chiark / gitweb /
Mark Wooding [Wed, 10 May 2017 20:19:54 +0000 (21:19 +0100)]
math/scaf.c: Add some debugging utilities I found handy.
Mark Wooding [Wed, 10 May 2017 20:19:32 +0000 (21:19 +0100)]
math/scaf.c: Fix conditional subtractions in `scaf_reduce'.
So that they actually subtract the right thing. Obvious blunder. The
big surprise is that none of the literally thousands of
Ed25519 tests
which have hammered on that code caught it. (Found during development
of Ed448, coming later.)
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
pub/rsa-pub.c: Implement the optimal addition chains for e = 3, e = 65537.
Also add tests for e = 3 (previously missing) and e = 17 (to exercise
the general modexp path).
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
progs/perftest.c: Allow setting the public exponent in RSA tests.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
pub/rsa-gen.c, progs/key.c: Overhaul RSA key generation.
Rewrite the key-generation code from scratch. The new version seems
simpler to me, and allows the caller to choose the public exponent. It
also retries repeatedly until it finds acceptable values unless told to
stop within a finite number of steps.
Add an option to `key' to allow the user to select a different
exponent. Recommend e = 3 in the manpage.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
math/strongprime.c: Improve the commentary.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
math/strongprime.c: Replace inexplicable exponentiation with extended-gcd.
For some reason, I calculated s^-1 as s^{r-2} (mod r). This code isn't
even slightly constant-time, and gcd is faster than modexp. Also, this
bit isn't time-critical anyway, and the code is way simpler like this.
Mark Wooding [Sun, 14 May 2017 03:11:09 +0000 (04:11 +0100)]
Merge branch '2.3.x'
* 2.3.x:
Release 2.3.1.
pub/bbs-gen.c, pub/rsa-gen.c: Remove the lower-bounding on q.
math/strongprime.c: Clamp the starting point.
math/strongprime.c: Reduce failures by adding some more slop bits.
progs/catcrypt.c, progs/cc-sig.c: Compare MAC tags in constant time.
progs/cc-sig.c: Initialize hash context properly for RSA-PSS.
progs/cc-sig.c: Don't destroy an RSA context just after building it.
math/g-bin.c, math/g-prime.c: Fix type incompatibility.
math/g-*.c: Group implementations include `group.h' via `group-guts.h'.
key/key-io.c: Produce valid key lines for empty keys.
key/key-io.c: Fix segfault opening `KOPEN_READ | KOPEN_NOFILE' key files.
Conflicts:
math/group-guts.h (trivial)
progs/catcrypt.c (already picked up)
Mark Wooding [Sat, 13 May 2017 14:21:43 +0000 (15:21 +0100)]
Release 2.3.1.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
pub/bbs-gen.c, pub/rsa-gen.c: Remove the lower-bounding on q.
It's unnecessary. It was a bad idea because it biases q quite heavily,
but now `strongprime' generates primes in the right interval so that
getting the right bit length isn't a problem.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
math/strongprime.c: Clamp the starting point.
Now the result will be in the upper quarter of the `obvious' range, and
the product of two such values is guaranteed to have the desired number
of bits. This saves callers from doing stupid things like trying to
clamp one of the factors by hand, which ends up significantly biasing
the second factor. (This isn't very bad, because there's a /lot/ of
randomness in the chosen congruence class, but it's good to fix this
sort of thing.)
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
math/strongprime.c: Reduce failures by adding some more slop bits.
In my experiments, failures were happening about 2--3% of the time,
which is way more than one is really willing to tolerate.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/catcrypt.c, progs/cc-sig.c: Compare MAC tags in constant time.
Mark Wooding [Mon, 17 Apr 2017 23:03:01 +0000 (00:03 +0100)]
progs/cc-sig.c: Initialize hash context properly for RSA-PSS.
Somehow this seemed to work anyway on my machine; but valgrind agrees
that it was wrong.
Mark Wooding [Mon, 17 Apr 2017 22:31:11 +0000 (23:31 +0100)]
progs/cc-sig.c: Don't destroy an RSA context just after building it.
It causes an assertion failure later. Really embarrassing.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/g-bin.c, math/g-prime.c: Fix type incompatibility.
Callers of the abstract group API expect to pass in a pointer-to-
structure. The binary and prime group implementations expected a
pointer-to-pointer, which looks different. Change the way these work,
so that the group element is a structure holding a pointer, rather than
just a bare pointer. This doesn't make any difference on targets with
sane ABIs, but it fixes a potentially nasty problem on weirder
platforms.
