authorDavid Hook <dgh@cryptoworkshop.com>2014-06-21 08:25:51 +0400
committerDavid Hook <dgh@cryptoworkshop.com>2014-06-21 08:25:51 +0400
commitced5721f840a6d816c81ff9f90cb9cca2efcd427 (patch)
treebe4a8b640cbd82bf8c5273a6a3cba61a2d7e6553
parent440199f57f9b1c49a3c8b5885745886c53daa22f (diff)
parent98dddf1380e0118cbb5969773d9fe884fda9af79 (diff)
Merge remote-tracking branch 'origin/master'
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/macs/GMac.java3
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java11
-rw-r--r--core/src/main/javadoc/org/bouncycastle/math/custom/djb/package.html7
-rw-r--r--core/src/main/javadoc/org/bouncycastle/math/custom/sec/package.html6
-rw-r--r--core/src/main/javadoc/org/bouncycastle/math/raw/package.html5
-rw-r--r--docs/releasenotes.html2
-rw-r--r--docs/specifications.html4
7 files changed, 30 insertions, 8 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/GMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/GMac.java
index 89a0f7e1..b34f9ea5 100644
--- a/core/src/main/java/org/bouncycastle/crypto/macs/GMac.java
+++ b/core/src/main/java/org/bouncycastle/crypto/macs/GMac.java
@@ -40,7 +40,8 @@ public class GMac implements Mac
* Creates a GMAC based on the operation of a 128 bit block cipher in GCM mode.
*
* @param macSizeBits
- * the mac size to generate, in bits. Must be a multiple of 8 and &gt;= 96 and &lt;= 128.
+ * the mac size to generate, in bits. Must be a multiple of 8 and &gt;= 32 and &lt;= 128.
+ * Sizes less than 96 are not recommended, but are supported for specialized applications.
* @param cipher
* the cipher to be used in GCM mode to generate the MAC.
*/
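Review bot: The reworded `@param macSizeBits` line says sizes below 96 are "not recommended" but gives the caller neither the reason nor the conditions, and nothing in the constructor can enforce them: NIST SP 800-38D, Appendix C, ties 32- and 64-bit tags to limits on the number of invocations and on the combined plaintext/AAD length per invocation. I would add to the Javadoc `* Callers choosing a size below 96 bits are responsible for observing the usage limits of NIST SP 800-38D Appendix C (maximum invocations and input length per tag size).` The same caveat belongs on the new `init` Javadoc in GCMBlockCipher.java, where the relaxed check `macSizeBits < 32` now admits those sizes. The constructor's Javadoc block starts before this hunk and the constructor body lies outside it.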
diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java
index 4094dc59..0d458c46 100644
--- a/core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java
+++ b/core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java
@@ -82,6 +82,10 @@ public class GCMBlockCipher
return cipher.getAlgorithmName() + "/GCM";
}
+ /**
+ * NOTE: MAC sizes from 32 bits to 128 bits (must be a multiple of 8) are supported. The default is 128 bits.
+ * Sizes less than 96 are not recommended, but are supported for specialized applications.
+ */
public void init(boolean forEncryption, CipherParameters params)
throws IllegalArgumentException
{
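Review bot: The new Javadoc on `init` is a free-form NOTE rather than a method contract, although this is the public entry point that rejects unsupported sizes and the rejection should be visible as a tag in generated docs. I would add `* @throws IllegalArgumentException if the MAC size is not a multiple of 8 between 32 and 128 bits` (and, judging by the later hunk, when the IV is empty) together with `@param forEncryption` and `@param params` lines describing the two arguments. The body of `init` continues past the hunk, so any further rejections it performs would need listing as well.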
@@ -98,7 +102,7 @@ public class GCMBlockCipher
initialAssociatedText = param.getAssociatedText();
int macSizeBits = param.getMacSize();
- if (macSizeBits < 96 || macSizeBits > 128 || macSizeBits % 8 != 0)
+ if (macSizeBits < 32 || macSizeBits > 128 || macSizeBits % 8 != 0)
{
throw new IllegalArgumentException("Invalid value for MAC size: " + macSizeBits);
}
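Review bot: The message in the `throw` directly under the relaxed `macSizeBits < 32` check reports only the offending value, so a caller that trips it learns neither the new lower bound nor the multiple-of-8 requirement. I would change it to `throw new IllegalArgumentException("Invalid value for MAC size: " + macSizeBits + " (must be a multiple of 8 between 32 and 128)");` so the exception carries the rule the condition enforces. The enclosing `init` starts and ends outside this hunk.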
@@ -128,9 +132,7 @@ public class GCMBlockCipher
throw new IllegalArgumentException("IV must be at least 1 byte");
}
- // TODO This should be configurable by init parameters
- // (but must be 16 if nonce length not 12) (BLOCK_SIZE?)
-// this.tagLength = 16;
+ // TODO Restrict macSize to 16 if nonce length not 12?
// Cipher always used in forward mode
// if keyParam is null we're reusing the last key.
@@ -389,7 +391,6 @@ public class GCMBlockCipher
gHASHBlock(S, X);
- // TODO Fix this if tagLength becomes configurable
// T = MSBt(GCTRk(J0,S))
byte[] tag = new byte[BLOCK_SIZE];
cipher.processBlock(J0, 0, tag, 0);
diff --git a/core/src/main/javadoc/org/bouncycastle/math/custom/djb/package.html b/core/src/main/javadoc/org/bouncycastle/math/custom/djb/package.html
new file mode 100644
index 00000000..344418b9
--- /dev/null
+++ b/core/src/main/javadoc/org/bouncycastle/math/custom/djb/package.html
@@ -0,0 +1,7 @@
+<html>
+<body bgcolor="#ffffff">
+Experimental implementation of curve25519. Note that the curve implementation is in the short-Weierstrass form,
+which is not the recommended (nor most suitable) approach. In particular, the input/output conventions are not
+compliant with standard implementations, and point conversions would be needed to interoperate.
+</body>
+</html>
diff --git a/core/src/main/javadoc/org/bouncycastle/math/custom/sec/package.html b/core/src/main/javadoc/org/bouncycastle/math/custom/sec/package.html
new file mode 100644
index 00000000..bb2845c3
--- /dev/null
+++ b/core/src/main/javadoc/org/bouncycastle/math/custom/sec/package.html
@@ -0,0 +1,6 @@
+<html>
+<body bgcolor="#ffffff">
+Custom implementations of (most of) the curves over Fp from the SEC specification. Uses the new "raw" math classes
+in place of BigInteger, and includes customized modular reductions taking advantage of the special forms of the primes.
+</body>
+</html>
diff --git a/core/src/main/javadoc/org/bouncycastle/math/raw/package.html b/core/src/main/javadoc/org/bouncycastle/math/raw/package.html
new file mode 100644
index 00000000..061958b7
--- /dev/null
+++ b/core/src/main/javadoc/org/bouncycastle/math/raw/package.html
@@ -0,0 +1,5 @@
+<html>
+<body bgcolor="#ffffff">
+Math support for raw multi-precision calculations.
+</body>
+</html>
diff --git a/docs/releasenotes.html b/docs/releasenotes.html
index 04899a60..7d1febd9 100644
--- a/docs/releasenotes.html
+++ b/docs/releasenotes.html
@@ -38,6 +38,8 @@ Release 1.51
<li>Support has been add for RFC5649 key wrapping using AES.</li>
<li>The PGP API now allows access and handling of User IDs as raw byte arrays, to deal with keyrings not using UTF-8.</li>
<li>The PGP API now provides automatic conversion of embedded signatures in signature sub-packet vectors.</li>
+<li>GCM and GMAC now support tag lengths down to 32 bits.</li>
+<li>Custom implementations for many of the SEC Fp curves have been added, resulting in drastically improved performance. The current list includes all secp***k1 and secp***r1 curves from 192 to 521 bits. They can be accessed via the org.bouncycastle.crypto.ec.CustomNamedCurves class and are generally selected by other internal APIs in place of the generic implementations.</li>
</ul>
<h3>2.1.4 Notes</h3>
<ul>
diff --git a/docs/specifications.html b/docs/specifications.html
index 0deaa595..89582ab0 100644
--- a/docs/specifications.html
+++ b/docs/specifications.html
@@ -317,7 +317,7 @@ implementations
<tr><td><b>CBCBlockCipherMac</b></td><td>blocksize/2 unless specified</td><td>&nbsp;</td></tr>
<tr><td><b>CFBBlockCipherMac</b></td><td>blocksize/2, in CFB 8 mode, unless specified</td><td>&nbsp;</td></tr>
<tr><td><b>CMac</b></td><td>24 to 128 bits</td><td>Usable with block ciphers, NIST SP 800-38B.</td></tr>
-<tr><td><b>GMac</b></td><td>96 to 128 bits</td><td>Usable with GCM mode ciphers, defined for AES, NIST SP 800-38D.</td></tr>
+<tr><td><b>GMac</b></td><td>32 to 128 bits</td><td>Usable with GCM mode ciphers, defined for AES, NIST SP 800-38D.</td></tr>
<tr><td><b>GOST28147Mac</b></td><td>32 bits</td><td>&nbsp;</td></tr>
<tr><td><b>ISO9797Alg3Mac</b></td><td>multiple of 8 bits up to underlying cipher size.</td><td>&nbsp;</td></tr>
<tr><td><b>HMac</b></td><td>digest length</td><td>&nbsp;</td></tr>
@@ -699,7 +699,7 @@ change as the draft is finalised.
<table cellpadding=5 cellspacing=0 border=1 width=80%>
<tr><th>Name</th><th>Output (in bits)</th><th>Notes</th></tr>
<tr><td>Any MAC based on a block cipher, CBC (the default) and CFB modes.</td><td>half the cipher's block size (usually 32 bits)</td><td>&nbsp;</td></tr>
-<tr><td>*-GMAC</td><td>96 to 128 bits</td><td>Usable with GCM mode ciphers, defined for AES, NIST SP 800-38D. e.g. AES-GMAC.</td></tr>
+<tr><td>*-GMAC</td><td>32 to 128 bits</td><td>Usable with GCM mode ciphers, defined for AES, NIST SP 800-38D. e.g. AES-GMAC.</td></tr>
<tr><td>VMPC-MAC</td><td>128</td><td>&nbsp;</td></tr>
<tr><td>HMac-MD2</td><td>128</td><td>&nbsp;</td></tr>
<tr><td>HMac-MD4</td><td>128</td><td>&nbsp;</td></tr>