We tweaked ChaCha to arrive at the IETF's implementation specified by RFC 7539. We are not sure how to handle block counter wrap. At the moment the caller is responsible for managing it. We were not able to find a reference implementation so we disable SIMD implementations like SSE, AVX, NEON and Power4. We need the wide block tests for corner cases to ensure our implementation is correct.
Use std::ostringstream instead. Eventually I'd like to see the output stream passed into the function of interest. It will avoid problems on some mobile OSes that don't have standard inputs and outputs.
TweetNaCl is a compact reimplementation of the NaCl library by Daniel J. Bernstein, Bernard van Gastel, Wesley Janssen, Tanja Lange, Peter Schwabe and Sjaak Smetsers. The library is less than 20 KB in size and provides 25 of the NaCl library functions.
The compact library uses curve25519, XSalsa20, Poly1305 and SHA-512 as default primitives, and includes both x25519 key exchange and ed25519 signatures. The complete list of functions can be found in TweetNaCl: A crypto library in 100 tweets (20140917), Table 1, page 5.
Crypto++ retained the function names and signatures but switched to data types provided by <stdint.h> to promote interoperability with Crypto++ and avoid size problems on platforms like Cygwin. For example, NaCl typdef'd u64 as an unsigned long long, but Cygwin, MinGW and MSYS are LP64 systems (not LLP64 systems). In addition, Crypto++ was missing NaCl's signed 64-bit integer i64.
Crypto++ enforces the 0-key restriction due to small points. The TweetNaCl library allowed the 0-keys to small points. Also see RFC 7748, Elliptic Curves for Security, Section 6.
TweetNaCl is well written but not well optimized. It runs 2x to 3x slower than optimized routines from libsodium. However, the library is still 2x to 4x faster than the algorithms NaCl was designed to replace.
The Crypto++ wrapper for TweetNaCl requires OS features. That is, NO_OS_DEPENDENCE cannot be defined. It is due to TweetNaCl's internal function randombytes. Crypto++ used DefaultAutoSeededRNG within randombytes, so OS integration must be enabled. You can use another generator like RDRAND to avoid the restriction.
They seemed to produce a hang when running self tests in AppVeyor.
Also use IsDebuggerPresent() to determine when we should call DebugBreak(). The OS killed our debug build when fuzzing caused an assert to fail
We have not been able to determine a reliable way to detect cpu's and platforms with Cmake. We are side stepping the Cmake problem by building rdrand.cpp all the time. If its not avilable for a cpu or platform, then RDRAND or RDSEED throw an exception.
Most of these appear to have been cleared over the last couple of years.
C4127 is too prevelant. We are probably going to have to live with it.
We may be able to clear C4250 with a using statement. For example 'using ASN1CryptoMaterial::Load'.
MSVC resisted clearing C4661 by pushing/poping in iterhash.h and osrng.h. It was like MSVC simply ignored it.
CRYPTOPP_COVERAGE was added at 9614307ab7 to increase code coverage support. This commit enables additional validation routines when CRYPTOPP_COVERAGE is in effect.
Jeffrey Walton
orangefour
Linmao Song