Niels Möller | 20 Jun 07:30 2016

Using mpz_powm_sec

I'm considering the below patch, making use of the side-channel silent
mpz_powm_sec function. The idea is to make the RSA and DSA code less
vulnerable to side-channel attacks.

Exponentiation routines typically build a small table of powers at run
time, and then look up exponent bits in the table, a few bits at the
time. This table lookup may leak information about the exponent bits
(which in the case of RSA and DSA are secret) to an attacker running
other processes on the same physical machine.

mpz_powm_sec uses a slower table-lookup function, which for each lookup
does a sequential read of the entire table. Some caveats:

* The CRT code used for RSA signing uses other functions which may leak,
  in particular division functions with branches depending on secret
  data.

* Since we still use the mpz interface rather than the mpn interface in
  gmp, the exponents use a normalized size field (so top limb is
  non-zero). This might still leak information about the top exponent
  bits.

* The patch drops support for GMP versions older than GMP-5.0, released
  in 2010.

* Mini-gmp builds don't try to be side-channel silent, they will use
  a #define mpz_powm_sec mpz_powm.

* I haven't yet had time to do proper benchmarks. Signing should get a
  bit slower, but I don't know how much.
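The two table-lookup strategies the post contrasts, as an added example that is not Nettle or GMP code: a plain indexed read beside a sequential scan over the whole table with a branch-free select mask. The 4-bit window, the 4-limb entries and the table contents are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define LIMBS 4        /* limbs per table entry (a 256-bit value) */
#define TABLE_SIZE 16  /* 2^4 entries: one 4-bit window of the exponent */

typedef uint64_t limb_t;

/* Plain lookup: touches only the selected entry, so the cache lines it
   pulls in reveal idx, i.e. the exponent window being processed. */
void table_lookup_leaky(limb_t *out, const limb_t *table, unsigned idx)
{
    memcpy(out, table + idx * LIMBS, sizeof(limb_t) * LIMBS);
}

/* Sequential lookup in the style the post attributes to mpz_powm_sec:
   read every entry and keep the wanted one with an all-ones/all-zeros
   mask, so the memory access pattern does not depend on idx. */
void table_lookup_sec(limb_t *out, const limb_t *table, unsigned idx)
{
    unsigned i, j;
    memset(out, 0, sizeof(limb_t) * LIMBS);
    for (i = 0; i < TABLE_SIZE; i++) {
        /* d == 0 only when i == idx; (d - 1) >> 63 is then 1, else 0,
           and negating that bit gives the mask without a branch. */
        limb_t d = (limb_t)(i ^ idx);
        limb_t mask = (limb_t)0 - ((d - 1) >> (8 * sizeof(limb_t) - 1));
        for (j = 0; j < LIMBS; j++)
            out[j] |= table[i * LIMBS + j] & mask;
    }
}

/* Self-check on constructed table contents: both lookups must return the
   same entry for every index.  Returns 1 on success, 0 on a mismatch. */
int lookups_agree(void)
{
    limb_t table[TABLE_SIZE * LIMBS], a[LIMBS], b[LIMBS];
    unsigned i, j;
    for (i = 0; i < TABLE_SIZE; i++)
        for (j = 0; j < LIMBS; j++)
            table[i * LIMBS + j] = 0x0123456789abcdefULL * (i + 1) + j;
    for (i = 0; i < TABLE_SIZE; i++) {
        table_lookup_leaky(a, table, i);
        table_lookup_sec(b, table, i);
        if (memcmp(a, b, sizeof a) != 0)
            return 0;
    }
    return 1;
}
```

The sequential variant costs TABLE_SIZE reads per lookup instead of one, which is the slowdown the post expects for signing.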

Aaron Boxer | 25 May 20:46 2016

Porting openssl code to nettle

Hello!

I am porting some openssl code to nettle. It involves working with SHA1
keys. What would people recommend as a guide to doing this port? I know
very little about cryptography.

The code can be found here:

https://github.com/GrokImageCompression/asdcplib/blob/master/src/KM_prng.cpp

Thanks so much,
Aaron
_______________________________________________
nettle-bugs mailing list
nettle-bugs <at> lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
Niels Möller | 25 Apr 21:43 2016

Curve25519 and RFC 7748

Hi,

Nikos pointed out to me that there's a slight difference between
curve25519 as implemented by Nettle and the spec in RFC 7748.

As far as I see, the difference is that RFC 7748 says that bit 255 of an
encoded x coordinate is ignored. Or more precisely, the high bit of the
31st octet in the x input string is cleared before conversion into an
integer. While nettle's curve25519_mul includes it in the computation,
with the usual wrap-around, 2^255 = 19 (mod p). I don't see any
difference in handling scalars. Do you agree?

So I'm considering this change,

diff --git a/curve25519-mul.c b/curve25519-mul.c
index adb20cb..f5127d7 100644
--- a/curve25519-mul.c
+++ b/curve25519-mul.c
 <at>  <at>  -72,7 +72,11  <at>  <at>  curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
   itch = ecc->p.size * 12;
   scratch = gmp_alloc_limbs (itch);

+  /* Note that 255 % GMP_NUMB_BITS == 0 isn't supported, so x1 always
+     holds at least 256 bits. */
   mpn_set_base256_le (x1, ecc->p.size, p, CURVE25519_SIZE);
+  /* Clear bit 255, as required by RFC 7748. */
+  x1[255/GMP_NUMB_BITS] &= ~((mp_limb_t) 1 << (255 % GMP_NUMB_BITS));

   /* Initialize, x2 = x1, z2 = 1 */
   mpn_copyi (x2, x1, ecc->p.size);
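Review bot: the new `x1[255/GMP_NUMB_BITS] &= ~((mp_limb_t) 1 << (255 % GMP_NUMB_BITS));` line depends on a precondition that is stated only in the comment above it (x1 holds at least 256 bits, so limb index 255/GMP_NUMB_BITS lies within ecc->p.size limbs); consider backing that comment with an assert on ecc->p.size, and wording it as "a limb size that divides 255 isn't supported" rather than "255 % GMP_NUMB_BITS == 0 isn't supported", which reads as a condition on the remainder. The hunk also has no accompanying test: a testsuite case whose input has the high bit of the 31st octet set, expected to give the same result as the same input with that bit cleared, would pin down the RFC 7748 behaviour this change introduces.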

Nikos Mavrogiannopoulos | 10 Mar 18:10 2016

mini-gmp builds enhancements

The attached patches fix compilation issues with mini-gmp, add a gitlab
build rule, and prevent the symbols defined in gmp-glue.h from being
exported into nettle's ABI.

The latter was to avoid abidiff differences to hogweed's ABI when built
with different gmp versions. For that I renamed the gmp-glue _nettle_*
symbols to _inettle_*.

regards,
Nikos
Nikos Mavrogiannopoulos | 29 Feb 13:29 2016

patch to use gitlab runners with libasan and libubsan

Hello,
 I've now completed enabling the undefined sanitizer for gnutls, and it
may be a good idea to use it for nettle too.  The following patch
enables running the test suite of nettle under libasan (to detect any
invalid memory accesses/writes), and the undefined sanitizer.

I've run a test build, and the libasan build succeeds but the libubsan
builds fail:
https://gitlab.com/gnutls/nettle/builds/773956

Its complaints are not that critical for the targeted platforms but it
may be nice not to rely on undefined behavior.

regards,
Nikos
Nikos Mavrogiannopoulos | 18 Feb 11:06 2016

dll file names

Hello,
 The attached patch corrects the name used for the windows dlls. With
the current naming, it is not possible to update an existing version
of nettle by dropping the new files in place and the patch fixes that.

regards,
Nikos
Hanno Böck | 13 Feb 11:13 2016

abort / assert issues in sexp-conv

Hi,

I did a quick fuzzing test of the command line tools coming with nettle.

echo "]"|sexp-conv
will cause an abort call and
echo "{MiM}"|sexp-conv
causes an assert:
sexp-conv: /var/tmp/portage/dev-libs/nettle-3.2/work/nettle-3.2/tools/input.c:128:
sexp_input_start_coding: Assertion `!input->coding' failed.

Not sure how relevant these tools are, but usually abort/assert calls
are debugging tools for situations in a software that should never
happen on normal operations.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...
GPG: BBB51E42
Nikos Mavrogiannopoulos | 9 Feb 14:31 2016

backporting ecc patches

Hello Niels,
 Do you plan a backport of the carry propagation fix in secp384 [0] for
nettle 2.7.1? My limited understanding is that the 3.2 assembly file
wouldn't work out of the box in 2.7 due to the change from ecc_curve to
ecc_modulus.

The fix for the secp256r1 issue [1] looks quite trivial to backport if
p->m is replaced by ecc->p. Is my understanding correct?

regards,
Nikos

[0]. https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7

[1]. https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d

Girish Kumar | 7 Feb 16:19 2016

cross compiling nettle-3.2 for armv7 on linux

Hi All,

I am cross compiling nettle-3.2 for armv7 on linux. But I am getting the following error.
Could you please help me with this?

nettle_deps = $(shell find $(LTOP)/nettle-3.2 -type f)
$(OBJS)/nettle/nettle.configured: $(nettle_deps)
	@rm -rf $(OBJS)/nettle;
	@mkdir -p $(OBJS)/nettle;
	@cd $(OBJS)/nettle;\
	declare -x PATH=$(CCPATH):$(PATH);\
	declare -x ac_cv_func_malloc_0_nonnull="yes";\
	declare -x ac_cv_func_realloc_0_nonnull="yes";\
	declare -x CFLAGS="$(PLATFORM_CFLAGS) ";\
	declare -x LDFLAGS="$(PLATFORM_LDFLAGS) -L$(CROSSLIBS) -L$(BUILT_LIBS)";\
	declare -x CPPFLAGS="$(PLATFORM_CPPFLAGS) -I$(CROSSINCS) -I$(BUILT_INCLUDES) ";\
	$(LTOP)/nettle-3.2/configure --prefix=$(BUILT_BASE) --host=$(CCPREFIX) --disable-static &> $(OBJS)/nettle/configure.out
	@touch $(OBJS)/nettle/nettle.configured

$(RAMDISK_LIB)/nettle.so: $(OBJS)/nettle/nettle.configured
	@cd $(OBJS)/nettle;\
	declare -x HOSTCC=`which gcc`;\
	declare -x PATH=$(CCPATH):$(PATH);\
	declare -x CFLAGS="$(PLATFORM_CFLAGS) ";\
	declare -x LDFLAGS="$(PLATFORM_LDFLAGS) -L$(CROSSLIBS) -L$(BUILT_LIBS)";\
	declare -x CPPFLAGS="$(PLATFORM_CPPFLAGS) -I$(CROSSINCS) -I$(BUILT_INCLUDES) ";\
	$(MAKE) &> $(OBJS)/nettle/make.out;\
	$(MAKE) install &> $(OBJS)/nettle/install.out
checking build system compiler gcc... no
checking build system compiler cc... no

Niels Möller | 28 Jan 21:30 2016

ANNOUNCE: Nettle-3.2

I'm happy to announce a new release of GNU Nettle, a low-level
cryptographic library. This is mainly a bug fix release, with few new
features.

The Nettle home page can be found at
https://www.lysator.liu.se/~nisse/nettle/, and the manual at
https://www.lysator.liu.se/~nisse/nettle/nettle.html.

NEWS for the Nettle 3.2 release

	Bug fixes:

	* The SHA3 implementation is updated according to the FIPS 202
	  standard. It is not interoperable with earlier versions of
	  Nettle. Thanks to Nikos Mavrogiannopoulos. To easily
	  differentiate at compile time, sha3.h defines the constant
	  NETTLE_SHA3_FIPS202.

	* Fix corner-case carry propagation bugs affecting elliptic
	  curve operations on the curves secp_256r1 and secp_384r1 on
	  certain platforms, including x86_64. Reported by Hanno Böck.

	New features:

	* New functions for RSA private key operations, identified by
	  the "_tr" suffix, with better resistance to side channel
	  attacks and to hardware or software failures which could
	  break the CRT optimization. See the Nettle manual for
	  details. Initial patch by Nikos Mavrogiannopoulos.


Niels Möller | 26 Jan 22:50 2016

Re: nettle-pbkdf2 dumps core when executed with an unknown option

dongsheng zhang <dongsheng.zhang <at> oracle.com> writes:

> Will a newer version of nettle with the fix be released soon please?

Your bug report was very timely, a new release, nettle-3.2, is planned
this week.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.