#
71625ec9 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c comment pattern Remove /^/[*/]\s*\$FreeBSD\$.*\n/
|
#
09bfa5cf |
|
15-Feb-2022 |
Mark Johnston <markj@FreeBSD.org> |
opencrypto: Add a routine to copy a crypto buffer cursor This was useful in converting armv8crypto to use buffer cursors. There are some cases where one wants to make two passes over data, and this provides a way to "reset" a cursor. Reviewed by: jhb MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D28949
|
#
f6459a7a |
|
25-Jan-2022 |
John Baldwin <jhb@FreeBSD.org> |
opencrypto/cryptodev.h: Add includes to make more self-contained. Reviewed by: markj, emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34021
|
#
8f35841f |
|
11-Jan-2022 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Add support for the XChaCha20-Poly1305 AEAD cipher. This cipher is a wrapper around the ChaCha20-Poly1305 AEAD cipher which accepts a larger nonce. Part of the nonce is used along with the key as an input to HChaCha20 to generate a derived key used for ChaCha20-Poly1305. This cipher is used by WireGuard. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33523
|
#
74d3f1b6 |
|
04-Jan-2022 |
John Baldwin <jhb@FreeBSD.org> |
OCF: Add crypto_clonereq(). This function clones an existing crypto request, but associates the new request with a specified session. The intended use case is for drivers to be able to fall back to software by cloning a request and dispatch it to an internally allocated software session. Reviewed by: markj Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D33607
|
#
d074adf1 |
|
20-Dec-2021 |
John Baldwin <jhb@FreeBSD.org> |
cryptodev.h: Drop 'extern' from function prototypes. Sponsored by: Chelsio Communications
|
#
47fc0495 |
|
16-Dec-2021 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Define POLY1305_BLOCK_LEN constant. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33485
|
#
ae18720d |
|
06-Oct-2021 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Support multiple nonce lengths for AES-CCM. Permit nonces of lengths 7 through 13 in the OCF framework and the cryptosoft driver. A helper function (ccm_max_payload_length) can be used in OCF drivers to reject CCM requests which are too large for the specified nonce length. Reviewed by: sef Sponsored by: Chelsio Communications, The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32111
|
#
16676123 |
|
06-Oct-2021 |
John Baldwin <jhb@FreeBSD.org> |
cryptodev: Permit explicit IV/nonce and MAC/tag lengths. Add 'ivlen' and 'maclen' fields to the structure used for CIOGSESSION2 to specify the explicit IV/nonce and MAC/tag lengths for crypto sessions. If these fields are zero, the default lengths are used. This permits selecting an alternate nonce length for AEAD ciphers such as AES-CCM which support multiple nonce leengths. It also supports truncated MACs as input to AEAD or ETA requests. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32107
|
#
d8787d4f |
|
26-Jul-2021 |
Mark Johnston <markj@FreeBSD.org> |
crypto: Constify all transform descriptors No functional change intended. Reviewed by: ae, jhb MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31196
|
#
8fa5c577 |
|
16-Jun-2021 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Remove now-unused crypto_cursor_seg{base,len}. Callers should use crypto_cursor_segment() instead. Reviewed by: markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D30448
|
#
beb817ed |
|
25-May-2021 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Add crypto_cursor_segment() to fetch both base and length. This function combines crypto_cursor_segbase() and crypto_cursor_seglen() into a single function. This is mostly beneficial in the unmapped mbuf case where back to back calls of these two functions have to iterate over the sub-components of unmapped mbufs twice. Bump __FreeBSD_version for crypto drivers in ports. Suggested by: markj Reviewed by: markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D30445
|
#
883a0196 |
|
25-May-2021 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Add a new type of crypto buffer for a single mbuf. This is intended for use in KTLS transmit where each TLS record is described by a single mbuf that is itself queued in the socket buffer. Using the existing CRYPTO_BUF_MBUF would result in bus_dmamap_load_crp() walking additional mbufs in the socket buffer that are not relevant, but generating a S/G list that potentially exceeds the limit of the tag (while also wasting CPU cycles). Reviewed by: markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D30136
|
#
76681661 |
|
12-Apr-2021 |
John Baldwin <jhb@FreeBSD.org> |
OCF: Remove support for asymmetric cryptographic operations. There haven't been any non-obscure drivers that supported this functionality and it has been impossible to test to ensure that it still works. The only known consumer of this interface was the engine in OpenSSL < 1.1. Modern OpenSSL versions do not include support for this interface as it was not well-documented. Reviewed by: cem Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D29736
|
#
fc8fc743 |
|
18-Feb-2021 |
John Baldwin <jhb@FreeBSD.org> |
Add an OCF algorithm for ChaCha20-Poly1305 AEAD. Note that this algorithm implements the mode defined in RFC 8439. Reviewed by: cem Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D27836
|
#
68f6800c |
|
08-Feb-2021 |
Mark Johnston <markj@FreeBSD.org> |
opencrypto: Introduce crypto_dispatch_async() Currently, OpenCrypto consumers can request asynchronous dispatch by setting a flag in the cryptop. (Currently only IPSec may do this.) I think this is a bit confusing: we (conditionally) set cryptop flags to request async dispatch, and then crypto_dispatch() immediately examines those flags to see if the consumer wants async dispatch. The flag names are also confusing since they don't specify what "async" applies to: dispatch or completion. Add a new KPI, crypto_dispatch_async(), rather than encoding the requested dispatch type in each cryptop. crypto_dispatch_async() falls back to crypto_dispatch() if the session's driver provides asynchronous dispatch. Get rid of CRYPTOP_ASYNC() and CRYPTOP_ASYNC_KEEPORDER(). Similarly, add crypto_dispatch_batch() to request processing of a tailq of cryptops, rather than encoding the scheduling policy using cryptop flags. Convert GELI, the only user of this interface (disabled by default) to use the new interface. Add CRYPTO_SESS_SYNC(), which can be used by consumers to determine whether crypto requests will be dispatched synchronously. This is just a helper macro. Use it instead of looking at cap flags directly. Fix style in crypto_done(). Also get rid of CRYPTO_RETW_EMPTY() and just check the relevant queues directly. This could result in some unnecessary wakeups but I think it's very uncommon to be using more than one queue per worker in a given workload, so checking all three queues is a waste of cycles. Reviewed by: jhb Sponsored by: Ampere Computing Submitted by: Klara, Inc. MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D28194
