path: root/sys/crypto/chacha20
Commit message | Author | Age | Files | Lines
* crypto: avoid warnings about too-long initializer strings | Dimitry Andric | 2025-12-30 | 1 | -2/+2
  Mark `sigma` and `tau` as `__non_string`, to avoid warnings from clang 21
  similar to:

    sys/crypto/chacha20/chacha.c:53:31: error: initializer-string for character array is too long, array size is 16 but initializer has size 17 (including the null terminating character); did you mean to use the 'nonstring' attribute? [-Werror,-Wunterminated-string-initialization]
       53 | static const char sigma[16] = "expand 32-byte k";
          |                               ^~~~~~~~~~~~~~~~~~
    sys/crypto/chacha20/chacha.c:54:29: error: initializer-string for character array is too long, array size is 16 but initializer has size 17 (including the null terminating character); did you mean to use the 'nonstring' attribute? [-Werror,-Wunterminated-string-initialization]
       54 | static const char tau[16] = "expand 16-byte k";
          |                             ^~~~~~~~~~~~~~~~~~

  MFC after: 3 days
  Reviewed by: markj
  Differential Revision: https://reviews.freebsd.org/D54364
* style(9): white space after ; and around binary operators | David E. O'Brien | 2025-10-16 | 1 | -3/+3
  in for() loops. Also, use 'while', where only the conditional test of 'for'
  was used.

  Reviewed by: sjg
* sys: Automated cleanup of cdefs and other formatting | Warner Losh | 2023-11-27 | 1 | -1/+0
  Apply the following automated changes to try to eliminate no-longer-needed
  sys/cdefs.h includes as well as now-empty blank lines in a row.

  Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
  Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
  Remove /\n+#if.*\n#endif.*\n+/
  Remove /^#if.*\n#endif.*\n/
  Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
  Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
  Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

  Sponsored by: Netflix
* sys: Remove $FreeBSD$: one-line bare tag | Warner Losh | 2023-08-16 | 1 | -2/+0
  Remove /^\s*\$FreeBSD\$$\n/
* sys: Remove $FreeBSD$: one-line .c pattern | Warner Losh | 2023-08-16 | 2 | -4/+0
  Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
* sys: Remove $FreeBSD$: one-line .c comment pattern | Warner Losh | 2023-08-16 | 1 | -1/+0
  Remove /^/[*/]\s*\$FreeBSD\$.*\n/
* crypto: Re-add encrypt/decrypt_multi hooks to enc_xform. | John Baldwin | 2022-01-11 | 1 | -2/+12
  These callbacks allow multiple contiguous blocks to be manipulated in a
  single call. Note that any trailing partial block for a stream cipher must
  still be passed to encrypt/decrypt_last.

  While here, document the setkey and reinit hooks and reorder the hooks in
  'struct enc_xform' to better reflect the life cycle.

  Reviewed by: markj
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D33529
* crypto: Permit variable-sized IVs for ciphers with a reinit hook. | John Baldwin | 2021-10-06 | 1 | -2/+3
  Add a 'len' argument to the reinit hook in 'struct enc_xform' to permit
  support for AEAD ciphers such as AES-CCM and Chacha20-Poly1305 which support
  different nonce lengths.

  Reviewed by: markj
  Sponsored by: Chelsio Communications, The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D32105
* crypto: Constify all transform descriptors | Mark Johnston | 2021-07-26 | 1 | -1/+1
  No functional change intended.

  Reviewed by: ae, jhb
  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D31196
* Consistently use C99 fixed-width types in the in-kernel crypto code. | John Baldwin | 2020-11-03 | 1 | -1/+1
  Reviewed by: markj
  Sponsored by: Chelsio Communications
  Differential Revision: https://reviews.freebsd.org/D27061

  Notes: svn path=/head/; revision=367309
* Improve support for stream ciphers in the software encryption interface. | John Baldwin | 2020-05-22 | 1 | -4/+5
  Add a 'native_blocksize' member to 'struct enc_xform' that ciphers can use
  if they support a partial final block. This is particularly useful for
  stream ciphers, but can also apply to other ciphers. cryptosoft will only
  pass in native blocks to the encrypt and decrypt hooks. For the final
  partial block, 'struct enc_xform' now has new encrypt_last/decrypt_last
  hooks which accept the length of the final block. The multi_block methods
  are also retired.

  Mark AES-ICM (AES-CTR) as a stream cipher. This has some interesting effects
  on IPsec in that FreeBSD can now properly receive all packets sent by Linux
  when using AES-CTR, but FreeBSD can no longer interoperate with OpenBSD and
  older versions of FreeBSD which assume AES-CTR packets have a payload padded
  to a 16-byte boundary. Kornel has offered to work on a patch to add a
  compatibility sysctl to enforce additional padding for AES-CTR in esp_output
  to permit compatibility with OpenBSD and older versions of FreeBSD.

  AES-XTS continues to use a block size of a single AES block length. It is
  possible to adjust it to support partial final blocks by implementing cipher
  text stealing via encrypt_last/decrypt_last hooks, but I have not done so.

  Reviewed by: cem (earlier version)
  Tested by: Kornel Dulęba <mindal@semihalf.com> (AES-CTR with IPsec)
  Sponsored by: Netflix
  Differential Revision: https://reviews.freebsd.org/D24906

  Notes: svn path=/head/; revision=361390
* Various cleanups to the software encryption transform interface. | John Baldwin | 2020-05-20 | 1 | -30/+8
  - Consistently use 'void *' for key schedules / key contexts instead of a
    mix of 'caddr_t', 'uint8_t *', and 'void *'.

  - Add a ctxsize member to enc_xform similar to what auth transforms use and
    require callers to malloc/zfree the context. The setkey callback now
    supplies the caller-allocated context pointer and the zerokey callback is
    removed. Callers now always use zfree() to ensure key contexts are zeroed.

  - Consistently use C99 initializers for all statically-initialized instances
    of 'struct enc_xform'.

  - Change the encrypt and decrypt functions to accept separate in and out
    buffer pointers. Almost all of the backend crypto functions already
    supported separate input and output buffers and this makes it simpler to
    support separate buffers in OCF.

  - Remove xform_userland.h shim to permit transforms to be compiled in
    userland. Transforms no longer call malloc/free directly.

  Reviewed by: cem (earlier version)
  Sponsored by: Netflix
  Differential Revision: https://reviews.freebsd.org/D24855

  Notes: svn path=/head/; revision=361298
* Use 'const' for keys and IVs passed to software encryption algorithms. | John Baldwin | 2019-08-22 | 1 | -2/+2
  Specifically, use 'const' for the key passed to the 'setkey' method and
  'const' for the 'iv' passed to the 'reinit' method.

  Reviewed by: cem
  Sponsored by: Chelsio Communications
  Differential Revision: https://reviews.freebsd.org/D21347

  Notes: svn path=/head/; revision=351364
* Embedded chacha: Add 0-bit iv + 128-bit counter mode | Conrad Meyer | 2019-03-01 | 2 | -1/+43
  This mode might be suitable for a Fortuna keystream primitive.

  Reviewed by: markm
  Sponsored by: Dell EMC Isilon
  Differential Revision: https://reviews.freebsd.org/D19410

  Notes: svn path=/head/; revision=344714
* Add explicit copyright text to trivial header | Conrad Meyer | 2018-10-22 | 1 | -0/+3
  Reported by: rgrimes

  Notes: svn path=/head/; revision=339561
* Embedded chacha: Remove some harmless dead stores in keystream mode | Conrad Meyer | 2018-10-20 | 1 | -0/+2
  (From r338059.)

  Sponsored by: Dell EMC Isilon

  Notes: svn path=/head/; revision=339500
* Embedded chacha: Distinguish via dedicated macro | Conrad Meyer | 2018-10-20 | 1 | -3/+3
  Set embedding expectations via CHACHA_EMBED macro rather than _KERNEL
  definition.

  No functional change.

  Sponsored by: Dell EMC Isilon

  Notes: svn path=/head/; revision=339499
* crypto/chacha: Split header into separate _chacha.h | Conrad Meyer | 2018-10-20 | 2 | -4/+13
  Sponsored by: Dell EMC Isilon

  Notes: svn path=/head/; revision=339498
* Update userland arc4random() with OpenBSD's Chacha20 based arc4random(). | Xin LI | 2018-08-19 | 2 | -7/+16
  ObsoleteFiles.inc:
      Remove manual pages for arc4random_addrandom(3) and arc4random_stir(3).

  contrib/ntp/lib/isc/random.c:
  contrib/ntp/sntp/libevent/evutil_rand.c:
      Eliminate in-tree usage of arc4random_addrandom().

  crypto/heimdal/lib/roken/rand.c:
  crypto/openssh/config.h:
      Eliminate in-tree usage of arc4random_stir().

  include/stdlib.h:
      Remove arc4random_stir() and arc4random_addrandom() prototypes, provide
      temporary shims for transition period.

  lib/libc/gen/Makefile.inc:
      Hook arc4random-compat.c to build, add hint for Chacha20 source for
      kernel, and remove arc4random_addrandom(3) and arc4random_stir(3) links.

  lib/libc/gen/arc4random.c:
      Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the
      sys/crypto/chacha20 implementation of keystream.

  lib/libc/gen/Symbol.map:
      Remove arc4random_stir and arc4random_addrandom interfaces.

  lib/libc/gen/arc4random.h:
      Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.

  lib/libc/gen/arc4random.3:
      Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and r118247.

  lib/libc/gen/arc4random-compat.c:
      Compatibility shims for arc4random_stir and arc4random_addrandom
      functions to preserve ABI. Log once when called but do nothing
      otherwise.

  lib/libc/gen/getentropy.c:
  lib/libc/include/libc_private.h:
      Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl). Remove
      from libc_private.h as a result.

  sys/crypto/chacha20/chacha.c:
  sys/crypto/chacha20/chacha.h:
      Make it possible to use the kernel implementation in libc.

  PR: 182610
  Reviewed by: cem, markm
  Obtained from: OpenBSD
  Relnotes: yes
  Differential Revision: https://reviews.freebsd.org/D16760

  Notes: svn path=/head/; revision=338059
* opencrypto: Integrate Chacha20 algorithm into OCF | Conrad Meyer | 2018-03-29 | 1 | -0/+78
  Mostly this is a thin shim around existing code to integrate with enc_xform
  and cryptosoft (+ cryptodev).

  Expand the cryptodev buffer used to match that of Chacha20's native block
  size as a performance enhancement for chacha20_xform_crypt_multi.

  Notes: svn path=/head/; revision=331724
* Garbage collect unused chacha20 code | Conrad Meyer | 2018-03-16 | 2 | -262/+0
  Two copies of chacha20 were imported into the tree on Apr 15 2017 (r316982)
  and Apr 16 2017 (r317015). Only the latter is actually used by anything, so
  just go ahead and garbage collect the unused version while it's still only
  in CURRENT.

  I'm not making any judgement on which implementation is better. If I pulled
  the wrong one, feel free to swap the existing implementation out and replace
  it with the other code (conforming to the API that actually gets used in
  randomdev, of course). We only need one generic implementation.

  Sponsored by: Dell EMC Isilon

  Notes: svn path=/head/; revision=331049
* Fix counter increment in Salsa and ChaCha. | Dag-Erling Smørgrav | 2017-04-22 | 1 | -3/+2
  In my eagerness to eliminate a branch which is taken once per 2^38 bytes of
  keystream, I forgot that the state words are in host order. Thus, the
  counter increment code worked fine on little-endian machines, but not on
  big-endian ones. Switch to a simpler (branchful) solution.

  Notes: svn path=/head/; revision=317277
* Replace the RC4 algorithm for generating in-kernel secure random | Mark Murray | 2017-04-16 | 2 | -0/+256
  numbers with Chacha20. Keep the API, though, as that is what the other
  *BSD's have done.

  Use the boot-time entropy stash (if present) to bootstrap the in-kernel
  entropy source.

  Reviewed by: delphij,rwatson
  Approved by: so(delphij)
  MFC after: 2 months
  Relnotes: yes
  Differential Revision: https://reviews.freebsd.org/D10048

  Notes: svn path=/head/; revision=317015
* 3BSD-licensed implementation of the chacha20 stream cipher, intended for | Dag-Erling Smørgrav | 2017-04-15 | 2 | -0/+263
  use by the upcoming arc4random replacement.

  Notes: svn path=/head/; revision=316982