| | Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|---|
| * | crypto: do not waste space on selftest items | Jason A. Donenfeld | 2018-09-20 | 3 | -9458/+10993 |
| | This unfortunately means we have to define symbols, since we want them in __initconst, but it's better than the other two options (no initconst or wasting space for fixed size buffers). | | | | |
| * | crypto: explicitly dual license | Jason A. Donenfeld | 2018-09-20 | 41 | -41/+41 |
| | Suggested-by: Thomas Gleixner <tglx@linutronix.de> | | | | |
| * | poly1305: account for simd being toggled off midway | Jason A. Donenfeld | 2018-09-20 | 3 | -26/+131 |
| | This is a very rare occurrence, but we should account for it, so that the calculations aren't wrong. Here we convert from base 2^26 back to base 2^64. | | | | |
| * | chacha20: prefer crypto_xor_cpy to avoid memmove | Jason A. Donenfeld | 2018-09-20 | 1 | -5/+3 |
| | Suggested-by: Eric Biggers <ebiggers@kernel.org> | | | | |
| * | poly1305: no need to trick gcc 8.1 | Jason A. Donenfeld | 2018-09-19 | 1 | -2/+2 |
| | This reverts 37f114a73ba37219b00a66f0a51219a696599745, since gcc 8.2 no longer exhibits that bug. Suggested-by: Eric Biggers <ebiggers@kernel.org> | | | | |
| * | blake2s: simplify final function | Jason A. Donenfeld | 2018-09-19 | 2 | -40/+9 |
| | Suggested-by: Eric Biggers <ebiggers@kernel.org> | | | | |
| * | poly1305: better module description | Jason A. Donenfeld | 2018-09-18 | 1 | -1/+1 |
| * | chacha20: add independent self test | Jason A. Donenfeld | 2018-09-18 | 2 | -0/+1188 |
| | This was already tested from the chacha20poly1305 test, but it's useful to be able to test this in isolation too. | | | | |
| * | chacha20poly1305: add __init to selftest helper functions | Jason A. Donenfeld | 2018-09-18 | 1 | -3/+3 |
| * | curve25519-arm: only compile if symbols will be used | Jason A. Donenfeld | 2018-09-18 | 1 | -1/+1 |
| * | chacha20-x86_64: use correct cut off for avx512-vl | Jason A. Donenfeld | 2018-09-18 | 1 | -1/+1 |
| * | poly1305-x86_64: show full struct for state | Jason A. Donenfeld | 2018-09-18 | 1 | -5/+7 |
| * | crypto: allow for disabling simd in zinc modules | Jason A. Donenfeld | 2018-09-18 | 6 | -9/+33 |
| * | chacha20-x86_64: more limited cascade | Jason A. Donenfeld | 2018-09-18 | 1 | -5/+4 |
| * | chacha20poly1305: relax simd between sg chunks | Jason A. Donenfeld | 2018-09-18 | 1 | -0/+2 |
| * | crypto: turn Zinc into individual modules | Jason A. Donenfeld | 2018-09-18 | 24 | -42/+166 |
| * | crypto: do not use -include trick | Jason A. Donenfeld | 2018-09-17 | 14 | -51/+34 |
| * | poly1305-x86_64: don't activate simd for small blocks | Jason A. Donenfeld | 2018-09-17 | 1 | -3/+14 |
| * | chacha20-x86_64: don't activate simd for small blocks | Jason A. Donenfeld | 2018-09-17 | 1 | -1/+2 |
| * | crypto: pass simd by reference | Jason A. Donenfeld | 2018-09-17 | 14 | -83/+89 |
| * | chacha20-x86_64: cascade down implementations | Jason A. Donenfeld | 2018-09-17 | 1 | -3/+3 |
| * | poly1305: do not require simd context for arch | Jason A. Donenfeld | 2018-09-17 | 8 | -22/+14 |
| * | crypto: make MIT | Jason A. Donenfeld | 2018-09-16 | 39 | -39/+39 |
| * | chacha20-arm: swap scalar and neon functions | Jason A. Donenfeld | 2018-09-13 | 1 | -697/+697 |
| | This brings us closer to the original code. | | | | |
| * | poly1305: precompute 5*r in init instead of blocks | Jason A. Donenfeld | 2018-09-12 | 2 | -6/+18 |
| * | curve25519-x86_64: remove useless define | Jason A. Donenfeld | 2018-09-12 | 1 | -1/+0 |
| * | chacha20: add constant for words in block | Jason A. Donenfeld | 2018-09-12 | 2 | -2/+3 |
| * | poly1305: rename finish to final | Jason A. Donenfeld | 2018-09-11 | 5 | -13/+13 |
| * | crypto: make sure UML is properly disabled | Jason A. Donenfeld | 2018-09-11 | 1 | -4/+4 |
| * | crypto: do not use compound literals in selftests | Jason A. Donenfeld | 2018-09-11 | 2 | -7704/+7710 |
| | gcc can't apply section attributes to compound literals, so we can't mark the actual data as __initconst. We thus waste space instead, but this shouldn't matter much, since it's cleared after init anyway, and because this is only for debugging. | | | | |
| * | blake2s-x86_64: fix whitespace errors | Jason A. Donenfeld | 2018-09-10 | 1 | -2/+2 |
| * | poly1305: switch to donna | Jason A. Donenfeld | 2018-09-10 | 3 | -183/+398 |
| * | poly1305: rewrite self tests from scratch | Jason A. Donenfeld | 2018-09-08 | 1 | -1529/+831 |
| | This removes the old cruft and makes things a bit more idiomatic. | | | | |
| * | compat: move simd.h from crypto to compat since it's going upstream | Jason A. Donenfeld | 2018-09-06 | 1 | -65/+0 |
| * | crypto: use CRYPTOGAMS license | Jason A. Donenfeld | 2018-09-06 | 9 | -23/+27 |
| * | curve25519: arm: do not modify sp directly | Jason A. Donenfeld | 2018-09-06 | 1 | -3/+3 |
| | Thumb doesn't like this. Reported-by: Roman Mamedov <rm@romanrm.net> | | | | |
| * | global: prefer sizeof(*pointer) when possible | Jason A. Donenfeld | 2018-09-04 | 2 | -2/+2 |
| | Suggested-by: Sultan Alsawaf <sultanxda@gmail.com> | | | | |
| * | crypto: import zinc | Jason A. Donenfeld | 2018-09-03 | 42 | -984/+14670 |
| * | curve25519-arm: prefix immediates with # | Jason A. Donenfeld | 2018-08-28 | 1 | -18/+18 |
| * | curve25519-arm: do not waste 32 bytes of stack | Jason A. Donenfeld | 2018-08-28 | 1 | -88/+88 |
| * | curve25519-arm: use ordinary prolog and epilogue | Samuel Neves | 2018-08-28 | 1 | -18/+6 |
| | Signed-off-by: Samuel Neves <sneves@dei.uc.pt> | | | | |
| * | curve25519-arm: add spaces after commas | Jason A. Donenfeld | 2018-08-28 | 1 | -2074/+2074 |
| * | curve25519-arm: cleanups from lkml | Jason A. Donenfeld | 2018-08-28 | 1 | -33/+30 |
| | Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> | | | | |
| * | curve25519-arm: reformat | Jason A. Donenfeld | 2018-08-28 | 1 | -2096/+2096 |
| * | curve25519-x86_64: let the compiler decide when/how to load constants | Samuel Neves | 2018-08-28 | 1 | -5/+2 |
| | Signed-off-by: Samuel Neves <sneves@dei.uc.pt> | | | | |
| * | curve25519-hacl64: use formally verified C for comparisons | Jason A. Donenfeld | 2018-08-28 | 1 | -6/+19 |
| | The previous code had been proved in Z3, but this new code from upstream KreMLin is directly generated from the F*, which is preferable. The assembly generated is identical. | | | | |
| * | crypto: use unaligned helpers | Jason A. Donenfeld | 2018-08-28 | 7 | -48/+51 |
| | This is not useful for WireGuard, but for the general use case we probably want it this way, and the speed difference is mostly lost in the noise. | | | | |
| * | curve25519-hacl64: correct u64_gte_mask | Samuel Neves | 2018-08-07 | 1 | -3/+1 |
| | Remove signed right shifts. Previously u64_gte_mask was only correct for x < 2^63. Z3 script proving correctness: `from z3 import *; x = BitVec("x", 64); y = BitVec("y", 64); t = LShR(x^((x^y)\|((x-y)^y)), 63) - 1; prove(If(UGE(x, y), BitVecVal(-1, 64), BitVecVal(0, 64)) == t)` (output: proved). Signed-off-by: Samuel Neves <sneves@dei.uc.pt> | | | | |
| * | curve25519-hacl64: simplify u64_eq_mask | Samuel Neves | 2018-08-07 | 1 | -8/+3 |
| | Avoid signed right shift. Z3 script showing equivalence: `from z3 import *; x = BitVec("x", 64); y = BitVec("y", 64)`; before: `x_ = ~(x ^ y); x_ &= x_ << 32; x_ &= x_ << 16; x_ &= x_ << 8; x_ &= x_ << 4; x_ &= x_ << 2; x_ &= x_ << 1; x_ >>= 63`; after: `y_ = x ^ y; y_ = y_ \| -y_; y_ = LShR(y_, 63) - 1`; then `prove(x_ == y_)` (output: proved). Signed-off-by: Samuel Neves <sneves@dei.uc.pt> | | | | |
| * | chacha20: use memmove in case buffers overlap | Jason A. Donenfeld | 2018-08-07 | 1 | -1/+1 |
| | Suggested-by: Samuel Neves <sneves@dei.uc.pt> | | | | |
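The two Z3 scripts in the u64_gte_mask and u64_eq_mask commits above prove the mask formulas over 64-bit bit-vectors but do not show them as C. The following is an added example, not code from this page nor from the HACL* or Zinc sources: it transcribes the proven formulas into C, keeps the "before" form of u64_eq_mask for contrast, and checks all three against plain comparisons on constructed edge values that include operands at or above 2^63, the range the commit message says the old u64_gte_mask got wrong. The helper names ct_select and check_masks_against_reference and the sample values are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Added example, not the page's or HACL*'s own source: the two
 * constant-time masks transcribed from the Z3 scripts in the commit
 * messages above. Each returns all ones (UINT64_MAX) when the predicate
 * holds and 0 otherwise, with no data-dependent branch and only logical
 * (unsigned) shifts. */

/* x >= y as a mask. The inner expression leaves the borrow of x - y in
 * bit 63; the logical shift moves it to bit 0, and "- 1" turns 0 into all
 * ones (x >= y) and 1 into 0 (x < y). Unsigned wraparound is well defined. */
static uint64_t u64_gte_mask(uint64_t x, uint64_t y)
{
	return ((x ^ ((x ^ y) | ((x - y) ^ y))) >> 63) - 1;
}

/* x == y as a mask. d = x ^ y is zero iff equal, and (d | -d) has bit 63
 * set iff d != 0, so the same shift-and-subtract trick applies. */
static uint64_t u64_eq_mask(uint64_t x, uint64_t y)
{
	uint64_t d = x ^ y;
	return ((d | (0 - d)) >> 63) - 1;
}

/* The "before" form from the u64_eq_mask commit message, for contrast.
 * The AND cascade folds all 64 bits of ~(x ^ y) into bit 63, and the last
 * step needs an arithmetic shift to smear that bit across the word. In C
 * the conversion of a value above INT64_MAX to int64_t and the right shift
 * of a negative signed value are both implementation-defined (C17 6.3.1.3
 * and 6.5.7), which is what the commit avoids. */
static uint64_t u64_eq_mask_signed_shift(uint64_t x, uint64_t y)
{
	uint64_t t = ~(x ^ y);
	t &= t << 32;
	t &= t << 16;
	t &= t << 8;
	t &= t << 4;
	t &= t << 2;
	t &= t << 1;
	return (uint64_t)((int64_t)t >> 63);
}

/* Branch-free select, the usual consumer of such masks: returns a when
 * mask is all ones and b when mask is zero. Hypothetical helper name. */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b)
{
	return (a & mask) | (b & ~mask);
}

/* Constructed edge values; the last four sit at or above 2^63. */
static const uint64_t samples[] = {
	0, 1, 2, 0x7ffffffffffffffeULL, 0x7fffffffffffffffULL,
	0x8000000000000000ULL, 0x8000000000000001ULL,
	0xfffffffffffffffeULL, 0xffffffffffffffffULL,
};

/* Compare every mask against the plain (non-constant-time) comparison on
 * every ordered pair of samples. Returns the number of mismatches; 0 means
 * all three functions agree with the reference on every pair. */
static int check_masks_against_reference(void)
{
	size_t n = sizeof(samples) / sizeof(samples[0]);
	int mismatches = 0;

	for (size_t i = 0; i < n; i++) {
		for (size_t j = 0; j < n; j++) {
			uint64_t x = samples[i], y = samples[j];
			uint64_t want_gte = x >= y ? UINT64_MAX : 0;
			uint64_t want_eq = x == y ? UINT64_MAX : 0;

			if (u64_gte_mask(x, y) != want_gte)
				mismatches++;
			if (u64_eq_mask(x, y) != want_eq)
				mismatches++;
			if (u64_eq_mask_signed_shift(x, y) != want_eq)
				mismatches++;
		}
	}
	return mismatches;
}

int main(void)
{
	int bad = check_masks_against_reference();

	printf("mask mismatches against reference: %d\n", bad);
	printf("ct_select(u64_eq_mask(1, 1), 10, 20) = %llu\n",
	       (unsigned long long)ct_select(u64_eq_mask(1, 1), 10, 20));
	return bad != 0;
}
```

The check is exhaustive only over the embedded samples; the Z3 scripts in the commit messages are the proof over all 2^128 inputs, and the C here is meant to show what those proofs buy in practice: the operands above 2^63 are exactly where a signed-shift formulation can diverge from the unsigned predicate.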