nettle-bugs July 2018

nettle-bugs@lists.lysator.liu.se

4 participants
5 discussions

[PATCH 0/8] Implement Curve448 ECDH and Ed448
by Daiki Ueno 02 Jan '20

02 Jan '20

Hello, This patch series implements the Curve448 Diffie-Hellman protocol (RFC 7748) and the Ed448 signature scheme (RFC 8032). Although I tried to make it as close as possible to the Curve25519 and Ed25519 implementations, I had to add a few special cases, namely: - for Curve448, eccdata directly calculates points on the Edwards curve instead of the equivalent Montgomery curve - untwisted versions of ecc_add_eh* and ecc_dup_eh are added - the point decoding for Ed448 uses a different formula to recover u and v Also, optimized implementation of modular reduction is currently missing, which is beyond my expertise. I would appreciate any suggestions regarding that. The patches are also available on: https://gitlab.com/dueno/nettle/commits/wip/dueno/ed448 Thanks to Hubert Kario and Nikos Mavrogiannopoulos for initial reviews. Daiki Ueno (8): ecc-mul-test: Fix mpn_cmp calls eccdata: Emit correct ecc_Bmodq_shifted for curve448 eccdata: Redirect ecc_point_out to given stream, instead of stderr ecc: Add add_hh and dup members to ecc_curve ecc-eh-to-a, eddsa-sign: Parameterize hard-coded value Implement curve448 primitives Implement SHAKE128/256 functions Implement Ed448 signature scheme .gitignore | 1 + Makefile.in | 18 +- curve448-eh-to-x.c | 73 + curve448-mul-g.c | 74 + curve448-mul.c | 148 + curve448.h | 58 + ecc-192.c | 5 + ecc-224.c | 5 + ecc-25519.c | 5 + ecc-256.c | 5 + ecc-384.c | 5 + ecc-448.c | 273 ++ ecc-521.c | 5 + ecc-add-eh.c | 74 +- ecc-add-ehh.c | 77 +- ecc-dup-eh.c | 55 +- ecc-eh-to-a.c | 4 +- ecc-internal.h | 57 +- ecc-mul-a-eh.c | 12 +- ecc-mul-g-eh.c | 4 +- ecc-point-mul-g.c | 7 +- ecc-point-mul.c | 2 +- ecc-point.c | 15 + eccdata.c | 183 +- ecdsa-keygen.c | 4 +- ed25519-sha512-sign.c | 15 + ed448-shake256-pubkey.c | 60 + ed448-shake256-sign.c | 92 + ed448-shake256-verify.c | 66 + eddsa-compress.c | 11 +- eddsa-decompress.c | 15 +- eddsa-expand.c | 20 +- eddsa-hash.c | 35 + eddsa-pubkey.c | 2 +- eddsa-sign.c | 18 +- eddsa-verify.c | 16 +- eddsa.h | 24 + examples/ecc-benchmark.c | 1 + nettle-internal.h | 2 +- nettle-meta-hashes.c | 2 + nettle-meta.h | 2 + nettle.texinfo | 152 +- sha3.c | 13 + sha3.h | 56 + shake128-meta.c | 42 + shake128.c | 84 + shake256-meta.c | 42 + shake256.c | 84 + testsuite/.test-rules.make | 12 + testsuite/Makefile.in | 5 +- testsuite/curve448-dh-test.c | 100 + testsuite/ecc-add-test.c | 48 +- testsuite/ecc-dup-test.c | 12 +- testsuite/ecc-mul-a-test.c | 6 +- testsuite/ecc-mul-g-test.c | 6 +- testsuite/ecdh-test.c | 16 +- testsuite/ecdsa-keygen-test.c | 16 + testsuite/ed448-test.c | 240 ++ testsuite/eddsa-compress-test.c | 137 +- testsuite/eddsa-sign-test.c | 66 +- testsuite/eddsa-verify-test.c | 49 +- testsuite/meta-hash-test.c | 2 + testsuite/shake.awk | 14 + testsuite/shake128-test.c | 6183 +++++++++++++++++++++++++++++++++++++++ testsuite/shake256-test.c | 6183 +++++++++++++++++++++++++++++++++++++++ testsuite/testutils.c | 57 +- 66 files changed, 14976 insertions(+), 199 deletions(-) create mode 100644 curve448-eh-to-x.c create mode 100644 curve448-mul-g.c create mode 100644 curve448-mul.c create mode 100644 curve448.h create mode 100644 ecc-448.c create mode 100644 ed448-shake256-pubkey.c create mode 100644 ed448-shake256-sign.c create mode 100644 ed448-shake256-verify.c create mode 100644 shake128-meta.c create mode 100644 shake128.c create mode 100644 shake256-meta.c create mode 100644 shake256.c create mode 100644 testsuite/curve448-dh-test.c create mode 100644 testsuite/ed448-test.c create mode 100755 testsuite/shake.awk create mode 100644 testsuite/shake128-test.c create mode 100644 testsuite/shake256-test.c -- 2.13.3

