summaryrefslogtreecommitdiff
path: root/sys/crypto
AgeCommit message (Collapse)Author
2021-03-12spellingJonathan Gray
2020-07-22Add missing CVS tags.tobhe
ok patrick@
2020-06-27don't try to expand alignment using __aligned(16) on local variables.Theo de Raadt
that stops being normal C. the object type has to be sufficient, if it needed larger alignment such a type or a union should be used instead. (breaks landisk gcc, for one)
2020-06-24kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)cheloha
time_second(9) and time_uptime(9) are widely used in the kernel to quickly get the system UTC or system uptime as a time_t. However, time_t is 64-bit everywhere, so it is not generally safe to use them on 32-bit platforms: you have a split-read problem if your hardware cannot perform atomic 64-bit reads. This patch replaces time_second(9) with gettime(9), a safer successor interface, throughout the kernel. Similarly, time_uptime(9) is replaced with getuptime(9). There is a performance cost on 32-bit platforms in exchange for eliminating the split-read problem: instead of two register reads you now have a lockless read loop to pull the values from the timehands. This is really not *too* bad in the grand scheme of things, but compared to what we were doing before it is several times slower. There is no performance cost on 64-bit (__LP64__) platforms. With input from visa@, dlg@, and tedu@. Several bugs squashed by visa@. ok kettenis@
2020-06-21add constructions for wireguard.David Gwynne
from Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
2020-06-21add hchacha20 for wireguard.David Gwynne
i think we should turn the chacha code into an actual c file at some point to reduce duplication of object code, but that can happen later. from Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
2020-06-21curve25519 for wireguard.David Gwynne
via Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
2020-06-21add blake2s for wireguard.David Gwynne
via Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
2020-05-29rndvar.h not needed hereTheo de Raadt
2020-04-15idgen32(9): use time_uptime(9) for rekey timestamps, not time_second(9)cheloha
Timestamp contexts with a monotonic clock. time_second(9) can jump, stretching or truncating our rekey interval. time_uptime(9) will not jump around. ok djm@
2020-03-30Break crypto_unregister() sanity check into two expressions, making itKenneth R Westerback
clearer what is being checked. Original suggestion from kettenis@.
2020-03-29Don't access past end of cc_alg[] when trying to avoidKenneth R Westerback
unregistering an invalid algorithm. CID 1453298 ok kettenis@ (with suggested improvements to come)
2019-01-09free(9) sizes.Martin Pieuchot
ok visa@
2018-05-31Add sizes for free().Frederic Cambus
OK visa@
2018-04-09Move some AES-related defines into xform.h to reduce duplication.Visa Hankala
gmac.c is left untouched for now to preserve layering. OK mikeb@, deraadt@
2018-01-05Sync with the code in libcMike Belopuhov
OK millert; original commit message by tedu@: memcpy from the right place. at this point, the used variable is not relevant. from Mark Karpilovskij. ok millert
2017-11-30Fix the IPL and flags of the MP-safe crypto taskq. Now a sane IPLVisa Hankala
is passed to the mutex implementation, and the queue actually runs without the kernel lock. Tested by dhill@ OK mikeb@, dhill@, kettenis@
2017-08-10the userland crypto interface died long ago, can clean up the headerTed Unangst
2017-05-31make the AES-XTS mode a little more constant-time, though the AESDamien Miller
implementation that it depends on currently isn't. ok mikeb tom
2017-05-17Revert MI AES-XTS code back to T-tables amid poor performanceMike Belopuhov
Suffered by many, the revert tested by stsp@.
2017-05-02Switch 802.11 crypto over to the new AESMike Belopuhov
OK stsp@
2017-05-02Switch glxsb(4), VIA padlock and AES-NI drivers over to the new AESMike Belopuhov
2017-05-02Switch OCF and IPsec over to the new AESMike Belopuhov
ok djm
2017-04-30Constant time AES implementationMike Belopuhov
This introduces a 32-bit constant time AES implementation from Thomas Pornin originally for BearSSL and then adjusted by Thomas and myself to fit OpenBSD kernel. One of the additional features is an API for encryption and decryption subkey expansion in the format specified by NIST in FIPS 197. Tested by myself and naddy@, ok djm@
2017-04-12The kernel has to slightly different version of SipHash_Final but withFlorian Obser
the same bug as just fixed in userland: ---------- SipHash_Final() was assuming the digest was 64-bit aligned, resulting in misaligned memory accesses with armv7 ramdisk -Os bsd.rd ping ok florian millert ---------- OK deraadt@
2017-02-07Reduce the per-packet allocation costs for crypto operations (cryptop)Patrick Wildt
by pre-allocating two cryptodesc objects and storing them in an array instead of a linked list. If more than two cryptodesc objects are required use mallocarray to fetch them. Adapt the drivers to the new API. This change results in one pool-get per ESP packet instead of three. It also simplifies softraid crypto where more cryptodesc objects are allocated than used. From, with and ok markus@, ok bluhm@ "looks sane" mpi@
2017-02-07The return code of crp_callback is never checked, so it is notAlexander Bluhm
useful to propagate the error. When an error occurs in an asynchronous network path, incrementing a counter is the right thing. There are four places where an error is not accounted, just add a comment for now. OK mpi@ visa@
2016-09-19convert bcopy to memcpy. from david hillTed Unangst
2016-09-15all pools have their ipl set via pool_setipl, so fold it into pool_init.David Gwynne
the ioff argument to pool_init() is unused and has been for many years, so this replaces it with an ipl argument. because the ipl will be set on init we no longer need pool_setipl. most of these changes have been done with coccinelle using the spatch below. cocci sucks at formatting code though, so i fixed that by hand. the manpage and subr_pool.c bits i did myself. ok tedu@ jmatthew@ @ipl@ expression pp; expression ipl; expression s, a, o, f, m, p; @@ -pool_init(pp, s, a, o, f, m, p); -pool_setipl(pp, ipl); +pool_init(pp, s, a, ipl, f, m, p);
2016-09-02Remove variables 'm' and 'uio' that are only ever assigned toTom Cosgrove
(in swcr_authenc()) ok mikeb@, who pointed out that I'd missed uio
2016-04-18Add a mechanism for dispatching mpsafe crypto operations. This adds a newMark Kettenis
CRYPTOCAP_F_MPSAFE flag that crypto implementations can set to indicate that their cc_process() implementation can safely run without holding the kernel lock. ok mikeb@
2015-12-10Remove plain DES from the kernel crypto framework, including the cryptoChristian Weisgerber
accelerator drivers. No longer used by anything. ok sthen@ mikeb@
2015-11-18Cleanup gotos as suggested by jsing@ along with spaces and label namesMike Belopuhov
2015-11-13remove unused ARC4 support; ok mikeb@Christian Weisgerber
2015-11-13Remove unused non HMAC versions of MD5 and SHA1; ok mpi, deraadt, naddyMike Belopuhov
2015-11-12remove a few unused definesMike Belopuhov
2015-11-12another define from the dsa eraMike Belopuhov
2015-11-12spacingMike Belopuhov
2015-11-07Update copyright informationMike Belopuhov
2015-11-07Pass AES_GMAC context as a void pointer to cut down on casts in xform.cMike Belopuhov
2015-11-07Allow overriding ghash_update() with an optimized MD function. UseChristian Weisgerber
this on amd64 to provide a version that uses the PCLMUL instruction on CPUs that support it but don't have AESNI. ok mikeb@
2015-11-06Instead of multiplying with 0..1, extend the bit into a mask and do an AND.Christian Weisgerber
The same technique was already used a few lines above. ok mikeb@
2015-11-04Pass context as a void pointer to cut down on casts in xform.cMike Belopuhov
2015-11-03Remove two unused definesMike Belopuhov
2015-11-03Enable Chacha20-Poly1305 in the software crypto driverMike Belopuhov
ok naddy, jsing, reyk
2015-11-03Hook up Chacha20-Poly1305 to the OpenBSD Cryptographic FrameworkMike Belopuhov
ok naddy, jsing
2015-11-03Chacha20-Poly1305 AEAD construction as described in RFC7634 and RFC7539Mike Belopuhov
ok naddy, jsing
2015-10-29Import Poly1305 Message Authentication CodeMike Belopuhov
Poly1305 is a one-time authenticator designed by Daniel J. Bernstein. This is a slightly adjusted public domain implementation by Andrew Moon found at https://github.com/floodyberry/poly1305-donna ok jsing, previous version ok djm, looked at by reyk@
2015-10-27Use verbose defines instead of hardcoded values for clarity whenMike Belopuhov
initializing hash objects. No binary or functional change.
2015-10-27Sync chacha_ivsetup to the version in ssh so that we couldMike Belopuhov
specify custom counter value when setting up Chacha context. ok reyk djm