Re: Basic SHA3 support (cryptographic discussion)

2018-01-11 Thread Daniel Loebenberger
Hi,

Concerning the question of who needs SHA3, we do not agree that SHA3 should
be skipped as a standard. As cryptographers we sincerely believe that
the SHA3 design is superior to that of SHA256, also due to the process
by which it was created. We believe that an efficient implementation will
trigger increased use of the standard and hope that its user base will grow
quickly once the commands are simply there.

For the discussion, find here some additional arguments in favor of
SHA3:

- The construction of SHA3 differs considerably from the SHA2
constructions (which covers all variants). Cryptanalytic progress for
SHA2 can destroy all variants at once, but will probably not affect
SHA3.

- SHA3's design principles are far better understood than the ones of
SHA2. The invention of sponge functions is in our opinion one of the
greatest inventions in hash-function design over the past few years. It
is simple and brilliant, and the generic properties of the construction
have appealing properties.

- A possible migration away from SHA2 will be faster when including SHA3
in OpenBSD now if it should happen that major cryptanalytic advances
attacking SHA2 pop up in the future.

- The claim that we now "know" how to build secure hash functions in
general seems problematic. To break a function, substantial cryptanalytic
effort must be made. It is not clear how much of this effort was put in
the presumably secure "newer" functions.

- The argument that SHA3 is slow does at least not apply to the reference
code we used: The current implementation of sha3-256 is indeed [slightly]
faster on our machine than the one of sha256.

Best regards,
Daniel, Stefan and Alexander



Re: Basic SHA3 support

2018-01-11 Thread Daniel Loebenberger
d a message digest, suitable for use as a digital signature.
+There are four families of functions, with names corresponding to
+the number of bits in the resulting message digest.
+The functions can process a message of arbitrary length as input.
+.Pp
+The SHA-3 functions are considered to be more secure than the
+.Xr sha1 3
+functions with which they share a similar interface. They are an
+alternative to the
+.Xr sha2 3
+functions.
+The 224, 256, 384, and 512-bit versions of SHA-3 share the same interface.
+For brevity, only the 256-bit variants are described below.
+.Pp
+The
+.Fn SHA3_256Init
+function initializes a SHA3_CTX
+.Fa context
+for use with
+.Fn SHA3_256Update
+and
+.Fn SHA3_256Final .
+The
+.Fn SHA3_256Update
+function adds
+.Fa data
+of length
+.Fa len
+to the SHA3_CTX specified by
+.Fa context .
+.Fn SHA3_256Final
+is called when all data has been added via
+.Fn SHA3_256Update
+and stores a message digest in the
+.Fa digest
+parameter.
+.Pp
+The
+.Fn SHA3_256End
+function is a front end for
+.Fn SHA3_256Final
+which converts the digest into an
+.Tn ASCII
+representation of the digest in hexadecimal.
+.Pp
+The
+.Fn SHA3_256File
+function calculates the digest for a file and returns the result via
+.Fn SHA3_256End .
+If
+.Fn SHA3_256File
+is unable to open the file, a
+.Dv NULL
+pointer is returned.
+.Pp
+.Fn SHA3_256FileChunk
+behaves like
+.Fn SHA3_256File
+but calculates the digest only for that portion of the file starting at
+.Fa offset
+and continuing for
+.Fa length
+bytes or until end of file is reached, whichever comes first.
+A zero
+.Fa length
+can be specified to read until end of file.
+A negative
+.Fa length
+or
+.Fa offset
+will be ignored.
+.Pp
+The
+.Fn SHA3_256Data
+function
+calculates the digest of an arbitrary string and returns the result via
+.Fn SHA3_256End .
+.Pp
+For each of the
+.Fn SHA3_256End ,
+.Fn SHA3_256File ,
+.Fn SHA3_256FileChunk ,
+and
+.Fn SHA3_256Data
+functions the
+.Fa buf
+parameter should either be a string large enough to hold the resulting digest
+(e.g.\&
+.Dv SHA3_224_DIGEST_STRING_LENGTH ,
+.Dv SHA3_256_DIGEST_STRING_LENGTH ,
+.Dv SHA3_384_DIGEST_STRING_LENGTH ,
+.Dv SHA3_512_DIGEST_STRING_LENGTH ,
+or
+.Dv SHA3_512_256_DIGEST_STRING_LENGTH ,
+depending on the function being used)
+or a
+.Dv NULL
+pointer.
+In the latter case, space will be dynamically allocated via
+.Xr malloc 3
+and should be freed using
+.Xr free 3
+when it is no longer needed.
+.Sh EXAMPLES
+The following code fragment will calculate the SHA3-256 digest for the string
+.Qq abc ,
+which is
+.Dq 0x3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532 .
+.Bd -literal -offset indent
+SHA3_CTX ctx;
+u_int8_t results[SHA3_256_DIGEST_LENGTH];
+char *buf;
+int n;
+
+buf = "abc";
+n = strlen(buf);
+SHA3_256Init(&ctx);
+SHA3_256Update(&ctx, (u_int8_t *)buf, n);
+SHA3_256Final(results, &ctx);
+
+/* Print the digest as one long hex value */
+printf("0x");
+for (n = 0; n \*(Lt SHA3_256_DIGEST_LENGTH; n++)
+   printf("%02x", results[n]);
+putchar('\en');
+.Ed
+.Pp
+Alternately, the helper functions could be used in the following way:
+.Bd -literal -offset indent
+u_int8_t output[SHA3_256_DIGEST_STRING_LENGTH];
+char *buf = "abc";
+
+printf("0x%s\en", SHA3_256Data(buf, strlen(buf), output));
+.Ed
+.Sh SEE ALSO
+.Xr cksum 1 ,
+.Xr md5 3 ,
+.Xr rmd160 3 ,
+.Xr sha1 3 ,
+.Xr sha2 3
+.Rs
+.%T SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
+.%O FIPS PUB 202
+.Re
+.Pp
+The
+.Fn SHA3_256End ,
+.Fn SHA3_256File ,
+.Fn SHA3_256FileChunk ,
+and
+.Fn SHA3_256Data
+helper functions are derived from code written by
+.An Poul-Henning Kamp .
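Review bot: the buffer-size list in the buf paragraph names SHA3_512_256_DIGEST_STRING_LENGTH, but the DESCRIPTION says there are four families and lists only the 224, 256, 384 and 512-bit versions; no 512/256 variant is documented anywhere else in the text. It looks like a leftover from the sha2(3) page this was modelled on. Drop the constant from the list, or document the variant if the library really provides it.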
Index: lib/libc/hash/sha3.c
===
RCS file: lib/libc/hash/sha3.c
diff -N lib/libc/hash/sha3.c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ lib/libc/hash/sha3.c11 Jan 2018 09:04:18 -
@@ -0,0 +1,761 @@
+/*
+ * Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+ * Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+ * denoted as "the implementer".
+ * 
+ * For more information, feedback or questions, please refer to our websites:
+ * http://keccak.noekeon.org/
+ * http://keyak.noekeon.org/
+ * http://ketje.noekeon.org/
+ * 
+ * Adaptation to OpenBSD in 2017/18 by
+ * Stefan-Lukas Gazdag, Alexander von Gernler and Daniel Loebenberger
+ * https://www.genua.de/
+ * also denoted as "the implementer"
+ * 
+ * To the extent possible under law, the implementer has waived all copyright
+ * and related or neighboring rights to the source code in this file.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+typedef unsigned long long tKeccakLane;
+
+#define SHA3_NRROUNDS 24
+#define SHA3_NRLANES 25
+#define SHA3_DELIMITER 0x06
+
+#define index(x, y) (((x)
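Review bot: typedef unsigned long long tKeccakLane near the top of sha3.c only guarantees a type of at least 64 bits, while a lane of the 1600-bit Keccak state is exactly 64 bits wide. Using uint64_t from stdint.h states that requirement in the type and keeps rotations and the byte-wise state access correct on any platform where unsigned long long is wider.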

Re: Basic SHA3 support

2018-01-10 Thread Daniel Loebenberger
+The
+.Fn SHA3_256Init
+function initializes a SHA3_CTX
+.Fa context
+for use with
+.Fn SHA3_256Update
+and
+.Fn SHA3_256Final .
+The
+.Fn SHA3_256Update
+function adds
+.Fa data
+of length
+.Fa len
+to the SHA3_CTX specified by
+.Fa context .
+.Fn SHA3_256Final
+is called when all data has been added via
+.Fn SHA3_256Update
+and stores a message digest in the
+.Fa digest
+parameter.
+.Pp
+The
+.Fn SHA3_256End
+function is a front end for
+.Fn SHA3_256Final
+which converts the digest into an
+.Tn ASCII
+representation of the digest in hexadecimal.
+.Pp
+The
+.Fn SHA3_256File
+function calculates the digest for a file and returns the result via
+.Fn SHA3_256End .
+If
+.Fn SHA3_256File
+is unable to open the file, a
+.Dv NULL
+pointer is returned.
+.Pp
+.Fn SHA3_256FileChunk
+behaves like
+.Fn SHA3_256File
+but calculates the digest only for that portion of the file starting at
+.Fa offset
+and continuing for
+.Fa length
+bytes or until end of file is reached, whichever comes first.
+A zero
+.Fa length
+can be specified to read until end of file.
+A negative
+.Fa length
+or
+.Fa offset
+will be ignored.
+.Pp
+The
+.Fn SHA3_256Data
+function
+calculates the digest of an arbitrary string and returns the result via
+.Fn SHA3_256End .
+.Pp
+For each of the
+.Fn SHA3_256End ,
+.Fn SHA3_256File ,
+.Fn SHA3_256FileChunk ,
+and
+.Fn SHA3_256Data
+functions the
+.Fa buf
+parameter should either be a string large enough to hold the resulting digest
+(e.g.\&
+.Dv SHA3_224_DIGEST_STRING_LENGTH ,
+.Dv SHA3_256_DIGEST_STRING_LENGTH ,
+.Dv SHA3_384_DIGEST_STRING_LENGTH ,
+.Dv SHA3_512_DIGEST_STRING_LENGTH ,
+or
+.Dv SHA3_512_256_DIGEST_STRING_LENGTH ,
+depending on the function being used)
+or a
+.Dv NULL
+pointer.
+In the latter case, space will be dynamically allocated via
+.Xr malloc 3
+and should be freed using
+.Xr free 3
+when it is no longer needed.
+.Sh EXAMPLES
+The following code fragment will calculate the SHA3-256 digest for the string
+.Qq abc ,
+which is
+.Dq 0x3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532 .
+.Bd -literal -offset indent
+SHA3_CTX ctx;
+u_int8_t results[SHA3_256_DIGEST_LENGTH];
+char *buf;
+int n;
+
+buf = "abc";
+n = strlen(buf);
+SHA3_256Init(&ctx);
+SHA3_256Update(&ctx, (u_int8_t *)buf, n);
+SHA3_256Final(results, &ctx);
+
+/* Print the digest as one long hex value */
+printf("0x");
+for (n = 0; n \*(Lt SHA3_256_DIGEST_LENGTH; n++)
+   printf("%02x", results[n]);
+putchar('\en');
+.Ed
+.Pp
+Alternately, the helper functions could be used in the following way:
+.Bd -literal -offset indent
+u_int8_t output[SHA3_256_DIGEST_STRING_LENGTH];
+char *buf = "abc";
+
+printf("0x%s\en", SHA3_256Data(buf, strlen(buf), output));
+.Ed
+.Sh SEE ALSO
+.Xr cksum 1 ,
+.Xr md5 3 ,
+.Xr rmd160 3 ,
+.Xr sha1 3 ,
+.Xr sha2 3
+.Rs
+.%T SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
+.%O FIPS PUB 202
+.Re
+.Pp
+The
+.Fn SHA3_256End ,
+.Fn SHA3_256File ,
+.Fn SHA3_256FileChunk ,
+and
+.Fn SHA3_256Data
+helper functions are derived from code written by
+.An Poul-Henning Kamp .
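Review bot: in the second EXAMPLES fragment, output is declared as u_int8_t output[SHA3_256_DIGEST_STRING_LENGTH] but is passed as the buf argument, which the text above describes as a string, and the result is printed with %s. Declare it as char output[SHA3_256_DIGEST_STRING_LENGTH] so the example matches the documented parameter and does not provoke pointer-sign warnings. Separately, the closing paragraph crediting Poul-Henning Kamp follows the .Re inside SEE ALSO; it should sit under its own .Sh HISTORY or .Sh AUTHORS heading.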
Index: lib/libc/hash/sha3.c
===
RCS file: lib/libc/hash/sha3.c
diff -N lib/libc/hash/sha3.c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ lib/libc/hash/sha3.c10 Jan 2018 13:44:01 -
@@ -0,0 +1,761 @@
+/*
+ * Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+ * Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+ * denoted as "the implementer".
+ * 
+ * For more information, feedback or questions, please refer to our websites:
+ * http://keccak.noekeon.org/
+ * http://keyak.noekeon.org/
+ * http://ketje.noekeon.org/
+ * 
+ * Adaptation to OpenBSD in 2017/18 by
+ * Stefan-Lukas Gazdag, Alexander von Gernler and Daniel Loebenberger
+ * https://www.genua.de/
+ * also denoted as "the implementer"
+ * 
+ * To the extent possible under law, the implementer has waived all copyright
+ * and related or neighboring rights to the source code in this file.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+typedef unsigned long long tKeccakLane;
+
+#define SHA3_NRROUNDS 24
+#define SHA3_NRLANES 25
+#define SHA3_DELIMITER 0x06
+
+#define index(x, y) (((x)%5)+5*((y)%5))
+
+const tKeccakLane KeccakRoundConstants[SHA3_NRROUNDS] =
+{
+   0x0001,
+   0x8082,
+   0x8000808a,
+   0x800080008000,
+   0x808b,
+   0x8001,
+   0x800080008081,
+   0x80008009,
+   0x008a,
+   0x0088,
+   0x80008009,
+   0x800a,
+   0x8000808b,
+   0x808b,
+   0x80008089,
+   0x80008003,
+   0x80008002,
+   0x8080,
+ 
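Review bot: #define index(x, y) reuses the name of the index(3) function from strings.h, and because both take two arguments any later call to that function in this file would be rewritten by the macro without a diagnostic. Give the macro a file-specific name (for example KECCAK_INDEX). KeccakRoundConstants is also defined without static, which puts a generically named data symbol into libc's global namespace; make it static const.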

Basic SHA3 support

2018-01-09 Thread Daniel Loebenberger
Hi everyone,

enclosed you find a patch to add basic SHA3-/Keccak support to OpenBSD.

Changes have been made to libc, and a suite of sha3 checksum tools
were added (sha3-224, sha3-256, sha3-384, sha3-512), extending the
existing md5(1) checksum tool.

The SHA3 implementation itself was taken from the reference code written
by the Keccak Team (https://keccak.team/) which is available under public
domain (CC0).

We'd be happy to see this in OpenBSD and appreciate any comments.

Best regards,
Daniel, Stefan and Alexander

--
Dr. Daniel Loebenberger
Evaluation & Research

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei München
Tel. +49 89 991950-0, Fax -999, www.genua.de
Managing directors: Matthias Ochs, Marc Tesch. Amtsgericht München
HRB 98238.
genua GmbH is a company of the Bundesdruckerei Group.


Index: bin/md5/Makefile
===
RCS file: /cvs/src/bin/md5/Makefile,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 Makefile
--- bin/md5/Makefile30 Mar 2016 06:38:40 -  1.15
+++ bin/md5/Makefile9 Jan 2018 15:17:20 -
@@ -2,13 +2,20 @@
 
 PROG=  md5
 SRCS=  crc.c md5.c
-MAN=   cksum.1 md5.1
+
 LINKS= ${BINDIR}/md5 ${BINDIR}/sha1 \
+   ${BINDIR}/md5 ${BINDIR}/sha224 \
${BINDIR}/md5 ${BINDIR}/sha256 \
+   ${BINDIR}/md5 ${BINDIR}/sha384 \
${BINDIR}/md5 ${BINDIR}/sha512 \
+   ${BINDIR}/md5 ${BINDIR}/sha3-224 \
+   ${BINDIR}/md5 ${BINDIR}/sha3-256 \
+   ${BINDIR}/md5 ${BINDIR}/sha3-384 \
+   ${BINDIR}/md5 ${BINDIR}/sha3-512 \
${BINDIR}/md5 ${BINDIR}/cksum
 
-CPPFLAGS+= -I${.CURDIR}
+CPPFLAGS+=-I${.CURDIR}
+
 COPTS+=-Wall -Wconversion -Wmissing-prototypes
 
 .include 
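Review bot: the MAN= cksum.1 md5.1 line is deleted and replaced by an empty line, and nothing in the hunk re-adds it, so the manual pages are no longer named in the Makefile even though md5.1 is updated by this same patch; restore the line. The hunk also adds sha224 and sha384 links and changes the spacing of CPPFLAGS+=, neither of which belongs to SHA3 support, and the md5.1 NAME section in this patch does not list sha224 or sha384. Move those changes to a separate diff or drop them.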
Index: bin/md5/md5.1
===
RCS file: /cvs/src/bin/md5/md5.1,v
retrieving revision 1.47
diff -u -p -u -p -r1.47 md5.1
--- bin/md5/md5.1   23 Feb 2017 20:46:08 -  1.47
+++ bin/md5/md5.1   9 Jan 2018 15:17:20 -
@@ -18,14 +18,18 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd $Mdocdate: February 23 2017 $
+.Dd $Mdocdate: January 9 2018 $
 .Dt MD5 1
 .Os
 .Sh NAME
 .Nm md5 ,
 .Nm sha1 ,
 .Nm sha256 ,
-.Nm sha512
+.Nm sha512 ,
+.Nm sha3-224 ,
+.Nm sha3-256 ,
+.Nm sha3-384 ,
+.Nm sha3-512
 .Nd calculate a message digest (checksum) for a file
 .Sh SYNOPSIS
 .Nm md5
@@ -52,6 +56,30 @@
 .Op Fl h Ar hashfile
 .Op Fl s Ar string
 .Op Ar
+.Nm sha3-224
+.Op Fl bcpqrtx
+.Op Fl C Ar checklist
+.Op Fl h Ar hashfile
+.Op Fl s Ar string
+.Op Ar
+.Nm sha3-256
+.Op Fl bcpqrtx
+.Op Fl C Ar checklist
+.Op Fl h Ar hashfile
+.Op Fl s Ar string
+.Op Ar
+.Nm sha3-384
+.Op Fl bcpqrtx
+.Op Fl C Ar checklist
+.Op Fl h Ar hashfile
+.Op Fl s Ar string
+.Op Ar
+.Nm sha3-512
+.Op Fl bcpqrtx
+.Op Fl C Ar checklist
+.Op Fl h Ar hashfile
+.Op Fl s Ar string
+.Op Ar
 .Sh DESCRIPTION
 These utilities take as input a message of arbitrary length and produce
 as output a message digest (checksum) of the input.
@@ -136,7 +164,13 @@ and \*(Gt0 if an error occurs.
 .%R RFC 3174
 .%T US Secure Hash Algorithm 1 (SHA1)
 .Re
+.Pp
 .Rs
 .%T Secure Hash Standard
 .%O FIPS PUB 180-2
+.Re
+.Pp
+.Rs
+.%T SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
+.%O FIPS PUB 202
 .Re
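Review bot: the added .Pp lines between the .Re/.Rs pairs in SEE ALSO are a style change unrelated to SHA3; the existing boundary between the RFC 3174 and FIPS PUB 180-2 entries had none. Add only the new .Rs block for FIPS PUB 202 and leave the spacing of the existing references as it was.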
Index: bin/md5/md5.c
===
RCS file: /cvs/src/bin/md5/md5.c,v
retrieving revision 1.92
diff -u -p -u -p -r1.92 md5.c
--- bin/md5/md5.c   11 Sep 2017 16:35:38 -  1.92
+++ bin/md5/md5.c   9 Jan 2018 15:17:20 -
@@ -42,6 +42,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #define STYLE_MD5  0
@@ -61,6 +62,7 @@ union ANY_CTX {
SHA1_CTX sha1;
 #endif /* !defined(SHA2_ONLY) */
SHA2_CTX sha2;
+   SHA3_CTX sha3;
 };
 
 struct hash_function {
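Review bot: SHA3_CTX sha3 is added to union ANY_CTX after the #endif /* !defined(SHA2_ONLY) */, so it is compiled into SHA2_ONLY builds too, which by their name are meant to carry SHA2 alone. Guard the member, and the matching hash_function entries, so the reduced build does not pull in the SHA3 code, or say in the commit message why it should.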
@@ -177,6 +179,50 @@ struct hash_function {
(void (*)(void *, const unsigned char *, size_t))SHA512Update,
(void (*)(unsigned char *, void *))SHA512Final,
(char *(*)(void *, char *))SHA512End
+   },
+   {
+   "SHA3-224",
+   SHA3_224_DIGEST_LENGTH,
+   STYLE_MD5,
+   0,
+   NULL,
+   (void (*)(void *))SHA3_224Init,
+   (void (*)(void *, const unsigned char *, size_t))SHA3_Update,
+   (void (*)(unsigned char *, void *))SHA3_Final,
+   (char *(*)(void *, char *))SHA3_224End
+   },
+   {
+   "SHA3-256",
+   SHA3_256_DIGEST_LENGTH,
+   STYLE_MD5,
+   0,
+   NULL,
+   (void (*)(void *))SHA3_256Init,
+   (void (*)(void *, const unsigned char *, size_t))SHA3_Update,
+   (void (*)(unsigned char *, void *))SHA3_Final,
+
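Review bot: the new table entries pass SHA3_Update and SHA3_Final for every digest size, but the sha3 manual page text posted in this thread documents only SHA3_256Update and SHA3_256Final and says the other sizes share that interface. Either export per-size names that match the documentation or document the generic SHA3_Update and SHA3_Final. Since one SHA3_Final serves all four sizes, the page should also state that the output length is taken from the context set up by the size-specific Init.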