crypto: Move blake2s_hmac() to its only user wg_noise.c

The blake2s_hmac() is simply an ad-hoc HMAC implementation using the
BLAKE2s hash algorithm. It's not generic; a proper solution is to
implem

crypto: Move blake2s_hmac() to its only user wg_noise.c

The blake2s_hmac() is simply an ad-hoc HMAC implementation using the
BLAKE2s hash algorithm. It's not generic; a proper solution is to
implement the HMAC construction that supports any hash algorithms.
Therefore, it's better to move blake2s_hmac() to wg_noise.c as
noise_hmac().

See also: https://git.zx2c4.com/wireguard-freebsd/commit/?id=5c5832279855722b939a381b9a291dc5ca2ee52e

show more ...

crypto: Fix the KKASSERT() in blake2s_init_key()

crypto: Minor cleanups to blake2s

- Adjust the KKASSERT() to be easier to read.
- Add KKASSERT() to blake2s_hmac(), avoiding the possible misuse of
passing a too large 'outlen', which could cause

crypto: Minor cleanups to blake2s

- Adjust the KKASSERT() to be easier to read.
- Add KKASSERT() to blake2s_hmac(), avoiding the possible misuse of
passing a too large 'outlen', which could cause panic or data
corruption.
- Minor style cleanups.

show more ...

crypto: Add two comments to _chacha20poly1305_final()

It's actually not hard to understand, but add comments to make it quite
clear.

Various minor whitespace cleanups

Accumulated along the way.

crypto/chachapoly: Allow output be NULL in decrypting empty plaintext

Don't distinguish the input cipher data from AD by checking whether the
output buffer is NULL, because it's actually valid to pa

crypto/chachapoly: Allow output be NULL in decrypting empty plaintext

Don't distinguish the input cipher data from AD by checking whether the
output buffer is NULL, because it's actually valid to pass it as NULL
when to decrypt a message of empty plaintext. And it's really used by
WireGuard.

So separate the AD process code into a separate helper function named
_chacha20poly1305_update_ad(). Update the assertions to not blindly
assert 'out != NULL'. Also add a note about this special case to the
header file.

show more ...

crypto: Implement chacha20poly1305 in-place process for mbuf chains

Implement the chacha20poly1305_{encrypt,decrypt}_mbuf() functions that
performs in-place encryption and decryption for data in an

crypto: Implement chacha20poly1305 in-place process for mbuf chains

Implement the chacha20poly1305_{encrypt,decrypt}_mbuf() functions that
performs in-place encryption and decryption for data in an mbuf chain.

The in-kernel WireGuard will use these two functions to encrypt/decrypt
packets.

show more ...

crypto: Refactor the chacha20poly1305 code to be more flexible

Introduce the 'chacha20poly1305_ctx' struct to hold the context, and
implement the _init()/_update()/_final() functions as the building

crypto: Refactor the chacha20poly1305 code to be more flexible

Introduce the 'chacha20poly1305_ctx' struct to hold the context, and
implement the _init()/_update()/_final() functions as the building
blocks to perform encryption/decryption in a more generic way.

The main intention is to help implement the in-place encryption and
decryption of data in an mbuf chain. That would reduce the unnecessary
memory allocations and data copies in packet manipulations, as needed by
the in-kernel WireGuard. This API will be done in a later commit.

Rewrite the original chacha20poly1305_{encrypt,decrypt}() functions
using the new blocks.

show more ...

crypto: Add ChaCha20-Poly1305 and XChaCha20-Poly1305 AEAD

Derived from OpenBSD with significant modifications by me:

- Removed unused code to hook into the cryptosoft framework.
- Adjusted the inte

crypto: Add ChaCha20-Poly1305 and XChaCha20-Poly1305 AEAD

Derived from OpenBSD with significant modifications by me:

- Removed unused code to hook into the cryptosoft framework.
- Adjusted the interface to align with the IETF RFC document
(e.g., make the nonce a byte string other than a uint64_t),
so that the code becomes more generic.

References:
- RFC 8439: ChaCha20 and Poly1305 for IETF Protocols
- RFC draft: XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305

show more ...

crypto: Add brief descriptions to every chacha20 public function

One important note is that chacha_encrypt_bytes() supports in-place
decryption/encryption. This point ensures that the chacha20poly1

crypto: Add brief descriptions to every chacha20 public function

One important note is that chacha_encrypt_bytes() supports in-place
decryption/encryption. This point ensures that the chacha20poly1305
code also supports in-place operations.

show more ...

crypto: Add hchacha20() for implementing XChaCha20-Poly1305 AEAD

Derived from OpenBSD. I changed memcpy() to multiple U32TO8_LITTLE()s,
so the output key is in the standard little-endian format.

R

crypto: Add hchacha20() for implementing XChaCha20-Poly1305 AEAD

Derived from OpenBSD. I changed memcpy() to multiple U32TO8_LITTLE()s,
so the output key is in the standard little-endian format.

Reference:
- RFC draft: XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305

show more ...

crypto: Adjust curve25519 and hook to build

- Fix header inclusions.
- Add necessary '__inline' for '__always_inline' to fix build.
- Replace 'letoh32()' with 'le32toh()'.
- Adjust style a bit to be

crypto: Adjust curve25519 and hook to build

- Fix header inclusions.
- Add necessary '__inline' for '__always_inline' to fix build.
- Replace 'letoh32()' with 'le32toh()'.
- Adjust style a bit to be more consistent.

show more ...

crypto: Import Curve25519 implementation from OpenBSD

Required by the in-kernel WireGuard VPN.

crypto: Some minor cleanups to poly1305

- Use 'uint8_t' instead of 'unsigned char', being more consistent with
other crypto code (e.g., chacha20)
- Add two more macros: POLY1305_KEY_SIZE, POLY1305

crypto: Some minor cleanups to poly1305

- Use 'uint8_t' instead of 'unsigned char', being more consistent with
other crypto code (e.g., chacha20)
- Add two more macros: POLY1305_KEY_SIZE, POLY1305_MAC_SIZE

show more ...

crypto: Adjust poly1305 and hook to build

- Use all uppercase for macro constant (i.e., POLY1305_BLOCK_SIZE).
- Add 'inline' to two helper functions: U8TO32(), U32TO8()

crypto: Import Poly1305 implementation from OpenBSD

This hash algorithm is required to implement the Chacha20-Poly1305 AEAD
cipher as required by the in-kernel WireGuard VPN.

crypto: Remove unnecessary 'const' qualifiers in blake2s

crypto: Adjust blake2 and hook to build

Make necessary changes to make it build. Meanwhile, adjust the style a
bit to look more consistent.

crypto: Import BLAKE2s implementation from OpenBSD

Required by the in-kernel WireGuard VPN.

crypto: Adjust siphash a bit and hook to build

crypto: Import SipHash implementation from FreeBSD

Required by the in-kernel WireGuard VPN.

crypto: Remove unused/useless chacha20/chacha-sw.c

It's used in FreeBSD to hook the software-implementation (without
hardware acceleration) of Chacha20 to the crypto(9) framework. Given
our crypto(

crypto: Remove unused/useless chacha20/chacha-sw.c

It's used in FreeBSD to hook the software-implementation (without
hardware acceleration) of Chacha20 to the crypto(9) framework. Given
our crypto(9) is significantly different from FreeBSD's, this source is
useless to us. The hook code must be rewritten in our side.

show more ...

crypto: Include chacha20 into this module

crypto: Cleanup Makefile by grouping and sorting the sources

crypto: Remove obsolete chacha (superseded by chacha20)