nettle-bugs

nettle-bugs@lists.lysator.liu.se

3 participants
2194 discussions

[PATCH libdrm v2 1/2] examples: don't use deprecated OpenSSL hashing API
by Emil Velikov 28 May '20

28 May '20

The direct $HASH_{Init,Update,Final} has been discouraged for a while. With the upcoming OpenSSL 3.0 it will be officially deprecated. Add a handy macro, to avoid repetition and mistakes like in the current code. Namely - we're using SHA cblock/digest_len for md5 :-\ The macro will also make it easier to add more, as seen with next patch. v2: Align it with the crypto implementations, namely: - use openssh_hash_ctx::evp, use correct sizeof() - move hash_update out of the macro - remove forward declarations for hash functions Signed-off-by: Emil Velikov <emil.l.velikov(a)gmail.com> --- examples/nettle-openssl.c | 110 +++++++++++++++----------------------- 1 file changed, 44 insertions(+), 66 deletions(-) diff --git a/examples/nettle-openssl.c b/examples/nettle-openssl.c index bb2e6627..3c487013 100644 --- a/examples/nettle-openssl.c +++ b/examples/nettle-openssl.c @@ -62,6 +62,13 @@ struct openssl_cipher_ctx { EVP_CIPHER_CTX *evp; }; +/* We use Openssl's EVP api for all openssl hashes. This API selects + platform-specific implementations if appropriate, e.g., using x86 + AES-NI instructions. */ +struct openssl_hash_ctx { + EVP_MD_CTX *evp; +}; + void nettle_openssl_init(void) { @@ -383,76 +390,47 @@ nettle_openssl_cast128 = { /* Hash functions */ -/* md5 */ -static nettle_hash_init_func openssl_md5_init; -static void -openssl_md5_init(void *ctx) -{ - MD5_Init(ctx); -} - -static nettle_hash_update_func openssl_md5_update; -static void -openssl_md5_update(void *ctx, - size_t length, - const uint8_t *src) -{ - MD5_Update(ctx, src, length); -} - -static nettle_hash_digest_func openssl_md5_digest; -static void -openssl_md5_digest(void *ctx, - size_t length, uint8_t *dst) -{ - assert(length == SHA_DIGEST_LENGTH); - MD5_Final(dst, ctx); - MD5_Init(ctx); -} - -const struct nettle_hash -nettle_openssl_md5 = { - "openssl md5", sizeof(SHA_CTX), - SHA_DIGEST_LENGTH, SHA_CBLOCK, - openssl_md5_init, - openssl_md5_update, - openssl_md5_digest -}; - -/* sha1 */ -static nettle_hash_init_func openssl_sha1_init; -static void -openssl_sha1_init(void *ctx) -{ - SHA1_Init(ctx); -} - -static nettle_hash_update_func openssl_sha1_update; static void -openssl_sha1_update(void *ctx, +openssl_hash_update(void *p, size_t length, const uint8_t *src) { - SHA1_Update(ctx, src, length); -} + struct openssl_hash_ctx *ctx = p; + EVP_DigestUpdate(ctx->evp, src, length); +} + +#define OPENSSL_HASH(NAME, name) \ +static void \ +openssl_##name##_init(void *p) \ +{ \ + struct openssl_hash_ctx *ctx = p; \ + if ((ctx->evp = EVP_MD_CTX_new()) == NULL) \ + return; \ + \ + EVP_DigestInit(ctx->evp, EVP_##name()); \ +} \ + \ +static void \ +openssl_##name##_digest(void *p, \ + size_t length, uint8_t *dst) \ +{ \ + struct openssl_hash_ctx *ctx = p; \ + assert(length == NAME##_DIGEST_LENGTH); \ + \ + EVP_DigestFinal(ctx->evp, dst, NULL); \ + EVP_DigestInit(ctx->evp, EVP_##name()); \ +} \ + \ +const struct nettle_hash \ +nettle_openssl_##name = { \ + "openssl " #name, sizeof(struct openssl_hash_ctx), \ + NAME##_DIGEST_LENGTH, NAME##_CBLOCK, \ + openssl_##name##_init, \ + openssl_hash_update, \ + openssl_##name##_digest \ +}; -static nettle_hash_digest_func openssl_sha1_digest; -static void -openssl_sha1_digest(void *ctx, - size_t length, uint8_t *dst) -{ - assert(length == SHA_DIGEST_LENGTH); - SHA1_Final(dst, ctx); - SHA1_Init(ctx); -} +OPENSSL_HASH(MD5, md5) +OPENSSL_HASH(SHA, sha1) -const struct nettle_hash -nettle_openssl_sha1 = { - "openssl sha1", sizeof(SHA_CTX), - SHA_DIGEST_LENGTH, SHA_CBLOCK, - openssl_sha1_init, - openssl_sha1_update, - openssl_sha1_digest -}; - #endif /* WITH_OPENSSL */ -- 2.25.1

3 7

[PATCH] gitlab-ci: reenable GOST compilation
by dbaryshkov＠gmail.com 10 May '20

10 May '20

From: Dmitry Baryshkov <dbaryshkov(a)gmail.com> GnuTLS is now compatible again with Nettle master branch. Remove --disable-gost. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 663f98f5cb8e..5b348f38568f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -100,7 +100,7 @@ build/gnutls: make -j4 && make install - git clone --depth 1 --branch master https://gitlab.com/gnutls/gnutls.git gnutls-git - cd gnutls-git && git submodule update --init && ./bootstrap && - ./configure --disable-gost --disable-cxx --disable-guile --disable-doc && make -j$(nproc) && + ./configure --disable-cxx --disable-guile --disable-doc && make -j$(nproc) && make -j $(nproc) check tags: - shared -- 2.25.0

3 2

[PATCH 1/2] Change ecc_mod_*mul_1 to be per-module callbacks
by dbaryshkov＠gmail.com 08 May '20

08 May '20

From: Dmitry Baryshkov <dbaryshkov(a)gmail.com> GOST curves will require different "fixups" for fast (mul X mod p) operations. Move these operations to ecc_modulo structure and call them via function pointer. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- ecc-add-jja.c | 8 ++++---- ecc-add-jjj.c | 8 ++++---- ecc-curve25519.c | 6 ++++++ ecc-curve448.c | 6 ++++++ ecc-dup-jj.c | 8 ++++---- ecc-gost-gc256b.c | 6 ++++++ ecc-gost-gc512a.c | 6 ++++++ ecc-internal.h | 25 ++++++++++++++++--------- ecc-mod-arith.c | 12 ++++++------ ecc-mul-m.c | 6 +++--- ecc-secp192r1.c | 6 ++++++ ecc-secp224r1.c | 6 ++++++ ecc-secp256r1.c | 6 ++++++ ecc-secp384r1.c | 6 ++++++ ecc-secp521r1.c | 6 ++++++ 15 files changed, 91 insertions(+), 30 deletions(-) diff --git a/ecc-add-jja.c b/ecc-add-jja.c index 037711d38249..55ad954587da 100644 --- a/ecc-add-jja.c +++ b/ecc-add-jja.c @@ -102,10 +102,10 @@ ecc_add_jja (const struct ecc_curve *ecc, /* w */ ecc_mod_mul (&ecc->p, j, y2, w); ecc_mod_sub (&ecc->p, w, j, y1); - ecc_mod_mul_1 (&ecc->p, w, w, 2); + ecc->p.mul_1 (&ecc->p, w, w, 2); /* i replaces hh, j */ - ecc_mod_mul_1 (&ecc->p, hh, hh, 4); + ecc->p.mul_1 (&ecc->p, hh, hh, 4); ecc_mod_mul (&ecc->p, j, hh, h); /* v */ @@ -114,12 +114,12 @@ ecc_add_jja (const struct ecc_curve *ecc, /* x_3, use (h, hh) as sqratch */ ecc_mod_sqr (&ecc->p, h, w); ecc_mod_sub (&ecc->p, r, h, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2); /* y_3, use (h, hh) as sqratch */ ecc_mod_mul (&ecc->p, h, y1, j); /* frees j */ ecc_mod_sub (&ecc->p, r + ecc->p.size, v, r); ecc_mod_mul (&ecc->p, j, r + ecc->p.size, w); - ecc_mod_submul_1 (&ecc->p, j, h, 2); + ecc->p.submul_1 (&ecc->p, j, h, 2); mpn_copyi (r + ecc->p.size, j, ecc->p.size); } diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c index 54b2246aeb24..cad26193234a 100644 --- a/ecc-add-jjj.c +++ b/ecc-add-jjj.c @@ -94,14 +94,14 @@ ecc_add_jjj (const struct ecc_curve *ecc, ecc_mod_mul (&ecc->p, s1, p + ecc->p.size, v); ecc_mod_mul (&ecc->p, v, j, q + ecc->p.size); ecc_mod_sub (&ecc->p, s2, v, s1); - ecc_mod_mul_1 (&ecc->p, s2, s2, 2); + ecc->p.mul_1 (&ecc->p, s2, s2, 2); /* Store z3 */ mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); /* i, j, v */ ecc_mod_sqr (&ecc->p, i, u2); - ecc_mod_mul_1 (&ecc->p, i, i, 4); + ecc->p.mul_1 (&ecc->p, i, i, 4); ecc_mod_mul (&ecc->p, j, u2, i); ecc_mod_mul (&ecc->p, v, u1, i); @@ -109,12 +109,12 @@ ecc_add_jjj (const struct ecc_curve *ecc, /* x3, use u1, u2 as scratch */ ecc_mod_sqr (&ecc->p, u1, s2); ecc_mod_sub (&ecc->p, r, u1, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2); /* y3 */ ecc_mod_mul (&ecc->p, u1, s1, j); /* Frees j */ ecc_mod_sub (&ecc->p, u2, v, r); /* Frees v */ ecc_mod_mul (&ecc->p, i, s2, u2); - ecc_mod_submul_1 (&ecc->p, i, u1, 2); + ecc->p.submul_1 (&ecc->p, i, u1, 2); mpn_copyi (r + ecc->p.size, i, ecc->p.size); } diff --git a/ecc-curve25519.c b/ecc-curve25519.c index f8f2c64af868..04df696f7357 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -310,6 +310,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modp, ecc_curve25519_inv, ecc_curve25519_sqrt, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 253, @@ -329,6 +332,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modq, ecc_mod_inv, NULL, + + NULL, + NULL, }, 0, /* No redc */ diff --git a/ecc-curve448.c b/ecc-curve448.c index 484b7d1e0870..ce7a25d14c4e 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c @@ -288,6 +288,9 @@ const struct ecc_curve _nettle_curve448 = ecc_curve448_modp, ecc_curve448_inv, ecc_curve448_sqrt, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 446, @@ -307,6 +310,9 @@ const struct ecc_curve _nettle_curve448 = ecc_mod, /* FIXME: Implement optimized reduce function */ ecc_mod_inv, NULL, + + NULL, + NULL, }, 0, /* No redc */ diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c index 2247e8fdfd5a..4bbd5163c0e3 100644 --- a/ecc-dup-jj.c +++ b/ecc-dup-jj.c @@ -87,7 +87,7 @@ ecc_dup_jj (const struct ecc_curve *ecc, ecc_mod_add (&ecc->p, sum, xp, delta); ecc_mod_sub (&ecc->p, delta, xp, delta); ecc_mod_mul (&ecc->p, beta, sum, delta); - ecc_mod_mul_1 (&ecc->p, alpha, beta, 3); + ecc->p.mul_1 (&ecc->p, alpha, beta, 3); /* beta */ ecc_mod_mul (&ecc->p, beta, xp, gamma); @@ -95,16 +95,16 @@ ecc_dup_jj (const struct ecc_curve *ecc, /* Do gamma^2 and 4*beta early, to get them out of the way. We can then use the old area at gamma as scratch. */ ecc_mod_sqr (&ecc->p, g2, gamma); - ecc_mod_mul_1 (&ecc->p, sum, beta, 4); + ecc->p.mul_1 (&ecc->p, sum, beta, 4); /* x' */ ecc_mod_sqr (&ecc->p, gamma, alpha); /* Overwrites gamma and beta */ - ecc_mod_submul_1 (&ecc->p, gamma, sum, 2); + ecc->p.submul_1 (&ecc->p, gamma, sum, 2); mpn_copyi (r, gamma, ecc->p.size); /* y' */ ecc_mod_sub (&ecc->p, sum, sum, r); ecc_mod_mul (&ecc->p, gamma, sum, alpha); - ecc_mod_submul_1 (&ecc->p, gamma, g2, 8); + ecc->p.submul_1 (&ecc->p, gamma, g2, 8); mpn_copyi (r + ecc->p.size, gamma, ecc->p.size); } diff --git a/ecc-gost-gc256b.c b/ecc-gost-gc256b.c index a23d46fc8af6..24e1ac6c99a7 100644 --- a/ecc-gost-gc256b.c +++ b/ecc-gost-gc256b.c @@ -77,6 +77,9 @@ const struct ecc_curve _nettle_gost_gc256b = ecc_gost_gc256b_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 256, @@ -96,6 +99,9 @@ const struct ecc_curve _nettle_gost_gc256b = ecc_gost_gc256b_modq, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c index 398762c337d6..5de4eda85d9c 100644 --- a/ecc-gost-gc512a.c +++ b/ecc-gost-gc512a.c @@ -77,6 +77,9 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_gost_gc512a_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 512, @@ -96,6 +99,9 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_gost_gc512a_modq, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-internal.h b/ecc-internal.h index 9e24e0ce4521..e1380bfb2b20 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -44,9 +44,9 @@ #define ecc_pm1_redc _nettle_ecc_pm1_redc #define ecc_mod_add _nettle_ecc_mod_add #define ecc_mod_sub _nettle_ecc_mod_sub -#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 -#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 -#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 +#define ecc_mod_mul_1_std _nettle_ecc_mod_mul_1_std +#define ecc_mod_addmul_1_std _nettle_ecc_mod_addmul_1_std +#define ecc_mod_submul_1_std _nettle_ecc_mod_submul_1_std #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr #define ecc_mod_random _nettle_ecc_mod_random @@ -146,6 +146,10 @@ typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); +typedef void ecc_mod_mul_1_func (const struct ecc_modulo *m, + mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); + struct ecc_modulo { unsigned short bit_size; @@ -170,6 +174,9 @@ struct ecc_modulo ecc_mod_func *reduce; ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; + + ecc_mod_mul_1_func *mul_1; + ecc_mod_mul_1_func *submul_1; }; /* Represents an elliptic curve of the form @@ -237,15 +244,15 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t b); +ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t b); void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_submul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); /* The mul and sqr functions need 2*m->size limbs at rp */ void diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c index f2e47f6747c1..0399a2cdd7c5 100644 --- a/ecc-mod-arith.c +++ b/ecc-mod-arith.c @@ -65,8 +65,8 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, } void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; @@ -80,8 +80,8 @@ ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, } void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; @@ -95,8 +95,8 @@ ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, } void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_submul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; diff --git a/ecc-mul-m.c b/ecc-mul-m.c index 68bdd16e8e94..539b9d0677e7 100644 --- a/ecc-mul-m.c +++ b/ecc-mul-m.c @@ -80,7 +80,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x3, AA, BB); ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_mul (m, z3, E, AA); for (i = bit_high; i >= bit_low; i--) @@ -98,7 +98,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x2, AA, BB); /* Last use of BB */ ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_add (m, C, x3, z3); ecc_mod_sub (m, D, x3, z3); ecc_mod_mul (m, z2, E, AA); /* Last use of E and AA */ @@ -124,7 +124,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x2, AA, BB); ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_mul (m, z2, E, AA); } assert (m->invert_itch <= 7 * m->size); diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c index 046026f3f697..79080495ec7e 100644 --- a/ecc-secp192r1.c +++ b/ecc-secp192r1.c @@ -130,6 +130,9 @@ const struct ecc_curve _nettle_secp_192r1 = ecc_secp192r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 192, @@ -149,6 +152,9 @@ const struct ecc_curve _nettle_secp_192r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-secp224r1.c b/ecc-secp224r1.c index 05d84017a68a..064a9e2f7fd4 100644 --- a/ecc-secp224r1.c +++ b/ecc-secp224r1.c @@ -82,6 +82,9 @@ const struct ecc_curve _nettle_secp_224r1 = USE_REDC ? ecc_secp224r1_redc : ecc_secp224r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 224, @@ -101,6 +104,9 @@ const struct ecc_curve _nettle_secp_224r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-secp256r1.c b/ecc-secp256r1.c index d399642453d5..0a25a086f3fe 100644 --- a/ecc-secp256r1.c +++ b/ecc-secp256r1.c @@ -259,6 +259,9 @@ const struct ecc_curve _nettle_secp_256r1 = USE_REDC ? ecc_secp256r1_redc : ecc_secp256r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 256, @@ -278,6 +281,9 @@ const struct ecc_curve _nettle_secp_256r1 = ecc_secp256r1_modq, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-secp384r1.c b/ecc-secp384r1.c index 54bcd1128d39..5a9131f72c98 100644 --- a/ecc-secp384r1.c +++ b/ecc-secp384r1.c @@ -167,6 +167,9 @@ const struct ecc_curve _nettle_secp_384r1 = ecc_secp384r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 384, @@ -186,6 +189,9 @@ const struct ecc_curve _nettle_secp_384r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-secp521r1.c b/ecc-secp521r1.c index 776f7ae03e27..f01a97537eb8 100644 --- a/ecc-secp521r1.c +++ b/ecc-secp521r1.c @@ -95,6 +95,9 @@ const struct ecc_curve _nettle_secp_521r1 = ecc_secp521r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 521, @@ -114,6 +117,9 @@ const struct ecc_curve _nettle_secp_521r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, -- 2.25.0

2 2

[PATCH 0/2] Updating the nettle-benchmark
by Emil Velikov 08 May '20

08 May '20

Hi all, Here are a couple of small patches for nettle-benchmark: - removes the deprecated OpenSSL hash API - adds more OpenSSL sha2 hashes into the mix Kindly merge or let me know of your concerns :-) Related question: As you can see from the second patch, nettle performance is a little low wrt OpenSSL - ~55% for sha1, and ~65% for sha2. Is that normal, or there is something off with my system/build? I'm using the default "--enable-assembler" and "-O2" as seen in the configure.ac, plus my processor lacks the SHA_NI ISA. Thanks Emil P.S. More misc patches coming shortly, so stay tuned :-P Emil Velikov (2): examples: don't use deprecated OpenSSL hashing API external: add more openssl sha2 digests to the benchmark examples/nettle-benchmark.c | 6 +- examples/nettle-openssl.c | 112 ++++++++++++++---------------------- nettle-internal.h | 3 + 3 files changed, 50 insertions(+), 71 deletions(-) -- 2.25.1

2 5

ANNOUNCE: Nettle-3.6
by nisse＠lysator.liu.se 04 May '20

04 May '20

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I'm happy to announce a new release of GNU Nettle, a low-level cryptographics library. This version includes several new features, and a couple of bug fixes, see NEWS entries below. The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html. The release can be downloaded from https://ftp.gnu.org/gnu/nettle/nettle-3.6.tar.gz ftp://ftp.gnu.org/gnu/nettle/nettle-3.6.tar.gz https://www.lysator.liu.se/~nisse/archive/nettle-3.6.tar.gz Happy hacking, /Niels Möller NEWS for the Nettle 3.6 release This release adds a couple of new features, most notable being support for ED448 signatures. It is not binary compatible with earlier releases. The shared library names are libnettle.so.8.0 and libhogweed.so.6.0, with sonames nibnettle.so.8 and libhogweed.so.6. The changed sonames are mainly to avoid upgrade problems with recent GnuTLS versions, that depend on Nettle internals outside of the advertised ABI. But also because of the removal of internal poly1305 functions which were undocumented but declared in an installed header file, see Interface changes below. New features: * Support for Curve448 and ED448 signatures. Contributed by Daiki Ueno. * Support for SHAKE256 (SHA3 variant with arbitrary output size). Contributed by Daiki Ueno. * Support for SIV-CMAC (Synthetic Initialization Vector) mode, contributed by Nikos Mavrogiannopoulos. * Support for CMAC64, contributed by Dmitry Baryshkov. * Support for the "CryptoPro" variant of the GOST hash function, as gosthash94cp. Contributed by Dmitry Baryshkov. * Support for GOST DSA signatures, including GOST curves gc256b and gc512a. Contributed by Dmitry Baryshkov. * Support for Intel CET in x86 and x86_64 assembly files, if enabled via CFLAGS (gcc --fcf-protection=full). Contributed by H.J. Lu and Simo Sorce. * A few new functions to improve support for the Chacha variant with 96-bit nonce and 32-bit block counter (the existing functions use nonce and counter of 64-bit each), and functions to set the counter. Contributed by Daiki Ueno. * New interface, struct nettle_mac, for MAC (message authentication code) algorithms. This abstraction is only for MACs that don't require a per-message nonce. For HMAC, the key size is fixed, and equal the digest size of the underlying hash function. Bug fixes: * Fix bug in cfb8_decrypt. Previously, the IV was not updated correctly in the case of input data shorter than the block size. Reported by Stephan Mueller, fixed by Daiki Ueno. * Fix configure check for __builtin_bswap64, the incorrect check would result in link errors on platforms missing this function. Patch contributed by George Koehler. * All use of old-fashioned suffix rules in the Makefiles have been replaced with %-pattern rules. Nettle's use of suffix rules in earlier versions depended on undocumented GNU make behavior, which is being deprecated in GNU make 4.3. Building with other make programs than GNU make is untested and unsupported. (Building with BSD make or Solaris make used to work years ago, but has not been tested recently). Interface changes: * Declarations of internal poly1305.h functions have been removed from the header file poly1305.h, to make it clear that they are not part of the advertised API or ABI. Miscellaneous: * Building the public key support of nettle now requires GMP version 6.1.0 or later (unless --enable-mini-gmp is used). * A fair amount of changes to ECC internals, with a few deleted and a few new fields in the internal struct ecc_curve. Files and functions have been renamed to more consistently match the curve name, e.g., ecc-256.c has been renamed to ecc-secp256r1.c. * Documentation for chacha-poly1305 updated. It is no longer experimental. The implementation was updated to follow RFC 8439 in Nettle-3.1, but that was not documented or announced at the time. - -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEy0li0HDXfX/Li6Nicdjx/zaMZncFAl6p3hsACgkQcdjx/zaM ZneC5gf7BZuz13jnIzETuRCtqwcV8BaFZOhBrDmqPxHeCVL2BVZwUxVpIVZAhqKu ngj5i4GEQBHLg5BRJk/97gyn4YCbWfr7397tqBdUWO2VWFKaG+5QGCG3pjjxyjgm hECNrRpSLHHVzUFi2bLCo4Ur+R2d52I1l+hI7CekTxAk1c01xhpobs0pSUDUCfco /c8gNbbrNZc/KxUq1qtaWucxvysa4BsfnqucnhjAftMrmishFdr282gWNrnK3q9K kHIxCL01bYIQVQmYdH0VglGtq7rYCkL870Ip21OOaL+LIHm1FMaDpXHbXi/GkGqK Ukre//RxgMbwPMsM7eh5rp7pOAqdug== =QvUR -----END PGP SIGNATURE-----

2 3

Nettle-3.6rc2
by nisse＠lysator.liu.se 25 Apr '20

25 Apr '20

I've made another tarball, http://www.lysator.liu.se/~nisse/archive/nettle-3.6rc2.tar.gz http://www.lysator.liu.se/~nisse/archive/nettle-3.6rc1.tar.gz.sig Changes some rc1: * Sonames of *both* libnettle and libhogweed are updated. * Merged gost_vko. * Other api/abi cleanups, affecting gosthash and poly1305. * Deleted the test asserts that failed when linking hogweed.dll in wine (and presumably on windows too). * Some more Makefile and test cleanups, deleted the .testrules.make file (replaced with %-pattern rules in the main testsuite/Makefile.in), deleted workaround with extra dll symlinks, and instead set WINEPATH. * NEWS edits. -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

1 0

Windows dll test failures
by nisse＠lysator.liu.se 23 Apr '20

23 Apr '20

I have a question to the list, if anyone here knows details of how windows dlls work. I cross compile for windows with ./configure --host=x86_64-w64-mingw32 --enable-mini-gmp CXX=/bin/false make and run tests with make check EMULATOR=wine64 It fails the ecc-dup and ecc-add tests, in this and similar asserts: ASSERT (ecc->dup == ecc_dup_jj); Here, the right hand side is a symbol from libhogweed-x.dll, and on the left hand side, ecc refers to a constant struct in the same dll. My guess us that dynamic linking on windows doesn't provide function pointer comparisons as specified by the C standard. Maybe left-hand side is the real function entry point, and the right hand side is the address of some glue code related to dynamic linking. Is that right? If so, I can just disable this assert for windows, but I'd like to understand what'g going on. I think the reason it works with ELF, is that ELF dynamic linking tries harder to make all references point to the same PLT glue code, but I don't fully understand the details there either. Somewhat related to this: The ecc pointer is taken from this array in testutils.c: const struct ecc_curve * const ecc_curves[] = { &_nettle_secp_192r1, &_nettle_secp_224r1, &_nettle_secp_256r1, &_nettle_secp_384r1, &_nettle_secp_521r1, &_nettle_curve25519, &_nettle_curve448, &_nettle_gost_gc256b, &_nettle_gost_gc512a, NULL }; The entries are references to data objects in the dll. I'm a bit surprised that works at all, is it expected to work? I had the impression that dlls only exported functions. Should the test code be changed to use the advertised getter functions, nettle_get_secp_256r1 and friends? Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

2 3

[PATCH v3] Implement GOST VKO key derivation algorithm
by Dmitry Baryshkov 22 Apr '20

22 Apr '20

From: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- Makefile.in | 2 +- gostdsa-vko.c | 96 ++++++++++++++++++++++++++++++++++++ gostdsa.h | 7 +++ nettle.texinfo | 15 ++++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/gostdsa-vko-test.c | 91 ++++++++++++++++++++++++++++++++++ 8 files changed, 215 insertions(+), 2 deletions(-) create mode 100644 gostdsa-vko.c create mode 100644 testsuite/gostdsa-vko-test.c diff --git a/Makefile.in b/Makefile.in index ddc304285321..29b3cfb4aafe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -194,7 +194,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ ecc-gostdsa-sign.c gostdsa-sign.c \ - ecc-gostdsa-verify.c gostdsa-verify.c \ + ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ diff --git a/gostdsa-vko.c b/gostdsa-vko.c new file mode 100644 index 000000000000..7bdcdfc3fa16 --- /dev/null +++ b/gostdsa-vko.c @@ -0,0 +1,96 @@ +/* gostdsa-vko.c + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> +#include <stdlib.h> + +#include "ecc-internal.h" +#include "gostdsa.h" + +/* + * Shared key derivation/key agreement for GOST DSA algorithm. + * It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1 + * + * output is 2 * curve size: + * 64 bytes for 256 bit curves and 128 bytes for 512 bit ones + * + * Basically shared key is equal to hash(cofactor * ukm * priv * pub). This + * function does multiplication. Caller should do hashing on his own. + * + * UKM is not a secret value (consider it as a nonce). + * + * For supported GOST curves cofactor is equal to 1. + */ +void +gostdsa_vko (const struct ecc_scalar *priv, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + uint8_t *out) +{ + const struct ecc_curve *ecc = priv->ecc; + unsigned bsize = (ecc_bit_size (ecc) + 7) / 8; + mp_size_t size = ecc->p.size; + mp_size_t itch = 4*size + ecc->mul_itch; + mp_limb_t *scratch; + + if (itch < 5*size + ecc->h_to_a_itch) + itch = 5*size + ecc->h_to_a_itch; + + assert (pub->ecc == ecc); + assert (priv->ecc == ecc); + assert (ukm_length <= bsize); + + scratch = gmp_alloc_limbs (itch); + +#define UKM scratch +#define TEMP (scratch + 3*size) +#define XYZ scratch +#define TEMP_Y (scratch + 4*size) + + mpn_set_base256_le (UKM, size, ukm, ukm_length); + + /* If ukm is 0, set it to 1, otherwise the result will be allways equal to 0, + * no matter what private and public keys are. See RFC 4357 referencing GOST + * R 34.10-2001 (RFC 5832) Section 6.1 step 2. */ + if (mpn_zero_p (UKM, size)) + UKM[0] = 1; + + ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */ + ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ + ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ + mpn_get_base256_le (out, bsize, TEMP, size); + mpn_get_base256_le (out+bsize, bsize, TEMP_Y, size); + gmp_free_limbs (scratch, itch); +} diff --git a/gostdsa.h b/gostdsa.h index c92dfd1e1dd6..d479201e3295 100644 --- a/gostdsa.h +++ b/gostdsa.h @@ -44,6 +44,7 @@ extern "C" { /* Name mangling */ #define gostdsa_sign nettle_gostdsa_sign #define gostdsa_verify nettle_gostdsa_verify +#define gostdsa_vko nettle_gostdsa_vko #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify @@ -68,6 +69,12 @@ gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); +void +gostdsa_vko (const struct ecc_scalar *key, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + uint8_t *out); + /* Low-level GOSTDSA functions. */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc); diff --git a/nettle.texinfo b/nettle.texinfo index ff64889c4169..995d5de80813 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -1065,6 +1065,7 @@ This function also resets the context in the same way as @subsubsection @acronym{GOSTHASH94 and GOSTHASH94CP} @cindex GOST hash +@anchor{GOSTHASH94CP} The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see @cite{RFC 4357}). It outputs message digests of 256 bits, or 32 octets. The standard itself @@ -5157,6 +5158,20 @@ Returns curve corresponding to following identifiers: @end itemize @end deftypefun +For GOST key pairs key derivation/key agreement function (VKO) is defined in +@cite{RFC 4357} and @cite{RFC 7836}. Basically shared key is equal to +hash(cofactor * ukm * priv * pub). Nettle library provides a function that does +multiplication. Caller should do hashing on his own (it will be either +GOST R 34.11-94 (@pxref{GOSTHASH94CP}) or GOST R 34.11-2012, Streebog, which nor part of the library yet). + +@deftypefun void gostdsa_vko (const struct ecc_scalar *@var{priv}, const struct ecc_point *@var{pub}, size_t @var{ukm_length}, const uint8_t *@var{ukm}, uint8_t *@var{out}) +Uses private key @var{priv}, public ket @var{pub} and shared key material +@var{ukm} to generate shared secret, written to buffer @var{out}. The buffer +should be of the size equal to 2 private key lengths: 64 bytes for 256 bit +curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually +transferred in cleartext. It does not have to be secret. +@end deftypefun + @node Curve 25519 and Curve 448, , ECDSA, Elliptic curves @comment node-name, next, previous, up @subsubsection Curve25519 and Curve448 diff --git a/testsuite/.gitignore b/testsuite/.gitignore index b8b36c2accc2..a2b3d52312cd 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -46,6 +46,7 @@ /gostdsa-keygen-test /gostdsa-sign-test /gostdsa-verify-test +/gostdsa-vko-test /gosthash94-test /hkdf-test /hmac-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 9de8f4125079..fdcde6cb9748 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -304,6 +304,9 @@ gostdsa-verify-test$(EXEEXT): gostdsa-verify-test.$(OBJEXT) gostdsa-keygen-test$(EXEEXT): gostdsa-keygen-test.$(OBJEXT) $(LINK) gostdsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-keygen-test$(EXEEXT) +gostdsa-vko-test$(EXEEXT): gostdsa-vko-test.$(OBJEXT) + $(LINK) gostdsa-vko-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-vko-test$(EXEEXT) + sha1-huge-test$(EXEEXT): sha1-huge-test.$(OBJEXT) $(LINK) sha1-huge-test.$(OBJEXT) $(TEST_OBJS) -o sha1-huge-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 89b52efad9df..025f3ea18040 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -56,7 +56,7 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ eddsa-verify-test.c ed25519-test.c ed448-test.c \ gostdsa-sign-test.c gostdsa-verify-test.c \ - gostdsa-keygen-test.c + gostdsa-keygen-test.c gostdsa-vko-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx diff --git a/testsuite/gostdsa-vko-test.c b/testsuite/gostdsa-vko-test.c new file mode 100644 index 000000000000..c8a762b125c2 --- /dev/null +++ b/testsuite/gostdsa-vko-test.c @@ -0,0 +1,91 @@ +#include "testutils.h" +#include "gostdsa.h" + +static void +test_vko (const struct ecc_curve *ecc, + const char *priv, + const char *x, + const char *y, + const struct tstring *ukm, + const struct nettle_hash *hash, + void * hash_ctx, + const struct tstring *res) +{ + struct ecc_scalar ecc_key; + struct ecc_point ecc_pub; + mpz_t temp1, temp2; + uint8_t out[128]; + size_t out_len = ((ecc_bit_size(ecc) + 7) / 8) * 2; + + ASSERT(out_len <= sizeof(out)); + + ecc_point_init (&ecc_pub, ecc); + mpz_init_set_str (temp1, x, 16); + mpz_init_set_str (temp2, y, 16); + ASSERT (ecc_point_set (&ecc_pub, temp1, temp2) != 0); + + ecc_scalar_init (&ecc_key, ecc); + mpz_set_str (temp1, priv, 16); + ASSERT (ecc_scalar_set (&ecc_key, temp1) != 0); + + mpz_clear (temp1); + mpz_clear (temp2); + + gostdsa_vko (&ecc_key, &ecc_pub, + ukm->length, ukm->data, + out); + + ecc_scalar_clear (&ecc_key); + ecc_point_clear (&ecc_pub); + + if (hash) + { + hash->init (hash_ctx); + hash->update (hash_ctx, out_len, out); + hash->digest (hash_ctx, hash->digest_size, out); + + ASSERT (hash->digest_size == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } + else + { + ASSERT (out_len == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } +} + +void +test_main (void) +{ + /* RFC 7836, App B, provides test vectors, values there are little endian. + * + * However those test vectors depend on the availability of Streebog hash + * functions, which is not available (yet). So these test vectors capture + * the VKO value just before hash function. One can verify them by + * calculating the Streeebog function and comparing the result with RFC + * 7836, App B. */ + test_vko(nettle_get_gost_gc512a(), + "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", + "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", + "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + + test_vko(nettle_get_gost_gc512a(), + "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", + "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", + "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + +} -- 2.25.1

2 2

[PATCH v2] Implement GOST VKO key derivation algorithm
by Dmitry Baryshkov 21 Apr '20

21 Apr '20

From: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- Makefile.in | 2 +- gostdsa-vko.c | 94 ++++++++++++++++++++++++++++++++++++ gostdsa.h | 7 +++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/gostdsa-vko-test.c | 91 ++++++++++++++++++++++++++++++++++ 7 files changed, 198 insertions(+), 2 deletions(-) create mode 100644 gostdsa-vko.c create mode 100644 testsuite/gostdsa-vko-test.c -- - Added internal documentation - Dropped dependency of tests on Streebog diff --git a/Makefile.in b/Makefile.in index ddc304285321..29b3cfb4aafe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -194,7 +194,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ ecc-gostdsa-sign.c gostdsa-sign.c \ - ecc-gostdsa-verify.c gostdsa-verify.c \ + ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ diff --git a/gostdsa-vko.c b/gostdsa-vko.c new file mode 100644 index 000000000000..0c027014e5ea --- /dev/null +++ b/gostdsa-vko.c @@ -0,0 +1,94 @@ +/* gostdsa-vko.c + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> +#include <stdlib.h> + +#include "ecc-internal.h" +#include "gostdsa.h" + +/* + * Shared key derivation/key agreement for GOST DSA algorithm. + * It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1 + * + * Basically shared key is equal to hash(cofactor * ukm * priv * pub). This + * function does multiplication. Caller should do hashing on his own. + * + * UKM is not a secret value (consider it as a nonce). + * + * For supported GOST curves cofactor is equal to 1. + */ +void +gostdsa_vko(const struct ecc_scalar *priv, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + size_t out_length, uint8_t *out) +{ + const struct ecc_curve *ecc = priv->ecc; + unsigned bsize = (ecc_bit_size(ecc) + 7) / 8; + mp_size_t size = ecc->p.size; + mp_size_t itch = 4*size + ecc->mul_itch; + mp_limb_t *scratch; + + if (itch < 5*size + ecc->h_to_a_itch) + itch = 5*size + ecc->h_to_a_itch; + + assert (pub->ecc == ecc); + assert (priv->ecc == ecc); + assert (out_length == 2 * bsize); + assert (ukm_length <= bsize); + + scratch = gmp_alloc_limbs (itch); + +#define UKM scratch +#define TEMP (scratch + 3*size) +#define XYZ scratch +#define TEMP_Y (scratch + 4*size) + + mpn_set_base256_le (UKM, size, ukm, ukm_length); + + /* If ukm is 0, set it to 1, otherwise the result will be allways equal to 0, + * no matter what private and public keys are. See RFC 4357 referencing GOST + * R 34.10-2001 (RFC 5832) Section 6.1 step 2. */ + if (mpn_zero_p (UKM, size)) + UKM[0] = 1; + + ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */ + ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ + ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ + mpn_get_base256_le (out, bsize, TEMP, size); + mpn_get_base256_le (out+bsize, bsize, TEMP_Y, size); + gmp_free_limbs (scratch, itch); +} diff --git a/gostdsa.h b/gostdsa.h index c92dfd1e1dd6..5ccf35a767a8 100644 --- a/gostdsa.h +++ b/gostdsa.h @@ -44,6 +44,7 @@ extern "C" { /* Name mangling */ #define gostdsa_sign nettle_gostdsa_sign #define gostdsa_verify nettle_gostdsa_verify +#define gostdsa_vko nettle_gostdsa_vko #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify @@ -68,6 +69,12 @@ gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); +void +gostdsa_vko(const struct ecc_scalar *key, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + size_t out_length, uint8_t *out); + /* Low-level GOSTDSA functions. */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc); diff --git a/testsuite/.gitignore b/testsuite/.gitignore index b8b36c2accc2..a2b3d52312cd 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -46,6 +46,7 @@ /gostdsa-keygen-test /gostdsa-sign-test /gostdsa-verify-test +/gostdsa-vko-test /gosthash94-test /hkdf-test /hmac-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 9de8f4125079..fdcde6cb9748 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -304,6 +304,9 @@ gostdsa-verify-test$(EXEEXT): gostdsa-verify-test.$(OBJEXT) gostdsa-keygen-test$(EXEEXT): gostdsa-keygen-test.$(OBJEXT) $(LINK) gostdsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-keygen-test$(EXEEXT) +gostdsa-vko-test$(EXEEXT): gostdsa-vko-test.$(OBJEXT) + $(LINK) gostdsa-vko-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-vko-test$(EXEEXT) + sha1-huge-test$(EXEEXT): sha1-huge-test.$(OBJEXT) $(LINK) sha1-huge-test.$(OBJEXT) $(TEST_OBJS) -o sha1-huge-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 89b52efad9df..025f3ea18040 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -56,7 +56,7 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ eddsa-verify-test.c ed25519-test.c ed448-test.c \ gostdsa-sign-test.c gostdsa-verify-test.c \ - gostdsa-keygen-test.c + gostdsa-keygen-test.c gostdsa-vko-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx diff --git a/testsuite/gostdsa-vko-test.c b/testsuite/gostdsa-vko-test.c new file mode 100644 index 000000000000..5d77f2efced5 --- /dev/null +++ b/testsuite/gostdsa-vko-test.c @@ -0,0 +1,91 @@ +#include "testutils.h" +#include "gostdsa.h" + +static void +test_vko (const struct ecc_curve *ecc, + const char *priv, + const char *x, + const char *y, + const struct tstring *ukm, + const struct nettle_hash *hash, + void * hash_ctx, + const struct tstring *res) +{ + struct ecc_scalar ecc_key; + struct ecc_point ecc_pub; + mpz_t temp1, temp2; + uint8_t out[128]; + size_t out_len = ((ecc_bit_size(ecc) + 7) / 8) * 2; + + ASSERT(out_len <= sizeof(out)); + + ecc_point_init (&ecc_pub, ecc); + mpz_init_set_str (temp1, x, 16); + mpz_init_set_str (temp2, y, 16); + ASSERT (ecc_point_set (&ecc_pub, temp1, temp2) != 0); + + ecc_scalar_init (&ecc_key, ecc); + mpz_set_str (temp1, priv, 16); + ASSERT (ecc_scalar_set (&ecc_key, temp1) != 0); + + mpz_clear (temp1); + mpz_clear (temp2); + + gostdsa_vko (&ecc_key, &ecc_pub, + ukm->length, ukm->data, + out_len, out); + + ecc_scalar_clear (&ecc_key); + ecc_point_clear (&ecc_pub); + + if (hash) + { + hash->init (hash_ctx); + hash->update (hash_ctx, out_len, out); + hash->digest (hash_ctx, hash->digest_size, out); + + ASSERT (hash->digest_size == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } + else + { + ASSERT (out_len == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } +} + +void +test_main (void) +{ + /* RFC 7836, App B, provides test vectors, values there are little endian. + * + * However those test vectors depend on the availability of Streebog hash + * functions, which is not available (yet). So these test vectors capture + * the VKO value just before hash function. One can verify them by + * calculating the Streeebog function and comparing the result with RFC + * 7836, App B. */ + test_vko(nettle_get_gost_gc512a(), + "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", + "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", + "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + + test_vko(nettle_get_gost_gc512a(), + "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", + "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", + "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + +} -- 2.25.1

2 3

[PATCH 1/6] Start separating GOST 28147-89 from GOST R 34.11-94
by Dmitry Eremin-Solenikov 19 Apr '20

19 Apr '20

Hash function GOST R 34.11-94 (gosthash94) in its compression function uses Russian block cipher (GOST 28147-89, Magma). Start separating block cipher code from hash function code. For now there is no public interface for this cipher, it will be added later. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- Makefile.in | 4 +- gost28147.c | 342 +++++++++++++++++++++++++++++++++++++++++++++++++++ gost28147.h | 63 ++++++++++ gosthash94.c | 245 +----------------------------------- 4 files changed, 412 insertions(+), 242 deletions(-) create mode 100644 gost28147.c create mode 100644 gost28147.h diff --git a/Makefile.in b/Makefile.in index 537e97d19bea..795d66edb2c8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -102,7 +102,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ cmac.c cmac-aes128.c cmac-aes256.c \ - gosthash94.c gosthash94-meta.c \ + gost28147.c gosthash94.c gosthash94-meta.c \ hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ knuth-lfib.c hkdf.c \ @@ -195,7 +195,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gosthash94.h hmac.h \ + gcm.h gost28147.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h \ diff --git a/gost28147.c b/gost28147.c new file mode 100644 index 000000000000..c734c4365fa7 --- /dev/null +++ b/gost28147.c @@ -0,0 +1,342 @@ +/* gost28147.c - GOST 28147-89 cipher implementation + * + * based on Russian standard GOST 28147-89 + * For English description, check RFC 5830. + * S-Boxes are expanded from the tables defined in RFC4357: + * https://tools.ietf.org/html/rfc4357 + * + * Copyright: 2019 Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> + * Copyright: 2009-2012 Aleksey Kravchenko <rhash.admin(a)gmail.com> + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + +#if HAVE_CONFIG_H +#include "config.h" +#endif + +#include "macros.h" +#include "gost28147.h" + +/* pre-initialized GOST lookup tables based on rotated S-Box */ +const struct gost28147_param gost28147_param_test_3411 = +{ + { + /* 0 */ + 0x00072000, 0x00075000, 0x00074800, 0x00071000, + 0x00076800, 0x00074000, 0x00070000, 0x00077000, + 0x00073000, 0x00075800, 0x00070800, 0x00076000, + 0x00073800, 0x00077800, 0x00072800, 0x00071800, + 0x0005a000, 0x0005d000, 0x0005c800, 0x00059000, + 0x0005e800, 0x0005c000, 0x00058000, 0x0005f000, + 0x0005b000, 0x0005d800, 0x00058800, 0x0005e000, + 0x0005b800, 0x0005f800, 0x0005a800, 0x00059800, + 0x00022000, 0x00025000, 0x00024800, 0x00021000, + 0x00026800, 0x00024000, 0x00020000, 0x00027000, + 0x00023000, 0x00025800, 0x00020800, 0x00026000, + 0x00023800, 0x00027800, 0x00022800, 0x00021800, + 0x00062000, 0x00065000, 0x00064800, 0x00061000, + 0x00066800, 0x00064000, 0x00060000, 0x00067000, + 0x00063000, 0x00065800, 0x00060800, 0x00066000, + 0x00063800, 0x00067800, 0x00062800, 0x00061800, + 0x00032000, 0x00035000, 0x00034800, 0x00031000, + 0x00036800, 0x00034000, 0x00030000, 0x00037000, + 0x00033000, 0x00035800, 0x00030800, 0x00036000, + 0x00033800, 0x00037800, 0x00032800, 0x00031800, + 0x0006a000, 0x0006d000, 0x0006c800, 0x00069000, + 0x0006e800, 0x0006c000, 0x00068000, 0x0006f000, + 0x0006b000, 0x0006d800, 0x00068800, 0x0006e000, + 0x0006b800, 0x0006f800, 0x0006a800, 0x00069800, + 0x0007a000, 0x0007d000, 0x0007c800, 0x00079000, + 0x0007e800, 0x0007c000, 0x00078000, 0x0007f000, + 0x0007b000, 0x0007d800, 0x00078800, 0x0007e000, + 0x0007b800, 0x0007f800, 0x0007a800, 0x00079800, + 0x00052000, 0x00055000, 0x00054800, 0x00051000, + 0x00056800, 0x00054000, 0x00050000, 0x00057000, + 0x00053000, 0x00055800, 0x00050800, 0x00056000, + 0x00053800, 0x00057800, 0x00052800, 0x00051800, + 0x00012000, 0x00015000, 0x00014800, 0x00011000, + 0x00016800, 0x00014000, 0x00010000, 0x00017000, + 0x00013000, 0x00015800, 0x00010800, 0x00016000, + 0x00013800, 0x00017800, 0x00012800, 0x00011800, + 0x0001a000, 0x0001d000, 0x0001c800, 0x00019000, + 0x0001e800, 0x0001c000, 0x00018000, 0x0001f000, + 0x0001b000, 0x0001d800, 0x00018800, 0x0001e000, + 0x0001b800, 0x0001f800, 0x0001a800, 0x00019800, + 0x00042000, 0x00045000, 0x00044800, 0x00041000, + 0x00046800, 0x00044000, 0x00040000, 0x00047000, + 0x00043000, 0x00045800, 0x00040800, 0x00046000, + 0x00043800, 0x00047800, 0x00042800, 0x00041800, + 0x0000a000, 0x0000d000, 0x0000c800, 0x00009000, + 0x0000e800, 0x0000c000, 0x00008000, 0x0000f000, + 0x0000b000, 0x0000d800, 0x00008800, 0x0000e000, + 0x0000b800, 0x0000f800, 0x0000a800, 0x00009800, + 0x00002000, 0x00005000, 0x00004800, 0x00001000, + 0x00006800, 0x00004000, 0x00000000, 0x00007000, + 0x00003000, 0x00005800, 0x00000800, 0x00006000, + 0x00003800, 0x00007800, 0x00002800, 0x00001800, + 0x0003a000, 0x0003d000, 0x0003c800, 0x00039000, + 0x0003e800, 0x0003c000, 0x00038000, 0x0003f000, + 0x0003b000, 0x0003d800, 0x00038800, 0x0003e000, + 0x0003b800, 0x0003f800, 0x0003a800, 0x00039800, + 0x0002a000, 0x0002d000, 0x0002c800, 0x00029000, + 0x0002e800, 0x0002c000, 0x00028000, 0x0002f000, + 0x0002b000, 0x0002d800, 0x00028800, 0x0002e000, + 0x0002b800, 0x0002f800, 0x0002a800, 0x00029800, + 0x0004a000, 0x0004d000, 0x0004c800, 0x00049000, + 0x0004e800, 0x0004c000, 0x00048000, 0x0004f000, + 0x0004b000, 0x0004d800, 0x00048800, 0x0004e000, + 0x0004b800, 0x0004f800, 0x0004a800, 0x00049800, + /* 1 */ + 0x03a80000, 0x03c00000, 0x03880000, 0x03e80000, + 0x03d00000, 0x03980000, 0x03a00000, 0x03900000, + 0x03f00000, 0x03f80000, 0x03e00000, 0x03b80000, + 0x03b00000, 0x03800000, 0x03c80000, 0x03d80000, + 0x06a80000, 0x06c00000, 0x06880000, 0x06e80000, + 0x06d00000, 0x06980000, 0x06a00000, 0x06900000, + 0x06f00000, 0x06f80000, 0x06e00000, 0x06b80000, + 0x06b00000, 0x06800000, 0x06c80000, 0x06d80000, + 0x05280000, 0x05400000, 0x05080000, 0x05680000, + 0x05500000, 0x05180000, 0x05200000, 0x05100000, + 0x05700000, 0x05780000, 0x05600000, 0x05380000, + 0x05300000, 0x05000000, 0x05480000, 0x05580000, + 0x00a80000, 0x00c00000, 0x00880000, 0x00e80000, + 0x00d00000, 0x00980000, 0x00a00000, 0x00900000, + 0x00f00000, 0x00f80000, 0x00e00000, 0x00b80000, + 0x00b00000, 0x00800000, 0x00c80000, 0x00d80000, + 0x00280000, 0x00400000, 0x00080000, 0x00680000, + 0x00500000, 0x00180000, 0x00200000, 0x00100000, + 0x00700000, 0x00780000, 0x00600000, 0x00380000, + 0x00300000, 0x00000000, 0x00480000, 0x00580000, + 0x04280000, 0x04400000, 0x04080000, 0x04680000, + 0x04500000, 0x04180000, 0x04200000, 0x04100000, + 0x04700000, 0x04780000, 0x04600000, 0x04380000, + 0x04300000, 0x04000000, 0x04480000, 0x04580000, + 0x04a80000, 0x04c00000, 0x04880000, 0x04e80000, + 0x04d00000, 0x04980000, 0x04a00000, 0x04900000, + 0x04f00000, 0x04f80000, 0x04e00000, 0x04b80000, + 0x04b00000, 0x04800000, 0x04c80000, 0x04d80000, + 0x07a80000, 0x07c00000, 0x07880000, 0x07e80000, + 0x07d00000, 0x07980000, 0x07a00000, 0x07900000, + 0x07f00000, 0x07f80000, 0x07e00000, 0x07b80000, + 0x07b00000, 0x07800000, 0x07c80000, 0x07d80000, + 0x07280000, 0x07400000, 0x07080000, 0x07680000, + 0x07500000, 0x07180000, 0x07200000, 0x07100000, + 0x07700000, 0x07780000, 0x07600000, 0x07380000, + 0x07300000, 0x07000000, 0x07480000, 0x07580000, + 0x02280000, 0x02400000, 0x02080000, 0x02680000, + 0x02500000, 0x02180000, 0x02200000, 0x02100000, + 0x02700000, 0x02780000, 0x02600000, 0x02380000, + 0x02300000, 0x02000000, 0x02480000, 0x02580000, + 0x03280000, 0x03400000, 0x03080000, 0x03680000, + 0x03500000, 0x03180000, 0x03200000, 0x03100000, + 0x03700000, 0x03780000, 0x03600000, 