aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/src/crypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
* blake2s: satisfy sparseJason A. Donenfeld2017-08-021-2/+2
|
* blake2s: fix up alignment issuesJason A. Donenfeld2017-07-201-9/+11
| | | | | When it's unclear if block is aligned, we just assume unaligned, rather than branching.
* blake2s: move compression loop to assemblySamuel Neves2017-07-203-72/+84
|
* curve25519: keep certain sandy2x functions in CJason A. Donenfeld2017-06-252-232/+84
| | | | We can let the compiler optimize how it sees fit.
* curve25519: satisfy sparse and use short typesJason A. Donenfeld2017-06-241-26/+26
|
* main: annotate init/exit functions to save memoryJason A. Donenfeld2017-06-243-6/+6
|
* random: wait for random bytes when generating nonces and ephemeralsJason A. Donenfeld2017-06-121-1/+1
| | | | | | | | | | | We can let userspace configure wireguard interfaces before the RNG is fully initialized, since what we mostly care about is having good randomness for ephemerals and xchacha nonces. By deferring the wait to actually asking for the randomness, we give a lot more opportunity for gathering entropy. This won't cover entropy for hash table secrets or cookie secrets (which rotate anyway), but those have far less catastrophic failure modes, so ensuring good randomness for elliptic curve points and nonces should be sufficient.
* curve25519: use more standard label convention in asmJason A. Donenfeld2017-06-012-24/+24
|
* curve25519: add NEON versions for ARMJason A. Donenfeld2017-05-312-27/+2158
|
* curve25519: align the basepoint to 32 bytesJason A. Donenfeld2017-05-311-2/+2
|
* curve25519: actually, do some things on heap sometimesJason A. Donenfeld2017-05-311-0/+170
| | | | This reverts commit 42dd5bd87e418275203dd6644b6b6b0cc310d4d9.
* chacha20poly1305: add NEON versions for ARM and ARM64Jason A. Donenfeld2017-05-304-6/+1031
|
* chacha20poly1305: move constants to rodataJason A. Donenfeld2017-05-215-14/+27
|
* chacha20poly1305: implement vectorized hchacha20Jason A. Donenfeld2017-05-172-21/+157
|
* chacha20poly1305: check return values of sgopsJason A. Donenfeld2017-04-042-9/+17
|
* chacha20poly1305: enforce authtag checking with compilerJason A. Donenfeld2017-03-302-15/+10
|
* curve25519: protect against potential invalid point attacksJason A. Donenfeld2017-03-302-18/+30
|
* curve25519: 128-bit integer != x86_64Jason A. Donenfeld2017-03-241-2/+8
|
* curve25519: do dispatcher in C instead of asm, since shlx is haswell onlyJason A. Donenfeld2017-03-202-162/+73
|
* curve25519: add AVX implementationJason A. Donenfeld2017-03-193-23/+3697
|
* blake2s: add AVX implementationJason A. Donenfeld2017-03-195-7/+602
|
* compat: backport siphash & dst_cache from mainlineJason A. Donenfeld2017-02-132-296/+0
|
* curve25519: do everything on the stackJason A. Donenfeld2017-01-151-171/+0
| | | | | | With MIPS now supporting a separate IRQ stack, and with these changes being backported into OpenWRT (and likely the stable mainline releases), we no longer need to kmalloc more space for temporary variables.
* Use __read_mostly attribute when possibleJason A. Donenfeld2017-01-131-3/+3
|
* Update copyrightJason A. Donenfeld2017-01-108-8/+8
|
* blake2s: cleanupJason A. Donenfeld2016-12-261-9/+4
|
* cookies: use xchacha20poly1305 instead of chacha20poly1305Jason A. Donenfeld2016-12-232-1/+120
| | | | | This allows us to precompute the blake2s calls and save cycles, since hchacha is fast.
* siphash: preserve endian-ness for quick helperJason A. Donenfeld2016-12-161-5/+9
| | | | This fixes errors on big endian machines.
