#
303975 |
|
11-Aug-2016 |
gjb |
Copy stable/11@r303970 to releng/11.0 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, and rename it to RC1.
Update __FreeBSD_version.
Use the quarterly branch for the default FreeBSD.conf pkg(8) repo and the dvd1.iso packages population.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
302408 |
|
08-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
293306 |
|
07-Jan-2016 |
allanjude |
Make additional parts of sys/geom/eli more usable in userspace
The upcoming GELI support in the loader reuses parts of this code Some ifdefs are added, and some code is moved outside of existing ifdefs
The HMAC parts of GELI are broken out into their own file, to separate them from the kernel crypto/openssl dependant parts that are replaced in the boot code.
Passed the GELI regression suite (tools/regression/geom/eli) Files=20 Tests=14996 Result: PASS
Reviewed by: pjd, delphij MFC after: 1 week Sponsored by: ScaleEngine Inc. Differential Revision: https://reviews.freebsd.org/D4699
|
#
275732 |
|
12-Dec-2014 |
jmg |
Add some new modes to OpenCrypto. These modes are AES-ICM (can be used for counter mode), and AES-GCM. Both of these modes have been added to the aesni module.
Included is a set of tests to validate that the software and aesni module calculate the correct values. These use the NIST KAT test vectors. To run the test, you will need to install a soon to be committed port, nist-kat that will install the vectors. Using a port is necessary as the test vectors are around 25MB.
All the man pages were updated. I have added a new man page, crypto.7, which includes a description of how to use each mode. All the new modes and some other AES modes are present. It would be good for someone else to go through and document the other modes.
A new ioctl was added to support AEAD modes which AES-GCM is one of them. Without this ioctl, it is not possible to test AEAD modes from userland.
Add a timing safe bcmp for use to compare MACs. Previously we were using bcmp which could leak timing info and result in the ability to forge messages.
Add a minor optimization to the aesni module so that single segment mbufs don't get copied and instead are updated in place. The aesni module needs to be updated to support blocked IO so segmented mbufs don't have to be copied.
We require that the IV be specified for all calls for both GCM and ICM. This is to ensure proper use of these functions.
Obtained from: p4: //depot/projects/opencrypto Relnotes: yes Sponsored by: FreeBSD Foundation Sponsored by: NetGate
|
#
271148 |
|
05-Sep-2014 |
jmg |
use a straight buffer instead of an iov w/ 1 segment... The aesni driver when it hits a mbuf/iov buffer, it mallocs and copies the data for processing.. This improves perf by ~8-10% on my machine...
I have thoughts of fixing AES-NI so that it can better handle segmented buffers, which should help improve IPSEC performance, but that is for the future...
|
#
261618 |
|
08-Feb-2014 |
delphij |
In g_eli_crypto_hmac_init(), zero out after using the ipad buffer, k_ipad.
Note that the two consumers in geli(4) are not affected by this issue because the way the code is constructed and as such, we believe there is no security impact with or without this change with geli(4)'s usage.
Reported by: Serge van den Boom <serge vdboom.org> Reviewed by: pjd MFC after: 2 weeks
|
#
259429 |
|
15-Dec-2013 |
pjd |
Clear some more places with potentially sensitive data.
MFC after: 1 week
|
#
213072 |
|
23-Sep-2010 |
pjd |
Update copyright years.
MFC after: 1 week
|
#
213070 |
|
23-Sep-2010 |
pjd |
Add support for AES-XTS. This will be the default now.
MFC after: 1 week
|
#
173746 |
|
19-Nov-2007 |
jb |
On some arches, openssl is built with OPENSSL_NO_CAMELLIA, so the code here needs to depend on that too.
|
#
172031 |
|
01-Sep-2007 |
pjd |
Add support for Camellia encryption algorithm.
PR: kern/113790 Submitted by: Yoshisato YANAGISAWA <yanagisawa@csg.is.titech.ac.jp> Approved by: re (bmah)
|
#
167755 |
|
21-Mar-2007 |
sam |
Overhaul driver/subsystem api's: o make all crypto drivers have a device_t; pseudo drivers like the s/w crypto driver synthesize one o change the api between the crypto subsystem and drivers to use kobj; cryptodev_if.m defines this api o use the fact that all crypto drivers now have a device_t to add support for specifying which of several potential devices to use when doing crypto operations o add new ioctls that allow user apps to select a specific crypto device to use (previous ioctls maintained for compatibility) o overhaul crypto subsystem code to eliminate lots of cruft and hide implementation details from drivers o bring in numerous fixes from Michale Richardson/hifn; mostly for 795x parts o add an optional mechanism for mmap'ing the hifn 795x public key h/w to user space for use by openssl (not enabled by default) o update crypto test tools to use new ioctl's and add cmd line options to specify a device to use for tests
These changes will also enable much future work on improving the core crypto subsystem; including proper load balancing and interposing code between the core and drivers to dispatch small operations to the s/w driver as appropriate.
These changes were instigated by the work of Michael Richardson.
Reviewed by: pjd Approved by: re
|
#
157900 |
|
20-Apr-2006 |
pjd |
geli(8) provides keys on newsession time, so remove CRD_F_KEY_EXPLICIT flag as HW crypto drivers don't support it.
|
#
155174 |
|
01-Feb-2006 |
pjd |
Remove trailing spaces.
|
#
148456 |
|
27-Jul-2005 |
pjd |
Add GEOM_ELI class which provides GEOM providers encryption. For features list and usage see manual page: geli(8).
Sponsored by: Wheel Sp. z o.o. http://www.wheel.pl MFC after: 1 week
|