Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
symm/rijndael-x86-aesni.S: Use xmm5 instead of xmm7.
The only reason is that (stupidly) the Windows 64-bit ABI designates
(the bottom 128 bits of) xmm7 as being callee-saved.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
symm/*.S: Symbolic names for shuffles.
The magic constants for the various shuffles (actually, all rotations)
have irritated me. Replace them with names, now we have a preprocessor.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
symm/chacha-x86-sse2.S: Fix the register allocation comment.
The four rows can't all be in XMM0.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
Preprocess the assembler files.
* Rename the `*.s' files to `*.S'.
* Create a new header `base/asm-common.h' containing useful
definitions, particularly for dealing with the peculiarities of
shared library code.
* Convert the assembler files to use the new macros.
* Convert the assembler files to use `//' for comments rather than
`#' (as currently). This is a bit annoying, but `#' is wanted by
the preprocessor, and `/* ... */' doesn't work in Emacs's
`asm-mode'.
The reason for doing all of this is because the C preprocessor will let
me do things like inventing symbolic names for registers, which will be
handy later when I add support for AMD64 processors, because most of the
code will be identical between 32- and 64-bit machines.
This change has the side-effect that the AESNI implementation no longer
uses PIC-ish means to find things when it doesn't need to.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
configure.ac: Improve the host CPU family detection.
In particular, also collect the ABI.
Mark Wooding [Wed, 18 May 2016 09:28:25 +0000 (10:28 +0100)]
base/dispatch.c: Indent some preprocessor definitions properly.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
Add a pile of debug output around the CPU dispatching machinery.
Report on finding things in the environment, progress on runtime probes,
and the decisions about which implementations we pick. Decision-making
isn't time-critical, so this is left in permanently.
Mark Wooding [Wed, 18 May 2016 08:17:01 +0000 (09:17 +0100)]
base/dispatch.c: Add documentation for some internal functions.
Mark Wooding [Wed, 18 May 2016 08:15:59 +0000 (09:15 +0100)]
base/dispatch.c: Add in more useful section markers.
There will be more sections.
Mark Wooding [Mon, 25 May 2015 09:34:14 +0000 (10:34 +0100)]
Support Intel's AES Native Instructions where available on x86 hardware.
* Add a detector for the CPU feature.
* Implement AES in terms of the Intel AESNI instructions.
We can't use the fancy instructions to implement Rijndael with large
blocks, unfortunately; we /can/ (and do) use the rather cumbersome
key-scheduling instructions.
There's a slightly annoying endianness difference between Catacomb
(big-endian) and AESNI (little-endian). Resolve this by (a) maintaining
the key schedule in little-endian order if we're using AESNI (and blocks
are exactly 128 bits); and (b) end-swapping the block on entry and exit
to the block cipher operations.
Mark Wooding [Sat, 2 May 2015 16:05:20 +0000 (17:05 +0100)]
symm/: New SSE2 implementations of Salsa20 and ChaCha.
These are chosen at runtime if the CPU is suitable.
Mark Wooding [Sat, 2 May 2015 16:05:20 +0000 (17:05 +0100)]
symm/salsa20.c, symm/salsa20-core.h: Permute input matrix for SIMD.
Maintain the input matrix in the Salsa20 context structure in a permuted
form which makes SIMD implementations of the core function rather more
efficient.
Mark Wooding [Mon, 25 May 2015 18:37:01 +0000 (19:37 +0100)]
debian/rules: Run tests twice, once without any detected CPU features.
Mark Wooding [Sat, 30 May 2015 19:26:39 +0000 (20:26 +0100)]
base/dispatch.c: Check operating system support for XMM registers.
I found a technique for doing this described by Agner Fog: see
http://www.agner.org/optimize/#manual_asm
which is conveniently independent of any particular system. Quite why
Intel don't document this clearly is something of a mystery to me.
Mark Wooding [Mon, 18 May 2015 22:21:02 +0000 (23:21 +0100)]
configure.ac, base/dispatch.[ch]: CPU-specific implementations.
We now have the capability for a function to have multiple CPU-specific
implementations, and to choose the most appropriate one at runtime.
The new `cpu_feature_p' function doesn't understand much in the way of
features yet, but is ready to grow later.
Mark Wooding [Sat, 2 May 2015 16:05:20 +0000 (17:05 +0100)]
configure.ac: Arrange to have an assembler available.
Mark Wooding [Mon, 20 Jul 2015 12:53:44 +0000 (13:53 +0100)]
Merge branch 'mdw/latin-dances'
* mdw/latin-dances:
progs/rspit.c: Include Salsa20 and ChaCha (and their variants).
symm: Implement Bernstein's ChaCha stream cipher.
symm: Implement Bernstein's Salsa20 stream cipher and its variants.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
progs/rspit.c: Include Salsa20 and ChaCha (and their variants).
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
symm: Implement Bernstein's ChaCha stream cipher.
Mark Wooding [Fri, 13 Mar 2015 20:09:51 +0000 (20:09 +0000)]
symm: Implement Bernstein's Salsa20 stream cipher and its variants.
Mark Wooding [Fri, 29 May 2015 17:54:29 +0000 (18:54 +0100)]
progs/key.c: Multiple output presentations for fingerprints.
Add a new presentation for base32 output, separated into groups of six
characters.
Also document the presentation styles better; include some other missing
options in usage messages; and patch an irrelevant memory leak.
Mark Wooding [Fri, 29 May 2015 17:49:35 +0000 (18:49 +0100)]
progs/key.c: Use the mLib generic codec interface instead of base64_*.
This means we can actually detect errors in the seed provided to `key
add -s'.
Mark Wooding [Fri, 29 May 2015 17:47:59 +0000 (18:47 +0100)]
progs/key.c: Exit with `EXIT_FAILURE' on keyring open failure.
Portability fix for a careless error.
Mark Wooding [Fri, 29 May 2015 13:41:13 +0000 (14:41 +0100)]
rand/rand.c: Fix incorrect assertion.
Mark Wooding [Thu, 28 May 2015 18:49:34 +0000 (19:49 +0100)]
math/ec-raw.[ch] (ec_ec2osp): Check that the requested flags are sane.
Also tests, just to make sure.
Mark Wooding [Mon, 25 May 2015 17:59:52 +0000 (18:59 +0100)]
Merge branch 'mdw/fixes'
* mdw/fixes:
symm/safer.[ch]: Correct description for `safer_setup'.
symm/rc4.h: Mention that RC4 isn't really very good.
symm/rc4.[ch]: Fix incorrect documentation on `rc4_rand'.
symm/seal.c: Fix IV handling through `gcipher' interface.
math/mpint.h: Add new conversions.
math/mpint.[ch]: Consolidate the list of supplied conversions in header.
progs/rspit.c: Update the baton more frequently if we can.
progs/rspit.c: Higher resolution timing.
progs/rspit.c: Handle large requested output.
progs/rspit.c: Better handling of block cipher IVs.
progs/rspit.c: Make the internal tables be const.
rand/rand.[ch]: Spring-clean the random source cryptography.
rand/rand.[ch]: Don't dynamically construct the global generator.
symm/multigen: Some UI improvements.
symm: Expunge stubby header files from the source tree.
symm/Makefile.am: Modes files listed as `EXTRA_DIST' and `nodist_...'.
symm/Makefile.am: Have modes things depend on `Makefile.am'.
symm/modes.am.in: Fix `Generated from ...' header.
Mark Wooding [Wed, 18 Mar 2015 09:58:21 +0000 (09:58 +0000)]
symm/safer.[ch]: Correct description for `safer_setup'.
Mark Wooding [Sat, 2 May 2015 16:05:20 +0000 (17:05 +0100)]
configure.ac: Fix detection of the freewheel generator
This has been broken since the `configure.ac' script was introduced in
commit ba6e6b64033b1f9de49feccb5c9cd438354481f7.