0x03380000, + 0x03300000, 0x03000000, 0x03480000, 0x03580000, + 0x06280000, 0x06400000, 0x06080000, 0x06680000, + 0x06500000, 0x06180000, 0x06200000, 0x06100000, + 0x06700000, 0x06780000, 0x06600000, 0x06380000, + 0x06300000, 0x06000000, 0x06480000, 0x06580000, + 0x05a80000, 0x05c00000, 0x05880000, 0x05e80000, + 0x05d00000, 0x05980000, 0x05a00000, 0x05900000, + 0x05f00000, 0x05f80000, 0x05e00000, 0x05b80000, + 0x05b00000, 0x05800000, 0x05c80000, 0x05d80000, + 0x01280000, 0x01400000, 0x01080000, 0x01680000, + 0x01500000, 0x01180000, 0x01200000, 0x01100000, + 0x01700000, 0x01780000, 0x01600000, 0x01380000, + 0x01300000, 0x01000000, 0x01480000, 0x01580000, + 0x02a80000, 0x02c00000, 0x02880000, 0x02e80000, + 0x02d00000, 0x02980000, 0x02a00000, 0x02900000, + 0x02f00000, 0x02f80000, 0x02e00000, 0x02b80000, + 0x02b00000, 0x02800000, 0x02c80000, 0x02d80000, + 0x01a80000, 0x01c00000, 0x01880000, 0x01e80000, + 0x01d00000, 0x01980000, 0x01a00000, 0x01900000, + 0x01f00000, 0x01f80000, 0x01e00000, 0x01b80000, + 0x01b00000, 0x01800000, 0x01c80000, 0x01d80000, + /* 2 */ + 0x30000002, 0x60000002, 0x38000002, 0x08000002, + 0x28000002, 0x78000002, 0x68000002, 0x40000002, + 0x20000002, 0x50000002, 0x48000002, 0x70000002, + 0x00000002, 0x18000002, 0x58000002, 0x10000002, + 0xb0000005, 0xe0000005, 0xb8000005, 0x88000005, + 0xa8000005, 0xf8000005, 0xe8000005, 0xc0000005, + 0xa0000005, 0xd0000005, 0xc8000005, 0xf0000005, + 0x80000005, 0x98000005, 0xd8000005, 0x90000005, + 0x30000005, 0x60000005, 0x38000005, 0x08000005, + 0x28000005, 0x78000005, 0x68000005, 0x40000005, + 0x20000005, 0x50000005, 0x48000005, 0x70000005, + 0x00000005, 0x18000005, 0x58000005, 0x10000005, + 0x30000000, 0x60000000, 0x38000000, 0x08000000, + 0x28000000, 0x78000000, 0x68000000, 0x40000000, + 0x20000000, 0x50000000, 0x48000000, 0x70000000, + 0x00000000, 0x18000000, 0x58000000, 0x10000000, + 0xb0000003, 0xe0000003, 0xb8000003, 0x88000003, + 0xa8000003, 0xf8000003, 0xe8000003, 0xc0000003, + 0xa0000003, 0xd0000003, 0xc8000003, 0xf0000003, + 0x80000003, 0x98000003, 0xd8000003, 0x90000003, + 0x30000001, 0x60000001, 0x38000001, 0x08000001, + 0x28000001, 0x78000001, 0x68000001, 0x40000001, + 0x20000001, 0x50000001, 0x48000001, 0x70000001, + 0x00000001, 0x18000001, 0x58000001, 0x10000001, + 0xb0000000, 0xe0000000, 0xb8000000, 0x88000000, + 0xa8000000, 0xf8000000, 0xe8000000, 0xc0000000, + 0xa0000000, 0xd0000000, 0xc8000000, 0xf0000000, + 0x80000000, 0x98000000, 0xd8000000, 0x90000000, + 0xb0000006, 0xe0000006, 0xb8000006, 0x88000006, + 0xa8000006, 0xf8000006, 0xe8000006, 0xc0000006, + 0xa0000006, 0xd0000006, 0xc8000006, 0xf0000006, + 0x80000006, 0x98000006, 0xd8000006, 0x90000006, + 0xb0000001, 0xe0000001, 0xb8000001, 0x88000001, + 0xa8000001, 0xf8000001, 0xe8000001, 0xc0000001, + 0xa0000001, 0xd0000001, 0xc8000001, 0xf0000001, + 0x80000001, 0x98000001, 0xd8000001, 0x90000001, + 0x30000003, 0x60000003, 0x38000003, 0x08000003, + 0x28000003, 0x78000003, 0x68000003, 0x40000003, + 0x20000003, 0x50000003, 0x48000003, 0x70000003, + 0x00000003, 0x18000003, 0x58000003, 0x10000003, + 0x30000004, 0x60000004, 0x38000004, 0x08000004, + 0x28000004, 0x78000004, 0x68000004, 0x40000004, + 0x20000004, 0x50000004, 0x48000004, 0x70000004, + 0x00000004, 0x18000004, 0x58000004, 0x10000004, + 0xb0000002, 0xe0000002, 0xb8000002, 0x88000002, + 0xa8000002, 0xf8000002, 0xe8000002, 0xc0000002, + 0xa0000002, 0xd0000002, 0xc8000002, 0xf0000002, + 0x80000002, 0x98000002, 0xd8000002, 0x90000002, + 0xb0000004, 0xe0000004, 0xb8000004, 0x88000004, + 0xa8000004, 0xf8000004, 0xe8000004, 0xc0000004, + 0xa0000004, 0xd0000004, 0xc8000004, 0xf0000004, + 0x80000004, 0x98000004, 0xd8000004, 0x90000004, + 0x30000006, 0x60000006, 0x38000006, 0x08000006, + 0x28000006, 0x78000006, 0x68000006, 0x40000006, + 0x20000006, 0x50000006, 0x48000006, 0x70000006, + 0x00000006, 0x18000006, 0x58000006, 0x10000006, + 0xb0000007, 0xe0000007, 0xb8000007, 0x88000007, + 0xa8000007, 0xf8000007, 0xe8000007, 0xc0000007, + 0xa0000007, 0xd0000007, 0xc8000007, 0xf0000007, + 0x80000007, 0x98000007, 0xd8000007, 0x90000007, + 0x30000007, 0x60000007, 0x38000007, 0x08000007, + 0x28000007, 0x78000007, 0x68000007, 0x40000007, + 0x20000007, 0x50000007, 0x48000007, 0x70000007, + 0x00000007, 0x18000007, 0x58000007, 0x10000007, + /* 3 */ + 0x000000e8, 0x000000d8, 0x000000a0, 0x00000088, + 0x00000098, 0x000000f8, 0x000000a8, 0x000000c8, + 0x00000080, 0x000000d0, 0x000000f0, 0x000000b8, + 0x000000b0, 0x000000c0, 0x00000090, 0x000000e0, + 0x000007e8, 0x000007d8, 0x000007a0, 0x00000788, + 0x00000798, 0x000007f8, 0x000007a8, 0x000007c8, + 0x00000780, 0x000007d0, 0x000007f0, 0x000007b8, + 0x000007b0, 0x000007c0, 0x00000790, 0x000007e0, + 0x000006e8, 0x000006d8, 0x000006a0, 0x00000688, + 0x00000698, 0x000006f8, 0x000006a8, 0x000006c8, + 0x00000680, 0x000006d0, 0x000006f0, 0x000006b8, + 0x000006b0, 0x000006c0, 0x00000690, 0x000006e0, + 0x00000068, 0x00000058, 0x00000020, 0x00000008, + 0x00000018, 0x00000078, 0x00000028, 0x00000048, + 0x00000000, 0x00000050, 0x00000070, 0x00000038, + 0x00000030, 0x00000040, 0x00000010, 0x00000060, + 0x000002e8, 0x000002d8, 0x000002a0, 0x00000288, + 0x00000298, 0x000002f8, 0x000002a8, 0x000002c8, + 0x00000280, 0x000002d0, 0x000002f0, 0x000002b8, + 0x000002b0, 0x000002c0, 0x00000290, 0x000002e0, + 0x000003e8, 0x000003d8, 0x000003a0, 0x00000388, + 0x00000398, 0x000003f8, 0x000003a8, 0x000003c8, + 0x00000380, 0x000003d0, 0x000003f0, 0x000003b8, + 0x000003b0, 0x000003c0, 0x00000390, 0x000003e0, + 0x00000568, 0x00000558, 0x00000520, 0x00000508, + 0x00000518, 0x00000578, 0x00000528, 0x00000548, + 0x00000500, 0x00000550, 0x00000570, 0x00000538, + 0x00000530, 0x00000540, 0x00000510, 0x00000560, + 0x00000268, 0x00000258, 0x00000220, 0x00000208, + 0x00000218, 0x00000278, 0x00000228, 0x00000248, + 0x00000200, 0x00000250, 0x00000270, 0x00000238, + 0x00000230, 0x00000240, 0x00000210, 0x00000260, + 0x000004e8, 0x000004d8, 0x000004a0, 0x00000488, + 0x00000498, 0x000004f8, 0x000004a8, 0x000004c8, + 0x00000480, 0x000004d0, 0x000004f0, 0x000004b8, + 0x000004b0, 0x000004c0, 0x00000490, 0x000004e0, + 0x00000168, 0x00000158, 0x00000120, 0x00000108, + 0x00000118, 0x00000178, 0x00000128, 0x00000148, + 0x00000100, 0x00000150, 0x00000170, 0x00000138, + 0x00000130, 0x00000140, 0x00000110, 0x00000160, + 0x000001e8, 0x000001d8, 0x000001a0, 0x00000188, + 0x00000198, 0x000001f8, 0x000001a8, 0x000001c8, + 0x00000180, 0x000001d0, 0x000001f0, 0x000001b8, + 0x000001b0, 0x000001c0, 0x00000190, 0x000001e0, + 0x00000768, 0x00000758, 0x00000720, 0x00000708, + 0x00000718, 0x00000778, 0x00000728, 0x00000748, + 0x00000700, 0x00000750, 0x00000770, 0x00000738, + 0x00000730, 0x00000740, 0x00000710, 0x00000760, + 0x00000368, 0x00000358, 0x00000320, 0x00000308, + 0x00000318, 0x00000378, 0x00000328, 0x00000348, + 0x00000300, 0x00000350, 0x00000370, 0x00000338, + 0x00000330, 0x00000340, 0x00000310, 0x00000360, + 0x000005e8, 0x000005d8, 0x000005a0, 0x00000588, + 0x00000598, 0x000005f8, 0x000005a8, 0x000005c8, + 0x00000580, 0x000005d0, 0x000005f0, 0x000005b8, + 0x000005b0, 0x000005c0, 0x00000590, 0x000005e0, + 0x00000468, 0x00000458, 0x00000420, 0x00000408, + 0x00000418, 0x00000478, 0x00000428, 0x00000448, + 0x00000400, 0x00000450, 0x00000470, 0x00000438, + 0x00000430, 0x00000440, 0x00000410, 0x00000460, + 0x00000668, 0x00000658, 0x00000620, 0x00000608, + 0x00000618, 0x00000678, 0x00000628, 0x00000648, + 0x00000600, 0x00000650, 0x00000670, 0x00000638, + 0x00000630, 0x00000640, 0x00000610, 0x00000660, + } +}; + +/* + * A macro that performs a full encryption round of GOST 28147-89. + * Temporary variables tmp assumed and variables r and l for left and right + * blocks. + */ +#define GOST_ENCRYPT_ROUND(key1, key2, sbox) \ + tmp = (key1) + r; \ + l ^= (sbox)[0*256 + (tmp & 0xff)] ^ (sbox)[1*256 + ((tmp >> 8) & 0xff)] ^ \ + (sbox)[2*256 + ((tmp >> 16) & 0xff)] ^ (sbox)[3*256 + (tmp >> 24)]; \ + tmp = (key2) + l; \ + r ^= (sbox)[0*256 + (tmp & 0xff)] ^ (sbox)[1*256 + ((tmp >> 8) & 0xff)] ^ \ + (sbox)[2*256 + ((tmp >> 16) & 0xff)] ^ (sbox)[3*256 + (tmp >> 24)]; + +/* encrypt a block with the given key */ +void gost28147_encrypt_simple (const uint32_t *key, const uint32_t *sbox, + const uint32_t *in, uint32_t *out) +{ + uint32_t l, r, tmp; + + r = in[0], l = in[1]; + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[7], key[6], sbox) + GOST_ENCRYPT_ROUND(key[5], key[4], sbox) + GOST_ENCRYPT_ROUND(key[3], key[2], sbox) + GOST_ENCRYPT_ROUND(key[1], key[0], sbox) + *out = l, *(out + 1) = r; +} diff --git a/gost28147.h b/gost28147.h new file mode 100644 index 000000000000..83d8915b9d38 --- /dev/null +++ b/gost28147.h @@ -0,0 +1,63 @@ +/* gost28147.h + + The GOST 28147-89 cipher function, described in RFC 5831. + + Copyright (C) 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_GOST28147_H_INCLUDED +#define NETTLE_GOST28147_H_INCLUDED + +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#define gost28147_param_test_3411 nettle_gost28147_param_test_3411 + +/* Private */ +#define gost28147_encrypt_simple nettle_gost28147_encrypt_simple + +struct gost28147_param +{ + uint32_t sbox[4*256]; +}; + +extern const struct gost28147_param gost28147_param_test_3411; + +/* Internal interface for use by GOST R 34.11-94 */ +void gost28147_encrypt_simple (const uint32_t *key, const uint32_t *sbox, + const uint32_t *in, uint32_t *out); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_GOST28147_H_INCLUDED */ diff --git a/gosthash94.c b/gosthash94.c index e60c9ae5cddf..870235eefa34 100644 --- a/gosthash94.c +++ b/gosthash94.c @@ -1,5 +1,7 @@ -/* gost.c - an implementation of GOST Hash Function +/* gosthash94.c - an implementation of GOST Hash Function + * * based on the Russian Standard GOST R 34.11-94. + * English description in RFC 5831. * See also RFC 4357. * * Copyright: 2009-2012 Aleksey Kravchenko <rhash.admin(a)gmail.com> @@ -38,209 +40,7 @@ #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" - -/* pre-initialized GOST lookup tables based on rotated S-Box */ -static const uint32_t gosthash94_sbox[4][256] = { - { - 0x72000, 0x75000, 0x74800, 0x71000, 0x76800, - 0x74000, 0x70000, 0x77000, 0x73000, 0x75800, - 0x70800, 0x76000, 0x73800, 0x77800, 0x72800, - 0x71800, 0x5A000, 0x5D000, 0x5C800, 0x59000, - 0x5E800, 0x5C000, 0x58000, 0x5F000, 0x5B000, - 0x5D800, 0x58800, 0x5E000, 0x5B800, 0x5F800, - 0x5A800, 0x59800, 0x22000, 0x25000, 0x24800, - 0x21000, 0x26800, 0x24000, 0x20000, 0x27000, - 0x23000, 0x25800, 0x20800, 0x26000, 0x23800, - 0x27800, 0x22800, 0x21800, 0x62000, 0x65000, - 0x64800, 0x61000, 0x66800, 0x64000, 0x60000, - 0x67000, 0x63000, 0x65800, 0x60800, 0x66000, - 0x63800, 0x67800, 0x62800, 0x61800, 0x32000, - 0x35000, 0x34800, 0x31000, 0x36800, 0x34000, - 0x30000, 0x37000, 0x33000, 0x35800, 0x30800, - 0x36000, 0x33800, 0x37800, 0x32800, 0x31800, - 0x6A000, 0x6D000, 0x6C800, 0x69000, 0x6E800, - 0x6C000, 0x68000, 0x6F000, 0x6B000, 0x6D800, - 0x68800, 0x6E000, 0x6B800, 0x6F800, 0x6A800, - 0x69800, 0x7A000, 0x7D000, 0x7C800, 0x79000, - 0x7E800, 0x7C000, 0x78000, 0x7F000, 0x7B000, - 0x7D800, 0x78800, 0x7E000, 0x7B800, 0x7F800, - 0x7A800, 0x79800, 0x52000, 0x55000, 0x54800, - 0x51000, 0x56800, 0x54000, 0x50000, 0x57000, - 0x53000, 0x55800, 0x50800, 0x56000, 0x53800, - 0x57800, 0x52800, 0x51800, 0x12000, 0x15000, - 0x14800, 0x11000, 0x16800, 0x14000, 0x10000, - 0x17000, 0x13000, 0x15800, 0x10800, 0x16000, - 0x13800, 0x17800, 0x12800, 0x11800, 0x1A000, - 0x1D000, 0x1C800, 0x19000, 0x1E800, 0x1C000, - 0x18000, 0x1F000, 0x1B000, 0x1D800, 0x18800, - 0x1E000, 0x1B800, 0x1F800, 0x1A800, 0x19800, - 0x42000, 0x45000, 0x44800, 0x41000, 0x46800, - 0x44000, 0x40000, 0x47000, 0x43000, 0x45800, - 0x40800, 0x46000, 0x43800, 0x47800, 0x42800, - 0x41800, 0xA000, 0xD000, 0xC800, 0x9000, - 0xE800, 0xC000, 0x8000, 0xF000, 0xB000, - 0xD800, 0x8800, 0xE000, 0xB800, 0xF800, - 0xA800, 0x9800, 0x2000, 0x5000, 0x4800, - 0x1000, 0x6800, 0x4000, 0x0, 0x7000, - 0x3000, 0x5800, 0x800, 0x6000, 0x3800, - 0x7800, 0x2800, 0x1800, 0x3A000, 0x3D000, - 0x3C800, 0x39000, 0x3E800, 0x3C000, 0x38000, - 0x3F000, 0x3B000, 0x3D800, 0x38800, 0x3E000, - 0x3B800, 0x3F800, 0x3A800, 0x39800, 0x2A000, - 0x2D000, 0x2C800, 0x29000, 0x2E800, 0x2C000, - 0x28000, 0x2F000, 0x2B000, 0x2D800, 0x28800, - 0x2E000, 0x2B800, 0x2F800, 0x2A800, 0x29800, - 0x4A000, 0x4D000, 0x4C800, 0x49000, 0x4E800, - 0x4C000, 0x48000, 0x4F000, 0x4B000, 0x4D800, - 0x48800, 0x4E000, 0x4B800, 0x4F800, 0x4A800, - 0x49800 - }, { - 0x3A80000, 0x3C00000, 0x3880000, 0x3E80000, 0x3D00000, - 0x3980000, 0x3A00000, 0x3900000, 0x3F00000, 0x3F80000, - 0x3E00000, 0x3B80000, 0x3B00000, 0x3800000, 0x3C80000, - 0x3D80000, 0x6A80000, 0x6C00000, 0x6880000, 0x6E80000, - 0x6D00000, 0x6980000, 0x6A00000, 0x6900000, 0x6F00000, - 0x6F80000, 0x6E00000, 0x6B80000, 0x6B00000, 0x6800000, - 0x6C80000, 0x6D80000, 0x5280000, 0x5400000, 0x5080000, - 0x5680000, 0x5500000, 0x5180000, 0x5200000, 0x5100000, - 0x5700000, 0x5780000, 0x5600000, 0x5380000, 0x5300000, - 0x5000000, 0x5480000, 0x5580000, 0xA80000, 0xC00000, - 0x880000, 0xE80000, 0xD00000, 0x980000, 0xA00000, - 0x900000, 0xF00000, 0xF80000, 0xE00000, 0xB80000, - 0xB00000, 0x800000, 0xC80000, 0xD80000, 0x280000, - 0x400000, 0x80000, 0x680000, 0x500000, 0x180000, - 0x200000, 0x100000, 0x700000, 0x780000, 0x600000, - 0x380000, 0x300000, 0x0, 0x480000, 0x580000, - 0x4280000, 0x4400000, 0x4080000, 0x4680000, 0x4500000, - 0x4180000, 0x4200000, 0x4100000, 0x4700000, 0x4780000, - 0x4600000, 0x4380000, 0x4300000, 0x4000000, 0x4480000, - 0x4580000, 0x4A80000, 0x4C00000, 0x4880000, 0x4E80000, - 0x4D00000, 0x4980000, 0x4A00000, 0x4900000, 0x4F00000, - 0x4F80000, 0x4E00000, 0x4B80000, 0x4B00000, 0x4800000, - 0x4C80000, 0x4D80000, 0x7A80000, 0x7C00000, 0x7880000, - 0x7E80000, 0x7D00000, 0x7980000, 0x7A00000, 0x7900000, - 0x7F00000, 0x7F80000, 0x7E00000, 0x7B80000, 0x7B00000, - 0x7800000, 0x7C80000, 0x7D80000, 0x7280000, 0x7400000, - 0x7080000, 0x7680000, 0x7500000, 0x7180000, 0x7200000, - 0x7100000, 0x7700000, 0x7780000, 0x7600000, 0x7380000, - 0x7300000, 0x7000000, 0x7480000, 0x7580000, 0x2280000, - 0x2400000, 0x2080000, 0x2680000, 0x2500000, 0x2180000, - 0x2200000, 0x2100000, 0x2700000, 0x2780000, 0x2600000, - 0x2380000, 0x2300000, 0x2000000, 0x2480000, 0x2580000, - 0x3280000, 0x3400000, 0x3080000, 0x3680000, 0x3500000, - 0x3180000, 0x3200000, 0x3100000, 0x3700000, 0x3780000, - 0x3600000, 0x3380000, 0x3300000, 0x3000000, 0x3480000, - 0x3580000, 0x6280000, 0x6400000, 0x6080000, 0x6680000, - 0x6500000, 0x6180000, 0x6200000, 0x6100000, 0x6700000, - 0x6780000, 0x6600000, 0x6380000, 0x6300000, 0x6000000, - 0x6480000, 0x6580000, 0x5A80000, 0x5C00000, 0x5880000, - 0x5E80000, 0x5D00000, 0x5980000, 0x5A00000, 0x5900000, - 0x5F00000, 0x5F80000, 0x5E00000, 0x5B80000, 0x5B00000, - 0x5800000, 0x5C80000, 0x5D80000, 0x1280000, 0x1400000, - 0x1080000, 0x1680000, 0x1500000, 0x1180000, 0x1200000, - 0x1100000, 0x1700000, 0x1780000, 0x1600000, 0x1380000, - 0x1300000, 0x1000000, 0x1480000, 0x1580000, 0x2A80000, - 0x2C00000, 0x2880000, 0x2E80000, 0x2D00000, 0x2980000, - 0x2A00000, 0x2900000, 0x2F00000, 0x2F80000, 0x2E00000, - 0x2B80000, 0x2B00000, 0x2800000, 0x2C80000, 0x2D80000, - 0x1A80000, 0x1C00000, 0x1880000, 0x1E80000, 0x1D00000, - 0x1980000, 0x1A00000, 0x1900000, 0x1F00000, 0x1F80000, - 0x1E00000, 0x1B80000, 0x1B00000, 0x1800000, 0x1C80000, - 0x1D80000 - }, { - 0x30000002, 0x60000002, 0x38000002, 0x8000002, - 0x28000002, 0x78000002, 0x68000002, 0x40000002, - 0x20000002, 0x50000002, 0x48000002, 0x70000002, - 0x2, 0x18000002, 0x58000002, 0x10000002, - 0xB0000005, 0xE0000005, 0xB8000005, 0x88000005, - 0xA8000005, 0xF8000005, 0xE8000005, 0xC0000005, - 0xA0000005, 0xD0000005, 0xC8000005, 0xF0000005, - 0x80000005, 0x98000005, 0xD8000005, 0x90000005, - 0x30000005, 0x60000005, 0x38000005, 0x8000005, - 0x28000005, 0x78000005, 0x68000005, 0x40000005, - 0x20000005, 0x50000005, 0x48000005, 0x70000005, - 0x5, 0x18000005, 0x58000005, 0x10000005, - 0x30000000, 0x60000000, 0x38000000, 0x8000000, - 0x28000000, 0x78000000, 0x68000000, 0x40000000, - 0x20000000, 0x50000000, 0x48000000, 0x70000000, - 0x0, 0x18000000, 0x58000000, 0x10000000, - 0xB0000003, 0xE0000003, 0xB8000003, 0x88000003, - 0xA8000003, 0xF8000003, 0xE8000003, 0xC0000003, - 0xA0000003, 0xD0000003, 0xC8000003, 0xF0000003, - 0x80000003, 0x98000003, 0xD8000003, 0x90000003, - 0x30000001, 0x60000001, 0x38000001, 0x8000001, - 0x28000001, 0x78000001, 0x68000001, 0x40000001, - 0x20000001, 0x50000001, 0x48000001, 0x70000001, - 0x1, 0x18000001, 0x58000001, 0x10000001, - 0xB0000000, 0xE0000000, 0xB8000000, 0x88000000, - 0xA8000000, 0xF8000000, 0xE8000000, 0xC0000000, - 0xA0000000, 0xD0000000, 0xC8000000, 0xF0000000, - 0x80000000, 0x98000000, 0xD8000000, 0x90000000, - 0xB0000006, 0xE0000006, 0xB8000006, 0x88000006, - 0xA8000006, 0xF8000006, 0xE8000006, 0xC0000006, - 0xA0000006, 0xD0000006, 0xC8000006, 0xF0000006, - 0x80000006, 0x98000006, 0xD8000006, 0x90000006, - 0xB0000001, 0xE0000001, 0xB8000001, 0x88000001, - 0xA8000001, 0xF8000001, 0xE8000001, 0xC0000001, - 0xA0000001, 0xD0000001, 0xC8000001, 0xF0000001, - 0x80000001, 0x98000001, 0xD8000001, 0x90000001, - 0x30000003, 0x60000003, 0x38000003, 0x8000003, - 0x28000003, 0x78000003, 0x68000003, 0x40000003, - 0x20000003, 0x50000003, 0x48000003, 0x70000003, - 0x3, 0x18000003, 0x58000003, 0x10000003, - 0x30000004, 0x60000004, 0x38000004, 0x8000004, - 0x28000004, 0x78000004, 0x68000004, 0x40000004, - 0x20000004, 0x50000004, 0x48000004, 0x70000004, - 0x4, 0x18000004, 0x58000004, 0x10000004, - 0xB0000002, 0xE0000002, 0xB8000002, 0x88000002, - 0xA8000002, 0xF8000002, 0xE8000002, 0xC0000002, - 0xA0000002, 0xD0000002, 0xC8000002, 0xF0000002, - 0x80000002, 0x98000002, 0xD8000002, 0x90000002, - 0xB0000004, 0xE0000004, 0xB8000004, 0x88000004, - 0xA8000004, 0xF8000004, 0xE8000004, 0xC0000004, - 0xA0000004, 0xD0000004, 0xC8000004, 0xF0000004, - 0x80000004, 0x98000004, 0xD8000004, 0x90000004, - 0x30000006, 0x60000006, 0x38000006, 0x8000006, - 0x28000006, 0x78000006, 0x68000006, 0x40000006, - 0x20000006, 0x50000006, 0x48000006, 0x70000006, - 0x6, 0x18000006, 0x58000006, 0x10000006, - 0xB0000007, 0xE0000007, 0xB8000007, 0x88000007, - 0xA8000007, 0xF8000007, 0xE8000007, 0xC0000007, - 0xA0000007, 0xD0000007, 0xC8000007, 0xF0000007, - 0x80000007, 0x98000007, 0xD8000007, 0x90000007, - 0x30000007, 0x60000007, 0x38000007, 0x8000007, - 0x28000007, 0x78000007, 0x68000007, 0x40000007, - 0x20000007, 0x50000007, 0x48000007, 0x70000007, - 0x7, 0x18000007, 0x58000007, 0x10000007 - }, { - 0xE8, 0xD8, 0xA0, 0x88, 0x98, 0xF8, 0xA8, 0xC8, 0x80, 0xD0, - 0xF0, 0xB8, 0xB0, 0xC0, 0x90, 0xE0, 0x7E8, 0x7D8, 0x7A0, 0x788, - 0x798, 0x7F8, 0x7A8, 0x7C8, 0x780, 0x7D0, 0x7F0, 0x7B8, 0x7B0, 0x7C0, - 0x790, 0x7E0, 0x6E8, 0x6D8, 0x6A0, 0x688, 0x698, 0x6F8, 0x6A8, 0x6C8, - 0x680, 0x6D0, 0x6F0, 0x6B8, 0x6B0, 0x6C0, 0x690, 0x6E0, 0x68, 0x58, - 0x20, 0x8, 0x18, 0x78, 0x28, 0x48, 0x0, 0x50, 0x70, 0x38, - 0x30, 0x40, 0x10, 0x60, 0x2E8, 0x2D8, 0x2A0, 0x288, 0x298, 0x2F8, - 0x2A8, 0x2C8, 0x280, 0x2D0, 0x2F0, 0x2B8, 0x2B0, 0x2C0, 0x290, 0x2E0, - 0x3E8, 0x3D8, 0x3A0, 0x388, 0x398, 0x3F8, 0x3A8, 0x3C8, 0x380, 0x3D0, - 0x3F0, 0x3B8, 0x3B0, 0x3C0, 0x390, 0x3E0, 0x568, 0x558, 0x520, 0x508, - 0x518, 0x578, 0x528, 0x548, 0x500, 0x550, 0x570, 0x538, 0x530, 0x540, - 0x510, 0x560, 0x268, 0x258, 0x220, 0x208, 0x218, 0x278, 0x228, 0x248, - 0x200, 0x250, 0x270, 0x238, 0x230, 0x240, 0x210, 0x260, 0x4E8, 0x4D8, - 0x4A0, 0x488, 0x498, 0x4F8, 0x4A8, 0x4C8, 0x480, 0x4D0, 0x4F0, 0x4B8, - 0x4B0, 0x4C0, 0x490, 0x4E0, 0x168, 0x158, 0x120, 0x108, 0x118, 0x178, - 0x128, 0x148, 0x100, 0x150, 0x170, 0x138, 0x130, 0x140, 0x110, 0x160, - 0x1E8, 0x1D8, 0x1A0, 0x188, 0x198, 0x1F8, 0x1A8, 0x1C8, 0x180, 0x1D0, - 0x1F0, 0x1B8, 0x1B0, 0x1C0, 0x190, 0x1E0, 0x768, 0x758, 0x720, 0x708, - 0x718, 0x778, 0x728, 0x748, 0x700, 0x750, 0x770, 0x738, 0x730, 0x740, - 0x710, 0x760, 0x368, 0x358, 0x320, 0x308, 0x318, 0x378, 0x328, 0x348, - 0x300, 0x350, 0x370, 0x338, 0x330, 0x340, 0x310, 0x360, 0x5E8, 0x5D8, - 0x5A0, 0x588, 0x598, 0x5F8, 0x5A8, 0x5C8, 0x580, 0x5D0, 0x5F0, 0x5B8, - 0x5B0, 0x5C0, 0x590, 0x5E0, 0x468, 0x458, 0x420, 0x408, 0x418, 0x478, - 0x428, 0x448, 0x400, 0x450, 0x470, 0x438, 0x430, 0x440, 0x410, 0x460, - 0x668, 0x658, 0x620, 0x608, 0x618, 0x678, 0x628, 0x648, 0x600, 0x650, - 0x670, 0x638, 0x630, 0x640, 0x610, 0x660 - } -}; +#include "gost28147.h" /** * Initialize algorithm context before calculating hash @@ -254,40 +54,6 @@ gosthash94_init (struct gosthash94_ctx *ctx) memset (ctx, 0, sizeof (struct gosthash94_ctx)); } -/* - * A macro that performs a full encryption round of GOST 28147-89. - * Temporary variables tmp assumed and variables r and l for left and right - * blocks. - */ -#define GOST_ENCRYPT_ROUND(key1, key2, sbox) \ - tmp = (key1) + r; \ - l ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \ - (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; \ - tmp = (key2) + l; \ - r ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \ - (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; - -/* encrypt a block with the given key */ -#define GOST_ENCRYPT(result, i, key, hash, sbox) \ - r = hash[i], l = hash[i + 1]; \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[7], key[6], sbox) \ - GOST_ENCRYPT_ROUND(key[5], key[4], sbox) \ - GOST_ENCRYPT_ROUND(key[3], key[2], sbox) \ - GOST_ENCRYPT_ROUND(key[1], key[0], sbox) \ - result[i] = l, result[i + 1] = r; - /** * The core transformation. Process a 512-bit block. * @@ -299,7 +65,6 @@ gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block) { unsigned i; uint32_t key[8], u[8], v[8], w[8], s[8]; - uint32_t l, r, tmp; /* u := hash, v := <256-bit message block> */ memcpy (u, ctx->hash, sizeof (u)); @@ -341,7 +106,7 @@ gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block) ((w[5] & 0xff000000) >> 8) | (w[7] & 0xff000000); /* encryption: s_i := E_{key_i} (h_i) */ - GOST_ENCRYPT (s, i, key, ctx->hash, gosthash94_sbox); + gost28147_encrypt_simple (key, gost28147_param_test_3411.sbox, &ctx->hash[i], &s[i]); if (i == 0) { -- 2.20.1

2 8

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs