path: root/sys/crypto
Commit log (Age, Author, then the commit message)

2017-05-31  Damien Miller
    make the AES-XTS mode a little more constant-time, though the AES
    implementation that it depends on currently isn't. ok mikeb tom

2017-05-17  Mike Belopuhov
    Revert MI AES-XTS code back to T-tables amid poor performance
    suffered by many, the revert tested by stsp@.

2017-05-02  Mike Belopuhov
    Switch 802.11 crypto over to the new AES
    OK stsp@

2017-05-02  Mike Belopuhov
    Switch glxsb(4), VIA padlock and AES-NI drivers over to the new AES

2017-05-02  Mike Belopuhov
    Switch OCF and IPsec over to the new AES
    ok djm

2017-04-30  Mike Belopuhov
    Constant time AES implementation

    This introduces a 32-bit constant time AES implementation from Thomas
    Pornin, originally for BearSSL and then adjusted by Thomas and myself to
    fit the OpenBSD kernel. One of the additional features is an API for
    encryption and decryption subkey expansion in the format specified by
    NIST in FIPS 197. Tested by myself and naddy@, ok djm@

2017-04-12  Florian Obser
    The kernel has a slightly different version of SipHash_Final but with
    the same bug as just fixed in userland:

    ----------
    SipHash_Final() was assuming the digest was 64-bit aligned, resulting in
    misaligned memory accesses with armv7 ramdisk -Os bsd.rd ping
    ok florian millert
    ----------

    OK deraadt@

2017-02-07  Patrick Wildt
    Reduce the per-packet allocation costs for crypto operations (cryptop)
    by pre-allocating two cryptodesc objects and storing them in an array
    instead of a linked list. If more than two cryptodesc objects are
    required, use mallocarray to fetch them. Adapt the drivers to the new
    API. This change results in one pool-get per ESP packet instead of
    three. It also simplifies softraid crypto where more cryptodesc objects
    are allocated than used.

    From, with and ok markus@, ok bluhm@, "looks sane" mpi@

2017-02-07  Alexander Bluhm
    The return code of crp_callback is never checked, so it is not
    useful to propagate the error. When an error occurs in an asynchronous
    network path, incrementing a counter is the right thing. There are four
    places where an error is not accounted; just add a comment for now.
    OK mpi@ visa@

2016-09-19  Ted Unangst
    convert bcopy to memcpy. from david hill

2016-09-15  David Gwynne
    all pools have their ipl set via pool_setipl, so fold it into pool_init.

    the ioff argument to pool_init() is unused and has been for many years,
    so this replaces it with an ipl argument. because the ipl will be set on
    init we no longer need pool_setipl.

    most of these changes have been done with coccinelle using the spatch
    below. cocci sucks at formatting code though, so i fixed that by hand.
    the manpage and subr_pool.c bits i did myself.

    ok tedu@ jmatthew@

    @ipl@
    expression pp;
    expression ipl;
    expression s, a, o, f, m, p;
    @@
    -pool_init(pp, s, a, o, f, m, p);
    -pool_setipl(pp, ipl);
    +pool_init(pp, s, a, ipl, f, m, p);

2016-09-02  Tom Cosgrove
    Remove variables 'm' and 'uio' that are only ever assigned to
    (in swcr_authenc())
    ok mikeb@, who pointed out that I'd missed uio

2016-04-18  Mark Kettenis
    Add a mechanism for dispatching mpsafe crypto operations. This adds a new
    CRYPTOCAP_F_MPSAFE flag that crypto implementations can set to indicate
    that their cc_process() implementation can safely run without holding
    the kernel lock.
    ok mikeb@

2015-12-10  Christian Weisgerber
    Remove plain DES from the kernel crypto framework, including the crypto
    accelerator drivers. No longer used by anything.
    ok sthen@ mikeb@

2015-11-18  Mike Belopuhov
    Cleanup gotos as suggested by jsing@ along with spaces and label names

2015-11-13  Christian Weisgerber
    remove unused ARC4 support; ok mikeb@

2015-11-13  Mike Belopuhov
    Remove unused non-HMAC versions of MD5 and SHA1; ok mpi, deraadt, naddy

2015-11-12  Mike Belopuhov
    remove a few unused defines

2015-11-12  Mike Belopuhov
    another define from the dsa era

2015-11-12  Mike Belopuhov
    spacing

2015-11-07  Mike Belopuhov
    Update copyright information

2015-11-07  Mike Belopuhov
    Pass AES_GMAC context as a void pointer to cut down on casts in xform.c

2015-11-07  Christian Weisgerber
    Allow overriding ghash_update() with an optimized MD function. Use
    this on amd64 to provide a version that uses the PCLMUL instruction on
    CPUs that support it but don't have AESNI.
    ok mikeb@

2015-11-06  Christian Weisgerber
    Instead of multiplying with 0..1, extend the bit into a mask and do an AND.
    The same technique was already used a few lines above.
    ok mikeb@

2015-11-04  Mike Belopuhov
    Pass context as a void pointer to cut down on casts in xform.c

2015-11-03  Mike Belopuhov
    Remove two unused defines

2015-11-03  Mike Belopuhov
    Enable Chacha20-Poly1305 in the software crypto driver
    ok naddy, jsing, reyk

2015-11-03  Mike Belopuhov
    Hook up Chacha20-Poly1305 to the OpenBSD Cryptographic Framework
    ok naddy, jsing

2015-11-03  Mike Belopuhov
    Chacha20-Poly1305 AEAD construction as described in RFC7634 and RFC7539
    ok naddy, jsing

2015-10-29  Mike Belopuhov
    Import Poly1305 Message Authentication Code

    Poly1305 is a one-time authenticator designed by Daniel J. Bernstein.
    This is a slightly adjusted public domain implementation by Andrew Moon
    found at https://github.com/floodyberry/poly1305-donna

    ok jsing, previous version ok djm, looked at by reyk@

2015-10-27  Mike Belopuhov
    Use verbose defines instead of hardcoded values for clarity when
    initializing hash objects. No binary or functional change.

2015-10-27  Mike Belopuhov
    Sync chacha_ivsetup to the version in ssh so that we could
    specify a custom counter value when setting up Chacha context.
    ok reyk djm

2015-10-26  Mike Belopuhov
    Use axf's hashsize as a block size in the authenticated encryption routine.
    No change for GCM, however upcoming changes will rely on this.

2015-08-31  Theo de Raadt
    two fairly simple sizes for free()

2015-08-28  Theo de Raadt
    fairly simple sizes for free(); ok tedu

2015-03-16  Miod Vallat
    Include <sys/param.h> rather than <sys/types.h> when also including
    <sys/systm.h>; fixes build on vax due to <machine/macros.h> redeclaring
    some functions from <lib/libkern/libkern.h> as inlines.

2015-03-14  Loganaden Velvindron
    Remove wrong reference to zlib.
    OK deraadt@

2015-03-14  Jonathan Gray
    Remove some includes include-what-you-use claims don't
    have any direct symbols used. Tested for indirect use by compiling
    amd64/i386/sparc64 kernels.
    ok tedu@ deraadt@

2015-02-20  Ted Unangst
    Use standard spelling for types, and rename local variable from "free".
    No actual change, but makes it easier to reuse the code elsewhere.
    Suggested by Andre Smagin

2015-02-09  David Gwynne
    we want to defer work traditionally (in openbsd) handled in an
    interrupt context to a taskq running in a thread. however, there is a
    concern that if we do that then we allow accidental use of sleeping APIs
    in this work, which will make it harder to move the work back to
    interrupts in the future.

    guenther and kettenis came up with the idea of marking a proc with
    CANTSLEEP which the sleep paths can check and panic on. this builds on
    that so you create taskqs that run with CANTSLEEP set except when they
    need to sleep for more tasks to run.

    the taskq_create api is changed to take a flags argument so users can
    specify CANTSLEEP. MPSAFE is also passed via this flags field now. this
    means archs that defined IPL_MPSAFE to 0 can now create mpsafe taskqs
    too.

    lots of discussion at s2k15
    ok guenther@ miod@ mpi@ tedu@ pelikan@

2015-02-07  David Gwynne
    keep this in sync a bit with userland by putting static on functions
    that are only used in this file. tedu argues if something sucks we
    would fault before we can get to these, and they don't do anything
    except maths. these symbols don't need to be visible to ddb.

    originally from Fritjof Bornebusch
    suggested by and ok tedu@

2015-01-27  David Gwynne
    remove the second void * argument on tasks.

    when workqs were introduced, we provided a second argument so you could
    pass a thing and some context to work on it in. there were very few
    things that took advantage of the second argument, so when i introduced
    pools i suggested removing it. since tasks were meant to replace workqs,
    it was requested that we keep the second argument to make porting from
    workqs to tasks easier.

    now that workqs are gone, i had a look at the use of the second argument
    again and found only one good use of it (vdsp(4) on sparc64 if you're
    interested) and a tiny handful of questionable uses. the vast majority
    of tasks only used a single argument. i have since modified all tasks
    that used two args to only use one, so now we can remove the second
    argument.

    so this is a mechanical change. all tasks only passed NULL as their
    second argument, so we can just remove it.

    ok krw@

2015-01-16  Ted Unangst
    Less code, more better. No longer need to worry about what mysterious
    things will happen when machines have 8 byte longs.

2015-01-15  Ted Unangst
    remove static version string

2015-01-15  Ted Unangst
    simplify des headers by stripping out all the unnecessary userland bits
    ok deraadt

2015-01-04  Miod Vallat
    Use __buffer__ instead of __string__ as the __bounded type. The former
    causes extra warnings with gcc 3, due to the way we use siphash in the
    filesystem code. With dlg@

2014-12-31  Ted Unangst
    recent changes broke alignment requirements on arm.
    simplify a bit more, swapping only aligned values and then using memcpy
    to fill the digest. fix confirmed by jsg.
    ok jsg kettenis millert

2014-12-30  David Gwynne
    add __bounded as appropriate.
    looks good to deraadt@ miod@ and tedu@

2014-12-28  Ted Unangst
    convert bcopy to memcpy in md5 and sha1. also be consistent about
    clearing context and making digest required to Final.

2014-12-28  Ted Unangst
    remove KPDK. not really used, and a bad choice anyway. ok naddy