6f49f5cd se Oct. 6, 2021, 9:27 p.m.
This update fixes a parser issue, which in special situations could
reject syntactically correct if statements.
ac847dbf jhb Oct. 6, 2021, 9:09 p.m.
Sponsored by:	The FreeBSD Foundation
42dcd395 jhb Oct. 6, 2021, 9:08 p.m.
This is useful for WireGuard which uses a nonce of 8 bytes rather
than the 12 bytes used for IPsec and TLS.

Note that this also fixes a (should be) harmless bug in ossl(4) where
the counter was incorrectly treated as a 64-bit counter instead of a
32-bit counter in terms of wrapping when using a 12 byte nonce.
However, this required a single message (TLS record) longer than 64 *
(2^32 - 1) bytes (about 256 GB) to trigger.

Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32122
668770dc jhb Oct. 6, 2021, 9:08 p.m.
Previously, only test vectors which used the default nonce and tag
sizes (12 and 16, respectively) were tested.  This now tests all of
the vectors.  This exposed some additional issues around requests with
an empty payload (which wasn't supported) and an empty AAD (which
falls back to CIOCCRYPT instead of CIOCCRYPTAEAD).

- Make use of the 'ivlen' and 'maclen' fields for CIOGSESSION2 to
  test AES-CCM vectors with non-default nonce and tag lengths.

- Permit requests with an empty payload.

- Permit an input MAC for requests without AAD.

Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32121
4361c4eb jhb Oct. 6, 2021, 9:08 p.m.
The tag length is included as one of the values in the flags byte of
block 0 passed to CBC_MAC, so merely copying the first N bytes is
insufficient.

To avoid adding more sideband data to the CBC MAC software context,
pull the generation of block 0, the AAD length, and AAD padding out of
cbc_mac.c and into cryptosoft.c.  This matches how GCM/GMAC are
handled where the length block is constructed in cryptosoft.c and
passed as an input to the Update callback.  As a result, the CBC MAC
Update() routine is now much simpler and simply performs the
XOR-and-encrypt step on each input block.

While here, avoid a copy to the staging block in the Update routine
when one or more full blocks are passed as input to the Update
callback.

Reviewed by:	sef
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32120
366ae4a0 jhb Oct. 6, 2021, 9:08 p.m.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32119
2ec2e4df jhb Oct. 6, 2021, 9:08 p.m.
Reviewed by:	markj
Sponsored by:	Chelsio Communications, The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32118
e148e407 jhb Oct. 6, 2021, 9:08 p.m.
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D32117
3e6a97b3 jhb Oct. 6, 2021, 9:08 p.m.
Sponsored by:	Chelsio Communications, The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32116
655eb762 jhb Oct. 6, 2021, 9:08 p.m.
Reviewed by:	sef
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32115
c09c379c jhb Oct. 6, 2021, 9:08 p.m.
Reviewed by:	sef
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32114
d718c2d3 jhb Oct. 6, 2021, 9:08 p.m.
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32113
8e6af6ad jhb Oct. 6, 2021, 9:08 p.m.
Reviewed by:	sef
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32112
ae18720d jhb Oct. 6, 2021, 9:08 p.m.
Permit nonces of lengths 7 through 13 in the OCF framework and the
cryptosoft driver.  A helper function (ccm_max_payload_length) can be
used in OCF drivers to reject CCM requests which are too large for the
specified nonce length.

Reviewed by:	sef
Sponsored by:	Chelsio Communications, The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32111
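
The block 0 layout and per-nonce payload limit that commits 4361c4eb and ae18720d refer to, as an added example that is not FreeBSD's code. The names `example_ccm_block0` and `example_ccm_max_payload` are hypothetical, the layout follows RFC 3610, and the nonce in `main` is that RFC's packet vector #1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest payload the CCM length field can encode; 0 for an invalid nonce. */
static uint64_t
example_ccm_max_payload(unsigned nonce_len)
{
	unsigned L;
	if (nonce_len < 7 || nonce_len > 13)
		return (0);
	L = 15 - nonce_len;	/* width of the length field: 2..8 bytes */
	return (L >= 8 ? UINT64_MAX : (UINT64_C(1) << (8 * L)) - 1);
}

/* Build CCM block 0. Returns 0, or -1 if the parameters are invalid. */
static int
example_ccm_block0(uint8_t b0[16], const uint8_t *nonce, unsigned nonce_len,
    unsigned tag_len, int have_aad, uint64_t payload_len)
{
	unsigned i, L;
	if (nonce_len < 7 || nonce_len > 13)
		return (-1);
	if (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0)
		return (-1);
	if (payload_len > example_ccm_max_payload(nonce_len))
		return (-1);	/* request too large for this nonce length */
	L = 15 - nonce_len;
	/* Flags: bit 6 = AAD present, bits 5..3 = (tag_len - 2) / 2, bits 2..0 = L - 1 */
	b0[0] = (uint8_t)((have_aad ? 0x40 : 0) | (((tag_len - 2) / 2) << 3) | (L - 1));
	memcpy(&b0[1], nonce, nonce_len);
	for (i = 0; i < L; i++) {	/* big-endian payload length in the last L bytes */
		b0[15 - i] = (uint8_t)payload_len;
		payload_len >>= 8;
	}
	return (0);
}

int
main(void)
{
	const uint8_t nonce[13] = { 0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00,
	    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5 };	/* RFC 3610 packet vector #1 */
	uint8_t b0[16];
	for (unsigned t = 8; t <= 16; t += 8)	/* same message, two tag lengths */
		if (example_ccm_block0(b0, nonce, 13, t, 1, 23) == 0)
			printf("tag_len %2u -> flags byte 0x%02x\n", t, b0[0]);
	return (0);
}
```

Because the flags byte differs between the two tag lengths, the CBC-MAC input differs from its first block onward, so a shorter tag is not a prefix of the longer one.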
bcb0fd6a jhb Oct. 6, 2021, 9:08 p.m.
By default, the "normal" IV size (12) is used, but it can be overridden
via -I.  If -I is not specified and -z is specified, issue requests
for all possible IV sizes.

Reviewed by:	markj
Sponsored by:	Chelsio Communications, The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32110