Paths

Table of Contentst

Refactor driver and consumer interfaces for OCF (in-kernel crypto).
ClosedPublic
Actions

Authored by jhb on Feb 13 2020, 11:51 PM.

Details

Reviewers

cem
jhb

Commits

rS359374: Refactor driver and consumer interfaces for OCF (in-kernel crypto).

Summary

The linked list of cryptoini structures used in session initialization is replaced with a new flat structure: struct crypto_session_params. This session includes a new mode to define how the other fields should be interpreted. Available modes include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
  
  Additional modes could be added in the future (e.g. if we wanted to support TLS MtE for AES-CBC in the kernel we could add a new mode for that. TLS modes might also affect how AAD is interpreted, etc.)
  
  The flat structure also includes the key lengths and algorithms as before. However, code doesn't have to walk the linked list and switch on the algorithm to determine which key is the auth key vs encryption key. The 'csp_auth_*' fields are always used for auth keys and settings and 'csp_cipher_*' for cipher. (Compression algorithms are stored in csp_cipher_alg.)

Drivers no longer register a list of supported algorithms. This doesn't quite work when you factor in modes (e.g. a driver might support both AES-CBC and SHA2-256-HMAC separately but not combined for ETA). Instead, a new 'crypto_probesession' method has been added to the kobj interface for symmteric crypto drivers. This method returns a negative value on success (similar to how device_probe works) and the crypto framework uses this value to pick the "best" driver. There are three constants for hardware (e.g. ccr), accelerated software (e.g. aesni), and plain software (cryptosoft) that give preference in that order. One effect of this is that if you request only hardware when creating a new session, you will no longer get a session using accelerated software. Another effect is that the default setting to disallow software crypto via /dev/crypto now disables accelerated software.

Once a driver is chosen, 'crypto_newsession' is invoked as before.

Crypto operations are now solely described by the flat 'cryptop' structure. The linked list of descriptors has been removed.

A separate enum has been added to describe the type of data buffer in use instead of using CRYPTO_F_* flags to make it easier to add more types in the future if needed (e.g. wired userspace buffers for zero-copy). It will also make it easier to re-introduce separate input and output buffers (in-kernel TLS would benefit from this).

Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv' member of the operation structure. If this flag is not set, the IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated and stored into the data buffer. This cannot be used with CRYPTO_F_IV_SEPARATE.
  
  If a consumer wants to deal with explicit vs implicit IVs, etc. it can always generate the IV however it needs and store partial IVs in the buffer and the full IV/nonce in crp_iv and set CRYPTO_F_IV_SEPARATE.
  
  The layout of the buffer is now described via fields in cryptop. crp_aad_start and crp_aad_length define the boundaries of any AAD. Previously with GCM and CCM you defined an auth crd with this range, but for ETA your auth crd had to span both the AAD and plaintext (and they had to be adjacent).
  
  crp_payload_start and crp_payload_length define the boundaries of the plaintext/ciphertext. Modes that only do a single operation (COMPRESS, CIPHER, DIGEST) should only use this region and leave the AAD region empty.
  
  If a digest is present (or should be generated), it's starting location is marked by crp_digest_start.
  
  Instead of using the CRD_F_ENCRYPT flag to determine the direction of the operation, cryptop now includes an 'op' field defining the operation to perform. For digests I've added a new VERIFY digest mode which assumes a digest is present in the input and fails the request with EBADMSG if it doesn't match the internally-computed digest. GCM and CCM already assumed this, and the new AEAD mode requires this for decryption. However, ETA mode now supports doing a verify as well (so in this tree IPsec always requests that the crypto layer verify the digest instead of doing it in IPsec). Simple DIGEST operations can also do this, though there are no in-tree consumers.
  
  To eventually support some refcounting to close races, the session cookie is now passed to crypto_getop() and clients should no longer set crp_sesssion directly.

Assymteric crypto operation structures should be allocated via crypto_getkreq() and freed via crypto_freekreq(). This permits the crypto layer to track open asym requests and close races with a driver trying to unregister while asym requests are in flight.

crypto_copyback, crypto_copydata, crypto_apply, and crypto_contiguous_subsegment now accept the 'crp' object as the first parameter instead of individual members. This makes it easier to deal with different buffer types in the future as well as separate input and output buffers. It's also just simpler for driver writers to use.

bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer. This understands the various types of buffers so that drivers that use dma do not have to be aware of different buffer types.

Helper routines now exist to build an auth context for HMAC IPAD and OPAD. This reduces some duplicated work among drivers.

Key buffers are now treated as const throughout the framework and in device drivers. However, session key buffers provided when a session is created are expected to remain alive for the duration of the session.

GCM and CCM sessions now only specify a cipher algorithm and a cipher key. The redundant auth information is not needed or used.

For cryptosoft, split up the code a bit such that the 'process' callback now invokes a function pointer in the session. This function pointer is set based on the mode (in effect) though it simplifies a few edge cases that would otherwise be in the switch in 'process'.

It does split up GCM vs CCM which I think is more readable even if there is some duplication.

I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC as an auth algorithm and updated cryptocheck to work with it.

Combined cipher and auth sessions via /dev/crypto now always use ETA mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored. This was actually documented as being true in crypto(4) before, but the code had not implemented this before I added the CIPHER_FIRST flag.

I have not yet updated /dev/crypto to be aware of explicit modes for sessions. I will probably do that at some point in the future as well as teach it about IV/nonce and tag lengths for AEAD so we can support all of the NIST KAT tests for GCM and CCM.

I've split up the exising crypto.9 manpage into several pages of which many are written from scratch.

