From: Niels Möller Date: Mon, 20 Jan 2014 20:12:36 +0000 (+0100) Subject: Merge branch 'poly1305' into 'master'. X-Git-Tag: nettle_3.0_release_20140607~170 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=563df21b3eba6d7c5878de1efe1aeab10c48bb2f;p=thirdparty%2Fnettle.git Merge branch 'poly1305' into 'master'. --- 563df21b3eba6d7c5878de1efe1aeab10c48bb2f diff --cc ChangeLog index a7f6c11d,57fff080..00620bf6 --- a/ChangeLog +++ b/ChangeLog @@@ -1,137 -1,131 +1,266 @@@ + 2014-01-20 Niels Möller + ++ Merged poly1305-changes (starting at 2013-11-08). + * x86_64/poly1305-internal.asm: Update to new interface. + poly1305_digest much simplified. + + * poly1305.h (struct poly1305_ctx): Moved block and index + fields... + (struct poly1305_aes_ctx): ... to here. + * asm.m4: Delete also from the assembly definition of struct + poly1305_ctx. + + * poly1305-internal.c (poly1305_digest): Don't do final padding + here, leave that to caller. Add digest to the provided nonce s, + and deleted length and dst arguments. Also reset h0-h4 to zero + when done. + (_poly1305_block): Renamed, from... + (poly1305_block): ...old name. + + * poly1305-aes.c (poly1305_aes_update): New function. + (poly1305_aes_digest): Update for poly1305_digest changes, do + final padding here. + + * poly1305.c (poly1305_update): Deleted file and function. Moved + to poly1305-aes.c. + * Makefile.in (nettle_SOURCES): Deleted poly1305.c. + + 2014-01-17 Niels Möller + + * poly1305-internal.c (poly1305_block): Additional argument with + the high bit. + (poly1305_block_internal): Deleted function, code moved into the + poly1305_block. + (poly1305_digest): Simplified padding code, call poly1305_block + with high bit 0. + * poly1305.h (poly1305_block): Update prototype. + * poly1305.c (poly1305_update): Call poly1305_block with high bit 1. + * x86_64/poly1305-internal.asm (poly1305_block): Handle new + argument. + + * poly1305.h (struct poly1305_ctx): Moved nonce field from here... 
+ (struct poly1305_aes_ctx): ... to here. + * poly1305-aes.c (poly1305_aes_set_nonce, poly1305_aes_digest): + Updated for above. + * poly1305.c (poly1305_set_nonce): Deleted function. + * asm.m4: Delete nonce also from the assembly definition of struct + poly1305_ctx. + + 2014-01-16 Niels Möller + + * poly1305-aes.c: Include poly1305.c. Rewrite functions without + using the POLY1305_* macros. + + * Makefile.in (HEADERS): Deleted poly1305-aes.h. + + * poly1305.h (POLY1305_CTX, POLY1305_SET_KEY, POLY1305_SET_NONCE) + (POLY1305_DIGEST): Deleted macros. Only implemented variant is + poly1305-aes. + (POLY1305_DIGEST_SIZE, POLY1305_BLOCK_SIZE, POLY1305_KEY_SIZE): + New constants. + (POLY1305_AES_KEY_SIZE, POLY1305_AES_DIGEST_SIZE): Moved here, + from poly1305-aes.h. + (struct poly1305_aes_ctx): Likewise. + (poly1305_aes_set_key, poly1305_aes_set_nonce) + (poly1305_aes_update, poly1305_aes_digest): Likewise. + * poly1305-aes.h: Deleted file, declarations moved to poly1305.h. + Update all users. + + * poly1305-internal.c (s2, s3, s4): Fixed macros. + + * poly1305-aes.h (struct poly1305_aes_ctx): Replace struct aes_ctx + by struct aes128_ctx. + * poly1305-aes.c (poly1305_aes_set_key, poly1305_aes_digest): + Update to use aes128_* functions. + * poly1305.h (POLY1305_SET_KEY): Drop key size argument when + calling set_key. + + 2013-12-19 Niels Möller + + * poly1305-aes.h (poly1305_aes_update): Define as an alias for + poly1305_update, using preprocessor and a type cast. + + * poly1305-aes.c (poly1305_aes_update): Deleted function. + + * poly1305.h (poly1305_update): Declare. + (_POLY1305_BLOCK, POLY1305_UPDATE): Deleted macros. + + * poly1305.c (poly1305_update): New function. + + 2013-11-21 Niels Möller + + * x86_64/poly1305-internal.asm: New file. Almost a factor of two + speedup. + + * configure.ac (asm_replace_list): Added poly1305-internal.asm. + + * asm.m4: Define struct ffsets for 64-bit poly1305_ctx. 
+ + * poly1305.h (POLY1305_DIGEST): Pass the encrypted nonce as an + additional argument to poly1305_digest. + (struct poly1305_ctx): Introduce unions, to support either 26-bit + or 64-bit implementation. + + * poly1305-internal.c (poly1305_digest): Added s argument. + + * poly1305.c (poly1305_set_s): Deleted function. + + 2013-11-12 Niels Möller + + * poly1305-internal.c: New file, for poly1305 functions depending + on the internal mod (2^130 - 5) representation. + (poly1305_block_internal): New helper function. + (poly1305_block, poly1305_digest): Use it. + + 2013-11-08 Nikos Mavrogiannopoulos + + * poly1305.h: New file. + * poly1305.c: New file. + * poly1305-aes.h: New file. + * poly1305-aes.c: New file. + * Makefile.in (nettle_SOURCES): Added poly1305-aes.c and poly1305.c. + (HEADERS): Added poly1305-aes.h and poly1305.h. + + * testsuite/poly1305-test.c: New file. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added poly1305-test.c. + + * examples/nettle-benchmark.c (time_poly1305_aes): New function. + (main): Benchmark poly1305. + +2014-01-20 Niels Möller + + * Makefile.in (nettle_SOURCES): Added salsa20-set-nonce.c, + salsa20-128-set-key.c, and salsa20-256-set-key.c. + + * salsa20.h: Declare new functions. + (SALSA20_128_KEY_SIZE, SALSA20_256_KEY_SIZE): New constants. + (salsa20_set_iv): Define as an alias for salsa20_set_nonce. + + * salsa20-set-key.c (salsa20_set_key): Use salsa20_128_set_key and + salsa20_256_set_key. + (salsa20_set_iv): Renamed and moved... + * salsa20-set-nonce.c (salsa20_set_nonce): ... new file, new name. + + * salsa20-256-set-key.c (salsa20_256_set_key): New file and + function. + * salsa20-128-set-key.c (salsa20_128_set_key): New file and + function. + +2014-01-13 Niels Möller + + * nettle-types.h (union nettle_block16): New type, replacing union + gcm_block. + * gcm.h (union gcm_block): Deleted. Replaced by nettle_block16. + * gcm.c: Replaced all use of gcm_block by nettle_block16. 
+ +2014-01-04 Niels Möller + + * config.guess: Updated to 2014-01-01 version, from + git://git.sv.gnu.org/config.git. + * config.sub: Likewise. + + * testsuite/memxor-test.c [HAVE_VALGRIND_MEMCHECK_H] (test_mark): + New function. + (test_memxor, test_memxor3): Use test_mark to tell valgrind the + start and end of src and destination areas. + + * configure.ac: Check for valgrind/memcheck.h. + + * testsuite/Makefile.in (VALGRIND): Added --partial-loads-ok=yes, + needed for the way unaligned data is handled in, e.g., memxor. + +2014-01-03 Niels Möller + + * shadata.c (main): Zero-pad output values to 8 hex digits. + * sha256.c (K): Updated table. + +2013-12-17 Niels Möller + + * configure.ac (ASM_RODATA): New substituted variable. Needed for + portability to darwin. + * config.m4.in: Define RODATA, using configure variable ASM_RODATA + * x86_64/gcm-hash8.asm: Use RODATA macro. + + * bignum-random-prime.c (_nettle_generate_pocklington_prime): Use + stronger variants of Pocklington's theorem, to allow p0 of size + down to bits/3. + +2013-12-15 Niels Möller + + * nettle-internal.h (NETTLE_MAX_BIGNUM_BITS) + (NETTLE_MAX_BIGNUM_SIZE): Deleted arbitrary limits. + +2013-12-15 Nikos Mavrogiannopoulos + + Introduced TMP_GMP_ALLOC macro for temporary allocations of + potentially large data, e.g, sized as an RSA key. + * gmp-glue.h (TMP_GMP_DECL, TMP_GMP_ALLOC, TMP_GMP_FREE): New + macros. + * gmp-glue.c (gmp_alloc, gmp_free): New functions. + * bignum-next-prime.c (nettle_next_prime): Use TMP_GMP_ALLOC. + * bignum-random.c (nettle_mpz_random_size): Likewise. + * pkcs1-decrypt.c (pkcs1_decrypt): Likewise. + * pkcs1-encrypt.c (pkcs1_encrypt): Likewise. + * pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): Likewise. + * pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode) + (pkcs1_rsa_sha512_encode_digest): Likewise. + * pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode) + (pkcs1_rsa_sha256_encode_digest): Likewise. 
+ * pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode) + (pkcs1_rsa_sha1_encode_digest): Likewise. + * pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode) + (pkcs1_rsa_md5_encode_digest): Likewise. + +2013-12-14 Niels Möller + + * x86_64/gcm-hash8.asm: Use .short rather than .hword, for + compatibility with apple's assembler. + +2013-12-03 Niels Möller + + * x86_64/sha1-compress.asm: Reorganized, to get closer to the x86 + version. No difference in running time. + + * configure.ac (dummy-dep-files): Don't overwrite any existing + dependency files. + + * x86_64/md5-compress.asm: New file, similar to the x86 version. + 35% speedup on AMD, 15% speedup on Intel. + +2013-11-25 Niels Möller + + * testsuite/dsa-test.c (test_main): Additional tests from NIST + test vectors. + + * testsuite/testutils.c (test_dsa_sign, test_dsa_verify): New + functions, supporting arbitrary digest size. + + * testsuite/testutils.h (ASSERT): Improved failure message. + + * dsa-verify.c (dsa_verify): Renamed, from _dsa_verify. + * dsa-sign.c (dsa_sign): Renamed, from _dsa_sign. + +2013-11-24 Niels Möller + + * testsuite/dsa-keygen-test.c (test_main): Test generating a + key with 224-bit q. + + * dsa-verify.c (_dsa_verify): Use _dsa_hash. + + * dsa-sign.c (_dsa_sign): Use _dsa_hash. Fix memory leak in + error case, spotted by Nikos. + + * dsa-keygen.c (dsa_generate_keypair): Allow q_bits == 224. + + * dsa-hash.c (_dsa_hash): New file and function. Allows digest + sizes not matching the bitsize of q. + * dsa.h (_dsa_hash): Declare it. + * Makefile.in (hogweed_SOURCES): Added dsa-hash.c. + +2013-11-23 Niels Möller + + * configure.ac: Check also for openssl/ecdsa.h. + 2013-10-05 Niels Möller * Makefile.in (nettle_SOURCES): Added eax.c. diff --cc poly1305.h index 00000000,359c8e32..8ba4c7cb mode 000000,100644..100644 --- a/poly1305.h +++ b/poly1305.h @@@ -1,0 -1,119 +1,120 @@@ + /* poly1305.h + * + * Poly1305 message authentication code. 
+ */ + + /* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Nikos Mavrogiannopoulos + * Copyright (C) 2013, 2014 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + + #ifndef NETTLE_POLY1305_H_INCLUDED + #define NETTLE_POLY1305_H_INCLUDED + + #include "aes.h" + + #ifdef __cplusplus + extern "C" { + #endif + + /* Name mangling */ + #define poly1305_set_key nettle_poly1305_set_key + #define poly1305_digest nettle_poly1305_digest + #define _poly1305_block _nettle_poly1305_block + + #define poly1305_aes_set_key nettle_poly1305_aes_set_key + #define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce + #define poly1305_aes_update nettle_poly1305_aes_update + #define poly1305_aes_digest nettle_poly1305_aes_digest + + /* Low level functions/macros for the poly1305 construction. */ + + #define POLY1305_DIGEST_SIZE 16 + #define POLY1305_BLOCK_SIZE 16 + #define POLY1305_KEY_SIZE 16 + + struct poly1305_ctx { + /* Key, 128-bit value and some cached multiples. */ + union + { + uint32_t r32[6]; + uint64_t r64[3]; + } r; + uint32_t s32[3]; + /* State, represented as words of 26, 32 or 64 bits, depending on + implementation. */ + /* High bits first, to maintain alignment. 
*/ + uint32_t hh; + union + { + uint32_t h32[4]; + uint64_t h64[2]; + } h; + }; + + /* Low-level internal interface. */ + void poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]); + /* Extracts digest, and adds it to s, the encrypted nonce. */ + void poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s); + /* Internal function. Process one block. */ + void _poly1305_block (struct poly1305_ctx *ctx, const uint8_t m[POLY1305_BLOCK_SIZE], + unsigned high); + + /* poly1305-aes */ + + #define POLY1305_AES_KEY_SIZE 32 + #define POLY1305_AES_DIGEST_SIZE 16 + #define POLY1305_AES_NONCE_SIZE 16 + + struct poly1305_aes_ctx + { + /* Keep aes context last, to make it possible to use a general + poly1305_update if other variants are added. */ + struct poly1305_ctx pctx; + uint8_t block[POLY1305_BLOCK_SIZE]; + unsigned index; + uint8_t nonce[POLY1305_BLOCK_SIZE]; + struct aes128_ctx aes; + }; + + /* Also initialize the nonce to zero. */ + void + poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key); + -/* Optional, if not used, messages get incrementing nonces starting from zero. */ ++/* Optional, if not used, messages get incrementing nonces starting ++ from zero. */ + void + poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, + const uint8_t *nonce); + + /* Update is not aes-specific, but since this is the only implemented + variant, we need no more general poly1305_update. */ + void + poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data); + + /* Also increments the nonce */ + void + poly1305_aes_digest (struct poly1305_aes_ctx *ctx, + size_t length, uint8_t *digest); + + #ifdef __cplusplus + } + #endif + + #endif /* NETTLE_POLY1305_H_INCLUDED */
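Review bot: two typos in the merged ChangeLog entries, and one constant left out of the log. In the 2013-11-21 entry, "Define struct ffsets for 64-bit poly1305_ctx" should read "struct offsets", and in the 2014-01-17 entry "code moved into the poly1305_block" has a stray "the". The 2014-01-16 entry lists only POLY1305_AES_KEY_SIZE and POLY1305_AES_DIGEST_SIZE as moved from poly1305-aes.h into poly1305.h, but the poly1305.h in this same merge also defines POLY1305_AES_NONCE_SIZE; add it to that entry (or to the 2014-01-20 merge entry) so the header and the log agree.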
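Review bot: the comments in poly1305.h leave the nonce-reuse hazard undocumented. poly1305_aes_set_key zeroes the nonce and poly1305_aes_digest increments it, so calling poly1305_aes_set_key again with the same key restarts the nonce sequence at zero and repeats (key, nonce) pairs, which undermines the authenticator's security guarantee. Suggest stating above poly1305_aes_set_key that the nonce counter restarts and that a nonce must never repeat under one key. Separately, poly1305_aes_set_key, poly1305_aes_set_nonce and poly1305_aes_digest take bare `const uint8_t *key`, `const uint8_t *nonce` and `uint8_t *digest` even though POLY1305_AES_KEY_SIZE, POLY1305_AES_NONCE_SIZE and POLY1305_AES_DIGEST_SIZE are defined directly above; the low-level poly1305_set_key already uses the array form `const uint8_t key[POLY1305_KEY_SIZE]`, so the same form here would document the required buffer sizes in the prototypes.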