Mark Wooding [Fri, 28 Jun 2013 23:23:07 +0000 (00:23 +0100)]
Mollify various warnings which occur in 64-bit builds.
Mark Wooding [Fri, 28 Jun 2013 23:22:28 +0000 (00:22 +0100)]
pixie.c: Use `socklen_t' rather than `size_t'.
Mark Wooding [Sat, 22 Jun 2013 15:23:56 +0000 (16:23 +0100)]
key/pixie-common.c, progs/pixie.c: Handle error returns better.
This was rather bad, really. It's still not perfect, by a long way.
Mark Wooding [Sat, 22 Jun 2013 15:24:52 +0000 (16:24 +0100)]
progs/pixie.c: Fix format security bugs.
Really not very impressive.
Mark Wooding [Sat, 22 Jun 2013 14:04:44 +0000 (15:04 +0100)]
Use the shiny new `mLib' warning-control macros.
Mark Wooding [Sat, 22 Jun 2013 14:03:33 +0000 (15:03 +0100)]
progs: Fix a number of format-related errors.
Picked up by the new `mLib' attribute machinery.
Mark Wooding [Wed, 19 Jun 2013 02:09:46 +0000 (03:09 +0100)]
Muffle GCC warnings in various ways.
Some don't require much in the way of contortion to muffle without using
GCC-specific tricks. Others are hard or impossible to avoid -- because
they're to do with macro definitions, or even actually GCC bugs (e.g.,
the array-bounds warning in `square.c') -- without just muffling the
warnings explicitly, by name.
Mark Wooding [Wed, 19 Jun 2013 00:43:57 +0000 (01:43 +0100)]
progs/pixie.c: Rewrite list hacking to avoid strict-aliasing badness.
The circular list stuff was quite pretty but involved some really
unpleasant casting which modern GCC (quite properly) complains about
vociferously.
Replace it with more traditional doubly-linked-list hacking with
null-pointer sentinels, with the slightly nasty pointer swizzling tucked
away in useful macros. Some of the uses of these macros (e.g.,
unlinking the first or last item in a list) could be made more efficient
by using special-case versions, but it doesn't seem worthwhile.
Mark Wooding [Wed, 19 Jun 2013 00:39:03 +0000 (01:39 +0100)]
progs/pixie.c: Rename `log' function to `pxlog'.
Shuts up an annoying compiler warning.
Mark Wooding [Fri, 14 Jun 2013 19:43:15 +0000 (20:43 +0100)]
debian: Use Debhelper 8 rather than the awful custom script.
Mark Wooding [Fri, 14 Jun 2013 19:43:15 +0000 (20:43 +0100)]
debian/control: Remove irrelevant blather about `xpixie'.
The script was never shipped.
Mark Wooding [Wed, 5 Jun 2013 16:14:30 +0000 (17:14 +0100)]
Overhaul `math' representation machinery.
Collect type information from the C compiler at configuration
time (using a rather complicated hack so that it works with
cross-compilers). Read this from a Python script `mpgen' which is now
responsible for knowing all of the `mp' representation details.
Since `mpgen' generates all of the constant tables directly, we no
longer have any need for the programs `genlimits' or `mpdump' -- or the
random collection of `awk' scripts for turning `mumbletab.in' files into
`mumbletab.c' files. And this means that we can kill `libmpbase.la'.
With this change, Catacomb is finally safe for cross-compilation.
Mark Wooding [Sun, 2 Jun 2013 20:37:47 +0000 (21:37 +0100)]
Generate precomputed tables as sources in `precomps/'.
Rather than header files in the build tree. The precomputations are
distributed, and not built in cross builds.
Mark Wooding [Sun, 2 Jun 2013 11:54:11 +0000 (12:54 +0100)]
Rearrange the file tree.
It's actually, like, a tree now. Testing is a bit wobbly: you really do
have to make the library before the tests will build. I don't like
this, but the pieces of the library are all rather intertwined.
One small piece of unintertwining: `strongprime.c' no longer includes
`rand.h', which detaches the mathematical code from the symmetric-crypto
build system disaster.
Test files have been moved into `t/' directories as is now established
practice.
Also take the opportunity to eradicate the CVS `$Id...$' droppings.
Mark Wooding [Sat, 1 Jun 2013 22:39:51 +0000 (23:39 +0100)]
configure.ac: Replace with a new version.
Mark Wooding [Sat, 1 Jun 2013 19:35:54 +0000 (20:35 +0100)]
blowfish-mktab.c: Remove the eye-candy progress meter.
It really makes a mess of parallel builds.
Mark Wooding [Sat, 1 Jun 2013 19:28:26 +0000 (20:28 +0100)]
Abandon the `m4'-based build system. And there was great rejoicing.
The makefile has been entirely rewritten using old-fashioned Automake.
I've used the undocumented `foo_OBJECTS' variables in a couple of places
to make parallel builds work, but those will disappear again in the
course of future rearrangements of the source tree.
A couple of the scungier programs for building boilerplate source files
have been replaced by the marvellous new template-substitution program
`multigen'.
The `qcc' script is a casualty of the rearrangements. Supporting it is
easy, but probably pointless. So it's gone.
Currently most of the generated code is left in the build tree (rather
than the source tree) and not distributed. This wants to be fixed
later, but the exact machinery will be rather different.
This is only the start of a programme of overhauling Catacomb's ageing
and rather nasty build system. The objective is to end up with modern-
looking build scripts, and a pleasant and sensible directory tree. Not
much of the actual code will change during this, though lots of it will
move around. In particular, the testing machinery is likely to be
overhauled quite a lot.
Mark Wooding [Sat, 1 Jun 2013 22:38:03 +0000 (23:38 +0100)]
.links: Drop obsolete `lib-config.in' file.
Mark Wooding [Sat, 1 Jun 2013 19:34:48 +0000 (20:34 +0100)]
key-flags.c, key-pack.c, key-pass.c: Don't use the `key.h' machinery.
These are logically part of the `key-data.h' layer, and don't need
anything beyond that, so remove the header-file inclusion.
Mark Wooding [Mon, 27 May 2013 21:34:38 +0000 (22:34 +0100)]
Release 2.1.4.
Mark Wooding [Mon, 27 May 2013 21:23:58 +0000 (22:23 +0100)]
oaep.c, pkcs1.c: Use official constant-time operations.
The logic is a bit more contorted in places, but the security is better.
Mark Wooding [Mon, 27 May 2013 21:23:35 +0000 (22:23 +0100)]
ct.c, ct.h: New constant-time operations.
Mark Wooding [Mon, 27 May 2013 22:05:44 +0000 (23:05 +0100)]
Revert "group.h: Fix the struct tag for `group'."
I'm a moron. The trailing `_' was there to distinguish my groups from
`struct group' in <grp.h>. Put it back.
This reverts commit c6c823084467cc7a60808cdee8015529115b8b91.
Mark Wooding [Mon, 27 May 2013 21:28:12 +0000 (22:28 +0100)]
Merge branch 'master' of git.distorted.org.uk:~mdw/publish/public-git/catacomb
* 'master' of git.distorted.org.uk:~mdw/publish/public-git/catacomb:
mpmul.[ch]: Move internal `HWM' and `LWM' constants to implementation.
group.h: Fix the struct tag for `group'.
Mark Wooding [Tue, 30 Apr 2013 22:00:34 +0000 (23:00 +0100)]
mpmul.[ch]: Move internal `HWM' and `LWM' constants to implementation.
No idea what I was thinking when I put them in the public header file.
Mark Wooding [Thu, 11 Apr 2013 10:37:10 +0000 (11:37 +0100)]
Release 2.1.3.
Mark Wooding [Thu, 11 Apr 2013 11:02:21 +0000 (12:02 +0100)]
The pixie no longer needs to be setuid-root.
So turn off the option by default, and downgrade the question. Also
make the documentation more useful and up-to-date.
Mark Wooding [Wed, 10 Apr 2013 19:40:36 +0000 (20:40 +0100)]
group.h: Fix the struct tag for `group'.
Maybe I was going to give it a longer name once upon a time. It's stuck
now, though.
Mark Wooding [Mon, 8 Apr 2013 16:10:50 +0000 (17:10 +0100)]
mkphrase.c: Allow a range for phrase entropy.
Mark Wooding [Mon, 8 Apr 2013 16:09:49 +0000 (17:09 +0100)]
mkphrase.c: Better error checking on the length range parameter.
