Changeset View
Changeset View
Standalone View
Standalone View
sys/crypto/openssl/ossl_chacha20.c
- This file was added.
/*- | |||||
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD | |||||
* | |||||
* Copyright (c) 2020 Netflix, Inc | |||||
* | |||||
* Redistribution and use in source and binary forms, with or without | |||||
* modification, are permitted provided that the following conditions | |||||
* are met: | |||||
* 1. Redistributions of source code must retain the above copyright | |||||
* notice, this list of conditions and the following disclaimer, | |||||
* without modification. | |||||
* 2. Redistributions in binary form must reproduce at minimum a disclaimer | |||||
* similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any | |||||
* redistribution must be conditioned upon including a substantially | |||||
* similar Disclaimer requirement for further binary redistribution. | |||||
* | |||||
* NO WARRANTY | |||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |||||
* LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY | |||||
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL | |||||
* THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, | |||||
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER | |||||
* IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF | |||||
* THE POSSIBILITY OF SUCH DAMAGES. | |||||
*/ | |||||
#include <sys/types.h> | |||||
#include <sys/endian.h> | |||||
#include <sys/malloc.h> | |||||
#include <sys/time.h> | |||||
#include <opencrypto/cryptodev.h> | |||||
#include <crypto/openssl/ossl.h> | |||||
#include <crypto/openssl/ossl_chacha.h> | |||||
int | |||||
ossl_chacha20(struct cryptop *crp, const struct crypto_session_params *csp) | |||||
{ | |||||
_Alignas(8) unsigned int key[CHACHA_KEY_SIZE / 4]; | |||||
unsigned int counter[CHACHA_CTR_SIZE / 4]; | |||||
unsigned char block[CHACHA_BLK_SIZE]; | |||||
struct crypto_buffer_cursor cc_in, cc_out; | |||||
const unsigned char *in, *inseg, *cipher_key; | |||||
unsigned char *out, *outseg; | |||||
size_t resid, todo, inlen, outlen; | |||||
uint32_t next_counter; | |||||
u_int i; | |||||
if (crp->crp_cipher_key != NULL) | |||||
cipher_key = crp->crp_cipher_key; | |||||
else | |||||
cipher_key = csp->csp_cipher_key; | |||||
for (i = 0; i < nitems(key); i++) | |||||
key[i] = CHACHA_U8TOU32(cipher_key + i * 4); | |||||
crypto_read_iv(crp, counter); | |||||
for (i = 0; i < nitems(counter); i++) | |||||
counter[i] = le32toh(counter[i]); | |||||
resid = crp->crp_payload_length; | |||||
crypto_cursor_init(&cc_in, &crp->crp_buf); | |||||
crypto_cursor_advance(&cc_in, crp->crp_payload_start); | |||||
inseg = crypto_cursor_segbase(&cc_in); | |||||
inlen = crypto_cursor_seglen(&cc_in); | |||||
if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) { | |||||
crypto_cursor_init(&cc_out, &crp->crp_obuf); | |||||
crypto_cursor_advance(&cc_out, crp->crp_payload_output_start); | |||||
} else | |||||
cc_out = cc_in; | |||||
outseg = crypto_cursor_segbase(&cc_out); | |||||
outlen = crypto_cursor_seglen(&cc_out); | |||||
while (resid >= CHACHA_BLK_SIZE) { | |||||
if (inlen < CHACHA_BLK_SIZE) { | |||||
crypto_cursor_copydata(&cc_in, CHACHA_BLK_SIZE, block); | |||||
in = block; | |||||
inlen = CHACHA_BLK_SIZE; | |||||
} else | |||||
in = inseg; | |||||
if (outlen < CHACHA_BLK_SIZE) { | |||||
out = block; | |||||
outlen = CHACHA_BLK_SIZE; | |||||
} else | |||||
out = outseg; | |||||
/* Figure out how many blocks we can encrypt/decrypt at once. */ | |||||
todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE); | |||||
#ifdef __LP64__ | |||||
/* ChaCha20_ctr32() assumes length is <= 4GB. */ | |||||
todo = (uint32_t)todo; | |||||
#endif | |||||
/* Truncate if the 32-bit counter would roll over. */ | |||||
next_counter = counter[0] + todo / CHACHA_BLK_SIZE; | |||||
if (next_counter < counter[0]) { | |||||
todo -= next_counter * CHACHA_BLK_SIZE; | |||||
next_counter = 0; | |||||
} | |||||
ChaCha20_ctr32(out, in, todo, key, counter); | |||||
counter[0] = next_counter; | |||||
if (counter[0] == 0) | |||||
counter[1]++; | |||||
if (out == block) { | |||||
crypto_cursor_copyback(&cc_out, CHACHA_BLK_SIZE, block); | |||||
outseg = crypto_cursor_segbase(&cc_out); | |||||
outlen = crypto_cursor_seglen(&cc_out); | |||||
} else { | |||||
crypto_cursor_advance(&cc_out, todo); | |||||
outseg += todo; | |||||
outlen -= todo; | |||||
} | |||||
if (in == block) { | |||||
inseg = crypto_cursor_segbase(&cc_in); | |||||
inlen = crypto_cursor_seglen(&cc_in); | |||||
} else { | |||||
crypto_cursor_advance(&cc_in, todo); | |||||
inseg += todo; | |||||
inlen -= todo; | |||||
} | |||||
resid -= todo; | |||||
} | |||||
if (resid > 0) { | |||||
memset(block, 0, sizeof(block)); | |||||
crypto_cursor_copydata(&cc_in, resid, block); | |||||
ChaCha20_ctr32(block, block, CHACHA_BLK_SIZE, key, counter); | |||||
crypto_cursor_copyback(&cc_out, resid, block); | |||||
} | |||||
explicit_bzero(block, sizeof(block)); | |||||
explicit_bzero(counter, sizeof(counter)); | |||||
explicit_bzero(key, sizeof(key)); | |||||
return (0); | |||||
} |