1 files changed, 18 insertions, 6 deletions

diff --git a/usr/src/common/crypto/chacha/chacha.c b/usr/src/common/crypto/chacha/chacha.c
index cef4aac466..3665ae28d4 100644
--- a/usr/src/common/crypto/chacha/chacha.c
+++ b/usr/src/common/crypto/chacha/chacha.c
@@ -1,13 +1,25 @@
 /*
+ * This implementation of ChaCha20 comes from the initial Dan Bernstein
+ * implementation, including a 256-bit key, a 64-bit nonce and a 64-bit
+ * counter.  This is in contrast to ChaCha20 as defined in RFC 7539, which
+ * defines a 256-bit key, a 96-bit nonce and a 32-bit counter. In particular,
+ * kernel crash dump encryption relies on the fact that our larger counter
+ * allows for the encryption of very large messages (many gigabytes in
+ * length); any change to this implementation that reduces the size of the
+ * counter should be mindful of this use case.
+ */
+
+/*
 chacha-merged.c version 20080118
 D. J. Bernstein
 Public domain.
 */
 
-/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
+/* $OpenBSD: chacha.c,v 1.1 2013/11/21 00:45:44 djm Exp $ */
 
-#include <chacha.h>
-#include <stddef.h>
+#include "chacha.h"
+#include <sys/stddef.h>
+#include <sys/null.h>
 
 typedef unsigned char u8;
 typedef unsigned int u32;
@@ -76,10 +88,10 @@ chacha_keysetup(chacha_ctx_t *x, const u8 *k, u32 kbits, u32 ivbits __unused)
 }
 
 void
-chacha_ivsetup(chacha_ctx_t *x, const u8 *iv)
+chacha_ivsetup(chacha_ctx_t *x,const u8 *iv, const u8 *counter)
 {
-  x->chacha_input[12] = 0;
-  x->chacha_input[13] = 0;
+  x->chacha_input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
+  x->chacha_input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
   x->chacha_input[14] = U8TO32_LITTLE(iv + 0);
   x->chacha_input[15] = U8TO32_LITTLE(iv + 4);
 }