Mark Wooding [Wed, 5 Jul 2017 21:09:59 +0000 (22:09 +0100)]
configure.ac: Check for some brain damage from Clang's assembler.
It doesn't understand `.arch' or the `adcd' instruction. I'm damned if
I'm writing `dword ptr' everywhere, so Clang users will have to figure
out some way to use Gas if they want the assembler code.
Mark Wooding [Wed, 5 Jul 2017 21:08:11 +0000 (22:08 +0100)]
configure.ac: Delay checking the assembler until we know the target CPU.
It turns out that assemblers are deficient in target-specific ways, so
we have to figure out what the target is like before we can probe for
the brokenness. Reorder things so that this is possible. No functional
change.
Mark Wooding [Wed, 5 Jul 2017 20:38:41 +0000 (21:38 +0100)]
configure.ac: Abstract out common pattern in CPU/ABI variable defs.
The new combined macro is really ugly, but it's probably better than two
copies of the same thing. No functional change.
Mark Wooding [Wed, 5 Jul 2017 20:32:14 +0000 (21:32 +0100)]
math/mpint.h: Add Clang warning-muffling.
Otherwise the compile is very noisy.
Mark Wooding [Wed, 5 Jul 2017 20:30:20 +0000 (21:30 +0100)]
base/dispatch.c: Fix operand constraints in `setflags'.
It wasn't correct to use `g' here. Clang legitimately used sp-relative
memory locations, which broke really badly because the stack pointer
moves during the code sequence. Force the operands into registers to
avoid this problem.
Mark Wooding [Wed, 5 Jul 2017 20:29:31 +0000 (21:29 +0100)]
math/strongprime.c: Muffle an irritating style warning from Clang.
Mark Wooding [Wed, 5 Jul 2017 20:27:30 +0000 (21:27 +0100)]
progs/catsign.c: Mark the various `choke' functions as `NORETURN'.
If I don't do this, then Clang complains (otherwise correctly) that `y'
might be used uninitialized.
Mark Wooding [Tue, 4 Jul 2017 23:51:36 +0000 (00:51 +0100)]
Merge branch '2.3.x'
* 2.3.x:
symm/hmac-def.h: Fix the NMAC and SSLMAC classes.
Conflicts:
symm/hmac-def.h
Mark Wooding [Tue, 4 Jul 2017 17:53:21 +0000 (18:53 +0100)]
vars.am, math/Makefile.am: Tweak `silent-rules' machinery.
Since Automake 1.11, the advice for setting up custom silent-rules
recipes has changed, so use the new machinery.
Also, I'm no longer mainly working on wheezy, and Automake has made the
operation field two spaces wider while I wasn't looking, so make the
output line up properly.
This means that Catacomb now requires Automake 1.11.2 or later to build
from the Git tree.
Mark Wooding [Tue, 4 Jul 2017 16:54:50 +0000 (17:54 +0100)]
symm/sha3.c: Attach the correct operations to the `shake256' cipher.
Rather embarrassing. Thanks to GCC 6 for pointing out that
`shake256_gcops' was unused.
Mark Wooding [Tue, 4 Jul 2017 16:47:54 +0000 (17:47 +0100)]
symm/twofish.c: Break a line to make the code clearer.
In retrospect, squashing all of that onto one line was an error. Thanks
to GCC 6 for pointing this out.
Mark Wooding [Tue, 4 Jul 2017 16:55:55 +0000 (17:55 +0100)]
symm/hmac-def.h: Fix the NMAC and SSLMAC classes.
Thanks to GCC 6 for pointing out that many of the necessary bits of
functionality were hanging around unused. (Why did earlier versions not
spot this?)
It looks like they never worked properly. I hereby deprecate them, and
intend to remove them in Catacomb 2.5.
Mark Wooding [Sun, 28 May 2017 18:03:08 +0000 (19:03 +0100)]
Release 2.4.1.
Mark Wooding [Sun, 28 May 2017 18:03:08 +0000 (19:03 +0100)]
Merge branch '2.3.x'
* 2.3.x:
Release 2.3.2.
math/mpx.c: Fix two's-complement storing.
Conflicts:
debian/changelog
Mark Wooding [Sun, 28 May 2017 18:03:08 +0000 (19:03 +0100)]
Release 2.3.2.
Mark Wooding [Sun, 28 May 2017 18:03:08 +0000 (19:03 +0100)]
math/mpx.c: Fix two's-complement storing.
Oh, dear. This was a bit wrong.
* The internal representation, in terms of `mpw' vectors, is always
nonnegative. Remove the bogus sign-extension machinery for
`mpx_load*2cn'.
* The logic for sign-extending octet vectors in `mpx_store*2cn' was
the wrong way round. Fix it.
* Rather than sign-extending `mpw' vectors, it's necessary to apply a
correction when we reach the end of an octet vector in
`mpx_load*2cn'. Introduce a new argument to `MPX_LOADSTORE' to
carry the necessary correction logic, and use it.
* The test functions used a single `mpw' vector length for both
positive and negative values, which meant that the logic for sign-
extending octet strings on output wasn't exercised. Fix the test:
so that it now does two passes, forcing both sign-extension on
output and zero-extension on input.
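An added example (not Catacomb's code) of the convention this commit describes, scaled down to a 64-bit magnitude: the internal representation is a nonnegative magnitude plus a sign, the store produces two's-complement octets with the sign extension falling out of the carry chain for any extra octets, and the load applies the correction 2^(8n) - v at the end of the octet vector instead of sign-extending the magnitude. Function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

/* Store (neg ? -m : m) as n little-endian two's-complement octets.  The
 * magnitude is never sign-extended: negation happens octet by octet as
 * ~x + carry, and once the magnitude is exhausted that yields 0xff (or 0x00
 * for a positive value), so the extra octets come out sign-extended for free.
 * Returns 1 if the value fits in n octets, 0 if it was truncated. */
int store2cn(uint8_t *out, size_t n, uint64_t m, int neg)
{
  uint64_t m0 = m;
  unsigned carry = neg ? 1 : 0;
  size_t i;
  for (i = 0; i < n; i++) {
    unsigned b = (unsigned)(m & 0xff);
    m >>= 8;
    if (neg) { b = (~b & 0xff) + carry; carry = b >> 8; b &= 0xff; }
    out[i] = (uint8_t)b;
  }
  if (n == 0) return m0 == 0;
  if (m != 0) return 0;                          /* magnitude left over */
  if (neg) return m0 == 0 || (out[n - 1] & 0x80) != 0;
  return (out[n - 1] & 0x80) == 0;               /* positive needs a clear sign bit */
}

/* Load n (<= 8) little-endian two's-complement octets as magnitude + sign.
 * The octets are read as the plain unsigned value v; if the top octet's
 * sign bit is set the magnitude is 2^(8n) - v.  That is the correction at
 * the end of the octet vector which the commit describes, in place of
 * sign-extending the internal word vector. */
void load2cn(const uint8_t *in, size_t n, uint64_t *m, int *neg)
{
  uint64_t v = 0;
  size_t i;
  for (i = n; i-- > 0; ) v = (v << 8) | in[i];
  *neg = n > 0 && (in[n - 1] & 0x80) != 0;
  if (*neg) {
    v = 0 - v;                                    /* 2^64 - v */
    if (n < 8) v &= ((uint64_t)1 << (8 * n)) - 1; /* reduce to 2^(8n) - v */
  }
  *m = v;
}

/* Round-trip (neg ? -m : m) through n octets; 1 if it survives intact. */
int roundtrip2cn(uint64_t m, int neg, size_t n)
{
  uint8_t buf[8];
  uint64_t m2;
  int neg2;
  if (n > 8 || !store2cn(buf, n, m, neg)) return 0;
  load2cn(buf, n, &m2, &neg2);
  return m2 == m && (m == 0 || neg2 == neg);
}

/* Octet i of the n-octet encoding of (neg ? -m : m), or -1 if it doesn't fit. */
int stored_octet(uint64_t m, int neg, size_t n, size_t i)
{
  uint8_t buf[8];
  if (n > 8 || i >= n || !store2cn(buf, n, m, neg)) return -1;
  return buf[i];
}
```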
Mark Wooding [Tue, 23 May 2017 10:48:46 +0000 (11:48 +0100)]
symm/{chacha,salsa20}-x86ish-sse2.S: Fix typo in commentary.
Mark Wooding [Tue, 23 May 2017 10:48:22 +0000 (11:48 +0100)]
key.1: Document `tag -r' properly.
Mark Wooding [Sun, 14 May 2017 20:05:43 +0000 (21:05 +0100)]
Release 2.4.0.1.
Mark Wooding [Sun, 14 May 2017 19:39:45 +0000 (20:39 +0100)]
symm/rijndael-arm-crypto.S: Fix `pushreg'/`popreg' syntax.
My test build didn't catch this because my assembler is too old. So, it's
brown-paper-bag time once again.
Mark Wooding [Sun, 14 May 2017 15:08:33 +0000 (16:08 +0100)]
Release 2.4.0.
Mark Wooding [Wed, 10 May 2017 20:58:36 +0000 (21:58 +0100)]
pub/ed448.[ch], etc.: Add the Ed448 signature scheme from RFC8032.
Mark Wooding [Mon, 1 May 2017 00:38:30 +0000 (01:38 +0100)]
math/fgoldi.[ch]: Implement the extra operations needed for Ed448.
Mark Wooding [Mon, 1 May 2017 00:38:30 +0000 (01:38 +0100)]
math/scmul.h, pub/ed25519.c: Abstract out scalar multiplication code.
Because what it needed was to be embedded in a hairy macro.
Mark Wooding [Wed, 10 May 2017 20:57:51 +0000 (21:57 +0100)]
progs/*.1: Mention the default hash for `ed25519',
Mark Wooding [Wed, 10 May 2017 20:23:22 +0000 (21:23 +0100)]
pub/ed25519.[ch], etc.: Implement the `context' variant from RFC8032.
Add the test vectors from the RFC, and a little Makefile machinery to
mix them into the main test set.
Mark Wooding [Mon, 1 May 2017 00:38:30 +0000 (01:38 +0100)]
math/f25519.c, utils/curve25519.sage: Slightly improve `quosqrt' algorithm.
The algorithm from the Bernstein et al. paper was somewhat ugly.
Replace it with a different one using the techniques I used in `fgoldi'
for the main calculation, but with the same end structure.
Mark Wooding [Wed, 10 May 2017 20:15:56 +0000 (21:15 +0100)]
pub/ed25519.c: Rearrange `ptadd' to use fewer registers.
Taking a little inspiration from the three-address code in the
paper (which I can't use as-is, because it clobbers one of its inputs) I
managed to delete two of the temporary registers.
Mark Wooding [Wed, 10 May 2017 20:17:27 +0000 (21:17 +0100)]
pub/ed25519.c: Don't return the `h1' private-key portion if it's not wanted.
Saves making a temporary buffer in `ed25519_pubkey'.
Mark Wooding [Wed, 10 May 2017 20:13:54 +0000 (21:13 +0100)]
pub/ed25519.c: Range-check coordinates and scalars when verifying.
This is a requirement of RFC8032, though Bernstein et al don't see the
point.
It's easy enough to test that verification rejects an out-of-range
scalar part in the signature, but there's hardly any space in the
curve-point part, so I've had to cheat.
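The two range checks RFC 8032 requires, as an added example that is not Catacomb's code: the signature's S component (32 octets, little-endian) must be strictly less than the group order L, and the encoded y-coordinate (with the sign bit of x stripped) must be strictly less than p. The comparison visits every octet so its timing does not depend on where the inputs differ. L and p are the standard Ed25519 constants; the function names and the constructed test inputs are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493
 * and field prime p = 2^255 - 19, both as 32-octet little-endian integers
 * (the encoding RFC 8032 uses for S and for the y-coordinate). */
static const uint8_t ED25519_L[32] = {
  0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
  0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};
static const uint8_t ED25519_P[32] = {
  0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
};

/* 1 if little-endian a < b, else 0.  Every octet is visited whatever the
 * inputs, so the time taken doesn't depend on where they differ. */
static int lt_le(const uint8_t *a, const uint8_t *b, size_t n)
{
  uint32_t lt = 0, eq = 1;
  size_t i;
  for (i = n; i-- > 0; ) {          /* scan from the most significant octet */
    uint32_t x = a[i], y = b[i];
    lt |= eq & ((x - y) >> 31);     /* a < b decided here if all above equal */
    eq &= ((x ^ y) - 1) >> 31;      /* stay "equal so far" only if x == y */
  }
  return (int)lt;
}

/* RFC 8032 requires 0 <= S < L, checked before any curve arithmetic.
 * Without it, S + L (when it still fits in 32 octets) verifies too, so one
 * message would have more than one valid signature encoding. */
int ed25519_scalar_in_range(const uint8_t s[32])
{ return lt_le(s, ED25519_L, 32); }

/* The y-coordinate (bit 255 carries the sign of x, not part of y) must be
 * < p.  Only the 19 values p .. 2^255 - 1 fail, which is the "hardly any
 * space" the commit mentions. */
int ed25519_coord_in_range(const uint8_t y[32])
{
  uint8_t t[32];
  memcpy(t, y, 32);
  t[31] &= 0x7f;
  return lt_le(t, ED25519_P, 32);
}

/* Constructed test inputs (not real signatures or points). */
int scalar_check_near_l(int delta)      /* S = L + delta, |delta| <= 0x12 */
{
  uint8_t s[32];
  memcpy(s, ED25519_L, 32);
  s[0] = (uint8_t)(s[0] + delta);
  return ed25519_scalar_in_range(s);
}
int scalar_check_pattern(uint8_t fill, uint8_t top)   /* S = fill.., top */
{
  uint8_t s[32];
  memset(s, fill, 32);
  s[31] = top;
  return ed25519_scalar_in_range(s);
}
int coord_check_pattern(uint8_t low, uint8_t top)     /* y = low, ff.., top */
{
  uint8_t y[32];
  memset(y, 0xff, 32);
  y[0] = low;
  y[31] = top;
  return ed25519_coord_in_range(y);
}
```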
Mark Wooding [Wed, 10 May 2017 20:11:51 +0000 (21:11 +0100)]
pub/{ed25519,x25519,x448}.c: Use symbolic constants for sizes of things.
The main code still knows the right numbers by magic.
Mark Wooding [Wed, 10 May 2017 20:06:03 +0000 (21:06 +0100)]
utils/split-pieces, pub/ed25519.c: New utility makes field-element constants.
It seems to make slightly different (but equivalent) constants from the
machinery in `utils/curve25519.sage'. Replace the constants in
`pub/ed25519.c' with the new ones.
Mark Wooding [Wed, 10 May 2017 20:54:46 +0000 (21:54 +0100)]
symm/sha3.[ch]: Add support for SHA3 and related functions based on Keccak.
Mark Wooding [Wed, 10 May 2017 20:53:25 +0000 (21:53 +0100)]
symm/hash.h: Add support for test vectors with hex-encoded messages.
Mark Wooding [Wed, 10 May 2017 20:52:30 +0000 (21:52 +0100)]
progs/rspit.c: Make the `salsae' tab be `const'.
Silly oversight.
Mark Wooding [Wed, 10 May 2017 20:51:45 +0000 (21:51 +0100)]
symm/hmac-def.h: Set HMAC keys up in a more principled manner.
No longer does it reach into the hash context and run `HASH_compress' by
hand.
This means that nothing assumes that `HASH_compress' exists any more.
Mark Wooding [Wed, 10 May 2017 20:50:04 +0000 (21:50 +0100)]
symm/hmac-def.h: Report key sizes as 16-bit quantities.
Hash states can be huge. It was an obvious mistake defining the
recommended key size in terms of the state size, but I can't change it
now.
Mark Wooding [Wed, 10 May 2017 20:46:39 +0000 (21:46 +0100)]
base/keysz.[ch]: Add a flag to say that arguments are 16 bits wide.
This breaks programs which think they can parse arbitrary key-size
descriptors. The obvious such thing is the Python interface, so note
that we need a later version.
Mark Wooding [Mon, 1 May 2017 00:38:30 +0000 (01:38 +0100)]
symm/keccak1600.[ch]: Add the Keccak-p[1600, n] permutation.
Currently just a special snowflake. Fancier things forthcoming.
Mark Wooding [Wed, 10 May 2017 19:58:34 +0000 (20:58 +0100)]
symm/sha512.[ch], etc.: Support SHA512/224 and SHA512/256.
These are more truncated versions of SHA512 with different initial
values. The point of the exercise is performance: SHA512 runs faster
than SHA256 on 64-bit processors (it munches twice as much data per run
through the compression function, but has only 25% more rounds). Add
test vectors for the hash function from NIST and Wikipedia, and HMAC
tests I found under a rock.
Mark Wooding [Wed, 10 May 2017 19:53:27 +0000 (20:53 +0100)]
symm/t/sha...: Add official NIST HMAC test vectors.
I found some at last, annoyingly provided as PDF documents.
Unsurprisingly, the code passed first time.
Strange: the tests include two tests for the message `Sample message for
keylen=blocklen', exactly one of which has the key length equal to the
block length. Whatevs.
Mark Wooding [Wed, 10 May 2017 18:48:20 +0000 (19:48 +0100)]
symm/: Eliminate the remaining checked-in stubby source files.
Now that $(STUBS_SRC) actually works, use it to eliminate `safersk.c',
`sha224.c', `sha384.c', and `whirlpool256.c'. Move test vectors to
their new homes, and modify the base files to actually run them.
Alas, the build machinery wants to ship `t/safersk' even though it's
empty, so leave it as a stub. (Maybe...) And the HMAC mode machinery
wants to put its test in the mode test-vector file, which is a bit
annoying. Still, the cruft is reduced.
Mark Wooding [Wed, 10 May 2017 18:36:44 +0000 (19:36 +0100)]
symm/stub.c.in: Add a trivial test rig which says to look over there.
As hinted.
Mark Wooding [Wed, 10 May 2017 18:35:59 +0000 (19:35 +0100)]
symm/Makefile.am: Add a `base' column to the $(STUBS_SRC) list.
The list is currently empty, so this is just a matter of fiddling with
the bits of Makefile which process it. But it means that we can add
things to `stub.c.in' which refer to the base C file, for example to
tell a reader where the real thing is.
Mark Wooding [Wed, 10 May 2017 19:26:41 +0000 (20:26 +0100)]
symm/blkc.h, symm/hash.h: Factor out pieces of the test machinery.
This will allow a source file to include tests for a hash function or
block cipher /and/ other kinds of tests. Possibly even for another hash
function or block cipher.
This was mostly done already for block ciphers: the remaining piece
involved making a macro to populate the test table. But hash functions
haven't been as fortunate.
Fix the new definitions to allow non-identifier names for hashes and
block ciphers, to match the mode definitions.
Mark Wooding [Wed, 10 May 2017 18:29:41 +0000 (19:29 +0100)]
symm/: Allow block cipher and hash functions with strange names.
This is quite a performance, actually.
* The `multigen' tool now has a modifier `:f' which makes a filename-
safe version of a value.
* The `multigen' input files and `Makefile.am' have been changed to
use `:f' appropriately.
* All of the `MUMBLE-def.h' header files have been changed to
introduce a new macro `MUMBLE_DEFX' with two extra arguments: the
thing's presentable name (for use in class structures), and a
filename-safe version of it. The old `MUMBLE_DEF' macro still
exists for compatibility (has anyone else written a mode?).
* Similar changes have been made to the testing machinery in `blkc.h'
and `hash.h', but this still needs cleaning up somewhat.
Mark Wooding [Wed, 10 May 2017 21:24:53 +0000 (22:24 +0100)]
math/{genlimits.c,mpdump.c}: Delete long-defunct source files.
These programs' jobs have been taken over by `mpgen', which is much
better at it.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
progs/: Generate XDH and EdDSA operations using macros.
There are already two very similar XDH implementations, and EdDSA is
likely to have more. Let's not write more code than we need to.
Mark Wooding [Wed, 10 May 2017 20:03:51 +0000 (21:03 +0100)]
pub/ed25519.c: Use the correct type for the field-element constants.
This fixes a bug: `bz_pieces' had the wrong type, but likely worked
anyway by luck -- especially on little-endian machines.
Mark Wooding [Wed, 10 May 2017 20:01:03 +0000 (21:01 +0100)]
math/f{25519,goldi}.[ch]: Export the piece type.
Mark Wooding [Wed, 10 May 2017 20:19:54 +0000 (21:19 +0100)]
math/scaf.c: Add some debugging utilities I found handy.
Mark Wooding [Wed, 10 May 2017 20:19:32 +0000 (21:19 +0100)]
math/scaf.c: Fix conditional subtractions in `scaf_reduce'.
So that they actually subtract the right thing. Obvious blunder. The
big surprise is that none of the literally thousands of Ed25519 tests
which have hammered on that code caught it. (Found during development
of Ed448, coming later.)
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
pub/rsa-pub.c: Implement the optimal addition chains for e = 3, e = 65537.
Also add tests for e = 3 (previously missing) and e = 17 (to exercise
the general modexp path).
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
progs/perftest.c: Allow setting the public exponent in RSA tests.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
pub/rsa-gen.c, progs/key.c: Overhaul RSA key generation.
Rewrite the key-generation code from scratch. The new version seems
simpler to me, and allows the caller to choose the public exponent. It
also retries repeatedly until it finds acceptable values unless told to
stop within a finite number of steps.
Add an option to `key' to allow the user to select a different
exponent. Recommend e = 3 in the manpage.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
math/strongprime.c: Improve the commentary.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
math/strongprime.c: Replace inexplicable exponentiation with extended-gcd.
For some reason, I calculated s^-1 as s^{r-2} (mod r). This code isn't
even slightly constant-time, and gcd is faster than modexp. Also, this
bit isn't time-critical anyway, and the code is way simpler like this.
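An added example (not Catacomb's code) covering two of the commits above: the fixed addition chains for e = 3 (one squaring, one multiply) and e = 65537 (sixteen squarings, one multiply) beside the general square-and-multiply that the e = 17 test exercises, and a modular inverse by extended Euclid beside the s^{r-2} (mod r) form this commit replaced. 64-bit operands with unsigned __int128 products (a GCC/Clang extension) are assumed, and the function names are hypothetical.

```c
#include <stdint.h>

typedef unsigned __int128 u128;   /* GCC/Clang extension, assumed available */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{ return (uint64_t)((u128)a * b % n); }

/* General left-to-right square-and-multiply: the path the e = 17 test
 * exercises.  Not constant-time; acceptable for a public operation. */
uint64_t modexp(uint64_t x, uint64_t e, uint64_t n)
{
  uint64_t r = 1 % n;
  int i;
  for (i = 63; i >= 0; i--) {
    r = mulmod(r, r, n);
    if ((e >> i) & 1) r = mulmod(r, x, n);
  }
  return r;
}

/* e = 3: x^3 = x^2 * x, one squaring and one multiplication. */
uint64_t pow3(uint64_t x, uint64_t n)
{ return mulmod(mulmod(x, x, n), x, n); }

/* e = 65537 = 2^16 + 1: sixteen squarings then one multiplication. */
uint64_t pow65537(uint64_t x, uint64_t n)
{
  uint64_t t = x % n;
  int i;
  for (i = 0; i < 16; i++) t = mulmod(t, t, n);
  return mulmod(t, x, n);
}

/* RSA public operation m^e mod n, picking the fixed chain where one exists. */
uint64_t rsa_pub(uint64_t m, uint64_t e, uint64_t n)
{
  if (e == 3) return pow3(m, n);
  if (e == 65537) return pow65537(m, n);
  return modexp(m, e, n);
}

/* s^-1 mod r by extended Euclid.  Works for any r < 2^62 with gcd(s, r) = 1
 * (the Bezout coefficient never exceeds r in magnitude); returns 0 when no
 * inverse exists. */
uint64_t inv_egcd(uint64_t s, uint64_t r)
{
  int64_t t0 = 0, t1 = 1, tt;
  uint64_t r0 = r, r1 = s % r, q, tmp;
  while (r1) {
    q = r0 / r1;
    tmp = r0 - q * r1; r0 = r1; r1 = tmp;
    tt = t0 - (int64_t)q * t1; t0 = t1; t1 = tt;
  }
  if (r0 != 1) return 0;
  return t0 < 0 ? (uint64_t)(t0 + (int64_t)r) : (uint64_t)t0;
}

/* The form the commit replaced: s^(r-2) mod r.  Correct only when r is
 * prime (Fermat), and a full modexp where a gcd would do. */
uint64_t inv_fermat(uint64_t s, uint64_t r)
{ return modexp(s, r - 2, r); }
```

The e = 65537 case below reduces to e = 17 modulo lambda(3233) = 780, which is why it yields the same ciphertext; inv_fermat silently returns the wrong answer for the composite modulus 3120.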
Mark Wooding [Sun, 14 May 2017 03:11:09 +0000 (04:11 +0100)]
Merge branch '2.3.x'
* 2.3.x:
Release 2.3.1.
pub/bbs-gen.c, pub/rsa-gen.c: Remove the lower-bounding on q.
math/strongprime.c: Clamp the starting point.
math/strongprime.c: Reduce failures by adding some more slop bits.
progs/catcrypt.c, progs/cc-sig.c: Compare MAC tags in constant time.
progs/cc-sig.c: Initialize hash context properly for RSA-PSS.
progs/cc-sig.c: Don't destroy an RSA context just after building it.
math/g-bin.c, math/g-prime.c: Fix type incompatibility.
math/g-*.c: Group implementations include `group.h' via `group-guts.h'.
key/key-io.c: Produce valid key lines for empty keys.
key/key-io.c: Fix segfault opening `KOPEN_READ | KOPEN_NOFILE' key files.
Conflicts:
math/group-guts.h (trivial)
progs/catcrypt.c (already picked up)
Mark Wooding [Sat, 13 May 2017 14:21:43 +0000 (15:21 +0100)]
Release 2.3.1.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
pub/bbs-gen.c, pub/rsa-gen.c: Remove the lower-bounding on q.
It's unnecessary. It was a bad idea because it biases q quite heavily,
but now `strongprime' generates primes in the right interval so that
getting the right bit length isn't a problem.
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
math/strongprime.c: Clamp the starting point.
Now the result will be in the upper quarter of the `obvious' range, and
the product of two such values is guaranteed to have the desired number
of bits. This saves callers from doing stupid things like trying to
clamp one of the factors by hand, which ends up significantly biasing
the second factor. (This isn't very bad, because there's a /lot/ of
randomness in the chosen congruence class, but it's good to fix this
sort of thing.)
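An added illustration (not Catacomb's code) of the bit-length argument in this commit: if a k-bit candidate has its top two bits set, so it lies in [3*2^(k-2), 2^k), the product of two such values is at least 9*2^(2k-4) > 2^(2k-1) and so has exactly 2k bits; with only the top bit set the product can come out one bit short. Reading "upper quarter" as the top two bits being set is my assumption, as are the function names; k = 32 with 64-bit products is used so it runs without a bignum library, and the candidate stream is a constructed LCG, not primes.

```c
#include <stdint.h>

/* Number of significant bits in x (0 for x == 0). */
unsigned bitlen(uint64_t x)
{
  unsigned n = 0;
  while (x) { n++; x >>= 1; }
  return n;
}

/* Force a raw k-bit candidate into [3*2^(k-2), 2^k) by setting the top two
 * bits, as the clamped starting point does.  Requires 2 <= k <= 32. */
uint32_t clamp_top_two(uint32_t raw, unsigned k)
{
  uint32_t mask = (k == 32) ? 0xffffffffu : ((1u << k) - 1);
  return (raw & mask) | (3u << (k - 2));
}

/* The weaker clamp: only the top bit, giving a candidate in [2^(k-1), 2^k). */
uint32_t clamp_top_one(uint32_t raw, unsigned k)
{
  uint32_t mask = (k == 32) ? 0xffffffffu : ((1u << k) - 1);
  return (raw & mask) | (1u << (k - 1));
}

/* 1 if p*q has exactly 2k bits, 0 otherwise. */
int product_has_2k_bits(uint32_t p, uint32_t q, unsigned k)
{
  return bitlen((uint64_t)p * q) == 2 * k;
}

/* Sweep a deterministic candidate stream (a constructed LCG, not random and
 * not prime) and count the pairs whose product falls short of 2k bits under
 * the chosen clamp.  Returns the number of failing pairs. */
unsigned count_short_products(unsigned k, int top_two, unsigned trials)
{
  uint32_t x = 0x12345678u;          /* constructed seed */
  unsigned fails = 0, i;
  for (i = 0; i < trials; i++) {
    uint32_t a, b;
    x = x * 1664525u + 1013904223u;  a = x;
    x = x * 1664525u + 1013904223u;  b = x;
    if (top_two) { a = clamp_top_two(a, k); b = clamp_top_two(b, k); }
    else         { a = clamp_top_one(a, k); b = clamp_top_one(b, k); }
    if (!product_has_2k_bits(a, b, k)) fails++;
  }
  return fails;
}
```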
Mark Wooding [Thu, 11 May 2017 09:42:15 +0000 (10:42 +0100)]
math/strongprime.c: Reduce failures by adding some more slop bits.
In my experiments, failures were happening about 2--3% of the time,
which is way more than one is really willing to tolerate.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/catcrypt.c, progs/cc-sig.c: Compare MAC tags in constant time.
Mark Wooding [Mon, 17 Apr 2017 23:03:01 +0000 (00:03 +0100)]
progs/cc-sig.c: Initialize hash context properly for RSA-PSS.
Somehow this seemed to work anyway on my machine; but valgrind agrees
that it was wrong.
Mark Wooding [Mon, 17 Apr 2017 22:31:11 +0000 (23:31 +0100)]
progs/cc-sig.c: Don't destroy an RSA context just after building it.
It causes an assertion failure later. Really embarrassing.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/g-bin.c, math/g-prime.c: Fix type incompatibility.
Callers of the abstract group API expect to pass in a pointer-to-
structure. The binary and prime group implementations expected a
pointer-to-pointer, which looks different. Change the way these work,
so that the group element is a structure holding a pointer, rather than
just a bare pointer. This doesn't make any difference on targets with
sane ABIs, but it fixes a potentially nasty problem on weirder
platforms.
Add a macro explaining this change so that users of this unstable
interface can cope with both versions.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/g-*.c: Group implementations include `group.h' via `group-guts.h'.
And not directly.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
key/key-io.c: Produce valid key lines for empty keys.
If a key contains only an empty tree of structures, then `key_write'
returns an empty string, which breaks the whitespace-separated field
structure of the output key line. Notice this and insert an empty
structure by hand as an unpleasant bodge.
The resulting key is still highly anomalous. In particular, it doesn't
match any filter, because structure nodes don't have flags. I don't
know what to do about this.
Mark Wooding [Sat, 13 May 2017 11:27:31 +0000 (12:27 +0100)]
key/key-io.c: Fix segfault opening `KOPEN_READ | KOPEN_NOFILE' key files.
They're useless, but they shouldn't cause a crash.
Mark Wooding [Sun, 30 Apr 2017 17:43:46 +0000 (18:43 +0100)]
Merge branches 'mdw/latin-ietf' and 'mdw/curve25519'
* mdw/latin-ietf:
symm/{chacha,salsa20}.[ch]: Support RFC7539-style 96-bit nonces.
symm/{chacha,salsa20}.c: Change how the test code sets up the cipher.
symm/{chacha,salsa20}.c: Abstract out cipher and rand initialization.
symm/{chacha,salsa20}.[ch]: Compress systematic naming better in comments.
symm/stub.h.in: Fix bogus characters in the include guard macro name.
symm/stub.h.in: Add include guard around header.
symm/t/chacha: Fix typo in comment.
* mdw/curve25519:
pub/, progs/: Add support for X448 key exchange, defined in RFC7748.
math/fgoldi.c: Add support for Hamburg's `Goldilocks' field.
pub/, progs/: Implement Bernstein's Ed25519 signature scheme.
math/f25519.[ch]: More field operations.
pub/, progs/: Implement Bernstein's X25519 key-exchange algorithm.
math/f25519.c: Implementation for arithmetic in GF(2^255 - 19).
.gitignore, utils/.gitignore: Change Sage ignore rules.
Mark Wooding [Wed, 26 Apr 2017 10:55:08 +0000 (11:55 +0100)]
pub/, progs/: Add support for X448 key exchange, defined in RFC7748.
Mark Wooding [Wed, 26 Apr 2017 10:54:29 +0000 (11:54 +0100)]
math/fgoldi.c: Add support for Hamburg's `Goldilocks' field.
GF(2^448 - 2^224 - 1).
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
pub/, progs/: Implement Bernstein's Ed25519 signature scheme.
Mark Wooding [Wed, 26 Apr 2017 10:53:05 +0000 (11:53 +0100)]
math/f25519.[ch]: More field operations.
Most are fairly simple utilities, except for `f25519_quosqrt' which does
a combined division and square root.
Mark Wooding [Mon, 17 Apr 2017 23:39:24 +0000 (00:39 +0100)]
pub/, progs/: Implement Bernstein's X25519 key-exchange algorithm.
Mark Wooding [Mon, 17 Apr 2017 23:39:24 +0000 (00:39 +0100)]
math/f25519.c: Implementation for arithmetic in GF(2^255 - 19).
There's both a fast implementation for platforms with 64-bit arithmetic,
and a slow baseline for minimal C89 platforms. The code works better on
two's complement systems with arithmetic right shifts, but it works
portably.
* Arithmetic shifts are implemented with hairy masking and exact
division, but GCC notices and optimizes accordingly.
* Two's complement is used in the conditional-swap machinery, but
there's a fallback using multiplication if the `configure' script
can't detect it.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/{chacha,salsa20}.[ch]: Support RFC7539-style 96-bit nonces.
I think these are a bad idea, but they'll be popular (and are etched
into the AEAD proposal).
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/{chacha,salsa20}.c: Change how the test code sets up the cipher.
Introduce a macro which does the key, nonce and position setup in one
go.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/{chacha,salsa20}.c: Abstract out cipher and rand initialization.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/{chacha,salsa20}.[ch]: Compress systematic naming better in comments.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/stub.h.in: Fix bogus characters in the include guard macro name.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/stub.h.in: Add include guard around header.
Most Catacomb public headers do this, so the stubs ought to too.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/t/chacha: Fix typo in comment.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
.gitignore, utils/.gitignore: Change Sage ignore rules.
It seems Sage now makes `.sage.py' files instead of plain `.py'. This
is a much better idea, and it means that we can have a single rule to
ignore all of them.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/cc-kem.c: Add `naclbox' crypto transform.
This uses Salsa20/r (or ChaChar) and Poly1305 in the same way as NaCl
`secretbox'. Difference: NaCl uses XSalsa20 for the extended nonce
size, but we have no need of that here.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/catcrypt.c, progs/cc-kem.c: Refactor bulk encryption.
The bulk crypto transform is now owned by the KEM machinery, and
provided to callers as one object rather than a bunch of little
components. There are some conceptual changes in the UI, but in fact
everything still works the way it did before.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/key.c: Support applying parameters in all key-generation algorithms.
If the algorithm itself can't make use of parameters, at least it can
copy the key attributes.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/key.c: Let `copyparam' worry about the parameter key's type.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/key.c: Report full parameter-key name in errors about it.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
progs/catcrypt.c, progs/cc-sig.c: Compare MAC tags in constant time.
Mark Wooding [Mon, 17 Apr 2017 23:03:01 +0000 (00:03 +0100)]
progs/cc-sig.c: Initialize hash context properly for RSA-PSS.
Somehow this seemed to work anyway on my machine; but valgrind agrees
that it was wrong.
Mark Wooding [Mon, 17 Apr 2017 22:31:11 +0000 (23:31 +0100)]
progs/cc-sig.c: Don't destroy an RSA context just after building it.
It causes an assertion failure later. Really embarrassing.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
key/key-io.c: Produce valid key lines for empty keys.
If a key contains only an empty tree of structures, then `key_write'
returns an empty string, which breaks the whitespace-separated field
structure of the output key line. Notice this and insert an empty
structure by hand as an unpleasant bodge.
The resulting key is still highly anomalous. In particular, it doesn't
match any filter, because structure nodes don't have flags. I don't
know what to do about this.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/g-bin.c, math/g-prime.c: Fix type incompatibility.
Callers of the abstract group API expect to pass in a pointer-to-
structure. The binary and prime group implementations expected a
pointer-to-pointer, which looks different. Change the way these work,
so that the group element is a structure holding a pointer, rather than
just a bare pointer. This doesn't make any difference on targets with
sane ABIs, but it fixes a potentially nasty problem on weirder
platforms.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/g-*.c: Group implementations include `group.h' via `group-guts.h'.
And not directly.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/...: Make a number of functions be const-correct.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/poly1305.c: Implement `flushzero' to zero-pad to a block boundary.
I prefer plain `flush', but not all implementations expose it. The
`flushzero' operation is the one wanted by RFC7539 AEAD.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/poly1305.c: Implement Bernstein's Monte-Carlo test.
I did run the full test once, but it took almost an hour.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/t/poly1305: Add the tests from Bernstein's original paper.
They were tucked away in an appendix and I missed them. Also, I
implemented from the NaCl paper, which is a better fit for modern usage.
Mark Wooding [Fri, 14 Apr 2017 22:27:50 +0000 (23:27 +0100)]
Merge branch '2.3.x'
* 2.3.x:
symm/salsa20.[ch]: Add missing LGPL notices.
math/mpx-mul4-test.c: Set `dstr' length correctly in conversion function.
symm/chacha.c: Fix `tell' response.
symm/chacha.[ch]: Fix comment headers.
symm/{chacha.c,salsa20.c}: Fix random generator allocation sizes.