Nixyri/zig
1
0
Fork 0
mirror of https://github.com/ziglang/zig.git synced 2024-11-15 00:26:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use a unified error set for std/crypto/*

Browse Source 
This ensures that errors are used consistently across all operations.
This commit is contained in:
Frank Denis 2021-03-13 15:11:35 +01:00 committed by Jakub Konka
parent f69305f865
commit b98d7747fa
18 changed files with 126 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/std/crypto.zig
View File

@ -144,6 +144,8 @@ pub const random = &@import("crypto/tlcsprng.zig").interface;
const std = @import("std.zig");
pub const Error = @import("crypto/error.zig").Error;
test "crypto" {
const please_windows_dont_oom = std.Target.current.os.tag == .windows;
if (please_windows_dont_oom) return error.SkipZigTest;
@ -151,7 +153,9 @@ test "crypto" {
inline for (std.meta.declarations(@This())) |decl| {
switch (decl.data) {
.Type => |t| {
std.testing.refAllDecls(t);
if (@typeInfo(t) != .ErrorSet) {
std.testing.refAllDecls(t);
}
},
.Var => |v| {
_ = v;

13
lib/std/crypto/25519/curve25519.zig
View File

@ -4,6 +4,7 @@
// The MIT license requires this copyright notice to be included in all copies
// and substantial portions of the software.
const std = @import("std");
const Error = std.crypto.Error;
/// Group operations over Curve25519.
pub const Curve25519 = struct {
@ -28,12 +29,12 @@ pub const Curve25519 = struct {
pub const basePoint = Curve25519{ .x = Fe.curve25519BasePoint };
/// Check that the encoding of a Curve25519 point is canonical.
pub fn rejectNonCanonical(s: [32]u8) !void {
pub fn rejectNonCanonical(s: [32]u8) Error!void {
return Fe.rejectNonCanonical(s, false);
}
/// Reject the neutral element.
pub fn rejectIdentity(p: Curve25519) !void {
pub fn rejectIdentity(p: Curve25519) Error!void {
if (p.x.isZero()) {
return error.IdentityElement;
}
@ -44,7 +45,7 @@ pub const Curve25519 = struct {
return p.dbl().dbl().dbl();
}
fn ladder(p: Curve25519, s: [32]u8, comptime bits: usize) !Curve25519 {
fn ladder(p: Curve25519, s: [32]u8, comptime bits: usize) Error!Curve25519 {
var x1 = p.x;
var x2 = Fe.one;
var z2 = Fe.zero;
@ -85,7 +86,7 @@ pub const Curve25519 = struct {
/// way to use Curve25519 for a DH operation.
/// Return error.IdentityElement if the resulting point is
/// the identity element.
pub fn clampedMul(p: Curve25519, s: [32]u8) !Curve25519 {
pub fn clampedMul(p: Curve25519, s: [32]u8) Error!Curve25519 {
var t: [32]u8 = s;
scalar.clamp(&t);
return try ladder(p, t, 255);
@ -95,14 +96,14 @@ pub const Curve25519 = struct {
/// Return error.IdentityElement if the resulting point is
/// the identity element or error.WeakPublicKey if the public
/// key is a low-order point.
pub fn mul(p: Curve25519, s: [32]u8) !Curve25519 {
pub fn mul(p: Curve25519, s: [32]u8) Error!Curve25519 {
const cofactor = [_]u8{8} ++ [_]u8{0} ** 31;
_ = ladder(p, cofactor, 4) catch |_| return error.WeakPublicKey;
return try ladder(p, s, 256);
}
/// Compute the Curve25519 equivalent to an Edwards25519 point.
pub fn fromEdwards25519(p: std.crypto.ecc.Edwards25519) !Curve25519 {
pub fn fromEdwards25519(p: std.crypto.ecc.Edwards25519) Error!Curve25519 {
try p.clearCofactor().rejectIdentity();
const one = std.crypto.ecc.Edwards25519.Fe.one;
const x = one.add(p.y).mul(one.sub(p.y).invert()); // xMont=(1+yEd)/(1-yEd)

