Commit Graph

176 Commits

Author SHA1 Message Date
des
ce96d70e17 Fix gcc build: preserve const qualifier when casting input values.
Noticed by:	bz@
Submitted by:	dim@
2014-11-11 13:37:28 +00:00
des
d656003ded Constify the AES code and propagate to consumers. This allows us to
update the Fortuna code to use SHAd-256 as defined in FS&K.

Approved by:	so (self)
2014-11-10 09:44:38 +00:00
kib
4b355196ab Put the aesni_cipher_setup() and aesni_cipher_process() functions into
the file which is compiled with SSE disabled.  The functions set up
the FPU context for kernel, and compiler optimizations which could
lead to use of XMM registers before the fpu_kern_enter(9) is called or
after fpu_kern_leave(9), panic the machine.

Discussed with:	jmg
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2014-06-24 06:55:49 +00:00
kib
fe547198b1 Add FPU_KERN_KTHR flag to fpu_kern_enter(9), which avoids saving FPU
context into memory for the kernel threads which called
fpu_kern_thread(9).  This allows the fpu_kern_enter() callers to not
check for is_fpu_kern_thread() to get the optimization.

Apply the flag to padlock(4) and aesni(4).  In aesni_cipher_process(),
do not leak FPU context state on error.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2014-06-23 07:37:54 +00:00
imp
c39e6fc2c9 NO_MAN= has been deprecated in favor of MAN= for some time, go ahead
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
2014-04-13 05:21:56 +00:00
jmg
eab153cc9d replace the kernel's version w/ cperciva's implementation... In all
my tests, it is faster ~20%, even on an old IXP425 533MHz it is ~45%
faster...  This is partly due to loop unrolling, so the code size does
significantly increase...  I do plan on committing a version that
rolls up the loops again for smaller code size for embedded systems
where size is more important than absolute performance (it'll save ~6k
code)...

The kernel implementation is now shared w/ userland's libcrypt and
libmd...

We drop support for sha256 from sha2.c, so now sha2.c only contains
sha384 and sha512...

Reviewed by:	secteam@
2014-03-16 01:43:23 +00:00
jmg
bf2e9f212d copy these files from lib/libmd in preperation for moving these files
into the kernel...
2014-03-16 00:57:26 +00:00
jmg
f19a97b48c fix broken style(9) in r258399
Pointed out by:	brd
2013-11-23 00:28:18 +00:00
jmg
472b0e6b78 flag that the aesni driver is sync... This means we don't waste a
context switch just to call the done callback...  On my machine, this
improves geli/gzero decrypt performance by ~27% from 550MB/sec to
~700MB/sec...

MFC after:	3 days
2013-11-20 20:25:27 +00:00
jmg
c4e415a9b1 make it so that from/to can be missaligned as it can happen (the geli
regression manages to do it)...  We use a packed struct to coerce
gcc/clang into producing unaligned loads (there is not packed pointer
attribute, otherwise this would be easier)...

use _storeu_ and _loadu_ when using the structure is overkill...

be better at using types properly...  Since we allocate our own key
schedule and make sure it's aligned, use the __m128i type in various
arguments to functions...

clang ignores __aligned on prototypes and gcc errors on them, leave them
in comments to document that these function arguments are require to be
aligned...

about all that changes is movdqa -> movdqu from reading the diff of the
disassembly output...

Noticed by:	symbolics at gmx.com
MFC after:	3 days
2013-11-06 19:14:49 +00:00
jmg
8ec798134a Use the fact that the AES-NI instructions can be pipelined to improve
performance... Use SSE2 instructions for calculating the XTS tweek
factor...  Let the compiler do more work and handle register allocation
by using intrinsics, now only the key schedule is in assembly...

Replace .byte hard coded instructions w/ the proper instructions now
that both clang and gcc support them...

On my machine, pulling the code to userland I saw performance go from
~150MB/sec to 2GB/sec in XTS mode.  GELI on GNOP saw a more modest
increase of about 3x due to other system overhead (geom and
opencrypto)...

These changes allow almost full disk io rate w/ geli...

Reviewed by:	-current, -security
Thanks to:	Mike Hamburg for the XTS tweek algorithm
2013-09-03 18:31:23 +00:00
andre
01fc9682ce Fix const propagation issues to make GCC happy.
Submitted by:	Michael Butler <imb@protected-networks.net>
2013-07-11 16:27:11 +00:00
andre
5c4a796865 SipHash is a cryptographically strong pseudo-random function (a.k.a. keyed
hash function) optimized for speed on short messages returning a 64bit hash/
digest value.

SipHash is simpler and much faster than other secure MACs and competitive
in speed with popular non-cryptographic hash functions.  It uses a 128-bit
key without the hidden cost of a key expansion step.  SipHash iterates a
simple round function consisting of four additions, four xors, and six
rotations, interleaved with xors of message blocks for a pre-defined number
of compression and finalization rounds.  The absence of  secret load/store
addresses or secret branch conditions avoid timing attacks.  No state is
shared between messages.  Hashing is deterministic and doesn't use nonces.
It is not susceptible to length extension attacks.

Target applications include network traffic authentication, message
authentication (MAC) and hash-tables protection against hash-flooding
denial-of-service attacks.

The number of update/finalization rounds is defined during initialization:

 SipHash24_Init() for the fast and reasonable strong version.
 SipHash48_Init() for the strong version (half as fast).

SipHash usage is similar to other hash functions:

 struct SIPHASH_CTX ctx;
 char *k = "16bytes long key"
 char *s = "string";
 uint64_t h = 0;
 SipHash24_Init(&ctx);
 SipHash_SetKey(&ctx, k);
 SipHash_Update(&ctx, s, strlen(s));
 SipHash_Final(&h, &ctx);  /* or */
 h = SipHash_End(&ctx);    /* or */
 h = SipHash24(&ctx, k, s, strlen(s));

It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and
is described in the paper "SipHash: a fast short-input PRF", 2012.09.18:
 https://131002.net/siphash/siphash.pdf
 Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa

Implemented by:	andre (based on the paper)
Reviewed by:	cperciva
2013-07-11 14:18:38 +00:00
delphij
b8b7a65ef6 Sync with KAME.
MFC after:	1 month
2013-07-09 22:04:35 +00:00
rmh
7e76036b6d Allow assert() to operate correctly when building userland code. 2013-07-09 10:27:26 +00:00
pjd
2d6cf6d680 When porting XTS-related code from OpenBSD I forgot to update copyright (only
OpenBSD was credited in one of two commits). Fix it.

Reported by:	Theo de Raadt <deraadt@cvs.openbsd.org>
Reviewed by:	Damien Miller <djm@mindrot.org>
2013-02-20 22:59:53 +00:00
kevlo
ceb08698f2 Revert previous commit...
Pointyhat to:	kevlo (myself)
2012-10-10 08:36:38 +00:00
kevlo
8747a46991 Prefer NULL over 0 for pointers 2012-10-09 08:27:40 +00:00
kib
361bfae5c2 Add support for the extended FPU states on amd64, both for native
64bit and 32bit ABIs.  As a side-effect, it enables AVX on capable
CPUs.

In particular:

- Query the CPU support for XSAVE, list of the supported extensions
  and the required size of FPU save area. The hw.use_xsave tunable is
  provided for disabling XSAVE, and hw.xsave_mask may be used to
  select the enabled extensions.

- Remove the FPU save area from PCB and dynamically allocate the
  (run-time sized) user save area on the top of the kernel stack,
  right above the PCB. Reorganize the thread0 PCB initialization to
  postpone it after BSP is queried for save area size.

- The dumppcb, stoppcbs and susppcbs now do not carry the FPU state as
  well. FPU state is only useful for suspend, where it is saved in
  dynamically allocated suspfpusave area.

- Use XSAVE and XRSTOR to save/restore FPU state, if supported and
  enabled.

- Define new mcontext_t flag _MC_HASFPXSTATE, indicating that
  mcontext_t has a valid pointer to out-of-struct extended FPU
  state. Signal handlers are supplied with stack-allocated fpu
  state. The sigreturn(2) and setcontext(2) syscall honour the flag,
  allowing the signal handlers to inspect and manipilate extended
  state in the interrupted context.

- The getcontext(2) never returns extended state, since there is no
  place in the fixed-sized mcontext_t to place variable-sized save
  area. And, since mcontext_t is embedded into ucontext_t, makes it
  impossible to fix in a reasonable way.  Instead of extending
  getcontext(2) syscall, provide a sysarch(2) facility to query
  extended FPU state.

- Add ptrace(2) support for getting and setting extended state; while
  there, implement missed PT_I386_{GET,SET}XMMREGS for 32bit binaries.

- Change fpu_kern KPI to not expose struct fpu_kern_ctx layout to
  consumers, making it opaque. Internally, struct fpu_kern_ctx now
  contains a space for the extended state. Convert in-kernel consumers
  of fpu_kern KPI both on i386 and amd64.

First version of the support for AVX was submitted by Tim Bird
<tim.bird am sony com> on behalf of Sony. This version was written
from scratch.

Tested by:	pho (previous version), Yamagi Burmeister <lists yamagi org>
MFC after:	1 month
2012-01-21 17:45:27 +00:00
pjd
0c79680192 Update Copyright.
MFC after:	3 days
2011-10-27 14:15:26 +00:00
pjd
d01d35973a Improve AES-NI performance for AES-XTS:
- Operate on uint64_t types when doing XORing, etc. instead of uint8_t.
- Don't bzero() temporary block for every AES block. Do it once for entire
  data block.
- AES-NI is available only on little endian architectures. Simplify code
  that takes block number from IV.

Benchmarks:

Memory-backed md(4) device, software AES-XTS, 4kB sector:

	# dd if=/dev/md0.eli bs=1m
	59.61MB/s

Memory-backed md(4) device, old AES-NI AES-XTS, 4kB sector:

	# dd if=/dev/md0.eli bs=1m
	97.29MB/s

Memory-backed md(4) device, new AES-NI AES-XTS, 4kB sector:

	# dd if=/dev/md0.eli bs=1m
	221.26MB/s

127% performance improvement between old and new code.

Harddisk, raw speed:

	# dd if=/dev/ada0 bs=1m
	137.63MB/s

Harddisk, software AES-XTS, 4kB sector:

	# dd if=/dev/ada0.eli bs=1m
	47.83MB/s (34% of raw disk speed)

Harddisk, old AES-NI AES-XTS, 4kB sector:

	# dd if=/dev/ada0.eli bs=1m
	68.33MB/s (49% of raw disk speed)

Harddisk, new AES-NI AES-XTS, 4kB sector:

	# dd if=/dev/ada0.eli bs=1m
	108.35MB/s (78% of raw disk speed)

58% performance improvement between old and new code.

As a side-note, GELI with AES-NI using AES-CBC can achive native disk speed.

MFC after:	3 days
2011-10-27 14:07:57 +00:00
kib
3ba18a4657 Fix a bug in the result of manual assembly.
Reported by:	Stefan Grundmann <sg2342 googlemail com>
PR:	kern/155118
MFC after:	3 days
2011-03-02 14:56:58 +00:00
brucec
2f4588c022 Make private functions static.
PR:		kern/43611
Submitted by:	Matt Emmerton <matt at gsicomp.on.ca>
Reviewed by:	kib
MFC after:	3 days
2011-02-21 16:21:43 +00:00
kib
1ddadd8390 Remove DEBUG sections.
MFC after:	3 days
2010-11-27 15:41:44 +00:00
kib
b2984c404f MFaesni r215427:
Only save FPU context when not executing in the context of the crypto
thread.

Tested by:	Mike Tancsa
MFC after:	1 week
2010-11-26 14:35:20 +00:00
kib
96d3f81fc8 Only save FPU context when not executing in the context of the crypto
thread.

Tested by:	Mike Tancsa
2010-11-17 16:17:15 +00:00
dim
2cbf038dc7 Change two missed instances of 'retq' in aeskeys_i386.S to 'retl', which
makes it possible to assemble this file with gas from newer binutils.

Reviewed by:	kib
2010-10-13 17:55:53 +00:00
pjd
5afa0ed148 Fix two copy&paste bugs.
MFC after:	2 weeks
2010-09-25 10:32:52 +00:00
pjd
419759c089 Add support for CRYPTO_AES_XTS.
MFC after:	1 week
2010-09-23 11:57:25 +00:00
pjd
7c5b734f64 Add support for CRD_F_KEY_EXPLICIT flag.
MFC after:	1 week
2010-09-23 11:46:53 +00:00
pjd
4c64468739 Simplify code a bit.
MFC after:	1 week
2010-09-23 11:26:38 +00:00
kib
a619846587 Crypto(4) driver for AESNI.
The aeskeys_{amd64,i386}.S content was mostly obtained from OpenBSD,
no objections to the license from core.

Hardware provided by:	Sentex Communications
Tested by:	fabient, pho (previous versions)
MFC after:	1 month
2010-07-23 11:00:46 +00:00
kib
6a41cd83d7 Use the fpu_kern_enter() interface to properly separate usermode FPU
context from in-kernel execution of padlock instructions and to handle
spurious FPUDNA exceptions that sometime are raised when doing padlock
calculations.

Globally mark crypto(9) kthread as using FPU.

Reviewed by:	pjd
Hardware provided by:	Sentex Communications
Tested by:	  pho
PR:    amd64/135014
MFC after:    1 month
2010-06-05 16:00:53 +00:00
vanhu
f484650153 Changed to M_NOWAIT when reallocing psc_buf in padlock_sha_update(),
as we already hold the non sleepable crypto_driver_mutex.

Approved by:	gnn(mentor)
Obtained from:	NETASQ
MFC after:	2 weeks
2009-05-27 09:52:12 +00:00
imp
6388654b8d identify routine takes driver_t *, not device_t *. 2009-02-05 19:30:28 +00:00
jkim
926a84447a Connect padlock(4) to amd64 build for VIA Nano processors. 2009-01-12 19:23:46 +00:00
mav
f702951b49 Avoid 256 integer divisions per rc4_init() call. Replace it with using
separate index variable.

It gives more then double rc4_init() performance increase on tested i386 P4.
It also gives about 15% speedup to PPTP VPN with stateless MPPE encryption
(by ng_mppc) which calls rc4_init() for every packet.
2008-12-16 13:58:37 +00:00
philip
f3d74d62d3 Fix a potential NULL-pointer dereference in padlock(4).
Spotted by:	Coverity (via pjd)
MFC after:	1 week
2008-11-17 19:00:36 +00:00
pjd
dca2fd863d Simplify session selection/allocation. 2008-08-09 20:01:01 +00:00
pjd
c2715b68b6 - Fix freeing session on newsession failure.
- Update copyright years.
2008-08-09 19:48:59 +00:00
pjd
e3f8d38bb0 Implify sessions freeing loop. 2008-08-09 19:47:19 +00:00
pjd
6c7aca77a3 We don't have to drop a lock around malloc(M_NOWAIT). 2008-08-09 19:45:43 +00:00
pjd
c14f239009 When freeing session, restore its ID after zeroing memory.
Bug tracked down by:	Patrick Lamaiziere <patfbsd@davenulle.org>
2008-08-09 19:43:44 +00:00
pjd
1be547932b Sessions in-use are at the end of the queue, so use TAILQ_FOREACH_REVERSE()
when looking for them.

Idea from:	Patrick Lamaiziere <patfbsd@davenulle.org>
2008-08-09 19:42:37 +00:00
pjd
00602e0182 Convert lock that protects sessions list from a mutex to a rwlock.
Now we can use read lock in fast path (padlock_process()).
2008-07-20 07:34:00 +00:00
sobomax
ccb885253e Make test00 compilable again. 2008-01-15 18:34:47 +00:00
gnn
aeca69ded5 Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSEC
option is now deprecated, as well as the KAME IPsec code.
What was FAST_IPSEC is now IPSEC.

Approved by: re
Sponsored by: Secure Computing
2007-07-03 12:13:45 +00:00
gnn
38b76f0623 Integrate the Camellia Block Cipher. For more information see RFC 4132
and its bibliography.

Submitted by:   Tomoyuki Okazaki <okazaki at kick dot gr dot jp>
MFC after:      1 month
2007-05-09 19:37:02 +00:00
sam
f96ba7ffda Overhaul driver/subsystem api's:
o make all crypto drivers have a device_t; pseudo drivers like the s/w
  crypto driver synthesize one
o change the api between the crypto subsystem and drivers to use kobj;
  cryptodev_if.m defines this api
o use the fact that all crypto drivers now have a device_t to add support
  for specifying which of several potential devices to use when doing
  crypto operations
o add new ioctls that allow user apps to select a specific crypto device
  to use (previous ioctls maintained for compatibility)
o overhaul crypto subsystem code to eliminate lots of cruft and hide
  implementation details from drivers
o bring in numerous fixes from Michale Richardson/hifn; mostly for
  795x parts
o add an optional mechanism for mmap'ing the hifn 795x public key h/w
  to user space for use by openssl (not enabled by default)
o update crypto test tools to use new ioctl's and add cmd line options
  to specify a device to use for tests

These changes will also enable much future work on improving the core
crypto subsystem; including proper load balancing and interposing code
between the core and drivers to dispatch small operations to the s/w
driver as appropriate.

These changes were instigated by the work of Michael Richardson.

Reviewed by:	pjd
Approved by:	re
2007-03-21 03:42:51 +00:00
kevlo
94bc2d7409 Initialize T1 to silent gcc warning.
Approved by: cognet
2006-10-22 02:19:33 +00:00
pjd
8277c8e2a4 Less magic.
MFC after:	3 days
2006-09-15 10:44:55 +00:00
kan
6ef43dbb8f GCC 3.4.6 gets confused on this file and produces bogus warning.
Shut it up.
2006-08-26 21:48:00 +00:00
pjd
f422bef855 Remove trailing spaces. 2006-07-28 14:48:30 +00:00
pjd
cea88d1e47 Use existing roundup2() macro.
Suggested by:	njl
2006-07-28 14:46:19 +00:00
pjd
773098d748 Remove redundant check committed by accident. 2006-07-25 20:00:55 +00:00
pjd
054c4a83dd Avoid memory allocations when the given address is already 16 bytes aligned.
Such an address can be used directly in padlock's AES.
This improves speed of geli(8) significantly:

	# sysctl kern.geom.zero.clear=0
	# geli onetime -s 4096 gzero
	# dd if=/dev/gzero.eli of=/dev/null bs=1m count=1000

Before:	113MB/s
After:	203MB/s

BTW. If sector size is set to 128kB, I can read at 276MB/s :)
2006-07-25 19:32:58 +00:00
pjd
90aa974bdf Modify PADLOCK_ALIGN() macro, so when the given address is already 16 bytes
aligned, it will be used directly, not 'address + 16'.
2006-07-25 19:06:54 +00:00
pjd
1bdee6da83 Style fixes. 2006-07-25 19:04:26 +00:00
pjd
90eb685fca Implement support for HMAC/SHA1 and HMAC/SHA256 acceleration found in
new VIA CPUs.
For older CPUs HMAC/SHA1 and HMAC/SHA256 (and others) will still be done
in software.

Move symmetric cryptography (currently only AES-CBC 128/192/256) to
padlock_cipher.c file. Move HMAC cryptography to padlock_hash.c file.

