for counter mode), and AES-GCM. Both of these modes have been added to
the aesni module.
Included is a set of tests to validate that the software and aesni
module calculate the correct values. These use the NIST KAT test
vectors. To run the test, you will need to install a soon to be
committed port, nist-kat that will install the vectors. Using a port
is necessary as the test vectors are around 25MB.
All the man pages were updated. I have added a new man page, crypto.7,
which includes a description of how to use each mode. All the new modes
and some other AES modes are present. It would be good for someone
else to go through and document the other modes.
A new ioctl was added to support AEAD modes which AES-GCM is one of them.
Without this ioctl, it is not possible to test AEAD modes from userland.
Add a timing safe bcmp for use to compare MACs. Previously we were using
bcmp which could leak timing info and result in the ability to forge
messages.
Add a minor optimization to the aesni module so that single segment
mbufs don't get copied and instead are updated in place. The aesni
module needs to be updated to support blocked IO so segmented mbufs
don't have to be copied.
We require that the IV be specified for all calls for both GCM and ICM.
This is to ensure proper use of these functions.
Obtained from: p4: //depot/projects/opencrypto
Relnotes: yes
Sponsored by: FreeBSD Foundation
Sponsored by: NetGate
Using PROG instead of PROGS will in cases of high -j with -DNO_ROOT cause
the PROG to show up more than once as it's handling the SCRIPTS install case
in a recursive manner, separate from the non-recursive case
After the recent batch of commits to bsd.progs.mk to fix behavior with how
variables are defaulted to, explicitly setting SRCS for a PROG is no longer
required
MFC after: 1 week
Reviewed by: asomers
Phabric: D1130
Sponsored by: EMC / Isilon Storage Division
This causes the directory traversing Kyuafile to be installed, which in turn
causes tests/sys/pjdfstest to always be run from /usr/tests/sys
Let KYUAFILE default to auto, so the file generated by suite.test.mk gets
installed instead
MFC after: 1 week
pjdfstest execution is opt-in and must be done as root due to some of the
assumptions made by the test suite and lack of error checking in the non-root
case
A description of how to execute pjdfstest with kyua is provided in
share/pjdfstest/README
Phabric: D824 (an earlier prototype patch)
MFC after: 1 month
Relnotes: yes
Sponsored by: EMC / Isilon Storage Division
fibs. Use the mbuf's or the socket's fib instead of RT_ALL_FIBS. Fixes PR
187553. Also fixes netperf's UDP_STREAM test on a nondefault fib.
sys/netinet/ip_output.c
In ip_output, lookup the source address using the mbuf's fib instead
of RT_ALL_FIBS.
sys/netinet/in_pcb.c
in in_pcbladdr, lookup the source address using the socket's fib,
because we don't seem to have the mbuf fib. They should be the same,
though.
tests/sys/net/fibs_test.sh
Clear the expected failure on udp_dontroute.
PR: 187553
CR: https://reviews.freebsd.org/D772
MFC after: 3 weeks
Sponsored by: Spectra Logic
tests/sys/kern/unix_seqpacket_test.c
* Remove a duplicate error check in mk_pair_of_sockets
* Always close sockets in the success path of ATF test cases. Don't
bother with the error paths, because those are mostly assertions
anyway. Most of these socket leaks were reported by Coverity.
All of them are harmless, because each ATF test case runs in its
own process.
* Fix the len argument to send in shutdown_send and
shutdown_send_sigpipe. The old version was using sizeof a pointer
instead of sizeof the char array. Reported by Coverity.
* Change a few ATF_CHECK to ATF_REQUIRE if the test can't reasonably
continue past a failure.
Reported by: Coverity Scan
CID: 1229995, 1229991, 1229988, 1229994, 1229989, 1229992
CID: 1229993, 1229990, 1229984, 1229967, 1230005, 1229977
CID: 1229966, 1230004, 1229976
MFC after: 1 week
Sponsored by: Spectra Logic
ifa_ifwithnet() and ifa_ifwithdstaddr() The legacy functions will call the
_fib() versions with RT_ALL_FIBS, preserving legacy behavior.
sys/net/if_var.h
sys/net/if.c
Add legacy-compatible functions as described above. Ensure legacy
behavior when RT_ALL_FIBS is passed as fibnum.
sys/netinet/in_pcb.c
sys/netinet/ip_output.c
sys/netinet/ip_options.c
sys/net/route.c
sys/net/rtsock.c
sys/netinet6/nd6.c
Call with _fib() functions if we must use a specific fib, or the
legacy functions otherwise.
tests/sys/netinet/fibs_test.sh
tests/sys/netinet/udp_dontroute.c
Improve the udp_dontroute test. The bug that this test exercises is
that ifa_ifwithnet() will return the wrong address, if multiple
interfaces have addresses on the same subnet but with different
fibs. The previous version of the test only considered one possible
failure mode: that ifa_ifwithnet_fib() might fail to find any
suitable address at all. The new version also checks whether
ifa_ifwithnet_fib() finds the correct address by checking where the
ARP request goes.
Reported by: bz, hrs
Reviewed by: hrs
MFC after: 1 week
X-MFC-with: 264905
Sponsored by: Spectra Logic
