From e09e579603bf7d05b5160bb9bd53eacea6cff47d Mon Sep 17 00:00:00 2001 From: Matt Braithwaite Date: Thu, 19 May 2016 10:30:52 -0700 Subject: [PATCH] Rename NEWHOPE functions to offer/accept/finish. This is consistent with the new convention in ssl_ecdh.c. Along the way, change newhope_test.c to not iterate 1000 times over each test. Change-Id: I7a500f45b838eba8f6df96957891aa8e880ba089 Reviewed-on: https://boringssl-review.googlesource.com/8012 Reviewed-by: David Benjamin --- crypto/newhope/newhope.c | 46 ++++++++++++------------ crypto/newhope/newhope_test.c | 68 ++++++++++++++++------------------- include/openssl/newhope.h | 55 ++++++++++++++-------------- tool/speed.cc | 19 +++++----- 4 files changed, 91 insertions(+), 97 deletions(-) diff --git a/crypto/newhope/newhope.c b/crypto/newhope/newhope.c index 29e189f0..9f0bb6f4 100644 --- a/crypto/newhope/newhope.c +++ b/crypto/newhope/newhope.c @@ -46,14 +46,14 @@ static void decode_rec(const uint8_t *r, NEWHOPE_POLY *c) { } } -void NEWHOPE_keygen(uint8_t *servermsg, NEWHOPE_POLY *sk) { +void NEWHOPE_offer(uint8_t *offermsg, NEWHOPE_POLY *sk) { newhope_poly_getnoise(sk); newhope_poly_ntt(sk); - /* The first part of the server's message is the seed, which compactly encodes + /* The first part of the offer message is the seed, which compactly encodes * a. */ NEWHOPE_POLY a; - uint8_t *seed = &servermsg[POLY_BYTES]; + uint8_t *seed = &offermsg[POLY_BYTES]; RAND_bytes(seed, SEED_LENGTH); newhope_poly_uniform(&a, seed); @@ -61,18 +61,18 @@ void NEWHOPE_keygen(uint8_t *servermsg, NEWHOPE_POLY *sk) { newhope_poly_getnoise(&e); newhope_poly_ntt(&e); - /* The second part of the server's message is the polynomial pk = a*sk+e */ + /* The second part of the offer message is the polynomial pk = a*sk+e */ NEWHOPE_POLY r, pk; newhope_poly_pointwise(&r, sk, &a); newhope_poly_add(&pk, &e, &r); - newhope_poly_tobytes(servermsg, &pk); + newhope_poly_tobytes(offermsg, &pk); } -int NEWHOPE_client_compute_key( - uint8_t key[SHA256_DIGEST_LENGTH], - uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH], - const uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH], size_t msg_len) { - if (msg_len != NEWHOPE_SERVERMSG_LENGTH) { +int NEWHOPE_accept(uint8_t key[SHA256_DIGEST_LENGTH], + uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH], + const uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH], + size_t msg_len) { + if (msg_len != NEWHOPE_OFFERMSG_LENGTH) { return 0; } @@ -80,28 +80,28 @@ int NEWHOPE_client_compute_key( newhope_poly_getnoise(&sp); newhope_poly_ntt(&sp); - /* The first part of the client's message is the polynomial bp=e'+a*s' */ + /* The first part of the accept message is the polynomial bp=e'+a*s' */ { NEWHOPE_POLY ep; newhope_poly_getnoise(&ep); newhope_poly_ntt(&ep); - /* Generate the same |a| as the server, from the server's seed. */ + /* Generate the same |a| as the peer, from the peer's seed. */ NEWHOPE_POLY a; - const uint8_t *seed = &servermsg[POLY_BYTES]; + const uint8_t *seed = &offermsg[POLY_BYTES]; newhope_poly_uniform(&a, seed); NEWHOPE_POLY bp; newhope_poly_pointwise(&bp, &a, &sp); newhope_poly_add(&bp, &bp, &ep); - newhope_poly_tobytes(clientmsg, &bp); + newhope_poly_tobytes(acceptmsg, &bp); } /* v = pk * s' + e'' */ NEWHOPE_POLY v; { NEWHOPE_POLY pk; - newhope_poly_frombytes(&pk, servermsg); + newhope_poly_frombytes(&pk, offermsg); NEWHOPE_POLY epp; newhope_poly_getnoise(&epp); @@ -111,10 +111,10 @@ int NEWHOPE_client_compute_key( newhope_poly_add(&v, &v, &epp); } - /* The second part of the client's message is the reconciliation data derived + /* The second part of