Sat, 28 Mar 2020 at 11:30, Kinichiro Inoguchi <kinichiro.inogu...@gmail.com>: > > Hi, > > I have 3 questions, > - parameter set values for Twisted Edwards > - description in _ec_list_element_st > - naming about object identifier > > details are described below. > > > On Thu, Mar 26, 2020 at 09:25:57PM +0300, dbarysh...@gmail.com wrote: > > From: Dmitry Baryshkov <dbarysh...@gmail.com> > > > > Add support for GOST curves defined by RFC 7836 and > > draft-deremin-rfc4491-bis. Add aliases for 256-bit GOST curves (see > > draft-smyshlyaev-tls12-gost-suites). > > > > Sponsored by ROSA Linux. > > > > Signed-off-by: Dmitry Baryshkov <dbarysh...@gmail.com> > > --- > > src/lib/libcrypto/ec/ec_curve.c | 158 +++++++++++++++++++++++++- > > src/lib/libcrypto/objects/obj_mac.num | 6 + > > src/lib/libcrypto/objects/objects.txt | 10 +- > > 3 files changed, 168 insertions(+), 6 deletions(-) > > > > diff --git a/src/lib/libcrypto/ec/ec_curve.c > > b/src/lib/libcrypto/ec/ec_curve.c > > index e075b1ed3ea5..a1bc88ee2cc6 100644 > > --- a/src/lib/libcrypto/ec/ec_curve.c > > +++ b/src/lib/libcrypto/ec/ec_curve.c 
> > @@ -2900,11 +2900,101 @@ static const struct { > > } > > }; > > > > +static const struct { > > + EC_CURVE_DATA h; > > + unsigned char data[0 + 32 * 6]; > > +} > > + _EC_GOST_2012_256_TC26_A = { > > + { > > + NID_X9_62_prime_field, 0, 32, 1 > > + }, > > + { /* no seed */ > > + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, > > /* p */ > > + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, > > + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, > > + 0xFD, 0x97, > > + 0xc2, 0x17, 0x3f, 0x15, 0x13, 0x98, 0x16, 0x73, 0xaf, 0x48, > > /* a */ > > + 0x92, 0xc2, 0x30, 0x35, 0xa2, 0x7c, 0xe2, 0x5e, 0x20, 0x13, > > + 0xbf, 0x95, 0xaa, 0x33, 0xb2, 0x2c, 0x65, 0x6f, 0x27, 0x7e, > > + 0x73, 0x35, > > + 0x29, 0x5f, 0x9b, 0xae, 0x74, 0x28, 0xed, 0x9c, 0xcc, 0x20, > > /* b */ > > + 0xe7, 0xc3, 0x59, 0xa9, 0xd4, 0x1a, 0x22, 0xfc, 0xcd, 0x91, > > + 0x08, 0xe1, 0x7b, 0xf7, 0xba, 0x93, 0x37, 0xa6, 0xf8, 0xae, > > + 0x95, 0x13, > > + 0x91, 0xe3, 0x84, 0x43, 0xa5, 0xe8, 0x2c, 0x0d, 0x88, 0x09, > > /* x */ > > + 0x23, 0x42, 0x57, 0x12, 0xb2, 0xbb, 0x65, 0x8b, 0x91, 0x96, > > + 0x93, 0x2e, 0x02, 0xc7, 0x8b, 0x25, 0x82, 0xfe, 0x74, 0x2d, > > + 0xaa, 0x28, > > + 0x32, 0x87, 0x94, 0x23, 0xab, 0x1a, 0x03, 0x75, 0x89, 0x57, > > /* y */ > > + 0x86, 0xc4, 0xbb, 0x46, 0xe9, 0x56, 0x5f, 0xde, 0x0b, 0x53, > > + 0x44, 0x76, 0x67, 0x40, 0xaf, 0x26, 0x8a, 0xdb, 0x32, 0x32, > > + 0x2e, 0x5c, > > + 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > > /* order */ > > + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0xd8, 0xcd, 0xdf, > > + 0xc8, 0x7b, 0x66, 0x35, 0xc1, 0x15, 0xaf, 0x55, 0x6c, 0x36, > > + 0x0c, 0x67, > > + } > > +}; > > + > > > This diff adds * below, and 2 Twisted Edwards one misses m,e,d,u,v. > Is this as you expected for now ? 
> > Canonical: > *id-tc26-gost-3410-2012-512-paramSetTest order = m = q > id-tc26-gost-3410-2012-512-paramSetA order = m = q > id-tc26-gost-3410-2012-512-paramSetB order = m = q > > Twisted Edwards: > *id-tc26-gost-3410-2012-512-paramSetC order = q, misses m,e,d,u,v > *id-tc26-gost-3410-2012-256-paramSetA order = q, misses m,e,d,u,v
This is expected. These curves are defined in Weierstrass form (a, b, x, y) and in the birationally equivalent Twisted Edwards form (e, d, u, v). One can perform calculations in any of these forms. In this RFC m is the order of the whole curve, q is the order of the subgroup. Version 2 of the patch will fix cofactors. > > #endif > > > > typedef struct _ec_list_element_st { 
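Review bot: the trailing 1 in the `NID_X9_62_prime_field, 0, 32, 1` initializer of `_EC_GOST_2012_256_TC26_A` is the EC_CURVE_DATA cofactor, but the order stored in the data array is q (the subgroup order), and the thread itself notes that for this Twisted Edwards parameter set m != q. With cofactor 1 the group advertises m = q, so `EC_GROUP_get_cofactor` and any cofactor-based point validation built on it give a silently wrong answer; the announced v2 fix should set this field to m/q here and in the 512-bit paramSetC data not shown in this excerpt. A comment naming the RFC 7836 parameter set next to the struct would also let reviewers match the 192 data bytes against the published values without guessing.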
> > @@ -3147,8 +3291,14 @@ static const ec_list_element curve_list[] = { > > {NID_id_GostR3410_2001_CryptoPro_C_ParamSet, > > &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-C"}, > > {NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, > > &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2001 CryptoPro-XchA"}, > > {NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, > > &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-XchB"}, > > - {NID_id_tc26_gost_3410_2012_512_paramSetA, &_EC_GOST_2012_TC26_A.h, > > 0, "GOST R 34.10-2012 TC26-A"}, > > - {NID_id_tc26_gost_3410_2012_512_paramSetB, &_EC_GOST_2012_TC26_B.h, > > 0, "GOST R 34.10-2012 TC26-B"}, > > + {NID_id_tc26_gost_3410_2012_256_paramSetA, > > &_EC_GOST_2012_256_TC26_A.h, 0, "GOST R 34.10-2012 256 TC26-A"}, > > + {NID_id_tc26_gost_3410_2012_256_paramSetB, > > &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2001 512 TC26-B"}, > > + {NID_id_tc26_gost_3410_2012_256_paramSetC, > > &_EC_GOST_2001_CryptoPro_B.h, 0, "GOST R 34.10-2001 512 TC26-C"}, > > + {NID_id_tc26_gost_3410_2012_256_paramSetD, > > &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2012 512 TC26-D"}, > > > Are the 4th parameters above respectively > "GOST R 34.10-2012 256 TC26-B"? > "GOST R 34.10-2012 256 TC26-C"? > "GOST R 34.10-2012 256 TC26-D"? Yes. C&P error. Fixing now. > > + {NID_id_tc26_gost_3410_2012_512_paramSetTest, > > &_EC_GOST_2012_512_Test.h, 0, "GOST R 34.10-2012 512 Test Curve"}, > > + {NID_id_tc26_gost_3410_2012_512_paramSetA, > > &_EC_GOST_2012_512_TC26_A.h, 0, "GOST R 34.10-2012 512 TC26-A"}, > > + {NID_id_tc26_gost_3410_2012_512_paramSetB, > > &_EC_GOST_2012_512_TC26_B.h, 0, "GOST R 34.10-2012 512 TC26-B"}, > > + {NID_id_tc26_gost_3410_2012_512_paramSetC, > > &_EC_GOST_2012_512_TC26_C.h, 0, "GOST R 34.10-2012 512 TC26-C"}, > > #endif > > }; > > > > diff --git a/src/lib/libcrypto/objects/obj_mac.num > > b/src/lib/libcrypto/objects/obj_mac.num > > index 8405ba5e319b..a7cfe548d6bd 100644 
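Review bot: besides the description strings for the 256-bit paramSetB/C/D entries that Kinichiro flagged ("GOST R 34.10-2001 512 TC26-B" and friends for NIDs that are 256-bit 2012 sets), this hunk also renames the existing 512-bit paramSetA/B descriptions from "GOST R 34.10-2012 TC26-A" to "GOST R 34.10-2012 512 TC26-A"; that string is the comment returned through EC_get_builtin_curves, so the rename is user-visible and deserves a sentence in the commit message. The paramSetB/C/D entries intentionally point at `_EC_GOST_2001_CryptoPro_A/B/C` data, which is right for aliases but looks like another copy-and-paste slip next to the wrong strings; a one-line comment saying these are the draft-smyshlyaev-tls12-gost-suites aliases would stop a later cleanup from "fixing" them.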
> > --- a/src/lib/libcrypto/objects/obj_mac.num > > +++ b/src/lib/libcrypto/objects/obj_mac.num > > @@ -990,3 +990,9 @@ dhSinglePass_cofactorDH_sha512kdf_scheme 989 > > dh_std_kdf 990 > > dh_cofactor_kdf 991 > > pSpecified 992 > > +id_tc26_gost_3410_2012_256_paramSetA 993 > > +id_tc26_gost_3410_2012_256_paramSetB 994 > > +id_tc26_gost_3410_2012_256_paramSetC 995 > > +id_tc26_gost_3410_2012_256_paramSetD 996 > > +id_tc26_gost_3410_2012_512_paramSetTest 997 > > +id_tc26_gost_3410_2012_512_paramSetC 998 > > diff --git a/src/lib/libcrypto/objects/objects.txt > > b/src/lib/libcrypto/objects/objects.txt > > index ea7700724f00..e097c50e696b 100644 > > --- a/src/lib/libcrypto/objects/objects.txt > > +++ b/src/lib/libcrypto/objects/objects.txt 
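Review bot: the six new NIDs 993-998 are assigned here under the -2012- spellings, but the discussion that follows settles on renaming the identifiers to -12- to match the TC26 registry; when that rename happens, obj_mac.num, objects.txt and the generated obj_mac.h/obj_dat.h need to be regenerated together, and the numbers 993-998 should stay as assigned, since NID values become part of the library's public ABI once released. It is also worth stating in the commit message that the existing 512-bit paramSetA/B NIDs are deliberately not re-added here, consistent with Dmitry's remark that only their long names are new.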
> > @@ -1372,8 +1372,14 @@ member-body 643 7 1 : tc26 > > tc26 1 2 2 : streebog256 : GOST R 34.11-2012 (256 bit) > > !Cname id-tc26-gost3411-2012-512 > > tc26 1 2 3 : streebog512 : GOST R 34-11-2012 (512 bit) > > -tc26 2 1 2 1 : id-tc26-gost-3410-2012-512-paramSetA > > -tc26 2 1 2 2 : id-tc26-gost-3410-2012-512-paramSetB > > +tc26 2 1 1 1 : id-tc26-gost-3410-2012-256-paramSetA : GOST R > > 34.10-2012 (256 bit) ParamSet A > > +tc26 2 1 1 2 : id-tc26-gost-3410-2012-256-paramSetB : GOST R > > 34.10-2012 (256 bit) ParamSet B > > +tc26 2 1 1 3 : id-tc26-gost-3410-2012-256-paramSetC : GOST R > > 34.10-2012 (256 bit) ParamSet C > > +tc26 2 1 1 4 : id-tc26-gost-3410-2012-256-paramSetD : GOST R > > 34.10-2012 (256 bit) ParamSet D > > +tc26 2 1 2 0 : id-tc26-gost-3410-2012-512-paramSetTest : GOST R > > 34.10-2012 (512 bit) testing parameter set > > +tc26 2 1 2 1 : id-tc26-gost-3410-2012-512-paramSetA : GOST R > > 34.10-2012 (512 bit) ParamSet A > > +tc26 2 1 2 2 : id-tc26-gost-3410-2012-512-paramSetB : GOST R > > 34.10-2012 (512 bit) ParamSet B > > > These 2 are added in obj_mac.num and objects.txt (-2012-). > id-tc26-gost-3410-2012-512-paramSetA > id-tc26-gost-3410-2012-512-paramSetB These two are already present in LibreSSL's sources, I've just added LNs. They were added a long time ago, when there was a discrepancy over whether -2012- or -12- should be used. > But in RFC7836 these 2 parameter set object identifiers are described (-12-), > id-tc26-gost-3410-12-512-paramSetA > id-tc26-gost-3410-12-512-paramSetB > > Is -2012- right? > I thought this diff would be right and the RFC should be fixed. I have followed OpenSSL's lead here (they use -2012-). The registry uses -12- however (see https://tc26.ru/about/protsedury-i-reglamenty/identifikatory-obektov-oid-tekhnicheskogo-komiteta-po-standartizatsii-kriptograficheskaya-zashchita-1.html). I'll change all of them to -12-. 
> > +tc26 2 1 2 3 : id-tc26-gost-3410-2012-512-paramSetC : GOST R > > 34.10-2012 (512 bit) ParamSet C > > tc26 2 5 1 1 : id-tc26-gost-28147-param-Z > > tc26 1 1 1 : id-tc26-gost3410-2012-256 : GOST R 34.10-2012 (256 > > bit) > > tc26 1 1 2 : id-tc26-gost3410-2012-512 : GOST R 34.10-2012 (512 > > bit) -- With best wishes Dmitry
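Review bot: the long names added for the pre-existing `id-tc26-gost-3410-2012-512-paramSetA/B` entries close a real gap, but the agreed switch to the -12- spelling also changes their short names and therefore the generated `NID_id_tc26_gost_3410_2012_512_paramSetA/B` macros that external code may already reference; keeping the old macro names as compatibility aliases, or at least calling the rename out in the commit message, avoids a silent build break for consumers. Two smaller points: the new "testing parameter set" description does not follow the "ParamSet X" pattern of its neighbours, and the untouched context line for streebog512 reads "GOST R 34-11-2012" where the line above it uses "34.11-2012", an easy drive-by fix while this block is being edited.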
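As an added check on the parameter set values debated above (example code, not part of the patch or of LibreSSL), the following Python takes the p, a, b, x, y and order bytes from the `_EC_GOST_2012_256_TC26_A` hunk, confirms that the base point lies on the Weierstrass curve and has order q, and derives the cofactor m/q from the Hasse bound, which is the value the EC_CURVE_DATA field currently set to 1 should carry. It assumes Python 3.8+ for `pow(x, -1, p)` and `math.isqrt`.

```python
from math import isqrt

# Transcribed from the _EC_GOST_2012_256_TC26_A initializer above: p, a, b, x, y, order (32 bytes each).
P = int("FF" * 30 + "FD97", 16)
A = int("c2173f1513981673af4892c23035a27ce25e2013bf95aa33b22c656f277e7335", 16)
B = int("295f9bae7428ed9ccc20e7c359a9d41a22fccd9108e17bf7ba9337a6f8ae9513", 16)
GX = int("91e38443a5e82c0d880923425712b2bb658b9196932e02c78b2582fe742daa28", 16)
GY = int("32879423ab1a0375895786c4bb46e9565fde0b5344766740af268adb32322e5c", 16)
Q = int("400000000000000000000000000000000fd8cddfc87b6635c115af556c360c67", 16)

def on_curve(x, y):
    """y^2 == x^3 + a*x + b (mod p): the Weierstrass form the struct stores."""
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine short-Weierstrass addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; parameter checking only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def generator_has_order_q():
    """q*G must be the point at infinity, and G must not be a tiny-order point."""
    return ec_mul(Q, (GX, GY)) is None and ec_mul(2, (GX, GY)) is not None

def cofactor_from_hasse():
    """m = h*q must lie in [p+1-2*sqrt(p), p+1+2*sqrt(p)]; return h, or None if no h fits."""
    h = (P + 1 + Q // 2) // Q  # multiple of q nearest to p+1
    return h if abs(h * Q - (P + 1)) <= 2 * isqrt(P) else None
```

A cofactor other than 1 from `cofactor_from_hasse()` is exactly the discrepancy the thread agrees to fix in v2 of the patch.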