From: Daiki Ueno dueno@redhat.com
The changes from the previous series are: - remove the global hmac_*_set_key_expanded functions - leave out set_nonce member if the operation is not supported
For the latter, I was wondering whether it is better to define a no-op set_nonce, but given the fact that that the caller nevertheless checks nonce_size, I chose to make the field blank.
Daiki Ueno (6): nettle-meta: Move struct nettle_mac to nettle-meta.h nettle-meta: Add meta interface for CMAC functions nettle-meta: Add meta interface for HMAC functions nettle-meta: Add meta interface for UMAC functions nettle-meta: Expose all defined MACs through nettle_macs tests: Add test for meta interface for MAC algorithms
Makefile.in | 7 +++- cmac-aes128-meta.c | 43 ++++++++++++++++++++ cmac-aes256-meta.c | 43 ++++++++++++++++++++ hmac-md5-meta.c | 47 ++++++++++++++++++++++ hmac-ripemd160-meta.c | 47 ++++++++++++++++++++++ hmac-sha1-meta.c | 47 ++++++++++++++++++++++ hmac-sha224-meta.c | 47 ++++++++++++++++++++++ hmac-sha256-meta.c | 47 ++++++++++++++++++++++ hmac-sha384-meta.c | 47 ++++++++++++++++++++++ hmac-sha512-meta.c | 47 ++++++++++++++++++++++ nettle-meta-macs.c | 61 ++++++++++++++++++++++++++++ nettle-meta.h | 81 ++++++++++++++++++++++++++++++++++++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/cmac-test.c | 24 ----------- testsuite/meta-mac-test.c | 43 ++++++++++++++++++++ testsuite/testutils.h | 29 -------------- umac128-meta.c | 47 ++++++++++++++++++++++ umac32-meta.c | 47 ++++++++++++++++++++++ umac64-meta.c | 47 ++++++++++++++++++++++ umac96-meta.c | 47 ++++++++++++++++++++++ 22 files changed, 799 insertions(+), 55 deletions(-) create mode 100644 cmac-aes128-meta.c create mode 100644 cmac-aes256-meta.c create mode 100644 hmac-md5-meta.c create mode 100644 hmac-ripemd160-meta.c create mode 100644 hmac-sha1-meta.c create mode 100644 hmac-sha224-meta.c create mode 100644 hmac-sha256-meta.c create mode 100644 hmac-sha384-meta.c create mode 100644 hmac-sha512-meta.c create mode 100644 nettle-meta-macs.c create mode 100644 testsuite/meta-mac-test.c create mode 100644 umac128-meta.c create mode 100644 umac32-meta.c create mode 100644 umac64-meta.c create mode 100644 umac96-meta.c
From: Daiki Ueno dueno@redhat.com
The struct was defined in testutils.h as the interface was not stable. This generalizes the interface to cover all defined MAC algorithms in nettle.
Signed-off-by: Daiki Ueno dueno@redhat.com --- nettle-meta.h | 22 ++++++++++++++++++++++ testsuite/testutils.h | 29 ----------------------------- 2 files changed, 22 insertions(+), 29 deletions(-)
diff --git a/nettle-meta.h b/nettle-meta.h index 74e50e59..b03da208 100644 --- a/nettle-meta.h +++ b/nettle-meta.h @@ -238,6 +238,28 @@ extern const struct nettle_armor nettle_base64; extern const struct nettle_armor nettle_base64url; extern const struct nettle_armor nettle_base16;
+struct nettle_mac +{ + const char *name; + + /* Size of the context struct */ + unsigned context_size; + + /* Size of digests */ + unsigned digest_size; + + /* Suggested key size; other sizes are sometimes possible */ + unsigned key_size; + + /* Suggested nonce size; 0 if nonce is not used */ + unsigned nonce_size; + + nettle_set_key_func *set_key; + nettle_set_key_func *set_nonce; + nettle_hash_update_func *update; + nettle_hash_digest_func *digest; +}; + #ifdef __cplusplus } #endif diff --git a/testsuite/testutils.h b/testsuite/testutils.h index f4ea38da..78daf62b 100644 --- a/testsuite/testutils.h +++ b/testsuite/testutils.h @@ -79,35 +79,6 @@ test_main(void);
extern int verbose;
-/* FIXME: When interface stabilizes, move to nettle-meta.h */ -struct nettle_mac -{ - const char *name; - - /* Size of the context struct */ - unsigned context_size; - - /* Size of digests */ - unsigned digest_size; - - /* Suggested key size; other sizes are sometimes possible. */ - unsigned key_size; - - nettle_set_key_func *set_key; - nettle_hash_update_func *update; - nettle_hash_digest_func *digest; -}; - -#define _NETTLE_HMAC(name, NAME, keysize) { \ - #name, \ - sizeof(struct hmac_##name##_ctx), \ - NAME##_DIGEST_SIZE, \ - NAME##_DIGEST_SIZE, \ - hmac_##name##_set_key, \ - hmac_##name##_update, \ - hmac_##name##_digest, \ -} - /* Test functions deallocate their inputs when finished.*/ void test_cipher(const struct nettle_cipher *cipher,
From: Daiki Ueno dueno@redhat.com
