mirrors/zig
1
0
Fork 0
mirror of https://codeberg.org/ziglang/zig.git synced 2025-12-06 13:54:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
34167 commits 46 branches 24 tags 576 MiB
Commit graph

31 commits

Author SHA1 Message Date
Andrew Kelley
e7b18a7ce6 std.crypto: remove inline from most functions 
To quote the language reference,

It is generally better to let the compiler decide when to inline a
function, except for these scenarios:

* To change how many stack frames are in the call stack, for debugging
  purposes.
* To force comptime-ness of the arguments to propagate to the return
  value of the function, as in the above example.
* Real world performance measurements demand it. Don't guess!

Note that inline actually restricts what the compiler is allowed to do.
This can harm binary size, compilation speed, and even runtime
performance.

`zig run lib/std/crypto/benchmark.zig -OReleaseFast`
[-before-] vs {+after+}

              md5:        [-990-]        {+998+} MiB/s
             sha1:       [-1144-]       {+1140+} MiB/s
           sha256:       [-2267-]       {+2275+} MiB/s
           sha512:        [-762-]        {+767+} MiB/s
         sha3-256:        [-680-]        {+683+} MiB/s
         sha3-512:        [-362-]        {+363+} MiB/s
        shake-128:        [-835-]        {+839+} MiB/s
        shake-256:        [-680-]        {+681+} MiB/s
   turboshake-128:       [-1567-]       {+1570+} MiB/s
   turboshake-256:       [-1276-]       {+1282+} MiB/s
          blake2s:        [-778-]        {+789+} MiB/s
          blake2b:       [-1071-]       {+1086+} MiB/s
           blake3:       [-1148-]       {+1137+} MiB/s
            ghash:      [-10044-]      {+10033+} MiB/s
          polyval:       [-9726-]      {+10033+} MiB/s
         poly1305:       [-2486-]       {+2703+} MiB/s
         hmac-md5:        [-991-]        {+998+} MiB/s
        hmac-sha1:       [-1134-]       {+1137+} MiB/s
      hmac-sha256:       [-2265-]       {+2288+} MiB/s
      hmac-sha512:        [-765-]        {+764+} MiB/s
      siphash-2-4:       [-4410-]       {+4438+} MiB/s
      siphash-1-3:       [-7144-]       {+7225+} MiB/s
   siphash128-2-4:       [-4397-]       {+4449+} MiB/s
   siphash128-1-3:       [-7281-]       {+7374+} MiB/s
  aegis-128x4 mac:      [-73385-]      {+74523+} MiB/s
  aegis-256x4 mac:      [-30160-]      {+30539+} MiB/s
  aegis-128x2 mac:      [-66662-]      {+67267+} MiB/s
  aegis-256x2 mac:      [-16812-]      {+16806+} MiB/s
   aegis-128l mac:      [-33876-]      {+34055+} MiB/s
    aegis-256 mac:       [-8993-]       {+9087+} MiB/s
         aes-cmac:       2036 MiB/s
           x25519:      [-20670-]      {+16844+} exchanges/s
          ed25519:      [-29763-]      {+29576+} signatures/s
       ecdsa-p256:       [-4762-]       {+4900+} signatures/s
       ecdsa-p384:       [-1465-]       {+1500+} signatures/s
  ecdsa-secp256k1:       [-5643-]       {+5769+} signatures/s
          ed25519:      [-21926-]      {+21721+} verifications/s
          ed25519:      [-51200-]      {+50880+} verifications/s (batch)
 chacha20Poly1305:       [-1189-]       {+1109+} MiB/s
xchacha20Poly1305:       [-1196-]       {+1107+} MiB/s
 xchacha8Poly1305:       [-1466-]       {+1555+} MiB/s
 xsalsa20Poly1305:        [-660-]        {+620+} MiB/s
      aegis-128x4:      [-76389-]      {+78181+} MiB/s
      aegis-128x2:      [-53946-]      {+53495+} MiB/s
       aegis-128l:      [-27219-]      {+25621+} MiB/s
      aegis-256x4:      [-49351-]      {+49542+} MiB/s
      aegis-256x2:      [-32390-]      {+32366+} MiB/s
        aegis-256:       [-8881-]       {+8944+} MiB/s
       aes128-gcm:       [-6095-]       {+6205+} MiB/s
       aes256-gcm:       [-5306-]       {+5427+} MiB/s
       aes128-ocb:       [-8529-]      {+13974+} MiB/s
       aes256-ocb:       [-7241-]       {+9442+} MiB/s
        isapa128a:        [-204-]        {+214+} MiB/s
    aes128-single:  [-133857882-]  {+134170944+} ops/s
    aes256-single:   [-96306962-]   {+96408639+} ops/s
         aes128-8: [-1083210101-] {+1073727253+} ops/s
         aes256-8:  [-762042466-]  {+767091778+} ops/s
           bcrypt:      0.009 s/ops
           scrypt:      [-0.018-]      {+0.017+} s/ops
           argon2:      [-0.037-]      {+0.060+} s/ops
      kyber512d00:     [-206057-]     {+205779+} encaps/s
      kyber768d00:     [-156074-]     {+150711+} encaps/s
     kyber1024d00:     [-116626-]     {+115469+} encaps/s
      kyber512d00:     [-181149-]     {+182046+} decaps/s
      kyber768d00:     [-136965-]     {+135676+} decaps/s
     kyber1024d00:     [-101307-]     {+100643+} decaps/s
      kyber512d00:     [-123624-]     {+123375+} keygen/s
      kyber768d00:      [-69465-]      {+70828+} keygen/s
     kyber1024d00:      [-43117-]      {+43208+} keygen/s
 2025-07-13 18:26:13 +02:00
Jacob Young
a4e88abf04 std.crypto.tls: advertise all supported signature algorithms 2024-11-07 20:25:26 -05:00
Jacob Young
90a761c186 std.crypto.tls: make verify data checks timing safe 2024-11-07 20:25:26 -05:00
Jacob Young
7afb277725 std.crypto.tls: fix x25519_ml_kem768 key share 
This is mostly nfc cleanup as I was bisecting the client hello to find
the problematic part, and the only bug fix ended up being

    key_share.x25519_kp.public_key ++
    key_share.ml_kem768_kp.public_key.toBytes()

to

    key_share.ml_kem768_kp.public_key.toBytes() ++
    key_share.x25519_kp.public_key)

and the same swap in `KeyShare.exchange` as per some random blog that
says "a hybrid keyshare, constructed by concatenating the public KEM key
with the public X25519 key".  I also note that based on the same blog
post, there was a draft version of this method that indeed had these
values swapped, and that used to be supported by this code, but it was
not properly fixed up when this code was updated from the draft spec.

Closes #21747
 2024-11-07 20:25:26 -05:00
Jacob Young
c2a779ae79 std.crypto.tls: implement TLSv1.2 2024-11-07 20:25:26 -05:00
Frank Denis
c062c532d7 Add post-quantum key agreement X25519MLKEM768 
X25519MLKEM768 replaces X25519Kyber768Draft00 now that NIST has
released ML-KEM.

IANA has assigned the codepoint 0x11ec:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
 2024-09-24 13:18:32 -07:00
mlugg
0fe3fd01dd
std: update std.builtin.Type fields to follow naming conventions 
The compiler actually doesn't need any functional changes for this: Sema
does reification based on the tag indices of `std.builtin.Type` already!
So, no zig1.wasm update is necessary.

This change is necessary to disallow name clashes between fields and
decls on a type, which is a prerequisite of #9938.
 2024-08-28 08:39:59 +01:00
Jora Troosh
13070448f5
std: fix typos (#20560) 2024-07-09 14:25:42 -07:00
melonedo
9b0da5ccef Fix TLS record overflow by limiting inner record length to 2^14 
Per last paragraph of RFC 8446, Section 5.2, the length of the inner content of an encrypted record must not exceed 2^14 + 1, while that of the whole encrypted record must not exceed 2^14 + 256.
 2024-01-16 14:58:56 -08:00
Frank Denis
9831dc9e0c TLS: The 0x1306 TLS identifier was updated to TLS_AEGIS_256_SHA512 
Following the recommendations from [1], the AEGIS specification
and the TLS registry [2] were updated to recommend SHA512 for the
traffic secrets.

[1] https://eprint.iacr.org/2023/913.pdf
[2] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
 2023-12-01 18:00:15 +01:00
Andrew Kelley
3fc6fc6812 std.builtin.Endian: make the tags lower case 
Let's take this breaking change opportunity to fix the style of this
enum.
 2023-10-31 21:37:35 -04:00
Jacob Young
d890e81761 mem: fix ub in writeInt 
Use inline to vastly simplify the exposed API.  This allows a
comptime-known endian parameter to be propogated, making extra functions
for a specific endianness completely unnecessary.
 2023-10-31 21:37:35 -04:00
mlugg
f26dda2117 all: migrate code to new cast builtin syntax 
Most of this migration was performed automatically with `zig fmt`. There
were a few exceptions which I had to manually fix:

* `@alignCast` and `@addrSpaceCast` cannot be automatically rewritten
* `@truncate`'s fixup is incorrect for vectors
* Test cases are not formatted, and their error locations change
 2023-06-24 16:56:39 -07:00
Eric Joldasov
50339f595a all: zig fmt and rename "@XToY" to "@YFromX" 
Signed-off-by: Eric Joldasov <bratishkaerik@getgoogleoff.me>
 2023-06-19 12:34:42 -07:00
Nameless
0e5e6cb10c
std.http: add TlsAlert descriptions so that they can at least be viewed in err return traces 2023-06-01 13:43:55 -05:00
Bas Westerbaan
7cb3a67507
crypto/tls: switch X25519Kyber768Draft00 to new codepoint (#15821) 
The tls wg preferred a codepoint outside of the reserved range. This new
codepoint has been assigned by IANA.

See

 - https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00-02/
 - https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#table-tls-parameters-8
 2023-05-23 11:07:07 +00:00
Andrew Kelley
125221cce9 std: update to use @memcpy directly 2023-04-28 13:24:43 -07:00
Bas Westerbaan
2089b3f193
tls: use post-quantum secure key exchange (#14920) 2023-03-17 17:51:24 +01:00
Andrew Kelley
aeaef8c0ff update std lib and compiler sources to new for loop syntax 2023-02-18 19:17:21 -07:00
Andrew Kelley
611a1fdd6d std.crypto.tls: add API for sending close_notify 
This commit adds `writeEnd` and `writeAllEnd` in order to send data and
also notify the server that there will be no more data written.

Unfortunately, it seems most TLS implementations in the wild get this
wrong and immediately close the socket when they see a close_notify,
rather than only ending the data stream on the application layer.
 2023-01-02 16:57:16 -07:00
Andrew Kelley
0fb78b15aa std.crypto.tls: use a Decoder abstraction 
This commit introduces tls.Decoder and then uses it in tls.Client. The
purpose is to make it difficult to introduce vulnerabilities in the
parsing code. With this abstraction in place, bugs in the TLS
implementation will trip checks in the decoder, regardless of the actual
length of packets sent by the other party, so that we can have
confidence when using ReleaseFast builds.
 2023-01-02 16:57:16 -07:00
Andrew Kelley
21ab99174e std.crypto.tls.Client: use enums more 2023-01-02 16:57:16 -07:00
Andrew Kelley
ceb211e65f std.crypto.tls.Client: handle key_update message 2023-01-02 16:57:15 -07:00
Andrew Kelley
4f9f4575bd std.crypto.tls: rename HandshakeCipher 2023-01-02 16:57:15 -07:00
Andrew Kelley
bbc074252c introduce std.crypto.CertificateBundle 
for reading root certificate authority bundles from standard
installation locations on the file system. So far only Linux logic is
added.
 2023-01-02 16:57:15 -07:00
Andrew Kelley
3237000d95 std.crypto.tls: rudimentary certificate parsing 2023-01-02 16:57:15 -07:00
Andrew Kelley
5d7eca6669 std.crypto.tls.Client: fix verify_data for batched handshakes 2023-01-02 16:57:15 -07:00
Andrew Kelley
e2efba76aa std.crypto.tls: refactor to remove mutations 
build up the hello message with array concatenation and helper functions
rather than hard-coded offsets and lengths.
 2023-01-02 16:57:15 -07:00
Andrew Kelley
41f4461cda std.crypto.tls.Client: verify the server's Finished message 2023-01-02 16:57:15 -07:00
Andrew Kelley
942b5b468f std.crypto.tls: implement the rest of the cipher suites 
Also:
 * Use KeyPair.create() function
 * Don't bother with CCM
 2023-01-02 16:57:15 -07:00
Andrew Kelley
93ab8be8d8 extract std.crypto.tls.Client into separate namespace 2023-01-02 16:57:15 -07:00