<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/crypto, branch releng/12.2</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.2</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.2'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2021-05-26T19:36:30Z</updated>
<entry>
<title>aesni: Avoid modifying session keys in hmac_update()</title>
<updated>2021-05-26T19:36:30Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2021-04-27T00:04:25Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=71c7f71de5789daff5bc6dedba82544fa97eec84'/>
<id>urn:sha1:71c7f71de5789daff5bc6dedba82544fa97eec84</id>
<content type='text'>
Otherwise aesni_process() is not thread-safe for AES+SHA-HMAC
transforms, since hmac_update() updates the caller-supplied key directly
to create the derived key.  Use a buffer on the stack to store a copy of
the key used for computing inner and outer digests.

This is a direct commit to stable/12 as the bug is not present in later
branches.

Approved by:	so
Security:	EN-21:11.aesni
Reviewed by:	kib

(cherry picked from commit 62e32cf9140e6c13663dcd69ec3b3c7ca4579782)
</content>
</entry>
<entry>
<title>MFC 362123: Fix AES-CCM requests with an AAD size smaller than a single block.</title>
<updated>2020-09-08T23:19:59Z</updated>
<author>
<name>John Baldwin</name>
<email>jhb@FreeBSD.org</email>
</author>
<published>2020-09-08T23:19:59Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=95b37a4ed741fd116809d0f2cb295c4e9977f5b6'/>
<id>urn:sha1:95b37a4ed741fd116809d0f2cb295c4e9977f5b6</id>
<content type='text'>
The amount to copy for the first block is the minimum of the size of
the AAD region or the remaining space in the first block.
</content>
</entry>
<entry>
<title>MFC r348268 (by sef), r348293 (by cem):</title>
<updated>2019-09-11T23:45:58Z</updated>
<author>
<name>Alexander Motin</name>
<email>mav@FreeBSD.org</email>
</author>
<published>2019-09-11T23:45:58Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a51825244b4dafbbdb746f8c56838e056d1f2b48'/>
<id>urn:sha1:a51825244b4dafbbdb746f8c56838e056d1f2b48</id>
<content type='text'>
Add an AESNI-optimized version of the CCM/CBC cryptographic and authentication
code.  The primary client of this is probably going to be ZFS encryption.
</content>
</entry>
<entry>
<title>MFC r342024 (by mmacy): Generalize AES iov optimization</title>
<updated>2019-09-11T23:41:09Z</updated>
<author>
<name>Alexander Motin</name>
<email>mav@FreeBSD.org</email>
</author>
<published>2019-09-11T23:41:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=bc37c2432e21fbd738a32e3ac893f5637afb5521'/>
<id>urn:sha1:bc37c2432e21fbd738a32e3ac893f5637afb5521</id>
<content type='text'>
Right now, aesni_cipher_alloc does a bit of special-casing
for CRYPTO_F_IOV, to not do any allocation if the first uio
is large enough for the requested size. While working on ZFS
crypto port, I ran into horrible performance because the code
uses scatter-gather, and many of the times the data to encrypt
was in the second entry. This code looks through the list, and
tries to see if there is a single uio that can contain the
requested data, and, if so, uses that.

This has a slight impact on the current consumers, in that the
check is a little more complicated for the ones that use
CRYPTO_F_IOV -- but none of them meet the criteria for testing
more than one.
</content>
</entry>
<entry>
<title>MFC r343755:</title>
<updated>2019-09-05T23:27:59Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2019-09-05T23:27:59Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=835ddc360d2fc8faaa80993c4e2c9985c2c72145'/>
<id>urn:sha1:835ddc360d2fc8faaa80993c4e2c9985c2c72145</id>
<content type='text'>
  Regularize the Netflix copyright
</content>
</entry>
<entry>
<title>Revert r351902 ... it didn't properly exclude rack.c changes</title>
<updated>2019-09-05T23:24:43Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2019-09-05T23:24:43Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=4f58e69b0dedaabe320f3701a6d018160f83b673'/>
<id>urn:sha1:4f58e69b0dedaabe320f3701a6d018160f83b673</id>
<content type='text'>
</content>
</entry>
<entry>
<title>MFC r343755:</title>
<updated>2019-09-05T22:38:53Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2019-09-05T22:38:53Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c1b1efbe5b2cec80e45c20caf77ed519a87d4b4a'/>
<id>urn:sha1:c1b1efbe5b2cec80e45c20caf77ed519a87d4b4a</id>
<content type='text'>
  Regularize the Netflix copyright
</content>
</entry>
<entry>
<title>Reapply, with minor tweaks, r338025, from the original commit:</title>
<updated>2018-09-26T17:12:14Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2018-09-26T17:12:14Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=329e817fcc97aa847765c5171cc89a81a0b25527'/>
<id>urn:sha1:329e817fcc97aa847765c5171cc89a81a0b25527</id>
<content type='text'>
Remove unused and easy to misuse PNP macro parameter

Inspired by r338025, just remove the element size parameter to the
MODULE_PNP_INFO macro entirely.  The 'table' parameter is now required to
have correct pointer (or array) type.  Since all invocations of the macro
already had this property and the emitted PNP data continues to include the
element size, there is no functional change.

Mostly done with the coccinelle 'spatch' tool:

  $ cat modpnpsize0.cocci
    @normaltables@
    identifier b,c;
    expression a,d,e;
    declarer MODULE_PNP_INFO;
    @@
     MODULE_PNP_INFO(a,b,c,d,
    -sizeof(d[0]),
     e);

    @singletons@
    identifier b,c,d;
    expression a;
    declarer MODULE_PNP_INFO;
    @@
     MODULE_PNP_INFO(a,b,c,&amp;d,
    -sizeof(d),
     1);

  $ rg -l MODULE_PNP_INFO -- sys | \
    xargs spatch --in-place --sp-file modpnpsize0.cocci

(Note that coccinelle invokes diff(1) via a PATH search and expects diff to
tolerate the -B flag, which BSD diff does not.  So I had to link gdiff into
PATH as diff to use spatch.)

Tinderbox'd (-DMAKE_JUST_KERNELS).
Approved by: re (glen)
</content>
</entry>
<entry>
<title>Don't load ccp automatically with devmatch</title>
<updated>2018-08-31T01:01:16Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2018-08-31T01:01:16Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=91eeadc516218ea08a7b2edd2056bda2bafd60f2'/>
<id>urn:sha1:91eeadc516218ea08a7b2edd2056bda2bafd60f2</id>
<content type='text'>
Remove the PNP info for the moment from the driver. It's an
experimental driver (as noted in r328150). Its performance is about
1/10th that of aesni. It will often panic when used with GELI (PR
2279820).  It's not in our best interest to have such a driver be
autoloaded by default.

Approved by: re@ (rgrimes)
Reviewed By: cem@
Differential Review: https://reviews.freebsd.org/D16959
</content>
</entry>
<entry>
<title>Update userland arc4random() with OpenBSD's Chacha20 based arc4random().</title>
<updated>2018-08-19T17:40:50Z</updated>
<author>
<name>Xin LI</name>
<email>delphij@FreeBSD.org</email>
</author>
<published>2018-08-19T17:40:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c1e80940f3b4030df0aaed73028053af057e476d'/>
<id>urn:sha1:c1e80940f3b4030df0aaed73028053af057e476d</id>
<content type='text'>
  ObsoleteFiles.inc:

    Remove manual pages for arc4random_addrandom(3) and
    arc4random_stir(3).

  contrib/ntp/lib/isc/random.c:
  contrib/ntp/sntp/libevent/evutil_rand.c:

    Eliminate in-tree usage of arc4random_addrandom().

  crypto/heimdal/lib/roken/rand.c:
  crypto/openssh/config.h:

    Eliminate in-tree usage of arc4random_stir().

  include/stdlib.h:

    Remove arc4random_stir() and arc4random_addrandom() prototypes,
    provide temporary shims for transition period.

  lib/libc/gen/Makefile.inc:

    Hook arc4random-compat.c to build, add hint for Chacha20 source for
    kernel, and remove arc4random_addrandom(3) and arc4random_stir(3)
    links.

  lib/libc/gen/arc4random.c:

    Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the
    sys/crypto/chacha20 implementation of keystream.

  lib/libc/gen/Symbol.map:

    Remove arc4random_stir and arc4random_addrandom interfaces.

  lib/libc/gen/arc4random.h:

    Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.

  lib/libc/gen/arc4random.3:

    Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and
    r118247.

  lib/libc/gen/arc4random-compat.c:

    Compatibility shims for arc4random_stir and arc4random_addrandom
    functions to preserve ABI.  Log once when called but do nothing
    otherwise.

  lib/libc/gen/getentropy.c:
  lib/libc/include/libc_private.h:

    Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl).
    Remove from libc_private.h as a result.

  sys/crypto/chacha20/chacha.c:
  sys/crypto/chacha20/chacha.h:

    Make it possible to use the kernel implementation in libc.

PR:		182610
Reviewed by:	cem, markm
Obtained from:	OpenBSD
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16760
</content>
</entry>
</feed>
