nettle-bugs

nettle-bugs@lists.lysator.liu.se

2191 discussions

[PATCH 1/2] chacha: add function to set initial block counter
by Daiki Ueno 07 Mar '20

07 Mar '20

From: Daiki Ueno <dueno(a)redhat.com> The ChaCha20 based header protection algorithm in QUIC requires a way to set the initial value of counter: https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#name-chacha20-based… This will add a new function chacha_set_counter, which takes an 8-octet initial value of the block counter. Signed-off-by: Daiki Ueno <dueno(a)redhat.com> --- chacha-set-nonce.c | 7 +++++++ chacha.h | 5 +++++ nettle.texinfo | 12 ++++++++++++ testsuite/chacha-test.c | 37 +++++++++++++++++++++++++++++++++++-- 4 files changed, 59 insertions(+), 2 deletions(-) diff --git a/chacha-set-nonce.c b/chacha-set-nonce.c index 607f176b..2c34e498 100644 --- a/chacha-set-nonce.c +++ b/chacha-set-nonce.c @@ -68,3 +68,10 @@ chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce) ctx->state[14] = LE_READ_UINT32(nonce + 4); ctx->state[15] = LE_READ_UINT32(nonce + 8); } + +void +chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter) +{ + ctx->state[12] = LE_READ_UINT32(counter + 0); + ctx->state[13] = LE_READ_UINT32(counter + 4); +} diff --git a/chacha.h b/chacha.h index 429a55b6..440fe968 100644 --- a/chacha.h +++ b/chacha.h @@ -46,6 +46,7 @@ extern "C" { #define chacha_set_key nettle_chacha_set_key #define chacha_set_nonce nettle_chacha_set_nonce #define chacha_set_nonce96 nettle_chacha_set_nonce96 +#define chacha_set_counter nettle_chacha_set_counter #define chacha_crypt nettle_chacha_crypt /* Currently, only 256-bit keys are supported. */ @@ -53,6 +54,7 @@ extern "C" { #define CHACHA_BLOCK_SIZE 64 #define CHACHA_NONCE_SIZE 8 #define CHACHA_NONCE96_SIZE 12 +#define CHACHA_COUNTER_SIZE 8 #define _CHACHA_STATE_LENGTH 16 @@ -81,6 +83,9 @@ chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce); +void +chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter); + void chacha_crypt(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); diff --git a/nettle.texinfo b/nettle.texinfo index 19eb6d34..0b339f51 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -1669,6 +1669,10 @@ ChaCha block size, 64. Size of the nonce, 8. @end defvr +@defvr Constant CHACHA_COUNTER_SIZE +Size of the counter, 8. +@end defvr + @deftypefun void chacha_set_key (struct chacha_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, @@ -1681,6 +1685,14 @@ octets. This function also initializes the block counter, setting it to zero. @end deftypefun +@deftypefun void chacha_set_counter (struct chacha_ctx *@var{ctx}, const uint8_t *@var{counter}) +Sets the block counter. It is always of size @code{CHACHA_COUNTER_SIZE}, +8 octets. This is rarely needed since @code{chacha_set_nonce} +initializes the block counter to zero. When it is still necessary, this +function must be called after @code{chacha_set_nonce}. + +@end deftypefun + @deftypefun void chacha_crypt (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to @code{chacha_crypt}, diff --git a/testsuite/chacha-test.c b/testsuite/chacha-test.c index d6489e9c..6875d4bb 100644 --- a/testsuite/chacha-test.c +++ b/testsuite/chacha-test.c @@ -38,8 +38,9 @@ #include "chacha-internal.h" static void -test_chacha(const struct tstring *key, const struct tstring *nonce, - const struct tstring *expected, unsigned rounds) +_test_chacha(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, unsigned rounds, + const struct tstring *counter) { struct chacha_ctx ctx; @@ -69,6 +70,9 @@ test_chacha(const struct tstring *key, const struct tstring *nonce, else die ("Bad nonce size %u.\n", (unsigned) nonce->length); + if (counter) + chacha_set_counter(&ctx, counter->data); + chacha_crypt (&ctx, length, data, data); ASSERT (data[-1] == 17); @@ -98,6 +102,8 @@ test_chacha(const struct tstring *key, const struct tstring *nonce, ASSERT (nonce->length == CHACHA_NONCE_SIZE); chacha_set_nonce(&ctx, nonce->data); + if (counter) + chacha_set_counter(&ctx, counter->data); _chacha_core (out, ctx.state, rounds); if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data)) @@ -117,6 +123,21 @@ test_chacha(const struct tstring *key, const struct tstring *nonce, } } +static void +test_chacha(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, unsigned rounds) +{ + _test_chacha(key, nonce, expected, rounds, NULL); +} + +static void +test_chacha_with_counter(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, unsigned rounds, + const struct tstring *counter) +{ + _test_chacha(key, nonce, expected, rounds, counter); +} + void test_main(void) { @@ -644,4 +665,16 @@ test_main(void) "d2826446079faa09 14c2d705d98b02a2" "b5129cd1de164eb9 cbd083e8a2503c4e"), 20); + + /* This is identical to the 96-bit nonce test, but it manually sets + the counter value */ + test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f" + "1011121314151617 18191a1b1c1d1e1f"), + SHEX("0000004a00000000"), + SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" + "c7d1f4c733c06803 0422aa9ac3d46c4e" + "d2826446079faa09 14c2d705d98b02a2" + "b5129cd1de164eb9 cbd083e8a2503c4e"), + 20, + SHEX("0100000000000009")); } -- 2.24.1

2 3

[PATCH] chacha: add function to set the initial value of counter
by Daiki Ueno 04 Mar '20

04 Mar '20

2 2

Armeb is broken
by Андрей Аладьев 02 Mar '20

02 Mar '20

Hello, please see the following gnutls issue https://gitlab.com/gnutls/gnutls/issues/941. Nettle today is working on aarch64, aarch64_be and arm, but broken on armeb. You can test it using the following way: 1. Enable CONFIG_X86_X32=y in kernel. 2. Install qemu-user with required arch and start qemu-binfmt service. Run commands: docker run -it puchuu/test_aarch64-unknown-linux-gnu bash env-update && source /etc/profile MAKEOPTS='-j16' FEATURES='test' emerge -v1 dev-libs/nettle Unfortunately I can't provide complete armeb image, because its build depends on working nettle. I can provide only armeb results: FAIL: chacha FAIL: memxor FAIL: ccm FAIL: pss FAIL: rsa-pss-sign-tr 5 of 98 tests failed I am launching "./testsuite/chacha-test" directly, result: Error, length 7, expected: 76b8e0ada0f13d Got: ade0a9f13d9076 qemu: uncaught target signal 6 (Aborted) - core dumped So it looks like armeb is completely broken today.

4 16

[PATCH] Enable/disable gost
by Андрей Аладьев 19 Feb '20

19 Feb '20

Hello. I saw new master branch received "gost" support. Please add "--enable-gost" and "--disable-gost" flag. I've noticed this flag is already a part of ".gitlab-ci.yml". I will attach patch to this mail. >From my point of view - I don't trust any russian government innovation, especially because of their crypto-licensing politics and unknown genesis of s-boxes. But I am sure that this flag will be used by many people: for example openwrt, ddwrt developers don't like additional code. By default I've disabled this flag. If you think it is important - please enable it by default. Thank you.

2 1

[PATCH] ecc: remove ecc_modp_foo/ecc_modq_foo macros
by dbaryshkov＠gmail.com 15 Feb '20

15 Feb '20

From: Dmitry Baryshkov <dbaryshkov(a)gmail.com> To make ecc functions usage more obvious remove ecc_modp_foo() and ecc_modq_foo() wrapper macros. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- curve25519-eh-to-x.c | 8 +++---- curve448-eh-to-x.c | 4 ++-- ecc-add-eh.c | 38 +++++++++++++++---------------- ecc-add-ehh.c | 42 +++++++++++++++++----------------- ecc-add-jja.c | 44 ++++++++++++++++++------------------ ecc-add-jjj.c | 54 ++++++++++++++++++++++---------------------- ecc-add-th.c | 38 +++++++++++++++---------------- ecc-add-thh.c | 42 +++++++++++++++++----------------- ecc-dup-eh.c | 26 ++++++++++----------- ecc-dup-jj.c | 36 ++++++++++++++--------------- ecc-dup-th.c | 26 ++++++++++----------- ecc-ecdsa-sign.c | 6 ++--- ecc-ecdsa-verify.c | 4 ++-- ecc-eh-to-a.c | 4 ++-- ecc-gostdsa-sign.c | 6 ++--- ecc-gostdsa-verify.c | 4 ++-- ecc-internal.h | 20 ---------------- ecc-j-to-a.c | 12 +++++----- eddsa-decompress.c | 10 ++++---- eddsa-sign.c | 4 ++-- 20 files changed, 204 insertions(+), 224 deletions(-) diff --git a/curve25519-eh-to-x.c b/curve25519-eh-to-x.c index 3a8787f022ed..1ce2dd830c75 100644 --- a/curve25519-eh-to-x.c +++ b/curve25519-eh-to-x.c @@ -62,14 +62,14 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, */ /* NOTE: For the infinity point, this subtraction gives zero (mod p), which isn't invertible. For curve25519, the desired output is - x = 0, and we should be fine, since ecc_modp_inv returns 0 + x = 0, and we should be fine, since ecc_mod_inv for ecc->p returns 0 in this case. */ - ecc_modp_sub (ecc, t0, wp, vp); + ecc_mod_sub (&ecc->p, t0, wp, vp); /* Needs a total of 5*size storage. */ ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); - ecc_modp_add (ecc, t0, wp, vp); - ecc_modp_mul (ecc, t2, t0, t1); + ecc_mod_add (&ecc->p, t0, wp, vp); + ecc_mod_mul (&ecc->p, t2, t0, t1); cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, t2, ecc->p.size); diff --git a/curve448-eh-to-x.c b/curve448-eh-to-x.c index 4bc78303f93b..ffeb83c15e44 100644 --- a/curve448-eh-to-x.c +++ b/curve448-eh-to-x.c @@ -61,8 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) */ /* Needs a total of 9*size storage. */ ecc->p.invert (&ecc->p, t0, p, t1 + ecc->p.size); - ecc_modp_mul (ecc, t1, t0, vp); - ecc_modp_mul (ecc, t2, t1, t1); + ecc_mod_mul (&ecc->p, t1, t0, vp); + ecc_mod_mul (&ecc->p, t2, t1, t1); cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, t2, ecc->p.size); diff --git a/ecc-add-eh.c b/ecc-add-eh.c index 8e6b82ab9fd0..05faa7526f41 100644 --- a/ecc-add-eh.c +++ b/ecc-add-eh.c @@ -78,30 +78,30 @@ ecc_add_eh (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, x3, x1, y1); - ecc_modp_add (ecc, y3, x2, y2); - ecc_modp_mul (ecc, T, x3, y3); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - - ecc_modp_sub (ecc, C, D, C); - ecc_modp_sqr (ecc, B, z1); - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + + ecc_mod_sub (&ecc->p, C, D, C); + ecc_mod_sqr (&ecc->p, B, z1); + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, F, T); - ecc_modp_mul (ecc, x3, B, z1); + ecc_mod_mul (&ecc->p, B, F, T); + ecc_mod_mul (&ecc->p, x3, B, z1); /* y3 */ - ecc_modp_mul (ecc, B, G, z1); - ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */ + ecc_mod_mul (&ecc->p, B, G, z1); + ecc_mod_mul (&ecc->p, y3, B, C); /* Clobbers z1 in case r == p. */ /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } diff --git a/ecc-add-ehh.c b/ecc-add-ehh.c index bdd827ba396d..1c57a728c797 100644 --- a/ecc-add-ehh.c +++ b/ecc-add-ehh.c @@ -80,32 +80,32 @@ ecc_add_ehh (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, A, x1, y1); - ecc_modp_add (ecc, B, x2, y2); - ecc_modp_mul (ecc, T, A, B); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - ecc_modp_sub (ecc, C, D, C); - - ecc_modp_mul (ecc, A, z1, z2); - ecc_modp_sqr (ecc, B, A); - - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, A, x1, y1); + ecc_mod_add (&ecc->p, B, x2, y2); + ecc_mod_mul (&ecc->p, T, A, B); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + ecc_mod_sub (&ecc->p, C, D, C); + + ecc_mod_mul (&ecc->p, A, z1, z2); + ecc_mod_sqr (&ecc->p, B, A); + + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, F, T); - ecc_modp_mul (ecc, x3, B, A); + ecc_mod_mul (&ecc->p, B, F, T); + ecc_mod_mul (&ecc->p, x3, B, A); /* y3 */ - ecc_modp_mul (ecc, B, G, C); - ecc_modp_mul (ecc, y3, B, A); + ecc_mod_mul (&ecc->p, B, G, C); + ecc_mod_mul (&ecc->p, y3, B, A); /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } diff --git a/ecc-add-jja.c b/ecc-add-jja.c index 9b5cab9db315..037711d38249 100644 --- a/ecc-add-jja.c +++ b/ecc-add-jja.c @@ -85,41 +85,41 @@ ecc_add_jja (const struct ecc_curve *ecc, #define y2 (q + ecc->p.size) /* zz */ - ecc_modp_sqr (ecc, zz, z1); + ecc_mod_sqr (&ecc->p, zz, z1); /* h*/ - ecc_modp_mul (ecc, h, x2, zz); - ecc_modp_sub (ecc, h, h, x1); + ecc_mod_mul (&ecc->p, h, x2, zz); + ecc_mod_sub (&ecc->p, h, h, x1); /* hh */ - ecc_modp_sqr (ecc, hh, h); + ecc_mod_sqr (&ecc->p, hh, h); /* Do z^3 early, store at w. */ - ecc_modp_mul (ecc, w, zz, z1); + ecc_mod_mul (&ecc->p, w, zz, z1); /* z_3, use j area for scratch */ - ecc_modp_add (ecc, r + 2*ecc->p.size, p + 2*ecc->p.size, h); - ecc_modp_sqr (ecc, j, r + 2*ecc->p.size); - ecc_modp_sub (ecc, j, j, zz); - ecc_modp_sub (ecc, r + 2*ecc->p.size, j, hh); + ecc_mod_add (&ecc->p, r + 2*ecc->p.size, p + 2*ecc->p.size, h); + ecc_mod_sqr (&ecc->p, j, r + 2*ecc->p.size); + ecc_mod_sub (&ecc->p, j, j, zz); + ecc_mod_sub (&ecc->p, r + 2*ecc->p.size, j, hh); /* w */ - ecc_modp_mul (ecc, j, y2, w); - ecc_modp_sub (ecc, w, j, y1); - ecc_modp_mul_1 (ecc, w, w, 2); + ecc_mod_mul (&ecc->p, j, y2, w); + ecc_mod_sub (&ecc->p, w, j, y1); + ecc_mod_mul_1 (&ecc->p, w, w, 2); /* i replaces hh, j */ - ecc_modp_mul_1 (ecc, hh, hh, 4); - ecc_modp_mul (ecc, j, hh, h); + ecc_mod_mul_1 (&ecc->p, hh, hh, 4); + ecc_mod_mul (&ecc->p, j, hh, h); /* v */ - ecc_modp_mul (ecc, v, x1, hh); + ecc_mod_mul (&ecc->p, v, x1, hh); /* x_3, use (h, hh) as sqratch */ - ecc_modp_sqr (ecc, h, w); - ecc_modp_sub (ecc, r, h, j); - ecc_modp_submul_1 (ecc, r, v, 2); + ecc_mod_sqr (&ecc->p, h, w); + ecc_mod_sub (&ecc->p, r, h, j); + ecc_mod_submul_1 (&ecc->p, r, v, 2); /* y_3, use (h, hh) as sqratch */ - ecc_modp_mul (ecc, h, y1, j); /* frees j */ - ecc_modp_sub (ecc, r + ecc->p.size, v, r); - ecc_modp_mul (ecc, j, r + ecc->p.size, w); - ecc_modp_submul_1 (ecc, j, h, 2); + ecc_mod_mul (&ecc->p, h, y1, j); /* frees j */ + ecc_mod_sub (&ecc->p, r + ecc->p.size, v, r); + ecc_mod_mul (&ecc->p, j, r + ecc->p.size, w); + ecc_mod_submul_1 (&ecc->p, j, h, 2); mpn_copyi (r + ecc->p.size, j, ecc->p.size); } diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c index 1143e79a0b6f..54b2246aeb24 100644 --- a/ecc-add-jjj.c +++ b/ecc-add-jjj.c @@ -74,47 +74,47 @@ ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *v = scratch + 6*ecc->p.size; /* z1^2, z2^2, u1 = x1 x2^2, u2 = x2 z1^2 - u1 */ - ecc_modp_sqr (ecc, z1z1, p + 2*ecc->p.size); - ecc_modp_sqr (ecc, z2z2, q + 2*ecc->p.size); - ecc_modp_mul (ecc, u1, p, z2z2); - ecc_modp_mul (ecc, u2, q, z1z1); - ecc_modp_sub (ecc, u2, u2, u1); /* Store h in u2 */ + ecc_mod_sqr (&ecc->p, z1z1, p + 2*ecc->p.size); + ecc_mod_sqr (&ecc->p, z2z2, q + 2*ecc->p.size); + ecc_mod_mul (&ecc->p, u1, p, z2z2); + ecc_mod_mul (&ecc->p, u2, q, z1z1); + ecc_mod_sub (&ecc->p, u2, u2, u1); /* Store h in u2 */ /* z3, use i, j, v as scratch, result at i. */ - ecc_modp_add (ecc, i, p + 2*ecc->p.size, q + 2*ecc->p.size); - ecc_modp_sqr (ecc, v, i); - ecc_modp_sub (ecc, v, v, z1z1); - ecc_modp_sub (ecc, v, v, z2z2); - ecc_modp_mul (ecc, i, v, u2); + ecc_mod_add (&ecc->p, i, p + 2*ecc->p.size, q + 2*ecc->p.size); + ecc_mod_sqr (&ecc->p, v, i); + ecc_mod_sub (&ecc->p, v, v, z1z1); + ecc_mod_sub (&ecc->p, v, v, z2z2); + ecc_mod_mul (&ecc->p, i, v, u2); /* Delayed write, to support in-place operation. */ /* s1 = y1 z2^3, s2 = y2 z1^3, scratch at j and v */ - ecc_modp_mul (ecc, j, z1z1, p + 2*ecc->p.size); /* z1^3 */ - ecc_modp_mul (ecc, v, z2z2, q + 2*ecc->p.size); /* z2^3 */ - ecc_modp_mul (ecc, s1, p + ecc->p.size, v); - ecc_modp_mul (ecc, v, j, q + ecc->p.size); - ecc_modp_sub (ecc, s2, v, s1); - ecc_modp_mul_1 (ecc, s2, s2, 2); + ecc_mod_mul (&ecc->p, j, z1z1, p + 2*ecc->p.size); /* z1^3 */ + ecc_mod_mul (&ecc->p, v, z2z2, q + 2*ecc->p.size); /* z2^3 */ + ecc_mod_mul (&ecc->p, s1, p + ecc->p.size, v); + ecc_mod_mul (&ecc->p, v, j, q + ecc->p.size); + ecc_mod_sub (&ecc->p, s2, v, s1); + ecc_mod_mul_1 (&ecc->p, s2, s2, 2); /* Store z3 */ mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); /* i, j, v */ - ecc_modp_sqr (ecc, i, u2); - ecc_modp_mul_1 (ecc, i, i, 4); - ecc_modp_mul (ecc, j, u2, i); - ecc_modp_mul (ecc, v, u1, i); + ecc_mod_sqr (&ecc->p, i, u2); + ecc_mod_mul_1 (&ecc->p, i, i, 4); + ecc_mod_mul (&ecc->p, j, u2, i); + ecc_mod_mul (&ecc->p, v, u1, i); /* now, u1, u2 and i are free for reuse .