Age | Commit message | Author |
|
and make the loop invariants <= CRYPTO_ALGORITHM_MAX
Do this also for the CRK_ALGORITHM_MAX; this also fixes
a bug that caused us to skip CRK_DH_COMPUTE_KEY.
ok deraadt@
|
|
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt
|
|
IPL_NET. when the hardware finishes some work for the crypto subsystem
and therefore something in the kernel that wanted crypto done, it
calls crypto_done from that interrupt handler.
one of the things that uses crypto is ipsec. when crypto is done
for ipsec it then pushes the packet along the network stack. the
problem is that all the structures inside the network stack are
only protected at splsoftnet. we could be in the middle of modifications
to the pf state table or the pfsync queues when we get a hifn
interrupt and then go stomp on the same structures.
the solution is to defer the completions so they can do the right
spl protections.
this basically reverts r1.46 of src/sys/crypto/crypto.c.
found by naddy@
|
|
|
|
Userland version was already correct. From Jason Fritcher. OK deraadt@
|
|
|
|
iovec, not the correct one. It worked ok since iovcnt was always 1.
Since it's unlikely to be any other number, remove the loop and just add
the one length we care about.
"go ahead" deraadt@.
|
|
ok markus@ (quite some time ago)
|
|
tested by many on many archs including several alpha tests.
ok tedu@ go for it deraadt@
|
|
|
|
and AES Key Wrap algorithms.
They will replace/extend the non-generic implementation in net80211.
AES-128-CMAC tested by sobrado@ (AlphaServer 1200),
naddy@ (alpha/sparc64) and sthen@ (sparc64, armish).
HMAC-* reviewed by hshoexer@
ok and hints from djm@
|
|
constraints.
|
|
|
|
near maximal (2^32) cycle times. These are useful for network
IDs in cases where there are negative consequences to ID prediction
and/or reuse.
Use the idgen32() functions to generate IPv6 IDs and NFS client/server
XIDs.
Pseudorandom permutation code in crypto/idgen.c based on public
domain skip32.c from Greg Rose.
feedback & ok thib@ deraadt@
|
|
|
|
XTS is a "tweaked" AES mode that has properties that are desirable
for block device encryption and it is specified in the IEEE
P1619-2007 standard for this purpose.
prodded by & ok hshoexer@
|
|
were already done
|
|
ok deraadt@
|
|
places. handle the no workq case here. ok deraadt
|
|
sys/netinet/in_pcb.c and sys/net/bridgestp.c ok henning@
sys/dev/pci/bktr/* ok jakemsr@
|
|
combined, this lets us use crypto before the thread is running
and therefore cryptoraid can attach nice and early.
ok/testing deraadt mbalmer marco
|
|
otherwise we call the callback twice; fixes panics on crypto errors as
seen on reboot; ok hshoexer
|
|
"MALLOC(*swd, ...)" vs. "swd = malloc(..."
ok millert
|
|
error spotting and ok krw@
|
|
Use (x & 0xff) rather than (x % 256) - compilers generate faster code.
Add arc4_getbytes function to extract raw keystream
ok markus@ tom@
|
|
to match.
ok deraadt@
|
|
the arc4 key stream.
rc4_skip(ctx, len);
is equivalent to:
u_int8_t dummy[len];
rc4_crypt(ctx, dummy, dummy, len);
except that it does not require storage space and that it saves
some cpu cycles.
ok deraadt@
|
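The rc4_skip()/rc4_crypt() equivalence stated in the commit message above, worked through as an added example. This is illustration code written for this page, not OpenBSD's sys/crypto/arc4.c: the struct and function names (rc4_ctx, rc4_keysetup, rc4_byte, rc4_crypt, rc4_skip), the fixed-size dummy buffer in place of the commit's VLA, and the test key "Key" are assumptions chosen here. The known-answer check uses the widely published RC4 vector (key "Key", plaintext "Plaintext", ciphertext BBF316E8D940AF0AD3), and the last function goes slightly beyond the commit message by using the skip to seek to an arbitrary keystream offset.

```c
/* Added example: RC4 keystream with a skip operation, mirroring the
 * relationship described in the commit message. Names are chosen for
 * this example and are not OpenBSD's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct rc4_ctx {
    uint8_t state[256];
    uint8_t x, y;
};

/* Key-scheduling algorithm (KSA). */
static void rc4_keysetup(struct rc4_ctx *ctx, const uint8_t *key, size_t klen)
{
    uint8_t j = 0, t;
    int i;
    for (i = 0; i < 256; i++)
        ctx->state[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (uint8_t)(j + ctx->state[i] + key[i % klen]);
        t = ctx->state[i]; ctx->state[i] = ctx->state[j]; ctx->state[j] = t;
    }
    ctx->x = 0;
    ctx->y = 0;
}

/* Produce the next keystream byte (PRGA); this is the only state change. */
static uint8_t rc4_byte(struct rc4_ctx *ctx)
{
    uint8_t t;
    ctx->x = (uint8_t)(ctx->x + 1);
    ctx->y = (uint8_t)(ctx->y + ctx->state[ctx->x]);
    t = ctx->state[ctx->x]; ctx->state[ctx->x] = ctx->state[ctx->y]; ctx->state[ctx->y] = t;
    return ctx->state[(uint8_t)(ctx->state[ctx->x] + ctx->state[ctx->y])];
}

/* XOR len bytes of src with keystream into dst (src and dst may alias). */
static void rc4_crypt(struct rc4_ctx *ctx, const uint8_t *src, uint8_t *dst, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        dst[i] = src[i] ^ rc4_byte(ctx);
}

/* Discard len keystream bytes without needing any buffer at all. */
static void rc4_skip(struct rc4_ctx *ctx, size_t len)
{
    while (len--)
        (void)rc4_byte(ctx);
}

/* Returns 1 when rc4_skip(ctx, skip) leaves the cipher in exactly the state
 * that rc4_crypt(ctx, dummy, dummy, skip) would, for the constructed key "Key". */
int rc4_skip_matches_dummy_crypt(size_t skip)
{
    static const uint8_t key[] = "Key";        /* constructed test key */
    static const uint8_t msg[] = "Plaintext";  /* constructed test message */
    uint8_t dummy[256];
    uint8_t out_a[sizeof msg - 1], out_b[sizeof msg - 1];
    struct rc4_ctx a, b;

    if (skip > sizeof dummy)
        return 0;
    rc4_keysetup(&a, key, 3);
    rc4_keysetup(&b, key, 3);
    rc4_skip(&a, skip);                    /* the bufferless form */
    memset(dummy, 0, sizeof dummy);
    rc4_crypt(&b, dummy, dummy, skip);     /* the dummy-buffer form */
    rc4_crypt(&a, msg, out_a, sizeof out_a);
    rc4_crypt(&b, msg, out_b, sizeof out_b);
    return memcmp(out_a, out_b, sizeof out_a) == 0 &&
        memcmp(a.state, b.state, sizeof a.state) == 0 &&
        a.x == b.x && a.y == b.y;
}

/* Known-answer check against the published vector:
 * key "Key", plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF 0A D3. */
int rc4_known_answer(void)
{
    static const uint8_t key[] = "Key";
    static const uint8_t msg[] = "Plaintext";
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t out[9];
    struct rc4_ctx c;
    rc4_keysetup(&c, key, 3);
    rc4_crypt(&c, msg, out, sizeof out);
    return memcmp(out, expect, sizeof out) == 0;
}

/* Seek to an arbitrary keystream offset with rc4_skip and return that byte
 * (key "Key"); shows the skip as a cheap seek, not just a discard. */
uint8_t rc4_keystream_byte_at(size_t offset)
{
    static const uint8_t key[] = "Key";
    struct rc4_ctx c;
    rc4_keysetup(&c, key, 3);
    rc4_skip(&c, offset);
    return rc4_byte(&c);
}
```

The equivalence holds because rc4_crypt only touches the buffer to XOR it; every state transition lives in rc4_byte, so calling that the same number of times, with or without a buffer, yields the same cipher state and the same subsequent keystream.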
|
also brings kernel sha1 more in line with userland;
discussed with miod@ and millert@;
|
|
ok djm and with a hint from henning
|
|
ok deraadt jason
|
|
|
|
how much blowfish takes at max, which is 72 bytes.
Also define a constant for this in the include file, suggested by ray@.
ok pedro@ thib@ tedu@
|
|
encryption accordingly. Makes NULL encryption usable with ESP.
Noticed by Martin Hedenfalk <martin.hedenfalk at gmail.com>.
ok markus@
|
|
|
|
ok pedro
|
|
ok deraadt
|
|
put one splx in a better spot. make a variable size MALLOC use malloc.
remove null test after malloc(M_WAITOK).
add PR_NOWAIT flag to pool_get instead of 0. change callbacks to correct type.
ok brad deraadt markus mickey
|
|
|
|
The MIC generates a weak 64-bit digest protected by an additional key.
Obviously, this digest alg is required for future IEEE 802.11i/WPA
support.
test vectors passed on alpha amd64 mvme68k mvme88k sgi sparc sparc64 vax i386
ok djm@
|
|
ok miod@
|
|
|
|
ok markus@
|
|
|
|
|
|
|
|
fix spelling in comment, by rohee@
no binary change
ok deraadt@
|
|
ok deraadt@
|
|
This primarily improves IPsec performance when using crypto accelerators.
With help from markus@, tested by wvdputte@.
ok deraadt@, markus@
|
|
number of key bits is supplied.
Only AES and DES/3DES might fail.
ok and help markus@
|