From nisse at lysator.liu.se Wed Jan 5 22:48:22 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Wed, 05 Jan 2011 22:48:22 +0100 Subject: howto use openssl generated rsa keys with nettle In-Reply-To: <4D245F61.9000700@tut.fi> (Jyke Jokinen's message of "Wed, 05 Jan 2011 14:09:05 +0200") References: <4D245F61.9000700@tut.fi> Message-ID: Jyke Jokinen writes: > In private key the fields are (openssl rsa -in key.pem -text): > privateExponent: > prime1: > prime2: > exponent1: > exponent2: > coefficient: > > Prime1&2 should be the factors p and q in rsa_private_key(?) > What values should be used for a, b and c? If n = p q, e is the public exponent and d is the private exponent, then one should have a = d mod (p - 1) b = d mod (q - 1) c = q^{-1} (mod p) I've tried to explain this in rsa.h, suggestions for improving the documentation are welcome. I'm pretty sure openssl uses the same values. Off the top of my head I can't say for sure how to pair together nettle's names and openssl's, but I think they're in the same order, i.e., privateExponent = d prime1 = p prime2 = q exponent1 = a exponent2 = b coefficient = c Anyway, a, b, and c are redundant and can be computed from p, q and d, so you can check if the pairing above is correct. For converting keys in pkcs#1 format, also have a look at the program examples/pkcs1-conv.c, and the function rsa_keypair_from_der which it uses. Regards, /Niels PS. I've added your address to the non-member whitelist. I hope that works, and that you can now post to the list. (Default posting policy is members-only, as a desperate anti-spam measure). -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Fri Jan 7 22:11:45 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 07 Jan 2011 22:11:45 +0100 Subject: elliptic curve in nettle? In-Reply-To: <4D114271.7060007@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 21 Dec 2010 19:12:33 -0500") References: <4D0FDAAB.7060702@fifthhorseman.net> <4D114271.7060007@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: >> patents situation, > > Unfortunately, the patent system seems to be such that even if i were a > patent lawyer (i am not, fortunately), i could make no iron-clad > guarantees. The best i can offer is a sort of suggestive inference: I'm aware that there are no guarantees. I think a reasonable requirement for implementing a new algorithm (ecc or otherwise) is that at least all known patent holders license related patents on royalty-free (and otherwise GPL compatible) terms. Jeffrey Walton writes: > I think Daniel is on the right track by choosing standardized domain > parameter support. When using standard parameters, you only have to > choose your private key and publish the public key. In this case, RFC > 5114 - Additional Diffie-Hellman Groups for Use with IETF Standards > (et al), would also be of interest. Noted. > For those interested, Certicom, which holds many EC patents and is > owned by RIM, lost a few "slam dunk" cases recently. The events caused > paralysis in RIM's legal department to the point where the sales team > has not inked a license in over a year. When I inquired about > licensing over the summer, I was told to go to RSA Data Securities > even though RSA is probably violating Certicom. The fellow who advised > me worked for Certicom. Intriguing story... as I've said, I haven't been following the area. My conclusions for now are: 1. It makes sense to add support for certain elliptic curves or types of curves to nettle. I'm still not quite sure what the applications are, diffie-hellman key exchange have been mentioned, do the most important standards also use them for encryption and signatures (e.g., ElGamal style)? The implementation ought to include an ecc exponentiation primitive that can be used for various applications. (BTW, Nettle currently doesn't include any support for ElGamal using the usual modular group, is that something that would be useful? I try to give higher priority to algorithms that are in used in real protocols and applications, and lower priority to more academic constructions). 2. I will not have much time to spend on ecc in the near future. I'm happy to comment on, and integrate, well-written patches. As usual, test cases are a very important part of the implementation... 3. On the legal side, I'd like to have some clear evidence that the particular curves implemented are unlikely to lead to trouble with known patents, possibly with fsf legal staff or sflc in the loop. I'm not sure I know the area well enough to provide all needed input to legal staff, though, so I may need help with this part as well. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Fri Jan 7 22:43:39 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 07 Jan 2011 16:43:39 -0500 Subject: elliptic curve in nettle? In-Reply-To: References: <4D0FDAAB.7060702@fifthhorseman.net> <4D114271.7060007@fifthhorseman.net> Message-ID: <4D27890B.4070404@fifthhorseman.net> On 01/07/2011 04:11 PM, Niels M?ller wrote: > 1. It makes sense to add support for certain elliptic curves or types of > curves to nettle. I'm still not quite sure what the applications are, > diffie-hellman key exchange have been mentioned, do the most > important standards also use them for encryption and signatures > (e.g., ElGamal style)? The implementation ought to include an > ecc exponentiation primitive that can be used for various applications. > > (BTW, Nettle currently doesn't include any support for ElGamal using > the usual modular group, is that something that would be useful? I > try to give higher priority to algorithms that are in used in real > protocols and applications, and lower priority to more academic > constructions). OpenSSH 5.7 (due out later this month) will add the use of Elliptic Curve DH and DSA. Interoperability with OpenSSH by ssh clients using nettle would be an excellent real-world scenario. ElGamal is still widely used for asymmetric OpenPGP encryption. Try scanning the public keyservers for people with ElGamal subkeys (i wish i had some easy way to present statistics from them -- sorry i don't!) so yes, both EC and ElGamal have very clear real-world (non-academic) usefulness. > 3. On the legal side, I'd like to have some clear evidence that the > particular curves implemented are unlikely to lead to trouble with > known patents, possibly with fsf legal staff or sflc in the loop. I'm > not sure I know the area well enough to provide all needed input to > legal staff, though, so I may need help with this part as well. i'll point the SFLC lawyers at this thread. hopefully they can get in touch. --dkg From simon at josefsson.org Fri Jan 7 22:58:33 2011 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 07 Jan 2011 22:58:33 +0100 Subject: elliptic curve in nettle? In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Fri, 07 Jan 2011 22:11:45 +0100") References: <4D0FDAAB.7060702@fifthhorseman.net> <4D114271.7060007@fifthhorseman.net> Message-ID: <87oc7scr5i.fsf@latte.josefsson.org> nisse at lysator.liu.se (Niels M?ller) writes: > 3. On the legal side, I'd like to have some clear evidence that the > particular curves implemented are unlikely to lead to trouble with > known patents, possibly with fsf legal staff or sflc in the loop. I'm > not sure I know the area well enough to provide all needed input to > legal staff, though, so I may need help with this part as well. I believe the SFLC is aware of the ECC situation, so you may want to talk to them about it. It is a messy area. /Simon From nisse at lysator.liu.se Wed Feb 2 22:15:50 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Wed, 02 Feb 2011 22:15:50 +0100 Subject: GCM mode and GMAC Message-ID: Hi, Nikos Mavrogiannopoulos have been looking into support for Galois Counter Mode (GCM), see http://www.cryptobarn.com/papers/gcm-spec.pdf My understanding of GCM is that the main point is a new MAC function which allows efficient hardware implementation. As far as I see, there's no clear advantage of using GCM instead of plain CTR mode combined with the same MAC function (applied to the plaintext). For Nettle, I think the first step ought to be to properly support the MAC function, GMAC. The most fundamental difference to other MAC functions is that it takes two input strings (besides the key). When used as a plain MAC, the second input is empty, while when used with GCM, the first input is auxillary data to be authenticated, and the second input is the cryptotext. Some questions: * Naming: Is "gmac" a good enough name? Or "ghash" (the name of the primitive which takes a key and two inputs, in the paper)? Or do we need something more verbose, like galois_mac or gmac128 or so? * Specification: It's not entirely clear to me how the spec is to be interpreted when one of the input strings is empty. The most reasonable interpretation would be that there should be zero blocks to process (n or m equal to zero). This requires some bending of the notation in equation (2), for example, with m = 0, n = 1, we should have X_0 = 0 X_1 = C_1^* ? H X_2 = (X_1 + (0 || len(C))) ? H and with m = 1, n = 0, X_0 = 0 X_1 = A_1^* ? H X_2 = (X_1 0 (len(A) || 0)) ? H Do you agree? * Interface: I think the basic use case with empty second input should be just like other MAC:s, struct gmac_ctx; /* Key size fixed to GMAC_KEY_SIZE == 16 */ void gmac_set_key(struct gmac_ctx *ctx, const uint8_t *key); void gmac_update(struct gmac_ctx *ctx, unsigned length, const uint8_t *data); void gmac_digest(struct gmac_ctx *ctx, unsigned length, uint8_t *digest); The context struct and the set_key function is essential to be able to do any optimizations using key-dependant tables. But then we need a function to mark the end of the first input and the start of the second. Name for that one? void gmac_next(struct gmac_ctx *ctx); This will pad the current input to a block boundary, and switch to using a different length counter. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From simon at josefsson.org Thu Feb 3 09:52:38 2011 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 03 Feb 2011 09:52:38 +0100 Subject: GCM mode and GMAC In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Wed, 02 Feb 2011 22:15:50 +0100") References: Message-ID: <87sjw5fqjt.fsf@latte.josefsson.org> nisse at lysator.liu.se (Niels M?ller) writes: > Hi, > > Nikos Mavrogiannopoulos have been looking into support for Galois > Counter Mode (GCM), see http://www.cryptobarn.com/papers/gcm-spec.pdf Hi! NIST Has some other links for it: http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html > My understanding of GCM is that the main point is a new MAC function > which allows efficient hardware implementation. As far as I see, there's > no clear advantage of using GCM instead of plain CTR mode combined with > the same MAC function (applied to the plaintext). Shouldn't you MAC the ciphertext? That's the proved secure approach. > * Naming: Is "gmac" a good enough name? Or "ghash" (the name of the > primitive which takes a key and two inputs, in the paper)? Or do we > need something more verbose, like galois_mac or gmac128 or so? The name GMAC is well established: http://en.wikipedia.org/wiki/Galois/Counter_Mode > * Specification: It's not entirely clear to me how the spec is to be > interpreted when one of the input strings is empty. The most > reasonable interpretation would be that there should be zero blocks > to process (n or m equal to zero). This requires some bending of the > notation in equation (2), for example, with m = 0, n = 1, we should > have If this is a real problem with latest specification, it might make sense to bring this up somewhere. > * Interface: I think the basic use case with empty second input should > be just like other MAC:s, > > struct gmac_ctx; > > /* Key size fixed to GMAC_KEY_SIZE == 16 */ > void > gmac_set_key(struct gmac_ctx *ctx, const uint8_t *key); > > void > gmac_update(struct gmac_ctx *ctx, > unsigned length, const uint8_t *data); > > void > gmac_digest(struct gmac_ctx *ctx, > unsigned length, uint8_t *digest); > > The context struct and the set_key function is essential to be able > to do any optimizations using key-dependant tables. > > But then we need a function to mark the end of the first input and > the start of the second. Name for that one? > > void > gmac_next(struct gmac_ctx *ctx); > > This will pad the current input to a block boundary, and switch to > using a different length counter. How about gmac_authenticate? Further, I'm wondering if some other authenticating MACs cannot process data in parallell, which would argue for an interface like this: struct gmac_ctx; /* Key size fixed to GMAC_KEY_SIZE == 16 */ void gmac_set_key(struct gmac_ctx *ctx, const uint8_t *key); void gmac_update(struct gmac_ctx *ctx, unsigned length, const uint8_t *data); void gmac_digest(struct gmac_ctx *ctx, unsigned length, uint8_t *digest); void gmac_authenticate(struct gmac_ctx *ctx, unsigned length, const uint8_t *data); Or something. /Simon From nisse at lysator.liu.se Thu Feb 3 13:40:47 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 03 Feb 2011 13:40:47 +0100 Subject: GCM mode and GMAC In-Reply-To: <87sjw5fqjt.fsf@latte.josefsson.org> (Simon Josefsson's message of "Thu, 03 Feb 2011 09:52:38 +0100") References: <87sjw5fqjt.fsf@latte.josefsson.org> Message-ID: Simon Josefsson writes: > http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html I was just wondering what an "authoritative" reference would be. > Shouldn't you MAC the ciphertext? That's the proved secure approach. I'm not familiar with those subtleties. Intuitively, it makes sense to me to MAC the cleartext, since that's closest to the *meaning* of the message. IIRC I picked up this (possibly outdated) advice from Applied Cryptography years ago. If you can trick the receiver to use the wrong key or iv for decryption, then the receiver gets a garbled message, and if the MAC is applied to cryptotext rather than cleartext, the message will still apear to be authentic. So some care is needed when applying the MAC to ciphertext only (and I'm talking about the general combination of encryption and MAC, not the specific combination in GCM which I hope gets things right). E.g., in ssh the mac is done as mac = MAC(key, sequence_number || unencrypted_packet) and replacing the unencrypted_packet by the corresponding ciphertext, with no other changes, would likely cause some trouble. >> * Naming: Is "gmac" a good enough name? Or "ghash" (the name of the >> primitive which takes a key and two inputs, in the paper)? Or do we >> need something more verbose, like galois_mac or gmac128 or so? > > The name GMAC is well established: > > http://en.wikipedia.org/wiki/Galois/Counter_Mode Ok. gmac it should be then. Or perhaps gmac128, in case anyone is using 64-bit gmac or planning for larger sizes? > If this is a real problem with latest specification, it might make sense > to bring this up somewhere. I'd have to check the NIST version of the spec. > Further, I'm wondering if some other authenticating MACs cannot process > data in parallell, which would argue for an interface like this: > > struct gmac_ctx; > > /* Key size fixed to GMAC_KEY_SIZE == 16 */ > void > gmac_set_key(struct gmac_ctx *ctx, const uint8_t *key); > > void > gmac_update(struct gmac_ctx *ctx, > unsigned length, const uint8_t *data); > > void > gmac_digest(struct gmac_ctx *ctx, > unsigned length, uint8_t *digest); > > void > gmac_authenticate(struct gmac_ctx *ctx, > unsigned length, const uint8_t *data); > > Or something. I'm not sure I understand what you are referring to. At least for gmac, I don't think one can mix the two inputs, one must complete one before starting on the other. And I'd prefer that this restriction is clearly expressed in the interface. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From noloader at gmail.com Thu Feb 3 17:35:25 2011 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 3 Feb 2011 11:35:25 -0500 Subject: GCM mode and GMAC In-Reply-To: References: <87sjw5fqjt.fsf@latte.josefsson.org> Message-ID: On Thu, Feb 3, 2011 at 7:40 AM, Niels M?ller wrote: > Simon Josefsson writes: > >> http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html > > I was just wondering what an "authoritative" reference would be. NIST SP800-38D. See http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html and http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf. [SNIP] Jeff From nisse at lysator.liu.se Thu Feb 3 19:49:11 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 03 Feb 2011 19:49:11 +0100 Subject: GCM mode and GMAC In-Reply-To: <87sjw5fqjt.fsf@latte.josefsson.org> (Simon Josefsson's message of "Thu, 03 Feb 2011 09:52:38 +0100") References: <87sjw5fqjt.fsf@latte.josefsson.org> Message-ID: Simon Josefsson writes: > The name GMAC is well established: > > http://en.wikipedia.org/wiki/Galois/Counter_Mode And if I understand the spec correctly, T = GMAC(K, M) is computed roughly as follows H = E_K(0...0) T = GHASH_H(M || ...) XOR E_K(IV) I.e, the MAC key K is converted to the "hash subkey H" using the encryption function of some block cipher (typically AES), and this block cipher is also used together with the IV to get a value XOR:ed to the output of GHASH. I imagine the final XOR is essential for the MAC security (to hide the otherwise very regular algebraic structure of GHASH). When writing the previous mail, I hadn't realized that also the MAC part depends on the block cipher, and should be parametrized by the block cipher used. This makes it less natural to view GMAC as an independent algorithm. Also, the need for an IV (never repeated with the same key) necessarily makes the interface more complex than, e.g., the HMAC interface. Just like for DSA, where would be some use for a deterministic variant where the IV (or random number in the case of DSA) is determined as some function of the message (and possibly also of the key, although the dependence on the key clearly should be one-way). Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Thu Feb 3 21:20:57 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 03 Feb 2011 21:20:57 +0100 Subject: GCM mode and GMAC In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Wed, 02 Feb 2011 22:15:50 +0100") References: Message-ID: Replying to myself: > The context struct and the set_key function is essential to be able > to do any optimizations using key-dependant tables. It actually gets a bit complicated. I think we need several context/state structs. First, the key. The only way the key is directly used is for encrypting things using the underlying block cipher. So it makes sense to represent the key as const void *cipher_ctx; nettle_crypt_func *encrypt; (except that for historical reasons, the first argument for nettle_crypt_func is not const). Next, we have tables derived from the key. These are needed for otpimized implementations of ghash, and should be reused when several messages are processed using the same key. E.g., this could be done as struct gcm128_ctx { const void *cipher_ctx; nettle_crypt_func *encrypt; uint8_t H[16]; /* Hash subkey */ uint8_t M0[16][256]; /* Key-dependent table. */ }; void gcm128_ctx_init(struct gcm128_ctx *ctx, const void *cipher_ctx, nettle_crypt_func *encrypt); (It would be more consistent with the rest of nettle to not store those pointers in gcm128_ctx, since its supposed to be ok to memcpy context structs around. One could either pass them as arguments to all functions, or inline an aes_ctx if aes is all we care about. I include them here, to simplify function prototypes). Functions to process complete gcm messages can take this ctx as argument. The main ghash iteration would also take this context struct as argument, /* Set state = (state XOR data) dot H */ void ghash_update(const struct gcm128_ctx *ctx, uint8_t *state, const uint8_t *data); For streaming operations, we also need a per-message state struct, something like struct gcm128_msg { uint8_t Y[16]; /* counter */ uint8_t J[16]; /* encryption of that */ uint8_t J0[16]; /* first encrypted counter block to be used for constructing the digest. */ uint8_t hash[16]; /* hashing state */ unsigned index; /* Index when doing partial blocks */ uint32_t auth_length; uint32_t msg_length; }; void gcm128_msg_init(struct gcm128_msg *msg, const struct gcm128_ctx *ctx, uint32_t iv_length, const uint8_t *iv); /* Process auxillary auth data */ void gcm128_msg_auth(struct gcm128_msg *msg, const struct gcm128_ctx *ctx, uint32_t length, const uint8_t *data); /* Only difference between encrypt and decrypt is if data is hashed before or after xoring with the key stream. */ void gcm128_msg_encrypt(struct gcm128_msg *msg, const struct gcm128_ctx *ctx, uint32_t length, uint8_t *dst, const uint8_t *src); void gcm128_msg_decrypt(struct gcm128_msg *msg, const struct gcm128_ctx *ctx, uint32_t length, uint8_t *dst, const uint8_t *src); gcm128_msg_digest(struct gcm128_msg *msg, const struct gcm128_ctx *ctx, uint32_t length, uint8_t *dst); Comments? It gets more complicated than almost anything currently in Nettle. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Sun Feb 6 00:08:27 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Sun, 06 Feb 2011 00:08:27 +0100 Subject: GCM mode and GMAC In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Wed, 02 Feb 2011 22:15:50 +0100") References: Message-ID: nisse at lysator.liu.se (Niels M?ller) writes: > Nikos Mavrogiannopoulos have been looking into support for Galois > Counter Mode (GCM), see http://www.cryptobarn.com/papers/gcm-spec.pdf I've checked in a first version, based on Nikos' code. Tentative interface as follows: #define GCM_BLOCK_SIZE 16 #define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4) #define GCM_TABLE_BITS 0 struct gcm_ctx { /* Key-dependent state. */ /* Hashing subkey */ uint8_t h[GCM_BLOCK_SIZE]; #if GCM_TABLE_BITS uint8_t h_table[1 << GCM_TABLE_BITS][GCM_BLOCK_SIZE]; #endif /* Per-message state, depending on the iv */ /* Original counter block */ uint8_t iv[GCM_BLOCK_SIZE]; /* Updated for each block. */ uint8_t ctr[GCM_BLOCK_SIZE]; /* Hashing state */ uint8_t x[GCM_BLOCK_SIZE]; uint64_t auth_size; uint64_t data_size; }; /* FIXME: Should use const for the cipher context. Then needs const for nettle_crypt_func, which also rules out using that abstraction for arcfour. */ void gcm_set_key(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func *f); void gcm_set_iv(struct gcm_ctx *ctx, unsigned length, const uint8_t *iv); void gcm_auth(struct gcm_ctx *ctx, unsigned length, const uint8_t *data); void gcm_encrypt(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *dst, const uint8_t *src); void gcm_decrypt(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *dst, const uint8_t *src); void gcm_digest(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *digest); Comments on both structure and naming are welcome. > My understanding of GCM is that the main point is a new MAC function > which allows efficient hardware implementation. The unoptimized GF(2^128) multiply function really is awfully slow. On x86_64, gmac takes 830 cycles/byte! We can compare to the sha functions, where sha1, sha256 and sha512 take respectively 8, 18 and 12 cycles/byte, so the current code is two orders of magnitude slower than hmac-sha1. It remains to see how much table space and/or assembly hacking is needed to get reasonable performance. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nmav at gnutls.org Sun Feb 6 00:30:56 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 06 Feb 2011 00:30:56 +0100 Subject: GCM mode and GMAC In-Reply-To: References: Message-ID: <4D4DDDB0.9070908@gnutls.org> On 02/06/2011 12:08 AM, Niels M?ller wrote: > The unoptimized GF(2^128) multiply function really is awfully slow. On > x86_64, gmac takes 830 cycles/byte! We can compare to the sha functions, > where sha1, sha256 and sha512 take respectively 8, 18 and 12 > cycles/byte, so the current code is two orders of magnitude slower than > hmac-sha1. > It remains to see how much table space and/or assembly hacking is needed > to get reasonable performance. There is a special instruction for that on new intel and AMD CPUs... http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/ http://en.wikipedia.org/wiki/CLMUL_instruction_set Unfortunately I don't have anything close to those cpus... regards, Nikos From nisse at lysator.liu.se Sun Feb 6 22:23:56 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Sun, 06 Feb 2011 22:23:56 +0100 Subject: GCM mode and GMAC In-Reply-To: <4D4DDDB0.9070908@gnutls.org> (Nikos Mavrogiannopoulos's message of "Sun, 06 Feb 2011 00:30:56 +0100") References: <4D4DDDB0.9070908@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > On 02/06/2011 12:08 AM, Niels M?ller wrote: > >> It remains to see how much table space and/or assembly hacking is needed >> to get reasonable performance. > > There is a special instruction for that on new intel and AMD CPUs... > http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/ > http://en.wikipedia.org/wiki/CLMUL_instruction_set Interesting. I haven't played with any such special instructions (even if it ought to make a bit of difference also for aes). Anyway, I've been hacking a bit on the C-implementation over the day, and the galois hashing (gmac) is now 18 times(!) faster. Summary of changes: Original unoptimized code: Algorithm mode Mbyte/s cycles/byte cycles/block gmac auth 1.49 829.83 13277.27 Optimized rshift, rewritten to use word-sized operations: Algorithm mode Mbyte/s cycles/byte cycles/block gmac auth 4.62 268.14 4290.23 Optimized gf_mul, rewritten to use separate byte and bit loops: Algorithm mode Mbyte/s cycles/byte cycles/block gmac auth 5.46 227.18 3634.90 Moved reduction into shift function: Algorithm mode Mbyte/s cycles/byte cycles/block gmac auth 6.79 182.69 2923.02 Introduced 4-bit tables: Algorithm mode Mbyte/s cycles/byte cycles/block gmac auth 27.14 45.68 730.82 Remaining tricks: * Try 8-bit tables (which increases storage need a lot, the modest 4-bit tables need only 256 additional bytes per key, for gf_mul, and a 32-byte constant table for gf_shift. Extending to 8 bits makes both tables 16 times larger). * See if it makes sense to write any assembler for the hashing function. * Various smaller microoptimizations, like a public memxor-variant for when areas are known to be word-aligned. Or inline that xor:ing. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nmav at gnutls.org Sun Feb 6 22:53:49 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 06 Feb 2011 22:53:49 +0100 Subject: GCM mode and GMAC In-Reply-To: References: Message-ID: <4D4F186D.2090404@gnutls.org> On 02/06/2011 12:08 AM, Niels M?ller wrote: > void gcm_set_key(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func > *f); I don't like the name of the function name. It doesn't reveal anything about its purpose. There is no key to set there. I'd suggest the original gcm_init. Moreover by not allowing the setting the blocksize as option any extension on that code to work with 64-bit ciphers, will require an abi break, or a new gcm64 mode... (what if 256-bit ciphers are added in the future?) > void gcm_encrypt(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func > *f, unsigned length, uint8_t *dst, const uint8_t *src); void > gcm_digest(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func *f, > unsigned length, uint8_t *digest); As I already mentioned I prefer having the cipher and f, to context to avoid supplying on individual calls. There is no advantage (that I can see) on having on each function parameters, and it just delegates the storage of those two pointers, to caller's structures instead. It's no big deal but it is inconvenience. regards, Nikos From nmav at gnutls.org Sun Feb 6 22:54:46 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 06 Feb 2011 22:54:46 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4DDDB0.9070908@gnutls.org> Message-ID: <4D4F18A6.3020009@gnutls.org> On 02/06/2011 10:23 PM, Niels M?ller wrote: > Nikos Mavrogiannopoulos writes: > >> On 02/06/2011 12:08 AM, Niels M?ller wrote: >> >>> It remains to see how much table space and/or assembly hacking is needed >>> to get reasonable performance. >> >> There is a special instruction for that on new intel and AMD CPUs... >> http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/ >> http://en.wikipedia.org/wiki/CLMUL_instruction_set > > Interesting. I haven't played with any such special instructions (even > if it ought to make a bit of difference also for aes). > > Anyway, I've been hacking a bit on the C-implementation over the day, > and the galois hashing (gmac) is now 18 times(!) faster. Summary of > changes: [...] > Introduced 4-bit tables: > > Algorithm mode Mbyte/s cycles/byte cycles/block > gmac auth 27.14 45.68 730.82 That's pretty impressive! From nisse at lysator.liu.se Mon Feb 7 10:26:47 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 07 Feb 2011 10:26:47 +0100 Subject: GCM mode and GMAC In-Reply-To: <4D4F186D.2090404@gnutls.org> (Nikos Mavrogiannopoulos's message of "Sun, 06 Feb 2011 22:53:49 +0100") References: <4D4F186D.2090404@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > On 02/06/2011 12:08 AM, Niels M?ller wrote: > >> void gcm_set_key(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func >> *f); > > I don't like the name of the function name. It doesn't reveal anything > about its purpose. There is no key to set there. I'd suggest the > original gcm_init. I see your point, and I think I'll change the name. If we introduce a gcm_aes wrapper, that will have a _set_key method. > Moreover by not allowing the setting the blocksize as option any > extension on that code to work with 64-bit ciphers, will require > an abi break, or a new gcm64 mode... (what if 256-bit ciphers are added > in the future?) I don't think it's useful to be that general here. Variants with different block sizes will likely need a different context struct anyway. I could rename gcm to gcm128 in the interface if that's clearer. > As I already mentioned I prefer having the cipher and f, to context > to avoid supplying on individual calls. There is no advantage (that I > can see) on having on each function parameters, and it just delegates > the storage of those two pointers, to caller's structures instead. It's > no big deal but it is inconvenience. I haven't yet made up my mind on this, but let me explain the reason for having these pointers as function arguments. The idea is that context structs in nettle should be non-magic with no pointers, so that it can be copied or relocated in memory at will. Say we implement gcm_aes as struct gcm_aes_ctx { struct gcm_ctx gcm; struct aes_ctx aes; }; void gcm_aes_encrypt(struct gcm_aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { gcm_encrypt(&ctx->gcm, &ctx->aes, (nettle_crypt_func) aes_encrypt, length, dst, src); } Then the context struct is still non-magic. We can call gcm_aes_set_key, and then create multiple copies of gcm_aes_ctx (using plain memcpy) which are independent. If we add some pointers to struct gcm_ctx (which *does* increase the storage size of gcm_aes_ctx, although that's maybe not a big deal), plain copying will leave pointers pointing to other objects, and we'll have to introduce a function gcm_aes_copy. And if you think copying here is the wrong thing (since we waste memory with multiple identical copies of an aes_ctx representing the key), then I think one should also split gcm_ctx into a key-dependent part (which should be shared rather than copied, in particular if we go for larger key-dependent tables) and a message-dependent part (which also shouldn't be copied, instead multiple instances should be independently initialized). We can compare with the hmac code; there's no context struct for the general construction, but hmac_sha1_ctx and other's defined using the HMAC_CTX macro put both key-the dependent parts (.inner, .outer) and the message dependent part (.state) in a single struct. When thinking about it, maybe the right thing is to redesign the general gcm-code to use a separate struct for the hash subkey, passed as argument to the functions needing it. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nmav at gnutls.org Mon Feb 7 11:04:17 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 07 Feb 2011 11:04:17 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4DDDB0.9070908@gnutls.org> Message-ID: <4D4FC3A1.20206@gnutls.org> On 02/06/2011 10:23 PM, Niels M?ller wrote: > Interesting. I haven't played with any such special instructions (even > if it ought to make a bit of difference also for aes). > Anyway, I've been hacking a bit on the C-implementation over the day, > and the galois hashing (gmac) is now 18 times(!) faster. Summary of > changes: I've also done a comparison benchmark of AES-GCM (the 4-bit table one) versus HMAC-SHAx+AES-CBC... AES-GCM in software is disappointing... Checking AES-128-GCM (16kb payload)... Encrypted 97.67 Mb in 5.00 secs: 19.53 Mb/sec Checking AES-128-CBC with SHA256 (16kb payload)... Encrypted and hashed 246.14 Mb in 5.00 secs: 49.23 Mb/sec Checking AES-128-CBC with SHA1 (16kb payload)... Encrypted and hashed 354.16 Mb in 5.00 secs: 70.83 Mb/sec regards, Nikos From nmav at gnutls.org Mon Feb 7 11:35:15 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 07 Feb 2011 11:35:15 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4F186D.2090404@gnutls.org> Message-ID: <4D4FCAE3.6030306@gnutls.org> On 02/07/2011 10:26 AM, Niels M?ller wrote: >> Moreover by not allowing the setting the blocksize as option any >> extension on that code to work with 64-bit ciphers, will require >> an abi break, or a new gcm64 mode... (what if 256-bit ciphers are >> added in the future?) > I don't think it's useful to be that general here. Variants with > different block sizes will likely need a different context struct > anyway. Indeed... > I could rename gcm to gcm128 in the interface if that's clearer. I like the plain gcm... >> As I already mentioned I prefer having the cipher and f, to context >> to avoid supplying on individual calls. There is no advantage (that >> I can see) on having on each function parameters, and it just >> delegates the storage of those two pointers, to caller's structures >> instead. It's no big deal but it is inconvenience. > I haven't yet made up my mind on this, but let me explain the reason > for having these pointers as function arguments. The idea is that > context structs in nettle should be non-magic with no pointers, so > that it can be copied or relocated in memory at will. Say we > implement gcm_aes as [...] It makes sense, and although I've never used context structs like that I could understand if someone did. I like to see context structures as things that will take away my burden of maintaining several pointers and data that relate to the operation. Moreover different AEAD modes might have different requirements, but it might be nice to have a consistent low level interface on them (if possible of course). If an AEAD mode doesn't require the encryption function at the _digest operation, it would mean it would have different function parameters. For me it would be best if it was consistent, even if it is low-level... but it's your call... [...] > When thinking about it, maybe the right thing is to redesign the > general gcm-code to use a separate struct for the hash subkey, > passed as argument to the functions needing it. I would like less of the internals of gcm exposed to the user rather than more. As a user of nettle I wouldn't even want to know that there is a hash subkey on gcm. regards, Nikos From nisse at lysator.liu.se Mon Feb 7 12:21:42 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 07 Feb 2011 12:21:42 +0100 Subject: GCM mode and GMAC In-Reply-To: <4D4FCAE3.6030306@gnutls.org> (Nikos Mavrogiannopoulos's message of "Mon, 07 Feb 2011 11:35:15 +0100") References: <4D4F186D.2090404@gnutls.org> <4D4FCAE3.6030306@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > I would like less of the internals of gcm exposed to the user rather > than more. As a user of nettle I wouldn't even want to know that there > is a hash subkey on gcm. In any case we should probably have a gcm_aes interface (and whatever other variants are relevant) that is easier to use than the lowest level gcm interface. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Mon Feb 7 13:20:20 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 07 Feb 2011 13:20:20 +0100 Subject: GCM mode and GMAC In-Reply-To: <4D4FC3A1.20206@gnutls.org> (Nikos Mavrogiannopoulos's message of "Mon, 07 Feb 2011 11:04:17 +0100") References: <4D4DDDB0.9070908@gnutls.org> <4D4FC3A1.20206@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > I've also done a comparison benchmark of AES-GCM (the 4-bit table one) > versus HMAC-SHAx+AES-CBC... AES-GCM in software is disappointing... Now I've tried 8-bit tables. Then I get into the same ballpark as md5 and the sha functions (benchmarking on intel x86_64): Algorithm mode Mbyte/s cycles/byte cycles/block md5 update 174.20 7.12 455.48 sha1 update 158.09 7.84 501.89 sha256 update 68.36 18.14 1160.65 sha512 update 104.99 11.81 1511.55 gmac auth 65.93 18.80 300.87 I think both sha512 and gmac benefit from 64-bit wide registers, while md5, sha1 and sha256 does not. And I think there are still a couple of microoptimizations left to do for gmac. (I'm only benchmarking gmac; the encryption should be about the same as AES in ECB or CTR mode, which is roughly 17 cycles/byte on the same hardware). Now the question is if it's a good tradeoff to expand the key to a 4 KB table. BTW, I hadn't noticed before that sha512 is faster per byte than sha256. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nmav at gnutls.org Mon Feb 7 13:55:21 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 07 Feb 2011 13:55:21 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4F186D.2090404@gnutls.org> <4D4FCAE3.6030306@gnutls.org> Message-ID: <4D4FEBB9.50909@gnutls.org> On 02/07/2011 12:21 PM, Niels M?ller wrote: >> I would like less of the internals of gcm exposed to the user >> rather than more. As a user of nettle I wouldn't even want to know >> that there is a hash subkey on gcm. > > In any case we should probably have a gcm_aes interface (and > whatever other variants are relevant) that is easier to use than the > lowest level gcm interface. Could be... Another thing. I've implicitly used gcm_set_iv() as a way to reset the GCM mode. Unfortunately it is not enough. The auth_size and data_size have to be set to zero as well. Do you think that should be done in the set_iv function as well? I've currently done that in gnutls, and with that change gnutls talks GCM with others servers. regards, Nikos From nmav at gnutls.org Mon Feb 7 14:01:15 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 07 Feb 2011 14:01:15 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4DDDB0.9070908@gnutls.org> <4D4FC3A1.20206@gnutls.org> Message-ID: <4D4FED1B.4020706@gnutls.org> On 02/07/2011 01:20 PM, Niels M?ller wrote: > Nikos Mavrogiannopoulos writes: > >> I've also done a comparison benchmark of AES-GCM (the 4-bit table one) >> versus HMAC-SHAx+AES-CBC... AES-GCM in software is disappointing... > Now I've tried 8-bit tables. Then I get into the same ballpark as md5 > and the sha functions (benchmarking on intel x86_64): > Algorithm mode Mbyte/s cycles/byte cycles/block > md5 update 174.20 7.12 455.48 > sha1 update 158.09 7.84 501.89 > sha256 update 68.36 18.14 1160.65 > sha512 update 104.99 11.81 1511.55 > gmac auth 65.93 18.80 300.87 > I think both sha512 and gmac benefit from 64-bit wide registers, while > md5, sha1 and sha256 does not. And I think there are still a couple of > microoptimizations left to do for gmac. > (I'm only benchmarking gmac; the encryption should be about the same as > AES in ECB or CTR mode, which is roughly 17 cycles/byte on the same > hardware). > Now the question is if it's a good tradeoff to expand the key to a 4 KB > table. 4kb is not much on a desktop. There are constraint systems where this might be a problem though. Libtomcrypt had a definition to cope with this issue (e.g. LOW_FOOTPRINT or so). On the other hand systems that might have an assembler-optimized version, would need to share the same big state as well... I don't know. That's why I like hiding that stuff :) regards, Nikos From nisse at lysator.liu.se Mon Feb 7 17:01:24 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 07 Feb 2011 17:01:24 +0100 Subject: GCM mode and GMAC In-Reply-To: <4D4FEBB9.50909@gnutls.org> (Nikos Mavrogiannopoulos's message of "Mon, 07 Feb 2011 13:55:21 +0100") References: <4D4F186D.2090404@gnutls.org> <4D4FCAE3.6030306@gnutls.org> <4D4FEBB9.50909@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > Could be... Another thing. I've implicitly used gcm_set_iv() as a way to > reset the GCM mode. Unfortunately it is not enough. It's intended to work, current gcm_set_iv in cvs does /* Reset the rest of the message-dependent state. */ memset(ctx->x, 0, sizeof(ctx->x)); ctx->auth_size = ctx->data_size = 0; Is there something I'm missing? Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nmav at gnutls.org Mon Feb 7 22:49:22 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 07 Feb 2011 22:49:22 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4F186D.2090404@gnutls.org> <4D4FCAE3.6030306@gnutls.org> <4D4FEBB9.50909@gnutls.org> Message-ID: <4D5068E2.9020903@gnutls.org> On 02/07/2011 05:01 PM, Niels M?ller wrote: > Nikos Mavrogiannopoulos writes: > >> Could be... Another thing. I've implicitly used gcm_set_iv() as a >> way to reset the GCM mode. Unfortunately it is not enough. > It's intended to work, current gcm_set_iv in cvs does /* Reset the > rest of the message-dependent state. */ memset(ctx->x, 0, > sizeof(ctx->x)); ctx->auth_size = ctx->data_size = 0; Is there > something I'm missing? No forget it. I was mistaken on the reason of the issue I had. The current version is ok and inter-operable with.other TLS-GCM versions. regards, Nikos From nmav at gnutls.org Tue Feb 8 11:01:49 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 08 Feb 2011 11:01:49 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4F186D.2090404@gnutls.org> Message-ID: <4D51148D.70203@gnutls.org> On 02/07/2011 10:26 AM, Niels M?ller wrote: > I haven't yet made up my mind on this, but let me explain the reason > for having these pointers as function arguments. The idea is that > context structs in nettle should be non-magic with no pointers, so > that it can be copied or relocated in memory at will. Say we > implement gcm_aes as What I was wondering is how would you think of implementing the cpu-specific optimizations in assembly? What I had in mind is that the _init function would detect the particular instructions present and set some function pointers to the structure that will assist the operations such as gf_mul to select the proper variant... However as it seems, this is not how it can be done if function pointers are not stored... regards, Nikos From nisse at lysator.liu.se Tue Feb 8 12:11:25 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 08 Feb 2011 12:11:25 +0100 Subject: GCM mode and GMAC In-Reply-To: <4D51148D.70203@gnutls.org> (Nikos Mavrogiannopoulos's message of "Tue, 08 Feb 2011 11:01:49 +0100") References: <4D4F186D.2090404@gnutls.org> <4D51148D.70203@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > What I was wondering is how would you think of implementing the > cpu-specific optimizations in assembly? If/when we do that, and if we want to be able to select which code to use at runtime (rater than compile time), I think we should use global pointers, one for each routine that can make use special instructions. Either setup automagically at first use, or at library load time (using the same mechanisms as C++ constructors). Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nmav at gnutls.org Tue Feb 8 13:09:33 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 08 Feb 2011 13:09:33 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4F186D.2090404@gnutls.org> <4D51148D.70203@gnutls.org> Message-ID: <4D51327D.2030203@gnutls.org> On 02/08/2011 12:11 PM, Niels M?ller wrote: >> What I was wondering is how would you think of implementing the >> cpu-specific optimizations in assembly? > If/when we do that, and if we want to be able to select which code > to use at runtime (rater than compile time), The compile time will cause problems to distributions that ship a single library across compatible architectures. Given that they will ship the version without special instructions for compatibility, most systems will not be affected by such optimizations. > I think we should use global pointers, one for each routine that can > make use special instructions. Either setup automagically at first > use, or at library load time (using the same mechanisms as C++ > constructors). I like the latter... An explicit global library initialization function might also do. regards, Nikos From nisse at lysator.liu.se Tue Feb 8 13:26:43 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 08 Feb 2011 13:26:43 +0100 Subject: GCM mode and GMAC In-Reply-To: <4D51327D.2030203@gnutls.org> (Nikos Mavrogiannopoulos's message of "Tue, 08 Feb 2011 13:09:33 +0100") References: <4D4F186D.2090404@gnutls.org> <4D51148D.70203@gnutls.org> <4D51327D.2030203@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > On 02/08/2011 12:11 PM, Niels M?ller wrote: > >> I think we should use global pointers, one for each routine that can >> make use special instructions. Either setup automagically at first >> use, or at library load time (using the same mechanisms as C++ >> constructors). > > I like the latter... An explicit global library initialization function > might also do. GMP does the former. Not as pretty, but seems to work well, and maybe a bit easier to do portably. Regards /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nmav at gnutls.org Tue Feb 8 14:21:40 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 08 Feb 2011 14:21:40 +0100 Subject: GCM mode and GMAC In-Reply-To: References: <4D4F186D.2090404@gnutls.org> <4D51148D.70203@gnutls.org> <4D51327D.2030203@gnutls.org> Message-ID: <4D514364.8080600@gnutls.org> On 02/08/2011 01:26 PM, Niels M?ller wrote: > Nikos Mavrogiannopoulos writes: > >> On 02/08/2011 12:11 PM, Niels M?ller wrote: >> >>> I think we should use global pointers, one for each routine that can >>> make use special instructions. Either setup automagically at first >>> use, or at library load time (using the same mechanisms as C++ >>> constructors). >> I like the latter... An explicit global library initialization function >> might also do. > GMP does the former. Not as pretty, but seems to work well, and maybe a > bit easier to do portably. How does it deal with multi-threaded access? From nisse at lysator.liu.se Tue Feb 8 14:36:13 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 08 Feb 2011 14:36:13 +0100 Subject: GCM mode and GMAC In-Reply-To: <4D514364.8080600@gnutls.org> (Nikos Mavrogiannopoulos's message of "Tue, 08 Feb 2011 14:21:40 +0100") References: <4D4F186D.2090404@gnutls.org> <4D51148D.70203@gnutls.org> <4D51327D.2030203@gnutls.org> <4D514364.8080600@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > How does it deal with multi-threaded access? The worst thing that can happen is that several threads examine the cpuid flags, and then write identical pointers to the same locations at approximately the same time. And as far as I have understod, that is no problem, because, reading and writing a pointer value is an atomic operations on the concerned architectures. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From simon at josefsson.org Thu Feb 10 00:30:25 2011 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 10 Feb 2011 00:30:25 +0100 Subject: GCM mode and GMAC In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Wed, 02 Feb 2011 22:15:50 +0100") References: Message-ID: <874o8cu6pa.fsf@latte.josefsson.org> I looked at recent GCM code and noticed this: /* FIXME: Should use const for the cipher context. Then needs const for nettle_crypt_func, which also rules out using that abstraction for arcfour. */ void gcm_set_key(struct gcm_key *key, void *cipher, nettle_crypt_func *f); However GCM (like CCM) is only specified for block ciphers, and further, only for 128-bit block ciphers. Thus I wonder if avoiding use of const just to let the abstraction support a stream cipher is wise? /Simon From nisse at lysator.liu.se Thu Feb 10 07:27:45 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 10 Feb 2011 07:27:45 +0100 Subject: GCM mode and GMAC In-Reply-To: <874o8cu6pa.fsf@latte.josefsson.org> (Simon Josefsson's message of "Thu, 10 Feb 2011 00:30:25 +0100") References: <874o8cu6pa.fsf@latte.josefsson.org> Message-ID: Simon Josefsson writes: > /* FIXME: Should use const for the cipher context. Then needs const for > nettle_crypt_func, which also rules out using that abstraction for > arcfour. */ > > However GCM (like CCM) is only specified for block ciphers, and further, > only for 128-bit block ciphers. Thus I wonder if avoiding use of const > just to let the abstraction support a stream cipher is wise? This nettle_Crypt_func is not gcm-specific. It is used primarily for the nettle_cipher class in nettle-meta.h: struct nettle_cipher { const char *name; unsigned context_size; /* Zero for stream ciphers */ unsigned block_size; /* Suggested key size; other sizes are sometimes possible. */ unsigned key_size; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_crypt_func *encrypt; nettle_crypt_func *decrypt; }; This currently is used to represent both block and stream ciphers, [...] extern const struct nettle_cipher nettle_aes256; extern const struct nettle_cipher nettle_arcfour128; extern const struct nettle_cipher nettle_camellia128; [...] Currently, arcfour is the only supported stream cipher (they seem to be out of fashion, are thare any other stream ciphers in use? A5 maybe?) So the question is, should we decide that nettle_cipher is f?r block ciphers only (where the encrypt and decrypt functions don't change any state )? Fitting arcfour and block ciphers into the same abstraction doesn't make much sense anyway, since they should be used very differently. Then we can make the context argument const for nettle_crypt_func, but we'd also have to delete extern const struct nettle_cipher nettle_arcfour128; or replace it with something else, which is an incompatible interface change. As long as it's the only supported stream cipher, it doesn't make much sense to me create a new general stream cipher construction. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Thu Feb 10 12:02:19 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 10 Feb 2011 12:02:19 +0100 Subject: GCM updates Re: GCM mode and GMAC In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Mon, 07 Feb 2011 13:20:20 +0100") References: <4D4DDDB0.9070908@gnutls.org> <4D4FC3A1.20206@gnutls.org> Message-ID: I've done some further updates. * I've introduced a specialized function gcm_gf_add, used instead of memxor when blocks are aligned, and also avoiding looping overhead and (if it is inlined, which I think it should be) call overhead. Current performance on x86_64 is 28.5 cycles / byte with 4-bit tables (current default), and 8.5 cycles / byte with 8-bit tables. Close to a factor of two improvement. * I've introduced a union gcm_block, which is used internally to ensure that the gf elements have the right alignment. Tested on sparc32 and sparc64 (big endian and pickier about alignment). * I've split out the message-independent state to a separate struct gcm_key, which needs to be passed as argument to all gcm functions. * I've added a struct gcm_aes_ctx and related functions. This is an all-in-one context, including all of the cipher context, the hashing subkey, and message state. * I've added support for IV:s of arbitrary lengths, and added the rest of the testcases from http://www.cryptobarn.com/papers/gcm-spec.pdf * I've simplified the configuration of internal multiplication routines a bit, and rewritten the table generation to use just shifts and adds (as suggested in http://www.cryptobarn.com/papers/gcm-spec.pdf), which means that when tables are used, there's no need to keep the bitwise multiplication function which doesn't use tables. I think the code is stabilizing a bit now. One naming question: Should gcm_aes_auth be renamed to gcm_aes_update, for consistency with other hash and mac functions? I'm tempted to do that. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From simon at josefsson.org Thu Feb 10 13:26:57 2011 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 10 Feb 2011 13:26:57 +0100 Subject: Stream ciphers (was: Re: GCM mode and GMAC) In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Thu, 10 Feb 2011 07:27:45 +0100") References: <874o8cu6pa.fsf@latte.josefsson.org> Message-ID: <87ipwsnkha.fsf_-_@latte.josefsson.org> nisse at lysator.liu.se (Niels M?ller) writes: > Currently, arcfour is the only supported stream cipher (they seem to be > out of fashion, are thare any other stream ciphers in use? A5 maybe?) There are newer stream ciphers, mostly due to eSTREAM: http://www.ecrypt.eu.org/stream/ I don't understand the rationale for stream ciphers today though. The traditional argument for stream ciphers was speed but you get 10GBps+ with nice modes like AES-GCM. Further, you can build a secure key stream generator from any secure block cipher (see for example [1]). Maybe the argument today is cost of hardware, but for that to be effective in the long run you have to beat Moore's law. /Simon [1] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/kfb/kfb-spec.pdf From simon at josefsson.org Thu Feb 10 13:38:19 2011 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 10 Feb 2011 13:38:19 +0100 Subject: GCM mode and GMAC In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Thu, 10 Feb 2011 07:27:45 +0100") References: <874o8cu6pa.fsf@latte.josefsson.org> Message-ID: <87ei7gnjyc.fsf@latte.josefsson.org> nisse at lysator.liu.se (Niels M?ller) writes: > So the question is, should we decide that nettle_cipher is f?r block > ciphers only (where the encrypt and decrypt functions don't change any > state )? Fitting arcfour and block ciphers into the same > abstraction doesn't make much sense anyway, since they should be used > very differently. Then we can make the context argument const for > nettle_crypt_func, but we'd also have to delete > > extern const struct nettle_cipher nettle_arcfour128; > > or replace it with something else, which is an incompatible interface > change. As long as it's the only supported stream cipher, it doesn't > make much sense to me create a new general stream cipher construction. Breaking API compatibility is painful. Other libraries like libgcrypt also try to use the same interface for both stream ciphers and block ciphers too. However, in my experience this makes things difficult at a higher level -- the distinction perculate up because stream ciphers doesn't (for example) have a block length so you either have to say it has a block length of 1 byte (or 1 bit if you support bit-lengths) which can cause problems if you want to do MAC or other processing on a block-by-block basis (MAC:ing each byte is not a good idea..). So I would support making stream ciphers a different beast than block ciphers as far as the API goes, unless the API change is too painful. If we had used a object oriented language, there could be a super-class "cipher" and two sub-classes "block cipher" and "stream cipher". Then some functions could take any "cipher" and some (like GCM) could take any "block cipher". Fortunately we aren't using OO here though. :-) /Simon From nisse at lysator.liu.se Thu Feb 10 17:04:40 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 10 Feb 2011 17:04:40 +0100 Subject: LGPL blowfish In-Reply-To: <871v5lzx67.fsf@latte.josefsson.org> (Simon Josefsson's message of "Mon, 13 Dec 2010 13:15:12 +0100") References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> Message-ID: [ Resending, got list address wrong first time. ] Simon Josefsson writes: > nisse at lysator.liu.se (Niels M?ller) writes: > >> Simon Josefsson writes: >> >>> I'll look at serpent next. >> >> Great! > > Turns out it was a bit more complicated, will debug some more... BTW, how far did you get with serpent? Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Fri Feb 11 11:07:02 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 11 Feb 2011 11:07:02 +0100 Subject: Serpent In-Reply-To: <87oc6j6o55.fsf_-_@latte.josefsson.org> (Simon Josefsson's message of "Fri, 11 Feb 2011 08:12:06 +0100") References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> <87oc6j6o55.fsf_-_@latte.josefsson.org> Message-ID: Simon Josefsson writes: > nisse at lysator.liu.se (Niels M?ller) writes: > >> Maybe you can try adding some of the testvectors at >> http://www.cs.technion.ac.il/~biham/Reports/Serpent/ to nettle and >> libgcrypt, and see what happens? (On the nettle side, I'll try to give >> that a reasonably high priority). > > As you noted privately, they fail in nettle but work in libgcrypt. A while ago, the email masquerading setup was broken on the machine where I write email. Because of this, the invalid adress nettle-bugs at lysator.liu.se has appeared in headers of some of my emails, and then copied into replies to those. The correct address is nettle-bugs at lists.lysator.liu.se. > According to Eli's page and the AES submission paper, there is Serpent-0 > and Serpent-1 and the paper discuss (page 22-23) that the key schedule > has changed. Do you think nettle's implementation is serpent-0, or is it just broken? I'm puzzled, because I'm fairly sure I got the test vectors from serpent's submission package (I could try to double check that), which if I understand correctly ought to be serpent-1. I vaguely remember I had some difficulty understanding the organization of the test data, though. And I'm sorry if you have wasted some time debugging fully correct key scheduling. > I updated the wikipedia article on this: > http://en.wikipedia.org/wiki/Serpent_%28cipher%29 Hmm, I can't find any mention of serpent-0 there? > Still, I'm not sure it is worth the time to fix Serpent in Nettle. I > suggest to remove it, that will save some code size as well. It's clearly no use to keep the current broken implementation. But I think it would be nice to have serpent, for a couple of reasons: * It's generally good to have a couple of ciphers with aes-compatible key and block sizes. Besides aes/rijndael and serpent, there's twofish and camellia. * I'm not sure what performance one can get out of serpent compared to aes, in particular on 64-bit processors. AES doesn't fit well with 64-bit operations, camellia is better in that respect but includes some awkward operations (current 64-bit code could perhaps be improved abit using larger tables). * I'd prefer to not remove existing features. If you have a half-done port of libgrypt's serpent code, maybe you or I could finish it? I'll start by looking into the test vectors, I'd like to figure out where nettle's came from, and I'd like to have a serpent-test.c including correct test vectors, even if we end up removing all other serpent code. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From n.mavrogiannopoulos at gmail.com Fri Feb 11 11:39:04 2011 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Fri, 11 Feb 2011 11:39:04 +0100 Subject: Serpent In-Reply-To: References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> <87oc6j6o55.fsf_-_@latte.josefsson.org> Message-ID: On Fri, Feb 11, 2011 at 11:07 AM, Niels M?ller wrote: > I'll start by looking into the test vectors, I'd like to figure out > where nettle's came from, and I'd like to have a serpent-test.c > including correct test vectors, even if we end up removing all other > serpent code. I'am just repeating myself and might become annoying... but does it really worth the time? Is there anyone using that algorithm, or anyone planning to use it? As it stands now serpent is an academic cipher, it is not used in any protocol. regards, Nikos From nisse at lysator.liu.se Fri Feb 11 11:43:34 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 11 Feb 2011 11:43:34 +0100 Subject: Serpent In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Fri, 11 Feb 2011 11:07:02 +0100") References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> <87oc6j6o55.fsf_-_@latte.josefsson.org> Message-ID: nisse at lysator.liu.se (Niels M?ller) writes: > I'm puzzled, because I'm fairly sure I got the test vectors from > serpent's submission package (I could try to double check that), I have checked that now. I downloaded and unpacked the submission package http://www.cl.cam.ac.uk/~rja14/Papers/serpent.tar.gz Test vectors are in the floppy4 directory. In floppy4/ecb_vk.txt, the first test vector is KEYSIZE=128 PT=00000000000000000000000000000000 I=1 KEY=80000000000000000000000000000000 CT=49afbfad9d5a34052cd8ffa5986bd2dd and in floppy4/ecb_vt.txt the first text vector is KEYSIZE=128 KEY=00000000000000000000000000000000 I=1 PT=80000000000000000000000000000000 CT=10b5ffb720b8cb9002a1142b0ba2e94a These are the first two testvectors in nettle's serpent-test.c. On the other hand, the file http://www.cs.technion.ac.il/~biham/Reports/Serpent/Serpent-128-128.verified.test-vectors contains the testvector Set 2, vector# 0: key=00000000000000000000000000000000 plain=80000000000000000000000000000000 cipher=A3B35DE7C358DDD82644678C64B8BCBB decrypted=80000000000000000000000000000000 Iterated 100 times=1DDF9883B4663045753758E0B9B2C09B Iterated 1000 times=BE5AE44A1CF1BB86DD7A3B61CEEA01EC Same inputs as in ecb_vt.txt, but different output. What results do you get with libgcrypt for the above two test vectors? I think I have to mail the authors... Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Fri Feb 11 12:11:41 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 11 Feb 2011 12:11:41 +0100 Subject: Serpent In-Reply-To: (Nikos Mavrogiannopoulos's message of "Fri, 11 Feb 2011 11:39:04 +0100") References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> <87oc6j6o55.fsf_-_@latte.josefsson.org>

Message-ID: Nikos Mavrogiannopoulos writes: > As it stands now serpent is an academic cipher, > it is not used in any protocol. It's specified as an optional algorithm in the ssh protocol (see RFC 4253 and RFC 4344). That said, I think the main use for serpent or any other of the losing aes finalists are as backups in case some serious problem is discovered with aes. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From n.mavrogiannopoulos at gmail.com Fri Feb 11 12:28:33 2011 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Fri, 11 Feb 2011 12:28:33 +0100 Subject: Serpent In-Reply-To: References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> <87oc6j6o55.fsf_-_@latte.josefsson.org>

Message-ID: On Fri, Feb 11, 2011 at 12:11 PM, Niels M?ller wrote: >> As it stands now serpent is an academic cipher, >> it is not used in any protocol. > It's specified as an optional algorithm in the ssh protocol (see RFC > 4253 and RFC 4344). Ah, I didn't know that. > That said, I think the main use for serpent or any other of the losing > aes finalists are as backups in case some serious problem is discovered > with aes. Nowdays this is also camellia for that purpose... regards, Nikos From dkg at fifthhorseman.net Fri Feb 11 16:41:25 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 11 Feb 2011 10:41:25 -0500 Subject: Serpent In-Reply-To: References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> <87oc6j6o55.fsf_-_@latte.josefsson.org>

Message-ID: <4D5558A5.1060805@fifthhorseman.net> On 02/11/2011 05:39 AM, Nikos Mavrogiannopoulos wrote: > I'am just repeating myself and might become annoying... but does it > really worth the time? Is there anyone using that algorithm, or anyone > planning to use it? As it stands now serpent is an academic cipher, > it is not used in any protocol. I know people who use serpent with Linux's dm-crypt for encrypted block devices. It's not entirely academic. having multiple implementations of serpent would be a Good Thing. --dkg From simon at josefsson.org Fri Feb 11 19:51:47 2011 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 11 Feb 2011 19:51:47 +0100 Subject: Serpent In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Fri, 11 Feb 2011 11:07:02 +0100") References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> <87oc6j6o55.fsf_-_@latte.josefsson.org> Message-ID: <87sjvuz9oc.fsf@latte.josefsson.org> nisse at lysator.liu.se (Niels M?ller) writes: >> According to Eli's page and the AES submission paper, there is Serpent-0 >> and Serpent-1 and the paper discuss (page 22-23) that the key schedule >> has changed. > > Do you think nettle's implementation is serpent-0, or is it just > broken? I don't know, I suspect it is serpent-0 but haven't confirmed it. >> I updated the wikipedia article on this: >> http://en.wikipedia.org/wiki/Serpent_%28cipher%29 > > Hmm, I can't find any mention of serpent-0 there? I see it, maybe there is some caching? > If you have a half-done port of libgrypt's serpent code, maybe you or I > could finish it? Sure! I suspect everything except the key schedule is working in my port. Should I try to make it compatible with libgcrypt, and presumably Serpent-1? Thus modifying serpent-test.c? I'll send a patch later. /Simon From nisse at lysator.liu.se Fri Feb 11 20:08:23 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 11 Feb 2011 20:08:23 +0100 Subject: Serpent In-Reply-To: <87sjvuz9oc.fsf@latte.josefsson.org> (Simon Josefsson's message of "Fri, 11 Feb 2011 19:51:47 +0100") References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> <87oc6j6o55.fsf_-_@latte.josefsson.org> <87sjvuz9oc.fsf@latte.josefsson.org> Message-ID: Simon Josefsson writes: > Should I try to make it compatible with libgcrypt, and presumably > Serpent-1? It ought to be serpent-1, the algorithm proposed for AES. RFC 4344 references the algorithm like this: [SERPENT] Anderson, R., Biham, E., and Knudsen, L., "Serpent: A proposal for the Advanced Encryption Standard", NIST AES Proposal, 1998. > Thus modifying serpent-test.c? I'll send a patch later. I've already checked in a few new test cases in serpent-test.c (taken from http://www.cs.technion.ac.il/~biham/Reports/Serpent/), but #if:ed out for now. I'd also like to hear what response we get from the serpent people regarding conflicting test vectors, it seems so strange if the test vectors in the aes submission were broken. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Fri Feb 11 00:19:25 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 11 Feb 2011 00:19:25 +0100 Subject: LGPL blowfish In-Reply-To: <8739nveg2k.fsf@latte.josefsson.org> (Simon Josefsson's message of "Thu, 10 Feb 2011 22:26:59 +0100") References: <87lj4jvj9o.fsf@latte.josefsson.org> <87ei9tu5fu.fsf@latte.josefsson.org> <871v5lzx67.fsf@latte.josefsson.org> <87lj1nhf3j.fsf@latte.josefsson.org> <8739nveg2k.fsf@latte.josefsson.org> Message-ID: [ Resend, the posting originally used an incorrect list address. /nisse ] Simon Josefsson writes: > I wonder which of nettle or libgcrypt is correct -- and further, I > really wonder if anyone cares at all about Serpent if a problem like > this haven't been noticed before? Interesting... As far as I recall the nettle history (and also looking at the comments), the nettle adaptation of serpent.c was done by Rafael Sevilla, if I have touched that code I think it's trivial changes only. And I think that I wrote serpent-test.c, based on the test vectors in the serpent AES-competition package. I don't remember if I have ever done any interoperability testing of serpent with lsh (which uses nettle's implementation). Trying to connect to some openssh servers, it seems they don't enable serpent by default. Maybe you can try adding some of the testvectors at http://www.cs.technion.ac.il/~biham/Reports/Serpent/ to nettle and libgcrypt, and see what happens? (On the nettle side, I'll try to give that a reasonably high priority). Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Tue Feb 22 23:07:14 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 22 Feb 2011 17:07:14 -0500 Subject: nettle documentation tweaks? Message-ID: <4D643392.9090100@fifthhorseman.net> hi nettle folks-- i've been reading the latest nettle docs [0], and i wanted to say that they are excellent. Clear explanations, and useful contextual help about how various crypto primitives can be used in real-world settings as well. Thanks for this! I have two nit-picks that i'd like to share in hopes of making excellent documentation even better. 0) avoid replay attacks in pubkey authorization example. Section 6.5 contains the following paragraph: > Besides signing meaningful messages, digital signatures can be used for > authorization. A server can be configured with a public key, such that > any client that connects to the service is given a random nonce > message. If the server gets a reply with a correct signature matching > the nonce message and the configured public key, the client is granted > access. So the configuration of the server can be understood as ?grant > access to whoever knows the private key corresponding to this > particular public key, and to no others?. This simple scheme is actually vulnerable to a replay attack: an man-in-the-middle attacker can pose as the service to the user while simultaneously connecting to the service directly. The attacker gets a nonce from the server, passes it to the user for signing, returns the user's response to the service, and gains access. One way to avoid this is to ensure that the "random nonce" to be signed by the user is actually a negotiated value that neither party can fully control. I recognize that this documentation shouldn't go into deep detail here, but i've seen real-world attempts to implement cryptosystems that are subject to this kind of replay attack :(. i think it would be a good idea to warn against it somehow. 1) "bad things may happen", "a few subtle issues", etc. should have outbound links There are several places in the docs that mention potential security concerns implementators should be aware of. For example, the remark about CBC providing "information leakage" could link to http://www.kb.cert.org/vuls/id/958563 Again, i'm not pushing for major changes or lots of intrusive commentary here (and i don't know how difficult it is to make outbound links in the documentation system used by nettle) but it would make already good docs even better. Thanks again for this library! Regards, --dkg [0] http://www.lysator.liu.se/~nisse/nettle/nettle.html#Cipher-modes From nisse at lysator.liu.se Mon Feb 28 17:19:16 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 28 Feb 2011 17:19:16 +0100 Subject: nettle documentation tweaks? In-Reply-To: <4D643392.9090100@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 22 Feb 2011 17:07:14 -0500") References: <4D643392.9090100@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > i've been reading the latest nettle docs [0], and i wanted to say that > they are excellent. Clear explanations, and useful contextual help > about how various crypto primitives can be used in real-world settings > as well. Thanks! > Section 6.5 contains the following paragraph: > >> Besides signing meaningful messages, digital signatures can be used for >> authorization. [...] > This simple scheme is actually vulnerable to a replay attack: an > man-in-the-middle attacker can pose as the service to the user while > simultaneously connecting to the service directly. The attacker gets a > nonce from the server, passes it to the user for signing, returns the > user's response to the service, and gains access. > One way to avoid this is to ensure that the "random nonce" to be signed > by the user is actually a negotiated value that neither party can fully > control. Right. A common and reasonable way to handle it is by negotiating a session key using DH, use that key for message authentication of the session (and why not also encryption, while we're at it). Then either side can let the other authenticate itself by signing a nonce which is not an independent random value, but computed in some way from the session key. I have to think a bit more on how to explain this in a concise way, any suggestions? I think it may be appropriate to not recommend any protocol which doesn't include some kind of authentication of the session. And from this point of view, the session-key thing can be seen as an optimization, where the alternative is to sign each message. > 1) "bad things may happen", "a few subtle issues", etc. should have > outbound links > > There are several places in the docs that mention potential security > concerns implementators should be aware of. For example, the remark > about CBC providing "information leakage" could link to > http://www.kb.cert.org/vuls/id/958563 I've added this link. Patches for other missing references are appreciated... Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Thu Mar 17 06:23:54 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 17 Mar 2011 01:23:54 -0400 Subject: nettle perl bindings Message-ID: <4D819AEA.4060609@fifthhorseman.net> Hi Nettle Folks-- I'm building Perl bindings for libnettle. I hope to claim the Crypt::Nettle namespace. The project is in its infancy, but i currently have coverage for all hash functions and ciphers. My next steps are adding bindings for Yarrow and RSA. At the moment, my source code is available via git: git clone git://lair.fifthhorseman.net/~dkg/libcrypt-nettle-perl You can test it with: cd libcrypt-nettle-perl perl Makefile.PL make make test You can read the docs with: pod2text lib/Crypt/Nettle.pm pod2text lib/Crypt/Nettle/Hash.pm pod2text lib/Crypt/Nettle/Cipher.pm I have not yet uploaded it to CPAN. I'd be very happy to get feedback from anyone interested. Regards, --dkg From nisse at lysator.liu.se Thu Mar 17 08:56:12 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 17 Mar 2011 08:56:12 +0100 Subject: nettle perl bindings In-Reply-To: <4D819AEA.4060609@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 17 Mar 2011 01:23:54 -0400") References: <4D819AEA.4060609@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > I'm building Perl bindings for libnettle. I hope to claim the > Crypt::Nettle namespace. Nice! I'm not very familiar with perl, but I have had a quick look at the documentation. > You can read the docs with: > > pod2text lib/Crypt/Nettle.pm A typo: : In the future, it should support asymmetric encrpytion and pseudo-random ^^ : number generation. : COPYRIGHT AND LICENSE : Copyright (c) Daniel Kahn Gillmor Crypt::Nettle is free software, you : may redistribute it and/or modify it under the same terms as Perl : itself. The GPL/LGPL license of the nettle library itself may apply to perl programs using these bindings. I don't know if it's customary to document this in a bit more detail? > pod2text lib/Crypt/Nettle/Hash.pm : hmac_data($algo, $data) How do you provide the key? I'm not sure it's the right design to mix hash functions and macs (and how will you deal with macs that are not based on the hmac construction)? > pod2text lib/Crypt/Nettle/Cipher.pm Typo: : ABSTRACT : Crypt::Nettle::Cipher provides an object interface to symmetric : encrpytion and decryption from the nettle C library. Each ^^ : new($is_encrypt, $algo, $key, $mode, $iv) You include arctwo algorithms twice in the algorithm list. Maybe you should exclude serpent until the recently discovered interoperability problems are sorted out? How do you deal with algorithms with a large number of possible key sizes? Maybe it would be better to view, e.g., aes and arcfour as just two algorithm, and let the size of the given key imply the keysize? The $is_encrypt flag to new seems a bit awkward. Maybe it would be easier with my $ctx = new ($algo, $mode) /* Possibly with $mode defaulting to ecb?, and not allowed at all for stream ciphers. */ $ctx->set_encrypt_key($key, $iv) /* $iv optional and required when applicable */ $ctx->set_decrypt_key($key, $iv) : process($data) I think the requirement that the length is a multiple of the block size needs to be relaxed a bit. For CTR mode, one should allow a partial block for the last call. And *maybe* for all calls (with an internal block buffer to let CTR work like a stream cipher), even if that's not how nettle's ctr mode support works. Maybe you should think about how to add gcm support. Which is a bit more complicated, with both per-key state and per-message state, and additional inputs and outputs. How do you query if a cipher is a block or a stream cipher? block_size() returning 0? Happy hacking, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Thu Mar 17 09:45:00 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 17 Mar 2011 04:45:00 -0400 Subject: nettle perl bindings In-Reply-To: References: <4D819AEA.4060609@fifthhorseman.net> Message-ID: <4D81CA0C.5050406@fifthhorseman.net> Thanks for the quick review Niels! On 03/17/2011 03:56 AM, Niels M?ller wrote: > A typo: The typos and stupidly-broken hmac_data() convenience function have been fixed and pushed. I also added a unit test for hmac_data() within t/03-hmac.t which would have caught the mistake in the first place. > : COPYRIGHT AND LICENSE > : Copyright (c) Daniel Kahn Gillmor Crypt::Nettle is free software, you > : may redistribute it and/or modify it under the same terms as Perl > : itself. > > The GPL/LGPL license of the nettle library itself may apply to perl > programs using these bindings. I don't know if it's customary to > document this in a bit more detail? I welcome suggestions for improved text. I agree that the intersections of the various licenses can be a bit confusing. > You include arctwo algorithms twice in the algorithm list. That's what i get for copying/pasting from the docs :P Section 6.2.11 of http://www.lysator.liu.se/~nisse/nettle/nettle.html actually lists them twice. > Maybe you > should exclude serpent until the recently discovered interoperability > problems are sorted out? I'd prefer to expose the functions exposed by the underlying library if possible. If there are incompatibilities, we should be catching them in the test suite (though my test suite for ciphers only covers aes and cast and camellia at the moment). > How do you deal with algorithms with a large number of possible key > sizes? Maybe it would be better to view, e.g., aes and arcfour as just > two algorithm, and let the size of the given key imply the keysize? hm, this is an interesting idea. I'll have to think about how to implement that, but i think it's doable. > The $is_encrypt flag to new seems a bit awkward. Maybe it would be > easier with > > my $ctx = new ($algo, $mode) /* Possibly with $mode defaulting to > ecb?, and not allowed at all for stream ciphers. */ > > $ctx->set_encrypt_key($key, $iv) /* $iv optional and required when applicable */ > $ctx->set_decrypt_key($key, $iv) > > : process($data) My problem with this is that i then have to handle the case where the user invokes process() without having remembered to set a key. I agree that $is_encrypt seems a little bit clumsy (and it's irrelevant for many of the ciphers), but i think the fact that it's readable mitigates things somewhat. > I think the requirement that the length is a multiple of the block size > needs to be relaxed a bit. For CTR mode, one should allow a partial > block for the last call. And *maybe* for all calls (with an internal block > buffer to let CTR work like a stream cipher), even if that's not how > nettle's ctr mode support works. I'm actually not enforcing any of these constraints in the perl code -- they'll just crop up if the user passes the wrong data down to the library underneath. > Maybe you should think about how to add gcm support. Which is a bit more > complicated, with both per-key state and per-message state, and > additional inputs and outputs. interesting -- is GCM part of nettle itself, or do you think i should implement it in the perl wrapper? I didn't see any mention of GCM in the online docs. > How do you query if a cipher is a block or a stream cipher? > block_size() returning 0? yep, that's it at the moment. Let me know what other feedback you have, --dkg From simon at josefsson.org Thu Mar 17 09:45:19 2011 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 17 Mar 2011 09:45:19 +0100 Subject: nettle perl bindings In-Reply-To: <4D819AEA.4060609@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 17 Mar 2011 01:23:54 -0400") References: <4D819AEA.4060609@fifthhorseman.net> Message-ID: <87tyf2f84g.fsf@latte.josefsson.org> Daniel Kahn Gillmor writes: > Hi Nettle Folks-- > > I'm building Perl bindings for libnettle. I hope to claim the > Crypt::Nettle namespace. > > The project is in its infancy, but i currently have coverage for all > hash functions and ciphers. > > My next steps are adding bindings for Yarrow and RSA. Don't forget to add RSA blinding, otherwise it may be vulnerable in the real world. I wish Nettle supported this natively, RSA is not generally safe without it. /Simon From dkg at fifthhorseman.net Thu Mar 17 10:01:52 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 17 Mar 2011 05:01:52 -0400 Subject: nettle perl bindings In-Reply-To: <87tyf2f84g.fsf@latte.josefsson.org> References: <4D819AEA.4060609@fifthhorseman.net> <87tyf2f84g.fsf@latte.josefsson.org> Message-ID: <4D81CE00.7000007@fifthhorseman.net> Hi Simon-- On 03/17/2011 04:45 AM, Simon Josefsson wrote: > Don't forget to add RSA blinding, otherwise it may be vulnerable in the > real world. I wish Nettle supported this natively, RSA is not generally > safe without it. Thanks for this suggestion -- i'm not sure that the perl bindings are the right place to do this, though. Do other Nettle language bindings handle RSA blinding? I'd rather have the perl bindings stay fairly close to the underlying C library. My understanding is that RSA blinding is a countermeasure against timing attacks, and that it introduces a new dependency on some sort of RNG (though perhaps a weak one?) to parts of the process that wouldn't otherwise need it. I'd certainly prefer to have that handled within the lower-level library if possible, though i wouldn't mind creating and handing in a yarrow context for each of these operations. --dkg From nisse at lysator.liu.se Thu Mar 17 10:29:53 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 17 Mar 2011 10:29:53 +0100 Subject: nettle perl bindings In-Reply-To: <4D81CA0C.5050406@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 17 Mar 2011 04:45:00 -0400") References: <4D819AEA.4060609@fifthhorseman.net> <4D81CA0C.5050406@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > I welcome suggestions for improved text. I agree that the intersections > of the various licenses can be a bit confusing. I guess it will be easier when we have moved to LGPL. Then it's going to take some effort to write a perl program which use these bindings and violate the licensing terms. (With the GPL, I'm actually not sure myself under which circumstances the perl program would have to be GPL:ed). > Section 6.2.11 of http://www.lysator.liu.se/~nisse/nettle/nettle.html > actually lists them twice. Ooops. Fixed now. > My problem with this is that i then have to handle the case where the > user invokes process() without having remembered to set a key. Can't you just raise some error ? You'd need to have some flag to remember if it's been initialized, but you need that anyway for the is_encrypt method, right? > I'm actually not enforcing any of these constraints in the perl code -- > they'll just crop up if the user passes the wrong data down to the > library underneath. That seems a bit dangerous. I thought the principle was that it shouldn't be easy to write perl code which triggers some assertion failure in some C routine. > interesting -- is GCM part of nettle itself, or do you think i should > implement it in the perl wrapper? I didn't see any mention of GCM in > the online docs. It's in the CVS version of Nettle, but not yet in any release. Maybe most of the discussion was private rather than on this list? Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Thu Mar 17 10:35:50 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 17 Mar 2011 10:35:50 +0100 Subject: nettle perl bindings In-Reply-To: <4D81CE00.7000007@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 17 Mar 2011 05:01:52 -0400") References: <4D819AEA.4060609@fifthhorseman.net> <87tyf2f84g.fsf@latte.josefsson.org> <4D81CE00.7000007@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > My understanding is that RSA blinding is a countermeasure against timing > attacks, and that it introduces a new dependency on some sort of RNG > (though perhaps a weak one?) to parts of the process that wouldn't > otherwise need it. I confess I don't remember the details of why blinding is desirable. Does it improve hiding of the key, message, or both? Would it help to use a powm function which has data-independent timing? There's a powm_sec in gmp which is supposed to do this (assuming underlying arithmetic instructions have data independent timing), and which is only slighly slower than the general version for sizes of interest. But a few other functions are still missing to make it really useful. It would make sense to add an RSA interface which takes a randomness source as input (for blinding), and a DSA interface which doesn't need a randomness source (and instead uses something like the hash of the message beeing signed as the "random" value needed, like it's done putty). But neither is currently a high priority for me. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Thu Mar 17 10:50:05 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 17 Mar 2011 05:50:05 -0400 Subject: nettle perl bindings In-Reply-To: References: <4D819AEA.4060609@fifthhorseman.net> <4D81CA0C.5050406@fifthhorseman.net> Message-ID: <4D81D94D.2060600@fifthhorseman.net> On 03/17/2011 05:29 AM, Niels M?ller wrote: > Daniel Kahn Gillmor writes: >> My problem with this is that i then have to handle the case where the >> user invokes process() without having remembered to set a key. > > Can't you just raise some error ? Sure, but that introduces a different kind of ugliness -- i'm not sure that trading off this ugliness for the other one is worthwhile, though i'm willing to be convinced. > You'd need to have some flag to > remember if it's been initialized, but you need that anyway for the > is_encrypt method, right? i'm not sure i see the parallel. is_encrypt() says whether the Crypt::Nettle::Cipher object was initialized as an encrypting cipher or a decrypting cipher. >> I'm actually not enforcing any of these constraints in the perl code -- >> they'll just crop up if the user passes the wrong data down to the >> library underneath. > > That seems a bit dangerous. I thought the principle was that it > shouldn't be easy to write perl code which triggers some assertion > failure in some C routine. Yes, that would be ideal. I think the right way to go in the long term (as noted in the BUGS section of Cipher.pm) is to add internal buffering for process() calls so the user can pass arbitrarily-sized data to the object. The extra fiddly bits with this arrangement are: 0) process_in_place() is still brittle: you won't be able to call it at all if the internal buffer isn't on a clean block boundary, and you also won't be able to call it with arbitrary-sized data. 1) the data retrieved from process() isn't guaranteed to be the same size as the data fed in. 2) i'll need to introduce a finish() call that handles some sort of padding and emits the final data. It's a bunch more bookkeeping internally, but it does seem like it would let the user treat the block ciphers as something approximating a stream cipher without having to think much about it, which would be nice. I think getting RSA working is higher priority for me at the moment, but i'll certainly keep this suggestion on my plate. > It's in the CVS version of Nettle, but not yet in any release. Maybe > most of the discussion was private rather than on this list? When a new version is released, i'll be happy to update the perl bindings to enable access to the new features :) Is the revision control for Nettle publicly visible? --dkg From n.mavrogiannopoulos at gmail.com Thu Mar 17 10:59:46 2011 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Thu, 17 Mar 2011 10:59:46 +0100 Subject: nettle perl bindings In-Reply-To: References: <4D819AEA.4060609@fifthhorseman.net> <87tyf2f84g.fsf@latte.josefsson.org> <4D81CE00.7000007@fifthhorseman.net> Message-ID: On Thu, Mar 17, 2011 at 10:35 AM, Niels M?ller wrote: > Daniel Kahn Gillmor writes: > >> My understanding is that RSA blinding is a countermeasure against timing >> attacks, and that it introduces a new dependency on some sort of RNG >> (though perhaps a weak one?) to parts of the process that wouldn't >> otherwise need it. > I confess I don't remember the details of why blinding is desirable. > Does it improve hiding of the key, message, or both? Actually RSA is has pretty much limited utility without blinding since retrieving the RSA private key from a web server has been shown practical since 2003 and attacks were known since 1996 (Kocher). gnutls implements blinding over nettle's functions. You might add a warning on the documentation of nettle's functions. The papers discussion the attacks: * Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems by Kocher (1996) * Remote timing attacks are practical by Boneh and Brumley * Improving Brumley and Boneh Timing Attack on Unprotected SSL Implementations regards, Nikos From nisse at lysator.liu.se Thu Mar 17 11:27:28 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Thu, 17 Mar 2011 11:27:28 +0100 Subject: nettle perl bindings In-Reply-To: <4D81D94D.2060600@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 17 Mar 2011 05:50:05 -0400") References: <4D819AEA.4060609@fifthhorseman.net> <4D81CA0C.5050406@fifthhorseman.net> <4D81D94D.2060600@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: >> You'd need to have some flag to >> remember if it's been initialized, but you need that anyway for the >> is_encrypt method, right? > > i'm not sure i see the parallel. is_encrypt() says whether the > Crypt::Nettle::Cipher object was initialized as an encrypting cipher or > a decrypting cipher. I was just thinking of the internal book-keeping, which I imagine would be the same (but with three possible states rather than two). > Is the revision control for Nettle publicly visible? Yes. A little bit awkward, in that you need to get the complete lsh tree, but follow the instructions at http://www.lysator.liu.se/~nisse/nettle/ and it should work. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From simon at josefsson.org Thu Mar 17 22:19:13 2011 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 17 Mar 2011 22:19:13 +0100 Subject: nettle perl bindings In-Reply-To: <4D81CE00.7000007@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 17 Mar 2011 05:01:52 -0400") References: <4D819AEA.4060609@fifthhorseman.net> <87tyf2f84g.fsf@latte.josefsson.org> <4D81CE00.7000007@fifthhorseman.net> Message-ID: <87zkot78dq.fsf@latte.josefsson.org> Daniel Kahn Gillmor writes: > Hi Simon-- > > On 03/17/2011 04:45 AM, Simon Josefsson wrote: >> Don't forget to add RSA blinding, otherwise it may be vulnerable in the >> real world. I wish Nettle supported this natively, RSA is not generally >> safe without it. > > Thanks for this suggestion -- i'm not sure that the perl bindings are > the right place to do this, though. Do other Nettle language bindings > handle RSA blinding? I'd rather have the perl bindings stay fairly > close to the underlying C library. Yes -- I agree. Btw, thanks for working on perl bindings, that sounds really useful. nisse at lysator.liu.se (Niels M?ller) writes: > It would make sense to add an RSA interface which takes a randomness > source as input (for blinding), and a DSA interface which doesn't need a > randomness source (and instead uses something like the hash of the > message beeing signed as the "random" value needed, like it's done > putty). Yes, an interface like that seems like a simple and sufficient solution to the problem. /Simon From dkg at fifthhorseman.net Fri Mar 18 00:05:43 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 17 Mar 2011 19:05:43 -0400 Subject: nettle perl bindings In-Reply-To: <4D81D94D.2060600@fifthhorseman.net> References: <4D819AEA.4060609@fifthhorseman.net> <4D81CA0C.5050406@fifthhorseman.net> <4D81D94D.2060600@fifthhorseman.net> Message-ID: <4D8293C7.2070002@fifthhorseman.net> On 03/17/2011 05:50 AM, Daniel Kahn Gillmor wrote: > I think getting RSA working is higher priority for me at the moment, And now it's done -- I just wrapped up Crypt::Nettle::Yarrow and Crypt::Nettle::RSA! I'm about ready to tag this thing as Crypt::Nettle version 0.1. I'll try to do a CPAN upload shortly if i can figure that out. If anyone can run the test suite and report back, i'd appreciate it. git clone git://lair.fifthhorseman.net/~dkg/libcrypt-nettle-perl cd libcrypt-nettle-perl perl Makefile.PL make make test Niels, this is clearly a derivative work of Nettle. I'm happy to put whatever free license you think is appropriate on it. Is GPL-2+ OK? Regards, --dkg From nisse at lysator.liu.se Fri Mar 18 06:55:26 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 18 Mar 2011 06:55:26 +0100 Subject: nettle perl bindings In-Reply-To: <4D8293C7.2070002@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 17 Mar 2011 19:05:43 -0400") References: <4D819AEA.4060609@fifthhorseman.net> <4D81CA0C.5050406@fifthhorseman.net> <4D81D94D.2060600@fifthhorseman.net> <4D8293C7.2070002@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > Niels, this is clearly a derivative work of Nettle. I'm happy to put > whatever free license you think is appropriate on it. Is GPL-2+ OK? If by "GPL-2+" you mean GPL version 2 or (user's option) any later version, that's fine with me. As you know, changing the Nettle license to (some version of) the LPGL is planned. When that happens, it would make some sense for the perl bindings to follow, even if sticking to the GPL is still a perfectly acceptable option. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Fri Mar 18 14:28:20 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 18 Mar 2011 09:28:20 -0400 Subject: nettle perl bindings In-Reply-To: References: <4D819AEA.4060609@fifthhorseman.net> <4D81CA0C.5050406@fifthhorseman.net> <4D81D94D.2060600@fifthhorseman.net> <4D8293C7.2070002@fifthhorseman.net> Message-ID: <4D835DF4.4030701@fifthhorseman.net> On 03/18/2011 01:55 AM, Niels M?ller wrote: > Daniel Kahn Gillmor writes: > >> Niels, this is clearly a derivative work of Nettle. I'm happy to put >> whatever free license you think is appropriate on it. Is GPL-2+ OK? > > If by "GPL-2+" you mean GPL version 2 or (user's option) any later version, > that's fine with me. yes, this is what i mean. > As you know, changing the Nettle license to (some version of) the LPGL > is planned. When that happens, it would make some sense for the perl > bindings to follow, even if sticking to the GPL is still a perfectly > acceptable option. Sure, I'd be happy to follow the licensing changes. --dkg From dkg at fifthhorseman.net Mon Mar 21 07:24:22 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 21 Mar 2011 02:24:22 -0400 Subject: typo in manual for arctwo Message-ID: <4D86EF16.70702@fifthhorseman.net> Hi Nettle folks-- There's a typo in the Nettle manual about the ARCTWO block size. the attached patch (against 2.1) should fix it. Of course, it might already be fixed on the development trunk. Is there a public revision control system for nettle someplace i can look at? --dkg PS i sent this message earlier PGP/MIME-signed, but it was rejected by the mailing list with "After content filtering, the message was empty" -- could the content filtering be relaxed a little bit to allow multipart/signed messages? The message MIME structure looked like this: ???multipart/signed ???multipart/mixed ???text/plain ???text/x-diff attachment ??application/pgp-signature attachment I then tried re-sending it without the cryptographic signature, which produced a message like this: ???multipart/mixed ??text/plain ??text/x-diff attachment This second message was rejected with the message: "The message's content type was not explicitly allowed" Both of these seem like pretty reasonable message structures for posts to a cryptographic software development mailing list; it'd be nice if they could go through :) Here is the patch inline: arctwo-doc-fix.patch --- nettle.texinfo.orig 2011-03-16 19:08:50.000000000 -0400 +++ nettle.texinfo 2011-03-16 19:09:26.000000000 -0400 @@ -871,7 +871,7 @@ @end deftp @defvr Constant ARCTWO_BLOCK_SIZE -The AES block-size, 8 +The ARCTWO block-size, 8 @end defvr @defvr Constant ARCTWO_MIN_KEY_SIZE From dkg at fifthhorseman.net Mon Mar 21 07:28:45 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 21 Mar 2011 02:28:45 -0400 Subject: typo in manual for arctwo In-Reply-To: <4D86EF16.70702@fifthhorseman.net> References: <4D86EF16.70702@fifthhorseman.net> Message-ID: <4D86F01D.9020605@fifthhorseman.net> On 03/21/2011 02:24 AM, Daniel Kahn Gillmor wrote: > Of course, it might already be fixed on the development trunk. Is there > a public revision control system for nettle someplace i can look at? Gah, this question was already answered by niels several days ago, though it was after i sent this patch originally, and this message was caught up in fighting with the mailing list configuration. It looks like this fix has not yet been made on the development trunk, if my reading of the CVS repo is accurate. --dkg From nisse at lysator.liu.se Mon Mar 21 14:41:09 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 21 Mar 2011 14:41:09 +0100 Subject: List configuration (Was: Re: typo in manual for arctwo) In-Reply-To: <4D86EF16.70702@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 21 Mar 2011 02:24:22 -0400") References: <4D86EF16.70702@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > PS i sent this message earlier PGP/MIME-signed, but it was rejected by > the mailing list with "After content filtering, the message was empty" > -- could the content filtering be relaxed a little bit to allow > multipart/signed messages? I agree this rejection was silly. I'm not so good at mailman configuration. The "pass_mime_types" option was set to text/plain multipart/signed I'm now changing it to text multipart application/pgp-signature Do you think that is good enough? Other suggestions? Or is it better to completely disable this content-type filtering? Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Mon Mar 21 14:43:36 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 21 Mar 2011 14:43:36 +0100 Subject: typo in manual for arctwo In-Reply-To: <4D86EF16.70702@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 21 Mar 2011 02:24:22 -0400") References: <4D86EF16.70702@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > arctwo-doc-fix.patch > > --- nettle.texinfo.orig 2011-03-16 19:08:50.000000000 -0400 > +++ nettle.texinfo 2011-03-16 19:09:26.000000000 -0400 > @@ -871,7 +871,7 @@ > @end deftp > > @defvr Constant ARCTWO_BLOCK_SIZE > -The AES block-size, 8 > +The ARCTWO block-size, 8 > @end defvr > > @defvr Constant ARCTWO_MIN_KEY_SIZE Checked in now. Thanks for spotting it. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Mon Mar 21 16:35:03 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 21 Mar 2011 11:35:03 -0400 Subject: making algorithms in nettle dynamically enumerable Message-ID: <4D877027.6040207@fifthhorseman.net> Hi Nettle folks-- In the course of writing Crypt::Nettle, it occurs to me that i'm going to need to update the list of available ciphers and digests for each new version of nettle that comes out. This also means that newer versions of the perl bindings won't work by default against older versions of libnettle, which seems like it might make the perl bindings less useful for people who are stuck (for whatever reason) with an older version of libnettle. The attached patch would present an interface to dynamically enumerate the available ciphers and digest algorithms (and armor methods) supported by the current version of libnettle. bindings built against this meta-interface wouldn't need to be closely tied to any particular version of nettle, and so could be both forward- and backward-compatible. I'd be happy with any other interface that would give me the same effect, of course, and i'm not convinced that this is the best way to do it -- it just seemed the simplest in the current implementation. It would also be nice to make a similar interface to genericize cipher modes (ECB, CBC, CTR, and GCM), if that's possible; i'm not sure what the best approach is for doing that. Feedback welcome, of course. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: meta-lists.patch Type: text/x-diff Size: 3801 bytes Desc: not available Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110321/15388116/attachment.patch From dkg at fifthhorseman.net Mon Mar 21 17:12:47 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 21 Mar 2011 12:12:47 -0400 Subject: List configuration (Was: Re: typo in manual for arctwo) In-Reply-To: References: <4D86EF16.70702@fifthhorseman.net> Message-ID: <4D8778FF.4060708@fifthhorseman.net> On 03/21/2011 09:41 AM, Niels M?ller wrote: > I agree this rejection was silly. I'm not so good at mailman > configuration. The "pass_mime_types" option was set to > > text/plain > multipart/signed > > I'm now changing it to > > text > multipart > application/pgp-signature > > Do you think that is good enough? Other suggestions? I'm no mailman guru either, but these settings changes seem to have let my recent message "making algorithms in nettle dynamically enumerable" go through fine, while signed. So thanks! > Or is it better to completely disable this content-type filtering? I've never used content-type filtering -- i'd lean toward turning it off unless there is a well-understood problem that it fixes (e.g. if a spammer is targetting the list with a bunch of garbage). But i'm happy with it as it currently stands :) Thanks for the fix, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110321/7b0b7d15/attachment.pgp From simon at josefsson.org Mon Mar 21 19:23:46 2011 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 21 Mar 2011 19:23:46 +0100 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: <4D877027.6040207@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 21 Mar 2011 11:35:03 -0400") References: <4D877027.6040207@fifthhorseman.net> Message-ID: <878vw8tjrh.fsf@latte.josefsson.org> One comment is that it is more difficult to export variables portably than functions (especially Windows), so sometimes it is preferred to export a function that returns a static array than exporting the static array itself. However, I think nettle already relies on exporting variables so then this point is moot. I support the patch otherwise. /Simon From nisse at lysator.liu.se Mon Mar 21 20:04:58 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 21 Mar 2011 20:04:58 +0100 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: <4D877027.6040207@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 21 Mar 2011 11:35:03 -0400") References: <4D877027.6040207@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > This also means that newer versions of the perl bindings won't work by > default against older versions of libnettle, I don't know how the build system for the perl bindings is setup, but using something like autoconf should make it easier if you really want to support multiple nettle versions, with or without public key support. > The attached patch would present an interface to dynamically enumerate > the available ciphers and digest algorithms (and armor methods) > supported by the current version of libnettle. The need for this hasn't occured to me, but I see the point. What do others think? > bindings built against > this meta-interface wouldn't need to be closely tied to any particular > version of nettle, and so could be both forward- and backward-compatible. But some other parts of the nettle interfaces have not been as stable between releases, so it doesn't solve the problem completely. > I'd be happy with any other interface that would give me the same > effect, of course, and i'm not convinced that this is the best way to do > it -- it just seemed the simplest in the current implementation. Right, it's about as simple as one can get, and I like that. I think one level of indirection like you do is desirable, for linking reasons. One may want to think about fancy hardware accelerators (currently not supported at all), which would require some runtime check on what's available. > It would also be nice to make a similar interface to genericize cipher > modes (ECB, CBC, CTR, and GCM), if that's possible; i'm not sure what > the best approach is for doing that. I'm not sure this is as useful. The modes have different properties and generally don't work well as substitutes for each other. And at least, the list is expected to be expanded less frequently than the list of hashes or block ciphers. Some comments on the implementation: > +const struct nettle_armor *nettle_armors[] = { > + &nettle_base64, > + &nettle_base16, > + NULL > +}; The typing should be something like const struct nettle_armor * const nettle_armors[] to say that both the list itself and the pointed to structures are const. Also, I think there should be one compilation unit and object file per list, so that it's, for example, possible to statically link with the list of all hash algorithms without also dragging in all ciphers. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Mon Mar 21 20:42:22 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 21 Mar 2011 15:42:22 -0400 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: References: <4D877027.6040207@fifthhorseman.net> Message-ID: <4D87AA1E.7080001@fifthhorseman.net> On 03/21/2011 03:04 PM, Niels M?ller wrote: > I don't know how the build system for the perl bindings is setup, but > using something like autoconf should make it easier if you really want > to support multiple nettle versions, with or without public key support. that's an interesting suggestion -- i'm afraid i don't know enough about integrating autoconf with perlxs to know how to go down that path without a more research, but i'll consider it for the future. It would only allow backward-compatibility, though -- not forward-compatibility. That is: if you built Crypt::Nettle against libnettle version X, and then upgraded to libnettle version Y, you'd have to also re-build Crypt::Nettle. That's not a horrible tradeoff, i guess. > But some other parts of the nettle interfaces have not been as stable > between releases, so it doesn't solve the problem completely. yes, that's true -- i'm proposing this just for the ciphers and hashes at the moment. > One may want to think about fancy hardware accelerators (currently not > supported at all), which would require some runtime check on what's > available. that's an interesting part i hadn't considered. I'm not certain how to represent such a change, but i like the idea that one could discover available/supported hardware dynamically somehow. Would supporting that use case suggest a different API? > I'm not sure this is as useful. The modes have different properties and > generally don't work well as substitutes for each other. And at least, > the list is expected to be expanded less frequently than the list of > hashes or block ciphers. OK. Maybe this is a good target for the autoconf approach you mentioned above. > Some comments on the implementation: > >> +const struct nettle_armor *nettle_armors[] = { >> + &nettle_base64, >> + &nettle_base16, >> + NULL >> +}; > > The typing should be something like > > const struct nettle_armor * const nettle_armors[] > > to say that both the list itself and the pointed to structures are > const. Yes, you are right, thanks! > Also, I think there should be one compilation unit and object file per > list, so that it's, for example, possible to statically link with the > list of all hash algorithms without also dragging in all ciphers. Is there any reason to use this approach for statically-linked tools? Maybe for UI or hardware discoverability, i guess. It certainly wouldn't help in terms of software discoverability or forward/backward compatibility in a statically-linked library. Do you want me to submit a modified patch with these changes? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110321/f3c3ec58/attachment.pgp From nisse at lysator.liu.se Mon Mar 21 21:07:41 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 21 Mar 2011 21:07:41 +0100 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: <4D87AA1E.7080001@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 21 Mar 2011 15:42:22 -0400") References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > On 03/21/2011 03:04 PM, Niels M?ller wrote: >> One may want to think about fancy hardware accelerators (currently not >> supported at all), which would require some runtime check on what's >> available. > > that's an interesting part i hadn't considered. I'm not certain how to > represent such a change, but i like the idea that one could discover > available/supported hardware dynamically somehow. Would supporting that > use case suggest a different API? To add hardware acceleration, one would need to either detect hardware and build a list automatically at loadtime, or have a function to build and return the list. It can no longer be a compile-time constant. But I think the API you suggested is good enough for now. It's hard to guess what really interface is needed before the hardware support exists, and I'd rather not define something overly complicated just because it might possibly be needed later. >> Also, I think there should be one compilation unit and object file per >> list, so that it's, for example, possible to statically link with the >> list of all hash algorithms without also dragging in all ciphers. > Is there any reason to use this approach for statically-linked tools? The general principle is that independent functionality should be in separate object files. I don't think this case is an exception. To be a little more concrete, say you want a tool that can compute a hash sum using any algorithm supported by nettle, and you then want that tool on some constrained system with statically linked binaries, or included in a statically linked busybox executable. > Do you want me to submit a modified patch with these changes? That would be nice. Documentation would also be appreciated (it should probably mention why des is not on the list, but I don't think it needs to be terribly many words). Test cases are perhaps not essential for this, but maybe you can think of some relevant test? It may also be good to review the naming. Until now, the name attribute in nettle_cipher and similar structs has been intended to be displayed for informational purposes only. With your interface, users will be invited to use it as an identifier to look up an algorithm. How do you intend to use that name in the perl bindings? Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Mon Mar 21 21:32:56 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 21 Mar 2011 16:32:56 -0400 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> Message-ID: <4D87B5F8.8040908@fifthhorseman.net> On 03/21/2011 04:07 PM, Niels M?ller wrote: > But I think the API you suggested is good enough for now. ok. > The general principle is that independent functionality should be in > separate object files. I don't think this case is an exception. To be a > little more concrete, say you want a tool that can compute a hash sum > using any algorithm supported by nettle, and you then want that tool on > some constrained system with statically linked binaries, or included in > a statically linked busybox executable. Gotcha, this is a useful way to think about things. Thanks for your explanation. > That would be nice. Documentation would also be appreciated (it should > probably mention why des is not on the list, but I don't think it needs > to be terribly many words). Test cases are perhaps not essential for > this, but maybe you can think of some relevant test? i'll work on a revised patch with docs and a test if i can figure out a test as well. > It may also be good to review the naming. Until now, the name attribute > in nettle_cipher and similar structs has been intended to be displayed > for informational purposes only. With your interface, users will be > invited to use it as an identifier to look up an algorithm. How do you > intend to use that name in the perl bindings? The perl bindings already expose an enumeration + lookup interface, but i've implemented it myself outside of nettle. I'll be happy to keep the existing perl API but drop the Crypt::Nettle implementation of it in favor of one in the main library, though. fwiw, i have no objections to the current naming scheme. I'll probably do a case-insensitive match against the exported names. Your earlier suggestion that the user should be able to say "aes" and then we would select an algorithm based on the supplied keysize suggests a particular simple naming convention, where the keysize is always a strict suffix to the algorithm name. That is, a library might use a function by comparing the requested algorithm name as a strict prefix with the size of the keylength. I suppose that selection function could be part of libnettle as well, instead of making each binding report it. something like: const nettle_cipher* nettle_select_cipher(const char* algoname, int keylength = 0); This would not remove the need for the other API, though, since it doesn't provide algorithm enumeration. I can try to include such an implementation in the revised patch if y'all think it would be useful. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110321/dcc4dc64/attachment.pgp From nisse at lysator.liu.se Mon Mar 21 21:50:13 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 21 Mar 2011 21:50:13 +0100 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: <4D87B5F8.8040908@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 21 Mar 2011 16:32:56 -0400") References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> <4D87B5F8.8040908@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > That is, a library might use a function by comparing the requested > algorithm name as a strict prefix with the size of the keylength. If that works with all algorithms, that's good. I recall I changed or was about to change these things for the CAST cipher a while back. "arctwo_gutmann" may also be a corner case. > const nettle_cipher* > nettle_select_cipher(const char* algoname, int keylength = 0); I think this function might fit better as an example in the documentation. (And you can't do default arguments like that in C). There are so many queries one might want to do. Beside this example, "give me all variants of aes", or "give me all block ciphers with a given block size", so I think it's a bit premature to decide which query functions to add. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Tue Mar 22 22:01:01 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 22 Mar 2011 17:01:01 -0400 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: <4D87B5F8.8040908@fifthhorseman.net> References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> <4D87B5F8.8040908@fifthhorseman.net> Message-ID: <4D890E0D.8080000@fifthhorseman.net> On 03/21/2011 04:32 PM, Daniel Kahn Gillmor wrote: > i'll work on a revised patch with docs and a test if i can figure out a > test as well. Attached is a patch that breaks out separate compilation units, const-ifies the arrays, and adjusts the docs and the test suite. I did not see nettle_armor in the docs at all, so i didn't add any docs about nettle_armors[]. Maybe that whole section needs to be written? Any further comments? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: make-algorithms-dynamically-enumerable.patch Type: text/x-diff Size: 11193 bytes Desc: not available Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110322/8e2b10d4/attachment.patch -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110322/8e2b10d4/attachment.pgp From dkg at fifthhorseman.net Tue Mar 22 22:01:19 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 22 Mar 2011 17:01:19 -0400 Subject: developing nettle with git Message-ID: <4D890E1F.30208@fifthhorseman.net> hi folks-- I'm managing my nettle work via git. I've extracted the cvs history of the upstream repo (nettle-only -- i'd rather not deal with all of lsh) and imported it into git. OF at all possible I plan to keep the "origin" branch up-to-date with the upstream CVS. Anyone who prefers to use git is welcome to use my repo as a jumping off point so you don't have to hassle with git cvsimport yourself. You can find it here: git clone git://lair.fifthhorseman.net/~dkg/nettle I would be happy to have nettle sources tracked as a separate project from lsh, just to make it easier for people to hack on it. Niels, if you want to consider transitioning nettle sources out of the the lsh repository and into something like git (or any other dvcs), i'd be happy to help you do that. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110322/cf12c674/attachment.pgp From nisse at lysator.liu.se Wed Mar 23 11:12:23 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Wed, 23 Mar 2011 11:12:23 +0100 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: <4D890E0D.8080000@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 22 Mar 2011 17:01:01 -0400") References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> <4D87B5F8.8040908@fifthhorseman.net> <4D890E0D.8080000@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > Attached is a patch that breaks out separate compilation units, > const-ifies the arrays, and adjusts the docs and the test suite. Thanks. I'm going to commit this. I noticed some incorrect file names in the file headers (which I'll fix), and there's no copyright line. I guess I should simply add Copyright (C) 2011 Daniel Kahn Gillmor at the top of the new files. > I did not see nettle_armor in the docs at all, so i didn't add any docs > about nettle_armors[]. Maybe that whole section needs to be written? The reason these functionality is undocumented is most likely that I wasn't confident that the interface is right, it's not been used very much. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Wed Mar 23 11:25:38 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Wed, 23 Mar 2011 11:25:38 +0100 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: <4D890E0D.8080000@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 22 Mar 2011 17:01:01 -0400") References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> <4D87B5F8.8040908@fifthhorseman.net> <4D890E0D.8080000@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > Any further comments? The following (in nettle.texinfo) looks a bit strange. > + at deftypevrx {Constant Struct * Constant} {struct nettle_hash *} nettle_hashes[] > + at deftypevrx {Constant Struct * const} {struct nettle_cipher *} nettle_ciphers[] I'm no texinfo guru, but I think the first {...} is supposed to be just a category (Function, Macro, Variable, etc), and the second {...} the type. I thik @deftypevrx {Constant Struct} {struct nettle_hash **} nettle_hashes would be more correct (unless we want a new categories "Algorithm List" which I think is a bit overkill), but I haven't yet checked the generated output. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Wed Mar 23 13:07:20 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Wed, 23 Mar 2011 13:07:20 +0100 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Wed, 23 Mar 2011 11:12:23 +0100") References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> <4D87B5F8.8040908@fifthhorseman.net> <4D890E0D.8080000@fifthhorseman.net> Message-ID: nisse at lysator.liu.se (Niels M?ller) writes: > Thanks. I'm going to commit this. Checked in now. I also wrote a program tools/nettle-hash to take advantage of the new interface. Comments appreciated. Should output be more compatible with md5sum, sha1sum et al? But I think I like to also include information on the algorithm used. Should it have a -c (check) mode as well? Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Wed Mar 23 16:56:20 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 23 Mar 2011 11:56:20 -0400 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> <4D87B5F8.8040908@fifthhorseman.net> <4D890E0D.8080000@fifthhorseman.net> Message-ID: <4D8A1824.6060607@fifthhorseman.net> On 03/23/2011 06:25 AM, Niels M?ller wrote: > Daniel Kahn Gillmor writes: > >> Any further comments? > > The following (in nettle.texinfo) looks a bit strange. > >> + at deftypevrx {Constant Struct * Constant} {struct nettle_hash *} nettle_hashes[] > >> + at deftypevrx {Constant Struct * const} {struct nettle_cipher *} nettle_ciphers[] > > I'm no texinfo guru, but I think the first {...} is supposed to be just a category > (Function, Macro, Variable, etc), and the second {...} the type. I thik > > @deftypevrx {Constant Struct} {struct nettle_hash **} nettle_hashes > > would be more correct (unless we want a new categories "Algorithm List" > which I think is a bit overkill), but I haven't yet checked the > generated output. Ah, ok. I'm no texinfo guru either -- i just put in what made the pdf output look reasonable. Your changes make at least as much sense to me as what i put in there. Thanks for fixing it, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110323/106c09e5/attachment.pgp From dkg at fifthhorseman.net Wed Mar 23 16:59:21 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 23 Mar 2011 11:59:21 -0400 Subject: making algorithms in nettle dynamically enumerable In-Reply-To: References: <4D877027.6040207@fifthhorseman.net> <4D87AA1E.7080001@fifthhorseman.net> <4D87B5F8.8040908@fifthhorseman.net> <4D890E0D.8080000@fifthhorseman.net> Message-ID: <4D8A18D9.5070600@fifthhorseman.net> On 03/23/2011 06:12 AM, Niels M?ller wrote: > Thanks. I'm going to commit this. I noticed some incorrect file names in > the file headers (which I'll fix), and there's no copyright line. I > guess I should simply add > > Copyright (C) 2011 Daniel Kahn Gillmor > > at the top of the new files. This is fine, thanks. sorry about the incorrect file names -- i hate being caught copying and pasting! :P >> I did not see nettle_armor in the docs at all, so i didn't add any docs >> about nettle_armors[]. Maybe that whole section needs to be written? > > The reason these functionality is undocumented is most likely that I > wasn't confident that the interface is right, it's not been used very > much. That makes sense to me. I looked at trying to make a Crypt::Nettle::Armor in the perl bindings to take advantage of it, and decided that (a) i wasn't exactly sure how i wanted to use it, and (b) it probably wasn't worth it because perl has good native base64 and base16 encoding/decoding anyway. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110323/974189f2/attachment.pgp From hoyt6 at llnl.gov Thu Mar 24 22:40:52 2011 From: hoyt6 at llnl.gov (Hoyt, David) Date: Thu, 24 Mar 2011 14:40:52 -0700 Subject: developing nettle with git In-Reply-To: <4D890E1F.30208@fifthhorseman.net> References: <4D890E1F.30208@fifthhorseman.net> Message-ID: > Niels, if you want to consider transitioning nettle sources out of the the lsh repository and into something like git +1 to that. From nisse at lysator.liu.se Fri Mar 25 11:45:05 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 25 Mar 2011 11:45:05 +0100 Subject: developing nettle with git In-Reply-To: <4D890E1F.30208@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 22 Mar 2011 17:01:19 -0400") References: <4D890E1F.30208@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > Niels, if you want to consider transitioning nettle sources out of the > the lsh repository and into something like git (or any other dvcs), i'd > be happy to help you do that. I'm certainly considering it; it would be nice to get away from cvs. I was involved in the conversion of the gmp repository to mercurial just a few years ago. That was fairly easy, only serious obstacle was that we discovered a rcs file where some early revision was corrupt. After purging that broken revision with cvs admin, things worked well. But to convert nettle and lsh, there are some issues: 1. I'm familiar with mercurial, but I hear that git is a better choice these days, so maybe I should go with git instead. And then I have some new stuff to learn. 2. Currently, several more-or-less independent projects are in the lsh cvs tree. Besides nettle, there's libspki, argp, sftp. So how should this be split up? As far as I understand, neither hg nor git have any well-working analogue to cvs modules, which would otherwise have been a natural choice. Also, I guess this splitting of the repository complicates migration a bit. 3. Then there's the shared files which are symlinked by the top-level lsh/.bootstrap script. I guess with a split it will be unavoidable to have multiple separately version controlled copies of those files. I guess it's possible to start with migrating nettle from cvs, and leave the rest of the tree for later. But I'm not sure that's a good way to do it. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Fri Mar 25 20:28:32 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 25 Mar 2011 15:28:32 -0400 Subject: developing nettle with git In-Reply-To: References: <4D890E1F.30208@fifthhorseman.net> Message-ID: <4D8CECE0.6090307@fifthhorseman.net> On 03/25/2011 06:45 AM, Niels M?ller wrote: > 1. I'm familiar with mercurial, but I hear that git is a better choice > these days, so maybe I should go with git instead. And then I have > some new stuff to learn. i find myself more effective with git than with mercurial, but i acknowledge that i have spent more time thinking about git (and many more other projects i collaborate on use git as well, so not spending time with it isn't much of an option for me). > 2. Currently, several more-or-less independent projects are in the lsh > cvs tree. Besides nettle, there's libspki, argp, sftp. So how should > this be split up? As far as I understand, neither hg nor git have > any well-working analogue to cvs modules, which would otherwise have > been a natural choice. git does have submodule support -- so you can have one repository reference another at a given commit. I don't use it often, but i can help you sort it out if you like. "git help submodule" for some starter documentation/reference. OTOH, if these separate pieces are actually different libraries, i'm not sure that using submodules really makes a lot of sense. I think you just want one git repository per project. Is there a reason that lsh would need to be tightly-coupled with any of these libraries instead of using their exported API? One git repo per project is a pretty reasonable approach. And it's not hard to serve several git repos from a single server. If you want help setting that up, i'd be happy to help out. > 3. Then there's the shared files which are symlinked by the top-level > lsh/.bootstrap script. I guess with a split it will be unavoidable to > have multiple separately version controlled copies of those files. i think you might be right here. For my git development, i took static copies of those files and placed them directly in my git repo (the commit log comment starts with "transfer files from lsh". How often do these files actually change? Is it critical that they be kept in sync? > I guess it's possible to start with migrating nettle from cvs, and leave > the rest of the tree for later. But I'm not sure that's a good way to do > it. I actually don't think that's an unreasonable approach. If we just migrate one component (nettle), we can make sure the migrated setup is OK and that your workflow feels sensible before going through the work of the other subprojects. We can apply any new knowledge learned from the nettle transition to the migration of the other subprojects. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110325/b750d794/attachment.pgp From nisse at lysator.liu.se Sat Mar 26 08:46:09 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Sat, 26 Mar 2011 08:46:09 +0100 Subject: developing nettle with git In-Reply-To: <4D8CECE0.6090307@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Fri, 25 Mar 2011 15:28:32 -0400") References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > git does have submodule support -- so you can have one repository > reference another at a given commit. I don't have any first-hand experience with git submodules, but I've heard some stories saying that it's not yet very usable. > Is there a reason that lsh would need to be tightly-coupled with any > of these libraries instead of using their exported API? The main reason is that lsh is the main testcase. So when introducing new features one of those those libraries, I usually first hack lsh to use it, to iron out both interface and implementation bugs. Those intermediate versions may never be in the API of any released library. git submodules (assuming that they work well) would probably be the right tool to keep these libraries in subdirectories of the lsh work tree. Ah, and then it's the release procedure. I'd still like to bundle the libraries with lsh, and having the libraries in subdirectories makes that easier. And as long as the versions bundled with nettle are configured for static linking, I see no problem of bundling lsh with unreleased versions of the libraries. > How often do these files actually change? Is it critical that they be > kept in sync? It's not critical, it's just for convenience. It's nice to have a single version, which is used (and tested) with all the projects. >> I guess it's possible to start with migrating nettle from cvs, and leave >> the rest of the tree for later. But I'm not sure that's a good way to do >> it. > > I actually don't think that's an unreasonable approach. If we just > migrate one component (nettle), we can make sure the migrated setup is > OK and that your workflow feels sensible before going through the work > of the other subprojects. If we do that, I guess we'd need the following steps: 1. migrate the nettle cvs directory to a git repository. 2. cvs rm all those files from the cvs tree (as usual, we can't cvs rm the directories themselves). 3. At some later time, migrate the lsh cvs repository to git. Should the old nettle subdirectory be excluded somehow? Perhaps not, if I want to be able to check out old lsh versions from git. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Mon Mar 28 01:56:47 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sun, 27 Mar 2011 19:56:47 -0400 Subject: developing nettle with git In-Reply-To: References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> Message-ID: <4D8FCEBF.7070104@fifthhorseman.net> On 03/26/2011 03:46 AM, Niels M?ller wrote: > The main reason is that lsh is the main testcase. So when introducing > new features one of those those libraries, I usually first hack lsh to > use it, to iron out both interface and implementation bugs. Those > intermediate versions may never be in the API of any released library. > > git submodules (assuming that they work well) would probably be the > right tool to keep these libraries in subdirectories of the lsh work > tree. Yeah, you can definitely do that with git submodules. I'd be happy to help you iron out kinks in that workflow if you like. > Ah, and then it's the release procedure. I'd still like to bundle the > libraries with lsh, and having the libraries in subdirectories makes > that easier. And as long as the versions bundled with nettle are > configured for static linking, I see no problem of bundling lsh with > unreleased versions of the libraries. hm, are you talking about making binary releases? or source releases? > If we do that, I guess we'd need the following steps: > > 1. migrate the nettle cvs directory to a git repository. this is already done, if you don't mind using my git repo as the base: git://lair.fifthhorseman.net/~dkg/nettle You can just clone it and then publish it yourself :) if you want to do the repository conversion yourself, i understand that too -- i'm just trying to help. To do it yourself, you want to use git cvsimport (from the git-cvs package in debian). > 2. cvs rm all those files from the cvs tree (as usual, we can't cvs rm > the directories themselves). > > 3. At some later time, migrate the lsh cvs repository to git. Should the > old nettle subdirectory be excluded somehow? Perhaps not, if I want > to be able to check out old lsh versions from git. i don't think you'll need to exclude the old nettle subdirectory from any future lsh cvs->git migration, especially if the directory has been removed from the HEAD already. hth, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110327/940e8c0d/attachment.pgp From nisse at lysator.liu.se Mon Mar 28 09:17:35 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 28 Mar 2011 09:17:35 +0200 Subject: developing nettle with git In-Reply-To: <4D8FCEBF.7070104@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Sun, 27 Mar 2011 19:56:47 -0400") References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > hm, are you talking about making binary releases? or source releases? I'm talking about the source releases of lsh. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Mon Mar 28 10:15:33 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 28 Mar 2011 10:15:33 +0200 Subject: developing nettle with git In-Reply-To: <4D8FCEBF.7070104@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Sun, 27 Mar 2011 19:56:47 -0400") References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > To do it yourself, you want to use git cvsimport (from the git-cvs > package in debian). I think I'd prefer to do the conversion myself. I've had a first look at the man page for git-cvsimport. I take it I first need to scan the cvs log for all comitters and write a cvs-authors file (I remember I had some trouble with character set issues for the corresponding file when doing the hg migration for gmp. Should the names here be in the $LC_CTYPE charset, or always utf8?). Then, I'm not sure how to deal with branches, in particular, the -r and -o options. I'm not used to git, and with hg I also haven't used any "real" branches, I've just cloned the repository. I'm a bit scared by "You should never do any work of your own on the branches that are created by git cvsimport." in the man page. I think I'd like to keep the possibility of doing cvs import more than once. What command line did you use? What branches did you end up with? Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Mon Mar 28 15:07:45 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 28 Mar 2011 15:07:45 +0200 Subject: developing nettle with git In-Reply-To: <4D8FCEBF.7070104@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Sun, 27 Mar 2011 19:56:47 -0400") References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > Yeah, you can definitely do that with git submodules. Hmm. I'm not sure that will work the way I like. I've been told that if I have an lsh directory with nettle as a submodule, I can't easily modify nettle and commit and push changes from that tree. git-subtree may be more useful (see https://github.com/apenwarr/git-subtree/blob/master/git-subtree.txt and http://psionides.jogger.pl/2010/02/04/sharing-code-between-projects-with-git-subtree/) Maybe it makes things simpler to stick to a single repository for everything (like the current cvs repository)? Is there any compelling reason why nettle must be a separate repository? (If I understand the docs correctly, one could split off a nettle repository later, using git-subtree split). Regardss, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Mon Mar 28 19:03:08 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 28 Mar 2011 13:03:08 -0400 Subject: developing nettle with git In-Reply-To: References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> Message-ID: <4D90BF4C.400@fifthhorseman.net> On 03/28/2011 03:17 AM, Niels M?ller wrote: > Daniel Kahn Gillmor writes: > >> hm, are you talking about making binary releases? or source releases? > > I'm talking about the source releases of lsh. I'm a software developer, a sysadmin, and a contributor to a distro (debian). No matter which of those three hats i'm wearing, i *strongly* prefer to have source releases broken out into separable components, rather than one monolithic tarball. I prefer this for system maintenance, for security, for clarity of API, and for ease of modification. I'm not sure what the argument for monolithic source release is. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110328/b416be1b/attachment.pgp From dkg at fifthhorseman.net Mon Mar 28 19:22:54 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 28 Mar 2011 13:22:54 -0400 Subject: developing nettle with git In-Reply-To: References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> Message-ID: <4D90C3EE.4010403@fifthhorseman.net> On 03/28/2011 04:15 AM, Niels M?ller wrote: > I take it I first need to scan the cvs log for all comitters and write a > cvs-authors file (I remember I had some trouble with character set > issues for the corresponding file when doing the hg migration for gmp. > Should the names here be in the $LC_CTYPE charset, or always utf8?). i'd do everything in utf8 myself, but then my LC_CTYPE always uses UTF-8 anyway. I don't know what the consequences are of doing things other ways. > Then, I'm not sure how to deal with branches, in particular, the -r and > -o options. I'm not used to git, and with hg I also haven't used any > "real" branches, I've just cloned the repository. I'm a bit scared by > "You should never do any work of your own on the branches that are > created by git cvsimport." in the man page. > > I think I'd like to keep the possibility of doing cvs import more than > once. Meaning you want to update the cvs tree concurrently with the git repo? This is doable, but it means that your git repo will need to be regularly rebased against the CVS tree. I've been doing this with the git repo i've published, but that's because the CVS tree is still in use. doing regular git cvsimports against an active CVS tree will make it more difficult for other people to develop against the git tree, which seems like it defeats one of the nice advantages of moving to a modern dvcs. > What command line did you use? What branches did you end up with? I ran something like this: cvs -d :pserver:anonymous at cvs.lysator.liu.se:/cvsroot/lsh \ co -d nettle lsh/nettle cd nettle git cvsimport I ended up with no extra branches, though. Just a handful of tags. What sort of branches do you want to end up with? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110328/225442df/attachment.pgp From dkg at fifthhorseman.net Mon Mar 28 19:47:29 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 28 Mar 2011 13:47:29 -0400 Subject: developing nettle with git In-Reply-To: References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> Message-ID: <4D90C9B1.1090906@fifthhorseman.net> On 03/28/2011 09:07 AM, Niels M?ller wrote: > Maybe it makes things simpler to stick to a single repository for > everything (like the current cvs repository)? Is there any compelling > reason why nettle must be a separate repository? (If I understand the > docs correctly, one could split off a nettle repository later, using > git-subtree split). I'd personally like to work on nettle without dealing with the entire source of lsh and the other components. I suspect the same might be true of people who want to hack on the other components, or on lsh itself. If you want to encourage external participation, separate repositories make more sense to me. How do other folks on this list feel about the tradeoffs here? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110328/d7b8fea2/attachment.pgp From simon at josefsson.org Mon Mar 28 19:54:33 2011 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 28 Mar 2011 19:54:33 +0200 Subject: developing nettle with git In-Reply-To: <4D90BF4C.400@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 28 Mar 2011 13:03:08 -0400") References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> <4D90BF4C.400@fifthhorseman.net> Message-ID: <87oc4v5dwm.fsf@latte.josefsson.org> Daniel Kahn Gillmor writes: > On 03/28/2011 03:17 AM, Niels M?ller wrote: >> Daniel Kahn Gillmor writes: >> >>> hm, are you talking about making binary releases? or source releases? >> >> I'm talking about the source releases of lsh. > > I'm a software developer, a sysadmin, and a contributor to a distro > (debian). No matter which of those three hats i'm wearing, i *strongly* > prefer to have source releases broken out into separable components, > rather than one monolithic tarball. I prefer this for system > maintenance, for security, for clarity of API, and for ease of modification. +1 As Nettle is looking to become more widely, it seems like a good time to make a separate repository for it. Lsh could just import the latest stable Nettle release, couldn't it? /Simon From nisse at lysator.liu.se Mon Mar 28 20:39:29 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Mon, 28 Mar 2011 20:39:29 +0200 Subject: developing nettle with git In-Reply-To: <4D90C3EE.4010403@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 28 Mar 2011 13:22:54 -0400") References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> <4D90C3EE.4010403@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > On 03/28/2011 04:15 AM, Niels M?ller wrote: >> I think I'd like to keep the possibility of doing cvs import more than >> once. > > Meaning you want to update the cvs tree concurrently with the git repo? Not in the longer term, but maybe during a transition period. But I guess it's not essential. > I ran something like this: > > cvs -d :pserver:anonymous at cvs.lysator.liu.se:/cvsroot/lsh \ > co -d nettle lsh/nettle > cd nettle > git cvsimport It all ended up on the "origin" branch then? (I'm still not familiar with git conventions). > I ended up with no extra branches, though. Just a handful of tags. > What sort of branches do you want to end up with? There are a few branches, in the lsh tree I think there's lsh_1_2_BRANCH, lsh_1_4_2_BRANCH, lsh_2_0_4_BRANCH, experimental_BRANCH_20050201. I branched and tagged the complete tree at the time, but appearantly that was before the move from lsh/src/nettle to lsh/nettle, so there are no tags in the current nettle subdirectory. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Tue Mar 29 06:24:42 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 29 Mar 2011 00:24:42 -0400 Subject: weak-key ciphers and arcfour Message-ID: <4D915F0A.7070604@fifthhorseman.net> hi nettle folks-- the nettle docs say: > In Nettle, most key setup functions have no return value, but > for ciphers with weak keys, the return value indicates whether or not > the given key is weak. [...] > A problem is that the key > setup of ARCFOUR is quite weak, you should never use keys with > structure, keys that are ordinary passwords, or sequences of keys like > ``secret:1'', ``secret:2'', ... [...] > void arcfour_set_key (struct arcfour_ctx *ctx, unsigned length, const uint8_t *key) > Initialize the cipher. The same function is used for both encryption and > decryption. Put together, these three statements seem contradictory. If arcfour has weak keys, shouldn't arcfour_set_key return an int indicating whether the key is considered weak (like the key setup functions for BLOWFISH, DES, and DES3 do)? Is the problem that there is no clear way to determine if an arcfour key is weak? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110329/75873f29/attachment.pgp From nisse at lysator.liu.se Tue Mar 29 07:19:22 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 29 Mar 2011 07:19:22 +0200 Subject: weak-key ciphers and arcfour In-Reply-To: <4D915F0A.7070604@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 29 Mar 2011 00:24:42 -0400") References: <4D915F0A.7070604@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: >> A problem is that the key >> setup of ARCFOUR is quite weak, you should never use keys with >> structure, keys that are ordinary passwords, or sequences of keys like >> ``secret:1'', ``secret:2'', ... The problem with arcfour is not that some particular keys are unexpectedly weak, but that the key bits are not spread out very well into the internal state (sorry if this description is a bit vague; my understanding is also a bit vague...). So there's unexpectedly high correlation between the first bytes of the key and the first bytes of the generated key stream, and I think there's also undesired correlation between key streams for close keys. I think the recommendations in the manual (hash the key first, and discard the initial bytes of the key stream) are still adequate. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Tue Mar 29 08:18:30 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 29 Mar 2011 02:18:30 -0400 Subject: struct nettle_cipher for weak-key ciphers Message-ID: <4D9179B6.4060702@fifthhorseman.net> hi nettle folks-- now that Crypt::Nettle seems effective and functional, i'm starting to look at using it in other systems i'm working on. Suddenly, i realize i'm missing access to 3DES and BLOWFISH, which i find i actually want :/ I'm missing them because there is no struct nettle_cipher for these algorithms (or for DES, for that matter, though i care less about DES). I seem to have a few options: 0) Crypt::Nettle could write unique interfaces to those ciphers and expose them to the user of the perl module as (for example) Crypt::Nettle::Cipher::3DES and Crypt::Nettle::Cipher::Blowfish . this breaks symmetry with the rest of the interface, though. 1) Crypt::Nettle could create its own struct nettle_cipher objects for these ciphers, wrapping the weak key checking in some code of that belongs to the perl module 2) I could propose that nettle to create struct nettle_cipher objects for these ciphers directly. I prefer (1) or (2) because they'll keep a simple interface for Crypt::Nettle. I'm not sure how to do (2) without breaking ABI in nettle somehow (or losing the weak-key error checking). But going with option (1) seems likely to cause code duplication in any other higher-level bindings that use the struct nettle_cipher objects to present a normalized interface. Any thoughts on how i should proceed? I can certainly do (1) independently of libnettle itself, but if there's a way to handle (2) more cleanly than i've been able to imagine thus far, i'd be happy to hear about it. Or, am i barking up the wrong tree entirely? I'm imagining (for example) a user who has in their possession a symmetrically-encrypted message that they happen to know the key for. The cipher used was one of the "weak-key" ciphers, and it's even possible that the key is in fact a weak key. The user should still be able to decrypt the message using Crypt::Nettle (or any other binding). --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110329/b5c64916/attachment.pgp From nmav at gnutls.org Tue Mar 29 09:59:29 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 29 Mar 2011 09:59:29 +0200 Subject: struct nettle_cipher for weak-key ciphers In-Reply-To: <4D9179B6.4060702@fifthhorseman.net> References: <4D9179B6.4060702@fifthhorseman.net> Message-ID: <4D919161.2000204@gnutls.org> On 03/29/2011 08:18 AM, Daniel Kahn Gillmor wrote: > now that Crypt::Nettle seems effective and functional, i'm starting to > look at using it in other systems i'm working on. Suddenly, i realize > i'm missing access to 3DES and BLOWFISH, which i find i actually want :/ > I'm missing them because there is no struct nettle_cipher for these > algorithms (or for DES, for that matter, though i care less about DES). > I seem to have a few options: > > 0) Crypt::Nettle could write unique interfaces to those ciphers and > expose them to the user of the perl module as (for example) > Crypt::Nettle::Cipher::3DES and Crypt::Nettle::Cipher::Blowfish . this > breaks symmetry with the rest of the interface, though. > 1) Crypt::Nettle could create its own struct nettle_cipher objects for > these ciphers, wrapping the weak key checking in some code of that > belongs to the perl module > 2) I could propose that nettle to create struct nettle_cipher objects > for these ciphers directly. > I prefer (1) or (2) because they'll keep a simple interface for > Crypt::Nettle. I'm not sure how to do (2) without breaking ABI in > nettle somehow (or losing the weak-key error checking). I'd also prefer (2), because it reduces work for nettle consumers. For gnutls I didn't use nettle_cipher at all and created my own wrappers, because nettle cipher works only with few ciphers. At least for TLS, weak key checking is not that important due to low probability of selecting one, to be of any practical concern. regards, Nikos From nmav at gnutls.org Tue Mar 29 10:03:10 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 29 Mar 2011 10:03:10 +0200 Subject: developing nettle with git In-Reply-To: <4D90C9B1.1090906@fifthhorseman.net> References: <4D890E1F.30208@fifthhorseman.net> <4D8CECE0.6090307@fifthhorseman.net> <4D8FCEBF.7070104@fifthhorseman.net> <4D90C9B1.1090906@fifthhorseman.net> Message-ID: <4D91923E.80101@gnutls.org> On 03/28/2011 07:47 PM, Daniel Kahn Gillmor wrote: > On 03/28/2011 09:07 AM, Niels M?ller wrote: >> Maybe it makes things simpler to stick to a single repository for >> everything (like the current cvs repository)? Is there any compelling >> reason why nettle must be a separate repository? (If I understand the >> docs correctly, one could split off a nettle repository later, using >> git-subtree split). > I'd personally like to work on nettle without dealing with the entire > source of lsh and the other components. That is the case with me as well. Moreover requiring someone to checkout a different project to access nettle, just gives the impression that the library is not intended for general use, but is rather an internal library of that project. regards, Nikos From simon at josefsson.org Tue Mar 29 10:11:00 2011 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 29 Mar 2011 10:11:00 +0200 Subject: weak-key ciphers and arcfour In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Tue, 29 Mar 2011 07:19:22 +0200") References: <4D915F0A.7070604@fifthhorseman.net> Message-ID: <8739m62vor.fsf@latte.josefsson.org> nisse at lysator.liu.se (Niels M?ller) writes: > Daniel Kahn Gillmor writes: > >>> A problem is that the key >>> setup of ARCFOUR is quite weak, you should never use keys with >>> structure, keys that are ordinary passwords, or sequences of keys like >>> ``secret:1'', ``secret:2'', ... > > The problem with arcfour is not that some particular keys are > unexpectedly weak, but that the key bits are not spread out very well > into the internal state (sorry if this description is a bit vague; my > understanding is also a bit vague...). There are some keys which are even weaker, for example keys beginning with 00 00 FD and 03 FD FC, see this paper: http://impic.org/papers/WeakKeys-report.pdf On the other hand, RC4 is broken so the function might as well always return 1 to indicate that the key is weak since it is used with RC4. :-) /Simon From nisse at lysator.liu.se Tue Mar 29 11:02:03 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 29 Mar 2011 11:02:03 +0200 Subject: struct nettle_cipher for weak-key ciphers In-Reply-To: <4D9179B6.4060702@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 29 Mar 2011 02:18:30 -0400") References: <4D9179B6.4060702@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > I seem to have a few options: > > 0) Crypt::Nettle could write unique interfaces to those ciphers and > expose them to the user of the perl module as (for example) > Crypt::Nettle::Cipher::3DES and Crypt::Nettle::Cipher::Blowfish . this > breaks symmetry with the rest of the interface, though. > > 1) Crypt::Nettle could create its own struct nettle_cipher objects for > these ciphers, wrapping the weak key checking in some code of that > belongs to the perl module > > 2) I could propose that nettle to create struct nettle_cipher objects > for these ciphers directly. I recommend (1). The way this is done in the Pike bindings (the implementation is maybe a bit too complicated for its own good), I use a struct pike_cipher very similar to nettle_cipher, /* Calls Pike_error on errors */ typedef void (*pike_nettle_set_key_func)(void *ctx, ptrdiff_t length, const char *key, /* Force means to use key even if it is weak */ int force); struct pike_cipher { const char *name; unsigned context_size; unsigned block_size; /* Suggested key size; other sizes are sometimes possible. */ unsigned key_size; pike_nettle_set_key_func set_encrypt_key; pike_nettle_set_key_func set_decrypt_key; nettle_crypt_func encrypt; nettle_crypt_func decrypt; }; Here, the pike_nettle_set_key_func differs from nettle_set_key_func is two ways, related to error handling: 1. It checks if the key size is appropriate for the algorithm, and raises an exception if not (in contrast, a bad key size passed to the nettle set_key function would abort the process with an assertion failure). 2. The behaviour for weak keys. If the force argument is zero (for Pike calls, it's an optional argument and omitting it also means zero), a weak key results in an exception. If the force argument is non-zero, a weak key is not not considered an error. In these bindings, unlike yours, each cipher like AES is a single class, with multiple supported key sizes. So all ciphers need their own set_key wrapper for proper error checking. In your case, where you have one separate class per possible key size, I think you could do something similar and still use the new enumeration interface for the "normal" algorithms. If you're fine with either having weak keys always raise an exception or always be accepted, you could write set_key wrappers for the affected ciphers which do precisely that and which adhere to the nettle_set_key_func interface (note that des_set_key and des3_set_key don't have a key size argument so they need wrappers also for that reason). If you want it to be configurable, things get a bit more complicated and you may need your own struct perl_cipher to extend struct nettle_cipher (you could still enumerate the available nettle_cipher and convert each to a corresponding perl_cipher). Or you could just define separate classes with and without weak key checking. There will be a little code duplication. But there ought to be code *somewhere* to implements the language-specific pieces of the interface, such as exception based error handling, and new features, like, e.g., the optional force argument above. > Or, am i barking up the wrong tree entirely? I'm imagining (for > example) a user who has in their possession a symmetrically-encrypted > message that they happen to know the key for. The cipher used was one > of the "weak-key" ciphers, and it's even possible that the key is in > fact a weak key. The user should still be able to decrypt the message > using Crypt::Nettle (or any other binding). I agree that there are certainly cases where you don't want to treat weak keys as errors. Even though I think it makes sense to have a default behaviour which treats weak keys as errors. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Tue Mar 29 11:08:31 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 29 Mar 2011 11:08:31 +0200 Subject: struct nettle_cipher for weak-key ciphers In-Reply-To: <4D919161.2000204@gnutls.org> (Nikos Mavrogiannopoulos's message of "Tue, 29 Mar 2011 09:59:29 +0200") References: <4D9179B6.4060702@fifthhorseman.net> <4D919161.2000204@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > At least for TLS, weak key checking is not that important due to > low probability of selecting one, to be of any practical concern. In lsh, I disconnect when a weak key is detected. The problem with relying on "low probability" is that unless you generate the random key all by yourself, you need that probability to be low also in the presence of any possible attacks on the key agreement protocol. The analysis needed to rule out such attacks may cause some headache, which you can avoid by simply refusing to use weak keys if they ever occur. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Tue Mar 29 11:25:17 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 29 Mar 2011 11:25:17 +0200 Subject: weak-key ciphers and arcfour In-Reply-To: <8739m62vor.fsf@latte.josefsson.org> (Simon Josefsson's message of "Tue, 29 Mar 2011 10:11:00 +0200") References: <4D915F0A.7070604@fifthhorseman.net> <8739m62vor.fsf@latte.josefsson.org> Message-ID: Simon Josefsson writes: > There are some keys which are even weaker, for example keys beginning > with 00 00 FD and 03 FD FC, see this paper: > > http://impic.org/papers/WeakKeys-report.pdf This still exploits statistical properties of the first few generated bytes, right? So if you generate and discard the first 512 or 1024 bytes or so of the keystream, the statistics for these keys shouldn't be much different from any oter keys, right? Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From simon at josefsson.org Tue Mar 29 11:58:12 2011 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 29 Mar 2011 11:58:12 +0200 Subject: weak-key ciphers and arcfour In-Reply-To: ("Niels =?iso-8859-1?Q?M=F6ller=22's?= message of "Tue, 29 Mar 2011 11:25:17 +0200") References: <4D915F0A.7070604@fifthhorseman.net> <8739m62vor.fsf@latte.josefsson.org> Message-ID: <87sju61c5n.fsf@latte.josefsson.org> nisse at lysator.liu.se (Niels M?ller) writes: > Simon Josefsson writes: > >> There are some keys which are even weaker, for example keys beginning >> with 00 00 FD and 03 FD FC, see this paper: >> >> http://impic.org/papers/WeakKeys-report.pdf > > This still exploits statistical properties of the first few generated > bytes, right? Yes, that's true. > So if you generate and discard the first 512 or 1024 bytes or so of > the keystream, the statistics for these keys shouldn't be much > different from any oter keys, right? Right. I think 512 bytes is a bit on the low end these days, conservative recommendations are now up 3072 bytes: http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#RC4-drop Note that the RC4 keystream can be distinguished from random with only about a few GB's of stream output regardless of how many initial bytes are dropped. This suggests to me that there are attacks that will work regardless of how much initial output you discard. /Simon From nmav at gnutls.org Tue Mar 29 17:07:13 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 29 Mar 2011 17:07:13 +0200 Subject: struct nettle_cipher for weak-key ciphers In-Reply-To: References: <4D9179B6.4060702@fifthhorseman.net> <4D919161.2000204@gnutls.org> Message-ID: <4D91F5A1.7020806@gnutls.org> On 03/29/2011 11:08 AM, Niels M?ller wrote: > Nikos Mavrogiannopoulos writes: > >> At least for TLS, weak key checking is not that important due to >> low probability of selecting one, to be of any practical concern. > In lsh, I disconnect when a weak key is detected. > The problem with relying on "low probability" is that unless you > generate the random key all by yourself, you need that probability to be > low also in the presence of any possible attacks on the key agreement > protocol. The analysis needed to rule out such attacks may cause some > headache, which you can avoid by simply refusing to use weak keys if > they ever occur. In TLS the generated keys do not only depend on the key exchange but also on several bytes of randomness contributed by both peers. Even a key exchange with a malicious party, would produce random keys with a little more than 224 bits of randomness. Moreover if you handle weak keys, you should include it into the protocol, i.e. do you restart the key exchange once a weak key is detected, or you just terminate the handshake? TLS has no provisions for a re-handshake once a weak-key is detected. regards, Nikos From dkg at fifthhorseman.net Tue Mar 29 17:47:41 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 29 Mar 2011 11:47:41 -0400 Subject: struct nettle_cipher for weak-key ciphers In-Reply-To: References: <4D9179B6.4060702@fifthhorseman.net> Message-ID: <4D91FF1D.9080408@fifthhorseman.net> On 03/29/2011 05:02 AM, Niels M?ller wrote: > If you're fine with either having weak keys always raise an exception or > always be accepted, you could write set_key wrappers for the affected > ciphers which do precisely that and which adhere to the > nettle_set_key_func interface (note that des_set_key and des3_set_key > don't have a key size argument so they need wrappers also for that > reason). If you want it to be configurable, things get a bit more > complicated and you may need your own struct perl_cipher to extend > struct nettle_cipher (you could still enumerate the available > nettle_cipher and convert each to a corresponding perl_cipher). Or you > could just define separate classes with and without weak key checking. this is quite a bit of code duplication across bindings. I'd rather just expose the fact of a weak key to the caller directly (whether through exceptions, return codes, or some other mechanism. ----- Here's a proposal for (2) which i'll name "2a"; I believe it does involve an ABI+API bump to libnettle, but should allow for a reduction in the amount of code for all bindings (which in turn might make the creation of future bindings more likely, thereby getting the nettle goodness out to more people). I know i'd be more likely to maintain additional bindings if they are smaller/simpler. redefine nettle_set_key_func to return an int instead of a void: typedef int nettle_set_key_func(void *ctx, unsigned length, const uint8_t *key); For the ciphers which have no weak keys, create wrapper functions around their set_key functions which always return 1, and use those wrapper functions to populate the standard nettle_cipher objects. Add a wrapper function around des_set_key and des3_set_key that includes a key length argument; add corresponding nettle_cipher objects for des and des3. Add new nettle_cipher objects for the remaining weak-key ciphers (only blowfish?) without the wrapping functions. ----- And here is "2b", a more involved proposal for (2) -- it's a bigger ABI+API change, but the exposed API becomes more normalized: Redefine nettle_set_key_func as in "2a"; and also change all the *_set_key() functions in nettle to return an int directly. ciphers with no weak keys will naturally always return 1. Change des_set_key() and des3_set_key() to take length arguments like every other *_set_key() function. Add new nettle_cipher objects for all missing ciphers. ----- I understand the natural reluctance to make an ABI bump, and i think it's good to do so carefully (and i regret that i didn't make this proposal before the recent ABI bump to get it all done together). But i think the tradeoff in terms of simplicity of new bindings is an overall positive one. In either proposal, bindings still retain the ability to report weak keys using language-specific mechanisms/error handling. I'd be happy to write a patch for either 2a or 2b, if there was a chance that they would be accepted upstream. Either one would make me happy (and more willing to step up to writing python bindings, which i'd like to have on my plate for the future). Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110329/a45f4c7b/attachment.pgp From nisse at lysator.liu.se Tue Mar 29 21:38:31 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 29 Mar 2011 21:38:31 +0200 Subject: struct nettle_cipher for weak-key ciphers In-Reply-To: <4D91FF1D.9080408@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 29 Mar 2011 11:47:41 -0400") References: <4D9179B6.4060702@fifthhorseman.net> <4D91FF1D.9080408@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > this is quite a bit of code duplication across bindings. Could you be a bit more concrete? Which variant of wrappers and weak-key interface are you thinking about? Before getting into specifics, I'd like to point out that the structs declared in nettle-meta.h are not intended as a fully general algorithm framework (to do that, one could, e.g., implement an interface on the same level of abstraction as libgcrypt's, on top of nettle). Besides missing des and blowfish, it doesn't provide a nettle_cipher struct for every possible key size for all algorithms, and there's also no mechanism to query possible key sizes. To me, the lack of a struct nettle_cipher for des and blowfish-128 is comparable to the lack of struct nettle_cipher for cast, arcfour and blowfish with 80 bit key. And to support them all in a reasonable way would require something quite different from the current struct nettle_cipher. nettle-meta.h is intended to provide the simplest algorithm abstraction possible, to cover the simple cases. And also as inspiration for extended frameworks, either more general or more application specific. This works better for hash algorithm (more regular properties than for the ciphers), and in the Pike bindings, I use nettle_hash as is, but I don't use nettle_cipher. > Here's a proposal for (2) which i'll name "2a"; I believe it does > involve an ABI+API bump to libnettle, but should allow for a reduction > in the amount of code for all bindings (which in turn might make the > creation of future bindings more likely, thereby getting the nettle > goodness out to more people). I know i'd be more likely to maintain > additional bindings if they are smaller/simpler. > > redefine nettle_set_key_func to return an int instead of a void: > > typedef int nettle_set_key_func(void *ctx, > unsigned length, > const uint8_t *key); > > For the ciphers which have no weak keys, create wrapper functions around > their set_key functions which always return 1, and use those wrapper > functions to populate the standard nettle_cipher objects. > > Add a wrapper function around des_set_key and des3_set_key that includes > a key length argument; add corresponding nettle_cipher objects for des > and des3. I could consider this, but I'm not convinced that it really solves an important problem. To me, a language-specific wrapper like, e.g., void pike_blowfish_set_key(void *ctx, ptrdiff_t length, const char *key, int force) { if (length < BLOWFISH_MIN_KEY_SIZE || length > BLOWFISH_MAX_KEY_SIZE) Pike_error("BLOWFISH_Info: Bad keysize for BLOWFISH.\n"); if (!blowfish_set_key(ctx, length, (const uint8_t *)key) && !force) Pike_error("BLOWFISH_Info: Key is weak.\n"); } seems more useful than a language agnostic wrapper int aes_set_encrypt_key_wrapper (struct aes_ctx *ctx, unsigned length, const uint8_t *key) { aes_set_encrypt_key (ctx, length, key); return 1; } which lacks adequate error handling for bad key sizes. And if we extend nettle_cipher to include a description of valid key sizes, and/or introduce additional error codes for the set_key functions to signal different types of bad keys, then we get quite far from the current minimalistic flavor of nettle. > And here is "2b", a more involved proposal for (2) -- it's a bigger > ABI+API change, but the exposed API becomes more normalized: I'm not going to do this. The low level cipher interface is not intended to normalize away important differences between ciphers. In particular, * I don't like dummy return values (which are either unnecessarily checked, making code ugly, or get people into the habit if ignoring return values). "Can't fail" (except by abort()) is a very simplifying property of a function, and then it shouldn't return an error code. * I also don't like dummy function arguments, used like int des_set_key (struct des_ctx *ctx, unsigned length, const uint8_t *key) { assert (length == DES_KEY_SIZE); ... } (except in an optional wrapper function, where the above would be the right thing). Remember that the C interface is intended to be nice also for applications that use just one or two algorithms. These applications should not suffer from cruft intended to unify the interface with some other algorithm which the applications couldn't care less about. An important case would be applications that use only the newer algorithms like aes or camellia. They shouldn't have to bother about a return value introduced just because it's needed for des. BTW: There's another easy alternative which we could call (3): Keep nettle_set_key_func as is. Introduce wrappers for des and blowfish which just ignore weak keys, and provide nettle_cipher structs using these wrappers. Then you get des and blowfish sans weak key detection, using the same interface as the other ciphers. I think this would fit reasonably with the nettle design principles. Question is: Would anybody find it useful? For a general language binding, I would expect that one would want to have the possibility to detect weak keys. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From dkg at fifthhorseman.net Thu Mar 31 17:34:32 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 31 Mar 2011 11:34:32 -0400 Subject: struct nettle_cipher for weak-key ciphers In-Reply-To: References: <4D9179B6.4060702@fifthhorseman.net> <4D91FF1D.9080408@fifthhorseman.net> Message-ID: <4D949F08.9060904@fifthhorseman.net> On 03/29/2011 03:38 PM, Niels M?ller wrote: > Daniel Kahn Gillmor writes: > >> this is quite a bit of code duplication across bindings. > > Could you be a bit more concrete? Which variant of wrappers and weak-key > interface are you thinking about? sorry -- i meant that it seemed like it would be unnecessary code duplication for me to create a perl_nettle_cipher struct that matched your pike_nettle_cipher. > Before getting into specifics, I'd like to point out that the structs > declared in nettle-meta.h are not intended as a fully general algorithm > framework (to do that, one could, e.g., implement an interface on the > same level of abstraction as libgcrypt's, on top of nettle). hm, ok, i see your point. it sounds like nettle_cipher might be a reasonable choice for symmetric encryption (where the tools can select reasonable key sizes, etc), but *not* a reasonable choice for symmetric decryption (where we have to cope with arbitrary algorithms and keys foisted on us by the incoming ciphertext). > This works better for hash algorithm (more regular properties than for > the ciphers), and in the Pike bindings, I use nettle_hash as is, but I > don't use nettle_cipher. Perhaps what i'm wondering is: can we define an cipher abstraction that exposes the relevant details in C, provides a framework that is suitable for symmetric decryption, and doesn't violate the minimalistic flavor of nettle? I think having something like this in the canonical sources (instead of implemented outside of nettle) would make it easier to write and maintain language bindings. Or, as you said about your Pike bindings: "the implementation is maybe a bit too complicated for its own good" -- wouldn't it be better to have the extra implementation complexity in only one place instead of expecting every binding that uses it to duplicate it? > I could consider this, but I'm not convinced that it really solves an > important problem. To me, a language-specific wrapper like, e.g., > > void > pike_blowfish_set_key(void *ctx, > ptrdiff_t length, const char *key, > int force) > { > if (length < BLOWFISH_MIN_KEY_SIZE || length > BLOWFISH_MAX_KEY_SIZE) > Pike_error("BLOWFISH_Info: Bad keysize for BLOWFISH.\n"); > if (!blowfish_set_key(ctx, length, (const uint8_t *)key) && !force) > Pike_error("BLOWFISH_Info: Key is weak.\n"); > } > > seems more useful than a language agnostic wrapper > > int > aes_set_encrypt_key_wrapper (struct aes_ctx *ctx, > unsigned length, const uint8_t *key) > { > aes_set_encrypt_key (ctx, length, key); > return 1; > } i think you might be comparing apples and oranges here. I agree that language-specific error handling is useful. I'd expect any bindings to report errors in some sort of native form. But that doesn't mean that we shouldn't have a cipher-agnostic interface in C that is capable of reporting all the standard classes of errors. But it would be nice for the authors of the bindings to have a standard way (in C) to get error reports that is cipher-agnostic. Otherwise, we'll end up with a bunch of duplicate cipher-specific code in each binding. Maybe it's useful to think through what possible errors could come up from a *_set_key function, and come up with a C interface that would cover them all in some sort of distinguishable fashion? So far, i think the errors i've heard are: * bad key size * weak key Anything else? Do we want a way to report the range of acceptable key sizes for a given cipher? > which lacks adequate error handling for bad key sizes. And if we extend > nettle_cipher to include a description of valid key sizes, and/or > introduce additional error codes for the set_key functions to signal > different types of bad keys, then we get quite far from the current > minimalistic flavor of nettle. > >> And here is "2b", a more involved proposal for (2) -- it's a bigger >> ABI+API change, but the exposed API becomes more normalized: > > I'm not going to do this. The low level cipher interface is not intended > to normalize away important differences between ciphers. That seems reasonable to me. I'm happy to discard proposal 2b. > BTW: There's another easy alternative which we could call (3): Keep > nettle_set_key_func as is. Introduce wrappers for des and blowfish which > just ignore weak keys, and provide nettle_cipher structs using these > wrappers. Then you get des and blowfish sans weak key detection, using > the same interface as the other ciphers. I think this would fit > reasonably with the nettle design principles. Question is: Would anybody > find it useful? For a general language binding, I would expect that one > would want to have the possibility to detect weak keys. Yes, i agree that general language bindings should allow the user to detect weak keys. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature Url : http://lists.lysator.liu.se/pipermail/nettle-bugs/attachments/20110331/c39d1e13/attachment.pgp From nisse at lysator.liu.se Fri Apr 1 11:28:58 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Fri, 01 Apr 2011 11:28:58 +0200 Subject: struct nettle_cipher for weak-key ciphers In-Reply-To: <4D949F08.9060904@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 31 Mar 2011 11:34:32 -0400") References: <4D9179B6.4060702@fifthhorseman.net> <4D91FF1D.9080408@fifthhorseman.net> <4D949F08.9060904@fifthhorseman.net> Message-ID: Daniel Kahn Gillmor writes: > can we define an cipher abstraction that exposes the relevant details > in C, provides a framework that is suitable for symmetric decryption, > and doesn't violate the minimalistic flavor of nettle? Feel free to try... Some points to keep in mind: 1. I think the current nettle_cipher is useful for some applications, even if it's not suitable for language bindings which want to provide access to everything available. 2. Error checking at set_key > So far, i think the errors i've heard are: > > * bad key size > > * weak key > > Anything else? One could possibly add parity error for DES, but I doubt anyone really cares about that. One *might* want to make some distinction between "hard" errors, like bad key sizes, and "soft" errors or warnings like weak keys, where the resulting cipher context still can be used, if desired. 3. The set of supported key sizes. This is the issue with most potential for making things hairy (and this information is not provided by nettle's cipher specific interfaces either; there's a define for a single "recommended" key size, and when applicable there are defines for the minimum and maximum key size. But the user has to look in the documentation to find out which key sizes in this range are actually supported). > Do we want a way to report the range of acceptable key sizes for a > given cipher? I think a general algorithm abstraction ought to provide that. And I think the model for this more general abstraction should be that ciphers are parametrized by key size, which is different from current nettle_cipher (and the design of your perl bindings) which is unaware that the two ciphers aes-128 and aes-256 are in fact related. There are two types of queries one could support: a) The ability to ask if a particular key size is ok. b) The ability to get the complete set of available key sizes. From nmav at gnutls.org Sun Apr 3 01:42:10 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 03 Apr 2011 01:42:10 +0200 Subject: different lib directories for gnutls and nettle In-Reply-To: <437hbgql64.wl%bjg@gnu.org> References: <437hbgql64.wl%bjg@gnu.org> Message-ID: <4D97B452.9080100@gnutls.org> On 03/31/2011 12:48 AM, Brian Gough wrote: > Hi, now that GNU TLS is using nettle I notice there is a difference > between the --libdir for the two packages on 64 bit. > Nettle installs to $prefix/lib64/ and GNU TLS looks for it in > $prefix/lib/ -- so it fails and the standard configure/install to a > prefix doesn't work. Indeed it seems nettle for some reason uses the /usr/lib64. Niels, is there really a reason for that? As I understand from the FHS[0] /usr/lib is the system library directory. /usr/lib64 and /usr/lib32 might not even be there. regards, Nikos [0]. http://www.pathname.com/fhs/pub/fhs-2.3.html#USRLIBLIBRARIESFORPROGRAMMINGANDPA From nisse at lysator.liu.se Tue Apr 12 11:27:42 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 12 Apr 2011 11:27:42 +0200 Subject: different lib directories for gnutls and nettle In-Reply-To: <4D97B452.9080100@gnutls.org> (Nikos Mavrogiannopoulos's message of "Sun, 03 Apr 2011 01:42:10 +0200") References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: > Indeed it seems nettle for some reason uses the /usr/lib64. Niels, > is there really a reason for that? As I understand from the FHS[0] > /usr/lib is the system library directory. /usr/lib64 and /usr/lib32 > might not even be there. Sorry for the late reply. A bit down in the same document, http://www.pathname.com/fhs/pub/fhs-2.3.html, it says /lib64 and /lib32 : 64/32-bit libraries (architecture dependent) The 64-bit architectures PPC64, s390x, sparc64 and AMD64 must place 64-bit libraries in /lib64, and 32-bit (or 31-bit on s390) libraries in /lib. If you believe this, then it's wrong to install 64-bit libraries in lib. And I believed so when I wrote this part of the nettle configure.ac... But then it turned out that at least debian on x86_64 ignores this part of the FHS, and puts the 64-bit libraries in lib, and 32-bit libraries in lib32. Which seems to also be the freebsd way of doing it. In the debian case, lib64 is a symlink to lib, so it doesn't matter for a 64-bit builds (they will be installed in lib64, which is a symlink to lib, which is tye right place), while a build with ./configure CC="gcc -m32" && make && make install will install the 32-bit library files in the wrong place. I'm not sure what the right thing is. Is there any distribution which actuallly does what the FHS says? If so, I guess configure needs to check what directories exists, and install in lib$ABI whenever that directory exists, otherwise in lib. I haven't got around to fixing that. Regards, /Niels -- Niels M?ller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. From nisse at lysator.liu.se Tue Apr 12 16:48:21 2011 From: nisse at lysator.liu.se (Niels =?iso-8859-1?Q?M=F6ller?=) Date: Tue, 12 Apr 2011 16:48:21 +0200 Subject: different lib directories for gnutls and nettle In-Reply-To: <43y63fppdz.wl%bjg@gnu.org> (Brian Gough's message of "Tue, 12 Apr 2011 14:31:36 +0100") References: <437hbgql64.wl%bjg@gnu.org> <4D97B452.9080100@gnutls.org> <43y63fppdz.wl%bjg@gnu.org> Message-ID: