From wk at gnupg.org Tue Mar 3 13:52:24 2020
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Mar 2020 13:52:24 +0100
Subject: [PATCH] gcrypt.texi: fix description of hash algorithms
In-Reply-To: <20200228212000.GH11886@flashtux.org> (Sébastien Helleu's message of "Fri, 28 Feb 2020 22:20:01 +0100")
References: <20200228212000.GH11886@flashtux.org>
Message-ID: <87tv35txbr.fsf@wheatstone.g10code.de>

On Fri, 28 Feb 2020 22:20, Sébastien Helleu said:

> You'll find attached a patch to fix two typos in doc (description of hash
> algorithms).

Thanks.  Applied to master and stable.

Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

From dbaryshkov at gmail.com Tue Mar 3 15:10:02 2020
From: dbaryshkov at gmail.com (Dmitry Baryshkov)
Date: Tue, 3 Mar 2020 17:10:02 +0300
Subject: [PATCH 0/3] gost28147: implement KeyMeshing per RFC 4357
In-Reply-To: <20200209182944.491835-1-dbaryshkov@gmail.com>
References: <20200209182944.491835-1-dbaryshkov@gmail.com>
Message-ID: 

On Sun, 9 Feb 2020 at 21:30, :
>
> RFC 4357 defines a special procedure of changing key and IV each 1024
> bytes. This procedure should be used for CFB-encrypted data (e.g. CMS
> files). Implement support for this key meshing. These changes were asked
> for by AltLinux team implementing support for RFC 4490 in gpgsm.

Re-ping, any review?

-- 
With best wishes
Dmitry

From dbaryshkov at gmail.com Thu Mar 5 11:49:52 2020
From: dbaryshkov at gmail.com (Dmitry Baryshkov)
Date: Thu, 5 Mar 2020 13:49:52 +0300
Subject: Support for RFC 4357
Message-ID: 

Hello,

On February 9th I sent three patches implementing support for a part of RFC 4357 (key meshing for GOST 28147-89) [1]. This is required to support CMS and encrypted private key files using the GOST 28147-89 algorithm (see RFC 4490).

For a month there was no reaction on the ML. I'm trying to understand now if there are any issues with the patches themselves, with the approach selected to implement it, or whether we should just wait for some time?

[1] https://lists.gnupg.org/pipermail/gcrypt-devel/2020-February/004922.html

-- 
With best wishes
Dmitry

From wk at gnupg.org Wed Mar 18 11:03:51 2020
From: wk at gnupg.org (Werner Koch)
Date: Wed, 18 Mar 2020 11:03:51 +0100
Subject: Support for RFC 4357
In-Reply-To: (Dmitry Baryshkov via Gcrypt-devel's message of "Thu, 5 Mar 2020 13:49:52 +0300")
References: 
Message-ID: <874kumdlo8.fsf@wheatstone.g10code.de>

On Thu, 5 Mar 2020 13:49, Dmitry Baryshkov said:

> For a month there was no reaction on the ML. I'm trying to understand

Sorry for this.  I guess we all waited for someone to start commenting on it.  I now had a brief look at it and noticed that the changes only affect the GOST algorithms and add one new algo identifier.

From my point of view the patches are okay and can be applied.  @jussi, @gniibe, okay?

Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

From gniibe at fsij.org Thu Mar 19 01:15:08 2020
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 19 Mar 2020 09:15:08 +0900
Subject: Support for RFC 4357
In-Reply-To: <874kumdlo8.fsf@wheatstone.g10code.de>
References: <874kumdlo8.fsf@wheatstone.g10code.de>
Message-ID: <874kulxks3.fsf@iwagami.gniibe.org>

Werner Koch wrote:
> From my point of view the patches are okay and can be applied. @jussi,
> @gniibe, okay?

No problem.  My apologies for not reviewing sooner.  I was busy with other work (constant-time modular multiplicative inverse).
-- 

From jussi.kivilinna at iki.fi Thu Mar 19 10:56:23 2020
From: jussi.kivilinna at iki.fi (Jussi Kivilinna)
Date: Thu, 19 Mar 2020 11:56:23 +0200
Subject: Support for RFC 4357
In-Reply-To: <874kumdlo8.fsf@wheatstone.g10code.de>
References: <874kumdlo8.fsf@wheatstone.g10code.de>
Message-ID: 

On 18.3.2020 12.03, Werner Koch wrote:
> On Thu, 5 Mar 2020 13:49, Dmitry Baryshkov said:
>
>> For a month there was no reaction on the ML. I'm trying to understand
>
> Sorry for this.  I guess we all waited for someone to start commenting
> on it.  I now had a brief look at it and noticed that the changes only
> affect the GOST algorithms and add one new algo identifier.
>
> From my point of view the patches are okay and can be applied.  @jussi,
> @gniibe, okay?
>

Looks ok to me.

-Jussi

From dbaryshkov at gmail.com Fri Mar 20 09:31:18 2020
From: dbaryshkov at gmail.com (Dmitry Baryshkov)
Date: Fri, 20 Mar 2020 11:31:18 +0300
Subject: Gcrypt compilation chokes under Android/Termux
Message-ID: 

Hello,

I have tried building libgcrypt on Android 8.1 (ARMv8) under Termux. Unfortunately the build failed with the following error.

$ gcc --version
clang version 9.0.1
Target: aarch64-unknown-linux-android
Thread model: posix
InstalledDir: /data/data/com.termux/files/usr/bin

...
/bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../libgcrypt/cipher -I.. -I../src -I../../libgcrypt/src -I../mpi -I../../libgcrypt/mpi -Wa,--noexecstack -g -O2 -MT chacha20-aarch64.lo -MD -MP -MF .deps/chacha20-aarch64.Tpo -c -o chacha20-aarch64.lo ../../libgcrypt/cipher/chacha20-aarch64.S
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../libgcrypt/cipher -I.. -I../src -I../../libgcrypt/src -I../mpi -I../../libgcrypt/mpi -Wa,--noexecstack -g -O2 -MT chacha20-aarch64.lo -MD -MP -MF .deps/chacha20-aarch64.Tpo -c ../../libgcrypt/cipher/chacha20-aarch64.S -fPIC -DPIC -o .libs/chacha20-aarch64.o
../../libgcrypt/cipher/chacha20-aarch64.S:419:701: error: invalid operand for instruction
add v18.4s, v18.4s, v22.4s;; add v19.4s, v19.4s, v23.4s;; umulh x25, x11, x15;; eor v1.16b, v18.16b, v30.16b;; eor v2.16b, v19.16b, v31.16b;; adds x17, x17, x24;; rev32 v30.8h, v1.8h; rev32 v31.8h, v2.8h;; mul x11, x12, x15;; add v26.4s, v26.4s, v30.4s;; add v27.4s, v27.4s, v31.4s;; adc x16, x16, x25;; eor v1.16b, v26.16b, v22.16b;; eor v2.16b, v27.16b, v23.16b;; mul x12, x12, x13;; shl v22.4s, v1.4s, #(12); shl v23.4s, v2.4s, #(12); adds x11, x11, x20;; sri v22.4s, v1.4s, #(32 - (12)); sri v23.4s, v2.4s, #(32 - (12));; adc x10, x12, x19;; add v18.4s, v18.4s, v22.4s;; add v19.4s, v19.4s, v23.4s;; and x12, x10, #3;; eor v1.16b, v18.16b, v30.16b;; eor v2.16b, v19.16b, v31.16b;; mov x10, x10, lsr #2;; tbl v30.16b, {v1.16b}, v7.16b; add x10, x10, x10, lsl #2;; tbl v31.16b, {v2.16b}, v7.16b;; adds x10, x10, x17;; add v26.4s, v26.4s, v30.4s;; add v27.4s, v27.4s, v31.4s;; adcs x11, x11, x16;; eor v1.16b, v26.16b, v22.16b;; eor v2.16b, v27.16b, v23.16b;; adc w12, w12, wzr;; shl v22.4s, v1.4s, #(7); shl v23.4s, v2.4s, #(7); ldr x22, [x9, #((1 * 16) + 0 * 8)];; sri v22.4s, v1.4s, #(32 - (7)); sri v23.4s, v2.4s, #(32 - (7));;
 ^
../../libgcrypt/cipher/chacha20-aarch64.S:451:701: error: invalid operand for instruction
add v18.4s, v18.4s, v23.4s;; add v19.4s, v19.4s, v20.4s;; umulh x25, x11, x15;; eor v1.16b, v18.16b, v29.16b;; eor v2.16b, v19.16b, v30.16b;; adds x17, x17, x24;; rev32 v29.8h, v1.8h; rev32 v30.8h, v2.8h;; mul x11, x12, x15;; add v24.4s, v24.4s, v29.4s;; add v25.4s, v25.4s, v30.4s;; adc x16, x16, x25;; eor v1.16b, v24.16b, v23.16b;; eor v2.16b, v25.16b, v20.16b;; mul x12, x12, x13;; shl v23.4s, v1.4s, #(12); shl v20.4s, v2.4s, #(12); adds x11, x11, x20;; sri v23.4s, v1.4s, #(32 - (12)); sri v20.4s, v2.4s, #(32 - (12));; adc x10, x12, x19;; add v18.4s, v18.4s, v23.4s;; add v19.4s, v19.4s, v20.4s;; and x12, x10, #3;; eor v1.16b, v18.16b, v29.16b;; eor v2.16b, v19.16b, v30.16b;; mov x10, x10, lsr #2;; tbl v29.16b, {v1.16b}, v7.16b; add x10, x10, x10, lsl #2;; tbl v30.16b, {v2.16b}, v7.16b;; adds x10, x10, x17;; add v24.4s, v24.4s, v29.4s;; add v25.4s, v25.4s, v30.4s;; adcs x11, x11, x16;; eor v1.16b, v24.16b, v23.16b;; eor v2.16b, v25.16b, v20.16b;; adc w12, w12, wzr;; shl v23.4s, v1.4s, #(7); shl v20.4s, v2.4s, #(7); subs x26, x26, #2; sri v23.4s, v1.4s, #(32 - (7)); sri v20.4s, v2.4s, #(32 - (7));;;
 ^
../../libgcrypt/cipher/chacha20-aarch64.S:496:342: error: invalid operand for instruction
add v18.4s, v18.4s, v23.4s;; add v19.4s, v19.4s, v20.4s;; adc x10, x12, x19;; eor v1.16b, v18.16b, v29.16b;; eor v2.16b, v19.16b, v30.16b;; ; rev32 v29.8h, v1.8h; rev32 v30.8h, v2.8h;; and x12, x10, #3;; add v24.4s, v24.4s, v29.4s;; add v25.4s, v25.4s, v30.4s;; ; eor v1.16b, v24.16b, v23.16b;; eor v2.16b, v25.16b, v20.16b;; mov x10, x10, lsr #2;; shl v23.4s, v1.4s, #(12); shl v20.4s, v2.4s, #(12); ; sri v23.4s, v1.4s, #(32 - (12)); sri v20.4s, v2.4s, #(32 - (12));; add x10, x10, x10, lsl #2;; add v18.4s, v18.4s, v23.4s;; add v19.4s, v19.4s, v20.4s;; ; eor v1.16b, v18.16b, v29.16b;; eor v2.16b, v19.16b, v30.16b;; adds x10, x10, x17;; tbl v29.16b, {v1.16b}, v7.16b; ; tbl v30.16b, {v2.16b}, v7.16b;; adcs x11, x11, x16;; add v24.4s, v24.4s, v29.4s;; add v25.4s, v25.4s, v30.4s;; ; eor v1.16b, v24.16b, v23.16b;; eor v2.16b, v25.16b, v20.16b;; adc w12, w12, wzr;; shl v23.4s, v1.4s, #(7); shl v20.4s, v2.4s, #(7); subs x26, x26, #2; sri v23.4s, v1.4s, #(32 - (7)); sri v20.4s, v2.4s, #(32 - (7));;
 ^
make[2]: *** [Makefile:807: chacha20-aarch64.lo] Error 1

-- 
With best wishes
Dmitry

From wk at gnupg.org Fri Mar 20 13:59:52 2020
From: wk at gnupg.org (Werner Koch)
Date: Fri, 20 Mar 2020 13:59:52 +0100
Subject: [PATCH 0/3] gost28147: implement KeyMeshing per RFC 4357
In-Reply-To: <20200209182944.491835-1-dbaryshkov@gmail.com> (Dmitry Eremin-Solenikov via Gcrypt-devel's message of "Sun, 9 Feb 2020 21:29:41 +0300")
References: <20200209182944.491835-1-dbaryshkov@gmail.com>
Message-ID: <87fte39o6v.fsf@wheatstone.g10code.de>

Hi!

I just applied and pushed your patches.  Thanks.

Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

From dbaryshkov at gmail.com Fri Mar 20 14:49:28 2020
From: dbaryshkov at gmail.com (dbaryshkov at gmail.com)
Date: Fri, 20 Mar 2020 16:49:28 +0300
Subject: [PATCH] tests/benchmark.c: fix error message for invalid MAC algo
Message-ID: <20200320134928.2231683-1-dbaryshkov@gmail.com>

From: Dmitry Eremin-Solenikov

Signed-off-by: Dmitry Eremin-Solenikov
---
 tests/benchmark.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/benchmark.c b/tests/benchmark.c index a245152c0228..5963527e1d7a 100644 --- a/tests/benchmark.c +++ b/tests/benchmark.c @@ -613,7 +613,7 @@ mac_bench ( const char *algoname ) algo = gcry_mac_map_name (algoname); if (!algo) { - fprintf (stderr, PGM ": invalid hash algorithm `%s'\n", algoname); + fprintf (stderr, PGM ": invalid MAC algorithm `%s'\n", algoname); exit (1); } -- 2.25.1 From jussi.kivilinna at iki.fi Sat Mar 21 15:34:49 2020 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Sat, 21 Mar 2020 16:34:49 +0200 Subject: [PATCH] asm-poly1305-aarch64: fix building with clang Message-ID: <158480128945.7863.1544770782152904596.stgit@localhost6.localdomain6> * cipher/asm-poly1305-aarch64.h (POLY1305_BLOCK_PART25): Use correct instruction format for right-shifting. -- GCC recognizes 32-bit ARM's 'move with barrel shift operand' on Aarch64, but clang does not. Therefore switch to use shift instruction instead. Signed-off-by: Jussi Kivilinna --- cipher/asm-poly1305-aarch64.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cipher/asm-poly1305-aarch64.h b/cipher/asm-poly1305-aarch64.h index 6c342bee..90092709 100644 --- a/cipher/asm-poly1305-aarch64.h +++ b/cipher/asm-poly1305-aarch64.h @@ -167,7 +167,7 @@ /* carry propagation */ \ and POLY_R_H2, POLY_R_H0, #3; #define POLY1305_BLOCK_PART25() \ - mov POLY_R_H0, POLY_R_H0, lsr #2; + lsr POLY_R_H0, POLY_R_H0, #2; #define POLY1305_BLOCK_PART26() \ add POLY_R_H0, POLY_R_H0, POLY_R_H0, lsl #2; #define POLY1305_BLOCK_PART27() \ From dbaryshkov at gmail.com Sat Mar 21 18:16:15 2020 
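Review bot: the one-line change in POLY1305_BLOCK_PART25 (`- mov POLY_R_H0, POLY_R_H0, lsr #2;` becomes `+ lsr POLY_R_H0, POLY_R_H0, #2;`) matches the three clang errors quoted earlier in this thread, each of which contains the expanded `mov x10, x10, lsr #2` in chacha20-aarch64.S, so a single fix should clear all three; before merging it is worth grepping the other aarch64 .S and .h files for further `mov` instructions carrying a shift operand, since GNU as silently accepts that 32-bit idiom and only clang's integrated assembler rejects it. The neighbouring PART26 (`add POLY_R_H0, POLY_R_H0, POLY_R_H0, lsl #2`) is a genuine shifted-register operand and needs no change.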
From: dbaryshkov at gmail.com (Dmitry Baryshkov)
Date: Sat, 21 Mar 2020 20:16:15 +0300
Subject: [PATCH] asm-poly1305-aarch64: fix building with clang
In-Reply-To: <158480128945.7863.1544770782152904596.stgit@localhost6.localdomain6>
References: <158480128945.7863.1544770782152904596.stgit@localhost6.localdomain6>
Message-ID: 

> * cipher/asm-poly1305-aarch64.h (POLY1305_BLOCK_PART25): Use correct
> instruction format for right-shifting.
> --
>
> GCC recognizes 32-bit ARM's 'move with barrel shift operand' on Aarch64,
> but clang does not. Therefore switch to use shift instruction instead.
>

Thank you, this fixed an issue.

> Signed-off-by: Jussi Kivilinna
>
>

-- 
With best wishes
Dmitry

From dbaryshkov at gmail.com Sat Mar 21 20:31:09 2020
From: dbaryshkov at gmail.com (Dmitry Baryshkov)
Date: Sat, 21 Mar 2020 22:31:09 +0300
Subject: [PATCH 0/3] gost28147: implement KeyMeshing per RFC 4357
In-Reply-To: <87fte39o6v.fsf@wheatstone.g10code.de>
References: <20200209182944.491835-1-dbaryshkov@gmail.com> <87fte39o6v.fsf@wheatstone.g10code.de>
Message-ID: 

On Fri, 20 Mar 2020 at 16:00, Werner Koch:
>
> Hi!
>
> I just applied and pushed your patches.  Thanks.

Thank you!

-- 
With best wishes
Dmitry

From dbaryshkov at gmail.com Sat Mar 21 20:33:49 2020
From: dbaryshkov at gmail.com (dbaryshkov at gmail.com)
Date: Sat, 21 Mar 2020 22:33:49 +0300
Subject: [PATCH 0/2] gost28147: add support for special MAC mode
Message-ID: <20200321193351.39935-1-dbaryshkov@gmail.com>

GOST 28147-89 defines a special mode of using the base transformation for generating a MAC. See RFC 5830 Section 8 for an English description of this mode. Originally this mode was called "Imitovstavka", so it is typical now to name this mode "imit". This mode is used e.g. inside CMS files generated using GOST algorithms.

These changes were asked for by the AltLinux team implementing support for RFC 4490 in gpgsm.

-- 
With best wishes
Dmitry

From dbaryshkov at gmail.com Sat Mar 21 20:33:51 2020
From: dbaryshkov at gmail.com (dbaryshkov at gmail.com)
Date: Sat, 21 Mar 2020 22:33:51 +0300
Subject: [PATCH 2/2] gost28147: implement special MAC mode called imitovstavka (IMIT)
In-Reply-To: <20200321193351.39935-1-dbaryshkov@gmail.com>
References: <20200321193351.39935-1-dbaryshkov@gmail.com>
Message-ID: <20200321193351.39935-3-dbaryshkov@gmail.com>
From: Dmitry Baryshkov * src/gcrypt.h.in (GCRY_MAC_GOST28147_IMIT): New. * cipher/gost28147.c (gost_imit_open, gost_imit_close, gost_imit_setkey, gost_imit_setiv, gost_imit_reset, _gost_imit_block, gost_imit_block, gost_imit_write, gost_imit_finish, gost_imit_read, gost_imit_verify, gost_imit_get_maclen, gost_imit_get_keylen, gost_imit_set_extra_info): New functions implementing GOST 28147-89 MAC (imitovstavka, IMIT) mode. * cipher/gost28147.c (gost_imit_ops, _gcry_mac_type_spec_gost28147_imit): declare GOST 28147-89 IMIT handler. * cipher/mac-internal.h (gcry_mac_handle): add fields to support GOST 28147-89 IMIT mode. * cipher/mac.c (mac_list): add _gcry_mac_type_spec_gost28147_imit, (spec_from_algo): handle GCRY_MAC_GOST28147_IMIT. * tests/basic.c (check_mac): add GOST28147-89 IMIT test vector. -- GOST 28147-89 (see RFC 5830 Section 8) defines MAC construction using the same base transformation. Implement support for it: required to read some CMS files produced using GOST algorithms, see RFC 4490. Signed-off-by: Dmitry Baryshkov --- cipher/gost28147.c | 242 +++++++++++++++++++++++++++++++++++++++++- cipher/mac-internal.h | 11 ++ cipher/mac.c | 5 + src/gcrypt.h.in | 1 + tests/basic.c | 7 ++ 5 files changed, 264 insertions(+), 2 deletions(-) diff --git a/cipher/gost28147.c b/cipher/gost28147.c index 00d729020799..24385915031c 100644 --- a/cipher/gost28147.c +++ b/cipher/gost28147.c @@ -23,16 +23,17 @@ * - OFB-like mode with additional transformation on keystream * RFC 5830 names this 'counter encryption' mode * Original GOST text uses the term 'gammirovanie' - * - MAC mode + * - MAC mode ('imitovstavka') * * This implementation handles ECB and CFB modes via usual libgcrypt handling. - * OFB-like and MAC modes are unsupported. + * OFB-like modes are unsupported. */ #include #include "types.h" #include "g10lib.h" #include "cipher.h" +#include "mac-internal.h" #include "bufhelp.h" #include "gost.h" 
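Review bot: documentation point in the file-header comment of gost28147.c: the hunk renames the bullet to `MAC mode ('imitovstavka')` and drops it from the unsupported list, but the sentence above it still says only ECB and CFB are handled via the usual libgcrypt handling; add a line stating that the IMIT MAC is implemented in this file and exposed as GCRY_MAC_GOST28147_IMIT, which also explains to a reader why cipher code now includes "mac-internal.h".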
@@ -311,3 +312,240 @@ gcry_cipher_spec_t _gcry_cipher_spec_gost28147_mesh = gost_decrypt_block, NULL, NULL, NULL, gost_set_extra_info, }; + +static gcry_err_code_t +gost_imit_open (gcry_mac_hd_t h) +{ + memset(&h->u.imit, 0, sizeof(h->u.imit)); + return 0; +} + +static void +gost_imit_close (gcry_mac_hd_t h) +{ + (void) h; +} + +static gcry_err_code_t +gost_imit_setkey (gcry_mac_hd_t h, const unsigned char *key, size_t keylen) +{ + int i; + + if (keylen != 256 / 8) + return GPG_ERR_INV_KEYLEN; + + if (!h->u.imit.ctx.sbox) + h->u.imit.ctx.sbox = sbox_CryptoPro_A; + + for (i = 0; i < 8; i++) + { + h->u.imit.ctx.key[i] = buf_get_le32(&key[4*i]); + } + + return 0; +} + +static gcry_err_code_t +gost_imit_setiv (gcry_mac_hd_t h, + const unsigned char *iv, + size_t ivlen) +{ + if (ivlen != 8) + return GPG_ERR_INV_LENGTH; + + h->u.imit.n1 = buf_get_le32 (iv + 0); + h->u.imit.n2 = buf_get_le32 (iv + 4); + + return 0; +} + +static gcry_err_code_t +gost_imit_reset (gcry_mac_hd_t h) +{ + h->u.imit.n1 = h->u.imit.n2 = 0; + h->u.imit.unused = 0; + return 0; +} + +static unsigned int +_gost_imit_block (const u32 *sbox, const u32 *key, u32 *o1, u32 *o2, u32 n1, u32 n2) +{ + n1 ^= *o1; + n2 ^= *o2; + + n2 ^= gost_val (key[0], n1, sbox); n1 ^= gost_val (key[1], n2, sbox); + n2 ^= gost_val (key[2], n1, sbox); n1 ^= gost_val (key[3], n2, sbox); + n2 ^= gost_val (key[4], n1, sbox); n1 ^= gost_val (key[5], n2, sbox); + n2 ^= gost_val (key[6], n1, sbox); n1 ^= gost_val (key[7], n2, sbox); + + n2 ^= gost_val (key[0], n1, sbox); n1 ^= gost_val (key[1], n2, sbox); + n2 ^= gost_val (key[2], n1, sbox); n1 ^= gost_val (key[3], n2, sbox); + n2 ^= gost_val (key[4], n1, sbox); n1 ^= gost_val (key[5], n2, sbox); + n2 ^= gost_val (key[6], n1, sbox); n1 ^= gost_val (key[7], n2, sbox); + + *o1 = n1; + *o2 = n2; + + return /* burn_stack */ 4*sizeof(void*) /* func call */ + + 3*sizeof(void*) /* stack */ + + 4*sizeof(void*) /* gost_val call */; +} + +static inline unsigned int +gost_imit_block 
(GOST28147_context *ctx, u32 *n1, u32 *n2, const unsigned char *buf) +{ + if (ctx->mesh_limit && (ctx->mesh_counter == ctx->mesh_limit)) + cryptopro_key_meshing (ctx); + + return _gost_imit_block (ctx->sbox, ctx->key, + n1, n2, + buf_get_le32 (buf+0), + buf_get_le32 (buf+4)); +} + +static gcry_err_code_t +gost_imit_write (gcry_mac_hd_t h, const unsigned char *buf, size_t buflen) +{ + const int blocksize = 8; + unsigned int burn = 0; + if (!buflen || !buf) + return GPG_ERR_NO_ERROR; + + if (h->u.imit.unused) + { + for (; buflen && h->u.imit.unused < blocksize; buflen --) + h->u.imit.lastiv[h->u.imit.unused++] = *buf++; + + if (h->u.imit.unused < blocksize) + return GPG_ERR_NO_ERROR; + + h->u.imit.count ++; + burn = gost_imit_block (&h->u.imit.ctx, + &h->u.imit.n1, &h->u.imit.n2, + h->u.imit.lastiv); + + h->u.imit.unused = 0; + } + + while (buflen >= blocksize) + { + h->u.imit.count ++; + burn = gost_imit_block (&h->u.imit.ctx, + &h->u.imit.n1, &h->u.imit.n2, + buf); + buf += blocksize; + buflen -= blocksize; + } + + for (; buflen; buflen--) + h->u.imit.lastiv[h->u.imit.unused++] = *buf++; + + _gcry_burn_stack (burn); + + return GPG_ERR_NO_ERROR; +} + +static void +gost_imit_finish (gcry_mac_hd_t h) +{ + static const unsigned char zero[8] = {0}; + + /* Fill till full block */ + if (h->u.imit.unused) + gost_imit_write(h, zero, 8 - h->u.imit.unused); + + if (h->u.imit.count == 1) + gost_imit_write(h, zero, 8); +} + +static gcry_err_code_t +gost_imit_read (gcry_mac_hd_t h, unsigned char *outbuf, size_t * outlen) +{ + unsigned int dlen = 8; + unsigned char digest[8]; + + gost_imit_finish (h); + + buf_put_le32 (digest+0, h->u.imit.n1); + buf_put_le32 (digest+4, h->u.imit.n2); + + if (*outlen <= dlen) + buf_cpy (outbuf, digest, *outlen); + else + { + buf_cpy (outbuf, digest, dlen); + *outlen = dlen; + } + return 0; +} + +static gcry_err_code_t +gost_imit_verify (gcry_mac_hd_t h, const unsigned char *buf, size_t buflen) +{ + unsigned char tbuf[8]; + + gost_imit_finish (h); 
+ + buf_put_le32 (tbuf+0, h->u.imit.n1); + buf_put_le32 (tbuf+4, h->u.imit.n2); + + return buf_eq_const(tbuf, buf, buflen) ? + GPG_ERR_NO_ERROR : GPG_ERR_CHECKSUM; +} + +static unsigned int +gost_imit_get_maclen (int algo) +{ + (void) algo; + return 4; /* or 8 */ +} + + +static unsigned int +gost_imit_get_keylen (int algo) +{ + (void) algo; + return 256 / 8; +} + +static gpg_err_code_t +gost_imit_set_extra_info (gcry_mac_hd_t hd, int what, const void *buffer, size_t buflen) +{ + gpg_err_code_t ec = 0; + + (void)buffer; + (void)buflen; + + switch (what) + { + case GCRYCTL_SET_SBOX: + ec = gost_set_sbox (&hd->u.imit.ctx, buffer); + break; + + default: + ec = GPG_ERR_INV_OP; + break; + } + return ec; +} + + +static gcry_mac_spec_ops_t gost_imit_ops = { + gost_imit_open, + gost_imit_close, + gost_imit_setkey, + gost_imit_setiv, + gost_imit_reset, + gost_imit_write, + gost_imit_read, + gost_imit_verify, + gost_imit_get_maclen, + gost_imit_get_keylen, + gost_imit_set_extra_info, +}; + +gcry_mac_spec_t _gcry_mac_type_spec_gost28147_imit = + { + GCRY_MAC_GOST28147_IMIT, {0, 0}, "GOST28147_IMIT", + &gost_imit_ops + }; diff --git a/cipher/mac-internal.h b/cipher/mac-internal.h index 15b4dfc2c5de..646ec1cfa220 100644 --- a/cipher/mac-internal.h +++ b/cipher/mac-internal.h @@ -95,6 +95,7 @@ typedef struct gcry_mac_spec const gcry_mac_spec_ops_t *ops; } gcry_mac_spec_t; +#include "gost.h" /* The handle structure. */ struct gcry_mac_handle @@ -120,6 +121,13 @@ struct gcry_mac_handle struct { struct poly1305mac_context_s *ctx; } poly1305mac; + struct { + GOST28147_context ctx; + u32 n1, n2; + unsigned int unused; + unsigned int count; + unsigned char lastiv[8]; /* IMIT blocksize */ + } imit; } u; }; 
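Review bot: gost_imit_verify compares `buflen` bytes against the 8-byte stack array `tbuf` without checking `buflen`, so a caller passing a longer buffer makes buf_eq_const read past `tbuf`, and a zero-length buffer verifies trivially; reject `buflen > 8` and `buflen < 1` with GPG_ERR_INV_LENGTH, mirroring the clamp that gost_imit_read applies to `*outlen`. Further points in the same hunk: gost_imit_block tests `ctx->mesh_counter == ctx->mesh_limit` but nothing in this hunk advances `mesh_counter`, so either the increment lives elsewhere and a long (more than 1024 bytes) IMIT vector should prove that meshing fires on the MAC path, or it never triggers here; gost_imit_get_maclen returns 4 with the comment `/* or 8 */` while gost_imit_read emits the full 8-byte state when `*outlen >= 8`, which the public documentation should state explicitly because callers size their buffers from gcry_mac_get_algo_maclen; and gost_imit_set_extra_info keeps `(void)buffer;` although `buffer` is passed to gost_set_sbox a few lines later, so drop the stale cast and decide whether `buflen` should be validated rather than discarded.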
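Review bot: the `#include "gost.h"` added in the `@@ -95,6 +95,7 @@` hunk of mac-internal.h sits between the gcry_mac_spec typedef and the handle struct; move it up with the header's other includes so the dependency on the GOST context type is visible at the top of the file.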
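Review bot: in the `struct gcry_mac_handle` hunk the new `imit` member embeds a whole GOST28147_context (key schedule and S-box pointer) by value, whereas the existing union member shown beside it, `poly1305mac`, holds a pointer that open() allocates and close() frees; embedding grows every MAC handle by the size of the GOST context and keeps the key material inside the handle itself, so consider the pointer pattern instead (gost_imit_open and gost_imit_close are currently a memset and a no-op, so the change is contained). The `lastiv[8]` field is really the partial-block buffer, not an IV, and a name such as `buf` with the comment kept would read better.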
@@ -219,6 +227,9 @@ extern gcry_mac_spec_t _gcry_mac_type_spec_cmac_idea; #if USE_GOST28147 extern gcry_mac_spec_t _gcry_mac_type_spec_cmac_gost28147; #endif +#if USE_GOST28147 +extern gcry_mac_spec_t _gcry_mac_type_spec_gost28147_imit; +#endif /* * The GMAC algorithm specifications (mac-gmac.c). diff --git a/cipher/mac.c b/cipher/mac.c index 1bc1aa985c93..0abc0d33bfbc 100644 --- a/cipher/mac.c +++ b/cipher/mac.c @@ -127,6 +127,7 @@ static gcry_mac_spec_t * const mac_list[] = { #endif #if USE_GOST28147 &_gcry_mac_type_spec_cmac_gost28147, + &_gcry_mac_type_spec_gost28147_imit, #endif &_gcry_mac_type_spec_poly1305mac, NULL, @@ -403,6 +404,10 @@ spec_from_algo (int algo) spec = mac_list_algo401[algo - 401]; else if (algo >= 501 && algo < 501 + DIM(mac_list_algo501)) spec = mac_list_algo501[algo - 501]; +#ifdef USE_GOST28147 + else if (algo == GCRY_MAC_GOST28147_IMIT) + spec = &_gcry_mac_type_spec_gost28147_imit; +#endif if (spec) gcry_assert (spec->algo == algo); diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index 375a40e2acaa..bc96ba40aeea 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in @@ -1440,6 +1440,7 @@ typedef struct gcry_mac_handle *gcry_mac_hd_t; enum gcry_mac_algos { GCRY_MAC_NONE = 0, + GCRY_MAC_GOST28147_IMIT = 1, GCRY_MAC_HMAC_SHA256 = 101, GCRY_MAC_HMAC_SHA224 = 102, diff --git a/tests/basic.c b/tests/basic.c index 3a7d667602df..2dee1beef043 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -12862,6 +12862,13 @@ check_mac (void) "\x9d\xeb\xb0\xcd\x24\x90\xd3\x9b\x47\x78\x37\x0a\x81\xf2\x83\x2a", "\x61\xee\x09\x21\x8d\x29\xb0\xaa\xed\x7e\x15\x4a\x2c\x55\x09\xcc", 0, 32 }, + { GCRY_MAC_GOST28147_IMIT, + "\xb5\xa1\xf0\xe3\xce\x2f\x02\x1d\x67\x61\x94\x34\x5c\x41\xe3\x6e", + "\x9d\x05\xb7\x9e\x90\xca\xd0\x0a\x2c\xda\xd2\x2e\xf4\xe8\x6f\x5c" + "\xf5\xdc\x37\x68\x19\x85\xb3\xbf\xaa\x18\xc1\xc3\x05\x0a\x91\xa2", + "\xf8\x1f\x08\xa3", + NULL, + 16, 32 }, { 0 }, }; int i; -- 2.25.1 From dbaryshkov at gmail.com Sat Mar 21 20:33:50 2020 
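Review bot: the `@@ -219,6 +227,9 @@` hunk in mac-internal.h adds a second `#if USE_GOST28147` block directly after the existing one that declares `_gcry_mac_type_spec_cmac_gost28147`; fold the new extern into that existing block instead of duplicating the guard.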
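Review bot: in spec_from_algo the new branch is guarded with `#ifdef USE_GOST28147` while the mac_list hunk in the same file and mac-internal.h use `#if USE_GOST28147`; use `#if` for consistency. The special case is needed because the value chosen for GCRY_MAC_GOST28147_IMIT lies outside the ranges the tables are indexed by (101, 401 and 501 in the visible code); if that is intentional, a short comment next to the branch will stop a later cleanup from removing it.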
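Review bot: `GCRY_MAC_GOST28147_IMIT = 1` in gcrypt.h.in becomes public ABI once released, and none of the existing families visible in this series (HMAC from 101, GMAC from 401, POLY1305 from 501) uses a value below 100; either document this as a standalone GOST family or pick a fresh range so that spec_from_algo can index a table like the others do. Whichever is chosen, gcrypt.texi's MAC algorithm list should gain an entry for the new identifier, since the series touches no documentation.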
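Review bot: the single check_mac vector in tests/basic.c (16-byte message, 32-byte key, 4-byte tag, NULL IV) exercises only the whole-block path of gost_imit_write; add vectors whose length is not a multiple of 8 (the `lastiv` buffering and the zero fill in gost_imit_finish), a message of exactly one block (the `count == 1` extra zero block), an 8-byte tag, and one that sets the IV through setiv and the S-box through GCRYCTL_SET_SBOX, and cite the source of each vector so a reviewer can check it independently.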
From: dbaryshkov at gmail.com (dbaryshkov at gmail.com) Date: Sat, 21 Mar 2020 22:33:50 +0300 Subject: [PATCH 1/2] mac: add support for gcry_mac_ctl(GCRYCTL_SET_SBOX) In-Reply-To: <20200321193351.39935-1-dbaryshkov@gmail.com> References: <20200321193351.39935-1-dbaryshkov@gmail.com> Message-ID: <20200321193351.39935-2-dbaryshkov@gmail.com> From: Dmitry Baryshkov * cipher/mac-internal.h (gcry_mac_spec_ops_t): add set_extra_info field for providing additional settings. * cipher/mac.c (_gcry_mac_ctl): support GCRYCTL_SET_SBOX call. * cipher/mac-cmac.c (cmac_ops): set set_extra_info to NULL. * cipher/mac-gmac.c (gmac_ops): the same. * cipher/mac-hmac.c (hmac_ops): the same. * cipher/mac-poly1305.c (poly1305mac_ops): the same. -- New MAC GOST28147-IMIT needs info about S-Box to be used. This info can be passed via a call to gcry_mac_ctl(GCRYCTL_SET_SBOX, ...). Signed-off-by: Dmitry Baryshkov --- cipher/mac-cmac.c | 3 ++- cipher/mac-gmac.c | 3 ++- cipher/mac-hmac.c | 3 ++- cipher/mac-internal.h | 4 ++++ cipher/mac-poly1305.c | 3 ++- cipher/mac.c | 7 +++++++ 6 files changed, 19 insertions(+), 4 deletions(-) diff --git a/cipher/mac-cmac.c b/cipher/mac-cmac.c index e42a764de592..aee5bb63d05f 100644 --- a/cipher/mac-cmac.c +++ b/cipher/mac-cmac.c @@ -154,7 +154,8 @@ static gcry_mac_spec_ops_t cmac_ops = { cmac_read, cmac_verify, cmac_get_maclen, - cmac_get_keylen + cmac_get_keylen, + NULL }; diff --git a/cipher/mac-gmac.c b/cipher/mac-gmac.c index 9bc86d970e6e..aa78c7e37d4d 100644 --- a/cipher/mac-gmac.c +++ b/cipher/mac-gmac.c @@ -149,7 +149,8 @@ static gcry_mac_spec_ops_t gmac_ops = { gmac_read, gmac_verify, gmac_get_maclen, - gmac_get_keylen + gmac_get_keylen, + NULL }; diff --git a/cipher/mac-hmac.c b/cipher/mac-hmac.c index e488d03aa317..d0cc5775bb08 100644 --- a/cipher/mac-hmac.c +++ b/cipher/mac-hmac.c @@ -233,7 +233,8 @@ static const gcry_mac_spec_ops_t hmac_ops = { hmac_read, hmac_verify, hmac_get_maclen, - hmac_get_keylen + hmac_get_keylen, + NULL }; 
diff --git a/cipher/mac-internal.h b/cipher/mac-internal.h index 03f5b8da8f4c..15b4dfc2c5de 100644 --- a/cipher/mac-internal.h +++ b/cipher/mac-internal.h @@ -63,6 +63,9 @@ typedef gcry_err_code_t (*gcry_mac_verify_func_t)(gcry_mac_hd_t h, typedef unsigned int (*gcry_mac_get_maclen_func_t)(int algo); typedef unsigned int (*gcry_mac_get_keylen_func_t)(int algo); +/* The type used to convey additional information to a MAC. */ +typedef gpg_err_code_t (*gcry_mac_set_extra_info_t) + (gcry_mac_hd_t h, int what, const void *buffer, size_t buflen); typedef struct gcry_mac_spec_ops { @@ -76,6 +79,7 @@ typedef struct gcry_mac_spec_ops gcry_mac_verify_func_t verify; gcry_mac_get_maclen_func_t get_maclen; gcry_mac_get_keylen_func_t get_keylen; + gcry_mac_set_extra_info_t set_extra_info; } gcry_mac_spec_ops_t; diff --git a/cipher/mac-poly1305.c b/cipher/mac-poly1305.c index b80f87db3676..39ba790f8eee 100644 --- a/cipher/mac-poly1305.c +++ b/cipher/mac-poly1305.c @@ -322,7 +322,8 @@ static gcry_mac_spec_ops_t poly1305mac_ops = { poly1305mac_read, poly1305mac_verify, poly1305mac_get_maclen, - poly1305mac_get_keylen + poly1305mac_get_keylen, + NULL }; diff --git a/cipher/mac.c b/cipher/mac.c index 0bbac3e414e4..1bc1aa985c93 100644 --- a/cipher/mac.c +++ b/cipher/mac.c @@ -708,6 +708,13 @@ _gcry_mac_ctl (gcry_mac_hd_t hd, int cmd, void *buffer, size_t buflen) case GCRYCTL_RESET: rc = mac_reset (hd); break; + case GCRYCTL_SET_SBOX: + if (hd->spec->ops->set_extra_info) + rc = hd->spec->ops->set_extra_info + (hd, GCRYCTL_SET_SBOX, buffer, buflen); + else + rc = GPG_ERR_NOT_SUPPORTED; + break; default: rc = GPG_ERR_INV_OP; } -- 2.25.1
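Review bot: style point on the mac-internal.h hunk: the new typedef `gcry_mac_set_extra_info_t` breaks the `_func_t` naming of the surrounding function-pointer typedefs (`gcry_mac_get_maclen_func_t`, `gcry_mac_get_keylen_func_t`); rename it `gcry_mac_set_extra_info_func_t`. Appending the member at the end of gcry_mac_spec_ops_t is the right choice, since the positional initializers in mac-cmac.c, mac-gmac.c, mac-hmac.c and mac-poly1305.c then only need the trailing `NULL` this series adds.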
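Review bot: in the _gcry_mac_ctl hunk, returning GPG_ERR_NOT_SUPPORTED when `set_extra_info` is NULL correctly distinguishes "known command, wrong algorithm" from the GPG_ERR_INV_OP default, and passing the `void *buffer` into the `const void *` parameter is fine; what is missing is documentation: the gcry_mac_ctl section of gcrypt.texi should list GCRYCTL_SET_SBOX, say which MAC honours it and what `buffer` and `buflen` must contain, as the commit message only says the S-box "info can be passed" this way.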