nettle-bugs

nettle-bugs@lists.lysator.liu.se

2191 discussions

[PATCH 0/2] Updating the nettle-benchmark
by Emil Velikov 08 May '20

08 May '20

Hi all, Here are a couple of small patches for nettle-benchmark: - removes the deprecated OpenSSL hash API - adds more OpenSSL sha2 hashes into the mix Kindly merge or let me know of your concerns :-) Related question: As you can see from the second patch, nettle performance is a little low wrt OpenSSL - ~55% for sha1, and ~65% for sha2. Is that normal, or there is something off with my system/build? I'm using the default "--enable-assembler" and "-O2" as seen in the configure.ac, plus my processor lacks the SHA_NI ISA. Thanks Emil P.S. More misc patches coming shortly, so stay tuned :-P Emil Velikov (2): examples: don't use deprecated OpenSSL hashing API external: add more openssl sha2 digests to the benchmark examples/nettle-benchmark.c | 6 +- examples/nettle-openssl.c | 112 ++++++++++++++---------------------- nettle-internal.h | 3 + 3 files changed, 50 insertions(+), 71 deletions(-) -- 2.25.1

2 5

ANNOUNCE: Nettle-3.6
by nisse＠lysator.liu.se 04 May '20

04 May '20

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I'm happy to announce a new release of GNU Nettle, a low-level cryptographics library. This version includes several new features, and a couple of bug fixes, see NEWS entries below. The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html. The release can be downloaded from https://ftp.gnu.org/gnu/nettle/nettle-3.6.tar.gz ftp://ftp.gnu.org/gnu/nettle/nettle-3.6.tar.gz https://www.lysator.liu.se/~nisse/archive/nettle-3.6.tar.gz Happy hacking, /Niels Möller NEWS for the Nettle 3.6 release This release adds a couple of new features, most notable being support for ED448 signatures. It is not binary compatible with earlier releases. The shared library names are libnettle.so.8.0 and libhogweed.so.6.0, with sonames nibnettle.so.8 and libhogweed.so.6. The changed sonames are mainly to avoid upgrade problems with recent GnuTLS versions, that depend on Nettle internals outside of the advertised ABI. But also because of the removal of internal poly1305 functions which were undocumented but declared in an installed header file, see Interface changes below. New features: * Support for Curve448 and ED448 signatures. Contributed by Daiki Ueno. * Support for SHAKE256 (SHA3 variant with arbitrary output size). Contributed by Daiki Ueno. * Support for SIV-CMAC (Synthetic Initialization Vector) mode, contributed by Nikos Mavrogiannopoulos. * Support for CMAC64, contributed by Dmitry Baryshkov. * Support for the "CryptoPro" variant of the GOST hash function, as gosthash94cp. Contributed by Dmitry Baryshkov. * Support for GOST DSA signatures, including GOST curves gc256b and gc512a. Contributed by Dmitry Baryshkov. * Support for Intel CET in x86 and x86_64 assembly files, if enabled via CFLAGS (gcc --fcf-protection=full). Contributed by H.J. Lu and Simo Sorce. * A few new functions to improve support for the Chacha variant with 96-bit nonce and 32-bit block counter (the existing functions use nonce and counter of 64-bit each), and functions to set the counter. Contributed by Daiki Ueno. * New interface, struct nettle_mac, for MAC (message authentication code) algorithms. This abstraction is only for MACs that don't require a per-message nonce. For HMAC, the key size is fixed, and equal the digest size of the underlying hash function. Bug fixes: * Fix bug in cfb8_decrypt. Previously, the IV was not updated correctly in the case of input data shorter than the block size. Reported by Stephan Mueller, fixed by Daiki Ueno. * Fix configure check for __builtin_bswap64, the incorrect check would result in link errors on platforms missing this function. Patch contributed by George Koehler. * All use of old-fashioned suffix rules in the Makefiles have been replaced with %-pattern rules. Nettle's use of suffix rules in earlier versions depended on undocumented GNU make behavior, which is being deprecated in GNU make 4.3. Building with other make programs than GNU make is untested and unsupported. (Building with BSD make or Solaris make used to work years ago, but has not been tested recently). Interface changes: * Declarations of internal poly1305.h functions have been removed from the header file poly1305.h, to make it clear that they are not part of the advertised API or ABI. Miscellaneous: * Building the public key support of nettle now requires GMP version 6.1.0 or later (unless --enable-mini-gmp is used). * A fair amount of changes to ECC internals, with a few deleted and a few new fields in the internal struct ecc_curve. Files and functions have been renamed to more consistently match the curve name, e.g., ecc-256.c has been renamed to ecc-secp256r1.c. * Documentation for chacha-poly1305 updated. It is no longer experimental. The implementation was updated to follow RFC 8439 in Nettle-3.1, but that was not documented or announced at the time. - -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEy0li0HDXfX/Li6Nicdjx/zaMZncFAl6p3hsACgkQcdjx/zaM ZneC5gf7BZuz13jnIzETuRCtqwcV8BaFZOhBrDmqPxHeCVL2BVZwUxVpIVZAhqKu ngj5i4GEQBHLg5BRJk/97gyn4YCbWfr7397tqBdUWO2VWFKaG+5QGCG3pjjxyjgm hECNrRpSLHHVzUFi2bLCo4Ur+R2d52I1l+hI7CekTxAk1c01xhpobs0pSUDUCfco /c8gNbbrNZc/KxUq1qtaWucxvysa4BsfnqucnhjAftMrmishFdr282gWNrnK3q9K kHIxCL01bYIQVQmYdH0VglGtq7rYCkL870Ip21OOaL+LIHm1FMaDpXHbXi/GkGqK Ukre//RxgMbwPMsM7eh5rp7pOAqdug== =QvUR -----END PGP SIGNATURE-----

2 3

Nettle-3.6rc2
by nisse＠lysator.liu.se 25 Apr '20

25 Apr '20

I've made another tarball, http://www.lysator.liu.se/~nisse/archive/nettle-3.6rc2.tar.gz http://www.lysator.liu.se/~nisse/archive/nettle-3.6rc1.tar.gz.sig Changes some rc1: * Sonames of *both* libnettle and libhogweed are updated. * Merged gost_vko. * Other api/abi cleanups, affecting gosthash and poly1305. * Deleted the test asserts that failed when linking hogweed.dll in wine (and presumably on windows too). * Some more Makefile and test cleanups, deleted the .testrules.make file (replaced with %-pattern rules in the main testsuite/Makefile.in), deleted workaround with extra dll symlinks, and instead set WINEPATH. * NEWS edits. -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

1 0

Windows dll test failures
by nisse＠lysator.liu.se 23 Apr '20

23 Apr '20

I have a question to the list, if anyone here knows details of how windows dlls work. I cross compile for windows with ./configure --host=x86_64-w64-mingw32 --enable-mini-gmp CXX=/bin/false make and run tests with make check EMULATOR=wine64 It fails the ecc-dup and ecc-add tests, in this and similar asserts: ASSERT (ecc->dup == ecc_dup_jj); Here, the right hand side is a symbol from libhogweed-x.dll, and on the left hand side, ecc refers to a constant struct in the same dll. My guess us that dynamic linking on windows doesn't provide function pointer comparisons as specified by the C standard. Maybe left-hand side is the real function entry point, and the right hand side is the address of some glue code related to dynamic linking. Is that right? If so, I can just disable this assert for windows, but I'd like to understand what'g going on. I think the reason it works with ELF, is that ELF dynamic linking tries harder to make all references point to the same PLT glue code, but I don't fully understand the details there either. Somewhat related to this: The ecc pointer is taken from this array in testutils.c: const struct ecc_curve * const ecc_curves[] = { &_nettle_secp_192r1, &_nettle_secp_224r1, &_nettle_secp_256r1, &_nettle_secp_384r1, &_nettle_secp_521r1, &_nettle_curve25519, &_nettle_curve448, &_nettle_gost_gc256b, &_nettle_gost_gc512a, NULL }; The entries are references to data objects in the dll. I'm a bit surprised that works at all, is it expected to work? I had the impression that dlls only exported functions. Should the test code be changed to use the advertised getter functions, nettle_get_secp_256r1 and friends? Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

2 3

[PATCH v3] Implement GOST VKO key derivation algorithm
by Dmitry Baryshkov 21 Apr '20

21 Apr '20

From: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- Makefile.in | 2 +- gostdsa-vko.c | 96 ++++++++++++++++++++++++++++++++++++ gostdsa.h | 7 +++ nettle.texinfo | 15 ++++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/gostdsa-vko-test.c | 91 ++++++++++++++++++++++++++++++++++ 8 files changed, 215 insertions(+), 2 deletions(-) create mode 100644 gostdsa-vko.c create mode 100644 testsuite/gostdsa-vko-test.c diff --git a/Makefile.in b/Makefile.in index ddc304285321..29b3cfb4aafe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -194,7 +194,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ ecc-gostdsa-sign.c gostdsa-sign.c \ - ecc-gostdsa-verify.c gostdsa-verify.c \ + ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ diff --git a/gostdsa-vko.c b/gostdsa-vko.c new file mode 100644 index 000000000000..7bdcdfc3fa16 --- /dev/null +++ b/gostdsa-vko.c @@ -0,0 +1,96 @@ +/* gostdsa-vko.c + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> +#include <stdlib.h> + +#include "ecc-internal.h" +#include "gostdsa.h" + +/* + * Shared key derivation/key agreement for GOST DSA algorithm. + * It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1 + * + * output is 2 * curve size: + * 64 bytes for 256 bit curves and 128 bytes for 512 bit ones + * + * Basically shared key is equal to hash(cofactor * ukm * priv * pub). This + * function does multiplication. Caller should do hashing on his own. + * + * UKM is not a secret value (consider it as a nonce). + * + * For supported GOST curves cofactor is equal to 1. + */ +void +gostdsa_vko (const struct ecc_scalar *priv, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + uint8_t *out) +{ + const struct ecc_curve *ecc = priv->ecc; + unsigned bsize = (ecc_bit_size (ecc) + 7) / 8; + mp_size_t size = ecc->p.size; + mp_size_t itch = 4*size + ecc->mul_itch; + mp_limb_t *scratch; + + if (itch < 5*size + ecc->h_to_a_itch) + itch = 5*size + ecc->h_to_a_itch; + + assert (pub->ecc == ecc); + assert (priv->ecc == ecc); + assert (ukm_length <= bsize); + + scratch = gmp_alloc_limbs (itch); + +#define UKM scratch +#define TEMP (scratch + 3*size) +#define XYZ scratch +#define TEMP_Y (scratch + 4*size) + + mpn_set_base256_le (UKM, size, ukm, ukm_length); + + /* If ukm is 0, set it to 1, otherwise the result will be allways equal to 0, + * no matter what private and public keys are. See RFC 4357 referencing GOST + * R 34.10-2001 (RFC 5832) Section 6.1 step 2. */ + if (mpn_zero_p (UKM, size)) + UKM[0] = 1; + + ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */ + ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ + ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ + mpn_get_base256_le (out, bsize, TEMP, size); + mpn_get_base256_le (out+bsize, bsize, TEMP_Y, size); + gmp_free_limbs (scratch, itch); +} diff --git a/gostdsa.h b/gostdsa.h index c92dfd1e1dd6..d479201e3295 100644 --- a/gostdsa.h +++ b/gostdsa.h @@ -44,6 +44,7 @@ extern "C" { /* Name mangling */ #define gostdsa_sign nettle_gostdsa_sign #define gostdsa_verify nettle_gostdsa_verify +#define gostdsa_vko nettle_gostdsa_vko #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify @@ -68,6 +69,12 @@ gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); +void +gostdsa_vko (const struct ecc_scalar *key, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + uint8_t *out); + /* Low-level GOSTDSA functions. */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc); diff --git a/nettle.texinfo b/nettle.texinfo index ff64889c4169..995d5de80813 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -1065,6 +1065,7 @@ This function also resets the context in the same way as @subsubsection @acronym{GOSTHASH94 and GOSTHASH94CP} @cindex GOST hash +@anchor{GOSTHASH94CP} The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see @cite{RFC 4357}). It outputs message digests of 256 bits, or 32 octets. The standard itself @@ -5157,6 +5158,20 @@ Returns curve corresponding to following identifiers: @end itemize @end deftypefun +For GOST key pairs key derivation/key agreement function (VKO) is defined in +@cite{RFC 4357} and @cite{RFC 7836}. Basically shared key is equal to +hash(cofactor * ukm * priv * pub). Nettle library provides a function that does +multiplication. Caller should do hashing on his own (it will be either +GOST R 34.11-94 (@pxref{GOSTHASH94CP}) or GOST R 34.11-2012, Streebog, which nor part of the library yet). + +@deftypefun void gostdsa_vko (const struct ecc_scalar *@var{priv}, const struct ecc_point *@var{pub}, size_t @var{ukm_length}, const uint8_t *@var{ukm}, uint8_t *@var{out}) +Uses private key @var{priv}, public ket @var{pub} and shared key material +@var{ukm} to generate shared secret, written to buffer @var{out}. The buffer +should be of the size equal to 2 private key lengths: 64 bytes for 256 bit +curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually +transferred in cleartext. It does not have to be secret. +@end deftypefun + @node Curve 25519 and Curve 448, , ECDSA, Elliptic curves @comment node-name, next, previous, up @subsubsection Curve25519 and Curve448 diff --git a/testsuite/.gitignore b/testsuite/.gitignore index b8b36c2accc2..a2b3d52312cd 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -46,6 +46,7 @@ /gostdsa-keygen-test /gostdsa-sign-test /gostdsa-verify-test +/gostdsa-vko-test /gosthash94-test /hkdf-test /hmac-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 9de8f4125079..fdcde6cb9748 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -304,6 +304,9 @@ gostdsa-verify-test$(EXEEXT): gostdsa-verify-test.$(OBJEXT) gostdsa-keygen-test$(EXEEXT): gostdsa-keygen-test.$(OBJEXT) $(LINK) gostdsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-keygen-test$(EXEEXT) +gostdsa-vko-test$(EXEEXT): gostdsa-vko-test.$(OBJEXT) + $(LINK) gostdsa-vko-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-vko-test$(EXEEXT) + sha1-huge-test$(EXEEXT): sha1-huge-test.$(OBJEXT) $(LINK) sha1-huge-test.$(OBJEXT) $(TEST_OBJS) -o sha1-huge-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 89b52efad9df..025f3ea18040 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -56,7 +56,7 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ eddsa-verify-test.c ed25519-test.c ed448-test.c \ gostdsa-sign-test.c gostdsa-verify-test.c \ - gostdsa-keygen-test.c + gostdsa-keygen-test.c gostdsa-vko-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx diff --git a/testsuite/gostdsa-vko-test.c b/testsuite/gostdsa-vko-test.c new file mode 100644 index 000000000000..c8a762b125c2 --- /dev/null +++ b/testsuite/gostdsa-vko-test.c @@ -0,0 +1,91 @@ +#include "testutils.h" +#include "gostdsa.h" + +static void +test_vko (const struct ecc_curve *ecc, + const char *priv, + const char *x, + const char *y, + const struct tstring *ukm, + const struct nettle_hash *hash, + void * hash_ctx, + const struct tstring *res) +{ + struct ecc_scalar ecc_key; + struct ecc_point ecc_pub; + mpz_t temp1, temp2; + uint8_t out[128]; + size_t out_len = ((ecc_bit_size(ecc) + 7) / 8) * 2; + + ASSERT(out_len <= sizeof(out)); + + ecc_point_init (&ecc_pub, ecc); + mpz_init_set_str (temp1, x, 16); + mpz_init_set_str (temp2, y, 16); + ASSERT (ecc_point_set (&ecc_pub, temp1, temp2) != 0); + + ecc_scalar_init (&ecc_key, ecc); + mpz_set_str (temp1, priv, 16); + ASSERT (ecc_scalar_set (&ecc_key, temp1) != 0); + + mpz_clear (temp1); + mpz_clear (temp2); + + gostdsa_vko (&ecc_key, &ecc_pub, + ukm->length, ukm->data, + out); + + ecc_scalar_clear (&ecc_key); + ecc_point_clear (&ecc_pub); + + if (hash) + { + hash->init (hash_ctx); + hash->update (hash_ctx, out_len, out); + hash->digest (hash_ctx, hash->digest_size, out); + + ASSERT (hash->digest_size == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } + else + { + ASSERT (out_len == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } +} + +void +test_main (void) +{ + /* RFC 7836, App B, provides test vectors, values there are little endian. + * + * However those test vectors depend on the availability of Streebog hash + * functions, which is not available (yet). So these test vectors capture + * the VKO value just before hash function. One can verify them by + * calculating the Streeebog function and comparing the result with RFC + * 7836, App B. */ + test_vko(nettle_get_gost_gc512a(), + "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", + "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", + "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + + test_vko(nettle_get_gost_gc512a(), + "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", + "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", + "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + +} -- 2.25.1

2 2

[PATCH v2] Implement GOST VKO key derivation algorithm
by Dmitry Baryshkov 21 Apr '20

21 Apr '20

From: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- Makefile.in | 2 +- gostdsa-vko.c | 94 ++++++++++++++++++++++++++++++++++++ gostdsa.h | 7 +++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/gostdsa-vko-test.c | 91 ++++++++++++++++++++++++++++++++++ 7 files changed, 198 insertions(+), 2 deletions(-) create mode 100644 gostdsa-vko.c create mode 100644 testsuite/gostdsa-vko-test.c -- - Added internal documentation - Dropped dependency of tests on Streebog diff --git a/Makefile.in b/Makefile.in index ddc304285321..29b3cfb4aafe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -194,7 +194,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ ecc-gostdsa-sign.c gostdsa-sign.c \ - ecc-gostdsa-verify.c gostdsa-verify.c \ + ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ diff --git a/gostdsa-vko.c b/gostdsa-vko.c new file mode 100644 index 000000000000..0c027014e5ea --- /dev/null +++ b/gostdsa-vko.c @@ -0,0 +1,94 @@ +/* gostdsa-vko.c + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> +#include <stdlib.h> + +#include "ecc-internal.h" +#include "gostdsa.h" + +/* + * Shared key derivation/key agreement for GOST DSA algorithm. + * It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1 + * + * Basically shared key is equal to hash(cofactor * ukm * priv * pub). This + * function does multiplication. Caller should do hashing on his own. + * + * UKM is not a secret value (consider it as a nonce). + * + * For supported GOST curves cofactor is equal to 1. + */ +void +gostdsa_vko(const struct ecc_scalar *priv, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + size_t out_length, uint8_t *out) +{ + const struct ecc_curve *ecc = priv->ecc; + unsigned bsize = (ecc_bit_size(ecc) + 7) / 8; + mp_size_t size = ecc->p.size; + mp_size_t itch = 4*size + ecc->mul_itch; + mp_limb_t *scratch; + + if (itch < 5*size + ecc->h_to_a_itch) + itch = 5*size + ecc->h_to_a_itch; + + assert (pub->ecc == ecc); + assert (priv->ecc == ecc); + assert (out_length == 2 * bsize); + assert (ukm_length <= bsize); + + scratch = gmp_alloc_limbs (itch); + +#define UKM scratch +#define TEMP (scratch + 3*size) +#define XYZ scratch +#define TEMP_Y (scratch + 4*size) + + mpn_set_base256_le (UKM, size, ukm, ukm_length); + + /* If ukm is 0, set it to 1, otherwise the result will be allways equal to 0, + * no matter what private and public keys are. See RFC 4357 referencing GOST + * R 34.10-2001 (RFC 5832) Section 6.1 step 2. */ + if (mpn_zero_p (UKM, size)) + UKM[0] = 1; + + ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */ + ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ + ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ + mpn_get_base256_le (out, bsize, TEMP, size); + mpn_get_base256_le (out+bsize, bsize, TEMP_Y, size); + gmp_free_limbs (scratch, itch); +} diff --git a/gostdsa.h b/gostdsa.h index c92dfd1e1dd6..5ccf35a767a8 100644 --- a/gostdsa.h +++ b/gostdsa.h @@ -44,6 +44,7 @@ extern "C" { /* Name mangling */ #define gostdsa_sign nettle_gostdsa_sign #define gostdsa_verify nettle_gostdsa_verify +#define gostdsa_vko nettle_gostdsa_vko #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify @@ -68,6 +69,12 @@ gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); +void +gostdsa_vko(const struct ecc_scalar *key, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + size_t out_length, uint8_t *out); + /* Low-level GOSTDSA functions. */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc); diff --git a/testsuite/.gitignore b/testsuite/.gitignore index b8b36c2accc2..a2b3d52312cd 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -46,6 +46,7 @@ /gostdsa-keygen-test /gostdsa-sign-test /gostdsa-verify-test +/gostdsa-vko-test /gosthash94-test /hkdf-test /hmac-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 9de8f4125079..fdcde6cb9748 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -304,6 +304,9 @@ gostdsa-verify-test$(EXEEXT): gostdsa-verify-test.$(OBJEXT) gostdsa-keygen-test$(EXEEXT): gostdsa-keygen-test.$(OBJEXT) $(LINK) gostdsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-keygen-test$(EXEEXT) +gostdsa-vko-test$(EXEEXT): gostdsa-vko-test.$(OBJEXT) + $(LINK) gostdsa-vko-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-vko-test$(EXEEXT) + sha1-huge-test$(EXEEXT): sha1-huge-test.$(OBJEXT) $(LINK) sha1-huge-test.$(OBJEXT) $(TEST_OBJS) -o sha1-huge-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 89b52efad9df..025f3ea18040 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -56,7 +56,7 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ eddsa-verify-test.c ed25519-test.c ed448-test.c \ gostdsa-sign-test.c gostdsa-verify-test.c \ - gostdsa-keygen-test.c + gostdsa-keygen-test.c gostdsa-vko-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx diff --git a/testsuite/gostdsa-vko-test.c b/testsuite/gostdsa-vko-test.c new file mode 100644 index 000000000000..5d77f2efced5 --- /dev/null +++ b/testsuite/gostdsa-vko-test.c @@ -0,0 +1,91 @@ +#include "testutils.h" +#include "gostdsa.h" + +static void +test_vko (const struct ecc_curve *ecc, + const char *priv, + const char *x, + const char *y, + const struct tstring *ukm, + const struct nettle_hash *hash, + void * hash_ctx, + const struct tstring *res) +{ + struct ecc_scalar ecc_key; + struct ecc_point ecc_pub; + mpz_t temp1, temp2; + uint8_t out[128]; + size_t out_len = ((ecc_bit_size(ecc) + 7) / 8) * 2; + + ASSERT(out_len <= sizeof(out)); + + ecc_point_init (&ecc_pub, ecc); + mpz_init_set_str (temp1, x, 16); + mpz_init_set_str (temp2, y, 16); + ASSERT (ecc_point_set (&ecc_pub, temp1, temp2) != 0); + + ecc_scalar_init (&ecc_key, ecc); + mpz_set_str (temp1, priv, 16); + ASSERT (ecc_scalar_set (&ecc_key, temp1) != 0); + + mpz_clear (temp1); + mpz_clear (temp2); + + gostdsa_vko (&ecc_key, &ecc_pub, + ukm->length, ukm->data, + out_len, out); + + ecc_scalar_clear (&ecc_key); + ecc_point_clear (&ecc_pub); + + if (hash) + { + hash->init (hash_ctx); + hash->update (hash_ctx, out_len, out); + hash->digest (hash_ctx, hash->digest_size, out); + + ASSERT (hash->digest_size == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } + else + { + ASSERT (out_len == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } +} + +void +test_main (void) +{ + /* RFC 7836, App B, provides test vectors, values there are little endian. + * + * However those test vectors depend on the availability of Streebog hash + * functions, which is not available (yet). So these test vectors capture + * the VKO value just before hash function. One can verify them by + * calculating the Streeebog function and comparing the result with RFC + * 7836, App B. */ + test_vko(nettle_get_gost_gc512a(), + "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", + "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", + "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + + test_vko(nettle_get_gost_gc512a(), + "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", + "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", + "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + +} -- 2.25.1

2 3

[PATCH 1/6] Start separating GOST 28147-89 from GOST R 34.11-94
by Dmitry Eremin-Solenikov 19 Apr '20

19 Apr '20

Hash function GOST R 34.11-94 (gosthash94) in its compression function uses Russian block cipher (GOST 28147-89, Magma). Start separating block cipher code from hash function code. For now there is no public interface for this cipher, it will be added later. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- Makefile.in | 4 +- gost28147.c | 342 +++++++++++++++++++++++++++++++++++++++++++++++++++ gost28147.h | 63 ++++++++++ gosthash94.c | 245 +----------------------------------- 4 files changed, 412 insertions(+), 242 deletions(-) create mode 100644 gost28147.c create mode 100644 gost28147.h diff --git a/Makefile.in b/Makefile.in index 537e97d19bea..795d66edb2c8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -102,7 +102,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ cmac.c cmac-aes128.c cmac-aes256.c \ - gosthash94.c gosthash94-meta.c \ + gost28147.c gosthash94.c gosthash94-meta.c \ hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ knuth-lfib.c hkdf.c \ @@ -195,7 +195,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gosthash94.h hmac.h \ + gcm.h gost28147.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h \ diff --git a/gost28147.c b/gost28147.c new file mode 100644 index 000000000000..c734c4365fa7 --- /dev/null +++ b/gost28147.c @@ -0,0 +1,342 @@ +/* gost28147.c - GOST 28147-89 cipher implementation + * + * based on Russian standard GOST 28147-89 + * For English description, check RFC 5830. + * S-Boxes are expanded from the tables defined in RFC4357: + * https://tools.ietf.org/html/rfc4357 + * + * Copyright: 2019 Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> + * Copyright: 2009-2012 Aleksey Kravchenko <rhash.admin(a)gmail.com> + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + +#if HAVE_CONFIG_H +#include "config.h" +#endif + +#include "macros.h" +#include "gost28147.h" + +/* pre-initialized GOST lookup tables based on rotated S-Box */ +const struct gost28147_param gost28147_param_test_3411 = +{ + { + /* 0 */ + 0x00072000, 0x00075000, 0x00074800, 0x00071000, + 0x00076800, 0x00074000, 0x00070000, 0x00077000, + 0x00073000, 0x00075800, 0x00070800, 0x00076000, + 0x00073800, 0x00077800, 0x00072800, 0x00071800, + 0x0005a000, 0x0005d000, 0x0005c800, 0x00059000, + 0x0005e800, 0x0005c000, 0x00058000, 0x0005f000, + 0x0005b000, 0x0005d800, 0x00058800, 0x0005e000, + 0x0005b800, 0x0005f800, 0x0005a800, 0x00059800, + 0x00022000, 0x00025000, 0x00024800, 0x00021000, + 0x00026800, 0x00024000, 0x00020000, 0x00027000, + 0x00023000, 0x00025800, 0x00020800, 0x00026000, + 0x00023800, 0x00027800, 0x00022800, 0x00021800, + 0x00062000, 0x00065000, 0x00064800, 0x00061000, + 0x00066800, 0x00064000, 0x00060000, 0x00067000, + 0x00063000, 0x00065800, 0x00060800, 0x00066000, + 0x00063800, 0x00067800, 0x00062800, 0x00061800, + 0x00032000, 0x00035000, 0x00034800, 0x00031000, + 0x00036800, 0x00034000, 0x00030000, 0x00037000, + 0x00033000, 0x00035800, 0x00030800, 0x00036000, + 0x00033800, 0x00037800, 0x00032800, 0x00031800, + 0x0006a000, 0x0006d000, 0x0006c800, 0x00069000, + 0x0006e800, 0x0006c000, 0x00068000, 0x0006f000, + 0x0006b000, 0x0006d800, 0x00068800, 0x0006e000, + 0x0006b800, 0x0006f800, 0x0006a800, 0x00069800, + 0x0007a000, 0x0007d000, 0x0007c800, 0x00079000, + 0x0007e800, 0x0007c000, 0x00078000, 0x0007f000, + 0x0007b000, 0x0007d800, 0x00078800, 0x0007e000, + 0x0007b800, 0x0007f800, 0x0007a800, 0x00079800, + 0x00052000, 0x00055000, 0x00054800, 0x00051000, + 0x00056800, 0x00054000, 0x00050000, 0x00057000, + 0x00053000, 0x00055800, 0x00050800, 0x00056000, + 0x00053800, 0x00057800, 0x00052800, 0x00051800, + 0x00012000, 0x00015000, 0x00014800, 0x00011000, + 0x00016800, 0x00014000, 0x00010000, 0x00017000, + 0x00013000, 0x00015800, 0x00010800, 0x00016000, + 0x00013800, 0x00017800, 0x00012800, 0x00011800, + 0x0001a000, 0x0001d000, 0x0001c800, 0x00019000, + 0x0001e800, 0x0001c000, 0x00018000, 0x0001f000, + 0x0001b000, 0x0001d800, 0x00018800, 0x0001e000, + 0x0001b800, 0x0001f800, 0x0001a800, 0x00019800, + 0x00042000, 0x00045000, 0x00044800, 0x00041000, + 0x00046800, 0x00044000, 0x00040000, 0x00047000, + 0x00043000, 0x00045800, 0x00040800, 0x00046000, + 0x00043800, 0x00047800, 0x00042800, 0x00041800, + 0x0000a000, 0x0000d000, 0x0000c800, 0x00009000, + 0x0000e800, 0x0000c000, 0x00008000, 0x0000f000, + 0x0000b000, 0x0000d800, 0x00008800, 0x0000e000, + 0x0000b800, 0x0000f800, 0x0000a800, 0x00009800, + 0x00002000, 0x00005000, 0x00004800, 0x00001000, + 0x00006800, 0x00004000, 0x00000000, 0x00007000, + 0x00003000, 0x00005800, 0x00000800, 0x00006000, + 0x00003800, 0x00007800, 0x00002800, 0x00001800, + 0x0003a000, 0x0003d000, 0x0003c800, 0x00039000, + 0x0003e800, 0x0003c000, 0x00038000, 0x0003f000, + 0x0003b000, 0x0003d800, 0x00038800, 0x0003e000, + 0x0003b800, 0x0003f800, 0x0003a800, 0x00039800, + 0x0002a000, 0x0002d000, 0x0002c800, 0x00029000, + 0x0002e800, 0x0002c000, 0x00028000, 0x0002f000, + 0x0002b000, 0x0002d800, 0x00028800, 0x0002e000, + 0x0002b800, 0x0002f800, 0x0002a800, 0x00029800, + 0x0004a000, 0x0004d000, 0x0004c800, 0x00049000, + 0x0004e800, 0x0004c000, 0x00048000, 0x0004f000, + 0x0004b000, 0x0004d800, 0x00048800, 0x0004e000, + 0x0004b800, 0x0004f800, 0x0004a800, 0x00049800, + /* 1 */ + 0x03a80000, 0x03c00000, 0x03880000, 0x03e80000, + 0x03d00000, 0x03980000, 0x03a00000, 0x03900000, + 0x03f00000, 0x03f80000, 0x03e00000, 0x03b80000, + 0x03b00000, 0x03800000, 0x03c80000, 0x03d80000, + 0x06a80000, 0x06c00000, 0x06880000, 0x06e80000, + 0x06d00000, 0x06980000, 0x06a00000, 0x06900000, + 0x06f00000, 0x06f80000, 0x06e00000, 0x06b80000, + 0x06b00000, 0x06800000, 0x06c80000, 0x06d80000, + 0x05280000, 0x05400000, 0x05080000, 0x05680000, + 0x05500000, 0x05180000, 0x05200000, 0x05100000, + 0x05700000, 0x05780000, 0x05600000, 0x05380000, + 0x05300000, 0x05000000, 0x05480000, 0x05580000, + 0x00a80000, 0x00c00000, 0x00880000, 0x00e80000, + 0x00d00000, 0x00980000, 0x00a00000, 0x00900000, + 0x00f00000, 0x00f80000, 0x00e00000, 0x00b80000, + 0x00b00000, 0x00800000, 0x00c80000, 0x00d80000, + 0x00280000, 0x00400000, 0x00080000, 0x00680000, + 0x00500000, 0x00180000, 0x00200000, 0x00100000, + 0x00700000, 0x00780000, 0x00600000, 0x00380000, + 0x00300000, 0x00000000, 0x00480000, 0x00580000, + 0x04280000, 0x04400000, 0x04080000, 0x04680000, + 0x04500000, 0x04180000, 0x04200000, 0x04100000, + 0x04700000, 0x04780000, 0x04600000, 0x04380000, + 0x04300000, 0x04000000, 0x04480000, 0x04580000, + 0x04a80000, 0x04c00000, 0x04880000, 0x04e80000, + 0x04d00000, 0x04980000, 0x04a00000, 0x04900000, + 0x04f00000, 0x04f80000, 0x04e00000, 0x04b80000, + 0x04b00000, 0x04800000, 0x04c80000, 0x04d80000, + 0x07a80000, 0x07c00000, 0x07880000, 0x07e80000, + 0x07d00000, 0x07980000, 0x07a00000, 0x07900000, + 0x07f00000, 0x07f80000, 0x07e00000, 0x07b80000, + 0x07b00000, 0x07800000, 0x07c80000, 0x07d80000, + 0x07280000, 0x07400000, 0x07080000, 0x07680000, + 0x07500000, 0x07180000, 0x07200000, 0x07100000, + 0x07700000, 0x07780000, 0x07600000, 0x07380000, + 0x07300000, 0x07000000, 0x07480000, 0x07580000, + 0x02280000, 0x02400000, 0x02080000, 0x02680000, + 0x02500000, 0x02180000, 0x02200000, 0x02100000, + 0x02700000, 0x02780000, 0x02600000, 0x02380000, + 0x02300000, 0x02000000, 0x02480000, 0x02580000, + 0x03280000, 0x03400000, 0x03080000, 0x03680000, + 0x03500000, 0x03180000, 0x03200000, 0x03100000, + 0x03700000, 0x03780000, 0x03600000, 0x03380000, + 0x03300000, 0x03000000, 0x03480000, 0x03580000, + 0x06280000, 0x06400000, 0x06080000, 0x06680000, + 0x06500000, 0x06180000, 0x06200000, 0x06100000, + 0x06700000, 0x06780000, 0x06600000, 0x06380000, + 0x06300000, 0x06000000, 0x06480000, 0x06580000, + 0x05a80000, 0x05c00000, 0x05880000, 0x05e80000, + 0x05d00000, 0x05980000, 0x05a00000, 0x05900000, + 0x05f00000, 0x05f80000, 0x05e00000, 0x05b80000, + 0x05b00000, 0x05800000, 0x05c80000, 0x05d80000, + 0x01280000, 0x01400000, 0x01080000, 0x01680000, + 0x01500000, 0x01180000, 0x01200000, 0x01100000, + 0x01700000, 0x01780000, 0x01600000, 0x01380000, + 0x01300000, 0x01000000, 0x01480000, 0x01580000, + 0x02a80000, 0x02c00000, 0x02880000, 0x02e80000, + 0x02d00000, 0x02980000, 0x02a00000, 0x02900000, + 0x02f00000, 0x02f80000, 0x02e00000, 0x02b80000, + 0x02b00000, 0x02800000, 0x02c80000, 0x02d80000, + 0x01a80000, 0x01c00000, 0x01880000, 0x01e80000, + 0x01d00000, 0x01980000, 0x01a00000, 0x01900000, + 0x01f00000, 0x01f80000, 0x01e00000, 0x01b80000, + 0x01b00000, 0x01800000, 0x01c80000, 0x01d80000, + /* 2 */ + 0x30000002, 0x60000002, 0x38000002, 0x08000002, + 0x28000002, 0x78000002, 0x68000002, 0x40000002, + 0x20000002, 0x50000002, 0x48000002, 0x70000002, + 0x00000002, 0x18000002, 0x58000002, 0x10000002, + 0xb0000005, 0xe0000005, 0xb8000005, 0x88000005, + 0xa8000005, 0xf8000005, 0xe8000005, 0xc0000005, + 0xa0000005, 0xd0000005, 0xc8000005, 0xf0000005, + 0x80000005, 0x98000005, 0xd8000005, 0x90000005, + 0x30000005, 0x60000005, 0x38000005, 0x08000005, + 0x28000005, 0x78000005, 0x68000005, 0x40000005, + 0x20000005, 0x50000005, 0x48000005, 0x70000005, + 0x00000005, 0x18000005, 0x58000005, 0x10000005, + 0x30000000, 0x60000000, 0x38000000, 0x08000000, + 0x28000000, 0x78000000, 0x68000000, 0x40000000, + 0x20000000, 0x50000000, 0x48000000, 0x70000000, + 0x00000000, 0x18000000, 0x58000000, 0x10000000, + 0xb0000003, 0xe0000003, 0xb8000003, 0x88000003, + 0xa8000003, 0xf8000003, 0xe8000003, 0xc0000003, + 0xa0000003, 0xd0000003, 0xc8000003, 0xf0000003, + 0x80000003, 0x98000003, 0xd8000003, 0x90000003, + 0x30000001, 0x60000001, 0x38000001, 0x08000001, + 0x28000001, 0x78000001, 0x68000001, 0x40000001, + 0x20000001, 0x50000001, 0x48000001, 0x70000001, + 0x00000001, 0x18000001, 0x58000001, 0x10000001, + 0xb0000000, 0xe0000000, 0xb8000000, 0x88000000, + 0xa8000000, 0xf8000000, 0xe8000000, 0xc0000000, + 0xa0000000, 0xd0000000, 0xc8000000, 0xf0000000, + 0x80000000, 0x98000000, 0xd8000000, 0x90000000, + 0xb0000006, 0xe0000006, 0xb8000006, 0x88000006, + 0xa8000006, 0xf8000006, 0xe8000006, 0xc0000006, + 0xa0000006, 0xd0000006, 0xc8000006, 0xf0000006, + 0x80000006, 0x98000006, 0xd8000006, 0x90000006, + 0xb0000001, 0xe0000001, 0xb8000001, 0x88000001, + 0xa8000001, 0xf8000001, 0xe8000001, 0xc0000001, + 0xa0000001, 0xd0000001, 0xc8000001, 0xf0000001, + 0x80000001, 0x98000001, 0xd8000001, 0x90000001, + 0x30000003, 0x60000003, 0x38000003, 0x08000003, + 0x28000003, 0x78000003, 0x68000003, 0x40000003, + 0x20000003, 0x50000003, 0x48000003, 0x70000003, + 0x00000003, 0x18000003, 0x58000003, 0x10000003, + 0x30000004, 0x60000004, 0x38000004, 0x08000004, + 0x28000004, 0x78000004, 0x68000004, 0x40000004, + 0x20000004, 0x50000004, 0x48000004, 0x70000004, + 0x00000004, 0x18000004, 0x58000004, 0x10000004, + 0xb0000002, 0xe0000002, 0xb8000002, 0x88000002, + 0xa8000002, 0xf8000002, 0xe8000002, 0xc0000002, + 0xa0000002, 0xd0000002, 0xc8000002, 0xf0000002, + 0x80000002, 0x98000002, 0xd8000002, 0x90000002, + 0xb0000004, 0xe0000004, 0xb8000004, 0x88000004, + 0xa8000004, 0xf8000004, 0xe8000004, 0xc0000004, + 0xa0000004, 0xd0000004, 0xc8000004, 0xf0000004, + 0x80000004, 0x98000004, 0xd8000004, 0x90000004, + 0x30000006, 0x60000006, 0x38000006, 0x08000006, + 0x28000006, 0x78000006, 0x68000006, 0x40000006, + 0x20000006, 0x50000006, 0x48000006, 0x70000006, + 0x00000006, 0x18000006, 0x58000006, 0x10000006, + 0xb0000007, 0xe0000007, 0xb8000007, 0x88000007, + 0xa8000007, 0xf8000007, 0xe8000007, 0xc0000007, + 0xa0000007, 0xd0000007, 0xc8000007, 0xf0000007, + 0x80000007, 0x98000007, 0xd8000007, 0x90000007, + 0x30000007, 0x60000007, 0x38000007, 0x08000007, + 0x28000007, 0x78000007, 0x68000007, 0x40000007, + 0x20000007, 0x50000007, 0x48000007, 0x70000007, + 0x00000007, 0x18000007, 0x58000007, 0x10000007, + /* 3 */ + 0x000000e8, 0x000000d8, 0x000000a0, 0x00000088, + 0x00000098, 0x000000f8, 0x000000a8, 0x000000c8, + 0x00000080, 0x000000d0, 0x000000f0, 0x000000b8, + 0x000000b0, 0x000000c0, 0x00000090, 0x000000e0, + 0x000007e8, 0x000007d8, 0x000007a0, 0x00000788, + 0x00000798, 0x000007f8, 0x000007a8, 0x000007c8, + 0x00000780, 0x000007d0, 0x000007f0, 0x000007b8, + 0x000007b0, 0x000007c0, 0x00000790, 0x000007e0, + 0x000006e8, 0x000006d8, 0x000006a0, 0x00000688, + 0x00000698, 0x000006f8, 0x000006a8, 0x000006c8, + 0x00000680, 0x000006d0, 0x000006f0, 0x000006b8, + 0x000006b0, 0x000006c0, 0x00000690, 0x000006e0, + 0x00000068, 0x00000058, 0x00000020, 0x00000008, + 0x00000018, 0x00000078, 0x00000028, 0x00000048, + 0x00000000, 0x00000050, 0x00000070, 0x00000038, + 0x00000030, 0x00000040, 0x00000010, 0x00000060, + 0x000002e8, 0x000002d8, 0x000002a0, 0x00000288, + 0x00000298, 0x000002f8, 0x000002a8, 0x000002c8, + 0x00000280, 0x000002d0, 0x000002f0, 0x000002b8, + 0x000002b0, 0x000002c0, 0x00000290, 0x000002e0, + 0x000003e8, 0x000003d8, 0x000003a0, 0x00000388, + 0x00000398, 0x000003f8, 0x000003a8, 0x000003c8, + 0x00000380, 0x000003d0, 0x000003f0, 0x000003b8, + 0x000003b0, 0x000003c0, 0x00000390, 0x000003e0, + 0x00000568, 0x00000558, 0x00000520, 0x00000508, + 0x00000518, 0x00000578, 0x00000528, 0x00000548, + 0x00000500, 0x00000550, 0x00000570, 0x00000538, + 0x00000530, 0x00000540, 0x00000510, 0x00000560, + 0x00000268, 0x00000258, 0x00000220, 0x00000208, + 0x00000218, 0x00000278, 0x00000228, 0x00000248, + 0x00000200, 0x00000250, 0x00000270, 0x00000238, + 0x00000230, 0x00000240, 0x00000210, 0x00000260, + 0x000004e8, 0x000004d8, 0x000004a0, 0x00000488, + 0x00000498, 0x000004f8, 0x000004a8, 0x000004c8, + 0x00000480, 0x000004d0, 0x000004f0, 0x000004b8, + 0x000004b0, 0x000004c0, 0x00000490, 0x000004e0, + 0x00000168, 0x00000158, 0x00000120, 0x00000108, + 0x00000118, 0x00000178, 0x00000128, 0x00000148, + 0x00000100, 0x00000150, 0x00000170, 0x00000138, + 0x00000130, 0x00000140, 0x00000110, 0x00000160, + 0x000001e8, 0x000001d8, 0x000001a0, 0x00000188, + 0x00000198, 0x000001f8, 0x000001a8, 0x000001c8, + 0x00000180, 0x000001d0, 0x000001f0, 0x000001b8, + 0x000001b0, 0x000001c0, 0x00000190, 0x000001e0, + 0x00000768, 0x00000758, 0x00000720, 0x00000708, + 0x00000718, 0x00000778, 0x00000728, 0x00000748, + 0x00000700, 0x00000750, 0x00000770, 0x00000738, + 0x00000730, 0x00000740, 0x00000710, 0x00000760, + 0x00000368, 0x00000358, 0x00000320, 0x00000308, + 0x00000318, 0x00000378, 0x00000328, 0x00000348, + 0x00000300, 0x00000350, 0x00000370, 0x00000338, + 0x00000330, 0x00000340, 0x00000310, 0x00000360, + 0x000005e8, 0x000005d8, 0x000005a0, 0x00000588, + 0x00000598, 0x000005f8, 0x000005a8, 0x000005c8, + 0x00000580, 0x000005d0, 0x000005f0, 0x000005b8, + 0x000005b0, 0x000005c0, 0x00000590, 0x000005e0, + 0x00000468, 0x00000458, 0x00000420, 0x00000408, + 0x00000418, 0x00000478, 0x00000428, 0x00000448, + 0x00000400, 0x00000450, 0x00000470, 0x00000438, + 0x00000430, 0x00000440, 0x00000410, 0x00000460, + 0x00000668, 0x00000658, 0x00000620, 0x00000608, + 0x00000618, 0x00000678, 0x00000628, 0x00000648, + 0x00000600, 0x00000650, 0x00000670, 0x00000638, + 0x00000630, 0x00000640, 0x00000610, 0x00000660, + } +}; + +/* + * A macro that performs a full encryption round of GOST 28147-89. + * Temporary variables tmp assumed and variables r and l for left and right + * blocks. + */ +#define GOST_ENCRYPT_ROUND(key1, key2, sbox) \ + tmp = (key1) + r; \ + l ^= (sbox)[0*256 + (tmp & 0xff)] ^ (sbox)[1*256 + ((tmp >> 8) & 0xff)] ^ \ + (sbox)[2*256 + ((tmp >> 16) & 0xff)] ^ (sbox)[3*256 + (tmp >> 24)]; \ + tmp = (key2) + l; \ + r ^= (sbox)[0*256 + (tmp & 0xff)] ^ (sbox)[1*256 + ((tmp >> 8) & 0xff)] ^ \ + (sbox)[2*256 + ((tmp >> 16) & 0xff)] ^ (sbox)[3*256 + (tmp >> 24)]; + +/* encrypt a block with the given key */ +void gost28147_encrypt_simple (const uint32_t *key, const uint32_t *sbox, + const uint32_t *in, uint32_t *out) +{ + uint32_t l, r, tmp; + + r = in[0], l = in[1]; + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[7], key[6], sbox) + GOST_ENCRYPT_ROUND(key[5], key[4], sbox) + GOST_ENCRYPT_ROUND(key[3], key[2], sbox) + GOST_ENCRYPT_ROUND(key[1], key[0], sbox) + *out = l, *(out + 1) = r; +} diff --git a/gost28147.h b/gost28147.h new file mode 100644 index 000000000000..83d8915b9d38 --- /dev/null +++ b/gost28147.h @@ -0,0 +1,63 @@ +/* gost28147.h + + The GOST 28147-89 cipher function, described in RFC 5831. + + Copyright (C) 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_GOST28147_H_INCLUDED +#define NETTLE_GOST28147_H_INCLUDED + +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#define gost28147_param_test_3411 nettle_gost28147_param_test_3411 + +/* Private */ +#define gost28147_encrypt_simple nettle_gost28147_encrypt_simple + +struct gost28147_param +{ + uint32_t sbox[4*256]; +}; + +extern const struct gost28147_param gost28147_param_test_3411; + +/* Internal interface for use by GOST R 34.11-94 */ +void gost28147_encrypt_simple (const uint32_t *key, const uint32_t *sbox, + const uint32_t *in, uint32_t *out); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_GOST28147_H_INCLUDED */ diff --git a/gosthash94.c b/gosthash94.c index e60c9ae5cddf..870235eefa34 100644 --- a/gosthash94.c +++ b/gosthash94.c @@ -1,5 +1,7 @@ -/* gost.c - an implementation of GOST Hash Function +/* gosthash94.c - an implementation of GOST Hash Function + * * based on the Russian Standard GOST R 34.11-94. + * English description in RFC 5831. * See also RFC 4357. * * Copyright: 2009-2012 Aleksey Kravchenko <rhash.admin(a)gmail.com> @@ -38,209 +40,7 @@ #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" - -/* pre-initialized GOST lookup tables based on rotated S-Box */ -static const uint32_t gosthash94_sbox[4][256] = { - { - 0x72000, 0x75000, 0x74800, 0x71000, 0x76800, - 0x74000, 0x70000, 0x77000, 0x73000, 0x75800, - 0x70800, 0x76000, 0x73800, 0x77800, 0x72800, - 0x71800, 0x5A000, 0x5D000, 0x5C800, 0x59000, - 0x5E800, 0x5C000, 0x58000, 0x5F000, 0x5B000, - 0x5D800, 0x58800, 0x5E000, 0x5B800, 0x5F800, - 0x5A800, 0x59800, 0x22000, 0x25000, 0x24800, - 0x21000, 0x26800, 0x24000, 0x20000, 0x27000, - 0x23000, 0x25800, 0x20800, 0x26000, 0x23800, - 0x27800, 0x22800, 0x21800, 0x62000, 0x65000, - 0x64800, 0x61000, 0x66800, 0x64000, 0x60000, - 0x67000, 0x63000, 0x65800, 0x60800, 0x66000, - 0x63800, 0x67800, 0x62800, 0x61800, 0x32000, - 0x35000, 0x34800, 0x31000, 0x36800, 0x34000, - 0x30000, 0x37000, 0x33000, 0x35800, 0x30800, - 0x36000, 0x33800, 0x37800, 0x32800, 0x31800, - 0x6A000, 0x6D000, 0x6C800, 0x69000, 0x6E800, - 0x6C000, 0x68000, 0x6F000, 0x6B000, 0x6D800, - 0x68800, 0x6E000, 0x6B800, 0x6F800, 0x6A800, - 0x69800, 0x7A000, 0x7D000, 0x7C800, 0x79000, - 0x7E800, 0x7C000, 0x78000, 0x7F000, 0x7B000, - 0x7D800, 0x78800, 0x7E000, 0x7B800, 0x7F800, - 0x7A800, 0x79800, 0x52000, 0x55000, 0x54800, - 0x51000, 0x56800, 0x54000, 0x50000, 0x57000, - 0x53000, 0x55800, 0x50800, 0x56000, 0x53800, - 0x57800, 0x52800, 0x51800, 0x12000, 0x15000, - 0x14800, 0x11000, 0x16800, 0x14000, 0x10000, - 0x17000, 0x13000, 0x15800, 0x10800, 0x16000, - 0x13800, 0x17800, 0x12800, 0x11800, 0x1A000, - 0x1D000, 0x1C800, 0x19000, 0x1E800, 0x1C000, - 0x18000, 0x1F000, 0x1B000, 0x1D800, 0x18800, - 0x1E000, 0x1B800, 0x1F800, 0x1A800, 0x19800, - 0x42000, 0x45000, 0x44800, 0x41000, 0x46800, - 0x44000, 0x40000, 0x47000, 0x43000, 0x45800, - 0x40800, 0x46000, 0x43800, 0x47800, 0x42800, - 0x41800, 0xA000, 0xD000, 0xC800, 0x9000, - 0xE800, 0xC000, 0x8000, 0xF000, 0xB000, - 0xD800, 0x8800, 0xE000, 0xB800, 0xF800, - 0xA800, 0x9800, 0x2000, 0x5000, 0x4800, - 0x1000, 0x6800, 0x4000, 0x0, 0x7000, - 0x3000, 0x5800, 0x800, 0x6000, 0x3800, - 0x7800, 0x2800, 0x1800, 0x3A000, 0x3D000, - 0x3C800, 0x39000, 0x3E800, 0x3C000, 0x38000, - 0x3F000, 0x3B000, 0x3D800, 0x38800, 0x3E000, - 0x3B800, 0x3F800, 0x3A800, 0x39800, 0x2A000, - 0x2D000, 0x2C800, 0x29000, 0x2E800, 0x2C000, - 0x28000, 0x2F000, 0x2B000, 0x2D800, 0x28800, - 0x2E000, 0x2B800, 0x2F800, 0x2A800, 0x29800, - 0x4A000, 0x4D000, 0x4C800, 0x49000, 0x4E800, - 0x4C000, 0x48000, 0x4F000, 0x4B000, 0x4D800, - 0x48800, 0x4E000, 0x4B800, 0x4F800, 0x4A800, - 0x49800 - }, { - 0x3A80000, 0x3C00000, 0x3880000, 0x3E80000, 0x3D00000, - 0x3980000, 0x3A00000, 0x3900000, 0x3F00000, 0x3F80000, - 0x3E00000, 0x3B80000, 0x3B00000, 0x3800000, 0x3C80000, - 0x3D80000, 0x6A80000, 0x6C00000, 0x6880000, 0x6E80000, - 0x6D00000, 0x6980000, 0x6A00000, 0x6900000, 0x6F00000, - 0x6F80000, 0x6E00000, 0x6B80000, 0x6B00000, 0x6800000, - 0x6C80000, 0x6D80000, 0x5280000, 0x5400000, 0x5080000, - 0x5680000, 0x5500000, 0x5180000, 0x5200000, 0x5100000, - 0x5700000, 0x5780000, 0x5600000, 0x5380000, 0x5300000, - 0x5000000, 0x5480000, 0x5580000, 0xA80000, 0xC00000, - 0x880000, 0xE80000, 0xD00000, 0x980000, 0xA00000, - 0x900000, 0xF00000, 0xF80000, 0xE00000, 0xB80000, - 0xB00000, 0x800000, 0xC80000, 0xD80000, 0x280000, - 0x400000, 0x80000, 0x680000, 0x500000, 0x180000, - 0x200000, 0x100000, 0x700000, 0x780000, 0x600000, - 0x380000, 0x300000, 0x0, 0x480000, 0x580000, - 0x4280000, 0x4400000, 0x4080000, 0x4680000, 0x4500000, - 0x4180000, 0x4200000, 0x4100000, 0x4700000, 0x4780000, - 0x4600000, 0x4380000, 0x4300000, 0x4000000, 0x4480000, - 0x4580000, 0x4A80000, 0x4C00000, 0x4880000, 0x4E80000, - 0x4D00000, 0x4980000, 0x4A00000, 0x4900000, 0x4F00000, - 0x4F80000, 0x4E00000, 0x4B80000, 0x4B00000, 0x4800000, - 0x4C80000, 0x4D80000, 0x7A80000, 0x7C00000, 0x7880000, - 0x7E80000, 0x7D00000, 0x7980000, 0x7A00000, 0x7900000, - 0x7F00000, 0x7F80000, 0x7E00000, 0x7B80000, 0x7B00000, - 0x7800000, 0x7C80000, 0x7D80000, 0x7280000, 0x7400000, - 0x7080000, 0x7680000, 0x7500000, 0x7180000, 0x7200000, - 0x7100000, 0x7700000, 0x7780000, 0x7600000, 0x7380000, - 0x7300000, 0x7000000, 0x7480000, 0x7580000, 0x2280000, - 0x2400000, 0x2080000, 0x2680000, 0x2500000, 0x2180000, - 0x2200000, 0x2100000, 0x2700000, 0x2780000, 0x2600000, - 0x2380000, 0x2300000, 0x2000000, 0x2480000, 0x2580000, - 0x3280000, 0x3400000, 0x3080000, 0x3680000, 0x3500000, - 0x3180000, 0x3200000, 0x3100000, 0x3700000, 0x3780000, - 0x3600000, 0x3380000, 0x3300000, 0x3000000, 0x3480000, - 0x3580000, 0x6280000, 0x6400000, 0x6080000, 0x6680000, - 0x6500000, 0x6180000, 0x6200000, 0x6100000, 0x6700000, - 0x6780000, 0x6600000, 0x6380000, 0x6300000, 0x6000000, - 0x6480000, 0x6580000, 0x5A80000, 0x5C00000, 0x5880000, - 0x5E80000, 0x5D00000, 0x5980000, 0x5A00000, 0x5900000, - 0x5F00000, 0x5F80000, 0x5E00000, 0x5B80000, 0x5B00000, - 0x5800000, 0x5C80000, 0x5D80000, 0x1280000, 0x1400000, - 0x1080000, 0x1680000, 0x1500000, 0x1180000, 0x1200000, - 0x1100000, 0x1700000, 0x1780000, 0x1600000, 0x1380000, - 0x1300000, 0x1000000, 0x1480000, 0x1580000, 0x2A80000, - 0x2C00000, 0x2880000, 0x2E80000, 0x2D00000, 0x2980000, - 0x2A00000, 0x2900000, 0x2F00000, 0x2F80000, 0x2E00000, - 0x2B80000, 0x2B00000, 0x2800000, 0x2C80000, 0x2D80000, - 0x1A80000, 0x1C00000, 0x1880000, 0x1E80000, 0x1D00000, - 0x1980000, 0x1A00000, 0x1900000, 0x1F00000, 0x1F80000, - 0x1E00000, 0x1B80000, 0x1B00000, 0x1800000, 0x1C80000, - 0x1D80000 - }, { - 0x30000002, 0x60000002, 0x38000002, 0x8000002, - 0x28000002, 0x78000002, 0x68000002, 0x40000002, - 0x20000002, 0x50000002, 0x48000002, 0x70000002, - 0x2, 0x18000002, 0x58000002, 0x10000002, - 0xB0000005, 0xE0000005, 0xB8000005, 0x88000005, - 0xA8000005, 0xF8000005, 0xE8000005, 0xC0000005, - 0xA0000005, 0xD0000005, 0xC8000005, 0xF0000005, - 0x80000005, 0x98000005, 0xD8000005, 0x90000005, - 0x30000005, 0x60000005, 0x38000005, 0x8000005, - 0x28000005, 0x78000005, 0x68000005, 0x40000005, - 0x20000005, 0x50000005, 0x48000005, 0x70000005, - 0x5, 0x18000005, 0x58000005, 0x10000005, - 0x30000000, 0x60000000, 0x38000000, 0x8000000, - 0x28000000, 0x78000000, 0x68000000, 0x40000000, - 0x20000000, 0x50000000, 0x48000000, 0x70000000, - 0x0, 0x18000000, 0x58000000, 0x10000000, - 0xB0000003, 0xE0000003, 0xB8000003, 0x88000003, - 0xA8000003, 0xF8000003, 0xE8000003, 0xC0000003, - 0xA0000003, 0xD0000003, 0xC8000003, 0xF0000003, - 0x80000003, 0x98000003, 0xD8000003, 0x90000003, - 0x30000001, 0x60000001, 0x38000001, 0x8000001, - 0x28000001, 0x78000001, 0x68000001, 0x40000001, - 0x20000001, 0x50000001, 0x48000001, 0x70000001, - 0x1, 0x18000001, 0x58000001, 0x10000001, - 0xB0000000, 0xE0000000, 0xB8000000, 0x88000000, - 0xA8000000, 0xF8000000, 0xE8000000, 0xC0000000, - 0xA0000000, 0xD0000000, 0xC8000000, 0xF0000000, - 0x80000000, 0x98000000, 0xD8000000, 0x90000000, - 0xB0000006, 0xE0000006, 0xB8000006, 0x88000006, - 0xA8000006, 0xF8000006, 0xE8000006, 0xC0000006, - 0xA0000006, 0xD0000006, 0xC8000006, 0xF0000006, - 0x80000006, 0x98000006, 0xD8000006, 0x90000006, - 0xB0000001, 0xE0000001, 0xB8000001, 0x88000001, - 0xA8000001, 0xF8000001, 0xE8000001, 0xC0000001, - 0xA0000001, 0xD0000001, 0xC8000001, 0xF0000001, - 0x80000001, 0x98000001, 0xD8000001, 0x90000001, - 0x30000003, 0x60000003, 0x38000003, 0x8000003, - 0x28000003, 0x78000003, 0x68000003, 0x40000003, - 0x20000003, 0x50000003, 0x48000003, 0x70000003, - 0x3, 0x18000003, 0x58000003, 0x10000003, - 0x30000004, 0x60000004, 0x38000004, 0x8000004, - 0x28000004, 0x78000004, 0x68000004, 0x40000004, - 0x20000004, 0x50000004, 0x48000004, 0x70000004, - 0x4, 0x18000004, 0x58000004, 0x10000004, - 0xB0000002, 0xE0000002, 0xB8000002, 0x88000002, - 0xA8000002, 0xF8000002, 0xE8000002, 0xC0000002, - 0xA0000002, 0xD0000002, 0xC8000002, 0xF0000002, - 0x80000002, 0x98000002, 0xD8000002, 0x90000002, - 0xB0000004, 0xE0000004, 0xB8000004, 0x88000004, - 0xA8000004, 0xF8000004, 0xE8000004, 0xC0000004, - 0xA0000004, 0xD0000004, 0xC8000004, 0xF0000004, - 0x80000004, 0x98000004, 0xD8000004, 0x90000004, - 0x30000006, 0x60000006, 0x38000006, 0x8000006, - 0x28000006, 0x78000006, 0x68000006, 0x40000006, - 0x20000006, 0x50000006, 0x48000006, 0x70000006, - 0x6, 0x18000006, 0x58000006, 0x10000006, - 0xB0000007, 0xE0000007, 0xB8000007, 0x88000007, - 0xA8000007, 0xF8000007, 0xE8000007, 0xC0000007, - 0xA0000007, 0xD0000007, 0xC8000007, 0xF0000007, - 0x80000007, 0x98000007, 0xD8000007, 0x90000007, - 0x30000007, 0x60000007, 0x38000007, 0x8000007, - 0x28000007, 0x78000007, 0x68000007, 0x40000007, - 0x20000007, 0x50000007, 0x48000007, 0x70000007, - 0x7, 0x18000007, 0x58000007, 0x10000007 - }, { - 0xE8, 0xD8, 0xA0, 0x88, 0x98, 0xF8, 0xA8, 0xC8, 0x80, 0xD0, - 0xF0, 0xB8, 0xB0, 0xC0, 0x90, 0xE0, 0x7E8, 0x7D8, 0x7A0, 0x788, - 0x798, 0x7F8, 0x7A8, 0x7C8, 0x780, 0x7D0, 0x7F0, 0x7B8, 0x7B0, 0x7C0, - 0x790, 0x7E0, 0x6E8, 0x6D8, 0x6A0, 0x688, 0x698, 0x6F8, 0x6A8, 0x6C8, - 0x680, 0x6D0, 0x6F0, 0x6B8, 0x6B0, 0x6C0, 0x690, 0x6E0, 0x68, 0x58, - 0x20, 0x8, 0x18, 0x78, 0x28, 0x48, 0x0, 0x50, 0x70, 0x38, - 0x30, 0x40, 0x10, 0x60, 0x2E8, 0x2D8, 0x2A0, 0x288, 0x298, 0x2F8, - 0x2A8, 0x2C8, 0x280, 0x2D0, 0x2F0, 0x2B8, 0x2B0, 0x2C0, 0x290, 0x2E0, - 0x3E8, 0x3D8, 0x3A0, 0x388, 0x398, 0x3F8, 0x3A8, 0x3C8, 0x380, 0x3D0, - 0x3F0, 0x3B8, 0x3B0, 0x3C0, 0x390, 0x3E0, 0x568, 0x558, 0x520, 0x508, - 0x518, 0x578, 0x528, 0x548, 0x500, 0x550, 0x570, 0x538, 0x530, 0x540, - 0x510, 0x560, 0x268, 0x258, 0x220, 0x208, 0x218, 0x278, 0x228, 0x248, - 0x200, 0x250, 0x270, 0x238, 0x230, 0x240, 0x210, 0x260, 0x4E8, 0x4D8, - 0x4A0, 0x488, 0x498, 0x4F8, 0x4A8, 0x4C8, 0x480, 0x4D0, 0x4F0, 0x4B8, - 0x4B0, 0x4C0, 0x490, 0x4E0, 0x168, 0x158, 0x120, 0x108, 0x118, 0x178, - 0x128, 0x148, 0x100, 0x150, 0x170, 0x138, 0x130, 0x140, 0x110, 0x160, - 0x1E8, 0x1D8, 0x1A0, 0x188, 0x198, 0x1F8, 0x1A8, 0x1C8, 0x180, 0x1D0, - 0x1F0, 0x1B8, 0x1B0, 0x1C0, 0x190, 0x1E0, 0x768, 0x758, 0x720, 0x708, - 0x718, 0x778, 0x728, 0x748, 0x700, 0x750, 0x770, 0x738, 0x730, 0x740, - 0x710, 0x760, 0x368, 0x358, 0x320, 0x308, 0x318, 0x378, 0x328, 0x348, - 0x300, 0x350, 0x370, 0x338, 0x330, 0x340, 0x310, 0x360, 0x5E8, 0x5D8, - 0x5A0, 0x588, 0x598, 0x5F8, 0x5A8, 0x5C8, 0x580, 0x5D0, 0x5F0, 0x5B8, - 0x5B0, 0x5C0, 0x590, 0x5E0, 0x468, 0x458, 0x420, 0x408, 0x418, 0x478, - 0x428, 0x448, 0x400, 0x450, 0x470, 0x438, 0x430, 0x440, 0x410, 0x460, - 0x668, 0x658, 0x620, 0x608, 0x618, 0x678, 0x628, 0x648, 0x600, 0x650, - 0x670, 0x638, 0x630, 0x640, 0x610, 0x660 - } -}; +#include "gost28147.h" /** * Initialize algorithm context before calculating hash @@ -254,40 +54,6 @@ gosthash94_init (struct gosthash94_ctx *ctx) memset (ctx, 0, sizeof (struct gosthash94_ctx)); } -/* - * A macro that performs a full encryption round of GOST 28147-89. - * Temporary variables tmp assumed and variables r and l for left and right - * blocks. - */ -#define GOST_ENCRYPT_ROUND(key1, key2, sbox) \ - tmp = (key1) + r; \ - l ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \ - (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; \ - tmp = (key2) + l; \ - r ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \ - (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; - -/* encrypt a block with the given key */ -#define GOST_ENCRYPT(result, i, key, hash, sbox) \ - r = hash[i], l = hash[i + 1]; \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[7], key[6], sbox) \ - GOST_ENCRYPT_ROUND(key[5], key[4], sbox) \ - GOST_ENCRYPT_ROUND(key[3], key[2], sbox) \ - GOST_ENCRYPT_ROUND(key[1], key[0], sbox) \ - result[i] = l, result[i + 1] = r; - /** * The core transformation. Process a 512-bit block. * @@ -299,7 +65,6 @@ gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block) { unsigned i; uint32_t key[8], u[8], v[8], w[8], s[8]; - uint32_t l, r, tmp; /* u := hash, v := <256-bit message block> */ memcpy (u, ctx->hash, sizeof (u)); @@ -341,7 +106,7 @@ gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block) ((w[5] & 0xff000000) >> 8) | (w[7] & 0xff000000); /* encryption: s_i := E_{key_i} (h_i) */ - GOST_ENCRYPT (s, i, key, ctx->hash, gosthash94_sbox); + gost28147_encrypt_simple (key, gost28147_param_test_3411.sbox, &ctx->hash[i], &s[i]); if (i == 0) { -- 2.20.1

