.gitlab-ci.yml

@@ -13,8 +13,7 @@ variables:
   - 'make -j$(nproc)'
   - 'make -j$(nproc) check $EXTRA_CHECK_TARGET'
   tags:
-  - shared
-  - linux
+  - saas-linux-small-amd64
   except:
   - tags
   variables:
@@ -94,8 +93,7 @@ build/static-analyzers:
   - scan-build ./configure --disable-documentation --disable-assembler
   - scan-build --status-bugs -o scan-build-lib make -j$(nproc)
   tags:
-  - shared
-  - linux
+  - saas-linux-small-amd64
   except:
   - tags
   artifacts:
@@ -117,8 +115,7 @@ build/gnutls:
       --disable-cxx --disable-guile --without-p11-kit --disable-doc &&
     make -j$(nproc) && make -j $(nproc) check
   tags:
-  - shared
-  - linux
+  - saas-linux-small-amd64
   except:
   - tags
   artifacts:
@@ -160,8 +157,7 @@ remote/s390x:
     - $SSH_PRIVATE_KEY != ""
     - $S390X_ACCOUNT != ""
   tags:
-  - shared
-  - linux
+  - saas-linux-small-amd64
   except:
   - tags
 
@@ -183,8 +179,7 @@ remote/s390x:
   - make EMULATOR=${EMULATOR} -j$(nproc) check
   - make EMULATOR=${EMULATOR} -j$(nproc) check-fat
   tags:
-  - shared
-  - linux
+  - saas-linux-small-amd64
   except:
   - tags
   variables:
@@ -226,3 +221,10 @@ cross/s390x-linux-gnu:
   variables:
     EXTRA_CONFIGURE_ARGS: '--disable-assembler'
     EMULATOR: qemu-s390x
+
+cross/sparc64-linux-gnu:
+  extends: .cross-build
+  variables:
+    EXTRA_CONFIGURE_ARGS: '--enable-mini-gmp'
+    QEMU_LD_PREFIX: /usr/sparc64-linux-gnu
+    EMULATOR: qemu-sparc64

AUTHORS

@@ -40,7 +40,7 @@ Simon Josefsson		Port of Arctwo, from GnuTLS and libgcrypt. New
 			ports of LGPL Serpent and Blowfish code, from
 			libgcrypt. Port of Salsa20, based on djb's
 			reference. Implementation of PBKDF2 (RFC
-			2898).
+			2898) and drbg-ctr.
 
 Henrik Grubbström	AES assembly for Sparc64.
 
@@ -94,9 +94,9 @@ Owen Kirby		Implementation of CCM mode.
 Amos Jeffries		Implementation of base64url encoding.
 
 Daiki Ueno		Implementation of RSA-PSS signatures,
-			curve448, shake256, ed448-shake256 signatures,
+			curve448, SHA3 shake, ed448-shake256 signatures,
 			chacha functions for 32-bit nonce, struct
-			nettle_mac interface, siv-gcm.
+			nettle_mac interface, siv-gcm, RSA-OAEP.
 
 Dmitry Baryshkov	CFB and CFB8 modes, CMAC64. gosthash94cp and
 			Streebog hash functions, GOST DSA signatures
@@ -113,13 +113,13 @@ Stephen R. van den Berg
 			Port of bcrypt.
 
 Mamone Tarsha Kurdi	Powerpc64 assembly and fat build setup,
-			including AES and GCM. Arm64 assembly and fat
+			including AES, GCM and poly1305. Arm64 assembly and fat
 			build setup, including AES, Chacha, GCM, SHA1,
 			SHA256. S390x assembly and fat build setup,
 			including AES, Chacha, memxor, memxor3, SHA1,
 			SHA256, SHA512, SHA3.
 
-Nicolas Mora		RFC 3394 keywrap.
+Nicolas Mora		RFC 3394 keywrap, RSA-OAEP.
 
 Tianjia Zhang		SM3 hash function, SM4 block cipher.
 
@@ -129,4 +129,8 @@ Amitay Isaacs		Powerpc64 assembly for secp192r1, secp224r1
 Martin Schwenke		Powerpc64 assembly for secp384r1, secp521r1,
 			curve25519 and curve448.
 
-Zoltan Fridrich		Ballon password hashing.
+Zoltan Fridrich		Balloon password hashing.
+
+Danny Tsen		Powerpc64 assembly for combined GCM-AES.
+
+Eric Richter		Powerpc64 sha256 assembly.