Add a macro explaining this change so that users of this unstable
interface can cope with both versions.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/g-*.c: Group implementations include `group.h' via `group-guts.h'.
And not directly.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
key/key-io.c: Produce valid key lines for empty keys.
If a key contains only an empty tree of structures, then `key_write'
returns an empty string, which breaks the whitespace-separated field
structure of the output key line. Notice this and insert an empty
structure by hand as an unpleasant bodge.
The resulting key is still highly anomalous. In particular, it doesn't
match any filter, because structure nodes don't have flags. I don't
know what to do about this.
Mark Wooding [Sat, 13 May 2017 11:27:31 +0000 (12:27 +0100)]
key/key-io.c: Fix segfault opening `KOPEN_READ | KOPEN_NOFILE' key files.
They're useless, but they shouldn't cause a crash.
Mark Wooding [Sun, 30 Apr 2017 17:43:46 +0000 (18:43 +0100)]
Merge branches 'mdw/latin-ietf' and 'mdw/curve25519'
* mdw/latin-ietf:
symm/{chacha,salsa20}.[ch]: Support RFC7539-style 96-bit nonces.
symm/{chacha,salsa20}.c: Change how the test code sets up the cipher.
symm/{chacha,salsa20}.c: Abstract out cipher and rand initialization.
symm/{chacha,salsa20}.[ch]: Compress systematic naming better in comments.
symm/stub.h.in: Fix bogus characters in the include guard macro name.
symm/stub.h.in: Add include guard around header.
symm/t/chacha: Fix typo in comment.
* mdw/curve25519:
pub/, progs/: Add support for X448 key exchange, defined in RFC7748.
math/fgoldi.c: Add support for Hamburg's `Goldilocks' field.
pub/, progs/: Implement Bernstein's
Ed25519 signature scheme.
math/f25519.[ch]: More field operations.
pub/, progs/: Implement Bernstein's X25519 key-exchange algorithm.
math/f25519.c: Implementation for arithmetic in GF(2^255 - 19).
.gitignore, utils/.gitignore: Change Sage ignore rules.
Mark Wooding [Wed, 26 Apr 2017 10:55:08 +0000 (11:55 +0100)]
pub/, progs/: Add support for X448 key exchange, defined in RFC7748.
Mark Wooding [Wed, 26 Apr 2017 10:54:29 +0000 (11:54 +0100)]
math/fgoldi.c: Add support for Hamburg's `Goldilocks' field.
GF(2^448 - 2^224 - 1).
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
pub/, progs/: Implement Bernstein's
Ed25519 signature scheme.
Mark Wooding [Wed, 26 Apr 2017 10:53:05 +0000 (11:53 +0100)]
math/f25519.[ch]: More field operations.
Most are fairly simple utilities, except for `f25519_quosqrt' which does
a combined division and square root.
Mark Wooding [Mon, 17 Apr 2017 23:39:24 +0000 (00:39 +0100)]
pub/, progs/: Implement Bernstein's X25519 key-exchange algorithm.
Mark Wooding [Mon, 17 Apr 2017 23:39:24 +0000 (00:39 +0100)]
math/f25519.c: Implementation for arithmetic in GF(2^255 - 19).
There's both a fast implementation for platforms with 64-bit arithmetic,
and a slow baseline for minimal C89 platforms. The code works better on
two's complement systems with arithmetic right shifts, but it works
portably.
* Arithmetic shifts are implemented with hairy masking and exact
division, but GCC notices and optimizes accordingly.
* Two's complement is used in the conditional-swap machinery, but
there's a fallback using multiplication if the `configure' script
can't detect it.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/{chacha,salsa20}.[ch]: Support RFC7539-style 96-bit nonces.
I think these are a bad idea, but they'll be popular (and are etched
into the AEAD proposal).
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/{chacha,salsa20}.c: Change how the test code sets up the cipher.
Introduce a macro which does the key, nonce and position setup in one
go.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/{chacha,salsa20}.c: Abstract out cipher and rand initialization.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/{chacha,salsa20}.[ch]: Compress systematic naming better in comments.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/stub.h.in: Fix bogus characters in the include guard macro name.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/stub.h.in: Add include guard around header.
Most Catacomb public headers do this, so the stubs ought to too.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/t/chacha: Fix typo in comment.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
.gitignore, utils/.gitignore: Change Sage ignore rules.
It seems Sage now makes `.sage.py' files instead of plain `.py'. This
is a much better idea, and it means that we can have a single rule to
ignore all of them.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/cc-kem.c: Add `naclbox' crypto transform.
This uses Salsa20/r (or ChaChar) and Poly1305 in the same way as NaCl
`secretbox'. Difference: NaCl uses XSalsa20 for the extended nonce
size, but we have no need of that here.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/catcrypt.c, progs/cc-kem.c: Refactor bulk encryption.
The bulk crypto transform is now owned by the KEM machinery, and
provided to callers as one object rather than a bunch of little
components. There are some conceptual changes in the UI, but in fact
everything still works the way it did before.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/key.c: Support applying parameters in all key-generation algorithms.
If the algorithm itself can't make use of parameters, at least it can
copy the key attributes.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/key.c: Let `copyparam' worry about the parameter key's type.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/key.c: Report full parameter-key name in errors about it.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/catcrypt.c, progs/cc-sig.c: Compare MAC tags in constant time.
Mark Wooding [Mon, 17 Apr 2017 23:03:01 +0000 (00:03 +0100)]
progs/cc-sig.c: Initialize hash context properly for RSA-PSS.
Somehow this seemed to work anyway on my machine; but valgrind agrees
that it was wrong.
Mark Wooding [Mon, 17 Apr 2017 22:31:11 +0000 (23:31 +0100)]
progs/cc-sig.c: Don't destroy an RSA context just after building it.
It causes an assertion failure later. Really embarrassing.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
key/key-io.c: Produce valid key lines for empty keys.
If a key contains only an empty tree of structures, then `key_write'
returns an empty string, which breaks the whitespace-separated field
structure of the output key line. Notice this and insert an empty
structure by hand as an unpleasant bodge.
The resulting key is still highly anomalous. In particular, it doesn't
match any filter, because structure nodes don't have flags. I don't
know what to do about this.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/g-bin.c, math/g-prime.c: Fix type incompatibility.
Callers of the abstract group API expect to pass in a pointer-to-
structure. The binary and prime group implementations expected a
pointer-to-pointer, which looks different. Change the way these work,
so that the group element is a structure holding a pointer, rather than
just a bare pointer. This doesn't make any difference on targets with
sane ABIs, but it fixes a potentially nasty problem on weirder
platforms.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/g-*.c: Group implementations include `group.h' via `group-guts.h'.
And not directly.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/...: Make a number of functions be const-correct.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/poly1305.c: Implement `flushzero' to zero-pad to a block boundary.
I prefer plain `flush', but not all implementations expose it. The
`flushzero' operation is the one wanted by RFC7539 AEAD.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/poly1305.c: Implement Bernstein's Monte-Carlo test.
I did run the full test once, but it took almost an hour.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/t/poly1305: Add the tests from Bernstein's original paper.
They were tucked away in an appendix and I missed them. Also, I
implemented from the NaCl paper, which is a better fit for modern usage.
Mark Wooding [Fri, 14 Apr 2017 22:27:50 +0000 (23:27 +0100)]
Merge branch '2.3.x'
* 2.3.x:
symm/salsa20.[ch]: Add missing LGPL notices.
math/mpx-mul4-test.c: Set `dstr' length correctly in conversion function.
symm/chacha.c: Fix `tell' response.
symm/chacha.[ch]: Fix comment headers.
symm/{chacha.c,salsa20.c}: Fix random generator allocation sizes.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/poly1305.c: Fix 16/32-bit `carry_reduce'.
I managed to botch the bounds last time.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/salsa20.[ch]: Add missing LGPL notices.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/mpx-mul4-test.c: Set `dstr' length correctly in conversion function.
(cherry picked from commit
b00264d9e2ac2f2be2808e7ad663c35115519504)
Mark Wooding [Thu, 13 Apr 2017 13:47:28 +0000 (14:47 +0100)]
symm/chacha.c: Fix `tell' response.
Mark Wooding [Thu, 13 Apr 2017 14:50:46 +0000 (15:50 +0100)]
symm/chacha.[ch]: Fix comment headers.
Mark Wooding [Thu, 13 Apr 2017 13:47:11 +0000 (14:47 +0100)]
symm/{chacha.c,salsa20.c}: Fix random generator allocation sizes.
This makes a real mess.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/mpx-mul4-test.c: Set `dstr' length correctly in conversion function.
Mark Wooding [Sat, 8 Apr 2017 10:05:49 +0000 (11:05 +0100)]
symm/poly1305.c: Change reading of 26-bit pieces.
This way, the masks fit together visually.
Mark Wooding [Sat, 8 Apr 2017 08:52:56 +0000 (09:52 +0100)]
symm/poly1305.c: Fix visual code misalignment.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/perftest.c: Add performance test for Poly1305.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/perftest.c: Split out magic table includes into their own stanza.
Mark Wooding [Fri, 7 Apr 2017 09:15:03 +0000 (10:15 +0100)]
symm/poly1305.h: Add missing `POLY1305_TAGSZ' definition.
Mark Wooding [Thu, 6 Apr 2017 16:31:30 +0000 (17:31 +0100)]
symm/poly1305.c: Fix 64-bit shift error.
Thank you, GCC, for warning about that.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/: Implement Daniel Bernstein's `Poly1305' message authentication code.
Mark Wooding [Wed, 5 Apr 2017 08:01:13 +0000 (09:01 +0100)]
Release 2.3.0.1.
Mark Wooding [Wed, 5 Apr 2017 07:59:33 +0000 (08:59 +0100)]
base/asm-common.h: Fix the sense of the `WANT_EXECUTABLE_STACK' check.
Brown paper bag time.
Mark Wooding [Wed, 5 Apr 2017 08:05:59 +0000 (09:05 +0100)]
math/: Distribute the `mpx-mul4' test vectors, with the correct name.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/: Add low-level testing for accelerated `mpx-mul4' multiplier.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
Makefile.am: Some reformatting.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
vars.am: Some reformatting.
Mark Wooding [Mon, 3 Apr 2017 09:25:30 +0000 (10:25 +0100)]
Release 2.3.0.
Mark Wooding [Wed, 4 Jan 2017 01:42:16 +0000 (01:42 +0000)]
math/mpx-mul4-amd64-sse2.S: SSE2 multipliers for AMD64.
Plus the various hangers on.
Mark Wooding [Wed, 4 Jan 2017 01:41:22 +0000 (01:41 +0000)]
math/mpx-mul4-x86-sse2.S: Maintain a local copy of the counter.
I've no idea whether one's allowed to mutate a parameter passed on the
stack. Play it safe.
This means that (a) the counter is now in a fixed place in the frame so
that `testtail' doesn't need to be told where it is, an (b)
`testprologue' needs to initialize it from the caller's parameter, so it
needs to grow a macro argument.
Mark Wooding [Wed, 4 Jan 2017 01:35:50 +0000 (01:35 +0000)]
math/mpx-mul4-x86-sse2.S: Make stack alignment more standard.
This actually slightly reduces the amount of stack needed, but I don't
quite understand why. There's a knock-on rearrangement of the stack
frame in the test wrappers and C-interface subroutines.
There's also a slightly sneaky introduction of space for a later change.
But there shouldn't be any externally observable difference.
Mark Wooding [Wed, 4 Jan 2017 01:36:56 +0000 (01:36 +0000)]
math/mpx-mul4-x86-sse2.S: Slightly reorder to reduce dependence.
Doesn't help much.
Mark Wooding [Wed, 4 Jan 2017 01:36:13 +0000 (01:36 +0000)]
math/mpx-mul4-x86-sse2.S: Fix comment formatting.
Mark Wooding [Thu, 29 Dec 2016 15:24:56 +0000 (15:24 +0000)]
math/mpx-mul4-x86-sse2.S: Additional piece of commentary.
Mark Wooding [Thu, 29 Dec 2016 15:24:26 +0000 (15:24 +0000)]
math/mpx-mul4-x86-sse2.S: Use default arguments for macros.
I'd muddled up my macro languages and misremembered that GNU as handles
omitted macro arguments sensibly. So use default argument values
throughout. Some of the macro arguments have been reordered to make
defaulting work better. No functional change.
Mark Wooding [Thu, 29 Dec 2016 14:36:12 +0000 (14:36 +0000)]
math/mpx-mul4-x86-sse2.S: Use the correct vector-multiply instruction.
Not sure why GNU as let me get away with that.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
math/mpx-mul4-x86-sse2.S: Give `squash' an explicit destination argument.
Also, rearrange the arguments so the destination(s) are at the start.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
math/mpx-mul4-x86-sse2.S: Optimize `squash'.
We can use `punpckldq' to assemble the 32-bit pieces, rather than a lot
of shifting to clear bits and then `por'.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
math/mpx-mul4-x86-sse2.S: Use `movdqa' to move between XMM registers.
Not `movdqu'. I don't think there's a performance difference (any
more), but it's better style.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
math/mpx-mul4-x86-sse2.S: Add an extra blank line to improve layout.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
math/mpx-mul4-x86-sse2.S: Fix operand name in commentary.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
math/mpx-mul4-x86-sse2.S: `mmla4' only need 48 bytes of stack.
Mark Wooding [Mon, 7 Nov 2016 12:24:35 +0000 (12:24 +0000)]
symm/salsa20-arm-neon.S: Improve output permutation still further.
Mark Wooding [Thu, 29 Dec 2016 14:35:06 +0000 (14:35 +0000)]
symm/rijndael-x86ish-aesni.S: Use `.extern' for external symbols.
Duh. `.globl' is certainly the wrong thing here.
Mark Wooding [Thu, 29 Dec 2016 15:21:08 +0000 (15:21 +0000)]
base/asm-common.h, */*.S: New macros for making stack-unwinding tables.
Previously, I only supported Microsoft SEH tables, because they're
basically essential to having a working 64-bit binary (because Microsoft
are crazy and throw asynchronous exceptions). But there are three
variants of stack-unwinding tables which are useful to make:
* Microsoft's SEH tables for AMD64, constructed using `.seh_...'
directives;
* ARM's `.ARM.exidx' and `.ARM.extab' tables; and
* Dwarf `.eh_frame' and `.debug_frame' tables.
These are all quite similar in flavour, but different in detail. Rather
than write lots of hairy conditional stuff around subroutine prologues
and epilogues, wrap the whole lot up in some target-specific macros.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
base/asm-common.h, *.S: Add `INTFUNC' macro for internal subroutines.
This provides correct alignment, and scoping for Windows SEH
annotations.
Mark Wooding [Thu, 29 Dec 2016 14:15:40 +0000 (14:15 +0000)]
base/asm-common.h: Define `WORDSZ' appropriately for x86ish platforms.
Four for 32-bit, eight for 64-bit, obviously.
Mark Wooding [Thu, 29 Dec 2016 14:14:45 +0000 (14:14 +0000)]
base/asm-common.h: Use `_' consistently for ignored macro arguments.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
base/asm-common.h, symm/*.S: New macros for register name decoration.
Enhance `base/asm-common.h' with new macros for translating between
various ways of describing pieces of machine registers.
The x86/AMD64 general-purpose registers are a complicated mess of
overlapping pieces, and trying to write code which works on both just
makes everything even more interesting.
The ARM NEON registers are somewhat complicated, and GNU as isn't as
good as it should be at coping with alternative ways of denoting pieces
of them. (For example, it ought to allow {q0-q7} instead of {d0-d15},
but doesn't; and it ought to allow q2[2] instead of d5[0], but doesn't.)
Use these macros tastefully in the various pieces of assembler code.
Mark Wooding [Sat, 5 Nov 2016 21:28:22 +0000 (21:28 +0000)]
base/asm-common.h: Add some general C preprocessor utilities.
Mark Wooding [Thu, 29 Dec 2016 11:50:50 +0000 (11:50 +0000)]
base/ct.c: Better constant-time algorithms from /Hacker's Delight/.
Improve equality checking and ordering, and add detailed commentary.
Mark Wooding [Mon, 12 Sep 2016 21:32:37 +0000 (22:32 +0100)]
base/asm-common.h, symm/rijndael-x86ish-aesni.S: Better section switching.
Provide macros for changing section which handle (a) switching to the
right text subsection, and (b) a section for readonly data.
Mark Wooding [Sat, 5 Nov 2016 12:22:43 +0000 (12:22 +0000)]
base/asm-common.h: Include `.note.GNU-stack' section on ELF targets.
This will ensure that Catacomb doesn't force an executable stack on
processes using it. Oops.
Mark Wooding [Sat, 5 Nov 2016 20:38:31 +0000 (20:38 +0000)]
math/mpx-mul4-x86-sse2.S: Use `SHUF' instead of hardwired constants.
Mark Wooding [Tue, 1 Nov 2016 22:38:41 +0000 (22:38 +0000)]
symm/salsa20-*.S: Optimize the output permutations.
A little analysis, and a lot of trial and error, shows reveals that the
state permutation can be decomposed into some rotations of the rows, a
matrix transpose, and another rotation of the rows. These steps can be
done moderately efficiently using the Intel and ARM SIMD instructions.
Mark Wooding [Sun, 2 Oct 2016 23:27:11 +0000 (00:27 +0100)]
math/mpx.h, math/mpmont.c: Retune the Karatsuba thresholds.
It seems like Karatsuba isn't especially worthwhile for Montgomery
multiplication at any cryptographically relevant modulus size. It's
certainly a lose with the new SSE2 multipliers.
Mark Wooding [Sun, 2 Oct 2016 23:26:28 +0000 (00:26 +0100)]
math/ptab.in: Include the correct Oakley 2048 group!
I'd mistakenly duplicated the 1536 group. This is... unfortunate.