path: root/src/crypto

Commit log. Each entry lists the commit subject, then author, date, number of files changed and lines removed/added, followed by the commit message body where one exists.
* crypto: explicitly dual license
  Jason A. Donenfeld, 2018-09-20, 41 files, -41/+41
  Suggested-by: Thomas Gleixner <tglx@linutronix.de>

* poly1305: account for simd being toggled off midway
  Jason A. Donenfeld, 2018-09-20, 3 files, -26/+131
  This is a very rare occurrence, but we should account for it, so that the calculations aren't wrong. Here we convert from base 2^26 back to base 2^64.

* chacha20: prefer crypto_xor_cpy to avoid memmove
  Jason A. Donenfeld, 2018-09-20, 1 file, -5/+3
  Suggested-by: Eric Biggers <ebiggers@kernel.org>

* poly1305: no need to trick gcc 8.1
  Jason A. Donenfeld, 2018-09-19, 1 file, -2/+2
  This reverts 37f114a73ba37219b00a66f0a51219a696599745, since gcc 8.2 no longer exhibits that bug.
  Suggested-by: Eric Biggers <ebiggers@kernel.org>

* blake2s: simplify final function
  Jason A. Donenfeld, 2018-09-19, 2 files, -40/+9
  Suggested-by: Eric Biggers <ebiggers@kernel.org>

* poly1305: better module description
  Jason A. Donenfeld, 2018-09-18, 1 file, -1/+1

* chacha20: add independent self test
  Jason A. Donenfeld, 2018-09-18, 2 files, -0/+1188
  This was already tested from the chacha20poly1305 test, but it's useful to be able to test this in isolation too.

* chacha20poly1305: add __init to selftest helper functions
  Jason A. Donenfeld, 2018-09-18, 1 file, -3/+3

* curve25519-arm: only compile if symbols will be used
  Jason A. Donenfeld, 2018-09-18, 1 file, -1/+1

* chacha20-x86_64: use correct cut off for avx512-vl
  Jason A. Donenfeld, 2018-09-18, 1 file, -1/+1

* poly1305-x86_64: show full struct for state
  Jason A. Donenfeld, 2018-09-18, 1 file, -5/+7

* crypto: allow for disabling simd in zinc modules
  Jason A. Donenfeld, 2018-09-18, 6 files, -9/+33

* chacha20-x86_64: more limited cascade
  Jason A. Donenfeld, 2018-09-18, 1 file, -5/+4

* chacha20poly1305: relax simd between sg chunks
  Jason A. Donenfeld, 2018-09-18, 1 file, -0/+2

* crypto: turn Zinc into individual modules
  Jason A. Donenfeld, 2018-09-18, 24 files, -42/+166

* crypto: do not use -include trick
  Jason A. Donenfeld, 2018-09-17, 14 files, -51/+34

* poly1305-x86_64: don't activate simd for small blocks
  Jason A. Donenfeld, 2018-09-17, 1 file, -3/+14

* chacha20-x86_64: don't activate simd for small blocks
  Jason A. Donenfeld, 2018-09-17, 1 file, -1/+2

* crypto: pass simd by reference
  Jason A. Donenfeld, 2018-09-17, 14 files, -83/+89

* chacha20-x86_64: cascade down implementations
  Jason A. Donenfeld, 2018-09-17, 1 file, -3/+3

* poly1305: do not require simd context for arch
  Jason A. Donenfeld, 2018-09-17, 8 files, -22/+14

* crypto: make MIT
  Jason A. Donenfeld, 2018-09-16, 39 files, -39/+39

* chacha20-arm: swap scalar and neon functions
  Jason A. Donenfeld, 2018-09-13, 1 file, -697/+697
  This brings us closer to the original code.

* poly1305: precompute 5*r in init instead of blocks
  Jason A. Donenfeld, 2018-09-12, 2 files, -6/+18

* curve25519-x86_64: remove useless define
  Jason A. Donenfeld, 2018-09-12, 1 file, -1/+0

* chacha20: add constant for words in block
  Jason A. Donenfeld, 2018-09-12, 2 files, -2/+3

* poly1305: rename finish to final
  Jason A. Donenfeld, 2018-09-11, 5 files, -13/+13

* crypto: make sure UML is properly disabled
  Jason A. Donenfeld, 2018-09-11, 1 file, -4/+4

* crypto: do not use compound literals in selftests
  Jason A. Donenfeld, 2018-09-11, 2 files, -7704/+7710
  gcc can't apply section attributes to compound literals, so we can't mark the actual data as __initconst. We thus waste space instead, but this shouldn't matter much, since it's cleared after init anyway, and because this is only for debugging.

* blake2s-x86_64: fix whitespace errors
  Jason A. Donenfeld, 2018-09-10, 1 file, -2/+2

* poly1305: switch to donna
  Jason A. Donenfeld, 2018-09-10, 3 files, -183/+398

* poly1305: rewrite self tests from scratch
  Jason A. Donenfeld, 2018-09-08, 1 file, -1529/+831
  This removes the old cruft and makes things a bit more idiomatic.

* compat: move simd.h from crypto to compat since it's going upstream
  Jason A. Donenfeld, 2018-09-06, 1 file, -65/+0

* crypto: use CRYPTOGAMS license
  Jason A. Donenfeld, 2018-09-06, 9 files, -23/+27

* curve25519: arm: do not modify sp directly
  Jason A. Donenfeld, 2018-09-06, 1 file, -3/+3
  Thumb doesn't like this.
  Reported-by: Roman Mamedov <rm@romanrm.net>

* global: prefer sizeof(*pointer) when possible
  Jason A. Donenfeld, 2018-09-04, 2 files, -2/+2
  Suggested-by: Sultan Alsawaf <sultanxda@gmail.com>

* crypto: import zinc
  Jason A. Donenfeld, 2018-09-03, 42 files, -984/+14670

* curve25519-arm: prefix immediates with #
  Jason A. Donenfeld, 2018-08-28, 1 file, -18/+18

* curve25519-arm: do not waste 32 bytes of stack
  Jason A. Donenfeld, 2018-08-28, 1 file, -88/+88

* curve25519-arm: use ordinary prologue and epilogue
  Samuel Neves, 2018-08-28, 1 file, -18/+6
  Signed-off-by: Samuel Neves <sneves@dei.uc.pt>

* curve25519-arm: add spaces after commas
  Jason A. Donenfeld, 2018-08-28, 1 file, -2074/+2074

* curve25519-arm: cleanups from lkml
  Jason A. Donenfeld, 2018-08-28, 1 file, -33/+30
  Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

* curve25519-arm: reformat
  Jason A. Donenfeld, 2018-08-28, 1 file, -2096/+2096

* curve25519-x86_64: let the compiler decide when/how to load constants
  Samuel Neves, 2018-08-28, 1 file, -5/+2
  Signed-off-by: Samuel Neves <sneves@dei.uc.pt>

* curve25519-hacl64: use formally verified C for comparisons
  Jason A. Donenfeld, 2018-08-28, 1 file, -6/+19
  The previous code had been proved in Z3, but this new code from upstream KreMLin is directly generated from the F*, which is preferable. The assembly generated is identical.

* crypto: use unaligned helpers
  Jason A. Donenfeld, 2018-08-28, 7 files, -48/+51
  This is not useful for WireGuard, but for the general use case we probably want it this way, and the speed difference is mostly lost in the noise.
* curve25519-hacl64: correct u64_gte_mask
  Samuel Neves, 2018-08-07, 1 file, -3/+1
  Remove signed right shifts. Previously u64_gte_mask was only correct for x < 2^63.

  Z3 script proving correctness:

    >>> from z3 import *
    >>>
    >>> x = BitVec("x", 64)
    >>> y = BitVec("y", 64)
    >>>
    >>> t = LShR(x^((x^y)|((x-y)^y)), 63) - 1
    >>>
    >>> prove(If(UGE(x, y), BitVecVal(-1, 64), BitVecVal(0, 64)) == t)
    proved

  Signed-off-by: Samuel Neves <sneves@dei.uc.pt>

* curve25519-hacl64: simplify u64_eq_mask
  Samuel Neves, 2018-08-07, 1 file, -8/+3
  Avoid signed right shift. Z3 script showing equivalence:

    >>> from z3 import *
    >>>
    >>> x = BitVec("x", 64)
    >>> y = BitVec("y", 64)
    >>>
    >>> # Before
    ... x_ = ~(x ^ y)
    >>> x_ &= x_ << 32
    >>> x_ &= x_ << 16
    >>> x_ &= x_ << 8
    >>> x_ &= x_ << 4
    >>> x_ &= x_ << 2
    >>> x_ &= x_ << 1
    >>> x_ >>= 63
    >>>
    >>> # After
    ... y_ = x ^ y
    >>> y_ = y_ | -y_
    >>> y_ = LShR(y_, 63) - 1
    >>>
    >>> prove(x_ == y_)
    proved

  Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
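The two u64_gte_mask and u64_eq_mask commits above share one idea: build a 64-bit all-ones/all-zeros mask from a comparison using only unsigned (logical) shifts, so the result is branch-free and correct over the whole 64-bit range. The following C is an added illustration written for this page, not the hacl64 code in the repository; it transcribes the exact expressions the Z3 scripts prove, adds a deliberately naive signed-shift variant (hypothetical, labelled as such, not the code the first commit replaced) to show the "only correct for x < 2^63" failure class, and checks all of them against plain comparisons on constructed edge values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All ones if x >= y (unsigned), else zero.
 * Matches t = LShR(x^((x^y)|((x-y)^y)), 63) - 1 from the commit message:
 * the top bit of the inner expression is the borrow of x - y, i.e. 1 iff x < y.
 * Only uint64_t is used, so the >> is a logical shift like Z3's LShR. */
static uint64_t u64_gte_mask(uint64_t x, uint64_t y)
{
	uint64_t borrow = (x ^ ((x ^ y) | ((x - y) ^ y))) >> 63;
	return borrow - 1;
}

/* All ones if x == y, else zero.
 * Matches the "After" script: d = x^y; d |= -d; LShR(d, 63) - 1. */
static uint64_t u64_eq_mask(uint64_t x, uint64_t y)
{
	uint64_t d = x ^ y;          /* zero iff x == y */
	d |= (uint64_t)0 - d;        /* top bit set iff d != 0 */
	return (d >> 63) - 1;
}

/* HYPOTHETICAL naive variant (not the old hacl64 code): sign-extends x - y
 * with a signed right shift. It only works while both inputs are below 2^63,
 * which is the failure class the first commit describes. Right-shifting a
 * negative int64_t is implementation-defined in C (arithmetic on gcc/clang). */
static uint64_t u64_gte_mask_signed_shift(uint64_t x, uint64_t y)
{
	return ~(uint64_t)((int64_t)(x - y) >> 63);
}

/* Typical consumer of such masks: pick a or b without a data-dependent branch. */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b)
{
	return (a & mask) | (b & ~mask);
}

/* Constructed edge values straddling 2^63 and the wrap-around boundary. */
static const uint64_t sample_vals[] = {
	0, 1, 2, 0x7fffffffffffffffULL, 0x8000000000000000ULL,
	0x8000000000000001ULL, 0xfffffffffffffffeULL, 0xffffffffffffffffULL,
};
#define N_VALS (sizeof(sample_vals) / sizeof(sample_vals[0]))

/* Returns 1 if the logical-shift masks agree with plain comparisons on every pair. */
static int masks_match_reference(void)
{
	for (size_t i = 0; i < N_VALS; i++)
		for (size_t j = 0; j < N_VALS; j++) {
			uint64_t x = sample_vals[i], y = sample_vals[j];
			if (u64_gte_mask(x, y) != (x >= y ? ~0ULL : 0ULL))
				return 0;
			if (u64_eq_mask(x, y) != (x == y ? ~0ULL : 0ULL))
				return 0;
		}
	return 1;
}

/* Counts pairs on which the naive signed-shift variant gives the wrong mask. */
static int signed_shift_failures(void)
{
	int failures = 0;
	for (size_t i = 0; i < N_VALS; i++)
		for (size_t j = 0; j < N_VALS; j++) {
			uint64_t x = sample_vals[i], y = sample_vals[j];
			if (u64_gte_mask_signed_shift(x, y) != (x >= y ? ~0ULL : 0ULL))
				failures++;
		}
	return failures;
}

int main(void)
{
	printf("logical-shift masks match reference: %s\n",
	       masks_match_reference() ? "yes" : "NO");
	printf("signed-shift variant wrong on %d of %zu pairs\n",
	       signed_shift_failures(), (size_t)(N_VALS * N_VALS));
	/* 2^63 >= 0 is true, but the signed-shift variant sees a "negative" difference. */
	printf("signed-shift gte(2^63, 0) = 0x%016llx (should be all ones)\n",
	       (unsigned long long)u64_gte_mask_signed_shift(0x8000000000000000ULL, 0));
	return masks_match_reference() ? 0 : 1;
}
```

The reference comparisons in masks_match_reference are only for checking; in real constant-time code the plain `>=` is exactly what the mask replaces, since a compiler may turn it into a branch.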
* chacha20: use memmove in case buffers overlap
  Jason A. Donenfeld, 2018-08-07, 1 file, -1/+1
  Suggested-by: Samuel Neves <sneves@dei.uc.pt>

* curve25519-x86_64: avoid use of r12
  Jason A. Donenfeld, 2018-08-07, 1 file, -107/+107
  This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register.
  Suggested-by: PaX Team <pageexec@freemail.hu>