summaryrefslogtreecommitdiff
path: root/sys/crypto
AgeCommit message (Collapse)Author
2012-12-11Bring back a small copy optimization in the aes-gcm handling:Mike Belopuhov
with ESN AAD is 12 bytes long so it's faster to zero out 4 bytes than to copy 12. Without ESN it's either copying or zeroing out 8 bytes but we'll rely on the cache locality here.
2012-12-07RFC 4106, Section 5 states that the SPI and a 64-bit SequenceMike Belopuhov
Number are provided to the GCM as an Additional Authenticated Data. Usually an SPI and a lower 32-bit part of the ESN are contained within the same memory buffer whereas an upper part of the ESN comes from an external location. To accommodate that RFC 4303, Section 3.3.2.1 states that upper part of the ESN is hashed in the end. Unfortunately this advice is not applicable for the combined authentication/encryption modes and RFC 4106 decided not to follow that advice, effectively requiring large API changes to accommodate that poor choice. For now implement a kludge that will take an effect in case CRD_F_ESN flag is set in the crypto operation descriptor. Successfully tested against Linux 3.2 with strongSwan 4.6.4.
2012-12-07Fix one of the two issues with ESN support in the GCM case:Mike Belopuhov
supply correct AAD length to the final round of hashing. While here rename swcr_combined to swcr_authenc.
2012-12-05Remove excessive sys/cdefs.h inclusionTheo de Raadt
ok guenther millert kettenis
2012-10-28We need to allocate memory for crp_buf in the DMA accessibleMike Belopuhov
region since it's passed to the hardware directly. Tested by Yoshihisa Matsushita <y at m8a ! org>, thanks! ok kettenis miod
2012-10-04Clean up uninitialized warnings from cryptosoft and aesni.Christiano F. Haesbaert
Part of the work to remove -Wno-uninitialized. ok mikeb@
2012-06-29Add support for the Extended (64-bit) Sequence Number as definedMike Belopuhov
in RFC4302 and RFC4303. Right now only software crypto engine is capable of doing it. Replay check was rewritten to implement algorithm described in the Appendix A of RFC4303 and the window size was increased to 64. Tested against OpenBSD, Linux (strongswan) and Windows. No objection from the usual suspects.
2012-04-25Use explicit_bzero() for clearing key material.Matthew Dempsky
Pointed out by Michael W. Bombardieri on tech@. ok deraadt
2012-04-22Add struct proc * argument to FRELE() and FILE_SET_MATURE() inPhilip Guenthe
anticipation of further changes to closef(). No binary change. ok krw@ miod@ deraadt@
2012-02-15Hold struct filedesc's fd_lock when writing to the fd_ofiles, fd_ofileflags,Philip Guenthe
or fd_{lo,hi}maps members, or when doing a read for a write. Fixes hangs when an rthreaded processes sleeps while copying the fd table for fork() and catches another thread with the lock. ok jsing@ tedu@
2011-07-07empty files should be deletedTed Unangst
2011-07-07Replace the cruddy old sys/net/zlib.[ch]. We now use the sys/lib/libzTheo de Raadt
code. Missing chunks of the API are imported from the libc version, with a few #ifdef's to port it into the kernel environment. The bootblocks already used the newer code, and should encounter no surprises since there are so few changes to the existing files. In the kernel, ipcomp and kernel ppp are changed to the new API. ipcomp has been tested. ok tedu the brave
2011-01-12cleanup aes-ctr keystream after use; ok deraadtMike Belopuhov
2011-01-11fix encryption for uio_iovcnt > 1 by passing the absolute offset 'count'Markus Friedl
to cuio_copydata() and make sure we don't loop forever if the end of an iov matches the cipher block boundary. ok mikeb, deraadt
2011-01-11key lengths are counted in bitsTheo de Raadt
2011-01-11add explicit_bzero() calls before free()ing key materialTheo de Raadt
ok mikeb
2011-01-11in SHA1Final(), explicitly clear the local bufferTheo de Raadt
ok mikeb
2011-01-11accidental commit of a pending diff relating to something elseTheo de Raadt
2011-01-11in AES_GMAC_Final(), explicitly clear the local bufferTheo de Raadt
ok mikeb
2011-01-11for key material that is being being discarded, convert bzero() toTheo de Raadt
explicit_bzero() where required ok markus mikeb
2010-12-22use the do {} while construct in the copying macrosTheo de Raadt
ok mikeb
2010-12-21remove dead code (ivp did always point to iv in the decrypt path).Markus Friedl
instead save one bcopy() per block by alternating between two iv buffers; ok mikeb@
2010-12-16move CRYPTO_VIAC3_MAX out of cryptodev.h and into the onlyJonathan Gray
file it will be used from. requested by/ok mikeb@
2010-12-16The VIA ciphers are added to an array of CRYPTO_ALGORITHM_MAX lengthJonathan Gray
which should have been declared as CRYPTO_ALGORITHM_MAX + 1, fix this and reserve enough space for the VIA additions as well. ok/comments from mikeb & deraadt
2010-12-14disable access to the crypto(4) device from userland; ok deraadtMike Belopuhov
2010-11-08use a well established define instead of rolling our own; no binary changeMike Belopuhov
2010-10-06Retire SkipjackMike Belopuhov
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon. djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
2010-10-06zero out auth hash context before freeing it; ok matthew millertMike Belopuhov
2010-09-22OCF support for the Galois/Counter Mode (GCM) for AES asMike Belopuhov
described in FIPS SP 800-38D. This implementation supports 16 byte authentication tag only, splitting transformation into two parts: encryption and authentication. Encryption is handled by the existing AES-CTR implementation, while authentication requires new AES_GMAC hash function. Additional routine is added to the software crypto driver to deal with peculiarities of a combined authentication- encryption transformation. With suggestions from reyk, naddy and toby.
