path: root/sys/crypto
Date        Author
    Commit message
2010-09-22  Mike Belopuhov
    OCF support for the Galois/Counter Mode (GCM) for AES as described in FIPS SP 800-38D. This implementation supports a 16 byte authentication tag only, splitting the transformation into two parts: encryption and authentication. Encryption is handled by the existing AES-CTR implementation, while authentication requires a new AES_GMAC hash function. An additional routine is added to the software crypto driver to deal with peculiarities of a combined authentication-encryption transformation. With suggestions from reyk, naddy and toby.
2010-09-08  Joel Sing
    Reintroduce most of crypto/crypto.c r1.55: Move pool initialization to init_crypto and zap the crypto_pool_initialized variable. This way we don't have to check if the pools are initialized every time we do a crypto_getreq(). However, also perform the crypto initialisation earlier in init_main so that the crypto pools are initialised before they are used. ok mikeb@ thib@ deraadt@
2010-08-08  Joel Sing
    Backout r1.55 since this breaks anything which does crypto ops prior to init_crypto() being called from late in init_main(). In particular, this breaks softraid crypto volumes that are assembled at boot. No cookies for thib/mikeb! "Back it out, right now" deraadt@
2010-07-21  Theo de Raadt
    No need for read/write functions, just use enodev like all the other things do. ok nicm
2010-07-20  Matthew Dempsky
    Switch some obvious network stack MAC comparisons from bcmp() to timingsafe_bcmp(). ok deraadt@; committed over WPA.
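The point of the commit above is that a bcmp()-style compare stops at the first mismatching byte, so its running time tells an attacker how long the matching prefix of a secret MAC is. The following is an added example, not the kernel's own timingsafe_bcmp() source: a constant-time compare written in its spirit, the early-exit pattern it replaces, and an instrumented helper (the names ct_bcmp, early_exit_bcmp, bytes_read and mac_ok, and the constructed 16-byte MACs, are this example's own) that counts how many bytes each variant reads.

```c
#include <stddef.h>

#define MAC_LEN 16

/*
 * Constant-time comparison modelled on OpenBSD's timingsafe_bcmp(3).
 * Added example for illustration, not the kernel's own source.
 * Every byte is visited and the per-byte differences are OR-ed together,
 * so the number of bytes read (and hence the running time) does not
 * depend on where the first mismatch is. Returns 0 if equal, non-zero
 * otherwise; like bcmp() it reveals nothing about ordering.
 *
 * 'touched' (instrumentation only) receives the number of bytes read.
 */
int
ct_bcmp(const void *b1, const void *b2, size_t n, size_t *touched)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= (unsigned char)(p1[i] ^ p2[i]);
	if (touched != NULL)
		*touched = n;
	return diff != 0;
}

/*
 * The pattern the commit replaces: a bcmp()/memcmp()-style early exit.
 * The number of bytes inspected is the length of the matching prefix
 * plus one, so an attacker who can time the check against a secret MAC
 * can recover it one byte at a time.
 */
int
early_exit_bcmp(const void *b1, const void *b2, size_t n, size_t *touched)
{
	const unsigned char *p1 = b1, *p2 = b2;
	size_t i;

	for (i = 0; i < n; i++) {
		if (p1[i] != p2[i]) {
			if (touched != NULL)
				*touched = i + 1;
			return 1;
		}
	}
	if (touched != NULL)
		*touched = n;
	return 0;
}

/*
 * Constructed pair of 16-byte MACs that differ only at index mismatch_at
 * (mismatch_at >= MAC_LEN means they are equal).
 */
static void
build_pair(unsigned char *expected, unsigned char *received, size_t mismatch_at)
{
	size_t i;

	for (i = 0; i < MAC_LEN; i++)
		expected[i] = received[i] = (unsigned char)(0xa5 ^ i);
	if (mismatch_at < MAC_LEN)
		received[mismatch_at] ^= 0x01;
}

/* How many bytes does each comparison read for that pair? */
size_t
bytes_read(int constant_time, size_t mismatch_at)
{
	unsigned char expected[MAC_LEN], received[MAC_LEN];
	size_t touched = 0;

	build_pair(expected, received, mismatch_at);
	if (constant_time)
		(void)ct_bcmp(expected, received, MAC_LEN, &touched);
	else
		(void)early_exit_bcmp(expected, received, MAC_LEN, &touched);
	return touched;
}

/* Verify a received MAC; the constant-time compare is the only one to use. */
int
mac_ok(const unsigned char *expected, const unsigned char *received)
{
	return ct_bcmp(expected, received, MAC_LEN, NULL) == 0;
}

/* 1 if the constructed pair verifies, 0 if it is rejected. */
int
mac_check_demo(size_t mismatch_at)
{
	unsigned char expected[MAC_LEN], received[MAC_LEN];

	build_pair(expected, received, mismatch_at);
	return mac_ok(expected, received);
}
```

With a mismatch at byte 2 the early-exit compare reads 3 bytes while the constant-time one always reads all 16; that difference in work is exactly the signal the commit removes from the network stack's MAC checks.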
2010-07-20  Matthew Dempsky
    Mark a DMA accessible malloc for later correction. This is potentially up to 64KB, so we'll need something fancier than dma_alloc().
2010-07-08  Thordur I. Bjornsson
    Revert part of previous. The splvm protection is needed after all, as we are walking the list of registered crypto drivers and doing that unprotected is unwise. Pointed out by kettenis@
2010-07-08  Thordur I. Bjornsson
    Move pool initialization to init_crypto and zap the crypto_pool_initialized variable. This way we don't have to check if the pools are initialized every time we do a crypto_getreq(). Move splvm lower as it isn't needed all through crypto_newsession(). Tiny KNF nit. From mikeb OK deraadt@
2010-07-02  Bret Lambert
    m_copyback can fail to allocate memory, but is a void function so gymnastics are required to detect that. Change the function to take a wait argument (used in nfs server, but M_NOWAIT everywhere else for now) and to return an error. ok claudio@ henning@ krw@
2010-06-23  Thordur I. Bjornsson
    Zap a dead prototype, crypto_thread(); leftover since crypto was moved from a special kthread to workqs. OK dlg@
2010-06-09  Thordur I. Bjornsson
    Remove the CRYPTO_ALGORITHM_ALL define, fixup accordingly and make the loop invariants <= CRYPTO_ALGORITHM_MAX. Do this also for the CRK_ALGORITHM_MAX; this also fixes a bug that caused us to skip CRK_DH_COMPUTE_KEY. ok deraadt@
2010-04-20  Ted Unangst
    remove proc.h include from uvm_map.h. This has far reaching effects, as sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt
2010-01-10  Markus Friedl
    Fix two bugs in IPsec/HMAC-SHA2: (1) use correct (message) block size of 128 byte (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits. WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec-implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt
2009-09-03  David Gwynne
    crypto hardware (eg, hifn) establishes its interrupt handler at IPL_NET. when the hardware finishes some work for the crypto subsystem and therefore something in the kernel that wanted crypto done, it calls crypto_done from that interrupt handler. one of the things that uses crypto is ipsec. when crypto is done for ipsec it then pushes the packet along the network stack. the problem is that all the structures inside the network stack are only protected at splsoftnet. we could be in the middle of modifications to the pf state table or the pfsync queues when we get a hifn interrupt and then go stomp on the same structures. the solution is to defer the completions so they can do the right spl protections. this basically reverts r1.46 of src/sys/crypto/crypto.c. found by naddy@
2009-08-17  Miod Vallat
    sizeof(ptr) -> sizeof(*ptr) as intended; ok djm@ millert@
2009-07-05  Todd C. Miller
    Buffer in RMD160_CTX is length RMD160_BLOCK_LENGTH not RMD160_DIGEST_LENGTH. Userland version was already correct. From Jason Fritcher. OK deraadt@
2009-02-17  Theo de Raadt
    variable no longer used
2009-02-17  Owain Ainsworth
    The loop here preparing the uio always added the length of the first iovec, not the correct one. It worked ok since iovcnt was always 1. Since it's unlikely to be any other number, remove the loop and just add the one length we care about. "go ahead" deraadt@.
2008-11-04  Hans-Joerg Hoexer
    Use defines for constants. Use __attribute__ bounded. ok markus@ (quite some time ago)
2008-10-30  David Gwynne
    reintroduce mutexes to workqs for locking. tested by many on many archs including several alpha test. ok tedu@ go for it deraadt@
2008-09-06  Damien Miller
    match libc sha2(3) API changes for kernel; ok millert@
2008-08-12  Damien Bergamini
    Implementation of the HMAC-MD5, HMAC-SHA1, HMAC-SHA256, AES-128-CMAC and AES Key Wrap algorithms. They will replace/extend the non-generic implementation in net80211. AES-128-CMAC tested by sobrado@ (AlphaServer 1200), naddy@ (alpha/sparc64) and sthen@ (sparc64, armish). HMAC-* reviewed by hshoexer@ ok and hints from djm@
2008-07-21  Damien Bergamini
    gives this a chance to work on architectures with strict alignment constraints.
2008-06-25  Damien Miller
    implement automatic time-based rekeying (every 10 minutes); ok deraadt@
2008-06-09  Damien Miller
    Introduce a facility to generate unpredictable 32 bit numbers with near maximal (2^32) cycle times. These are useful for network IDs in cases where there are negative consequences to ID prediction and/or reuse. Use the idgen32() functions to generate IPv6 IDs and NFS client/server XIDs. Pseudorandom permutation code in crypto/idgen.c based on public domain skip32.c from Greg Rose. feedback & ok thib@ deraadt@
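The construction the commit describes is a counter fed through a keyed pseudorandom permutation: because a permutation is a bijection, the IDs cannot repeat before the counter wraps, and without the key the sequence is unpredictable. The example below is added for illustration and is not the kernel's idgen32/skip32 code. It is a toy Feistel network over a 2*w-bit domain with a round function that is an assumption chosen for mixing only (no cryptographic pedigree, so do not use it for real IDs); the names feistel_encrypt, feistel_decrypt, struct idgen and idgen_next, and the constructed keys, are this example's own. The permutation property is checked exhaustively on a 16-bit domain (w = 8) because that is cheap to verify; the generator itself uses w = 16 for 32-bit IDs.

```c
#include <stdint.h>
#include <string.h>

#define FEISTEL_ROUNDS 8

/* Assumed keyed mixing function, masked to w bits. Not skip32. */
static uint32_t
round_fn(uint32_t x, uint32_t k, unsigned w)
{
	uint32_t v = (x + k) * 0x9e3779b1U;

	v ^= v >> 15;
	v *= 0x85ebca6bU;
	v ^= v >> 13;
	return v & ((1U << w) - 1);
}

/*
 * Feistel permutation over a 2*w-bit value (w in 1..16). Each round
 * replaces (l, r) with (r, l ^ F(r, k_i)); that step is invertible no
 * matter what F does, so the whole network is a bijection.
 */
uint32_t
feistel_encrypt(uint32_t in, const uint32_t key[FEISTEL_ROUNDS], unsigned w)
{
	uint32_t mask = (1U << w) - 1;
	uint32_t l = (in >> w) & mask, r = in & mask, t;
	int i;

	for (i = 0; i < FEISTEL_ROUNDS; i++) {
		t = r;
		r = l ^ round_fn(r, key[i], w);
		l = t;
	}
	return (l << w) | r;
}

/* Inverse: undo the rounds in reverse order. */
uint32_t
feistel_decrypt(uint32_t in, const uint32_t key[FEISTEL_ROUNDS], unsigned w)
{
	uint32_t mask = (1U << w) - 1;
	uint32_t l = (in >> w) & mask, r = in & mask, t;
	int i;

	for (i = FEISTEL_ROUNDS - 1; i >= 0; i--) {
		t = l;
		l = r ^ round_fn(l, key[i], w);
		r = t;
	}
	return (l << w) | r;
}

struct idgen {
	uint32_t key[FEISTEL_ROUNDS];
	uint32_t offset;   /* random start so IDs do not begin at E(0) */
	uint32_t counter;  /* IDs handed out so far */
};

void
idgen_init(struct idgen *g, const uint32_t key[FEISTEL_ROUNDS], uint32_t offset)
{
	memcpy(g->key, key, sizeof(g->key));
	g->offset = offset;
	g->counter = 0;
}

/*
 * Next 32-bit ID: the permutation of (offset + counter). A production
 * generator would rekey before the counter wraps; this toy just lets it
 * wrap, so the cycle is exactly 2^32.
 */
uint32_t
idgen_next(struct idgen *g)
{
	uint32_t id = feistel_encrypt(g->offset + g->counter, g->key, 16);

	g->counter++;
	return id;
}

static const uint32_t demo_key[FEISTEL_ROUNDS] = {   /* constructed key */
	0x1f2e3d4c, 0x5b6a7988, 0x97a6b5c4, 0xd3e2f100,
	0x0f1e2d3c, 0x4b5a6978, 0x8796a5b4, 0xc3d2e1f0
};

/* Exhaustive check on the 16-bit domain: every output seen once and
 * decrypt(encrypt(x)) == x for all x. */
int
feistel_is_permutation_16bit(void)
{
	static uint8_t seen[65536 / 8];
	uint32_t x, y;

	memset(seen, 0, sizeof(seen));
	for (x = 0; x < 65536; x++) {
		y = feistel_encrypt(x, demo_key, 8);
		if (y >= 65536 || (seen[y >> 3] & (1U << (y & 7))))
			return 0;
		seen[y >> 3] |= (uint8_t)(1U << (y & 7));
		if (feistel_decrypt(y, demo_key, 8) != x)
			return 0;
	}
	return 1;
}

/* The first n IDs (n <= 4096) from a fresh generator are pairwise distinct. */
int
idgen_first_n_distinct(unsigned n)
{
	static uint32_t ids[4096];
	struct idgen g;
	unsigned i, j;

	if (n > 4096)
		return 0;
	idgen_init(&g, demo_key, 0xdeadbeefU);
	for (i = 0; i < n; i++)
		ids[i] = idgen_next(&g);
	for (i = 0; i < n; i++)
		for (j = i + 1; j < n; j++)
			if (ids[i] == ids[j])
				return 0;
	return 1;
}
```

The bijection check is what makes the "near maximal cycle" claim concrete: uniqueness of the IDs follows from the permutation, not from the quality of the round function, while unpredictability is entirely the round function's job, which is why the kernel uses a real cipher (skip32) there rather than a mixing function like this one.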
2008-06-09  Damien Miller
    add myself to copyright
2008-06-09  Damien Miller
    Implement the AES XTS mode of operation for the crypto(9) framework. XTS is a "tweaked" AES mode that has properties that are desirable for block device encryption and it is specified in the IEEE P1619-2007 standard for this purpose. prodded by & ok hshoexer@
2008-06-09  Damien Miller
    constify arguments in wrapper functions; the lower level functions were already done
2008-06-09  Damien Miller
    rename arc4random_bytes => arc4random_buf to match libc's nicer name; ok deraadt@
2007-11-28  Ted Unangst
    finish conversion to workq. remove list remnants, and put spl in the right places. handle the no workq case here. ok deraadt
2007-11-26  Martynas Venckus
    typos; ok jmc@ sys/netinet/in_pcb.c and sys/net/bridgestp.c ok henning@ sys/dev/pci/bktr/* ok jakemsr@
2007-11-25  Ted Unangst
    convert crypto thread to workq. add WQ_DIRECTOK flag to workq. combined, this lets us use crypto before the thread is running and therefore cryptoraid can attach nice and early. ok/testing deraadt mbalmer marco
2007-11-14  Markus Friedl
    do not call crypto_done() on errors, since the drivers already do this. otherwise we call the callback twice; fixes panics on crypto errors as seen on reboot; ok hshoexer
2007-09-15  Hans-Joerg Hoexer
    fix error introduced by my previous commit: "MALLOC(*swd, ...)" vs. "swd = malloc(..." ok millert
2007-09-13  Hans-Joerg Hoexer
    Here too: Convert MALLOC/FREE to malloc/free and use M_ZERO where applicable. error spotting and ok krw@
2007-09-11  Damien Miller
    Add __bounded__ attributes to prototypes. Use (x & 0xff) rather than (x % 256) - compilers generate faster code. Add arc4_getbytes function to extract raw keystream ok markus@ tom@
2007-09-10  Henric Jungheim
    Make the hmac ipad/opad globals "const" and fixup the crypto functions to match. ok deraadt@
2007-07-24  Damien Bergamini
    add rc4_skip() function that can be used to discard bytes from the arc4 key stream. rc4_skip(ctx, len); is equivalent to: u_int8_t dummy[len]; rc4_crypt(ctx, dummy, dummy, len); except that it does not require storage space and that it saves some cpu cycles. ok deraadt@
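To make the equivalence stated in the commit concrete, here is an added example (not the sys/crypto arc4 code; the names rc4_keysetup, rc4_crypt, rc4_skip and the sample keys and messages are this example's own): a minimal RC4 with a skip routine that advances the keystream generator without touching a buffer, a known-answer check, and a function that confirms rc4_skip() leaves the state exactly where rc4_crypt() over a dummy buffer would. RC4 is broken as a cipher; the point here is the API shape, and in particular that discarding the biased initial keystream bytes costs no memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct rc4_ctx {
	uint8_t state[256];
	uint8_t x, y;
};

/* Key scheduling (KSA). */
void
rc4_keysetup(struct rc4_ctx *ctx, const uint8_t *key, size_t keylen)
{
	unsigned int i;
	uint8_t j = 0, t;

	for (i = 0; i < 256; i++)
		ctx->state[i] = (uint8_t)i;
	for (i = 0; i < 256; i++) {
		j = (uint8_t)(j + ctx->state[i] + key[i % keylen]);
		t = ctx->state[i];
		ctx->state[i] = ctx->state[j];
		ctx->state[j] = t;
	}
	ctx->x = ctx->y = 0;
}

/* One keystream byte (PRGA step); advances the state. */
static uint8_t
rc4_next(struct rc4_ctx *ctx)
{
	uint8_t t;

	ctx->x = (uint8_t)(ctx->x + 1);
	ctx->y = (uint8_t)(ctx->y + ctx->state[ctx->x]);
	t = ctx->state[ctx->x];
	ctx->state[ctx->x] = ctx->state[ctx->y];
	ctx->state[ctx->y] = t;
	return ctx->state[(uint8_t)(ctx->state[ctx->x] + ctx->state[ctx->y])];
}

/* XOR len bytes of keystream into src, writing dst (may alias src). */
void
rc4_crypt(struct rc4_ctx *ctx, const uint8_t *src, uint8_t *dst, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		dst[i] = src[i] ^ rc4_next(ctx);
}

/*
 * Discard len keystream bytes. Same state transition as rc4_crypt()
 * over a len-byte dummy buffer, with no buffer and no XOR/store work.
 * This is how callers drop the biased initial output ("RC4-drop[n]").
 */
void
rc4_skip(struct rc4_ctx *ctx, size_t len)
{
	while (len-- > 0)
		(void)rc4_next(ctx);
}

/* Known answer: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3. */
int
rc4_kat_ok(void)
{
	static const uint8_t key[] = { 'K', 'e', 'y' };
	static const uint8_t pt[] = { 'P','l','a','i','n','t','e','x','t' };
	static const uint8_t want[] =
	    { 0xbb,0xf3,0x16,0xe8,0xd9,0x40,0xaf,0x0a,0xd3 };
	uint8_t ct[sizeof(pt)];
	struct rc4_ctx ctx;

	rc4_keysetup(&ctx, key, sizeof(key));
	rc4_crypt(&ctx, pt, ct, sizeof(pt));
	return memcmp(ct, want, sizeof(want)) == 0;
}

/*
 * Skip 'skip' bytes two ways (rc4_skip vs. rc4_crypt over a dummy
 * buffer), then encrypt a constructed message with both contexts and
 * compare. Returns 1 if the results agree.
 */
int
rc4_skip_matches_dummy(size_t skip)
{
	static const uint8_t key[] = { 's','a','m','p','l','e','-','k','e','y' };
	static const uint8_t msg[] = "constructed test message";
	uint8_t dummy[4096], out_skip[sizeof(msg)], out_dummy[sizeof(msg)];
	struct rc4_ctx a, b;

	if (skip > sizeof(dummy))
		return 0;
	memset(dummy, 0, sizeof(dummy));
	rc4_keysetup(&a, key, sizeof(key));
	rc4_keysetup(&b, key, sizeof(key));
	rc4_skip(&a, skip);                    /* the new way */
	rc4_crypt(&b, dummy, dummy, skip);     /* the buffer-based way */
	rc4_crypt(&a, msg, out_skip, sizeof(msg));
	rc4_crypt(&b, msg, out_dummy, sizeof(msg));
	return memcmp(out_skip, out_dummy, sizeof(msg)) == 0;
}
```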
2007-07-20  Otto Moerbeek
    unbreak landisk kernel sha1 by working around a compiler bug; also brings kernel sha1 more in line with userland; discussed with miod@ and millert@;
2007-05-27  Ted Unangst
    make the #defines in rijndael.h a bit more meaningful. ok djm and with a hint from henning
2007-05-27  Ted Unangst
    make crp_buf a void *. caddr_t implies bufferness, it's not. ok deraadt jason
2007-04-10  Miod Vallat
    ``it's'' -> ``its'' when the grammar gods require this change.
2007-02-21  Alexander von Gernler
    Don't use arbitrary 128 bytes as size of the blf key array if we know exactly how much blowfish takes at max, which is 72 bytes. Also define a constant for this in the include file, suggested by ray@. ok pedro@ thib@ tedu@
2007-02-19  Hans-Joerg Hoexer
    minimum blocksize for ESP is 32 bit, so adjust blocksize of NULL encryption accordingly. Makes NULL encryption usable with ESP. Noticed by Martin Hedenfalk <martin.hedenfalk at gmail.com>. ok markus@
2006-12-29  Pedro Martelletto
    Avoid void * arithmetic, okay deraadt@, suggestions from millert@
2006-11-19  Jason McIntyre
    typo; from bret lambert ok pedro
2006-10-25  Ted Unangst
    pr5274 fix localhost dos with oversized values ok deraadt
2006-05-31  Ted Unangst
    remove some silly casts. put spl calls after all declarations. put one splx in a better spot. make a variable size MALLOC use malloc. remove null test after malloc(M_WAITOK). add PR_NOWAIT flag to pool_get instead of 0. change callbacks to correct type. ok brad deraadt markus mickey
2006-03-23  Michael Shalayeff
    kill evil \r; from cedric
2006-03-21  Reyk Floeter
    Implementation of the Michael MIC as defined in IEEE 802.11i for TKIP. The MIC generates a weak 64bit digest protected by an additional key. Obviously, this digest alg is required for future IEEE 802.11i/WPA support. test vectors passed on alpha amd64 mvme68k mvme88k sgi sparc sparc64 vax i386 ok djm@