path: root/src
Commit message (Author, Age, Files, Lines)
* mlkem_tests: use public mlkem.h, no longer needs mlkem_tests_util.h (tb, 2025-08-15, 1 file, -4/+3)

* mlkem_tests: mop up after feral openssl devs were here (tb, 2025-08-15, 1 file, -83/+91)

* mlkem_unittest: undo unnecessary variable renaming (tb, 2025-08-15, 1 file, -5/+5)

* Tweak comment in asn1_item_free: KNF, missing comma, wont -> won't. (tb, 2025-08-14, 1 file, -3/+4)
* unbreak tree after committing from wrong place (beck, 2025-08-14, 1 file, -223/+1)
* revert accidental disabling of ssl_security_cert() in -r1.52 (tb, 2025-08-14, 1 file, -2/+2)
* Add a reasonable ML-KEM API for public use. (beck, 2025-08-14, 14 files, -897/+1783)

  Adapt the tests to use this API. This does not yet make the symbols public
  in Symbols.list which will happen shortly with a bump.

  This includes some partial rototilling of the non-public interfaces which
  will be shortly continued when the internal code is deduplicated to not
  have multiple copies for ML-KEM 768 and ML-KEM 1024 (which is just an
  artifact of unravelling the boring C++ code).

  ok jsing@, tb@
* Use faster versions of bignum_{mul,sqr}_{4_8,6_12,8_16}() if possible. (jsing, 2025-08-14, 1 file, -10/+41)

  If ADX instructions are available, use the non-_alt version of s2n-bignum's
  bignum_{mul,sqr}_{4_8,6_12,8_16}(), which are faster than the _alt non-ADX
  versions.

  ok tb@
* Provide amd64 specific versions of bn_mul_comba6() and bn_sqr_comba6(). (jsing, 2025-08-14, 2 files, -2/+22)

  These use s2n-bignum's bignum_mul_6_12_alt() and bignum_sqr_6_12_alt()
  functions.

  ok tb@
* Provide bn_mod_add_words() and bn_mod_sub_words() on amd64. (jsing, 2025-08-14, 2 files, -2/+25)

  These use s2n-bignum's bignum_modadd() and bignum_modsub() routines.

  ok tb@
* Add special handling for multiplication and squaring of BNs with six words. (jsing, 2025-08-14, 2 files, -2/+6)

  In these cases make use of bn_mul_comba6() or bn_sqr_comba6(), which are
  faster than the normal path.

  ok tb@
* Hook additional s2n-bignum routines to the amd64 build. (jsing, 2025-08-14, 1 file, -1/+11)
* Add CPU feature detection for ADX on amd64. (jsing, 2025-08-14, 2 files, -5/+10)

  Add detection of Multi-Precision Add-Carry Instruction Extensions on amd64.
  s2n-bignum provides a number of fast multiplication routines that can
  leverage these instructions.

  ok tb@
* Clean up parts of rc4. (jsing, 2025-08-14, 1 file, -79/+40)

  Provide a static inline rc4_step() function that replaces the near identical
  RC4_STEP and RC4_LOOP macros. Simplify the processing loop and use for loops
  with small constants, which the compiler can unroll if it wants to do so.

  Inline the SK_LOOP macro in rc4_set_key_internal(), also using a small loop
  that the compiler will most likely unroll.

  ok tb@
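The shape of the refactoring described in the commit message above, as an added illustration that is not LibreSSL's rc4.c: a single static inline step function replaces per-byte macros, and both the key schedule and the bulk loop are plain loops with small constant bounds that the compiler may unroll. The struct name, rc4_set_key()/rc4_crypt()/rc4_selftest() and the 8-byte inner block are assumptions made for this example; the "Key"/"Plaintext" check is the widely published RC4 test vector. RC4 is cryptographically broken and appears here only for the code-structure point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LibreSSL code; names and layout are assumptions. */
struct rc4_state {
	uint8_t i, j;
	uint8_t s[256];
};

/* One keystream step: advance i and j, swap S[i] and S[j], return an output byte. */
static inline uint8_t
rc4_step(struct rc4_state *st)
{
	uint8_t si, sj;

	st->i = (uint8_t)(st->i + 1);
	si = st->s[st->i];
	st->j = (uint8_t)(st->j + si);
	sj = st->s[st->j];
	st->s[st->i] = sj;
	st->s[st->j] = si;
	return st->s[(uint8_t)(si + sj)];
}

/* Key schedule written as one small loop instead of an unrolling macro. */
void
rc4_set_key(struct rc4_state *st, const uint8_t *key, size_t keylen)
{
	uint8_t j = 0, tmp;
	size_t i, k = 0;

	for (i = 0; i < 256; i++)
		st->s[i] = (uint8_t)i;
	for (i = 0; i < 256; i++) {
		tmp = st->s[i];
		j = (uint8_t)(j + tmp + key[k]);
		st->s[i] = st->s[j];
		st->s[j] = tmp;
		if (++k == keylen)
			k = 0;
	}
	st->i = st->j = 0;
}

/* Bulk loop: 8 bytes per iteration via the inline step, then the tail. */
void
rc4_crypt(struct rc4_state *st, const uint8_t *in, uint8_t *out, size_t len)
{
	size_t n, b;

	for (n = 0; n + 8 <= len; n += 8)
		for (b = 0; b < 8; b++)
			out[n + b] = in[n + b] ^ rc4_step(st);
	for (; n < len; n++)
		out[n] = in[n] ^ rc4_step(st);
}

/* Returns 1 if encrypting "Plaintext" under "Key" gives the published vector. */
int
rc4_selftest(void)
{
	static const uint8_t expect[9] = {
		0xbb, 0xf3, 0x16, 0xe8, 0xd9, 0x40, 0xaf, 0x0a, 0xd3
	};
	struct rc4_state st;
	uint8_t out[9];

	rc4_set_key(&st, (const uint8_t *)"Key", 3);
	rc4_crypt(&st, (const uint8_t *)"Plaintext", out, 9);
	return memcmp(out, expect, sizeof(expect)) == 0;
}

int
main(void)
{
	printf("rc4 selftest: %s\n", rc4_selftest() ? "ok" : "FAIL");
	return rc4_selftest() ? 0 : 1;
}
```

The point is structural, not performance: with the step logic in one inline function the two loops in rc4_crypt() are trivially correct by inspection, and the compiler is free to unroll the fixed 8-iteration inner loop or not.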
* Add benchmarks for 384 bit x 384 bit multiplication and 384 bit squaring. (jsing, 2025-08-12, 1 file, -1/+14)

* Revise include to match the name that we use. (jsing, 2025-08-12, 10 files, -20/+20)

* Replace SPDX-License-Identifier with actual license. (jsing, 2025-08-12, 10 files, -20/+130)

* Add RCS tags to new files. (jsing, 2025-08-12, 10 files, -0/+20)
* Bring in bignum_mod{add,sub}() from s2n-bignum. (jsing, 2025-08-12, 2 files, -0/+185)

  These provide modular addition and subtraction.
* Bring in bignum_{mul,sqr}_{4_8,8_16}() from s2n-bignum. (jsing, 2025-08-12, 4 files, -0/+877)

  These provide fast multiplication and squaring of inputs with 4 words or
  8 words, producing an 8 or 16 word result. These versions require the CPU
  to support ADX instructions, while the _alt versions that have previously
  been imported do not.
* Bring in bignum_{mul,sqr}_6_12{,_alt}() from s2n-bignum. (jsing, 2025-08-12, 4 files, -0/+807)

  These provide fast multiplication and squaring of inputs with 6x words,
  producing a 12 word result. The non-_alt versions require the CPU to
  support ADX instructions, while the _alt versions do not.
* Add RCS tags. (jsing, 2025-08-12, 2 files, -0/+4)
* Add const to bignum_*() function calls. (jsing, 2025-08-12, 1 file, -16/+16)

  Now that s2n-bignum has marked various inputs as const, we can do the same.
  In most cases we were casting away const, which we no longer need to do.
* Sync headers from s2n-bignum. (jsing, 2025-08-12, 2 files, -236/+588)

  This effectively brings in new function prototypes, a chunk of const
  additions and some new defines.
* Add RCS tags. (jsing, 2025-08-11, 11 files, -0/+22)
* Resync s2n-bignum primitives for amd64 with upstream. (jsing, 2025-08-11, 11 files, -115/+113)

  This amounts to whitespace changes and label renaming.
* Clean up and move define to correct place. (beck, 2025-08-10, 2 files, -5/+3)

  ok tb@
* Add missing make dependency as the oclo binary depends on (anton, 2025-08-09, 1 file, -1/+3)

  ocloexec_verify. Take the easy route and ensure all binaries are built
  before the regress make target.
* sync CA certificates from newer mozilla list, ok tb@ (sthen, 2025-08-06, 1 file, -339/+1)

  https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt
  SHA256 (certdata.txt) = 579f336ace2e5717b8ecc06002ce0cce96f70623d188e1999c34b0f77696d3e9

  Removals:
  - /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
  - /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
  - /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
  - /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
  - /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
  - /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
  - /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority

  Addition:
  + /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
* Speed up bn_{mod,sqr}_mul_words() for specific inputs. (jsing, 2025-08-05, 1 file, -3/+25)

  Use bn_{mul,sqr}_comba{4,6,8}() and bn_montgomery_reduce_words() for
  specific input sizes. This is significantly faster than using
  bn_montgomery_multiply_words().

  ok tb@
* Provide bn_sqr_comba6(). (jsing, 2025-08-05, 2 files, -2/+48)

  This allows for fast squaring of a 6 word array.

  ok tb@
* Provide bn_mul_comba6(). (jsing, 2025-08-05, 2 files, -2/+63)

  This allows for fast multiplication of two 6 word arrays.

  ok tb@
* Mark the inputs to bn_mul_comba{4,8}() as const. (jsing, 2025-08-05, 3 files, -9/+9)

  This makes it consistent with bn_sqr_comba{4,8}() and simplifies an
  upcoming change.

  ok tb@
* Sort NAME, RETURN VALUES, ERRORS, and STANDARDS in the same order as SYNOPSIS. (schwarze, 2025-08-04, 1 file, -16/+16)

  Sort HISTORY chronologically. No text change.
* link illumos oclo test to the tree (tb, 2025-08-04, 1 file, -2/+2)
* Implement the POSIX-2024 close-on-fork flag, but modified to be (guenther, 2025-08-04, 2 files, -9/+10)

  reset on exec as preserving it across exec is not necessary for its
  original purpose and has security and usability concerns.

  Many thanks to Ricardo Branco (rbranco (at) suse.de) who did an independent
  implementation, caught that /dev/fd/* needed to be handled, and provided a
  port of the illumos test suite. Thanks to tb@ for assistance with that.

  ok deraadt@
* replace the flockfile backend with a per FILE recursive mutex. (dlg, 2025-08-04, 1 file, -1/+7)

  the flockfile implementation in thread/rthread_file.c used an external
  lock, and associated it with the relevant FILE * as needed. this isn't
  great for a lot of reasons, complexity being the big one, but the straw
  that broke the camel's back is that it uses a single spinlock to
  coordinate all of this, which in turn generates a lot of sched_yield
  syscalls.

  this avoids all the code complexity and the spinlock by just embedding a
  small __rctmx in every FILE.

  tested by and ok tb@ jca@
  ok claudio@
* Implement constant time EC scalar multiplication. (jsing, 2025-08-03, 1 file, -16/+103)

  Replace simplistic non-constant time scalar multiplication with a constant
  time version. This is actually faster since we compute multiples of the
  point, then double four times and add once. The multiple to add is selected
  conditionally, ensuring that the access patterns remain the same regardless
  of value.

  Inspired by Go's scalar multiplication code.

  ok tb@
* Remove duplicate computation for b3. (jsing, 2025-08-03, 1 file, -5/+1)

* Add prototype for EC_GFp_homogeneous_projective_method(). (jsing, 2025-08-03, 1 file, -1/+2)
* Avoid signed overflow in BN_MONT_CTX_set() (tb, 2025-08-03, 1 file, -2/+3)

  ri is an int, so the check relied on signed overflow (UB). It's not really
  reachable, but shrug.

  reported by smatch via jsg
  ok beck jsing kenjiro
* Avoid signed overflow in BN_mul() (tb, 2025-08-03, 1 file, -3/+4)

  Reported by smatch via jsg.
  ok beck jsing kenjiro
* Provide benchmarks for EC arithmetic. (jsing, 2025-08-03, 2 files, -1/+212)

  This provides benchmarking for EC_POINT_add(), EC_POINT_dbl() and
  EC_POINT_mul()'s scalar * generator path.
* Provide bn_mod_sqr_words() and call it from ec_field_element_sqr(). (jsing, 2025-08-02, 3 files, -4/+20)

  For now this still calls bn_montgomery_multiply_words(), however it can be
  optimised further in the future.
* Copy EC_FIELD_MODULUS/EC_FIELD_ELEMENTs when copying groups and points. (jsing, 2025-08-02, 1 file, -1/+9)

  ok tb@
* Provide constant time conditional selection between EC_FIELD_ELEMENTs. (jsing, 2025-08-02, 2 files, -2/+17)

  Provide a ec_field_element_select() function that allows for constant time
  conditional selection between two EC_FIELD_ELEMENTs. This will become a
  building block for constant time point multiplication.

  ok tb@
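How the masked select described in this commit message becomes the building block for the constant time scalar multiplication committed on 2025-08-03 (listed above): compute a table of small multiples of the point, then for each 4-bit window of the scalar double four times and add one table entry, where the entry is picked by reading every slot and keeping the wanted one with a mask, so memory accesses do not depend on the scalar. This is an added example and not LibreSSL's EC code. To keep it short and directly checkable it uses the additive group of integers modulo 2^32-5 as a toy stand-in for a curve group, so k*P is just modular multiplication; felem, ct_eq(), felem_select(), table_lookup(), scalar_mul() and scalar_mul_ref() are names assumed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not LibreSSL code. The "group" is Z_p under addition with
 * p = 2^32 - 5 (prime), so the windowed result can be checked against a
 * direct modular multiplication. What matters is the structure: a masked
 * select, a table lookup that touches every entry, and a fixed schedule of
 * four doublings and one addition per 4-bit window.
 */
typedef uint64_t felem;              /* stand-in for a field element / point */
#define P_MOD 4294967291ULL          /* 2^32 - 5; every felem is < P_MOD */

/* 1 if a == b, else 0, computed without a data-dependent branch. */
static uint64_t
ct_eq(uint64_t a, uint64_t b)
{
	uint64_t x = a ^ b;
	return 1 ^ ((x | (0 - x)) >> 63);   /* top bit set iff x != 0 */
}

/* Return b if cond == 1, a if cond == 0; cond must be exactly 0 or 1. */
static felem
felem_select(felem a, felem b, uint64_t cond)
{
	uint64_t mask = 0 - cond;           /* 0x00..00 or 0xff..ff */
	return a ^ ((a ^ b) & mask);
}

/* Group law of the toy group: modular addition with a masked reduction. */
static felem
point_add(felem a, felem b)
{
	felem s = a + b;                    /* < 2^33, cannot overflow */
	uint64_t ge = 1 ^ ((s - P_MOD) >> 63); /* 1 iff s >= P_MOD */
	return s - (P_MOD & (0 - ge));
}

static felem
point_dbl(felem a)
{
	return point_add(a, a);
}

/* Read all 16 entries; keep table[idx]. The access pattern is independent of idx. */
static felem
table_lookup(const felem table[16], uint64_t idx)
{
	felem r = 0;
	uint64_t i;

	for (i = 0; i < 16; i++)
		r = felem_select(r, table[i], ct_eq(i, idx));
	return r;
}

/* Fixed-window scalar multiplication: 16 windows of 4 bits, most significant first. */
felem
scalar_mul(felem point, uint64_t scalar)
{
	felem table[16];
	felem r = 0;                        /* identity of the additive group */
	int w, d;

	table[0] = 0;
	for (w = 1; w < 16; w++)
		table[w] = point_add(table[w - 1], point);

	for (w = 15; w >= 0; w--) {
		for (d = 0; d < 4; d++)
			r = point_dbl(r);
		r = point_add(r, table_lookup(table, (scalar >> (4 * w)) & 0xf));
	}
	return r;
}

/* Reference: k * P in Z_p directly; both reduced factors are < 2^32, so no overflow. */
felem
scalar_mul_ref(felem point, uint64_t scalar)
{
	return ((scalar % P_MOD) * (point % P_MOD)) % P_MOD;
}

int
main(void)
{
	felem p = 123456789ULL;
	uint64_t k = 0xdeadbeefcafebabeULL;

	printf("windowed %llu, reference %llu\n",
	    (unsigned long long)scalar_mul(p, k),
	    (unsigned long long)scalar_mul_ref(p, k));
	return scalar_mul(p, k) == scalar_mul_ref(p, k) ? 0 : 1;
}
```

Two caveats a practitioner should carry over to real curve code. The toy group has a trivial identity, so adding table[0] for a zero window is harmless; with affine or incomplete projective formulas the point at infinity needs explicit handling, which is why complete formulas matter for this style of ladder. And masks at the C level are only an intent: a compiler may lower ct_eq() or felem_select() back into branches, so constant-time behaviour has to be confirmed on the generated machine code.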
* Provide harness to run illumos's oclo tests from libc regress (tb, 2025-08-02, 3 files, -0/+32)

  This depends on the illumos-os-tests port I just imported and can be linked
  to the build once guenther lands the close-on-fork diff.

  Adapted from an initial diff by Ricardo Branco
* hash_test: remove variable name from prototype and fix a cast (tb, 2025-08-02, 1 file, -3/+3)
* Rework PKCS7_simple_smimecap() (tb, 2025-07-31, 2 files, -27/+36)

  This is nearly identical to CMS_add_simple_smimecap(). We can reuse its doc
  comment mutatis mutandis and use the same construction. Maybe this wants
  deduplicating. Maybe not.

  ok kenjiro
* Rework PKCS7_add1_attrib_digest() (tb, 2025-07-31, 1 file, -12/+18)

  There's nothing really wrong here (at least when compared to the rest of
  this file an hour or so ago), but we can make this look somewhat more like
  code.

  That there's no bug here is not really related to the fact that it's an
  add1 function, not an add0 one. In fact, it's kind of surprising that the
  author had an uncharacteristic moment of lucidity and remembered to free
  the last argument passed to PKCS7_add_signed_attribute() on failure.

  ok kenjiro