summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/aes (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Remove #error if OPENSSL_NO_FOO is definedtb2025-01-252-10/+2
| | | | discussed with jsing
* AES_{decrypt,encrypt}() don't return void internal functiontb2024-11-131-3/+3
| | | | | | | "A return statement with an expression shall not appear in a function whose return type is void." ok deraadt miod
* Provide and use crypto_arch.h.jsing2024-08-112-2/+5
| | | | | | | | Provide a per architecture crypto_arch.h - this will be used in a similar manner to bn_arch.h and will allow for architecture specific #defines and static inline functions. Move the HAVE_AES_* and HAVE_RC4_* defines here. ok tb@
* Hide symbols in aesjoshua2024-03-303-3/+17
| | | | ok jsing
* Tweak defines since the Td4 table is only used for AES_{encrypt,decrypt}jsing2024-03-291-6/+9
|
* Always use C functions for AES_{encrypt,decrypt}().jsing2024-03-298-79/+107
| | | | | | | Always provide AES_{encrypt,decrypt}() via C functions, which then either use a C implementation or call the assembly implementation. ok tb@
* Always use C functions for AES_set_{encrypt,decrypt}_key().jsing2024-03-295-54/+85
| | | | | | | | Always include aes_core.c and provide AES_set_{encrypt,decrypt}_key() via C functions, which then either use a C implementation or call the assembly implementation. ok tb@
* Rename AES_cbc_encrypt to aes_cbc_encrypt_internal for the SEH handlers.jsing2024-03-291-4/+4
| | | | Should fix windows build.
* Merge aes_cbc.c into aes.c now that aes_cbc.c is used on all platforms.jsing2024-03-282-79/+26
|
* Make AES_cbc_encrypt() always be a C function.jsing2024-03-283-15/+26
| | | | | | | | Rename the assembly generated functions from AES_cbc_encrypt() to aes_cbc_encrypt_internal(). Always include aes_cbc.c and change it to use defines that are similar to those used in BN. ok tb@
* Consolidate most of the AES modes into a single C file.jsing2024-03-285-287/+68
| | | | Discussed with tb@
* Remove assembly for stitched modes.jsing2024-03-271-1237/+0
| | | | | The stitched modes have been removed, so having assembly for them is of little use.
* Replace GETU32 and PUTU32.jsing2024-03-272-29/+26
| | | | | | | | Replace GETU32 with crypto_load_be32toh() and PUTU32 with crypto_store_htobe32(). Make the offset handling cleaner at the same time. ok beck@ joshua@ tb@
* Remove near duplicate AES_set_{encrypt,decrypt}_key() functions.jsing2024-03-271-208/+2
| | | | | | | | | | | | | | | There are currently three ways in which AES is implemented - all in assembly (amd64 et al), all in C (aarch64 et al) and, half in C and half in assembly (hppa and sparc64). The last of these cases currently makes use of a near duplicate AES_set_{encrypt,decrypt}_key() implementation that avoids using the AES tables. Remove the near duplicate version and if only a half assembly version is implemented, use the same C version of AES_set_{encrypt,decrypt}_key() as everyone else. This adds around 8KB of rodata to libcrypto on these two platforms. Discussed with beck and tb.
* Use crypto_rol_u32() instead of an undefined ROTATE macro.jsing2024-03-271-9/+5
| | | | ok tb@
* Remove unused NDEBUG define.jsing2024-03-271-7/+1
|
* Tidy includes and a comment.jsing2024-03-271-3/+7
|
* Remove rather scary unused experimental code.jsing2024-03-271-1081/+0
| | | | ok tb@
* Add a few missing endbr64 to libcryptotb2024-02-241-0/+4
| | | | | | | | gcm_{gmult,ghash}_4bit(), aesni_ccm64_decrypt_blocks(), aes_cbc_encrypt(), and aesni_xts_{en,de}crypt() were overlooked in previous passes. Found with a diff for ld.lld by kettenis ok kettenis
* Replace uses of endbr64 with _CET_ENDBR from cet.htb2024-02-245-61/+61
| | | | | | | | | cet.h is needed for other platforms to emit the relevant .gnu.properties sections that are necessary for them to enable IBT. It also avoids issues with older toolchains on macOS that explode on encountering endbr64. based on a diff by kettenis ok beck kettenis
* aesni_ctr32_encrypt_blocks() is called indirectly from C code, so itderaadt2023-09-181-0/+1
| | | | | needs endbr64 ok kettenis tb
* Remove more *_options() stufftb2023-07-311-3/+1
| | | | | | | The public symbols were removed. Some prototypes and in the case of DES even the implementation remained. ok jsing
* Two files did not want to go away. Go!tb2023-07-281-0/+0
|
* Remove various ${thing}_optionstb2023-07-281-65/+0
| | | | | | | | | | Various, ancient ciphers exposed some of their innards via an _options() API. Apart from openssl version/speed, only some lua thingie in nmap ever looked at these. Go figure. hppa testing by miod, i386 testing by sthen. Thanks! ok jsing
* Add endbr64 where needed by inspection. Passes regresson tests.deraadt2023-04-255-0/+60
| | | | ok jsing, and kind of tb an earlier version
* Drop two useless READMEstb2023-04-171-3/+0
| | | | "go ahead" jsing
* Use explicit .text instead of .previous to please Windows/MinGW on amd64tb2023-02-235-5/+5
| | | | ok miod
* Use .section .rodata instead of a plain .rodatatb2023-02-095-5/+5
| | | | | | | | At least gcc 12 on Fedora is very unhappy about a plain .rodata and throws Error: unknown pseudo-op: `.rodata'. So add a .section in front of it to make it happy. ok deraadt miod
* Remove AIX toc data after every function. NFCmiod2023-02-021-23/+2
|
* Unbreak vpaes-x86 implementation.jsing2023-02-021-2/+0
| | | | | | Remove remnants of previous PIC handling. ok miod@
* Move all data blocks from .text to .rodata and cleanup up and homogeneize codemiod2023-02-013-38/+42
| | | | | | responsible from getting the proper address of those blocks. ok tb@ jsing@
* Move constants out of text segment into rodata to prepare for xonly supportderaadt2023-01-145-7/+10
| | | | | on amd64. no pic handling is neccessary since amd64 has full reach. ok kettenis
* Move all data tables from .text section to .rodata, and update the code tomiod2023-01-131-13/+48
| | | | | | | fetch them correctly when building PIC. Also drop unused data, and remove --no-execute-only from linker flags. ok kettenis@
* Move all data tables from .text section to .rodata, and update the code tomiod2023-01-131-16/+18
| | | | | | | fetch them correctly when building PIC. Also drop unused data, and remove --no-execute-only from linker flags. ok jsing@ kettenis@
* spelling fixes; from paul tagliamontejmc2022-12-266-23/+23
| | | | | | | i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct ok tb
* Make header guards of internal headers consistenttb2022-11-261-4/+4
| | | | | Not all of them, only those that didn't leak into a public header... Yes.
* Make internal header file names consistenttb2022-11-266-11/+11
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Add stack frames to AES-NI x86_64 assembly.jsing2022-07-301-39/+58
| | | | | | | | | | | | | | | | | | | | | The current AES-NI x86_64 assembly does some strange, although valid things, such as making internal function calls without creating stack frames. In this case, the return address lands in the red zone (which it allows for when making use of the stack) and everything works as expected. However, this trips a false positive in valgrind, which seems to think that any data saved on the stack prior to the internal function call is now "undefined" once the function returns. Avoid this by actually using stack frames - this brings in most of 6a40ebe86b4 from OpenSSL, omitting the unnecessary explicit stack alignment (which was apparently added so this code could be used in the Linux kernel with an incorrectly aligned stack). Valgrind issue reported by Steffen Jaeckel (@sjaeckel), found via libstrophe unit tests. ok tb@
* Use memmove instead of memcpy for overlapping memoryinoguchi2022-01-221-5/+5
| | | | | | CID 250936 251103 OK beck@ jsing@ millert@ tb@
* Use memmove() instead of memcpy() to get rid of the need fortb2018-11-071-3/+3
| | | | | | | | | non-overlapping *in and *out buffers as we're already implementing the "in place (un)wrapping" algorithms as given in RFC 3394. This removes a gratuitous API difference to OpenSSLin these undocumented functions. Found while working on wycheproof regress tests. ok beck jsing
* RFC 3394 section 2 states that we need at least two 64 bit blockstb2018-10-201-6/+6
| | | | | | | | | | | | | | for wrapping and, accordingly, three 64 bit blocks for unwrapping. That is: we need at least 16 bytes for wrapping and 24 bytes for unwrapping. This also matches the lower bounds that OpenSSL have in their CRYPTO_128_{un,}wrap() functions. In fact, if we pass an input with 'inlen < 8' to AES_unwrap_key(), this results in a segfault since then inlen -= 8 underflows. Found while playing with the Wycheproof keywrap test vectors. ok bcook
* KNF: move two opening curly braces of function bodies to their own linestb2018-04-031-2/+3
|
* On OpenBSD/armv7 we deliberately trap unaligned access. Unfortunatelykettenis2018-01-071-7/+7
| | | | | | | | the assembly code in libcrypto assumes unaligned access is allowed for ARMv7. Make these paths conditional on __STRICT_ALIGNMENT not being defined and define __STRICT_ALIGNMENT in arm_arch.h for OpenBSD. ok tom@
* http://repzret.org/p/repzret/deraadt2017-12-111-5/+5
| | | | | | | | | | My read of this: Long time ago (Think Conan, not dinasaurs) during the race to make speedier processors, a cpu vendor built a pipeline with a bad stall, and proposed a tremendously hasky workaround. A wizard adopted this into his perl scroll, and failed to reflect later when no compiler adopted the practice. This relic remains at the tail end of some functions in OpenSSL as ".byte 0xf3,0xc3". Banish it straight to hell. ok mlarkin, others also stared blankly
* Explicitly export a list of symbols from libcrypto.jsing2016-12-211-1/+5
| | | | | | | | | | | | | | | | Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* Replace all uses of magic numbers when operating on OPENSSL_ia32_P[] bymiod2016-11-043-10/+13
| | | | | | | | | | | | | | | meaningful constants in a private header file, so that reviewers can actually get a chance to figure out what the code is attempting to do without knowing all cpuid bits. While there, turn it from an array of two 32-bit ints into a properly aligned 64-bit int. Use of OPENSSL_ia32_P is now restricted to the assembler parts. C code will now always use OPENSSL_cpu_caps() and check for the proper bits in the whole 64-bit word it returns. i386 tests and ok jsing@
* Less S390.jsing2016-09-041-2237/+0
| | | | ok deraadt@
* Less IA64.jsing2016-09-041-1123/+0
| | | | ok deraadt@
* Cast Td4[] values (which are uint8_t) to uint32_t before shifting them left bymiod2015-11-051-5/+5
| | | | | | | | | 24 bits; if we don't, Td4[] gets cast to signed int, and according to C>=99 6.5.7, signed int shifted by enough bits to cause a the sign bit to be set is an UB. Reported by Pascal Cuoq on behalf of the trust-in-soft.com mafia I am {partial,slightly related} to.
* Correct spelling of OPENSSL_cleanse.jsing2015-09-101-2/+2
| | | | ok miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 01:02:11 +0000