openbsd/src/lib/libcrypto/modes, branch libressl-v4.2.1

openbsd/src/lib/libcrypto/modes, branch libressl-v4.2.1 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v4.2.1 2025-07-13T06:01:33+00:00 Simplify AES-XTS implementation and remove AES-NI specific code from EVP. 2025-07-13T06:01:33+00:00 jsing 2025-07-13T06:01:33+00:00 urn:sha1:f0234f5a33ecf3b2784f3e73bdf1e937abe56599 Provide aes_xts_encrypt_internal() and call that from aes_xts_cipher(). Have amd64 and i386 provide their own versions that dispatch to aesni_xts_encrypt()/aesni_xts_decrypt() as appropriate. The AESNI_CAPABLE code and methods can then be removed. ok tb@ Rework gcm128 implementation selection for amd64/i386. 2025-06-28T12:39:10+00:00 jsing 2025-06-28T12:39:10+00:00 urn:sha1:48723f4db60f6f8a8ad8424ffe5e0262d30f397c Provide gcm128_amd64.c and gcm128_i386.c, which contain the appropriate gcm128 initialisation and CPU feature tests for the respective platform. This allows for all of the #define spagetti to be removed from gcm128.c and removes one of the two remaining consumers of crypto_cpu_caps_ia32(). ok tb@ Use a single implementation of gcm_mul()/gcm_ghash(). 2025-06-28T12:32:27+00:00 jsing 2025-06-28T12:32:27+00:00 urn:sha1:6021a17fa478e42f9f97414c6114ffe64731e576 Since we always initialise the gmult/ghash function pointers, use the same implementaion of gcm_mul() and gcm_ghash(), regardless of the actual underlying implementation. ok tb@ Remove less than useful comment. 2025-06-28T12:25:22+00:00 jsing 2025-06-28T12:25:22+00:00 urn:sha1:426ed7c4756274bd9a701f02587dd1f650775f12 Make OPENSSL_IA32_SSE2 the default for i386 and remove the flag. 2025-06-09T14:28:34+00:00 jsing 2025-06-09T14:28:34+00:00 urn:sha1:951cd4503ff3c4cc93c1a36cf06138b1ddd739d7 The OPENSSL_IA32_SSE2 flag controls whether a number of the perlasm scripts generate additional implementations that use SSE2 functionality. In all cases except ghash, the code checks OPENSSL_ia32cap_P for SSE2 support, before trying to run SSE2 code. For ghash it generates a CLMUL based implementation in addition to different MMX version (one MMX version hides behind OPENSSL_IA32_SSE2, the other does not), however this does not appear to actually use SSE2. We also disable AES-NI on i386 if OPENSSL_IA32_SSE2. On OpenBSD, we've always defined OPENSSL_IA32_SSE2 so this is effectively a no-op. The only change is that we now check MMX rather than SSE2 for the ghash MMX implementation. ok bcook@ beck@ More code clean up. 2025-06-08T07:49:45+00:00 jsing 2025-06-08T07:49:45+00:00 urn:sha1:b878d30ee2aa2cabb825bb255a5071247dac4893 Fix some things that got missed in the last pass - the majority is use of post-increment rather than unnecessary pre-increment. Remove more mess related to arm assembly. 2025-06-08T07:38:42+00:00 jsing 2025-06-08T07:38:42+00:00 urn:sha1:7bd57f7872819358d673e776e52068a2886488b6 Mop up ghash arm assembly remnants. 2025-05-24T07:51:21+00:00 jsing 2025-05-24T07:51:21+00:00 urn:sha1:48113109399bcf835f01280f051dd6d6cb85cb3c Do a clean up pass over the GCM code. 2025-05-22T12:44:14+00:00 jsing 2025-05-22T12:44:14+00:00 urn:sha1:fbcd8e05b542515758e9d2624734a781d3d03247 Rework some logic, add explicit numerical checks, move assignment out of variable declaration and use post-increment/post-decrement unless there is a specific reason to do pre-increment. ok kenjiro@ tb@ Use timingsafe_memcmp() in CRYPTO_gcm128_finish(). 2025-05-22T12:33:36+00:00 jsing 2025-05-22T12:33:36+00:00 urn:sha1:d19325f59fd7a16b2759c55d0837d754c2f532f4 When checking the GCM tag, use timingsafe_memcmp() instead of memcmp(). ok tb@