Incompatible changes

List overview All Threads
Download

newer

older

[PATCH] getopt: Fix getopt/getenv...

[PATCH] SLH-DSA

Niels Möller

5 Mar 2025 5 Mar '25

8:41 a.m.

Hi,

I've decided to start doing some of the cleanup changes that will break ABI and/or API (which has been stable since nettle-3.6, released 5 years ago). I think the more interesting planned changes are listed on https://git.lysator.liu.se/nettle/nettle/-/issues, and the most disruptive one is dropping the length argument for the various _digest functions (https://git.lysator.liu.se/nettle/nettle/-/issues/5). Changes will be released as nettle-4.0. Focus will be on changes affecting libnettle, to be able to get this done in a reasonable time, but it will nevertheless imply an soname bump also for libhogweed.

If needed, bug fixes will be back-ported to a compatible nettle-3 branch, for additional 3.10.x releases.

If you have opinions on what breaking changes should or shouldn't be done at this time, this is a good time to speak up. If that is helpful for applications to transition, I'm open to add some preprocessor defines or headers that can be used to get API (but not ABI) compatibility with nettle 3.

Regards, /Niels

-- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance.

Show replies by date

Niels Möller

5 Mar 5 Mar

4:11 p.m.

New subject: C version (was Re: Incompatible changes)

Niels Möller nisse@lysator.liu.se writes:

...

I've decided to start doing some of the cleanup changes that will break ABI and/or API (which has been stable since nettle-3.6, released 5 years ago).

Related question, is this a good time to start requiring a C11 compiler? Would enable some improvements that affect the api or abi:

1. We could enforce 16-byte alignment for union nettle_block16. Could in theory give improved performance, in particular for SIMD assembly code that can then use instructions that require 16-byte alignment. But unclear to me if that would make any measurable difference.

2. We could change return type from int to bool (or _Bool) for functions returning a success/fail indication.

Regards, /Niels

-- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance.

Simo Sorce

4:20 p.m.

New subject: C version (was Re: Incompatible changes)

Hi Niels, If you are going to break the ABI anyway, this sounds like an ideal time to also make those changes, better to have one big disruption than many consecutive ones.

On Wed, 2025-03-05 at 17:11 +0100, Niels Möller wrote:

...

Niels Möller nisse@lysator.liu.se writes:

...
I've decided to start doing some of the cleanup changes that will break ABI and/or API (which has been stable since nettle-3.6, released 5 years ago).

Related question, is this a good time to start requiring a C11 compiler? Would enable some improvements that affect the api or abi:

We could enforce 16-byte alignment for union nettle_block16. Could in theory give improved performance, in particular for SIMD assembly code that can then use instructions that require 16-byte alignment. But unclear to me if that would make any measurable difference.

We could change return type from int to bool (or _Bool) for functions returning a success/fail indication.

Regards, /Niels

-- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance. _______________________________________________ nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se To unsubscribe send an email to nettle-bugs-leave@lists.lysator.liu.se

-- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc

Niels Möller

13 Mar 13 Mar

7:36 p.m.

Niels Möller nisse@lysator.liu.se writes:

...

I've decided to start doing some of the cleanup changes that will break ABI and/or API (which has been stable since nettle-3.6, released 5 years ago). [...] the most disruptive one is dropping the length argument for the various _digest functions (https://git.lysator.liu.se/nettle/nettle/-/issues/5).

Changes to drop the digest size is now on branch delete-digest_func-size (https://git.lysator.liu.se/nettle/nettle/-/tree/delete-digest_func-size). Unsurprisingly breaks the gnutls build, see https://gitlab.com/gnutls/nettle/-/jobs/9379366785.

Below is a crude patch that makes GnuTLS compile successfully (but fails a few of the tests; I don't fully understand the GnuTLS abstractions, my best guess is that there are a few digest calls that really want a truncated hash).

GnuTLS (as well as other applications) that wants to work with nettle both before and after this transition can either use a configure test for affected functions that they use, or check NETTLE_VERSION_MAJOR >= 4 (defined in nettle/version.h).

For GnuTLS, I would suggest to have internal interfaces for hash functions follow Nettle and only support a fixed size, and then wrappers around nettle functions can include or omit the constant digest size argument depending on nettle version. But may need to introduce a separate abstraction for shake, which does have variable output size.

Any comments or suggestions before I merge this change?

I have made a couple of other breaking deletions: rsa-compat, dsa-compat, openpgp, the deprecated variant of the aes api, for a total of more than 2000 deleted lines. I think these are less likely to cause trouble.