|
#
688f8b82 |
|
24-Nov-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove the cloned file descriptors for /dev/crypto. Crypto file descriptors were added in the original OCF import as a way to provide per-open data (specifically the list of symmetric sessions). However, this gives a bit of a confusing API where one has to open /dev/crypto and then invoke an ioctl to obtain a second file descriptor. This also does not match the API used with /dev/crypto on other BSDs or with Linux's /dev/crypto driver. Character devices have gained support for per-open data via cdevpriv since OCF was imported, so use cdevpriv to simplify the userland API by permitting ioctls directly on /dev/crypto descriptors. To provide backwards compatibility, CRIOGET now opens another /dev/crypto descriptor via kern_openat() rather than dup'ing the existing file descriptor. This preserves prior semantics in case CRIOGET is invoked multiple times on a single file descriptor. Reviewed by: markj Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D27302
|
#
3acf4d23 |
|
06-Nov-2020 |
John Baldwin <jhb@FreeBSD.org> |
Use void * in place of caddr_t. Reviewed by: markj Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D27065
|
#
d3d79e96 |
|
03-Nov-2020 |
John Baldwin <jhb@FreeBSD.org> |
Consistently use C99 fixed-width types in the in-kernel crypto code. Reviewed by: markj Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D27061
|
#
d588dc7d |
|
30-Oct-2020 |
Mark Johnston <markj@FreeBSD.org> |
opencrypto: Annotate hmac_init_(i|o)pad() to make auth_hash const This makes them friendlier to drivers that try to use const pointers whenever possible in their internal structures. Reviewed by: jhb Sponsored by: Rubicon Communications, LLC (Netgate) Differential Revision: https://reviews.freebsd.org/D26901
|
#
7e89ae49 |
|
16-Oct-2020 |
Marcin Wojtas <mw@FreeBSD.org> |
Prepare crypto framework for IPsec ESN support This permits requests (netipsec ESP and AH protocol) to provide the IPsec ESN (Extended Sequence Numbers) in a separate buffer. As with separate output buffer and separate AAD buffer not all drivers support this feature. Consumer must request use of this feature via new session flag. Submitted by: Grzegorz Jaszczyk <jaz@semihalf.com> Patryk Duda <pdk@semihalf.com> Reviewed by: jhb Differential revision: https://reviews.freebsd.org/D24838 Obtained from: Semihalf Sponsored by: Stormshield
|
#
e6f6d0c9 |
|
25-Aug-2020 |
Alan Somers <asomers@FreeBSD.org> |
crypto(9): add CRYPTO_BUF_VMPAGE crypto(9) functions can now be used on buffers composed of an array of vm_page_t structures, such as those stored in an unmapped struct bio. It requires the running to kernel to support the direct memory map, so not all architectures can use it. Reviewed by: markj, kib, jhb, mjg, mat, bcr (manpages) MFC after: 1 week Sponsored by: Axcient Differential Revision: https://reviews.freebsd.org/D25671
|
#
946b8f6f |
|
16-Jul-2020 |
John Baldwin <jhb@FreeBSD.org> |
Add crypto_initreq() and crypto_destroyreq(). These routines are similar to crypto_getreq() and crypto_freereq() but operate on caller-supplied storage instead of allocating crypto requests from a UMA zone. Reviewed by: markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D25691
|
#
7290cb47 |
|
30-Jun-2020 |
Mark Johnston <markj@FreeBSD.org> |
Convert cryptostats to a counter_u64 array. The global counters were not SMP-friendly. Use per-CPU counters instead. Reviewed by: jhb Sponsored by: Rubicon Communications, LLC (Netgate) Differential Revision: https://reviews.freebsd.org/D25466
|
#
a5c053f5 |
|
30-Jun-2020 |
Mark Johnston <markj@FreeBSD.org> |
Remove CRYPTO_TIMING. It was added a very long time ago. It is single-threaded, so only really useful for basic measurements, and in the meantime we've gotten some more sophisticated profiling tools. Reviewed by: cem, delphij, jhb Sponsored by: Rubicon Communications, LLC (Netgate) Differential Revision: https://reviews.freebsd.org/D25464
|
#
9b774dc0 |
|
22-Jun-2020 |
John Baldwin <jhb@FreeBSD.org> |
Add support to the crypto framework for separate AAD buffers. This permits requests to provide the AAD in a separate side buffer instead of as a region in the crypto request input buffer. This is useful when the main data buffer might not contain the full AAD (e.g. for TLS or IPsec with ESN). Unlike separate IVs which are constrained in size and stored in an array in struct cryptop, separate AAD is provided by the caller setting a new crp_aad pointer to the buffer. The caller must ensure the pointer remains valid and the buffer contents static until the request is completed (e.g. when the callback routine is invoked). As with separate output buffers, not all drivers support this feature. Consumers must request use of this feature via a new session flag. To aid in driver testing, kern.crypto.cryptodev_separate_aad can be set to force /dev/crypto requests to use a separate AAD buffer. Discussed with: cem Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25288
|
#
9b6b2f86 |
|
10-Jun-2020 |
John Baldwin <jhb@FreeBSD.org> |
Adjust crypto_apply function callbacks for OCF. - crypto_apply() is only used for reading a buffer to compute a digest, so change the data pointer to a const pointer. - To better match m_apply(), change the data pointer type to void * and the length from uint16_t to u_int. The length field in particular matters as none of the apply logic was splitting requests larger than UINT16_MAX. - Adjust the auth_xform Update callback to match the function prototype passed to crypto_apply() and crypto_apply_buf(). This removes the needs for casts when using the Update callback. - Change the Reinit and Setkey callbacks to also use a u_int length instead of uint16_t. - Update auth transforms for the changes. While here, use C99 initializers for auth_hash structures and avoid casts on callbacks. Reviewed by: cem Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25171
|
#
a3d565a1 |
|
09-Jun-2020 |
John Baldwin <jhb@FreeBSD.org> |
Add a crypto capability flag for accelerated software drivers. Use this in GELI to print out a different message when accelerated software such as AESNI is used vs plain software crypto. While here, simplify the logic in GELI a bit for determing which type of crypto driver was chosen the first time by examining the capabilities of the matched driver after a single call to crypto_newsession rather than making separate calls with different flags. Reviewed by: delphij Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25126
|
#
33f3bad3 |
|
25-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Export the _kern_crypto sysctl node from crypto.c. Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24545
|
#
9c0e3d3a |
|
