Merge branch 'main' into main

diskuv · Feb 9, 2024 · 4f236b3 · 4f236b3
2 parents d475557 + 33bde01
commit 4f236b3
Show file tree

Hide file tree

Showing 21 changed files with 7,059 additions and 14 deletions.
diff --git a/.ci/dkml-compilers/pc/setup-dkml-windows_x86.ps1 b/.ci/dkml-compilers/pc/setup-dkml-windows_x86.ps1
diff --git a/.ci/dkml-compilers/pc/setup-dkml-windows_x86_64.ps1 b/.ci/dkml-compilers/pc/setup-dkml-windows_x86_64.ps1
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -1,5 +1,5 @@
 freebsd_instance:
-  image_family: freebsd-12-2
+  image_family: freebsd-13-2
 
 freebsd_task:
   env:

diff --git a/.gitattributes b/.gitattributes
@@ -1 +1,7 @@
 *.ml linguist-language=OCaml
+
+# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_character_encoding?view=powershell-7.1
+*.ps1 text working-tree-encoding=UTF-16 eol=crlf
+*.psm1 text working-tree-encoding=UTF-16 eol=crlf
+# Other file types that must be CRLF
+*.sln text eol=crlf
diff --git a/.github/workflows/dkml.yml b/.github/workflows/dkml.yml
@@ -0,0 +1,106 @@
+##########################################################################
+# File: dktool/cmake/scripts/dkml/workflow/compilers-github-workflows-dkml.in.yml#
+#                                                                        #
+# Copyright 2022 Diskuv, Inc.                                            #
+#                                                                        #
+# Licensed under the Apache License, Version 2.0 (the "License");        #
+# you may not use this file except in compliance with the License.       #
+# You may obtain a copy of the License at                                #
+#                                                                        #
+#     http://www.apache.org/licenses/LICENSE-2.0                         #
+#                                                                        #
+# Unless required by applicable law or agreed to in writing, software    #
+# distributed under the License is distributed on an "AS IS" BASIS,      #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or        #
+# implied. See the License for the specific language governing           #
+# permissions and limitations under the License.                         #
+#                                                                        #
+##########################################################################
+
+# Updating
+# --------
+#
+# 1. Delete this file.
+# 2. Run dk with your original arguments:
+#        ./dk dkml.workflow.compilers CI GitHub Desktop OS Windows
+#    or get help to come up with new arguments:
+#        ./dk dkml.workflow.compilers HELP
+
+name: Build with DkML compiler
+
+on:
+  # trigger on any push
+  push:
+  # ... or trigger manually from GitHub web interface
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include: #
+          - gh_os: windows-2019
+            abi_pattern: win32-windows_x86
+            dkml_host_abi: windows_x86
+          - gh_os: windows-2019
+            abi_pattern: win32-windows_x86_64
+            dkml_host_abi: windows_x86_64
+
+    runs-on: ${{ matrix.gh_os }}
+    name: build / ${{ matrix.abi_pattern }}
+
+    # mirage-crypto does not support MSVC as of 2023-09-03. Remove
+    # this when MSVC is properly supported.
+    continue-on-error: true
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Cache DkML compilers code
+        uses: actions/cache@v3
+        id: cache-dkml-compilers
+        with:
+          path: .ci/dkml-compilers
+          key: ${{ runner.os }}
+
+      - name: Checkout DkML compilers code
+        if: steps.cache-dkml-compilers.outputs.cache-hit != 'true'
+        # For help: ./dk dkml.workflow.compilers HELP
+        run: ./dk dkml.workflow.compilers CI GitHub
+
+      # The .ci/dkml-compilers "pre" actions will create the environment variables:
+      #   opam_root, exe_ext, dkml_host_abi, abi_pattern (and many more)
+      #
+      - name: Setup DkML compilers on a Windows host
+        if: startsWith(matrix.dkml_host_abi, 'windows_')
+        uses: ./.ci/dkml-compilers/gh-windows/pre
+        with:
+          DKML_COMPILER: ${{ env.DKML_COMPILER }}
+          CACHE_PREFIX: ${{ env.CACHE_PREFIX }}
+
+      # This section is for your own build logic which you should place in
+      # ci/build-test.sh or a similar file
+
+      - name: Build and test on Windows host
+        if: startsWith(matrix.dkml_host_abi, 'windows_')
+        shell: msys2 {0}
+        run: ci/build-test.sh
+
+      - name: Build and test on non-Windows host
+        if: "!startsWith(matrix.dkml_host_abi, 'windows_')"
+        run: ci/build-test.sh
+
+      # The .ci/dkml-compilers "post" actions will finalize caching, etc.
+
+      - name: Teardown DkML compilers on a Windows host
+        if: startsWith(matrix.dkml_host_abi, 'windows_')
+        uses: ./.ci/dkml-compilers/gh-windows/post
+
+      - name: Teardown DkML compilers on a Darwin host
+        if: startsWith(matrix.dkml_host_abi, 'darwin_')
+        uses: ./.ci/dkml-compilers/gh-darwin/post
+
+      - name: Teardown DkML compilers on a Linux host
+        if: startsWith(matrix.dkml_host_abi, 'linux_')
+        uses: ./.ci/dkml-compilers/gh-linux/post
diff --git a/.gitignore b/.gitignore
@@ -15,3 +15,13 @@ mirage/myocamlbuild.ml
 mirage/.mirage.config
 _opam
 *.install
+
+# CI using dkml-workflows' DkML compilers.
+#   DkML compilers populate the .opam folder.
+/.opam/
+#   GitHub, unlike GitLab, does not need its CI files to exist
+#   before referencing them. That means the GitHub scripts do not need
+#   to be checked in.
+/.ci/dkml-compilers/gh-*
+#   Desktop testing on Windows uses MSYS2.
+/msys64/
diff --git a/.test-mirage.sh b/.test-mirage.sh
@@ -3,9 +3,9 @@
 set -ex
 
 opam install --confirm-level=unsafe-yes "mirage>4"
-# to satisfy hardcoded version constraints in mirage, we need to be < 0.11.0
+# to satisfy hardcoded version constraints in mirage, we need to be < 0.12.0
 # and "dune subst" doesn't work on these PR checkouts
-version='version: "0.10.99~dev"'
+version='version: "0.11.99~dev"'
 echo $version >> mirage-crypto-rng-mirage.opam
 echo $version >> mirage-crypto-rng.opam
 echo $version >> mirage-crypto.opam

diff --git a/CHANGES.md b/CHANGES.md
@@ -1,3 +1,10 @@
+## unreleased
+
+* mirage-crypto-rng: support Loongarch (#190 @fangyaling, review @loongson-zn)
+* mirage-crypto-rng: support NetBSD (#189 @drchrispinnock)
+* mirage-crypto-rng: allocate less in Fortuna when feeding (#188 @hannesm,
+  reported by @palainp)
+
 ## v0.11.2 (2023-09-18)
 
 * mirage-crypto-rng-eio: improve portability by using eio 0.7's monotonic clock
@@ -46,7 +53,7 @@
 - remove mirage 3 cross-compilation runes (#163 @hannesm)
 - CI: mirage-crypto-rng-eio requires ocaml 5 and dune 2.7 (#170 @hannesm, fixes
   #169 thanks to @bikallem @talex5)
-- CI: use miage 4 (#166 @hannesm)
+- CI: use mirage 4 (#166 @hannesm)
 
 ## v0.10.7 (2022-09-13)
 

diff --git a/bench/dune b/bench/dune
@@ -2,4 +2,4 @@
  (names speed)
  (modules speed)
  (libraries mirage-crypto mirage-crypto-rng mirage-crypto-rng.unix
-   mirage-crypto-pk))
+   mirage-crypto-pk mirage-crypto-ec))
diff --git a/bench/speed.ml b/bench/speed.ml
@@ -179,6 +179,67 @@ let dh_secrets =
          "60057457975706301816395663645420233759377744187465730049174048360108513636349450241008234412972340882517684187851" ;
        ])
 
+let ecdsa_p224 =
+  Result.get_ok
+    (Mirage_crypto_ec.P224.Dsa.priv_of_cstruct
+       (Cstruct.of_hex "f254645834cfff245599be937a00535f6a2c8b00dc34bdf50df68903"))
+
+let ecdsa_p224_sig () =
+  Mirage_crypto_ec.P224.Dsa.sign ~key:ecdsa_p224 (Cstruct.sub msg 0 28)
+
+let ecdsa_p256 =
+  Result.get_ok
+    (Mirage_crypto_ec.P256.Dsa.priv_of_cstruct
+       (Cstruct.of_hex "089f4ffcccf9ba13fedd0942ef08cf2d909f32e2934ab5c93b6c99be5a9ff527"))
+
+let ecdsa_p256_sig () =
+  Mirage_crypto_ec.P256.Dsa.sign ~key:ecdsa_p256 (Cstruct.sub msg 0 32)
+
+let ecdsa_p384 =
+  Result.get_ok
+    (Mirage_crypto_ec.P384.Dsa.priv_of_cstruct
+       (Cstruct.of_hex "f5c0c9fb95178641af76f3831f41e2d37cfaafffc7e60172cfb089fe604b56a61c7c31a6904b3b5d08207a4b81e25ea5"))
+
+let ecdsa_p384_sig () =
+  Mirage_crypto_ec.P384.Dsa.sign ~key:ecdsa_p384 (Cstruct.sub msg 0 48)
+
+let ecdsa_p521 =
+  Result.get_ok
+    (Mirage_crypto_ec.P521.Dsa.priv_of_cstruct
+       (Cstruct.of_hex "00b18f60c0352ad8e3ef982f1ddfcf6eec7fa6caf0e6f368354a8b02b2d8ac1e059e309891e2bfa85791a5e71b40bdecbf902bf243dc3b0080495cf4d91c78728bd5"))
+
+let ecdsa_p521_sig () =
+  Mirage_crypto_ec.P521.Dsa.sign ~key:ecdsa_p521 (Cstruct.sub msg 0 65)
+
+let ed25519 =
+  Result.get_ok (Mirage_crypto_ec.Ed25519.priv_of_cstruct
+                   (Cstruct.of_hex "3e0ab682171275c569fce9ca8bccd2d2771454a2300c3529f7a4d80b843883bc"))
+
+let ed25519_sig () =
+  Mirage_crypto_ec.Ed25519.sign ~key:ed25519 msg
+
+let ecdsas = [
+  ("P224", `P224 (ecdsa_p224, ecdsa_p224_sig ()));
+  ("P256", `P256 (ecdsa_p256, ecdsa_p256_sig ()));
+  ("P384", `P384 (ecdsa_p384, ecdsa_p384_sig ()));
+  ("P521", `P521 (ecdsa_p521, ecdsa_p521_sig ()));
+  ("Ed25519", `Ed25519 (ed25519, ed25519_sig ()));
+]
+
+let ecdh_shares =
+  [
+    ("P224", `P224 (Mirage_crypto_ec.P224.Dh.secret_of_cs (Cstruct.of_hex "60a814ec54d0c2d28c03ff01df32267d40432311df41aacb2fa5fdf7") |> Result.get_ok |> fst,
+                    Cstruct.of_hex "042d8d91c909fdab2f7f0c33466dd74697e5166d378982e9ecf5492cb32d69d7eb96dc57d775b70d56237f8ec49e5752c87542dc41dc5049d2"));
+    ("P256", `P256 (Mirage_crypto_ec.P256.Dh.secret_of_cs (Cstruct.of_hex "470d57706c7706b68a3f423aeaf4ff7fdd02494a10d3e381c3c11f7276802cdc") |> Result.get_ok |> fst,
+                    Cstruct.of_hex "0411b3fc82721c269a19909a3b2fc26d9895826d0cfcbc1f7626e488f01f4ca6b5c5ed76adee7af81bb20b17cf231cbf0c67db0295d68d1d92c2d2a5a80638d78d"));
+    ("P384", `P384 (Mirage_crypto_ec.P384.Dh.secret_of_cs (Cstruct.of_hex "ee55e29b61752d5a3e525656db8bd8fe6f94fab8aacc9e92acff4c4812bf7a6187aba46cc60ab8f08efcf2d574584b74") |> Result.get_ok |> fst,
+                    Cstruct.of_hex "040489cf24bc80bf89fdfe9c05ecc39f6916ad4509d9398597950d3d24e828f6bf56ba4ad6d21ed7863bed68e413364bd4c7b1e9047d36124c6953be7c61209cb3fc56452f7305293783c7c0ed929d6c98c7bc97f60a72ed2269a8eb19bb7ee131"));
+    ("P521", `P521 (Mirage_crypto_ec.P521.Dh.secret_of_cs (Cstruct.of_hex "00aa470ba1cc843ba314821e72de4cd299aec1f26e9d64a0d87db18a3da9f65c45ecfcc5617ff0d73b2e0e1cdff8048e01be5e20149412e7dbfab7feae249b1bfa4d") |> Result.get_ok |> fst,
+                    Cstruct.of_hex "04001d1629eeb1c425f904d755330079d13c77da921e01cf50d717e0d6850a81a3902bb92a03faeacbd6289c1590685a6044b5e94dcfc41deb6a88db62a891b0b893bb00e42a66b2f013bdd0d27d8e07cb35fc3e2c2b22f93ecfd5eab7886197ca073c2c5e6831d65e2d0b8aa408438e49542f05f41c576df70e3caf5bb8227d483094ae58"));
+    ("X25519", `X25519 (Mirage_crypto_ec.X25519.secret_of_cs (Cstruct.of_hex "4c6db7cf935bcf84026178d40c956af09d8e363203490d2c41625acb68b931a4") |> Result.get_ok |> fst,
+                        Cstruct.of_hex "ca19193cf5c0b38c61aa01c172b2e93d16f750d0846277ad322de5e4fb332429"));
+  ]
+
 let bm name f = (name, fun () -> f name)
 
 let benchmarks = [
@@ -245,6 +306,39 @@ let benchmarks = [
         (fun (k, _) -> string_of_int (Z.numbits k.p))
         [dsa_1024,dsa_sig_1024 () ; dsa_2048,dsa_sig_2048 () ; dsa_3072,dsa_sig_3072 ()]);
 
+  bm "ecdsa-generate" (fun name ->
+      let open Mirage_crypto_ec in
+      count name
+        (fun (_, x) -> match x with
+           | `P224 _ -> P224.Dsa.generate () |> ignore
+           | `P256 _ -> P256.Dsa.generate () |> ignore
+           | `P384 _ -> P384.Dsa.generate () |> ignore
+           | `P521 _ -> P521.Dsa.generate () |> ignore
+           | `Ed25519 _ -> Ed25519.generate () |> ignore
+        )
+        fst ecdsas);
+
+  bm "ecdsa-sign" (fun name ->
+      let open Mirage_crypto_ec in
+      count name (fun (_, x) -> match x with
+          | `P224 (key, _) -> P224.Dsa.sign ~key (Cstruct.sub msg 0 28)
+          | `P256 (key, _) -> P256.Dsa.sign ~key (Cstruct.sub msg 0 32)
+          | `P384 (key, _) -> P384.Dsa.sign ~key (Cstruct.sub msg 0 48)
+          | `P521 (key, _) -> P521.Dsa.sign ~key (Cstruct.sub msg 0 65)
+          | `Ed25519 (key, _) -> Ed25519.sign ~key msg, Cstruct.empty
+        )
+        fst ecdsas);
+
+  bm "ecdsa-verify" (fun name ->
+      let open Mirage_crypto_ec in
+      count name (fun (_, x) -> match x with
+          | `P224 (key, signature) -> P224.Dsa.(verify ~key:(pub_of_priv key) signature (Cstruct.sub msg 0 28))
+          | `P256 (key, signature) -> P256.Dsa.(verify ~key:(pub_of_priv key) signature (Cstruct.sub msg 0 32))
+          | `P384 (key, signature) -> P384.Dsa.(verify ~key:(pub_of_priv key) signature (Cstruct.sub msg 0 48))
+          | `P521 (key, signature) -> P521.Dsa.(verify ~key:(pub_of_priv key) signature (Cstruct.sub msg 0 65))
+          | `Ed25519 (key, signature) -> Ed25519.(verify ~key:(pub_of_priv key) signature ~msg)
+        ) fst ecdsas);
+
   bm "dh-secret" (fun name ->
       count name (fun (_, group) -> Mirage_crypto_pk.Dh.gen_key group)
         fst dh_groups);
@@ -254,6 +348,26 @@ let benchmarks = [
           Mirage_crypto_pk.Dh.shared sec share)
         (fun ((g, _), _) -> g) dh_secrets);
 
+  bm "ecdh-secret" (fun name ->
+      let open Mirage_crypto_ec in
+      count name (fun (_, x) -> match x with
+          | `P224 _ -> P224.Dh.gen_key () |> ignore
+          | `P256 _ -> P256.Dh.gen_key () |> ignore
+          | `P384 _ -> P384.Dh.gen_key () |> ignore
+          | `P521 _ -> P521.Dh.gen_key () |> ignore
+          | `X25519 _ -> X25519.gen_key () |> ignore)
+        fst ecdh_shares);
+
+  bm "ecdh-share" (fun name ->
+      let open Mirage_crypto_ec in
+      count name (fun (_, x) -> match x with
+          | `P224 (sec, share) -> P224.Dh.key_exchange sec share |> Result.get_ok |> ignore
+          | `P256 (sec, share) -> P256.Dh.key_exchange sec share |> Result.get_ok |> ignore
+          | `P384 (sec, share) -> P384.Dh.key_exchange sec share |> Result.get_ok |> ignore
+          | `P521 (sec, share) -> P521.Dh.key_exchange sec share |> Result.get_ok |> ignore
+          | `X25519 (sec, share) -> X25519.key_exchange sec share  |> Result.get_ok |> ignore)
+        fst ecdh_shares);
+
   bm "chacha20-poly1305" (fun name ->
       let key = Mirage_crypto.Chacha20.of_secret (Mirage_crypto_rng.generate 32)
       and nonce = Mirage_crypto_rng.generate 8 in

diff --git a/ci/build-test.sh b/ci/build-test.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+##########################################################################
+# File: dktool/cmake/scripts/dkml/workflow/compilers-build-test.in.sh    #
+#                                                                        #
+# Copyright 2022 Diskuv, Inc.                                            #
+#                                                                        #
+# Licensed under the Apache License, Version 2.0 (the "License");        #
+# you may not use this file except in compliance with the License.       #
+# You may obtain a copy of the License at                                #
+#                                                                        #
+#     http://www.apache.org/licenses/LICENSE-2.0                         #
+#                                                                        #
+# Unless required by applicable law or agreed to in writing, software    #
+# distributed under the License is distributed on an "AS IS" BASIS,      #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or        #
+# implied. See the License for the specific language governing           #
+# permissions and limitations under the License.                         #
+#                                                                        #
+##########################################################################
+
+# Updating
+# --------
+#
+# 1. Delete this file.
+# 2. Run dk with your original arguments:
+#        ./dk dkml.workflow.compilers CI GitHub Desktop OS Windows
+#    or get help to come up with new arguments:
+#        ./dk dkml.workflow.compilers HELP
+
+set -euf
+
+# Set project directory
+if [ -n "${CI_PROJECT_DIR:-}" ]; then
+    PROJECT_DIR="$CI_PROJECT_DIR"
+elif [ -n "${PC_PROJECT_DIR:-}" ]; then
+    PROJECT_DIR="$PC_PROJECT_DIR"
+elif [ -n "${GITHUB_WORKSPACE:-}" ]; then
+    PROJECT_DIR="$GITHUB_WORKSPACE"
+else
+    PROJECT_DIR="$PWD"
+fi
+if [ -x /usr/bin/cygpath ]; then
+    PROJECT_DIR=$(/usr/bin/cygpath -au "$PROJECT_DIR")
+fi
+
+# shellcheck disable=SC2154
+echo "
+=============
+build-test.sh
+=============
+.
+---------
+Arguments
+---------
+$*
+.
+------
+Matrix
+------
+dkml_host_abi=$dkml_host_abi
+abi_pattern=$abi_pattern
+opam_root=$opam_root
+exe_ext=${exe_ext:-}
+.
+"
+
+# PATH. Add opamrun
+export PATH="$PROJECT_DIR/.ci/sd4/opamrun:$PATH"
+
+# Initial Diagnostics (optional but useful)
+opamrun switch
+opamrun list
+opamrun var
+opamrun config report
+opamrun option
+opamrun exec -- ocamlc -config
+
+# Update
+opamrun update
+
+# Make your own build logic!
+opamrun install --yes --deps-only -t mirage-crypto mirage-crypto-rng mirage-crypto-rng-lwt mirage-crypto-rng-mirage mirage-crypto-pk mirage-crypto-ec
+opamrun exec -- dune build -p mirage-crypto,mirage-crypto-rng,mirage-crypto-rng-lwt,mirage-crypto-rng-mirage,mirage-crypto-pk,mirage-crypto-ec
+opamrun exec -- dune runtest -p mirage-crypto,mirage-crypto-rng,mirage-crypto-rng-lwt,mirage-crypto-rng-mirage,mirage-crypto-pk,mirage-crypto-ec