crypto: Initial copy from https://github.com/openbsd/sys/crypto

public header files put into include/crpyto
private header/source files put into crpyto

crypto.c cryptodev.[c|h] cryptosoft.[c|h] come from:
commit id is f245bed2a7593bf0decce50caaed4ce05fefd6cf

the rest come from:
commit id is 61b0e532b2dce0a91cf3ea67d346645a61a88cdd

Signed-off-by: anjiahao <anjiahao@xiaomi.com>

include/crypto/aes.h

@@ -0,0 +1,50 @@
+/*	$OpenBSD: aes.h,v 1.4 2020/07/22 13:54:30 tobhe Exp $	*/
+/*
+ * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
+ * Copyright (c) 2016 Mike Belopuhov
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef _AES_H_
+#define _AES_H_
+
+#ifndef AES_MAXROUNDS
+#define AES_MAXROUNDS	(14)
+#endif
+
+typedef struct aes_ctx {
+	uint32_t sk[60];
+	uint32_t sk_exp[120];
+
+	unsigned num_rounds;
+} AES_CTX;
+
+int	AES_Setkey(AES_CTX *, const uint8_t *, int);
+void	AES_Encrypt(AES_CTX *, const uint8_t *, uint8_t *);
+void	AES_Decrypt(AES_CTX *, const uint8_t *, uint8_t *);
+void	AES_Encrypt_ECB(AES_CTX *, const uint8_t *, uint8_t *, size_t);
+void	AES_Decrypt_ECB(AES_CTX *, const uint8_t *, uint8_t *, size_t);
+
+int	AES_KeySetup_Encrypt(uint32_t *, const uint8_t *, int);
+int	AES_KeySetup_Decrypt(uint32_t *, const uint8_t *, int);
+
+#endif	/* _AES_H_ */

include/crypto/blf.h

@@ -0,0 +1,79 @@
+/*	$OpenBSD: blf.h,v 1.7 2021/11/29 01:04:45 djm Exp $	*/
+
+/*
+ * Blowfish - a fast block cipher designed by Bruce Schneier
+ *
+ * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _BLF_H_
+#define _BLF_H_
+
+/* Schneier states the maximum key length to be 56 bytes.
+ * The way how the subkeys are initialized by the key up
+ * to (N+2)*4 i.e. 72 bytes are utilized.
+ * Warning: For normal blowfish encryption only 56 bytes
+ * of the key affect all cipherbits.
+ */
+
+#define BLF_N	16			/* Number of Subkeys */
+#define BLF_MAXKEYLEN ((BLF_N-2)*4)	/* 448 bits */
+#define BLF_MAXUTILIZED ((BLF_N+2)*4)	/* 576 bits */
+
+/* Blowfish context */
+typedef struct BlowfishContext {
+	u_int32_t S[4][256];	/* S-Boxes */
+	u_int32_t P[BLF_N + 2];	/* Subkeys */
+} blf_ctx;
+
+/* Raw access to customized Blowfish
+ *	blf_key is just:
+ *	Blowfish_initstate( state )
+ *	Blowfish_expand0state( state, key, keylen )
+ */
+
+void Blowfish_encipher(blf_ctx *, u_int32_t *);
+void Blowfish_decipher(blf_ctx *, u_int32_t *);
+void Blowfish_initstate(blf_ctx *);
+void Blowfish_expand0state(blf_ctx *, const u_int8_t *, u_int16_t);
+void Blowfish_expandstate(blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t);
+
+/* Standard Blowfish */
+
+void blf_key(blf_ctx *, const u_int8_t *, u_int16_t);
+void blf_enc(blf_ctx *, u_int32_t *, u_int16_t);
+void blf_dec(blf_ctx *, u_int32_t *, u_int16_t);
+
+/* Converts u_int8_t to u_int32_t */
+u_int32_t Blowfish_stream2word(const u_int8_t *, u_int16_t ,
+				    u_int16_t *);
+
+void blf_ecb_encrypt(blf_ctx *, u_int8_t *, u_int32_t);
+void blf_ecb_decrypt(blf_ctx *, u_int8_t *, u_int32_t);
+
+void blf_cbc_encrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
+void blf_cbc_decrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
+#endif

include/crypto/cast.h

@@ -0,0 +1,22 @@
+/*      $OpenBSD: cast.h,v 1.2 2002/03/14 01:26:51 millert Exp $       */
+
+/*
+ *	CAST-128 in C
+ *	Written by Steve Reid <sreid@sea-to-sky.net>
+ *	100% Public Domain - no warranty
+ *	Released 1997.10.11
+ */
+
+#ifndef _CAST_H_
+#define _CAST_H_
+
+typedef struct {
+	u_int32_t	xkey[32];	/* Key, after expansion */
+	int		rounds;		/* Number of rounds to use, 12 or 16 */
+} cast_key;
+
+void cast_setkey(cast_key * key, u_int8_t * rawkey, int keybytes);
+void cast_encrypt(cast_key * key, u_int8_t * inblock, u_int8_t * outblock);
+void cast_decrypt(cast_key * key, u_int8_t * inblock, u_int8_t * outblock);
+
+#endif /* ifndef _CAST_H_ */

include/crypto/chachapoly.h

@@ -0,0 +1,86 @@
+/*	$OpenBSD: chachapoly.h,v 1.4 2020/07/22 13:54:30 tobhe Exp $	*/
+/*
+ * Copyright (c) 2015 Mike Belopuhov
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _CHACHAPOLY_H_
+#define _CHACHAPOLY_H_
+
+#define CHACHA20_KEYSIZE	32
+#define CHACHA20_CTR		4
+#define CHACHA20_SALT		4
+#define CHACHA20_NONCE		8
+#define CHACHA20_BLOCK_LEN	64
+
+struct chacha20_ctx {
+	uint8_t			block[CHACHA20_BLOCK_LEN];
+	uint8_t			nonce[CHACHA20_NONCE];
+};
+
+int	chacha20_setkey(void *, u_int8_t *, int);
+void	chacha20_reinit(caddr_t, u_int8_t *);
+void	chacha20_crypt(caddr_t, u_int8_t *);
+
+
+#define POLY1305_KEYLEN		32
+#define POLY1305_TAGLEN		16
+#define POLY1305_BLOCK_LEN	16
+
+struct poly1305_ctx {
+	/* r, h, pad, leftover */
+	unsigned long		state[5+5+4];
+	size_t			leftover;
+	unsigned char		buffer[POLY1305_BLOCK_LEN];
+	unsigned char		final;
+};
+
+typedef struct {
+	uint8_t			key[POLY1305_KEYLEN];
+	/* counter, salt */
+	uint8_t			nonce[CHACHA20_NONCE];
+	struct chacha20_ctx	chacha;
+	struct poly1305_ctx	poly;
+} CHACHA20_POLY1305_CTX;
+
+void	Chacha20_Poly1305_Init(void *);
+void	Chacha20_Poly1305_Setkey(void *, const uint8_t *, uint16_t);
+void	Chacha20_Poly1305_Reinit(void *, const uint8_t *, uint16_t);
+int	Chacha20_Poly1305_Update(void *, const uint8_t *, uint16_t);
+void	Chacha20_Poly1305_Final(uint8_t[POLY1305_TAGLEN], void *);
+
+/* WireGuard crypto */
+#define CHACHA20POLY1305_KEY_SIZE	CHACHA20_KEYSIZE
+#define CHACHA20POLY1305_AUTHTAG_SIZE	POLY1305_TAGLEN
+#define XCHACHA20POLY1305_NONCE_SIZE	24
+
+void chacha20poly1305_encrypt(uint8_t *, const uint8_t *, const size_t,
+	const uint8_t *, const size_t,	const uint64_t,
+	const uint8_t[CHACHA20POLY1305_KEY_SIZE]);
+
+int chacha20poly1305_decrypt(uint8_t *, const uint8_t *, const size_t,
+	const uint8_t *, const size_t, const uint64_t,
+	const uint8_t[CHACHA20POLY1305_KEY_SIZE]);
+
+void xchacha20poly1305_encrypt(uint8_t *, const uint8_t *, const size_t,
+	const uint8_t *, const size_t,
+	const uint8_t[XCHACHA20POLY1305_NONCE_SIZE],
+	const uint8_t[CHACHA20POLY1305_KEY_SIZE]);
+
+int xchacha20poly1305_decrypt(uint8_t *, const uint8_t *, const size_t,
+	const uint8_t *, const size_t,
+	const uint8_t[XCHACHA20POLY1305_NONCE_SIZE],
+	const uint8_t[CHACHA20POLY1305_KEY_SIZE]);
+
+#endif	/* _CHACHAPOLY_H_ */

include/crypto/cmac.h

@@ -0,0 +1,41 @@
+/*	$OpenBSD: cmac.h,v 1.3 2017/05/02 17:07:06 mikeb Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _CMAC_H_
+#define _CMAC_H_
+
+#define AES_CMAC_KEY_LENGTH	16
+#define AES_CMAC_DIGEST_LENGTH	16
+
+typedef struct _AES_CMAC_CTX {
+	AES_CTX		aesctx;
+	u_int8_t	X[16];
+	u_int8_t	M_last[16];
+	u_int		M_n;
+} AES_CMAC_CTX;
+
+__BEGIN_DECLS
+void	 AES_CMAC_Init(AES_CMAC_CTX *);
+void	 AES_CMAC_SetKey(AES_CMAC_CTX *, const u_int8_t [AES_CMAC_KEY_LENGTH]);
+void	 AES_CMAC_Update(AES_CMAC_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 AES_CMAC_Final(u_int8_t [AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,AES_CMAC_DIGEST_LENGTH)));
+__END_DECLS
+
+#endif /* _CMAC_H_ */

