Commit Graph

166 Commits

Author SHA1 Message Date
christos
9305dd3557 fix compilation 2013-02-02 21:38:24 +00:00
christos
8874000015 fix compilation 2013-02-02 21:02:06 +00:00
drochner
8588929dc5 Add "consttime_bcmp" and "explicit_bzero" functions for both kernel
abd userland, as proposed on tech-security, with explicit_bzero using
a volatile function pointer as suggested by Alan Barrett.
Both do what the name says. For userland, both are prefixed by "__"
to keep them out of the user namespace.
Change some memset/memcmp uses to the new functions where it makes
sense -- these are just some examples, more to come.
2012-08-30 12:16:48 +00:00
tls
f27d6532f5 Remove arc4random() and arc4randbytes() from the kernel API. Replace
arc4random() hacks in rump with stubs that call the host arc4random() to
get numbers that are hopefully actually random (arc4random() keyed with
stack junk is not).  This should fix some of the currently failing anita
tests -- we should no longer generate duplicate "random" MAC addresses in
the test environment.
2011-11-28 08:05:05 +00:00
tls
3afd44cf08 First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>.  This change includes
the following:

	An initial cleanup and minor reorganization of the entropy pool
	code in sys/dev/rnd.c and sys/dev/rndpool.c.  Several bugs are
	fixed.  Some effort is made to accumulate entropy more quickly at
	boot time.

	A generic interface, "rndsink", is added, for stream generators to
	request that they be re-keyed with good quality entropy from the pool
	as soon as it is available.

	The arc4random()/arc4randbytes() implementation in libkern is
	adjusted to use the rndsink interface for rekeying, which helps
	address the problem of low-quality keys at boot time.

	An implementation of the FIPS 140-2 statistical tests for random
	number generator quality is provided (libkern/rngtest.c).  This
	is based on Greg Rose's implementation from Qualcomm.

	A new random stream generator, nist_ctr_drbg, is provided.  It is
	based on an implementation of the NIST SP800-90 CTR_DRBG by
	Henric Jungheim.  This generator users AES in a modified counter
	mode to generate a backtracking-resistant random stream.

	An abstraction layer, "cprng", is provided for in-kernel consumers
	of randomness.  The arc4random/arc4randbytes API is deprecated for
	in-kernel use.  It is replaced by "cprng_strong".  The current
	cprng_fast implementation wraps the existing arc4random
	implementation.  The current cprng_strong implementation wraps the
	new CTR_DRBG implementation.  Both interfaces are rekeyed from
	the entropy pool automatically at intervals justifiable from best
	current cryptographic practice.

	In some quick tests, cprng_fast() is about the same speed as
	the old arc4randbytes(), and cprng_strong() is about 20% faster
	than rnd_extract_data().  Performance is expected to improve.

	The AES code in src/crypto/rijndael is no longer an optional
	kernel component, as it is required by cprng_strong, which is
	not an optional kernel component.

	The entropy pool output is subjected to the rngtest tests at
	startup time; if it fails, the system will reboot.  There is
	approximately a 3/10000 chance of a false positive from these
	tests.  Entropy pool _input_ from hardware random numbers is
	subjected to the rngtest tests at attach time, as well as the
	FIPS continuous-output test, to detect bad or stuck hardware
	RNGs; if any are detected, they are detached, but the system
	continues to run.

	A problem with rndctl(8) is fixed -- datastructures with
	pointers in arrays are no longer passed to userspace (this
	was not a security problem, but rather a major issue for
	compat32).  A new kernel will require a new rndctl.

	The sysctl kern.arandom() and kern.urandom() nodes are hooked
	up to the new generators, but the /dev/*random pseudodevices
	are not, yet.

	Manual pages for the new kernel interfaces are forthcoming.
2011-11-19 22:51:18 +00:00
joerg
258624699d Fix memset usage. 2011-07-04 16:06:17 +00:00
mrg
f2c5b35875 avoid some uninitialised warning issues GCC 4.5 complains about. 2011-07-03 01:01:06 +00:00
drochner
b8b7a5e34c use 64-bit integers for GF128 multiplication on LP64 CPUs 2011-06-09 14:47:42 +00:00
drochner
1f2bb173aa -if an opencrypto(9) session is allocated, the driver is refcounted
and can not disappear -- no need to hold crypto_mtx to check the
 driver list
 (the whole check is questionable)
-crp->crp_cv (the condition variable) is used by userland cryptodev
 exclusively -- move its initialization there, no need to waste
 cycles of in-kernel callers
-add a comment which members of "struct cryptop" are used
 by opencrypto(9) and which by crypto(4)
 (this should be split, no need to waste memory for in-kernel callers)
2011-06-09 14:41:24 +00:00
drochner
2706a22ac6 reduce typecasts and byte swapping 2011-06-08 10:14:16 +00:00
drochner
49c12b7a9f use a simple counter as IV for AES-GMAC as suggested in RFC4543 2011-06-07 15:57:51 +00:00
drochner
891d96fa89 allow testing of GCM/GMAC code from userland 2011-05-27 17:09:09 +00:00
drochner
0a8dabda40 pull in AES-GCM/GMAC support from OpenBSD
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.
2011-05-26 21:50:02 +00:00
drochner
92976d49aa fix building of a linked list if multiple algorithms are requested
in a session -- this just didn't work
2011-05-26 20:33:24 +00:00
drochner
a99f8b0b24 catch some corner cases of user input 2011-05-24 19:12:53 +00:00
drochner
ebc232a582 copy AES-XCBC-MAC support from KAME IPSEC to FAST_IPSEC
For this to fit, an API change in cryptosoft was adopted from OpenBSD
(addition of a "Setkey" method to hashes) which was done for GCM/GMAC
support there, so it might be useful in the future anyway.
tested against KAME IPSEC
AFAICT, FAST_IPSEC now supports as much as KAME.
2011-05-24 19:10:08 +00:00
drochner
9f36e7657e move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore
2011-05-24 18:59:21 +00:00
drochner
a82503509c Change the way the IV is generated for AES-CTR: use a simple counter
instead of arc4random(). AES-CTR is sensitive against IV recurrence
(with the same key / nonce), and a random number doesn't give that
guarantee.
This needs a little API change in cryptosoft -- I've suggested it to
Open/FreeBSD, might change it depending on feedback.
Thanks to Steven Bellovin for hints.
2011-05-24 18:52:51 +00:00
drochner
4bd7f95161 -remove references to crypto/arc4/arc4.* -- the code isn't used
anywhere afaics
 (The confusion comes probably from use of arc4random() at various places,
  but this lives in libkern and doesn't share code with the former.)
-g/c non-implementation of arc4 encryption in swcrypto(4)
-remove special casing of ARC4 in crypto(4) -- the point is that it
 doesn't use an IV, and this fact is made explicit by the new "ivsize"
 property of xforms
2011-05-23 15:37:35 +00:00
drochner
893c8ed684 If symmetric encryption is done from userland crypto(4) and no IV
is specified, the kernel gets one from the random generator. Make sure it
is copied out to the user, otherwise the result is quite useless.
2011-05-23 15:22:57 +00:00
drochner
001a6a7632 being here, export camellia-cbc through crypto(4) to allow userland tests 2011-05-23 13:53:59 +00:00
drochner
3e66cf4890 add an AES-CTR xform, from OpenBSD 2011-05-23 13:51:10 +00:00
drochner
5fafa9c424 -in the descriptor for encryption xforms, split the "blocksize" field
into "blocksize" and "IV size"
-add an "reinit" function pointer which, if set, means that the xform
 does its IV handling itself and doesn't want the default CBC handling
 by the framework (poor name, but left that way to avoid unecessary
 differences)
This syncs with Open/FreeBSD, purpose is to allow non-CBC transforms.
Refer to ivsize instead of blocksize where appropriate.
(At this point, blocksize and ivsize are identical.)
2011-05-23 13:46:54 +00:00
drochner
bd8641a3b2 sync minimum key size for AES with reality 2011-05-21 13:23:36 +00:00
drochner
a194baae12 check key size on initialization -- othwise the rijndael code
can fail silently
2011-05-21 13:22:45 +00:00
drochner
c53cf15519 fix a logics bug (which has been here from the beginning) which made
that only 96 random bits were used for IV generation,
this caused eg that the last 4 bytes of the IV in ESP/AES-CBC
were constant, leaking kernel memory
affects FAST_IPSEC only
2011-05-21 10:04:03 +00:00
drochner
efd342eb96 split the "crypto_mtx" spinlock into 3: one spinlock each for
the incoming and outgoing request queues (which can be dealt with
by hardware accelerators) and an adaptive lock for "all the rest"
(mostly driver configuration, but also some unrelated stuff in
cryptodev.c which should be revisited)
The latter one seems to be uneeded at many places, but for now I've
done simple replacements only, except minor fixes (where
softint_schedule() was called without the lock held)
2011-05-16 10:27:49 +00:00
drochner
ee62067b42 remove redundant declarations 2011-05-16 10:18:52 +00:00
drochner
d26dda3d0d As a first step towards more fine-grained locking, don't require
crypto_{new.free}session() to be called with the "crypto_mtx"
spinlock held.
This doesn't change much for now because these functions acquire
the said mutex first on entry now, but at least it keeps the nasty
locks local to the opencrypto core.
2011-05-06 21:48:46 +00:00
drochner
3d2cef1770 support camellia-cbc by swcrypt 2011-05-05 17:44:39 +00:00
drochner
eb321d71b8 make camellia-cbc known to the opencrypto framework 2011-05-05 17:42:17 +00:00
drochner
5321a73544 const'fy algorithm descriptors 2011-03-09 11:43:36 +00:00
drochner
d4205293e5 -start to make the GZIP code similar to DEFLATE: make error handling
work the same way, grow output buffer exponentially and kill
 reallocation of metadata
-minor cleanup, make definitions private which are implementation
 details of deflate.gzip
2011-03-09 11:36:43 +00:00
drochner
b4da53f1e6 make the use of SHA2-HMAC by FAST_IPSEC compliant to current standards:
-RFC2104 says that the block size of the hash algorithm must be used
 for key/ipad/opad calculations. While formerly all ciphers used a block
 length of 64, SHA384 and SHA512 use 128 bytes. So we can't use the
 HMAC_BLOCK_LEN constant anymore. Add a new field to "struct auth_hash"
 for the per-cipher blocksize.
-Due to this, there can't be a single "CRYPTO_SHA2_HMAC" external name
 anymore. Replace this by 3 for the 3 different keysizes.
 This was done by Open/FreeBSD before.
-Also fix the number of authenticator bits used tor ESP and AH to
 conform to RFC4868, and remove uses of AH_HMAC_HASHLEN which did
 assume a fixed authenticator size of 12 bytes.

FAST_IPSEC will not interoperate with KAME IPSEC anymore if sha2 is used,
because the latter doesn't implement these standards. It should
interoperate with at least modern Free/OpenBSD now.
(I've only tested with NetBSD-current/FAST_IPSEC on both ends.)
2011-02-25 20:13:10 +00:00
drochner
1caa9a52b2 small modifications in dealing with the unknown result size of compression/
decompression:
-seperate the IPCOMP specific rule that compression must not grow the
 data from general compression semantics: Introduce a special name
 CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe
 the IPCOMP semantics and use it there. (being here, fix the check
 so that equal size is considered failure as well as required by
 RFC2393)
 Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get
 deflated data back, even if they are not smaller than the original.
-allow to pass a "size hint" to the DEFLATE decompression function
 which is used for the initial buffer allocation. Due to the changes
 done there, additional allocations and extra copies are avoided if the
 initial allocation is sufficient. Set the size hint to MCLBYTES (=2k)
 in IPCOMP which should be good for many use cases.
2011-02-24 20:03:41 +00:00
drochner
7d3e4b2396 make the crypto softint MPSAFE -- I see no reason not to do it, and
it didn't cause trouble for me. (It doesn't give additional parallelization
as things look now, just saves the acquisition of KERNEL_LOCK.)
2011-02-24 19:35:46 +00:00
drochner
8b3e490633 Don't panic, just truncate, if the iov is too short in a COPYBACK.
This case can be triggered from userland cryptodev if the buffer
for decompressed data is too small.
(It would look cleaner if the lengths would be passed explicitely
everywhere, but that would thwart the abstraction done by COPYDATA/COPYBACK
which allows to treat mbufs and iovs the same way.)
2011-02-24 19:28:03 +00:00
drochner
c3a6a9f41e make the compatibility code conditional on COMPAT_50 2011-02-19 16:26:34 +00:00
drochner
896d946a93 redo result buffer allocation, to avoid dynamic allocations:
-use exponentially growing buffer sizes instead of just linear extension
-drop the dynamic allocation of buffer metadata introduced in rev.1.8 --
 if the initial array is not sufficient something is wrong
-apply some (arbitrary, heuristic) limit so that compressed data
 which extract into insane amounts of constant data don't kill the system
This addresses PR kern/36864 by Wolfgang Stukenbrock. Some tuning
might be useful, but hopefully this is an improvement already.
2011-02-18 22:02:09 +00:00
drochner
909a8e8346 more "const" 2011-02-18 19:56:01 +00:00
drochner
50ee89e031 address the obvious byteorder and alignment problems in gzip size/crc
tail, should fix PR kern/44210 by Wolfgang Stukenbrock
being here, fix a bug in crc calculation of decompressed data, and
actually verify the crc
2011-02-18 10:50:56 +00:00
drochner
0533bd7178 The decompressor in sys/net/zlib.c has a bug: It returns Z_BUF_ERROR after
a successful decompression in rare cases. A necessary but not sufficient
condition seems to be that the decompressed data end exactly at the end
of an allocated output buffer. (I can reproduce this reliably with
a userland program built against kernel zlib. Userland libz is much
newer and not affected.)
Since kernel zlib is based on an old version and heavily modified, I don't
dare to touch it. So catch this case in the wrapper.
Being here, reorder deflate/inflate error handling and add comments
to make understandable what is tested and why.
2011-02-17 17:10:18 +00:00
drochner
16566ac90c -avoid allocation of an extra result buffer and data copy in case
the DEFLATE complssion/decompression result is within a single
 buffer already
-simplify bookkeeping of allocated buffers (and don't waste the
 last member of the metadata array)
from Wolfgang Stukenbrock per PR kern/36865 (with some cleanup
of error handling by me)
The Gzip compression case can be improved too, but for now I've applied
the buffer bookkeeping changes.

