Age | Commit message (Collapse) | Author |
|
with ESN AAD is 12 bytes long so it's faster to zero out 4
bytes than to copy 12. Without ESN it's either copying or
zeroing out 8 bytes but we'll rely on the cache locality here.
|
|
Number are provided to the GCM as an Additional Authenticated
Data. Usually an SPI and a lower 32-bit part of the ESN are
contained within the same memory buffer whereas an upper part
of the ESN comes from an external location. To accommodate
that RFC 4303, Section 3.3.2.1 states that upper part of the
ESN is hashed in the end. Unfortunately this advice is not
applicable for the combined authentication/encryption modes
and RFC 4106 decided not to follow that advice, effectively
requiring large API changes to accommodate that poor choice.
For now implement a kludge that will take an effect in case
CRD_F_ESN flag is set in the crypto operation descriptor.
Successfully tested against Linux 3.2 with strongSwan 4.6.4.
|
|
supply correct AAD length to the final round of hashing.
While here rename swcr_combined to swcr_authenc.
|
|
ok guenther millert kettenis
|
|
region since it's passed to the hardware directly.
Tested by Yoshihisa Matsushita <y at m8a ! org>, thanks!
ok kettenis miod
|
|
Part of the work to remove -Wno-uninitialized.
ok mikeb@
|
|
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.
Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.
Tested against OpenBSD, Linux (strongswan) and Windows.
No objection from the usual suspects.
|
|
Pointed out by Michael W. Bombardieri on tech@.
ok deraadt
|
|
anticipation of further changes to closef(). No binary change.
ok krw@ miod@ deraadt@
|
|
or fd_{lo,hi}maps members, or when doing a read for a write. Fixes hangs
when an rthreaded processes sleeps while copying the fd table for fork()
and catches another thread with the lock.
ok jsing@ tedu@
|
|
|
|
code. Missing chunks of the API are imported from the libc version,
with a few #ifdef's to port it into the kernel environment.
The bootblocks already used the newer code, and should encounter no
surprises since there are so few changes to the existing files. In
the kernel, ipcomp and kernel ppp are changed to the new API.
ipcomp has been tested.
ok tedu the brave
|
|
|
|
to cuio_copydata() and make sure we don't loop forever if the end of
an iov matches the cipher block boundary.
ok mikeb, deraadt
|
|
|
|
ok mikeb
|
|
ok mikeb
|
|
|
|
ok mikeb
|
|
explicit_bzero() where required
ok markus mikeb
|
|
ok mikeb
|
|
instead save one bcopy() per block by alternating between two iv buffers;
ok mikeb@
|
|
file it will be used from.
requested by/ok mikeb@
|
|
which should have been declared as CRYPTO_ALGORITHM_MAX + 1,
fix this and reserve enough space for the VIA additions as well.
ok/comments from mikeb & deraadt
|
|
|
|
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
|
|
described in FIPS SP 800-38D.
This implementation supports 16 byte authentication tag only,
splitting transformation into two parts: encryption and
authentication. Encryption is handled by the existing
AES-CTR implementation, while authentication requires new
AES_GMAC hash function.
Additional routine is added to the software crypto driver
to deal with peculiarities of a combined authentication-
encryption transformation.
With suggestions from reyk, naddy and toby.
|
|
Move pool initialization to init_crypto and zap the crypto_pool_initialized
variable. This way we don't have to check if the pool are initialized every
time we do a crypto_getreq().
However, also perform the crypto initialisation earlier in init_main so
that the crypto pools are initialised before they are used.
ok mikeb@ thib@ deraadt@
|
|
init_crypto() being called from late in init_main(). In particular, this
breaks softraid crypto volumes that are assembled at boot.
No cookies for thib/mikeb!
"Back it out, right now" deraadt@
|
|
things things do
ok nicm
|
|
timingsafe_bcmp().
ok deraadt@; committed over WPA.
|
|
potentially up to 64KB, so we'll need something fancier than
dma_alloc().
|
|
The splvm protection is needed after all, as we are walking the list
of registered crypto drivers and doing that unprotected is unwise.
Pointed out by kettenis@
|
|
variable. This way we don't have to check if the pool are initialized every
time we do a crypto_getreq().
Move splvm lower as it isnt need all through crypto_newsession().
tiny KNF nit.
From mikeb
OK deraadt@
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
moved from a special kthread to workqs.
OK dlg@
|
|
and make the loop invartiants <= CRYPTO_ALGORITHM_MAX
Do this also for the CRK_ALGORITHM_MAX this also fixes
the a bug that caused us to skip CRK_DH_COMPUTE_KEY.
ok deraadt@
|
|
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt
|
|
IPL_NET. when the hardware finishes some work for the crypto subsystem
and therefore something in the kernel that wanted crypto done, it
calls crypto_done from that interrupt handler.
one of the things that uses crypto is ipsec. when crypto is done
for ipsec it then pushes the packet along the network stack. the
problem is that all the structures inside the network stack are
only protected at splsoftnet. we could be in the middle of modifications
to the pf state table or the pfsync queues when we get a hifn
interrupt and then go stomp on the same structures.
the solution is to defer the completions so they can do the right
spl protections.
this basically reverts r1.46 of src/sys/crypto/crypto.c.
found by naddy@
|
|
|
|
Userland version was already correct. From Jason Fritcher. OK deraadt@
|
|
|
|
iovec, not the correct one. It worked ok since iovcnt was always 1.
Since it's unlikely to be any other number, remove the loop and just add
the one length we care about.
"go ahead" deraadt@.
|
|
ok markus@ (quite some time ago)
|
|
tested by many on many archs including several alpha test.
ok tedu@ go for it deraadt@
|
|
|
|
and AES Key Wrap algorithms.
They will replace/extend the non-generic implementation in net80211.
AES-128-CMAC tested by sobrado@ (AlphaServer 1200),
naddy@ (alpha/sparc64) and sthen@ (sparc64, armish).
HMAC-* reviewed by hshoexer@
ok and hints from djm@
|