nettle-bugs

nettle-bugs@lists.lysator.liu.se

3 participants
2194 discussions

Re: [PATCH] x86: Add X86_ENDBR and CET marker to config.m4.in
by Simo Sorce 09 Mar '20

09 Mar '20

On Mon, 2020-03-09 at 08:33 -0700, H.J. Lu wrote: > On Mon, Mar 9, 2020 at 5:36 AM Simo Sorce <simo(a)redhat.com> wrote: > > On Sat, 2020-03-07 at 17:49 +0100, Niels Möller wrote: > > > "H.J. Lu" <hjl.tools(a)gmail.com> writes: > > > > > > > Intel Control-flow Enforcement Technology (CET): > > > > > > > > https://software.intel.com/en-us/articles/intel-sdm > > > > > > > > contains shadow stack (SHSTK) and indirect branch tracking (IBT). When > > > > CET is enabled, ELF object files must be marked with .note.gnu.property > > > > section. Also when IBT is enabled, all indirect branch targets must > > > > start with ENDBR instruction. > > > > > > > > This patch adds X86_ENDBR and the CET marker to config.m4.in when CET > > > > is enabled. It updates PROLOGUE with X86_ENDBR. > > > > > > I'd like to have a look at what gcc produces. How is it enabled with > > > gcc? In the docs, I find > > > > > > -mshstk > > > > > > The -mshstk option enables shadow stack built-in functions from x86 > > > Control-flow Enforcement Technology (CET). > > > > > > but when I try compiling a trivial function, > > > > > > $ cat foo-cet.c > > > int foo(void) {return 0;} > > > $ gcc -save-temps -c -mshstk foo-cet.c > > > > > > I get no endbr instruction and no note in the foo-cet.s. I'm using > > > gcc-8.3. I do get an > > > > > > .section .note.GNU-stack,"",@progbits > > > > > > corresponding to Nettle's ASM_MARK_NOEXEC_STACK > > > > > > > --- a/config.m4.in > > > > +++ b/config.m4.in > > > > @@ -8,6 +8,10 @@ define(<ALIGN_LOG>, <@ASM_ALIGN_LOG@>)dnl > > > > define(<W64_ABI>, <@W64_ABI@>)dnl > > > > define(<RODATA>, <@ASM_RODATA@>)dnl > > > > define(<WORDS_BIGENDIAN>, <@ASM_WORDS_BIGENDIAN@>)dnl > > > > +define(<X86_ENDBR>,<@X86_ENDBR@>)dnl > > > > +divert(1) > > > > +@X86_GNU_PROPERTY@ > > > > +divert > > > > divert(1) > > > > @ASM_MARK_NOEXEC_STACK@ > > > > divert > > > > > > You can put the two properties in the same m4 divert. Also, please > > > rename the autoconf substitutions with ASM_ prefix, and something more > > > descriptive than X64_GNU_PROPERTY. E.g., ASM_X86_ENDBR and > > > ASM_X86_MARK_CET. > > > > > > > diff --git a/configure.ac b/configure.ac > > > > index ba3ab7c6..e9ed630c 100644 > > > > --- a/configure.ac > > > > +++ b/configure.ac > > > > @@ -803,6 +803,82 @@ EOF > > > > ASM_ALIGN_LOG="$nettle_cv_asm_align_log" > > > > fi > > > > > > > > +dnl Define > > > > +dnl 1. X86_ENDBR for endbr32/endbr64. > > > > +dnl 2. X86_GNU_PROPERTY to add a .note.gnu.property section to mark > > > > +dnl Intel CET support if needed. > > > > +dnl .section ".note.gnu.property", "a" > > > > +dnl .p2align POINTER-ALIGN > > > > +dnl .long 1f - 0f > > > > +dnl .long 4f - 1f > > > > +dnl .long 5 > > > > +dnl 0: > > > > +dnl .asciz "GNU" > > > > +dnl 1: > > > > +dnl .p2align POINTER-ALIGN > > > > +dnl .long 0xc0000002 > > > > +dnl .long 3f - 2f > > > > +dnl 2: > > > > +dnl .long 3 > > > > +dnl 3: > > > > +dnl .p2align POINTER-ALIGN > > > > +dnl 4: > > > > > > No need to repeat the definition in full in this comment. And as I think > > > I've said before, I'm a bit surprised that it needs to be this verbose. > > > > > > > +AC_CACHE_CHECK([if Intel CET is enabled], > > > > + [nettle_cv_asm_x86_intel_cet], > > > > + [AC_TRY_COMPILE([ > > > > +#ifndef __CET__ > > > > +#error Intel CET is not enabled > > > > +#endif > > > > + ], [], > > > > + [nettle_cv_asm_x86_intel_cet=yes], > > > > + [nettle_cv_asm_x86_intel_cet=no])]) > > > > +if test "$nettle_cv_asm_x86_intel_cet" = yes; then > > > > + case $ABI in > > > > + 32|standard) > > > > + X86_ENDBR=endbr32 > > > > + p2align=2 > > > > + ;; > > > > + 64) > > > > + X86_ENDBR=endbr64 > > > > + p2align=3 > > > > + ;; > > > > + x32) > > > > + X86_ENDBR=endbr64 > > > > + p2align=2 > > > > + ;; > > > > + esac > > > > + AC_CACHE_CHECK([if .note.gnu.property section is needed], > > > > + [nettle_cv_asm_x86_gnu_property], > > > > + [AC_TRY_COMPILE([ > > > > +#if !defined __ELF__ || !defined __CET__ > > > > +#error GNU property is not needed > > > > +#endif > > > > + ], [], > > > > + [nettle_cv_asm_x86_gnu_property=yes], > > > > + [nettle_cv_asm_x86_gnu_property=no])]) > > > > +else > > > > + nettle_cv_asm_x86_gnu_property=no > > > > +fi > > > > +if test "$nettle_cv_asm_x86_gnu_property" = yes; then > > > > + X86_GNU_PROPERTY=" > > > > + .section \".note.gnu.property\", \"a\" > > > > + .p2align $p2align > > > > + .long 1f - 0f > > > > + .long 4f - 1f > > > > + .long 5 > > > > +0: > > > > + .asciz \"GNU\" > > > > +1: > > > > + .p2align $p2align > > > > + .long 0xc0000002 > > > > + .long 3f - 2f > > > > +2: > > > > + .long 3 > > > > +3: > > > > + .p2align $p2align > > > > +4:" > > > > +fi > > > > > > Maybe a bit easier to read if you use single quotes for > > > X86_GNU_PROPERTY='...', don't escape the inner double quotes. That > > > leaves the expansion of $p2align, maybe it's better to define a separate > > > substituted variable for pointer alignment? (If there's no easier way to > > > enforce pointer-alignment). > > > > Niels, > > I sent patches longa few months ago on the list to enable CET, they > > already went through review, any reason why we are looking at a > > different set and restarting review from scratch now? > > > > (sorry for not catching earlier, we seem to be having some delivery > > issues and sometimes mailing list post are not reaching me, please keep > > me in direct CC for now, hopefully that will help :-/ ) > > > > Hi Simo, > > master branch doesn't contain any CET support. Can you share your patch > with me? I will give it a try on CET processor. > > Thanks. The patchset i solder than I did remember, April 2019 But I recall running at least one version of it on our CET emulator @ Red Hat. HTH, Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc

2 2

Re: [PATCH] x86: Add X86_ENDBR and CET marker to config.m4.in
by nisse＠lysator.liu.se 09 Mar '20