23
lib/std/crypto/25519/ed25519.zig
View File

@ -8,7 +8,8 @@ const crypto = std.crypto;
const debug = std.debug;
const fmt = std.fmt;
const mem = std.mem;
const Sha512 = std.crypto.hash.sha2.Sha512;
const Sha512 = crypto.hash.sha2.Sha512;
const Error = crypto.Error;
/// Ed25519 (EdDSA) signatures.
pub const Ed25519 = struct {
@ -40,7 +41,7 @@ pub const Ed25519 = struct {
///
/// For this reason, an EdDSA secret key is commonly called a seed,
/// from which the actual secret is derived.
pub fn create(seed: ?[seed_length]u8) !KeyPair {
pub fn create(seed: ?[seed_length]u8) Error!KeyPair {
const ss = seed orelse ss: {
var random_seed: [seed_length]u8 = undefined;
crypto.random.bytes(&random_seed);
@ -71,7 +72,7 @@ pub const Ed25519 = struct {
/// Sign a message using a key pair, and optional random noise.
/// Having noise creates non-standard, non-deterministic signatures,
/// but has been proven to increase resilience against fault attacks.
pub fn sign(msg: []const u8, key_pair: KeyPair, noise: ?[noise_length]u8) ![signature_length]u8 {
pub fn sign(msg: []const u8, key_pair: KeyPair, noise: ?[noise_length]u8) Error![signature_length]u8 {
const seed = key_pair.secret_key[0..seed_length];
const public_key = key_pair.secret_key[seed_length..];
if (!mem.eql(u8, public_key, &key_pair.public_key)) {
@ -111,8 +112,8 @@ pub const Ed25519 = struct {
}
/// Verify an Ed25519 signature given a message and a public key.
/// Returns error.InvalidSignature is the signature verification failed.
pub fn verify(sig: [signature_length]u8, msg: []const u8, public_key: [public_length]u8) !void {
/// Returns error.SignatureVerificationFailed is the signature verification failed.
pub fn verify(sig: [signature_length]u8, msg: []const u8, public_key: [public_length]u8) Error!void {
const r = sig[0..32];
const s = sig[32..64];
try Curve.scalar.rejectNonCanonical(s.*);
@ -133,7 +134,7 @@ pub const Ed25519 = struct {
const ah = try a.neg().mulPublic(hram);
const sb_ah = (try Curve.basePoint.mulPublic(s.*)).add(ah);
if (expected_r.sub(sb_ah).clearCofactor().rejectIdentity()) |_| {
return error.InvalidSignature;
return error.SignatureVerificationFailed;
} else |_| {}
}
@ -145,7 +146,7 @@ pub const Ed25519 = struct {
};
/// Verify several signatures in a single operation, much faster than verifying signatures one-by-one
pub fn verifyBatch(comptime count: usize, signature_batch: [count]BatchElement) !void {
pub fn verifyBatch(comptime count: usize, signature_batch: [count]BatchElement) Error!void {
var r_batch: [count][32]u8 = undefined;
var s_batch: [count][32]u8 = undefined;
var a_batch: [count]Curve = undefined;
@ -200,7 +201,7 @@ pub const Ed25519 = struct {
const zsb = try Curve.basePoint.mulPublic(zs_sum);
if (zr.add(zah).sub(zsb).rejectIdentity()) |_| {
return error.InvalidSignature;
return error.SignatureVerificationFailed;
} else |_| {}
}
};
@ -223,7 +224,7 @@ test "ed25519 signature" {
var buf: [128]u8 = undefined;
std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{s}", .{std.fmt.fmtSliceHexUpper(&sig)}), "10A442B4A80CC4225B154F43BEF28D2472CA80221951262EB8E0DF9091575E2687CC486E77263C3418C757522D54F84B0359236ABBBD4ACD20DC297FDCA66808");
try Ed25519.verify(sig, "test", key_pair.public_key);
std.testing.expectError(error.InvalidSignature, Ed25519.verify(sig, "TEST", key_pair.public_key));
std.testing.expectError(error.SignatureVerificationFailed, Ed25519.verify(sig, "TEST", key_pair.public_key));
}
test "ed25519 batch verification" {
@ -251,7 +252,7 @@ test "ed25519 batch verification" {
try Ed25519.verifyBatch(2, signature_batch);
signature_batch[1].sig = sig1;
std.testing.expectError(error.InvalidSignature, Ed25519.verifyBatch(signature_batch.len, signature_batch));
std.testing.expectError(error.SignatureVerificationFailed, Ed25519.verifyBatch(signature_batch.len, signature_batch));
}
}
@ -316,7 +317,7 @@ test "ed25519 test vectors" {
.msg_hex = "9bedc267423725d473888631ebf45988bad3db83851ee85c85e241a07d148b41",
.public_key_hex = "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43",
.sig_hex = "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff03be9678ac102edcd92b0210bb34d7428d12ffc5df5f37e359941266a4e35f0f",
.expected = error.InvalidSignature, // 8 - non-canonical R
.expected = error.SignatureVerificationFailed, // 8 - non-canonical R
},
Vec{
.msg_hex = "9bedc267423725d473888631ebf45988bad3db83851ee85c85e241a07d148b41",