2 35

[RFC 1/4] hmac: provide alternative HMAC interface
by Dmitry Eremin-Solenikov 30 Jul '18

30 Jul '18

Provide alternative HMAC interface, with context struct having just derived key and single hash state instead of three hash states at once. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- hmac.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ hmac.h | 34 ++++++++++++++++++++++++++++- 2 files changed, 101 insertions(+), 1 deletion(-) diff --git a/hmac.c b/hmac.c index 6ac5e11a0686..44ac705856ad 100644 --- a/hmac.c +++ b/hmac.c @@ -115,3 +115,71 @@ hmac_digest(const void *outer, const void *inner, void *state, memcpy(state, inner, hash->context_size); } + +void +hmac2_set_key(void *outer, void *inner, void *state, + const struct nettle_hash *hash, + size_t key_length, const uint8_t *key) +{ + TMP_DECL(pad, uint8_t, NETTLE_MAX_HASH_BLOCK_SIZE); + TMP_ALLOC(pad, hash->block_size); + + hash->init(state); + if (key_length > hash->block_size) + { + /* Reduce key to the algorithm's hash size. Use the area pointed + * to by state for the temporary state. */ + + TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); + TMP_ALLOC(digest, hash->digest_size); + + hash->update(state, key_length, key); + hash->digest(state, hash->digest_size, digest); + + key = digest; + key_length = hash->digest_size; + } + + assert(key_length <= hash->block_size); + + memset(pad, OPAD, hash->block_size); + memxor(pad, key, key_length); + + /* Init happened before */ + hash->update(state, hash->block_size, pad); + memcpy(outer, state, hash->state_size); + + memset(pad, IPAD, hash->block_size); + memxor(pad, key, key_length); + + hash->init(state); + hash->update(state, hash->block_size, pad); + + memcpy(inner, state, hash->state_size); +} + +void +hmac2_update(void *state, + const struct nettle_hash *hash, + size_t length, const uint8_t *data) +{ + hash->update(state, length, data); +} + +void +hmac2_digest(const void *outer, const void *inner, void *state, + const struct nettle_hash *hash, + size_t length, uint8_t *dst) +{ + TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); + TMP_ALLOC(digest, hash->digest_size); + + hash->digest(state, hash->digest_size, digest); + + memcpy(state, outer, hash->state_size); + + hash->update(state, hash->digest_size, digest); + hash->digest(state, length, dst); + + memcpy(state, inner, hash->state_size); +} diff --git a/hmac.h b/hmac.h index 40a8e77aab6d..e6519023d259 100644 --- a/hmac.h +++ b/hmac.h @@ -49,6 +49,9 @@ extern "C" { #define hmac_set_key nettle_hmac_set_key #define hmac_update nettle_hmac_update #define hmac_digest nettle_hmac_digest +#define hmac2_set_key nettle_hmac2_set_key +#define hmac2_update nettle_hmac2_update +#define hmac2_digest nettle_hmac2_digest #define hmac_md5_set_key nettle_hmac_md5_set_key #define hmac_md5_update nettle_hmac_md5_update #define hmac_md5_digest nettle_hmac_md5_digest @@ -87,6 +90,24 @@ hmac_digest(const void *outer, const void *inner, void *state, size_t length, uint8_t *digest); +void +hmac2_set_key(void *outer, void *inner, void *state, + const struct nettle_hash *hash, + size_t length, const uint8_t *key); + +/* This function is not strictly needed, it's s just the same as the + * hash update or hmac2_update functions. */ +void +hmac2_update(void *state, + const struct nettle_hash *hash, + size_t length, const uint8_t *data); + +void +hmac2_digest(const void *outer, const void *inner, void *state, + const struct nettle_hash *hash, + size_t length, uint8_t *digest); + + #define HMAC_CTX(type) \ { type outer; type inner; type state; } @@ -98,10 +119,21 @@ hmac_digest(const void *outer, const void *inner, void *state, hmac_digest( &(ctx)->outer, &(ctx)->inner, &(ctx)->state, \ (hash), (length), (digest) ) +#define HMAC2_CTX(ctx_type, type) \ +{ type outer; type inner; ctx_type state; } + +#define HMAC2_SET_KEY(ctx, hash, length, key) \ + hmac2_set_key( &(ctx)->outer, &(ctx)->inner, &(ctx)->state, \ + (hash), (length), (key) ) + +#define HMAC2_DIGEST(ctx, hash, length, digest) \ + hmac2_digest( &(ctx)->outer, &(ctx)->inner, &(ctx)->state, \ + (hash), (length), (digest) ) + /* HMAC using specific hash functions */ /* hmac-md5 */ -struct hmac_md5_ctx HMAC_CTX(struct md5_ctx); +struct hmac_md5_ctx HMAC2_CTX(struct md5_ctx, struct md5_state); void hmac_md5_set_key(struct hmac_md5_ctx *ctx, -- 2.18.0

2 4

[PATCH] Add benchmarking for HMAC functions
by Dmitry Eremin-Solenikov 30 Jul '18

30 Jul '18

In preparation of changing internal HMAC interface add benchmarking for HMAC functions. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- examples/nettle-benchmark.c | 154 ++++++++++++++++++++++++++++++++++++ 1 file changed, 154 insertions(+) diff --git a/examples/nettle-benchmark.c b/examples/nettle-benchmark.c index 5a88e72dd678..101ba7d4abcc 100644 --- a/examples/nettle-benchmark.c +++ b/examples/nettle-benchmark.c @@ -67,6 +67,7 @@ #include "umac.h" #include "cmac.h" #include "poly1305.h" +#include "hmac.h" #include "nettle-meta.h" #include "nettle-internal.h" @@ -476,6 +477,147 @@ time_poly1305_aes(void) time_function(bench_hash, &info)); } +struct bench_hmac_info +{ + void *ctx; + nettle_hash_update_func *update; + nettle_hash_digest_func *digest; + size_t length; + size_t digest_length; + const uint8_t *data; +}; + +static void +bench_hmac(void *arg) +{ + struct bench_hmac_info *info = arg; + uint8_t digest[NETTLE_MAX_HASH_DIGEST_SIZE]; + size_t pos, length; + + length = info->length; + for (pos = 0; pos < BENCH_BLOCK; pos += length) + { + size_t single = pos + length < BENCH_BLOCK ? + length : + BENCH_BLOCK - pos; + info->update(info->ctx, single, info->data + pos); + info->digest(info->ctx, info->digest_length, digest); + } +} + +static const struct +{ + size_t length; + const char *msg; +} hmac_tests[] = { + { 64, "64 bytes" }, + { 256, "256 bytes" }, + { 1024, "1024 bytes" }, + { 4096, "4096 bytes" }, + { BENCH_BLOCK, "single msg" }, + { 0, NULL }, +}; + +static void +time_hmac_md5(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hmac_info info; + struct hmac_md5_ctx md5_ctx; + unsigned int pos; + + init_data(data); + info.data = data; + + hmac_md5_set_key(&md5_ctx, MD5_BLOCK_SIZE, data); + info.ctx = &md5_ctx; + info.update = (nettle_hash_update_func *) hmac_md5_update; + info.digest = (nettle_hash_digest_func *) hmac_md5_digest; + info.digest_length = MD5_DIGEST_SIZE; + + for (pos = 0; hmac_tests[pos].length != 0; pos++) + { + info.length = hmac_tests[pos].length; + display("hmac-md5", hmac_tests[pos].msg, MD5_BLOCK_SIZE, + time_function(bench_hmac, &info)); + } +} + +static void +time_hmac_sha1(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hmac_info info; + struct hmac_sha1_ctx sha1_ctx; + unsigned int pos; + + init_data(data); + info.data = data; + + hmac_sha1_set_key(&sha1_ctx, SHA1_BLOCK_SIZE, data); + info.ctx = &sha1_ctx; + info.update = (nettle_hash_update_func *) hmac_sha1_update; + info.digest = (nettle_hash_digest_func *) hmac_sha1_digest; + info.digest_length = SHA1_DIGEST_SIZE; + + for (pos = 0; hmac_tests[pos].length != 0; pos++) + { + info.length = hmac_tests[pos].length; + display("hmac-sha1", hmac_tests[pos].msg, SHA1_BLOCK_SIZE, + time_function(bench_hmac, &info)); + } +} + +static void +time_hmac_sha256(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hmac_info info; + struct hmac_sha256_ctx sha256_ctx; + unsigned int pos; + + init_data(data); + info.data = data; + + hmac_sha256_set_key(&sha256_ctx, SHA256_BLOCK_SIZE, data); + info.ctx = &sha256_ctx; + info.update = (nettle_hash_update_func *) hmac_sha256_update; + info.digest = (nettle_hash_digest_func *) hmac_sha256_digest; + info.digest_length = SHA256_DIGEST_SIZE; + + for (pos = 0; hmac_tests[pos].length != 0; pos++) + { + info.length = hmac_tests[pos].length; + display("hmac-sha256", hmac_tests[pos].msg, SHA256_BLOCK_SIZE, + time_function(bench_hmac, &info)); + } +} + +static void +time_hmac_sha512(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hmac_info info; + struct hmac_sha512_ctx sha512_ctx; + unsigned int pos; + + init_data(data); + info.data = data; + + hmac_sha512_set_key(&sha512_ctx, SHA512_BLOCK_SIZE, data); + info.ctx = &sha512_ctx; + info.update = (nettle_hash_update_func *) hmac_sha512_update; + info.digest = (nettle_hash_digest_func *) hmac_sha512_digest; + info.digest_length = SHA512_DIGEST_SIZE; + + for (pos = 0; hmac_tests[pos].length != 0; pos++) + { + info.length = hmac_tests[pos].length; + display("hmac-sha512", hmac_tests[pos].msg, SHA512_BLOCK_SIZE, + time_function(bench_hmac, &info)); + } +} + static int prefix_p(const char *prefix, const char *s) { @@ -883,6 +1025,18 @@ main(int argc, char **argv) if (!alg || strstr(aeads[i]->name, alg)) time_aead(aeads[i]); + if (!alg || strstr ("hmac-md5", alg)) + time_hmac_md5(); + + if (!alg || strstr ("hmac-sha1", alg)) + time_hmac_sha1(); + + if (!alg || strstr ("hmac-sha256", alg)) + time_hmac_sha256(); + + if (!alg || strstr ("hmac-sha512", alg)) + time_hmac_sha512(); + optind++; } while (alg && argv[optind]); -- 2.18.0

2 1

[PATCH 0/2] Rework HMAC interface
by Dmitry Eremin-Solenikov 25 Jul '18

25 Jul '18

Hello colleagues, I gave a little thought to Niels' idea: 5. Revamp hmac and underlying hash functions with a separate state struct. Probably low priority, but it is a bit silly that, e.g., hmac_sha512_ctx includes three 128-byte large block buffers. I've implemented new approach using hmac2 prefix, but if you like this approach I can switch hmac2 prefix to just hmac and drop older API. -- With best wishes Dmitry

3 6

nettle symbols: improve map files
by Nikos Mavrogiannopoulos 16 Jul '18

16 Jul '18

Hi, This patch makes the exported symbols explicit in the map file. Furthermore it moves symbols only listed in internal headers in a special section which makes them valid only for testing. I've tested it with abi-compliance-checker and it detects the following missing from nettle: nettle_aeads, nettle_armors, nettle_ciphers, nettle_hashes and from hogweed the nettle_secp_*r1, which seem expected. Niels, I'm not sure however if that was your intention. Didn't you want to deprecate some of the _nettle symbols as well like _nettle_secp_256r1? These are however still present in the exported headers and unless we remove them, they seem to be part of the API and ABI. I also attach the script which generated the files in case you'd like to play with it. regards, Nikos

3 26

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs July 2018