Hardware from:	Centaur Technologies
2006-07-22 16:18:47 +00:00
pjd
361a0884e4 Correct few bzero()s.
MFC after:	3 days
2006-07-22 13:14:11 +00:00
pjd
0495e43729 Set ses_ictx and ses_octx to NULL after freeing them, so we won't free
them twice.
This is possible for example in situation when session is used in
authentication context, then freed and then used in encryption context
and freed - in encryption context ses_ictx and ses_octx are not touched
at newsession time, but padlock_freesession could still try to free them
when they are not NULL.
2006-07-22 10:04:47 +00:00
mr
4af607ffd5 Use the already stored VIA RNG probe information
instead of probing again.
Adjust style(9) somewhat in probe.c

Reviewed by:	pjd
MFC after:	1 week
2006-07-13 09:15:14 +00:00
pjd
e9425270e5 Fix gratuitous compiler warning.
Reported by:	Rong-en Fan <grafan@gmail.com>
2006-06-08 17:40:02 +00:00
pjd
87e654aa04 - Pretend to accelerate various HMAC algorithms, so padlock(4) can be used
with fast_ipsec(4) and geli(8) authentication (comming soon).
  If consumer requests only for HMAC algorithm (without encryption), return
  EINVAL.
- Add support for the CRD_F_KEY_EXPLICIT flag, for both encryption and
  authentication.
2006-06-05 16:22:04 +00:00
pjd
a4071b836a padlock(4) doesn't support explicitly provided keys yet.
Return an error instead of encrypting/decrypting data with a wrong key.
2006-04-20 06:31:44 +00:00
pjd
7f664ed13a On padlock initialization, allocate memory with M_WAITOK. 2006-04-12 12:13:34 +00:00
pjd
352b6c307b Add VIA/ACE "PadLock" support as a crypto(9) driver.
HW donated by:			Mike Tancsa <mike@sentex.net>
Most of the code obtained from:	OpenBSD
MFC after:			3 days
2005-08-18 00:30:22 +00:00
pjd
bb000dd3d5 Assert proper key size also in userland by defining KASSERT in !_KERNEL case. 2005-08-17 07:59:07 +00:00
cperciva
bdfa6fbbb1 Unbreak the world build (in sbin/gbde). This file is used by both
kernel and world, so KASSERT() needs to be wrapped within an #ifdef
_KERNEL / #endif pair.

Reported by:	krion, tinderbox
2005-08-17 00:24:20 +00:00
pjd
372c5a7d07 Check key size for rijndael, as invalid key size can lead to kernel panic.
It checked other algorithms against this bug and it seems they aren't
affected.

Reported by:	Mike Tancsa <mike@sentex.net>
PR:		i386/84860
Reviewed by:	phk, cperciva(x2)
2005-08-16 18:59:00 +00:00
ume
5f96af1a75 gbde(8) is also rejndael user.
Reported by:	phk
2005-03-11 22:07:04 +00:00
ume
5ce7e2e80a just use crypto/rijndael, and nuke opencrypto/rindael.[ch].
the two became almost identical since latest KAME merge.

Discussed with:	sam
2005-03-11 17:24:46 +00:00
ume
8a8b13dab5 integrate rijndael-alg-fst.h into rijndael.h. 2005-03-11 16:26:10 +00:00
ume
73402ef817 stop including rijndael-api-fst.h from rijndael.h.
this is required to integrate opencrypto into crypto.
2005-03-11 15:42:51 +00:00
ume
f61af04d95 sys/crypto/md5.[ch] is used from nowhere. So, just nuke them. 2005-03-11 12:56:15 +00:00
ume
4319b5fb5e refer opencrypto/cast.h directly. 2005-03-11 12:37:07 +00:00
ume
4bc4328cd1 use cast128 in opencrypto to nuke duplicate code. 2005-03-10 11:40:53 +00:00
ru
cec60429bb Start the dreaded NOFOO -> NO_FOO conversion.
OK'ed by:	core
2004-12-21 08:47:35 +00:00
jhb
cc03c9de7d Initiate deorbit burn sequence for 80386 support in FreeBSD: Remove
80386 (I386_CPU) support from the kernel.
2004-11-16 20:42:32 +00:00
ru
5db2b9d5b3 For variables that are only checked with defined(), don't provide
any fake value.
2004-10-24 15:33:08 +00:00
obrien
18012715d9 Use __FBSDID(). 2004-06-14 00:38:54 +00:00
des
b3e7bd9f6b Fix a reentrancy issue in md5_calc(). 2004-01-27 18:57:21 +00:00
ume
88488cca11 avoid module name conflict with opencrypto/rijndael.c.
Reported by:	tinderbox
2003-11-12 04:22:37 +00:00
ume
7755ea7d71 cleanup rijndael API.
since there are naming conflicts with opencrypto, #define was
added to rename functions intend to avoid conflicts.