Mark Wooding [Sun, 7 Apr 2013 22:44:34 +0000 (23:44 +0100)]
New function and example program computes Fibonacci numbers fairly fast.
Mark Wooding [Thu, 28 Feb 2013 16:55:41 +0000 (16:55 +0000)]
hashsum.c: Document `--progress' in the `--help' display.
Release 2.1.2.1.
Mark Wooding [Thu, 28 Feb 2013 17:36:22 +0000 (17:36 +0000)]
.gitignore: Ignore `auto-version' script.
Mark Wooding [Wed, 9 Jan 2013 03:26:52 +0000 (03:26 +0000)]
Release 2.1.2.
Mark Wooding [Wed, 9 Jan 2013 03:29:48 +0000 (03:29 +0000)]
Cleanups.
* Remove bogus old `catacomb-config.in' file from the pre-pkgconfig
days.
* Fix library version in Makefile.
Mark Wooding [Wed, 9 Jan 2013 03:56:20 +0000 (03:56 +0000)]
cc-hash.c (fhash): The FILE name may be null.
So pass a dummy string on for the progress indicator.
Mark Wooding [Sat, 25 Feb 2012 23:35:18 +0000 (23:35 +0000)]
Hash utilities: Check for and report on junk files.
That is, when verifying a list of hashes, we optionally detect and
report files which are present in the filesystem, alongside files which
we're checking, but which aren't in our list.
Thanks to Patrick Gosling for the idea.
Mark Wooding [Mon, 7 Jan 2013 23:27:08 +0000 (23:27 +0000)]
Hash utilities: maintain a hash state object, not a bundle of arguments.
This makes a number of things a bit cleaner, except that we (currently
pointlessly) remember to free up this state object when we're finished
with it.
Mark Wooding [Thu, 3 May 2012 12:48:59 +0000 (13:48 +0100)]
Use auto-version machinery for building.
Mark Wooding [Thu, 3 May 2012 12:35:47 +0000 (13:35 +0100)]
Makefile.m4: Remove mplimits.[ch] on clean.
Mark Wooding [Thu, 3 May 2012 12:28:24 +0000 (13:28 +0100)]
configure.in: Put the auxiliary scripts in a useful place.
For some reason, modern Autoconf finds the wrong copy otherwise and
all hell breaks loose.
Mark Wooding [Thu, 3 May 2012 09:54:16 +0000 (10:54 +0100)]
mpint.c (touint): Compare unsigned with unsigned, not unsigned long.
Otherwise the tests fail on LP64 platforms.
Mark Wooding [Thu, 3 May 2012 09:44:20 +0000 (10:44 +0100)]
tests/Makefile.m4: Distribute the converted AES test-vector files.
Otherwise later versions of distcheck fail.
Mark Wooding [Thu, 3 May 2012 09:35:19 +0000 (10:35 +0100)]
Makefile.m4: Don't build pgroups.kr: it introduces circular dependency.
Mark Wooding [Sat, 25 Feb 2012 23:34:16 +0000 (23:34 +0000)]
hashsum.c: Return nonzero from `checkhash' on errors.
A serious bug: `checkhash' carefully maintained the `rc' variable -- and
then ignored it and always returned zero anyway.
Mark Wooding [Sat, 25 Feb 2012 13:41:19 +0000 (13:41 +0000)]
cc.h: Fix FHF_MASK.
Must have been a typo. Nobody uses this for anything anyway.
Mark Wooding [Mon, 23 Jan 2012 02:46:53 +0000 (02:46 +0000)]
key-data.[ch]: Fix trivial typo.
`key_mewmp'. Miaow.
Mark Wooding [Mon, 23 Jan 2012 02:37:40 +0000 (02:37 +0000)]
key-data.c (key_struct{set,steal}): Assert no other references.
Otherwise I predict serious trouble when someone gets the reference
counting wrong.
Mark Wooding [Sun, 22 Jan 2012 13:12:15 +0000 (13:12 +0000)]
dsig.c: Allow precomputed hashes to be read from a file.
This lets you convert a hashsum(1) file or similar into a dsig(1)
signature file.
Mark Wooding [Sun, 22 Jan 2012 13:12:15 +0000 (13:12 +0000)]
cc-hash.c, hashsum.c: Move hash-file parsing stuff to `cc-hash.c'.
