kris
/
boringssl
1
0
複製 0
程式碼 問題管理 0 合併請求 0 版本發佈 0 Wiki Activity
瀏覽代碼

Rename NEWHOPE functions to offer/accept/finish. 

This is consistent with the new convention in ssl_ecdh.c.

Along the way, change newhope_test.c to not iterate 1000 times over each
test.

Change-Id: I7a500f45b838eba8f6df96957891aa8e880ba089
Reviewed-on: https://boringssl-review.googlesource.com/8012
Reviewed-by: David Benjamin <davidben@google.com>
kris/onging/CECPQ3_patch15
Matt Braithwaite 8 年之前
committed by David Benjamin
父節點
1147be052c
當前提交
e09e579603
共有 4 個文件被更改,包括 91 次插入97 次删除
分割檢視
Diff Options
Show Stats Download Patch File Download Diff File
  1. +23
    -23
      crypto/newhope/newhope.c
  2. +31
    -37
      crypto/newhope/newhope_test.c
  3. +28
    -27
      include/openssl/newhope.h
  4. +9
    -10
      tool/speed.cc

+ 23
- 23
crypto/newhope/newhope.c 查看文件

@@ -46,14 +46,14 @@ static void decode_rec(const uint8_t *r, NEWHOPE_POLY *c) {
}
}

void NEWHOPE_keygen(uint8_t *servermsg, NEWHOPE_POLY *sk) {
void NEWHOPE_offer(uint8_t *offermsg, NEWHOPE_POLY *sk) {
newhope_poly_getnoise(sk);
newhope_poly_ntt(sk);

/* The first part of the server's message is the seed, which compactly encodes
/* The first part of the offer message is the seed, which compactly encodes
* a. */
NEWHOPE_POLY a;
uint8_t *seed = &servermsg[POLY_BYTES];
uint8_t *seed = &offermsg[POLY_BYTES];
RAND_bytes(seed, SEED_LENGTH);
newhope_poly_uniform(&a, seed);

@@ -61,18 +61,18 @@ void NEWHOPE_keygen(uint8_t *servermsg, NEWHOPE_POLY *sk) {
newhope_poly_getnoise(&e);
newhope_poly_ntt(&e);

/* The second part of the server's message is the polynomial pk = a*sk+e */
/* The second part of the offer message is the polynomial pk = a*sk+e */
NEWHOPE_POLY r, pk;
newhope_poly_pointwise(&r, sk, &a);
newhope_poly_add(&pk, &e, &r);
newhope_poly_tobytes(servermsg, &pk);
newhope_poly_tobytes(offermsg, &pk);
}

int NEWHOPE_client_compute_key(
uint8_t key[SHA256_DIGEST_LENGTH],
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH],
const uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH], size_t msg_len) {
if (msg_len != NEWHOPE_SERVERMSG_LENGTH) {
int NEWHOPE_accept(uint8_t key[SHA256_DIGEST_LENGTH],
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH],
const uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH],
size_t msg_len) {
if (msg_len != NEWHOPE_OFFERMSG_LENGTH) {
return 0;
}

@@ -80,28 +80,28 @@ int NEWHOPE_client_compute_key(
newhope_poly_getnoise(&sp);
newhope_poly_ntt(&sp);

/* The first part of the client's message is the polynomial bp=e'+a*s' */
/* The first part of the accept message is the polynomial bp=e'+a*s' */
{
NEWHOPE_POLY ep;
newhope_poly_getnoise(&ep);
newhope_poly_ntt(&ep);

/* Generate the same |a| as the server, from the server's seed. */
/* Generate the same |a| as the peer, from the peer's seed. */
NEWHOPE_POLY a;
const uint8_t *seed = &servermsg[POLY_BYTES];
const uint8_t *seed = &offermsg[POLY_BYTES];
newhope_poly_uniform(&a, seed);

NEWHOPE_POLY bp;
newhope_poly_pointwise(&bp, &a, &sp);
newhope_poly_add(&bp, &bp, &ep);
newhope_poly_tobytes(clientmsg, &bp);
newhope_poly_tobytes(acceptmsg, &bp);
}

