nettle-bugs

nettle-bugs@lists.lysator.liu.se

2196 discussions

nettle-benchmark hangs at startup w/ 100% cpu
by Daniel P. Berrangé 02 Jun '20

02 Jun '20

I was trying the nettle-benchmark program and found that it hangs at startup burning 100% CPU. Debugging shows this is when measuring benchmark overhead. With a quick printf of the "ncalls" variable in time_function(), I can see that it overflows: time_function ncalls=100 elapsed=0.000010 time_function ncalls=1000 elapsed=0.000003 time_function ncalls=10000 elapsed=0.000002 time_function ncalls=100000 elapsed=0.000002 time_function ncalls=1000000 elapsed=0.000002 time_function ncalls=10000000 … [View More]

2 3

Intel AES-NI perforamnce
by nisse＠lysator.liu.se 31 May '20

31 May '20

I've spent an evening taking a closer look at intel AES performance, after it was pointed out to me by Torbjörn that the Intel AESNI instructions are highly pipelined on most or all processors supporting them. Meaning that the processor can start execution of one even two instructions per cycle, provided that they are independent, while it takes several cycles until the results become available for depending instructions. Out-of-order (OoO) execution can help to run things in parallel, even if … [View More]the instruction stream locally is a sequence of dependent instructions. E.g., my main development machine has a broadwell processor, and it can issue one aesni instruction per cycle, and I think the latency is 7 cycles. Encrypting one block needs 10 aesni instructions (one per round, and then there's a eleventh subkey applied with plain xor which can issue in parallel with another instruction in the same cycle). When I benchmark, aes128 ECB runs in 10.2 cycles per block, which means that out-of-order execution is very successful, executing many iterations of the loop in parallel. CBC encrypt, which is inherently non-parallel, runs *much* slower, I get 91 cycles per block, where the latency of just the aes encyption wold be 71 cycles (if 7 cycles latency per aesni instruction is correct, and then one more cycle for the xor subkey, the remaining 20 cycles for the CBC processing which seems to be a bit slow in itself). I'm considering rearranging the loops to interleave multiple blocks. See below code which implements 4-way interleaving (a drop-in replacement for x86_64/aesni/aes-encrypt-internal). If this approach turns out to be useful, might be beneficial to extend to 8-way interleaving: That would allow instructions to run nicely in parallel even without any out-of-order-execution. However, the interleaved code makes no change to performance in my benchmarks on my machine. Since the old code is close to 10 cycles / block, which is a hard limit from instruction issue of the aesni instructions, and it seems almost all other instructions are already executing in parallel with them. But it might be an improvement on other processors, or for applications that process a small number of blocks at a time (in the middle between CBC which always does one block at a time, and the ECB benchmark which does 10 KB, or 640 blocks, at a time), by making things easier for the processor's OoO-machinery. If you have any application benchmarks it would be interesting if you could try out the interleaved version. I'm also thinking that maybe we should add benchmarks for various message sizes? Regards, /Niels C x86_64/aesni/aes-encrypt-internal.asm ifelse(< Copyright (C) 2015, 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Input argument define(<ROUNDS>, <%rdi>) define(<KEYS>, <%rsi>) C define(<TABLE>, <%rdx>) C Unused here define(<LENGTH>,<%rcx>) define(<DST>, <%r8>) define(<SRC>, <%r9>) define(<CNT>, <%r10>) define(<TMP>, <%r10>) C Can overlap CNT define(<TAB>, <%rdx>) define(<SUBKEY>, <%xmm0>) define(<B0>, <%xmm1>) define(<B1>, <%xmm2>) define(<B2>, <%xmm3>) define(<B3>, <%xmm4>) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) W64_ENTRY(6, 5) shr $4, LENGTH test LENGTH, LENGTH jz .Lend C Each round uses 16 bytes of subkeys, i.e., 16 bytes. We have C an initial xor round, rounds-1 regular rounds, and one final C round. Adjust so that ROUNDS reflects the number of regular C rounds, KEYS points to the key for the final round, and KEYS C + ROUNDS points to the key for the first regular round. dec XREG(ROUNDS) shl $4, XREG(ROUNDS) lea 16(ROUNDS, KEYS), KEYS neg ROUNDS jmp .Loop_end .Lloop_4w: mov ROUNDS, CNT movups -16(KEYS, ROUNDS), SUBKEY movups (SRC), B0 movups 16(SRC), B1 movups 32(SRC), B2 movups 48(SRC), B3 pxor SUBKEY, B0 pxor SUBKEY, B1 pxor SUBKEY, B2 pxor SUBKEY, B3 .Lround_loop_4w: movups (KEYS, CNT), SUBKEY add $16, CNT aesenc SUBKEY, B0 aesenc SUBKEY, B1 aesenc SUBKEY, B2 aesenc SUBKEY, B3 jne .Lround_loop_4w movups (KEYS), SUBKEY aesenclast SUBKEY, B0 aesenclast SUBKEY, B1 aesenclast SUBKEY, B2 aesenclast SUBKEY, B3 movups B0, (DST) movups B1, 16(DST) movups B2, 32(DST) movups B3, 48(DST) add $64, SRC add $64, DST sub $4, LENGTH .Loop_end: cmp $4, LENGTH jnc .Lloop_4w lea .Ljmptab(%rip), TAB movslq (TAB, LENGTH, 4), TMP lea (TAB, TMP), TMP jmp *TMP .Ltail3: mov ROUNDS, CNT movups -16(KEYS, ROUNDS), SUBKEY movups (SRC), B0 movups 16(SRC), B1 movups 32(SRC), B2 pxor SUBKEY, B0 pxor SUBKEY, B1 pxor SUBKEY, B2 .Lround_loop_3w: movups (KEYS, CNT), SUBKEY add $16, CNT aesenc SUBKEY, B0 aesenc SUBKEY, B1 aesenc SUBKEY, B2 jne .Lround_loop_3w movups (KEYS), SUBKEY aesenclast SUBKEY, B0 aesenclast SUBKEY, B1 aesenclast SUBKEY, B2 movups B0, (DST) movups B1, 16(DST) movups B2, 32(DST) jmp .Lend .Ltail2: mov ROUNDS, CNT movups -16(KEYS, ROUNDS), SUBKEY movups (SRC), B0 movups 16(SRC), B1 pxor SUBKEY, B0 pxor SUBKEY, B1 .Lround_loop_2w: movups (KEYS, CNT), SUBKEY add $16, CNT aesenc SUBKEY, B0 aesenc SUBKEY, B1 jne .Lround_loop_2w movups (KEYS), SUBKEY aesenclast SUBKEY, B0 aesenclast SUBKEY, B1 movups B0, (DST) movups B1, 16(DST) jmp .Lend .Ltail1: mov ROUNDS, CNT movups -16(KEYS, ROUNDS), SUBKEY movups (SRC), B0 pxor SUBKEY, B0 .Lround_loop_1w: movups (KEYS, CNT), SUBKEY add $16, CNT aesenc SUBKEY, B0 jne .Lround_loop_1w movups (KEYS), SUBKEY aesenclast SUBKEY, B0 movups B0, (DST) .Lend: W64_EXIT(6, 5) ret EPILOGUE(_nettle_aes_encrypt) C FIXME: Put in rodata? ALIGN(4) .Ljmptab: .long .Lend - .Ljmptab .long .Ltail1 - .Ljmptab .long .Ltail2 - .Ljmptab .long .Ltail3 - .Ljmptab -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. [View Less]