*/ /* x3, use u1, u2 as scratch */ - ecc_modp_sqr (ecc, u1, s2); - ecc_modp_sub (ecc, r, u1, j); - ecc_modp_submul_1 (ecc, r, v, 2); + ecc_mod_sqr (&ecc->p, u1, s2); + ecc_mod_sub (&ecc->p, r, u1, j); + ecc_mod_submul_1 (&ecc->p, r, v, 2); /* y3 */ - ecc_modp_mul (ecc, u1, s1, j); /* Frees j */ - ecc_modp_sub (ecc, u2, v, r); /* Frees v */ - ecc_modp_mul (ecc, i, s2, u2); - ecc_modp_submul_1 (ecc, i, u1, 2); + ecc_mod_mul (&ecc->p, u1, s1, j); /* Frees j */ + ecc_mod_sub (&ecc->p, u2, v, r); /* Frees v */ + ecc_mod_mul (&ecc->p, i, s2, u2); + ecc_mod_submul_1 (&ecc->p, i, u1, 2); mpn_copyi (r + ecc->p.size, i, ecc->p.size); } diff --git a/ecc-add-th.c b/ecc-add-th.c index c19afbb5f7d4..1d61a32ea6ec 100644 --- a/ecc-add-th.c +++ b/ecc-add-th.c @@ -84,30 +84,30 @@ ecc_add_th (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, x3, x1, y1); - ecc_modp_add (ecc, y3, x2, y2); - ecc_modp_mul (ecc, T, x3, y3); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - - ecc_modp_add (ecc, C, D, C); - ecc_modp_sqr (ecc, B, z1); - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + + ecc_mod_add (&ecc->p, C, D, C); + ecc_mod_sqr (&ecc->p, B, z1); + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, G, T); - ecc_modp_mul (ecc, x3, B, z1); + ecc_mod_mul (&ecc->p, B, G, T); + ecc_mod_mul (&ecc->p, x3, B, z1); /* y3 */ - ecc_modp_mul (ecc, B, F, z1); - ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */ + ecc_mod_mul (&ecc->p, B, F, z1); + ecc_mod_mul (&ecc->p, y3, B, C); /* Clobbers z1 in case r == p. */ /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } diff --git a/ecc-add-thh.c b/ecc-add-thh.c index 03bb761f0500..59b33f385edb 100644 --- a/ecc-add-thh.c +++ b/ecc-add-thh.c @@ -85,32 +85,32 @@ ecc_add_thh (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, A, x1, y1); - ecc_modp_add (ecc, B, x2, y2); - ecc_modp_mul (ecc, T, A, B); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - ecc_modp_add (ecc, C, D, C); - - ecc_modp_mul (ecc, A, z1, z2); - ecc_modp_sqr (ecc, B, A); - - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, A, x1, y1); + ecc_mod_add (&ecc->p, B, x2, y2); + ecc_mod_mul (&ecc->p, T, A, B); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + ecc_mod_add (&ecc->p, C, D, C); + + ecc_mod_mul (&ecc->p, A, z1, z2); + ecc_mod_sqr (&ecc->p, B, A); + + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, G, T); - ecc_modp_mul (ecc, x3, B, A); + ecc_mod_mul (&ecc->p, B, G, T); + ecc_mod_mul (&ecc->p, x3, B, A); /* y3 */ - ecc_modp_mul (ecc, B, F, C); - ecc_modp_mul (ecc, y3, B, A); + ecc_mod_mul (&ecc->p, B, F, C); + ecc_mod_mul (&ecc->p, y3, B, A); /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } diff --git a/ecc-dup-eh.c b/ecc-dup-eh.c index f7b46eefa3ae..b36c55408e8c 100644 --- a/ecc-dup-eh.c +++ b/ecc-dup-eh.c @@ -64,28 +64,28 @@ ecc_dup_eh (const struct ecc_curve *ecc, #define j (scratch + 4*ecc->p.size) /* b */ - ecc_modp_add (ecc, e, p, p + ecc->p.size); - ecc_modp_sqr (ecc, b, e); + ecc_mod_add (&ecc->p, e, p, p + ecc->p.size); + ecc_mod_sqr (&ecc->p, b, e); /* c */ - ecc_modp_sqr (ecc, c, p); + ecc_mod_sqr (&ecc->p, c, p); /* d */ - ecc_modp_sqr (ecc, d, p + ecc->p.size); + ecc_mod_sqr (&ecc->p, d, p + ecc->p.size); /* h, can use r as scratch, even for in-place operation. */ - ecc_modp_sqr (ecc, r, p + 2*ecc->p.size); + ecc_mod_sqr (&ecc->p, r, p + 2*ecc->p.size); /* e, */ - ecc_modp_add (ecc, e, c, d); + ecc_mod_add (&ecc->p, e, c, d); /* j */ - ecc_modp_add (ecc, r, r, r); - ecc_modp_sub (ecc, j, e, r); + ecc_mod_add (&ecc->p, r, r, r); + ecc_mod_sub (&ecc->p, j, e, r); /* x' */ - ecc_modp_sub (ecc, b, b, e); - ecc_modp_mul (ecc, r, b, j); + ecc_mod_sub (&ecc->p, b, b, e); + ecc_mod_mul (&ecc->p, r, b, j); /* y' */ - ecc_modp_sub (ecc, c, c, d); /* Redundant */ - ecc_modp_mul (ecc, r + ecc->p.size, e, c); + ecc_mod_sub (&ecc->p, c, c, d); /* Redundant */ + ecc_mod_mul (&ecc->p, r + ecc->p.size, e, c); /* z' */ - ecc_modp_mul (ecc, b, e, j); + ecc_mod_mul (&ecc->p, b, e, j); mpn_copyi (r + 2*ecc->p.size, b, ecc->p.size); } diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c index 8e1cf36c17eb..2247e8fdfd5a 100644 --- a/ecc-dup-jj.c +++ b/ecc-dup-jj.c @@ -72,39 +72,39 @@ ecc_dup_jj (const struct ecc_curve *ecc, #define zp (p + 2*ecc->p.size) /* delta */ - ecc_modp_sqr (ecc, delta, zp); + ecc_mod_sqr (&ecc->p, delta, zp); /* gamma */ - ecc_modp_sqr (ecc, gamma, yp); + ecc_mod_sqr (&ecc->p, gamma, yp); /* z'. Can use beta area as scratch. */ - ecc_modp_add (ecc, r + 2*ecc->p.size, yp, zp); - ecc_modp_sqr (ecc, beta, r + 2*ecc->p.size); - ecc_modp_sub (ecc, beta, beta, gamma); - ecc_modp_sub (ecc, r + 2*ecc->p.size, beta, delta); + ecc_mod_add (&ecc->p, r + 2*ecc->p.size, yp, zp); + ecc_mod_sqr (&ecc->p, beta, r + 2*ecc->p.size); + ecc_mod_sub (&ecc->p, beta, beta, gamma); + ecc_mod_sub (&ecc->p, r + 2*ecc->p.size, beta, delta); /* alpha. Can use beta area as scratch, and overwrite delta. */ - ecc_modp_add (ecc, sum, xp, delta); - ecc_modp_sub (ecc, delta, xp, delta); - ecc_modp_mul (ecc, beta, sum, delta); - ecc_modp_mul_1 (ecc, alpha, beta, 3); + ecc_mod_add (&ecc->p, sum, xp, delta); + ecc_mod_sub (&ecc->p, delta, xp, delta); + ecc_mod_mul (&ecc->p, beta, sum, delta); + ecc_mod_mul_1 (&ecc->p, alpha, beta, 3); /* beta */ - ecc_modp_mul (ecc, beta, xp, gamma); + ecc_mod_mul (&ecc->p, beta, xp, gamma); /* Do gamma^2 and 4*beta early, to get them out of the way. We can then use the old area at gamma as scratch. */ - ecc_modp_sqr (ecc, g2, gamma); - ecc_modp_mul_1 (ecc, sum, beta, 4); + ecc_mod_sqr (&ecc->p, g2, gamma); + ecc_mod_mul_1 (&ecc->p, sum, beta, 4); /* x' */ - ecc_modp_sqr (ecc, gamma, alpha); /* Overwrites gamma and beta */ - ecc_modp_submul_1 (ecc, gamma, sum, 2); + ecc_mod_sqr (&ecc->p, gamma, alpha); /* Overwrites gamma and beta */ + ecc_mod_submul_1 (&ecc->p, gamma, sum, 2); mpn_copyi (r, gamma, ecc->p.size); /* y' */ - ecc_modp_sub (ecc, sum, sum, r); - ecc_modp_mul (ecc, gamma, sum, alpha); - ecc_modp_submul_1 (ecc, gamma, g2, 8); + ecc_mod_sub (&ecc->p, sum, sum, r); + ecc_mod_mul (&ecc->p, gamma, sum, alpha); + ecc_mod_submul_1 (&ecc->p, gamma, g2, 8); mpn_copyi (r + ecc->p.size, gamma, ecc->p.size); } diff --git a/ecc-dup-th.c b/ecc-dup-th.c index b4ce95c91ebd..dd95b84ac097 100644 --- a/ecc-dup-th.c +++ b/ecc-dup-th.c @@ -81,29 +81,29 @@ ecc_dup_th (const struct ecc_curve *ecc, #define J (scratch + 4*ecc->p.size) /* B */ - ecc_modp_add (ecc, F, p, p + ecc->p.size); - ecc_modp_sqr (ecc, B, F); + ecc_mod_add (&ecc->p, F, p, p + ecc->p.size); + ecc_mod_sqr (&ecc->p, B, F); /* C */ - ecc_modp_sqr (ecc, C, p); + ecc_mod_sqr (&ecc->p, C, p); /* D */ - ecc_modp_sqr (ecc, D, p + ecc->p.size); + ecc_mod_sqr (&ecc->p, D, p + ecc->p.size); /* Can use r as scratch, even for in-place operation. */ - ecc_modp_sqr (ecc, r, p + 2*ecc->p.size); + ecc_mod_sqr (&ecc->p, r, p + 2*ecc->p.size); /* F, */ - ecc_modp_sub (ecc, F, D, C); + ecc_mod_sub (&ecc->p, F, D, C); /* B - C - D */ - ecc_modp_add (ecc, C, C, D); - ecc_modp_sub (ecc, B, B, C); + ecc_mod_add (&ecc->p, C, C, D); + ecc_mod_sub (&ecc->p, B, B, C); /* J */ - ecc_modp_add (ecc, r, r, r); - ecc_modp_sub (ecc, J, r, F); + ecc_mod_add (&ecc->p, r, r, r); + ecc_mod_sub (&ecc->p, J, r, F); /* x' */ - ecc_modp_mul (ecc, r, B, J); + ecc_mod_mul (&ecc->p, r, B, J); /* y' */ - ecc_modp_mul (ecc, r + ecc->p.size, F, C); + ecc_mod_mul (&ecc->p, r + ecc->p.size, F, C); /* z' */ - ecc_modp_mul (ecc, B, F, J); + ecc_mod_mul (&ecc->p, B, F, J); mpn_copyi (r + 2*ecc->p.size, B, ecc->p.size); } diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c index 3b9e9cc1a35d..d675bd9b3805 100644 --- a/ecc-ecdsa-sign.c +++ b/ecc-ecdsa-sign.c @@ -88,9 +88,9 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, /* Process hash digest */ ecc_hash (&ecc->q, hp, length, digest); - ecc_modq_mul (ecc, tp, zp, rp); - ecc_modq_add (ecc, hp, hp, tp); - ecc_modq_mul (ecc, tp, hp, kinv); + ecc_mod_mul (&ecc->q, tp, zp, rp); + ecc_mod_add (&ecc->q, hp, hp, tp); + ecc_mod_mul (&ecc->q, tp, hp, kinv); mpn_copyi (sp, tp, ecc->p.size); #undef P diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c index d7f5b684841a..6f9fb5d98175 100644 --- a/ecc-ecdsa-verify.c +++ b/ecc-ecdsa-verify.c @@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, /* u1 = h / s, P1 = u1 * G */ ecc_hash (&ecc->q, hp, length, digest); - ecc_modq_mul (ecc, u1, hp, sinv); + ecc_mod_mul (&ecc->q, u1, hp, sinv); /* u2 = r / s, P2 = u2 * Y */ - ecc_modq_mul (ecc, u2, rp, sinv); + ecc_mod_mul (&ecc->q, u2, rp, sinv); /* Total storage: 5*ecc->p.size + ecc->mul_itch */ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c index 89d2b6e3bcae..869e8ad52c89 100644 --- a/ecc-eh-to-a.c +++ b/ecc-eh-to-a.c @@ -61,11 +61,11 @@ ecc_eh_to_a (const struct ecc_curve *ecc, /* Needs 2*size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); - ecc_modp_mul (ecc, tp, xp, izp); + ecc_mod_mul (&ecc->p, tp, xp, izp); cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r, tp, ecc->p.size); - ecc_modp_mul (ecc, tp, yp, izp); + ecc_mod_mul (&ecc->p, tp, yp, izp); cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); } diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c index 00eeef81f659..a12eb2af20fa 100644 --- a/ecc-gostdsa-sign.c +++ b/ecc-gostdsa-sign.c @@ -84,9 +84,9 @@ ecc_gostdsa_sign (const struct ecc_curve *ecc, if (mpn_zero_p (hp, ecc->p.size)) mpn_add_1 (hp, hp, ecc->p.size, 1); - ecc_modq_mul (ecc, tp, rp, zp); - ecc_modq_mul (ecc, t2p, kp, hp); - ecc_modq_add (ecc, sp, tp, t2p); + ecc_mod_mul (&ecc->q, tp, rp, zp); + ecc_mod_mul (&ecc->q, t2p, kp, hp); + ecc_mod_add (&ecc->q, sp, tp, t2p); /* Also reduce mod ecc->q. It should already be < 2*ecc->q, * so one subtraction should suffice. */ diff --git a/ecc-gostdsa-verify.c b/ecc-gostdsa-verify.c index 4358132b2bf6..29b82c8494ac 100644 --- a/ecc-gostdsa-verify.c +++ b/ecc-gostdsa-verify.c @@ -102,10 +102,10 @@ ecc_gostdsa_verify (const struct ecc_curve *ecc, ecc->q.invert (&ecc->q, vp, hp, vp + 2*ecc->p.size); /* z1 = s / h, P1 = z1 * G */ - ecc_modq_mul (ecc, z1, sp, vp); + ecc_mod_mul (&ecc->q, z1, sp, vp); /* z2 = - r / h, P2 = z2 * Y */ - ecc_modq_mul (ecc, z2, rp, vp); + ecc_mod_mul (&ecc->q, z2, rp, vp); mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size); /* Total storage: 5*ecc->p.size + ecc->mul_itch */ diff --git a/ecc-internal.h b/ecc-internal.h index 9516023a96ab..9e24e0ce4521 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -256,26 +256,6 @@ void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap); -#define ecc_modp_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_sub(ecc, r, a, b) \ - ecc_mod_sub (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_mul_1(ecc, r, a, b) \ - ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_addmul_1(ecc, r, a, b) \ - ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_submul_1(ecc, r, a, b) \ - ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_sqr(ecc, r, a) \ - ecc_mod_sqr (&(ecc)->p, (r), (a)) - -#define ecc_modq_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->q, (r), (a), (b)) -#define ecc_modq_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->q, (r), (a), (b)) - /* mod q operations. */ void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, diff --git a/ecc-j-to-a.c b/ecc-j-to-a.c index eca10f0fac9e..a232e0c5c5af 100644 --- a/ecc-j-to-a.c +++ b/ecc-j-to-a.c @@ -74,7 +74,7 @@ ecc_j_to_a (const struct ecc_curve *ecc, mpn_zero (izBp + ecc->p.size, ecc->p.size); ecc->p.reduce (&ecc->p, izBp); - ecc_modp_mul (ecc, iz2p, izp, izBp); + ecc_mod_mul (&ecc->p, iz2p, izp, izBp); } else { @@ -83,11 +83,11 @@ ecc_j_to_a (const struct ecc_curve *ecc, mpn_copyi (up, p+2*ecc->p.size, ecc->p.size); /* p_z */ ecc->p.invert (&ecc->p, izp, up, up + ecc->p.size); - ecc_modp_sqr (ecc, iz2p, izp); + ecc_mod_sqr (&ecc->p, iz2p, izp); } - ecc_modp_mul (ecc, iz3p, iz2p, p); - /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so + ecc_mod_mul (&ecc->p, iz3p, iz2p, p); + /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so do a conditional subtraction. */ cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); cnd_copy (cy, r, iz3p, ecc->p.size); @@ -105,8 +105,8 @@ ecc_j_to_a (const struct ecc_curve *ecc, } return; } - ecc_modp_mul (ecc, iz3p, iz2p, izp); - ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); + ecc_mod_mul (&ecc->p, iz3p, iz2p, izp); + ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size); /* And a similar subtraction. */ cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); diff --git a/eddsa-decompress.c b/eddsa-decompress.c index 441ccfbfb18a..8116084dda09 100644 --- a/eddsa-decompress.c +++ b/eddsa-decompress.c @@ -90,14 +90,14 @@ _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, /* For a valid input, y < p, so subtraction should underflow. */ res &= mpn_sub_n (scratch, scratch, ecc->p.m, ecc->p.size); - ecc_modp_sqr (ecc, y2, yp); - ecc_modp_mul (ecc, vp, y2, ecc->b); - ecc_modp_sub (ecc, vp, vp, ecc->unit); + ecc_mod_sqr (&ecc->p, y2, yp); + ecc_mod_mul (&ecc->p, vp, y2, ecc->b); + ecc_mod_sub (&ecc->p, vp, vp, ecc->unit); /* The sign is different between curve25519 and curve448. */ if (ecc->p.bit_size == 255) - ecc_modp_sub (ecc, up, ecc->unit, y2); + ecc_mod_sub (&ecc->p, up, ecc->unit, y2); else - ecc_modp_sub (ecc, up, y2, ecc->unit); + ecc_mod_sub (&ecc->p, up, y2, ecc->unit); res &= ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out); cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size); diff --git a/eddsa-sign.c b/eddsa-sign.c index 1d5e4796b120..acb8299b4191 100644 --- a/eddsa-sign.c +++ b/eddsa-sign.c @@ -91,8 +91,8 @@ _eddsa_sign (const struct ecc_curve *ecc, eddsa->digest (ctx, 2*nbytes, hash); _eddsa_hash (&ecc->q, hp, 2*nbytes, hash); - ecc_modq_mul (ecc, sp, hp, k2); - ecc_modq_add (ecc, sp, sp, rp); /* FIXME: Can be plain add */ + ecc_mod_mul (&ecc->q, sp, hp, k2); + ecc_mod_add (&ecc->q, sp, sp, rp); /* FIXME: Can be plain add */ if (ecc->p.bit_size == 255) { /* FIXME: Special code duplicated in ecc_curve25519_modq -- 2.24.1

2 1

Two MRs on git.lysator.liu.se
by Dmitry Eremin-Solenikov 10 Feb '20

10 Feb '20

Hello, I've opened two merge requests on git.lysator.liu.se: one for new hash function support (https://git.lysator.liu.se/nettle/nettle/merge_requests/6) and another one for GOST 28147 cipher/MAC support (https://git.lysator.liu.se/nettle/nettle/merge_requests/7). Code has been tested for quite some time in GnuTLS and has been submitted with minor modifications. -- With best wishes Dmitry

1 0

[PATCH v2 0/6] Add meta interface for MAC algorithms
by Daiki Ueno 09 Feb '20

09 Feb '20

From: Daiki Ueno <dueno(a)redhat.com> The changes from the previous series are: - remove the global hmac_*_set_key_expanded functions - leave out set_nonce member if the operation is not supported For the latter, I was wondering whether it is better to define a no-op set_nonce, but given the fact that that the caller nevertheless checks nonce_size, I chose to make the field blank. Daiki Ueno (6): nettle-meta: Move struct nettle_mac to nettle-meta.h nettle-meta: Add meta interface for CMAC functions nettle-meta: Add meta interface for HMAC functions nettle-meta: Add meta interface for UMAC functions nettle-meta: Expose all defined MACs through nettle_macs tests: Add test for meta interface for MAC algorithms Makefile.in | 7 +++- cmac-aes128-meta.c | 43 ++++++++++++++++++++ cmac-aes256-meta.c | 43 ++++++++++++++++++++ hmac-md5-meta.c | 47 ++++++++++++++++++++++ hmac-ripemd160-meta.c | 47 ++++++++++++++++++++++ hmac-sha1-meta.c | 47 ++++++++++++++++++++++ hmac-sha224-meta.c | 47 ++++++++++++++++++++++ hmac-sha256-meta.c | 47 ++++++++++++++++++++++ hmac-sha384-meta.c | 47 ++++++++++++++++++++++ hmac-sha512-meta.c | 47 ++++++++++++++++++++++ nettle-meta-macs.c | 61 ++++++++++++++++++++++++++++ nettle-meta.h | 81 ++++++++++++++++++++++++++++++++++++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/cmac-test.c | 24 ----------- testsuite/meta-mac-test.c | 43 ++++++++++++++++++++ testsuite/testutils.h | 29 -------------- umac128-meta.c | 47 ++++++++++++++++++++++ umac32-meta.c | 47 ++++++++++++++++++++++ umac64-meta.c | 47 ++++++++++++++++++++++ umac96-meta.c | 47 ++++++++++++++++++++++ 22 files changed, 799 insertions(+), 55 deletions(-) create mode 100644 cmac-aes128-meta.c create mode 100644 cmac-aes256-meta.c create mode 100644 hmac-md5-meta.c create mode 100644 hmac-ripemd160-meta.c create mode 100644 hmac-sha1-meta.c create mode 100644 hmac-sha224-meta.c create mode 100644 hmac-sha256-meta.c create mode 100644 hmac-sha384-meta.c create mode 100644 hmac-sha512-meta.c create mode 100644 nettle-meta-macs.c create mode 100644 testsuite/meta-mac-test.c create mode 100644 umac128-meta.c create mode 100644 umac32-meta.c create mode 100644 umac64-meta.c create mode 100644 umac96-meta.c -- 2.21.0

3 18

[PATCH] gost28147: move gost params to internal interface
by dbaryshkov＠gmail.com 06 Feb '20

06 Feb '20

From: Dmitry Baryshkov <dbaryshkov(a)gmail.com> gost28147_param instances were never a part of stable release, so move them to internal header. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- Makefile.in | 2 +- gost28147-internal.h | 12 +++++++++ gost28147.c | 5 ++-- gost28147.h | 58 -------------------------------------------- gosthash94.c | 9 +++---- 5 files changed, 19 insertions(+), 67 deletions(-) delete mode 100644 gost28147.h diff --git a/Makefile.in b/Makefile.in index f876e5e82197..0de54e85c7ae 100644 --- a/Makefile.in +++ b/Makefile.in @@ -207,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \ + gcm.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h siv-cmac.h \ diff --git a/gost28147-internal.h b/gost28147-internal.h index 7f5c6f8c63c0..0cb2d152c8ad 100644 --- a/gost28147-internal.h +++ b/gost28147-internal.h @@ -34,7 +34,19 @@ #ifndef NETTLE_GOST28147_INTERNAL_H_INCLUDED #define NETTLE_GOST28147_INTERNAL_H_INCLUDED +#include <stdint.h> + #define _gost28147_encrypt_block _nettle_gost28147_encrypt_block +#define _gost28147_param_test_3411 _nettle_gost28147_param_test_3411 +#define _gost28147_param_CryptoPro_3411 _nettle_gost28147_param_CryptoPro_3411 + +extern const struct gost28147_param _gost28147_param_test_3411; +extern const struct gost28147_param _gost28147_param_CryptoPro_3411; + +struct gost28147_param +{ + uint32_t sbox[4][256]; +}; void _gost28147_encrypt_block (const uint32_t *key, const uint32_t sbox[4][256], const uint32_t *in, uint32_t *out); diff --git a/gost28147.c b/gost28147.c index 15d314c86c17..b6db334b2a0b 100644 --- a/gost28147.c +++ b/gost28147.c @@ -33,11 +33,10 @@ #endif #include "macros.h" -#include "gost28147.h" #include "gost28147-internal.h" /* pre-initialized GOST lookup tables based on rotated S-Box */ -const struct gost28147_param gost28147_param_test_3411 = +const struct gost28147_param _gost28147_param_test_3411 = { { { /* 0 */ @@ -304,7 +303,7 @@ const struct gost28147_param gost28147_param_test_3411 = } }; -const struct gost28147_param gost28147_param_CryptoPro_3411 = +const struct gost28147_param _gost28147_param_CryptoPro_3411 = { { { /* 0 */ diff --git a/gost28147.h b/gost28147.h deleted file mode 100644 index 32e7d5e81eb8..000000000000 --- a/gost28147.h +++ /dev/null @@ -1,58 +0,0 @@ -/* gost28147.h - - The GOST 28147-89 cipher function, described in RFC 5831. - - Copyright (C) 2019 Dmitry Eremin-Solenikov - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_GOST28147_H_INCLUDED -#define NETTLE_GOST28147_H_INCLUDED - -#include "nettle-types.h" - -#ifdef __cplusplus -extern "C" { -#endif - -#define gost28147_param_test_3411 nettle_gost28147_param_test_3411 -#define gost28147_param_CryptoPro_3411 nettle_gost28147_param_CryptoPro_3411 - -struct gost28147_param -{ - uint32_t sbox[4][256]; -}; - -extern const struct gost28147_param gost28147_param_test_3411; -extern const struct gost28147_param gost28147_param_CryptoPro_3411; - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_GOST28147_H_INCLUDED */ diff --git a/gosthash94.c b/gosthash94.c index 954130f741e9..37a7f32272df 100644 --- a/gosthash94.c +++ b/gosthash94.c @@ -41,7 +41,6 @@ #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" -#include "gost28147.h" #include "gost28147-internal.h" /** @@ -339,7 +338,7 @@ gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { gosthash94_update_int (ctx, length, msg, - gost28147_param_test_3411.sbox); + _gost28147_param_test_3411.sbox); } /** @@ -355,7 +354,7 @@ gosthash94cp_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { gosthash94_update_int (ctx, length, msg, - gost28147_param_CryptoPro_3411.sbox); + _gost28147_param_CryptoPro_3411.sbox); } /** @@ -399,7 +398,7 @@ gosthash94_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *result) { gosthash94_write_digest (ctx, length, result, - gost28147_param_test_3411.sbox); + _gost28147_param_test_3411.sbox); } void @@ -407,5 +406,5 @@ gosthash94cp_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *result) { gosthash94_write_digest (ctx, length, result, - gost28147_param_CryptoPro_3411.sbox); + _gost28147_param_CryptoPro_3411.sbox); } -- 2.24.1

2 1

Please use -shared on Solaris. Don't use -G on Solaris
by Jeffrey Walton 06 Feb '20

06 Feb '20

When linking the shared object with -G on Solaris: gcc -g2 -O2 -m64 -march=native -fPIC -pthread -Wno-pointer-sign -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -L/usr/local/lib -m64 -Wl,-R,'$ORIGIN/../lib' -Wl,-R,/usr/local/lib -G -h libnettle.so.7 aes-decrypt-internal.o aes-decrypt.o aes-encrypt-internal.o aes-encrypt.o aes-encrypt-table.o ... It results in: ld.so.1: aes-test: fatal: relocation error: R_AMD64_PC32: file ../.lib/libhogweed.so.5: symbol _init: value 0x7f004df15e9d does not fit ../run-tests: line 61: 12934: Killed FAIL: aes ld.so.1: arcfour-test: fatal: relocation error: R_AMD64_PC32: file ../.lib/libhogweed.so.5: symbol _init: value 0x7f004df15a1d does not fit ../run-tests: line 61: 12939: Killed FAIL: arcfour ld.so.1: arctwo-test: fatal: relocation error: R_AMD64_PC32: file ../.lib/libhogweed.so.5: symbol _init: value 0x7f004df153dd does not fit ../run-tests: line 61: 12944: Killed FAIL: arctwo ... Here's the full paste of the build using -G: https://pastebin.com/SKZxKfdZ. Please use -shared, not -G. -shared works as expected on Solaris. Jeff

3 9

Crash on Core-i7 8700 machine with --enable-x86-aesni and --enable-x86-sha-ni
by Jeffrey Walton 03 Feb '20

03 Feb '20

Hi Everyone, I'm catching a crash with Nettle 3.5.1 on a Core-i7 8700 configured with --enable-x86-aesni and --enable-x86-sha-ni. I verified the compiler supports both AESNI and SHA. Illegal instruction (core dumped) FAIL: hkdf PASS: salsa20 Illegal instruction (core dumped) FAIL: sha1 Illegal instruction (core dumped) FAIL: sha224 Illegal instruction (core dumped) FAIL: sha256 The machine is not configured with --enable-fat because of build failures on other platforms. On other platforms, --enable-fat causes SHA to be built even when the compiler does not support SHA. To avoid the compile error I dropped --enable-fat . So my question now is, how do I enable AES and SHA at compile time depending on the compiler support, and enable runtime switching? Thanks ------- Here is the logic I was trying to use. It accommodates both Linux and Solaris. AESNI_OPT=$("$CC" "$CFLAGS" -dM -E -maes - </dev/null 2>&1 | grep -i -c "__AES__") SHANI_OPT=$("$CC" "$CFLAGS" -dM -E -msha - </dev/null 2>&1 | grep -i -c "__SHA__") if [[ "$AESNI_OPT" -eq 1 ]]; then echo "Compiler supports AES-NI. Adding --enable-x86-aesni" CONFIG_OPTS+=("--enable-x86-aesni") fi if [[ "$SHANI_OPT" -eq 1 ]]; then echo "Compiler supports SHA-NI. Adding --enable-x86-sha-ni" CONFIG_OPTS+=("--enable-x86-sha-ni") fi # Crash on Solaris machines with --enable-fat #if [[ "$IS_IA32" -ne 0 ]]; then # echo "Using runtime algorithm selection. Adding --enable-fat" # CONFIG_OPTS+=("--enable-fat") #fi

2 2

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs