[PATCH 5/5] gcm: move block shifting function to block-internal.h

2019-08-26 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Move GCM's block shift function to block-internal.h. This concludes
the move of all Galois mul-by-2 functions into a single header.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 block-internal.h | 29 +
 gcm.c| 15 ++-
 2 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/block-internal.h b/block-internal.h
index 8cc30f6f5a02..874e4dbe1929 100644
--- a/block-internal.h
+++ b/block-internal.h
@@ -166,4 +166,33 @@ block8_lshift_be (union nettle_block8 *dst,
 }
 #endif /* !WORDS_BIGENDIAN */
 
+#if WORDS_BIGENDIAN
+static inline void
+block16_rshift_be (union nettle_block16 *r,
+  const union nettle_block16 *x,
+  uint64_t poly)
+{
+  uint64_t mask;
+
+  /* Shift uses big-endian representation. */
+  mask = - (x->u64[1] & 1);
+  r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63);
+  r->u64[0] = (x->u64[0] >> 1) ^ (mask & (poly << 56));
+}
+#else /* ! WORDS_BIGENDIAN */
+static inline void
+block16_rshift_be (union nettle_block16 *r,
+  const union nettle_block16 *x,
+  uint64_t poly)
+{
+  uint64_t mask;
+
+  /* Shift uses big-endian representation. */
+  mask = - ((x->u64[1] >> 56) & 1);
+  r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80);
+  r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & poly);
+}
+#endif /* ! WORDS_BIGENDIAN */
+
+/* shift one and XOR with 0x87. */
 #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
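Review bot: The comment `/* shift one and XOR with 0x87. */` added on the line before the include guard's `#endif` describes nothing: no code follows it in this header, and it is the CMAC shift comment that cmac.c carries (visible at the top of patch 3/5), so it looks like a copy-paste leftover and should be dropped. The new block16_rshift_be pair also arrives with only `/* Shift uses big-endian representation. */`, while the contract stays behind on the gcm.c wrapper ("Multiplication by 010...0; a big-endian shift right. If the bit shifted out is one, the defining polynomial is added to cancel it out. r == x is allowed."); since the implementation now lives here, move that text above the `#if WORDS_BIGENDIAN` that introduces the two variants. Add that `poly` is the low byte of the reduction constant, which the big-endian variant places in the top byte with `poly << 56` and the little-endian variant masks in directly. The `r == x` claim holds for both variants as written: `mask` and the bit taken from `x->u64[0]` are read before `r->u64[1]` is written, and `x->u64[0]` is only read again when computing `r->u64[0]` itself.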
diff --git a/gcm.c b/gcm.c
index 17c889e67553..eca6ab6cab25 100644
--- a/gcm.c
+++ b/gcm.c
@@ -60,21 +60,10 @@
 /* Multiplication by 010...0; a big-endian shift right. If the bit
shifted out is one, the defining polynomial is added to cancel it
out. r == x is allowed. */
-static void
+static inline void
 gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x)
 {
-  uint64_t mask;
-
-  /* Shift uses big-endian representation. */
-#if WORDS_BIGENDIAN
-  mask = - (x->u64[1] & 1);
-  r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63);
-  r->u64[0] = (x->u64[0] >> 1) ^ (mask & ((uint64_t) GHASH_POLYNOMIAL << 56));
-#else /* ! WORDS_BIGENDIAN */
-  mask = - ((x->u64[1] >> 56) & 1);
-  r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80);
-  r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & GHASH_POLYNOMIAL);
-#endif /* ! WORDS_BIGENDIAN */
+  block16_rshift_be (r, x, GHASH_POLYNOMIAL);
 }
 
 #if GCM_TABLE_BITS == 0
-- 
2.23.0.rc1



[PATCH 3/5] block-internal: add block XORing functions

2019-08-26 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add common implementations for functions doing XOR over
nettle_block16/nettle_block8.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in  |  3 +-
 block-internal.h | 93 
 cmac.c   | 11 +++---
 cmac64.c | 12 +++
 eax.c|  9 +
 gcm.c| 20 ---
 siv-cmac.c   |  9 ++---
 7 files changed, 120 insertions(+), 37 deletions(-)
 create mode 100644 block-internal.h

diff --git a/Makefile.in b/Makefile.in
index af4f6e46ee9b..f6658c86341c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -230,7 +230,8 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \
INSTALL NEWS ChangeLog \
nettle.pc.in hogweed.pc.in \
$(des_headers) descore.README desdata.stamp \
-   aes-internal.h camellia-internal.h cmac-internal.h serpent-internal.h \
+   aes-internal.h block-internal.h \
+   camellia-internal.h cmac-internal.h serpent-internal.h \
cast128_sboxes.h desinfo.h desCode.h \
ripemd160-internal.h sha2-internal.h \
memxor-internal.h nettle-internal.h nettle-write.h \
diff --git a/block-internal.h b/block-internal.h
new file mode 100644
index ..84839c872f63
--- /dev/null
+++ b/block-internal.h
@@ -0,0 +1,93 @@
+/* block-internal.h
+
+   Internal implementations of nettle_blockZ-related functions.
+
+   Copyright (C) 2011 Katholieke Universiteit Leuven
+   Copyright (C) 2011, 2013, 2018 Niels Möller
+   Copyright (C) 2018 Red Hat, Inc.
+   Copyright (C) 2019 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED
+#define NETTLE_BLOCK_INTERNAL_H_INCLUDED
+
+#include 
+
+#include "nettle-types.h"
+#include "memxor.h"
+
+static inline void
+block16_xor (union nettle_block16 *r,
+const union nettle_block16 *x)
+{
+  r->u64[0] ^= x->u64[0];
+  r->u64[1] ^= x->u64[1];
+}
+
+static inline void
+block16_xor3 (union nettle_block16 *r,
+ const union nettle_block16 *x,
+ const union nettle_block16 *y)
+{
+  r->u64[0] = x->u64[0] ^ y->u64[0];
+  r->u64[1] = x->u64[1] ^ y->u64[1];
+}
+
+static inline void
+block16_xor_bytes (union nettle_block16 *r,
+  const union nettle_block16 *x,
+  const uint8_t *bytes)
+{
+  memxor3 (r->b, x->b, bytes, 16);
+}
+
+static inline void
+block8_xor (union nettle_block8 *r,
+const union nettle_block8 *x)
+{
+  r->u64 ^= x->u64;
+}
+
+static inline void
+block8_xor3 (union nettle_block8 *r,
+ const union nettle_block8 *x,
+ const union nettle_block8 *y)
+{
+  r->u64 = x->u64 ^ y->u64;
+}
+
+static inline void
+block8_xor_bytes (union nettle_block8 *r,
+  const union nettle_block8 *x,
+  const uint8_t *bytes)
+{
+  memxor3 (r->b, x->b, bytes, 8);
+}
+
+#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
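Review bot: None of the six helpers in the new header carries a comment, and the one property a caller needs to know — whether `r` may alias `x` or `y` — is not stated anywhere. For block16_xor, block16_xor3 and the block8 variants each word is read and then written, so `r == x` (and `r == y`) is safe; a one-line `/* r ^= x; r may alias x. */` and `/* r = x ^ y; r may alias either operand. */` above them would record that. block16_xor_bytes and block8_xor_bytes take a plain `const uint8_t *` rather than a block, which is presumably why they go through memxor3 on the byte view instead of the u64 words; say so (`/* r = x ^ bytes; bytes need not be aligned. */`), and note that whether `r` may overlap `bytes` depends on memxor3's contract, which is not visible here. The same file is resent unchanged as v2 1/4 further down this page, where the same comments apply.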
diff --git a/cmac.c b/cmac.c
index 70ce8132d9d1..194324421c58 100644
--- a/cmac.c
+++ b/cmac.c
@@ -45,6 +45,7 @@
 #include "memxor.h"
 #include "nettle-internal.h"
 #include "cmac-internal.h"
+#include "block-internal.h"
 #include "macros.h"
 
 /* shift one and XOR with 0x87. */
@@ -119,12 +120,12 @@ cmac128_update(struct cmac128_ctx *ctx, const void 
*cipher,
   /*
* now checksum everything but the last block
*/
-  memxor3(Y.b, ctx->X.b, ctx->block.b, 16);
+  block16_xor3(, >X, >block);
   encrypt(cipher, 16, ctx->X.b, Y.b);
 
   while (msg_len > 16)
 {
-  memxor3(Y.b, ctx->X.b, msg, 16);
+  block16_xor_bytes (, >X, msg);
   encrypt(cipher, 16, ctx->X.b, Y.b);
   msg += 16;
   msg_len -= 16;
@@ -151,14 +152,14 @@ cmac128_digest(struct cmac128_ctx *ctx, const struct 
cmac128_key *key,
   ctx->block.b[ctx->index] = 0x80;
   memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index);
 
-  memxor(ctx->block.b, key->K2.b, 16);
+  block16_xor (>block, >K2);
 }
   else
 {
-  memxor(ctx->block.b, key->K1.b, 16);
+  block16_xor 

[PATCH 1/5] gcm: use uint64_t member of nettle_block16

2019-08-26 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Remove last usage of unsigned long member of nettle_block16.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 gcm.c | 47 ---
 1 file changed, 12 insertions(+), 35 deletions(-)

diff --git a/gcm.c b/gcm.c
index a55f603f66d5..627097b24218 100644
--- a/gcm.c
+++ b/gcm.c
@@ -133,45 +133,22 @@ shift_table[0x10] = {
 static void
 gcm_gf_shift_4(union nettle_block16 *x)
 {
-  unsigned long *w = x->w;
-  unsigned long reduce;
+  uint64_t *u64 = x->u64;
+  uint64_t reduce;
 
   /* Shift uses big-endian representation. */
 #if WORDS_BIGENDIAN
-# if SIZEOF_LONG == 4
-  reduce = shift_table[w[3] & 0xf];
-  w[3] = (w[3] >> 4) | ((w[2] & 0xf) << 28);
-  w[2] = (w[2] >> 4) | ((w[1] & 0xf) << 28);
-  w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 28);
-  w[0] = (w[0] >> 4) ^ (reduce << 16);
-# elif SIZEOF_LONG == 8
-  reduce = shift_table[w[1] & 0xf];
-  w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 60);
-  w[0] = (w[0] >> 4) ^ (reduce << 48);
-# else
-#  error Unsupported word size. */
-#endif
+  reduce = shift_table[u64[1] & 0xf];
+  u64[1] = (u64[1] >> 4) | ((u64[0] & 0xf) << 60);
+  u64[0] = (u64[0] >> 4) ^ (reduce << 48);
 #else /* ! WORDS_BIGENDIAN */
-# if SIZEOF_LONG == 4
-#define RSHIFT_WORD(x) \
-  x) & 0xf0f0f0f0UL) >> 4) \
-   | (((x) & 0x000f0f0f) << 12))
-  reduce = shift_table[(w[3] >> 24) & 0xf];
-  w[3] = RSHIFT_WORD(w[3]) | ((w[2] >> 20) & 0xf0);
-  w[2] = RSHIFT_WORD(w[2]) | ((w[1] >> 20) & 0xf0);
-  w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 20) & 0xf0);
-  w[0] = RSHIFT_WORD(w[0]) ^ reduce;
-# elif SIZEOF_LONG == 8
-#define RSHIFT_WORD(x) \
-  x) & 0xf0f0f0f0f0f0f0f0UL) >> 4) \
-   | (((x) & 0x000f0f0f0f0f0f0fUL) << 12))
-  reduce = shift_table[(w[1] >> 56) & 0xf];
-  w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 52) & 0xf0);
-  w[0] = RSHIFT_WORD(w[0]) ^ reduce;
-# else
-#  error Unsupported word size. */
-# endif
-# undef RSHIFT_WORD
+#define RSHIFT_WORD_4(x) \
+  x) & UINT64_C(0xf0f0f0f0f0f0f0f0)) >> 4) \
+   | (((x) & UINT64_C(0x000f0f0f0f0f0f0f)) << 12))
+  reduce = shift_table[(u64[1] >> 56) & 0xf];
+  u64[1] = RSHIFT_WORD_4(u64[1]) | ((u64[0] >> 52) & 0xf0);
+  u64[0] = RSHIFT_WORD_4(u64[0]) ^ reduce;
+# undef RSHIFT_WORD_4
 #endif /* ! WORDS_BIGENDIAN */
 }
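Review bot: The shift amounts `60`, `52` and `48` and the `0xf`/`0xf0` masks in gcm_gf_shift_4 are now fixed to the two-word uint64_t view but remain unexplained; a short comment such as `/* 4-bit big-endian right shift across two 64-bit words: 60 = 64-4 carries the low nibble of u64[0] into the top of u64[1]; 52 = 56-4 with 0xf0 does the same on the byte-swapped view, and reduce lands in the top 16 bits (<< 48) or the first two bytes. */` would let the next reader check the constants without rederiving them. RSHIFT_WORD_4 is defined and `#undef`'d inside the function body, which is unusual for this file; if it stays, a one-line comment naming it as the byte-swapped counterpart of the plain `>> 4` would help. Not introduced by this commit, but worth recording on the same block from a defensive standpoint: `shift_table[u64[1] & 0xf]` is indexed by the running GHASH state (gcm_gf_mul calls this on Z), so the GCM_TABLE_BITS == 4 path is a secret-dependent table lookup; the v2 4/4 patch on this page removes the 4-bit case altogether.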
 
-- 
2.23.0.rc1



[PATCH 4/5] block modes: move Galois shifts to block-internal.h

2019-08-26 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Move Galois polynomial shifts to block-internal.h, simplifying common
code. GCM is left unconverted for now; this will be fixed later.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in   |  2 +-
 block-internal.h  | 76 +++
 cmac-internal.h   | 54 -
 cmac.c| 20 ++---
 cmac64.c  | 21 ++---
 eax.c | 18 ++-
 gcm.c |  4 ---
 siv-cmac-aes128.c |  1 -
 siv-cmac-aes256.c |  1 -
 siv-cmac.c|  9 +-
 xts.c | 18 ++-
 11 files changed, 94 insertions(+), 130 deletions(-)
 delete mode 100644 cmac-internal.h

diff --git a/Makefile.in b/Makefile.in
index f6658c86341c..ae9c8a7563f9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -231,7 +231,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \
nettle.pc.in hogweed.pc.in \
$(des_headers) descore.README desdata.stamp \
aes-internal.h block-internal.h \
-   camellia-internal.h cmac-internal.h serpent-internal.h \
+   camellia-internal.h serpent-internal.h \
cast128_sboxes.h desinfo.h desCode.h \
ripemd160-internal.h sha2-internal.h \
memxor-internal.h nettle-internal.h nettle-write.h \
diff --git a/block-internal.h b/block-internal.h
index 84839c872f63..8cc30f6f5a02 100644
--- a/block-internal.h
+++ b/block-internal.h
@@ -90,4 +90,80 @@ block8_xor_bytes (union nettle_block8 *r,
   memxor3 (r->b, x->b, bytes, 8);
 }
 
+#define LSHIFT_WORD(x) x) & 0x7f7f7f7f7f7f7f7f) << 1) | \
+   (((x) & 0x8080808080808080) >> 15))
+#define RSHIFT_WORD(x) x) & 0xfefefefefefefefe) >> 1) | \
+   (((x) & 0x0001010101010101) << 15))
+
+/* Galois multiplications by 2:
+ * functions differ in shifting right or left, big- or little- endianness
+ * and by defininy polynom.
+ * r == x is allowed. */
+
+#if WORDS_BIGENDIAN
+static inline void
+block16_lshift_be (union nettle_block16 *dst,
+  const union nettle_block16 *src,
+  uint64_t poly)
+{
+  uint64_t carry = src->u64[0] >> 63;
+  dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63);
+  dst->u64[1] = (src->u64[1] << 1) ^ (poly & -carry);
+}
+#else /* !WORDS_BIGENDIAN */
+static inline void
+block16_lshift_be (union nettle_block16 *dst,
+  const union nettle_block16 *src,
+  uint64_t poly)
+{
+  uint64_t carry = (src->u64[0] & 0x80) >> 7;
+  dst->u64[0] = LSHIFT_WORD(src->u64[0]) | ((src->u64[1] & 0x80) << 49);
+  dst->u64[1] = LSHIFT_WORD(src->u64[1]) ^ ((poly << 56) & -carry);
+}
+#endif /* !WORDS_BIGENDIAN */
+
+#if WORDS_BIGENDIAN
+static inline void
+block16_lshift_le (union nettle_block16 *dst,
+  const union nettle_block16 *src,
+  uint64_t poly)
+{
+  uint64_t carry = (src->u64[1] & 0x80) >> 7;
+  dst->u64[1] = LSHIFT_WORD(src->u64[1]) | ((src->u64[0] & 0x80) << 49);
+  dst->u64[0] = LSHIFT_WORD(src->u64[0]) ^ ((poly << 56) & -carry);
+}
+#else /* !WORDS_BIGENDIAN */
+static inline void
+block16_lshift_le (union nettle_block16 *dst,
+  const union nettle_block16 *src,
+  uint64_t poly)
+{
+  uint64_t carry = src->u64[1] >> 63;
+  dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63);
+  dst->u64[0] = (src->u64[0] << 1) ^ (poly & -carry);
+}
+#endif /* !WORDS_BIGNDIAN */
+
+#if WORDS_BIGENDIAN
+static inline void
+block8_lshift_be (union nettle_block8 *dst,
+ const union nettle_block8 *src,
+ uint64_t poly)
+{
+  uint64_t carry = src->u64 >> 63;
+
+  dst->u64 = (src->u64 << 1) ^ (poly & -carry);
+}
+#else /* !WORDS_BIGENDIAN */
+static inline void
+block8_lshift_be (union nettle_block8 *dst,
+ const union nettle_block8 *src,
+ uint64_t poly)
+{
+  uint64_t carry = (src->u64 & 0x80) >> 7;
+
+  dst->u64 = LSHIFT_WORD(src->u64) ^ ((poly << 56) & -carry);
+}
+#endif /* !WORDS_BIGENDIAN */
+
 #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
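Review bot: LSHIFT_WORD and RSHIFT_WORD are introduced with bare hex constants (`0x7f7f7f7f7f7f7f7f`, `0x8080808080808080`, `0xfefefefefefefefe`, `0x0001010101010101`) whereas gcm_gf_shift_4 in patch 1/5 of this series already spells its masks as `UINT64_C(...)`; use UINT64_C here too so the macros keep a fixed 64-bit type whatever the argument's type, and since this header is now shared by every block mode, give the macros a less generic prefix (gcm.c had its own RSHIFT_WORD; the diffstat suggests this patch removes it, but that hunk is not visible here). The shared comment says `r == x is allowed` but every function below names its parameters `dst`/`src`; write `dst == src is allowed` (each variant computes `carry` and reads the src word it needs before writing the corresponding dst word, so the claim is true). Two typos in the same hunk: `defininy polynom` → `defining polynomial`, and `#endif /* !WORDS_BIGNDIAN */` → `WORDS_BIGENDIAN`.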
diff --git a/cmac-internal.h b/cmac-internal.h
deleted file mode 100644
index 80db7fcc58cd..
--- a/cmac-internal.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* cmac-internal.h
-
-   CMAC mode internal functions
-
-   Copyright (C) 2017 Red Hat, Inc.
-
-   Contributed by Nikos Mavrogiannopoulos
-
-   This file is part of GNU Nettle.
-
-   GNU Nettle is free software: you can redistribute it and/or
-   modify it under the terms of either:
-
- * the GNU Lesser General Public License as published by the Free
-   Software Foundation; either version 3 of the License, or (at your
-   option) any later version.
-
-   or
-
- * the GNU General Public License as published by the Free
-   Software Foundation; either version 2 of the License, or (at your
-   option) any later version.
-
-   or both in parallel, as here.
-
-   GNU Nettle is distributed in the hope that it will be 

[PATCH v2 1/4] block-internal: add block XORing functions

2019-09-04 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add common implementations for functions doing XOR over
nettle_block16/nettle_block8.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in  |  3 +-
 block-internal.h | 93 
 cmac.c   | 11 +++---
 cmac64.c | 12 +++
 eax.c|  9 +
 gcm.c| 20 ---
 siv-cmac.c   |  9 ++---
 7 files changed, 120 insertions(+), 37 deletions(-)
 create mode 100644 block-internal.h

diff --git a/Makefile.in b/Makefile.in
index af4f6e46ee9b..f6658c86341c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -230,7 +230,8 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \
INSTALL NEWS ChangeLog \
nettle.pc.in hogweed.pc.in \
$(des_headers) descore.README desdata.stamp \
-   aes-internal.h camellia-internal.h cmac-internal.h serpent-internal.h \
+   aes-internal.h block-internal.h \
+   camellia-internal.h cmac-internal.h serpent-internal.h \
cast128_sboxes.h desinfo.h desCode.h \
ripemd160-internal.h sha2-internal.h \
memxor-internal.h nettle-internal.h nettle-write.h \
diff --git a/block-internal.h b/block-internal.h
new file mode 100644
index ..ab3a6a79b8cb
--- /dev/null
+++ b/block-internal.h
@@ -0,0 +1,93 @@
+/* block-internal.h
+
+   Internal implementations of nettle_blockZ-related functions.
+
+   Copyright (C) 2011 Katholieke Universiteit Leuven
+   Copyright (C) 2011, 2013, 2018 Niels Möller
+   Copyright (C) 2018 Red Hat, Inc.
+   Copyright (C) 2019 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED
+#define NETTLE_BLOCK_INTERNAL_H_INCLUDED
+
+#include 
+
+#include "nettle-types.h"
+#include "memxor.h"
+
+static inline void
+block16_xor (union nettle_block16 *r,
+const union nettle_block16 *x)
+{
+  r->u64[0] ^= x->u64[0];
+  r->u64[1] ^= x->u64[1];
+}
+
+static inline void
+block16_xor3 (union nettle_block16 *r,
+ const union nettle_block16 *x,
+ const union nettle_block16 *y)
+{
+  r->u64[0] = x->u64[0] ^ y->u64[0];
+  r->u64[1] = x->u64[1] ^ y->u64[1];
+}
+
+static inline void
+block16_xor_bytes (union nettle_block16 *r,
+  const union nettle_block16 *x,
+  const uint8_t *bytes)
+{
+  memxor3 (r->b, x->b, bytes, 16);
+}
+
+static inline void
+block8_xor (union nettle_block8 *r,
+   const union nettle_block8 *x)
+{
+  r->u64 ^= x->u64;
+}
+
+static inline void
+block8_xor3 (union nettle_block8 *r,
+const union nettle_block8 *x,
+const union nettle_block8 *y)
+{
+  r->u64 = x->u64 ^ y->u64;
+}
+
+static inline void
+block8_xor_bytes (union nettle_block8 *r,
+ const union nettle_block8 *x,
+ const uint8_t *bytes)
+{
+  memxor3 (r->b, x->b, bytes, 8);
+}
+
+#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
diff --git a/cmac.c b/cmac.c
index 70ce8132d9d1..194324421c58 100644
--- a/cmac.c
+++ b/cmac.c
@@ -45,6 +45,7 @@
 #include "memxor.h"
 #include "nettle-internal.h"
 #include "cmac-internal.h"
+#include "block-internal.h"
 #include "macros.h"
 
 /* shift one and XOR with 0x87. */
@@ -119,12 +120,12 @@ cmac128_update(struct cmac128_ctx *ctx, const void 
*cipher,
   /*
* now checksum everything but the last block
*/
-  memxor3(Y.b, ctx->X.b, ctx->block.b, 16);
+  block16_xor3(, >X, >block);
   encrypt(cipher, 16, ctx->X.b, Y.b);
 
   while (msg_len > 16)
 {
-  memxor3(Y.b, ctx->X.b, msg, 16);
+  block16_xor_bytes (, >X, msg);
   encrypt(cipher, 16, ctx->X.b, Y.b);
   msg += 16;
   msg_len -= 16;
@@ -151,14 +152,14 @@ cmac128_digest(struct cmac128_ctx *ctx, const struct 
cmac128_key *key,
   ctx->block.b[ctx->index] = 0x80;
   memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index);
 
-  memxor(ctx->block.b, key->K2.b, 16);
+  block16_xor (>block, >K2);
 }
   else
 {
-  memxor(ctx->block.b, key->K1.b, 16);
+  block16_xor 

[PATCH v2 4/4] gcm: drop intermediate GCM_TABLE_BITS == 4 case

2019-09-04 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

It makes little sense to have an intermediate solution with GCM_TABLE_BITS
== 4. One will either use the unoptimized case of GCM_TABLE_BITS == 0, or
switch to the fully optimized case (8), as the memory usage difference
between 4 and 8 is quite low. So drop GCM_TABLE_BITS == 4 support.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 gcm.c | 67 +++
 1 file changed, 8 insertions(+), 59 deletions(-)

diff --git a/gcm.c b/gcm.c
index cf615daf18bd..3a6f04a7671b 100644
--- a/gcm.c
+++ b/gcm.c
@@ -83,62 +83,7 @@ gcm_gf_mul (union nettle_block16 *x, const union 
nettle_block16 *y)
 }
   memcpy (x->b, Z.b, sizeof(Z));
 }
-#else /* GCM_TABLE_BITS != 0 */
 
-# if WORDS_BIGENDIAN
-#  define W(left,right) (0x##left##right)
-# else
-#  define W(left,right) (0x##right##left)
-# endif
-
-# if GCM_TABLE_BITS == 4
-static const uint16_t
-shift_table[0x10] = {
-  W(00,00),W(1c,20),W(38,40),W(24,60),W(70,80),W(6c,a0),W(48,c0),W(54,e0),
-  W(e1,00),W(fd,20),W(d9,40),W(c5,60),W(91,80),W(8d,a0),W(a9,c0),W(b5,e0),
-};
-
-static void
-gcm_gf_shift_4(union nettle_block16 *x)
-{
-  uint64_t *u64 = x->u64;
-  uint64_t reduce;
-
-  /* Shift uses big-endian representation. */
-#if WORDS_BIGENDIAN
-  reduce = shift_table[u64[1] & 0xf];
-  u64[1] = (u64[1] >> 4) | ((u64[0] & 0xf) << 60);
-  u64[0] = (u64[0] >> 4) ^ (reduce << 48);
-#else /* ! WORDS_BIGENDIAN */
-#define RSHIFT_WORD_4(x) \
-  x) & UINT64_C(0xf0f0f0f0f0f0f0f0)) >> 4) \
-   | (((x) & UINT64_C(0x000f0f0f0f0f0f0f)) << 12))
-  reduce = shift_table[(u64[1] >> 56) & 0xf];
-  u64[1] = RSHIFT_WORD_4(u64[1]) | ((u64[0] >> 52) & 0xf0);
-  u64[0] = RSHIFT_WORD_4(u64[0]) ^ reduce;
-# undef RSHIFT_WORD_4
-#endif /* ! WORDS_BIGENDIAN */
-}
-
-static void
-gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table)
-{
-  union nettle_block16 Z;
-  unsigned i;
-
-  memset(Z.b, 0, sizeof(Z));
-
-  for (i = GCM_BLOCK_SIZE; i-- > 0;)
-{
-  uint8_t b = x->b[i];
-
-  gcm_gf_shift_4();
-  block16_xor(, [b & 0xf]);
-  gcm_gf_shift_4();
-  block16_xor(, [b >> 4]);
-}
-  memcpy (x->b, Z.b, sizeof(Z));
-}
 # elif GCM_TABLE_BITS == 8
 #  if HAVE_NATIVE_gcm_hash8
 
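Review bot: With `#else /* GCM_TABLE_BITS != 0 */` removed, the `# elif GCM_TABLE_BITS == 8` that this hunk keeps and the `# endif /* GCM_TABLE_BITS != 8 */` in the last hunk of this file now continue the top-level `#if GCM_TABLE_BITS == 0` directly, yet they keep the one-space indentation of the old inner chain and a trailing comment that described it; write them as `#elif GCM_TABLE_BITS == 8` and `#endif /* GCM_TABLE_BITS */` so the nesting reads correctly. The surviving `#  error Unsupported table size.` branch now rejects every value other than 0 or 8, which is the intended effect, but wherever GCM_TABLE_BITS is documented or set (gcm.h, if that is where it lives) is outside this chunk and should be updated in the same commit so 4 is no longer offered as a valid value. The preprocessor chain itself begins above this hunk.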
@@ -147,6 +92,13 @@ void
 _nettle_gcm_hash8 (const struct gcm_key *key, union nettle_block16 *x,
   size_t length, const uint8_t *data);
 #  else /* !HAVE_NATIVE_gcm_hash8 */
+
+# if WORDS_BIGENDIAN
+#  define W(left,right) (0x##left##right)
+# else
+#  define W(left,right) (0x##right##left)
+# endif
+
 static const uint16_t
 shift_table[0x100] = {
   W(00,00),W(01,c2),W(03,84),W(02,46),W(07,08),W(06,ca),W(04,8c),W(05,4e),
@@ -182,6 +134,7 @@ shift_table[0x100] = {
   W(b5,e0),W(b4,22),W(b6,64),W(b7,a6),W(b2,e8),W(b3,2a),W(b1,6c),W(b0,ae),
   W(bb,f0),W(ba,32),W(b8,74),W(b9,b6),W(bc,f8),W(bd,3a),W(bf,7c),W(be,be),
 };
+#undef W
 
 static void
 gcm_gf_shift_8(union nettle_block16 *x)
@@ -221,10 +174,6 @@ gcm_gf_mul (union nettle_block16 *x, const union 
nettle_block16 *table)
 #  error Unsupported table size. 
 # endif /* GCM_TABLE_BITS != 8 */
 
-#undef W
-
-#endif /* GCM_TABLE_BITS */
-
 /* Increment the rightmost 32 bits. */
 #define INC32(block) INCREMENT(4, (block.b) + GCM_BLOCK_SIZE - 4)
 
-- 
2.23.0.rc1



[PATCH v2 3/4] gcm: move block shifting function to block-internal.h

2019-09-04 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Move GCM's block shift function to block-internal.h. This concludes
the move of all Galois mul-by-2 functions into a single header.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 block-internal.h | 30 +-
 gcm.c| 30 ++
 2 files changed, 31 insertions(+), 29 deletions(-)

diff --git a/block-internal.h b/block-internal.h
index 8972d0ac2b5b..88e19be333c8 100644
--- a/block-internal.h
+++ b/block-internal.h
@@ -95,11 +95,15 @@ block8_xor_bytes (union nettle_block8 *r,
 #define LSHIFT_ALIEN_UINT64(x) \
x) & UINT64_C(0x7f7f7f7f7f7f7f7f)) << 1) | \
 (((x) & UINT64_C(0x8080808080808080)) >> 15))
+#define RSHIFT_ALIEN_UINT64(x) \
+   x) & UINT64_C(0xfefefefefefefefe)) >> 1) | \
+(((x) & UINT64_C(0x0001010101010101)) << 15))
 
 /* Two typical defining polynoms */
 
 #define BLOCK16_POLY (UINT64_C(0x87))
 #define BLOCK8_POLY (UINT64_C(0x1b))
+#define GHASH_POLY (UINT64_C(0xE1))
 
 /* Galois multiplications by 2:
  * functions differ in shifting right or left, big- or little- endianness
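Review bot: GHASH_POLY is added under the comment `/* Two typical defining polynoms */`, which now heads three constants; change it to `/* Typical defining polynomials */`. It would also help to say how these values are meant to be read: each is the low byte of the reduction constant, which the big-endian variants place in the word's top byte with `<< 56`. BLOCK16_POLY 0x87 and GHASH_POLY 0xE1 are the same polynomial x^128 + x^7 + x^2 + x + 1 written in opposite bit orders (GHASH uses the bit-reflected convention), and one line saying so would explain why block16_mulx_ghash shifts right where block16_mulx_be shifts left.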
@@ -133,6 +137,18 @@ block8_mulx_be (union nettle_block8 *dst,
 
   dst->u64 = (src->u64 << 1) ^ (BLOCK8_POLY & -carry);
 }
+
+static inline void
+block16_mulx_ghash (union nettle_block16 *r,
+   const union nettle_block16 *x)
+{
+  uint64_t mask;
+
+  /* Shift uses big-endian representation. */
+  mask = - (x->u64[1] & 1);
+  r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63);
+  r->u64[0] = (x->u64[0] >> 1) ^ (mask & (GHASH_POLY << 56));
+}
 #else /* !WORDS_BIGENDIAN */
 static inline void
 block16_mulx_be (union nettle_block16 *dst,
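Review bot: block16_mulx_ghash is added with only `/* Shift uses big-endian representation. */`, while the fuller contract this series deletes from gcm.c — multiplication by x as a big-endian right shift, the defining polynomial added when the shifted-out bit is one, `r == x` allowed — is lost on both sides; restore it above this function and its little-endian twin in the next hunk. Every other function in this header names its arguments `dst`/`src`, so rename `r`/`x` to match and state the aliasing rule in those terms. The aliasing claim holds for this variant as written: `mask` and the bit taken from `x->u64[0]` are read before `r->u64[1]` is written, and `x->u64[0]` is only read again to compute `r->u64[0]` itself. The trailing `#endif /* ! WORDS_BIGENDIAN */` in the next hunk also changes the existing `/* !WORDS_BIGENDIAN */` spelling for no reason; keep the file's form.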
@@ -160,6 +176,18 @@ block8_mulx_be (union nettle_block8 *dst,
 
   dst->u64 = LSHIFT_ALIEN_UINT64(src->u64) ^ ((BLOCK8_POLY << 56) & -carry);
 }
-#endif /* !WORDS_BIGENDIAN */
+
+static inline void
+block16_mulx_ghash (union nettle_block16 *r,
+   const union nettle_block16 *x)
+{
+  uint64_t mask;
+
+  /* Shift uses big-endian representation. */
+  mask = - ((x->u64[1] >> 56) & 1);
+  r->u64[1] = RSHIFT_ALIEN_UINT64(x->u64[1]) | ((x->u64[0] >> 49) & 0x80);
+  r->u64[0] = RSHIFT_ALIEN_UINT64(x->u64[0]) ^ (mask & GHASH_POLY);
+}
+#endif /* ! WORDS_BIGENDIAN */
 
 #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
diff --git a/gcm.c b/gcm.c
index 4a04a0a10842..cf615daf18bd 100644
--- a/gcm.c
+++ b/gcm.c
@@ -55,32 +55,6 @@
 #include "ctr-internal.h"
 #include "block-internal.h"
 
-#define GHASH_POLYNOMIAL 0xE1UL
-
-/* Multiplication by 010...0; a big-endian shift right. If the bit
-   shifted out is one, the defining polynomial is added to cancel it
-   out. r == x is allowed. */
-static void
-gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x)
-{
-  uint64_t mask;
-
-  /* Shift uses big-endian representation. */
-#if WORDS_BIGENDIAN
-  mask = - (x->u64[1] & 1);
-  r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63);
-  r->u64[0] = (x->u64[0] >> 1) ^ (mask & ((uint64_t) GHASH_POLYNOMIAL << 56));
-#else /* ! WORDS_BIGENDIAN */
-#define RSHIFT_WORD(x) \
-  x) & 0xfefefefefefefefeUL) >> 1) \
-   | (((x) & 0x0001010101010101UL) << 15))
-  mask = - ((x->u64[1] >> 56) & 1);
-  r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80);
-  r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & GHASH_POLYNOMIAL);
-# undef RSHIFT_WORD
-#endif /* ! WORDS_BIGENDIAN */
-}
-
 #if GCM_TABLE_BITS == 0
 /* Sets x <- x * y mod r, using the plain bitwise algorithm from the
specification. y may be shorter than a full block, missing bytes
@@ -104,7 +78,7 @@ gcm_gf_mul (union nettle_block16 *x, const union 
nettle_block16 *y)
  if (b & 0x80)
block16_xor(, );
  
- gcm_gf_shift(, );
+ block16_mulx_ghash(, );
}
 }
   memcpy (x->b, Z.b, sizeof(Z));
@@ -275,7 +249,7 @@ gcm_set_key(struct gcm_key *key,
   /* Algorithm 3 from the gcm paper. First do powers of two, then do
  the rest by adding. */
   while (i /= 2)
-gcm_gf_shift(>h[i], >h[2*i]);
+block16_mulx_ghash(>h[i], >h[2*i]);
   for (i = 2; i < 1

[PATCH v2 2/4] block modes: move Galois shifts to block-internal.h

2019-09-04 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Move Galois polynomial shifts to block-internal.h, simplifying common
code. GCM is left unconverted for now, this will be fixed later.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in   |  2 +-
 block-internal.h  | 72 +++
 cmac-internal.h   | 54 ---
 cmac.c| 28 ++
 cmac64.c  | 27 ++
 eax.c | 18 ++--
 siv-cmac-aes128.c |  1 -
 siv-cmac-aes256.c |  1 -
 siv-cmac.c|  7 ++---
 xts.c | 34 --
 10 files changed, 87 insertions(+), 157 deletions(-)
 delete mode 100644 cmac-internal.h

diff --git a/Makefile.in b/Makefile.in
index f6658c86341c..ae9c8a7563f9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -231,7 +231,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \
nettle.pc.in hogweed.pc.in \
$(des_headers) descore.README desdata.stamp \
aes-internal.h block-internal.h \
-   camellia-internal.h cmac-internal.h serpent-internal.h \
+   camellia-internal.h serpent-internal.h \
cast128_sboxes.h desinfo.h desCode.h \
ripemd160-internal.h sha2-internal.h \
memxor-internal.h nettle-internal.h nettle-write.h \
diff --git a/block-internal.h b/block-internal.h
index ab3a6a79b8cb..8972d0ac2b5b 100644
--- a/block-internal.h
+++ b/block-internal.h
@@ -90,4 +90,76 @@ block8_xor_bytes (union nettle_block8 *r,
   memxor3 (r->b, x->b, bytes, 8);
 }
 
+/* Do a foreign-endianness shift of data */
+
+#define LSHIFT_ALIEN_UINT64(x) \
+   x) & UINT64_C(0x7f7f7f7f7f7f7f7f)) << 1) | \
+(((x) & UINT64_C(0x8080808080808080)) >> 15))
+
+/* Two typical defining polynoms */
+
+#define BLOCK16_POLY (UINT64_C(0x87))
+#define BLOCK8_POLY (UINT64_C(0x1b))
+
+/* Galois multiplications by 2:
+ * functions differ in shifting right or left, big- or little- endianness
+ * and by defining polynom.
+ * r == x is allowed. */
+
+#if WORDS_BIGENDIAN
+static inline void
+block16_mulx_be (union nettle_block16 *dst,
+const union nettle_block16 *src)
+{
+  uint64_t carry = src->u64[0] >> 63;
+  dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63);
+  dst->u64[1] = (src->u64[1] << 1) ^ (BLOCK16_POLY & -carry);
+}
+
+static inline void
+block16_mulx_le (union nettle_block16 *dst,
+const union nettle_block16 *src)
+{
+  uint64_t carry = (src->u64[1] & 0x80) >> 7;
+  dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) | ((src->u64[0] & 0x80) << 
49);
+  dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) ^ ((BLOCK16_POLY << 56) & 
-carry);
+}
+
+static inline void
+block8_mulx_be (union nettle_block8 *dst,
+   const union nettle_block8 *src)
+{
+  uint64_t carry = src->u64 >> 63;
+
+  dst->u64 = (src->u64 << 1) ^ (BLOCK8_POLY & -carry);
+}
+#else /* !WORDS_BIGENDIAN */
+static inline void
+block16_mulx_be (union nettle_block16 *dst,
+const union nettle_block16 *src)
+{
+  uint64_t carry = (src->u64[0] & 0x80) >> 7;
+  dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) | ((src->u64[1] & 0x80) << 
49);
+  dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) ^ ((BLOCK16_POLY << 56) & 
-carry);
+}
+
+static inline void
+block16_mulx_le (union nettle_block16 *dst,
+const union nettle_block16 *src)
+{
+  uint64_t carry = src->u64[1] >> 63;
+  dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63);
+  dst->u64[0] = (src->u64[0] << 1) ^ (BLOCK16_POLY & -carry);
+}
+
+static inline void
+block8_mulx_be (union nettle_block8 *dst,
+   const union nettle_block8 *src)
+{
+  uint64_t carry = (src->u64 & 0x80) >> 7;
+
+  dst->u64 = LSHIFT_ALIEN_UINT64(src->u64) ^ ((BLOCK8_POLY << 56) & -carry);
+}
+#endif /* !WORDS_BIGENDIAN */
+
 #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
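Review bot: The comment block `/* Galois multiplications by 2: ... r == x is allowed. */` names parameters r and x, but every function below it takes `dst`/`src`; write `dst == src is allowed` (each variant computes `carry` and reads the src word it needs before writing the corresponding dst word, so the claim is true as coded). `/* Do a foreign-endianness shift of data */` above LSHIFT_ALIEN_UINT64 could say what the macro actually does: `/* Shift a 64-bit word left by one bit as if its bytes were stored in the opposite order: bit 7 of each byte carries into bit 0 of the next less-significant byte of the word rather than into bit 8. */`. Typo in the same comment block: `polynom` → `polynomial`.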
diff --git a/cmac-internal.h b/cmac-internal.h
deleted file mode 100644
index 80db7fcc58cd..
--- a/cmac-internal.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* cmac-internal.h
-
-   CMAC mode internal functions
-
-   Copyright (C) 2017 Red Hat, Inc.
-
-   Contributed by Nikos Mavrogiannopoulos
-
-   This file is part of GNU Nettle.
-
-   GNU Nettle is free software: you can redistribute it and/or
-   modify it under the terms of either:
-
- * the GNU Lesser General Public License as published by the Free
-   Software Foundation; either version 3 of the License, or (at your
-   option) any later version.
-
-   or
-
- * the GNU General Public License as published by the Free
-   Software Foundation; either version 2 of the License, or (at your
-   option) any later version.
-
-   or both in parallel, as here.
-
-   GNU Nettle is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   General Public License for more details.
-
-   You should have received copies of the GNU 

[PATCH 0/5] GOST 28147-89 support

2019-09-16 Thread dbaryshkov
GOST 28147-89 is the data encryption standard for Russia (old, but still
used). English translation is provided in RFC 5830. It defines a 64-bit
cipher, ECB, CFB and counter (CNT) modes on top of it and a special mode
of basic transformation that is used for MAC construction called
"Imitovstavka" (IMIT).

Several S-boxes are defined for GOST 28147-89: the standard itself
defines a "test" S-box, another "test" S-box is defined in GOST R 34.11-94
(RFC 5831), RFC 4357 defines several CryptoPro S-boxes, and finally TC26
has defined the TC26-Z S-box (RFC 7836).

Before finalizing documentation I'd like to hear your opinion on the
GOST 28147-89 cipher and MAC interface.

-- 
With best wishes
Dmitry




[PATCH 3/5] Add CFB mode support for GOST 28147-89

2019-09-16 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 gost28147.c|  85 +++---
 gost28147.h|   8 +++
 testsuite/gost28147-test.c | 143 +
 3 files changed, 228 insertions(+), 8 deletions(-)

diff --git a/gost28147.c b/gost28147.c
index 9fe31043a3ff..ac94dfaa2ed8 100644
--- a/gost28147.c
+++ b/gost28147.c
@@ -33,6 +33,7 @@
 #endif
 
 #include 
+#include 
 
 #include "macros.h"
 #include "gost28147.h"
@@ -303,7 +304,8 @@ const struct gost28147_param gost28147_param_test_3411 =
   0x0600, 0x0650, 0x0670, 0x0638,
   0x0630, 0x0640, 0x0610, 0x0660,
 }
-  }
+  },
+  0
 };
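Review bot: The trailing `0` appended after the S-box initializer is an anonymous positional initializer; judging from `ctx->key_meshing = param->key_meshing` in the set_param hunk it presumably fills a new key_meshing field, but nothing at this site says so, and the same pattern repeats with `1` in the seven parameter-set hunks that follow. A designated initializer, `.key_meshing = 0,` here and `.key_meshing = 1,` for the Test_89, CryptoPro and TC26-Z sets, would make each table self-describing and survive any later reordering of the struct. The struct definition itself is in the gost28147.h part of this patch, outside the visible hunks, so the field name should be checked there.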
 
 const struct gost28147_param gost28147_param_CryptoPro_3411 =
@@ -570,7 +572,8 @@ const struct gost28147_param gost28147_param_CryptoPro_3411 
=
   0x0618, 0x0660, 0x0640, 0x0678,
   0x0630, 0x0610, 0x0648, 0x0658,
 }
-  }
+  },
+  0
 };
 
 const struct gost28147_param gost28147_param_Test_89 =
@@ -837,7 +840,8 @@ const struct gost28147_param gost28147_param_Test_89 =
   0x0420, 0x0440, 0x0470, 0x0478,
   0x0408, 0x0450, 0x0410, 0x0468,
 }
-  }
+  },
+  1
 };
 
 const struct gost28147_param gost28147_param_CryptoPro_A =
@@ -1104,7 +1108,8 @@ const struct gost28147_param gost28147_param_CryptoPro_A =
   0x0240, 0x0260, 0x0220, 0x0228,
   0x0278, 0x0218, 0x0258, 0x0270,
 }
-  }
+  },
+  1
 };
 
 const struct gost28147_param gost28147_param_CryptoPro_B =
@@ -1371,7 +1376,8 @@ const struct gost28147_param gost28147_param_CryptoPro_B =
   0x0638, 0x0620, 0x0668, 0x0600,
   0x0630, 0x0678, 0x0640, 0x0670,
 }
-  }
+  },
+  1
 };
 
 const struct gost28147_param gost28147_param_CryptoPro_C =
@@ -1638,7 +1644,8 @@ const struct gost28147_param gost28147_param_CryptoPro_C =
   0x0478, 0x0418, 0x0428, 0x0458,
   0x0420, 0x0408, 0x0460, 0x0438,
 }
-  }
+  },
+  1
 };
 
 const struct gost28147_param gost28147_param_CryptoPro_D =
@@ -1905,7 +1912,8 @@ const struct gost28147_param gost28147_param_CryptoPro_D =
   0x0768, 0x0740, 0x0760, 0x0720,
   0x0758, 0x0750, 0x0728, 0x0738,
 }
-  }
+  },
+  1
 };
 
 const struct gost28147_param gost28147_param_TC26_Z =
@@ -2172,7 +2180,8 @@ const struct gost28147_param gost28147_param_TC26_Z =
   0x0178, 0x0120, 0x0158, 0x0100,
   0x0168, 0x0150, 0x0118, 0x0138,
 }
-  }
+  },
+  1
 };
 
 /*
@@ -2245,6 +2254,37 @@ void _gost28147_decrypt_block (const uint32_t *key, 
const uint32_t sbox[4][256],
   *out = l, *(out + 1) = r;
 }
 
+static const uint32_t gost28147_key_mesh_cryptopro_data[GOST28147_KEY_SIZE / 
4] = {
+  0x22720069, 0x2304c964,
+  0x96db3a8d, 0xc42ae946,
+  0x94acfe18, 0x1207ed00,
+  0xc2dc86c0, 0x2ba94cef,
+};
+
+static void gost28147_key_mesh_cryptopro(struct gost28147_ctx *ctx)
+{
+  uint32_t newkey[GOST28147_KEY_SIZE/4];
+
+  _gost28147_decrypt_block(ctx->key, ctx->sbox,
+  _key_mesh_cryptopro_data[0],
+  [0]);
+
+  _gost28147_decrypt_block(ctx->key, ctx->sbox,
+  _key_mesh_cryptopro_data[2],
+  [2]);
+
+  _gost28147_decrypt_block(ctx->key, ctx->sbox,
+  _key_mesh_cryptopro_data[4],
+  [4]);
+
+  _gost28147_decrypt_block(ctx->key, ctx->sbox,
+  _key_mesh_cryptopro_data[6],
+  [6]);
+
+  memcpy(ctx->key, newkey, sizeof(newkey));
+  ctx->key_count = 0;
+}
+
 void
 gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key)
 {
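Review bot: `gost28147_key_mesh_cryptopro` leaves the freshly derived key in the stack array `newkey` after the `memcpy` into `ctx->key`, so 32 bytes of live key material stay on the stack until something overwrites them. If the project has a secure-clear helper, wiping `newkey` through it before return is cheap; a plain `memset` may be optimized away. The function also resets `ctx->key_count = 0` itself, so the callers in the CFB hunk (and `gost28147_cnt_next_iv` in the CNT patch) reset it a second time — one site should own that reset. The ampersands on the `_gost28147_decrypt_block` argument lines appear to have been lost in the archive rendering (`_key_mesh_cryptopro_data[0]`, `[0]`); presumably they read `&gost28147_key_mesh_cryptopro_data[0]` and `&newkey[0]` in the original patch.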
@@ -2253,6 +2293,7 @@ gost28147_set_key(struct gost28147_ctx *ctx, const 
uint8_t *key)
   assert(key);
   for (i = 0; i < 8; i++, key += 4)
 ctx->key[i] = LE_READ_UINT32(key);
+  ctx->key_count = 0;
   gost28147_set_param(ctx, _param_TC26_Z);
 }
 
@@ -2261,6 +2302,7 @@ gost28147_set_param(struct gost28147_ctx *ctx, const 
struct gost28147_param *par
 {
   assert(param);
   ctx->sbox = param->sbox;
+  ctx->key_meshing = param->key_meshing;
 }
 
 void
@@ -2302,3 +2344,30 @@ gost28147_decrypt(const struct gost28147_ctx *ctx,
   length -= GOST28147_BLOCK_SIZE;
 }
 }
+
+void
+gost28147_encrypt_for_cfb(struct gost28147_ctx *ctx,
+ size_t length, uint8_t *dst,
+ const uint8_t *src)
+{
+  uint32_t block[2];
+
+  assert(!(length % GOST28147_BLOCK_SIZE));
+
+  while (length)
+{
+  block[0] = LE_READ_UINT32(src); src += 4;
+  block[1] = LE_READ_UINT32(src); src += 4;
+  if (ctx->key_meshing && ctx->key_count == 1024)
+   {
+ gost28147_key_mesh_cryptopro(ctx);
+ _gost28147_encrypt_block(ctx->key, ctx->sbox, block, block);
+ ctx->key_count = 0;
+   }

[PATCH 1/5] Add GOST 28147-89 ECB encryption and decryption support

2019-09-16 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in  |   3 +-
 gost28147-internal.h |   3 +
 gost28147-meta.c |  49 +++
 gost28147.c  |  85 +
 gost28147.h  |  30 +
 nettle-meta-ciphers.c|   1 +
 nettle-meta.h|   2 +
 nettle.texinfo   |  38 +++
 testsuite/.gitignore |   1 +
 testsuite/.test-rules.make   |   3 +
 testsuite/Makefile.in|   1 +
 testsuite/gost28147-test.c   | 119 +++
 testsuite/meta-cipher-test.c |   1 +
 13 files changed, 335 insertions(+), 1 deletion(-)
 create mode 100644 gost28147-meta.c
 create mode 100644 testsuite/gost28147-test.c

diff --git a/Makefile.in b/Makefile.in
index 9f5b065a706a..c6e40a74ad4f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -103,7 +103,8 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 gcm-camellia128.c gcm-camellia128-meta.c \
 gcm-camellia256.c gcm-camellia256-meta.c \
 cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \
-gost28147.c gosthash94.c gosthash94-meta.c \
+gost28147.c gost28147-meta.c \
+gosthash94.c gosthash94-meta.c \
 hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \
 hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \
 hmac-sha512.c \
diff --git a/gost28147-internal.h b/gost28147-internal.h
index 7f5c6f8c63c0..2c3f5857a8d4 100644
--- a/gost28147-internal.h
+++ b/gost28147-internal.h
@@ -35,8 +35,11 @@
 #define NETTLE_GOST28147_INTERNAL_H_INCLUDED
 
 #define _gost28147_encrypt_block _nettle_gost28147_encrypt_block
+#define _gost28147_decrypt_block _nettle_gost28147_decrypt_block
 
 void _gost28147_encrypt_block (const uint32_t *key, const uint32_t 
sbox[4][256],
   const uint32_t *in, uint32_t *out);
+void _gost28147_decrypt_block (const uint32_t *key, const uint32_t 
sbox[4][256],
+  const uint32_t *in, uint32_t *out);
 
 #endif /* NETTLE_GOST28147_INTERNAL_H_INCLUDED */
diff --git a/gost28147-meta.c b/gost28147-meta.c
new file mode 100644
index ..69e4d265e453
--- /dev/null
+++ b/gost28147-meta.c
@@ -0,0 +1,49 @@
+/* gost28147-meta.c
+
+   Copyright (C) 2016 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "nettle-meta.h"
+
+#include "gost28147.h"
+
+const struct nettle_cipher nettle_gost28147 =
+  { "gost28147", sizeof(struct gost28147_ctx),
+GOST28147_BLOCK_SIZE, GOST28147_KEY_SIZE,
+(nettle_set_key_func *) gost28147_set_key,
+(nettle_set_key_func *) gost28147_set_key,
+(nettle_cipher_func *) gost28147_encrypt,
+(nettle_cipher_func *) gost28147_decrypt
+  };
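Review bot: The `nettle_gost28147` meta entry gives callers no way to choose an S-box, and nothing in this file says which one they get; from the `gost28147_set_key` context visible in the CFB patch it appears to be TC26-Z via `gost28147_set_param(ctx, &gost28147_param_TC26_Z)`. A one-line comment above the definition, `/* Uses the default S-box selected by gost28147_set_key (TC26-Z); use gost28147_set_param for the others. */`, would stop users from assuming the GOST R 34.11-94 or CryptoPro tables. Whether the default really is TC26-Z at this point in the series should be confirmed against gost28147_set_key, which lies outside the visible hunks of this patch.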
diff --git a/gost28147.c b/gost28147.c
index 15d314c86c17..6ccdcb6a353c 100644
--- a/gost28147.c
+++ b/gost28147.c
@@ -32,6 +32,8 @@
 #include "config.h"
 #endif
 
+#include 
+
 #include "macros.h"
 #include "gost28147.h"
 #include "gost28147-internal.h"
@@ -615,3 +617,86 @@ void _gost28147_encrypt_block (const uint32_t *key, const 
uint32_t sbox[4][256],
   GOST_ENCRYPT_ROUND(l, r, key[1], key[0], sbox);
   *out = l, *(out + 1) = r;
 }
+
+void _gost28147_decrypt_block (const uint32_t *key, const uint32_t 
sbox[4][256],
+  const uint32_t *in, uint32_t *out)
+{
+  uint32_t l, r;
+
+  r = in[0], l = in[1];
+  GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox);
+  GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox);
+  GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox);
+  GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox);
+  GOST_ENCRYPT_ROUND(l, r, key[7], key[6], sbox);
+  GOST_ENCRYPT_ROUND(l, r, key[5], key[4], sbox);
+  GOST_ENCRYPT_ROUND(l, r, key[3], key[2], sbox);
+  GOST_ENCRYPT_ROUND(l, r, key[1], key[0], sbox);
+  GOST_ENCRYPT_ROUND(l, r, key[7], key[6], 

[PATCH 5/5] Add GOST 28147-89 IMIT support

2019-09-16 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 gost28147.c| 107 +++--
 gost28147.h|  47 
 testsuite/gost28147-test.c | 102 +++
 3 files changed, 253 insertions(+), 3 deletions(-)

diff --git a/gost28147.c b/gost28147.c
index f718a202a56b..c7f5f1413695 100644
--- a/gost28147.c
+++ b/gost28147.c
@@ -36,6 +36,7 @@
 #include 
 
 #include "macros.h"
+#include "nettle-write.h"
 #include "gost28147.h"
 #include "gost28147-internal.h"
 #include "memxor.h"
@@ -2286,15 +2287,21 @@ static void gost28147_key_mesh_cryptopro(struct 
gost28147_ctx *ctx)
   ctx->key_count = 0;
 }
 
-void
-gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key)
+static void
+_gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key)
 {
   unsigned i;
 
-  assert(key);
   for (i = 0; i < 8; i++, key += 4)
 ctx->key[i] = LE_READ_UINT32(key);
   ctx->key_count = 0;
+}
+
+void
+gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key)
+{
+  assert(key);
+  _gost28147_set_key(ctx, key);
   gost28147_set_param(ctx, _param_TC26_Z);
 }
 
@@ -2457,3 +2464,97 @@ gost28147_cnt_crypt(struct gost28147_cnt_ctx *ctx,
   ctx->bytes = block_size - length;
 }
 }
+
+void
+gost28147_imit_init(struct gost28147_imit_ctx *ctx)
+{
+  memset(ctx->state, 0, GOST28147_BLOCK_SIZE);
+  ctx->index = 0;
+  ctx->count = 0;
+  gost28147_set_param(>cctx, _param_TC26_Z); /* Default */
+}
+
+void
+gost28147_imit_set_key(struct gost28147_imit_ctx *ctx,
+  size_t length,
+  const uint8_t *key)
+{
+  assert(length == GOST28147_IMIT_KEY_SIZE);
+  assert(key);
+
+  _gost28147_set_key(>cctx, key);
+  /* Do not reset param here */
+}
+
+void
+gost28147_imit_set_nonce(struct gost28147_imit_ctx *ctx, const uint8_t *nonce)
+{
+   ctx->state[0] = LE_READ_UINT32(nonce + 0);
+   ctx->state[1] = LE_READ_UINT32(nonce + 4);
+}
+
+void
+gost28147_imit_set_param(struct gost28147_imit_ctx *ctx,
+const struct gost28147_param *param)
+{
+  assert(param);
+  gost28147_set_param(>cctx, param);
+}
+
+static void
+gost28147_imit_compress(struct gost28147_imit_ctx *ctx,
+   const uint8_t *data)
+{
+  uint32_t l, r;
+
+  if (ctx->cctx.key_meshing && ctx->cctx.key_count == 1024)
+gost28147_key_mesh_cryptopro(>cctx);
+
+  r = LE_READ_UINT32(data + 0) ^ ctx->state[0];
+  l = LE_READ_UINT32(data + 4) ^ ctx->state[1];
+
+  GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[0], ctx->cctx.key[1], ctx->cctx.sbox);
+  GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[2], ctx->cctx.key[3], ctx->cctx.sbox);
+  GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[4], ctx->cctx.key[5], ctx->cctx.sbox);
+  GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[6], ctx->cctx.key[7], ctx->cctx.sbox);
+  GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[0], ctx->cctx.key[1], ctx->cctx.sbox);
+  GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[2], ctx->cctx.key[3], ctx->cctx.sbox);
+  GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[4], ctx->cctx.key[5], ctx->cctx.sbox);
+  GOST_ENCRYPT_ROUND(l, r, ctx->cctx.key[6], ctx->cctx.key[7], ctx->cctx.sbox);
+
+  ctx->state[0] = r;
+  ctx->state[1] = l;
+
+  ctx->cctx.key_count += 8;
+}
+
+void
+gost28147_imit_update(struct gost28147_imit_ctx *ctx,
+ size_t length,
+ const uint8_t *data)
+{
+  MD_UPDATE(ctx, length, data, gost28147_imit_compress, ctx->count++);
+}
+
+void
+gost28147_imit_digest(struct gost28147_imit_ctx *ctx,
+ size_t length,
+ uint8_t *digest)
+{
+  assert(length <= GOST28147_IMIT_DIGEST_SIZE);
+  const uint8_t zero[GOST28147_IMIT_BLOCK_SIZE] = { 0 };
+
+  if (ctx->index)
+{
+  assert(ctx->index < GOST28147_IMIT_BLOCK_SIZE);
+  gost28147_imit_update(ctx, GOST28147_IMIT_BLOCK_SIZE - ctx->index, zero);
+}
+
+  if (ctx->count == 1)
+{
+  gost28147_imit_update(ctx, GOST28147_IMIT_BLOCK_SIZE, zero);
+}
+
+  _nettle_write_le32(length, digest, ctx->state);
+  gost28147_imit_init(ctx);
+}
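Review bot: `gost28147_imit_digest` ends with `gost28147_imit_init(ctx)`, which reselects the TC26-Z parameter set, so a caller that chose another S-box with `gost28147_imit_set_param` keeps its key across messages but silently loses its S-box on the second one — the opposite of the "Do not reset param here" intent in `gost28147_imit_set_key`. Clearing only `state`, `index` and `count` at the end of digest (or having init skip `gost28147_set_param` when one is already installed) would keep key and parameters together. CryptoPro key meshing also rewrites `ctx->cctx.key` in place and nothing restores the original, so after a message long enough to trigger meshing the context cannot authenticate a second message under the same key without a fresh `gost28147_imit_set_key`; that deserves at least a comment on the API. Finally, if MD_UPDATE only runs the compress function on full blocks, an empty message leaves `ctx->count == 0` and the digest is the untouched state (zeros or the nonce) with no key involved; the standard's two-block minimum suggests `while (ctx->count < 2)` in place of `if (ctx->count == 1)`.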
diff --git a/gost28147.h b/gost28147.h
index 08189067983c..6d380dff190e 100644
--- a/gost28147.h
+++ b/gost28147.h
@@ -60,6 +60,13 @@ extern "C" {
 #define gost28147_cnt_set_iv nettle_gost28147_cnt_set_iv
 #define gost28147_cnt_crypt nettle_gost28147_cnt_crypt
 
+#define gost28147_imit_init nettle_gost28147_imit_init
+#define gost28147_imit_set_key nettle_gost28147_imit_set_key
+#define gost28147_imit_set_nonce nettle_gost28147_imit_set_nonce
+#define gost28147_imit_set_param nettle_gost28147_imit_set_param
+#define gost28147_imit_update nettle_gost28147_imit_update
+#define gost28147_imit_digest nettle_gost28147_imit_digest
+
 #define GOST28147_KEY_SIZE 32
 #define GOST28147_BLOCK_SIZE 8
 
@@ -126,6 +133,46 @@ void
 gost28147_cnt_crypt(struct gost28147_cnt_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src);
+
+#define 

[PATCH 2/5] Add the rest of sboxes for GOST 28147

2019-09-16 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 gost28147.c | 1602 +++
 gost28147.h |   13 +
 2 files changed, 1615 insertions(+)

diff --git a/gost28147.c b/gost28147.c
index 6ccdcb6a353c..9fe31043a3ff 100644
--- a/gost28147.c
+++ b/gost28147.c
@@ -573,6 +573,1608 @@ const struct gost28147_param 
gost28147_param_CryptoPro_3411 =
   }
 };
 
+const struct gost28147_param gost28147_param_Test_89 =
+{
+  {
+{ /* 0 */
+  0x00062000, 0x00061000, 0x00067800, 0x00062800,
+  0x00064800, 0x00060800, 0x0006, 0x00064000,
+  0x00067000, 0x00061800, 0x00065800, 0x00066000,
+  0x00066800, 0x00063800, 0x00065000, 0x00063000,
+  0x0004a000, 0x00049000, 0x0004f800, 0x0004a800,
+  0x0004c800, 0x00048800, 0x00048000, 0x0004c000,
+  0x0004f000, 0x00049800, 0x0004d800, 0x0004e000,
+  0x0004e800, 0x0004b800, 0x0004d000, 0x0004b000,
+  0x0007a000, 0x00079000, 0x0007f800, 0x0007a800,
+  0x0007c800, 0x00078800, 0x00078000, 0x0007c000,
+  0x0007f000, 0x00079800, 0x0007d800, 0x0007e000,
+  0x0007e800, 0x0007b800, 0x0007d000, 0x0007b000,
+  0x00072000, 0x00071000, 0x00077800, 0x00072800,
+  0x00074800, 0x00070800, 0x0007, 0x00074000,
+  0x00077000, 0x00071800, 0x00075800, 0x00076000,
+  0x00076800, 0x00073800, 0x00075000, 0x00073000,
+  0x00042000, 0x00041000, 0x00047800, 0x00042800,
+  0x00044800, 0x00040800, 0x0004, 0x00044000,
+  0x00047000, 0x00041800, 0x00045800, 0x00046000,
+  0x00046800, 0x00043800, 0x00045000, 0x00043000,
+  0xa000, 0x9000, 0xf800, 0xa800,
+  0xc800, 0x8800, 0x8000, 0xc000,
+  0xf000, 0x9800, 0xd800, 0xe000,
+  0xe800, 0xb800, 0xd000, 0xb000,
+  0x0001a000, 0x00019000, 0x0001f800, 0x0001a800,
+  0x0001c800, 0x00018800, 0x00018000, 0x0001c000,
+  0x0001f000, 0x00019800, 0x0001d800, 0x0001e000,
+  0x0001e800, 0x0001b800, 0x0001d000, 0x0001b000,
+  0x00052000, 0x00051000, 0x00057800, 0x00052800,
+  0x00054800, 0x00050800, 0x0005, 0x00054000,
+  0x00057000, 0x00051800, 0x00055800, 0x00056000,
+  0x00056800, 0x00053800, 0x00055000, 0x00053000,
+  0x00012000, 0x00011000, 0x00017800, 0x00012800,
+  0x00014800, 0x00010800, 0x0001, 0x00014000,
+  0x00017000, 0x00011800, 0x00015800, 0x00016000,
+  0x00016800, 0x00013800, 0x00015000, 0x00013000,
+  0x0003a000, 0x00039000, 0x0003f800, 0x0003a800,
+  0x0003c800, 0x00038800, 0x00038000, 0x0003c000,
+  0x0003f000, 0x00039800, 0x0003d800, 0x0003e000,
+  0x0003e800, 0x0003b800, 0x0003d000, 0x0003b000,
+  0x00022000, 0x00021000, 0x00027800, 0x00022800,
+  0x00024800, 0x00020800, 0x0002, 0x00024000,
+  0x00027000, 0x00021800, 0x00025800, 0x00026000,
+  0x00026800, 0x00023800, 0x00025000, 0x00023000,
+  0x0006a000, 0x00069000, 0x0006f800, 0x0006a800,
+  0x0006c800, 0x00068800, 0x00068000, 0x0006c000,
+  0x0006f000, 0x00069800, 0x0006d800, 0x0006e000,
+  0x0006e800, 0x0006b800, 0x0006d000, 0x0006b000,
+  0x00032000, 0x00031000, 0x00037800, 0x00032800,
+  0x00034800, 0x00030800, 0x0003, 0x00034000,
+  0x00037000, 0x00031800, 0x00035800, 0x00036000,
+  0x00036800, 0x00033800, 0x00035000, 0x00033000,
+  0x2000, 0x1000, 0x7800, 0x2800,
+  0x4800, 0x0800, 0x, 0x4000,
+  0x7000, 0x1800, 0x5800, 0x6000,
+  0x6800, 0x3800, 0x5000, 0x3000,
+  0x0005a000, 0x00059000, 0x0005f800, 0x0005a800,
+  0x0005c800, 0x00058800, 0x00058000, 0x0005c000,
+  0x0005f000, 0x00059800, 0x0005d800, 0x0005e000,
+  0x0005e800, 0x0005b800, 0x0005d000, 0x0005b000,
+  0x0002a000, 0x00029000, 0x0002f800, 0x0002a800,
+  0x0002c800, 0x00028800, 0x00028000, 0x0002c000,
+  0x0002f000, 0x00029800, 0x0002d800, 0x0002e000,
+  0x0002e800, 0x0002b800, 0x0002d000, 0x0002b000,
+}, { /* 1 */
+  0x0768, 0x0740, 0x0770, 0x0760,
+  0x0738, 0x0718, 0x0748, 0x0750,
+  0x0708, 0x0728, 0x0710, 0x0720,
+  0x0730, 0x0778, 0x0700, 0x0758,
+  0x04e8, 0x04c0, 0x04f0, 0x04e0,
+  0x04b8, 0x0498, 0x04c8, 0x04d0,
+  0x0488, 0x04a8, 0x0490, 0x04a0,
+  0x04b0, 0x04f8, 0x0480, 0x04d8,
+  0x05e8, 0x05c0, 0x05f0, 0x05e0,
+  0x05b8, 0x0598, 0x05c8, 0x05d0,
+  0x0588, 0x05a8, 0x0590, 0x05a0,
+  0x05b0, 0x05f8, 0x0580, 0x05d8,
+  0x0168, 0x0140, 0x0170, 0x0160,
+  0x0138, 0x0118, 0x0148, 0x0150,
+  0x0108, 0x0128, 0x0110, 0x0120,
+  0x0130, 0x0178, 0x0100, 0x0158,
+  0x02e8, 0x02c0, 0x02f0, 0x02e0,
+  0x02b8, 

[PATCH 4/5] Add special CNT mode for GOST 28147-89 cipher

2019-09-16 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 gost28147.c|  86 
 gost28147.h|  24 ++
 testsuite/gost28147-test.c | 161 +
 3 files changed, 271 insertions(+)

diff --git a/gost28147.c b/gost28147.c
index ac94dfaa2ed8..f718a202a56b 100644
--- a/gost28147.c
+++ b/gost28147.c
@@ -38,6 +38,7 @@
 #include "macros.h"
 #include "gost28147.h"
 #include "gost28147-internal.h"
+#include "memxor.h"
 
 /* pre-initialized GOST lookup tables based on rotated S-Box */
 const struct gost28147_param gost28147_param_test_3411 =
@@ -2371,3 +2372,88 @@ gost28147_encrypt_for_cfb(struct gost28147_ctx *ctx,
   ctx->key_count += GOST28147_BLOCK_SIZE;
 }
 }
+
+static void
+gost28147_cnt_next_iv(struct gost28147_cnt_ctx *ctx,
+ uint8_t *out)
+{
+  uint32_t block[2];
+  uint32_t temp;
+
+  if (ctx->ctx.key_meshing && ctx->ctx.key_count == 1024)
+{
+  gost28147_key_mesh_cryptopro(>ctx);
+  _gost28147_encrypt_block(ctx->ctx.key, ctx->ctx.sbox, ctx->iv, ctx->iv);
+  ctx->ctx.key_count = 0;
+}
+
+  ctx->iv[0] += 0x01010101;
+  temp = ctx->iv[1] + 0x01010104;
+  if (temp < ctx->iv[1])
+ctx->iv[1] = temp + 1; /* Overflow */
+  else
+ctx->iv[1] = temp;
+
+  _gost28147_encrypt_block(ctx->ctx.key, ctx->ctx.sbox, ctx->iv, block);
+
+  LE_WRITE_UINT32(out + 0, block[0]);
+  LE_WRITE_UINT32(out + 4, block[1]);
+
+  ctx->ctx.key_count += GOST28147_BLOCK_SIZE;
+}
+
+void
+gost28147_cnt_init(struct gost28147_cnt_ctx *ctx,
+  const uint8_t *key,
+  const struct gost28147_param *param)
+{
+  gost28147_set_key(>ctx, key);
+  gost28147_set_param(>ctx, param);
+  ctx->bytes = 0;
+}
+
+void
+gost28147_cnt_set_iv(struct gost28147_cnt_ctx *ctx,
+const uint8_t *iv)
+{
+  uint32_t block[2];
+
+  block[0] = LE_READ_UINT32(iv + 0);
+  block[1] = LE_READ_UINT32(iv + 4);
+
+  _gost28147_encrypt_block(ctx->ctx.key, ctx->ctx.sbox, block, ctx->iv);
+}
+
+void
+gost28147_cnt_crypt(struct gost28147_cnt_ctx *ctx,
+   size_t length, uint8_t *dst,
+   const uint8_t *src)
+{
+  size_t block_size = GOST28147_BLOCK_SIZE;
+
+  if (ctx->bytes)
+{
+  size_t part = ctx->bytes < length ? ctx->bytes : length;
+  memxor3(dst, src, ctx->buffer + block_size - ctx->bytes, part);
+  dst += part;
+  src += part;
+  length -= part;
+  ctx->bytes -= part;
+  ctx->bytes %= block_size;
+}
+  while (length >= block_size)
+{
+  gost28147_cnt_next_iv(ctx, ctx->buffer);
+  memxor3(dst, src, ctx->buffer, block_size);
+  length -= block_size;
+  src += block_size;
+  dst += block_size;
+}
+
+  if (length != 0)
+{
+  gost28147_cnt_next_iv(ctx, ctx->buffer);
+  memxor3(dst, src, ctx->buffer, length);
+  ctx->bytes = block_size - length;
+}
+}
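Review bot: `gost28147_cnt_set_iv` does not reset `ctx->bytes`, so if it is called after a `gost28147_cnt_crypt` that ended mid-block, the next crypt call first consumes the leftover keystream in `ctx->buffer` generated under the old IV before switching to the new one. Adding `ctx->bytes = 0;` at the end of set_iv (cnt_init already does it) makes a re-IV'd context start on a fresh block. In `gost28147_cnt_crypt`, `ctx->bytes %= block_size;` after `ctx->bytes -= part;` is a no-op since `bytes` is always below `block_size` there; dropping it avoids suggesting a wrap that cannot happen. As in the CFB patch, `ctx->ctx.key_count = 0;` after `gost28147_key_mesh_cryptopro` repeats a reset the mesh function already performs.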
diff --git a/gost28147.h b/gost28147.h
index 241c1e136fbc..08189067983c 100644
--- a/gost28147.h
+++ b/gost28147.h
@@ -56,6 +56,10 @@ extern "C" {
 #define gost28147_encrypt_for_cfb nettle_gost28147_encrypt_for_cfb
 #define gost28147_decrypt nettle_gost28147_decrypt
 
+#define gost28147_cnt_init nettle_gost28147_cnt_init
+#define gost28147_cnt_set_iv nettle_gost28147_cnt_set_iv
+#define gost28147_cnt_crypt nettle_gost28147_cnt_crypt
+
 #define GOST28147_KEY_SIZE 32
 #define GOST28147_BLOCK_SIZE 8
 
@@ -102,6 +106,26 @@ gost28147_encrypt_for_cfb(struct gost28147_ctx *ctx,
  size_t length, uint8_t *dst,
  const uint8_t *src);
 
+struct gost28147_cnt_ctx {
+  struct gost28147_ctx ctx;
+  size_t bytes;
+  uint32_t iv[2];
+  uint8_t buffer[GOST28147_BLOCK_SIZE];
+};
+
+void
+gost28147_cnt_init(struct gost28147_cnt_ctx *ctx,
+  const uint8_t *key,
+  const struct gost28147_param *param);
+
+void
+gost28147_cnt_set_iv(struct gost28147_cnt_ctx *ctx,
+const uint8_t *iv);
+
+void
+gost28147_cnt_crypt(struct gost28147_cnt_ctx *ctx,
+   size_t length, uint8_t *dst,
+   const uint8_t *src);
 #ifdef __cplusplus
 }
 #endif
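Review bot: The new `gost28147_cnt_*` prototypes carry no comments, and the call-order constraint is not obvious from them: `gost28147_cnt_init` sets key and parameters but leaves `iv` untouched, so `gost28147_cnt_set_iv` is mandatory before the first `gost28147_cnt_crypt`, and crypt keeps partial-block keystream in `buffer`/`bytes` between calls. A comment above `gost28147_cnt_init` such as `/* Sets key and S-box; gost28147_cnt_set_iv must be called before gost28147_cnt_crypt. */`, and one above cnt_crypt noting that it accepts arbitrary lengths and serves for both directions (there is no separate decrypt entry point), would document this. The `iv` and `buffer` fields hold key-dependent keystream and could be marked as private to the implementation.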
diff --git a/testsuite/gost28147-test.c b/testsuite/gost28147-test.c
index 939bedee9c66..42441969a467 100644
--- a/testsuite/gost28147-test.c
+++ b/testsuite/gost28147-test.c
@@ -1,6 +1,7 @@
 #include "testutils.h"
 #include "gost28147.h"
 #include "cfb.h"
+#include "macros.h"
 
 static void
 test_gost28147(const struct gost28147_param *param,
@@ -104,6 +105,82 @@ test_gost28147_cfb(const struct gost28147_param *param,
   free(data);
 }
 
+static void
+test_gost28147_cnt(const struct gost28147_param *param,
+  const struct tstring *key,
+  const struct tstring *start_iv,
+  const struct tstring *end_iv,
+  const struct tstring *cleartext,
+  const struct tstring *ciphertext)
+{
+  struct gost28147_cnt_ctx 

[PATCH] nettle-meta: add meta interface for CMAC-DES3 functions

2019-08-06 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in   |  2 +-
 cmac-des3-meta.c  | 43 +++
 nettle-meta-macs.c|  1 +
 nettle-meta.h | 13 
 testsuite/cmac-test.c | 12 ---
 testsuite/meta-mac-test.c |  1 +
 6 files changed, 59 insertions(+), 13 deletions(-)
 create mode 100644 cmac-des3-meta.c

diff --git a/Makefile.in b/Makefile.in
index 409c655b2cee..de46bb5619f3 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -103,7 +103,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 gcm-camellia128.c gcm-camellia128-meta.c \
 gcm-camellia256.c gcm-camellia256-meta.c \
 cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \
-cmac-aes128-meta.c cmac-aes256-meta.c \
+cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \
 gosthash94.c gosthash94-meta.c \
 hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \
 hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \
diff --git a/cmac-des3-meta.c b/cmac-des3-meta.c
new file mode 100644
index ..40b27feaccdc
--- /dev/null
+++ b/cmac-des3-meta.c
@@ -0,0 +1,43 @@
+/* cmac-des3-meta.c
+
+   Copyright (C) 2013, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "nettle-meta.h"
+
+#include "cmac.h"
+
+const struct nettle_mac nettle_cmac_des3
+= _NETTLE_CMAC64(cmac_des3, DES3);
diff --git a/nettle-meta-macs.c b/nettle-meta-macs.c
index 6575ed661db3..201b30847147 100644
--- a/nettle-meta-macs.c
+++ b/nettle-meta-macs.c
@@ -40,6 +40,7 @@
 const struct nettle_mac * const _nettle_macs[] = {
   _cmac_aes128,
   _cmac_aes256,
+  _cmac_des3,
   _hmac_md5,
   _hmac_ripemd160,
   _hmac_sha1,
diff --git a/nettle-meta.h b/nettle-meta.h
index 4b4d312dfe0f..668c90924f1f 100644
--- a/nettle-meta.h
+++ b/nettle-meta.h
@@ -303,8 +303,21 @@ nettle_get_macs (void);
 
 #define nettle_macs (nettle_get_macs())
 
+#define _NETTLE_CMAC64(name, AES) {\
+  #name,   \
+  sizeof(struct name##_ctx),   \
+  CMAC64_DIGEST_SIZE,  \
+  AES##_KEY_SIZE,  \
+  0,   \
+  (nettle_set_key_func *) name##_set_key,  \
+  NULL,\
+  (nettle_hash_update_func *) name##_update,   \
+  (nettle_hash_digest_func *) name##_digest,   \
+}
+
 extern const struct nettle_mac nettle_cmac_aes128;
 extern const struct nettle_mac nettle_cmac_aes256;
+extern const struct nettle_mac nettle_cmac_des3;
 
 extern const struct nettle_mac nettle_hmac_md5;
 extern const struct nettle_mac nettle_hmac_ripemd160;
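Review bot: The second parameter of `_NETTLE_CMAC64` is named `AES`, but its only use in this patch is with `DES3`, and the macro lives in a public header; a neutral name, `#define _NETTLE_CMAC64(name, CIPHER) {` with `CIPHER##_KEY_SIZE,`, would read correctly for both. The `0,` and `NULL,` entries are positional and unexplained; if they are a nonce size and set_nonce hook, a trailing comment on each would help the next reader, since the struct nettle_mac layout is not in the visible hunks. Note that the name string changes from `"CMAC-3DES"` in the deleted test definition to `"cmac_des3"` via `#name`, which matches the other cmac entries listed in meta-mac-test.c.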
diff --git a/testsuite/cmac-test.c b/testsuite/cmac-test.c
index 1a2cd0e591cf..a71baa086d01 100644
--- a/testsuite/cmac-test.c
+++ b/testsuite/cmac-test.c
@@ -2,18 +2,6 @@
 #include "nettle-internal.h"
 #include "cmac.h"
 
-const struct nettle_mac nettle_cmac_des3 =
-{
-  "CMAC-3DES",
-  sizeof(struct cmac_des3_ctx),
-  CMAC64_DIGEST_SIZE,
-  DES3_KEY_SIZE,
-
-  (nettle_set_key_func*) cmac_des3_set_key,
-  (nettle_hash_update_func*) cmac_des3_update,
-  (nettle_hash_digest_func*) cmac_des3_digest
-};
-
 #define test_cmac_aes128(key, msg, ref)
\
   test_mac(_cmac_aes128, key, msg, ref)
 
diff --git a/testsuite/meta-mac-test.c b/testsuite/meta-mac-test.c
index 09cb5e9fd11c..4f61c3173ec3 100644
--- a/testsuite/meta-mac-test.c
+++ b/testsuite/meta-mac-test.c
@@ -5,6 +5,7 @@
 const char* macs[] = {
   "cmac_aes128",
   "cmac_aes256",
+  "cmac_des3",
   "hmac_md5",
   "hmac_ripemd160",
   "hmac_sha1",
-- 
2.20.1



[PATCH 2/2] Implement PBKDF2 shortcut function for Streebog256/512

2019-10-02 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in |  2 +-
 pbkdf2-hmac-streebog.c  | 67 +
 pbkdf2.h| 14 +
 testsuite/pbkdf2-test.c |  7 +
 4 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 pbkdf2-hmac-streebog.c

diff --git a/Makefile.in b/Makefile.in
index c578e2901aa7..bcf97fcd5c8c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -115,7 +115,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 nettle-meta-aeads.c nettle-meta-armors.c \
 nettle-meta-ciphers.c nettle-meta-hashes.c \
 pbkdf2.c pbkdf2-hmac-gosthash94.c pbkdf2-hmac-sha1.c \
-pbkdf2-hmac-sha256.c \
+pbkdf2-hmac-sha256.c pbkdf2-hmac-streebog.c \
 poly1305-aes.c poly1305-internal.c \
 realloc.c \
 ripemd160.c ripemd160-compress.c ripemd160-meta.c \
diff --git a/pbkdf2-hmac-streebog.c b/pbkdf2-hmac-streebog.c
new file mode 100644
index ..cc286f8940ac
--- /dev/null
+++ b/pbkdf2-hmac-streebog.c
@@ -0,0 +1,67 @@
+/* pbkdf2-hmac-streebog.c
+
+   PKCS #5 PBKDF2 used with HMAC-STREEBOG.
+
+   Copyright (C) 2016 Dmitry Eremin-Solenikov
+   Copyright (C) 2012 Simon Josefsson
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "pbkdf2.h"
+
+#include "hmac.h"
+
+void
+pbkdf2_hmac_streebog256 (size_t key_length, const uint8_t *key,
+   unsigned iterations,
+   size_t salt_length, const uint8_t *salt,
+   size_t length, uint8_t *dst)
+{
+  struct hmac_streebog256_ctx streebog256ctx;
+
+  hmac_streebog256_set_key (, key_length, key);
+  PBKDF2 (, hmac_streebog256_update, hmac_streebog256_digest,
+ STREEBOG256_DIGEST_SIZE, iterations, salt_length, salt, length, dst);
+}
+
+void
+pbkdf2_hmac_streebog512 (size_t key_length, const uint8_t *key,
+   unsigned iterations,
+   size_t salt_length, const uint8_t *salt,
+   size_t length, uint8_t *dst)
+{
+  struct hmac_streebog512_ctx streebog512ctx;
+
+  hmac_streebog512_set_key (, key_length, key);
+  PBKDF2 (, hmac_streebog512_update, hmac_streebog512_digest,
+ STREEBOG512_DIGEST_SIZE, iterations, salt_length, salt, length, dst);
+}
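Review bot: Both functions leave the HMAC context (`streebog256ctx` / `streebog512ctx`), which holds the password-derived inner and outer key state, on the stack after PBKDF2 returns; nothing clears it. If the library has a secure-memset helper, one call on the context before return would close that, while a plain `memset` may be optimized away. Neither function nor its header declaration carries a comment; a short one stating that `key` is the password, `salt` the salt and that `dst` receives `length` bytes would match the rest of pbkdf2.h. The `hmac_streebog256_set_key (, key_length, key);` lines as rendered here are missing their first argument, presumably `&streebog256ctx` lost in archiving.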
diff --git a/pbkdf2.h b/pbkdf2.h
index a36dfdbaa437..67583bce615a 100644
--- a/pbkdf2.h
+++ b/pbkdf2.h
@@ -46,6 +46,8 @@ extern "C"
 #define pbkdf2_hmac_sha1 nettle_pbkdf2_hmac_sha1
 #define pbkdf2_hmac_sha256 nettle_pbkdf2_hmac_sha256
 #define pbkdf2_hmac_gosthash94cp nettle_pbkdf2_hmac_gosthash94cp
+#define pbkdf2_hmac_streebog256 nettle_pbkdf2_hmac_streebog256
+#define pbkdf2_hmac_streebog512 nettle_pbkdf2_hmac_streebog512
 
 void
 pbkdf2 (void *mac_ctx,
@@ -85,6 +87,18 @@ pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t 
*key,
  size_t salt_length, const uint8_t *salt,
  size_t length, uint8_t *dst);
 
+void
+pbkdf2_hmac_streebog256 (size_t key_length, const uint8_t *key,
+unsigned iterations,
+size_t salt_length, const uint8_t *salt,
+size_t length, uint8_t *dst);
+
+void
+pbkdf2_hmac_streebog512 (size_t key_length, const uint8_t *key,
+unsigned iterations,
+size_t salt_length, const uint8_t *salt,
+size_t length, uint8_t *dst);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/testsuite/pbkdf2-test.c b/testsuite/pbkdf2-test.c
index 9e024e57b7f5..e76c82dc2b7e 100644
--- a/testsuite/pbkdf2-test.c
+++ b/testsuite/pbkdf2-test.c
@@ -157,9 +157,16 @@ test_main (void)
   STREEBOG512_DIGEST_SIZE, 4096, LDATA("sa\0lt"),
   
SHEX("50df062885b69801a3c10248eb0a27ab6e522ffeb20c991c660f001475d73a4e167f782c18e97e92976d9c1d970831ea78ccb879f67068cdac1910740844e830"));
 
+  PBKDF2_HMAC_TEST 

[PATCH 1/2] Implement GOST R 34.11-2012 (Streebog) hash function

2019-10-02 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in |5 +-
 examples/nettle-benchmark.c |3 +-
 hmac-streebog.c |   73 ++
 hmac.h  |   33 +
 nettle-meta-hashes.c|2 +
 nettle-meta.h   |2 +
 nettle.texinfo  |   72 ++
 streebog-meta.c |   44 ++
 streebog.c  | 1334 +++
 streebog.h  |   99 +++
 testsuite/.gitignore|1 +
 testsuite/.test-rules.make  |3 +
 testsuite/Makefile.in   |1 +
 testsuite/hmac-test.c   |   17 +
 testsuite/meta-hash-test.c  |2 +
 testsuite/pbkdf2-test.c |   30 +-
 testsuite/streebog-test.c   |   81 +++
 17 files changed, 1798 insertions(+), 4 deletions(-)
 create mode 100644 hmac-streebog.c
 create mode 100644 streebog-meta.c
 create mode 100644 streebog.c
 create mode 100644 streebog.h
 create mode 100644 testsuite/streebog-test.c

diff --git a/Makefile.in b/Makefile.in
index 9f5b065a706a..c578e2901aa7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -106,7 +106,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 gost28147.c gosthash94.c gosthash94-meta.c \
 hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \
 hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \
-hmac-sha512.c \
+hmac-sha512.c hmac-streebog.c \
 knuth-lfib.c hkdf.c \
 md2.c md2-meta.c md4.c md4-meta.c \
 md5.c md5-compress.c md5-compat.c md5-meta.c \
@@ -132,6 +132,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c\
 serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \
 serpent-meta.c \
+streebog.c streebog-meta.c \
 twofish.c twofish-meta.c \
 umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \
 umac-poly64.c umac-poly128.c umac-set-key.c \
@@ -209,7 +210,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
  pbkdf2.h \
  pgp.h pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h \
  salsa20.h sexp.h \
- serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \
+ serpent.h sha.h sha1.h sha2.h sha3.h streebog.h twofish.h \
  umac.h yarrow.h xts.h poly1305.h
 
 INSTALL_HEADERS = $(HEADERS) version.h @IF_MINI_GMP@ mini-gmp.h
diff --git a/examples/nettle-benchmark.c b/examples/nettle-benchmark.c
index 5d0e649ea726..ea52cb44becf 100644
--- a/examples/nettle-benchmark.c
+++ b/examples/nettle-benchmark.c
@@ -918,7 +918,8 @@ main(int argc, char **argv)
   _sha3_224, _sha3_256,
   _sha3_384, _sha3_512,
   _ripemd160, _gosthash94,
-  _gosthash94cp,
+  _gosthash94cp, _streebog256,
+  _streebog512,
   NULL
 };
 
diff --git a/hmac-streebog.c b/hmac-streebog.c
new file mode 100644
index ..8298364bfca9
--- /dev/null
+++ b/hmac-streebog.c
@@ -0,0 +1,73 @@
+/* hmac-streebog.c
+
+   HMAC-Streebog message authentication code.
+
+   Copyright (C) 2016 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "hmac.h"
+
+void
+hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx,
+   size_t key_length, const uint8_t *key)
+{
+  HMAC_SET_KEY(ctx, _streebog512, key_length, key);
+}
+
+void
+hmac_streebog512_update(struct hmac_streebog512_ctx *ctx,
+  size_t length, const uint8_t *data)
+{
+  streebog512_update(>state, length, data);
+}
+
+void
+hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx,
+  size_t length, uint8_t *digest)
+{
+  HMAC_DIGEST(ctx, _streebog512, length, digest);
+}
+
+void
+hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx,
+   size_t key_length, const uint8_t *key)
+{
+  HMAC_SET_KEY(ctx, _streebog256, 

[PATCH v2] ecc: rename source files with curves data

2019-12-05 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

In preparation for adding GOST curve support, rename the source files and
use the curve name as the eccdata parameter.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore| 14 ++---
 Makefile.in   | 54 -
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  0
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  0
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  0
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  0
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  0
 configure.ac  |  5 +-
 ecc-25519.c => ecc-curve25519.c   |  4 +-
 ecc-448.c => ecc-curve448.c   |  4 +-
 ecc-192.c => ecc-secp192r1.c  |  4 +-
 ecc-224.c => ecc-secp224r1.c  |  4 +-
 ecc-256.c => ecc-secp256r1.c  |  4 +-
 ecc-384.c => ecc-secp384r1.c  |  4 +-
 ecc-521.c => ecc-secp521r1.c  |  4 +-
 eccdata.c | 58 +++
 ...25519-modp.asm => ecc-curve25519-modp.asm} |  0
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  0
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  0
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  0
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  0
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  0
 22 files changed, 85 insertions(+), 74 deletions(-)
 rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%)
 rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%)
 rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%)
 rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%)
 rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%)
 rename ecc-25519.c => ecc-curve25519.c (99%)
 rename ecc-448.c => ecc-curve448.c (99%)
 rename ecc-192.c => ecc-secp192r1.c (98%)
 rename ecc-224.c => ecc-secp224r1.c (98%)
 rename ecc-256.c => ecc-secp256r1.c (99%)
 rename ecc-384.c => ecc-secp384r1.c (99%)
 rename ecc-521.c => ecc-secp521r1.c (98%)
 rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%)
 rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%)
 rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%)
 rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%)
 rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%)
 rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%)

diff --git a/.gitignore b/.gitignore
index 0afe61de3826..ea264107fa40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,13 +43,13 @@ core
 /keymap.h
 /parity.h
 /rotors.h
-/ecc-192.h
-/ecc-224.h
-/ecc-256.h
-/ecc-384.h
-/ecc-521.h
-/ecc-25519.h
-/ecc-448.h
+/ecc-curve25519.h
+/ecc-curve448.h
+/ecc-secp192r1.h
+/ecc-secp224r1.h
+/ecc-secp256r1.h
+/ecc-secp384r1.h
+/ecc-secp521r1.h
 /version.h
 /nettle.aux
 /nettle.cp
diff --git a/Makefile.in b/Makefile.in
index 036a3a1d7f8b..333044a19705 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -174,8 +174,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  gmp-glue.c cnd-copy.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
- ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \
- ecc-25519.c ecc-448.c \
+ ecc-curve25519.c ecc-curve448.c \
+ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
+ ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
  ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \
  ecc-eh-to-a.c \
@@ -346,24 +347,24 @@ des.$(OBJEXT): des.c des.h $(des_headers)
 # k = 14, c =  7, S = 256, T =  42 ( 28 A + 14 D) 12 KB
 # k = 11, c =  6, S = 192, T =  44 ( 33 A + 11 D)  9 KB
 # k = 16, c =  6, S = 128, T =  48 ( 32 A + 16 D)  6 KB
-ecc-192.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp192r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
 # Some reasonable choices for 224:
 # k = 16, c =  7, S = 256, T =  48 ( 32 A + 16 D) ~16 KB
 # k = 10, c =  6, S = 256, T =  50 ( 40 A + 10 D) ~16 KB
 # k = 13, c =  6, S = 192, T =  52 ( 39 A + 13 D) ~12 KB
 # k =  9, c =  5, S = 160, T =  54 ( 45 A +  9 D) ~10 KB
-ecc-224.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp224r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv 
$@T $@
 
 # Some reasonable choices for 256:
 # k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
 # k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
 # k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
 # k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
-ecc-256.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp256r1.h: 

[PATCH] ecc: rename source files with curves data

2019-11-24 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

In preparation for adding GOST curve support, rename the source files and
use the curve name as the eccdata parameter.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore| 12 ++---
 Makefile.in   | 45 
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  0
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  0
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  0
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  0
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  0
 configure.ac  |  5 +-
 ecc-25519.c => ecc-curve25519.c   |  4 +-
 ecc-192.c => ecc-secp192r1.c  |  4 +-
 ecc-224.c => ecc-secp224r1.c  |  4 +-
 ecc-256.c => ecc-secp256r1.c  |  4 +-
 ecc-384.c => ecc-secp384r1.c  |  4 +-
 ecc-521.c => ecc-secp521r1.c  |  4 +-
 eccdata.c | 51 +++
 ...25519-modp.asm => ecc-curve25519-modp.asm} |  0
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  0
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  0
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  0
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  0
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  0
 21 files changed, 74 insertions(+), 63 deletions(-)
 rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%)
 rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%)
 rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%)
 rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%)
 rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%)
 rename ecc-25519.c => ecc-curve25519.c (99%)
 rename ecc-192.c => ecc-secp192r1.c (98%)
 rename ecc-224.c => ecc-secp224r1.c (98%)
 rename ecc-256.c => ecc-secp256r1.c (99%)
 rename ecc-384.c => ecc-secp384r1.c (99%)
 rename ecc-521.c => ecc-secp521r1.c (98%)
 rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%)
 rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%)
 rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%)
 rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%)
 rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%)
 rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%)

diff --git a/.gitignore b/.gitignore
index b79c53f535ff..be10fbe959cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,12 +43,12 @@ core
 /keymap.h
 /parity.h
 /rotors.h
-/ecc-192.h
-/ecc-224.h
-/ecc-256.h
-/ecc-384.h
-/ecc-521.h
-/ecc-25519.h
+/ecc-curve25519.h
+/ecc-secp192r1.h
+/ecc-secp224r1.h
+/ecc-secp256r1.h
+/ecc-secp384r1.h
+/ecc-secp521r1.h
 /version.h
 /nettle.aux
 /nettle.cp
diff --git a/Makefile.in b/Makefile.in
index 9f5b065a706a..89066ec6c3c2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -174,8 +174,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  gmp-glue.c cnd-copy.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
- ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \
- ecc-25519.c \
+ ecc-curve25519.c ecc-secp192r1.c ecc-secp224r1.c \
+ ecc-secp256r1.c ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
  ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \
  ecc-eh-to-a.c \
@@ -345,24 +345,24 @@ des.$(OBJEXT): des.c des.h $(des_headers)
 # k = 14, c =  7, S = 256, T =  42 ( 28 A + 14 D) 12 KB
 # k = 11, c =  6, S = 192, T =  44 ( 33 A + 11 D)  9 KB
 # k = 16, c =  6, S = 128, T =  48 ( 32 A + 16 D)  6 KB
-ecc-192.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp192r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
 # Some reasonable choices for 224:
 # k = 16, c =  7, S = 256, T =  48 ( 32 A + 16 D) ~16 KB
 # k = 10, c =  6, S = 256, T =  50 ( 40 A + 10 D) ~16 KB
 # k = 13, c =  6, S = 192, T =  52 ( 39 A + 13 D) ~12 KB
 # k =  9, c =  5, S = 160, T =  54 ( 45 A +  9 D) ~10 KB
-ecc-224.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp224r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv 
$@T $@
 
 # Some reasonable choices for 256:
 # k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
 # k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
 # k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
 # k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
-ecc-256.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp256r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp256r1 11 6 $(NUMB_BITS) > $@T && mv 
$@T $@
 
 # Some reasonable choices for 384:
 # k = 16, c =  6, S = 256, T =  80 ( 64 

[RFC] ecc: switch away from affine points representation

2019-11-24 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Use the jacobian/harmonized representation in the ecc_point structure.

This is an RFC patch for now: j_to_a/eh_to_a are not modified to produce
the y coordinate only, and more tests are most probably necessary.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 ecc-a-to-j.c| 12 +++
 ecc-ecdsa-sign.c|  2 +-
 ecc-ecdsa-verify.c  |  4 ++--
 ecc-eh-to-a.c   | 17 ---
 ecc-internal.h  | 20 ++---
 ecc-j-to-a.c| 15 +++--
 ecc-mul-a-eh.c  | 13 +--
 ecc-mul-a.c | 18 +++-
 ecc-point-mul-g.c   |  8 +++
 ecc-point-mul.c |  2 +-
 ecc-point.c | 36 +--
 ecdsa-keygen.c  |  7 +++---
 eddsa-compress.c|  2 +-
 eddsa-decompress.c  |  1 +
 eddsa-verify.c  |  2 +-
 testsuite/ecc-add-test.c|  5 -
 testsuite/ecc-dup-test.c| 10 -
 testsuite/ecc-mul-a-test.c  | 22 ---
 testsuite/ecc-mul-g-test.c  |  4 ++--
 testsuite/ecdsa-keygen-test.c   | 38 ++---
 testsuite/eddsa-compress-test.c |  8 +--
 testsuite/eddsa-verify-test.c   |  2 +-
 testsuite/testutils.c   |  2 +-
 23 files changed, 152 insertions(+), 98 deletions(-)

diff --git a/ecc-a-to-j.c b/ecc-a-to-j.c
index 9fb0d2b80c41..895502e0fe20 100644
--- a/ecc-a-to-j.c
+++ b/ecc-a-to-j.c
@@ -40,11 +40,12 @@
 
 void
 ecc_a_to_j (const struct ecc_curve *ecc,
-   mp_limb_t *r, const mp_limb_t *p)
+   mp_limb_t *r, const mpz_t x, const mpz_t y)
 {
   if (ecc->use_redc)
 {
-  mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size);
+  mpz_limbs_copy (r + ecc->p.size, x, ecc->p.size);
+  mpz_limbs_copy (r + 2 * ecc->p.size, y, ecc->p.size);
 
   mpn_zero (r, ecc->p.size);
   ecc->p.mod (>p, r);
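Review bot: The requirement that `x` and `y` already fit in `ecc->p.size` limbs (i.e. are reduced modulo p) is now part of ecc_a_to_j's contract, because `mpz_limbs_copy` is handed a fixed limb count; if the function comment above the hunk (outside it) still describes the old limb-pointer argument `p`, it should be updated to something like `/* x, y: mpz values reduced mod p; each copied into ecc->p.size limbs. r: 3*ecc->p.size limbs. */`. The second hunk of this file makes the same signature change in the `else` branch and drops the `r != p` in-place guard, which is fine now that the inputs are mpz_t rather than limb pointers into r, but worth a sentence in that comment. If ecc-a-to-j.c does not already include the header declaring `mpz_limbs_copy` (presumably gmp-glue.h), it needs that include too.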
@@ -52,8 +53,11 @@ ecc_a_to_j (const struct ecc_curve *ecc,
   mpn_zero (r + ecc->p.size, ecc->p.size);
   ecc->p.mod (>p, r + ecc->p.size);
 }
-  else if (r != p)
-mpn_copyi (r, p, 2*ecc->p.size);
+  else
+{
+  mpz_limbs_copy (r, x, ecc->p.size);
+  mpz_limbs_copy (r + ecc->p.size, y, ecc->p.size);
+}
 
   mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size);
 }
diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c
index 3b9e9cc1a35d..87239b7cccb6 100644
--- a/ecc-ecdsa-sign.c
+++ b/ecc-ecdsa-sign.c
@@ -80,7 +80,7 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc,
 
   ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size);
   /* x coordinate only, modulo q */
-  ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size);
+  ecc->h_to_a (ecc, 2, rp, NULL, P, P + 3*ecc->p.size);
 
   /* Invert k, uses 4 * ecc->p.size including scratch */
   ecc->q.invert (>q, kinv, kp, tp); /* NOTE: Also clobbers hp */
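Review bot: Passing `NULL` for the new y output on the `+` line relies on every h_to_a implementation never writing through y when `op == 2`; that cannot be confirmed from this series as shown (the ecc_eh_to_a hunk that handles `op` is cut off, ecc_j_to_a is not shown, and the description says these functions were not reworked). The function-pointer contract in ecc-internal.h should state it explicitly, e.g. `/* y may be NULL when only x is requested (op == 2) */`, and the inline comment here could read `/* x coordinate only, modulo q; y output unused */`. The same call shape appears in the ecc-ecdsa-verify.c hunk below. ecc_ecdsa_sign continues outside the hunk.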
diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c
index d7f5b684841a..120b12965fd5 100644
--- a/ecc-ecdsa-verify.c
+++ b/ecc-ecdsa-verify.c
@@ -64,7 +64,7 @@ mp_size_t
 ecc_ecdsa_verify_itch (const struct ecc_curve *ecc)
 {
   /* Largest storage need is for the ecc->mul call. */
-  return 5*ecc->p.size + ecc->mul_itch;
+  return 6*ecc->p.size + ecc->mul_itch;
 }
 
 /* FIXME: Use faster primitives, not requiring side-channel silence. */
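Review bot: The scratch requirement grows from `5*ecc->p.size` to `6*ecc->p.size` on the `+` line, but the comment above it still says the largest need is for the ecc->mul call, so the reason for the extra p.size limbs is not recorded. Presumably they are for the point conversion this series introduces; suggest extending the comment to `/* Largest storage need is for the ecc->mul call, plus ecc->p.size limbs for <what the P1/P2 layout now needs> */` with the placeholder filled in from the `#define`s later in ecc_ecdsa_verify (outside this hunk). The second hunk of this file only adapts the h_to_a call.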
@@ -145,7 +145,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
   ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size);
 }
   /* x coordinate only, modulo q */
-  ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size);
+  ecc->h_to_a (ecc, 2, P2, NULL, P1, P1 + 3*ecc->p.size);
 
   return (mpn_cmp (rp, P2, ecc->p.size) == 0);
 #undef P2
diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c
index 8173b887d59d..851dcb8d592a 100644
--- a/ecc-eh-to-a.c
+++ b/ecc-eh-to-a.c
@@ -43,7 +43,8 @@
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
 int op,
-mp_limb_t *r, const mp_limb_t *p,
+mp_limb_t *x, mp_limb_t *y,
+const mp_limb_t *p,
 mp_limb_t *scratch)
 {
 #define izp scratch
@@ -60,8 +61,8 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
   ecc->p.invert (>p, izp, zp, tp + ecc->p.size);
 
   ecc_modp_mul (ecc, tp, xp, izp);
-  cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
-  cnd_copy (cy, r, tp, ecc->p.size);
+  cy = mpn_sub_n (x, tp, ecc->p.m, ecc->p.size);
+  cnd_copy (cy, x, tp, ecc->p.size);
 
   if (op)
 {
@@ -75,14 +76,14 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
  unsigned shift;
  assert (ecc->p.bit_size == 255);
  shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1);
- cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size,
-r[ecc->p.size-1] >> shift);
+ cy = mpn_submul_1 (x, ecc->q.m, ecc->p.size,
+x[ecc->p.size-1] >> shift);
  assert (cy < 2);
- cnd_add_n (cy, r, ecc->q.m, ecc->p.size);
+ cnd_add_n (cy, x, ecc->q.m, 

[PATCH v2 1/3] ecc: rename source files with curves data

2019-12-18 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

In preparation for adding GOST curve support, rename the source files and
use the curve name as the eccdata parameter.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore| 14 ++---
 Makefile.in   | 54 -
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  4 +-
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  4 +-
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  4 +-
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  4 +-
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  4 +-
 configure.ac  |  6 +-
 ecc-25519.c => ecc-curve25519.c   |  4 +-
 ecc-448.c => ecc-curve448.c   |  4 +-
 ecc-192.c => ecc-secp192r1.c  |  4 +-
 ecc-224.c => ecc-secp224r1.c  |  4 +-
 ecc-256.c => ecc-secp256r1.c  |  4 +-
 ecc-384.c => ecc-secp384r1.c  |  4 +-
 ecc-521.c => ecc-secp521r1.c  |  4 +-
 eccdata.c | 58 +++
 ...25519-modp.asm => ecc-curve25519-modp.asm} |  0
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  4 +-
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  4 +-
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  4 +-
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  4 +-
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  4 +-
 22 files changed, 105 insertions(+), 95 deletions(-)
 rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (97%)
 rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%)
 rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (98%)
 rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%)
 rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%)
 rename ecc-25519.c => ecc-curve25519.c (99%)
 rename ecc-448.c => ecc-curve448.c (99%)
 rename ecc-192.c => ecc-secp192r1.c (98%)
 rename ecc-224.c => ecc-secp224r1.c (98%)
 rename ecc-256.c => ecc-secp256r1.c (99%)
 rename ecc-384.c => ecc-secp384r1.c (99%)
 rename ecc-521.c => ecc-secp521r1.c (98%)
 rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%)
 rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (96%)
 rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%)
 rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (97%)
 rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%)
 rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%)

diff --git a/.gitignore b/.gitignore
index 0afe61de3826..ea264107fa40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,13 +43,13 @@ core
 /keymap.h
 /parity.h
 /rotors.h
-/ecc-192.h
-/ecc-224.h
-/ecc-256.h
-/ecc-384.h
-/ecc-521.h
-/ecc-25519.h
-/ecc-448.h
+/ecc-curve25519.h
+/ecc-curve448.h
+/ecc-secp192r1.h
+/ecc-secp224r1.h
+/ecc-secp256r1.h
+/ecc-secp384r1.h
+/ecc-secp521r1.h
 /version.h
 /nettle.aux
 /nettle.cp
diff --git a/Makefile.in b/Makefile.in
index 8d06149ff5fb..28b7cfcebcdb 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -174,8 +174,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  gmp-glue.c cnd-copy.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
- ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \
- ecc-25519.c ecc-448.c \
+ ecc-curve25519.c ecc-curve448.c \
+ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
+ ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
  ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \
  ecc-eh-to-a.c \
@@ -346,24 +347,24 @@ des.$(OBJEXT): des.c des.h $(des_headers)
 # k = 14, c =  7, S = 256, T =  42 ( 28 A + 14 D) 12 KB
 # k = 11, c =  6, S = 192, T =  44 ( 33 A + 11 D)  9 KB
 # k = 16, c =  6, S = 128, T =  48 ( 32 A + 16 D)  6 KB
-ecc-192.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp192r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
 # Some reasonable choices for 224:
 # k = 16, c =  7, S = 256, T =  48 ( 32 A + 16 D) ~16 KB
 # k = 10, c =  6, S = 256, T =  50 ( 40 A + 10 D) ~16 KB
 # k = 13, c =  6, S = 192, T =  52 ( 39 A + 13 D) ~12 KB
 # k =  9, c =  5, S = 160, T =  54 ( 45 A +  9 D) ~10 KB
-ecc-224.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp224r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv 
$@T $@
 
 # Some reasonable choices for 256:
 # k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
 # k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
 # k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
 # k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
-ecc-256.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@

[PATCH v2 2/3] ecc: prefix optimized ECC function names with underscore

2019-12-18 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

There is no need to keep the optimized ECC functions in the public namespace
(nettle_*); move them to the internal namespace (_nettle_*).

Signed-off-by: Dmitry Eremin-Solenikov 
---
 arm/ecc-secp192r1-modp.asm | 4 ++--
 arm/ecc-secp224r1-modp.asm | 4 ++--
 arm/ecc-secp256r1-redc.asm | 4 ++--
 arm/ecc-secp384r1-modp.asm | 4 ++--
 arm/ecc-secp521r1-modp.asm | 4 ++--
 ecc-curve25519.c   | 2 +-
 ecc-curve448.c | 2 +-
 ecc-secp192r1.c| 2 +-
 ecc-secp224r1.c| 2 +-
 ecc-secp256r1.c| 2 +-
 ecc-secp384r1.c| 2 +-
 ecc-secp521r1.c| 2 +-
 x86_64/ecc-curve25519-modp.asm | 4 ++--
 x86_64/ecc-curve448-modp.asm   | 4 ++--
 x86_64/ecc-secp192r1-modp.asm  | 4 ++--
 x86_64/ecc-secp224r1-modp.asm  | 4 ++--
 x86_64/ecc-secp256r1-redc.asm  | 4 ++--
 x86_64/ecc-secp384r1-modp.asm  | 4 ++--
 x86_64/ecc-secp521r1-modp.asm  | 4 ++--
 19 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm
index dbaae2e38922..4680336f1bc7 100644
--- a/arm/ecc-secp192r1-modp.asm
+++ b/arm/ecc-secp192r1-modp.asm
@@ -53,7 +53,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_192_modp)
+PROLOGUE(_nettle_ecc_192_modp)
push{r4,r5,r6,r7,r8,r10}
C Reduce two words at a time
add HP, RP, #48
@@ -103,4 +103,4 @@ PROLOGUE(nettle_ecc_192_modp)
 
pop {r4,r5,r6,r7,r8,r10}
bx  lr
-EPILOGUE(nettle_ecc_192_modp)
+EPILOGUE(_nettle_ecc_192_modp)
diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm
index 2c86755a7c9a..400b7a815c2c 100644
--- a/arm/ecc-secp224r1-modp.asm
+++ b/arm/ecc-secp224r1-modp.asm
@@ -52,7 +52,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_224_modp)
+PROLOGUE(_nettle_ecc_224_modp)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
add L2, RP, #28
@@ -121,4 +121,4 @@ PROLOGUE(nettle_ecc_224_modp)
stmdb   RP, {T0,T1,T2,T3,T4,T5,T6}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(nettle_ecc_224_modp)
+EPILOGUE(_nettle_ecc_224_modp)
diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm
index 9c20062a44e4..7b117de43fbc 100644
--- a/arm/ecc-secp256r1-redc.asm
+++ b/arm/ecc-secp256r1-redc.asm
@@ -52,7 +52,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_256_redc)
+PROLOGUE(_nettle_ecc_256_redc)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7}
@@ -170,4 +170,4 @@ PROLOGUE(nettle_ecc_256_redc)
stm RP, {T0,T1,T2,T3,T4,T5,T6,T7}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(nettle_ecc_256_redc)
+EPILOGUE(_nettle_ecc_256_redc)
diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm
index dbedbdf8d32e..dd9a325b09de 100644
--- a/arm/ecc-secp384r1-modp.asm
+++ b/arm/ecc-secp384r1-modp.asm
@@ -50,7 +50,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_384_modp)
+PROLOGUE(_nettle_ecc_384_modp)
push{r4,r5,r6,r7,r8,r10,lr}
 
add RP, RP, #80
@@ -267,4 +267,4 @@ PROLOGUE(nettle_ecc_384_modp)
adcsT3, T3, H
stm RP!, {T0,T1,T2,T3}  C 8-11
pop {r4,r5,r6,r7,r8,r10,pc}
-EPILOGUE(nettle_ecc_384_modp)
+EPILOGUE(_nettle_ecc_384_modp)
diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm
index 2b4f79192a2e..f11967634689 100644
--- a/arm/ecc-secp521r1-modp.asm
+++ b/arm/ecc-secp521r1-modp.asm
@@ -52,7 +52,7 @@ define(, )
 
.align 2
 
-PROLOGUE(nettle_ecc_521_modp)
+PROLOGUE(_nettle_ecc_521_modp)
push{r4,r5,r6,r7,r8,lr}
 
C Use that B^17 = 2^23 (mod p)
@@ -124,4 +124,4 @@ PROLOGUE(nettle_ecc_521_modp)
stm RP, {T0,T1,T2,F0,F1,F2,F3,H}C 9-16
 
pop {r4,r5,r6,r7,r8,pc}
-EPILOGUE(nettle_ecc_521_modp)
+EPILOGUE(_nettle_ecc_521_modp)
diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index e6a1b325be66..1045db7092ae 100644
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -48,7 +48,7 @@
 
 #if HAVE_NATIVE_ecc_25519_modp
 
-#define ecc_25519_modp nettle_ecc_25519_modp
+#define ecc_25519_modp _nettle_ecc_25519_modp
 void
 ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp);
 #else
diff --git a/ecc-curve448.c b/ecc-curve448.c
index fce8b1ac0382..e1318ca4f01d 100644
--- a/ecc-curve448.c
+++ b/ecc-curve448.c
@@ -46,7 +46,7 @@
 #include "ecc-curve448.h"
 
 #if HAVE_NATIVE_ecc_curve448_modp
-#define ecc_448_modp nettle_ecc_curve448_modp
+#define ecc_448_modp _nettle_ecc_curve448_modp
 void
 ecc_448_modp (const struct ecc_modulo *m, mp_limb_t *rp);
 #elif GMP_NUMB_BITS == 64
diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c
index 858a1b7554ce..15f5f1fa4c04 100644
--- a/ecc-secp192r1.c
+++ b/ecc-secp192r1.c
@@ -50,7 +50,7 @@
 
 #if HAVE_NATIVE_ecc_192_modp
 
-#define ecc_192_modp nettle_ecc_192_modp
+#define ecc_192_modp _nettle_ecc_192_modp
 void
 ecc_192_modp (const struct 

[PATCH v2 3/3] ecc: rename functions to contain curve names instead of bits

2019-12-18 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Rename the curve functions to use curve names instead of just bit sizes.
Otherwise the function names can easily become confusing once other
curves are added.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 arm/ecc-secp192r1-modp.asm |  6 +++---
 arm/ecc-secp224r1-modp.asm |  6 +++---
 arm/ecc-secp256r1-redc.asm |  6 +++---
 arm/ecc-secp384r1-modp.asm |  6 +++---
 arm/ecc-secp521r1-modp.asm |  6 +++---
 configure.ac   | 22 +++---
 ecc-curve25519.c   | 34 +-
 ecc-curve448.c | 24 
 ecc-secp192r1.c| 16 
 ecc-secp224r1.c| 16 
 ecc-secp256r1.c| 32 
 ecc-secp384r1.c| 16 
 ecc-secp521r1.c| 12 ++--
 eddsa-sign.c   |  2 +-
 x86_64/ecc-curve25519-modp.asm |  4 ++--
 x86_64/ecc-secp192r1-modp.asm  |  6 +++---
 x86_64/ecc-secp224r1-modp.asm  |  6 +++---
 x86_64/ecc-secp256r1-redc.asm  |  4 ++--
 x86_64/ecc-secp384r1-modp.asm  |  4 ++--
 x86_64/ecc-secp521r1-modp.asm  |  4 ++--
 20 files changed, 116 insertions(+), 116 deletions(-)

diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm
index 4680336f1bc7..4c596a168b3d 100644
--- a/arm/ecc-secp192r1-modp.asm
+++ b/arm/ecc-secp192r1-modp.asm
@@ -49,11 +49,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_192_modp)
+PROLOGUE(_nettle_ecc_secp192r1_modp)
push{r4,r5,r6,r7,r8,r10}
C Reduce two words at a time
add HP, RP, #48
@@ -103,4 +103,4 @@ PROLOGUE(_nettle_ecc_192_modp)
 
pop {r4,r5,r6,r7,r8,r10}
bx  lr
-EPILOGUE(_nettle_ecc_192_modp)
+EPILOGUE(_nettle_ecc_secp192r1_modp)
diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm
index 400b7a815c2c..67089a0c2981 100644
--- a/arm/ecc-secp224r1-modp.asm
+++ b/arm/ecc-secp224r1-modp.asm
@@ -48,11 +48,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_224_modp)
+PROLOGUE(_nettle_ecc_secp224r1_modp)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
add L2, RP, #28
@@ -121,4 +121,4 @@ PROLOGUE(_nettle_ecc_224_modp)
stmdb   RP, {T0,T1,T2,T3,T4,T5,T6}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(_nettle_ecc_224_modp)
+EPILOGUE(_nettle_ecc_secp224r1_modp)
diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm
index 7b117de43fbc..f8386c39c9a6 100644
--- a/arm/ecc-secp256r1-redc.asm
+++ b/arm/ecc-secp256r1-redc.asm
@@ -48,11 +48,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_256_redc)
+PROLOGUE(_nettle_ecc_secp256r1_redc)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7}
@@ -170,4 +170,4 @@ PROLOGUE(_nettle_ecc_256_redc)
stm RP, {T0,T1,T2,T3,T4,T5,T6,T7}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(_nettle_ecc_256_redc)
+EPILOGUE(_nettle_ecc_secp256r1_redc)
diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm
index dd9a325b09de..1983ee68cdd4 100644
--- a/arm/ecc-secp384r1-modp.asm
+++ b/arm/ecc-secp384r1-modp.asm
@@ -46,11 +46,11 @@ define(, )
 define(, )
 define(, )

-   C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_384_modp)
+PROLOGUE(_nettle_ecc_secp384r1_modp)
push{r4,r5,r6,r7,r8,r10,lr}
 
add RP, RP, #80
@@ -267,4 +267,4 @@ PROLOGUE(_nettle_ecc_384_modp)
adcsT3, T3, H
stm RP!, {T0,T1,T2,T3}  C 8-11
pop {r4,r5,r6,r7,r8,r10,pc}
-EPILOGUE(_nettle_ecc_384_modp)
+EPILOGUE(_nettle_ecc_secp384r1_modp)
diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm
index f11967634689..6d1759ec8a2a 100644
--- a/arm/ecc-secp521r1-modp.asm
+++ b/arm/ecc-secp521r1-modp.asm
@@ -45,14 +45,14 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
 .Lc511:
.int 511
 
.align 2
 
-PROLOGUE(_nettle_ecc_521_modp)
+PROLOGUE(_nettle_ecc_secp521r1_modp)
push{r4,r5,r6,r7,r8,lr}
 
C Use that B^17 = 2^23 (mod p)
@@ -124,4 +124,4 @@ PROLOGUE(_nettle_ecc_521_modp)
stm 

[PATCH 3/3] ecc: rename functions to contain curve names instead of bits

2019-12-18 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Rename the curve functions to use curve names instead of just bit sizes.
Otherwise the function names can easily become confusing once other
curves are added.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 arm/ecc-secp192r1-modp.asm |  6 +++---
 arm/ecc-secp224r1-modp.asm |  6 +++---
 arm/ecc-secp256r1-redc.asm |  6 +++---
 arm/ecc-secp384r1-modp.asm |  6 +++---
 arm/ecc-secp521r1-modp.asm |  6 +++---
 configure.ac   | 22 +++---
 ecc-curve25519.c   | 34 +-
 ecc-curve448.c | 24 
 ecc-secp192r1.c| 16 
 ecc-secp224r1.c| 16 
 ecc-secp256r1.c| 32 
 ecc-secp384r1.c| 16 
 ecc-secp521r1.c| 12 ++--
 eddsa-sign.c   |  2 +-
 x86_64/ecc-curve25519-modp.asm |  4 ++--
 x86_64/ecc-secp192r1-modp.asm  |  6 +++---
 x86_64/ecc-secp224r1-modp.asm  |  6 +++---
 x86_64/ecc-secp256r1-redc.asm  |  4 ++--
 x86_64/ecc-secp384r1-modp.asm  |  4 ++--
 x86_64/ecc-secp521r1-modp.asm  |  4 ++--
 20 files changed, 116 insertions(+), 116 deletions(-)

diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm
index 4680336f1bc7..4c596a168b3d 100644
--- a/arm/ecc-secp192r1-modp.asm
+++ b/arm/ecc-secp192r1-modp.asm
@@ -49,11 +49,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_192_modp)
+PROLOGUE(_nettle_ecc_secp192r1_modp)
push{r4,r5,r6,r7,r8,r10}
C Reduce two words at a time
add HP, RP, #48
@@ -103,4 +103,4 @@ PROLOGUE(_nettle_ecc_192_modp)
 
pop {r4,r5,r6,r7,r8,r10}
bx  lr
-EPILOGUE(_nettle_ecc_192_modp)
+EPILOGUE(_nettle_ecc_secp192r1_modp)
diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm
index 400b7a815c2c..67089a0c2981 100644
--- a/arm/ecc-secp224r1-modp.asm
+++ b/arm/ecc-secp224r1-modp.asm
@@ -48,11 +48,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_224_modp)
+PROLOGUE(_nettle_ecc_secp224r1_modp)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
add L2, RP, #28
@@ -121,4 +121,4 @@ PROLOGUE(_nettle_ecc_224_modp)
stmdb   RP, {T0,T1,T2,T3,T4,T5,T6}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(_nettle_ecc_224_modp)
+EPILOGUE(_nettle_ecc_secp224r1_modp)
diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm
index 7b117de43fbc..f8386c39c9a6 100644
--- a/arm/ecc-secp256r1-redc.asm
+++ b/arm/ecc-secp256r1-redc.asm
@@ -48,11 +48,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_256_redc)
+PROLOGUE(_nettle_ecc_secp256r1_redc)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7}
@@ -170,4 +170,4 @@ PROLOGUE(_nettle_ecc_256_redc)
stm RP, {T0,T1,T2,T3,T4,T5,T6,T7}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(_nettle_ecc_256_redc)
+EPILOGUE(_nettle_ecc_secp256r1_redc)
diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm
index dd9a325b09de..1983ee68cdd4 100644
--- a/arm/ecc-secp384r1-modp.asm
+++ b/arm/ecc-secp384r1-modp.asm
@@ -46,11 +46,11 @@ define(, )
 define(, )
 define(, )

-   C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_384_modp)
+PROLOGUE(_nettle_ecc_secp384r1_modp)
push{r4,r5,r6,r7,r8,r10,lr}
 
add RP, RP, #80
@@ -267,4 +267,4 @@ PROLOGUE(_nettle_ecc_384_modp)
adcsT3, T3, H
stm RP!, {T0,T1,T2,T3}  C 8-11
pop {r4,r5,r6,r7,r8,r10,pc}
-EPILOGUE(_nettle_ecc_384_modp)
+EPILOGUE(_nettle_ecc_secp384r1_modp)
diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm
index f11967634689..6d1759ec8a2a 100644
--- a/arm/ecc-secp521r1-modp.asm
+++ b/arm/ecc-secp521r1-modp.asm
@@ -45,14 +45,14 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
 .Lc511:
.int 511
 
.align 2
 
-PROLOGUE(_nettle_ecc_521_modp)
+PROLOGUE(_nettle_ecc_secp521r1_modp)
push{r4,r5,r6,r7,r8,lr}
 
C Use that B^17 = 2^23 (mod p)
@@ -124,4 +124,4 @@ PROLOGUE(_nettle_ecc_521_modp)
stm 

[PATCH 1/3] ecc: rename source files with curves data

2019-12-18 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

In preparation for adding GOST curve support, rename the source files and
use the curve name as the eccdata parameter.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore| 14 ++---
 Makefile.in   | 54 -
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  4 +-
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  4 +-
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  4 +-
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  4 +-
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  4 +-
 configure.ac  |  6 +-
 ecc-25519.c => ecc-curve25519.c   |  4 +-
 ecc-448.c => ecc-curve448.c   |  4 +-
 ecc-192.c => ecc-secp192r1.c  |  4 +-
 ecc-224.c => ecc-secp224r1.c  |  4 +-
 ecc-256.c => ecc-secp256r1.c  |  4 +-
 ecc-384.c => ecc-secp384r1.c  |  4 +-
 ecc-521.c => ecc-secp521r1.c  |  4 +-
 eccdata.c | 58 +++
 ...25519-modp.asm => ecc-curve25519-modp.asm} |  0
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  4 +-
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  4 +-
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  4 +-
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  4 +-
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  4 +-
 22 files changed, 105 insertions(+), 95 deletions(-)
 rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (97%)
 rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%)
 rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (98%)
 rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%)
 rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%)
 rename ecc-25519.c => ecc-curve25519.c (99%)
 rename ecc-448.c => ecc-curve448.c (99%)
 rename ecc-192.c => ecc-secp192r1.c (98%)
 rename ecc-224.c => ecc-secp224r1.c (98%)
 rename ecc-256.c => ecc-secp256r1.c (99%)
 rename ecc-384.c => ecc-secp384r1.c (99%)
 rename ecc-521.c => ecc-secp521r1.c (98%)
 rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%)
 rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (96%)
 rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%)
 rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (97%)
 rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%)
 rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%)

diff --git a/.gitignore b/.gitignore
index 0afe61de3826..ea264107fa40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,13 +43,13 @@ core
 /keymap.h
 /parity.h
 /rotors.h
-/ecc-192.h
-/ecc-224.h
-/ecc-256.h
-/ecc-384.h
-/ecc-521.h
-/ecc-25519.h
-/ecc-448.h
+/ecc-curve25519.h
+/ecc-curve448.h
+/ecc-secp192r1.h
+/ecc-secp224r1.h
+/ecc-secp256r1.h
+/ecc-secp384r1.h
+/ecc-secp521r1.h
 /version.h
 /nettle.aux
 /nettle.cp
diff --git a/Makefile.in b/Makefile.in
index 8d06149ff5fb..28b7cfcebcdb 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -174,8 +174,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  gmp-glue.c cnd-copy.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
- ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \
- ecc-25519.c ecc-448.c \
+ ecc-curve25519.c ecc-curve448.c \
+ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
+ ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
  ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \
  ecc-eh-to-a.c \
@@ -346,24 +347,24 @@ des.$(OBJEXT): des.c des.h $(des_headers)
 # k = 14, c =  7, S = 256, T =  42 ( 28 A + 14 D) 12 KB
 # k = 11, c =  6, S = 192, T =  44 ( 33 A + 11 D)  9 KB
 # k = 16, c =  6, S = 128, T =  48 ( 32 A + 16 D)  6 KB
-ecc-192.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp192r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
 # Some reasonable choices for 224:
 # k = 16, c =  7, S = 256, T =  48 ( 32 A + 16 D) ~16 KB
 # k = 10, c =  6, S = 256, T =  50 ( 40 A + 10 D) ~16 KB
 # k = 13, c =  6, S = 192, T =  52 ( 39 A + 13 D) ~12 KB
 # k =  9, c =  5, S = 160, T =  54 ( 45 A +  9 D) ~10 KB
-ecc-224.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp224r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv 
$@T $@
 
 # Some reasonable choices for 256:
 # k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
 # k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
 # k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
 # k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
-ecc-256.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@

[PATCH 2/3] ecc: prefix optimized ECC function names with underscore

2019-12-18 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

There is no need to keep the optimized ECC functions in the public namespace
(nettle_*); move them to the internal namespace (_nettle_*).

Signed-off-by: Dmitry Eremin-Solenikov 
---
 arm/ecc-secp192r1-modp.asm | 4 ++--
 arm/ecc-secp224r1-modp.asm | 4 ++--
 arm/ecc-secp256r1-redc.asm | 4 ++--
 arm/ecc-secp384r1-modp.asm | 4 ++--
 arm/ecc-secp521r1-modp.asm | 4 ++--
 ecc-curve25519.c   | 2 +-
 ecc-curve448.c | 2 +-
 ecc-secp192r1.c| 2 +-
 ecc-secp224r1.c| 2 +-
 ecc-secp256r1.c| 2 +-
 ecc-secp384r1.c| 2 +-
 ecc-secp521r1.c| 2 +-
 x86_64/ecc-curve25519-modp.asm | 4 ++--
 x86_64/ecc-curve448-modp.asm   | 4 ++--
 x86_64/ecc-secp192r1-modp.asm  | 4 ++--
 x86_64/ecc-secp224r1-modp.asm  | 4 ++--
 x86_64/ecc-secp256r1-redc.asm  | 4 ++--
 x86_64/ecc-secp384r1-modp.asm  | 4 ++--
 x86_64/ecc-secp521r1-modp.asm  | 4 ++--
 19 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm
index dbaae2e38922..4680336f1bc7 100644
--- a/arm/ecc-secp192r1-modp.asm
+++ b/arm/ecc-secp192r1-modp.asm
@@ -53,7 +53,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_192_modp)
+PROLOGUE(_nettle_ecc_192_modp)
push{r4,r5,r6,r7,r8,r10}
C Reduce two words at a time
add HP, RP, #48
@@ -103,4 +103,4 @@ PROLOGUE(nettle_ecc_192_modp)
 
pop {r4,r5,r6,r7,r8,r10}
bx  lr
-EPILOGUE(nettle_ecc_192_modp)
+EPILOGUE(_nettle_ecc_192_modp)
diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm
index 2c86755a7c9a..400b7a815c2c 100644
--- a/arm/ecc-secp224r1-modp.asm
+++ b/arm/ecc-secp224r1-modp.asm
@@ -52,7 +52,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_224_modp)
+PROLOGUE(_nettle_ecc_224_modp)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
add L2, RP, #28
@@ -121,4 +121,4 @@ PROLOGUE(nettle_ecc_224_modp)
stmdb   RP, {T0,T1,T2,T3,T4,T5,T6}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(nettle_ecc_224_modp)
+EPILOGUE(_nettle_ecc_224_modp)
diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm
index 9c20062a44e4..7b117de43fbc 100644
--- a/arm/ecc-secp256r1-redc.asm
+++ b/arm/ecc-secp256r1-redc.asm
@@ -52,7 +52,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_256_redc)
+PROLOGUE(_nettle_ecc_256_redc)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7}
@@ -170,4 +170,4 @@ PROLOGUE(nettle_ecc_256_redc)
stm RP, {T0,T1,T2,T3,T4,T5,T6,T7}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(nettle_ecc_256_redc)
+EPILOGUE(_nettle_ecc_256_redc)
diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm
index dbedbdf8d32e..dd9a325b09de 100644
--- a/arm/ecc-secp384r1-modp.asm
+++ b/arm/ecc-secp384r1-modp.asm
@@ -50,7 +50,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_384_modp)
+PROLOGUE(_nettle_ecc_384_modp)
push{r4,r5,r6,r7,r8,r10,lr}
 
add RP, RP, #80
@@ -267,4 +267,4 @@ PROLOGUE(nettle_ecc_384_modp)
adcsT3, T3, H
stm RP!, {T0,T1,T2,T3}  C 8-11
pop {r4,r5,r6,r7,r8,r10,pc}
-EPILOGUE(nettle_ecc_384_modp)
+EPILOGUE(_nettle_ecc_384_modp)
diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm
index 2b4f79192a2e..f11967634689 100644
--- a/arm/ecc-secp521r1-modp.asm
+++ b/arm/ecc-secp521r1-modp.asm
@@ -52,7 +52,7 @@ define(, )
 
.align 2
 
-PROLOGUE(nettle_ecc_521_modp)
+PROLOGUE(_nettle_ecc_521_modp)
push{r4,r5,r6,r7,r8,lr}
 
C Use that B^17 = 2^23 (mod p)
@@ -124,4 +124,4 @@ PROLOGUE(nettle_ecc_521_modp)
stm RP, {T0,T1,T2,F0,F1,F2,F3,H}C 9-16
 
pop {r4,r5,r6,r7,r8,pc}
-EPILOGUE(nettle_ecc_521_modp)
+EPILOGUE(_nettle_ecc_521_modp)
diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index e6a1b325be66..1045db7092ae 100644
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -48,7 +48,7 @@
 
 #if HAVE_NATIVE_ecc_25519_modp
 
-#define ecc_25519_modp nettle_ecc_25519_modp
+#define ecc_25519_modp _nettle_ecc_25519_modp
 void
 ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp);
 #else
diff --git a/ecc-curve448.c b/ecc-curve448.c
index fce8b1ac0382..e1318ca4f01d 100644
--- a/ecc-curve448.c
+++ b/ecc-curve448.c
@@ -46,7 +46,7 @@
 #include "ecc-curve448.h"
 
 #if HAVE_NATIVE_ecc_curve448_modp
-#define ecc_448_modp nettle_ecc_curve448_modp
+#define ecc_448_modp _nettle_ecc_curve448_modp
 void
 ecc_448_modp (const struct ecc_modulo *m, mp_limb_t *rp);
 #elif GMP_NUMB_BITS == 64
diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c
index 858a1b7554ce..15f5f1fa4c04 100644
--- a/ecc-secp192r1.c
+++ b/ecc-secp192r1.c
@@ -50,7 +50,7 @@
 
 #if HAVE_NATIVE_ecc_192_modp
 
-#define ecc_192_modp nettle_ecc_192_modp
+#define ecc_192_modp _nettle_ecc_192_modp
 void
 ecc_192_modp (const struct 

[PATCH 1/2] Change ecc_mod_*mul_1 to be per-module callbacks

2020-01-27 Thread dbaryshkov
From: Dmitry Baryshkov 

GOST curves will require different "fixups" for fast (mul X mod p)
operations. Move these operations to ecc_modulo structure and call them
via function pointer.

Signed-off-by: Dmitry Baryshkov 
---
 ecc-curve25519.c  |  8 
 ecc-curve448.c|  8 
 ecc-gost-gc256b.c |  8 
 ecc-gost-gc512a.c |  8 
 ecc-internal.h| 32 
 ecc-mod-arith.c   | 12 ++--
 ecc-mul-m.c   |  6 +++---
 ecc-secp192r1.c   |  8 
 ecc-secp224r1.c   |  8 
 ecc-secp256r1.c   |  8 
 ecc-secp384r1.c   |  8 
 ecc-secp521r1.c   |  8 
 12 files changed, 101 insertions(+), 21 deletions(-)

diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index 0ad3017c9ebc..4ee80c8d4463 100644
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -310,6 +310,10 @@ const struct ecc_curve _nettle_curve25519 =
 ecc_curve25519_modp,
 ecc_curve25519_inv,
 ecc_curve25519_sqrt,
+
+ecc_mod_mul_1_std,
+ecc_mod_addmul_1_std,
+ecc_mod_submul_1_std,
   },
   {
 253,
@@ -329,6 +333,10 @@ const struct ecc_curve _nettle_curve25519 =
 ecc_curve25519_modq,
 ecc_mod_inv,
 NULL,
+
+NULL,
+NULL,
+NULL,
   },
 
   0, /* No redc */
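Review bot: The three NULL entries added for the scalar modulo (q) in this hunk mean that any caller dispatching through `m->mul_1`, `m->addmul_1` or `m->submul_1` with the q modulo dereferences a null function pointer, and nothing in the hunk guards against that; the dispatch sites in ecc-mod-arith.c and ecc-mul-m.c are in the diffstat but not visible here, so whether a q-side call exists cannot be confirmed from this page. The same NULL triplet is added in the ecc-curve448.c, ecc-gost-gc256b.c and ecc-gost-gc512a.c hunks of this patch. I would make the contract explicit on the first NULL, `NULL, /* mul_1, addmul_1, submul_1: not provided for q; only the p modulo may use them */`. Since `struct ecc_modulo` is initialized positionally, the new members rely entirely on field order; designated initializers (`.mul_1 = ecc_mod_mul_1_std,`) would turn a misordered entry into a compile error instead of a silently swapped callback. The enclosing initializer of `_nettle_curve25519` starts outside the hunk.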
diff --git a/ecc-curve448.c b/ecc-curve448.c
index c31a0eb26ba4..71634b855af8 100644
--- a/ecc-curve448.c
+++ b/ecc-curve448.c
@@ -288,6 +288,10 @@ const struct ecc_curve _nettle_curve448 =
 ecc_curve448_modp,
 ecc_curve448_inv,
 ecc_curve448_sqrt,
+
+ecc_mod_mul_1_std,
+ecc_mod_addmul_1_std,
+ecc_mod_submul_1_std,
   },
   {
 446,
@@ -307,6 +311,10 @@ const struct ecc_curve _nettle_curve448 =
 ecc_mod, /* FIXME: Implement optimized reduce function */
 ecc_mod_inv,
 NULL,
+
+NULL,
+NULL,
+NULL,
   },
 
   0, /* No redc */
diff --git a/ecc-gost-gc256b.c b/ecc-gost-gc256b.c
index 8adc8e1763b9..acf3b56c8955 100644
--- a/ecc-gost-gc256b.c
+++ b/ecc-gost-gc256b.c
@@ -77,6 +77,10 @@ const struct ecc_curve _nettle_gost_gc256b =
 ecc_gost_gc256b_modp,
 ecc_mod_inv,
 NULL,
+
+ecc_mod_mul_1_std,
+ecc_mod_addmul_1_std,
+ecc_mod_submul_1_std,
   },
   {
 256,
@@ -96,6 +100,10 @@ const struct ecc_curve _nettle_gost_gc256b =
 ecc_gost_gc256b_modq,
 ecc_mod_inv,
 NULL,
+
+NULL,
+NULL,
+NULL,
   },
 
   USE_REDC,
diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c
index 6d210925b609..79d084f38d33 100644
--- a/ecc-gost-gc512a.c
+++ b/ecc-gost-gc512a.c
@@ -77,6 +77,10 @@ const struct ecc_curve _nettle_gost_gc512a =
 ecc_gost_gc512a_modp,
 ecc_mod_inv,
 NULL,
+
+ecc_mod_mul_1_std,
+ecc_mod_addmul_1_std,
+ecc_mod_submul_1_std,
   },
   {
 512,
@@ -96,6 +100,10 @@ const struct ecc_curve _nettle_gost_gc512a =
 ecc_gost_gc512a_modq,
 ecc_mod_inv,
 NULL,
+
+NULL,
+NULL,
+NULL,
   },
 
   USE_REDC,
diff --git a/ecc-internal.h b/ecc-internal.h
index 0022e0ab6cc2..ddeb6d3cb1f3 100644
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -44,9 +44,9 @@
 #define ecc_pm1_redc _nettle_ecc_pm1_redc
 #define ecc_mod_add _nettle_ecc_mod_add
 #define ecc_mod_sub _nettle_ecc_mod_sub
-#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1
-#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1
-#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
+#define ecc_mod_mul_1_std _nettle_ecc_mod_mul_1_std
+#define ecc_mod_addmul_1_std _nettle_ecc_mod_addmul_1_std
+#define ecc_mod_submul_1_std _nettle_ecc_mod_submul_1_std
 #define ecc_mod_mul _nettle_ecc_mod_mul
 #define ecc_mod_sqr _nettle_ecc_mod_sqr
 #define ecc_mod_random _nettle_ecc_mod_random
@@ -146,6 +146,10 @@ typedef void ecc_h_to_a_func (const struct ecc_curve *ecc,
  mp_limb_t *r, const mp_limb_t *p,
  mp_limb_t *scratch);
 
+typedef void ecc_mod_mul_1_func (const struct ecc_modulo *m,
+mp_limb_t *rp,
+const mp_limb_t *ap, mp_limb_t b);
+
 struct ecc_modulo
 {
   unsigned short bit_size;
@@ -170,6 +174,10 @@ struct ecc_modulo
   ecc_mod_func *reduce;
   ecc_mod_inv_func *invert;
   ecc_mod_sqrt_func *sqrt;
+
+  ecc_mod_mul_1_func *mul_1;
+  ecc_mod_mul_1_func *addmul_1;
+  ecc_mod_mul_1_func *submul_1;
 };
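Review bot: The three new `ecc_mod_mul_1_func *` members of `struct ecc_modulo` are added without any comment, so a reader of this header cannot tell what they compute or that they may legitimately be NULL, which the curve files in this patch do for the order q. I would add above `ecc_mod_mul_1_func *mul_1;` a comment such as `/* r = a*b, r += a*b, r -= a*b (mod m) for a single-limb b; NULL where a modulo never uses them. */`. Separately, the typedef added in the previous hunk declares the last parameter as `mp_limb_t b` while the `ecc_mod_mul_1_std` prototype keeps `const mp_limb_t b`; the types are compatible, but aligning them avoids the question. `struct ecc_modulo` starts before this hunk.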
 
 /* Represents an elliptic curve of the form
@@ -240,15 +248,15 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp,
 const mp_limb_t *ap, const mp_limb_t *bp);
 
 void
-ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
-  const mp_limb_t *ap, const mp_limb_t b);
+ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp,
+  const mp_limb_t *ap, const mp_limb_t b);
 
 void
-ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
- const mp_limb_t *ap, mp_limb_t b);
+ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, mp_limb_t b);
 void
-ecc_mod_submul_1 (const 

[PATCH 2/2] Add support for GOST GC256C curve

2020-01-27 Thread dbaryshkov
From: Dmitry Baryshkov 

Add support for GC256C curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
GostR3410-2001-CryptoPro-B (RFC 4357).

Signed-off-by: Dmitry Baryshkov 
---
 .gitignore  |   1 +
 Makefile.in |  10 +-
 ecc-curve.h |   1 +
 ecc-gost-gc256c.c   | 191 
 ecc-internal.h  |   1 +
 eccdata.c   |  32 ++
 examples/ecc-benchmark.c|   1 +
 nettle.texinfo  |   8 ++
 testsuite/gostdsa-sign-test.c   |  11 ++
 testsuite/gostdsa-verify-test.c |  11 ++
 testsuite/testutils.c   |  12 +-
 11 files changed, 275 insertions(+), 4 deletions(-)
 create mode 100644 ecc-gost-gc256c.c

diff --git a/.gitignore b/.gitignore
index 48e2b7f464da..a94d279e5d18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ core
 /ecc-curve25519.h
 /ecc-curve448.h
 /ecc-gost-gc256b.h
+/ecc-gost-gc256c.h
 /ecc-gost-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
diff --git a/Makefile.in b/Makefile.in
index f876e5e82197..9400a357fe81 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,7 +176,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
- ecc-gost-gc256b.c ecc-gost-gc512a.c \
+ ecc-gost-gc256b.c ecc-gost-gc256c.c \
+ ecc-gost-gc512a.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -387,6 +388,9 @@ ecc-curve448.h: eccdata.stamp
 ecc-gost-gc256b.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv 
$@T $@
 
+ecc-gost-gc256c.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256c 11 6 $(NUMB_BITS) > $@T && mv 
$@T $@
+
 # Some reasonable choices for 512:
 # k = 22, c =  6, S = 256, T = 110 ( 88 A + 22 D) 32 KB
 # k = 29, c =  6, S = 192, T = 116 ( 87 A + 29 D) 24 KB
@@ -403,6 +407,7 @@ eccdata.stamp: eccdata.c
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
 ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h
+ecc-gost-gc256c.$(OBJEXT): ecc-gost-gc256c.h
 ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
@@ -657,7 +662,8 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
-   ecc-gost-gc256b.h ecc-gost-gc512a.h \
+   ecc-gost-gc256b.h ecc-gost-gc256c.h \
+   ecc-gost-gc512a.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 8f050404a944..30a33d43782b 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -44,6 +44,7 @@ extern "C" {
 struct ecc_curve;
 
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256c(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
diff --git a/ecc-gost-gc256c.c b/ecc-gost-gc256c.c
new file mode 100644
index ..9725ff65e6e2
--- /dev/null
+++ b/ecc-gost-gc256c.c
@@ -0,0 +1,191 @@
+/* ecc-gost-gc256c.c
+
+   Compile time constant (but machine dependent) tables.
+
+   Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include 

[PATCH] gost28147: move gost params to internal interface

2020-02-04 Thread dbaryshkov
From: Dmitry Baryshkov 

gost28147_param instances were never part of a stable release, so move
them to the internal header.

Signed-off-by: Dmitry Baryshkov 
---
 Makefile.in  |  2 +-
 gost28147-internal.h | 12 +
 gost28147.c  |  5 ++--
 gost28147.h  | 58 
 gosthash94.c |  9 +++
 5 files changed, 19 insertions(+), 67 deletions(-)
 delete mode 100644 gost28147.h

diff --git a/Makefile.in b/Makefile.in
index f876e5e82197..0de54e85c7ae 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -207,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
  cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \
  curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \
  ecc-curve.h ecc.h ecdsa.h eddsa.h \
- gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \
+ gcm.h gostdsa.h gosthash94.h hmac.h \
  knuth-lfib.h hkdf.h \
  macros.h \
  cmac.h siv-cmac.h \
diff --git a/gost28147-internal.h b/gost28147-internal.h
index 7f5c6f8c63c0..0cb2d152c8ad 100644
--- a/gost28147-internal.h
+++ b/gost28147-internal.h
@@ -34,7 +34,19 @@
 #ifndef NETTLE_GOST28147_INTERNAL_H_INCLUDED
 #define NETTLE_GOST28147_INTERNAL_H_INCLUDED
 
+#include 
+
 #define _gost28147_encrypt_block _nettle_gost28147_encrypt_block
+#define _gost28147_param_test_3411 _nettle_gost28147_param_test_3411
+#define _gost28147_param_CryptoPro_3411 _nettle_gost28147_param_CryptoPro_3411
+
+extern const struct gost28147_param _gost28147_param_test_3411;
+extern const struct gost28147_param _gost28147_param_CryptoPro_3411;
+
+struct gost28147_param
+{
+  uint32_t sbox[4][256];
+};
 
 void _gost28147_encrypt_block (const uint32_t *key, const uint32_t 
sbox[4][256],
   const uint32_t *in, uint32_t *out);
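Review bot: The two `extern const struct gost28147_param ...` declarations are placed before the `struct gost28147_param` definition that follows them, so the objects are declared with an incomplete type; that is legal C, but putting the struct body first reads more naturally and removes any reliance on incomplete-type declarations for users of this header. Now that the type is internal it also carries no description of its single member; gost28147.c describes the tables as pre-initialized lookup tables based on the rotated S-box, so a one-line comment on `uint32_t sbox[4][256];` such as `/* Pre-initialized lookup tables derived from the rotated S-box; see gost28147.c. */` would document the layout at its definition.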
diff --git a/gost28147.c b/gost28147.c
index 15d314c86c17..b6db334b2a0b 100644
--- a/gost28147.c
+++ b/gost28147.c
@@ -33,11 +33,10 @@
 #endif
 
 #include "macros.h"
-#include "gost28147.h"
 #include "gost28147-internal.h"
 
 /* pre-initialized GOST lookup tables based on rotated S-Box */
-const struct gost28147_param gost28147_param_test_3411 =
+const struct gost28147_param _gost28147_param_test_3411 =
 {
   {
 { /* 0 */
@@ -304,7 +303,7 @@ const struct gost28147_param gost28147_param_test_3411 =
   }
 };
 
-const struct gost28147_param gost28147_param_CryptoPro_3411 =
+const struct gost28147_param _gost28147_param_CryptoPro_3411 =
 {
   {
 { /* 0 */
diff --git a/gost28147.h b/gost28147.h
deleted file mode 100644
index 32e7d5e81eb8..
--- a/gost28147.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* gost28147.h
-
-   The GOST 28147-89 cipher function, described in RFC 5831.
-
-   Copyright (C) 2019 Dmitry Eremin-Solenikov
-
-   This file is part of GNU Nettle.
-
-   GNU Nettle is free software: you can redistribute it and/or
-   modify it under the terms of either:
-
- * the GNU Lesser General Public License as published by the Free
-   Software Foundation; either version 3 of the License, or (at your
-   option) any later version.
-
-   or
-
- * the GNU General Public License as published by the Free
-   Software Foundation; either version 2 of the License, or (at your
-   option) any later version.
-
-   or both in parallel, as here.
-
-   GNU Nettle is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   General Public License for more details.
-
-   You should have received copies of the GNU General Public License and
-   the GNU Lesser General Public License along with this program.  If
-   not, see http://www.gnu.org/licenses/.
-*/
-
-#ifndef NETTLE_GOST28147_H_INCLUDED
-#define NETTLE_GOST28147_H_INCLUDED
-
-#include "nettle-types.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define gost28147_param_test_3411 nettle_gost28147_param_test_3411
-#define gost28147_param_CryptoPro_3411 nettle_gost28147_param_CryptoPro_3411
-
-struct gost28147_param
-{
-  uint32_t sbox[4][256];
-};
-
-extern const struct gost28147_param gost28147_param_test_3411;
-extern const struct gost28147_param gost28147_param_CryptoPro_3411;
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* NETTLE_GOST28147_H_INCLUDED */
diff --git a/gosthash94.c b/gosthash94.c
index 954130f741e9..37a7f32272df 100644
--- a/gosthash94.c
+++ b/gosthash94.c
@@ -41,7 +41,6 @@
 #include "macros.h"
 #include "nettle-write.h"
 #include "gosthash94.h"
-#include "gost28147.h"
 #include "gost28147-internal.h"
 
 /**
@@ -339,7 +338,7 @@ gosthash94_update (struct gosthash94_ctx *ctx,
   size_t length, const uint8_t *msg)
 {
   gosthash94_update_int (ctx, length, msg,
-gost28147_param_test_3411.sbox);
+_gost28147_param_test_3411.sbox);
 }
 
 /**
@@ -355,7 +354,7 @@ gosthash94cp_update (struct gosthash94_ctx *ctx,
  

[PATCH] cmac-des3: add meta declaration to Nettle library

2020-02-09 Thread dbaryshkov
From: Dmitry Baryshkov 

Move cmac-des3 meta information from testsuite/cmac-test.c to main
Nettle library.

Signed-off-by: Dmitry Baryshkov 
---
 Makefile.in   |  2 +-
 cmac-des3-meta.c  | 52 +++
 nettle-meta-macs.c|  1 +
 nettle-meta.h |  1 +
 testsuite/cmac-test.c | 12 -
 testsuite/meta-mac-test.c |  1 +
 6 files changed, 56 insertions(+), 13 deletions(-)
 create mode 100644 cmac-des3-meta.c

diff --git a/Makefile.in b/Makefile.in
index d4fcb81302a2..ddc304285321 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -103,7 +103,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 gcm-camellia128.c gcm-camellia128-meta.c \
 gcm-camellia256.c gcm-camellia256-meta.c \
 cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \
-cmac-aes128-meta.c cmac-aes256-meta.c \
+cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \
 gost28147.c gosthash94.c gosthash94-meta.c \
 hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \
 hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \
diff --git a/cmac-des3-meta.c b/cmac-des3-meta.c
new file mode 100644
index ..7fdee8e680cf
--- /dev/null
+++ b/cmac-des3-meta.c
@@ -0,0 +1,52 @@
+/* cmac-des3-meta.c
+
+   Copyright (C) 2020 Dmitry Baryshkov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "nettle-meta.h"
+
+#include "cmac.h"
+
+const struct nettle_mac nettle_cmac_des3 =
+{
+  "cmac_des3",
+  sizeof(struct cmac_des3_ctx),
+  CMAC64_DIGEST_SIZE,
+  DES3_KEY_SIZE,
+
+  (nettle_set_key_func*) cmac_des3_set_key,
+  (nettle_hash_update_func*) cmac_des3_update,
+  (nettle_hash_digest_func*) cmac_des3_digest
+};
diff --git a/nettle-meta-macs.c b/nettle-meta-macs.c
index cb9ede851573..a658ee39e230 100644
--- a/nettle-meta-macs.c
+++ b/nettle-meta-macs.c
@@ -40,6 +40,7 @@
 const struct nettle_mac * const _nettle_macs[] = {
   _cmac_aes128,
   _cmac_aes256,
+  _cmac_des3,
   _hmac_md5,
   _hmac_ripemd160,
   _hmac_sha1,
diff --git a/nettle-meta.h b/nettle-meta.h
index 5d86615f94cc..7a6af363426b 100644
--- a/nettle-meta.h
+++ b/nettle-meta.h
@@ -276,6 +276,7 @@ nettle_get_macs (void);
 
 extern const struct nettle_mac nettle_cmac_aes128;
 extern const struct nettle_mac nettle_cmac_aes256;
+extern const struct nettle_mac nettle_cmac_des3;
 
 /* HMAC variants with key size = digest size */
 extern const struct nettle_mac nettle_hmac_md5;
diff --git a/testsuite/cmac-test.c b/testsuite/cmac-test.c
index 1a2cd0e591cf..a71baa086d01 100644
--- a/testsuite/cmac-test.c
+++ b/testsuite/cmac-test.c
@@ -2,18 +2,6 @@
 #include "nettle-internal.h"
 #include "cmac.h"
 
-const struct nettle_mac nettle_cmac_des3 =
-{
-  "CMAC-3DES",
-  sizeof(struct cmac_des3_ctx),
-  CMAC64_DIGEST_SIZE,
-  DES3_KEY_SIZE,
-
-  (nettle_set_key_func*) cmac_des3_set_key,
-  (nettle_hash_update_func*) cmac_des3_update,
-  (nettle_hash_digest_func*) cmac_des3_digest
-};
-
 #define test_cmac_aes128(key, msg, ref)
\
   test_mac(_cmac_aes128, key, msg, ref)
 
diff --git a/testsuite/meta-mac-test.c b/testsuite/meta-mac-test.c
index 32b6f20f07cd..55339441c99f 100644
--- a/testsuite/meta-mac-test.c
+++ b/testsuite/meta-mac-test.c
@@ -4,6 +4,7 @@
 const char* macs[] = {
   "cmac_aes128",
   "cmac_aes256",
+  "cmac_des3",
   "hmac_md5",
   "hmac_ripemd160",
   "hmac_sha1",
-- 
2.24.1



[PATCH] gitlab-ci: reenable GOST compilation

2020-02-11 Thread dbaryshkov
From: Dmitry Baryshkov 

GnuTLS is now compatible again with Nettle master branch. Remove
--disable-gost.

Signed-off-by: Dmitry Baryshkov 
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 663f98f5cb8e..5b348f38568f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -100,7 +100,7 @@ build/gnutls:
 make -j4 && make install
   - git clone --depth 1 --branch master https://gitlab.com/gnutls/gnutls.git 
gnutls-git
   - cd gnutls-git && git submodule update --init && ./bootstrap &&
-./configure --disable-gost --disable-cxx --disable-guile --disable-doc && 
make -j$(nproc) &&
+./configure --disable-cxx --disable-guile --disable-doc && make -j$(nproc) 
&&
 make -j $(nproc) check
   tags:
   - shared
-- 
2.25.0



[PATCH] Implement GOST VKO key derivation algorithm

2020-02-15 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in  |  2 +-
 gostdsa-vko.c| 77 ++
 gostdsa.h|  7 +++
 testsuite/.gitignore |  1 +
 testsuite/.test-rules.make   |  3 ++
 testsuite/Makefile.in|  2 +-
 testsuite/gostdsa-vko-test.c | 92 
 7 files changed, 182 insertions(+), 2 deletions(-)
 create mode 100644 gostdsa-vko.c
 create mode 100644 testsuite/gostdsa-vko-test.c

diff --git a/Makefile.in b/Makefile.in
index d4fcb81302a2..8f031d7a580d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -194,7 +194,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-ecdsa-sign.c ecdsa-sign.c \
  ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \
  ecc-gostdsa-sign.c gostdsa-sign.c \
- ecc-gostdsa-verify.c gostdsa-verify.c \
+ ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \
  curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \
  curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \
  eddsa-compress.c eddsa-decompress.c eddsa-expand.c \
diff --git a/gostdsa-vko.c b/gostdsa-vko.c
new file mode 100644
index ..f78159a736b3
--- /dev/null
+++ b/gostdsa-vko.c
@@ -0,0 +1,77 @@
+/* gostdsa-vko.c
+
+   Copyright (C) 2016 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+#include 
+
+#include "ecc-internal.h"
+#include "gostdsa.h"
+
+int
+gostdsa_vko(const struct ecc_scalar *key,
+   const struct ecc_point *pub,
+   size_t ukm_length, const uint8_t *ukm,
+   size_t out_length, uint8_t *out)
+{
+  const struct ecc_curve *ecc = key->ecc;
+  unsigned bsize = (ecc_bit_size(ecc) + 7) / 8;
+  mp_size_t size = ecc->p.size;
+  mp_size_t itch = 4*size + ecc->mul_itch;
+  mp_limb_t *scratch;
+
+  if (itch < 5*size + ecc->h_to_a_itch)
+  itch = 5*size + ecc->h_to_a_itch;
+
+  if (pub->ecc != ecc)
+  return 0;
+
+  if (out_length < 2 * bsize) {
+  return 0;
+  }
+
+  scratch = gmp_alloc_limbs (itch);
+
+  mpn_set_base256_le (scratch, size, ukm, ukm_length);
+  if (mpn_zero_p (scratch, size))
+mpn_add_1 (scratch, scratch, size, 1);
+  ecc_mod_mul (>q, scratch + 3*size, key->p, scratch);
+  ecc->mul (ecc, scratch, scratch + 3*size, pub->p, scratch + 4*size);
+  ecc->h_to_a (ecc, 0, scratch + 3*size, scratch, scratch + 5*size);
+  mpn_get_base256_le (out, bsize, scratch + 3*size, size);
+  mpn_get_base256_le (out+bsize, bsize, scratch + 4*size, size);
+  gmp_free_limbs (scratch, itch);
+
+  return 2 * bsize;
+}
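Review bot: `ukm_length` flows into `mpn_set_base256_le (scratch, size, ukm, ukm_length);` without any check against what `size` limbs can hold, so an over-long UKM appears to be silently truncated rather than rejected (assuming mpn_set_base256_le stops filling at `size` limbs, which I cannot confirm from this hunk). The function already returns 0 for a curve mismatch and for a short output buffer, so `if (ukm_length > (size_t) size * sizeof (mp_limb_t)) return 0;` placed before `gmp_alloc_limbs` would keep the error handling consistent, and the accepted UKM length should be stated next to the prototype added in gostdsa.h, which currently carries no comment either. The scratch area still holds the ukm·key product and the shared point when `gmp_free_limbs (scratch, itch);` runs; clearing it first would avoid leaving key-derived material behind in freed memory. A short header comment saying what `out` receives (apparently the affine x and y coordinates, little-endian, `bsize` bytes each) and that the return value is the number of bytes written or 0 on failure is also missing.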
diff --git a/gostdsa.h b/gostdsa.h
index c92dfd1e1dd6..6667d0f1d3a8 100644
--- a/gostdsa.h
+++ b/gostdsa.h
@@ -44,6 +44,7 @@ extern "C" {
 /* Name mangling */
 #define gostdsa_sign nettle_gostdsa_sign
 #define gostdsa_verify nettle_gostdsa_verify
+#define gostdsa_vko nettle_gostdsa_vko
 #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign
 #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch
 #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify
@@ -68,6 +69,12 @@ gostdsa_verify (const struct ecc_point *pub,
size_t length, const uint8_t *digest,
const struct dsa_signature *signature);
 
+int
+gostdsa_vko(const struct ecc_scalar *key,
+   const struct ecc_point *pub,
+   size_t ukm_length, const uint8_t *ukm,
+   size_t out_length, uint8_t *out);
+
 /* Low-level GOSTDSA functions. */
 mp_size_t
 ecc_gostdsa_sign_itch (const struct ecc_curve *ecc);
diff --git a/testsuite/.gitignore b/testsuite/.gitignore
index b8b36c2accc2..a2b3d52312cd 100644
--- a/testsuite/.gitignore
+++ b/testsuite/.gitignore
@@ -46,6 +46,7 @@
 /gostdsa-keygen-test
 /gostdsa-sign-test
 /gostdsa-verify-test
+/gostdsa-vko-test
 /gosthash94-test
 /hkdf-test
 /hmac-test
diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make
index 

[PATCH 2/2] Add support for GOST GC256C curve

2020-02-15 Thread dbaryshkov
From: Dmitry Baryshkov 

Add support for GC256C curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
GostR3410-2001-CryptoPro-B (RFC 4357).

Signed-off-by: Dmitry Baryshkov 
---
 .gitignore  |   1 +
 Makefile.in |  10 +-
 ecc-curve.h |   1 +
 ecc-gost-gc256c.c   | 174 
 ecc-internal.h  |   1 +
 eccdata.c   |  32 ++
 examples/ecc-benchmark.c|   1 +
 nettle.texinfo  |   8 ++
 testsuite/gostdsa-sign-test.c   |  11 ++
 testsuite/gostdsa-verify-test.c |  11 ++
 testsuite/testutils.c   |  14 ++-
 11 files changed, 260 insertions(+), 4 deletions(-)
 create mode 100644 ecc-gost-gc256c.c

diff --git a/.gitignore b/.gitignore
index 48e2b7f464da..a94d279e5d18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ core
 /ecc-curve25519.h
 /ecc-curve448.h
 /ecc-gost-gc256b.h
+/ecc-gost-gc256c.h
 /ecc-gost-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
diff --git a/Makefile.in b/Makefile.in
index d4fcb81302a2..7330ab893131 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -180,7 +180,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
- ecc-gost-gc256b.c ecc-gost-gc512a.c \
+ ecc-gost-gc256b.c ecc-gost-gc256c.c \
+ ecc-gost-gc512a.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -391,6 +392,9 @@ ecc-curve448.h: eccdata.stamp
 ecc-gost-gc256b.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv 
$@T $@
 
+ecc-gost-gc256c.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256c 11 6 $(NUMB_BITS) > $@T && mv 
$@T $@
+
 # Some reasonable choices for 512:
 # k = 22, c =  6, S = 256, T = 110 ( 88 A + 22 D) 32 KB
 # k = 29, c =  6, S = 192, T = 116 ( 87 A + 29 D) 24 KB
@@ -407,6 +411,7 @@ eccdata.stamp: eccdata.c
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
 ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h
+ecc-gost-gc256c.$(OBJEXT): ecc-gost-gc256c.h
 ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
@@ -661,7 +666,8 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
-   ecc-gost-gc256b.h ecc-gost-gc512a.h \
+   ecc-gost-gc256b.h ecc-gost-gc256c.h \
+   ecc-gost-gc512a.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 8f050404a944..30a33d43782b 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -44,6 +44,7 @@ extern "C" {
 struct ecc_curve;
 
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256c(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
diff --git a/ecc-gost-gc256c.c b/ecc-gost-gc256c.c
new file mode 100644
index ..258cf75a26bc
--- /dev/null
+++ b/ecc-gost-gc256c.c
@@ -0,0 +1,174 @@
+/* ecc-gost-gc256c.c
+
+   Compile time constant (but machine dependent) tables.
+
+   Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+

[PATCH 1/2] Change ecc_mod_*mul_1 to be per-module callbacks

2020-02-15 Thread dbaryshkov
From: Dmitry Baryshkov 

GOST curves will require different "fixups" for fast (mul X mod p)
operations. Move these operations into the ecc_modulo structure and call them
via function pointers.

Signed-off-by: Dmitry Baryshkov 
---
 ecc-add-jja.c |  8 
 ecc-add-jjj.c |  8 
 ecc-curve25519.c  |  6 ++
 ecc-curve448.c|  6 ++
 ecc-dup-jj.c  |  8 
 ecc-gost-gc256b.c |  6 ++
 ecc-gost-gc512a.c |  6 ++
 ecc-internal.h| 25 -
 ecc-mod-arith.c   | 12 ++--
 ecc-mul-m.c   |  6 +++---
 ecc-secp192r1.c   |  6 ++
 ecc-secp224r1.c   |  6 ++
 ecc-secp256r1.c   |  6 ++
 ecc-secp384r1.c   |  6 ++
 ecc-secp521r1.c   |  6 ++
 15 files changed, 91 insertions(+), 30 deletions(-)

diff --git a/ecc-add-jja.c b/ecc-add-jja.c
index 037711d38249..55ad954587da 100644
--- a/ecc-add-jja.c
+++ b/ecc-add-jja.c
@@ -102,10 +102,10 @@ ecc_add_jja (const struct ecc_curve *ecc,
   /* w */
   ecc_mod_mul (>p, j, y2, w);
   ecc_mod_sub (>p, w, j, y1);
-  ecc_mod_mul_1 (>p, w, w, 2);
+  ecc->p.mul_1 (>p, w, w, 2);
   
   /* i replaces hh, j */
-  ecc_mod_mul_1 (>p, hh, hh, 4);
+  ecc->p.mul_1 (>p, hh, hh, 4);
   ecc_mod_mul (>p, j, hh, h);
 
   /* v */
@@ -114,12 +114,12 @@ ecc_add_jja (const struct ecc_curve *ecc,
   /* x_3, use (h, hh) as sqratch */  
   ecc_mod_sqr (>p, h, w);
   ecc_mod_sub (>p, r, h, j);
-  ecc_mod_submul_1 (>p, r, v, 2);
+  ecc->p.submul_1 (>p, r, v, 2);
 
   /* y_3, use (h, hh) as sqratch */
   ecc_mod_mul (>p, h, y1, j); /* frees j */
   ecc_mod_sub (>p, r + ecc->p.size, v, r);
   ecc_mod_mul (>p, j, r + ecc->p.size, w);
-  ecc_mod_submul_1 (>p, j, h, 2);
+  ecc->p.submul_1 (>p, j, h, 2);
   mpn_copyi (r + ecc->p.size, j, ecc->p.size);
 }
diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c
index 54b2246aeb24..cad26193234a 100644
--- a/ecc-add-jjj.c
+++ b/ecc-add-jjj.c
@@ -94,14 +94,14 @@ ecc_add_jjj (const struct ecc_curve *ecc,
   ecc_mod_mul (>p, s1, p + ecc->p.size, v);
   ecc_mod_mul (>p, v, j, q + ecc->p.size);
   ecc_mod_sub (>p, s2, v, s1);
-  ecc_mod_mul_1 (>p, s2, s2, 2);
+  ecc->p.mul_1 (>p, s2, s2, 2);
 
   /* Store z3 */
   mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size);
 
   /* i, j, v */
   ecc_mod_sqr (>p, i, u2);
-  ecc_mod_mul_1 (>p, i, i, 4);
+  ecc->p.mul_1 (>p, i, i, 4);
   ecc_mod_mul (>p, j, u2, i);
   ecc_mod_mul (>p, v, u1, i);
 
@@ -109,12 +109,12 @@ ecc_add_jjj (const struct ecc_curve *ecc,
   /* x3, use u1, u2 as scratch */
   ecc_mod_sqr (>p, u1, s2);
   ecc_mod_sub (>p, r, u1, j);
-  ecc_mod_submul_1 (>p, r, v, 2);
+  ecc->p.submul_1 (>p, r, v, 2);
 
   /* y3 */
   ecc_mod_mul (>p, u1, s1, j); /* Frees j */
   ecc_mod_sub (>p, u2, v, r);  /* Frees v */
   ecc_mod_mul (>p, i, s2, u2);
-  ecc_mod_submul_1 (>p, i, u1, 2);
+  ecc->p.submul_1 (>p, i, u1, 2);
   mpn_copyi (r + ecc->p.size, i, ecc->p.size);
 }
diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index f8f2c64af868..04df696f7357 100644
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -310,6 +310,9 @@ const struct ecc_curve _nettle_curve25519 =
 ecc_curve25519_modp,
 ecc_curve25519_inv,
 ecc_curve25519_sqrt,
+
+ecc_mod_mul_1_std,
+ecc_mod_submul_1_std,
   },
   {
 253,
@@ -329,6 +332,9 @@ const struct ecc_curve _nettle_curve25519 =
 ecc_curve25519_modq,
 ecc_mod_inv,
 NULL,
+
+NULL,
+NULL,
   },
 
   0, /* No redc */
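Review bot: The q modulo receives `NULL` for both new callbacks (the two `NULL,` entries added after the existing `NULL,` for sqrt), so any call made through `ecc->q.mul_1` or `ecc->q.submul_1` dereferences a null function pointer, and nothing in the hunk records that these entries are only meaningful for `ecc->p`. A comment on the new entries, `NULL, /* mul_1, submul_1: not provided for q, use only via ecc->p */`, or populating them with the `_std` variants as the p modulo does, would make the invariant visible to anyone adding q-side code later. The curve448 hunk in this patch has the same two unexplained `NULL` entries.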
diff --git a/ecc-curve448.c b/ecc-curve448.c
index 484b7d1e0870..ce7a25d14c4e 100644
--- a/ecc-curve448.c
+++ b/ecc-curve448.c
@@ -288,6 +288,9 @@ const struct ecc_curve _nettle_curve448 =
 ecc_curve448_modp,
 ecc_curve448_inv,
 ecc_curve448_sqrt,
+
+ecc_mod_mul_1_std,
+ecc_mod_submul_1_std,
   },
   {
 446,
@@ -307,6 +310,9 @@ const struct ecc_curve _nettle_curve448 =
 ecc_mod, /* FIXME: Implement optimized reduce function */
 ecc_mod_inv,
 NULL,
+
+NULL,
+NULL,
   },
 
   0, /* No redc */
diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c
index 2247e8fdfd5a..4bbd5163c0e3 100644
--- a/ecc-dup-jj.c
+++ b/ecc-dup-jj.c
@@ -87,7 +87,7 @@ ecc_dup_jj (const struct ecc_curve *ecc,
   ecc_mod_add (>p, sum, xp, delta);
   ecc_mod_sub (>p, delta, xp, delta);
   ecc_mod_mul (>p, beta, sum, delta);
-  ecc_mod_mul_1 (>p, alpha, beta, 3);
+  ecc->p.mul_1 (>p, alpha, beta, 3);
 
   /* beta */
   ecc_mod_mul (>p, beta, xp, gamma);
@@ -95,16 +95,16 @@ ecc_dup_jj (const struct ecc_curve *ecc,
   /* Do gamma^2 and 4*beta early, to get them out of the way. We can
  then use the old area at gamma as scratch. */
   ecc_mod_sqr (>p, g2, gamma);
-  ecc_mod_mul_1 (>p, sum, beta, 4);
+  ecc->p.mul_1 (>p, sum, beta, 4);
   
   /* x' */
   ecc_mod_sqr (>p, gamma, alpha);   /* Overwrites gamma and beta */
-  ecc_mod_submul_1 (>p, gamma, sum, 2);
+  ecc->p.submul_1 (>p, gamma, sum, 2);
   mpn_copyi (r, gamma, ecc->p.size);
 
   /* y' */
   ecc_mod_sub (>p, sum, sum, r);
   ecc_mod_mul (>p, gamma, sum, alpha);
-  ecc_mod_submul_1 (>p, gamma, g2, 8);
+  ecc->p.submul_1 

[PATCH] ecc: remove ecc_modp_foo/ecc_modq_foo macros

2020-02-10 Thread dbaryshkov
From: Dmitry Baryshkov 

To make the use of the ecc functions more obvious, remove the ecc_modp_foo() and
ecc_modq_foo() wrapper macros.

Signed-off-by: Dmitry Baryshkov 
---
 curve25519-eh-to-x.c |  8 +++
 curve448-eh-to-x.c   |  4 ++--
 ecc-add-eh.c | 38 +++
 ecc-add-ehh.c| 42 +-
 ecc-add-jja.c| 44 ++--
 ecc-add-jjj.c| 54 ++--
 ecc-add-th.c | 38 +++
 ecc-add-thh.c| 42 +-
 ecc-dup-eh.c | 26 ++---
 ecc-dup-jj.c | 36 ++---
 ecc-dup-th.c | 26 ++---
 ecc-ecdsa-sign.c |  6 ++---
 ecc-ecdsa-verify.c   |  4 ++--
 ecc-eh-to-a.c|  4 ++--
 ecc-gostdsa-sign.c   |  6 ++---
 ecc-gostdsa-verify.c |  4 ++--
 ecc-internal.h   | 20 
 ecc-j-to-a.c | 12 +-
 eddsa-decompress.c   | 10 
 eddsa-sign.c |  4 ++--
 20 files changed, 204 insertions(+), 224 deletions(-)

diff --git a/curve25519-eh-to-x.c b/curve25519-eh-to-x.c
index 3a8787f022ed..1ce2dd830c75 100644
--- a/curve25519-eh-to-x.c
+++ b/curve25519-eh-to-x.c
@@ -62,14 +62,14 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
   */
   /* NOTE: For the infinity point, this subtraction gives zero (mod
  p), which isn't invertible. For curve25519, the desired output is
- x = 0, and we should be fine, since ecc_modp_inv returns 0
+ x = 0, and we should be fine, since ecc_mod_inv for ecc->p returns 0
  in this case. */
-  ecc_modp_sub (ecc, t0, wp, vp);
+  ecc_mod_sub (>p, t0, wp, vp);
   /* Needs a total of 5*size storage. */
   ecc->p.invert (>p, t1, t0, t2 + ecc->p.size);
   
-  ecc_modp_add (ecc, t0, wp, vp);
-  ecc_modp_mul (ecc, t2, t0, t1);
+  ecc_mod_add (>p, t0, wp, vp);
+  ecc_mod_mul (>p, t2, t0, t1);
 
   cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
   cnd_copy (cy, xp, t2, ecc->p.size);
diff --git a/curve448-eh-to-x.c b/curve448-eh-to-x.c
index 4bc78303f93b..ffeb83c15e44 100644
--- a/curve448-eh-to-x.c
+++ b/curve448-eh-to-x.c
@@ -61,8 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, 
mp_limb_t *scratch)
   */
   /* Needs a total of 9*size storage. */
   ecc->p.invert (>p, t0, p, t1 + ecc->p.size);
-  ecc_modp_mul (ecc, t1, t0, vp);
-  ecc_modp_mul (ecc, t2, t1, t1);
+  ecc_mod_mul (>p, t1, t0, vp);
+  ecc_mod_mul (>p, t2, t1, t1);
 
   cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
   cnd_copy (cy, xp, t2, ecc->p.size);
diff --git a/ecc-add-eh.c b/ecc-add-eh.c
index 8e6b82ab9fd0..05faa7526f41 100644
--- a/ecc-add-eh.c
+++ b/ecc-add-eh.c
@@ -78,30 +78,30 @@ ecc_add_eh (const struct ecc_curve *ecc,
 #define F D
 #define G E
 
-  ecc_modp_mul (ecc, C, x1, x2);
-  ecc_modp_mul (ecc, D, y1, y2);
-  ecc_modp_add (ecc, x3, x1, y1);
-  ecc_modp_add (ecc, y3, x2, y2);
-  ecc_modp_mul (ecc, T, x3, y3);
-  ecc_modp_sub (ecc, T, T, C);
-  ecc_modp_sub (ecc, T, T, D);
-  ecc_modp_mul (ecc, x3, C, D);
-  ecc_modp_mul (ecc, E, x3, ecc->b);
-
-  ecc_modp_sub (ecc, C, D, C);
-  ecc_modp_sqr (ecc, B, z1);
-  ecc_modp_sub (ecc, F, B, E);
-  ecc_modp_add (ecc, G, B, E);
+  ecc_mod_mul (>p, C, x1, x2);
+  ecc_mod_mul (>p, D, y1, y2);
+  ecc_mod_add (>p, x3, x1, y1);
+  ecc_mod_add (>p, y3, x2, y2);
+  ecc_mod_mul (>p, T, x3, y3);
+  ecc_mod_sub (>p, T, T, C);
+  ecc_mod_sub (>p, T, T, D);
+  ecc_mod_mul (>p, x3, C, D);
+  ecc_mod_mul (>p, E, x3, ecc->b);
+
+  ecc_mod_sub (>p, C, D, C);
+  ecc_mod_sqr (>p, B, z1);
+  ecc_mod_sub (>p, F, B, E);
+  ecc_mod_add (>p, G, B, E);
 
   /* x3 */
-  ecc_modp_mul (ecc, B, F, T);
-  ecc_modp_mul (ecc, x3, B, z1);
+  ecc_mod_mul (>p, B, F, T);
+  ecc_mod_mul (>p, x3, B, z1);
 
   /* y3 */
-  ecc_modp_mul (ecc, B, G, z1);
-  ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */
+  ecc_mod_mul (>p, B, G, z1);
+  ecc_mod_mul (>p, y3, B, C); /* Clobbers z1 in case r == p. */
 
   /* z3 */
-  ecc_modp_mul (ecc, B, F, G);
+  ecc_mod_mul (>p, B, F, G);
   mpn_copyi (z3, B, ecc->p.size);
 }
diff --git a/ecc-add-ehh.c b/ecc-add-ehh.c
index bdd827ba396d..1c57a728c797 100644
--- a/ecc-add-ehh.c
+++ b/ecc-add-ehh.c
@@ -80,32 +80,32 @@ ecc_add_ehh (const struct ecc_curve *ecc,
 #define F D
 #define G E
 
-  ecc_modp_mul (ecc, C, x1, x2);
-  ecc_modp_mul (ecc, D, y1, y2);
-  ecc_modp_add (ecc, A, x1, y1);
-  ecc_modp_add (ecc, B, x2, y2);
-  ecc_modp_mul (ecc, T, A, B);
-  ecc_modp_sub (ecc, T, T, C);
-  ecc_modp_sub (ecc, T, T, D);
-  ecc_modp_mul (ecc, x3, C, D);
-  ecc_modp_mul (ecc, E, x3, ecc->b);
-  ecc_modp_sub (ecc, C, D, C);
-
-  ecc_modp_mul (ecc, A, z1, z2);
-  ecc_modp_sqr (ecc, B, A);
-
-  ecc_modp_sub (ecc, F, B, E);
-  ecc_modp_add (ecc, G, B, E);
+  ecc_mod_mul (>p, C, x1, x2);
+  ecc_mod_mul (>p, D, y1, y2);
+  ecc_mod_add (>p, A, x1, y1);
+  ecc_mod_add (>p, B, x2, y2);
+  ecc_mod_mul (>p, T, A, B);
+  ecc_mod_sub (>p, T, T, 

[PATCH 2/3] Add several GOST R 34.10 curves defined by RFC 4357 and RFC 7836

2020-01-10 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add three 256-bit curves from RFC 4357 (Section 11.4) and two 512-bit
curves from RFC 7836 (Section A.1).

Curves are named according to the "TLS Supported Groups" registry.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore   |   5 +
 Makefile.in  |  49 +
 ecc-curve.h  |   5 +
 ecc-gc256b.c | 148 +++
 ecc-gc256c.c | 210 +++
 ecc-gc256d.c | 184 ++
 ecc-gc512a.c | 148 +++
 ecc-gc512b.c | 204 +
 ecc-internal.h   |   7 ++
 eccdata.c| 174 +++-
 examples/ecc-benchmark.c |   5 +
 testsuite/testutils.c|  56 ++-
 12 files changed, 1192 insertions(+), 3 deletions(-)
 create mode 100644 ecc-gc256b.c
 create mode 100644 ecc-gc256c.c
 create mode 100644 ecc-gc256d.c
 create mode 100644 ecc-gc512a.c
 create mode 100644 ecc-gc512b.c

diff --git a/.gitignore b/.gitignore
index ea264107fa40..a0642b1b6c2f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,11 @@ core
 /rotors.h
 /ecc-curve25519.h
 /ecc-curve448.h
+/ecc-gc256b.h
+/ecc-gc256c.h
+/ecc-gc256d.h
+/ecc-gc512a.h
+/ecc-gc512b.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 38160bb40fe1..d9b76d8d5354 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,6 +176,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
+ ecc-gc256b.c ecc-gc256c.c ecc-gc256d.c \
+ ecc-gc512a.c ecc-gc512b.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -396,12 +398,57 @@ ecc-curve25519.h: eccdata.stamp
 ecc-curve448.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
+# Some reasonable choices for 256:
+# k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
+# k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
+# k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
+# k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
+ecc-gc256b.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+
+# Some reasonable choices for 256:
+# k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
+# k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
+# k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
+# k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
+ecc-gc256c.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc256c 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+
+# Some reasonable choices for 256:
+# k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
+# k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
+# k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
+# k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
+ecc-gc256d.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc256d 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+
+# Some reasonable choices for 512:
+# k = 29, c =  6, S = 192, T = 116 ( 87 A + 29 D)
+# k = 21, c =  5, S = 160, T = 126 (105 A + 21 D)
+# k = 43, c =  6, S = 128, T = 129 ( 86 A + 43 D)
+# k = 35, c =  5, S =  96, T = 140 (105 A + 35 D)
+ecc-gc512a.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@
+
+# Some reasonable choices for 512:
+# k = 29, c =  6, S = 192, T = 116 ( 87 A + 29 D)
+# k = 21, c =  5, S = 160, T = 126 (105 A + 21 D)
+# k = 43, c =  6, S = 128, T = 129 ( 86 A + 43 D)
+# k = 35, c =  5, S =  96, T = 140 (105 A + 35 D)
+ecc-gc512b.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc512b 43 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
$(MAKE) eccdata$(EXEEXT_FOR_BUILD)
echo stamp > eccdata.stamp
 
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
+ecc-gc256b.$(OBJEXT): ecc-gc256b.h
+ecc-gc256c.$(OBJEXT): ecc-gc256c.h
+ecc-gc256d.$(OBJEXT): ecc-gc256d.h
+ecc-gc512a.$(OBJEXT): ecc-gc512a.h
+ecc-gc512b.$(OBJEXT): ecc-gc512b.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -660,6 +707,8 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
+   ecc-gc256b.h ecc-gc256c.h ecc-gc256d.h \
+   ecc-gc512a.h ecc-gc512b.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 

[PATCH 1/3] Change ecc_mod_*mul_1 to be per-module callbacks

2020-01-10 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

GOST curves will require different "fixups" for fast (mul X mod p)
operations. Move these operations into the ecc_modulo structure and call them
via function pointers.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 ecc-curve25519.c |  8 
 ecc-curve448.c   |  8 
 ecc-internal.h   | 32 
 ecc-mod-arith.c  | 12 ++--
 ecc-mul-m.c  |  6 +++---
 ecc-secp192r1.c  |  8 
 ecc-secp224r1.c  |  8 
 ecc-secp256r1.c  |  8 
 ecc-secp384r1.c  |  8 
 ecc-secp521r1.c  |  8 
 10 files changed, 85 insertions(+), 21 deletions(-)

diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index 0ad3017c9ebc..4ee80c8d4463 100644
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -310,6 +310,10 @@ const struct ecc_curve _nettle_curve25519 =
 ecc_curve25519_modp,
 ecc_curve25519_inv,
 ecc_curve25519_sqrt,
+
+ecc_mod_mul_1_std,
+ecc_mod_addmul_1_std,
+ecc_mod_submul_1_std,
   },
   {
 253,
@@ -329,6 +333,10 @@ const struct ecc_curve _nettle_curve25519 =
 ecc_curve25519_modq,
 ecc_mod_inv,
 NULL,
+
+NULL,
+NULL,
+NULL,
   },
 
   0, /* No redc */
diff --git a/ecc-curve448.c b/ecc-curve448.c
index c31a0eb26ba4..71634b855af8 100644
--- a/ecc-curve448.c
+++ b/ecc-curve448.c
@@ -288,6 +288,10 @@ const struct ecc_curve _nettle_curve448 =
 ecc_curve448_modp,
 ecc_curve448_inv,
 ecc_curve448_sqrt,
+
+ecc_mod_mul_1_std,
+ecc_mod_addmul_1_std,
+ecc_mod_submul_1_std,
   },
   {
 446,
@@ -307,6 +311,10 @@ const struct ecc_curve _nettle_curve448 =
 ecc_mod, /* FIXME: Implement optimized reduce function */
 ecc_mod_inv,
 NULL,
+
+NULL,
+NULL,
+NULL,
   },
 
   0, /* No redc */
diff --git a/ecc-internal.h b/ecc-internal.h
index c918632df292..105b67b2990e 100644
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -44,9 +44,9 @@
 #define ecc_pm1_redc _nettle_ecc_pm1_redc
 #define ecc_mod_add _nettle_ecc_mod_add
 #define ecc_mod_sub _nettle_ecc_mod_sub
-#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1
-#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1
-#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
+#define ecc_mod_mul_1_std _nettle_ecc_mod_mul_1_std
+#define ecc_mod_addmul_1_std _nettle_ecc_mod_addmul_1_std
+#define ecc_mod_submul_1_std _nettle_ecc_mod_submul_1_std
 #define ecc_mod_mul _nettle_ecc_mod_mul
 #define ecc_mod_sqr _nettle_ecc_mod_sqr
 #define ecc_mod_random _nettle_ecc_mod_random
@@ -141,6 +141,10 @@ typedef void ecc_h_to_a_func (const struct ecc_curve *ecc,
  mp_limb_t *r, const mp_limb_t *p,
  mp_limb_t *scratch);
 
+typedef void ecc_mod_mul_1_func (const struct ecc_modulo *m,
+mp_limb_t *rp,
+const mp_limb_t *ap, mp_limb_t b);
+
 struct ecc_modulo
 {
   unsigned short bit_size;
@@ -165,6 +169,10 @@ struct ecc_modulo
   ecc_mod_func *reduce;
   ecc_mod_inv_func *invert;
   ecc_mod_sqrt_func *sqrt;
+
+  ecc_mod_mul_1_func *mul_1;
+  ecc_mod_mul_1_func *addmul_1;
+  ecc_mod_mul_1_func *submul_1;
 };
 
 /* Represents an elliptic curve of the form
@@ -235,15 +243,15 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp,
 const mp_limb_t *ap, const mp_limb_t *bp);
 
 void
-ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
-  const mp_limb_t *ap, const mp_limb_t b);
+ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp,
+  const mp_limb_t *ap, const mp_limb_t b);
 
 void
-ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
- const mp_limb_t *ap, mp_limb_t b);
+ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, mp_limb_t b);
 void
-ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
- const mp_limb_t *ap, mp_limb_t b);
+ecc_mod_submul_1_std (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, mp_limb_t b);
 
 /* The mul and sqr functions need 2*m->size limbs at rp */
 void
@@ -259,11 +267,11 @@ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
 #define ecc_modp_sub(ecc, r, a, b) \
   ecc_mod_sub (&(ecc)->p, (r), (a), (b))
 #define ecc_modp_mul_1(ecc, r, a, b) \
-  ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b))
+  (ecc)->p.mul_1 (&(ecc)->p, (r), (a), (b))
 #define ecc_modp_addmul_1(ecc, r, a, b) \
-  ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b))
+  (ecc)->p.addmul_1 (&(ecc)->p, (r), (a), (b))
 #define ecc_modp_submul_1(ecc, r, a, b) \
-  ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b))
+  (ecc)->p.submul_1 (&(ecc)->p, (r), (a), (b))
 #define ecc_modp_mul(ecc, r, a, b) \
   ecc_mod_mul (&(ecc)->p, (r), (a), (b))
 #define ecc_modp_sqr(ecc, r, a) \
diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c
index f2e47f6747c1..0399a2cdd7c5 100644
--- a/ecc-mod-arith.c
+++ b/ecc-mod-arith.c
@@ -65,8 +65,8 @@ ecc_mod_sub (const struct 

[PATCH 3/3] Add GOST DSA according to GOST R 34.10-2001/-2012

2020-01-10 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add GOST Digital Signature Algorithms support according to GOST R
34.10-2001/-2012. English translations of these standards are provided
as RFC 5832 and RFC 7091.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in |   4 +-
 ecc-gostdsa-sign.c  | 103 +
 ecc-gostdsa-verify.c| 132 +++
 ecc-hash.c  |  11 +++
 ecc-internal.h  |   7 ++
 gostdsa-sign.c  |  76 
 gostdsa-verify.c|  80 +
 gostdsa.h   | 102 +
 testsuite/.gitignore|   3 +
 testsuite/.test-rules.make  |   9 ++
 testsuite/Makefile.in   |   4 +-
 testsuite/gostdsa-keygen-test.c | 154 
 testsuite/gostdsa-sign-test.c   | 125 ++
 testsuite/gostdsa-verify-test.c | 148 ++
 testsuite/testutils.h   |   1 +
 15 files changed, 957 insertions(+), 2 deletions(-)
 create mode 100644 ecc-gostdsa-sign.c
 create mode 100644 ecc-gostdsa-verify.c
 create mode 100644 gostdsa-sign.c
 create mode 100644 gostdsa-verify.c
 create mode 100644 gostdsa.h
 create mode 100644 testsuite/gostdsa-keygen-test.c
 create mode 100644 testsuite/gostdsa-sign-test.c
 create mode 100644 testsuite/gostdsa-verify-test.c

diff --git a/Makefile.in b/Makefile.in
index d9b76d8d5354..3efc41f5ea04 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -190,6 +190,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \
  ecc-ecdsa-sign.c ecdsa-sign.c \
  ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \
+ ecc-gostdsa-sign.c gostdsa-sign.c \
+ ecc-gostdsa-verify.c gostdsa-verify.c \
  curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \
  curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \
  eddsa-compress.c eddsa-decompress.c eddsa-expand.c \
@@ -206,7 +208,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
  cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \
  curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \
  ecc-curve.h ecc.h ecdsa.h eddsa.h \
- gcm.h gost28147.h gosthash94.h hmac.h \
+ gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \
  knuth-lfib.h hkdf.h \
  macros.h \
  cmac.h siv-cmac.h \
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c
new file mode 100644
index ..0b8671d382ec
--- /dev/null
+++ b/ecc-gostdsa-sign.c
@@ -0,0 +1,103 @@
+/* ecc-gostdsa-sign.c
+
+   Copyright (C) 2015 Dmitry Eremin-Solenikov
+   Copyright (C) 2013, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+#include 
+
+#include "gostdsa.h"
+#include "ecc-internal.h"
+
+/* Low-level GOST DSA signing */
+
+mp_size_t
+ecc_gostdsa_sign_itch (const struct ecc_curve *ecc)
+{
+  /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for
+ ecc_mul_g and ecc_mul_g_eh. */
+  return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size);
+}
+
+/* NOTE: Caller should check if r or s is zero. */
+void
+ecc_gostdsa_sign (const struct ecc_curve *ecc,
+   const mp_limb_t *zp,
+   const mp_limb_t *kp,
+   size_t length, const uint8_t *digest,
+   mp_limb_t *rp, mp_limb_t *sp,
+   mp_limb_t *scratch)
+{
+#define P  scratch
+#define hp (scratch + 4*ecc->p.size)
+#define tp (scratch + 2*ecc->p.size)
+#define t2pscratch
+  /* Procedure, according to GOST 34.10. q denotes the group
+ order.
+
+ 1. k <-- uniformly random, 0 < k < q
+
+ 2. C <-- (c_x, c_y) = k g
+
+ 3. r <-- c_x mod q
+
+ 4. s <-- (r*z + 

[PATCH v2 2/3] Add support for GOST GC512A curve

2020-01-11 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add support for GC512A curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
tc26-gost-3410-12-512-paramSetA (RFC 7836).

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore   |   1 +
 Makefile.in  |  13 +++-
 ecc-curve.h  |   1 +
 ecc-gc512a.c | 140 +++
 ecc-internal.h   |   1 +
 eccdata.c| 139 ++
 examples/ecc-benchmark.c |   1 +
 testsuite/testutils.c|  18 -
 8 files changed, 310 insertions(+), 4 deletions(-)
 create mode 100644 ecc-gc512a.c

diff --git a/.gitignore b/.gitignore
index 4454ade5a950..2e64c187574f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ core
 /ecc-curve25519.h
 /ecc-curve448.h
 /ecc-gc256b.h
+/ecc-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 8815e7b76dea..28672c8546ea 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,7 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
- ecc-gc256b.c \
+ ecc-gc256b.c ecc-gc512a.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -405,6 +405,14 @@ ecc-curve448.h: eccdata.stamp
 ecc-gc256b.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
 
+# Some reasonable choices for 512:
+# k = 29, c =  6, S = 192, T = 116 ( 87 A + 29 D)
+# k = 21, c =  5, S = 160, T = 126 (105 A + 21 D)
+# k = 43, c =  6, S = 128, T = 129 ( 86 A + 43 D)
+# k = 35, c =  5, S =  96, T = 140 (105 A + 35 D)
+ecc-gc512a.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
$(MAKE) eccdata$(EXEEXT_FOR_BUILD)
echo stamp > eccdata.stamp
@@ -412,6 +420,7 @@ eccdata.stamp: eccdata.c
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
 ecc-gc256b.$(OBJEXT): ecc-gc256b.h
+ecc-gc512a.$(OBJEXT): ecc-gc512a.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -670,7 +679,7 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
-   ecc-gc256b.h \
+   ecc-gc256b.h ecc-gc512a.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index b378c8489839..93e1585ba15b 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -44,6 +44,7 @@ extern "C" {
 struct ecc_curve;
 
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc512a(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gc512a.c b/ecc-gc512a.c
new file mode 100644
index ..cc7be928fa6e
--- /dev/null
+++ b/ecc-gc512a.c
@@ -0,0 +1,140 @@
+/* ecc-gc512a.c
+
+   Compile time constant (but machine dependent) tables.
+
+   Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC (ECC_REDC_SIZE != 0)
+
+#include "ecc-gc512a.h"
+
+#if ECC_REDC_SIZE > 0
+#  define ecc_gc512a_redc 

[PATCH v2 1/3] Add support for GOST GC256B curve

2020-01-11 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add support for GC256B curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
GostR3410-2001-CryptoPro-A and GostR3410-2001-CryptoPro-XchA (RFC 4357).

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore   |   1 +
 Makefile.in  |  11 +++
 ecc-curve.h  |   1 +
 ecc-gc256b.c | 140 +++
 ecc-internal.h   |   3 +
 eccdata.c|  34 +-
 examples/ecc-benchmark.c |   1 +
 testsuite/testutils.c|  12 +++-
 8 files changed, 200 insertions(+), 3 deletions(-)
 create mode 100644 ecc-gc256b.c

diff --git a/.gitignore b/.gitignore
index ea264107fa40..4454ade5a950 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ core
 /rotors.h
 /ecc-curve25519.h
 /ecc-curve448.h
+/ecc-gc256b.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 38160bb40fe1..8815e7b76dea 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,6 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
+ ecc-gc256b.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -396,12 +397,21 @@ ecc-curve25519.h: eccdata.stamp
 ecc-curve448.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
+# Some reasonable choices for 256:
+# k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
+# k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
+# k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
+# k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
+ecc-gc256b.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
$(MAKE) eccdata$(EXEEXT_FOR_BUILD)
echo stamp > eccdata.stamp
 
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
+ecc-gc256b.$(OBJEXT): ecc-gc256b.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -660,6 +670,7 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
+   ecc-gc256b.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 76024a19d24f..b378c8489839 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -43,6 +43,7 @@ extern "C" {
 /* The contents of this struct is internal. */
 struct ecc_curve;
 
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc256b(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gc256b.c b/ecc-gc256b.c
new file mode 100644
index ..755759a8fd38
--- /dev/null
+++ b/ecc-gc256b.c
@@ -0,0 +1,140 @@
+/* ecc-gc256b.c
+
+   Compile time constant (but machine dependent) tables.
+
+   Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC (ECC_REDC_SIZE != 0)
+
+#include "ecc-gc256b.h"
+
+#if ECC_REDC_SIZE > 0
+#  define ecc_gc256b_redc ecc_pp1_redc
+#elif ECC_REDC_SIZE == 0
+#  define ecc_gc256b_redc NULL
+#else
+# error Configuration error
+#endif
+
+static void
+ecc_gc256b_modp (const struct ecc_modulo 

[PATCH v2 3/3] Add GOST DSA according to GOST R 34.10-2001/-2012

2020-01-11 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add GOST Digital Signature Algorithms support according to GOST R
34.10-2001/-2012. English translations of these standards are provided
as RFC 5832 and RFC 7091.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 Makefile.in |   4 +-
 ecc-gostdsa-sign.c  | 103 +
 ecc-gostdsa-verify.c| 132 +++
 ecc-hash.c  |  11 +++
 ecc-internal.h  |   7 ++
 gostdsa-sign.c  |  76 
 gostdsa-verify.c|  80 +
 gostdsa.h   | 102 +
 testsuite/.gitignore|   3 +
 testsuite/.test-rules.make  |   9 ++
 testsuite/Makefile.in   |   4 +-
 testsuite/gostdsa-keygen-test.c | 154 
 testsuite/gostdsa-sign-test.c   |  87 ++
 testsuite/gostdsa-verify-test.c | 110 +++
 testsuite/testutils.h   |   1 +
 15 files changed, 881 insertions(+), 2 deletions(-)
 create mode 100644 ecc-gostdsa-sign.c
 create mode 100644 ecc-gostdsa-verify.c
 create mode 100644 gostdsa-sign.c
 create mode 100644 gostdsa-verify.c
 create mode 100644 gostdsa.h
 create mode 100644 testsuite/gostdsa-keygen-test.c
 create mode 100644 testsuite/gostdsa-sign-test.c
 create mode 100644 testsuite/gostdsa-verify-test.c

diff --git a/Makefile.in b/Makefile.in
index 28672c8546ea..05111eded397 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -189,6 +189,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \
  ecc-ecdsa-sign.c ecdsa-sign.c \
  ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \
+ ecc-gostdsa-sign.c gostdsa-sign.c \
+ ecc-gostdsa-verify.c gostdsa-verify.c \
  curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \
  curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \
  eddsa-compress.c eddsa-decompress.c eddsa-expand.c \
@@ -205,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
  cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \
  curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \
  ecc-curve.h ecc.h ecdsa.h eddsa.h \
- gcm.h gost28147.h gosthash94.h hmac.h \
+ gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \
  knuth-lfib.h hkdf.h \
  macros.h \
  cmac.h siv-cmac.h \
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c
new file mode 100644
index ..0b8671d382ec
--- /dev/null
+++ b/ecc-gostdsa-sign.c
@@ -0,0 +1,103 @@
+/* ecc-gostdsa-sign.c
+
+   Copyright (C) 2015 Dmitry Eremin-Solenikov
+   Copyright (C) 2013, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+#include 
+
+#include "gostdsa.h"
+#include "ecc-internal.h"
+
+/* Low-level GOST DSA signing */
+
+mp_size_t
+ecc_gostdsa_sign_itch (const struct ecc_curve *ecc)
+{
+  /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for
+ ecc_mul_g and ecc_mul_g_eh. */
+  return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size);
+}
+
+/* NOTE: Caller should check if r or s is zero. */
+void
+ecc_gostdsa_sign (const struct ecc_curve *ecc,
+   const mp_limb_t *zp,
+   const mp_limb_t *kp,
+   size_t length, const uint8_t *digest,
+   mp_limb_t *rp, mp_limb_t *sp,
+   mp_limb_t *scratch)
+{
+#define P  scratch
+#define hp (scratch + 4*ecc->p.size)
+#define tp (scratch + 2*ecc->p.size)
+#define t2pscratch
+  /* Procedure, according to GOST 34.10. q denotes the group
+ order.
+
+ 1. k <-- uniformly random, 0 < k < q
+
+ 2. C <-- (c_x, c_y) = k g
+
+ 3. r <-- c_x mod q
+
+ 4. s <-- (r*z + k*h) mod q.
+  

[PATCH v3 2/3] Add support for GOST GC512A curve

2020-01-12 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add support for GC512A curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
tc26-gost-3410-12-512-paramSetA (RFC 7836).

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore   |   1 +
 Makefile.in  |  14 -
 ecc-curve.h  |   1 +
 ecc-gc512a.c | 128 +++
 ecc-internal.h   |   1 +
 eccdata.c|  38 
 examples/ecc-benchmark.c |   1 +
 testsuite/testutils.c|  18 +-
 8 files changed, 198 insertions(+), 4 deletions(-)
 create mode 100644 ecc-gc512a.c

diff --git a/.gitignore b/.gitignore
index 4454ade5a950..2e64c187574f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ core
 /ecc-curve25519.h
 /ecc-curve448.h
 /ecc-gc256b.h
+/ecc-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 8815e7b76dea..11883a8bc88b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,7 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
- ecc-gc256b.c \
+ ecc-gc256b.c ecc-gc512a.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -405,6 +405,15 @@ ecc-curve448.h: eccdata.stamp
 ecc-gc256b.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
 
+# Some reasonable choices for 512:
+# k = 22, c =  6, S = 256, T = 110 ( 88 A + 22 D) 32 KB
+# k = 29, c =  6, S = 192, T = 116 ( 87 A + 29 D) 24 KB
+# k = 21, c =  5, S = 160, T = 126 (105 A + 21 D) 20 KB
+# k = 43, c =  6, S = 128, T = 129 ( 86 A + 43 D) 16 KB
+# k = 35, c =  5, S =  96, T = 140 (105 A + 35 D) 12 KB
+ecc-gc512a.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
$(MAKE) eccdata$(EXEEXT_FOR_BUILD)
echo stamp > eccdata.stamp
@@ -412,6 +421,7 @@ eccdata.stamp: eccdata.c
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
 ecc-gc256b.$(OBJEXT): ecc-gc256b.h
+ecc-gc512a.$(OBJEXT): ecc-gc512a.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -670,7 +680,7 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
-   ecc-gc256b.h \
+   ecc-gc256b.h ecc-gc512a.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index b378c8489839..93e1585ba15b 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -44,6 +44,7 @@ extern "C" {
 struct ecc_curve;
 
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc512a(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gc512a.c b/ecc-gc512a.c
new file mode 100644
index ..602fd28147ea
--- /dev/null
+++ b/ecc-gc512a.c
@@ -0,0 +1,128 @@
+/* ecc-gc512a.c
+
+   Copyright (C) 2016-2020 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include "ecc-gc512a.h"
+
+static void
+ecc_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+{
+  mp_size_t mn = m->size;
+  mp_limb_t hi;
+
+  hi = mpn_addmul_1(rp, rp + mn, 

[PATCH v3 1/3] Add support for GOST GC256B curve

2020-01-12 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add support for GC256B curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
GostR3410-2001-CryptoPro-A and GostR3410-2001-CryptoPro-XchA (RFC 4357).

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore   |   1 +
 Makefile.in  |  11 
 ecc-curve.h  |   1 +
 ecc-gc256b.c | 128 +++
 ecc-internal.h   |   3 +
 eccdata.c|  34 ++-
 examples/ecc-benchmark.c |   1 +
 testsuite/testutils.c|  12 +++-
 8 files changed, 188 insertions(+), 3 deletions(-)
 create mode 100644 ecc-gc256b.c

diff --git a/.gitignore b/.gitignore
index ea264107fa40..4454ade5a950 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ core
 /rotors.h
 /ecc-curve25519.h
 /ecc-curve448.h
+/ecc-gc256b.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 38160bb40fe1..8815e7b76dea 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,6 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
+ ecc-gc256b.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -396,12 +397,21 @@ ecc-curve25519.h: eccdata.stamp
 ecc-curve448.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
+# Some reasonable choices for 256:
+# k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
+# k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
+# k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
+# k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
+ecc-gc256b.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
$(MAKE) eccdata$(EXEEXT_FOR_BUILD)
echo stamp > eccdata.stamp
 
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
+ecc-gc256b.$(OBJEXT): ecc-gc256b.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -660,6 +670,7 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
+   ecc-gc256b.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 76024a19d24f..b378c8489839 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -43,6 +43,7 @@ extern "C" {
 /* The contents of this struct is internal. */
 struct ecc_curve;
 
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gc256b(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gc256b.c b/ecc-gc256b.c
new file mode 100644
index ..b2d12d0bdf7c
--- /dev/null
+++ b/ecc-gc256b.c
@@ -0,0 +1,128 @@
+/* ecc-gc256b.c
+
+   Copyright (C) 2016-2020 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include "ecc-gc256b.h"
+
+static void
+ecc_gc256b_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+{
+  mp_size_t mn = m->size;
+  mp_limb_t hi;
+
+  hi = mpn_addmul_1(rp, rp + mn, mn, 0x269);
+  hi = sec_add_1 (rp, rp, mn, hi * 0x269);
+  hi = sec_add_1 (rp, rp, mn, hi * 0x269);
+  assert(hi == 0);
+}
+
+#define ecc_gc256b_modp ecc_gc256b_modp
+#define ecc_gc256b_modq ecc_mod
+
+const struct ecc_curve 

[PATCH v4 1/4] Add support for GOST GC256B curve

2020-01-15 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add support for GC256B curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
GostR3410-2001-CryptoPro-A and GostR3410-2001-CryptoPro-XchA (RFC 4357).

Signed-off-by: Dmitry Eremin-Solenikov 
Signed-off-by: Dmitry Baryshkov 
---
 .gitignore   |   1 +
 Makefile.in  |  11 
 ecc-curve.h  |   1 +
 ecc-gost-gc256b.c| 128 +++
 ecc-internal.h   |   3 +
 eccdata.c|  34 ++-
 examples/ecc-benchmark.c |   1 +
 testsuite/testutils.c|  12 +++-
 8 files changed, 188 insertions(+), 3 deletions(-)
 create mode 100644 ecc-gost-gc256b.c

diff --git a/.gitignore b/.gitignore
index ea264107fa40..4454ade5a950 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ core
 /rotors.h
 /ecc-curve25519.h
 /ecc-curve448.h
+/ecc-gc256b.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
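Review bot: The ignore entry added here is `/ecc-gc256b.h`, but this same patch (v4) renamed the generated header: the Makefile hunks add the rule `ecc-gost-gc256b.h: eccdata.stamp`, the object dependency `ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h`, and `ecc-gost-gc256b.h` in the `clean-here` list. The entry therefore matches nothing and the build output `ecc-gost-gc256b.h` shows up as an untracked file; the hunk's blob ids are the same as in v2/v3, which suggests this file was simply not refreshed for the rename. Change the added line to `+/ecc-gost-gc256b.h`.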
diff --git a/Makefile.in b/Makefile.in
index 38160bb40fe1..9c1a925462aa 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,6 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
+ ecc-gost-gc256b.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -396,12 +397,21 @@ ecc-curve25519.h: eccdata.stamp
 ecc-curve448.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
+# Some reasonable choices for 256:
+# k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
+# k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
+# k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
+# k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
+ecc-gost-gc256b.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv 
$@T $@
+
 eccdata.stamp: eccdata.c
$(MAKE) eccdata$(EXEEXT_FOR_BUILD)
echo stamp > eccdata.stamp
 
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
+ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -660,6 +670,7 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
+   ecc-gost-gc256b.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 76024a19d24f..da07b0232d42 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -43,6 +43,7 @@ extern "C" {
 /* The contents of this struct is internal. */
 struct ecc_curve;
 
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
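Review bot: The new `nettle_get_gost_gc256b` declaration is undocumented, and unlike the `secp_*` getters its name does not identify a standard parameter set on its own, so a caller picking a curve for a GOST R 34.10 key has to go to the manual to learn which OIDs it corresponds to. The commit message already lists the aliases, so a one-line comment on the declaration is enough: `/* GOST R 34.10 256-bit curve, a.k.a. GostR3410-2001-CryptoPro-A / CryptoPro-XchA parameter sets (RFC 4357). */`. The neighbouring getters carry no comments either, which is a pre-existing gap rather than one introduced here.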
diff --git a/ecc-gost-gc256b.c b/ecc-gost-gc256b.c
new file mode 100644
index ..8adc8e1763b9
--- /dev/null
+++ b/ecc-gost-gc256b.c
@@ -0,0 +1,128 @@
+/* ecc-gost-gc256b.c
+
+   Copyright (C) 2016-2020 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include "ecc-gost-gc256b.h"
+
+static void
+ecc_gost_gc256b_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+{
+  mp_size_t mn = m->size;
+  mp_limb_t hi;
+
+  hi = mpn_addmul_1(rp, rp + mn, mn, 0x269);
+  hi = sec_add_1 (rp, rp, mn, hi * 0x269);
+  hi = sec_add_1 (rp, rp, mn, hi * 0x269);
+  assert(hi == 0);

[PATCH v4 4/4] Add documentation for GOSTDSA and GOST curves.

2020-01-15 Thread dbaryshkov
From: Dmitry Baryshkov 

Signed-off-by: Dmitry Baryshkov 
---
 nettle.texinfo | 65 +-
 1 file changed, 64 insertions(+), 1 deletion(-)

diff --git a/nettle.texinfo b/nettle.texinfo
index 65b36e315f81..38c84410c103 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -115,6 +115,7 @@ Public-key algorithms
 
 * Side-channel silence::
 * ECDSA::
+* GOSTDSA::
 * Curve 25519 and Curve 448::
 
 @end detailmenu
@@ -4916,6 +4917,7 @@ curve'' is used as a shorthand for the bitsize of the 
curve's prime
 @menu
 * Side-channel silence::
 * ECDSA::
+* GOSTDSA::
 * Curve 25519 and Curve 448::
 @end menu
 
@@ -4950,7 +4952,7 @@ accesses depend only on the size of the input data and 
its location in
 memory, not on the actual data bits. This implies a performance penalty
 in several of the building blocks.
 
-@node ECDSA, Curve 25519 and Curve 448, Side-channel silence, Elliptic curves
+@node ECDSA, GOSTDSA, Side-channel silence, Elliptic curves
 @comment  node-name,  next,  previous,  up
 @subsubsection ECDSA
 
@@ -5054,6 +5056,67 @@ random octets and store them at @code{dst}. For advice, 
see
 @xref{Randomness}.
 @end deftypefun
 
+@node GOSTDSA, Curve 25519 and Curve 448, ECDSA, Elliptic curves
+@comment  node-name,  next,  previous,  up
+@subsubsection GOSTDSA
+
+GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA
+(@pxref{DSA}) and ECDSA (@pxref{ECDSA}) digital signature schemes, which works
+over an elliptic curve group. Original documents are written in Russian.
+English translations are provided in @cite{RFC 5832} and @cite{RFC 7091}.
+While technically nothing stops one from using GOSTDSA over any curve, it
+is defined only over several 256 and 512-bit curves.  Like DSA and ECDSA,
+creating a signature requires a unique random nonce (repeating the nonce
+with two different messages reveals the private key, and any leak or bias
+in the generation of the nonce also leaks information about the key).
+
+GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function
+(GOSTHASH94 and GOSTHASH94CP, @cite{RFC 5831}).  GOST R 34.10-2012 is
+defined to use GOST R 34.11-2012 hash function (Streebog, @cite{RFC
+6986}) of corresponding size (256 or 512) depending on curve size.
+
+Nettle defines GOSTDSA in @file{}. GOSTDSA reuses ECDSA
+data types (@code{struct ecc_point}, @code{struct ecc_scalar}) to
+represent public and private keys.  Also to generate a new GOSTDSA key
+pair one has to use @code{ecdsa_generate_keypair()} function.
+
+To create and verify GOSTDSA signatures, the following functions are used.
+
+@deftypefun void gostdsa_sign (const struct ecc_scalar *@var{key}, void 
*@var{random_ctx}, nettle_random_func *@var{random}, size_t 
@var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature 
*@var{signature})
+Uses the private key @var{key} to create a signature on @var{digest}.
+@var{random_ctx} and @var{random} is a randomness generator.
+@code{random(random_ctx, length, dst)} should generate @code{length}
+random octets and store them at @code{dst}. The signature is stored in
+@var{signature}, in the same was as for plain DSA.
+@end deftypefun
+
+@deftypefun int gostdsa_verify (const struct ecc_point *@var{pub}, size_t 
@var{length}, const uint8_t *@var{digest}, const struct dsa_signature 
*@var{signature})
+Uses the public key @var{pub} to verify that @var{signature} is a valid
+signature for the message digest @var{digest} (of @var{length} octets).
+Returns 1 if the signature is valid, otherwise 0.
+@end deftypefun
+
+For historical reason several curve IDs (OIDs) may correspond to a single
+curve/generator combination. Following list defines correspondence
+between nettle's view on curves and actual identifiers defined in @cite{RFC
+4357} and @cite{RFC 7836}.
+
+@deftypefun {const struct ecc_curve} nettle_get_gost_gc256b(void)
+Returns curve corresponding to following identifiers:
+@itemize
+@item id-GostR3410-2001-CryptoPro-A-ParamSet (@cite{RFC 4357})
+@item id-GostR3410-2001-CryptoPro-XchA-ParamSet (@cite{RFC 4357})
+@item id-tc26-gost-3410-12-256-paramSetB
+@end itemize
+@end deftypefun
+
+@deftypefun {const struct ecc_curve} nettle_get_gost_gc512a(void)
+Returns curve corresponding to following identifiers:
+@itemize
+@item id-tc26-gost-3410-12-512-paramSetA (@cite{RFC 7836})
+@end itemize
+@end deftypefun
+
 @node Curve 25519 and Curve 448, , ECDSA, Elliptic curves
 @comment  node-name,  next,  previous,  up
 @subsubsection Curve25519 and Curve448
-- 
2.24.1



[PATCH v4 3/4] Add GOST DSA according to GOST R 34.10-2001/-2012

2020-01-15 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add GOST Digital Signature Algorithms support according to GOST R
34.10-2001/-2012. English translations of these standards are provided
as RFC 5832 and RFC 7091.

Signed-off-by: Dmitry Eremin-Solenikov 
Signed-off-by: Dmitry Baryshkov 
---
 Makefile.in |   4 +-
 ecc-gostdsa-sign.c  | 101 +
 ecc-gostdsa-verify.c| 130 +++
 ecc-hash.c  |  11 +++
 ecc-internal.h  |   7 ++
 gostdsa-sign.c  |  74 +++
 gostdsa-verify.c|  78 
 gostdsa.h   | 102 +
 testsuite/.gitignore|   3 +
 testsuite/.test-rules.make  |   9 ++
 testsuite/Makefile.in   |   4 +-
 testsuite/gostdsa-keygen-test.c | 154 
 testsuite/gostdsa-sign-test.c   |  87 ++
 testsuite/gostdsa-verify-test.c | 110 +++
 testsuite/testutils.h   |   1 +
 15 files changed, 873 insertions(+), 2 deletions(-)
 create mode 100644 ecc-gostdsa-sign.c
 create mode 100644 ecc-gostdsa-verify.c
 create mode 100644 gostdsa-sign.c
 create mode 100644 gostdsa-verify.c
 create mode 100644 gostdsa.h
 create mode 100644 testsuite/gostdsa-keygen-test.c
 create mode 100644 testsuite/gostdsa-sign-test.c
 create mode 100644 testsuite/gostdsa-verify-test.c

diff --git a/Makefile.in b/Makefile.in
index a08dfe4da481..1396e2fe2808 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -189,6 +189,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \
  ecc-ecdsa-sign.c ecdsa-sign.c \
  ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \
+ ecc-gostdsa-sign.c gostdsa-sign.c \
+ ecc-gostdsa-verify.c gostdsa-verify.c \
  curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \
  curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \
  eddsa-compress.c eddsa-decompress.c eddsa-expand.c \
@@ -205,7 +207,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
  cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \
  curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \
  ecc-curve.h ecc.h ecdsa.h eddsa.h \
- gcm.h gost28147.h gosthash94.h hmac.h \
+ gcm.h gost28147.h gostdsa.h gosthash94.h hmac.h \
  knuth-lfib.h hkdf.h \
  macros.h \
  cmac.h siv-cmac.h \
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c
new file mode 100644
index ..00eeef81f659
--- /dev/null
+++ b/ecc-gostdsa-sign.c
@@ -0,0 +1,101 @@
+/* ecc-gostdsa-sign.c
+
+   Copyright (C) 2015 Dmitry Eremin-Solenikov
+   Copyright (C) 2013, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+#include 
+
+#include "gostdsa.h"
+#include "ecc-internal.h"
+
+/* Low-level GOST DSA signing */
+
+mp_size_t
+ecc_gostdsa_sign_itch (const struct ecc_curve *ecc)
+{
+  /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for
+ ecc_mul_g and ecc_mul_g_eh. */
+  return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size);
+}
+
+/* NOTE: Caller should check if r or s is zero. */
+void
+ecc_gostdsa_sign (const struct ecc_curve *ecc,
+   const mp_limb_t *zp,
+   const mp_limb_t *kp,
+   size_t length, const uint8_t *digest,
+   mp_limb_t *rp, mp_limb_t *sp,
+   mp_limb_t *scratch)
+{
+#define P  scratch
+#define hp (scratch + 4*ecc->p.size)
+#define tp (scratch + 2*ecc->p.size)
+#define t2pscratch
+  /* Procedure, according to GOST 34.10. q denotes the group
+ order.
+
+ 1. k <-- uniformly random, 0 < k < q
+
+ 2. C <-- (c_x, c_y) = k g
+
+ 3. r <-- c_x mod q
+
+ 4. s <-- (r*z + k*h) mod q.
+  */
+
+  ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size);

[PATCH v4 2/4] Add support for GOST GC512A curve

2020-01-15 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Add support for GC512A curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
tc26-gost-3410-12-512-paramSetA (RFC 7836).

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore   |   1 +
 Makefile.in  |  14 -
 ecc-curve.h  |   1 +
 ecc-gost-gc512a.c| 128 +++
 ecc-internal.h   |   1 +
 eccdata.c|  38 
 examples/ecc-benchmark.c |   1 +
 testsuite/testutils.c|  18 +-
 8 files changed, 198 insertions(+), 4 deletions(-)
 create mode 100644 ecc-gost-gc512a.c

diff --git a/.gitignore b/.gitignore
index 4454ade5a950..2e64c187574f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ core
 /ecc-curve25519.h
 /ecc-curve448.h
 /ecc-gc256b.h
+/ecc-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 9c1a925462aa..a08dfe4da481 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,7 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
  ecc-curve25519.c ecc-curve448.c \
- ecc-gost-gc256b.c \
+ ecc-gost-gc256b.c ecc-gost-gc512a.c \
  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
  ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -405,6 +405,15 @@ ecc-curve448.h: eccdata.stamp
 ecc-gost-gc256b.h: eccdata.stamp
./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv 
$@T $@
 
+# Some reasonable choices for 512:
+# k = 22, c =  6, S = 256, T = 110 ( 88 A + 22 D) 32 KB
+# k = 29, c =  6, S = 192, T = 116 ( 87 A + 29 D) 24 KB
+# k = 21, c =  5, S = 160, T = 126 (105 A + 21 D) 20 KB
+# k = 43, c =  6, S = 128, T = 129 ( 86 A + 43 D) 16 KB
+# k = 35, c =  5, S =  96, T = 140 (105 A + 35 D) 12 KB
+ecc-gost-gc512a.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) gost_gc512a 43 6 $(NUMB_BITS) > $@T && mv 
$@T $@
+
 eccdata.stamp: eccdata.c
$(MAKE) eccdata$(EXEEXT_FOR_BUILD)
echo stamp > eccdata.stamp
@@ -412,6 +421,7 @@ eccdata.stamp: eccdata.c
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
 ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h
+ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -670,7 +680,7 @@ distcheck: dist
 clean-here:
-rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \
ecc-curve25519.h ecc-curve448.h \
-   ecc-gost-gc256b.h \
+   ecc-gost-gc256b.h ecc-gost-gc512a.h \
ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
ecc-secp384r1.h ecc-secp521r1.h \
aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index da07b0232d42..8f050404a944 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -44,6 +44,7 @@ extern "C" {
 struct ecc_curve;
 
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c
new file mode 100644
index ..4baec1f5945d
--- /dev/null
+++ b/ecc-gost-gc512a.c
@@ -0,0 +1,128 @@
+/* ecc-gost-gc512a.c
+
+   Copyright (C) 2016-2020 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include "ecc-gost-gc512a.h"
+
+static void
+ecc_gc512a_modp (const struct 

[PATCH 0/2] two small fixes for ecc-gost branch

2020-01-18 Thread dbaryshkov
Hello,

Two small fixes to go on top of ecc-gost branch. These two patches can
be squashed into respective patches or just live as separate instances,
whatever you would prefer.

-- 
With best wishes
Dmitry




[PATCH 2/2] .gitignore: correct generated header names

2020-01-18 Thread dbaryshkov
From: Dmitry Baryshkov 

Signed-off-by: Dmitry Baryshkov 
---
 .gitignore | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2e64c187574f..48e2b7f464da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,8 +45,8 @@ core
 /rotors.h
 /ecc-curve25519.h
 /ecc-curve448.h
-/ecc-gc256b.h
-/ecc-gc512a.h
+/ecc-gost-gc256b.h
+/ecc-gost-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
-- 
2.24.1



[PATCH 1/2] gost gc512a: rename functions to follow usual pattern

2020-01-18 Thread dbaryshkov
From: Dmitry Baryshkov 

Signed-off-by: Dmitry Baryshkov 
---
 ecc-gost-gc512a.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c
index 4baec1f5945d..6d210925b609 100644
--- a/ecc-gost-gc512a.c
+++ b/ecc-gost-gc512a.c
@@ -43,7 +43,7 @@
 #include "ecc-gost-gc512a.h"
 
 static void
-ecc_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+ecc_gost_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp)
 {
   mp_size_t mn = m->size;
   mp_limb_t hi;
@@ -54,8 +54,8 @@ ecc_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp)
   assert(hi == 0);
 }
 
-#define ecc_gc512a_modp ecc_gc512a_modp
-#define ecc_gc512a_modq ecc_mod
+#define ecc_gost_gc512a_modp ecc_gost_gc512a_modp
+#define ecc_gost_gc512a_modq ecc_mod
 
 const struct ecc_curve _nettle_gost_gc512a =
 {
@@ -73,8 +73,8 @@ const struct ecc_curve _nettle_gost_gc512a =
 ecc_redc_ppm1,
 
 ecc_pp1h,
-ecc_gc512a_modp,
-ecc_gc512a_modp,
+ecc_gost_gc512a_modp,
+ecc_gost_gc512a_modp,
 ecc_mod_inv,
 NULL,
   },
@@ -92,8 +92,8 @@ const struct ecc_curve _nettle_gost_gc512a =
 NULL,
 ecc_qp1h,
 
-ecc_gc512a_modq,
-ecc_gc512a_modq,
+ecc_gost_gc512a_modq,
+ecc_gost_gc512a_modq,
 ecc_mod_inv,
 NULL,
   },
-- 
2.24.1



[PATCH] hogweed-benchmark: fill 32 or 56 bytes rather than just sizeof(int)

2020-01-16 Thread dbaryshkov
From: Dmitry Baryshkov 

Don't call sizeof(CURVExyz_SIZE) to get the number of bytes to fill. Just
use CURVExyz_SIZE itself.

Signed-off-by: Dmitry Baryshkov 
---
 examples/hogweed-benchmark.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/hogweed-benchmark.c b/examples/hogweed-benchmark.c
index 11393df04c81..69315211a0cc 100644
--- a/examples/hogweed-benchmark.c
+++ b/examples/hogweed-benchmark.c
@@ -771,12 +771,12 @@ bench_curve_init (unsigned size)
 case 255:
   ctx->mul = curve25519_mul;
   ctx->mul_g = curve25519_mul_g;
-  knuth_lfib_random (, sizeof(CURVE25519_SIZE), ctx->s);
+  knuth_lfib_random (, CURVE25519_SIZE, ctx->s);
   break;
 case 448:
   ctx->mul = curve448_mul;
   ctx->mul_g = curve448_mul_g;
-  knuth_lfib_random (, sizeof(CURVE448_SIZE), ctx->s);
+  knuth_lfib_random (, CURVE448_SIZE, ctx->s);
   break;
 default:
   abort ();
-- 
2.24.1



[PATCH v5 3/3] hogweed-benchmark: enable testing of GOST DSA

2020-01-16 Thread dbaryshkov
From: Dmitry Baryshkov 

Signed-off-by: Dmitry Baryshkov 
---
 examples/hogweed-benchmark.c | 104 +++
 1 file changed, 104 insertions(+)

diff --git a/examples/hogweed-benchmark.c b/examples/hogweed-benchmark.c
index 11393df04c81..bceed77e55d9 100644
--- a/examples/hogweed-benchmark.c
+++ b/examples/hogweed-benchmark.c
@@ -48,6 +48,7 @@
 #include "dsa.h"
 #include "rsa.h"
 #include "eddsa.h"
+#include "gostdsa.h"
 #include "curve25519.h"
 #include "curve448.h"
 
@@ -591,6 +592,107 @@ bench_eddsa_clear (void *p)
   free (p);
 }
 
+static void *
+bench_gostdsa_init (unsigned size)
+{
+  struct ecdsa_ctx *ctx;
+  const struct ecc_curve *ecc;
+
+  const char *xs;
+  const char *ys;
+  const char *zs;
+  mpz_t x, y, z;
+
+  ctx = xalloc (sizeof(*ctx));
+
+  dsa_signature_init (>s);
+  knuth_lfib_init (>lfib, 17);
+
+  switch (size)
+{
+case 256:
+  ecc = &_nettle_gost_gc256b;
+  xs = "971566ceda436ee7678f7e07e84ebb7217406c0b4747aa8fd2ab1453c3d0dfba";
+  ys = "ad58736965949f8e59830f8de20fc6c0d177f6ab599874f1e2e24ff71f9ce643";
+  zs = "bfcf1d623e5cdd3032a7c6eabb4a923c46e43d640ffeaaf2c3ed39a8fa399924";
+  ctx->digest = hash_string (_sha256, "abc");
+  ctx->digest_size = 32;
+  break;
+
+case 512:
+  ecc = &_nettle_gost_gc512a;
+  xs = "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6"
+  "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40";
+  ys = "DEAD76318012FED79507809C89CC44848743640EAC9A3C847DA9082E050760A1"
+  "0679F4B707ABC1872640AD20D7441F66C7A8B3BFF1B8E11B4A076F0A86749F73";
+  zs = "3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435"
+  "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B";
+  ctx->digest = hash_string (_sha512, "abc");
+  ctx->digest_size = 64;
+  break;
+
+default:
+  die ("Internal error.\n");
+}
+  ecc_point_init (>pub, ecc);
+  ecc_scalar_init (>key, ecc);
+
+  mpz_init_set_str (x, xs, 16);
+  mpz_init_set_str (y, ys, 16);
+  mpz_init_set_str (z, zs, 16);
+
+  ecc_point_set (>pub, x, y);
+  ecc_scalar_set (>key, z);
+
+  mpz_clear (x);
+  mpz_clear (y);
+  mpz_clear (z);
+
+  gostdsa_sign (>key,
+   >lfib, (nettle_random_func *) knuth_lfib_random,
+   ctx->digest_size, ctx->digest,
+   >s);
+
+  return ctx;
+}
+
+static void
+bench_gostdsa_sign (void *p)
+{
+  struct ecdsa_ctx *ctx = p;
+  struct dsa_signature s;
+
+  dsa_signature_init ();
+  gostdsa_sign (>key,
+   >lfib, (nettle_random_func *) knuth_lfib_random,
+   ctx->digest_size, ctx->digest,
+   );
+  dsa_signature_clear ();
+}
+
+static void
+bench_gostdsa_verify (void *p)
+{
+  struct ecdsa_ctx *ctx = p;
+  if (! gostdsa_verify (>pub,
+   ctx->digest_size, ctx->digest,
+   >s))
+die ("Internal error, _gostdsa_verify failed.\n");
+}
+
+static void
+bench_gostdsa_clear (void *p)
+{
+  struct ecdsa_ctx *ctx = p;
+
+  ecc_point_clear (>pub);
+  ecc_scalar_clear (>key);
+  dsa_signature_clear (>s);
+  free (ctx->digest);
+
+  free (ctx);
+}
+
 #if WITH_OPENSSL
 struct openssl_rsa_ctx
 {
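Review bot: The return values of `ecc_point_set (&ctx->pub, x, y)` and `ecc_scalar_set (&ctx->key, z)` in bench_gostdsa_init are discarded, so a malformed hex constant would only surface later as the `die` in bench_gostdsa_verify rather than at setup; the three `mpz_init_set_str` calls likewise return non-zero on an unparsable string and are not checked. If these follow the same contract as the existing ecdsa benchmark path (non-zero on success, zero for a point off the curve or an out-of-range scalar), a check such as `if (! ecc_point_set (&ctx->pub, x, y) || ! ecc_scalar_set (&ctx->key, z)) die ("Internal error, bad gostdsa test key.\n");` makes the failure point explicit. The 512-bit case also hashes with sha512 rather than a GOST R 34.11-2012 digest; that is fine for timing but deserves a comment next to the `hash_string` call, e.g. `/* Any 64-byte digest will do for benchmarking; the standard pairs this curve with Streebog-512. */`.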
@@ -838,6 +940,8 @@ struct alg alg_list[] = {
   { "eddsa", 448, bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify, 
bench_eddsa_clear },
   { "curve", 255, bench_curve_init, bench_curve_mul_g, bench_curve_mul, 
bench_curve_clear},
   { "curve", 448, bench_curve_init, bench_curve_mul_g, bench_curve_mul, 
bench_curve_clear },
+  { "gostdsa",  256, bench_gostdsa_init, bench_gostdsa_sign, 
bench_gostdsa_verify, bench_gostdsa_clear },
+  { "gostdsa",  512, bench_gostdsa_init, bench_gostdsa_sign, 
bench_gostdsa_verify, bench_gostdsa_clear },
 };
 
 #define numberof(x)  (sizeof (x) / sizeof ((x)[0]))
-- 
2.24.1



[PATCH v5 2/3] Add documentation for GOSTDSA and GOST curves.

2020-01-16 Thread dbaryshkov
From: Dmitry Baryshkov 

Signed-off-by: Dmitry Baryshkov 
---
 nettle.texinfo | 65 +-
 1 file changed, 64 insertions(+), 1 deletion(-)

diff --git a/nettle.texinfo b/nettle.texinfo
index 65b36e315f81..38c84410c103 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -115,6 +115,7 @@ Public-key algorithms
 
 * Side-channel silence::
 * ECDSA::
+* GOSTDSA::
 * Curve 25519 and Curve 448::
 
 @end detailmenu
@@ -4916,6 +4917,7 @@ curve'' is used as a shorthand for the bitsize of the 
curve's prime
 @menu
 * Side-channel silence::
 * ECDSA::
+* GOSTDSA::
 * Curve 25519 and Curve 448::
 @end menu
 
@@ -4950,7 +4952,7 @@ accesses depend only on the size of the input data and 
its location in
 memory, not on the actual data bits. This implies a performance penalty
 in several of the building blocks.
 
-@node ECDSA, Curve 25519 and Curve 448, Side-channel silence, Elliptic curves
+@node ECDSA, GOSTDSA, Side-channel silence, Elliptic curves
 @comment  node-name,  next,  previous,  up
 @subsubsection ECDSA
 
@@ -5054,6 +5056,67 @@ random octets and store them at @code{dst}. For advice, 
see
 @xref{Randomness}.
 @end deftypefun
 
+@node GOSTDSA, Curve 25519 and Curve 448, ECDSA, Elliptic curves
+@comment  node-name,  next,  previous,  up
+@subsubsection GOSTDSA
+
+GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA
+(@pxref{DSA}) and ECDSA (@pxref{ECDSA}) digital signature schemes, which works
+over an elliptic curve group. Original documents are written in Russian.
+English translations are provided in @cite{RFC 5832} and @cite{RFC 7091}.
+While technically nothing stops one from using GOSTDSA over any curve, it
+is defined only over several 256 and 512-bit curves.  Like DSA and ECDSA,
+creating a signature requires a unique random nonce (repeating the nonce
+with two different messages reveals the private key, and any leak or bias
+in the generation of the nonce also leaks information about the key).
+
+GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function
+(GOSTHASH94 and GOSTHASH94CP, @cite{RFC 5831}).  GOST R 34.10-2012 is
+defined to use GOST R 34.11-2012 hash function (Streebog, @cite{RFC
+6986}) of corresponding size (256 or 512) depending on curve size.
+
+Nettle defines GOSTDSA in @file{}. GOSTDSA reuses ECDSA
+data types (@code{struct ecc_point}, @code{struct ecc_scalar}) to
+represent public and private keys.  Also to generate a new GOSTDSA key
+pair one has to use @code{ecdsa_generate_keypair()} function.
+
+To create and verify GOSTDSA signatures, the following functions are used.
+
+@deftypefun void gostdsa_sign (const struct ecc_scalar *@var{key}, void 
*@var{random_ctx}, nettle_random_func *@var{random}, size_t 
@var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature 
*@var{signature})
+Uses the private key @var{key} to create a signature on @var{digest}.
+@var{random_ctx} and @var{random} is a randomness generator.
+@code{random(random_ctx, length, dst)} should generate @code{length}
+random octets and store them at @code{dst}. The signature is stored in
+@var{signature}, in the same was as for plain DSA.
+@end deftypefun
+
+@deftypefun int gostdsa_verify (const struct ecc_point *@var{pub}, size_t 
@var{length}, const uint8_t *@var{digest}, const struct dsa_signature 
*@var{signature})
+Uses the public key @var{pub} to verify that @var{signature} is a valid
+signature for the message digest @var{digest} (of @var{length} octets).
+Returns 1 if the signature is valid, otherwise 0.
+@end deftypefun
+
+For historical reason several curve IDs (OIDs) may correspond to a single
+curve/generator combination. Following list defines correspondence
+between nettle's view on curves and actual identifiers defined in @cite{RFC
+4357} and @cite{RFC 7836}.
+
+@deftypefun {const struct ecc_curve} nettle_get_gost_gc256b(void)
+Returns curve corresponding to following identifiers:
+@itemize
+@item id-GostR3410-2001-CryptoPro-A-ParamSet (@cite{RFC 4357})
+@item id-GostR3410-2001-CryptoPro-XchA-ParamSet (@cite{RFC 4357})
+@item id-tc26-gost-3410-12-256-paramSetB
+@end itemize
+@end deftypefun
+
+@deftypefun {const struct ecc_curve} nettle_get_gost_gc512a(void)
+Returns curve corresponding to following identifiers:
+@itemize
+@item id-tc26-gost-3410-12-512-paramSetA (@cite{RFC 7836})
+@end itemize
+@end deftypefun
+
 @node Curve 25519 and Curve 448, , ECDSA, Elliptic curves
 @comment  node-name,  next,  previous,  up
 @subsubsection Curve25519 and Curve448
-- 
2.24.1



[PATCH v3 3/3] ecc: rename functions to contain curve names instead of bits

2020-01-06 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Rename curve functions to use curve names instead of just bit sizes.
Otherwise the function names become confusing once other curves are
added.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 arm/ecc-secp192r1-modp.asm |  6 +++---
 arm/ecc-secp224r1-modp.asm |  6 +++---
 arm/ecc-secp256r1-redc.asm |  6 +++---
 arm/ecc-secp384r1-modp.asm |  6 +++---
 arm/ecc-secp521r1-modp.asm |  6 +++---
 configure.ac   | 22 +++---
 ecc-curve25519.c   | 34 +-
 ecc-curve448.c | 34 +-
 ecc-secp192r1.c| 16 
 ecc-secp224r1.c| 16 
 ecc-secp256r1.c| 32 
 ecc-secp384r1.c| 16 
 ecc-secp521r1.c| 12 ++--
 eddsa-sign.c   |  2 +-
 x86_64/ecc-curve25519-modp.asm |  4 ++--
 x86_64/ecc-secp192r1-modp.asm  |  6 +++---
 x86_64/ecc-secp224r1-modp.asm  |  6 +++---
 x86_64/ecc-secp256r1-redc.asm  |  4 ++--
 x86_64/ecc-secp384r1-modp.asm  |  4 ++--
 x86_64/ecc-secp521r1-modp.asm  |  4 ++--
 20 files changed, 121 insertions(+), 121 deletions(-)

diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm
index 4680336f1bc7..4c596a168b3d 100644
--- a/arm/ecc-secp192r1-modp.asm
+++ b/arm/ecc-secp192r1-modp.asm
@@ -49,11 +49,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_192_modp)
+PROLOGUE(_nettle_ecc_secp192r1_modp)
push{r4,r5,r6,r7,r8,r10}
C Reduce two words at a time
add HP, RP, #48
@@ -103,4 +103,4 @@ PROLOGUE(_nettle_ecc_192_modp)
 
pop {r4,r5,r6,r7,r8,r10}
bx  lr
-EPILOGUE(_nettle_ecc_192_modp)
+EPILOGUE(_nettle_ecc_secp192r1_modp)
diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm
index 400b7a815c2c..67089a0c2981 100644
--- a/arm/ecc-secp224r1-modp.asm
+++ b/arm/ecc-secp224r1-modp.asm
@@ -48,11 +48,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_224_modp)
+PROLOGUE(_nettle_ecc_secp224r1_modp)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
add L2, RP, #28
@@ -121,4 +121,4 @@ PROLOGUE(_nettle_ecc_224_modp)
stmdb   RP, {T0,T1,T2,T3,T4,T5,T6}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(_nettle_ecc_224_modp)
+EPILOGUE(_nettle_ecc_secp224r1_modp)
diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm
index 7b117de43fbc..f8386c39c9a6 100644
--- a/arm/ecc-secp256r1-redc.asm
+++ b/arm/ecc-secp256r1-redc.asm
@@ -48,11 +48,11 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_256_redc)
+PROLOGUE(_nettle_ecc_secp256r1_redc)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7}
@@ -170,4 +170,4 @@ PROLOGUE(_nettle_ecc_256_redc)
stm RP, {T0,T1,T2,T3,T4,T5,T6,T7}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(_nettle_ecc_256_redc)
+EPILOGUE(_nettle_ecc_secp256r1_redc)
diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm
index dd9a325b09de..1983ee68cdd4 100644
--- a/arm/ecc-secp384r1-modp.asm
+++ b/arm/ecc-secp384r1-modp.asm
@@ -46,11 +46,11 @@ define(, )
 define(, )
 define(, )

-   C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
.align 2
 
-PROLOGUE(_nettle_ecc_384_modp)
+PROLOGUE(_nettle_ecc_secp384r1_modp)
push{r4,r5,r6,r7,r8,r10,lr}
 
add RP, RP, #80
@@ -267,4 +267,4 @@ PROLOGUE(_nettle_ecc_384_modp)
adcsT3, T3, H
stm RP!, {T0,T1,T2,T3}  C 8-11
pop {r4,r5,r6,r7,r8,r10,pc}
-EPILOGUE(_nettle_ecc_384_modp)
+EPILOGUE(_nettle_ecc_secp384r1_modp)
diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm
index f11967634689..6d1759ec8a2a 100644
--- a/arm/ecc-secp521r1-modp.asm
+++ b/arm/ecc-secp521r1-modp.asm
@@ -45,14 +45,14 @@ define(, )
 define(, )
 define(, )
 
-   C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+   C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
.text
 .Lc511:
.int 511
 
.align 2
 
-PROLOGUE(_nettle_ecc_521_modp)
+PROLOGUE(_nettle_ecc_secp521r1_modp)
push{r4,r5,r6,r7,r8,lr}
 
C Use that B^17 = 2^23 (mod p)
@@ -124,4 +124,4 @@ PROLOGUE(_nettle_ecc_521_modp)
   

[PATCH v3 2/3] ecc: prefix optimized ECC function names with underscore

2020-01-06 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

There is no need to keep the optimized ECC functions in the public
namespace (nettle_*); move them to the internal namespace (_nettle_*).

Signed-off-by: Dmitry Eremin-Solenikov 
---
 arm/ecc-secp192r1-modp.asm | 4 ++--
 arm/ecc-secp224r1-modp.asm | 4 ++--
 arm/ecc-secp256r1-redc.asm | 4 ++--
 arm/ecc-secp384r1-modp.asm | 4 ++--
 arm/ecc-secp521r1-modp.asm | 4 ++--
 ecc-curve25519.c   | 2 +-
 ecc-curve448.c | 2 +-
 ecc-secp192r1.c| 2 +-
 ecc-secp224r1.c| 2 +-
 ecc-secp256r1.c| 2 +-
 ecc-secp384r1.c| 2 +-
 ecc-secp521r1.c| 2 +-
 x86_64/ecc-curve25519-modp.asm | 4 ++--
 x86_64/ecc-curve448-modp.asm   | 4 ++--
 x86_64/ecc-secp192r1-modp.asm  | 4 ++--
 x86_64/ecc-secp224r1-modp.asm  | 4 ++--
 x86_64/ecc-secp256r1-redc.asm  | 4 ++--
 x86_64/ecc-secp384r1-modp.asm  | 4 ++--
 x86_64/ecc-secp521r1-modp.asm  | 4 ++--
 19 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/arm/ecc-secp192r1-modp.asm b/arm/ecc-secp192r1-modp.asm
index dbaae2e38922..4680336f1bc7 100644
--- a/arm/ecc-secp192r1-modp.asm
+++ b/arm/ecc-secp192r1-modp.asm
@@ -53,7 +53,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_192_modp)
+PROLOGUE(_nettle_ecc_192_modp)
push{r4,r5,r6,r7,r8,r10}
C Reduce two words at a time
add HP, RP, #48
@@ -103,4 +103,4 @@ PROLOGUE(nettle_ecc_192_modp)
 
pop {r4,r5,r6,r7,r8,r10}
bx  lr
-EPILOGUE(nettle_ecc_192_modp)
+EPILOGUE(_nettle_ecc_192_modp)
diff --git a/arm/ecc-secp224r1-modp.asm b/arm/ecc-secp224r1-modp.asm
index 2c86755a7c9a..400b7a815c2c 100644
--- a/arm/ecc-secp224r1-modp.asm
+++ b/arm/ecc-secp224r1-modp.asm
@@ -52,7 +52,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_224_modp)
+PROLOGUE(_nettle_ecc_224_modp)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
add L2, RP, #28
@@ -121,4 +121,4 @@ PROLOGUE(nettle_ecc_224_modp)
stmdb   RP, {T0,T1,T2,T3,T4,T5,T6}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(nettle_ecc_224_modp)
+EPILOGUE(_nettle_ecc_224_modp)
diff --git a/arm/ecc-secp256r1-redc.asm b/arm/ecc-secp256r1-redc.asm
index 9c20062a44e4..7b117de43fbc 100644
--- a/arm/ecc-secp256r1-redc.asm
+++ b/arm/ecc-secp256r1-redc.asm
@@ -52,7 +52,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_256_redc)
+PROLOGUE(_nettle_ecc_256_redc)
push{r4,r5,r6,r7,r8,r10,r11,lr}
 
ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7}
@@ -170,4 +170,4 @@ PROLOGUE(nettle_ecc_256_redc)
stm RP, {T0,T1,T2,T3,T4,T5,T6,T7}
 
pop {r4,r5,r6,r7,r8,r10,r11,pc}
-EPILOGUE(nettle_ecc_256_redc)
+EPILOGUE(_nettle_ecc_256_redc)
diff --git a/arm/ecc-secp384r1-modp.asm b/arm/ecc-secp384r1-modp.asm
index dbedbdf8d32e..dd9a325b09de 100644
--- a/arm/ecc-secp384r1-modp.asm
+++ b/arm/ecc-secp384r1-modp.asm
@@ -50,7 +50,7 @@ define(, )
.text
.align 2
 
-PROLOGUE(nettle_ecc_384_modp)
+PROLOGUE(_nettle_ecc_384_modp)
push{r4,r5,r6,r7,r8,r10,lr}
 
add RP, RP, #80
@@ -267,4 +267,4 @@ PROLOGUE(nettle_ecc_384_modp)
adcsT3, T3, H
stm RP!, {T0,T1,T2,T3}  C 8-11
pop {r4,r5,r6,r7,r8,r10,pc}
-EPILOGUE(nettle_ecc_384_modp)
+EPILOGUE(_nettle_ecc_384_modp)
diff --git a/arm/ecc-secp521r1-modp.asm b/arm/ecc-secp521r1-modp.asm
index 2b4f79192a2e..f11967634689 100644
--- a/arm/ecc-secp521r1-modp.asm
+++ b/arm/ecc-secp521r1-modp.asm
@@ -52,7 +52,7 @@ define(, )
 
.align 2
 
-PROLOGUE(nettle_ecc_521_modp)
+PROLOGUE(_nettle_ecc_521_modp)
push{r4,r5,r6,r7,r8,lr}
 
C Use that B^17 = 2^23 (mod p)
@@ -124,4 +124,4 @@ PROLOGUE(nettle_ecc_521_modp)
stm RP, {T0,T1,T2,F0,F1,F2,F3,H}C 9-16
 
pop {r4,r5,r6,r7,r8,pc}
-EPILOGUE(nettle_ecc_521_modp)
+EPILOGUE(_nettle_ecc_521_modp)
diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index 73d72765dce8..65843a57ee5a 100644
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -48,7 +48,7 @@
 
 #if HAVE_NATIVE_ecc_25519_modp
 
-#define ecc_25519_modp nettle_ecc_25519_modp
+#define ecc_25519_modp _nettle_ecc_25519_modp
 void
 ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp);
 #else
diff --git a/ecc-curve448.c b/ecc-curve448.c
index 7020e3e8f6aa..981dc53f279e 100644
--- a/ecc-curve448.c
+++ b/ecc-curve448.c
@@ -46,7 +46,7 @@
 #include "ecc-curve448.h"
 
 #if HAVE_NATIVE_ecc_curve448_modp
-#define ecc_448_modp nettle_ecc_curve448_modp
+#define ecc_448_modp _nettle_ecc_curve448_modp
 void
 ecc_448_modp (const struct ecc_modulo *m, mp_limb_t *rp);
 #elif GMP_NUMB_BITS == 64
diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c
index 858a1b7554ce..15f5f1fa4c04 100644
--- a/ecc-secp192r1.c
+++ b/ecc-secp192r1.c
@@ -50,7 +50,7 @@
 
 #if HAVE_NATIVE_ecc_192_modp
 
-#define ecc_192_modp nettle_ecc_192_modp
+#define ecc_192_modp _nettle_ecc_192_modp
 void
 ecc_192_modp (const struct 

[PATCH v3 1/3] ecc: rename source files with curves data

2020-01-06 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

In preparation to adding GOST curves support, rename source files and
use curve name as eccdata parameter.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 .gitignore| 14 ++---
 Makefile.in   | 54 -
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  4 +-
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  4 +-
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  4 +-
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  4 +-
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  4 +-
 configure.ac  |  6 +-
 ecc-25519.c => ecc-curve25519.c   |  4 +-
 ecc-448.c => ecc-curve448.c   |  4 +-
 ecc-192.c => ecc-secp192r1.c  |  4 +-
 ecc-224.c => ecc-secp224r1.c  |  4 +-
 ecc-256.c => ecc-secp256r1.c  |  4 +-
 ecc-384.c => ecc-secp384r1.c  |  4 +-
 ecc-521.c => ecc-secp521r1.c  |  4 +-
 eccdata.c | 58 +++
 ...25519-modp.asm => ecc-curve25519-modp.asm} |  0
 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} |  4 +-
 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} |  4 +-
 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} |  4 +-
 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} |  4 +-
 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} |  4 +-
 22 files changed, 105 insertions(+), 95 deletions(-)
 rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (97%)
 rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%)
 rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (98%)
 rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%)
 rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%)
 rename ecc-25519.c => ecc-curve25519.c (99%)
 rename ecc-448.c => ecc-curve448.c (99%)
 rename ecc-192.c => ecc-secp192r1.c (98%)
 rename ecc-224.c => ecc-secp224r1.c (98%)
 rename ecc-256.c => ecc-secp256r1.c (99%)
 rename ecc-384.c => ecc-secp384r1.c (99%)
 rename ecc-521.c => ecc-secp521r1.c (98%)
 rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%)
 rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (96%)
 rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (97%)
 rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (97%)
 rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (98%)
 rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (97%)

diff --git a/.gitignore b/.gitignore
index 0afe61de3826..ea264107fa40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,13 +43,13 @@ core
 /keymap.h
 /parity.h
 /rotors.h
-/ecc-192.h
-/ecc-224.h
-/ecc-256.h
-/ecc-384.h
-/ecc-521.h
-/ecc-25519.h
-/ecc-448.h
+/ecc-curve25519.h
+/ecc-curve448.h
+/ecc-secp192r1.h
+/ecc-secp224r1.h
+/ecc-secp256r1.h
+/ecc-secp384r1.h
+/ecc-secp521r1.h
 /version.h
 /nettle.aux
 /nettle.cp
diff --git a/Makefile.in b/Makefile.in
index e0c9f5f7de66..38160bb40fe1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -175,8 +175,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \
  gmp-glue.c cnd-copy.c \
  ecc-mod.c ecc-mod-inv.c \
  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
- ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \
- ecc-25519.c ecc-448.c \
+ ecc-curve25519.c ecc-curve448.c \
+ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
+ ecc-secp384r1.c ecc-secp521r1.c \
  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
  ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \
  ecc-eh-to-a.c \
@@ -350,24 +351,24 @@ des.$(OBJEXT): des.c des.h $(des_headers)
 # k = 14, c =  7, S = 256, T =  42 ( 28 A + 14 D) 12 KB
 # k = 11, c =  6, S = 192, T =  44 ( 33 A + 11 D)  9 KB
 # k = 16, c =  6, S = 128, T =  48 ( 32 A + 16 D)  6 KB
-ecc-192.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp192r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T 
$@
 
 # Some reasonable choices for 224:
 # k = 16, c =  7, S = 256, T =  48 ( 32 A + 16 D) ~16 KB
 # k = 10, c =  6, S = 256, T =  50 ( 40 A + 10 D) ~16 KB
 # k = 13, c =  6, S = 192, T =  52 ( 39 A + 13 D) ~12 KB
 # k =  9, c =  5, S = 160, T =  54 ( 45 A +  9 D) ~10 KB
-ecc-224.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-secp224r1.h: eccdata.stamp
+   ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv 
$@T $@
 
 # Some reasonable choices for 256:
 # k =  9, c =  6, S = 320, T =  54 ( 45 A +  9 D) 20 KB
 # k = 11, c =  6, S = 256, T =  55 ( 44 A + 11 D) 16 KB
 # k = 19, c =  7, S = 256, T =  57 ( 38 A + 19 D) 16 KB
 # k = 15, c =  6, S = 192, T =  60 ( 45 A + 15 D) 12 KB
-ecc-256.h: eccdata.stamp
-   ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@