09 Mar '20

"H.J. Lu" <hjl.tools(a)gmail.com> writes: > Intel Control-flow Enforcement Technology (CET): > > https://software.intel.com/en-us/articles/intel-sdm > > contains shadow stack (SHSTK) and indirect branch tracking (IBT). When > CET is enabled, ELF object files must be marked with .note.gnu.property > section. Also when IBT is enabled, all indirect branch targets must > start with ENDBR instruction. > > This patch adds X86_ENDBR and the CET marker to config.m4.in when CET > is enabled. It updates PROLOGUE with X86_ENDBR. I'd like to have a look at what gcc produces. How is it enabled with gcc? In the docs, I find -mshstk The -mshstk option enables shadow stack built-in functions from x86 Control-flow Enforcement Technology (CET). but when I try compiling a trivial function, $ cat foo-cet.c int foo(void) {return 0;} $ gcc -save-temps -c -mshstk foo-cet.c I get no endbr instruction and no note in the foo-cet.s. I'm using gcc-8.3. I do get an .section .note.GNU-stack,"",@progbits corresponding to Nettle's ASM_MARK_NOEXEC_STACK > --- a/config.m4.in > +++ b/config.m4.in > @@ -8,6 +8,10 @@ define(<ALIGN_LOG>, <@ASM_ALIGN_LOG@>)dnl > define(<W64_ABI>, <@W64_ABI@>)dnl > define(<RODATA>, <@ASM_RODATA@>)dnl > define(<WORDS_BIGENDIAN>, <@ASM_WORDS_BIGENDIAN@>)dnl > +define(<X86_ENDBR>,<@X86_ENDBR@>)dnl > +divert(1) > +@X86_GNU_PROPERTY@ > +divert > divert(1) > @ASM_MARK_NOEXEC_STACK@ > divert You can put the two properties in the same m4 divert. Also, please rename the autoconf substitutions with ASM_ prefix, and something more descriptive than X64_GNU_PROPERTY. E.g., ASM_X86_ENDBR and ASM_X86_MARK_CET. > diff --git a/configure.ac b/configure.ac > index ba3ab7c6..e9ed630c 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -803,6 +803,82 @@ EOF > ASM_ALIGN_LOG="$nettle_cv_asm_align_log" > fi > > +dnl Define > +dnl 1. X86_ENDBR for endbr32/endbr64. > +dnl 2. X86_GNU_PROPERTY to add a .note.gnu.property section to mark > +dnl Intel CET support if needed. > +dnl .section ".note.gnu.property", "a" > +dnl .p2align POINTER-ALIGN > +dnl .long 1f - 0f > +dnl .long 4f - 1f > +dnl .long 5 > +dnl 0: > +dnl .asciz "GNU" > +dnl 1: > +dnl .p2align POINTER-ALIGN > +dnl .long 0xc0000002 > +dnl .long 3f - 2f > +dnl 2: > +dnl .long 3 > +dnl 3: > +dnl .p2align POINTER-ALIGN > +dnl 4: No need to repeat the definition in full in this comment. And as I think I've said before, I'm a bit surprised that it needs to be this verbose. > +AC_CACHE_CHECK([if Intel CET is enabled], > + [nettle_cv_asm_x86_intel_cet], > + [AC_TRY_COMPILE([ > +#ifndef __CET__ > +#error Intel CET is not enabled > +#endif > + ], [], > + [nettle_cv_asm_x86_intel_cet=yes], > + [nettle_cv_asm_x86_intel_cet=no])]) > +if test "$nettle_cv_asm_x86_intel_cet" = yes; then > + case $ABI in > + 32|standard) > + X86_ENDBR=endbr32 > + p2align=2 > + ;; > + 64) > + X86_ENDBR=endbr64 > + p2align=3 > + ;; > + x32) > + X86_ENDBR=endbr64 > + p2align=2 > + ;; > + esac > + AC_CACHE_CHECK([if .note.gnu.property section is needed], > + [nettle_cv_asm_x86_gnu_property], > + [AC_TRY_COMPILE([ > +#if !defined __ELF__ || !defined __CET__ > +#error GNU property is not needed > +#endif > + ], [], > + [nettle_cv_asm_x86_gnu_property=yes], > + [nettle_cv_asm_x86_gnu_property=no])]) > +else > + nettle_cv_asm_x86_gnu_property=no > +fi > +if test "$nettle_cv_asm_x86_gnu_property" = yes; then > + X86_GNU_PROPERTY=" > + .section \".note.gnu.property\", \"a\" > + .p2align $p2align > + .long 1f - 0f > + .long 4f - 1f > + .long 5 > +0: > + .asciz \"GNU\" > +1: > + .p2align $p2align > + .long 0xc0000002 > + .long 3f - 2f > +2: > + .long 3 > +3: > + .p2align $p2align > +4:" > +fi Maybe a bit easier to read if you use single quotes for X86_GNU_PROPERTY='...', don't escape the inner double quotes. That leaves the expansion of $p2align, maybe it's better to define a separate substituted variable for pointer alignment? (If there's no easier way to enforce pointer-alignment). Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

3 3

[PATCH] cmac-des3: add meta declaration to Nettle library
by dbaryshkov＠gmail.com 08 Mar '20

08 Mar '20

From: Dmitry Baryshkov <dbaryshkov(a)gmail.com> Move cmac-des3 meta information from testsuite/cmac-test.c to main Nettle library. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- Makefile.in | 2 +- cmac-des3-meta.c | 52 +++++++++++++++++++++++++++++++++++++++ nettle-meta-macs.c | 1 + nettle-meta.h | 1 + testsuite/cmac-test.c | 12 --------- testsuite/meta-mac-test.c | 1 + 6 files changed, 56 insertions(+), 13 deletions(-) create mode 100644 cmac-des3-meta.c diff --git a/Makefile.in b/Makefile.in index d4fcb81302a2..ddc304285321 100644 --- a/Makefile.in +++ b/Makefile.in @@ -103,7 +103,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \ - cmac-aes128-meta.c cmac-aes256-meta.c \ + cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \ gost28147.c gosthash94.c gosthash94-meta.c \ hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \ hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \ diff --git a/cmac-des3-meta.c b/cmac-des3-meta.c new file mode 100644 index 000000000000..7fdee8e680cf --- /dev/null +++ b/cmac-des3-meta.c @@ -0,0 +1,52 @@ +/* cmac-des3-meta.c + + Copyright (C) 2020 Dmitry Baryshkov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "nettle-meta.h" + +#include "cmac.h" + +const struct nettle_mac nettle_cmac_des3 = +{ + "cmac_des3", + sizeof(struct cmac_des3_ctx), + CMAC64_DIGEST_SIZE, + DES3_KEY_SIZE, + + (nettle_set_key_func*) cmac_des3_set_key, + (nettle_hash_update_func*) cmac_des3_update, + (nettle_hash_digest_func*) cmac_des3_digest +}; diff --git a/nettle-meta-macs.c b/nettle-meta-macs.c index cb9ede851573..a658ee39e230 100644 --- a/nettle-meta-macs.c +++ b/nettle-meta-macs.c @@ -40,6 +40,7 @@ const struct nettle_mac * const _nettle_macs[] = { &nettle_cmac_aes128, &nettle_cmac_aes256, + &nettle_cmac_des3, &nettle_hmac_md5, &nettle_hmac_ripemd160, &nettle_hmac_sha1, diff --git a/nettle-meta.h b/nettle-meta.h index 5d86615f94cc..7a6af363426b 100644 --- a/nettle-meta.h +++ b/nettle-meta.h @@ -276,6 +276,7 @@ nettle_get_macs (void); extern const struct nettle_mac nettle_cmac_aes128; extern const struct nettle_mac nettle_cmac_aes256; +extern const struct nettle_mac nettle_cmac_des3; /* HMAC variants with key size = digest size */ extern const struct nettle_mac nettle_hmac_md5; diff --git a/testsuite/cmac-test.c b/testsuite/cmac-test.c index 1a2cd0e591cf..a71baa086d01 100644 --- a/testsuite/cmac-test.c +++ b/testsuite/cmac-test.c @@ -2,18 +2,6 @@ #include "nettle-internal.h" #include "cmac.h" -const struct nettle_mac nettle_cmac_des3 = -{ - "CMAC-3DES", - sizeof(struct cmac_des3_ctx), - CMAC64_DIGEST_SIZE, - DES3_KEY_SIZE, - - (nettle_set_key_func*) cmac_des3_set_key, - (nettle_hash_update_func*) cmac_des3_update, - (nettle_hash_digest_func*) cmac_des3_digest -}; - #define test_cmac_aes128(key, msg, ref) \ test_mac(&nettle_cmac_aes128, key, msg, ref) diff --git a/testsuite/meta-mac-test.c b/testsuite/meta-mac-test.c index 32b6f20f07cd..55339441c99f 100644 --- a/testsuite/meta-mac-test.c +++ b/testsuite/meta-mac-test.c @@ -4,6 +4,7 @@ const char* macs[] = { "cmac_aes128", "cmac_aes256", + "cmac_des3", "hmac_md5", "hmac_ripemd160", "hmac_sha1", -- 2.24.1

2 1

[PATCH 1/2] chacha: add function to set initial block counter
by Daiki Ueno 07 Mar '20

07 Mar '20

From: Daiki Ueno <dueno(a)redhat.com> The ChaCha20 based header protection algorithm in QUIC requires a way to set the initial value of counter: https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#name-chacha20-based… This will add a new function chacha_set_counter, which takes an 8-octet initial value of the block counter. Signed-off-by: Daiki Ueno <dueno(a)redhat.com> --- chacha-set-nonce.c | 7 +++++++ chacha.h | 5 +++++ nettle.texinfo | 12 ++++++++++++ testsuite/chacha-test.c | 37 +++++++++++++++++++++++++++++++++++-- 4 files changed, 59 insertions(+), 2 deletions(-) diff --git a/chacha-set-nonce.c b/chacha-set-nonce.c index 607f176b..2c34e498 100644 --- a/chacha-set-nonce.c +++ b/chacha-set-nonce.c @@ -68,3 +68,10 @@ chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce) ctx->state[14] = LE_READ_UINT32(nonce + 4); ctx->state[15] = LE_READ_UINT32(nonce + 8); } + +void +chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter) +{ + ctx->state[12] = LE_READ_UINT32(counter + 0); + ctx->state[13] = LE_READ_UINT32(counter + 4); +} diff --git a/chacha.h b/chacha.h index 429a55b6..440fe968 100644 --- a/chacha.h +++ b/chacha.h @@ -46,6 +46,7 @@ extern "C" { #define chacha_set_key nettle_chacha_set_key #define chacha_set_nonce nettle_chacha_set_nonce #define chacha_set_nonce96 nettle_chacha_set_nonce96 +#define chacha_set_counter nettle_chacha_set_counter #define chacha_crypt nettle_chacha_crypt /* Currently, only 256-bit keys are supported. */ @@ -53,6 +54,7 @@ extern "C" { #define CHACHA_BLOCK_SIZE 64 #define CHACHA_NONCE_SIZE 8 #define CHACHA_NONCE96_SIZE 12 +#define CHACHA_COUNTER_SIZE 8 #define _CHACHA_STATE_LENGTH 16 @@ -81,6 +83,9 @@ chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce); +void +chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter); + void chacha_crypt(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); diff --git a/nettle.texinfo b/nettle.texinfo index 19eb6d34..0b339f51 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -1669,6 +1669,10 @@ ChaCha block size, 64. Size of the nonce, 8. @end defvr +@defvr Constant CHACHA_COUNTER_SIZE +Size of the counter, 8. +@end defvr + @deftypefun void chacha_set_key (struct chacha_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, @@ -1681,6 +1685,14 @@ octets. This function also initializes the block counter, setting it to zero. @end deftypefun +@deftypefun void chacha_set_counter (struct chacha_ctx *@var{ctx}, const uint8_t *@var{counter}) +Sets the block counter. It is always of size @code{CHACHA_COUNTER_SIZE}, +8 octets. This is rarely needed since @code{chacha_set_nonce} +initializes the block counter to zero. When it is still necessary, this +function must be called after @code{chacha_set_nonce}. + +@end deftypefun + @deftypefun void chacha_crypt (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to @code{chacha_crypt}, diff --git a/testsuite/chacha-test.c b/testsuite/chacha-test.c index d6489e9c..6875d4bb 100644 --- a/testsuite/chacha-test.c +++ b/testsuite/chacha-test.c @@ -38,8 +38,9 @@ #include "chacha-internal.h" static void -test_chacha(const struct tstring *key, const struct tstring *nonce, - const struct tstring *expected, unsigned rounds) +_test_chacha(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, unsigned rounds, + const struct tstring *counter) { struct chacha_ctx ctx; @@ -69,6 +70,9 @@ test_chacha(const struct tstring *key, const struct tstring *nonce, else die ("Bad nonce size %u.\n", (unsigned) nonce->length); + if (counter) + chacha_set_counter(&ctx, counter->data); + chacha_crypt (&ctx, length, data, data); ASSERT (data[-1] == 17); @@ -98,6 +102,8 @@ test_chacha(const struct tstring *key, const struct tstring *nonce, ASSERT (nonce->length == CHACHA_NONCE_SIZE); chacha_set_nonce(&ctx, nonce->data); + if (counter) + chacha_set_counter(&ctx, counter->data); _chacha_core (out, ctx.state, rounds); if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data)) @@ -117,6 +123,21 @@ test_chacha(const struct tstring *key, const struct tstring *nonce, } } +static void +test_chacha(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, unsigned rounds) +{ + _test_chacha(key, nonce, expected, rounds, NULL); +} + +static void +test_chacha_with_counter(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, unsigned rounds, + const struct tstring *counter) +{ + _test_chacha(key, nonce, expected, rounds, counter); +} + void test_main(void) { @@ -644,4 +665,16 @@ test_main(void) "d2826446079faa09 14c2d705d98b02a2" "b5129cd1de164eb9 cbd083e8a2503c4e"), 20); + + /* This is identical to the 96-bit nonce test, but it manually sets + the counter value */ + test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f" + "1011121314151617 18191a1b1c1d1e1f"), + SHEX("0000004a00000000"), + SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" + "c7d1f4c733c06803 0422aa9ac3d46c4e" + "d2826446079faa09 14c2d705d98b02a2" + "b5129cd1de164eb9 cbd083e8a2503c4e"), + 20, + SHEX("0100000000000009")); } -- 2.24.1

2 3

[PATCH] chacha: add function to set the initial value of counter
by Daiki Ueno 04 Mar '20

04 Mar '20

2 2

Armeb is broken
by Андрей Аладьев 03 Mar '20

03 Mar '20

Hello, please see the following gnutls issue https://gitlab.com/gnutls/gnutls/issues/941. Nettle today is working on aarch64, aarch64_be and arm, but broken on armeb. You can test it using the following way: 1. Enable CONFIG_X86_X32=y in kernel. 2. Install qemu-user with required arch and start qemu-binfmt service. Run commands: docker run -it puchuu/test_aarch64-unknown-linux-gnu bash env-update && source /etc/profile MAKEOPTS='-j16' FEATURES='test' emerge -v1 dev-libs/nettle Unfortunately I can't provide complete armeb image, because its build depends on working nettle. I can provide only armeb results: FAIL: chacha FAIL: memxor FAIL: ccm FAIL: pss FAIL: rsa-pss-sign-tr 5 of 98 tests failed I am launching "./testsuite/chacha-test" directly, result: Error, length 7, expected: 76b8e0ada0f13d Got: ade0a9f13d9076 qemu: uncaught target signal 6 (Aborted) - core dumped So it looks like armeb is completely broken today.

4 16

[PATCH] Enable/disable gost
by Андрей Аладьев 19 Feb '20

19 Feb '20

Hello. I saw new master branch received "gost" support. Please add "--enable-gost" and "--disable-gost" flag. I've noticed this flag is already a part of ".gitlab-ci.yml". I will attach patch to this mail. >From my point of view - I don't trust any russian government innovation, especially because of their crypto-licensing politics and unknown genesis of s-boxes. But I am sure that this flag will be used by many people: for example openwrt, ddwrt developers don't like additional code. By default I've disabled this flag. If you think it is important - please enable it by default. Thank you.

2 1

[PATCH] ecc: remove ecc_modp_foo/ecc_modq_foo macros
by dbaryshkov＠gmail.com 15 Feb '20

15 Feb '20

From: Dmitry Baryshkov <dbaryshkov(a)gmail.com> To make ecc functions usage more obvious remove ecc_modp_foo() and ecc_modq_foo() wrapper macros. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- curve25519-eh-to-x.c | 8 +++---- curve448-eh-to-x.c | 4 ++-- ecc-add-eh.c | 38 +++++++++++++++---------------- ecc-add-ehh.c | 42 +++++++++++++++++----------------- ecc-add-jja.c | 44 ++++++++++++++++++------------------ ecc-add-jjj.c | 54 ++++++++++++++++++++++---------------------- ecc-add-th.c | 38 +++++++++++++++---------------- ecc-add-thh.c | 42 +++++++++++++++++----------------- ecc-dup-eh.c | 26 ++++++++++----------- ecc-dup-jj.c | 36 ++++++++++++++--------------- ecc-dup-th.c | 26 ++++++++++----------- ecc-ecdsa-sign.c | 6 ++--- ecc-ecdsa-verify.c | 4 ++-- ecc-eh-to-a.c | 4 ++-- ecc-gostdsa-sign.c | 6 ++--- ecc-gostdsa-verify.c | 4 ++-- ecc-internal.h | 20 ---------------- ecc-j-to-a.c | 12 +++++----- eddsa-decompress.c | 10 ++++---- eddsa-sign.c | 4 ++-- 20 files changed, 204 insertions(+), 224 deletions(-) diff --git a/curve25519-eh-to-x.c b/curve25519-eh-to-x.c index 3a8787f022ed..1ce2dd830c75 100644 --- a/curve25519-eh-to-x.c +++ b/curve25519-eh-to-x.c @@ -62,14 +62,14 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, */ /* NOTE: For the infinity point, this subtraction gives zero (mod p), which isn't invertible. For curve25519, the desired output is - x = 0, and we should be fine, since ecc_modp_inv returns 0 + x = 0, and we should be fine, since ecc_mod_inv for ecc->p returns 0 in this case. */ - ecc_modp_sub (ecc, t0, wp, vp); + ecc_mod_sub (&ecc->p, t0, wp, vp); /* Needs a total of 5*size storage. */ ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); - ecc_modp_add (ecc, t0, wp, vp); - ecc_modp_mul (ecc, t2, t0, t1); + ecc_mod_add (&ecc->p, t0, wp, vp); + ecc_mod_mul (&ecc->p, t2, t0, t1); cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, t2, ecc->p.size); diff --git a/curve448-eh-to-x.c b/curve448-eh-to-x.c index 4bc78303f93b..ffeb83c15e44 100644 --- a/curve448-eh-to-x.c +++ b/curve448-eh-to-x.c @@ -61,8 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) */ /* Needs a total of 9*size storage. */ ecc->p.invert (&ecc->p, t0, p, t1 + ecc->p.size); - ecc_modp_mul (ecc, t1, t0, vp); - ecc_modp_mul (ecc, t2, t1, t1); + ecc_mod_mul (&ecc->p, t1, t0, vp); + ecc_mod_mul (&ecc->p, t2, t1, t1); cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, t2, ecc->p.size); diff --git a/ecc-add-eh.c b/ecc-add-eh.c index 8e6b82ab9fd0..05faa7526f41 100644 --- a/ecc-add-eh.c +++ b/ecc-add-eh.c @@ -78,30 +78,30 @@ ecc_add_eh (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, x3, x1, y1); - ecc_modp_add (ecc, y3, x2, y2); - ecc_modp_mul (ecc, T, x3, y3); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - - ecc_modp_sub (ecc, C, D, C); - ecc_modp_sqr (ecc, B, z1); - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + + ecc_mod_sub (&ecc->p, C, D, C); + ecc_mod_sqr (&ecc->p, B, z1); + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, F, T); - ecc_modp_mul (ecc, x3, B, z1); + ecc_mod_mul (&ecc->p, B, F, T); + ecc_mod_mul (&ecc->p, x3, B, z1); /* y3 */ - ecc_modp_mul (ecc, B, G, z1); - ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */ + ecc_mod_mul (&ecc->p, B, G, z1); + ecc_mod_mul (&ecc->p, y3, B, C); /* Clobbers z1 in case r == p. */ /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } diff --git a/ecc-add-ehh.c b/ecc-add-ehh.c index bdd827ba396d..1c57a728c797 100644 --- a/ecc-add-ehh.c +++ b/ecc-add-ehh.c @@ -80,32 +80,32 @@ ecc_add_ehh (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, A, x1, y1); - ecc_modp_add (ecc, B, x2, y2); - ecc_modp_mul (ecc, T, A, B); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - ecc_modp_sub (ecc, C, D, C); - - ecc_modp_mul (ecc, A, z1, z2); - ecc_modp_sqr (ecc, B, A); - - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, A, x1, y1); + ecc_mod_add (&ecc->p, B, x2, y2); + ecc_mod_mul (&ecc->p, T, A, B); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + ecc_mod_sub (&ecc->p, C, D, C); + + ecc_mod_mul (&ecc->p, A, z1, z2); + ecc_mod_sqr (&ecc->p, B, A); + + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, F, T); - ecc_modp_mul (ecc, x3, B, A); + ecc_mod_mul (&ecc->p, B, F, T); + ecc_mod_mul (&ecc->p, x3, B, A); /* y3 */ - ecc_modp_mul (ecc, B, G, C); - ecc_modp_mul (ecc, y3, B, A); + ecc_mod_mul (&ecc->p, B, G, C); + ecc_mod_mul (&ecc->p, y3, B, A); /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } diff --git a/ecc-add-jja.c b/ecc-add-jja.c index 9b5cab9db315..037711d38249 100644 --- a/ecc-add-jja.c +++ b/ecc-add-jja.c @@ -85,41 +85,41 @@ ecc_add_jja (const struct ecc_curve *ecc, #define y2 (q + ecc->p.size) /* zz */ - ecc_modp_sqr (ecc, zz, z1); + ecc_mod_sqr (&ecc->p, zz, z1); /* h*/ - ecc_modp_mul (ecc, h, x2, zz); - ecc_modp_sub (ecc, h, h, x1); + ecc_mod_mul (&ecc->p, h, x2, zz); + ecc_mod_sub (&ecc->p, h, h, x1); /* hh */ - ecc_modp_sqr (ecc, hh, h); + ecc_mod_sqr (&ecc->p, hh, h); /* Do z^3 early, store at w. */ - ecc_modp_mul (ecc, w, zz, z1); + ecc_mod_mul (&ecc->p, w, zz, z1); /* z_3, use j area for scratch */ - ecc_modp_add (ecc, r + 2*ecc->p.size, p + 2*ecc->p.size, h); - ecc_modp_sqr (ecc, j, r + 2*ecc->p.size); - ecc_modp_sub (ecc, j, j, zz); - ecc_modp_sub (ecc, r + 2*ecc->p.size, j, hh); + ecc_mod_add (&ecc->p, r + 2*ecc->p.size, p + 2*ecc->p.size, h); + ecc_mod_sqr (&ecc->p, j, r + 2*ecc->p.size); + ecc_mod_sub (&ecc->p, j, j, zz); + ecc_mod_sub (&ecc->p, r + 2*ecc->p.size, j, hh); /* w */ - ecc_modp_mul (ecc, j, y2, w); - ecc_modp_sub (ecc, w, j, y1); - ecc_modp_mul_1 (ecc, w, w, 2); + ecc_mod_mul (&ecc->p, j, y2, w); + ecc_mod_sub (&ecc->p, w, j, y1); + ecc_mod_mul_1 (&ecc->p, w, w, 2); /* i replaces hh, j */ - ecc_modp_mul_1 (ecc, hh, hh, 4); - ecc_modp_mul (ecc, j, hh, h); + ecc_mod_mul_1 (&ecc->p, hh, hh, 4); + ecc_mod_mul (&ecc->p, j, hh, h); /* v */ - ecc_modp_mul (ecc, v, x1, hh); + ecc_mod_mul (&ecc->p, v, x1, hh); /* x_3, use (h, hh) as sqratch */ - ecc_modp_sqr (ecc, h, w); - ecc_modp_sub (ecc, r, h, j); - ecc_modp_submul_1 (ecc, r, v, 2); + ecc_mod_sqr (&ecc->p, h, w); + ecc_mod_sub (&ecc->p, r, h, j); + ecc_mod_submul_1 (&ecc->p, r, v, 2); /* y_3, use (h, hh) as sqratch */ - ecc_modp_mul (ecc, h, y1, j); /* frees j */ - ecc_modp_sub (ecc, r + ecc->p.size, v, r); - ecc_modp_mul (ecc, j, r + ecc->p.size, w); - ecc_modp_submul_1 (ecc, j, h, 2); + ecc_mod_mul (&ecc->p, h, y1, j); /* frees j */ + ecc_mod_sub (&ecc->p, r + ecc->p.size, v, r); + ecc_mod_mul (&ecc->p, j, r + ecc->p.size, w); + ecc_mod_submul_1 (&ecc->p, j, h, 2); mpn_copyi (r + ecc->p.size, j, ecc->p.size); } diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c index 1143e79a0b6f..54b2246aeb24 100644 --- a/ecc-add-jjj.c +++ b/ecc-add-jjj.c @@ -74,47 +74,47 @@ ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *v = scratch + 6*ecc->p.size; /* z1^2, z2^2, u1 = x1 x2^2, u2 = x2 z1^2 - u1 */ - ecc_modp_sqr (ecc, z1z1, p + 2*ecc->p.size); - ecc_modp_sqr (ecc, z2z2, q + 2*ecc->p.size); - ecc_modp_mul (ecc, u1, p, z2z2); - ecc_modp_mul (ecc, u2, q, z1z1); - ecc_modp_sub (ecc, u2, u2, u1); /* Store h in u2 */ + ecc_mod_sqr (&ecc->p, z1z1, p + 2*ecc->p.size); + ecc_mod_sqr (&ecc->p, z2z2, q + 2*ecc->p.size); + ecc_mod_mul (&ecc->p, u1, p, z2z2); + ecc_mod_mul (&ecc->p, u2, q, z1z1); + ecc_mod_sub (&ecc->p, u2, u2, u1); /* Store h in u2 */ /* z3, use i, j, v as scratch, result at i. */ - ecc_modp_add (ecc, i, p + 2*ecc->p.size, q + 2*ecc->p.size); - ecc_modp_sqr (ecc, v, i); - ecc_modp_sub (ecc, v, v, z1z1); - ecc_modp_sub (ecc, v, v, z2z2); - ecc_modp_mul (ecc, i, v, u2); + ecc_mod_add (&ecc->p, i, p + 2*ecc->p.size, q + 2*ecc->p.size); + ecc_mod_sqr (&ecc->p, v, i); + ecc_mod_sub (&ecc->p, v, v, z1z1); + ecc_mod_sub (&ecc->p, v, v, z2z2); + ecc_mod_mul (&ecc->p, i, v, u2); /* Delayed write, to support in-place operation. */ /* s1 = y1 z2^3, s2 = y2 z1^3, scratch at j and v */ - ecc_modp_mul (ecc, j, z1z1, p + 2*ecc->p.size); /* z1^3 */ - ecc_modp_mul (ecc, v, z2z2, q + 2*ecc->p.size); /* z2^3 */ - ecc_modp_mul (ecc, s1, p + ecc->p.size, v); - ecc_modp_mul (ecc, v, j, q + ecc->p.size); - ecc_modp_sub (ecc, s2, v, s1); - ecc_modp_mul_1 (ecc, s2, s2, 2); + ecc_mod_mul (&ecc->p, j, z1z1, p + 2*ecc->p.size); /* z1^3 */ + ecc_mod_mul (&ecc->p, v, z2z2, q + 2*ecc->p.size); /* z2^3 */ + ecc_mod_mul (&ecc->p, s1, p + ecc->p.size, v); + ecc_mod_mul (&ecc->p, v, j, q + ecc->p.size); + ecc_mod_sub (&ecc->p, s2, v, s1); + ecc_mod_mul_1 (&ecc->p, s2, s2, 2); /* Store z3 */ mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); /* i, j, v */ - ecc_modp_sqr (ecc, i, u2); - ecc_modp_mul_1 (ecc, i, i, 4); - ecc_modp_mul (ecc, j, u2, i); - ecc_modp_mul (ecc, v, u1, i); + ecc_mod_sqr (&ecc->p, i, u2); + ecc_mod_mul_1 (&ecc->p, i, i, 4); + ecc_mod_mul (&ecc->p, j, u2, i); + ecc_mod_mul (&ecc->p, v, u1, i); /* now, u1, u2 and i are free for reuse .*/ /* x3, use u1, u2 as scratch */ - ecc_modp_sqr (ecc, u1, s2); - ecc_modp_sub (ecc, r, u1, j); - ecc_modp_submul_1 (ecc, r, v, 2); + ecc_mod_sqr (&ecc->p, u1, s2); + ecc_mod_sub (&ecc->p, r, u1, j); + ecc_mod_submul_1 (&ecc->p, r, v, 2); /* y3 */ - ecc_modp_mul (ecc, u1, s1, j); /* Frees j */ - ecc_modp_sub (ecc, u2, v, r); /* Frees v */ - ecc_modp_mul (ecc, i, s2, u2); - ecc_modp_submul_1 (ecc, i, u1, 2); + ecc_mod_mul (&ecc->p, u1, s1, j); /* Frees j */ + ecc_mod_sub (&ecc->p, u2, v, r); /* Frees v */ + ecc_mod_mul (&ecc->p, i, s2, u2); + ecc_mod_submul_1 (&ecc->p, i, u1, 2); mpn_copyi (r + ecc->p.size, i, ecc->p.size); } diff --git a/ecc-add-th.c b/ecc-add-th.c index c19afbb5f7d4..1d61a32ea6ec 100644 --- a/ecc-add-th.c +++ b/ecc-add-th.c @@ -84,30 +84,30 @@ ecc_add_th (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, x3, x1, y1); - ecc_modp_add (ecc, y3, x2, y2); - ecc_modp_mul (ecc, T, x3, y3); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - - ecc_modp_add (ecc, C, D, C); - ecc_modp_sqr (ecc, B, z1); - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + + ecc_mod_add (&ecc->p, C, D, C); + ecc_mod_sqr (&ecc->p, B, z1); + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, G, T); - ecc_modp_mul (ecc, x3, B, z1); + ecc_mod_mul (&ecc->p, B, G, T); + ecc_mod_mul (&ecc->p, x3, B, z1); /* y3 */ - ecc_modp_mul (ecc, B, F, z1); - ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */ + ecc_mod_mul (&ecc->p, B, F, z1); + ecc_mod_mul (&ecc->p, y3, B, C); /* Clobbers z1 in case r == p. */ /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } diff --git a/ecc-add-thh.c b/ecc-add-thh.c index 03bb761f0500..59b33f385edb 100644 --- a/ecc-add-thh.c +++ b/ecc-add-thh.c @@ -85,32 +85,32 @@ ecc_add_thh (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, A, x1, y1); - ecc_modp_add (ecc, B, x2, y2); - ecc_modp_mul (ecc, T, A, B); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - ecc_modp_add (ecc, C, D, C); - - ecc_modp_mul (ecc, A, z1, z2); - ecc_modp_sqr (ecc, B, A); - - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, A, x1, y1); + ecc_mod_add (&ecc->p, B, x2, y2); + ecc_mod_mul (&ecc->p, T, A, B); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + ecc_mod_add (&ecc->p, C, D, C); + + ecc_mod_mul (&ecc->p, A, z1, z2); + ecc_mod_sqr (&ecc->p, B, A); + + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, G, T); - ecc_modp_mul (ecc, x3, B, A); + ecc_mod_mul (&ecc->p, B, G, T); + ecc_mod_mul (&ecc->p, x3, B, A); /* y3 */ - ecc_modp_mul (ecc, B, F, C); - ecc_modp_mul (ecc, y3, B, A); + ecc_mod_mul (&ecc->p, B, F, C); + ecc_mod_mul (&ecc->p, y3, B, A); /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } diff --git a/ecc-dup-eh.c b/ecc-dup-eh.c index f7b46eefa3ae..b36c55408e8c 100644 --- a/ecc-dup-eh.c +++ b/ecc-dup-eh.c @@ -64,28 +64,28 @@ ecc_dup_eh (const struct ecc_curve *ecc, #define j (scratch + 4*ecc->p.size) /* b */ - ecc_modp_add (ecc, e, p, p + ecc->p.size); - ecc_modp_sqr (ecc, b, e); + ecc_mod_add (&ecc->p, e, p, p + ecc->p.size); + ecc_mod_sqr (&ecc->p, b, e); /* c */ - ecc_modp_sqr (ecc, c, p); + ecc_mod_sqr (&ecc->p, c, p); /* d */ - ecc_modp_sqr (ecc, d, p + ecc->p.size); + ecc_mod_sqr (&ecc->p, d, p + ecc->p.size); /* h, can use r as scratch, even for in-place operation. */ - ecc_modp_sqr (ecc, r, p + 2*ecc->p.size); + ecc_mod_sqr (&ecc->p, r, p + 2*ecc->p.size); /* e, */ - ecc_modp_add (ecc, e, c, d); + ecc_mod_add (&ecc->p, e, c, d); /* j */ - ecc_modp_add (ecc, r, r, r); - ecc_modp_sub (ecc, j, e, r); + ecc_mod_add (&ecc->p, r, r, r); + ecc_mod_sub (&ecc->p, j, e, r); /* x' */ - ecc_modp_sub (ecc, b, b, e); - ecc_modp_mul (ecc, r, b, j); + ecc_mod_sub (&ecc->p, b, b, e); + ecc_mod_mul (&ecc->p, r, b, j); /* y' */ - ecc_modp_sub (ecc, c, c, d); /* Redundant */ - ecc_modp_mul (ecc, r + ecc->p.size, e, c); + ecc_mod_sub (&ecc->p, c, c, d); /* Redundant */ + ecc_mod_mul (&ecc->p, r + ecc->p.size, e, c); /* z' */ - ecc_modp_mul (ecc, b, e, j); + ecc_mod_mul (&ecc->p, b, e, j); mpn_copyi (r + 2*ecc->p.size, b, ecc->p.size); } diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c index 8e1cf36c17eb..2247e8fdfd5a 100644 --- a/ecc-dup-jj.c +++ b/ecc-dup-jj.c @@ -72,39 +72,39 @@ ecc_dup_jj (const struct ecc_curve *ecc, #define zp (p + 2*ecc->p.size) /* delta */ - ecc_modp_sqr (ecc, delta, zp); + ecc_mod_sqr (&ecc->p, delta, zp); /* gamma */ - ecc_modp_sqr (ecc, gamma, yp); + ecc_mod_sqr (&ecc->p, gamma, yp); /* z'. Can use beta area as scratch. */ - ecc_modp_add (ecc, r + 2*ecc->p.size, yp, zp); - ecc_modp_sqr (ecc, beta, r + 2*ecc->p.size); - ecc_modp_sub (ecc, beta, beta, gamma); - ecc_modp_sub (ecc, r + 2*ecc->p.size, beta, delta); + ecc_mod_add (&ecc->p, r + 2*ecc->p.size, yp, zp); + ecc_mod_sqr (&ecc->p, beta, r + 2*ecc->p.size); + ecc_mod_sub (&ecc->p, beta, beta, gamma); + ecc_mod_sub (&ecc->p, r + 2*ecc->p.size, beta, delta); /* alpha. Can use beta area as scratch, and overwrite delta. */ - ecc_modp_add (ecc, sum, xp, delta); - ecc_modp_sub (ecc, delta, xp, delta); - ecc_modp_mul (ecc, beta, sum, delta); - ecc_modp_mul_1 (ecc, alpha, beta, 3); + ecc_mod_add (&ecc->p, sum, xp, delta); + ecc_mod_sub (&ecc->p, delta, xp, delta); + ecc_mod_mul (&ecc->p, beta, sum, delta); + ecc_mod_mul_1 (&ecc->p, alpha, beta, 3); /* beta */ - ecc_modp_mul (ecc, beta, xp, gamma); + ecc_mod_mul (&ecc->p, beta, xp, gamma); /* Do gamma^2 and 4*beta early, to get them out of the way. We can then use the old area at gamma as scratch. */ - ecc_modp_sqr (ecc, g2, gamma); - ecc_modp_mul_1 (ecc, sum, beta, 4); + ecc_mod_sqr (&ecc->p, g2, gamma); + ecc_mod_mul_1 (&ecc->p, sum, beta, 4); /* x' */ - ecc_modp_sqr (ecc, gamma, alpha); /* Overwrites gamma and beta */ - ecc_modp_submul_1 (ecc, gamma, sum, 2); + ecc_mod_sqr (&ecc->p, gamma, alpha); /* Overwrites gamma and beta */ + ecc_mod_submul_1 (&ecc->p, gamma, sum, 2); mpn_copyi (r, gamma, ecc->p.size); /* y' */ - ecc_modp_sub (ecc, sum, sum, r); - ecc_modp_mul (ecc, gamma, sum, alpha); - ecc_modp_submul_1 (ecc, gamma, g2, 8); + ecc_mod_sub (&ecc->p, sum, sum, r); + ecc_mod_mul (&ecc->p, gamma, sum, alpha); + ecc_mod_submul_1 (&ecc->p, gamma, g2, 8); mpn_copyi (r + ecc->p.size, gamma, ecc->p.size); } diff --git a/ecc-dup-th.c b/ecc-dup-th.c index b4ce95c91ebd..dd95b84ac097 100644 --- a/ecc-dup-th.c +++ b/ecc-dup-th.c @@ -81,29 +81,29 @@ ecc_dup_th (const struct ecc_curve *ecc, #define J (scratch + 4*ecc->p.size) /* B */ - ecc_modp_add (ecc, F, p, p + ecc->p.size); - ecc_modp_sqr (ecc, B, F); + ecc_mod_add (&ecc->p, F, p, p + ecc->p.size); + ecc_mod_sqr (&ecc->p, B, F); /* C */ - ecc_modp_sqr (ecc, C, p); + ecc_mod_sqr (&ecc->p, C, p); /* D */ - ecc_modp_sqr (ecc, D, p + ecc->p.size); + ecc_mod_sqr (&ecc->p, D, p + ecc->p.size); /* Can use r as scratch, even for in-place operation. */ - ecc_modp_sqr (ecc, r, p + 2*ecc->p.size); + ecc_mod_sqr (&ecc->p, r, p + 2*ecc->p.size); /* F, */ - ecc_modp_sub (ecc, F, D, C); + ecc_mod_sub (&ecc->p, F, D, C); /* B - C - D */ - ecc_modp_add (ecc, C, C, D); - ecc_modp_sub (ecc, B, B, C); + ecc_mod_add (&ecc->p, C, C, D); + ecc_mod_sub (&ecc->p, B, B, C); /* J */ - ecc_modp_add (ecc, r, r, r); - ecc_modp_sub (ecc, J, r, F); + ecc_mod_add (&ecc->p, r, r, r); + ecc_mod_sub (&ecc->p, J, r, F); /* x' */ - ecc_modp_mul (ecc, r, B, J); + ecc_mod_mul (&ecc->p, r, B, J); /* y' */ - ecc_modp_mul (ecc, r + ecc->p.size, F, C); + ecc_mod_mul (&ecc->p, r + ecc->p.size, F, C); /* z' */ - ecc_modp_mul (ecc, B, F, J); + ecc_mod_mul (&ecc->p, B, F, J); mpn_copyi (r + 2*ecc->p.size, B, ecc->p.size); } diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c index 3b9e9cc1a35d..d675bd9b3805 100644 --- a/ecc-ecdsa-sign.c +++ b/ecc-ecdsa-sign.c @@ -88,9 +88,9 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, /* Process hash digest */ ecc_hash (&ecc->q, hp, length, digest); - ecc_modq_mul (ecc, tp, zp, rp); - ecc_modq_add (ecc, hp, hp, tp); - ecc_modq_mul (ecc, tp, hp, kinv); + ecc_mod_mul (&ecc->q, tp, zp, rp); + ecc_mod_add (&ecc->q, hp, hp, tp); + ecc_mod_mul (&ecc->q, tp, hp, kinv); mpn_copyi (sp, tp, ecc->p.size); #undef P diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c