25-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Add support for optional separate output buffers to in-kernel crypto. Some crypto consumers such as GELI and KTLS for file-backed sendfile need to store their output in a separate buffer from the input. Currently these consumers copy the contents of the input buffer into the output buffer and queue an in-place crypto operation on the output buffer. Using a separate output buffer avoids this copy. - Create a new 'struct crypto_buffer' describing a crypto buffer containing a type and type-specific fields. crp_ilen is gone, instead buffers that use a flat kernel buffer have a cb_buf_len field for their length. The length of other buffer types is inferred from the backing store (e.g. uio_resid for a uio). Requests now have two such structures: crp_buf for the input buffer, and crp_obuf for the output buffer. - Consumers now use helper functions (crypto_use_*, e.g. crypto_use_mbuf()) to configure the input buffer. If an output buffer is not configured, the request still modifies the input buffer in-place. A consumer uses a second set of helper functions (crypto_use_output_*) to configure an output buffer. - Consumers must request support for separate output buffers when creating a crypto session via the CSP_F_SEPARATE_OUTPUT flag and are only permitted to queue a request with a separate output buffer on sessions with this flag set. Existing drivers already reject sessions with unknown flags, so this permits drivers to be modified to support this extension without requiring all drivers to change. - Several data-related functions now have matching versions that operate on an explicit buffer (e.g. crypto_apply_buf, crypto_contiguous_subsegment_buf, bus_dma_load_crp_buf). - Most of the existing data-related functions operate on the input buffer. However crypto_copyback always writes to the output buffer if a request uses a separate output buffer. - For the regions in input/output buffers, the following conventions are followed: - AAD and IV are always present in input only and their fields are offsets into the input buffer. - payload is always present in both buffers. If a request uses a separate output buffer, it must set a new crp_payload_start_output field to the offset of the payload in the output buffer. - digest is in the input buffer for verify operations, and in the output buffer for compute operations. crp_digest_start is relative to the appropriate buffer. - Add a crypto buffer cursor abstraction. This is a more general form of some bits in the cryptosoft driver that tried to always use uio's. However, compared to the original code, this avoids rewalking the uio iovec array for requests with multiple vectors. It also avoids allocate an iovec array for mbufs and populating it by instead walking the mbuf chain directly. - Update the cryptosoft(4) driver to support separate output buffers making use of the cursor abstraction. Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24545
|
#
d65771e4 |
|
22-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Correct the minimum key length for Camellia to 16 bytes (128 bits). MFC after: 1 week
|
#
63823cac |
|
11-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove MD5 HMAC from OCF. There are no in-kernel consumers. Reviewed by: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24775
|
#
0e00c709 |
|
11-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove support for DES and Triple DES from OCF. It no longer has any in-kernel consumers via OCF. smbfs still uses single DES directly, so sys/crypto/des remains for that use case. Reviewed by: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24773
|
#
32075647 |
|
11-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove support for the Blowfish algorithm from OCF. It no longer has any in-kernel consumers. Reviewed by: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24772
|
#
33fb013e |
|
11-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove support for the ARC4 algorithm from OCF. There are no longer any in-kernel consumers. The software implementation was also a non-functional stub. Reviewed by: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24771
|
#
3a0b6a93 |
|
11-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove support for keyed MD5 and SHA1 authentication hashes. They no longer have any in-tree consumers. Note that these are a different from MD5-HMAC and SHA1-HMAC and were only used with IPsec. Reviewed by: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24770
|
#
5e46d47f |
|
11-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove support for the skipjack encryption algorithm. This was removed from IPsec in r286100 and no longer has any in-tree consumers. Reviewed by: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24769
|
#
7971a6f9 |
|
11-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove support for the cast128 encryption algorithm. It no longer has any in-tree consumers. Reviewed by: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24768
|
#
29fe41dd |
|
20-Apr-2020 |
John Baldwin <jhb@FreeBSD.org> |
Retire the CRYPTO_F_IV_GENERATE flag. The sole in-tree user of this flag has been retired, so remove this complexity from all drivers. While here, add a helper routine drivers can use to read the current request's IV into a local buffer. Use this routine to replace duplicated code in nearly all drivers. Reviewed by: cem Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24450
|
#
c0341432 |
|
27-Mar-2020 |
John Baldwin <jhb@FreeBSD.org> |
Refactor driver and consumer interfaces for OCF (in-kernel crypto). - The linked list of cryptoini structures used in session initialization is replaced with a new flat structure: struct crypto_session_params. This session includes a new mode to define how the other fields should be interpreted. Available modes include: - COMPRESS (for compression/decompression) - CIPHER (for simply encryption/decryption) - DIGEST (computing and verifying digests) - AEAD (combined auth and encryption such as AES-GCM and AES-CCM) - ETA (combined auth and encryption using encrypt-then-authenticate) Additional modes could be added in the future (e.g. if we wanted to support TLS MtE for AES-CBC in the kernel we could add a new mode for that. TLS modes might also affect how AAD is interpreted, etc.) The flat structure also includes the key lengths and algorithms as before. However, code doesn't have to walk the linked list and switch on the algorithm to determine which key is the auth key vs encryption key. The 'csp_auth_*' fields are always used for auth keys and settings and 'csp_cipher_*' for cipher. (Compression algorithms are stored in csp_cipher_alg.) - Drivers no longer register a list of supported algorithms. This doesn't quite work when you factor in modes (e.g. a driver might support both AES-CBC and SHA2-256-HMAC separately but not combined for ETA). Instead, a new 'crypto_probesession' method has been added to the kobj interface for symmteric crypto drivers. This method returns a negative value on success (similar to how device_probe works) and the crypto framework uses this value to pick the "best" driver. There are three constants for hardware (e.g. ccr), accelerated software (e.g. aesni), and plain software (cryptosoft) that give preference in that order. One effect of this is that if you request only hardware when creating a new session, you will no longer get a session using accelerated software. Another effect is that the default setting to disallow software crypto via /dev/crypto now disables accelerated software. Once a driver is chosen, 'crypto_newsession' is invoked as before. - Crypto operations are now solely described by the flat 'cryptop' structure. The linked list of descriptors has been removed. A separate enum has been added to describe the type of data buffer in use instead of using CRYPTO_F_* flags to make it easier to add more types in the future if needed (e.g. wired userspace buffers for zero-copy). It will also make it easier to re-introduce separate input and output buffers (in-kernel TLS would benefit from this). Try to make the flags related to IV handling less insane: - CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv' member of the operation structure. If this flag is not set, the IV is stored in the data buffer at the 'crp_iv_start' offset. - CRYPTO_F_IV_GENERATE means that a random IV should be generated and stored into the data buffer. This cannot be used with CRYPTO_F_IV_SEPARATE. If a consumer wants to deal with explicit vs implicit IVs, etc. it can always generate the IV however it needs and store partial IVs in the buffer and the full IV/nonce in crp_iv and set CRYPTO_F_IV_SEPARATE. The layout of the buffer is now described via fields in cryptop. crp_aad_start and crp_aad_length define the boundaries of any AAD. Previously with GCM and CCM you defined an auth crd with this range, but for ETA your auth crd had to span both the AAD and plaintext (and they had to be adjacent). crp_payload_start and crp_payload_length define the boundaries of the plaintext/ciphertext. Modes that only do a single operation (COMPRESS, CIPHER, DIGEST) should only use this region and leave the AAD region empty. If a digest is present (or should be generated), it's starting location is marked by crp_digest_start. Instead of using the CRD_F_ENCRYPT flag to determine the direction of the operation, cryptop now includes an 'op' field defining the operation to perform. For digests I've added a new VERIFY digest mode which assumes a digest is present in the input and fails the request with EBADMSG if it doesn't match the internally-computed digest. GCM and CCM already assumed this, and the new AEAD mode requires this for decryption. The new ETA mode now also requires this for decryption, so IPsec and GELI no longer do their own authentication verification. Simple DIGEST operations can also do this, though there are no in-tree consumers. To eventually support some refcounting to close races, the session cookie is now passed to crypto_getop() and clients should no longer set crp_sesssion directly. - Assymteric crypto operation structures should be allocated via crypto_getkreq() and freed via crypto_freekreq(). This permits the crypto layer to track open asym requests and close races with a driver trying to unregister while asym requests are in flight. - crypto_copyback, crypto_copydata, crypto_apply, and crypto_contiguous_subsegment now accept the 'crp' object as the first parameter instead of individual members. This makes it easier to deal with different buffer types in the future as well as separate input and output buffers. It's also simpler for driver writers to use. - bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer. This understands the various types of buffers so that drivers that use DMA do not have to be aware of different buffer types. - Helper routines now exist to build an auth context for HMAC IPAD and OPAD. This reduces some duplicated work among drivers. - Key buffers are now treated as const throughout the framework and in device drivers. However, session key buffers provided when a session is created are expected to remain alive for the duration of the session. - GCM and CCM sessions now only specify a cipher algorithm and a cipher key. The redundant auth information is not needed or used. - For cryptosoft, split up the code a bit such that the 'process' callback now invokes a function pointer in the session. This function pointer is set based on the mode (in effect) though it simplifies a few edge cases that would otherwise be in the switch in 'process'. It does split up GCM vs CCM which I think is more readable even if there is some duplication. - I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC as an auth algorithm and updated cryptocheck to work with it. - Combined cipher and auth sessions via /dev/crypto now always use ETA mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored. This was actually documented as being true in crypto(4) before, but the code had not implemented this before I added the CIPHER_FIRST flag. - I have not yet updated /dev/crypto to be aware of explicit modes for sessions. I will probably do that at some point in the future as well as teach it about IV/nonce and tag lengths for AEAD so we can support all of the NIST KAT tests for GCM and CCM. - I've split up the exising crypto.9 manpage into several pages of which many are written from scratch. - I have converted all drivers and consumers in the tree and verified that they compile, but I have not tested all of them. I have tested the following drivers: - cryptosoft - aesni (AES only) - blake2 - ccr and the following consumers: - cryptodev - IPsec - ktls_ocf - GELI (lightly) I have not tested the following: - ccp - aesni with sha - hifn - kgssapi_krb5 - ubsec - padlock - safe - armv8_crypto (aarch64) - glxsb (i386) - sec (ppc) - cesa (armv7) - cryptocteon (mips64) - nlmsec (mips64) Discussed with: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D23677
|
#
507281e5 |
|
14-Feb-2019 |
Sean Eric Fagan <sef@FreeBSD.org> |
Add AES-CCM encryption, and plumb into OCF. This commit essentially has three parts: * Add the AES-CCM encryption hooks. This is in and of itself fairly small, as there is only a small difference between CCM and the other ICM-based algorithms. * Hook the code into the OpenCrypto framework. This is the bulk of the changes, as the algorithm type has to be checked for, and the differences between it and GCM dealt with. * Update the cryptocheck tool to be aware of it. This is invaluable for confirming that the code works. This is a software-only implementation, meaning that the performance is very low. Sponsored by: iXsystems Inc. Differential Revision: https://reviews.freebsd.org/D19090
|
#
a99bc4c3 |
|
14-Feb-2019 |
Sean Eric Fagan <sef@FreeBSD.org> |
Add CBC-MAC authentication. This adds the CBC-MAC code to the kernel, but does not hook it up to anything (that comes in the next commit). https://tools.ietf.org/html/rfc3610 describes the algorithm. Note that this is a software-only implementation, which means it is fairly slow. Sponsored by: iXsystems Inc Differential Revision: https://reviews.freebsd.org/D18592
|
#
345c692d |
|
10-Feb-2019 |
Marius Strobl <marius@FreeBSD.org> |
As struct cryptop is wrapped in #ifdef _KERNEL, userland doesn't need to drag in <sys/_task.h> either.