Regards, /Niels

diff --git a/lib/accelerated/x86/aes-gcm-padlock.c b/lib/accelerated/x86/aes-gcm-padlock.c index 7772eb9eb..11b3d82bf 100644 --- a/lib/accelerated/x86/aes-gcm-padlock.c +++ b/lib/accelerated/x86/aes-gcm-padlock.c @@ -176,8 +176,12 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size) static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize) { struct gcm_padlock_aes_ctx *ctx = _ctx; + if (tagsize != 16) { + gnutls_assert(); + return; + }

- GCM_DIGEST(&ctx->inner, padlock_aes_encrypt, tagsize, tag); + GCM_DIGEST(&ctx->inner, padlock_aes_encrypt, tag); }

#include "aes-gcm-aead.h" diff --git a/lib/accelerated/x86/aes-gcm-x86-aesni.c b/lib/accelerated/x86/aes-gcm-x86-aesni.c index d7865ff96..edeaf04cf 100644 --- a/lib/accelerated/x86/aes-gcm-x86-aesni.c +++ b/lib/accelerated/x86/aes-gcm-x86-aesni.c @@ -169,7 +169,12 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize) { struct gcm_x86_aes_ctx *ctx = _ctx;

- GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag); + if (tagsize != 16) { + gnutls_assert(); + return; + } + + GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tag); }

static void aes_gcm_deinit(void *_ctx) diff --git a/lib/accelerated/x86/aes-gcm-x86-ssse3.c b/lib/accelerated/x86/aes-gcm-x86-ssse3.c index 6bad1a497..2d8352177 100644 --- a/lib/accelerated/x86/aes-gcm-x86-ssse3.c +++ b/lib/accelerated/x86/aes-gcm-x86-ssse3.c @@ -177,8 +177,11 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size) static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize) { struct gcm_x86_aes_ctx *ctx = _ctx; - - GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag); + if (tagsize != 16) { + gnutls_assert(); + return; + } + GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tag); }

static void aes_gcm_deinit(void *_ctx) diff --git a/lib/accelerated/x86/hmac-padlock.c b/lib/accelerated/x86/hmac-padlock.c index 18003c160..3faebcf80 100644 --- a/lib/accelerated/x86/hmac-padlock.c +++ b/lib/accelerated/x86/hmac-padlock.c @@ -42,7 +42,7 @@ #define MAX_SHA_DIGEST_SIZE (512 / 8)

struct padlock_hmac_ctx { @@ -74,10 +74,10 @@ static void padlock_hmac_sha1_update(struct hmac_sha1_ctx *ctx, size_t length, padlock_sha1_update(&ctx->state, length, data); }

-static void padlock_hmac_sha1_digest(struct hmac_sha1_ctx *ctx, size_t length, +static void padlock_hmac_sha1_digest(struct hmac_sha1_ctx *ctx, uint8_t *digest) { - HMAC_DIGEST(ctx, &padlock_sha1, length, digest); + HMAC_DIGEST(ctx, &padlock_sha1, digest); }

static void padlock_hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, @@ -92,10 +92,9 @@ static void padlock_hmac_sha256_update(struct hmac_sha256_ctx *ctx, padlock_sha256_update(&ctx->state, length, data); }

-static void padlock_hmac_sha256_digest(struct hmac_sha256_ctx *ctx, - size_t length, uint8_t *digest) +static void padlock_hmac_sha256_digest(struct hmac_sha256_ctx *ctx, uint8_t *digest) { - HMAC_DIGEST(ctx, &padlock_sha256, length, digest); + HMAC_DIGEST(ctx, &padlock_sha256, digest); }

static void padlock_hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, @@ -105,9 +104,9 @@ static void padlock_hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, }

static void padlock_hmac_sha224_digest(struct hmac_sha224_ctx *ctx, - size_t length, uint8_t *digest) + uint8_t *digest) { - HMAC_DIGEST(ctx, &padlock_sha224, length, digest); + HMAC_DIGEST(ctx, &padlock_sha224, digest); }

static void padlock_hmac_sha384_set_key(struct hmac_sha384_ctx *ctx, @@ -117,9 +116,9 @@ static void padlock_hmac_sha384_set_key(struct hmac_sha384_ctx *ctx, }

static void padlock_hmac_sha384_digest(struct hmac_sha384_ctx *ctx, - size_t length, uint8_t *digest) + uint8_t *digest) { - HMAC_DIGEST(ctx, &padlock_sha384, length, digest); + HMAC_DIGEST(ctx, &padlock_sha384, digest); }

static void padlock_hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, @@ -135,9 +134,9 @@ static void padlock_hmac_sha512_update(struct hmac_sha512_ctx *ctx, }

static void padlock_hmac_sha512_digest(struct hmac_sha512_ctx *ctx, - size_t length, uint8_t *digest) + uint8_t *digest) { - HMAC_DIGEST(ctx, &padlock_sha512, length, digest); + HMAC_DIGEST(ctx, &padlock_sha512, digest); }

static int _hmac_ctx_init(gnutls_mac_algorithm_t algo, @@ -257,7 +256,7 @@ static int wrap_padlock_hmac_output(void *src_ctx, void *digest, return GNUTLS_E_SHORT_MEMORY_BUFFER; }

- ctx->digest(ctx->ctx_ptr, digestsize, digest); + ctx->digest(ctx->ctx_ptr, digest);

return 0; } diff --git a/lib/accelerated/x86/hmac-x86-ssse3.c b/lib/accelerated/x86/hmac-x86-ssse3.c index 178837d58..ef9558517 100644 --- a/lib/accelerated/x86/hmac-x86-ssse3.c +++ b/lib/accelerated/x86/hmac-x86-ssse3.c @@ -37,7 +37,7 @@ #ifdef HAVE_LIBNETTLE

struct x86_hmac_ctx { @@ -69,10 +69,10 @@ static void x86_hmac_sha1_update(struct hmac_sha1_ctx *ctx, size_t length, x86_sha1_update(&ctx->state, length, data); }

-static void x86_hmac_sha1_digest(struct hmac_sha1_ctx *ctx, size_t length, +static void x86_hmac_sha1_digest(struct hmac_sha1_ctx *ctx, uint8_t *digest) { - HMAC_DIGEST(ctx, &x86_sha1, length, digest); + HMAC_DIGEST(ctx, &x86_sha1, digest); }

static void x86_hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, @@ -87,10 +87,10 @@ static void x86_hmac_sha256_update(struct hmac_sha256_ctx *ctx, size_t length, x86_sha256_update(&ctx->state, length, data); }

-static void x86_hmac_sha256_digest(struct hmac_sha256_ctx *ctx, size_t length, +static void x86_hmac_sha256_digest(struct hmac_sha256_ctx *ctx, uint8_t *digest) { - HMAC_DIGEST(ctx, &x86_sha256, length, digest); + HMAC_DIGEST(ctx, &x86_sha256, digest); }

static void x86_hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, @@ -99,10 +99,10 @@ static void x86_hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, HMAC_SET_KEY(ctx, &x86_sha224, key_length, key); }

-static void x86_hmac_sha224_digest(struct hmac_sha224_ctx *ctx, size_t length, +static void x86_hmac_sha224_digest(struct hmac_sha224_ctx *ctx, uint8_t *digest) { - HMAC_DIGEST(ctx, &x86_sha224, length, digest); + HMAC_DIGEST(ctx, &x86_sha224, digest); }

static void x86_hmac_sha384_set_key(struct hmac_sha384_ctx *ctx, @@ -111,10 +111,10 @@ static void x86_hmac_sha384_set_key(struct hmac_sha384_ctx *ctx, HMAC_SET_KEY(ctx, &x86_sha384, key_length, key); }

-static void x86_hmac_sha384_digest(struct hmac_sha384_ctx *ctx, size_t length, +static void x86_hmac_sha384_digest(struct hmac_sha384_ctx *ctx, uint8_t *digest) { - HMAC_DIGEST(ctx, &x86_sha384, length, digest); + HMAC_DIGEST(ctx, &x86_sha384, digest); }

static void x86_hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, @@ -129,10 +129,10 @@ static void x86_hmac_sha512_update(struct hmac_sha512_ctx *ctx, size_t length, x86_sha512_update(&ctx->state, length, data); }

-static void x86_hmac_sha512_digest(struct hmac_sha512_ctx *ctx, size_t length, +static void x86_hmac_sha512_digest(struct hmac_sha512_ctx *ctx, uint8_t *digest) { - HMAC_DIGEST(ctx, &x86_sha512, length, digest); + HMAC_DIGEST(ctx, &x86_sha512, digest); }

static int _hmac_ctx_init(gnutls_mac_algorithm_t algo, struct x86_hmac_ctx *ctx) @@ -249,7 +249,7 @@ static int wrap_x86_hmac_output(void *src_ctx, void *digest, size_t digestsize) return GNUTLS_E_SHORT_MEMORY_BUFFER; }

- ctx->digest(ctx->ctx_ptr, digestsize, digest); + ctx->digest(ctx->ctx_ptr, digest);

return 0; } @@ -276,7 +276,7 @@ static int wrap_x86_hmac_fast(gnutls_mac_algorithm_t algo, const void *nonce,

ctx.setkey(&ctx, key_size, key); ctx.update(&ctx, text_size, text); - ctx.digest(&ctx, ctx.length, digest); + ctx.digest(&ctx, digest);

zeroize_temp_key(&ctx, sizeof(ctx));

diff --git a/lib/accelerated/x86/sha-padlock.c b/lib/accelerated/x86/sha-padlock.c index 84c2a68a6..433f77ce5 100644 --- a/lib/accelerated/x86/sha-padlock.c +++ b/lib/accelerated/x86/sha-padlock.c @@ -35,7 +35,7 @@ #ifdef HAVE_LIBNETTLE

@@ -129,13 +129,10 @@ static void _nettle_write_be32(unsigned length, uint8_t *dst, uint32_t *src) } }

-static void padlock_sha1_digest(struct sha1_ctx *ctx, size_t length, - uint8_t *digest) +static void padlock_sha1_digest(struct sha1_ctx *ctx, uint8_t *digest) { uint64_t bit_count;

- assert(length <= SHA1_DIGEST_SIZE); - MD_PAD(ctx, 8, SHA1_COMPRESS);

/* There are 512 = 2^9 bits in one block */ @@ -145,16 +142,13 @@ static void padlock_sha1_digest(struct sha1_ctx *ctx, size_t length, WRITE_UINT64(ctx->block + (SHA1_BLOCK_SIZE - 8), bit_count); SHA1_COMPRESS(ctx, ctx->block);

- _nettle_write_be32(length, digest, ctx->state); + _nettle_write_be32(SHA1_DIGEST_SIZE, digest, ctx->state); }

-static void padlock_sha256_digest(struct sha256_ctx *ctx, size_t length, - uint8_t *digest) +static void padlock_sha256_digest(struct sha256_ctx *ctx, uint8_t *digest) { uint64_t bit_count;

- assert(length <= SHA256_DIGEST_SIZE); - MD_PAD(ctx, 8, SHA256_COMPRESS);

/* There are 512 = 2^9 bits in one block */ @@ -166,19 +160,14 @@ static void padlock_sha256_digest(struct sha256_ctx *ctx, size_t length, WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count); SHA256_COMPRESS(ctx, ctx->block);

- _nettle_write_be32(length, digest, ctx->state); + _nettle_write_be32(SHA256_DIGEST_SIZE, digest, ctx->state); }

-static void padlock_sha512_digest(struct sha512_ctx *ctx, size_t length, - uint8_t *digest) +static void padlock_sha512_digest(struct sha512_ctx *ctx, uint8_t *digest) { uint64_t high, low;

unsigned i; - unsigned words; - unsigned leftover; - - assert(length <= SHA512_DIGEST_SIZE);

MD_PAD(ctx, 16, SHA512_COMPRESS);

@@ -193,21 +182,8 @@ static void padlock_sha512_digest(struct sha512_ctx *ctx, size_t length, WRITE_UINT64(ctx->block + (SHA512_DATA_SIZE - 8), low); SHA512_COMPRESS(ctx, ctx->block);

- words = length / 8; - leftover = length % 8; - - for (i = 0; i < words; i++, digest += 8) + for (i = 0; i < 8; i++, digest += 8) WRITE_UINT64(digest, ctx->state[i]); - - if (leftover) { - /* Truncate to the right size */ - uint64_t word = ctx->state[i] >> (8 * (8 - leftover)); - - do { - digest[--leftover] = word & 0xff; - word >>= 8; - } while (leftover); - } }

static int _ctx_init(gnutls_digest_algorithm_t algo, @@ -309,10 +285,10 @@ static int wrap_padlock_hash_output(void *src_ctx, void *digest, struct padlock_hash_ctx *ctx; ctx = src_ctx;

- if (digestsize < ctx->length) + if (digestsize != ctx->length) return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);

- ctx->digest(ctx->ctx_ptr, digestsize, digest); + ctx->digest(ctx->ctx_ptr, digest);

ctx->init(ctx->ctx_ptr);

diff --git a/lib/accelerated/x86/sha-x86-ssse3.c b/lib/accelerated/x86/sha-x86-ssse3.c index 2c93bc944..9867ba080 100644 --- a/lib/accelerated/x86/sha-x86-ssse3.c +++ b/lib/accelerated/x86/sha-x86-ssse3.c @@ -36,7 +36,7 @@ void sha256_block_data_order(void *c, const void *p, size_t len); void sha512_block_data_order(void *c, const void *p, size_t len);

@@ -325,7 +325,7 @@ static int wrap_x86_hash_output(void *src_ctx, void *digest, size_t digestsize) if (digestsize < ctx->length) return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);

- ctx->digest(ctx->ctx_ptr, digestsize, digest); + ctx->digest(ctx->ctx_ptr, digest);

return 0; } @@ -341,7 +341,7 @@ static int wrap_x86_hash_fast(gnutls_digest_algorithm_t algo, const void *text, return gnutls_assert_val(ret);

ctx.update(&ctx, text_size, text); - ctx.digest(&ctx, ctx.length, digest); + ctx.digest(&ctx, digest);

return 0; } diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c index f5db2e504..a472cf09a 100644 --- a/lib/nettle/cipher.c +++ b/lib/nettle/cipher.c @@ -1425,8 +1425,8 @@ static int wrap_nettle_cipher_aead_encrypt(void *_ctx, const void *nonce, ctx->cipher->auth(ctx->ctx_ptr, auth_size, auth);

ctx->cipher->encrypt(ctx, plain_size, encr, plain); - - ctx->cipher->tag(ctx->ctx_ptr, tag_size, + /* FIXME: Check tag_size is as expected. */ + ctx->cipher->tag(ctx->ctx_ptr, ((uint8_t *)encr) + plain_size); } else { /* CCM-style cipher */ @@ -1506,7 +1506,8 @@ static int wrap_nettle_cipher_aead_decrypt(void *_ctx, const void *nonce,

ctx->cipher->decrypt(ctx, encr_size, plain, encr);

- ctx->cipher->tag(ctx->ctx_ptr, tag_size, tag); + /* FIXME: Check tag_size is as expected. */ + ctx->cipher->tag(ctx->ctx_ptr, tag);

if (gnutls_memcmp(((uint8_t *)encr) + encr_size, tag, tag_size) != 0) @@ -1574,8 +1575,8 @@ static int wrap_nettle_cipher_auth(void *_ctx, const void *plain, static void wrap_nettle_cipher_tag(void *_ctx, void *tag, size_t tag_size) { struct nettle_cipher_ctx *ctx = _ctx; - - ctx->cipher->tag(ctx->ctx_ptr, tag_size, tag); + /* FIXME: Check tag_size is as expected. */ + ctx->cipher->tag(ctx->ctx_ptr, tag); }

static void wrap_nettle_cipher_close(void *_ctx) diff --git a/lib/nettle/gost/cmac-kuznyechik.c b/lib/nettle/gost/cmac-kuznyechik.c index 964141103..68c4c358f 100644 --- a/lib/nettle/gost/cmac-kuznyechik.c +++ b/lib/nettle/gost/cmac-kuznyechik.c @@ -44,9 +44,9 @@ void cmac_kuznyechik_update(struct cmac_kuznyechik_ctx *ctx, size_t length, CMAC128_UPDATE(ctx, kuznyechik_encrypt, length, data); }

-void cmac_kuznyechik_digest(struct cmac_kuznyechik_ctx *ctx, size_t length, +void cmac_kuznyechik_digest(struct cmac_kuznyechik_ctx *ctx, uint8_t *digest) { - CMAC128_DIGEST(ctx, kuznyechik_encrypt, length, digest); + CMAC128_DIGEST(ctx, kuznyechik_encrypt, digest); } #endif diff --git a/lib/nettle/gost/cmac-magma.c b/lib/nettle/gost/cmac-magma.c index b8e6d58d1..6202760e8 100644 --- a/lib/nettle/gost/cmac-magma.c +++ b/lib/nettle/gost/cmac-magma.c @@ -44,9 +44,9 @@ void cmac_magma_update(struct cmac_magma_ctx *ctx, size_t length, CMAC64_UPDATE(ctx, magma_encrypt, length, data); }

-void cmac_magma_digest(struct cmac_magma_ctx *ctx, size_t length, +void cmac_magma_digest(struct cmac_magma_ctx *ctx, uint8_t *digest) { - CMAC64_DIGEST(ctx, magma_encrypt, length, digest); + CMAC64_DIGEST(ctx, magma_encrypt, digest); } #endif diff --git a/lib/nettle/gost/cmac.h b/lib/nettle/gost/cmac.h index 5894cfddb..6982b11d2 100644 --- a/lib/nettle/gost/cmac.h +++ b/lib/nettle/gost/cmac.h @@ -58,7 +58,7 @@ void cmac_magma_set_key(struct cmac_magma_ctx *ctx, const uint8_t *key); void cmac_magma_update(struct cmac_magma_ctx *ctx, size_t length, const uint8_t *data);

-void cmac_magma_digest(struct cmac_magma_ctx *ctx, size_t length, +void cmac_magma_digest(struct cmac_magma_ctx *ctx, uint8_t *digest);

#ifdef __cplusplus @@ -83,7 +83,7 @@ void cmac_kuznyechik_set_key(struct cmac_kuznyechik_ctx *ctx, void cmac_kuznyechik_update(struct cmac_kuznyechik_ctx *ctx, size_t length, const uint8_t *data);

-void cmac_kuznyechik_digest(struct cmac_kuznyechik_ctx *ctx, size_t length, +void cmac_kuznyechik_digest(struct cmac_kuznyechik_ctx *ctx, uint8_t *digest);

#ifdef __cplusplus diff --git a/lib/nettle/gost/gost-wrap.c b/lib/nettle/gost/gost-wrap.c index 3670678c8..0005a0801 100644 --- a/lib/nettle/gost/gost-wrap.c +++ b/lib/nettle/gost/gost-wrap.c @@ -92,7 +92,7 @@ void gost28147_key_wrap_cryptopro(const struct gost28147_param *param, gost28147_imit_set_param(&ictx, param); gost28147_imit_set_nonce(&ictx, ukm); gost28147_imit_update(&ictx, GOST28147_KEY_SIZE, cek); - gost28147_imit_digest(&ictx, GOST28147_IMIT_DIGEST_SIZE, imit); + gost28147_imit_digest(&ictx, imit); }

int gost28147_key_unwrap_cryptopro(const struct gost28147_param *param, @@ -116,7 +116,7 @@ int gost28147_key_unwrap_cryptopro(const struct gost28147_param *param, gost28147_imit_set_param(&ictx, param); gost28147_imit_set_nonce(&ictx, ukm); gost28147_imit_update(&ictx, GOST28147_KEY_SIZE, cek); - gost28147_imit_digest(&ictx, GOST28147_IMIT_DIGEST_SIZE, mac); + gost28147_imit_digest(&ictx, mac);

return memeql_sec(mac, imit, GOST28147_IMIT_DIGEST_SIZE); } diff --git a/lib/nettle/gost/gost28147.c b/lib/nettle/gost/gost28147.c index bb5ee0740..389cd893b 100644 --- a/lib/nettle/gost/gost28147.c +++ b/lib/nettle/gost/gost28147.c @@ -8631,10 +8631,9 @@ void gost28147_imit_update(struct gost28147_imit_ctx *ctx, size_t length, MD_UPDATE(ctx, length, data, gost28147_imit_compress, ctx->count++); }

-void gost28147_imit_digest(struct gost28147_imit_ctx *ctx, size_t length, +void gost28147_imit_digest(struct gost28147_imit_ctx *ctx, uint8_t *digest) { - assert(length <= GOST28147_IMIT_DIGEST_SIZE); const uint8_t zero[GOST28147_IMIT_BLOCK_SIZE] = { 0 };

if (ctx->index) { @@ -8647,7 +8646,7 @@ void gost28147_imit_digest(struct gost28147_imit_ctx *ctx, size_t length, gost28147_imit_update(ctx, GOST28147_IMIT_BLOCK_SIZE, zero); }

- _nettle_write_le32(length, digest, ctx->state); + _nettle_write_le32(GOST28147_IMIT_DIGEST_SIZE, digest, ctx->state); _gost28147_imit_reinit(ctx); } #endif diff --git a/lib/nettle/gost/gost28147.h b/lib/nettle/gost/gost28147.h index 5b5a7dcbe..feba9cd3b 100644 --- a/lib/nettle/gost/gost28147.h +++ b/lib/nettle/gost/gost28147.h @@ -174,7 +174,7 @@ void gost28147_imit_set_param(struct gost28147_imit_ctx *ctx, void gost28147_imit_update(struct gost28147_imit_ctx *ctx, size_t length, const uint8_t *data);

-void gost28147_imit_digest(struct gost28147_imit_ctx *ctx, size_t length, +void gost28147_imit_digest(struct gost28147_imit_ctx *ctx, uint8_t *digest);

#ifdef __cplusplus diff --git a/lib/nettle/int/dsa-fips.h b/lib/nettle/int/dsa-fips.h index 5c1c90e3b..1de1199c1 100644 --- a/lib/nettle/int/dsa-fips.h +++ b/lib/nettle/int/dsa-fips.h @@ -100,7 +100,7 @@ inline static void hash(uint8_t digest[DIGEST_SIZE], unsigned length,

sha384_init(&ctx); sha384_update(&ctx, length, data); - sha384_digest(&ctx, DIGEST_SIZE, digest); + sha384_digest(&ctx, digest);