Makefile.in

@@ -68,12 +68,11 @@ check-fat:
 
 all-here: $(TARGETS) $(DOCTARGETS)
 
-nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \
+nettle_SOURCES = aes-decrypt-internal.c aes-decrypt-table.c \
 		 aes128-decrypt.c aes192-decrypt.c aes256-decrypt.c \
-		 aes-encrypt-internal.c aes-encrypt.c aes-encrypt-table.c \
+		 aes-encrypt-internal.c aes-encrypt-table.c \
 		 aes128-encrypt.c aes192-encrypt.c aes256-encrypt.c \
 		 aes-invert-internal.c aes-set-key-internal.c \
-		 aes-set-encrypt-key.c aes-set-decrypt-key.c \
 		 aes128-set-encrypt-key.c aes128-set-decrypt-key.c \
 		 aes128-meta.c \
 		 aes192-set-encrypt-key.c aes192-set-decrypt-key.c \
@@ -111,7 +110,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \
 		 eax.c eax-aes128.c eax-aes128-meta.c \
 		 ghash-set-key.c ghash-update.c \
 		 siv-ghash-set-key.c siv-ghash-update.c \
-		 gcm.c gcm-aes.c \
+		 gcm.c \
 		 gcm-aes128.c gcm-aes128-meta.c \
 		 gcm-aes192.c gcm-aes192-meta.c \
 		 gcm-aes256.c gcm-aes256-meta.c \
@@ -126,10 +125,11 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \
 		 hmac-sha512.c hmac-streebog.c hmac-sm3.c \
 		 hmac-md5-meta.c hmac-ripemd160-meta.c hmac-sha1-meta.c \
 		 hmac-sha224-meta.c hmac-sha256-meta.c hmac-sha384-meta.c \
-		 hmac-sha512-meta.c hmac-streebog-meta.c hmac-sm3-meta.c \
+		 hmac-sha512-meta.c hmac-gosthash94-meta.c \
+		 hmac-streebog-meta.c hmac-sm3-meta.c \
 		 knuth-lfib.c hkdf.c \
 		 md2.c md2-meta.c md4.c md4-meta.c \
-		 md5.c md5-compress.c md5-compat.c md5-meta.c \
+		 md5.c md5-meta.c \
 		 memeql-sec.c memxor.c memxor3.c \
 		 nettle-lookup-hash.c \
 		 nettle-meta-aeads.c nettle-meta-armors.c \
@@ -151,7 +151,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \
 		 sha3.c sha3-permute.c \
 		 sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \
 		 sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c \
-		 shake256.c \
+		 sha3-shake.c shake128.c shake256.c \
 		 sm3.c sm3-meta.c \
 		 serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \
 		 serpent-meta.c \
@@ -172,6 +172,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 		  bignum.c bignum-random.c bignum-random-prime.c \
 		  sexp2bignum.c \
 		  pkcs1.c pkcs1-encrypt.c pkcs1-decrypt.c \
+		  oaep.c \
 		  pkcs1-sec-decrypt.c \
 		  pkcs1-rsa-digest.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \
 		  pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \
@@ -186,15 +187,13 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 		  rsa-pss-sha256-sign-tr.c rsa-pss-sha256-verify.c \
 		  rsa-pss-sha512-sign-tr.c rsa-pss-sha512-verify.c \
 		  rsa-encrypt.c rsa-decrypt.c \
+		  rsa-oaep-encrypt.c rsa-oaep-decrypt.c \
 		  rsa-sec-decrypt.c rsa-decrypt-tr.c \
-		  rsa-keygen.c rsa-blind.c \
+		  rsa-keygen.c \
 		  rsa2sexp.c sexp2rsa.c \
-		  dsa.c dsa-compat.c dsa-compat-keygen.c dsa-gen-params.c \
+		  dsa.c dsa-gen-params.c \
 		  dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \
-		  dsa-sha1-sign.c dsa-sha1-verify.c \
-		  dsa-sha256-sign.c dsa-sha256-verify.c  \
 		  dsa2sexp.c sexp2dsa.c \
-		  pgp-encode.c rsa2openpgp.c \
 		  der-iterator.c der2rsa.c der2dsa.c \
 		  sec-add-1.c sec-sub-1.c \
 		  gmp-glue.c cnd-copy.c \
@@ -210,7 +209,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 		  ecc-dup-eh.c ecc-add-eh.c ecc-add-ehh.c \
 		  ecc-dup-th.c ecc-add-th.c ecc-add-thh.c \
 		  ecc-mul-g-eh.c ecc-mul-a-eh.c ecc-mul-m.c \
-		  ecc-mul-g.c ecc-mul-a.c ecc-hash.c ecc-random.c \
+		  ecc-mul-g.c ecc-mul-a.c ecc-random.c \
 		  ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \
 		  ecc-ecdsa-sign.c ecdsa-sign.c \
 		  ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \
@@ -230,18 +229,17 @@ OPT_SOURCES = fat-arm.c fat-arm64.c fat-ppc.c fat-s390x.c fat-x86_64.c mini-gmp.
 HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h balloon.h \
 	  base16.h base64.h bignum.h buffer.h camellia.h cast128.h \
 	  cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \
-	  curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \
+	  curve25519.h curve448.h des.h dsa.h eax.h \
 	  ecc-curve.h ecc.h ecdsa.h eddsa.h \
 	  gcm.h gostdsa.h gosthash94.h hmac.h \
 	  knuth-lfib.h hkdf.h \
 	  macros.h \
 	  cmac.h siv-cmac.h siv-gcm.h \
-	  md2.h md4.h \
-	  md5.h md5-compat.h \
+	  md2.h md4.h md5.h \
 	  memops.h memxor.h \
 	  nettle-meta.h nettle-types.h \
 	  ocb.h pbkdf2.h \
-	  pgp.h pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h \
+	  pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h \
 	  salsa20.h sexp.h serpent.h \
 	  sha.h sha1.h sha2.h sha3.h sm3.h sm4.h streebog.h twofish.h \
 	  umac.h yarrow.h xts.h poly1305.h nist-keywrap.h \
@@ -268,7 +266,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \
 	nettle.pc.in hogweed.pc.in \
 	desdata.stamp $(des_headers) descore.README \
 	aes-internal.h block-internal.h blowfish-internal.h bswap-internal.h \
-	camellia-internal.h \
+	camellia-internal.h gcm-internal.h \
 	ghash-internal.h gost28147-internal.h poly1305-internal.h \
 	serpent-internal.h cast128_sboxes.h desinfo.h desCode.h \
 	ripemd160-internal.h md-internal.h sha2-internal.h \
@@ -276,7 +274,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \
 	ctr-internal.h chacha-internal.h sha3-internal.h \
 	salsa20-internal.h umac-internal.h hogweed-internal.h \
 	rsa-internal.h pkcs1-internal.h dsa-internal.h eddsa-internal.h \
-	gmp-glue.h ecc-internal.h fat-setup.h \
+	gmp-glue.h ecc-internal.h fat-setup.h oaep.h \
 	mini-gmp.h asm.m4 m4-utils.m4 \
 	nettle.texinfo nettle.info nettle.html nettle.pdf sha-example.c
 
