From: Niels Möller Date: Wed, 26 Dec 2018 10:30:21 +0000 (+0100) Subject: Merge branch 'release-3.4-fixes' into master X-Git-Tag: nettle_3.5rc1~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc30c4d8276db2802d844be0c6c2cc67ff2d43cf;p=thirdparty%2Fnettle.git Merge branch 'release-3.4-fixes' into master --- fc30c4d8276db2802d844be0c6c2cc67ff2d43cf diff --cc ChangeLog index 4d14dd84,e0beb7f2..fd487df1 --- a/ChangeLog +++ b/ChangeLog @@@ -1,116 -1,145 +1,253 @@@ + 2018-12-26 Niels Möller + + * tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for + strdup with gcc -std=c89. + * testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for + getline with gcc -std=c89. + + * rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop. + Reported by Andreas Gustafsson. + * testsuite/rsa-sec-decrypt-test.c (test_main): Likewise. + + 2018-12-04 Niels Möller + + * Released nettle-3.4.1. + + 2018-11-28 Niels Möller + + * configure.ac: Update GMP check. Check for the function + mpn_sec_div_r, available since GMP-6.0.0. + + * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of + decrypted storage. Update test of rsa_decrypt, to allow clobbering + of all of the passed in message area. + + * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around + _pkcs1_sec_decrypt_variable. Improves side-channel silence of the + only caller, rsa_decrypt. + + * Makefile.in (DISTFILES): Add rsa-internal.h, needed for make + dist. Patch from Simo Sorce. + + * rsa-internal.h: Add include of rsa.h. + + 2018-11-27 Niels Möller + + * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New + local helper functions, with their own itch functions. + (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to + use helpers, for clarity. + + 2018-11-26 Niels Möller + + * testsuite/rsa-compute-root-test.c (generate_keypair): Simplify + selection of psize and qsize, and fix so that qsize is used. 
+ (test_main): Add outer loop, to test with more than one key. + Deallocate storage before exiting. + + 2018-11-25 Niels Möller + + * testsuite/rsa-compute-root-test.c: Renamed, from ... + * testsuite/rsa-sec-compute-root-test.c: ... old name. + + * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ... + * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location. + * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from... + (rsa_sec_compute_root_tr): ... old name. Updated callers. + (cnd_mpn_zero): Use a volatile-declared mask variable. + + * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix + masking of most significant bits. + + * rsa-decrypt-tr.c (rsa_decrypt_tr): Use + NETTLE_OCTET_SIZE_TO_LIMB_SIZE. + + * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak + valgrind marking, and document potential leakage of lowest and + highest bits of p and q. + + * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to + mpz_sizeinbase, since that potentially leaks most significant bits + of private key parameters a and b. + + * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix + valgrind marking of return value. + + Merged below changes from Simo Sorce, to make RSA private key + operations side-channel silent. + + 2018-11-08 Simo Sorce + + * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use + _rsa_sec_compute_root. + + * testsuite/rsa-sec-compute-root-test.c: Add more tests for new + side-channel silent functions. + + * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn, + since that is required for one of the GMP calls in + _rsa_sec_compute_root. + + * rsa-decrypt-tr.c: Switch to use side-channel silent functions. + + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private + function. Variable size version for backwards compatibility. + + * testsuite/rsa-sec-decrypt-test.c: Adds more tests. + + * rsa-sec-decrypt.c (rsa_sec_decrypt): New function. 
+ Fixed length side-channel silent version of rsa-decrypt. + * testsuite/rsa-encrypt-test.c: add tests for the new fucntion. + + * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for + _pkcs1_sec_decrypt. + + * gmp-glue.c (mpn_get_base256): New function. + + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function. + Fixed length side-channel silent version of pkcs1-decrypt. + + * cnd-memcpy.c (cnd_memcpy): New function. + * memops.h: Declare it. + * testsuite/cnd-memcpy-test.c: New test case. + + * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses + _rsa_sec_compute_root, as well as side-channel silent RSA + blinding. + (rsa_compute_root_tr) Rewritten as a wrapper around + rsa_sec_compute_root_tr. + (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root) + (cnd_mpn_zero): New helper functions. + (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not + side-channel silent wrapper around rsa_compute_root_tr, and the + latter function left unchanged. + + * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch) + (_rsa_sec_compute_root): New file, new private functions. + Side-channel silent version of rsa_compute_root. + * rsa-internal.h: New header file with declarations. + + * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro. + + 2018-11-24 Niels Möller + + * configure.ac: Bump package version to 3.4.1. + (LIBNETTLE_MINOR): Bump library version to 6.5. + (LIBHOGWEED_MINOR): Bump library version to 4.5. + +2018-11-17 Niels Möller + + * examples/hogweed-benchmark.c (bench_rsa_verify) + (bench_openssl_rsa_tr_init): New functions. + (alg_list): Benchmark timing-resistant RSA functions, i.e., + including RSA blinding. + (main): Increase width of first column, here and in other + printouts. + +2018-10-10 Dmitry Eremin-Solenikov + + * ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when + processing more than on full block of size CTR_BUFFER_LIMIT, src + and dst arguments to memxor3 were not properly updated. 
+ +2018-10-10 Niels Möller + + * aes-set-encrypt-key.c: Add missing include of stdlib.h. + * des-compat.c: Likewise. + +2018-09-13 Niels Möller + + * rsa-keygen.c (rsa_generate_keypair): Delete unlikely and + redundant check for p == q. + +2018-08-09 Niels Möller + + * rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with + _NETTLE_ATTRIBUTE_DEPRECATED. + + * nettle-types.h (_NETTLE_ATTRIBUTE_PURE) + (_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and + lookalikes. + * ecc-curve.h: Include nettle-types.h, and use + _NETTLE_ATTRIBUTE_PURE instead of local definition. + * nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit + #ifdefs. + + * aes.h: Mark functions using struct aes_ctx interface as + deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where + the functions are implemented or tested. + * gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated. + + * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) + (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast + between incompatible function types (which gcc-8 warns about). + Wrappers are expected to compile to a single jmp instruction. + + * des-compat.c (des_compat_des3_encrypt) + (des_compat_des3_decrypt): Change length argument type to size_t. + +2018-08-08 Niels Möller + + * nettle.texinfo (Compatibility): New section on ABI and API + compatibility. + +2018-07-25 Dmitry Eremin-Solenikov + + * examples/nettle-benchmark.c: Add benchmarking for HMAC functions. + +2018-07-13 Niels Möller + + * examples/eratosthenes.c (vector_alloc): Add assert related to + overflow in the size calculation. Fixes a corner case identified + by static analysis. + (vector_init): Analogous assert. + +2018-07-12 Niels Möller + + * examples/eratosthenes.c (main): Don't allocate bitmap storage + for limit == 2 (early exit), closing memory leak at exit. + (main): Fix handling of short -q option. 
+ + * eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui, + to fix memory leak. + (ecc_curve_clear): New function. + (main): Call it, to deallocate storage before exit. + +2018-07-08 Niels Möller + + * fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress. + * x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name. + * x86_64/fat/sha1-compress-2.asm: Likewise. + +2018-07-07 Niels Möller + + From Nikos Mavrogiannopoulos. + * sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to + public function, since there's known appliation usage (filezilla). + * sha1.h (_nettle_sha1_compress): Old name, now a preprocessor + alias for the new name. + * md5-compress.c (nettle_md5_compress): Similarly renamed (used by + sogo). + * md5.h (_nettle_md5_compress): Old name,, now a preprocessor + alias for the new name. + + * chacha-internal.h, dsa-internal.h, eddsa-internal.h: + * hogweed-internal.h, ripemd160-internal.h, rsa-internal.h: + * salsa20-internal.h, sha2-internal.h, sha3-internal.h: + * umac-internal.h: Internal declarations moved to new header + files, which are not installed.. + * Makefile.in (DISTFILES): Added above files. + + * libnettle.map.in: Use a different symbol version for _nettle_* + symbols, depending on the minor release. This marks these symbols + explicitly not part of the public Nettle ABI. + * libhogweed.map.in: Analogous change. + 2018-06-17 Niels Möller - Backported from master branch. * aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed by Dmitry Eremin-Solenikov. + * testsuite/symbols-test: Exclude ____chkstk_darwin symbols, produced by Apple's Xcode 10 compiler. Patch contributed by Dominyk Tiller. diff --cc NEWS index e1091920,cadd0f04..b0a0dda4 --- a/NEWS +++ b/NEWS @@@ -1,60 -1,78 +1,130 @@@ +NEWS for the Nettle 3.5 release + + Changes in behavior: + + * Nettle's gcm_crypt will now call the underlying block cipher + to process more than one block at a time. 
This is not a + change to the documented behavior, but unfortunately breaks + assumptions accidentally made in GnuTLS, up to and including + version 3.6.1. + - Bug fixes: - - * Fix bug in pkcs1-conv, missing break statements in the - parsing of PEM input files. - + New features: + + * Support for CFB8 (Cipher Feedback Mode, processing a single + octet per block cipher operation), contributed by Dmitry + Eremin-Solenikov. + + * Support for CMAC (RFC 4493), contributed by Nikos + Mavrogiannopoulos. + + Optimizations: + + * Improved performance of the x86_64 AES implementation using + the aesni instructions. Gives a large speedup for operations + processing multiple blocks at a time (including CTR mode, + GCM mode, and CBC decrypt, but *not* CBC encrypt). + + * Improved performance for CTR mode, for the common case of + 16-byte block size. Pass more data at a time to underlying + block cipher, and fill the counter blocks more efficiently. + Extension to also handle GCM mode efficiently contributed + by Nikos Mavrogiannopoulos. + + * New x86_64 implementation of sha1 and sha256, for processors + supporting the sha_ni instructions. Speedup of 3-5 times on + affected processors. + + * Improved parameters for the precomputation of tables used + for ecc signatures. Roughly 10%-15% speedup of the ecdsa + sign operation using the secp_256r1, secp_384r1 and + secp_521r1 curves, and 25% speedup of ed25519 sign + operation, benchmarked on x86_64. Table sizes unchanged, + around 16 KB per curve. + + Miscellaneous: + + * Support for big-endian ARM systems, contributed by Michael + Weiser. + + * The programs aesdata, desdata, twofishdata, shadata and + gcmdata are no longer built by default. Makefile + improvements contributed by Jay Foad. + + NEWS for the Nettle 3.4.1 release + + This release fixes a few bugs, and makes the RSA private key + operations side channel silent. 
The RSA improvements are + contributed by Simo Sorce and Red Hat, and include one new + public function, rsa_sec_decrypt, see below. + + All functions using RSA private keys are now side-channel + silent, meaning that they try hard to avoid any branches or + memory accesses depending on secret data. This applies both to + the bignum calculations, which now use GMP's mpn_sec_* family + of functions, and the processing of PKCS#1 padding needed for + RSA decryption. + + Nettle's ECC functions were already side-channel silent, while + the DSA functions still aren't. There's also one caveat + regarding the improved RSA functions: due to small table + lookups in relevant mpn_sec_* functions in GMP-6.1.2, the + lowest and highest few bits of the secret factors p and q may + still leak. I'm not aware of any attacks on RSA where knowing + a few bits of the factors makes a significant difference. This + leak will likely be plugged in later GMP versions. + + Changes in behavior: + + * The functions rsa_decrypt and rsa_decrypt_tr may now clobber + all of the provided message buffer, independent of the + actual message length. They are side-channel silent, in that + branches and memory accesses don't depend on the validity or + length of the message. Side-channel leakage from the + caller's use of length and return value may still provide an + oracle useable for a Bleichenbacher-style chosen ciphertext + attack. Which is why the new function rsa_sec_decrypt is + recommended. + + New features: + + * A new function rsa_sec_decrypt. It differs from + rsa_decrypt_tr in that the length of the decrypted message + is given a priori, and PKCS#1 padding indicating a different + length is treated as an error. For applications that may be + subject to chosen ciphertext attacks, it is recommended to + initialize the message area with random data, call this + function, and ignore the return value. This applies in + particular to RSA-based key exchange in the TLS protocol. 
+ + Bug fixes: + + * Fix bug in pkcs1-conv, missing break statements in the + parsing of PEM input files. + + * Fix link error on the pss-mgf1-test test, affecting builds + without public key support. + + Performance regression: + + * All RSA private key operations employing RSA blinding, i.e., + rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and + rsa_compute_root_tr, are significantly slower. This is + because (i) RSA blinding now use side-channel silent + operations, (ii) blinding includes a modular inversion, and + (iii) side-channel silent modular inversion, implemented as + mpn_sec_invert, is very expensive. A 60% slowdown for + 2048-bit RSA keys have been measured. + + Miscellaneous: + + * Building the public key support of nettle now requires GMP + version 6.0 or later (unless --enable-mini-gmp is used). + + The shared library names are libnettle.so.6.5 and + libhogweed.so.4.5, with sonames still libnettle.so.6 and + libhogweed.so.4. It is intended to be fully binary compatible + with nettle-3.1. + NEWS for the Nettle 3.4 release This release fixes bugs and adds a few new features. 
It also diff --cc rsa-decrypt-tr.c index e800b71e,5dfb91b1..1e6ad934 --- a/rsa-decrypt-tr.c +++ b/rsa-decrypt-tr.c @@@ -36,11 -36,9 +36,8 @@@ # include "config.h" #endif --#include "rsa.h" #include "rsa-internal.h" - - #include "bignum.h" - #include "pkcs1.h" + #include "gmp-glue.h" int rsa_decrypt_tr(const struct rsa_public_key *pub, diff --cc rsa-internal.h index 5c97eaa1,bd667bc2..264c0a6a --- a/rsa-internal.h +++ b/rsa-internal.h @@@ -34,36 -34,42 +34,69 @@@ #ifndef NETTLE_RSA_INTERNAL_H_INCLUDED #define NETTLE_RSA_INTERNAL_H_INCLUDED --#include "nettle-types.h" - + #include "rsa.h" +#define _rsa_verify _nettle_rsa_verify +#define _rsa_verify_recover _nettle_rsa_verify_recover +#define _rsa_check_size _nettle_rsa_check_size +#define _rsa_blind _nettle_rsa_blind +#define _rsa_unblind _nettle_rsa_unblind + #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch + #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root + #define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr + #define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt + #define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable +/* Internal functions. */ +int +_rsa_verify(const struct rsa_public_key *key, + const mpz_t m, + const mpz_t s); + +int +_rsa_verify_recover(const struct rsa_public_key *key, + mpz_t m, + const mpz_t s); + +size_t +_rsa_check_size(mpz_t n); + +/* _rsa_blind and _rsa_unblind are deprecated, unused in the library, + and will likely be removed with the next ABI break. 
*/ +void +_rsa_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func *random, + mpz_t c, mpz_t ri) _NETTLE_ATTRIBUTE_DEPRECATED; +void +_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) + _NETTLE_ATTRIBUTE_DEPRECATED; + + /* side-channel silent root computation */ + mp_size_t + _rsa_sec_compute_root_itch(const struct rsa_private_key *key); + void + _rsa_sec_compute_root(const struct rsa_private_key *key, + mp_limb_t *rp, const mp_limb_t *mp, + mp_limb_t *scratch); + + /* Safe side-channel silent variant, using RSA blinding, and checking the + * result after CRT. */ + int + _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + mp_limb_t *x, const mp_limb_t *m, size_t mn); + + /* additional resistance to memory access side-channel attacks. + * Note: message buffer is returned unchanged on error */ + int + _pkcs1_sec_decrypt (size_t length, uint8_t *message, + size_t padded_message_length, + const volatile uint8_t *padded_message); + + int + _pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message, + size_t padded_message_length, + const volatile uint8_t *padded_message); + #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
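Review bot: several typos in the added ChangeLog entries should be fixed before this lands, since ChangeLog is shipped in the tarball: in the 2018-11-08 Simo Sorce entry "add tests for the new fucntion" (function); in the 2018-10-10 Dmitry Eremin-Solenikov entry "more than on full block of size CTR_BUFFER_LIMIT" (one full block); and in the 2018-07-07 entry "known appliation usage (filezilla)", "Old name,, now a preprocessor alias" (double comma) and "files, which are not installed.." (double period). Otherwise the entries read consistently: the 2018-11-25 entry renaming rsa_sec_compute_root_tr to _rsa_sec_compute_root_tr and moving its declaration to rsa-internal.h matches the rsa-internal.h hunk, and the note about the rsa-sec-decrypt-test.c valgrind marking documenting possible leakage of the lowest and highest bits of p and q matches the caveat stated in NEWS.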
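Review bot: two grammar slips in the added 3.4.1 NEWS text, both in the "Performance regression" item: "RSA blinding now use side-channel silent operations" should read "now uses", and "A 60% slowdown for 2048-bit RSA keys have been measured" should read "has been measured". The move of the pkcs1-conv "Bug fixes" item out of the 3.5 section (the "-" lines) and into the 3.4.1 section is correct, since the fix shipped in 3.4.1, and the 3.5 section still flows from "Changes in behavior" straight into "New features" without a dangling heading. The "Miscellaneous" requirement of GMP 6.0 or later is consistent with the 2018-11-28 ChangeLog entry that makes configure.ac check for mpn_sec_div_r.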
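Review bot: this hunk in rsa-decrypt-tr.c removes `--#include "rsa.h"` together with the one-parent includes of "bignum.h" and "pkcs1.h", leaving only "rsa-internal.h" and the new "gmp-glue.h"; that depends on rsa-internal.h now including rsa.h, which the 2018-11-28 ChangeLog entry ("rsa-internal.h: Add include of rsa.h") and the rsa-internal.h hunk confirm. Since the body of rsa_decrypt_tr is outside the shown context, please double-check that it no longer references pkcs1_decrypt or anything else from pkcs1.h or bignum.h; the ChangeLog says the function was switched to the side-channel silent path and to NETTLE_OCTET_SIZE_TO_LIMB_SIZE from gmp-glue.h, so the dropped includes should be genuinely unused after the merge.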
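Review bot: in the rsa-internal.h hunk, the deprecated declarations of _rsa_blind and _rsa_unblind use _NETTLE_ATTRIBUTE_DEPRECATED, but the same hunk drops `--#include "nettle-types.h"`, the header the 2018-08-09 ChangeLog entry says defines that macro, in favour of `#include "rsa.h"`; this presumably compiles only because rsa.h includes nettle-types.h transitively, so either keep the explicit include or note that rsa.h provides it. Second, the comment `/* additional resistance to memory access side-channel attacks. * Note: message buffer is returned unchanged on error */` is attached to _pkcs1_sec_decrypt only, while _pkcs1_sec_decrypt_variable has no comment; since NEWS states that rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer independent of the actual message length, the variable variant should say explicitly that it gives no unchanged-on-error guarantee and that *length is an output. Minor: _rsa_sec_compute_root_tr takes its limb count as `size_t mn` while _rsa_sec_compute_root_itch returns mp_size_t; using one limb-count type throughout avoids sign conversions at the call sites.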