include/crypto/cryptodev.h

@@ -0,0 +1,345 @@
+/*	$OpenBSD: cryptodev.h,v 1.58 2013/10/31 10:32:38 mikeb Exp $	*/
+
+/*
+ * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
+ *
+ * This code was written by Angelos D. Keromytis in Athens, Greece, in
+ * February 2000. Network Security Technologies Inc. (NSTI) kindly
+ * supported the development of this code.
+ *
+ * Copyright (c) 2000 Angelos D. Keromytis
+ *
+ * Permission to use, copy, and modify this software with or without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all source code copies of any software which is or includes a copy or
+ * modification of this software.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ *
+ * Copyright (c) 2001 Theo de Raadt
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Effort sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F30602-01-2-0537.
+ *
+ */
+
+#ifndef _CRYPTO_CRYPTO_H_
+#define _CRYPTO_CRYPTO_H_
+
+#include <sys/ioccom.h>
+#include <sys/task.h>
+
+/* Some initial values */
+#define CRYPTO_DRIVERS_INITIAL	4
+#define CRYPTO_DRIVERS_MAX	128
+#define CRYPTO_SW_SESSIONS	32
+
+/* HMAC values */
+#define HMAC_MD5_BLOCK_LEN	64
+#define HMAC_SHA1_BLOCK_LEN	64
+#define HMAC_RIPEMD160_BLOCK_LEN 64
+#define HMAC_SHA2_256_BLOCK_LEN	64
+#define HMAC_SHA2_384_BLOCK_LEN	128
+#define HMAC_SHA2_512_BLOCK_LEN	128
+#define HMAC_MAX_BLOCK_LEN	HMAC_SHA2_512_BLOCK_LEN	/* keep in sync */
+#define HMAC_IPAD_VAL		0x36
+#define HMAC_OPAD_VAL		0x5C
+
+/* Encryption algorithm block sizes */
+#define DES_BLOCK_LEN		8
+#define DES3_BLOCK_LEN		8
+#define BLOWFISH_BLOCK_LEN	8
+#define CAST128_BLOCK_LEN	8
+#define RIJNDAEL128_BLOCK_LEN	16
+#define EALG_MAX_BLOCK_LEN	16 /* Keep this updated */
+
+/* Maximum hash algorithm result length */
+#define AALG_MAX_RESULT_LEN	64 /* Keep this updated */
+
+#define CRYPTO_DES_CBC		1
+#define CRYPTO_3DES_CBC		2
+#define CRYPTO_BLF_CBC		3
+#define CRYPTO_CAST_CBC		4
+#define CRYPTO_MD5_HMAC		6
+#define CRYPTO_SHA1_HMAC	7
+#define CRYPTO_RIPEMD160_HMAC	8
+#define CRYPTO_MD5_KPDK		9
+#define CRYPTO_SHA1_KPDK	10
+#define CRYPTO_RIJNDAEL128_CBC	11 /* 128 bit blocksize */
+#define CRYPTO_AES_CBC		11 /* 128 bit blocksize -- the same as above */
+#define CRYPTO_ARC4		12
+#define CRYPTO_MD5		13
+#define CRYPTO_SHA1		14
+#define CRYPTO_DEFLATE_COMP	15 /* Deflate compression algorithm */
+#define CRYPTO_NULL		16
+#define CRYPTO_LZS_COMP		17 /* LZS compression algorithm */
+#define CRYPTO_SHA2_256_HMAC	18
+#define CRYPTO_SHA2_384_HMAC	19
+#define CRYPTO_SHA2_512_HMAC	20
+#define CRYPTO_AES_CTR		21
+#define CRYPTO_AES_XTS		22
+#define CRYPTO_AES_GCM_16	23
+#define CRYPTO_AES_128_GMAC	24
+#define CRYPTO_AES_192_GMAC	25
+#define CRYPTO_AES_256_GMAC	26
+#define CRYPTO_AES_GMAC		27
+#define CRYPTO_ESN		28 /* Support for Extended Sequence Numbers */
+#define CRYPTO_ALGORITHM_MAX	28 /* Keep updated */
+
+/* Algorithm flags */
+#define	CRYPTO_ALG_FLAG_SUPPORTED	0x01 /* Algorithm is supported */
+#define	CRYPTO_ALG_FLAG_RNG_ENABLE	0x02 /* Has HW RNG for DH/DSA */
+#define	CRYPTO_ALG_FLAG_DSA_SHA		0x04 /* Can do SHA on msg */
+
+/* Standard initialization structure beginning */
+struct cryptoini {
+	int		cri_alg;	/* Algorithm to use */
+	int		cri_klen;	/* Key length, in bits */
+	int		cri_rnd;	/* Algorithm rounds, where relevant */
+	caddr_t		cri_key;	/* key to use */
+	union {
+		u_int8_t	iv[EALG_MAX_BLOCK_LEN];	/* IV to use */
+		u_int8_t	esn[4];			/* high-order ESN */
+	} u;
+#define cri_iv		u.iv
+#define cri_esn		u.esn
+	struct cryptoini *cri_next;
+};
+
+/* Describe boundaries of a single crypto operation */
+struct cryptodesc {
+	int		crd_skip;	/* How many bytes to ignore from start */
+	int		crd_len;	/* How many bytes to process */
+	int		crd_inject;	/* Where to inject results, if applicable */
+	int		crd_flags;
+
+#define	CRD_F_ENCRYPT		0x01	/* Set when doing encryption */
+#define	CRD_F_IV_PRESENT	0x02	/* When encrypting, IV is already in
+					   place, so don't copy. */
+#define	CRD_F_IV_EXPLICIT	0x04	/* IV explicitly provided */
+#define	CRD_F_DSA_SHA_NEEDED	0x08	/* Compute SHA-1 of buffer for DSA */
+#define CRD_F_COMP		0x10    /* Set when doing compression */
+#define CRD_F_ESN		0x20	/* Set when ESN field is provided */
+
+	struct cryptoini	CRD_INI; /* Initialization/context data */
+#define crd_esn		CRD_INI.cri_esn
+#define crd_iv		CRD_INI.cri_iv
+#define crd_key		CRD_INI.cri_key
+#define crd_rnd		CRD_INI.cri_rnd
+#define crd_alg		CRD_INI.cri_alg
+#define crd_klen	CRD_INI.cri_klen
+
+	struct cryptodesc *crd_next;
+};
+
+/* Structure describing complete operation */
+struct cryptop {
+	struct task	crp_task;
+
+	u_int64_t	crp_sid;	/* Session ID */
+	int		crp_ilen;	/* Input data total length */
+	int		crp_olen;	/* Result total length */
+	int		crp_alloctype;	/* Type of buf to allocate if needed */
+
+	int		crp_etype;	/*
+					 * Error type (zero means no error).
+					 * All error codes except EAGAIN
+					 * indicate possible data corruption (as in,
+					 * the data have been touched). On all
+					 * errors, the crp_sid may have changed
+					 * (reset to a new one), so the caller
+					 * should always check and use the new
+					 * value on future requests.
+					 */
+	int		crp_flags;
+
+#define CRYPTO_F_IMBUF	0x0001	/* Input/output are mbuf chains, otherwise contig */
+#define CRYPTO_F_IOV	0x0002	/* Input/output are uio */
+#define CRYPTO_F_REL	0x0004	/* Must return data in same place */
+#define CRYPTO_F_NOQUEUE	0x0008	/* Don't use crypto queue/thread */
+#define CRYPTO_F_DONE	0x0010	/* request completed */
+
+	void 		*crp_buf;	/* Data to be processed */
+	void 		*crp_opaque;	/* Opaque pointer, passed along */
+	struct cryptodesc *crp_desc;	/* Linked list of processing descriptors */
+
+	int (*crp_callback)(struct cryptop *); /* Callback function */
+
+	caddr_t		crp_mac;
+};
+
+#define CRYPTO_BUF_IOV		0x1
+#define CRYPTO_BUF_MBUF		0x2
+
+#define CRYPTO_OP_DECRYPT	0x0
+#define CRYPTO_OP_ENCRYPT	0x1
+
+/* bignum parameter, in packed bytes, ... */
+struct crparam {
+	caddr_t		crp_p;
+	u_int		crp_nbits;
+};
+
+#define CRK_MAXPARAM	8
+
+struct crypt_kop {
+	u_int		crk_op;		/* ie. CRK_MOD_EXP or other */
+	u_int		crk_status;	/* return status */
+	u_short		crk_iparams;	/* # of input parameters */
+	u_short		crk_oparams;	/* # of output parameters */
+	u_int		crk_pad1;
+	struct crparam	crk_param[CRK_MAXPARAM];
+};
+#define CRK_MOD_EXP		0
+#define CRK_MOD_EXP_CRT		1
+#define CRK_DSA_SIGN		2
+#define CRK_DSA_VERIFY		3
+#define CRK_DH_COMPUTE_KEY	4
+#define CRK_ALGORITHM_MAX	4 /* Keep updated */
+
+#define CRF_MOD_EXP		(1 << CRK_MOD_EXP)
+#define CRF_MOD_EXP_CRT		(1 << CRK_MOD_EXP_CRT)
+#define CRF_DSA_SIGN		(1 << CRK_DSA_SIGN)
+#define CRF_DSA_VERIFY		(1 << CRK_DSA_VERIFY)
+#define CRF_DH_COMPUTE_KEY	(1 << CRK_DH_COMPUTE_KEY)
+
+struct cryptkop {
+	struct task	krp_task;
+
+	u_int		krp_op;		/* ie. CRK_MOD_EXP or other */
+	u_int		krp_status;	/* return status */
+	u_short		krp_iparams;	/* # of input parameters */
+	u_short		krp_oparams;	/* # of output parameters */
+	u_int32_t	krp_hid;
+	struct crparam	krp_param[CRK_MAXPARAM];	/* kvm */
+	int		(*krp_callback)(struct cryptkop *);
+};
+
+/* Crypto capabilities structure */
+struct cryptocap {
+	u_int64_t	cc_operations;	/* Counter of how many ops done */
+	u_int64_t	cc_bytes;	/* Counter of how many bytes done */
+	u_int64_t	cc_koperations;	/* How many PK ops done */
+
+	u_int32_t	cc_sessions;	/* How many sessions allocated */
+
+	/* Symmetric/hash algorithms supported */
+	int		cc_alg[CRYPTO_ALGORITHM_MAX + 1];
+
+	/* Asymmetric algorithms supported */
+	int		cc_kalg[CRK_ALGORITHM_MAX + 1];
+
+	int		cc_queued;	/* Operations queued */
+
+	u_int8_t	cc_flags;
+#define CRYPTOCAP_F_CLEANUP     0x01
+#define CRYPTOCAP_F_SOFTWARE    0x02
+#define CRYPTOCAP_F_ENCRYPT_MAC 0x04 /* Can do encrypt-then-MAC (IPsec) */
+#define CRYPTOCAP_F_MAC_ENCRYPT 0x08 /* Can do MAC-then-encrypt (TLS) */
+
+	int		(*cc_newsession) (u_int32_t *, struct cryptoini *);
+	int		(*cc_process) (struct cryptop *);
+	int		(*cc_freesession) (u_int64_t);
+	int		(*cc_kprocess) (struct cryptkop *);
+};
+
+/*
+ * ioctl parameter to request creation of a session.
+ */
+struct session_op {
+	u_int32_t	cipher;		/* ie. CRYPTO_DES_CBC */
+	u_int32_t	mac;		/* ie. CRYPTO_MD5_HMAC */
+
+	u_int32_t	keylen;		/* cipher key */
+	caddr_t		key;
+	int		mackeylen;	/* mac key */
+	caddr_t		mackey;
+
+	u_int32_t	ses;		/* returns: session # */
+};
+
+/*
+ * ioctl parameter to request a crypt/decrypt operation against a session.
+ */
+struct crypt_op {
+	u_int32_t	ses;
+	u_int16_t	op;		/* ie. COP_ENCRYPT */
+#define COP_ENCRYPT	1
+#define COP_DECRYPT	2
+	u_int16_t	flags;		/* always 0 */
+
+	u_int		len;
+	caddr_t		src, dst;	/* become iov[] inside kernel */
+	caddr_t		mac;		/* must be big enough for chosen MAC */
+	caddr_t		iv;
+};
+
+#define CRYPTO_MAX_MAC_LEN	20
+
+/*
+ * done against open of /dev/crypto, to get a cloned descriptor.
+ * Please use F_SETFD against the cloned descriptor.
+ */
+#define	CRIOGET		_IOWR('c', 100, u_int32_t)
+
+/* the following are done against the cloned descriptor */
+#define	CIOCGSESSION	_IOWR('c', 101, struct session_op)
+#define	CIOCFSESSION	_IOW('c', 102, u_int32_t)
+#define CIOCCRYPT	_IOWR('c', 103, struct crypt_op)
+#define CIOCKEY		_IOWR('c', 104, struct crypt_kop)
+
+#define CIOCASYMFEAT	_IOR('c', 105, u_int32_t)
+
+#ifdef _KERNEL
+int	crypto_newsession(u_int64_t *, struct cryptoini *, int);
+int	crypto_freesession(u_int64_t);
+int	crypto_dispatch(struct cryptop *);
+int	crypto_kdispatch(struct cryptkop *);
+int	crypto_register(u_int32_t, int *,
+	    int (*)(u_int32_t *, struct cryptoini *), int (*)(u_int64_t),
+	    int (*)(struct cryptop *));
+int	crypto_kregister(u_int32_t, int *, int (*)(struct cryptkop *));
+int	crypto_unregister(u_int32_t, int);
+int32_t	crypto_get_driverid(u_int8_t);
+int	crypto_invoke(struct cryptop *);
+int	crypto_kinvoke(struct cryptkop *);
+void	crypto_done(struct cryptop *);
+void	crypto_kdone(struct cryptkop *);
+int	crypto_getfeat(int *);
+
+void	cuio_copydata(struct uio *, int, int, caddr_t);
+void	cuio_copyback(struct uio *, int, int, const void *);
+int	cuio_getptr(struct uio *, int, int *);
+int	cuio_apply(struct uio *, int, int,
+	    int (*f)(caddr_t, caddr_t, unsigned int), caddr_t);
+
+struct	cryptop *crypto_getreq(int);
+void	crypto_freereq(struct cryptop *);
+#endif /* _KERNEL */
+#endif /* _CRYPTO_CRYPTO_H_ */

include/crypto/cryptosoft.h

@@ -0,0 +1,74 @@
+/*	$OpenBSD: cryptosoft.h,v 1.14 2012/12/07 17:03:22 mikeb Exp $	*/
+
+/*
+ * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
+ *
+ * This code was written by Angelos D. Keromytis in Athens, Greece, in
+ * February 2000. Network Security Technologies Inc. (NSTI) kindly
+ * supported the development of this code.
+ *
+ * Copyright (c) 2000 Angelos D. Keromytis
+ *
+ * Permission to use, copy, and modify this software with or without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all source code copies of any software which is or includes a copy or
+ * modification of this software.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#ifndef _CRYPTO_CRYPTOSOFT_H_
+#define _CRYPTO_CRYPTOSOFT_H_
+
+/* Software session entry */
+struct swcr_data {
+	int		sw_alg;		/* Algorithm */
+	union {
+		struct {
+			u_int8_t	 *SW_ictx;
+			u_int8_t	 *SW_octx;
+			u_int32_t	 SW_klen;
+			struct auth_hash *SW_axf;
+		} SWCR_AUTH;
+		struct {
+			u_int8_t	 *SW_kschedule;
+			struct enc_xform *SW_exf;
+		} SWCR_ENC;
+		struct {
+			u_int32_t	 SW_size;
+			struct comp_algo *SW_cxf;
+		} SWCR_COMP;
+	} SWCR_UN;
+
+#define sw_ictx		SWCR_UN.SWCR_AUTH.SW_ictx
+#define sw_octx		SWCR_UN.SWCR_AUTH.SW_octx
+#define sw_klen		SWCR_UN.SWCR_AUTH.SW_klen
+#define sw_axf		SWCR_UN.SWCR_AUTH.SW_axf
+#define sw_kschedule	SWCR_UN.SWCR_ENC.SW_kschedule
+#define sw_exf		SWCR_UN.SWCR_ENC.SW_exf
+#define sw_size		SWCR_UN.SWCR_COMP.SW_size
+#define sw_cxf		SWCR_UN.SWCR_COMP.SW_cxf
+
+	struct swcr_data *sw_next;
+};
+
+#ifdef _KERNEL
+extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
+extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
+
+int	swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
+int	swcr_authcompute(struct cryptop *, struct cryptodesc *, struct swcr_data *,
+	caddr_t, int);
+int	swcr_authenc(struct cryptop *);
+int	swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
+int	swcr_process(struct cryptop *);
+int	swcr_newsession(u_int32_t *, struct cryptoini *);
+int	swcr_freesession(u_int64_t);
+void	swcr_init(void);
+#endif /* _KERNEL */
+
+#endif /* _CRYPTO_CRYPTO_H_ */

include/crypto/gmac.h

@@ -0,0 +1,49 @@
+/*	$OpenBSD: gmac.h,v 1.6 2017/05/02 11:44:32 mikeb Exp $	*/
+
+/*
+ * Copyright (c) 2010 Mike Belopuhov
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _GMAC_H_
+#define _GMAC_H_
+
+#include <crypto/aes.h>
+
+#define GMAC_BLOCK_LEN		16
+#define GMAC_DIGEST_LEN		16
+
+typedef struct _GHASH_CTX {
+	uint8_t		H[GMAC_BLOCK_LEN];		/* hash subkey */
+	uint8_t		S[GMAC_BLOCK_LEN];		/* state */
+	uint8_t		Z[GMAC_BLOCK_LEN];		/* initial state */
+} GHASH_CTX;
+
+typedef struct _AES_GMAC_CTX {
+	GHASH_CTX	ghash;
+	AES_CTX		K;
+	uint8_t		J[GMAC_BLOCK_LEN];		/* counter block */
+} AES_GMAC_CTX;
+
+__BEGIN_DECLS
+extern void (*ghash_update)(GHASH_CTX *, uint8_t *, size_t);
+
+void	AES_GMAC_Init(void *);
+void	AES_GMAC_Setkey(void *, const uint8_t *, uint16_t);
+void	AES_GMAC_Reinit(void *, const uint8_t *, uint16_t);
+int	AES_GMAC_Update(void *, const uint8_t *, uint16_t);
+void	AES_GMAC_Final(uint8_t [GMAC_DIGEST_LEN], void *);
+__END_DECLS
+
+#endif /* _GMAC_H_ */

include/crypto/hmac.h

@@ -0,0 +1,65 @@
+/*	$OpenBSD: hmac.h,v 1.3 2012/12/05 23:20:15 deraadt Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _HMAC_H_
+#define _HMAC_H_
+
+typedef struct _HMAC_MD5_CTX {
+	MD5_CTX		ctx;
+	u_int8_t	key[MD5_BLOCK_LENGTH];
+	u_int		key_len;
+} HMAC_MD5_CTX;
+
+typedef struct _HMAC_SHA1_CTX {
+	SHA1_CTX	ctx;
+	u_int8_t	key[SHA1_BLOCK_LENGTH];
+	u_int		key_len;
+} HMAC_SHA1_CTX;
+
+typedef struct _HMAC_SHA256_CTX {
+	SHA2_CTX	ctx;
+	u_int8_t	key[SHA256_BLOCK_LENGTH];
+	u_int		key_len;
+} HMAC_SHA256_CTX;
+
+__BEGIN_DECLS
+
+void	 HMAC_MD5_Init(HMAC_MD5_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_MD5_Update(HMAC_MD5_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_MD5_Final(u_int8_t [MD5_DIGEST_LENGTH], HMAC_MD5_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,MD5_DIGEST_LENGTH)));
+
+void	 HMAC_SHA1_Init(HMAC_SHA1_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_SHA1_Update(HMAC_SHA1_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_SHA1_Final(u_int8_t [SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,SHA1_DIGEST_LENGTH)));
+
+void	 HMAC_SHA256_Init(HMAC_SHA256_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_SHA256_Update(HMAC_SHA256_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_SHA256_Final(u_int8_t [SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
+
+__END_DECLS
+
+#endif	/* _HMAC_H_ */

include/crypto/idgen.h

@@ -0,0 +1,33 @@
+/*	$OpenBSD: idgen.h,v 1.3 2013/06/05 05:45:54 djm Exp $	*/
+/*
+ * Copyright (c) 2008 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define IDGEN32_ROUNDS		31
+#define IDGEN32_KEYLEN		32
+#define IDGEN32_REKEY_LIMIT	0x60000000
+#define IDGEN32_REKEY_TIME	600
+
+struct idgen32_ctx {
+	u_int32_t id32_counter;
+	u_int32_t id32_offset;
+	u_int32_t id32_hibit;
+	u_int8_t id32_key[IDGEN32_KEYLEN];
+	time_t id32_rekey_time;
+};
+
+void idgen32_init(struct idgen32_ctx *);
+u_int32_t idgen32(struct idgen32_ctx *);
+

include/crypto/key_wrap.h

@@ -0,0 +1,36 @@
+/*	$OpenBSD: key_wrap.h,v 1.3 2017/05/02 17:07:06 mikeb Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _KEY_WRAP_H_
+#define _KEY_WRAP_H_
+
+typedef struct _aes_key_wrap_ctx {
+	AES_CTX		ctx;
+} aes_key_wrap_ctx;
+
+__BEGIN_DECLS
+
+void	aes_key_wrap_set_key(aes_key_wrap_ctx *, const u_int8_t *, size_t);
+void	aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *, const u_int8_t *,
+	    size_t);
+void	aes_key_wrap(aes_key_wrap_ctx *, const u_int8_t *, size_t, u_int8_t *);
+int	aes_key_unwrap(aes_key_wrap_ctx *, const u_int8_t *, u_int8_t *,
+	    size_t);
+__END_DECLS
+
+#endif /* _KEY_WRAP_H_ */

include/crypto/md5.h

@@ -0,0 +1,38 @@
+/*	$OpenBSD: md5.h,v 1.3 2014/11/16 17:39:09 tedu Exp $	*/
+
+/*
+ * This code implements the MD5 message-digest algorithm.
+ * The algorithm is due to Ron Rivest.  This code was
+ * written by Colin Plumb in 1993, no copyright is claimed.
+ * This code is in the public domain; do with it what you wish.
+ *
+ * Equivalent code is available from RSA Data Security, Inc.
+ * This code has been tested against that, and is equivalent,
+ * except that you don't need to include two pages of legalese
+ * with every copy.
+ */
+
+#ifndef _MD5_H_
+#define _MD5_H_
+
+#define	MD5_BLOCK_LENGTH		64
+#define	MD5_DIGEST_LENGTH		16
+
+typedef struct MD5Context {
+	u_int32_t state[4];			/* state */
+	u_int64_t count;			/* number of bits, mod 2^64 */
+	u_int8_t buffer[MD5_BLOCK_LENGTH];	/* input buffer */
+} MD5_CTX;
+
+__BEGIN_DECLS
+void	 MD5Init(MD5_CTX *);
+void	 MD5Update(MD5_CTX *, const void *, size_t)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 MD5Final(u_int8_t [MD5_DIGEST_LENGTH], MD5_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,MD5_DIGEST_LENGTH)));
+void	 MD5Transform(u_int32_t [4], const u_int8_t [MD5_BLOCK_LENGTH])
+		__attribute__((__bounded__(__minbytes__,1,4)))
+		__attribute__((__bounded__(__minbytes__,2,MD5_BLOCK_LENGTH)));
+__END_DECLS
+
+#endif /* _MD5_H_ */

include/crypto/poly1305.h

@@ -0,0 +1,27 @@
+/*	$OpenBSD: poly1305.h,v 1.2 2020/07/22 13:54:30 tobhe Exp $	*/
+/*
+ * Public Domain poly1305 from Andrew Moon
+ *
+ * poly1305 implementation using 32 bit * 32 bit = 64 bit multiplication
+ * and 64 bit addition from https://github.com/floodyberry/poly1305-donna
+ */
+
+#ifndef _POLY1305_H_
+#define _POLY1305_H_
+
+#define poly1305_block_size 16
+
+typedef struct poly1305_state {
+	unsigned long r[5];
+	unsigned long h[5];
+	unsigned long pad[4];
+	size_t leftover;
+	unsigned char buffer[poly1305_block_size];
+	unsigned char final;
+} poly1305_state;
+
+void	poly1305_init(poly1305_state *, const unsigned char[32]);
+void	poly1305_update(poly1305_state *, const unsigned char *, size_t);
+void	poly1305_finish(poly1305_state *, unsigned char[16]);
+
+#endif	/* _POLY1305_H_ */

include/crypto/rijndael.h

@@ -0,0 +1,58 @@
+/*	$OpenBSD: rijndael.h,v 1.13 2008/06/09 07:49:45 djm Exp $ */
+
+/**
+ * rijndael-alg-fst.h
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef __RIJNDAEL_H
+#define __RIJNDAEL_H
+
+#define AES_MAXKEYBITS	(256)
+#define AES_MAXKEYBYTES	(AES_MAXKEYBITS/8)
+/* for 256-bit keys, fewer for less */
+#define AES_MAXROUNDS	14
+
+typedef unsigned char	u8;
+typedef unsigned short	u16;
+typedef unsigned int	u32;
+
+/*  The structure for key information */
+typedef struct {
+	int	enc_only;		/* context contains only encrypt schedule */
+	int	Nr;			/* key-length-dependent number of rounds */
+	u32	ek[4*(AES_MAXROUNDS + 1)];	/* encrypt key schedule */
+	u32	dk[4*(AES_MAXROUNDS + 1)];	/* decrypt key schedule */
+} rijndael_ctx;
+
+int	 rijndael_set_key(rijndael_ctx *, const u_char *, int);
+int	 rijndael_set_key_enc_only(rijndael_ctx *, const u_char *, int);
+void	 rijndael_decrypt(rijndael_ctx *, const u_char *, u_char *);
+void	 rijndael_encrypt(rijndael_ctx *, const u_char *, u_char *);
+
+int	rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int);
+int	rijndaelKeySetupDec(unsigned int [], const unsigned char [], int);
+void	rijndaelEncrypt(const unsigned int [], int, const unsigned char [],
+	    unsigned char []);
+
+#endif /* __RIJNDAEL_H */