tested with IP4 IPCOMP
2011-02-16 19:08:57 +00:00
drochner
2cef52fe83 whan compressing, set the Z_FINISH flag to zlib to tell that
the data chunk is the final one, which makes that zlib issues the
proper termination marker
(KAME IPSEC does this, but doesn't check eagerly in the receive
path, so the missing termination didn't cause problems so far)
closes my PR kern/44539
being here, replace the Z_PARTIAL_FLUSH flag which is marked
deprecated by zlib by Z_SYNC_FLUSH in the decompression path
(tested with IPv4 IPCOMP on i386)
2011-02-10 21:17:49 +00:00
drochner
2e4e5505e2 Don't store temporary values in the opencrypto session data struct which
can be shared by multiple threads -- pass them on the stack instead.
Add some "const" to document this. (One _could_ use the session struct
for temporary stuff with proper locking, but it seems unnecessary here.)
Also remove the unused SW_crc member in the session struct.
From Wolfgang Stukenbrock per PR kern/44472.
2011-02-10 21:00:42 +00:00
christos
4e0632c12d PR/44470: Dr. Wolfgang Stukenbrock: opencrypto kernel implementation may pass
outdated argument to worker
2011-01-26 19:52:16 +00:00
pgoyette
96dea8fbcd Keep condvar wmesg within 8 char limit. 2010-08-11 11:49:09 +00:00
jakllsch
bbc746ce72 Consistently use a single CRYPTO_SESID2HID-like macro.
Improve CRYPTO_DEBUG printing a bit:
 print pointers with %p
 print unsigned with %u rather than %d
 use CRYPTO_SESID2LID instead of just casting to uint32_t
2010-08-02 19:59:35 +00:00
hubertf
0579eb13de Add missing "break" for CRYPTO_CAST_CBC, and some assorted comment fixes.
openssl(1) checks for CAST (and others) on ~every startup.
2010-01-31 14:32:56 +00:00
dsl
2a54322c7b If a multithreaded app closes an fd while another thread is blocked in
read/write/accept, then the expectation is that the blocked thread will
exit and the close complete.
Since only one fd is affected, but many fd can refer to the same file,
the close code can only request the fs code unblock with ERESTART.
Fixed for pipes and sockets, ERESTART will only be generated after such
a close - so there should be no change for other programs.
Also rename fo_abort() to fo_restart() (this used to be fo_drain()).
Fixes PR/26567
2009-12-20 09:36:05 +00:00