The NetBSD Project

CVS log for src/tests/dev/cgd/Makefile

[BACK] Up to [cvs.NetBSD.org] / src / tests / dev / cgd

Request diff between arbitrary revisions


Default branch: MAIN
Current tag: MAIN


Revision 1.11 / (download) - annotate - [select for diffs], Mon Jun 29 23:44:01 2020 UTC (5 months ago) by riastradh
Branch: MAIN
CVS Tags: HEAD
Changes since 1.10: +5 -2 lines
Diff to previous 1.10 (colored)

New cgd cipher adiantum.

Adiantum is a wide-block cipher, built out of AES, XChaCha12,
Poly1305, and NH, defined in

   Paul Crowley and Eric Biggers, `Adiantum: length-preserving
   encryption for entry-level processors', IACR Transactions on
   Symmetric Cryptology 2018(4), pp. 39--61.

Adiantum provides better security than a narrow-block cipher with CBC
or XTS, because every bit of each sector affects every other bit,
whereas with CBC each block of plaintext only affects the following
blocks of ciphertext in the disk sector, and with XTS each block of
plaintext only affects its own block of ciphertext and nothing else.

Adiantum generally provides much better performance than
constant-time AES-CBC or AES-XTS software do without hardware
support, and performance comparable to or better than the
variable-time (i.e., leaky) AES-CBC and AES-XTS software we had
before.  (Note: Adiantum also uses AES as a subroutine, but only once
per disk sector.  It takes only a small fraction of the time spent by
Adiantum, so there's relatively little performance impact to using
constant-time AES software over using variable-time AES software for
it.)

Adiantum naturally scales to essentially arbitrary disk sector sizes;
sizes >=1024-bytes take the most advantage of Adiantum's design for
performance, so 4096-byte sectors would be a natural choice if we
taught cgd to change the disk sector size.  (However, it's a
different cipher for each disk sector size, so it _must_ be a cgd
parameter.)

The paper presents a similar construction HPolyC.  The salient
difference is that HPolyC uses Poly1305 directly, whereas Adiantum
uses Poly1395(NH(...)).  NH is annoying because it requires a
1072-byte key, which means the test vectors are ginormous, and
changing keys is costly; HPolyC avoids these shortcomings by using
Poly1305 directly, but HPolyC is measurably slower, costing about
1.5x what Adiantum costs on 4096-byte sectors.

For the purposes of cgd, we will reuse each key for many messages,
and there will be very few keys in total (one per cgd volume) so --
except for the annoying verbosity of test vectors -- the tradeoff
weighs in the favour of Adiantum, especially if we teach cgd to do
>>512-byte sectors.

For now, everything that Adiantum needs beyond what's already in the
kernel is gathered into a single file, including NH, Poly1305, and
XChaCha12.  We can split those out -- and reuse them, and provide MD
tuned implementations, and so on -- as needed; this is just a first
pass to get Adiantum implemented for experimentation.

Revision 1.10 / (download) - annotate - [select for diffs], Sun Mar 1 18:08:12 2020 UTC (9 months ago) by christos
Branch: MAIN
CVS Tags: phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, is-mlppp-base, is-mlppp
Changes since 1.9: +3 -6 lines
Diff to previous 1.9 (colored)

Centralize the base rump libraries into a variable used by all the other
Makefiles so that we can make changes to it centrally as needed and have
less mess. Fixes the sun2 build that needs rumpvfs after librump after
the latest changes.

Revision 1.9 / (download) - annotate - [select for diffs], Sun Mar 1 17:06:26 2020 UTC (9 months ago) by christos
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)

librump depends on vfs so add a dependency on for sun2.

Revision 1.8 / (download) - annotate - [select for diffs], Sun May 21 15:28:42 2017 UTC (3 years, 6 months ago) by riastradh
Branch: MAIN
CVS Tags: phil-wifi-base, phil-wifi-20191119, phil-wifi-20190609, pgoyette-compat-merge-20190127, pgoyette-compat-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315, pgoyette-compat, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-9-base, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-9, netbsd-8-base, netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, netbsd-8, matt-nb8-mediatek-base, matt-nb8-mediatek
Branch point for: phil-wifi
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

Remove MKCRYPTO option.

Originally, MKCRYPTO was introduced because the United States
classified cryptography as a munition and restricted its export.  The
export controls were substantially relaxed fifteen years ago, and are
essentially irrelevant for software with published source code.

In the intervening time, nobody bothered to remove the option after
its motivation -- the US export restriction -- was eliminated.  I'm
not aware of any other operating system that has a similar option; I
expect it is mainly out of apathy for churn that we still have it.
Today, cryptography is an essential part of modern computing -- you
can't use the internet responsibly without cryptography.

The position of the TNF board of directors is that TNF makes no
representation that MKCRYPTO=no satisfies any country's cryptography
regulations.

My personal position is that the availability of cryptography is a
basic human right; that any local laws restricting it to a privileged
few are fundamentally immoral; and that it is wrong for developers to
spend effort crippling cryptography to work around such laws.

As proposed on tech-crypto, tech-security, and tech-userlevel to no
objections:

https://mail-index.netbsd.org/tech-crypto/2017/05/06/msg000719.html
https://mail-index.netbsd.org/tech-security/2017/05/06/msg000928.html
https://mail-index.netbsd.org/tech-userlevel/2017/05/06/msg010547.html

P.S.  Reviewing all the uses of MKCRYPTO in src revealed a lot of
*bad* crypto that was conditional on it, e.g. DES in telnet...  That
should probably be removed too, but on the grounds that it is bad,
not on the grounds that it is (nominally) crypto.

Revision 1.7 / (download) - annotate - [select for diffs], Fri Nov 11 07:39:58 2016 UTC (4 years ago) by alnsn
Branch: MAIN
CVS Tags: prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)

Add 3des-cbc tests with 192 bits key.

Revision 1.6 / (download) - annotate - [select for diffs], Thu Nov 10 23:44:36 2016 UTC (4 years ago) by alnsn
Branch: MAIN
Changes since 1.5: +3 -3 lines
Diff to previous 1.5 (colored)

Add blowfish-cbc tests for 128, 256 and 448 bits keys.

Revision 1.5 / (download) - annotate - [select for diffs], Mon Nov 7 16:33:37 2016 UTC (4 years ago) by scole
Branch: MAIN
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored)

Only build t_cgd_aes if MKCRYPTO==yes and MKRUMP==yes.

Revision 1.4 / (download) - annotate - [select for diffs], Sun Nov 6 21:29:54 2016 UTC (4 years ago) by alnsn
Branch: MAIN
Changes since 1.3: +5 -3 lines
Diff to previous 1.3 (colored)

Don't build t_cgd_aes if ${MKCRYPTO} == "no".

Revision 1.3 / (download) - annotate - [select for diffs], Sun Nov 6 10:54:42 2016 UTC (4 years ago) by alnsn
Branch: MAIN
Changes since 1.2: +11 -1 lines
Diff to previous 1.2 (colored)

Add tests for not-yet-committed cgd algorithm AES-XTS.

The tests are marked as expected failures.

Revision 1.2 / (download) - annotate - [select for diffs], Tue Dec 14 17:48:31 2010 UTC (9 years, 11 months ago) by pooka
Branch: MAIN
CVS Tags: yamt-pagecache-tag8, yamt-pagecache-base9, yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, yamt-pagecache, tls-maxphys-base, tls-maxphys, tls-earlyentropy-base, tls-earlyentropy, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, pgoyette-localcount-base, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-1, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, netbsd-6-0, netbsd-6, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, matt-mips64-premerge-20101231, localcount-20160914, cherry-xenmp-base, cherry-xenmp, bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2, agc-symver-base, agc-symver
Branch point for: pgoyette-localcount
Changes since 1.1: +3 -9 lines
Diff to previous 1.1 (colored)

Retire the old C helper in h_img2cgd since we can now write everything
with a shellscript in terms of rump.cgdconfig and dd.

Revision 1.1 / (download) - annotate - [select for diffs], Thu Nov 11 22:38:47 2010 UTC (10 years ago) by pooka
Branch: MAIN

Add rudimentary cgd tests.  The tests use cgd to transform a
plaintext into into an encrypted image and back into plaintext by
doing rump I/O on /dev/cgd.  There is one test to check that giving
the same password for both encryption and decryption produces the
same plaintext and another to check that giving a different passwords
does not produce the same plaintext.

This could be fairly easily extended to test all feature of cgd
(hint hint).  For example, now cgd.conf is included in cvs, but
the only reason for that is that without further hacking cgdconfig
uses /dev/random quality random to generate the salt for a
pkcsetcetc_kdf2 cgconfig -g, and making an automated test block on
the entropy pool is just not good form.  Details are everything.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>