the accept message is the reconciliation data derived * from v. */ NEWHOPE_POLY c; - uint8_t *reconciliation = &clientmsg[POLY_BYTES]; + uint8_t *reconciliation = &acceptmsg[POLY_BYTES]; newhope_helprec(&c, &v); encode_rec(&c, reconciliation); @@ -130,21 +130,21 @@ int NEWHOPE_client_compute_key( return 1; } -int NEWHOPE_server_compute_key( - uint8_t key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk, - const uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH], size_t msg_len) { - if (msg_len != NEWHOPE_CLIENTMSG_LENGTH) { +int NEWHOPE_finish(uint8_t key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk, + const uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH], + size_t msg_len) { + if (msg_len != NEWHOPE_ACCEPTMSG_LENGTH) { return 0; } NEWHOPE_POLY bp; - newhope_poly_frombytes(&bp, clientmsg); + newhope_poly_frombytes(&bp, acceptmsg); NEWHOPE_POLY v; newhope_poly_pointwise(&v, sk, &bp); newhope_poly_invntt(&v); NEWHOPE_POLY c; - const uint8_t *reconciliation = &clientmsg[POLY_BYTES]; + const uint8_t *reconciliation = &acceptmsg[POLY_BYTES]; decode_rec(reconciliation, &c); uint8_t k[KEY_LENGTH]; diff --git a/crypto/newhope/newhope_test.c b/crypto/newhope/newhope_test.c index 5d960072..f3e011fb 100644 --- a/crypto/newhope/newhope_test.c +++ b/crypto/newhope/newhope_test.c @@ -22,34 +22,32 @@ #include "internal.h" -#define NTESTS 1000 +#define NTESTS 1 static int test_keys(void) { NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); - uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH]; - uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH]; - uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH]; + uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH]; + uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; + uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; int i; for (i = 0; i < NTESTS; i++) { /* Alice generates a public key */ - NEWHOPE_keygen(servermsg, sk); + NEWHOPE_offer(offermsg, sk); /* Bob derives a secret key and creates a response */ - if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg, - sizeof(servermsg))) { - fprintf(stderr, "ERROR client key exchange failed\n"); + if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) { + fprintf(stderr, "ERROR accept key exchange failed\n"); return 0; } /* Alice uses Bob's response to get her secret key */ - if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg, - sizeof(clientmsg))) { - fprintf(stderr, "ERROR server key exchange failed\n"); + if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) { + fprintf(stderr, "ERROR finish key exchange failed\n"); return 0; } - if (memcmp(server_key, client_key, SHA256_DIGEST_LENGTH) != 0) { + if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) != 0) { fprintf(stderr, "ERROR keys did not agree\n"); return 0; } @@ -61,33 +59,31 @@ static int test_keys(void) { static int test_invalid_sk_a(void) { NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); - uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH]; - uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH]; - uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH]; + uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH]; + uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; + uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; int i; for (i = 0; i < NTESTS; i++) { /* Alice generates a public key */ - NEWHOPE_keygen(servermsg, sk); + NEWHOPE_offer(offermsg, sk); /* Bob derives a secret key and creates a response */ - if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg, - sizeof(servermsg))) { - fprintf(stderr, "ERROR