nettle-bugs June 2021

nettle-bugs@lists.lysator.liu.se

3 participants
11 discussions

Add RSA-OAEP encryption/decryption to Nettle
by Nicolas Mora 09 Mar '24

09 Mar '24

Hello, I've made a new Merge Request in the nettle gitlab repo to provide RSA-OAEP encryption and decryption: https://git.lysator.liu.se/nettle/nettle/-/merge_requests/20 It adds 2 new functions: int pkcs1_oaep_encrypt (size_t key_size, void *random_ctx, nettle_random_func *random, size_t hlen, size_t label_length, const uint8_t *label, size_t message_length, const uint8_t *message, mpz_t m); int pkcs1_oaep_decrypt (size_t key_size, const mpz_t m, size_t hlen, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message); The parameter hlen is the output length of the SHA function used for masking data: - SHA1_DIGEST_SIZE - SHA256_DIGEST_SIZE - SHA384_DIGEST_SIZE - SHA512_DIGEST_SIZE Is it possible to get feedback for this MR and eventually push it to the master branch? Thanks in advance /Nicolas

4 21

Curve point decompression
by Wim Lewis 10 Nov '21

10 Nov '21

I'm looking at implementing elliptic curve point compression a la SEC1 (admittedly, mostly to reduce the number of "feature not supported" code paths in a library, but it seems like a somewhat useful ability). Nettle/Hogweed already implements it internally for curve25519, but I want to implement it for the "secp" curves as well. Point compression is easy enough, but point decompression requires some curve math, potentially dependent on the specific curve, and some of it is redundant with what's already done in ecc_point_set(). So I was thinking about moving this functionality into Hogweed as a function along the lines of ecc_point_set_compressed(), which would take, instead of a y-coordinate, an int containing the sign/parity of the y-coordinate. So my question for the list and for the maintainers is, is this a reasonable API to add to Hogweed? Is there interest in including it in Hogweed if I were to take the time to turn it into a tidy patch?

3 10

[S390x] Optimize AES modes
by Maamoun TK 19 Sep '21

19 Sep '21

I made a merge request for optimizing AES modes on s390x architecture, the patch implements the optimized cores using cipher instructions that have been added to s390x arch in message security assist extensions. The patch uses the following functions: KM-AES-128 (ECB-AES128) KM-AES-192 (ECB-AES192) KM-AES-256 (ECB-AES256) KMC-AES-128 (CBC-AES128) KMC-AES-192 (CBC-AES192) KMC-AES-256 (CBC-AES256) KMAC-AES-128 (CCM-AES128, CMAC-AES128) KMAC-AES-192 (CCM-AES192) KMAC-AES-256 (CCM-AES256, CMAC-AES256) KMF-AES-128 (CFB-AES128, CFB8-AES128) KMF-AES-192 (CFB-AES192, CFB8-AES192) KMF-AES-256 (CFB-AES256, CFB8-AES256) KM-XTS-AES-128 (XTS-AES128) KM-XTS-AES-256 (XTS-AES256) KIMD-GHASH (GHASH) KMCTR-AES-128, KMA-GCM-AES-128 (CTR-AES128) KMCTR-AES-192, KMA-GCM-AES-192 (CTR-AES192) KMCTR-AES-256, KMA-GCM-AES-256 (CTR-AES256) KMA-GCM-AES-128 (GCM-AES128) KMA-GCM-AES-192 (GCM-AES192) KMA-GCM-AES-256 (GCM-AES256) The merge request has also a benchmark that measures the speed of optimized cores on s390x arch. I can't set up gitlab CI for automatic testing on s390x arch because qemu hasn't implemented cipher functions for this arch. However, there is an easy way to test the patch manually by requesting a free account on the LinuxONE Community Cloud, both short-term and long-term access are available. https://linuxone.cloud.marist.edu/#/register?flag=VM regards, Mamone