@@ -614,7 +612,7 @@ distdir: $(DISTFILES)
 	  else cp "$(srcdir)/$$f" "$(distdir)" ; \
 	  fi ; \
 	done
-	set -e; for d in sparc32 sparc64 x86 \
+	set -e; for d in sparc64 x86 \
 		x86_64 x86_64/aesni x86_64/sha_ni x86_64/pclmul x86_64/fat \
 		arm arm/neon arm/v6 arm/fat \
 		arm64 arm64/crypto arm64/fat \

NEWS

+NEWS for the Nettle 3.10.1 release
+
+	This is a maintenance release, with only a few bugfixes and
+	portability improvements.
+
+	The new version is intended to be fully source and binary
+	compatible with Nettle-3.6. The shared library names are
+	libnettle.so.8.10 and libhogweed.so.6.10, with sonames
+	libnettle.so.8 and libhogweed.so.6.
+
+	Bug fixes:
+
+	* Fix buffer overread in the new sha256 assembly for
+	  powerpc64, as well as a stack alignment issue.
+
+	* Added missing nettle_mac structs for hmac-gosthash.
+
+	* Fix configure test for valgrind, to not attempt to run
+	  valgrind on executables built using memory sanitizers.
+
+	Optimizations:
+
+	* Improved runtime detection of cpu features for OpenBSD and
+	  FreeBSD, using elf_aux_info when available. This also adds
+	  runtime detection for FreeBSD on arm64. Contributed by Brad
+	  Smith.
+
 NEWS for the Nettle 3.10 release
 
+	This is a maintenance release, including a few each of bug
+	fixes, new features and optimizations.
+
+	The new version is intended to be fully source and binary
+	compatible with Nettle-3.6. The shared library names are
+	libnettle.so.8.9 and libhogweed.so.6.9, with sonames
+	libnettle.so.8 and libhogweed.so.6.
+
+	Bug fixes:
+
+	* Add missing hash functions sha512_224 and sha512_256 to the
+	  nettle_get_hashes() list. The name values in the
+	  corresponding nettle_hash structs also changed to use
+	  underscore instead of dash, for consistency.
+
+	* Fix a few cases of formally undefined calls to memcpy(dst,
+	  NULL, 0), resulting from valid calls to, e.g.,
+	  sha256_update(ctx, 0, NULL).
+
 	New features:
 
+	* Support RSA-OAEP encryption. Contributed by Nicolas Mora and
+	  Daiki Ueno.
+
+	* New function sha3_256_shake_output, new functions
+	  sha3_128_init, sha3_128_update, sha3_128_shake,
+	  sha3_128_shake_output. Contributed by Daiki Ueno.
+
 	* Added DRBG-CTR with AES256, contributed by Simon Josefsson.
 
