src/sys/crypto, branch release/13.2.0

sha512_224: Fix SHA512_224_Final() on little-endian machines.

2023-02-09T20:32:56Z

PR: 266863 MFC after: 1 week Reviewed by: allanjude, cperciva, des Differential Revision: https://reviews.freebsd.org/D38372 (cherry picked from commit 6680cfe8e0eec4427716ab50d73ab8231dd9ab28)

OpenSSL: Regen assembly files for OpenSSL 1.1.1t

2023-02-07T22:39:41Z

(cherry picked from commit f1cf49002dbb0b1976ef1ebd8e689a7825e3e06f)

OpenSSL: Regen assembly file for OpenSSSL 1.1.1s

2022-11-18T02:45:26Z

(cherry picked from commit f443d0802a21279387596ec2c9644d3e91ca0431)

: Fix operations with 8 byte nonce.

2022-11-15T01:39:54Z

In head, the inline ChaCha20+Poly1305 API is implemented using the software implementation backing OCF, but that requires API changes that can't be MFC'd. As a result, this API in stable/13 uses libsodium directly. However, libsodium's version of ChaCha20+Poly1305 with an 8 byte nonce uses a different construction for the Poly1305 hash than is used for the standard IETF AEAD cipher used for TLS and IPsec. WireGuard's use of an 8 byte nonce also uses the more standard construction. Since the verison in stable/13 was using libsodium directly for the 8 byte nonce case, it was generating incorrect MACs for if_wg(4). As a workaround, change the direct API to always use the IETF API from libsodium which uses 12 byte nonces. This can be done by zero-extending the provided 8 byte nonce to 12 bytes so long as the passed in buffers are sufficiently small to not overflow a 4 byte counter. This fixes key negotiation for if_wg(4) on stable/13. This is also a direct commit to stable/13. Reported by: Marek Zarychta

Fix the IV length in the armv8 AES GCM code

2022-09-21T09:45:52Z

Reviewed by: cem, delphij Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D36403 (cherry picked from commit 7c4cfece6b7cc9733610b99682be5e9f11f31fc3)

crypto: Add an API supporting curve25519.

2022-07-13T19:28:41Z

This adds a wrapper around libsodium's curve25519 support matching Linux's curve25519 API. The intended use case for this is WireGuard. Note that this is not integrated with OCF as it is not related to symmetric operations on data. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33935 (cherry picked from commit 0c6274a819ffdf6d5a3713b2c0f7014840f01703)

crypto: Add a simple API for [X]ChaCha20-Poly1035 on flat buffers.

2022-07-13T19:25:55Z

This is a synchronous software API which wraps the existing software implementation in libsodium. This is different from the code in main in that this uses libsodium directly. The version in main uses the software backend shared with OCF, but main required changes that break the ABI of struct enc_xform that cannot be merged to stable/13. Sponsored by: The FreeBSD Foundation (cherry picked from commit e71680049bb8ff395aeaa144377dd9e49331f45e)

OpenSSL: Regen assembly file for OpenSSSL 1.1.1q

2022-07-05T16:27:52Z

(cherry picked from commit 9576bca5834b3ccfbf7ff7d3b49db9c05c51d44c)

OpenSSL: Regen assembly file for OpenSSSL 1.1.1p

2022-06-21T22:49:17Z

(cherry picked from commit ec4d9b059ededda578be479c1d043c921907ed11)

crypto: Validate AES-GCM IV length in check_csp().

2022-04-29T20:50:04Z

This centralizes the check for valid nonce lengths for AES-GCM. While here, remove some duplicate checks for valid AES-GCM tag lengths from ccp(4) and ccr(4). Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33194 (cherry picked from commit 6e17a2e00d62fd3041e0bb511fe925079ad1c0d7)