nettle-bugs January 2018

nettle-bugs@lists.lysator.liu.se

7 participants
13 discussions

[PATCH 0/8] Implement Curve448 ECDH and Ed448
by Daiki Ueno 03 Jan '20

03 Jan '20

Hello, This patch series implements the Curve448 Diffie-Hellman protocol (RFC 7748) and the Ed448 signature scheme (RFC 8032). Although I tried to make it as close as possible to the Curve25519 and Ed25519 implementations, I had to add a few special cases, namely: - for Curve448, eccdata directly calculates points on the Edwards curve instead of the equivalent Montgomery curve - untwisted versions of ecc_add_eh* and ecc_dup_eh are added - the point decoding for Ed448 uses a different formula to recover u and v Also, optimized implementation of modular reduction is currently missing, which is beyond my expertise. I would appreciate any suggestions regarding that. The patches are also available on: https://gitlab.com/dueno/nettle/commits/wip/dueno/ed448 Thanks to Hubert Kario and Nikos Mavrogiannopoulos for initial reviews. Daiki Ueno (8): ecc-mul-test: Fix mpn_cmp calls eccdata: Emit correct ecc_Bmodq_shifted for curve448 eccdata: Redirect ecc_point_out to given stream, instead of stderr ecc: Add add_hh and dup members to ecc_curve ecc-eh-to-a, eddsa-sign: Parameterize hard-coded value Implement curve448 primitives Implement SHAKE128/256 functions Implement Ed448 signature scheme .gitignore | 1 + Makefile.in | 18 +- curve448-eh-to-x.c | 73 + curve448-mul-g.c | 74 + curve448-mul.c | 148 + curve448.h | 58 + ecc-192.c | 5 + ecc-224.c | 5 + ecc-25519.c | 5 + ecc-256.c | 5 + ecc-384.c | 5 + ecc-448.c | 273 ++ ecc-521.c | 5 + ecc-add-eh.c | 74 +- ecc-add-ehh.c | 77 +- ecc-dup-eh.c | 55 +- ecc-eh-to-a.c | 4 +- ecc-internal.h | 57 +- ecc-mul-a-eh.c | 12 +- ecc-mul-g-eh.c | 4 +- ecc-point-mul-g.c | 7 +- ecc-point-mul.c | 2 +- ecc-point.c | 15 + eccdata.c | 183 +- ecdsa-keygen.c | 4 +- ed25519-sha512-sign.c | 15 + ed448-shake256-pubkey.c | 60 + ed448-shake256-sign.c | 92 + ed448-shake256-verify.c | 66 + eddsa-compress.c | 11 +- eddsa-decompress.c | 15 +- eddsa-expand.c | 20 +- eddsa-hash.c | 35 + eddsa-pubkey.c | 2 +- eddsa-sign.c | 18 +- eddsa-verify.c | 16 +- eddsa.h | 24 + examples/ecc-benchmark.c | 1 + nettle-internal.h | 2 +- nettle-meta-hashes.c | 2 + nettle-meta.h | 2 + nettle.texinfo | 152 +- sha3.c | 13 + sha3.h | 56 + shake128-meta.c | 42 + shake128.c | 84 + shake256-meta.c | 42 + shake256.c | 84 + testsuite/.test-rules.make | 12 + testsuite/Makefile.in | 5 +- testsuite/curve448-dh-test.c | 100 + testsuite/ecc-add-test.c | 48 +- testsuite/ecc-dup-test.c | 12 +- testsuite/ecc-mul-a-test.c | 6 +- testsuite/ecc-mul-g-test.c | 6 +- testsuite/ecdh-test.c | 16 +- testsuite/ecdsa-keygen-test.c | 16 + testsuite/ed448-test.c | 240 ++ testsuite/eddsa-compress-test.c | 137 +- testsuite/eddsa-sign-test.c | 66 +- testsuite/eddsa-verify-test.c | 49 +- testsuite/meta-hash-test.c | 2 + testsuite/shake.awk | 14 + testsuite/shake128-test.c | 6183 +++++++++++++++++++++++++++++++++++++++ testsuite/shake256-test.c | 6183 +++++++++++++++++++++++++++++++++++++++ testsuite/testutils.c | 57 +- 66 files changed, 14976 insertions(+), 199 deletions(-) create mode 100644 curve448-eh-to-x.c create mode 100644 curve448-mul-g.c create mode 100644 curve448-mul.c create mode 100644 curve448.h create mode 100644 ecc-448.c create mode 100644 ed448-shake256-pubkey.c create mode 100644 ed448-shake256-sign.c create mode 100644 ed448-shake256-verify.c create mode 100644 shake128-meta.c create mode 100644 shake128.c create mode 100644 shake256-meta.c create mode 100644 shake256.c create mode 100644 testsuite/curve448-dh-test.c create mode 100644 testsuite/ed448-test.c create mode 100755 testsuite/shake.awk create mode 100644 testsuite/shake128-test.c create mode 100644 testsuite/shake256-test.c -- 2.13.3

2 35

API for new AEAD modes
by Nikos Mavrogiannopoulos 01 Jun '18

01 Jun '18

Hi, As it is now AEAD ciphers in nettle are supported with their own API. AES-CCM provides: ccm_aes128_set_key ccm_aes128_set_nonce ccm_aes128_update ccm_aes128_encrypt ccm_aes128_decrypt ccm_aes128_digest ccm_aes128_encrypt_message ccm_aes128_decrypt_message AES-GCM: gcm_aes128_set_key gcm_aes128_update gcm_aes128_set_iv gcm_aes128_encrypt gcm_aes128_decrypt gcm_aes128_digest chacha-poly1305: chacha_poly1305_set_key chacha_poly1305_set_nonce chacha_poly1305_update chacha_poly1305_encrypt chacha_poly1305_decrypt chacha_poly1305_digest ccm_aes128_set_nonce takes different parameters from the chacha and gcm equivalent function. Furthermore the AEAD modes for block ciphers include an abstract layer which can be re-used of other ciphers. For example the GCM mode abstraction is re-used for camellia as well. So overall there is a kind of "abstract" API followed with the set_key, set_nonce, update, encrypt/decrypt, however these have not always the same parameters as in the CCM case. I'm checking the AES-SIV-CMAC mode which cannot even be put in that abstraction as the MAC in SIV is the IV and thus the MAC-style API doesn't really suit it. My understanding is that AEAD modes according to RFC5116 need to have 4 inputs: key, nonce, associated data, plaintext so the CCM encrypt and decrypt message seem to be the closer to that API. Would it make sense to standardize on these, and only provide that API for AEAD modes? The reason I'm asking is because SIV could benefit of a very custom API as well because it can take advantage of multiple associated data, but in the end I believe AEAD is about simplicity. Providing a unique API per AEAD cipher seems to me quite contradictory to that goal. regards, Nikos

4 6

cmac
by Nikos Mavrogiannopoulos 22 Feb '18

22 Feb '18

Hi, The attached patch brings support for AES-128-CMAC. The code is based on the samba code. The rshift and lshift functions come from the AES implementation bundled with samba. regards, Nikos