Signed-off-by: Daiki Ueno dueno@redhat.com --- Makefile.in | 1 + cmac-aes128-meta.c | 43 +++++++++++++++++++++++++++++++++++++++++++ cmac-aes256-meta.c | 43 +++++++++++++++++++++++++++++++++++++++++++ nettle-meta.h | 15 +++++++++++++++ testsuite/cmac-test.c | 24 ------------------------ 5 files changed, 102 insertions(+), 24 deletions(-) create mode 100644 cmac-aes128-meta.c create mode 100644 cmac-aes256-meta.c
diff --git a/Makefile.in b/Makefile.in index b54e64b0..6a425e16 100644 --- a/Makefile.in +++ b/Makefile.in @@ -103,6 +103,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ cmac.c cmac-aes128.c cmac-aes256.c \ + cmac-aes128-meta.c cmac-aes256-meta.c \ gosthash94.c gosthash94-meta.c \ hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ diff --git a/cmac-aes128-meta.c b/cmac-aes128-meta.c new file mode 100644 index 00000000..6239984b --- /dev/null +++ b/cmac-aes128-meta.c @@ -0,0 +1,43 @@ +/* cmac-aes128-meta.c + + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "nettle-meta.h" + +#include "cmac.h" + +const struct nettle_mac nettle_cmac_aes128 += _NETTLE_CMAC(cmac_aes128, AES128); diff --git a/cmac-aes256-meta.c b/cmac-aes256-meta.c new file mode 100644 index 00000000..8f50f0d8 --- /dev/null +++ b/cmac-aes256-meta.c @@ -0,0 +1,43 @@ +/* cmac-aes256-meta.c + + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "nettle-meta.h" + +#include "cmac.h" + +const struct nettle_mac nettle_cmac_aes256 += _NETTLE_CMAC(cmac_aes256, AES256); diff --git a/nettle-meta.h b/nettle-meta.h index b03da208..783d80ce 100644 --- a/nettle-meta.h +++ b/nettle-meta.h @@ -260,6 +260,21 @@ struct nettle_mac nettle_hash_digest_func *digest; };
+#define _NETTLE_CMAC(name, AES) { \ + #name, \ + sizeof(struct name##_ctx), \ + CMAC128_DIGEST_SIZE, \ + AES##_KEY_SIZE, \ + 0, \ + (nettle_set_key_func *) name##_set_key, \ + NULL, \ + (nettle_hash_update_func *) name##_update, \ + (nettle_hash_digest_func *) name##_digest, \ +} + +extern const struct nettle_mac nettle_cmac_aes128; +extern const struct nettle_mac nettle_cmac_aes256; + #ifdef __cplusplus } #endif diff --git a/testsuite/cmac-test.c b/testsuite/cmac-test.c index b1d4aa30..42188ece 100644 --- a/testsuite/cmac-test.c +++ b/testsuite/cmac-test.c @@ -2,30 +2,6 @@ #include "nettle-internal.h" #include "cmac.h"
-const struct nettle_mac nettle_cmac_aes128 = -{ - "CMAC-AES128", - sizeof(struct cmac_aes128_ctx), - CMAC128_DIGEST_SIZE, - AES128_KEY_SIZE, - - (nettle_set_key_func*) cmac_aes128_set_key, - (nettle_hash_update_func*) cmac_aes128_update, - (nettle_hash_digest_func*) cmac_aes128_digest -}; - -const struct nettle_mac nettle_cmac_aes256 = -{ - "CMAC-AES256", - sizeof(struct cmac_aes256_ctx), - CMAC128_DIGEST_SIZE, - AES256_KEY_SIZE, - - (nettle_set_key_func*) cmac_aes256_set_key, - (nettle_hash_update_func*) cmac_aes256_update, - (nettle_hash_digest_func*) cmac_aes256_digest -}; - #define test_cmac_aes128(key, msg, ref) \ test_mac(&nettle_cmac_aes128, key, msg, ref)
From: Daiki Ueno dueno@redhat.com
Signed-off-by: Daiki Ueno dueno@redhat.com --- Makefile.in | 3 +++ hmac-md5-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++ hmac-ripemd160-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++ hmac-sha1-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++ hmac-sha224-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++ hmac-sha256-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++ hmac-sha384-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++ hmac-sha512-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++ nettle-meta.h | 20 ++++++++++++++++++ 9 files changed, 352 insertions(+) create mode 100644 hmac-md5-meta.c create mode 100644 hmac-ripemd160-meta.c create mode 100644 hmac-sha1-meta.c create mode 100644 hmac-sha224-meta.c create mode 100644 hmac-sha256-meta.c create mode 100644 hmac-sha384-meta.c create mode 100644 hmac-sha512-meta.c
diff --git a/Makefile.in b/Makefile.in index 6a425e16..9031d959 100644 --- a/Makefile.in +++ b/Makefile.in @@ -107,6 +107,9 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gosthash94.c gosthash94-meta.c \ hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ + hmac-md5-meta.c hmac-ripemd160-meta.c hmac-sha1-meta.c \ + hmac-sha224-meta.c hmac-sha256-meta.c hmac-sha384-meta.c \ + hmac-sha512-meta.c \ knuth-lfib.c hkdf.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-compress.c md5-compat.c md5-meta.c \ diff --git a/hmac-md5-meta.c b/hmac-md5-meta.c new file mode 100644 index 00000000..3933a455 --- /dev/null +++ b/hmac-md5-meta.c @@ -0,0 +1,47 @@ +/* hmac-md5-meta.c + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_md5_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_md5_set_key (ctx, MD5_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_hmac_md5 += _NETTLE_HMAC(hmac_md5, MD5); diff --git a/hmac-ripemd160-meta.c b/hmac-ripemd160-meta.c new file mode 100644 index 00000000..86469650 --- /dev/null +++ b/hmac-ripemd160-meta.c @@ -0,0 +1,47 @@ +/* hmac-ripemd160-meta.c + + Copyright (C) 2011 Andres Mejia + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_ripemd160_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_ripemd160_set_key (ctx, RIPEMD160_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_hmac_ripemd160 += _NETTLE_HMAC(hmac_ripemd160, RIPEMD160); diff --git a/hmac-sha1-meta.c b/hmac-sha1-meta.c new file mode 100644 index 00000000..14d34d2b --- /dev/null +++ b/hmac-sha1-meta.c @@ -0,0 +1,47 @@ +/* hmac-sha1-meta.c + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha1_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha1_set_key (ctx, SHA1_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha1 += _NETTLE_HMAC(hmac_sha1, SHA1); diff --git a/hmac-sha224-meta.c b/hmac-sha224-meta.c new file mode 100644 index 00000000..2468a4ce --- /dev/null +++ b/hmac-sha224-meta.c @@ -0,0 +1,47 @@ +/* hmac-sha224-meta.c + + Copyright (C) 2002, 2010 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha224_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha224_set_key (ctx, SHA224_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha224 += _NETTLE_HMAC(hmac_sha224, SHA224); diff --git a/hmac-sha256-meta.c b/hmac-sha256-meta.c new file mode 100644 index 00000000..df099d05 --- /dev/null +++ b/hmac-sha256-meta.c @@ -0,0 +1,47 @@ +/* hmac-sha256-meta.c + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha256_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha256_set_key (ctx, SHA256_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha256 += _NETTLE_HMAC(hmac_sha256, SHA256); diff --git a/hmac-sha384-meta.c b/hmac-sha384-meta.c new file mode 100644 index 00000000..1cfdd278 --- /dev/null +++ b/hmac-sha384-meta.c @@ -0,0 +1,47 @@ +/* hmac-sha384-meta.c + + Copyright (C) 2002, 2010 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha384_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha384_set_key (ctx, SHA384_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha384 += _NETTLE_HMAC(hmac_sha384, SHA384); diff --git a/hmac-sha512-meta.c b/hmac-sha512-meta.c new file mode 100644 index 00000000..f4140766 --- /dev/null +++ b/hmac-sha512-meta.c @@ -0,0 +1,47 @@ +/* hmac-sha512-meta.c + + Copyright (C) 2002, 2010 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha512_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha512_set_key (ctx, SHA512_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha512 += _NETTLE_HMAC(hmac_sha512, SHA512); diff --git a/nettle-meta.h b/nettle-meta.h index 783d80ce..20f5cd89 100644 --- a/nettle-meta.h +++ b/nettle-meta.h @@ -272,9 +272,29 @@ struct nettle_mac (nettle_hash_digest_func *) name##_digest, \ }
+#define _NETTLE_HMAC(name, HASH) { \ + #name, \ + sizeof(struct name##_ctx), \ + HASH##_DIGEST_SIZE, \ + HASH##_BLOCK_SIZE, \ + 0, \ + name##_set_key_wrapper, \ + NULL, \ + (nettle_hash_update_func *) name##_update, \ + (nettle_hash_digest_func *) name##_digest, \ +} + extern const struct nettle_mac nettle_cmac_aes128; extern const struct nettle_mac nettle_cmac_aes256;
+extern const struct nettle_mac nettle_hmac_md5; +extern const struct nettle_mac nettle_hmac_ripemd160; +extern const struct nettle_mac nettle_hmac_sha1; +extern const struct nettle_mac nettle_hmac_sha224; +extern const struct nettle_mac nettle_hmac_sha256; +extern const struct nettle_mac nettle_hmac_sha384; +extern const struct nettle_mac nettle_hmac_sha512; + #ifdef __cplusplus } #endif
Daiki Ueno ueno@gnu.org writes:
+static void +hmac_md5_set_key_wrapper (void *ctx, const uint8_t *key) +{
- hmac_md5_set_key (ctx, MD5_BLOCK_SIZE, key);
+}
[...]
+extern const struct nettle_mac nettle_hmac_md5; +extern const struct nettle_mac nettle_hmac_ripemd160; +extern const struct nettle_mac nettle_hmac_sha1; +extern const struct nettle_mac nettle_hmac_sha224; +extern const struct nettle_mac nettle_hmac_sha256; +extern const struct nettle_mac nettle_hmac_sha384; +extern const struct nettle_mac nettle_hmac_sha512;
If we define a single nettle_mac for each supported (no-nonce) mac algorithm, what should the key size be for each algorithm? Using the underlying block size for the hmac algorithms seems to be a bit overkill. What key sizes are used in practice? Does it make sense to use key size equal to digest size (at least, that's what used for hmac in the ssh protocol)?
My current plan is to first add struct nettle_mac as an interface for no-nonce macs. And then add a different struct for macs requiring a per-message nonce. struct nettle_nmac was suggested, any better name for this?
Regards, /Niels
Hello,
ср, 25 дек. 2019 г. в 14:31, Niels Möller nisse@lysator.liu.se:
Daiki Ueno ueno@gnu.org writes:
+static void +hmac_md5_set_key_wrapper (void *ctx, const uint8_t *key) +{
- hmac_md5_set_key (ctx, MD5_BLOCK_SIZE, key);
+}
[...]
+extern const struct nettle_mac nettle_hmac_md5; +extern const struct nettle_mac nettle_hmac_ripemd160; +extern const struct nettle_mac nettle_hmac_sha1; +extern const struct nettle_mac nettle_hmac_sha224; +extern const struct nettle_mac nettle_hmac_sha256; +extern const struct nettle_mac nettle_hmac_sha384; +extern const struct nettle_mac nettle_hmac_sha512;
If we define a single nettle_mac for each supported (no-nonce) mac algorithm, what should the key size be for each algorithm? Using the underlying block size for the hmac algorithms seems to be a bit overkill. What key sizes are used in practice? Does it make sense to use key size equal to digest size (at least, that's what used for hmac in the ssh protocol)?
Same goes for TLS. Key size = digest size for HMAC.
Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
ср, 25 дек. 2019 г. в 14:31, Niels Möller nisse@lysator.liu.se:
If we define a single nettle_mac for each supported (no-nonce) mac algorithm, what should the key size be for each algorithm? Using the underlying block size for the hmac algorithms seems to be a bit overkill. What key sizes are used in practice? Does it make sense to use key size equal to digest size (at least, that's what used for hmac in the ssh protocol)?
Same goes for TLS. Key size = digest size for HMAC.
I've pushed Daiki's patches with struct nettle_mac to a branch move-nettle_mac, with a few changes: Drop the nonce things (and hence also umac). Change the hmac algorithms to all use digest size as the key size. And I've updated hmac tests to use this interface when possible.
Regards, /Niels
From: Daiki Ueno dueno@redhat.com
Signed-off-by: Daiki Ueno dueno@redhat.com --- Makefile.in | 1 + nettle-meta.h | 17 +++++++++++++++++ umac128-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ umac32-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ umac64-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ umac96-meta.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 206 insertions(+) create mode 100644 umac128-meta.c create mode 100644 umac32-meta.c create mode 100644 umac64-meta.c create mode 100644 umac96-meta.c
diff --git a/Makefile.in b/Makefile.in index 9031d959..4cfc5005 100644 --- a/Makefile.in +++ b/Makefile.in @@ -138,6 +138,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \ umac-poly64.c umac-poly128.c umac-set-key.c \ umac32.c umac64.c umac96.c umac128.c \ + umac32-meta.c umac64-meta.c umac96-meta.c umac128-meta.c \ version.c \ write-be32.c write-le32.c write-le64.c \ yarrow256.c yarrow_key_event.c \ diff --git a/nettle-meta.h b/nettle-meta.h index 20f5cd89..b51fb602 100644 --- a/nettle-meta.h +++ b/nettle-meta.h @@ -284,6 +284,18 @@ struct nettle_mac (nettle_hash_digest_func *) name##_digest, \ }
+#define _NETTLE_UMAC(name, NAME) { \ + #name, \ + sizeof(struct name##_ctx), \ + NAME##_DIGEST_SIZE, \ + UMAC_BLOCK_SIZE, \ + AES_BLOCK_SIZE, \ + (nettle_set_key_func *) name##_set_key, \ + name##_set_nonce_wrapper, \ + (nettle_hash_update_func *) name##_update, \ + (nettle_hash_digest_func *) name##_digest, \ +} + extern const struct nettle_mac nettle_cmac_aes128; extern const struct nettle_mac nettle_cmac_aes256;
@@ -295,6 +307,11 @@ extern const struct nettle_mac nettle_hmac_sha256; extern const struct nettle_mac nettle_hmac_sha384; extern const struct nettle_mac nettle_hmac_sha512;
+extern const struct nettle_mac nettle_umac32; +extern const struct nettle_mac nettle_umac64; +extern const struct nettle_mac nettle_umac96; +extern const struct nettle_mac nettle_umac128; + #ifdef __cplusplus } #endif diff --git a/umac128-meta.c b/umac128-meta.c new file mode 100644 index 00000000..9f6a7e34 --- /dev/null +++ b/umac128-meta.c @@ -0,0 +1,47 @@ +/* umac128-meta.c + + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "umac.h" + +static void +umac128_set_nonce_wrapper (void *ctx, const uint8_t *key) +{ + umac128_set_nonce (ctx, AES_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_umac128 += _NETTLE_UMAC(umac128, UMAC128); diff --git a/umac32-meta.c b/umac32-meta.c new file mode 100644 index 00000000..2b4f9c14 --- /dev/null +++ b/umac32-meta.c @@ -0,0 +1,47 @@ +/* umac32-meta.c + + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "umac.h" + +static void +umac32_set_nonce_wrapper (void *ctx, const uint8_t *key) +{ + umac32_set_nonce (ctx, AES_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_umac32 += _NETTLE_UMAC(umac32, UMAC32); diff --git a/umac64-meta.c b/umac64-meta.c new file mode 100644 index 00000000..0351aaed --- /dev/null +++ b/umac64-meta.c @@ -0,0 +1,47 @@ +/* umac64-meta.c + + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "umac.h" + +static void +umac64_set_nonce_wrapper (void *ctx, const uint8_t *key) +{ + umac64_set_nonce (ctx, AES_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_umac64 += _NETTLE_UMAC(umac64, UMAC64); diff --git a/umac96-meta.c b/umac96-meta.c new file mode 100644 index 00000000..2feba8c8 --- /dev/null +++ b/umac96-meta.c @@ -0,0 +1,47 @@ +/* umac96-meta.c + + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "umac.h" + +static void +umac96_set_nonce_wrapper (void *ctx, const uint8_t *key) +{ + umac96_set_nonce (ctx, AES_BLOCK_SIZE, key); +} + +const struct nettle_mac nettle_umac96 += _NETTLE_UMAC(umac96, UMAC96);
From: Daiki Ueno dueno@redhat.com
Signed-off-by: Daiki Ueno dueno@redhat.com --- Makefile.in | 2 +- nettle-meta-macs.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++ nettle-meta.h | 7 ++++++ 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 nettle-meta-macs.c
diff --git a/Makefile.in b/Makefile.in index 4cfc5005..8efe2f88 100644 --- a/Makefile.in +++ b/Makefile.in @@ -116,7 +116,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ memeql-sec.c memxor.c memxor3.c \ nettle-lookup-hash.c \ nettle-meta-aeads.c nettle-meta-armors.c \ - nettle-meta-ciphers.c nettle-meta-hashes.c \ + nettle-meta-ciphers.c nettle-meta-hashes.c nettle-meta-macs.c \ pbkdf2.c pbkdf2-hmac-sha1.c pbkdf2-hmac-sha256.c \ poly1305-aes.c poly1305-internal.c \ realloc.c \ diff --git a/nettle-meta-macs.c b/nettle-meta-macs.c new file mode 100644 index 00000000..6575ed66 --- /dev/null +++ b/nettle-meta-macs.c @@ -0,0 +1,61 @@ +/* nettle-meta-macs.c + + Copyright (C) 2011 Daniel Kahn Gillmor + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <stddef.h> + +#include "nettle-meta.h" + +const struct nettle_mac * const _nettle_macs[] = { + &nettle_cmac_aes128, + &nettle_cmac_aes256, + &nettle_hmac_md5, + &nettle_hmac_ripemd160, + &nettle_hmac_sha1, + &nettle_hmac_sha224, + &nettle_hmac_sha256, + &nettle_hmac_sha384, + &nettle_hmac_sha512, + &nettle_umac32, + &nettle_umac64, + &nettle_umac96, + &nettle_umac128, + NULL +}; + +const struct nettle_mac * const * +nettle_get_macs (void) +{ + return _nettle_macs; +} diff --git a/nettle-meta.h b/nettle-meta.h index b51fb602..4b4d312d 100644 --- a/nettle-meta.h +++ b/nettle-meta.h @@ -296,6 +296,13 @@ struct nettle_mac (nettle_hash_digest_func *) name##_digest, \ }
+/* null-terminated list of macs implemented by this + version of nettle */ +const struct nettle_mac * const * _NETTLE_ATTRIBUTE_PURE +nettle_get_macs (void); + +#define nettle_macs (nettle_get_macs()) + extern const struct nettle_mac nettle_cmac_aes128; extern const struct nettle_mac nettle_cmac_aes256;
From: Daiki Ueno dueno@redhat.com
Signed-off-by: Daiki Ueno dueno@redhat.com --- testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 +++ testsuite/Makefile.in | 2 +- testsuite/meta-mac-test.c | 43 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 testsuite/meta-mac-test.c
diff --git a/testsuite/.gitignore b/testsuite/.gitignore index 066bcee2..a57feccb 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -56,6 +56,7 @@ /meta-armor-test /meta-cipher-test /meta-hash-test +/meta-mac-test /pbkdf2-test /pkcs1-test /pkcs1-sec-decrypt-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index efb7df3c..87e288c5 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -160,6 +160,9 @@ meta-aead-test$(EXEEXT): meta-aead-test.$(OBJEXT) meta-armor-test$(EXEEXT): meta-armor-test.$(OBJEXT) $(LINK) meta-armor-test.$(OBJEXT) $(TEST_OBJS) -o meta-armor-test$(EXEEXT)
+meta-mac-test$(EXEEXT): meta-mac-test.$(OBJEXT) + $(LINK) meta-mac-test.$(OBJEXT) $(TEST_OBJS) -o meta-mac-test$(EXEEXT) + buffer-test$(EXEEXT): buffer-test.$(OBJEXT) $(LINK) buffer-test.$(OBJEXT) $(TEST_OBJS) -o buffer-test$(EXEEXT)
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index f8f85701..d688c242 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -31,7 +31,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ poly1305-test.c chacha-poly1305-test.c \ hmac-test.c umac-test.c \ meta-hash-test.c meta-cipher-test.c\ - meta-aead-test.c meta-armor-test.c \ + meta-aead-test.c meta-armor-test.c meta-mac-test.c \ buffer-test.c yarrow-test.c xts-test.c pbkdf2-test.c
TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ diff --git a/testsuite/meta-mac-test.c b/testsuite/meta-mac-test.c new file mode 100644 index 00000000..09cb5e9f --- /dev/null +++ b/testsuite/meta-mac-test.c @@ -0,0 +1,43 @@ +#include "testutils.h" +#include "nettle-internal.h" +#include "nettle-meta.h" + +const char* macs[] = { + "cmac_aes128", + "cmac_aes256", + "hmac_md5", + "hmac_ripemd160", + "hmac_sha1", + "hmac_sha224", + "hmac_sha256", + "hmac_sha384", + "hmac_sha512", + "umac32", + "umac64", + "umac96", + "umac128", +}; + +void +test_main(void) +{ + int i, j; + int count = sizeof(macs)/sizeof(*macs); + for (i = 0; i < count; i++) { + for (j = 0; NULL != nettle_macs[j]; j++) { + if (0 == strcmp(macs[i], nettle_macs[j]->name)) + break; + } + ASSERT(NULL != nettle_macs[j]); /* make sure we found a matching mac */ + } + for (i = 0; NULL != nettle_macs[i]; i++) { + if (nettle_macs[i]->nonce_size > 0) + ASSERT(NULL != nettle_macs[i]->set_nonce); + else + ASSERT(NULL == nettle_macs[i]->set_nonce); + } + i = 0; + while (NULL != nettle_macs[i]) + i++; + ASSERT(i == count); /* we are not missing testing any macs */ +}
пн, 22 июл. 2019 г. в 11:54, Daiki Ueno ueno@gnu.org:
From: Daiki Ueno dueno@redhat.com
The changes from the previous series are:
- remove the global hmac_*_set_key_expanded functions
- leave out set_nonce member if the operation is not supported
For the latter, I was wondering whether it is better to define a no-op set_nonce, but given the fact that that the caller nevertheless checks nonce_size, I chose to make the field blank.
Looks good to me now, thank you.
Daiki Ueno ueno@gnu.org writes:
From: Daiki Ueno dueno@redhat.com
The changes from the previous series are:
- remove the global hmac_*_set_key_expanded functions
- leave out set_nonce member if the operation is not supported
For the latter, I was wondering whether it is better to define a no-op set_nonce, but given the fact that that the caller nevertheless checks nonce_size, I chose to make the field blank.
I'm a bit uneasy about the set_nonce pointer. It's used only for umac, where nonce use is a bit peculiar with the auto-increment optimization.
Would it be ok to leave umac out, and move the definition of nettle_mac from testutils.h as is (except that the comment "other sizes are sometimes possible" on the key_size field seems wrong)?
Then nettle_mac is very similar to nettle_hash, one just calls ->set_key instead of ->init, and one can then hash several messages with the same key using a sequence of ->update and ->digest calls.
Regards, /Niels
сб, 14 сент. 2019 г. в 13:47, Niels Möller nisse@lysator.liu.se:
Daiki Ueno ueno@gnu.org writes:
From: Daiki Ueno dueno@redhat.com
The changes from the previous series are:
- remove the global hmac_*_set_key_expanded functions
- leave out set_nonce member if the operation is not supported
For the latter, I was wondering whether it is better to define a no-op set_nonce, but given the fact that that the caller nevertheless checks nonce_size, I chose to make the field blank.
I'm a bit uneasy about the set_nonce pointer. It's used only for umac, where nonce use is a bit peculiar with the auto-increment optimization.
Would it be ok to leave umac out, and move the definition of nettle_mac from testutils.h as is (except that the comment "other sizes are sometimes possible" on the key_size field seems wrong)?
There will be a nonce for GMAC.
Then nettle_mac is very similar to nettle_hash, one just calls ->set_key instead of ->init, and one can then hash several messages with the same key using a sequence of ->update and ->digest calls.
Regards, /Niels
-- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. _______________________________________________ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
There will be a nonce for GMAC.
Ok. If we keep set_nonce, we have to clarify what it means. There are a couple of cases, where the first two are relatively easy.
nonce_size == 0, set_nonce == NULL: Never call set_nonce. This is the HMAC case.
nonce_size == 0, set_nonce != NULL: This could mean that nonce is optional. Does that make any sense?
nonce_size > 0, set_nonce != NULL: Would then be used for UMAC and GMAC.
For the last case, I have a couple of questions.
1. Comment says "suggested nonce_size", but I take it only that one size is possible, since set_nonce is nettle_set_key_func, with no length argument. Or do you intend to allow other sizes?
I think I'd prefer fix size, to keep things simple. And treat variants with different nonce size as separate mac algorithms, for this abstraction. Just like with the key size.
2. What should be the behavior for usage like
->set_key ->set_nonce ->update ->digest ->update ->digest
with second set_nonce missing?
Should it just keep the nonce from the first digest? (Sounds a bit dangerous). Or autoincrement? (That's what umac does, because it's defined in a way to make that more efficient). Or be specified as invalid, triggering asserts whenever it is easy to detect?
I think it has to be specified; it will be too confusing if UMAC behaves in one way and GMAC behaves differently.
Regards, /Niels
Hello,
nisse@lysator.liu.se (Niels Möller) writes:
Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
There will be a nonce for GMAC.
Ok. If we keep set_nonce, we have to clarify what it means. There are a couple of cases, where the first two are relatively easy.
nonce_size == 0, set_nonce == NULL: Never call set_nonce. This is the HMAC case.
nonce_size == 0, set_nonce != NULL: This could mean that nonce is optional. Does that make any sense?
nonce_size > 0, set_nonce != NULL: Would then be used for UMAC and GMAC.
For the last case, I have a couple of questions.
Comment says "suggested nonce_size", but I take it only that one size is possible, since set_nonce is nettle_set_key_func, with no length argument. Or do you intend to allow other sizes?
I think I'd prefer fix size, to keep things simple. And treat variants with different nonce size as separate mac algorithms, for this abstraction. Just like with the key size.
I think fixed size would be sufficient (the code was merely copied from the nettle_aead definition).
What should be the behavior for usage like
->set_key ->set_nonce ->update ->digest ->update ->digest
with second set_nonce missing?
Should it just keep the nonce from the first digest? (Sounds a bit dangerous). Or autoincrement? (That's what umac does, because it's defined in a way to make that more efficient). Or be specified as invalid, triggering asserts whenever it is easy to detect?
I think it has to be specified; it will be too confusing if UMAC behaves in one way and GMAC behaves differently.
Provided that the two types of MACs (nonces are required or not) are supposedly not intermixed, another option might be to provide a separate struct (say, nettle_nmac) for MACs that require nonces (UMAC and GMAC, not sure if there will be more to come), and mandate set_nonce != NULL:
- nettle_mac (from the testutils.h definition) for HMAC, CMAC - nettle_nmac (nettle_nmac + set_nonce) for UMAC, GMAC
That would be analogous to the distinction between nettle_cipher and nettle_aead and serve the documentation.
Regards,
Daiki Ueno ueno@gnu.org writes:
Comment says "suggested nonce_size", but I take it only that one size is possible, since set_nonce is nettle_set_key_func, with no length argument. Or do you intend to allow other sizes?
I think I'd prefer fix size, to keep things simple. And treat variants with different nonce size as separate mac algorithms, for this abstraction. Just like with the key size.
I think fixed size would be sufficient (the code was merely copied from the nettle_aead definition).
Good.
Provided that the two types of MACs (nonces are required or not) are supposedly not intermixed, another option might be to provide a separate struct (say, nettle_nmac) for MACs that require nonces (UMAC and GMAC, not sure if there will be more to come), and mandate set_nonce != NULL:
- nettle_mac (from the testutils.h definition) for HMAC, CMAC
- nettle_nmac (nettle_nmac + set_nonce) for UMAC, GMAC
Makes sense. One would then only need a good name. Is there any standard terminology distinguishing between these two variants? But I'm fine with a single struct, provided that it's clearly specified how the set_nonce call is expected to be used.
Regards, /Niels
вс, 15 сент. 2019 г. в 10:28, Niels Möller nisse@lysator.liu.se:
Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
There will be a nonce for GMAC.
Ok. If we keep set_nonce, we have to clarify what it means. There are a couple of cases, where the first two are relatively easy.
nonce_size == 0, set_nonce == NULL: Never call set_nonce. This is the HMAC case.
Fine with me
nonce_size == 0, set_nonce != NULL: This could mean that nonce is optional. Does that make any sense?
I don't think we should allow such constructions. Neither UMAC nor GMAC make optional use of nonce. And if we think further, 3GPP MAC algorithms, which make use of nonce, also have non-optional fixed size nonce.
nonce_size > 0, set_nonce != NULL: Would then be used for UMAC and GMAC.
Fine with me
For the last case, I have a couple of questions.
Comment says "suggested nonce_size", but I take it only that one size is possible, since set_nonce is nettle_set_key_func, with no length argument. Or do you intend to allow other sizes?
I think I'd prefer fix size, to keep things simple. And treat variants with different nonce size as separate mac algorithms, for this abstraction. Just like with the key size.
Fix size. If one needs variable nonce size, he can use full interface.
What should be the behavior for usage like
->set_key ->set_nonce ->update ->digest ->update ->digest
with second set_nonce missing?
Should it just keep the nonce from the first digest? (Sounds a bit dangerous). Or autoincrement? (That's what umac does, because it's defined in a way to make that more efficient). Or be specified as invalid, triggering asserts whenever it is easy to detect?
I think it has to be specified; it will be too confusing if UMAC behaves in one way and GMAC behaves differently.
I'd say that this is an undefined behaviour. So, if one needs fully predictable result, he should set nonce each time. For GMAC nonce MUST be set each time to a new value. For UMAC one can skip this call. We might want to refine this UB later.
Consider other MACs (like Kasumi F8/Snow3G UIA2/ZUC EIA3) which require nonce, can have nonce autoincrement, but with complex rules.
BTW: I have written a library with 3GPP encryption/integrity alogorithms. The library follow closely Nettle interface. I can publish it and/or submit into nettle for inclusion. However I am completely unsure about patent status and enforcement for those algorithms. Do you know if somebody can advice me on this topic?
-- With best wishes Dmitry
Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
What should be the behavior for usage like
->set_key ->set_nonce ->update ->digest ->update ->digest
with second set_nonce missing?
Should it just keep the nonce from the first digest? (Sounds a bit dangerous). Or autoincrement? (That's what umac does, because it's defined in a way to make that more efficient). Or be specified as invalid, triggering asserts whenever it is easy to detect?
I think it has to be specified; it will be too confusing if UMAC behaves in one way and GMAC behaves differently.
I'd say that this is an undefined behaviour. So, if one needs fully predictable result, he should set nonce each time. For GMAC nonce MUST be set each time to a new value. For UMAC one can skip this call. We might want to refine this UB later.
I would prefer to have it nailed down. It kind-of defeats the purpose of a nettle_mac abstraction if code using it is expected to have if (umac) { do this } else { do that }.
Consider other MACs (like Kasumi F8/Snow3G UIA2/ZUC EIA3) which require nonce, can have nonce autoincrement, but with complex rules.
Complex how? If it is a common usecase, one could consider to either do auto-increment always (part of ->digest, like currently done for umac), or have a separate method increment_nonce or so.
BTW: I have written a library with 3GPP encryption/integrity alogorithms. The library follow closely Nettle interface. I can publish it and/or submit into nettle for inclusion. However I am completely unsure about patent status and enforcement for those algorithms. Do you know if somebody can advice me on this topic?
It's time consuming to research patent status (and usually impossibly to reach certainty). Maybe you could ask FSF or sfconservancy lawyers, and say you consider contributing an implementation to GNU Nettle, but I doubt they have the resources to do a thorough investigation. If you know the patent holders, you could mail and ask them, or check if there's any general patent policy for 3GPP members. Reviewing any licensing terms they offer should be an easier task for FSF lawyers than a more open-ended patent investigation.
Regards, /Niels
Hello,
ср, 18 сент. 2019 г. в 08:38, Niels Möller nisse@lysator.liu.se:
Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
What should be the behavior for usage like
->set_key ->set_nonce ->update ->digest ->update ->digest
with second set_nonce missing?
Should it just keep the nonce from the first digest? (Sounds a bit dangerous). Or autoincrement? (That's what umac does, because it's defined in a way to make that more efficient). Or be specified as invalid, triggering asserts whenever it is easy to detect?
I think it has to be specified; it will be too confusing if UMAC behaves in one way and GMAC behaves differently.
I'd say that this is an undefined behaviour. So, if one needs fully predictable result, he should set nonce each time. For GMAC nonce MUST be set each time to a new value. For UMAC one can skip this call. We might want to refine this UB later.
I would prefer to have it nailed down. It kind-of defeats the purpose of a nettle_mac abstraction if code using it is expected to have if (umac) { do this } else { do that }.
I'd propose then that if one uses generic interface, he MUST set nonce each time. If one wishes to use auto-increment option of UMAC, he is already tied to UMAC and thus doesn't have to use generic interface at all.
Consider other MACs (like Kasumi F8/Snow3G UIA2/ZUC EIA3) which require nonce, can have nonce autoincrement, but with complex rules.
Complex how? If it is a common usecase, one could consider to either do auto-increment always (part of ->digest, like currently done for umac), or have a separate method increment_nonce or so.
Complex as incrementing a value in the middle of nonce by the amount of bytes processed in the call. Again I think now, that it might be easier to demand calling set_nonce when using generic interface.
BTW: I have written a library with 3GPP encryption/integrity alogorithms. The library follow closely Nettle interface. I can publish it and/or submit into nettle for inclusion. However I am completely unsure about patent status and enforcement for those algorithms. Do you know if somebody can advice me on this topic?
It's time consuming to research patent status (and usually impossibly to reach certainty). Maybe you could ask FSF or sfconservancy lawyers, and say you consider contributing an implementation to GNU Nettle, but I doubt they have the resources to do a thorough investigation. If you know the patent holders, you could mail and ask them, or check if there's any general patent policy for 3GPP members. Reviewing any licensing terms they offer should be an easier task for FSF lawyers than a more open-ended patent investigation.
I have received no significant response from FSF, FSFE and sconservancy (maybe I was asking a wrong question though). Just typical "patent research is costly and we do not do consulting". Anyway, patent licenses are explicit about using these algorithms to only implement actual 3GPP/LTE support. So they should not target generic library.
nettle-bugs@lists.lysator.liu.se
-
Daiki Ueno -
Dmitry Eremin-Solenikov -
nisse@lysator.liu.se