+	Optimizations:
+
+	* New combined gcm-aes assembly for powerpc64, contributed by
+	  Danny Tsen.
+
+	* New sha256 assembly for powerpc64, contributed by Eric
+          Richter.
+
+	* Improved performance for powerpc64 AES decrypt, by skipping
+	  subkey transformations that don't suit the vncipher
+	  instructions.
+
+	* Add arm64 CPU feature detection for Android and for Apple systems,
+	  contributed by Foolbar and Tim Kosse, respectively.
+
+	Miscellaneous:
+
+	* New tests for side-channel silence, based on valgrind.
+
+	* Delete all md5 assembly code. Delete all sparc32 assembly code.
+
 NEWS for the Nettle 3.9.1 release
 
 	This is a bugfix release, fixing a few bugs reported for

aclocal.m4

@@ -552,7 +552,14 @@ AC_DEFUN([NETTLE_PROG_VALGRIND],
 [AC_CACHE_CHECK([if valgrind is working],
   nettle_cv_prog_valgrind,
   [AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
-    if valgrind -q ./conftest$EXEEXT 2>&AS_MESSAGE_LOG_FD; then
+    # Valgrind is known to work poorly and sometimes hang indefinitely
+    # on executables built with gcc's leak-sanitizer and
+    # address-sanitizer, and with clang's memory sanitizer. Attempt to
+    # work around. See https://bugs.kde.org/show_bug.cgi?id=492255
+    if "$NM" ./conftest$EXEEXT 2>&AS_MESSAGE_LOG_FD |
+       grep '_lsan_\|_msan_\|_asan_' >/dev/null; then
+      nettle_cv_prog_valgrind=no
+    elif valgrind -q ./conftest$EXEEXT 2>&AS_MESSAGE_LOG_FD; then
       nettle_cv_prog_valgrind=yes
     else
       nettle_cv_prog_valgrind=no

aes-decrypt-internal.c

@@ -60,6 +60,7 @@ _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys,
     {
       uint32_t w0, w1, w2, w3;		/* working ciphertext */
       uint32_t t0, t1, t2, t3;
+      const uint32_t *p;
       unsigned i;
       
       /* Get clear text, using little-endian byte order.
@@ -70,12 +71,12 @@ _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys,
       w2 = LE_READ_UINT32(src + 8)  ^ keys[2];
       w3 = LE_READ_UINT32(src + 12) ^ keys[3];
 
-      for (i = 1; i < rounds; i++)
+      for (i = 1, p = keys - 4; i < rounds; i++, p -= 4)
 	{
-	  t0 = AES_ROUND(T, w0, w3, w2, w1, keys[4*i]);
-	  t1 = AES_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]);
-	  t2 = AES_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]);
-	  t3 = AES_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]);
+	  t0 = AES_ROUND(T, w0, w3, w2, w1, p[0]);
+	  t1 = AES_ROUND(T, w1, w0, w3, w2, p[1]);
+	  t2 = AES_ROUND(T, w2, w1, w0, w3, p[2]);
+	  t3 = AES_ROUND(T, w3, w2, w1, w0, p[3]);
 
 	  /* We could unroll the loop twice, to avoid these
 	     assignments. If all eight variables fit in registers,
@@ -88,10 +89,10 @@ _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys,
 
       /* Final round */
 
-      t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, keys[4*i]);
-      t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]);
-      t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]);
-      t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]);
+      t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, p[0]);
+      t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, p[1]);
+      t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, p[2]);
+      t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, p[3]);
 
       LE_WRITE_UINT32(dst, t0);
       LE_WRITE_UINT32(dst + 4, t1);

aes-encrypt.c

-/* aes-encrypt.c
-
-   Encryption function for the aes/rijndael block cipher.
-
-   Copyright (C) 2002, 2013 Niels Möller
-
-   This file is part of GNU Nettle.
-
-   GNU Nettle is free software: you can redistribute it and/or
-   modify it under the terms of either:
-
-     * the GNU Lesser General Public License as published by the Free
-       Software Foundation; either version 3 of the License, or (at your
-       option) any later version.
-
-   or
-
-     * the GNU General Public License as published by the Free
-       Software Foundation; either version 2 of the License, or (at your
-       option) any later version.
-
-   or both in parallel, as here.
-
-   GNU Nettle is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   General Public License for more details.
-
-   You should have received copies of the GNU General Public License and
-   the GNU Lesser General Public License along with this program.  If
-   not, see http://www.gnu.org/licenses/.
-*/
-
-#if HAVE_CONFIG_H
-# include "config.h"
-#endif
-
-#include <stdlib.h>
-
-#include "aes-internal.h"
-
-/* The main point on this function is to help the assembler
-   implementations of _nettle_aes_encrypt to get the table pointer.
-   For PIC code, the details can be complex and system dependent. */
-void
-aes_encrypt(const struct aes_ctx *ctx,
-	    size_t length, uint8_t *dst,
-	    const uint8_t *src)
-{
-  switch (ctx->key_size)
-    {
-    default: abort();
-    case AES128_KEY_SIZE:
-      aes128_encrypt(&ctx->u.ctx128, length, dst, src);
-      break;
-    case AES192_KEY_SIZE:
-      aes192_encrypt(&ctx->u.ctx192, length, dst, src);
-      break;
-    case AES256_KEY_SIZE:
-      aes256_encrypt(&ctx->u.ctx256, length, dst, src);
-      break;
-    }
-}

aes-internal.h

@@ -66,6 +66,8 @@ _nettle_aes_encrypt(unsigned rounds, const uint32_t *keys,
 		    size_t length, uint8_t *dst,
 		    const uint8_t *src);
 
