git clone is unreliable for nettle
Hi Niels,

for a while now (a few weeks at most), I see sporadic failures when cloning nettle, e.g. when building nettle on the OSS-Fuzz platform:

Step #1: fatal: unable to access 'https://git.lysator.liu.se/nettle/nettle.git/': Couldn't connect to server
Step #1: The command '/bin/sh -c git clone --depth=1 https://git.lysator.liu.se/nettle/nettle.git' returned a non-zero code: 128

Is there an access limit per IP address or something like that? And if yes, do you recommend setting up a mirror?

Regards,
Tim

___
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[RFC] ecc: switch away from affine points representation
From: Dmitry Eremin-Solenikov Use jacobian/harmonized representation in ecc_point structure. This is an RFC patch for now, j_to_a/eh_to_a are not modified to produce y coordinate only, more tests are necessary most probably. Signed-off-by: Dmitry Eremin-Solenikov --- ecc-a-to-j.c| 12 +++ ecc-ecdsa-sign.c| 2 +- ecc-ecdsa-verify.c | 4 ++-- ecc-eh-to-a.c | 17 --- ecc-internal.h | 20 ++--- ecc-j-to-a.c| 15 +++-- ecc-mul-a-eh.c | 13 +-- ecc-mul-a.c | 18 +++- ecc-point-mul-g.c | 8 +++ ecc-point-mul.c | 2 +- ecc-point.c | 36 +-- ecdsa-keygen.c | 7 +++--- eddsa-compress.c| 2 +- eddsa-decompress.c | 1 + eddsa-verify.c | 2 +- testsuite/ecc-add-test.c| 5 - testsuite/ecc-dup-test.c| 10 - testsuite/ecc-mul-a-test.c | 22 --- testsuite/ecc-mul-g-test.c | 4 ++-- testsuite/ecdsa-keygen-test.c | 38 ++--- testsuite/eddsa-compress-test.c | 8 +-- testsuite/eddsa-verify-test.c | 2 +- testsuite/testutils.c | 2 +- 23 files changed, 152 insertions(+), 98 deletions(-) diff --git a/ecc-a-to-j.c b/ecc-a-to-j.c index 9fb0d2b80c41..895502e0fe20 100644 --- a/ecc-a-to-j.c +++ b/ecc-a-to-j.c @@ -40,11 +40,12 @@ void ecc_a_to_j (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p) + mp_limb_t *r, const mpz_t x, const mpz_t y) { if (ecc->use_redc) { - mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size); + mpz_limbs_copy (r + ecc->p.size, x, ecc->p.size); + mpz_limbs_copy (r + 2 * ecc->p.size, y, ecc->p.size); mpn_zero (r, ecc->p.size); ecc->p.mod (&ecc->p, r); @@ -52,8 +53,11 @@ ecc_a_to_j (const struct ecc_curve *ecc, mpn_zero (r + ecc->p.size, ecc->p.size); ecc->p.mod (&ecc->p, r + ecc->p.size); } - else if (r != p) -mpn_copyi (r, p, 2*ecc->p.size); + else +{ + mpz_limbs_copy (r, x, ecc->p.size); + mpz_limbs_copy (r + ecc->p.size, y, ecc->p.size); +} mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size); } diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c index 3b9e9cc1a35d..87239b7cccb6 100644 --- a/ecc-ecdsa-sign.c +++ b/ecc-ecdsa-sign.c 
@@ -80,7 +80,7 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size); /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); + ecc->h_to_a (ecc, 2, rp, NULL, P, P + 3*ecc->p.size); /* Invert k, uses 4 * ecc->p.size including scratch */ ecc->q.invert (&ecc->q, kinv, kp, tp); /* NOTE: Also clobbers hp */ diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c index d7f5b684841a..120b12965fd5 100644 --- a/ecc-ecdsa-verify.c +++ b/ecc-ecdsa-verify.c @@ -64,7 +64,7 @@ mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc) { /* Largest storage need is for the ecc->mul call. */ - return 5*ecc->p.size + ecc->mul_itch; + return 6*ecc->p.size + ecc->mul_itch; } /* FIXME: Use faster primitives, not requiring side-channel silence. */ @@ -145,7 +145,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size); } /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size); + ecc->h_to_a (ecc, 2, P2, NULL, P1, P1 + 3*ecc->p.size); return (mpn_cmp (rp, P2, ecc->p.size) == 0); #undef P2 diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c index 8173b887d59d..851dcb8d592a 100644 --- a/ecc-eh-to-a.c +++ b/ecc-eh-to-a.c @@ -43,7 +43,8 @@ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, -mp_limb_t *r, const mp_limb_t *p, +mp_limb_t *x, mp_limb_t *y, +const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch @@ -60,8 +61,8 @@ ecc_eh_to_a (const struct ecc_curve *ecc, ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); ecc_modp_mul (ecc, tp, xp, izp); - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, tp, ecc->p.size); + cy = mpn_sub_n (x, tp, ecc->p.m, ecc->p.size); + cnd_copy (cy, x, tp, ecc->p.size); if (op) { 
@@ -75,14 +76,14 @@ ecc_eh_to_a (const struct ecc_curve *ecc, unsigned shift; assert (ecc->p.bit_size == 255); shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size, -r[ecc->p.size-1] >> shift); + cy = mpn_submul_1 (x, ecc->q.m, ecc->p.size, +x[ecc->p.size-1] >> shift); assert (cy < 2); - cnd_add_n (cy, r, ecc->q.m, ecc->p.size); + cnd_add_n (cy, x, ec
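Review bot: the ecc-ecdsa-verify.c hunk raises ecc_ecdsa_verify_itch from `5*ecc->p.size + ecc->mul_itch` to `6*ecc->p.size + ecc->mul_itch`, but the only other change in that file (per the diffstat, 2 insertions and 2 deletions) is the extra NULL argument to `ecc->h_to_a`; P1, P2 and the scratch at `P1 + 3*ecc->p.size` are untouched. If the extra limbs are needed because the h_to_a/j_to_a scratch requirement grew under the new representation, say so in the commit message and revisit the comment "Largest storage need is for the ecc->mul call", which no longer explains the number.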
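Review bot: ecc-ecdsa-sign.c and ecc-ecdsa-verify.c now call `ecc->h_to_a (ecc, 2, rp, NULL, P, ...)` with NULL for the y output, while the new ecc_eh_to_a prototype `mp_limb_t *x, mp_limb_t *y` carries no hint that y may be NULL, and the visible part of ecc_eh_to_a only shows the x coordinate being written. Document in ecc-internal.h for which values of op the y output is required, and add an assertion (e.g. `assert (y || op == 2);`) at the top of ecc_eh_to_a and ecc_j_to_a so that a later caller passing NULL with op 0 or 1 fails loudly instead of dereferencing it; the commit message already notes that the x-only mode of these conversions is unfinished, so this is the place to pin the contract down.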
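Review bot: in the ecc-a-to-j.c hunk, dropping the `else if (r != p)` aliasing guard is correct now that x and y arrive as mpz_t values rather than a limb buffer overlapping r, but both branches now depend on x and y each fitting in `ecc->p.size` limbs when handed to `mpz_limbs_copy`. A one-line comment stating that the affine coordinates are expected to be reduced below p would make that precondition visible to callers such as ecc-point.c and the keygen code, which are also touched by this patch.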
[PATCH] ecc: rename source files with curves data
From: Dmitry Eremin-Solenikov

In preparation for adding GOST curve support, rename the source files and use the curve name as the eccdata parameter.
Signed-off-by: Dmitry Eremin-Solenikov --- .gitignore| 12 ++--- Makefile.in | 45 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 0 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 0 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 0 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 0 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 0 configure.ac | 5 +- ecc-25519.c => ecc-curve25519.c | 4 +- ecc-192.c => ecc-secp192r1.c | 4 +- ecc-224.c => ecc-secp224r1.c | 4 +- ecc-256.c => ecc-secp256r1.c | 4 +- ecc-384.c => ecc-secp384r1.c | 4 +- ecc-521.c => ecc-secp521r1.c | 4 +- eccdata.c | 51 +++ ...25519-modp.asm => ecc-curve25519-modp.asm} | 0 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 0 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 0 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 0 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 0 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 0 21 files changed, 74 insertions(+), 63 deletions(-) rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%) rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%) rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%) rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%) rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%) rename ecc-25519.c => ecc-curve25519.c (99%) rename ecc-192.c => ecc-secp192r1.c (98%) rename ecc-224.c => ecc-secp224r1.c (98%) rename ecc-256.c => ecc-secp256r1.c (99%) rename ecc-384.c => ecc-secp384r1.c (99%) rename ecc-521.c => ecc-secp521r1.c (98%) rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%) rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%) rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%) rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%) rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%) rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%) diff --git a/.gitignore b/.gitignore index b79c53f535ff..be10fbe959cc 100644 
--- a/.gitignore +++ b/.gitignore @@ -43,12 +43,12 @@ core /keymap.h /parity.h /rotors.h -/ecc-192.h -/ecc-224.h -/ecc-256.h -/ecc-384.h -/ecc-521.h -/ecc-25519.h +/ecc-curve25519.h +/ecc-secp192r1.h +/ecc-secp224r1.h +/ecc-secp256r1.h +/ecc-secp384r1.h +/ecc-secp521r1.h /version.h /nettle.aux /nettle.cp diff --git a/Makefile.in b/Makefile.in index 9f5b065a706a..89066ec6c3c2 100644 --- a/Makefile.in +++ b/Makefile.in @@ -174,8 +174,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ - ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c \ + ecc-curve25519.c ecc-secp192r1.c ecc-secp224r1.c \ + ecc-secp256r1.c ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ 
@@ -345,24 +345,24 @@ des.$(OBJEXT): des.c des.h $(des_headers) # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB -ecc-192.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp192r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB -ecc-224.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp224r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB -ecc-256.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp256r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp256r1 11 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 384: # k = 16, c = 6, S = 256, T = 80 ( 64
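Review bot: the Makefile.in hunk at @@ -345 changes the first eccdata argument from a bit size to a curve name (`192 8 6` becomes `secp192r1 8 6`), which is an interface change to the eccdata tool that the commit message should state explicitly; the eccdata.c change (51 lines in the diffstat, not shown in this excerpt) should reject an unknown curve name with a clear error message rather than silently generating nothing. Since only the generation rules are visible here, also confirm that the rest of the 45-line Makefile.in change updates the clean targets and the per-object dependencies on the renamed ecc-*.h headers, otherwise stale ecc-192.h style files will linger in existing build trees.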
Re: ECC code rework
Dmitry Eremin-Solenikov writes:

>> I've just pushed a change to the .gitlab-ci file, so I hope the next
>> build looks better.
>
> GnuTLS also received an MR to fix tests in the minimal build, so the next
> master-updates build should succeed.

It looks green now. Just merged those changes over to master. Please
remind me to remove --disable-gost when things have stabilized.

> The problem is that both 3.5(.1) and master have the same version. I just
> hope that we can get all ECC changes into a single release.

Version checks on master will unfortunately never be quite reliable.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
Re: ECC code rework
Hello,

Sun, 24 Nov 2019 at 11:45, Niels Möller:
>
> Dmitry Eremin-Solenikov writes:
>
> > GOST curve support in GnuTLS depends on the exact Nettle ABI. I'd propose
> > to add --disable-gost to Nettle's GnuTLS execution for now, till the ECC
> > ABI gets stable again.
>
> I've just pushed a change to the .gitlab-ci file, so I hope the next
> build looks better.

GnuTLS also received an MR to fix tests in the minimal build, so the next
master-updates build should succeed.

> > An alternative approach would be to define a symbol like
> > NETTLE_ECC_ABI_2 which can be used to detect ECC ABI compatibility.
>
> For code depending on nettle internals, maybe you can use facilities in
> nettle/version.h (both compile-time and runtime checks would be
> appropriate, since changes to struct ecc_curve are no longer considered a
> change to the public ABI, and will not imply an soname change or
> anything like that).

The problem is that both 3.5(.1) and master have the same version. I just
hope that we can get all ECC changes into a single release.

> > ed25519 should not be directly tied to ABI compat. I'll take a look.

Should work now. The test message was misleading. It also was a GOST issue.

-- 
With best wishes
Dmitry
Re: ECC code rework
Dmitry Eremin-Solenikov writes:

> GOST curve support in GnuTLS depends on the exact Nettle ABI. I'd propose
> to add --disable-gost to Nettle's GnuTLS execution for now, till the ECC
> ABI gets stable again.

I've just pushed a change to the .gitlab-ci file, so I hope the next
build looks better.

> An alternative approach would be to define a symbol like
> NETTLE_ECC_ABI_2 which can be used to detect ECC ABI compatibility.

For code depending on nettle internals, maybe you can use facilities in
nettle/version.h (both compile-time and runtime checks would be
appropriate, since changes to struct ecc_curve are no longer considered a
change to the public ABI, and will not imply an soname change or
anything like that).

> ed25519 should not be directly tied to ABI compat. I'll take a look.

Thanks.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.