path: root/src/crypto

Commit message | Author | Date | Files | Lines
* simd: add missing header | Jason A. Donenfeld | 2018-06-22 | 1 | -0/+1
    Suggested-by: Shlomi Steinberg <shlomi@shlomisteinberg.com>
* poly1305: give linker the correct constant data section size | Jason A. Donenfeld | 2018-06-22 | 1 | -1/+1
    Otherwise these constants will be merged wrong or excluded, and we'll wind up with wrong calculations. While bfd (the normal kernel linker) doesn't seem to mind, recent versions of gold do bad things.
* poly1305: add missing string.h header | Jason A. Donenfeld | 2018-06-20 | 1 | -0/+1
    Reported-by: Peter Korsgaard <peter@korsgaard.com>
* simd: no need to restore fpu state when no preemption | Jason A. Donenfeld | 2018-06-17 | 1 | -0/+2
* simd: encapsulate fpu amortization into nice functions | Jason A. Donenfeld | 2018-06-17 | 3 | -47/+66
* chacha20poly1305: use slow crypto on -rt kernels on arm too | Jason A. Donenfeld | 2018-06-14 | 1 | -1/+1
* chacha20poly1305: use slow crypto on -rt kernels | Jason A. Donenfeld | 2018-06-13 | 1 | -1/+1
    In rt kernels, spinlocks call schedule(), which means preemption can't be disabled. The FPU disables preemption. Hence, we can either restructure things to move the calls to kernel_fpu_begin/end to be really close to the actual crypto routines, or we can do the slower lazier solution of just not using the FPU at all on -rt kernels. This patch goes with the latter lazy solution.

    The reason why we don't place the calls to kernel_fpu_begin/end close to the crypto routines in the first place is that they're very expensive, as it usually involves a call to XSAVE. So on sane kernels, we benefit from only having to call it once.
* chacha20: add missing include to header | Jason A. Donenfeld | 2018-06-02 | 1 | -0/+1
* poly1305: mips: compute S on fly | René van Dorst | 2018-05-31 | 1 | -31/+22
    This reduces memory access and the total opaque size.

    Signed-off-by: René van Dorst <opensource@vdorst.com>
* crypto: consistent constification | Jason A. Donenfeld | 2018-05-31 | 6 | -23/+23
* chacha20poly1305: combine stack variables into union | Jason A. Donenfeld | 2018-05-31 | 1 | -54/+53
* chacha20poly1305: split up into separate files | Jason A. Donenfeld | 2018-05-31 | 6 | -614/+724
* curve25519: x86_64: make symbol static | Jason A. Donenfeld | 2018-05-29 | 1 | -2/+2
* curve25519: x86_64: satisfy sparse | Jason A. Donenfeld | 2018-05-29 | 1 | -260/+260
* chacha20poly1305: add mips32 implementation | René van Dorst | 2018-05-18 | 3 | -5/+912
    Signed-off-by: René van Dorst <opensource@vdorst.com>
* chacha20poly1305: make gcc 8.1 happy | Samuel Neves | 2018-05-13 | 1 | -2/+2
    GCC 8.1 does not know about the invariant `0 <= ctx->num < POLY1305_BLOCK_SIZE`. This results in a warning that `memcpy(ctx->data + num, inp, len);` may overflow the `data` field, which is correct for arbitrary values of `num`. To make the invariant explicit we ensure that `num` is in the required range. An alternative would be to change `ctx->num` to a 4-bit bitfield at the point of declaration. This changes the code from `test ebp, ebp; jz end` to `and ebp, 15; jz end`, which have identical performance characteristics.

    Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
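The invariant that commit message describes (`0 <= num < POLY1305_BLOCK_SIZE`, made visible to the compiler by masking `num` before the `memcpy`) in a stand-alone C sketch of the same partial-block buffering. This is an added example, not WireGuard's poly1305 code: the block mixing is a toy checksum standing in for the real block function, the struct and function names are invented, and the 40-byte input is constructed here and fed in chunks of different sizes to show that the buffered length and the number of blocks consumed do not depend on how the input is split.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not WireGuard code. Stand-in for POLY1305_BLOCK_SIZE. */
#define BLOCK_SIZE 16

struct block_ctx {
	uint8_t data[BLOCK_SIZE]; /* partial block waiting for more input */
	unsigned int num;         /* invariant: 0 <= num < BLOCK_SIZE */
	unsigned long blocks;     /* full blocks absorbed so far */
	uint64_t checksum;        /* toy accumulator standing in for the MAC state */
};

static void absorb_block(struct block_ctx *ctx, const uint8_t *blk)
{
	/* Toy mixing; the real code runs the Poly1305 block function here. */
	for (int i = 0; i < BLOCK_SIZE; i++)
		ctx->checksum = ctx->checksum * 1000003u + blk[i];
	ctx->blocks++;
}

void block_update(struct block_ctx *ctx, const uint8_t *inp, size_t len)
{
	/* The mask is what makes the invariant explicit: the compiler now
	 * knows num < BLOCK_SIZE and can prove the memcpy below stays inside
	 * ctx->data. With a power-of-two block size this is the
	 * "and ebp, 15" the commit message mentions. */
	unsigned int num = ctx->num & (BLOCK_SIZE - 1);

	if (num) {
		size_t rem = BLOCK_SIZE - num;
		if (len < rem) {
			memcpy(ctx->data + num, inp, len);
			ctx->num = num + (unsigned int)len; /* still < BLOCK_SIZE */
			return;
		}
		memcpy(ctx->data + num, inp, rem);
		absorb_block(ctx, ctx->data);
		inp += rem;
		len -= rem;
	}
	while (len >= BLOCK_SIZE) {
		absorb_block(ctx, inp);
		inp += BLOCK_SIZE;
		len -= BLOCK_SIZE;
	}
	if (len)
		memcpy(ctx->data, inp, len);
	ctx->num = (unsigned int)len; /* len < BLOCK_SIZE: invariant re-established */
}

/* Feed a constructed 40-byte message in pieces of `chunk` bytes and return
 * the resulting context so results can be compared across chunk sizes. */
struct block_ctx run_example(size_t chunk)
{
	struct block_ctx ctx;
	uint8_t msg[40]; /* constructed sample input, not real traffic */

	memset(&ctx, 0, sizeof(ctx));
	for (size_t i = 0; i < sizeof(msg); i++)
		msg[i] = (uint8_t)(i * 7 + 3);
	for (size_t off = 0; off < sizeof(msg); off += chunk) {
		size_t n = sizeof(msg) - off < chunk ? sizeof(msg) - off : chunk;
		block_update(&ctx, msg + off, n);
	}
	return ctx;
}
```

Whatever the chunk size, 40 bytes end as two absorbed blocks with 8 bytes buffered and the same checksum, and at no point can `num` reach `BLOCK_SIZE`, so the `memcpy` into `ctx->data + num` has at least one byte of room. Build with `-O2 -Wall` to see that the masked version compiles without the overflow warning the commit is working around.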
* poly1305: do not place constants in different sections | Jason A. Donenfeld | 2018-04-18 | 1 | -14/+1
    We're referencing these constants as one contiguous blob, so if there's any merging that goes on with other constants elsewhere (such as the kernel's current poly1305 implementation that we hope to replace), then these will be reordered and have the wrong values.
* blake2s: remove unused helper | Jason A. Donenfeld | 2018-04-16 | 1 | -5/+0
* chacha20poly1305: put magic constant behind macro | Jason A. Donenfeld | 2018-04-05 | 1 | -2/+4
* curve25519: precomp const correctness | Jason A. Donenfeld | 2018-03-09 | 1 | -24/+22
* curve25519: memzero in batches | Jason A. Donenfeld | 2018-03-09 | 1 | -140/+124
* curve25519: use cmov instead of xor for cswap | Jason A. Donenfeld | 2018-03-09 | 1 | -12/+39
    Also add cselect optimization.
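The conditional swap and conditional select that commit is about, as an added example in portable C rather than the x86_64 assembly the commit changes. The mask-and-xor form below is the generic branch-free technique (the "xor" the commit moved away from); the assembly reaches the same branch-free behaviour with `cmov` instead. This is not WireGuard's curve25519 code: the function names, the five-limb arrays and the sample values are all invented for the example, and the point is only that neither function branches on the secret bit.

```c
#include <stdint.h>

/* Added example, not WireGuard's curve25519 code. Limb count is arbitrary. */
#define LIMBS 5

/* Swap a and b when bit == 1, leave them alone when bit == 0, without
 * branching on bit: the same instructions touch the same memory on both
 * paths, so timing and cache behaviour do not depend on the bit. */
void cswap(uint64_t a[LIMBS], uint64_t b[LIMBS], uint64_t bit)
{
	uint64_t mask = 0 - (bit & 1); /* all ones if bit is set, else zero */

	for (int i = 0; i < LIMBS; i++) {
		uint64_t t = mask & (a[i] ^ b[i]);
		a[i] ^= t;
		b[i] ^= t;
	}
}

/* Return y when bit == 1 and x otherwise, again without a branch. This is
 * the shape of the cselect optimization: one masked select instead of a
 * full swap when only one of the two values is needed afterwards. */
uint64_t cselect(uint64_t x, uint64_t y, uint64_t bit)
{
	uint64_t mask = 0 - (bit & 1);

	return (x & ~mask) | (y & mask);
}

/* Run cswap on constructed limb arrays and pack a[0] and b[0] into one
 * value so the outcome can be checked with a single comparison. */
uint64_t cswap_check(uint64_t bit)
{
	uint64_t a[LIMBS] = {1, 2, 3, 4, 5};
	uint64_t b[LIMBS] = {10, 20, 30, 40, 50};

	cswap(a, b, bit);
	return a[0] * 1000 + b[0];
}
```

One caveat a reviewer would raise: a C compiler is allowed to turn the mask arithmetic back into a compare-and-branch, which is exactly why the commit does this in assembly, where `cmov` pins the codegen. After building, disassemble the object (`objdump -d`) and confirm there is no conditional jump on the secret bit inside `cswap` or `cselect`.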
* curve25519: use precomp implementation instead of sandy2x | Jason A. Donenfeld | 2018-03-09 | 3 | -3437/+2070
    It's faster and doesn't use the FPU.
* crypto: read only after init | Jason A. Donenfeld | 2018-03-02 | 4 | -10/+11
* blake2s: use union instead of casting | Jason A. Donenfeld | 2018-02-14 | 1 | -18/+16
    This deals with alignment more easily and also helps squelch a clang-analyzer warning.
* curve25519: replace fiat64 with faster hacl64 | Jason A. Donenfeld | 2018-02-01 | 3 | -470/+883
    This reverts commit da4ff396cc5d5e0ff21f9ecbc2f951c048c63fff and adds some optimizations to hacl64.
* curve25519: replace hacl64 with fiat64 | Jason A. Donenfeld | 2018-02-01 | 3 | -871/+470
    For now, it's faster:

    hacl64: 109782 cycles per call
    fiat64: 108984 cycles per call

    It's quite possible this commit will be reverted with nice changes from INRIA, though.
* chacha20poly1305: better buffer alignment | Jason A. Donenfeld | 2018-01-30 | 1 | -9/+8
* chacha20poly1305: use existing rol32 function | Jason A. Donenfeld | 2018-01-30 | 1 | -9/+4
* poly1305: add poly-specific self-tests | Jason A. Donenfeld | 2018-01-19 | 2 | -0/+2
* curve25519-fiat32: uninline certain functions | Jason A. Donenfeld | 2018-01-18 | 1 | -4/+4
    While this has a negative performance impact on x86_64, it has a positive performance impact on smaller machines, which is where we're actually using this code. For example, an A53:

    Before:
    fiat32: 228605 cycles per call

    After:
    fiat32: 188307 cycles per call
* curve25519: wire up new impls and remove donna | Jason A. Donenfeld | 2018-01-18 | 3 | -1454/+3
* curve25519: resolve symbol clash between fe types | Jason A. Donenfeld | 2018-01-18 | 1 | -7/+7
* curve25519: import 64-bit hacl-star implementation | Jason A. Donenfeld | 2018-01-18 | 1 | -0/+739
* curve25519: import 32-bit fiat-crypto implementation | Jason A. Donenfeld | 2018-01-18 | 1 | -0/+838
* curve25519: modularize implementation | Jason A. Donenfeld | 2018-01-18 | 5 | -1610/+1640
* poly1305: remove indirect calls | Samuel Neves | 2018-01-18 | 1 | -79/+96
    Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* global: year bump | Jason A. Donenfeld | 2018-01-03 | 16 | -16/+16
* crypto: compile on UML | Jason A. Donenfeld | 2017-12-13 | 4 | -2/+8
    We basically just don't use FPU in UML.
* chacha20poly1305: wire up avx512vl for skylake-x | Jason A. Donenfeld | 2017-12-11 | 2 | -4/+17
* chacha20: avx512vl implementation | Samuel Neves | 2017-12-11 | 2 | -0/+571
    Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* poly1305: fix avx512f alignment bug | Samuel Neves | 2017-12-11 | 1 | -1/+1
    Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20poly1305: cleaner generic code | Jason A. Donenfeld | 2017-12-11 | 1 | -90/+49
* blake2s-x86_64: fix spacing | Jason A. Donenfeld | 2017-12-09 | 1 | -70/+70
* global: add SPDX tags to all files | Greg Kroah-Hartman | 2017-12-09 | 16 | -247/+57
    It's good to have SPDX identifiers in all files as the Linux kernel developers are working to add these identifiers to all files.

    Update all files with the correct SPDX license identifier based on the license text of the project or based on the license in the file itself. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boilerplate text.

    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Modified-by: Jason A. Donenfeld <Jason@zx2c4.com>
* chacha20-arm: fix with clang -fno-integrated-as. | David Benjamin | 2017-12-03 | 1 | -1/+3
    The __clang__-guarded #defines cause gas to complain if clang is passed -fno-integrated-as. Emitting .syntax unified when those are used fixes this.

    Reviewed-by: Andy Polyakov <appro@openssl.org>
    Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
* poly1305: update x86-64 kernel to AVX512F only | Samuel Neves | 2017-12-03 | 2 | -138/+132
    Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* curve25519: explicitly depend on AS_AVX | Jason A. Donenfeld | 2017-11-28 | 1 | -3/+3
* curve25519: modularize dispatch | Jason A. Donenfeld | 2017-11-28 | 1 | -91/+82
* blake2s: tweak avx512 code | Samuel Neves | 2017-11-26 | 1 | -64/+47
    This is not as ideal as using zmm, but zmm downclocks. And it's not as fast single-threaded as using the gathers. But it is faster when multithreaded, which is what WireGuard is doing.

    Signed-off-by: Samuel Neves <sneves@dei.uc.pt>