+/* The keys pointer points at the subkeys for the first decrypt round,
+   located at the end of the array. */
 void
 _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys,
 		    const struct aes_table *T,

aes-invert-internal.c

@@ -42,6 +42,13 @@
 
 #include "macros.h"
 
+/* For fat builds */
+#if HAVE_NATIVE_aes_invert
+void
+_nettle_aes_invert_c(unsigned rounds, uint32_t *dst, const uint32_t *src);
+#define _nettle_aes_invert _nettle_aes_invert_c
+#endif
+
 /* NOTE: We don't include rotated versions of the table. */
 static const uint32_t mtable[0x100] =
 {
@@ -111,9 +118,9 @@ static const uint32_t mtable[0x100] =
   0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d,
 };
 
-#define MIX_COLUMN(T, key) do { \
+#define MIX_COLUMN(T, out, in) do {		\
     uint32_t _k, _nk, _t;	\
-    _k = (key);			\
+    _k = (in);			\
     _nk = T[_k & 0xff];		\
     _k >>= 8;			\
     _t = T[_k & 0xff];		\
@@ -124,7 +131,7 @@ static const uint32_t mtable[0x100] =
     _k >>= 8;			\
     _t = T[_k & 0xff];		\
     _nk ^= ROTL32(24, _t);	\
-    (key) = _nk;		\
+    (out) = _nk;		\
   } while(0)
   
 
@@ -136,29 +143,13 @@ _nettle_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src)
 {
   unsigned i;
 
-  /* Reverse the order of subkeys, in groups of 4. */
-  /* FIXME: Instead of reordering the subkeys, change the access order
-     of aes_decrypt, since it's a separate function anyway? */
-  if (src == dst)
-    {
-      unsigned j, k;
+  /* Transform all subkeys but the first and last. */
+  for (i = 4; i < 4 * rounds; i++)
+    MIX_COLUMN (mtable, dst[i], src[i]);
 
-      for (i = 0, j = rounds * 4;
-	   i < j;
-	   i += 4, j -= 4)
-	for (k = 0; k<4; k++)
-	  SWAP(dst[i+k], dst[j+k]);
-    }
-  else
+  if (src != dst)
     {
-      unsigned k;
-
-      for (i = 0; i <= rounds * 4; i += 4)
-	for (k = 0; k < 4; k++)
-	  dst[i+k] = src[rounds * 4 - i + k];
+      dst[0] = src[0]; dst[1] = src[1]; dst[2] = src[2]; dst[3] = src[3];
+      dst[i] = src[i]; dst[i+1] = src[i+1]; dst[i+2] = src[i+2]; dst[i+3] = src[i+3];
     }
-
-  /* Transform all subkeys but the first and last. */
-  for (i = 4; i < 4 * rounds; i++)
-    MIX_COLUMN (mtable, dst[i]);
 }

aes-set-decrypt-key.c

-/* aes-set-decrypt-key.c
-
-   Inverse key setup for the aes/rijndael block cipher.
-
-   Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller
-   Copyright (C) 2013 Niels Möller
-
-   This file is part of GNU Nettle.
-
-   GNU Nettle is free software: you can redistribute it and/or
-   modify it under the terms of either:
-
-     * the GNU Lesser General Public License as published by the Free
-       Software Foundation; either version 3 of the License, or (at your
-       option) any later version.
-
-   or
-
-     * the GNU General Public License as published by the Free
-       Software Foundation; either version 2 of the License, or (at your
-       option) any later version.
-
-   or both in parallel, as here.
-
-   GNU Nettle is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   General Public License for more details.
-
-   You should have received copies of the GNU General Public License and
-   the GNU Lesser General Public License along with this program.  If
-   not, see http://www.gnu.org/licenses/.
-*/
-
-#if HAVE_CONFIG_H
-# include "config.h"
-#endif
-
-#include <stdlib.h>
-
-/* This file implements and uses deprecated functions */
-#define _NETTLE_ATTRIBUTE_DEPRECATED
-
-#include "aes.h"
-
-void
-aes_invert_key(struct aes_ctx *dst,
-	       const struct aes_ctx *src)
-{
-  switch (src->key_size)
-    {
-    default: abort();
-    case AES128_KEY_SIZE:
-      aes128_invert_key(&dst->u.ctx128, &src->u.ctx128);
-      break;
-    case AES192_KEY_SIZE:
-      aes192_invert_key(&dst->u.ctx192, &src->u.ctx192);
-      break;
-    case AES256_KEY_SIZE:
-      aes256_invert_key(&dst->u.ctx256, &src->u.ctx256);
-      break;
-    }
-
-  dst->key_size = src->key_size;
-}
-
-void
-aes_set_decrypt_key(struct aes_ctx *ctx,
-		    size_t keysize, const uint8_t *key)
-{
-  /* We first create subkeys for encryption,
-   * then modify the subkeys for decryption. */
-  aes_set_encrypt_key(ctx, keysize, key);
-  aes_invert_key(ctx, ctx);
-}
-

