Age | Commit message | Author |
|
to 3-term BSD license.
|
|
ok patrick@
|
|
and returned the error, which made the MI crypto code set the etype for
a second time. We still have to set etype after calling the MD process
function, as the callers of crypto_invoke() still expect error handling
to be shown through the etype. But at least now all MD crypto code does
not have to worry about that anymore. Once the callers are changed to
not look at etype anymore, we can get rid of it completely.
ok tobhe@
|
|
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.
Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().
ok bluhm@ mvs@ patrick@
|
|
algorithm is gone. Remove all LZS references from the tree. The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@
|
|
|
|
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.
ok patrick@ mvs@ bluhm@
|
|
void and remove error handling in the callers.
OK patrick@ mvs@
|
|
the callback was called, and sometimes both. So the caller of that
API could not release resources correctly.
A bunch of errors can or should not happen, replace them with an
assert. Remove redundant checks. crypto_invoke() should not return
the error, but pass it via callback.
Some old hardware drivers keep part of their inconsistency as I
cannot test them.
OK mpi@
|
|
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@
|
|
should not happen, but always check error conditions. tq is never
NULL, remove the check. tdb->tdb_odrops++ is not MP safe, but will
be addressed separately in ipsec_output_cb().
OK mvs@
|
|
struct.
ok bluhm@
|
|
OK mpi@ tobhe@
|
|
constant. Then they are mapped as read only.
OK deraadt@ dlg@
|
|
in crypto.c and annotate locking protection. Assert kernel lock
where needed. Remove dead code from crypto_get_driverid(). Move
crypto_init() prototype into header file.
OK mpi@
|
|
|
|
ok patrick@
|
|
that stops being normal C. the object type has to be sufficient, if it
needed larger alignment such a type or a union should be used instead.
(breaks landisk gcc, for one)
|
|
time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.
This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).
There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.
There is no performance cost on 64-bit (__LP64__) platforms.
With input from visa@, dlg@, and tedu@.
Several bugs squashed by visa@.
ok kettenis@
|
|
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
|
|
i think we should turn the chacha code into an actual c file at
some point to reduce duplication of object code, but that can happen
later.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
|
|
via Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
|
|
via Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
|
|
|
|
Timestamp contexts with a monotonic clock. time_second(9) can jump,
stretching or truncating our rekey interval. time_uptime(9) will not
jump around.
ok djm@
|
|
clearer what is being checked.
Original suggestion from kettenis@.
|
|
unregistering an invalid algorithm.
CID 1453298
ok kettenis@ (with suggested improvements to come)
|
|
ok visa@
|
|
OK visa@
|
|
gmac.c is left untouched for now to preserve layering.
OK mikeb@, deraadt@
|
|
OK millert; original commit message by tedu@:
memcpy from the right place. at this point, the used variable is not
relevant. from Mark Karpilovskij.
ok millert
|
|
is passed to the mutex implementation, and the queue actually runs
without the kernel lock.
Tested by dhill@
OK mikeb@, dhill@, kettenis@
|
|
|
|
implementation that it depends on currently isn't.
ok mikeb tom
|
|
Suffered by many, the revert tested by stsp@.
|
|
OK stsp@
|
|
|
|
ok djm
|
|
This introduces a 32-bit constant time AES implementation from
Thomas Pornin originally for BearSSL and then adjusted by Thomas
and myself to fit OpenBSD kernel. One of the additional features
is an API for encryption and decryption subkey expansion in the
format specified by NIST in FIPS 197.
Tested by myself and naddy@, ok djm@
|
|
the same bug as just fixed in userland:
----------
SipHash_Final() was assuming the digest was 64-bit aligned, resulting in
misaligned memory accesses with armv7 ramdisk -Os bsd.rd ping
ok florian millert
----------
OK deraadt@
|
|
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.
This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.
From, with and ok markus@, ok bluhm@
"looks sane" mpi@
|
|
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@
|
|
|
|
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
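Review bot: the rule only matches where `pool_setipl(pp, ipl);` directly follows `pool_init(pp, s, a, o, f, m, p);` on the same `pp`, so a caller that sets the IPL later, or never calls pool_setipl(), is left untouched. Because the argument count stays at seven, such a leftover call would not fail on arity and its old `o` value would now sit in the ipl position. Consider a second rule that reports every remaining `pool_init(pp, s, a, o, f, m, p)` not followed by pool_setipl(), so those sites get an explicit ipl chosen by hand.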
|
|
(in swcr_authenc())
ok mikeb@, who pointed out that I'd missed uio
|
|
CRYPTOCAP_F_MPSAFE flag that crypto implementations can set to indicate that
their cc_process() implementation can safely run without holding the kernel
lock.
ok mikeb@
|
|
accelerator drivers. No longer used by anything. ok sthen@ mikeb@
|
|
|
|
|
|
|