include/crypto/rmd160.h

@@ -0,0 +1,49 @@
+/*	$OpenBSD: rmd160.h,v 1.5 2009/07/05 19:33:46 millert Exp $	*/
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef  _RMD160_H
+#define  _RMD160_H
+
+#define RMD160_BLOCK_LENGTH		64
+#define RMD160_DIGEST_LENGTH		20
+
+/* RMD160 context. */
+typedef struct RMD160Context {
+	u_int32_t state[5];			/* state */
+	u_int64_t count;			/* number of bits, mod 2^64 */
+	u_char buffer[RMD160_BLOCK_LENGTH];	/* input buffer */
+} RMD160_CTX;
+
+__BEGIN_DECLS
+void	 RMD160Init(RMD160_CTX *);
+void	 RMD160Transform(u_int32_t [5], const u_char [RMD160_BLOCK_LENGTH])
+	     __attribute__((__bounded__(__minbytes__,1,5)))
+	     __attribute__((__bounded__(__minbytes__,2,RMD160_BLOCK_LENGTH)));
+void	 RMD160Update(RMD160_CTX *, const u_char *, u_int32_t)
+	     __attribute__((__bounded__(__string__,2,3)));
+void	 RMD160Final(u_char [RMD160_DIGEST_LENGTH], RMD160_CTX *)
+	     __attribute__((__bounded__(__minbytes__,1,RMD160_DIGEST_LENGTH)));
+__END_DECLS
+
+#endif  /* _RMD160_H */

include/crypto/sha1.h

@@ -0,0 +1,26 @@
+/*	$OpenBSD: sha1.h,v 1.6 2014/11/16 17:39:09 tedu Exp $	*/
+
+/*
+ * SHA-1 in C
+ * By Steve Reid <steve@edmweb.com>
+ * 100% Public Domain
+ */
+
+#ifndef _SHA1_H_
+#define _SHA1_H_
+
+#define	SHA1_BLOCK_LENGTH		64
+#define	SHA1_DIGEST_LENGTH		20
+
+typedef struct {
+	u_int32_t	state[5];
+	u_int64_t	count;
+	unsigned char	buffer[SHA1_BLOCK_LENGTH];
+} SHA1_CTX;
+  
+void SHA1Init(SHA1_CTX * context);
+void SHA1Transform(u_int32_t state[5], const unsigned char buffer[SHA1_BLOCK_LENGTH]);
+void SHA1Update(SHA1_CTX *context, const void *data, unsigned int len);
+void SHA1Final(unsigned char digest[SHA1_DIGEST_LENGTH], SHA1_CTX *context);
+
+#endif /* _SHA1_H_ */

include/crypto/sha2.h

@@ -0,0 +1,83 @@
+/*	$OpenBSD: sha2.h,v 1.5 2014/11/16 17:39:09 tedu Exp $	*/
+
+/*
+ * FILE:	sha2.h
+ * AUTHOR:	Aaron D. Gifford <me@aarongifford.com>
+ * 
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
+ */
+
+#ifndef _SHA2_H
+#define _SHA2_H
+
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+#define SHA256_BLOCK_LENGTH		64
+#define SHA256_DIGEST_LENGTH		32
+#define SHA256_DIGEST_STRING_LENGTH	(SHA256_DIGEST_LENGTH * 2 + 1)
+#define SHA384_BLOCK_LENGTH		128
+#define SHA384_DIGEST_LENGTH		48
+#define SHA384_DIGEST_STRING_LENGTH	(SHA384_DIGEST_LENGTH * 2 + 1)
+#define SHA512_BLOCK_LENGTH		128
+#define SHA512_DIGEST_LENGTH		64
+#define SHA512_DIGEST_STRING_LENGTH	(SHA512_DIGEST_LENGTH * 2 + 1)
+
+
+/*** SHA-256/384/512 Context Structure *******************************/
+typedef struct _SHA2_CTX {
+	union {
+		u_int32_t	st32[8];
+		u_int64_t	st64[8];
+	} state;
+	u_int64_t	bitcount[2];
+	u_int8_t	buffer[SHA512_BLOCK_LENGTH];
+} SHA2_CTX;
+
+__BEGIN_DECLS
+void SHA256Init(SHA2_CTX *);
+void SHA256Update(SHA2_CTX *, const void *, size_t)
+	__attribute__((__bounded__(__string__,2,3)));
+void SHA256Final(u_int8_t[SHA256_DIGEST_LENGTH], SHA2_CTX *)
+	__attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
+
+void SHA384Init(SHA2_CTX *);
+void SHA384Update(SHA2_CTX *, const void *, size_t)
+	__attribute__((__bounded__(__string__,2,3)));
+void SHA384Final(u_int8_t[SHA384_DIGEST_LENGTH], SHA2_CTX *)
+	__attribute__((__bounded__(__minbytes__,1,SHA384_DIGEST_LENGTH)));
+
+void SHA512Init(SHA2_CTX *);
+void SHA512Update(SHA2_CTX *, const void *, size_t)
+	__attribute__((__bounded__(__string__,2,3)));
+void SHA512Final(u_int8_t[SHA512_DIGEST_LENGTH], SHA2_CTX *)
+	__attribute__((__bounded__(__minbytes__,1,SHA512_DIGEST_LENGTH)));
+__END_DECLS
+
+#endif /* _SHA2_H */

