head 1.25; access; symbols netbsd-11-0-RC4:1.24 netbsd-11-0-RC3:1.24 netbsd-11-0-RC2:1.24 netbsd-11-0-RC1:1.24 perseant-exfatfs-base-20250801:1.24 netbsd-11:1.24.0.2 netbsd-11-base:1.24 netbsd-10-1-RELEASE:1.23.4.1 perseant-exfatfs-base-20240630:1.23 perseant-exfatfs:1.23.0.10 perseant-exfatfs-base:1.23 netbsd-8-3-RELEASE:1.4.10.1 netbsd-9-4-RELEASE:1.4.22.1 netbsd-10-0-RELEASE:1.23 netbsd-10-0-RC6:1.23 netbsd-10-0-RC5:1.23 netbsd-10-0-RC4:1.23 netbsd-10-0-RC3:1.23 netbsd-10-0-RC2:1.23 thorpej-ifq:1.23.0.8 thorpej-ifq-base:1.23 thorpej-altq-separation:1.23.0.6 thorpej-altq-separation-base:1.23 netbsd-10-0-RC1:1.23 netbsd-10:1.23.0.4 netbsd-10-base:1.23 bouyer-sunxi-drm:1.23.0.2 bouyer-sunxi-drm-base:1.23 netbsd-9-3-RELEASE:1.4.22.1 thorpej-i2c-spi-conf2:1.21.0.16 thorpej-i2c-spi-conf2-base:1.21 thorpej-futex2:1.21.0.14 thorpej-futex2-base:1.21 thorpej-cfargs2:1.21.0.12 thorpej-cfargs2-base:1.21 cjep_sun2x-base1:1.21 cjep_sun2x:1.21.0.10 cjep_sun2x-base:1.21 cjep_staticlib_x-base1:1.21 netbsd-9-2-RELEASE:1.4.22.1 cjep_staticlib_x:1.21.0.8 cjep_staticlib_x-base:1.21 thorpej-i2c-spi-conf:1.21.0.6 thorpej-i2c-spi-conf-base:1.21 thorpej-cfargs:1.21.0.4 thorpej-cfargs-base:1.21 thorpej-futex:1.21.0.2 thorpej-futex-base:1.21 netbsd-9-1-RELEASE:1.4.22.1 bouyer-xenpvh-base2:1.6 phil-wifi-20200421:1.6 bouyer-xenpvh-base1:1.6 phil-wifi-20200411:1.6 bouyer-xenpvh:1.6.0.6 bouyer-xenpvh-base:1.6 is-mlppp:1.6.0.4 is-mlppp-base:1.6 phil-wifi-20200406:1.6 netbsd-8-2-RELEASE:1.4.10.1 ad-namecache-base3:1.6 netbsd-9-0-RELEASE:1.4.22.1 netbsd-9-0-RC2:1.4.22.1 ad-namecache-base2:1.6 ad-namecache-base1:1.6 ad-namecache:1.6.0.2 ad-namecache-base:1.6 netbsd-9-0-RC1:1.4.22.1 phil-wifi-20191119:1.5 netbsd-9:1.4.0.22 netbsd-9-base:1.4 phil-wifi-20190609:1.4 netbsd-8-1-RELEASE:1.4 netbsd-8-1-RC1:1.4 isaki-audio2:1.4.0.20 isaki-audio2-base:1.4 pgoyette-compat-merge-20190127:1.4 pgoyette-compat-20190127:1.4 pgoyette-compat-20190118:1.4 pgoyette-compat-1226:1.4 pgoyette-compat-1126:1.4 pgoyette-compat-1020:1.4 pgoyette-compat-0930:1.4 pgoyette-compat-0906:1.4 netbsd-7-2-RELEASE:1.3 pgoyette-compat-0728:1.4 netbsd-8-0-RELEASE:1.4 phil-wifi:1.4.0.18 phil-wifi-base:1.4 pgoyette-compat-0625:1.4 netbsd-8-0-RC2:1.4 pgoyette-compat-0521:1.4 pgoyette-compat-0502:1.4 pgoyette-compat-0422:1.4 netbsd-8-0-RC1:1.4 pgoyette-compat-0415:1.4 pgoyette-compat-0407:1.4 pgoyette-compat-0330:1.4 pgoyette-compat-0322:1.4 pgoyette-compat-0315:1.4 netbsd-7-1-2-RELEASE:1.3 pgoyette-compat:1.4.0.16 pgoyette-compat-base:1.4 netbsd-7-1-1-RELEASE:1.3 tls-maxphys-base-20171202:1.4 matt-nb8-mediatek:1.4.0.14 matt-nb8-mediatek-base:1.4 nick-nhusb-base-20170825:1.4 perseant-stdc-iso10646:1.4.0.12 perseant-stdc-iso10646-base:1.4 netbsd-8:1.4.0.10 netbsd-8-base:1.4 prg-localcount2-base3:1.4 prg-localcount2-base2:1.4 prg-localcount2-base1:1.4 prg-localcount2:1.4.0.8 prg-localcount2-base:1.4 pgoyette-localcount-20170426:1.4 bouyer-socketcan-base1:1.4 jdolecek-ncq:1.4.0.6 jdolecek-ncq-base:1.4 pgoyette-localcount-20170320:1.4 netbsd-7-1:1.3.0.12 netbsd-7-1-RELEASE:1.3 netbsd-7-1-RC2:1.3 nick-nhusb-base-20170204:1.4 netbsd-7-nhusb-base-20170116:1.3 bouyer-socketcan:1.4.0.4 bouyer-socketcan-base:1.4 pgoyette-localcount-20170107:1.4 netbsd-7-1-RC1:1.3 nick-nhusb-base-20161204:1.4 pgoyette-localcount-20161104:1.4 netbsd-7-0-2-RELEASE:1.3 nick-nhusb-base-20161004:1.4 localcount-20160914:1.4 netbsd-7-nhusb:1.3.0.10 netbsd-7-nhusb-base:1.3 pgoyette-localcount-20160806:1.4 pgoyette-localcount-20160726:1.4 pgoyette-localcount:1.4.0.2 pgoyette-localcount-base:1.4 nick-nhusb-base-20160907:1.4 nick-nhusb-base-20160529:1.4 netbsd-7-0-1-RELEASE:1.3 nick-nhusb-base-20160422:1.4 nick-nhusb-base-20160319:1.4 nick-nhusb-base-20151226:1.4 netbsd-7-0:1.3.0.8 netbsd-7-0-RELEASE:1.3 nick-nhusb-base-20150921:1.3 netbsd-7-0-RC3:1.3 netbsd-7-0-RC2:1.3 netbsd-7-0-RC1:1.3 nick-nhusb-base-20150606:1.3 nick-nhusb-base-20150406:1.3 nick-nhusb:1.3.0.6 nick-nhusb-base:1.3 netbsd-6-0-6-RELEASE:1.1 netbsd-6-1-5-RELEASE:1.1 netbsd-7:1.3.0.4 netbsd-7-base:1.3 yamt-pagecache-base9:1.3 yamt-pagecache-tag8:1.1 netbsd-6-1-4-RELEASE:1.1 netbsd-6-0-5-RELEASE:1.1 tls-earlyentropy:1.3.0.2 tls-earlyentropy-base:1.3 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.3 riastradh-drm2-base3:1.3 netbsd-6-1-3-RELEASE:1.1 netbsd-6-0-4-RELEASE:1.1 netbsd-6-1-2-RELEASE:1.1 netbsd-6-0-3-RELEASE:1.1 rmind-smpnet-nbase:1.3 netbsd-6-1-1-RELEASE:1.1 riastradh-drm2-base2:1.1 riastradh-drm2-base1:1.1 riastradh-drm2:1.1.0.32 riastradh-drm2-base:1.1 rmind-smpnet:1.1.0.24 rmind-smpnet-base:1.3 netbsd-6-1:1.1.0.30 netbsd-6-0-2-RELEASE:1.1 netbsd-6-1-RELEASE:1.1 khorben-n900:1.1.0.28 netbsd-6-1-RC4:1.1 netbsd-6-1-RC3:1.1 agc-symver:1.1.0.26 agc-symver-base:1.1 netbsd-6-1-RC2:1.1 netbsd-6-1-RC1:1.1 yamt-pagecache-base8:1.1 netbsd-6-0-1-RELEASE:1.1 yamt-pagecache-base7:1.1 matt-nb6-plus-nbase:1.1 yamt-pagecache-base6:1.1 netbsd-6-0:1.1.0.22 netbsd-6-0-RELEASE:1.1 netbsd-6-0-RC2:1.1 tls-maxphys:1.1.0.20 tls-maxphys-base:1.3 matt-nb6-plus:1.1.0.18 matt-nb6-plus-base:1.1 netbsd-6-0-RC1:1.1 jmcneill-usbmp-base10:1.1 yamt-pagecache-base5:1.1 jmcneill-usbmp-base9:1.1 yamt-pagecache-base4:1.1 jmcneill-usbmp-base8:1.1 jmcneill-usbmp-base7:1.1 jmcneill-usbmp-base6:1.1 jmcneill-usbmp-base5:1.1 jmcneill-usbmp-base4:1.1 jmcneill-usbmp-base3:1.1 jmcneill-usbmp-pre-base2:1.1 jmcneill-usbmp-base2:1.1 netbsd-6:1.1.0.16 netbsd-6-base:1.1 jmcneill-usbmp:1.1.0.14 jmcneill-usbmp-base:1.1 jmcneill-audiomp3:1.1.0.12 jmcneill-audiomp3-base:1.1 yamt-pagecache-base3:1.1 yamt-pagecache-base2:1.1 yamt-pagecache:1.1.0.10 yamt-pagecache-base:1.1 rmind-uvmplock-nbase:1.1 cherry-xenmp:1.1.0.8 cherry-xenmp-base:1.1 rmind-uvmplock-base:1.1 rmind-uvmplock:1.1.0.6 bouyer-quota2-nbase:1.1 bouyer-quota2:1.1.0.4 bouyer-quota2-base:1.1 jruoho-x86intr:1.1.0.2 jruoho-x86intr-base:1.1 matt-mips64-premerge-20101231:1.1; locks; strict; comment @# @; 1.25 date 2025.11.23.08.07.55; author kre; state Exp; branches; next 1.24; commitid 5U5JJzQ8kwn8uEjG; 1.24 date 2024.07.26.18.25.03; author riastradh; state Exp; branches; next 1.23; commitid PulmjBxB8NdBunjF; 1.23 date 2021.08.21.09.08.55; author christos; state Exp; branches 1.23.4.1 1.23.10.1; next 1.22; commitid jtntDWbOR8x8OO5D; 1.22 date 2021.08.21.08.47.23; author christos; state Exp; branches; next 1.21; commitid dLqB9AZ883SBGO5D; 1.21 date 2020.08.27.14.01.36; author riastradh; state Exp; branches; next 1.20; commitid A1qYWu4TChK2YHlC; 1.20 date 2020.08.26.15.49.56; author riastradh; state Exp; branches; next 1.19; commitid mCp7SsjDmjBdBAlC; 1.19 date 2020.08.21.06.37.30; author riastradh; state Exp; branches; next 1.18; commitid oSDaIEzpkUBrHTkC; 1.18 date 2020.08.21.06.30.46; author riastradh; state Exp; branches; next 1.17; commitid PteIjRPEDvSiFTkC; 1.17 date 2020.08.21.06.27.41; author riastradh; state Exp; branches; next 1.16; commitid 873JKME6W3L6ETkC; 1.16 date 2020.08.20.21.33.43; author riastradh; state Exp; branches; next 1.15; commitid 4nY5R1QaLei8HQkC; 1.15 date 2020.08.20.21.30.32; author riastradh; state Exp; branches; next 1.14; commitid Bns4iZSqZxC2GQkC; 1.14 date 2020.08.20.21.21.32; author riastradh; state Exp; branches; next 1.13; commitid N73Yrga05QuWCQkC; 1.13 date 2020.07.28.20.15.07; author riastradh; state Exp; branches; next 1.12; commitid OD3YAxpRSjqXZShC; 1.12 date 2020.07.26.04.25.49; author riastradh; state Exp; branches; next 1.11; commitid 8kki1LTBDrTiOxhC; 1.11 date 2020.07.26.04.25.14; author riastradh; state Exp; branches; next 1.10; commitid FMHTc6VjePR6OxhC; 1.10 date 2020.07.26.04.03.45; author riastradh; state Exp; branches; next 1.9; commitid imyIew06TI6KGxhC; 1.9 date 2020.07.25.22.40.08; author riastradh; state Exp; branches; next 1.8; commitid F3jTj17atpyHTvhC; 1.8 date 2020.06.29.23.44.01; author riastradh; state Exp; branches; next 1.7; commitid ijLegoVLyO4j5beC; 1.7 date 2020.06.29.23.27.52; author riastradh; state Exp; branches; next 1.6; commitid sTXj7fZb1kEfZaeC; 1.6 date 2019.12.05.03.57.55; author riastradh; state Exp; branches; next 1.5; commitid kbGXbJvFBJF5btNB; 1.5 date 2019.09.02.20.09.30; author riastradh; state Exp; branches; next 1.4; commitid umY6sKR39MMIztBB; 1.4 date 2015.10.19.16.16.37; author pooka; state Exp; branches 1.4.10.1 1.4.18.1 1.4.22.1; next 1.3; commitid tw5dhIUFxtTYIJFy; 1.3 date 2014.01.17.01.32.53; author pooka; state Exp; branches 1.3.4.1 1.3.6.1 1.3.8.1 1.3.12.1; next 1.2; commitid rEaNSdVMEMfjpplx; 1.2 date 2014.01.14.17.05.50; author pgoyette; state Exp; branches; next 1.1; commitid rFf4oQy7OrpEF6lx; 1.1 date 2010.12.05.20.11.22; author pooka; state Exp; branches 1.1.6.1 1.1.10.1 1.1.20.1 1.1.24.1; next ; 1.23.4.1 date 2024.10.09.10.49.04; author martin; state Exp; branches; next ; commitid lYQf1qrcksjHyYsF; 1.23.10.1 date 2025.08.02.05.57.52; author perseant; state Exp; branches; next ; commitid 23j6GFaDws3O875G; 1.4.10.1 date 2019.09.03.12.08.21; author martin; state Exp; branches; next ; commitid qV2l6sTtlPSFSyBB; 1.4.18.1 date 2020.04.08.14.09.01; author martin; state Exp; branches; next 1.4.18.2; commitid Qli2aW9E74UFuA3C; 1.4.18.2 date 2020.04.13.08.05.18; author martin; state Exp; branches; next ; commitid X01YhRUPVUDaec4C; 1.4.22.1 date 2019.09.03.07.47.59; author martin; state Exp; branches; next ; commitid QaZLfHJ3j05mrxBB; 1.3.4.1 date 2019.09.03.12.20.42; author martin; state Exp; branches; next ; commitid DvIKWS8h3oCUWyBB; 1.3.6.1 date 2015.12.27.12.10.15; author skrll; state Exp; branches; next ; commitid BTSqUD4SdJ5k7AOy; 1.3.8.1 date 2019.09.03.12.30.46; author martin; state Exp; branches; next ; commitid yyUivoke4svm0zBB; 1.3.12.1 date 2019.09.03.12.28.30; author martin; state Exp; branches; next ; commitid y6xZrY6cEXxAZyBB; 1.1.6.1 date 2010.12.05.20.11.22; author rmind; state dead; branches; next 1.1.6.2; 1.1.6.2 date 2011.03.05.20.56.13; author rmind; state Exp; branches; next ; 1.1.10.1 date 2014.05.22.11.41.14; author yamt; state Exp; branches; next ; commitid VUUXuyNWnt3AKwBx; 1.1.20.1 date 2014.08.20.00.04.40; author tls; state Exp; branches; next 1.1.20.2; commitid jTnpym9Qu0o4R1Nx; 1.1.20.2 date 2017.12.03.11.39.14; author jdolecek; state Exp; branches; next ; commitid XcIYRZTAh1LmerhA; 1.1.24.1 date 2014.05.18.17.46.17; author rmind; state Exp; branches; next ; commitid mL5ZYSzpqK6QS2Bx; desc @@ 1.25 log @ Add the new ass_keysched.c to the rump kernel crypto lib This will hopefully unbreak the builds. @ text @# $NetBSD: Makefile,v 1.24 2024/07/26 18:25:03 riastradh Exp $ # S=${.CURDIR}/../../../.. SODIUM_IMPORTDIR=${S}/external/isc/libsodium SODIUM_DIR=${SODIUM_IMPORTDIR}/dist/src/libsodium .PATH: ${S}/crypto/adiantum \ ${S}/crypto/aes \ ${S}/crypto/blowfish \ ${S}/crypto/camellia \ ${S}/crypto/cast128 \ ${S}/crypto/des \ ${S}/crypto/skipjack \ ${SODIUM_DIR}/crypto_scalarmult/curve25519/ref10 \ ${SODIUM_DIR}/crypto_scalarmult/curve25519 \ ${SODIUM_DIR}/crypto_scalarmult \ ${SODIUM_DIR}/crypto_onetimeauth/poly1305/donna \ ${SODIUM_DIR}/crypto_onetimeauth/poly1305 \ ${SODIUM_DIR}/crypto_onetimeauth \ ${SODIUM_DIR}/crypto_stream/chacha20/ref \ ${SODIUM_DIR}/crypto_stream/chacha20 \ ${SODIUM_DIR}/crypto_aead/xchacha20poly1305/sodium \ ${SODIUM_DIR}/crypto_aead/chacha20poly1305/sodium \ ${SODIUM_DIR}/crypto_core/hchacha20 \ ${SODIUM_DIR}/crypto_core/ed25519/ref10 \ ${SODIUM_IMPORTDIR}/src LIB= rumpkern_crypto COMMENT=Cryptographic routines # Adiantum SRCS+= adiantum.c SRCS+= adiantum_selftest.c # AES SRCS+= aes_bear.c SRCS+= aes_ccm.c SRCS+= aes_ccm_mbuf.c SRCS+= aes_ct.c SRCS+= aes_ct_dec.c SRCS+= aes_ct_enc.c SRCS+= aes_impl.c SRCS+= aes_keysched.c SRCS+= aes_selftest.c # blowfish SRCS+= bf_ecb.c bf_enc.c bf_cbc.c bf_skey.c bf_module.c # camellia SRCS+= camellia.c camellia-api.c # cast128 SRCS+= cast128.c # DES SRCS+= des_ecb.c des_setkey.c des_enc.c des_cbc.c des_module.c # skipjack SRCS+= skipjack.c # libsodium SODIUM_CPPFLAGS+= -I${SODIUM_IMPORTDIR}/include SODIUM_CPPFLAGS+= -I${SODIUM_IMPORTDIR}/dist/src/libsodium/include/sodium #SODIUM_CPPFLAGS+= -DHAVE_TI_MODE SODIUM_CWARNFLAGS+= -Wno-shadow SODIUM_CWARNFLAGS+= -Wno-unused-function SODIUM_CWARNFLAGS+= -Wno-unused-variable SODIUM_SRCS+= x25519_ref10.c SODIUM_SRCS+= scalarmult_curve25519.c SODIUM_SRCS+= crypto_scalarmult.c SODIUM_SRCS+= poly1305_donna.c SODIUM_SRCS+= onetimeauth_poly1305.c SODIUM_SRCS+= crypto_onetimeauth.c SODIUM_SRCS+= chacha20_ref.c SODIUM_SRCS+= stream_chacha20.c SODIUM_SRCS+= aead_xchacha20poly1305.c SODIUM_SRCS+= aead_chacha20poly1305.c SODIUM_SRCS+= core_hchacha20.c SODIUM_SRCS+= ed25519_ref10.c SODIUM_SRCS+= sodium_module.c SODIUM_SRCS+= sodium_selftest.c SRCS+= ${SODIUM_SRCS} .for _s_ in ${SODIUM_SRCS} CPPFLAGS.${_s_}+= ${SODIUM_CPPFLAGS} COPTS.