From 93291cc4722d51afbba7378fab5cfb25da175a79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20=28xq=29=20Quei=C3=9Fner?= Date: Fri, 25 Sep 2020 09:16:43 +0200 Subject: [PATCH 01/15] Implements std.meta.ArgsTuple. --- lib/std/meta.zig | 74 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) diff --git a/lib/std/meta.zig b/lib/std/meta.zig index 1507aa9de8..98f3b284c1 100644 --- a/lib/std/meta.zig +++ b/lib/std/meta.zig @@ -807,7 +807,7 @@ pub fn sizeof(target: anytype) usize { // TODO to get the correct result we have to translate // `1073741824 * 4` as `int(1073741824) *% int(4)` since // sizeof(1073741824 * 4) != sizeof(4294967296). - + // TODO test if target fits in int, long or long long return @sizeOf(c_int); }, @@ -826,3 +826,75 @@ test "sizeof" { testing.expect(sizeof(E.One) == @sizeOf(c_int)); testing.expect(sizeof(S) == 4); } + +/// For a given function type, returns a tuple type which fields will +/// correspond to the argument types. +/// +/// Examples: +/// - `ArgsTuple(fn() void)` ⇒ `tuple { }` +/// - `ArgsTuple(fn(a: u32) u32)` ⇒ `tuple { u32 }` +/// - `ArgsTuple(fn(a: u32, b: f16) noreturn)` ⇒ `tuple { u32, f16 }` +pub fn ArgsTuple(comptime Function: type) type { + const info = @typeInfo(Function); + if (info != .Fn) + @compileError("ArgsTuple expects a function type"); + + const function_info = info.Fn; + if (function_info.is_generic) + @compileError("Cannot create ArgsTuple for generic function"); + if (function_info.is_var_args) + @compileError("Cannot create ArgsTuple for variadic function"); + + var argument_field_list: [function_info.args.len]std.builtin.TypeInfo.StructField = undefined; + inline for (function_info.args) |arg, i| { + @setEvalBranchQuota(10_000); + var num_buf: [128]u8 = undefined; + argument_field_list[i] = std.builtin.TypeInfo.StructField{ + .name = std.fmt.bufPrint(&num_buf, "{d}", .{i}) catch unreachable, + .field_type = arg.arg_type.?, + .default_value = @as(?(arg.arg_type.?), null), + .is_comptime = false, + }; + } + + return @Type(std.builtin.TypeInfo{ + .Struct = std.builtin.TypeInfo.Struct{ + .is_tuple = true, + .layout = .Auto, + .decls = &[_]std.builtin.TypeInfo.Declaration{}, + .fields = &argument_field_list, + }, + }); +} + +comptime { + const T = struct { + fn assertTypeEqual(comptime Expected: type, comptime Actual: type) void { + if (Expected != Actual) + @compileError("Expected type " ++ @typeName(Expected) ++ ", but got type " ++ @typeName(Actual)); + } + + fn assertTuple(comptime expected: anytype, comptime Actual: type) void { + const info = @typeInfo(Actual); + if (info != .Struct) + @compileError("Expected struct type"); + if (!info.Struct.is_tuple) + @compileError("Struct type must be a tuple type"); + + const fields_list = std.meta.fields(Actual); + if (expected.len != fields_list.len) + @compileError("Argument count mismatch"); + + inline for (fields_list) |fld, i| { + if (expected[i] != fld.field_type) { + @compileError("Field " ++ fld.name ++ " expected to be type " ++ @typeName(expected[i]) ++ ", but was type " ++ @typeName(fld.field_type)); + } + } + } + }; + + T.assertTuple(.{}, ArgsTuple(fn () void)); + T.assertTuple(.{u32}, ArgsTuple(fn (a: u32) []const u8)); + T.assertTuple(.{ u32, f16 }, ArgsTuple(fn (a: u32, b: f16) noreturn)); + T.assertTuple(.{ u32, f16, []const u8 }, ArgsTuple(fn (a: u32, b: f16, c: []const u8) noreturn)); +} From 7f68b14377ffe33ded2866f6bf53f213a9c5f620 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20=28xq=29=20Quei=C3=9Fner?= Date: Fri, 25 Sep 2020 09:27:00 +0200 Subject: [PATCH 02/15] Implements std.meta.Tuple(), implements #4607 in userland. --- lib/std/meta.zig | 64 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-) diff --git a/lib/std/meta.zig b/lib/std/meta.zig index 1507aa9de8..c92637250f 100644 --- a/lib/std/meta.zig +++ b/lib/std/meta.zig @@ -807,7 +807,7 @@ pub fn sizeof(target: anytype) usize { // TODO to get the correct result we have to translate // `1073741824 * 4` as `int(1073741824) *% int(4)` since // sizeof(1073741824 * 4) != sizeof(4294967296). - + // TODO test if target fits in int, long or long long return @sizeOf(c_int); }, @@ -826,3 +826,65 @@ test "sizeof" { testing.expect(sizeof(E.One) == @sizeOf(c_int)); testing.expect(sizeof(S) == 4); } + +/// For a given anonymous list of types, returns a new tuple type +/// with those types as fields. +/// +/// Examples: +/// - `Tuple(.{})` ⇒ `tuple { }` +/// - `Tuple(.{f32})` ⇒ `tuple { f32 }` +/// - `Tuple(.{f32,u32})` ⇒ `tuple { f32, u32 }` +pub fn Tuple(comptime types: anytype) type { + var tuple_fields: [types.len]std.builtin.TypeInfo.StructField = undefined; + inline for (types) |T, i| { + @setEvalBranchQuota(10_000); + var num_buf: [128]u8 = undefined; + tuple_fields[i] = std.builtin.TypeInfo.StructField{ + .name = std.fmt.bufPrint(&num_buf, "{d}", .{i}) catch unreachable, + .field_type = T, + .default_value = @as(?T, null), + .is_comptime = false, + }; + } + + return @Type(std.builtin.TypeInfo{ + .Struct = std.builtin.TypeInfo.Struct{ + .is_tuple = true, + .layout = .Auto, + .decls = &[_]std.builtin.TypeInfo.Declaration{}, + .fields = &tuple_fields, + }, + }); +} + +comptime { + const T = struct { + fn assertTypeEqual(comptime Expected: type, comptime Actual: type) void { + if (Expected != Actual) + @compileError("Expected type " ++ @typeName(Expected) ++ ", but got type " ++ @typeName(Actual)); + } + + fn assertTuple(comptime expected: anytype, comptime Actual: type) void { + const info = @typeInfo(Actual); + if (info != .Struct) + @compileError("Expected struct type"); + if (!info.Struct.is_tuple) + @compileError("Struct type must be a tuple type"); + + const fields_list = std.meta.fields(Actual); + if (expected.len != fields_list.len) + @compileError("Argument count mismatch"); + + inline for (fields_list) |fld, i| { + if (expected[i] != fld.field_type) { + @compileError("Field " ++ fld.name ++ " expected to be type " ++ @typeName(expected[i]) ++ ", but was type " ++ @typeName(fld.field_type)); + } + } + } + }; + + T.assertTuple(.{}, Tuple(.{})); + T.assertTuple(.{u32}, Tuple(.{u32})); + T.assertTuple(.{ u32, f16 }, Tuple(.{ u32, f16 })); + T.assertTuple(.{ u32, f16, []const u8 }, Tuple(.{ u32, f16, []const u8 })); +} From 933146699806fc25f8182f53cd8c217654d51664 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20=28xq=29=20Quei=C3=9Fner?= Date: Mon, 28 Sep 2020 11:42:39 +0200 Subject: [PATCH 03/15] Changes comptime block to test. --- lib/std/meta.zig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/std/meta.zig b/lib/std/meta.zig index c92637250f..5b4920157a 100644 --- a/lib/std/meta.zig +++ b/lib/std/meta.zig @@ -857,7 +857,7 @@ pub fn Tuple(comptime types: anytype) type { }); } -comptime { +test "Tuple" { const T = struct { fn assertTypeEqual(comptime Expected: type, comptime Actual: type) void { if (Expected != Actual) From 55dfe729b480c2ba121c6f650d160921560d9535 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20=28xq=29=20Quei=C3=9Fner?