* shake256.c (sha3_256_shake): New file and function.
* Makefile.in (nettle_SOURCES): Add shake256.c.
* testsuite/testutils.c (test_hash): Allow arbitrary digest size,
if hash->digest_size == 0.
* testsuite/shake.awk: New script to extract test vectors.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c.
(DISTFILES): Add shake.awk.

* ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use
add_hh rather than add_hhh.
(table_init) [[ECC_MUL_A_EH_WBITS > 0]: Likewise.
* ecc-internal.h (ECC_MUL_A_EH_ITCH) [ECC_MUL_A_EH_WBITS == 0]:
Reduced from 13*n to 12*n.

* eddsa-verify.c (_eddsa_verify): Use function pointer rather than
calling ecc_add_eh directly. Preparation for eddsa over curve448.

* curve25519-mul.c (curve25519_mul): Use ecc_mul_m.
* curve448-mul.c (curve448_mul): Likewise.

* ecc-mul-m.c (ecc_mul_m): New file and function. Implements
multipliction for curves in Montgomery representation, as used for
curve25519 and curve448. Extracted from curve25519_mul.
* ecc-internal.h (ecc_mul_m): Declare.
(ECC_MUL_M_ITCH): New macro.
* Makefile.in (hogweed_SOURCES): Add ecc-mul-m.c.

We now have h_to_a_itch <= mul_itch, mul_g_itch. Add asserts at a few
places relying on this.
(ECC_ECDSA_KEYGEN_ITCH, ECC_MAX): Delete macros.
(ECC_ECDSA_SIGN_ITCH): Revert previous change.

* ecc-448.c (ecc_mod_pow_446m224m1): Reduce scratch space from 9*n
to 6*n.
(ECC_448_INV_ITCH, ECC_448_SQRT_ITCH): Reduce accordingly.
* curve448-mul.c (curve448_mul): Reduce allocation from 14*n to 12*n.

* x86_64/ecc-curve448-modp.asm (nettle_ecc_curve448_modp): New
assembly function.
* ecc-448.c (ecc_448_modp) [HAVE_NATIVE_ecc_curve448_modp]: Use
native nettle_ecc_curve448_modp if available.
* configure.ac (asm_hogweed_optional_list): Add ecc-curve448-modp.asm.
(HAVE_NATIVE_ecc_curve448_modp): New config.h define.

* ecc-eh-to-a.c (ecc_eh_to_a): Require op == 0, delete code only
used for non-standard ecdsa over curve25519.
* testsuite/ecdsa-sign-test.c (test_main): Delete test of ecdsa
over curve25519.
* testsuite/ecdsa-verify-test.c (test_main): Likewise.
* testsuite/ecdsa-keygen-test.c (test_main): Exclude curve25519
from test.

* configure.ac: Use AC_TRY_LINK rather than AC_TRY_COMPILE to
check for __builtin_bswap64. Since calling an non-existing
function typically results in a warning only at compile time, but
fails at link time. Patch contributed by by George Koehler.

* testsuite/testutils.c (test_cipher_cfb8): Add cast of size_t to
unsigned long for argument to fprintf.

* ecc-448.c (ecc_448_modp) [GMP_NUMB_BITS == 64]: New function.

Daiki Ueno authored Nov 30, 2019 and Niels Möller committed Nov 30, 2019

This patch adds the necessary primitives for "curve448", defined in
RFC 7748.  Those primitives are namely: addition, doubling, scalar
multiplication of the generator or an arbitrary point, inversion, and
square root.

Current gost support in gnutls depends on nettle internals.

Related to the the edwards_root member of struct ecc_curve, which
was used by ecc_a_to_eh before it was deleted, see 2014-09-17
entry below.
(ecc_curve_init): Delete corresponding curve25519 constants, and
NULL arguments passed for the other curves.

* testsuite/testutils.c (test_cipher_cfb8): Reset destination area
between tests. Encrypt/decrypt final partial block.

Daiki Ueno authored Sep 27, 2019 and Niels Möller committed Oct 01, 2019

Previously cfb8_decrypt didn't update the IV if the input is shorter
than the AES block size.  Reported by Stephan Mueller.

Signed-off-by: Daiki Ueno <dueno@redhat.com>

Dmitry Baryshkov authored Jul 11, 2019 and Niels Möller committed Sep 15, 2019

Russian technical comitee working on standartization of cryptography
algorithms has published the document describing usage of GOST R
34.11-94 hash function with PBKDF2 algorithm (MR 26.2.001-2012).
Add test vectors from that document and a special function implementing
Nettle interface for PBKDF2 using gosthash94cp.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Dmitry Baryshkov authored Jul 11, 2019 and Niels Möller committed Sep 15, 2019

GOST hash functions can be used to generate MAC using HMAC algorithm.
Add functions implementing HMAC with GOSTHASH94/GOSTHASH94CP.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Dmitry Baryshkov authored Jul 11, 2019 and Niels Möller committed Sep 15, 2019

Add entries for gosthash94 and gosthash94cp in nettle_hashes array.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Dmitry Baryshkov authored Jul 11, 2019 and Niels Möller committed Sep 15, 2019

Hash gosthash94 implements GOST R 34.11-94 standard using S-Box defined
in the standard 'for testing purposes only'. RFC 4357 defines S-Box
(CryptoPro one) for GOST R 34.11-94 hash function that is widely used in
applications. Add separate hash function algorithm (gosthash94cp)
implementing GOST R 34.11-94 hashing using that S-Box.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>