Ryan Culpepper edited this page Jul 11, 2018 · 42 revisions

Implementation

  • add exn tests to make sure
    • KDF errors raise an exception and never produce an all-zero key!
    • unauthenticated decryption (e.g. AEAD tag missing or tag check failed) yields no data (?)
  • change make-decrypt-context to buffer data by default for AEAD (so no plaintext is released before the tag is verified)
  • deterministic ECDSA (RFC 6979)?
  • find and add more providers
  • double-check library initialization
  • lazy loading for crypto factories?
  • protect unsafe method names
  • CMS (Cryptographic Message Syntax) ASN.1?

libcrypto

  • other standard output formats

Nettle

  • add pkey RSA OAEP support? (needs a Racket implementation of OAEP padding)

GCrypt

Interfaces

Testing

  • test digests with a key (keyed-digest / HMAC path)
  • stress tests
  • test for memory leaks

Long term / Far out / Unlikely

  • encrypted PKCS#8 support: RFC 5958 (EncryptedPrivateKeyInfo)

  • password hashing, storage, validation (cf passlib?) (not just raw kdfs)

  • key management (PKCS_?), etc?

  • securing key storage memory

    • "zero memory when done with" (memset, variants of memset that don't get optimized away)
    • advice: "don't swap key memory to disk" (gcry_malloc_secure, mlock)
    • problems:
      • GC can create copies (maybe malloc 'atomic-interior (non-moving) memory?)
      • IO can create copies, eg read pkcs8 from file, decode... file buffer may linger
    • partial solutions:
      • make-crypto-bytes: malloc 'atomic-interior (non-moving), attach zeroing finalizer
    • may need to create alt path that circumvents Racket code as much as possible
    • alternative: write crypto core in C (or similar), bind to Racket
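Sketch of what the "zero memory when done with it" and "don't swap key memory to disk" items look like at the C level, i.e. what a native core (or an FFI helper called from make-crypto-bytes) would provide. This is an added example written for this page, not code from the Racket crypto library; the names secure_zero, secret_buf and the constructed 16-byte key material are assumptions. It reaches memset through a volatile function pointer so the compiler cannot drop the wipe as a dead store (platform-specific alternatives such as explicit_bzero or memset_s do the same job where available), and it pins the buffer with mlock but treats a failed mlock as a recorded condition rather than a fatal error. It does not address the Racket-side problems listed above (GC copies, lingering I/O buffers), which need the non-moving allocation and finalizer described there.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* memset reached through a volatile function pointer: the compiler must
   assume the pointer may change at runtime, so it cannot elide the call as
   a dead store on a buffer that is about to be freed. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    if (p != NULL && n > 0)
        secure_memset(p, 0, n);
}

/* Heap buffer for key material: zeroed on wipe/free and, where the OS
   allows it, pinned with mlock so its pages are not swapped to disk. */
typedef struct {
    unsigned char *buf;
    size_t len;
    int locked;   /* 1 if mlock succeeded, 0 if it failed (e.g. RLIMIT_MEMLOCK) */
} secret_buf;

/* Returns 0 on success, -1 on allocation failure or zero length. A failed
   mlock is not fatal: the buffer is usable, but `locked` records that it
   may be swapped so the caller can decide whether that is acceptable. */
int secret_buf_alloc(secret_buf *s, size_t len)
{
    s->buf = NULL;
    s->len = 0;
    s->locked = 0;
    if (len == 0)
        return -1;
    s->buf = calloc(1, len);
    if (s->buf == NULL)
        return -1;
    s->len = len;
    s->locked = (mlock(s->buf, len) == 0) ? 1 : 0;
    return 0;
}

/* Overwrite the contents but keep the allocation (e.g. before reuse). */
void secret_buf_wipe(secret_buf *s)
{
    if (s->buf != NULL)
        secure_zero(s->buf, s->len);
}

/* Wipe, unpin and release. Calling it twice is a no-op the second time. */
void secret_buf_free(secret_buf *s)
{
    if (s->buf == NULL)
        return;
    secure_zero(s->buf, s->len);
    if (s->locked)
        munlock(s->buf, s->len);
    free(s->buf);
    s->buf = NULL;
    s->len = 0;
    s->locked = 0;
}

/* Returns 1 if every byte is zero (or the buffer is released), else 0. */
int secret_buf_is_zeroed(const secret_buf *s)
{
    size_t i;
    if (s->buf == NULL)
        return 1;
    for (i = 0; i < s->len; i++)
        if (s->buf[i] != 0)
            return 0;
    return 1;
}

/* Load constructed (not real) key material, "use" it, wipe, release.
   Returns 0 on success, -1 on any failure. */
int demo(void)
{
    static const unsigned char key_material[16] = "constructed-key!";
    secret_buf k;
    if (secret_buf_alloc(&k, sizeof key_material) != 0)
        return -1;
    memcpy(k.buf, key_material, sizeof key_material);
    /* ... hand k.buf to a cipher here ... */
    secret_buf_wipe(&k);
    if (!secret_buf_is_zeroed(&k))
        return -1;
    secret_buf_free(&k);
    return 0;
}

int main(void)
{
    return demo() == 0 ? 0 : 1;
}
```

The `locked` flag is the check a practitioner wants: on a box with a small RLIMIT_MEMLOCK the mlock silently fails, and a library that treats the buffer as "secure" without recording that would be lying to its caller.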
