Mark Wooding [Thu, 29 Dec 2016 11:50:50 +0000 (11:50 +0000)]
base/ct.c: Better constant-time algorithms from /Hacker's Delight/.
Improve equality checking and ordering, and add detailed commentary.
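As an added illustration of the branch-free comparisons this commit refers to (my own C, not Catacomb's base/ct.c): each function below returns an all-ones or all-zeros mask using the Hacker's Delight formulas on 32-bit unsigned words, so the instruction sequence never depends on the operands; the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not Catacomb's ct.c: branch-free comparison primitives
 * in the style of Hacker's Delight.  Every function returns an all-ones
 * or all-zeros mask, and the instructions executed do not depend on the
 * values being compared. */

#define WORD_BITS 32

/* Spread the top bit of x across the whole word: 0 or 0xffffffff. */
uint32_t ct_msb_mask(uint32_t x)
{
  return (uint32_t)0 - (x >> (WORD_BITS - 1));
}

/* All ones iff x == 0.  For nonzero x, either x or -x (= 2^32 - x) has
 * its top bit set, so x | -x does; for x == 0 it is zero. */
uint32_t ct_zero_mask(uint32_t x)
{
  return ~ct_msb_mask(x | ((uint32_t)0 - x));
}

/* All ones iff x == y. */
uint32_t ct_eq_mask(uint32_t x, uint32_t y)
{
  return ct_zero_mask(x ^ y);
}

/* All ones iff x < y (unsigned).  Hacker's Delight, comparison predicates:
 * the borrow out of x - y is the top bit of
 *     (~x & y) | (~(x ^ y) & (x - y)).
 * If the top bits differ the first term decides; if they agree the top
 * bit of x - y is the borrow from the lower bits. */
uint32_t ct_lt_mask(uint32_t x, uint32_t y)
{
  return ct_msb_mask((~x & y) | (~(x ^ y) & (x - y)));
}

/* Constant-time select: a if mask is all ones, b if all zeros. */
uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b)
{
  return (a & mask) | (b & ~mask);
}

/* Compare n bytes; returns 1 if equal, else 0, in time depending only on n
 * (no early exit on the first differing byte). */
int ct_memeq(const void *av, const void *bv, size_t n)
{
  const unsigned char *a = av, *b = bv;
  uint32_t acc = 0;
  for (size_t i = 0; i < n; i++) acc |= (uint32_t)(a[i] ^ b[i]);
  return (int)(ct_zero_mask(acc) & 1);
}
```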
Mark Wooding [Mon, 12 Sep 2016 21:32:37 +0000 (22:32 +0100)]
base/asm-common.h, symm/rijndael-x86ish-aesni.S: Better section switching.
Provide macros for changing section which handle (a) switching to the
right text subsection, and (b) a section for readonly data.
Mark Wooding [Sat, 5 Nov 2016 12:22:43 +0000 (12:22 +0000)]
base/asm-common.h: Include `.note.GNU-stack' section on ELF targets.
This will ensure that Catacomb doesn't force an executable stack on
processes using it. Oops.
Mark Wooding [Sat, 5 Nov 2016 20:38:31 +0000 (20:38 +0000)]
math/mpx-mul4-x86-sse2.S: Use `SHUF' instead of hardwired constants.
Mark Wooding [Tue, 1 Nov 2016 22:38:41 +0000 (22:38 +0000)]
symm/salsa20-*.S: Optimize the output permutations.
A little analysis, and a lot of trial and error, reveals that the
state permutation can be decomposed into some rotations of the rows, a
matrix transpose, and another rotation of the rows. These steps can be
done moderately efficiently using the Intel and ARM SIMD instructions.
Mark Wooding [Sun, 2 Oct 2016 23:27:11 +0000 (00:27 +0100)]
math/mpx.h, math/mpmont.c: Retune the Karatsuba thresholds.
It seems like Karatsuba isn't especially worthwhile for Montgomery
multiplication at any cryptographically relevant modulus size. It's
certainly a lose with the new SSE2 multipliers.
Mark Wooding [Sun, 2 Oct 2016 23:26:28 +0000 (00:26 +0100)]
math/ptab.in: Include the correct Oakley 2048 group!
I'd mistakenly duplicated the 1536 group. This is... unfortunate.
Mark Wooding [Mon, 12 Sep 2016 21:32:37 +0000 (22:32 +0100)]
math/: SSE2-based high-performance multipliers.
Mark Wooding [Mon, 12 Sep 2016 21:32:37 +0000 (22:32 +0100)]
base/asm-common.h: Add some debugging macros.
Currently only for 32-bit x86. More will come when they seem useful...
Mark Wooding [Mon, 12 Sep 2016 21:32:37 +0000 (22:32 +0100)]
vars.am: Don't delete `*.t' files after running tests.
Silly GNU Make. Of course I wanted to keep them.
Mark Wooding [Mon, 12 Sep 2016 21:32:37 +0000 (22:32 +0100)]
math/mpmont.c: Make REDC coefficient as long as the modulus.
We'll have trouble later if it's too short.
Mark Wooding [Mon, 12 Sep 2016 21:32:37 +0000 (22:32 +0100)]
math/mpmont.c: Factor out the computational core of the algorithm.
Surprisingly, this makes everything a little simpler.
Mark Wooding [Mon, 12 Sep 2016 21:32:37 +0000 (22:32 +0100)]
math/ec-test.c: Add in missing space in test failure reports.
Mark Wooding [Sun, 11 Sep 2016 14:05:49 +0000 (15:05 +0100)]
vars.am: Associate more useful dependencies with test programs.
For a long time, probably forever, `make FOO.t' hasn't actually worked
to rebuild the test program because of deficiencies in make(1) suffix
rules. Add GNU Make pattern rules, which can have dependencies, to
finally fix this.
Mark Wooding [Sun, 11 Sep 2016 14:03:59 +0000 (15:03 +0100)]
vars.am, symm/Makefile.am: Associate built test vector files with logs.
Previously they were associated with the test executables, but that's
not the right approach, and it's going to be a problem if we don't fix
it.
Unfortunately, Automake only allows dependencies on test log files if
the test-file suffix is listed in $(TEST_EXTENSIONS).
Mark Wooding [Sun, 11 Sep 2016 13:29:49 +0000 (14:29 +0100)]
math/mprand.[ch], rand/grand.c: Check range of arguments.
* mprand: It doesn't make sense to ask for a zero-bit integer whose
low bit is set; or, indeed, a four-bit integer whose fourth bit is
set. So check the mask against the bit length.
* mprand: On the other hand, it /does/ make sense to ask for a
zero-bit integer, and the answer is simply zero. But the code used
to segfault. Fix this.
* mprand_range, grand_defaultrange: It doesn't make sense to ask for
an integer in [0, 0), because there aren't any. Check before
trying.
Mark Wooding [Sun, 11 Sep 2016 13:24:34 +0000 (14:24 +0100)]
math/mpint.h (MP_TOINT): Convert MP digits to target type before shifting.
Otherwise conversions to types wider than `mpw' never actually work.
Mark Wooding [Fri, 9 Sep 2016 10:06:41 +0000 (11:06 +0100)]
math/{mpbarrett,mpmont}.h: Provide correctness proofs for these methods.
Add commentary explaining how these reduction algorithms actually work,
with proofs.
Mark Wooding [Thu, 11 Aug 2016 09:07:04 +0000 (10:07 +0100)]
symm/rijndael-x86ish-aesni.S: Load destination pointer earlier on 32-bit.
We don't need EDX for anything for most of the code, so repurpose it
earlier ready for the final store.
Mark Wooding [Thu, 11 Aug 2016 09:02:56 +0000 (10:02 +0100)]
symm/rijndael-x86ish-aesni.S: Fix conflict in 32-bit register allocation.
Since 28321c9..., the context pointer in ECX was overwritten with the
GOT pointer, used to find the end-swapping table, resulting in an abort.
Reallocate so that the round count, which is loaded /after/ the endswap
pointer, ends up in ECX, and the context pointer goes in EAX, which
doesn't get clobbered.
This doesn't affect 64-bit targets.
Mark Wooding [Thu, 11 Aug 2016 08:15:12 +0000 (09:15 +0100)]
base/asm-common.h, *-x86ish-*.S: Centralize SSE shuffling constants.
Introduce a centrally defined `SHUF(D, C, B, A)' macro to make shuffling
constants for `pshufd' and friends, rather than defining inscrutable
`ROTL' etc. macros in each file.
There are lots of other shuffling instructions, which may need their own
magic macros, so this might prove to have been a bad name, but we'll
worry about that later.
Mark Wooding [Mon, 8 Aug 2016 09:33:29 +0000 (10:33 +0100)]
symm/{chacha,salsa20}-*.S: Indent the hoisted transposition instructions.
This hopefully makes it clearer how the various interleaved strands of
computation work.
Mark Wooding [Mon, 8 Aug 2016 09:32:04 +0000 (10:32 +0100)]
symm/salsa20-x86ish-sse2.S: Cosmetic fixes.
Fix a mangled comment, and remove a spurious blank line.
Mark Wooding [Sat, 30 Jul 2016 10:48:16 +0000 (11:48 +0100)]
symm/rijndael-arm-crypto.S: More aggressive loading of subkey data.
Rewrite the block-encryption primitives so that they load key data in
multiple round chunks. There's now a separate prefix piece for each
number of rounds other than ten which does the extra and flows into the
main sequence. Because the code is now rather more complicated, there's
only one copy of it, in a macro, as for the AESNI version.
Mark Wooding [Wed, 13 Jul 2016 22:19:03 +0000 (23:19 +0100)]
base/asm-common.h, *.S: Include metadata for 64-bit Windows stack unwinding.
There are (annoyingly undocumented) assembler directives, which make
this fairly straightforward. I've manually verified that they're
setting up the expected data structures correctly. Under normal
circumstances, we don't expect these leaf functions to throw exceptions.
Note that the `endswap_block' subroutine of `rijndael_setup_x86ish_aesni'
is not currently properly described.
Mark Wooding [Wed, 13 Jul 2016 22:16:38 +0000 (23:16 +0100)]
symm/rijndael-x86ish-aesni.S: Move setup of endswap table after prologue.
When we introduce metadata for Windows stack unwinding, it will be ugly
to have to count this code as part of the stack-frame establishment
prologue. Move it later.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h, *.S: Introduce `AUXFN'/`ENDAUXFN'; abolish `gotaux'.
This change introduces a new macro pair `AUXFN' and `ENDAUXFN' which are
mostly useful in other macros. They bracket an auxiliary function
definition which will be put somewhere convenient (at the end of the
text section), and defined exactly once.
This is exactly what we need to make the `_where_am_i.GOTREG' macros
automatically in `ldgot', so use this and abolish `gotaux' from the
codebase.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/rijndael-*.S (rijndael_setup_*): Roll up the inner loop.
Reduce code size by tracking position in the main key-schedule loop in a
register and dispatching rather than tracking it in the program-counter.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/rijndael-x86ish-aesni.S (rijndael_setup_x86ish_aesni): Label numbering.
Follow what appear to be my current conventions properly.
Mark Wooding [Tue, 12 Jul 2016 09:28:05 +0000 (10:28 +0100)]
Release 2.2.5.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/rijndael-arm-crypto.S (rijndael_setup_arm_crypto): Avoid reload.
Juggle the register allocation in the loop which copies over the first
key-data cycle, so as to arrange to leave the last copied key word in
r4. Then we can elide the explicit load of r4 at the start of the main
key expansion loop, because it already has the right value, saving a
whole instruction.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/rijndael-arm-crypto.S (rijndael_setup_arm_crypto): Renumber labels.
Be more consistent about the label numbering. Specifically, 0 is
usually a loop head, and 9 is usually a thing to do next.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/rijndael-arm-crypto.S (rijndael_setup_arm_crypto): Fix missing label.
The loop which copies the initial key data from a misaligned address
ends with a branch to the next label 9 which, due to an oversight on my
part, skipped out the setup for the main loop. Introduce an extra label
9 to fix this.
Mark Wooding [Mon, 11 Jul 2016 10:10:50 +0000 (11:10 +0100)]
configure.ac: Use modern version of `AC_CHECK_TYPES'.
Also, check for `socklen_t' in <sys/socket.h>, so that we can find it on
Android. I don't expect this to be the last Android portability
failure, because I've not even tried building it there yet.
Mark Wooding [Mon, 11 Jul 2016 09:50:31 +0000 (10:50 +0100)]
symm/rijndael-arm-crypto.S: Outdent the `.rept/.endr' directives.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
configure.ac: Use new name for `AX_C_LONG_LONG'.
The correct name is in wheezy's version of the Autoconf archive, so I
guess it's not that new really.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
Release 2.2.4.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
configure.ac, symm/rijndael*: Use ARMv8 AES instructions where available.
This matches the x86 AESNI support, but is less mad.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/dispatch.c: Add notional support for `AT_HWCAP2' entry.
Later ARM-based kernels provide one of these, at least.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
configure.ac: Check that the chosen assembler will actually work.
If the system assembler doesn't like the GNUish directive syntax I'm
using, then the build will fail badly and be hard to fix. Now, if the
assembler doesn't look like it's going to work, then declare the target
platform to be unknown so as to disable all of this fancy machinery.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
configure.ac: Segregate checks by source language better.
Move the poking-about-for-CPU-features function checks in with the rest
of the C code probing.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/rijndael-x86ish-aesni.S: Have `endswap_block' copy NKW to ECX.
Eliminate a tiny bit of code duplication. It's not like anyone else
uses that subroutine.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h: Factor out `deposit fake literal pool' macro.
This might be useful for debugging purposes.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
Have a small reformatting session.
* Outdent `.macro' and `.endm' directives. Firstly, this makes them
more prominent, similar to `FUNC' and `ENDFUNC'. Secondly, though,
it has the effect of moving the macro name into the mnemonic column.
* Remove the second `External definitions' banner from
`symm/rijndael-x86ish-aesni.S'.
* Reflow the various `CPU_DISPATCH' stanzas.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
symm/rijndael-x86ish-aesni.S: Decorate `rijndael_rcon' correctly.
I don't think I've tested this on 32-bit Windows, which is the only
platform I'm currently supporting which needs nontrivial symbol
decoration.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/dispatch.c: Fix list-macro invocation if we have `getauxval'.
Caused hopeless build failure on ARM versions of jessie.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/dispatch.c: Just include all the auxvec-related headers we can.
The necessary stuff will be in one of them. It turns out that the
previous approach sometimes missed some important definitions.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h: Use the correct `CPUFAM_*' name for ARM.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
configure.ac: Quote `$ac_cv_search_clock_gettime' properly.
This can expand to `none required', which confuses test(1). My fault.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/pfilt.c (pfilt_jump): Fix off-by-one error in reduction.
Oh, dear. This is quite a bad one. The loop added the residues for the
jump to the candidate, and reduced each if the result was strictly
higher than the modulus. It then reports failure (or immediate success)
if any residue is zero, otherwise reporting a candidate for subsequent
testing. Obviously, this is a stupid bug, with the result that,
effectively, every step reports a candidate for further testing.
This bug has two bad consequences.
* Candidates with small factors aren't weeded out, so prime searching
takes an unnecessarily long time. I'd spotted this, but didn't have
a way in to investigate the problem.
* Candidates which actually have small factors, but are in fact below
the `smallenough' threshold, are reported as being verified as
prime, so the overall procedure erroneously returns known
composites.
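The off-by-one described above, as an added illustration (my own C, not Catacomb's math/pfilt.c): a tiny sieve keeps the candidate's residues modulo a few small primes, a jump adds the step's residues, and the reduction must fire on `>=`, not `>`, or a residue that lands exactly on the modulus stays there instead of becoming zero and the small factor goes unnoticed. The prime table, names and `strict' switch are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not Catacomb's pfilt code.  The sieve tracks the candidate
 * modulo each small prime so that stepping by `jump' needs only additions,
 * never divisions. */
static const uint32_t small_primes[] = { 3, 5, 7, 11, 13 };
#define NPRIMES (sizeof(small_primes) / sizeof(small_primes[0]))

struct pfilt {
  uint64_t candidate;          /* the current candidate */
  uint32_t residue[NPRIMES];   /* candidate mod small_primes[i] */
};

enum { PFILT_CANDIDATE, PFILT_COMPOSITE };

void pfilt_create(struct pfilt *pf, uint64_t n)
{
  pf->candidate = n;
  for (size_t i = 0; i < NPRIMES; i++)
    pf->residue[i] = (uint32_t)(n % small_primes[i]);
}

/* Advance by `jump'.  Both addends are below p, so one subtraction
 * reduces.  `strict' selects the reduction test: a strict `>' reproduces
 * the bug, the correct test is `>='.  Returns PFILT_COMPOSITE if some
 * residue is zero, i.e. a small prime divides the candidate. */
static int pfilt_step(struct pfilt *pf, uint64_t jump, int strict)
{
  int rc = PFILT_CANDIDATE;
  pf->candidate += jump;
  for (size_t i = 0; i < NPRIMES; i++) {
    uint32_t p = small_primes[i];
    uint32_t r = pf->residue[i] + (uint32_t)(jump % p);
    if (strict ? r > p : r >= p) r -= p;
    pf->residue[i] = r;
    if (r == 0) rc = PFILT_COMPOSITE;
  }
  return rc;
}

/* The buggy reduction: a residue equal to p is left unreduced, so it is
 * nonzero and the candidate is reported for further (expensive) testing. */
int pfilt_jump_buggy(struct pfilt *pf, uint64_t jump)
{
  return pfilt_step(pf, jump, 1);
}

/* The corrected reduction. */
int pfilt_jump(struct pfilt *pf, uint64_t jump)
{
  return pfilt_step(pf, jump, 0);
}

/* Reference check by trial division, for comparing against the sieve. */
int has_small_factor(uint64_t n)
{
  for (size_t i = 0; i < NPRIMES; i++)
    if (n % small_primes[i] == 0) return 1;
  return 0;
}
```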
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
pub/bbs-gen.c, pub/rsa-gen.c: Fail if the generated key is the wrong length.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
pub/bbs-gen.c: Carefully generate numbers of the correct sizes.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
pub/bbs-gen.c: Return secret numbers for private keys.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/strongprime.c: Choose the smaller primes' sizes more carefully.
The old code would indeed, as the warning in the comment said, produce
numbers which are larger than requested because the component primes'
sizes were chosen in a naïve manner. I've now (eventually!) thought
about the issue some more and come up with a better approach.
The `BITSLOP' macro is now gone, replaced by a carefully chosen value
supported by some actual mathematics. As a result, the warning comments
have been removed. Also, `strongprime' will fail if it actually returns
a number of the wrong size.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/, pub/: Take a more consistent approach to prime-generation failures.
* Don't have `strongprime_setup' assert just because the requested
size is too small.
* Fix `strongprime' itself, so that it leaves its destination in a
predictable state (specifically, it's unmolested) if it fails.
* Remove the retry loops from `bbs_gen' and `rsa_gen'. Now,
downstream failures are consistently propagated.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
pub/rsa-gen.c: Don't leak `t'.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/, pub/: Generate primes with exactly the right size.
Previously, the `strongprime' and `limlee' machinery had a tendency to
generate primes which were a few bits shorter than actually requested.
Fix this unfortunate state of affairs by using a more careful analysis
of sizes of things.
The Lim--Lee prime generation has been changed quite a bit. The large
factor now might not be suitable, so there's some new machinery for
tracking how useful it's being for generating numbers of the right size
and choosing a different one if it gets out of whack. Unfortunately,
this means applying a rather unpleasant hack to the structure layout to
preserve ABI compatibility.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
math/mp-arith.c: New function `mp_leastcongruent'.
Return the least representative of a congruence class not less than a
given lower bound.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
Some basic formatting fixes.
* Some indentation fixes.
* Reorder the factors in a mathsy comment to improve clarity.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h: Add some slightly cheesy Thumb support.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h: Introduce simpler PIC data reference macro.
Using the `GOT_PREL' relocation type means that we don't need to burn a
register for the GOT.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h: Use new literal-pool stuff for ARM PIC macros.
The support in GAS for the ARM literal-loading syntax is entirely
hopeless.
* It unnecessarily refuses to allow expressions involving external
symbols as literal values (e.g., `ldr r0, =_GLOBAL_OFFSET_TABLE_ - . - 12').
I've checked: if you modify GAS to remove the pointless check, then it
produces the right result.
* It doesn't use the enhanced expression evaluator which understands
relocation annotations (so you can't say `ldr r0, =foo(GOT)').
Indeed, this evaluator is internal to the handler for `.word' and
friends. Fixing this would be rather hard work, and involve
uprating the literal-pool machinery quite a bit.
Instead, use the new subsection-based fake literal pool handling
machinery `_LIT' and `_ENDLIT' and some per-macro symbols with awful
names.
This also removes the magic knowledge which the previous version of the
`ldgot' had about the right PC offset, which would have been wrong for
Thumb code.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h: Introduce bad literal-pool handling macros.
Abuse subsections for arranging to place literals near the functions
which need them. These are no use for human-written code, but they're
useful in macros, especially since GAS is actually rather bad at dealing
with complex expressions and relocation types in its ARM literal syntax.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h: Accept condition codes in ARM PIC macros.
Confusingly, the `leaext' macro already accepted a condition argument,
but did nothing with it. Add the same argument to both (as the first
optional argument), and actually make the instructions be conditional.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/asm-common.h: Use `GOTREG' rather than the raw register name.
Note that this doesn't mean that one can redefine `GOTREG' and have the
macros use a different register by default; the relative expansion
orders of the two macro systems don't work like that.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
*.S: Use `.text' consistently to name the text section.
Notably, `.text' allows a subsection number, while `.section' has
BFD-target-specific syntax.
Mark Wooding [Wed, 27 May 2015 18:06:22 +0000 (19:06 +0100)]
pub/dsa.h, pub/dsa-sign.h: Deprecate the old DSA interface.
It's terribly crufty and hard to use properly, because it offloads most
of the hard work onto its caller. It's also next to impossible to fix.
The main problem is the handling of the nonce, which the caller is
expected to have come up with somehow and passed in. It would be nice
to make this optional, and come up with a deterministic (or
randomized-but-safe) nonce in the default case, but that's very hard to do with
this interface:
* The function isn't given a random number generator so it can't use
that to randomize its nonce, if it wanted to do that.
* Worse, we aren't given a hash function, so we don't know which one
to use for generating the nonce.
It'd be possible to write a complicated thing which picks a hash
function out of a list somehow based on the other parameters, but it
doesn't seem worthwhile when taking advantage of this will still require
source changes to callers, and the newer `gdsa' interface is much
less awful.
So I'll just deprecate these old functions and hope that nobody uses
them for anything.
Mark Wooding [Wed, 27 May 2015 18:05:58 +0000 (19:05 +0100)]
pub/dsa.h: Make sure `grand' is actually declared.
Mark Wooding [Wed, 27 May 2015 18:04:29 +0000 (19:04 +0100)]
pub/dsa-misc.c, pub/dsa.h: Make arg name in comment match declaration.
Mark Wooding [Mon, 13 Jun 2016 21:24:00 +0000 (22:24 +0100)]
Release 2.2.3.
Mark Wooding [Mon, 13 Jun 2016 21:00:00 +0000 (22:00 +0100)]
Merge branch 'master' of git.distorted.org.uk:~mdw/publish/public-git/catacomb
* 'master' of git.distorted.org.uk:~mdw/publish/public-git/catacomb: (53 commits)
rand/rand.c (rdrand_quick): Improve the loop.
configure.ac, rand/noise.c: Get high-res time from `clock_gettime'.
rand/noise.c: Make the high-res timer function be a bit more abstract.
configure.ac, Makefile.am: Collect libs only needed by Catacomb itself.
Makefile.am: Include $(PIXIE_LIBS) in the main library.
rand/noise.c (noise_devrandom): Use OpenBSD system call `getentropy'.
rand/noise.c (noise_devrandom): Use new Linux system call `getrandom'.
rand/noise.c (noise_devrandom): Handle Linux's broken `/dev/urandom'.
rand/noise.c (noise_devrandom): Refactor internals.
src/noise.c: Make `bitcount' table be static and constant.
rand/rand.c: Add support for x86 `RDRAND' instruction in `rand_quick'.
base/dispatch.[ch]: Detect availability of the x86 `RDRAND' instruction.
rand/rand.[ch]: Add external `rand_quick' function.
rand/: Secure `rand' generator against fork problems.
Release 2.2.2.
math/mp-arith.c (mp_testbit): Want nonstrict comparison for bounds check.
symm/salsa20-arm-neon.S: Mark the final-permutation stores as word-aligned.
symm/: Add ARM NEON implementations of ChaCha and Salsa20.
symm/{salsa20,chacha}-x86ish-sse2.S: Use numeric labels for internal loops.
symm/salsa20-x86ish-sse2.S: Fix stray `##' comment to be `//'.
...
Conflicts:
debian/changelog
Mark Wooding [Mon, 6 Jun 2016 10:01:46 +0000 (11:01 +0100)]
rand/rand.c (rdrand_quick): Improve the loop.
The `RDRAND' instruction can fail, leaving carry clear. Previously, I
just exposed the carry flag in a register (with `SETC'), and looped
around in C.
Rewrite the loop in assembler. This makes the flow cleaner, and
(coincidentally) avoids a dependency on the `SETcc' instructions (though
if I thought a processor might have `RDRAND' and not `SETcc', I wouldn't
have written the original code the way I did). But the main benefit is
that I don't have nightmares about seeing
...; setc al; test al, al; ...
sequences any more. There's still the issue of `i' being tested for
zero twice, but I don't think I can fix that without resorting to `asm
goto', and that has its own problems.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
configure.ac, rand/noise.c: Get high-res time from `clock_gettime'.
If it's available.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
rand/noise.c: Make the high-res timer function be a bit more abstract.
You can tell that there's more coming from the indentation. But there
shouldn't be any real change at this stage.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
configure.ac, Makefile.am: Collect libs only needed by Catacomb itself.
Currently there aren't any, but some may turn up soon.
Oddly, the `pkg-config' machinery already had all the right stuff in it:
it just wasn't being exercised.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
Makefile.am: Include $(PIXIE_LIBS) in the main library.
After all, it needs to be able to contact the pixie. I guess I've not
had to deal with many stupid systems which hide functions in `-lsocket'
recently.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
rand/noise.c (noise_devrandom): Use OpenBSD system call `getentropy'.
If it's available, it does the right thing. I think.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
rand/noise.c (noise_devrandom): Use new Linux system call `getrandom'.
The new system call has pretty much the right semantics. If it's
available, then try to use it. Annoyingly, the syscall isn't supported
in the libc, so we have to do it the hard way. On the plus side, this
means that the code will work if built on a system with the syscall
defined, and run on one with the right kernel, without introducing a
dependency on the libc.
If it fails because the kernel entropy pool isn't initialized, then
there's no point in messing with the devices because they won't be any
better. If it fails because the call isn't there, then it proceeds with
other options.
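The decision logic this message describes, as an added illustration (my own C, not Catacomb's rand/noise.c): the raw system call is made through syscall(2) so no libc wrapper is required, `EAGAIN` under `GRND_NONBLOCK` means the pool is not yet initialized (so the devices will not help either), and `ENOSYS` means the call is absent and the other sources should be tried. The enum, function names and the `entropy_plan` helper are mine.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#  include <sys/syscall.h>
#  ifndef GRND_NONBLOCK
#    define GRND_NONBLOCK 0x0001   /* value from <linux/random.h> */
#  endif
#endif

/* Added example, not Catacomb's noise.c: outcome of trying getrandom(2)
 * directly, classified the way the commit message describes. */
enum getrandom_result {
  GR_OK,              /* buffer filled from the kernel pool */
  GR_POOL_NOT_READY,  /* EAGAIN: pool uninitialized; devices won't do better */
  GR_UNAVAILABLE      /* ENOSYS (or non-Linux build): try other sources */
};

enum getrandom_result try_getrandom(unsigned char *buf, size_t n)
{
#if defined(__linux__) && defined(SYS_getrandom)
  size_t done = 0;
  while (done < n) {
    /* GRND_NONBLOCK: fail with EAGAIN rather than block on an
     * uninitialized pool.  syscall(2) avoids needing a libc wrapper, so a
     * binary built where SYS_getrandom is defined still runs on a kernel
     * that has the call, without a libc dependency. */
    long r = syscall(SYS_getrandom, buf + done, n - done, GRND_NONBLOCK);
    if (r < 0) {
      if (errno == EINTR) continue;                /* signal: just retry */
      if (errno == EAGAIN) return GR_POOL_NOT_READY;
      return GR_UNAVAILABLE;  /* ENOSYS on old kernels; also seccomp etc. */
    }
    done += (size_t)r;        /* short reads are possible; keep going */
  }
  return GR_OK;
#else
  (void)buf; (void)n;
  return GR_UNAVAILABLE;
#endif
}

/* Policy from the commit message: only fall through to /dev/random and
 * /dev/urandom when the call is missing, not when the pool is empty. */
const char *entropy_plan(enum getrandom_result r)
{
  switch (r) {
  case GR_OK:             return "done";
  case GR_POOL_NOT_READY: return "give up: devices will not be any better";
  default:                return "try /dev/random then /dev/urandom";
  }
}
```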
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
rand/noise.c (noise_devrandom): Handle Linux's broken `/dev/urandom'.
On Linux, try to open `/dev/random' and make sure it's readable before
proceeding to `/dev/urandom'. Generally we want to be reading
`/dev/urandom', but not if it hasn't been initialized properly.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
rand/noise.c (noise_devrandom): Refactor internals.
The objective is to make adding new ways of collecting high-quality
system entropy easier.
* Add labels for success and exit, to make sure that we add whatever's
in the buffer to the pool, and then clear out the buffer.
* Initialize `fd' to `-1' at the top, and close it on the way out to
make sure it doesn't leak.
* Change the main `open' condition to allow something to have opened the
right file already.
This shouldn't change any observable behaviour, but it will make things
easier in future.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
src/noise.c: Make `bitcount' table be static and constant.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
rand/rand.c: Add support for x86 `RDRAND' instruction in `rand_quick'.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
base/dispatch.[ch]: Detect availability of the x86 `RDRAND' instruction.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
rand/rand.[ch]: Add external `rand_quick' function.
This is a function which can be called frequently to top up the internal
entropy.
Internally, rename `TIMER' to `QUICK', and call the internal `quick'
function as well as the noise-source timer. The `quick' core currently
doesn't do anything, but will act as a dispatcher to CPU-specific
entropy sources.
Mark Wooding [Thu, 26 May 2016 08:26:09 +0000 (09:26 +0100)]
rand/: Secure `rand' generator against fork problems.
This is fiddlier than it really ought to be.
* Make the `i' and `irot' members be `unsigned short' to make space
for a new member. These members have well-constrained ranges, so
this is safe.
* Insert a new `gen' member to keep track of the pool's `generation
number'. Arrange that the global generator's generation number is
initially zero.
* Invent a new system-specific function `rand_generation' which
returns a nonzero `generation number', which changes across forks
and such things.
* Have the output functions `rand_get' and `rand_getgood' check the
generation number and force a `rand_gate' if it changes.
* Arrange for `rand_gate' and `rand_stretch' to feed the generation
number into the hashing, so that generators with different
generations behave computationally independently.
Mark Wooding [Sat, 4 Jun 2016 01:15:53 +0000 (02:15 +0100)]
Merge branch '2.2.x'
* 2.2.x:
Release 2.2.2.
math/mp-arith.c (mp_testbit): Want nonstrict comparison for bounds check.
Mark Wooding [Sat, 4 Jun 2016 00:14:08 +0000 (01:14 +0100)]
Release 2.2.2.
Mark Wooding [Fri, 3 Jun 2016 21:25:02 +0000 (22:25 +0100)]
math/mp-arith.c (mp_testbit): Want nonstrict comparison for bounds check.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
symm/salsa20-arm-neon.S: Mark the final-permutation stores as word-aligned.
This was just an oversight when I was hacking the initial code.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
symm/: Add ARM NEON implementations of ChaCha and Salsa20.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
symm/{salsa20,chacha}-x86ish-sse2.S: Use numeric labels for internal loops.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
symm/salsa20-x86ish-sse2.S: Fix stray `##' comment to be `//'.
Not sure how this one slipped through the net. Oh, well; it didn't
cause any damage.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
configure.ac: Detect plain `arm' as an ARM CPU identifier.
For some reason I've not discovered yet, my test machinery shows as
`arm-unknown-linux-gnueabi' rather than `armv7l-unknown-linux-gnueabi',
which inhibits building the fancy CPU-specific code. This hid a build
failure from my test machinery, which is quite annoying.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
base/dispatch.c: Missing parens on call to `get_hwcaps'.
This is only a problem on ARM hosts, but it breaks the build for
them (unsurprisingly). For some reason, the test machinery I used
before committing the broken code came up with a slightly different
host-platform name which the configure script didn't recognize, so the
test environment didn't try to compile the broken code.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
base/dispatch.c: Stop parsing the auxiliary vector when we hit `AT_NULL'.
This doesn't seem too dreadful so far (partly because nothing is using
this machinery for something important, and partly because we're parsing
the vector from a file with known length), but fix it anyway.
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
Merge branch 'mdw/cpu-dispatch'
* mdw/cpu-dispatch:
Add support machinery for ARM hosts.
base/dispatch.c: Add (unused) machinery for probing ELF auxiliary vector.
Add support for AMD64 processors and Microsoft Windows.
symm/rijndael-x86-aesni.S: Unify encryption and decryption with a macro.
symm/rijndael-x86-aesni.S: Use xmm5 instead of xmm7.
symm/*.S: Symbolic names for shuffles.
symm/chacha-x86-sse2.S: Fix the register allocation comment.
Preprocess the assembler files.
configure.ac: Improve the host CPU family detection.
base/dispatch.c: Indent some preprocessor definitions properly.
Add a pile of debug output around the CPU dispatching machinery.
base/dispatch.c: Add documentation for some internal functions.
base/dispatch.c: Add in more useful section markers.
Support Intel's AES Native Instructions where available on x86 hardware.
symm/: New SSE2 implementations of Salsa20 and ChaCha.
symm/salsa20.c, symm/salsa20-core.h: Permute input matrix for SIMD.
debian/rules: Run tests twice, once without any detected CPU features.
base/dispatch.c: Check operating system support for XMM registers.
configure.ac, base/dispatch.[ch]: CPU-specific implementations.
configure.ac: Arrange to have an assembler available.
Conflicts:
configure.ac
symm/Makefile.am
Mark Wooding [Sat, 21 May 2016 10:26:40 +0000 (11:26 +0100)]
configure.ac: Turn on colour in the test output.
It makes it easier to spot the bad ones in a vast spew of parallel test
runs across multiple target platforms.
Mark Wooding [Sat, 21 May 2016 10:07:15 +0000 (11:07 +0100)]
symm/BLKMODE-def.h: Fix alignment of separators in hexdump output.
Now the `:' markers actually correspond with the block boundaries.
Amazing, no?
Mark Wooding [Sat, 21 May 2016 13:33:28 +0000 (14:33 +0100)]
Add support machinery for ARM hosts.
There's currently no ARM code here, but we can probe for the
features (and it seems to work).
Mark Wooding [Wed, 18 May 2016 09:29:03 +0000 (10:29 +0100)]
base/dispatch.c: Add (unused) machinery for probing ELF auxiliary vector.
Some platforms don't allow CPU feature-probing from userland, and rely
on the kernel informing processes in some other way. ELF-ish systems
hide this information in the auxiliary vector, which is very hard to
find. Add some machinery for doing this anyway.