3 14

[PATCH v2 1/2] Implement PSS encoding functions
by Daiki Ueno 20 Feb '18

20 Feb '18

From: Daiki Ueno <dueno(a)redhat.com> Signed-off-by: Daiki Ueno <dueno(a)redhat.com> --- There was an obvious buffer overrun in mgf1-test.c, which should be fixed in this version. --- Makefile.in | 5 +- mgf1-sha256.c | 47 +++++++++++ mgf1-sha384.c | 47 +++++++++++ mgf1-sha512.c | 47 +++++++++++ mgf1.c | 72 +++++++++++++++++ mgf1.h | 70 ++++++++++++++++ nettle-types.h | 3 + pss-sha256.c | 64 +++++++++++++++ pss-sha512.c | 90 +++++++++++++++++++++ pss.c | 195 +++++++++++++++++++++++++++++++++++++++++++++ pss.h | 105 ++++++++++++++++++++++++ testsuite/.test-rules.make | 6 ++ testsuite/Makefile.in | 4 +- testsuite/mgf1-test.c | 23 ++++++ testsuite/pss-test.c | 35 ++++++++ 15 files changed, 810 insertions(+), 3 deletions(-) create mode 100644 mgf1-sha256.c create mode 100644 mgf1-sha384.c create mode 100644 mgf1-sha512.c create mode 100644 mgf1.c create mode 100644 mgf1.h create mode 100644 pss-sha256.c create mode 100644 pss-sha512.c create mode 100644 pss.c create mode 100644 pss.h create mode 100644 testsuite/mgf1-test.c create mode 100644 testsuite/pss-test.c diff --git a/Makefile.in b/Makefile.in index 135542f..035074c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -110,6 +110,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-compress.c md5-compat.c md5-meta.c \ memeql-sec.c memxor.c memxor3.c \ + mgf1.c mgf1-sha256.c mgf1-sha384.c mgf1-sha512.c \ nettle-meta-aeads.c nettle-meta-armors.c \ nettle-meta-ciphers.c nettle-meta-hashes.c \ pbkdf2.c pbkdf2-hmac-sha1.c pbkdf2-hmac-sha256.c \ @@ -144,6 +145,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ pkcs1.c pkcs1-encrypt.c pkcs1-decrypt.c \ pkcs1-rsa-digest.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \ pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \ + pss.c pss-sha256.c pss-sha512.c \ rsa.c rsa-sign.c rsa-sign-tr.c rsa-verify.c \ rsa-pkcs1-sign.c rsa-pkcs1-sign-tr.c rsa-pkcs1-verify.c \ rsa-md5-sign.c rsa-md5-sign-tr.c rsa-md5-verify.c \ @@ -194,9 +196,10 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ md2.h md4.h \ md5.h md5-compat.h \ memops.h memxor.h \ + mgf1.h \ nettle-meta.h nettle-types.h \ pbkdf2.h \ - pgp.h pkcs1.h realloc.h ripemd160.h rsa.h \ + pgp.h pkcs1.h pss.h realloc.h ripemd160.h rsa.h \ salsa20.h sexp.h \ serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \ umac.h yarrow.h poly1305.h diff --git a/mgf1-sha256.c b/mgf1-sha256.c new file mode 100644 index 0000000..11e908c --- /dev/null +++ b/mgf1-sha256.c @@ -0,0 +1,47 @@ +/* mgf1-sha256.c + + PKCS#1 mask generation function 1, based on SHA-256. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "mgf1.h" + +#include "nettle-meta.h" + +int +mgf1_sha256(const struct sha256_ctx *hash, size_t mask_length, uint8_t *mask) +{ + struct sha256_ctx state; + return mgf1(hash, &state, &nettle_sha256, mask_length, mask); +} diff --git a/mgf1-sha384.c b/mgf1-sha384.c new file mode 100644 index 0000000..5dd2b07 --- /dev/null +++ b/mgf1-sha384.c @@ -0,0 +1,47 @@ +/* mgf1-sha384.c + + PKCS#1 mask generation function 1, based on SHA-384. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "mgf1.h" + +#include "nettle-meta.h" + +int +mgf1_sha384(const struct sha384_ctx *hash, size_t mask_length, uint8_t *mask) +{ + struct sha384_ctx state; + return mgf1(hash, &state, &nettle_sha384, mask_length, mask); +} diff --git a/mgf1-sha512.c b/mgf1-sha512.c new file mode 100644 index 0000000..d1fba5f --- /dev/null +++ b/mgf1-sha512.c @@ -0,0 +1,47 @@ +/* mgf1-sha512.c + + PKCS#1 mask generation function 1, based on SHA-512. + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "mgf1.h" + +#include "nettle-meta.h" + +int +mgf1_sha512(const struct sha512_ctx *hash, size_t mask_length, uint8_t *mask) +{ + struct sha512_ctx state; + return mgf1(hash, &state, &nettle_sha512, mask_length, mask); +} diff --git a/mgf1.c b/mgf1.c new file mode 100644 index 0000000..a96b086 --- /dev/null +++ b/mgf1.c @@ -0,0 +1,72 @@ +/* mgf1.c + + PKCS#1 mask generation function 1 (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "mgf1.h" + +#include <assert.h> +#include <string.h> + +#include "nettle-internal.h" + +#define MGF1_MIN(a,b) ((a) < (b) ? (a) : (b)) + +int +mgf1(void *seed, void *state, const struct nettle_hash *hash, + size_t mask_length, uint8_t *mask) +{ + TMP_DECL(h, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); + size_t i, blocks; + uint8_t c[4], *p; + + TMP_ALLOC(h, hash->digest_size); + + blocks = (mask_length + hash->digest_size - 1) / hash->digest_size; + for (i = 0, p = mask; i < blocks; i++, p += hash->digest_size) + { + c[0] = (i >> 24) & 0xFF; + c[1] = (i >> 16) & 0xFF; + c[2] = (i >> 8) & 0xFF; + c[3] = i & 0xFF; + + memcpy(state, seed, hash->context_size); + hash->update(state, 4, c); + hash->digest(state, hash->digest_size, h); + memcpy(p, h, MGF1_MIN(hash->digest_size, mask_length - (p - mask))); + } + + return 1; +} diff --git a/mgf1.h b/mgf1.h new file mode 100644 index 0000000..bbaffce --- /dev/null +++ b/mgf1.h @@ -0,0 +1,70 @@ +/* mgf1.h + + PKCS#1 mask generation function 1 (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_MGF1_H_INCLUDED +#define NETTLE_MGF1_H_INCLUDED + +#include "nettle-meta.h" + +#include "sha1.h" +#include "sha2.h" + +#ifdef __cplusplus +extern "C" +{ +#endif + +/* Namespace mangling */ +#define mgf1 nettle_mgf1 +#define mgf1_sha256 nettle_mgf1_sha256 +#define mgf1_sha384 nettle_mgf1_sha384 +#define mgf1_sha512 nettle_mgf1_sha512 + +int +mgf1(void *seed, void *state, const struct nettle_hash *hash, + size_t mask_length, uint8_t *mask); + +int +mgf1_sha256(const struct sha256_ctx *hash, size_t mask_length, uint8_t *mask); + +int +mgf1_sha384(const struct sha384_ctx *hash, size_t mask_length, uint8_t *mask); + +int +mgf1_sha512(const struct sha512_ctx *hash, size_t mask_length, uint8_t *mask); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_MGF1_H_INCLUDED */ diff --git a/nettle-types.h b/nettle-types.h index 475937d..b687958 100644 --- a/nettle-types.h +++ b/nettle-types.h @@ -103,6 +103,9 @@ typedef int nettle_armor_decode_update_func(void *ctx, typedef int nettle_armor_decode_final_func(void *ctx); +typedef int nettle_mgf_func(void *ctx, size_t mask_length, uint8_t *mask); + + #ifdef __cplusplus } #endif diff --git a/pss-sha256.c b/pss-sha256.c new file mode 100644 index 0000000..9c12037 --- /dev/null +++ b/pss-sha256.c @@ -0,0 +1,64 @@ +/* pss.c + + PKCS#1 RSA-PSS padding, using SHA-256 (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "pss.h" + +int +pss_sha256_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest) +{ + struct sha256_ctx state; + return pss_encode(m, bits, + &state, &nettle_sha256, + (nettle_mgf_func *) mgf1_sha256, + salt_length, salt, + digest); +} + +int +pss_sha256_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest) +{ + struct sha256_ctx state; + return pss_verify(m, bits, + &state, &nettle_sha256, + (nettle_mgf_func *) mgf1_sha256, + salt_length, + digest); +} diff --git a/pss-sha512.c b/pss-sha512.c new file mode 100644 index 0000000..e24b45d --- /dev/null +++ b/pss-sha512.c @@ -0,0 +1,90 @@ +/* pss.c + + PKCS#1 RSA-PSS padding, using SHA-384 and SHA-512 (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "pss.h" + +int +pss_sha384_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest) +{ + struct sha384_ctx state; + return pss_encode(m, bits, + &state, &nettle_sha384, + (nettle_mgf_func *) mgf1_sha384, + salt_length, salt, + digest); +} + +int +pss_sha384_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest) +{ + struct sha384_ctx state; + return pss_verify(m, bits, + &state, &nettle_sha384, + (nettle_mgf_func *) mgf1_sha384, + salt_length, + digest); +} + +int +pss_sha512_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest) +{ + struct sha512_ctx state; + return pss_encode(m, bits, + &state, &nettle_sha512, + (nettle_mgf_func *) mgf1_sha512, + salt_length, salt, + digest); +} + +int +pss_sha512_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest) +{ + struct sha512_ctx state; + return pss_verify(m, bits, + &state, &nettle_sha512, + (nettle_mgf_func *) mgf1_sha512, + salt_length, + digest); +} diff --git a/pss.c b/pss.c new file mode 100644 index 0000000..5dd23a7 --- /dev/null +++ b/pss.c @@ -0,0 +1,195 @@ +/* pss.c + + PKCS#1 RSA-PSS padding (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> +#include <string.h> + +#include "pss.h" + +#include "bignum.h" +#include "gmp-glue.h" + +#include "memxor.h" +#include "nettle-internal.h" + +static const uint8_t pss_masks[8] = { + 0xFF, 0x7F, 0x3F, 0x1F, 0xF, 0x7, 0x3, 0x1 +}; + +int +pss_encode(mpz_t m, size_t bits, + void *state, const struct nettle_hash *hash, + nettle_mgf_func mgf, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest) +{ + TMP_GMP_DECL(em, uint8_t); + uint8_t pad[8]; + size_t key_size = (bits + 7) / 8; + size_t j; + + TMP_GMP_ALLOC(em, key_size); + + if (key_size < hash->digest_size + salt_length + 2) + { + TMP_GMP_FREE(em); + return 0; + } + + /* Compute M'. */ + hash->init(state); + memset(pad, 0, 8); + hash->update(state, 8, pad); + hash->update(state, hash->digest_size, digest); + hash->update(state, salt_length, salt); + + /* Store H in EM, right after maskedDB. */ + hash->digest(state, hash->digest_size, em + key_size - hash->digest_size - 1); + + /* Compute dbMask. */ + hash->init(state); + hash->update(state, hash->digest_size, em + key_size - hash->digest_size - 1); + + mgf(state, key_size - hash->digest_size - 1, em); + + /* Compute maskedDB and store it in front of H in EM. */ + for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++) + em[j] ^= 0; + em[j++] ^= 1; + memxor(em + j, salt, salt_length); + j += salt_length; + + /* Store the trailer field following H. */ + j += hash->digest_size; + *(em + j) = 0xbc; + + /* Clear the leftmost 8 * emLen - emBits of the leftmost octet in EM. */ + *em &= pss_masks[(8 * key_size - bits)]; + + nettle_mpz_set_str_256_u(m, key_size, em); + TMP_GMP_FREE(em); + return 1; +} + +int +pss_verify(mpz_t m, size_t bits, + void *state, const struct nettle_hash *hash, + nettle_mgf_func mgf, + size_t salt_length, + const uint8_t *digest) +{ + TMP_GMP_DECL(em, uint8_t); + TMP_DECL(h2, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); + uint8_t pad[8], *h, *db, *salt; + size_t key_size = (bits + 7) / 8; + size_t j; + + /* Allocate twice the key size to store the intermediate data DB + * following the EM value. */ + TMP_GMP_ALLOC(em, key_size * 2); + + TMP_ALLOC(h2, hash->digest_size); + + if (key_size < hash->digest_size + salt_length + 2) + { + TMP_GMP_FREE(em); + return 0; + } + + nettle_mpz_get_str_256(key_size, em, m); + + /* Check the trailer field. */ + if (em[key_size - 1] != 0xbc) + { + TMP_GMP_FREE(em); + return 0; + } + + /* Extract H. */ + h = em + (key_size - hash->digest_size - 1); + + /* Check if the leftmost 8 * emLen - emBits bits of the leftmost + * octet of EM are all equal to zero. */ + if ((*em & ~pss_masks[(8 * key_size - bits)]) != 0) + { + TMP_GMP_FREE(em); + return 0; + } + + /* Compute dbMask. */ + hash->init(state); + hash->update(state, hash->digest_size, h); + + db = em + key_size; + mgf(state, key_size - hash->digest_size - 1, db); + + /* Compute DB. */ + memxor(db, em, key_size - hash->digest_size - 1); + + *db &= pss_masks[(8 * key_size - bits)]; + for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++) + if (db[j] != 0) { + TMP_GMP_FREE(em); + return 0; + } + + /* Check the octet right after PS is 0x1. */ + if (db[j] != 0x1) + { + TMP_GMP_FREE(em); + return 0; + } + salt = db + j + 1; + + /* Compute H'. */ + memset(pad, 0, 8); + hash->init(state); + hash->update(state, 8, pad); + hash->update(state, hash->digest_size, digest); + hash->update(state, salt_length, salt); + hash->digest(state, hash->digest_size, h2); + + /* Check if H' = H. */ + if (memcmp(h2, h, hash->digest_size) != 0) + { + TMP_GMP_FREE(em); + return 0; + } + + TMP_GMP_FREE(em); + return 1; +} diff --git a/pss.h b/pss.h new file mode 100644 index 0000000..1ebe1eb --- /dev/null +++ b/pss.h @@ -0,0 +1,105 @@ +/* pss.h + + PKCS#1 RSA-PSS (RFC-3447). + + Copyright (C) 2017 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_PSS_H_INCLUDED +#define NETTLE_PSS_H_INCLUDED + +#include "nettle-types.h" +#include "bignum.h" + +#include "mgf1.h" + +#ifdef __cplusplus +extern "C" +{ +#endif + +/* Namespace mangling */ +#define pss_encode nettle_pss_encode +#define pss_verify nettle_pss_verify +#define pss_sha256_encode nettle_pss_sha256_encode +#define pss_sha256_verify nettle_pss_sha256_verify +#define pss_sha384_encode nettle_pss_sha384_encode +#define pss_sha384_verify nettle_pss_sha384_verify +#define pss_sha512_encode nettle_pss_sha512_encode +#define pss_sha512_verify nettle_pss_sha512_verify + +int +pss_encode(mpz_t m, size_t bits, + void *state, const struct nettle_hash *hash, + nettle_mgf_func mgf, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest); + +int +pss_verify(mpz_t m, size_t bits, + void *state, const struct nettle_hash *hash, + nettle_mgf_func mgf, + size_t salt_length, + const uint8_t *digest); + +int +pss_sha256_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest); + +int +pss_sha256_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest); + +int +pss_sha384_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest); + +int +pss_sha384_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest); + +int +pss_sha512_encode(mpz_t m, size_t bits, + size_t salt_length, const uint8_t *salt, + const uint8_t *digest); + +int +pss_sha512_verify(mpz_t m, size_t bits, + size_t salt_length, + const uint8_t *digest); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_PSS_H_INCLUDED */ diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index b263e1f..2b4499f 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -157,6 +157,9 @@ yarrow-test$(EXEEXT): yarrow-test.$(OBJEXT) pbkdf2-test$(EXEEXT): pbkdf2-test.$(OBJEXT) $(LINK) pbkdf2-test.$(OBJEXT) $(TEST_OBJS) -o pbkdf2-test$(EXEEXT) +mgf1-test$(EXEEXT): mgf1-test.$(OBJEXT) + $(LINK) mgf1-test.$(OBJEXT) $(TEST_OBJS) -o mgf1-test$(EXEEXT) + sexp-test$(EXEEXT): sexp-test.$(OBJEXT) $(LINK) sexp-test.$(OBJEXT) $(TEST_OBJS) -o sexp-test$(EXEEXT) @@ -178,6 +181,9 @@ random-prime-test$(EXEEXT): random-prime-test.$(OBJEXT) pkcs1-test$(EXEEXT): pkcs1-test.$(OBJEXT) $(LINK) pkcs1-test.$(OBJEXT) $(TEST_OBJS) -o pkcs1-test$(EXEEXT) +pss-test$(EXEEXT): pss-test.$(OBJEXT) + $(LINK) pss-test.$(OBJEXT) $(TEST_OBJS) -o pss-test$(EXEEXT) + rsa-sign-tr-test$(EXEEXT): rsa-sign-tr-test.$(OBJEXT) $(LINK) rsa-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sign-tr-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 689d432..4a9604f 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -30,12 +30,12 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ hmac-test.c umac-test.c \ meta-hash-test.c meta-cipher-test.c\ meta-aead-test.c meta-armor-test.c \ - buffer-test.c yarrow-test.c pbkdf2-test.c + buffer-test.c yarrow-test.c pbkdf2-test.c mgf1-test.c TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ rsa2sexp-test.c sexp2rsa-test.c \ bignum-test.c random-prime-test.c \ - pkcs1-test.c rsa-sign-tr-test.c \ + pkcs1-test.c pss-test.c rsa-sign-tr-test.c \ rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \ dsa-test.c dsa-keygen-test.c \ curve25519-dh-test.c \ diff --git a/testsuite/mgf1-test.c b/testsuite/mgf1-test.c new file mode 100644 index 0000000..967be07 --- /dev/null +++ b/testsuite/mgf1-test.c @@ -0,0 +1,23 @@ +#include "testutils.h" +#include "mgf1.h" + +void +test_main(void) +{ + struct sha256_ctx hash; + struct tstring *expected; + uint8_t mask[120]; + int ret; + + expected = SHEX("cf2db1ac9867debdf8ce91f99f141e5544bf26ca36b3fd4f8e4035" + "eec42cab0d46c386ebccef82ba0bb0b095aaa5548b03cdff695187" + "1c6fb505af68af688332f885d324a47d2145a3d8392c37978d7dc9" + "84c95728950c4cf3de6becc59e60ea506951bd40e6de3863095064" + "3ab2edbb47dc66cb54beb2d1"); + + sha256_init(&hash); + sha256_update(&hash, 3, "abc"); + ret = mgf1_sha256(&hash, 120, mask); + ASSERT(ret == 1); + ASSERT(MEMEQ (120, mask, expected->data)); +} diff --git a/testsuite/pss-test.c b/testsuite/pss-test.c new file mode 100644 index 0000000..2d53e03 --- /dev/null +++ b/testsuite/pss-test.c @@ -0,0 +1,35 @@ +#include "testutils.h" + +#include "pss.h" + +void +test_main(void) +{ + struct tstring *salt; + struct tstring *digest; + mpz_t m; + mpz_t expected; + int ret; + + mpz_init(m); + mpz_init(expected); + + salt = SHEX("11223344556677889900"); + /* From sha256-test.c */ + digest = SHEX("ba7816bf8f01cfea 414140de5dae2223" + "b00361a396177a9c b410ff61f20015ad"); + ret = pss_sha256_encode(m, 1024, salt->length, salt->data, digest->data); + ASSERT(ret == 1); + + mpz_set_str(expected, + "76b9a52705c8382c5367732f993184eff340b6305c9f73e7e308c8" + "004fcc15cbbaab01e976bae4b774628595379a2d448a36b3ea6fa8" + "353b97eeea7bdac93b4b7807ac98cd4b3bebfb31f3718e1dd3625f" + "227fbb8696606498e7070e21c3cbbd7386ea20eb81ac7927e0c6d1" + "d7788826a63af767f301bcc05dd65b00da862cbc", 16); + + ASSERT(mpz_cmp(m, expected) == 0); + + ret = pss_sha256_verify(m, 1024, salt->length, digest->data); + ASSERT(ret == 1); +} -- 2.9.3

5 23

[PATCH 1/2] Provide wrappers around OpenSSL AES GCM
by Dmitry Eremin-Solenikov 18 Feb '18

18 Feb '18

For benchmarking purposes provide wrappers around OpenSSL AES GCM implementation. Note, digest callback will work only for encryption due to OpenSSL internals. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- examples/nettle-openssl.c | 109 +++++++++++++++++++++++++++++++++++++++++++++- nettle-internal.h | 3 ++ 2 files changed, 110 insertions(+), 2 deletions(-) diff --git a/examples/nettle-openssl.c b/examples/nettle-openssl.c index b549ba54..a0b20d3c 100644 --- a/examples/nettle-openssl.c +++ b/examples/nettle-openssl.c @@ -80,7 +80,7 @@ openssl_evp_set_encrypt_key(void *p, const uint8_t *key, { struct openssl_cipher_ctx *ctx = p; ctx->evp = EVP_CIPHER_CTX_new(); - assert(EVP_EncryptInit_ex(ctx->evp, cipher, NULL, key, NULL) == 1); + assert(EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 1) == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } static void @@ -89,7 +89,7 @@ openssl_evp_set_decrypt_key(void *p, const uint8_t *key, { struct openssl_cipher_ctx *ctx = p; ctx->evp = EVP_CIPHER_CTX_new(); - assert(EVP_DecryptInit_ex(ctx->evp, cipher, NULL, key, NULL) == 1); + assert(EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 0) == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } @@ -110,6 +110,47 @@ openssl_evp_decrypt(const void *p, size_t length, assert(EVP_DecryptUpdate(ctx->evp, dst, &len, src, length) == 1); } +static void +openssl_evp_set_nonce(void *p, const uint8_t *nonce) +{ + const struct openssl_cipher_ctx *ctx = p; + assert(EVP_CipherInit_ex(ctx->evp, NULL, NULL, NULL, nonce, -1) == 1); +} + +static void +openssl_evp_update(void *p, size_t length, const uint8_t *src) +{ + const struct openssl_cipher_ctx *ctx = p; + int len; + assert(EVP_EncryptUpdate(ctx->evp, NULL, &len, src, length) == 1); +} + +/* This will work for encryption only! */ +static void +openssl_evp_gcm_digest(void *p, size_t length, uint8_t *dst) +{ + const struct openssl_cipher_ctx *ctx = p; + assert(EVP_CIPHER_CTX_ctrl(ctx->evp, EVP_CTRL_GCM_GET_TAG, length, dst) == 1); +} + +static void +openssl_evp_aead_encrypt(void *p, size_t length, + uint8_t *dst, const uint8_t *src) +{ + const struct openssl_cipher_ctx *ctx = p; + int len; + assert(EVP_EncryptUpdate(ctx->evp, dst, &len, src, length) == 1); +} + +static void +openssl_evp_aead_decrypt(void *p, size_t length, + uint8_t *dst, const uint8_t *src) +{ + const struct openssl_cipher_ctx *ctx = p; + int len; + assert(EVP_DecryptUpdate(ctx->evp, dst, &len, src, length) == 1); +} + /* AES */ static nettle_set_key_func openssl_aes128_set_encrypt_key; static nettle_set_key_func openssl_aes128_set_decrypt_key; @@ -175,6 +216,70 @@ nettle_openssl_aes256 = { openssl_evp_encrypt, openssl_evp_decrypt }; +/* AES-GCM */ +static void +openssl_gcm_aes128_set_encrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_encrypt_key(ctx, key, EVP_aes_128_gcm()); +} +static void +openssl_gcm_aes128_set_decrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_decrypt_key(ctx, key, EVP_aes_128_gcm()); +} + +static void +openssl_gcm_aes192_set_encrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_encrypt_key(ctx, key, EVP_aes_192_gcm()); +} +static void +openssl_gcm_aes192_set_decrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_decrypt_key(ctx, key, EVP_aes_192_gcm()); +} + +static void +openssl_gcm_aes256_set_encrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_encrypt_key(ctx, key, EVP_aes_256_gcm()); +} +static void +openssl_gcm_aes256_set_decrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_decrypt_key(ctx, key, EVP_aes_256_gcm()); +} + +const struct nettle_aead +nettle_openssl_gcm_aes128 = { + "openssl gcm_aes128", sizeof(struct openssl_cipher_ctx), + 16, 16, 12, 16, + openssl_gcm_aes128_set_encrypt_key, openssl_gcm_aes128_set_decrypt_key, + openssl_evp_set_nonce, openssl_evp_update, + openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, + openssl_evp_gcm_digest +}; + +const struct nettle_aead +nettle_openssl_gcm_aes192 = { + "openssl gcm_aes192", sizeof(struct openssl_cipher_ctx), + 16, 24, 12, 16, + openssl_gcm_aes192_set_encrypt_key, openssl_gcm_aes192_set_decrypt_key, + openssl_evp_set_nonce, openssl_evp_update, + openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, + openssl_evp_gcm_digest +}; + +const struct nettle_aead +nettle_openssl_gcm_aes256 = { + "openssl gcm_aes256", sizeof(struct openssl_cipher_ctx), + 16, 32, 12, 16, + openssl_gcm_aes256_set_encrypt_key, openssl_gcm_aes256_set_decrypt_key, + openssl_evp_set_nonce, openssl_evp_update, + openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, + openssl_evp_gcm_digest +}; + /* Arcfour */ static void openssl_arcfour128_set_encrypt_key(void *ctx, const uint8_t *key) diff --git a/nettle-internal.h b/nettle-internal.h index 0b0d25c9..38c8d2a8 100644 --- a/nettle-internal.h +++ b/nettle-internal.h @@ -76,6 +76,9 @@ extern const struct nettle_aead nettle_arcfour128; extern const struct nettle_aead nettle_chacha; extern const struct nettle_aead nettle_salsa20; extern const struct nettle_aead nettle_salsa20r12; +extern const struct nettle_aead nettle_openssl_gcm_aes128; +extern const struct nettle_aead nettle_openssl_gcm_aes192; +extern const struct nettle_aead nettle_openssl_gcm_aes256; /* Glue to openssl, for comparative benchmarking. Code in * examples/nettle-openssl.c. */ -- 2.11.0

5 16

Performance of AESNI impl vs other crypto libraries
by Daniel P. Berrange 02 Feb '18

02 Feb '18

I wrote a crude/simple test program to compare the performance of AES-128-CBC across openssl, gcrypt, nettle and gnutls, and was surprised to find that nettle is consistently ~25% slower than the other libraries for its AESNI implementation. On my Core i7-6820HQ I get nettle: 850 MB/s gcrypt: 1172 MB/s gnutls: 1230 MB/s openssl: 1153 MB/s with versions nettle-3.3-2.fc26.x86_64 libgcrypt-1.7.8-1.fc26.x86_64 gnutls-3.5.14-1.fc26.x86_64 openssl-1.1.0f-7.fc26.x86_64 And on Xeon E5-2609 I get nettle: 325 MB/s gcrypt: 403 MB/s gnutls: 414 MB/s openssl: 414 MB/s with versions nettle-3.3-1.fc25.x86_64 libgcrypt-1.7.8-1.fc25.x86_64 gnutls-3.5.14-1.fc25.x86_64 openssl-1.0.2k-1.fc25.x86_64 Naively I would have expected them all to be pretty much equal given that they're delegating to the same hardware routines. Has anyone else done comparative benchmarks of nettle's impl against others & seen the same kind of results ? I'll attach my test program to this mail, so if I made a mistake in usage there feel free to point it out. FWIW, I also found there is some wierd interaction between nettle and glibc-2.23. If I have that glibc version and run with NETTLE_FAT_VERBOSE=1 it claims it is picking the AESNI impl, but the performance figures clearly show it is actually running the pure software impl because they're 100 MB/s instead of 325 MB/s. I upgraded to glibc 2.24 and this wierdness went away, so I've not investigated that further. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

5 20

Build system bug with assembler and clang
by blargh 24 Jan '18

24 Jan '18

Hi, I've been building nettle with Clang from a generated toolchain with the latest Android NDK (16b). Form architecture with available assembler code (x86 in particular), compilation fails because the generated asm is not compatible with clang. So I use --disable-assembler, thinking it would fix the problem. But it still fails (see log below): The workaround has been to entirely disable (comment) the asm rule in Makefile.in: #.asm.$(OBJEXT): $(srcdir)/asm.m4 machine.m4 config.m4 # $(M4) $(srcdir)/asm.m4 machine.m4 config.m4 $< >$*.s # $(COMPILE) -c $*.s # @echo "$@ : $< $(srcdir)/asm.m4 machine.m4 config.m4" >$@.d For some reason, this rule generates asm files even when --disable-assembler is specified and it gets in the way later in the build. The proper fix would be to make sure this rule never kicks in with --disable-assembler. And also maybe force --disable-assembler when clang is the compiler, or update the asm generation macro (asm.m4) to produce .s files compatible with clang. ///////// Version: nettle 3.4 Host type: x86-unknown-none ABI: standard Assembly files: none Install prefix: /home/bobbie/ffmpeg-android-3.4.1/toolchain-android Library directory: ${exec_prefix}/lib Compiler: /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot Static libraries: yes Shared libraries: no Public key crypto: yes Using mini-gmp: no Documentation: no make install-here make[1]: Entering directory `/home/bobbie/ffmpeg-android-3.4.1/nettle-3.4' /bin/mkdir -p /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include/nettle /usr/bin/m4 ./asm.m4 machine.m4 config.m4 aes-decrypt-internal.asm >aes-decrypt-internal.s /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-decrypt.o -MD -MP -MF aes-decrypt.o.d -c aes-decrypt.c \ && true for f in aes.h arcfour.h arctwo.h asn1.h blowfish.h base16.h base64.h bignum.h buffer.h camellia.h cast128.h cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h curve25519.h des.h des-compat.h dsa.h dsa-compat.h eax.h ecc-curve.h ecc.h ecdsa.h eddsa.h gcm.h gosthash94.h hmac.h knuth-lfib.h hkdf.h macros.h md2.h md4.h md5.h md5-compat.h memops.h memxor.h nettle-meta.h nettle-types.h pbkdf2.h pgp.h pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h salsa20.h sexp.h serpent.h sha.h sha1.h sha2.h sha3.h twofish.h umac.h yarrow.h poly1305.h nettle-stdint.h version.h ; do \ if [ -f "$f" ] ; then \ /usr/bin/install -c -m 644 "$f" /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include/nettle ; \ else \ /usr/bin/install -c -m 644 "./$f" /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include/nettle ; \ fi ; done /usr/bin/m4 ./asm.m4 machine.m4 config.m4 aes-encrypt-internal.asm >aes-encrypt-internal.s /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-encrypt.o -MD -MP -MF aes-encrypt.o.d -c aes-encrypt.c \ && true /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-encrypt-table.o -MD -MP -MF aes-encrypt-table.o.d -c aes-encrypt-table.c \ && true /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-invert-internal.o -MD -MP -MF aes-invert-internal.o.d -c aes-invert-internal.c \ && true /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-set-key-internal.o -MD -MP -MF aes-set-key-internal.o.d -c aes-set-key-internal.c \ && true /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-decrypt-internal.o -MD -MP -MF aes-decrypt-internal.o.d -c aes-decrypt-internal.s /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-encrypt-internal.o -MD -MP -MF aes-encrypt-internal.o.d -c aes-encrypt-internal.s /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-set-encrypt-key.o -MD -MP -MF aes-set-encrypt-key.o.d -c aes-set-encrypt-key.c \ && true clang50/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes-set-decrypt-key.o -MD -MP -MF aes-set-decrypt-key.o.d -c aes-set-decrypt-key.c \ && true /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes128-set-encrypt-key.o -MD -MP -MF aes128-set-encrypt-key.o.d -c aes128-set-encrypt-key.c \ && true : warning: argument unused during compilation: '-D __ANDROID_API__=14' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-D HAVE_CONFIG_H' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-MT aes-decrypt-internal.o' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-MD' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-MP' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-MF aes-decrypt-internal.o.d' [-Wunused-command-line-argument] aes-decrypt-internal.s:67:10: error: unknown token in expression teq r3, #0 ^ aes-decrypt-internal.s:68:2: error: invalid instruction mnemonic 'beq' beq .Lend ^~~ aes-decrypt-internal.s:70:7: error: Unexpected '{' in expression push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} ^ clang50: warning: argument unused during compilation: '-D __ANDROID_API__=14' [-Wunused-command-line-argument] /home/bobbie/ffmpeg-android-3.4.1/toolchain-android/bin/i686-linux-android-clang --sysroot=/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/sysroot -I. -DHAVE_CONFIG_H -I/home/bobbie/ffmpeg-android-3.4.1/toolchain-android/include -ggdb3 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wpointer-arith -Wbad-function-cast -Wnested-externs -fpic -MT aes128-set-decrypt-key.o -MD -MP -MF aes128-set-decrypt-key.o.d -c aes128-set-decrypt-key.c \ && true clang50: warning: argument unused during compilation: '-D HAVE_CONFIG_H' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-MT aes-encrypt-internal.o' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-MD' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-MP' [-Wunused-command-line-argument] clang50: warning: argument unused during compilation: '-MF aes-encrypt-internal.o.d' [-Wunused-command-line-argument] aes-decrypt-internal.s:71:10: error: unknown token in expression mov r0, #0x3fc ^ aes-decrypt-internal.s:75:13: error: expected ']' in brackets expression ldr r1, [sp, #+48] ^ aes-decrypt-internal.s:76:10: error: Unexpected '{' in expression ldm sp, {r10, r11} ^ aes-decrypt-internal.s:79:17: error: unknown token in expression ldrb r4, [r1], #+1

3 3

[PATCH v2] Add CFB8 - Cipher Feedback 8-bit block cipher mode
by Dmitry Eremin-Solenikov 21 Jan '18

21 Jan '18

Add CFB variant with 8-bit segment size. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- cfb.c | 72 ++++++++++++++++++++ cfb.h | 35 ++++++++++ nettle.texinfo | 106 ++++++++++++++++++++++++------ testsuite/cfb-test.c | 103 +++++++++++++++++++++++++++++ testsuite/testutils.c | 178 ++++++++++++++++++++++++++++++++++++++++++++++++++ testsuite/testutils.h | 7 ++ 6 files changed, 482 insertions(+), 19 deletions(-) --- CFB8 support, contributed by Dmitry Eremin-Solenikov. * cfb.c (cfb8_encrypt, cfb8_decrypt): New functions. * cfb.h (CFB8_CTX, CFB8_SET_IV, CFB8_ENCRYPT, CFB8_DECRYPT): New macros. * testsuite/cfb-test.c: CFB8 test cases. * testsuite/testutils.c (test_cipher_cfb8): New function. * nettle.texinfo (CFB8): Documentation. diff --git a/cfb.c b/cfb.c index 805b8c4533a0..19cba4b5ba5d 100644 --- a/cfb.c +++ b/cfb.c @@ -162,3 +162,75 @@ cfb_decrypt(const void *ctx, nettle_cipher_func *f, } } } + +/* CFB-8 uses slight optimization: it encrypts or decrypts up to block_size + * bytes and does memcpy/memxor afterwards */ +void +cfb8_encrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); + TMP_ALLOC(buffer, block_size * 2); + TMP_ALLOC(outbuf, block_size); + uint8_t pos; + + memcpy(buffer, iv, block_size); + pos = 0; + while (length) + { + uint8_t t; + + if (pos == block_size) + { + memcpy(buffer, buffer + block_size, block_size); + pos = 0; + } + + f(ctx, block_size, outbuf, buffer + pos); + t = *(dst++) = *(src++) ^ outbuf[0]; + buffer[pos + block_size] = t; + length--; + pos ++; + } + memcpy(iv, buffer + pos, block_size); +} + +void +cfb8_decrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_ALLOC(buffer, block_size * 2); + TMP_ALLOC(outbuf, block_size * 2); + uint8_t i = 0; + + memcpy(buffer, iv, block_size); + memcpy(buffer + block_size, src, + length < block_size ? length : block_size); + + while (length) + { + + for (i = 0; i < length && i < block_size; i++) + f(ctx, block_size, outbuf + i, buffer + i); + + memxor3(dst, src, outbuf, i); + + length -= i; + src += i; + dst += i; + + memcpy(buffer, buffer + block_size, block_size); + memcpy(buffer + block_size, src, + length < block_size ? length : block_size); + + } + + memcpy(iv, buffer + i, block_size); +} diff --git a/cfb.h b/cfb.h index 16660df9b8ab..782ac133aa1c 100644 --- a/cfb.h +++ b/cfb.h @@ -45,6 +45,9 @@ extern "C" { #define cfb_encrypt nettle_cfb_encrypt #define cfb_decrypt nettle_cfb_decrypt +#define cfb8_encrypt nettle_cfb8_encrypt +#define cfb8_decrypt nettle_cfb8_decrypt + void cfb_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, @@ -57,12 +60,28 @@ cfb_decrypt(const void *ctx, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); +void +cfb8_encrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src); + +void +cfb8_decrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src); + + #define CFB_CTX(type, size) \ { type ctx; uint8_t iv[size]; } #define CFB_SET_IV(ctx, data) \ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) +#define CFB8_CTX CFB_CTX +#define CFB8_SET_IV CFB_SET_IV + /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CFB_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ @@ -80,6 +99,22 @@ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) +#define CFB8_ENCRYPT(self, f, length, dst, src) \ + (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ + (uint8_t *) 0, (const uint8_t *) 0)) \ + : cfb8_encrypt((void *) &(self)->ctx, \ + (nettle_cipher_func *) (f), \ + sizeof((self)->iv), (self)->iv, \ + (length), (dst), (src))) + +#define CFB8_DECRYPT(self, f, length, dst, src) \ + (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ + (uint8_t *) 0, (const uint8_t *) 0)) \ + : cfb8_decrypt((void *) &(self)->ctx, \ + (nettle_cipher_func *) (f), \ + sizeof((self)->iv), (self)->iv, \ + (length), (dst), (src))) + #ifdef __cplusplus } #endif diff --git a/nettle.texinfo b/nettle.texinfo index aa374449c527..f501cfbeb2d7 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -93,7 +93,7 @@ Cipher modes * CBC:: * CTR:: -* CFB:: +* CFB and CFB8:: * GCM:: * CCM:: @@ -1904,21 +1904,21 @@ Book mode, @acronym{ECB}), leaks information. Besides @acronym{ECB}, Nettle provides several other modes of operation: Cipher Block Chaining (@acronym{CBC}), Counter mode (@acronym{CTR}), Cipher -Feedback (@acronym{CFB}) and a couple of @acronym{AEAD} modes -(@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but +Feedback (@acronym{CFB} and @acronym{CFB8}) and a couple of @acronym{AEAD} +modes (@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but there are a few subtle issues of information leakage, see, e.g., @uref{http://www.kb.cert.org/vuls/id/958563, @acronym{SSH} @acronym{CBC} vulnerability}. Today, @acronym{CTR} is usually preferred over @acronym{CBC}. -Modes like @acronym{CBC}, @acronym{CTR} and @acronym{CFB} provide @emph{no} -message authentication, and should always be used together with a -@acronym{MAC} (@pxref{Keyed hash functions}) or signature to authenticate -the message. +Modes like @acronym{CBC}, @acronym{CTR}, @acronym{CFB} and @acronym{CFB8} +provide @emph{no} message authentication, and should always be used together +with a @acronym{MAC} (@pxref{Keyed hash functions}) or signature to +authenticate the message. @menu * CBC:: * CTR:: -* CFB:: +* CFB and CFB8:: @end menu @node CBC, CTR, Cipher modes, Cipher modes @@ -2014,7 +2014,7 @@ These macros use some tricks to make the compiler display a warning if the types of @var{f} and @var{ctx} don't match, e.g. if you try to use an @code{struct aes_ctx} context with the @code{des_encrypt} function. -@node CTR, CFB, CBC, Cipher modes +@node CTR, CFB and CFB8, CBC, Cipher modes @comment node-name, next, previous, up @subsection Counter mode @@ -2090,18 +2090,21 @@ last three arguments define the source and destination area for the operation. @end deffn -@node CFB, , CTR, Cipher modes +@node CFB and CFB8, , CTR, Cipher modes @comment node-name, next, previous, up @subsection Cipher Feedback mode @cindex Cipher Feedback Mode -@cindex CFB Mode +@cindex Cipher Feedback 8-bit Mode +@cindex CFB Modes +@cindex CFB8 Mode -Cipher Feedback mode (@acronym{CFB}) being a close relative to both -@acronym{CBC} mode and @acronym{CTR} mode borrows some characteristics -from stream ciphers. -The message is divided into @code{n} blocks @code{M_1},@dots{} +Cipher Feedback mode (@acronym{CFB}) and Cipher Feedback 8-bit mode +(@acronym{CFB8}) being close relatives to both @acronym{CBC} mode and +@acronym{CTR} mode borrow some characteristics from stream ciphers. + +For CFB the message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. @@ -2121,10 +2124,31 @@ C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1) C_n = E_k(C_(n - 1)) [1..m] XOR M_n @end example -Nettle's includes two functions for applying a block cipher in Cipher -Feedback (@acronym{CFB}) mode, one for encryption and one for -decryption. These functions uses @code{void *} to pass cipher contexts -around. +Cipher Feedback 8-bit mode (@acronym{CFB8}) transforms block cipher into a stream +cipher. The message is encrypted byte after byte, not requiring any padding. + +If @code{E_k} is the encryption function of a block cipher, @code{b} is +@code{E_k} block size, @code{IV} is the initialization vector, then the +@code{n} plaintext bytes are transformed into @code{n} ciphertext bytes +@code{C_1},@dots{} @code{C_n} as follows: + +@example +I_1 = IV +C_1 = E_k(I_1) [1..8] XOR M_1 +I_2 = I_1 [9..b] << 8 | C_1 +C_2 = E_k(I_2) [1..8] XOR M_2 + +@dots{} + +I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2) +C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1) +I_n = I_(n-1) [9..b] << 8 | C_(n-1) +C_n = E_k(I_n) [1..8] XOR M_n +@end example + +Nettle's includes functions for applying a block cipher in Cipher +Feedback (@acronym{CFB}) and Cipher Feedback 8-bit (@acronym{CFB8}) +modes. These functions uses @code{void *} to pass cipher contexts around. @deftypefun {void} cfb_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cfb_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @@ -2141,6 +2165,18 @@ When a message is encrypted using a sequence of calls to is a multiple of the block size. @end deftypefun +@deftypefun {void} cfb8_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx {void} cfb8_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) + +Applies the encryption or decryption function @var{f} in @acronym{CFB8} +mode. The final IV block processed is copied into @var{iv} +before returning, so that a large message can be processed by a sequence of +calls to @code{cfb8_encrypt}. Note that for @acronym{CFB8} mode internally +uses encryption only function and hence @var{f} should always be the +encryption function for the underlying block cipher. + +@end deftypefun + Like for @acronym{CBC}, there are also a couple of helper macros. @deffn Macro CFB_CTX (@var{context_type}, @var{block_size}) @@ -2175,6 +2211,38 @@ last three arguments define the source and destination area for the operation. @end deffn +@deffn Macro CFB8_CTX (@var{context_type}, @var{block_size}) +Expands to +@example +@{ + context_type ctx; + uint8_t iv[block_size]; +@} +@end example +@end deffn + +@deffn Macro CFB8_SET_IV(@var{ctx}, @var{iv}) +First argument is a pointer to a context struct as defined by +@code{CFB8_CTX}, and the second is a pointer to an initialization vector +that is copied into that context. +@end deffn + +@deffn Macro CFB8_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) +A simpler way to invoke @code{cfb8_encrypt}. The first argument is a +pointer to a context struct as defined by @code{CFB8_CTX}, and the +second argument is an encryption function following Nettle's +conventions. The last three arguments define the source and destination +area for the operation. +@end deffn + +@deffn Macro CFB8_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) +A simpler way to invoke @code{cfb8_decrypt}. The first argument is a +pointer to a context struct as defined by @code{CFB8_CTX}, and the +second argument is an encryption function following Nettle's +conventions. The last three arguments define the source and destination +area for the operation. +@end deffn + @node Authenticated encryption, Keyed hash functions, Cipher modes, Reference @comment node-name, next, previous, up diff --git a/testsuite/cfb-test.c b/testsuite/cfb-test.c index b59bee225bf8..b83233830b5a 100644 --- a/testsuite/cfb-test.c +++ b/testsuite/cfb-test.c @@ -6,6 +6,7 @@ /* Test with more data and inplace decryption, to check that the * cfb_decrypt buffering works. */ #define CFB_BULK_DATA 10000 +#define CFB8_BULK_DATA CFB_BULK_DATA static void test_cfb_bulk(void) @@ -64,9 +65,110 @@ test_cfb_bulk(void) ASSERT (MEMEQ(CFB_BULK_DATA, clear, cipher)); } +static void +test_cfb8_bulk(void) +{ + struct knuth_lfib_ctx random; + + uint8_t clear[CFB8_BULK_DATA]; + + uint8_t cipher[CFB8_BULK_DATA + 1]; + + const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" + "743008105a08657d dcaad4128eee38b3"); + + const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); + const uint8_t *end_iv = H("f84bfd48206f5803 6ef86f4e69e9aec0"); + + struct CFB8_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; + + knuth_lfib_init(&random, CFB8_BULK_DATA); + knuth_lfib_random(&random, CFB8_BULK_DATA, clear); + + /* Byte that should not be overwritten */ + cipher[CFB8_BULK_DATA] = 17; + + aes_set_encrypt_key(&aes.ctx, 32, key); + CFB8_SET_IV(&aes, start_iv); + + CFB8_ENCRYPT(&aes, aes_encrypt, CFB8_BULK_DATA, cipher, clear); + + ASSERT(cipher[CFB8_BULK_DATA] == 17); + + if (verbose) + { + printf("IV after bulk encryption: "); + print_hex(AES_BLOCK_SIZE, aes.iv); + printf("\n"); + } + + ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); + + /* Decrypt, in place */ + aes_set_encrypt_key(&aes.ctx, 32, key); + CFB8_SET_IV(&aes, start_iv); + CFB8_DECRYPT(&aes, aes_encrypt, CFB8_BULK_DATA, cipher, cipher); + + ASSERT(cipher[CFB8_BULK_DATA] == 17); + + if (verbose) + { + printf("IV after bulk decryption: "); + print_hex(AES_BLOCK_SIZE, aes.iv); + printf("\n"); + } + + ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); + ASSERT (MEMEQ(CFB8_BULK_DATA, clear, cipher)); +} + void test_main(void) { + /* From NIST spec 800-38a on AES modes. + * + * F.3 CFB Example Vectors + * F.3.7 CFB8-AES128.Encrypt + */ + + test_cipher_cfb8(&nettle_aes128, + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("3b79424c9c0dd436bace9e0ed4586a4f" + "32b9"), + SHEX("000102030405060708090a0b0c0d0e0f")); + + /* From NIST spec 800-38a on AES modes. + * + * F.3 CFB Example Vectors + * F.3.9 CFB8-AES192.Encrypt + */ + + test_cipher_cfb8(&nettle_aes192, + SHEX("8e73b0f7da0e6452c810f32b809079e5" + "62f8ead2522c6b7b"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("cda2521ef0a905ca44cd057cbf0d47a0" + "678a"), + SHEX("000102030405060708090a0b0c0d0e0f")); + + /* From NIST spec 800-38a on AES modes. + * + * F.3 CFB Example Vectors + * F.3.11 CFB8-AES256.Encrypt + */ + + test_cipher_cfb8(&nettle_aes256, + SHEX("603deb1015ca71be2b73aef0857d7781" + "1f352c073b6108d72d9810a30914dff4"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("dc1f1a8520a64db55fcc8ac554844e88" + "9700"), + SHEX("000102030405060708090a0b0c0d0e0f")); + /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors @@ -139,6 +241,7 @@ test_main(void) SHEX("000102030405060708090a0b0c0d0e0f")); test_cfb_bulk(); + test_cfb8_bulk(); } /* diff --git a/testsuite/testutils.c b/testsuite/testutils.c index 08471958fbc0..5ee9eda35264 100644 --- a/testsuite/testutils.c +++ b/testsuite/testutils.c @@ -423,6 +423,184 @@ test_cipher_cfb(const struct nettle_cipher *cipher, free(iv); } +void +test_cipher_cfb8(const struct nettle_cipher *cipher, + const struct tstring *key, + const struct tstring *cleartext, + const struct tstring *ciphertext, + const struct tstring *iiv) +{ + void *ctx = xalloc(cipher->context_size); + uint8_t *data, *data2; + uint8_t *iv = xalloc(cipher->block_size); + size_t length; + + ASSERT (cleartext->length == ciphertext->length); + length = cleartext->length; + + ASSERT (key->length == cipher->key_size); + ASSERT (iiv->length == cipher->block_size); + + data = xalloc(length); + data2 = xalloc(length); + + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, cleartext->data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 encrypt failed:\nInput:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data2, data); + + if (!MEMEQ(length, data2, cleartext->data)) + { + fprintf(stderr, "CFB8 decrypt failed:\nInput:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data2); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + memcpy(data, cleartext->data, length); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, cleartext->data)) + { + fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\n"); + FAIL(); + } + + /* Repeat all tests with incomplete last block */ + length -= 1; + + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, cleartext->data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 encrypt failed:\nInput:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data2, data); + + if (!MEMEQ(length, data2, cleartext->data)) + { + fprintf(stderr, "CFB8 decrypt failed:\nInput:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data2); + fprintf(stderr, "\nExpected:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + memcpy(data, cleartext->data, length); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, cleartext->data)) + { + fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\n"); + FAIL(); + } + + free(ctx); + free(data); + free(data2); + free(iv); +} + void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, diff --git a/testsuite/testutils.h b/testsuite/testutils.h index fbbba7b9fab5..ded57db6ab4f 100644 --- a/testsuite/testutils.h +++ b/testsuite/testutils.h @@ -129,6 +129,13 @@ test_cipher_cfb(const struct nettle_cipher *cipher, const struct tstring *ciphertext, const struct tstring *iv); +void +test_cipher_cfb8(const struct nettle_cipher *cipher, + const struct tstring *key, + const struct tstring *cleartext, + const struct tstring *ciphertext, + const struct tstring *iv); + void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, -- 2.15.1

2 1

[PATCH] Add CFB8 - Cipher Feedback 8-bit block cipher mode
by Dmitry Eremin-Solenikov 16 Jan '18

16 Jan '18

Add CFB variant with 8-bit segment size. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- cfb.c | 75 +++++++++++++++++++++ cfb.h | 35 ++++++++++ nettle.texinfo | 96 +++++++++++++++++++++++++-- testsuite/cfb-test.c | 103 +++++++++++++++++++++++++++++ testsuite/testutils.c | 178 ++++++++++++++++++++++++++++++++++++++++++++++++++ testsuite/testutils.h | 7 ++ 6 files changed, 487 insertions(+), 7 deletions(-) --- CFB8 support, contributed by Dmitry Eremin-Solenikov. * cfb.c (cfb8_encrypt, cfb8_decrypt): New functions. * cfb.h (CFB8_CTX, CFB8_SET_IV, CFB8_ENCRYPT, CFB8_DECRYPT): New macros. * testsuite/cfb-test.c: CFB8 test cases. * testsuite/testutils.c (test_cipher_cfb8): New function. * nettle.texinfo (CFB8): Documentation. diff --git a/cfb.c b/cfb.c index 805b8c4533a0..8e0ca47130d4 100644 --- a/cfb.c +++ b/cfb.c @@ -162,3 +162,78 @@ cfb_decrypt(const void *ctx, nettle_cipher_func *f, } } } + +/* CFB-8 uses slight optimization: it encrypts or decrypts up to block_size + * bytes and does memcpy/memxor afterwards */ +void +cfb8_encrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); + TMP_ALLOC(buffer, block_size * 2); + TMP_ALLOC(outbuf, block_size); + uint8_t pos; + + memcpy(buffer, iv, block_size); + pos = 0; + while (length) + { + uint8_t t; + + if (pos == block_size) + { + memcpy(buffer, buffer + block_size, block_size); + pos = 0; + } + + f(ctx, block_size, outbuf, buffer + pos); + t = *(dst++) = *(src++) ^ outbuf[0]; + buffer[pos + block_size] = t; + length--; + pos ++; + } + memcpy(iv, buffer + pos, block_size); +} + +void +cfb8_decrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_ALLOC(buffer, block_size * 2); + TMP_ALLOC(outbuf, block_size * 2); + uint8_t i = 0; + + memcpy(buffer, iv, block_size); + memcpy(buffer + block_size, src, + length < block_size ? length : block_size); + + while (length) + { + + for (i = 0; i < length && i < block_size; i++) + f(ctx, block_size, outbuf + i, buffer + i); + + if (src != dst) + memxor3(dst, src, outbuf, i); + else + memxor(dst, outbuf, i); + + length -= i; + src += i; + dst += i; + + memcpy(buffer, buffer + block_size, block_size); + memcpy(buffer + block_size, src, + length < block_size ? length : block_size); + + } + + memcpy(iv, buffer + i, block_size); +} diff --git a/cfb.h b/cfb.h index 16660df9b8ab..782ac133aa1c 100644 --- a/cfb.h +++ b/cfb.h @@ -45,6 +45,9 @@ extern "C" { #define cfb_encrypt nettle_cfb_encrypt #define cfb_decrypt nettle_cfb_decrypt +#define cfb8_encrypt nettle_cfb8_encrypt +#define cfb8_decrypt nettle_cfb8_decrypt + void cfb_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, @@ -57,12 +60,28 @@ cfb_decrypt(const void *ctx, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); +void +cfb8_encrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src); + +void +cfb8_decrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src); + + #define CFB_CTX(type, size) \ { type ctx; uint8_t iv[size]; } #define CFB_SET_IV(ctx, data) \ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) +#define CFB8_CTX CFB_CTX +#define CFB8_SET_IV CFB_SET_IV + /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CFB_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ @@ -80,6 +99,22 @@ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) +#define CFB8_ENCRYPT(self, f, length, dst, src) \ + (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ + (uint8_t *) 0, (const uint8_t *) 0)) \ + : cfb8_encrypt((void *) &(self)->ctx, \ + (nettle_cipher_func *) (f), \ + sizeof((self)->iv), (self)->iv, \ + (length), (dst), (src))) + +#define CFB8_DECRYPT(self, f, length, dst, src) \ + (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ + (uint8_t *) 0, (const uint8_t *) 0)) \ + : cfb8_decrypt((void *) &(self)->ctx, \ + (nettle_cipher_func *) (f), \ + sizeof((self)->iv), (self)->iv, \ + (length), (dst), (src))) + #ifdef __cplusplus } #endif diff --git a/nettle.texinfo b/nettle.texinfo index aa374449c527..e610e74c79ab 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -94,6 +94,7 @@ Cipher modes * CBC:: * CTR:: * CFB:: +* CFB8:: * GCM:: * CCM:: @@ -1904,21 +1905,22 @@ Book mode, @acronym{ECB}), leaks information. Besides @acronym{ECB}, Nettle provides several other modes of operation: Cipher Block Chaining (@acronym{CBC}), Counter mode (@acronym{CTR}), Cipher -Feedback (@acronym{CFB}) and a couple of @acronym{AEAD} modes -(@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but +Feedback (@acronym{CFB} and @acronym{CFB8}) and a couple of @acronym{AEAD} +modes (@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but there are a few subtle issues of information leakage, see, e.g., @uref{http://www.kb.cert.org/vuls/id/958563, @acronym{SSH} @acronym{CBC} vulnerability}. Today, @acronym{CTR} is usually preferred over @acronym{CBC}. -Modes like @acronym{CBC}, @acronym{CTR} and @acronym{CFB} provide @emph{no} -message authentication, and should always be used together with a -@acronym{MAC} (@pxref{Keyed hash functions}) or signature to authenticate -the message. +Modes like @acronym{CBC}, @acronym{CTR}, @acronym{CFB} and @acronym{CFB8} +provide @emph{no} message authentication, and should always be used together +with a @acronym{MAC} (@pxref{Keyed hash functions}) or signature to +authenticate the message. @menu * CBC:: * CTR:: * CFB:: +* CFB8:: @end menu @node CBC, CTR, Cipher modes, Cipher modes @@ -2090,7 +2092,7 @@ last three arguments define the source and destination area for the operation. @end deffn -@node CFB, , CTR, Cipher modes +@node CFB, CFB8, CTR, Cipher modes @comment node-name, next, previous, up @subsection Cipher Feedback mode @@ -2175,6 +2177,86 @@ last three arguments define the source and destination area for the operation. @end deffn +@node CFB8, , CFB, Cipher modes +@comment node-name, next, previous, up +@subsection Cipher Feedback 8-bit mode + +@cindex Cipher Feedback 8-bit Mode +@cindex CFB8 Mode + +Cipher Feedback 8-bit mode (@acronym{CFB8}) transforms block cipher into a stream +cipher. The message is encrypted byte after byte, not requiring any padding. + +If @code{E_k} is the encryption function of a block cipher, @code{b} is +@code{E_k} block size, @code{IV} is the initialization vector, then the +@code{n} plaintext bytes are transformed into @code{n} ciphertext bytes +@code{C_1},@dots{} @code{C_n} as follows: + +@example +I_1 = IV +C_1 = E_k(I_1) [1..8] XOR M_1 +I_2 = I_1 [9..b] << 8 | C_1 +C_2 = E_k(I_2) [1..8] XOR M_2 + +@dots{} + +I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2) +C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1) +I_n = I_(n-1) [9..b] << 8 | C_(n-1) +C_n = E_k(I_n) [1..8] XOR M_n +@end example + +Nettle's includes two functions for applying a block cipher in Cipher +Feedback 8-bit (@acronym{CFB8}) mode, one for encryption and one for +decryption. These functions uses @code{void *} to pass cipher contexts +around. + +@deftypefun {void} cfb8_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx {void} cfb8_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) + +Applies the encryption or decryption function @var{f} in @acronym{CFB8} +mode. The final IV block processed is copied into @var{iv} +before returning, so that a large message can be processed by a sequence of +calls to @code{cfb8_encrypt}. Note that for @acronym{CFB8} mode internally +uses encryption only function and hence @var{f} should always be the +encryption function for the underlying block cipher. + +@end deftypefun + +Like for @acronym{CBC}, there are also a couple of helper macros. + +@deffn Macro CFB8_CTX (@var{context_type}, @var{block_size}) +Expands to +@example +@{ + context_type ctx; + uint8_t iv[block_size]; +@} +@end example +@end deffn + +@deffn Macro CFB8_SET_IV(@var{ctx}, @var{iv}) +First argument is a pointer to a context struct as defined by +@code{CFB8_CTX}, and the second is a pointer to an initialization vector +that is copied into that context. +@end deffn + +@deffn Macro CFB8_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) +A simpler way to invoke @code{cfb8_encrypt}. The first argument is a +pointer to a context struct as defined by @code{CFB8_CTX}, and the +second argument is an encryption function following Nettle's +conventions. The last three arguments define the source and destination +area for the operation. +@end deffn + +@deffn Macro CFB8_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) +A simpler way to invoke @code{cfb8_decrypt}. The first argument is a +pointer to a context struct as defined by @code{CFB8_CTX}, and the +second argument is an encryption function following Nettle's +conventions. The last three arguments define the source and destination +area for the operation. +@end deffn + @node Authenticated encryption, Keyed hash functions, Cipher modes, Reference @comment node-name, next, previous, up diff --git a/testsuite/cfb-test.c b/testsuite/cfb-test.c index b59bee225bf8..b83233830b5a 100644 --- a/testsuite/cfb-test.c +++ b/testsuite/cfb-test.c @@ -6,6 +6,7 @@ /* Test with more data and inplace decryption, to check that the * cfb_decrypt buffering works. */ #define CFB_BULK_DATA 10000 +#define CFB8_BULK_DATA CFB_BULK_DATA static void test_cfb_bulk(void) @@ -64,9 +65,110 @@ test_cfb_bulk(void) ASSERT (MEMEQ(CFB_BULK_DATA, clear, cipher)); } +static void +test_cfb8_bulk(void) +{ + struct knuth_lfib_ctx random; + + uint8_t clear[CFB8_BULK_DATA]; + + uint8_t cipher[CFB8_BULK_DATA + 1]; + + const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" + "743008105a08657d dcaad4128eee38b3"); + + const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); + const uint8_t *end_iv = H("f84bfd48206f5803 6ef86f4e69e9aec0"); + + struct CFB8_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; + + knuth_lfib_init(&random, CFB8_BULK_DATA); + knuth_lfib_random(&random, CFB8_BULK_DATA, clear); + + /* Byte that should not be overwritten */ + cipher[CFB8_BULK_DATA] = 17; + + aes_set_encrypt_key(&aes.ctx, 32, key); + CFB8_SET_IV(&aes, start_iv); + + CFB8_ENCRYPT(&aes, aes_encrypt, CFB8_BULK_DATA, cipher, clear); + + ASSERT(cipher[CFB8_BULK_DATA] == 17); + + if (verbose) + { + printf("IV after bulk encryption: "); + print_hex(AES_BLOCK_SIZE, aes.iv); + printf("\n"); + } + + ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); + + /* Decrypt, in place */ + aes_set_encrypt_key(&aes.ctx, 32, key); + CFB8_SET_IV(&aes, start_iv); + CFB8_DECRYPT(&aes, aes_encrypt, CFB8_BULK_DATA, cipher, cipher); + + ASSERT(cipher[CFB8_BULK_DATA] == 17); + + if (verbose) + { + printf("IV after bulk decryption: "); + print_hex(AES_BLOCK_SIZE, aes.iv); + printf("\n"); + } + + ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); + ASSERT (MEMEQ(CFB8_BULK_DATA, clear, cipher)); +} + void test_main(void) { + /* From NIST spec 800-38a on AES modes. + * + * F.3 CFB Example Vectors + * F.3.7 CFB8-AES128.Encrypt + */ + + test_cipher_cfb8(&nettle_aes128, + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("3b79424c9c0dd436bace9e0ed4586a4f" + "32b9"), + SHEX("000102030405060708090a0b0c0d0e0f")); + + /* From NIST spec 800-38a on AES modes. + * + * F.3 CFB Example Vectors + * F.3.9 CFB8-AES192.Encrypt + */ + + test_cipher_cfb8(&nettle_aes192, + SHEX("8e73b0f7da0e6452c810f32b809079e5" + "62f8ead2522c6b7b"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("cda2521ef0a905ca44cd057cbf0d47a0" + "678a"), + SHEX("000102030405060708090a0b0c0d0e0f")); + + /* From NIST spec 800-38a on AES modes. + * + * F.3 CFB Example Vectors + * F.3.11 CFB8-AES256.Encrypt + */ + + test_cipher_cfb8(&nettle_aes256, + SHEX("603deb1015ca71be2b73aef0857d7781" + "1f352c073b6108d72d9810a30914dff4"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("dc1f1a8520a64db55fcc8ac554844e88" + "9700"), + SHEX("000102030405060708090a0b0c0d0e0f")); + /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors @@ -139,6 +241,7 @@ test_main(void) SHEX("000102030405060708090a0b0c0d0e0f")); test_cfb_bulk(); + test_cfb8_bulk(); } /* diff --git a/testsuite/testutils.c b/testsuite/testutils.c index 08471958fbc0..5ee9eda35264 100644 --- a/testsuite/testutils.c +++ b/testsuite/testutils.c @@ -423,6 +423,184 @@ test_cipher_cfb(const struct nettle_cipher *cipher, free(iv); } +void +test_cipher_cfb8(const struct nettle_cipher *cipher, + const struct tstring *key, + const struct tstring *cleartext, + const struct tstring *ciphertext, + const struct tstring *iiv) +{ + void *ctx = xalloc(cipher->context_size); + uint8_t *data, *data2; + uint8_t *iv = xalloc(cipher->block_size); + size_t length; + + ASSERT (cleartext->length == ciphertext->length); + length = cleartext->length; + + ASSERT (key->length == cipher->key_size); + ASSERT (iiv->length == cipher->block_size); + + data = xalloc(length); + data2 = xalloc(length); + + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, cleartext->data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 encrypt failed:\nInput:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data2, data); + + if (!MEMEQ(length, data2, cleartext->data)) + { + fprintf(stderr, "CFB8 decrypt failed:\nInput:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data2); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + memcpy(data, cleartext->data, length); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, cleartext->data)) + { + fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\n"); + FAIL(); + } + + /* Repeat all tests with incomplete last block */ + length -= 1; + + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, cleartext->data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 encrypt failed:\nInput:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data2, data); + + if (!MEMEQ(length, data2, cleartext->data)) + { + fprintf(stderr, "CFB8 decrypt failed:\nInput:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data2); + fprintf(stderr, "\nExpected:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + memcpy(data, cleartext->data, length); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, cleartext->data)) + { + fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\n"); + FAIL(); + } + + free(ctx); + free(data); + free(data2); + free(iv); +} + void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, diff --git a/testsuite/testutils.h b/testsuite/testutils.h index fbbba7b9fab5..ded57db6ab4f 100644 --- a/testsuite/testutils.h +++ b/testsuite/testutils.h @@ -129,6 +129,13 @@ test_cipher_cfb(const struct nettle_cipher *cipher, const struct tstring *ciphertext, const struct tstring *iv); +void +test_cipher_cfb8(const struct nettle_cipher *cipher, + const struct tstring *key, + const struct tstring *cleartext, + const struct tstring *ciphertext, + const struct tstring *iv); + void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, -- 2.15.1

2 1

[PATCH] Allow user to specify multiple algorithms to nettle-benchmark
by Dmitry Eremin-Solenikov 13 Jan '18

13 Jan '18

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- examples/nettle-benchmark.c | 47 +++++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 21 deletions(-) diff --git a/examples/nettle-benchmark.c b/examples/nettle-benchmark.c index 53c4e5f9..e0578c31 100644 --- a/examples/nettle-benchmark.c +++ b/examples/nettle-benchmark.c @@ -794,7 +794,7 @@ main(int argc, char **argv) break; case OPT_HELP: - printf("Usage: nettle-benchmark [-f clock frequency] [alg]\n"); + printf("Usage: nettle-benchmark [-f clock frequency] [alg...]\n"); return EXIT_SUCCESS; case '?': @@ -804,8 +804,6 @@ main(int argc, char **argv) abort(); } - alg = argv[optind]; - time_init(); bench_sha1_compress(); bench_salsa20_core(); @@ -815,29 +813,36 @@ main(int argc, char **argv) header(); - if (!alg || strstr ("memxor", alg)) + do { - time_memxor(); - printf("\n"); - } - - for (i = 0; hashes[i]; i++) - if (!alg || strstr(hashes[i]->name, alg)) - time_hash(hashes[i]); + alg = argv[optind]; + + if (!alg || strstr ("memxor", alg)) + { + time_memxor(); + printf("\n"); + } + + for (i = 0; hashes[i]; i++) + if (!alg || strstr(hashes[i]->name, alg)) + time_hash(hashes[i]); + + if (!alg || strstr ("umac", alg)) + time_umac(); - if (!alg || strstr ("umac", alg)) - time_umac(); + if (!alg || strstr ("poly1305-aes", alg)) + time_poly1305_aes(); - if (!alg || strstr ("poly1305-aes", alg)) - time_poly1305_aes(); + for (i = 0; ciphers[i]; i++) + if (!alg || strstr(ciphers[i]->name, alg)) + time_cipher(ciphers[i]); - for (i = 0; ciphers[i]; i++) - if (!alg || strstr(ciphers[i]->name, alg)) - time_cipher(ciphers[i]); + for (i = 0; aeads[i]; i++) + if (!alg || strstr(aeads[i]->name, alg)) + time_aead(aeads[i]); - for (i = 0; aeads[i]; i++) - if (!alg || strstr(aeads[i]->name, alg)) - time_aead(aeads[i]); + optind++; + } while (alg && argv[optind]); return 0; } -- 2.11.0

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs January 2018