Obtained from:	KAME
2003-11-11 18:58:54 +00:00
ume
2545ff462c rijndael-alg-fst.[ch]:
- redo updating.

rijndael-api-fst.[ch]:
  - switch to use new low level rijndael api.
  - stop using u8, u16 and u32.
  - space cleanup.

Tested by:	gbde(8) and phk's test program
2003-11-10 10:33:39 +00:00
phk
9f420bf43d Add a testcase which validates that the same buffer can be passed to
rijndael_blockDecrypt() as both input and output.

This property is important because inside rijndael we can get away
with allocating just a 16 byte "work" buffer on the stack (which
is very cheap), whereas the calling code would need to allocate the
full sized buffer, and in all likelyhood would have to do so with
an expensive malloc(9).
2003-10-19 22:12:23 +00:00
ume
8ff2c775d4 - revert to old rijndael code. new rijndael code broke gbde.
- since aes-xcbc-mac and aes-ctr require functions in new
  rijndael code, aes-xcbc-mac and aes-ctr are disabled for now.
2003-10-19 21:28:34 +00:00
ume
3d011c684c Fix alignment problem on 64 bit arch.
I only tested if it doesn't break anything on i368.  Since I
have no 64 bit machine, I cannot test it, actually.

Reported by:	jmallett
2003-10-14 13:37:37 +00:00
ume
a89e9b5e91 use BF_ecb_encrypt().
Obtained from:	KAME
2003-10-13 19:26:08 +00:00
ume
dc45666132 simplify and update rijndael code.
Obtained from:	KAME
2003-10-12 21:05:05 +00:00
ume
b436e75e9a use opencrypto for RMD160.
Requested by:	sam
2003-10-12 18:25:38 +00:00
ume
329da09a2a drop useless define. 2003-10-12 14:47:24 +00:00
ume
d56603d9be use bswap32() for big endian arch.
Reported by:	tinderbox via kris
2003-10-12 14:32:13 +00:00
ume
f1d14cc455 RIPEMD160 support
Obtained from:	KAME
2003-10-12 09:43:48 +00:00
ume
8df937af7e switch cast128 implementation to implementation by Steve Reid;
smaller footprint.

Obtained from:	KAME
2003-10-10 15:06:16 +00:00
ume
d850f73361 one more opossite conditiion.
Reported by:	"lg" <zevlg@yandex.ru>
2003-09-18 17:26:56 +00:00
ume
c724a09a95 condition of padLen check was opposite.
Reported by:	"lg" <zevlg@yandex.ru>
Reviewed by:	Lev Walkin <vlm@netli.com>
2003-09-17 08:51:43 +00:00
phk
1456ca5b58 Correctly bzero the entire context, not just the first sizeof(void *) bytes.
Found by:	Juergen Buchmueller <pullmoll@stop1984.com>
2003-09-08 18:32:33 +00:00
obrien
349c6025d0 Use __FBSDID(). 2003-06-10 21:44:29 +00:00
obrien
4054bc5e58 Assembly files put thru the C preprocessor need to have C style comments. 2003-04-21 16:30:12 +00:00