nettle-bugs April 2014

nettle-bugs@lists.lysator.liu.se

7 participants
8 discussions

[PATCH 1/5] Don't include OPT_ASM_SOURCES twice in hogweed_PURE_OBJS
by Martin Storsjö 24 Aug '14

24 Aug '14

OPT_ASM_SOURCES is already included via hogweed_OBJS. This avoids build errors about duplicate symbols in the shared library. --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 1ec807b..2db76c5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -180,7 +180,7 @@ nettle_OBJS = $(nettle_SOURCES:.c=.$(OBJEXT)) $(LIBOBJS) nettle_PURE_OBJS = $(nettle_OBJS:.$(OBJEXT)=.p$(OBJEXT)) hogweed_OBJS = $(hogweed_SOURCES:.c=.$(OBJEXT)) $(OPT_ASM_SOURCES:.asm=.$(OBJEXT)) -hogweed_PURE_OBJS = $(hogweed_OBJS:.$(OBJEXT)=.p$(OBJEXT)) $(OPT_ASM_SOURCES:.asm=.p$(OBJEXT)) +hogweed_PURE_OBJS = $(hogweed_OBJS:.$(OBJEXT)=.p$(OBJEXT)) libnettle.a: $(nettle_OBJS) -rm -f $@ -- 1.7.9.4

5 29

nettle-mini
by Nikos Mavrogiannopoulos 26 Jun '14

26 Jun '14

Hello, I have put in https://github.com/nmav/nettle-mini/tree/gmp-mini a version of nettle that has an additional configure option. The --enable-mini-gmp. This will compile libghoweed using mini-gmp thus allowing nettle to be used in space constrained systems. Note that using nettle with mini-gmp instead of gmp imposes a penalty of around 10x, and may leak more information due to side-channels (this should not be the case for RSA as blinding is performed in hogweed, but I haven't checked the other algorithms). regards, Nikos

3 5

[PATCH] Some CCM mode documentation
by Owen Kirby 03 May '14

03 May '14

Here's a first stab at assembling some documentation about CCM mode and its API. It's probably still in need some some good proofreading for grammar and consistency. Some minor nits that I noticed about the API while writing it: - ccm_decrypt_message uses const void * for the cipher context, but all the other interfaces use void * for this. - passing the clength rather mlength to ccm_decrypt_message could be a little confusing when compared to the rest of the API. In retrospect, I think Neils's initial suggestion on this API was probably the better way to go. Cheers, Owen >From 0b0651a6e754652d9ce1aa7c2f6f7cbc3fc498bc Mon Sep 17 00:00:00 2001 From: Owen Kirby <osk(a)exegin.com> Date: Sat, 12 Apr 2014 21:31:39 -0700 Subject: [PATCH] Added CCM mode to the documentation. --- nettle.texinfo | 225 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 224 insertions(+), 1 deletion(-) diff --git a/nettle.texinfo b/nettle.texinfo index 68883a5..c988eb6 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -88,6 +88,7 @@ Cipher modes * CBC:: * CTR:: * GCM:: +* CCM:: Public-key algorithms @@ -1788,6 +1789,7 @@ signature to authenticate the message. * CBC:: * CTR:: * GCM:: +* CCM:: @end menu @@ -1960,7 +1962,7 @@ last three arguments define the source and destination area for the operation. @end deffn -@node GCM, , CTR, Cipher modes +@node GCM, CCM, CTR, Cipher modes @comment node-name, next, previous, up @subsection Galois counter mode @@ -2153,7 +2155,228 @@ equal to @code{GCM_BLOCK_SIZE}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun +@node CCM, , GCM, Cipher modes +@comment node-name, next, previous, up +@subsection Counter with CBC-MAC mode + +@cindex Counter with CBC-MAC Mode +@cindex CCM Mode + +CCM mode is the combination of counter mode with message authentication based on +cipher block chaining. It is constructed on top of a block cipher which must +have a block size of 128 bits. @acronym{CCM} mode is recommended by NIST in +@uref{http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf, +NIST Special Publication 800-38C}. Nettle's support for CCM consists of a +low-level general interface, a message encryption and authentication interface, +and specific functions for CCM using AES as the underlying block cipher. These +interfaces are defined in @file{<nettle/ccm.h>} + +The inputs to @acronym{CCM} are: +@itemize +@item +A key, which can be used for many messages. +@item +A parameter @var{L} which determines the size of the nonce and the maximum +length of message data which can be processed by @acronym{CCM}. +@item +A tag length, which must be a multiple of 4 bytes up to a maximum of one block. +@item +A nonce which @emph{must} be unique for each message. +@item +Optional authenticated data, which is to be included in the message +authentication, but not encrypted. +@item +The plaintext. May be empty. +@end itemize + +The outputs from @acronym{CCM} are: +@itemize +@item +The ciphertext of the same length as the plaintext. +@item +An encrypted authentication tag, up to one block on length. +@end itemize + +The parameter @var{L} determines the size of the counter that is used for the +message length, such that the maximum message length in bytes is given by +@code{maxlength = (1 << L) - 1}. However increasing @var{L} also restricts the +size of the nonce such that @code{noncelength = CCM_BLOCK_SIZE - 1 - L}, and +throughout this interface the parameter @var{L} is provided implicitly by the +nonce length. + +@acronym{CCM} mode encryption operates as follows: +@itemize +@item The nonce and message length are concatenated to create + @code{B_0 = flags | nonce | mlength} +@item The authenticated data and plaintext is formatted into the string + @code{B = L(adata) | adata | padding | plaintext | padding} with @code{padding} + being the shortest string of zero bytes such that the length of the string is + a multiple of the block size, and @code{L(adata)} is an encoding of the + length of @code{adata}. +@item The string @code{B} is separated into blocks @code{B_1} ... @code{B_n} +@item The authentication tag @code{T} is calculated as + @code{T=0, for i=0 to n, do T = E_k(B_i XOR T)} + +@item An initial counter is then initialized from the nonce to create + @code{IC = flags | nonce | padding}, where @code{padding} is the shortest + string of zero bytes such that @code{IC} is exactly one block in length. +@item The authentication tag is encrypted using using @acronym{CTR} mode: + @code{MAC = E_k(IC) XOR T} +@item The plaintext is then encrypted using @acronym{CTR} mode with an initial + counter of @code{IC+1}. +@end itemize + +@acronym{CCM} mode decryption operates similarly, except that the ciphertext +and @acronym{MAC} are first decrypted using CTR mode to retreive the plaintext +and authentication tag. The authentication tag can then be recalucated from the +authenticated data and plantext, and compared to the value in the message to +check for authenticity. + +@subsubsection General @acronym{CCM} interface + +For all of the functions in the @acronym{CCM} interface, @var{cipher} is the +context struct for the underlying cipher and @var{f} is the encryption function. +The cipher's encryption key must be set before calling any of the @acronym{CCM} +functions. The cipher's decryption function and key are never used. + +@deftp {Context struct} {struct ccm_ctx} +Holds state corresponding to a particular message. +@end deftp + +@defvr Constant CCM_BLOCK_SIZE +@acronym{CCM}'s block size, 16. +@end defvr + +@deftypefun void ccm_set_nonce (struct ccm_ctx *@var{ctx}, void *@var{cipher}, nettle_crypt_func *@var{f}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) +Initializes @var{ctx} using the given nonce and the sizes of the authenticated +data, message, and @acronym{MAC} to be processed. +@end deftypefun + +@deftypefun void ccm_update (struct ccm_ctx *@var{ctx}, void *@var{cipher}, nettle_crypt_func *@var{f}, size_t @var{length}, const uint8_t *@var{data}) +Provides associated data to be authenticated. Must be called after +@code{ccm_set_nonce}, and before @code{ccm_encrypt}, @code{ccm_decrypt}, or +@code{ccm_digest}. +@end deftypefun + +@deftypefun void ccm_encrypt (struct ccm_ctx *@var{ctx}, void *@var{cipher}, nettle_crypt_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void ccm_decrypt (struct ccm_ctx *@var{ctx}, void *@var{cipher}, nettle_crypt_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +Encrypts or decrypts the message data. Must be called after @code{ccm_set_nonce} +and before @code{ccm_digest}. All but the last call for each message @emph{must} +use a length that is a multiple of the block size. +@end deftypefun + +@deftypefun void ccm_digest (struct ccm_ctx *@var{ctx}, void *@var{cipher}, nettle_crypt_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) +Extracts the message digest (also known ``authentication tag''). This is +the final operation when processing a message. @var{length} is usually +equal to the @var{taglen} parameter supplied to @code{ccm_set_nonce}, but if you +provide a smaller value, only the first @var{length} octets of the digest are +written. +@end deftypefun + +To encrypt a message using the general @acronym{CCM} interface, set the message +nonce and length using @code{ccm_set_nonce} and then call @code{ccm_update} to +generate the digest of any authenticated data. After all of the authenticated +data has been digested use @code{ccm_encrypt} to encrypt the plaintext. Finally, +use @code{ccm_digest} to return the encrypted @acronym{MAC}. + +To decrypt a message, use @code{ccm_set_nonce} and @code{ccm_update} the same as +you would for encryption, and then call @code{ccm_decrypt} to decrypt the +ciphertext. After decrypting the ciphertext @code{ccm_digest} will return the +encrypted @acronym{MAC} which should be identical to the @acronym{MAC} in the +received message. + +@subsubsection @acronym{CCM} message interface + +The @acronym{CCM} message fuctions provides a simple interface that will +perform authentication and message encryption in a single function call. The +length of the ciphertext is given by @var{clength}, and it is always exactly +@var{tlength} bytes longer than the corresponding plaintext. The length of the +plaintext is not provided explicitly in this interface, as it would always have +a value of @var{mlength} = @var{clength} - @var{tlength}. + +@deftypefun void ccm_encrypt_message (void *@var{cipher}, nettle_crypt_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +Computes the message digest from the @var{adata} and @var{src} parameters, +encrypts the plaintext from @var{src}, appends the encrypted @acronym{MAC} to +ciphertext and outputs it to @var{dst}. +@end deftypefun + +@deftypefun int ccm_decrypt_message (void *@var{cipher}, nettle_crypt_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, +recalculates the @acronym{MAC} from @var{adata} and the plaintext, and compares +it to the final @var{tlength} bytes of @var{src}. If the values of the received +and calculated @acronym{MAC}s are equal, this will return 1 indicating a valid +and authenticated message. Otherwise, this function will return zero. +@end deftypefun + +@subsubsection @acronym{CCM}-@acronym{AES} interface + +The @acronym{AES} @acronym{CCM} functions provide an API for using @acronym{CCM} +mode with the @acronym{AES} block ciphers. The parameters all have the same +meaning as the general and message interfaces, except that the @var{cipher}, +@var{f}, and @var{ctx} parameters are replaced with an @acronym{AES} context +structure, and a set-key function must be called before using any of the other +functions in this interface. +@deftp {Context struct} {struct ccm_aes128_ctx} +Holds state corresponding to a particular message encrypted using the AES-128 block cipher. +@end deftp + +@deftp {Context struct} {struct ccm_aes192_ctx} +Holds state corresponding to a particular message encrypted using the AES-192 block cipher. +@end deftp + +@deftp {Context struct} {struct ccm_aes256_ctx} +Holds state corresponding to a particular message encrypted using the AES-256 block cipher. +@end deftp + +@deftypefun void ccm_aes128_set_key (struct ccm_aes128_ctx *@var{ctx}, const void *@var{key}) +@deftypefunx void ccm_aes192_set_key (struct ccm_aes192_ctx *@var{ctx}, const void *@var{key}) +@deftypefunx void ccm_aes256_set_key (struct ccm_aes256_ctx *@var{ctx}, const void *@var{key}) +Initializes the encryption key for the AES block cipher. One of these functions +must be called before any of the other functions in the @acronym{AES} +@acronym{CCM} interface. +@end deftypefun + +@deftypefun void ccm_aes128_set_nonce (struct ccm_aes128_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) +@deftypefunx void ccm_aes192_set_nonce (struct ccm_aes192_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) +@deftypefunx void ccm_aes256_set_nonce (struct ccm_aes256_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) +These are identical to @code{ccm_set_nonce}, except that @var{cipher}, +@var{f}, and @var{ctx} are replaced with a context structure. +@end deftypefun + +@deftypefun void ccm_aes128_update (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefunx void ccm_aes192_update (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefunx void ccm_aes256_update (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +These are identical to @code{ccm_set_update}, except that @var{cipher}, +@var{f}, and @var{ctx} are replaced with a context structure. +@end deftypefun + +@deftypefun void ccm_aes128_encrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void ccm_aes192_encrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void ccm_aes256_encrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void ccm_aes128_decrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void ccm_aes192_decrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void ccm_aes256_decrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +These are identical to @code{ccm_set_encrypt} and @code{ccm_set_decrypt}, except +that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. +@end deftypefun + +@deftypefun void ccm_aes128_digest (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefunx void ccm_aes192_digest (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefunx void ccm_aes256_digest (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +These are identical to @code{ccm_set_digest}, except that @var{cipher}, +@var{f}, and @var{ctx} are replaced with a context structure. +@end deftypefun + +@deftypefun void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +These are identical to @code{ccm_encrypt_message} and @code{ccm_decrypt_message} +except that @var{cipher} and @var{f} are replaced with a context structure. +@end deftypefun @node Keyed hash functions, Key derivation functions, Cipher modes, Reference @comment node-name, next, previous, up -- 1.7.9.5

