Commit Graph

195 Commits

Author SHA1 Message Date
msaitoh 8bc54e5be6 KNF. Remove extra spaces. No functional change. 2016-07-07 06:55:38 +00:00
dholland 99c0175780 Needs sys/time.h for struct timespec. 2016-01-22 22:35:27 +00:00
christos df2b8d0369 fix the build 2015-11-28 03:40:43 +00:00
pgoyette aa36e9a178 Re-work the module init and destroy code to allow it to be unloaded and
then reloaded.

Should fix PR kern/49842
2015-11-28 03:06:45 +00:00
dholland 1fbab01a93 More on PR 41200: headers that declare ioctls should include sys/ioccom.h.
This covers (I think) all the MI headers outside of external/ (and dist/).
2015-09-06 06:00:59 +00:00
christos e7ae23fd9e include "ioconf.h" to get the 'void <driver>attach(int count);' prototype. 2015-08-20 14:40:16 +00:00
prlw1 810c65ef57 Trivial printf format changes and typo fix 2015-03-26 17:40:16 +00:00
christos b6c3dd8524 simplify, no functional change 2014-11-27 20:30:21 +00:00
christos 4a7ee5f4da Return ENOSPC instead of ENOMEM when there is no room in the buffer to
store results. ENOMEM in this subsystem means we cannot allocate more
requests or internal buffers for xforms.
2014-11-27 20:30:05 +00:00
matt 68a7688ef0 Try not to use f_data, use f_fcrypt to get a correctly typed pointer. 2014-09-05 09:23:40 +00:00
skrll 8c091b0d9b At least crypto_mtx needs initialisation here. Spotted during PR/49065
investigation.
2014-08-04 14:17:18 +00:00
dholland f9228f4225 Add d_discard to all struct cdevsw instances I could find.
All have been set to "nodiscard"; some should get a real implementation.
2014-07-25 08:10:31 +00:00
riastradh f1257be5b0 If we register with pmf on attach, deregister on detach. 2014-07-02 18:58:42 +00:00
christos f43f371e43 register with pmf. 2014-06-21 17:34:30 +00:00
dholland a68f9396b6 Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.
2014-03-16 05:20:22 +00:00
pooka 4f6fb3bf35 Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
2014-02-25 18:30:08 +00:00
pgoyette f496b70ec7 Undo previous - it still needs a lot more work.
For now, we'll use the hand-crafted cf* structures and directly
call all the config routines.
2014-02-03 23:11:40 +00:00
pgoyette ece0adc8d2 Replace home-grown config with standardized calls to
config_{init,fini}_component()
2014-01-31 18:11:32 +00:00
pgoyette ed85bc8507 As requested by mrg@, since there is still a small window during which
the in-module ref-counting can fail, completely disable auto-unload.
2014-01-24 15:11:09 +00:00
pgoyette 1e5d7f9c10 Implement in-module ref-counting, and do not allow auto-unload if there
are existing references.

Note that manual unloading is not prevented.

OK christos@

XXX Also note that there is still a small window where the ref-count can
XXX be decremented, and then the process/thread preempted.  If auto-unload
XXX happens before that thread can return from the module's code, bad
XXX things (tm) could happen.
2014-01-21 20:33:01 +00:00
pgoyette e28535a6ba knf: Blank line even if no variable declarations. 2014-01-21 18:54:28 +00:00
christos f317bf09bc bail out unloading for now 2014-01-19 18:16:13 +00:00
pgoyette 05ab90b48a Clean-up module initialization 2014-01-14 14:16:47 +00:00
pgoyette c01db8ec62 When using modular opencrypto, make sure the sysctl variables get
created.
2014-01-13 21:15:36 +00:00
pgoyette ece76c8800 When crypto(4) is built-in, crypto_modcmd() doesn't need to handle all
the auto-config stuff.

While here, ensure that we depend on opencrypto.
2014-01-04 21:42:42 +00:00
pgoyette 2dd4f4d91a Modularize the opencrypto components and link to the build 2014-01-01 16:06:00 +00:00
martin 8606bfb9d2 Remove unused variable 2013-09-12 13:12:35 +00:00
martin 814c381f42 Fix return value of cryptodev_msessionfin. 2013-09-12 13:02:37 +00:00
riastradh 82db4b9858 Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset.
consttime_memequal is the same as the old consttime_bcmp.
explicit_memset is to memset as explicit_bzero was to bcmp.

Passes amd64 release and i386/ALL, but I'm sure I missed some spots,
so please let me know.
2013-06-24 04:21:19 +00:00
christos 9305dd3557 fix compilation 2013-02-02 21:38:24 +00:00
christos 8874000015 fix compilation 2013-02-02 21:02:06 +00:00
drochner 8588929dc5 Add "consttime_bcmp" and "explicit_bzero" functions for both kernel
abd userland, as proposed on tech-security, with explicit_bzero using
a volatile function pointer as suggested by Alan Barrett.
Both do what the name says. For userland, both are prefixed by "__"
to keep them out of the user namespace.
Change some memset/memcmp uses to the new functions where it makes
sense -- these are just some examples, more to come.
2012-08-30 12:16:48 +00:00
tls f27d6532f5 Remove arc4random() and arc4randbytes() from the kernel API. Replace
arc4random() hacks in rump with stubs that call the host arc4random() to
get numbers that are hopefully actually random (arc4random() keyed with
stack junk is not).  This should fix some of the currently failing anita
tests -- we should no longer generate duplicate "random" MAC addresses in
the test environment.
2011-11-28 08:05:05 +00:00
tls 3afd44cf08 First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>.  This change includes
the following:

	An initial cleanup and minor reorganization of the entropy pool
	code in sys/dev/rnd.c and sys/dev/rndpool.c.  Several bugs are
	fixed.  Some effort is made to accumulate entropy more quickly at
	boot time.

	A generic interface, "rndsink", is added, for stream generators to
	request that they be re-keyed with good quality entropy from the pool
	as soon as it is available.

	The arc4random()/arc4randbytes() implementation in libkern is
	adjusted to use the rndsink interface for rekeying, which helps
	address the problem of low-quality keys at boot time.

	An implementation of the FIPS 140-2 statistical tests for random
	number generator quality is provided (libkern/rngtest.c).  This
	is based on Greg Rose's implementation from Qualcomm.

	A new random stream generator, nist_ctr_drbg, is provided.  It is
	based on an implementation of the NIST SP800-90 CTR_DRBG by
	Henric Jungheim.  This generator users AES in a modified counter
	mode to generate a backtracking-resistant random stream.

	An abstraction layer, "cprng", is provided for in-kernel consumers
	of randomness.  The arc4random/arc4randbytes API is deprecated for
	in-kernel use.  It is replaced by "cprng_strong".  The current
	cprng_fast implementation wraps the existing arc4random
	implementation.  The current cprng_strong implementation wraps the
	new CTR_DRBG implementation.  Both interfaces are rekeyed from
	the entropy pool automatically at intervals justifiable from best
	current cryptographic practice.

	In some quick tests, cprng_fast() is about the same speed as
	the old arc4randbytes(), and cprng_strong() is about 20% faster
	than rnd_extract_data().  Performance is expected to improve.

	The AES code in src/crypto/rijndael is no longer an optional
	kernel component, as it is required by cprng_strong, which is
	not an optional kernel component.

	The entropy pool output is subjected to the rngtest tests at
	startup time; if it fails, the system will reboot.  There is
	approximately a 3/10000 chance of a false positive from these
	tests.  Entropy pool _input_ from hardware random numbers is
	subjected to the rngtest tests at attach time, as well as the
	FIPS continuous-output test, to detect bad or stuck hardware
	RNGs; if any are detected, they are detached, but the system
	continues to run.

