| Commit message | Author | Files | Lines |

With the renaming, aes_set_decrypt_key_generic() should now call
aes_set_encrypt_key_generic() directly.
Rename the C based AES implementation to *_generic() and provide
*_internal() wrappers for these. This allows for architectures to provide
accelerated versions without having to also provide a fallback
implementation.
ok tb@
This avoids leaving previous round keys around on failure, or leaving parts
of previous round keys behind if reused with a smaller key size.
ok tb@
Every aes_set_{encrypt,decrypt}_key_internal() implementation is currently
required to check the inputs and return appropriate error codes. Pull the
input validation up to the API boundary, setting key->rounds at the same
time. Additionally, call aes_set_encrypt_key_internal() directly from
aes_set_decrypt_key_internal(), rather than going back through the public
API.
ok tb@
Since this has grown organically, the test selection has become a weird mix
of globs, regexes and test variants and it is hard to reason about what is
run and why. Instead, load all the json files from testvectors_v1/ and look
at algorithm (almost always available) and test schema to figure out if we
support it in libcrypto and the test harness. This separates the logic of
the test runner better from the test selection. Also make it a fatal error
if we don't explicitly skip an unknown algorithm.
This prepares an upcoming change by not only skipping small curves but
also binary curves that have test vectors.
The webcrypto test files for P-256, P-384, and P-521 are identical to
the P1363 test files for these curves with the hashes SHA-256, SHA-384,
and SHA-512, respectively. The only real difference in the test paths
is the Go glue code to translate to libcrypto, so they're pointless.
The BN_DIV2W define provides a code path for double word division via the C
compiler, which is only enabled on hppa. Simplify the code and mop this up.
ok tb@
This is now only on amd64.
bn_sqr_words() does not actually compute the square of the words, it only
computes the square of each individual word - rename it to reflect reality.
Discussed with tb@
This moves everything not public to mlkem_internal.c, removing the old
files and doing some further cleanup on the way.
With this landed, mlkem is out of my stack and can be changed without
breaking my subsequent changes.
ok tb@
These are no longer supported in v1 and we skipped them anyway.
This checks that, for a collection of prime order groups (secp, Brainpool, FRP),
the curve parameters are correct. The collection is a superset of our
built-in curves, so we get one more validation for essentially free.
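The checks such a prime order curve test has to perform, written out as an added Go example (this is not the regress harness or libcrypto code; the curve struct, the affine point arithmetic and the stdlib conversion are assumptions made for the example). It takes the published parameters of a short-Weierstrass curve y^2 = x^3 + ax + b over GF(p) and verifies that p and n are prime, that the curve is non-singular, that the generator lies on the curve, that h*n respects the Hasse bound, and that n*G is the point at infinity, so G really has order n:

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// weierstrassCurve holds y^2 = x^3 + ax + b over GF(p) with generator G of
// prime order n and cofactor h. Assumed shape for this example only.
type weierstrassCurve struct {
	Name                  string
	P, A, B, Gx, Gy, N, H *big.Int
}

type point struct {
	x, y *big.Int
	inf  bool
}

// add is textbook affine addition/doubling. Speed is irrelevant for a
// one-off parameter check, so the readable formulas win over projective
// coordinates. Nothing in the receiver is mutated.
func (c weierstrassCurve) add(p1, p2 point) point {
	if p1.inf {
		return p2
	}
	if p2.inf {
		return p1
	}
	var num, den *big.Int
	if p1.x.Cmp(p2.x) == 0 {
		if p1.y.Cmp(p2.y) != 0 || p1.y.Sign() == 0 {
			return point{inf: true} // P + (-P) = O
		}
		num = new(big.Int).Mul(p1.x, p1.x)
		num.Mul(num, big.NewInt(3)).Add(num, c.A) // 3x^2 + a
		den = new(big.Int).Lsh(p1.y, 1)           // 2y
	} else {
		num = new(big.Int).Sub(p2.y, p1.y)
		den = new(big.Int).Sub(p2.x, p1.x)
	}
	lambda := new(big.Int).ModInverse(den.Mod(den, c.P), c.P)
	lambda.Mul(lambda, num).Mod(lambda, c.P)
	x3 := new(big.Int).Mul(lambda, lambda)
	x3.Sub(x3, p1.x).Sub(x3, p2.x).Mod(x3, c.P)
	y3 := new(big.Int).Sub(p1.x, x3)
	y3.Mul(y3, lambda).Sub(y3, p1.y).Mod(y3, c.P)
	return point{x: x3, y: y3}
}

// mul is plain double-and-add; k is public here, so no constant time needed.
func (c weierstrassCurve) mul(k *big.Int, p point) point {
	r := point{inf: true}
	for i := k.BitLen() - 1; i >= 0; i-- {
		r = c.add(r, r)
		if k.Bit(i) == 1 {
			r = c.add(r, p)
		}
	}
	return r
}

// validateCurve returns nil when the parameters pass every check.
func validateCurve(c weierstrassCurve) error {
	if c.P.Bit(0) == 0 || !c.P.ProbablyPrime(32) {
		return fmt.Errorf("%s: p is not an odd prime", c.Name)
	}
	if !c.N.ProbablyPrime(32) {
		return fmt.Errorf("%s: n is not prime", c.Name)
	}
	if c.N.Cmp(c.P) == 0 {
		return fmt.Errorf("%s: anomalous curve (n == p)", c.Name)
	}
	for _, v := range []*big.Int{c.A, c.B, c.Gx, c.Gy} {
		if v.Sign() < 0 || v.Cmp(c.P) >= 0 {
			return fmt.Errorf("%s: parameter not reduced mod p", c.Name)
		}
	}
	// Non-singular: 4a^3 + 27b^2 != 0 mod p.
	disc := new(big.Int).Exp(c.A, big.NewInt(3), c.P)
	disc.Mul(disc, big.NewInt(4))
	b2 := new(big.Int).Mul(c.B, c.B)
	disc.Add(disc, b2.Mul(b2, big.NewInt(27))).Mod(disc, c.P)
	if disc.Sign() == 0 {
		return fmt.Errorf("%s: singular curve", c.Name)
	}
	// The generator satisfies the curve equation.
	lhs := new(big.Int).Mul(c.Gy, c.Gy)
	lhs.Mod(lhs, c.P)
	rhs := new(big.Int).Exp(c.Gx, big.NewInt(3), c.P)
	rhs.Add(rhs, new(big.Int).Mul(c.A, c.Gx)).Add(rhs, c.B).Mod(rhs, c.P)
	if lhs.Cmp(rhs) != 0 {
		return fmt.Errorf("%s: generator is not on the curve", c.Name)
	}
	// Hasse bound: (p + 1 - h*n)^2 <= 4p.
	t := new(big.Int).Mul(c.H, c.N)
	t.Sub(new(big.Int).Add(c.P, big.NewInt(1)), t)
	if t.Mul(t, t).Cmp(new(big.Int).Lsh(c.P, 2)) > 0 {
		return fmt.Errorf("%s: h*n violates the Hasse bound", c.Name)
	}
	// G has order n exactly when n*G is the point at infinity (n is prime).
	if !c.mul(c.N, point{x: c.Gx, y: c.Gy}).inf {
		return fmt.Errorf("%s: n*G != O", c.Name)
	}
	return nil
}

// fromStdlib adapts one of Go's NIST curves; they all have a = p - 3, h = 1.
func fromStdlib(p *elliptic.CurveParams) weierstrassCurve {
	return weierstrassCurve{
		Name: p.Name, P: p.P, A: new(big.Int).Sub(p.P, big.NewInt(3)),
		B: p.B, Gx: p.Gx, Gy: p.Gy, N: p.N, H: big.NewInt(1),
	}
}

func main() {
	for _, c := range []elliptic.Curve{elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521()} {
		fmt.Println(c.Params().Name, validateCurve(fromStdlib(c.Params())))
	}
	bad := fromStdlib(elliptic.P256().Params())
	bad.B = new(big.Int).Add(bad.B, big.NewInt(1)) // corrupt b: G leaves the curve
	fmt.Println("corrupted P-256:", validateCurve(bad))
}
```

The order check is the expensive one, but with a single affine scalar multiplication per curve it still runs in well under a second even for P-521, which is the right trade-off for a validation that runs once per parameter set.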
Since the wycheproof tests were written in Java, they inherited some of
that language's weirdnesses. For example, the hex representation may have
odd length, is two's complement and needs zero-padding if the top bit of a
nibble is set, similar to ASN.1 integers.
This is needed for correctly decoding the Primality test cases, which
worked nicely in v0 but no longer for v1. Convert the Primality test
to use this.
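As an added Go example of the decoding described above (not the regress harness's own code; the function names, the primality case struct and the sample values are constructed for this example): a parser for the Java-style hex integers, a converter to the even-length unsigned form that BN_hex2bn()-style parsers expect, and a small primality check driven by constructed test cases. The sign rule is what the message states: a first nibble of 8..f means the value is negative in two's complement over all nibbles present, so "ff" is -1 while "0ff" is 255.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// parseWycheproofBigInt decodes the Java BigInteger-style hex used by the
// Wycheproof v1 vectors: odd length allowed, two's complement, sign given
// by the top bit of the first nibble. Added example, not LibreSSL code.
func parseWycheproofBigInt(s string) (*big.Int, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	if s == "" {
		return nil, errors.New("wycheproof bigint: empty string")
	}
	for _, c := range s {
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'f') {
			return nil, fmt.Errorf("wycheproof bigint: invalid hex digit %q", c)
		}
	}
	// Read every nibble as an unsigned magnitude first.
	v, ok := new(big.Int).SetString(s, 16)
	if !ok {
		return nil, errors.New("wycheproof bigint: not hex")
	}
	// Two's complement over 4*len(s) bits: a leading digit of 8..f means
	// the sign bit is set, so the value is magnitude - 16^len(s).
	if s[0] >= '8' {
		modulus := new(big.Int).Lsh(big.NewInt(1), uint(4*len(s)))
		v.Sub(v, modulus)
	}
	return v, nil
}

// toLibcryptoHex renders a value as BN_hex2bn() wants it: unsigned
// magnitude of even length, with a leading "-" for negatives. Padding that
// only existed to keep the Java sign bit clear disappears here.
func toLibcryptoHex(v *big.Int) string {
	h := new(big.Int).Abs(v).Text(16)
	if len(h)%2 == 1 {
		h = "0" + h
	}
	if v.Sign() < 0 {
		h = "-" + h
	}
	return h
}

// primalityCase mirrors the shape of a Wycheproof primality test case.
// The cases below are constructed samples, not vectors from the repository.
type primalityCase struct {
	TcID   int
	Value  string // BigInt encoding of the candidate
	Result string // "valid" for prime, "invalid" otherwise
}

// checkPrimalityCase decodes the candidate and reports whether the
// ProbablyPrime verdict matches the expected result. Negative candidates
// (which only exist because of the two's complement encoding) are never prime.
func checkPrimalityCase(tc primalityCase) (bool, error) {
	n, err := parseWycheproofBigInt(tc.Value)
	if err != nil {
		return false, err
	}
	isPrime := n.Sign() > 0 && n.ProbablyPrime(64)
	return isPrime == (tc.Result == "valid"), nil
}

func main() {
	cases := []primalityCase{
		{1, "7f", "valid"},    // 127 is prime
		{2, "0ff", "invalid"}, // 255 = 3 * 5 * 17, zero-padded to stay positive
		{3, "ff", "invalid"},  // two's complement -1, never prime
		{4, "1f", "valid"},    // 31 is prime
	}
	for _, tc := range cases {
		ok, err := checkPrimalityCase(tc)
		n, _ := parseWycheproofBigInt(tc.Value)
		fmt.Printf("tcId %d value %q -> %v (libcrypto hex %q) pass=%v err=%v\n",
			tc.TcID, tc.Value, n, toLibcryptoHex(n), ok, err)
	}
}
```

Note that the odd-length case and the sign case are handled by the same subtraction: the width of the two's complement representation is simply four bits per digit present, which is why "f" and "ff" both decode to -1.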
There's more work needed here since some of the tests are designed to
test the signing side of things, where we only verify. To be dealt with
later.
This excludes the bitcoin tests since our ECDSA_verify() doesn't have the
logic to enforce s < order / 2 to avoid the well-known malleability issue
with secp256k1 that (r, s) is valid if and only if (r, order - s) is valid.
Moreover, add a workaround for overly picky P1363 tests where only
correctly padded P1363 signatures are accepted. As the test authors say
"To our knowledge no standard (i.e., IEEE P1363 or RFC 7515) requires any
explicit checks of the signature size during signature verification."
In fact, the problem really is in the test code, not in libcrypto and
is a bit annoying to fix in a non-silly way.
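To make the two verifier-side points above concrete, here is an added Go example built on crypto/ecdsa (it is not libcrypto's ECDSA_verify() and not the regress harness; function names and the sample message are assumptions). The verifier takes a P1363 signature, r || s with each half left-padded to the field size, and has two switches: strictLen is the exact-length check the Wycheproof P1363 tests expect, and lowS is the s <= n/2 rule that the bitcoin tests rely on. The walk-through shows why the low-s rule exists: (r, s) and (r, n - s) both pass plain verification, and exactly one of them is low-s.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// verifyP1363 verifies an ECDSA signature in IEEE P1363 form. strictLen
// requires exactly 2 * field size bytes; lowS rejects s > (n-1)/2.
// Added example on top of Go's crypto/ecdsa, not libcrypto's ECDSA_verify().
func verifyP1363(pub *ecdsa.PublicKey, digest, sig []byte, strictLen, lowS bool) error {
	n := pub.Curve.Params().N
	fieldBytes := (pub.Curve.Params().BitSize + 7) / 8
	if strictLen && len(sig) != 2*fieldBytes {
		return fmt.Errorf("p1363: want %d bytes, got %d", 2*fieldBytes, len(sig))
	}
	if len(sig) == 0 || len(sig)%2 != 0 {
		return errors.New("p1363: empty or odd-length signature")
	}
	// Lenient split: all P1363 fixes is that r and s have the same width.
	half := len(sig) / 2
	r := new(big.Int).SetBytes(sig[:half])
	s := new(big.Int).SetBytes(sig[half:])
	if r.Sign() <= 0 || r.Cmp(n) >= 0 || s.Sign() <= 0 || s.Cmp(n) >= 0 {
		return errors.New("p1363: r or s outside [1, n-1]")
	}
	if lowS && !isLowS(s, n) {
		return errors.New("p1363: high s rejected")
	}
	if !ecdsa.Verify(pub, digest, r, s) {
		return errors.New("p1363: bad signature")
	}
	return nil
}

// isLowS reports s <= (n-1)/2, the canonical member of each (s, n-s) pair.
func isLowS(s, n *big.Int) bool {
	return s.Cmp(new(big.Int).Rsh(n, 1)) <= 0
}

// encodeP1363 left-pads r and s to fieldBytes each.
func encodeP1363(r, s *big.Int, fieldBytes int) []byte {
	out := make([]byte, 2*fieldBytes)
	r.FillBytes(out[:fieldBytes])
	s.FillBytes(out[fieldBytes:])
	return out
}

// demoResult records what the walk-through observes.
type demoResult struct {
	BothHalvesVerify     bool // (r, s) and (r, n-s) both pass plain verification
	ExactlyOneLowS       bool // the low-s rule keeps exactly one of them
	LenientTakesOverpad  bool // an over-padded encoding still verifies leniently
	StrictRejectsOverpad bool // ... but fails the strict P1363 length check
}

func demo() (demoResult, error) {
	var res demoResult
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	digest := sha256.Sum256([]byte("constructed sample message"))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return res, err
	}
	n := priv.Curve.Params().N
	sMirror := new(big.Int).Sub(n, s) // the other valid s for the same r
	sig := encodeP1363(r, s, 32)
	mirror := encodeP1363(r, sMirror, 32)

	res.BothHalvesVerify = verifyP1363(&priv.PublicKey, digest[:], sig, true, false) == nil &&
		verifyP1363(&priv.PublicKey, digest[:], mirror, true, false) == nil
	res.ExactlyOneLowS = isLowS(s, n) != isLowS(sMirror, n)

	// One extra zero byte in front of each half: still r || s of equal width,
	// which is what the "overly picky" tests want rejected.
	over := append(append([]byte{0}, sig[:32]...), append([]byte{0}, sig[32:]...)...)
	res.LenientTakesOverpad = verifyP1363(&priv.PublicKey, digest[:], over, false, false) == nil
	res.StrictRejectsOverpad = verifyP1363(&priv.PublicKey, digest[:], over, true, false) != nil
	return res, nil
}

func main() {
	res, err := demo()
	fmt.Printf("%+v err=%v\n", res, err)
}
```

Because n is odd, s and n - s can never both lie at or below (n-1)/2, so a verifier that enforces low-s accepts exactly one encoding per (r, s) pair; a verifier without that rule, like libcrypto's as described above, accepts both, which is correct ECDSA but fails the bitcoin-flavoured vectors.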
eddsa_test.json is now ed25519_test.json and again key* was renamed to
PublicKey*.
key* are now called PublicKey*, so change the json tags accordingly.
This is straightforward since the schema did not change. This adds
coverage for HMAC-SHA512/224 and HMAC-SHA512/256.
The version is passed to the test runner, so it can unmarshal the v0
and v1 JSON as appropriate later on.
In https://github.com/C2SP/wycheproof/pull/169, upstream removed the
testvector/ path, thereby creating the need to migrate if we want to
benefit from future changes and tests. While this has been around for
a very long time and generally provided more and better coverage, there
never was sufficient motivation to do so.
As a first step, change use of the testVectorPath constant to use of
a path variable so we can switch the tests one by one by appending _v1
when appropriate.
The old assembly bn_sqr_words() does not actually square words in the
bignum sense. These will have to be renamed (once I come up with a name
for whatever it actually does) before we can roll forward again.
Found the hard way by Janne Johansson.
Use bn_mul_words() and bn_montgomery_reduce_words(), rather than using
bn_montgomery_multiply_words(). This provides better performance on
architectures that have assembly optimised bn_mul_words(), such as amd64.
Use bn_sqr_words() and bn_montgomery_reduce_words(), rather than using
bn_montgomery_multiply_words(). This provides better performance on
architectures that have assembly optimised bn_sqr_words(), such as amd64.
ok tb@
This uses s2n-bignum's bignum_mul() and provides significant performance
gains for a range of multiplication sizes.
(for our purposes).
Not installed for nearly a decade since it only "documents" internal
functions and structs and the internal function doco gets more out of
sync with reality with every (much needed) pass over bn/
This was missed in the previous commit.
Most bn_.*_words() functions operate on two word arrays, however
bn_mul_words() and bn_mul_add_words() operate on one word array and
multiply by a single word. Rename these to bn_mulw_words() and
bn_mulw_add_words() to reflect this, following the naming scheme that we use
for primitives.
This frees up bn_mul_words() to actually be used for multiplying two word
arrays. Rename bn_mul_normal() to bn_mul_words(), which will then become
one of the possible assembly integration points.
ok tb@
Rework some of the squaring code so that it calls bn_sqr_words() and use
this as the integration point for assembly. Convert bn_sqr_normal() to
bn_sqr_words(), which is then used on architectures that do not provide
their own version.
This means that we resume using the assembly version of bn_sqr_words() on
i386, mips64 and powerpc, which can provide considerable performance gains.
ok tb@