nettle-bugs

nettle-bugs@lists.lysator.liu.se

2196 discussions

[PATCH 0/2] Provide GOST R 34.11-2012 (Streebog) hash function
by Dmitry Eremin-Solenikov 12 May '19

12 May '19

These two patches add support for Russian standard-defined Streebog (GOST R 34.11-2012) hash functions (256 and 512 bit outputs). -- With best wishes Dmitry

1 2

[PATCH 1/3] Move MAC testing code to generic place from cmac-test
by Dmitry Eremin-Solenikov 12 May '19

12 May '19

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- testsuite/cmac-test.c | 100 +++++++++++------------------------------- testsuite/testutils.c | 64 +++++++++++++++++++++++++++ testsuite/testutils.h | 6 +++ 3 files changed, 96 insertions(+), 74 deletions(-) diff --git a/testsuite/cmac-test.c b/testsuite/cmac-test.c index 31662d1b6c1b..b1d4aa30dfbe 100644 --- a/testsuite/cmac-test.c +++ b/testsuite/cmac-test.c @@ -2,83 +2,35 @@ #include "nettle-internal.h" #include "cmac.h" +const struct nettle_mac nettle_cmac_aes128 = +{ + "CMAC-AES128", + sizeof(struct cmac_aes128_ctx), + CMAC128_DIGEST_SIZE, + AES128_KEY_SIZE, + + (nettle_set_key_func*) cmac_aes128_set_key, + (nettle_hash_update_func*) cmac_aes128_update, + (nettle_hash_digest_func*) cmac_aes128_digest +}; + +const struct nettle_mac nettle_cmac_aes256 = +{ + "CMAC-AES256", + sizeof(struct cmac_aes256_ctx), + CMAC128_DIGEST_SIZE, + AES256_KEY_SIZE, + + (nettle_set_key_func*) cmac_aes256_set_key, + (nettle_hash_update_func*) cmac_aes256_update, + (nettle_hash_digest_func*) cmac_aes256_digest +}; + #define test_cmac_aes128(key, msg, ref) \ - test_cmac_hash ((nettle_set_key_func*) cmac_aes128_set_key, \ - (nettle_hash_update_func*) cmac_aes128_update, \ - (nettle_hash_digest_func*) cmac_aes128_digest, \ - sizeof(struct cmac_aes128_ctx), \ - key, msg, ref) + test_mac(&nettle_cmac_aes128, key, msg, ref) #define test_cmac_aes256(key, msg, ref) \ - test_cmac_hash ((nettle_set_key_func*) cmac_aes256_set_key, \ - (nettle_hash_update_func*) cmac_aes256_update, \ - (nettle_hash_digest_func*) cmac_aes256_digest, \ - sizeof(struct cmac_aes256_ctx), \ - key, msg, ref) - -static void -test_cmac_hash (nettle_set_key_func *set_key, - nettle_hash_update_func *update, - nettle_hash_digest_func *digest, size_t ctx_size, - const struct tstring *key, const struct tstring *msg, - const struct tstring *ref) -{ - void *ctx; - uint8_t hash[16]; - unsigned i; - - ctx = xalloc(ctx_size); - - ASSERT (ref->length == sizeof(hash)); - ASSERT (key->length == 16 || key->length == 32); - set_key (ctx, key->data); - update (ctx, msg->length, msg->data); - digest (ctx, sizeof(hash), hash); - if (!MEMEQ (ref->length, ref->data, hash)) - { - fprintf (stderr, "cmac_hash failed, msg: "); - print_hex (msg->length, msg->data); - fprintf(stderr, "Output:"); - print_hex (16, hash); - fprintf(stderr, "Expected:"); - tstring_print_hex(ref); - fprintf(stderr, "\n"); - FAIL(); - } - - /* attempt to re-use the structure */ - update (ctx, msg->length, msg->data); - digest (ctx, sizeof(hash), hash); - if (!MEMEQ (ref->length, ref->data, hash)) - { - fprintf (stderr, "cmac_hash failed on re-use, msg: "); - print_hex (msg->length, msg->data); - fprintf(stderr, "Output:"); - print_hex (16, hash); - fprintf(stderr, "Expected:"); - tstring_print_hex(ref); - fprintf(stderr, "\n"); - FAIL(); - } - - /* attempt byte-by-byte hashing */ - set_key (ctx, key->data); - for (i=0;i<msg->length;i++) - update (ctx, 1, msg->data+i); - digest (ctx, sizeof(hash), hash); - if (!MEMEQ (ref->length, ref->data, hash)) - { - fprintf (stderr, "cmac_hash failed on byte-by-byte, msg: "); - print_hex (msg->length, msg->data); - fprintf(stderr, "Output:"); - print_hex (16, hash); - fprintf(stderr, "Expected:"); - tstring_print_hex(ref); - fprintf(stderr, "\n"); - FAIL(); - } - free (ctx); -} + test_mac(&nettle_cmac_aes256, key, msg, ref) void test_main(void) diff --git a/testsuite/testutils.c b/testsuite/testutils.c index 1812ff4f52b0..ba0b41131925 100644 --- a/testsuite/testutils.c +++ b/testsuite/testutils.c @@ -924,6 +924,70 @@ test_hash_large(const struct nettle_hash *hash, free(data); } +void +test_mac(const struct nettle_mac *mac, + const struct tstring *key, + const struct tstring *msg, + const struct tstring *digest) +{ + void *ctx = xalloc(mac->context_size); + uint8_t *hash = xalloc(mac->digest_size); + unsigned i; + + + ASSERT (digest->length == mac->digest_size); + ASSERT (key->length == mac->key_size); + mac->set_key (ctx, key->data); + mac->update (ctx, msg->length, msg->data); + mac->digest (ctx, digest->length, hash); + + if (!MEMEQ (digest->length, digest->data, hash)) + { + fprintf (stderr, "test_mac failed, msg: "); + print_hex (msg->length, msg->data); + fprintf(stderr, "Output:"); + print_hex (mac->digest_size, hash); + fprintf(stderr, "Expected:"); + tstring_print_hex(digest); + fprintf(stderr, "\n"); + FAIL(); + } + + /* attempt to re-use the structure */ + mac->update (ctx, msg->length, msg->data); + mac->digest (ctx, digest->length, hash); + if (!MEMEQ (digest->length, digest->data, hash)) + { + fprintf (stderr, "test_mac: failed on re-use, msg: "); + print_hex (msg->length, msg->data); + fprintf(stderr, "Output:"); + print_hex (mac->digest_size, hash); + fprintf(stderr, "Expected:"); + tstring_print_hex(digest); + fprintf(stderr, "\n"); + FAIL(); + } + + /* attempt byte-by-byte hashing */ + mac->set_key (ctx, key->data); + for (i=0;i<msg->length;i++) + mac->update (ctx, 1, msg->data+i); + mac->digest (ctx, digest->length, hash); + if (!MEMEQ (digest->length, digest->data, hash)) + { + fprintf (stderr, "cmac_hash failed on byte-by-byte, msg: "); + print_hex (msg->length, msg->data); + fprintf(stderr, "Output:"); + print_hex (16, hash); + fprintf(stderr, "Expected:"); + tstring_print_hex(digest); + fprintf(stderr, "\n"); + FAIL(); + } + free (ctx); + free (hash); +} + void test_armor(const struct nettle_armor *armor, size_t data_length, diff --git a/testsuite/testutils.h b/testsuite/testutils.h index ded57db6ab4f..f4ea38da9deb 100644 --- a/testsuite/testutils.h +++ b/testsuite/testutils.h @@ -170,6 +170,12 @@ test_hash_large(const struct nettle_hash *hash, uint8_t c, const struct tstring *digest); +void +test_mac(const struct nettle_mac *mac, + const struct tstring *key, + const struct tstring *msg, + const struct tstring *digest); + void test_armor(const struct nettle_armor *armor, size_t data_length, -- 2.19.1

