History log of /src/sys/dev/cgd_crypto.c
Revision | Date | Author | Comments
1.27 | 25-Jul-2020 | riastradh | Split aes_cbc_* and aes_xts_* into their own header files.
aes.h will remain just for key setup; any particular construction using AES can have its own header file so we can have many of them without rebuilding everything AES-related whenever one of them changes.
(Planning to add AES-CCM and AES-GCM too.)
1.26 | 29-Jun-2020 | riastradh | New cgd cipher adiantum.
Adiantum is a wide-block cipher, built out of AES, XChaCha12, Poly1305, and NH, defined in
Paul Crowley and Eric Biggers, `Adiantum: length-preserving encryption for entry-level processors', IACR Transactions on Symmetric Cryptology 2018(4), pp. 39--61.
Adiantum provides better security than a narrow-block cipher with CBC or XTS, because every bit of each sector affects every other bit, whereas with CBC each block of plaintext only affects the following blocks of ciphertext in the disk sector, and with XTS each block of plaintext only affects its own block of ciphertext and nothing else.
Adiantum generally provides much better performance than constant-time AES-CBC or AES-XTS software do without hardware support, and performance comparable to or better than the variable-time (i.e., leaky) AES-CBC and AES-XTS software we had before. (Note: Adiantum also uses AES as a subroutine, but only once per disk sector. It takes only a small fraction of the time spent by Adiantum, so there's relatively little performance impact to using constant-time AES software over using variable-time AES software for it.)
Adiantum naturally scales to essentially arbitrary disk sector sizes; sizes >=1024-bytes take the most advantage of Adiantum's design for performance, so 4096-byte sectors would be a natural choice if we taught cgd to change the disk sector size. (However, it's a different cipher for each disk sector size, so it _must_ be a cgd parameter.)
The paper presents a similar construction HPolyC. The salient difference is that HPolyC uses Poly1305 directly, whereas Adiantum uses Poly1305(NH(...)). NH is annoying because it requires a 1072-byte key, which means the test vectors are ginormous, and changing keys is costly; HPolyC avoids these shortcomings by using Poly1305 directly, but HPolyC is measurably slower, costing about 1.5x what Adiantum costs on 4096-byte sectors.
For the purposes of cgd, we will reuse each key for many messages, and there will be very few keys in total (one per cgd volume) so -- except for the annoying verbosity of test vectors -- the tradeoff weighs in the favour of Adiantum, especially if we teach cgd to do >>512-byte sectors.
For now, everything that Adiantum needs beyond what's already in the kernel is gathered into a single file, including NH, Poly1305, and XChaCha12. We can split those out -- and reuse them, and provide MD tuned implementations, and so on -- as needed; this is just a first pass to get Adiantum implemented for experimentation.
1.25 | 29-Jun-2020 | riastradh | cgd(4): Align IVs on the stack.
This will make it easier for some hardware crypto support.

1.24 | 29-Jun-2020 | riastradh | cgd(4): Switch from legacy rijndael API to new aes API.

1.23 | 13-Jun-2020 | riastradh | Eliminate uio indirection for cgd crypto.
We don't actually use it, and we only ever used it kludgily in the CBC encryption direction in the past anyway.

1.22 | 13-Jun-2020 | riastradh | Shrink AES-XTS state by 280 bytes.

1.21 | 13-Jun-2020 | riastradh | Convert malloc -> kmem.

1.20 | 13-Jun-2020 | riastradh | Remove obsolete comment -- AES block size is always 128.

1.19 | 13-Jun-2020 | riastradh | Tidy up includes.

1.18 | 13-Jun-2020 | riastradh | Fold `cipher prep' into `cipher' in cgd.
Simplify some logic along the way and u_int*_t -> uint*_t.

1.17 | 14-Dec-2019 | riastradh | Just use KASSERTMSG and panic. No need for custom wrappers.

1.16 | 26-Sep-2019 | gutteridge | cgd_crypto.c: fix minor typo in comment
1.15 | 02-Jan-2017 | alnsn | branches: 1.15.16; Replace numeric block sizes with symbolic names.
No functional change. Requested by mrg a couple of months ago.
1.14 | 11-Dec-2016 | alnsn | Add XTS mode to cgd(4).

1.13 | 25-Apr-2015 | riastradh | branches: 1.13.2; Sprinkle const into cgd crypto API.

1.12 | 24-Jun-2013 | riastradh | branches: 1.12.10; Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset.
consttime_memequal is the same as the old consttime_bcmp. explicit_memset is to memset as explicit_bzero was to bcmp.
Passes amd64 release and i386/ALL, but I'm sure I missed some spots, so please let me know.

1.11 | 05-Dec-2012 | christos | add cgdconfig -l like vnconfig -l
1.10 | 30-Aug-2012 | drochner | branches: 1.10.2; Add "consttime_bcmp" and "explicit_bzero" functions for both kernel and userland, as proposed on tech-security, with explicit_bzero using a volatile function pointer as suggested by Alan Barrett. Both do what the name says. For userland, both are prefixed by "__" to keep them out of the user namespace. Change some memset/memcmp uses to the new functions where it makes sense -- these are just some examples, more to come.
1.9 | 28-Apr-2008 | martin | branches: 1.9.34; Remove clause 3 and 4 from TNF licenses

1.8 | 15-Dec-2007 | perry | branches: 1.8.6; 1.8.8; 1.8.10; __FUNCTION__ -> __func__

1.7 | 21-Jan-2007 | cbiere | branches: 1.7.20; 1.7.28; 1.7.32; Added const-qualifiers.
1.6 | 01-Dec-2006 | christos |
- remove size check; the init functions do it.
- fix size_t/int confusion
- caddr_t -> void *
1.5 | 11-Dec-2005 | christos | branches: 1.5.20; 1.5.22; merge ktrace-lwp.