21
lib/std/crypto/25519/edwards25519.zig
View File

@ -7,6 +7,7 @@ const std = @import("std");
const debug = std.debug;
const fmt = std.fmt;
const mem = std.mem;
const Error = std.crypto.Error;
/// Group operations over Edwards25519.
pub const Edwards25519 = struct {
@ -25,7 +26,7 @@ pub const Edwards25519 = struct {
is_base: bool = false,
/// Decode an Edwards25519 point from its compressed (Y+sign) coordinates.
pub fn fromBytes(s: [encoded_length]u8) !Edwards25519 {
pub fn fromBytes(s: [encoded_length]u8) Error!Edwards25519 {
const z = Fe.one;
const y = Fe.fromBytes(s);
var u = y.sq();
@ -55,7 +56,7 @@ pub const Edwards25519 = struct {
}
/// Check that the encoding of a point is canonical.
pub fn rejectNonCanonical(s: [32]u8) !void {
pub fn rejectNonCanonical(s: [32]u8) Error!void {
return Fe.rejectNonCanonical(s, true);
}
@ -80,7 +81,7 @@ pub const Edwards25519 = struct {
const identityElement = Edwards25519{ .x = Fe.zero, .y = Fe.one, .z = Fe.one, .t = Fe.zero };
/// Reject the neutral element.
pub fn rejectIdentity(p: Edwards25519) !void {
pub fn rejectIdentity(p: Edwards25519) Error!void {
if (p.x.isZero()) {
return error.IdentityElement;
}
@ -176,7 +177,7 @@ pub const Edwards25519 = struct {
// Based on real-world benchmarks, we only use this for multi-scalar multiplication.
// NAF could be useful to half the size of precomputation tables, but we intentionally
// avoid these to keep the standard library lightweight.
fn pcMul(pc: [9]Edwards25519, s: [32]u8, comptime vartime: bool) !Edwards25519 {
fn pcMul(pc: [9]Edwards25519, s: [32]u8, comptime vartime: bool) Error!Edwards25519 {
std.debug.assert(vartime);
const e = nonAdjacentForm(s);
var q = Edwards25519.identityElement;
@ -196,7 +197,7 @@ pub const Edwards25519 = struct {
}
// Scalar multiplication with a 4-bit window and the first 15 multiples.
fn pcMul16(pc: [16]Edwards25519, s: [32]u8, comptime vartime: bool) !Edwards25519 {
fn pcMul16(pc: [16]Edwards25519, s: [32]u8, comptime vartime: bool) Error!Edwards25519 {
var q = Edwards25519.identityElement;
var pos: usize = 252;
while (true) : (pos -= 4) {
@ -234,7 +235,7 @@ pub const Edwards25519 = struct {
/// Multiply an Edwards25519 point by a scalar without clamping it.
/// Return error.WeakPublicKey if the resulting point is
/// the identity element.
pub fn mul(p: Edwards25519, s: [32]u8) !Edwards25519 {
pub fn mul(p: Edwards25519, s: [32]u8) Error!Edwards25519 {
const pc = if (p.is_base) basePointPc else pc: {
const xpc = precompute(p, 15);
xpc[4].rejectIdentity() catch |_| return error.WeakPublicKey;
@ -245,7 +246,7 @@ pub const Edwards25519 = struct {
/// Multiply an Edwards25519 point by a *PUBLIC* scalar *IN VARIABLE TIME*
/// This can be used for signature verification.
pub fn mulPublic(p: Edwards25519, s: [32]u8) !Edwards25519 {
pub fn mulPublic(p: Edwards25519, s: [32]u8) Error!Edwards25519 {
if (p.is_base) {
return pcMul16(basePointPc, s, true);
} else {
@ -257,7 +258,7 @@ pub const Edwards25519 = struct {
/// Multiscalar multiplication *IN VARIABLE TIME* for public data
/// Computes ps0*ss0 + ps1*ss1 + ps2*ss2... faster than doing many of these operations individually
pub fn mulMulti(comptime count: usize, ps: [count]Edwards25519, ss: [count][32]u8) !Edwards25519 {
pub fn mulMulti(comptime count: usize, ps: [count]Edwards25519, ss: [count][32]u8) Error!Edwards25519 {
var pcs: [count][9]Edwards25519 = undefined;
for (ps) |p, i| {
if (p.is_base) {
@ -296,14 +297,14 @@ pub const Edwards25519 = struct {
/// This is strongly recommended for DH operations.
/// Return error.WeakPublicKey if the resulting point is
/// the identity element.
pub fn clampedMul(p: Edwards25519, s: [32]u8) !Edwards25519 {
pub fn clampedMul(p: Edwards25519, s: [32]u8) Error!Edwards25519 {
var t: [32]u8 = s;
scalar.clamp(&t);
return mul(p, t);
}
// montgomery -- recover y = sqrt(x^3 + A*x^2 + x)
fn xmontToYmont(x: Fe) !Fe {
fn xmontToYmont(x: Fe) Error!Fe {
var x2 = x.sq();
const x3 = x.mul(x2);
x2 = x2.mul32(Fe.edwards25519a_32);

5
lib/std/crypto/25519/field.zig
View File

@ -6,6 +6,7 @@
const std = @import("std");
const readIntLittle = std.mem.readIntLittle;
const writeIntLittle = std.mem.writeIntLittle;
const Error = std.crypto.Error;
pub const Fe = struct {
limbs: [5]u64,
@ -112,7 +113,7 @@ pub const Fe = struct {
}
/// Reject non-canonical encodings of an element, possibly ignoring the top bit
pub fn rejectNonCanonical(s: [32]u8, comptime ignore_extra_bit: bool) !void {
pub fn rejectNonCanonical(s: [32]u8, comptime ignore_extra_bit: bool) Error!void {
var c: u16 = (s[31] & 0x7f) ^ 0x7f;
comptime var i = 30;
inline while (i > 0) : (i -= 1) {
@ -412,7 +413,7 @@ pub const Fe = struct {
}
/// Compute the square root of `x2`, returning `error.NotSquare` if `x2` was not a square
pub fn sqrt(x2: Fe) !Fe {
pub fn sqrt(x2: Fe) Error!Fe {
var x2_copy = x2;
const x = x2.uncheckedSqrt();
const check = x.sq().sub(x2_copy);

9
lib/std/crypto/25519/ristretto255.zig
View File

@ -5,6 +5,7 @@
// and substantial portions of the software.
const std = @import("std");
const fmt = std.fmt;
const Error = std.crypto.Error;
/// Group operations over Edwards25519.
pub const Ristretto255 = struct {
@ -34,7 +35,7 @@ pub const Ristretto255 = struct {
return .{ .ratio_is_square = @boolToInt(has_m_root) | @boolToInt(has_p_root), .root = x.abs() };
}
fn rejectNonCanonical(s: [encoded_length]u8) !void {
fn rejectNonCanonical(s: [encoded_length]u8) Error!void {
if ((s[0] & 1) != 0) {
return error.NonCanonical;
}
@ -42,7 +43,7 @@ pub const Ristretto255 = struct {
}
/// Reject the neutral element.
pub fn rejectIdentity(p: Ristretto255) callconv(.Inline) !void {
pub fn rejectIdentity(p: Ristretto255) callconv(.Inline) Error!void {
return p.p.rejectIdentity();
}
@ -50,7 +51,7 @@ pub const Ristretto255 = struct {
pub const basePoint = Ristretto255{ .p = Curve.basePoint };
/// Decode a Ristretto255 representative.
pub fn fromBytes(s: [encoded_length]u8) !Ristretto255 {
pub fn fromBytes(s: [encoded_length]u8) Error!Ristretto255 {
try rejectNonCanonical(s);
const s_ = Fe.fromBytes(s);
const ss = s_.sq(); // s^2
@ -153,7 +154,7 @@ pub const Ristretto255 = struct {
/// Multiply a Ristretto255 element with a scalar.
/// Return error.WeakPublicKey if the resulting element is
/// the identity element.
pub fn mul(p: Ristretto255, s: [encoded_length]u8) callconv(.Inline) !Ristretto255 {
pub fn mul(p: Ristretto255, s: [encoded_length]u8) callconv(.Inline) Error!Ristretto255 {
return Ristretto255{ .p = try p.p.mul(s) };
}

3
lib/std/crypto/25519/scalar.zig
View File

@ -5,6 +5,7 @@
// and substantial portions of the software.
const std = @import("std");
const mem = std.mem;
const Error = std.crypto.Error;
/// 2^252 + 27742317777372353535851937790883648493
pub const field_size = [32]u8{
@ -18,7 +19,7 @@ pub const CompressedScalar = [32]u8;
pub const zero = [_]u8{0} ** 32;
/// Reject a scalar whose encoding is not canonical.
pub fn rejectNonCanonical(s: [32]u8) !void {
pub fn rejectNonCanonical(s: [32]u8) Error!void {
var c: u8 = 0;
var n: u8 = 1;
var i: usize = 31;

11
lib/std/crypto/25519/x25519.zig
View File

@ -9,6 +9,7 @@ const mem = std.mem;
const fmt = std.fmt;
const Sha512 = crypto.hash.sha2.Sha512;
const Error = crypto.Error;
/// X25519 DH function.
pub const X25519 = struct {
@ -31,7 +32,7 @@ pub const X25519 = struct {
secret_key: [secret_length]u8,
/// Create a new key pair using an optional seed.
pub fn create(seed: ?[seed_length]u8) !KeyPair {
pub fn create(seed: ?[seed_length]u8) Error!KeyPair {
const sk = seed orelse sk: {
var random_seed: [seed_length]u8 = undefined;
crypto.random.bytes(&random_seed);
@ -44,7 +45,7 @@ pub const X25519 = struct {
}
/// Create a key pair from an Ed25519 key pair
pub fn fromEd25519(ed25519_key_pair: crypto.sign.Ed25519.KeyPair) !KeyPair {
pub fn fromEd25519(ed25519_key_pair: crypto.sign.Ed25519.KeyPair) Error!KeyPair {
const seed = ed25519_key_pair.secret_key[0..32];
var az: [Sha512.digest_length]u8 = undefined;
Sha512.hash(seed, &az, .{});
@ -59,13 +60,13 @@ pub const X25519 = struct {
};
/// Compute the public key for a given private key.
pub fn recoverPublicKey(secret_key: [secret_length]u8) ![public_length]u8 {
pub fn recoverPublicKey(secret_key: [secret_length]u8) Error![public_length]u8 {
const q = try Curve.basePoint.clampedMul(secret_key);
return q.toBytes();
}
/// Compute the X25519 equivalent to an Ed25519 public eky.
pub fn publicKeyFromEd25519(ed25519_public_key: [crypto.sign.Ed25519.public_length]u8) ![public_length]u8 {
pub fn publicKeyFromEd25519(ed25519_public_key: [crypto.sign.Ed25519.public_length]u8) Error![public_length]u8 {
const pk_ed = try crypto.ecc.Edwards25519.fromBytes(ed25519_public_key);
const pk = try Curve.fromEdwards25519(pk_ed);
return pk.toBytes();
@ -74,7 +75,7 @@ pub const X25519 = struct {
/// Compute the scalar product of a public key and a secret scalar.
/// Note that the output should not be used as a shared secret without
/// hashing it first.
pub fn scalarmult(secret_key: [secret_length]u8, public_key: [public_length]u8) ![shared_length]u8 {
pub fn scalarmult(secret_key: [secret_length]u8, public_key: [public_length]u8) Error![shared_length]u8 {
const q = try Curve.fromBytes(public_key).clampedMul(secret_key);
return q.toBytes();
}

5
lib/std/crypto/aegis.zig
View File

@ -8,6 +8,7 @@ const std = @import("std");
const mem = std.mem;
const assert = std.debug.assert;
const AesBlock = std.crypto.core.aes.Block;
const Error = std.crypto.Error;
const State128L = struct {
blocks: [8]AesBlock,
@ -136,7 +137,7 @@ pub const Aegis128L = struct {
/// ad: Associated Data
/// npub: public nonce
/// k: private key
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) Error!void {
assert(c.len == m.len);
var state = State128L.init(key, npub);
var src: [32]u8 align(16) = undefined;
@ -298,7 +299,7 @@ pub const Aegis256 = struct {
/// ad: Associated Data
/// npub: public nonce
/// k: private key
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) Error!void {
assert(c.len == m.len);
var state = State256.init(key, npub);
var src: [16]u8 align(16) = undefined;

3
lib/std/crypto/aes_gcm.zig
View File

@ -12,6 +12,7 @@ const debug = std.debug;
const Ghash = std.crypto.onetimeauth.Ghash;
const mem = std.mem;
const modes = crypto.core.modes;
const Error = crypto.Error;
pub const Aes128Gcm = AesGcm(crypto.core.aes.Aes128);
pub const Aes256Gcm = AesGcm(crypto.core.aes.Aes256);
@ -59,7 +60,7 @@ fn AesGcm(comptime Aes: anytype) type {
}
}
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) Error!void {
assert(c.len == m.len);
const aes = Aes.initEnc(key);

3
lib/std/crypto/aes_ocb.zig
View File

@ -10,6 +10,7 @@ const aes = crypto.core.aes;
const assert = std.debug.assert;
const math = std.math;
const mem = std.mem;
const Error = crypto.Error;
pub const Aes128Ocb = AesOcb(aes.Aes128);
pub const Aes256Ocb = AesOcb(aes.Aes256);
@ -178,7 +179,7 @@ fn AesOcb(comptime Aes: anytype) type {
/// ad: Associated Data
/// npub: public nonce
/// k: secret key
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) Error!void {
assert(c.len == m.len);
const aes_enc_ctx = Aes.initEnc(key);

22
lib/std/crypto/bcrypt.zig
View File

@ -11,7 +11,8 @@ const math = std.math;
const mem = std.mem;
const debug = std.debug;
const testing = std.testing;
const utils = std.crypto.utils;
const utils = crypto.utils;
const Error = crypto.Error;
const salt_length: usize = 16;
const salt_str_length: usize = 22;
@ -21,13 +22,6 @@ const ct_length: usize = 24;
/// Length (in bytes) of a password hash
pub const hash_length: usize = 60;
pub const BcryptError = error{
/// The hashed password cannot be decoded.
InvalidEncoding,
/// The hash is not valid for the given password.
InvalidPassword,
};
const State = struct {
sboxes: [4][256]u32 = [4][256]u32{
.{ 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a },
@ -185,7 +179,7 @@ const Codec = struct {
debug.assert(j == b64.len);
}
fn decode(bin: []u8, b64: []const u8) BcryptError!void {
fn decode(bin: []u8, b64: []const u8) Error!void {
var i: usize = 0;
var j: usize = 0;
while (j < bin.len) {
@ -210,7 +204,7 @@ const Codec = struct {
}
};
fn strHashInternal(password: []const u8, rounds_log: u6, salt: [salt_length]u8) BcryptError![hash_length]u8 {
fn strHashInternal(password: []const u8, rounds_log: u6, salt: [salt_length]u8) Error![hash_length]u8 {
var state = State{};
var password_buf: [73]u8 = undefined;
const trimmed_len = math.min(password.len, password_buf.len - 1);
@ -258,14 +252,14 @@ fn strHashInternal(password: []const u8, rounds_log: u6, salt: [salt_length]u8)
/// IMPORTANT: by design, bcrypt silently truncates passwords to 72 bytes.
/// If this is an issue for your application, hash the password first using a function such as SHA-512,
/// and then use the resulting hash as the password parameter for bcrypt.
pub fn strHash(password: []const u8, rounds_log: u6) ![hash_length]u8 {
pub fn strHash(password: []const u8, rounds_log: u6) Error![hash_length]u8 {
var salt: [salt_length]u8 = undefined;
crypto.random.bytes(&salt);
return strHashInternal(password, rounds_log, salt);
}
/// Verify that a previously computed hash is valid for a given password.
pub fn strVerify(h: [hash_length]u8, password: []const u8) BcryptError!void {
pub fn strVerify(h: [hash_length]u8, password: []const u8) Error!void {
if (!mem.eql(u8, "$2", h[0..2])) return error.InvalidEncoding;
if (h[3] != '$' or h[6] != '$') return error.InvalidEncoding;
const rounds_log_str = h[4..][0..2];
@ -275,7 +269,7 @@ pub fn strVerify(h: [hash_length]u8, password: []const u8) BcryptError!void {
const rounds_log = fmt.parseInt(u6, rounds_log_str[0..], 10) catch return error.InvalidEncoding;
const wanted_s = try strHashInternal(password, rounds_log, salt);
if (!mem.eql(u8, wanted_s[0..], h[0..])) {
return error.InvalidPassword;
return error.PasswordVerificationFailed;
}
}
@ -292,7 +286,7 @@ test "bcrypt codec" {
test "bcrypt" {
const s = try strHash("password", 5);
try strVerify(s, "password");
testing.expectError(error.InvalidPassword, strVerify(s, "invalid password"));
testing.expectError(error.PasswordVerificationFailed, strVerify(s, "invalid password"));
const long_s = try strHash("password" ** 100, 5);
try strVerify(long_s, "password" ** 100);

17
lib/std/crypto/chacha20.zig
View File

@ -13,6 +13,7 @@ const testing = std.testing;
const maxInt = math.maxInt;
const Vector = std.meta.Vector;
const Poly1305 = std.crypto.onetimeauth.Poly1305;
const Error = std.crypto.Error;
// Vectorized implementation of the core function
const ChaCha20VecImpl = struct {
@ -656,7 +657,7 @@ fn chacha20poly1305Seal(ciphertextAndTag: []u8, plaintext: []const u8, data: []c
}
/// Verifies and decrypts an authenticated message produced by chacha20poly1305SealDetached.
fn chacha20poly1305OpenDetached(dst: []u8, ciphertext: []const u8, tag: *const [chacha20poly1305_tag_length]u8, data: []const u8, key: [32]u8, nonce: [12]u8) !void {
fn chacha20poly1305OpenDetached(dst: []u8, ciphertext: []const u8, tag: *const [chacha20poly1305_tag_length]u8, data: []const u8, key: [32]u8, nonce: [12]u8) Error!void {
// split ciphertext and tag
assert(dst.len == ciphertext.len);
@ -702,9 +703,9 @@ fn chacha20poly1305OpenDetached(dst: []u8, ciphertext: []const u8, tag: *const [
}
/// Verifies and decrypts an authenticated message produced by chacha20poly1305Seal.
fn chacha20poly1305Open(dst: []u8, ciphertextAndTag: []const u8, data: []const u8, key: [32]u8, nonce: [12]u8) !void {
fn chacha20poly1305Open(dst: []u8, ciphertextAndTag: []const u8, data: []const u8, key: [32]u8, nonce: [12]u8) Error!void {
if (ciphertextAndTag.len < chacha20poly1305_tag_length) {
return error.InvalidMessage;
return error.AuthenticationFailed;
}
const ciphertextLen = ciphertextAndTag.len - chacha20poly1305_tag_length;
return try chacha20poly1305OpenDetached(dst, ciphertextAndTag[0..ciphertextLen], ciphertextAndTag[ciphertextLen..][0..chacha20poly1305_tag_length], data, key, nonce);
@ -740,13 +741,13 @@ fn xchacha20poly1305Seal(ciphertextAndTag: []u8, plaintext: []const u8, data: []
}
/// Verifies and decrypts an authenticated message produced by xchacha20poly1305SealDetached.
fn xchacha20poly1305OpenDetached(plaintext: []u8, ciphertext: []const u8, tag: *const [chacha20poly1305_tag_length]u8, data: []const u8, key: [32]u8, nonce: [24]u8) !void {
fn xchacha20poly1305OpenDetached(plaintext: []u8, ciphertext: []const u8, tag: *const [chacha20poly1305_tag_length]u8, data: []const u8, key: [32]u8, nonce: [24]u8) Error!void {
const extended = extend(key, nonce);
return try chacha20poly1305OpenDetached(plaintext, ciphertext, tag, data, extended.key, extended.nonce);
}
/// Verifies and decrypts an authenticated message produced by xchacha20poly1305Seal.
fn xchacha20poly1305Open(ciphertextAndTag: []u8, msgAndTag: []const u8, data: []const u8, key: [32]u8, nonce: [24]u8) !void {
fn xchacha20poly1305Open(ciphertextAndTag: []u8, msgAndTag: []const u8, data: []const u8, key: [32]u8, nonce: [24]u8) Error!void {
const extended = extend(key, nonce);
return try chacha20poly1305Open(ciphertextAndTag, msgAndTag, data, extended.key, extended.nonce);
}
@ -864,7 +865,7 @@ test "open" {
testing.expectError(error.AuthenticationFailed, chacha20poly1305Open(out[0..], ciphertext[0..], data[0..], key, bad_nonce));
// a short ciphertext should result in a different error
testing.expectError(error.InvalidMessage, chacha20poly1305Open(out[0..], "", data[0..], key, bad_nonce));
testing.expectError(error.AuthenticationFailed, chacha20poly1305Open(out[0..], "", data[0..], key, bad_nonce));
}
}
@ -915,7 +916,7 @@ pub const Chacha20Poly1305 = struct {
/// npub: public nonce
/// k: private key
/// NOTE: the check of the authentication tag is currently not done in constant time
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, k: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, k: [key_length]u8) Error!void {
assert(c.len == m.len);
return try chacha20poly1305OpenDetached(m, c, tag[0..], ad, k, npub);
}
@ -944,7 +945,7 @@ pub const XChacha20Poly1305 = struct {
/// npub: public nonce
/// k: private key
/// NOTE: the check of the authentication tag is currently not done in constant time
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, k: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, k: [key_length]u8) Error!void {
assert(c.len == m.len);
return try xchacha20poly1305OpenDetached(m, c, tag[0..], ad, k, npub);
}

34
lib/std/crypto/error.zig Normal file
View File

@ -0,0 +1,34 @@
pub const Error = error{
/// MAC verification failed - The tag doesn't verify for the given ciphertext and secret key
AuthenticationFailed,
/// The requested output length is too long for the chosen algorithm
OutputTooLong,
/// Finite field operation returned the identity element
IdentityElement,
/// Encoded input cannot be decoded
InvalidEncoding,
/// The signature does't verify for the given message and public key
SignatureVerificationFailed,
/// Both a public and secret key have been provided, but they are incompatible
KeyMismatch,
/// Encoded input is not in canonical form
NonCanonical,
/// Square root has no solutions
NotSquare,
/// Verification string doesn't match the provided password and parameters
PasswordVerificationFailed,
/// Parameters would be insecure to use
WeakParameters,
/// Public key would be insecure to use
WeakPublicKey,
};

5
lib/std/crypto/gimli.zig
View File

@ -20,6 +20,7 @@ const assert = std.debug.assert;
const testing = std.testing;
const htest = @import("test.zig");
const Vector = std.meta.Vector;
const Error = std.crypto.Error;
pub const State = struct {
pub const BLOCKBYTES = 48;
@ -392,7 +393,7 @@ pub const Aead = struct {
/// npub: public nonce
/// k: private key
/// NOTE: the check of the authentication tag is currently not done in constant time
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, k: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, k: [key_length]u8) Error!void {
assert(c.len == m.len);
var state = Aead.init(ad, npub, k);
@ -429,7 +430,7 @@ pub const Aead = struct {
// TODO: use a constant-time equality check here, see https://github.com/ziglang/zig/issues/1776
if (!mem.eql(u8, buf[0..State.RATE], &tag)) {
@memset(m.ptr, undefined, m.len);
return error.InvalidMessage;
return error.AuthenticationFailed;
}
}
};

3
lib/std/crypto/isap.zig
View File

@ -3,6 +3,7 @@ const debug = std.debug;
const mem = std.mem;
const math = std.math;
const testing = std.testing;
const Error = std.crypto.Error;
/// ISAPv2 is an authenticated encryption system hardened against side channels and fault attacks.
/// https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/isap-spec-round2.pdf
@ -217,7 +218,7 @@ pub const IsapA128A = struct {
tag.* = mac(c, ad, npub, key);
}
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) Error!void {
var computed_tag = mac(c, ad, npub, key);
var acc: u8 = 0;
for (computed_tag) |_, j| {

15
lib/std/crypto/pbkdf2.zig
View File

@ -7,6 +7,7 @@
const std = @import("std");
const mem = std.mem;
const maxInt = std.math.maxInt;
const Error = std.crypto.Error;
// RFC 2898 Section 5.2
//
@ -36,14 +37,6 @@ const maxInt = std.math.maxInt;
// Based on Apple's CommonKeyDerivation, based originally on code by Damien Bergamini.
pub const Pbkdf2Error = error{
/// At least one round is required
TooFewRounds,
/// Maximum length of the derived key is `maxInt(u32) * Prf.mac_length`
DerivedKeyTooLong,
};
/// Apply PBKDF2 to generate a key from a password.
///
/// PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132.
@ -62,8 +55,8 @@ pub const Pbkdf2Error = error{
/// the derivedKey. It is common to tune this parameter to achieve approximately 100ms.
///
/// Prf: Pseudo-random function to use. A common choice is `std.crypto.auth.hmac.HmacSha256`.
pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) Pbkdf2Error!void {
if (rounds < 1) return error.TooFewRounds;
pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) Error!void {
if (rounds < 1) return error.WeakParameters;
const dkLen = derivedKey.len;
const hLen = Prf.mac_length;
@ -76,7 +69,7 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds:
//
if (comptime (maxInt(usize) > maxInt(u32) * hLen) and (dkLen > @as(usize, maxInt(u32) * hLen))) {
// If maxInt(usize) is less than `maxInt(u32) * hLen` then dkLen is always inbounds
return error.DerivedKeyTooLong;
return error.OutputTooLong;
}
// FromSpec:

15
lib/std/crypto/salsa20.zig
View File

@ -15,6 +15,7 @@ const Vector = std.meta.Vector;
const Poly1305 = crypto.onetimeauth.Poly1305;
const Blake2b = crypto.hash.blake2.Blake2b;
const X25519 = crypto.dh.X25519;
const Error = crypto.Error;
const Salsa20VecImpl = struct {
const Lane = Vector(4, u32);
@ -398,7 +399,7 @@ pub const XSalsa20Poly1305 = struct {
/// ad: Associated Data
/// npub: public nonce
/// k: private key
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, k: [key_length]u8) !void {
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, k: [key_length]u8) Error!void {
debug.assert(c.len == m.len);
const extended = extend(k, npub);
var block0 = [_]u8{0} ** 64;
@ -446,7 +447,7 @@ pub const SecretBox = struct {
/// Verify and decrypt `c` using a nonce `npub` and a key `k`.
/// `m` must be exactly `tag_length` smaller than `c`, as `c` includes an authentication tag in addition to the encrypted message.
pub fn open(m: []u8, c: []const u8, npub: [nonce_length]u8, k: [key_length]u8) !void {
pub fn open(m: []u8, c: []const u8, npub: [nonce_length]u8, k: [key_length]u8) Error!void {
if (c.len < tag_length) {
return error.AuthenticationFailed;
}
@ -481,20 +482,20 @@ pub const Box = struct {
pub const KeyPair = X25519.KeyPair;
/// Compute a secret suitable for `secretbox` given a recipent's public key and a sender's secret key.
pub fn createSharedSecret(public_key: [public_length]u8, secret_key: [secret_length]u8) ![shared_length]u8 {
pub fn createSharedSecret(public_key: [public_length]u8, secret_key: [secret_length]u8) Error![shared_length]u8 {
const p = try X25519.scalarmult(secret_key, public_key);
const zero = [_]u8{0} ** 16;
return Salsa20Impl.hsalsa20(zero, p);
}
/// Encrypt and authenticate a message using a recipient's public key `public_key` and a sender's `secret_key`.
pub fn seal(c: []u8, m: []const u8, npub: [nonce_length]u8, public_key: [public_length]u8, secret_key: [secret_length]u8) !void {
pub fn seal(c: []u8, m: []const u8, npub: [nonce_length]u8, public_key: [public_length]u8, secret_key: [secret_length]u8) Error!void {
const shared_key = try createSharedSecret(public_key, secret_key);
return SecretBox.seal(c, m, npub, shared_key);
}
/// Verify and decrypt a message using a recipient's secret key `public_key` and a sender's `public_key`.
pub fn open(m: []u8, c: []const u8, npub: [nonce_length]u8, public_key: [public_length]u8, secret_key: [secret_length]u8) !void {
pub fn open(m: []u8, c: []const u8, npub: [nonce_length]u8, public_key: [public_length]u8, secret_key: [secret_length]u8) Error!void {
const shared_key = try createSharedSecret(public_key, secret_key);
return SecretBox.open(m, c, npub, shared_key);
}
@ -527,7 +528,7 @@ pub const SealedBox = struct {
/// Encrypt a message `m` for a recipient whose public key is `public_key`.
/// `c` must be `seal_length` bytes larger than `m`, so that the required metadata can be added.
pub fn seal(c: []u8, m: []const u8, public_key: [public_length]u8) !void {
pub fn seal(c: []u8, m: []const u8, public_key: [public_length]u8) Error!void {
debug.assert(c.len == m.len + seal_length);
var ekp = try KeyPair.create(null);
const nonce = createNonce(ekp.public_key, public_key);
@ -538,7 +539,7 @@ pub const SealedBox = struct {
/// Decrypt a message using a key pair.
/// `m` must be exactly `seal_length` bytes smaller than `c`, as `c` also includes metadata.
pub fn open(m: []u8, c: []const u8, keypair: KeyPair) !void {
pub fn open(m: []u8, c: []const u8, keypair: KeyPair) Error!void {
if (c.len < seal_length) {
return error.AuthenticationFailed;
}