2 7

[PATCH v3] CCM Cipher Modes
by Owen Kirby 03 May '14

03 May '14

Latest round of changes to the CCM modes, this moves the processing of L(a) into ccm_set_nonce() and updates the all-at-once API to concatenate the ciphertext and digest together. Cheers, Owen 2014-03-20 Owen Kirby <osk(a)exegin.com> * ccm.c (ccm_digest, ccm_set_nonce): Moved L(a) generation into ccm_set_nonce() * ccm.c (ccm_encrypt_message): Modified API to append the tag to the ciphertext. * ccm.c (ccm_decrypt_message): Modified API to parse the tag from the ciphertext. * ccm.h (struct ccm_ctx): Removed alen parameter, and made blength unsigned. * testsuite/ccm-test.c: Updated the test vectors for the all-at-once API. 2014-03-14 Owen Kirby <osk(a)exegin.com> * ccm-aes.c: Removed legacy AES API. * ccm.c (ccm_encrypt_message): Added all-at-once API for CCM mode ciphers. * ccm.c (ccm_digest): Added assert to ensure CCM digest length <= block size. * ccm.h: Updated copyright for CCM modes to Owen Kirby and Exegin Technologies. * ccm.c: Minor changes to CCM IV and nonce building functions. * ccm-aesXXX.c: Added all-at-once API, and removed the CCM helper macros. * testsuite/ccm-test.c: Added tests for the cipher-specific CCM functions. * testsuite/.test-rules.make: Fixed the building of the CCM self-test. >From 7643b88984cc71deb16ae2f3e91a6e7a0e2b8023 Mon Sep 17 00:00:00 2001 From: Owen Kirby <osk(a)exegin.com> Date: Wed, 20 Mar 2014 14:28:56 -0800 Subject: [PATCH] Support for CCM mode ciphers. --- Makefile.in | 1 + ccm-aes128.c | 100 +++++++ ccm-aes192.c | 101 +++++++ ccm-aes256.c | 102 +++++++ ccm.c | 255 ++++++++++++++++ ccm.h | 273 +++++++++++++++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 + testsuite/Makefile.in | 2 +- testsuite/ccm-test.c | 713 ++++++++++++++++++++++++++++++++++++++++++++ 10 files changed, 1550 insertions(+), 1 deletion(-) create mode 100644 ccm-aes128.c create mode 100644 ccm-aes192.c create mode 100644 ccm-aes256.c create mode 100644 ccm.c create mode 100644 ccm.h create mode 100644 testsuite/ccm-test.c diff --git a/Makefile.in b/Makefile.in index 24349c3..c05d891 100644 --- a/Makefile.in +++ b/Makefile.in @@ -87,6 +87,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ camellia256-set-decrypt-key.c \ camellia256-meta.c \ cast128.c cast128-meta.c cbc.c \ + ccm.c ccm-aes.c ccm-aes128.c ccm-aes192.c ccm-aes256.c \ chacha-crypt.c chacha-core-internal.c \ chacha-poly1305.c chacha-poly1305-meta.c \ chacha-set-key.c chacha-set-nonce.c \ diff --git a/ccm-aes128.c b/ccm-aes128.c new file mode 100644 index 0000000..94554e5 --- /dev/null +++ b/ccm-aes128.c @@ -0,0 +1,100 @@ +/* ccm-aes128.c + * + * Counter with CBC-MAC mode using AES128 as the underlying cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2014 Exegin Technologies Limited + * Copyright (C) 2014 Owen Kirby + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "aes.h" +#include "ccm.h" + +void +ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key) +{ + aes128_set_encrypt_key(&ctx->cipher, key); +} + +void +ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *nonce, + size_t authlen, size_t msglen, size_t taglen) +{ + ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_crypt_func *)aes128_encrypt, + length, nonce, authlen, msglen, taglen); +} + +void +ccm_aes128_update(struct ccm_aes128_ctx *ctx, + size_t length, const uint8_t *data) +{ + ccm_update(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes128_encrypt, length, data); +} + +void +ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src) +{ + ccm_encrypt(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes128_encrypt, length, dst, src); +} + +void +ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src) +{ + ccm_decrypt(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes128_encrypt, length, dst, src); +} + +void +ccm_aes128_digest(struct ccm_aes128_ctx *ctx, + size_t length, uint8_t *digest) +{ + ccm_digest(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes128_encrypt, length, digest); +} + +void +ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + ccm_encrypt_message(&ctx->cipher, (nettle_crypt_func *)aes128_encrypt, + nlength, nonce, alength, adata, tlength, clength, dst, src); +} + +int +ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + return ccm_decrypt_message(&ctx->cipher, (nettle_crypt_func *)aes128_encrypt, + nlength, nonce, alength, adata, tlength, clength, dst, src); +} \ No newline at end of file diff --git a/ccm-aes192.c b/ccm-aes192.c new file mode 100644 index 0000000..a2618a5 --- /dev/null +++ b/ccm-aes192.c @@ -0,0 +1,101 @@ +/* ccm-aes192.c + * + * Counter with CBC-MAC mode using AES192 as the underlying cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2014 Exegin Technologies Limited + * Copyright (C) 2014 Owen Kirby + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "aes.h" +#include "ccm.h" + + +void +ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key) +{ + aes192_set_encrypt_key(&ctx->cipher, key); +} + +void +ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *nonce, + size_t authlen, size_t msglen, size_t taglen) +{ + ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_crypt_func *)aes192_encrypt, + length, nonce, authlen, msglen, taglen); +} + +void +ccm_aes192_update(struct ccm_aes192_ctx *ctx, + size_t length, const uint8_t *data) +{ + ccm_update(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes192_encrypt, length, data); +} + +void +ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src) +{ + ccm_encrypt(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes192_encrypt, length, dst, src); +} + +void +ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src) +{ + ccm_decrypt(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes192_encrypt, length, dst, src); +} + +void +ccm_aes192_digest(struct ccm_aes192_ctx *ctx, + size_t length, uint8_t *digest) +{ + ccm_digest(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes192_encrypt, length, digest); +} + +void +ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + ccm_encrypt_message(&ctx->cipher, (nettle_crypt_func *)aes192_encrypt, + nlength, nonce, alength, adata, tlength, clength, dst, src); +} + +int +ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + return ccm_decrypt_message(&ctx->cipher, (nettle_crypt_func *)aes192_encrypt, + nlength, nonce, alength, adata, tlength, clength, dst, src); +} diff --git a/ccm-aes256.c b/ccm-aes256.c new file mode 100644 index 0000000..0779a2d --- /dev/null +++ b/ccm-aes256.c @@ -0,0 +1,102 @@ +/* ccm-aes256.c + * + * Counter with CBC-MAC mode using AES256 as the underlying cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2014 Exegin Technologies Limited + * Copyright (C) 2014 Owen Kirby + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "aes.h" +#include "ccm.h" + + +void +ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key) +{ + aes256_set_encrypt_key(&ctx->cipher, key); +} + +void +ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *nonce, + size_t authlen, size_t msglen, size_t taglen) +{ + ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_crypt_func *)aes256_encrypt, + length, nonce, authlen, msglen, taglen); +} + +void +ccm_aes256_update(struct ccm_aes256_ctx *ctx, + size_t length, const uint8_t *data) +{ + ccm_update(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes256_encrypt, length, data); +} + +void +ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src) +{ + ccm_encrypt(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes256_encrypt, length, dst, src); +} + +void +ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src) +{ + ccm_decrypt(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes256_encrypt, length, dst, src); +} + +void +ccm_aes256_digest(struct ccm_aes256_ctx *ctx, + size_t length, uint8_t *digest) +{ + ccm_digest(&ctx->ccm, &ctx->cipher, + (nettle_crypt_func *)aes256_encrypt, length, digest); +} + +void +ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + ccm_encrypt_message(&ctx->cipher, (nettle_crypt_func *)aes256_encrypt, + nlength, nonce, alength, adata, tlength, clength, dst, src); +} + +int +ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + return ccm_decrypt_message(&ctx->cipher, (nettle_crypt_func *)aes256_encrypt, + nlength, nonce, alength, adata, tlength, clength, dst, src); +} + diff --git a/ccm.c b/ccm.c new file mode 100644 index 0000000..82c2612 --- /dev/null +++ b/ccm.c @@ -0,0 +1,255 @@ +/* ccm.c + * + * Counter with CBC-MAC mode, specified by NIST, + * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20… + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2014 Exegin Technologies Limited + * Copyright (C) 2014 Owen Kirby + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> +#include <stdlib.h> +#include <string.h> + +#include "ccm.h" +#include "ctr.h" + +#include "memxor.h" +#include "nettle-internal.h" +#include "macros.h" + +/* + * The format of the CCM IV (for both CTR and CBC-MAC) is: flags | nonce | count + * flags = 1 octet + * nonce = N octets + * count >= 1 octet + * + * such that: + * sizeof(flags) + sizeof(nonce) + sizeof(count) == 1 block + */ +#define CCM_FLAG_L 0x07 +#define CCM_FLAG_M 0x38 +#define CCM_FLAG_ADATA 0x40 +#define CCM_FLAG_RESERVED 0x80 +#define CCM_FLAG_GET_L(_x_) (((_x_) & CCM_FLAG_L) + 1) +#define CCM_FLAG_SET_L(_x_) (((_x_) - 1) & CCM_FLAG_L) +#define CCM_FLAG_SET_M(_x_) ((((_x_) - 2) << 2) & CCM_FLAG_M) + +#define CCM_OFFSET_FLAGS 0 +#define CCM_OFFSET_NONCE 1 +#define CCM_L_SIZE(_nlen_) (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - (_nlen_)) +#define CCM_L_MAX_SIZE (CCM_FLAG_L+1) +#define CCM_IV_MAX_SIZE (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - 1) +#define CCM_IV_MIN_SIZE (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - CCM_L_MAX_SIZE) + +/* + * The data input to the CBC-MAC: L(a) | adata | padding | plaintext | padding + * + * blength is the length of data that has been added to the CBC-MAC modulus the + * cipher block size. If the value of blength is non-zero then some data has + * been XOR'ed into the CBC-MAC, and we will need to pad the block (XOR with 0), + * and iterate the cipher one more time. + * + * The end of adata is detected implicitly by the first call to the encrypt() + * and decrypt() functions, and will call ccm_pad() to insert the padding if + * necessary. Because of the underlying CTR encryption, the encrypt() and + * decrypt() functions must be called with a multiple of the block size and + * therefore blength should be zero on all but the first call. + * + * Likewise, the end of the plaintext is implicitly determined by the first call + * to the digest() function, which will pad if the final CTR encryption was not + * a multiple of the block size. + */ +static void +ccm_pad(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f) +{ + if (ctx->blength) f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); + ctx->blength = 0; +} + +static void +ccm_build_iv(uint8_t *iv, size_t noncelen, const uint8_t *nonce, uint8_t flags, size_t count) +{ + unsigned int i; + + /* Sanity check the nonce length. */ + assert(noncelen >= CCM_IV_MIN_SIZE); + assert(noncelen <= CCM_IV_MAX_SIZE); + + /* Generate the IV */ + iv[CCM_OFFSET_FLAGS] = flags | CCM_FLAG_SET_L(CCM_L_SIZE(noncelen)); + memcpy(&iv[CCM_OFFSET_NONCE], nonce, noncelen); + for (i=(CCM_BLOCK_SIZE - 1); i >= (CCM_OFFSET_NONCE + noncelen); i--) { + iv[i] = count & 0xff; + count >>= 8; + } + + /* Ensure the count was not truncated. */ + assert(!count); +} + +void +ccm_set_nonce(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, const uint8_t *nonce, + size_t authlen, size_t msglen, size_t taglen) +{ + /* Generate the IV for the CTR and CBC-MAC */ + ctx->blength = 0; + ccm_build_iv(ctx->tag.b, length, nonce, CCM_FLAG_SET_M(taglen), msglen); + ccm_build_iv(ctx->ctr.b, length, nonce, 0, 1); + + /* If no auth data, encrypt B0 and skip L(a) */ + if (!authlen) { + f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); + return; + } + + /* Encrypt B0 (with the adata flag), and input L(a) to the CBC-MAC. */ + ctx->tag.b[CCM_OFFSET_FLAGS] |= CCM_FLAG_ADATA; + f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); + if (authlen >= (0x01ULL << 32)) { + /* Encode L(a) as 0xff || 0xff || <64-bit integer> */ + ctx->tag.b[ctx->blength++] ^= 0xff; + ctx->tag.b[ctx->blength++] ^= 0xff; + ctx->tag.b[ctx->blength++] ^= (authlen >> 56) & 0xff; + ctx->tag.b[ctx->blength++] ^= (authlen >> 48) & 0xff; + ctx->tag.b[ctx->blength++] ^= (authlen >> 40) & 0xff; + ctx->tag.b[ctx->blength++] ^= (authlen >> 32) & 0xff; + ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; + ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; + } + else if (authlen >= ((0x1ULL << 16) - (0x1ULL << 8))) { + /* Encode L(a) as 0xff || 0xfe || <32-bit integer> */ + ctx->tag.b[ctx->blength++] ^= 0xff; + ctx->tag.b[ctx->blength++] ^= 0xfe; + ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; + ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; + } + ctx->tag.b[ctx->blength++] ^= (authlen >> 8) & 0xff; + ctx->tag.b[ctx->blength++] ^= (authlen >> 0) & 0xff; +} + +void +ccm_update(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, const uint8_t *data) +{ + const uint8_t *end = data + length; + + /* If we don't have enough to fill a block, save the data for later. */ + if ((ctx->blength + length) < CCM_BLOCK_SIZE) { + memxor(&ctx->tag.b[ctx->blength], data, length); + ctx->blength += length; + return; + } + + /* Process a partially filled block. */ + if (ctx->blength) { + memxor(&ctx->tag.b[ctx->blength], data, CCM_BLOCK_SIZE - ctx->blength); + data += (CCM_BLOCK_SIZE - ctx->blength); + f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); + } + + /* Process full blocks. */ + while ((data + CCM_BLOCK_SIZE) < end) { + memxor(ctx->tag.b, data, CCM_BLOCK_SIZE); + f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); + data += CCM_BLOCK_SIZE; + } /* while */ + + /* Save leftovers for later. */ + ctx->blength = (end - data); + if (ctx->blength) memxor(&ctx->tag.b, data, ctx->blength); +} + +/* + * Because of the underlying CTR mode encryption, when called multiple times + * the data in intermediate calls must be provided in multiples of the block + * size. + */ +void +ccm_encrypt(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, uint8_t *dst, const uint8_t *src) +{ + ccm_pad(ctx, cipher, f); + ccm_update(ctx, cipher, f, length, src); + ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); +} + +/* + * Because of the underlying CTR mode decryption, when called multiple times + * the data in intermediate calls must be provided in multiples of the block + * size. + */ +void +ccm_decrypt(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, uint8_t *dst, const uint8_t *src) +{ + ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); + ccm_pad(ctx, cipher, f); + ccm_update(ctx, cipher, f, length, dst); +} + +void +ccm_digest(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, uint8_t *digest) +{ + int i = CCM_BLOCK_SIZE - CCM_FLAG_GET_L(ctx->ctr.b[CCM_OFFSET_FLAGS]); + assert(length <= CCM_BLOCK_SIZE); + while (i < CCM_BLOCK_SIZE) ctx->ctr.b[i++] = 0; + ccm_pad(ctx, cipher, f); + ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, digest, ctx->tag.b); +} + +void +ccm_encrypt_message(void *cipher, nettle_crypt_func *f, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + struct ccm_ctx ctx; + uint8_t *tag = dst + (clength-tlength); + assert(clength >= tlength); + ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, clength-tlength, tlength); + ccm_update(&ctx, cipher, f, alength, adata); + ccm_encrypt(&ctx, cipher, f, clength-tlength, dst, src); + ccm_digest(&ctx, cipher, f, tlength, tag); +} + +int +ccm_decrypt_message(void *cipher, nettle_crypt_func *f, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + struct ccm_ctx ctx; + uint8_t tag[CCM_BLOCK_SIZE]; + assert(clength >= tlength); + ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, clength-tlength, tlength); + ccm_update(&ctx, cipher, f, alength, adata); + ccm_decrypt(&ctx, cipher, f, clength-tlength, dst, src); + ccm_digest(&ctx, cipher, f, tlength, tag); + return (memcmp(tag, src + (clength-tlength), tlength) == 0); +} diff --git a/ccm.h b/ccm.h new file mode 100644 index 0000000..da10cf9 --- /dev/null +++ b/ccm.h @@ -0,0 +1,273 @@ +/* ccm.h + * + * Counter with CBC-MAC mode, specified by NIST, + * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20… + * + * NIST SP800-38C doesn't specify the particular formatting and counter generation + * algorithm for CCM, but it does include an example algorithm. This example + * has become the de-factor standard, and has been adopted by both the IETF and + * IEEE across a wide variety of protocols. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2014 Exegin Technologies Limited + * Copyright (C) 2014 Owen Kirby + * + * Contributed by Owen Kirby + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#ifndef NETTLE_CCM_H_INCLUDED +#define NETTLE_CCM_H_INCLUDED + +#include "aes.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define ccm_set_nonce nettle_ccm_set_nonce +#define ccm_update nettle_ccm_update +#define ccm_encrypt nettle_ccm_encrypt +#define ccm_decrypt nettle_ccm_decrypt +#define ccm_digest nettle_ccm_digest +#define ccm_encrypt_message nettle_ccm_encrypt_message +#define ccm_decrypt_message nettle_ccm_decrypt_message + +#define ccm_aes128_set_key nettle_ccm_aes128_set_key +#define ccm_aes128_set_nonce nettle_ccm_aes128_set_nonce +#define ccm_aes128_update nettle_ccm_aes128_update +#define ccm_aes128_encrypt nettle_ccm_aes128_encrypt +#define ccm_aes128_decrypt nettle_ccm_aes128_decrypt +#define ccm_aes128_digest nettle_ccm_aes128_digest +#define ccm_aes128_encrypt_message nettle_ccm_aes128_encrypt_message +#define ccm_aes128_decrypt_message nettle_ccm_aes128_decrypt_message + +#define ccm_aes192_set_key nettle_ccm_aes192_set_key +#define ccm_aes192_set_nonce nettle_ccm_aes192_set_nonce +#define ccm_aes192_update nettle_ccm_aes192_update +#define ccm_aes192_encrypt nettle_ccm_aes192_encrypt +#define ccm_aes192_decrypt nettle_ccm_aes192_decrypt +#define ccm_aes192_digest nettle_ccm_aes192_digest +#define ccm_aes192_encrypt_message nettle_ccm_aes192_encrypt_message +#define ccm_aes192_decrypt_message nettle_ccm_aes192_decrypt_message + +#define ccm_aes256_set_key nettle_ccm_aes256_set_key +#define ccm_aes256_set_nonce nettle_ccm_aes256_set_nonce +#define ccm_aes256_update nettle_ccm_aes256_update +#define ccm_aes256_encrypt nettle_ccm_aes256_encrypt +#define ccm_aes256_decrypt nettle_ccm_aes256_decrypt +#define ccm_aes256_digest nettle_ccm_aes256_digest +#define ccm_aes256_encrypt_message nettle_ccm_aes256_encrypt_message +#define ccm_aes256_decrypt_message nettle_ccm_aes256_decrypt_message + +/* For CCM, the block size of the block cipher shall be 128 bits. */ +#define CCM_BLOCK_SIZE 16 + +/* Per-message state */ +struct ccm_ctx { + union nettle_block16 ctr; /* Counter for CTR encryption. */ + union nettle_block16 tag; /* CBC-MAC message tag. */ + /* Length of data processed by the CBC-MAC modulus the block size */ + unsigned int blength; +}; + +/* + * CCM mode requires the adata and message lengths when building the IV, which + * prevents streaming processing and it incompatible with the AEAD API. + */ +void +ccm_set_nonce(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t noncelen, const uint8_t *nonce, + size_t authlen, size_t msglen, size_t taglen); + +void +ccm_update(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, const uint8_t *data); + +void +ccm_encrypt(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, uint8_t *dst, const uint8_t *src); + +void +ccm_decrypt(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, uint8_t *dst, const uint8_t *src); + +void +ccm_digest(struct ccm_ctx *ctx, void *cipher, nettle_crypt_func *f, + size_t length, uint8_t *digest); + +/* + * All-in-one encryption and decryption API: + * tlength = sizeof(digest) + * mlength = sizeof(cleartext) + * clength = sizeof(ciphertext) = mlength + tlength + * + * The ciphertext will contain the encrypted payload with the message digest + * appended to the end. + */ +void +ccm_encrypt_message(void *cipher, nettle_crypt_func *f, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src); + +/* + * The decryption function will write the plaintext to dst and parse the digest + * from the final tlength bytes of the ciphertext. If the digest matched the + * value computed during decryption then this will return 1, or it will return + * 0 if the digest was invalid. + */ +int +ccm_decrypt_message(void *cipher, nettle_crypt_func *f, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src); + +/* CCM Mode with AES-128 */ +struct ccm_aes128_ctx { + struct ccm_ctx ccm; + struct aes128_ctx cipher; +}; + +void +ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key); + +void +ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, + size_t length, const uint8_t *nonce, + size_t authlen, size_t msglen, size_t taglen); + +void +ccm_aes128_update (struct ccm_aes128_ctx *ctx, + size_t length, const uint8_t *data); + +void +ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src); + +void +ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src); + +void +ccm_aes128_digest(struct ccm_aes128_ctx *ctx, + size_t length, uint8_t *digest); + +void +ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src); + +int +ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src); + +struct ccm_aes192_ctx { + struct ccm_ctx ccm; + struct aes192_ctx cipher; +}; + +/* CCM Mode with AES-192 */ +void +ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key); + +void +ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, + size_t length, const uint8_t *nonce, + size_t authlen, size_t msglen, size_t taglen); + +void +ccm_aes192_update(struct ccm_aes192_ctx *ctx, + size_t length, const uint8_t *data); + +void +ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src); + +void +ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src); + +void +ccm_aes192_digest(struct ccm_aes192_ctx *ctx, + size_t length, uint8_t *digest); + +void +ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src); + +int +ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src); + +/* CCM Mode with AES-256 */ +struct ccm_aes256_ctx { + struct ccm_ctx ccm; + struct aes256_ctx cipher; +}; + +void +ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key); + +void +ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, + size_t length, const uint8_t *nonce, + size_t authlen, size_t msglen, size_t taglen); + +void +ccm_aes256_update(struct ccm_aes256_ctx *ctx, + size_t length, const uint8_t *data); + +void +ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src); + +void +ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, + size_t length, uint8_t *dst, const uint8_t *src); + +void +ccm_aes256_digest(struct ccm_aes256_ctx *ctx, + size_t length, uint8_t *digest); + +void +ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src); + +int +ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, size_t tlength, + size_t clength, uint8_t *dst, const uint8_t *src); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_CCM_H_INCLUDED */ diff --git a/testsuite/.gitignore b/testsuite/.gitignore index 3b836af..8e5521b 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -11,6 +11,7 @@ /camellia-test /cast128-test /cbc-test +/ccm-test /ctr-test /cxx-test /des-compat-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 43079ec..16d107c 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -100,6 +100,9 @@ knuth-lfib-test$(EXEEXT): knuth-lfib-test.$(OBJEXT) cbc-test$(EXEEXT): cbc-test.$(OBJEXT) $(LINK) cbc-test.$(OBJEXT) $(TEST_OBJS) -o cbc-test$(EXEEXT) +ccm-test$(EXEEXT): ccm-test.$(OBJEXT) + $(LINK) ccm-test.$(OBJEXT) $(TEST_OBJS) -o ccm-test$(EXEEXT) + ctr-test$(EXEEXT): ctr-test.$(OBJEXT) $(LINK) ctr-test.$(OBJEXT) $(TEST_OBJS) -o ctr-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index d59a2cb..30611c7 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -25,7 +25,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ sha3-384-test.c sha3-512-test.c \ serpent-test.c twofish-test.c \ knuth-lfib-test.c \ - cbc-test.c ctr-test.c gcm-test.c eax-test.c \ + cbc-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \ poly1305-test.c chacha-poly1305-test.c \ hmac-test.c umac-test.c \ meta-hash-test.c meta-cipher-test.c meta-armor-test.c \ diff --git a/testsuite/ccm-test.c b/testsuite/ccm-test.c new file mode 100644 index 0000000..845d27f --- /dev/null +++ b/testsuite/ccm-test.c @@ -0,0 +1,713 @@ +/* ccm-test.c + * + * Self-test and vectors for CCM mode ciphers using AES-128 and AES-256. The + * test vectors have been collected from the following standards: + * NIST SP800-38C + * RFC 3610 + * IEEE 802.15.4-2011 + * IEEE P1619.1/D22 July 2007 (draft version) + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2014 Exegin Technologies Limited + * Copyright (C) 2014 Owen Kirby + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ +#include "testutils.h" +#include "aes.h" +#include "ccm.h" +#include "knuth-lfib.h" + +static void +test_compare_results(const char *name, + const struct tstring *adata, + /* Expected results. */ + const struct tstring *e_clear, + const struct tstring *e_cipher, + /* Actual results. */ + const void *clear, + const void *cipher, + const void *digest) /* digest optional. */ +{ + int tlength = (e_cipher->length - e_clear->length); + if (digest && tlength && !MEMEQ(tlength, e_cipher->data + e_clear->length, digest)) + { + fprintf(stderr, "%s digest failed:\nAdata:", name); + tstring_print_hex(adata); + fprintf(stderr, "\nInput: "); + tstring_print_hex(e_clear); + fprintf(stderr, "\nOutput: "); + print_hex(tlength, digest); + fprintf(stderr, "\nExpected:"); + print_hex(tlength, e_cipher->data + e_clear->length); + fprintf(stderr, "\n"); + FAIL(); + } + if (!MEMEQ(e_cipher->length, e_cipher->data, cipher)) + { + fprintf(stderr, "%s: encryption failed\nAdata: ", name); + tstring_print_hex(adata); + fprintf(stderr, "\nInput: "); + tstring_print_hex(e_clear); + fprintf(stderr, "\nOutput: "); + print_hex(e_cipher->length, cipher); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(e_cipher); + fprintf(stderr, "\n"); + FAIL(); + } + if (!MEMEQ(e_clear->length, e_clear->data, clear)) + { + fprintf(stderr, "%s decrypt failed:\nAdata:", name); + tstring_print_hex(adata); + fprintf(stderr, "\nInput: "); + tstring_print_hex(e_cipher); + fprintf(stderr, "\nOutput: "); + print_hex(e_clear->length, clear); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(e_clear); + fprintf(stderr, "\n"); + FAIL(); + } +} /* test_compare_results */ + +static void +test_cipher_ccm(const struct nettle_cipher *cipher, + const struct tstring *key, + const struct tstring *nonce, + const struct tstring *authdata, + int repeat, + const struct tstring *cleartext, + const struct tstring *ciphertext) +{ + void *ctx = xalloc(cipher->context_size); + uint8_t *en_data; + uint8_t *de_data; + uint8_t *en_digest; + uint8_t de_digest[CCM_BLOCK_SIZE]; + size_t tlength; + struct ccm_ctx ccm; + int i; + + ASSERT (key->length == cipher->key_size); + ASSERT (cleartext->length <= ciphertext->length); + ASSERT ((cleartext->length + CCM_BLOCK_SIZE) >= ciphertext->length); + tlength = ciphertext->length - cleartext->length; + if (!authdata) repeat = 0; + + de_data = xalloc(cleartext->length); + en_data = xalloc(ciphertext->length); + en_digest = en_data + cleartext->length; + cipher->set_encrypt_key(ctx, key->data); + + /* Encrypt using the incremental API. */ + ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, + authdata->length * repeat, cleartext->length, tlength); + for (i = 0; i < repeat; i++) { + ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); + } + ccm_encrypt(&ccm, ctx, cipher->encrypt, cleartext->length, en_data, cleartext->data); + ccm_digest(&ccm, ctx, cipher->encrypt, tlength, en_digest); + + /* Decrypt using the incremental API. */ + ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, + authdata->length * repeat, cleartext->length, tlength); + for (i = 0; i < repeat; i++) { + ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); + } + ccm_decrypt(&ccm, ctx, cipher->encrypt, cleartext->length, de_data, ciphertext->data); + ccm_digest(&ccm, ctx, cipher->encrypt, tlength, de_digest); + + /* Compare results using the generic API. */ + test_compare_results("CCM", authdata, + cleartext, ciphertext, de_data, en_data, de_digest); + + /* Ensure we get the same answers using the all-in-one API. */ + if (repeat <= 1) { + int ret; + memset(de_data, 0, cleartext->length); + memset(en_data, 0, ciphertext->length); + memset(de_digest, 0, sizeof(de_digest)); + + ccm_encrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, + authdata->length, authdata->data, tlength, ciphertext->length, en_data, cleartext->data); + + ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, + authdata->length, authdata->data, tlength, ciphertext->length, de_data, ciphertext->data); + + if (ret != 1) fprintf(stderr, "ccm_decrypt_message failed to validate message\n"); + test_compare_results("CCM_MSG", authdata, + cleartext, ciphertext, de_data, en_data, NULL); + + /* Ensure that we can detect corrupted message or tag data. */ + if (tlength) { + en_data[0] ^= 1; + ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, + authdata->length, authdata->data, tlength, ciphertext->length, de_data, en_data); + if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); + } + /* Ensure we can detect corrupted adata. */ + if (tlength && authdata->length) { + ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, + authdata->length-1, authdata->data, tlength, ciphertext->length, de_data, ciphertext->data); + if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); + } + } + + /* Ensure we get the same answers using the per-cipher API. */ + if (cipher == &nettle_aes128) { + struct ccm_aes128_ctx aes; + memset(de_data, 0, cleartext->length); + memset(en_data, 0, ciphertext->length); + memset(de_digest, 0, sizeof(de_digest)); + + /* AES-128 encrypt. */ + ccm_aes128_set_key(&aes, key->data); + ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, + authdata->length * repeat, cleartext->length, tlength); + for (i = 0; i < repeat; i++) { + ccm_aes128_update(&aes, authdata->length, authdata->data); + } + ccm_aes128_encrypt(&aes, cleartext->length, en_data, cleartext->data); + ccm_aes128_digest(&aes, tlength, en_digest); + + /* AES-128 decrypt. */ + ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, + authdata->length * repeat, cleartext->length, tlength); + for (i = 0; i < repeat; i++) { + ccm_aes128_update(&aes, authdata->length, authdata->data); + } + ccm_aes128_decrypt(&aes, cleartext->length, de_data, ciphertext->data); + ccm_aes128_digest(&aes, tlength, de_digest); + + test_compare_results("CCM_AES_128", authdata, + cleartext, ciphertext, de_data, en_data, de_digest); + } + /* TODO: I couldn't find any test cases for CCM-AES-192 */ + if (cipher == &nettle_aes256) { + struct ccm_aes256_ctx aes; + memset(de_data, 0, cleartext->length); + memset(en_data, 0, ciphertext->length); + memset(de_digest, 0, sizeof(de_digest)); + + /* AES-256 encrypt. */ + ccm_aes256_set_key(&aes, key->data); + ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, + authdata->length * repeat, cleartext->length, tlength); + for (i = 0; i < repeat; i++) { + ccm_aes256_update(&aes, authdata->length, authdata->data); + } + ccm_aes256_encrypt(&aes, cleartext->length, en_data, cleartext->data); + ccm_aes256_digest(&aes, tlength, en_digest); + + /* AES-256 decrypt. */ + ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, + authdata->length * repeat, cleartext->length, tlength); + for (i = 0; i < repeat; i++) { + ccm_aes256_update(&aes, authdata->length, authdata->data); + } + ccm_aes256_decrypt(&aes, cleartext->length, de_data, ciphertext->data); + ccm_aes256_digest(&aes, tlength, de_digest); + + test_compare_results("CCM_AES_256", authdata, + cleartext, ciphertext, de_data, en_data, de_digest); + } + + free(ctx); + free(en_data); + free(de_data); +} + +void +test_main(void) +{ + /* Create a pattern of 00010203 04050607 08090a00b 0c0d0e0f ... */ + struct tstring *adata; + unsigned int i; + adata = tstring_alloc(256); + for (i=0; i<adata->length; i++) adata->data[i] = (i & 0xff); + + /* From NIST spec 800-38C on AES modes. + * + * Appendix C: Example Vectors + */ + /* + * C.1 Example 1 + * Klen = 128, Tlen = 32, Nlen = 56, Alen = 64, Plen = 32 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("404142434445464748494a4b4c4d4e4f"), + SHEX("10111213141516"), + SHEX("0001020304050607"), 1, + SHEX("20212223"), + SHEX("7162015b" + "4dac255d")); + + /* + * C.2 Example 2 + * Klen = 128, Tlen = 48, Nlen = 64, Alen = 128, Plen = 128 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("404142434445464748494a4b4c4d4e4f"), + SHEX("1011121314151617"), + SHEX("000102030405060708090a0b0c0d0e0f"), 1, + SHEX("202122232425262728292a2b2c2d2e2f"), + SHEX("d2a1f0e051ea5f62081a7792073d593d" + "1fc64fbfaccd")); + + /* + * C.3 Example 3 + * Klen = 128, Tlen = 64, Nlen = 96, Alen = 160, Plen = 192 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("404142434445464748494a4b4c4d4e4f"), + SHEX("101112131415161718191a1b"), + SHEX("000102030405060708090a0b0c0d0e0f" + "10111213"), 1, + SHEX("202122232425262728292a2b2c2d2e2f" + "3031323334353637"), + SHEX("e3b201a9f5b71a7a9b1ceaeccd97e70b" + "6176aad9a4428aa5 484392fbc1b09951")); + + /* + * C.4 Example 4 + * Klen = 128, Tlen = 112, Nlen = 104, Alen = 524288, Plen = 256 + * A = 00010203 04050607 08090a0b 0c0d0e0f + * 10111213 ... + */ + test_cipher_ccm(&nettle_aes128, + SHEX("404142434445464748494a4b4c4d4e4f"), + SHEX("101112131415161718191a1b1c"), + adata, 256, + SHEX("202122232425262728292a2b2c2d2e2f" + "303132333435363738393a3b3c3d3e3f"), + SHEX("69915dad1e84c6376a68c2967e4dab61" + "5ae0fd1faec44cc484828529463ccf72" + "b4ac6bec93e8598e7f0dadbcea5b")); + + /* From RFC 3610 + * + * Section 8: Test Vectors + * Packet Vector #1 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07"), 1, + SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), + SHEX("58 8C 97 9A 61 C6 63 D2 F0 66 D0 C2 C0 F9 89 80 6D 5F 6B 61 DA C3 84" + "17 E8 D1 2C FD F9 26 E0")); + + /* + * Packet Vector #2 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07"), 1, + SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), + SHEX("72 C9 1A 36 E1 35 F8 CF 29 1C A8 94 08 5C 87 E3 CC 15 C4 39 C9 E4 3A 3B" + "A0 91 D5 6E 10 40 09 16")); + + /* + * Packet Vector #3 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07"), 1, + SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), + SHEX("51 B1 E5 F4 4A 19 7D 1D A4 6B 0F 8E 2D 28 2A E8 71 E8 38 BB 64 DA 85 96 57" + "4A DA A7 6F BD 9F B0 C5")); + + /* + * Packet Vector #4 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, + SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), + SHEX("A2 8C 68 65 93 9A 9A 79 FA AA 5C 4C 2A 9D 4A 91 CD AC 8C" + "96 C8 61 B9 C9 E6 1E F1")); + + /* + * Packet Vector #5 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, + SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), + SHEX("DC F1 FB 7B 5D 9E 23 FB 9D 4E 13 12 53 65 8A D8 6E BD CA 3E" + "51 E8 3F 07 7D 9C 2D 93")); + + /* + * Packet Vector #6 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, + SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), + SHEX("6F C1 B0 11 F0 06 56 8B 51 71 A4 2D 95 3D 46 9B 25 70 A4 BD 87" + "40 5A 04 43 AC 91 CB 94")); + + /* + * Packet Vector #7 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07"), 1, + SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), + SHEX("01 35 D1 B2 C9 5F 41 D5 D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C" + "04 8C 56 60 2C 97 AC BB 74 90")); + + /* + * Packet Vector #8 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07"), 1, + SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), + SHEX("7B 75 39 9A C0 83 1D D2 F0 BB D7 58 79 A2 FD 8F 6C AE 6B 6C D9 B7 DB 24" + "C1 7B 44 33 F4 34 96 3F 34 B4")); + + /* + * Packet Vector #9 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07"), 1, + SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), + SHEX("82 53 1A 60 CC 24 94 5A 4B 82 79 18 1A B5 C8 4D F2 1C E7 F9 B7 3F 42 E1 97" + "EA 9C 07 E5 6B 5E B1 7E 5F 4E")); + + /* + * Packet Vector #10 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, + SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), + SHEX("07 34 25 94 15 77 85 15 2B 07 40 98 33 0A BB 14 1B 94 7B" + "56 6A A9 40 6B 4D 99 99 88 DD")); + + /* + * Packet Vector #11 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, + SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), + SHEX("67 6B B2 03 80 B0 E3 01 E8 AB 79 59 0A 39 6D A7 8B 83 49 34" + "F5 3A A2 E9 10 7A 8B 6C 02 2C")); + + /* + * Packet Vector #12 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5"), + SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, + SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), + SHEX("C0 FF A0 D6 F0 5B DB 67 F2 4D 43 A4 33 8D 2A A4 BE D7 B2 0E 43" + "CD 1A A3 16 62 E7 AD 65 D6 DB")); + + /* + * Packet Vector #13 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA"), + SHEX("0B E1 A8 8B AC E0 18 B1"), 1, + SHEX("08 E8 CF 97 D8 20 EA 25 84 60 E9 6A D9 CF 52 89 05 4D 89 5C EA C4 7C"), + SHEX("4C B9 7F 86 A2 A4 68 9A 87 79 47 AB 80 91 EF 53 86 A6 FF BD D0 80 F8" + "E7 8C F7 CB 0C DD D7 B3")); + + /* + * Packet Vector #14 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 33 56 8E F7 B2 63 3C 96 96 76 6C FA"), + SHEX("63 01 8F 76 DC 8A 1B CB"), 1, + SHEX("90 20 EA 6F 91 BD D8 5A FA 00 39 BA 4B AF F9 BF B7 9C 70 28 94 9C D0 EC"), + SHEX("4C CB 1E 7C A9 81 BE FA A0 72 6C 55 D3 78 06 12 98 C8 5C 92 81 4A BC 33" + "C5 2E E8 1D 7D 77 C0 8A")); + + /* + * Packet Vector #15 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 10 3F E4 13 36 71 3C 96 96 76 6C FA"), + SHEX("AA 6C FA 36 CA E8 6B 40"), 1, + SHEX("B9 16 E0 EA CC 1C 00 D7 DC EC 68 EC 0B 3B BB 1A 02 DE 8A 2D 1A A3 46 13 2E"), + SHEX("B1 D2 3A 22 20 DD C0 AC 90 0D 9A A0 3C 61 FC F4 A5 59 A4 41 77 67 08 97 08" + "A7 76 79 6E DB 72 35 06")); + + /* + * Packet Vector #16 