| Age | Commit message (Collapse) | Author |
|---|
|
extra warnings with gcc 3, due to the way we use siphash in the filesystem
code.
With dlg@
|
|
simplify a bit more, swapping only aligned values and then using memcpy
to fill the digest. fix confirmed by jsg.
ok jsg kettenis millert
|
|
looks good to deraadt@ miod@ and tedu@
|
|
context and making digest required to Final.
|
|
|
|
|
|
|
|
|
|
|
|
ok millert
|
|
|
|
naddy found sparc64 gets a little slower when unrolled.
ok deraadt
|
|
ok deraadt millert
|
|
This includes a commit made by Andy Polyakov <appro at openssl ! org>
to the OpenSSL source tree on Wed, 28 Jun 2006 with the following
message: "Mitigate cache-collision timing attack on last round."
OK naddy, miod
|
|
required to cast their pointers, which is ugly and possibly error
prone. accidentally casting an int to a pointer, for example, instead
of the address of the int. implicit void * casting is safer.
This updates the kernel hash interfaces to use void *. Similar changes
are possible for userland. I think it's safe, but there may be some
peculiar source compatbility issues there, so let's just do the kernel
first.
ok dlg millert
|
|
Pointed out by John-Mark Gurney <jmg at funkthat ! com>, thanks!
|
|
J. Bernstein, as described at https://131002.net/siphash/, and via
Andre Oppermanns implementation in FreeBSD.
this is supposed to be a good but cheap hash for use in places where
you want to protect against hash bucket flooding attacks.
yasuoka@ pointed me at this after i asked about possibilities for
protecting the in_pcb hash he was tinkering with.
naddy@ mikeb@ claudio@ and djm@ agree it is much better than doing nothing
commit deraadt@
|
|
will be used from.
this adds pool_setipl at IPL_VM to the crypto descriptor pools, and
removes all the splvm handling around the use of those pools.
tested by many via tech@
ok kettenis@ deraadt@
|
|
make the crypto taskq protect things at IPL_VM instead of IPL_HIGH.
everything else in crypto.c uses splvm/IPL_VM. it seems this IPL_HIGH
came about because the hand rolled task list and thread that crypto
used to use was converted to workqs, which unconditionally used
IPL_HIGH internally. when it was converted from workqs to tasks it
blindly ported the protection workqs gave.
tested by many via tech@ and snapshots
ok kettenis@
|
|
|
|
everything else in crypto.c uses splvm/IPL_VM. it seems this IPL_HIGH
came about because the hand rolled task list and thread that crypto
used to use was converted to workqs, which unconditionally used
IPL_HIGH internally. when it was converted from workqs to tasks it
blindly ported the protection workqs gave.
tested by many via tech@ and snapshots
ok kettenis@
|
|
ok deraadt@
|
|
ok mpi@ kspillner@
|
|
The interface has been disabled by default for about 4 years and
currently there's not much value in having it around at all.
ok deraadt
|
|
The interface has been disabled by default for about 4 years and
currently there's not much value in having it around at all.
ok deraadt
|
|
ok miod@, who has offerred to help with any MD fallout
ok guenther@
|
|
|
|
|
|
after discussions with beck deraadt kettenis.
|
|
don't need to be married.
ok guenther miod beck jsing kettenis
|
|
deflate(); this hurts interop with broken old openbsd releases; ok reyk@
|
|
a high compression ratio, e.g. for ping -s 10000 -p aa
- deal with inflate returning Z_BUF_ERROR if the output buffer is full.
this can happen in some edge cases with upgraded libz from 2004
ok mikeb@
|
|
|
|
ok jsing, markus
|
|
ancient code looked pretty crummy.
ok deraadt@
|
|
|
|
|
|
rather than requiring each algorithm to provide their own memory handling.
This matches the interface already provided by cryptosoft for
authentication algorithms and removes the need for zerokey functions.
ok mikeb@
|
|
|
|
rename the structure internals to id32_* in anticipation of an
idgen16() that might come in the future.
|
|
ok beck
|
|
with ESN AAD is 12 bytes long so it's faster to zero out 4
bytes than to copy 12. Without ESN it's either copying or
zeroing out 8 bytes but we'll rely on the cache locality here.
|
|
Number are provided to the GCM as an Additional Authenticated
Data. Usually an SPI and a lower 32-bit part of the ESN are
contained within the same memory buffer whereas an upper part
of the ESN comes from an external location. To accommodate
that RFC 4303, Section 3.3.2.1 states that upper part of the
ESN is hashed in the end. Unfortunately this advice is not
applicable for the combined authentication/encryption modes
and RFC 4106 decided not to follow that advice, effectively
requiring large API changes to accommodate that poor choice.
For now implement a kludge that will take an effect in case
CRD_F_ESN flag is set in the crypto operation descriptor.
Successfully tested against Linux 3.2 with strongSwan 4.6.4.
|
|
supply correct AAD length to the final round of hashing.
While here rename swcr_combined to swcr_authenc.
|
|
ok guenther millert kettenis
|
|
region since it's passed to the hardware directly.
Tested by Yoshihisa Matsushita <y at m8a ! org>, thanks!
ok kettenis miod
|
|
Part of the work to remove -Wno-uninitialized.
ok mikeb@
|
|
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.
Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.
Tested against OpenBSD, Linux (strongswan) and Windows.
No objection from the usual suspects.
|
|
Pointed out by Michael W. Bombardieri on tech@.
ok deraadt
|
|
anticipation of further changes to closef(). No binary change.
ok krw@ miod@ deraadt@
|
