Age | Commit message | Author

ok patrick@
that stops being normal C. the object type has to be sufficient; if it
needed larger alignment, such a type or a union should be used instead.
(breaks landisk gcc, for one)
time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.
This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).
There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.
There is no performance cost on 64-bit (__LP64__) platforms.
With input from visa@, dlg@, and tedu@.
Several bugs squashed by visa@.
ok kettenis@
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
i think we should turn the chacha code into an actual c file at
some point to reduce duplication of object code, but that can happen
later.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
via Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
via Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
Timestamp contexts with a monotonic clock. time_second(9) can jump,
stretching or truncating our rekey interval. time_uptime(9) will not
jump around.
ok djm@
clearer what is being checked.
Original suggestion from kettenis@.
unregistering an invalid algorithm.
CID 1453298
ok kettenis@ (with suggested improvements to come)
ok visa@
OK visa@
gmac.c is left untouched for now to preserve layering.
OK mikeb@, deraadt@
OK millert; original commit message by tedu@:
memcpy from the right place. at this point, the used variable is not
relevant. from Mark Karpilovskij.
ok millert
is passed to the mutex implementation, and the queue actually runs
without the kernel lock.
Tested by dhill@
OK mikeb@, dhill@, kettenis@
implementation that it depends on currently isn't.
ok mikeb tom
Suffered by many, the revert tested by stsp@.
OK stsp@
ok djm
This introduces a 32-bit constant time AES implementation from
Thomas Pornin originally for BearSSL and then adjusted by Thomas
and myself to fit the OpenBSD kernel. One of the additional features
is an API for encryption and decryption subkey expansion in the
format specified by NIST in FIPS 197.
Tested by myself and naddy@, ok djm@
the same bug as just fixed in userland:
----------
SipHash_Final() was assuming the digest was 64-bit aligned, resulting in
misaligned memory accesses with armv7 ramdisk -Os bsd.rd ping
ok florian millert
----------
OK deraadt@
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required, use mallocarray to fetch them. Adapt the drivers to the new
API.
This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.
From, with and ok markus@, ok bluhm@
"looks sane" mpi@
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted for; just add a comment for
now.
OK mpi@ visa@
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
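Review bot: the rule only rewrites a pool_init() call that is followed by a pool_setipl() on the same pool, so callers that never called pool_setipl() are not matched and keep passing their old ioff value in the argument slot the new signature reads as the ipl; those call sites are not covered by the spatch and should be confirmed as part of the hand-edited portion the message mentions.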
(in swcr_authenc())
ok mikeb@, who pointed out that I'd missed uio
CRYPTOCAP_F_MPSAFE flag that crypto implementations can set to indicate that
their cc_process() implementation can safely run without holding the kernel
lock.
ok mikeb@
accelerator drivers. No longer used by anything. ok sthen@ mikeb@
this on amd64 to provide a version that uses the PCLMUL instruction
on CPUs that support it but don't have AESNI. ok mikeb@
The same technique was already used a few lines above. ok mikeb@
ok naddy, jsing, reyk
ok naddy, jsing
ok naddy, jsing
Poly1305 is a one-time authenticator designed by Daniel J. Bernstein.
This is a slightly adjusted public domain implementation by Andrew Moon
found at https://github.com/floodyberry/poly1305-donna
ok jsing, previous version ok djm, looked at by reyk@
initializing hash objects. No binary or functional change.
specify custom counter value when setting up Chacha context.
ok reyk djm
No change for GCM, however upcoming changes will rely on this.