openssl/crypto/build.info


# Note that these directories are filtered in Configure. Look for %skipdir
# there for further explanations.
Introduce new internal hashtable implementation

Create a new hashtable that is more efficient than the existing LHASH_OF implementation. The new ossl_ht api offers several new features that improve performance opportunistically:

* A more generalized hash function. Currently using fnv1a, provides a more general hash function, but can still be overridden where needed
* Improved locking and reference counting. This hash table is internally locked with an RCU lock, and optionally reference counts elements, allowing for users to not have to create and manage their own read/write locks
* Lockless operation. The hash table can be configured to operate locklessly on the read side, improving performance, at the sacrifice of the ability to grow the hash table or delete elements from it
* A filter function allowing for the retrieval of several elements at a time matching a given criteria without having to hold a lock permanently
* A doall_until iterator variant, that allows callers which need to iterate over the entire hash table until a given condition is met (as defined by the return value of the iterator callback). This allows for callers attempting to do expensive cache searches for a small number of elements to terminate the iteration early, saving cpu cycles
* Dynamic type safety. The hash table provides operations to set and get data of a specific type without having to define a type at the instantiation point
* Multiple data type storage. The hash table can store multiple data types allowing for more flexible usage
* Ubsan safety. Because the API deals with concrete single types (HT_KEY and HT_VALUE), leaving specific type casting to the call recipient with dynamic type validation, this implementation is safe from the ubsan undefined behavior warnings that require additional thunking on callbacks.

Testing of this new hashtable with an equivalent hash function, I can observe approximately a 6% performance improvement in the lhash_test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23671)
2024-01-28 23:50:38 +08:00
SUBDIRS=objects buffer bio stack lhash hashtable rand evp asn1 pem x509 conf \
txt_db pkcs7 pkcs12 ui kdf store property \
Multi-variant ML-KEM

This introduces support for ML-KEM-512 and ML-KEM-1024 using the same underlying implementation parameterised by a few macros for the associated types and constants. KAT tests are added for ML-KEM 512 and 1024, to complement the previous tests for ML-KEM-768.

MLKEM{512,768,1024} TLS "group" codepoints are updated to match the final IANA assignments and to make the additional KEMs known to the TLS layer. The pure-QC MLKEMs are not in the default list of supported groups, and need to be explicitly enabled by the application. Future work will introduce support for hybrids, and for more fine-grained policy of which keyshares a client should send by default, and when a server should request (HRR) a new mutually-supported group that was not sent.

Tests for ML-KEM key exchange added to sslapitest to make sure that our TLS client MLKEM{512,768,1024} implementations interoperate with our TLS server, and that MLKEM* are not negotiated in TLS 1.2.

Tests also added to exercise non-derandomised ML-KEM APIs, both directly (bypassing the provider layer), and through the generic EVP KEM API (exercising the provider). These make sure that RNG input is used correctly (KAT tests bypass the RNG by specifying seeds).

The API interface to the provider takes a "const ML_KEM_VINFO" pointer, (obtained from ossl_ml_kem_get_vinfo()). This checks input and output buffer sizes before passing control to internal code that assumes correctly sized (for each variant) buffers.

The original BoringSSL API was refactored to eliminate the opaque public/private key structure wrappers, since these structures are an internal detail between libcrypto and the provider, they are not part of the public (EVP) API.

New "clangover" counter-measures added, refined with much appreciated input from David Benjamin (Chromium).

The internal steps of "encrypt_cpa" were reordered to reduce the working-set size of the algorithm, now needs space for just two temporary "vectors" rather than three.

The "decap" function now processes the decrypted message in one call, rather than three separate calls to scalar_decode_1, scalar_decompress and scalar_add.

Some loops were unrolled, improving performance of en/decapsulate (pre-expanded vectors and matrix) by around 5%.

To handle, however unlikely, the SHA3 primitives not behaving like "pure" functions and failing, the implementation of `decap` was modified:

- To use the KDF to compute the Fujisaki-Okamoto (FO) failure secret first thing, and if that fails, bail out returning an error, a shared secret is still returned at random from the RNG, but it is OK for the caller to not use it.
- If any of the subsequently used hash primitives fail, use the computed FO failure secret (OK, despite no longer constant-time) and return success (otherwise the RNG would replace the result).
- We quite reasonably assume that chosen-ciphertext attacks (of the correct length) cannot cause hash functions to fail in a manner that depends on the private key content.

Support for ML-KEM-512 required adding a centered binomial distribution helper function to deal with η_1 == 3 in just that variant.