* siphash: update against upstream submissionJason A. Donenfeld2016-12-164-84/+292
|
* siphash: useless riceJason A. Donenfeld2016-12-121-3/+1
|
* crypto: use kernel's bitops functionsJason A. Donenfeld2016-12-112-18/+15
|
* blake2s: move self tests to correct directoryJason A. Donenfeld2016-12-111-554/+1
|
* global: move to consistent use of uN instead of uintN_t for kernel codeJason A. Donenfeld2016-12-118-327/+327
|
* siphash: add types to headerJason A. Donenfeld2016-11-291-0/+2
|
* headers: cleanup noticesJason A. Donenfeld2016-11-218-8/+8
|
* chacha20poly1305: sse/ymm should be implicitexperimental-0.0.20161116.1Jason A. Donenfeld2016-11-161-1/+1
|
* chacha20poly1305: rely on avx and avx2experimental-0.0.20161116Jason A. Donenfeld2016-11-161-1/+1
| | | | | | It turns out some FrankenVMs disable AVX but keep AVX2, causing issues. The crypto code now relies on having both AVX and AVX2 and the right features.
* curve25519: use kmalloc in order to not overflow stackexperimental-0.0.20161110Jason A. Donenfeld2016-11-101-89/+260
| | | | | | | | | | | | | | | | | On MIPS, the IRQ and SoftIRQ handlers share the stack with whatever kernel thread was interrupted. This means that Curve25519 can be interrupted by, say, an ethernet controller, that then gets handled by a SoftIRQ. If something like l2tp is being used, which uses quite a bit of stack, then by the time the SoftIRQ handler gets to WireGuard code and calls into the stack-heavy ChaPoly functions, our 8k stack is shot. In other words, since Curve25519 is such a big consumer of stack, if it's interrupted by anything else that uses a healthy amount of stack, then disaster strikes. The solution here is just to allocate using kmalloc. This is quite ugly, and if performance becomes an issue, we might consider moving to a kmem_cache allocator, or even having each peer keep its own preallocated space. But for now, we'll try this.
* chacha20poly1305: don't forget version headerJason A. Donenfeld2016-11-091-0/+1
|
* chacha20poly1305: it's just as fast to use these more simple unaligned access helpersJason A. Donenfeld2016-11-071-36/+7
|
* chacha20poly1305: cleanup magic constantsexperimental-0.0.20161105Jason A. Donenfeld2016-11-051-3/+2
|
* c89: the static keyword is okay in c99, but not in c89Jason A. Donenfeld2016-11-056-22/+22
|
* data: keep FPU on when possibleJason A. Donenfeld2016-11-042-52/+41
|
* chacha20poly1305: src is different from dst on last pieceexperimental-0.0.20161103Jason A. Donenfeld2016-11-031-1/+1
| | | | | | | This took hours of debugging. In some cases, the src and dst are different for the last piece, so the incorrect code here resulted in computing the poly1305 over the wrong data. This lead to packets being unnecessarily dropped.
* Rework headers and includesJason A. Donenfeld2016-09-295-4/+6
|
* poly1305: optimize unaligned accessRené van Dorst2016-09-291-0/+30
|
* selftest: move to subfolderJason A. Donenfeld2016-08-023-207/+3
|
* c: specify static array size in function paramsJason A. Donenfeld2016-08-026-22/+22
| | | | | | | | | | | | | | | The C standard states: A declaration of a parameter as ``array of type'' shall be adjusted to ``qualified pointer to type'', where the type qualifiers (if any) are those specified within the [ and ] of the array type derivation. If the keyword static also appears within the [ and ] of the array type derivation, then for each call to the function, the value of the corresponding actual argument shall provide access to the first element of an array with at least as many elements as specified by the size expression. By changing void func(int array[4]) to void func(int array[static 4]), we automatically get the compiler checking argument sizes for us, which is quite nice.
* curve25519: unneeded zeros variableJason A. Donenfeld2016-07-071-2/+0
|
* chacha20poly1305: use more standard way of testing FPU featuresJason A. Donenfeld2016-06-291-7/+2
|
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.