Up to [cvs.NetBSD.org] / src / sys / crypto / sodium
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
Pull up following revision(s) (requested by riastradh in ticket #933): sys/external/isc/libsodium/src/sodium_module.c: revision 1.2 sys/external/isc/libsodium/include/core.h: revision 1.2 sys/external/isc/libsodium/include/stdlib.h: revision 1.2 sys/modules/sodium/Makefile.sodmod: revision 1.4 sys/external/isc/libsodium/include/crypto_verify_16.h: revision 1.2 sys/external/isc/libsodium/include/errno.h: file removal sys/crypto/sodium/sodium_selftest.h: revision 1.1 sys/external/isc/libsodium/include/stdint.h: revision 1.2 sys/crypto/sodium/sodium_selftest.h: revision 1.2 sys/external/isc/libsodium/include/assert.h: file removal sys/external/isc/libsodium/conf/files.libsodium: revision 1.7 sys/rump/kern/lib/libcrypto/Makefile: revision 1.24 sys/external/isc/libsodium/src/sodium_selftest.c: revision 1.1 sys/external/isc/libsodium/src/sodium_selftest.c: revision 1.2 sys/external/isc/libsodium/include/string.h: revision 1.2 sys/crypto/sodium: Add a self-test for IETF ChaCha20/Poly1305 AEAD. PR kern/58468 sys/crypto/sodium: Fill out crypto_verify_16 stub. Without this change, libsodium silently accepts forgeries. This one's a doozy, and it's a sobering reminder that: (a) wg(4) is still experimental (only user of libsodium in kernel; both are available only through default-off optional modules). (b) Known-answer test vectors are critical, including negative tests (test that forgeries are rejected), and must be mandatory for all new crypto code -- and should be added to old crypto code too. (c) Crypto code must also have self-tests that run in the same environment, not just the same code in a different build or test environment -- the libsodium code itself is fine, but we built it differently and need to exercise it differently from upstream's automatic tests. It's my fault for not catching this earlier. What happened is: 1. ozaki-r@ adapted libsodium to build in the kernel with various glue to build code meant for standard userland C, like errno.h and string.h. 2. Since libsodium's crypto_verify_16.c uses various SIMD intrinsics on various architectures, it couldn't be used directly in the kernel build, because -- at the time -- we hadn't wired up any header files for SIMD intrinsics or any runtime support for saving and restoring SIMD state appropriately in the kernel. 3. ozaki-r@ put a similar glue header file crypto_verify_16.h to override libsodium's, with a stub to be implemented later, and presumably forgot to remind me about it. 4. I missed the stub in crypto_verify_16.h when reviewing the libsodium import and wg(4) code because it was in the same directory as various other simple glue code that I deemed low-risk. (I did make one change to that glue code, to replace cprng_fast by cprng_strong, but I suspect I found that by searching for cprng_fast users rather than by reviewing this code.) 5. I broke my own rule about always having known-answer test vectors for crypto code because I figured libsodium was well-enough exercised that we could skimp on it for now, and my focus was more on the state machine and synchronization logic than on the crypto. 6. I had not yet written known-answer test vectors for the higher-level wg(4) protocol messages. Before we can remove the `experimental' tag from wg(4) we will need to (among other things): i. Write self-tests for the rest of (what we use from) libsodium. ii. Write extensive known-answer test vectors for all the wg(4) protocol messages (and ideally state machine transitions). iii. Write self-tests for a reasonable subset of the wg(4) KATs. iv. Review all of the libsodium glue code I neglected to review. PR kern/58468 sys/crypto/sodium: Simplify string.h stub. Not sure of any particular problem with the previous stub, but let's make sure to use the same prototypes for memset/memcpy/memmove as everything else in the kernel. PR kern/58468 sys/crypto/sodium: Nix unused assert.h stub. Maybe this was a vestige of an earlier draft of the libsodium import, but it doesn't appear to be needed now by any libsodium files we use. PR kern/58468 sys/crypto/sodium: Nix risky defines from core.h stub. These are risky not because they might cause crypto flaws, but because they might cause usage of the SIMD unit in the kernel along paths where we haven't made it safe. That said -- no change to the amd64 module .o and .kmod files, so this doesn't currently make a difference; it's just risky to have around in case we later include other parts of libsodium that it does affect, like the Salsa20 code. PR kern/58468 sys/crypto/sodium: Nix unused errno.h. Maybe this was a vestige of an earlier draft of the libsodium import, but it doesn't appear to be needed now by any libsodium files we use. PR kern/58468 sys/crypto/sodium: Simplify stdint.h stub. No change to the .o or .kmod files; just the .d make dependency files change. PR kern/58468 sys/crypto/sodium: Tighten stdlib.h glue. 1. Make sure nothing uses malloc and free. All of the routines we need should work in fixed-size, caller-allocated buffers and reasonable stack space. 2. Make panic message for abort() stub clearer. There are calls to it, but they imply internal errors inside libsodium which should not happen unless there is an unrecoverable software bug in libsodium. PR kern/58468 sys/crypto/sodium: Add self-test for XChaCha20/Poly1305 AEAD. PR kern/58468
file sodium_selftest.h was added on branch netbsd-10 on 2024-10-09 10:49:04 +0000
sys/crypto/sodium: Add self-test for XChaCha20/Poly1305 AEAD. PR kern/58468
sys/crypto/sodium: Add a self-test for IETF ChaCha20/Poly1305 AEAD. PR kern/58468