Mark Wooding [Mon, 18 May 2015 22:21:33 +0000 (23:21 +0100)]
progs/key.1: General typesetting improvements.
Mark Wooding [Fri, 10 Apr 2015 14:19:25 +0000 (15:19 +0100)]
math/mpmont.c (mpmont_reduce): Segfault if Karatsuba product is short.
In the Karatsuba branch, it's possible (e.g., if the input is actually
zero) that the result is short. A later `MP_LEN(d) - n' then underflows
causing general badness. Make sure the result is actually long enough.
Mark Wooding [Mon, 31 Mar 2014 15:01:46 +0000 (16:01 +0100)]
pub/dsa-misc.c: Include a magic prefix in the hashing.
To prevent protocol interference. In practice, I think including the
private key should be enough, because nobody would use that in any other
kind of hash, right...?
Mark Wooding [Mon, 13 Apr 2015 16:22:00 +0000 (17:22 +0100)]
progs/catcrypt.1: Fix stupid typo.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
symm/rc4.h: Mention that RC4 isn't really very good.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
symm/rc4.[ch]: Fix incorrect documentation on `rc4_rand'.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
symm/seal.c: Fix IV handling through `gcipher' interface.
* Read the IV as octets (big-endian) rather than as a machine word.
* Advertise a `block size' of 4 octets.
This is a compatibility break, but I don't think anyone was using SEAL,
and it was nearly impossible to use correctly through this interface
anyway.
Mark Wooding [Wed, 18 Mar 2015 19:03:16 +0000 (19:03 +0000)]
math/mpint.h: Add new conversions.
Cover the remaining <mLib/bits.h> types, `long long', `intmax_t', and
`size_t'.
Conversions for the non-C89 types are only defined if the types are
actually detected.
Mark Wooding [Wed, 18 Mar 2015 18:59:28 +0000 (18:59 +0000)]
math/mpint.[ch]: Consolidate the list of supplied conversions in header.
Now there's only one source of ultimate conversion-related truth.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
progs/rspit.c: Update the baton more frequently if we can.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
progs/rspit.c: Higher resolution timing.
Use double-precision for representing time, as seconds since some
arbitrary epoch. If we're strictly portable then time(3) is all we
have, and we have to convert with difftime(3); otherwise we can have
gettimeofday(2) and convert by hand.
Mark Wooding [Wed, 18 Mar 2015 19:04:47 +0000 (19:04 +0000)]
progs/rspit.c: Handle large requested output.
We could work with `off_t' throughout, but in fact we might be asked for
a /very/ large stream, and it turns out that there's a rather convenient
multiprecision integer library just waiting to be used.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
progs/rspit.c: Better handling of block cipher IVs.
* Check the IV length during option parsing, rather than at the end.
* Don't accumulate IV material because we don't do that with keys.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
progs/rspit.c: Make the internal tables be const.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
rand/rand.[ch]: Spring-clean the random source cryptography.
* Use Twofish in counter mode for the main mixing function, because it
has lighter-weight key scheduling.
* Use SHA256 rather than HMAC(RIPEMD-160) for digesting. I don't
think HMAC has anything useful to bring to the party here, and
SHA256 is definitely closer to the security level we're aiming for
now.
* The context structure just contains a plain key now, rather than a
scheduled HMAC key, but there's padding to retain binary
compatibility.
* Keys fed into `rand_key' are mangled by hashing with a constant
prefix, mostly to sort out problems of length variation and so on.
* We keep back 256 bits rather than 160 now.
All of this obviously means that the generator will produce different
output now if you try to use it in a deterministic mode. Don't do that.
There are plenty of better deterministic generators in this library. I
reserve the right to change this one again in the future.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
rand/rand.[ch]: Don't dynamically construct the global generator.
Now it always exists, and is statically initialized. There should be no
observable change.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
symm/multigen: Some UI improvements.
