path: root/sys/crypto
Age | Commit message | Author
2015-02-07 | keep this in sync a bit with userland by putting static on functions | David Gwynne
    that are only used in this file. tedu argues if something sucks we would fault before we can get to these, and they don't do anything except maths. these symbols don't need to be visible to ddb. originally from Fritjof Bornebusch suggested by and ok tedu@
2015-01-27 | remove the second void * argument on tasks. | David Gwynne
    when workqs were introduced, we provided a second argument so you could pass a thing and some context to work on it in. there were very few things that took advantage of the second argument, so when i introduced pools i suggested removing it. since tasks were meant to replace workqs, it was requested that we keep the second argument to make porting from workqs to tasks easier. now that workqs are gone, i had a look at the use of the second argument again and found only one good use of it (vdsp(4) on sparc64 if you're interested) and a tiny handful of questionable uses. the vast majority of tasks only used a single argument. i have since modified all tasks that used two args to only use one, so now we can remove the second argument. so this is a mechanical change. all tasks only passed NULL as their second argument, so we can just remove it. ok krw@
2015-01-16 | Less code, more better. No longer need to worry about what mysterious | Ted Unangst
    things will happen when machines have 8 byte longs.
2015-01-15 | remove static version string | Ted Unangst
2015-01-15 | simplify des headers by stripping out all the unnecessary userland bits | Ted Unangst
    ok deraadt
2015-01-04 | Use __buffer__ instead of __string__ as the __bounded type. The former causes | Miod Vallat
    extra warnings with gcc 3, due to the way we use siphash in the filesystem code. With dlg@
2014-12-31 | recent changes broke alignment requirements on arm. | Ted Unangst
    simplify a bit more, swapping only aligned values and then using memcpy to fill the digest. fix confirmed by jsg. ok jsg kettenis millert
2014-12-30 | add __bounded as appropriate. | David Gwynne
    looks good to deraadt@ miod@ and tedu@
2014-12-28 | convert bcopy to memcpy in md5 and sha1. also be consistent about clearing | Ted Unangst
    context and making digest required to Final.
2014-12-28 | remove KPDK. not really used, and a bad choice anyway. ok naddy | Ted Unangst
2014-12-23 | as in libc, always assume digest is passed to Final. no null allowed. | Ted Unangst
2014-12-23 | as in libc, there's no need to check for calling Init on null context | Ted Unangst
2014-12-23 | use endian.h swap macros instead of home grown versions | Ted Unangst
2014-12-20 | openbsd rcsid | Ted Unangst
2014-12-19 | make the code look more like libc by changing Transform to take the state | Ted Unangst
    ok millert
2014-12-19 | convert bcopy/zero to memcpy. ok deraadt djm | Ted Unangst
2014-12-18 | only unroll on i386 and amd64 (where confirmed to be much faster). | Ted Unangst
    naddy found sparc64 gets a little slower when unrolled. ok deraadt
2014-12-17 | unroll loops for sha2. quite a bit faster for amd64. | Ted Unangst
    ok deraadt millert
2014-11-17 | Sync our kernel AES code to the one shipped in OpenSSL/LibreSSL. | Mike Belopuhov
    This includes a commit made by Andy Polyakov <appro at openssl ! org> to the OpenSSL source tree on Wed, 28 Jun 2006 with the following message: "Mitigate cache-collision timing attack on last round." OK naddy, miod
2014-11-16 | Defining the interface in terms of char * means most callers are | Ted Unangst
    required to cast their pointers, which is ugly and possibly error prone. accidentally casting an int to a pointer, for example, instead of the address of the int. implicit void * casting is safer. This updates the kernel hash interfaces to use void *. Similar changes are possible for userland. I think it's safe, but there may be some peculiar source compatibility issues there, so let's just do the kernel first. ok dlg millert
2014-11-12 | Improve performance of an internal loop by saving up on branching | Mike Belopuhov
    Pointed out by John-Mark Gurney <jmg at funkthat ! com>, thanks!
2014-11-04 | introduce SipHash, designed by Jean-Philippe Aumasson and Daniel | David Gwynne
    J. Bernstein, as described at https://131002.net/siphash/, and via Andre Oppermann's implementation in FreeBSD. this is supposed to be a good but cheap hash for use in places where you want to protect against hash bucket flooding attacks. yasuoka@ pointed me at this after i asked about possibilities for protecting the in_pcb hash he was tinkering with. naddy@ mikeb@ claudio@ and djm@ agree it is much better than doing nothing commit deraadt@
2014-10-23 | pools lock themselves now, we just have to tell them what IPL they | David Gwynne
    will be used from. this adds pool_setipl at IPL_VM to the crypto descriptor pools, and removes all the splvm handling around the use of those pools. tested by many via tech@ ok kettenis@ deraadt@
2014-10-23 | apply only the bit of r1.69 that should have been committed: | David Gwynne
    make the crypto taskq protect things at IPL_VM instead of IPL_HIGH. everything else in crypto.c uses splvm/IPL_VM. it seems this IPL_HIGH came about because the hand rolled task list and thread that crypto used to use was converted to workqs, which unconditionally used IPL_HIGH internally. when it was converted from workqs to tasks it blindly ported the protection workqs gave. tested by many via tech@ and snapshots ok kettenis@
2014-10-23 | revert previous. it did more than the commit message said it did. | David Gwynne
2014-10-22 | make the crypto taskq protect things at IPL_VM instead of IPL_HIGH. | David Gwynne
    everything else in crypto.c uses splvm/IPL_VM. it seems this IPL_HIGH came about because the hand rolled task list and thread that crypto used to use was converted to workqs, which unconditionally used IPL_HIGH internally. when it was converted from workqs to tasks it blindly ported the protection workqs gave. tested by many via tech@ and snapshots ok kettenis@
2014-10-20 | replace bzeros after allocations with M_ZERO and PR_ZERO as appropriate. | David Gwynne
    ok deraadt@
2014-09-14 | remove unneeded proc.h includes | Jonathan Gray
    ok mpi@ kspillner@
2014-08-20 | Bye bye /dev/crypto | Mike Belopuhov
    The interface has been disabled by default for about 4 years and currently there's not much value in having it around at all. ok deraadt
2014-08-18 | don't rely on mbuf.h to provide pool.h. | David Gwynne
    ok miod@, who has offered to help with any MD fallout ok guenther@
2014-07-13 | use mallocarray() | Theo de Raadt
2014-07-13 | do not need malloc.h | Theo de Raadt
2014-07-12 | add a size argument to free. will be used soon, but for now default to 0. | Ted Unangst
    after discussions with beck deraadt kettenis.
2014-07-08 | decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h | Theo de Raadt
    don't need to be married. ok guenther miod beck jsing kettenis
2014-02-18 | fix IPComp interop with linux: switch Z_PARTIAL_FLUSH to Z_FINISH for | Markus Friedl
    deflate(); this hurts interop with broken old openbsd releases; ok reyk@
2014-02-11 | - grow the decompression buffer more aggressively if we have | Markus Friedl
    a high compression ratio, e.g. for ping -s 10000 -p aa
    - deal with inflate returning Z_BUF_ERROR if the output buffer is full. this can happen in some edge cases with upgraded libz from 2004
    ok mikeb@
2014-01-21 | cc_queued is not used for anything atm, remove it; ok jsing, markus | Mike Belopuhov
2014-01-21 | Respect CRYPTO_F_NOQUEUE flag when dispatching a crypto operation | Mike Belopuhov
    ok jsing, markus
2013-11-18 | ansify some function definitions and tidy up this code style wise. this | Brad Smith
    ancient code looked pretty crummy. ok deraadt@
2013-11-02 | replace rc4 with ChaCha20 here, too; ok djm, tedu, deraadt | Markus Friedl
2013-10-31 | convert crypto work queue to the task_add(9) api; ok dlg | Mike Belopuhov
2013-08-25 | Allocate and deallocate memory for encryption contexts within cryptosoft, | Joel Sing
    rather than requiring each algorithm to provide their own memory handling. This matches the interface already provided by cryptosoft for authentication algorithms and removes the need for zerokey functions. ok mikeb@
2013-06-11 | Replace more ovbcopy with memmove; swap the src and dst arguments too | Theo de Raadt
2013-06-05 | fix a bug that caused time-based rekeys to happen too frequently. | Damien Miller
    rename the structure internals to id32_* in anticipation of an idgen16() that might come in the future.
2013-03-27 | institute a hard cap on crypto devs instead of a useless wraparound check | Ted Unangst
    ok beck
2012-12-11 | Bring back a small copy optimization in the aes-gcm handling: | Mike Belopuhov
    with ESN AAD is 12 bytes long so it's faster to zero out 4 bytes than to copy 12. Without ESN it's either copying or zeroing out 8 bytes but we'll rely on the cache locality here.
2012-12-07 | RFC 4106, Section 5 states that the SPI and a 64-bit Sequence | Mike Belopuhov
    Number are provided to the GCM as an Additional Authenticated Data. Usually an SPI and a lower 32-bit part of the ESN are contained within the same memory buffer whereas an upper part of the ESN comes from an external location. To accommodate that RFC 4303, Section 3.3.2.1 states that upper part of the ESN is hashed in the end. Unfortunately this advice is not applicable for the combined authentication/encryption modes and RFC 4106 decided not to follow that advice, effectively requiring large API changes to accommodate that poor choice. For now implement a kludge that will take effect in case CRD_F_ESN flag is set in the crypto operation descriptor. Successfully tested against Linux 3.2 with strongSwan 4.6.4.
2012-12-07 | Fix one of the two issues with ESN support in the GCM case: | Mike Belopuhov
    supply correct AAD length to the final round of hashing. While here rename swcr_combined to swcr_authenc.
2012-12-05 | Remove excessive sys/cdefs.h inclusion | Theo de Raadt
    ok guenther millert kettenis