Re: svn commit: r295134 - head/sys/kgssapi/krb5

2016-02-02 Thread Alan Somers 
On Mon, Feb 1, 2016 at 5:14 PM, Conrad E. Meyer  wrote:
> Author: cem
> Date: Tue Feb  2 00:14:51 2016
> New Revision: 295134
> URL: https://svnweb.freebsd.org/changeset/base/295134
>
> Log:
>   kcrypto_aes: Use separate sessions for AES and SHA1
>
>   Some hardware supports AES acceleration but not SHA1, e.g., AES-NI
>   extensions.  It is useful to have accelerated AES even if SHA1 must be
>   software.
>
>   Suggested by: asomers
>   Reviewed by:  asomers, dfr
>   Sponsored by: EMC / Isilon Storage Division
>   Differential Revision:https://reviews.freebsd.org/D5146
>
> Modified:
>   head/sys/kgssapi/krb5/kcrypto_aes.c

Thanks for doing this, Conrad.  Could you also please MFC it once
stable/10 thaws?
___
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Re: svn commit: r295134 - head/sys/kgssapi/krb5

2016-02-02 Thread Conrad Meyer 
On Tue, Feb 2, 2016 at 10:21 AM, Alan Somers  wrote:
> On Mon, Feb 1, 2016 at 5:14 PM, Conrad E. Meyer  wrote:
>> URL: https://svnweb.freebsd.org/changeset/base/295134
>>
>> Log:
>>   kcrypto_aes: Use separate sessions for AES and SHA1
>
> Thanks for doing this, Conrad.  Could you also please MFC it once
> stable/10 thaws?

Sorry, I don't do stable branches.  If you would like to MFC it to 10,
please go ahead.

Best,
Conrad
___
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

svn commit: r295134 - head/sys/kgssapi/krb5

2016-02-01 Thread Conrad E. Meyer 
Author: cem
Date: Tue Feb  2 00:14:51 2016
New Revision: 295134
URL: https://svnweb.freebsd.org/changeset/base/295134

Log:
  kcrypto_aes: Use separate sessions for AES and SHA1
  
  Some hardware supports AES acceleration but not SHA1, e.g., AES-NI
  extensions.  It is useful to have accelerated AES even if SHA1 must be
  software.
  
  Suggested by: asomers
  Reviewed by:  asomers, dfr
  Sponsored by: EMC / Isilon Storage Division
  Differential Revision:https://reviews.freebsd.org/D5146

Modified:
  head/sys/kgssapi/krb5/kcrypto_aes.c

Modified: head/sys/kgssapi/krb5/kcrypto_aes.c
==
--- head/sys/kgssapi/krb5/kcrypto_aes.c Mon Feb  1 23:51:30 2016
(r295133)
+++ head/sys/kgssapi/krb5/kcrypto_aes.c Tue Feb  2 00:14:51 2016
(r295134)
@@ -43,7 +43,8 @@ __FBSDID("$FreeBSD$");
 
 struct aes_state {
struct mtx  as_lock;
-   uint64_tas_session;
+   uint64_tas_session_aes;
+   uint64_tas_session_sha1;
 };
 
 static void
@@ -61,8 +62,10 @@ aes_destroy(struct krb5_key_state *ks)
 {
struct aes_state *as = ks->ks_priv;
 
-   if (as->as_session)
-   crypto_freesession(as->as_session);
+   if (as->as_session_aes != 0)
+   crypto_freesession(as->as_session_aes);
+   if (as->as_session_sha1 != 0)
+   crypto_freesession(as->as_session_sha1);
mtx_destroy(>as_lock);
free(ks->ks_priv, M_GSSAPI);
 }
@@ -72,32 +75,35 @@ aes_set_key(struct krb5_key_state *ks, c
 {
void *kp = ks->ks_key;
struct aes_state *as = ks->ks_priv;
-   struct cryptoini cri[2];
+   struct cryptoini cri;
 
if (kp != in)
bcopy(in, kp, ks->ks_class->ec_keylen);
 
-   if (as->as_session)
-   crypto_freesession(as->as_session);
-
-   bzero(cri, sizeof(cri));
+   if (as->as_session_aes != 0)
+   crypto_freesession(as->as_session_aes);
+   if (as->as_session_sha1 != 0)
+   crypto_freesession(as->as_session_sha1);
 
/*
 * We only want the first 96 bits of the HMAC.
 */
-   cri[0].cri_alg = CRYPTO_SHA1_HMAC;
-   cri[0].cri_klen = ks->ks_class->ec_keybits;
-   cri[0].cri_mlen = 12;
-   cri[0].cri_key = ks->ks_key;
-   cri[0].cri_next = [1];
-
-   cri[1].cri_alg = CRYPTO_AES_CBC;
-   cri[1].cri_klen = ks->ks_class->ec_keybits;
-   cri[1].cri_mlen = 0;
-   cri[1].cri_key = ks->ks_key;
-   cri[1].cri_next = NULL;
+   bzero(, sizeof(cri));
+   cri.cri_alg = CRYPTO_SHA1_HMAC;
+   cri.cri_klen = ks->ks_class->ec_keybits;
+   cri.cri_mlen = 12;
+   cri.cri_key = ks->ks_key;
+   cri.cri_next = NULL;
+   crypto_newsession(>as_session_sha1, ,
+   CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE);
 
-   crypto_newsession(>as_session, cri,
+   bzero(, sizeof(cri));
+   cri.cri_alg = CRYPTO_AES_CBC;
+   cri.cri_klen = ks->ks_class->ec_keybits;
+   cri.cri_mlen = 0;
+   cri.cri_key = ks->ks_key;
+   cri.cri_next = NULL;
+   crypto_newsession(>as_session_aes, ,
CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE);
 }
 
@@ -114,7 +120,7 @@ aes_crypto_cb(struct cryptop *crp)
int error;
struct aes_state *as = (struct aes_state *) crp->crp_opaque;

-   if (CRYPTO_SESID2CAPS(as->as_session) & CRYPTOCAP_F_SYNC)
+   if (CRYPTO_SESID2CAPS(crp->crp_sid) & CRYPTOCAP_F_SYNC)
return (0);
 
error = crp->crp_etype;
@@ -151,7 +157,7 @@ aes_encrypt_1(const struct krb5_key_stat
crd->crd_next = NULL;
crd->crd_alg = CRYPTO_AES_CBC;
 
-   crp->crp_sid = as->as_session;
+   crp->crp_sid = as->as_session_aes;
crp->crp_flags = buftype | CRYPTO_F_CBIFSYNC;
crp->crp_buf = buf;
crp->crp_opaque = (void *) as;
@@ -159,7 +165,7 @@ aes_encrypt_1(const struct krb5_key_stat
 
error = crypto_dispatch(crp);
 
-   if ((CRYPTO_SESID2CAPS(as->as_session) & CRYPTOCAP_F_SYNC) == 0) {
+   if ((CRYPTO_SESID2CAPS(as->as_session_aes) & CRYPTOCAP_F_SYNC) == 0) {
mtx_lock(>as_lock);
if (!error && !(crp->crp_flags & CRYPTO_F_DONE))
error = msleep(crp, >as_lock, 0, "gssaes", 0);
@@ -326,7 +332,7 @@ aes_checksum(const struct krb5_key_state
crd->crd_next = NULL;
crd->crd_alg = CRYPTO_SHA1_HMAC;
 
-   crp->crp_sid = as->as_session;
+   crp->crp_sid = as->as_session_sha1;
crp->crp_ilen = inlen;
crp->crp_olen = 12;
crp->crp_etype = 0;
@@ -337,7 +343,7 @@ aes_checksum(const struct krb5_key_state
 
error = crypto_dispatch(crp);
 
-   if ((CRYPTO_SESID2CAPS(as->as_session) & CRYPTOCAP_F_SYNC) == 0) {
+   if ((CRYPTO_SESID2CAPS(as->as_session_sha1) & CRYPTOCAP_F_SYNC) == 0) {
mtx_lock(>as_lock);
if (!error &&