This is a bit trickier than just slinging existing functions about and
tarting them up a bit: it introduces a proper interface to parsing hash
files, which previously was interleaved with actually verifying the
hashes.
Also moved a couple of auxiliary functions which are needed by the moved
code.
Mark Wooding [Sun, 22 Jan 2012 13:12:14 +0000 (13:12 +0000)]
cc-hash.c: New file containing hash-related code from hashsum and dsig.
There's a fair amount of duplication already, most notably the
`getstring'/`putstring' functions, and `fhash'. The encoding stuff
isn't common yet, but will be needed in a later change.
Mark Wooding [Sun, 22 Jan 2012 13:12:14 +0000 (13:12 +0000)]
cc.h: Reorder the declarations.
Split the file into chunks with their own type definitions and so on,
rather than having one big section of type definitions.
This header file is getting a bit unwieldy, and I'm going to be adding
more stuff to it. It probably ought to be split into pieces.
Mark Wooding [Sun, 22 Jan 2012 13:12:14 +0000 (13:12 +0000)]
dsig.c: Accept `-' to mean stdin/stdout in arguments to `-f' and `-o'.
Mark Wooding [Sun, 22 Jan 2012 13:12:14 +0000 (13:12 +0000)]
Catcrypt tools: Roll out progress indicator stuff from hashsum.
Factor out the progress indication from hashsum, and introduce it into
the other tools.
Mark Wooding [Sun, 22 Jan 2012 13:12:14 +0000 (13:12 +0000)]
catcrypt.c: Don't close output file twice.
The C library doesn't like it. Who knew?
Mark Wooding [Sun, 22 Jan 2012 13:12:14 +0000 (13:12 +0000)]
catcrypt.c, catsign.c: Shorten chunk sizes.
The chunks are written with a 16-bit length, so the maximum chunk size
is 2^16 - 1 = 65535. Unfortunately, catsign tried to write 65536-byte
chunks, and catcrypt tried to cram a MAC tag in there too. The result
is that chunk_write fails an assertion because the chunks are too big.
No idea why this ever worked before.
Mark Wooding [Sun, 22 Jan 2012 13:02:47 +0000 (13:02 +0000)]
keyutil.c: Remove stray tabs and trailing space from the list format.
Not sure how the trailing spaces got there; the tabs are from
an overzealous tabification run.
Mark Wooding [Sun, 22 Jan 2012 12:58:57 +0000 (12:58 +0000)]
keyutil.c: Only copy the shared parts of a parameters key.
Reported by GCC warning that `kf' wasn't used for anything. Use the new
function key_copydata to copy only the bits which really ought to be
copied.
This is unlikely to make much difference in practice since all
parameters keys we make have all of their components shared.
Mark Wooding [Sun, 22 Jan 2012 12:57:45 +0000 (12:57 +0000)]
key-data.[ch] (key_copydata): New function copies filtered key data.
Mark Wooding [Sun, 22 Jan 2012 12:56:34 +0000 (12:56 +0000)]
key-attr.c (key_setkeydata): Decref after incref.
Otherwise we'd crash if someone set the key data to be itself.
Mark Wooding [Sun, 22 Jan 2012 12:55:52 +0000 (12:55 +0000)]
.gitignore: Ignore `ylwrap'.
Mark Wooding [Sun, 2 Oct 2011 12:58:19 +0000 (13:58 +0100)]
hashsum.1: Write some notes about compatibility with GNU Coreutils.
Mark Wooding [Sun, 2 Oct 2011 12:57:59 +0000 (13:57 +0100)]
hashsum.1: Fix counting error (left over from some previous edit).
Mark Wooding [Sun, 2 Oct 2011 12:41:44 +0000 (13:41 +0100)]
hashsum.c: Optional progress indicator for large files.
Hashing large files is very dull. Optionally provide some eyecandy and
a completion time estimate (if the input is seekable) in order to keep
the user happy.
Mark Wooding [Thu, 1 Sep 2011 23:49:10 +0000 (00:49 +0100)]
mptext.c: Fix hopeless incorrectness in raw base conversions.