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA"), + SHEX("D0 D0 73 5C 53 1E 1B EC F0 49 C2 44"), 1, + SHEX("12 DA AC 56 30 EF A5 39 6F 77 0C E1 A6 6B 21 F7 B2 10 1C"), + SHEX("14 D2 53 C3 96 7B 70 60 9B 7C BB 7C 49 91 60 28 32 45 26" + "9A 6F 49 97 5B CA DE AF")); + + /* + * Packet Vector #17 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA"), + SHEX("77 B6 0F 01 1C 03 E1 52 58 99 BC AE"), 1, + SHEX("E8 8B 6A 46 C7 8D 63 E5 2E B8 C5 46 EF B5 DE 6F 75 E9 CC 0D"), + SHEX("55 45 FF 1A 08 5E E2 EF BF 52 B2 E0 4B EE 1E 23 36 C7 3E 3F" + "76 2C 0C 77 44 FE 7E 3C")); + + /* + * Packet Vector #18 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA"), + SHEX("CD 90 44 D2 B7 1F DB 81 20 EA 60 C0"), 1, + SHEX("64 35 AC BA FB 11 A8 2E 2F 07 1D 7C A4 A5 EB D9 3A 80 3B A8 7F"), + SHEX("00 97 69 EC AB DF 48 62 55 94 C5 92 51 E6 03 57 22 67 5E 04 C8" + "47 09 9E 5A E0 70 45 51")); + + /* + * Packet Vector #19 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA"), + SHEX("D8 5B C7 E6 9F 94 4F B8"), 1, + SHEX("8A 19 B9 50 BC F7 1A 01 8E 5E 67 01 C9 17 87 65 98 09 D6 7D BE DD 18"), + SHEX("BC 21 8D AA 94 74 27 B6 DB 38 6A 99 AC 1A EF 23 AD E0 B5 29 39 CB 6A" + "63 7C F9 BE C2 40 88 97 C6 BA")); + + /* + * Packet Vector #20 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA"), + SHEX("74 A0 EB C9 06 9F 5B 37"), 1, + SHEX("17 61 43 3C 37 C5 A3 5F C1 F3 9F 40 63 02 EB 90 7C 61 63 BE 38 C9 84 37"), + SHEX("58 10 E6 FD 25 87 40 22 E8 03 61 A4 78 E3 E9 CF 48 4A B0 4F 44 7E FF F6" + "F0 A4 77 CC 2F C9 BF 54 89 44")); + + /* + * Packet Vector #21 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA"), + SHEX("44 A3 AA 3A AE 64 75 CA"), 1, + SHEX("A4 34 A8 E5 85 00 C6 E4 15 30 53 88 62 D6 86 EA 9E 81 30 1B 5A E4 22 6B FA"), + SHEX("F2 BE ED 7B C5 09 8E 83 FE B5 B3 16 08 F8 E2 9C 38 81 9A 89 C8 E7 76 F1 54" + "4D 41 51 A4 ED 3A 8B 87 B9 CE")); + + /* + * Packet Vector #22 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA"), + SHEX("EC 46 BB 63 B0 25 20 C3 3C 49 FD 70"), 1, + SHEX("B9 6B 49 E2 1D 62 17 41 63 28 75 DB 7F 6C 92 43 D2 D7 C2"), + SHEX("31 D7 50 A0 9D A3 ED 7F DD D4 9A 20 32 AA BF 17 EC 8E BF" + "7D 22 C8 08 8C 66 6B E5 C1 97")); + + /* + * Packet Vector #23 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA"), + SHEX("47 A6 5A C7 8B 3D 59 42 27 E8 5E 71"), 1, + SHEX("E2 FC FB B8 80 44 2C 73 1B F9 51 67 C8 FF D7 89 5E 33 70 76"), + SHEX("E8 82 F1 DB D3 8C E3 ED A7 C2 3F 04 DD 65 07 1E B4 13 42 AC" + "DF 7E 00 DC CE C7 AE 52 98 7D")); + + /* + * Packet Vector #24 + */ + test_cipher_ccm(&nettle_aes128, + SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), + SHEX("00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA"), + SHEX("6E 37 A6 EF 54 6D 95 5D 34 AB 60 59"), 1, + SHEX("AB F2 1C 0B 02 FE B8 8F 85 6D F4 A3 73 81 BC E3 CC 12 85 17 D4"), + SHEX("F3 29 05 B8 8A 64 1B 04 B9 C9 FF B5 8C C3 90 90 0F 3D A1 2A B1" + "6D CE 9E 82 EF A1 6D A6 20 59")); + + /* From IEEE 802.15.4-2011 + * + * Annex C: Test vectors for cryptographic building blocks + * C.2.1 MAC beacon frame + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 02"), + SHEX("08 D0 84 21 43 01 00 00 00 00 48 DE AC 02 05 00 00 00 55 CF 00 00 51 52 53 54"), 1, + SHEX(""), + SHEX("22 3B C1 EC 84 1A B5 53")); + + /* + * C.2.2 MAC data frame + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 04"), + SHEX("69 DC 84 21 43 02 00 00 00 00 48 DE AC 01 00 00 00 00 48 DE AC 04 05 00 00 00"), 1, + SHEX("61 62 63 64"), + SHEX("D4 3E 02 2B")); + + /* + * C.2.3 MAC command frame + */ + test_cipher_ccm(&nettle_aes128, + SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), + SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 06"), + SHEX("2B DC 84 21 43 02 00 0000 00 48 DE AC FF FF 01 00 00 00 00 48 DE AC 06 05 00 00 00 01"), 1, + SHEX("CE"), + SHEX("D8 4F DE 52 90 61 F9 C6 F1")); + + /* From IEEE P1619.1/D22 July 2007 (draft version) + * + * Annex D: Test Vectors + * D.2.1 CCM-128-AES-256 test vector 1 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("0000000000000000000000000000000000000000000000000000000000000000"), + SHEX("000000000000000000000000"), + SHEX(""), 0, + SHEX("00000000000000000000000000000000"), + SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" + "4b0a3e5e51f151eb0ffae7c43d010fdb")); + + /* + * D.2.2 CCM-128-AES-256 test vector 2 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("0000000000000000000000000000000000000000000000000000000000000000"), + SHEX("000000000000000000000000"), + SHEX("00000000000000000000000000000000"), 1, + SHEX(""), + SHEX("904704e89fb216443cb9d584911fc3c2")); + + /* + * D.2.3 CCM-128-AES-256 test vector 3 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("0000000000000000000000000000000000000000000000000000000000000000"), + SHEX("000000000000000000000000"), + SHEX("00000000000000000000000000000000"), 1, + SHEX("00000000000000000000000000000000"), + SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" + "87314e9c1fa01abe6a6415943dc38521")); + + /* + * D.2.4 CCM-128-AES-256 test vector 4 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce60978f4d17fce45a49e830b7"), + SHEX("dbd1a3636024b7b402da7d6f"), + SHEX(""), 0, + SHEX("a845348ec8c5b5f126f50e76fefd1b1e"), + SHEX("cc881261c6a7fa72b96a1739176b277f" + "3472e1145f2c0cbe146349062cf0e423")); + + /* + * D.2.5 CCM-128-AES-256 test vector 5 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), + SHEX("101112131415161718191a1b"), + SHEX("000102030405060708090a0b0c0d0e0f10111213"), 1, + SHEX("202122232425262728292a2b2c2d2e2f3031323334353637"), + SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e5" + "9bba3f3a107f3239bd63902923f80371")); + + /* + * D.2.6 CCM-128-AES-256 test vector 6 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), + SHEX("101112131415161718191a1b"), + adata, 256, + SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), + SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e577f6bf2422c0f6d2" + "3376d2cf256ef613c56454cbb5265834")); + + /* + * D.2.7 CCM-128-AES-256 test vector 7 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), + SHEX("101112131415161718191a1b"), + SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), 1, + SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" + "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" + "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" + "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), + SHEX("24d8a38e939d2710cad52b96fe6f82010014c4c43b2e55c557d69f0402e0d6f2" + "06c53d6cbd3f1c3c6de5dcdcad9fb74f25741dea741149fe4278a0cc24741e86" + "58cc0523b8d7838c60fb1de4b7c3941f5b26dea9322aa29656ec37ac18a9b108" + "a6f38b7917f5a9c398838b22afbd17252e96694a9e6237964a0eae21c0a6e152" + "15a0e82022926be97268249599e456e05029c3ebc07d78fc5b4a0862e04e68c2" + "9514c7bdafc4b52e04833bf30622e4eb42504a44a9dcbc774752de7bb82891ad" + "1eba9dc3281422a8aba8654268d3d9c81705f4c5a531ef856df5609a159af738" + "eb753423ed2001b8f20c23725f2bef18c409f7e52132341f27cb8f0e79894dd9" + "ebb1fa9d28ccfe21bdfea7e6d91e0bab")); + + /* + * D.2.8 CCM-128-AES-256 test vector 8 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce6097878d17fce45a49e830b7"), + SHEX("dbd1a3636024b7b402da7d6f"), + SHEX("36"), 1, + SHEX("a9"), + SHEX("9d3261b1cf931431e99a32806738ecbd2a")); + + /* + * D.2.9 CCM-128-AES-256 test vector 9 + */ + test_cipher_ccm(&nettle_aes256, + SHEX("f8d476cfd646ea6c2384cb1c27d6195dfef1a9f37b9c8d21a79c21f8cb90d289"), + SHEX("dbd1a3636024b7b402da7d6f"), + SHEX("7bd859a247961a21823b380e9fe8b65082ba61d3"), 1, + SHEX("90ae61cf7baebd4cade494c54a29ae70269aec71"), + SHEX("6c05313e45dc8ec10bea6c670bd94f31569386a6" + "8f3829e8e76ee23c04f566189e63c686")); +} -- 1.7.9.5

2 6

Side-channel silet memcmp
by nisse＠lysator.liu.se 28 Apr '14

28 Apr '14

There are lots of authentication functions which end by comparing two digests. The recent ccm_decrypt_message is typical, ending with return (memcmp(tag, src + mlength, tlength) == 0); This can leak information (via cache or timing) on the position of the first difference, which might cause problems in some situations. Would it be a good idea to add a side-channel silent memory comparison function? The hardest question is, as often, how it should be named. But it should be pretty easy to implement, I think int mem_equal (const void *ap, const void *bp, size_t n) { volatile const unsigned char *a = ap; volatile const unsigned char *b = bp volatile unsigned char d; size_t i; for (i = d = 0; i < n; i++) d |= a[i] ^ b[i]; return d == 0; } should do (even if maybe volatile const is an unusual combination of qualifiers). Is this a good name? The nacl library (by djb et al) includes similar functions, see http://nacl.cr.yp.to/verify.html. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.

3 7

Rename, MD5_DATA_SIZE -> MD5_BLOCK_SIZE, etc ?
by nisse＠lysator.liu.se 25 Apr '14

25 Apr '14

In another forum, it was suggested that UMAC_DATA_SIZE be renamed to UMAC_BLOCK_SIZE, and for consistency one could do the same with, e.g., MD5_DATA_SIZE. For the time being, the old names should be kept for backwards compatibility. Unlike block sizes for ciphers, these *_DATA_SIZE constants are rarely needed by applications; they are in the public headers mainly because they determine the buffer sizes in the context structs, and they are also needed for the HMAC construction. So the naming is not totally illogical, but I think using *_BLOCK_SIZE would be more consistent. What do you think? Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.

1 1

Feature removals
by nisse＠lysator.liu.se 11 Apr '14

11 Apr '14

I'm considering removing the following features: * des-compat.h and all its functions. This provides some level of compatiblity with libdes (and possibly also old versions of openssl/ssleay). I've not heard of anyone actually using this. * rsa-compat.h and all its functions. Compatibility with RSAREF. I've never heard of anyone actually using this either. * The nettle_next_prime function. No longer used internally in Nettle's key generation functions, and applications should use the corresponding GMP function instead. Any objections? If you know of any use of these features, please speak up. (In case a feature is removed and it later turns out to be a mistake, I'm open to reintroduce features in an update, but I believe there's little need to keep these around). And any other cruft which should be removed while we're at it? Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.

3 3

[PATCH] Enabled tests for openssl curves secp256r1 and secp192r1.
by Nikos Mavrogiannopoulos 10 Apr '14

10 Apr '14

This patch allows comparing the performance differences in secp256r1 (the curve mostly used in the web), between nettle and openssl. regards, Nikos

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs April 2014