/* v = pk * s' + e'' */
NEWHOPE_POLY v;
{
NEWHOPE_POLY pk;
newhope_poly_frombytes(&pk, servermsg);
newhope_poly_frombytes(&pk, offermsg);

NEWHOPE_POLY epp;
newhope_poly_getnoise(&epp);
@@ -111,10 +111,10 @@ int NEWHOPE_client_compute_key(
newhope_poly_add(&v, &v, &epp);
}

/* The second part of the client's message is the reconciliation data derived
/* The second part of the accept message is the reconciliation data derived
* from v. */
NEWHOPE_POLY c;
uint8_t *reconciliation = &clientmsg[POLY_BYTES];
uint8_t *reconciliation = &acceptmsg[POLY_BYTES];
newhope_helprec(&c, &v);
encode_rec(&c, reconciliation);

@@ -130,21 +130,21 @@ int NEWHOPE_client_compute_key(
return 1;
}

int NEWHOPE_server_compute_key(
uint8_t key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk,
const uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH], size_t msg_len) {
if (msg_len != NEWHOPE_CLIENTMSG_LENGTH) {
int NEWHOPE_finish(uint8_t key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk,
const uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH],
size_t msg_len) {
if (msg_len != NEWHOPE_ACCEPTMSG_LENGTH) {
return 0;
}
NEWHOPE_POLY bp;
newhope_poly_frombytes(&bp, clientmsg);
newhope_poly_frombytes(&bp, acceptmsg);

NEWHOPE_POLY v;
newhope_poly_pointwise(&v, sk, &bp);
newhope_poly_invntt(&v);

NEWHOPE_POLY c;
const uint8_t *reconciliation = &clientmsg[POLY_BYTES];
const uint8_t *reconciliation = &acceptmsg[POLY_BYTES];
decode_rec(reconciliation, &c);

uint8_t k[KEY_LENGTH];


+ 31
- 37
crypto/newhope/newhope_test.c 查看文件

@@ -22,34 +22,32 @@
#include "internal.h"


#define NTESTS 1000
#define NTESTS 1

static int test_keys(void) {
NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH];
uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH];
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH];
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
int i;

for (i = 0; i < NTESTS; i++) {
/* Alice generates a public key */
NEWHOPE_keygen(servermsg, sk);
NEWHOPE_offer(offermsg, sk);

/* Bob derives a secret key and creates a response */
if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg,
sizeof(servermsg))) {
fprintf(stderr, "ERROR client key exchange failed\n");
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
fprintf(stderr, "ERROR accept key exchange failed\n");
return 0;
}

/* Alice uses Bob's response to get her secret key */
if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg,
sizeof(clientmsg))) {
fprintf(stderr, "ERROR server key exchange failed\n");
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
fprintf(stderr, "ERROR finish key exchange failed\n");
return 0;
}

if (memcmp(server_key, client_key, SHA256_DIGEST_LENGTH) != 0) {
if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) != 0) {
fprintf(stderr, "ERROR keys did not agree\n");
return 0;
}
@@ -61,33 +59,31 @@ static int test_keys(void) {

static int test_invalid_sk_a(void) {
NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH];
uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH];
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH];
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
int i;

for (i = 0; i < NTESTS; i++) {
/* Alice generates a public key */
NEWHOPE_keygen(servermsg, sk);
NEWHOPE_offer(offermsg, sk);

/* Bob derives a secret key and creates a response */
if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg,
sizeof(servermsg))) {
fprintf(stderr, "ERROR client key exchange failed\n");
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
fprintf(stderr, "ERROR accept key exchange failed\n");
return 0;
}

/* Corrupt the secret key */
NEWHOPE_keygen(servermsg /* not used below */, sk);
NEWHOPE_offer(offermsg /* not used below */, sk);

/* Alice uses Bob's response to get her secret key */
if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg,
sizeof(clientmsg))) {
fprintf(stderr, "ERROR server key exchange failed\n");
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
fprintf(stderr, "ERROR finish key exchange failed\n");
return 0;
}

if (memcmp(server_key, client_key, SHA256_DIGEST_LENGTH) == 0) {
if (memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH) == 0) {
fprintf(stderr, "ERROR invalid sk_a\n");
return 0;
}
@@ -99,34 +95,32 @@ static int test_invalid_sk_a(void) {

static int test_invalid_ciphertext(void) {
NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
uint8_t server_key[SHA256_DIGEST_LENGTH], client_key[SHA256_DIGEST_LENGTH];
uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH];
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH];
uint8_t offer_key[SHA256_DIGEST_LENGTH], accept_key[SHA256_DIGEST_LENGTH];
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
int i;

for (i = 0; i < 10; i++) {
/* Alice generates a public key */
NEWHOPE_keygen(servermsg, sk);
NEWHOPE_offer(offermsg, sk);

/* Bob derives a secret key and creates a response */
if (!NEWHOPE_client_compute_key(client_key, clientmsg, servermsg,
sizeof(servermsg))) {
fprintf(stderr, "ERROR client key exchange failed\n");
if (!NEWHOPE_accept(accept_key, acceptmsg, offermsg, sizeof(offermsg))) {
fprintf(stderr, "ERROR accept key exchange failed\n");
return 0;
}

/* Change some byte in the "ciphertext" */
clientmsg[42] ^= 1;
acceptmsg[42] ^= 1;

/* Alice uses Bob's response to get her secret key */
if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg,
sizeof(clientmsg))) {
fprintf(stderr, "ERROR server key exchange failed\n");
if (!NEWHOPE_finish(offer_key, sk, acceptmsg, sizeof(acceptmsg))) {
fprintf(stderr, "ERROR finish key exchange failed\n");
return 0;
}

if (!memcmp(server_key, client_key, SHA256_DIGEST_LENGTH)) {
fprintf(stderr, "ERROR invalid clientmsg\n");
if (!memcmp(offer_key, accept_key, SHA256_DIGEST_LENGTH)) {
fprintf(stderr, "ERROR invalid acceptmsg\n");
return 0;
}
}


+ 28
- 27
include/openssl/newhope.h 查看文件

@@ -38,37 +38,38 @@ OPENSSL_EXPORT NEWHOPE_POLY *NEWHOPE_POLY_new(void);
/* NEWHOPE_POLY_free frees |p|. */
OPENSSL_EXPORT void NEWHOPE_POLY_free(NEWHOPE_POLY *p);

/* NEWHOPE_SERVERMSG_LENGTH is the length of the server's message to the
* client. */
#define NEWHOPE_SERVERMSG_LENGTH (((1024 * 14) / 8) + 32)
/* NEWHOPE_OFFERMSG_LENGTH is the length of the offering party's message to the
* accepting party. */
#define NEWHOPE_OFFERMSG_LENGTH (((1024 * 14) / 8) + 32)

/* NEWHOPE_CLIENTMSG_LENGTH is the length of the client's message to the
* server. */
#define NEWHOPE_CLIENTMSG_LENGTH (((1024 * 14) / 8) + 1024 / 4)
/* NEWHOPE_ACCEPTMSG_LENGTH is the length of the accepting party's message to
* the offering party. */
#define NEWHOPE_ACCEPTMSG_LENGTH (((1024 * 14) / 8) + 1024 / 4)

/* NEWHOPE_keygen initializes |out_msg| and |out_sk| for a new key
* exchange. |msg| must have room for |NEWHOPE_SERVERMSG_LENGTH| bytes. Neither
/* NEWHOPE_offer initializes |out_msg| and |out_sk| for a new key
* exchange. |msg| must have room for |NEWHOPE_OFFERMSG_LENGTH| bytes. Neither
* output may be cached. */
OPENSSL_EXPORT void NEWHOPE_keygen(uint8_t out_msg[NEWHOPE_SERVERMSG_LENGTH],
NEWHOPE_POLY *out_sk);

/* NEWHOPE_server_compute_key completes a key exchange given a client message
* |msg| and the previously generated server secret |sk|. The result of the
* key exchange is written to |out_key|, which must have space for
OPENSSL_EXPORT void NEWHOPE_offer(uint8_t out_msg[NEWHOPE_OFFERMSG_LENGTH],
NEWHOPE_POLY *out_sk);

/* NEWHOPE_accept completes a key exchange given an offer message |msg|. The
* result of the key exchange is written to |out_key|, which must have space for
* |SHA256_DIGEST_LENGTH| bytes. The message to be send to the offering party is
* written to |out_msg|, which must have room for |NEWHOPE_ACCEPTMSG_LENGTH|
* bytes. Returns 1 on success and 0 on error. */
OPENSSL_EXPORT int NEWHOPE_accept(uint8_t out_key[SHA256_DIGEST_LENGTH],
uint8_t out_msg[NEWHOPE_ACCEPTMSG_LENGTH],
const uint8_t msg[NEWHOPE_OFFERMSG_LENGTH],
size_t msg_len);

/* NEWHOPE_finish completes a key exchange for the offering party, given an
* accept message |msg| and the previously generated secret |sk|. The result of
* the key exchange is written to |out_key|, which must have space for
* |SHA256_DIGEST_LENGTH| bytes. Returns 1 on success and 0 on error. */
OPENSSL_EXPORT int NEWHOPE_server_compute_key(
uint8_t out_key[SHA256_DIGEST_LENGTH], const NEWHOPE_POLY *sk,
const uint8_t msg[NEWHOPE_CLIENTMSG_LENGTH], size_t msg_len);

/* NEWHOPE_client_compute_key completes a key exchange given a server message
* |msg|. The result of the key exchange is written to |out_key|, which must
* have space for |SHA256_DIGEST_LENGTH| bytes. The message to be send to the
* client is written to |out_msg|, which must have room for
* |NEWHOPE_CLIENTMSG_LENGTH| bytes. Returns 1 on success and 0 on error. */
OPENSSL_EXPORT int NEWHOPE_client_compute_key(
uint8_t out_key[SHA256_DIGEST_LENGTH],
uint8_t out_msg[NEWHOPE_CLIENTMSG_LENGTH],
const uint8_t msg[NEWHOPE_SERVERMSG_LENGTH], size_t msg_len);
OPENSSL_EXPORT int NEWHOPE_finish(uint8_t out_key[SHA256_DIGEST_LENGTH],
const NEWHOPE_POLY *sk,
const uint8_t msg[NEWHOPE_ACCEPTMSG_LENGTH],
size_t msg_len);


#if defined(__cplusplus)


+ 9
- 10
tool/speed.cc 查看文件

@@ -522,15 +522,14 @@ static bool SpeedNewHope(const std::string &selected) {

TimeResults results;
NEWHOPE_POLY *sk = NEWHOPE_POLY_new();
uint8_t clientmsg[NEWHOPE_CLIENTMSG_LENGTH];
RAND_bytes(clientmsg, sizeof(clientmsg));

if (!TimeFunction(&results, [sk, &clientmsg]() -> bool {
uint8_t server_key[SHA256_DIGEST_LENGTH];
uint8_t servermsg[NEWHOPE_SERVERMSG_LENGTH];
NEWHOPE_keygen(servermsg, sk);
if (!NEWHOPE_server_compute_key(server_key, sk, clientmsg,
NEWHOPE_CLIENTMSG_LENGTH)) {
uint8_t acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
RAND_bytes(acceptmsg, sizeof(acceptmsg));

if (!TimeFunction(&results, [sk, &acceptmsg]() -> bool {
uint8_t key[SHA256_DIGEST_LENGTH];
uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
NEWHOPE_offer(offermsg, sk);
if (!NEWHOPE_finish(key, sk, acceptmsg, NEWHOPE_ACCEPTMSG_LENGTH)) {
return false;
}
return true;
@@ -540,7 +539,7 @@ static bool SpeedNewHope(const std::string &selected) {
}

NEWHOPE_POLY_free(sk);
results.Print("newhope server key exchange");
results.Print("newhope key exchange");
return true;
}



Write Preview
Loading…
取消
儲存