[PATCH 1/2] Change ecc_mod_*mul_1 to be per-module callbacks
From: Dmitry Baryshkov GOST curves will require different "fixups" for fast (mul X mod p) operations. Move these operations to ecc_modulo structure and call them via function pointer. Signed-off-by: Dmitry Baryshkov --- ecc-add-jja.c | 8 ecc-add-jjj.c | 8 ecc-curve25519.c | 6 ++ ecc-curve448.c| 6 ++ ecc-dup-jj.c | 8 ecc-gost-gc256b.c | 6 ++ ecc-gost-gc512a.c | 6 ++ ecc-internal.h| 25 - ecc-mod-arith.c | 12 ++-- ecc-mul-m.c | 6 +++--- ecc-secp192r1.c | 6 ++ ecc-secp224r1.c | 6 ++ ecc-secp256r1.c | 6 ++ ecc-secp384r1.c | 6 ++ ecc-secp521r1.c | 6 ++ 15 files changed, 91 insertions(+), 30 deletions(-) diff --git a/ecc-add-jja.c b/ecc-add-jja.c index 037711d38249..55ad954587da 100644 --- a/ecc-add-jja.c +++ b/ecc-add-jja.c @@ -102,10 +102,10 @@ ecc_add_jja (const struct ecc_curve *ecc, /* w */ ecc_mod_mul (&ecc->p, j, y2, w); ecc_mod_sub (&ecc->p, w, j, y1); - ecc_mod_mul_1 (&ecc->p, w, w, 2); + ecc->p.mul_1 (&ecc->p, w, w, 2); /* i replaces hh, j */ - ecc_mod_mul_1 (&ecc->p, hh, hh, 4); + ecc->p.mul_1 (&ecc->p, hh, hh, 4); ecc_mod_mul (&ecc->p, j, hh, h); /* v */ @@ -114,12 +114,12 @@ ecc_add_jja (const struct ecc_curve *ecc, /* x_3, use (h, hh) as sqratch */ ecc_mod_sqr (&ecc->p, h, w); ecc_mod_sub (&ecc->p, r, h, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2); /* y_3, use (h, hh) as sqratch */ ecc_mod_mul (&ecc->p, h, y1, j); /* frees j */ ecc_mod_sub (&ecc->p, r + ecc->p.size, v, r); ecc_mod_mul (&ecc->p, j, r + ecc->p.size, w); - ecc_mod_submul_1 (&ecc->p, j, h, 2); + ecc->p.submul_1 (&ecc->p, j, h, 2); mpn_copyi (r + ecc->p.size, j, ecc->p.size); } diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c index 54b2246aeb24..cad26193234a 100644 --- a/ecc-add-jjj.c +++ b/ecc-add-jjj.c 
@@ -94,14 +94,14 @@ ecc_add_jjj (const struct ecc_curve *ecc, ecc_mod_mul (&ecc->p, s1, p + ecc->p.size, v); ecc_mod_mul (&ecc->p, v, j, q + ecc->p.size); ecc_mod_sub (&ecc->p, s2, v, s1); - ecc_mod_mul_1 (&ecc->p, s2, s2, 2); + ecc->p.mul_1 (&ecc->p, s2, s2, 2); /* Store z3 */ mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); /* i, j, v */ ecc_mod_sqr (&ecc->p, i, u2); - ecc_mod_mul_1 (&ecc->p, i, i, 4); + ecc->p.mul_1 (&ecc->p, i, i, 4); ecc_mod_mul (&ecc->p, j, u2, i); ecc_mod_mul (&ecc->p, v, u1, i); @@ -109,12 +109,12 @@ ecc_add_jjj (const struct ecc_curve *ecc, /* x3, use u1, u2 as scratch */ ecc_mod_sqr (&ecc->p, u1, s2); ecc_mod_sub (&ecc->p, r, u1, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2); /* y3 */ ecc_mod_mul (&ecc->p, u1, s1, j); /* Frees j */ ecc_mod_sub (&ecc->p, u2, v, r); /* Frees v */ ecc_mod_mul (&ecc->p, i, s2, u2); - ecc_mod_submul_1 (&ecc->p, i, u1, 2); + ecc->p.submul_1 (&ecc->p, i, u1, 2); mpn_copyi (r + ecc->p.size, i, ecc->p.size); } diff --git a/ecc-curve25519.c b/ecc-curve25519.c index f8f2c64af868..04df696f7357 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -310,6 +310,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modp, ecc_curve25519_inv, ecc_curve25519_sqrt, + +ecc_mod_mul_1_std, +ecc_mod_submul_1_std, }, { 253, @@ -329,6 +332,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modq, ecc_mod_inv, NULL, + +NULL, +NULL, }, 0, /* No redc */ diff --git a/ecc-curve448.c b/ecc-curve448.c index 484b7d1e0870..ce7a25d14c4e 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c @@ -288,6 +288,9 @@ const struct ecc_curve _nettle_curve448 = ecc_curve448_modp, ecc_curve448_inv, ecc_curve448_sqrt, + +ecc_mod_mul_1_std, +ecc_mod_submul_1_std, }, { 446, @@ -307,6 +310,9 @@ const struct ecc_curve _nettle_curve448 = ecc_mod, /* FIXME: Implement optimized reduce function */ ecc_mod_inv, NULL, + +NULL, +NULL, }, 0, /* No redc */ 
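Review bot: The q modulo of _nettle_curve25519 now carries bare `NULL` entries for the new mul_1 and submul_1 callbacks with nothing recording that no caller may invoke them on ecc->q; the ecc-curve448.c hunk on this line and the curve files in the later revision of this patch further down the page repeat the pattern. A comment on those lines, e.g. `NULL, /* mul_1: not used for q */` and `NULL, /* submul_1: not used for q */`, would state that contract the way `/* No redc */` does for the field just below. Whether any existing q-side code path reaches these callbacks cannot be verified from the hunks shown.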
diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c index 2247e8fdfd5a..4bbd5163c0e3 100644 --- a/ecc-dup-jj.c +++ b/ecc-dup-jj.c @@ -87,7 +87,7 @@ ecc_dup_jj (const struct ecc_curve *ecc, ecc_mod_add (&ecc->p, sum, xp, delta); ecc_mod_sub (&ecc->p, delta, xp, delta); ecc_mod_mul (&ecc->p, beta, sum, delta); - ecc_mod_mul_1 (&ecc->p, alpha, beta, 3); + ecc->p.mul_1 (&ecc->p, alpha, beta, 3); /* beta */ ecc_mod_mul (&ecc->p, beta, xp, gamma); @@ -95,16 +95,16 @@ ecc_dup_jj (const struct ecc_curve *ecc, /* Do gamma^2 and 4*beta early, to get them out of the way. We can then use the old area at gamma as scratch. */ ecc_mod_sqr (&ecc->p, g2, gamma); - ecc_mod_mul_1 (&ecc->p, sum, beta, 4); + ecc->p.mul_1 (&ecc->p, sum, beta, 4); /* x' */ ecc_mod_sqr (&ecc->p, gamma, alpha); /* Overwrites gamma and beta */ - ecc_mod_submul_1 (&ecc->p, gamma, sum, 2)
[PATCH 2/2] Add support for GOST GC256C curve
From: Dmitry Baryshkov Add support for GC256C curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as GostR3410-2001-CryptoPro-B (RFC 4357). Signed-off-by: Dmitry Baryshkov --- .gitignore | 1 + Makefile.in | 10 +- ecc-curve.h | 1 + ecc-gost-gc256c.c | 174 ecc-internal.h | 1 + eccdata.c | 32 ++ examples/ecc-benchmark.c| 1 + nettle.texinfo | 8 ++ testsuite/gostdsa-sign-test.c | 11 ++ testsuite/gostdsa-verify-test.c | 11 ++ testsuite/testutils.c | 14 ++- 11 files changed, 260 insertions(+), 4 deletions(-) create mode 100644 ecc-gost-gc256c.c diff --git a/.gitignore b/.gitignore index 48e2b7f464da..a94d279e5d18 100644 --- a/.gitignore +++ b/.gitignore @@ -46,6 +46,7 @@ core /ecc-curve25519.h /ecc-curve448.h /ecc-gost-gc256b.h +/ecc-gost-gc256c.h /ecc-gost-gc512a.h /ecc-secp192r1.h /ecc-secp224r1.h diff --git a/Makefile.in b/Makefile.in index d4fcb81302a2..7330ab893131 100644 --- a/Makefile.in +++ b/Makefile.in @@ -180,7 +180,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ - ecc-gost-gc256b.c ecc-gost-gc512a.c \ + ecc-gost-gc256b.c ecc-gost-gc256c.c \ + ecc-gost-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ @@ -391,6 +392,9 @@ ecc-curve448.h: eccdata.stamp ecc-gost-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-gost-gc256c.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256c 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + # Some reasonable choices for 512: # k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB 
@@ -407,6 +411,7 @@ eccdata.stamp: eccdata.c ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h +ecc-gost-gc256c.$(OBJEXT): ecc-gost-gc256c.h ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h @@ -661,7 +666,8 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ - ecc-gost-gc256b.h ecc-gost-gc512a.h \ + ecc-gost-gc256b.h ecc-gost-gc256c.h \ + ecc-gost-gc512a.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ diff --git a/ecc-curve.h b/ecc-curve.h index 8f050404a944..30a33d43782b 100644 --- a/ecc-curve.h +++ b/ecc-curve.h @@ -44,6 +44,7 @@ extern "C" { struct ecc_curve; const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256c(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); diff --git a/ecc-gost-gc256c.c b/ecc-gost-gc256c.c new file mode 100644 index ..258cf75a26bc --- /dev/null +++ b/ecc-gost-gc256c.c 
@@ -0,0 +1,174 @@ +/* ecc-gost-gc256c.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include
[PATCH] Implement GOST VKO key derivation algorithm
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 2 +- gostdsa-vko.c| 77 ++ gostdsa.h| 7 +++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in| 2 +- testsuite/gostdsa-vko-test.c | 92 7 files changed, 182 insertions(+), 2 deletions(-) create mode 100644 gostdsa-vko.c create mode 100644 testsuite/gostdsa-vko-test.c diff --git a/Makefile.in b/Makefile.in index d4fcb81302a2..8f031d7a580d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -194,7 +194,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ ecc-gostdsa-sign.c gostdsa-sign.c \ - ecc-gostdsa-verify.c gostdsa-verify.c \ + ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ diff --git a/gostdsa-vko.c b/gostdsa-vko.c new file mode 100644 index ..f78159a736b3 --- /dev/null +++ b/gostdsa-vko.c 
@@ -0,0 +1,77 @@ +/* gostdsa-vko.c + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "ecc-internal.h" +#include "gostdsa.h" + +int +gostdsa_vko(const struct ecc_scalar *key, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + size_t out_length, uint8_t *out) +{ + const struct ecc_curve *ecc = key->ecc; + unsigned bsize = (ecc_bit_size(ecc) + 7) / 8; + mp_size_t size = ecc->p.size; + mp_size_t itch = 4*size + ecc->mul_itch; + mp_limb_t *scratch; + + if (itch < 5*size + ecc->h_to_a_itch) + itch = 5*size + ecc->h_to_a_itch; + + if (pub->ecc != ecc) + return 0; + + if (out_length < 2 * bsize) { + return 0; + } + + scratch = gmp_alloc_limbs (itch); + + mpn_set_base256_le (scratch, size, ukm, ukm_length); + if (mpn_zero_p (scratch, size)) +mpn_add_1 (scratch, scratch, size, 1); + ecc_mod_mul (&ecc->q, scratch + 3*size, key->p, scratch); + ecc->mul (ecc, scratch, scratch + 3*size, pub->p, scratch + 4*size); + ecc->h_to_a (ecc, 0, scratch + 3*size, scratch, scratch + 5*size); + mpn_get_base256_le (out, bsize, scratch + 3*size, size); + mpn_get_base256_le (out+bsize, bsize, scratch + 4*size, size); + gmp_free_limbs (scratch, itch); + + return 2 * bsize; +} diff --git a/gostdsa.h b/gostdsa.h index c92dfd1e1dd6..6667d0f1d3a8 100644 --- a/gostdsa.h +++ b/gostdsa.h @@ -44,6 +44,7 @@ extern "C" { /* Name mangling */ #define gostdsa_sign nettle_gostdsa_sign #define gostdsa_verify nettle_gostdsa_verify +#define gostdsa_vko nettle_gostdsa_vko #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify 
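Review bot: gostdsa_vko checks `out_length` but not `ukm_length`, so a UKM longer than the `size` limbs it is parsed into is presumably truncated silently by `mpn_set_base256_le` rather than rejected — confirm against that helper, and consider `if (ukm_length > bsize) return 0;` beside the existing `out_length` check. The UKM is also passed unreduced into `ecc_mod_mul (&ecc->q, ...)`; whether the curve's reduce callback tolerates a multiplicand that is not below q is a precondition worth stating in a comment or enforcing with a reduction. The scratch area holds the key-dependent product and the derived point and is handed back through `gmp_free_limbs` uncleared; if the sibling gostdsa functions clear their scratch, this one should match them. The new public entry point has no header comment; a short one stating the inputs, that the output is the two affine coordinates of the derived point (per the `h_to_a` call) each written as `bsize` little-endian base-256 bytes, and that the return value is the byte count written or 0 on a curve mismatch or short output buffer, belongs above the definition or the gostdsa.h declaration.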
@@ -68,6 +69,12 @@ gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); +int +gostdsa_vko(const struct ecc_scalar *key, + const struct ecc_point *pub, + size_t ukm_length, const uint8_t *ukm, + size_t out_length, uint8_t *out); + /* Low-level GOSTDSA functions. */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc); diff --git a/testsuite/.gitignore b/testsuite/.gitignore index b8b36c2accc2..a2b3d52312cd 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -46,6 +46,7 @@ /gostdsa-keygen-test /gostdsa-sign-test /gostdsa-verify-test +/gostdsa-vko-test /gosthash94-test /hkdf-test /hmac-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 922a2c7f135
[PATCH] gitlab-ci: reenable GOST compilation
From: Dmitry Baryshkov GnuTLS is now compatible again with Nettle master branch. Remove --disable-gost. Signed-off-by: Dmitry Baryshkov --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 663f98f5cb8e..5b348f38568f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -100,7 +100,7 @@ build/gnutls: make -j4 && make install - git clone --depth 1 --branch master https://gitlab.com/gnutls/gnutls.git gnutls-git - cd gnutls-git && git submodule update --init && ./bootstrap && -./configure --disable-gost --disable-cxx --disable-guile --disable-doc && make -j$(nproc) && +./configure --disable-cxx --disable-guile --disable-doc && make -j$(nproc) && make -j $(nproc) check tags: - shared -- 2.25.0 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH] ecc: remove ecc_modp_foo/ecc_modq_foo macros
From: Dmitry Baryshkov To make ecc functions usage more obvious remove ecc_modp_foo() and ecc_modq_foo() wrapper macros. Signed-off-by: Dmitry Baryshkov --- curve25519-eh-to-x.c | 8 +++ curve448-eh-to-x.c | 4 ++-- ecc-add-eh.c | 38 +++ ecc-add-ehh.c| 42 +- ecc-add-jja.c| 44 ++-- ecc-add-jjj.c| 54 ++-- ecc-add-th.c | 38 +++ ecc-add-thh.c| 42 +- ecc-dup-eh.c | 26 ++--- ecc-dup-jj.c | 36 ++--- ecc-dup-th.c | 26 ++--- ecc-ecdsa-sign.c | 6 ++--- ecc-ecdsa-verify.c | 4 ++-- ecc-eh-to-a.c| 4 ++-- ecc-gostdsa-sign.c | 6 ++--- ecc-gostdsa-verify.c | 4 ++-- ecc-internal.h | 20 ecc-j-to-a.c | 12 +- eddsa-decompress.c | 10 eddsa-sign.c | 4 ++-- 20 files changed, 204 insertions(+), 224 deletions(-) diff --git a/curve25519-eh-to-x.c b/curve25519-eh-to-x.c index 3a8787f022ed..1ce2dd830c75 100644 --- a/curve25519-eh-to-x.c +++ b/curve25519-eh-to-x.c @@ -62,14 +62,14 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, */ /* NOTE: For the infinity point, this subtraction gives zero (mod p), which isn't invertible. For curve25519, the desired output is - x = 0, and we should be fine, since ecc_modp_inv returns 0 + x = 0, and we should be fine, since ecc_mod_inv for ecc->p returns 0 in this case. */ - ecc_modp_sub (ecc, t0, wp, vp); + ecc_mod_sub (&ecc->p, t0, wp, vp); /* Needs a total of 5*size storage. */ ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); - ecc_modp_add (ecc, t0, wp, vp); - ecc_modp_mul (ecc, t2, t0, t1); + ecc_mod_add (&ecc->p, t0, wp, vp); + ecc_mod_mul (&ecc->p, t2, t0, t1); cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, t2, ecc->p.size); diff --git a/curve448-eh-to-x.c b/curve448-eh-to-x.c index 4bc78303f93b..ffeb83c15e44 100644 --- a/curve448-eh-to-x.c +++ b/curve448-eh-to-x.c 
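Review bot: The reworded comment in curve25519_eh_to_x now says `ecc_mod_inv for ecc->p returns 0`, but the inversion two lines below goes through `ecc->p.invert`, which is not necessarily ecc_mod_inv — the ecc-curve25519.c initializer elsewhere on this page installs `ecc_curve25519_inv` as that callback. Naming the call actually made keeps the comment accurate: `x = 0, and we should be fine, since ecc->p.invert returns 0`. curve25519_eh_to_x begins outside the hunk, so the rest of its body was not reviewed.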
@@ -61,8 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) */ /* Needs a total of 9*size storage. */ ecc->p.invert (&ecc->p, t0, p, t1 + ecc->p.size); - ecc_modp_mul (ecc, t1, t0, vp); - ecc_modp_mul (ecc, t2, t1, t1); + ecc_mod_mul (&ecc->p, t1, t0, vp); + ecc_mod_mul (&ecc->p, t2, t1, t1); cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, t2, ecc->p.size); diff --git a/ecc-add-eh.c b/ecc-add-eh.c index 8e6b82ab9fd0..05faa7526f41 100644 --- a/ecc-add-eh.c +++ b/ecc-add-eh.c @@ -78,30 +78,30 @@ ecc_add_eh (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, x3, x1, y1); - ecc_modp_add (ecc, y3, x2, y2); - ecc_modp_mul (ecc, T, x3, y3); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - - ecc_modp_sub (ecc, C, D, C); - ecc_modp_sqr (ecc, B, z1); - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p, D, y1, y2); + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3); + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + ecc_mod_mul (&ecc->p, x3, C, D); + ecc_mod_mul (&ecc->p, E, x3, ecc->b); + + ecc_mod_sub (&ecc->p, C, D, C); + ecc_mod_sqr (&ecc->p, B, z1); + ecc_mod_sub (&ecc->p, F, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* x3 */ - ecc_modp_mul (ecc, B, F, T); - ecc_modp_mul (ecc, x3, B, z1); + ecc_mod_mul (&ecc->p, B, F, T); + ecc_mod_mul (&ecc->p, x3, B, z1); /* y3 */ - ecc_modp_mul (ecc, B, G, z1); - ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */ + ecc_mod_mul (&ecc->p, B, G, z1); + ecc_mod_mul (&ecc->p, y3, B, C); /* Clobbers z1 in case r == p. */ /* z3 */ - ecc_modp_mul (ecc, B, F, G); + ecc_mod_mul (&ecc->p, B, F, G); mpn_copyi (z3, B, ecc->p.size); } 
diff --git a/ecc-add-ehh.c b/ecc-add-ehh.c index bdd827ba396d..1c57a728c797 100644 --- a/ecc-add-ehh.c +++ b/ecc-add-ehh.c @@ -80,32 +80,32 @@ ecc_add_ehh (const struct ecc_curve *ecc, #define F D #define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, A, x1, y1); - ecc_modp_add (ecc, B, x2, y2); - ecc_modp_mul (ecc, T, A, B); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - ecc_modp_sub (ecc, C, D, C); - - ecc_modp_mul (ecc, A, z1, z2); - ecc_modp_sqr (ecc, B, A); - - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); + ecc_mod_mul (&ecc->p, C, x1, x2); + ecc_mod_mul (&ecc->p,
[PATCH] cmac-des3: add meta declaration to Nettle library
From: Dmitry Baryshkov Move cmac-des3 meta information from testsuite/cmac-test.c to main Nettle library. Signed-off-by: Dmitry Baryshkov --- Makefile.in | 2 +- cmac-des3-meta.c | 52 +++ nettle-meta-macs.c| 1 + nettle-meta.h | 1 + testsuite/cmac-test.c | 12 - testsuite/meta-mac-test.c | 1 + 6 files changed, 56 insertions(+), 13 deletions(-) create mode 100644 cmac-des3-meta.c diff --git a/Makefile.in b/Makefile.in index d4fcb81302a2..ddc304285321 100644 --- a/Makefile.in +++ b/Makefile.in @@ -103,7 +103,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \ -cmac-aes128-meta.c cmac-aes256-meta.c \ +cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \ gost28147.c gosthash94.c gosthash94-meta.c \ hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \ hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \ diff --git a/cmac-des3-meta.c b/cmac-des3-meta.c new file mode 100644 index ..7fdee8e680cf --- /dev/null +++ b/cmac-des3-meta.c 
@@ -0,0 +1,52 @@ +/* cmac-des3-meta.c + + Copyright (C) 2020 Dmitry Baryshkov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "nettle-meta.h" + +#include "cmac.h" + +const struct nettle_mac nettle_cmac_des3 = +{ + "cmac_des3", + sizeof(struct cmac_des3_ctx), + CMAC64_DIGEST_SIZE, + DES3_KEY_SIZE, + + (nettle_set_key_func*) cmac_des3_set_key, + (nettle_hash_update_func*) cmac_des3_update, + (nettle_hash_digest_func*) cmac_des3_digest +}; diff --git a/nettle-meta-macs.c b/nettle-meta-macs.c index cb9ede851573..a658ee39e230 100644 --- a/nettle-meta-macs.c +++ b/nettle-meta-macs.c @@ -40,6 +40,7 @@ const struct nettle_mac * const _nettle_macs[] = { &nettle_cmac_aes128, &nettle_cmac_aes256, + &nettle_cmac_des3, &nettle_hmac_md5, &nettle_hmac_ripemd160, &nettle_hmac_sha1, diff --git a/nettle-meta.h b/nettle-meta.h index 5d86615f94cc..7a6af363426b 100644 --- a/nettle-meta.h +++ b/nettle-meta.h 
@@ -276,6 +276,7 @@ nettle_get_macs (void); extern const struct nettle_mac nettle_cmac_aes128; extern const struct nettle_mac nettle_cmac_aes256; +extern const struct nettle_mac nettle_cmac_des3; /* HMAC variants with key size = digest size */ extern const struct nettle_mac nettle_hmac_md5; diff --git a/testsuite/cmac-test.c b/testsuite/cmac-test.c index 1a2cd0e591cf..a71baa086d01 100644 --- a/testsuite/cmac-test.c +++ b/testsuite/cmac-test.c @@ -2,18 +2,6 @@ #include "nettle-internal.h" #include "cmac.h" -const struct nettle_mac nettle_cmac_des3 = -{ - "CMAC-3DES", - sizeof(struct cmac_des3_ctx), - CMAC64_DIGEST_SIZE, - DES3_KEY_SIZE, - - (nettle_set_key_func*) cmac_des3_set_key, - (nettle_hash_update_func*) cmac_des3_update, - (nettle_hash_digest_func*) cmac_des3_digest -}; - #define test_cmac_aes128(key, msg, ref) \ test_mac(&nettle_cmac_aes128, key, msg, ref) diff --git a/testsuite/meta-mac-test.c b/testsuite/meta-mac-test.c index 32b6f20f07cd..55339441c99f 100644 --- a/testsuite/meta-mac-test.c +++ b/testsuite/meta-mac-test.c @@ -4,6 +4,7 @@ const char* macs[] = { "cmac_aes128", "cmac_aes256", + "cmac_des3", "hmac_md5", "hmac_ripemd160", "hmac_sha1", -- 2.24.1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH] gost28147: move gost params to internal interface
From: Dmitry Baryshkov gost28147_param instances were never a part of stable release, so move them to internal header. Signed-off-by: Dmitry Baryshkov --- Makefile.in | 2 +- gost28147-internal.h | 12 + gost28147.c | 5 ++-- gost28147.h | 58 gosthash94.c | 9 +++ 5 files changed, 19 insertions(+), 67 deletions(-) delete mode 100644 gost28147.h diff --git a/Makefile.in b/Makefile.in index f876e5e82197..0de54e85c7ae 100644 --- a/Makefile.in +++ b/Makefile.in @@ -207,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \ + gcm.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h siv-cmac.h \ diff --git a/gost28147-internal.h b/gost28147-internal.h index 7f5c6f8c63c0..0cb2d152c8ad 100644 --- a/gost28147-internal.h +++ b/gost28147-internal.h @@ -34,7 +34,19 @@ #ifndef NETTLE_GOST28147_INTERNAL_H_INCLUDED #define NETTLE_GOST28147_INTERNAL_H_INCLUDED +#include + #define _gost28147_encrypt_block _nettle_gost28147_encrypt_block +#define _gost28147_param_test_3411 _nettle_gost28147_param_test_3411 +#define _gost28147_param_CryptoPro_3411 _nettle_gost28147_param_CryptoPro_3411 + +extern const struct gost28147_param _gost28147_param_test_3411; +extern const struct gost28147_param _gost28147_param_CryptoPro_3411; + +struct gost28147_param +{ + uint32_t sbox[4][256]; +}; void _gost28147_encrypt_block (const uint32_t *key, const uint32_t sbox[4][256], const uint32_t *in, uint32_t *out); diff --git a/gost28147.c b/gost28147.c index 15d314c86c17..b6db334b2a0b 100644 --- a/gost28147.c +++ b/gost28147.c 
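Review bot: In gost28147-internal.h the two `extern const struct gost28147_param` declarations are placed before `struct gost28147_param` is defined; this is legal C, since an extern object may have incomplete type at its declaration, but the reader meets the type before its layout, and the deleted gost28147.h had them in the opposite order. Moving the struct definition above the two declarations keeps the header in definition-before-use order and matches the old public header. The `#include` line in this hunk has lost its header name in the archive rendering, so which header it pulls in cannot be confirmed from here.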
@@ -33,11 +33,10 @@ #endif #include "macros.h" -#include "gost28147.h" #include "gost28147-internal.h" /* pre-initialized GOST lookup tables based on rotated S-Box */ -const struct gost28147_param gost28147_param_test_3411 = +const struct gost28147_param _gost28147_param_test_3411 = { { { /* 0 */ @@ -304,7 +303,7 @@ const struct gost28147_param gost28147_param_test_3411 = } }; -const struct gost28147_param gost28147_param_CryptoPro_3411 = +const struct gost28147_param _gost28147_param_CryptoPro_3411 = { { { /* 0 */ diff --git a/gost28147.h b/gost28147.h deleted file mode 100644 index 32e7d5e81eb8.. --- a/gost28147.h +++ /dev/null 
@@ -1,58 +0,0 @@ -/* gost28147.h - - The GOST 28147-89 cipher function, described in RFC 5831. - - Copyright (C) 2019 Dmitry Eremin-Solenikov - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_GOST28147_H_INCLUDED -#define NETTLE_GOST28147_H_INCLUDED - -#include "nettle-types.h" - -#ifdef __cplusplus -extern "C" { -#endif - -#define gost28147_param_test_3411 nettle_gost28147_param_test_3411 -#define gost28147_param_CryptoPro_3411 nettle_gost28147_param_CryptoPro_3411 - -struct gost28147_param -{ - uint32_t sbox[4][256]; -}; - -extern const struct gost28147_param gost28147_param_test_3411; -extern const struct gost28147_param gost28147_param_CryptoPro_3411; - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_GOST28147_H_INCLUDED */ diff --git a/gosthash94.c b/gosthash94.c index 954130f741e9..37a7f32272df 100644 --- a/gosthash94.c +++ b/gosthash94.c @@ -41,7 +41,6 @@ #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" -#include "gost28147.h" #include "gost28147-internal.h" /** 
@@ -339,7 +338,7 @@ gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { gosthash94_update_int (ctx, length, msg, -gost28147_param_test_3411.sbox); +_gost28147_param_test_3411.sbox); } /** @@ -355,7 +354,7 @@ gosthash94cp_update (struct gosthash94_ctx *ctx,
[PATCH 2/2] Add support for GOST GC256C curve
From: Dmitry Baryshkov Add support for GC256C curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as GostR3410-2001-CryptoPro-B (RFC 4357). Signed-off-by: Dmitry Baryshkov --- .gitignore | 1 + Makefile.in | 10 +- ecc-curve.h | 1 + ecc-gost-gc256c.c | 191 ecc-internal.h | 1 + eccdata.c | 32 ++ examples/ecc-benchmark.c| 1 + nettle.texinfo | 8 ++ testsuite/gostdsa-sign-test.c | 11 ++ testsuite/gostdsa-verify-test.c | 11 ++ testsuite/testutils.c | 12 +- 11 files changed, 275 insertions(+), 4 deletions(-) create mode 100644 ecc-gost-gc256c.c diff --git a/.gitignore b/.gitignore index 48e2b7f464da..a94d279e5d18 100644 --- a/.gitignore +++ b/.gitignore @@ -46,6 +46,7 @@ core /ecc-curve25519.h /ecc-curve448.h /ecc-gost-gc256b.h +/ecc-gost-gc256c.h /ecc-gost-gc512a.h /ecc-secp192r1.h /ecc-secp224r1.h diff --git a/Makefile.in b/Makefile.in index f876e5e82197..9400a357fe81 100644 --- a/Makefile.in +++ b/Makefile.in @@ -176,7 +176,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ - ecc-gost-gc256b.c ecc-gost-gc512a.c \ + ecc-gost-gc256b.c ecc-gost-gc256c.c \ + ecc-gost-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ @@ -387,6 +388,9 @@ ecc-curve448.h: eccdata.stamp ecc-gost-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-gost-gc256c.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256c 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + # Some reasonable choices for 512: # k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB 
@@ -403,6 +407,7 @@ eccdata.stamp: eccdata.c ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h +ecc-gost-gc256c.$(OBJEXT): ecc-gost-gc256c.h ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h @@ -657,7 +662,8 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ - ecc-gost-gc256b.h ecc-gost-gc512a.h \ + ecc-gost-gc256b.h ecc-gost-gc256c.h \ + ecc-gost-gc512a.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ diff --git a/ecc-curve.h b/ecc-curve.h index 8f050404a944..30a33d43782b 100644 --- a/ecc-curve.h +++ b/ecc-curve.h @@ -44,6 +44,7 @@ extern "C" { struct ecc_curve; const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256c(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); diff --git a/ecc-gost-gc256c.c b/ecc-gost-gc256c.c new file mode 100644 index ..9725ff65e6e2 --- /dev/null +++ b/ecc-gost-gc256c.c 
@@ -0,0 +1,191 @@ +/* ecc-gost-gc256c.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include
[PATCH 1/2] Change ecc_mod_*mul_1 to be per-module callbacks
From: Dmitry Baryshkov GOST curves will require different "fixups" for fast (mul X mod p) operations. Move these operations to ecc_modulo structure and call them via function pointer. Signed-off-by: Dmitry Baryshkov --- ecc-curve25519.c | 8 ecc-curve448.c| 8 ecc-gost-gc256b.c | 8 ecc-gost-gc512a.c | 8 ecc-internal.h| 32 ecc-mod-arith.c | 12 ++-- ecc-mul-m.c | 6 +++--- ecc-secp192r1.c | 8 ecc-secp224r1.c | 8 ecc-secp256r1.c | 8 ecc-secp384r1.c | 8 ecc-secp521r1.c | 8 12 files changed, 101 insertions(+), 21 deletions(-) diff --git a/ecc-curve25519.c b/ecc-curve25519.c index 0ad3017c9ebc..4ee80c8d4463 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -310,6 +310,10 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modp, ecc_curve25519_inv, ecc_curve25519_sqrt, + +ecc_mod_mul_1_std, +ecc_mod_addmul_1_std, +ecc_mod_submul_1_std, }, { 253, @@ -329,6 +333,10 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modq, ecc_mod_inv, NULL, + +NULL, +NULL, +NULL, }, 0, /* No redc */ diff --git a/ecc-curve448.c b/ecc-curve448.c index c31a0eb26ba4..71634b855af8 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c @@ -288,6 +288,10 @@ const struct ecc_curve _nettle_curve448 = ecc_curve448_modp, ecc_curve448_inv, ecc_curve448_sqrt, + +ecc_mod_mul_1_std, +ecc_mod_addmul_1_std, +ecc_mod_submul_1_std, }, { 446, @@ -307,6 +311,10 @@ const struct ecc_curve _nettle_curve448 = ecc_mod, /* FIXME: Implement optimized reduce function */ ecc_mod_inv, NULL, + +NULL, +NULL, +NULL, }, 0, /* No redc */ diff --git a/ecc-gost-gc256b.c b/ecc-gost-gc256b.c index 8adc8e1763b9..acf3b56c8955 100644 --- a/ecc-gost-gc256b.c +++ b/ecc-gost-gc256b.c @@ -77,6 +77,10 @@ const struct ecc_curve _nettle_gost_gc256b = ecc_gost_gc256b_modp, ecc_mod_inv, NULL, + +ecc_mod_mul_1_std, +ecc_mod_addmul_1_std, +ecc_mod_submul_1_std, }, { 256, @@ -96,6 +100,10 @@ const struct ecc_curve _nettle_gost_gc256b = ecc_gost_gc256b_modq, ecc_mod_inv, NULL, + +NULL, +NULL, +NULL, }, USE_REDC, 
diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c index 6d210925b609..79d084f38d33 100644 --- a/ecc-gost-gc512a.c +++ b/ecc-gost-gc512a.c @@ -77,6 +77,10 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_gost_gc512a_modp, ecc_mod_inv, NULL, + +ecc_mod_mul_1_std, +ecc_mod_addmul_1_std, +ecc_mod_submul_1_std, }, { 512, @@ -96,6 +100,10 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_gost_gc512a_modq, ecc_mod_inv, NULL, + +NULL, +NULL, +NULL, }, USE_REDC, diff --git a/ecc-internal.h b/ecc-internal.h index 0022e0ab6cc2..ddeb6d3cb1f3 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -44,9 +44,9 @@ #define ecc_pm1_redc _nettle_ecc_pm1_redc #define ecc_mod_add _nettle_ecc_mod_add #define ecc_mod_sub _nettle_ecc_mod_sub -#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 -#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 -#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 +#define ecc_mod_mul_1_std _nettle_ecc_mod_mul_1_std +#define ecc_mod_addmul_1_std _nettle_ecc_mod_addmul_1_std +#define ecc_mod_submul_1_std _nettle_ecc_mod_submul_1_std #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr #define ecc_mod_random _nettle_ecc_mod_random @@ -146,6 +146,10 @@ typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); +typedef void ecc_mod_mul_1_func (const struct ecc_modulo *m, +mp_limb_t *rp, +const mp_limb_t *ap, mp_limb_t b); + struct ecc_modulo { unsigned short bit_size; @@ -170,6 +174,10 @@ struct ecc_modulo ecc_mod_func *reduce; ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; + + ecc_mod_mul_1_func *mul_1; + ecc_mod_mul_1_func *addmul_1; + ecc_mod_mul_1_func *submul_1; }; /* Represents an elliptic curve of the form 
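Review bot: The three new `ecc_mod_mul_1_func *` members added to `struct ecc_modulo` in the `@@ -170,6 +174,10 @@` hunk carry no comment, yet every curve file in this series fills them with the `_std` functions only for the `p` modulo and with `NULL` for the `q` modulo (the `+NULL, +NULL, +NULL,` lines in the ecc-curve25519.c, ecc-curve448.c, ecc-gost-gc256b.c and ecc-gost-gc512a.c hunks), so a caller that reaches for `ecc->q.mul_1` dereferences a null pointer with nothing in the header warning it off. I would state the contract above the fields, e.g. `/* Multiplication by a small constant with a modulus-specific fixup; set only for the curve's p modulo, NULL for q. Callers must not invoke these through q. */`. The preceding `typedef void ecc_mod_mul_1_func (...)` hunk would also benefit from a one-line description of the expected semantics (presumably `rp = ap * b` reduced modulo `m`, with the add/sub variants accumulating into `rp`), since GOST curve authors will have to implement non-`_std` versions against it; confirm the exact wording against the `_std` bodies in ecc-mod-arith.c, which are outside this chunk.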
@@ -240,15 +248,15 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t b); +ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t b); void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); void -ecc_mod_submul_1 (const stru
[PATCH 0/2] two small fixes for ecc-gost branch
Hello, Two small fixes to go on top of the ecc-gost branch. These two patches can be squashed into the respective patches or kept as separate commits, whichever you prefer. -- With best wishes Dmitry ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH 2/2] .gitignore: correct generated header names
From: Dmitry Baryshkov Signed-off-by: Dmitry Baryshkov --- .gitignore | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2e64c187574f..48e2b7f464da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,8 +45,8 @@ core
 /rotors.h
 /ecc-curve25519.h
 /ecc-curve448.h
-/ecc-gc256b.h
-/ecc-gc512a.h
+/ecc-gost-gc256b.h
+/ecc-gost-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
-- 2.24.1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH 1/2] gost gc512a: rename functions to follow usual pattern
From: Dmitry Baryshkov Signed-off-by: Dmitry Baryshkov --- ecc-gost-gc512a.c | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c index 4baec1f5945d..6d210925b609 100644 --- a/ecc-gost-gc512a.c +++ b/ecc-gost-gc512a.c @@ -43,7 +43,7 @@ #include "ecc-gost-gc512a.h" static void -ecc_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp) +ecc_gost_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp) { mp_size_t mn = m->size; mp_limb_t hi; @@ -54,8 +54,8 @@ ecc_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp) assert(hi == 0); } -#define ecc_gc512a_modp ecc_gc512a_modp -#define ecc_gc512a_modq ecc_mod +#define ecc_gost_gc512a_modp ecc_gost_gc512a_modp +#define ecc_gost_gc512a_modq ecc_mod const struct ecc_curve _nettle_gost_gc512a = { @@ -73,8 +73,8 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_redc_ppm1, ecc_pp1h, -ecc_gc512a_modp, -ecc_gc512a_modp, +ecc_gost_gc512a_modp, +ecc_gost_gc512a_modp, ecc_mod_inv, NULL, }, @@ -92,8 +92,8 @@ const struct ecc_curve _nettle_gost_gc512a = NULL, ecc_qp1h, -ecc_gc512a_modq, -ecc_gc512a_modq, +ecc_gost_gc512a_modq, +ecc_gost_gc512a_modq, ecc_mod_inv, NULL, }, -- 2.24.1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH] hogweed-benchmark: fill 32 or 56 bytes rather than just sizeof(int)
From: Dmitry Baryshkov Don't call sizeof(CURVExyz_SIZE) to get amount of bytes to fill. Just use CURVExyz_SIZE itself. Signed-off-by: Dmitry Baryshkov --- examples/hogweed-benchmark.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/hogweed-benchmark.c b/examples/hogweed-benchmark.c
index 11393df04c81..69315211a0cc 100644
--- a/examples/hogweed-benchmark.c
+++ b/examples/hogweed-benchmark.c
@@ -771,12 +771,12 @@ bench_curve_init (unsigned size)
 case 255:
 ctx->mul = curve25519_mul;
 ctx->mul_g = curve25519_mul_g;
- knuth_lfib_random (&lfib, sizeof(CURVE25519_SIZE), ctx->s);
+ knuth_lfib_random (&lfib, CURVE25519_SIZE, ctx->s);
 break;
 case 448:
 ctx->mul = curve448_mul;
 ctx->mul_g = curve448_mul_g;
- knuth_lfib_random (&lfib, sizeof(CURVE448_SIZE), ctx->s);
+ knuth_lfib_random (&lfib, CURVE448_SIZE, ctx->s);
 break;
 default:
 abort ();
-- 2.24.1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH v5 1/3] Add GOST DSA according to GOST R 34.10-2001/-2012
From: Dmitry Baryshkov Add GOST Digital Signature Algorithms support according to GOST R 34.10-2001/-2012. English translations of these standards are provided as RFC 5832 and RFC 7091. Signed-off-by: Dmitry Baryshkov --- Makefile.in | 4 +- ecc-gostdsa-sign.c | 101 + ecc-gostdsa-verify.c| 130 +++ ecc-hash.c | 11 +++ ecc-internal.h | 7 ++ gostdsa-sign.c | 74 +++ gostdsa-verify.c| 78 gostdsa.h | 100 + testsuite/.gitignore| 3 + testsuite/.test-rules.make | 9 ++ testsuite/Makefile.in | 4 +- testsuite/gostdsa-keygen-test.c | 155 testsuite/gostdsa-sign-test.c | 88 ++ testsuite/gostdsa-verify-test.c | 111 +++ 14 files changed, 873 insertions(+), 2 deletions(-) create mode 100644 ecc-gostdsa-sign.c create mode 100644 ecc-gostdsa-verify.c create mode 100644 gostdsa-sign.c create mode 100644 gostdsa-verify.c create mode 100644 gostdsa.h create mode 100644 testsuite/gostdsa-keygen-test.c create mode 100644 testsuite/gostdsa-sign-test.c create mode 100644 testsuite/gostdsa-verify-test.c diff --git a/Makefile.in b/Makefile.in index eb1c6c335c39..f876e5e82197 100644 --- a/Makefile.in +++ b/Makefile.in @@ -189,6 +189,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ + ecc-gostdsa-sign.c gostdsa-sign.c \ + ecc-gostdsa-verify.c gostdsa-verify.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ @@ -205,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gost28147.h gosthash94.h hmac.h \ + gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h siv-cmac.h \ 
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c new file mode 100644 index ..00eeef81f659 --- /dev/null +++ b/ecc-gostdsa-sign.c 
@@ -0,0 +1,101 @@ +/* ecc-gostdsa-sign.c + + Copyright (C) 2015 Dmitry Eremin-Solenikov + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "gostdsa.h" +#include "ecc-internal.h" + +/* Low-level GOST DSA signing */ + +mp_size_t +ecc_gostdsa_sign_itch (const struct ecc_curve *ecc) +{ + /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for + ecc_mul_g and ecc_mul_g_eh. */ + return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size); +} + +/* NOTE: Caller should check if r or s is zero. */ +void +ecc_gostdsa_sign (const struct ecc_curve *ecc, + const mp_limb_t *zp, + const mp_limb_t *kp, + size_t length, const uint8_t *digest, + mp_limb_t *rp, mp_limb_t *sp, + mp_limb_t *scratch) +{ +#define P scratch +#define hp (scratch + 4*ecc->p.size) +#define tp (scratch + 2*ecc->p.size) +#define t2pscratch + /* Procedure, according to GOST 34.10. q denotes the group + order. + + 1. k <-- uniformly random, 0 < k < q + + 2. C <-- (c_x, c_y) = k g + + 3. r <-- c_x mod q + + 4. 
s <-- (r*z + k*h) mod q. + */ + + ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size); + /* x coordinate only, modulo q */ + ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); +
[PATCH v5 3/3] hogweed-benchmark: enable testing of GOST DSA
From: Dmitry Baryshkov Signed-off-by: Dmitry Baryshkov --- examples/hogweed-benchmark.c | 104 +++ 1 file changed, 104 insertions(+) diff --git a/examples/hogweed-benchmark.c b/examples/hogweed-benchmark.c index 11393df04c81..bceed77e55d9 100644 --- a/examples/hogweed-benchmark.c +++ b/examples/hogweed-benchmark.c @@ -48,6 +48,7 @@ #include "dsa.h" #include "rsa.h" #include "eddsa.h" +#include "gostdsa.h" #include "curve25519.h" #include "curve448.h" 
@@ -591,6 +592,107 @@ bench_eddsa_clear (void *p) free (p); } +static void * +bench_gostdsa_init (unsigned size) +{ + struct ecdsa_ctx *ctx; + const struct ecc_curve *ecc; + + const char *xs; + const char *ys; + const char *zs; + mpz_t x, y, z; + + ctx = xalloc (sizeof(*ctx)); + + dsa_signature_init (&ctx->s); + knuth_lfib_init (&ctx->lfib, 17); + + switch (size) +{ +case 256: + ecc = &_nettle_gost_gc256b; + xs = "971566ceda436ee7678f7e07e84ebb7217406c0b4747aa8fd2ab1453c3d0dfba"; + ys = "ad58736965949f8e59830f8de20fc6c0d177f6ab599874f1e2e24ff71f9ce643"; + zs = "bfcf1d623e5cdd3032a7c6eabb4a923c46e43d640ffeaaf2c3ed39a8fa399924"; + ctx->digest = hash_string (&nettle_sha256, "abc"); + ctx->digest_size = 32; + break; + +case 512: + ecc = &_nettle_gost_gc512a; + xs = "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6" + "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40"; + ys = "DEAD76318012FED79507809C89CC44848743640EAC9A3C847DA9082E050760A1" + "0679F4B707ABC1872640AD20D7441F66C7A8B3BFF1B8E11B4A076F0A86749F73"; + zs = "3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435" + "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B"; + ctx->digest = hash_string (&nettle_sha512, "abc"); + ctx->digest_size = 64; + break; + +default: + die ("Internal error.\n"); +} + ecc_point_init (&ctx->pub, ecc); + ecc_scalar_init (&ctx->key, ecc); + + mpz_init_set_str (x, xs, 16); + mpz_init_set_str (y, ys, 16); + mpz_init_set_str (z, zs, 16); + + ecc_point_set (&ctx->pub, x, y); + ecc_scalar_set (&ctx->key, z); + + mpz_clear (x); + mpz_clear (y); + mpz_clear (z); + + gostdsa_sign (&ctx->key, + &ctx->lfib, (nettle_random_func *) knuth_lfib_random, + ctx->digest_size, ctx->digest, + &ctx->s); + + return ctx; +} + +static void +bench_gostdsa_sign (void *p) +{ + struct ecdsa_ctx *ctx = p; + struct dsa_signature s; + + dsa_signature_init (&s); + gostdsa_sign (&ctx->key, + &ctx->lfib, (nettle_random_func *) knuth_lfib_random, + 
ctx->digest_size, ctx->digest, + &s); + dsa_signature_clear (&s); +} + +static void +bench_gostdsa_verify (void *p) +{ + struct ecdsa_ctx *ctx = p; + if (! gostdsa_verify (&ctx->pub, + ctx->digest_size, ctx->digest, + &ctx->s)) +die ("Internal error, _gostdsa_verify failed.\n"); +} + +static void +bench_gostdsa_clear (void *p) +{ + struct ecdsa_ctx *ctx = p; + + ecc_point_clear (&ctx->pub); + ecc_scalar_clear (&ctx->key); + dsa_signature_clear (&ctx->s); + free (ctx->digest); + + free (ctx); +} + #if WITH_OPENSSL struct openssl_rsa_ctx { @@ -838,6 +940,8 @@ struct alg alg_list[] = { { "eddsa", 448, bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify, bench_eddsa_clear }, { "curve", 255, bench_curve_init, bench_curve_mul_g, bench_curve_mul, bench_curve_clear}, { "curve", 448, bench_curve_init, bench_curve_mul_g, bench_curve_mul, bench_curve_clear }, + { "gostdsa", 256, bench_gostdsa_init, bench_gostdsa_sign, bench_gostdsa_verify, bench_gostdsa_clear }, + { "gostdsa", 512, bench_gostdsa_init, bench_gostdsa_sign, bench_gostdsa_verify, bench_gostdsa_clear }, }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) -- 2.24.1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
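Review bot: `bench_gostdsa_init` discards the return values of `ecc_point_set (&ctx->pub, x, y)` and `ecc_scalar_set (&ctx->key, z)`, both of which report failure (point not on the curve, scalar out of range) as 0, so a mistyped hard-coded key would silently produce a signature over an unset key and the failure would only surface later, and less clearly, as the "Internal error, _gostdsa_verify failed." die in `bench_gostdsa_verify`. Checking them at the point of use is two lines: `if (!ecc_point_set (&ctx->pub, x, y) || !ecc_scalar_set (&ctx->key, z))` followed by `die ("Internal error, invalid gostdsa benchmark key.\n");`. As a matter of style, the init function names the internal symbols `_nettle_gost_gc256b` / `_nettle_gost_gc512a` directly, presumably mirroring the existing ecdsa bench code; the public accessors `nettle_get_gost_gc256b()` / `nettle_get_gost_gc512a()` documented elsewhere in this series would keep the example out of the library's private namespace. The `_gostdsa_verify` spelling in the die message also looks like a stray underscore unless it deliberately copies the ecdsa wording.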
[PATCH v5 2/3] Add documentation for GOSTDSA and GOST curves.
From: Dmitry Baryshkov Signed-off-by: Dmitry Baryshkov --- nettle.texinfo | 65 +- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/nettle.texinfo b/nettle.texinfo index 65b36e315f81..38c84410c103 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -115,6 +115,7 @@ Public-key algorithms * Side-channel silence:: * ECDSA:: +* GOSTDSA:: * Curve 25519 and Curve 448:: @end detailmenu @@ -4916,6 +4917,7 @@ curve'' is used as a shorthand for the bitsize of the curve's prime @menu * Side-channel silence:: * ECDSA:: +* GOSTDSA:: * Curve 25519 and Curve 448:: @end menu @@ -4950,7 +4952,7 @@ accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. -@node ECDSA, Curve 25519 and Curve 448, Side-channel silence, Elliptic curves +@node ECDSA, GOSTDSA, Side-channel silence, Elliptic curves @comment node-name, next, previous, up @subsubsection ECDSA 
@@ -5054,6 +5056,67 @@ random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @end deftypefun +@node GOSTDSA, Curve 25519 and Curve 448, ECDSA, Elliptic curves +@comment node-name, next, previous, up +@subsubsection GOSTDSA + +GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA +(@pxref{DSA}) and ECDSA (@pxref{ECDSA}) digital signature schemes, which works +over an elliptic curve group. Original documents are written in Russian. +English translations are provided in @cite{RFC 5832} and @cite{RFC 7091}. +While technically nothing stops one from using GOSTDSA over any curve, it +is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, +creating a signature requires a unique random nonce (repeating the nonce +with two different messages reveals the private key, and any leak or bias +in the generation of the nonce also leaks information about the key). + +GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function +(GOSTHASH94 and GOSTHASH94CP, @cite{RFC 5831}). GOST R 34.10-2012 is +defined to use GOST R 34.11-2012 hash function (Streebog, @cite{RFC +6986}) of corresponding size (256 or 512) depending on curve size. + +Nettle defines GOSTDSA in @file{}. GOSTDSA reuses ECDSA +data types (@code{struct ecc_point}, @code{struct ecc_scalar}) to +represent public and private keys. Also to generate a new GOSTDSA key +pair one has to use @code{ecdsa_generate_keypair()} function. + +To create and verify GOSTDSA signatures, the following functions are used. + +@deftypefun void gostdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) +Uses the private key @var{key} to create a signature on @var{digest}. +@var{random_ctx} and @var{random} is a randomness generator. 
+@code{random(random_ctx, length, dst)} should generate @code{length} +random octets and store them at @code{dst}. The signature is stored in +@var{signature}, in the same was as for plain DSA. +@end deftypefun + +@deftypefun int gostdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) +Uses the public key @var{pub} to verify that @var{signature} is a valid +signature for the message digest @var{digest} (of @var{length} octets). +Returns 1 if the signature is valid, otherwise 0. +@end deftypefun + +For historical reason several curve IDs (OIDs) may correspond to a single +curve/generator combination. Following list defines correspondence +between nettle's view on curves and actual identifiers defined in @cite{RFC +4357} and @cite{RFC 7836}. + +@deftypefun {const struct ecc_curve} nettle_get_gost_gc256b(void) +Returns curve corresponding to following identifiers: +@itemize +@item id-GostR3410-2001-CryptoPro-A-ParamSet (@cite{RFC 4357}) +@item id-GostR3410-2001-CryptoPro-XchA-ParamSet (@cite{RFC 4357}) +@item id-tc26-gost-3410-12-256-paramSetB +@end itemize +@end deftypefun + +@deftypefun {const struct ecc_curve} nettle_get_gost_gc512a(void) +Returns curve corresponding to following identifiers: +@itemize +@item id-tc26-gost-3410-12-512-paramSetA (@cite{RFC 7836}) +@end itemize +@end deftypefun + @node Curve 25519 and Curve 448, , ECDSA, Elliptic curves @comment node-name, next, previous, up @subsubsection Curve25519 and Curve448 -- 2.24.1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH v4 3/4] Add GOST DSA according to GOST R 34.10-2001/-2012
From: Dmitry Eremin-Solenikov Add GOST Digital Signature Algorithms support according to GOST R 34.10-2001/-2012. English translations of these standards are provided as RFC 5832 and RFC 7091. Signed-off-by: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Baryshkov --- Makefile.in | 4 +- ecc-gostdsa-sign.c | 101 + ecc-gostdsa-verify.c| 130 +++ ecc-hash.c | 11 +++ ecc-internal.h | 7 ++ gostdsa-sign.c | 74 +++ gostdsa-verify.c| 78 gostdsa.h | 102 + testsuite/.gitignore| 3 + testsuite/.test-rules.make | 9 ++ testsuite/Makefile.in | 4 +- testsuite/gostdsa-keygen-test.c | 154 testsuite/gostdsa-sign-test.c | 87 ++ testsuite/gostdsa-verify-test.c | 110 +++ testsuite/testutils.h | 1 + 15 files changed, 873 insertions(+), 2 deletions(-) create mode 100644 ecc-gostdsa-sign.c create mode 100644 ecc-gostdsa-verify.c create mode 100644 gostdsa-sign.c create mode 100644 gostdsa-verify.c create mode 100644 gostdsa.h create mode 100644 testsuite/gostdsa-keygen-test.c create mode 100644 testsuite/gostdsa-sign-test.c create mode 100644 testsuite/gostdsa-verify-test.c diff --git a/Makefile.in b/Makefile.in index a08dfe4da481..1396e2fe2808 100644 --- a/Makefile.in +++ b/Makefile.in @@ -189,6 +189,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ + ecc-gostdsa-sign.c gostdsa-sign.c \ + ecc-gostdsa-verify.c gostdsa-verify.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ @@ -205,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gost28147.h gosthash94.h hmac.h \ + gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h siv-cmac.h \ 
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c new file mode 100644 index ..00eeef81f659 --- /dev/null +++ b/ecc-gostdsa-sign.c 
@@ -0,0 +1,101 @@ +/* ecc-gostdsa-sign.c + + Copyright (C) 2015 Dmitry Eremin-Solenikov + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "gostdsa.h" +#include "ecc-internal.h" + +/* Low-level GOST DSA signing */ + +mp_size_t +ecc_gostdsa_sign_itch (const struct ecc_curve *ecc) +{ + /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for + ecc_mul_g and ecc_mul_g_eh. */ + return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size); +} + +/* NOTE: Caller should check if r or s is zero. */ +void +ecc_gostdsa_sign (const struct ecc_curve *ecc, + const mp_limb_t *zp, + const mp_limb_t *kp, + size_t length, const uint8_t *digest, + mp_limb_t *rp, mp_limb_t *sp, + mp_limb_t *scratch) +{ +#define P scratch +#define hp (scratch + 4*ecc->p.size) +#define tp (scratch + 2*ecc->p.size) +#define t2pscratch + /* Procedure, according to GOST 34.10. q denotes the group + order. + + 1. k <-- uniformly random, 0 < k < q + + 2. C <-- (c_x, c_y) = k g + + 3. r <-- c_x mod q + + 4. 
s <-- (r*z + k*h) mod q. + */ + + ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size); +
[PATCH v4 2/4] Add support for GOST GC512A curve
From: Dmitry Eremin-Solenikov Add support for GC512A curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as tc26-gost-3410-12-512-paramSetA (RFC 7836). Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore | 1 + Makefile.in | 14 - ecc-curve.h | 1 + ecc-gost-gc512a.c| 128 +++ ecc-internal.h | 1 + eccdata.c| 38 examples/ecc-benchmark.c | 1 + testsuite/testutils.c| 18 +- 8 files changed, 198 insertions(+), 4 deletions(-) create mode 100644 ecc-gost-gc512a.c diff --git a/.gitignore b/.gitignore index 4454ade5a950..2e64c187574f 100644 --- a/.gitignore +++ b/.gitignore @@ -46,6 +46,7 @@ core /ecc-curve25519.h /ecc-curve448.h /ecc-gc256b.h +/ecc-gc512a.h /ecc-secp192r1.h /ecc-secp224r1.h /ecc-secp256r1.h diff --git a/Makefile.in b/Makefile.in index 9c1a925462aa..a08dfe4da481 100644 --- a/Makefile.in +++ b/Makefile.in @@ -176,7 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ - ecc-gost-gc256b.c \ + ecc-gost-gc256b.c ecc-gost-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ @@ -405,6 +405,15 @@ ecc-curve448.h: eccdata.stamp ecc-gost-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +# Some reasonable choices for 512: +# k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB +# k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB +# k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) 20 KB +# k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) 16 KB +# k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) 12 KB +ecc-gost-gc512a.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gost_gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@ + eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp 
@@ -412,6 +421,7 @@ eccdata.stamp: eccdata.c ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h +ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h @@ -670,7 +680,7 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ - ecc-gost-gc256b.h \ + ecc-gost-gc256b.h ecc-gost-gc512a.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ diff --git a/ecc-curve.h b/ecc-curve.h index da07b0232d42..8f050404a944 100644 --- a/ecc-curve.h +++ b/ecc-curve.h @@ -44,6 +44,7 @@ extern "C" { struct ecc_curve; const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void); diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c new file mode 100644 index ..4baec1f5945d --- /dev/null +++ b/ecc-gost-gc512a.c 
@@ -0,0 +1,128 @@ +/* ecc-gost-gc512a.c + + Copyright (C) 2016-2020 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-gost-gc512a.h" + +static void +ecc_gc512a_modp (const struct ecc_
[PATCH v4 4/4] Add documentation for GOSTDSA and GOST curves.
From: Dmitry Baryshkov Signed-off-by: Dmitry Baryshkov --- nettle.texinfo | 65 +- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/nettle.texinfo b/nettle.texinfo index 65b36e315f81..38c84410c103 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -115,6 +115,7 @@ Public-key algorithms * Side-channel silence:: * ECDSA:: +* GOSTDSA:: * Curve 25519 and Curve 448:: @end detailmenu @@ -4916,6 +4917,7 @@ curve'' is used as a shorthand for the bitsize of the curve's prime @menu * Side-channel silence:: * ECDSA:: +* GOSTDSA:: * Curve 25519 and Curve 448:: @end menu @@ -4950,7 +4952,7 @@ accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. -@node ECDSA, Curve 25519 and Curve 448, Side-channel silence, Elliptic curves +@node ECDSA, GOSTDSA, Side-channel silence, Elliptic curves @comment node-name, next, previous, up @subsubsection ECDSA 
@@ -5054,6 +5056,67 @@ random octets and store them at @code{dst}. For advice, see @xref{Randomness}.
 @end deftypefun
+@node GOSTDSA, Curve 25519 and Curve 448, ECDSA, Elliptic curves
+@comment node-name, next, previous, up
+@subsubsection GOSTDSA
+
+GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA
+(@pxref{DSA}) and ECDSA (@pxref{ECDSA}) digital signature schemes, which works
+over an elliptic curve group. Original documents are written in Russian.
+English translations are provided in @cite{RFC 5832} and @cite{RFC 7091}.
+While technically nothing stops one from using GOSTDSA over any curve, it
+is defined only over several 256 and 512-bit curves. Like DSA and ECDSA,
+creating a signature requires a unique random nonce (repeating the nonce
+with two different messages reveals the private key, and any leak or bias
+in the generation of the nonce also leaks information about the key).
+
+GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function
+(GOSTHASH94 and GOSTHASH94CP, @cite{RFC 5831}). GOST R 34.10-2012 is
+defined to use GOST R 34.11-2012 hash function (Streebog, @cite{RFC
+6986}) of corresponding size (256 or 512) depending on curve size.
+
+Nettle defines GOSTDSA in @file{}. GOSTDSA reuses ECDSA
+data types (@code{struct ecc_point}, @code{struct ecc_scalar}) to
+represent public and private keys. Also to generate a new GOSTDSA key
+pair one has to use @code{ecdsa_generate_keypair()} function.
+
+To create and verify GOSTDSA signatures, the following functions are used.
+
+@deftypefun void gostdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature})
+Uses the private key @var{key} to create a signature on @var{digest}.
+@var{random_ctx} and @var{random} is a randomness generator.
+@code{random(random_ctx, length, dst)} should generate @code{length}
+random octets and store them at @code{dst}. The signature is stored in
+@var{signature}, in the same was as for plain DSA.
+@end deftypefun
+
+@deftypefun int gostdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature})
+Uses the public key @var{pub} to verify that @var{signature} is a valid
+signature for the message digest @var{digest} (of @var{length} octets).
+Returns 1 if the signature is valid, otherwise 0.
+@end deftypefun
+
+For historical reason several curve IDs (OIDs) may correspond to a single
+curve/generator combination. Following list defines correspondence
+between nettle's view on curves and actual identifiers defined in @cite{RFC
+4357} and @cite{RFC 7836}.
+
+@deftypefun {const struct ecc_curve} nettle_get_gost_gc256b(void)
+Returns curve corresponding to following identifiers:
+@itemize
+@item id-GostR3410-2001-CryptoPro-A-ParamSet (@cite{RFC 4357})
+@item id-GostR3410-2001-CryptoPro-XchA-ParamSet (@cite{RFC 4357})
+@item id-tc26-gost-3410-12-256-paramSetB
+@end itemize
+@end deftypefun
+
+@deftypefun {const struct ecc_curve} nettle_get_gost_gc512a(void)
+Returns curve corresponding to following identifiers:
+@itemize
+@item id-tc26-gost-3410-12-512-paramSetA (@cite{RFC 7836})
+@end itemize
+@end deftypefun
+
 @node Curve 25519 and Curve 448, , ECDSA, Elliptic curves
 @comment node-name, next, previous, up
 @subsubsection Curve25519 and Curve448
-- 2.24.1
___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH v4 1/4] Add support for GOST GC256B curve
From: Dmitry Eremin-Solenikov Add support for GC256B curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as GostR3410-2001-CryptoPro-A and GostR3410-2001-CryptoPro-XchA (RFC 4357). Signed-off-by: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Baryshkov
--- .gitignore | 1 + Makefile.in | 11 ecc-curve.h | 1 + ecc-gost-gc256b.c| 128 +++ ecc-internal.h | 3 + eccdata.c| 34 ++- examples/ecc-benchmark.c | 1 + testsuite/testutils.c| 12 +++- 8 files changed, 188 insertions(+), 3 deletions(-) create mode 100644 ecc-gost-gc256b.c
diff --git a/.gitignore b/.gitignore
index ea264107fa40..4454ade5a950 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ core
 /rotors.h
 /ecc-curve25519.h
 /ecc-curve448.h
+/ecc-gc256b.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 38160bb40fe1..9c1a925462aa 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,6 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 ecc-mod.c ecc-mod-inv.c \
 ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
 ecc-curve25519.c ecc-curve448.c \
+ ecc-gost-gc256b.c \
 ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
 ecc-secp384r1.c ecc-secp521r1.c \
 ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
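Review bot: The .gitignore entry added in this hunk is `/ecc-gc256b.h`, but the header this version of the series generates and cleans is `ecc-gost-gc256b.h` (the Makefile.in rules later in the same patch write `ecc-gost-gc256b.h: eccdata.stamp` and remove it in clean-here), so the generated file will still show up as untracked while a name that no longer exists is ignored. The line should read `+/ecc-gost-gc256b.h`. The earlier v2 and v3 revisions of this patch used the `ecc-gc256b` name throughout, so it looks like the rename to `ecc-gost-gc256b` was not carried into .gitignore.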
@@ -396,12 +397,21 @@ ecc-curve25519.h: eccdata.stamp
 ecc-curve448.h: eccdata.stamp
 ./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T $@
+# Some reasonable choices for 256:
+# k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB
+# k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB
+# k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB
+# k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB
+ecc-gost-gc256b.h: eccdata.stamp
+ ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
 $(MAKE) eccdata$(EXEEXT_FOR_BUILD)
 echo stamp > eccdata.stamp
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
+ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -660,6 +670,7 @@ distcheck: dist
 clean-here:
 -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
 ecc-curve25519.h ecc-curve448.h \
+ ecc-gost-gc256b.h \
 ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
 ecc-secp384r1.h ecc-secp521r1.h \
 aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 76024a19d24f..da07b0232d42 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -43,6 +43,7 @@ extern "C" {
 /* The contents of this struct is internal. */
 struct ecc_curve;
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gost-gc256b.c b/ecc-gost-gc256b.c
new file mode 100644
index ..8adc8e1763b9
--- /dev/null
+++ b/ecc-gost-gc256b.c
@@ -0,0 +1,128 @@
+/* ecc-gost-gc256b.c
+
+ Copyright (C) 2016-2020 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include "ecc-gost-gc256b.h"
+
+static void
+ecc_gost_gc256b_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+{
+ mp_size_t mn = m->size;
+ mp_limb_t hi;
+
+ hi = mpn_addmul_1(rp, rp + mn, mn, 0x269);
+ hi = sec_add_1 (rp, rp, mn, hi * 0x269);
+ hi = sec_add_1 (rp, rp, mn, hi * 0x269);
+ assert(hi == 0);
+}
[PATCH v3 1/3] Add support for GOST GC256B curve
From: Dmitry Eremin-Solenikov Add support for GC256B curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as GostR3410-2001-CryptoPro-A and GostR3410-2001-CryptoPro-XchA (RFC 4357). Signed-off-by: Dmitry Eremin-Solenikov
--- .gitignore | 1 + Makefile.in | 11 ecc-curve.h | 1 + ecc-gc256b.c | 128 +++ ecc-internal.h | 3 + eccdata.c| 34 ++- examples/ecc-benchmark.c | 1 + testsuite/testutils.c| 12 +++- 8 files changed, 188 insertions(+), 3 deletions(-) create mode 100644 ecc-gc256b.c
diff --git a/.gitignore b/.gitignore
index ea264107fa40..4454ade5a950 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ core
 /rotors.h
 /ecc-curve25519.h
 /ecc-curve448.h
+/ecc-gc256b.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 38160bb40fe1..8815e7b76dea 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,6 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 ecc-mod.c ecc-mod-inv.c \
 ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
 ecc-curve25519.c ecc-curve448.c \
+ ecc-gc256b.c \
 ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
 ecc-secp384r1.c ecc-secp521r1.c \
 ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -396,12 +397,21 @@ ecc-curve25519.h: eccdata.stamp
 ecc-curve448.h: eccdata.stamp
 ./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T $@
+# Some reasonable choices for 256:
+# k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB
+# k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB
+# k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB
+# k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB
+ecc-gc256b.h: eccdata.stamp
+ ./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
 $(MAKE) eccdata$(EXEEXT_FOR_BUILD)
 echo stamp > eccdata.stamp
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
+ecc-gc256b.$(OBJEXT): ecc-gc256b.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -660,6 +670,7 @@ distcheck: dist
 clean-here:
 -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
 ecc-curve25519.h ecc-curve448.h \
+ ecc-gc256b.h \
 ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
 ecc-secp384r1.h ecc-secp521r1.h \
 aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 76024a19d24f..b378c8489839 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -43,6 +43,7 @@ extern "C" {
 /* The contents of this struct is internal. */
 struct ecc_curve;
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc256b(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gc256b.c b/ecc-gc256b.c
new file mode 100644
index ..b2d12d0bdf7c
--- /dev/null
+++ b/ecc-gc256b.c
@@ -0,0 +1,128 @@ +/* ecc-gc256b.c + + Copyright (C) 2016-2020 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-gc256b.h" + +static void +ecc_gc256b_modp (const struct ecc_modulo *m, mp_limb_t *rp) +{ + mp_size_t mn = m->size; + mp_limb_t hi; + + hi = mpn_addmul_1(rp, rp + mn, mn, 0x269); + hi = sec_add_1 (rp, rp, mn, hi * 0x269); + hi = sec_add_1 (rp, rp, mn, hi * 0x269); + assert(hi == 0); +} + +#define ecc_gc256b_modp ecc_gc256b_modp +#define ecc_gc256b_modq ecc_mod + +const struct ecc_curve _
[PATCH v3 2/3] Add support for GOST GC512A curve
From: Dmitry Eremin-Solenikov Add support for GC512A curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as tc26-gost-3410-12-512-paramSetA (RFC 7836). Signed-off-by: Dmitry Eremin-Solenikov
--- .gitignore | 1 + Makefile.in | 14 - ecc-curve.h | 1 + ecc-gc512a.c | 128 +++ ecc-internal.h | 1 + eccdata.c| 38 examples/ecc-benchmark.c | 1 + testsuite/testutils.c| 18 +- 8 files changed, 198 insertions(+), 4 deletions(-) create mode 100644 ecc-gc512a.c
diff --git a/.gitignore b/.gitignore
index 4454ade5a950..2e64c187574f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ core
 /ecc-curve25519.h
 /ecc-curve448.h
 /ecc-gc256b.h
+/ecc-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 8815e7b76dea..11883a8bc88b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,7 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 ecc-mod.c ecc-mod-inv.c \
 ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
 ecc-curve25519.c ecc-curve448.c \
- ecc-gc256b.c \
+ ecc-gc256b.c ecc-gc512a.c \
 ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
 ecc-secp384r1.c ecc-secp521r1.c \
 ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -405,6 +405,15 @@ ecc-curve448.h: eccdata.stamp
 ecc-gc256b.h: eccdata.stamp
 ./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+# Some reasonable choices for 512:
+# k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB
+# k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB
+# k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) 20 KB
+# k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) 16 KB
+# k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) 12 KB
+ecc-gc512a.h: eccdata.stamp
+ ./eccdata$(EXEEXT_FOR_BUILD) gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
 $(MAKE) eccdata$(EXEEXT_FOR_BUILD)
 echo stamp > eccdata.stamp
@@ -412,6 +421,7 @@ eccdata.stamp: eccdata.c
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
 ecc-gc256b.$(OBJEXT): ecc-gc256b.h
+ecc-gc512a.$(OBJEXT): ecc-gc512a.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -670,7 +680,7 @@ distcheck: dist
 clean-here:
 -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
 ecc-curve25519.h ecc-curve448.h \
- ecc-gc256b.h \
+ ecc-gc256b.h ecc-gc512a.h \
 ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
 ecc-secp384r1.h ecc-secp521r1.h \
 aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index b378c8489839..93e1585ba15b 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -44,6 +44,7 @@ extern "C" {
 struct ecc_curve;
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc512a(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gc512a.c b/ecc-gc512a.c
new file mode 100644
index ..602fd28147ea
--- /dev/null
+++ b/ecc-gc512a.c
@@ -0,0 +1,128 @@ +/* ecc-gc512a.c + + Copyright (C) 2016-2020 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-gc512a.h" + +static void +ecc_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp) +{ + mp_size_t mn = m->size; + mp_limb_t hi; + + hi = mpn_addmul_1(rp, rp + mn, mn,
[PATCH v3 3/3] Add GOST DSA according to GOST R 34.10-2001/-2012
From: Dmitry Eremin-Solenikov Add GOST Digital Signature Algorithms support according to GOST R 34.10-2001/-2012. English translations of these standards are provided as RFC 5832 and RFC 7091. Signed-off-by: Dmitry Eremin-Solenikov
--- Makefile.in | 4 +- ecc-gostdsa-sign.c | 101 + ecc-gostdsa-verify.c| 130 +++ ecc-hash.c | 11 +++ ecc-internal.h | 7 ++ gostdsa-sign.c | 74 +++ gostdsa-verify.c| 78 gostdsa.h | 102 + testsuite/.gitignore| 3 + testsuite/.test-rules.make | 9 ++ testsuite/Makefile.in | 4 +- testsuite/gostdsa-keygen-test.c | 154 testsuite/gostdsa-sign-test.c | 87 ++ testsuite/gostdsa-verify-test.c | 110 +++ testsuite/testutils.h | 1 + 15 files changed, 873 insertions(+), 2 deletions(-) create mode 100644 ecc-gostdsa-sign.c create mode 100644 ecc-gostdsa-verify.c create mode 100644 gostdsa-sign.c create mode 100644 gostdsa-verify.c create mode 100644 gostdsa.h create mode 100644 testsuite/gostdsa-keygen-test.c create mode 100644 testsuite/gostdsa-sign-test.c create mode 100644 testsuite/gostdsa-verify-test.c
diff --git a/Makefile.in b/Makefile.in
index 11883a8bc88b..ac7b090c2ffd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -189,6 +189,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \
 ecc-ecdsa-sign.c ecdsa-sign.c \
 ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \
+ ecc-gostdsa-sign.c gostdsa-sign.c \
+ ecc-gostdsa-verify.c gostdsa-verify.c \
 curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \
 curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \
 eddsa-compress.c eddsa-decompress.c eddsa-expand.c \
@@ -205,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
 cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \
 curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \
 ecc-curve.h ecc.h ecdsa.h eddsa.h \
- gcm.h gost28147.h gosthash94.h hmac.h \
+ gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \
 knuth-lfib.h hkdf.h \
 macros.h \
 cmac.h siv-cmac.h \
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c
new file mode 100644
index ..00eeef81f659
--- /dev/null
+++ b/ecc-gostdsa-sign.c
@@ -0,0 +1,101 @@
+/* ecc-gostdsa-sign.c
+
+ Copyright (C) 2015 Dmitry Eremin-Solenikov
+ Copyright (C) 2013, 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+#include 
+
+#include "gostdsa.h"
+#include "ecc-internal.h"
+
+/* Low-level GOST DSA signing */
+
+mp_size_t
+ecc_gostdsa_sign_itch (const struct ecc_curve *ecc)
+{
+ /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for
+ ecc_mul_g and ecc_mul_g_eh. */
+ return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size);
+}
+
+/* NOTE: Caller should check if r or s is zero. */
+void
+ecc_gostdsa_sign (const struct ecc_curve *ecc,
+ const mp_limb_t *zp,
+ const mp_limb_t *kp,
+ size_t length, const uint8_t *digest,
+ mp_limb_t *rp, mp_limb_t *sp,
+ mp_limb_t *scratch)
+{
+#define P scratch
+#define hp (scratch + 4*ecc->p.size)
+#define tp (scratch + 2*ecc->p.size)
+#define t2pscratch
+ /* Procedure, according to GOST 34.10. q denotes the group
+ order.
+
+ 1. k <-- uniformly random, 0 < k < q
+
+ 2. C <-- (c_x, c_y) = k g
+
+ 3. r <-- c_x mod q
+
+ 4. 
s <-- (r*z + k*h) mod q.
+ */
+
+ ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size);
+ /* x coordinate only, modulo q
[PATCH v2 1/3] Add support for GOST GC256B curve
From: Dmitry Eremin-Solenikov Add support for GC256B curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as GostR3410-2001-CryptoPro-A and GostR3410-2001-CryptoPro-XchA (RFC 4357). Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore | 1 + Makefile.in | 11 +++ ecc-curve.h | 1 + ecc-gc256b.c | 140 +++ ecc-internal.h | 3 + eccdata.c| 34 +- examples/ecc-benchmark.c | 1 + testsuite/testutils.c| 12 +++- 8 files changed, 200 insertions(+), 3 deletions(-) create mode 100644 ecc-gc256b.c diff --git a/.gitignore b/.gitignore index ea264107fa40..4454ade5a950 100644 --- a/.gitignore +++ b/.gitignore @@ -45,6 +45,7 @@ core /rotors.h /ecc-curve25519.h /ecc-curve448.h +/ecc-gc256b.h /ecc-secp192r1.h /ecc-secp224r1.h /ecc-secp256r1.h diff --git a/Makefile.in b/Makefile.in index 38160bb40fe1..8815e7b76dea 100644 --- a/Makefile.in +++ b/Makefile.in @@ -176,6 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ + ecc-gc256b.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ 
@@ -396,12 +397,21 @@ ecc-curve25519.h: eccdata.stamp ecc-curve448.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T $@ +# Some reasonable choices for 256: +# k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB +# k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB +# k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB +# k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB +ecc-gc256b.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h +ecc-gc256b.$(OBJEXT): ecc-gc256b.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h @@ -660,6 +670,7 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ + ecc-gc256b.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ diff --git a/ecc-curve.h b/ecc-curve.h index 76024a19d24f..b378c8489839 100644 --- a/ecc-curve.h +++ b/ecc-curve.h @@ -43,6 +43,7 @@ extern "C" { /* The contents of this struct is internal. */ struct ecc_curve; +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc256b(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void); diff --git a/ecc-gc256b.c b/ecc-gc256b.c new file mode 100644 index ..755759a8fd38 --- /dev/null +++ b/ecc-gc256b.c 
@@ -0,0 +1,140 @@ +/* ecc-gc256b.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC (ECC_REDC_SIZE != 0) + +#include "ecc-gc256b.h" + +#if ECC_REDC_SIZE > 0 +# define ecc_gc256b_redc ecc_pp1_redc +#elif ECC_REDC_SIZE == 0 +# define ecc_gc256b_redc NULL +#else +# error Configuration error +#endif + +static void +ecc_gc256b_modp (const struct ecc_modulo *
[PATCH v2 3/3] Add GOST DSA according to GOST R 34.10-2001/-2012
From: Dmitry Eremin-Solenikov Add GOST Digital Signature Algorithms support according to GOST R 34.10-2001/-2012. English translations of these standards are provided as RFC 5832 and RFC 7091. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 4 +- ecc-gostdsa-sign.c | 103 + ecc-gostdsa-verify.c| 132 +++ ecc-hash.c | 11 +++ ecc-internal.h | 7 ++ gostdsa-sign.c | 76 gostdsa-verify.c| 80 + gostdsa.h | 102 + testsuite/.gitignore| 3 + testsuite/.test-rules.make | 9 ++ testsuite/Makefile.in | 4 +- testsuite/gostdsa-keygen-test.c | 154 testsuite/gostdsa-sign-test.c | 87 ++ testsuite/gostdsa-verify-test.c | 110 +++ testsuite/testutils.h | 1 + 15 files changed, 881 insertions(+), 2 deletions(-) create mode 100644 ecc-gostdsa-sign.c create mode 100644 ecc-gostdsa-verify.c create mode 100644 gostdsa-sign.c create mode 100644 gostdsa-verify.c create mode 100644 gostdsa.h create mode 100644 testsuite/gostdsa-keygen-test.c create mode 100644 testsuite/gostdsa-sign-test.c create mode 100644 testsuite/gostdsa-verify-test.c diff --git a/Makefile.in b/Makefile.in index 28672c8546ea..05111eded397 100644 --- a/Makefile.in +++ b/Makefile.in @@ -189,6 +189,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ + ecc-gostdsa-sign.c gostdsa-sign.c \ + ecc-gostdsa-verify.c gostdsa-verify.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ @@ -205,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gost28147.h gosthash94.h hmac.h \ + gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h siv-cmac.h \ 
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c new file mode 100644 index ..0b8671d382ec --- /dev/null +++ b/ecc-gostdsa-sign.c 
@@ -0,0 +1,103 @@ +/* ecc-gostdsa-sign.c + + Copyright (C) 2015 Dmitry Eremin-Solenikov + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "gostdsa.h" +#include "ecc-internal.h" + +/* Low-level GOST DSA signing */ + +mp_size_t +ecc_gostdsa_sign_itch (const struct ecc_curve *ecc) +{ + /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for + ecc_mul_g and ecc_mul_g_eh. */ + return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size); +} + +/* NOTE: Caller should check if r or s is zero. */ +void +ecc_gostdsa_sign (const struct ecc_curve *ecc, + const mp_limb_t *zp, + const mp_limb_t *kp, + size_t length, const uint8_t *digest, + mp_limb_t *rp, mp_limb_t *sp, + mp_limb_t *scratch) +{ +#define P scratch +#define hp (scratch + 4*ecc->p.size) +#define tp (scratch + 2*ecc->p.size) +#define t2pscratch + /* Procedure, according to GOST 34.10. q denotes the group + order. + + 1. 
k <-- uniformly random, 0 < k < q + + 2. C <-- (c_x, c_y) = k g + + 3. r <-- c_x mod q + + 4. s <-- (r*z + k*h) mod q. + */
[PATCH v2 2/3] Add support for GOST GC512A curve
From: Dmitry Eremin-Solenikov Add support for GC512A curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as tc26-gost-3410-12-512-paramSetA (RFC 7836). Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore | 1 + Makefile.in | 13 +++- ecc-curve.h | 1 + ecc-gc512a.c | 140 +++ ecc-internal.h | 1 + eccdata.c| 139 ++ examples/ecc-benchmark.c | 1 + testsuite/testutils.c| 18 - 8 files changed, 310 insertions(+), 4 deletions(-) create mode 100644 ecc-gc512a.c diff --git a/.gitignore b/.gitignore index 4454ade5a950..2e64c187574f 100644 --- a/.gitignore +++ b/.gitignore @@ -46,6 +46,7 @@ core /ecc-curve25519.h /ecc-curve448.h /ecc-gc256b.h +/ecc-gc512a.h /ecc-secp192r1.h /ecc-secp224r1.h /ecc-secp256r1.h diff --git a/Makefile.in b/Makefile.in index 8815e7b76dea..28672c8546ea 100644 --- a/Makefile.in +++ b/Makefile.in @@ -176,7 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ - ecc-gc256b.c \ + ecc-gc256b.c ecc-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ @@ -405,6 +405,14 @@ ecc-curve448.h: eccdata.stamp ecc-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +# Some reasonable choices for 512: +# k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) +# k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) +# k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) +# k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) +ecc-gc512a.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@ + eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp 
@@ -412,6 +420,7 @@ eccdata.stamp: eccdata.c ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h ecc-gc256b.$(OBJEXT): ecc-gc256b.h +ecc-gc512a.$(OBJEXT): ecc-gc512a.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h @@ -670,7 +679,7 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ - ecc-gc256b.h \ + ecc-gc256b.h ecc-gc512a.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ diff --git a/ecc-curve.h b/ecc-curve.h index b378c8489839..93e1585ba15b 100644 --- a/ecc-curve.h +++ b/ecc-curve.h @@ -44,6 +44,7 @@ extern "C" { struct ecc_curve; const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc256b(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc512a(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void); diff --git a/ecc-gc512a.c b/ecc-gc512a.c new file mode 100644 index ..cc7be928fa6e --- /dev/null +++ b/ecc-gc512a.c 
@@ -0,0 +1,140 @@ +/* ecc-gc512a.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC (ECC_REDC_SIZE != 0) + +#include "ecc-gc512a.h" + +#if ECC_REDC_SIZE > 0 +# define ecc_gc512a_redc ecc_p
[PATCH 1/3] Change ecc_mod_*mul_1 to be per-module callbacks
From: Dmitry Eremin-Solenikov GOST curves will require different "fixups" for fast (mul X mod p) operations. Move these operations to ecc_modulo structure and call them via function pointer. Signed-off-by: Dmitry Eremin-Solenikov --- ecc-curve25519.c | 8 ecc-curve448.c | 8 ecc-internal.h | 32 ecc-mod-arith.c | 12 ++-- ecc-mul-m.c | 6 +++--- ecc-secp192r1.c | 8 ecc-secp224r1.c | 8 ecc-secp256r1.c | 8 ecc-secp384r1.c | 8 ecc-secp521r1.c | 8 10 files changed, 85 insertions(+), 21 deletions(-) diff --git a/ecc-curve25519.c b/ecc-curve25519.c index 0ad3017c9ebc..4ee80c8d4463 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -310,6 +310,10 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modp, ecc_curve25519_inv, ecc_curve25519_sqrt, + +ecc_mod_mul_1_std, +ecc_mod_addmul_1_std, +ecc_mod_submul_1_std, }, { 253, @@ -329,6 +333,10 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modq, ecc_mod_inv, NULL, + +NULL, +NULL, +NULL, }, 0, /* No redc */ diff --git a/ecc-curve448.c b/ecc-curve448.c index c31a0eb26ba4..71634b855af8 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c @@ -288,6 +288,10 @@ const struct ecc_curve _nettle_curve448 = ecc_curve448_modp, ecc_curve448_inv, ecc_curve448_sqrt, + +ecc_mod_mul_1_std, +ecc_mod_addmul_1_std, +ecc_mod_submul_1_std, }, { 446, @@ -307,6 +311,10 @@ const struct ecc_curve _nettle_curve448 = ecc_mod, /* FIXME: Implement optimized reduce function */ ecc_mod_inv, NULL, + +NULL, +NULL, +NULL, }, 0, /* No redc */ diff --git a/ecc-internal.h b/ecc-internal.h index c918632df292..105b67b2990e 100644 --- a/ecc-internal.h +++ b/ecc-internal.h 
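Review bot: The second ecc-curve25519.c hunk (and the matching ecc-curve448.c hunk) fills the new `mul_1`/`addmul_1`/`submul_1` slots of the order modulo `q` with NULL, so a future `ecc->q.mul_1(...)` call would jump through a null function pointer at run time instead of failing at compile time the way the old direct `ecc_mod_mul_1` calls did. As far as these hunks show, `ecc_mod_mul_1_std` and friends take a generic `const struct ecc_modulo *` with nothing tying them to `p`, so the cheap fix is to install them for `q` too: replace the three `NULL,` entries with `ecc_mod_mul_1_std, ecc_mod_addmul_1_std, ecc_mod_submul_1_std,`. If leaving them unset is deliberate, a comment beside the entries, `/* No mul_1 callbacks for q; dispatch only via ecc->p */`, should say so.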
@@ -44,9 +44,9 @@ #define ecc_pm1_redc _nettle_ecc_pm1_redc #define ecc_mod_add _nettle_ecc_mod_add #define ecc_mod_sub _nettle_ecc_mod_sub -#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 -#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 -#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 +#define ecc_mod_mul_1_std _nettle_ecc_mod_mul_1_std +#define ecc_mod_addmul_1_std _nettle_ecc_mod_addmul_1_std +#define ecc_mod_submul_1_std _nettle_ecc_mod_submul_1_std #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr #define ecc_mod_random _nettle_ecc_mod_random @@ -141,6 +141,10 @@ typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); +typedef void ecc_mod_mul_1_func (const struct ecc_modulo *m, +mp_limb_t *rp, +const mp_limb_t *ap, mp_limb_t b); + struct ecc_modulo { unsigned short bit_size; @@ -165,6 +169,10 @@ struct ecc_modulo ecc_mod_func *reduce; ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; + + ecc_mod_mul_1_func *mul_1; + ecc_mod_mul_1_func *addmul_1; + ecc_mod_mul_1_func *submul_1; }; /* Represents an elliptic curve of the form @@ -235,15 +243,15 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t b); +ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t b); void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_submul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); /* The mul and sqr functions need 2*m->size limbs at rp */ void 
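Review bot: The three function-pointer members added to `struct ecc_modulo` in the `@@ -165,6 +169,10 @@` hunk carry no comment, and nothing in the header says whether a curve table may leave them unset, although the curve definitions in this same patch do exactly that for the order modulo. Suggest documenting the contract above the members: `/* Single-limb r = a*b, r += a*b, r -= a*b (mod m). May be NULL for a curve's order modulo q; as far as this series goes, callers reach them only through the ecc_modp_*_1 macros, i.e. via ecc->p. */`. The `ecc_mod_mul_1_func` typedef earlier in the same hunk set would also benefit from a one-line note on the (m, rp, ap, b) argument order, since it is now the shape every per-curve "fixup" must match.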
@@ -259,11 +267,11 @@ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, #define ecc_modp_sub(ecc, r, a, b) \ ecc_mod_sub (&(ecc)->p, (r), (a), (b)) #define ecc_modp_mul_1(ecc, r, a, b) \ - ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b)) + (ecc)->p.mul_1 (&(ecc)->p, (r), (a), (b)) #define ecc_modp_addmul_1(ecc, r, a, b) \ - ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b)) + (ecc)->p.addmul_1 (&(ecc)->p, (r), (a), (b)) #define ecc_modp_submul_1(ecc, r, a, b) \ - ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b)) + (ecc)->p.submul_1 (&(ecc)->p, (r), (a), (b)) #define ecc_modp_mul(ecc, r, a, b) \ ecc_mod_mul (&(ecc)->p, (r), (a), (b)) #define ecc_modp_sqr(ecc, r, a) \ diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c index f2e47f6747c1..0399a2cdd7c5 100644 --- a/ecc-mod-arith.c +++ b/ecc-mod-arith.c @@ -65,8 +65,8 @@ ecc_mod_sub (const struct ecc_mod
[PATCH 2/3] Add several GOST R 34.10 curves defined by RFC 4357 and RFC 7836
From: Dmitry Eremin-Solenikov Add three 256-bit curves from RFC 4357 (Section 11.4) and two 512-bit curves from RFC 7836 (Section A.1). Curves are named accrording to the "TLS Supported Groups" registry. Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore | 5 + Makefile.in | 49 + ecc-curve.h | 5 + ecc-gc256b.c | 148 +++ ecc-gc256c.c | 210 +++ ecc-gc256d.c | 184 ++ ecc-gc512a.c | 148 +++ ecc-gc512b.c | 204 + ecc-internal.h | 7 ++ eccdata.c| 174 +++- examples/ecc-benchmark.c | 5 + testsuite/testutils.c| 56 ++- 12 files changed, 1192 insertions(+), 3 deletions(-) create mode 100644 ecc-gc256b.c create mode 100644 ecc-gc256c.c create mode 100644 ecc-gc256d.c create mode 100644 ecc-gc512a.c create mode 100644 ecc-gc512b.c diff --git a/.gitignore b/.gitignore index ea264107fa40..a0642b1b6c2f 100644 --- a/.gitignore +++ b/.gitignore @@ -45,6 +45,11 @@ core /rotors.h /ecc-curve25519.h /ecc-curve448.h +/ecc-gc256b.h +/ecc-gc256c.h +/ecc-gc256d.h +/ecc-gc512a.h +/ecc-gc512b.h /ecc-secp192r1.h /ecc-secp224r1.h /ecc-secp256r1.h diff --git a/Makefile.in b/Makefile.in index 38160bb40fe1..d9b76d8d5354 100644 --- a/Makefile.in +++ b/Makefile.in @@ -176,6 +176,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ + ecc-gc256b.c ecc-gc256c.c ecc-gc256d.c \ + ecc-gc512a.c ecc-gc512b.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ 
@@ -396,12 +398,57 @@ ecc-curve25519.h: eccdata.stamp ecc-curve448.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T $@ +# Some reasonable choices for 256: +# k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB +# k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB +# k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB +# k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB +ecc-gc256b.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 256: +# k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB +# k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB +# k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB +# k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB +ecc-gc256c.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gc256c 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 256: +# k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB +# k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB +# k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB +# k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB +ecc-gc256d.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gc256d 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 512: +# k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) +# k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) +# k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) +# k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) +ecc-gc512a.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 512: +# k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) +# k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) +# k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) +# k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) +ecc-gc512b.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gc512b 43 6 $(NUMB_BITS) > $@T && mv $@T $@ + eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > 
eccdata.stamp ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h +ecc-gc256b.$(OBJEXT): ecc-gc256b.h +ecc-gc256c.$(OBJEXT): ecc-gc256c.h +ecc-gc256d.$(OBJEXT): ecc-gc256d.h +ecc-gc512a.$(OBJEXT): ecc-gc512a.h +ecc-gc512b.$(OBJEXT): ecc-gc512b.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h @@ -660,6 +707,8 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ + ecc-gc256b.h ecc-gc256c.h ecc-gc256d.h \ + ecc-gc512a.h ecc-gc512b.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ diff --git a/ecc-curve.h b/ecc-curve.h index 76024a19d24f..6
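Review bot: The "Some reasonable choices for 256" table is pasted verbatim above each of the `ecc-gc256b.h`, `ecc-gc256c.h` and `ecc-gc256d.h` rules, and the 512-bit table twice, so the copies will drift apart the first time someone re-tunes one curve. One copy per size, headed `# Some reasonable choices for the 256-bit GOST curves (gc256b/c/d):` and followed by the three rules, keeps the Makefile shorter without losing information. The parameters themselves (k = 11, c = 6 for 256 bits) match the existing secp256r1 rule, so no change is needed there.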
[PATCH 3/3] Add GOST DSA according to GOST R 34.10-2001/-2012
From: Dmitry Eremin-Solenikov Add GOST Digital Signature Algorithms support according to GOST R 34.10-2001/-2012. English translations of these standards are provided as RFC 5832 and RFC 7091. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 4 +- ecc-gostdsa-sign.c | 103 + ecc-gostdsa-verify.c| 132 +++ ecc-hash.c | 11 +++ ecc-internal.h | 7 ++ gostdsa-sign.c | 76 gostdsa-verify.c| 80 + gostdsa.h | 102 + testsuite/.gitignore| 3 + testsuite/.test-rules.make | 9 ++ testsuite/Makefile.in | 4 +- testsuite/gostdsa-keygen-test.c | 154 testsuite/gostdsa-sign-test.c | 125 ++ testsuite/gostdsa-verify-test.c | 148 ++ testsuite/testutils.h | 1 + 15 files changed, 957 insertions(+), 2 deletions(-) create mode 100644 ecc-gostdsa-sign.c create mode 100644 ecc-gostdsa-verify.c create mode 100644 gostdsa-sign.c create mode 100644 gostdsa-verify.c create mode 100644 gostdsa.h create mode 100644 testsuite/gostdsa-keygen-test.c create mode 100644 testsuite/gostdsa-sign-test.c create mode 100644 testsuite/gostdsa-verify-test.c diff --git a/Makefile.in b/Makefile.in index d9b76d8d5354..3efc41f5ea04 100644 --- a/Makefile.in +++ b/Makefile.in @@ -190,6 +190,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ + ecc-gostdsa-sign.c gostdsa-sign.c \ + ecc-gostdsa-verify.c gostdsa-verify.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ @@ -206,7 +208,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gost28147.h gosthash94.h hmac.h \ + gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h siv-cmac.h \ 
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c new file mode 100644 index ..0b8671d382ec --- /dev/null +++ b/ecc-gostdsa-sign.c 
@@ -0,0 +1,103 @@ +/* ecc-gostdsa-sign.c + + Copyright (C) 2015 Dmitry Eremin-Solenikov + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "gostdsa.h" +#include "ecc-internal.h" + +/* Low-level GOST DSA signing */ + +mp_size_t +ecc_gostdsa_sign_itch (const struct ecc_curve *ecc) +{ + /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for + ecc_mul_g and ecc_mul_g_eh. */ + return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size); +} + +/* NOTE: Caller should check if r or s is zero. */ +void +ecc_gostdsa_sign (const struct ecc_curve *ecc, + const mp_limb_t *zp, + const mp_limb_t *kp, + size_t length, const uint8_t *digest, + mp_limb_t *rp, mp_limb_t *sp, + mp_limb_t *scratch) +{ +#define P scratch +#define hp (scratch + 4*ecc->p.size) +#define tp (scratch + 2*ecc->p.size) +#define t2pscratch + /* Procedure, according to GOST 34.10. q denotes the group + order. + + 1. 
k <-- uniformly random, 0 < k < q + + 2. C <-- (c_x, c_y) = k g + + 3. r <-- c_x mod q + + 4. s <-- (r*z + k*
[PATCH v3 3/3] ecc: rename functions to contain curve names instead of bits
From: Dmitry Eremin-Solenikov Rename curve functions to use curve names instead of just bits. Otherwise function names can easily become confusing after adding other curves. Signed-off-by: Dmitry Eremin-Solenikov --- arm/ecc-secp192r1-modp.asm | 6 +++--- arm/ecc-secp224r1-modp.asm | 6 +++--- arm/ecc-secp256r1-redc.asm | 6 +++--- arm/ecc-secp384r1-modp.asm | 6 +++--- arm/ecc-secp521r1-modp.asm | 6 +++--- configure.ac | 22 +++--- ecc-curve25519.c | 34 +- ecc-curve448.c | 34 +- ecc-secp192r1.c| 16 ecc-secp224r1.c| 16 ecc-secp256r1.c| 32 ecc-secp384r1.c| 16 ecc-secp521r1.c| 12 ++-- eddsa-sign.c | 2 +- x86_64/ecc-curve25519-modp.asm | 4 ++-- x86_64/ecc-secp192r1-modp.asm | 6 +++--- x86_64/ecc-secp224r1-modp.asm | 6 +++--- x86_64/ecc-secp256r1-redc.asm | 4 ++-- x86_64/ecc-secp384r1-modp.asm | 4 ++-- x86_64/ecc-secp521r1-modp.asm | 4 ++-- 20 files changed, 121 insertions(+), 121 deletions(-) diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm index 4680336f1bc7..4c596a168b3d 100644 --- a/arm/ecc-secp192r1-modp.asm +++ b/arm/ecc-secp192r1-modp.asm @@ -49,11 +49,11 @@ define(, ) define(, ) define(, ) - C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_192_modp) +PROLOGUE(_nettle_ecc_secp192r1_modp) push{r4,r5,r6,r7,r8,r10} C Reduce two words at a time add HP, RP, #48 @@ -103,4 +103,4 @@ PROLOGUE(_nettle_ecc_192_modp) pop {r4,r5,r6,r7,r8,r10} bx lr -EPILOGUE(_nettle_ecc_192_modp) +EPILOGUE(_nettle_ecc_secp192r1_modp) diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm index 400b7a815c2c..67089a0c2981 100644 --- a/arm/ecc-secp224r1-modp.asm +++ b/arm/ecc-secp224r1-modp.asm 
@@ -48,11 +48,11 @@ define(, ) define(, ) define(, ) - C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_224_modp) +PROLOGUE(_nettle_ecc_secp224r1_modp) push{r4,r5,r6,r7,r8,r10,r11,lr} add L2, RP, #28 @@ -121,4 +121,4 @@ PROLOGUE(_nettle_ecc_224_modp) stmdb RP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(_nettle_ecc_224_modp) +EPILOGUE(_nettle_ecc_secp224r1_modp) diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm index 7b117de43fbc..f8386c39c9a6 100644 --- a/arm/ecc-secp256r1-redc.asm +++ b/arm/ecc-secp256r1-redc.asm @@ -48,11 +48,11 @@ define(, ) define(, ) define(, ) - C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_256_redc) +PROLOGUE(_nettle_ecc_secp256r1_redc) push{r4,r5,r6,r7,r8,r10,r11,lr} ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7} @@ -170,4 +170,4 @@ PROLOGUE(_nettle_ecc_256_redc) stm RP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(_nettle_ecc_256_redc) +EPILOGUE(_nettle_ecc_secp256r1_redc) diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm index dd9a325b09de..1983ee68cdd4 100644 --- a/arm/ecc-secp384r1-modp.asm +++ b/arm/ecc-secp384r1-modp.asm @@ -46,11 +46,11 @@ define(, ) define(, ) define(, ) - C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_384_modp) +PROLOGUE(_nettle_ecc_secp384r1_modp) push{r4,r5,r6,r7,r8,r10,lr} add RP, RP, #80 @@ -267,4 +267,4 @@ PROLOGUE(_nettle_ecc_384_modp) adcsT3, T3, H stm RP!, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,pc} -EPILOGUE(_nettle_ecc_384_modp) +EPILOGUE(_nettle_ecc_secp384r1_modp) diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm index f11967634689..6d1759ec8a2a 100644 
--- a/arm/ecc-secp521r1-modp.asm +++ b/arm/ecc-secp521r1-modp.asm @@ -45,14 +45,14 @@ define(, ) define(, ) define(, ) - C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .Lc511: .int 511 .align 2 -PROLOGUE(_nettle_ecc_521_modp) +PROLOGUE(_nettle_ecc_secp521r1_modp) push{r4,r5,r6,r7,r8,lr} C Use that B^17 = 2^23 (mod p) @@ -124,4 +124,4 @@ PROLOGUE(_nettle_ecc_521_modp)
[PATCH v3 2/3] ecc: prefix optimized ECC function names with underscore
From: Dmitry Eremin-Solenikov There is no need to keep optimized ECC functions in public namespace (nettle_*), move them to internal namespace (_nettle_*). Signed-off-by: Dmitry Eremin-Solenikov --- arm/ecc-secp192r1-modp.asm | 4 ++-- arm/ecc-secp224r1-modp.asm | 4 ++-- arm/ecc-secp256r1-redc.asm | 4 ++-- arm/ecc-secp384r1-modp.asm | 4 ++-- arm/ecc-secp521r1-modp.asm | 4 ++-- ecc-curve25519.c | 2 +- ecc-curve448.c | 2 +- ecc-secp192r1.c| 2 +- ecc-secp224r1.c| 2 +- ecc-secp256r1.c| 2 +- ecc-secp384r1.c| 2 +- ecc-secp521r1.c| 2 +- x86_64/ecc-curve25519-modp.asm | 4 ++-- x86_64/ecc-curve448-modp.asm | 4 ++-- x86_64/ecc-secp192r1-modp.asm | 4 ++-- x86_64/ecc-secp224r1-modp.asm | 4 ++-- x86_64/ecc-secp256r1-redc.asm | 4 ++-- x86_64/ecc-secp384r1-modp.asm | 4 ++-- x86_64/ecc-secp521r1-modp.asm | 4 ++-- 19 files changed, 31 insertions(+), 31 deletions(-) diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm index dbaae2e38922..4680336f1bc7 100644 --- a/arm/ecc-secp192r1-modp.asm +++ b/arm/ecc-secp192r1-modp.asm @@ -53,7 +53,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_192_modp) +PROLOGUE(_nettle_ecc_192_modp) push{r4,r5,r6,r7,r8,r10} C Reduce two words at a time add HP, RP, #48 @@ -103,4 +103,4 @@ PROLOGUE(nettle_ecc_192_modp) pop {r4,r5,r6,r7,r8,r10} bx lr -EPILOGUE(nettle_ecc_192_modp) +EPILOGUE(_nettle_ecc_192_modp) diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm index 2c86755a7c9a..400b7a815c2c 100644 --- a/arm/ecc-secp224r1-modp.asm +++ b/arm/ecc-secp224r1-modp.asm @@ -52,7 +52,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_224_modp) +PROLOGUE(_nettle_ecc_224_modp) push{r4,r5,r6,r7,r8,r10,r11,lr} add L2, RP, #28 @@ -121,4 +121,4 @@ PROLOGUE(nettle_ecc_224_modp) stmdb RP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(nettle_ecc_224_modp) +EPILOGUE(_nettle_ecc_224_modp) diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm index 9c20062a44e4..7b117de43fbc 100644 
--- a/arm/ecc-secp256r1-redc.asm +++ b/arm/ecc-secp256r1-redc.asm @@ -52,7 +52,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_256_redc) +PROLOGUE(_nettle_ecc_256_redc) push{r4,r5,r6,r7,r8,r10,r11,lr} ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7} @@ -170,4 +170,4 @@ PROLOGUE(nettle_ecc_256_redc) stm RP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(nettle_ecc_256_redc) +EPILOGUE(_nettle_ecc_256_redc) diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm index dbedbdf8d32e..dd9a325b09de 100644 --- a/arm/ecc-secp384r1-modp.asm +++ b/arm/ecc-secp384r1-modp.asm @@ -50,7 +50,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_384_modp) +PROLOGUE(_nettle_ecc_384_modp) push{r4,r5,r6,r7,r8,r10,lr} add RP, RP, #80 @@ -267,4 +267,4 @@ PROLOGUE(nettle_ecc_384_modp) adcsT3, T3, H stm RP!, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,pc} -EPILOGUE(nettle_ecc_384_modp) +EPILOGUE(_nettle_ecc_384_modp) diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm index 2b4f79192a2e..f11967634689 100644 --- a/arm/ecc-secp521r1-modp.asm +++ b/arm/ecc-secp521r1-modp.asm @@ -52,7 +52,7 @@ define(, ) .align 2 -PROLOGUE(nettle_ecc_521_modp) +PROLOGUE(_nettle_ecc_521_modp) push{r4,r5,r6,r7,r8,lr} C Use that B^17 = 2^23 (mod p) @@ -124,4 +124,4 @@ PROLOGUE(nettle_ecc_521_modp) stm RP, {T0,T1,T2,F0,F1,F2,F3,H}C 9-16 pop {r4,r5,r6,r7,r8,pc} -EPILOGUE(nettle_ecc_521_modp) +EPILOGUE(_nettle_ecc_521_modp) diff --git a/ecc-curve25519.c b/ecc-curve25519.c index 73d72765dce8..65843a57ee5a 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -48,7 +48,7 @@ #if HAVE_NATIVE_ecc_25519_modp -#define ecc_25519_modp nettle_ecc_25519_modp +#define ecc_25519_modp _nettle_ecc_25519_modp void ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp); #else diff --git a/ecc-curve448.c b/ecc-curve448.c index 7020e3e8f6aa..981dc53f279e 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c 
@@ -46,7 +46,7 @@ #include "ecc-curve448.h" #if HAVE_NATIVE_ecc_curve448_modp -#define ecc_448_modp nettle_ecc_curve448_modp +#define ecc_448_modp _nettle_ecc_curve448_modp void ecc_448_modp (const struct ecc_modulo *m, mp_limb_t *rp); #elif GMP_NUMB_BITS == 64 diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c index 858a1b7554ce..15f5f1fa4c04 100644 --- a/ecc-secp192r1.c +++ b/ecc-secp192r1.c @@ -50,7 +50,7 @@ #if HAVE_NATIVE_ecc_192_modp -#define ecc_192_modp nettle_ecc_192_modp +#define ecc_192_modp _nettle_ecc_192_modp void ecc_192_modp (const struct ecc_modul
[PATCH v3 1/3] ecc: rename source files with curves data
From: Dmitry Eremin-Solenikov In preparation to adding GOST curves support, rename source files and use curve name as eccdata parameter. 
Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore| 14 ++--- Makefile.in | 54 - ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 4 +- ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 4 +- ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 4 +- ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 4 +- ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 4 +- configure.ac | 6 +- ecc-25519.c => ecc-curve25519.c | 4 +- ecc-448.c => ecc-curve448.c | 4 +- ecc-192.c => ecc-secp192r1.c | 4 +- ecc-224.c => ecc-secp224r1.c | 4 +- ecc-256.c => ecc-secp256r1.c | 4 +- ecc-384.c => ecc-secp384r1.c | 4 +- ecc-521.c => ecc-secp521r1.c | 4 +- eccdata.c | 58 +++ ...25519-modp.asm => ecc-curve25519-modp.asm} | 0 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 4 +- ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 4 +- ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 4 +- ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 4 +- ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 4 +- 22 files changed, 105 insertions(+), 95 deletions(-) rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (97%) rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%) rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (98%) rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%) rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%) rename ecc-25519.c => ecc-curve25519.c (99%) rename ecc-448.c => ecc-curve448.c (99%) rename ecc-192.c => ecc-secp192r1.c (98%) rename ecc-224.c => ecc-secp224r1.c (98%) rename ecc-256.c => ecc-secp256r1.c (99%) rename ecc-384.c => ecc-secp384r1.c (99%) rename ecc-521.c => ecc-secp521r1.c (98%) rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%) rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (96%) rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%) rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (97%) rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%) rename x86_64/{ecc-521-modp.asm => 
ecc-secp521r1-modp.asm} (97%) diff --git a/.gitignore b/.gitignore index 0afe61de3826..ea264107fa40 100644 --- a/.gitignore +++ b/.gitignore @@ -43,13 +43,13 @@ core /keymap.h /parity.h /rotors.h -/ecc-192.h -/ecc-224.h -/ecc-256.h -/ecc-384.h -/ecc-521.h -/ecc-25519.h -/ecc-448.h +/ecc-curve25519.h +/ecc-curve448.h +/ecc-secp192r1.h +/ecc-secp224r1.h +/ecc-secp256r1.h +/ecc-secp384r1.h +/ecc-secp521r1.h /version.h /nettle.aux /nettle.cp diff --git a/Makefile.in b/Makefile.in index e0c9f5f7de66..38160bb40fe1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -175,8 +175,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ - ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c ecc-448.c \ + ecc-curve25519.c ecc-curve448.c \ + ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ + ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ 
@@ -350,24 +351,24 @@ des.$(OBJEXT): des.c des.h $(des_headers) # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB -ecc-192.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp192r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB -ecc-224.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp224r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB -ecc-256.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ec
[PATCH v3 0/3] ecc: rename to contain full curve name
Next iteration of renaming patchset. The only change since v2 is rebasing on top of current master to fix conflicts due to ed448 addition. -- With best wishes Dmitry ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH v2 3/3] ecc: rename functions to contain curve names instead of bits
From: Dmitry Eremin-Solenikov Rename curve functions to use curve names instead of just bits. Otherwise function names can easily become confusing after adding other curves. Signed-off-by: Dmitry Eremin-Solenikov --- arm/ecc-secp192r1-modp.asm | 6 +++--- arm/ecc-secp224r1-modp.asm | 6 +++--- arm/ecc-secp256r1-redc.asm | 6 +++--- arm/ecc-secp384r1-modp.asm | 6 +++--- arm/ecc-secp521r1-modp.asm | 6 +++--- configure.ac | 22 +++--- ecc-curve25519.c | 34 +- ecc-curve448.c | 24 ecc-secp192r1.c| 16 ecc-secp224r1.c| 16 ecc-secp256r1.c| 32 ecc-secp384r1.c| 16 ecc-secp521r1.c| 12 ++-- eddsa-sign.c | 2 +- x86_64/ecc-curve25519-modp.asm | 4 ++-- x86_64/ecc-secp192r1-modp.asm | 6 +++--- x86_64/ecc-secp224r1-modp.asm | 6 +++--- x86_64/ecc-secp256r1-redc.asm | 4 ++-- x86_64/ecc-secp384r1-modp.asm | 4 ++-- x86_64/ecc-secp521r1-modp.asm | 4 ++-- 20 files changed, 116 insertions(+), 116 deletions(-) diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm index 4680336f1bc7..4c596a168b3d 100644 --- a/arm/ecc-secp192r1-modp.asm +++ b/arm/ecc-secp192r1-modp.asm @@ -49,11 +49,11 @@ define(, ) define(, ) define(, ) - C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_192_modp) +PROLOGUE(_nettle_ecc_secp192r1_modp) push{r4,r5,r6,r7,r8,r10} C Reduce two words at a time add HP, RP, #48 @@ -103,4 +103,4 @@ PROLOGUE(_nettle_ecc_192_modp) pop {r4,r5,r6,r7,r8,r10} bx lr -EPILOGUE(_nettle_ecc_192_modp) +EPILOGUE(_nettle_ecc_secp192r1_modp) diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm index 400b7a815c2c..67089a0c2981 100644 --- a/arm/ecc-secp224r1-modp.asm +++ b/arm/ecc-secp224r1-modp.asm 
@@ -48,11 +48,11 @@ define(, ) define(, ) define(, ) - C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_224_modp) +PROLOGUE(_nettle_ecc_secp224r1_modp) push{r4,r5,r6,r7,r8,r10,r11,lr} add L2, RP, #28 @@ -121,4 +121,4 @@ PROLOGUE(_nettle_ecc_224_modp) stmdb RP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(_nettle_ecc_224_modp) +EPILOGUE(_nettle_ecc_secp224r1_modp) diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm index 7b117de43fbc..f8386c39c9a6 100644 --- a/arm/ecc-secp256r1-redc.asm +++ b/arm/ecc-secp256r1-redc.asm @@ -48,11 +48,11 @@ define(, ) define(, ) define(, ) - C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_256_redc) +PROLOGUE(_nettle_ecc_secp256r1_redc) push{r4,r5,r6,r7,r8,r10,r11,lr} ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7} @@ -170,4 +170,4 @@ PROLOGUE(_nettle_ecc_256_redc) stm RP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(_nettle_ecc_256_redc) +EPILOGUE(_nettle_ecc_secp256r1_redc) diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm index dd9a325b09de..1983ee68cdd4 100644 --- a/arm/ecc-secp384r1-modp.asm +++ b/arm/ecc-secp384r1-modp.asm @@ -46,11 +46,11 @@ define(, ) define(, ) define(, ) - C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_384_modp) +PROLOGUE(_nettle_ecc_secp384r1_modp) push{r4,r5,r6,r7,r8,r10,lr} add RP, RP, #80 @@ -267,4 +267,4 @@ PROLOGUE(_nettle_ecc_384_modp) adcsT3, T3, H stm RP!, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,pc} -EPILOGUE(_nettle_ecc_384_modp) +EPILOGUE(_nettle_ecc_secp384r1_modp) diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm index f11967634689..6d1759ec8a2a 100644 
--- a/arm/ecc-secp521r1-modp.asm +++ b/arm/ecc-secp521r1-modp.asm @@ -45,14 +45,14 @@ define(, ) define(, ) define(, ) - C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .Lc511: .int 511 .align 2 -PROLOGUE(_nettle_ecc_521_modp) +PROLOGUE(_nettle_ecc_secp521r1_modp) push{r4,r5,r6,r7,r8,lr} C Use that B^17 = 2^23 (mod p) @@ -124,4 +124,4 @@ PROLOGUE(_nettle_ecc_521_modp) stm R
[PATCH v2 1/3] ecc: rename source files with curves data
From: Dmitry Eremin-Solenikov In preparation for adding GOST curve support, rename the source files and use the curve name as the eccdata parameter.
Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore| 14 ++--- Makefile.in | 54 - ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 4 +- ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 4 +- ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 4 +- ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 4 +- ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 4 +- configure.ac | 6 +- ecc-25519.c => ecc-curve25519.c | 4 +- ecc-448.c => ecc-curve448.c | 4 +- ecc-192.c => ecc-secp192r1.c | 4 +- ecc-224.c => ecc-secp224r1.c | 4 +- ecc-256.c => ecc-secp256r1.c | 4 +- ecc-384.c => ecc-secp384r1.c | 4 +- ecc-521.c => ecc-secp521r1.c | 4 +- eccdata.c | 58 +++ ...25519-modp.asm => ecc-curve25519-modp.asm} | 0 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 4 +- ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 4 +- ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 4 +- ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 4 +- ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 4 +- 22 files changed, 105 insertions(+), 95 deletions(-) rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (97%) rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%) rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (98%) rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%) rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%) rename ecc-25519.c => ecc-curve25519.c (99%) rename ecc-448.c => ecc-curve448.c (99%) rename ecc-192.c => ecc-secp192r1.c (98%) rename ecc-224.c => ecc-secp224r1.c (98%) rename ecc-256.c => ecc-secp256r1.c (99%) rename ecc-384.c => ecc-secp384r1.c (99%) rename ecc-521.c => ecc-secp521r1.c (98%) rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%) rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (96%) rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%) rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (97%) rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%) rename x86_64/{ecc-521-modp.asm => 
ecc-secp521r1-modp.asm} (97%) diff --git a/.gitignore b/.gitignore index 0afe61de3826..ea264107fa40 100644 --- a/.gitignore +++ b/.gitignore @@ -43,13 +43,13 @@ core /keymap.h /parity.h /rotors.h -/ecc-192.h -/ecc-224.h -/ecc-256.h -/ecc-384.h -/ecc-521.h -/ecc-25519.h -/ecc-448.h +/ecc-curve25519.h +/ecc-curve448.h +/ecc-secp192r1.h +/ecc-secp224r1.h +/ecc-secp256r1.h +/ecc-secp384r1.h +/ecc-secp521r1.h /version.h /nettle.aux /nettle.cp diff --git a/Makefile.in b/Makefile.in index 8d06149ff5fb..28b7cfcebcdb 100644 --- a/Makefile.in +++ b/Makefile.in @@ -174,8 +174,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ - ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c ecc-448.c \ + ecc-curve25519.c ecc-curve448.c \ + ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ + ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ 
@@ -346,24 +347,24 @@ des.$(OBJEXT): des.c des.h $(des_headers) # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB -ecc-192.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp192r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB -ecc-224.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp224r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB -ecc-256.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ec
[PATCH v2 2/3] ecc: prefix optimized ECC function names with underscore
From: Dmitry Eremin-Solenikov There is no need to keep optimized ECC functions in public namespace (nettle_*), move them to internal namespace (_nettle_*). Signed-off-by: Dmitry Eremin-Solenikov --- arm/ecc-secp192r1-modp.asm | 4 ++-- arm/ecc-secp224r1-modp.asm | 4 ++-- arm/ecc-secp256r1-redc.asm | 4 ++-- arm/ecc-secp384r1-modp.asm | 4 ++-- arm/ecc-secp521r1-modp.asm | 4 ++-- ecc-curve25519.c | 2 +- ecc-curve448.c | 2 +- ecc-secp192r1.c| 2 +- ecc-secp224r1.c| 2 +- ecc-secp256r1.c| 2 +- ecc-secp384r1.c| 2 +- ecc-secp521r1.c| 2 +- x86_64/ecc-curve25519-modp.asm | 4 ++-- x86_64/ecc-curve448-modp.asm | 4 ++-- x86_64/ecc-secp192r1-modp.asm | 4 ++-- x86_64/ecc-secp224r1-modp.asm | 4 ++-- x86_64/ecc-secp256r1-redc.asm | 4 ++-- x86_64/ecc-secp384r1-modp.asm | 4 ++-- x86_64/ecc-secp521r1-modp.asm | 4 ++-- 19 files changed, 31 insertions(+), 31 deletions(-) diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm index dbaae2e38922..4680336f1bc7 100644 --- a/arm/ecc-secp192r1-modp.asm +++ b/arm/ecc-secp192r1-modp.asm @@ -53,7 +53,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_192_modp) +PROLOGUE(_nettle_ecc_192_modp) push{r4,r5,r6,r7,r8,r10} C Reduce two words at a time add HP, RP, #48 @@ -103,4 +103,4 @@ PROLOGUE(nettle_ecc_192_modp) pop {r4,r5,r6,r7,r8,r10} bx lr -EPILOGUE(nettle_ecc_192_modp) +EPILOGUE(_nettle_ecc_192_modp) diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm index 2c86755a7c9a..400b7a815c2c 100644 --- a/arm/ecc-secp224r1-modp.asm +++ b/arm/ecc-secp224r1-modp.asm @@ -52,7 +52,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_224_modp) +PROLOGUE(_nettle_ecc_224_modp) push{r4,r5,r6,r7,r8,r10,r11,lr} add L2, RP, #28 @@ -121,4 +121,4 @@ PROLOGUE(nettle_ecc_224_modp) stmdb RP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(nettle_ecc_224_modp) +EPILOGUE(_nettle_ecc_224_modp) diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm index 9c20062a44e4..7b117de43fbc 100644 
--- a/arm/ecc-secp256r1-redc.asm +++ b/arm/ecc-secp256r1-redc.asm @@ -52,7 +52,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_256_redc) +PROLOGUE(_nettle_ecc_256_redc) push{r4,r5,r6,r7,r8,r10,r11,lr} ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7} @@ -170,4 +170,4 @@ PROLOGUE(nettle_ecc_256_redc) stm RP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(nettle_ecc_256_redc) +EPILOGUE(_nettle_ecc_256_redc) diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm index dbedbdf8d32e..dd9a325b09de 100644 --- a/arm/ecc-secp384r1-modp.asm +++ b/arm/ecc-secp384r1-modp.asm @@ -50,7 +50,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_384_modp) +PROLOGUE(_nettle_ecc_384_modp) push{r4,r5,r6,r7,r8,r10,lr} add RP, RP, #80 @@ -267,4 +267,4 @@ PROLOGUE(nettle_ecc_384_modp) adcsT3, T3, H stm RP!, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,pc} -EPILOGUE(nettle_ecc_384_modp) +EPILOGUE(_nettle_ecc_384_modp) diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm index 2b4f79192a2e..f11967634689 100644 --- a/arm/ecc-secp521r1-modp.asm +++ b/arm/ecc-secp521r1-modp.asm @@ -52,7 +52,7 @@ define(, ) .align 2 -PROLOGUE(nettle_ecc_521_modp) +PROLOGUE(_nettle_ecc_521_modp) push{r4,r5,r6,r7,r8,lr} C Use that B^17 = 2^23 (mod p) @@ -124,4 +124,4 @@ PROLOGUE(nettle_ecc_521_modp) stm RP, {T0,T1,T2,F0,F1,F2,F3,H}C 9-16 pop {r4,r5,r6,r7,r8,pc} -EPILOGUE(nettle_ecc_521_modp) +EPILOGUE(_nettle_ecc_521_modp) diff --git a/ecc-curve25519.c b/ecc-curve25519.c index e6a1b325be66..1045db7092ae 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -48,7 +48,7 @@ #if HAVE_NATIVE_ecc_25519_modp -#define ecc_25519_modp nettle_ecc_25519_modp +#define ecc_25519_modp _nettle_ecc_25519_modp void ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp); #else diff --git a/ecc-curve448.c b/ecc-curve448.c index fce8b1ac0382..e1318ca4f01d 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c 
@@ -46,7 +46,7 @@ #include "ecc-curve448.h" #if HAVE_NATIVE_ecc_curve448_modp -#define ecc_448_modp nettle_ecc_curve448_modp +#define ecc_448_modp _nettle_ecc_curve448_modp void ecc_448_modp (const struct ecc_modulo *m, mp_limb_t *rp); #elif GMP_NUMB_BITS == 64 diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c index 858a1b7554ce..15f5f1fa4c04 100644 --- a/ecc-secp192r1.c +++ b/ecc-secp192r1.c @@ -50,7 +50,7 @@ #if HAVE_NATIVE_ecc_192_modp -#define ecc_192_modp nettle_ecc_192_modp +#define ecc_192_modp _nettle_ecc_192_modp void ecc_192_modp (const struct ecc_modul
[PATCH 2/3] ecc: prefix optimized ECC function names with underscore
From: Dmitry Eremin-Solenikov There is no need to keep optimized ECC functions in public namespace (nettle_*), move them to internal namespace (_nettle_*). Signed-off-by: Dmitry Eremin-Solenikov --- arm/ecc-secp192r1-modp.asm | 4 ++-- arm/ecc-secp224r1-modp.asm | 4 ++-- arm/ecc-secp256r1-redc.asm | 4 ++-- arm/ecc-secp384r1-modp.asm | 4 ++-- arm/ecc-secp521r1-modp.asm | 4 ++-- ecc-curve25519.c | 2 +- ecc-curve448.c | 2 +- ecc-secp192r1.c| 2 +- ecc-secp224r1.c| 2 +- ecc-secp256r1.c| 2 +- ecc-secp384r1.c| 2 +- ecc-secp521r1.c| 2 +- x86_64/ecc-curve25519-modp.asm | 4 ++-- x86_64/ecc-curve448-modp.asm | 4 ++-- x86_64/ecc-secp192r1-modp.asm | 4 ++-- x86_64/ecc-secp224r1-modp.asm | 4 ++-- x86_64/ecc-secp256r1-redc.asm | 4 ++-- x86_64/ecc-secp384r1-modp.asm | 4 ++-- x86_64/ecc-secp521r1-modp.asm | 4 ++-- 19 files changed, 31 insertions(+), 31 deletions(-) diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm index dbaae2e38922..4680336f1bc7 100644 --- a/arm/ecc-secp192r1-modp.asm +++ b/arm/ecc-secp192r1-modp.asm @@ -53,7 +53,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_192_modp) +PROLOGUE(_nettle_ecc_192_modp) push{r4,r5,r6,r7,r8,r10} C Reduce two words at a time add HP, RP, #48 @@ -103,4 +103,4 @@ PROLOGUE(nettle_ecc_192_modp) pop {r4,r5,r6,r7,r8,r10} bx lr -EPILOGUE(nettle_ecc_192_modp) +EPILOGUE(_nettle_ecc_192_modp) diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm index 2c86755a7c9a..400b7a815c2c 100644 --- a/arm/ecc-secp224r1-modp.asm +++ b/arm/ecc-secp224r1-modp.asm @@ -52,7 +52,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_224_modp) +PROLOGUE(_nettle_ecc_224_modp) push{r4,r5,r6,r7,r8,r10,r11,lr} add L2, RP, #28 @@ -121,4 +121,4 @@ PROLOGUE(nettle_ecc_224_modp) stmdb RP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(nettle_ecc_224_modp) +EPILOGUE(_nettle_ecc_224_modp) diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm index 9c20062a44e4..7b117de43fbc 100644 
--- a/arm/ecc-secp256r1-redc.asm +++ b/arm/ecc-secp256r1-redc.asm @@ -52,7 +52,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_256_redc) +PROLOGUE(_nettle_ecc_256_redc) push{r4,r5,r6,r7,r8,r10,r11,lr} ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7} @@ -170,4 +170,4 @@ PROLOGUE(nettle_ecc_256_redc) stm RP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(nettle_ecc_256_redc) +EPILOGUE(_nettle_ecc_256_redc) diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm index dbedbdf8d32e..dd9a325b09de 100644 --- a/arm/ecc-secp384r1-modp.asm +++ b/arm/ecc-secp384r1-modp.asm @@ -50,7 +50,7 @@ define(, ) .text .align 2 -PROLOGUE(nettle_ecc_384_modp) +PROLOGUE(_nettle_ecc_384_modp) push{r4,r5,r6,r7,r8,r10,lr} add RP, RP, #80 @@ -267,4 +267,4 @@ PROLOGUE(nettle_ecc_384_modp) adcsT3, T3, H stm RP!, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,pc} -EPILOGUE(nettle_ecc_384_modp) +EPILOGUE(_nettle_ecc_384_modp) diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm index 2b4f79192a2e..f11967634689 100644 --- a/arm/ecc-secp521r1-modp.asm +++ b/arm/ecc-secp521r1-modp.asm @@ -52,7 +52,7 @@ define(, ) .align 2 -PROLOGUE(nettle_ecc_521_modp) +PROLOGUE(_nettle_ecc_521_modp) push{r4,r5,r6,r7,r8,lr} C Use that B^17 = 2^23 (mod p) @@ -124,4 +124,4 @@ PROLOGUE(nettle_ecc_521_modp) stm RP, {T0,T1,T2,F0,F1,F2,F3,H}C 9-16 pop {r4,r5,r6,r7,r8,pc} -EPILOGUE(nettle_ecc_521_modp) +EPILOGUE(_nettle_ecc_521_modp) diff --git a/ecc-curve25519.c b/ecc-curve25519.c index e6a1b325be66..1045db7092ae 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -48,7 +48,7 @@ #if HAVE_NATIVE_ecc_25519_modp -#define ecc_25519_modp nettle_ecc_25519_modp +#define ecc_25519_modp _nettle_ecc_25519_modp void ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp); #else diff --git a/ecc-curve448.c b/ecc-curve448.c index fce8b1ac0382..e1318ca4f01d 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c 
@@ -46,7 +46,7 @@ #include "ecc-curve448.h" #if HAVE_NATIVE_ecc_curve448_modp -#define ecc_448_modp nettle_ecc_curve448_modp +#define ecc_448_modp _nettle_ecc_curve448_modp void ecc_448_modp (const struct ecc_modulo *m, mp_limb_t *rp); #elif GMP_NUMB_BITS == 64 diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c index 858a1b7554ce..15f5f1fa4c04 100644 --- a/ecc-secp192r1.c +++ b/ecc-secp192r1.c @@ -50,7 +50,7 @@ #if HAVE_NATIVE_ecc_192_modp -#define ecc_192_modp nettle_ecc_192_modp +#define ecc_192_modp _nettle_ecc_192_modp void ecc_192_modp (const struct ecc_modul
[PATCH 1/3] ecc: rename source files with curves data
From: Dmitry Eremin-Solenikov In preparation for adding GOST curve support, rename the source files and use the curve name as the eccdata parameter.
Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore| 14 ++--- Makefile.in | 54 - ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 4 +- ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 4 +- ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 4 +- ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 4 +- ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 4 +- configure.ac | 6 +- ecc-25519.c => ecc-curve25519.c | 4 +- ecc-448.c => ecc-curve448.c | 4 +- ecc-192.c => ecc-secp192r1.c | 4 +- ecc-224.c => ecc-secp224r1.c | 4 +- ecc-256.c => ecc-secp256r1.c | 4 +- ecc-384.c => ecc-secp384r1.c | 4 +- ecc-521.c => ecc-secp521r1.c | 4 +- eccdata.c | 58 +++ ...25519-modp.asm => ecc-curve25519-modp.asm} | 0 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 4 +- ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 4 +- ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 4 +- ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 4 +- ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 4 +- 22 files changed, 105 insertions(+), 95 deletions(-) rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (97%) rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%) rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (98%) rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%) rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%) rename ecc-25519.c => ecc-curve25519.c (99%) rename ecc-448.c => ecc-curve448.c (99%) rename ecc-192.c => ecc-secp192r1.c (98%) rename ecc-224.c => ecc-secp224r1.c (98%) rename ecc-256.c => ecc-secp256r1.c (99%) rename ecc-384.c => ecc-secp384r1.c (99%) rename ecc-521.c => ecc-secp521r1.c (98%) rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%) rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (96%) rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%) rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (97%) rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%) rename x86_64/{ecc-521-modp.asm => 
ecc-secp521r1-modp.asm} (97%) diff --git a/.gitignore b/.gitignore index 0afe61de3826..ea264107fa40 100644 --- a/.gitignore +++ b/.gitignore @@ -43,13 +43,13 @@ core /keymap.h /parity.h /rotors.h -/ecc-192.h -/ecc-224.h -/ecc-256.h -/ecc-384.h -/ecc-521.h -/ecc-25519.h -/ecc-448.h +/ecc-curve25519.h +/ecc-curve448.h +/ecc-secp192r1.h +/ecc-secp224r1.h +/ecc-secp256r1.h +/ecc-secp384r1.h +/ecc-secp521r1.h /version.h /nettle.aux /nettle.cp diff --git a/Makefile.in b/Makefile.in index 8d06149ff5fb..28b7cfcebcdb 100644 --- a/Makefile.in +++ b/Makefile.in @@ -174,8 +174,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ - ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c ecc-448.c \ + ecc-curve25519.c ecc-curve448.c \ + ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ + ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ 
@@ -346,24 +347,24 @@ des.$(OBJEXT): des.c des.h $(des_headers) # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB -ecc-192.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp192r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB -ecc-224.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp224r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB -ecc-256.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ec
[PATCH 3/3] ecc: rename functions to contain curve names instead of bits
From: Dmitry Eremin-Solenikov Rename curve functions to use curve names instead of just bits. Otherwise function names can easily become confusing after adding other curves. Signed-off-by: Dmitry Eremin-Solenikov --- arm/ecc-secp192r1-modp.asm | 6 +++--- arm/ecc-secp224r1-modp.asm | 6 +++--- arm/ecc-secp256r1-redc.asm | 6 +++--- arm/ecc-secp384r1-modp.asm | 6 +++--- arm/ecc-secp521r1-modp.asm | 6 +++--- configure.ac | 22 +++--- ecc-curve25519.c | 34 +- ecc-curve448.c | 24 ecc-secp192r1.c| 16 ecc-secp224r1.c| 16 ecc-secp256r1.c| 32 ecc-secp384r1.c| 16 ecc-secp521r1.c| 12 ++-- eddsa-sign.c | 2 +- x86_64/ecc-curve25519-modp.asm | 4 ++-- x86_64/ecc-secp192r1-modp.asm | 6 +++--- x86_64/ecc-secp224r1-modp.asm | 6 +++--- x86_64/ecc-secp256r1-redc.asm | 4 ++-- x86_64/ecc-secp384r1-modp.asm | 4 ++-- x86_64/ecc-secp521r1-modp.asm | 4 ++-- 20 files changed, 116 insertions(+), 116 deletions(-) diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm index 4680336f1bc7..4c596a168b3d 100644 --- a/arm/ecc-secp192r1-modp.asm +++ b/arm/ecc-secp192r1-modp.asm @@ -49,11 +49,11 @@ define(, ) define(, ) define(, ) - C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_192_modp) +PROLOGUE(_nettle_ecc_secp192r1_modp) push{r4,r5,r6,r7,r8,r10} C Reduce two words at a time add HP, RP, #48 @@ -103,4 +103,4 @@ PROLOGUE(_nettle_ecc_192_modp) pop {r4,r5,r6,r7,r8,r10} bx lr -EPILOGUE(_nettle_ecc_192_modp) +EPILOGUE(_nettle_ecc_secp192r1_modp) diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm index 400b7a815c2c..67089a0c2981 100644 --- a/arm/ecc-secp224r1-modp.asm +++ b/arm/ecc-secp224r1-modp.asm 
@@ -48,11 +48,11 @@ define(, ) define(, ) define(, ) - C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_224_modp) +PROLOGUE(_nettle_ecc_secp224r1_modp) push{r4,r5,r6,r7,r8,r10,r11,lr} add L2, RP, #28 @@ -121,4 +121,4 @@ PROLOGUE(_nettle_ecc_224_modp) stmdb RP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(_nettle_ecc_224_modp) +EPILOGUE(_nettle_ecc_secp224r1_modp) diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm index 7b117de43fbc..f8386c39c9a6 100644 --- a/arm/ecc-secp256r1-redc.asm +++ b/arm/ecc-secp256r1-redc.asm @@ -48,11 +48,11 @@ define(, ) define(, ) define(, ) - C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_256_redc) +PROLOGUE(_nettle_ecc_secp256r1_redc) push{r4,r5,r6,r7,r8,r10,r11,lr} ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7} @@ -170,4 +170,4 @@ PROLOGUE(_nettle_ecc_256_redc) stm RP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(_nettle_ecc_256_redc) +EPILOGUE(_nettle_ecc_secp256r1_redc) diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm index dd9a325b09de..1983ee68cdd4 100644 --- a/arm/ecc-secp384r1-modp.asm +++ b/arm/ecc-secp384r1-modp.asm @@ -46,11 +46,11 @@ define(, ) define(, ) define(, ) - C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 -PROLOGUE(_nettle_ecc_384_modp) +PROLOGUE(_nettle_ecc_secp384r1_modp) push{r4,r5,r6,r7,r8,r10,lr} add RP, RP, #80 @@ -267,4 +267,4 @@ PROLOGUE(_nettle_ecc_384_modp) adcsT3, T3, H stm RP!, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,pc} -EPILOGUE(_nettle_ecc_384_modp) +EPILOGUE(_nettle_ecc_secp384r1_modp) diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm index f11967634689..6d1759ec8a2a 100644 
--- a/arm/ecc-secp521r1-modp.asm +++ b/arm/ecc-secp521r1-modp.asm @@ -45,14 +45,14 @@ define(, ) define(, ) define(, ) - C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .Lc511: .int 511 .align 2 -PROLOGUE(_nettle_ecc_521_modp) +PROLOGUE(_nettle_ecc_secp521r1_modp) push{r4,r5,r6,r7,r8,lr} C Use that B^17 = 2^23 (mod p) @@ -124,4 +124,4 @@ PROLOGUE(_nettle_ecc_521_modp) stm R
[PATCH v2] ecc: rename source files with curves data
From: Dmitry Eremin-Solenikov In preparation for adding GOST curve support, rename the source files and use the curve name as the eccdata parameter.
Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore| 14 ++--- Makefile.in | 54 - ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 0 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 0 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 0 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 0 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 0 configure.ac | 5 +- ecc-25519.c => ecc-curve25519.c | 4 +- ecc-448.c => ecc-curve448.c | 4 +- ecc-192.c => ecc-secp192r1.c | 4 +- ecc-224.c => ecc-secp224r1.c | 4 +- ecc-256.c => ecc-secp256r1.c | 4 +- ecc-384.c => ecc-secp384r1.c | 4 +- ecc-521.c => ecc-secp521r1.c | 4 +- eccdata.c | 58 +++ ...25519-modp.asm => ecc-curve25519-modp.asm} | 0 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 0 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 0 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 0 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 0 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 0 22 files changed, 85 insertions(+), 74 deletions(-) rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%) rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%) rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%) rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%) rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%) rename ecc-25519.c => ecc-curve25519.c (99%) rename ecc-448.c => ecc-curve448.c (99%) rename ecc-192.c => ecc-secp192r1.c (98%) rename ecc-224.c => ecc-secp224r1.c (98%) rename ecc-256.c => ecc-secp256r1.c (99%) rename ecc-384.c => ecc-secp384r1.c (99%) rename ecc-521.c => ecc-secp521r1.c (98%) rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%) rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%) rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%) rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%) rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%) rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%) 
diff --git a/.gitignore b/.gitignore index 0afe61de3826..ea264107fa40 100644 --- a/.gitignore +++ b/.gitignore @@ -43,13 +43,13 @@ core /keymap.h /parity.h /rotors.h -/ecc-192.h -/ecc-224.h -/ecc-256.h -/ecc-384.h -/ecc-521.h -/ecc-25519.h -/ecc-448.h +/ecc-curve25519.h +/ecc-curve448.h +/ecc-secp192r1.h +/ecc-secp224r1.h +/ecc-secp256r1.h +/ecc-secp384r1.h +/ecc-secp521r1.h /version.h /nettle.aux /nettle.cp diff --git a/Makefile.in b/Makefile.in index 036a3a1d7f8b..333044a19705 100644 --- a/Makefile.in +++ b/Makefile.in @@ -174,8 +174,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ - ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c ecc-448.c \ + ecc-curve25519.c ecc-curve448.c \ + ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ + ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ 
@@ -346,24 +347,24 @@ des.$(OBJEXT): des.c des.h $(des_headers) # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB -ecc-192.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp192r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB -ecc-224.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp224r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB -ecc-256.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp256r1.h: eccdat
[RFC] ecc: switch away from affine points representation
From: Dmitry Eremin-Solenikov Use jacobian/harmonized representation in ecc_point structure. This is an RFC patch for now, j_to_a/eh_to_a are not modified to produce y coordinate only, more tests are necessary most probably. Signed-off-by: Dmitry Eremin-Solenikov --- ecc-a-to-j.c| 12 +++ ecc-ecdsa-sign.c| 2 +- ecc-ecdsa-verify.c | 4 ++-- ecc-eh-to-a.c | 17 --- ecc-internal.h | 20 ++--- ecc-j-to-a.c| 15 +++-- ecc-mul-a-eh.c | 13 +-- ecc-mul-a.c | 18 +++- ecc-point-mul-g.c | 8 +++ ecc-point-mul.c | 2 +- ecc-point.c | 36 +-- ecdsa-keygen.c | 7 +++--- eddsa-compress.c| 2 +- eddsa-decompress.c | 1 + eddsa-verify.c | 2 +- testsuite/ecc-add-test.c| 5 - testsuite/ecc-dup-test.c| 10 - testsuite/ecc-mul-a-test.c | 22 --- testsuite/ecc-mul-g-test.c | 4 ++-- testsuite/ecdsa-keygen-test.c | 38 ++--- testsuite/eddsa-compress-test.c | 8 +-- testsuite/eddsa-verify-test.c | 2 +- testsuite/testutils.c | 2 +- 23 files changed, 152 insertions(+), 98 deletions(-) diff --git a/ecc-a-to-j.c b/ecc-a-to-j.c index 9fb0d2b80c41..895502e0fe20 100644 --- a/ecc-a-to-j.c +++ b/ecc-a-to-j.c @@ -40,11 +40,12 @@ void ecc_a_to_j (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p) + mp_limb_t *r, const mpz_t x, const mpz_t y) { if (ecc->use_redc) { - mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size); + mpz_limbs_copy (r + ecc->p.size, x, ecc->p.size); + mpz_limbs_copy (r + 2 * ecc->p.size, y, ecc->p.size); mpn_zero (r, ecc->p.size); ecc->p.mod (&ecc->p, r); @@ -52,8 +53,11 @@ ecc_a_to_j (const struct ecc_curve *ecc, mpn_zero (r + ecc->p.size, ecc->p.size); ecc->p.mod (&ecc->p, r + ecc->p.size); } - else if (r != p) -mpn_copyi (r, p, 2*ecc->p.size); + else +{ + mpz_limbs_copy (r, x, ecc->p.size); + mpz_limbs_copy (r + ecc->p.size, y, ecc->p.size); +} mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size); } diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c index 3b9e9cc1a35d..87239b7cccb6 100644 --- a/ecc-ecdsa-sign.c +++ b/ecc-ecdsa-sign.c 
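Review bot: In the non-redc branch of ecc_a_to_j the new `mpz_limbs_copy (r, x, ecc->p.size)` / `mpz_limbs_copy (r + ecc->p.size, y, ecc->p.size)` pair copies the mpz_t coordinates straight into the Jacobian point, while only the use_redc branch runs `ecc->p.mod` on them; nothing in the hunk shows that x and y are already fully reduced modulo p. If that is guaranteed by the caller (presumably at point-set time, but that is outside this hunk), the precondition is worth stating on the function: `/* x and y must be fully reduced modulo p; only the redc path reduces here. */`. Dropping the old `r != p` aliasing guard looks correct now that the inputs are mpz_t rather than limb arrays that could alias r.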
@@ -80,7 +80,7 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size); /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); + ecc->h_to_a (ecc, 2, rp, NULL, P, P + 3*ecc->p.size); /* Invert k, uses 4 * ecc->p.size including scratch */ ecc->q.invert (&ecc->q, kinv, kp, tp); /* NOTE: Also clobbers hp */ diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c index d7f5b684841a..120b12965fd5 100644 --- a/ecc-ecdsa-verify.c +++ b/ecc-ecdsa-verify.c @@ -64,7 +64,7 @@ mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc) { /* Largest storage need is for the ecc->mul call. */ - return 5*ecc->p.size + ecc->mul_itch; + return 6*ecc->p.size + ecc->mul_itch; } /* FIXME: Use faster primitives, not requiring side-channel silence. */ @@ -145,7 +145,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size); } /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size); + ecc->h_to_a (ecc, 2, P2, NULL, P1, P1 + 3*ecc->p.size); return (mpn_cmp (rp, P2, ecc->p.size) == 0); #undef P2 diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c index 8173b887d59d..851dcb8d592a 100644 --- a/ecc-eh-to-a.c +++ b/ecc-eh-to-a.c @@ -43,7 +43,8 @@ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, -mp_limb_t *r, const mp_limb_t *p, +mp_limb_t *x, mp_limb_t *y, +const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch @@ -60,8 +61,8 @@ ecc_eh_to_a (const struct ecc_curve *ecc, ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); ecc_modp_mul (ecc, tp, xp, izp); - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, tp, ecc->p.size); + cy = mpn_sub_n (x, tp, ecc->p.m, ecc->p.size); + cnd_copy (cy, x, tp, ecc->p.size); if (op) { 
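Review bot: The new `ecc->h_to_a (ecc, 2, rp, NULL, P, P + 3*ecc->p.size)` calls in ecc_ecdsa_sign and ecc_ecdsa_verify pass NULL for the y output, so every h_to_a implementation must never touch y when op == 2; the visible ecc_eh_to_a hunks (new `mp_limb_t *x, mp_limb_t *y` parameters, x written via `mpn_sub_n`/`cnd_copy`) do not show such a guard, and the description says the y-only handling is not finished. The contract should be explicit at the ecc_eh_to_a signature, `/* y may be NULL when op == 2 (x coordinate only). */`, backed by `assert (y != NULL || op == 2);` at the top of the body, since the file already uses assert. The same applies to the j_to_a counterpart named in the description, which is not in this chunk. ecc_eh_to_a's body continues beyond these hunks.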
@@ -75,14 +76,14 @@ ecc_eh_to_a (const struct ecc_curve *ecc, unsigned shift; assert (ecc->p.bit_size == 255); shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size, -r[ecc->p.size-1] >> shift); + cy = mpn_submul_1 (x, ecc->q.m, ecc->p.size, +x[ecc->p.size-1] >> shift); assert (cy < 2); - cnd_add_n (cy, r, ecc->q.m, ecc->p.size); + cnd_add_n (cy, x, ec
[PATCH] ecc: rename source files with curves data
From: Dmitry Eremin-Solenikov In preparation to adding GOST curves support, rename source files and use curve name as eccdata parameter. 
Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore| 12 ++--- Makefile.in | 45 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 0 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 0 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 0 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 0 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 0 configure.ac | 5 +- ecc-25519.c => ecc-curve25519.c | 4 +- ecc-192.c => ecc-secp192r1.c | 4 +- ecc-224.c => ecc-secp224r1.c | 4 +- ecc-256.c => ecc-secp256r1.c | 4 +- ecc-384.c => ecc-secp384r1.c | 4 +- ecc-521.c => ecc-secp521r1.c | 4 +- eccdata.c | 51 +++ ...25519-modp.asm => ecc-curve25519-modp.asm} | 0 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 0 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 0 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 0 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 0 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 0 21 files changed, 74 insertions(+), 63 deletions(-) rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%) rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%) rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%) rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%) rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%) rename ecc-25519.c => ecc-curve25519.c (99%) rename ecc-192.c => ecc-secp192r1.c (98%) rename ecc-224.c => ecc-secp224r1.c (98%) rename ecc-256.c => ecc-secp256r1.c (99%) rename ecc-384.c => ecc-secp384r1.c (99%) rename ecc-521.c => ecc-secp521r1.c (98%) rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%) rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%) rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%) rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%) rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%) rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%) diff --git a/.gitignore b/.gitignore index b79c53f535ff..be10fbe959cc 100644 
--- a/.gitignore +++ b/.gitignore @@ -43,12 +43,12 @@ core /keymap.h /parity.h /rotors.h -/ecc-192.h -/ecc-224.h -/ecc-256.h -/ecc-384.h -/ecc-521.h -/ecc-25519.h +/ecc-curve25519.h +/ecc-secp192r1.h +/ecc-secp224r1.h +/ecc-secp256r1.h +/ecc-secp384r1.h +/ecc-secp521r1.h /version.h /nettle.aux /nettle.cp diff --git a/Makefile.in b/Makefile.in index 9f5b065a706a..89066ec6c3c2 100644 --- a/Makefile.in +++ b/Makefile.in @@ -174,8 +174,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ - ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c \ + ecc-curve25519.c ecc-secp192r1.c ecc-secp224r1.c \ + ecc-secp256r1.c ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ 
@@ -345,24 +345,24 @@ des.$(OBJEXT): des.c des.h $(des_headers) # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB -ecc-192.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp192r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB -ecc-224.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp224r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB -ecc-256.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp256r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp256r1 11 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 384: # k = 16, c = 6, S = 256, T = 80 ( 64
[PATCH 1/2] Implement GOST R 34.11-2012 (Streebog) hash function
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in |5 +- examples/nettle-benchmark.c |3 +- hmac-streebog.c | 73 ++ hmac.h | 33 + nettle-meta-hashes.c|2 + nettle-meta.h |2 + nettle.texinfo | 72 ++ streebog-meta.c | 44 ++ streebog.c | 1334 +++ streebog.h | 99 +++ testsuite/.gitignore|1 + testsuite/.test-rules.make |3 + testsuite/Makefile.in |1 + testsuite/hmac-test.c | 17 + testsuite/meta-hash-test.c |2 + testsuite/pbkdf2-test.c | 30 +- testsuite/streebog-test.c | 81 +++ 17 files changed, 1798 insertions(+), 4 deletions(-) create mode 100644 hmac-streebog.c create mode 100644 streebog-meta.c create mode 100644 streebog.c create mode 100644 streebog.h create mode 100644 testsuite/streebog-test.c diff --git a/Makefile.in b/Makefile.in index 9f5b065a706a..c578e2901aa7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -106,7 +106,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gost28147.c gosthash94.c gosthash94-meta.c \ hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \ hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \ -hmac-sha512.c \ +hmac-sha512.c hmac-streebog.c \ knuth-lfib.c hkdf.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-compress.c md5-compat.c md5-meta.c \ @@ -132,6 +132,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c\ serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \ serpent-meta.c \ +streebog.c streebog-meta.c \ twofish.c twofish-meta.c \ umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \ umac-poly64.c umac-poly128.c umac-set-key.c \ @@ -209,7 +210,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ pbkdf2.h \ pgp.h pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h \ salsa20.h sexp.h \ - serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \ + serpent.h sha.h sha1.h sha2.h sha3.h streebog.h twofish.h \ umac.h yarrow.h xts.h poly1305.h INSTALL_HEADERS = $(HEADERS) version.h @IF_MINI_GMP@ mini-gmp.h 
diff --git a/examples/nettle-benchmark.c b/examples/nettle-benchmark.c index 5d0e649ea726..ea52cb44becf 100644 --- a/examples/nettle-benchmark.c +++ b/examples/nettle-benchmark.c @@ -918,7 +918,8 @@ main(int argc, char **argv) &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, &nettle_ripemd160, &nettle_gosthash94, - &nettle_gosthash94cp, + &nettle_gosthash94cp, &nettle_streebog256, + &nettle_streebog512, NULL }; diff --git a/hmac-streebog.c b/hmac-streebog.c new file mode 100644 index ..8298364bfca9 --- /dev/null +++ b/hmac-streebog.c 
@@ -0,0 +1,73 @@ +/* hmac-streebog.c + + HMAC-Streebog message authentication code. + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "hmac.h" + +void +hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx, + size_t key_length, const uint8_t *key) +{ + HMAC_SET_KEY(ctx, &nettle_streebog512, key_length, key); +} + +void +hmac_streebog512_update(struct hmac_streebog512_ctx *ctx, + size_t length, const uint8_t *data) +{ + streebog512_update(&ctx->state, length, data); +} + +void +hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx, + size_t length, uint8_t *digest) +{ + HMAC_DIGEST(ctx, &nettle_streebog512, length, digest); +} + +void +hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx, +
[PATCH 2/2] Implement PBKDF2 shortcut function for Streebog256/512
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 2 +- pbkdf2-hmac-streebog.c | 67 + pbkdf2.h| 14 + testsuite/pbkdf2-test.c | 7 + 4 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 pbkdf2-hmac-streebog.c diff --git a/Makefile.in b/Makefile.in index c578e2901aa7..bcf97fcd5c8c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -115,7 +115,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ nettle-meta-aeads.c nettle-meta-armors.c \ nettle-meta-ciphers.c nettle-meta-hashes.c \ pbkdf2.c pbkdf2-hmac-gosthash94.c pbkdf2-hmac-sha1.c \ -pbkdf2-hmac-sha256.c \ +pbkdf2-hmac-sha256.c pbkdf2-hmac-streebog.c \ poly1305-aes.c poly1305-internal.c \ realloc.c \ ripemd160.c ripemd160-compress.c ripemd160-meta.c \ diff --git a/pbkdf2-hmac-streebog.c b/pbkdf2-hmac-streebog.c new file mode 100644 index ..cc286f8940ac --- /dev/null +++ b/pbkdf2-hmac-streebog.c 
@@ -0,0 +1,67 @@ +/* pbkdf2-hmac-streebog.c + + PKCS #5 PBKDF2 used with HMAC-STREEBOG. + + Copyright (C) 2016 Dmitry Eremin-Solenikov + Copyright (C) 2012 Simon Josefsson + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "pbkdf2.h" + +#include "hmac.h" + +void +pbkdf2_hmac_streebog256 (size_t key_length, const uint8_t *key, + unsigned iterations, + size_t salt_length, const uint8_t *salt, + size_t length, uint8_t *dst) +{ + struct hmac_streebog256_ctx streebog256ctx; + + hmac_streebog256_set_key (&streebog256ctx, key_length, key); + PBKDF2 (&streebog256ctx, hmac_streebog256_update, hmac_streebog256_digest, + STREEBOG256_DIGEST_SIZE, iterations, salt_length, salt, length, dst); +} + +void +pbkdf2_hmac_streebog512 (size_t key_length, const uint8_t *key, + unsigned iterations, + size_t salt_length, const uint8_t *salt, + size_t length, uint8_t *dst) +{ + struct hmac_streebog512_ctx streebog512ctx; + + hmac_streebog512_set_key (&streebog512ctx, key_length, key); + PBKDF2 (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, + STREEBOG512_DIGEST_SIZE, iterations, salt_length, salt, length, dst); +} diff --git a/pbkdf2.h b/pbkdf2.h index a36dfdbaa437..67583bce615a 100644 --- a/pbkdf2.h +++ b/pbkdf2.h @@ -46,6 +46,8 @@ extern "C" #define pbkdf2_hmac_sha1 nettle_pbkdf2_hmac_sha1 #define pbkdf2_hmac_sha256 nettle_pbkdf2_hmac_sha256 #define pbkdf2_hmac_gosthash94cp nettle_pbkdf2_hmac_gosthash94cp +#define pbkdf2_hmac_streebog256 nettle_pbkdf2_hmac_streebog256 +#define pbkdf2_hmac_streebog512 nettle_pbkdf2_hmac_streebog512 void pbkdf2 (void *mac_ctx, @@ -85,6 +87,18 @@ pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t *key, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); +void +pbkdf2_hmac_streebog256 (size_t key_length, const uint8_t *key, +unsigned iterations, +size_t salt_length, const uint8_t *salt, +size_t length, uint8_t *dst); + +void +pbkdf2_hmac_streebog512 (size_t key_length, const uint8_t *key, +unsigned iterations, +size_t salt_length, const uint8_t *salt, +size_t length, uint8_t *dst); + #ifdef __cplusplus } #endif 
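Review bot: Both new functions leave `streebog256ctx` / `streebog512ctx` — the HMAC inner and outer states keyed from the password — in stack memory after return, with no wipe. If the sibling `pbkdf2-hmac-*.c` shortcuts behave the same way this is consistent with the rest of the module, but a short comment saying so keeps the choice deliberate, e.g. `/* NOTE: the keyed HMAC context is not cleared on return, matching the other pbkdf2-hmac-* shortcuts. */`. Otherwise the hunk is a straight transcription of the existing shortcut pattern and the `PBKDF2` macro arguments line up with the 256/512 digest sizes.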
diff --git a/testsuite/pbkdf2-test.c b/testsuite/pbkdf2-test.c index 9e024e57b7f5..e76c82dc2b7e 100644 --- a/testsuite/pbkdf2-test.c +++ b/testsuite/pbkdf2-test.c @@ -157,9 +157,16 @@ test_main (void) STREEBOG512_DIGEST_SIZE, 4096, LDATA("sa\0lt"), SHEX("50df062885b69801a3c10248eb0a27ab6e522ffeb20c991c660f001475d73a4e167f782c18e97e92976d9c1d970831ea78ccb879f67068cdac
[PATCH 2/5] Add the rest of sboxes for GOST 28147
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- gost28147.c | 1602 +++ gost28147.h | 13 + 2 files changed, 1615 insertions(+) diff --git a/gost28147.c b/gost28147.c index 6ccdcb6a353c..9fe31043a3ff 100644 --- a/gost28147.c +++ b/gost28147.c 
@@ -573,6 +573,1608 @@ const struct gost28147_param gost28147_param_CryptoPro_3411 = } }; +const struct gost28147_param gost28147_param_Test_89 = +{ + { +{ /* 0 */ + 0x00062000, 0x00061000, 0x00067800, 0x00062800, + 0x00064800, 0x00060800, 0x0006, 0x00064000, + 0x00067000, 0x00061800, 0x00065800, 0x00066000, + 0x00066800, 0x00063800, 0x00065000, 0x00063000, + 0x0004a000, 0x00049000, 0x0004f800, 0x0004a800, + 0x0004c800, 0x00048800, 0x00048000, 0x0004c000, + 0x0004f000, 0x00049800, 0x0004d800, 0x0004e000, + 0x0004e800, 0x0004b800, 0x0004d000, 0x0004b000, + 0x0007a000, 0x00079000, 0x0007f800, 0x0007a800, + 0x0007c800, 0x00078800, 0x00078000, 0x0007c000, + 0x0007f000, 0x00079800, 0x0007d800, 0x0007e000, + 0x0007e800, 0x0007b800, 0x0007d000, 0x0007b000, + 0x00072000, 0x00071000, 0x00077800, 0x00072800, + 0x00074800, 0x00070800, 0x0007, 0x00074000, + 0x00077000, 0x00071800, 0x00075800, 0x00076000, + 0x00076800, 0x00073800, 0x00075000, 0x00073000, + 0x00042000, 0x00041000, 0x00047800, 0x00042800, + 0x00044800, 0x00040800, 0x0004, 0x00044000, + 0x00047000, 0x00041800, 0x00045800, 0x00046000, + 0x00046800, 0x00043800, 0x00045000, 0x00043000, + 0xa000, 0x9000, 0xf800, 0xa800, + 0xc800, 0x8800, 0x8000, 0xc000, + 0xf000, 0x9800, 0xd800, 0xe000, + 0xe800, 0xb800, 0xd000, 0xb000, + 0x0001a000, 0x00019000, 0x0001f800, 0x0001a800, + 0x0001c800, 0x00018800, 0x00018000, 0x0001c000, + 0x0001f000, 0x00019800, 0x0001d800, 0x0001e000, + 0x0001e800, 0x0001b800, 0x0001d000, 0x0001b000, + 0x00052000, 0x00051000, 0x00057800, 0x00052800, + 0x00054800, 0x00050800, 0x0005, 0x00054000, + 0x00057000, 0x00051800, 0x00055800, 0x00056000, + 0x00056800, 0x00053800, 0x00055000, 0x00053000, + 0x00012000, 0x00011000, 0x00017800, 0x00012800, + 0x00014800, 0x00010800, 0x0001, 0x00014000, + 0x00017000, 0x00011800, 0x00015800, 0x00016000, + 0x00016800, 0x00013800, 0x00015000, 0x00013000, + 0x0003a000, 0x00039000, 0x0003f800, 0x0003a800, + 0x0003c800, 0x00038800, 0x00038000, 0x0003c000, + 0x0003f000, 
0x00039800, 0x0003d800, 0x0003e000, + 0x0003e800, 0x0003b800, 0x0003d000, 0x0003b000, + 0x00022000, 0x00021000, 0x00027800, 0x00022800, + 0x00024800, 0x00020800, 0x0002, 0x00024000, + 0x00027000, 0x00021800, 0x00025800, 0x00026000, + 0x00026800, 0x00023800, 0x00025000, 0x00023000, + 0x0006a000, 0x00069000, 0x0006f800, 0x0006a800, + 0x0006c800, 0x00068800, 0x00068000, 0x0006c000, + 0x0006f000, 0x00069800, 0x0006d800, 0x0006e000, + 0x0006e800, 0x0006b800, 0x0006d000, 0x0006b000, + 0x00032000, 0x00031000, 0x00037800, 0x00032800, + 0x00034800, 0x00030800, 0x0003, 0x00034000, + 0x00037000, 0x00031800, 0x00035800, 0x00036000, + 0x00036800, 0x00033800, 0x00035000, 0x00033000, + 0x2000, 0x1000, 0x7800, 0x2800, + 0x4800, 0x0800, 0x, 0x4000, + 0x7000, 0x1800, 0x5800, 0x6000, + 0x6800, 0x3800, 0x5000, 0x3000, + 0x0005a000, 0x00059000, 0x0005f800, 0x0005a800, + 0x0005c800, 0x00058800, 0x00058000, 0x0005c000, + 0x0005f000, 0x00059800, 0x0005d800, 0x0005e000, + 0x0005e800, 0x0005b800, 0x0005d000, 0x0005b000, + 0x0002a000, 0x00029000, 0x0002f800, 0x0002a800, + 0x0002c800, 0x00028800, 0x00028000, 0x0002c000, + 0x0002f000, 0x00029800, 0x0002d800, 0x0002e000, + 0x0002e800, 0x0002b800, 0x0002d000, 0x0002b000, +}, { /* 1 */ + 0x0768, 0x0740, 0x0770, 0x0760, + 0x0738, 0x0718, 0x0748, 0x0750, + 0x0708, 0x0728, 0x0710, 0x0720, + 0x0730, 0x0778, 0x0700, 0x0758, + 0x04e8, 0x04c0, 0x04f0, 0x04e0, + 0x04b8, 0x0498, 0x04c8, 0x04d0, + 0x0488, 0x04a8, 0x0490, 0x04a0, + 0x04b0, 0x04f8, 0x0480, 0x04d8, + 0x05e8, 0x05c0, 0x05f0, 0x05e0, + 0x05b8, 0x0598, 0x05c8, 0x05d0, + 0x0588, 0x05a8, 0x0590, 0x05a0, + 0x05b0, 0x05f8, 0x0580, 0x05d8, + 0x0168, 0x0140, 0x0170, 0x0160, + 0x0138, 0x0118, 0x0148, 0x0150, + 0x0108, 0x0128, 0x0110, 0x0120, + 0x0130, 0x0178, 0x0100, 0x0158, + 0x02e8, 0x02c0, 0x02f0, 0x02e0, + 0x02b8, 0x029800
[PATCH 3/5] Add CFB mode support for GOST 28147-89
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- gost28147.c| 85 +++--- gost28147.h| 8 +++ testsuite/gost28147-test.c | 143 + 3 files changed, 228 insertions(+), 8 deletions(-) diff --git a/gost28147.c b/gost28147.c index 9fe31043a3ff..ac94dfaa2ed8 100644 --- a/gost28147.c +++ b/gost28147.c @@ -33,6 +33,7 @@ #endif #include +#include #include "macros.h" #include "gost28147.h" @@ -303,7 +304,8 @@ const struct gost28147_param gost28147_param_test_3411 = 0x0600, 0x0650, 0x0670, 0x0638, 0x0630, 0x0640, 0x0610, 0x0660, } - } + }, + 0 }; const struct gost28147_param gost28147_param_CryptoPro_3411 = @@ -570,7 +572,8 @@ const struct gost28147_param gost28147_param_CryptoPro_3411 = 0x0618, 0x0660, 0x0640, 0x0678, 0x0630, 0x0610, 0x0648, 0x0658, } - } + }, + 0 }; const struct gost28147_param gost28147_param_Test_89 = @@ -837,7 +840,8 @@ const struct gost28147_param gost28147_param_Test_89 = 0x0420, 0x0440, 0x0470, 0x0478, 0x0408, 0x0450, 0x0410, 0x0468, } - } + }, + 1 }; const struct gost28147_param gost28147_param_CryptoPro_A = @@ -1104,7 +1108,8 @@ const struct gost28147_param gost28147_param_CryptoPro_A = 0x0240, 0x0260, 0x0220, 0x0228, 0x0278, 0x0218, 0x0258, 0x0270, } - } + }, + 1 }; const struct gost28147_param gost28147_param_CryptoPro_B = @@ -1371,7 +1376,8 @@ const struct gost28147_param gost28147_param_CryptoPro_B = 0x0638, 0x0620, 0x0668, 0x0600, 0x0630, 0x0678, 0x0640, 0x0670, } - } + }, + 1 }; const struct gost28147_param gost28147_param_CryptoPro_C = @@ -1638,7 +1644,8 @@ const struct gost28147_param gost28147_param_CryptoPro_C = 0x0478, 0x0418, 0x0428, 0x0458, 0x0420, 0x0408, 0x0460, 0x0438, } - } + }, + 1 }; const struct gost28147_param gost28147_param_CryptoPro_D = @@ -1905,7 +1912,8 @@ const struct gost28147_param gost28147_param_CryptoPro_D = 0x0768, 0x0740, 0x0760, 0x0720, 0x0758, 0x0750, 0x0728, 0x0738, } - } + }, + 1 }; const struct gost28147_param gost28147_param_TC26_Z = 
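Review bot: The trailing `0` / `1` appended to each `gost28147_param` initializer (here for `gost28147_param_test_3411`, `gost28147_param_CryptoPro_3411`, `Test_89`, `CryptoPro_A`, `CryptoPro_B`, `CryptoPro_C` and `CryptoPro_D`) is a bare positional value for the new `key_meshing` member, so a reader has to open the header to learn what it toggles. A trailing comment on each, `1 /* key_meshing */`, or a designated initializer if the file already uses C99 initializers, would make the CryptoPro-only meshing behaviour visible where the tables are defined. The same applies to the `TC26_Z` hunk at the start of the next line.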
@@ -2172,7 +2180,8 @@ const struct gost28147_param gost28147_param_TC26_Z = 0x0178, 0x0120, 0x0158, 0x0100, 0x0168, 0x0150, 0x0118, 0x0138, } - } + }, + 1 }; /* @@ -2245,6 +2254,37 @@ void _gost28147_decrypt_block (const uint32_t *key, const uint32_t sbox[4][256], *out = l, *(out + 1) = r; } +static const uint32_t gost28147_key_mesh_cryptopro_data[GOST28147_KEY_SIZE / 4] = { + 0x22720069, 0x2304c964, + 0x96db3a8d, 0xc42ae946, + 0x94acfe18, 0x1207ed00, + 0xc2dc86c0, 0x2ba94cef, +}; + +static void gost28147_key_mesh_cryptopro(struct gost28147_ctx *ctx) +{ + uint32_t newkey[GOST28147_KEY_SIZE/4]; + + _gost28147_decrypt_block(ctx->key, ctx->sbox, + &gost28147_key_mesh_cryptopro_data[0], + &newkey[0]); + + _gost28147_decrypt_block(ctx->key, ctx->sbox, + &gost28147_key_mesh_cryptopro_data[2], + &newkey[2]); + + _gost28147_decrypt_block(ctx->key, ctx->sbox, + &gost28147_key_mesh_cryptopro_data[4], + &newkey[4]); + + _gost28147_decrypt_block(ctx->key, ctx->sbox, + &gost28147_key_mesh_cryptopro_data[6], + &newkey[6]); + + memcpy(ctx->key, newkey, sizeof(newkey)); + ctx->key_count = 0; +} + void gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key) { @@ -2253,6 +2293,7 @@ gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key) assert(key); for (i = 0; i < 8; i++, key += 4) ctx->key[i] = LE_READ_UINT32(key); + ctx->key_count = 0; gost28147_set_param(ctx, &gost28147_param_TC26_Z); } @@ -2261,6 +2302,7 @@ gost28147_set_param(struct gost28147_ctx *ctx, const struct gost28147_param *par { assert(param); ctx->sbox = param->sbox; + ctx->key_meshing = param->key_meshing; } void 
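Review bot: `gost28147_key_mesh_cryptopro` leaves a copy of the new key in the local `newkey` array after the `memcpy` into `ctx->key`, with no explicit clearing of the stack copy. Decrypting straight into `ctx->key` is not an option because each `_gost28147_decrypt_block` call still reads the old key, so if the project has a wipe helper it belongs after the `memcpy`; otherwise a comment noting that the stack copy is left behind keeps the behaviour deliberate rather than accidental. The meshing interval is enforced by the callers (`key_count == 1024`) rather than here, so a comment on this function naming it, `/* CryptoPro key meshing: callers invoke this after every 1024 bytes of keystream/data */`, would help readers of this hunk.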
@@ -2302,3 +2344,30 @@ gost28147_decrypt(const struct gost28147_ctx *ctx, length -= GOST28147_BLOCK_SIZE; } } + +void +gost28147_encrypt_for_cfb(struct gost28147_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + uint32_t block[2]; + + assert(!(length % GOST28147_BLOCK_SIZE)); + + while (length) +{ + block[0] = LE_READ_UINT32(src); src += 4; + block[1] = LE_READ_UINT32(src); src += 4; + if (ctx->key_meshing && ctx->key_count == 1024) + { + gost28147_key_mesh_cryptopro(ctx); + _gost28147_encrypt_bloc
[PATCH 1/5] Add GOST 28147-89 ECB encryption and decryption support
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 3 +- gost28147-internal.h | 3 + gost28147-meta.c | 49 +++ gost28147.c | 85 + gost28147.h | 30 + nettle-meta-ciphers.c| 1 + nettle-meta.h| 2 + nettle.texinfo | 38 +++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 + testsuite/Makefile.in| 1 + testsuite/gost28147-test.c | 119 +++ testsuite/meta-cipher-test.c | 1 + 13 files changed, 335 insertions(+), 1 deletion(-) create mode 100644 gost28147-meta.c create mode 100644 testsuite/gost28147-test.c diff --git a/Makefile.in b/Makefile.in index 9f5b065a706a..c6e40a74ad4f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -103,7 +103,8 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \ -gost28147.c gosthash94.c gosthash94-meta.c \ +gost28147.c gost28147-meta.c \ +gosthash94.c gosthash94-meta.c \ hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \ hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \ hmac-sha512.c \ diff --git a/gost28147-internal.h b/gost28147-internal.h index 7f5c6f8c63c0..2c3f5857a8d4 100644 --- a/gost28147-internal.h +++ b/gost28147-internal.h @@ -35,8 +35,11 @@ #define NETTLE_GOST28147_INTERNAL_H_INCLUDED #define _gost28147_encrypt_block _nettle_gost28147_encrypt_block +#define _gost28147_decrypt_block _nettle_gost28147_decrypt_block void _gost28147_encrypt_block (const uint32_t *key, const uint32_t sbox[4][256], const uint32_t *in, uint32_t *out); +void _gost28147_decrypt_block (const uint32_t *key, const uint32_t sbox[4][256], + const uint32_t *in, uint32_t *out); #endif /* NETTLE_GOST28147_INTERNAL_H_INCLUDED */ diff --git a/gost28147-meta.c b/gost28147-meta.c new file mode 100644 index ..69e4d265e453 --- /dev/null +++ b/gost28147-meta.c 
@@ -0,0 +1,49 @@ +/* gost28147-meta.c + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "nettle-meta.h" + +#include "gost28147.h" + +const struct nettle_cipher nettle_gost28147 = + { "gost28147", sizeof(struct gost28147_ctx), +GOST28147_BLOCK_SIZE, GOST28147_KEY_SIZE, +(nettle_set_key_func *) gost28147_set_key, +(nettle_set_key_func *) gost28147_set_key, +(nettle_cipher_func *) gost28147_encrypt, +(nettle_cipher_func *) gost28147_decrypt + }; diff --git a/gost28147.c b/gost28147.c index 15d314c86c17..6ccdcb6a353c 100644 --- a/gost28147.c +++ b/gost28147.c @@ -32,6 +32,8 @@ #include "config.h" #endif +#include + #include "macros.h" #include "gost28147.h" #include "gost28147-internal.h" 
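Review bot: `nettle_gost28147` wires `gost28147_set_key` as both the encrypt and decrypt key setter, and that function (as shown in the gost28147.c hunks of the later patches on this page) also installs the default `gost28147_param_TC26_Z` S-box, so anything going through the generic `nettle_cipher` interface is locked to that parameter set with no way to reach `gost28147_set_param`. That is a reasonable choice but it is undocumented; a comment above the definition such as `/* Generic cipher interface; always uses the TC26_Z parameter set. */` would record it. The casts to `nettle_set_key_func *` / `nettle_cipher_func *` presumably follow the other *-meta.c files and need no change.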
@@ -615,3 +617,86 @@ void _gost28147_encrypt_block (const uint32_t *key, const uint32_t sbox[4][256], GOST_ENCRYPT_ROUND(l, r, key[1], key[0], sbox); *out = l, *(out + 1) = r; } + +void _gost28147_decrypt_block (const uint32_t *key, const uint32_t sbox[4][256], + const uint32_t *in, uint32_t *out) +{ + uint32_t l, r; + + r = in[0], l = in[1]; + GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox); + GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox); + GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox); + GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox); + GOST_ENCRYPT_ROUND(l, r, key[7], key[6], sbox); + GOST_ENCRYPT_ROUND(l, r, key[5], key[4], sbox); + GOST_ENCRYPT_ROUND(l, r, key[3], key[2], sbox); + GOST_ENCRYPT_ROUND(l, r, key[1], key[0], sbox); + GOST_ENCRYPT_ROUND(l, r, key[7], key[6], sbox
[PATCH 5/5] Add GOST 28147-89 IMIT support
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- gost28147.c| 107 +++-- gost28147.h| 47 testsuite/gost28147-test.c | 102 +++ 3 files changed, 253 insertions(+), 3 deletions(-) diff --git a/gost28147.c b/gost28147.c index f718a202a56b..c7f5f1413695 100644 --- a/gost28147.c +++ b/gost28147.c @@ -36,6 +36,7 @@ #include #include "macros.h" +#include "nettle-write.h" #include "gost28147.h" #include "gost28147-internal.h" #include "memxor.h" @@ -2286,15 +2287,21 @@ static void gost28147_key_mesh_cryptopro(struct gost28147_ctx *ctx) ctx->key_count = 0; } -void -gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key) +static void +_gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key) { unsigned i; - assert(key); for (i = 0; i < 8; i++, key += 4) ctx->key[i] = LE_READ_UINT32(key); ctx->key_count = 0; +} + +void +gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key) +{ + assert(key); + _gost28147_set_key(ctx, key); gost28147_set_param(ctx, &gost28147_param_TC26_Z); } 
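Review bot: The new static helper is named `_gost28147_set_key`, which puts it in the same `_gost28147_*` namespace that `gost28147-internal.h` uses for the exported-but-internal block functions (`_gost28147_encrypt_block`, remapped to `_nettle_*`); a leading-underscore name for a file-local function also brushes against the identifiers C reserves at file scope. A plain static name such as `gost28147_load_key` says the same thing without the ambiguity. Moving `assert(key)` to the public wrapper is fine, since the IMIT path in the next hunk adds its own assert before calling the helper.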
@@ -2457,3 +2464,97 @@ gost28147_cnt_crypt(struct gost28147_cnt_ctx *ctx, ctx->bytes = block_size - length; } } + +void +gost28147_imit_init(struct gost28147_imit_ctx *ctx) +{ + memset(ctx->state, 0, GOST28147_BLOCK_SIZE); + ctx->index = 0; + ctx->count = 0; + gost28147_set_param(&ctx->cctx, &gost28147_param_TC26_Z); /* Default */ +} + +void +gost28147_imit_set_key(struct gost28147_imit_ctx *ctx, + size_t length, + const uint8_t *key) +{ + assert(length == GOST28147_IMIT_KEY_SIZE); + assert(key); + + _gost28147_set_key(&ctx->cctx, key); + /* Do not reset param here */ +} + +void +gost28147_imit_set_nonce(struct gost28147_imit_ctx *ctx, const uint8_t *nonce) +{ + ctx->state[0] = LE_READ_UINT32(nonce + 0); + ctx->state[1] = LE_READ_UINT32(nonce + 4); +} + +void +gost28147_imit_set_param(struct gost28147_imit_ctx *ctx, +const struct gost28147_param *param) +{ + assert(param); + gost28147_set_param(&ctx->cctx, param); +} + +static void +gost28147_imit_compress(struct gost28147_imit_ctx *ctx, + const uint8_t *data) +{ + uint32_t l, r; + + if (ctx->cctx.key_meshing && ctx->cctx.key_count == 1024) +gost28147_key_mesh_cryptopro(&ctx->cctx); + + r = LE_READ_UINT32(data + 0) ^ ctx->state[0]; + l = LE_READ_UINT32(data + 4) ^ ctx->state[1]; + + GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[0], ctx->cctx.key[1], ctx->cctx.sbox); + GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[2], ctx->cctx.key[3], ctx->cctx.sbox); + GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[4], ctx->cctx.key[5], ctx->cctx.sbox); + GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[6], ctx->cctx.key[7], ctx->cctx.sbox); + GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[0], ctx->cctx.key[1], ctx->cctx.sbox); + GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[2], ctx->cctx.key[3], ctx->cctx.sbox); + GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[4], ctx->cctx.key[5], ctx->cctx.sbox); + GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[6], ctx->cctx.key[7], ctx->cctx.sbox); + + ctx->state[0] = r; + ctx->state[1] = l; + + ctx->cctx.key_count += 8; +} + +void 
+gost28147_imit_update(struct gost28147_imit_ctx *ctx, + size_t length, + const uint8_t *data) +{ + MD_UPDATE(ctx, length, data, gost28147_imit_compress, ctx->count++); +} + +void +gost28147_imit_digest(struct gost28147_imit_ctx *ctx, + size_t length, + uint8_t *digest) +{ + assert(length <= GOST28147_IMIT_DIGEST_SIZE); + const uint8_t zero[GOST28147_IMIT_BLOCK_SIZE] = { 0 }; + + if (ctx->index) +{ + assert(ctx->index < GOST28147_IMIT_BLOCK_SIZE); + gost28147_imit_update(ctx, GOST28147_IMIT_BLOCK_SIZE - ctx->index, zero); +} + + if (ctx->count == 1) +{ + gost28147_imit_update(ctx, GOST28147_IMIT_BLOCK_SIZE, zero); +} + + _nettle_write_le32(length, digest, ctx->state); + gost28147_imit_init(ctx); +} diff --git a/gost28147.h b/gost28147.h index 08189067983c..6d380dff190e 100644 --- a/gost28147.h +++ b/gost28147.h @@ -60,6 +60,13 @@ extern "C" { #define gost28147_cnt_set_iv nettle_gost28147_cnt_set_iv #define gost28147_cnt_crypt nettle_gost28147_cnt_crypt +#define gost28147_imit_init nettle_gost28147_imit_init +#define gost28147_imit_set_key nettle_gost28147_imit_set_key +#define gost28147_imit_set_nonce nettle_gost28147_imit_set_nonce +#define gost28147_imit_set_param nettle_gost28147_imit_set_param +#define gost28147_imit_update nettle_gost28147_imit_update +#define gost28147_imit_digest nettle_gost28147_imit_digest + #define GOST28147_KEY_SIZE 32 #define GOST28147_BLOCK_SIZE 8 @@ -126,6 +133,46 @@ void gost28147_cnt_crypt(struct gost28147_cnt_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *sr
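Review bot: `gost28147_imit_digest` finishes with `gost28147_imit_init(ctx)`, which resets the state, counters and the parameter set back to `gost28147_param_TC26_Z` but leaves `ctx->cctx.key` and `ctx->cctx.key_count` untouched, so a context configured with `gost28147_imit_set_param` silently reverts to the default S-box for the next message while keeping its key. Worse, if key meshing ran during the message (`gost28147_imit_compress` calls `gost28147_key_mesh_cryptopro`, which overwrites `ctx->cctx.key` in place), the next message starts from the meshed key rather than the one the caller set. Either restore from a saved copy of the original key and parameter set in the re-init, or document that `gost28147_imit_set_key` / `gost28147_imit_set_param` must be called again after each `digest`; at minimum the `/* Do not reset param here */` comment in `set_key` should mention that `digest` does reset it. The `const uint8_t zero[...]` declaration placed after `assert(...)` in `digest` is a mixed declaration/statement; moving it above the assert matches the declarations-first layout of the other functions in this hunk.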
[PATCH 4/5] Add special CNT mode for GOST 28147-89 cipher
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- gost28147.c| 86 gost28147.h| 24 ++ testsuite/gost28147-test.c | 161 + 3 files changed, 271 insertions(+) diff --git a/gost28147.c b/gost28147.c index ac94dfaa2ed8..f718a202a56b 100644 --- a/gost28147.c +++ b/gost28147.c @@ -38,6 +38,7 @@ #include "macros.h" #include "gost28147.h" #include "gost28147-internal.h" +#include "memxor.h" /* pre-initialized GOST lookup tables based on rotated S-Box */ const struct gost28147_param gost28147_param_test_3411 = 
@@ -2371,3 +2372,88 @@ gost28147_encrypt_for_cfb(struct gost28147_ctx *ctx, ctx->key_count += GOST28147_BLOCK_SIZE; } } + +static void +gost28147_cnt_next_iv(struct gost28147_cnt_ctx *ctx, + uint8_t *out) +{ + uint32_t block[2]; + uint32_t temp; + + if (ctx->ctx.key_meshing && ctx->ctx.key_count == 1024) +{ + gost28147_key_mesh_cryptopro(&ctx->ctx); + _gost28147_encrypt_block(ctx->ctx.key, ctx->ctx.sbox, ctx->iv, ctx->iv); + ctx->ctx.key_count = 0; +} + + ctx->iv[0] += 0x01010101; + temp = ctx->iv[1] + 0x01010104; + if (temp < ctx->iv[1]) +ctx->iv[1] = temp + 1; /* Overflow */ + else +ctx->iv[1] = temp; + + _gost28147_encrypt_block(ctx->ctx.key, ctx->ctx.sbox, ctx->iv, block); + + LE_WRITE_UINT32(out + 0, block[0]); + LE_WRITE_UINT32(out + 4, block[1]); + + ctx->ctx.key_count += GOST28147_BLOCK_SIZE; +} + +void +gost28147_cnt_init(struct gost28147_cnt_ctx *ctx, + const uint8_t *key, + const struct gost28147_param *param) +{ + gost28147_set_key(&ctx->ctx, key); + gost28147_set_param(&ctx->ctx, param); + ctx->bytes = 0; +} + +void +gost28147_cnt_set_iv(struct gost28147_cnt_ctx *ctx, +const uint8_t *iv) +{ + uint32_t block[2]; + + block[0] = LE_READ_UINT32(iv + 0); + block[1] = LE_READ_UINT32(iv + 4); + + _gost28147_encrypt_block(ctx->ctx.key, ctx->ctx.sbox, block, ctx->iv); +} + +void +gost28147_cnt_crypt(struct gost28147_cnt_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + size_t block_size = GOST28147_BLOCK_SIZE; + + if (ctx->bytes) +{ + size_t part = ctx->bytes < length ? 
ctx->bytes : length; + memxor3(dst, src, ctx->buffer + block_size - ctx->bytes, part); + dst += part; + src += part; + length -= part; + ctx->bytes -= part; + ctx->bytes %= block_size; +} + while (length >= block_size) +{ + gost28147_cnt_next_iv(ctx, ctx->buffer); + memxor3(dst, src, ctx->buffer, block_size); + length -= block_size; + src += block_size; + dst += block_size; +} + + if (length != 0) +{ + gost28147_cnt_next_iv(ctx, ctx->buffer); + memxor3(dst, src, ctx->buffer, length); + ctx->bytes = block_size - length; +} +} diff --git a/gost28147.h b/gost28147.h index 241c1e136fbc..08189067983c 100644 --- a/gost28147.h +++ b/gost28147.h @@ -56,6 +56,10 @@ extern "C" { #define gost28147_encrypt_for_cfb nettle_gost28147_encrypt_for_cfb #define gost28147_decrypt nettle_gost28147_decrypt +#define gost28147_cnt_init nettle_gost28147_cnt_init +#define gost28147_cnt_set_iv nettle_gost28147_cnt_set_iv +#define gost28147_cnt_crypt nettle_gost28147_cnt_crypt + #define GOST28147_KEY_SIZE 32 #define GOST28147_BLOCK_SIZE 8 @@ -102,6 +106,26 @@ gost28147_encrypt_for_cfb(struct gost28147_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); +struct gost28147_cnt_ctx { + struct gost28147_ctx ctx; + size_t bytes; + uint32_t iv[2]; + uint8_t buffer[GOST28147_BLOCK_SIZE]; +}; + +void +gost28147_cnt_init(struct gost28147_cnt_ctx *ctx, + const uint8_t *key, + const struct gost28147_param *param); + +void +gost28147_cnt_set_iv(struct gost28147_cnt_ctx *ctx, +const uint8_t *iv); + +void +gost28147_cnt_crypt(struct gost28147_cnt_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); #ifdef __cplusplus } #endif diff --git a/testsuite/gost28147-test.c b/testsuite/gost28147-test.c index 939bedee9c66..42441969a467 100644 --- a/testsuite/gost28147-test.c +++ b/testsuite/gost28147-test.c @@ -1,6 +1,7 @@ #include "testutils.h" #include "gost28147.h" #include "cfb.h" +#include "macros.h" static void test_gost28147(const struct gost28147_param *param, 
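Review bot: `gost28147_cnt_set_iv` leaves `ctx->bytes` untouched, so if an IV is installed after a partial block has already been encrypted, the next `gost28147_cnt_crypt` call first drains the leftover keystream of the previous IV from `ctx->buffer` before the new counter is used; add `ctx->bytes = 0;` at the end of `gost28147_cnt_set_iv` so stale keystream is discarded. The same function re-derives `ctx->iv` but does not reset `ctx->ctx.key_count`, so the key-meshing trigger in `gost28147_cnt_next_iv` keeps counting from the previous IV's position — whether that is intended is not visible here and deserves a comment either way. In `gost28147_cnt_crypt` the line `ctx->bytes %= block_size;` is a no-op, because `ctx->bytes` is only ever set to `block_size - length` with `0 < length < block_size` and then decreased by `part`; drop it or say why it is kept. The partial-block path reads keystream from `ctx->buffer + block_size - ctx->bytes`, i.e. the unused bytes sit at the end of the buffer, which is worth one line of comment at that `memxor3` call.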
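Review bot: `struct gost28147_cnt_ctx` is added to the public header with no comment on any field, although the gost28147.c side gives each one a specific meaning: `iv` holds the encrypted (not the raw) IV, `buffer` holds one block of keystream, and `bytes` counts the unconsumed keystream bytes kept at the end of `buffer`. A one-liner per field, e.g. `size_t bytes; /* unused keystream bytes, stored at the end of buffer */`, would keep that contract next to the declaration. The prototype of `gost28147_cnt_set_iv` should also state that `iv` is read as `GOST28147_BLOCK_SIZE` bytes, since the implementation reads `iv + 0` through `iv + 7` unconditionally.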
@@ -104,6 +105,82 @@ test_gost28147_cfb(const struct gost28147_param *param, free(data); } +static void +test_gost28147_cnt(const struct gost28147_param *param, + const struct tstring *key, + const struct tstring *start_iv, + const struct tstring *end_iv, + const struct tstring *cleartext, + const struct tstring *ciphertext) +{ + struct gos
[PATCH 0/5] GOST 28147-89 support
GOST 28147-89 is the data encryption standard of Russia (old, but still in use). An English translation is provided in RFC 5830. It defines a 64-bit cipher, the ECB, CFB and counter (CNT) modes on top of it, and a special mode of the basic transformation used for MAC construction, called "Imitovstavka" (IMIT). Several S-boxes are defined for GOST 28147-89: the standard itself defines a "test" S-box, another "test" S-box is defined in GOST R 34.11-94 (RFC 5831), RFC 4357 defines several CryptoPro S-boxes, and finally TC26 has defined the TC26-Z S-box (RFC 7836). Before finalizing the documentation I'd like to hear your opinion on the GOST 28147-89 cipher and MAC interface. -- With best wishes Dmitry ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH v2 2/4] block modes: move Galois shifts to block-internal.h
From: Dmitry Eremin-Solenikov Move Galois polynomial shifts to block-internal.h, simplifying common code. GCM is left unconverted for now, this will be fixed later. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 2 +- block-internal.h | 72 +++ cmac-internal.h | 54 --- cmac.c| 28 ++ cmac64.c | 27 ++ eax.c | 18 ++-- siv-cmac-aes128.c | 1 - siv-cmac-aes256.c | 1 - siv-cmac.c| 7 ++--- xts.c | 34 -- 10 files changed, 87 insertions(+), 157 deletions(-) delete mode 100644 cmac-internal.h diff --git a/Makefile.in b/Makefile.in index f6658c86341c..ae9c8a7563f9 100644 --- a/Makefile.in +++ b/Makefile.in @@ -231,7 +231,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ nettle.pc.in hogweed.pc.in \ $(des_headers) descore.README desdata.stamp \ aes-internal.h block-internal.h \ - camellia-internal.h cmac-internal.h serpent-internal.h \ + camellia-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h nettle-write.h \ diff --git a/block-internal.h b/block-internal.h index ab3a6a79b8cb..8972d0ac2b5b 100644 --- a/block-internal.h +++ b/block-internal.h 
@@ -90,4 +90,76 @@ block8_xor_bytes (union nettle_block8 *r, memxor3 (r->b, x->b, bytes, 8); } +/* Do a foreign-endianness shift of data */ + +#define LSHIFT_ALIEN_UINT64(x) \ + x) & UINT64_C(0x7f7f7f7f7f7f7f7f)) << 1) | \ +(((x) & UINT64_C(0x8080808080808080)) >> 15)) + +/* Two typical defining polynoms */ + +#define BLOCK16_POLY (UINT64_C(0x87)) +#define BLOCK8_POLY (UINT64_C(0x1b)) + +/* Galois multiplications by 2: + * functions differ in shifting right or left, big- or little- endianness + * and by defining polynom. + * r == x is allowed. */ + +#if WORDS_BIGENDIAN +static inline void +block16_mulx_be (union nettle_block16 *dst, +const union nettle_block16 *src) +{ + uint64_t carry = src->u64[0] >> 63; + dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63); + dst->u64[1] = (src->u64[1] << 1) ^ (BLOCK16_POLY & -carry); +} + +static inline void +block16_mulx_le (union nettle_block16 *dst, +const union nettle_block16 *src) +{ + uint64_t carry = (src->u64[1] & 0x80) >> 7; + dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) | ((src->u64[0] & 0x80) << 49); + dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) ^ ((BLOCK16_POLY << 56) & -carry); +} + +static inline void +block8_mulx_be (union nettle_block8 *dst, + const union nettle_block8 *src) +{ + uint64_t carry = src->u64 >> 63; + + dst->u64 = (src->u64 << 1) ^ (BLOCK8_POLY & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block16_mulx_be (union nettle_block16 *dst, +const union nettle_block16 *src) +{ + uint64_t carry = (src->u64[0] & 0x80) >> 7; + dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) | ((src->u64[1] & 0x80) << 49); + dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) ^ ((BLOCK16_POLY << 56) & -carry); +} + +static inline void +block16_mulx_le (union nettle_block16 *dst, +const union nettle_block16 *src) +{ + uint64_t carry = src->u64[1] >> 63; + dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63); + dst->u64[0] = (src->u64[0] << 1) ^ (BLOCK16_POLY & -carry); +} + +static inline void 
+block8_mulx_be (union nettle_block8 *dst, + const union nettle_block8 *src) +{ + uint64_t carry = (src->u64 & 0x80) >> 7; + + dst->u64 = LSHIFT_ALIEN_UINT64(src->u64) ^ ((BLOCK8_POLY << 56) & -carry); +} +#endif /* !WORDS_BIGENDIAN */ + #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/cmac-internal.h b/cmac-internal.h deleted file mode 100644 index 80db7fcc58cd.. --- a/cmac-internal.h +++ /dev/null @@ -1,54 +0,0 @@ -/* cmac-internal.h - - CMAC mode internal functions - - Copyright (C) 2017 Red Hat, Inc. - - Contributed by Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU Gen
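Review bot: The comment block above the new helpers says `r == x is allowed`, but every function names its parameters `dst`/`src`; reword it as `dst == src is allowed` so the aliasing guarantee refers to names that exist. The guarantee does hold: in each variant the first statement writes the word whose source bits are not read again by the second statement. Each helper could also state which byte order it interprets the 128-bit value in, e.g. `/* dst = src * x in GF(2^128) with src read as a big-endian integer; dst == src is allowed. */` on `block16_mulx_be`, since today the `_be`/`_le` suffix is the only hint. `polynoms`/`polynom` in the two comments should read `polynomials`/`polynomial`.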
[PATCH v2 4/4] gcm: drop intermediate GCM_TABLE_BITS == 4 case
From: Dmitry Eremin-Solenikov It makes little sense to have intermediate solution with GCM_TABLE_BITS == 4. One either will use unoptimized case of GCM_TABLE_BITS == 0, or will switch to fully optimized case (8) as memory usage difference is quite low between 4 and 8. So drop GCM_TABLE_BITS == 4 support Signed-off-by: Dmitry Eremin-Solenikov --- gcm.c | 67 +++ 1 file changed, 8 insertions(+), 59 deletions(-) diff --git a/gcm.c b/gcm.c index cf615daf18bd..3a6f04a7671b 100644 --- a/gcm.c +++ b/gcm.c 
@@ -83,62 +83,7 @@ gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *y) } memcpy (x->b, Z.b, sizeof(Z)); } -#else /* GCM_TABLE_BITS != 0 */ -# if WORDS_BIGENDIAN -# define W(left,right) (0x##left##right) -# else -# define W(left,right) (0x##right##left) -# endif - -# if GCM_TABLE_BITS == 4 -static const uint16_t -shift_table[0x10] = { - W(00,00),W(1c,20),W(38,40),W(24,60),W(70,80),W(6c,a0),W(48,c0),W(54,e0), - W(e1,00),W(fd,20),W(d9,40),W(c5,60),W(91,80),W(8d,a0),W(a9,c0),W(b5,e0), -}; - -static void -gcm_gf_shift_4(union nettle_block16 *x) -{ - uint64_t *u64 = x->u64; - uint64_t reduce; - - /* Shift uses big-endian representation. */ -#if WORDS_BIGENDIAN - reduce = shift_table[u64[1] & 0xf]; - u64[1] = (u64[1] >> 4) | ((u64[0] & 0xf) << 60); - u64[0] = (u64[0] >> 4) ^ (reduce << 48); -#else /* ! WORDS_BIGENDIAN */ -#define RSHIFT_WORD_4(x) \ - x) & UINT64_C(0xf0f0f0f0f0f0f0f0)) >> 4) \ - | (((x) & UINT64_C(0x000f0f0f0f0f0f0f)) << 12)) - reduce = shift_table[(u64[1] >> 56) & 0xf]; - u64[1] = RSHIFT_WORD_4(u64[1]) | ((u64[0] >> 52) & 0xf0); - u64[0] = RSHIFT_WORD_4(u64[0]) ^ reduce; -# undef RSHIFT_WORD_4 -#endif /* ! WORDS_BIGENDIAN */ -} - -static void -gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) -{ - union nettle_block16 Z; - unsigned i; - - memset(Z.b, 0, sizeof(Z)); - - for (i = GCM_BLOCK_SIZE; i-- > 0;) -{ - uint8_t b = x->b[i]; - - gcm_gf_shift_4(&Z); - block16_xor(&Z, &table[b & 0xf]); - gcm_gf_shift_4(&Z); - block16_xor(&Z, &table[b >> 4]); -} - memcpy (x->b, Z.b, sizeof(Z)); -} # elif GCM_TABLE_BITS == 8 # if HAVE_NATIVE_gcm_hash8 
@@ -147,6 +92,13 @@ void _nettle_gcm_hash8 (const struct gcm_key *key, union nettle_block16 *x, size_t length, const uint8_t *data); # else /* !HAVE_NATIVE_gcm_hash8 */ + +# if WORDS_BIGENDIAN +# define W(left,right) (0x##left##right) +# else +# define W(left,right) (0x##right##left) +# endif + static const uint16_t shift_table[0x100] = { W(00,00),W(01,c2),W(03,84),W(02,46),W(07,08),W(06,ca),W(04,8c),W(05,4e), @@ -182,6 +134,7 @@ shift_table[0x100] = { W(b5,e0),W(b4,22),W(b6,64),W(b7,a6),W(b2,e8),W(b3,2a),W(b1,6c),W(b0,ae), W(bb,f0),W(ba,32),W(b8,74),W(b9,b6),W(bc,f8),W(bd,3a),W(bf,7c),W(be,be), }; +#undef W static void gcm_gf_shift_8(union nettle_block16 *x) @@ -221,10 +174,6 @@ gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) # error Unsupported table size. # endif /* GCM_TABLE_BITS != 8 */ -#undef W - -#endif /* GCM_TABLE_BITS */ - /* Increment the rightmost 32 bits. */ #define INC32(block) INCREMENT(4, (block.b) + GCM_BLOCK_SIZE - 4) -- 2.23.0.rc1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
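Review bot: After this change the `# elif GCM_TABLE_BITS == 8`, `# else`, `# error` and `# endif /* GCM_TABLE_BITS != 8 */` lines (context in the last hunk) close the top-level `#if GCM_TABLE_BITS == 0` rather than the removed inner `# if GCM_TABLE_BITS == 4`, yet they keep the one-space nesting indent and a trailing comment that no longer names the condition they close; de-indenting them and ending with `#endif /* GCM_TABLE_BITS */`, the comment this commit deletes from the old outer block, keeps the conditional readable. The `W()` macro now lives under `# else /* !HAVE_NATIVE_gcm_hash8 */` and is `#undef`'d right after `shift_table`, which is tidier than before, but it still has no explanation; `/* W(a,b): uint16_t whose bytes are a,b in memory order on either endianness */` above it would spare the next reader the byte-swap reasoning.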
[PATCH v2 3/4] gcm: move block shifting function to block-internal.h
From: Dmitry Eremin-Solenikov Move GCM's block shift function to block-internal.h. This concludes moving of all Galois mul-by-2 to single header. Signed-off-by: Dmitry Eremin-Solenikov --- block-internal.h | 30 +- gcm.c| 30 ++ 2 files changed, 31 insertions(+), 29 deletions(-) diff --git a/block-internal.h b/block-internal.h index 8972d0ac2b5b..88e19be333c8 100644 --- a/block-internal.h +++ b/block-internal.h @@ -95,11 +95,15 @@ block8_xor_bytes (union nettle_block8 *r, #define LSHIFT_ALIEN_UINT64(x) \ x) & UINT64_C(0x7f7f7f7f7f7f7f7f)) << 1) | \ (((x) & UINT64_C(0x8080808080808080)) >> 15)) +#define RSHIFT_ALIEN_UINT64(x) \ + x) & UINT64_C(0xfefefefefefefefe)) >> 1) | \ +(((x) & UINT64_C(0x0001010101010101)) << 15)) /* Two typical defining polynoms */ #define BLOCK16_POLY (UINT64_C(0x87)) #define BLOCK8_POLY (UINT64_C(0x1b)) +#define GHASH_POLY (UINT64_C(0xE1)) /* Galois multiplications by 2: * functions differ in shifting right or left, big- or little- endianness @@ -133,6 +137,18 @@ block8_mulx_be (union nettle_block8 *dst, dst->u64 = (src->u64 << 1) ^ (BLOCK8_POLY & -carry); } + +static inline void +block16_mulx_ghash (union nettle_block16 *r, + const union nettle_block16 *x) +{ + uint64_t mask; + + /* Shift uses big-endian representation. */ + mask = - (x->u64[1] & 1); + r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); + r->u64[0] = (x->u64[0] >> 1) ^ (mask & (GHASH_POLY << 56)); +} #else /* !WORDS_BIGENDIAN */ static inline void block16_mulx_be (union nettle_block16 *dst, 
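Review bot: `block16_mulx_ghash` arrives in block-internal.h without the explanatory comment that the gcm.c hunk deletes (`Multiplication by 010...0; a big-endian shift right. If the bit shifted out is one, the defining polynomial is added to cancel it out. r == x is allowed.`); only `Shift uses big-endian representation.` survives inside the body, so that comment should be placed above the function, for both the big-endian definition here and the little-endian one in the following hunk. The parameters are named `r`/`x` while the neighbouring `block16_mulx_be`/`_le` helpers use `dst`/`src`; one convention for the header avoids the mismatch. `GHASH_POLY` is added under the comment `Two typical defining polynoms`, which now lists three constants and should read `polynomials`.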
@@ -160,6 +176,18 @@ block8_mulx_be (union nettle_block8 *dst, dst->u64 = LSHIFT_ALIEN_UINT64(src->u64) ^ ((BLOCK8_POLY << 56) & -carry); } -#endif /* !WORDS_BIGENDIAN */ + +static inline void +block16_mulx_ghash (union nettle_block16 *r, + const union nettle_block16 *x) +{ + uint64_t mask; + + /* Shift uses big-endian representation. */ + mask = - ((x->u64[1] >> 56) & 1); + r->u64[1] = RSHIFT_ALIEN_UINT64(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); + r->u64[0] = RSHIFT_ALIEN_UINT64(x->u64[0]) ^ (mask & GHASH_POLY); +} +#endif /* ! WORDS_BIGENDIAN */ #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/gcm.c b/gcm.c index 4a04a0a10842..cf615daf18bd 100644 --- a/gcm.c +++ b/gcm.c @@ -55,32 +55,6 @@ #include "ctr-internal.h" #include "block-internal.h" -#define GHASH_POLYNOMIAL 0xE1UL - -/* Multiplication by 010...0; a big-endian shift right. If the bit - shifted out is one, the defining polynomial is added to cancel it - out. r == x is allowed. */ -static void -gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x) -{ - uint64_t mask; - - /* Shift uses big-endian representation. */ -#if WORDS_BIGENDIAN - mask = - (x->u64[1] & 1); - r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); - r->u64[0] = (x->u64[0] >> 1) ^ (mask & ((uint64_t) GHASH_POLYNOMIAL << 56)); -#else /* ! WORDS_BIGENDIAN */ -#define RSHIFT_WORD(x) \ - x) & 0xfefefefefefefefeUL) >> 1) \ - | (((x) & 0x0001010101010101UL) << 15)) - mask = - ((x->u64[1] >> 56) & 1); - r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); - r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & GHASH_POLYNOMIAL); -# undef RSHIFT_WORD -#endif /* ! WORDS_BIGENDIAN */ -} - #if GCM_TABLE_BITS == 0 /* Sets x <- x * y mod r, using the plain bitwise algorithm from the specification. y may be shorter than a full block, missing bytes 
@@ -104,7 +78,7 @@ gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *y) if (b & 0x80) block16_xor(&Z, &V); - gcm_gf_shift(&V, &V); + block16_mulx_ghash(&V, &V); } } memcpy (x->b, Z.b, sizeof(Z)); @@ -275,7 +249,7 @@ gcm_set_key(struct gcm_key *key, /* Algorithm 3 from the gcm paper. First do powers of two, then do the rest by adding. */ while (i /= 2) -gcm_gf_shift(&key->h[i], &key->h[2*i]); +block16_mulx_ghash(&key->h[i], &key->h[2*i]); for (i = 2; i < 1
[PATCH v2 1/4] block-internal: add block XORing functions
From: Dmitry Eremin-Solenikov Add common implementations for functions doing XOR over nettle_block16/nettle_block8. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 3 +- block-internal.h | 93 cmac.c | 11 +++--- cmac64.c | 12 +++ eax.c| 9 + gcm.c| 20 --- siv-cmac.c | 9 ++--- 7 files changed, 120 insertions(+), 37 deletions(-) create mode 100644 block-internal.h diff --git a/Makefile.in b/Makefile.in index af4f6e46ee9b..f6658c86341c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -230,7 +230,8 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ INSTALL NEWS ChangeLog \ nettle.pc.in hogweed.pc.in \ $(des_headers) descore.README desdata.stamp \ - aes-internal.h camellia-internal.h cmac-internal.h serpent-internal.h \ + aes-internal.h block-internal.h \ + camellia-internal.h cmac-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h nettle-write.h \ diff --git a/block-internal.h b/block-internal.h new file mode 100644 index ..ab3a6a79b8cb --- /dev/null +++ b/block-internal.h 
@@ -0,0 +1,93 @@ +/* block-internal.h + + Internal implementations of nettle_blockZ-related functions. + + Copyright (C) 2011 Katholieke Universiteit Leuven + Copyright (C) 2011, 2013, 2018 Niels Möller + Copyright (C) 2018 Red Hat, Inc. + Copyright (C) 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED +#define NETTLE_BLOCK_INTERNAL_H_INCLUDED + +#include + +#include "nettle-types.h" +#include "memxor.h" + +static inline void +block16_xor (union nettle_block16 *r, +const union nettle_block16 *x) +{ + r->u64[0] ^= x->u64[0]; + r->u64[1] ^= x->u64[1]; +} + +static inline void +block16_xor3 (union nettle_block16 *r, + const union nettle_block16 *x, + const union nettle_block16 *y) +{ + r->u64[0] = x->u64[0] ^ y->u64[0]; + r->u64[1] = x->u64[1] ^ y->u64[1]; +} + +static inline void +block16_xor_bytes (union nettle_block16 *r, + const union nettle_block16 *x, + const uint8_t *bytes) +{ + memxor3 (r->b, x->b, bytes, 16); +} + +static inline void +block8_xor (union nettle_block8 *r, + const union nettle_block8 *x) +{ + r->u64 ^= x->u64; +} + +static inline void +block8_xor3 (union nettle_block8 *r, +const union nettle_block8 *x, +const union nettle_block8 *y) +{ + r->u64 = x->u64 ^ y->u64; +} + +static inline void +block8_xor_bytes (union nettle_block8 *r, + const union nettle_block8 *x, + const uint8_t *bytes) +{ + memxor3 (r->b, x->b, bytes, 8); +} + +#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/cmac.c b/cmac.c index 70ce8132d9d1..194324421c58 100644 --- a/cmac.c +++ b/cmac.c @@ -45,6 +45,7 @@ #include "memxor.h" #include "nettle-internal.h" #include "cmac-internal.h" +#include "block-internal.h" #include "macros.h" /* shift one and XOR with 0x87. */ @@ -119,12 +120,12 @@ cmac128_update(struct cmac128_ctx *ctx, const void *cipher, /* * now checksum everything but the last block */ - memxor3(Y.b, ctx->X.b, ctx->block.b, 16); + block16_xor3(&Y, &ctx->X, &ctx->block); encrypt(cipher, 16, ctx->X.b, Y.b); while (msg_len > 16) { - memxor3(Y.b, ctx->X.b, msg, 16); + block16_xor_bytes (&Y, &ctx->X, msg); encrypt(cipher, 16, ctx->X.b, Y.b); msg += 16; msg_len -= 16; 
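Review bot: The six new helpers carry no comments at all, and since this header is where future block-mode code will look first, each group deserves a one-liner stating its contract, e.g. `/* r ^= x on the u64 view of the union; r == x is allowed */` for `block16_xor` and `/* r = x ^ bytes[0..15]; goes through memxor3 because bytes is a plain byte pointer */` for `block16_xor_bytes`. The `xor3` variants write `r` word by word after reading the same index from `x` and `y`, so `r` may alias either operand; saying so matters because `cmac128_update` passes distinct objects today but later callers may not. The identical hunk in the `[PATCH 3/5]` posting of this file further down the page has the same gap.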
@@ -151,14 +152,14 @@ cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key, ctx->block.b[ctx->index] = 0x80; memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index); - memxor(ctx->block.b, key->K2.b, 16); + block16_xor (&ctx->block, &key->K2); } else { - memxor(ctx->block.b, key->K1.b, 1
[PATCH 5/5] gcm: move block shifting function to block-internal.h
From: Dmitry Eremin-Solenikov Move GCM's block shift function to block-internal.h. This concludes moving of all Galois mul-by-2 to single header. Signed-off-by: Dmitry Eremin-Solenikov --- block-internal.h | 29 + gcm.c| 15 ++- 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/block-internal.h b/block-internal.h index 8cc30f6f5a02..874e4dbe1929 100644 --- a/block-internal.h +++ b/block-internal.h @@ -166,4 +166,33 @@ block8_lshift_be (union nettle_block8 *dst, } #endif /* !WORDS_BIGENDIAN */ +#if WORDS_BIGENDIAN +static inline void +block16_rshift_be (union nettle_block16 *r, + const union nettle_block16 *x, + uint64_t poly) +{ + uint64_t mask; + + /* Shift uses big-endian representation. */ + mask = - (x->u64[1] & 1); + r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); + r->u64[0] = (x->u64[0] >> 1) ^ (mask & (poly << 56)); +} +#else /* ! WORDS_BIGENDIAN */ +static inline void +block16_rshift_be (union nettle_block16 *r, + const union nettle_block16 *x, + uint64_t poly) +{ + uint64_t mask; + + /* Shift uses big-endian representation. */ + mask = - ((x->u64[1] >> 56) & 1); + r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); + r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & poly); +} +#endif /* ! WORDS_BIGENDIAN */ + +/* shift one and XOR with 0x87. */ #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/gcm.c b/gcm.c index 17c889e67553..eca6ab6cab25 100644 --- a/gcm.c +++ b/gcm.c 
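Review bot: The hunk ends by adding `/* shift one and XOR with 0x87. */` immediately before `#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */` with no code after it; that sentence is the CMAC subkey comment from cmac.c, not a description of `block16_rshift_be`, and looks like a stray paste — drop it. `block16_rshift_be` itself keeps only `Shift uses big-endian representation.` inside the body, while the gcm.c hunk leaves the real description (`Multiplication by 010...0; a big-endian shift right ...`) on what is now a one-line wrapper; move that comment above the generic helper, adding that `poly` is the reduction constant XORed into the top byte and that `r == x` is allowed.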
@@ -60,21 +60,10 @@ /* Multiplication by 010...0; a big-endian shift right. If the bit shifted out is one, the defining polynomial is added to cancel it out. r == x is allowed. */ -static void +static inline void gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x) { - uint64_t mask; - - /* Shift uses big-endian representation. */ -#if WORDS_BIGENDIAN - mask = - (x->u64[1] & 1); - r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); - r->u64[0] = (x->u64[0] >> 1) ^ (mask & ((uint64_t) GHASH_POLYNOMIAL << 56)); -#else /* ! WORDS_BIGENDIAN */ - mask = - ((x->u64[1] >> 56) & 1); - r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); - r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & GHASH_POLYNOMIAL); -#endif /* ! WORDS_BIGENDIAN */ + block16_rshift_be (r, x, GHASH_POLYNOMIAL); } #if GCM_TABLE_BITS == 0 -- 2.23.0.rc1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH 4/5] block modes: move Galois shifts to block-internal.h
From: Dmitry Eremin-Solenikov Move Galois polynomial shifts to block-internal.h, simplifying common code. GCM is left unconverted for now, this will be fixed later. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 2 +- block-internal.h | 76 +++ cmac-internal.h | 54 - cmac.c| 20 ++--- cmac64.c | 21 ++--- eax.c | 18 ++- gcm.c | 4 --- siv-cmac-aes128.c | 1 - siv-cmac-aes256.c | 1 - siv-cmac.c| 9 +- xts.c | 18 ++- 11 files changed, 94 insertions(+), 130 deletions(-) delete mode 100644 cmac-internal.h diff --git a/Makefile.in b/Makefile.in index f6658c86341c..ae9c8a7563f9 100644 --- a/Makefile.in +++ b/Makefile.in @@ -231,7 +231,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ nettle.pc.in hogweed.pc.in \ $(des_headers) descore.README desdata.stamp \ aes-internal.h block-internal.h \ - camellia-internal.h cmac-internal.h serpent-internal.h \ + camellia-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h nettle-write.h \ diff --git a/block-internal.h b/block-internal.h index 84839c872f63..8cc30f6f5a02 100644 --- a/block-internal.h +++ b/block-internal.h 
@@ -90,4 +90,80 @@ block8_xor_bytes (union nettle_block8 *r, memxor3 (r->b, x->b, bytes, 8); } +#define LSHIFT_WORD(x) x) & 0x7f7f7f7f7f7f7f7f) << 1) | \ + (((x) & 0x8080808080808080) >> 15)) +#define RSHIFT_WORD(x) x) & 0xfefefefefefefefe) >> 1) | \ + (((x) & 0x0001010101010101) << 15)) + +/* Galois multiplications by 2: + * functions differ in shifting right or left, big- or little- endianness + * and by defininy polynom. + * r == x is allowed. */ + +#if WORDS_BIGENDIAN +static inline void +block16_lshift_be (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = src->u64[0] >> 63; + dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63); + dst->u64[1] = (src->u64[1] << 1) ^ (poly & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block16_lshift_be (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64[0] & 0x80) >> 7; + dst->u64[0] = LSHIFT_WORD(src->u64[0]) | ((src->u64[1] & 0x80) << 49); + dst->u64[1] = LSHIFT_WORD(src->u64[1]) ^ ((poly << 56) & -carry); +} +#endif /* !WORDS_BIGENDIAN */ + +#if WORDS_BIGENDIAN +static inline void +block16_lshift_le (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64[1] & 0x80) >> 7; + dst->u64[1] = LSHIFT_WORD(src->u64[1]) | ((src->u64[0] & 0x80) << 49); + dst->u64[0] = LSHIFT_WORD(src->u64[0]) ^ ((poly << 56) & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block16_lshift_le (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = src->u64[1] >> 63; + dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63); + dst->u64[0] = (src->u64[0] << 1) ^ (poly & -carry); +} +#endif /* !WORDS_BIGNDIAN */ + +#if WORDS_BIGENDIAN +static inline void +block8_lshift_be (union nettle_block8 *dst, + const union nettle_block8 *src, + uint64_t poly) +{ + uint64_t carry = src->u64 >> 63; + + dst->u64 = (src->u64 << 
1) ^ (poly & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block8_lshift_be (union nettle_block8 *dst, + const union nettle_block8 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64 & 0x80) >> 7; + + dst->u64 = LSHIFT_WORD(src->u64) ^ ((poly << 56) & -carry); +} +#endif /* !WORDS_BIGENDIAN */ + #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/cmac-internal.h b/cmac-internal.h deleted file mode 100644 index 80db7fcc58cd.. --- a/cmac-internal.h +++ /dev/null @@ -1,54 +0,0 @@ -/* cmac-internal.h - - CMAC mode internal functions - - Copyright (C) 2017 Red Hat, Inc. - - Contributed by Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful,
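Review bot: Two comment typos in the new helpers: `defininy polynom` should read `defining polynomial`, and `#endif /* !WORDS_BIGNDIAN */` after the little-endian `block16_lshift_le` should be `#endif /* !WORDS_BIGENDIAN */` to match the other three closers. `LSHIFT_WORD`/`RSHIFT_WORD` spell their 64-bit masks as bare hex literals (`0x7f7f7f7f7f7f7f7f`, `0x8080808080808080`); wrapping them in `UINT64_C()` makes the operand type explicit instead of depending on which integer type each literal lands in. `RSHIFT_WORD` has no user in this patch; if it is only consumed by the later gcm move, either define it there or note the forward use so it does not read as a dead macro. The `#if WORDS_BIGENDIAN`/`#else` pair is repeated once per function; grouping all big-endian definitions under a single conditional would halve the preprocessor noise.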
[PATCH 2/5] cmac64: fix nettle_block16 usage
From: Dmitry Eremin-Solenikov CMAC64 uses block8, rather than block16. Signed-off-by: Dmitry Eremin-Solenikov --- cmac64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmac64.c b/cmac64.c index 2fbffc9b5ea6..636635ba478b 100644 --- a/cmac64.c +++ b/cmac64.c @@ -98,7 +98,7 @@ cmac64_update(struct cmac64_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg) { - union nettle_block16 Y; + union nettle_block8 Y; /* * check if we expand the block */ -- 2.23.0.rc1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH 3/5] block-internal: add block XORing functions
From: Dmitry Eremin-Solenikov Add common implementations for functions doing XOR over nettle_block16/nettle_block8. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 3 +- block-internal.h | 93 cmac.c | 11 +++--- cmac64.c | 12 +++ eax.c| 9 + gcm.c| 20 --- siv-cmac.c | 9 ++--- 7 files changed, 120 insertions(+), 37 deletions(-) create mode 100644 block-internal.h diff --git a/Makefile.in b/Makefile.in index af4f6e46ee9b..f6658c86341c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -230,7 +230,8 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ INSTALL NEWS ChangeLog \ nettle.pc.in hogweed.pc.in \ $(des_headers) descore.README desdata.stamp \ - aes-internal.h camellia-internal.h cmac-internal.h serpent-internal.h \ + aes-internal.h block-internal.h \ + camellia-internal.h cmac-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h nettle-write.h \ diff --git a/block-internal.h b/block-internal.h new file mode 100644 index ..84839c872f63 --- /dev/null +++ b/block-internal.h 
@@ -0,0 +1,93 @@ +/* block-internal.h + + Internal implementations of nettle_blockZ-related functions. + + Copyright (C) 2011 Katholieke Universiteit Leuven + Copyright (C) 2011, 2013, 2018 Niels Möller + Copyright (C) 2018 Red Hat, Inc. + Copyright (C) 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED +#define NETTLE_BLOCK_INTERNAL_H_INCLUDED + +#include + +#include "nettle-types.h" +#include "memxor.h" + +static inline void +block16_xor (union nettle_block16 *r, +const union nettle_block16 *x) +{ + r->u64[0] ^= x->u64[0]; + r->u64[1] ^= x->u64[1]; +} + +static inline void +block16_xor3 (union nettle_block16 *r, + const union nettle_block16 *x, + const union nettle_block16 *y) +{ + r->u64[0] = x->u64[0] ^ y->u64[0]; + r->u64[1] = x->u64[1] ^ y->u64[1]; +} + +static inline void +block16_xor_bytes (union nettle_block16 *r, + const union nettle_block16 *x, + const uint8_t *bytes) +{ + memxor3 (r->b, x->b, bytes, 16); +} + +static inline void +block8_xor (union nettle_block8 *r, +const union nettle_block8 *x) +{ + r->u64 ^= x->u64; +} + +static inline void +block8_xor3 (union nettle_block8 *r, + const union nettle_block8 *x, + const union nettle_block8 *y) +{ + r->u64 = x->u64 ^ y->u64; +} + +static inline void +block8_xor_bytes (union nettle_block8 *r, + const union nettle_block8 *x, + const uint8_t *bytes) +{ + memxor3 (r->b, x->b, bytes, 8); +} + +#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/cmac.c b/cmac.c index 70ce8132d9d1..194324421c58 100644 --- a/cmac.c +++ b/cmac.c @@ -45,6 +45,7 @@ #include "memxor.h" #include "nettle-internal.h" #include "cmac-internal.h" +#include "block-internal.h" #include "macros.h" /* shift one and XOR with 0x87. */ @@ -119,12 +120,12 @@ cmac128_update(struct cmac128_ctx *ctx, const void *cipher, /* * now checksum everything but the last block */ - memxor3(Y.b, ctx->X.b, ctx->block.b, 16); + block16_xor3(&Y, &ctx->X, &ctx->block); encrypt(cipher, 16, ctx->X.b, Y.b); while (msg_len > 16) { - memxor3(Y.b, ctx->X.b, msg, 16); + block16_xor_bytes (&Y, &ctx->X, msg); encrypt(cipher, 16, ctx->X.b, Y.b); msg += 16; msg_len -= 16; 
@@ -151,14 +152,14 @@ cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key, ctx->block.b[ctx->index] = 0x80; memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index); - memxor(ctx->block.b, key->K2.b, 16); + block16_xor (&ctx->block, &key->K2); } else { - memxor(ctx->block.b, key->K1
[PATCH 1/5] gcm: use uint64_t member of nettle_block16
From: Dmitry Eremin-Solenikov Remove last usage of unsigned long member of nettle_block16. Signed-off-by: Dmitry Eremin-Solenikov --- gcm.c | 47 --- 1 file changed, 12 insertions(+), 35 deletions(-) diff --git a/gcm.c b/gcm.c index a55f603f66d5..627097b24218 100644 --- a/gcm.c +++ b/gcm.c 
@@ -133,45 +133,22 @@ shift_table[0x10] = { static void gcm_gf_shift_4(union nettle_block16 *x) { - unsigned long *w = x->w; - unsigned long reduce; + uint64_t *u64 = x->u64; + uint64_t reduce; /* Shift uses big-endian representation. */ #if WORDS_BIGENDIAN -# if SIZEOF_LONG == 4 - reduce = shift_table[w[3] & 0xf]; - w[3] = (w[3] >> 4) | ((w[2] & 0xf) << 28); - w[2] = (w[2] >> 4) | ((w[1] & 0xf) << 28); - w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 28); - w[0] = (w[0] >> 4) ^ (reduce << 16); -# elif SIZEOF_LONG == 8 - reduce = shift_table[w[1] & 0xf]; - w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 60); - w[0] = (w[0] >> 4) ^ (reduce << 48); -# else -# error Unsupported word size. */ -#endif + reduce = shift_table[u64[1] & 0xf]; + u64[1] = (u64[1] >> 4) | ((u64[0] & 0xf) << 60); + u64[0] = (u64[0] >> 4) ^ (reduce << 48); #else /* ! WORDS_BIGENDIAN */ -# if SIZEOF_LONG == 4 -#define RSHIFT_WORD(x) \ - x) & 0xf0f0f0f0UL) >> 4) \ - | (((x) & 0x000f0f0f) << 12)) - reduce = shift_table[(w[3] >> 24) & 0xf]; - w[3] = RSHIFT_WORD(w[3]) | ((w[2] >> 20) & 0xf0); - w[2] = RSHIFT_WORD(w[2]) | ((w[1] >> 20) & 0xf0); - w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 20) & 0xf0); - w[0] = RSHIFT_WORD(w[0]) ^ reduce; -# elif SIZEOF_LONG == 8 -#define RSHIFT_WORD(x) \ - x) & 0xf0f0f0f0f0f0f0f0UL) >> 4) \ - | (((x) & 0x000f0f0f0f0f0f0fUL) << 12)) - reduce = shift_table[(w[1] >> 56) & 0xf]; - w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 52) & 0xf0); - w[0] = RSHIFT_WORD(w[0]) ^ reduce; -# else -# error Unsupported word size. */ -# endif -# undef RSHIFT_WORD +#define RSHIFT_WORD_4(x) \ + x) & UINT64_C(0xf0f0f0f0f0f0f0f0)) >> 4) \ + | (((x) & UINT64_C(0x000f0f0f0f0f0f0f)) << 12)) + reduce = shift_table[(u64[1] >> 56) & 0xf]; + u64[1] = RSHIFT_WORD_4(u64[1]) | ((u64[0] >> 52) & 0xf0); + u64[0] = RSHIFT_WORD_4(u64[0]) ^ reduce; +# undef RSHIFT_WORD_4 #endif /* ! WORDS_BIGENDIAN */ } -- 2.23.0.rc1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
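Review bot: The rewritten little-endian branch of gcm_gf_shift_4 depends on the byte layout of the `u64` words, and the only comment, `/* Shift uses big-endian representation. */`, does not say why that path shifts nibble-wise: on a little-endian host `u64[0]` holds block bytes 0..7 with byte 0 in the low-order octet, so a GCM right shift by 4 is a `>> 4` within each byte (the `0xf0f0...` mask) plus a carry of the low nibble into the high nibble of the following byte (the `<< 12` on the `0x0f0f...` mask), with `(u64[0] >> 52) & 0xf0` carrying byte 7 into byte 8 and `(u64[1] >> 56) & 0xf` picking the low nibble of byte 15 for the reduction. A two-line comment above `#define RSHIFT_WORD_4` stating that would spare the next reader the derivation. Separately, the local pointer `u64` shares its name with the union member it points at, which makes `u64[1] = ...` read like a member access; the previous name `w` was clearer. As rendered here the macro body starts with `x) & UINT64_C(...)`, apparently missing its leading parentheses; if that is not merely an artifact of the mailing-list rendering the macro will not compile.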
[PATCH] nettle-meta: add meta interface for CMAC-DES3 functions
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 2 +- cmac-des3-meta.c | 43 +++ nettle-meta-macs.c| 1 + nettle-meta.h | 13 testsuite/cmac-test.c | 12 --- testsuite/meta-mac-test.c | 1 + 6 files changed, 59 insertions(+), 13 deletions(-) create mode 100644 cmac-des3-meta.c diff --git a/Makefile.in b/Makefile.in index 409c655b2cee..de46bb5619f3 100644 --- a/Makefile.in +++ b/Makefile.in @@ -103,7 +103,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \ -cmac-aes128-meta.c cmac-aes256-meta.c \ +cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \ gosthash94.c gosthash94-meta.c \ hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ diff --git a/cmac-des3-meta.c b/cmac-des3-meta.c new file mode 100644 index ..40b27feaccdc --- /dev/null +++ b/cmac-des3-meta.c 
@@ -0,0 +1,43 @@ +/* cmac-des3-meta.c + + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "nettle-meta.h" + +#include "cmac.h" + +const struct nettle_mac nettle_cmac_des3 += _NETTLE_CMAC64(cmac_des3, DES3); diff --git a/nettle-meta-macs.c b/nettle-meta-macs.c index 6575ed661db3..201b30847147 100644 --- a/nettle-meta-macs.c +++ b/nettle-meta-macs.c @@ -40,6 +40,7 @@ const struct nettle_mac * const _nettle_macs[] = { &nettle_cmac_aes128, &nettle_cmac_aes256, + &nettle_cmac_des3, &nettle_hmac_md5, &nettle_hmac_ripemd160, &nettle_hmac_sha1, diff --git a/nettle-meta.h b/nettle-meta.h index 4b4d312dfe0f..668c90924f1f 100644 --- a/nettle-meta.h +++ b/nettle-meta.h 
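Review bot: The new file's header reads `Copyright (C) 2013, 2014 Niels Möller` although the file is introduced by this patch under a 2019 Signed-off-by; it was presumably copied from an existing *-meta.c (cmac-aes128-meta.c, going by the Makefile.in hunk), so the copyright line should either be kept alongside a line for the actual author or corrected. The definition itself could use a one-line comment tying it to the header macro, e.g. `/* nettle_mac descriptor for CMAC over DES3; see _NETTLE_CMAC64 in nettle-meta.h. */`. The `#include` before `"nettle-meta.h"` has lost its target in this rendering; presumably a system header in angle brackets.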
@@ -303,8 +303,21 @@ nettle_get_macs (void); #define nettle_macs (nettle_get_macs()) +#define _NETTLE_CMAC64(name, AES) {\ + #name, \ + sizeof(struct name##_ctx), \ + CMAC64_DIGEST_SIZE, \ + AES##_KEY_SIZE, \ + 0, \ + (nettle_set_key_func *) name##_set_key, \ + NULL,\ + (nettle_hash_update_func *) name##_update, \ + (nettle_hash_digest_func *) name##_digest, \ +} + extern const struct nettle_mac nettle_cmac_aes128; extern const struct nettle_mac nettle_cmac_aes256; +extern const struct nettle_mac nettle_cmac_des3; extern const struct nettle_mac nettle_hmac_md5; extern const struct nettle_mac nettle_hmac_ripemd160; diff --git a/testsuite/cmac-test.c b/testsuite/cmac-test.c index 1a2cd0e591cf..a71baa086d01 100644 --- a/testsuite/cmac-test.c +++ b/testsuite/cmac-test.c @@ -2,18 +2,6 @@ #include "nettle-internal.h" #include "cmac.h" -const struct nettle_mac nettle_cmac_des3 = -{ - "CMAC-3DES", - sizeof(struct cmac_des3_ctx), - CMAC64_DIGEST_SIZE, - DES3_KEY_SIZE, - - (nettle_set_key_func*) cmac_des3_set_key, - (nettle_hash_update_func*) cmac_des3_update, - (nettle_hash_digest_func*) cmac_des3_digest -}; - #define test_cmac_aes128(key, msg, ref) \ test_mac(&nettle_cmac_aes128, key, msg, ref) diff --git a/testsuite/meta-mac-test.c b/testsuite/meta-mac-test.c index 09cb5e9fd11c..4f61c3173ec3 100644 --- a/testsuite/meta-mac-test.c +++ b/testsuite/meta-mac-test.c @@ -5,6 +5,7 @@ const char* macs[] = { "cmac_aes128", "cmac_aes256", + "cmac_des3", "hmac_md5", "hmac_ripemd160", "hmac_sha1", -- 2.20.1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listi
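Review bot: The second parameter of the new `_NETTLE_CMAC64(name, AES)` macro is named `AES`, but its only use in this patch is `_NETTLE_CMAC64(cmac_des3, DES3)` in cmac-des3-meta.c, where it expands to `DES3_KEY_SIZE`; the name misdescribes what is passed. Renaming it — `#define _NETTLE_CMAC64(name, CIPHER) {\` and `CIPHER##_KEY_SIZE, \` — costs nothing, and a one-line comment above the macro, `/* Expands to a struct nettle_mac initializer for the CMAC64 MAC `name` over block cipher CIPHER, which must provide a CIPHER_KEY_SIZE macro. */`, would document the expected arguments. The `0,` and `NULL,` entries between the key size and `name##_update` are not labelled; a trailing comment on each naming the struct nettle_mac field it fills would help readers matching the initializer against the struct.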