= Date: Mon, 28 Sep 2020 11:44:55 +0200 Subject: [PATCH 04/15] Changes comptime block to test. --- lib/std/meta.zig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/std/meta.zig b/lib/std/meta.zig index 98f3b284c1..2744690555 100644 --- a/lib/std/meta.zig +++ b/lib/std/meta.zig @@ -867,7 +867,7 @@ pub fn ArgsTuple(comptime Function: type) type { }); } -comptime { +test "ArgsTuple" { const T = struct { fn assertTypeEqual(comptime Expected: type, comptime Actual: type) void { if (Expected != Actual) From c2d60bc5b5dd9ac39760588c777cc6809732af19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20=28xq=29=20Quei=C3=9Fner?= Date: Mon, 28 Sep 2020 12:24:22 +0200 Subject: [PATCH 05/15] Follows @tadeokondrak remark about taking `[]const type`. --- lib/std/meta.zig | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/std/meta.zig b/lib/std/meta.zig index 5b4920157a..13d3c574e9 100644 --- a/lib/std/meta.zig +++ b/lib/std/meta.zig @@ -831,10 +831,10 @@ test "sizeof" { /// with those types as fields. /// /// Examples: -/// - `Tuple(.{})` ⇒ `tuple { }` -/// - `Tuple(.{f32})` ⇒ `tuple { f32 }` -/// - `Tuple(.{f32,u32})` ⇒ `tuple { f32, u32 }` -pub fn Tuple(comptime types: anytype) type { +/// - `Tuple(&[_]type {})` ⇒ `tuple { }` +/// - `Tuple(&[_]type {f32})` ⇒ `tuple { f32 }` +/// - `Tuple(&[_]type {f32,u32})` ⇒ `tuple { f32, u32 }` +pub fn Tuple(comptime types: []const type) type { var tuple_fields: [types.len]std.builtin.TypeInfo.StructField = undefined; inline for (types) |T, i| { @setEvalBranchQuota(10_000); @@ -883,8 +883,8 @@ test "Tuple" { } }; - T.assertTuple(.{}, Tuple(.{})); - T.assertTuple(.{u32}, Tuple(.{u32})); - T.assertTuple(.{ u32, f16 }, Tuple(.{ u32, f16 })); - T.assertTuple(.{ u32, f16, []const u8 }, Tuple(.{ u32, f16, []const u8 })); + T.assertTuple(.{}, Tuple(&[_]type{})); + T.assertTuple(.{u32}, Tuple(&[_]type{u32})); + T.assertTuple(.{ u32, f16 }, Tuple(&[_]type{ u32, f16 })); + T.assertTuple(.{ u32, f16, []const u8 }, Tuple(&[_]type{ u32, f16, []const u8 })); } From 56b52dd0a357f87627fe96dc99377a397f3bb9a1 Mon Sep 17 00:00:00 2001 From: LemonBoy Date: Mon, 28 Sep 2020 17:16:12 +0200 Subject: [PATCH 06/15] stage1: Detect OOB access of vector value Fixes #5710 --- src/ir.cpp | 10 ++++++++++ test/compile_errors.zig | 10 +++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/src/ir.cpp b/src/ir.cpp index 7d446c82a0..871c6739e6 100644 --- a/src/ir.cpp +++ b/src/ir.cpp @@ -21934,7 +21934,17 @@ static IrInstGen *ir_analyze_instruction_elem_ptr(IrAnalyze *ira, IrInstSrcElemP return ira->codegen->invalid_inst_gen; } safety_check_on = false; + } else if (array_type->id == ZigTypeIdVector) { + uint64_t vector_len = array_type->data.vector.len; + if (index >= vector_len) { + ir_add_error_node(ira, elem_ptr_instruction->base.base.source_node, + buf_sprintf("index %" ZIG_PRI_u64 " outside vector of size %" ZIG_PRI_u64, + index, vector_len)); + return ira->codegen->invalid_inst_gen; + } + safety_check_on = false; } + if (array_type->id == ZigTypeIdVector) { ZigType *elem_type = array_type->data.vector.elem_type; uint32_t host_vec_len = array_type->data.vector.len; diff --git a/test/compile_errors.zig b/test/compile_errors.zig index f457c74609..6ae857d1a8 100644 --- a/test/compile_errors.zig +++ b/test/compile_errors.zig @@ -2,6 +2,14 @@ const tests = @import("tests.zig"); const std = @import("std"); pub fn addCases(cases: *tests.CompileErrorContext) void { + cases.add("slice sentinel mismatch", + \\export fn entry() void { + \\ const x = @import("std").meta.Vector(3, f32){ 25, 75, 5, 0 }; + \\} + , &[_][]const u8{ + "tmp.zig:2:62: error: index 3 outside vector of size 3", + }); + cases.add("slice sentinel mismatch", \\export fn entry() void { \\ const y: [:1]const u8 = &[_:2]u8{ 1, 2 }; @@ -7548,7 +7556,7 @@ pub fn addCases(cases: *tests.CompileErrorContext) void { }); cases.add( // fixed bug #2032 - "compile diagnostic string for top level decl type", + "compile diagnostic string for top level decl type", \\export fn entry() void { \\ var foo: u32 = @This(){}; \\} From cbbcf609688d70ce9e45bde444b2904b39a0ae2c Mon Sep 17 00:00:00 2001 From: LemonBoy Date: Mon, 28 Sep 2020 17:16:57 +0200 Subject: [PATCH 07/15] stage1: Allow comparison with comptime-known vectors Since comptime_{int,float} vectors are not allowed (thanks $DEITY) we can use the element type infos to determine the minimum operand size. --- src/ir.cpp | 14 ++++---------- test/stage1/behavior/vector.zig | 8 ++++++++ 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/ir.cpp b/src/ir.cpp index 871c6739e6..d8d7289dae 100644 --- a/src/ir.cpp +++ b/src/ir.cpp @@ -16715,16 +16715,12 @@ static IrInstGen *ir_analyze_bin_op_cmp_numeric(IrAnalyze *ira, IrInst *source_i } ZigType *dest_float_type = nullptr; uint32_t op1_bits; - if (instr_is_comptime(op1)) { + if (instr_is_comptime(op1) && result_type->id != ZigTypeIdVector) { ZigValue *op1_val = ir_resolve_const(ira, op1, UndefOk); if (op1_val == nullptr) return ira->codegen->invalid_inst_gen; if (op1_val->special == ConstValSpecialUndef) return ir_const_undef(ira, source_instr, ira->codegen->builtin_types.entry_bool); - if (result_type->id == ZigTypeIdVector) { - ir_add_error(ira, &op1->base, buf_sprintf("compiler bug: TODO: support comptime vector here")); - return ira->codegen->invalid_inst_gen; - } bool is_unsigned; if (op1_is_float) { BigInt bigint = {}; @@ -16750,6 +16746,7 @@ static IrInstGen *ir_analyze_bin_op_cmp_numeric(IrAnalyze *ira, IrInst *source_i op1_bits += 1; } } else if (op1_is_float) { + ir_assert(op1_scalar_type->id == ZigTypeIdFloat, source_instr); dest_float_type = op1_scalar_type; } else { ir_assert(op1_scalar_type->id == ZigTypeIdInt, source_instr); @@ -16759,16 +16756,12 @@ static IrInstGen *ir_analyze_bin_op_cmp_numeric(IrAnalyze *ira, IrInst *source_i } } uint32_t op2_bits; - if (instr_is_comptime(op2)) { + if (instr_is_comptime(op2) && result_type->id != ZigTypeIdVector) { ZigValue *op2_val = ir_resolve_const(ira, op2, UndefOk); if (op2_val == nullptr) return ira->codegen->invalid_inst_gen; if (op2_val->special == ConstValSpecialUndef) return ir_const_undef(ira, source_instr, ira->codegen->builtin_types.entry_bool); - if (result_type->id == ZigTypeIdVector) { - ir_add_error(ira, &op2->base, buf_sprintf("compiler bug: TODO: support comptime vector here")); - return ira->codegen->invalid_inst_gen; - } bool is_unsigned; if (op2_is_float) { BigInt bigint = {}; @@ -16794,6 +16787,7 @@ static IrInstGen *ir_analyze_bin_op_cmp_numeric(IrAnalyze *ira, IrInst *source_i op2_bits += 1; } } else if (op2_is_float) { + ir_assert(op2_scalar_type->id == ZigTypeIdFloat, source_instr); dest_float_type = op2_scalar_type; } else { ir_assert(op2_scalar_type->id == ZigTypeIdInt, source_instr); diff --git a/test/stage1/behavior/vector.zig b/test/stage1/behavior/vector.zig index 8bdffcd500..dc9e49da43 100644 --- a/test/stage1/behavior/vector.zig +++ b/test/stage1/behavior/vector.zig @@ -274,6 +274,14 @@ test "vector comparison operators" { expectEqual(@splat(4, true), v1 != v3); expectEqual(@splat(4, false), v1 != v2); } + { + // Comptime-known LHS/RHS + var v1: @Vector(4, u32) = [_]u32{ 2, 1, 2, 1 }; + const v2 = @splat(4, @as(u32, 2)); + const v3: @Vector(4, bool) = [_]bool{ true, false, true, false }; + expectEqual(v3, v1 == v2); + expectEqual(v3, v2 == v1); + } } }; S.doTheTest(); From 868a46eb43e68971634c046c8317c1b83cae21ae Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 28 Sep 2020 23:23:32 +0200 Subject: [PATCH 08/15] std/crypto: make gimli slightly faster Before: gimli-hash: 120 MiB/s gimli-aead: 130 MiB/s After: gimli-hash: 195 MiB/s gimli-aead: 208 MiB/s Also fixes in-place decryption by the way. If the input & output buffers were the same, decryption used to fail. Return on decryption error in the benchmark to detect similar issues in future AEADs even in non release-fast mode. --- lib/std/crypto/benchmark.zig | 2 +- lib/std/crypto/gimli.zig | 34 +++++++++++++++++++++------------- 2 files changed, 22 insertions(+), 14 deletions(-) diff --git a/lib/std/crypto/benchmark.zig b/lib/std/crypto/benchmark.zig index 860f1269f0..4397f7312a 100644 --- a/lib/std/crypto/benchmark.zig +++ b/lib/std/crypto/benchmark.zig @@ -168,7 +168,7 @@ pub fn benchmarkAead(comptime Aead: anytype, comptime bytes: comptime_int) !u64 const start = timer.lap(); while (offset < bytes) : (offset += in.len) { Aead.encrypt(in[0..], tag[0..], in[0..], &[_]u8{}, nonce, key); - Aead.decrypt(in[0..], in[0..], tag, &[_]u8{}, nonce, key) catch unreachable; + try Aead.decrypt(in[0..], in[0..], tag, &[_]u8{}, nonce, key); } mem.doNotOptimizeAway(&in); const end = timer.read(); diff --git a/lib/std/crypto/gimli.zig b/lib/std/crypto/gimli.zig index 5b572aad7d..e5f93f5833 100644 --- a/lib/std/crypto/gimli.zig +++ b/lib/std/crypto/gimli.zig @@ -40,8 +40,8 @@ pub const State = struct { pub fn permute(self: *Self) void { const state = &self.data; - var round = @as(u32, 24); - while (round > 0) : (round -= 1) { + comptime var round = @as(u32, 24); + inline while (round > 0) : (round -= 1) { var column = @as(usize, 0); while (column < 4) : (column += 1) { const x = math.rotl(u32, state[column], 24); @@ -249,15 +249,19 @@ pub const Aead = struct { in = in[State.RATE..]; out = out[State.RATE..]; }) { - for (buf[0..State.RATE]) |*p, i| { - p.* ^= in[i]; - out[i] = p.*; + const d = in[0..State.RATE]; + for (d) |v, i| { + buf[i] ^= v; + } + for (d) |_, i| { + out[i] = buf[i]; } state.permute(); } - for (buf[0..in.len]) |*p, i| { - p.* ^= in[i]; - out[i] = p.*; + const d = in[0..]; + for (d) |v, i| { + buf[i] ^= v; + out[i] = buf[i]; } // XOR 1 into the next byte of the state @@ -291,15 +295,19 @@ pub const Aead = struct { in = in[State.RATE..]; out = out[State.RATE..]; }) { - for (buf[0..State.RATE]) |*p, i| { - out[i] = p.* ^ in[i]; - p.* = in[i]; + const d = in[0..State.RATE].*; + for (d) |v, i| { + out[i] = buf[i] ^ v; + } + for (d) |v, i| { + buf[i] = v; } state.permute(); } for (buf[0..in.len]) |*p, i| { - out[i] = p.* ^ in[i]; - p.* = in[i]; + const d = in[i]; + out[i] = p.* ^ d; + p.* = d; } // XOR 1 into the next byte of the state From 613f8fe83fc2db4bc39f18ad1a8190d33a4a1181 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 29 Sep 2020 00:41:37 +0200 Subject: [PATCH 09/15] Use mem.copy() instead of manual iterations --- lib/std/crypto/gimli.zig | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/lib/std/crypto/gimli.zig b/lib/std/crypto/gimli.zig index e5f93f5833..181aa1ed53 100644 --- a/lib/std/crypto/gimli.zig +++ b/lib/std/crypto/gimli.zig @@ -249,17 +249,13 @@ pub const Aead = struct { in = in[State.RATE..]; out = out[State.RATE..]; }) { - const d = in[0..State.RATE]; - for (d) |v, i| { + for (in[0..State.RATE]) |v, i| { buf[i] ^= v; } - for (d) |_, i| { - out[i] = buf[i]; - } + mem.copy(u8, out[0..State.RATE], buf[0..State.RATE]); state.permute(); } - const d = in[0..]; - for (d) |v, i| { + for (in[0..]) |v, i| { buf[i] ^= v; out[i] = buf[i]; } @@ -299,9 +295,7 @@ pub const Aead = struct { for (d) |v, i| { out[i] = buf[i] ^ v; } - for (d) |v, i| { - buf[i] = v; - } + mem.copy(u8, buf[0..State.RATE], d[0..State.RATE]); state.permute(); } for (buf[0..in.len]) |*p, i| { From a45a4230bc2ef67dca4bd3267863695d6b04adfa Mon Sep 17 00:00:00 2001 From: Loris Cro Date: Tue, 29 Sep 2020 11:18:35 +0200 Subject: [PATCH 10/15] Fix std.event.Future Signed-off-by: Loris Cro --- lib/std/event/future.zig | 2 +- lib/std/event/lock.zig | 18 +++++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/lib/std/event/future.zig b/lib/std/event/future.zig index c9777288e4..40c7845d53 100644 --- a/lib/std/event/future.zig +++ b/lib/std/event/future.zig @@ -95,7 +95,7 @@ test "std.event.Future" { // TODO provide a way to run tests in evented I/O mode if (!std.io.is_async) return error.SkipZigTest; - const handle = async testFuture(); + testFuture(); } fn testFuture() void { diff --git a/lib/std/event/lock.zig b/lib/std/event/lock.zig index a83395d7d0..6819e413d2 100644 --- a/lib/std/event/lock.zig +++ b/lib/std/event/lock.zig @@ -27,20 +27,24 @@ pub const Lock = struct { const Waiter = struct { // forced Waiter alignment to ensure it doesn't clash with LOCKED - next: ?*Waiter align(2), + next: ?*Waiter align(2), tail: *Waiter, node: Loop.NextTickNode, }; + pub fn initLocked() Lock { + return Lock{ .head = LOCKED }; + } + pub fn acquire(self: *Lock) Held { const held = self.mutex.acquire(); // self.head transitions from multiple stages depending on the value: - // UNLOCKED -> LOCKED: + // UNLOCKED -> LOCKED: // acquire Lock ownership when theres no waiters // LOCKED -> : // Lock is already owned, enqueue first Waiter - // -> : + // -> : // Lock is owned with pending waiters. Push our waiter to the queue. if (self.head == UNLOCKED) { @@ -51,7 +55,7 @@ pub const Lock = struct { var waiter: Waiter = undefined; waiter.next = null; - waiter.tail = &waiter; + waiter.tail = &waiter; const head = switch (self.head) { UNLOCKED => unreachable, @@ -79,15 +83,15 @@ pub const Lock = struct { } pub const Held = struct { - lock: *Lock, - + lock: *Lock, + pub fn release(self: Held) void { const waiter = blk: { const held = self.lock.mutex.acquire(); defer held.release(); // self.head goes through the reverse transition from acquire(): - // -> : + // -> : // pop a waiter from the queue to give Lock ownership when theres still others pending // -> LOCKED: // pop the laster waiter from the queue, while also giving it lock ownership when awaken From 4194714965a8080e6faa87d9859cc90aab07fe54 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 29 Sep 2020 13:09:11 +0200 Subject: [PATCH 11/15] Don't unroll the gimli permutation on release-small --- lib/std/crypto/gimli.zig | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/lib/std/crypto/gimli.zig b/lib/std/crypto/gimli.zig index 181aa1ed53..847562e395 100644 --- a/lib/std/crypto/gimli.zig +++ b/lib/std/crypto/gimli.zig @@ -38,7 +38,7 @@ pub const State = struct { return mem.sliceAsBytes(self.data[0..]); } - pub fn permute(self: *Self) void { + fn _permute_unrolled(self: *Self) void { const state = &self.data; comptime var round = @as(u32, 24); inline while (round > 0) : (round -= 1) { @@ -66,6 +66,42 @@ pub const State = struct { } } + fn _permute_small(self: *Self) void { + const state = &self.data; + var round = @as(u32, 24); + while (round > 0) : (round -= 1) { + var column = @as(usize, 0); + while (column < 4) : (column += 1) { + const x = math.rotl(u32, state[column], 24); + const y = math.rotl(u32, state[4 + column], 9); + const z = state[8 + column]; + state[8 + column] = ((x ^ (z << 1)) ^ ((y & z) << 2)); + state[4 + column] = ((y ^ x) ^ ((x | z) << 1)); + state[column] = ((z ^ y) ^ ((x & y) << 3)); + } + switch (round & 3) { + 0 => { + mem.swap(u32, &state[0], &state[1]); + mem.swap(u32, &state[2], &state[3]); + state[0] ^= round | 0x9e377900; + }, + 2 => { + mem.swap(u32, &state[0], &state[2]); + mem.swap(u32, &state[1], &state[3]); + }, + else => {}, + } + } + } + + pub fn permute(self: *Self) void { + if (std.builtin.mode == .ReleaseSmall) { + self._permute_small(); + } else { + self._permute_unrolled(); + } + } + pub fn squeeze(self: *Self, out: []u8) void { var i = @as(usize, 0); while (i + RATE <= out.len) : (i += RATE) { From 56d820087d712c3b3e93e8aeed8d556509050479 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 29 Sep 2020 14:01:08 +0200 Subject: [PATCH 12/15] gimli: make permute a constant, remove leading underscore --- lib/std/crypto/gimli.zig | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/lib/std/crypto/gimli.zig b/lib/std/crypto/gimli.zig index 847562e395..10e8a7dff0 100644 --- a/lib/std/crypto/gimli.zig +++ b/lib/std/crypto/gimli.zig @@ -38,7 +38,7 @@ pub const State = struct { return mem.sliceAsBytes(self.data[0..]); } - fn _permute_unrolled(self: *Self) void { + fn permute_unrolled(self: *Self) void { const state = &self.data; comptime var round = @as(u32, 24); inline while (round > 0) : (round -= 1) { @@ -66,7 +66,7 @@ pub const State = struct { } } - fn _permute_small(self: *Self) void { + fn permute_small(self: *Self) void { const state = &self.data; var round = @as(u32, 24); while (round > 0) : (round -= 1) { @@ -94,13 +94,7 @@ pub const State = struct { } } - pub fn permute(self: *Self) void { - if (std.builtin.mode == .ReleaseSmall) { - self._permute_small(); - } else { - self._permute_unrolled(); - } - } + pub const permute = if (std.builtin.mode == .ReleaseSmall) permute_small else permute_unrolled; pub fn squeeze(self: *Self, out: []u8) void { var i = @as(usize, 0); From 9f274e1f7df65472b0b312cbb6a559ebbaae7e1b Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 28 Sep 2020 00:58:59 +0200 Subject: [PATCH 13/15] std/crypto: add the AEGIS128L AEAD Showcase that Zig can be a great option for high performance cryptography. The AEGIS family of authenticated encryption algorithms was selected for high-performance applications in the final portfolio of the CAESAR competition. They reuse the AES core function, but are substantially faster than the CCM, GCM and OCB modes while offering a high level of security. AEGIS algorithms are especially fast on CPUs with built-in AES support, and the 128L variant fully takes advantage of the pipeline in modern Intel CPUs. Performance of the Zig implementation is on par with libsodium. --- lib/std/crypto.zig | 1 + lib/std/crypto/aegis.zig | 197 +++++++++++++++++++++++++++++++++++ lib/std/crypto/aes/aesni.zig | 26 +++-- lib/std/crypto/aes/soft.zig | 30 +++++- lib/std/crypto/benchmark.zig | 1 + 5 files changed, 242 insertions(+), 13 deletions(-) create mode 100644 lib/std/crypto/aegis.zig diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index 5763348729..73ad2ba20b 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -28,6 +28,7 @@ pub const aead = struct { pub const Gimli = @import("crypto/gimli.zig").Aead; pub const ChaCha20Poly1305 = chacha20.Chacha20Poly1305; pub const XChaCha20Poly1305 = chacha20.XChacha20Poly1305; + pub const AEGIS128L = @import("crypto/aegis.zig").AEGIS128L; }; /// MAC functions requiring single-use secret keys. diff --git a/lib/std/crypto/aegis.zig b/lib/std/crypto/aegis.zig new file mode 100644 index 0000000000..690f016a10 --- /dev/null +++ b/lib/std/crypto/aegis.zig @@ -0,0 +1,197 @@ +const std = @import("std"); +const mem = std.mem; +const assert = std.debug.assert; +const AESBlock = std.crypto.core.aes.Block; + +const State = struct { + blocks: [8]AESBlock, + + fn init(key: [16]u8, nonce: [16]u8) State { + const c1 = AESBlock.fromBytes(&[16]u8{ 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd }); + const c2 = AESBlock.fromBytes(&[16]u8{ 0x0, 0x1, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 }); + const key_block = AESBlock.fromBytes(&key); + const nonce_block = AESBlock.fromBytes(&nonce); + const blocks = [8]AESBlock{ + key_block.xorBlocks(nonce_block), + c1, + c2, + c1, + key_block.xorBlocks(nonce_block), + key_block.xorBlocks(c2), + key_block.xorBlocks(c1), + key_block.xorBlocks(c2), + }; + var state = State{ .blocks = blocks }; + var i: usize = 0; + while (i < 10) : (i += 1) { + state.update(nonce_block, key_block); + } + return state; + } + + inline fn update(state: *State, d1: AESBlock, d2: AESBlock) void { + const blocks = &state.blocks; + const tmp = blocks[7]; + comptime var i: usize = 7; + inline while (i > 0) : (i -= 1) { + blocks[i] = blocks[i - 1].encrypt(blocks[i]); + } + blocks[0] = tmp.encrypt(blocks[0]); + blocks[0] = blocks[0].xorBlocks(d1); + blocks[4] = blocks[4].xorBlocks(d2); + } + + fn enc(state: *State, dst: []u8, src: []const u8) void { + const blocks = &state.blocks; + const msg0 = AESBlock.fromBytes(src[0..16]); + const msg1 = AESBlock.fromBytes(src[16..32]); + var tmp0 = msg0.xorBlocks(blocks[6]).xorBlocks(blocks[1]); + var tmp1 = msg1.xorBlocks(blocks[2]).xorBlocks(blocks[5]); + tmp0 = tmp0.xorBlocks(blocks[2].andBlocks(blocks[3])); + tmp1 = tmp1.xorBlocks(blocks[6].andBlocks(blocks[7])); + dst[0..16].* = tmp0.toBytes(); + dst[16..32].* = tmp1.toBytes(); + state.update(msg0, msg1); + } + + fn dec(state: *State, dst: []u8, src: []const u8) void { + const blocks = &state.blocks; + var msg0 = AESBlock.fromBytes(src[0..16]).xorBlocks(blocks[6]).xorBlocks(blocks[1]); + var msg1 = AESBlock.fromBytes(src[16..32]).xorBlocks(blocks[2]).xorBlocks(blocks[5]); + msg0 = msg0.xorBlocks(blocks[2].andBlocks(blocks[3])); + msg1 = msg1.xorBlocks(blocks[6].andBlocks(blocks[7])); + dst[0..16].* = msg0.toBytes(); + dst[16..32].* = msg1.toBytes(); + state.update(msg0, msg1); + } + + fn mac(state: *State, adlen: usize, mlen: usize) [16]u8 { + const blocks = &state.blocks; + var sizes: [16]u8 = undefined; + mem.writeIntLittle(u64, sizes[0..8], adlen * 8); + mem.writeIntLittle(u64, sizes[8..16], mlen * 8); + const tmp = AESBlock.fromBytes(&sizes).xorBlocks(blocks[2]); + var i: usize = 0; + while (i < 7) : (i += 1) { + state.update(tmp, tmp); + } + return blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]). + xorBlocks(blocks[5]).xorBlocks(blocks[6]).toBytes(); + } +}; + +/// AEGIS is a very fast authenticated encryption system built on top of the core AES function. +/// +/// The 128L variant of AEGIS has a 128 bit key, a 128 bit nonce, and processes 256 bit message blocks. +/// It was designed to fully exploit the parallelism and built-in AES support of recent Intel and ARM CPUs. +/// +/// https://eprint.iacr.org/2013/695.pdf +pub const AEGIS128L = struct { + pub const tag_length = 16; + pub const nonce_length = 16; + pub const key_length = 16; + + /// c: ciphertext: output buffer should be of size m.len + /// tag: authentication tag: output MAC + /// m: message + /// ad: Associated Data + /// npub: public nonce + /// k: private key + pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void { + assert(c.len == m.len); + var state = State.init(key, npub); + var src: [32]u8 align(16) = undefined; + var dst: [32]u8 align(16) = undefined; + var i: usize = 0; + while (i + 32 <= ad.len) : (i += 32) { + state.enc(&dst, ad[i..][0..32]); + } + if (ad.len % 32 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. ad.len % 32], ad[i .. i + ad.len % 32]); + state.enc(&dst, &src); + } + i = 0; + while (i + 32 <= m.len) : (i += 32) { + state.enc(c[i..][0..32], m[i..][0..32]); + } + if (m.len % 32 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. m.len % 32], m[i .. i + m.len % 32]); + state.enc(&dst, &src); + mem.copy(u8, c[i .. i + m.len % 32], dst[0 .. m.len % 32]); + } + tag.* = state.mac(ad.len, m.len); + } + + /// m: message: output buffer should be of size c.len + /// c: ciphertext + /// tag: authentication tag + /// ad: Associated Data + /// npub: public nonce + /// k: private key + pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) !void { + assert(c.len == m.len); + var state = State.init(key, npub); + var src: [32]u8 align(16) = undefined; + var dst: [32]u8 align(16) = undefined; + var i: usize = 0; + while (i + 32 <= ad.len) : (i += 32) { + state.enc(&dst, ad[i..][0..32]); + } + if (ad.len % 32 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. ad.len % 32], ad[i .. i + ad.len % 32]); + state.enc(&dst, &src); + } + i = 0; + while (i + 32 <= m.len) : (i += 32) { + state.dec(m[i..][0..32], c[i..][0..32]); + } + if (m.len % 32 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. m.len % 32], c[i .. i + m.len % 32]); + state.dec(&dst, &src); + mem.copy(u8, m[i .. i + m.len % 32], dst[0 .. m.len % 32]); + mem.set(u8, dst[0 .. m.len % 32], 0); + const blocks = &state.blocks; + blocks[0] = blocks[0].xorBlocks(AESBlock.fromBytes(dst[0..16])); + blocks[4] = blocks[4].xorBlocks(AESBlock.fromBytes(dst[16..32])); + } + const computed_tag = state.mac(ad.len, m.len); + var acc: u8 = 0; + for (computed_tag) |_, j| { + acc |= (computed_tag[j] ^ tag[j]); + } + if (acc != 0) { + mem.set(u8, m, 0xaa); + return error.AuthenticationFailed; + } + } +}; + +const htest = @import("test.zig"); +const testing = std.testing; + +test "AEGIS128L" { + const key: [AEGIS128L.key_length]u8 = [_]u8{ 0x10, 0x01 } ++ [_]u8{0x00} ** 14; + const nonce: [AEGIS128L.nonce_length]u8 = [_]u8{ 0x10, 0x00, 0x02 } ++ [_]u8{0x00} ** 13; + const ad = [8]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; + const m = [32]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }; + var c: [m.len]u8 = undefined; + var m2: [m.len]u8 = undefined; + var tag: [AEGIS128L.tag_length]u8 = undefined; + + AEGIS128L.encrypt(&c, &tag, &m, &ad, nonce, key); + try AEGIS128L.decrypt(&m2, &c, tag, &ad, nonce, key); + testing.expectEqualSlices(u8, &m, &m2); + + htest.assertEqual("79d94593d8c2119d7e8fd9b8fc77845c5c077a05b2528b6ac54b563aed8efe84", &c); + htest.assertEqual("cc6f3372f6aa1bb82388d695c3962d9a", &tag); + + c[0] +%= 1; + testing.expectError(error.AuthenticationFailed, AEGIS128L.decrypt(&m2, &c, tag, &ad, nonce, key)); + c[0] -%= 1; + tag[0] +%= 1; + testing.expectError(error.AuthenticationFailed, AEGIS128L.decrypt(&m2, &c, tag, &ad, nonce, key)); +} diff --git a/lib/std/crypto/aes/aesni.zig b/lib/std/crypto/aes/aesni.zig index f13a4a581c..47dd029bec 100644 --- a/lib/std/crypto/aes/aesni.zig +++ b/lib/std/crypto/aes/aesni.zig @@ -84,11 +84,21 @@ pub const Block = struct { }; } - /// XOR the content of two blocks. - pub inline fn xor(block1: Block, block2: Block) Block { + /// Apply the bitwise XOR operation to the content of two blocks. + pub inline fn xorBlocks(block1: Block, block2: Block) Block { return Block{ .repr = block1.repr ^ block2.repr }; } + /// Apply the bitwise AND operation to the content of two blocks. + pub inline fn andBlocks(block1: Block, block2: Block) Block { + return Block{ .repr = block1.repr & block2.repr }; + } + + /// Apply the bitwise OR operation to the content of two blocks. + pub inline fn orBlocks(block1: Block, block2: Block) Block { + return Block{ .repr = block1.repr | block2.repr }; + } + /// Perform operations on multiple blocks in parallel. pub const parallel = struct { /// The recommended number of AES encryption/decryption to perform in parallel for the chosen implementation. @@ -261,7 +271,7 @@ pub fn AESEncryptCtx(comptime AES: type) type { /// Encrypt a single block. pub fn encrypt(ctx: Self, dst: *[16]u8, src: *const [16]u8) void { const round_keys = ctx.key_schedule.round_keys; - var t = Block.fromBytes(src).xor(round_keys[0]); + var t = Block.fromBytes(src).xorBlocks(round_keys[0]); comptime var i = 1; inline while (i < rounds) : (i += 1) { t = t.encrypt(round_keys[i]); @@ -273,7 +283,7 @@ pub fn AESEncryptCtx(comptime AES: type) type { /// Encrypt+XOR a single block. pub fn xor(ctx: Self, dst: *[16]u8, src: *const [16]u8, counter: [16]u8) void { const round_keys = ctx.key_schedule.round_keys; - var t = Block.fromBytes(&counter).xor(round_keys[0]); + var t = Block.fromBytes(&counter).xorBlocks(round_keys[0]); comptime var i = 1; inline while (i < rounds) : (i += 1) { t = t.encrypt(round_keys[i]); @@ -288,7 +298,7 @@ pub fn AESEncryptCtx(comptime AES: type) type { var ts: [count]Block = undefined; comptime var j = 0; inline while (j < count) : (j += 1) { - ts[j] = Block.fromBytes(src[j * 16 .. j * 16 + 16][0..16]).xor(round_keys[0]); + ts[j] = Block.fromBytes(src[j * 16 .. j * 16 + 16][0..16]).xorBlocks(round_keys[0]); } comptime var i = 1; inline while (i < rounds) : (i += 1) { @@ -310,7 +320,7 @@ pub fn AESEncryptCtx(comptime AES: type) type { var ts: [count]Block = undefined; comptime var j = 0; inline while (j < count) : (j += 1) { - ts[j] = Block.fromBytes(counters[j * 16 .. j * 16 + 16][0..16]).xor(round_keys[0]); + ts[j] = Block.fromBytes(counters[j * 16 .. j * 16 + 16][0..16]).xorBlocks(round_keys[0]); } comptime var i = 1; inline while (i < rounds) : (i += 1) { @@ -352,7 +362,7 @@ pub fn AESDecryptCtx(comptime AES: type) type { /// Decrypt a single block. pub fn decrypt(ctx: Self, dst: *[16]u8, src: *const [16]u8) void { const inv_round_keys = ctx.key_schedule.round_keys; - var t = Block.fromBytes(src).xor(inv_round_keys[0]); + var t = Block.fromBytes(src).xorBlocks(inv_round_keys[0]); comptime var i = 1; inline while (i < rounds) : (i += 1) { t = t.decrypt(inv_round_keys[i]); @@ -367,7 +377,7 @@ pub fn AESDecryptCtx(comptime AES: type) type { var ts: [count]Block = undefined; comptime var j = 0; inline while (j < count) : (j += 1) { - ts[j] = Block.fromBytes(src[j * 16 .. j * 16 + 16][0..16]).xor(inv_round_keys[0]); + ts[j] = Block.fromBytes(src[j * 16 .. j * 16 + 16][0..16]).xorBlocks(inv_round_keys[0]); } comptime var i = 1; inline while (i < rounds) : (i += 1) { diff --git a/lib/std/crypto/aes/soft.zig b/lib/std/crypto/aes/soft.zig index c32662fbc5..5f66f3499e 100644 --- a/lib/std/crypto/aes/soft.zig +++ b/lib/std/crypto/aes/soft.zig @@ -125,8 +125,8 @@ pub const Block = struct { return Block{ .repr = BlockVec{ s0, s1, s2, s3 } }; } - /// XOR the content of two blocks. - pub inline fn xor(block1: Block, block2: Block) Block { + /// Apply the bitwise XOR operation to the content of two blocks. + pub inline fn xorBlocks(block1: Block, block2: Block) Block { var x: BlockVec = undefined; comptime var i = 0; inline while (i < 4) : (i += 1) { @@ -135,6 +135,26 @@ pub const Block = struct { return Block{ .repr = x }; } + /// Apply the bitwise AND operation to the content of two blocks. + pub inline fn andBlocks(block1: Block, block2: Block) Block { + var x: BlockVec = undefined; + comptime var i = 0; + inline while (i < 4) : (i += 1) { + x[i] = block1.repr[i] & block2.repr[i]; + } + return Block{ .repr = x }; + } + + /// Apply the bitwise OR operation to the content of two blocks. + pub inline fn orBlocks(block1: Block, block2: Block) Block { + var x: BlockVec = undefined; + comptime var i = 0; + inline while (i < 4) : (i += 1) { + x[i] = block1.repr[i] | block2.repr[i]; + } + return Block{ .repr = x }; + } + /// Perform operations on multiple blocks in parallel. pub const parallel = struct { /// The recommended number of AES encryption/decryption to perform in parallel for the chosen implementation. @@ -283,7 +303,7 @@ pub fn AESEncryptCtx(comptime AES: type) type { /// Encrypt a single block. pub fn encrypt(ctx: Self, dst: *[16]u8, src: *const [16]u8) void { const round_keys = ctx.key_schedule.round_keys; - var t = Block.fromBytes(src).xor(round_keys[0]); + var t = Block.fromBytes(src).xorBlocks(round_keys[0]); comptime var i = 1; inline while (i < rounds) : (i += 1) { t = t.encrypt(round_keys[i]); @@ -295,7 +315,7 @@ pub fn AESEncryptCtx(comptime AES: type) type { /// Encrypt+XOR a single block. pub fn xor(ctx: Self, dst: *[16]u8, src: *const [16]u8, counter: [16]u8) void { const round_keys = ctx.key_schedule.round_keys; - var t = Block.fromBytes(&counter).xor(round_keys[0]); + var t = Block.fromBytes(&counter).xorBlocks(round_keys[0]); comptime var i = 1; inline while (i < rounds) : (i += 1) { t = t.encrypt(round_keys[i]); @@ -349,7 +369,7 @@ pub fn AESDecryptCtx(comptime AES: type) type { /// Decrypt a single block. pub fn decrypt(ctx: Self, dst: *[16]u8, src: *const [16]u8) void { const inv_round_keys = ctx.key_schedule.round_keys; - var t = Block.fromBytes(src).xor(inv_round_keys[0]); + var t = Block.fromBytes(src).xorBlocks(inv_round_keys[0]); comptime var i = 1; inline while (i < rounds) : (i += 1) { t = t.decrypt(inv_round_keys[i]); diff --git a/lib/std/crypto/benchmark.zig b/lib/std/crypto/benchmark.zig index 860f1269f0..d5b93947c5 100644 --- a/lib/std/crypto/benchmark.zig +++ b/lib/std/crypto/benchmark.zig @@ -149,6 +149,7 @@ const aeads = [_]Crypto{ Crypto{ .ty = crypto.aead.ChaCha20Poly1305, .name = "chacha20Poly1305" }, Crypto{ .ty = crypto.aead.XChaCha20Poly1305, .name = "xchacha20Poly1305" }, Crypto{ .ty = crypto.aead.Gimli, .name = "gimli-aead" }, + Crypto{ .ty = crypto.aead.AEGIS128L, .name = "aegis128l" }, }; pub fn benchmarkAead(comptime Aead: anytype, comptime bytes: comptime_int) !u64 { From bb1c6bc376f1a30d6dadd4aebcd1ebec6b4c8621 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 28 Sep 2020 14:50:00 +0200 Subject: [PATCH 14/15] Add AEGIS-256 as well --- lib/std/crypto.zig | 1 + lib/std/crypto/aegis.zig | 238 +++++++++++++++++++++++++++++++++-- lib/std/crypto/benchmark.zig | 3 +- 3 files changed, 231 insertions(+), 11 deletions(-) diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index 73ad2ba20b..fa69d51d4d 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -29,6 +29,7 @@ pub const aead = struct { pub const ChaCha20Poly1305 = chacha20.Chacha20Poly1305; pub const XChaCha20Poly1305 = chacha20.XChacha20Poly1305; pub const AEGIS128L = @import("crypto/aegis.zig").AEGIS128L; + pub const AEGIS256 = @import("crypto/aegis.zig").AEGIS256; }; /// MAC functions requiring single-use secret keys. diff --git a/lib/std/crypto/aegis.zig b/lib/std/crypto/aegis.zig index 690f016a10..7ea7136f1e 100644 --- a/lib/std/crypto/aegis.zig +++ b/lib/std/crypto/aegis.zig @@ -3,10 +3,10 @@ const mem = std.mem; const assert = std.debug.assert; const AESBlock = std.crypto.core.aes.Block; -const State = struct { +const State128L = struct { blocks: [8]AESBlock, - fn init(key: [16]u8, nonce: [16]u8) State { + fn init(key: [16]u8, nonce: [16]u8) State128L { const c1 = AESBlock.fromBytes(&[16]u8{ 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd }); const c2 = AESBlock.fromBytes(&[16]u8{ 0x0, 0x1, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 }); const key_block = AESBlock.fromBytes(&key); @@ -21,7 +21,7 @@ const State = struct { key_block.xorBlocks(c1), key_block.xorBlocks(c2), }; - var state = State{ .blocks = blocks }; + var state = State128L{ .blocks = blocks }; var i: usize = 0; while (i < 10) : (i += 1) { state.update(nonce_block, key_block); @@ -29,7 +29,7 @@ const State = struct { return state; } - inline fn update(state: *State, d1: AESBlock, d2: AESBlock) void { + inline fn update(state: *State128L, d1: AESBlock, d2: AESBlock) void { const blocks = &state.blocks; const tmp = blocks[7]; comptime var i: usize = 7; @@ -41,7 +41,7 @@ const State = struct { blocks[4] = blocks[4].xorBlocks(d2); } - fn enc(state: *State, dst: []u8, src: []const u8) void { + fn enc(state: *State128L, dst: *[32]u8, src: *const [32]u8) void { const blocks = &state.blocks; const msg0 = AESBlock.fromBytes(src[0..16]); const msg1 = AESBlock.fromBytes(src[16..32]); @@ -54,7 +54,7 @@ const State = struct { state.update(msg0, msg1); } - fn dec(state: *State, dst: []u8, src: []const u8) void { + fn dec(state: *State128L, dst: *[32]u8, src: *const [32]u8) void { const blocks = &state.blocks; var msg0 = AESBlock.fromBytes(src[0..16]).xorBlocks(blocks[6]).xorBlocks(blocks[1]); var msg1 = AESBlock.fromBytes(src[16..32]).xorBlocks(blocks[2]).xorBlocks(blocks[5]); @@ -65,7 +65,7 @@ const State = struct { state.update(msg0, msg1); } - fn mac(state: *State, adlen: usize, mlen: usize) [16]u8 { + fn mac(state: *State128L, adlen: usize, mlen: usize) [16]u8 { const blocks = &state.blocks; var sizes: [16]u8 = undefined; mem.writeIntLittle(u64, sizes[0..8], adlen * 8); @@ -99,7 +99,7 @@ pub const AEGIS128L = struct { /// k: private key pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void { assert(c.len == m.len); - var state = State.init(key, npub); + var state = State128L.init(key, npub); var src: [32]u8 align(16) = undefined; var dst: [32]u8 align(16) = undefined; var i: usize = 0; @@ -132,7 +132,7 @@ pub const AEGIS128L = struct { /// k: private key pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) !void { assert(c.len == m.len); - var state = State.init(key, npub); + var state = State128L.init(key, npub); var src: [32]u8 align(16) = undefined; var dst: [32]u8 align(16) = undefined; var i: usize = 0; @@ -170,10 +170,171 @@ pub const AEGIS128L = struct { } }; +const State256 = struct { + blocks: [6]AESBlock, + + fn init(key: [32]u8, nonce: [32]u8) State256 { + const c1 = AESBlock.fromBytes(&[16]u8{ 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd }); + const c2 = AESBlock.fromBytes(&[16]u8{ 0x0, 0x1, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 }); + const key_block1 = AESBlock.fromBytes(key[0..16]); + const key_block2 = AESBlock.fromBytes(key[16..32]); + const nonce_block1 = AESBlock.fromBytes(nonce[0..16]); + const nonce_block2 = AESBlock.fromBytes(nonce[16..32]); + const kxn1 = key_block1.xorBlocks(nonce_block1); + const kxn2 = key_block2.xorBlocks(nonce_block2); + const blocks = [6]AESBlock{ + kxn1, + kxn2, + c1, + c2, + key_block1.xorBlocks(c2), + key_block2.xorBlocks(c1), + }; + var state = State256{ .blocks = blocks }; + var i: usize = 0; + while (i < 4) : (i += 1) { + state.update(key_block1); + state.update(key_block2); + state.update(kxn1); + state.update(kxn2); + } + return state; + } + + inline fn update(state: *State256, d: AESBlock) void { + const blocks = &state.blocks; + const tmp = blocks[5].encrypt(blocks[0]); + comptime var i: usize = 5; + inline while (i > 0) : (i -= 1) { + blocks[i] = blocks[i - 1].encrypt(blocks[i]); + } + blocks[0] = tmp.xorBlocks(d); + } + + fn enc(state: *State256, dst: *[16]u8, src: *const [16]u8) void { + const blocks = &state.blocks; + const msg = AESBlock.fromBytes(src); + var tmp = msg.xorBlocks(blocks[5]).xorBlocks(blocks[4]).xorBlocks(blocks[1]); + tmp = tmp.xorBlocks(blocks[2].andBlocks(blocks[3])); + dst.* = tmp.toBytes(); + state.update(msg); + } + + fn dec(state: *State256, dst: *[16]u8, src: *const [16]u8) void { + const blocks = &state.blocks; + var msg = AESBlock.fromBytes(src).xorBlocks(blocks[5]).xorBlocks(blocks[4]).xorBlocks(blocks[1]); + msg = msg.xorBlocks(blocks[2].andBlocks(blocks[3])); + dst.* = msg.toBytes(); + state.update(msg); + } + + fn mac(state: *State256, adlen: usize, mlen: usize) [16]u8 { + const blocks = &state.blocks; + var sizes: [16]u8 = undefined; + mem.writeIntLittle(u64, sizes[0..8], adlen * 8); + mem.writeIntLittle(u64, sizes[8..16], mlen * 8); + const tmp = AESBlock.fromBytes(&sizes).xorBlocks(blocks[3]); + var i: usize = 0; + while (i < 7) : (i += 1) { + state.update(tmp); + } + return blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]). + xorBlocks(blocks[5]).toBytes(); + } +}; + +/// AEGIS is a very fast authenticated encryption system built on top of the core AES function. +/// +/// The 256 bit variant of AEGIS has a 256 bit key, a 256 bit nonce, and processes 128 bit message blocks. +/// +/// https://eprint.iacr.org/2013/695.pdf +pub const AEGIS256 = struct { + pub const tag_length = 16; + pub const nonce_length = 32; + pub const key_length = 32; + + /// c: ciphertext: output buffer should be of size m.len + /// tag: authentication tag: output MAC + /// m: message + /// ad: Associated Data + /// npub: public nonce + /// k: private key + pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void { + assert(c.len == m.len); + var state = State256.init(key, npub); + var src: [16]u8 align(16) = undefined; + var dst: [16]u8 align(16) = undefined; + var i: usize = 0; + while (i + 16 <= ad.len) : (i += 16) { + state.enc(&dst, ad[i..][0..16]); + } + if (ad.len % 16 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. ad.len % 16], ad[i .. i + ad.len % 16]); + state.enc(&dst, &src); + } + i = 0; + while (i + 16 <= m.len) : (i += 16) { + state.enc(c[i..][0..16], m[i..][0..16]); + } + if (m.len % 16 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. m.len % 16], m[i .. i + m.len % 16]); + state.enc(&dst, &src); + mem.copy(u8, c[i .. i + m.len % 16], dst[0 .. m.len % 16]); + } + tag.* = state.mac(ad.len, m.len); + } + + /// m: message: output buffer should be of size c.len + /// c: ciphertext + /// tag: authentication tag + /// ad: Associated Data + /// npub: public nonce + /// k: private key + pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) !void { + assert(c.len == m.len); + var state = State256.init(key, npub); + var src: [16]u8 align(16) = undefined; + var dst: [16]u8 align(16) = undefined; + var i: usize = 0; + while (i + 16 <= ad.len) : (i += 16) { + state.enc(&dst, ad[i..][0..16]); + } + if (ad.len % 16 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. ad.len % 16], ad[i .. i + ad.len % 16]); + state.enc(&dst, &src); + } + i = 0; + while (i + 16 <= m.len) : (i += 16) { + state.dec(m[i..][0..16], c[i..][0..16]); + } + if (m.len % 16 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. m.len % 16], c[i .. i + m.len % 16]); + state.dec(&dst, &src); + mem.copy(u8, m[i .. i + m.len % 16], dst[0 .. m.len % 16]); + mem.set(u8, dst[0 .. m.len % 16], 0); + const blocks = &state.blocks; + blocks[0] = blocks[0].xorBlocks(AESBlock.fromBytes(&dst)); + } + const computed_tag = state.mac(ad.len, m.len); + var acc: u8 = 0; + for (computed_tag) |_, j| { + acc |= (computed_tag[j] ^ tag[j]); + } + if (acc != 0) { + mem.set(u8, m, 0xaa); + return error.AuthenticationFailed; + } + } +}; + const htest = @import("test.zig"); const testing = std.testing; -test "AEGIS128L" { +test "AEGIS128L test vector 1" { const key: [AEGIS128L.key_length]u8 = [_]u8{ 0x10, 0x01 } ++ [_]u8{0x00} ** 14; const nonce: [AEGIS128L.nonce_length]u8 = [_]u8{ 0x10, 0x00, 0x02 } ++ [_]u8{0x00} ** 13; const ad = [8]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; @@ -195,3 +356,60 @@ test "AEGIS128L" { tag[0] +%= 1; testing.expectError(error.AuthenticationFailed, AEGIS128L.decrypt(&m2, &c, tag, &ad, nonce, key)); } + +test "AEGIS128L test vector 2" { + const key: [AEGIS128L.key_length]u8 = [_]u8{0x00} ** 16; + const nonce: [AEGIS128L.nonce_length]u8 = [_]u8{0x00} ** 16; + const ad = [_]u8{}; + const m = [_]u8{0x00} ** 16; + var c: [m.len]u8 = undefined; + var m2: [m.len]u8 = undefined; + var tag: [AEGIS128L.tag_length]u8 = undefined; + + AEGIS128L.encrypt(&c, &tag, &m, &ad, nonce, key); + try AEGIS128L.decrypt(&m2, &c, tag, &ad, nonce, key); + testing.expectEqualSlices(u8, &m, &m2); + + htest.assertEqual("41de9000a7b5e40e2d68bb64d99ebb19", &c); + htest.assertEqual("f4d997cc9b94227ada4fe4165422b1c8", &tag); +} + +test "AEGIS256 test vector 1" { + const key: [AEGIS256.key_length]u8 = [_]u8{ 0x10, 0x01 } ++ [_]u8{0x00} ** 30; + const nonce: [AEGIS256.nonce_length]u8 = [_]u8{ 0x10, 0x00, 0x02 } ++ [_]u8{0x00} ** 29; + const ad = [8]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; + const m = [32]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }; + var c: [m.len]u8 = undefined; + var m2: [m.len]u8 = undefined; + var tag: [AEGIS256.tag_length]u8 = undefined; + + AEGIS256.encrypt(&c, &tag, &m, &ad, nonce, key); + try AEGIS256.decrypt(&m2, &c, tag, &ad, nonce, key); + testing.expectEqualSlices(u8, &m, &m2); + + htest.assertEqual("f373079ed84b2709faee373584585d60accd191db310ef5d8b11833df9dec711", &c); + htest.assertEqual("8d86f91ee606e9ff26a01b64ccbdd91d", &tag); + + c[0] +%= 1; + testing.expectError(error.AuthenticationFailed, AEGIS256.decrypt(&m2, &c, tag, &ad, nonce, key)); + c[0] -%= 1; + tag[0] +%= 1; + testing.expectError(error.AuthenticationFailed, AEGIS256.decrypt(&m2, &c, tag, &ad, nonce, key)); +} + +test "AEGIS256 test vector 2" { + const key: [AEGIS256.key_length]u8 = [_]u8{0x00} ** 32; + const nonce: [AEGIS256.nonce_length]u8 = [_]u8{0x00} ** 32; + const ad = [_]u8{}; + const m = [_]u8{0x00} ** 16; + var c: [m.len]u8 = undefined; + var m2: [m.len]u8 = undefined; + var tag: [AEGIS256.tag_length]u8 = undefined; + + AEGIS256.encrypt(&c, &tag, &m, &ad, nonce, key); + try AEGIS256.decrypt(&m2, &c, tag, &ad, nonce, key); + testing.expectEqualSlices(u8, &m, &m2); + + htest.assertEqual("b98f03a947807713d75a4fff9fc277a6", &c); + htest.assertEqual("478f3b50dc478ef7d5cf2d0f7cc13180", &tag); +} diff --git a/lib/std/crypto/benchmark.zig b/lib/std/crypto/benchmark.zig index d5b93947c5..6578961902 100644 --- a/lib/std/crypto/benchmark.zig +++ b/lib/std/crypto/benchmark.zig @@ -149,7 +149,8 @@ const aeads = [_]Crypto{ Crypto{ .ty = crypto.aead.ChaCha20Poly1305, .name = "chacha20Poly1305" }, Crypto{ .ty = crypto.aead.XChaCha20Poly1305, .name = "xchacha20Poly1305" }, Crypto{ .ty = crypto.aead.Gimli, .name = "gimli-aead" }, - Crypto{ .ty = crypto.aead.AEGIS128L, .name = "aegis128l" }, + Crypto{ .ty = crypto.aead.AEGIS128L, .name = "aegis-128l" }, + Crypto{ .ty = crypto.aead.AEGIS256, .name = "aegis-256" }, }; pub fn benchmarkAead(comptime Aead: anytype, comptime bytes: comptime_int) !u64 { From 8d67f15d36bdd1a094596876796c77606a5e4a83 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 28 Sep 2020 15:02:11 +0200 Subject: [PATCH 15/15] aegis: add test vectors, and link to the latest version of the spec --- lib/std/crypto/aegis.zig | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/lib/std/crypto/aegis.zig b/lib/std/crypto/aegis.zig index 7ea7136f1e..cb9e4cabe9 100644 --- a/lib/std/crypto/aegis.zig +++ b/lib/std/crypto/aegis.zig @@ -85,7 +85,7 @@ const State128L = struct { /// The 128L variant of AEGIS has a 128 bit key, a 128 bit nonce, and processes 256 bit message blocks. /// It was designed to fully exploit the parallelism and built-in AES support of recent Intel and ARM CPUs. /// -/// https://eprint.iacr.org/2013/695.pdf +/// https://competitions.cr.yp.to/round3/aegisv11.pdf pub const AEGIS128L = struct { pub const tag_length = 16; pub const nonce_length = 16; @@ -247,7 +247,7 @@ const State256 = struct { /// /// The 256 bit variant of AEGIS has a 256 bit key, a 256 bit nonce, and processes 128 bit message blocks. /// -/// https://eprint.iacr.org/2013/695.pdf +/// https://competitions.cr.yp.to/round3/aegisv11.pdf pub const AEGIS256 = struct { pub const tag_length = 16; pub const nonce_length = 32; @@ -374,6 +374,22 @@ test "AEGIS128L test vector 2" { htest.assertEqual("f4d997cc9b94227ada4fe4165422b1c8", &tag); } +test "AEGIS128L test vector 3" { + const key: [AEGIS128L.key_length]u8 = [_]u8{0x00} ** 16; + const nonce: [AEGIS128L.nonce_length]u8 = [_]u8{0x00} ** 16; + const ad = [_]u8{}; + const m = [_]u8{}; + var c: [m.len]u8 = undefined; + var m2: [m.len]u8 = undefined; + var tag: [AEGIS128L.tag_length]u8 = undefined; + + AEGIS128L.encrypt(&c, &tag, &m, &ad, nonce, key); + try AEGIS128L.decrypt(&m2, &c, tag, &ad, nonce, key); + testing.expectEqualSlices(u8, &m, &m2); + + htest.assertEqual("83cc600dc4e3e7e62d4055826174f149", &tag); +} + test "AEGIS256 test vector 1" { const key: [AEGIS256.key_length]u8 = [_]u8{ 0x10, 0x01 } ++ [_]u8{0x00} ** 30; const nonce: [AEGIS256.nonce_length]u8 = [_]u8{ 0x10, 0x00, 0x02 } ++ [_]u8{0x00} ** 29; @@ -413,3 +429,19 @@ test "AEGIS256 test vector 2" { htest.assertEqual("b98f03a947807713d75a4fff9fc277a6", &c); htest.assertEqual("478f3b50dc478ef7d5cf2d0f7cc13180", &tag); } + +test "AEGIS256 test vector 3" { + const key: [AEGIS256.key_length]u8 = [_]u8{0x00} ** 32; + const nonce: [AEGIS256.nonce_length]u8 = [_]u8{0x00} ** 32; + const ad = [_]u8{}; + const m = [_]u8{}; + var c: [m.len]u8 = undefined; + var m2: [m.len]u8 = undefined; + var tag: [AEGIS256.tag_length]u8 = undefined; + + AEGIS256.encrypt(&c, &tag, &m, &ad, nonce, key); + try AEGIS256.decrypt(&m2, &c, tag, &ad, nonce, key); + testing.expectEqualSlices(u8, &m, &m2); + + htest.assertEqual("f7a0878f68bd083e8065354071fc27c3", &tag); +}