From: Niels Möller Date: Thu, 21 Nov 2019 18:43:57 +0000 (+0100) Subject: Merge branch 'curve448' into master X-Git-Tag: nettle_3.6rc1~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=889a582f3ee1b03e98f47e8bb353659af0933822;p=thirdparty%2Fnettle.git Merge branch 'curve448' into master --- 889a582f3ee1b03e98f47e8bb353659af0933822 diff --cc ChangeLog index f2a85d01,f7d28359..a63ca94e --- a/ChangeLog +++ b/ChangeLog @@@ -1,985 -1,37 +1,1023 @@@ ++2019-11-21 Niels Möller ++ ++ * Merge curve448 preparations, from September 2017. ++ + 2017-09-23 Niels Möller + + * eccdata.c: Reorganize curve25519 precomputation to work directly + with the twisted Edwards curve, with new point addition based on a + patch from Daiki Ueno. + * ecc-25519.c (_nettle_curve25519): Update for removed Montgomery + curve constant. + + * ecc-internal.h (struct ecc_curve): Delete unused pointer + edwards_root. Update all instances. + * eccdata.c (output_curve): Don't output it. + + * testsuite/ecc-add-test.c (test_main): Reduce test duplication. + Use ecc->add_hhh_itch. + * testsuite/ecc-dup-test.c (test_main): Reduce test duplication. + Use ecc->dup_itch. + + 2017-09-23 Daiki Ueno + + * ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of + hard-coded value for curve25519. + * eddsa-sign.c (_eddsa_sign): Likewise. + + * ecc-internal.h (ecc_dup_func): New typedef. + (struct ecc_curve): New constants add_hh_itch and dup_itch, new + function pointers add_hh and dup. + * ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c, + ecc-25519.c: Update accordingly. + * ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers. + * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh): + Likewise. + * testsuite/ecc-dup-test.c (test_main): Likewise. + * testsuite/ecc-add-test.c (test_main): Likewise. + +2019-10-01 Niels Möller + + * testsuite/testutils.c (test_cipher_cfb8): Reset destination area + between tests. Encrypt/decrypt final partial block. + + From Daiki Ueno, fixing bug reported by Stephan Mueller: + * cfb.c (cfb8_decrypt): Don't truncate output IV if input is + shorter than block size. + * testsuite/testutils.c (test_cipher_cfb8): Test splitting input + into multiple calls to cfb8_encrypt and cfb8_decrypt. + +2019-09-30 Niels Möller + + * testsuite/siv-test.c (test_cipher_siv): Fix out-of-bounds read. + Trim allocation size for de_data, drop some uses of + SIV_DIGEST_SIZE, call FAIL for unexpected returned values. + (test_compare_results): Delete digest argument. + +2019-09-15 Niels Möller + + From Dmitry Eremin-Solenikov: + * gost28147.c (_gost28147_encrypt_block): New file, encrypt + function and sbox tables moved here. + * gosthash94.c: Update functions to take sbox array as argument. + (gost_block_compress): Use _gost28147_encrypt_block. + (gosthash94cp_update,gosthash94cp_digest): New functions. + * gost28147-internal.h: New file. + * gost28147.h: New file. + * gosthash94-meta.c (nettle_gosthash94cp): New hash algorithm. + * nettle-meta-hashes.c (_nettle_hashes): Add nettle_gosthash94 and + nettle_gosthash94cp. + * hmac-gosthash94.c (hmac_gosthash94_set_key) + (hmac_gosthash94_update, hmac_gosthash94_digest) + (hmac_gosthash94cp_set_key, hmac_gosthash94cp_update) + (hmac_gosthash94cp_digest): New file and functions. + * pbkdf2-hmac-gosthash94.c (pbkdf2_hmac_gosthash94cp): New file + and function. + * testsuite/pbkdf2-test.c (test_main): Add + pbkdf2-hmac-gosthash94cp tests. + * testsuite/hmac-test.c (test_main): Add hmac-gosthash94 tests. + * testsuite/gosthash94-test.c (test_main): Add gosthash94cp tests. + * nettle.texinfo (Legacy hash functions): Document gosthash94cp. + + * testsuite/dlopen-test.c (main): Use libnettle.dylib on MacOS. + +2019-07-08 Niels Möller + + * nettle-types.h (union nettle_block16): Mark w member as deprecated. + * eax.c (block16_xor): Use uint64_t member of nettle_block16. + * gcm.c (gcm_gf_add, gcm_gf_shift, gcm_gf_shift_8): Likewise. + +2019-07-10 Niels Möller + + From Dmitry Eremin-Solenikov: + * cmac64.c (_cmac64_block_mulx, cmac64_set_key, cmac64_init) + (cmac64_update, cmac64_digest): New file, new functions. + * cmac-des3.c (cmac_des3_set_key, cmac_des3_update) + (cmac_des3_digest): New file, new functions. + * cmac.h: Add cmac64 and cmac_des3 declarations. + * Makefile.in (nettle_SOURCES): Add cmac64.c and cmac-des3.c. + * testsuite/cmac-test.c (test_main): Add tests for cmac_des3. + +2019-07-02 Niels Möller + + From Dmitry Eremin-Solenikov: + * testsuite/testutils.c (test_mac): New function. + * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256): + New algorithm structs. + (test_cmac_aes128, test_cmac_aes256): Use test_mac. + +2019-06-06 Niels Möller + + Update for cmac changes, enabling const for the _message functions. + * siv-cmac.c (_siv_s2v): Take a const struct cmac128_key as argument, + and use a local struct cmac128_ctx for message-specific state. + (siv_cmac_set_key): Take a struct cmac128_key as argument. Updated + callers. + (siv_cmac_encrypt_message, siv_cmac_decrypt_message): Take a const + struct cmac128_key as argument. Updated callers. + + * siv-cmac.h (SIV_CMAC_CTX): Changed to use struct cmac128_key + rather than struct cmac128_ctx. + + * siv-cmac-aes256.c (siv_cmac_aes256_encrypt_message) + (siv_cmac_aes256_decrypt_message): Likewise. + * siv-cmac-aes128.c (siv_cmac_aes128_encrypt_message) + (siv_cmac_aes128_decrypt_message): The ctx argument made const. + +2019-05-15 Niels Möller + + * siv-cmac.h (SIV_CMAC_AES128_KEY_SIZE, SIV_CMAC_AES256_KEY_SIZE): + New constants. + * testsuite/siv-test.c: Simplify tests a little. + + * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1. + * siv-cmac.c (_siv_s2v): Require non-empty nonce. + * nettle.texinfo (SIV-CMAC): Update documentation. + +2019-05-06 Niels Möller + + SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos: + * siv-cmac.h (SIV_BLOCK_SIZE, SIV_DIGEST_SIZE): New constants. + (SIV_CMAC_CTX): New macro. + (struct siv_cmac_aes128_ctx, struct siv_cmac_aes256_ctx): New + context structs. + * siv-cmac.c (_siv_s2v, siv_cmac_set_key) + (siv_cmac_encrypt_message) + (siv_cmac_decrypt_message): New file, new functions. + * siv-cmac-aes128.c (siv_cmac_aes128_set_key) + (siv_cmac_aes128_encrypt_message) + (siv_cmac_aes128_decrypt_message): New file, new functions. + * siv-cmac-aes256.c (siv_cmac_aes256_set_key) + (siv_cmac_aes256_encrypt_message) + (siv_cmac_aes256_decrypt_message): New file, new functions. + * Makefile.in (nettle_SOURCES): Add siv-cmac source files. + (HEADERS): Add siv-cmac.h. + * testsuite/siv-test.c: New file. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added siv-test.c + * nettle.texinfo (SIV-CMAC): Documentation. + +2019-04-30 Niels Möller + + Based on a patch contributed by Nikos Mavrogiannopoulos. + * cmac.c (_cmac128_block_mulx): Renamed function... + (block_mulx): ... from old name. + * cmac-internal.h (_cmac128_block_mulx): New file, declare function. + * Makefile.in (DISTFILES): Added cmac-internal.h. + +2019-06-26 Niels Möller + + * Released nettle-3.5.1. + + * configure.ac: Update version number to 3.5.1. + + * Makefile.in (distdir): Add x86_64/sha_ni to list of distributed + directories. + + * Released nettle-3.5. + +2019-06-25 Niels Möller + + * config.sub: Update to 2019-05-23 version, from savannah's + config.git. + * config.guess: Update to 2019-06-10 version, from savannah's + config.git. Adds recognition of mips R6 and riscv. + +2019-06-05 Niels Möller + + Further separation of CMAC per-message state from the + message-independent subkeys, analogous to the gcm implementation. + * cmac.h (struct cmac128_ctx): Remove key, instead a struct + cmac128_key should be passed separately to functions that need it. + (CMAC128_CTX): Include both a struct cmac128_key and a struct + cmac128_ctx. + (CMAC128_SET_KEY, CMAC128_DIGEST): Updated accordingly. + + * cmac.c (cmac128_set_key): Change argument type from cmac128_ctx + to cmac128_key. Use a nettle_block16 for the constant zero block. + (cmac128_init): New function, to initialize a cmac128_ctx. + (cmac128_digest): Add cmac128_key argument. Move padding memset + into the block handling a partial block. Call cmac128_init to + reset state. + +2019-06-01 Niels Möller + + * cmac.h (struct cmac128_key): New struct. + * cmac.h (struct cmac128_ctx): Use struct cmac128_key. + * cmac.c (cmac128_set_key, cmac128_digest): Update accordingly. + +2019-05-12 Niels Möller + + Delete old libdes/openssl compatibility interface. + * des-compat.c: Delete file. + * des-compat.h: Delete file. + * testsuite/des-compat-test.c: Delete file. + * nettle.texinfo (Compatibility functions): Delete mention in documentation. + +2019-05-11 Niels Möller + + * NEWS: More updates for Nettle-3.5. + +2019-04-27 Niels Möller + + From Simo Sorce: + * x86_64/poly1305-internal.asm: Add missing EPILOGUE. + * x86_64/serpent-decrypt.asm: Likewise. + * x86_64/serpent-encrypt.asm: Likewise. + +2019-04-14 Niels Möller + + * tools/nettle-pbkdf2.c (main): Check strdup return value. + +2019-03-29 Niels Möller + + * aes.h (struct aes_ctx): Redefine using a union of key-size + specific contexts. + * aes-decrypt.c (aes_decrypt): Use switch on key_size. + * aes-encrypt.c (aes_encrypt): Likewise. + * aes-set-decrypt-key.c (aes_invert_key): Likewise. + * aes-set-encrypt-key.c (aes_set_encrypt_key): Likewise. + +2019-03-27 Niels Möller + + * xts.c (xts_shift): Arrange with a single write to u64[1]. + * cmac.c (block_mulx): Rewrite to work in the same way as + xts_shift, with 64-bit operations. XTS and CMAC use opposite + endianness, but otherwise, these two functions are identical. + +2019-03-24 Niels Möller + + From Simo Sorce: + * xts.h: New file. + * xts.c: New file. + (BE_SHIFT): New macro. + (xts_shift, check_length, xts_encrypt_message) + (xts_decrypt_message): New functions. + * xts-aes128.c (xts_aes128_set_encrypt_key) + (xts_aes128_set_decrypt_key, xts_aes128_encrypt_message) + (xts_aes128_decrypt_message): New file, new functions. + * xts-aes256.c (xts_aes256_set_encrypt_key) + (xts_aes256_set_decrypt_key, xts_aes256_encrypt_message) + (xts_aes256_decrypt_message): New file, new functions. + * nettle.texinfo (XTS): Document XTS mode. + * Makefile.in (nettle_SOURCES): Add xts sourcce files. + (HEADERS): New installed header xts.h. + * testsuite/xts-test.c: New file. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add xts-test.c. + +2019-02-06 Niels Möller + + * gosthash94.h (struct gosthash94_ctx): Move block buffer last in + struct. + * md2.h (struct md2_ctx): Likewise. + * md4.h (struct md4_ctx): Likewise. + * md5.h (struct md5_ctx): Likewise. + * ripemd160.h (struct ripemd160_ctx): Likewise. + * sha1.h (struct sha1_ctx): Likewise. + * sha2.h (struct sha256_ctx, struct sha512_ctx): Likewise. + +2019-01-19 Niels Möller + + * examples/Makefile.in (TARGETS): Delete eratosthenes, left over + from earlier change. + + * fat-arm.c: Fix declarations of chacha_core functions. + + From Yuriy M. Kaminskiy: + * fat-setup.h (chacha_core_func): New typedef. + * fat-arm.c (fat_init): Enable choice between + _nettle_chacha_core_c and _nettle_chacha_core_neon. + * configure.ac (asm_nettle_optional_list): Add + chacha-core-internal-2.asm. + * chacha-core-internal.c: Enable fat build with C and asm version. + * arm/fat/chacha-core-internal-2.asm: New file. + +2019-01-12 Niels Möller + + * examples/eratosthenes.c: Deleted program. + * examples/Makefile.in: Delete rule to build and distribute it. + +2019-01-10 Niels Möller + + * testsuite/rsa-compute-root-test.c (test_one): Use %u and + corresponding cast, when printing bit sizes. + +2019-01-09 Niels Möller + + * examples/nettle-benchmark.c (GET_CYCLE_COUNTER): Add volatile to + inline asm. + +2019-01-08 Niels Möller + + * sha512-compress.c: Add missing include of sha2-internal.h. + +2019-01-06 Niels Möller + + * testsuite/rsa-compute-root-test.c (generate_keypair): Fix assert + call with side-effects. + +2019-01-06 Niels Möller + + * nettle-types.h: Don't use nettle-stdint.h, include + directly. + * nettle-write.h: Likewise. + * configure.ac: Delete use of AX_CREATE_STDINT_H. + * aclocal.m4 (AX_CREATE_STDINT_H): Delete. + * Makefile.in (INSTALL_HEADERS, distclean-here): Delete mention of + nettle-stdint.h. + +2018-12-26 Niels Möller + + * examples/hogweed-benchmark.c (make_openssl_rsa_ctx): New helper + function. Call openssl's RSA_generate_key_ex rather then the + deprecated RSA_generate_key. + (bench_openssl_rsa_init, bench_openssl_rsa_tr_init): Use it. + + * eccdata.c (ecc_pippenger_precompute): Check that table size is + at least 2. Intended to silence warning from the clang static + analyzer. + + * configure.ac: Bump package version to 3.5. + (LIBNETTLE_MAJOR): Bump major number, now 7. + (LIBHOGWEED_MAJOR): Bump major number, now 5. + (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Reset to zero. + + * pkcs1-internal.h: New header file, moved declarations of + _pkcs1_sec_decrypt and _pkcs1_sec_decrypt_variable here. + * rsa-internal.h: ... old location. + * Makefile.in (DISTFILES): Added pkcs1-internal.h. + * pkcs1-decrypt.c: Include new file. + * pkcs1-sec-decrypt.c: Likewise. + * rsa-decrypt-tr.c: Likewise. + * rsa-sec-decrypt.c: Likewise. + * testsuite/pkcs1-sec-decrypt-test.c: Likewise. + + * tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for + strdup with gcc -std=c89. + * testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for + getline with gcc -std=c89. + + * rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop. + Reported by Andreas Gustafsson. + * testsuite/rsa-sec-decrypt-test.c (test_main): Likewise. + +2018-12-04 Niels Möller + + * Released nettle-3.4.1. + +2018-11-28 Niels Möller + + * configure.ac: Update GMP check. Check for the function + mpn_sec_div_r, available since GMP-6.0.0. + + * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of + decrypted storage. Update test of rsa_decrypt, to allow clobbering + of all of the passed in message area. + + * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around + _pkcs1_sec_decrypt_variable. Improves side-channel silence of the + only caller, rsa_decrypt. + + * Makefile.in (DISTFILES): Add rsa-internal.h, needed for make + dist. Patch from Simo Sorce. + + * rsa-internal.h: Add include of rsa.h. + +2018-11-27 Niels Möller + + * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New + local helper functions, with their own itch functions. + (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to + use helpers, for clarity. + +2018-11-26 Niels Möller + + * testsuite/rsa-compute-root-test.c (generate_keypair): Simplify + selection of psize and qsize, and fix so that qsize is used. + (test_main): Add outer loop, to test with more than one key. + Deallocate storage before exiting. + +2018-11-25 Niels Möller + + * testsuite/rsa-compute-root-test.c: Renamed, from ... + * testsuite/rsa-sec-compute-root-test.c: ... old name. + + * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ... + * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location. + * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from... + (rsa_sec_compute_root_tr): ... old name. Updated callers. + (cnd_mpn_zero): Use a volatile-declared mask variable. + + * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix + masking of most significant bits. + + * rsa-decrypt-tr.c (rsa_decrypt_tr): Use + NETTLE_OCTET_SIZE_TO_LIMB_SIZE. + + * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak + valgrind marking, and document potential leakage of lowest and + highest bits of p and q. + + * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to + mpz_sizeinbase, since that potentially leaks most significant bits + of private key parameters a and b. + + * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix + valgrind marking of return value. + + Merged below changes from Simo Sorce, to make RSA private key + operations side-channel silent. + +2018-11-08 Simo Sorce + + * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use + _rsa_sec_compute_root. + + * testsuite/rsa-sec-compute-root-test.c: Add more tests for new + side-channel silent functions. + + * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn, + since that is required for one of the GMP calls in + _rsa_sec_compute_root. + + * rsa-decrypt-tr.c: Switch to use side-channel silent functions. + + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private + function. Variable size version for backwards compatibility. + + * testsuite/rsa-sec-decrypt-test.c: Adds more tests. + + * rsa-sec-decrypt.c (rsa_sec_decrypt): New function. + Fixed length side-channel silent version of rsa-decrypt. + * testsuite/rsa-encrypt-test.c: add tests for the new fucntion. + + * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for + _pkcs1_sec_decrypt. + + * gmp-glue.c (mpn_get_base256): New function. + + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function. + Fixed length side-channel silent version of pkcs1-decrypt. + + * cnd-memcpy.c (cnd_memcpy): New function. + * memops.h: Declare it. + * testsuite/cnd-memcpy-test.c: New test case. + + * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses + _rsa_sec_compute_root, as well as side-channel silent RSA + blinding. + (rsa_compute_root_tr) Rewritten as a wrapper around + rsa_sec_compute_root_tr. + (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root) + (cnd_mpn_zero): New helper functions. + (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not + side-channel silent wrapper around rsa_compute_root_tr, and the + latter function left unchanged. + + * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch) + (_rsa_sec_compute_root): New file, new private functions. + Side-channel silent version of rsa_compute_root. + * rsa-internal.h: New header file with declarations. + + * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro. + +2018-11-24 Niels Möller + + * configure.ac: Bump package version to 3.4.1. + (LIBNETTLE_MINOR): Bump library version to 6.5. + (LIBHOGWEED_MINOR): Bump library version to 4.5. + +2018-11-17 Niels Möller + + * examples/hogweed-benchmark.c (bench_rsa_verify) + (bench_openssl_rsa_tr_init): New functions. + (alg_list): Benchmark timing-resistant RSA functions, i.e., + including RSA blinding. + (main): Increase width of first column, here and in other + printouts. + +2018-10-10 Dmitry Eremin-Solenikov + + * ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when + processing more than on full block of size CTR_BUFFER_LIMIT, src + and dst arguments to memxor3 were not properly updated. + +2018-10-10 Niels Möller + + * aes-set-encrypt-key.c: Add missing include of stdlib.h. + * des-compat.c: Likewise. + +2018-09-13 Niels Möller + + * rsa-keygen.c (rsa_generate_keypair): Delete unlikely and + redundant check for p == q. + +2018-08-09 Niels Möller + + * rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with + _NETTLE_ATTRIBUTE_DEPRECATED. + + * nettle-types.h (_NETTLE_ATTRIBUTE_PURE) + (_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and + lookalikes. + * ecc-curve.h: Include nettle-types.h, and use + _NETTLE_ATTRIBUTE_PURE instead of local definition. + * nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit + #ifdefs. + + * aes.h: Mark functions using struct aes_ctx interface as + deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where + the functions are implemented or tested. + * gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated. + + * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) + (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast + between incompatible function types (which gcc-8 warns about). + Wrappers are expected to compile to a single jmp instruction. + + * des-compat.c (des_compat_des3_encrypt) + (des_compat_des3_decrypt): Change length argument type to size_t. + +2018-08-08 Niels Möller + + * nettle.texinfo (Compatibility): New section on ABI and API + compatibility. + +2018-07-25 Dmitry Eremin-Solenikov + + * examples/nettle-benchmark.c: Add benchmarking for HMAC functions. + +2018-07-13 Niels Möller + + * examples/eratosthenes.c (vector_alloc): Add assert related to + overflow in the size calculation. Fixes a corner case identified + by static analysis. + (vector_init): Analogous assert. + +2018-07-12 Niels Möller + + * examples/eratosthenes.c (main): Don't allocate bitmap storage + for limit == 2 (early exit), closing memory leak at exit. + (main): Fix handling of short -q option. + + * eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui, + to fix memory leak. + (ecc_curve_clear): New function. + (main): Call it, to deallocate storage before exit. + +2018-07-08 Niels Möller + + * fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress. + * x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name. + * x86_64/fat/sha1-compress-2.asm: Likewise. + +2018-07-07 Niels Möller + + From Nikos Mavrogiannopoulos. + * sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to + public function, since there's known appliation usage (filezilla). + * sha1.h (_nettle_sha1_compress): Old name, now a preprocessor + alias for the new name. + * md5-compress.c (nettle_md5_compress): Similarly renamed (used by + sogo). + * md5.h (_nettle_md5_compress): Old name,, now a preprocessor + alias for the new name. + + * chacha-internal.h, dsa-internal.h, eddsa-internal.h: + * hogweed-internal.h, ripemd160-internal.h, rsa-internal.h: + * salsa20-internal.h, sha2-internal.h, sha3-internal.h: + * umac-internal.h: Internal declarations moved to new header + files, which are not installed.. + * Makefile.in (DISTFILES): Added above files. + + * libnettle.map.in: Use a different symbol version for _nettle_* + symbols, depending on the minor release. This marks these symbols + explicitly not part of the public Nettle ABI. + * libhogweed.map.in: Analogous change. + +2018-06-17 Niels Möller + + * aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed + by Dmitry Eremin-Solenikov. + + * testsuite/symbols-test: Exclude ____chkstk_darwin symbols, + produced by Apple's Xcode 10 compiler. Patch contributed by + Dominyk Tiller. + +2018-03-25 Niels Möller + + From Michael Weiser. + * configure.ac (ASM_WORDS_BIGENDIAN): New substution, set from AC_C_BIGENDIAN. + * config.m4.in: Use it to set WORDS_BIGENDIAN. + * asm.m4 (IF_BE, IF_LE): New macros. + * arm/memxor.asm: Support big-endian ARM. + * arm/memxor3.asm: Likewise. + * arm/neon/chacha-core-internal.asm: Likewise. + * arm/neon/salsa20-core-internal.asm: Likewise. + * arm/neon/umac-nh.asm: Likewise. + * arm/v6/sha1-compress.asm: Likewise. + * arm/v6/sha256-compress.asm: Likewise. + * arm/README: Document big-endian considerations. + +2018-03-17 Niels Möller + + Discourage direct access to data symbols with non-public size. + Direct references to these symbols may result in copy-relocations + like R_X86_64_COPY, which make the symbol size leak into the ABI. + * ecc-curve.h (_nettle_secp_192r1, _nettle_secp_224r1) + (_nettle_secp_256r1, _nettle_secp_384r1, _nettle_secp_521r1): Add + leading underscore on these data symbols. + + * nettle-meta.h (_nettle_ciphers, _nettle_hashes, _nettle_aeads) + (_nettle_armors): Add leading underscore on these data symbols. + Update all internal use. Macros without leading underscore remain, + and expand to access via accessor functions nettle_get_ciphers and + similar. + +2018-03-10 Niels Möller + + * eccdata.c (ecc_table_size): New helper function. + (ecc_pippenger_precompute): Display warning for poor parameters. + + * eccparams.c (main): New program, to list parameter alternatives + for Pippenger's algorithm. + + * Makefile.in: Tweak parameters for ecc tables. + (ecc-192.h): Change parameters from k = 7, c = 6 to k = 8, c = 6. + Reduces table size from 15 KB to 12 KB. Modest speedup, appr. 3% + for ecdsa signatures. + (ecc-224.h): Change parameters from k = 12, c = 6 to k = 16, c = + 7. Table size unchanged (14 KB in 32-bit platforms, 18 KB on + 64-bit platforms. Minor speedup, appr. 1% for ecdsa signatures. + (ecc-256.h): Change parameters from k = 14, c = 6 to k = 11, c = + 6. Table size unchanged, 16 KB. 14% speedup for ecdsa signatures. + (ecc-384.h): Changed parameters from k = 41, c = 6 to k = 32, c = + 6. Table size unchanged. 12% speedup for ecdsa signatures. + (ecc-521.h): Changed parameters from k = 56, c = 6 to k 44, c = 6. + Table size unchanged (17 KB on 32-bit platforms, 18 KB on 64-bit + platforms). 15% speedup for ecdsa signatures. + (ecc-255.h): Change parameters from k = 14, c = 6 to k = 11, c = + 6. Table size unchanged, 16 KB. 24% speedup for eddsa signatures. + +2018-03-14 Niels Möller + + Merge sha256 code using the x86_64 sha_ni instructions, starting + 2018-02-21. + +2018-03-11 Niels Möller + + * x86_64/fat/sha256-compress.asm: New file. + * x86_64/fat/sha256-compress-2.asm: New file. + * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or + sha_ni version for sha256_compress. + +2018-02-21 Niels Möller + + * x86_64/sha_ni/sha256-compress.asm: New implementation using sha_ni + instructions. + +2018-02-20 Niels Möller + + * testsuite/cmac-test.c (test_cmac_hash): Deallocate ctx properly. + +2018-02-19 Niels Möller + + Mostly aesthetic changes. Besides indentation: + * cmac.h (struct cmac128): Rename, to cmac128_ctx. + (CMAC128_CTX): Rename first member from data to ctx. + + * cmac.c: Use const void * as the type for cipher arguments. + (block_mulx): Un-inline. + (cmac128_set_key): Make a constant function local. + + * testsuite/cmac-test.c: Delete local typedefs. + +2018-02-19 Nikos Mavrogiannopoulos + + Add support for CMAC. + * cmac.h: New file. + (struct cmac128): New struct. + * cmac.c (block_mulx, cmac128_set_key, cmac128_update) + (cmac128_digest): New file, new functions. + * cmac-aes128.c (cmac_aes128_set_key, cmac_aes128_update) + (cmac_aes128_digest): New file, new functions. + * cmac-aes256.c (cmac_aes256_set_key, cmac_aes256_update) + (cmac_aes256_digest): New file, new functions. + * Makefile.in (nettle_SOURCES): Added cmac.c cmac-aes128.c cmac-aes256.c. + (HEADERS): Added cmac.h. + + * testsuite/cmac-test.c: New tests. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add cmac-test.c. + + * examples/nettle-benchmark.c (time_cmac): New function. + (main): Use it. + + * nettle.texinfo: Document CMAC. + +2018-02-20 Niels Möller + + * testsuite/cbc-test.c (test_cbc_bulk): Use struct + aes256_ctx, instead of the deprecated struct aes_ctx. + * testsuite/cfb-test.c (test_cfb_bulk): Likewise. + * examples/rsa-session.h (struct rsa_session): Likewise. + * examples/rsa-encrypt.c (rsa_session_set_encrypt_key) + (process_file): Use aes256_* functions. + * examples/rsa-decrypt.c (rsa_session_set_decrypt_key) + (process_file): Likewise. + +2018-02-19 Niels Möller + + * nettle-internal.h: Include sha3.h, needed for the definition of + NETTLE_MAX_HASH_CONTEXT_SIZE. + (TMP_DECL_ALIGN, TMP_ALLOC_ALIGN): New macros, to support + allocation of context structs with alignment requirements. + [!HAVE_ALLOCA]: Also use assert, rather than calling abort + directly. + + * pss.c (pss_encode_mgf1, pss_verify_mgf1): Use new macros. + * pss-mgf1.c (pss_mgf1): Likewise. + +2018-02-18 Niels Möller + + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved pss-mgf1-test.c... + (TS_HOGWEED_SOURCES): ...to here. Fixes link failure in builds + without public-key support. + +2018-02-18 Dmitry Eremin-Solenikov + + * examples/nettle-openssl.c): Move expressions with side effects + out of asserts. + +2018-02-17 Dmitry Eremin-Solenikov + + (openssl_evp_set_encrypt_key, openssl_evp_set_decrypt_key): Use + EVP_CipherInit_ex. + * examples/nettle-openssl.c (nettle_openssl_gcm_aes128) + (nettle_openssl_gcm_aes192, nettle_openssl_gcm_aes256): New aead + algorithms, for benchmarking purposes, and supporting wrapper functions. + * nettle-internal.h: Corresponding declarations. + * examples/nettle-benchmark.c (main): Include openssl's gcm aes in + benchmark. + +2018-02-16 Niels Möller + + * nettle.texinfo: Improved index entries. + (Cipher functions): Update CAST128/CAST5 docs. Inconsistencies + spotted by Henrik Rindlöw. + +2018-02-10 Niels Möller + + * configure.ac: New configure option --enable-x86-sha-ni. + +2018-02-07 Niels Möller + + * x86_64/fat/sha1-compress.asm: New file. + * x86_64/fat/sha1-compress-2.asm: New file. + * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or + sha_ni version for sha1_compress. + +2018-02-05 Niels Möller + + * x86_64/sha_ni/sha1-compress.asm: New implementation using sha_ni + instructions. + + * fat-x86_64.c (get_x86_features): Check for sha_ni extension. + + * x86_64/fat/cpuid.asm: Clear %ecx input to cpuid instruction. + +2018-02-01 Nikos Mavrogiannopoulos + + * gcm.c (gcm_fill): New function, for use with _ctr_crypt16. + (gcm_encrypt, gcm_decrypt): Use _ctr_crypt16. 50% speedup of + gcm_aes128, benchmarked on x86_64 with aesni instructions. + +2018-02-01 Niels Möller + + Based on a patch contributed by Nikos Mavrogiannopoulos. + * ctr16.c (_ctr_crypt16): New file, renamed and generalized + function. New function pointer argument, used to fill a block with + counter values. Use nettle_block16 * as the type for the buffer to + be filled. Always process any final and partial block, and return + no value. + * ctr.c (ctr_crypt): ... previous, replaced, function. + (ctr_fill16): Updated to new argument type. + (ctr_crypt): Return immediately after using _ctr_crypt16. + + * ctr-internal.h: New file, declaring _ctr_crypt16. + (nettle_fill16_func): New function typedef. + + * Makefile.in (nettle_SOURCES): Added ctr16.c. + (DISTFILES): Added ctr-internal.h. + +2018-01-30 Niels Möller + + * Makefile.in (clean-here): Don't delete desdata.stamp. + +2018-01-24 Jay Foad + + * Makefile.in (TARGETS): Delete dependencies on aesdata, desdata, + twofishdata, shadata and gcmdata. They are not needed for a normal + build. + (clean-here): Explicitly delete of above files. + (desdata.stamp): New stamp target, to avoid building desdata twice + in a parallell build. + +2018-01-23 Niels Möller + + * configure.ac (asm_path): Recognize "x86", in addition to "i?86", + for 32-bit x86 processors. Reportedly needed for x86 android builds. + +2018-01-20 Niels Möller + + CFB8 support, contributed by Dmitry Eremin-Solenikov. + * cfb.c (cfb8_encrypt, cfb8_decrypt): New functions. + * cfb.h: Declare them. + (CFB8_ENCRYPT, CFB8_DECRYPT): New macros. + * testsuite/cfb-test.c: New tests for CFB8. + * nettle.texinfo (CFB and CFB8): Documentation. + +2018-01-16 Niels Möller + + * tools/pkcs1-conv.c (convert_file): Add missing break statements. + +2018-01-09 Niels Möller + + * testsuite/testutils.c (test_cipher_ctr): Test operations with + shorter sizes. + + * testsuite/ctr-test.c: Additional unofficial test vectors, to + exercise carry propagation in the counter, and block size + different from 16. + +2018-01-08 Niels Möller + + * ctr.c (ctr_crypt16): New function, with optimizations specific + to 16-byte block size. + (ctr_fill16): New helper function, definition depending on + WORDS_BIGENDIAN, and little endian version requiring + HAVE_BUILTIN_BSWAP64. + (ctr_crypt): Use ctr_crypt16, when appropriate. + + * nettle-types.h (union nettle_block16): Add uint64_t field. + + * configure.ac: Check for __builtin_bswap64, define + HAVE_BUILTIN_BSWAP64 if available. + + * ctr.c (ctr_fill): New function. Use in ctr_crypt. + + * ctr.c (ctr_crypt): For in-place operation, increase max buffer + size from 4 blocks to 512 bytes, similarly to CBC and CFB. + Improves in-place aes128 CTR performance by 25% on x86_64. + + * examples/nettle-benchmark.c (time_cipher): Benchmark in-place + operation separately, for cbc_decrypt and ctr_crypt. + + * cbc.c (cbc_decrypt): For in-place operation (src == dst case), + eliminate use of src variable. + * cfb.c (cfb_decrypt): Likewise. + * gcm.c (gcm_crypt): Likewise, and replace one memxor3 by memxor. + +2018-01-03 Niels Möller + + * x86_64/aesni/aes-encrypt-internal.asm: Read subkeys into xmm + registers before the block loop, and completely unroll the round + loop. + * x86_64/aesni/aes-decrypt-internal.asm: Likewise. + +2017-11-19 Niels Möller + + * Released nettle-3.4. + +2017-11-12 Niels Möller + + * configure.ac: Update check of GMP_NUMB_BITS declaration in + assembly files. Was broken by rename of configure variable + GMP_NUMB_BITS --> NUMB_BITS. + +2017-11-11 Niels Möller + + * nettle.texinfo: Document nettle_get_hashes, nettle_get_ciphers + and nettle_get_aeads, and replace nettle_secp_256r1 by + nettle_get_secp_256r1. Update version numbers. Delete ancient + setting of ispell-skip-region-alist as an emacs file-local + variable. + +2017-11-08 Niels Möller + + * ecc-curve.h (nettle_secp_192r1, nettle_secp_224r1) + (nettle_secp_256r1, nettle_secp_384r1, nettle_secp_521r1): Delete + macro wrappers, partially reverting below 2017-04-09 change. They + didn't work at all for applications that only see a forward + declaration of struct ecc_curve. Instead, we will have to make an + ABI and API break and delete these symbols, when the size of + struct ecc_curve is increased. + +2017-11-05 Niels Möller + + * configure.ac Bump package version to 3.4. + (LIBNETTLE_MINOR): Bump library version to 6.4. + (LIBHOGWEED_MINOR): Bump library version to 4.4. + +2017-10-23 Niels Möller + + * examples/Makefile.in (check): Also set DYLD_LIBRARY_PATH in the + environment, to support Mac OSX shared libraries. + * testsuite/Makefile.in (LD_LIBRARY_PATH): Likewise. + +2017-10-23 Niels Möller + + Merge API fixes, starting at 2017-01-12. + +2017-04-09 Niels Möller + + * ecc-curve.h (nettle_get_secp_192r1, nettle_get_secp_224r1) + (nettle_get_secp_256r1, nettle_get_secp_384r1) + (nettle_get_secp_521r1): New functions, returning a pointer to + corresponding structure. + (nettle_secp_192r1, nettle_secp_224r1, nettle_secp_256r1) + (nettle_secp_384r1, nettle_secp_521r1): Redefined as macros, + calling the corresponding function. + + * nettle-meta.h (nettle_ciphers, nettle_aeads, nettle_armors): New + macros, analogous to below change to nettle_hashes. + + * nettle-meta-ciphers.c (nettle_get_ciphers): New function. + + * nettle-meta-aeads.c (nettle_get_aeads): New function. + + * nettle-meta-armors.c (nettle_get_armors): New function. + +2017-01-12 Niels Möller + + * tools/nettle-hash.c (find_algorithm): Deleted function. + (main): Replaced by call to nettle_lookup_hash. + + * testsuite/meta-hash-test.c (test_main): Use nettle_lookup_hash. + + * nettle-meta.h (nettle_hashes): New macro, expanding to a call to + nettle_get_hashes. Direct access to the array causes the array + size to leak into the ABI, since a plain un-relocatable executable + linking with libnettle.so gets copy relocations for any referenced + data items in the shared library. + + * nettle-meta-hashes.c (nettle_get_hashes): New function. + +2017-10-16 Niels Möller + + CFB support, contributed by Dmitry Eremin-Solenikov. + * cfb.c (cfb_encrypt, cfb_decrypt): New file, new functions. + * cfb.h: New header file. + (CFB_CTX, CFB_SET_IV, CFB_ENCRYPT, CFB_DECRYPT): New macros. + * Makefile.in (nettle_SOURCES): Add cfb.c. + (HEADERS): Add cfb.h. + * testsuite/cfb-test.c: New test case. + * testsuite/testutils.c (test_cipher_cfb): New function. + * nettle.texinfo (CFB): Documentation. + +2017-10-16 Niels Möller + + * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): Add -g when compiling with + gcc. + +2017-09-27 Niels Möller + + Merged armor-signedness branch, starting 2017-08-27. + +2017-09-24 Niels Möller + + * tools/pkcs1-conv.c (base64_decode_in_place): New helper + function. + (decode_base64): Use it. + + * sexp-transport-format.c (base64_encode_in_place): New helper + function. + (sexp_transport_vformat): Use it. + + * testsuite/base64-test.c (test_fuzz_once): Update to use char + type where appropriate. + (test_main): Use helper functions base64_encode_in_place and + base64_decode_in_place (copied to this file). + + * testsuite/testutils.c (tstring_data): Use uint8_t for data + argument. + * testsuite/testutils.h (SDATA): Use US macro to cast data + argument. + +2017-08-27 Niels Möller + + * base64-encode.c (base64_encode_raw, base64_encode_group) + (base64_encode_single, base64_encode_update) + (base64_encode_final): Change type of destination to char *. + * base16-encode.c (base16_encode_single, base16_encode_update): + Likewise. + * base64-decode.c (base64_decode_single, base64_decode_update): + Change type of source argument to const char *. Update (almost) + all callers. + * base16-decode.c (base16_decode_single, base16_decode_update): + Likewise. + * nettle-types.h (nettle_armor_encode_update_func) + (nettle_armor_encode_final_func, nettle_armor_decode_update_func): + Corresponding updates to typedefs. + 2017-09-14 Niels Möller * hkdf.c: Delete unneeded includes. Use Nettle licensing notice. diff --cc eccdata.c index fa7a11c5,b1354741..58ae156b --- a/eccdata.c +++ b/eccdata.c @@@ -612,63 -647,19 +647,61 @@@ ecc_curve_init (struct ecc_curve *ecc, } static void -ecc_pippenger_precompute (struct ecc_curve *ecc, unsigned k, unsigned c) +ecc_curve_clear (struct ecc_curve *ecc) +{ + mpz_clear (ecc->p); + mpz_clear (ecc->b); + mpz_clear (ecc->q); + ecc_clear (&ecc->g); - mpz_clear (ecc->d); - mpz_clear (ecc->t); + if (ecc->table) + { + size_t i; + for (i = 0; i < ecc->table_size; i++) + ecc_clear (&ecc->table[i]); + free (ecc->table); + } + if (ecc->ref) + { + size_t i; + for (i = 0; i < 3; i++) + ecc_clear (&ecc->ref[i]); + free (ecc->ref); + } +} + +static unsigned +ecc_table_size(unsigned bits, unsigned k, unsigned c) { - unsigned p = (ecc->bit_size + k-1) / k; + unsigned p = (bits + k-1) / k; unsigned M = (p + c-1)/c; + return M; +} + +static void +ecc_pippenger_precompute (struct ecc_curve *ecc, unsigned k, unsigned c) +{ + unsigned M = ecc_table_size (ecc->bit_size, k, c); unsigned i, j; + if (M < 2) + { + fprintf (stderr, "Invalid parameters, implies M = %u\n", M); + exit (EXIT_FAILURE); + } + + if (M == ecc_table_size (ecc->bit_size, k-1, c)) + fprintf(stderr, + "warn: Parameters k = %u, c = %d are suboptimal, could use smaller k\n", + k, c); + ecc->pippenger_k = k; ecc->pippenger_c = c; ecc->table_size = M << c; + assert (ecc->table_size >= 2); ecc->table = ecc_alloc (ecc->table_size); - + /* Compute the first 2^c entries */ - ecc_set_zero (&ecc->table[0]); + ecc_set_zero (ecc, &ecc->table[0]); ecc_set (&ecc->table[1], &ecc->g); for (j = 2; j < (1U<