|
#
ff2038a9 |
|
12-Dec-2018 |
Matt Macy <mmacy@FreeBSD.org> |
Generalize AES iov optimization Right now, aesni_cipher_alloc does a bit of special-casing for CRYPTO_F_IOV, to not do any allocation if the first uio is large enough for the requested size. While working on ZFS crypto port, I ran into horrible performance because the code uses scatter-gather, and many of the times the data to encrypt was in the second entry. This code looks through the list, and tries to see if there is a single uio that can contain the requested data, and, if so, uses that. This has a slight impact on the current consumers, in that the check is a little more complicated for the ones that use CRYPTO_F_IOV -- but none of them meet the criteria for testing more than one. Submitted by: sef at ixsystems.com Reviewed by: cem@ MFC after: 3 days Sponsored by: iX Systems Differential Revision: https://reviews.freebsd.org/D18522
|
#
01d5de8f |
|
16-Aug-2018 |
Conrad Meyer <cem@FreeBSD.org> |
Add xform-conforming auth_hash wrapper for Poly-1305 The wrapper is a thin shim around libsodium's Poly-1305 implementation. For now, we just use the C algorithm and do not attempt to build the SSE-optimized variant for x86 processors. The algorithm support has not yet been plumbed through cryptodev, or added to cryptosoft.
|
#
1b0909d5 |
|
17-Jul-2018 |
Conrad Meyer <cem@FreeBSD.org> |
OpenCrypto: Convert sessions to opaque handles instead of integers Track session objects in the framework, and pass handles between the framework (OCF), consumers, and drivers. Avoid redundancy and complexity in individual drivers by allocating session memory in the framework and providing it to drivers in ::newsession(). Session handles are no longer integers with information encoded in various high bits. Use of the CRYPTO_SESID2FOO() macros should be replaced with the appropriate crypto_ses2foo() function on the opaque session handle. Convert OCF drivers (in particular, cryptosoft, as well as myriad others) to the opaque handle interface. Discard existing session tracking as much as possible (quick pass). There may be additional code ripe for deletion. Convert OCF consumers (ipsec, geom_eli, krb5, cryptodev) to handle-style interface. The conversion is largely mechnical. The change is documented in crypto.9. Inspired by https://lists.freebsd.org/pipermail/freebsd-arch/2018-January/018835.html . No objection from: ae (ipsec portion) Reported by: jhb
|
#
2e08e39f |
|
13-Jul-2018 |
Conrad Meyer <cem@FreeBSD.org> |
OCF: Add a typedef for session identifiers No functional change. This should ease the transition from an integer session identifier model to an opaque pointer model.
|
#
c4729f6e |
|
09-Jul-2018 |
Conrad Meyer <cem@FreeBSD.org> |
OCF: Add plain hash modes In part, to support OpenSSL's use of cryptodev, which puts the HMAC pieces in software and only offloads the raw hash primitive. The following cryptodev identifiers are added: * CRYPTO_RIPEMD160 (not hooked up) * CRYPTO_SHA2_224 * CRYPTO_SHA2_256 * CRYPTO_SHA2_384 * CRYPTO_SHA2_512 The plain SHA1 and 2 hashes are plumbed through cryptodev (feels like there is a lot of redundancy here...) and cryptosoft. This adds new auth_hash implementations for the plain hashes, as well as SHA1 (which had a cryptodev.h identifier, but no implementation). Add plain SHA 1 and 2 hash tests to the cryptocheck tool. Motivation stems from John Baldwin's earlier OCF email, https://lists.freebsd.org/pipermail/freebsd-arch/2018-January/018835.html .
|
#
c97f39ce |
|
09-Jul-2018 |
Conrad Meyer <cem@FreeBSD.org> |
OCF: Add CRYPTO_SHA2_224_HMAC mode Round out the complete set of basic SHA2 HMAC modes with SHA2-224. Support is added to the cryptocheck test tool.
|
#
590adc1b |
|
09-Jul-2018 |
Conrad Meyer <cem@FreeBSD.org> |
Remove "HMAC" from <HASH>_HMAC_BLOCK_LEN macro names The block size is a property of the underlying hash algorithm, and has nothing to do with the HMAC construction. No functional change.
|
#
61590291 |
|
28-Mar-2018 |
Conrad Meyer <cem@FreeBSD.org> |
opencrypto: Integrate Chacha20 algorithm into OCF Mostly this is a thin shim around existing code to integrate with enc_xform and cryptosoft (+ cryptodev). Expand the cryptodev buffer used to match that of Chacha20's native block size as a performance enhancement for chacha20_xform_crypt_multi.
|
#
289b9798 |
|
26-Mar-2018 |
Conrad Meyer <cem@FreeBSD.org> |
OCF: CRYPTDEB(): Enhance to allow formatted logging Sponsored by: Dell EMC Isilon
|
#
0e33efe4 |
|
21-Mar-2018 |
Conrad Meyer <cem@FreeBSD.org> |
Import Blake2 algorithms (blake2b, blake2s) from libb2 The upstream repository is on github BLAKE2/libb2. Files landed in sys/contrib/libb2 are the unmodified upstream files, except for one difference: secure_zero_memory's contents have been replaced with explicit_bzero() only because the previous implementation broke powerpc link. Preferential use of explicit_bzero() is in progress upstream, so it is anticipated we will be able to drop this diff in the future. sys/crypto/blake2 contains the source files needed to port libb2 to our build system, a wrapped (limited) variant of the algorithm to match the API of our auth_transform softcrypto abstraction, incorporation into the Open Crypto Framework (OCF) cryptosoft(4) driver, as well as an x86 SSE/AVX accelerated OCF driver, blake2(4). Optimized variants of blake2 are compiled for a number of x86 machines (anything from SSE2 to AVX + XOP). On those machines, FPU context will need to be explicitly saved before using blake2(4)-provided algorithms directly. Use via cryptodev / OCF saves FPU state automatically, and use via the auth_transform softcrypto abstraction does not use FPU. The intent of the OCF driver is mostly to enable testing in userspace via /dev/crypto. ATF tests are added with published KAT test vectors to validate correctness. Reviewed by: jhb, markj Obtained from: github BLAKE2/libb2 Differential Revision: https://reviews.freebsd.org/D14662
|
#
a296c719 |
|
16-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Split crp_buf into a union. This adds explicit crp_mbuf and crp_uio pointers of the right type to replace casts of crp_buf. This does not sweep through changing existing code, but new code should use the correct fields instead of casts. Reviewed by: kib Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D13927
|
#
eda08c83 |
|
11-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Change the type of 'crp_opaque' from caddr_t to void *. Opaque pointers should be void *. Note that this does not go through the tree removing all of the now-unnecessary casts. Reviewed by: kib Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D13848
|
#
39bbca6f |
|
03-Nov-2017 |
Fabien Thomas <fabient@FreeBSD.org> |
crypto(9) is called from ipsec in CRYPTO_F_CBIFSYNC mode. This is working fine when a lot of different flows to be ciphered/deciphered are involved. However, when a software crypto driver is used, there are situations where we could benefit from making crypto(9) multi threaded: - a single flow is to be ciphered: only one thread is used to cipher it, - a single ESP flow is to be deciphered: only one thread is used to decipher it. The idea here is to call crypto(9) using a new mode (CRYPTO_F_ASYNC) to dispatch the crypto jobs on multiple threads, if the underlying crypto driver is working in synchronous mode. Another flag is added (CRYPTO_F_ASYNC_KEEPORDER) to make crypto(9) dispatch the crypto jobs in the order they are received (an additional queue/thread is used), so that the packets are reinjected in the network using the same order they were posted. A new sysctl net.inet.ipsec.async_crypto can be used to activate this new behavior (disabled by default). Submitted by: Emeric Poupon <emeric.poupon@stormshield.eu> Reviewed by: ae, jmg, jhb Differential Revision: https://reviews.freebsd.org/D10680 Sponsored by: Stormshield
|
#
3693b188 |
|
26-Sep-2017 |
Conrad Meyer <cem@FreeBSD.org> |
opencrypto: Loosen restriction on HMAC key sizes Theoretically, HMACs do not actually have any limit on key sizes. Transforms should compact input keys larger than the HMAC block size by using the transform (hash) on the input key. (Short input keys are padded out with zeros to the HMAC block size.) Still, not all FreeBSD crypto drivers that provide HMAC functionality handle longer-than-blocksize keys appropriately, so enforce a "maximum" key length in the crypto API for auth_hashes that previously expressed a requirement. (The "maximum" is the size of a single HMAC block for the given transform.) Unconstrained auth_hashes are left as-is. I believe the previous hardcoded sizes were committed in the original import of opencrypto from OpenBSD and are due to specific protocol details of IPSec. Note that none of the previous sizes actually matched the appropriate HMAC block size. The previous hardcoded sizes made the SHA tests in cryptotest.py useless for testing FreeBSD crypto drivers; none of the NIST-KAT example inputs had keys sized to the previous expectations. The following drivers were audited to check that they handled keys up to the block size of the HMAC safely: Software HMAC: * padlock(4) * cesa * glxsb * safe(4) * ubsec(4) Hardware accelerated HMAC: * ccr(4) * hifn(4) * sec(4) (Only supports up to 64 byte keys despite claiming to support SHA2 HMACs, but validates input key sizes) * cryptocteon (MIPS) * nlmsec (MIPS) * rmisec (MIPS) (Amusingly, does not appear to use key material at all -- presumed broken) Reviewed by: jhb (previous version), rlibby (previous version) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D12437
|
#
2c907637 |
|
21-Sep-2017 |
John Baldwin <jhb@FreeBSD.org> |
Add a new COP_F_CIPHER_FIRST flag for struct crypt_op. This requests that the cipher be performed before rather than after the HMAC when both are specified for a single operation. Reviewed by: cem Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D11757
|
#
7dd10fde |
|
09-May-2017 |
John Baldwin <jhb@FreeBSD.org> |
Use const with some read-only buffers in opencrypto APIs. - Mark the source buffer for a copyback operation as const in the kernel API. - Use const with input-only buffers in crypto ioctl structures used with /dev/crypto. MFC after: 1 month Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D10517
|
#
a2bc81bf |
|
04-Aug-2015 |
John-Mark Gurney <jmg@FreeBSD.org> |
Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsec defines the keys differently than NIST does, so we have to muck with key lengths and nonce/IVs to be standard compliant... Remove the iv from secasvar as it was unused... Add a counter protected by a mutex to ensure that the counter for GCM and ICM will never be repeated.. This is a requirement for security.. I would use atomics, but we don't have a 64bit one on all platforms.. Fix a bug where IPsec was depending upon the OCF to ensure that the blocksize was always at least 4 bytes to maintain alignment... Move this logic into IPsec so changes to OCF won't break IPsec... In one place, espx was always non-NULL, so don't test that it's non-NULL before doing work.. minor style cleanups... drop setting key and klen as they were not used... Enforce that OCF won't pass invalid key lengths to AES that would panic the machine... This was has been tested by others too... I tested this against NetBSD 6.1.5 using mini-test suite in https://github.com/jmgurney/ipseccfgs and the only things that don't pass are keyed md5 and sha1, and 3des-deriv (setkey syntax error), all other modes listed in setkey's man page... The nice thing is that NetBSD uses setkey, so same config files were used on both... Reviewed by: gnn
|
#
577f7474 |
|
14-Jul-2015 |
John-Mark Gurney <jmg@FreeBSD.org> |
Fix XTS, and name things a bit better... Though confusing, GCM using ICM_BLOCK_LEN, but ICM does not is correct... GCM is built on ICM, but uses a function other than swcr_encdec... swcr_encdec cannot handle partial blocks which is why it must still use AES_BLOCK_LEN and is why XTS was broken by the commit... Thanks to the tests for helping sure I didn't break GCM w/ an earlier patch... I did run the tests w/o this patch, and need to figure out why they did not fail, clearly more tests are needed... Prodded by: peter
|
#
16de9ac1 |
|
09-Jul-2015 |
George V. Neville-Neil <gnn@FreeBSD.org> |
Add support for AES modes to IPSec. These modes work both in software only mode and with hardware support on systems that have AESNI instructions. Differential Revision: D2936 Reviewed by: jmg, eri, cognet Sponsored by: Rubicon Communications (Netgate)
|
#
748a12e2 |
|
07-Jul-2015 |
John-Mark Gurney <jmg@FreeBSD.org> |
we may get here w/ non-sleepable locks held, so switch to _NOWAIT when doing this memory allocation... Reviewed by: ae
|
#
08fca7a5 |
|
12-Dec-2014 |
John-Mark Gurney <jmg@FreeBSD.org> |
Add some new modes to OpenCrypto. These modes are AES-ICM (can be used for counter mode), and AES-GCM. Both of these modes have been added to the aesni module. Included is a set of tests to validate that the software and aesni module calculate the correct values. These use the NIST KAT test vectors. To run the test, you will need to install a soon to be committed port, nist-kat that will install the vectors. Using a port is necessary as the test vectors are around 25MB. All the man pages were updated. I have added a new man page, crypto.7, which includes a description of how to use each mode. All the new modes and some other AES modes are present. It would be good for someone else to go through and document the other modes. A new ioctl was added to support AEAD modes which AES-GCM is one of them. Without this ioctl, it is not possible to test AEAD modes from userland. Add a timing safe bcmp for use to compare MACs. Previously we were using bcmp which could leak timing info and result in the ability to forge messages. Add a minor optimization to the aesni module so that single segment mbufs don't get copied and instead are updated in place. The aesni module needs to be updated to support blocked IO so segmented mbufs don't have to be copied. We require that the IV be specified for all calls for both GCM and ICM. This is to ensure proper use of these functions. Obtained from: p4: //depot/projects/opencrypto Relnotes: yes Sponsored by: FreeBSD Foundation Sponsored by: NetGate
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
d295bdee |
|
23-Sep-2010 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Add support for AES-XTS. Obtained from: OpenBSD MFC after: 1 week
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
559d3390 |
|
09-May-2007 |
George V. Neville-Neil <gnn@FreeBSD.org> |
Integrate the Camellia Block Cipher. For more information see RFC 4132 and its bibliography. Submitted by: Tomoyuki Okazaki <okazaki at kick dot gr dot jp> MFC after: 1 month
|
#
6810ad6f |
|
20-Mar-2007 |
Sam Leffler <sam@FreeBSD.org> |
Overhaul driver/subsystem api's: o make all crypto drivers have a device_t; pseudo drivers like the s/w crypto driver synthesize one o change the api between the crypto subsystem and drivers to use kobj; cryptodev_if.m defines this api o use the fact that all crypto drivers now have a device_t to add support for specifying which of several potential devices to use when doing crypto operations o add new ioctls that allow user apps to select a specific crypto device to use (previous ioctls maintained for compatibility) o overhaul crypto subsystem code to eliminate lots of cruft and hide implementation details from drivers o bring in numerous fixes from Michale Richardson/hifn; mostly for 795x parts o add an optional mechanism for mmap'ing the hifn 795x public key h/w to user space for use by openssl (not enabled by default) o update crypto test tools to use new ioctl's and add cmd line options to specify a device to use for tests These changes will also enable much future work on improving the core crypto subsystem; including proper load balancing and interposing code between the core and drivers to dispatch small operations to the s/w driver as appropriate. These changes were instigated by the work of Michael Richardson. Reviewed by: pjd Approved by: re
|
#
11d2e1e8 |
|
04-Jun-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
- Replace COPYDATA() and COPYBACK() macros with crypto_copydata() and crypto_copyback() functions. - Add crypto_apply() function. This will allow for more code simplification.
|
#
d905998c |
|
04-Jun-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Move COPYDATA() and COPYBACK() macros to cryptodev.h, they will be used in padlock(4) as well.
|
#
082a4bab |
|
04-Jun-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
- Remove HMAC_BLOCK_LEN, it serves no purpose. - Use defines of used algorithm instead of HMAC_BLOCK_LEN.
|
#
eec31f22 |
|
04-Jun-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
- Use define of an algorithm with the biggest block length to describe EALG_MAX_BLOCK_LEN instead of hardcoded value. - Kill an unused define.
|
#
bc58b0ec |
|
04-Jun-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Rename HMAC_BLOCK_MAXLEN to HMAC_MAX_BLOCK_LEN to be consistent with EALG_MAX_BLOCK_LEN.
|
#
0bbc4bf9 |
|
04-Jun-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Rename AALG_MAX_RESULT_LEN to HASH_MAX_LEN to look more constent with other defines.
|
#
9ea7e421 |
|
04-Jun-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
- Add defines with hash length for each hash algorithm. - Add defines with block length for each HMAC algorithm. - Add AES_BLOCK_LEN define which is an alias for RIJNDAEL128_BLOCK_LEN. - Add NULL_BLOCK_LEN define.
|
#
6c68b224 |
|
22-May-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Remove (now unused) crp_mac field.
|
#
3aaf7145 |
|
22-May-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Document how we synchronize access to the fields in the cryptocap structure.