I have converted all drivers and consumers in the tree and verified that they compile, but I have not tested all of them. I have tested the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
  
  and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
  
  I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)

Test Plan

cryptocheck of tested drivers
have tested ktls_ocf using normal KTLS testing (nginx)
tested IPsec with pinging while over a tunnel for most of the supported algorithms in the tree (not able to test IPcomp since I couldn't get it to work in stock FreeBSD)
tested GELI using a memory disk with aesni0, software, and ccr0 as backing drivers
make tinderbox

Diff Detail

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 30113
Build 27920: arc lint + arc unit

Event Timeline

jhb created this revision.Feb 13 2020, 11:51 PM

Herald added subscribers: ae, andrew. · View Herald TranscriptFeb 13 2020, 11:51 PM

Harbormaster completed remote builds in B29369: Diff 68293.Feb 13 2020, 11:51 PM

jhb added inline comments.Feb 14 2020, 12:33 AM

notes
2	I won't commit this file, but it lives in the branch and ended up in the review as a result.
share/man/man4/crypto.4
151	Will bump Dd on all affected manpages at time of commit.
sys/crypto/armv8/armv8_crypto.c
292–298	This applies r342024 to this driver which was copied from aesni,
sys/crypto/ccp/ccp_hardware.c
1703	Hmm, in ccr I ended up renaming 'authenc' to 'eta'. Might be prudent to do the same in this driver post-commit.
sys/dev/cxgbe/crypto/t4_crypto.c
1085–1086	ETA always requires checking the tag, so I can G/C this workaround now.
sys/dev/glxsb/glxsb.c
494	Need to fix the `accellerate` typo here and in padlock.
sys/dev/hifn/hifn7751.c
2709	The fact that hifn(4) wants to replace the mbuf pointer in the `crp` is pretty crappy. I think it might happen to work by accident with IPsec, but it doesn't seem like the right thing to me to be changing the pointer. I added an XXX for ubsec(4) which has copied and pasted all the craziness from hifn(4) here but then fails to actually update the mbuf pointer in `crp`. All of these shenanigans appear to be trying to avoid the second copy of the data back into the original mbuf when using normal bus_dma bounce buffers. I feel like the driver should just use bounce buffers if it has to.
sys/dev/ubsec/ubsec.c
1442	I guess the original version did actually update crp_mbuf. Sigh. I guess I can at least replicate what I did for hifn(4) here then.
sys/geom/eli/g_eli_privacy.c
251	I removed this "optimization" because we need to use `crypto_getreq` to get proper reference counting on sessions in the future. OTOH, we are at least only allocating a single `crp` and not the descriptors anymore.
sys/kgssapi/krb5/kcrypto_des3.c
51–52	This crypto consumer was "creative". It created a single session that had both DES and MAC entries when the session was created, but then would only send down requests for either DES or MAC, but not both. To make this work in the new (saner) world order, it now uses separate sessions for DES and MAC.

jhb added inline comments.Feb 14 2020, 1:34 AM

sys/dev/cxgbe/crypto/t4_crypto.c
1085–1086	Actually, GELI does send these requests still, but it probably shouldn't.

Remove OBE workaround from ccr_eta_done.
Don't permit DECRYPT | COMPUTE for ETA.
accellerate -> accelerate.
Let OCF verify HMACs for ETA.
Update crp_mbuf instead of leaking q_dst_m.

Harbormaster completed remote builds in B29371: Diff 68298.Feb 14 2020, 1:35 AM

Fix a couple of bugs in my geli ETA changes.
Tidy GELI auth failure logging.

Herald added a subscriber: melifaro. · View Herald TranscriptFeb 25 2020, 11:34 PM

Harbormaster completed remote builds in B29619: Diff 68828.Feb 25 2020, 11:34 PM

I've retested with GELI + AUTH after my changes to mandate verify for ETA and fixed a couple of bugs I had as a result. I also discovered a rather interesting behavior change. Currently, if data fails the authentication check, geli warns about it on the console, but returns the decrypted data (which may be garbage) to the reader instead of failing the I/O request. The version in this branch will instead fail I/O requests with EBADMSG if the authentication fails. For GELI I found that performance was slightly worse, I suspect because I've gone back to doing separate uma_zalloc calls for struct cryptop objects instead of pre-allocating them in the bio_driver2 block. However, I do hope that adding support for separate in vs out buffers (which can avoid the bcopy currently done) will more than offset this in the future.

So GELI is not quite as bad as I said above. If the authentication doesn't match, it doesn't return the output of the decryption operation to the caller. Instead, it leaves whatever happens to be in the caller-provided buffer unchanged. However, this seems possibly bogus as it's not clear if the caller-provided buffer is always sanitized (e.g. it might be better if the current GELI code were to explicitly zero the data that it isn't able to verify to avoid leaking random kernel heap memory). I think I'd prefer to stick with the new semantics (albeit substituting EINTEGRITY for EBADMSG as suggested by @cem). If someone really needs the old semantics it can be re-added.

I've not reviewed the entire patch, but I have converted a (not in-tree) crypto driver to this. It works, and greatly improves the open crypto API from the driver perspective.

Actually, I misread the code. On any corruption mismatch it sets bio_error to -1, and then converts that -1 to EINVAL. The -1 just a hack to avoid double-logging it seems.

Some perf numbers from geli.
Map EBADMSG to EINTEGRITY for GELI.
Allow other errors to supersede EINTEGRITY.
Coalesce auth errors.
Various fixes to previous.

Harbormaster completed remote builds in B29685: Diff 68980.Feb 29 2020, 12:27 AM

So GELI with auth now does the same exact logging as before. The only remaining difference is that the error returned is still EINTEGRITY rather than EINVAL.

jhb added a parent revision: D24131: Use the newer EINTEGRITY error when authentication fails..Mar 20 2020, 12:40 AM

Rebase

Harbormaster completed remote builds in B30113: Diff 69884.Mar 26 2020, 3:13 AM

val_packett.cool mentioned this in D21017: armv8crypto: add AES-XTS support.Mar 27 2020, 10:15 PM

hmm automation did not pick up that this has landed

jhb accepted this revision.Mar 28 2020, 1:05 AM

jhb added a commit: rS359374: Refactor driver and consumer interfaces for OCF (in-kernel crypto)..

