Re: [PATCH 3/5] block-internal: add block XORing functions
Hello, вт, 3 сент. 2019 г. в 20:05, Niels Möller : > > dbarysh...@gmail.com writes: > > > From: Dmitry Eremin-Solenikov > > > > Add common implementations for functions doing XOR over > > nettle_block16/nettle_block8. > > I've merged the first two patches. Thanks! Do you know if anyone is using > GCM_TABLE_BITS 4? I've tested that it still works, both before and after > your change, but I don't test it regularly. I don't know. As the size difference between GCM_TABLE_BITS being 4 and 8 is not that big, maybe we can drop it altogether. I can send a patch ;-) > > +static inline void > > +block16_xor_bytes (union nettle_block16 *r, > > +const union nettle_block16 *x, > > +const uint8_t *bytes) > > +{ > > + memxor3 (r->b, x->b, bytes, 16); > > +} > > [...] > > > +static inline void > > +block8_xor_bytes (union nettle_block8 *r, > > +const union nettle_block8 *x, > > +const uint8_t *bytes) > > +{ > > + memxor3 (r->b, x->b, bytes, 8); > > +} > > Not sure these two wrappers are that helpful. Do you have a good > reason to add them? They fit into cmac128/cmac64/siv-cmac code, as they simplify code there a bit. Using them you just say that Block1 = Block2 ^ bytestring, rather than XORing Block.b fields. If you'd like, I can drop them, but from my point of view they look like good encapsulation. > > The rest of the patch looks like a nice consolidation. > > > --- a/gcm.c > > +++ b/gcm.c > > @@ -53,16 +53,10 @@ > > #include "nettle-internal.h" > > #include "macros.h" > > #include "ctr-internal.h" > > +#include "block-internal.h" > > > > #define GHASH_POLYNOMIAL 0xE1UL > > > > -static void > > -gcm_gf_add (union nettle_block16 *r, > > - const union nettle_block16 *x, const union nettle_block16 *y) > > -{ > > - r->u64[0] = x->u64[0] ^ y->u64[0]; > > - r->u64[1] = x->u64[1] ^ y->u64[1]; > > -} > > /* Multiplication by 010...0; a big-endian shift right. If the bit > > shifted out is one, the defining polynomial is added to cancel it > > out. r == x is allowed. */ 
> > @@ -108,7 +102,7 @@ gcm_gf_mul (union nettle_block16 *x, const union > > nettle_block16 *y) > >for (j = 0; j < 8; j++, b <<= 1) > > { > > if (b & 0x80) > > - gcm_gf_add(&Z, &Z, &V); > > + block16_xor3(&Z, &Z, &V); > > This and a few other calls below can be block16_xor rather than block16_xor3. Will fix in the next iteration. -- With best wishes Dmitry ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
Re: [PATCH 3/5] block-internal: add block XORing functions
dbarysh...@gmail.com writes: > From: Dmitry Eremin-Solenikov > > Add common implementations for functions doing XOR over > nettle_block16/nettle_block8. I've merged the first two patches. Thanks! Do you know if anyone is using GCM_TABLE_BITS 4? I've tested that it still works, both before and after your change, but I don't test it regularly. > +static inline void > +block16_xor_bytes (union nettle_block16 *r, > +const union nettle_block16 *x, > +const uint8_t *bytes) > +{ > + memxor3 (r->b, x->b, bytes, 16); > +} [...] > +static inline void > +block8_xor_bytes (union nettle_block8 *r, > +const union nettle_block8 *x, > +const uint8_t *bytes) > +{ > + memxor3 (r->b, x->b, bytes, 8); > +} Not sure these two wrappers are that helpful. Do you have a good reason to add them? The rest of the patch looks like a nice consolidation. > --- a/gcm.c > +++ b/gcm.c > @@ -53,16 +53,10 @@ > #include "nettle-internal.h" > #include "macros.h" > #include "ctr-internal.h" > +#include "block-internal.h" > > #define GHASH_POLYNOMIAL 0xE1UL > > -static void > -gcm_gf_add (union nettle_block16 *r, > - const union nettle_block16 *x, const union nettle_block16 *y) > -{ > - r->u64[0] = x->u64[0] ^ y->u64[0]; > - r->u64[1] = x->u64[1] ^ y->u64[1]; > -} > /* Multiplication by 010...0; a big-endian shift right. If the bit > shifted out is one, the defining polynomial is added to cancel it > out. r == x is allowed. */ > @@ -108,7 +102,7 @@ gcm_gf_mul (union nettle_block16 *x, const union > nettle_block16 *y) >for (j = 0; j < 8; j++, b <<= 1) > { > if (b & 0x80) > - gcm_gf_add(&Z, &Z, &V); > + block16_xor3(&Z, &Z, &V); This and few other calls below can be block16_xor rather than block16_xor3. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
[PATCH 3/5] block-internal: add block XORing functions
From: Dmitry Eremin-Solenikov Add common implementations for functions doing XOR over nettle_block16/nettle_block8. Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 3 +- block-internal.h | 93 cmac.c | 11 +++--- cmac64.c | 12 +++ eax.c| 9 + gcm.c| 20 --- siv-cmac.c | 9 ++--- 7 files changed, 120 insertions(+), 37 deletions(-) create mode 100644 block-internal.h
diff --git a/Makefile.in b/Makefile.in
index af4f6e46ee9b..f6658c86341c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -230,7 +230,8 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \
 INSTALL NEWS ChangeLog \
 nettle.pc.in hogweed.pc.in \
 $(des_headers) descore.README desdata.stamp \
- aes-internal.h camellia-internal.h cmac-internal.h serpent-internal.h \
+ aes-internal.h block-internal.h \
+ camellia-internal.h cmac-internal.h serpent-internal.h \
 cast128_sboxes.h desinfo.h desCode.h \
 ripemd160-internal.h sha2-internal.h \
 memxor-internal.h nettle-internal.h nettle-write.h \
diff --git a/block-internal.h b/block-internal.h
new file mode 100644
index ..84839c872f63
--- /dev/null
+++ b/block-internal.h
@@ -0,0 +1,93 @@
+/* block-internal.h
+
+ Internal implementations of nettle_blockZ-related functions.
+
+ Copyright (C) 2011 Katholieke Universiteit Leuven
+ Copyright (C) 2011, 2013, 2018 Niels Möller
+ Copyright (C) 2018 Red Hat, Inc.
+ Copyright (C) 2019 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED
+#define NETTLE_BLOCK_INTERNAL_H_INCLUDED
+
+#include
+
+#include "nettle-types.h"
+#include "memxor.h"
+
+static inline void
+block16_xor (union nettle_block16 *r,
+const union nettle_block16 *x)
+{
+ r->u64[0] ^= x->u64[0];
+ r->u64[1] ^= x->u64[1];
+}
+
+static inline void
+block16_xor3 (union nettle_block16 *r,
+ const union nettle_block16 *x,
+ const union nettle_block16 *y)
+{
+ r->u64[0] = x->u64[0] ^ y->u64[0];
+ r->u64[1] = x->u64[1] ^ y->u64[1];
+}
+
+static inline void
+block16_xor_bytes (union nettle_block16 *r,
+ const union nettle_block16 *x,
+ const uint8_t *bytes)
+{
+ memxor3 (r->b, x->b, bytes, 16);
+}
+
+static inline void
+block8_xor (union nettle_block8 *r,
+const union nettle_block8 *x)
+{
+ r->u64 ^= x->u64;
+}
+
+static inline void
+block8_xor3 (union nettle_block8 *r,
+ const union nettle_block8 *x,
+ const union nettle_block8 *y)
+{
+ r->u64 = x->u64 ^ y->u64;
+}
+
+static inline void
+block8_xor_bytes (union nettle_block8 *r,
+ const union nettle_block8 *x,
+ const uint8_t *bytes)
+{
+ memxor3 (r->b, x->b, bytes, 8);
+}
+
+#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
diff --git a/cmac.c b/cmac.c
index 70ce8132d9d1..194324421c58 100644
--- a/cmac.c
+++ b/cmac.c
@@ -45,6 +45,7 @@ #include "memxor.h" #include "nettle-internal.h" #include "cmac-internal.h" +#include "block-internal.h" #include "macros.h" /* shift one and XOR with 0x87. */
@@ -119,12 +120,12 @@ cmac128_update(struct cmac128_ctx *ctx, const void *cipher, /* * now checksum everything but the last block */ - memxor3(Y.b, ctx->X.b, ctx->block.b, 16); + block16_xor3(&Y, &ctx->X, &ctx->block); encrypt(cipher, 16, ctx->X.b, Y.b); while (msg_len > 16) { - memxor3(Y.b, ctx->X.b, msg, 16); + block16_xor_bytes (&Y, &ctx->X, msg); encrypt(cipher, 16, ctx->X.b, Y.b); msg += 16; msg_len -= 16; 
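Review bot: None of the six new helpers in block-internal.h carries a comment, and `block16_xor_bytes`/`block8_xor_bytes` take a bare `const uint8_t *bytes` with no length, so the precondition that the caller supply at least 16 (respectively 8) readable bytes, which is what `memxor3 (r->b, x->b, bytes, 16)` consumes, is only discoverable by reading the body. A one-line comment above each, e.g. `/* r = x ^ bytes; BYTES must point to at least 16 readable bytes. */` (8 for the block8 variant), would record it at the declaration. `block16_xor3` and `block8_xor3` are safe with `r == x` or `r == y` because each u64 lane is read before it is written, which is worth stating in the style of the neighbouring gcm.c comment (`r == x is allowed`); whether `bytes` may overlap `r->b` in the `_bytes` variants depends on memxor3's overlap rules and should be stated as well, since cmac.c now passes message pointers straight through. The first `#include` after the guard shows no header name in this rendering, presumably a system header lost in extraction rather than in the patch itself.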
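Review bot: In the cmac128_update hunk the new call `block16_xor_bytes (&Y, &ctx->X, msg);` puts a space before the parenthesis while `block16_xor3(&Y, &ctx->X, &ctx->block);` a few lines earlier in the same hunk does not, and the surrounding cmac.c calls (`encrypt(cipher, 16, ctx->X.b, Y.b);`, the removed `memxor3(...)`) use no space; pick one form for the new calls. The same mixed spacing appears in the cmac128_digest hunk that follows (`block16_xor (&ctx->block, &key->K2);`). cmac128_update begins outside the hunk, so the declaration of `msg` is not visible here; the new helper takes `const uint8_t *`, which is fine provided `msg` is a byte pointer, as the `msg += 16` arithmetic suggests.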
@@ -151,14 +152,14 @@ cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key, ctx->block.b[ctx->index] = 0x80; memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index); - memxor(ctx->block.b, key->K2.b, 16); + block16_xor (&ctx->block, &key->K2); } else { - memxor(ctx->block.b, key->K1