| Commit message (Collapse) | Author | Age | Files | Lines |
| |
After the guts of MLKEM_public_key were changed from a union to a struct,
the aligner grew the struct, leaking as many bytes of private key data as
the struct grew (on normal platforms that would be 2).
Ideally this would all be a bit more robust.
CID 621603 621604
ok jsing kenjiro
| |
With the renaming, aes_set_decrypt_key_generic() should now call
aes_set_encrypt_key_generic() directly.
| |
Rename the C based AES implementation to *_generic() and provide
*_internal() wrappers for these. This allows for architectures to provide
accelerated versions without having to also provide a fallback
implementation.
ok tb@
| |
This avoids leaving previous round keys around on failure, or leaving parts
of previous round keys behind if reused with a smaller key size.
ok tb@
| |
Every aes_set_{encrypt,decrypt}_key_internal() implementation is currently
required to check the inputs and return appropriate error codes. Pull the
input validation up to the API boundary, setting key->rounds at the same
time. Additionally, call aes_set_encrypt_key_internal() directly from
aes_set_decrypt_key_internal(), rather than going back through the public
API.
ok tb@
| |
The BN_DIV2W define provides a code path for double word division via the C
compiler, which is only enabled on hppa. Simplify the code and mop this up.
ok tb@
| |
This is now only on amd64.
| |
bn_sqr_words() does not actually compute the square of the words, it only
computes the square of each individual word - rename it to reflect reality.
Discussed with tb@
| |
This moves everything not public to mlkem_internal.c, removing the old
files and doing some further cleanup on the way.
With this landed, mlkem is out of my stack and can be changed without
breaking my subsequent changes.
ok tb@
| |
The old assembly bn_sqr_words() does not actually square words in the
bignum sense. These will have to be renamed (once I come up with a name
for whatever it actually does) before we can roll forward again.
Found the hard way by Janne Johansson.
| |
| |
Use bn_mul_words() and bn_montgomery_reduce_words(), rather than using
bn_montgomery_multiply_words(). This provides better performance on
architectures that have assembly optimised bn_mul_words(), such as amd64.
| |
| |
Use bn_sqr_words() and bn_montgomery_reduce_words(), rather than using
bn_montgomery_multiply_words(). This provides better performance on
architectures that have assembly optimised bn_sqr_words(), such as amd64.
ok tb@
| |
This uses s2n-bignum's bignum_mul() and provides significant performance
gains for a range of multiplication sizes.
| |
(for our purposes).
| |
Not installed for nearly a decade since it only "documents" internal
functions and structs and the internal function doco gets more out of
sync with reality with every (much needed) pass over bn/
| |
| |
This was missed in the previous commit.
| |
Most bn_.*_words() functions operate on two word arrays, however
bn_mul_words() and bn_mul_add_words() operate on one word array and
multiply by a single word. Rename these to bn_mulw_words() and
bn_mulw_add_words() to reflect this, following the naming scheme that we use
for primitives.
This frees up bn_mul_words() to actually be used for multiplying two word
arrays. Rename bn_mul_normal() to bn_mul_words(), which will then become
one of the possible assembly integration points.
ok tb@
| |
Rework some of the squaring code so that it calls bn_sqr_words() and use
this as the integration point for assembly. Convert bn_sqr_normal() to
bn_sqr_words(), which is then used on architectures that do not provide
their own version.
This means that we resume using the assembly version of bn_sqr_words() on
i386, mips64 and powerpc, which can provide considerable performance gains.
ok tb@
| |
The code supporting this toggle has long been removed from all the forks.
discussed with jsing
| |
I have effectively rewritten the entirety of this file at the end of 2024.
This isn't code I'm particularly proud of, but it's much better than
it was before (it's not as if that involved any sort of challenge...)
requested by/ok jsing
| |
| |
After drilling through many layers of fossilized turds from a
long-forgotten millennium, jsing and I finally found oil^Wa
machine-independent version of opensslconf.h.
Remove the no longer needed versions in arch/*/ and move one copy
to the top level. Add an RCS tag and place the remaining garbage
in the public domain.
ok jsing
| |
Rides the libcrypto bump from a couple days ago
| |
| |
rides the libcrypto bump
| |
| |
| |
This includes interfaces for public and private keys for ML-KEM 768
and 1024. Marshalling and parsing of public keys and parsing of the
wasteful NIST format of private keys (marshalling this private key
format is deliberately omitted from the public API). Decapsulation
and encapsulation of shared secrets.
This will soon be used to implement the X25519MLKEM768 hybrid key
agreement in libssl.
ok beck jsing
| |
I was overeager to remove those a while back. This was dumb because
this is about a basic ASN.1 type. The Gentoo maintainers found that
tpm2-tools uses templated ASN.1 involving them.
Fixes https://github.com/libressl/portable/issues/1178
ok beck jsing
| |
Removes another patch in portable
| |
This allows us to get rid of an ugly patch in portable.
ok jsing
| |
ok tb@
| |
The RC4_CHUNK related code is intended to process native word sized
chunks if the input and output are naturally aligned. However, RC4_CHUNK
is currently a mess of machine dependent defines.
Replace this with uint64_t on all architectures - 64 bit architectures will
be happy with this and on 32 bit architectures the compiler can decompose
this into multiple 32 bit operations. Provide separate rc4_chunk()
implementations for big and little endian, since not all architectures
have a byte swap instruction that would make this a cheap conversion.
Thanks to gkoehler@ and tb@ for testing on big endian.
ok tb@
| |
| |
| |
| |
Adapt the tests to use this API.
This does not yet make the symbols public in Symbols.list
which will happen shortly with a bump.
This includes some partial rototilling of the non-public
interfaces which will be shortly continued when the internal
code is deduplicated to not have multiple copies for ML-KEM
768 and ML-KEM 1024 (which is just an artifact of unravelling
the boring C++ code).
ok jsing@, tb@
| |
If ADX instructions are available, use the non-_alt version of s2n-bignum's
bignum_{mul,sqr}_{4_8,6_12,8_16}(), which are faster than the _alt
non-ADX versions.
ok tb@
| |
These use s2n-bignum's bignum_mul_6_12_alt() and bignum_sqr_6_12_alt()
functions.
ok tb@
| |
These use s2n-bignum's bignum_modadd() and bignum_modsub() routines.
ok tb@
| |
In these cases make use of bn_mul_comba6() or bn_sqr_comba6(), which are
faster than the normal path.
ok tb@
| |
| |
Add detection of Multi-Precision Add-Carry Instruction Extensions on amd64.
s2n-bignum provides a number of fast multiplication routines that can
leverage these instructions.
ok tb@
| |
Provide a static inline rc4_step() function that replaces the near
identical RC4_STEP and RC4_LOOP macros. Simplify the processing loop and
use for loops with small constants, which the compiler can unroll if it
wants to do so.
Inline the SK_LOOP macro in rc4_set_key_internal(), also using a small loop
that the compiler will most likely unroll.
ok tb@
| |
| |
| |