	A problem with rndctl(8) is fixed -- datastructures with
	pointers in arrays are no longer passed to userspace (this
	was not a security problem, but rather a major issue for
	compat32).  A new kernel will require a new rndctl.

	The sysctl kern.arandom() and kern.urandom() nodes are hooked
	up to the new generators, but the /dev/*random pseudodevices
	are not, yet.

	Manual pages for the new kernel interfaces are forthcoming.
2011-11-19 22:51:18 +00:00
joerg 258624699d Fix memset usage. 2011-07-04 16:06:17 +00:00
mrg f2c5b35875 avoid some uninitialised warning issues GCC 4.5 complains about. 2011-07-03 01:01:06 +00:00
drochner b8b7a5e34c use 64-bit integers for GF128 multiplication on LP64 CPUs 2011-06-09 14:47:42 +00:00
drochner 1f2bb173aa -if an opencrypto(9) session is allocated, the driver is refcounted
and can not disappear -- no need to hold crypto_mtx to check the
 driver list
 (the whole check is questionable)
-crp->crp_cv (the condition variable) is used by userland cryptodev
 exclusively -- move its initialization there, no need to waste
 cycles of in-kernel callers
-add a comment which members of "struct cryptop" are used
 by opencrypto(9) and which by crypto(4)
 (this should be split, no need to waste memory for in-kernel callers)
2011-06-09 14:41:24 +00:00
drochner 2706a22ac6 reduce typecasts and byte swapping 2011-06-08 10:14:16 +00:00
drochner 49c12b7a9f use a simple counter as IV for AES-GMAC as suggested in RFC4543 2011-06-07 15:57:51 +00:00
drochner 891d96fa89 allow testing of GCM/GMAC code from userland 2011-05-27 17:09:09 +00:00
drochner 0a8dabda40 pull in AES-GCM/GMAC support from OpenBSD
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.
2011-05-26 21:50:02 +00:00
drochner 92976d49aa fix building of a linked list if multiple algorithms are requested
in a session -- this just didn't work
2011-05-26 20:33:24 +00:00
drochner a99f8b0b24 catch some corner cases of user input 2011-05-24 19:12:53 +00:00
drochner ebc232a582 copy AES-XCBC-MAC support from KAME IPSEC to FAST_IPSEC
For this to fit, an API change in cryptosoft was adopted from OpenBSD
(addition of a "Setkey" method to hashes) which was done for GCM/GMAC
support there, so it might be useful in the future anyway.
tested against KAME IPSEC
AFAICT, FAST_IPSEC now supports as much as KAME.
2011-05-24 19:10:08 +00:00
drochner 9f36e7657e move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore
2011-05-24 18:59:21 +00:00
drochner a82503509c Change the way the IV is generated for AES-CTR: use a simple counter
instead of arc4random(). AES-CTR is sensitive against IV recurrence
(with the same key / nonce), and a random number doesn't give that
guarantee.
This needs a little API change in cryptosoft -- I've suggested it to
Open/FreeBSD, might change it depending on feedback.
Thanks to Steven Bellovin for hints.
2011-05-24 18:52:51 +00:00
drochner 4bd7f95161 -remove references to crypto/arc4/arc4.* -- the code isn't used
anywhere afaics
 (The confusion comes probably from use of arc4random() at various places,
  but this lives in libkern and doesn't share code with the former.)
-g/c non-implementation of arc4 encryption in swcrypto(4)
-remove special casing of ARC4 in crypto(4) -- the point is that it
 doesn't use an IV, and this fact is made explicit by the new "ivsize"
 property of xforms
2011-05-23 15:37:35 +00:00
drochner 893c8ed684 If symmetric encryption is done from userland crypto(4) and no IV
is specified, the kernel gets one from the random generator. Make sure it
is copied out to the user, otherwise the result is quite useless.
2011-05-23 15:22:57 +00:00
drochner 001a6a7632 being here, export camellia-cbc through crypto(4) to allow userland tests 2011-05-23 13:53:59 +00:00