Previously the usage message (and the code!) suggested that you could
run multigen without any options, and it'd default to generating
output. Well, that was true, only it wouldn't know which input file to
read and then it'd crash with the unusually unhelpful error
TypeError: coercing to Unicode: need string or buffer, NoneType found
Changes to fix this:
* There's no default mode any more. You have to give `-l' or `-g'.
The `-g' option now does double duty, setting the mode and storing
an input file name.
* Print the `no mode set' error in a more friendly way, now that we
actually expect to see it.
* Fix the usage message so that it's clear that `-g' takes an
argument, which it always used to anyway.
* Change the usage message so that it shows `-l' and `-g' as
alternatives from which you must select one, rather than just
optional things from which you might pick several.
Callers which worked before won't see any change. Interactive use is
now a bit less dreadful.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
symm: Expunge stubby header files from the source tree.
Construct them at compile time instead.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
symm/Makefile.am: Modes files listed as `EXTRA_DIST' and `nodist_...'.
The generated per-mode files were listed both as `nodist_...' and in
`EXTRA_DIST'. Sort this out by just adding them to the appropriate
distribution list instead.
Mark Wooding [Sun, 15 Mar 2015 02:11:40 +0000 (02:11 +0000)]
symm/Makefile.am: Have modes things depend on `Makefile.am'.
This is, after all, where the master list comes from. This includes the
modes files, and the various generated lists.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
symm/modes.am.in: Fix `Generated from ...' header.
Mark Wooding [Fri, 13 Mar 2015 20:36:31 +0000 (20:36 +0000)]
pub/rsa-recover.c: Give up if we run out of prime numbers.
We have a 1/2 probability of winning for each prime, and `NPRIME' is at
least 256, so the chances of us giving up on an input which we could, in
fact, factor if we persevered are negligible. We therefore neglect them.
Mark Wooding [Fri, 27 Feb 2015 21:19:41 +0000 (21:19 +0000)]
Merge branch 'mdw/ec-ptcmpr'
* mdw/ec-ptcmpr:
math/: Support EC2OSP and OS2ECP operations, with point compression.
math/f-{prime,niceprime}.c: Fix reduction for `add', `sub' and `neg'.
math/mp-modsqrt.c: Zero has a square root. Return it correctly.
math/: Improve some commentary in the binary-field arithmetic.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
math/: Support EC2OSP and OS2ECP operations, with point compression.
We handle both LSB and (IEEE 1363) SORT compression, and hybrid forms.
The `ec_fromraw' function now accepts compressed forms, but (for
compatibility's sake) `ec_toraw' doesn't generate them. Lots of tests
included.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
math/f-{prime,niceprime}.c: Fix reduction for `add', `sub' and `neg'.
None of these worked properly at the modulus itself. This causes the
`neg' method of prime curves to fail at 2-torsion points.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
math/mp-modsqrt.c: Zero has a square root. Return it correctly.
This causes `find' on prime curves to fail when given the x-coordinate
of a 2-torsion point.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
math/: Improve some commentary in the binary-field arithmetic.
* Explain why `gfreduce_trace' can safely return its answer as an int.
* Explain how `gfreduce_quadsolve' actually works. Also explicitly
guarantee that its result is deterministic.
* Explain how the `find' method works in `ec-bin.c'.
There's a little fiddling with braces to fit the new commentary in, but
no significant code change.
Mark Wooding [Fri, 27 Feb 2015 14:44:45 +0000 (14:44 +0000)]
progs/factorial.c: Reject negative inputs.
Otherwise they get reduced mod 2^large, and the program takes forever.
It's not like we'd get a better answer by using the full-on Gamma
function, so just report an error.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
pub/rsa-recover.c: Fail gracefully if `mpmont_create' fails.
Otherwise we'll crash and burn if, e.g., `n' is even for some reason.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
pub/rsa-recover.c: Gather cleanup to the end of the function.
