| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
aesni(4): Initialize error before use
Reported by: Coverity
CID: 1331554
Sponsored by: EMC / Isilon Storage Division
TAG: IPSEC-HEAD
(cherry picked from commit 0bfe8f207817729d5666bdea8fee38f24eacf67e)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Break up opencrypto/xform.c so it can be reused piecemeal
Keep xform.c as a meta-file including the broken out bits
existing code that includes xform.c continues to work as normal
Individual algorithms can now be reused elsewhere, including outside
of the kernel
Reviewed by: bapt (previous version), gnn, delphij
Approved by: secteam
MFC after: 1 week
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D4674
TAG: IPSEC-HEAD
(cherry picked from commit 271bb86c6bc2052797fce3ea16d42b3a60ec388c)
|
|
|
|
|
|
|
| |
const'ify an arg that we don't update...
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
| |
Complete the move that was started w/ r263218.. For some reason I
didn't delete the files, so that means we need to bring the changes in
r282726 to the correct files..
make tinderbox completed with this patch...
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
| |
upon further examination, it turns out that _unregister_all already
provides the guarantee that no threads will be in the _newsession code..
This is provided by the CRYPTODRIVER lock... This makes the pause
unneeded...
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
address an issue where consumers, like IPsec, can reuse the same
session in multiple threads w/o locking.. There was a single fpu
context shared per session, if multiple threads were using the session,
and both migrated away, they could corrupt each other's fpu context...
This patch adds a per cpu context and a lock to protect it...
It also tries to better address unloading of the aesni module...
The pause will be removed once the OpenCrypto Framework provides a
better method for draining callers into _newsession...
I first discovered the fpu context sharing issue w/ a flood ping over
an IPsec tunnel between two bhyve machines... The patch in D3015
was used to verify that this fix does fix the issue...
Reviewed by: gnn, kib (both earlier versions)
Differential Revision: https://reviews.freebsd.org/D3016
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
| |
unroll the loop slightly... This improves performance enough to
justify, especially for CBC performance where we can't pipeline.. I
don't happen to have my measurements handy though...
Sponsored by: Netflix, Inc.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix for non-random IV's when CRD_F_IV_PRESENT and CRD_F_IV_EXPLICIT
flags are not specified... This bug was introduced in r275732...
This only affects IPsec ESP only policies w/ the aesni module loaded,
other subsystems specify one or both of the flags...
Reviewed by: gnn, delphij, eri
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
remove _NORMAL flag which isn't suppose to be used w/ _alloc_ctx...
Reviewed by: kib (a while ago)
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the version of gcc in the FreeBSD tree, this modification was made to
the compiler in svn r242182:
A similar change was done to clang in the FreeBSD tree in svn r218893:
However, for external gcc toolchains, this patch is not in the compiler's header
file.
This patch to FreeBSD's aesni code allows compilation with an external
gcc toolchain.
Differential Revision: https://reviews.freebsd.org/D2285
Reviewed by: jmg, dim
Approved by: dim
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add some new modes to OpenCrypto. These modes are AES-ICM (can be used
for counter mode), and AES-GCM. Both of these modes have been added to
the aesni module.
Included is a set of tests to validate that the software and aesni
module calculate the correct values. These use the NIST KAT test
vectors. To run the test, you will need to install a soon to be
committed port, nist-kat that will install the vectors. Using a port
is necessary as the test vectors are around 25MB.
All the man pages were updated. I have added a new man page, crypto.7,
which includes a description of how to use each mode. All the new modes
and some other AES modes are present. It would be good for someone
else to go through and document the other modes.
A new ioctl was added to support AEAD modes which AES-GCM is one of them.
Without this ioctl, it is not possible to test AEAD modes from userland.
Add a timing safe bcmp for use to compare MACs. Previously we were using
bcmp which could leak timing info and result in the ability to forge
messages.
Add a minor optimization to the aesni module so that single segment
mbufs don't get copied and instead are updated in place. The aesni
module needs to be updated to support blocked IO so segmented mbufs
don't have to be copied.
We require that the IV be specified for all calls for both GCM and ICM.
This is to ensure proper use of these functions.
Obtained from: p4: //depot/projects/opencrypto
Relnotes: yes
Sponsored by: FreeBSD Foundation
Sponsored by: NetGate
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
| |
Fix gcc build: preserve const qualifier when casting input values.
Noticed by: bz@
Submitted by: dim@
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Constify the AES code and propagate to consumers. This allows us to
update the Fortuna code to use SHAd-256 as defined in FS&K.
Approved by: so (self)
MFC r274341:
I just realized that the previous commit message makes no sense: the
first sentence should have read "Constify the AES and SHA-256 code and
wrappers". This allows us to feed zero_region (which is const) to the
hash function during reseeding and thereby implement the FS&K version of
SHAd-256 instead of the older F&S version.
Approved by: so (self)
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
replace the kernel's version w/ cperciva's implementation... In all
my tests, it is faster ~20%, even on an old IXP425 533MHz it is ~45%
faster... This is partly due to loop unrolling, so the code size does
significantly increase... I do plan on committing a version that
rolls up the loops again for smaller code size for embedded systems
where size is more important than absolute performance (it'll save ~6k
code)...
The kernel implementation is now shared w/ userland's libcrypt and
libmd...
We drop support for sha256 from sha2.c, so now sha2.c only contains
sha384 and sha512...
Reviewed by: secteam@
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
| |
copy these files from lib/libmd in preperation for moving these files
into the kernel...
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch aesgcm.soft.1.patch"
This reverts commit 46e99a8858f1c843c1774e472c11d422ca2163ae.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch aesgcm.hwaccl.diff"
This reverts commit 86163f54d3288d43997b0766d4c2538ed7f70b17.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch ipsec_aescbc_aesni.diff"
This reverts commit e588e3adb30b79a5c8457edbba288b2582253639.
TAG: IPSEC-HEAD
Issue: #4841
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r264400:
NO_MAN= has been deprecated in favor of MAN= for some time, go ahead
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
r265836:
Remove last two NO_MAN= in the tree. In both of these cases, MAN= is
what is needed.
|
|
|
|
|
| |
Put the aesni_cipher_setup() and aesni_cipher_process() functions into
the file which is compiled with SSE disabled.
|
|
|
|
|
|
| |
Add FPU_KERN_KTHR flag to fpu_kern_enter(9).
Apply the flag to padlock(4) and aesni(4).
In aesni_cipher_process(), do not leak FPU context state on error.
|
|
|
|
|
|
| |
mark aesni module _SYNC, improves performance ~27%...
Approved by: re (glebius)
|
|
|
|
|
|
| |
fix issues w/ AES-NI on unaligned data blocks...
Approved by: re (kib)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
performance... Use SSE2 instructions for calculating the XTS tweek
factor... Let the compiler do more work and handle register allocation
by using intrinsics, now only the key schedule is in assembly...
Replace .byte hard coded instructions w/ the proper instructions now
that both clang and gcc support them...
On my machine, pulling the code to userland I saw performance go from
~150MB/sec to 2GB/sec in XTS mode. GELI on GNOP saw a more modest
increase of about 3x due to other system overhead (geom and
opencrypto)...
These changes allow almost full disk io rate w/ geli...
Reviewed by: -current, -security
Thanks to: Mike Hamburg for the XTS tweek algorithm
|
|
|
|
| |
Submitted by: Michael Butler <imb@protected-networks.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
hash function) optimized for speed on short messages returning a 64bit hash/
digest value.
SipHash is simpler and much faster than other secure MACs and competitive
in speed with popular non-cryptographic hash functions. It uses a 128-bit
key without the hidden cost of a key expansion step. SipHash iterates a
simple round function consisting of four additions, four xors, and six
rotations, interleaved with xors of message blocks for a pre-defined number
of compression and finalization rounds. The absence of secret load/store
addresses or secret branch conditions avoid timing attacks. No state is
shared between messages. Hashing is deterministic and doesn't use nonces.
It is not susceptible to length extension attacks.
Target applications include network traffic authentication, message
authentication (MAC) and hash-tables protection against hash-flooding
denial-of-service attacks.
The number of update/finalization rounds is defined during initialization:
SipHash24_Init() for the fast and reasonable strong version.
SipHash48_Init() for the strong version (half as fast).
SipHash usage is similar to other hash functions:
struct SIPHASH_CTX ctx;
char *k = "16bytes long key"
char *s = "string";
uint64_t h = 0;
SipHash24_Init(&ctx);
SipHash_SetKey(&ctx, k);
SipHash_Update(&ctx, s, strlen(s));
SipHash_Final(&h, &ctx); /* or */
h = SipHash_End(&ctx); /* or */
h = SipHash24(&ctx, k, s, strlen(s));
It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and
is described in the paper "SipHash: a fast short-input PRF", 2012.09.18:
https://131002.net/siphash/siphash.pdf
Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa
Implemented by: andre (based on the paper)
Reviewed by: cperciva
|
|
|
|
| |
MFC after: 1 month
|
| |
|
|
|
|
|
|
|
| |
OpenBSD was credited in one of two commits). Fix it.
Reported by: Theo de Raadt <deraadt@cvs.openbsd.org>
Reviewed by: Damien Miller <djm@mindrot.org>
|
|
|
|
| |
Pointyhat to: kevlo (myself)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
64bit and 32bit ABIs. As a side-effect, it enables AVX on capable
CPUs.
In particular:
- Query the CPU support for XSAVE, list of the supported extensions
and the required size of FPU save area. The hw.use_xsave tunable is
provided for disabling XSAVE, and hw.xsave_mask may be used to
select the enabled extensions.
- Remove the FPU save area from PCB and dynamically allocate the
(run-time sized) user save area on the top of the kernel stack,
right above the PCB. Reorganize the thread0 PCB initialization to
postpone it after BSP is queried for save area size.
- The dumppcb, stoppcbs and susppcbs now do not carry the FPU state as
well. FPU state is only useful for suspend, where it is saved in
dynamically allocated suspfpusave area.
- Use XSAVE and XRSTOR to save/restore FPU state, if supported and
enabled.
- Define new mcontext_t flag _MC_HASFPXSTATE, indicating that
mcontext_t has a valid pointer to out-of-struct extended FPU
state. Signal handlers are supplied with stack-allocated fpu
state. The sigreturn(2) and setcontext(2) syscall honour the flag,
allowing the signal handlers to inspect and manipilate extended
state in the interrupted context.
- The getcontext(2) never returns extended state, since there is no
place in the fixed-sized mcontext_t to place variable-sized save
area. And, since mcontext_t is embedded into ucontext_t, makes it
impossible to fix in a reasonable way. Instead of extending
getcontext(2) syscall, provide a sysarch(2) facility to query
extended FPU state.
- Add ptrace(2) support for getting and setting extended state; while
there, implement missed PT_I386_{GET,SET}XMMREGS for 32bit binaries.
- Change fpu_kern KPI to not expose struct fpu_kern_ctx layout to
consumers, making it opaque. Internally, struct fpu_kern_ctx now
contains a space for the extended state. Convert in-kernel consumers
of fpu_kern KPI both on i386 and amd64.
First version of the support for AVX was submitted by Tim Bird
<tim.bird am sony com> on behalf of Sony. This version was written
from scratch.
Tested by: pho (previous version), Yamagi Burmeister <lists yamagi org>
MFC after: 1 month
|
|
|
|
| |
MFC after: 3 days
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Operate on uint64_t types when doing XORing, etc. instead of uint8_t.
- Don't bzero() temporary block for every AES block. Do it once for entire
data block.
- AES-NI is available only on little endian architectures. Simplify code
that takes block number from IV.
Benchmarks:
Memory-backed md(4) device, software AES-XTS, 4kB sector:
# dd if=/dev/md0.eli bs=1m
59.61MB/s
Memory-backed md(4) device, old AES-NI AES-XTS, 4kB sector:
# dd if=/dev/md0.eli bs=1m
97.29MB/s
Memory-backed md(4) device, new AES-NI AES-XTS, 4kB sector:
# dd if=/dev/md0.eli bs=1m
221.26MB/s
127% performance improvement between old and new code.
Harddisk, raw speed:
# dd if=/dev/ada0 bs=1m
137.63MB/s
Harddisk, software AES-XTS, 4kB sector:
# dd if=/dev/ada0.eli bs=1m
47.83MB/s (34% of raw disk speed)
Harddisk, old AES-NI AES-XTS, 4kB sector:
# dd if=/dev/ada0.eli bs=1m
68.33MB/s (49% of raw disk speed)
Harddisk, new AES-NI AES-XTS, 4kB sector:
# dd if=/dev/ada0.eli bs=1m
108.35MB/s (78% of raw disk speed)
58% performance improvement between old and new code.
As a side-note, GELI with AES-NI using AES-CBC can achive native disk speed.
MFC after: 3 days
|
|
|
|
|
|
| |
Reported by: Stefan Grundmann <sg2342 googlemail com>
PR: kern/155118
MFC after: 3 days
|
|
|
|
|
|
|
| |
PR: kern/43611
Submitted by: Matt Emmerton <matt at gsicomp.on.ca>
Reviewed by: kib
MFC after: 3 days
|
|
|
|
| |
MFC after: 3 days
|
|
|
|
|
|
|
|
| |
Only save FPU context when not executing in the context of the crypto
thread.
Tested by: Mike Tancsa
MFC after: 1 week
|
|
|
|
|
|
| |
thread.
Tested by: Mike Tancsa
|
|
|
|
|
|
| |
makes it possible to assemble this file with gas from newer binutils.
Reviewed by: kib
|
|
|
|
| |
MFC after: 2 weeks
|
|
|
|
| |
MFC after: 1 week
|
|
|
|
| |
MFC after: 1 week
|
|
|
|
| |
MFC after: 1 week
|
|
|
|
|
|
|
|
|
| |
The aeskeys_{amd64,i386}.S content was mostly obtained from OpenBSD,
no objections to the license from core.
Hardware provided by: Sentex Communications
Tested by: fabient, pho (previous versions)
MFC after: 1 month
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
context from in-kernel execution of padlock instructions and to handle
spurious FPUDNA exceptions that sometime are raised when doing padlock
calculations.
Globally mark crypto(9) kthread as using FPU.
Reviewed by: pjd
Hardware provided by: Sentex Communications
Tested by: pho
PR: amd64/135014
MFC after: 1 month
|
|
|
|
|
|
|
|
| |
as we already hold the non sleepable crypto_driver_mutex.
Approved by: gnn(mentor)
Obtained from: NETASQ
MFC after: 2 weeks
|