|
#
f6c4bc3b |
|
17-May-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
- Fix a very old bug in HMAC/SHA{384,512}. When HMAC is using SHA384 or SHA512, the blocksize is 128 bytes, not 64 bytes as anywhere else. The bug also exists in NetBSD, OpenBSD and various other independed implementations I look at. - We cannot decide which hash function to use for HMAC based on the key length, because any HMAC function can use any key length. To fix it split CRYPTO_SHA2_HMAC into three algorithm: CRYPTO_SHA2_256_HMAC, CRYPTO_SHA2_384_HMAC and CRYPTO_SHA2_512_HMAC. Those names are consistent with OpenBSD's naming. - Remove authsize field from auth_hash structure. - Allow consumer to define size of hash he wants to receive. This allows to use HMAC not only for IPsec, where 96 bits MAC is requested. The size of requested MAC is defined at newsession time in the cri_mlen field - when 0, entire MAC will be returned. - Add swcr_authprepare() function which prepares authentication key. - Allow to provide key for every authentication operation, not only at newsession time by honoring CRD_F_KEY_EXPLICIT flag. - Make giving key at newsession time optional - don't try to operate on it if its NULL. - Extend COPYBACK()/COPYDATA() macros to handle CRYPTO_BUF_CONTIG buffer type as well. - Accept CRYPTO_BUF_IOV buffer type in swcr_authcompute() as we have cuio_apply() now. - 16 bits for key length (SW_klen) is more than enough. Reviewed by: sam
|
#
4acae0ac |
|
17-May-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
- Make opencrypto more SMP friendly by dropping the queue lock around crypto_invoke(). This allows to serve multiple crypto requests in parallel and not bached requests are served lock-less. Drivers should not depend on the queue lock beeing held around crypto_invoke() and if they do, that's an error in the driver - it should do its own synchronization. - Don't forget to wakeup the crypto thread when new requests is queued and only if both symmetric and asymmetric queues are empty. - Symmetric requests use sessions and there is no way driver can disappear when there is an active session, so we don't need to check this, but assert this. This is also safe to not use the driver lock in this case. - Assymetric requests don't use sessions, so don't check the driver in crypto_kinvoke(). - Protect assymetric operation with the driver lock, because if there is no symmetric session, driver can disappear. - Don't send assymetric request to the driver if it is marked as blocked. - Add an XXX comment, because I don't think migration to another driver is safe when there are pending requests using freed session. - Remove 'hint' argument from crypto_kinvoke(), as it serves no purpose. - Don't hold the driver lock around kprocess method call, instead use cc_koperations to track number of in-progress requests. - Cleanup register/unregister code a bit. - Other small simplifications and cleanups. Reviewed by: sam
|
#
645df8d0 |
|
17-May-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Remove cri_rnd. It is not used. Reviewed by: sam
|
#
b5161eb7 |
|
17-May-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Forgot about adding cuio_apply() here. Reviewed by: sam
|
#
60727d8b |
|
06-Jan-2005 |
Warner Losh <imp@FreeBSD.org> |
/* -> /*- for license, minor formatting changes
|
#
c740ae4b |
|
02-Feb-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Add CRD_F_KEY_EXPLICIT which allows the key to be changed per operation, just like it was possible to change the IV. Currently supported on Hifn and software engines only. Approved by: sam@
|
#
37621fd5 |
|
15-Dec-2003 |
Bruce M Simpson <bms@FreeBSD.org> |
Push m_apply() and m_getptr() up into the colleciton of standard mbuf routines, and purge them from opencrypto. Reviewed by: sam Obtained from: NetBSD Sponsored by: spc.org
|
#
d8409aaf |
|
29-Jun-2003 |
Sam Leffler <sam@FreeBSD.org> |
consolidate callback optimization check in one location by adding a flag for crypto operations that indicates the crypto code should do the check in crypto_done MFC after: 1 day
|
#
07d0c94a |
|
27-Jun-2003 |
Sam Leffler <sam@FreeBSD.org> |
Add support to eliminate a context switch per crypto op when using the software crypto device: o record crypto device capabilities in each session id o add a capability that indicates if the crypto driver operates synchronously o tag the software crypto driver as operating synchronously This commit also introduces crypto session id macros that cleanup their construction and querying.
|
#
3569ae7f |
|
02-Jun-2003 |
Sam Leffler <sam@FreeBSD.org> |
Flush my local cache of cryto subsystem fixes: o add a ``done'' flag for crypto operations; this is set when the operation completes and is intended for callers to check operations that may complete ``prematurely'' because of direct callbacks o close a race for operations where the crypto driver returns ERESTART: we need to hold the q lock to insure the blocked state for the driver and any driver-private state is consistent; otherwise drivers may take an interrupt and notify the crypto subsystem that it can unblock the driver but operations will be left queued and never be processed o close a race in /dev/crypto where operations can complete before the caller can sleep waiting for the callback: use a per-session mutex and the new done flag to handle this o correct crypto_dispatch's handling of operations where the driver returns ERESTART: the return value must be zero and not ERESTART, otherwise the caller may free the crypto request despite it being queued for later handling (this typically results in a later panic) o change crypto mutex ``names'' so witness printouts and the like are more meaningful
|
#
eb73a605 |
|
23-Feb-2003 |
Sam Leffler <sam@FreeBSD.org> |
o add a CRYPTO_F_CBIMM flag to symmetric ops to indicate the callback should be done in crypto_done rather than in the callback thread o use this flag to mark operations from /dev/crypto since the callback routine just does a wakeup; this eliminates the last unneeded ctx switch o change CRYPTO_F_NODELAY to CRYPTO_F_BATCH with an inverted meaning so "0" becomes the default/desired setting (needed for user-mode compatibility with openbsd) o change crypto_dispatch to honor CRYPTO_F_BATCH instead of always dispatching immediately o remove uses of CRYPTO_F_NODELAY o define COP_F_BATCH for ops submitted through /dev/crypto and pass this on to the op that is submitted Similar changes and more eventually coming for asymmetric ops. MFC if re gives approval.
|
#
7d1853ee |
|
02-Jan-2003 |
Sam Leffler <sam@FreeBSD.org> |
MFS: crypto timing support; purge usercrypto sysctl (just don't config cryptodev or kldunload cryptodev module); crypto statistcs; remove unused alloctype field from crypto op to offset addition of the performance time stamp Supported by: Vernier Networks
|
#
b4c408e0 |
|
07-Oct-2002 |
Sam Leffler <sam@FreeBSD.org> |
remove CIOGSSESSION (get software session); it was added only for testing
|
#
091d81d1 |
|
04-Oct-2002 |
Sam Leffler <sam@FreeBSD.org> |
In-kernel crypto framework derived from openbsd. This facility provides a consistent interface to h/w and s/w crypto algorithms for use by the kernel and (for h/w at least) by user-mode apps. Access for user-level code is through a /dev/crypto device that'll eventually be used by openssl to (potentially) accelerate many applications. Coming soon is an IPsec that makes use of this service to accelerate ESP, AH, and IPCOMP protocols. Included here is the "core" crypto support, /dev/crypto driver, various crypto algorithms that are not already present in the KAME crypto area, and support routines used by crypto device drivers. Obtained from: openbsd
|