path: root/src/crypto/include/zinc
Date | Commit message | Author | Files | Lines
2018-09-11 | crypto: do not use compound literals in selftests | Jason A. Donenfeld | 2 | -7704/+7710
gcc can't apply section attributes to compound literals, so we can't mark the actual data as __initconst. We thus waste space instead, but this shouldn't matter much, since it's cleared after init anyway, and because this is only for debugging.
2018-09-10 | blake2s-x86_64: fix whitespace errors | Jason A. Donenfeld | 1 | -2/+2
2018-09-10 | version: bump snapshot (0.0.20180910) | Jason A. Donenfeld | 2 | -2/+2
2018-09-10 | poly1305: switch to donna | Jason A. Donenfeld | 3 | -183/+398
2018-09-08 | poly1305: rewrite self tests from scratch | Jason A. Donenfeld | 1 | -1529/+831
This removes the old cruft and makes things a bit more idiomatic.
2018-09-06 | compat: move simd.h from crypto to compat since it's going upstream | Jason A. Donenfeld | 2 | -0/+4
2018-09-06 | compat: arch-namespace certain includes | Jason A. Donenfeld | 5 | -8/+8
2018-09-06 | compat: support neon.h on old kernels | Jason A. Donenfeld | 2 | -0/+14
Reported-by: Philipp Richter <richterphilipp.pops@gmail.com>
2018-09-06 | crypto: use CRYPTOGAMS license | Jason A. Donenfeld | 9 | -23/+27
2018-09-06 | curve25519: arm: do not modify sp directly | Jason A. Donenfeld | 1 | -3/+3
Thumb doesn't like this.
Reported-by: Roman Mamedov <rm@romanrm.net>
2018-09-04 | version: bump snapshot (0.0.20180904) | Jason A. Donenfeld | 2 | -2/+2
2018-09-04 | global: always find OOM unlikely | Jason A. Donenfeld | 6 | -17/+17
Suggested-by: Sultan Alsawaf <sultanxda@gmail.com>
2018-09-04 | global: prefer sizeof(*pointer) when possible | Jason A. Donenfeld | 15 | -53/+44
Suggested-by: Sultan Alsawaf <sultanxda@gmail.com>
2018-09-03 | global: satisfy check_patch.pl errors | Jason A. Donenfeld | 6 | -26/+27
2018-09-03 | crypto: import zinc | Jason A. Donenfeld | 56 | -6553/+13141
2018-09-02 | uapi: reformat | Jason A. Donenfeld | 1 | -81/+83
2018-09-02 | tools: ipc: do not warn on unrecognized netlink attributes | Jason A. Donenfeld | 1 | -17/+0
It makes extending things more difficult.
2018-09-02 | netlink: insert peer version placeholder | Jason A. Donenfeld | 3 | -3/+17
While we don't want people to ever use old protocols, people will complain if the API "changes", so explicitly make the unset protocol mean the latest, and add a dummy mechanism of specifying the protocol on a per-peer basis, which we hope nobody actually ever uses.
2018-08-28 | curve25519-arm: prefix immediates with # | Jason A. Donenfeld | 1 | -18/+18
2018-08-28 | curve25519-arm: do not waste 32 bytes of stack | Jason A. Donenfeld | 1 | -88/+88
2018-08-28 | curve25519-arm: use ordinary prolog and epilogue | Samuel Neves | 1 | -18/+6
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
2018-08-28 | curve25519-arm: add spaces after commas | Jason A. Donenfeld | 1 | -2074/+2074
2018-08-28 | curve25519-arm: cleanups from lkml | Jason A. Donenfeld | 1 | -33/+30
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-08-28 | curve25519-arm: reformat | Jason A. Donenfeld | 1 | -2096/+2096
2018-08-28 | curve25519-x86_64: let the compiler decide when/how to load constants | Samuel Neves | 1 | -5/+2
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
2018-08-28 | curve25519-hacl64: use formally verified C for comparisons | Jason A. Donenfeld | 1 | -6/+19
The previous code had been proved in Z3, but this new code from upstream KreMLin is directly generated from the F*, which is preferable. The assembly generated is identical.
2018-08-28 | crypto: use unaligned helpers | Jason A. Donenfeld | 9 | -55/+61
This is not useful for WireGuard, but for the general use case we probably want it this way, and the speed difference is mostly lost in the noise.
2018-08-28 | Kconfig: use new-style help marker | Jason A. Donenfeld | 1 | -2/+2
2018-08-28 | compat: rng_is_initialized made it into 4.19 | Jason A. Donenfeld | 1 | -53/+53
2018-08-28 | global: run through clang-format | Jason A. Donenfeld | 28 | -795/+1654
This is the worst commit in the whole repo, making the code much less readable, but so it goes with upstream maintainers. We are now woefully wrapped at 80 columns.
2018-08-21 | wg-quick: check correct variable for route deduplication | Jason A. Donenfeld | 1 | -1/+1
Reported-by: John Sager <john@sager.me.uk>
2018-08-12 | wg-quick: darwin: prefer system paths for tools | Jason A. Donenfeld | 1 | -1/+1
The only things wg-quick(8) needs from Homebrew are bash(1) and wg(8). Other than that, it's explicitly coded against the native system utilities. Since wg-quick(8) and bash(1) are invoked in auto_su by their full absolute path (via $SELF and $BASH, respectively), we can simply set the $PATH to be prefixed by the default system binary paths. This way, if users install tools that conflict with system tools -- such as GNU coreutils -- we won't accidentally call those.
Reported-by: Deirdre Connolly <durumcrustulum@gmail.com>
2018-08-09 | version: bump snapshot (0.0.20180809) | Jason A. Donenfeld | 2 | -2/+2
2018-08-09 | netlink: don't start over iteration on multipart non-first allowedips | Jason A. Donenfeld | 2 | -2/+28
Reported-by: Matt Layher <mdlayher@gmail.com>
2018-08-09 | timers: include header in right file | Jason A. Donenfeld | 2 | -2/+2
2018-08-07 | curve25519-hacl64: correct u64_gte_mask | Samuel Neves | 1 | -3/+1
Remove signed right shifts. Previously u64_gte_mask was only correct for x < 2^63. Z3 script proving correctness:

    >>> from z3 import *
    >>>
    >>> x = BitVec("x", 64)
    >>> y = BitVec("y", 64)
    >>>
    >>> t = LShR(x^((x^y)|((x-y)^y)), 63) - 1
    >>>
    >>> prove(If(UGE(x, y), BitVecVal(-1, 64), BitVecVal(0, 64)) == t)
    proved

Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
2018-08-07 | curve25519-hacl64: simplify u64_eq_mask | Samuel Neves | 1 | -8/+3
Avoid signed right shift. Z3 script showing equivalence:

    >>> from z3 import *
    >>>
    >>> x = BitVec("x", 64)
    >>> y = BitVec("y", 64)
    >>>
    >>> # Before
    ... x_ = ~(x ^ y)
    >>> x_ &= x_ << 32
    >>> x_ &= x_ << 16
    >>> x_ &= x_ << 8
    >>> x_ &= x_ << 4
    >>> x_ &= x_ << 2
    >>> x_ &= x_ << 1
    >>> x_ >>= 63
    >>>
    >>> # After
    ... y_ = x ^ y
    >>> y_ = y_ | -y_
    >>> y_ = LShR(y_, 63) - 1
    >>>
    >>> prove(x_ == y_)
    proved

Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
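As an added example that is not WireGuard's code, the two masks proven in the u64_gte_mask and u64_eq_mask commits above are written out in plain C, next to a constructed signed-shift variant that shows why the full 64-bit range matters; the edge-value table and check_masks are constructed for this illustration.

```c
#include <stdint.h>
/* Added example, not WireGuard's code: the two mask functions whose Z3
 * proofs appear in the commit messages above, written as plain C. Each
 * returns UINT64_MAX when the relation holds and 0 otherwise, using only
 * unsigned arithmetic: no branch on the inputs, no signed right shift. */

/* All ones iff x >= y: (x ^ ((x ^ y) | ((x - y) ^ y))) >> 63 is the borrow
 * bit of x - y, i.e. 1 iff x < y, and subtracting 1 turns it into the mask. */
static uint64_t u64_gte_mask(uint64_t x, uint64_t y)
{
	return ((x ^ ((x ^ y) | ((x - y) ^ y))) >> 63) - 1;
}

/* All ones iff x == y: for d != 0, d | -d has its top bit set; for d == 0
 * it stays 0. */
static uint64_t u64_eq_mask(uint64_t x, uint64_t y)
{
	uint64_t d = x ^ y;
	d |= 0 - d;
	return (d >> 63) - 1;
}

/* A shortcut that reads the borrow from the sign bit of x - y with a signed
 * right shift (implementation-defined in C). Constructed here to show the
 * failure mode, not the removed code: it is wrong once x and y straddle 2^63. */
static uint64_t u64_gte_mask_signed_shift(uint64_t x, uint64_t y)
{
	return (uint64_t)~((int64_t)(x - y) >> 63);
}

#define NVALS 9
static const uint64_t vals[NVALS] = {
	0, 1, 2, UINT64_C(1) << 62, (UINT64_C(1) << 63) - 1, UINT64_C(1) << 63,
	(UINT64_C(1) << 63) + 5, UINT64_MAX - 1, UINT64_MAX
};

/* Compares both masks with plain comparison over every pair of edge values
 * on both sides of 2^63. Returns the number of mismatches; 0 means correct. */
static int check_masks(void)
{
	int bad = 0;
	for (int i = 0; i < NVALS; ++i)
		for (int j = 0; j < NVALS; ++j) {
			uint64_t x = vals[i], y = vals[j];
			bad += u64_gte_mask(x, y) != (x >= y ? UINT64_MAX : 0);
			bad += u64_eq_mask(x, y) != (x == y ? UINT64_MAX : 0);
		}
	return bad;
}
```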
2018-08-07 | chacha20: use memmove in case buffers overlap | Jason A. Donenfeld | 1 | -1/+1
Suggested-by: Samuel Neves <sneves@dei.uc.pt>
2018-08-07 | curve25519-x86_64: avoid use of r12 | Jason A. Donenfeld | 1 | -107/+107
This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register.
Suggested-by: PaX Team <pageexec@freemail.hu>
2018-08-06 | qemu: add easy git harness | Jason A. Donenfeld | 1 | -1/+8
2018-08-06 | chacha20poly1305: selftest: use arrays for test vectors | Jason A. Donenfeld | 1 | -777/+3577
2018-08-06 | crypto: move simd context to specific type | Jason A. Donenfeld | 11 | -147/+153
Suggested-by: Andy Lutomirski <luto@kernel.org>
2018-08-04 | compat: better atomic acquire/release backport | Jason A. Donenfeld | 1 | -16/+10
2018-08-04 | send: switch handshake stamp to an atomic | Jason A. Donenfeld | 4 | -14/+12
Rather than abusing the handshake lock, we're much better off just using a boring atomic64 for this. It's simpler and performs better. Also, while we're at it, we set the handshake stamp both before and after the calculations, in case the calculations block for a really long time waiting for the RNG to initialize. Otherwise it's possible that when the RNG finally initializes, two handshakes are sent back to back, which isn't sensible.
2018-08-03 | version: bump snapshot (0.0.20180802) | Jason A. Donenfeld | 2 | -2/+2
2018-08-03 | allowedips: use different macro names so as to avoid confusion | Jason A. Donenfeld | 1 | -5/+5
A mailing list interlocutor argues that sharing the same macro name might lead to errors down the road.
Suggested-by: Andrew Lunn <andrew@lunn.ch>
2018-08-03 | peer: ensure destruction doesn't race | Jason A. Donenfeld | 11 | -110/+148
Completely rework peer removal to ensure peers don't jump between contexts and create races.
2018-08-02 | noise: free peer references on failure | Jason A. Donenfeld | 1 | -11/+11
2018-08-02 | cookie: returned keypair might disappear if rcu lock not held | Jason A. Donenfeld | 2 | -14/+19
And in general it's good to prefer dereferencing entry.peer from a handshake object rather than a keypair object, when possible, since keypairs could disappear before their underlying peer.
2018-08-02 | queueing: ensure strictly ordered loads and stores | Jason A. Donenfeld | 4 | -5/+33
We don't want a consumer to read plaintext when it's supposed to be reading ciphertext, which means we need to synchronize across cores.
Suggested-by: Jann Horn <jann@thejh.net>