return; } diff --git a/lib/nettle/int/tls1-prf.c b/lib/nettle/int/tls1-prf.c index 46520b06a..1366403f9 100644 --- a/lib/nettle/int/tls1-prf.c +++ b/lib/nettle/int/tls1-prf.c @@ -63,7 +63,7 @@ static void P_hash(void *mac_ctx, nettle_hash_update_func *update, } else { update(mac_ctx, digest_size, Atmp); } - digest(mac_ctx, digest_size, Atmp); /* store A(i) */ + digest(mac_ctx, Atmp); /* store A(i) */

update(mac_ctx, digest_size, Atmp); /* hash A(i) */ update(mac_ctx, label_size, @@ -73,7 +73,7 @@ static void P_hash(void *mac_ctx, nettle_hash_update_func *update, if (left < (ssize_t)digest_size) digest_size = left;

- digest(mac_ctx, digest_size, dst); + digest(mac_ctx, dst);

left -= digest_size; dst += digest_size; diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c index 899dc0e6e..e7e58a7c4 100644 --- a/lib/nettle/mac.c +++ b/lib/nettle/mac.c @@ -49,7 +49,7 @@ #include <nettle/gcm.h>

typedef void (*update_func)(void *, size_t, const uint8_t *); -typedef void (*digest_func)(void *, size_t, uint8_t *); +typedef void (*digest_func)(void *, uint8_t *); typedef void (*set_key_func)(void *, size_t, const uint8_t *); typedef void (*set_nonce_func)(void *, size_t, const uint8_t *); typedef void (*init_func)(void *); @@ -278,13 +278,12 @@ static void _wrap_gmac_update(void *_ctx, size_t length, const uint8_t *data) ctx->pos = length; }

-static void _wrap_gmac_digest(void *_ctx, size_t length, uint8_t *digest) +static void _wrap_gmac_digest(void *_ctx, uint8_t *digest) { struct gmac_ctx *ctx = _ctx; - if (ctx->pos) gcm_update(&ctx->ctx, &ctx->key, ctx->pos, ctx->buffer); - gcm_digest(&ctx->ctx, &ctx->key, &ctx->cipher, ctx->encrypt, length, + gcm_digest(&ctx->ctx, &ctx->key, &ctx->cipher, ctx->encrypt, digest); ctx->pos = 0; } @@ -468,7 +467,7 @@ static int wrap_nettle_mac_fast(gnutls_mac_algorithm_t algo, const void *nonce, ctx.set_nonce(&ctx, nonce_size, nonce); } ctx.update(&ctx, text_size, text); - ctx.digest(&ctx, ctx.length, digest); + ctx.digest(&ctx, digest);

zeroize_temp_key(&ctx, sizeof(ctx));

@@ -589,7 +588,7 @@ static int wrap_nettle_mac_output(void *src_ctx, void *digest, return GNUTLS_E_SHORT_MEMORY_BUFFER; }

- ctx->digest(ctx->ctx_ptr, digestsize, digest); + ctx->digest(ctx->ctx_ptr, digest);

return 0; } @@ -665,16 +664,13 @@ static void _md5_sha1_update(void *_ctx, size_t len, const uint8_t *data) sha1_update(&ctx->sha1, len, data); }

-static void _md5_sha1_digest(void *_ctx, size_t len, uint8_t *digest) +static void _md5_sha1_digest(void *_ctx, uint8_t *digest) { struct md5_sha1_ctx *ctx = _ctx;

- md5_digest(&ctx->md5, len <= MD5_DIGEST_SIZE ? len : MD5_DIGEST_SIZE, - digest); + md5_digest(&ctx->md5, digest);

- if (len > MD5_DIGEST_SIZE) - sha1_digest(&ctx->sha1, len - MD5_DIGEST_SIZE, - digest + MD5_DIGEST_SIZE); + sha1_digest(&ctx->sha1, digest + MD5_DIGEST_SIZE); }

static void _md5_sha1_init(void *_ctx) @@ -771,6 +767,7 @@ static int _ctx_init(gnutls_digest_algorithm_t algo, ctx->ctx_ptr = &ctx->ctx.sha3_512; ctx->length = SHA3_512_DIGEST_SIZE; break; +#if 0 case GNUTLS_DIG_SHAKE_128: ctx->init = (init_func)sha3_128_init; ctx->update = (update_func)sha3_128_update; @@ -787,6 +784,7 @@ static int _ctx_init(gnutls_digest_algorithm_t algo, ctx->ctx_ptr = &ctx->ctx.sha3_256; ctx->length = 0; /* unused */ break; +#endif #endif case GNUTLS_DIG_MD2: ctx->init = (init_func)md2_init; @@ -848,7 +846,7 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo, if (text_size > 0) { ctx.update(&ctx, text_size, text); } - ctx.digest(&ctx, ctx.length, digest); + ctx.digest(&ctx, digest); zeroize_temp_key(&ctx, sizeof(ctx));

return 0; @@ -910,7 +908,7 @@ static int wrap_nettle_hash_output(void *src_ctx, void *digest, return GNUTLS_E_SHORT_MEMORY_BUFFER; }

- ctx->digest(ctx->ctx_ptr, digestsize, digest); + ctx->digest(ctx->ctx_ptr, digest);

return 0; } @@ -929,7 +927,7 @@ static int wrap_nettle_hkdf_extract(gnutls_mac_algorithm_t mac, const void *key, return gnutls_assert_val(ret);

ctx.set_key(&ctx, saltsize, salt); - hkdf_extract(&ctx.ctx, ctx.update, ctx.digest, ctx.length, keysize, key, + hkdf_extract(&ctx.ctx, ctx.update, ctx.digest, keysize, key, output);

zeroize_temp_key(&ctx, sizeof(ctx));

-- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance.

Niels Möller

18 Mar 18 Mar

7:55 p.m.

Niels Möller nisse@lysator.liu.se writes:

...

Changes to drop the digest size is now on branch delete-digest_func-size (https://git.lysator.liu.se/nettle/nettle/-/tree/delete-digest_func-size). Unsurprisingly breaks the gnutls build, see https://gitlab.com/gnutls/nettle/-/jobs/9379366785.

I've now merged this branch. I think I will have to disable the gnutls ci job, or mark as "allow_failure", for the time being, but it will be nice when there's a gnutls update (or development branch) that works with these changes; then I'll be happy to reenable that job test.

I haven't yet updated ccm and ocb; they are defined such that digest size also needs to be passed when setting the nonce, and not entirely sure how to deal with that. From a quick look, it appears both tls (RFC 6655) and ipsec (RFC 4309) specifies use of ccm with shorter authentication tags, so at least it's not very obscure.

I see a few different approaches:

1. Keep the tag size argument as is for ccm_set_nonce and ocb_set_nonce, drop it from ccm_digest and ocb_digest, and leave it to the application to copy a truncated version of the digest when needed.

2. Change both the _set_nonce and _digest functions to always use the full tag size (16 octets), for consistency with other nettle functions. And add separate _set_nonce_something function (and maybe _digest_something too) for supporting a truncated tag. I have no great idea on naming, though.

3. Like 2, but only add public functions for specific reasonable tag sizes. Could be named like ccm64 and ccm96 for the ones in RFC 6655.

4. Leave interface as is, with _digest functions different from all others.

And then we also have the _encrypt_message / _decrypt_message functions. They could either be left as is, or have separate functions for default (full 16 octet) tag size, and for truncated tags.

Opinions? Are you aware of applications actually using ccm and/or ocb with short tags?

Regards, /Niels

-- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance.

Daiki Ueno

20 Mar 20 Mar

1:38 a.m.

Hello Niels,

Niels Möller nisse@lysator.liu.se writes:

...

Niels Möller nisse@lysator.liu.se writes:

...
Changes to drop the digest size is now on branch delete-digest_func-size (https://git.lysator.liu.se/nettle/nettle/-/tree/delete-digest_func-size). Unsurprisingly breaks the gnutls build, see https://gitlab.com/gnutls/nettle/-/jobs/9379366785.

I've now merged this branch. I think I will have to disable the gnutls ci job, or mark as "allow_failure", for the time being, but it will be nice when there's a gnutls update (or development branch) that works with these changes; then I'll be happy to reenable that job test.

Thank you for the heads-up; I will try to create a patch to accommodate those changes. Although "allow_failure" would work, would it be possible to have a branch in the nettle repository, so the gnutls CI can pin the nettle checkout to a specific revision right before the breaking change, with something like "git clone --depth=1 --branch release-3.10-fixes"?

Regards,

-- Daiki Ueno

Niels Möller

7:07 p.m.

Daiki Ueno ueno@gnu.org writes:

...

would it be possible to have a branch in the nettle repository, so the gnutls CI can pin the nettle checkout to a specific revision right before the breaking change, with something like "git clone --depth=1 --branch release-3.10-fixes"?

Sure, I've created a branch like that now. (I'm considering to make a 3.10.2 bug fix release in the not too distant future, so far with a few ppc-related fixes).

Regards, /Niels

-- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance.

Age (days ago)

Last active (days ago)

nettle-bugs@lists.lysator.liu.se

6 comments

3 participants

tags (0)

participants (3)

Daiki Ueno
Niels Möller
Simo Sorce