git clone is unreliable for nettle

2019-11-24 Thread Tim Rühsen
Hi Niels,

For a while now (at most a few weeks), I have been seeing sporadic failures when cloning
nettle.

E.g. when building nettle on the OSS-Fuzz platform:

Step #1: fatal: unable to access
'https://git.lysator.liu.se/nettle/nettle.git/': Couldn't connect to server
Step #1: The command '/bin/sh -c git clone --depth=1
https://git.lysator.liu.se/nettle/nettle.git' returned a non-zero code: 128

Is there an access limit per IP address, or something like that?
And if so, do you recommend setting up a mirror?

Regards, Tim





[RFC] ecc: switch away from affine points representation

2019-11-24 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Use jacobian/harmonized representation in ecc_point structure.

This is an RFC patch for now: j_to_a/eh_to_a are not yet modified to produce
the y coordinate only, and more tests are most probably necessary.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 ecc-a-to-j.c| 12 +++
 ecc-ecdsa-sign.c|  2 +-
 ecc-ecdsa-verify.c  |  4 ++--
 ecc-eh-to-a.c   | 17 ---
 ecc-internal.h  | 20 ++---
 ecc-j-to-a.c| 15 +++--
 ecc-mul-a-eh.c  | 13 +--
 ecc-mul-a.c | 18 +++-
 ecc-point-mul-g.c   |  8 +++
 ecc-point-mul.c |  2 +-
 ecc-point.c | 36 +--
 ecdsa-keygen.c  |  7 +++---
 eddsa-compress.c|  2 +-
 eddsa-decompress.c  |  1 +
 eddsa-verify.c  |  2 +-
 testsuite/ecc-add-test.c|  5 -
 testsuite/ecc-dup-test.c| 10 -
 testsuite/ecc-mul-a-test.c  | 22 ---
 testsuite/ecc-mul-g-test.c  |  4 ++--
 testsuite/ecdsa-keygen-test.c   | 38 ++---
 testsuite/eddsa-compress-test.c |  8 +--
 testsuite/eddsa-verify-test.c   |  2 +-
 testsuite/testutils.c   |  2 +-
 23 files changed, 152 insertions(+), 98 deletions(-)

diff --git a/ecc-a-to-j.c b/ecc-a-to-j.c
index 9fb0d2b80c41..895502e0fe20 100644
--- a/ecc-a-to-j.c
+++ b/ecc-a-to-j.c
@@ -40,11 +40,12 @@
 
 void
 ecc_a_to_j (const struct ecc_curve *ecc,
-   mp_limb_t *r, const mp_limb_t *p)
+   mp_limb_t *r, const mpz_t x, const mpz_t y)
 {
   if (ecc->use_redc)
 {
-  mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size);
+  mpz_limbs_copy (r + ecc->p.size, x, ecc->p.size);
+  mpz_limbs_copy (r + 2 * ecc->p.size, y, ecc->p.size);
 
   mpn_zero (r, ecc->p.size);
   ecc->p.mod (&ecc->p, r);
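Review bot: The new `const mpz_t x, const mpz_t y` parameters carry no stated precondition, yet this branch (and the non-redc branch in the next hunk) hands them to `mpz_limbs_copy` with a fixed count of `ecc->p.size` limbs, so a coordinate that is not already reduced modulo p would be copied unreduced on the non-redc path, and one that does not fit in p.size limbs would presumably trip the glue function's size check. Add a header comment on the definition stating the contract, e.g. `/* x and y must be canonical affine coordinates, 0 <= x, y < p, each fitting in ecc->p.size limbs; r receives 3*ecc->p.size limbs. */`. Dropping the old `r != p` aliasing guard looks correct, since r can no longer alias an mpz_t input.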
@@ -52,8 +53,11 @@ ecc_a_to_j (const struct ecc_curve *ecc,
   mpn_zero (r + ecc->p.size, ecc->p.size);
   ecc->p.mod (&ecc->p, r + ecc->p.size);
 }
-  else if (r != p)
-mpn_copyi (r, p, 2*ecc->p.size);
+  else
+{
+  mpz_limbs_copy (r, x, ecc->p.size);
+  mpz_limbs_copy (r + ecc->p.size, y, ecc->p.size);
+}
 
   mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size);
 }
diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c
index 3b9e9cc1a35d..87239b7cccb6 100644
--- a/ecc-ecdsa-sign.c
+++ b/ecc-ecdsa-sign.c
@@ -80,7 +80,7 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc,
 
   ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size);
   /* x coordinate only, modulo q */
-  ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size);
+  ecc->h_to_a (ecc, 2, rp, NULL, P, P + 3*ecc->p.size);
 
   /* Invert k, uses 4 * ecc->p.size including scratch */
   ecc->q.invert (&ecc->q, kinv, kp, tp); /* NOTE: Also clobbers hp */
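Review bot: Passing `NULL` as the new y argument in `ecc->h_to_a (ecc, 2, rp, NULL, P, P + 3*ecc->p.size);` is only safe if every h_to_a implementation leaves the y output untouched when op == 2; the ecc_eh_to_a hunks in this patch show x being written but the y handling is outside the visible hunks, and the ecc_j_to_a change is not shown. The same call pattern appears in ecc-ecdsa-verify.c. The contract should be spelled out on the h_to_a function pointer in ecc-internal.h, e.g. `/* y may be NULL only when op == 2 (x coordinate only); otherwise x and y each receive ecc->p.size limbs. */`, and backed by a test that exercises the NULL path for both the Weierstrass and Edwards conversions.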
diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c
index d7f5b684841a..120b12965fd5 100644
--- a/ecc-ecdsa-verify.c
+++ b/ecc-ecdsa-verify.c
@@ -64,7 +64,7 @@ mp_size_t
 ecc_ecdsa_verify_itch (const struct ecc_curve *ecc)
 {
   /* Largest storage need is for the ecc->mul call. */
-  return 5*ecc->p.size + ecc->mul_itch;
+  return 6*ecc->p.size + ecc->mul_itch;
 }
 
 /* FIXME: Use faster primitives, not requiring side-channel silence. */
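Review bot: The itch change from `5*ecc->p.size` to `6*ecc->p.size` is not explained, and the comment directly above it still says the largest need is the `ecc->mul` call, which this patch does not alter. If the extra p.size limbs are for converting the affine public key into the new point representation before the `ecc->mul`, the comment should say so, e.g. `/* Largest storage need is for the ecc->mul call, plus one extra p.size for converting the public key. */`; otherwise the actual reason should be stated. The scratch partitioning inside ecc_ecdsa_verify is outside this hunk, so the new layout cannot be checked here.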
@@ -145,7 +145,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
   ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size);
 }
   /* x coordinate only, modulo q */
-  ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size);
+  ecc->h_to_a (ecc, 2, P2, NULL, P1, P1 + 3*ecc->p.size);
 
   return (mpn_cmp (rp, P2, ecc->p.size) == 0);
 #undef P2
diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c
index 8173b887d59d..851dcb8d592a 100644
--- a/ecc-eh-to-a.c
+++ b/ecc-eh-to-a.c
@@ -43,7 +43,8 @@
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
 int op,
-mp_limb_t *r, const mp_limb_t *p,
+mp_limb_t *x, mp_limb_t *y,
+const mp_limb_t *p,
 mp_limb_t *scratch)
 {
 #define izp scratch
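Review bot: Splitting the single output `r` into `mp_limb_t *x, mp_limb_t *y` changes this function's contract, but nothing in the hunk documents the new parameters: the size of each output, which of them op selects, and whether y may be NULL (callers elsewhere in this patch pass NULL for it). A comment on the definition such as `/* x, y: outputs of ecc->p.size limbs each; y may be NULL when only the x coordinate is requested (op == 2). */` would make the contract checkable against the callers. The function body continues past this hunk.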
@@ -60,8 +61,8 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
   ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
 
   ecc_modp_mul (ecc, tp, xp, izp);
-  cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
-  cnd_copy (cy, r, tp, ecc->p.size);
+  cy = mpn_sub_n (x, tp, ecc->p.m, ecc->p.size);
+  cnd_copy (cy, x, tp, ecc->p.size);
 
   if (op)
 {
@@ -75,14 +76,14 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
  unsigned shift;
  assert (ecc->p.bit_size == 255);
  shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1);
- cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size,
-r[ecc->p.size-1] >> shift);
+ cy = mpn_submul_1 (x, ecc->q.m, ecc->p.size,
+x[ecc->p.size-1] >> shift);
  assert (cy < 2);
- cnd_add_n (cy, r, ecc->q.m, ecc->p.size);
+ cnd_add_n (cy, x, ec

[PATCH] ecc: rename source files with curves data

2019-11-24 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

In preparation for adding GOST curves support, rename the source files and
use the curve name as the eccdata parameter.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore| 12 ++---
 Makefile.in   | 45 
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  0
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  0
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  0
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  0
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  0
 configure.ac  |  5 +-
 ecc-25519.c => ecc-curve25519.c   |  4 +-
 ecc-192.c => ecc-secp192r1.c  |  4 +-
 ecc-224.c => ecc-secp224r1.c  |  4 +-
 ecc-256.c => ecc-secp256r1.c  |  4 +-
 ecc-384.c => ecc-secp384r1.c  |  4 +-
 ecc-521.c => ecc-secp521r1.c  |  4 +-
 eccdata.c | 51 +++
 ...25519-modp.asm => ecc-curve25519-modp.asm} |  0
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  0
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  0
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  0
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  0
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  0
 21 files changed, 74 insertions(+), 63 deletions(-)
 rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%)
 rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%)
 rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%)
 rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%)
 rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%)
 rename ecc-25519.c => ecc-curve25519.c (99%)
 rename ecc-192.c => ecc-secp192r1.c (98%)
 rename ecc-224.c => ecc-secp224r1.c (98%)
 rename ecc-256.c => ecc-secp256r1.c (99%)
 rename ecc-384.c => ecc-secp384r1.c (99%)
 rename ecc-521.c => ecc-secp521r1.c (98%)
 rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%)
 rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%)
 rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%)
 rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%)
 rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%)
 rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%)

diff --git a/.gitignore b/.gitignore
index b79c53f535ff..be10fbe959cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,12 +43,12 @@ core
 /keymap.h
 /parity.h
 /rotors.h
-/ecc-192.h
-/ecc-224.h
-/ecc-256.h
-/ecc-384.h
-/ecc-521.h
-/ecc-25519.h
+/ecc-curve25519.h
+/ecc-secp192r1.h
+/ecc-secp224r1.h
+/ecc-secp256r1.h
+/ecc-secp384r1.h
+/ecc-secp521r1.h
 /version.h
 /nettle.aux
 /nettle.cp
diff --git a/Makefile.in b/Makefile.in
index 9f5b065a706a..89066ec6c3c2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -174,8 +174,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  gmp-glue.c cnd-copy.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
- ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \
- ecc-25519.c \
+ ecc-curve25519.c ecc-secp192r1.c ecc-secp224r1.c \
+ ecc-secp256r1.c ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
  ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \
  ecc-eh-to-a.c \
@@ -345,24 +345,24 @@ des.$(OBJEXT): des.c des.h $(des_headers)
 # k = 14, c =  7, S = 256, T =  42 ( 28 A + 14 D) 12 KB
 # k = 11, c =  6, S = 192, T =  44 ( 33 A + 11 D)  9 KB
 # k = 16, c =  6, S = 128, T =  48 ( 32 A + 16 D)  6 KB
-ecc-192.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp192r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
 # Some reasonable choices for 224:
 # k = 16, c =  7, S = 256, T =  48 ( 32 A + 16 D) ~16 KB
 # k = 10, c =  6, S = 256, T =  50 ( 40 A + 10 D) ~16 KB
 # k = 13, c =  6, S = 192, T =  52 ( 39 A + 13 D) ~12 KB
 # k =  9, c =  5, S = 160, T =  54 ( 45 A +  9 D) ~10 KB
-ecc-224.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp224r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv 
$@T $@
 
 # Some reasonable choices for 256:
 # k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
 # k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
 # k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
 # k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
-ecc-256.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp256r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp256r1 11 6 $(NUMB_BITS) > $@T && mv 
$@T $@
 
 # Some reasonable choices for 384:
 # k = 16, c =  6, S = 256, T =  80 ( 64 

Re: ECC code rework

2019-11-24 Thread Niels Möller
Dmitry Eremin-Solenikov  writes:

>> I've just pushed a change to the .gitlab-ci file, so I hope the next
>> build looks better.
>
> GnuTLS also received a MR to fix tests in minimal build, so next
> master-updates build should succeed.

It looks green now. I have just merged those changes over to master. Please
remind me to remove --disable-gost when things have stabilized.

> The problem is that both 3.5(.1) and master have same version. I just
> hope that we can get all ECC changes in single release.

Version checks on master will unfortunately never be quite reliable.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.


Re: ECC code rework

2019-11-24 Thread Dmitry Eremin-Solenikov
Hello,

вс, 24 нояб. 2019 г. в 11:45, Niels Möller :
>
> Dmitry Eremin-Solenikov  writes:
>
> > GOST curves support in GnuTLS depends on exact Nettle ABI. I'd propose
> > to add --disable-gost to Nettle's GnuTLS execution for now, till ECC
> > ABI gets stable again.
>
> I've just pushed a change to the .gitlab-ci file, so I hope the next
> build looks better.

GnuTLS also received an MR to fix the tests in the minimal build, so the next
master-updates build should succeed.

> > An alternative approach would be to define a symbol like
> > NETTLE_ECC_ABI_2 which can be used to detect ECC ABI compatibility.
>
> For code depending on nettle internals, maybe you can use facilities in
> nettle/version.h (both compile time and runtime check would be
> appropriate, since changes to struct ecc_curve is no longer considered a
> change to the public abi, and will not imply an soname change or
> anything like that).

The problem is that both 3.5(.1) and master have the same version. I just
hope that we can get all the ECC changes into a single release.

> > ed25519 should not be directly tied to ABI compat. I'll take a look.

Should work now. The test message was misleading. It also was a GOST issue.

-- 
With best wishes
Dmitry


Re: ECC code rework

2019-11-24 Thread Niels Möller
Dmitry Eremin-Solenikov  writes:

> GOST curves support in GnuTLS depends on the exact Nettle ABI. I'd propose
> adding --disable-gost to Nettle's GnuTLS CI run for now, until the ECC
> ABI is stable again.

I've just pushed a change to the .gitlab-ci file, so I hope the next
build looks better.

> An alternative approach would be to define a symbol like
> NETTLE_ECC_ABI_2 which can be used to detect ECC ABI compatibility.

For code depending on nettle internals, maybe you can use facilities in
nettle/version.h (both compile time and runtime check would be
appropriate, since changes to struct ecc_curve is no longer considered a
change to the public abi, and will not imply an soname change or
anything like that).

> ed25519 should not be directly tied to ABI compat. I'll take a look.

Thanks.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.