We get to delete a whole lot of leave-in-the-middle cleanup, and
concentrate it all at the end. This also lets us recycle temporaries
slightly better.
There's a little light reformatting thrown in, but nothing too aggressive.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
pub/rsa-recover.c: Take out explicit factoring-retry loop.
We have the `again' label anyway, because we need to retry from the
nested square-root-finding loop, and the hope is that we do the thing
once and it works, retrying on failure, rather than iterating over a
thing, so I think I prefer the `goto' here.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
rsa-recover.c: First stage cleanup: hoist variable declarations.
Remove all of the variable declarations from inner blocks and hoist them
to toplevel. Initialize `mp' variables once, and use their initial
values, rather than writing `MP_NEW' explicitly in the first assignment.
There's no functional change here.
Two small (temporary) warts. Firstly, the handling of `z' and `zz' in
the factoring loop is rather nasty, repeatedly freeing and recreating
`zz'; and secondly `p1' and `q1' are used in two separate places. To
prevent conflicts here, reset the relevant variables to `MP_NEW' after
freeing them.
Mark Wooding [Mon, 22 Dec 2014 20:32:58 +0000 (20:32 +0000)]
pub/rsa-recover.c, pub/rsa.h: Say what's left when `rsa_recover' fails.
Mark Wooding [Wed, 24 Dec 2014 17:57:53 +0000 (17:57 +0000)]
base/ct.[ch]: Fix stupid editorial error in commentary for `ct_intle'.
Also, I checked through the disassembly for these functions, just to
check that GCC isn't inserting comparisons or branches where they aren't
wanted. It isn't -- at least, not yet.
Mark Wooding [Sat, 24 May 2014 13:00:03 +0000 (14:00 +0100)]
Release 2.1.7.
Mark Wooding [Wed, 16 Jul 2014 09:11:37 +0000 (10:11 +0100)]
Makefile.am, configure.ac, progs/Makefile.am: Link math library explicitly.
Rename `CATACOMB_LIBS' to `MATHLIBS' and use it explicitly in some of
the utility builds.
If the main library needs more library dependencies then it'll probably
be best to sort them out in the Makefile.
Mark Wooding [Sat, 5 Apr 2014 09:52:07 +0000 (10:52 +0100)]
progs/mkphrase.[c1]: Optionally drop apostrophes.
They don't do much good, really.
Mark Wooding [Sat, 5 Jul 2014 01:09:05 +0000 (02:09 +0100)]
progs/hashsum.c (checkhash): Fix stupid bugs.
* Initialize the return code. Not sure why this didn't get a warning.
* Pick up changes of hash function properly.
Mark Wooding [Mon, 19 May 2014 15:49:22 +0000 (16:49 +0100)]
math/ectab.in: Add the BADA55 curves by Bernstein et al.
Mark Wooding [Mon, 19 May 2014 11:36:37 +0000 (12:36 +0100)]
math/ectab.in: Add the Brainpool curves.
Really I should have done this years ago.
Mark Wooding [Wed, 14 May 2014 20:35:40 +0000 (21:35 +0100)]
math/mpgen, symm/multigen: Add copious commentary.
Mark Wooding [Wed, 14 May 2014 20:35:21 +0000 (21:35 +0100)]
math/mpgen, symm/multigen: Various minor cleanups.
Reordering some code; deleting pointless code; some very minor bug fixing.
Most notably, avoid a crash when reporting a row size mismatch, in
Relation.addrow.
Mark Wooding [Wed, 14 May 2014 20:29:29 +0000 (21:29 +0100)]
math/mpgen: Fix bugs in slot handling.
Several bugs, which conspired to cover their tracks.
* BaseSlot never actually stored the `omitp' and `allowp' functions.
* The MPSlot handler didn't chain up to the BaseSlot implementation
of `setup'.
* The EllipticCurveGroup's `beta' slot definition's `omitp' and `allowp'
functions used the slot name `type' instead of the object.