1 4

Intel CET protection
by Simo Sorce 27 Apr '19

27 Apr '19

Hello, the attached patches have been used to successfully enable and test Intel CET support in an Intel emulator on SDV hardware. The patches are minimally intrusive and enable to use a future countermeasure that is very useful as it makes ROP attacks very hard to carry out. GCC already has all the needed support to create CET hardened code, however the hand-coded assembly needs to be changed to conform. Without these changes all the binaries that load nettle will otherwise have CET disabled, as it is an all-or-nothing at the binary level and missing ENDBRANCH instruction cause the program to terminate on indirect jump/call instructions. The second patch is used to make the system happy when hardening flags are enabled in gcc, as it generates the appropriate section information that tells the linker all is good. Unfortunately I do not have actual tests for this feature (one of the reasons why it is behind a configure flag even though it is safe to add the code on any x86 hardware) because the only real way to test this is to run on hardware or emulators that cause the segfaults on errors. But we can add a simple test later once hardware becomes available. Finally while looking at the assembly I noticed that some functions have a PROLOGUE() defined but not an EPILOGUE() macro defined in their .asm files. It is unclear to me if this is an error or intentional so didn't touch those, it doesn't affect functionality for this patch anyway. HTH, Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc

2 8

nettle-pbkdf2 Segmentation fault
by Yu, Mingli 15 Apr '19

15 Apr '19

# echo -n passwd| nettle-pbkdf2 -i 1 -l 16 [65534.886509] nettle-pbkdf2[708]: segfault at 1f594260 ip 00007f3332256998 sp 00007fff60d44410 error 4 in libnettle.so.6.5[7f3332244000+1d00] [65534.887525] Code: e8 6d db fe ff 44 01 6d 68 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 49 89 dc e9 68 ff f Segmentation fault

4 18

[PATCH] fat-arm.c: prefer getauxval() over /proc/cpuinfo parsing
by Yuriy M. Kaminskiy 14 Apr '19

14 Apr '19

When compiled for armv6+ and getauxval() is present (glibc 2.16+), avoid slow and unreliable /proc/cpuinfo parsing. E.g. /proc/cpuinfo contains junk with qemu-user and can be unavailable in some chroot environment.

2 3

Implement XTS block cipher mode
by Simo Sorce 25 Mar '19

25 Mar '19

Hello, The attached patch implements the XTS block cipher mode, as specified in IEEE P1619. The interface is split into a generic pair of functions for encryption and decryption and additional AES-128/AES-256 variants. The function signatures follows the same pattern used by other block- cipher modes like ctr, cfb, ccm, etc... Basic tests using a small selection of NIST CAVS vectors are provided. XTS is use in several disk encryption algorithms and programs because it allows to use a block cipher even when the input length is not a perfect multiple of the block cipher length by using ciphertext stealing. Thanks to Daiki Ueno for initial review. Feedback is appreciated. Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc

3 25

[WIP] aes arm asm from libgcrypt
by Yuriy M. Kaminskiy 24 Mar '19

24 Mar '19

On raspberry pi 3b+ (cortex-a53 @ 1.4GHz): Before: aes128 | nanosecs/byte mebibytes/sec cycles/byte ECB enc | 39.58 ns/B 24.10 MiB/s - c/B ECB dec | 39.57 ns/B 24.10 MiB/s - c/B After: ECB enc | 15.24 ns/B 62.57 MiB/s - c/B ECB dec | 15.68 ns/B 60.80 MiB/s - c/B Passes nettle regression test (only little-endian though) Does not use pre-rotated tables (as in AES_SMALL), so reduces d-cache footprint from 4.25K to 1K (enc)/1.25K (dec); completely unrolled, so increases i-cache footprint from 948b to 4416b (enc)/4032b (dec) As it completely replaces current implementation, I just attached new files (will post final version as a patch). P.S. Yes, I tried convert macros to m4: complete failure (no named parameters, problems with more than 9 arguments, weird expansion rules); so I fallen back to good ol' gas. Sorry. P.P.S. with this change, gcm/neon and (to-be-publushed) chacha_blocks/neon, gnutls-cli --benchmark-ciphers: Before: Checking cipher-MAC combinations, payload size: 16384 AES-128-GCM 13.56 MB/sec CHACHA20-POLY1305 68.26 MB/sec AES-128-CBC-SHA1 16.72 MB/sec AES-128-CBC-SHA256 15.07 MB/sec After: AES-128-GCM 35.32 MB/sec CHACHA20-POLY1305 94.94 MB/sec AES-128-CBC-SHA1 27.53 MB/sec AES-128-CBC-SHA256 23.30 MB/sec

2 4

[WIP][RFC][PATCH 1-3/x] chacha: add asm optimizations from Andrew Moon
by Yuriy M. Kaminskiy 17 Mar '19

17 Mar '19

Taken from https://github.com/floodyberry/chacha-opt (released by author as public-domain-or-MIT, so I guess ok to borrow). On x86/sse2 and x86_64: 80 to 100% faster. Passes regression test on linux/debian/stretch x86 and x86_64, benchmarks ran with patched nettle-3.4.1 (due to abi break in 3.5). *Not* tested on win{32,64} (important: win64 ABI difference). chacha-opt also contains x86{,_64}-{ssse3,avx{,2},xop} optimized code, but I don't have hardware to test (and there are difference in structure/argument layout that need to be corrected and tested). WIP, will add armv6 and arm/neon a bit later. P.S. Then I will probably take a look at poly1305 and likely try to borrow license-compatible arm asm somewhere (current nettle code is painfully slow); gcrypt is somewhat faster than nettle and LGPLv2.1+; cryptograms has definitely fastest crypto, but it is BSD-3-clause-or-GPLv2+; while it is, AFAIK, compatible with LGPL, but not sure if that's acceptable for nettle inclusion. P.S. previously posted arm neon gcm patch breaks x86_64 compilation, will post trivial fix later.

3 6

FYI: fast gcm/ghash for arm neon
by Yuriy M. Kaminskiy 14 Mar '19

14 Mar '19

Currently ghash/gcm performance on arm in both gcrypt and nettle is a bit abysmal: === bench-slopes-nettle === GCM auth | 28.43 ns/B 33.54 MiB/s 39.81 c/B 1400.2 === bench-slopes-gcrypt === GCM auth | 21.86 ns/B 43.62 MiB/s 30.52 c/B 1396.0 === bench-slopes-openssl [1.1.1a] === GCM auth | 5.99 ns/B 159.3 MiB/s 8.38 c/B 1399.6 === cut === Current openssl/cryptograms code is based on ideas from https://hal.inria.fr/hal-01506572 (licensed CC BY 4.0) and there are linked implementation https://conradoplg.cryptoland.net/software/ecc-and-ae-for-arm-neon/ (licensed LGPL 2.1+), which I guess should be acceptable to borrow. Very preliminary patch for nettle will be posted as reply (passes nettle regression test, but needs more extensive testing); === bench-slopes-nettle [w/ patched nettle 3.3] === aes128 | nanosecs/byte mebibytes/sec cycles/byte GCM auth | 7.07 ns/B 134.9 MiB/s 9.90 c/B === cut === (And not only it is notably faster, it should be completely free of all cache/timing leaks).

3 3

sec_powm.c:293: GNU MP assertion failed: enb >= windowsize
by Jeffrey Walton 01 Feb '19

01 Feb '19

Hi Everyone, I'm trying to build Nettle 3.4.1 on Fedora 29, x64 (fully patched). Self tests are failing at: PASS: rsa-sec-decrypt sec_powm.c:293: GNU MP assertion failed: enb >= windowsize ../run-tests: line 57: 22997 Aborted (core dumped) "$1" $testflags FAIL: rsa-compute-root PASS: dsa PASS: dsa-keygen GMP is 6.1.2, which is the latest version. Could someone please advise. Thanks.

5 16

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs