[PATCH 5/5] gcm: move block shifting function to block-internal.h
From: Dmitry Eremin-Solenikov Move GCM's block shift function to block-internal.h. This concludes moving of all Galois mul-by-2 to single header. Signed-off-by: Dmitry Eremin-Solenikov --- block-internal.h | 29 + gcm.c| 15 ++- 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/block-internal.h b/block-internal.h index 8cc30f6f5a02..874e4dbe1929 100644 --- a/block-internal.h +++ b/block-internal.h @@ -166,4 +166,33 @@ block8_lshift_be (union nettle_block8 *dst, } #endif /* !WORDS_BIGENDIAN */ +#if WORDS_BIGENDIAN +static inline void +block16_rshift_be (union nettle_block16 *r, + const union nettle_block16 *x, + uint64_t poly) +{ + uint64_t mask; + + /* Shift uses big-endian representation. */ + mask = - (x->u64[1] & 1); + r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); + r->u64[0] = (x->u64[0] >> 1) ^ (mask & (poly << 56)); +} +#else /* ! WORDS_BIGENDIAN */ +static inline void +block16_rshift_be (union nettle_block16 *r, + const union nettle_block16 *x, + uint64_t poly) +{ + uint64_t mask; + + /* Shift uses big-endian representation. */ + mask = - ((x->u64[1] >> 56) & 1); + r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); + r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & poly); +} +#endif /* ! WORDS_BIGENDIAN */ + +/* shift one and XOR with 0x87. */ #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/gcm.c b/gcm.c index 17c889e67553..eca6ab6cab25 100644 --- a/gcm.c +++ b/gcm.c 
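Review bot: The hunk ends with an orphaned comment, `+/* shift one and XOR with 0x87. */`, sitting directly before the include guard's `#endif` with no definition after it; it reads like a remnant of the CMAC comment and should be dropped or replaced by a description of block16_rshift_be. The new function itself has no contract comment, while the text that explains it (`Multiplication by 010...0; a big-endian shift right. If the bit shifted out is one, the defining polynomial is added to cancel it out. r == x is allowed.`) stays in gcm.c above what is now a one-line wrapper in the second hunk; moving that text onto block16_rshift_be keeps the explanation next to the arithmetic it describes. It would also help to state that `poly` is passed as a plain byte value: both branches place it in byte 0 of the block (the big-endian branch shifts it itself, `mask & (poly << 56)`, the little-endian branch uses `mask & poly` on the low byte), and callers must not pre-shift it. For consistency with the neighbouring `block16_lshift_*` helpers, the parameters could be named `dst, src` rather than `r, x`.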
@@ -60,21 +60,10 @@ /* Multiplication by 010...0; a big-endian shift right. If the bit shifted out is one, the defining polynomial is added to cancel it out. r == x is allowed. */ -static void +static inline void gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x) { - uint64_t mask; - - /* Shift uses big-endian representation. */ -#if WORDS_BIGENDIAN - mask = - (x->u64[1] & 1); - r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); - r->u64[0] = (x->u64[0] >> 1) ^ (mask & ((uint64_t) GHASH_POLYNOMIAL << 56)); -#else /* ! WORDS_BIGENDIAN */ - mask = - ((x->u64[1] >> 56) & 1); - r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); - r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & GHASH_POLYNOMIAL); -#endif /* ! WORDS_BIGENDIAN */ + block16_rshift_be (r, x, GHASH_POLYNOMIAL); } #if GCM_TABLE_BITS == 0 -- 2.23.0.rc1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH 4/5] block modes: move Galois shifts to block-internal.h
From: Dmitry Eremin-Solenikov Move Galois polynomial shifts to block-internal.h, simplifying common code. GCM is left unconverted for now, this will be fixed later. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 2 +- block-internal.h | 76 +++ cmac-internal.h | 54 - cmac.c| 20 ++--- cmac64.c | 21 ++--- eax.c | 18 ++- gcm.c | 4 --- siv-cmac-aes128.c | 1 - siv-cmac-aes256.c | 1 - siv-cmac.c| 9 +- xts.c | 18 ++- 11 files changed, 94 insertions(+), 130 deletions(-) delete mode 100644 cmac-internal.h diff --git a/Makefile.in b/Makefile.in index f6658c86341c..ae9c8a7563f9 100644 --- a/Makefile.in +++ b/Makefile.in @@ -231,7 +231,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ nettle.pc.in hogweed.pc.in \ $(des_headers) descore.README desdata.stamp \ aes-internal.h block-internal.h \ - camellia-internal.h cmac-internal.h serpent-internal.h \ + camellia-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h nettle-write.h \ diff --git a/block-internal.h b/block-internal.h index 84839c872f63..8cc30f6f5a02 100644 --- a/block-internal.h +++ b/block-internal.h 
@@ -90,4 +90,80 @@ block8_xor_bytes (union nettle_block8 *r, memxor3 (r->b, x->b, bytes, 8); } +#define LSHIFT_WORD(x) x) & 0x7f7f7f7f7f7f7f7f) << 1) | \ + (((x) & 0x8080808080808080) >> 15)) +#define RSHIFT_WORD(x) x) & 0xfefefefefefefefe) >> 1) | \ + (((x) & 0x0001010101010101) << 15)) + +/* Galois multiplications by 2: + * functions differ in shifting right or left, big- or little- endianness + * and by defininy polynom. + * r == x is allowed. */ + +#if WORDS_BIGENDIAN +static inline void +block16_lshift_be (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = src->u64[0] >> 63; + dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63); + dst->u64[1] = (src->u64[1] << 1) ^ (poly & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block16_lshift_be (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64[0] & 0x80) >> 7; + dst->u64[0] = LSHIFT_WORD(src->u64[0]) | ((src->u64[1] & 0x80) << 49); + dst->u64[1] = LSHIFT_WORD(src->u64[1]) ^ ((poly << 56) & -carry); +} +#endif /* !WORDS_BIGENDIAN */ + +#if WORDS_BIGENDIAN +static inline void +block16_lshift_le (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64[1] & 0x80) >> 7; + dst->u64[1] = LSHIFT_WORD(src->u64[1]) | ((src->u64[0] & 0x80) << 49); + dst->u64[0] = LSHIFT_WORD(src->u64[0]) ^ ((poly << 56) & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block16_lshift_le (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = src->u64[1] >> 63; + dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63); + dst->u64[0] = (src->u64[0] << 1) ^ (poly & -carry); +} +#endif /* !WORDS_BIGNDIAN */ + +#if WORDS_BIGENDIAN +static inline void +block8_lshift_be (union nettle_block8 *dst, + const union nettle_block8 *src, + uint64_t poly) +{ + uint64_t carry = src->u64 >> 63; + + dst->u64 = (src->u64 << 
1) ^ (poly & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block8_lshift_be (union nettle_block8 *dst, + const union nettle_block8 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64 & 0x80) >> 7; + + dst->u64 = LSHIFT_WORD(src->u64) ^ ((poly << 56) & -carry); +} +#endif /* !WORDS_BIGENDIAN */ + #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/cmac-internal.h b/cmac-internal.h deleted file mode 100644 index 80db7fcc58cd.. --- a/cmac-internal.h +++ /dev/null @@ -1,54 +0,0 @@ -/* cmac-internal.h - - CMAC mode internal functions - - Copyright (C) 2017 Red Hat, Inc. - - Contributed by Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful,
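Review bot: The block comment introducing the shift helpers has typos (`defininy polynom` should be `defining polynomial`) and one guard closes as `#endif /* !WORDS_BIGNDIAN */`; more importantly the comment does not say what `_be` and `_le` mean, which a reader will otherwise take for host byte order rather than the block's integer representation. Suggest `/* _be: the block is treated as a 128-bit big-endian integer and shifted toward byte 0; _le: little-endian, shifted toward byte 15. When the shifted-out bit is set, poly is XORed into the block's least-significant byte. r == x is allowed. */`, which matches where each branch places `poly` (`poly << 56` into u64[1] on little-endian hosts for `_be`, the low byte of u64[0] for `_le`). The `LSHIFT_WORD`/`RSHIFT_WORD` literals are written bare, unlike `RSHIFT_WORD_4` in gcm.c from patch 1/5, which wraps them in `UINT64_C(...)`; using the same form in the shared header keeps the two macros consistent. The parenthesization of the macro bodies cannot be confirmed from this rendering (the leading `(((` appear to have been lost), so check that each argument use and the full expansion are wrapped before this header is included from several translation units.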
[PATCH 2/5] cmac64: fix nettle_block16 usage
From: Dmitry Eremin-Solenikov CMAC64 uses block8, rather than block16. Signed-off-by: Dmitry Eremin-Solenikov --- cmac64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmac64.c b/cmac64.c index 2fbffc9b5ea6..636635ba478b 100644 --- a/cmac64.c +++ b/cmac64.c @@ -98,7 +98,7 @@ cmac64_update(struct cmac64_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg) { - union nettle_block16 Y; + union nettle_block8 Y; /* * check if we expand the block */ -- 2.23.0.rc1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
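Review bot: Shrinking `Y` from `union nettle_block16` to `union nettle_block8` halves the stack buffer, so every write into `Y.b` in the rest of cmac64_update, which continues outside this hunk, must use a length of 8; any remaining call of the form `memxor3(Y.b, ..., 16)` or `encrypt(cipher, 16, ..., Y.b)` would now write past the variable. The hunk shows only the declaration, so this cannot be confirmed here and is worth a quick check of the function body. A short comment on the declaration, `/* CMAC64 works on 8-byte blocks (block8), not block16 */`, would make the size expectation explicit for the next reader.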
[PATCH 3/5] block-internal: add block XORing functions
From: Dmitry Eremin-Solenikov Add common implementations for functions doing XOR over nettle_block16/nettle_block8. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 3 +- block-internal.h | 93 cmac.c | 11 +++--- cmac64.c | 12 +++ eax.c| 9 + gcm.c| 20 --- siv-cmac.c | 9 ++--- 7 files changed, 120 insertions(+), 37 deletions(-) create mode 100644 block-internal.h diff --git a/Makefile.in b/Makefile.in index af4f6e46ee9b..f6658c86341c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -230,7 +230,8 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ INSTALL NEWS ChangeLog \ nettle.pc.in hogweed.pc.in \ $(des_headers) descore.README desdata.stamp \ - aes-internal.h camellia-internal.h cmac-internal.h serpent-internal.h \ + aes-internal.h block-internal.h \ + camellia-internal.h cmac-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h nettle-write.h \ diff --git a/block-internal.h b/block-internal.h new file mode 100644 index ..84839c872f63 --- /dev/null +++ b/block-internal.h 
@@ -0,0 +1,93 @@ +/* block-internal.h + + Internal implementations of nettle_blockZ-related functions. + + Copyright (C) 2011 Katholieke Universiteit Leuven + Copyright (C) 2011, 2013, 2018 Niels Möller + Copyright (C) 2018 Red Hat, Inc. + Copyright (C) 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED +#define NETTLE_BLOCK_INTERNAL_H_INCLUDED + +#include + +#include "nettle-types.h" +#include "memxor.h" + +static inline void +block16_xor (union nettle_block16 *r, +const union nettle_block16 *x) +{ + r->u64[0] ^= x->u64[0]; + r->u64[1] ^= x->u64[1]; +} + +static inline void +block16_xor3 (union nettle_block16 *r, + const union nettle_block16 *x, + const union nettle_block16 *y) +{ + r->u64[0] = x->u64[0] ^ y->u64[0]; + r->u64[1] = x->u64[1] ^ y->u64[1]; +} + +static inline void +block16_xor_bytes (union nettle_block16 *r, + const union nettle_block16 *x, + const uint8_t *bytes) +{ + memxor3 (r->b, x->b, bytes, 16); +} + +static inline void +block8_xor (union nettle_block8 *r, +const union nettle_block8 *x) +{ + r->u64 ^= x->u64; +} + +static inline void +block8_xor3 (union nettle_block8 *r, + const union nettle_block8 *x, + const union nettle_block8 *y) +{ + r->u64 = x->u64 ^ y->u64; +} + +static inline void +block8_xor_bytes (union nettle_block8 *r, + const union nettle_block8 *x, + const uint8_t *bytes) +{ + memxor3 (r->b, x->b, bytes, 8); +} + +#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/cmac.c b/cmac.c index 70ce8132d9d1..194324421c58 100644 --- a/cmac.c +++ b/cmac.c @@ -45,6 +45,7 @@ #include "memxor.h" #include "nettle-internal.h" #include "cmac-internal.h" +#include "block-internal.h" #include "macros.h" /* shift one and XOR with 0x87. */ @@ -119,12 +120,12 @@ cmac128_update(struct cmac128_ctx *ctx, const void *cipher, /* * now checksum everything but the last block */ - memxor3(Y.b, ctx->X.b, ctx->block.b, 16); + block16_xor3(&Y, &ctx->X, &ctx->block); encrypt(cipher, 16, ctx->X.b, Y.b); while (msg_len > 16) { - memxor3(Y.b, ctx->X.b, msg, 16); + block16_xor_bytes (&Y, &ctx->X, msg); encrypt(cipher, 16, ctx->X.b, Y.b); msg += 16; msg_len -= 16; 
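Review bot: The six XOR helpers are added to a header meant to be shared by several modes, but none carries a contract comment; a single block comment above `block16_xor` would cover them, e.g. `/* XOR over nettle_block16 / nettle_block8: block*_xor is in place, block*_xor3 writes x ^ y to r, block*_xor_bytes writes x ^ bytes to r. For block*_xor3, r may alias x or y (each word is read before it is written); bytes must point to at least 16 (resp. 8) readable bytes. */`. The `bytes` variants go through `memxor3` on the `.b` member rather than the `u64` view, presumably because a caller's message pointer need not be aligned; saying so in the comment stops someone later "optimizing" them to 64-bit loads. The `#include` line appears without a file name in this rendering; assuming it is `<stdint.h>` for `uint8_t`/`uint64_t`, nothing else is needed, but it is worth confirming in the committed file.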
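Review bot: The two new calls in cmac128_update are spaced differently, `block16_xor3(&Y, &ctx->X, &ctx->block);` versus `block16_xor_bytes (&Y, &ctx->X, msg);`, in a file whose existing calls (`memxor3(`, `encrypt(`) have no space before the parenthesis; pick one form for both, e.g. `block16_xor_bytes(&Y, &ctx->X, msg);`. The same mix appears in the cmac128_digest hunk that follows (`block16_xor (&ctx->block, &key->K2);`), whose end lies outside this page.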
@@ -151,14 +152,14 @@ cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key, ctx->block.b[ctx->index] = 0x80; memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index); - memxor(ctx->block.b, key->K2.b, 16); + block16_xor (&ctx->block, &key->K2); } else { - memxor(ctx->block.b, key->K1
[PATCH 1/5] gcm: use uint64_t member of nettle_block16
From: Dmitry Eremin-Solenikov Remove last usage of unsigned long member of nettle_block16. Signed-off-by: Dmitry Eremin-Solenikov --- gcm.c | 47 --- 1 file changed, 12 insertions(+), 35 deletions(-) diff --git a/gcm.c b/gcm.c index a55f603f66d5..627097b24218 100644 --- a/gcm.c +++ b/gcm.c 
@@ -133,45 +133,22 @@ shift_table[0x10] = { static void gcm_gf_shift_4(union nettle_block16 *x) { - unsigned long *w = x->w; - unsigned long reduce; + uint64_t *u64 = x->u64; + uint64_t reduce; /* Shift uses big-endian representation. */ #if WORDS_BIGENDIAN -# if SIZEOF_LONG == 4 - reduce = shift_table[w[3] & 0xf]; - w[3] = (w[3] >> 4) | ((w[2] & 0xf) << 28); - w[2] = (w[2] >> 4) | ((w[1] & 0xf) << 28); - w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 28); - w[0] = (w[0] >> 4) ^ (reduce << 16); -# elif SIZEOF_LONG == 8 - reduce = shift_table[w[1] & 0xf]; - w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 60); - w[0] = (w[0] >> 4) ^ (reduce << 48); -# else -# error Unsupported word size. */ -#endif + reduce = shift_table[u64[1] & 0xf]; + u64[1] = (u64[1] >> 4) | ((u64[0] & 0xf) << 60); + u64[0] = (u64[0] >> 4) ^ (reduce << 48); #else /* ! WORDS_BIGENDIAN */ -# if SIZEOF_LONG == 4 -#define RSHIFT_WORD(x) \ - x) & 0xf0f0f0f0UL) >> 4) \ - | (((x) & 0x000f0f0f) << 12)) - reduce = shift_table[(w[3] >> 24) & 0xf]; - w[3] = RSHIFT_WORD(w[3]) | ((w[2] >> 20) & 0xf0); - w[2] = RSHIFT_WORD(w[2]) | ((w[1] >> 20) & 0xf0); - w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 20) & 0xf0); - w[0] = RSHIFT_WORD(w[0]) ^ reduce; -# elif SIZEOF_LONG == 8 -#define RSHIFT_WORD(x) \ - x) & 0xf0f0f0f0f0f0f0f0UL) >> 4) \ - | (((x) & 0x000f0f0f0f0f0f0fUL) << 12)) - reduce = shift_table[(w[1] >> 56) & 0xf]; - w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 52) & 0xf0); - w[0] = RSHIFT_WORD(w[0]) ^ reduce; -# else -# error Unsupported word size. */ -# endif -# undef RSHIFT_WORD +#define RSHIFT_WORD_4(x) \ + x) & UINT64_C(0xf0f0f0f0f0f0f0f0)) >> 4) \ + | (((x) & UINT64_C(0x000f0f0f0f0f0f0f)) << 12)) + reduce = shift_table[(u64[1] >> 56) & 0xf]; + u64[1] = RSHIFT_WORD_4(u64[1]) | ((u64[0] >> 52) & 0xf0); + u64[0] = RSHIFT_WORD_4(u64[0]) ^ reduce; +# undef RSHIFT_WORD_4 #endif /* ! WORDS_BIGENDIAN */ } -- 2.23.0.rc1 ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
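Review bot: `RSHIFT_WORD_4` is defined and `#undef`'d in the middle of gcm_gf_shift_4's body, inside the `#else` branch, and its macro parameter is spelled `x` like the function's own parameter; now that the SIZEOF_LONG variants are gone there is no reason to scope it so tightly, and defining it once at file scope next to the other word-shift macro, with a distinct parameter name, would read more naturally. The big-endian branch is unchanged in substance but now depends on `reduce` being `uint64_t` for `reduce << 48` to be a 64-bit shift; the table entries appear to be 16-bit values (the BE branch places them at bits 48..63, the LE branch XORs them into the low 16 bits of `u64[0]`), but shift_table's declaration is outside the hunk, so a comment such as `/* shift_table entries are 16-bit; put them in the block's first two bytes */` on the `reduce =` lines would document the assumption either way.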