This revision is now accepted and ready to land.Mar 28 2020, 1:06 AM

jhb closed this revision.Mar 28 2020, 1:06 AM

Revision Contents
Changeset List

Path

Size

ObsoleteFiles.inc

5 lines

notes

257 lines

share/

man/

man4/

crypto.4

20 lines

man7/

crypto.7

30 lines

man9/

45 lines

19 lines

749 lines

178 lines

392 lines

419 lines

245 lines

sys/

crypto/

aesni/

aesni.h

14 lines

aesni.c

852 lines

aesni_wrap.c

58 lines

armv8/

armv8_crypto.c

248 lines

blake2/

blake2_cryptodev.c

217 lines

ccp/

ccp.h

19 lines

ccp.c

472 lines

ccp_hardware.c

232 lines

via/

10 lines

146 lines

124 lines

118 lines

dev/

cesa/

cesa.h

5 lines

cesa.c

601 lines

cxgbe/

adapter.h

2 lines

crypto/

t4_crypto.c

1305 lines

t4_keyctx.c

40 lines

tom/

t4_tls.c

4 lines

glxsb/

glxsb.h

6 lines

glxsb.c

294 lines

glxsb_hash.c

100 lines

hifn/

hifn7751.c

624 lines

hifn7751var.h

15 lines

safe/

safe.c

921 lines

safevar.h

12 lines

sec/

sec.h

18 lines

sec.c

544 lines

ubsec/

ubsec.c

597 lines

ubsecvar.h

10 lines

geom/

eli/

20 lines

49 lines

46 lines

181 lines

85 lines

kern/

subr_bus_dma.c

51 lines

uipc_ktls.c

3 lines

kgssapi/

krb5/

kcrypto_aes.c

109 lines

kcrypto_des.c

57 lines

kcrypto_des3.c

108 lines

mips/

cavium/

cryptocteon/

cavium_crypto.c

180 lines

cryptocteon.c

453 lines

cryptocteonvar.h

12 lines

nlm/

dev/

sec/

16 lines

440 lines

22 lines

125 lines

hal/

nlmsaelib.h

4 lines

netipsec/

5 lines

78 lines

171 lines

79 lines

opencrypto/

85 lines

1317 lines

144 lines

559 lines

118 lines

1735 lines

95 lines

6 lines

sys/

bus_dma.h

8 lines

tests/

sys/

opencrypto/

cryptodev.py

5 lines

cryptodevh.py

3 lines

cryptotest.py

8 lines

tools/

crypto/

cryptocheck.c

196 lines

Commit	Tree	Parents	Author	Summary	Date
6ce72c877228	ca7fa7f55f64	5794bf4051b9	John Baldwin	Various fixes to previous.	Feb 29 2020, 12:25 AM
5794bf4051b9	90b73c6b3d1d	8ffc8f5ddf65	John Baldwin	Coalesce auth errors. (Show More…)	Feb 28 2020, 10:31 PM
8ffc8f5ddf65	296bb404e579	1109d76a3e2b	John Baldwin	Allow other errors to supersede EINTEGRITY. (Show More…)	Feb 28 2020, 7:01 PM
1109d76a3e2b	b0ef85297156	dcd5a58c3d46	John Baldwin	Map EBADMSG to EINTEGRITY for GELI.	Feb 26 2020, 12:57 AM
dcd5a58c3d46	b05f923f3962	864d67962fb5	John Baldwin	Some perf numbers from geli.	Feb 26 2020, 12:00 AM
864d67962fb5	98caf2efb100	13bf7fe7fbb0	John Baldwin	Tidy GELI auth failure logging.	Feb 25 2020, 11:32 PM
13bf7fe7fbb0	32e4fa85f9f1	e6dcd40e4fce	John Baldwin	Fix a couple of bugs in my geli ETA changes. (Show More…)	Feb 25 2020, 10:29 PM
e6dcd40e4fce	9ad673d3dd18	6f22a446f35a	John Baldwin	Update crp_mbuf instead of leaking q_dst_m. (Show More…)	Feb 14 2020, 1:32 AM
6f22a446f35a	b19103c17f44	7352c0a7ee61	John Baldwin	Let OCF verify HMACs for ETA. (Show More…)	Feb 14 2020, 1:24 AM
7352c0a7ee61	09f7779a63de	903301971577	John Baldwin	accellerate -> accelerate.	Feb 14 2020, 1:20 AM
903301971577	bce6e5f65041	bafc19e87eff	John Baldwin	Don't permit DECRYPT \| COMPUTE for ETA.	Feb 14 2020, 1:13 AM
bafc19e87eff	1c19c7ea3c9f	a94dcdae4b74	John Baldwin	Remove OBE workaround from ccr_eta_done. (Show More…)	Feb 14 2020, 12:46 AM
a94dcdae4b74	9271bf3091e9	c62682767aef	John Baldwin	Several it's -> its.	Feb 7 2020, 11:26 PM
c62682767aef	4d84f2472a66	322886f475c1	John Baldwin	Better table formatting.	Feb 7 2020, 2:40 AM
322886f475c1	aab83159c1cb	6c2686ae9817	John Baldwin	Rewrite crypto.9 in terms of the other pages. (Show More…)	Feb 7 2020, 2:28 AM
6c2686ae9817	21310a5bf8c0	6953bc421b4f	John Baldwin	Add a crypto_asym.9 manpage.	Feb 1 2020, 12:38 AM
6953bc421b4f	960f10e031d7	81d3ef5cf8d4	John Baldwin	Formatting nit.	Feb 1 2020, 12:38 AM
81d3ef5cf8d4	ba63c454fc27	2b2a8840a4b1	John Baldwin	Various typos and fixes.	Feb 1 2020, 12:20 AM
2b2a8840a4b1	b08b0d89ae0e	7c7cd12dcfc6	John Baldwin	Drop some unused prototypes.	Feb 1 2020, 12:05 AM
7c7cd12dcfc6	da5591b46e4d	be2135f8f411	John Baldwin	Just use void as the return type for krp_callback. (Show More…)	Feb 1 2020, 12:04 AM