include/crypto/siphash.h

@@ -0,0 +1,87 @@
+/* $OpenBSD: siphash.h,v 1.5 2015/02/20 11:51:03 tedu Exp $ */
+/*-
+ * Copyright (c) 2013 Andre Oppermann <andre@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * SipHash is a family of pseudorandom functions (a.k.a. keyed hash functions)
+ * optimized for speed on short messages returning a 64bit hash/digest value.
+ *
+ * The number of rounds is defined during the initialization:
+ *  SipHash24_Init() for the fast and resonable strong version
+ *  SipHash48_Init() for the strong version (half as fast)
+ *
+ * struct SIPHASH_CTX ctx;
+ * SipHash24_Init(&ctx);
+ * SipHash_SetKey(&ctx, "16bytes long key");
+ * SipHash_Update(&ctx, pointer_to_string, length_of_string);
+ * SipHash_Final(output, &ctx);
+ */
+
+#ifndef _SIPHASH_H_
+#define _SIPHASH_H_
+
+#define SIPHASH_BLOCK_LENGTH	 8
+#define SIPHASH_KEY_LENGTH	16
+#define SIPHASH_DIGEST_LENGTH	 8
+
+typedef struct _SIPHASH_CTX {
+	uint64_t	v[4];
+	uint8_t	buf[SIPHASH_BLOCK_LENGTH];
+	uint32_t	bytes;
+} SIPHASH_CTX;
+
+typedef struct {
+	uint64_t	k0;
+	uint64_t	k1;
+} SIPHASH_KEY;
+
+void		SipHash_Init(SIPHASH_CTX *, const SIPHASH_KEY *);
+void		SipHash_Update(SIPHASH_CTX *, int, int, const void *, size_t)
+		    __bounded((__buffer__, 4, 5));
+uint64_t	SipHash_End(SIPHASH_CTX *, int, int);
+void		SipHash_Final(void *, SIPHASH_CTX *, int, int)
+		    __bounded((__minbytes__, 1, SIPHASH_DIGEST_LENGTH));
+uint64_t	SipHash(const SIPHASH_KEY *, int, int, const void *, size_t)
+		    __bounded((__buffer__, 4, 5));
+
+#define SipHash24_Init(_c, _k)		SipHash_Init((_c), (_k))
+#define SipHash24_Update(_c, _p, _l)	SipHash_Update((_c), 2, 4, (_p), (_l))
+#define SipHash24_End(_d)		SipHash_End((_d), 2, 4)
+#define SipHash24_Final(_d, _c)		SipHash_Final((_d), (_c), 2, 4)
+#define SipHash24(_k, _p, _l)		SipHash((_k), 2, 4, (_p), (_l))
+
+#define SipHash48_Init(_c, _k)		SipHash_Init((_c), (_k))
+#define SipHash48_Update(_c, _p, _l)	SipHash_Update((_c), 4, 8, (_p), (_l))
+#define SipHash48_End(_d)		SipHash_End((_d), 4, 8)
+#define SipHash48_Final(_d, _c)		SipHash_Final((_d), (_c), 4, 8)
+#define SipHash48(_k, _p, _l)		SipHash((_k), 4, 8, (_p), (_l))
+
+#endif /* _SIPHASH_H_ */

include/crypto/xform.h

@@ -0,0 +1,111 @@
+/*	$OpenBSD: xform.h,v 1.32 2021/10/22 12:30:53 bluhm Exp $	*/
+
+/*
+ * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
+ *
+ * This code was written by Angelos D. Keromytis in Athens, Greece, in
+ * February 2000. Network Security Technologies Inc. (NSTI) kindly
+ * supported the development of this code.
+ *
+ * Copyright (c) 2000 Angelos D. Keromytis
+ *
+ * Permission to use, copy, and modify this software with or without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all source code copies of any software which is or includes a copy or
+ * modification of this software.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#ifndef _CRYPTO_XFORM_H_
+#define _CRYPTO_XFORM_H_
+
+#include <crypto/md5.h>
+#include <crypto/sha1.h>
+#include <crypto/rmd160.h>
+#include <crypto/sha2.h>
+#include <crypto/gmac.h>
+
+#define AESCTR_NONCESIZE	4
+#define AESCTR_IVSIZE		8
+#define AESCTR_BLOCKSIZE	16
+
+#define AES_XTS_BLOCKSIZE	16
+#define AES_XTS_IVSIZE		8
+#define AES_XTS_ALPHA		0x87	/* GF(2^128) generator polynomial */
+
+/* Declarations */
+struct auth_hash {
+	int type;
+	char *name;
+	u_int16_t keysize;
+	u_int16_t hashsize;
+	u_int16_t authsize;
+	u_int16_t ctxsize;
+	u_int16_t blocksize;
+	void (*Init) (void *);
+	void (*Setkey) (void *, const u_int8_t *, u_int16_t);
+	void (*Reinit) (void *, const u_int8_t *, u_int16_t);
+	int  (*Update) (void *, const u_int8_t *, u_int16_t);
+	void (*Final) (u_int8_t *, void *);
+};
+
+struct enc_xform {
+	int type;
+	char *name;
+	u_int16_t blocksize;
+	u_int16_t ivsize;
+	u_int16_t minkey;
+	u_int16_t maxkey;
+	u_int16_t ctxsize;
+	void (*encrypt) (caddr_t, u_int8_t *);
+	void (*decrypt) (caddr_t, u_int8_t *);
+	int  (*setkey) (void *, u_int8_t *, int len);
+	void (*reinit) (caddr_t, u_int8_t *);
+};
+
+struct comp_algo {
+	int type;
+	char *name;
+	size_t minlen;
+	u_int32_t (*compress) (u_int8_t *, u_int32_t, u_int8_t **);
+	u_int32_t (*decompress) (u_int8_t *, u_int32_t, u_int8_t **);
+};
+
+union authctx {
+	MD5_CTX md5ctx;
+	SHA1_CTX sha1ctx;
+	RMD160_CTX rmd160ctx;
+	SHA2_CTX sha2_ctx;
+	AES_GMAC_CTX aes_gmac_ctx;
+};
+
+extern const struct enc_xform enc_xform_3des;
+extern const struct enc_xform enc_xform_blf;
+extern const struct enc_xform enc_xform_cast5;
+extern const struct enc_xform enc_xform_aes;
+extern const struct enc_xform enc_xform_aes_ctr;
+extern const struct enc_xform enc_xform_aes_gcm;
+extern const struct enc_xform enc_xform_aes_gmac;
+extern const struct enc_xform enc_xform_aes_xts;
+extern const struct enc_xform enc_xform_chacha20_poly1305;
+extern const struct enc_xform enc_xform_null;
+
+extern const struct auth_hash auth_hash_hmac_md5_96;
+extern const struct auth_hash auth_hash_hmac_sha1_96;
+extern const struct auth_hash auth_hash_hmac_ripemd_160_96;
+extern const struct auth_hash auth_hash_hmac_sha2_256_128;
+extern const struct auth_hash auth_hash_hmac_sha2_384_192;
+extern const struct auth_hash auth_hash_hmac_sha2_512_256;
+extern const struct auth_hash auth_hash_gmac_aes_128;
+extern const struct auth_hash auth_hash_gmac_aes_192;
+extern const struct auth_hash auth_hash_gmac_aes_256;
+extern const struct auth_hash auth_hash_chacha20_poly1305;
+
+extern const struct comp_algo comp_algo_deflate;
+
+#endif /* _CRYPTO_XFORM_H_ */