git: ec3872a696a9 - stable/13 - Add an OCF algorithm for ChaCha20-Poly1305 AEAD.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 21 Oct 2021 17:06:50 UTC
The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=ec3872a696a9b931ca8366c616bf9efc2dbfe8f8 commit ec3872a696a9b931ca8366c616bf9efc2dbfe8f8 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-02-18 17:21:56 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-10-21 15:51:22 +0000 Add an OCF algorithm for ChaCha20-Poly1305 AEAD. Note that this algorithm implements the mode defined in RFC 8439. Reviewed by: cem Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D27836 (cherry picked from commit fc8fc743d89388c0c5b97a491428fab2b36beac8) --- share/man/man7/crypto.7 | 4 +++- sys/conf/files | 1 + sys/modules/crypto/Makefile | 1 + sys/opencrypto/crypto.c | 12 +++++----- sys/opencrypto/cryptodev.c | 11 +++++++++ sys/opencrypto/cryptodev.h | 5 +++- sys/opencrypto/xform_chacha20_poly1305.c | 41 ++++++++++++++++++++++++++++++++ sys/opencrypto/xform_enc.h | 1 + 8 files changed, 68 insertions(+), 8 deletions(-) diff --git a/share/man/man7/crypto.7 b/share/man/man7/crypto.7 index d6cae1e39819..ccc2d1fc9be3 100644 --- a/share/man/man7/crypto.7 +++ b/share/man/man7/crypto.7 @@ -27,7 +27,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 20, 2021 +.Dd February 18, 2021 .Dt CRYPTO 7 .Os .Sh NAME @@ -161,6 +161,8 @@ The following AEAD algorithms are supported: AES Galois/Counter Mode .It Dv CRYPTO_AES_CCM_16 Ta 12 Ta 16, 24, 32 Ta 16 Ta AES Counter with CBC-MAC +.It Dv CRYPTO_CHACHA20_POLY1305 Ta 12 Ta 32 Ta 16 Ta +ChaCha20-Poly1305 .El .Sh SEE ALSO .Xr crypto 4 , diff --git a/sys/conf/files b/sys/conf/files index 2d3ae104753d..a352a0759c99 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -4948,6 +4948,7 @@ opencrypto/gfmult.c optional crypto | ipsec | ipsec_support opencrypto/rmd160.c optional crypto | ipsec | ipsec_support opencrypto/xform.c optional crypto | ipsec | ipsec_support opencrypto/xform_cbc_mac.c optional crypto +opencrypto/xform_chacha20_poly1305.c optional crypto opencrypto/xform_poly1305.c optional crypto \ compile-with "${NORMAL_C} -I$S/contrib/libsodium/src/libsodium/include -I$S/crypto/libsodium" contrib/libsodium/src/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c \ diff --git a/sys/modules/crypto/Makefile b/sys/modules/crypto/Makefile index 01ade43a0e51..89af6ab8fc61 100644 --- a/sys/modules/crypto/Makefile +++ b/sys/modules/crypto/Makefile @@ -67,6 +67,7 @@ SRCS += randombytes.c CFLAGS.randombytes.c += -I${LIBSODIUM_INC} -I${LIBSODIUM_COMPAT} SRCS += utils.c CFLAGS.utils.c += -I${LIBSODIUM_INC} -I${LIBSODIUM_COMPAT} +SRCS += xform_chacha20_poly1305.c SRCS += opt_param.h cryptodev_if.h bus_if.h device_if.h SRCS += opt_compat.h diff --git a/sys/opencrypto/crypto.c b/sys/opencrypto/crypto.c index 59c74c86de00..704077043bb8 100644 --- a/sys/opencrypto/crypto.c +++ b/sys/opencrypto/crypto.c @@ -602,6 +602,8 @@ crypto_cipher(const struct crypto_session_params *csp) return (&enc_xform_chacha20); case CRYPTO_AES_CCM_16: return (&enc_xform_ccm); + case CRYPTO_CHACHA20_POLY1305: + return (&enc_xform_chacha20_poly1305); default: return (NULL); } @@ -693,6 +695,7 @@ static enum alg_type { [CRYPTO_POLY1305] = ALG_KEYED_DIGEST, [CRYPTO_AES_CCM_CBC_MAC] = ALG_KEYED_DIGEST, [CRYPTO_AES_CCM_16] = ALG_AEAD, + [CRYPTO_CHACHA20_POLY1305] = ALG_AEAD, }; static enum alg_type @@ -837,6 +840,7 @@ check_csp(const struct crypto_session_params *csp) switch (csp->csp_cipher_alg) { case CRYPTO_AES_NIST_GCM_16: case CRYPTO_AES_CCM_16: + case CRYPTO_CHACHA20_POLY1305: if (csp->csp_auth_mlen > 16) return (false); break; @@ -1310,12 +1314,8 @@ crp_sanity(struct cryptop *crp) crp->crp_op == (CRYPTO_OP_DECRYPT | CRYPTO_OP_VERIFY_DIGEST), ("invalid AEAD op %x", crp->crp_op)); - if (csp->csp_cipher_alg == CRYPTO_AES_NIST_GCM_16) - KASSERT(crp->crp_flags & CRYPTO_F_IV_SEPARATE, - ("GCM without a separate IV")); - if (csp->csp_cipher_alg == CRYPTO_AES_CCM_16) - KASSERT(crp->crp_flags & CRYPTO_F_IV_SEPARATE, - ("CCM without a separate IV")); + KASSERT(crp->crp_flags & CRYPTO_F_IV_SEPARATE, + ("AEAD without a separate IV")); break; case CSP_MODE_ETA: KASSERT(crp->crp_op == diff --git a/sys/opencrypto/cryptodev.c b/sys/opencrypto/cryptodev.c index 61f8f332e1ca..81c6dcd01e2a 100644 --- a/sys/opencrypto/cryptodev.c +++ b/sys/opencrypto/cryptodev.c @@ -428,6 +428,9 @@ cse_create(struct fcrypt *fcr, struct session2_op *sop) case CRYPTO_AES_CCM_16: txform = &enc_xform_ccm; break; + case CRYPTO_CHACHA20_POLY1305: + txform = &enc_xform_chacha20_poly1305; + break; default: CRYPTDEB("invalid cipher"); SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); @@ -586,6 +589,12 @@ cse_create(struct fcrypt *fcr, struct session2_op *sop) return (EINVAL); } csp.csp_mode = CSP_MODE_AEAD; + } else if (sop->cipher == CRYPTO_CHACHA20_POLY1305) { + if (sop->mac != 0) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); + return (EINVAL); + } + csp.csp_mode = CSP_MODE_AEAD; } else if (txform != NULL && thash != NULL) csp.csp_mode = CSP_MODE_ETA; else if (txform != NULL) @@ -679,6 +688,8 @@ cse_create(struct fcrypt *fcr, struct session2_op *sop) cse->hashsize = AES_GMAC_HASH_LEN; else if (csp.csp_cipher_alg == CRYPTO_AES_CCM_16) cse->hashsize = AES_CBC_MAC_HASH_LEN; + else if (csp.csp_cipher_alg == CRYPTO_CHACHA20_POLY1305) + cse->hashsize = POLY1305_HASH_LEN; cse->ivsize = csp.csp_ivlen; mtx_lock(&fcr->lock); diff --git a/sys/opencrypto/cryptodev.h b/sys/opencrypto/cryptodev.h index ecb1d929d1db..277867734841 100644 --- a/sys/opencrypto/cryptodev.h +++ b/sys/opencrypto/cryptodev.h @@ -124,6 +124,7 @@ #define AES_CCM_IV_LEN 12 #define AES_XTS_IV_LEN 8 #define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ +#define CHACHA20_POLY1305_IV_LEN 12 /* Min and Max Encryption Key Sizes */ #define NULL_MIN_KEY 0 @@ -136,6 +137,7 @@ #define AES_XTS_MAX_KEY (2 * AES_MAX_KEY) #define CAMELLIA_MIN_KEY 16 #define CAMELLIA_MAX_KEY 32 +#define CHACHA20_POLY1305_KEY 32 /* Maximum hash algorithm result length */ #define AALG_MAX_RESULT_LEN 64 /* Keep this updated */ @@ -184,7 +186,8 @@ #define CRYPTO_POLY1305 38 #define CRYPTO_AES_CCM_CBC_MAC 39 /* auth side */ #define CRYPTO_AES_CCM_16 40 /* cipher side */ -#define CRYPTO_ALGORITHM_MAX 40 /* Keep updated - see below */ +#define CRYPTO_CHACHA20_POLY1305 41 /* combined AEAD cipher per RFC 8439 */ +#define CRYPTO_ALGORITHM_MAX 41 /* Keep updated - see below */ #define CRYPTO_ALGO_VALID(x) ((x) >= CRYPTO_ALGORITHM_MIN && \ (x) <= CRYPTO_ALGORITHM_MAX) diff --git a/sys/opencrypto/xform_chacha20_poly1305.c b/sys/opencrypto/xform_chacha20_poly1305.c new file mode 100644 index 000000000000..e568e76cad51 --- /dev/null +++ b/sys/opencrypto/xform_chacha20_poly1305.c @@ -0,0 +1,41 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2020 Netflix Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <crypto/chacha20/chacha.h> +#include <opencrypto/xform_enc.h> + +struct enc_xform enc_xform_chacha20_poly1305 = { + .type = CRYPTO_CHACHA20_POLY1305, + .name = "ChaCha20-Poly1305", + .ctxsize = sizeof(struct chacha_ctx), + .blocksize = 1, + .native_blocksize = CHACHA_BLOCKLEN, + .ivsize = CHACHA20_POLY1305_IV_LEN, + .minkey = CHACHA20_POLY1305_KEY, + .maxkey = CHACHA20_POLY1305_KEY, +}; + diff --git a/sys/opencrypto/xform_enc.h b/sys/opencrypto/xform_enc.h index b44f1ff0c270..e8325f20917b 100644 --- a/sys/opencrypto/xform_enc.h +++ b/sys/opencrypto/xform_enc.h @@ -81,6 +81,7 @@ extern struct enc_xform enc_xform_aes_nist_gmac; extern struct enc_xform enc_xform_aes_xts; extern struct enc_xform enc_xform_camellia; extern struct enc_xform enc_xform_chacha20; +extern struct enc_xform enc_xform_chacha20_poly1305; extern struct enc_xform enc_xform_ccm; struct aes_icm_ctx {