Commit Graph

36 Commits

Author SHA1 Message Date
Isaac Freund
5b850d5c92
Run zig fmt on src/ and lib/std/
This replaces callconv(.Inline) with the more idiomatic inline keyword.
2021-05-20 17:14:18 +02:00
Veikka Tuominen
fd77f2cfed std: update usage of std.testing 2021-05-08 15:15:30 +03:00
Frank Denis
10f2d62789
std/crypto: use finer-grained error sets in function signatures (#8558)
std/crypto: use finer-grained error sets in function signatures

Returning the `crypto.Error` error set for all crypto operations
was very convenient to ensure that errors were used consistently,
and to avoid having multiple error names for the same thing.

The flipside is that callers were forced to always handle all
possible errors, even those that could never be returned by a
function.

This PR makes all functions return union sets of the actual errors
they can return.

The error sets themselves are all limited to a single error.

Larger sets are useful for platform-specific APIs, but we don't have
any of these in `std/crypto`, and I couldn't find any meaningful way
to build larger sets.
2021-04-20 19:57:27 +02:00
Frank Denis
b98d7747fa Use a unified error set for std/crypto/*
This ensures that errors are used consistently across all operations.
2021-03-14 20:51:31 +01:00
LemonBoy
057bf1afc9 std: Add more error checking in hexToBytes
Prevent the function from turning into an endless loop that may or may
not perform OOB accesses.
2021-02-21 12:19:03 +02:00
Tadeo Kondrak
5dfe0e7e8f
Convert inline fn to callconv(.Inline) everywhere 2021-02-10 20:06:12 -07:00
Frank Denis
6c2e0c2046 Year++ 2020-12-31 15:45:24 -08:00
Matt Sicker
d9fe7ea815 Fix Gimli hash on 16n byte inputs 2020-12-23 10:59:14 +02:00
Frank Denis
e7b60b219b std/crypto: don't constrain Gimli hash output to a fixed length
As documented in the comment right above the finalization function,
Gimli can be used as a XOF, i.e. the output doesn't have a fixed
length.

So, allow it to be used that way, just like BLAKE3.
2020-11-05 17:21:19 -05:00
Frank Denis
4417206230 Now that they support vectors, use math.rot{l,r} 2020-11-05 17:19:48 -05:00
Frank Denis
8d7c160fb4 Make Gimli test vector look like the python implementation 2020-11-03 09:13:14 +01:00
Frank Denis
d764636d21 Another big-endian fix for Gimli
We read and write bytes directly from the state, but in the init
function, we potentially endian-swap them.

Initialize bytes in native format since we will be reading them
in native format as well later.

Also use the public interface in the "permute" test rather than an
internal interface. The state itself is not meant to be accessed directly,
even in tests.
2020-11-03 02:01:48 +01:00
Frank Denis
ad9655db3a Fix Gimli for big-endian targets 2020-11-02 13:38:20 -05:00
Žiga Željko
7c2bde1f07 std/crypto: API cleanup 2020-10-26 19:19:34 -04:00
Frank Denis
fa17447090 std/crypto: make the whole APIs more consistent
- use `PascalCase` for all types. So, AES256GCM is now Aes256Gcm.
- consistently use `_length` instead of mixing `_size` and `_length` for the constants we expose
- Use `minimum_key_length` when it represents an actual minimum length. Otherwise, use `key_length`.
- Require output buffers (for ciphertexts, macs, hashes) to be of the right size, not at least of that size in some functions, and the exact size elsewhere.
- Use a `_bits` suffix instead of `_length` when a size is represented as a number of bits to avoid confusion.
- Functions returning a constant-sized slice are now defined as a slice instead of a pointer + a runtime assertion. This is the case for most hash functions.
- Use `camelCase` for all functions instead of `snake_case`.

No functional changes, but these are breaking API changes.
2020-10-17 18:53:08 -04:00
Frank Denis
0b4a5254fa Vectorize Gimli 2020-10-16 18:41:11 -04:00
Frank Denis
51a3d0603c std.rand: set DefaultCsprng to Gimli, and require a larger seed
`DefaultCsprng` is documented as a cryptographically secure RNG.

While `ISAAC` is a CSPRNG, the variant we have, `ISAAC64`, is not.
A 64 bit seed is a bit small to satisfy that claim.

We also saw it being used with the current date as a seed, which
also defeats the point of a CSPRNG.

Set `DefaultCsprng` to `Gimli` instead of `ISAAC64`, rename
the parameter from `init_s` to `secret_seed` + add a comment to
clarify what kind of seed is expected here.

Instead of directly touching the internals of the Gimli implementation
(which can change/be architecture-specific), add an `init()` function
to the state.

Our Gimli-based CSPRNG was also not backtracking resistant. Gimli
is a permutation; it can be reverted. So, if the state was ever leaked,
future secrets, but also all the previously generated ones could be
recovered. Clear the rate after a squeeze in order to prevent this.

Finally, a dumb test was added just to exercise `DefaultCsprng` since
we don't use it anywhere.
2020-10-15 20:57:16 -04:00
Frank Denis
56d820087d gimli: make permute a constant, remove leading underscore 2020-09-29 14:01:08 +02:00
Frank Denis
4194714965 Don't unroll the gimli permutation on release-small 2020-09-29 13:23:04 +02:00
Frank Denis
613f8fe83f Use mem.copy() instead of manual iterations 2020-09-29 10:23:00 +02:00
Frank Denis
868a46eb43 std/crypto: make gimli slightly faster
Before:
       gimli-hash:        120 MiB/s
       gimli-aead:        130 MiB/s

After:
       gimli-hash:        195 MiB/s
       gimli-aead:        208 MiB/s

Also fixes in-place decryption by the way.

If the input & output buffers were the same, decryption used to fail.

Return on decryption error in the benchmark to detect similar issues
in future AEADs even in non release-fast mode.
2020-09-29 00:29:20 +02:00
Frank Denis
ff2e82f382 Rename at to tag in AEADs 2020-08-26 10:50:34 +02:00
Frank Denis
b8729ca1a0 Improve crypto benchmarks
- 1MiB objects on the stack don't play well with wasmtime. Reduce these to 512KiB so that the webassembly benchmarks can run.
- Pass expected results to a blackBox() function. Without this, in release-fast mode, the compiler could detect unused return values, and would produce results that didn't make sense for siphash.
- Add AEAD constructions to the benchmarks.
- Inlining chacha20Core() makes it 4 times faster.
- benchmarkSignatures() -> benchmarkSignature() for consistency.
2020-08-26 10:50:34 +02:00
Frank Denis
fc55cd458a Hash functions now accept an option set
- This avoids having multiple `init()` functions for every combination of optional parameters
- The API is consistent across all hash functions
- New options can be added later without breaking existing applications. For example, this is going to come in handy if we implement parallelization for BLAKE2 and BLAKE3.
- We don't have a mix of snake_case and camelCase functions any more, at least in the public crypto API

Support for BLAKE2 salt and personalization (more commonly called context)
parameters has been implemented by the way to illustrate this.
2020-08-21 00:51:14 +02:00
Frank Denis
446597bd3c Remove the reset() function from hash functions
Justification:
- reset() is unnecessary; states that have to be reused can be copied
- reset() is error-prone. Copying a previous state prevents forgetting struct members.
- reset() forces implementations to store sensitive data (key, initial state) in memory even when they are not needed.
- reset() is confusing as it has a different meaning elsewhere in Zig.
2020-08-20 23:02:10 +02:00
Frank Denis
6f9ea9eaef Breaking: sort std/crypto functions into categories
Instead of having all primitives and constructions share the same namespace,
they are now organized by category and function family.

Types within the same category are expected to share the exact same API.
2020-08-20 23:02:05 +02:00
Andrew Kelley
4a69b11e74 add license header to all std lib files
add SPDX license identifier
copyright ownership is zig contributors
2020-08-20 16:07:04 -04:00
Frank Denis
f46e375bbe std/crypto: gimli.Aead.decrypt()'s ad should be const 2020-08-17 07:16:06 +02:00
Timon Kruiper
c829f2f7b7 Add mips support to standard library 2020-04-24 15:28:55 -04:00
Andrew Kelley
9e7ae06249
std lib API deprecations for the upcoming 0.6.0 release
See #3811
2020-03-30 14:23:22 -04:00
xackus
783e8ad031 remove @bytesToSlice, @sliceToBytes from std lib 2020-02-21 19:46:53 +01:00
daurnimator
ef4ecaa462
std: add AEAD modes for gimli 2020-02-06 00:21:26 +11:00
daurnimator
b495512175
add gimli to crypto hash benchmark 2020-02-06 00:16:00 +11:00
Andrew Kelley
bf3ac66150
remove type coercion from array values to references
* Implements #3768. This is a sweeping breaking change that requires many (trivial) edits to Zig source code. Array values are no longer coerced to slices; however one may use `&` to obtain a reference to an array value, which may then be coerced to a slice.

* Adds `IrInstruction::dump`, for debugging purposes. It's useful to call to inspect the instruction when debugging Zig IR.

* Fixes bugs with result location semantics. See the new behavior test cases, and compile error test cases.

* Fixes bugs with `@typeInfo` not properly resolving const values.

* Behavior tests are passing but std lib tests are not yet. There is more work to do before merging this branch.
2019-11-27 03:37:50 -05:00
Andrew Kelley
e0db54e89d
update the codebase to use @as 2019-11-08 15:57:24 -05:00
Andrew Kelley
ed36dbbd9c
mv std/ lib/
that's all this commit does. further commits will fix cli flags and
such.

see #2221
2019-09-25 23:35:41 -04:00