijndael_set_key(sched, key, len * 8);
+	return (0);
 }

sys/opencrypto/xform_userland.h

@@ -1,48 +0,0 @@
-/*-
- * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-#ifndef _CRYPTO_XFORM_USERLAND_H_
-#define _CRYPTO_XFORM_USERLAND_H_
-
-#ifdef _KERNEL
-#include <sys/systm.h>
-#define KMALLOC(size, type, flags)	malloc(size, type, flags)
-#define KFREE(ptr, type)		free(ptr, type)
-#else /* not _KERNEL */
-#ifdef _STANDALONE
-#include <stand.h>
-#else /* !_STAND */
-#include <stdlib.h>
-#include <string.h>
-#endif /* _STAND */
-#define KMALLOC(size, type, flags)	malloc(size)
-#define KFREE(ptr, type)		free(ptr)
-#endif /* _KERNEL */
-
-
-#endif /* _CRYPTO_XFORM_USERLAND_H_ */