Commit Graph

583 Commits

Author SHA1 Message Date
Frank Denis
c062c532d7 Add post-quantum key agreement X25519MLKEM768
X25519MLKEM768 replaces X25519Kyber768Draft00 now that NIST has
released ML-KEM.

IANA has assigned the codepoint 0x11ec:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
2024-09-24 13:18:32 -07:00
Linus Groh
8588964972 Replace deprecated default initializations with decl literals 2024-09-12 16:01:23 +01:00
Alex Rønne Petersen
9bcb0e938c
std.crypto.ml_kem: Reduce test iteration counts from 100 to 10. (#21285)
Closes #21255.
2024-09-02 23:20:48 +00:00
mlugg
4330c40596
std: avoid field/decl name conflicts
Most of these changes seem like improvements. The PDB thing had a TODO
saying it used to crash; I anticipate it works now, we'll see what CI
does.

The `std.os.uefi` field renames are a notable breaking change.
2024-08-29 20:39:11 +01:00
mlugg
0fe3fd01dd
std: update std.builtin.Type fields to follow naming conventions
The compiler actually doesn't need any functional changes for this: Sema
does reification based on the tag indices of `std.builtin.Type` already!
So, no zig1.wasm update is necessary.

This change is necessary to disallow name clashes between fields and
decls on a type, which is a prerequisite of #9938.
2024-08-28 08:39:59 +01:00
Frank Denis
b131b6dd36 Rename the namespace for ml_kem variants of Kyber to nist 2024-08-22 07:54:12 +02:00
Frank Denis
067ae04e0b Update ML-KEM to the final specification
NIST has published the final specification of ML-KEM, which adds
domain separation to the seed used to create the inner secret key.
2024-08-22 01:00:12 +02:00
mlugg
018262d537
std: update eval branch quotas after bdbc485
Also, update `std.math.Log2Int[Ceil]` to more efficient implementations
that don't use up so much damn quota!
2024-08-21 01:30:46 +01:00
mlugg
9cf8a7661f
compiler: handle eval branch quota in memoized calls
In a `memoized_call`, store how many backwards braches the call
performs. Add this to `sema.branch_count` when using a memoized call. If
this exceeds the quota, perform a non-memoized call to get a correct
"exceeded X backwards branches" error.

Also, do not memoize calls which do `@setEvalBranchQuota` or similar, as
this affects global state which must apply to the caller.

Change some eval branch quotas so that the compiler itself still builds correctly.

This commit manually changes a file in Aro which is automatically
generated. The sources which generate the file are not in this repo.
Upstream Aro should make the suitable changes on their end before the
next sync of Aro sources into the Zig repo.
2024-08-21 01:26:55 +01:00
Andrew Kelley
54151428e5 std.crypto: better names for everything in utils
std.crypto has quite a few instances of breaking naming conventions.
This is the beginning of an effort to address that.

Deprecates `std.crypto.utils`.
2024-08-09 19:47:06 -07:00
Jakub Dóka
a6486492be
std.crypto.ecdsa: use separate function for null seed (#20953)
Due to the `std.crypto.ecdsa.KeyPair.create` taking and optional of seed, even if the seed is generated, cross-compiling to the environments without standard random source (eg. wasm) (`std.crypto.random.bytes`) will fail to compile.

This commit changes the API of the problematic function and moves the random seed generation to a new utility function.
2024-08-07 01:06:15 -07:00
Andrew Kelley
a7029496d1 remove hard tabs from source code
these are illegal according to the spec
2024-07-31 16:57:42 -07:00
Frank Denis
2e8acdf6fa
Fix compilation issues in crypto.bccrypt and poly1305 (#20756) 2024-07-23 19:45:24 +00:00
Frank Denis
d2c9a51d1e
Fix function definition: ChaCha20With64BitNonce counter is u64 (#20734)
Fixes #20732
2024-07-22 23:04:32 +00:00
Igor Anić
aa73bb6bc9
tls.Client: implement record padding (#20558)
On decryption tls client should remove zero byte padding after the
content type field. This padding is rarely used, the only site (from the
list of top domains) that I found using it is `tutanota.com`.

From [RFC](https://datatracker.ietf.org/doc/html/rfc8446#section-5.4):
> All encrypted TLS records can be padded.
> Padding is a string of zero-valued bytes appended to the ContentType
field before encryption.
> the receiving implementation scans the field from the end toward the
beginning until it finds a non-zero octet. This non-zero octet is the
content type of the message.

Currently we can't connect to that site:
```
$ zig run main.zig -- tutanota.com
error: TlsInitializationFailed
/usr/local/zig/zig-linux-x86_64-0.14.0-dev.208+854e86c56/lib/std/crypto/tls/Client.zig:476:45: 0x121fbed in init__anon_10331 (http_get_std)
                if (inner_ct != .handshake) return error.TlsUnexpectedMessage;
                                            ^
/usr/local/zig/zig-linux-x86_64-0.14.0-dev.208+854e86c56/lib/std/http/Client.zig:1357:99: 0x1161f0b in connectTcp (http_get_std)
        conn.data.tls_client.* = std.crypto.tls.Client.init(stream, client.ca_bundle, host) catch return error.TlsInitializationFailed;
                                                                                                  ^
/usr/local/zig/zig-linux-x86_64-0.14.0-dev.208+854e86c56/lib/std/http/Client.zig:1492:14: 0x11271e1 in connect (http_get_std)
    } orelse return client.connectTcp(host, port, protocol);
             ^
/usr/local/zig/zig-linux-x86_64-0.14.0-dev.208+854e86c56/lib/std/http/Client.zig:1640:9: 0x111a24e in open (http_get_std)
        try client.connect(valid_uri.host.?.raw, uriPort(valid_uri, protocol), protocol);
        ^
/home/ianic/Code/tls.zig/example/http_get_std.zig:28:19: 0x1118f8c in main (http_get_std)
        var req = try client.open(.GET, uri, .{ .server_header_buffer = &server_header_buffer });
                  ^
```
using this example:

```zig
const std = @import("std");

pub fn main() !void {
    var gpa = std.heap.GeneralPurposeAllocator(.{}){};
    const allocator = gpa.allocator();

    const args = try std.process.argsAlloc(allocator);
    defer std.process.argsFree(allocator, args);

    if (args.len > 1) {
        const domain = args[1];

        var client: std.http.Client = .{ .allocator = allocator };
        defer client.deinit();

        // Add https:// prefix if needed
        const url = brk: {
            const scheme = "https://";
            if (domain.len >= scheme.len and std.mem.eql(u8, domain[0..scheme.len], scheme))
                break :brk domain;

            var url_buf: [128]u8 = undefined;
            break :brk try std.fmt.bufPrint(&url_buf, "https://{s}", .{domain});
        };

        const uri = try std.Uri.parse(url);
        var server_header_buffer: [16 * 1024]u8 = undefined;
        var req = try client.open(.GET, uri, .{ .server_header_buffer = &server_header_buffer });
        defer req.deinit();

        try req.send();
        try req.wait();
    }
}
```
2024-07-21 01:19:36 -07:00
Andrew Kelley
e8c4e79499 std.c reorganization
It is now composed of these main sections:
* Declarations that are shared among all operating systems.
* Declarations that have the same name, but different type signatures
  depending on the operating system. Often multiple operating systems
  share the same type signatures however.
* Declarations that are specific to a single operating system.
  - These are imported one per line so you can see where they come from,
    protected by a comptime block to prevent accessing the wrong one.

Closes #19352 by changing the convention to making types `void` and
functions `{}`, so that it becomes possible to update `@hasDecl` sites
to use `@TypeOf(f) != void` or `T != void`. Happily, this ended up
removing some duplicate logic and update some bitrotted feature
detection checks.

A handful of types have been modified to gain namespacing and type
safety. This is a breaking change.

Oh, and the last usage of `usingnamespace` site is eliminated.
2024-07-19 00:30:32 -07:00
Lucas Santos
89942ebd03
Better implementation of GetLastError. (#20623)
Instead of calling the dynamically loaded kernel32.GetLastError, we can extract it from the TEB.
As shown by [Wine](34b1606019/include/winternl.h (L439)), the last error lives at offset 0x34 of the TEB in 32-bit Windows and at offset 0x68 in 64-bit Windows.
2024-07-15 10:49:51 -07:00
bing
464537db62
std.crypto.ff: fix typo in montgomery boolean documentation (#20624) 2024-07-14 15:34:02 +02:00
Igor Anić
ca752c61c0 tls.Client: fix out of bounds panic
When calculating how much ciphertext from the stream can fit into
user and internal buffers we should also take into account ciphertext
data which are already in internal buffer.

Fixes: 15226

Tested with
[this](https://github.com/ziglang/zig/issues/15226#issuecomment-2218809140).
Using client with different read buffers until I, hopefully, understood
what is happening.

Not relevant to this fix, but this
[part](95d9292a7a/lib/std/crypto/tls/Client.zig (L988-L991))
is still mystery to me. Why we don't use free_size in buf_cap
calculation. Seems like rudiment from previous implementation without iovec.
2024-07-12 03:07:15 -04:00
Jora Troosh
13070448f5
std: fix typos (#20560) 2024-07-09 14:25:42 -07:00
Igor Anić
c1e7eb7389 crypto.Certificate: case insensitive host name check
This makes comparing host name with dns name from certificate case
insensitive.

I found a few domains (from the
[cloudflare](https://radar.cloudflare.com/domains) list of top domains)
for which tls.Client fails to connect. Error is:

```zig
error: TlsInitializationFailed
Code/zig/lib/std/crypto/Certificate.zig:336:9: 0x1177b1f in verifyHostName (http_get_std)
        return error.CertificateHostMismatch;
Code/zig/lib/std/crypto/tls23/handshake_client.zig:461:25: 0x11752bd in parseServerCertificate (http_get_std)
                        try subject.verifyHostName(opt.host);
```
In its certificate this domains have host names which are not strictly
lower case. This is what checkHostName is comparing:

 |host_name            |  dns_name                |
 |------------------------------------------------|
 |ey.com               | EY.COM                   |
 |truist.com           | Truist.com               |
 |wscampanhas.bradesco | WSCAMPANHAS.BRADESCO     |
 |dell.com             | Dell.com                 |

From
[RFC2818](https://datatracker.ietf.org/doc/html/rfc2818#section-2.4):
>  Matching is performed using the matching rules specified by
   [RFC2459].
From [RFC2459](https://datatracker.ietf.org/doc/html/rfc2459#section-4.2.1.7):
> When comparing URIs, conforming implementations
> MUST compare the scheme and host without regard to case, but assume
> the remainder of the scheme-specific-part is case sensitive.

Testing with:

```
const std = @import("std");

pub fn main() !void {
    var gpa = std.heap.GeneralPurposeAllocator(.{}){};
    const allocator = gpa.allocator();

    const args = try std.process.argsAlloc(allocator);
    defer std.process.argsFree(allocator, args);

    if (args.len > 1) {
        const domain = args[1];

        var client: std.http.Client = .{ .allocator = allocator };
        defer client.deinit();

        // Add https:// prefix if needed
        const url = brk: {
            const scheme = "https://";
            if (domain.len >= scheme.len and std.mem.eql(u8, domain[0..scheme.len], scheme))
                break :brk domain;

            var url_buf: [128]u8 = undefined;
            break :brk try std.fmt.bufPrint(&url_buf, "https://{s}", .{domain});
        };

        const uri = try std.Uri.parse(url);
        var server_header_buffer: [16 * 1024]u8 = undefined;
        var req = try client.open(.GET, uri, .{ .server_header_buffer = &server_header_buffer });
        defer req.deinit();

        try req.send();
        try req.wait();
    }
}
```
`$ zig run example/main.zig -- truist.com `
2024-07-09 16:35:41 -04:00
Shun Sakai
8f20e81b88
std.crypto.pwhash: Add recommended parameters (#20527)
These parameters according to the OWASP cheat sheet.
2024-07-07 20:18:33 +00:00
Frank Denis
f3655fd07d
std.crypto.chacha: fix typo in XChaChaIETF.stream() (#20399)
Thanks to @r4gus for reporting this.

Fixes #20398
2024-06-23 13:20:18 +00:00
Frank Denis
332fbb4b02
crypto.edwards25519: add the ability to check for group membership (#20175)
Most of the functions related to points on the Edwards25519 curve
check that input points are not in a small-order subgroup.

They don't check that points are on the prime-order subgroup,
because this is expensive, and not always necessary.

However, applications may require such a check in order to
ensure that a public key is valid, and that a secret key counterpart
exists.

Many functions in the public API of libsodium related to arithmetic
over Edwards25519 also do that check unconditionally. This is
expensive, but a good way to catch bugs in protocols and
implementations.

So, add a `rejectUnexpectedSubgroup()` function to achieve this.

