summaryrefslogtreecommitdiffstats
path: root/sys/crypto
Commit message (Collapse)AuthorAgeFilesLines
* MFC: r285215marius2017-09-212-28/+100
| | | | | | | | | | | | | | | | | | | | | | | remove _NORMAL flag which isn't suppose to be used w/ _alloc_ctx... MFC: r285289 address an issue where consumers, like IPsec, can reuse the same session in multiple threads w/o locking.. There was a single fpu context shared per session, if multiple threads were using the session, and both migrated away, they could corrupt each other's fpu context... MFC: r285297 upon further examination, it turns out that _unregister_all already provides the guarantee that no threads will be in the _newsession code.. MFC: r298332 aesni(4): Initialize error before use [1] Reported by: Coverity [1] CID: 1331554 [1]
* Fix r314332 (MFC of r300903): do not use C99 Static array indicesavg2017-03-022-4/+4
| | | | | | | | | The proper conditional support for that feature has not been MFC-ed yet and GCC is quirky about it. See r314101. This is a direct commit. Reported by: gjb
* MFC r300966: Retune SHA2 code for improved performance on CPUs with more ILP...avg2017-02-272-190/+198
|
* MFC r300903: Implement SHA-512 truncated (224 and 256 bits)avg2017-02-272-0/+223
|
* MFC r292782: Replace sys/crypto/sha2/sha2.c with lib/libmd/sha512c.cavg2017-02-276-800/+581
| | | | | | | cperciva's libmd implementation is 5-30% faster The same was done for SHA256 previously in r263218 Approved by: secteam
* MFC r263215,r263218,r285366: replace the kernel sha256 codeavg2017-02-234-402/+407
| | | | | | | | | | | | | | | r263215 copy these files from lib/libmd in preperation for moving these files into the kernel... r263218 replace the kernel's version w/ cperciva's implementation... r285366 Complete the move that was started w/ r263218.. Note that the last change is out of order with r282726 that I am going to merge as well. Many thanks to cperciva for the more efficient code and to jmg for integrating it into the kernel.
* MFC r264400,r265836:ngie2014-12-311-1/+1
| | | | | | | | | | | | | | r264400: NO_MAN= has been deprecated in favor of MAN= for some time, go ahead and finish the job. ncurses is now the only Makefile in the tree that uses it since it wasn't a simple mechanical change, and will be addressed in a future commit. r265836: Remove last two NO_MAN= in the tree. In both of these cases, MAN= is what is needed.
* MFC r267815:kib2014-06-303-94/+95
| | | | | Put the aesni_cipher_setup() and aesni_cipher_process() functions into the file which is compiled with SSE disabled.
* MFC r267767:kib2014-06-304-60/+28
| | | | | | Add FPU_KERN_KTHR flag to fpu_kern_enter(9). Apply the flag to padlock(4) and aesni(4). In aesni_cipher_process(), do not leak FPU context state on error.
* MFC r258399,258492:jmg2013-11-261-1/+2
| | | | | | mark aesni module _SYNC, improves performance ~27%... Approved by: re (glebius)
* MFC r257757:jmg2013-11-163-67/+95
| | | | | | fix issues w/ AES-NI on unaligned data blocks... Approved by: re (kib)
* Use the fact that the AES-NI instructions can be pipelined to improvejmg2013-09-037-422/+359
| | | | | | | | | | | | | | | | | | | performance... Use SSE2 instructions for calculating the XTS tweek factor... Let the compiler do more work and handle register allocation by using intrinsics, now only the key schedule is in assembly... Replace .byte hard coded instructions w/ the proper instructions now that both clang and gcc support them... On my machine, pulling the code to userland I saw performance go from ~150MB/sec to 2GB/sec in XTS mode. GELI on GNOP saw a more modest increase of about 3x due to other system overhead (geom and opencrypto)... These changes allow almost full disk io rate w/ geli... Reviewed by: -current, -security Thanks to: Mike Hamburg for the XTS tweek algorithm
* Fix const propagation issues to make GCC happy.andre2013-07-111-3/+4
| | | | Submitted by: Michael Butler <imb@protected-networks.net>
* SipHash is a cryptographically strong pseudo-random function (a.k.a. keyedandre2013-07-113-0/+464
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | hash function) optimized for speed on short messages returning a 64bit hash/ digest value. SipHash is simpler and much faster than other secure MACs and competitive in speed with popular non-cryptographic hash functions. It uses a 128-bit key without the hidden cost of a key expansion step. SipHash iterates a simple round function consisting of four additions, four xors, and six rotations, interleaved with xors of message blocks for a pre-defined number of compression and finalization rounds. The absence of secret load/store addresses or secret branch conditions avoid timing attacks. No state is shared between messages. Hashing is deterministic and doesn't use nonces. It is not susceptible to length extension attacks. Target applications include network traffic authentication, message authentication (MAC) and hash-tables protection against hash-flooding denial-of-service attacks. The number of update/finalization rounds is defined during initialization: SipHash24_Init() for the fast and reasonable strong version. SipHash48_Init() for the strong version (half as fast). SipHash usage is similar to other hash functions: struct SIPHASH_CTX ctx; char *k = "16bytes long key" char *s = "string"; uint64_t h = 0; SipHash24_Init(&ctx); SipHash_SetKey(&ctx, k); SipHash_Update(&ctx, s, strlen(s)); SipHash_Final(&h, &ctx); /* or */ h = SipHash_End(&ctx); /* or */ h = SipHash24(&ctx, k, s, strlen(s)); It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and is described in the paper "SipHash: a fast short-input PRF", 2012.09.18: https://131002.net/siphash/siphash.pdf Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa Implemented by: andre (based on the paper) Reviewed by: cperciva
* Sync with KAME.delphij2013-07-092-5/+4
| | | | MFC after: 1 month
* Allow assert() to operate correctly when building userland code.rmh2013-07-091-1/+3
|
* When porting XTS-related code from OpenBSD I forgot to update copyright (onlypjd2013-02-201-0/+1
| | | | | | | OpenBSD was credited in one of two commits). Fix it. Reported by: Theo de Raadt <deraadt@cvs.openbsd.org> Reviewed by: Damien Miller <djm@mindrot.org>
* Revert previous commit...kevlo2012-10-101-1/+1
| | | | Pointyhat to: kevlo (myself)
* Prefer NULL over 0 for pointerskevlo2012-10-091-1/+1
|
* Add support for the extended FPU states on amd64, both for nativekib2012-01-217-14/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 64bit and 32bit ABIs. As a side-effect, it enables AVX on capable CPUs. In particular: - Query the CPU support for XSAVE, list of the supported extensions and the required size of FPU save area. The hw.use_xsave tunable is provided for disabling XSAVE, and hw.xsave_mask may be used to select the enabled extensions. - Remove the FPU save area from PCB and dynamically allocate the (run-time sized) user save area on the top of the kernel stack, right above the PCB. Reorganize the thread0 PCB initialization to postpone it after BSP is queried for save area size. - The dumppcb, stoppcbs and susppcbs now do not carry the FPU state as well. FPU state is only useful for suspend, where it is saved in dynamically allocated suspfpusave area. - Use XSAVE and XRSTOR to save/restore FPU state, if supported and enabled. - Define new mcontext_t flag _MC_HASFPXSTATE, indicating that mcontext_t has a valid pointer to out-of-struct extended FPU state. Signal handlers are supplied with stack-allocated fpu state. The sigreturn(2) and setcontext(2) syscall honour the flag, allowing the signal handlers to inspect and manipilate extended state in the interrupted context. - The getcontext(2) never returns extended state, since there is no place in the fixed-sized mcontext_t to place variable-sized save area. And, since mcontext_t is embedded into ucontext_t, makes it impossible to fix in a reasonable way. Instead of extending getcontext(2) syscall, provide a sysarch(2) facility to query extended FPU state. - Add ptrace(2) support for getting and setting extended state; while there, implement missed PT_I386_{GET,SET}XMMREGS for 32bit binaries. - Change fpu_kern KPI to not expose struct fpu_kern_ctx layout to consumers, making it opaque. Internally, struct fpu_kern_ctx now contains a space for the extended state. Convert in-kernel consumers of fpu_kern KPI both on i386 and amd64. First version of the support for AVX was submitted by Tim Bird <tim.bird am sony com> on behalf of Sony. This version was written from scratch. Tested by: pho (previous version), Yamagi Burmeister <lists yamagi org> MFC after: 1 month
* Update Copyright.pjd2011-10-271-1/+1
| | | | MFC after: 3 days
* Improve AES-NI performance for AES-XTS:pjd2011-10-271-26/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Operate on uint64_t types when doing XORing, etc. instead of uint8_t. - Don't bzero() temporary block for every AES block. Do it once for entire data block. - AES-NI is available only on little endian architectures. Simplify code that takes block number from IV. Benchmarks: Memory-backed md(4) device, software AES-XTS, 4kB sector: # dd if=/dev/md0.eli bs=1m 59.61MB/s Memory-backed md(4) device, old AES-NI AES-XTS, 4kB sector: # dd if=/dev/md0.eli bs=1m 97.29MB/s Memory-backed md(4) device, new AES-NI AES-XTS, 4kB sector: # dd if=/dev/md0.eli bs=1m 221.26MB/s 127% performance improvement between old and new code. Harddisk, raw speed: # dd if=/dev/ada0 bs=1m 137.63MB/s Harddisk, software AES-XTS, 4kB sector: # dd if=/dev/ada0.eli bs=1m 47.83MB/s (34% of raw disk speed) Harddisk, old AES-NI AES-XTS, 4kB sector: # dd if=/dev/ada0.eli bs=1m 68.33MB/s (49% of raw disk speed) Harddisk, new AES-NI AES-XTS, 4kB sector: # dd if=/dev/ada0.eli bs=1m 108.35MB/s (78% of raw disk speed) 58% performance improvement between old and new code. As a side-note, GELI with AES-NI using AES-CBC can achive native disk speed. MFC after: 3 days
* Fix a bug in the result of manual assembly.kib2011-03-022-2/+2
| | | | | | Reported by: Stefan Grundmann <sg2342 googlemail com> PR: kern/155118 MFC after: 3 days
* Make private functions static.brucec2011-02-211-8/+8
| | | | | | | PR: kern/43611 Submitted by: Matt Emmerton <matt at gsicomp.on.ca> Reviewed by: kib MFC after: 3 days
* Remove DEBUG sections.kib2010-11-271-24/+0
| | | | MFC after: 3 days
* MFaesni r215427:kib2010-11-263-9/+31
| | | | | | | | Only save FPU context when not executing in the context of the crypto thread. Tested by: Mike Tancsa MFC after: 1 week
* Only save FPU context when not executing in the context of the cryptokib2010-11-171-8/+22
| | | | | | thread. Tested by: Mike Tancsa
* Change two missed instances of 'retq' in aeskeys_i386.S to 'retl', whichdim2010-10-131-2/+2
| | | | | | makes it possible to assemble this file with gas from newer binutils. Reviewed by: kib
* Fix two copy&paste bugs.pjd2010-09-251-2/+2
| | | | MFC after: 2 weeks
* Add support for CRYPTO_AES_XTS.pjd2010-09-233-24/+151
| | | | MFC after: 1 week
* Add support for CRD_F_KEY_EXPLICIT flag.pjd2010-09-231-16/+32
| | | | MFC after: 1 week
* Simplify code a bit.pjd2010-09-232-10/+5
| | | | MFC after: 1 week
* Crypto(4) driver for AESNI.kib2010-07-237-0/+1464
| | | | | | | | | The aeskeys_{amd64,i386}.S content was mostly obtained from OpenBSD, no objections to the license from core. Hardware provided by: Sentex Communications Tested by: fabient, pho (previous versions) MFC after: 1 month
* Use the fpu_kern_enter() interface to properly separate usermode FPUkib2010-06-054-3/+34
| | | | | | | | | | | | | | context from in-kernel execution of padlock instructions and to handle spurious FPUDNA exceptions that sometime are raised when doing padlock calculations. Globally mark crypto(9) kthread as using FPU. Reviewed by: pjd Hardware provided by: Sentex Communications Tested by: pho PR: amd64/135014 MFC after: 1 month
* Changed to M_NOWAIT when reallocing psc_buf in padlock_sha_update(),vanhu2009-05-271-1/+3
| | | | | | | | as we already hold the non sleepable crypto_driver_mutex. Approved by: gnn(mentor) Obtained from: NETASQ MFC after: 2 weeks
* identify routine takes driver_t *, not device_t *.imp2009-02-051-1/+1
|
* Connect padlock(4) to amd64 build for VIA Nano processors.jkim2009-01-122-3/+3
|
* Avoid 256 integer divisions per rc4_init() call. Replace it with usingmav2008-12-161-3/+5
| | | | | | | | separate index variable. It gives more then double rc4_init() performance increase on tested i386 P4. It also gives about 15% speedup to PPTP VPN with stateless MPPE encryption (by ng_mppc) which calls rc4_init() for every packet.
* Fix a potential NULL-pointer dereference in padlock(4).philip2008-11-171-1/+5
| | | | | Spotted by: Coverity (via pjd) MFC after: 1 week
* Simplify session selection/allocation.pjd2008-08-091-10/+5
|
* - Fix freeing session on newsession failure.pjd2008-08-091-9/+24
| | | | - Update copyright years.
* Implify sessions freeing loop.pjd2008-08-091-2/+1
|
* We don't have to drop a lock around malloc(M_NOWAIT).pjd2008-08-091-4/+4
|
* When freeing session, restore its ID after zeroing memory.pjd2008-08-091-0/+1
| | | | Bug tracked down by: Patrick Lamaiziere <patfbsd@davenulle.org>
* Sessions in-use are at the end of the queue, so use TAILQ_FOREACH_REVERSE()pjd2008-08-091-3/+5
| | | | | | when looking for them. Idea from: Patrick Lamaiziere <patfbsd@davenulle.org>
* Convert lock that protects sessions list from a mutex to a rwlock.pjd2008-07-201-16/+16
| | | | Now we can use read lock in fast path (padlock_process()).
* Make test00 compilable again.sobomax2008-01-152-1/+3
|
* Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSECgnn2007-07-031-1/+1
| | | | | | | | option is now deprecated, as well as the KAME IPsec code. What was FAST_IPSEC is now IPSEC. Approved by: re Sponsored by: Secure Computing
* Integrate the Camellia Block Cipher. For more information see RFC 4132gnn2007-05-093-0/+1459
| | | | | | | and its bibliography. Submitted by: Tomoyuki Okazaki <okazaki at kick dot gr dot jp> MFC after: 1 month
* Overhaul driver/subsystem api's:sam2007-03-211-74/+68
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | o make all crypto drivers have a device_t; pseudo drivers like the s/w crypto driver synthesize one o change the api between the crypto subsystem and drivers to use kobj; cryptodev_if.m defines this api o use the fact that all crypto drivers now have a device_t to add support for specifying which of several potential devices to use when doing crypto operations o add new ioctls that allow user apps to select a specific crypto device to use (previous ioctls maintained for compatibility) o overhaul crypto subsystem code to eliminate lots of cruft and hide implementation details from drivers o bring in numerous fixes from Michale Richardson/hifn; mostly for 795x parts o add an optional mechanism for mmap'ing the hifn 795x public key h/w to user space for use by openssl (not enabled by default) o update crypto test tools to use new ioctl's and add cmd line options to specify a device to use for tests These changes will also enable much future work on improving the core crypto subsystem; including proper load balancing and interposing code between the core and drivers to dispatch small operations to the s/w driver as appropriate. These changes were instigated by the work of Michael Richardson. Reviewed by: pjd Approved by: re
OpenPOWER on IntegriCloud