client key exchange failed\n"); + if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) { + fprintf(stderr, "ERROR accept key exchange failed\n"); return 0; } /* Corrupt the secret key */ - NEWHOPE_keygen(servermsg /* not used below */, sk); + NEWHOPE_offer(offermsg /* not used below */, sk); /* Alice uses Bob's response to get her secret key */ - if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg, - sizeof(clientmsg))) { - fprintf(stderr, "ERROR server key exchange failed\n"); + if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) { + fprintf(stderr, "ERROR finish key exchange failed\n"); return 0; } - if (memcmp(server_key, client_key, SHA256_DIGEST_LENGTH) == 0) { + if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) == 0) { fprintf(stderr, "ERROR invalid sk_a\n"); return 0; } @@ -99,34 +95,32 @@ static int test_invalid_sk_a(void) { static int test_invalid_ciphertext(void) { NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); - uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH]; - uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH]; - uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH]; + uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH]; + uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; + uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; int i; for (i = 0; i < 10; i++) { /* Alice generates a public key */ - NEWHOPE_keygen(servermsg, sk); + NEWHOPE_offer(offermsg, sk); /* Bob derives a secret key and creates a response */ - if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg, - sizeof(servermsg))) { - fprintf(stderr, "ERROR client key exchange failed\n"); + if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) { + fprintf(stderr, "ERROR accept key exchange failed\n"); return 0; } /* Change some byte in the "ciphertext" */ - clientmsg[42] ^= 1; + acceptmsg[42] ^= 1; /* Alice uses Bob's response to get her secret key */ - if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg, - sizeof(clientmsg))) { - fprintf(stderr, "ERROR server key exchange failed\n"); + if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) { + fprintf(stderr, "ERROR finish key exchange failed\n"); return 0; } - if (!memcmp(server_key, client_key, SHA256_DIGEST_LENGTH)) { - fprintf(stderr, "ERROR invalid clientmsg\n"); + if (!memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH)) { + fprintf(stderr, "ERROR invalid acceptmsg\n"); return 0; } } diff --git a/include/openssl/newhope.h b/include/openssl/newhope.h index af573bae..48c82fe9 100644 --- a/include/openssl/newhope.h +++ b/include/openssl/newhope.h @@ -38,37 +38,38 @@ OPENSSL_EXPORT NEWHOPE_POLY *NEWHOPE_POLY_new(void); /* NEWHOPE_POLY_free frees |p|. */ OPENSSL_EXPORT void NEWHOPE_POLY_free(NEWHOPE_POLY *p); -/* NEWHOPE_SERVERMSG_LENGTH is the length of the server's message to the - * client. */ -#define NEWHOPE_SERVERMSG_LENGTH (((1024 * 14) / 8) + 32) +/* NEWHOPE_OFFERMSG_LENGTH is the length of the offering party's message to the + * accepting party. */ +#define NEWHOPE_OFFERMSG_LENGTH (((1024 * 14) / 8) + 32) -/* NEWHOPE_CLIENTMSG_LENGTH is the length of the client's message to the - * server. */ -#define NEWHOPE_CLIENTMSG_LENGTH (((1024 * 14) / 8) + 1024 / 4) +/* NEWHOPE_ACCEPTMSG_LENGTH is the length of the accepting party's message to + * the offering party. */ +#define NEWHOPE_ACCEPTMSG_LENGTH (((1024 * 14) / 8) + 1024 / 4) -/* NEWHOPE_keygen initializes |out_msg| and |out_sk| for a new key - * exchange. |msg| must have room for |NEWHOPE_SERVERMSG_LENGTH| bytes. Neither +/* NEWHOPE_offer initializes |out_msg| and |out_sk| for a new key + * exchange. |msg| must have room for |NEWHOPE_OFFERMSG_LENGTH| bytes. Neither * output may be cached. */ -OPENSSL_EXPORT void NEWHOPE_keygen(uint8_t out_msg[NEWHOPE_SERVERMSG_LENGTH], - NEWHOPE_POLY *out_sk); - -/* NEWHOPE_server_compute_key completes a key exchange given a client message - * |msg| and the previously generated server secret |sk|. The result of the - * key exchange is written to |out_key|, which must have space for +OPENSSL_EXPORT void NEWHOPE_offer(uint8_t out_msg[NEWHOPE_OFFERMSG_LENGTH], + NEWHOPE_POLY *out_sk); + +/* NEWHOPE_accept completes a key exchange given an offer message |msg|. The + * result of the key exchange is written to |out_key|, which must have space for + * |SHA256_DIGEST_LENGTH| bytes. The message to be send to the offering party is + * written to |out_msg|, which must have room for |NEWHOPE_ACCEPTMSG_LENGTH| + * bytes. Returns 1 on success and 0 on error. */ +OPENSSL_EXPORT int NEWHOPE_accept(uint8_t out_key[SHA256_DIGEST_LENGTH], + uint8_t out_msg[NEWHOPE_ACCEPTMSG_LENGTH], + const uint8_t msg[NEWHOPE_OFFERMSG_LENGTH], + size_t msg_len); + +/* NEWHOPE_finish completes a key exchange for the offering party, given an + * accept message |msg| and the previously generated secret |sk|. The result of + * the key exchange is written to |out_key|, which must have space for * |SHA256_DIGEST_LENGTH| bytes. Returns 1 on success and 0 on error. */ -OPENSSL_EXPORT int NEWHOPE_server_compute_key( - uint8_t out_key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk, - const uint8_t msg[NEWHOPE_CLIENTMSG_LENGTH], size_t msg_len); - -/* NEWHOPE_client_compute_key completes a key exchange given a server message - * |msg|. The result of the key exchange is written to |out_key|, which must - * have space for |SHA256_DIGEST_LENGTH| bytes. The message to be send to the - * client is written to |out_msg|, which must have room for - * |NEWHOPE_CLIENTMSG_LENGTH| bytes. Returns 1 on success and 0 on error. */ -OPENSSL_EXPORT int NEWHOPE_client_compute_key( - uint8_t out_key[SHA256_DIGEST_LENGTH], - uint8_t out_msg[NEWHOPE_CLIENTMSG_LENGTH], - const uint8_t msg[NEWHOPE_SERVERMSG_LENGTH], size_t msg_len); +OPENSSL_EXPORT int NEWHOPE_finish(uint8_t out_key[SHA256_DIGEST_LENGTH], + const NEWHOPE_POLY *sk, + const uint8_t msg[NEWHOPE_ACCEPTMSG_LENGTH], + size_t msg_len); #if defined(__cplusplus) diff --git a/tool/speed.cc b/tool/speed.cc index 68d78e2b..58c73829 100644 --- a/tool/speed.cc +++ b/tool/speed.cc @@ -522,15 +522,14 @@ static bool SpeedNewHope(const std::string &selected) { TimeResults results; NEWHOPE_POLY *sk = NEWHOPE_POLY_new(); - uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH]; - RAND_bytes(clientmsg, sizeof(clientmsg)); - - if (!TimeFunction(&results, [sk, &clientmsg]() -> bool { - uint8_t server_key[SHA256_DIGEST_LENGTH]; - uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH]; - NEWHOPE_keygen(servermsg, sk); - if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg, - NEWHOPE_CLIENTMSG_LENGTH)) { + uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; + RAND_bytes(acceptmsg, sizeof(acceptmsg)); + + if (!TimeFunction(&results, [sk, &acceptmsg]() -> bool { + uint8_t key[SHA256_DIGEST_LENGTH]; + uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]; + NEWHOPE_offer(offermsg, sk); + if (!NEWHOPE_finish(key, sk, acceptmsg, NEWHOPE_ACCEPTMSG_LENGTH)) { return false; } return true; @@ -540,7 +539,7 @@ static bool SpeedNewHope(const std::string &selected) { } NEWHOPE_POLY_free(sk); - results.Print("newhope server key exchange"); + results.Print("newhope key exchange"); return true; }