path: root/sys/crypto

Commit message | Author | Age | Files | Lines
* Add support for the Extended (64-bit) Sequence Number as defined | mikeb | 2012-06-29 | 2 files | -9/+36
  in RFC4302 and RFC4303. Right now only the software crypto engine is capable of doing it. Replay check was rewritten to implement the algorithm described in Appendix A of RFC4303 and the window size was increased to 64. Tested against OpenBSD, Linux (strongswan) and Windows. No objection from the usual suspects.
* Use explicit_bzero() for clearing key material. | matthew | 2012-04-25 | 1 file | -4/+5
  Pointed out by Michael W. Bombardieri on tech@. ok deraadt
* Add struct proc * argument to FRELE() and FILE_SET_MATURE() in | guenther | 2012-04-22 | 1 file | -2/+2
  anticipation of further changes to closef(). No binary change. ok krw@ miod@ deraadt@
* Hold struct filedesc's fd_lock when writing to the fd_ofiles, fd_ofileflags, | guenther | 2012-02-15 | 1 file | -1/+4
  or fd_{lo,hi}maps members, or when doing a read for a write. Fixes hangs when an rthreaded process sleeps while copying the fd table for fork() and catches another thread with the lock. ok jsing@ tedu@
* empty files should be deleted | tedu | 2011-07-07 | 2 files | -0/+0
* Replace the cruddy old sys/net/zlib.[ch]. We now use the sys/lib/libz | deraadt | 2011-07-07 | 4 files | -233/+183
  code. Missing chunks of the API are imported from the libc version, with a few #ifdef's to port it into the kernel environment. The bootblocks already used the newer code, and should encounter no surprises since there are so few changes to the existing files. In the kernel, ipcomp and kernel ppp are changed to the new API. ipcomp has been tested. ok tedu the brave
* cleanup aes-ctr keystream after use; ok deraadt | mikeb | 2011-01-12 | 1 file | -1/+2
* fix encryption for uio_iovcnt > 1 by passing the absolute offset 'count' | markus | 2011-01-11 | 1 file | -3/+16
  to cuio_copydata() and make sure we don't loop forever if the end of an iov matches the cipher block boundary. ok mikeb, deraadt
* key lengths are counted in bits | deraadt | 2011-01-11 | 1 file | -3/+3
* add explicit_bzero() calls before free()ing key material | deraadt | 2011-01-11 | 2 files | -10/+17
  ok mikeb
* in SHA1Final(), explicitly clear the local buffer | deraadt | 2011-01-11 | 1 file | -2/+2
  ok mikeb
* accidental commit of a pending diff relating to something else | deraadt | 2011-01-11 | 1 file | -21/+8
* in AES_GMAC_Final(), explicitly clear the local buffer | deraadt | 2011-01-11 | 1 file | -1/+2
  ok mikeb
* for key material that is being discarded, convert bzero() to | deraadt | 2011-01-11 | 9 files | -39/+52
  explicit_bzero() where required. ok markus mikeb
* use the do {} while construct in the copying macros | deraadt | 2010-12-22 | 1 file | -9/+15
  ok mikeb
* remove dead code (ivp did always point to iv in the decrypt path). | markus | 2010-12-21 | 1 file | -38/+14
  instead save one bcopy() per block by alternating between two iv buffers; ok mikeb@
* move CRYPTO_VIAC3_MAX out of cryptodev.h and into the only | jsg | 2010-12-16 | 1 file | -3/+1
  file it will be used from. requested by/ok mikeb@
* The VIA ciphers are added to an array of CRYPTO_ALGORITHM_MAX length | jsg | 2010-12-16 | 1 file | -1/+3
  which should have been declared as CRYPTO_ALGORITHM_MAX + 1, fix this and reserve enough space for the VIA additions as well. ok/comments from mikeb & deraadt
* disable access to the crypto(4) device from userland; ok deraadt | mikeb | 2010-12-14 | 1 file | -3/+3
* use a well established define instead of rolling our own; no binary change | mikeb | 2010-11-08 | 1 file | -7/+5
* Retire Skipjack | mikeb | 2010-10-06 | 7 files | -349/+5
  There's not much use for the declassified cipher from the 80s with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon. djm and thib agree, no objections from deraadt. Thanks to jsg for digging up FIPS drafts.
* zero out auth hash context before freeing it; ok matthew millert | mikeb | 2010-10-06 | 1 file | -2/+4
* OCF support for the Galois/Counter Mode (GCM) for AES as | mikeb | 2010-09-22 | 7 files | -16/+506
  described in FIPS SP 800-38D. This implementation supports a 16 byte authentication tag only, splitting the transformation into two parts: encryption and authentication. Encryption is handled by the existing AES-CTR implementation, while authentication requires a new AES_GMAC hash function. An additional routine is added to the software crypto driver to deal with peculiarities of a combined authentication-encryption transformation. With suggestions from reyk, naddy and toby.
* Reintroduce most of crypto/crypto.c r1.55: | jsing | 2010-09-08 | 1 file | -12/+8
  Move pool initialization to init_crypto and zap the crypto_pool_initialized variable. This way we don't have to check if the pools are initialized every time we do a crypto_getreq(). However, also perform the crypto initialisation earlier in init_main so that the crypto pools are initialised before they are used. ok mikeb@ thib@ deraadt@
* Backout r1.55 since this breaks anything which does crypto ops prior to | jsing | 2010-08-08 | 1 file | -6/+11
  init_crypto() being called from late in init_main(). In particular, this breaks softraid crypto volumes that are assembled at boot. No cookies for thib/mikeb! "Back it out, right now" deraadt@
* No need for read/write functions, just use enodev like all the other | deraadt | 2010-07-21 | 1 file | -19/+1
  things do. ok nicm
* Switch some obvious network stack MAC comparisons from bcmp() to | matthew | 2010-07-20 | 1 file | -2/+2
  timingsafe_bcmp(). ok deraadt@; committed over WPA.
* Mark a DMA accessible malloc for later correction. This is | matthew | 2010-07-20 | 1 file | -2/+2
  potentially up to 64KB, so we'll need something fancier than dma_alloc().
* Revert part of previous. | thib | 2010-07-08 | 1 file | -4/+6
  The splvm protection is needed after all, as we are walking the list of registered crypto drivers and doing that unprotected is unwise. Pointed out by kettenis@
* Move pool initialization to init_crypto and zap the crypto_pool_initialized | thib | 2010-07-08 | 1 file | -16/+9
  variable. This way we don't have to check if the pools are initialized every time we do a crypto_getreq(). Move splvm lower as it isn't needed all through crypto_newsession(). tiny KNF nit. From mikeb OK deraadt@
* m_copyback can fail to allocate memory, but is a void function so gymnastics | blambert | 2010-07-02 | 1 file | -3/+3
  are required to detect that. Change the function to take a wait argument (used in nfs server, but M_NOWAIT everywhere else for now) and to return an error. ok claudio@ henning@ krw@
* Zap a dead prototype, crypto_thread(); Leftover since crypto was | thib | 2010-06-23 | 1 file | -2/+1
  moved from a special kthread to workqs. OK dlg@
* Remove the CRYPTO_ALGORITHM_ALL define, fixup accordingly | thib | 2010-06-09 | 2 files | -14/+12
  and make the loop invariants <= CRYPTO_ALGORITHM_MAX. Do this also for the CRK_ALGORITHM_MAX; this also fixes a bug that caused us to skip CRK_DH_COMPUTE_KEY. ok deraadt@
* remove proc.h include from uvm_map.h. This has far reaching effects, as | tedu | 2010-04-20 | 3 files | -6/+3
  sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt
* Fix two bugs in IPsec/HMAC-SHA2: | markus | 2010-01-10 | 5 files | -31/+54
  (1) use correct (message) block size of 128 bytes (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits. WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt
* crypto hardware (eg, hifn) establishes its interrupt handler at | dlg | 2009-09-03 | 2 files | -8/+18
  IPL_NET. when the hardware finishes some work for the crypto subsystem and therefore something in the kernel that wanted crypto done, it calls crypto_done from that interrupt handler. one of the things that uses crypto is ipsec. when crypto is done for ipsec it then pushes the packet along the network stack. the problem is that all the structures inside the network stack are only protected at splsoftnet. we could be in the middle of modifications to the pf state table or the pfsync queues when we get a hifn interrupt and then go stomp on the same structures. the solution is to defer the completions so they can do the right spl protections. this basically reverts r1.46 of src/sys/crypto/crypto.c. found by naddy@
* sizeof(ptr) -> sizeof(*ptr) as intended; ok djm@ millert@ | miod | 2009-08-17 | 1 file | -1/+1
* Buffer in RMD160_CTX is length RMD160_BLOCK_LENGTH not RMD160_DIGEST_LENGTH. | millert | 2009-07-05 | 1 file | -2/+2
  Userland version was already correct. From Jason Fritcher. OK deraadt@
* variable no longer used | deraadt | 2009-02-17 | 1 file | -2/+2
* The loop here preparing the uio always added the length of the first | oga | 2009-02-17 | 1 file | -4/+2
  iovec, not the correct one. It worked ok since iovcnt was always 1. Since it's unlikely to be any other number, remove the loop and just add the one length we care about. "go ahead" deraadt@.
* Use defines for constants. Use __attribute__ bounded. | hshoexer | 2008-11-04 | 1 file | -7/+16
  ok markus@ (quite some time ago)
* reintroduce mutexes to workqs for locking. | dlg | 2008-10-30 | 1 file | -2/+2
  tested by many on many archs including several alpha tests. ok tedu@ go for it deraadt@
* match libc sha2(3) API changes for kernel; ok millert@ | djm | 2008-09-06 | 6 files | -172/+172
* Implementation of the HMAC-MD5, HMAC-SHA1, HMAC-SHA256, AES-128-CMAC | damien | 2008-08-12 | 6 files | -0/+572
  and AES Key Wrap algorithms. They will replace/extend the non-generic implementation in net80211. AES-128-CMAC tested by sobrado@ (AlphaServer 1200), naddy@ (alpha/sparc64) and sthen@ (sparc64, armish). HMAC-* reviewed by hshoexer@ ok and hints from djm@
* gives this a chance to work on architectures with strict alignment | damien | 2008-07-21 | 1 file | -17/+28
  constraints.
* implement automatic time-based rekeying (every 10 minutes); ok deraadt@ | djm | 2008-06-25 | 2 files | -19/+24
* Introduce a facility to generate unpredictable 32 bit numbers with | djm | 2008-06-09 | 2 files | -0/+167
  near maximal (2^32) cycle times. These are useful for network IDs in cases where there are negative consequences to ID prediction and/or reuse. Use the idgen32() functions to generate IPv6 IDs and NFS client/server XIDs. Pseudorandom permutation code in crypto/idgen.c based on public domain skip32.c from Greg Rose. feedback & ok thib@ deraadt@
* add myself to copyright | djm | 2008-06-09 | 1 file | -3/+8
* Implement the AES XTS mode of operation for the crypto(9) framework. | djm | 2008-06-09 | 5 files | -15/+177
  XTS is a "tweaked" AES mode that has properties that are desirable for block device encryption and it is specified in the IEEE P1619-2007 standard for this purpose. prodded by & ok hshoexer@
* constify arguments in wrapper functions; the lower level functions | djm | 2008-06-09 | 2 files | -10/+10
  were already done