Some additional comments were added to highlight how the code relates to the ML-KEM specification in FIPS 203.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26172)
2024-11-30 22:20:58 +08:00
md2 md4 md5 sha mdc2 ml_kem hmac ripemd whrlpool poly1305 \
siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \
seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \
err comp http ocsp cms ts srp cmac ct async ess crmf cmp encode_decode \
ffc hpke thread lms ml_dsa slh_dsa
LIBS=../libcrypto
$UPLINKSRC=
$UPLINKDEF=
IF[{- !$disabled{uplink} -}]
$UPLINKSRC_common=../ms/uplink.c
$UPLINKSRC_x86=$UPLINKSRC_common uplink-x86.S
$UPLINKSRC_x86_64=$UPLINKSRC_common uplink-x86_64.s
$UPLINKSRC_ia64=$UPLINKSRC_common uplink-ia64.s
IF[$UPLINKSRC_{- $target{uplink_arch} -}]
$UPLINKSRC=$UPLINKSRC_{- $target{uplink_arch} -}
$UPLINKDEF=OPENSSL_USE_APPLINK
ENDIF
ENDIF
$CPUIDASM=mem_clr.c
$CPUIDDEF=
IF[{- !$disabled{asm} && $config{processor} ne '386' -}]
$CPUIDASM_x86=x86cpuid.S
$CPUIDASM_x86_64=x86_64cpuid.s
$CPUIDASM_ia64=ia64cpuid.s
$CPUIDASM_sparcv9=sparcv9cap.c sparccpuid.S
$CPUIDASM_alpha=alphacpuid.s
$CPUIDASM_s390x=s390xcap.c s390xcpuid.S
$CPUIDASM_armv4=armcap.c armv4cpuid.S
$CPUIDASM_aarch64=armcap.c arm64cpuid.S
$CPUIDASM_parisc11=pariscid.s
$CPUIDASM_parisc20_64=$CPUIDASM_parisc11
$CPUIDASM_ppc32=ppccpuid.s ppccap.c
$CPUIDASM_ppc64=$CPUIDASM_ppc32
$CPUIDASM_c64xplus=c64xpluscpuid.s
$CPUIDASM_riscv64=riscvcap.c riscv64cpuid.s
$CPUIDASM_riscv32=riscvcap.c riscv32cpuid.s
$CPUIDASM_loongarch64=loongarchcap.c loongarch64cpuid.s
# Now that we have defined all the arch specific variables, use the
# appropriate one, and define the appropriate macros
IF[$CPUIDASM_{- $target{asm_arch} -}]
$CPUIDASM=$CPUIDASM_{- $target{asm_arch} -}
$CPUIDDEF=OPENSSL_CPUID_OBJ
ENDIF
ENDIF
# CPUID support. We need to add that explicitly in every shared library and
# provider module that uses it. ctype.c is included here because the CPUID
# uses functions from there to parse magic environment variables.
$CPUID_COMMON=$CPUIDASM cpuid.c ctype.c
INCLUDE[cpuid.o]=..
SOURCE[../libcrypto]=$CPUID_COMMON
DEFINE[../libcrypto]=$CPUIDDEF
SOURCE[../providers/libfips.a]=$CPUID_COMMON
DEFINE[../providers/libfips.a]=$CPUIDDEF
# We only need to include the CPUID stuff in the legacy provider when it's a
# separate module and it's dynamically linked with libcrypto. Otherwise, it
# already gets everything that the static libcrypto.a has, and doesn't need it
# added again.
IF[{- !$disabled{module} && !$disabled{shared} -}]
SOURCE[../providers/legacy]=$CPUID_COMMON
DEFINE[../providers/legacy]=$CPUIDDEF
ENDIF
# Implementations are now spread across several libraries, so the CPUID define
# need to be applied to all affected libraries and modules.
DEFINE[../providers/libcommon.a]=$CPUIDDEF
DEFINE[../providers/libdefault.a]=$CPUIDDEF
# The Core
$CORE_COMMON=provider_core.c provider_predefined.c \
core_fetch.c core_algorithm.c core_namemap.c self_test_core.c
SOURCE[../libcrypto]=$CORE_COMMON provider_conf.c indicator_core.c
SOURCE[../providers/libfips.a]=$CORE_COMMON
# Central utilities
$UTIL_COMMON=\
cryptlib.c params.c params_from_text.c bsearch.c ex_data.c o_str.c \
threads_pthread.c threads_win.c threads_none.c threads_common.c \
initthread.c context.c sparse_array.c asn1_dsa.c packet.c \
param_build.c param_build_set.c der_writer.c threads_lib.c \
params_dup.c time.c array_alloc.c aligned_alloc.c deterministic_nonce.c
SOURCE[../libcrypto]=$UTIL_COMMON \
mem.c mem_sec.c \
comp_methods.c cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c \
o_dir.c o_fopen.c getenv.c o_init.c init.c trace.c provider.c \
provider_child.c punycode.c passphrase.c sleep.c \
quic_vlint.c time.c defaults.c ssl_err.c
SOURCE[../providers/libfips.a]=$UTIL_COMMON
SOURCE[../libcrypto]=$UPLINKSRC
DEFINE[../libcrypto]=$UPLINKDEF
DEPEND[info.o]=buildinf.h
DEPEND[cversion.o]=buildinf.h
GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
GENERATE[uplink-ia64.s]=../ms/uplink-ia64.pl
GENERATE[x86cpuid.S]=x86cpuid.pl
DEPEND[x86cpuid.s]=perlasm/x86asm.pl
GENERATE[x86_64cpuid.s]=x86_64cpuid.pl
GENERATE[ia64cpuid.s]=ia64cpuid.S
GENERATE[ppccpuid.s]=ppccpuid.pl
GENERATE[pariscid.s]=pariscid.pl
GENERATE[alphacpuid.s]=alphacpuid.pl
GENERATE[arm64cpuid.S]=arm64cpuid.pl
INCLUDE[arm64cpuid.o]=.
GENERATE[armv4cpuid.S]=armv4cpuid.pl
INCLUDE[armv4cpuid.o]=.
GENERATE[s390xcpuid.S]=s390xcpuid.pl
INCLUDE[s390xcpuid.o]=.
GENERATE[riscv64cpuid.s]=riscv64cpuid.pl
GENERATE[riscv32cpuid.s]=riscv32cpuid.pl
GENERATE[loongarch64cpuid.s]=loongarch64cpuid.pl
IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}]
SHARED_SOURCE[../libcrypto]=dllmain.c
ENDIF