From: Niels Möller Date: Wed, 5 Mar 2025 15:33:05 +0000 (+0100) Subject: Merge branch 'delete-old-aes'. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7caff47d52a6c7feadbc3deb195729625c0f4496;p=thirdparty%2Fnettle.git Merge branch 'delete-old-aes'. Delete old AES api using the same struct aes_ctx for all key sizes. --- 7caff47d52a6c7feadbc3deb195729625c0f4496 diff --cc ChangeLog index 77ed80a7,3fa62ecd..0403e22f --- a/ChangeLog +++ b/ChangeLog @@@ -1,3727 -1,28 +1,3745 @@@ -2018-02-21 Niels Möller +2025-03-05 Niels Möller + Delete old AES interface. + * aes.h (struct aes_ctx): Deleted. + (AES_MIN_KEY_SIZE, AES_MAX_KEY_SIZE): Deleted constants. + * gcm.h (struct gcm_aes_ctx): Deleted. - - * aes-encrypt.c (aes_encrypt): Deleted function. - * aes-decrypt.c (aes_decrypt): Likewise. - ++ * aes-encrypt.c: Deleted file. ++ * aes-decrypt.c: Deleted file. + * aes-set-encrypt-key.c: Deleted file. + * aes-set-decrypt-key.c: Deleted file. + * gcm-aes.c: Deleted file. + * Makefile.in (nettle_SOURCES): Drop above files. - + * nettle.texinfo: Delete corresponding documentation. - + * testsuite/aes-test.c (test_invert): Generalize to take a struct + nettle_cipher and an invert function. + (test_cipher2): Deleted function. + (test_main): Delete tests of old AES interface. - + * testsuite/gcm-test.c (test_main): Delete tests of struct + gcm_aes_ctx functions. + + Delete incomplete and old openpgp support. + * pgp-encode.c: Deleted file. + * pgp.h: Deleted file. + * rsa2openpgp.c: Deleted file. + * rsa.h (rsa_keypair_to_openpgp): Delete declaration. + * Makefile.in (hogweed_SOURCES): Delete pgp-encode.c and rsa2openpgp.c. + (HEADERS): Delete pgp.h. + + * md5-compat.c (MD5Init, MD5Update, MD5Final): Delete file and + functions. Also delete corresponding header file, tests, and + documentation. + + * configure.ac: Bump version numbers, to prepare for changes that + break API or ABI. Bump package version to 4.0. 
+ (LIBNETTLE_MAJOR, LIBNETTLE_MINOR): Bump, to 9.0. + (LIBHOGWEED_MAJOR, LIBHOGWEED_MINOR): Bump, to 7.0. + +2025-03-02 Niels Möller + + * powerpc64/p8/gcm-aes-decrypt.asm: Avoid using lxvb16x + instruction in powerpc64/p8 files. Reported by Sean McGovern. + * powerpc64/p8/gcm-aes-encrypt.asm: Likewise. + +2025-02-09 Niels Möller + + * powerpc64/p8/gcm-aes-decrypt.asm: Use stxvd2x/lxvd2x rather than + stxv/lxv for save and restore of vector registers, since the + latter instructions are not available on Power8 (ISA v2.07). + * powerpc64/p8/gcm-aes-encrypt.asm: Likewise. + +2024-12-30 Niels Möller + + * Released Nettle-3.10.1. + +2024-12-28 Niels Möller + + * testsuite/testutils.c (mark_bytes_undefined) + (mark_bytes_defined) [!HAVE_VALGRIND_MEMCHECK_H]: Add UNUSED + attribute on dummy version of these functions. + +2024-12-14 Niels Möller + + * configure.ac: Bump package version, to 3.10.1. + (LIBNETTLE_MINOR): Bump minor number, to 8.10. + (LIBHOGWEED_MINOR): Bump minor number, to 6.10. + +2024-12-13 Niels Möller + + * aclocal.m4 (NETTLE_PROG_VALGRIND): Check if executable appears + to include lsan, asan or msan symbols, and if so, don't attempt to + run valgrind. + +2024-10-16 Niels Möller + + * run-tests: Cleanup, guided by shellcheck warnings. Use $() + rather than `` and $(()) rather than expr. + +2024-09-08 Niels Möller + + From Brad Smith: Support elf_aux_info (OpenBSD and FreeBSD). + * configure.ac: Check for elf_aux_info. + * fat-arm64.c (get_arm64_features): Use elf_aux_info if available. + * fat-ppc.c (get_ppc_features): Likewise. + +2024-06-23 Niels Möller + + * testsuite/testutils.h (struct nettle_xof): New struct type. + * testsuite/testutils.c (test_hash): Delete support for tests with + arbitrary digest size, reverting part of 2019-12-25 change. + (test_xof): New function, test both digest and output functions. + * testsuite/shake128-test.c (test_main): Change from using + test_hash to test_xof. 
+ * testsuite/shake256-test.c (test_incremental): Deleted function, + superseded by test_xof. + (test_main): Change from using test_hash to test_xof, delete use + of test_incremental. + +2024-06-16 Niels Möller + + * testsuite/testutils.c (test_mac): Add set_key function argument, + to support tests with key size != mac->key_size. + * testsuite/cmac-test.c: Update test_mac usage. + * testsuite/hmac-test.c (HMAC_TEST): Deleted macro, replace with + test_mac, passing set_key function when needed. + (test_main): Add more test vectors from RFC 4868, previously + draft-kelly-ipsec-ciph-sha2. + + * hmac-gosthash94-meta.c: New file. + * nettle-meta.h (nettle_hmac_gosthash94) + (nettle_hmac_gosthash94cp): Declare. + * nettle-meta-macs.c (_nettle_macs): Add nettle_hmac_gosthash94 + and nettle_hmac_gosthash94cp. + * Makefile.in (nettle_SOURCES): Add hmac-gosthash94-meta.c. + * testsuite/meta-mac-test.c: Update test. + + * Released Nettle-3.10. + + * examples/rsa-encrypt-test: Consistently add $EXEEXT to + executable names. + * examples/rsa-sign-test: Likewise. + * examples/rsa-verify-test: Likewise. + * examples/setup-env: Likewise. + * tools/nettle-pbkdf2-test: Likewise. + * tools/pkcs1-conv-test: Likewise + * tools/sexp-conv-test: Likewise. + + * configure.ac: When cross-compiling targetting windows, + always use "wine" as EMULATOR; using "wine64" for 64-bit windows + seems no longer needed. + +2024-06-15 Niels Möller + + * testsuite/Makefile.in (TS_SC_NETTLE): New variable. + (DISTFILES): Unconditionally include side-channel tests, + fix accidental dependence on IF_VALGRIND. + +2024-06-11 Niels Möller + + * fat-arm64.c: Enable use of getauxval on android, for + __ANDROID_API__ >= 18. + +2024-06-10 Niels Möller + + From Eric Richter: + * powerpc64/p8/sha256-compress-n.asm: New file. + * powerpc64/fat/sha256-compress-n-2.asm: New file. + * fat-ppc.c: Add fat setup for _nettle_sha256_compress_n. 
+ +2024-06-09 Niels Möller + + * ecc-internal.h (assert_maybe) [!WITH_EXTRA_ASSERTS]: Cast to + void, to avoid warnings. + +2024-06-05 Niels Möller + + * config.guess: Update to 2024-01-01 version. + * config.sub: Update to 2024-01-01 version. + +2024-06-02 Niels Möller + + * configure.ac: Bump package version, to 3.10. + (LIBNETTLE_MINOR): Bump minor number, to 8.9. + (LIBHOGWEED_MINOR): Bump minor number, to 6.9. + +2024-06-01 Niels Möller + + * eddsa-hash.c (_eddsa_hash): Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE. + + * ecc-hash.c (ecc_hash, gost_hash): Deleted file, moved functions to... + * dsa-hash.c (_nettle_dsa_hash): Change to use mpn interface + instead of mpz, replacing ecc_hash. + (_nettle_gostdsa_hash): Moved here, renamed from gost_hash. + * dsa-internal.h (_nettle_dsa_hash): Update declaration. + (_nettle_gostdsa_hash): Moved declaration here. + * ecc-internal.h (ecc_hash, gost_hash): Delete old declarations. + * gmp-glue.h (NETTLE_BIT_SIZE_TO_LIMB_SIZE): New macro. + + * dsa-sign.c (dsa_sign): Adapt to _nettle_dsa_hash change. + * dsa-verify.c (dsa_verify): Likewise. + * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use _nettle_dsa_hash. + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. + * ecc-gostdsa-sign.c (ecc_gostdsa_sign): Use _nettle_gostdsa_hash. + * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise. + + * Makefile.in (hogweed_SOURCES): Delete ecc-hash.c + +2024-05-15 Niels Möller + + * powerpc64/p8/gcm-aes-encrypt.asm: Reduce register usage. + * powerpc64/p8/gcm-aes-decrypt.asm: Analogous changes. + +2024-04-14 Niels Möller + + From Danny Tsen: Combined gcm-aes implementation for powerpc64. + * configure.ac: Define HAVE_NATIVE_gcm_aes_encrypt and + HAVE_NATIVE_gcm_aes_decrypt. + (asm_nettle_optional_list): Add gcm-aes-encrypt.asm, + gcm-aes-encrypt-2.asm, gcm-aes-decrypt.asm, and + gcm-aes-decrypt-2.asm. + * gcm-internal.h (_gcm_aes_encrypt, _gcm_aes_decrypt): Declare + internal functions, and define as dummy macros when not supported. 
+ * gcm-aes128.c (gcm_aes128_encrypt): Use _gcm_aes_encrypt. + (gcm_aes128_decrypt): Use _gcm_aes_encrypt. + * gcm-aes192.c (gcm_aes192_encrypt, gcm_aes128_decrypt): Likewise. + * gcm-aes256.c (gcm_aes256_encrypt, gcm_aes256_decrypt): Likewise. + * Makefile.in (DISTFILES): Add gcm-internal.h. + * powerpc64/machine.m4 (GF_MUL): New macro. + * powerpc64/fat/gcm-aes-decrypt-2.asm: New file. + * powerpc64/fat/gcm-aes-encrypt-2.asm: New file. + * powerpc64/p8/gcm-aes-decrypt.asm: New file. + * powerpc64/p8/gcm-aes-encrypt.asm: New file. + * fat-setup.h (gcm_aes_crypt_func): New typedef. + * fat-ppc.c: Fat setup for gcm_aes_encrypt and gcm_aes_decrypt. + (gcm_aes_crypt_c): New nop implementation. + +2024-03-29 Niels Möller + + * bswap-internal.h (nettle_bswap32_n): New inline function. + (bswap32_n_if_le): New macro, to reduce code duplication. + * blowfish-bcrypt.c (bswap32_if_le_n): Deleted, usage replaced + with shared bswap32_n_if_le. + * umac-set-key.c (bswap32_if_le_n): Likewise. + +2024-03-28 Niels Möller + + * sha512-224-meta.c (nettle_sha512_224): Change name to + "sha512_224", with underscore rather than dash. + * sha512-256-meta.c (nettle_sha512_256): Analogous change. + * nettle-meta-hashes.c (_nettle_hashes): Add nettle_sha512_224 and + nettle_sha512_256. + * testsuite/meta-hash-test.c: Update test. + +2024-03-24 Niels Möller + + * testsuite/gcm-test.c (test_main): Add a test case that triggers + 32-bit counter wraparound for gcm_aes256, and a larger 719 byte + message. + +2024-03-28 Niels Möller + + From Daiki Ueno: + * shake128.c (sha3_128_init, sha3_128_update, sha3_128_shake) + (sha3_128_shake_output): New file, new functions. + * testsuite/shake128-test.c: New testcases. + * Makefile.in (nettle_SOURCES): Add shake128.c. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake128-test.c. + +2024-03-24 Niels Möller + + * sha3-shake.c (_nettle_sha3_shake, _nettle_sha3_shake_output): + New file, new functions. 
Generalizations of sha3_256_shake and + sha3_256_shake_output, respectively. + (_nettle_sha3_shake_output): Use one's complement of index, + instead of just setting high bit. + + * shake256.c (sha3_256_shake, sha3_256_shake_output): Implement in + terms of calls to the new functions. + * Makefile.in (nettle_SOURCES): Add sha3-shake.c. + + * sha3.c (_nettle_sha3_update): Use MD_FILL_OR_RETURN_INDEX. + (sha3_xor_block): New function, taken out from sha3_absorb. + (_nettle_sha3_pad): Call sha3_xor_block, not sha3_absorb. + * sha3-internal.h (_sha3_pad_shake): By above change, no longer + implies sha3_permute. + (_sha3_pad_hash): Update, to still include a + call to sha3_permute. + * shake256.c (sha3_256_shake, sha3_256_shake_output): Update to + call sha3_permute before generating output. + +2024-03-20 Niels Möller + + * testsuite/gcm-test.c (test_main): Add a test case that triggers + 32-bit counter wraparound for gcm_aes128. + +2024-03-10 Niels Möller + + From Daiki Ueno: + * shake256.c (sha3_256_shake_output): New function, incremental + shake256 output. + * testsuite/shake256-test.c (test_incremental): New function, for + testing sha3_256_shake_output. + (test_main): Use it. + +2024-03-10 Niels Möller + + * poly1305-update.c (_nettle_poly1305_update): Explicitly check + for empty input and return. + + * testsuite/testutils.c (test_aead): Test with associated split + data into two pieces in different ways, respecting block + boundaries. Also add a call to update(ctx, 0, NULL) in the + middle, and encrypt and decrypt calls with empty input. + +2024-03-08 Niels Möller + + Fix ubsan issues for empty hash updates. + * macros.h (MD_UPDATE): Check upfront if length is zero. Avoids + calling memcpy(dst, NULL, 0), which is undefined behavior. + * sha256.c (sha256_update): Likewise. + * sha3.c (_nettle_sha3_update): Likewise. 
+ * testsuite/testutils.c (test_hash): Test with message split into + two pieces in different ways, and also add an call to update(ctx, + 0, NULL) in the middle. + +2024-02-16 Niels Möller + + RSA-OAEP support contributed by Nicolas Mora and Daiki Ueno: + * rsa-oaep-encrypt.c (_rsa_oaep_encrypt) + (rsa_oaep_sha256_encrypt, rsa_oaep_sha384_encrypt) + (rsa_oaep_sha512_encrypt): New file, new functions. + * rsa-oaep-decrypt.c (_rsa_oaep_decrypt) + (rsa_oaep_sha256_decrypt, rsa_oaep_sha384_decrypt) + (rsa_oaep_sha512_decrypt): New file, new functions. + * rsa.h: Declare new RSA OAEP functions. + * rsa-internal.h: Declare internal RSA OAEP functions. + * oaep.c (_oaep_sec_decrypt_variable, _oaep_decode_mgf1) + (_oaep_encode_mgf1): New file, new functions. + * oaep.h: New file, declaring internal functions. + * Makefile.in (hogweed_SOURCES): Add oaep.c, rsa-oaep-encrypt.c + rsa-oaep-decrypt.c. + (DISTFILES): Add oaep.h. + * nettle.texinfo (RSA): Document RSA-OAEP functions. + * testsuite/rsa-oaep-encrypt-test.c: New tests. + * testsuite/testutils.c (test_rsa_set_key_2): New function. + * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add rsa-oaep-encrypt-test.c + (TS_SC_HOGWEED): Add sc-rsa-oaep-encrypt-test. + +2024-02-02 Niels Möller + + Optimize powerpc64 aes decrypt. Speedup of 80%-100%, depending on + key size, when benchmarked on Power 10: + * configure.ac (asm_replace_list): Add aes-invert-internal.asm. + (asm_nettle_optional_list): Add aes-invert-internal-2.asm. + * powerpc64/p8/aes-invert-internal.asm (_aes_invert): New file. + Implementat _aes_invert as just a memcpy. + * powerpc64/p8/aes-decrypt-internal.asm: Rework to use unmixed + encryption subkeys, which fits better with the vncipher + instruction, and eliminates lots of vxor instructions. + * powerpc64/fat/aes-invert-internal-2.asm: New file. + * aes-invert-internal.c: Check HAVE_NATIVE_aes_invert, and define + _nettle_aes_invert_c wen needed. + * fat-setup.h (aes_invert_internal_func): New typedef. 
+ * fat-ppc.c: Add fat setup for _aes_invert. + +2024-01-28 Niels Möller + + * powerpc64/p8/aes-encrypt-internal.asm: Use r10-r12 consistently + for indexing, and reducing number of used callee-save registers. + * powerpc64/p8/aes-decrypt-internal.asm: Likewise. + +2024-01-27 Niels Möller + + * aes-invert-internal.c (_nettle_aes_invert): Don't reorder the subkeys. + * aes-decrypt-internal.c (_nettle_aes_decrypt): Updated to process + subkeys starting from the end, and let subkeys pointer point at + the subkey for the first decrypt round, located at the end of the + array. + * aes128-decrypt.c (nettle_aes128_decrypt): Updated accordingly. + * aes192-decrypt.c (nettle_aes192_decrypt): Likewise. + * aes256-decrypt.c (nettle_aes256_decrypt): Likewise. + * arm/aes.m4 (AES_LOAD_INCR): New macro, specifying desired + increment of key pointer. + * arm/aes-decrypt-internal.asm: Updated for new conventions. + * arm/v6/aes-decrypt-internal.asm: Likewise. + * arm64/crypto/aes128-decrypt.asm: Likewise. + * arm64/crypto/aes192-decrypt.asm: Likewise. + * arm64/crypto/aes256-decrypt.asm: Likewise. + * powerpc64/p8/aes-decrypt-internal.asm: Likewise. + * sparc64/aes-decrypt-internal.asm: Likewise. + * x86/aes-decrypt-internal.asm: Likewise. + * x86_64/aes-decrypt-internal.asm: Likewise. + * x86_64/aes-decrypt-internal.asm: Likewise. + * x86_64/aesni/aes128-decrypt.asm: Likewise. + * x86_64/aesni/aes192-decrypt.asm: Likewise. + * x86_64/aesni/aes256-decrypt.asm: Likewise. + +2024-01-26 Niels Möller + + Delete all sparc32 assembly. + * sparc32/aes-decrypt-internal.asm: Deleted file. + * sparc32/aes-encrypt-internal.asm: Deleted file. + * configure.ac: Don't enable any assembly for 32-bit sparc. + * Makefile.in (distdir): Don't distribute sparc32 files. + * sparc64/aes.m4: Moved file, from... + * sparc32/aes.m4: ... old location. + * sparc64/aes-encrypt-internal.asm: Update for location of aes.m4. + * sparc64/aes-decrypt-internal.asm: Likewise. 
+ +2024-01-23 Niels Möller + + * powerpc64/machine.m4 (GHASH_REDUCE): New macro. Improve + scheduling, adding vpmsumd result last. + * powerpc64/p8/ghash-update.asm: Use GHASH_REDUCE, slightly reduce + vector register usage, simplify use of index registers. + +2024-01-21 Niels Möller + + * powerpc64/machine.m4 (OPN_XXY, OPN_XXXY): New macros. + * powerpc64/p8/aes-encrypt-internal.asm: Use macros for repeated + instruction patterns. + * powerpc64/p8/aes-decrypt-internal.asm: Likewise. + +2023-12-27 Niels Möller + + * testsuite/gcm-test.c (test_main): Additional gcm test case, with + 719 byte message, contributed by Danny Tsen. + +2023-12-08 Niels Möller + + Delete all md5 assembly code. + * md5.c (nettle_md5_compress): Move function and related macros + here, from... + * md5-compress.c: ... deleted file. + * x86/md5-compress.asm: Deleted file. + * x86_64/md5-compress.asm: Deleted file. + + * configure.ac: When checking for openssl, use AC_LINK_IFELSE to + check if needed functions really are available. Just using + AC_CHECK_LIB to check for, e.g., EVP_RSA_gen, doesn't work, since + that is a macro that depends on including openssl/rsa.h.' + +2023-12-06 Niels Möller + + * drbg-ctr-aes256.c (drbg_ctr_aes256_output): New helper function. + (drbg_ctr_aes256_update, drbg_ctr_aes256_random): Use it. + + From Simon Josefsson: + * drbg-ctr.h (struct drbg_ctr_aes256_ctx): New context struct. + (DRBG_CTR_AES256_SEED_SIZE): New constant. + * drbg-ctr-aes256.c (drbg_ctr_aes256_update) + (drbg_ctr_aes256_init, drbg_ctr_aes256_random): New file, new functions. + + * testsuite/drbg-ctr-aes256-test.c: New testcase. + * nettle.texinfo (Randomness): Document DRBG-CTR. + +2023-12-05 Niels Möller + + From Tim Kosse: + * fat-arm64.c (check_sysctlbyname) [__APPLE__]: New function. + (get_arm64_features) [__APPLE__]: Fix feature detection for Apple + M1 devices. 
+ + * configure.ac: In openssl tests, check for the headers actually + used by the benchmarking code, and for a subset of the relevant + functions. + + * examples/nettle-openssl.c: Trim openssl includes and defines, + and use Nettle's definition of sha1 and md5 constants. + (nettle_openssl_init): Deleted. + * examples/nettle-benchmark.c (main): Delete call to nettle_openssl_init. + +2023-12-04 Niels Möller + + * examples/nettle-openssl.c (nettle_openssl_blowfish128) + (nettle_openssl_des, openssl_cast128_set_encrypt_key): Deleted, + since these algorithms are now available in openssl only via the + "legacy provider". Also deleted declarations and usage. + + * examples/hogweed-benchmark.c (struct openssl_ctx): Unified + struct, replacing openssl_rsa_ctx and openssl_ecdsa_ctx. + (bench_openssl_init, bench_openssl_sign, bench_openssl_verify) + (bench_openssl_clear): New functions, using EVP interfaces to + signing, replacing rsa- and ecdsa-specific functions. + (bench_openssl_rsa_init, bench_openssl_ecdsa_init): Use bench_openssl_init. + +2023-11-23 Niels Möller + + * nettle-internal.h: Keep only declarations actually used + internally in the library. + * non-nettle.h: New file, contents extracted from + nettle-internal.h, for use in test and benchmark code. + * non-nettle.c: New file, renamed from ... + * nettle-internal.c: ... old name, deleted. + * Makefile.in (internal_SOURCES, DISTFILES): Updated accordingly. + * testsuite/Makefile.in (TEST_OBJS): Replace ../nettle-internal.o + with ../non-nettle.o, and update corresponding make rule. + * examples/Makefile.in (BENCH_OBJS): Likewise. + +2023-11-22 Niels Möller + + Revert part of the 2023-08-05 change. + * rsa-sec-decrypt.c (rsa_sec_decrypt): Merge with + _rsa_sec_decrypt, including input range check. + (_rsa_sec_decrypt): Deleted. + * rsa-internal.h (_rsa_sec_decrypt): Delete declaration. 
+ * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Always + call rsa_sec_decrypt, but don't annotate the ciphertext input as + undefined/secret. + +2023-11-15 Niels Möller + + * ecc-mod-arith.c (ecc_mod_addmul_1): Use assert_maybe. + * ecc-curve448.c (ecc_curve448_modp): Likewise. + * ecc-curve25519.c (ecc_curve25519_modq): Likewise. + * eddsa-hash.c (_eddsa_hash): Likewise. + * eddsa-sign.c (_eddsa_sign): Likewise. + + * testsuite/curve25519-dh-test.c (test_g): Add calls to + mark_bytes_undefined and mark_bytes_defined. + (test_a): Likewise. + (test_main): Skip side-channel tests in builds with mini-gmp or + extra asserts enabled. + * testsuite/curve448-dh-test.c: Analogous changes. + * testsuite/ed448-test.c (test_one): Analogous changes. + * testsuite/ed25519-test.c: Analogous changes. + + * testsuite/Makefile.in (TS_SC_HOGWEED): New make variable. Added + sc-curve25519-dh-test, sc-curve448-dh-test, sc-ed25519-test, and + sc-ed448-test to list. + * testsuite/sc-curve25519-dh-test: New testcase. + * testsuite/sc-curve448-dh-test: New testcase. + * testsuite/sc-ed448-test: New testcase. + * testsuite/sc-ed25519-test: New testcase. + +2023-11-14 Niels Möller + + Add a first side-channel test for the ECC code. + * configure.ac: New option --enable-extra-asserts. Enables asserts + that are disabled by default, due to conflict with tests of + side-channel silence. + (WITH_EXTRA_ASSERTS): Corresponding new define. + * ecc-internal.h (assert_maybe): Conditionally define this assert + macro, depending on WITH_EXTRA_ASSERTS. + * ecc-mod-arith.c: Convert most asserts to assert_maybe. + * ecc-mod-inv.c (ecc_mod_inv): Likewise. + * ecc-mod.c (ecc_mod): Likewise. + * ecc-pm1-redc.c (ecc_pm1_redc): Likewise. + * ecc-pp1-redc.c (ecc_pp1_redc): Likewise. + * ecc-secp192r1.c (ecc_secp192r1_modp): Likewise. + * ecc-secp384r1.c (ecc_secp384r1_modp): Likewise. + * testsuite/ecdsa-sign-test.c (test_ecdsa): Add calls to + mark_bytes_undefined and mark_bytes_defined. 
+ (test_main): Skip side-channel tests in builds with mini-gmp or + extra asserts enabled. + * testsuite/sc-ecdsa-sign-test: New testcase. + * testsuite/Makefile.in (TS_SC): Add sc-ecdsa-sign-test. + +2023-11-12 Niels Möller + + * gmp-glue.h (GMP_LIMB_BITS) [NETTLE_USE_MINI_GMP]: Define as alias for + GMP_NUMB_BITS. + (is_zero_limb): Move inline function here. Add static, for + compatibility with c89. and mini-gmp builds. + * gmp-glue.c (sec_zero_p): Use is_zero_limb. + +2023-11-06 Niels Möller + + Avoid comparison like cnd = (x == 0) in code intended to be + side-channel silent, since to eliminate branches with some + compilers/architectures, in particular 32-bit x86 and the msvc compiler. + * nettle-internal.h (IS_ZERO_SMALL): New macro. + * memeql-sec.c (memeql_sec): Use IS_ZERO_SMALL. + * pkcs1-sec-decrypt.c (EQUAL): Likewise. + + * cnd-copy.c (cnd_copy): Require that cnd argument is 1 or 0. + * ecc-mul-a.c (ecc_mul_a) [ECC_MUL_A_WBITS == 0]: + Rearrange loop to pass 0 or 1 to cnd_copy. + * ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: + Likewise. + * ecc-mul-a.c (ecc_mul_a) [ECC_MUL_A_WBITS > 0]: Use + IS_ZERO_SMALL, and pass 0 or 1 to cnd_copy. + * ecc-mul-g.c (ecc_mul_g): Likewise. + + * ecc-internal.h (is_zero_limb): New inline function. + * eddsa-decompress.c (_eddsa_decompress): Likewise. + * ecc-gostdsa-sign.c (ecc_gostdsa_sign): Likewise. + * ecc-mod-arith.c (ecc_mod_zero_p): Likewise. + (ecc_mod_equal_p): Avoid comparison cy == 0. + * ecc-j-to-a.c (ecc_j_to_a): Avoid comparison cy == 0. + +2023-10-06 Niels Möller + + * testsuite/rsa-sec-decrypt-test.c (test_main): Skip side-channel + test if built with mini-gmp. + + * testsuite/sc-valgrind.sh (with_valgrind): Pass + --exit-on-first-error=yes. + + * aclocal.m4 (NETTLE_PROG_VALGRIND): New macro. + * configure.ac: Use it. + * testsuite/Makefile.in (TS_SH): Include side-channel tests only + if we have a working valgrind. + + * misc/c89: New wrapper script to force compiling in c89 mode. 
+ +2023-10-04 Niels Möller + + * bswap-internal.h (bswap32_if_be, bswap32_if_le): New macros. + * blowfish-bcrypt.c (bswap32_if_le_n): Rename, to not collide with + new macro. + (bswap32_if_le): ... old name, deleted. + * umac-set-key.c (bswap32_if_le_n): Define in the same way as for + bcrypt, replacing... + (BE_SWAP32_N): ...deleted macro. + * umac-l3.c (_nettle_umac_l3_init): Use bswap64_if_le. + * umac-l2.c (_nettle_umac_l2_init): Use bswap32_if_le. + * chacha-core-internal.c (_nettle_chacha_core): Use bswap32_if_be. + * salsa20-core-internal.c (_nettle_salsa20_core): Likewise + + * umac-l2.c (_nettle_umac_l2_final): Delete redundant assignment. + +2023-10-03 Niels Möller + + * Makefile.in (check-fat): Reduce tests to run to TS_FAT, to speed + up tests. + + * testsuite/Makefile.in (TS_FAT): Define list of tests relevant + for testing algorithm variants in fat builds. + + * testsuite/ecc-mod-arith-test.c: Reduce test count, aiming to get + test to complete in roughly 0.1s. + * testsuite/ecc-mod-test.c: Likewise. + * testsuite/ecc-modinv-test.c: Likewise. + * testsuite/ecc-mul-a-test.c: Likewise. + * testsuite/ecc-redc-test.c: Likewise. + * testsuite/ecc-sqrt-test.c: Likewise. + * testsuite/eddsa-compress-test.c: Likewise. + * testsuite/poly1305-test.c: Likewise. + * testsuite/random-prime-test.c: Likewise. + * testsuite/rsa-compute-root-test.c: Likewise. + * testsuite/rsa-sec-decrypt-test.c: Likewise. + + * testsuite/Makefile.in (TS_SH): Delete tools tests from list. + * tools/Makefile.in (check): Run tools tests from this target. + (TS_ALL): New variable. + (DISTFILES): Add TS_ALL files. + * testsuite/teardown-env: Deleted, intead let make clean delete + test files. + * tools/nettle-pbkdf2-test: Moved, from testseuite/. + * tools/sexp-conv-test: Likewise. + * tools/pkcs1-conv-test: Likewise. + +2023-08-05 Niels Möller + + * testsuite/testutils.c (mark_bytes_undefined) + (mark_bytes_defined): New functions. Update side-channel related + tests to use them. 
+ (main): Check environment variable NETTLE_TEST_SIDE_CHANNEL. + (test_side_channel): New global variable. + + * testsuite/sc-valgrind.sh (with_valgrind): New file, new shell + utility function. + + * testsuite/sc-pkcs1-sec-decrypt-test: New test, for side channel + silence. + * testsuite/sc-memeql-test: Likewise. + * testsuite/sc-gcm-test: Likewise. + * testsuite/sc-cnd-memcpy-test: Likewise. + * testsuite/rsa-sec-decrypt-test: Likewise. + + * rsa-sec-decrypt.c (_rsa_sec_decrypt): New internal function, + without input range checks. + (rsa_sec_decrypt): Use it. + +2023-08-02 Niels Möller + + * configure.ac: Replace obsoleted macros, require autoconf-2.69, + from 2012, or later. + * aclocal.m4: Likewise. + + * aclocal.m4 (LSH_FUNC_STRERROR): Delete macro. + (LSH_FUNC_STRSIGNAL): Delete unused macro. + * configure.ac: Delete usage of LSH_FUNC_STRERROR. + * tools/nettle-hash.c (main): Use strerror unconditionally. + * tools/nettle-pbkdf2.c (main): Likewise. + +2023-08-01 Niels Möller + + * configure.ac: Delete special handling of rntcl; it should be + treated like any other cross compiler. Delete obsolete check of + ac_cv_prog_cc_stdc. + +2023-06-01 Niels Möller + + * Released Nettle-3.9.1. + +2023-05-26 Niels Möller + + * configure.ac: Bump package version, to 3.9.1. + (LIBNETTLE_MINOR): Bump minor number, to 8.8. + (LIBHOGWEED_MINOR): Bump minor number, to 6.8. + +2023-05-19 Niels Möller + + From Jussi Kivilinna: + * ocb.c (ocb_crypt_n): Fix broken loop logic. + * testsuite/ocb-test.c (test_main): Add test vector from libgcrypt, + with larger message, to exercise above loop. + +2023-05-16 Niels Möller + + * x86_64/ghash-update.asm: Use separate unaligned load + instructions (movups) to load the tabulated values, since they are + only 8-byte aligned and pand memory operands require 16-byte + alignment. + +2023-05-15 Niels Möller + + * eccdata.c (output_bignum_redc): Add missing mpz_clear, reported + by Noah Watkins. + (output_digits): Delete a gratuitous mpz_init. 
+ +2023-05-14 Niels Möller + + * Released nettle-3.9. + +2023-05-12 Niels Möller + + * texinfo.tex: Delete unused file. + + Copy files from https://git.savannah.gnu.org/cgit/gnulib.git/plain/build-aux/ + * install-sh: Update to 2020-11-14.01 version. + * config.guess: Update to 2023-01-01 version. + * config.sub: Update to 2023-01-21 version. + +2023-05-10 Niels Möller + + Fix compile error in --disable-public-key configuration. + * testsuite/sha1-test.c: Add missing include of sha1.h. + * testsuite/sha256-test.c: Add missing include of sha2.h. + +2023-05-07 Niels Möller + + * configure.ac: Bump package version, to 3.9. + (LIBNETTLE_MINOR): Bump minor number, to 8.7 (8.6 was used for + Nettle-3.8.1). + (LIBHOGWEED_MINOR): Bump minor number, to 6.7. + +2023-04-25 Niels Möller + + Rework tests of SIV message functions. + * testsuite/siv-gcm-test.c (nettle_encrypt_message_func) + (nettle_decrypt_message_func): Delete typedefs. + (test_compare_results, test_cipher_siv_gcm): Delete functions. + (test_siv_gcm_aes128, test_siv_gcm_aes256): Delete macros. + (siv_gcm_aes128, siv_gcm_aes256): New algorithm structs. + (test_main): Use test_aead_message. + + * testsuite/siv-cmac-test.c (nettle_encrypt_message_func) + (nettle_decrypt_message_func): Delete typedefs. + (test_compare_results, test_cipher_siv): Delete functions. + (test_siv_aes128, test_siv_aes256): Delete macros. + (siv_cmac_aes128, siv_cmac_aes256): New algorithm structs. + (test_main): Use test_aead_message. + +2023-04-24 Niels Möller + + Rework tests of OCB message functions. + * testsuite/testutils.c (test_aead_message): New function, for + testing AEAD message functions. + * testsuite/testutils.h (nettle_encrypt_message_func) + (nettle_decrypt_message_func): New typedefs. + (struct nettle_aead_message): New struct. + * testsuite/ocb-test.c (nettle_encrypt_message_func) + (nettle_decrypt_message_func): Deleted typedefs. + (test_compare_results): Deleted function. + (test_ocb_aes128): Deleted macro. 
+ (struct ocb_aes128_message_key): New struct. + (ocb_aes128_set_encrypt_key_wrapper) + (ocb_aes128_set_decrypt_key_wrapper) + (ocb_aes128_encrypt_message_wrapper) + (ocb_aes128_decrypt_message_wrapper): New wrapper functions, using + above ocb_aes128_message_key for both encrypt and decrypt, and a + fix tag length of 16 octets. + (ocb_aes128_message): New algorithm struct, with above wrappers. + (test_main): Use test_aead_message. + +2023-04-23 Niels Möller + + * testsuite/siv-cmac-test.c: Renamed file, from... + * testsuite/siv-test.c: ... old name. + +2023-04-13 Niels Möller + + * ghash-update.c (gcm_gf_mul): Rewrite to avoid side-channel + leakage. Now processes the message bits one at a time, using + tabulated values of the key premultiplied by appropriate powers of + x, so that the table is accessed in a fixed sequential order. + Performance penalty, on x86_64, is roughly 3 times. + (shift_table): Deleted table. + (gcm_gf_shift_8): Deleted function. + * ghash-set-key.c (_ghash_set_key): Rewrite table generation. + * gcmdata.c: Deleted. + * Makefile.in: Delete references to gcmdata. + + * x86_64/ghash-update.asm: Rewritten, similar side-channel silent + method as the C implementation, with same table layout, but using + sse2 instructions. + + * testsuite/gcm-test.c (test_ghash_internal): Add valgrind + annotations, to verify that the ghash implementation makes no + data-dependent branches or memory accesses. + + * examples/nettle-benchmark.c (bench_ghash_update): New function. + +2023-04-03 Niels Möller + + From Mamone Tarsha: + * x86_64/pclmul/ghash-update.asm: New loop to process two blocks + at a time. + * x86_64/pclmul/ghash-set-key.asm: Likewise. + +2023-03-25 Niels Möller + + * ocb.h (OCB_MAX_NONCE_SIZE): New constant. + +2023-02-16 Niels Möller + + * x86_64/sha256-compress-n.asm: Fix incorrect w64 setup. Report + and fix from Gisle Vanem. + +2023-02-08 Niels Möller + + * examples/nettle-benchmark.c (main): Benchmark ocb_aes128. 
+ +2023-02-07 Niels Möller + + Implement OCB mode. RFC 7253. + * block-internal.h (block16_set): New function. + + * ocb.c (ocb_set_key, ocb_set_nonce, ocb_update, ocb_encrypt) + (ocb_decrypt, ocb_encrypt_message, ocb_decrypt_message): New + public functions. + (MEM_ROTATE_RIGHT, MEM_MASK): New macros. + (extract, update_offset, pad_block, ocb_fill_n, ocb_crypt_n) + (ocb_checksum_n): New helper functions. + * ocb-aes128.c (ocb_aes128_set_encrypt_key) + (ocb_aes128_set_decrypt_key, ocb_aes128_set_nonce) + (ocb_aes128_update, ocb_aes128_encrypt, ocb_aes128_decrypt) + (ocb_aes128_digest, ocb_aes128_encrypt_message) + (ocb_aes128_decrypt_message): New file, new functions. + * ocb.h: Declare ocb functions. + (struct ocb_key): New struct. + (struct ocb_ctx): New struct. + (struct ocb_aes128_encrypt_key): New struct. + * Makefile.in (nettle_SOURCES): Add ocb.c ocb-aes128.c. + (HEADERS): Add ocb.h. + + * nettle-internal.c (nettle_ocb_aes128) + (ocb_aes128_set_encrypt_key_wrapper) + (ocb_aes128_set_decrypt_key_wrapper) + (ocb_aes128_set_nonce_wrapper, ocb_aes128_update_wrapper) + (ocb_aes128_encrypt_wrapper, ocb_aes128_decrypt_wrapper) + (ocb_aes128_digest_wrapper): New aead algorithm, and + related wrapper functions. + * nettle-internal.h (OCB_NONCE_SIZE): New constant. + (struct ocb_aes128_ctx): New struct. + + * testsuite/ocb-test.c: New tests. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add ocb-test.c. + +2023-02-06 Niels Möller + + * testsuite/testutils.c (test_aead): Always use set_nonce function + pointer if non-NULL, test varying alignment, output the unexpected + data when test fails. + +2022-12-05 Niels Möller + + * xts-aes128.c (xts_aes128_encrypt_message) + (xts_aes128_decrypt_message): const-declare the xts_key argument. + * xts-aes256.c (xts_aes256_encrypt_message) + (xts_aes256_decrypt_message): Likewise. + +2022-11-09 Niels Möller + + From Mamone Tarsha: + * powerpc64/p9/poly1305-blocks.asm: New file, multi-block radix + 2^44 implementation. 
Benchmarked to give a speedup of 3.2 times on + Power9. + * powerpc64/p9/poly1305.m4 (DEFINES_BLOCK_R64, BLOCK_R64): New + file, new macros. + * powerpc64/p9/poly1305-internal.asm: Use BLOCK_R64 macro. + * powerpc64/machine.m4 (INC_GPR, INC_VR): New macros. + * powerpc64/fat/poly1305-blocks.asm: New file. + * poly1305-update.c: Check HAVE_NATIVE_fat_poly1305_blocks, and + define _nettle_poly1305_blocks_c when needed. + * fat-ppc.c: Fat setup for _nettle_poly1305_blocks. + +2022-11-07 Niels Möller + + * configure.ac (ASM_FLAGS): New configure environment variable. + * aclocal.m4 (GMP_TRY_ASSEMBLE): Use $ASM_FLAGS. + * config.make.in (ASM_FLAGS): Add substitution. + * Makefile.in: Use $(ASM_FLAGS) when compiling .asm files. + +2022-10-31 Niels Möller + + * configure.ac: (asm_file_list): Add HAVE_NATIVE_poly1305_blocks. + (asm_nettle_optional_list): Add poly1305-blocks.asm. + * x86_64/poly1305-blocks.asm: New file. + + * md-internal.h (MD_FILL_OR_RETURN_INDEX): New macro. + * poly1305-update.c (_nettle_poly1305_update): New file and + function. + * poly1305-internal.h: Declare _nettle_poly1305_blocks and + _nettle_poly1305_update. + * chacha-poly1305.c (poly1305_update): Use _nettle_poly1305_update. + * poly1305-aes.c (poly1305_aes_update): Likewise. + * Makefile.in (nettle_SOURCES): Add poly1305-update.c. + +2022-10-13 Niels Möller + + * gmp-glue.c (mpn_sec_tabselect) [NETTLE_USE_MINI_GMP]: Add back + here, to support mini-gmp builds. Updated signature to be + compatible with the gmp version. + * gmp-glue.h: Add declaration. + +2022-10-11 Niels Möller + + * sec-tabselect.c (sec_tabselect): Delete file and function. All + callers updated to use gmp's mpn_sec_tabselect instead, which is + implemented in assembly on many platforms. + +2022-10-02 Niels Möller + + * examples/ecc-benchmark.c (bench_curve): Add benchmarking of + modulo q inversion. 
+ +2022-09-29 Niels Möller + + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Call ecc_mul_g and ecc_mul_a directly, not via + function pointers. + (ecc_ecdsa_verify_itch): Use ECC_MUL_A_ITCH + rather than ecc->mul_itch. + * ecc-gostdsa-verify.c (ecc_gostdsa_verify_itch) + (ecc_gostdsa_verify): Analogous changes. + + * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Call ecc_mul_g and ecc_j_to_a + directly, not via function pointers. + (ecc_ecdsa_sign_itch): Use ECC_MUL_G_ITCH rather than + ecc->mul_g_itch. + * ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign): + Analogous changes. + +2022-09-28 Niels Möller + + * testsuite/meta-hash-test.c (test_main): Add check of + NETTLE_MAX_HASH_BLOCK_SIZE. + * nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE): Increase to 144, + to accommodate sha3_224. + * testsuite/meta-cipher-test.c (test_main): Check that cipher + metadata doesn't exceed NETTLE_MAX_CIPHER_BLOCK_SIZE or + NETTLE_MAX_CIPHER_KEY_SIZE. + + From Daiki Ueno: + * siv-gcm.c (siv_gcm_encrypt_message, siv_gcm_decrypt_message): + New file, implementation of SIV-GCM. + * siv-gcm.h (SIV_GCM_BLOCK_SIZE, SIV_GCM_DIGEST_SIZE) + (SIV_GCM_NONCE_SIZE): New header file, new constants and + declarations. + * siv-gcm-aes128.c (siv_gcm_aes128_encrypt_message) + (siv_gcm_aes128_decrypt_message): New file and functions. + * siv-gcm-aes256.c (siv_gcm_aes256_encrypt_message) + (siv_gcm_aes256_decrypt_message): Likewise. + * siv-ghash-set-key.c (_siv_ghash_set_key): New file, new internal + function. + * siv-ghash-update.c (_siv_ghash_update): Likewise. + * block-internal.h (block16_bswap): New inline function. + * bswap-internal.h (bswap64_if_be): New macro. + * nettle-internal.h (NETTLE_MAX_CIPHER_KEY_SIZE): New constant. + * Makefile.in (nettle_SOURCES): Add new source files. + (HEADERS): Add siv-gcm.h. + * testsuite/siv-gcm-test.c: New tests. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add siv-gcm-test.c. + * nettle.texinfo (SIV-GCM): Documentation. 
+ + From Zoltan Fridrich: + * balloon.c (balloon, balloon_itch): Implementation of balloon + password hash. + * balloon.h: New header file. + * balloon-sha1.c (balloon_sha1): New file and function. + * balloon-sha256.c (balloon_sha256): Likewise. + * balloon-sha384.c (balloon_sha384): Likewise. + * balloon-sha512.c (balloon_sha512): Likewise. + * Makefile.in (nettle_SOURCES): Add balloon source files. + (HEADERS): Add ballon.h. + * testsuite/balloon-test.c: New tests. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add balloon-test.c. + +2022-09-14 Niels Möller + + * ecc-nonsec-add-jjj.c (ecc_nonsec_add_jjj): New file and + function. + * ecc-internal.h: Declare it. + * Makefile.in (hogweed_SOURCES): Add ecc-nonsec-add-jjj.c. + * testsuite/ecc-add-test.c (test_main): Add tests for ecc_nonsec_add_jjj. + + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_nonsec_add_jjj, + to produce correct result in a corner case where point addition + needs to use point duplication. Also use ecc_j_to_a rather than + ecc->h_to_a, since ecdsa supports only weierstrass curves. + * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Analogous change. + + * testsuite/ecdsa-verify-test.c (test_main): Add corresponding test. + * testsuite/ecdsa-sign-test.c (test_main): And a test producing + the problematic signature. + +2022-09-08 Niels Möller + + * eccdata.c (string_toupper): New utility function. + (output_modulo): Move more of the per-modulo output here. + (output_curve): Remove corresponding code. + +2022-08-31 Niels Möller + + * bswap-internal.h (nettle_bswap64, nettle_bswap32) + (bswap64_if_le): New header file, new inline functions/macros. + * gcm.c (gcm_hash_sizes): Use bswap64_if_le, and bswap-internal.h, + replacing local definition of bswap_if_le. + * nist-keywrap.c (nist_keywrap16): Likewise. + * blowfish-bcrypt.c (swap32): Renamed function, to... + (bswap32_if_le): ...new name, rewritten to use nettle_bswap32. + Update call sites. + * Makefile.in (DISTFILES): Add bswap-internal.h. 
+ +2022-08-18 Niels Möller + + * Makefile.in (HEADERS): Add sm4.h. + + From Tianjia Zhang: SM4 block cipher. + * sm4.c: New file. + * sm4.h: New file. + * sm4-meta.c: New file. + * gcm-sm4.c: New file + * gcm-sm4-meta.c: New file. + * nettle.texinfo: Document SM4. + * testsuite/gcm-test.c (test_main): Add SM4 tests. + * testsuite/sm4-test.c: New file. + + * configure.ac (ABI): Change mips abi check to apply only to mips64. + +2022-08-17 Niels Möller + + * testsuite/testutils.c (mpz_urandomm) [NETTLE_USE_MINI_GMP]: New + fallback definition when building with mini-gmp. + +2022-08-16 Niels Möller + + * ecc-mod-arith.c (ecc_mod_sub): Ensure that if inputs are in the + range 0 <= a, b < 2m, then output is in the same range. + * eccdata.c (output_curve): New outputs ecc_Bm2p and ecc_Bm2q. + * ecc-internal.h (struct ecc_modulo): New member Bm2m (B^size - + 2m), needed by ecc_mod_sub. Update all curves. + * testsuite/ecc-mod-arith-test.c: New tests for ecc_mod_add and + ecc_mod_sub. + + * eccdata.c (output_modulo): Output the limb size, delete return + value. + (output_curve): Update calls to output_modulo, other minor cleanup. + +2022-08-07 Niels Möller + + Delete all arcfour assembly code. + * arcfour.c (arcfour_crypt): Moved function here, from... + * arcfour-crypt.c: ... deleted file. + * sparc32/arcfour-crypt.asm: Deleted. + * sparc64/arcfour-crypt.asm: Deleted. + * x86/arcfour-crypt.asm: Deleted. + * asm.m4: Delete arcfour structure offsets. + +2022-08-07 Niels Möller + + Based on patch from Corentin Labbe: + * nettle.texinfo: Document sha256_compress, sha512_compress, + md5_compress and sha1_compress. + + * configure.ac: Refer to nettle-types.h, rather than arcfour.c, + for AC_CONFIG_SRCDIR. + +2022-08-05 Niels Möller + + * nettle-internal.h: Include stdlib.h, fix alloca warnings on BSD. + * hmac.c: Delete corresponding include here, no longer needed. + + * getopt.c: Include stdlib.h and unistd.h unconditionally, + similarly to the gnulib version of this file. 
+ +2022-08-04 Niels Möller + + From Brad Smith: + * configure.ac: Fix 64-bit MIPS ABI check for other OS's like *BSD / Linux. + * aclocal.m4 (LSH_CCPIC): Use proper PIC flag for *BSD OS's. + * blowfish-bcrypt.c (swap32): Eliminate conflict with OpenBSD's swap32 macro. + +2022-07-29 Niels Möller + + * s390x/msa_x1/sha256-compress-n.asm: New file. replacing... + * s390x/msa_x1/sha256-compress.asm: ...deleted file. + * s390x/fat/sha256-compress-n-2.asm: New file. replacing... + * s390x/fat/sha256-compress-2.asm: ...deleted file. + * fat-s390x.c: Update fat setup. + +2022-07-26 Niels Möller + + * arm/v6/sha256-compress-n.asm: New file. replacing... + * arm/v6/sha256-compress.asm: ...deleted file. + * arm/fat/sha256-compress-n-2.asm: New file. replacing... + * arm/fat/sha256-compress-2.asm: ...deleted file. + * fat-arm.c: Update fat setup. + +2022-07-11 Niels Möller + + * arm64/crypto/sha256-compress-n.asm: New file. replacing... + * arm64/crypto/sha256-compress.asm: ...deleted file. + * arm64/fat/sha256-compress-n-2.asm: New file. replacing... + * arm64/fat/sha256-compress-2.asm: ...deleted file. + * fat-arm64.c: Update fat setup. + +2022-07-05 Niels Möller + + * md-internal.h (MD_FILL_OR_RETURN): New file, new macro. + * sha256-compress-n.c (_nettle_sha256_compress_n): New file and + function, replacing... + * sha256-compress.c (_nettle_sha256_compress): ...deleted file and + function. + * sha2-internal.h (_nettle_sha256_compress_n): Declare new function.. + * sha256.c (sha256_compress): Update to use + _nettle_sha256_compress_n and MD_FILL_OR_RETURN. + * x86_64/sha256-compress-n.asm: New file. replacing... + * x86_64/sha256-compress.asm: ...deleted file. + * x86_64/sha_ni/sha256-compress-n.asm: New file. replacing... + * x86_64/sha_ni/sha256-compress.asm: ...deleted file. + * fat-setup.h (sha256_compress_n_func): New typedef, replacing... + (sha256_compress_func): ... deleted typedef. + * fat-x86_64.c: Update fat setup. 
+ +2022-06-20 Niels Möller + + * testsuite/sha1-test.c (test_sha1_compress): New function. + (test_main): Add tests for compressing 0, 1 or 2 blocks. + * testsuite/sha256-test.c (test_sha256_compress): New function. + (test_main): Add tests for compressing 0, 1 or 2 blocks. + +2022-06-12 Niels Möller + + From Christian Weisgerber: + * fat-arm64.c (get_arm64_features): Enable runtime feature + detection for openbsd. + +2022-06-09 Niels Möller + + * md5.h (md5_compress): New public name for compression function. + * sha1.h (sha1_compress): Likewise. + + Based on patches from Corentin Labbe: + * sha2.h: Declare new functions. + * sha256.c (sha256_compress): New function. + (COMPRESS): Updated to use sha256_compress. + (sha256_write_digest): Use sha256_compress directly. + * sha512.c (sha512_compress): New function. + (COMPRESS): Updated to use sha512_compress. + (sha512_write_digest): Use sha512_compress directly. + +2022-06-02 Niels Möller + + * Released nettle-3.8. + +2022-05-23 Niels Möller + + * Makefile.in (OPT_SOURCES): Add missing file fat-arm64.c. + + * config.guess: Update to 2022-05-08 version. + * config.sub: Update to 2022-01-03 version. + +2022-05-20 Niels Möller + + * configure.ac: Bump package version, to 3.8. + (LIBNETTLE_MINOR): Bump minor number, to 8.5. + (LIBHOGWEED_MINOR): Bump minor number, to 6.5. + +2022-05-05 Niels Möller + + * nettle.texinfo (CBC): Document cbc_aes128_encrypt, + cbc_aes192_encrypt and cbc_aes256_encrypt. + +2022-04-28 Niels Möller + + * nettle.texinfo (Copyright): Deleted incomplete and out of date + list of authors. Replaced by... + * AUTHORS: New updated list of authors and contributions. + +2022-02-23 Niels Möller + + Analogous s390x update, by Mamone Tarsha: + * fat-s390x.c (fat_init): Update fat init for new _ghash_set_key + and _ghash_update functions, delete setup for old gcm functions. + * s390x/fat/ghash-update-2.asm: New file. + * s390x/fat/ghash-set-key-2.asm: New file. + * s390x/fat/gcm-hash.asm: Deleted. 
+ * s390x/msa_x4/gcm-hash.asm: Deleted, split into two new files... + * s390x/msa_x4/ghash-update.asm: New file. + * s390x/msa_x4/ghash-set-key.asm: New file + +2022-02-22 Niels Möller + + * fat-ppc.c (fat_init): Update fat init for new _ghash_set_key + and _ghash_update functions, delete setup for old gcm functions. + + * powerpc64/fat/ghash-update-2.asm: New file. + * powerpc64/fat/ghash-set-key-2.asm: New file. + * powerpc64/fat/gcm-hash.asm: Deleted. + + * powerpc64/p8/gcm-hash.asm: Deleted, split into two new files... + * powerpc64/p8/ghash-update.asm: New file. + * powerpc64/p8/ghash-set-key.asm: New file + +2022-02-21 Niels Möller + + * fat-arm64.c (fat_init): Update fat init for new _ghash_set_key + and _ghash_update functions, delete setup for old gcm functions. + + * arm64/fat/ghash-update-2.asm: New file. + * arm64/fat/ghash-set-key-2.asm: New file. + * arm64/fat/gcm-hash.asm: Deleted. + + * ghash-update.c (_nettle_ghash_update_c): New name, for fat builds. + + * arm64/crypto/gcm-hash.asm: Deleted, split into two new files... + * arm64/crypto/ghash-set-key.asm: New file. + * arm64/crypto/ghash-update.asm: New file. + +2022-02-19 Niels Möller + + * fat-x86_64.c (fat_init): Update fat init for new _ghash_set_key + and _ghash_update functions, delete setup for old gcm functions. + * fat-setup.h (ghash_set_key_func, ghash_update_func): New + typedefs. + (gcm_init_key_func, gcm_hash_func): Deleted typedefs. + * x86_64/fat/ghash-update.asm: New file. + * x86_64/fat/ghash-update-2.asm: New file. + * x86_64/fat/ghash-set-key-2.asm: New file. + * x86_64/fat/gcm-hash.asm: Deleted. + * ghash-set-key.c (_nettle_ghash_set_key_c): New name, for fat + builds. + * configure.ac (asm_nettle_optional_list): Add ghash-set-key-2.asm + ghash-update-2.asm. + + * ghash-set-key.c (_ghash_digest): Deleted, and also deleted + assembly implementations. + * gcm.c (gcm_digest): Replace call to _ghash_digest with block16_xor. 
+ + * x86_64/pclmul/gcm-hash.asm: Deleted, split into two new files... + * x86_64/pclmul/ghash-set-key.asm: New file. + * x86_64/pclmul/ghash-update.asm: New file. + + * configure.ac (asm_replace_list): Add ghash-set-key.asm ghash-update.asm. + (asm_nettle_optional_list): Delete gcm-hash.asm gcm-hash8.asm. + * x86_64/ghash-update.asm: New file, based on old gcm-hash8.asm, + but without any handling of partial blocks. + * x86_64/gcm-hash8.asm: Deleted. + + * ghash-set-key.c (_ghash_digest): Moved function from... + * ghash-update.c (_ghash_digest): ...old location. + +2022-02-18 Niels Möller + + * block-internal.h (block16_zero): New function. + + * ghash-internal.h: New file, declaring new internal ghash interface. + * gcm-internal.h: Deleted file. + * ghash-update.c (gcm_gf_shift_8): Moved here (from gcm.c) + (gcm_gf_mul): Likewise. + (_ghash_update): New function, extracted from _nettle_gcm_hash_c. + (_ghash_digest): New function. + * ghash-set-key.c (_ghash_set_key): New file and function. + Extracted from _nettle_gcm_init_key_c and _nettle_gcm_set_key. + + * gcm.c (INC32): Deleted macro, used in only one place. + (gcm_set_key): Update to use _ghash_set_key. + (gcm_hash): Renamed, was _gcm_hash, and implemented in terms of + _ghash_update. + (bswap_if_le): New function (copied from nist-keywrap.c). + (gcm_hash_sizes): Use bswap_if_le and _ghash_update. + (gcm_set_iv): Updated to use gcm_hash and block16_zero. + (gcm_digest): Use _ghash_digest. + + * testsuite/gcm-test.c (test_ghash_internal): Updated to use + _ghash_set_key and _ghash_update. + + * Makefile.in (nettle_SOURCES): Add ghash-set-key.c ghash-update.c. + (DISTFILES): Replaced gcm-internal.h with ghash-internal.h. + +2022-02-17 Niels Möller + + * gcm.c: Require that GCM_TABLE_BITS == 8. Delete old code for + GCM_TABLE_BITS == 0 and GCM_TABLE_BITS == 4. + * gcm-internal.h: Delete checks for GCM_TABLE_BITS != 8. + * fat-x86_64.c: Likewise. + * fat-s390x.c: Likewise. + * fat-ppc.c: Likewise. 
+ * fat-arm64.c: Likewise. + +2022-02-15 Niels Möller + + * fat-x86_64.c: Add fat setup for gcm. + * x86_64/fat/gcm-hash.asm: New file. + + * Makefile.in (distdir): Add x86_64/pclmul directory. + * configure.ac: New configure option --enable-x86-pclmul. + (asm_path): Add x86_64/pclmul, if above option is set. + * x86_64/pclmul/gcm-hash.asm: New file, initial implementation of + GCM using the pclmulqdq instructions. + +2022-02-08 Niels Möller + + * gcm-internal.h (_gcm_hash): Arrange so that this is an alias for + the appropriate implementation. Updated all users. + * gcm.c (_nettle_gcm_set_key): New internal function, intended to + make tests of internal ghash functions easier. + (gcm_set_key): Use it. + * testsuite/gcm-test.c (test_ghash_internal): New function. + (test_main): Add tests of internal ghash functions, with keys + corresponding to various single-bit polynomials. + +2022-01-28 Niels Möller + + * testsuite/poly1305-test.c (poly1305_internal): Renamed function, + was test_poly1305_internal. + (test_poly1305_internal): New helper function. + (test_fixed): New function, to test internal functions with fixed + test inputs. + (test_random): Use test_poly1305_internal. + (test_main): Call test_fixed. + + * misc/poly1305-gen-example.pike: Program to generate poly1305 + inputs with a given digest. + +2022-01-27 Niels Möller + + * x86_64/poly1305-internal.asm: Rewrote. Rearrange folding, so + that all the multiply instructions needed to process a block are + independent of each other. Measured speedup of 16% on AMD zen2 and + 28% on Intel broadwell, and expected to be generally faster. + * asm.m4 (P1305): Rearrange struct contents, to fit 64-bit entries + S0 and H2. Total struct size unchanged. + +2022-01-25 Niels Möller + + Chacha implementation for arm64, contributed by Mamone Tarsha. + * arm64/chacha-core-internal.asm: New file. + * arm64/chacha-2core.asm: New file. 
+ * arm64/chacha-4core.asm: New file + +2022-01-24 Niels Möller + + * powerpc64/ecc-secp224r1-modp.asm: New file, contributed by + Amitay Isaacs. + * powerpc64/ecc-curve25519-modp.asm: New file, contributed by + Martin Schwenke & Alastair D´Silva + * powerpc64/ecc-curve448-modp.asm: New file, contributed by Martin + Schwenke & Amitay Isaacs. + +2022-01-23 Niels Möller + + * testsuite/poly1305-test.c (test_poly1305_internal): New function. + (ref_poly1305_internal): New function. + (test_random): New function. + (test_main): Call test_random. + + Arrange so that GMP or mini-gmp is always available for tests. + * testsuite/testutils.h [!WITH_HOGWEED]: Include mini-gmp.h. + * testsuite/testutils.c [!WITH_HOGWEED]: Include mini-gmp.c. + +2022-01-21 Niels Möller + + * powerpc64/ecc-secp192r1-modp.asm: New file, contributed by + Amitay Isaacs. + * powerpc64/ecc-secp384r1-modp.asm: New file, contributed by + Martin Schwenke, Amitay Isaacs & Alastair D´Silva. + * powerpc64/ecc-secp521r1-modp.asm: New file, contributed by + Martin Schwenke & Alastair D´Silva. + +2022-01-17 Niels Möller + + * testsuite/testutils.c (test_ecc_point_valid_p): New function, + moved from... + * testsuite/ecdsa-keygen-test.c (ecc_valid_p): ... old copy. + * testsuite/gostdsa-keygen-test.c (ecc_valid_p): ... old copy. + * testsuite/testutils.h: Declare it. + (test_randomize) [NETTLE_USE_MINI_GMP]: Use inline function rather + than macro for dummy definition, to avoid compile time warnings. + +2022-01-10 Niels Möller + + * powerpc64/ecc-secp256r1-redc.asm: Reduce number of registers + used, eliminating save and restore of callee-save registers. + Speedup of 7% reported for POWER9 (and marginal speedup of secp256 + sign and verify operations). + +2022-01-04 Niels Möller + + * configure.ac (ELFV2_ABI): New substituted variable, set on + powerpc64 based on the _CALL_ELF define. + * config.m4.in (ELFV2_ABI): Substituted here. 
+ * powerpc64/machine.m4: Use ELFV2_ABI rather than WORDS_BIGENDIAN + to select abi flavor. Intended to support ppc64be + musl, which, + unlike other big-endian configurations, uses ELFv2. + +2021-12-09 Niels Möller + + * x86_64/ecc-secp256r1-redc.asm: New folding scheme with one less + carry propagation phase, and fewer registers, avoiding save and + restore of callee-save registers. 17% speedup of this function on + AMD Ryzen 5, resulting in a modest improvement in ecdsa + performance. + + * powerpc64/ecc-secp256r1-redc.asm: New file, contributed by + Amitay Isaacs. + +2021-11-29 Niels Möller + + From Tianjia Zhang: SM3 hash function. + * sm3.h: New file. + * sm3.c: New file. + * sm3-meta.c: New file. + * hmac-sm3.c: New file. + * hmac-sm3-meta.c: New file. + * testsuite/sm3-test.c: New file. + * nettle.texinfo: Document SM3. + +2021-11-19 Niels Möller + + * gmp-glue.c (mpz_limbs_cmp): Deleted function. Usage replaced + with mpz_roinit_n and mpz_cmp. + (mpz_limbs_read_n): Deleted function. Usage in tests only, + replaced with mpz_limbs_copy. + +2021-11-15 Niels Möller + + * testsuite/eddsa-compress-test.c (test_main): Use test_randomize. + * testsuite/ecc-redc-test.c (test_main): Likewise. + * testsuite/ecc-mul-g-test.c (test_main): Likewise. + * testsuite/ecc-mul-a-test.c (test_main): Likewise. + + * testsuite/ecc-modinv-test.c (test_modulo): Trim allocation for + result area. + (test_main): Use test_randomize. + * testsuite/ecc-sqrt-test.c (test_sqrt): Trim allocation. + (test_sqrt_ratio): Trim allocation. Fix sqrt_ratio test for v = 0, + failure is expected. + (test_main): Use test_randomize. + +2021-11-13 Niels Möller + + * testsuite/testutils.c (get_random_seed): Move function here. + (test_randomize): New function. + * testsuite/ecc-mod-test.c (get_random_seed): Delete old copy. + (test_main): Use test_randomize. + * testsuite/rsa-compute-root-test.c (get_random_seed): Delete old copy. + (test_main): Use test_randomize. 
+ + * ecc-secp224r1.c (ecc_secp224r1_sqrt): Fix result for zero + input, which needs handling as a special case in the + Tonelli-Shanks algorithm. + + * testsuite/ecc-sqrt-test.c (test_sqrt_ratio): Check that sqrt(0) + returns 0. + (test_sqrt_ratio): Check that sqrt (0/1) returns 0. + +2021-11-11 Niels Möller + + * eccdata.c (output_curve): Output ecc_sqrt_z and ECC_SQRT_E only + when computed. Fixes uninitialized value bug from previous change. + + * ecc-secp384r1.c (ecc_mod_pow_288m32m1): New function. + (ecc_secp384r1_inv): Use ecc_mod_pow_288m32m1. + (ecc_secp384r1_sqrt): Likewise. + + * eccdata.c (output_curve): Delete generation of unused values + ecc_sqrt_t and ECC_SQRT_T_BITS. + +2021-11-10 Niels Möller + + * eccdata.c (output_bignum_redc): New function. + (output_curve): Generate both redc and non-redc versions of + ecc_sqrt_z. Fixes secp224r1 sqrt, in configs using redc. + +2021-11-08 Niels Möller + + Square root functions, based on patch by Wim Lewis. + * ecc-internal.h (ecc_mod_sqrt_func): New typedef. + (struct ecc_modulo): Add sqrt function pointer and sqrt_itch. + Update all curve definitions. + * ecc-secp192r1.c (ECC_SECP192R1_SQRT_ITCH): New constant. + (ecc_secp192r1_sqrt): New function. + * ecc-secp256r1.c (ecc_secp256r1_sqrt): New function. + * ecc-secp384r1.c (ecc_secp384r1_sqrt): New function. + * ecc-secp521r1.c (ecc_secp521r1_sqrt): New function. + * ecc-secp224r1.c (ecc_secp224r1_sqrt): New function, using + Tonelli-Shanks' algorithm. + + * testsuite/ecc-sqrt-test.c (test_sqrt): New function. + (test_sqrt_ratio): Renamed function (was test_modulo). + (test_main): Test sqrt function, for curves that define it. + + * ecc-secp224r1.c (ecc_mod_pow_127m1): New function. + +2021-11-07 Niels Möller + + * ecc-internal.h (struct ecc_modulo): Renamed sqrt_itch to + sqrt_ratio_itch. + * eddsa-decompress.c (_eddsa_decompress_itch): Updated. + + * ecc-curve448.c (ECC_CURVE448_SQRT_RATIO_ITCH): Renamed, from ... + (ECC_CURVE448_SQRT_ITCH): ... old name. 
+ (ecc_curve448_sqrt_ratio): Renamed, from ... + (ecc_curve448_sqrt): ... old name. + (_nettle_curve448): Updated. + + * ecc-curve25519.c (ECC_25519_SQRT_RATIO_ITCH): Renamed, from ... + (ECC_25519_SQRT_ITCH): ... old name + (ecc_curve25519_sqrt_ratio): Renamed, from ... + (ecc_curve25519_sqrt): ... old name. + (_nettle_curve25519): Updated. + + * ecc-internal.h (ecc_mod_sqrt_ratio_func): Renamed typedef... + (ecc_mod_sqrt_func): ... from old name. + (struct ecc_modulo): Renamed corresponding function pointer to + sqrt_ratio. Updated all uses. + +2021-10-28 Niels Möller + + * ecc-mod-arith.c (ecc_mod_equal_p): New function, moved from + ecc-modinv-test.c. Based on patch by Wim Lewis. + * testsuite/ecc-modinv-test.c (mod_eq_p): Deleted, replaced with ecc_mod_equal_p. + +2021-10-26 Niels Möller + + * ecc-mod-arith.c (ecc_mod_zero_p): New function. + * ecc-curve25519.c (ecc_curve25519_zero_p): Use it. + * ecc-curve448.c (ecc_curve448_zero_p): Deleted, usage replaced + with ecc_mod_zero_p. + * testsuite/ecc-modinv-test.c (mod_eq_p): Rewritten to use + ecc_mod_zero_p, and require that one input is canonically reduced. + (zero_p): Deleted, usage replaced with ecc_mod_zero_p. + +2021-10-23 Niels Möller + + * gmp-glue.c (sec_zero_p): New function. + * ecc-curve25519.c (ecc_curve25519_zero_p): Use it. + * ecc-curve448.c (ecc_curve448_zero_p): Use it. + * ecc-random.c (ecdsa_in_range): Use it. + (zero_p): Delete static function. + +2021-10-22 Niels Möller + + * ecc-secp256r1.c: Rework ad-hoc reduction functions. In + particular, arranged to always use single-limb quotients, no q2 + quotient carry. + (ecc_secp256r1_modp): Reimplemented, closer to 2/1 division, + (ecc_secp256r1_modq): Reimplemented, closer to divappr2 division. + +2021-10-06 Niels Möller + + * testsuite/ecc-mod-test.c: Extend tests to give better coverage + of corner cases, with input close to a multiple of the modulo. 
+ +2021-09-21 Niels Möller + + * Makefile.in (nettle.pdf): Generate pdf manual using texi2pdf, + rather than texi2dvi + dvips + ps2pdf, which makes hyperlinks work + better. + + * nettle.texinfo: Delete explicit node pointers in nettle.texinfo + Instead, rely on makeinfo's automatic pointer creation. + (Cipher functions): Split into nodes, with proper menu. + +2021-09-14 Niels Möller + + * cbc.h (cbc_aes128_encrypt, cbc_aes192_encrypt) + (cbc_aes256_encrypt): Change interface, take cipher context + pointer and iv as separate arguments. Update C and x86_64 + implementations and corresponding glue code. + + * testsuite/testutils.c (test_aead): Test encrypt/decrypt with + message split into pieces. + +2021-09-12 Niels Möller + + * Merged CBC-AES changes into master branch. + +2021-09-09 Niels Möller + + Implementation of CBC-AES for x86_64 aesni. Roughly 40%-50% + speedup benchmarked on Ryzen 5. + * x86_64/aesni/cbc-aes128-encrypt.asm: New file. + * x86_64/aesni/cbc-aes192-encrypt.asm: New file. + * x86_64/aesni/cbc-aes256-encrypt.asm: New file. + * x86_64/fat/cbc-aes128-encrypt-2.asm: New file. + * x86_64/fat/cbc-aes192-encrypt-2.asm: New file. + * x86_64/fat/cbc-aes256-encrypt-2.asm: New file. + * configure.ac (asm_nettle_optional_list, asm_replace_list): Add + new asm files. + * fat-setup.h (cbc_aes128_encrypt_func, cbc_aes192_encrypt_func) + (cbc_aes256_encrypt_func): New typedefs. + * fat-x86_64.c (fat_init): Use new functions, when aesni is available + +2021-09-08 Niels Möller + + * cbc-aes128-encrypt.c (nettle_cbc_aes128_encrypt): New file and + function. + * cbc-aes192-encrypt.c (cbc_aes192_set_encrypt_key): New file. + * cbc-aes256-encrypt.c (cbc_aes256_set_encrypt_key): New file. + * cbc.h (cbc_aes128_ctx, struct cbc_aes192_ctx, cbc_aes256_ctx): + New context structs. Declare new functions. + * Makefile.in (nettle_SOURCES): Add new files. 
+ * nettle-internal.c (nettle_cbc_aes128, nettle_cbc_aes192) + (nettle_cbc_aes256): New algorithm structs, for tests and + benchmarking. + * testsuite/testutils.c (test_aead): Skip tests of decryption and + authentication, if corresponding function pointers are NULL. + * testsuite/cbc-test.c (test_main): Add tests of new cbc + functions. + * examples/nettle-benchmark.c (time_aead): Skip decrypt benchmark, + if corresponding function pointer is NULL. + +2021-09-09 Niels Möller + + * x86_64/fat/cpuid.asm: Fix usage of W64_ENTRY and W64_EXIT, to + make fat builds work on 64-bit windows. + +2021-08-16 Niels Möller + + S390x functions for sha1, sha256 and sha512, from Mamone Tarsha: + * s390x/msa/sha1-compress.asm: New file. + * s390x/msa_x1/sha256-compress.asm: Likewise. + * s390x/msa_x2/sha512-compress.asm: Likewise. + * s390x/fat/sha1-compress-2.asm: Likewise. + * s390x/fat/sha256-compress-2.asm: Likewise. + * s390x/fat/sha512-compress-2.asm: Likewise. + * fat-s390x.c: Update fat setup. + * Makefile.in (distdir): Add s390x/msa_x1. + +2021-08-10 Niels Möller + + * x86_64/aesni/aes128-encrypt.asm: New file, with 2-way loop. + * x86_64/aesni/aes128-decrypt.asm: Likewise. + * x86_64/aesni/aes192-encrypt.asm: Likewise. + * x86_64/aesni/aes192-decrypt.asm: Likewise. + * x86_64/aesni/aes256-encrypt.asm: Likewise. + * x86_64/aesni/aes256-decrypt.asm: Likewise. + * x86_64/aesni/aes-encrypt-internal.asm: Deleted. + * x86_64/aesni/aes-decrypt-internal.asm: Deleted. + * x86_64/fat/: Corresponding new and deleted files. + * fat-x86_64.c: Update fat setup accordingly. + +2021-08-09 Niels Möller + + Arm64 AES functions, from Mamone Tarsha: + * arm64/crypto/aes128-decrypt.asm: New file. + * arm64/crypto/aes128-encrypt.asm: New file. + * arm64/crypto/aes192-decrypt.asm: New file. + * arm64/crypto/aes192-encrypt.asm: New file. + * arm64/crypto/aes256-decrypt.asm: New file. + * arm64/crypto/aes256-encrypt.asm: New file. + * arm64/fat/aes128-decrypt-2.asm: New file. 
+ * arm64/fat/aes128-encrypt-2.asm: New file. + * arm64/fat/aes192-decrypt-2.asm: New file. + * arm64/fat/aes192-encrypt-2.asm: New file. + * arm64/fat/aes256-decrypt-2.asm: New file. + * arm64/fat/aes256-encrypt-2.asm: New file. + * configure.ac: Add aes to arm64 FAT_TEST_LIST. + * fat-arm64.c: Update fat setup. + +2021-08-06 Niels Möller + + S390x xor functions, from Mamone Tarsha: + * configure.ac: New configure option --enable-s390x-vf. + * fat-s390x.c: Fat setup for memxor3. + * s390x/vf/memxor3.asm: New file. + * s390x/memxor.asm: New file. + * s390x/machine.m4 (XOR_LEN): New macro. + * s390x/fat/memxor3-2.asm: New file. + +2021-07-24 Niels Möller + + Merged s390x code. + + GCM and fat build support for s390x, contributed by Mamone Tarsha: + * s390x/machine.m4: New file. + * s390x/msa_x4/gcm-hash.asm: New file. + * fat-s390x.c: New file. + * s390x/fat/cpu-facility.asm: New file. + * s390x/fat/: New wrapper files for aes and gcm assembly. + +2021-07-21 Niels Möller + + * Makefile.in (OPT_SOURCES): Add fat-s390x.c. + +2021-05-09 Niels Möller + + Implementation of AES using s390x "message security assist" + extensions. Contributed by Mamone Tarsha: + * s390x/msa_x1/aes128-decrypt.asm: New file. + * s390x/msa_x1/aes128-encrypt.asm: New file. + * s390x/msa_x1/aes128-set-decrypt-key.asm: New file. + * s390x/msa_x1/aes128-set-encrypt-key.asm: New file. + * s390x/msa_x2/aes192-decrypt.asm: New file. + * s390x/msa_x2/aes192-encrypt.asm: New file. + * s390x/msa_x2/aes192-set-decrypt-key.asm: New file. + * s390x/msa_x2/aes192-set-encrypt-key.asm: New file. + * s390x/msa_x2/aes256-decrypt.asm: New file. + * s390x/msa_x2/aes256-encrypt.asm: New file. + * s390x/msa_x2/aes256-set-decrypt-key.asm: New file. + * s390x/msa_x2/aes256-set-encrypt-key.asm: New file. + * configure.ac: Renamed option to --enable-s390x-msa. Enables both + mas_x1 and msa_x2. + (asm_replace_list): Add more aes files. + * Makefile.in (distdir): Add s390x/msa_x1 s390x/msa_x2 directories. 
+ +2021-04-01 Niels Möller + + Move aes128_encrypt and similar functions to their own files. To + make it easier for assembly implementations to override specific + AES variants. + * aes-decrypt.c: Split file, keep only legacy function aes_decrypt here. + * aes-decrypt-table.c (_nettle_aes_decrypt_table): New file, moved + table here. + * aes128-decrypt.c (aes128_decrypt): New file, moved function here. + * aes192-decrypt.c (aes192_decrypt): New file, moved function here. + * aes256-decrypt.c (aes256_decrypt): New file, moved function here. + * aes-encrypt.c: Split file, keep only legacy function aes_encrypt here. + * aes128-encrypt.c (aes128_encrypt): New file, moved function here. + * aes192-encrypt.c (aes192_encrypt): New file, moved function here. + * aes256-encrypt.c (aes256_encrypt): New file, moved function here. + * Makefile.in (nettle_SOURCES): Add new files. + +2021-03-28 Niels Möller + + Initial config for s390x, contributed by Mamone Tarsha. + * configure.ac: Add flag --enable-s390x-msa-x1. Add ABI check for + s390x, and setup asm_path. + * Makefile.in (distdir): Add s390x directory. + * s390x/README: New file + +2021-07-08 Niels Möller + + * configure.ac (FAT_TEST_LIST): Add sha2 to aarch64 fat tests. + + From Mamone Tarsha: + * arm64/fat/sha256-compress-2.asm: New file. + * arm64/crypto/sha256-compress.asm: New file. + * fat-arm64.c: Add setup for nettle_sha1_compress. + +2021-06-30 Niels Möller + + * configure.ac (FAT_TEST_LIST): Add sha1 to aarch64 fat tests. + + From Mamone Tarsha: + * fat-arm64.c: Add setup for nettle_sha1_compress. + * arm64/fat/sha1-compress-2.asm: New file. + +2021-06-01 Niels Möller + + From Mamone Tarsha: + * arm64/crypto/sha1-compress.asm: New file. + +2021-05-17 Niels Möller + + Bug fixes merged from from 3.7.3 release (starting from 2021-05-06). + * rsa-decrypt-tr.c (rsa_decrypt_tr): Check up-front that input is + in range. + * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise. + * rsa-decrypt.c (rsa_decrypt): Likewise. 
+ * testsuite/rsa-encrypt-test.c (test_main): Add tests with input > n. + +2021-05-14 Niels Möller + + * rsa-sign-tr.c (rsa_sec_blind): Delete mn argument. + (_rsa_sec_compute_root_tr): Delete mn argument, instead require + that input size matches key size. Rearrange use of temporary + storage, to support in-place operation, x == m. Update all + callers. + + * rsa-decrypt-tr.c (rsa_decrypt_tr): Make zero-padded copy of + input, for calling _rsa_sec_compute_root_tr. + * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise. + + * testsuite/rsa-encrypt-test.c (test_main): Test calling all of + rsa_decrypt, rsa_decrypt_tr, and rsa_sec_decrypt with zero input. + +2021-05-06 Niels Möller + + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message + length is valid, for given key size. + * testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for + calls to rsa_sec_decrypt specifying a too large message length. + +2021-05-23 Niels Möller + + From Nicolas Mora: Implement aes key wrap and key unwrap (RFC 3394). + * nist-keywrap.c (bswap_if_le, nist_keywrap16, nist_keyunwrap16) + (aes128_keywrap, aes192_keywrap, aes256_keywrap) + (aes128_keyunwrap, aes192_keyunwrap, aes256_keyunwrap): New file, + new functions. + * nist-keywrap.h: New header file. + * Makefile.in (nettle_SOURCES): Add nist-keywrap.c. + (HEADERS): Add nist-keywrap.h. + * testsuite/aes-keywrap-test.c (test_main): New tests. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add aes-keywrap-test.c. + +2021-04-13 Niels Möller + + * powerpc64/p8/aes-encrypt-internal.asm (SWAP_MASK): Change macro + name to use all uppercase. + * powerpc64/p8/aes-decrypt-internal.asm (SWAP_MASK): Likewise. + +2021-04-11 Niels Möller + + * config.guess: Update to 2021-01-25 version, from savannah's + config.git. Needed to recognize M1 Macs. + * config.sub: Similarly update to 2021-03-10 version. + +2021-03-24 Niels Möller + + * .gitlab-ci.yml: Add remote tests for s390x. 
+ +2021-03-22 Niels Möller + + Arm64 improvements, including fat build support. Contributed by + Mamone Tarsha: + * configure.ac (asm_path): Setup for arm64 fat builds. + * fat-arm64.c: New file. + * fat-arm64.c: New file. + * arm64/fat/gcm-hash.asm: New file. + * arm64/crypto/gcm-hash.asm: Improved docs. Use m4 macros rather + than as macros. + (LOAD_REV_PARTIAL_BLOCK): New macro. + * arm64/README: Improved docs. + +2021-03-21 Niels Möller + + * Released nettle-3.7.2 with ecc bug-fixes only. + + * NEWS: NEWS entries for 3.7.2. + +2021-03-13 Niels Möller + + * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to + compute the scalar used for ecc multiplication. + + * eddsa-hash.c (_eddsa_hash): Ensure result is canonically + reduced. Two of the three call sites need that. + + * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical + to compute the scalars used for ecc multiplication. + + * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to + canonical range. + + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical + to compute the scalars used for ecc multiplication. + * testsuite/ecdsa-verify-test.c (test_main): Add test case that + triggers an assert on 64-bit platforms, without above fix. + * testsuite/ecdsa-sign-test.c (test_main): Test case generating + the same signature. + +2021-03-13 Niels Möller + + * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. + +2021-03-11 Niels Möller + + * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): + New functions. + * ecc-internal.h: Declare and document new functions. + * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. + * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. + * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. + * ecc-j-to-a.c (ecc_j_to_a): Likewise. + * ecc-mul-m.c (ecc_mul_m): Likewise. + +2021-03-04 Niels Möller + + Merged initial arm64 code. 
+ +2021-02-03 Niels Möller + + * arm64/crypto/gcm-hash.asm: Renamed directory, moved file,... + * arm64/v8/gcm-hash.asm: ... old name. + +2021-02-02 Niels Möller + + * arm64/v8/gcm-hash.asm: Add ".arch armv8-a+crypto" directive. + Supported by both GNU as and clang (the latter at least from + version 3.9.1). + * configure.ac: Don't add -march=armv8-a+crypto to CFLAGS. + +2021-01-31 Niels Möller + + * arm64/v8/gcm-hash.asm: New file, contributed by Maamoun TK and + Michael Weiser. + * arm64/README: New file. Document endianness issues, contributed + by Michael Weiser. + +2021-02-17 Niels Möller + + * Released Nettle-3.7.1. + +2021-02-15 Niels Möller + + * examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted + glue to openssl arcfour. + (openssl_arcfour128_set_encrypt_key) + (openssl_arcfour128_set_decrypt_key): Deleted. + * nettle-internal.h: Deleted declaration. + * examples/nettle-benchmark.c (aeads): Delete benchmarking. + +2021-02-13 Niels Möller + + * configure.ac: Bump package version, to 3.7.1. + (LIBNETTLE_MINOR): Bump minor number, to 8.2. + (LIBHOGWEED_MINOR): Bump minor number, to 6.2. + +2021-02-10 Niels Möller + + * chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case + that counter increment should be 3 (129 <= message length <= 192). + (_nettle_chacha_crypt32_4core): Likewise. + + * testsuite/chacha-test.c (test_chacha_rounds): New function, for + tests with non-standard round count. Extracted from _test_chacha. + (_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32 + handling. When testing message prefixes of varying length, also + encrypt the remainder of the message, to catch errors in counter + value update. + (test_main): Add a few tests with large messages (16 blocks, 1024 + octets), to improve test coverage for _nettle_chacha_crypt_4core + and _nettle_chacha_crypt32_4core. + +2021-01-25 Niels Möller + + * arm/neon/salsa20-core-internal.asm: Deleted file. 
This ARM Neon + implementation reportedly gave a speedup of 45% on Cortex A9, + compared to the C implementation, when it was added back in 2013. + That appears to no longer be the case with more recent processors + and compilers. And it's even significantly slower than the C + implementation on some platforms, including the Raspberry Pi 4. + With the introduction of salsa20-2core.asm, performance of this + function is also less important. + * arm/neon/chacha-core-internal.asm: Deleted file, for analogous reasons. + * arm/fat/salsa20-core-internal-2.asm: Deleted file. + * arm/fat/chacha-core-internal-2.asm: Deleted file. + * fat-arm.c (_nettle_salsa20_core, _nettle_chacha_core): Delete fat setup. + +2021-01-31 Niels Möller + + New variants, contributed by Nicolas Mora. + * pbkdf2-hmac-sha384.c (pbkdf2_hmac_sha384): New file and function. + * pbkdf2-hmac-sha512.c (pbkdf2_hmac_sha512): New file and function. + * testsuite/pbkdf2-test.c (test_main): Corresponding tests. + +2021-01-20 Niels Möller + + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Fix corner case with + all-zero hash. Reported by Guido Vranken. + * testsuite/ecdsa-verify-test.c: Add corresponding test case. + +2021-01-10 Niels Möller + + * fat-ppc.c: Don't use __GLIBC_PREREQ in the same preprocessor + conditional as defined(__GLIBC_PREREQ), but move to a nested #if + conditional. Fixes compile error on OpenBSD/powerpc64, reported by + Jasper Lievisse Adriaanse. + +2021-01-04 Niels Möller + + * Released Nettle-3.7. + +2020-12-27 Niels Möller + + * configure.ac: Enable fat build by default. + +2020-12-26 Niels Möller + + * NEWS: News entries for Nettle-3.7. + + * Makefile.in (distdir): Distribute the README files in assembly + directories. + + * configure.ac: Bump package version, to 3.7. + (LIBNETTLE_MINOR): Bump minor number, to 8.1. + (LIBHOGWEED_MINOR): Bump minor number, to 6.1. + +2020-12-21 Niels Möller + + From Mamone Tarsha: + * fat-ppc.c: Check glibc version, and use getauxval only when available. 
+ +2020-12-12 Niels Möller + + * powerpc64/p7/chacha-4core.asm: More interleaving of independent + instructions, gives slight speedup on Power9. + +2020-12-01 Niels Möller + + * powerpc64/p7/chacha-4core.asm: Use protected zone below stack + pointer to save registers, without modifying the stack pointer. + (QR): Instruction level interleaving in the main loop, written by + Torbjörn Granlund. + +2020-11-30 Niels Möller + + * m4-utils.m4 (m4_unquote): New macro, copied from GMP's + mpn/asm-defs.m4. + + * chacha-crypt.c: (_nettle_chacha_crypt_4core) + (_nettle_chacha_crypt32_4core): New functions. + (_nettle_chacha_crypt_2core, _nettle_chacha_crypt32_2core): + Deleted, no longer needed. + * chacha-internal.h: Add prototypes for _nettle_chacha_4core and + related functions. + * configure.ac (asm_nettle_optional_list): Add chacha-4core.asm. + * powerpc64/fat/chacha-4core.asm: New file. + * powerpc64/p7/chacha-4core.asm: New file. + * fat-ppc.c (fat_init): When altivec is available, use + _nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core + instead of _2core variants. + + * chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in + handling of counter; this function should not propagate any carry. + + * aes-internal.h: Delete name mangling of internal symbols. Update + all internal references to use _nettle prefix. + * camellia-internal.h: Likewise. + * chacha-internal.h: Likewise. + * ctr-internal.h: Likewise. + * dsa-internal.h: Likewise. + * gost28147-internal.h: Likewise. + * poly1305-internal.h: Likewise. + * salsa20-internal.h: Likewise. + * sha3-internal.h: Likewise. + * umac-internal.h: Likewise. + +2020-11-26 Niels Möller + + Enable powerpc64 gcm code in fat builds. Based on patch + contributed by Mamone Tarsha: + * powerpc64/fat/gcm-hash.asm: New file. + * configure.ac: Add HAVE_NATIVE_fat_gcm_init_key and + HAVE_NATIVE_fat_gcm_hash. + * gcm.c (gcm_init_key): Renamed, to ... + (_nettle_gcm_init_key_c): ... new name. Add fat setup conditionals. 
+ (gcm_hash): Renamed, to... + (_nettle_gcm_hash_c): ... new name. Add fat setup conditionals. + * fat-setup.h (gcm_init_key_func, gcm_hash_func): New typedefs. + * fat-ppc.c: Select implementations of _nettle_gcm_init_key and _nettle_gcm_hash. + * gcm-internal.h: New file. + * Makefile.in (DISTFILES): Add gcm-internal.h. + + * powerpc64/p8/gcm-hash.asm: New file, contributed by Mamone + Tarsha. Implements _nettle_gcm_init_key and _nettle_gcm_hash. + +2020-11-28 Niels Möller + + * powerpc64/p7/chacha-2core.asm: Simplify counter carry handling + using the vaddcuw instruction. + + Merge changes by Marco Bodrato and Torbjorn Granlund, from the + gmp/mini-gmp copy of this file. + * run-tests: Delete special handling of zero arguments. Update + WINEPATH, instead of overwriting it. + +2020-11-27 Niels Möller + + * aclocal.m4: Replace some calls to exit with return, since exit + requires stdlib.h. Including patch contributed by Adrien Béraud. + + * testsuite/version-test.c: Include version.h. Patch contributed + by Brian Smith. + +2020-11-25 Niels Möller + + * powerpc64/p7/chacha-2core.asm: Add byte swapping of output, for + big-endian builds. + +2020-11-24 Niels Möller + + Enable ppc chacha_2core in fat builds. + * configure.ac: Add HAVE_NATIVE_fat_chacha_2core. + * chacha-crypt.c: Check HAVE_NATIVE_fat_chacha_2core. + * chacha-internal.h (_chacha_crypt_2core, _chacha_crypt32_2core): + Add declarations. + * fat-ppc.c (fat_init): Use _nettle_chacha_crypt_2core and + _nettle_chacha_crypt32_2core when altivec is available. + * powerpc64/fat/chacha-2core.asm: New file, including p7 version. + +2020-11-23 Niels Möller + + * powerpc64/p7/chacha-2core.asm: New file. + + * chacha-crypt.c (_chacha_crypt_2core, _chacha_crypt32_2core): New + variants of chacha_crypt, using _chacha_2core to do two blocks at + a time. + * chacha-internal.h (_chacha_2core, _chacha_2core32): Add declarations. + * configure.ac (asm_nettle_optional_list): Add chacha-2core.asm. 
+ +2020-11-14 Niels Möller + + * ecc-mod-inv.c (ecc_mod_inv): Use passed in scratch for all + scratch needs, don't use memory after the result area. + * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Update invert call. + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. + * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. + * ecc-j-to-a.c (ecc_j_to_a): Likewise. + * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise. + * curve25519-eh-to-x.c (curve25519_eh_to_x): Likewise. + * curve448-eh-to-x.c (curve448_eh_to_x): Update invert call, and + reduce scratch need from 9*size to 5*size. + * ecc-internal.h (ECC_MOD_INV_ITCH, ECC_J_TO_A_ITCH) + (ECC_EH_TO_A_ITCH): Update accordingly, but no change in total + scratch need. + +2020-11-13 Niels Möller + + * ecc-internal.h (ECC_J_TO_A_ITCH): Generalize, and take invert + itch as an argument, similarly to ECC_EH_TO_A_ITCH. Updated all + secp and gost curve definitions to use it. + +2020-10-21 Niels Möller + + * ecc-secp384r1.c (ecc_secp384r1_inv): New function, modular + inverse using powering. + (_nettle_secp_384r1): Analogous updates. Increases signing + performance roughly 15% on x86_64. + +2020-10-20 Niels Möller + + * ecc-mod-inv.c (ecc_mod_inv_redc): Deleted, no longer needed. + (ecc_mod_inv_destructive): Deleted, merged with ecc_mod_inv. + + * ecc-secp256r1.c (ecc_secp256r1_inv): New function, modular + inverse using powering. + (_nettle_secp_256r1): Analogous updates. Increases signing + performance roughly 6% on x86_64. + + * ecc-secp224r1.c (ecc_secp224r1_inv): New function, modular + inverse using powering. + (_nettle_secp_224r1): Analogous updates. Increases signing + performance roughly 17% on x86_64. + +2020-10-19 Niels Möller + + * ecc-secp521r1.c (ecc_secp521r1_inv): New function, modular + inverse using powering. + (_nettle_secp_521r1): Analogous updates. Increases signing + performance roughly 15% on x86_64. + +2020-10-15 Niels Möller + + * ecc-secp192r1.c (ecc_secp192r1_inv): New function, modular + inverse using powering. 
+ (_nettle_secp_192r1): Use it for p.invert, and also update + h_to_a_itch. Increases signing performance roughly 25% on x86_64. + + * testsuite/ecc-modinv-test.c (test_modulo): Allow invert function + to return a non-canonical representation. + +2020-11-08 Niels Möller + + Merge refactoring of ecc modulo and reduce functions. + * eddsa-sign.c (_eddsa_sign_itch): Update, since now point + multiplication needs less scratch than point compression. + * eddsa-pubkey.c (_eddsa_public_key_itch): Likewise. + + * ecc-internal.h: Update *_ITCH macros for point multiplication + and signatures. They need slightly less scratch after optimization + of the point addition functions. + + * ecc-mul-m.c (ecc_mul_m): Reduce scratch need. + (ecc_mul_m): Optimize swapping, with only a single mpn_cnd_swap + per iteration. + + * ecc-add-jja.c (ecc_add_jja): Reduce scratch need. + * ecc-add-jjj.c (ecc_add_jjj): Reduce scratch need. + * ecc-internal.h (ECC_ADD_JJA_ITCH, ECC_ADD_JJJ_ITCH): Now 5*size. + (ECC_MUL_M_ITCH): New 8*size. + +2020-11-06 Niels Möller + + After these changes, both curve25519 and curve448 need 4*size for + invert and 6*size for sqrt. + * ecc-curve448.c (ecc_mod_pow_446m224m1): Reduce scratch need. + (ecc_curve448_inv): Likewise. + (ecc_curve448_sqrt): Likewise. + * ecc-curve25519.c (ecc_curve25519_sqrt): Reduce scratch need. + + * ecc-add-jja.c (ecc_add_jja): Delete an unneeded copy. + +2020-11-05 Niels Möller + + * ecc-dup-jj.c (ecc_dup_jj): Reduce scratch need. + * ecc-internal.h (ECC_DUP_JJ_ITCH): Now 4*size. + +2020-11-03 Niels Möller + + * ecc-dup-eh.c (ecc_dup_eh): Reduce scratch need. + * ecc-dup-th.c (ecc_dup_th): Analogous changes. + * ecc-internal.h (ECC_DUP_EH_ITCH, ECC_DUP_TH_ITCH): Now 3*size. + + * ecc-internal.h (ecc_add_func): Document in-place operation. + * ecc-mul-a-eh.c (ecc_mul_a_eh): Fix call to ecc->add_hhh accordingly. + * testsuite/ecc-add-test.c (test_main): Likewise. + + * ecc-add-eh.c (ecc_add_eh): Reduce scratch need. 
+ * ecc-add-th.c (ecc_add_th): Analogous changes. + * ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need. + * ecc-add-thh.c (ecc_add_thh): Analogous changes. + * ecc-internal.h (ECC_ADD_EH_ITCH, ECC_ADD_EHH_ITCH) + (ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): Now 4*size. + +2020-11-02 Niels Möller + + * ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need. + (ecc_curve25519_inv): Likewise. + (ecc_curve25519_sqrt): Likewise. + +2020-11-01 Niels Möller + + * ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument + for scratch area, reducing required size of result area. Update + all callers to naïvely keep using result in scratch area. + (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Simplified, also reducing + required size of result area. + + * testsuite/testutils.c (test_ecc_point): Show curve bits on failure. + +2020-10-31 Niels Möller + + * ecc-internal.h (typedef ecc_mod_func): Updated all assembly + implementations. + + * testsuite/ecc-mod-test.c (test_one): Extend tests, to also test + with different destination area. + * testsuite/ecc-redc-test.c (test_main): Likewise. + +2020-10-30 Niels Möller + + * ecc-internal.h (typedef ecc_mod_func): Add separate result + argument. Updated all C implementations and callers. + +2020-10-29 Niels Möller + + * ecc-mod.c (ecc_mod): More unified handling of final carry + folding. Also eliminates a goto statement. + +2020-11-07 Niels Möller + + Merged initial powerpc64 implementation of chacha. + * configure.ac: New command line option --enable-power-altivec. + Update asm_path logic, and add altivec to FAT_TEST_LIST. + * fat-ppc.c (get_ppc_features): Add logic to check for altivec and + vsx support, and select aither C or altivec implementation of + chacha_core. + * powerpc64/p7/chacha-core-internal.asm: New file. + +2020-09-25 Niels Möller + + * powerpc64/p7/chacha-core-internal.asm: New file. + * Makefile.in (distdir): Add powerpc64/p7. + +2020-10-29 Niels Möller + + * blowfish.c (blowfish_set_key): Add casts to uint32_t. 
Avoids + undefined behavior, since shifting an 8-bit value left by 24 bits + overflows the range of signed int. Reported by Guido Vranken. + +2020-10-28 Niels Möller + + * gmp-glue.h (cnd_add_n, cnd_sub_n, cnd_swap): Deleted, use + corresponding functions mpn_cnd_add_n, mpn_cnd_sub_n, + mpn_cnd_swap, available from GMP version 6.1.0. Update all + callers, in particular, mpn_cnd_add_n and mpn_cnd_sub_n has one + more argument than the old functions. + + * gmp-glue.c (mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap) + [NETTLE_USE_MINI_GMP]: Fallback definitions or mini-gmp builds. + +2020-10-14 Niels Möller + + * ecc-mod-arith.c (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Moved + functions here. + * ecc-internal.h (ecc_mod_pow_2kp1): New macro, calling the more + general ecc_mod_pow_2k_mul. + * ecc-curve25519.c (ecc_mod_pow_2kp1): Deleted static function. + * ecc-curve448.c (ecc_mod_pow_2k, ecc_mod_pow_2kp1): Deleted + static functions. + +2020-10-13 Niels Möller + + * ecc-mod-inv.c (ecc_mod_inv_destructive): New helper function, + not preserving input argument. Extracted from old ecc_mod_inv. + (ecc_mod_inv): Call ecc_mod_inv_destructive. + (ecc_mod_inv_redc): New inversion function, with input and output + in redc form. + + * ecc-secp224r1.c: Select between ecc_mod_inv and ecc_mod_inv_redc. + * ecc-secp256r1.c: Likewise. + + * ecc-j-to-a.c (ecc_j_to_a): Simplify redc-related logic, taking + advantage of ecc->p.invert handling redc, when appropriate. Reduce + scratch need from 5n to 4n in the process (assuming inversion + needs 2n). + + * testsuite/ecc-modinv-test.c (ref_modinv): Updated to do redc, if + appropriate. + +2020-09-25 Niels Möller + + * gcm.c (gcm_fill): Added separate implementations for big- and + little-endian, to use uint64_t stores and less overhead. + +2020-09-24 Niels Möller + + * aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): Prefer to use register + names. Can be tested by configuring with CC='gcc -Wa,-mregnames'. 
+ +2020-09-21 Niels Möller + + * m4-utils.m4: New file with m4 utilities, copied from GMP's + mpn/asm-defs.m4. + * Makefile.in (DISTFILES): Add m4-utils.m4. + (%.asm): Include m4-utils.m4 for preprocessing of .asm files, and + include config.m4 before machine.m4. + + * aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): New configure test, + adapted from corresponding test in GMP's acinlude.m4. + * configure.ac (ASM_PPC_WANT_R_REGISTERS): New substituted + variable. Set using GMP_ASM_POWERPC_R_REGISTERS, when powerpc64 + assembly code is enabled. + * config.m4.in: Substituted here. + * powerpc64/machine.m4: Check ASM_PPC_WANT_R_REGISTERS, and + if needed, replace register names like r0, r1, ... with integers. + +2020-09-15 Niels Möller + + * Makefile.in (DISTFILES): Add missing file blowfish-internal.h. + +2020-09-14 Niels Möller + + * asm.m4: Delete use of changequote, stick to the m4 default + quoting characters `'. Updated all assembly and m4 files. + * x86_64/machine.m4 (W64_ENTRY, W64_EXIT): Delete quoting workaround. + +2020-09-12 Niels Möller + + * x86_64/salsa20-2core.asm: Fix incorrect W64_EXIT. + +2020-08-29 Niels Möller + + Initial powerpc64 assembly support, contributed by Mamone Tarsha: + * configure.ac: New configure option --enable-power-crypto-ext. + (asm_path): Setup this and related variables for powerpc64. + * powerpc64/machine.m4: New file. + * powerpc64/README: New file. + * powerpc64/p8/aes-encrypt-internal.asm: New file. + * powerpc64/p8/aes-decrypt-internal.asm: New file. + * powerpc64/fat/aes-encrypt-internal-2.asm: New file. + * powerpc64/fat/aes-decrypt-internal-2.asm: New file. + * fat-ppc.c: New file. + * Makefile.in (OPT_SOURCES): Add fat-ppc.c. + (distdir): Add powerpc64 directories. + * aes-decrypt-internal.c (_nettle_aes_decrypt_c): Alternative + name, for fat builds. + * aes-encrypt-internal.c (_nettle_aes_encrypt_c): Likewise. + +2020-07-28 Niels Möller + + * configure.ac (FAT_TEST_LIST): New substituted variable. 
Set for + fat builds, otherwise empty. + * Makefile.in (check-fat): New target, using $(FAT_TEST_LIST). + +2020-07-13 Niels Möller + + * chacha-crypt.c (chacha_crypt) [HAVE_NATIVE_chacha_3core]: Use + _chacha_3core. + + * arm/neon/chacha-3core.asm: New file, 3-way interleaving of + chacha. + +2020-07-11 Niels Möller + + * testsuite/chacha-test.c (test_main): Delete obsolete tests for + chacha with 128-bit keys. #if:ed out since 2014-03-04, see below. + (test_chacha_core): New function, test chacha with simple input + structure. + +2020-07-10 Niels Möller + + * x86_64/salsa20-2core.asm: New file. + * x86_64/salsa20-crypt.asm: Deleted, since the 2core assembly is + faster. + +2020-07-08 Niels Möller + + Rearrange salsa20, enabling ARM fat builds to use sala20_2core. + * salsa20-crypt-internal.c (_salsa20_crypt_2core) + (_salsa20_crypt_1core): New file, new functions. One or the other + is used for implementing salsa20_crypt and salsa20r12_crypt, + depending on availability of salsa20_2core. + * salsa20-crypt.c (salsa20_crypt): Call _salsa20_crypt. + * salsa20r12-crypt.c (salsa20r12_crypt): Likewise. + * salsa20-internal.h: Declare new internal functions. + * Makefile.in (nettle_SOURCES): Add salsa20-crypt-internal.c. + * fat-setup.h (salsa20_crypt_func): New typedef. + * fat-arm.c (_salsa20_crypt): Select _salsa20_crypt + implementation, use 2core version when Neon instructions are + available. + * arm/fat/salsa20-2core.asm: New file, including Neon + implementation. Trigger configure's HAVE_NATIVE_fat_salsa20_2core, + * configure.ac: Add HAVE_NATIVE_fat_salsa20_2core, to identify the + case that salsa20_2core is defined, but runtime checks are needed + to determine if it is usable. + +2020-07-06 Niels Möller + + * testsuite/salsa20-test.c (test_salsa20_core): New function, test + salsa20 with simple input structure. + + * configure.ac: Obey --enable-arm-neon=yes, even if not explicitly + targetting ARM v6 or later. 
+ +2020-07-01 Niels Möller + + * testsuite/bcrypt-test.c: New file. Moved bcrypt tests here. + + Support for bcrypt, contributed by Stephen R. van den Berg. + * blowfish-bcrypt.c (blowfish_bcrypt_hash) + (blowfish_bcrypt_verify): New file, new functions. + * blowfish-internal.h: New header file, declaring internals needed + for bcrypt. + * testsuite/blowfish-test.c: Add bcrypt tests. + * nettle.texinfo (Cipher functions): Document bcrypt. + +2020-06-30 Niels Möller + + * nettle.texinfo (Miscellaneous hash functions): New section, with + Streebog documentation, contributed by Dmitry Baryshkov. + (Top): Added some missing entries to the detailed node listing + +2020-06-29 Niels Möller + + * .gitlab-ci.yml: Add cross tests for powerpc64le, based on patch + by Maamoun TK. + +2020-06-25 Niels Möller + + * x86_64/chacha-core-internal.asm (QROUND): Fix use of macro + arguments. Spotted by Torbjörn Granlund. + +2020-06-02 Niels Möller + + * examples/nettle-benchmark.c (main): Delete call to + time_overhead. The attempt to measure function call overhead is + not very useful or accurate. The benchmarking loop is optimized + away by gcc-10, making the benchmark program hang. + (bench_nothing, time_overhead): Deleted. + +2020-04-29 Niels Möller + + * Released Nettle-3.6. + +2020-04-27 Niels Möller + + * configure.ac: Tweak gcc command line options. Delete checks for + older gcc versions. Add -Wno-sign-compare, since warnings for + signed/unsigned comparisons adds a lot of noise, in particular + when building mini-gmp. + + * mini-gmp.c: Updated mini-gmp from the gmp repository, latest + change from 2020-04-20. + * mini-gmp.h: Likewise. + +2020-04-25 Niels Möller + + * gmp-glue.c (mpz_limbs_read, mpz_limbs_write, mpz_limbs_modify) + (mpz_limbs_finish, mpz_roinit_n): Delete compatibility + definitions. These functions available in GMP since version 6.0.0. + * gmp-glue.h: Delete corresponding declarations, and preprocessor + conditions. 
+ + * configure.ac: Update required version of GMP to 6.1.0, needed + for mpn_zero_p. + * ecc-ecdsa-verify.c (zero_p): Deleted static function, usage + replaced with mpn_zero_p. + * testsuite/testutils.c (mpn_zero_p): Delete conditional + definition. + * testsuite/testutils.h: Delete corresponding declarations. + + * Makefile.in (DISTFILES): Add poly1305-internal.h. + * testsuite/Makefile.in (DISTFILES): Delete setup-env. + +2020-04-23 Niels Möller + + * run-tests: Set WINEPATH, since it appears wine doesn't search + for dlls in the unix PATH. + * examples/setup-env: Delete creation of extra dll symlinks. + * examples/teardown-env: Delete corresponding cleanup. + * testsuite/setup-env: Deleted file (same symlink creation). + * testsuite/teardown-env: Delete corresponding cleanup. + + * testsuite/ecc-add-test.c (test_main): Delete ASSERTs with + functions pointer comparisons. They provide little value, and fail + when linking with hogweed.dll on windows. + * testsuite/ecc-dup-test.c (test_main): Likewise. + +2020-04-22 Niels Möller + + * testsuite/Makefile.in: Use pattern rules for test executables, + replacing... + (test-rules): ...deleted rule. + * testsuite/.test-rules.make: Deleted file. + +2020-04-21 Niels Möller + + From Dmitry Baryshkov: + * gostdsa-vko.c (gostdsa_vko): New file and function. + * testsuite/gostdsa-vko-test.c (test_vko): New test. + * nettle.texinfo (GOSTDSA): Document it. + +2020-04-19 Niels Möller + + From Dmitry Baryshkov: + * gosthash94.h (struct gosthash94_ctx): Rearrange struct to enable + use of MD_UPDATE macro, in particular, replacing byte count with + block count and index. Also move buffer last, for consistency with + other hash functions. + * gosthash94.c (gosthash94_update_int): Use MD_UPDATE macro. + (gosthash94_write_digest): Update for block count rather than byte + count. + +2020-04-17 Niels Möller + + * configure.ac (LIBNETTLE_MAJOR): Increase libnettle version + number to 8.0, for move of internal poly1305 functions. 
+ (LIBNETTLE_MINOR): Reset to zero. + +2020-04-15 Niels Möller + + From Dmitry Baryshkov: + * poly1305.h (poly1305_set_key, poly1305_digest, _poly1305_block): + Removed declarations from this public header file. + * poly1305-internal.h: New file, with declarations of internal + poly1305 functions. + (_poly1305_set_key, _poly1305_digest): Renamed, with leading + underscore. Updated definitions and all uses. + +2020-04-12 Niels Möller + + * Makefile.in (DISTFILES): Reorder to ensure that generated des + headers can't be older than desdata.stamp. + + * testsuite/ed448-test.c: Define _GNU_SOURCE, for getline with gcc + -std=c89. + +2020-04-06 Niels Möller + + * configure.ac (LIBHOGWEED_MAJOR): Increase libhogweed version + number to 6.0, at request of Gnutls team. + (LIBHOGWEED_MINOR): Reset to zero. + +2020-04-01 Niels Möller + + * config.guess: Update to 2020-01-01 version, from savannah's + config.git. + * config.sub: Likewise. + +2020-03-31 Niels Möller + + * aclocal.m4 (LSH_TYPE_SOCKLEN_T, LSH_CHECK_KRB_LIB, LSH_LIB_ARGP) + (LSH_MAKE_CONDITIONAL): Delete unused macros. + + * config.make.in (abs_top_builddir, TEST_SHLIB_DIR): New variables. + + * run-tests: Check TEST_SHLIB_DIR, and set up LD_LIBRARY_PATH and + related member variables. + + * testsuite/Makefile.in (check): Pass only TEST_SHLIB_DIR + to the run-tests script, and leave setting of LD_LIBRARY_PATH and + related variables to that script. + * examples/Makefile.in (check): Likewise. + +2020-03-26 Niels Möller + + * configure.ac: Bump package version to 3.6. + (LIBNETTLE_MINOR): Bump minor number, now 7.1. + (LIBHOGWEED_MINOR): Bump minor numbers, now 5.1 + +2020-03-14 Niels Möller + + From H.J. Lu: + * configure.ac (ASM_X86_ENDBR, ASM_X86_MARK_CET_ALIGN): New + substituted variables. + * config.m4.in: Substituted here. Add ASM_X86_MARK_CET to + diversion inserted at end of assembly files. + * asm.m4 (PROLOGUE): Add ASM_X86_ENDBR at entry point. 
+ +2020-03-09 Niels Möller + + From Daiki Ueno: + * chacha-crypt.c (chacha_crypt32): New function. + * chacha-set-nonce.c (chacha_set_counter, chacha_set_counter32): + New functions. + * chacha.h (CHACHA_COUNTER_SIZE, CHACHA_COUNTER32_SIZE): New constants. + * chacha-poly1305.c (chacha_poly1305_encrypt) + (chacha_poly1305_decrypt): Use chacha_crypt32. + * testsuite/chacha-test.c: Update tests to use new functions. + * nettle.texinfo: Document new chacha functions, and update + out-of-date chacha-poly1305 documentation. + +2020-03-08 Niels Möller + + From Dmitry Baryshkov: + * cmac-des3-meta.c (nettle_cmac_des): New file, moving definition + from... + * testsuite/cmac-test.c: ... old location. + * nettle-meta.h (nettle_cmac_des): Declare it. + +2020-02-15 Niels Möller + + From Dmitry Baryshkov: + * ecc-internal.h (ecc_modq_add, ecc_modq_mul, ecc_modp_sqr) + (ecc_modp_mul, ecc_mod_submul_1, ecc_modp_mul_1, ecc_modp_add) + (ecc_modp_sub): Deleted macros. Updated callers to use respective + functions instead. + (ecc_modp_addmul_1): Delete unused macro. + +2020-02-09 Niels Möller + + Addition of struct nettle_mac based on patches by Daiki Ueno. + * nettle-meta-macs.c (nettle_get_macs): New file, new function. + * testsuite/meta-mac-test.c: New test. + + * nettle-meta.h (_NETTLE_HMAC): New macro. + (nettle_hmac_md5, nettle_hmac_ripemd160, nettle_hmac_sha1) + (nettle_hmac_sha224, nettle_hmac_sha256, nettle_hmac_sha384) + (nettle_hmac_sha512): Declare. + (struct nettle_mac): New public struct, + * testsuite/testutils.h: ...moved from this file. + + * hmac-md5-meta.c: New file. + * hmac-ripemd160-meta.c: Likewise. + * hmac-sha1-meta.c: Likewise. + * hmac-sha224-meta.c: Likewise. + * hmac-sha256-meta.c: Likewise. + * hmac-sha384-meta.c: Likewise. + * hmac-sha512-meta.c: Likewise. + + * Makefile.in (nettle_SOURCES): Add new files. + + * testsuite/testutils.h (_NETTLE_HMAC): Delete unused version of + this macro. 
+ * testsuite/testutils.c (test_mac): Allow testing with smaller + digest size. + * testsuite/hmac-test.c (test_main): Use test_mac for tests using + key size == digest size. + + * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256): + Moved to... + * cmac-aes128-meta.c: New file. + * cmac-aes256-meta.c: New file. + + * nettle-meta.h (struct nettle_mac): New public struct, + * testsuite/testutils.h: ...moved from this file. + +2020-02-06 Niels Möller + + From Dmitry Baryshkov: + * gost28147.h: Deleted, move declarations to gost28147-internal.h. + +2020-02-05 Niels Möller + + * configure.ac: On Solaris, link shared libraries with --shared + rather than -G. For gcc, --shared is the proper way. For Solaris' + proprietary cc, according to docs, it accepts --shared as an alias + for -G since Oracle Solaris Studio 12.4, and it was made more gcc + compatible in later versions. Since 12.4 was released in 2014, + don't attempt to cater for older versions. + +2020-01-26 Niels Möller + + * ecc-internal.h (struct ecc_curve): Delete g, the curve + generator, since it was used only by tests. Update all curve + instances. + + * eccdata.c (output_curve): Delete output of ecc_g. + (output_point): Delete name argument, and update callers. + + * testsuite/testutils.c (ecc_ref): Table of reference points moved + out of test_ecc_mul_a. Add generator to the list of points. + (test_ecc_mul_a): Use ecc_ref table also for the n == 1 case. + (test_ecc_ga, test_ecc_get_g, test_ecc_get_ga): New functions, + using the tabulated generator. + + * testsuite/ecc-add-test.c: Use test_ecc_get_g, instead of + accessing ecc->g. + * testsuite/ecc-dup-test.c: Likewise. + * testsuite/ecc-mul-a-test.c: Use test_ecc_get_ga and test_ecc_ga. + Delete special case for n == 1. + * testsuite/ecc-mul-g-test.c: Use test_ecc_ga. + + Support for GOST DSA, contributed by Dmitry Baryshkov. + * gostdsa-verify.c (gostdsa_verify): New file and function. 
+ * gostdsa-sign.c (gostdsa_sign): New file and function. + * ecc-gostdsa-verify.c (ecdsa_in_range, ecc_gostdsa_verify_itch) + (ecc_gostdsa_verify): New file and functions. + * ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign): + New file and functions. + * ecc-internal.h (ECC_GOSTDSA_SIGN_ITCH): New macro. + * ecc-hash.c (gost_hash): New function. + * testsuite/gostdsa-verify-test.c: New test. + * testsuite/gostdsa-sign-test.c: New test. + * testsuite/gostdsa-keygen-test.c: New test. + * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add new tests. + + Support for GOST gc256b and gc512a curves, contributed by Dmitry + Baryshkov. + * eccdata.c (ecc_curve_init): Add parameters for gost_gc256b and + gost_gc512a. + * ecc-gost-gc256b.c: New file, define _nettle_gost_gc256b. + * ecc-gost-gc512a.c: New file, define _nettle_gost_gc512a. + * Makefile.in: Add rules to generate ecc-gost-gc256b.h and + ecc-gost-gc512a.h. + (hogweed_SOURCES): Add ecc-gost-gc256b.c ecc-gost-gc512a.c. + * examples/ecc-benchmark.c (curves): Add to list. + * testsuite/testutils.c (ecc_curves): Add to list. + (test_ecc_mul_a): Reference points for new curves. + + * NEWS: Started on entries for Nettle-3.6. + +2020-01-25 Niels Möller + + * examples/hogweed-benchmark.c (bench_curve_init): Pass correct + sizes to knuth_lfib_random. Patch contributed by Dmitry Baryshkov. + +2020-01-15 Niels Möller + + * Makefile.in: Replace suffix rules by pattern rules. Move .asm + rule above .c rule, since now the order of rules in the Makefile + matters, rather than the order in the .SUFFIXES list. + (aesdata, desdata, twofishdata, shadata, gcmdata, eccparams): + Individual rules replaced by a pattern rule. + (eccdata): Add explicit dependencies, to complement the pattern + rule. + * examples/Makefile.in: Replace suffix rules by pattern rules. + * testsuite/Makefile.in: Likewise. + * tools/Makefile.in: Likewise. + + * config.make.in: Empty .SUFFIXES, to not accidentally use any + suffix rules. 
+ + * aclocal.m4 (DEP_INCLUDE): Delete substituted variable. + + * Makefile.in: Use the GNU make directive -include to include + dependency .d files. Delete dependency files on make clean. + * examples/Makefile.in: Likewise. + * testsuite/Makefile.in: Likewise. Also use $(OBJEXT) properly. + * tools/Makefile.in: Likewise. + + * configure.ac (dummy-dep-files): Delete these config commands. + +2020-01-10 Niels Möller + + From Dmitry Eremin-Solenikov: Consistently rename ecc files and + internal functions to include curve name rather than just number + of bits. E.g., + * ecc-256.c (nettle_ecc_256_redc): File and function renamed to... + * ecc-secp256r1.c (_nettle_ecc_256_redc): ... new names. + * eccdata.c (ecc_curve_init, main): Take curve name as input, not + bit size. + +2020-01-03 Niels Möller + + Add benchmarking of ed25519, ed448 and curve448. + * examples/hogweed-benchmark.c: (struct eddsa_ctx): New struct. + (bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify) + (bench_eddsa_clear): New functions. + (struct curve_ctx): New struct, generalizing struct curve25519_ctx. + (bench_curve_init, bench_curve_mul_g, bench_curve_mul) + (bench_curve_clear): New functions. + (struct curve25519_ctx, bench_curve25519_mul_g) + (bench_curve25519_mul, bench_curve25519): Deleted. + (alg_list): Add eddsa and curve entries. + (main): Delete call to bench_curve25519. + +2020-01-02 Niels Möller + + * eddsa-internal.h (nettle_eddsa_dom_func): New typedef. + (struct ecc_eddsa): Use function pointer to represent eddsa dom + string. To avoid calling sha512_update with empty input for + ed25519. + * ed448-shake256.c (ed448_dom): New function, calling + sha3_256_update with the magic dom prefix. + (_nettle_ed448_shake256): Point to it. + * ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function. + + * eddsa-sign.c (_eddsa_sign): Update to use dom function pointer. + * eddsa-verify.c (_eddsa_verify): Likewise. 
+ + * eddsa-internal.h (struct ecc_eddsa): Add magic dom string, + needed for ed448. + * ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string. + * ed448-shake256.c (_nettle_ed448_shake256): New file and + parameter struct. + + * eddsa-hash.c (_eddsa_hash): Add digest_size as input argument. + Handle ed448 digests with two extra bytes. Update callers. + * eddsa-verify.c (_eddsa_verify): Hash dom string. + * eddsa-sign.c (_eddsa_sign_itch): Assert that + _eddsa_compress_itch isn't too large. + (_eddsa_sign): New argument k1, with the hash prefix. Add hashing + of this prefix and the dom string. Update callers. Fix final + reduction, it's different for ed25519, with q slightly larger than + a power of two, and ed448, with q slightly smaller. + * eddsa-pubkey.c (_eddsa_public_key_itch): Assert that + _eddsa_compress_itch isn't too large. + + Implementation of ed448-shake256, based on patch by Daiki Ueno. + * ed448-shake256-pubkey.c (ed448_shake256_public_key): New file + and function. + * ed448-shake256-sign.c (ed448_shake256_sign): New file and function. + * ed448-shake256-verify.c (ed448_shake256_verify): New file and function. + + * Makefile.in (hogweed_SOURCES): Add new ed448 files. + + * testsuite/eddsa-verify-test.c (test_ed448): New function. + (test_main): New ed448 tests. + * testsuite/eddsa-sign-test.c (test_ed448_sign): New function. + (test_main): New ed448 tests. + * testsuite/ed448-test.c: New tests. + * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add ed448-test.c. + + * nettle.texinfo (Curve 25519 and Curve 448): Document ed448. + +2020-01-01 Niels Möller + + * ecc-448.c (ecc_mod_pow_2kp1): New function. + (ecc_mod_pow_446m224m1): Reduce scratch usage from 6*n to 5*n, at + the cost of one copy operation. Also use ecc_mod_pow_2kp1 where + applicable. + (ECC_448_INV_ITCH): Reduce to 5*ECC_LIMB_SIZE. + (ECC_448_SQRT_ITCH): Reduce to 9*ECC_LIMB_SIZE. + + * testsuite/eddsa-compress-test.c: Test also with curve448. 
+ +2019-12-30 Niels Möller + + Preparation for ed448, based on patch by Daiki Ueno. + * eddsa-internal.h (struct ecc_eddsa): New struct for eddsa + parameters. + * ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct. + * eddsa-expand.c (_eddsa_expand_key): Replace input + struct nettle_hash with struct ecc_eddsa, and generalize for + ed448. Update all callers. + * eddsa-sign.c (_eddsa_sign): Likewise. + * eddsa-verify.c (_eddsa_verify): Likewise. + * eddsa-compress.c (_eddsa_compress): Store sign bit in most + significant bit of last byte, as specified by RFC 8032. + * eddsa-decompress.c (_eddsa_decompress): Corresponding update. + Also generalize to support ed448, and make validity checks + stricter. + * testsuite/eddsa-sign-test.c (test_ed25519_sign): New function. + (test_main): Use it. + * testsuite/eddsa-verify-test.c (test_ed25519): New function. + (test_main): Use it. + +2019-12-28 Niels Möller + + * bignum.h: Drop unrelated include of nettle-meta.h. + * pss.h: Include nettle-meta.h explicitly. + * eddsa-internal.h: Likewise. + +2019-12-25 Niels Möller + + Support for SHAKE256, based on patch by Daiki Ueno. + * shake256.c (sha3_256_shake): New file and function. + * Makefile.in (nettle_SOURCES): Add shake256.c. + * testsuite/testutils.c (test_hash): Allow arbitrary digest size, + if hash->digest_size == 0. + * testsuite/shake.awk: New script to extract test vectors. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c. + (DISTFILES): Add shake.awk. + * nettle.texinfo (Recommended hash functions): Document SHAKE-256. + + * sha3.c (_sha3_pad): Generalized with an argument for the magic + suffix defining the sha3 instance. + * sha3-internal.h (_sha3_pad_hash): New macro, for SHA3 hashes. + Updated all callers of _sha3_pad. + (_sha3_pad_shake): New macro, using the SHAKE magic byte 0x1f. + +2019-12-19 Niels Möller + + * ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use + add_hh rather than add_hhh. 
+ (table_init) [[ECC_MUL_A_EH_WBITS > 0]: Likewise. + * ecc-internal.h (ECC_MUL_A_EH_ITCH) [ECC_MUL_A_EH_WBITS == 0]: + Reduced from 13*n to 12*n. + +2019-12-18 Niels Möller + + Rename add and dup functions for Edwards curves. + * ecc-dup-th.c (ecc_dup_th): New file, move and rename ecc_dup_eh. + * ecc-add-th.c (ecc_add_th): New file, move and rename ecc_add_eh. + * ecc-add-thh.c (ecc_add_thh): New file, move and rename + ecc_add_ehh. + * ecc-dup-eh.c (ecc_dup_eh_untwisted): Rename to just ecc_dup_eh. + * ecc-add-eh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_eh. + * ecc-add-ehh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_ehh. + * ecc-internal.h (ecc_dup_th, ecc_add_th, ecc_add_thh): Declare + new functions, delete declarations of ecc_*_untwisted variants. + (ECC_DUP_TH_ITCH, ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): New macros. + * ecc-25519.c (_nettle_curve25519): Update, use ecc_dup_th and + friends. + * ecc-448.c (_nettle_curve448): Update for rename, without + _untwisted suffix. + * Makefile.in (hogweed_SOURCES): Added ecc-dup-th.c, ecc-add-th.c, + and ecc-add-thh.c + * testsuite/ecc-dup-test.c (test_main): Update asserts. + * testsuite/ecc-add-test.c (test_main): Likewise. + + * eddsa-verify.c (_eddsa_verify): Use function pointer rather than + calling ecc_add_eh directly. Preparation for eddsa over curve448. + +2019-12-17 Niels Möller + + * examples/ecc-benchmark.c (bench_dup_hh): Rename, and use + ecc->dup pointer. + (bench_dup_jj): ... old name. + (bench_add_hh): Rename, and use ecc->addd_hh pointer. + (bench_add_jja): ... old name. + (bench_dup_eh, bench_add_eh): Deleted. + (bench_curve): Update, and delete curve25519 special case. + (main): Update table headers accordingly. + +2019-12-15 Niels Möller + + * ecc-dup-eh.c (ecc_dup_eh): Eliminate one unneeded ecc_modp_add. + +2019-12-14 Niels Möller + + * ecc-mul-m.c (ecc_mul_m): New file and function. 
Implements + multipliction for curves in Montgomery representation, as used for + curve25519 and curve448. Extracted from curve25519_mul. + * ecc-internal.h (ecc_mul_m): Declare. + (ECC_MUL_M_ITCH): New macro. + * Makefile.in (hogweed_SOURCES): Add ecc-mul-m.c. + + * curve25519-mul.c (curve25519_mul): Use ecc_mul_m. + * curve448-mul.c (curve448_mul): Likewise. + +2019-12-13 Niels Möller + + * Merge curve448 implementation. + +2019-12-09 Niels Möller + + * ecc-internal.h: Revert itch macro changes. We now have + h_to_a_itch <= mul_itch, mul_g_itch. Add asserts at a few places + relying on this. + (ECC_ECDSA_KEYGEN_ITCH, ECC_MAX): Delete macros. + (ECC_ECDSA_SIGN_ITCH): Revert previous change. + + * ecc-448.c (ecc_mod_pow_446m224m1): Reduce scratch space from 9*n + to 6*n. + (ECC_448_INV_ITCH, ECC_448_SQRT_ITCH): Reduce accordingly. + * curve448-mul.c (curve448_mul): Reduce allocation from 14*n to 12*n. + +2019-12-08 Niels Möller + + * x86_64/ecc-curve448-modp.asm (nettle_ecc_curve448_modp): New + assembly function. + * ecc-448.c (ecc_448_modp) [HAVE_NATIVE_ecc_curve448_modp]: Use + native nettle_ecc_curve448_modp if available. + * configure.ac (asm_hogweed_optional_list): Add ecc-curve448-modp.asm. + (HAVE_NATIVE_ecc_curve448_modp): New config.h define. + +2019-12-03 Niels Möller + + * ecc-448.c (ecc_448_modp) [GMP_NUMB_BITS == 64]: New function. + +2019-12-01 Niels Möller + + Curve 448 support contributed by Daiki Ueno. + * eccdata.c (enum ecc_type): Add ECC_TYPE_EDWARDS. + (ecc_add): Support untwisted edwards curves. + (ecc_curve_init): Add curve448 parameters. + * ecc-internal.h (ECC_ECDSA_KEYGEN_ITCH): New macro. + (ECC_ECDSA_SIGN_ITCH): Increased from 12*size to 13*size. + (ECC_MAX): New macro. + * ecc-448.c: New file. + (ecc_mod_pow_2k, ecc_mod_pow_446m224m1, ecc_448_inv) + (ecc_448_zero_p, ecc_448_sqrt): New functions. + (_nettle_curve448): New curve definition. + * curve448.h (CURVE448_SIZE): New constant. 
+ (curve448_mul_g, curve448_mul): Declare new public functions. + * ecc-eh-to-a.c (ecc_eh_to_a): Update assert to allow the curve448 + Edwards curve. + * curve448-mul.c (curve448_mul): New file and function. + * curve448-mul-g.c (curve448_mul_g): New file and function. + * curve448-eh-to-x.c (curve448_eh_to_x): New file and function. + * ecc-dup-eh.c (ecc_dup_eh_untwisted): New function. + * ecc-add-ehh.c (ecc_add_ehh_untwisted): New function. + * ecc-add-eh.c (ecc_add_eh_untwisted): New function. + * ecc-point.c (ecc_point_set): Add point validation for curve448. + * ecc-point-mul.c (ecc_point_mul): Allow h_to_a_itch larger than + mul_itch. + * ecc-point-mul-g.c (ecc_point_mul_g): Allow h_to_a_itch + larger than mul_g_itch. Switch from TMP_DECL/_ALLOC/_FREE to + gmp_alloc_limbs/gmp_free_limbs. + * ecdsa-keygen.c (ecdsa_generate_keypair): Use + ECC_ECDSA_KEYGEN_ITCH. + * Makefile.in (hogweed_SOURCES): Add ecc-448.c, curve448-mul-g.c, + curve448-mul.c, and curve448-eh-to-x.c. + (HEADERS): Add curve448.h. + (ecc-448.h): New generated file. + + * testsuite/testutils.c (ecc_curves): Add _nettle_curve448 to list + of tested curves. + (test_ecc_mul_a): Add curve448. + * testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add curve448 support. + * testsuite/ecdh-test.c (test_main): Add tests for (non-standard) + curve448 diffie-hellman. + * testsuite/ecc-add-test.c (test_main): Update for testing of curve448. + * testsuite/ecc-dup-test.c (test_main): Likewise. + * testsuite/ecc-mul-a-test.c (test_main): Likewise. Also increase + scratch allocation for h_to_a_itch. + * testsuite/ecc-mul-g-test.c (test_main): Likewise. + * testsuite/curve448-dh-test.c: Test for curve448. + * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add curve448-dh-test.c. + + * examples/ecc-benchmark.c: Add curve448 to list of benchmarked + curves. + + * nettle.texinfo (Curve 25519 and Curve 448): Add docs. 
+ +2019-12-07 Niels Möller + + * ecc-eh-to-a.c (ecc_eh_to_a): Require op == 0, delete code only + used for non-standard ecdsa over curve25519. + * testsuite/ecdsa-sign-test.c (test_main): Delete test of ecdsa + over curve25519. + * testsuite/ecdsa-verify-test.c (test_main): Likewise. + * testsuite/ecdsa-keygen-test.c (test_main): Exclude curve25519 + from test. + +2019-12-05 Niels Möller + + * configure.ac: Use AC_TRY_LINK rather than AC_TRY_COMPILE to + check for __builtin_bswap64. Since calling an non-existing + function typically results in a warning only at compile time, but + fails at link time. Patch contributed by by George Koehler. + +2019-12-04 Niels Möller + + * testsuite/testutils.c (test_cipher_cfb8): Add cast of size_t to + unsigned long for argument to fprintf. + +2019-11-21 Niels Möller + + * eccdata.c (ecc_curve_init_str): Delete unused t and d arguments. + Related to the the edwards_root member of struct ecc_curve, which + was used by ecc_a_to_eh before it was deleted, see 2014-09-17 + entry below. + (ecc_curve_init): Delete corresponding curve25519 constants, and + NULL arguments passed for the other curves. + + * Merge curve448 preparations, from September 2017. + +2017-09-23 Niels Möller + + * eccdata.c: Reorganize curve25519 precomputation to work directly + with the twisted Edwards curve, with new point addition based on a + patch from Daiki Ueno. + * ecc-25519.c (_nettle_curve25519): Update for removed Montgomery + curve constant. + + * ecc-internal.h (struct ecc_curve): Delete unused pointer + edwards_root. Update all instances. + * eccdata.c (output_curve): Don't output it. + + * testsuite/ecc-add-test.c (test_main): Reduce test duplication. + Use ecc->add_hhh_itch. + * testsuite/ecc-dup-test.c (test_main): Reduce test duplication. + Use ecc->dup_itch. + +2017-09-23 Daiki Ueno + + * ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of + hard-coded value for curve25519. + * eddsa-sign.c (_eddsa_sign): Likewise. 
+ + * ecc-internal.h (ecc_dup_func): New typedef. + (struct ecc_curve): New constants add_hh_itch and dup_itch, new + function pointers add_hh and dup. + * ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c, + ecc-25519.c: Update accordingly. + * ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers. + * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh): + Likewise. + * testsuite/ecc-dup-test.c (test_main): Likewise. + * testsuite/ecc-add-test.c (test_main): Likewise. + +2019-10-01 Niels Möller + + * testsuite/testutils.c (test_cipher_cfb8): Reset destination area + between tests. Encrypt/decrypt final partial block. + + From Daiki Ueno, fixing bug reported by Stephan Mueller: + * cfb.c (cfb8_decrypt): Don't truncate output IV if input is + shorter than block size. + * testsuite/testutils.c (test_cipher_cfb8): Test splitting input + into multiple calls to cfb8_encrypt and cfb8_decrypt. + +2019-09-30 Niels Möller + + * testsuite/siv-test.c (test_cipher_siv): Fix out-of-bounds read. + Trim allocation size for de_data, drop some uses of + SIV_DIGEST_SIZE, call FAIL for unexpected returned values. + (test_compare_results): Delete digest argument. + +2019-09-15 Niels Möller + + From Dmitry Eremin-Solenikov: + * gost28147.c (_gost28147_encrypt_block): New file, encrypt + function and sbox tables moved here. + * gosthash94.c: Update functions to take sbox array as argument. + (gost_block_compress): Use _gost28147_encrypt_block. + (gosthash94cp_update,gosthash94cp_digest): New functions. + * gost28147-internal.h: New file. + * gost28147.h: New file. + * gosthash94-meta.c (nettle_gosthash94cp): New hash algorithm. + * nettle-meta-hashes.c (_nettle_hashes): Add nettle_gosthash94 and + nettle_gosthash94cp. + * hmac-gosthash94.c (hmac_gosthash94_set_key) + (hmac_gosthash94_update, hmac_gosthash94_digest) + (hmac_gosthash94cp_set_key, hmac_gosthash94cp_update) + (hmac_gosthash94cp_digest): New file and functions. 
+ * pbkdf2-hmac-gosthash94.c (pbkdf2_hmac_gosthash94cp): New file + and function. + * testsuite/pbkdf2-test.c (test_main): Add + pbkdf2-hmac-gosthash94cp tests. + * testsuite/hmac-test.c (test_main): Add hmac-gosthash94 tests. + * testsuite/gosthash94-test.c (test_main): Add gosthash94cp tests. + * nettle.texinfo (Legacy hash functions): Document gosthash94cp. + + * testsuite/dlopen-test.c (main): Use libnettle.dylib on MacOS. + +2019-07-08 Niels Möller + + * nettle-types.h (union nettle_block16): Mark w member as deprecated. + * eax.c (block16_xor): Use uint64_t member of nettle_block16. + * gcm.c (gcm_gf_add, gcm_gf_shift, gcm_gf_shift_8): Likewise. + +2019-07-10 Niels Möller + + From Dmitry Eremin-Solenikov: + * cmac64.c (_cmac64_block_mulx, cmac64_set_key, cmac64_init) + (cmac64_update, cmac64_digest): New file, new functions. + * cmac-des3.c (cmac_des3_set_key, cmac_des3_update) + (cmac_des3_digest): New file, new functions. + * cmac.h: Add cmac64 and cmac_des3 declarations. + * Makefile.in (nettle_SOURCES): Add cmac64.c and cmac-des3.c. + * testsuite/cmac-test.c (test_main): Add tests for cmac_des3. + +2019-07-02 Niels Möller + + From Dmitry Eremin-Solenikov: + * testsuite/testutils.c (test_mac): New function. + * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256): + New algorithm structs. + (test_cmac_aes128, test_cmac_aes256): Use test_mac. + +2019-06-06 Niels Möller + + Update for cmac changes, enabling const for the _message functions. + * siv-cmac.c (_siv_s2v): Take a const struct cmac128_key as argument, + and use a local struct cmac128_ctx for message-specific state. + (siv_cmac_set_key): Take a struct cmac128_key as argument. Updated + callers. + (siv_cmac_encrypt_message, siv_cmac_decrypt_message): Take a const + struct cmac128_key as argument. Updated callers. + + * siv-cmac.h (SIV_CMAC_CTX): Changed to use struct cmac128_key + rather than struct cmac128_ctx. 
+ + * siv-cmac-aes256.c (siv_cmac_aes256_encrypt_message) + (siv_cmac_aes256_decrypt_message): Likewise. + * siv-cmac-aes128.c (siv_cmac_aes128_encrypt_message) + (siv_cmac_aes128_decrypt_message): The ctx argument made const. + +2019-05-15 Niels Möller + + * siv-cmac.h (SIV_CMAC_AES128_KEY_SIZE, SIV_CMAC_AES256_KEY_SIZE): + New constants. + * testsuite/siv-test.c: Simplify tests a little. + + * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1. + * siv-cmac.c (_siv_s2v): Require non-empty nonce. + * nettle.texinfo (SIV-CMAC): Update documentation. + +2019-05-06 Niels Möller + + SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos: + * siv-cmac.h (SIV_BLOCK_SIZE, SIV_DIGEST_SIZE): New constants. + (SIV_CMAC_CTX): New macro. + (struct siv_cmac_aes128_ctx, struct siv_cmac_aes256_ctx): New + context structs. + * siv-cmac.c (_siv_s2v, siv_cmac_set_key) + (siv_cmac_encrypt_message) + (siv_cmac_decrypt_message): New file, new functions. + * siv-cmac-aes128.c (siv_cmac_aes128_set_key) + (siv_cmac_aes128_encrypt_message) + (siv_cmac_aes128_decrypt_message): New file, new functions. + * siv-cmac-aes256.c (siv_cmac_aes256_set_key) + (siv_cmac_aes256_encrypt_message) + (siv_cmac_aes256_decrypt_message): New file, new functions. + * Makefile.in (nettle_SOURCES): Add siv-cmac source files. + (HEADERS): Add siv-cmac.h. + * testsuite/siv-test.c: New file. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added siv-test.c + * nettle.texinfo (SIV-CMAC): Documentation. + +2019-04-30 Niels Möller + + Based on a patch contributed by Nikos Mavrogiannopoulos. + * cmac.c (_cmac128_block_mulx): Renamed function... + (block_mulx): ... from old name. + * cmac-internal.h (_cmac128_block_mulx): New file, declare function. + * Makefile.in (DISTFILES): Added cmac-internal.h. + +2019-06-26 Niels Möller + + * Released nettle-3.5.1. + + * configure.ac: Update version number to 3.5.1. + + * Makefile.in (distdir): Add x86_64/sha_ni to list of distributed + directories. + + * Released nettle-3.5. 
+ +2019-06-25 Niels Möller + + * config.sub: Update to 2019-05-23 version, from savannah's + config.git. + * config.guess: Update to 2019-06-10 version, from savannah's + config.git. Adds recognition of mips R6 and riscv. + +2019-06-05 Niels Möller + + Further separation of CMAC per-message state from the + message-independent subkeys, analogous to the gcm implementation. + * cmac.h (struct cmac128_ctx): Remove key, instead a struct + cmac128_key should be passed separately to functions that need it. + (CMAC128_CTX): Include both a struct cmac128_key and a struct + cmac128_ctx. + (CMAC128_SET_KEY, CMAC128_DIGEST): Updated accordingly. + + * cmac.c (cmac128_set_key): Change argument type from cmac128_ctx + to cmac128_key. Use a nettle_block16 for the constant zero block. + (cmac128_init): New function, to initialize a cmac128_ctx. + (cmac128_digest): Add cmac128_key argument. Move padding memset + into the block handling a partial block. Call cmac128_init to + reset state. + +2019-06-01 Niels Möller + + * cmac.h (struct cmac128_key): New struct. + * cmac.h (struct cmac128_ctx): Use struct cmac128_key. + * cmac.c (cmac128_set_key, cmac128_digest): Update accordingly. + +2019-05-12 Niels Möller + + Delete old libdes/openssl compatibility interface. + * des-compat.c: Delete file. + * des-compat.h: Delete file. + * testsuite/des-compat-test.c: Delete file. + * nettle.texinfo (Compatibility functions): Delete mention in documentation. + +2019-05-11 Niels Möller + + * NEWS: More updates for Nettle-3.5. + +2019-04-27 Niels Möller + + From Simo Sorce: + * x86_64/poly1305-internal.asm: Add missing EPILOGUE. + * x86_64/serpent-decrypt.asm: Likewise. + * x86_64/serpent-encrypt.asm: Likewise. + +2019-04-14 Niels Möller + + * tools/nettle-pbkdf2.c (main): Check strdup return value. + +2019-03-29 Niels Möller + + * aes.h (struct aes_ctx): Redefine using a union of key-size + specific contexts. + * aes-decrypt.c (aes_decrypt): Use switch on key_size. 
+ * aes-encrypt.c (aes_encrypt): Likewise. + * aes-set-decrypt-key.c (aes_invert_key): Likewise. + * aes-set-encrypt-key.c (aes_set_encrypt_key): Likewise. + +2019-03-27 Niels Möller + + * xts.c (xts_shift): Arrange with a single write to u64[1]. + * cmac.c (block_mulx): Rewrite to work in the same way as + xts_shift, with 64-bit operations. XTS and CMAC use opposite + endianness, but otherwise, these two functions are identical. + +2019-03-24 Niels Möller + + From Simo Sorce: + * xts.h: New file. + * xts.c: New file. + (BE_SHIFT): New macro. + (xts_shift, check_length, xts_encrypt_message) + (xts_decrypt_message): New functions. + * xts-aes128.c (xts_aes128_set_encrypt_key) + (xts_aes128_set_decrypt_key, xts_aes128_encrypt_message) + (xts_aes128_decrypt_message): New file, new functions. + * xts-aes256.c (xts_aes256_set_encrypt_key) + (xts_aes256_set_decrypt_key, xts_aes256_encrypt_message) + (xts_aes256_decrypt_message): New file, new functions. + * nettle.texinfo (XTS): Document XTS mode. + * Makefile.in (nettle_SOURCES): Add xts sourcce files. + (HEADERS): New installed header xts.h. + * testsuite/xts-test.c: New file. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add xts-test.c. + +2019-02-06 Niels Möller + + * gosthash94.h (struct gosthash94_ctx): Move block buffer last in + struct. + * md2.h (struct md2_ctx): Likewise. + * md4.h (struct md4_ctx): Likewise. + * md5.h (struct md5_ctx): Likewise. + * ripemd160.h (struct ripemd160_ctx): Likewise. + * sha1.h (struct sha1_ctx): Likewise. + * sha2.h (struct sha256_ctx, struct sha512_ctx): Likewise. + +2019-01-19 Niels Möller + + * examples/Makefile.in (TARGETS): Delete eratosthenes, left over + from earlier change. + + * fat-arm.c: Fix declarations of chacha_core functions. + + From Yuriy M. Kaminskiy: + * fat-setup.h (chacha_core_func): New typedef. + * fat-arm.c (fat_init): Enable choice between + _nettle_chacha_core_c and _nettle_chacha_core_neon. 
+ * configure.ac (asm_nettle_optional_list): Add + chacha-core-internal-2.asm. + * chacha-core-internal.c: Enable fat build with C and asm version. + * arm/fat/chacha-core-internal-2.asm: New file. + +2019-01-12 Niels Möller + + * examples/eratosthenes.c: Deleted program. + * examples/Makefile.in: Delete rule to build and distribute it. + +2019-01-10 Niels Möller + + * testsuite/rsa-compute-root-test.c (test_one): Use %u and + corresponding cast, when printing bit sizes. + +2019-01-09 Niels Möller + + * examples/nettle-benchmark.c (GET_CYCLE_COUNTER): Add volatile to + inline asm. + +2019-01-08 Niels Möller + + * sha512-compress.c: Add missing include of sha2-internal.h. + +2019-01-06 Niels Möller + + * testsuite/rsa-compute-root-test.c (generate_keypair): Fix assert + call with side-effects. + +2019-01-06 Niels Möller + + * nettle-types.h: Don't use nettle-stdint.h, include + directly. + * nettle-write.h: Likewise. + * configure.ac: Delete use of AX_CREATE_STDINT_H. + * aclocal.m4 (AX_CREATE_STDINT_H): Delete. + * Makefile.in (INSTALL_HEADERS, distclean-here): Delete mention of + nettle-stdint.h. + +2018-12-26 Niels Möller + + * examples/hogweed-benchmark.c (make_openssl_rsa_ctx): New helper + function. Call openssl's RSA_generate_key_ex rather then the + deprecated RSA_generate_key. + (bench_openssl_rsa_init, bench_openssl_rsa_tr_init): Use it. + + * eccdata.c (ecc_pippenger_precompute): Check that table size is + at least 2. Intended to silence warning from the clang static + analyzer. + + * configure.ac: Bump package version to 3.5. + (LIBNETTLE_MAJOR): Bump major number, now 7. + (LIBHOGWEED_MAJOR): Bump major number, now 5. + (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Reset to zero. + + * pkcs1-internal.h: New header file, moved declarations of + _pkcs1_sec_decrypt and _pkcs1_sec_decrypt_variable here. + * rsa-internal.h: ... old location. + * Makefile.in (DISTFILES): Added pkcs1-internal.h. + * pkcs1-decrypt.c: Include new file. + * pkcs1-sec-decrypt.c: Likewise. 
+ * rsa-decrypt-tr.c: Likewise. + * rsa-sec-decrypt.c: Likewise. + * testsuite/pkcs1-sec-decrypt-test.c: Likewise. + + * tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for + strdup with gcc -std=c89. + * testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for + getline with gcc -std=c89. + + * rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop. + Reported by Andreas Gustafsson. + * testsuite/rsa-sec-decrypt-test.c (test_main): Likewise. + +2018-12-04 Niels Möller + + * Released nettle-3.4.1. + +2018-11-28 Niels Möller + + * configure.ac: Update GMP check. Check for the function + mpn_sec_div_r, available since GMP-6.0.0. + + * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of + decrypted storage. Update test of rsa_decrypt, to allow clobbering + of all of the passed in message area. + + * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around + _pkcs1_sec_decrypt_variable. Improves side-channel silence of the + only caller, rsa_decrypt. + + * Makefile.in (DISTFILES): Add rsa-internal.h, needed for make + dist. Patch from Simo Sorce. + + * rsa-internal.h: Add include of rsa.h. + +2018-11-27 Niels Möller + + * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New + local helper functions, with their own itch functions. + (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to + use helpers, for clarity. + +2018-11-26 Niels Möller + + * testsuite/rsa-compute-root-test.c (generate_keypair): Simplify + selection of psize and qsize, and fix so that qsize is used. + (test_main): Add outer loop, to test with more than one key. + Deallocate storage before exiting. + +2018-11-25 Niels Möller + + * testsuite/rsa-compute-root-test.c: Renamed, from ... + * testsuite/rsa-sec-compute-root-test.c: ... old name. + + * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ... + * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location. + * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from... 
+ (rsa_sec_compute_root_tr): ... old name. Updated callers. + (cnd_mpn_zero): Use a volatile-declared mask variable. + + * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix + masking of most significant bits. + + * rsa-decrypt-tr.c (rsa_decrypt_tr): Use + NETTLE_OCTET_SIZE_TO_LIMB_SIZE. + + * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak + valgrind marking, and document potential leakage of lowest and + highest bits of p and q. + + * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to + mpz_sizeinbase, since that potentially leaks most significant bits + of private key parameters a and b. + + * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix + valgrind marking of return value. + + Merged below changes from Simo Sorce, to make RSA private key + operations side-channel silent. + +2018-11-08 Simo Sorce + + * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use + _rsa_sec_compute_root. + + * testsuite/rsa-sec-compute-root-test.c: Add more tests for new + side-channel silent functions. + + * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn, + since that is required for one of the GMP calls in + _rsa_sec_compute_root. + + * rsa-decrypt-tr.c: Switch to use side-channel silent functions. + + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private + function. Variable size version for backwards compatibility. + + * testsuite/rsa-sec-decrypt-test.c: Adds more tests. + + * rsa-sec-decrypt.c (rsa_sec_decrypt): New function. + Fixed length side-channel silent version of rsa-decrypt. + * testsuite/rsa-encrypt-test.c: add tests for the new fucntion. + + * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for + _pkcs1_sec_decrypt. + + * gmp-glue.c (mpn_get_base256): New function. + + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function. + Fixed length side-channel silent version of pkcs1-decrypt. + + * cnd-memcpy.c (cnd_memcpy): New function. + * memops.h: Declare it. 
+ * testsuite/cnd-memcpy-test.c: New test case. + + * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses + _rsa_sec_compute_root, as well as side-channel silent RSA + blinding. + (rsa_compute_root_tr) Rewritten as a wrapper around + rsa_sec_compute_root_tr. + (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root) + (cnd_mpn_zero): New helper functions. + (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not + side-channel silent wrapper around rsa_compute_root_tr, and the + latter function left unchanged. + + * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch) + (_rsa_sec_compute_root): New file, new private functions. + Side-channel silent version of rsa_compute_root. + * rsa-internal.h: New header file with declarations. + + * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro. + +2018-11-24 Niels Möller + + * configure.ac: Bump package version to 3.4.1. + (LIBNETTLE_MINOR): Bump library version to 6.5. + (LIBHOGWEED_MINOR): Bump library version to 4.5. + +2018-11-17 Niels Möller + + * examples/hogweed-benchmark.c (bench_rsa_verify) + (bench_openssl_rsa_tr_init): New functions. + (alg_list): Benchmark timing-resistant RSA functions, i.e., + including RSA blinding. + (main): Increase width of first column, here and in other + printouts. + +2018-10-10 Dmitry Eremin-Solenikov + + * ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when + processing more than on full block of size CTR_BUFFER_LIMIT, src + and dst arguments to memxor3 were not properly updated. + +2018-10-10 Niels Möller + + * aes-set-encrypt-key.c: Add missing include of stdlib.h. + * des-compat.c: Likewise. + +2018-09-13 Niels Möller + + * rsa-keygen.c (rsa_generate_keypair): Delete unlikely and + redundant check for p == q. + +2018-08-09 Niels Möller + + * rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with + _NETTLE_ATTRIBUTE_DEPRECATED. 
+ + * nettle-types.h (_NETTLE_ATTRIBUTE_PURE) + (_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and + lookalikes. + * ecc-curve.h: Include nettle-types.h, and use + _NETTLE_ATTRIBUTE_PURE instead of local definition. + * nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit + #ifdefs. + + * aes.h: Mark functions using struct aes_ctx interface as + deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where + the functions are implemented or tested. + * gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated. + + * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) + (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast + between incompatible function types (which gcc-8 warns about). + Wrappers are expected to compile to a single jmp instruction. + + * des-compat.c (des_compat_des3_encrypt) + (des_compat_des3_decrypt): Change length argument type to size_t. + +2018-08-08 Niels Möller + + * nettle.texinfo (Compatibility): New section on ABI and API + compatibility. + +2018-07-25 Dmitry Eremin-Solenikov + + * examples/nettle-benchmark.c: Add benchmarking for HMAC functions. + +2018-07-13 Niels Möller + + * examples/eratosthenes.c (vector_alloc): Add assert related to + overflow in the size calculation. Fixes a corner case identified + by static analysis. + (vector_init): Analogous assert. + +2018-07-12 Niels Möller + + * examples/eratosthenes.c (main): Don't allocate bitmap storage + for limit == 2 (early exit), closing memory leak at exit. + (main): Fix handling of short -q option. + + * eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui, + to fix memory leak. + (ecc_curve_clear): New function. + (main): Call it, to deallocate storage before exit. + +2018-07-08 Niels Möller + + * fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress. + * x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name. + * x86_64/fat/sha1-compress-2.asm: Likewise. 
+ +2018-07-07 Niels Möller + + From Nikos Mavrogiannopoulos. + * sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to + public function, since there's known appliation usage (filezilla). + * sha1.h (_nettle_sha1_compress): Old name, now a preprocessor + alias for the new name. + * md5-compress.c (nettle_md5_compress): Similarly renamed (used by + sogo). + * md5.h (_nettle_md5_compress): Old name,, now a preprocessor + alias for the new name. + + * chacha-internal.h, dsa-internal.h, eddsa-internal.h: + * hogweed-internal.h, ripemd160-internal.h, rsa-internal.h: + * salsa20-internal.h, sha2-internal.h, sha3-internal.h: + * umac-internal.h: Internal declarations moved to new header + files, which are not installed.. + * Makefile.in (DISTFILES): Added above files. + + * libnettle.map.in: Use a different symbol version for _nettle_* + symbols, depending on the minor release. This marks these symbols + explicitly not part of the public Nettle ABI. + * libhogweed.map.in: Analogous change. + +2018-06-17 Niels Möller + + * aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed + by Dmitry Eremin-Solenikov. + + * testsuite/symbols-test: Exclude ____chkstk_darwin symbols, + produced by Apple's Xcode 10 compiler. Patch contributed by + Dominyk Tiller. + +2018-03-25 Niels Möller + + From Michael Weiser. + * configure.ac (ASM_WORDS_BIGENDIAN): New substution, set from AC_C_BIGENDIAN. + * config.m4.in: Use it to set WORDS_BIGENDIAN. + * asm.m4 (IF_BE, IF_LE): New macros. + * arm/memxor.asm: Support big-endian ARM. + * arm/memxor3.asm: Likewise. + * arm/neon/chacha-core-internal.asm: Likewise. + * arm/neon/salsa20-core-internal.asm: Likewise. + * arm/neon/umac-nh.asm: Likewise. + * arm/v6/sha1-compress.asm: Likewise. + * arm/v6/sha256-compress.asm: Likewise. + * arm/README: Document big-endian considerations. + +2018-03-17 Niels Möller + + Discourage direct access to data symbols with non-public size. 
+ Direct references to these symbols may result in copy-relocations + like R_X86_64_COPY, which make the symbol size leak into the ABI. + * ecc-curve.h (_nettle_secp_192r1, _nettle_secp_224r1) + (_nettle_secp_256r1, _nettle_secp_384r1, _nettle_secp_521r1): Add + leading underscore on these data symbols. + + * nettle-meta.h (_nettle_ciphers, _nettle_hashes, _nettle_aeads) + (_nettle_armors): Add leading underscore on these data symbols. + Update all internal use. Macros without leading underscore remain, + and expand to access via accessor functions nettle_get_ciphers and + similar. + +2018-03-10 Niels Möller + + * eccdata.c (ecc_table_size): New helper function. + (ecc_pippenger_precompute): Display warning for poor parameters. + + * eccparams.c (main): New program, to list parameter alternatives + for Pippenger's algorithm. + + * Makefile.in: Tweak parameters for ecc tables. + (ecc-192.h): Change parameters from k = 7, c = 6 to k = 8, c = 6. + Reduces table size from 15 KB to 12 KB. Modest speedup, appr. 3% + for ecdsa signatures. + (ecc-224.h): Change parameters from k = 12, c = 6 to k = 16, c = + 7. Table size unchanged (14 KB in 32-bit platforms, 18 KB on + 64-bit platforms. Minor speedup, appr. 1% for ecdsa signatures. + (ecc-256.h): Change parameters from k = 14, c = 6 to k = 11, c = + 6. Table size unchanged, 16 KB. 14% speedup for ecdsa signatures. + (ecc-384.h): Changed parameters from k = 41, c = 6 to k = 32, c = + 6. Table size unchanged. 12% speedup for ecdsa signatures. + (ecc-521.h): Changed parameters from k = 56, c = 6 to k 44, c = 6. + Table size unchanged (17 KB on 32-bit platforms, 18 KB on 64-bit + platforms). 15% speedup for ecdsa signatures. + (ecc-255.h): Change parameters from k = 14, c = 6 to k = 11, c = + 6. Table size unchanged, 16 KB. 24% speedup for eddsa signatures. + +2018-03-14 Niels Möller + + Merge sha256 code using the x86_64 sha_ni instructions, starting + 2018-02-21. 
+ +2018-03-11 Niels Möller + + * x86_64/fat/sha256-compress.asm: New file. + * x86_64/fat/sha256-compress-2.asm: New file. + * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or + sha_ni version for sha256_compress. + +2018-02-21 Niels Möller + + * x86_64/sha_ni/sha256-compress.asm: New implementation using sha_ni + instructions. + 2018-02-20 Niels Möller * testsuite/cmac-test.c (test_cmac_hash): Deallocate ctx properly. diff --cc Makefile.in index fc2d2354,2b2edfd6..3b8b0dbb --- a/Makefile.in +++ b/Makefile.in @@@ -68,12 -62,9 +68,11 @@@ check-fat all-here: $(TARGETS) $(DOCTARGETS) - nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \ -nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ - aes-encrypt-internal.c aes-encrypt.c aes-encrypt-table.c \ ++nettle_SOURCES = aes-decrypt-internal.c aes-decrypt-table.c \ + aes128-decrypt.c aes192-decrypt.c aes256-decrypt.c \ - aes-encrypt-internal.c aes-encrypt.c aes-encrypt-table.c \ ++ aes-encrypt-internal.c aes-encrypt-table.c \ + aes128-encrypt.c aes192-encrypt.c aes256-encrypt.c \ aes-invert-internal.c aes-set-key-internal.c \ - aes-set-encrypt-key.c aes-set-decrypt-key.c \ aes128-set-encrypt-key.c aes128-set-decrypt-key.c \ aes128-meta.c \ aes192-set-encrypt-key.c aes192-set-decrypt-key.c \ @@@ -107,11 -91,9 +106,11 @@@ chacha-crypt.c chacha-core-internal.c \ chacha-poly1305.c chacha-poly1305-meta.c \ chacha-set-key.c chacha-set-nonce.c \ - ctr.c ctr16.c des.c des3.c des-compat.c \ + ctr.c ctr16.c des.c des3.c \ eax.c eax-aes128.c eax-aes128-meta.c \ + ghash-set-key.c ghash-update.c \ + siv-ghash-set-key.c siv-ghash-update.c \ - gcm.c gcm-aes.c \ + gcm.c \ gcm-aes128.c gcm-aes128-meta.c \ gcm-aes192.c gcm-aes192-meta.c \ gcm-aes256.c gcm-aes256-meta.c \ diff --cc nettle.texinfo index a4f7d2e1,b8722676..3c021bc2 --- a/nettle.texinfo +++ b/nettle.texinfo @@@ -1385,9 -1144,7 +1385,7 @@@ Like all the AES candidates, the winnin bits, or 16 octets, and three possible key-size, 128, 
192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in @file{}, and there is one - context struct for each key size. (Earlier versions of Nettle used a - single context struct, @code{struct aes_ctx}, for all key sizes. This - interface kept for backwards compatibility). -context struct for each key size.. ++context struct for each key size. @deftp {Context struct} {struct aes128_ctx} @deftpx {Context struct} {struct aes192_ctx} @@@ -2457,33 -2030,10 +2444,33 @@@ the source and destination area for th These macros use some tricks to make the compiler display a warning if the types of @var{f} and @var{ctx} don't match, e.g. if you try to use - an @code{struct aes_ctx} context with the @code{des_encrypt} function. + an @code{struct aes256_ctx} context with the @code{des_encrypt} function. -@node CTR, CFB and CFB8, CBC, Cipher modes -@comment node-name, next, previous, up +@subsubsection Cipher-specific functions + +Encryption in @acronym{CBC} mode (but not decryption!) is inherently +serial. It can pass only one block at a time to the block cipher's +encrypt function. Optimizations to process several blocks in parallel +can't be applied, and on platforms where the underlying cipher is fast, +per-function-call overhead, e.g., loading subkeys from memory into +registers, can be significant. Depending on platform and cipher used, +@code{cbc_encrypt} can be considerably slower than both +@code{cbc_decrypt} and @acronym{CTR} mode. The second reason for poor +performance can be addressed by having a combined @acronym{CBC} and +encrypt function, for ciphers where the overhead is significant. + +Nettle currently includes such special functions only for AES. 
+ +@deftypefun void cbc_aes128_encrypt (const struct aes128_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void cbc_aes192_encrypt (const struct aes192_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void cbc_aes256_encrypt (const struct aes256_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +Calling @code{cbc_aes128_encrypt(ctx, iv, length, dst, src)} does the +same thing as calling @code{cbc_encrypt(ctx, aes128_encrypt, +AES_BLOCK_SIZE, iv, length, dst, src)}, but is more efficient on certain +platforms. +@end deftypefun + +@node CTR @subsection Counter mode @cindex Counter Mode diff --cc testsuite/gcm-test.c index e8228ed7,c280ee5e..eaebf7f4 --- a/testsuite/gcm-test.c +++ b/testsuite/gcm-test.c @@@ -29,86 -25,6 +29,59 @@@ test_gcm_hash (const struct tstring *ms } } +static void +test_ghash_internal (const struct tstring *key, + const struct tstring *iv, + const struct tstring *message, + const struct tstring *digest) +{ + ASSERT (key->length == GCM_BLOCK_SIZE); + ASSERT (iv->length == GCM_BLOCK_SIZE); + ASSERT (digest->length == GCM_BLOCK_SIZE); + ASSERT (message->length % GCM_BLOCK_SIZE == 0); + struct gcm_key gcm_key; + union nettle_block16 state; + + /* Mark inputs as "undefined" to valgrind, to get warnings about any + branches or memory accesses depending on secret data. 
*/ + memcpy (state.b, key->data, GCM_BLOCK_SIZE); + mark_bytes_undefined (sizeof(state), &state); + _ghash_set_key (&gcm_key, &state); + + memcpy (state.b, iv->data, GCM_BLOCK_SIZE); + mark_bytes_undefined (sizeof(state), &state); + mark_bytes_undefined (message->length, message->data); + _ghash_update (&gcm_key, &state, message->length / GCM_BLOCK_SIZE, message->data); + mark_bytes_defined (sizeof(state), &state); + mark_bytes_defined (message->length, message->data); + + if (!MEMEQ(GCM_BLOCK_SIZE, state.b, digest->data)) + { + fprintf (stderr, "gcm_hash (internal) failed\n"); + fprintf(stderr, "Key: "); + tstring_print_hex(key); + fprintf(stderr, "\nIV: "); + tstring_print_hex(iv); + fprintf(stderr, "\nMessage: "); + tstring_print_hex(message); + fprintf(stderr, "\nOutput: "); + print_hex(GCM_BLOCK_SIZE, state.b); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(digest); + fprintf(stderr, "\n"); + FAIL(); + } +} + - static nettle_set_key_func gcm_unified_aes128_set_key; - static nettle_set_key_func gcm_unified_aes128_set_iv; - static void - gcm_unified_aes128_set_key (void *ctx, const uint8_t *key) - { - gcm_aes_set_key (ctx, AES128_KEY_SIZE, key); - } - static void - gcm_unified_aes128_set_iv (void *ctx, const uint8_t *iv) - { - gcm_aes_set_iv (ctx, GCM_IV_SIZE, iv); - } - static const struct nettle_aead - nettle_gcm_unified_aes128 = { - "gcm-aes128", - sizeof (struct gcm_aes_ctx), - GCM_BLOCK_SIZE, AES128_KEY_SIZE, - GCM_IV_SIZE, GCM_DIGEST_SIZE, - (nettle_set_key_func *) gcm_unified_aes128_set_key, - (nettle_set_key_func *) gcm_unified_aes128_set_key, - (nettle_set_key_func *) gcm_unified_aes128_set_iv, - (nettle_hash_update_func *) gcm_aes_update, - (nettle_crypt_func *) gcm_aes_encrypt, - (nettle_crypt_func *) gcm_aes_decrypt, - (nettle_hash_digest_func *) gcm_aes_digest - }; - +/* Hack that uses a 16-byte nonce, a 12-byte standard GCM nonce and an + explicit initial value for the counter. 
*/ +static void +gcm_aes128_set_iv_hack (struct gcm_aes128_ctx *ctx, size_t size, const uint8_t *iv) { + assert (size == 16); + gcm_aes128_set_iv (ctx, 12, iv); + memcpy (ctx->gcm.ctr.b + 12, iv + 12, 4); +} + void test_main(void) { @@@ -237,247 -119,6 +210,227 @@@ "16aedbf5a0de6a57a637b39b"), SHEX("619cc5aefffe0bfa462af43c1699d050")); - /* Same test, but with old gcm_aes interface */ - test_aead(&nettle_gcm_unified_aes128, - (nettle_hash_update_func *) gcm_aes_set_iv, - SHEX("feffe9928665731c6d6a8f9467308308"), - SHEX("feedfacedeadbeeffeedfacedeadbeef" - "abaddad2"), - SHEX("d9313225f88406e5a55909c5aff5269a" - "86a7a9531534f7da2e4c303d8a318a72" - "1c3c0c95956809532fcf0e2449a6b525" - "b16aedf5aa0de657ba637b39"), - SHEX("8ce24998625615b603a033aca13fb894" - "be9112a5c3a211a8ba262a3cca7e2ca7" - "01e4a9a4fba43c90ccdcb281d48c7c6f" - "d62875d2aca417034c34aee5"), - SHEX("9313225df88406e555909c5aff5269aa" - "6a7a9538534f7da1e4c303d2a318a728" - "c3c0c95156809539fcf0e2429a6b5254" - "16aedbf5a0de6a57a637b39b"), - SHEX("619cc5aefffe0bfa462af43c1699d050")); - + /* Test 128 bytes */ + test_aead(&nettle_gcm_aes128, NULL, + SHEX("feffe9928665731c6d6a8f9467308308"), + SHEX(""), + SHEX("d9313225f88406e5a55909c5aff5269a" + "86a7a9531534f7da2e4c303d8a318a72" + "1c3c0c95956809532fcf0e2449a6b525" + "b16aedf5aa0de657ba637b391aafd255" + "5ae376bc5e9f6a1b08e34db7a6ee0736" + "9ba662ea12f6f197e6bc3ed69d2480f3" + "ea5691347f2ba69113eb37910ebc18c8" + "0f697234582016fa956ca8f63ae6b473"), + SHEX("42831ec2217774244b7221b784d0d49c" + "e3aa212f2c02a4e035c17e2329aca12e" + "21d514b25466931c7d8f6a5aac84aa05" + "1ba30b396a0aac973d58e091473f5985" + "874b1178906ddbeab04ab2fe6cce8c57" + "8d7e961bd13fd6a8c56b66ca5e576492" + "1a48cd8bda04e66343e73055118b69b9" + "ced486813846958a11e602c03cfc232b"), + SHEX("cafebabefacedbaddecaf888"), + SHEX("796836f1246c9d735c5e1be0a715ccc3")); + + /* Test 719 bytes */ + test_aead(&nettle_gcm_aes256, NULL, + SHEX("6235f895fca5ebf60e921204d3a13f2e" + 
"8b32cfe744ed1359043877b0b9adb438"), + SHEX(""), + SHEX("42c1cc08486f413f2f11668b2a16f0e0" + "5883f0c37014c05b3fec1d253c51d203" + "cf59741fb285b407c66a63398a5bdecb" + "af0844bd6f9115e1f57a6e18bddd6150" + "59a997abbb0e745c00a4435404549b3b" + "77ecfd5ca6e87b08aee6103f3265d1fc" + "a41d2c31fb337ab33523f42041d4ad82" + "8ba4ad961c2053be0ea6f4dc78493e72" + "b1a9b583cb0854b7ad493aae98cea666" + "1030908c5583d77c8be653ded26e1821" + "0152d19f9dbb9c7357cc8909759b7870" + "ed26974db4e40ca5fa700470c6961c7d" + "544177a8e3b07e9682d9eca2876855f9" + "8f9e7343476a08369367a82ddeac41a9" + "5c4d73970f7068fa564d00c23b1fc8b9" + "781f5107e39a134eed2b2ea3f744b2e7" + "ab1937d9ba765ed2f25315174c6b169f" + "026649ca7c9105f245361ef577ad1f46" + "a813fb63b608996382a2edb3acdf4319" + "45ea7873d9b73911a3137cf83ff7ad81" + "482fa95c5fa0f079a4477d802026fd63" + "0ac77e6d7547ff76662e8a6c8135af0b" + "2e6a4960c110e1e15403a4090c377a15" + "23275b8b4ba56497ae4a50731f661c5c" + "03253c8d485871340eec4e551a036ae5" + "b6192b842a20d1ea806f960e0562c778" + "8779603846b425576e1663f8ad6ed742" + "69e188ef6ed5b49a3c786c3be5a01d22" + "865c743aeb2426c709fc919647874f1a" + "d66b2c1847c0b824a85a4a9ecb03e72a" + "09e64d9c6d8660f52f4869379ff2d2cb" + "0e5add6e8afb6afe0b63de8742798a68" + "51289b7aebafb82f9dd1c7459008c983" + "e98384cb28690969ce99460054cbd838" + "f9534abf31ce571533fa96043342e3c0" + "b7544a657a7c02e61995d00e820763f9" + "e12b2afc559252c9b59f232860e72051" + "10d3ed6d9babb8e25d9a34b3be9c64cb" + "78c69122409180bed7785c0e0adc08e9" + "6710a483987923e792daa92216b1e778" + "a31c6c8f357c4d372f6e0b505c34b9f9" + "e63d910d3295aa3d481106bb2df26388" + "3f7309e245563151fa5e4e62f790f9a9" + "7d7b1bb1c8266e66f6909a7ff257cc23" + "59fafaaa440401a7a478db743d8bb5"), + SHEX("840bdbd5b7a8fe20bbb1127f41eab3c0" + "a2b437191158b60b4c1d380554d11673" + "8e1c2090a29ab77447e6d8fc183ab4ea" + "d5165a2c530146b31833746c50f2e8c0" + "73da6022ebe3e59b20936c4b3799b823" + "3b4eace85be80fb7c38ffb4a37d93995" + "34f1db8f71d9c70b02f163fc9bfcc5ab" + 
"b9141321dfceaa8844301ece260192f8" + "9f004b0c4bf75fe089ca9466112197ca" + "3e83742ddb4d11eb97c214ff9e1ea06b" + "08b4312b85c6856c90ec39c0ecb3b54e" + "f39ce7833a770af456fece18336d0b2d" + "33dac8055cb4092ade6b529801ef363d" + "bdf98fa83eaacdd1012d4249c3b684bb" + "4896e090936c4864d4fa7f932ca621c8" + "7a237baa205612ae169d940f54a1ecca" + "514ef239f4f85f045a0dbff583a115e1" + "f53cd862a3ed4789854ce5dbac9e171d" + "0c09e33e395b4d740ef534ee70114cfd" + "db34b1b5103f73b7f5faedb01fa5cd3c" + "8d3583d411446e6c5be00e69a539e5bb" + "a9572437e61fddcf162a13f96a2d90a0" + "03607aed69d5008b7e4fcbb9fa91b937" + "c126ce9097226464c172431bf6acc154" + "8a109cdd8dd58eb2e485dae0205ff4b4" + "15b5a08d127449233adf4ad3f03b89eb" + "f8cc627bfb9307416126945870a63ce4" + "ff58c4133dcb366b32e5b26d03746f76" + "9377de48c4fa304ada4980770f1cbe11" + "c848b1e5bbf28ae1962f9fd18e8a5ce2" + "f7d7d854f33fc491b8fb86dc46249160" + "6c2fc94137514954098121f3039f2be3" + "1f3963aff4d75360a7c754f9eeb1b17d" + "75546593feb1686b5702f9bb0ef9f8bf" + "011227b4fee4797a405b514bdf38ecb1" + "6a56ff354d4233aa6f1be4dce0db8535" + "6210d4ecebc57e451c6f17ca3b8e2d66" + "4f4b3656cd1b59aad29b17b958df7b64" + "8aff3b9ca6b5489eaae25d0971325fb6" + "29bee7c7527e91826b6d33e134063621" + "5ebe1e2f3ec1fbea492cb5caf7b037ea" + "1fed1004d9480d1a1cfbe7840e835374" + "c765e25ce5ba734c0ee1b51145614346" + "aa258fbd8508fa4c15c1c0d8f5dc16bb" + "7b1de38757a72a1d38589e8a43dc57"), + SHEX("00ffffffff0000ffffff00ff"), + SHEX("d1817d2be9ff993a4b24525855e14914")); + + /* Same input, but different initial counter value, to trigger wraparound. 
*/ + test_aead(&nettle_gcm_aes256, + (nettle_hash_update_func *) gcm_aes128_set_iv_hack, + SHEX("6235f895fca5ebf60e921204d3a13f2e" + "8b32cfe744ed1359043877b0b9adb438"), + SHEX(""), + SHEX("42c1cc08486f413f2f11668b2a16f0e0" + "5883f0c37014c05b3fec1d253c51d203" + "cf59741fb285b407c66a63398a5bdecb" + "af0844bd6f9115e1f57a6e18bddd6150" + "59a997abbb0e745c00a4435404549b3b" + "77ecfd5ca6e87b08aee6103f3265d1fc" + "a41d2c31fb337ab33523f42041d4ad82" + "8ba4ad961c2053be0ea6f4dc78493e72" + "b1a9b583cb0854b7ad493aae98cea666" + "1030908c5583d77c8be653ded26e1821" + "0152d19f9dbb9c7357cc8909759b7870" + "ed26974db4e40ca5fa700470c6961c7d" + "544177a8e3b07e9682d9eca2876855f9" + "8f9e7343476a08369367a82ddeac41a9" + "5c4d73970f7068fa564d00c23b1fc8b9" + "781f5107e39a134eed2b2ea3f744b2e7" + "ab1937d9ba765ed2f25315174c6b169f" + "026649ca7c9105f245361ef577ad1f46" + "a813fb63b608996382a2edb3acdf4319" + "45ea7873d9b73911a3137cf83ff7ad81" + "482fa95c5fa0f079a4477d802026fd63" + "0ac77e6d7547ff76662e8a6c8135af0b" + "2e6a4960c110e1e15403a4090c377a15" + "23275b8b4ba56497ae4a50731f661c5c" + "03253c8d485871340eec4e551a036ae5" + "b6192b842a20d1ea806f960e0562c778" + "8779603846b425576e1663f8ad6ed742" + "69e188ef6ed5b49a3c786c3be5a01d22" + "865c743aeb2426c709fc919647874f1a" + "d66b2c1847c0b824a85a4a9ecb03e72a" + "09e64d9c6d8660f52f4869379ff2d2cb" + "0e5add6e8afb6afe0b63de8742798a68" + "51289b7aebafb82f9dd1c7459008c983" + "e98384cb28690969ce99460054cbd838" + "f9534abf31ce571533fa96043342e3c0" + "b7544a657a7c02e61995d00e820763f9" + "e12b2afc559252c9b59f232860e72051" + "10d3ed6d9babb8e25d9a34b3be9c64cb" + "78c69122409180bed7785c0e0adc08e9" + "6710a483987923e792daa92216b1e778" + "a31c6c8f357c4d372f6e0b505c34b9f9" + "e63d910d3295aa3d481106bb2df26388" + "3f7309e245563151fa5e4e62f790f9a9" + "7d7b1bb1c8266e66f6909a7ff257cc23" + "59fafaaa440401a7a478db743d8bb5"), + SHEX("abdf2d43d5acea0e 037296441e544e8f" + "d9b2fdfc434b3966 be04e88b226b9bbd" + "ed6c798834bf5283 30d5a386d49b5a45" + "2076bc49acf3d854 
c15b52b15ab0008f" + "b28069951f2baf3a d845ead585168f25" + "b126ea81592fc417 3a4664cb599992dc" + "5e2aebeb9a7f0ce3 46d2d100295469f2" + "cae1f9190c3f50cd 8f2a4f19ea285453" + "cbb7ab12f79807e5 400020da75e12ff6" + "3a436705056e46bb abd17cc1e1a33b39" + "4df0802b60bbe8cc 3aa5627c70279019" + "7dca60f33e0eb11d cda293ac1cbe7454" + "66f1c91f205e87a0 c84f06b0d920f973" + "a1378dccc7950361 b7e406e557437005" + "72fe973681beae6d 4a6947e3776f70f3" + "71f9b1b3fbe70a51 2a0b9e6a6e6c7fd9" + "b5a3471734e55883 5edddf7fb99001cf" + "65fdf667c395724e 1984a0cff12a7c82" + "9a740788cfc85c84 10e807d7b1c5860b" + "5131eb7445ab198f 21a403a9284e44f0" + "4a1383f19c6cf199 5ff1c72c83c3a34e" + "f090bb8d3bc9fea0 ce70208e4effac75" + "d930d8c81e6ca39a 94795f27d704724e" + "873d43d6c4f6b080 221d892ec3a813b8" + "9dfbf54b81d03b92 5805df1d3a510a58" + "7303010c64c44fff 7fc8e5e7807ddfa0" + "24e93a62d5ec07ee 1e12fa6d4676e8e9" + "44ebbb62c61055f0 1634038b1306de00" + "645de12137a32634 66c482feae4d9212" + "5f5e8c48824d47a2 4233de2bf15f797b" + "aa4ac69555d2f83c 95f8b5ea6aab9c58" + "71efdf2d37dc48e8 045329279fb161ce" + "c791d786b8b13ade 934c191376dcbbd7" + "fca82eb907b71fe4 1d2c57e11c502933" + "e770d742cdfc65d0 0d8f434b76cb5808" + "4965dfade4c5a682 8e263fe55bd12052" + "835e3ed3e8387163 b77ddc5c210181da" + "5ec215b884d353ad 678ca70fc0251c35" + "e411707a9649e1bc 4ee3e3b550ee286e" + "9f51c98857530d88 e17b6e6dfacbe809" + "7e1ed9df02427c7b 59e03f823ee85f35" + "65066f1d8cc286b1 e1e13259769b6ebf" + "60ebd2d913e6d019 755f6d6811d3e606" + "8f42b10f2e02a646 8b0a9b7889b99b7c" + "1754b9ee8e03b3c2 5dcf41b71f3c64"), + SHEX("00ffffffff0000ff ffff00fffffffffd"), /* ctr == 2^31-3 */ + SHEX("d64dd27c678a2827 859bd29e7ea4ae07")); + + /* Test case 7 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("00000000000000000000000000000000"
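Review bot: the two `++` lines in the first Makefile.in hunk, `++nettle_SOURCES = aes-decrypt-internal.c aes-decrypt-table.c \` and `++ aes-encrypt-internal.c aes-encrypt-table.c \`, are edits made by the merge commit itself rather than by either parent: both parents still listed aes-decrypt.c (the `- ` and `-` lines above them), and the branch side only dropped `aes-set-encrypt-key.c aes-set-decrypt-key.c`. Dropping aes-decrypt.c and aes-encrypt.c from the build is therefore new work hidden inside conflict resolution. Prefer landing that deletion as an ordinary commit on delete-old-aes before merging, so bisect and blame attribute it correctly, and check that nothing else in Makefile.in (DISTFILES, the fat-build source lists) or in testsuite/Makefile.in still names the two files, since that is not visible in this diff.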
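Review bot: in the second Makefile.in hunk, `- ctr.c ctr16.c des.c des3.c des-compat.c \` followed by `+ ctr.c ctr16.c des.c des3.c \` removes des-compat.c from the library in the same change that removes gcm-aes.c. des-compat.c is unrelated to the `struct aes_ctx` cleanup, so its removal should be stated explicitly and paired with dropping des-compat.h from HEADERS and the des-compat test from the testsuite, none of which appears in this diff; otherwise the next reader will assume it was an accidental casualty of the conflict resolution. A tree-wide grep for des-compat and des_compat before release would confirm no example or map file still references it.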
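Review bot: the resolution line `++context struct for each key size.` correctly drops the doubled full stop from the branch side (`-context struct for each key size..`), but since this paragraph of nettle.texinfo is being rewritten anyway, the unchanged context line above it deserves the same pass: "three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes" reads better as "three possible key sizes: 128, 192 and 256 bits (16, 24 and 32 octets)". With the parenthetical about `struct aes_ctx` being kept for backwards compatibility deleted, consider adding one sentence saying that no single-struct AES interface exists any more, so readers porting from older releases know the three per-size structs are the only option.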
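Review bot: `+ an @code{struct aes256_ctx} context with the @code{des_encrypt} function.` should read "a @code{struct aes256_ctx} context"; the article was already wrong for `struct aes_ctx`, and this is the moment to fix it. The rest of the hunk, the new Cipher-specific functions subsubsection and the `cbc_aes128_encrypt`/`cbc_aes192_encrypt`/`cbc_aes256_encrypt` entries, reads well, but since the text only says the call "does the same thing as calling @code{cbc_encrypt}", it would help to state outright that `iv` is updated in place to the last ciphertext block, which is the behaviour a caller chaining several calls depends on.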
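Review bot: `gcm_aes128_set_iv_hack` is declared to take a `struct gcm_aes128_ctx *` and calls `gcm_aes128_set_iv`, yet its only use in this file is `test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes128_set_iv_hack, ...)`, so at run time it receives a `struct gcm_aes256_ctx`. That works only because the two context structs share the layout of their `key` and `gcm` members and IV setup never touches the cipher state; the function-pointer cast hides the mismatch from the compiler. Rename it `gcm_aes256_set_iv_hack`, take `struct gcm_aes256_ctx *` and call `gcm_aes256_set_iv`, or make it generic by calling `gcm_set_iv` on `&ctx->gcm` and `&ctx->key` directly, so the test no longer depends on a struct-layout coincidence. The new `test_ghash_internal` looks right: key, IV and message are marked undefined before `_ghash_set_key`/`_ghash_update` and re-marked defined before the `MEMEQ` comparison, which is the correct pattern for catching secret-dependent branches and loads under valgrind.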
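Review bot: the trailing comment on the wraparound test's nonce, `SHEX("00ffffffff0000ff ffff00fffffffffd"), /* ctr == 2^31-3 */`, is off by a factor of two: the last four bytes `fffffffd` that `gcm_aes128_set_iv_hack` copies into `ctx->gcm.ctr.b + 12` are 0xfffffffd = 2^32-3, not 2^31-3. The test does what the preceding comment promises, since the 719-byte plaintext spans 45 blocks and the 32-bit counter field runs 0xfffffffe, 0xffffffff, 0x00000000 within the first few blocks, so only the comment needs fixing; as written it suggests a test of the sign bit rather than of the 32-bit wrap.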