nettle merge requests
https://git.lysator.liu.se/nettle/nettle/-/merge_requests
2020-11-27T06:57:27Z

Include version.h in version-test.c
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/1
Brian Smith, 2020-11-27T06:57:27Z

The code fails to build without this include.

Using uint32_t for pbkdf2 iterations
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/2
Ghost User, 2020-01-11T11:43:30Z

Make nettle compile with pre-UAL arm assembler.
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/5
Marcus Hoffmann, 2017-02-28T18:58:32Z

See: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cjagjjbc.html for details.

WIP: Support GOST R 34.11-2012 (Streebog) hash function
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/6
Dmitry Baryshkov, 2020-06-14T21:21:57Z

GOST 28147-89 support
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/7
Dmitry Baryshkov, 2020-05-22T14:57:23Z

Big-endian ARM CI employing a fat build
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/8
Michael Weiser, 2020-07-21T09:44:23Z

This change adds a big-endian ARM CI build to the infrastructure. For now it uses external images (built by me) from Docker Hub, not GnuTLS's build-images and the Gitlab registry. That can (and IMO should) be changed, of course.

m4: follow GMP changes for GMP_PROG_CC_FOR_BUILD
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/9
Adrien Béraud, 2020-11-27T07:18:45Z

GMP has been using `return 0;` instead of `exit(0);` for GMP_PROG_CC* m4 macros since 2014.
The current code for `conftest.c` is technically incorrect, as `exit(int)` requires `stdlib.h` to be included:
https://www.man7.org/linux/man-pages/man3/exit.3.html
This commit fixes the case where the compiler expects `#include <stdlib.h>` to use `exit`, which was observed to be an issue in some environments.

[PowerPC64] Modify register defines in gcm-hash.asm
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/10
Maamoun TK, 2020-11-25T16:25:05Z

This patch changes register defines to avoid using non-volatile registers in places where they are not preserved.

[PowerPC64] Fat build support for GHASH
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/11
Maamoun TK, 2020-11-26T19:25:57Z

This patch adds fat build support for GHASH on PowerPC.

Suppress warnings in certain configuration and fix x86_64 build
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/12
Maamoun TK, 2020-11-27T15:10:33Z

This patch declares prototypes for _nettle_gcm_init_key() and _nettle_gcm_hash() as needed in gcm-internal.h, and it fixes a preprocessor directive in gcm.c.

[AArch64] Optimize GHASH
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/13
Maamoun TK, 2021-01-30T23:19:19Z

This patch optimizes GHASH on the AArch64 architecture. The patch checks for little-endian mode to enable the optimized GHASH core. Optimizing GHASH in little-endian mode using the PMULL instruction is a little bit tricky because the 64-bit operations on SIMD registers are byte-reversed in little-endian mode, so in order to get a correct result the input must be 64-bit byte-reversed, and in this case the output of the PMULL instruction will be 128-bit byte-reversed.

**GCM Benchmark result:**
| Version | Mbyte/s |
| ------ | ------ |
| C | 208 |
| Optimized GHASH | 3255 |

[PowerPC64] Use 32-bit offset to load data
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/14
Maamoun TK, 2020-12-19T09:04:33Z

The `ld` instruction supports a 16-bit offset, which means it can address up to 64K of GOT memory from a single base when loading data, so only ~8,000 global variables are accessible in this way. While this works under the current circumstances, it's safer to use a wider offset to allow more variables to be accessed. This patch uses a 32-bit offset to support the medium or large code model with a maximum addressing reach of 4 GB. While this patch inserts an additional instruction to load data from memory, the linker will optimize out the first instruction when possible by overriding it with a `nop` instruction.

[PowerPC64] Use signal to detect CPU features when getauxval() isn't available
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/15
Maamoun TK, 2020-12-20T16:57:53Z

This patch uses signal functions and inline assembly to detect CPU features when the glibc version is older than 2.16, where getauxval() has not been added yet.

[PowerPC64] Skip using getauxval() when it is not available
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/16
Maamoun TK, 2021-01-10T18:12:24Z

This patch skips using the getauxval() function to detect CPU features when the glibc version is older than 2.16, where getauxval() has not been added yet.

[S390x] Optimize AES modes
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/17
Maamoun TK, 2021-03-21T19:27:34Z

This patch takes advantage of built-in AES functions to optimize AES modes.
Added configurable options:
--enable-s390x-msa (Enable message-security assist on z/Architecture)
--enable-s390x-msa-x4 (Enable message-security-assist extension 4 on z/Architecture)
--enable-s390x-msa-x8 (Enable message-security-assist extension 8 on z/Architecture)
The patch contains fat support that checks the CPU features at runtime and runs the optimized cores when the corresponding features are enabled.

**Benchmark**:
This benchmark is run on a z15 with 5.2 GHz CPU frequency.
Benchmark of AES functions measured in cycles per byte when message-security-assist extension 8 is enabled (KMA-GCM-AES is used to optimize AES-GCM mode).
| Function | C (CPB) | [MSA-X8] Hardware accelerated (CPB) |
| ------ | ------ | ------ |
| AES128 Encrypt | 21.7 | 0.9 |
| AES128 Decrypt | 23.7 | 0.8 |
| AES192 Encrypt | 25.7 | 0.7 |
| AES192 Decrypt | 26.6 | 0.7 |
| AES256 Encrypt | 28.7 | 0.7 |
| AES256 Decrypt | 30.3 | 0.7 |
| CBC-AES128 Encrypt | 27.2 | 1.2 |
| CBC-AES128 Decrypt | 26.6 | 0.8 |
| CBC-AES192 Encrypt | 31.5 | 1.4 |
| CBC-AES192 Decrypt | 29.6 | 0.8 |
| CBC-AES256 Encrypt | 34.7 | 1.6 |
| CBC-AES256 Decrypt | 33.3 | 0.8 |
| CFB-AES128 Encrypt | 28.6 | 1.3 |
| CFB-AES128 Decrypt | 23.5 | 1.3 |
| CFB-AES192 Encrypt | 32.7 | 1.6 |
| CFB-AES192 Decrypt | 28.4 | 1.5 |
| CFB-AES256 Encrypt | 35.8 | 1.7 |
| CFB-AES256 Decrypt | 31.2 | 1.7 |
| CFB8-AES128 Encrypt | 341.6 | 17.3 |
| CFB8-AES128 Decrypt | 328.3 | 17.4 |
| CFB8-AES192 Encrypt | 398.2 | 20.4 |
| CFB8-AES192 Decrypt | 385.0 | 20.4 |
| CFB8-AES256 Encrypt | 453.3 | 23.4 |
| CFB8-AES256 Decrypt | 440.7 | 23.4 |
| CMAC-AES128 Update | 21.9 | 1.0 |
| CMAC-AES256 Update | 28.8 | 1.3 |
| CCM-AES128 Encrypt | 44.3 | 1.8 |
| CCM-AES128 Decrypt | 44.0 | 3.0 |
| CCM-AES128 Update | 21.6 | 1.0 |
| CCM-AES192 Encrypt | 52.0 | 2.0 |
| CCM-AES192 Decrypt | 52.0 | 3.2 |
| CCM-AES192 Update | 25.3 | 1.2 |
| CCM-AES256 Encrypt | 58.6 | 2.2 |
| CCM-AES256 Decrypt | 58.6 | 3.3 |
| CCM-AES256 Update | 28.4 | 1.4 |
| CTR-AES128 Crypt | 22.6 | 0.8 |
| CTR-AES192 Crypt | 26.7 | 0.8 |
| CTR-AES256 Crypt | 29.9 | 0.8 |
| XTS-AES128 Encrypt | 26.5 | 0.8 |
| XTS-AES128 Decrypt | 27.2 | 0.8 |
| XTS-AES256 Encrypt | 33.4 | 0.8 |
| XTS-AES256 Decrypt | 35.9 | 0.8 |
| GCM-AES128 Encrypt | 33.8 | 0.8 |
| GCM-AES128 Decrypt | 34.0 | 0.8 |
| GCM-AES128 Update | 11.6 | 0.5 |
| GCM-AES192 Encrypt | 38.4 | 0.8 |
| GCM-AES192 Decrypt | 39.1 | 0.8 |
| GCM-AES192 Update | 11.6 | 0.5 |
| GCM-AES256 Encrypt | 41.7 | 0.8 |
| GCM-AES256 Decrypt | 41.7 | 0.8 |
| GCM-AES256 Update | 11.5 | 0.5 |
Benchmark of AES-GCM mode functions measured in cycles per byte when message-security-assist extension 4 is enabled (KM-AES and KIMD-GHASH are used to optimize AES-GCM mode).
| Function | C (CPB) | [MSA-X4] Hardware accelerated (CPB) |
| ------ | ------ | ------ |
| GCM-AES128 Encrypt | 33.8 | 6.8 |
| GCM-AES128 Decrypt | 34.0 | 5.0 |
| GCM-AES128 Update | 11.6 | 0.4 |
| GCM-AES192 Encrypt | 38.4 | 6.8 |
| GCM-AES192 Decrypt | 39.1 | 5.0 |
| GCM-AES192 Update | 11.6 | 0.4 |
| GCM-AES256 Encrypt | 41.7 | 6.6 |
| GCM-AES256 Decrypt | 41.7 | 4.6 |
| GCM-AES256 Update | 11.5 | 0.4 |

Add pbkdf2_hmac_sha384 pbkdf2_hmac_sha512
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/18
Nicolas Mora, 2021-02-02T15:15:20Z

Add pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512 functions and their test case.

Implement aes key wrap and key unwrap (RFC 3394)
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/19
Nicolas Mora, 2021-07-01T13:50:38Z

RSA-OAEP encryption/decryption
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/20
Nicolas Mora, 2024-01-06T01:15:43Z

This is the implementation of RSAES-OAEP as defined in [RFC 3347](https://tools.ietf.org/html/rfc3447#section-7.1).
The added test suite verifies the test vectors provided in [RFC 7516](https://tools.ietf.org/html/rfc7516#appendix-A.1) and the document "RSAES-OAEP Encryption Scheme Algorithm specification and supporting documentation".

[AArch64] Fat build support for GCM optimization and syntax improvements
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/21
Maamoun TK, 2021-03-22T20:50:38Z

This patch adds fat build support for GCM optimization on AArch64; in addition, it uses m4 macros, adds documentation comments, and updates the README file.

nettle-benchmark: avoid -Wmaybe-uninitialized warnings
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/22
Daiki Ueno, 2021-03-28T14:45:02Z

Otherwise GCC 11 prints the following warning:
```console
nettle-benchmark.c: In function ‘time_umac’:
../umac.h:42:25: warning: ‘key’ may be used uninitialized [-Wmaybe-uninitialized]
42 | #define umac32_set_key nettle_umac32_set_key
nettle-benchmark.c:395:3: note: in expansion of macro ‘umac32_set_key’
395 | umac32_set_key (&ctx32, key);
| ^~~~~~~~~~~~~~
```
Although this should be harmless as it's in the benchmarking code and the content of the key doesn't matter, it wouldn't hurt to explicitly initialize it. This patch also uses predefined constants for key sizes.