The incorrect lookups were hidden because the functions were never called.
The omission of `beta' values for most curve groups should then have
caused an error, only MPSlot.setup didn't chain up to the method which
would have noticed.
Mark Wooding [Sat, 13 Jul 2013 15:34:40 +0000 (16:34 +0100)]
progs/{catsign,mkphrase}.1: Fix synopsis line breaks.
Some lines which only contained tabs got clobbered in a whitespace
cleanup. Those lines were asking for trouble anyway; instead, use
\h'8n', which won't get caught in the same way, makes more space, and is
consistent with other manpages in the package.
Mark Wooding [Wed, 2 Apr 2014 23:04:24 +0000 (00:04 +0100)]
math/mpx.c: Eliminate clone-and-hack from `mpx_{load,store}{l,b}{,2cn}'.
Introduce another pile of macros. The implementations probably aren't
as efficient as the hand-coded versions, but I don't think they were
ever time-critical.
Mark Wooding [Thu, 27 Mar 2014 03:18:32 +0000 (03:18 +0000)]
math/mpx.c: Eliminate clone-and-hack of shifting primitives.
Replace with some fancy macros.
Mark Wooding [Sat, 13 Jul 2013 15:34:40 +0000 (16:34 +0100)]
rand/noise.c (noise_filter): Use the <mLib/sel.h> machinery.
Makes things a little more verbose but rather simpler.
Mark Wooding [Sat, 13 Jul 2013 15:34:40 +0000 (16:34 +0100)]
rand/noise.c (noise_filter): Use <mLib/mdup.h>.
The code was slightly incorrect previously: if the standard descriptors
are closed to begin with, then the pipe ends up being closed on entry.
As far as I know, this has never actually happened, but I have the
machinery to fix this bug so I might as well use it.
Mark Wooding [Sat, 13 Jul 2013 15:34:40 +0000 (16:34 +0100)]
rand/noise.c (noise_filter): Invoke the shell properly.
This has been buggered forever. :-/
Mark Wooding [Sat, 13 Jul 2013 15:34:40 +0000 (16:34 +0100)]
rand/noise.c: Environment variable to force use of `noise_filter'.
For debugging, mostly. Don't use this in real life.
Mark Wooding [Sat, 13 Jul 2013 15:34:40 +0000 (16:34 +0100)]
rand/noise.c: Order <signal.h> properly.
I try to keep them alphabetical.
Mark Wooding [Wed, 12 Mar 2014 16:20:35 +0000 (16:20 +0000)]
math/gfreduce.c: Fix commentary.
Nothing very serious.
Mark Wooding [Wed, 12 Mar 2014 16:20:06 +0000 (16:20 +0000)]
math/mpreduce.c: Fix some typos in commentary.
Mark Wooding [Sat, 13 Jul 2013 15:34:40 +0000 (16:34 +0100)]
rand/noise.c (noise_timer): Actually update previous time.
A long-standing bug. Oops.
Mark Wooding [Sat, 13 Jul 2013 15:34:40 +0000 (16:34 +0100)]
rand/noise.c (noise_devrandom): Fix reading from the kernel random device.
It was, unfortunately, filled with badgers.
* Don't take short reads for an answer. Loop until the read actually
fails, or we've filled the buffer.
* If we didn't actually read enough to fill the buffer, then don't
return success! The fallback collectors will engage and hopefully
save our bacon.
Mark Wooding [Fri, 6 Sep 2013 09:46:54 +0000 (10:46 +0100)]
gdsa: Generate nonces more securely.
Hash the private key and message, together with some random stuff. This
ought to be hard to guess even if the randomness is bad.
Mark Wooding [Fri, 6 Sep 2013 09:45:22 +0000 (10:45 +0100)]
pub/gkcdsa.c: Fix label in test failure output.
Mark Wooding [Sat, 28 Dec 2013 14:21:51 +0000 (14:21 +0000)]
Release 2.1.6.1.
Mark Wooding [Sat, 28 Dec 2013 13:59:44 +0000 (13:59 +0000)]
symm/multigen: Fix for Python 2.5.
The top-level `next' function was introduced in 2.6, so use `.next()'
and catch `StopIteration'.
Mark Wooding [Sat, 28 Dec 2013 13:36:37 +0000 (13:36 +0000)]
math/gen{primes,wheel}.c: Don't use full header file name in `#include'.
This makes source distributions fail badly.
Mark Wooding [Fri, 27 Dec 2013 14:29:16 +0000 (14:29 +0000)]
Release 2.1.6.
Mark Wooding [Fri, 27 Dec 2013 12:32:12 +0000 (12:32 +0000)]
math/mp-jacobi.c: Fix embarrassing spelling mistake in documentation.
Mark Wooding [Fri, 27 Dec 2013 12:02:26 +0000 (12:02 +0000)]
math/mp-gcd.c: Minor reformatting.
So that it matches the recent fix a little better.
Mark Wooding [Fri, 27 Dec 2013 12:00:53 +0000 (12:00 +0000)]
math/mp-gcd.c: Avoid clobbering constants during the sign fixup.
If the GCD computation was trivial, then the state still contains
references to the constants `MP_ZERO' and `MP_ONE'. It would be Really Bad
to trash their signs -- in particular, this causes comparisons with
`MP_ONE' to fail, leading to an assertion failure from `mp_modinv'.
Mark Wooding [Fri, 27 Dec 2013 11:56:48 +0000 (11:56 +0000)]
Makefile.am: Add some forgotten files to the distribution archive.
Mark Wooding [Sun, 11 Aug 2013 01:07:41 +0000 (02:07 +0100)]
More whitespace fixes.
With a little luck, that'll be the last for a while.
Mark Wooding [Sun, 11 Aug 2013 01:08:00 +0000 (02:08 +0100)]
.gitattributes: New file; Python programs shouldn't have tabs.
Mark Wooding [Sat, 10 Aug 2013 20:19:58 +0000 (21:19 +0100)]
Some more whitespace cleanups.
Mark Wooding [Sat, 10 Aug 2013 08:48:52 +0000 (09:48 +0100)]
math/gfreduce.c, math/mpreduce.c: Remove unused macro from testing code.
Must have been cut-and-paste lossage when the tests were added.
Also remove a spurious blank line.
Mark Wooding [Fri, 9 Aug 2013 12:22:47 +0000 (13:22 +0100)]
math/gfreduce.[ch]: Fix out-of-bounds memory access.
The final pass of the reduction adds a multiple of the extra top bits
from the most significant word; but at this point, the generated
instruction sequence will access a word one beyond the bottom of the
supplied memory vector. While it (probably) won't modify this word, it
will still attempt to read and write it.
This is relatively harmless, since typically the vector will have been
allocated from our custom arena, and therefore there'll be a header word
in this position, but hand-built polynomials may cause trouble.
Fix this bug by keeping track of the first instruction which accesses a
word other than the least significant, and using this alternative entry
point in the final pass. Fortunately, there's an unused slot, `liv', in
the context structure which we can use for this purpose!
(Yes, the previous refactoring was largely for the purpose of fixing
this bug.)
Mark Wooding [Fri, 9 Aug 2013 09:30:48 +0000 (10:30 +0100)]
math/gfreduce.c: Refactor and document.
There was an unfortunate amount of code duplication in the old code,
particularly around the issuing of LSR instruction sequences. Gather
the relevant state into a structure, and split the repeated code into
separate functions.
A casualty of this refactoring work is the work put into calculating the
`liv' slot in the `gfreduce' structure, carefully calculated to be a
pointer immediately after the first `STORE' instruction. Alas, this
information is completely useless.
Also add a bunch of commentary explaining the underlying theory.
Mark Wooding [Fri, 9 Aug 2013 09:13:15 +0000 (10:13 +0100)]
math/gfreduce.h: Missing include.