summaryrefslogtreecommitdiff
path: root/sys/crypto
AgeCommit message (Collapse)Author
2010-04-20remove proc.h include from uvm_map.h. This has far reaching effects, asTed Unangst
sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt
2010-01-10Fix two bugs in IPsec/HMAC-SHA2:Markus Friedl
(1) use correct (message) block size of 128 byte (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits. WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec-implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt
2009-09-03crypto hardware (eg, hifn) establishes its interrupt handler atDavid Gwynne
IPL_NET. when the hardware finishes some work for the crypto subsystem and therefore something in the kernel that wanted crypto done, it calls crypto_done from that interrupt handler. one of the things that uses crypto is ipsec. when crypto is done for ipsec it then pushes the packet along the network stack. the problem is that all the structures inside the network stack are only protected at splsoftnet. we could be in the middle of modifications to the pf state table or the pfsync queues when we get a hifn interrupt and then go stomp on the same structures. the solution is to defer the completions so they can do the right spl protections. this basically reverts r1.46 of src/sys/crypto/crypto.c. found by naddy@
2009-08-17sizeof(ptr) -> sizeof(*ptr) as intended; ok djm@ millert@Miod Vallat
2009-07-05Buffer in RMD160_CTX is length RMD160_BLOCK_LENGTH not RMD160_DIGEST_LENGTH.Todd C. Miller
Userland version was already correct. From Jason Fritcher. OK deraadt@
2009-02-17variable no longer usedTheo de Raadt
2009-02-17The loop here preparing the uio always added the length of the firstOwain Ainsworth
iovec, not the correct one. It worked ok since iovcnt was always 1. Since it's unlikely to be any other number, remove the loop and just add the one length we care about. "go ahead" deraadt@.
2008-11-04Use defines for constants. Use __attribute__ bounded.Hans-Joerg Hoexer
ok markus@ (quite some time ago)
2008-10-30reintroduce mutexes to workqs for locking.David Gwynne
tested by many on many archs including several alpha test. ok tedu@ go for it deraadt@
2008-09-06match libc sha2(3) API changes for kernel; ok millert@Damien Miller
2008-08-12Implementation of the HMAC-MD5, HMAC-SHA1, HMAC-SHA256, AES-128-CMACDamien Bergamini
and AES Key Wrap algorithms. They will replace/extend the non-generic implementation in net80211. AES-128-CMAC tested by sobrado@ (AlphaServer 1200), naddy@ (alpha/sparc64) and sthen@ (sparc64, armish). HMAC-* reviewed by hshoexer@ ok and hints from djm@
2008-07-21gives this a chance to work on architectures with strict alignmentDamien Bergamini
constraints.
2008-06-25implement automatic time-based rekeying (every 10 minutes); ok deraadt@Damien Miller
2008-06-09Introduce a facility to generate unpredictable 32 bit numbers withDamien Miller
near maximal (2^32) cycle times. These are useful for network IDs in cases where there are negative consequences to ID prediction and/or reuse. Use the idgen32() functions to generate IPv6 IDs and NFS client/server XIDs. Pseudorandom permutation code in crypto/idgen.c based on public domain skip32.c from Greg Rose. feedback & ok thib@ deraadt@
2008-06-09add myself to copyrightDamien Miller
2008-06-09Implement the AES XTS mode of operation for the crypto(9) framework.Damien Miller
XTS is a "tweaked" AES mode that has properties that are desirable for block device encryption and it is specified in the IEEE P1619-2007 standard for this purpose. prodded by & ok hshoexer@
2008-06-09constify arguments in wrapper functions; the lower level functionsDamien Miller
were already done
2008-06-09rename arc4random_bytes => arc4random_buf to match libc's nicer name;Damien Miller
ok deraadt@
2007-11-28finish conversion to workq. remove list remnants, and put spl in the rightTed Unangst
places. handle the no workq case here. ok deraadt
2007-11-26typos; ok jmc@Martynas Venckus
sys/netinet/in_pcb.c and sys/net/bridgestp.c ok henning@ sys/dev/pci/bktr/* ok jakemsr@
2007-11-25convert crypto thread to workq. add WQ_DIRECTOK flag to workq.Ted Unangst
combined, this lets us use crypto before the thread is running and therefore cryptoraid can attach nice and early. ok/testing deraadt mbalmer marco
2007-11-14do not call crypto_done() on errors, since the drivers already do this.Markus Friedl
otherwise we call the callback twice; fixes panics on crypto errors as seen on reboot; ok hshoexer
2007-09-15fix error introduced by my previous commit:Hans-Joerg Hoexer
"MALLOC(*swd, ...)" vs. "swd = malloc(..." ok millert
2007-09-13Here too: Convert MALLOC/FREE to malloc/free and use M_ZERO where applicable.Hans-Joerg Hoexer
error spotting and ok krw@
2007-09-11Add __bounded__ attributes to prototypes.Damien Miller
Use (x & 0xff) rather than (x % 256) - compilers generate faster code. Add arc4_getbytes function to extract raw keystream ok markus@ tom@
2007-09-10Make the hmac ipad/opad globals "const" and fixup the crypto functionsHenric Jungheim
to match. ok deraadt@
2007-07-24add rc4_skip() function that can be used to discard bytes fromDamien Bergamini
the arc4 key stream. rc4_skip(ctx, len); is equivalent to: u_int8_t dummy[len]; rc4_crypt(ctx, dummy, dummy, len); except that is does not require storage space and that it saves some cpu cycles. ok deraadt@
2007-07-20unbreak landisk kernel sha1 by working around a compiler bug;Otto Moerbeek
also brings kernel sha1 more in line with userland; discussed with miod@ and millert@;
2007-05-27make the #defines in rijndael.h a bit more meaningfulTed Unangst
ok djm and with a hint from henning
2007-05-27make crp_buf a void *. caddr_t implies bufferness, it's not.Ted Unangst
ok deraadt jason
2007-04-10``it's'' -> ``its'' when the grammar gods require this change.Miod Vallat
2007-02-21Don't use arbitrary 128 bytes as size of the blf key array if we know exactlyAlexander von Gernler
how much blowfish takes at max, which is 72 bytes. Also define a constant for this in the include file, suggested by ray@. ok pedro@ thib@ tedu@
2007-02-19minimum blocksize for ESP is 32 bit, so adjust blocksize of NULLHans-Joerg Hoexer
encryption accordingly. Makes NULL encryption useable with ESP. Noticed by Martin Hedenfalk <martin.hedenfalk at gmail.com>. ok markus@
2006-12-29Avoid void * arithmetic, okay deraadt@, suggestions from millert@Pedro Martelletto
2006-11-19typo; from bret lambertJason McIntyre
ok pedro
2006-10-25pr5274 fix localhost dos with oversized valuesTed Unangst
ok deraadt
2006-05-31remove some silly casts. put spl calls after all declarations.Ted Unangst
put one splx in a better spot. make a variable size MALLOC use malloc. remove null test after malloc(M_WAITOK). add PR_NOWAIT flag to pool_get instead of 0. change callbacks to correct type. ok brad deraadt markus mickey
2006-03-23kill evil \r; from cedricMichael Shalayeff
2006-03-21Implementation of the Michael MIC as defined in IEEE 802.11i for TKIP.Reyk Floeter
The MIC generates a weak 64bit digest protected by an additional key. Obviously, this digest alg is required for future IEEE 802.11i/WPA support. test vectors passed on alpha amd64 mvme68k mvme88k sgi sparc sparc64 vax i386 ok djm@
2006-03-04splimp -> splvmBrad Smith
ok miod@
2005-08-18do not allow 0-length transforms; from freebsdTheo de Raadt
2005-06-13get rid of ifdef MSDOS, no binary changeHans-Joerg Hoexer
ok markus@
2005-05-25AESCTR support for ESP (RFC 3686); ok hshoexerMarkus Friedl
2005-05-10support NULL encryption for ESP; ok hshoexer, hoMarkus Friedl
2005-05-02simplify by using arc4random_bytes(), ok djm, hshoexerMarkus Friedl
2005-03-24major knfHans-Joerg Hoexer
fix spelling in comment, by rohee@ no binary change ok deraadt@
2005-03-24ansi and tiny knfHans-Joerg Hoexer
ok deraadt@
2004-12-21Don't use crypto thread for callbacks.Marco Pfatschbacher
This primarily improves IPsec performance when using crypto accelerators. With help from markus@, tested by wvdputte@. ok deraadt@, markus@
2004-12-20Allow the setkey function of a transform to fail, eg. when an insufficientHans-Joerg Hoexer
number of key bits is supplied. Only AES and DES/3DES might fail. ok and help markus@
2004-12-15minimum key length of aes is 128 bit, not 64.Hans-Joerg Hoexer
ok markus