aes.h

@@ -41,11 +41,6 @@ extern "C" {
 #endif
 
 /* Name mangling */
-#define aes_set_encrypt_key nettle_aes_set_encrypt_key
-#define aes_set_decrypt_key nettle_aes_set_decrypt_key
-#define aes_invert_key nettle_aes_invert_key
-#define aes_encrypt nettle_aes_encrypt
-#define aes_decrypt nettle_aes_decrypt
 #define aes128_set_encrypt_key nettle_aes128_set_encrypt_key
 #define aes128_set_decrypt_key nettle_aes128_set_decrypt_key
 #define aes128_invert_key nettle_aes128_invert_key
@@ -134,50 +129,6 @@ aes256_decrypt(const struct aes256_ctx *ctx,
 	       size_t length, uint8_t *dst,
 	       const uint8_t *src);
 
-/* The older nettle-2.7 AES interface is deprecated, please migrate to
-   the newer interface where each algorithm has a fixed key size. */
-
-/* Variable key size between 128 and 256 bits. But the only valid
- * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */
-#define AES_MIN_KEY_SIZE AES128_KEY_SIZE
-#define AES_MAX_KEY_SIZE AES256_KEY_SIZE
-
-#define AES_KEY_SIZE 32
-
-struct aes_ctx
-{
-  unsigned key_size;  /* In octets */
-  union {
-    struct aes128_ctx ctx128;
-    struct aes192_ctx ctx192;
-    struct aes256_ctx ctx256;
-  } u;
-};
-
-void
-aes_set_encrypt_key(struct aes_ctx *ctx,
-		    size_t length, const uint8_t *key)
-  _NETTLE_ATTRIBUTE_DEPRECATED;
-
-void
-aes_set_decrypt_key(struct aes_ctx *ctx,
-		   size_t length, const uint8_t *key)
-  _NETTLE_ATTRIBUTE_DEPRECATED;
-
-void
-aes_invert_key(struct aes_ctx *dst,
-	       const struct aes_ctx *src)
-  _NETTLE_ATTRIBUTE_DEPRECATED;
-
-void
-aes_encrypt(const struct aes_ctx *ctx,
-	    size_t length, uint8_t *dst,
-	    const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED;
-void
-aes_decrypt(const struct aes_ctx *ctx,
-	    size_t length, uint8_t *dst,
-	    const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED;
-
 #ifdef __cplusplus
 }
 #endif

aes128-decrypt.c

@@ -54,6 +54,6 @@ nettle_aes128_decrypt(const struct aes128_ctx *ctx,
 	       const uint8_t *src)
 {
   assert(!(length % AES_BLOCK_SIZE) );
-  _nettle_aes_decrypt(_AES128_ROUNDS, ctx->keys, &_nettle_aes_decrypt_table,
-		      length, dst, src);
+  _nettle_aes_decrypt(_AES128_ROUNDS, ctx->keys + 4*_AES128_ROUNDS,
+		      &_nettle_aes_decrypt_table, length, dst, src);
 }

aes192-decrypt.c

@@ -54,6 +54,6 @@ nettle_aes192_decrypt(const struct aes192_ctx *ctx,
 	       const uint8_t *src)
 {
   assert(!(length % AES_BLOCK_SIZE) );
-  _nettle_aes_decrypt(_AES192_ROUNDS, ctx->keys, &_nettle_aes_decrypt_table,
-		      length, dst, src);
+  _nettle_aes_decrypt(_AES192_ROUNDS, ctx->keys + 4 * _AES192_ROUNDS,
+		      &_nettle_aes_decrypt_table, length, dst, src);
 }

aes256-decrypt.c

@@ -54,6 +54,6 @@ nettle_aes256_decrypt(const struct aes256_ctx *ctx,
 	       const uint8_t *src)
 {
   assert(!(length % AES_BLOCK_SIZE) );
-  _nettle_aes_decrypt(_AES256_ROUNDS, ctx->keys, &_nettle_aes_decrypt_table,
-		      length, dst, src);
+  _nettle_aes_decrypt(_AES256_ROUNDS, ctx->keys + 4 * _AES256_ROUNDS,
+		      &_nettle_aes_decrypt_table, length, dst, src);
 }

arm/aes-decrypt-internal.asm

@@ -111,11 +111,12 @@ define(`AES_DECRYPT_ROUND', `
 	and	T0, MASK, $1, ror #22
 	ldr	T0, [TABLE, T0]
 
-	ldm	$9!, {$1,$2,$3,$4}
+	ldm	$9, {$1,$2,$3,$4}
 	eor	$8, $8, T0
 	sub	TABLE, TABLE, #3072
 	eor	$5, $5, $1
 	eor	$6, $6, $2
+	sub	$9, $9, #16
 	eor	$7, $7, $3
 	eor	$8, $8, $4
 ')
@@ -142,7 +143,7 @@ PROLOGUE(_nettle_aes_decrypt)
 	AES_LOAD(X0,KEY,W0)
 	AES_LOAD(X0,KEY,W1)
 	AES_LOAD(X0,KEY,W2)
-	AES_LOAD(X0,KEY,W3)
+	AES_LOAD_INCR(X0,KEY,W3, -28)
 
 	str	X0, FRAME_SRC
 

arm/aes.m4

 C Loads one word, and adds it to the subkey. Uses T0
-C AES_LOAD(SRC, KEY, REG)
-define(`AES_LOAD', `
+C AES_LOAD(SRC, KEY, REG, INCR)
+define(`AES_LOAD_INCR', `
 	ldrb	$3, [$1], #+1
 	ldrb	T0, [$1], #+1
 	orr	$3, T0, lsl #8
@@ -8,9 +8,13 @@ define(`AES_LOAD', `
 	orr	$3, T0, lsl #16
 	ldrb	T0, [$1], #+1
 	orr	$3, T0, lsl #24
-	ldr	T0, [$2], #+4
+	ldr	T0, [$2], #$4
 	eor	$3, T0
 ')
+C Loads one word, and adds it to the subkey. Uses T0
+C AES_LOAD(SRC, KEY, REG)
+define(`AES_LOAD', `AES_LOAD_INCR($1, $2, $3, +4)')
+
 C Stores one word. Destroys input.
 C AES_STORE(DST, X)
 define(`AES_STORE', `

arm/v6/aes-decrypt-internal.asm

@@ -114,11 +114,12 @@ define(`AES_DECRYPT_ROUND', `
 	uxtb	T0, $1, ror #24
 	ldr	T0, [TABLE, T0, lsl #2]
 
-	ldm	$9!, {$1,$2,$3,$4}
+	ldm	$9, {$1,$2,$3,$4}
 	eor	$8, $8, T0
 	sub	TABLE, TABLE, #3072
 	eor	$5, $5, $1
 	eor	$6, $6, $2
+	sub	$9, $9, #16
 	eor	$7, $7, $3
 	eor	$8, $8, $4
 ')
@@ -148,7 +149,7 @@ PROLOGUE(_nettle_aes_decrypt)
 	AES_LOAD(SRC,KEY,W0)
 	AES_LOAD(SRC,KEY,W1)
 	AES_LOAD(SRC,KEY,W2)
-	AES_LOAD(SRC,KEY,W3)
+	AES_LOAD_INCR(SRC,KEY,W3, -28)
 
 	str	SRC, FRAME_SRC
 

arm64/crypto/aes128-decrypt.asm

@@ -73,16 +73,16 @@ PROLOGUE(nettle_aes128_decrypt)
 L4B_loop:
     ld1            {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64
     
-    AESD_ROUND_4B(S0,S1,S2,S3,K0)
-    AESD_ROUND_4B(S0,S1,S2,S3,K1)
-    AESD_ROUND_4B(S0,S1,S2,S3,K2)
-    AESD_ROUND_4B(S0,S1,S2,S3,K3)
-    AESD_ROUND_4B(S0,S1,S2,S3,K4)
-    AESD_ROUND_4B(S0,S1,S2,S3,K5)
-    AESD_ROUND_4B(S0,S1,S2,S3,K6)
-    AESD_ROUND_4B(S0,S1,S2,S3,K7)
+    AESD_ROUND_4B(S0,S1,S2,S3,K10)
+    AESD_ROUND_4B(S0,S1,S2,S3,K9)
     AESD_ROUND_4B(S0,S1,S2,S3,K8)
-    AESD_LAST_ROUND_4B(S0,S1,S2,S3,K9,K10)
+    AESD_ROUND_4B(S0,S1,S2,S3,K7)
+    AESD_ROUND_4B(S0,S1,S2,S3,K6)
+    AESD_ROUND_4B(S0,S1,S2,S3,K5)
+    AESD_ROUND_4B(S0,S1,S2,S3,K4)
+    AESD_ROUND_4B(S0,S1,S2,S3,K3)
+    AESD_ROUND_4B(S0,S1,S2,S3,K2)
+    AESD_LAST_ROUND_4B(S0,S1,S2,S3,K1,K0)
 
