path: root/src/lib/libcrypto
Commit message | Author | Age | Files | Lines
* Avoid asm("") for MSVC | tb | 15 hours | 1 file | -1/+5
  This allows us to get rid of an ugly patch in portable.
  ok jsing
* Mop up the now unused RC4_CHUNK defines. | jsing | 47 hours | 13 files | -130/+0
  ok tb@
* Further simplify the rc4 implementation. | jsing | 47 hours | 1 file | -117/+45
  The RC4_CHUNK related code is intended to process native word sized chunks if the input and output are naturally aligned. However, RC4_CHUNK is currently a mess of machine dependent defines. Replace this with uint64_t on all architectures - 64 bit architectures will be happy with this and on 32 bit architectures the compiler can decompose this into multiple 32 bit operations.

  Provide separate rc4_chunk() implementations for big and little endian, since not all architectures have a byte swap instruction that would make this a cheap conversion.

  Thanks to gkoehler@ and tb@ for testing on big endian.
  ok tb@
* Tweak comment in asn1_item_free: KNF, missing comma, wont -> won't. | tb | 4 days | 1 file | -3/+4
* unbreak tree after committing from wrong place | beck | 5 days | 1 file | -223/+1
* Add a reasonable ML-KEM API for public use. | beck | 5 days | 8 files | -302/+1385
  Adapt the tests to use this API. This does not yet make the symbols public in Symbols.list which will happen shortly with a bump.

  This includes some partial rototilling of the non-public interfaces which will be shortly continued when the internal code is deduplicated to not have multiple copies for ML-KEM 768 and ML-KEM 1024 (which is just an artifact of unravelling the boring C++ code).
  ok jsing@, tb@
* Use faster versions of bignum_{mul,sqr}_{4_8,6_12,8_16}() if possible. | jsing | 5 days | 1 file | -10/+41
  If ADX instructions are available, use the non-_alt version of s2n-bignum's bignum_{mul,sqr}_{4_8,6_12,8_16}(), which are faster than the _alt non-ADX versions.
  ok tb@
* Provide amd64 specific versions of bn_mul_comba6() and bn_sqr_comba6(). | jsing | 5 days | 2 files | -2/+22
  These use s2n-bignum's bignum_mul_6_12_alt() and bignum_sqr_6_12_alt() functions.
  ok tb@
* Provide bn_mod_add_words() and bn_mod_sub_words() on amd64. | jsing | 5 days | 2 files | -2/+25
  These use s2n-bignum's bignum_modadd() and bignum_modsub() routines.
  ok tb@
* Add special handling for multiplication and squaring of BNs with six words. | jsing | 5 days | 2 files | -2/+6
  In these cases make use of bn_mul_comba6() or bn_sqr_comba6(), which are faster than the normal path.
  ok tb@
* Hook additional s2n-bignum routines to the amd64 build. | jsing | 5 days | 1 file | -1/+11
* Add CPU feature detection for ADX on amd64. | jsing | 5 days | 2 files | -5/+10
  Add detection of Multi-Precision Add-Carry Instruction Extensions on amd64. s2n-bignum provides a number of fast multiplication routines that can leverage these instructions.
  ok tb@
* Clean up parts of rc4. | jsing | 5 days | 1 file | -79/+40
  Provide a static inline rc4_step() function that replaces the near identical RC4_STEP and RC4_LOOP macros. Simplify the processing loop and use for loops with small constants, which the compiler can unroll if it wants to do so. Inline the SK_LOOP macro in rc4_set_key_internal(), also using a small loop that the compiler will most likely unroll.
  ok tb@
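Added example, not libcrypto's rc4.c: the shape that the two rc4 commits above describe ("Further simplify the rc4 implementation" and this one), namely a static inline rc4_step() standing in for the old macros, plus an rc4_chunk() that packs eight keystream bytes into a uint64_t in memory order so the same XOR is correct on big and little endian, and a processing loop that only takes the wide path when input and output are naturally aligned. The function names are taken from the commit messages; the bodies, the rc4_ctx type, the alignment gate and the selftest are written for this page, and the test vectors are the standard public RC4 ones. memcpy() is used for the wide load and store so the code is strict-aliasing clean; the compiler folds it into a single 64-bit access. RC4 itself is a broken cipher; the point here is the implementation structure, not a recommendation to use it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t x, y, s[256]; } rc4_ctx;

static void
rc4_set_key(rc4_ctx *ctx, const uint8_t *key, size_t keylen)
{
	uint8_t j = 0, t;
	int i;
	for (i = 0; i < 256; i++)
		ctx->s[i] = (uint8_t)i;
	for (i = 0; i < 256; i++) {
		j = (uint8_t)(j + ctx->s[i] + key[i % keylen]);
		t = ctx->s[i]; ctx->s[i] = ctx->s[j]; ctx->s[j] = t;
	}
	ctx->x = ctx->y = 0;
}

/* One PRGA step; this is what replaces the RC4_STEP/RC4_LOOP macros. */
static inline uint8_t
rc4_step(rc4_ctx *ctx)
{
	uint8_t a, b;
	ctx->x = (uint8_t)(ctx->x + 1);
	a = ctx->s[ctx->x];
	ctx->y = (uint8_t)(ctx->y + a);
	b = ctx->s[ctx->y];
	ctx->s[ctx->x] = b;
	ctx->s[ctx->y] = a;
	return ctx->s[(uint8_t)(a + b)];
}

/* Eight keystream bytes packed in memory order, so a single 64-bit XOR is
 * correct on either endianness and no byte swap is needed. */
static inline uint64_t
rc4_chunk(rc4_ctx *ctx)
{
	const uint16_t probe = 1;
	const int big_endian = *(const uint8_t *)&probe == 0;
	uint64_t ks = 0;
	int i;
	for (i = 0; i < 8; i++) {
		uint8_t k = rc4_step(ctx);
		ks = big_endian ? (ks << 8) | k : ks | ((uint64_t)k << (8 * i));
	}
	return ks;
}

/* Wide path only when both buffers are naturally aligned; the tail and the
 * unaligned case go through rc4_step() a byte at a time. */
static void
rc4_crypt(rc4_ctx *ctx, const uint8_t *in, uint8_t *out, size_t len)
{
	uint64_t w;
	if (((uintptr_t)in | (uintptr_t)out) % sizeof(w) == 0) {
		for (; len >= sizeof(w); len -= sizeof(w)) {
			memcpy(&w, in, sizeof(w));	/* one aligned load */
			w ^= rc4_chunk(ctx);
			memcpy(out, &w, sizeof(w));
			in += sizeof(w);
			out += sizeof(w);
		}
	}
	for (; len > 0; len--)
		*out++ = *in++ ^ rc4_step(ctx);
}

/* Returns 1 if the aligned (chunked) and deliberately misaligned (bytewise)
 * paths agree with each other and with the well-known RC4 test vectors. */
static int
rc4_selftest(void)
{
	static const struct { const char *key, *pt, *ct_hex; } v[] = {
		{ "Key", "Plaintext", "bbf316e8d940af0ad3" },
		{ "Wiki", "pedia", "1021bf0420" },
		{ "Secret", "Attack at dawn", "45a01f645fc35b383552544b9bf5" },
	};
	uint64_t aligned[4], misaligned[5];
	uint8_t *buf = (uint8_t *)aligned, *unal = (uint8_t *)misaligned + 1;
	char hex[65];
	rc4_ctx ctx;
	size_t i, n, len;

	for (n = 0; n < sizeof(v) / sizeof(v[0]); n++) {
		len = strlen(v[n].pt);
		memcpy(buf, v[n].pt, len);
		memcpy(unal, v[n].pt, len);
		rc4_set_key(&ctx, (const uint8_t *)v[n].key, strlen(v[n].key));
		rc4_crypt(&ctx, buf, buf, len);		/* aligned, in place */
		rc4_set_key(&ctx, (const uint8_t *)v[n].key, strlen(v[n].key));
		rc4_crypt(&ctx, unal, unal, len);	/* unaligned */
		if (memcmp(buf, unal, len) != 0)
			return 0;
		for (i = 0; i < len; i++)
			snprintf(hex + 2 * i, 3, "%02x", buf[i]);
		if (strcmp(hex, v[n].ct_hex) != 0)
			return 0;
	}
	return 1;
}
```

The selftest exercises both paths: "Plaintext" and "Attack at dawn" are long enough for one 8-byte chunk plus a bytewise tail on the aligned buffer, while the copy at an odd offset is forced down the bytewise path, and both must match the published ciphertext.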
* Revise include to match the name that we use. | jsing | 7 days | 10 files | -20/+20
* Replace SPDX-License-Identifier with actual license. | jsing | 7 days | 10 files | -20/+130
* Add RCS tags to new files. | jsing | 7 days | 10 files | -0/+20
* Bring in bignum_mod{add,sub}() from s2n-bignum. | jsing | 7 days | 2 files | -0/+185
  These provide modular addition and subtraction.
* Bring in bignum_{mul,sqr}_{4_8,8_16}() from s2n-bignum. | jsing | 7 days | 4 files | -0/+877
  These provide fast multiplication and squaring of inputs with 4 words or 8 words, producing an 8 or 16 word result. These versions require the CPU to support ADX instructions, while the _alt versions that have previously been imported do not.
* Bring in bignum_{mul,sqr}_6_12{,_alt}() from s2n-bignum. | jsing | 7 days | 4 files | -0/+807
  These provide fast multiplication and squaring of inputs with 6x words, producing a 12 word result. The non-_alt versions require the CPU to support ADX instructions, while the _alt versions do not.
* Add RCS tags. | jsing | 7 days | 2 files | -0/+4
* Add const to bignum_*() function calls. | jsing | 7 days | 1 file | -16/+16
  Now that s2n-bignum has marked various inputs as const, we can do the same. In most cases we were casting away const, which we no longer need to do.
* Sync headers from s2n-bignum. | jsing | 7 days | 2 files | -236/+588
  This effectively brings in new function prototypes, a chunk of const additions and some new defines.
* Add RCS tags. | jsing | 8 days | 11 files | -0/+22
* Resync s2n-bignum primitives for amd64 with upstream. | jsing | 8 days | 11 files | -115/+113
  This amounts to whitespace changes and label renaming.
* Clean up and move define to correct place. | beck | 9 days | 2 files | -5/+3
  ok tb@
* sync CA certificates from newer mozilla list, ok tb@ | sthen | 13 days | 1 file | -339/+1
  https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt
  SHA256 (certdata.txt) = 579f336ace2e5717b8ecc06002ce0cce96f70623d188e1999c34b0f77696d3e9

  Removals:
  - /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
  - /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
  - /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
  - /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
  - /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
  - /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
  - /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority

  Addition:
  + /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
* Speed up bn_{mod,sqr}_mul_words() for specific inputs. | jsing | 14 days | 1 file | -3/+25
  Use bn_{mul,sqr}_comba{4,6,8}() and bn_montgomery_reduce_words() for specific input sizes. This is significantly faster than using bn_montgomery_multiply_words().
  ok tb@
* Provide bn_sqr_comba6(). | jsing | 14 days | 2 files | -2/+48
  This allows for fast squaring of a 6 word array.
  ok tb@
* Provide bn_mul_comba6(). | jsing | 14 days | 2 files | -2/+63
  This allows for fast multiplication of two 6 word arrays.
  ok tb@
* Mark the inputs to bn_mul_comba{4,8}() as const. | jsing | 14 days | 3 files | -9/+9
  This makes it consistent with bn_sqr_comba{4,8}() and simplifies an upcoming change.
  ok tb@
* Implement constant time EC scalar multiplication. | jsing | 2025-08-03 | 1 file | -16/+103
  Replace simplistic non-constant time scalar multiplication with a constant time version. This is actually faster since we compute multiples of the point, then double four times and add once. The multiple to add is selected conditionally, ensuring that the access patterns remain the same regardless of value.

  Inspired by Go's scalar multiplication code.
  ok tb@
* Remove duplicate computation for b3. | jsing | 2025-08-03 | 1 file | -5/+1
* Add prototype for EC_GFp_homogeneous_projective_method(). | jsing | 2025-08-03 | 1 file | -1/+2
* Avoid signed overflow in BN_MONT_CTX_set() | tb | 2025-08-03 | 1 file | -2/+3
  ri is an int, so the check relied on signed overflow (UB). It's not really reachable, but shrug.

  reported by smatch via jsg
  ok beck jsing kenjiro
* Avoid signed overflow in BN_mul() | tb | 2025-08-03 | 1 file | -3/+4
  Reported by smatch via jsg.
  ok beck jsing kenjiro
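Added example, not the libcrypto diffs (neither BN_MONT_CTX_set() nor BN_mul() is shown on this page): the general idiom the two "Avoid signed overflow" commits above are about. A post-hoc check such as "if (a + b < a)" is fine for unsigned types but is undefined behaviour for int, so the optimizer is allowed to assume it never fires and drop it, which is exactly what smatch flags. The pre-checks below compare against INT_MAX/INT_MIN so no intermediate ever overflows. The bit/word helpers are hypothetical, written here only to show the checks in the kind of size computation a bignum library does.

```c
#include <limits.h>

/*
 * Checked signed add and multiply in plain C. GCC and Clang also offer
 * __builtin_add_overflow() / __builtin_mul_overflow(), which compile to
 * a flag test; these spell out the same contract portably.
 */
static int
int_add_ok(int a, int b, int *out)
{
	/* Both branches test against the limit BEFORE adding. */
	if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
		return 0;
	*out = a + b;
	return 1;
}

static int
int_mul_ok(int a, int b, int *out)
{
	if (a == 0 || b == 0) {
		*out = 0;
		return 1;
	}
	/* Four sign cases; C's truncating division makes each bound exact. */
	if (a > 0 ? (b > 0 ? a > INT_MAX / b : b < INT_MIN / a)
	          : (b > 0 ? a < INT_MIN / b : a < INT_MAX / b))
		return 0;
	*out = a * b;
	return 1;
}

/* Hypothetical helper: 64-bit words needed to hold `bits` bits, or -1 if
 * the rounding term (bits + 63) would overflow int. */
static int
words_for_bits(int bits)
{
	int t;
	if (bits < 0 || !int_add_ok(bits, 63, &t))
		return -1;
	return t / 64;
}

/* Hypothetical helper: bits in `words` 64-bit words, or -1 on overflow. */
static int
bits_for_words(int words)
{
	int t;
	if (words < 0 || !int_mul_ok(words, 64, &t))
		return -1;
	return t;
}
```

The -1 sentinel is only for the example; real code would propagate a failure return the way the surrounding bignum API does.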
* Provide bn_mod_sqr_words() and call it from ec_field_element_sqr(). | jsing | 2025-08-02 | 3 files | -4/+20
  For now this still calls bn_montgomery_multiply_words(), however it can be optimised further in the future.
* Copy EC_FIELD_MODULUS/EC_FIELD_ELEMENTs when copying groups and points. | jsing | 2025-08-02 | 1 file | -1/+9
  ok tb@
* Provide constant time conditional selection between EC_FIELD_ELEMENTs. | jsing | 2025-08-02 | 2 files | -2/+17
  Provide an ec_field_element_select() function that allows for constant time conditional selection between two EC_FIELD_ELEMENTs. This will become a building block for constant time point multiplication.
  ok tb@
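Added example serving both the "Implement constant time EC scalar multiplication" entry above and the constant time selection entry here; it is not libcrypto's EC code. The page does not show the EC_FIELD_ELEMENT arithmetic, so the same algorithm is transposed to a group where the arithmetic fits in one line: integers modulo the Mersenne prime 2^31 - 1, where point doubling becomes squaring and point addition becomes multiplication. The control flow is the one the commit describes: precompute the multiples, then for every 4-bit window square ("double") four times and multiply ("add") once by an entry chosen with a constant time select that touches every table slot. The names mul(), ct_mask_eq(), ct_select(), ct_table_lookup() and ct_scalar_mul() are this example's own.

```c
#include <stdint.h>

/* Toy group for the example: multiplicative group mod 2^31 - 1, so a
 * product of two reduced values fits in a uint64_t. */
#define MODP 2147483647ULL

static uint64_t
mul(uint64_t a, uint64_t b)
{
	return (a * b) % MODP;	/* a, b < 2^31, so a * b < 2^62 */
}

/* All-ones if a == b, all-zeros otherwise; no branch on the inputs. */
static uint64_t
ct_mask_eq(uint64_t a, uint64_t b)
{
	uint64_t d = a ^ b;
	/* d | -d has its top bit set exactly when d != 0. */
	return (uint64_t)0 - (((d | (0 - d)) >> 63) ^ 1);
}

/* mask all-ones selects a, all-zeros selects b. */
static uint64_t
ct_select(uint64_t mask, uint64_t a, uint64_t b)
{
	return (a & mask) | (b & ~mask);
}

/* Fetch table[idx] by reading every entry, so the memory access pattern
 * is the same whatever idx is. */
static uint64_t
ct_table_lookup(const uint64_t table[16], uint64_t idx)
{
	uint64_t r = 0, i;
	for (i = 0; i < 16; i++)
		r = ct_select(ct_mask_eq(i, idx), table[i], r);
	return r;
}

/* Fixed 4-bit window: precompute g^0..g^15, then for each nibble of the
 * scalar, most significant first, square four times and multiply once by
 * the selected entry. The work done does not depend on the scalar. */
static uint64_t
ct_scalar_mul(uint64_t g, uint64_t scalar)
{
	uint64_t table[16], acc = 1;
	int i, w;

	table[0] = 1;
	for (i = 1; i < 16; i++)
		table[i] = mul(table[i - 1], g);
	for (w = 60; w >= 0; w -= 4) {
		for (i = 0; i < 4; i++)
			acc = mul(acc, acc);
		acc = mul(acc, ct_table_lookup(table, (scalar >> w) & 0xf));
	}
	return acc;
}

/* Plain square-and-multiply reference. NOT constant time: the branch on
 * (scalar & 1) leaks the scalar bits. Used only to cross-check results. */
static uint64_t
ref_scalar_mul(uint64_t g, uint64_t scalar)
{
	uint64_t acc = 1, base = g;
	while (scalar != 0) {
		if (scalar & 1)
			acc = mul(acc, base);
		base = mul(base, base);
		scalar >>= 1;
	}
	return acc;
}
```

Two caveats a practitioner should carry back to the real thing. First, the window and the selection are constant time only if the underlying group operation is: here mul() uses the % operator, whose hardware division is not constant time, which is precisely why libcrypto does this on top of its Montgomery field arithmetic. Second, a compiler is free to turn a mask-and-select into a branch; production implementations guard against that with value barriers or assembly, and check the generated code.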
* Rework PKCS7_simple_smimecap() | tb | 2025-07-31 | 2 files | -27/+36
  This is nearly identical to CMS_add_simple_smimecap(). We can reuse its doc comment mutatis mutandis and use the same construction. Maybe this wants deduplicating. Maybe not.
  ok kenjiro
* Rework PKCS7_add1_attrib_digest() | tb | 2025-07-31 | 1 file | -12/+18
  There's nothing really wrong here (at least when compared to the rest of this file an hour or so ago), but we can make this look somewhat more like code. That there's no bug here is not really related to the fact that it's an add1 function, not an add0 one. In fact, it's kind of surprising that the author had an uncharacteristic moment of lucidity and remembered to free the last argument passed to PKCS7_add_signed_attribute() on failure.
  ok kenjiro
* Rewrite PKCS7_get_smimecap() to use d2i_X509_ALGORS() | tb | 2025-07-31 | 1 file | -6/+9
  Since we finally found a use for i2d_X509_ALGORS(), make use of its sibling here. This avoids some ridiculous contortions in not quite peak muppet code (obviously this was a first test run for the grand finale in CMS).
  ok kenjiro
* Plug leaks due to misuse of PKCS7_add_signed_attribute() | tb | 2025-07-31 | 2 files | -26/+52
  set0/add0 functions that can fail are the worst. Without fail this trips up both users and authors (by and large these are two identical groups consisting of a single person), resulting in leaks and double frees.

  In today's episode of spelunking in the gruesome gore provided by the PKCS#7 and Time-Stamp protocol "implementations", we fix a couple of leaks in PKCS7_add_attrib_smimecap() and ESS_add_signing_cert(). We do so by recalling that there is i2d_X509_ALGORS(), so we might as well put it to use instead of inlining it poorly (aka, without error checking). Normalize said error checking and ensure ownership is handled correctly in the usual single-exit idiom.

  ESS_add_signing_cert() can also make use of proper i2d handling, so it's simpler and correct and in the end looks pretty much the same as PKCS7_add_attrib_smimecap().
  ok kenjiro
* curve25519.c: zap trailing whitespace introduced in previous | tb | 2025-07-29 | 1 file | -2/+2
* PKCS7_add0_attrib_signing_time: tweak comment | tb | 2025-07-28 | 1 file | -2/+2
* Below STANDARDS, reference the two most relevant sections of RFC 5652. | schwarze | 2025-07-27 | 1 file | -1/+5
  Given that RFC 5652 does not override the earlier (and simpler) standards but instead strives to remain compatible, referencing both the original and the latest versions seems helpful.
  OK tb@
* Remove DES_UNROLL from opensslconf.h. | jsing | 2025-07-27 | 13 files | -156/+0
  This is no longer used in the DES code.
  ok tb@
* Rework DES encryption/decryption loops. | jsing | 2025-07-27 | 2 files | -124/+31
  Use a slightly unrolled loop, which gets us half way between DES_UNROLL and no DES_UNROLL. While we're not terribly concerned by DES performance, this gets us a small gain on aarch64 and a small loss on arm. But above all, we end up with simpler code.
  ok tb@
* Inline cms_add1_signingTime() in its only consumer | tb | 2025-07-27 | 1 file | -31/+9
  Why have seven lines if you can have 30...
  tweak/ok kenjiro
* Update PKCS7_add0_attrib_signing_time() docs | tb | 2025-07-27 | 1 file | -3/+3
  Document the change of behavior from pk7_attr.c r1.17: the time is now validated to be in correct RFC 5280 time format.
  ok kenjiro
* Fix PKCS7_add0_attrib_signing_time() | tb | 2025-07-27 | 1 file | -5/+24
  If the caller passes in NULL, helpfully a new ASN1_TIME is allocated with X509_gmtime_adj() and leaked if PKCS7_add0_attrib_signing_time() fails afterward. Fix this.

  Also don't blindly set the signing time to a UTCTime. Validate the usual RFC 5280 format before setting it, as that's what RFC 5652, section 11.3 mandates.
  ok kenjiro
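Added example covering both the "Plug leaks due to misuse of PKCS7_add_signed_attribute()" entry above and this one; it is not libcrypto code and uses none of its types. The hazard in both commits is the set0/add0 ownership contract: the callee owns the argument only if it returns success, so a caller that allocated a default on the caller's behalf must free it on every failure path. The block below builds a toy attribute list with that contract, a failure injection so the leak is observable, the leaky caller pattern next to the single-exit fix, and a syntax-only check for the two RFC 5280 time encodings (UTCTime YYMMDDHHMMSSZ, GeneralizedTime YYYYMMDDHHMMSSZ; field ranges are not checked, a real implementation does more). All names, the tracked allocator and the "250101000000Z" default are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

static int live_allocs;	/* allocation bookkeeping, constructed for this example */

static char *
tracked_strdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (p != NULL) {
		memcpy(p, s, n);
		live_allocs++;
	}
	return p;
}

static void
tracked_free(char *p)
{
	if (p != NULL) {
		live_allocs--;
		free(p);
	}
}

/* Syntax-only check: 13 chars (UTCTime) or 15 chars (GeneralizedTime),
 * all digits, terminated by 'Z'. */
static int
rfc5280_time_syntax_ok(const char *t)
{
	size_t n = strlen(t), i;
	if (n != 13 && n != 15)
		return 0;
	for (i = 0; i + 1 < n; i++)
		if (t[i] < '0' || t[i] > '9')
			return 0;
	return t[n - 1] == 'Z';
}

typedef struct attr { char *value; struct attr *next; } attr;
typedef struct { attr *head; size_t count, limit; } attr_list;

/* add0 contract: the list owns value only once this has returned 1.
 * On failure (0) the caller still owns it and must free it. */
static int
attr_list_add0(attr_list *l, char *value)
{
	attr *a;
	if (l->count >= l->limit)	/* failure injection: list is "full" */
		return 0;
	if ((a = malloc(sizeof(*a))) == NULL)
		return 0;
	a->value = value;
	a->next = l->head;
	l->head = a;
	l->count++;
	return 1;
}

static void
attr_list_clear(attr_list *l)
{
	attr *a, *next;
	for (a = l->head; a != NULL; a = next) {
		next = a->next;
		tracked_free(a->value);
		free(a);
	}
	l->head = NULL;
	l->count = 0;
}

#define DEFAULT_TIME "250101000000Z"	/* constructed UTCTime */

/* Leaky: allocate a default when t is NULL, hand it to add0, and forget
 * about it when add0 fails. */
static int
add_signing_time_leaky(attr_list *l, char *t)
{
	if (t == NULL && (t = tracked_strdup(DEFAULT_TIME)) == NULL)
		return 0;
	return attr_list_add0(l, t);
}

/* Fixed: validate before touching the list, remember what we allocated,
 * single exit, and give up ownership only after add0 succeeded. */
static int
add_signing_time(attr_list *l, char *t)
{
	char *allocated = NULL;
	int ret = 0;

	if (t == NULL) {
		if ((allocated = tracked_strdup(DEFAULT_TIME)) == NULL)
			goto err;
		t = allocated;
	}
	if (!rfc5280_time_syntax_ok(t) || !attr_list_add0(l, t))
		goto err;
	allocated = NULL;	/* ownership moved to the list */
	ret = 1;
 err:
	tracked_free(allocated);
	return ret;
}

/* Run fn through its NULL (allocating) path against a list of capacity
 * limit, clear the list, and report allocations still live: 0 = no leak. */
static int
leaked_allocs(int (*fn)(attr_list *, char *), size_t limit)
{
	attr_list l = { NULL, 0, limit };
	live_allocs = 0;
	fn(&l, NULL);
	attr_list_clear(&l);
	return live_allocs;
}
```

With capacity 0 every add0 fails: the leaky caller leaves its default allocation live, the fixed caller frees it on the error path; with capacity 1 the fixed caller hands the allocation over and the list frees it, so the count is 0 either way. Note that a caller-supplied t is never freed by add_signing_time() on failure, which is the other half of the contract.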