1.4 | 19-Mar-2005 | dan | branches: 1.4.2; clear freed memory
1.3 | 18-Mar-2004 | dan | branches: 1.3.2; 1.3.6; 1.3.8; 1.3.10; 1.3.14; Fix a longstanding bug in key-handling for the blowfish cipher.
This is an incompatible change, and will break all existing cgd images encrypted with blowfish. Users will need to dump their data before booting a kernel with this change, and recreate cgd's and restore data afterwards.
I believe this affects a very small number of users other than myself; indeed after several alert mails in an attempt to find them, only 2 such users have come forward. They have both agreed the requirement for backwards compatibility does not warrant the effort nor the mess in the code. This code does exist, if it should later prove to be needed, but will not be in the tree.
Further, by the nature of the issue, I have strong reasons to believe that, even if they missed these mails, there would be few other users of blowfish who update their systems with any regularity; any such users would have tripped over the problem in the same way I did when it was first found over a year ago.
The problem stems from two issues with the underlying blowfish encryption routines used by cgd:
- they take key length arguments counted in bytes, rather than bits like all the other ciphers.
- they silently truncate any keys longer than an internal limit, rather than returning an error (which would have exposed the previous discrepancy immediately).
As a result, the kernel reads too much data as the key from cgdconfig, and then truncates most of it. This can easily be demonstrated/tested. Currently, Blowfish users will find that if they mis-enter the cgd passphrase on the first attempt, when validation fails and cgdconfig prompts for the passphrase again, the cgd will not correctly configure even when given a correct passphrase.
1.2 | 31-Mar-2003 | elric | branches: 1.2.2; Removed some debugging printfs that made it into the tree.

1.1 | 04-Oct-2002 | elric | branches: 1.1.2; The CryptoGraphic Disk Driver.

1.1.2.2 | 18-Oct-2002 | nathanw | Catch up to -current.

1.1.2.1 | 04-Oct-2002 | nathanw | file cgd_crypto.c was added on branch nathanw_sa on 2002-10-18 02:41:27 +0000

1.2.2.4 | 01-Apr-2005 | skrll | Sync with HEAD.

1.2.2.3 | 21-Sep-2004 | skrll | Fix the sync with head I botched.

1.2.2.2 | 18-Sep-2004 | skrll | Sync with HEAD.

1.2.2.1 | 03-Aug-2004 | skrll | Sync with HEAD

1.3.14.1 | 19-Mar-2005 | tron | Pull up revision 1.4 (requested by dan in ticket #26): clear freed memory

1.3.10.1 | 26-Mar-2005 | yamt | sync with head.

1.3.8.1 | 29-Apr-2005 | kent | sync with -current

1.3.6.1 | 20-Mar-2005 | tron | Pull up revision 1.4 (requested by dan in ticket #1343): clear freed memory

1.3.2.1 | 20-Mar-2005 | tron | Pull up revision 1.4 (requested by dan in ticket #1343): clear freed memory
1.4.2.3 | 21-Jan-2008 | yamt | sync with head

1.4.2.2 | 26-Feb-2007 | yamt | sync with head.

1.4.2.1 | 30-Dec-2006 | yamt | sync with head.

1.5.22.1 | 10-Dec-2006 | yamt | sync with head.

1.5.20.2 | 01-Feb-2007 | ad | Sync with head.

1.5.20.1 | 12-Jan-2007 | ad | Sync with head.

1.7.32.1 | 02-Jan-2008 | bouyer | Sync with HEAD

1.7.28.1 | 26-Dec-2007 | ad | Sync with head.

1.7.20.1 | 09-Jan-2008 | matt | sync with HEAD

1.8.10.1 | 16-May-2008 | yamt | sync with head.

1.8.8.1 | 18-May-2008 | yamt | sync with head.

1.8.6.1 | 02-Jun-2008 | mjf | Sync with HEAD.
1.9.34.3 | 22-May-2014 | yamt | sync with head.
for a reference, the tree before this commit was tagged as yamt-pagecache-tag8.
this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments")
1.9.34.2 | 16-Jan-2013 | yamt | sync with (a bit old) head

1.9.34.1 | 30-Oct-2012 | yamt | sync with head

1.10.2.3 | 03-Dec-2017 | jdolecek | update from HEAD

1.10.2.2 | 20-Aug-2014 | tls | Rebase to HEAD as of a few days ago.

1.10.2.1 | 25-Feb-2013 | tls | resync with head

1.12.10.2 | 05-Feb-2017 | skrll | Sync with HEAD

1.12.10.1 | 06-Jun-2015 | skrll | Sync with HEAD

1.13.2.1 | 07-Jan-2017 | pgoyette | Sync with HEAD. (Note that most of these changes are simply $NetBSD$ tag issues.)
1.15.16.2 | 13-Apr-2020 | martin | Mostly merge changes from HEAD up to 20200411

1.15.16.1 | 08-Apr-2020 | martin | Merge changes from current as of 20200406