Hello,
I've made a new Merge Request in the nettle gitlab repo to provide
RSA-OAEP encryption and decryption:
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/20
It adds 2 new functions:
int
pkcs1_oaep_encrypt (size_t key_size,
                    void *random_ctx, nettle_random_func *random,
                    size_t hlen,
                    size_t label_length, const uint8_t *label,
                    size_t message_length, const uint8_t *message,
                    mpz_t m);
int
pkcs1_oaep_decrypt (size_t key_size,
                    const mpz_t m,
                    size_t hlen,
                    size_t label_length, const uint8_t *label,
                    size_t *length, uint8_t *message);
The parameter hlen is the output length of the SHA function used for
masking data:
- SHA1_DIGEST_SIZE
- SHA256_DIGEST_SIZE
- SHA384_DIGEST_SIZE
- SHA512_DIGEST_SIZE
Is it possible to get feedback for this MR and eventually push it to the
master branch?
Thanks in advance
/Nicolas
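The EME-OAEP encoding that the hlen and label parameters above feed into, as an added Python example written for this post (it is not the merge request's code): by my reading of the prototypes, the encoded block EM is what the proposed functions convert to and from the integer m around the RSA exponentiation. Lengths are in bytes, hlen is taken from the hash, and the bound message_length <= key_size - 2*hlen - 2 is enforced explicitly.

```python
import hashlib
from os import urandom


def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 mask generation function (RFC 8017, B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(k: int, hash_name: str, label: bytes, message: bytes, seed=None) -> bytes:
    """EME-OAEP encoding (RFC 8017, 7.1.1 step 2). k is the key size in bytes;
    hlen (the hash output size) bounds the message to k - 2*hlen - 2 bytes."""
    hlen = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * hlen - 2:
        raise ValueError("message too long for this key size and hash")
    lhash = hashlib.new(hash_name, label).digest()
    db = lhash + b"\x00" * (k - len(message) - 2 * hlen - 2) + b"\x01" + message
    seed = urandom(hlen) if seed is None else seed  # fresh random seed per encryption
    masked_db = xor(db, mgf1(seed, k - hlen - 1, hash_name))
    masked_seed = xor(seed, mgf1(masked_db, hlen, hash_name))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(k: int, hash_name: str, label: bytes, em: bytes):
    """EME-OAEP decoding (RFC 8017, 7.1.2 step 3). Returns the message, or None
    on any padding/label error. A production decoder must additionally run these
    checks in constant time so that one failure is indistinguishable from another."""
    hlen = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * hlen + 2:
        return None
    lhash = hashlib.new(hash_name, label).digest()
    masked_seed, masked_db = em[1:1 + hlen], em[1 + hlen:]
    seed = xor(masked_seed, mgf1(masked_db, hlen, hash_name))
    db = xor(masked_db, mgf1(seed, k - hlen - 1, hash_name))
    i = hlen  # skip the zero padding PS to find the 0x01 separator
    while i < len(db) and db[i] == 0:
        i += 1
    separator_ok = i < len(db) and db[i] == 1
    if em[0] != 0 or db[:hlen] != lhash or not separator_ok:
        return None
    return db[i + 1:]
```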
I'm looking at implementing elliptic curve point compression a la SEC1
(admittedly, mostly to reduce the number of "feature not supported" code
paths in a library, but it seems like a somewhat useful ability).
Nettle/Hogweed already implements it internally for curve25519, but I want
to implement it for the "secp" curves as well.
Point compression is easy enough, but point decompression requires some
curve math, potentially dependent on the specific curve, and some of it is
redundant with what's already done in ecc_point_set(). So I was thinking
about moving this functionality into Hogweed as a function along the lines
of ecc_point_set_compressed(), which would take, instead of a y-coordinate,
an int containing the sign/parity of the y-coordinate.
So my question for the list and for the maintainers is, is this a
reasonable API to add to Hogweed? Is there interest in including it in
Hogweed if I were to take the time to turn it into a tidy patch?
I made a merge request for optimizing AES modes on s390x architecture, the
patch implements the optimized cores using cipher instructions that have
been added to s390x arch in message security assist extensions. The patch
uses the following functions:
KM-AES-128 (ECB-AES128)
KM-AES-192 (ECB-AES192)
KM-AES-256 (ECB-AES256)
KMC-AES-128 (CBC-AES128)
KMC-AES-192 (CBC-AES192)
KMC-AES-256 (CBC-AES256)
KMAC-AES-128 (CCM-AES128, CMAC-AES128)
KMAC-AES-192 (CCM-AES192)
KMAC-AES-256 (CCM-AES256, CMAC-AES256)
KMF-AES-128 (CFB-AES128, CFB8-AES128)
KMF-AES-192 (CFB-AES192, CFB8-AES192)
KMF-AES-256 (CFB-AES256, CFB8-AES256)
KM-XTS-AES-128 (XTS-AES128)
KM-XTS-AES-256 (XTS-AES256)
KIMD-GHASH (GHASH)
KMCTR-AES-128, KMA-GCM-AES-128 (CTR-AES128)
KMCTR-AES-192, KMA-GCM-AES-192 (CTR-AES192)
KMCTR-AES-256, KMA-GCM-AES-256 (CTR-AES256)
KMA-GCM-AES-128 (GCM-AES128)
KMA-GCM-AES-192 (GCM-AES192)
KMA-GCM-AES-256 (GCM-AES256)
The merge request also has a benchmark that measures the speed of the optimized
cores on the s390x arch.
I can't set up gitlab CI for automatic testing on s390x arch because qemu
hasn't implemented cipher functions for this arch. However, there is an
easy way to test the patch manually by requesting a free account on the
LinuxONE Community Cloud; both short-term and long-term access are available.
https://linuxone.cloud.marist.edu/#/register?flag=VM
regards,
Mamone
I made a merge request !26
<https://git.lysator.liu.se/nettle/nettle/-/merge_requests/26> that
optimizes the GHASH algorithm for S390x architecture. I've attached a
benchmark in the description of merge request that describes the
improvement of using GHASH accelerator over C implementation. I've also
made two patches for fat build support of AES and GHASH for S390x
architecture, in addition to optimizing the memxor function using the 'xc (xor
storage-to-storage) instruction'.
Files · s390x-fat · Maamoun TK / nettle · GitLab (liu.se)
<https://git.lysator.liu.se/mamonet/nettle/-/tree/s390x-fat>
Files · s390x-memxor · Maamoun TK / nettle · GitLab (liu.se)
<https://git.lysator.liu.se/mamonet/nettle/-/tree/s390x-memxor>
I'll make merge requests for both patches after the current one is
merged, since they need to be rebased on top of that patch.
regards,
Mamone
Hello mailing list,
I am a student at Brno University of Technology at Faculty of Information
Technology and intern at Red Hat Crypto team.
My current project is the implementation of HPKE draft [0]. The first goal
is to implement mode_base.
Example usage for the project is the encrypted hello message in TLS [1].
Do you have interest in merging the code after completion?
[0] https://tools.ietf.org/html/draft-irtf-cfrg-hpke-07
[1] https://gitlab.com/gnutls/gnutls/-/issues/595
Regards
Norbert Pócs
This patch adds fat build support for the SHA1 compress function using the regular
HWCAP features.
---
arm64/fat/sha1-compress-2.asm | 37 +++++++++++++++++++++++++++++++++++++
fat-arm64.c | 32 ++++++++++++++++++++++++++++++--
2 files changed, 67 insertions(+), 2 deletions(-)
create mode 100644 arm64/fat/sha1-compress-2.asm
diff --git a/arm64/fat/sha1-compress-2.asm b/arm64/fat/sha1-compress-2.asm
new file mode 100644
index 00000000..b53cb63e
--- /dev/null
+++ b/arm64/fat/sha1-compress-2.asm
@@ -0,0 +1,37 @@
+C arm64/fat/sha1-compress-2.asm
+
+
+ifelse(`
+ Copyright (C) 2021 Mamone Tarsha
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl PROLOGUE(nettle_sha1_compress) picked up by configure
+
+define(`fat_transform', `_$1_arm64')
+include_src(`arm64/crypto/sha1-compress.asm')
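Review bot: the `dnl PROLOGUE(nettle_sha1_compress) picked up by configure` comment only has an effect if configure's optional asm list for the arm64 fat build actually names sha1-compress-2.asm, and the diffstat shows no configure.ac change; please confirm that entry already exists or add it to this patch. A one-line comment at the top of the file explaining why the fat wrapper is named sha1-compress-2.asm rather than sha1-compress.asm would also help the next reader.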
diff --git a/fat-arm64.c b/fat-arm64.c
index 9f81951f..c696e9bb 100644
--- a/fat-arm64.c
+++ b/fat-arm64.c
@@ -61,10 +61,14 @@
#ifndef HWCAP_PMULL
#define HWCAP_PMULL (1 << 4)
#endif
+#ifndef HWCAP_SHA1
+#define HWCAP_SHA1 (1 << 5)
+#endif
struct arm64_features
{
int have_pmull;
+ int have_sha1;
};
#define MATCH(s, slen, literal, llen) \
@@ -75,6 +79,7 @@ get_arm64_features (struct arm64_features *features)
{
const char *s;
features->have_pmull = 0;
+ features->have_sha1 = 0;
s = secure_getenv (ENV_OVERRIDE);
if (s)
@@ -85,6 +90,8 @@ get_arm64_features (struct arm64_features *features)
if (MATCH (s, length, "pmull", 5))
features->have_pmull = 1;
+ else if (MATCH (s, length, "sha1", 4))
+ features->have_sha1 = 1;
if (!sep)
break;
s = sep + 1;
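Review bot: the new `else if (MATCH (s, length, "sha1", 4))` branch introduces a "sha1" keyword for the ENV_OVERRIDE string, but neither the commit message nor anything else in the patch mentions it; please document the new override keyword next to the existing "pmull" one (at least in the commit message) so users of the override variable can find it.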
@@ -95,6 +102,8 @@ get_arm64_features (struct arm64_features *features)
unsigned long hwcap = getauxval(AT_HWCAP);
features->have_pmull
= ((hwcap & (HWCAP_ASIMD | HWCAP_PMULL)) == (HWCAP_ASIMD | HWCAP_PMULL));
+ features->have_sha1
+ = ((hwcap & (HWCAP_ASIMD | HWCAP_SHA1)) == (HWCAP_ASIMD | HWCAP_SHA1));
#endif
}
}
@@ -109,6 +118,10 @@ DECLARE_FAT_FUNC_VAR(gcm_hash, gcm_hash_func, c)
DECLARE_FAT_FUNC_VAR(gcm_hash, gcm_hash_func, arm64)
#endif /* GCM_TABLE_BITS == 8 */
+DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func)
+DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c)
+DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, arm64)
+
static void CONSTRUCTOR
fat_init (void)
{
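Review bot: `DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c)` makes fat_init assign `_nettle_sha1_compress_c` in a later hunk, yet the diffstat touches only fat-arm64.c and the new asm file; confirm that the existing C sha1-compress source already emits that symbol in the arm64 fat configuration, or include the change that provides it in this patch so the fat build links.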
@@ -119,8 +132,9 @@ fat_init (void)
verbose = getenv (ENV_VERBOSE) != NULL;
if (verbose)
- fprintf (stderr, "libnettle: cpu features: %s\n",
- features.have_pmull ? "polynomial multiply long instructions
(PMULL/PMULL2)" : "");
+ fprintf (stderr, "libnettle: cpu features:%s%s\n",
+ features.have_pmull ? " polynomial multiply long instructions
(PMULL/PMULL2)" : "",
+ features.have_sha1 ? " sha1 instructions" : "");
if (features.have_pmull)
{
@@ -142,6 +156,16 @@ fat_init (void)
_nettle_gcm_hash_vec = _nettle_gcm_hash_c;
#endif /* GCM_TABLE_BITS == 8 */
}
+ if (features.have_sha1)
+ {
+ if (verbose)
+ fprintf (stderr, "libnettle: enabling hardware-accelerated sha1 compress
code.\n");
+ nettle_sha1_compress_vec = _nettle_sha1_compress_arm64;
+ }
+ else
+ {
+ nettle_sha1_compress_vec = _nettle_sha1_compress_c;
+ }
}
#if GCM_TABLE_BITS == 8
@@ -154,3 +178,7 @@ DEFINE_FAT_FUNC(_nettle_gcm_hash, void,
size_t length, const uint8_t *data),
(key, x, length, data))
#endif /* GCM_TABLE_BITS == 8 */
+
+DEFINE_FAT_FUNC(nettle_sha1_compress, void,
+ (uint32_t *state, const uint8_t *input),
+ (state, input))
--
2.25.1
I've prepared a new bug-fix release of Nettle, a low-level
cryptographic library, to fix bugs in the RSA decryption functions. The
bugs cause crashes on certain invalid inputs, which could be used
for denial of service attacks on applications using these functions.
More details in NEWS file below.
Upgrading is strongly recommended.
The Nettle home page can be found at
https://www.lysator.liu.se/~nisse/nettle/, and the manual at
https://www.lysator.liu.se/~nisse/nettle/nettle.html.
The release can be downloaded from
https://ftp.gnu.org/gnu/nettle/nettle-3.7.3.tar.gz
ftp://ftp.gnu.org/gnu/nettle/nettle-3.7.3.tar.gz
https://www.lysator.liu.se/~nisse/archive/nettle-3.7.3.tar.gz
Regards,
/Niels
NEWS for the Nettle 3.7.3 release
This is a bugfix release, fixing bugs that could make the RSA
decryption functions crash on invalid inputs.
Upgrading to the new version is strongly recommended. For
applications that want to support older versions of Nettle,
the bug can be worked around by adding a check that the RSA
ciphertext is in the range 0 < ciphertext < n, before
attempting to decrypt it.
Thanks to Paul Schaub and Justus Winter for reporting these
problems.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.4 and libhogweed.so.6.4, with sonames
libnettle.so.8 and libhogweed.so.6.
Bug fixes:
* Fix crash for zero input to rsa_sec_decrypt and
rsa_decrypt_tr. Potential denial of service vector.
* Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
failure for out of range inputs, instead of either crashing,
or silently reducing input modulo n. Potential denial of
service vector.
* Ensure that rsa_decrypt returns failure for out of range
inputs, instead of silently reducing input modulo n.
* Ensure that rsa_sec_decrypt returns failure if the message
size is too large for the given key. Unlike the other bugs,
this would typically be triggered by invalid local
configuration, rather than by processing untrusted remote
data.
--
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
Hi!
This series introduces a mechanism to support arch specific, combined AES+GCM
{en,de}cryption functions. These functions are stubbed by default and will
fall-back to the separate hash and crypt functions if no arch override exists.
The arch override can be provided either at build time via appropriate config
options or using the FAT runtime mechanism.
An implementation combining AES+GCM _can potentially_ yield significant
performance boosts by allowing for increased instruction …
[View More]parallelism, avoiding
C-function call overhead, more flexibility in assembly fine-tuning, etc. This
series provides such an implementation based on the existing optimized Nettle
routines for POWER9 and later processors. Benchmark results on a POWER9
Blackbird running at 3.5GHz are given at the end of this mail. Both builds were
configured statically, i.e. not FAT. FAT performance is slightly lower for both
but shows similar gains with this series. The OpenSSL build is based on latest
OpenSSL master with all PowerPC optimizations enabled.
Note that the gains on an early POWER10 system are even more impressive but
unfortunately I cannot share those results publicly yet :(
AES+GCM combined (this series)
------------------------------
Algorithm          mode     Mbyte/s
gcm_aes128         encrypt  2567.62
gcm_aes128         decrypt  2582.32
gcm_aes128         update   7724.15
gcm_aes192         encrypt  2279.39
gcm_aes192         decrypt  2293.20
gcm_aes192         update   7724.41
gcm_aes256         encrypt  2054.09
gcm_aes256         decrypt  2061.25
gcm_aes256         update   7724.04
openssl gcm_aes128 encrypt  2336.93
openssl gcm_aes128 decrypt  2337.95
openssl gcm_aes128 update   6248.22
openssl gcm_aes192 encrypt  2113.93
openssl gcm_aes192 decrypt  2114.93
openssl gcm_aes192 update   6210.65
openssl gcm_aes256 encrypt  1936.95
openssl gcm_aes256 decrypt  1935.88
openssl gcm_aes256 update   6208.72

AES,GCM separate (nettle master)
--------------------------------
Algorithm          mode     Mbyte/s
gcm_aes128         encrypt  1418.66
gcm_aes128         decrypt  1418.97
gcm_aes128         update   7766.31
gcm_aes192         encrypt  1314.03
gcm_aes192         decrypt  1313.17
gcm_aes192         update   7760.23
gcm_aes256         encrypt  1218.75
gcm_aes256         decrypt  1218.64
gcm_aes256         update   7760.52
openssl gcm_aes128 encrypt  2324.70
openssl gcm_aes128 decrypt  2317.19
openssl gcm_aes128 update   6152.77
openssl gcm_aes192 encrypt  2102.99
openssl gcm_aes192 decrypt  2098.98
openssl gcm_aes192 update   6175.62
openssl gcm_aes256 encrypt  1925.85
openssl gcm_aes256 decrypt  1922.49
openssl gcm_aes256 update   6204.55
Christopher M. Riedl (6):
gcm: Introduce gcm_aes_{de,en}crypt()
ppc: Fix variable name for --enable-power-altivec
ppc: Add FAT feature and config option for ISA 3.0
ppc: Add gcm_aes_encrypt() asm for ISA 3.0 (P9)
ppc: Add gcm_aes_decrypt() asm for ISA 3.0 (P9)
ppc: Enable gcm_aes_{de,en}crypt() FAT
configure.ac | 19 +-
fat-ppc.c | 45 ++
fat-setup.h | 6 +
gcm-internal.h | 14 +
gcm.c | 151 ++++++-
powerpc64/fat/gcm-aes-decrypt.asm | 37 ++
powerpc64/fat/gcm-aes-encrypt.asm | 37 ++
powerpc64/p9/gcm-aes-decrypt.asm | 663 +++++++++++++++++++++++++++++
powerpc64/p9/gcm-aes-encrypt.asm | 666 ++++++++++++++++++++++++++++++
9 files changed, 1630 insertions(+), 8 deletions(-)
create mode 100644 powerpc64/fat/gcm-aes-decrypt.asm
create mode 100644 powerpc64/fat/gcm-aes-encrypt.asm
create mode 100644 powerpc64/p9/gcm-aes-decrypt.asm
create mode 100644 powerpc64/p9/gcm-aes-encrypt.asm
--
2.26.1