summaryrefslogtreecommitdiffstats
path: root/sys/crypto
Commit message (Collapse)AuthorAgeFilesLines
* MFC r264400,r265836:ngie2014-12-311-1/+1
| | | | | | | | | | | | | | r264400: NO_MAN= has been deprecated in favor of MAN= for some time, go ahead and finish the job. ncurses is now the only Makefile in the tree that uses it since it wasn't a simple mechanical change, and will be addressed in a future commit. r265836: Remove last two NO_MAN= in the tree. In both of these cases, MAN= is what is needed.
* MFC r267815:kib2014-06-303-94/+95
| | | | | Put the aesni_cipher_setup() and aesni_cipher_process() functions into the file which is compiled with SSE disabled.
* MFC r267767:kib2014-06-304-60/+28
| | | | | | Add FPU_KERN_KTHR flag to fpu_kern_enter(9). Apply the flag to padlock(4) and aesni(4). In aesni_cipher_process(), do not leak FPU context state on error.
* MFC r258399,258492:jmg2013-11-261-1/+2
| | | | | | mark aesni module _SYNC, improves performance ~27%... Approved by: re (glebius)
* MFC r257757:jmg2013-11-163-67/+95
| | | | | | fix issues w/ AES-NI on unaligned data blocks... Approved by: re (kib)
* Use the fact that the AES-NI instructions can be pipelined to improvejmg2013-09-037-422/+359
| | | | | | | | | | | | | | | | | | | performance... Use SSE2 instructions for calculating the XTS tweek factor... Let the compiler do more work and handle register allocation by using intrinsics, now only the key schedule is in assembly... Replace .byte hard coded instructions w/ the proper instructions now that both clang and gcc support them... On my machine, pulling the code to userland I saw performance go from ~150MB/sec to 2GB/sec in XTS mode. GELI on GNOP saw a more modest increase of about 3x due to other system overhead (geom and opencrypto)... These changes allow almost full disk io rate w/ geli... Reviewed by: -current, -security Thanks to: Mike Hamburg for the XTS tweek algorithm
* Fix const propagation issues to make GCC happy.andre2013-07-111-3/+4
| | | | Submitted by: Michael Butler <imb@protected-networks.net>
* SipHash is a cryptographically strong pseudo-random function (a.k.a. keyedandre2013-07-113-0/+464
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | hash function) optimized for speed on short messages returning a 64bit hash/ digest value. SipHash is simpler and much faster than other secure MACs and competitive in speed with popular non-cryptographic hash functions. It uses a 128-bit key without the hidden cost of a key expansion step. SipHash iterates a simple round function consisting of four additions, four xors, and six rotations, interleaved with xors of message blocks for a pre-defined number of compression and finalization rounds. The absence of secret load/store addresses or secret branch conditions avoid timing attacks. No state is shared between messages. Hashing is deterministic and doesn't use nonces. It is not susceptible to length extension attacks. Target applications include network traffic authentication, message authentication (MAC) and hash-tables protection against hash-flooding denial-of-service attacks. The number of update/finalization rounds is defined during initialization: SipHash24_Init() for the fast and reasonable strong version. SipHash48_Init() for the strong version (half as fast). SipHash usage is similar to other hash functions: struct SIPHASH_CTX ctx; char *k = "16bytes long key" char *s = "string"; uint64_t h = 0; SipHash24_Init(&ctx); SipHash_SetKey(&ctx, k); SipHash_Update(&ctx, s, strlen(s)); SipHash_Final(&h, &ctx); /* or */ h = SipHash_End(&ctx); /* or */ h = SipHash24(&ctx, k, s, strlen(s)); It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and is described in the paper "SipHash: a fast short-input PRF", 2012.09.18: https://131002.net/siphash/siphash.pdf Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa Implemented by: andre (based on the paper) Reviewed by: cperciva
* Sync with KAME.delphij2013-07-092-5/+4
| | | | MFC after: 1 month
* Allow assert() to operate correctly when building userland code.rmh2013-07-091-1/+3
|
* When porting XTS-related code from OpenBSD I forgot to update copyright (onlypjd2013-02-201-0/+1
| | | | | | | OpenBSD was credited in one of two commits). Fix it. Reported by: Theo de Raadt <deraadt@cvs.openbsd.org> Reviewed by: Damien Miller <djm@mindrot.org>
* Revert previous commit...kevlo2012-10-101-1/+1
| | | | Pointyhat to: kevlo (myself)
* Prefer NULL over 0 for pointerskevlo2012-10-091-1/+1
|
* Add support for the extended FPU states on amd64, both for nativekib2012-01-217-14/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 64bit and 32bit ABIs. As a side-effect, it enables AVX on capable CPUs. In particular: - Query the CPU support for XSAVE, list of the supported extensions and the required size of FPU save area. The hw.use_xsave tunable is provided for disabling XSAVE, and hw.xsave_mask may be used to select the enabled extensions. - Remove the FPU save area from PCB and dynamically allocate the (run-time sized) user save area on the top of the kernel stack, right above the PCB. Reorganize the thread0 PCB initialization to postpone it after BSP is queried for save area size. - The dumppcb, stoppcbs and susppcbs now do not carry the FPU state as well. FPU state is only useful for suspend, where it is saved in dynamically allocated suspfpusave area. - Use XSAVE and XRSTOR to save/restore FPU state, if supported and enabled. - Define new mcontext_t flag _MC_HASFPXSTATE, indicating that mcontext_t has a valid pointer to out-of-struct extended FPU state. Signal handlers are supplied with stack-allocated fpu state. The sigreturn(2) and setcontext(2) syscall honour the flag, allowing the signal handlers to inspect and manipilate extended state in the interrupted context. - The getcontext(2) never returns extended state, since there is no place in the fixed-sized mcontext_t to place variable-sized save area. And, since mcontext_t is embedded into ucontext_t, makes it impossible to fix in a reasonable way. Instead of extending getcontext(2) syscall, provide a sysarch(2) facility to query extended FPU state. - Add ptrace(2) support for getting and setting extended state; while there, implement missed PT_I386_{GET,SET}XMMREGS for 32bit binaries. - Change fpu_kern KPI to not expose struct fpu_kern_ctx layout to consumers, making it opaque. Internally, struct fpu_kern_ctx now contains a space for the extended state. Convert in-kernel consumers of fpu_kern KPI both on i386 and amd64. First version of the support for AVX was submitted by Tim Bird <tim.bird am sony com> on behalf of Sony. This version was written from scratch. Tested by: pho (previous version), Yamagi Burmeister <lists yamagi org> MFC after: 1 month
* Update Copyright.pjd2011-10-271-1/+1
| | | | MFC after: 3 days
* Improve AES-NI performance for AES-XTS:pjd2011-10-271-26/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Operate on uint64_t types when doing XORing, etc. instead of uint8_t. - Don't bzero() temporary block for every AES block. Do it once for entire data block. - AES-NI is available only on little endian architectures. Simplify code that takes block number from IV. Benchmarks: Memory-backed md(4) device, software AES-XTS, 4kB sector: # dd if=/dev/md0.eli bs=1m 59.61MB/s Memory-backed md(4) device, old AES-NI AES-XTS, 4kB sector: # dd if=/dev/md0.eli bs=1m 97.29MB/s Memory-backed md(4) device, new AES-NI AES-XTS, 4kB sector: # dd if=/dev/md0.eli bs=1m 221.26MB/s 127% performance improvement between old and new code. Harddisk, raw speed: # dd if=/dev/ada0 bs=1m 137.63MB/s Harddisk, software AES-XTS, 4kB sector: # dd if=/dev/ada0.eli bs=1m 47.83MB/s (34% of raw disk speed) Harddisk, old AES-NI AES-XTS, 4kB sector: # dd if=/dev/ada0.eli bs=1m 68.33MB/s (49% of raw disk speed) Harddisk, new AES-NI AES-XTS, 4kB sector: # dd if=/dev/ada0.eli bs=1m 108.35MB/s (78% of raw disk speed) 58% performance improvement between old and new code. As a side-note, GELI with AES-NI using AES-CBC can achive native disk speed. MFC after: 3 days
* Fix a bug in the result of manual assembly.kib2011-03-022-2/+2
| | | | | | Reported by: Stefan Grundmann <sg2342 googlemail com> PR: kern/155118 MFC after: 3 days
* Make private functions static.brucec2011-02-211-8/+8
| | | | | | | PR: kern/43611 Submitted by: Matt Emmerton <matt at gsicomp.on.ca> Reviewed by: kib MFC after: 3 days
* Remove DEBUG sections.kib2010-11-271-24/+0
| | | | MFC after: 3 days
* MFaesni r215427:kib2010-11-263-9/+31
| | | | | | | | Only save FPU context when not executing in the context of the crypto thread. Tested by: Mike Tancsa MFC after: 1 week
* Only save FPU context when not executing in the context of the cryptokib2010-11-171-8/+22
| | | | | | thread. Tested by: Mike Tancsa
* Change two missed instances of 'retq' in aeskeys_i386.S to 'retl', whichdim2010-10-131-2/+2
| | | | | | makes it possible to assemble this file with gas from newer binutils. Reviewed by: kib
* Fix two copy&paste bugs.pjd2010-09-251-2/+2
| | | | MFC after: 2 weeks
* Add support for CRYPTO_AES_XTS.pjd2010-09-233-24/+151
| | | | MFC after: 1 week
* Add support for CRD_F_KEY_EXPLICIT flag.pjd2010-09-231-16/+32
| | | | MFC after: 1 week
* Simplify code a bit.pjd2010-09-232-10/+5
| | | | MFC after: 1 week
* Crypto(4) driver for AESNI.kib2010-07-237-0/+1464
| | | | | | | | | The aeskeys_{amd64,i386}.S content was mostly obtained from OpenBSD, no objections to the license from core. Hardware provided by: Sentex Communications Tested by: fabient, pho (previous versions) MFC after: 1 month
* Use the fpu_kern_enter() interface to properly separate usermode FPUkib2010-06-054-3/+34
| | | | | | | | | | | | | | context from in-kernel execution of padlock instructions and to handle spurious FPUDNA exceptions that sometime are raised when doing padlock calculations. Globally mark crypto(9) kthread as using FPU. Reviewed by: pjd Hardware provided by: Sentex Communications Tested by: pho PR: amd64/135014 MFC after: 1 month
* Changed to M_NOWAIT when reallocing psc_buf in padlock_sha_update(),vanhu2009-05-271-1/+3
| | | | | | | | as we already hold the non sleepable crypto_driver_mutex. Approved by: gnn(mentor) Obtained from: NETASQ MFC after: 2 weeks
* identify routine takes driver_t *, not device_t *.imp2009-02-051-1/+1
|
* Connect padlock(4) to amd64 build for VIA Nano processors.jkim2009-01-122-3/+3
|
* Avoid 256 integer divisions per rc4_init() call. Replace it with usingmav2008-12-161-3/+5
| | | | | | | | separate index variable. It gives more then double rc4_init() performance increase on tested i386 P4. It also gives about 15% speedup to PPTP VPN with stateless MPPE encryption (by ng_mppc) which calls rc4_init() for every packet.
* Fix a potential NULL-pointer dereference in padlock(4).philip2008-11-171-1/+5
| | | | | Spotted by: Coverity (via pjd) MFC after: 1 week
* Simplify session selection/allocation.pjd2008-08-091-10/+5
|
* - Fix freeing session on newsession failure.pjd2008-08-091-9/+24
| | | | - Update copyright years.
* Implify sessions freeing loop.pjd2008-08-091-2/+1
|
* We don't have to drop a lock around malloc(M_NOWAIT).pjd2008-08-091-4/+4
|
* When freeing session, restore its ID after zeroing memory.pjd2008-08-091-0/+1
| | | | Bug tracked down by: Patrick Lamaiziere <patfbsd@davenulle.org>
* Sessions in-use are at the end of the queue, so use TAILQ_FOREACH_REVERSE()pjd2008-08-091-3/+5
| | | | | | when looking for them. Idea from: Patrick Lamaiziere <patfbsd@davenulle.org>
* Convert lock that protects sessions list from a mutex to a rwlock.pjd2008-07-201-16/+16
| | | | Now we can use read lock in fast path (padlock_process()).
* Make test00 compilable again.sobomax2008-01-152-1/+3
|
* Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSECgnn2007-07-031-1/+1
| | | | | | | | option is now deprecated, as well as the KAME IPsec code. What was FAST_IPSEC is now IPSEC. Approved by: re Sponsored by: Secure Computing
* Integrate the Camellia Block Cipher. For more information see RFC 4132gnn2007-05-093-0/+1459
| | | | | | | and its bibliography. Submitted by: Tomoyuki Okazaki <okazaki at kick dot gr dot jp> MFC after: 1 month
* Overhaul driver/subsystem api's:sam2007-03-211-74/+68
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | o make all crypto drivers have a device_t; pseudo drivers like the s/w crypto driver synthesize one o change the api between the crypto subsystem and drivers to use kobj; cryptodev_if.m defines this api o use the fact that all crypto drivers now have a device_t to add support for specifying which of several potential devices to use when doing crypto operations o add new ioctls that allow user apps to select a specific crypto device to use (previous ioctls maintained for compatibility) o overhaul crypto subsystem code to eliminate lots of cruft and hide implementation details from drivers o bring in numerous fixes from Michale Richardson/hifn; mostly for 795x parts o add an optional mechanism for mmap'ing the hifn 795x public key h/w to user space for use by openssl (not enabled by default) o update crypto test tools to use new ioctl's and add cmd line options to specify a device to use for tests These changes will also enable much future work on improving the core crypto subsystem; including proper load balancing and interposing code between the core and drivers to dispatch small operations to the s/w driver as appropriate. These changes were instigated by the work of Michael Richardson. Reviewed by: pjd Approved by: re
* Initialize T1 to silent gcc warning.kevlo2006-10-221-1/+1
| | | | Approved by: cognet
* Less magic.pjd2006-09-151-2/+3
| | | | MFC after: 3 days
* GCC 3.4.6 gets confused on this file and produces bogus warning.kan2006-08-261-1/+1
| | | | Shut it up.
* Remove trailing spaces.pjd2006-07-281-1/+1
|
* Use existing roundup2() macro.pjd2006-07-281-1/+1
| | | | Suggested by: njl
* Remove redundant check committed by accident.pjd2006-07-251-2/+0
|
OpenPOWER on IntegriCloud