Age | Commit message (Collapse) | Author |
|
described in FIPS SP 800-38D.
This implementation supports 16 byte authentication tag only,
splitting transformation into two parts: encryption and
authentication. Encryption is handled by the existing
AES-CTR implementation, while authentication requires new
AES_GMAC hash function.
Additional routine is added to the software crypto driver
to deal with peculiarities of a combined authentication-
encryption transformation.
With suggestions from reyk, naddy and toby.
|
|
Move pool initialization to init_crypto and zap the crypto_pool_initialized
variable. This way we don't have to check if the pool are initialized every
time we do a crypto_getreq().
However, also perform the crypto initialisation earlier in init_main so
that the crypto pools are initialised before they are used.
ok mikeb@ thib@ deraadt@
|
|
init_crypto() being called from late in init_main(). In particular, this
breaks softraid crypto volumes that are assembled at boot.
No cookies for thib/mikeb!
"Back it out, right now" deraadt@
|
|
things things do
ok nicm
|
|
timingsafe_bcmp().
ok deraadt@; committed over WPA.
|
|
potentially up to 64KB, so we'll need something fancier than
dma_alloc().
|
|
The splvm protection is needed after all, as we are walking the list
of registered crypto drivers and doing that unprotected is unwise.
Pointed out by kettenis@
|
|
variable. This way we don't have to check if the pool are initialized every
time we do a crypto_getreq().
Move splvm lower as it isnt need all through crypto_newsession().
tiny KNF nit.
From mikeb
OK deraadt@
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
moved from a special kthread to workqs.
OK dlg@
|
|
and make the loop invartiants <= CRYPTO_ALGORITHM_MAX
Do this also for the CRK_ALGORITHM_MAX this also fixes
the a bug that caused us to skip CRK_DH_COMPUTE_KEY.
ok deraadt@
|
|
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt
|
|
IPL_NET. when the hardware finishes some work for the crypto subsystem
and therefore something in the kernel that wanted crypto done, it
calls crypto_done from that interrupt handler.
one of the things that uses crypto is ipsec. when crypto is done
for ipsec it then pushes the packet along the network stack. the
problem is that all the structures inside the network stack are
only protected at splsoftnet. we could be in the middle of modifications
to the pf state table or the pfsync queues when we get a hifn
interrupt and then go stomp on the same structures.
the solution is to defer the completions so they can do the right
spl protections.
this basically reverts r1.46 of src/sys/crypto/crypto.c.
found by naddy@
|
|
|
|
Userland version was already correct. From Jason Fritcher. OK deraadt@
|
|
|
|
iovec, not the correct one. It worked ok since iovcnt was always 1.
Since it's unlikely to be any other number, remove the loop and just add
the one length we care about.
"go ahead" deraadt@.
|
|
ok markus@ (quite some time ago)
|
|
tested by many on many archs including several alpha test.
ok tedu@ go for it deraadt@
|
|
|
|
and AES Key Wrap algorithms.
They will replace/extend the non-generic implementation in net80211.
AES-128-CMAC tested by sobrado@ (AlphaServer 1200),
naddy@ (alpha/sparc64) and sthen@ (sparc64, armish).
HMAC-* reviewed by hshoexer@
ok and hints from djm@
|
|
constraints.
|
|
|
|
near maximal (2^32) cycle times. These are useful for network
IDs in cases where there are negative consequences to ID prediction
and/or reuse.
Use the idgen32() functions to generate IPv6 IDs and NFS client/server
XIDs.
Pseudorandom permutation code in crypto/idgen.c based on public
domain skip32.c from Greg Rose.
feedback & ok thib@ deraadt@
|
|
|
|
XTS is a "tweaked" AES mode that has properties that are desirable
for block device encryption and it is specified in the IEEE
P1619-2007 standard for this purpose.
prodded by & ok hshoexer@
|
|
were already done
|
|
ok deraadt@
|
|
places. handle the no workq case here. ok deraadt
|
|
sys/netinet/in_pcb.c and sys/net/bridgestp.c ok henning@
sys/dev/pci/bktr/* ok jakemsr@
|
|
combined, this lets us use crypto before the thread is running
and therefore cryptoraid can attach nice and early.
ok/testing deraadt mbalmer marco
|
|
otherwise we call the callback twice; fixes panics on crypto errors as
seen on reboot; ok hshoexer
|
|
"MALLOC(*swd, ...)" vs. "swd = malloc(..."
ok millert
|
|
error spotting and ok krw@
|
|
Use (x & 0xff) rather than (x % 256) - compilers generate faster code.
Add arc4_getbytes function to extract raw keystream
ok markus@ tom@
|
|
to match.
ok deraadt@
|
|
the arc4 key stream.
rc4_skip(ctx, len);
is equivalent to:
u_int8_t dummy[len];
rc4_crypt(ctx, dummy, dummy, len);
except that is does not require storage space and that it saves
some cpu cycles.
ok deraadt@
|
|
also brings kernel sha1 more in line with userland;
discussed with miod@ and millert@;
|
|
ok djm and with a hint from henning
|
|
ok deraadt jason
|
|
|
|
how much blowfish takes at max, which is 72 bytes.
Also define a constant for this in the include file, suggested by ray@.
ok pedro@ thib@ tedu@
|
|
encryption accordingly. Makes NULL encryption useable with ESP.
Noticed by Martin Hedenfalk <martin.hedenfalk at gmail.com>.
ok markus@
|
|
|
|
ok pedro
|
|
ok deraadt
|
|
put one splx in a better spot. make a variable size MALLOC use malloc.
remove null test after malloc(M_WAITOK).
add PR_NOWAIT flag to pool_get instead of 0. change callbacks to correct type.
ok brad deraadt markus mickey
|
|
|
|
The MIC generates a weak 64bit digest protected by an additional key.
Obviously, this digest alg is required for future IEEE 802.11i/WPA
support.
test vectors passed on alpha amd64 mvme68k mvme88k sgi sparc sparc64 vax i386
ok djm@
|