2010-09-08Reintroduce most crypto/crypto.c r1.55:Joel Sing
Move pool initialization to init_crypto and zap the crypto_pool_initialized variable. This way we don't have to check if the pool are initialized every time we do a crypto_getreq(). However, also perform the crypto initialisation earlier in init_main so that the crypto pools are initialised before they are used. ok mikeb@ thib@ deraadt@
2010-08-08Backout r1.55 since this breaks anything which does crypto ops prior toJoel Sing
init_crypto() being called from late in init_main(). In particular, this breaks softraid crypto volumes that are assembled at boot. No cookies for thib/mikeb! "Back it out, right now" deraadt@
2010-07-21No need for read/write functions, just use enodev like all the otherTheo de Raadt
things things do ok nicm
2010-07-20Switch some obvious network stack MAC comparisons from bcmp() toMatthew Dempsky
timingsafe_bcmp(). ok deraadt@; committed over WPA.
2010-07-20Mark a DMA accessible malloc for later correction. This isMatthew Dempsky
potentially up to 64KB, so we'll need something fancier than dma_alloc().
2010-07-08Revert part of previous.Thordur I. Bjornsson
The splvm protection is needed after all, as we are walking the list of registered crypto drivers and doing that unprotected is unwise. Pointed out by kettenis@
2010-07-08Move pool initialization to init_crypto and zap the crypto_pool_initializedThordur I. Bjornsson
variable. This way we don't have to check if the pool are initialized every time we do a crypto_getreq(). Move splvm lower as it isnt need all through crypto_newsession(). tiny KNF nit. From mikeb OK deraadt@
2010-07-02m_copyback can fail to allocate memory, but is a void fucntion so gymnasticsBret Lambert
are required to detect that. Change the function to take a wait argument (used in nfs server, but M_NOWAIT everywhere else for now) and to return an error ok claudio@ henning@ krw@
2010-06-23Zap a dead prototype, crypto_thread(); Leftover since crypto wasThordur I. Bjornsson
moved from a special kthread to workqs. OK dlg@
2010-06-09Remove the CRYPTO_ALGORITHM_ALL define, fixup accordinglyThordur I. Bjornsson
and make the loop invartiants <= CRYPTO_ALGORITHM_MAX Do this also for the CRK_ALGORITHM_MAX this also fixes the a bug that caused us to skip CRK_DH_COMPUTE_KEY. ok deraadt@
2010-04-20remove proc.h include from uvm_map.h. This has far reaching effects, asTed Unangst
sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt
2010-01-10Fix two bugs in IPsec/HMAC-SHA2:Markus Friedl
(1) use correct (message) block size of 128 byte (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits. WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec-implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt
2009-09-03crypto hardware (eg, hifn) establishes its interrupt handler atDavid Gwynne
IPL_NET. when the hardware finishes some work for the crypto subsystem and therefore something in the kernel that wanted crypto done, it calls crypto_done from that interrupt handler. one of the things that uses crypto is ipsec. when crypto is done for ipsec it then pushes the packet along the network stack. the problem is that all the structures inside the network stack are only protected at splsoftnet. we could be in the middle of modifications to the pf state table or the pfsync queues when we get a hifn interrupt and then go stomp on the same structures. the solution is to defer the completions so they can do the right spl protections. this basically reverts r1.46 of src/sys/crypto/crypto.c. found by naddy@
2009-08-17sizeof(ptr) -> sizeof(*ptr) as intended; ok djm@ millert@Miod Vallat
2009-07-05Buffer in RMD160_CTX is length RMD160_BLOCK_LENGTH not RMD160_DIGEST_LENGTH.Todd C. Miller
Userland version was already correct. From Jason Fritcher. OK deraadt@
2009-02-17variable no longer usedTheo de Raadt
2009-02-17The loop here preparing the uio always added the length of the firstOwain Ainsworth
iovec, not the correct one. It worked ok since iovcnt was always 1. Since it's unlikely to be any other number, remove the loop and just add the one length we care about. "go ahead" deraadt@.
2008-11-04Use defines for constants. Use __attribute__ bounded.Hans-Joerg Hoexer
ok markus@ (quite some time ago)
2008-10-30reintroduce mutexes to workqs for locking.David Gwynne
tested by many on many archs including several alpha test. ok tedu@ go for it deraadt@
2008-09-06match libc sha2(3) API changes for kernel; ok millert@Damien Miller
2008-08-12Implementation of the HMAC-MD5, HMAC-SHA1, HMAC-SHA256, AES-128-CMACDamien Bergamini
and AES Key Wrap algorithms. They will replace/extend the non-generic implementation in net80211. AES-128-CMAC tested by sobrado@ (AlphaServer 1200), naddy@ (alpha/sparc64) and sthen@ (sparc64, armish). HMAC-* reviewed by hshoexer@ ok and hints from djm@