path: root/sys/crypto/cryptosoft.c (follow)

Commit message | Author | Date | Files | Lines
* free(9) sizes.
  mpi | 2019-01-09 | 1 file changed | -3/+3
  ok visa@

* Add sizes for free().
  fcambus | 2018-05-31 | 1 file changed | -6/+7
  OK visa@

* Switch OCF and IPsec over to the new AES
  mikeb | 2017-05-02 | 1 file changed | -5/+5
  ok djm

* Reduce the per-packet allocation costs for crypto operations (cryptop)
  patrick | 2017-02-07 | 1 file changed | -4/+7
  by pre-allocating two cryptodesc objects and storing them in an array instead of a linked list. If more than two cryptodesc objects are required use mallocarray to fetch them. Adapt the drivers to the new API. This change results in one pool-get per ESP packet instead of three. It also simplifies softraid crypto where more cryptodesc objects are allocated than used. From, with and ok markus@, ok bluhm@ "looks sane" mpi@

* Remove variables 'm' and 'uio' that are only ever assigned to
  tom | 2016-09-02 | 1 file changed | -5/+1
  (in swcr_authenc()) ok mikeb@, who pointed out that I'd missed uio

* Remove plain DES from the kernel crypto framework, including the crypto
  naddy | 2015-12-10 | 1 file changed | -7/+1
  accelerator drivers. No longer used by anything. ok sthen@ mikeb@

* Cleanup gotos as suggested by jsing@ along with spaces and label names
  mikeb | 2015-11-18 | 1 file changed | -8/+7

* Remove unused non HMAC versions of MD5 and SHA1; ok mpi, deraadt, naddy
  mikeb | 2015-11-13 | 1 file changed | -30/+1

* remove a few unused defines
  mikeb | 2015-11-12 | 1 file changed | -3/+2

* Enable Chacha20-Poly1305 in the software crypto driver
  mikeb | 2015-11-03 | 1 file changed | -1/+25
  ok naddy, jsing, reyk

* Use axf's hashsize as a block size in the authenticated encryption routine.
  mikeb | 2015-10-26 | 1 file changed | -7/+7
  No change for GCM, however upcoming changes will rely on this.

* two fairly simple sizes for free()
  deraadt | 2015-08-31 | 1 file changed | -3/+4

* Remove some includes include-what-you-use claims don't
  jsg | 2015-03-14 | 1 file changed | -2/+1
  have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels. ok tedu@ deraadt@

* remove KPDK. not really used, and a bad choice anyway. ok naddy
  tedu | 2014-12-28 | 1 file changed | -59/+1

* use mallocarray()
  deraadt | 2014-07-13 | 1 file changed | -2/+2

* add a size argument to free. will be used soon, but for now default to 0.
  tedu | 2014-07-12 | 1 file changed | -12/+12
  after discussions with beck deraadt kettenis.

* Allocate and deallocate memory for encryption contexts within cryptosoft,
  jsing | 2013-08-25 | 1 file changed | -4/+14
  rather than requiring each algorithm to provide their own memory handling. This matches the interface already provided by cryptosoft for authentication algorithms and removes the need for zerokey functions. ok mikeb@

* Bring back a small copy optimization in the aes-gcm handling:
  mikeb | 2012-12-11 | 1 file changed | -2/+3
  with ESN AAD is 12 bytes long so it's faster to zero out 4 bytes than to copy 12. Without ESN it's either copying or zeroing out 8 bytes but we'll rely on the cache locality here.

* RFC 4106, Section 5 states that the SPI and a 64-bit Sequence
  mikeb | 2012-12-07 | 1 file changed | -17/+25
  Number are provided to the GCM as an Additional Authenticated Data. Usually an SPI and a lower 32-bit part of the ESN are contained within the same memory buffer whereas an upper part of the ESN comes from an external location. To accommodate that RFC 4303, Section 3.3.2.1 states that upper part of the ESN is hashed in the end. Unfortunately this advice is not applicable for the combined authentication/encryption modes and RFC 4106 decided not to follow that advice, effectively requiring large API changes to accommodate that poor choice. For now implement a kludge that will take an effect in case CRD_F_ESN flag is set in the crypto operation descriptor. Successfully tested against Linux 3.2 with strongSwan 4.6.4.

* Fix one of the two issues with ESN support in the GCM case:
  mikeb | 2012-12-07 | 1 file changed | -4/+4
  supply correct AAD length to the final round of hashing. While here rename swcr_combined to swcr_authenc.

* Clean up uninitialized warnings from cryptosoft and aesni.
  haesbaert | 2012-10-04 | 1 file changed | -2/+4
  Part of the work to remove -Wno-uninitialized. ok mikeb@

* Add support for the Extended (64-bit) Sequence Number as defined
  mikeb | 2012-06-29 | 1 file changed | -6/+25
  in RFC4302 and RFC4303. Right now only software crypto engine is capable of doing it. Replay check was rewritten to implement algorithm described in the Appendix A of RFC4303 and the window size was increased to 64. Tested against OpenBSD, Linux (strongswan) and Windows. No objection from the usual suspects.

* fix encryption for uio_iovcnt > 1 by passing the absolute offset 'count'
  markus | 2011-01-11 | 1 file changed | -3/+16
  to cuio_copydata() and make sure we don't loop forever if the end of an iov matches the cipher block boundary. ok mikeb, deraadt

* add explicit_bzero() calls before free()ing key material
  deraadt | 2011-01-11 | 1 file changed | -6/+6
  ok mikeb

* accidental commit of a pending diff relating to something else
  deraadt | 2011-01-11 | 1 file changed | -21/+8

* for key material that is being discarded, convert bzero() to
  deraadt | 2011-01-11 | 1 file changed | -8/+21
  explicit_bzero() where required ok markus mikeb

* use the do {} while construct in the copying macros
  deraadt | 2010-12-22 | 1 file changed | -9/+15
  ok mikeb

* remove dead code (ivp did always point to iv in the decrypt path).
  markus | 2010-12-21 | 1 file changed | -38/+14
  instead save one bcopy() per block by alternating between two iv buffers; ok mikeb@

* Retire Skipjack
  mikeb | 2010-10-06 | 1 file changed | -8/+1
  There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon. djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.

* zero out auth hash context before freeing it; ok matthew millert
  mikeb | 2010-10-06 | 1 file changed | -2/+4

* OCF support for the Galois/Counter Mode (GCM) for AES as
  mikeb | 2010-09-22 | 1 file changed | -1/+192
  described in FIPS SP 800-38D. This implementation supports 16 byte authentication tag only, splitting transformation into two parts: encryption and authentication. Encryption is handled by the existing AES-CTR implementation, while authentication requires new AES_GMAC hash function. Additional routine is added to the software crypto driver to deal with peculiarities of a combined authentication-encryption transformation. With suggestions from reyk, naddy and toby.

* m_copyback can fail to allocate memory, but is a void function so gymnastics
  blambert | 2010-07-02 | 1 file changed | -3/+3
  are required to detect that. Change the function to take a wait argument (used in nfs server, but M_NOWAIT everywhere else for now) and to return an error ok claudio@ henning@ krw@

* remove proc.h include from uvm_map.h. This has far reaching effects, as
  tedu | 2010-04-20 | 1 file changed | -2/+1
  sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt

* Fix two bugs in IPsec/HMAC-SHA2:
  markus | 2010-01-10 | 1 file changed | -8/+24
  (1) use correct (message) block size of 128 byte (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits. WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec-implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt

* Implement the AES XTS mode of operation for the crypto(9) framework.
  djm | 2008-06-09 | 1 file changed | -5/+39
  XTS is a "tweaked" AES mode that has properties that are desirable for block device encryption and it is specified in the IEEE P1619-2007 standard for this purpose. prodded by & ok hshoexer@

* rename arc4random_bytes => arc4random_buf to match libc's nicer name;
  djm | 2008-06-09 | 1 file changed | -2/+2
  ok deraadt@

* fix error introduced by my previous commit:
  hshoexer | 2007-09-15 | 1 file changed | -2/+2
  "MALLOC(*swd, ...)" vs. "swd = malloc(..." ok millert

* Here too: Convert MALLOC/FREE to malloc/free and use M_ZERO where applicable.
  hshoexer | 2007-09-13 | 1 file changed | -12/+9
  error spotting and ok krw@

* Make the hmac ipad/opad globals "const" and fixup the crypto functions
  henric | 2007-09-10 | 1 file changed | -3/+3
  to match. ok deraadt@

* Avoid void * arithmetic, okay deraadt@, suggestions from millert@
  pedro | 2006-12-29 | 1 file changed | -2/+2

* AESCTR support for ESP (RFC 3686); ok hshoexer
  markus | 2005-05-25 | 1 file changed | -16/+31

* support NULL encryption for ESP; ok hshoexer, ho
  markus | 2005-05-10 | 1 file changed | -1/+4

* simplify by using arc4random_bytes(), ok djm, hshoexer
  markus | 2005-05-02 | 1 file changed | -22/+3

* Allow the setkey function of a transform to fail, eg. when an insufficient
  hshoexer | 2004-12-20 | 1 file changed | -3/+6
  number of key bits is supplied. Only AES and DES/3DES might fail. ok and help markus@

* Replace RSA-derived md5 code with code derived from Colin Plumb's PD version.
  millert | 2004-05-07 | 1 file changed | -2/+2
  This moves md5.c out of libkern and into sys/crypto where it belongs (as requested by markus@). Note that md5.c is still mandatory (dev/rnd.c uses it). Verified with IPsec + hmac-md5 and tcp md5sig. OK henning@ and hshoexer@

* leak; vgirish at tenet.res.in; via angelos; ok hshoexer, henning, deraadt
  markus | 2004-04-14 | 1 file changed | -1/+4

* hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok
  itojun | 2003-07-24 | 1 file changed | -1/+19

* There's no cleaning necessary for deflate compression, so remove it from
  jason | 2003-02-21 | 1 file changed | -6/+1
  the switch.

* From Angelos:
  jason | 2002-11-21 | 1 file changed | -31/+25
  - simplistic load balancing across multiple cards
  - simplified registration process
  - a few style nits.

* Add a CRYPTO_NULL xform (it's a do nothing, but nice for measuring the
  jason | 2002-11-12 | 1 file changed | -1/+8
  bandwidth of the kernel API). It's only available from userland and then only if kern.cryptodevallowsoft=1.