index d7f5b684841a..6f9fb5d98175 100644 --- a/ecc-ecdsa-verify.c +++ b/ecc-ecdsa-verify.c @@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, /* u1 = h / s, P1 = u1 * G */ ecc_hash (&ecc->q, hp, length, digest); - ecc_modq_mul (ecc, u1, hp, sinv); + ecc_mod_mul (&ecc->q, u1, hp, sinv); /* u2 = r / s, P2 = u2 * Y */ - ecc_modq_mul (ecc, u2, rp, sinv); + ecc_mod_mul (&ecc->q, u2, rp, sinv); /* Total storage: 5*ecc->p.size + ecc->mul_itch */ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c index 89d2b6e3bcae..869e8ad52c89 100644 --- a/ecc-eh-to-a.c +++ b/ecc-eh-to-a.c @@ -61,11 +61,11 @@ ecc_eh_to_a (const struct ecc_curve *ecc, /* Needs 2*size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); - ecc_modp_mul (ecc, tp, xp, izp); + ecc_mod_mul (&ecc->p, tp, xp, izp); cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r, tp, ecc->p.size); - ecc_modp_mul (ecc, tp, yp, izp); + ecc_mod_mul (&ecc->p, tp, yp, izp); cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); } diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c index 00eeef81f659..a12eb2af20fa 100644 --- a/ecc-gostdsa-sign.c +++ b/ecc-gostdsa-sign.c @@ -84,9 +84,9 @@ ecc_gostdsa_sign (const struct ecc_curve *ecc, if (mpn_zero_p (hp, ecc->p.size)) mpn_add_1 (hp, hp, ecc->p.size, 1); - ecc_modq_mul (ecc, tp, rp, zp); - ecc_modq_mul (ecc, t2p, kp, hp); - ecc_modq_add (ecc, sp, tp, t2p); + ecc_mod_mul (&ecc->q, tp, rp, zp); + ecc_mod_mul (&ecc->q, t2p, kp, hp); + ecc_mod_add (&ecc->q, sp, tp, t2p); /* Also reduce mod ecc->q. It should already be < 2*ecc->q, * so one subtraction should suffice. */ diff --git a/ecc-gostdsa-verify.c b/ecc-gostdsa-verify.c index 4358132b2bf6..29b82c8494ac 100644 --- a/ecc-gostdsa-verify.c +++ b/ecc-gostdsa-verify.c @@ -102,10 +102,10 @@ ecc_gostdsa_verify (const struct ecc_curve *ecc, ecc->q.invert (&ecc->q, vp, hp, vp + 2*ecc->p.size); /* z1 = s / h, P1 = z1 * G */ - ecc_modq_mul (ecc, z1, sp, vp); + ecc_mod_mul (&ecc->q, z1, sp, vp); /* z2 = - r / h, P2 = z2 * Y */ - ecc_modq_mul (ecc, z2, rp, vp); + ecc_mod_mul (&ecc->q, z2, rp, vp); mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size); /* Total storage: 5*ecc->p.size + ecc->mul_itch */ diff --git a/ecc-internal.h b/ecc-internal.h index 9516023a96ab..9e24e0ce4521 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -256,26 +256,6 @@ void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap); -#define ecc_modp_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_sub(ecc, r, a, b) \ - ecc_mod_sub (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_mul_1(ecc, r, a, b) \ - ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_addmul_1(ecc, r, a, b) \ - ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_submul_1(ecc, r, a, b) \ - ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_sqr(ecc, r, a) \ - ecc_mod_sqr (&(ecc)->p, (r), (a)) - -#define ecc_modq_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->q, (r), (a), (b)) -#define ecc_modq_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->q, (r), (a), (b)) - /* mod q operations. */ void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, diff --git a/ecc-j-to-a.c b/ecc-j-to-a.c index eca10f0fac9e..a232e0c5c5af 100644 --- a/ecc-j-to-a.c +++ b/ecc-j-to-a.c @@ -74,7 +74,7 @@ ecc_j_to_a (const struct ecc_curve *ecc, mpn_zero (izBp + ecc->p.size, ecc->p.size); ecc->p.reduce (&ecc->p, izBp); - ecc_modp_mul (ecc, iz2p, izp, izBp); + ecc_mod_mul (&ecc->p, iz2p, izp, izBp); } else { @@ -83,11 +83,11 @@ ecc_j_to_a (const struct ecc_curve *ecc, mpn_copyi (up, p+2*ecc->p.size, ecc->p.size); /* p_z */ ecc->p.invert (&ecc->p, izp, up, up + ecc->p.size); - ecc_modp_sqr (ecc, iz2p, izp); + ecc_mod_sqr (&ecc->p, iz2p, izp); } - ecc_modp_mul (ecc, iz3p, iz2p, p); - /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so + ecc_mod_mul (&ecc->p, iz3p, iz2p, p); + /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so do a conditional subtraction. */ cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); cnd_copy (cy, r, iz3p, ecc->p.size); @@ -105,8 +105,8 @@ ecc_j_to_a (const struct ecc_curve *ecc, } return; } - ecc_modp_mul (ecc, iz3p, iz2p, izp); - ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); + ecc_mod_mul (&ecc->p, iz3p, iz2p, izp); + ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size); /* And a similar subtraction. */ cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); diff --git a/eddsa-decompress.c b/eddsa-decompress.c index 441ccfbfb18a..8116084dda09 100644 --- a/eddsa-decompress.c +++ b/eddsa-decompress.c @@ -90,14 +90,14 @@ _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, /* For a valid input, y < p, so subtraction should underflow. */ res &= mpn_sub_n (scratch, scratch, ecc->p.m, ecc->p.size); - ecc_modp_sqr (ecc, y2, yp); - ecc_modp_mul (ecc, vp, y2, ecc->b); - ecc_modp_sub (ecc, vp, vp, ecc->unit); + ecc_mod_sqr (&ecc->p, y2, yp); + ecc_mod_mul (&ecc->p, vp, y2, ecc->b); + ecc_mod_sub (&ecc->p, vp, vp, ecc->unit); /* The sign is different between curve25519 and curve448. */ if (ecc->p.bit_size == 255) - ecc_modp_sub (ecc, up, ecc->unit, y2); + ecc_mod_sub (&ecc->p, up, ecc->unit, y2); else - ecc_modp_sub (ecc, up, y2, ecc->unit); + ecc_mod_sub (&ecc->p, up, y2, ecc->unit); res &= ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out); cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size); diff --git a/eddsa-sign.c b/eddsa-sign.c index 1d5e4796b120..acb8299b4191 100644 --- a/eddsa-sign.c +++ b/eddsa-sign.c @@ -91,8 +91,8 @@ _eddsa_sign (const struct ecc_curve *ecc, eddsa->digest (ctx, 2*nbytes, hash); _eddsa_hash (&ecc->q, hp, 2*nbytes, hash); - ecc_modq_mul (ecc, sp, hp, k2); - ecc_modq_add (ecc, sp, sp, rp); /* FIXME: Can be plain add */ + ecc_mod_mul (&ecc->q, sp, hp, k2); + ecc_mod_add (&ecc->q, sp, sp, rp); /* FIXME: Can be plain add */ if (ecc->p.bit_size == 255) { /* FIXME: Special code duplicated in ecc_curve25519_modq -- 2.24.1

2 1

Two MRs on git.lysator.liu.se
by Dmitry Eremin-Solenikov 10 Feb '20

10 Feb '20

Hello, I've opened two merge requests on git.lysator.liu.se: one for new hash function support (https://git.lysator.liu.se/nettle/nettle/merge_requests/6) and another one for GOST 28147 cipher/MAC support (https://git.lysator.liu.se/nettle/nettle/merge_requests/7). Code has been tested for quite some time in GnuTLS and has been submitted with minor modifications. -- With best wishes Dmitry

1 0

[PATCH v2 0/6] Add meta interface for MAC algorithms
by Daiki Ueno 09 Feb '20

09 Feb '20

From: Daiki Ueno <dueno(a)redhat.com> The changes from the previous series are: - remove the global hmac_*_set_key_expanded functions - leave out set_nonce member if the operation is not supported For the latter, I was wondering whether it is better to define a no-op set_nonce, but given the fact that that the caller nevertheless checks nonce_size, I chose to make the field blank. Daiki Ueno (6): nettle-meta: Move struct nettle_mac to nettle-meta.h nettle-meta: Add meta interface for CMAC functions nettle-meta: Add meta interface for HMAC functions nettle-meta: Add meta interface for UMAC functions nettle-meta: Expose all defined MACs through nettle_macs tests: Add test for meta interface for MAC algorithms Makefile.in | 7 +++- cmac-aes128-meta.c | 43 ++++++++++++++++++++ cmac-aes256-meta.c | 43 ++++++++++++++++++++ hmac-md5-meta.c | 47 ++++++++++++++++++++++ hmac-ripemd160-meta.c | 47 ++++++++++++++++++++++ hmac-sha1-meta.c | 47 ++++++++++++++++++++++ hmac-sha224-meta.c | 47 ++++++++++++++++++++++ hmac-sha256-meta.c | 47 ++++++++++++++++++++++ hmac-sha384-meta.c | 47 ++++++++++++++++++++++ hmac-sha512-meta.c | 47 ++++++++++++++++++++++ nettle-meta-macs.c | 61 ++++++++++++++++++++++++++++ nettle-meta.h | 81 ++++++++++++++++++++++++++++++++++++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/cmac-test.c | 24 ----------- testsuite/meta-mac-test.c | 43 ++++++++++++++++++++ testsuite/testutils.h | 29 -------------- umac128-meta.c | 47 ++++++++++++++++++++++ umac32-meta.c | 47 ++++++++++++++++++++++ umac64-meta.c | 47 ++++++++++++++++++++++ umac96-meta.c | 47 ++++++++++++++++++++++ 22 files changed, 799 insertions(+), 55 deletions(-) create mode 100644 cmac-aes128-meta.c create mode 100644 cmac-aes256-meta.c create mode 100644 hmac-md5-meta.c create mode 100644 hmac-ripemd160-meta.c create mode 100644 hmac-sha1-meta.c create mode 100644 hmac-sha224-meta.c create mode 100644 hmac-sha256-meta.c create mode 100644 hmac-sha384-meta.c create mode 100644 hmac-sha512-meta.c create mode 100644 nettle-meta-macs.c create mode 100644 testsuite/meta-mac-test.c create mode 100644 umac128-meta.c create mode 100644 umac32-meta.c create mode 100644 umac64-meta.c create mode 100644 umac96-meta.c -- 2.21.0

3 18

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs