path: root/sys/crypto
Age | Commit message | Author
2023-02-03 | Remove redundant DIAGNOSTIC wrappers around KASSERT macros. | Miod Vallat
    From Crystal Kolipe.
2022-12-27 | Fix array bounds mismatch with clang 15 | Patrick Wildt
    New warning -Warray-parameter is a bit overzealous. ok millert@ tb@
2022-08-29 | static const, not const static | Jonathan Gray
    c99 6.11.5: "The placement of a storage-class specifier other than at the beginning of the declaration specifiers in a declaration is an obsolescent feature." ok miod@ tb@
2022-08-28 | remove unused blowfish inline defines | Jonathan Gray
    inline use was removed in 1998
2022-05-03 | Retire CRYPTO_F_MPSAFE, it is no longer of any use. The crypto framework | Claudio Jeker
    no longer uses a callback and so there is no need to define the callback as MPSAFE. OK bluhm@
2021-11-29 | Niels agreed to remove the advertising clause; switching these | Damien Miller
    to 3-term BSD license.
2021-10-24 | Remove crp_etype and return errors directly from crypto_invoke() | Tobias Heider
    ok patrick@
2021-10-24 | Stop setting etype in the MD crypto code. So far we have set the etype | Patrick Wildt
    and returned the error, which made the MI crypto code set the etype for a second time. We still have to set etype after calling the MD process function, as the callers of crypto_invoke() still expect error handling to be shown through the etype. But at least now all MD crypto code does not have to worry about that anymore. Once the callers are changed to not look at etype anymore, we can get rid of it completely. ok tobhe@
2021-10-23 | Retire asynchronous crypto API as it is no longer required by any driver and | Tobias Heider
    adds unnecessary complexity. Dedicated crypto offloading devices are not common anymore. Modern CPU crypto acceleration works synchronously, eliminating the need for callbacks. Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is blocking and only returns after the operation has completed or an error occurred. Invoke callback functions directly from the consumer (e.g. IPsec, softraid) instead of relying on the crypto driver to call crypto_done(). ok bluhm@ mvs@ patrick@
2021-10-22 | After deleting hifn(4) the only provider for the LZS compression | Alexander Bluhm
    algorithm is gone. Remove all LZS references from the tree. The v42bis in isakmpd also looks unsupported. OK mvs@ patrick@ sthen@
2021-10-21 | Remove more dead code related to crypto task queues. | Tobias Heider
2021-10-21 | Remove code to run crypto operations in a task queue. The code was | Tobias Heider
    not reachable because all callers had set the CRYPTO_F_NOQUEUE flag. ok patrick@ mvs@ bluhm@
2021-10-13 | The function crypto_dispatch() never returns an error. Make it | Alexander Bluhm
    void and remove error handling in the callers. OK patrick@ mvs@
2021-10-13 | The kernel crypto framework sometimes returned an error, sometimes | Alexander Bluhm
    the callback was called, and sometimes both. So the caller of that API could not release resources correctly. A bunch of errors can or should not happen, replace them with an assert. Remove redundant checks. crypto_invoke() should not return the error, but pass it via callback. Some old hardware drivers keep part of their inconsistency as I cannot test them. OK mpi@
2021-07-26 | Do not queue crypto operations for IPsec. The packet entries in | Alexander Bluhm
    task queues were unlimited and could overflow during heavy traffic. Even if we still use hardware drivers that sleep, softnet task instead of soft interrupt can handle this now. Without queues net lock is inherited and kernel lock is only needed once per packet. This results in less lock contention and faster IPsec. Also protect tdb drop counters with net lock and avoid a leak in crypto dispatch error handling. intense testing Hrvoje Popovski; OK mpi@
2021-07-21 | Propagate errors from crypto_invoke() and count them in IPsec. They | Alexander Bluhm
    should not happen, but always check error conditions. tq is never NULL, remove the check. tdb->tdb_odrops++ is not MP safe, but will be addressed separately in ipsec_output_cb(). OK mvs@
2021-07-09 | Remove unused `cc_koperations' and `cc_queued' members from 'cryptocap' | mvs
    struct. ok bluhm@
2021-07-09 | Use SLIST macro for cryptosoft sessions instead of hand rolled list. | Alexander Bluhm
    OK mpi@ tobhe@
2021-07-08 | The properties of the crypto algorithms never change. Declare them | Alexander Bluhm
    constant. Then they are mapped as read only. OK deraadt@ dlg@
2021-06-30 | Remove unused variable cryptodesc_pool. Document global variables | Alexander Bluhm
    in crypto.c and annotate locking protection. Assert kernel lock where needed. Remove dead code from crypto_get_driverid(). Move crypto_init() prototype into header file. OK mpi@
2021-03-12 | spelling | Jonathan Gray
2020-07-22 | Add missing CVS tags. | tobhe
    ok patrick@
2020-06-27 | don't try to expand alignment using __aligned(16) on local variables. | Theo de Raadt
    that stops being normal C. the object type has to be sufficient, if it needed larger alignment such a type or a union should be used instead. (breaks landisk gcc, for one)
2020-06-24 | kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9) | cheloha
    time_second(9) and time_uptime(9) are widely used in the kernel to quickly get the system UTC or system uptime as a time_t. However, time_t is 64-bit everywhere, so it is not generally safe to use them on 32-bit platforms: you have a split-read problem if your hardware cannot perform atomic 64-bit reads. This patch replaces time_second(9) with gettime(9), a safer successor interface, throughout the kernel. Similarly, time_uptime(9) is replaced with getuptime(9). There is a performance cost on 32-bit platforms in exchange for eliminating the split-read problem: instead of two register reads you now have a lockless read loop to pull the values from the timehands. This is really not *too* bad in the grand scheme of things, but compared to what we were doing before it is several times slower. There is no performance cost on 64-bit (__LP64__) platforms. With input from visa@, dlg@, and tedu@. Several bugs squashed by visa@. ok kettenis@
2020-06-21 | add constructions for wireguard. | David Gwynne
    from Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
2020-06-21 | add hchacha20 for wireguard. | David Gwynne
    i think we should turn the chacha code into an actual c file at some point to reduce duplication of object code, but that can happen later. from Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
2020-06-21 | curve25519 for wireguard. | David Gwynne
    via Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
2020-06-21 | add blake2s for wireguard. | David Gwynne
    via Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
2020-05-29 | rndvar.h not needed here | Theo de Raadt
2020-04-15 | idgen32(9): use time_uptime(9) for rekey timestamps, not time_second(9) | cheloha
    Timestamp contexts with a monotonic clock. time_second(9) can jump, stretching or truncating our rekey interval. time_uptime(9) will not jump around. ok djm@
2020-03-30 | Break crypto_unregister() sanity check into two expressions, making it | Kenneth R Westerback
    clearer what is being checked. Original suggestion from kettenis@.
2020-03-29 | Don't access past end of cc_alg[] when trying to avoid | Kenneth R Westerback
    unregistering an invalid algorithm. CID 1453298 ok kettenis@ (with suggested improvements to come)
2019-01-09 | free(9) sizes. | Martin Pieuchot
    ok visa@
2018-05-31 | Add sizes for free(). | Frederic Cambus
    OK visa@
2018-04-09 | Move some AES-related defines into xform.h to reduce duplication. | Visa Hankala
    gmac.c is left untouched for now to preserve layering. OK mikeb@, deraadt@
2018-01-05 | Sync with the code in libc | Mike Belopuhov
    OK millert; original commit message by tedu@: memcpy from the right place. at this point, the used variable is not relevant. from Mark Karpilovskij. ok millert
2017-11-30 | Fix the IPL and flags of the MP-safe crypto taskq. Now a sane IPL | Visa Hankala
    is passed to the mutex implementation, and the queue actually runs without the kernel lock. Tested by dhill@ OK mikeb@, dhill@, kettenis@
2017-08-10 | the userland crypto interface died long ago, can clean up the header | Ted Unangst
2017-05-31 | make the AES-XTS mode a little more constant-time, though the AES | Damien Miller
    implementation that it depends on currently isn't. ok mikeb tom
2017-05-17 | Revert MI AES-XTS code back to T-tables amid poor performance | Mike Belopuhov
    Suffered by many, the revert tested by stsp@.
2017-05-02 | Switch 802.11 crypto over to the new AES | Mike Belopuhov
    OK stsp@
2017-05-02 | Switch glxsb(4), VIA padlock and AES-NI drivers over to the new AES | Mike Belopuhov
2017-05-02 | Switch OCF and IPsec over to the new AES | Mike Belopuhov
    ok djm
2017-04-30 | Constant time AES implementation | Mike Belopuhov
    This introduces a 32-bit constant time AES implementation from Thomas Pornin originally for BearSSL and then adjusted by Thomas and myself to fit the OpenBSD kernel. One of the additional features is an API for encryption and decryption subkey expansion in the format specified by NIST in FIPS 197. Tested by myself and naddy@, ok djm@
2017-04-12 | The kernel has a slightly different version of SipHash_Final but with | Florian Obser
    the same bug as just fixed in userland: ---------- SipHash_Final() was assuming the digest was 64-bit aligned, resulting in misaligned memory accesses with armv7 ramdisk -Os bsd.rd ping ok florian millert ---------- OK deraadt@
2017-02-07 | Reduce the per-packet allocation costs for crypto operations (cryptop) | Patrick Wildt
    by pre-allocating two cryptodesc objects and storing them in an array instead of a linked list. If more than two cryptodesc objects are required use mallocarray to fetch them. Adapt the drivers to the new API. This change results in one pool-get per ESP packet instead of three. It also simplifies softraid crypto where more cryptodesc objects are allocated than used. From, with and ok markus@, ok bluhm@ "looks sane" mpi@
2017-02-07 | The return code of crp_callback is never checked, so it is not | Alexander Bluhm
    useful to propagate the error. When an error occurs in an asynchronous network path, incrementing a counter is the right thing. There are four places where an error is not accounted, just add a comment for now. OK mpi@ visa@
2016-09-19 | convert bcopy to memcpy. from david hill | Ted Unangst
2016-09-15 | all pools have their ipl set via pool_setipl, so fold it into pool_init. | David Gwynne
    the ioff argument to pool_init() is unused and has been for many years, so this replaces it with an ipl argument. because the ipl will be set on init we no longer need pool_setipl. most of these changes have been done with coccinelle using the spatch below. cocci sucks at formatting code though, so i fixed that by hand. the manpage and subr_pool.c bits i did myself. ok tedu@ jmatthew@

    @ipl@
    expression pp;
    expression ipl;
    expression s, a, o, f, m, p;
    @@
    -pool_init(pp, s, a, o, f, m, p);
    -pool_setipl(pp, ipl);
    +pool_init(pp, s, a, ipl, f, m, p);

2016-09-02 | Remove variables 'm' and 'uio' that are only ever assigned to | Tom Cosgrove
    (in swcr_authenc()) ok mikeb@, who pointed out that I'd missed uio