The documentation on the edwards25519->curve25519 conversion
function was also updated, in order to explain how to match
libsodium's behavior if necessary.

We use an addition chain to multiply the point by the order of
the prime group.

An alternative we may implement later is Pornin's point halving
technique: https://eprint.iacr.org/2022/1164.pdf
2024-06-04 10:11:05 +02:00
Frank Denis
993885c040
sha3.keccak: allow Keccak[f=200] (#20181)
We support Keccak[f=200] just fine, so allow it.
2024-06-04 10:10:46 +02:00
Jakub Konka
2e1fc0dd14 handle visionos target OS tag in the compiler
* rename .xros to .visionos as agreed in the tracking issue
* add support for VisionOS platform in the MachO linker
2024-05-09 15:04:15 +02:00
Ryan Liptak
a52f12afc9 Delete compile errors for deprecated decls 2024-05-03 13:27:30 -07:00
clickingbuttons
8a36a1f913
std.crypto.hash.sha2: cleanup add add more docs (#19744)
* std.crypto.hash.sha2: generalize sha512 truncation

Replace `Sha512224`, `Sha512256`, and `Sha512T224` with
`fn Sha512Truncated(digest_bits: comptime_int)`.

This required refactoring `Sha2x64(comptime params)` to
`Sha2x64(comptime iv: [8]u64, digest_bits: comptime_int)`
for user-specified `digest_bits`.

I left #19697 alone but added a compile-time check that digest_bits is
divisible by 8.

Remove docs which restate type name. Add module docs and reference where
IVs come from.

* std.crypto.sha2: make Sha512_224 and Sha512_256 pub

* make generic type implementation detail, add comments

* fix iv

* address @jedisct1 feedback

* fix typo

* renaming

* add truncation clarifying comment and Sha259T192 tests
2024-04-28 22:22:09 +02:00
Nameless
aecd9cc6d1 std.posix.iovec: use .base and .len instead of .iov_base and .iov_len 2024-04-28 00:20:30 -07:00
clickingbuttons
7cf3167e98
std.crypto: make ff.ct_unprotected.limbsCmpLt compile (#19741)
* std.crypto: make ff.ct_unprotected.limbsCmpLt compile

* std.crypto: add ff.ct test

* fix testCt to work on x86

* disable test on stage2-c

---------

Co-authored-by: Frank Denis <124872+jedisct1@users.noreply.github.com>
2024-04-23 20:29:36 +00:00
Travis Staloch
8af59d1f98 ComptimeStringMap: return a regular struct and optimize
this patch renames ComptimeStringMap to StaticStringMap, makes it
accept only a single type parameter, and return a known struct type
instead of an anonymous struct.  initial motivation for these changes
was to reduce the 'very long type names' issue described here
https://github.com/ziglang/zig/pull/19682.

this breaks the previous API.  users will now need to write:
`const map = std.StaticStringMap(T).initComptime(kvs_list);`

* move `kvs_list` param from type param to an `initComptime()` param
* new public methods
  * `keys()`, `values()` helpers
  * `init(allocator)`, `deinit(allocator)` for runtime data
  * `getLongestPrefix(str)`, `getLongestPrefixIndex(str)` - i'm not sure
     these belong but have left in for now incase they are deemed useful
* performance notes:
  * i posted some benchmarking results here:
    https://github.com/travisstaloch/comptime-string-map-revised/issues/1
  * i noticed a speedup reducing the size of the struct from 48 to 32
    bytes and thus use u32s instead of usize for all length fields
  * i noticed speedup storing KVs as a struct of arrays
  * latest benchmark shows these wall_time improvements for
    debug/safe/small/fast builds: -6.6% / -10.2% / -19.1% / -8.9%. full
    output in link above.
2024-04-22 15:31:41 -07:00
Frank Denis
d8764ec770 Rename der_encoded_max_length to der_encoded_length_max
The `length_min`/`length_max` convention is used everywhere else in
`std.crypto.*` so be consistent.
2024-04-20 16:27:56 -07:00
Meghan Denny
f03829a2da
define std.crypto.sha2.Sha512224 (#19697)
* define std.crypto.sha2.Sha512224

* rename blunder

* add sha512-224 and sha512-256 tests

* fix Sha2x64 for variations that aren't a multiple of 64 bits
2024-04-19 14:50:46 +00:00
Frank Denis
e45bdc6bd6
std.crypto.pcurves.*: simpler, smaller, faster u64 addition with carry (#19644)
signature/s:

Algorithm        Before     After
---------------+---------+-------
ecdsa-p256        3707       4396
ecdsa-p384        1067       1332
ecdsa-secp256k1   4490       5147

Add ECDSA to the benchmark by the way.
2024-04-14 01:13:22 +02:00
Andrew Kelley
fc17402919
std.crypto.Certificate: support 3072 bits RSA certificate (#19591)
Used by musicbrainz.org API.
2024-04-09 12:16:45 -07:00
Frank Denis
9d27f34d04
crypto.sha3: implement constructions from NIST SP 800-185 (#19533)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf

This adds useful standard SHA3-based constructions from the
NIST SP 800-185 document:

- cSHAKE: similar to the SHAKE extensible hash function, but
with the addition of a context parameter.
- KMAC: SHAKE-based authentication / keyed XOF
- TupleHash: unambiguous hashing of tuples

These are required by recent protocols and specifications.

They also offer properties that none of the currently available
constructions in the stdlib offer, especially the ability to safely
hash tuples.

Other keyed hash functions/XOFs will fall back to using HMAC, which
is suboptimal from a performance perspective, but fine from a
security perspective.
2024-04-09 12:16:19 -07:00
regeliv
13a9d94a80 Change std.os.exit to std.process.exit 2024-03-22 15:01:02 +02:00
Andrew Kelley
12191c8a22 std: promote tests to doctests
Now these show up as "example usage" in generated documentation.
2024-03-21 14:11:46 -07:00
Andrew Kelley
cd62005f19 extract std.posix from std.os
closes #5019
2024-03-19 11:45:09 -07:00
Frank Denis
153ba46a5b
{aegis,aes_gcm}: fix overflow with large inputs on 32-bit systems (#19270)
These systems write the number of *bits* of their inputs as a u64.

However if `@sizeOf(usize) == 4`, an input message or associated data
whose size is > 512 MiB could overflow.

On 64-bit systems, it is safe to assume that no machine has more than
2 EiB of memory.
2024-03-12 22:56:28 +00:00
Frank Denis
b8920bceb7
ml_kem.zig: inLen -> in_len (#19269)
Don't use camelCase for variable names, especially just for that one.
2024-03-12 19:52:06 +00:00
Andrew Kelley
cb4e087fda
Merge pull request #19239 from jedisct1/ml-kem
std.crypto: add support for ML-KEM
2024-03-11 18:48:08 -07:00
Frank Denis
eaca8626b2
std.crypto.pcurves fixes (#19245)
Fixes compilation errors in functions that are syntaxic sugar
to operate on serialized scalars.

Also make it explicit that square roots in fields whose size is
not congruent to 3 modulo 4 are not an error, they are just
not implemented yet.

Reported by @vitalonodo - Thanks!
2024-03-11 09:00:15 +01:00
Frank Denis
2dba5eaa64 Fix typo in an old comment, and avoid useless hash 2024-03-10 19:54:38 +01:00
Frank Denis
1ca3a48b87 std.crypto: add support for ML-KEM
ML-KEM is the Kyber post-quantum secure key encapsulation mechanism,
as being standardized by NIST.

Too bad, they decided to rename it; the "Kyber" name was so much
better!

This implements the current draft (NIST FIPS-203), which is already
being deployed even though the specification is not finalized.
2024-03-10 15:48:38 +01:00
Ryan Liptak
16b3d1004e Remove redundant test name prefixes now that test names are fully qualified
Follow up to #19079, which made test names fully qualified.

This fixes tests that now-redundant information in their test names. For example here's a fully qualified test name before the changes in this commit:

"priority_queue.test.std.PriorityQueue: shrinkAndFree"

and the same test's name after the changes in this commit:

"priority_queue.test.shrinkAndFree"
2024-02-26 15:18:31 -08:00
Jacob Young
4fcc750ba5 x86_64: implement more shuffles 2024-02-25 11:22:10 +01:00
Jacob Young
2fdc9e6ae8 x86_64: implement @shuffle 2024-02-25 11:22:10 +01:00
Jacob Young
ab6f9e3d10 x86_64: fix incorrect mnemonic selection 2024-02-25 11:22:10 +01:00
Jacob Young
d894727873 x86_64: implement @byteSwap of big integers 2024-02-12 05:25:07 +01:00