4 39

[S390x] Optimize GHASH
by Maamoun TK 17 Jul '21

17 Jul '21

I made a merge request !26 <https://git.lysator.liu.se/nettle/nettle/-/merge_requests/26> that optimizes the GHASH algorithm for S390x architecture. I've attached a benchmark in the description of merge request that describes the improvement of using GHASH accelerator over C implementation. I've also made two patches for fat build support of AES and GHASH for S390x architecture in addition to optimize memxor function using 'xc (xor storage-to-storage) instruction' Files · s390x-fat · Maamoun TK / nettle · GitLab (liu.se) <https://git.lysator.liu.se/mamonet/nettle/-/tree/s390x-fat> Files · s390x-memxor · Maamoun TK / nettle · GitLab (liu.se) <https://git.lysator.liu.se/mamonet/nettle/-/tree/s390x-memxor> I'll make merge requests for both patches after the current one being merged since they need to rebase on top of that patch. regards, Mamone

3 14

[Aarch64] Optimize AES
by Maamoun TK 17 Jul '21

17 Jul '21

This patch optimizes nettle_aes_encrypt() and nettle_aes_decrypt() functions for arm64 architecture, it takes advantage of 'aese' and 'aesmc' instructions to optimize the encryption function and 'aesd' and 'aesimc' to optimize the decryption function. The patch passes the testsuite of nettle. I also run the benchmark on gcc117 instance of CFarm by configuring the library with "--disable-fat --enable-arm64-crypto" options then executing examples/nettle-benchmark: aes128 ECB encrypt 2522.67 aes128 ECB decrypt 2522.53 aes192 ECB encrypt 2165.06 aes192 ECB decrypt 2165.04 aes256 ECB encrypt 1866.80 aes256 ECB decrypt 1866.38 openssl aes128 ECB encrypt 1043.52 openssl aes128 ECB decrypt 1043.05 openssl aes192 ECB encrypt 904.08 openssl aes192 ECB decrypt 903.85 openssl aes256 ECB encrypt 787.43 openssl aes256 ECB decrypt 787.20 gcm_aes128 encrypt 955.10 gcm_aes128 decrypt 955.06 gcm_aes128 update 3269.18 gcm_aes192 encrypt 896.26 gcm_aes192 decrypt 896.46 gcm_aes192 update 3270.24 gcm_aes256 encrypt 840.17 gcm_aes256 decrypt 843.53 gcm_aes256 update 3270.08 openssl gcm_aes128 encrypt 894.51 openssl gcm_aes128 decrypt 899.05 openssl gcm_aes128 update 1636.61 openssl gcm_aes192 encrypt 834.94 openssl gcm_aes192 decrypt 841.99 openssl gcm_aes192 update 1631.40 openssl gcm_aes256 encrypt 788.48 openssl gcm_aes256 decrypt 791.31 openssl gcm_aes256 update 1635.18 I'm a little suspicious about the benchmark numbers because as I remember the performance of gcm update doesn't double the openssl number, I repeat running the process but kept giving the same performance margin. --- arm64/crypto/aes-decrypt-internal.asm | 223 ++++++++++++++++++++++++++++++++++ arm64/crypto/aes-encrypt-internal.asm | 223 ++++++++++++++++++++++++++++++++++ 2 files changed, 446 