2 8

Nettle backup maintainers?
by Jeffrey Walton 18 Apr '20

18 Apr '20

Hi Everyone/Niels, Forgive me for asking... Does Nettle have backup maintainers? If so, can you name them and provide their public keys in case something happens to Niels. Sweden has been criticized for its handling of the coronavirus. The country seems to be engaging in relatively risky behavior. [1] [1] https://time.com/5817412/sweden-coronavirus/ Jeff

4 6

[PATCH v2] poly1305: make internal symbols internal
by Dmitry Baryshkov 15 Apr '20

15 Apr '20

Make low-level poly1305 functions that were marked as "internal" in public header file really internal. Change their prefix from nettle to _nettle. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- chacha-poly1305.c | 5 +-- poly1305-aes.c | 5 +-- poly1305-internal.c | 5 +-- poly1305-internal.h | 66 ++++++++++++++++++++++++++++++++++++ poly1305.h | 14 -------- x86_64/poly1305-internal.asm | 12 +++---- 6 files changed, 81 insertions(+), 26 deletions(-) create mode 100644 poly1305-internal.h diff --git a/chacha-poly1305.c b/chacha-poly1305.c index a15fef0cd742..47ca86bb360d 100644 --- a/chacha-poly1305.c +++ b/chacha-poly1305.c @@ -54,6 +54,7 @@ #include "chacha-internal.h" #include "chacha-poly1305.h" +#include "poly1305-internal.h" #include "macros.h" @@ -80,7 +81,7 @@ chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, chacha_set_nonce96 (&ctx->chacha, nonce); /* Generate authentication key */ _chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS); - poly1305_set_key (&ctx->poly1305, u.subkey); + _poly1305_set_key (&ctx->poly1305, u.subkey); /* For final poly1305 processing */ memcpy (ctx->s.b, u.subkey + 16, 16); /* Increment block count */ @@ -162,6 +163,6 @@ chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, _poly1305_block (&ctx->poly1305, buf, 1); - poly1305_digest (&ctx->poly1305, &ctx->s); + _poly1305_digest (&ctx->poly1305, &ctx->s); memcpy (digest, &ctx->s.b, length); } diff --git a/poly1305-aes.c b/poly1305-aes.c index 1a27b1d85523..85a6d2ae138b 100644 --- a/poly1305-aes.c +++ b/poly1305-aes.c @@ -38,13 +38,14 @@ #include <string.h> #include "poly1305.h" +#include "poly1305-internal.h" #include "macros.h" void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t * key) { aes128_set_encrypt_key(&ctx->aes, (key)); - poly1305_set_key(&ctx->pctx, (key+16)); + _poly1305_set_key(&ctx->pctx, (key+16)); ctx->index = 0; } @@ -82,7 +83,7 @@ poly1305_aes_digest (struct poly1305_aes_ctx *ctx, } aes128_encrypt(&ctx->aes, POLY1305_BLOCK_SIZE, s.b, ctx->nonce); - poly1305_digest (&ctx->pctx, &s); + _poly1305_digest (&ctx->pctx, &s); memcpy (digest, s.b, length); INCREMENT (16, ctx->nonce); diff --git a/poly1305-internal.c b/poly1305-internal.c index 2ee16807c514..8713fcb68894 100644 --- a/poly1305-internal.c +++ b/poly1305-internal.c @@ -63,6 +63,7 @@ #include <string.h> #include "poly1305.h" +#include "poly1305-internal.h" #include "macros.h" @@ -85,7 +86,7 @@ #define h4 hh void -poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) +_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) { uint32_t t0,t1,t2,t3; @@ -148,7 +149,7 @@ _poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4) /* Adds digest to the nonce */ void -poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s) +_poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s) { uint32_t b, nb; uint64_t f0,f1,f2,f3; diff --git a/poly1305-internal.h b/poly1305-internal.h new file mode 100644 index 000000000000..edb80f7fa011 --- /dev/null +++ b/poly1305-internal.h @@ -0,0 +1,66 @@ +/* poly1305.h + + Poly1305 message authentication code. + + Copyright (C) 2013 Nikos Mavrogiannopoulos + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_POLY1305_INTERNAL_H_INCLUDED +#define NETTLE_POLY1305_INTERNAL_H_INCLUDED + +#include "aes.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define _poly1305_set_key _nettle_poly1305_set_key +#define _poly1305_digest _nettle_poly1305_digest +#define _poly1305_block _nettle_poly1305_block + +/* Low level functions/macros for the poly1305 construction. */ + +#define POLY1305_DIGEST_SIZE 16 +#define POLY1305_KEY_SIZE 16 + +/* Low-level internal interface. */ +void _poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]); +/* Extracts digest, and adds it to s, the encrypted nonce. */ +void _poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s); +/* Internal function. Process one block. */ +void _poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, + unsigned high); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_POLY1305_INTERNAL_H_INCLUDED */ diff --git a/poly1305.h b/poly1305.h index eadc4057fe89..99c63c8a8288 100644 --- a/poly1305.h +++ b/poly1305.h @@ -42,10 +42,6 @@ extern "C" { #endif /* Name mangling */ -#define poly1305_set_key nettle_poly1305_set_key -#define poly1305_digest nettle_poly1305_digest -#define _poly1305_block _nettle_poly1305_block - #define poly1305_aes_set_key nettle_poly1305_aes_set_key #define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce #define poly1305_aes_update nettle_poly1305_aes_update @@ -53,9 +49,7 @@ extern "C" { /* Low level functions/macros for the poly1305 construction. */ -#define POLY1305_DIGEST_SIZE 16 #define POLY1305_BLOCK_SIZE 16 -#define POLY1305_KEY_SIZE 16 struct poly1305_ctx { /* Key, 128-bit value and some cached multiples. */ @@ -76,14 +70,6 @@ struct poly1305_ctx { } h; }; -/* Low-level internal interface. */ -void poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]); -/* Extracts digest, and adds it to s, the encrypted nonce. */ -void poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s); -/* Internal function. Process one block. */ -void _poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, - unsigned high); - /* poly1305-aes */ #define POLY1305_AES_KEY_SIZE 32 diff --git a/x86_64/poly1305-internal.asm b/x86_64/poly1305-internal.asm index 98159ad391ec..8012e49f3781 100644 --- a/x86_64/poly1305-internal.asm +++ b/x86_64/poly1305-internal.asm @@ -41,14 +41,14 @@ define(<H0>, <%r9>) define(<H1>, <%r10>) define(<H2>, <%r11>) - C poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) + C _poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) .text C Registers: C %rdi: ctx C %rsi: key C %r8: mask ALIGN(16) -PROLOGUE(nettle_poly1305_set_key) +PROLOGUE(_nettle_poly1305_set_key) W64_ENTRY(2,0) mov $0x0ffffffc0fffffff, %r8 mov (%rsi), %rax @@ -69,7 +69,7 @@ PROLOGUE(nettle_poly1305_set_key) W64_EXIT(2,0) ret -EPILOGUE(nettle_poly1305_set_key) +EPILOGUE(_nettle_poly1305_set_key) C 64-bit multiplication mod 2^130 - 5 C @@ -142,12 +142,12 @@ PROLOGUE(_nettle_poly1305_block) ret EPILOGUE(_nettle_poly1305_block) - C poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) + C _poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) C Registers: C %rdi: ctx C %rsi: s -PROLOGUE(nettle_poly1305_digest) +PROLOGUE(_nettle_poly1305_digest) W64_ENTRY(2, 0) mov P1305_H0 (CTX), H0 @@ -182,5 +182,5 @@ define(<T1>, <%rax>) mov XREG(%rax), P1305_H2 (CTX) W64_EXIT(2, 0) ret -EPILOGUE(nettle_poly1305_digest) +EPILOGUE(_nettle_poly1305_digest) -- 2.25.1

2 1

Nettle-3.6 soon
by nisse＠lysator.liu.se 15 Apr '20

15 Apr '20

Hi, I've updated the NEWS file, and I don't think there are any easy changes pending. Please let me know ASAP if there's anything missing in NEWS, or if there are additional changes you think ought to be included before release. I intend to create a release-candidate tarball in a day or two for final testing. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

6 33

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs