From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=DATE_IN_PAST_12_24 autolearn=no autolearn_force=no version=3.4.4 Received: (qmail 24652 invoked from network); 2 Jun 2021 09:28:18 -0000 Received: from 1ess.inri.net (216.126.196.35) by inbox.vuxu.org with ESMTPUTF8; 2 Jun 2021 09:28:18 -0000 Received: from 149.28.13.84 ([149.28.13.84]) by 1ess; Tue Jun 1 15:52:33 -0400 2021 Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit To: 9front@9front.org Date: Tue, 01 Jun 2021 12:51:12 -0700 From: fulton@fulton.software In-Reply-To: <1C4DE32C373501A487F0F5F1AD185B49@felloff.net> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit List-ID: <9front.9front.org> List-Help: X-Glyph: ➈ X-Bullshit: factory property solution Subject: Re: [9front] [PATCH] sha3 but fixed the code style Reply-To: 9front@9front.org Precedence: bulk Quoth cinap_lenrek@felloff.net: > where is sha3_keccakf.c? > > > -.I SHA2_512dlen > +.I SHA2_512dlen, > > why not: > > -.I SHA2_512dlen > +.IR SHA2_512dlen , > > -- > > sha3() leaks DigestDstate. suggested change: > ... > sha3_keccakf(s->bstate); > memmove(digest, s->b, dlen); > if(s->alloced) > free(s); > return nil; > > -- Fixed those issues: diff -r 8582c03efdc9 sys/man/1/sum --- a/sys/man/1/sum Sun May 30 14:30:50 2021 +0200 +++ b/sys/man/1/sum Tue Jun 01 12:50:25 2021 -0700 @@ -19,6 +19,10 @@ [ .B -2 .I bits +] +[ +.B -3 +.I bits ] [ .I file ... ] @@ -82,6 +86,12 @@ 384, and 512. +The +.L 3 +option has the same behavior of +.L 2 +, but instead outputs with +NIST SHA3 secure hash algorithm. .SH SOURCE .B /sys/src/cmd/sum.c .br @@ -92,3 +102,5 @@ .IR cmp (1), .IR wc (1), .IR sechash (2) +.SH BUGS +md5 and SHA-1 are considered broken and should not be used diff -r 8582c03efdc9 sys/man/2/sechash --- a/sys/man/2/sechash Sun May 30 14:30:50 2021 +0200 
+++ b/sys/man/2/sechash Tue Jun 01 12:50:25 2021 -0700 @@ -1,7 +1,7 @@ .TH SECHASH 2 .SH NAME md4, md5, ripemd160, -sha1, sha2_224, sha2_256, sha2_384, sha2_512, +sha1, sha2_224, sha2_256, sha2_384, sha2_512,sha3_224, sha3_256, sha3_384, sha3_512, hmac_x, hmac_md5, hmac_sha1, hmac_sha2_224, hmac_sha2_256, hmac_sha2_384, hmac_sha2_512, poly1305 \- cryptographically secure hashes .SH SYNOPSIS @@ -43,6 +43,16 @@ .Ti DS* sha2_512(uchar *data, ulong dlen, uchar *digest, DS *state) .Ti +DS* sha3(uchar *data, ulong dlen, uchar *digest, int dlen, DS *state) +.Ti +DS* sha3_224(uchar *data, ulong dlen, uchar *digest, DS *state) +.Ti +DS* sha3_256(uchar *data, ulong dlen, uchar *digest, DS *state) +.Ti +DS* sha3_384(uchar *data, ulong dlen, uchar *digest, DS *state) +.Ti +DS* sha3_512(uchar *data, ulong dlen, uchar *digest, DS *state) +.Ti DS* hmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DS *s, DS*(*x)(uchar*, ulong, uchar*, DS*), int xlen) .Ti DS* hmac_md5(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest, DS *state) @@ -78,6 +88,10 @@ .IR sha2_256 , .IR sha2_384 , .IR sha2_512 , +.IR sha3_224 , +.IR sha3_256 , +.IR sha3_384 , +.IR sha3_512 , differ only in the length of the resulting digest and in the security of the hash. .I Sha2_* @@ -107,7 +121,11 @@ .IR SHA2_224dlen , .IR SHA2_256dlen , .IR SHA2_384dlen , -.I SHA2_512dlen +.I SHA2_512dlen , +.IR SHA3_224dlen , +.IR SHA3_256dlen , +.IR SHA3_384dlen , +.I SHA3_512dlen and .I Poly1305dlen define the lengths of the digests. @@ -172,3 +190,5 @@ .TP .B /lib/rfc/rfc2104 HMAC specification +.SH BUGS +md4, md5 and SHA-1 are considered broken and should not be used diff -r 8582c03efdc9 sys/src/cmd/sha1sum.c --- a/sys/src/cmd/sha1sum.c Sun May 30 14:30:50 2021 +0200 +++ b/sys/src/cmd/sha1sum.c Tue Jun 01 12:50:25 2021 -0700 
@@ -23,6 +23,13 @@ 512, SHA2_512dlen, sha2_512, }; +static Sha2 sha3s[] = { /* This naming sucks */ + 224, SHA3_224dlen, sha3_224, + 256, SHA3_256dlen, sha3_256, + 384, SHA3_384dlen, sha3_384, + 512, SHA3_512dlen, sha3_512, +}; + static DigestState* (*shafunc)(uchar *, ulong, uchar *, DigestState *); static int shadlen; @@ -64,7 +71,7 @@ static void usage(void) { - fprint(2, "usage: %s [-2 bits] [file...]\n", argv0); + fprint(2, "usage: %s [-2 bits] [-3 bits] [file...]\n", argv0); exits("usage"); } @@ -87,6 +94,16 @@ shafunc = sha->func; shadlen = sha->dlen; break; + case '3': + bits = atoi(EARGF(usage())); + for (sha = sha3s; sha < sha3s + nelem(sha3s); sha++) + if (sha->bits == bits) + break; + if (sha >= sha3s + nelem(sha2s)) + sysfatal("unknown number of sha3 bits: %d", bits); + shafunc = sha->func; + shadlen = sha->dlen; + break; default: usage(); }ARGEND diff -r 8582c03efdc9 sys/src/libsec/port/sha3.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/sys/src/libsec/port/sha3.c Tue Jun 01 12:50:25 2021 -0700 
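Review bot: The not-found check in the new `case '3':` measures the wrong table: `if (sha >= sha3s + nelem(sha2s))` should read `if (sha >= sha3s + nelem(sha3s))`. It is correct only while both tables hold the same number of entries. If they ever diverge, an unsupported bit count can slip past the check and `sha->func` is read from past the end of `sha3s`, or a supported one is rejected. The enclosing ARGBEGIN block starts outside the hunk.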
@@ -0,0 +1,57 @@ +#include +#include +#include + +DigestState* +sha3(uchar *p, ulong len, uchar *digest, int dlen, DigestState* s){ + ulong i; + int j; + if(s == nil) { + s = mallocz(sizeof(*s), 1); + if(s == nil) + return nil; + s->malloced = 1; + s->blen = 200 - 2 * dlen; + } + j = s->pt; + for (i = 0; i < len; i++) { + s->b[j++] ^= p[i]; + if (j >= s->blen) { + sha3_keccakf(s->bstate); + j = 0; + } + } + s->pt = j; + + /* Don't go past this point if we're not writing the digest */ + if(digest == nil) + return s; + s->b[s->pt] ^= 0x06; + s->b[s->blen - 1] ^= 0x80; + sha3_keccakf(s->bstate); + memmove(digest, s->b, dlen); + if(s->malloced) + free(s); + + return s; +} + +DigestState* +sha3_224(uchar *p, ulong len, uchar *digest, SHA3_224state* s){ + return sha3(p, len, digest, 28, s); +} + +DigestState* +sha3_256(uchar *p, ulong len, uchar *digest, SHA3_256state* s){ + return sha3(p, len, digest, 32, s); +} + +DigestState* +sha3_384(uchar *p, ulong len, uchar *digest, SHA3_384state* s){ + return sha3(p, len, digest, 48, s); +} + +DigestState* +sha3_512(uchar *p, ulong len, uchar *digest, SHA3_512state* s){ + return sha3(p, len, digest, 64, s); +} diff -r 8582c03efdc9 sys/src/libsec/port/sha3_keccakf.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/sys/src/libsec/port/sha3_keccakf.c Tue Jun 01 12:50:25 2021 -0700 
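Review bot: At the end of sha3(), `free(s)` is followed by `return s;`, so a caller that let the function allocate the state gets back a freed pointer; the final path should end with `return nil;`, as the quoted review suggested. The rate `s->blen = 200 - 2 * dlen;` is also set only inside the `s == nil` branch, so a caller-supplied zeroed state would run with `blen == 0`: every byte triggers the permutation and `s->b[s->blen - 1] ^= 0x80` indexes before the buffer. Initialising on first use for both paths would cover that, e.g. `if(!s->seeded){ s->blen = 200 - 2*dlen; s->seeded = 1; }`, assuming DigestState still has the `seeded` flag the other libsec hashes use (the libsec.h change is not part of this patch).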
@@ -0,0 +1,69 @@ +#include +#include +#include +#define KECCAKF_ROUNDS 24 +#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) + +void sha3_keccakf(u64int st[25]) +{ + // constants + const u64int keccakf_rndc[24] = { + 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, + 0x8000000080008000, 0x000000000000808b, 0x0000000080000001, + 0x8000000080008081, 0x8000000000008009, 0x000000000000008a, + 0x0000000000000088, 0x0000000080008009, 0x000000008000000a, + 0x000000008000808b, 0x800000000000008b, 0x8000000000008089, + 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, + 0x000000000000800a, 0x800000008000000a, 0x8000000080008081, + 0x8000000000008080, 0x0000000080000001, 0x8000000080008008 + }; + const int keccakf_rotc[24] = { + 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, + 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 + }; + const int keccakf_piln[24] = { + 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, + 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 + }; + + /* variables */ + int i, j, r; + u64int t, bc[5]; + + + /* actual iteration */ + for (r = 0; r < KECCAKF_ROUNDS; r++) { + + // Theta + for (i = 0; i < 5; i++) + bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] ^ st[i + 20]; + + for (i = 0; i < 5; i++) { + t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1); + for (j = 0; j < 25; j += 5) + st[j + i] ^= t; + } + + /* Rho Pi */ + t = st[1]; + for (i = 0; i < 24; i++) { + j = keccakf_piln[i]; + bc[0] = st[j]; + st[j] = ROTL64(t, keccakf_rotc[i]); + t = bc[0]; + } + + /* Chi */ + for (j = 0; j < 25; j += 5) { + for (i = 0; i < 5; i++) + bc[i] = st[j + i]; + for (i = 0; i < 5; i++) + st[j + i] ^= (~bc[(i + 1) % 5]) & bc[(i + 2) % 5]; + } + + /* Iota */ + st[0] ^= keccakf_rndc[r]; + } + + +}
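Review bot: The 64-bit round constants in `keccakf_rndc` have no `ULL` suffix, and the Plan 9 compilers may type an unsuffixed constant as a 32-bit int and truncate it (worth confirming), which would silently change every digest. Writing them as `0x800000000000808aULL` and so on, matching the suffixed constants used elsewhere in libsec, removes the doubt. The three tables could also be `static const` so they are not rebuilt on the stack on every call. Separately, the permutation works on native `u64int` lanes while sha3() absorbs bytes through `s->b`; if those alias the same storage (the declaration is not in this patch), output is only standard-conformant on little-endian machines. A known-answer test against the published SHA-3 vectors on each supported architecture would catch both problems.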