Commit message | Author | Age | Files | Lines

There are currently three ways in which AES is implemented - all in
assembly (amd64 et al), all in C (aarch64 et al) and, half in C and
half in assembly (hppa and sparc64). The last of these cases currently
makes use of a near duplicate AES_set_{encrypt,decrypt}_key()
implementation that avoids using the AES tables.
Remove the near duplicate version and if only a half assembly version is
implemented, use the same C version of AES_set_{encrypt,decrypt}_key() as
everyone else. This adds around 8KB of rodata to libcrypto on these two
platforms.
Discussed with beck and tb.

ok tb@

ok tb@

gcm_{gmult,ghash}_4bit(), aesni_ccm64_decrypt_blocks(), aes_cbc_encrypt(),
and aesni_xts_{en,de}crypt() were overlooked in previous passes.
Found with a diff for ld.lld by kettenis
ok kettenis

cet.h is needed for other platforms to emit the relevant .gnu.properties
sections that are necessary for them to enable IBT. It also avoids issues
with older toolchains on macOS that explode on encountering endbr64.
based on a diff by kettenis
ok beck kettenis

needs endbr64
ok kettenis tb

The public symbols were removed. Some prototypes and in the case of DES
even the implementation remained.
ok jsing

Various, ancient ciphers exposed some of their innards via an _options()
API. Apart from openssl version/speed, only some lua thingie in nmap ever
looked at these. Go figure.
hppa testing by miod, i386 testing by sthen. Thanks!
ok jsing

ok jsing, and kind of tb an earlier version

"go ahead" jsing

ok miod

At least gcc 12 on Fedora is very unhappy about a plain .rodata and throws
Error: unknown pseudo-op: `.rodata'. So add a .section in front of it to
make it happy.
ok deraadt miod

Remove remnants of previous PIC handling.
ok miod@

responsible from getting the proper address of those blocks.
ok tb@ jsing@

on amd64. no pic handling is necessary since amd64 has full reach.
ok kettenis

fetch them correctly when building PIC. Also drop unused data, and remove
--no-execute-only from linker flags.
ok kettenis@

fetch them correctly when building PIC. Also drop unused data, and remove
--no-execute-only from linker flags.
ok jsing@ kettenis@

i removed the arithmetics -> arithmetic changes, as i felt they
were not clearly correct
ok tb

Not all of them, only those that didn't leak into a public header...
Yes.

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook

The current AES-NI x86_64 assembly does some strange, although valid
things, such as making internal function calls without creating stack
frames. In this case, the return address lands in the red zone (which it
allows for when making use of the stack) and everything works as expected.
However, this trips a false positive in valgrind, which seems to think that
any data saved on the stack prior to the internal function call is now
"undefined" once the function returns.
Avoid this by actually using stack frames - this brings in most of
6a40ebe86b4 from OpenSSL, omitting the unnecessary explicit stack alignment
(which was apparently added so this code could be used in the Linux kernel
with an incorrectly aligned stack).
Valgrind issue reported by Steffen Jaeckel (@sjaeckel), found via
libstrophe unit tests.
ok tb@

CID 250936 251103
OK beck@ jsing@ millert@ tb@

non-overlapping *in and *out buffers as we're already implementing
the "in place (un)wrapping" algorithms as given in RFC 3394. This
removes a gratuitous API difference to OpenSSL in these undocumented
functions. Found while working on wycheproof regress tests.
ok beck jsing

for wrapping and, accordingly, three 64 bit blocks for unwrapping.
That is: we need at least 16 bytes for wrapping and 24 bytes for
unwrapping. This also matches the lower bounds that OpenSSL have
in their CRYPTO_128_{un,}wrap() functions.
In fact, if we pass an input with 'inlen < 8' to AES_unwrap_key(),
this results in a segfault since then inlen -= 8 underflows.
Found while playing with the Wycheproof keywrap test vectors.
ok bcook

the assembly code in libcrypto assumes unaligned access is allowed for
ARMv7. Make these paths conditional on __STRICT_ALIGNMENT not being
defined and define __STRICT_ALIGNMENT in arm_arch.h for OpenBSD.
ok tom@

My read of this: Long time ago (Think Conan, not dinosaurs) during the race
to make speedier processors, a cpu vendor built a pipeline with a bad stall,
and proposed a tremendously hacky workaround. A wizard adopted this into his
perl scroll, and failed to reflect later when no compiler adopted the practice.
This relic remains at the tail end of some functions in OpenSSL as
".byte 0xf3,0xc3". Banish it straight to hell.
ok mlarkin, others also stared blankly

Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting
the bn_* symbols. These are documented as only being intended for internal
use, so why they were placed in a public header is beyond me...
This hides 363 previously exported symbols, most of which exist in headers
that are not installed and were never intended to be public. This also
removes a few crusty old things that should have died long ago (like
_ossl_old_des_read_pw). But don't worry... there are still 3451 symbols
exported from the library.
With input and testing from inoguchi@.
ok beck@ inoguchi@

meaningful constants in a private header file, so that reviewers can actually
get a chance to figure out what the code is attempting to do without knowing
all cpuid bits.
While there, turn it from an array of two 32-bit ints into a properly aligned
64-bit int.
Use of OPENSSL_ia32_P is now restricted to the assembler parts. C code will
now always use OPENSSL_cpu_caps() and check for the proper bits in the
whole 64-bit word it returns.
i386 tests and ok jsing@

ok deraadt@

ok deraadt@

24 bits; if we don't, Td4[] gets cast to signed int, and according to C>=99
6.5.7, signed int shifted by enough bits to cause the sign bit to be set
is UB.
Reported by Pascal Cuoq on behalf of the trust-in-soft.com mafia I am
{partial,slightly related} to.

ok miod@

raw byte sequences. The toolchains have had some time to update and assemble
the instructions correctly (except for p{ins,ext}rd which are not supported
yet by as(1) under OpenBSD, but will be fixed shortly).
Inspired by a discussion between tedu@ and John-Mark Gurney.
Verified to still work on Mac OS X and average Linux distros by bcook@

same four bytes, unobfuscated.

for libraries in OpenBSD is to deliberately let NULL pointers cause a SIGSEGV.
ok doug@ jsing@

generating code for 64-bit mips userland.

ok jsing@ miod@

Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.
ok beck@ miod@

are needed in the source files that actually require them.
ok beck@ miod@

Also remove unused des_ver.h, which exports some of these strings, but is not installed.
ok miod@ tedu@

internal interfaces, and promoting them to being the public
AES_set_{enc,dec}rypt_key() interfaces. In non-FIPS mode, these public
interfaces were directly calling the private ones.
ok guenther@ jsing@