be2135f8f411	c09aa8d08b84	aa5c3845a525	John Baldwin	Add a crypto_driver for the symmetric driver interface.	Jan 31 2020, 11:24 PM
aa5c3845a525	d5bcc02c5ee6	81d71a07e671	John Baldwin	Typos.	Jan 31 2020, 11:23 PM
81d71a07e671	1ab01c8e43d7	cb76cdd5a09e	John Baldwin	Note a weird issue I saw.	Jan 31 2020, 11:22 PM
cb76cdd5a09e	25e271f3403b	1ba7845b0891	John Baldwin	Don't attempt to validate hash lengths. (Show More…)	Jan 31 2020, 5:57 PM
1ba7845b0891	d24086566e32	2e59a30a1c86	John Baldwin	Rename authenc to eta.	Jan 30 2020, 10:33 PM
2e59a30a1c86	d7ef14bbd052	baf5231b0f2f	John Baldwin	Add a new crypto_request(9) manpage.	Jan 18 2020, 12:49 AM
baf5231b0f2f	befd950976f4	c6521137c353	John Baldwin	Compare crp_olen against crp_payload_length directly.	Jan 18 2020, 12:43 AM
c6521137c353	19ae83859603	6d981e5411bc	John Baldwin	Don't use crp_olen for non-compression requests.	Jan 15 2020, 7:38 PM
6d981e5411bc	25921151e83e	7980fc92d6cf	John Baldwin	Fix a sign bug so we get an FPU context for aesni cipher setup.	Jan 15 2020, 1:01 AM
7980fc92d6cf	bb6ead25efc0	ad5cdd874c3b	John Baldwin	Still need the GMAC key length constants for xform_gmac.c.	Jan 15 2020, 12:12 AM
ad5cdd874c3b	25997724c462	38dfccc088b6	John Baldwin	Stop using the old GMAC constants in the python tests.	Jan 14 2020, 11:58 PM
38dfccc088b6	6a0d9bc90885	459b495cc247	John Baldwin	Updates to crypto(7).	Jan 14 2020, 11:21 PM
459b495cc247	b93f2742a884	7e39ee2e7ce7	John Baldwin	More forcefully retire the old GMAC constants. (Show More…)	Jan 14 2020, 11:17 PM
7e39ee2e7ce7	4f0240fceaa6	3624be606b7c	John Baldwin	Add a crypto_session.9 manpage describing sessions. (Show More…)	Jan 14 2020, 10:59 PM
3624be606b7c	0278750784df	1db335764521	John Baldwin	Typo.	Jan 7 2020, 8:42 PM
1db335764521	5a1b56318097	55356f08ea69	John Baldwin	Axe COP_F_CIPHER_FIRST since ETA is the session mode now. (Show More…)	Jan 7 2020, 8:41 PM
55356f08ea69	35324f585360	644f89dd6347	John Baldwin	Fix merge-o in GMAC.	Jan 7 2020, 8:36 PM
644f89dd6347	c00dcad03ef7	eead50560697	John Baldwin	Update crypto.4.	Dec 28 2019, 1:05 AM
eead50560697	6236031697a2	e97fb47f1501	John Baldwin	Switch to verify digest on decrypt for ETA sessions.	Dec 27 2019, 8:06 PM
e97fb47f1501	5a281d9895eb	9589515deda2	John Baldwin	Various cleanups to cryptocheck. (Show More…)	Dec 27 2019, 7:46 PM
9589515deda2	78d3043bb429	15d5bea9fb41	John Baldwin	Remove no-longer-used hmac_ipad/opad_buffer variables.	Dec 24 2019, 7:10 PM
15d5bea9fb41	2274e89ac279	bdc2986b766e	John Baldwin	Trim some #if 0'd bits I missed.	Dec 24 2019, 7:08 PM
bdc2986b766e	3c16ff62d993	8a3647469e43	John Baldwin	Update TLS 1.3 bits.	Dec 24 2019, 7:03 PM
8a3647469e43	b2a9bb5d01bf	2ef96f954aa5	John Baldwin	Update.	Dec 17 2019, 10:59 PM
2ef96f954aa5	d1497e65adfb	de1f1fb4ddb7	John Baldwin	Use bus_dmamap_load_crp(). (Show More…)	Dec 17 2019, 10:58 PM
de1f1fb4ddb7	b8ffac7a308a	25c2d47696e2	John Baldwin	Add a bus_dmamap_load_crp() wrapper function.	Dec 14 2019, 12:16 AM
25c2d47696e2	ae28a8f89600	40f265b708dc	John Baldwin	Update notes.	Nov 19 2019, 10:02 PM
40f265b708dc	f6df766f290c	69ee5b26430b	John Baldwin	Compile fixes.	Nov 19 2019, 10:00 PM
69ee5b26430b	c96b56adc970	91d3dde2887d	John Baldwin	Switch csp_*_klen to bytes instead of bits.	Nov 19 2019, 9:45 PM
91d3dde2887d	ace9741a1904	725d112d1fb9	John Baldwin	Update notes.	Nov 19 2019, 8:32 PM
725d112d1fb9	f4a12d74c4f1	1d846cf9518a	John Baldwin	Reject sessions with unsupported csp_flags to future proof.	Nov 19 2019, 7:52 PM
1d846cf9518a	d7efc7761073	3a5a3c0a36fe	John Baldwin	Axe CSP_IV_VALID since it hasn't been used.	Nov 19 2019, 7:49 PM
3a5a3c0a36fe	33ad072c007b	7a94080895d1	John Baldwin	Update.	Nov 15 2019, 1:03 AM
7a94080895d1	6f81ead8e737	78755460764d	John Baldwin	Move more checks for auth at least (mlen, etc.) into common code. (Show More…)	Nov 15 2019, 12:58 AM
78755460764d	7f095f059ab7	1b8e62b85e5c	John Baldwin	Fix mismerge.	Nov 14 2019, 11:29 PM
1b8e62b85e5c	da5effadba35	e0e697068cc6	John Baldwin	Update notes.	Nov 14 2019, 10:26 PM
e0e697068cc6	321b769e37ba	3f16869162c7	John Baldwin	Trim unused fields from cryptocteon.	Nov 14 2019, 10:25 PM
3f16869162c7	b611ed8c47e6	7984cf69a59a	John Baldwin	Convert nlmsec(4).	Nov 14 2019, 10:22 PM
7984cf69a59a	8709e64efcec	9c56e624c7a6	John Baldwin	Drop unused newsession hook from XLP RSA driver.	Nov 14 2019, 10:21 PM
9c56e624c7a6	480d5e6af81e	4520b70282ff	John Baldwin	Update cesa to verify digests.	Nov 14 2019, 8:16 PM
4520b70282ff	97b96c4c9c21	910485579213	John Baldwin	Update sec(4) to verify digests and handle truncated digests.	Nov 14 2019, 8:12 PM
910485579213	2f20ab267315	cfd51a6f463c	John Baldwin	Handle digest verify in glxsb(4).	Nov 14 2019, 7:44 PM
cfd51a6f463c	660c2a5e96b9	cadfed174b42	John Baldwin	Convert the cryptocteon driver.	Nov 14 2019, 7:33 PM
cadfed174b42	1404f74b91f4	a7737dce7c2e	John Baldwin	Convert cesa(4).	Oct 30 2019, 12:34 AM
a7737dce7c2e	ed4420246c16	2f4173289a7a	John Baldwin	Free OCF sessions.	Oct 30 2019, 12:31 AM
2f4173289a7a	29eb4cd93bdb	08715a8cb2c1	John Baldwin	Fix KTLS OCF module to work again.	Oct 30 2019, 12:14 AM
08715a8cb2c1	7d94bf11d5f2	a8e88b463567	John Baldwin	klen is in bits, not bytes.	Oct 29 2019, 10:22 PM
a8e88b463567	917c3bcbb0cd	c1b83454e6bc	John Baldwin	Convert sec(4).	Oct 29 2019, 9:21 PM
c1b83454e6bc	d8cc66af2db8	49f17809d2d6	John Baldwin	Fix a few more places in ccr(4) to check auth_klen.	Oct 29 2019, 7:16 PM
49f17809d2d6	8f55c9e7944d	b3163416f8a0	John Baldwin	Update notes.	Oct 26 2019, 12:09 AM
b3163416f8a0	50925bfc8a18	ac972cdab9ed	John Baldwin	Update glxsb(4).	Oct 26 2019, 12:08 AM
ac972cdab9ed	a67377b6b5f0	0dbff0a38954	John Baldwin	Convert armv8 crypto.	Oct 25 2019, 11:14 PM
0dbff0a38954	6edf802af242	4ea5c38e3c02	John Baldwin	Update ktls_ocf.	Oct 25 2019, 10:43 PM
4ea5c38e3c02	116f4d11ab00	38171f7ddb5c	John Baldwin	Update cryptodev_warn().	Oct 25 2019, 10:31 PM
38171f7ddb5c	d9496213f371	d1b8384ea92a	John Baldwin	Checkpoint notes.	Oct 25 2019, 9:47 PM
d1b8384ea92a	43cfe744efa9	74cc1930e710	John Baldwin	Compile fixes.	Oct 18 2019, 12:18 AM
74cc1930e710	5349efb2193b	df15531757b6	John Baldwin	Axe per-op key lengths. (Show More…)	Oct 17 2019, 10:24 PM
df15531757b6	851d26b42281	60c7503d1f6b	John Baldwin	Drop the kern.crypto.user node.	Aug 22 2019, 12:03 AM
60c7503d1f6b	ea5d7566bc9b	915b40f52e76	John Baldwin	Use the right function to init the OPAD context.	Aug 21 2019, 11:59 PM
915b40f52e76	95365d2c2c7c	3423d588088a	John Baldwin	Move crypto sysctls under kern.crypto. so they are easier to find. (Show More…)	Aug 21 2019, 11:44 PM
3423d588088a	62b4244bccb3	1244c3948950	John Baldwin	Use correct key.	Aug 20 2019, 7:45 PM
1244c3948950	f77eadc1309f	5b81389a21f6	John Baldwin	Add helper routines for initializing ipad/ipad auth_ctx for HMAC.	Aug 20 2019, 7:44 PM
5b81389a21f6	c08983e83d76	c42ebf2f395d	John Baldwin	Make keys passed in crp and csp const.	Aug 20 2019, 7:03 PM
c42ebf2f395d	1e6bd1a2debd	a096a5f9248d	John Baldwin	Rename CRYPTO_BUF_IOV -> CRYPTO_BUF_UIO.	Aug 20 2019, 1:28 AM
a096a5f9248d	3b77e9f2d700	1a4a9a71edc6	John Baldwin	Convert geli(4).	Aug 20 2019, 1:19 AM
1a4a9a71edc6	25f04384ef9e	1722420a7a8a	John Baldwin	Add a 'how' argument to crypto_getreq for M_WAITOK vs M_NOWAIT.	Aug 20 2019, 12:48 AM
1722420a7a8a	fe0610db0e3b	699393181c5a	John Baldwin	Convert safe(4). (Show More…)	Aug 19 2019, 11:40 PM
699393181c5a	408ee2c098f2	33e702955305	John Baldwin	Fix a typo.	Aug 19 2019, 11:40 PM
33e702955305	2b76d4b142fa	41984957c2e4	John Baldwin	Convert padlock(4).	Aug 19 2019, 11:39 PM
41984957c2e4	f1da7db9c243	88b8560e755b	John Baldwin	Convert ubsec(4). (Show More…)	Aug 19 2019, 9:31 PM
88b8560e755b	5b98741ff9ef	59262ad81df0	John Baldwin	Convert kgssap_krb5. (Show More…)	Aug 19 2019, 6:50 PM
59262ad81df0	e64e585db7fc	dbcc2fb24a89	John Baldwin	Handle VERIFY_DIGEST for hash only requests in ccr.	Aug 14 2019, 9:16 PM
dbcc2fb24a89	bc0d28e54c30	c077c500f70e	John Baldwin	Convert hifn(4). (Show More…)	Aug 14 2019, 8:52 PM
c077c500f70e	840a060fa677	51da819bc6c3	John Baldwin	Use crypto_session_params. (Show More…)	Aug 14 2019, 12:59 AM
51da819bc6c3	f6e4ea2fbbaa	2b1ca2c718ed	John Baldwin	Use crypto_session_params. (Show More…)	Aug 14 2019, 12:26 AM
2b1ca2c718ed	7cfb8887b477	941b3692b78b	John Baldwin	Remove unused partial_digest_len.	Aug 14 2019, 12:13 AM
941b3692b78b	d2300969524b	778daa7b0ee7	John Baldwin	Use crypto_get_params in place of some fields cached in the session struct. (Show More…)	Aug 14 2019, 12:10 AM
778daa7b0ee7	e50efa053c3f	90a965fa354c	John Baldwin	Remove unused field.	Aug 13 2019, 11:51 PM
90a965fa354c	55b39f6b2336	0deba382a504	John Baldwin	Add a crypto_get_params() to return a const csp pointer from a session. (Show More…)	Aug 13 2019, 11:49 PM
0deba382a504	efb444efd2f3	ae37cc0b725c	John Baldwin	Cleanup a few things with hashes and mlen. (Show More…)	Aug 13 2019, 11:42 PM
ae37cc0b725c	da8fb9acd332	c90200dac189	John Baldwin	Convert ccp(4). (Show More…)	Aug 13 2019, 10:02 PM
c90200dac189	c61df513f5e1	4d975393a3d2	John Baldwin	Trim an unused variable.	Aug 13 2019, 9:47 PM
4d975393a3d2	d1b4f111472d	9ca654c0314a	John Baldwin	Convert blake2.	Aug 13 2019, 5:16 PM
9ca654c0314a	86f6400adfa4	2d1f5e5fd728	John Baldwin	Mark aesni as software in crypto_get_driverid.	Aug 13 2019, 5:00 PM
2d1f5e5fd728	ee88a24d14b0	b57ad8195c91	John Baldwin	Add a missing break to fix AEAD for ccr as well.	Aug 8 2019, 12:57 AM
b57ad8195c91	dd31d6260b81	0e3555d38f1b	John Baldwin	Add a missing break to fix AEAD for aesni(4).	Aug 8 2019, 12:12 AM
0e3555d38f1b	30b016929805	815b0df3fcfc	John Baldwin	Fix build without INVARIANTS.	Aug 7 2019, 11:33 PM
815b0df3fcfc	b860dbe24f7b	1fa3feb7500c	John Baldwin	Validate 'mlen' and store the final value in the session. (Show More…)	Aug 6 2019, 12:31 AM
1fa3feb7500c	87889b4d6c27	f8683ac5173a	John Baldwin	Convert aesni(4). (Show More…)	Aug 6 2019, 12:26 AM
f8683ac5173a	ce3c7e3d2358	edda488d34cb	John Baldwin	Update a few comments.	Aug 2 2019, 6:28 PM
edda488d34cb	4d828fd1b8c8	ecc511e67cf5	John Baldwin	Remove #include and use void * for contexts.	Aug 2 2019, 6:27 PM
ecc511e67cf5	1747bda12ebb	848e63e5cbaf	John Baldwin	Need to always init 'csp' in a session. (Show More…)	Aug 2 2019, 6:19 PM
848e63e5cbaf	8771133635e6	ef1aaa242bfb	John Baldwin	Move the IPAD and OPAD constant arrays to the crypto.c.	Aug 2 2019, 5:59 PM
ef1aaa242bfb	b3c92166ff30	20eb293a8ac7	John Baldwin	Move the cryptosoft structures to the C file.	Aug 2 2019, 5:39 PM
20eb293a8ac7	3e0426bee42c	b98d9dfeca77	John Baldwin	Purge cruft from cryptodev.h.	Aug 2 2019, 5:35 PM
b98d9dfeca77	c3d044ca7831	5d18e49f5a27	John Baldwin	Change crypto_getreq() to accept a session pointer. (Show More…)	Aug 2 2019, 5:30 PM
5d18e49f5a27	5ec669cf9a23	688411c9791f	John Baldwin	Trim an unused include that's marked with an XXX.	Jun 28 2019, 5:56 PM
688411c9791f	6029276324d6	b431abebc5ca	John Baldwin	Add another todo.	Jun 28 2019, 12:59 AM
b431abebc5ca	7825d326d279	dacde190f469	John Baldwin	Update ccr(4) for probesession.	Jun 28 2019, 12:59 AM
dacde190f469	3c4a0f1ce35f	aa4d952cd9f8	John Baldwin	Update for the probesession changes.	Jun 28 2019, 12:20 AM
aa4d952cd9f8	09cc00dde522	526552bec8ff	John Baldwin	Disable modules not yet converted for now.	Jun 28 2019, 12:19 AM
526552bec8ff	a95d7102ec6b	bbd2fa9932fa	John Baldwin	crypto_register doesn't exist anymore.	Jun 27 2019, 11:40 PM
bbd2fa9932fa	a2d3efad0f31	d8fc50af71f5	John Baldwin	Various compile fixes.	Jun 27 2019, 11:40 PM
d8fc50af71f5	75377bbe2d86	34764847a340	John Baldwin	Some more cleanups.	Jun 12 2019, 7:45 PM
34764847a340	e3f2b83bc281	7f728a0c4a64	John Baldwin	Finish first pass of crypto_drivers stuff. (Show More…)	Jun 12 2019, 7:34 PM
7f728a0c4a64	44e19a8ec16b	da54b6af6296	John Baldwin	Checkpoint reworking crypto_drivers. (Show More…)	Jun 12 2019, 1:13 AM
da54b6af6296	aa19170de23a	432d41994f16	John Baldwin	Retire an unused constant.	Jun 12 2019, 12:08 AM
432d41994f16	6810737f7d10	b4af3119345c	John Baldwin	Be clear that sessions are only for sym crypto.	Jun 12 2019, 12:01 AM
b4af3119345c	b210f5df2ee5	6ff209c3a617	John Baldwin	Flesh out docs for cryptodev_if.m methods.	Jun 12 2019, 12:00 AM
6ff209c3a617	b074085aa39e	812dde174239	John Baldwin	Start on probesession.	Jun 11 2019, 12:15 AM
812dde174239	d11b051e3b73	3966203fa238	John Baldwin	Be more explicit about setting crp_op. (Show More…)	Apr 30 2019, 9:23 PM
3966203fa238	ebf344ca46c2	e7495a38b9a9	John Baldwin	Clear thash for CCM.	Apr 30 2019, 7:27 PM
e7495a38b9a9	8bd3ec19c1da	167853567788	John Baldwin	CCM-related compile fixes.	Apr 25 2019, 11:20 PM
167853567788	3f9bff8191e7	94e38f655350	John Baldwin	Explicitly reject F_IV_GENERATE for GMAC/CBC_MAC digests. (Show More…)	Apr 25 2019, 11:00 PM
94e38f655350	37790f62d5c6	da2b4497b29c	John Baldwin	Remove some impossible checks.	Apr 25 2019, 10:56 PM
da2b4497b29c	645c2a5ec4d1	0dfe9b2d293a	John Baldwin	More CCM cleanups.	Apr 25 2019, 10:53 PM
0dfe9b2d293a	ff0b485ed398	433fdb5be812	John Baldwin	Minor cleanups for CCM.	Apr 25 2019, 10:45 PM
433fdb5be812	0963b4256778	1aedeadd0689	John Baldwin	Update with current testing on ipsec.	Apr 25 2019, 9:00 PM
1aedeadd0689	191687f03736	c9ed8870dc5f	John Baldwin	Drop old #if 0'd GMAC bits.	Mar 25 2019, 9:58 PM
c9ed8870dc5f	a4c7a95358fb	7f79e09f5f57	John Baldwin	Use correct thash for GMAC with 192 and 256 bit keys.	Mar 25 2019, 9:57 PM
7f79e09f5f57	f5b8598a46a3	f425b7a4f703	John Baldwin	The existing /dev/crypto never supported GMAC. (Show More…)	Mar 25 2019, 9:10 PM
f425b7a4f703	346d0372bfad	64e171ccc022	John Baldwin	Set csp_ivlen for GMAC requests. (Show More…)	Mar 25 2019, 9:05 PM
64e171ccc022	438ba561d503	fbe815d06b5d	John Baldwin	Don't save a copy of the digest/tag for esp_input. (Show More…)	Mar 22 2019, 5:11 PM
fbe815d06b5d	25279da19bbd	1ab32924d837	John Baldwin	Add missing break for compression.	Mar 21 2019, 11:57 PM
1ab32924d837	ddb6f9289d4e	66a2c2d8f0a5	John Baldwin	Don't set IV parameters for NULL cipher which has no IV.	Mar 21 2019, 10:45 PM
66a2c2d8f0a5	18dab711f1dd	6da45f9170a0	John Baldwin	Trailing whitespace.	Mar 21 2019, 10:38 PM
6da45f9170a0	62c4d55fd59c	5a2a37025149	John Baldwin	GCM shouldn't require a MAC algorithm anymore.	Mar 21 2019, 10:30 PM
5a2a37025149	dd109cf283ea	2e701d6c6740	John Baldwin	Add GMAC tests. (Show More…)	Mar 21 2019, 10:28 PM
2e701d6c6740	2a23f7a82f60	a5965c9acdd9	John Baldwin	Permit a zero length IV for the NULL cipher.	Mar 21 2019, 9:58 PM
a5965c9acdd9	dffcd0813a04	87c9ce1c84e3	John Baldwin	More updates for GMAC not using legacy algorithm constants.	Mar 21 2019, 9:57 PM
87c9ce1c84e3	c68b891abb7f	ce87f22f1e77	John Baldwin	The GMAC hash xforms now use CRYPTO_AES_NIST_GMAC.	Mar 6 2019, 12:32 AM
ce87f22f1e77	03c563556ae0	76448f9f4db8	John Baldwin	Permit an IV size of 16 for AES-XTS for backwards compat.	Mar 5 2019, 11:13 PM
76448f9f4db8	f7a103879716	d87b56a01207	John Baldwin	Fix AAD length in esp_output.	Mar 5 2019, 10:49 PM
d87b56a01207	d1aa5ac54ef1	5b237a4f570e	John Baldwin	Apply hash functions to AAD region before payload. (Show More…)	Mar 5 2019, 10:46 PM
5b237a4f570e	f26ab5fafa80	fd7fba5de928	John Baldwin	Require crp_digest_start of 0 for CSP_MODE_CIPHER.	Mar 5 2019, 10:46 PM
fd7fba5de928	acf2c15c706b	1ebb0edb30db	John Baldwin	Compute digests for CSP_MODE_ETA for the aead ioctl. (Show More…)	Mar 5 2019, 10:44 PM
1ebb0edb30db	b47ee61b5bb8	e175d3978632	John Baldwin	Fix AES-XTS for ccr. (Show More…)	Mar 4 2019, 10:45 PM
e175d3978632	4804396a81e3	2f84f1ff077e	John Baldwin	Trim trailing whitespace.	Mar 4 2019, 10:08 PM
2f84f1ff077e	0ea969800f5b	9a34cd9ab009	John Baldwin	Trivial fixes for ccr(4). (Show More…)	Feb 28 2019, 1:13 AM
9a34cd9ab009	db06f745f187	7291f50ba877	John Baldwin	Fixes for sw crypto and hashes. (Show More…)	Feb 27 2019, 11:48 PM
7291f50ba877	67d4fcb785f2	45d01ab5dcb7	John Baldwin	Don't fail driver_suitable when csp_cipher_alg is 0.	Feb 27 2019, 11:19 PM
45d01ab5dcb7	74084f2f7fd3	1be11cd65a82	John Baldwin	Switch algorithm constant for gmac thash's to remove use_gmac variable.	Feb 27 2019, 8:54 PM
1be11cd65a82	fa28c6bb3376	ffd004fd4082	John Baldwin	Support GMAC requests via /dev/crypto. (Show More…)	Feb 14 2019, 8:34 PM
ffd004fd4082	7805fa9dd9a2	d11a4b1e799e	John Baldwin	Clear thash for GCM to avoid setting auth parameters.	Feb 14 2019, 7:59 PM
d11a4b1e799e	530414c04994	39a2ac1b8384	John Baldwin	Set csp_ivlen.	Feb 14 2019, 1:00 AM
39a2ac1b8384	90dcff9f9c47	a6dd9b06a8c2	John Baldwin	Update crypto_contiguous_subsegment() to take the full crp.	Feb 14 2019, 12:36 AM
a6dd9b06a8c2	b68ddb6d7f3a	4423f8ab5603	John Baldwin	Update for SCMD constant unification.	Feb 14 2019, 12:36 AM
4423f8ab5603	373d9edf8d16	bfb7c912d89c	John Baldwin	Another note about IV lengths.	Oct 18 2018, 1:11 AM
bfb7c912d89c	441975eecf0e	3f354613601d	John Baldwin	Update the ccr(4) driver for the flattened structures. (Show More…)	Oct 18 2018, 1:03 AM
3f354613601d	18fdb108362b	39247076d1cf	John Baldwin	Add an assertion that GCM always uses an explicit IV.	Oct 18 2018, 12:58 AM
39247076d1cf	af1adb52c399	f4a9ae88180e	John Baldwin	More thoughts.	Oct 17 2018, 10:39 PM
f4a9ae88180e	c8961c8f22be	5af953dd7e67	John Baldwin	Use explicit key lengths for re-keys.	Oct 16 2018, 12:21 AM
5af953dd7e67	81310d71985c	f743573cec8c	John Baldwin	Drop csp_iv[].	Oct 15 2018, 11:59 PM
f743573cec8c	9282d227ef16	57e16794446d	John Baldwin	Use a plain buf instead of an iov/uio for /dev/crypto. (Show More…)	Oct 15 2018, 11:16 PM
57e16794446d	0fba5e788130	0f50cbbb2dff	John Baldwin	Update cryptodev for flattened session parameters and descriptors.	Oct 15 2018, 11:03 PM
0f50cbbb2dff	8fb6cd0d3f3a	0939ba557013	John Baldwin	Implement EtA for cryptosoft.	Oct 15 2018, 9:10 PM
0939ba557013	e01fde8993a2	e85e32393cc2	John Baldwin	Remove unused variables to fix build.	Oct 15 2018, 8:48 PM
e85e32393cc2	5d285bc506aa	8a2bd504e92e	John Baldwin	Checkpoint WIP on updating cryptosoft. (Show More…)	Oct 13 2018, 12:20 AM
8a2bd504e92e	31dbb64a96ef	370876b2cc16	John Baldwin	More note updates including GMAC in the new world order.	Oct 13 2018, 12:12 AM
370876b2cc16	eea988114211	a992f72daf2f	John Baldwin	Compile fix after csp_ivlen change.	Oct 13 2018, 12:11 AM
a992f72daf2f	589c838f436c	9419f2f65469	John Baldwin	Set csp_ivlen for IPsec ESP.	Oct 12 2018, 10:54 PM
9419f2f65469	e0dc493f18a8	5c4613fca8fc	John Baldwin	Rename csp_cipher_ivlen to csp_ivlen since it is also used for GMAC. (Show More…)	Oct 12 2018, 10:53 PM
5c4613fca8fc	35be48cda996	0a8e14f2d6c4	John Baldwin	Add helpers for evaluating crp_op.	Oct 12 2018, 10:42 PM
0a8e14f2d6c4	918c9ab41bd0	eb1a479e70e1	John Baldwin	Only permit VERIFY with DECRYPT for AEAD.	Oct 12 2018, 6:29 PM
eb1a479e70e1	2bd3f9ea31c5	e9c6e66fb427	John Baldwin	Get crypto.c to compile. (Show More…)	Oct 12 2018, 5:17 PM
e9c6e66fb427	86d3d70e1747	322a4182ad6b	John Baldwin	Add another TODO.	Oct 12 2018, 5:16 PM
322a4182ad6b	c75fad77e5dd	69e419fadfb0	John Baldwin	Change crypto_apply/copy* to take the 'crp' in place of buf and flags. (Show More…)	Oct 12 2018, 4:36 PM
69e419fadfb0	4cc56e49d204	22decd93b12f	John Baldwin	Update for IPsec compression for flattened structures.	Oct 12 2018, 12:12 AM
22decd93b12f	b5f911a634ec	1bf37ecb65f9	John Baldwin	Add OP constants for compression. (Show More…)	Oct 12 2018, 12:06 AM
1bf37ecb65f9	0f36979da3f2	49bf7e592abc	John Baldwin	Remember to set COMPUTE_DIGEST for ESP output with auth.	Oct 12 2018, 12:06 AM
49bf7e592abc	fe0d5ed63df2	0bf0c8fe2b2f	John Baldwin	Update IPsec ESP for the flattened structure changes.	Oct 11 2018, 11:47 PM
0bf0c8fe2b2f	f84fc815b459	72c7b84aa962	John Baldwin	Added some basic sanity checks on csp's and crp's.	Oct 11 2018, 11:45 PM
72c7b84aa962	61ecd3ea23b6	b2ce2a64191a	John Baldwin	Checkpoint some more notes.	Oct 11 2018, 11:44 PM
b2ce2a64191a	ae3da1cdda50	aa1504162aeb	John Baldwin	Add a compression mode and re-enable crp_ilen/olen.	Oct 11 2018, 11:42 PM
aa1504162aeb	c6778fb92545	ff2c3a950de5	John Baldwin	Note that GENERATE implies storing.	Oct 11 2018, 9:51 PM
ff2c3a950de5	887271bf9569	78a4de4eba8b	John Baldwin	Turn compute vs verify into a flag. (Show More…)	Oct 11 2018, 8:58 PM
78a4de4eba8b	5bd50b0851bd	b3f87255579e	John Baldwin	Update IPsec AH for the flattened structure changes.	Oct 11 2018, 8:53 PM
b3f87255579e	65020e468440	7239f15e8759	John Baldwin	Initial thoughts / TODOs.	Oct 11 2018, 8:52 PM
7239f15e8759	a7fad6f59a6f	185d435bd586	John Baldwin	First version of new structures for sessions and ops. (Show More…)	Oct 11 2018, 8:40 PM