     st1            {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64
 
@@ -97,16 +97,16 @@ L1B:
 L1B_loop:
     ld1            {S0.16b},[SRC],#16
     
-    AESD_ROUND_1B(S0,K0)
-    AESD_ROUND_1B(S0,K1)
-    AESD_ROUND_1B(S0,K2)
-    AESD_ROUND_1B(S0,K3)
-    AESD_ROUND_1B(S0,K4)
-    AESD_ROUND_1B(S0,K5)
-    AESD_ROUND_1B(S0,K6)
-    AESD_ROUND_1B(S0,K7)
+    AESD_ROUND_1B(S0,K10)
+    AESD_ROUND_1B(S0,K9)
     AESD_ROUND_1B(S0,K8)
-    AESD_LAST_ROUND_1B(S0,K9,K10)
+    AESD_ROUND_1B(S0,K7)
+    AESD_ROUND_1B(S0,K6)
+    AESD_ROUND_1B(S0,K5)
+    AESD_ROUND_1B(S0,K4)
+    AESD_ROUND_1B(S0,K3)
+    AESD_ROUND_1B(S0,K2)
+    AESD_LAST_ROUND_1B(S0,K1,K0)
 
     st1            {S0.16b},[DST],#16
 

arm64/crypto/aes192-decrypt.asm

@@ -76,18 +76,18 @@ PROLOGUE(nettle_aes192_decrypt)
 L4B_loop:
     ld1            {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64
     
-    AESD_ROUND_4B(S0,S1,S2,S3,K0)
-    AESD_ROUND_4B(S0,S1,S2,S3,K1)
-    AESD_ROUND_4B(S0,S1,S2,S3,K2)
-    AESD_ROUND_4B(S0,S1,S2,S3,K3)
-    AESD_ROUND_4B(S0,S1,S2,S3,K4)
-    AESD_ROUND_4B(S0,S1,S2,S3,K5)
-    AESD_ROUND_4B(S0,S1,S2,S3,K6)
-    AESD_ROUND_4B(S0,S1,S2,S3,K7)
-    AESD_ROUND_4B(S0,S1,S2,S3,K8)
-    AESD_ROUND_4B(S0,S1,S2,S3,K9)
+    AESD_ROUND_4B(S0,S1,S2,S3,K12)
+    AESD_ROUND_4B(S0,S1,S2,S3,K11)
     AESD_ROUND_4B(S0,S1,S2,S3,K10)
-    AESD_LAST_ROUND_4B(S0,S1,S2,S3,K11,K12)
+    AESD_ROUND_4B(S0,S1,S2,S3,K9)
+    AESD_ROUND_4B(S0,S1,S2,S3,K8)
+    AESD_ROUND_4B(S0,S1,S2,S3,K7)
+    AESD_ROUND_4B(S0,S1,S2,S3,K6)
+    AESD_ROUND_4B(S0,S1,S2,S3,K5)
+    AESD_ROUND_4B(S0,S1,S2,S3,K4)
+    AESD_ROUND_4B(S0,S1,S2,S3,K3)
+    AESD_ROUND_4B(S0,S1,S2,S3,K2)
+    AESD_LAST_ROUND_4B(S0,S1,S2,S3,K1,K0)
 
     st1            {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64
 
@@ -102,18 +102,18 @@ L1B:
 L1B_loop:
     ld1            {S0.16b},[SRC],#16
     
-    AESD_ROUND_1B(S0,K0)
-    AESD_ROUND_1B(S0,K1)
-    AESD_ROUND_1B(S0,K2)
-    AESD_ROUND_1B(S0,K3)
-    AESD_ROUND_1B(S0,K4)
-    AESD_ROUND_1B(S0,K5)
-    AESD_ROUND_1B(S0,K6)
-    AESD_ROUND_1B(S0,K7)
-    AESD_ROUND_1B(S0,K8)
-    AESD_ROUND_1B(S0,K9)
+    AESD_ROUND_1B(S0,K12)
+    AESD_ROUND_1B(S0,K11)
     AESD_ROUND_1B(S0,K10)
-    AESD_LAST_ROUND_1B(S0,K11,K12)
+    AESD_ROUND_1B(S0,K9)
+    AESD_ROUND_1B(S0,K8)
+    AESD_ROUND_1B(S0,K7)
+    AESD_ROUND_1B(S0,K6)
+    AESD_ROUND_1B(S0,K5)
+    AESD_ROUND_1B(S0,K4)
+    AESD_ROUND_1B(S0,K3)
+    AESD_ROUND_1B(S0,K2)
+    AESD_LAST_ROUND_1B(S0,K1,K0)
 
     st1            {S0.16b},[DST],#16