${_s_}+= ${SODIUM_CWARNFLAGS} .endfor .include .include @ 1.24 log @sys/crypto/sodium: Add a self-test for IETF ChaCha20/Poly1305 AEAD. PR kern/58468 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.23 2021/08/21 09:08:55 christos Exp $ d44 1 @ 1.23 log @rename glue.c to sodium_module.c @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.22 2021/08/21 08:47:23 christos Exp $ d84 1 @ 1.23.10.1 log @Sync with HEAD @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.24 2024/07/26 18:25:03 riastradh Exp $ a83 1 SODIUM_SRCS+= sodium_selftest.c @ 1.23.4.1 log @Pull up following revision(s) (requested by riastradh in ticket #933): sys/external/isc/libsodium/src/sodium_module.c: revision 1.2 sys/external/isc/libsodium/include/core.h: revision 1.2 sys/external/isc/libsodium/include/stdlib.h: revision 1.2 sys/modules/sodium/Makefile.sodmod: revision 1.4 sys/external/isc/libsodium/include/crypto_verify_16.h: revision 1.2 sys/external/isc/libsodium/include/errno.h: file removal sys/crypto/sodium/sodium_selftest.h: revision 1.1 sys/external/isc/libsodium/include/stdint.h: revision 1.2 sys/crypto/sodium/sodium_selftest.h: revision 1.2 sys/external/isc/libsodium/include/assert.h: file removal sys/external/isc/libsodium/conf/files.libsodium: revision 1.7 sys/rump/kern/lib/libcrypto/Makefile: revision 1.24 sys/external/isc/libsodium/src/sodium_selftest.c: revision 1.1 sys/external/isc/libsodium/src/sodium_selftest.c: revision 1.2 sys/external/isc/libsodium/include/string.h: revision 1.2 sys/crypto/sodium: Add a self-test for IETF ChaCha20/Poly1305 AEAD. PR kern/58468 sys/crypto/sodium: Fill out crypto_verify_16 stub. Without this change, libsodium silently accepts forgeries. This one's a doozy, and it's a sobering reminder that: (a) wg(4) is still experimental (only user of libsodium in kernel; both are available only through default-off optional modules). (b) Known-answer test vectors are critical, including negative tests (test that forgeries are rejected), and must be mandatory for all new crypto code -- and should be added to old crypto code too. (c) Crypto code must also have self-tests that run in the same environment, not just the same code in a different build or test environment -- the libsodium code itself is fine, but we built it differently and need to exercise it differently from upstream's automatic tests. It's my fault for not catching this earlier. What happened is: 1. ozaki-r@@ adapted libsodium to build in the kernel with various glue to build code meant for standard userland C, like errno.h and string.h. 2. Since libsodium's crypto_verify_16.c uses various SIMD intrinsics on various architectures, it couldn't be used directly in the kernel build, because -- at the time -- we hadn't wired up any header files for SIMD intrinsics or any runtime support for saving and restoring SIMD state appropriately in the kernel. 3. ozaki-r@@ put a similar glue header file crypto_verify_16.h to override libsodium's, with a stub to be implemented later, and presumably forgot to remind me about it. 4. I missed the stub in crypto_verify_16.h when reviewing the libsodium import and wg(4) code because it was in the same directory as various other simple glue code that I deemed low-risk. (I did make one change to that glue code, to replace cprng_fast by cprng_strong, but I suspect I found that by searching for cprng_fast users rather than by reviewing this code.) 5. I broke my own rule about always having known-answer test vectors for crypto code because I figured libsodium was well-enough exercised that we could skimp on it for now, and my focus was more on the state machine and synchronization logic than on the crypto. 6. I had not yet written known-answer test vectors for the higher-level wg(4) protocol messages. Before we can remove the `experimental' tag from wg(4) we will need to (among other things): i. Write self-tests for the rest of (what we use from) libsodium. ii. Write extensive known-answer test vectors for all the wg(4) protocol messages (and ideally state machine transitions). iii. Write self-tests for a reasonable subset of the wg(4) KATs. iv. Review all of the libsodium glue code I neglected to review. PR kern/58468 sys/crypto/sodium: Simplify string.h stub. Not sure of any particular problem with the previous stub, but let's make sure to use the same prototypes for memset/memcpy/memmove as everything else in the kernel. PR kern/58468 sys/crypto/sodium: Nix unused assert.h stub. Maybe this was a vestige of an earlier draft of the libsodium import, but it doesn't appear to be needed now by any libsodium files we use. PR kern/58468 sys/crypto/sodium: Nix risky defines from core.h stub. These are risky not because they might cause crypto flaws, but because they might cause usage of the SIMD unit in the kernel along paths where we haven't made it safe. That said -- no change to the amd64 module .o and .kmod files, so this doesn't currently make a difference; it's just risky to have around in case we later include other parts of libsodium that it does affect, like the Salsa20 code. PR kern/58468 sys/crypto/sodium: Nix unused errno.h. Maybe this was a vestige of an earlier draft of the libsodium import, but it doesn't appear to be needed now by any libsodium files we use. PR kern/58468 sys/crypto/sodium: Simplify stdint.h stub. No change to the .o or .kmod files; just the .d make dependency files change. PR kern/58468 sys/crypto/sodium: Tighten stdlib.h glue. 1. Make sure nothing uses malloc and free. All of the routines we need should work in fixed-size, caller-allocated buffers and reasonable stack space. 2. Make panic message for abort() stub clearer. There are calls to it, but they imply internal errors inside libsodium which should not happen unless there is an unrecoverable software bug in libsodium. PR kern/58468 sys/crypto/sodium: Add self-test for XChaCha20/Poly1305 AEAD. PR kern/58468 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.23 2021/08/21 09:08:55 christos Exp $ a83 1 SODIUM_SRCS+= sodium_selftest.c @ 1.22 log @Add glue.c for libsodium (suggested by riastradh). Tidy up. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.21 2020/08/27 14:01:36 riastradh Exp $ d83 1 a83 1 SODIUM_SRCS+= glue.c @ 1.21 log @Move address hashing from init_main.c to kern_sysctl.c. This way rump gets it automatically. Make sure blake2s is in librumpkern.so, not just in librumpkern_crypto.so, for this to work. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.20 2020/08/26 15:49:56 riastradh Exp $ d4 11 a14 10 SODIUM_IMPORTDIR=${.CURDIR}/../../../../external/isc/libsodium SODIUM_DIR=${.CURDIR}/../../../../external/isc/libsodium/dist/src/libsodium .PATH: ${.CURDIR}/../../../../crypto/adiantum \ ${.CURDIR}/../../../../crypto/aes \ ${.CURDIR}/../../../../crypto/blowfish \ ${.CURDIR}/../../../../crypto/camellia \ ${.CURDIR}/../../../../crypto/cast128 \ ${.CURDIR}/../../../../crypto/des \ ${.CURDIR}/../../../../crypto/skipjack \ d26 2 a27 1 ${SODIUM_DIR}/crypto_core/ed25519/ref10 d83 1 @ 1.20 log @Tidy up libsodium makefile and config fragments. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.19 2020/08/21 06:37:30 riastradh Exp $ a8 1 ${.CURDIR}/../../../../crypto/blake2 \ a58 3 # BLAKE2 SRCS+= blake2s.c @ 1.19 log @Disable libsodium HAVE_TI_MODE for now. This may reduce performance by not taking advantage of 64x64->128 multiplications on some platforms, but let's worry about that later and fix the build on the other platforms instead. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.18 2020/08/21 06:30:46 riastradh Exp $ d63 1 a63 2 # Various cryptography functions SODIUM_CPPFLAGS= d69 23 a91 22 SODIUM_CPPFLAGS+= -Wno-shadow SODIUM_CPPFLAGS+= -Wno-unused-function SODIUM_CPPFLAGS+= -Wno-unused-variable CPPFLAGS.x25519_ref10.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.scalarmult_curve25519.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.crypto_scalarmult.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.poly1305_donna.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.onetimeauth_poly1305.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.crypto_onetimeauth.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.chacha20_ref.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.stream_chacha20.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.aead_xchacha20poly1305.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.aead_chacha20poly1305.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.core_hchacha20.c+= ${SODIUM_CPPFLAGS} CPPFLAGS.ed25519_ref10.c+= ${SODIUM_CPPFLAGS} SRCS+= x25519_ref10.c scalarmult_curve25519.c crypto_scalarmult.c SRCS+= poly1305_donna.c onetimeauth_poly1305.c SRCS+= crypto_onetimeauth.c chacha20_ref.c stream_chacha20.c SRCS+= aead_xchacha20poly1305.c aead_chacha20poly1305.c SRCS+= core_hchacha20.c ed25519_ref10.c @ 1.18 log @Split flags onto separate lines, sorted, to make diffs easier. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.17 2020/08/21 06:27:41 riastradh Exp $ d68 1 a68 1 SODIUM_CPPFLAGS+= -DHAVE_TI_MODE @ 1.17 log @Disable -Wshadow for libsodium. Evidently ed25519_ref10.c has a global and a local both named `d'. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.16 2020/08/20 21:33:43 riastradh Exp $ d67 6 a72 1 SODIUM_CPPFLAGS+= -Wno-shadow -Wno-unused-function -Wno-unused-variable -DHAVE_TI_MODE @ 1.16 log @Missed a spot -- add sys/crypto/blake2 to .PATH here. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.15 2020/08/20 21:30:32 riastradh Exp $ d67 1 a67 1 SODIUM_CPPFLAGS+= -Wno-unused-function -Wno-unused-variable -DHAVE_TI_MODE @ 1.15 log @Fix vestiges of libb2. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.14 2020/08/20 21:21:32 riastradh Exp $ d9 1 @ 1.14 log @[ozaki-r] Changes to the kernel core for wireguard @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.13 2020/07/28 20:15:07 riastradh Exp $ a13 1 ${.CURDIR}/../../../../external/cc0/libb2/dist/src \ d60 1 a60 3 SRCS+= blake2s-ref.c CPPFLAGS.blake2s-ref.c+= -I${.CURDIR}/../../../../external/cc0/libb2/include \ -Wno-cast-qual -DSUFFIX= @ 1.13 log @Rewrite cprng_fast in terms of new ChaCha API. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12 2020/07/26 04:25:49 riastradh Exp $ d4 3 d13 14 a26 1 ${.CURDIR}/../../../../crypto/skipjack d60 30 @ 1.12 log @Fix more sort order. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.11 2020/07/26 04:25:14 riastradh Exp $ a8 1 ${.CURDIR}/../../../../crypto/chacha \ a37 5 # ChaCha SRCS+= chacha_impl.c SRCS+= chacha_ref.c SRCS+= chacha_selftest.c @ 1.11 log @Add missing aes_ccm.c, aes_ccm_mbuf.c. Fix sort order. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.10 2020/07/26 04:03:45 riastradh Exp $ d20 10 d36 3 a43 3 # cast128 SRCS+= cast128.c a46 10 # AES SRCS+= aes_bear.c SRCS+= aes_ccm.c SRCS+= aes_ccm_mbuf.c SRCS+= aes_ct.c SRCS+= aes_ct_dec.c SRCS+= aes_ct_enc.c SRCS+= aes_impl.c SRCS+= aes_selftest.c @ 1.10 log @Add chacha to rump libcrypto. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.9 2020/07/25 22:40:08 riastradh Exp $ a5 1 ${.CURDIR}/../../../../crypto/chacha \ d9 1 d39 2 @ 1.9 log @Remove now-unused legacy rijndael API. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.8 2020/06/29 23:44:01 riastradh Exp $ d6 1 d26 5 @ 1.8 log @New cgd cipher adiantum. Adiantum is a wide-block cipher, built out of AES, XChaCha12, Poly1305, and NH, defined in Paul Crowley and Eric Biggers, `Adiantum: length-preserving encryption for entry-level processors', IACR Transactions on Symmetric Cryptology 2018(4), pp. 39--61. Adiantum provides better security than a narrow-block cipher with CBC or XTS, because every bit of each sector affects every other bit, whereas with CBC each block of plaintext only affects the following blocks of ciphertext in the disk sector, and with XTS each block of plaintext only affects its own block of ciphertext and nothing else. Adiantum generally provides much better performance than constant-time AES-CBC or AES-XTS software do without hardware support, and performance comparable to or better than the variable-time (i.e., leaky) AES-CBC and AES-XTS software we had before. (Note: Adiantum also uses AES as a subroutine, but only once per disk sector. It takes only a small fraction of the time spent by Adiantum, so there's relatively little performance impact to using constant-time AES software over using variable-time AES software for it.) Adiantum naturally scales to essentially arbitrary disk sector sizes; sizes >=1024-bytes take the most advantage of Adiantum's design for performance, so 4096-byte sectors would be a natural choice if we taught cgd to change the disk sector size. (However, it's a different cipher for each disk sector size, so it _must_ be a cgd parameter.) The paper presents a similar construction HPolyC. The salient difference is that HPolyC uses Poly1305 directly, whereas Adiantum uses Poly1395(NH(...)). NH is annoying because it requires a 1072-byte key, which means the test vectors are ginormous, and changing keys is costly; HPolyC avoids these shortcomings by using Poly1305 directly, but HPolyC is measurably slower, costing about 1.5x what Adiantum costs on 4096-byte sectors. For the purposes of cgd, we will reuse each key for many messages, and there will be very few keys in total (one per cgd volume) so -- except for the annoying verbosity of test vectors -- the tradeoff weighs in the favour of Adiantum, especially if we teach cgd to do >>512-byte sectors. For now, everything that Adiantum needs beyond what's already in the kernel is gathered into a single file, including NH, Poly1305, and XChaCha12. We can split those out -- and reuse them, and provide MD tuned implementations, and so on -- as needed; this is just a first pass to get Adiantum implemented for experimentation. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.7 2020/06/29 23:27:52 riastradh Exp $ a36 1 SRCS+= aes_rijndael.c @ 1.7 log @Rework AES in kernel to finally address CVE-2005-1797. 1. Rip out old variable-time reference implementation. 2. Replace it by BearSSL's constant-time 32-bit logic. => Obtained from commit dda1f8a0c46e15b4a235163470ff700b2f13dcc5. => We could conditionally adopt the 64-bit logic too, which would likely give a modest performance boost on 64-bit platforms without AES-NI, but that's a bit more trouble. 3. Select the AES implementation at boot-time; allow an MD override. => Use self-tests to verify basic correctness at boot. => The implementation selection policy is rather rudimentary at the moment but it is isolated to one place so it's easy to change later on. This (a) plugs a host of timing attacks on, e.g., cgd, and (b) paves the way to take advantage of CPU support for AES -- both things we should've done a decade ago. Downside: Computing AES takes 2-3x the CPU time. But that's what hardware support will be coming for. Rudimentary measurement of performance impact done by: mount -t tmpfs tmpfs /tmp dd if=/dev/zero of=/tmp/disk bs=1m count=512 vnconfig -cv vnd0 /tmp/disk cgdconfig -s cgd0 /dev/vnd0 aes-cbc 256 < /dev/zero dd if=/dev/rcgd0d of=/dev/null bs=64k dd if=/dev/zero of=/dev/rcgd0d bs=64k The AES-CBC encryption performance impact is closer to 3x because it is inherently sequential; the AES-CBC decryption impact is closer to 2x because the bitsliced AES logic can process two blocks at once. Discussed on tech-kern: https://mail-index.NetBSD.org/tech-kern/2020/06/18/msg026505.html @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.6 2019/12/05 03:57:55 riastradh Exp $ d4 2 a5 1 .PATH: ${.CURDIR}/../../../../crypto/aes \ d15 4 @ 1.6 log @Missed a spot in the crypto/arc4 deletion. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.5 2019/09/02 20:09:30 riastradh Exp $ d4 2 a5 1 .PATH: ${.CURDIR}/../../../../crypto/blowfish \ a8 1 ${.CURDIR}/../../../../crypto/rijndael \ d26 8 a33 2 # rijndael SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.5 log @Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (https://eprint.iacr.org/2018/349) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... XXX pullup-7 XXX pullup-8 XXX pullup-9 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2015/10/19 16:16:37 pooka Exp $ d4 1 a4 2 .PATH: ${.CURDIR}/../../../../crypto/arc4 \ ${.CURDIR}/../../../../crypto/blowfish \ a13 3 # arc4 SRCS+= arc4.c @ 1.4 log @Add a COMMENT describing what each component roughly does. "make describe" prints the comment. Requested/inspired by Vincent Schwarzer on rumpkernel-users @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2014/01/17 01:32:53 pooka Exp $ d31 1 a31 2 # rijndael is in rumpkern due to it being used by cprng #SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.4.18.1 log @Merge changes from current as of 20200406 @ text @d1 1 a1 1 # $NetBSD$ d4 2 a5 1 .PATH: ${.CURDIR}/../../../../crypto/blowfish \ d15 3 @ 1.4.18.2 log @Mostly merge changes from HEAD upto 20200411 @ text @d27 2 a28 1 SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.4.10.1 log @Pull up following revision(s) (requested by riastradh in ticket #1365): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.13 - 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal cprng.h: use static __inline for consistency with other include headers and remove an unused function. - Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (https://eprint.iacr.org/2018/349) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2015/10/19 16:16:37 pooka Exp $ d31 2 a32 1 SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.4.22.1 log @Pull up following revision(s) (requested by riastradh in ticket #173): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (https://eprint.iacr.org/2018/349) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... XXX pullup-7 XXX pullup-8 XXX pullup-9 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2015/10/19 16:16:37 pooka Exp $ d31 2 a32 1 SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.3 log @Use subr_cprng.c instead of stub implementation. Rijndael migrates from rumpkern_crypto to rumpkern due to it being mandatory for cprng. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2014/01/14 17:05:50 pgoyette Exp $ d13 1 @ 1.3.8.1 log @Pull up following revision(s) (requested by riastradh in ticket #1705): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.13 - 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal cprng.h: use static __inline for consistency with other include headers and remove an unused function. - Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (https://eprint.iacr.org/2018/349) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2014/01/17 01:32:53 pooka Exp $ d30 2 a31 1 SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.3.12.1 log @Pull up following revision(s) (requested by riastradh in ticket #1705): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.13 - 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal cprng.h: use static __inline for consistency with other include headers and remove an unused function. - Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (https://eprint.iacr.org/2018/349) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2014/01/17 01:32:53 pooka Exp $ d30 2 a31 1 SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.3.4.1 log @Pull up following revision(s) (requested by riastradh in ticket #1705): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.13 - 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal cprng.h: use static __inline for consistency with other include headers and remove an unused function. - Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (https://eprint.iacr.org/2018/349) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2014/01/17 01:32:53 pooka Exp $ d30 2 a31 1 SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.3.6.1 log @Sync with HEAD (as of 26th Dec) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2015/10/19 16:16:37 pooka Exp $ a12 1 COMMENT=Cryptographic routines @ 1.2 log @Add the MODULE parts for blowfish and des. Add camellia algorithm. (pooka@@ says no lib version change required) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1 2010/12/05 20:11:22 pooka Exp $ d30 2 a31 1 SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.1 log @rumpcrypto should never have been its own faction, so finally make it a component under kern, i.e. rumpcrypto -> rumpkern_crypto. @ text @d1 1 a1 1 # $NetBSD: Makefile.rumpcrypto,v 1.2 2010/02/16 20:42:46 pooka Exp $ d6 1 d18 4 a21 1 SRCS+= bf_ecb.c bf_enc.c bf_cbc.c bf_skey.c d27 1 a27 1 SRCS+= des_ecb.c des_setkey.c des_enc.c des_cbc.c @ 1.1.20.1 log @Rebase to HEAD as of a few days ago. @ text @d1 1 a1 1 # $NetBSD$ a5 1 ${.CURDIR}/../../../../crypto/camellia \ d17 1 a17 4 SRCS+= bf_ecb.c bf_enc.c bf_cbc.c bf_skey.c bf_module.c # camellia SRCS+= camellia.c camellia-api.c d23 1 a23 1 SRCS+= des_ecb.c des_setkey.c des_enc.c des_cbc.c des_module.c d26 1 a26 2 # rijndael is in rumpkern due to it being used by cprng #SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.1.20.2 log @update from HEAD @ text @a12 1 COMMENT=Cryptographic routines @ 1.1.10.1 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1 2010/12/05 20:11:22 pooka Exp $ a5 1 ${.CURDIR}/../../../../crypto/camellia \ d17 1 a17 4 SRCS+= bf_ecb.c bf_enc.c bf_cbc.c bf_skey.c bf_module.c # camellia SRCS+= camellia.c camellia-api.c d23 1 a23 1 SRCS+= des_ecb.c des_setkey.c des_enc.c des_cbc.c des_module.c d26 1 a26 2 # rijndael is in rumpkern due to it being used by cprng #SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.1.24.1 log @sync with head @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1 2010/12/05 20:11:22 pooka Exp $ a5 1 ${.CURDIR}/../../../../crypto/camellia \ d17 1 a17 4 SRCS+= bf_ecb.c bf_enc.c bf_cbc.c bf_skey.c bf_module.c # camellia SRCS+= camellia.c camellia-api.c d23 1 a23 1 SRCS+= des_ecb.c des_setkey.c des_enc.c des_cbc.c des_module.c d26 1 a26 2 # rijndael is in rumpkern due to it being used by cprng #SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c @ 1.1.6.1 log @file Makefile was added on branch rmind-uvmplock on 2011-03-05 20:56:13 +0000 @ text @d1 32 @ 1.1.6.2 log @sync with head @ text @a0 32 # $NetBSD$ # .PATH: ${.CURDIR}/../../../../crypto/arc4 \ ${.CURDIR}/../../../../crypto/blowfish \ ${.CURDIR}/../../../../crypto/cast128 \ ${.CURDIR}/../../../../crypto/des \ ${.CURDIR}/../../../../crypto/rijndael \ ${.CURDIR}/../../../../crypto/skipjack LIB= rumpkern_crypto # arc4 SRCS+= arc4.c # blowfish SRCS+= bf_ecb.c bf_enc.c bf_cbc.c bf_skey.c # cast128 SRCS+= cast128.c # DES SRCS+= des_ecb.c des_setkey.c des_enc.c des_cbc.c # rijndael SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c # skipjack SRCS+= skipjack.c .include .include @