insertions(+) create mode 100644 arm64/crypto/aes-decrypt-internal.asm create mode 100644 arm64/crypto/aes-encrypt-internal.asm diff --git a/arm64/crypto/aes-decrypt-internal.asm b/arm64/crypto/aes-decrypt-internal.asm new file mode 100644 index 00000000..4bfdb314 --- /dev/null +++ b/arm64/crypto/aes-decrypt-internal.asm @@ -0,0 +1,223 @@ +C arm64/crypto/aes-decrypt-internal.asm + +ifelse(` + Copyright (C) 2021 Mamone Tarsha + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + +.file "aes-decrypt-internal.asm" +.arch armv8-a+crypto + +.text + +C Register usage: + +define(`ROUNDS', `x0') +define(`KEYS', `x1') +define(`LENGTH', `x3') +define(`DST', `x4') +define(`SRC', `x5') + +define(`S0', `v0') +define(`S1', `v1') +define(`S2', `v2') +define(`S3', `v3') +define(`K0', `v16') +define(`K1', `v17') +define(`K2', `v18') +define(`K3', `v19') +define(`K4', `v20') +define(`K5', `v21') +define(`K6', `v22') +define(`K7', `v23') +define(`K8', `v24') +define(`K9', `v25') +define(`K10', `v26') +define(`K11', `v27') +define(`K12', `v28') +define(`K13', `v29') +define(`K14', `v30') + +C AES_ROUND_4B(KEY) +define(`AES_ROUND_4B', m4_assert_numargs(1)` + aesd S0.16b,$1.16b + aesimc S0.16b,S0.16b + aesd S1.16b,$1.16b + aesimc S1.16b,S1.16b + aesd S2.16b,$1.16b + aesimc S2.16b,S2.16b + aesd S3.16b,$1.16b + aesimc S3.16b,S3.16b +') + +C AES_LAST_ROUND_4B(KEY) +define(`AES_LAST_ROUND_4B', m4_assert_numargs(1)` + aesd S0.16b,$1.16b + eor S0.16b,S0.16b,K14.16b + aesd S1.16b,$1.16b + eor S1.16b,S1.16b,K14.16b + aesd S2.16b,$1.16b + eor S2.16b,S2.16b,K14.16b + aesd S3.16b,$1.16b + eor S3.16b,S3.16b,K14.16b +') + +C AES_ROUND_1B(KEY) +define(`AES_ROUND_1B', m4_assert_numargs(1)` + aesd S0.16b,$1.16b + aesimc S0.16b,S0.16b +') + +C AES_LAST_ROUND_1B(KEY) +define(`AES_LAST_ROUND_1B', m4_assert_numargs(1)` + aesd S0.16b,$1.16b + eor S0.16b,S0.16b,K14.16b +') + +C _aes_decrypt(unsigned rounds, const uint32_t *keys, +C const struct aes_table *T, +C size_t length, uint8_t *dst, +C const uint8_t *src) + +PROLOGUE(_nettle_aes_decrypt) + ands x6,LENGTH,#-64 + b.eq L1B + + mov x7,KEYS + ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[x7],#64 + ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[x7],#64 + ld1 {K8.4s,K9.4s},[x7],#32 + cmp ROUNDS,#10 + b.eq L4B_last_key + ld1 {K10.4s,K11.4s},[x7],#32 + cmp ROUNDS,#12 + b.eq L4B_last_key + ld1 {K12.4s,K13.4s},[x7],#32 + +L4B_last_key: + ld1 {K14.4s},[x7] + +L4B_loop: + ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 + + AES_ROUND_4B(K0) + AES_ROUND_4B(K1) + AES_ROUND_4B(K2) + AES_ROUND_4B(K3) + AES_ROUND_4B(K4) + AES_ROUND_4B(K5) + AES_ROUND_4B(K6) + AES_ROUND_4B(K7) + AES_ROUND_4B(K8) + cmp ROUNDS,#10 + b.eq L4B_10_round + cmp ROUNDS,#12 + b.eq L4B_12_round + b L4B_14_round + +L4B_10_round: + AES_LAST_ROUND_4B(K9) + b L4B_done +L4B_12_round: + AES_ROUND_4B(K9) + AES_ROUND_4B(K10) + AES_LAST_ROUND_4B(K11) + b L4B_done +L4B_14_round: + AES_ROUND_4B(K9) + AES_ROUND_4B(K10) + AES_ROUND_4B(K11) + AES_ROUND_4B(K12) + AES_LAST_ROUND_4B(K13) + +L4B_done: + st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 + + subs x6,x6,#64 + b.ne L4B_loop + + and LENGTH,LENGTH,#63 + +L1B: + cbz LENGTH,Ldone + + mov x6,KEYS + ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[x6],#64 + ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[x6],#64 + ld1 {K8.4s,K9.4s},[x6],#32 + cmp ROUNDS,#10 + b.eq L1B_last_key + ld1 {K10.4s,K11.4s},[x6],#32 + cmp ROUNDS,#12 + b.eq L1B_last_key + ld1 {K12.4s,K13.4s},[x6],#32 + +L1B_last_key: + ld1 {K14.4s},[x6] + +L1B_loop: + ld1 {S0.16b},[SRC],#16 + + AES_ROUND_1B(K0) + AES_ROUND_1B(K1) + AES_ROUND_1B(K2) + AES_ROUND_1B(K3) + AES_ROUND_1B(K4) + AES_ROUND_1B(K5) + AES_ROUND_1B(K6) + AES_ROUND_1B(K7) + AES_ROUND_1B(K8) + cmp ROUNDS,#10 + b.eq L1B_10_round + cmp ROUNDS,#12 + b.eq L1B_12_round + b L1B_14_round + +L1B_10_round: + AES_LAST_ROUND_1B(K9) + b L1B_done +L1B_12_round: + AES_ROUND_1B(K9) + AES_ROUND_1B(K10) + AES_LAST_ROUND_1B(K11) + b L1B_done +L1B_14_round: + AES_ROUND_1B(K9) + AES_ROUND_1B(K10) + AES_ROUND_1B(K11) + AES_ROUND_1B(K12) + AES_LAST_ROUND_1B(K13) + +L1B_done: + st1 {S0.16b},[DST],#16 + + subs LENGTH,LENGTH,#16 + b.ne L1B_loop + +Ldone: + ret +EPILOGUE(_nettle_aes_decrypt) diff --git a/arm64/crypto/aes-encrypt-internal.asm b/arm64/crypto/aes-encrypt-internal.asm new file mode 100644 index 00000000..314f9333 --- /dev/null +++ b/arm64/crypto/aes-encrypt-internal.asm @@ -0,0 +1,223 @@ +C arm64/crypto/aes-encrypt-internal.asm + +ifelse(` + Copyright (C) 2021 Mamone Tarsha + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + +.file "aes-encrypt-internal.asm" +.arch armv8-a+crypto + +.text + +C Register usage: + +define(`ROUNDS', `x0') +define(`KEYS', `x1') +define(`LENGTH', `x3') +define(`DST', `x4') +define(`SRC', `x5') + +define(`S0', `v0') +define(`S1', `v1') +define(`S2', `v2') +define(`S3', `v3') +define(`K0', `v16') +define(`K1', `v17') +define(`K2', `v18') +define(`K3', `v19') +define(`K4', `v20') +define(`K5', `v21') +define(`K6', `v22') +define(`K7', `v23') +define(`K8', `v24') +define(`K9', `v25') +define(`K10', `v26') +define(`K11', `v27') +define(`K12', `v28') +define(`K13', `v29') +define(`K14', `v30') + +C AES_ROUND_4B(KEY) +define(`AES_ROUND_4B', m4_assert_numargs(1)` + aese S0.16b,$1.16b + aesmc S0.16b,S0.16b + aese S1.16b,$1.16b + aesmc S1.16b,S1.16b + aese S2.16b,$1.16b + aesmc S2.16b,S2.16b + aese S3.16b,$1.16b + aesmc S3.16b,S3.16b +') + +C AES_LAST_ROUND_4B(KEY) +define(`AES_LAST_ROUND_4B', m4_assert_numargs(1)` + aese S0.16b,$1.16b + eor S0.16b,S0.16b,K14.16b + aese S1.16b,$1.16b + eor S1.16b,S1.16b,K14.16b + aese S2.16b,$1.16b + eor S2.16b,S2.16b,K14.16b + aese S3.16b,$1.16b + eor S3.16b,S3.16b,K14.16b +') + +C AES_ROUND_1B(KEY) +define(`AES_ROUND_1B', m4_assert_numargs(1)` + aese S0.16b,$1.16b + aesmc S0.16b,S0.16b +') + +C AES_LAST_ROUND_1B(KEY) +define(`AES_LAST_ROUND_1B', m4_assert_numargs(1)` + aese S0.16b,$1.16b + eor S0.16b,S0.16b,K14.16b +') + +C _aes_encrypt(unsigned rounds, const uint32_t *keys, +C const struct aes_table *T, +C size_t length, uint8_t *dst, +C uint8_t *src) + +PROLOGUE(_nettle_aes_encrypt) + ands x6,LENGTH,#-64 + b.eq L1B + + mov x7,KEYS + ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[x7],#64 + ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[x7],#64 + ld1 {K8.4s,K9.4s},[x7],#32 + cmp ROUNDS,#10 + b.eq L4B_last_key + ld1 {K10.4s,K11.4s},[x7],#32 + cmp ROUNDS,#12 + b.eq L4B_last_key + ld1 {K12.4s,K13.4s},[x7],#32 + +L4B_last_key: + ld1 {K14.4s},[x7] + +L4B_loop: + ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 + + AES_ROUND_4B(K0) + AES_ROUND_4B(K1) + AES_ROUND_4B(K2) + AES_ROUND_4B(K3) + AES_ROUND_4B(K4) + AES_ROUND_4B(K5) + AES_ROUND_4B(K6) + AES_ROUND_4B(K7) + AES_ROUND_4B(K8) + cmp ROUNDS,#10 + b.eq L4B_10_round + cmp ROUNDS,#12 + b.eq L4B_12_round + b L4B_14_round + +L4B_10_round: + AES_LAST_ROUND_4B(K9) + b L4B_done +L4B_12_round: + AES_ROUND_4B(K9) + AES_ROUND_4B(K10) + AES_LAST_ROUND_4B(K11) + b L4B_done +L4B_14_round: + AES_ROUND_4B(K9) + AES_ROUND_4B(K10) + AES_ROUND_4B(K11) + AES_ROUND_4B(K12) + AES_LAST_ROUND_4B(K13) + +L4B_done: + st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 + + subs x6,x6,#64 + b.ne L4B_loop + + and LENGTH,LENGTH,#63 + +L1B: + cbz LENGTH,Ldone + + mov x6,KEYS + ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[x6],#64 + ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[x6],#64 + ld1 {K8.4s,K9.4s},[x6],#32 + cmp ROUNDS,#10 + b.eq L1B_last_key + ld1 {K10.4s,K11.4s},[x6],#32 + cmp ROUNDS,#12 + b.eq L1B_last_key + ld1 {K12.4s,K13.4s},[x6],#32 + +L1B_last_key: + ld1 {K14.4s},[x6] + +L1B_loop: + ld1 {S0.16b},[SRC],#16 + + AES_ROUND_1B(K0) + AES_ROUND_1B(K1) + AES_ROUND_1B(K2) + AES_ROUND_1B(K3) + AES_ROUND_1B(K4) + AES_ROUND_1B(K5) + AES_ROUND_1B(K6) + AES_ROUND_1B(K7) + AES_ROUND_1B(K8) + cmp ROUNDS,#10 + b.eq L1B_10_round + cmp ROUNDS,#12 + b.eq L1B_12_round + b L1B_14_round + +L1B_10_round: + AES_LAST_ROUND_1B(K9) + b L1B_done +L1B_12_round: + AES_ROUND_1B(K9) + AES_ROUND_1B(K10) + AES_LAST_ROUND_1B(K11) + b L1B_done +L1B_14_round: + AES_ROUND_1B(K9) + AES_ROUND_1B(K10) + AES_ROUND_1B(K11) + AES_ROUND_1B(K12) + AES_LAST_ROUND_1B(K13) + +L1B_done: + st1 {S0.16b},[DST],#16 + + subs LENGTH,LENGTH,#16 + b.ne L1B_loop + +Ldone: + ret +EPILOGUE(_nettle_aes_encrypt) -- 2.25.1

2 2

HPKE implementation
by Norbert Pocs 14 Jul '21

14 Jul '21

Hello mailing list, I am a student at Brno University of Technology at Faculty of Information Technology and intern at Red Hat Crypto team. My current project is the implementation of HPKE draft [0]. The first goal is to implement mode_base. Example usage for the project is the encrypted hello message in TLS [1]. Do you have interest in merging the code after completion? [0] https://tools.ietf.org/html/draft-irtf-cfrg-hpke-07 [1] https://gitlab.com/gnutls/gnutls/-/issues/595 Regards Norbert Pócs

2 3

[Aarch64] Fat build support for SHA1 compress
by Maamoun TK 30 Jun '21

30 Jun '21

This patch added fat build support SHA1 compress function using the regular HWCAP features. --- arm64/fat/sha1-compress-2.asm | 37 +++++++++++++++++++++++++++++++++++++ fat-arm64.c | 32 ++++++++++++++++++++++++++++++-- 2 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 arm64/fat/sha1-compress-2.asm diff --git a/arm64/fat/sha1-compress-2.asm b/arm64/fat/sha1-compress-2.asm new file mode 100644 index 00000000..b53cb63e --- /dev/null +++ b/arm64/fat/sha1-compress-2.asm @@ -0,0 +1,37 @@ +C arm64/fat/sha1-compress-2.asm + + +ifelse(` + Copyright (C) 2021 Mamone Tarsha + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + +dnl PROLOGUE(nettle_sha1_compress) picked up by configure + +define(`fat_transform', `_$1_arm64') +include_src(`arm64/crypto/sha1-compress.asm') diff --git a/fat-arm64.c b/fat-arm64.c index 9f81951f..c696e9bb 100644 --- a/fat-arm64.c +++ b/fat-arm64.c @@ -61,10 +61,14 @@ #ifndef HWCAP_PMULL #define HWCAP_PMULL (1 << 4) #endif +#ifndef HWCAP_SHA1 +#define HWCAP_SHA1 (1 << 5) +#endif struct arm64_features { int have_pmull; + int have_sha1; }; #define MATCH(s, slen, literal, llen) \ @@ -75,6 +79,7 @@ get_arm64_features (struct arm64_features *features) { const char *s; features->have_pmull = 0; + features->have_sha1 = 0; s = secure_getenv (ENV_OVERRIDE); if (s) @@ -85,6 +90,8 @@ get_arm64_features (struct arm64_features *features) if (MATCH (s, length, "pmull", 5)) features->have_pmull = 1; + else if (MATCH (s, length, "sha1", 4)) + features->have_sha1 = 1; if (!sep) break; s = sep + 1; @@ -95,6 +102,8 @@ get_arm64_features (struct arm64_features *features) unsigned long hwcap = getauxval(AT_HWCAP); features->have_pmull = ((hwcap & (HWCAP_ASIMD | HWCAP_PMULL)) == (HWCAP_ASIMD | HWCAP_PMULL)); + features->have_sha1 + = ((hwcap & (HWCAP_ASIMD | HWCAP_SHA1)) == (HWCAP_ASIMD | HWCAP_SHA1)); #endif } } @@ -109,6 +118,10 @@ DECLARE_FAT_FUNC_VAR(gcm_hash, gcm_hash_func, c) DECLARE_FAT_FUNC_VAR(gcm_hash, gcm_hash_func, arm64) #endif /* GCM_TABLE_BITS == 8 */ +DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) +DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) +DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, arm64) + static void CONSTRUCTOR fat_init (void) { @@ -119,8 +132,9 @@ fat_init (void) verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) - fprintf (stderr, "libnettle: cpu features: %s\n", - features.have_pmull ? "polynomial multiply long instructions (PMULL/PMULL2)" : ""); + fprintf (stderr, "libnettle: cpu features:%s%s\n", + features.have_pmull ? " polynomial multiply long instructions (PMULL/PMULL2)" : "", + features.have_sha1 ? " sha1 instructions" : ""); if (features.have_pmull) { @@ -142,6 +156,16 @@ fat_init (void) _nettle_gcm_hash_vec = _nettle_gcm_hash_c; #endif /* GCM_TABLE_BITS == 8 */ } + if (features.have_sha1) + { + if (verbose) + fprintf (stderr, "libnettle: enabling hardware-accelerated sha1 compress code.\n"); + nettle_sha1_compress_vec = _nettle_sha1_compress_arm64; + } + else + { + nettle_sha1_compress_vec = _nettle_sha1_compress_c; + } } #if GCM_TABLE_BITS == 8 @@ -154,3 +178,7 @@ DEFINE_FAT_FUNC(_nettle_gcm_hash, void, size_t length, const uint8_t *data), (key, x, length, data)) #endif /* GCM_TABLE_BITS == 8 */ + +DEFINE_FAT_FUNC(nettle_sha1_compress, void, + (uint32_t *state, const uint8_t *input), + (state, input)) -- 2.25.1

2 1

Re: [S390x] Optimize AES modes
by Maamoun TK 30 Jun '21

30 Jun '21

Hi Niels, Did you get a chance to look at the recently posted patches? Thank you, Mamone

1 0

ANNOUNCE: Nettle-3.7.3
by nisse＠lysator.liu.se 08 Jun '21

08 Jun '21

I've prepared a new bug-fix release of Nettle, a low-level cryptographics library, to fix bugs in the RSA decryption functions. The bugs cause crashes on certain invalid inputs, which could be used for denial of service attacks on applications using these functions. More details in NEWS file below. Upgrading is strongly recommended. The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html. The release can be downloaded from https://ftp.gnu.org/gnu/nettle/nettle-3.7.3.tar.gz ftp://ftp.gnu.org/gnu/nettle/nettle-3.7.3.tar.gz https://www.lysator.liu.se/~nisse/archive/nettle-3.7.3.tar.gz Regards, /Niels NEWS for the Nettle 3.7.3 release This is bugfix release, fixing bugs that could make the RSA decryption functions crash on invalid inputs. Upgrading to the new version is strongly recommended. For applications that want to support older versions of Nettle, the bug can be worked around by adding a check that the RSA ciphertext is in the range 0 < ciphertext < n, before attempting to decrypt it. Thanks to Paul Schaub and Justus Winter for reporting these problems. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.4 and libhogweed.so.6.4, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix crash for zero input to rsa_sec_decrypt and rsa_decrypt_tr. Potential denial of service vector. * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return failure for out of range inputs, instead of either crashing, or silently reducing input modulo n. Potential denial of service vector. * Ensure that rsa_decrypt returns failure for out of range inputs, instead of silently reducing input modulo n. * Ensure that rsa_sec_decrypt returns failure if the message size is too large for the given key. Unlike the other bugs, this would typically be triggered by invalid local configuration, rather than by processing untrusted remote data. -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

1 1

[RFC PATCH 0/6] Introduce combined AES-GCM assembly for POWER9+
by Christopher M. Riedl 01 Jun '21

01 Jun '21

Hi! This series introduces a mechanism to support arch specific, combined AES+GCM {en,de}cryption functions. These functions are stubbed by default and will fall-back to the separate hash and crypt functions if no arch override exists. The arch override can be provided either at build time via appropriate config options or using the FAT runtime mechanism. An implementation combining AES+GCM _can potentially_ yield significant performance boosts by allowing for increased instruction parallelism, avoiding C-function call overhead, more flexibility in assembly fine-tuning, etc. This series provides such an implementation based on the existing optimized Nettle routines for POWER9 and later processors. Benchmark results on a POWER9 Blackbird running at 3.5GHz are given at the end of this mail. Both builds were configured statically ie. not FAT. FAT performance is slightly lower for both but shows similar gains with this series. The OpenSSL build is based on latest OpenSSL master with all PowerPC optimizations enabled. Note that the gains on an early POWER10 system are even more impressive but unfortunately I cannot share those results publically yet :( AES+GCM combined (this series) ------------------------------ Algorithm mode Mbyte/s gcm_aes128 encrypt 2567.62 gcm_aes128 decrypt 2582.32 gcm_aes128 update 7724.15 gcm_aes192 encrypt 2279.39 gcm_aes192 decrypt 2293.20 gcm_aes192 update 7724.41 gcm_aes256 encrypt 2054.09 gcm_aes256 decrypt 2061.25 gcm_aes256 update 7724.04 openssl gcm_aes128 encrypt 2336.93 openssl gcm_aes128 decrypt 2337.95 openssl gcm_aes128 update 6248.22 openssl gcm_aes192 encrypt 2113.93 openssl gcm_aes192 decrypt 2114.93 openssl gcm_aes192 update 6210.65 openssl gcm_aes256 encrypt 1936.95 openssl gcm_aes256 decrypt 1935.88 openssl gcm_aes256 update 6208.72 AES,GCM separate (nettle master) -------------------------------- Algorithm mode Mbyte/s gcm_aes128 encrypt 1418.66 gcm_aes128 decrypt 1418.97 gcm_aes128 update 7766.31 gcm_aes192 encrypt 1314.03 gcm_aes192 decrypt 1313.17 gcm_aes192 update 7760.23 gcm_aes256 encrypt 1218.75 gcm_aes256 decrypt 1218.64 gcm_aes256 update 7760.52 openssl gcm_aes128 encrypt 2324.70 openssl gcm_aes128 decrypt 2317.19 openssl gcm_aes128 update 6152.77 openssl gcm_aes192 encrypt 2102.99 openssl gcm_aes192 decrypt 2098.98 openssl gcm_aes192 update 6175.62 openssl gcm_aes256 encrypt 1925.85 openssl gcm_aes256 decrypt 1922.49 openssl gcm_aes256 update 6204.55 Christopher M. Riedl (6): gcm: Introduce gcm_aes_{de,en}crypt() ppc: Fix variable name for --enable-power-altivec ppc: Add FAT feature and config option for ISA 3.0 ppc: Add gcm_aes_encrypt() asm for ISA 3.0 (P9) ppc: Add gcm_aes_decrypt() asm for ISA 3.0 (P9) ppc: Enable gcm_aes_{de,en}crypt() FAT configure.ac | 19 +- fat-ppc.c | 45 ++ fat-setup.h | 6 + gcm-internal.h | 14 + gcm.c | 151 ++++++- powerpc64/fat/gcm-aes-decrypt.asm | 37 ++ powerpc64/fat/gcm-aes-encrypt.asm | 37 ++ powerpc64/p9/gcm-aes-decrypt.asm | 663 +++++++++++++++++++++++++++++ powerpc64/p9/gcm-aes-encrypt.asm | 666 ++++++++++++++++++++++++++++++ 9 files changed, 1630 insertions(+), 8 deletions(-) create mode 100644 powerpc64/fat/gcm-aes-decrypt.asm create mode 100644 powerpc64/fat/gcm-aes-encrypt.asm create mode 100644 powerpc64/p9/gcm-aes-decrypt.asm create mode 100644 powerpc64/p9/gcm-aes-encrypt.asm -- 2.26.1

3 12

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs June 2021