Commit Graph

179 Commits

Author SHA1 Message Date
pgoyette
f496b70ec7 Undo previous - it still needs a lot more work.
For now, we'll use the hand-crafted cf* structures and directly
call all the config routines.
2014-02-03 23:11:40 +00:00
pgoyette
ece0adc8d2 Replace home-grown config with standardized calls to
config_{init,fini}_component()
2014-01-31 18:11:32 +00:00
pgoyette
ed85bc8507 As requested by mrg@, since there is still a small window during which
the in-module ref-counting can fail, completely disable auto-unload.
2014-01-24 15:11:09 +00:00
pgoyette
1e5d7f9c10 Implement in-module ref-counting, and do not allow auto-unload if there
are existing references.

Note that manual unloading is not prevented.

OK christos@

XXX Also note that there is still a small window where the ref-count can
XXX be decremented, and then the process/thread preempted.  If auto-unload
XXX happens before that thread can return from the module's code, bad
XXX things (tm) could happen.
2014-01-21 20:33:01 +00:00
pgoyette
e28535a6ba knf: Blank line even if no variable declarations. 2014-01-21 18:54:28 +00:00
christos
f317bf09bc bail out unloading for now 2014-01-19 18:16:13 +00:00
pgoyette
05ab90b48a Clean-up module initialization 2014-01-14 14:16:47 +00:00
pgoyette
c01db8ec62 When using modular opencrypto, make sure the sysctl variables get
created.
2014-01-13 21:15:36 +00:00
pgoyette
ece76c8800 When crypto(4) is built-in, crypto_modcmd() doesn't need to handle all
the auto-config stuff.

While here, ensure that we depend on opencrypto.
2014-01-04 21:42:42 +00:00
pgoyette
2dd4f4d91a Modularize the opencrypto components and link to the build 2014-01-01 16:06:00 +00:00
martin
8606bfb9d2 Remove unused variable 2013-09-12 13:12:35 +00:00
martin
814c381f42 Fix return value of cryptodev_msessionfin. 2013-09-12 13:02:37 +00:00
riastradh
82db4b9858 Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset.
consttime_memequal is the same as the old consttime_bcmp.
explicit_memset is to memset as explicit_bzero was to bcmp.

Passes amd64 release and i386/ALL, but I'm sure I missed some spots,
so please let me know.
2013-06-24 04:21:19 +00:00
christos
9305dd3557 fix compilation 2013-02-02 21:38:24 +00:00
christos
8874000015 fix compilation 2013-02-02 21:02:06 +00:00
drochner
8588929dc5 Add "consttime_bcmp" and "explicit_bzero" functions for both kernel
abd userland, as proposed on tech-security, with explicit_bzero using
a volatile function pointer as suggested by Alan Barrett.
Both do what the name says. For userland, both are prefixed by "__"
to keep them out of the user namespace.
Change some memset/memcmp uses to the new functions where it makes
sense -- these are just some examples, more to come.
2012-08-30 12:16:48 +00:00
tls
f27d6532f5 Remove arc4random() and arc4randbytes() from the kernel API. Replace
arc4random() hacks in rump with stubs that call the host arc4random() to
get numbers that are hopefully actually random (arc4random() keyed with
stack junk is not).  This should fix some of the currently failing anita
tests -- we should no longer generate duplicate "random" MAC addresses in
the test environment.
2011-11-28 08:05:05 +00:00
tls
3afd44cf08 First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>.  This change includes
the following:

	An initial cleanup and minor reorganization of the entropy pool
	code in sys/dev/rnd.c and sys/dev/rndpool.c.  Several bugs are
	fixed.  Some effort is made to accumulate entropy more quickly at
	boot time.

	A generic interface, "rndsink", is added, for stream generators to
	request that they be re-keyed with good quality entropy from the pool
	as soon as it is available.

	The arc4random()/arc4randbytes() implementation in libkern is
	adjusted to use the rndsink interface for rekeying, which helps
	address the problem of low-quality keys at boot time.

	An implementation of the FIPS 140-2 statistical tests for random
	number generator quality is provided (libkern/rngtest.c).  This
	is based on Greg Rose's implementation from Qualcomm.

	A new random stream generator, nist_ctr_drbg, is provided.  It is
	based on an implementation of the NIST SP800-90 CTR_DRBG by
	Henric Jungheim.  This generator users AES in a modified counter
	mode to generate a backtracking-resistant random stream.

	An abstraction layer, "cprng", is provided for in-kernel consumers
	of randomness.  The arc4random/arc4randbytes API is deprecated for
	in-kernel use.  It is replaced by "cprng_strong".  The current
	cprng_fast implementation wraps the existing arc4random
	implementation.  The current cprng_strong implementation wraps the
	new CTR_DRBG implementation.  Both interfaces are rekeyed from
	the entropy pool automatically at intervals justifiable from best
	current cryptographic practice.

	In some quick tests, cprng_fast() is about the same speed as
	the old arc4randbytes(), and cprng_strong() is about 20% faster
	than rnd_extract_data().  Performance is expected to improve.

	The AES code in src/crypto/rijndael is no longer an optional
	kernel component, as it is required by cprng_strong, which is
	not an optional kernel component.

	The entropy pool output is subjected to the rngtest tests at
	startup time; if it fails, the system will reboot.  There is
	approximately a 3/10000 chance of a false positive from these
	tests.  Entropy pool _input_ from hardware random numbers is
	subjected to the rngtest tests at attach time, as well as the
	FIPS continuous-output test, to detect bad or stuck hardware
	RNGs; if any are detected, they are detached, but the system
	continues to run.

	A problem with rndctl(8) is fixed -- datastructures with
	pointers in arrays are no longer passed to userspace (this
	was not a security problem, but rather a major issue for
	compat32).  A new kernel will require a new rndctl.

	The sysctl kern.arandom() and kern.urandom() nodes are hooked
	up to the new generators, but the /dev/*random pseudodevices
	are not, yet.

	Manual pages for the new kernel interfaces are forthcoming.
2011-11-19 22:51:18 +00:00
joerg
258624699d Fix memset usage. 2011-07-04 16:06:17 +00:00
mrg
f2c5b35875 avoid some uninitialised warning issues GCC 4.5 complains about. 2011-07-03 01:01:06 +00:00
drochner
b8b7a5e34c use 64-bit integers for GF128 multiplication on LP64 CPUs 2011-06-09 14:47:42 +00:00
drochner
1f2bb173aa -if an opencrypto(9) session is allocated, the driver is refcounted
and can not disappear -- no need to hold crypto_mtx to check the
 driver list
 (the whole check is questionable)
-crp->crp_cv (the condition variable) is used by userland cryptodev
 exclusively -- move its initialization there, no need to waste
 cycles of in-kernel callers
-add a comment which members of "struct cryptop" are used
 by opencrypto(9) and which by crypto(4)
 (this should be split, no need to waste memory for in-kernel callers)
2011-06-09 14:41:24 +00:00
drochner
2706a22ac6 reduce typecasts and byte swapping 2011-06-08 10:14:16 +00:00
drochner
49c12b7a9f use a simple counter as IV for AES-GMAC as suggested in RFC4543 2011-06-07 15:57:51 +00:00
drochner
891d96fa89 allow testing of GCM/GMAC code from userland 2011-05-27 17:09:09 +00:00
drochner
0a8dabda40 pull in AES-GCM/GMAC support from OpenBSD
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.
2011-05-26 21:50:02 +00:00
drochner
92976d49aa fix building of a linked list if multiple algorithms are requested
in a session -- this just didn't work
2011-05-26 20:33:24 +00:00
drochner
a99f8b0b24 catch some corner cases of user input 2011-05-24 19:12:53 +00:00
drochner
ebc232a582 copy AES-XCBC-MAC support from KAME IPSEC to FAST_IPSEC
For this to fit, an API change in cryptosoft was adopted from OpenBSD
(addition of a "Setkey" method to hashes) which was done for GCM/GMAC
support there, so it might be useful in the future anyway.
tested against KAME IPSEC
AFAICT, FAST_IPSEC now supports as much as KAME.
2011-05-24 19:10:08 +00:00
drochner
9f36e7657e move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore
2011-05-24 18:59:21 +00:00
drochner
a82503509c Change the way the IV is generated for AES-CTR: use a simple counter
instead of arc4random(). AES-CTR is sensitive against IV recurrence
(with the same key / nonce), and a random number doesn't give that
guarantee.
This needs a little API change in cryptosoft -- I've suggested it to
Open/FreeBSD, might change it depending on feedback.
Thanks to Steven Bellovin for hints.
2011-05-24 18:52:51 +00:00
drochner
4bd7f95161 -remove references to crypto/arc4/arc4.* -- the code isn't used
anywhere afaics
 (The confusion comes probably from use of arc4random() at various places,
  but this lives in libkern and doesn't share code with the former.)
-g/c non-implementation of arc4 encryption in swcrypto(4)
-remove special casing of ARC4 in crypto(4) -- the point is that it
 doesn't use an IV, and this fact is made explicit by the new "ivsize"
 property of xforms
2011-05-23 15:37:35 +00:00
drochner
893c8ed684 If symmetric encryption is done from userland crypto(4) and no IV
is specified, the kernel gets one from the random generator. Make sure it
is copied out to the user, otherwise the result is quite useless.
2011-05-23 15:22:57 +00:00
drochner
001a6a7632 being here, export camellia-cbc through crypto(4) to allow userland tests 2011-05-23 13:53:59 +00:00
drochner
3e66cf4890 add an AES-CTR xform, from OpenBSD 2011-05-23 13:51:10 +00:00
drochner
5fafa9c424 -in the descriptor for encryption xforms, split the "blocksize" field
into "blocksize" and "IV size"
-add an "reinit" function pointer which, if set, means that the xform
 does its IV handling itself and doesn't want the default CBC handling
 by the framework (poor name, but left that way to avoid unecessary
 differences)
This syncs with Open/FreeBSD, purpose is to allow non-CBC transforms.
Refer to ivsize instead of blocksize where appropriate.
(At this point, blocksize and ivsize are identical.)
2011-05-23 13:46:54 +00:00
drochner
bd8641a3b2 sync minimum key size for AES with reality 2011-05-21 13:23:36 +00:00
drochner
a194baae12 check key size on initialization -- othwise the rijndael code
can fail silently
2011-05-21 13:22:45 +00:00
drochner
c53cf15519 fix a logics bug (which has been here from the beginning) which made
that only 96 random bits were used for IV generation,
this caused eg that the last 4 bytes of the IV in ESP/AES-CBC
were constant, leaking kernel memory
affects FAST_IPSEC only
2011-05-21 10:04:03 +00:00
drochner
efd342eb96 split the "crypto_mtx" spinlock into 3: one spinlock each for
the incoming and outgoing request queues (which can be dealt with
by hardware accelerators) and an adaptive lock for "all the rest"
(mostly driver configuration, but also some unrelated stuff in
cryptodev.c which should be revisited)
The latter one seems to be uneeded at many places, but for now I've
done simple replacements only, except minor fixes (where
softint_schedule() was called without the lock held)
2011-05-16 10:27:49 +00:00
drochner
ee62067b42 remove redundant declarations 2011-05-16 10:18:52 +00:00
drochner
d26dda3d0d As a first step towards more fine-grained locking, don't require
crypto_{new.free}session() to be called with the "crypto_mtx"
spinlock held.
This doesn't change much for now because these functions acquire
the said mutex first on entry now, but at least it keeps the nasty
locks local to the opencrypto core.
2011-05-06 21:48:46 +00:00
drochner
3d2cef1770 support camellia-cbc by swcrypt 2011-05-05 17:44:39 +00:00
drochner
eb321d71b8 make camellia-cbc known to the opencrypto framework 2011-05-05 17:42:17 +00:00
drochner
5321a73544 const'fy algorithm descriptors 2011-03-09 11:43:36 +00:00
drochner
d4205293e5 -start to make the GZIP code similar to DEFLATE: make error handling
work the same way, grow output buffer exponentially and kill
 reallocation of metadata
-minor cleanup, make definitions private which are implementation
 details of deflate.gzip
2011-03-09 11:36:43 +00:00
drochner
b4da53f1e6 make the use of SHA2-HMAC by FAST_IPSEC compliant to current standards:
-RFC2104 says that the block size of the hash algorithm must be used
 for key/ipad/opad calculations. While formerly all ciphers used a block
 length of 64, SHA384 and SHA512 use 128 bytes. So we can't use the
 HMAC_BLOCK_LEN constant anymore. Add a new field to "struct auth_hash"
 for the per-cipher blocksize.
-Due to this, there can't be a single "CRYPTO_SHA2_HMAC" external name
 anymore. Replace this by 3 for the 3 different keysizes.
 This was done by Open/FreeBSD before.
-Also fix the number of authenticator bits used tor ESP and AH to
 conform to RFC4868, and remove uses of AH_HMAC_HASHLEN which did
 assume a fixed authenticator size of 12 bytes.

FAST_IPSEC will not interoperate with KAME IPSEC anymore if sha2 is used,
because the latter doesn't implement these standards. It should
interoperate with at least modern Free/OpenBSD now.
(I've only tested with NetBSD-current/FAST_IPSEC on both ends.)
2011-02-25 20:13:10 +00:00
drochner
1caa9a52b2 small modifications in dealing with the unknown result size of compression/
decompression:
-seperate the IPCOMP specific rule that compression must not grow the
 data from general compression semantics: Introduce a special name
 CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe
 the IPCOMP semantics and use it there. (being here, fix the check
 so that equal size is considered failure as well as required by
 RFC2393)
 Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get
 deflated data back, even if they are not smaller than the original.
-allow to pass a "size hint" to the DEFLATE decompression function
 which is used for the initial buffer allocation. Due to the changes
 done there, additional allocations and extra copies are avoided if the
 initial allocation is sufficient. Set the size hint to MCLBYTES (=2k)
 in IPCOMP which should be good for many use cases.
2011-02-24 20:03:41 +00:00
drochner
7d3e4b2396 make the crypto softint MPSAFE -- I see no reason not to do it, and
it didn't cause trouble for me. (It doesn't give additional parallelization
as things look now, just saves the acquisition of KERNEL_LOCK.)
2011-02-24 19:35:46 +00:00
drochner
8b3e490633 Don't panic, just truncate, if the iov is too short in a COPYBACK.
This case can be triggered from userland cryptodev if the buffer
for decompressed data is too small.
(It would look cleaner if the lengths would be passed explicitely
everywhere, but that would thwart the abstraction done by COPYDATA/COPYBACK
which allows to treat mbufs and iovs the same way.)
2011-02-24 19:28:03 +00:00