Both mp_write and mp_read are broken. The former would write a digit
`0' for a zero input, and attempt to prefix its output with a `-' sign
on negative input, both of which are impossible to decode unambiguously.
The latter would skip leading whitespace characters, which makes
encodings beginning with certain bytes decode incorrectly.
Include tests for these cases, and fix the bugs.
Mark Wooding [Tue, 5 Jul 2011 15:24:47 +0000 (16:24 +0100)]
Makefile.m4: Fix linking problems.
Debian's become pickier about propagating dependencies from libraries.
This is probably a good thing for keeping us honest, so include $(LDADD)
in various places with a glad heart.
Mark Wooding [Fri, 20 May 2011 23:55:19 +0000 (00:55 +0100)]
tiger-mktab.c: Don't have printf swallow a kludge64 whole.
If a 64-bit type was actually found, we tried to feed the containing
kludge64 structure to printf while printing the table, rather than just
the 64-bit number inside. This was silly.
Mark Wooding [Fri, 20 May 2011 23:53:37 +0000 (00:53 +0100)]
ghash.h: Fix GH_HASHSTR64*.
These were bogus redefinitions of GH_HASHSTR32* due to a stupid
copy-and-paste error.
Mark Wooding [Wed, 22 Apr 2009 19:20:56 +0000 (20:20 +0100)]
gdsa: Include "dsa.h" for dsa_h2n.
Somehow it managed to work anyway.
Mark Wooding [Wed, 22 Apr 2009 19:02:41 +0000 (20:02 +0100)]
perftest: Document the `-q' option for disabling checking.
The option didn't make its way to the help message.
Mark Wooding [Fri, 26 Dec 2008 12:47:12 +0000 (12:47 +0000)]
Makefile: Link tests against stuff like -lm.
Now that EC validation requires transcendental functions, some of the
tests are breaking. This is obviously less than ideal.
Mark Wooding [Fri, 26 Dec 2008 12:41:59 +0000 (12:41 +0000)]
perftest: Optionally disable group checking.
This takes ages on big prime groups, and is almost useless. It may be
worth making not-checking be the default.
Mark Wooding [Mon, 17 Mar 2008 18:48:12 +0000 (18:48 +0000)]
Infrastructure: Switch over to pkg-config.
Mark Wooding [Fri, 1 Feb 2008 18:29:17 +0000 (18:29 +0000)]
gdsa: Fix the conversion of hashes to integers to conform to the spec.
The spec is obviously insane.
Mark Wooding [Thu, 31 Jan 2008 12:01:00 +0000 (12:01 +0000)]
hashsum: Write directives when hashing a list of files from stdin.
Otherwise the list can't be verified properly.
Mark Wooding [Mon, 5 Nov 2007 14:30:36 +0000 (14:30 +0000)]
tests/gdsa: Test from P1363.
Mark Wooding [Tue, 30 Oct 2007 10:49:40 +0000 (10:49 +0000)]
ectab.in: Add previously unacceptable curves from X9.62.
Previously we rejected curves with large cofactors. We've now
recognized that this was unnecessary. This change includes the curves
from X9.62 which were previously omitted for having large cofactors.
The curve c2onb239v2 seems incorrect as specified. In particular, the
specified base point G isn't in the prime-order subgroup -- in fact, it
seems as if the curve group E is cyclic and G is primitive in E. The
base point included in the table is actually P = 6 G, which does
correctly generate the prime-order subgroup.
Mark Wooding [Tue, 20 Feb 2007 17:32:07 +0000 (17:32 +0000)]
ec-info: Better checking of embedding degrees.
Replace the rather cheap embedding degree check with a more
sophisticated analysis.
* Use the new key-size conversions from keysz-conv.c to determine a
suitable embedding degree.
* Following L. Hitt's paper, we ensure that no field with the same
characteristic as the curve field is sufficiently small to cause
concern; the old algorithm just checked extensions of the curve
field, which can miss the smallest possible target field.
* This involves a rather fancy algorithm which partially factors the
curve order r - 1, making use of the new prime iteration code.
Still to do on this:
* Work out how to identify curves where pairings will help an attacker
solve the DDH problem.
* Provide a mechanism for passing parameters to checking functions.
Mark Wooding [Mon, 19 Feb 2007 17:25:49 +0000 (17:25 +0000)]
ec-info: Add trailing newline to error message.
If there are syntactically incorrect curves on the command line, an
error is reported without a trailing newline. This has a tendency to
get eaten by bash (my prompt has a carriage return at the beginning).
Mark Wooding [Tue, 20 Feb 2007 17:22:50 +0000 (17:22 +0000)]
primeiter: New functions for iterating over small primes.
The primeiter functions return consecutive prime numbers from a given
starting point. To help do this efficiently we use a `wheel': a table
of steps to make which avoid integers with small factors. The wheel is
generated by a new build-time utility genwheel.c.
Mark Wooding [Mon, 19 Feb 2007 13:09:58 +0000 (13:09 +0000)]
keysz-conv: Conversions between different kinds of key types.
It's useful to be able to convert between, say, a DL key length and an
EC key length. The functions are here; they'll probably want to be
fiddled with as time goes on and the relationships change.
Mark Wooding [Mon, 19 Feb 2007 13:07:38 +0000 (13:07 +0000)]
keysz.h: Extract key-size stuff into a separate header file.
This is going to grow later; for now, just move the stuff from gcipher.
Include keysz.h in gcipher.h for backwards compatibility, even though
it's not strictly necessary.
Mark Wooding [Tue, 20 Feb 2007 00:10:47 +0000 (00:10 +0000)]
mpbarrett: Mark newly-split d as UNDEF.
After being split off from m (or whatever), we write q - mb->m into d's
storage; obviously we don't need whatever was there before, so it's safe
to set UNDEF. We'll clear the flag shortly afterwards when d inherits
its sign and burn flags.
Mark Wooding [Tue, 20 Feb 2007 00:08:55 +0000 (00:08 +0000)]
mpbarrett: Fix memory leak in early exit from mpbarrett_reduce.
If we exit in the first stage, we leaked q. This isn't tested, because
I couldn't contrive a test case for it.
Mark Wooding [Tue, 20 Feb 2007 00:04:39 +0000 (00:04 +0000)]
mpbarrett: Found mpbarrett_reduce hanging on this testcase.
A Python program spun inside mpbarrett_reduce, attempting the
computation in this testcase. The test program hung too, and debugging
it yielded the following information. On entry, d and m were equal; for
some reason, in the MP_DEST call, d was being aliased to m again, even
though m was still active; of course, m/d now had refcount 1, and all
hell broke loose when m got dropped.
A ground-up rebuild made the problem go away, so maybe it was just fluff
in the build tree. I'm leaving this test here anyway so that it'll
catch a return of the bug, and maybe I can investigate it more carefully
then.
Mark Wooding [Sat, 17 Feb 2007 12:11:26 +0000 (12:11 +0000)]
group-parse: Emit useful error messages when parsing fails.
Previously it would overwrite the useful message from lower-level
parsers with its own bland and unhelpful error.
Mark Wooding [Thu, 15 Feb 2007 16:36:42 +0000 (16:36 +0000)]
A number of small bug fixes, some motivated by compiler warnings.
* key-data.c:key_nextsubkey -- explicitly return nonzero if we found
something.
* key-io.c:key_new -- cast the constant type pointer during the
unpleasant hack.
* mp-mem.c:mp_build -- store an arena in the built integer; otherwise
pgen_primep (for example) gets confused later on.
* mp-modsqrt.c:mp_modsqrt -- fix the maths in a comment; the code was
fine.
* oaep.c:oaep_decode -- don't try to do too much in one expression.
* pgen-simul.c:pgen_simultest -- always return a sensible result code.
* cc.h:sig -- hash classes are constant.
* cc-{kem,sig}.c:get{kem,sig} -- initialize the kp structure member,
just in case.
* rijndael*.c, square.c -- fix const-correctness errors.
Mark Wooding [Thu, 15 Feb 2007 16:38:15 +0000 (16:38 +0000)]
mp-gcd, gf-gcd: Tweak memory management subtly.
Avoid mp churn by keeping a single spare integer lying around during the
main loop.
Mark Wooding [Sat, 10 Feb 2007 22:47:20 +0000 (22:47 +0000)]
mp-jacobi: Implement Kronecker symbol.
The Kronecker symbol is a generalization of the Jacobi symbol whose
domain is the entire space of integers. This just lets us return
something vaguely sensible even when the arguments are messed up.
Mark Wooding [Thu, 18 Jan 2007 16:51:18 +0000 (16:51 +0000)]
ec-info: Overhaul elliptic curve domain parameter checking.
* Separate out the common parts of prime and binary curve checking into
its own function.
* Replace the cofactor checking with a new, rather more complicated,
algorithm which verifies that it has the correct value without
needing an explicit square-root. Also allow larger cofactors; it's
not our responsibility to avoid small-subgroup attacks.
* Replace the embedding-degree check with one that's rather more
enlightened. Unfortunately, it has to intuit the desired security
level, and that's not going to work well.
Also check for memory leaks in the test harness (one snuck in during
development and was caught by another test).
Mark Wooding [Sun, 28 Jan 2007 22:51:01 +0000 (22:51 +0000)]
cleanup: Big pile of whitespace fixes, all at once.
Mark Wooding [Wed, 17 Jan 2007 17:32:04 +0000 (17:32 +0000)]
ec-bin (ec_binproj): Make curve setup faster.
Rather than computing bb from b by two square roots, each of which
actually calculates sqrt(x) as x^{2^{m-1}}, we can save time by
computing qdrt(x) as x^{2^{m-2}}.
I think this means that nobody uses F_SQRT on binary fields any more,
but I'll keep them around just in case.
Mark Wooding [Tue, 16 Jan 2007 22:09:55 +0000 (22:09 +0000)]
Modify syntax of field and curve specs to reserve `/'.
I'll want `/' as an operator in the expression syntax, so they can't
have it any more. Use `;' instead.
Mark Wooding [Tue, 16 Jan 2007 22:09:51 +0000 (22:09 +0000)]
modexp: Implement simple mp_modexp function.
This has been a serious omission for rather too long.
Mark Wooding [Tue, 16 Jan 2007 22:09:36 +0000 (22:09 +0000)]
genlimits: New program to generate useful limit MPs for C types.
Also another fix to mpint.h, to suppress pointless leading zero words.
Mark Wooding [Tue, 16 Jan 2007 22:20:15 +0000 (22:20 +0000)]
Merge branch 'fixes'
* fixes:
mpint: Fix misbehaviour on larger-than-mpw integer types.
Fix various assumptions about mpw sizes.
utils/mpreducetests.py: Tool to generate unpleasant mpreduce tests.
mpreduce: Don't crash if we've accumulated no instructions.
mpreduce: Don't stop bit scanner too early.
mpreduce: Debug decomposition corrupts initial state for code generator.
factorial: Fix usage message to fit in with conventions.
cleanup: Various aesthetic fiddlings of little consequence.
Mark Wooding [Tue, 4 Apr 2006 16:20:05 +0000 (17:20 +0100)]
mpint: Fix misbehaviour on larger-than-mpw integer types.
The old implementation of MP_FROMINT was grievously broken, it turns
out. Handle positive and negative numbers separately.
Mark Wooding [Tue, 4 Apr 2006 16:17:45 +0000 (17:17 +0100)]
Fix various assumptions about mpw sizes.
* configure, mptypes: New configure switches force mpw type to either
sane but small (16/32 bits) or cussid (19/38 bits). This found a
bunch of exciting bugs...
* gfreduce, mpreduce: If MPW_BITS is not a power of two, modular
reduction of a `negative' unsigned value does the wrong thing.
* mpx_lsl and friends: Shifting ops weren't masking high-order bits
correctly when writing the output. Apply MPW().
* mpx_usubnlsl: More failure to elide high-order junk bits.
* mptypes, mpx_udiv, mpx_bits, mp_odd: The binary search is neato, but
starts in the wrong place if MPW_BITS is not a power of two. Have
mptypes compute MPW_P2 as the largest power of two less than
MPW_BITS.
Mark Wooding [Tue, 16 Jan 2007 22:19:57 +0000 (22:19 +0000)]
utils/mpreducetests.py: Tool to generate unpleasant mpreduce tests.
Mark Wooding [Tue, 16 Jan 2007 21:50:40 +0000 (21:50 +0000)]
pgroups: Ship a keyring file containing the custom prime groups.
This is largely as a useful reference for the benefit of, oh, say the
TrIPE RFC document.