<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/crypto, branch upstream/10.1.0</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=upstream%2F10.1.0</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=upstream%2F10.1.0'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2014-06-30T09:51:27Z</updated>
<entry>
<title>MFC r267815:</title>
<updated>2014-06-30T09:51:27Z</updated>
<author>
<name>Konstantin Belousov</name>
<email>kib@FreeBSD.org</email>
</author>
<published>2014-06-30T09:51:27Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9413baf6f1417502fa12a924283f8ee2657d25cc'/>
<id>urn:sha1:9413baf6f1417502fa12a924283f8ee2657d25cc</id>
<content type='text'>
Put the aesni_cipher_setup() and aesni_cipher_process() functions into
the file which is compiled with SSE disabled.
</content>
</entry>
<entry>
<title>MFC r267767:</title>
<updated>2014-06-30T09:48:44Z</updated>
<author>
<name>Konstantin Belousov</name>
<email>kib@FreeBSD.org</email>
</author>
<published>2014-06-30T09:48:44Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=2b667497df9ba6754d24ff2a33df8b1d80fa2050'/>
<id>urn:sha1:2b667497df9ba6754d24ff2a33df8b1d80fa2050</id>
<content type='text'>
Add FPU_KERN_KTHR flag to fpu_kern_enter(9).
Apply the flag to padlock(4) and aesni(4).
In aesni_cipher_process(), do not leak FPU context state on error.
</content>
</entry>
<entry>
<title>MFC r258399,258492:</title>
<updated>2013-11-26T08:46:39Z</updated>
<author>
<name>John-Mark Gurney</name>
<email>jmg@FreeBSD.org</email>
</author>
<published>2013-11-26T08:46:39Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=52203325d1f3c0a5cf92145918cf359fa5392db2'/>
<id>urn:sha1:52203325d1f3c0a5cf92145918cf359fa5392db2</id>
<content type='text'>
mark aesni module _SYNC, improves performance ~27%...

Approved by:	re (glebius)
</content>
</entry>
<entry>
<title>MFC r257757:</title>
<updated>2013-11-16T09:01:24Z</updated>
<author>
<name>John-Mark Gurney</name>
<email>jmg@FreeBSD.org</email>
</author>
<published>2013-11-16T09:01:24Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ece729c92156ec470778e64fdda65bcb44096247'/>
<id>urn:sha1:ece729c92156ec470778e64fdda65bcb44096247</id>
<content type='text'>
fix issues w/ AES-NI on unaligned data blocks...

Approved by:	re (kib)
</content>
</entry>
<entry>
<title>Use the fact that the AES-NI instructions can be pipelined to improve</title>
<updated>2013-09-03T18:31:23Z</updated>
<author>
<name>John-Mark Gurney</name>
<email>jmg@FreeBSD.org</email>
</author>
<published>2013-09-03T18:31:23Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ff6c7bf5caf8ed045becae3eefcf2d23f18083af'/>
<id>urn:sha1:ff6c7bf5caf8ed045becae3eefcf2d23f18083af</id>
<content type='text'>
performance... Use SSE2 instructions for calculating the XTS tweak
factor...  Let the compiler do more work and handle register allocation
by using intrinsics, now only the key schedule is in assembly...

Replace .byte hard coded instructions w/ the proper instructions now
that both clang and gcc support them...

On my machine, pulling the code to userland I saw performance go from
~150MB/sec to 2GB/sec in XTS mode.  GELI on GNOP saw a more modest
increase of about 3x due to other system overhead (geom and
opencrypto)...

These changes allow almost full disk io rate w/ geli...

Reviewed by:	-current, -security
Thanks to:	Mike Hamburg for the XTS tweak algorithm
</content>
</entry>
<entry>
<title>Fix const propagation issues to make GCC happy.</title>
<updated>2013-07-11T16:27:11Z</updated>
<author>
<name>Andre Oppermann</name>
<email>andre@FreeBSD.org</email>
</author>
<published>2013-07-11T16:27:11Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=bf0354c0f29c4627b125b06625a7ff6d52ccd1a0'/>
<id>urn:sha1:bf0354c0f29c4627b125b06625a7ff6d52ccd1a0</id>
<content type='text'>
Submitted by:	Michael Butler &lt;imb@protected-networks.net&gt;
</content>
</entry>
<entry>
<title>SipHash is a cryptographically strong pseudo-random function (a.k.a. keyed</title>
<updated>2013-07-11T14:18:38Z</updated>
<author>
<name>Andre Oppermann</name>
<email>andre@FreeBSD.org</email>
</author>
<published>2013-07-11T14:18:38Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=6856398eabaececad2bbec8f82ec36881a7283fd'/>
<id>urn:sha1:6856398eabaececad2bbec8f82ec36881a7283fd</id>
<content type='text'>
hash function) optimized for speed on short messages returning a 64bit hash/
digest value.

SipHash is simpler and much faster than other secure MACs and competitive
in speed with popular non-cryptographic hash functions.  It uses a 128-bit
key without the hidden cost of a key expansion step.  SipHash iterates a
simple round function consisting of four additions, four xors, and six
rotations, interleaved with xors of message blocks for a pre-defined number
of compression and finalization rounds.  The absence of secret load/store
addresses or secret branch conditions avoids timing attacks.  No state is
shared between messages.  Hashing is deterministic and doesn't use nonces.
It is not susceptible to length extension attacks.

Target applications include network traffic authentication, message
authentication (MAC) and hash-tables protection against hash-flooding
denial-of-service attacks.

The number of update/finalization rounds is defined during initialization:

 SipHash24_Init() for the fast and reasonably strong version.
 SipHash48_Init() for the strong version (half as fast).

SipHash usage is similar to other hash functions:

 struct SIPHASH_CTX ctx;
 char *k = "16bytes long key";
 char *s = "string";
 uint64_t h = 0;
 SipHash24_Init(&amp;ctx);
 SipHash_SetKey(&amp;ctx, k);
 SipHash_Update(&amp;ctx, s, strlen(s));
 SipHash_Final(&amp;h, &amp;ctx);  /* or */
 h = SipHash_End(&amp;ctx);    /* or */
 h = SipHash24(&amp;ctx, k, s, strlen(s));

It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and
is described in the paper "SipHash: a fast short-input PRF", 2012.09.18:
 https://131002.net/siphash/siphash.pdf
 Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa

Implemented by:	andre (based on the paper)
Reviewed by:	cperciva
</content>
</entry>
<entry>
<title>Sync with KAME.</title>
<updated>2013-07-09T22:04:35Z</updated>
<author>
<name>Xin LI</name>
<email>delphij@FreeBSD.org</email>
</author>
<published>2013-07-09T22:04:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=76a207c2b95aa787dfd5635a55b4a869b02f9b9b'/>
<id>urn:sha1:76a207c2b95aa787dfd5635a55b4a869b02f9b9b</id>
<content type='text'>
MFC after:	1 month
</content>
</entry>
<entry>
<title>Allow assert() to operate correctly when building userland code.</title>
<updated>2013-07-09T10:27:26Z</updated>
<author>
<name>Robert Millan</name>
<email>rmh@FreeBSD.org</email>
</author>
<published>2013-07-09T10:27:26Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f19122edbf176030db7d667f6edb82c573298f12'/>
<id>urn:sha1:f19122edbf176030db7d667f6edb82c573298f12</id>
<content type='text'>
</content>
</entry>
<entry>
<title>When porting XTS-related code from OpenBSD I forgot to update copyright (only</title>
<updated>2013-02-20T22:59:53Z</updated>
<author>
<name>Pawel Jakub Dawidek</name>
<email>pjd@FreeBSD.org</email>
</author>
<published>2013-02-20T22:59:53Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=45b56a6ba2b75a2f49e2c85188f8c71012effb4a'/>
<id>urn:sha1:45b56a6ba2b75a2f49e2c85188f8c71012effb4a</id>
<content type='text'>
OpenBSD was credited in one of two commits). Fix it.

Reported by:	Theo de Raadt &lt;deraadt@cvs.openbsd.org&gt;
Reviewed by:	Damien Miller &lt;djm@mindrot.org&gt;
</content>
</entry>
</feed>