1 0

[PATCH libdrm v2 1/2] examples: don't use deprecated OpenSSL hashing API
by Emil Velikov 28 May '20

28 May '20

The direct $HASH_{Init,Update,Final} has been discouraged for a while. With the upcoming OpenSSL 3.0 it will be officially deprecated. Add a handy macro, to avoid repetition and mistakes like in the current code. Namely - we're using SHA cblock/digest_len for md5 :-\ The macro will also make it easier to add more, as seen with next patch. v2: Align it with the crypto implementations, namely: - use openssh_hash_ctx::evp, use correct sizeof() - move hash_update out of the macro - remove … [View More]forward declarations for hash functions Signed-off-by: Emil Velikov <emil.l.velikov(a)gmail.com> --- examples/nettle-openssl.c | 110 +++++++++++++++----------------------- 1 file changed, 44 insertions(+), 66 deletions(-) diff --git a/examples/nettle-openssl.c b/examples/nettle-openssl.c index bb2e6627..3c487013 100644 --- a/examples/nettle-openssl.c +++ b/examples/nettle-openssl.c @@ -62,6 +62,13 @@ struct openssl_cipher_ctx { EVP_CIPHER_CTX *evp; }; +/* We use Openssl's EVP api for all openssl hashes. This API selects + platform-specific implementations if appropriate, e.g., using x86 + AES-NI instructions. */ +struct openssl_hash_ctx { + EVP_MD_CTX *evp; +}; + void nettle_openssl_init(void) { @@ -383,76 +390,47 @@ nettle_openssl_cast128 = { /* Hash functions */ -/* md5 */ -static nettle_hash_init_func openssl_md5_init; -static void -openssl_md5_init(void *ctx) -{ - MD5_Init(ctx); -} - -static nettle_hash_update_func openssl_md5_update; -static void -openssl_md5_update(void *ctx, - size_t length, - const uint8_t *src) -{ - MD5_Update(ctx, src, length); -} - -static nettle_hash_digest_func openssl_md5_digest; -static void -openssl_md5_digest(void *ctx, - size_t length, uint8_t *dst) -{ - assert(length == SHA_DIGEST_LENGTH); - MD5_Final(dst, ctx); - MD5_Init(ctx); -} - -const struct nettle_hash -nettle_openssl_md5 = { - "openssl md5", sizeof(SHA_CTX), - SHA_DIGEST_LENGTH, SHA_CBLOCK, - openssl_md5_init, - openssl_md5_update, - openssl_md5_digest -}; - -/* sha1 */ -static nettle_hash_init_func openssl_sha1_init; -static void -openssl_sha1_init(void *ctx) -{ - SHA1_Init(ctx); -} - -static nettle_hash_update_func openssl_sha1_update; static void -openssl_sha1_update(void *ctx, +openssl_hash_update(void *p, size_t length, const uint8_t *src) { - SHA1_Update(ctx, src, length); -} + struct openssl_hash_ctx *ctx = p; + EVP_DigestUpdate(ctx->evp, src, length); +} + +#define OPENSSL_HASH(NAME, name) \ +static void \ +openssl_##name##_init(void *p) \ +{ \ + struct openssl_hash_ctx *ctx = p; \ + if ((ctx->evp = EVP_MD_CTX_new()) == NULL) \ + return; \ + \ + EVP_DigestInit(ctx->evp, EVP_##name()); \ +} \ + \ +static void \ +openssl_##name##_digest(void *p, \ + size_t length, uint8_t *dst) \ +{ \ + struct openssl_hash_ctx *ctx = p; \ + assert(length == NAME##_DIGEST_LENGTH); \ + \ + EVP_DigestFinal(ctx->evp, dst, NULL); \ + EVP_DigestInit(ctx->evp, EVP_##name()); \ +} \ + \ +const struct nettle_hash \ +nettle_openssl_##name = { \ + "openssl " #name, sizeof(struct openssl_hash_ctx), \ + NAME##_DIGEST_LENGTH, NAME##_CBLOCK, \ + openssl_##name##_init, \ + openssl_hash_update, \ + openssl_##name##_digest \ +}; -static nettle_hash_digest_func openssl_sha1_digest; -static void -openssl_sha1_digest(void *ctx, - size_t length, uint8_t *dst) -{ - assert(length == SHA_DIGEST_LENGTH); - SHA1_Final(dst, ctx); - SHA1_Init(ctx); -} +OPENSSL_HASH(MD5, md5) +OPENSSL_HASH(SHA, sha1) -const struct nettle_hash -nettle_openssl_sha1 = { - "openssl sha1", sizeof(SHA_CTX), - SHA_DIGEST_LENGTH, SHA_CBLOCK, - openssl_sha1_init, - openssl_sha1_update, - openssl_sha1_digest -}; - #endif /* WITH_OPENSSL */ -- 2.25.1 [View Less]

3 7

[PATCH] gitlab-ci: reenable GOST compilation
by dbaryshkov＠gmail.com 10 May '20

10 May '20

From: Dmitry Baryshkov <dbaryshkov(a)gmail.com> GnuTLS is now compatible again with Nettle master branch. Remove --disable-gost. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 663f98f5cb8e..5b348f38568f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -100,7 +100,7 @@ build/gnutls: make -j4 && make install - git clone --depth 1 -… [View More]

3 2

[PATCH 1/2] Change ecc_mod_*mul_1 to be per-module callbacks
by dbaryshkov＠gmail.com 08 May '20

08 May '20

From: Dmitry Baryshkov <dbaryshkov(a)gmail.com> GOST curves will require different "fixups" for fast (mul X mod p) operations. Move these operations to ecc_modulo structure and call them via function pointer. Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- ecc-add-jja.c | 8 ++++---- ecc-add-jjj.c | 8 ++++---- ecc-curve25519.c | 6 ++++++ ecc-curve448.c | 6 ++++++ ecc-dup-jj.c | 8 ++++---- ecc-gost-gc256b.c | 6 ++++++ ecc-gost-gc512a.c | 6 … [View More]++++++ ecc-internal.h | 25 ++++++++++++++++--------- ecc-mod-arith.c | 12 ++++++------ ecc-mul-m.c | 6 +++--- ecc-secp192r1.c | 6 ++++++ ecc-secp224r1.c | 6 ++++++ ecc-secp256r1.c | 6 ++++++ ecc-secp384r1.c | 6 ++++++ ecc-secp521r1.c | 6 ++++++ 15 files changed, 91 insertions(+), 30 deletions(-) diff --git a/ecc-add-jja.c b/ecc-add-jja.c index 037711d38249..55ad954587da 100644 --- a/ecc-add-jja.c +++ b/ecc-add-jja.c @@ -102,10 +102,10 @@ ecc_add_jja (const struct ecc_curve *ecc, /* w */ ecc_mod_mul (&ecc->p, j, y2, w); ecc_mod_sub (&ecc->p, w, j, y1); - ecc_mod_mul_1 (&ecc->p, w, w, 2); + ecc->p.mul_1 (&ecc->p, w, w, 2); /* i replaces hh, j */ - ecc_mod_mul_1 (&ecc->p, hh, hh, 4); + ecc->p.mul_1 (&ecc->p, hh, hh, 4); ecc_mod_mul (&ecc->p, j, hh, h); /* v */ @@ -114,12 +114,12 @@ ecc_add_jja (const struct ecc_curve *ecc, /* x_3, use (h, hh) as sqratch */ ecc_mod_sqr (&ecc->p, h, w); ecc_mod_sub (&ecc->p, r, h, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2); /* y_3, use (h, hh) as sqratch */ ecc_mod_mul (&ecc->p, h, y1, j); /* frees j */ ecc_mod_sub (&ecc->p, r + ecc->p.size, v, r); ecc_mod_mul (&ecc->p, j, r + ecc->p.size, w); - ecc_mod_submul_1 (&ecc->p, j, h, 2); + ecc->p.submul_1 (&ecc->p, j, h, 2); mpn_copyi (r + ecc->p.size, j, ecc->p.size); } diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c index 54b2246aeb24..cad26193234a 100644 --- a/ecc-add-jjj.c +++ b/ecc-add-jjj.c @@ -94,14 +94,14 @@ ecc_add_jjj (const struct ecc_curve *ecc, ecc_mod_mul (&ecc->p, s1, p + ecc->p.size, v); ecc_mod_mul (&ecc->p, v, j, q + ecc->p.size); ecc_mod_sub (&ecc->p, s2, v, s1); - ecc_mod_mul_1 (&ecc->p, s2, s2, 2); + ecc->p.mul_1 (&ecc->p, s2, s2, 2); /* Store z3 */ mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); /* i, j, v */ ecc_mod_sqr (&ecc->p, i, u2); - ecc_mod_mul_1 (&ecc->p, i, i, 4); + ecc->p.mul_1 (&ecc->p, i, i, 4); ecc_mod_mul (&ecc->p, j, u2, i); ecc_mod_mul (&ecc->p, v, u1, i); @@ -109,12 +109,12 @@ ecc_add_jjj (const struct ecc_curve *ecc, /* x3, use u1, u2 as scratch */ ecc_mod_sqr (&ecc->p, u1, s2); ecc_mod_sub (&ecc->p, r, u1, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2); /* y3 */ ecc_mod_mul (&ecc->p, u1, s1, j); /* Frees j */ ecc_mod_sub (&ecc->p, u2, v, r); /* Frees v */ ecc_mod_mul (&ecc->p, i, s2, u2); - ecc_mod_submul_1 (&ecc->p, i, u1, 2); + ecc->p.submul_1 (&ecc->p, i, u1, 2); mpn_copyi (r + ecc->p.size, i, ecc->p.size); } diff --git a/ecc-curve25519.c b/ecc-curve25519.c index f8f2c64af868..04df696f7357 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -310,6 +310,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modp, ecc_curve25519_inv, ecc_curve25519_sqrt, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 253, @@ -329,6 +332,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modq, ecc_mod_inv, NULL, + + NULL, + NULL, }, 0, /* No redc */ diff --git a/ecc-curve448.c b/ecc-curve448.c index 484b7d1e0870..ce7a25d14c4e 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c @@ -288,6 +288,9 @@ const struct ecc_curve _nettle_curve448 = ecc_curve448_modp, ecc_curve448_inv, ecc_curve448_sqrt, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 446, @@ -307,6 +310,9 @@ const struct ecc_curve _nettle_curve448 = ecc_mod, /* FIXME: Implement optimized reduce function */ ecc_mod_inv, NULL, + + NULL, + NULL, }, 0, /* No redc */ diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c index 2247e8fdfd5a..4bbd5163c0e3 100644 --- a/ecc-dup-jj.c +++ b/ecc-dup-jj.c @@ -87,7 +87,7 @@ ecc_dup_jj (const struct ecc_curve *ecc, ecc_mod_add (&ecc->p, sum, xp, delta); ecc_mod_sub (&ecc->p, delta, xp, delta); ecc_mod_mul (&ecc->p, beta, sum, delta); - ecc_mod_mul_1 (&ecc->p, alpha, beta, 3); + ecc->p.mul_1 (&ecc->p, alpha, beta, 3); /* beta */ ecc_mod_mul (&ecc->p, beta, xp, gamma); @@ -95,16 +95,16 @@ ecc_dup_jj (const struct ecc_curve *ecc, /* Do gamma^2 and 4*beta early, to get them out of the way. We can then use the old area at gamma as scratch. */ ecc_mod_sqr (&ecc->p, g2, gamma); - ecc_mod_mul_1 (&ecc->p, sum, beta, 4); + ecc->p.mul_1 (&ecc->p, sum, beta, 4); /* x' */ ecc_mod_sqr (&ecc->p, gamma, alpha); /* Overwrites gamma and beta */ - ecc_mod_submul_1 (&ecc->p, gamma, sum, 2); + ecc->p.submul_1 (&ecc->p, gamma, sum, 2); mpn_copyi (r, gamma, ecc->p.size); /* y' */ ecc_mod_sub (&ecc->p, sum, sum, r); ecc_mod_mul (&ecc->p, gamma, sum, alpha); - ecc_mod_submul_1 (&ecc->p, gamma, g2, 8); + ecc->p.submul_1 (&ecc->p, gamma, g2, 8); mpn_copyi (r + ecc->p.size, gamma, ecc->p.size); } diff --git a/ecc-gost-gc256b.c b/ecc-gost-gc256b.c index a23d46fc8af6..24e1ac6c99a7 100644 --- a/ecc-gost-gc256b.c +++ b/ecc-gost-gc256b.c @@ -77,6 +77,9 @@ const struct ecc_curve _nettle_gost_gc256b = ecc_gost_gc256b_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 256, @@ -96,6 +99,9 @@ const struct ecc_curve _nettle_gost_gc256b = ecc_gost_gc256b_modq, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c index 398762c337d6..5de4eda85d9c 100644 --- a/ecc-gost-gc512a.c +++ b/ecc-gost-gc512a.c @@ -77,6 +77,9 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_gost_gc512a_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 512, @@ -96,6 +99,9 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_gost_gc512a_modq, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-internal.h b/ecc-internal.h index 9e24e0ce4521..e1380bfb2b20 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -44,9 +44,9 @@ #define ecc_pm1_redc _nettle_ecc_pm1_redc #define ecc_mod_add _nettle_ecc_mod_add #define ecc_mod_sub _nettle_ecc_mod_sub -#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 -#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 -#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 +#define ecc_mod_mul_1_std _nettle_ecc_mod_mul_1_std +#define ecc_mod_addmul_1_std _nettle_ecc_mod_addmul_1_std +#define ecc_mod_submul_1_std _nettle_ecc_mod_submul_1_std #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr #define ecc_mod_random _nettle_ecc_mod_random @@ -146,6 +146,10 @@ typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); +typedef void ecc_mod_mul_1_func (const struct ecc_modulo *m, + mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); + struct ecc_modulo { unsigned short bit_size; @@ -170,6 +174,9 @@ struct ecc_modulo ecc_mod_func *reduce; ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; + + ecc_mod_mul_1_func *mul_1; + ecc_mod_mul_1_func *submul_1; }; /* Represents an elliptic curve of the form @@ -237,15 +244,15 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t b); +ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t b); void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_submul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); /* The mul and sqr functions need 2*m->size limbs at rp */ void diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c index f2e47f6747c1..0399a2cdd7c5 100644 --- a/ecc-mod-arith.c +++ b/ecc-mod-arith.c @@ -65,8 +65,8 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, } void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; @@ -80,8 +80,8 @@ ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, } void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; @@ -95,8 +95,8 @@ ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, } void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_submul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; diff --git a/ecc-mul-m.c b/ecc-mul-m.c index 68bdd16e8e94..539b9d0677e7 100644 --- a/ecc-mul-m.c +++ b/ecc-mul-m.c @@ -80,7 +80,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x3, AA, BB); ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_mul (m, z3, E, AA); for (i = bit_high; i >= bit_low; i--) @@ -98,7 +98,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x2, AA, BB); /* Last use of BB */ ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_add (m, C, x3, z3); ecc_mod_sub (m, D, x3, z3); ecc_mod_mul (m, z2, E, AA); /* Last use of E and AA */ @@ -124,7 +124,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x2, AA, BB); ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_mul (m, z2, E, AA); } assert (m->invert_itch <= 7 * m->size); diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c index 046026f3f697..79080495ec7e 100644 --- a/ecc-secp192r1.c +++ b/ecc-secp192r1.c @@ -130,6 +130,9 @@ const struct ecc_curve _nettle_secp_192r1 = ecc_secp192r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 192, @@ -149,6 +152,9 @@ const struct ecc_curve _nettle_secp_192r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-secp224r1.c b/ecc-secp224r1.c index 05d84017a68a..064a9e2f7fd4 100644 --- a/ecc-secp224r1.c +++ b/ecc-secp224r1.c @@ -82,6 +82,9 @@ const struct ecc_curve _nettle_secp_224r1 = USE_REDC ? ecc_secp224r1_redc : ecc_secp224r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 224, @@ -101,6 +104,9 @@ const struct ecc_curve _nettle_secp_224r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-secp256r1.c b/ecc-secp256r1.c index d399642453d5..0a25a086f3fe 100644 --- a/ecc-secp256r1.c +++ b/ecc-secp256r1.c @@ -259,6 +259,9 @@ const struct ecc_curve _nettle_secp_256r1 = USE_REDC ? ecc_secp256r1_redc : ecc_secp256r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 256, @@ -278,6 +281,9 @@ const struct ecc_curve _nettle_secp_256r1 = ecc_secp256r1_modq, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-secp384r1.c b/ecc-secp384r1.c index 54bcd1128d39..5a9131f72c98 100644 --- a/ecc-secp384r1.c +++ b/ecc-secp384r1.c @@ -167,6 +167,9 @@ const struct ecc_curve _nettle_secp_384r1 = ecc_secp384r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 384, @@ -186,6 +189,9 @@ const struct ecc_curve _nettle_secp_384r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, diff --git a/ecc-secp521r1.c b/ecc-secp521r1.c index 776f7ae03e27..f01a97537eb8 100644 --- a/ecc-secp521r1.c +++ b/ecc-secp521r1.c @@ -95,6 +95,9 @@ const struct ecc_curve _nettle_secp_521r1 = ecc_secp521r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 521, @@ -114,6 +117,9 @@ const struct ecc_curve _nettle_secp_521r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, }, USE_REDC, -- 2.25.0 [View Less]

2 2

[PATCH 0/2] Updating the nettle-benchmark
by Emil Velikov 08 May '20

08 May '20

Hi all, Here are a couple of small patches for nettle-benchmark: - removes the deprecated OpenSSL hash API - adds more OpenSSL sha2 hashes into the mix Kindly merge or let me know of your concerns :-) Related question: As you can see from the second patch, nettle performance is a little low wrt OpenSSL - ~55% for sha1, and ~65% for sha2. Is that normal, or there is something off with my system/build? I'm using the default "--enable-assembler" and "-O2" as seen in the configure.ac, … [View More]

2 5

ANNOUNCE: Nettle-3.6
by nisse＠lysator.liu.se 04 May '20

04 May '20

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I'm happy to announce a new release of GNU Nettle, a low-level cryptographics library. This version includes several new features, and a couple of bug fixes, see NEWS entries below. The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html. The release can be downloaded from https://ftp.gnu.org/gnu/nettle/nettle-3.6.tar.gz ftp://ftp.gnu.org/gnu/… [View More]nettle/nettle-3.6.tar.gz https://www.lysator.liu.se/~nisse/archive/nettle-3.6.tar.gz Happy hacking, /Niels Möller NEWS for the Nettle 3.6 release This release adds a couple of new features, most notable being support for ED448 signatures. It is not binary compatible with earlier releases. The shared library names are libnettle.so.8.0 and libhogweed.so.6.0, with sonames nibnettle.so.8 and libhogweed.so.6. The changed sonames are mainly to avoid upgrade problems with recent GnuTLS versions, that depend on Nettle internals outside of the advertised ABI. But also because of the removal of internal poly1305 functions which were undocumented but declared in an installed header file, see Interface changes below. New features: * Support for Curve448 and ED448 signatures. Contributed by Daiki Ueno. * Support for SHAKE256 (SHA3 variant with arbitrary output size). Contributed by Daiki Ueno. * Support for SIV-CMAC (Synthetic Initialization Vector) mode, contributed by Nikos Mavrogiannopoulos. * Support for CMAC64, contributed by Dmitry Baryshkov. * Support for the "CryptoPro" variant of the GOST hash function, as gosthash94cp. Contributed by Dmitry Baryshkov. * Support for GOST DSA signatures, including GOST curves gc256b and gc512a. Contributed by Dmitry Baryshkov. * Support for Intel CET in x86 and x86_64 assembly files, if enabled via CFLAGS (gcc --fcf-protection=full). Contributed by H.J. Lu and Simo Sorce. * A few new functions to improve support for the Chacha variant with 96-bit nonce and 32-bit block counter (the existing functions use nonce and counter of 64-bit each), and functions to set the counter. Contributed by Daiki Ueno. * New interface, struct nettle_mac, for MAC (message authentication code) algorithms. This abstraction is only for MACs that don't require a per-message nonce. For HMAC, the key size is fixed, and equal the digest size of the underlying hash function. Bug fixes: * Fix bug in cfb8_decrypt. Previously, the IV was not updated correctly in the case of input data shorter than the block size. Reported by Stephan Mueller, fixed by Daiki Ueno. * Fix configure check for __builtin_bswap64, the incorrect check would result in link errors on platforms missing this function. Patch contributed by George Koehler. * All use of old-fashioned suffix rules in the Makefiles have been replaced with %-pattern rules. Nettle's use of suffix rules in earlier versions depended on undocumented GNU make behavior, which is being deprecated in GNU make 4.3. Building with other make programs than GNU make is untested and unsupported. (Building with BSD make or Solaris make used to work years ago, but has not been tested recently). Interface changes: * Declarations of internal poly1305.h functions have been removed from the header file poly1305.h, to make it clear that they are not part of the advertised API or ABI. Miscellaneous: * Building the public key support of nettle now requires GMP version 6.1.0 or later (unless --enable-mini-gmp is used). * A fair amount of changes to ECC internals, with a few deleted and a few new fields in the internal struct ecc_curve. Files and functions have been renamed to more consistently match the curve name, e.g., ecc-256.c has been renamed to ecc-secp256r1.c. * Documentation for chacha-poly1305 updated. It is no longer experimental. The implementation was updated to follow RFC 8439 in Nettle-3.1, but that was not documented or announced at the time. - -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEy0li0HDXfX/Li6Nicdjx/zaMZncFAl6p3hsACgkQcdjx/zaM ZneC5gf7BZuz13jnIzETuRCtqwcV8BaFZOhBrDmqPxHeCVL2BVZwUxVpIVZAhqKu ngj5i4GEQBHLg5BRJk/97gyn4YCbWfr7397tqBdUWO2VWFKaG+5QGCG3pjjxyjgm hECNrRpSLHHVzUFi2bLCo4Ur+R2d52I1l+hI7CekTxAk1c01xhpobs0pSUDUCfco /c8gNbbrNZc/KxUq1qtaWucxvysa4BsfnqucnhjAftMrmishFdr282gWNrnK3q9K kHIxCL01bYIQVQmYdH0VglGtq7rYCkL870Ip21OOaL+LIHm1FMaDpXHbXi/GkGqK Ukre//RxgMbwPMsM7eh5rp7pOAqdug== =QvUR -----END PGP SIGNATURE----- [View Less]

