1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
60 	unsigned int counter[CHACHA_CTR_SIZE / 4];  in ossl_chacha20()  local
69 	if (crp->crp_cipher_key != NULL)  in ossl_chacha20()
70 		cipher_key = crp->crp_cipher_key;  in ossl_chacha20()
72 		cipher_key = csp->csp_cipher_key;  in ossl_chacha20()
73 	for (i = 0; i < nitems(key); i++)  in ossl_chacha20()
75 	crypto_read_iv(crp, counter);  in ossl_chacha20()
76 	for (i = 0; i < nitems(counter); i++)  in ossl_chacha20()
77 		counter[i] = le32toh(counter[i]);  in ossl_chacha20()
79 	resid = crp->crp_payload_length;  in ossl_chacha20()
80 	crypto_cursor_init(&cc_in, &crp->crp_buf);  in ossl_chacha20()
81 	crypto_cursor_advance(&cc_in, crp->crp_payload_start);  in ossl_chacha20()
84 		crypto_cursor_init(&cc_out, &crp->crp_obuf);  in ossl_chacha20()
85 		crypto_cursor_advance(&cc_out, crp->crp_payload_output_start);  in ossl_chacha20()
111 		/* Truncate if the 32-bit counter would roll over. */  in ossl_chacha20()
112 		next_counter = counter[0] + todo / CHACHA_BLK_SIZE;  in ossl_chacha20()
113 		if (next_counter < counter[0]) {  in ossl_chacha20()
114 			todo -= next_counter * CHACHA_BLK_SIZE;  in ossl_chacha20()
115 			next_counter = 0;  in ossl_chacha20()
118 		ChaCha20_ctr32(out, in, todo, key, counter);  in ossl_chacha20()
120 		counter[0] = next_counter;  in ossl_chacha20()
121 		if (counter[0] == 0)  in ossl_chacha20()
122 			counter[1]++;  in ossl_chacha20()
130 			outlen -= todo;  in ossl_chacha20()
137 			inlen -= todo;  in ossl_chacha20()
139 		resid -= todo;  in ossl_chacha20()
142 	if (resid > 0) {  in ossl_chacha20()
143 		memset(block, 0, sizeof(block));  in ossl_chacha20()
145 		ChaCha20_ctr32(block, block, CHACHA_BLK_SIZE, key, counter);  in ossl_chacha20()
150 	explicit_bzero(counter, sizeof(counter));  in ossl_chacha20()
152 	return (0);  in ossl_chacha20()
160 	unsigned int counter[CHACHA_CTR_SIZE / 4];  in ossl_chacha20_poly1305_encrypt()  local
171 	if (crp->crp_cipher_key != NULL)  in ossl_chacha20_poly1305_encrypt()
172 		cipher_key = crp->crp_cipher_key;  in ossl_chacha20_poly1305_encrypt()
174 		cipher_key = csp->csp_cipher_key;  in ossl_chacha20_poly1305_encrypt()
175 	for (i = 0; i < nitems(key); i++)  in ossl_chacha20_poly1305_encrypt()
178 	memset(counter, 0, sizeof(counter));  in ossl_chacha20_poly1305_encrypt()
179 	crypto_read_iv(crp, counter + (CHACHA_CTR_SIZE - csp->csp_ivlen) / 4);  in ossl_chacha20_poly1305_encrypt()
180 	for (i = 1; i < nitems(counter); i++)  in ossl_chacha20_poly1305_encrypt()
181 		counter[i] = le32toh(counter[i]);  in ossl_chacha20_poly1305_encrypt()
183 	/* Block 0 is used to generate the poly1305 key. */  in ossl_chacha20_poly1305_encrypt()
184 	counter[0] = 0;  in ossl_chacha20_poly1305_encrypt()
186 	memset(block, 0, sizeof(block));  in ossl_chacha20_poly1305_encrypt()
187 	ChaCha20_ctr32(block, block, sizeof(block), key, counter);  in ossl_chacha20_poly1305_encrypt()
191 	if (crp->crp_aad != NULL)  in ossl_chacha20_poly1305_encrypt()
192 		Poly1305_Update(&auth_ctx, crp->crp_aad, crp->crp_aad_length);  in ossl_chacha20_poly1305_encrypt()
194 		crypto_apply(crp, crp->crp_aad_start, crp->crp_aad_length,  in ossl_chacha20_poly1305_encrypt()
196 	if (crp->crp_aad_length % 16 != 0) {  in ossl_chacha20_poly1305_encrypt()
198 		memset(block, 0, 16);  in ossl_chacha20_poly1305_encrypt()
200 		    16 - crp->crp_aad_length % 16);  in ossl_chacha20_poly1305_encrypt()
204 	counter[0] = 1;  in ossl_chacha20_poly1305_encrypt()
207 	resid = crp->crp_payload_length;  in ossl_chacha20_poly1305_encrypt()
208 	crypto_cursor_init(&cc_in, &crp->crp_buf);  in ossl_chacha20_poly1305_encrypt()
209 	crypto_cursor_advance(&cc_in, crp->crp_payload_start);  in ossl_chacha20_poly1305_encrypt()
212 		crypto_cursor_init(&cc_out, &crp->crp_obuf);  in ossl_chacha20_poly1305_encrypt()
213 		crypto_cursor_advance(&cc_out, crp->crp_payload_output_start);  in ossl_chacha20_poly1305_encrypt()
239 		/* Truncate if the 32-bit counter would roll over. */  in ossl_chacha20_poly1305_encrypt()
240 		next_counter = counter[0] + todo / CHACHA_BLK_SIZE;  in ossl_chacha20_poly1305_encrypt()
241 		if (csp->csp_ivlen == 8 && next_counter < counter[0]) {  in ossl_chacha20_poly1305_encrypt()
242 			todo -= next_counter * CHACHA_BLK_SIZE;  in ossl_chacha20_poly1305_encrypt()
243 			next_counter = 0;  in ossl_chacha20_poly1305_encrypt()
246 		ChaCha20_ctr32(out, in, todo, key, counter);  in ossl_chacha20_poly1305_encrypt()
249 		counter[0] = next_counter;  in ossl_chacha20_poly1305_encrypt()
250 		if (csp->csp_ivlen == 8 && counter[0] == 0)  in ossl_chacha20_poly1305_encrypt()
251 			counter[1]++;  in ossl_chacha20_poly1305_encrypt()
259 			outlen -= todo;  in ossl_chacha20_poly1305_encrypt()
266 			inlen -= todo;  in ossl_chacha20_poly1305_encrypt()
268 		resid -= todo;  in ossl_chacha20_poly1305_encrypt()
271 	if (resid > 0) {  in ossl_chacha20_poly1305_encrypt()
272 		memset(block, 0, sizeof(block));  in ossl_chacha20_poly1305_encrypt()
274 		ChaCha20_ctr32(block, block, CHACHA_BLK_SIZE, key, counter);  in ossl_chacha20_poly1305_encrypt()
279 		memset(block + resid, 0, todo - resid);  in ossl_chacha20_poly1305_encrypt()
284 	le64enc(block, crp->crp_aad_length);  in ossl_chacha20_poly1305_encrypt()
285 	le64enc(block + 8, crp->crp_payload_length);  in ossl_chacha20_poly1305_encrypt()
289 	crypto_copyback(crp, crp->crp_digest_start, csp->csp_auth_mlen == 0 ?  in ossl_chacha20_poly1305_encrypt()
290 	    POLY1305_HASH_LEN : csp->csp_auth_mlen, tag);  in ossl_chacha20_poly1305_encrypt()
295 	explicit_bzero(counter, sizeof(counter));  in ossl_chacha20_poly1305_encrypt()
297 	return (0);  in ossl_chacha20_poly1305_encrypt()
306 	unsigned int counter[CHACHA_CTR_SIZE / 4];  in ossl_chacha20_poly1305_decrypt()  local
318 	if (crp->crp_cipher_key != NULL)  in ossl_chacha20_poly1305_decrypt()
319 		cipher_key = crp->crp_cipher_key;  in ossl_chacha20_poly1305_decrypt()
321 		cipher_key = csp->csp_cipher_key;  in ossl_chacha20_poly1305_decrypt()
322 	for (i = 0; i < nitems(key); i++)  in ossl_chacha20_poly1305_decrypt()
325 	memset(counter, 0, sizeof(counter));  in ossl_chacha20_poly1305_decrypt()
326 	crypto_read_iv(crp, counter + (CHACHA_CTR_SIZE - csp->csp_ivlen) / 4);  in ossl_chacha20_poly1305_decrypt()
327 	for (i = 1; i < nitems(counter); i++)  in ossl_chacha20_poly1305_decrypt()
328 		counter[i] = le32toh(counter[i]);  in ossl_chacha20_poly1305_decrypt()
330 	/* Block 0 is used to generate the poly1305 key. */  in ossl_chacha20_poly1305_decrypt()
331 	counter[0] = 0;  in ossl_chacha20_poly1305_decrypt()
333 	memset(block, 0, sizeof(block));  in ossl_chacha20_poly1305_decrypt()
334 	ChaCha20_ctr32(block, block, sizeof(block), key, counter);  in ossl_chacha20_poly1305_decrypt()
338 	if (crp->crp_aad != NULL)  in ossl_chacha20_poly1305_decrypt()
339 		Poly1305_Update(&auth_ctx, crp->crp_aad, crp->crp_aad_length);  in ossl_chacha20_poly1305_decrypt()
341 		crypto_apply(crp, crp->crp_aad_start, crp->crp_aad_length,  in ossl_chacha20_poly1305_decrypt()
343 	if (crp->crp_aad_length % 16 != 0) {  in ossl_chacha20_poly1305_decrypt()
345 		memset(block, 0, 16);  in ossl_chacha20_poly1305_decrypt()
347 		    16 - crp->crp_aad_length % 16);  in ossl_chacha20_poly1305_decrypt()
351 	crypto_apply(crp, crp->crp_payload_start, crp->crp_payload_length,  in ossl_chacha20_poly1305_decrypt()
353 	if (crp->crp_payload_length % 16 != 0) {  in ossl_chacha20_poly1305_decrypt()
355 		memset(block, 0, 16);  in ossl_chacha20_poly1305_decrypt()
357 		    16 - crp->crp_payload_length % 16);  in ossl_chacha20_poly1305_decrypt()
361 	le64enc(block, crp->crp_aad_length);  in ossl_chacha20_poly1305_decrypt()
362 	le64enc(block + 8, crp->crp_payload_length);  in ossl_chacha20_poly1305_decrypt()
366 	mlen = csp->csp_auth_mlen == 0 ? POLY1305_HASH_LEN : csp->csp_auth_mlen;  in ossl_chacha20_poly1305_decrypt()
367 	crypto_copydata(crp, crp->crp_digest_start, mlen, tag2);  in ossl_chacha20_poly1305_decrypt()
368 	if (timingsafe_bcmp(tag, tag2, mlen) != 0) {  in ossl_chacha20_poly1305_decrypt()
374 	counter[0] = 1;  in ossl_chacha20_poly1305_decrypt()
376 	resid = crp->crp_payload_length;  in ossl_chacha20_poly1305_decrypt()
377 	crypto_cursor_init(&cc_in, &crp->crp_buf);  in ossl_chacha20_poly1305_decrypt()
378 	crypto_cursor_advance(&cc_in, crp->crp_payload_start);  in ossl_chacha20_poly1305_decrypt()
381 		crypto_cursor_init(&cc_out, &crp->crp_obuf);  in ossl_chacha20_poly1305_decrypt()
382 		crypto_cursor_advance(&cc_out, crp->crp_payload_output_start);  in ossl_chacha20_poly1305_decrypt()
408 		/* Truncate if the 32-bit counter would roll over. */  in ossl_chacha20_poly1305_decrypt()
409 		next_counter = counter[0] + todo / CHACHA_BLK_SIZE;  in ossl_chacha20_poly1305_decrypt()
410 		if (csp->csp_ivlen == 8 && next_counter < counter[0]) {  in ossl_chacha20_poly1305_decrypt()
411 			todo -= next_counter * CHACHA_BLK_SIZE;  in ossl_chacha20_poly1305_decrypt()
412 			next_counter = 0;  in ossl_chacha20_poly1305_decrypt()
415 		ChaCha20_ctr32(out, in, todo, key, counter);  in ossl_chacha20_poly1305_decrypt()
417 		counter[0] = next_counter;  in ossl_chacha20_poly1305_decrypt()
418 		if (csp->csp_ivlen == 8 && counter[0] == 0)  in ossl_chacha20_poly1305_decrypt()
419 			counter[1]++;  in ossl_chacha20_poly1305_decrypt()
427 			outlen -= todo;  in ossl_chacha20_poly1305_decrypt()
434 			inlen -= todo;  in ossl_chacha20_poly1305_decrypt()
436 		resid -= todo;  in ossl_chacha20_poly1305_decrypt()
439 	if (resid > 0) {  in ossl_chacha20_poly1305_decrypt()
440 		memset(block, 0, sizeof(block));  in ossl_chacha20_poly1305_decrypt()
442 		ChaCha20_ctr32(block, block, CHACHA_BLK_SIZE, key, counter);  in ossl_chacha20_poly1305_decrypt()
446 	error = 0;  in ossl_chacha20_poly1305_decrypt()
451 	explicit_bzero(counter, sizeof(counter));  in ossl_chacha20_poly1305_decrypt()