Stefan Metzmacher [Tue, 17 Sep 2019 16:27:09 +0000 (18:27 +0200)]
cfb8: Fix decrypt path
It failed to decrypt buffers smaller than blocksize.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 17 Sep 2019 18:55:08 +0000 (20:55 +0200)]
testsuite: test multiple chunksizes for cfb8 cipher
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
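The two commits above concern the CFB8 decrypt path on buffers shorter than one block and a test that drives the mode with several chunk sizes. The following is an added example, not Nettle's code: a generic CFB8 (SP 800-38A with s = 8) encrypt/decrypt over any 16-byte block function, together with a check that decrypting in every chunk size from 1 to 20 bytes, including a lone 5-byte buffer, reproduces the plaintext. The block function `toy_block`, the key, IV and message are constructed stand-ins for this example only; `toy_block` has no security value and exists so the mode logic can run without a real cipher.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 16

typedef void (*block_fn)(const void *ctx, uint8_t *dst, const uint8_t *src);

/* Stand-in "block cipher" (constructed for this example, NOT a cipher):
   a keyed byte mixer, deterministic so round trips can be checked. */
struct toy_ctx { uint8_t key[BLOCK_SIZE]; };

static void toy_block(const void *ctx, uint8_t *dst, const uint8_t *src)
{
    const struct toy_ctx *k = ctx;
    uint8_t s[BLOCK_SIZE];
    memcpy(s, src, BLOCK_SIZE);
    for (int r = 0; r < 8; r++)
        for (int i = 0; i < BLOCK_SIZE; i++) {
            uint8_t t = s[i] ^ k->key[(i + r) % BLOCK_SIZE];
            t = (uint8_t)((t << 3) | (t >> 5));
            s[i] = (uint8_t)(t + s[(i + 1) % BLOCK_SIZE] + r);
        }
    memcpy(dst, s, BLOCK_SIZE);
}

/* CFB8: each byte is XORed with the first byte of E(iv); the shift
   register iv then drops its oldest byte and appends the ciphertext
   byte. The register is the only state, so a message may be split
   across calls at any byte boundary, including pieces shorter than
   one block. */
void cfb8_encrypt(const void *ctx, block_fn f, uint8_t iv[BLOCK_SIZE],
                  size_t length, uint8_t *dst, const uint8_t *src)
{
    uint8_t ks[BLOCK_SIZE];
    for (size_t i = 0; i < length; i++) {
        f(ctx, ks, iv);
        uint8_t c = (uint8_t)(src[i] ^ ks[0]);
        memmove(iv, iv + 1, BLOCK_SIZE - 1);
        iv[BLOCK_SIZE - 1] = c;
        dst[i] = c;
    }
}

/* Decryption feeds the ciphertext byte back into the register, so it is
   read before dst[i] is written (dst may alias src for in-place use). */
void cfb8_decrypt(const void *ctx, block_fn f, uint8_t iv[BLOCK_SIZE],
                  size_t length, uint8_t *dst, const uint8_t *src)
{
    uint8_t ks[BLOCK_SIZE];
    for (size_t i = 0; i < length; i++) {
        f(ctx, ks, iv);
        uint8_t c = src[i];
        memmove(iv, iv + 1, BLOCK_SIZE - 1);
        iv[BLOCK_SIZE - 1] = c;
        dst[i] = (uint8_t)(c ^ ks[0]);
    }
}

/* Constructed input: a message that is not a whole number of blocks,
   a fixed key and IV. Encrypt in one call, then decrypt with every
   chunk size from 1 to 20 bytes and, separately, a 5-byte buffer
   (shorter than a block) in place. Returns 1 if all of them match. */
int cfb8_chunked_roundtrip_ok(void)
{
    struct toy_ctx ctx;
    uint8_t iv0[BLOCK_SIZE], iv[BLOCK_SIZE], ct[64], pt[64];
    const char *msg = "CFB8 keeps state in the shift register";
    size_t n = strlen(msg);

    for (int i = 0; i < BLOCK_SIZE; i++) {
        ctx.key[i] = (uint8_t)(0x10 + i);
        iv0[i] = (uint8_t)(0xa0 ^ i);
    }
    memcpy(iv, iv0, BLOCK_SIZE);
    cfb8_encrypt(&ctx, toy_block, iv, n, ct, (const uint8_t *)msg);

    for (size_t chunk = 1; chunk <= 20; chunk++) {
        memcpy(iv, iv0, BLOCK_SIZE);
        for (size_t off = 0; off < n; off += chunk) {
            size_t len = (n - off < chunk) ? n - off : chunk;
            cfb8_decrypt(&ctx, toy_block, iv, len, pt + off, ct + off);
        }
        if (memcmp(pt, msg, n) != 0) return 0;
    }

    memcpy(pt, ct, 5);
    memcpy(iv, iv0, BLOCK_SIZE);
    cfb8_decrypt(&ctx, toy_block, iv, 5, pt, pt);   /* in place, < block */
    return memcmp(pt, msg, 5) == 0;
}

int main(void)
{
    printf("cfb8 chunked round trip: %s\n",
           cfb8_chunked_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The check mirrors what a chunk-size test should cover: a sub-block buffer decrypted on its own, and every split of a longer message, must agree with the one-shot result, because CFB8 advances its register one byte at a time rather than one block at a time.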
Niels Möller [Sun, 15 Sep 2019 08:28:58 +0000 (10:28 +0200)]
Add FIXME comment on struct gosthash94_ctx reorg.
Niels Möller [Sun, 15 Sep 2019 08:23:24 +0000 (10:23 +0200)]
ChangeLog entries for gosthash94cp.
Dmitry Eremin-Solenikov [Thu, 11 Jul 2019 18:43:16 +0000 (21:43 +0300)]
Add PBKDF2 support for gosthash94cp
Russian technical committee working on standardization of cryptography
algorithms has published the document describing usage of GOST R
34.11-94 hash function with PBKDF2 algorithm (MR 26.2.001-2012).
Add test vectors from that document and a special function implementing
Nettle interface for PBKDF2 using gosthash94cp.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 11 Jul 2019 18:43:15 +0000 (21:43 +0300)]
Add HMAC functions for GOSTHASH94 and GOSTHASH94CP
GOST hash functions can be used to generate MAC using HMAC algorithm.
Add functions implementing HMAC with GOSTHASH94/GOSTHASH94CP.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 11 Jul 2019 18:43:14 +0000 (21:43 +0300)]
Add GOST R 34.11-94 to nettle_hashes
Add entries for gosthash94 and gosthash94cp in nettle_hashes array.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 11 Jul 2019 18:43:12 +0000 (21:43 +0300)]
Add support for GOSTHASH94CP: GOST R 34.11-94 hash with CryptoPro S-box
Hash gosthash94 implements GOST R 34.11-94 standard using S-Box defined
in the standard 'for testing purposes only'. RFC 4357 defines S-Box
(CryptoPro one) for GOST R 34.11-94 hash function that is widely used in
applications. Add separate hash function algorithm (gosthash94cp)
implementing GOST R 34.11-94 hashing using that S-Box.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 11 Jul 2019 18:43:11 +0000 (21:43 +0300)]
Start separating GOST 28147-89 from GOST R 34.11-94
Hash function GOST R 34.11-94 (gosthash94) in its compression function
uses Russian block cipher (GOST 28147-89, Magma). Start separating block
cipher code from hash function code. For now there is no public
interface for this cipher, it will be added later.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Niels Möller [Sun, 15 Sep 2019 08:05:19 +0000 (10:05 +0200)]
dlopen-test: Use libnettle.dylib on MacOS.
Niels Möller [Sat, 14 Sep 2019 06:21:12 +0000 (08:21 +0200)]
Mention dependencies on GNU make and GNU GMP in the README file.
Dmitry Eremin-Solenikov [Wed, 4 Sep 2019 06:10:31 +0000 (09:10 +0300)]
gcm: move block shifting function to block-internal.h
Move GCM's block shift function to block-internal.h. This concludes
moving of all Galois mul-by-2 to single header.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Wed, 4 Sep 2019 06:10:30 +0000 (09:10 +0300)]
block modes: move Galois shifts to block-internal.h
Move Galois polynomial shifts to block-internal.h, simplifying common
code. GCM is left unconverted for now, this will be fixed later.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Wed, 4 Sep 2019 06:10:29 +0000 (09:10 +0300)]
block-internal: add block XORing functions
Add common implementations for functions doing XOR over
nettle_block16/nettle_block8.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 26 Aug 2019 18:20:22 +0000 (21:20 +0300)]
cmac64: fix nettle_block16 usage
CMAC64 uses block8, rather than block16.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 26 Aug 2019 18:20:21 +0000 (21:20 +0300)]
gcm: use uint64_t member of nettle_block16
Remove last usage of unsigned long member of nettle_block16.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Niels Möller [Fri, 23 Aug 2019 04:31:13 +0000 (06:31 +0200)]
Merge branch 'block16-refactor' into master-updates
Dmitry Eremin-Solenikov [Mon, 22 Jul 2019 06:37:12 +0000 (08:37 +0200)]
Expand documentation to cover CMAC-64
Niels Möller [Sun, 21 Jul 2019 12:47:17 +0000 (14:47 +0200)]
CMAC comment fixes
Niels Möller [Wed, 10 Jul 2019 21:00:33 +0000 (23:00 +0200)]
ChangeLog for previous change
Dmitry Eremin-Solenikov [Tue, 2 Jul 2019 12:38:57 +0000 (15:38 +0300)]
cmac: add CMAC-DES3 (CMAC-TDES) implementation
Implement CMAC using TripleDES as underlying cipher.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Niels Möller [Wed, 10 Jul 2019 20:44:56 +0000 (22:44 +0200)]
ChangeLog for previous change
Dmitry Eremin-Solenikov [Tue, 9 Jul 2019 18:58:42 +0000 (21:58 +0300)]
cmac: add 64-bit mode CMAC
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Niels Möller [Mon, 8 Jul 2019 20:25:39 +0000 (22:25 +0200)]
Mark w member of union nettle_block16 as deprecated.
Niels Möller [Mon, 8 Jul 2019 20:22:35 +0000 (22:22 +0200)]
gcm: Use uint64_t member of nettle_block16.
Niels Möller [Mon, 8 Jul 2019 19:09:50 +0000 (21:09 +0200)]
eax: Use uint64_t member of nettle_block16.
Niels Möller [Tue, 2 Jul 2019 20:38:21 +0000 (22:38 +0200)]
ChangeLog for previous change
Dmitry Eremin-Solenikov [Tue, 2 Jul 2019 12:38:55 +0000 (15:38 +0300)]
Move MAC testing code to generic place from cmac-test
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Simo Sorce [Mon, 13 May 2019 19:24:56 +0000 (15:24 -0400)]
Add tests that exercise public key checks for ECDH
When performing ECDH the peer provided public key needs to be checked
for validity. FIPS requires basic tests be performed to ensure the
provided points are in fact on the selected curve. Those checks already
exist in the ecc_point_set() function.
Add an explicit test that checks the boundaries so that any regression
in checks will be caught.
Signed-off-by: Simo Sorce <simo@redhat.com>
Niels Möller [Tue, 2 Jul 2019 12:28:04 +0000 (14:28 +0200)]
Merge branch 'siv-mode' into master-updates
Niels Möller [Wed, 26 Jun 2019 19:51:36 +0000 (21:51 +0200)]
Fixes for Nettle 3.5.1
Niels Möller [Wed, 26 Jun 2019 05:43:25 +0000 (07:43 +0200)]
ChangeLog entry for 3.5 release
Niels Möller [Tue, 25 Jun 2019 19:00:47 +0000 (21:00 +0200)]
Update config.guess and config.sub
Niels Möller [Sat, 15 Jun 2019 08:27:58 +0000 (10:27 +0200)]
NEWS for 3.5. Mention deprecations in intro.
Wim Lewis [Sat, 15 Jun 2019 08:15:39 +0000 (10:15 +0200)]
Fix some typos in the documentation.
Niels Möller [Thu, 6 Jun 2019 07:25:59 +0000 (09:25 +0200)]
Merge branch 'master' into siv-mode
The cmac changes on master break the previous version of the siv
code. Now updated, and improved to use const context arguments for the
_message functions.
Niels Möller [Thu, 6 Jun 2019 06:41:32 +0000 (08:41 +0200)]
Fix doc of cmac context structs.
Niels Möller [Wed, 5 Jun 2019 20:25:20 +0000 (22:25 +0200)]
Further separation of CMAC per-message state from subkeys.
Niels Möller [Wed, 5 Jun 2019 19:24:31 +0000 (21:24 +0200)]
Revert move of cmac128_ctx index
Niels Möller [Sat, 1 Jun 2019 08:30:29 +0000 (10:30 +0200)]
New struct cmac128_key.
Niels Möller [Wed, 15 May 2019 09:30:55 +0000 (11:30 +0200)]
Mention deletion of des-compat.h in NEWS
Niels Möller [Wed, 15 May 2019 08:24:48 +0000 (10:24 +0200)]
New SIV key size constants. Use in tests.
Niels Möller [Wed, 15 May 2019 08:11:22 +0000 (10:11 +0200)]
Require non-empty nonce for SIV mode.
Niels Möller [Sun, 12 May 2019 09:03:42 +0000 (11:03 +0200)]
Delete old libdes/openssl compatibility interface.
Niels Möller [Sat, 11 May 2019 19:29:52 +0000 (21:29 +0200)]
NEWS update for Nettle-3.5.
Niels Möller [Mon, 6 May 2019 17:36:33 +0000 (19:36 +0200)]
SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos
This AEAD algorithm provides a way to make nonce reuse a non-critical
issue. That is particularly useful to stateless servers that cannot
ensure that the nonce will not repeat. This cipher is used by
draft-ietf-ntp-using-nts-for-ntp-17.
Niels Möller [Wed, 1 May 2019 12:24:35 +0000 (14:24 +0200)]
New header file cmac-internal.h
Move and rename block_mulx --> _cmac128_block_mulx.
Niels Möller [Sat, 27 Apr 2019 07:37:17 +0000 (09:37 +0200)]
ChangeLog entry for EPILOGUE fix.
Simo Sorce [Sat, 27 Apr 2019 07:05:08 +0000 (09:05 +0200)]
Add missing EPILOGUEs in assembly files
Niels Möller [Sun, 14 Apr 2019 06:35:47 +0000 (08:35 +0200)]
tools/nettle-pbkdf2.c: Check strdup return value.
Niels Möller [Fri, 29 Mar 2019 06:32:42 +0000 (07:32 +0100)]
Redefine struct aes_ctx as a union of key-size specific contexts.
Niels Möller [Wed, 27 Mar 2019 05:30:58 +0000 (06:30 +0100)]
Rearrange cmac's block_mulx, make it closer to xts_shift.
* xts.c (xts_shift): Arrange with a single write to u64[1].
* cmac.c (block_mulx): Rewrite to work in the same way as
xts_shift, with 64-bit operations. XTS and CMAC use opposite
endianness, but otherwise, these two functions are identical.
Niels Möller [Sun, 24 Mar 2019 12:34:08 +0000 (13:34 +0100)]
Update docs for xts-aes
The structs are named xts_aes*_key, not xts_aes*_ctx.
Niels Möller [Sun, 24 Mar 2019 12:31:37 +0000 (13:31 +0100)]
ChangeLog entries for XTS support.
Simo Sorce [Wed, 20 Mar 2019 15:46:22 +0000 (11:46 -0400)]
Recode xts_shift based on endianness
This creates two implementations of xts_shift, one for little endian and
one for big endian. This way we avoid copies to additional variables and
inefficient byteswapping on platforms that do not have dedicated
instructions.
Signed-off-by: Simo Sorce <simo@redhat.com>
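The commit "Rearrange cmac's block_mulx, make it closer to xts_shift" above says that XTS and CMAC use opposite endianness but are otherwise the same 64-bit operation, and the commit just above splits xts_shift by endianness to avoid byteswapping. The following added example is not Nettle's code: it writes the shared step once, multiplication by x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 on two 64-bit words, and wraps it in a big-endian CMAC variant and a little-endian XTS variant using portable loads and stores. The function names `cmac_block_mulx` and `xts_shift` are borrowed for readability only; the check values are the subkeys L, K1 and K2 from the RFC 4493 AES-128 example, and the second check is the byte-reversal identity that follows from the two conventions differing only in byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint64_t load_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void store_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}
static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void store_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Multiply the 128-bit element hi:lo by x modulo x^128+x^7+x^2+x+1.
   The bit shifted out of hi decides whether 0x87 is folded into lo;
   a mask keeps it branch-free. This is the step both callers share. */
static void gf128_mulx(uint64_t *hi, uint64_t *lo)
{
    uint64_t carry = *hi >> 63;
    *hi = (*hi << 1) | (*lo >> 63);
    *lo = (*lo << 1) ^ (0x87 & (0 - carry));
}

/* CMAC convention (RFC 4493 / SP 800-38B): block is a big-endian
   integer, byte 0 carries the highest coefficients. */
void cmac_block_mulx(uint8_t out[16], const uint8_t in[16])
{
    uint64_t hi = load_be64(in), lo = load_be64(in + 8);
    gf128_mulx(&hi, &lo);
    store_be64(out, hi);
    store_be64(out + 8, lo);
}

/* XTS convention (IEEE 1619): little-endian, byte 0 carries the lowest
   coefficients, so only the loads, stores and word roles change. */
void xts_shift(uint8_t out[16], const uint8_t in[16])
{
    uint64_t lo = load_le64(in), hi = load_le64(in + 8);
    gf128_mulx(&hi, &lo);
    store_le64(out, lo);
    store_le64(out + 8, hi);
}

static unsigned nib(char c)
{
    return (unsigned)(c <= '9' ? c - '0' : (c | 0x20) - 'a' + 10);
}
static void unhex(uint8_t *out, const char *hex, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)((nib(hex[2 * i]) << 4) | nib(hex[2 * i + 1]));
}

/* RFC 4493 section 4: L = AES-128(K, 0^128) for K = 2b7e1516...4f3c,
   K1 = L*x (no reduction), K2 = K1*x (reduction fires). Returns 1 on match. */
int check_rfc4493_subkeys(void)
{
    uint8_t L[16], k1[16], k2[16], e1[16], e2[16];
    unhex(L,  "7df76b0c1ab899b33e42f047b91b546f", 16);
    unhex(e1, "fbeed618357133667c85e08f7236a8de", 16);
    unhex(e2, "f7ddac306ae266ccf90bc11ee46d513b", 16);
    cmac_block_mulx(k1, L);
    cmac_block_mulx(k2, k1);
    return memcmp(k1, e1, 16) == 0 && memcmp(k2, e2, 16) == 0;
}

/* Since only byte order differs, reverse(xts_shift(reverse(B))) must
   equal cmac_block_mulx(B). Checked on L, K1 and an all-ones block. */
int check_endianness_mirror(void)
{
    const char *hexes[3] = { "7df76b0c1ab899b33e42f047b91b546f",
                             "fbeed618357133667c85e08f7236a8de",
                             "ffffffffffffffffffffffffffffffff" };
    for (int s = 0; s < 3; s++) {
        uint8_t blk[16], rev[16], a[16], b[16];
        unhex(blk, hexes[s], 16);
        for (int i = 0; i < 16; i++) rev[i] = blk[15 - i];
        xts_shift(a, rev);
        cmac_block_mulx(b, blk);
        for (int i = 0; i < 16; i++)
            if (a[i] != b[15 - i]) return 0;
    }
    return 1;
}

int main(void)
{
    printf("rfc4493 subkeys: %s\n", check_rfc4493_subkeys() ? "ok" : "FAILED");
    printf("endianness mirror: %s\n", check_endianness_mirror() ? "ok" : "FAILED");
    return 0;
}
```

On a little-endian host the XTS variant needs no byte swapping at all (the loads and stores become plain memory access), which is the saving the endianness-specific rewrite of xts_shift is after; the big-endian CMAC variant gets the same benefit on big-endian hosts.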
Simo Sorce [Tue, 19 Mar 2019 20:30:53 +0000 (16:30 -0400)]
Inline ciphertext stealing
This avoids copying and may be somewhat more readable without the need
for so much explanation.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 4 Oct 2018 18:38:50 +0000 (14:38 -0400)]
Add support for XTS encryption mode
XEX encryption mode with tweak and ciphertext stealing (XTS) is
standardized in IEEE 1619 and generally used for storage devices.
Signed-off-by: Simo Sorce <simo@redhat.com>
Niels Möller [Wed, 10 Oct 2018 17:44:32 +0000 (19:44 +0200)]
Move block buffer last in hash context structs.
Niels Möller [Tue, 22 Jan 2019 18:06:43 +0000 (19:06 +0100)]
Merge branch 'delete-nettle-stdint-h' into master
Niels Möller [Mon, 21 Jan 2019 22:07:27 +0000 (23:07 +0100)]
.gitlab-ci.yml: Add -std=c89 and -DNDEBUG builds.
Niels Möller [Sat, 19 Jan 2019 16:21:25 +0000 (17:21 +0100)]
examples: Delete eratosthenes from TARGETS, left over from earlier change.
Niels Möller [Sat, 19 Jan 2019 15:16:37 +0000 (16:16 +0100)]
fat-arm.c: Fix declarations of chacha_core functions.
Niels Möller [Sat, 19 Jan 2019 08:42:24 +0000 (09:42 +0100)]
ChangeLog entries for previous change.
Yuriy M. Kaminskiy [Wed, 2 Jan 2019 16:41:32 +0000 (19:41 +0300)]
Add --enable-fat support for arm neon chacha20
On BCM2837B0 (Cortex-A53) @1.4GHz (Raspberry Pi 3B+),
Before:
`gnutls-cli --benchmark-ciphers`
CHACHA20-POLY1305 (16384) 51.54 MB/sec
`gnutls-cli --benchmark-tls-ciphers`:
ECDHE_RSA_CHACHA20_POLY1305 (payload 1400) 21.31 MB/sec
ECDHE_RSA_CHACHA20_POLY1305 (payload 15360) 24.60 MB/sec
`nettle-benchmark`
chacha encrypt 71.90
chacha decrypt 71.89
chacha_poly1305 encrypt 48.17
chacha_poly1305 decrypt 48.17
chacha_poly1305 update 146.03
After:
`gnutls-cli --benchmark-ciphers`
CHACHA20-POLY1305 (16384) 68.44 MB/sec
`gnutls-cli --benchmark-tls-ciphers`:
ECDHE_RSA_CHACHA20_POLY1305 (payload 1400) 27.25 MB/sec
ECDHE_RSA_CHACHA20_POLY1305 (payload 15360) 32.41 MB/sec
`nettle-benchmark`
chacha encrypt 106.00
chacha decrypt 105.94
chacha_poly1305 encrypt 65.94
chacha_poly1305 decrypt 65.96
chacha_poly1305 update 175.24
Niels Möller [Sat, 19 Jan 2019 08:09:12 +0000 (09:09 +0100)]
Update NEWS for Nettle-3.5.
Niels Möller [Thu, 17 Jan 2019 20:51:46 +0000 (21:51 +0100)]
.gitlab-ci.yml: Use ./bootstrap in gnutls build.
Niels Möller [Sun, 13 Jan 2019 09:48:26 +0000 (10:48 +0100)]
eccdata: More asserts in ecc_pippenger_precompute.
Nikos Mavrogiannopoulos [Wed, 2 Jan 2019 09:31:08 +0000 (10:31 +0100)]
.gitlab-ci.yml: updated to new images by gnutls
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Niels Möller [Sat, 12 Jan 2019 16:31:21 +0000 (17:31 +0100)]
Delete eratosthenes program
Niels Möller [Sun, 6 Jan 2019 10:11:15 +0000 (11:11 +0100)]
tests: Fix assert call with side effects.
(cherry picked from commit 73d3c6d5586cc0fd81eab081078144d621de07b4)
Niels Möller [Thu, 10 Jan 2019 20:59:03 +0000 (21:59 +0100)]
test: Use %u and corresponding cast, when printing bit sizes.
Niels Möller [Thu, 10 Jan 2019 20:57:09 +0000 (21:57 +0100)]
nettle-benchmark: Add volatile to inline asm.
Niels Möller [Tue, 8 Jan 2019 22:00:45 +0000 (23:00 +0100)]
Add missing include of sha2-internal.h.
Niels Möller [Sun, 6 Jan 2019 08:24:55 +0000 (09:24 +0100)]
Delete nettle-stdint.h
Niels Möller [Wed, 26 Dec 2018 18:49:56 +0000 (19:49 +0100)]
eccdata: Add assert.
Niels Möller [Wed, 26 Dec 2018 16:49:31 +0000 (17:49 +0100)]
In openssl benchmarks, use RSA_generate_key_ex.
Niels Möller [Wed, 26 Dec 2018 16:27:00 +0000 (17:27 +0100)]
eccdata: Check that table size is at least 2.
Intended to silence warning from the clang static analyzer.
Niels Möller [Wed, 26 Dec 2018 15:30:04 +0000 (16:30 +0100)]
Bump version number and sonames, for Nettle-3.5
Niels Möller [Wed, 26 Dec 2018 15:19:17 +0000 (16:19 +0100)]
Delete obsolete TODO file
Niels Möller [Wed, 26 Dec 2018 15:18:09 +0000 (16:18 +0100)]
New header file pkcs1-internal.h
Niels Möller [Wed, 26 Dec 2018 10:30:21 +0000 (11:30 +0100)]
Merge branch 'release-3.4-fixes' into master
Niels Möller [Wed, 26 Dec 2018 10:07:51 +0000 (11:07 +0100)]
Fix compilation with gcc -std=c89
Niels Möller [Wed, 26 Dec 2018 10:04:31 +0000 (11:04 +0100)]
Fix accidental use of C99 for loop.
* rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop.
Reported by Andreas Gustafsson.
* testsuite/rsa-sec-decrypt-test.c (test_main): Likewise.
Niels Möller [Tue, 4 Dec 2018 20:55:48 +0000 (21:55 +0100)]
Note release of Nettle-3.4.1.
Niels Möller [Wed, 28 Nov 2018 21:42:56 +0000 (22:42 +0100)]
Update NEWS file for 3.4.1.
Mention dependency on GMP-6, and RSA performance regression.
Niels Möller [Wed, 28 Nov 2018 21:33:47 +0000 (22:33 +0100)]
Update configure check to require GMP-6.0.0 or later.
Niels Möller [Wed, 28 Nov 2018 21:01:29 +0000 (22:01 +0100)]
Rewrite pkcs1_decrypt as a wrapper around _pkcs1_sec_decrypt_variable.
* testsuite/rsa-encrypt-test.c (test_main): Fix allocation of
decrypted storage. Update test of rsa_decrypt, to allow clobbering
of all of the passed in message area.
Niels Möller [Wed, 28 Nov 2018 20:54:15 +0000 (21:54 +0100)]
Add rsa-internal.h to distributed headers.
Patch from Simo Sorce.
Niels Möller [Wed, 28 Nov 2018 20:52:30 +0000 (21:52 +0100)]
rsa-internal.h: Add include of rsa.h.
Niels Möller [Tue, 27 Nov 2018 07:56:27 +0000 (08:56 +0100)]
Describe RSA improvements in NEWS.
Niels Möller [Tue, 27 Nov 2018 07:21:02 +0000 (08:21 +0100)]
Rewrote _rsa_sec_compute_root, for clarity.
Use new local helper functions, with their own itch functions.
Niels Möller [Mon, 26 Nov 2018 06:32:28 +0000 (07:32 +0100)]
rsa-compute-root-test: Fix qsize. Try more keys.
Niels Möller [Sun, 25 Nov 2018 20:57:59 +0000 (21:57 +0100)]
Update mini-gmp version for _rsa_sec_compute_root_tr rename.
Niels Möller [Sun, 25 Nov 2018 19:29:07 +0000 (20:29 +0100)]
Renamed rsa-sec-compute-root-test --> rsa-compute-root-test.
Niels Möller [Sun, 25 Nov 2018 19:10:13 +0000 (20:10 +0100)]
cnd_mpn_zero: Use a volatile-declared mask variable.
Niels Möller [Sun, 25 Nov 2018 18:46:30 +0000 (19:46 +0100)]
Move decl. of rsa_sec_compute_root_tr to internal header.
Also renamed with leading underscore, and updated all callers.
Simo Sorce [Sun, 25 Nov 2018 18:23:38 +0000 (19:23 +0100)]
Switch rsa_compute_root to use side-channel safe variant
Niels Möller [Sun, 25 Nov 2018 17:53:55 +0000 (18:53 +0100)]
ChangeLog for previous change.
Simo Sorce [Fri, 9 Nov 2018 22:32:04 +0000 (17:32 -0500)]
Randomized testing of rsa-sec-compute-root
Signed-off-by: Simo Sorce <simo@redhat.com>
Niels Möller [Sun, 25 Nov 2018 16:11:39 +0000 (17:11 +0100)]
testutils.c: Fix high bits of the mpz_urandomb used with mini-gmp.