2 3

Nettle-3.6rc2
by nisse＠lysator.liu.se 25 Apr '20

25 Apr '20

I've made another tarball, http://www.lysator.liu.se/~nisse/archive/nettle-3.6rc2.tar.gz http://www.lysator.liu.se/~nisse/archive/nettle-3.6rc1.tar.gz.sig Changes some rc1: * Sonames of *both* libnettle and libhogweed are updated. * Merged gost_vko. * Other api/abi cleanups, affecting gosthash and poly1305. * Deleted the test asserts that failed when linking hogweed.dll in wine (and presumably on windows too). * Some more Makefile and test cleanups, deleted the .testrules.make … [View More]

1 0

Windows dll test failures
by nisse＠lysator.liu.se 23 Apr '20

23 Apr '20

I have a question to the list, if anyone here knows details of how windows dlls work. I cross compile for windows with ./configure --host=x86_64-w64-mingw32 --enable-mini-gmp CXX=/bin/false make and run tests with make check EMULATOR=wine64 It fails the ecc-dup and ecc-add tests, in this and similar asserts: ASSERT (ecc->dup == ecc_dup_jj); Here, the right hand side is a symbol from libhogweed-x.dll, and on the left hand side, ecc refers to a constant struct in the same dll. … [View More]

2 3

[PATCH v3] Implement GOST VKO key derivation algorithm
by Dmitry Baryshkov 21 Apr '20

21 Apr '20

From: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> Signed-off-by: Dmitry Baryshkov <dbaryshkov(a)gmail.com> --- Makefile.in | 2 +- gostdsa-vko.c | 96 ++++++++++++++++++++++++++++++++++++ gostdsa.h | 7 +++ nettle.texinfo | 15 ++++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/gostdsa-vko-test.c | 91 ++++++++++++++++++++++++++++++++… [View More]++ 8 files changed, 215 insertions(+), 2 deletions(-) create mode 100644 gostdsa-vko.c create mode 100644 testsuite/gostdsa-vko-test.c diff --git a/Makefile.in b/Makefile.in index ddc304285321..29b3cfb4aafe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -194,7 +194,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ ecc-gostdsa-sign.c gostdsa-sign.c \ - ecc-gostdsa-verify.c gostdsa-verify.c \ + ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ diff --git a/gostdsa-vko.c b/gostdsa-vko.c new file mode 100644 index 000000000000..7bdcdfc3fa16 --- /dev/null +++ b/gostdsa-vko.c @@ -0,0 +1,96 @@ +/* gostdsa-vko.c + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> +#include <stdlib.h> + +#include "ecc-internal.h" +#include "gostdsa.h" + +/* + * Shared key derivation/key agreement for GOST DSA algorithm. + * It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1 + * + * output is 2 * curve size: + * 64 bytes for 256 bit curves and 128 bytes for 512 bit ones + * + * Basically shared key is equal to hash(cofactor * ukm * priv * pub). This + * function does multiplication. Caller should do hashing on his own. + * + * UKM is not a secret value (consider it as a nonce). + * + * For supported GOST curves cofactor is equal to 1. + */ +void +gostdsa_vko (const struct ecc_scalar *priv, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + uint8_t *out) +{ + const struct ecc_curve *ecc = priv->ecc; + unsigned bsize = (ecc_bit_size (ecc) + 7) / 8; + mp_size_t size = ecc->p.size; + mp_size_t itch = 4*size + ecc->mul_itch; + mp_limb_t *scratch; + + if (itch < 5*size + ecc->h_to_a_itch) + itch = 5*size + ecc->h_to_a_itch; + + assert (pub->ecc == ecc); + assert (priv->ecc == ecc); + assert (ukm_length <= bsize); + + scratch = gmp_alloc_limbs (itch); + +#define UKM scratch +#define TEMP (scratch + 3*size) +#define XYZ scratch +#define TEMP_Y (scratch + 4*size) + + mpn_set_base256_le (UKM, size, ukm, ukm_length); + + /* If ukm is 0, set it to 1, otherwise the result will be allways equal to 0, + * no matter what private and public keys are. See RFC 4357 referencing GOST + * R 34.10-2001 (RFC 5832) Section 6.1 step 2. */ + if (mpn_zero_p (UKM, size)) + UKM[0] = 1; + + ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */ + ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ + ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ + mpn_get_base256_le (out, bsize, TEMP, size); + mpn_get_base256_le (out+bsize, bsize, TEMP_Y, size); + gmp_free_limbs (scratch, itch); +} diff --git a/gostdsa.h b/gostdsa.h index c92dfd1e1dd6..d479201e3295 100644 --- a/gostdsa.h +++ b/gostdsa.h @@ -44,6 +44,7 @@ extern "C" { /* Name mangling */ #define gostdsa_sign nettle_gostdsa_sign #define gostdsa_verify nettle_gostdsa_verify +#define gostdsa_vko nettle_gostdsa_vko #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify @@ -68,6 +69,12 @@ gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); +void +gostdsa_vko (const struct ecc_scalar *key, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + uint8_t *out); + /* Low-level GOSTDSA functions. */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc); diff --git a/nettle.texinfo b/nettle.texinfo index ff64889c4169..995d5de80813 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -1065,6 +1065,7 @@ This function also resets the context in the same way as @subsubsection @acronym{GOSTHASH94 and GOSTHASH94CP} @cindex GOST hash +@anchor{GOSTHASH94CP} The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see @cite{RFC 4357}). It outputs message digests of 256 bits, or 32 octets. The standard itself @@ -5157,6 +5158,20 @@ Returns curve corresponding to following identifiers: @end itemize @end deftypefun +For GOST key pairs key derivation/key agreement function (VKO) is defined in +@cite{RFC 4357} and @cite{RFC 7836}. Basically shared key is equal to +hash(cofactor * ukm * priv * pub). Nettle library provides a function that does +multiplication. Caller should do hashing on his own (it will be either +GOST R 34.11-94 (@pxref{GOSTHASH94CP}) or GOST R 34.11-2012, Streebog, which nor part of the library yet). + +@deftypefun void gostdsa_vko (const struct ecc_scalar *@var{priv}, const struct ecc_point *@var{pub}, size_t @var{ukm_length}, const uint8_t *@var{ukm}, uint8_t *@var{out}) +Uses private key @var{priv}, public ket @var{pub} and shared key material +@var{ukm} to generate shared secret, written to buffer @var{out}. The buffer +should be of the size equal to 2 private key lengths: 64 bytes for 256 bit +curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually +transferred in cleartext. It does not have to be secret. +@end deftypefun + @node Curve 25519 and Curve 448, , ECDSA, Elliptic curves @comment node-name, next, previous, up @subsubsection Curve25519 and Curve448 diff --git a/testsuite/.gitignore b/testsuite/.gitignore index b8b36c2accc2..a2b3d52312cd 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -46,6 +46,7 @@ /gostdsa-keygen-test /gostdsa-sign-test /gostdsa-verify-test +/gostdsa-vko-test /gosthash94-test /hkdf-test /hmac-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 9de8f4125079..fdcde6cb9748 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -304,6 +304,9 @@ gostdsa-verify-test$(EXEEXT): gostdsa-verify-test.$(OBJEXT) gostdsa-keygen-test$(EXEEXT): gostdsa-keygen-test.$(OBJEXT) $(LINK) gostdsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-keygen-test$(EXEEXT) +gostdsa-vko-test$(EXEEXT): gostdsa-vko-test.$(OBJEXT) + $(LINK) gostdsa-vko-test.$(OBJEXT) $(TEST_OBJS) -o gostdsa-vko-test$(EXEEXT) + sha1-huge-test$(EXEEXT): sha1-huge-test.$(OBJEXT) $(LINK) sha1-huge-test.$(OBJEXT) $(TEST_OBJS) -o sha1-huge-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 89b52efad9df..025f3ea18040 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -56,7 +56,7 @@ TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ eddsa-verify-test.c ed25519-test.c ed448-test.c \ gostdsa-sign-test.c gostdsa-verify-test.c \ - gostdsa-keygen-test.c + gostdsa-keygen-test.c gostdsa-vko-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx diff --git a/testsuite/gostdsa-vko-test.c b/testsuite/gostdsa-vko-test.c new file mode 100644 index 000000000000..c8a762b125c2 --- /dev/null +++ b/testsuite/gostdsa-vko-test.c @@ -0,0 +1,91 @@ +#include "testutils.h" +#include "gostdsa.h" + +static void +test_vko (const struct ecc_curve *ecc, + const char *priv, + const char *x, + const char *y, + const struct tstring *ukm, + const struct nettle_hash *hash, + void * hash_ctx, + const struct tstring *res) +{ + struct ecc_scalar ecc_key; + struct ecc_point ecc_pub; + mpz_t temp1, temp2; + uint8_t out[128]; + size_t out_len = ((ecc_bit_size(ecc) + 7) / 8) * 2; + + ASSERT(out_len <= sizeof(out)); + + ecc_point_init (&ecc_pub, ecc); + mpz_init_set_str (temp1, x, 16); + mpz_init_set_str (temp2, y, 16); + ASSERT (ecc_point_set (&ecc_pub, temp1, temp2) != 0); + + ecc_scalar_init (&ecc_key, ecc); + mpz_set_str (temp1, priv, 16); + ASSERT (ecc_scalar_set (&ecc_key, temp1) != 0); + + mpz_clear (temp1); + mpz_clear (temp2); + + gostdsa_vko (&ecc_key, &ecc_pub, + ukm->length, ukm->data, + out); + + ecc_scalar_clear (&ecc_key); + ecc_point_clear (&ecc_pub); + + if (hash) + { + hash->init (hash_ctx); + hash->update (hash_ctx, out_len, out); + hash->digest (hash_ctx, hash->digest_size, out); + + ASSERT (hash->digest_size == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } + else + { + ASSERT (out_len == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } +} + +void +test_main (void) +{ + /* RFC 7836, App B, provides test vectors, values there are little endian. + * + * However those test vectors depend on the availability of Streebog hash + * functions, which is not available (yet). So these test vectors capture + * the VKO value just before hash function. One can verify them by + * calculating the Streeebog function and comparing the result with RFC + * 7836, App B. */ + test_vko(nettle_get_gost_gc512a(), + "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", + "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", + "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + + test_vko(nettle_get_gost_gc512a(), + "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", + "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", + "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + +} -- 2.25.1 [View Less]

2 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs