Commits (6)
2019-12-28 Niels Möller <nisse@lysator.liu.se>
* bignum.h: Drop unrelated include of nettle-meta.h.
* pss.h: Include nettle-meta.h explicitly.
* eddsa-internal.h: Likewise.
2019-12-25 Niels Möller <nisse@lysator.liu.se>
Support for SHAKE256, based on patch by Daiki Ueno.
* shake256.c (sha3_256_shake): New file and function.
* Makefile.in (nettle_SOURCES): Add shake256.c.
* testsuite/testutils.c (test_hash): Allow arbitrary digest size,
if hash->digest_size == 0.
* testsuite/shake.awk: New script to extract test vectors.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c.
(DISTFILES): Add shake.awk.
* nettle.texinfo (Recommended hash functions): Document SHAKE-256.
* sha3.c (_sha3_pad): Generalized with an argument for the magic
suffix defining the sha3 instance.
* sha3-internal.h (_sha3_pad_hash): New macro, for SHA3 hashes.
Updated all callers of _sha3_pad.
(_sha3_pad_shake): New macro, using the SHAKE magic byte 0x1f.
2019-12-19 Niels Möller <nisse@lysator.liu.se>
* ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use
......
......@@ -129,7 +129,8 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
sha512-224-meta.c sha512-256-meta.c \
sha3.c sha3-permute.c \
sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \
sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c\
sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c \
shake256.c \
serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \
serpent-meta.c \
twofish.c twofish-meta.c \
......
......@@ -34,8 +34,6 @@
#ifndef NETTLE_BIGNUM_H_INCLUDED
#define NETTLE_BIGNUM_H_INCLUDED
#include "nettle-meta.h"
#include "nettle-types.h"
/* For NETTLE_USE_MINI_GMP */
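Review bot: Removing `#include "nettle-meta.h"` from bignum.h changes what this installed public header provides transitively, so out-of-tree code that included only bignum.h and relied on the nettle-meta.h declarations will stop compiling, while in-tree users are fixed by the explicit includes the same series adds to pss.h and eddsa-internal.h. That is a reasonable cleanup, but it is an API-visible change for downstream builds, so the ChangeLog entry (or NEWS) should say that users of bignum.h now have to include nettle-meta.h themselves.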
......
......@@ -55,7 +55,7 @@
void
ecc_256_redc (const struct ecc_modulo *p, mp_limb_t *rp);
#else /* !HAVE_NATIVE_ecc_256_redc */
# if ECC_REDC_SIZE > 0
# if ECC_REDC_SIZE > 0
# define ecc_256_redc ecc_pp1_redc
# elif ECC_REDC_SIZE == 0
# define ecc_256_redc NULL
......@@ -115,13 +115,13 @@ ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp)
/*
n-1 n-2 n-3 n-4
+---+---+---+---+
| u1| u0| u low |
+---+---+---+---+
- | q1(2^96-1)|
+-------+---+
|q2(2^.)|
+-------+
+---+---+---+---+
| u1| u0| u low |
+---+---+---+---+
- | q1(2^96-1)|
+-------+---+
|q2(2^.)|
+-------+
We multiply by two low limbs of p, 2^96 - 1, so we could use
shifts rather than mul.
......@@ -161,7 +161,7 @@ ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp)
mp_limb_t q2, q1, q0, t, c1, c0;
u0 = rp[n-2];
/* <q2, q1, q0> = v * u2 + <u2,u1>, same method as above.
+---+---+
......@@ -183,7 +183,7 @@ ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp)
q2 = q1 < t;
/* Compute candidate remainder, <u1, u0> - <q2, q1> * (2^128 - 2^96 + 2^64 - 1)
<u1, u0> + 2^64 q2 + (2^96 - 2^64 + 1) q1 (mod 2^128)
<u1, u0> + 2^64 q2 + (2^96 - 2^64 + 1) q1 (mod 2^128)
+---+---+
| u1| u0|
......@@ -194,9 +194,9 @@ ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp)
+-+-+-+
| q1|
--+-+-+-+---+
| u2| u1|
| u2| u1|
+---+---+
*/
*/
u2 = u1 + q2 - q1;
u1 = u0 + q1;
u2 += (u1 < q1);
......@@ -215,7 +215,7 @@ ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp)
t = mpn_submul_1 (rp + n - 4, q->m, 2, q1);
c0 += t;
c1 = c0 < t;
/* Construct underflow condition. */
c1 += (u1 < c0);
t = - (mp_limb_t) (u2 < c1);
......@@ -234,7 +234,7 @@ ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp)
rp[2] = u1;
rp[3] = u2;
}
#else
#error Unsupported parameters
#endif
......@@ -243,7 +243,7 @@ const struct ecc_curve _nettle_secp_256r1 =
{
{
256,
ECC_LIMB_SIZE,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
ECC_REDC_SIZE,
ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
......@@ -253,8 +253,8 @@ const struct ecc_curve _nettle_secp_256r1 =
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
ecc_pp1h,
ecc_256_modp,
USE_REDC ? ecc_256_redc : ecc_256_modp,
ecc_mod_inv,
......@@ -262,7 +262,7 @@ const struct ecc_curve _nettle_secp_256r1 =
},
{
256,
ECC_LIMB_SIZE,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
......
......@@ -33,6 +33,7 @@
#define NETTLE_EDDSA_INTERNAL_H
#include "nettle-types.h"
#include "nettle-meta.h"
#define _eddsa_compress _nettle_eddsa_compress
#define _eddsa_compress_itch _nettle_eddsa_compress_itch
......
......@@ -834,6 +834,28 @@ octets of the digest are written.
This function also resets the context.
@end deftypefun
@subsubsection @acronym{SHAKE-256}
@cindex SHAKE
In addition to those SHA-3 hash functions, Nettle also provides a SHA-3
extendable-output function (XOF), SHAKE-256. Unlike SHA-3 hash functions,
SHAKE can produce an output digest of any desired length.
To use SHAKE256, the context struct, init and update functions are the
same as for SHA3-256. To get a SHAKE256 digest, the following function
is used instead of @code{sha3_256_digest}. For an output size of
@code{SHA3_256_DIGEST_SIZE}, security is equivalent to SHA3-256 (but the
digest is different). Increasing output size further does not increase
security in terms of collision or preimage resistance. It can be seen as
a built in pseudorandomness generator.
@deftypefun void sha3_256_shake (struct shake256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and produces a SHAKE256 digest, writing it
to @var{digest}. @var{length} can be of arbitrary size.
This function also resets the context.
@end deftypefun
@node Legacy hash functions, nettle_hash abstraction, Recommended hash functions, Hash functions
@comment node-name, next, previous, up
@subsection Legacy hash functions
......
......@@ -34,7 +34,7 @@
#ifndef NETTLE_PSS_H_INCLUDED
#define NETTLE_PSS_H_INCLUDED
#include "nettle-types.h"
#include "nettle-meta.h"
#include "bignum.h"
#ifdef __cplusplus
......
......@@ -63,7 +63,7 @@ sha3_224_digest(struct sha3_224_ctx *ctx,
size_t length,
uint8_t *digest)
{
_sha3_pad (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index);
_sha3_pad_hash (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index);
_nettle_write_le64 (length, digest, ctx->state.a);
sha3_224_init (ctx);
}
......@@ -63,7 +63,7 @@ sha3_256_digest(struct sha3_256_ctx *ctx,
size_t length,
uint8_t *digest)
{
_sha3_pad (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index);
_sha3_pad_hash (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index);
_nettle_write_le64 (length, digest, ctx->state.a);
sha3_256_init (ctx);
}
......@@ -63,7 +63,7 @@ sha3_384_digest(struct sha3_384_ctx *ctx,
size_t length,
uint8_t *digest)
{
_sha3_pad (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index);
_sha3_pad_hash (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index);
_nettle_write_le64 (length, digest, ctx->state.a);
sha3_384_init (ctx);
}
......@@ -63,7 +63,7 @@ sha3_512_digest(struct sha3_512_ctx *ctx,
size_t length,
uint8_t *digest)
{
_sha3_pad (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index);
_sha3_pad_hash (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index);
_nettle_write_le64 (length, digest, ctx->state.a);
sha3_512_init (ctx);
}
......@@ -39,14 +39,25 @@
#define _sha3_update _nettle_sha3_update
#define _sha3_pad _nettle_sha3_pad
#define SHA3_HASH_MAGIC 6
#define SHA3_SHAKE_MAGIC 0x1f
unsigned
_sha3_update (struct sha3_state *state,
unsigned block_size, uint8_t *block,
unsigned pos,
size_t length, const uint8_t *data);
void
_sha3_pad (struct sha3_state *state,
unsigned block_size, uint8_t *block, unsigned pos);
unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic);
#define _sha3_pad_hash(state, block_size, block, pos) \
_sha3_pad (state, block_size, block, pos, SHA3_HASH_MAGIC)
#define _sha3_pad_shake(state, block_size, block, pos) \
_sha3_pad (state, block_size, block, pos, SHA3_SHAKE_MAGIC)
#endif
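Review bot: The two new constants `SHA3_HASH_MAGIC 6` and `SHA3_SHAKE_MAGIC 0x1f` are the whole difference between a SHA3 hash and a SHAKE XOF, yet nothing says what the values encode; a reader checking them against the standard has to reconstruct that the byte holds the FIPS 202 domain-separation bits followed by the first pad bit. I would add above them: `/* Domain separation suffix plus the first bit of pad10*1 (FIPS 202, sec. 6): SHA3 hashes append 01, giving 0x06; SHAKE appends 1111, giving 0x1f. */`. The new `uint8_t magic` parameter of `_sha3_pad` should also get a one-line comment saying it must be one of these two constants, since the `_sha3_pad_hash`/`_sha3_pad_shake` wrappers are the intended entry points.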
......@@ -92,10 +92,10 @@ _sha3_update (struct sha3_state *state,
void
_sha3_pad (struct sha3_state *state,
unsigned block_size, uint8_t *block, unsigned pos)
unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic)
{
assert (pos < block_size);
block[pos++] = 6;
block[pos++] = magic;
memset (block + pos, 0, block_size - pos);
block[block_size - 1] |= 0x80;
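Review bot: `block[pos++] = magic;` followed by `block[block_size - 1] |= 0x80;` is correct even when `pos == block_size - 1` (the assert only requires `pos < block_size`), because in that case the suffix bits and both pad bits legitimately share one byte, but that is the non-obvious part of the generalized function and it is undocumented. A comment on the OR line such as `/* Last bit of pad10*1; shares a byte with magic when pos == block_size - 1. */` would stop a future reader from "fixing" the apparent overlap. The body of `_sha3_pad` continues past the end of this hunk.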
......
......@@ -48,6 +48,7 @@ extern "C" {
#define sha3_256_init nettle_sha3_256_init
#define sha3_256_update nettle_sha3_256_update
#define sha3_256_digest nettle_sha3_256_digest
#define sha3_256_shake nettle_sha3_256_shake
#define sha3_384_init nettle_sha3_384_init
#define sha3_384_update nettle_sha3_384_update
#define sha3_384_digest nettle_sha3_384_digest
......@@ -135,6 +136,13 @@ sha3_256_digest(struct sha3_256_ctx *ctx,
size_t length,
uint8_t *digest);
/* Alternative digest function implementing shake256, with arbitrary
digest size */
void
sha3_256_shake(struct sha3_256_ctx *ctx,
size_t length,
uint8_t *digest);
struct sha3_384_ctx
{
struct sha3_state state;
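Review bot: The new declaration takes `struct sha3_256_ctx *ctx`, but the nettle.texinfo entry added in this same series documents `sha3_256_shake (struct shake256_ctx *@var{ctx}, ...)`, and no `shake256_ctx` type is introduced anywhere in the change, so the manual's prototype does not compile as written; the texinfo line should read `struct sha3_256_ctx *@var{ctx}` to match this header. The comment above the prototype could also state the contract the implementation has: `/* Alternative digest function implementing shake256 (FIPS 202 XOF): writes LENGTH output bytes, LENGTH arbitrary. Like sha3_256_digest it resets the context, so it is one-shot and cannot be called again to continue the output stream. */`.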
......
/* shake256.c
The SHAKE256 hash function, arbitrary length output.
Copyright (C) 2017 Daiki Ueno
Copyright (C) 2017 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <stddef.h>
#include <string.h>
#include "sha3.h"
#include "sha3-internal.h"
#include "nettle-write.h"
void
sha3_256_shake (struct sha3_256_ctx *ctx,
size_t length,
uint8_t *dst)
{
_sha3_pad_shake (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index);
while (length > SHA3_256_BLOCK_SIZE)
{
_nettle_write_le64 (SHA3_256_BLOCK_SIZE, dst, ctx->state.a);
length -= SHA3_256_BLOCK_SIZE;
dst += SHA3_256_BLOCK_SIZE;
sha3_permute (&ctx->state);
}
_nettle_write_le64 (length, dst, ctx->state.a);
sha3_256_init (ctx);
}
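Review bot: The last parameter is named `dst` here but `digest` in the sha3.h prototype and in the manual; the other sha3 digest functions use `digest` throughout, so `uint8_t *digest` would keep the definition consistent with its declaration. The squeeze loop itself looks right: `while (length > SHA3_256_BLOCK_SIZE)` emits one rate-sized block per permutation and the tail (including the exact-block-size case) is written straight from the state with no wasted permutation, and `sha3_256_init (ctx)` at the end reinitializes the state so the squeezed keystream cannot be extended by a second call. Since that one-shot behaviour is a real API limitation for an XOF, a short header comment would help: `/* Squeeze phase of SHAKE256: one permutation per full rate block, final partial block written directly. Resets ctx; the output cannot be continued by calling again. */`.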
......@@ -100,6 +100,9 @@ sha3-384-test$(EXEEXT): sha3-384-test.$(OBJEXT)
sha3-512-test$(EXEEXT): sha3-512-test.$(OBJEXT)
$(LINK) sha3-512-test.$(OBJEXT) $(TEST_OBJS) -o sha3-512-test$(EXEEXT)
shake256-test$(EXEEXT): shake256-test.$(OBJEXT)
$(LINK) shake256-test.$(OBJEXT) $(TEST_OBJS) -o shake256-test$(EXEEXT)
serpent-test$(EXEEXT): serpent-test.$(OBJEXT)
$(LINK) serpent-test.$(OBJEXT) $(TEST_OBJS) -o serpent-test$(EXEEXT)
......
......@@ -24,6 +24,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \
sha3-permute-test.c sha3-224-test.c sha3-256-test.c \
sha3-384-test.c sha3-512-test.c \
shake256-test.c \
serpent-test.c twofish-test.c version-test.c \
knuth-lfib-test.c \
cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \
......
#! /usr/bin/awk -f
# This script is used to process the Keccak testvectors, originally
# we used http://keccak.noekeon.org/KeccakKAT-3.zip.
# For the updated NIST version, test vectors can be found at
# https://github.com/gvanas/KeccakCodePackage/tree/master/TestVectors
/^Len/ { len = $3 }
/^Msg/ { msg = $3 }
/^Squeezed/ { md = $3;
if (len % 8 == 0)
printf("test_hash_extendable(&nettle_shakexxx, /* %d octets */\nSHEX(\"%s\"),\nSHEX(\"%s\"));\n",
len / 8, len ? msg : "", md);
}
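Review bot: The generated call uses `test_hash_extendable` and the placeholder `&nettle_shakexxx`, but the series extends the existing `test_hash` in testutils.c (digest_size 0 meaning arbitrary size) and defines no `test_hash_extendable` that I can see, so the script's output needs hand-editing before it compiles, unless that helper exists elsewhere in the test suite. Either emit `test_hash(&nettle_shake256, ...)` directly, or add a comment at the top of the script stating that the function name and the `shakexxx` placeholder are meant to be substituted after generation, so that regenerating the vectors is reproducible. The `len % 8 == 0` filter silently drops vectors whose bit length is not a whole number of octets, which is fine for a byte-oriented API but is worth a comment as well.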
......@@ -866,33 +866,36 @@ test_hash(const struct nettle_hash *hash,
const struct tstring *digest)
{
void *ctx = xalloc(hash->context_size);
uint8_t *buffer = xalloc(hash->digest_size);
uint8_t *buffer = xalloc(digest->length);
uint8_t *input;
unsigned offset;
ASSERT (digest->length == hash->digest_size);
/* Here, hash->digest_size zero means arbitrary size. */
if (hash->digest_size)
ASSERT (digest->length == hash->digest_size);
hash->init(ctx);
hash->update(ctx, msg->length, msg->data);
hash->digest(ctx, hash->digest_size, buffer);
hash->digest(ctx, digest->length, buffer);
if (MEMEQ(hash->digest_size, digest->data, buffer) == 0)
if (MEMEQ(digest->length, digest->data, buffer) == 0)
{
fprintf(stdout, "\nGot:\n");
print_hex(hash->digest_size, buffer);
print_hex(digest->length, buffer);
fprintf(stdout, "\nExpected:\n");
print_hex(hash->digest_size, digest->data);
print_hex(digest->length, digest->data);
abort();
}
memset(buffer, 0, hash->digest_size);
memset(buffer, 0, digest->length);
hash->update(ctx, msg->length, msg->data);
hash->digest(ctx, hash->digest_size - 1, buffer);
ASSERT(digest->length > 0);
hash->digest(ctx, digest->length - 1, buffer);
ASSERT(MEMEQ(hash->digest_size - 1, digest->data, buffer));
ASSERT(MEMEQ(digest->length - 1, digest->data, buffer));
ASSERT(buffer[hash->digest_size - 1] == 0);
ASSERT(buffer[digest->length - 1] == 0);
input = xalloc (msg->length + 16);
for (offset = 0; offset < 16; offset++)
......@@ -900,13 +903,13 @@ test_hash(const struct nettle_hash *hash,
memset (input, 0, msg->length + 16);
memcpy (input + offset, msg->data, msg->length);
hash->update (ctx, msg->length, input + offset);
hash->digest (ctx, hash->digest_size, buffer);
if (MEMEQ(hash->digest_size, digest->data, buffer) == 0)
hash->digest (ctx, digest->length, buffer);
if (MEMEQ(digest->length, digest->data, buffer) == 0)
{
fprintf(stdout, "hash input address: %p\nGot:\n", input + offset);
print_hex(hash->digest_size, buffer);
print_hex(digest->length, buffer);
fprintf(stdout, "\nExpected:\n");
print_hex(hash->digest_size, digest->data);
print_hex(digest->length, digest->data);
abort();
}
}
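Review bot: `ASSERT(digest->length > 0);` is added only before the truncated-digest check, after `xalloc(digest->length)` and after the first `hash->digest(ctx, digest->length, buffer)` have already run with a possibly zero length; since every size in this function is now driven by `digest->length`, the precondition is clearer if the assert moves up next to the `if (hash->digest_size)` check at the top, before the allocation. The signature of `test_hash` starts before this hunk. The second hunk at the bottom applies the same `hash->digest_size` to `digest->length` substitution and needs no separate change.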
......