Skip to content

Commit

Permalink
Multithreaded encrypt: improvements
Browse files Browse the repository at this point in the history
Split out encryption in software for TLSv13.
Call software encryption in async encrypt.
Support ChaCha20-Poly1305.
  • Loading branch information
SparkiDev committed Dec 17, 2024
1 parent dd3a59c commit dbb5103
Show file tree
Hide file tree
Showing 6 changed files with 218 additions and 196 deletions.
77 changes: 39 additions & 38 deletions src/internal.c
Original file line number Diff line number Diff line change
Expand Up @@ -8234,10 +8234,17 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl)
{
int i;
for (i = 0; i < WOLFSSL_THREADED_CRYPT_CNT; i++) {
bufferStatic* buff = &ssl->buffers.encrypt[i].buffer;

ssl->buffers.encrypt[i].stop = 1;
FreeCiphersSide(&ssl->buffers.encrypt[i].cipher, ssl->heap);
ThreadCrypt* encrypt = &ssl->buffers.encrypt[i];
bufferStatic* buff = &encrypt->buffer;

encrypt->stop = 1;
FreeCiphersSide(&encrypt->cipher, ssl->heap);
#if defined(HAVE_POLY1305) && defined(HAVE_ONE_TIME_AUTH)
if (encrypt->auth.poly1305)
ForceZero(encrypt->auth.poly1305, sizeof(Poly1305));
XFREE(encrypt->auth.poly1305, ssl->heap, DYNAMIC_TYPE_CIPHER);
encrypt->auth.poly1305 = NULL;
#endif
if (buff->dynamicFlag) {
XFREE(buff->buffer - buff->offset, ssl->heap,
DYNAMIC_TYPE_OUT_BUFFER);
Expand All @@ -8248,10 +8255,17 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl)
}
}
for (i = 0; i < WOLFSSL_THREADED_CRYPT_CNT; i++) {
bufferStatic* buff = &ssl->buffers.decrypt[i].buffer;

ssl->buffers.decrypt[i].stop = 1;
FreeCiphersSide(&ssl->buffers.decrypt[i].cipher, ssl->heap);
ThreadCrypt* decrypt = &ssl->buffers.decrypt[i];
bufferStatic* buff = &decrypt->buffer;

decrypt->stop = 1;
FreeCiphersSide(&decrypt->cipher, ssl->heap);
#if defined(HAVE_POLY1305) && defined(HAVE_ONE_TIME_AUTH)
if (decrypt->auth.poly1305)
ForceZero(decrypt->auth.poly1305, sizeof(Poly1305));
XFREE(decrypt->auth.poly1305, ssl->heap, DYNAMIC_TYPE_CIPHER);
decrypt->auth.poly1305 = NULL;
#endif
if (buff->dynamicFlag) {
XFREE(buff->buffer - buff->offset, ssl->heap,
DYNAMIC_TYPE_OUT_BUFFER);
Expand Down Expand Up @@ -25295,40 +25309,27 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
SetKeys(&encrypt->cipher, NULL, &ssl->keys, &ssl->specs,
ssl->options.side, ssl->heap, ssl->devId, ssl->rng,
ssl->options.tls1_3);
#ifdef HAVE_ONE_TIME_AUTH
if (ssl->specs.bulk_cipher_algorithm == wolfssl_chacha) {
ret = SetAuthKeys(&encrypt->auth, &ssl->keys, &ssl->specs,
ssl->heap, ssl->devId);
if (ret != 0)
return ret;
}
#endif

encrypt->init = 1;
}

encrypt->buffer.length = sendSz;
encrypt->offset = RECORD_HEADER_SZ;
if (ssl->options.dtls) {
encrypt->offset += DTLS_RECORD_EXTRA;
}
encrypt->cryptLen = outputSz - encrypt->offset;
#ifdef HAVE_TRUNCATED_HMAC
if (ssl->truncated_hmac) {
encrypt->cryptLen -= min(TRUNCATED_HMAC_SZ,
ssl->specs.hash_size);
}
else
#endif
{
encrypt->cryptLen -= ssl->specs.hash_size;
}

#if !defined(NO_PUBLIC_GCM_SET_IV) && \
((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
XMEMCPY(encrypt->nonce, ssl->keys.aead_enc_imp_IV,
AESGCM_IMP_IV_SZ);
XMEMCPY(encrypt->nonce + AESGCM_IMP_IV_SZ, ssl->keys.aead_exp_IV,
AESGCM_EXP_IV_SZ);
#endif
XMEMSET(encrypt->additional, 0, AEAD_AUTH_DATA_SZ);
WriteSEQ(ssl, CUR_ORDER, encrypt->additional);
XMEMCPY(encrypt->additional + AEAD_TYPE_OFFSET,
encrypt->buffer.buffer, 3);
c16toa(sendSz - encrypt->offset - AESGCM_EXP_IV_SZ -
ssl->specs.aead_mac_size,
encrypt->additional + AEAD_LEN_OFFSET);
encrypt->buffer.idx = 0;
encrypt->cryptLen = sendSz - RECORD_HEADER_SZ;

BuildTls13Nonce(ssl, encrypt->nonce, ssl->keys.aead_enc_imp_IV,
CUR_ORDER);
XMEMCPY(encrypt->additional, encrypt->buffer.buffer,
encrypt->offset);

#ifdef WOLFSSL_DTLS
if (ssl->options.dtls)
Expand Down
5 changes: 4 additions & 1 deletion src/keys.c
Original file line number Diff line number Diff line change
Expand Up @@ -3403,7 +3403,10 @@ int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,

#ifdef HAVE_ONE_TIME_AUTH
/* set one time authentication keys */
static int SetAuthKeys(OneTimeAuth* authentication, Keys* keys,
#ifndef WOLFSSL_THREADED_CRYPT
static
#endif
int SetAuthKeys(OneTimeAuth* authentication, Keys* keys,
CipherSpecs* specs, void* heap, int devId)
{

Expand Down
43 changes: 17 additions & 26 deletions src/ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -23914,36 +23914,27 @@ int wolfSSL_AsyncEncryptStop(WOLFSSL* ssl, int idx)

int wolfSSL_AsyncEncrypt(WOLFSSL* ssl, int idx)
{
int ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
int ret;
ThreadCrypt* encrypt = &ssl->buffers.encrypt[idx];
unsigned char* out = encrypt->buffer.buffer + encrypt->offset;
word32 dataSz = encrypt->cryptLen - ssl->specs.aead_mac_size;

if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) {
unsigned char* out = encrypt->buffer.buffer + encrypt->offset;
unsigned char* input = encrypt->buffer.buffer + encrypt->offset;
word32 encSz = encrypt->buffer.length - encrypt->offset;

ret =
#if !defined(NO_GCM_ENCRYPT_EXTRA) && \
((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
wc_AesGcmEncrypt_ex
ret = EncryptTls13Sw(ssl->specs.bulk_cipher_algorithm, &encrypt->cipher,
#ifdef HAVE_ONE_TIME_AUTH
&encrypt->auth,
#else
wc_AesGcmEncrypt
#endif
(encrypt->cipher.aes,
out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
encSz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
encrypt->nonce, AESGCM_NONCE_SZ,
out + encSz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size,
encrypt->additional, AEAD_AUTH_DATA_SZ);
#if !defined(NO_PUBLIC_GCM_SET_IV) && \
((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
XMEMCPY(out, encrypt->nonce + AESGCM_IMP_IV_SZ, AESGCM_EXP_IV_SZ);
#endif
encrypt->done = 1;
NULL,
#endif
out, out, dataSz, encrypt->nonce, encrypt->additional, RECORD_HEADER_SZ,
ssl->specs.aead_mac_size, 1);
#ifdef WOLFSSL_DTLS13
if (ret == 0 && ssl->options.dtls) {
ret = Dtls13EncryptRecordNumber(ssl, encrypt->buffer.buffer,
(word16)encrypt->buffer.length);
}
#endif /* WOLFSSL_DTLS13 */

encrypt->done = 1;

return ret;
}
Expand Down
Loading

0 comments on commit dbb5103

Please sign in to comment.