libgcrypt.git
NIIBE Yutaka [Tue, 16 Oct 2018 05:46:55 +0000 (14:46 +0900)]
build: Let configure create the VERSION file.

* autogen.sh: Update from libgpg-error.
* configure.ac: Use mym4_version to create VERSION file.
* Makefile.am (dist-hook): Do not create VERSION file.
(EXTRA_DIST): Add VERSION.

--

GnuPG-bug-id: 3283
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Jussi Kivilinna [Sat, 21 Jul 2018 08:56:46 +0000 (11:56 +0300)]
Add size optimized cipher block copy and xor functions

* cipher/bufhelp.h (buf_get_he32, buf_put_he32, buf_get_he64)
(buf_put_he64): New.
* cipher/cipher-internal.h (cipher_block_cpy, cipher_block_xor)
(cipher_block_xor_1, cipher_block_xor_2dst, cipher_block_xor_n_copy_2)
(cipher_block_xor_n_copy): New.
* cipher/cipher-gcm-intel-pclmul.c
(_gcry_ghash_setup_intel_pclmul): Use assembly for swapping endianness
instead of buf_get_be64 and buf_cpy.
* cipher/blowfish.c: Use new cipher_block_* functions for cipher block
sized buf_cpy/xor* operations.
* cipher/camellia-glue.c: Ditto.
* cipher/cast5.c: Ditto.
* cipher/cipher-aeswrap.c: Ditto.
* cipher/cipher-cbc.c: Ditto.
* cipher/cipher-ccm.c: Ditto.
* cipher/cipher-cfb.c: Ditto.
* cipher/cipher-cmac.c: Ditto.
* cipher/cipher-ctr.c: Ditto.
* cipher/cipher-eax.c: Ditto.
* cipher/cipher-gcm.c: Ditto.
* cipher/cipher-ocb.c: Ditto.
* cipher/cipher-ofb.c: Ditto.
* cipher/cipher-xts.c: Ditto.
* cipher/des.c: Ditto.
* cipher/rijndael.c: Ditto.
* cipher/serpent.c: Ditto.
* cipher/twofish.c: Ditto.
--

This commit adds size-optimized functions for copying and xoring
cipher block sized buffers. These functions also allow GCC to use
inline auto-vectorization for block cipher copying and xoring on
higher optimization levels.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
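Added illustration, not code from the libgcrypt commit above: host-endian 64-bit loads and stores built on memcpy, and a block XOR written as word operations so that the compiler can emit single moves or vector instructions. The names buf_get_he64, buf_put_he64, cipher_block_xor and cipher_block_xor_1 follow the commit's ChangeLog; their bodies and the self-test data are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Host-endian ("he") 64-bit load and store via memcpy: well defined for
   unaligned pointers, and compilers reduce each to a single move. XOR and
   copy do not care about byte order, so no swap is needed. */
static inline uint64_t buf_get_he64(const void *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static inline void buf_put_he64(void *p, uint64_t v) { memcpy(p, &v, 8); }

/* dst = src1 ^ src2 for one cipher block of 8 or 16 bytes, as one or two
   word operations instead of a byte loop. */
static inline void cipher_block_xor(void *dst, const void *src1, const void *src2,
                                    size_t blocksize)
{
    uint8_t *d = dst;
    const uint8_t *s1 = src1, *s2 = src2;
    buf_put_he64(d, buf_get_he64(s1) ^ buf_get_he64(s2));
    if (blocksize == 16)
        buf_put_he64(d + 8, buf_get_he64(s1 + 8) ^ buf_get_he64(s2 + 8));
}

/* dst ^= src, the in-place form a CBC decrypt or CTR loop needs. */
static inline void cipher_block_xor_1(void *dst, const void *src, size_t blocksize)
{
    cipher_block_xor(dst, dst, src, blocksize);
}

/* Self-test on constructed inputs: XOR a keystream block of 0xff bytes into
   16 data bytes and back again, then return the byte sum of the result. */
static unsigned int xor_selftest(void)
{
    uint8_t data[16], ks[16], out[16];
    unsigned int sum = 0;
    for (int i = 0; i < 16; i++) {
        data[i] = (uint8_t)i;
        ks[i] = 0xff;
    }
    cipher_block_xor(out, data, ks, 16);   /* out[i] = ~i */
    cipher_block_xor_1(out, ks, 16);       /* back to out[i] = i */
    for (int i = 0; i < 16; i++)
        sum += out[i];
    return sum;                             /* 0 + 1 + ... + 15 = 120 */
}
```

The memcpy form is the portable way to express the load: a cast to `uint64_t *` would be undefined for unaligned input and violates strict aliasing, while memcpy of a constant size compiles to the same single instruction.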
NIIBE Yutaka [Wed, 4 Jul 2018 05:09:38 +0000 (14:09 +0900)]
RFC-8439 was published.

* cipher/cipher-poly1305.c: Update RFC reference.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Jussi Kivilinna [Tue, 19 Jun 2018 19:10:49 +0000 (22:10 +0300)]
Clean-up implementation selection for SHA1 and SHA2

* cipher/sha1.c (ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
(do_sha1_transform_amd64_ssse3, do_sha1_transform_amd64_avx)
(do_sha1_transform_amd64_avx_bmi2, do_sha1_transform_intel_shaext)
(do_sha1_transform_armv7_neon, do_sha1_transform_armv8_ce): New.
(transform_blk, transform): Merge to ...
(do_transform_generic): ... this and remove calls to assembly
implementations.
(sha1_init): Select hd->bctx.bwrite based on HW features.
(_gcry_sha1_mixblock, sha1_final): Call hd->bctx.bwrite instead of
transform.
* cipher/sha1.h (SHA1_CONTEXT): Remove implementation selection bits.
* cipher/sha256.h (SHA256_CONTEXT): Remove implementation selection
bits.
(ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
(do_sha256_transform_amd64_ssse3, do_sha256_transform_amd64_avx)
(do_sha256_transform_amd64_avx2, do_sha256_transform_intel_shaext)
(do_sha256_transform_armv8_ce): New.
(transform_blk, transform): Merge to ...
(do_transform_generic): ... this and remove calls to assembly
implementations.
(sha256_init, sha224_init): Select hd->bctx.bwrite based on HW
features.
(sha256_final): Call hd->bctx.bwrite instead of transform.
* cipher/sha512-armv7-neon.S
(_gcry_sha512_transform_armv7_neon): Return zero.
* cipher/sha512.h (SHA512_CONTEXT): Remove implementation selection
bits.
(ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
(do_sha512_transform_armv7_neon, do_sha512_transform_amd64_ssse3)
(do_sha512_transform_amd64_avx, do_sha512_transform_amd64_avx2): New.
[USE_ARM_ASM] (do_transform_generic): New.
(transform_blk, transform): Merge to ...
[!USE_ARM_ASM] (do_transform_generic): ... this and remove calls to
assembly implementations.
(sha512_init, sha384_init): Select hd->bctx.bwrite based on HW
features.
(sha512_final): Call hd->bctx.bwrite instead of transform.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Sun, 17 Jun 2018 17:03:28 +0000 (20:03 +0300)]
Add hash_buffer and hash_buffers for SHA-224, SHA-384, SHA3 and BLAKE2

* cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Add hash_buffer and
hash_buffers functions for BLAKE2 variants.
* cipher/keccak.c (_gcry_sha3_hash_buffer, _gcry_sha3_hash_buffers)
(_gcry_sha3_224_hash_buffer, _gcry_sha3_224_hash_buffers)
(_gcry_sha3_256_hash_buffer, _gcry_sha3_256_hash_buffers)
(_gcry_sha3_384_hash_buffer, _gcry_sha3_384_hash_buffers)
(_gcry_sha3_512_hash_buffer, _gcry_sha3_512_hash_buffers): New.
* cipher/sha256.c (_gcry_sha224_hash_buffer)
(_gcry_sha224_hash_buffers): New.
* cipher/sha512.c (_gcry_sha384_hash_buffer)
(_gcry_sha384_hash_buffers): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Add hash_buffer and hash_buffers pointers to message digest spec

* src/cipher-proto.h (gcry_md_hash_buffer_t)
(gcry_md_hash_buffers_t): New.
(gcry_md_spec): Add hash_buffer and hash_buffers.
* cipher/md.c (_gcry_md_hash_buffer, _gcry_md_hash_buffers): Use
hash_buffer/hash_buffers from MD spec instead of hard-coding supported
algorithms.
* cipher/blake2.c: Add NULL to MD spec hash_buffer and hash_buffers
pointers.
* cipher/crc.c: Ditto.
* cipher/gostr3411-94.c: Ditto.
* cipher/keccak.c: Ditto.
* cipher/md2.c: Ditto.
* cipher/md4.c: Ditto.
* cipher/md5.c: Ditto.
* cipher/stribog.c: Ditto.
* cipher/tiger.c: Ditto.
* cipher/whirlpool.c: Ditto.
* cipher/rmd160.c (_gcry_rmd160_hash_buffers): New.
(_gcry_digest_spec_rmd160): Add hash_buffer and hash_buffers functions.
* cipher/sha1.c (_gcry_digest_spec_sha1): Add hash_buffer and
hash_buffers functions.
* cipher/sha256.c (_gcry_digest_spec_sha256): Add hash_buffer and
hash_buffers functions.
(_gcry_digest_spec_sha224): Add NULL pointers for hash_buffer and
hash_buffers.
* cipher/sha512.c (_gcry_digest_spec_sha1): Add hash_buffer and
hash_buffers functions.
(_gcry_digest_spec_sha384): Add NULL pointers for hash_buffer and
hash_buffers.
* cipher/sm3.c (_gcry_digest_spec_sha1): Add hash_buffer and
hash_buffers functions.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
AES: setup cipher object bulk routines with optimized versions

* cipher/rijndael-aesni.c
(_gcry_aes_aesni_prepare_decryption): Rename...
(do_aesni_prepare_decryption): ... to this.
(_gcry_aes_aesni_prepare_decryption): New.
(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
(_gcry_aes_aesni_cbc_dec): Reorder parameters to match bulk
operations.
(_gcry_aes_aesni_cbc_dec, aesni_ocb_dec)
(_gcry_aes_aesni_xts_dec): Check and prepare decryption.
(_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): Change return
type to size_t.
* cipher/rijndael-armv8-ce.c
(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
(_gcry_aes_armv8_ce_cbc_dec): Reorder parameters to match bulk
operations.
(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
(_gcry_aes_armv8_ce_xts_dec): Check and prepare decryption.
(_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_ocb_auth): Change
return type to size_t.
* cipher/rijndael-ssse3-amd64.c
(_gcry_ssse3_prepare_decryption): Rename...
(do_ssse3_prepare_decryption): ... to this.
(_gcry_ssse3_prepare_decryption): New.
(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
(_gcry_aes_ssse3_cbc_dec): Reorder parameters to match bulk
operations.
(_gcry_aes_ssse3_cbc_dec, ssse3_ocb_dec): Check and prepare decryption.
(_gcry_aes_ssse3_ocb_crypt, _gcry_aes_ssse3_ocb_auth): Change return
type to size_t.
* cipher/rijndael.c
(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
(_gcry_aes_aesni_cbc_dec, _gcry_aes_aesni_ocb_crypt)
(_gcry_aes_aesni_ocb_auth, _gcry_aes_aesni_xts_crypt)
(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
(_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_ocb_crypt)
(_gcry_aes_ssse3_ocb_auth, _gcry_aes_ssse3_xts_crypt)
(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
(_gcry_aes_armv8_ce_ocb_auth, _gcry_aes_armv8_ce_xts_crypt): Change
prototypes to match bulk operations.
(do_setkey): Setup bulk operations with optimized implementations.
(_gcry_aes_cfb_enc, _gcry_aes_cbc_enc, _gcry_aes_ctr_enc)
(_gcry_aes_cfb_dec, _gcry_aes_cbc_dec, _gcry_aes_ocb_crypt)
(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Update
usage to match new prototypes, avoid prefetch and decryption
preparation on optimized code paths.
--

Replace the bulk operation functions of the cipher object with faster
versions for reduced per-call overhead.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Pass cipher object pointer to setkey functions

* cipher/cipher.c (cipher_setkey): Pass cipher object pointer to
cipher's setkey function.
* cipher/arcfour.c: Add gcry_cipher_hd_t parameter for setkey
functions and update selftests to pass NULL pointer.
* cipher/blowfish.c: Ditto.
* cipher/camellia-glue.c: Ditto.
* cipher/cast5.c: Ditto.
* cipher/chacha20.c: Ditto.
* cipher/cipher-selftest.c: Ditto.
* cipher/des.c: Ditto.
* cipher/gost28147.c: Ditto.
* cipher/idea.c: Ditto.
* cipher/rfc2268.c: Ditto.
* cipher/rijndael.c: Ditto.
* cipher/salsa20.c: Ditto.
* cipher/seed.c: Ditto.
* cipher/serpent.c: Ditto.
* cipher/twofish.c: Ditto.
* src/cipher-proto.h: Ditto.
--

This allows the setkey function to replace bulk cipher operations
with a faster alternative.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Add fast path for _gcry_fips_is_operational

* src/fips.c (no_fips_mode_required): Rename to...
(_gcry_no_fips_mode_required): ...this and make externally available.
* src/g10lib.h (_gcry_no_fips_mode_required): New extern.
(fips_mode): Inline _gcry_fips_mode to macro, use
_gcry_no_fips_mode_required directly.
(fips_is_operational): Inline fips_mode check from
_gcry_fips_in_operational.
--

Add fast path to reduce call overhead in src/visibility.c where
fips_is_operational is called before cipher/md/etc operations.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Access cipher mode routines through routine pointers

* cipher/cipher-internal.h (gcry_cipher_handle): Add function pointers
for mode operations.
(_gcry_cipher_xts_crypt): Remove.
(_gcry_cipher_xts_encrypt, _gcry_cipher_xts_decrypt): New.
* cipher/cipher-xts.c (_gcry_cipher_xts_encrypt)
(_gcry_cipher_xts_decrypt): New.
* cipher/cipher.c (_gcry_cipher_setup_mode_ops): New.
(_gcry_cipher_open_internal): Setup mode routines.
(cipher_encrypt, cipher_decrypt): Remove.
(do_stream_encrypt, do_stream_decrypt, do_encrypt_none_unknown)
(do_decrypt_none_unknown): New.
(_gcry_cipher_encrypt, _gcry_cipher_decrypt, _gcry_cipher_setiv)
(_gcry_cipher_authenticate, _gcry_cipher_gettag)
(_gcry_cipher_checktag): Adapted to use mode routines through pointers.
--

Change to use mode operations through pointers to reduce per-call
overhead for cipher operations.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Add separate handlers for CBC-CTS variant

* cipher/cipher-cbc.c (cbc_encrypt_inner, cbc_decrypt_inner)
(_gcry_cipher_cbc_cts_encrypt, _gcry_cipher_cbc_cts_decrypt): New.
(_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt): Remove CTS
handling.
* cipher/cipher-internal.h (_gcry_cipher_cbc_cts_encrypt)
(_gcry_cipher_cbc_cts_decrypt): New.
* cipher/cipher.c (cipher_encrypt, cipher_decrypt): Call CBC-CTS
handler if CBC-CTS flag is set.
--

Separate CTS handling into its own function for a small decrease in
CBC per-call overhead.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Avoid division by spec->blocksize in cipher mode handlers

* cipher/cipher-internal.h (_gcry_blocksize_shift): New.
* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
(_gcry_cipher_cbc_decrypt): Use bit-level operations instead of
division to get number of blocks and check input length against
blocksize.
* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
(_gcry_cipher_cfb_decrypt): Ditto.
* cipher/cipher-cmac.c (_gcry_cmac_write): Ditto.
* cipher/cipher-ctr.c (_gcry_cipher_ctr_crypt): Ditto.
* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
(_gcry_cipher_ofb_decrypt): Ditto.
--

Integer division was causing 10 to 20 cycles per call overhead
for cipher modes on x86-64.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
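Added illustration covering the two commits above (separate CBC-CTS handlers, and shift-and-mask instead of division by the block size); it is not libgcrypt's code. A stand-in "block cipher" that XORs with the key keeps the arithmetic checkable by hand, the length test uses a mask derived from log2(blocksize), plain CBC and the ciphertext-stealing variant are separate functions, and the stealing layout is CS3 (last two blocks swapped), which is this example's choice. All names, vectors and expected bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCKSIZE 8   /* 64-bit block, as in Blowfish or DES */

/* Stand-in block cipher for this example only (XOR with the key): no
   security, but the mode arithmetic stays checkable by hand. */
static void toy_encrypt(const uint8_t *key, uint8_t *out, const uint8_t *in)
{
    for (size_t i = 0; i < BLOCKSIZE; i++)
        out[i] = in[i] ^ key[i];
}

/* log2(blocksize) for power-of-two block sizes (8 or 16): computed once so
   the mode code can shift and mask instead of dividing on every call. */
static unsigned int blocksize_shift(size_t blocksize)
{
    unsigned int shift = 0;
    while (((size_t)1 << shift) < blocksize)
        shift++;
    return shift;
}

/* Plain CBC; 'iv' carries the chaining value and is updated.
   Returns 0, or -1 if inlen is not a whole number of blocks. */
static int cbc_encrypt(const uint8_t *key, uint8_t *iv,
                       uint8_t *out, const uint8_t *in, size_t inlen)
{
    unsigned int shift = blocksize_shift(BLOCKSIZE);
    size_t mask = ((size_t)1 << shift) - 1;
    if (inlen & mask)                  /* same test as inlen % BLOCKSIZE */
        return -1;
    for (size_t n = inlen >> shift; n > 0; n--) {   /* inlen / BLOCKSIZE */
        uint8_t tmp[BLOCKSIZE];
        for (size_t i = 0; i < BLOCKSIZE; i++)
            tmp[i] = in[i] ^ iv[i];
        toy_encrypt(key, out, tmp);
        memcpy(iv, out, BLOCKSIZE);
        in += BLOCKSIZE;
        out += BLOCKSIZE;
    }
    return 0;
}

/* CBC with ciphertext stealing, CS3 layout (the last full ciphertext block
   and the truncated final block swap places). Needs inlen > BLOCKSIZE; the
   output is exactly inlen bytes, no padding. */
static int cbc_cts_encrypt(const uint8_t *key, uint8_t *iv,
                           uint8_t *out, const uint8_t *in, size_t inlen)
{
    unsigned int shift = blocksize_shift(BLOCKSIZE);
    size_t rem = inlen & (((size_t)1 << shift) - 1);  /* bytes in final partial block */
    uint8_t held[BLOCKSIZE], tmp[BLOCKSIZE];
    if (inlen <= BLOCKSIZE)
        return -1;
    if (rem == 0)
        rem = BLOCKSIZE;               /* final block is full: still swapped */
    size_t lead = inlen - rem - BLOCKSIZE;   /* bytes handled as ordinary CBC */
    cbc_encrypt(key, iv, out, in, lead);     /* lead is block-aligned */
    in += lead;
    out += lead;
    /* Encrypt the last full block normally but hold its ciphertext back. */
    for (size_t i = 0; i < BLOCKSIZE; i++)
        tmp[i] = in[i] ^ iv[i];
    toy_encrypt(key, held, tmp);
    in += BLOCKSIZE;
    /* XOR the partial plaintext into the held block (zero padding beyond
       'rem'), encrypt, and emit that as the second-to-last block ... */
    memcpy(tmp, held, BLOCKSIZE);
    for (size_t i = 0; i < rem; i++)
        tmp[i] ^= in[i];
    toy_encrypt(key, out, tmp);
    /* ... while the truncated held block becomes the final 'rem' bytes. */
    memcpy(out + BLOCKSIZE, held, rem);
    return 0;
}

/* Self-check on constructed data: key = all 0xff (the toy cipher becomes a
   bitwise NOT), zero IV, plaintext bytes 0x00..0x13 (20 bytes = 2.5 blocks).
   The expected bytes were worked out by hand. Returns 1 if all checks pass. */
static int cts_selftest(void)
{
    uint8_t key[BLOCKSIZE], iv[BLOCKSIZE] = {0}, in[20], out[20];
    memset(key, 0xff, sizeof key);
    for (size_t i = 0; i < sizeof in; i++)
        in[i] = (uint8_t)i;
    if (cbc_encrypt(key, iv, out, in, 20) != -1)   /* 20 & 7 != 0: rejected */
        return 0;
    if (cbc_cts_encrypt(key, iv, out, in, 20) != 0)
        return 0;
    /* out = C1 || E(E(P2^C1) ^ (P3||0)) || E(P2^C1)[0..4) */
    return out[0] == 0xff && out[7] == 0xf8 && out[8] == 0xe7 && out[11] == 0xe4
        && out[12] == 0xf7 && out[15] == 0xf7 && out[16] == 0x08 && out[19] == 0x08;
}
```

Keeping the stealing logic out of cbc_encrypt means the common whole-block path has one mask test and a shift, and the only branch on the input length happens before the loop.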
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Fix CBC-CTS+CBC-MAC flag check

* cipher/cipher.c (_gcry_cipher_open_internal): Check flags separately
instead of AND masking two flags to zero.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
tests/basic: silence GCC-8 warning

* tests/basic.c (check_ofb_cipher, check_stream_cipher): Change
tv[].data[].inlen type from signed to unsigned integer.
--

Patch silences new GCC-8 compiler warning:
 '__builtin_memcmp_eq' specified size between 18446744071562067968 and
 18446744073709551615 exceeds maximum object size 9223372036854775807
 [-Wstringop-overflow=]

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Will Dietz [Sun, 17 Jun 2018 23:53:58 +0000 (18:53 -0500)]
random: Fix hang of _gcry_rndjent_get_version.

* random/rndjent.c (_gcry_rndjent_get_version): Move locking.

--

While the protection for jent_rng_collector is needed,
_gcry_rndjent_poll is also acquiring the lock for the variable.
Thus, it hangs.

This change is sub-optimal: the lock is released once after the call
of _gcry_rndjent_poll.  It might be good to modify the API of
_gcry_rndjent_poll to explicitly allow this use case of forcing
initialization while keeping the lock.

Comments and change log entry by gniibe.

GnuPG-bug-id: 4034
Fixes-commit: 0de2a22fcf6607d0aecb550feefa414cee3731b2

Werner Koch [Wed, 13 Jun 2018 08:37:59 +0000 (10:37 +0200)]
Add NEWS from the 1.8 and 1.7 branches.

--

NIIBE Yutaka [Wed, 13 Jun 2018 06:28:58 +0000 (15:28 +0900)]
ecc: Add blinding for ECDSA.

* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
randomized nonce B.

--

Reported-by: Keegan Ryan <Keegan.Ryan@nccgroup.trust>
CVE-id: CVE-2018-0495
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
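Added illustration of the blinding the commit above describes, written for this page and not taken from libgcrypt: the scalar part of ECDSA signing, s = k^-1 (h + d r) mod n, computed once directly and once with every term multiplied by a random blinding value b whose factor cancels. The arithmetic runs over a prime order n below 2^32 so products fit in 64 bits (a real order is about 256 bits), r is taken as an input rather than derived from k*G, and the function names, test values and the helper invm are this example's own assumptions.

```c
#include <stdint.h>

/* Arithmetic modulo a prime group order n < 2^32, so that products fit in
   64 bits. The blinding algebra is the same at full size. */
static uint64_t mulm(uint64_t a, uint64_t b, uint64_t n) { return (a % n) * (b % n) % n; }
static uint64_t addm(uint64_t a, uint64_t b, uint64_t n) { return (a % n + b % n) % n; }

/* Modular inverse by the extended Euclidean algorithm (n prime, a != 0 mod n). */
static uint64_t invm(uint64_t a, uint64_t n)
{
    int64_t t = 0, newt = 1, r = (int64_t)n, newr = (int64_t)(a % n);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)n : t);
}

/* Unblinded s = k^-1 * (h + d*r) mod n, with h the message hash, d the
   private key, r the x coordinate of k*G (an input here) and k the
   per-signature nonce. The product d*r operates on the raw private key. */
static uint64_t ecdsa_s_plain(uint64_t h, uint64_t d, uint64_t r, uint64_t k, uint64_t n)
{
    uint64_t sum = addm(h, mulm(d, r, n), n);
    return mulm(invm(k, n), sum, n);
}

/* Blinded form: each term is first multiplied by a fresh random b and the
   inverse is taken of b*k, so the factor cancels:
   (b*k)^-1 * (b*h + b*d*r) = k^-1 * (h + d*r).
   The operations that touch d and k now run on values an observer of
   their timing or power trace cannot relate to d directly. */
static uint64_t ecdsa_s_blinded(uint64_t h, uint64_t d, uint64_t r, uint64_t k,
                                uint64_t b, uint64_t n)
{
    uint64_t dr  = mulm(mulm(b, d, n), r, n);    /* b*d*r        */
    uint64_t sum = addm(mulm(b, h, n), dr, n);   /* b*(h + d*r)  */
    uint64_t k_1 = invm(mulm(b, k, n), n);       /* (b*k)^-1     */
    return mulm(k_1, sum, n);
}

/* Sanity check for the scalar part: s*k == h + d*r (mod n). */
static int s_is_consistent(uint64_t s, uint64_t h, uint64_t d, uint64_t r,
                           uint64_t k, uint64_t n)
{
    return mulm(s, k, n) == addm(h, mulm(d, r, n), n);
}
```

With n = 23, h = 5, d = 7, r = 3, k = 4 both paths give s = 18 for any invertible b, which is the property that lets the blinded computation replace the plain one without changing the signature format.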
Werner Koch [Tue, 5 Jun 2018 12:33:01 +0000 (14:33 +0200)]
ecc: Improve gcry_mpi_ec_curve_point

* mpi/ec.c (_gcry_mpi_ec_curve_point): Check range of coordinates.
* tests/t-mpi-point.c (point_on_curve): New.
--

Due to the conversion to affine coordinates we didn't detect points
with values >= P.  The solution here might not be the best according
to the NIST standard (it is done there at an earlier opportunity) but
it reliably detects points we do not expect to receive.

The new test vectors have been compared against gnutls/nettle.

Reported-by: Stephan Müller
Signed-off-by: Werner Koch <wk@gnupg.org>
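Added illustration of the range check the commit above adds; it is this page's own example, not libgcrypt's mpi/ec.c. On a constructed toy curve over GF(17), the curve equation alone accepts x = 22 (which is 5 mod 17) because the modular arithmetic reduces it silently, while the full check rejects any coordinate outside [0, p) before evaluating the equation. The curve parameters, the point (5, 1) and the function names are assumptions made for the example.

```c
#include <stdint.h>

/* Toy short-Weierstrass curve y^2 = x^3 + a*x + b over GF(p), constructed
   for the example: p = 17, a = 2, b = 2. The point (5, 1) lies on it. */
static const uint64_t P = 17, A = 2, B = 2;

static uint64_t mulm(uint64_t a, uint64_t b) { return (a * b) % P; }

/* Curve equation only. The modular arithmetic silently reduces the inputs,
   so a coordinate like x = 5 + 17 = 22 passes although it is not a valid
   field element. This is the check that let values >= p through. */
static int satisfies_equation(uint64_t x, uint64_t y)
{
    uint64_t lhs = mulm(y, y);
    uint64_t rhs = (mulm(mulm(x, x), x) + mulm(A, x) + B) % P;
    return lhs == rhs;
}

/* Complete check: coordinates must lie in [0, p) before the equation is
   evaluated, so no out-of-range encoding is accepted as a curve point. */
static int point_on_curve(uint64_t x, uint64_t y)
{
    if (x >= P || y >= P)
        return 0;
    return satisfies_equation(x, y);
}
```

The same split applies to any decoder of public keys or signature points: validate the encoding (range, length, not the point at infinity) first, and only then run field arithmetic on it.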
Werner Koch [Tue, 5 Jun 2018 12:29:53 +0000 (14:29 +0200)]
mpi: New internal function _gcry_mpi_cmpabs.

* mpi/mpi-cmp.c (_gcry_mpi_cmp): Factor out to ...
(do_mpi_cmp): New.  Add arg absmode.
(_gcry_mpi_cmpabs): New.
* src/gcrypt-int.h (mpi_cmpabs): New macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Sun, 29 Apr 2018 16:01:24 +0000 (18:01 +0200)]
build: Convince gcc not to delete NULL ptr checks.

* configure.ac: Try to use -fno-delete-null-pointer-checks.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Sat, 28 Apr 2018 16:30:53 +0000 (18:30 +0200)]
prime: Avoid rare assertion failure in gcry_prime_check.

* cipher/primegen.c (is_prime): Don't fail on the assert X > 1.
--

When using gcry_prime_check the function is_prime can be called with
quite small candidates, so there is a real chance that the random X
value is indeed 0 or 1.  This would trigger the assert.  To avoid
this we now retry in this case.

Reported-by: Heiko Stamer
Signed-off-by: Werner Koch <wk@gnupg.org>
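Added illustration of the retry the commit above describes, not code from libgcrypt's primegen.c: a Miller-Rabin test whose random witness must satisfy 1 < X < n-1. With small candidates a draw of 0 or 1 is likely, so the base is redrawn rather than asserted on, and a counter records how often that happened. The random source is a deterministic xorshift stand-in (constructed, so the example is reproducible; a real implementation uses the CSPRNG), the arithmetic is limited to n below 2^32, and all names are this example's own.

```c
#include <stdint.h>

/* Deterministic stand-in for the random source so the example is
   reproducible (constructed; a real implementation draws from the CSPRNG). */
static uint64_t rng_state = 0x2545F4914F6CDD1DULL;
static uint64_t rng_next(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return rng_state;
}

/* Number of witness draws repeated because they came out as 0 or 1:
   the situation the assert used to trip on. */
static unsigned int base_redraws;

/* Arithmetic for n < 2^32 so products fit in 64 bits. */
static uint64_t mulm(uint64_t a, uint64_t b, uint64_t n) { return (a % n) * (b % n) % n; }

static uint64_t powm(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t result = 1 % n;
    base %= n;
    while (exp) {
        if (exp & 1)
            result = mulm(result, base, n);
        base = mulm(base, base, n);
        exp >>= 1;
    }
    return result;
}

/* Miller-Rabin with 'rounds' random witnesses. A witness x must satisfy
   1 < x < n - 1. Small candidates make x = 0 or 1 a likely draw, so the
   base is redrawn instead of aborting. Returns 1 for "probably prime". */
static int is_prime(uint64_t n, int rounds)
{
    if (n < 4)
        return n == 2 || n == 3;
    if ((n & 1) == 0)
        return 0;
    uint64_t d = n - 1;
    int s = 0;
    while ((d & 1) == 0) {             /* n - 1 = 2^s * d, d odd */
        d >>= 1;
        s++;
    }
    for (int i = 0; i < rounds; i++) {
        uint64_t x = rng_next() % (n - 1);      /* 0 .. n-2 */
        while (x < 2) {                         /* retry, do not assert */
            base_redraws++;
            x = rng_next() % (n - 1);
        }
        uint64_t y = powm(x, d, n);
        if (y == 1 || y == n - 1)
            continue;
        int witness_found = 1;
        for (int j = 1; j < s; j++) {
            y = mulm(y, y, n);
            if (y == n - 1) {
                witness_found = 0;
                break;
            }
        }
        if (witness_found)
            return 0;                           /* x proves n composite */
    }
    return 1;
}
```

For n = 5 the witness range is {0, 1, 2, 3}, so half of all draws hit the retry path; for a 2048-bit candidate the same path is never taken in practice, which is why an assert looked safe until the function was reached through gcry_prime_check with small inputs.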
Werner Koch [Tue, 17 Apr 2018 15:15:30 +0000 (17:15 +0200)]
mpi: Fix for building for MIPS64 with Clang

* mpi/longlong.h [MIPS64][__clang__]: Use the C version like we
already do for 32 bit MIPS.
--

GnuPG-bug-id: 3915
Signed-off-by: Werner Koch <wk@gnupg.org>
NIIBE Yutaka [Tue, 10 Apr 2018 23:45:22 +0000 (08:45 +0900)]
hmac: Use xtrymalloc.

* src/hmac256.c (_gcry_hmac256_new): Use xtrymalloc.
(_gcry_hmac256_file): Likewise.

--

Don't require config.h but stdint.h for STANDALONE.
Drop STANDALONE support for WindowsCE.

GnuPG-bug-id: 3877
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Jussi Kivilinna [Tue, 10 Apr 2018 19:14:39 +0000 (22:14 +0300)]
basic_all_hwfeature_combinations.sh: use $njobs to limit parallel tasks

* tests/basic_all_hwfeature_combinations.sh: Use $njobs to limit
parallel tasks instead of fixed number "8".
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 10 Apr 2018 19:03:49 +0000 (22:03 +0300)]
Faster look-up for spec by algo for digests, ciphers and MAC

* cipher/cipher.c (cipher_list_algo0, cipher_list_algo301): New cipher
spec lists with same order and spacing as 'gcry_cipher_algos'
enumeration.
(spec_from_algo): Use new spec lists for faster look-up.
* cipher/mac.c (mac_list_algo101, mac_list_algo201, mac_list_algo401)
(mac_list_algo501): New MAC spec lists with same order and spacing as
'gcry_mac_algos' enumeration.
(spec_from_algo): Use new spec lists for faster look-up.
* cipher/md.c (digest_list_algo0, digest_list_algo301): New digest
spec lists with same order and spacing as 'gcry_md_algos'
enumeration.
(spec_from_algo): Use new spec lists for faster look-up.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 10 Apr 2018 19:03:49 +0000 (22:03 +0300)]
Fix building with BLAKE2 disabled

* cipher/md.c (md_setkey): Enclose Blake2 part with USE_BLAKE2.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 10 Apr 2018 19:03:49 +0000 (22:03 +0300)]
Add missing BLAKE2, SM3 and GOSTR3411_CP to MAC-HMAC interface

* cipher/mac-hmac.c (map_mac_algo_to_md): Add GOSTR3411_CP, BLAKE2 and
SM3.
(_gcry_mac_type_spec_hmac_gost3411_cp)
(_gcry_mac_type_spec_hmac_blake2b_512)
(_gcry_mac_type_spec_hmac_blake2b_384)
(_gcry_mac_type_spec_hmac_blake2b_256)
(_gcry_mac_type_spec_hmac_blake2b_160)
(_gcry_mac_type_spec_hmac_blake2s_256)
(_gcry_mac_type_spec_hmac_blake2s_224)
(_gcry_mac_type_spec_hmac_blake2s_160)
(_gcry_mac_type_spec_hmac_blake2s_128)
(_gcry_mac_type_spec_hmac_sm3): New.
* cipher/mac-internal.h (_gcry_mac_type_spec_hmac_gost3411_cp)
(_gcry_mac_type_spec_hmac_blake2b_512)
(_gcry_mac_type_spec_hmac_blake2b_384)
(_gcry_mac_type_spec_hmac_blake2b_256)
(_gcry_mac_type_spec_hmac_blake2b_160)
(_gcry_mac_type_spec_hmac_blake2s_256)
(_gcry_mac_type_spec_hmac_blake2s_224)
(_gcry_mac_type_spec_hmac_blake2s_160)
(_gcry_mac_type_spec_hmac_blake2s_128)
(_gcry_mac_type_spec_hmac_sm3): New.
* cipher/mac.c (mac_list): Add GOSTR3411_CP, BLAKE2 and SM3.
* src/gcrypt.h.in (GCRY_MAC_HMAC_GOSTR3411_CP)
(GCRY_MAC_HMAC_BLAKE2B_512, GCRY_MAC_HMAC_BLAKE2B_384)
(GCRY_MAC_HMAC_BLAKE2B_256, GCRY_MAC_HMAC_BLAKE2B_160)
(GCRY_MAC_HMAC_BLAKE2S_256, GCRY_MAC_HMAC_BLAKE2S_224)
(GCRY_MAC_HMAC_BLAKE2S_160, GCRY_MAC_HMAC_BLAKE2S_128)
(GCRY_MAC_HMAC_SM3): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
NIIBE Yutaka [Tue, 10 Apr 2018 02:01:57 +0000 (11:01 +0900)]
random: Protect another use of jent_rng_collector.

* random/rndjent.c (_gcry_rndjent_get_version): Lock the access.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Jussi Kivilinna [Sat, 24 Mar 2018 15:49:16 +0000 (17:49 +0200)]
aarch64/assembly: only use the lower 32 bit of an int parameters

* cipher/camellia-aarch64.S (_gcry_camellia_arm_encrypt_block)
(_gcry_camellia_arm_decrypt_block): Make comment section about input
registers match usage.
* cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_ocb_auth_armv8_ce): Use
'w12' and 'w7' instead of 'x12' and 'x7'.
(_gcry_aes_xts_enc_armv8_ce, _gcry_aes_xts_dec_armv8_ce): Fix function
prototype in comments.
* mpi/aarch64/mpih-add1.S: Use 32-bit registers for 32-bit mpi_size_t
parameters.
* mpi/aarch64/mpih-mul1.S: Ditto.
* mpi/aarch64/mpih-mul2.S: Ditto.
* mpi/aarch64/mpih-mul3.S: Ditto.
* mpi/aarch64/mpih-sub1.S: Ditto.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Sat, 24 Mar 2018 15:22:45 +0000 (17:22 +0200)]
poly1305: silence compiler warning on clang/aarch64

* cipher/poly1305.c (MUL_MOD_1305_64): cast zero constant to 64-bits.
--

This patch fixes "value size does not match register size specified
by the constraint and modifier [-Wasm-operand-widths]" warnings when
building with clang/aarch64.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Martin Storsjö [Thu, 22 Mar 2018 21:32:40 +0000 (23:32 +0200)]
aarch64: Enable building the aarch64 cipher assembly for windows

* cipher/asm-common-aarch64.h: New.
* cipher/camellia-aarch64.S: Use ELF macro, use x19 instead of x18.
* cipher/chacha20-aarch64.S: Use ELF macro, don't use GOT on windows.
* cipher/cipher-gcm-armv8-aarch64-ce.S: Use ELF macro.
* cipher/rijndael-aarch64.S: Use ELF macro.
* cipher/rijndael-armv8-aarch64-ce.S: Use ELF macro.
* cipher/sha1-armv8-aarch64-ce.S: Use ELF macro.
* cipher/sha256-armv8-aarch64-ce.S: Use ELF macro.
* cipher/twofish-aarch64.S: Use ELF macro.
* configure.ac: Don't require .size and .type in aarch64 assembly check.
--
Don't require .type and .size in configure; we can make
them optional via a preprocessor macro.

This is mostly a mechanical change, wrapping the .type and .size
directives in an ELF() macro, with two actual manual changes:
(when targeting windows):
- Don't load global symbols via a GOT (in chacha20)
- Don't use the x18 register (in camellia); back up and restore x19
  in the prologue/epilogue and use that instead.

x18 is a platform specific register; on linux, it's free to be used
by user code, while it's reserved for platform use on windows and
darwin. Always use x19 instead of x18 for consistency.

Signed-off-by: Martin Storsjö <martin@martin.st>
Martin Storsjö [Thu, 22 Mar 2018 21:32:39 +0000 (23:32 +0200)]
aarch64: camellia: Only use the lower 32 bit of an int parameter

* cipher/camellia-aarch64.S: Use 'w3' instead of 'x3'.
--
The keybits parameter is declared as int, and in those cases, the
upper half of a register is undefined, not guaranteed to be zero.

Signed-off-by: Martin Storsjö <martin@martin.st>
Martin Storsjö [Thu, 22 Mar 2018 21:32:38 +0000 (23:32 +0200)]
aarch64: Fix assembling chacha20-aarch64.S with clang/llvm

* cipher/chacha20-aarch64.S: Remove superfluous lane counts.
--
When referring to a specific lane, one doesn't need to specify
the total number of lanes of the register. With GNU binutils,
both forms are accepted, while clang/llvm rejects the form
with the unnecessary number of lanes.

Signed-off-by: Martin Storsjö <martin@martin.st>
Martin Storsjö [Thu, 22 Mar 2018 21:32:37 +0000 (23:32 +0200)]
aarch64: mpi: Fix building the mpi aarch64 assembly for windows

* mpi/aarch64/mpih-add1.S: Use ELF macro.
* mpi/aarch64/mpih-mul1.S: Use ELF macro.
* mpi/aarch64/mpih-mul2.S: Use ELF macro.
* mpi/aarch64/mpih-mul3.S: Use ELF macro.
* mpi/aarch64/mpih-sub1.S: Use ELF macro.
* mpi/asm-common-aarch64.h: New.
--

The mpi aarch64 assembly is enabled as soon as the compiler supports
inline assembly, without checking for .type and .size, as is done
for the rest of the assembly in cipher/*.S. (The .type and .size
directives are only supported on ELF.)

Signed-off-by: Martin Storsjö <martin@martin.st>
Martin Storsjö [Thu, 22 Mar 2018 21:32:36 +0000 (23:32 +0200)]
random: Don't assume that _WIN64 implies x86_64

* random/rndw32.c: Change _WIN64 ifdef into __x86_64__.
--

This fixes building this file for windows on aarch64.

Signed-off-by: Martin Storsjö <martin@martin.st>
Jussi Kivilinna [Wed, 28 Mar 2018 17:32:56 +0000 (20:32 +0300)]
Register DCO for Martin Storsjö

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Thu, 22 Mar 2018 19:54:20 +0000 (21:54 +0200)]
tests/aeswrap: add in-place encryption/decryption testing

* tests/aeswrap.c (check): Rename to...
(check_one): ...this and add in-place testing.
(check): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Stephan Mueller [Mon, 12 Mar 2018 21:24:37 +0000 (22:24 +0100)]
AES-KW: fix in-place encryption

* cipher/cipher-aeswrap.c: move memmove call before KW IV setting
--

In case AES-KW in-place encryption is performed, the plaintext must be
moved to the correct destination location before the first semiblock of
the destination buffer is modified. Without the patch, the first
semiblock of the plaintext is overwritten with a6a6a6a6a6a6a6a6.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:23 +0000 (21:42 +0200)]
bench-slope: add CPU frequency auto-detection

* tests/bench-slope.c (bench_obj): Add 'hd'.
(bench_encrypt_init, bench_encrypt_free, bench_encrypt_do_bench)
(bench_decrypt_do_bench, bench_xts_encrypt_init)
(bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench)
(bench_ccm_encrypt_init, bench_ccm_encrypt_do_bench)
(bench_ccm_decrypt_do_bench, bench_aead_encrypt_init)
(bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
(bench_hash_init, bench_hash_free, bench_hash_do_bench)
(bench_mac_init, bench_mac_free, bench_mac_do_bench): Use 'obj->hd'
for storing pointer to crypto context.
(auto_ghz): New.
(do_slope_benchmark): Rename to...
(slope_benchmark): ...this.
(auto_ghz_init, auto_ghz_free, auto_ghz_bench, auto_ghz_detect_ops)
(get_auto_ghz, do_slope_benchmark): New.
(double_to_str): Round number larger than 1000 to integer.
(bench_print_result_csv, bench_print_result_std)
(bench_print_result, bench_print_header, cipher_bench_one)
(hash_bench_one, mac_bench_one, kdf_bench_one, kdf_bench): Add
auto-detected frequency printing.
(print_help): Help for CPU speed auto-detection mode.
(main): Add parsing for "--cpu-mhz auto".
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:23 +0000 (21:42 +0200)]
_gcry_burn_stack: use memset for clearing memory

* src/misc.c (__gcry_burn_stack) [HAVE_VLA]: Use 'memset' for clearing
stack.
--

Patch switches stack burning to use faster memset instead of
wipememory. Memset is accessed through a volatile function pointer,
so that the compiler will not optimize away the call.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
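Added illustration of the idiom the commit above relies on, written for this page rather than taken from src/misc.c: memset called through a volatile function pointer, so the compiler cannot recognise the call and discard it as a dead store on a buffer that is about to go out of scope, plus a VLA-based stack burn built on it. The names wipe_memory, burn_stack and wipe_selftest, the toy key schedule and the 256-byte burn size are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* memset reached through a volatile function pointer: the compiler must
   reload the pointer and call whatever it holds, so it cannot treat the
   call as a known memset and drop it as a dead store. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

/* Wipe 'n' bytes so the stores survive optimisation. */
static void wipe_memory(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Overwrite 'bytes' bytes of stack below the caller's frame (the HAVE_VLA
   path): a variable-length array sized at run time, cleared through
   wipe_memory. Returns the number of bytes burnt. */
static size_t burn_stack(size_t bytes)
{
    if (bytes == 0)
        return 0;
    uint8_t buf[bytes];
    wipe_memory(buf, bytes);
    return bytes;
}

/* Demonstration on constructed input: expand a key into a local buffer,
   wipe it before returning, then burn the stack area deeper callees used.
   Returns 1 if the wipe left every byte zero. */
static int wipe_selftest(void)
{
    static const uint8_t key[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed */
    uint8_t schedule[64];
    for (size_t i = 0; i < sizeof schedule; i++)
        schedule[i] = key[i % sizeof key] ^ (uint8_t)i;       /* toy key schedule */
    wipe_memory(schedule, sizeof schedule);
    for (size_t i = 0; i < sizeof schedule; i++)
        if (schedule[i] != 0)
            return 0;
    burn_stack(256);
    return 1;
}
```

A plain `memset(schedule, 0, sizeof schedule)` at the end of wipe_selftest is exactly the store an optimising compiler may delete, because nothing reads the buffer afterwards; the indirect call keeps it.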
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:22 +0000 (21:42 +0200)]
Improve constant-time buffer compare

* cipher/bufhelp.h (buf_eq_const): Rewrite logic.
--

New implementation for constant-time buffer comparison that
avoids generating conditional code in the comparison loop.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
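Added illustration, not the cipher/bufhelp.h code itself: an early-exit comparison whose running time depends on the length of the matching prefix, next to a constant-time version that visits every byte, ORs the differences into an accumulator and derives the result arithmetically, so the loop body contains no branch on secret data. Function names and the final arithmetic zero test are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Early-exit comparison: the loop leaves as soon as a byte differs, so the
   time taken reveals how long the matching prefix is. Shown as the pattern
   to avoid when comparing MAC tags or other secret-derived values. */
static int buf_eq_leaky(const void *a, const void *b, size_t len)
{
    const uint8_t *pa = a, *pb = b;
    for (size_t i = 0; i < len; i++)
        if (pa[i] != pb[i])
            return 0;
    return 1;
}

/* Constant-time comparison: every byte is visited regardless of content,
   differences accumulate with OR, and the final 0/1 result is computed
   without a branch. Returns 1 if equal, 0 otherwise. */
static int buf_eq_const(const void *a, const void *b, size_t len)
{
    const uint8_t *pa = a, *pb = b;
    unsigned int diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned int)(pa[i] ^ pb[i]);
    /* diff is in 0..255. (diff - 1) >> 8 is non-zero only for diff == 0:
       0 - 1 wraps to all ones, while 1..255 minus one stays below 256. */
    return 1 & ((diff - 1) >> 8);
}
```

The loop's data flow is identical on every input of a given length, which is the property the commit message names: nothing for the compiler to turn into a conditional jump.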
Werner Koch [Thu, 22 Mar 2018 14:28:04 +0000 (15:28 +0100)]
doc: Clarify the value range of the use-rsa-e parameter.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
Jussi Kivilinna [Thu, 15 Feb 2018 20:13:28 +0000 (22:13 +0200)]
Add Intel SHA Extensions accelerated SHA256 implementation

* cipher/Makefile.am: Add 'sha256-intel-shaext.c'.
* cipher/sha256-intel-shaext.c: New.
* cipher/sha256.c (USE_SHAEXT)
(_gcry_sha256_transform_intel_shaext): New.
(SHA256_CONTEXT): Add 'use_shaext'.
(sha256_init, sha224_init) [USE_SHAEXT]: Use shaext if supported.
(transform) [USE_SHAEXT]: Use shaext if enabled.
(transform): Only add ASM_EXTRA_STACK if returned burn length is not
zero.
* configure.ac: Add 'sha256-intel-shaext.lo'.
--

Benchmark on Intel Celeron J3455 (1500 MHz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |     10.07 ns/B     94.72 MiB/s     15.10 c/B

After (3.7x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |      2.70 ns/B     353.8 MiB/s      4.04 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Tue, 13 Feb 2018 18:22:41 +0000 (20:22 +0200)]
Add Intel SHA Extensions accelerated SHA1 implementation

* cipher/Makefile.am: Add 'sha1-intel-shaext.c'.
* cipher/sha1-intel-shaext.c: New.
* cipher/sha1.c (USE_SHAEXT, _gcry_sha1_transform_intel_shaext): New.
(sha1_init) [USE_SHAEXT]: Use shaext implementation if supported.
(transform) [USE_SHAEXT]: Use shaext if enabled.
(transform): Only add ASM_EXTRA_STACK if returned burn length is not
zero.
* cipher/sha1.h (SHA1_CONTEXT): Add 'use_shaext'.
* configure.ac: Add 'sha1-intel-shaext.lo'.
(shaextsupport, gcry_cv_gcc_inline_asm_shaext): New.
* src/g10lib.h: Add HWF_INTEL_SHAEXT and reorder HWF flags.
* src/hwf-x86.c (detect_x86_gnuc): Detect SHA Extensions.
* src/hwfeatures.c (hwflist): Add 'intel-shaext'.
--

Benchmark on Intel Celeron J3455 (1500 MHz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA1           |      4.50 ns/B     211.7 MiB/s      6.76 c/B

After (4.0x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA1           |      1.11 ns/B     858.1 MiB/s      1.67 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months agoAVX implementation of BLAKE2s
Jussi Kivilinna [Thu, 8 Feb 2018 17:45:10 +0000 (19:45 +0200)]
AVX implementation of BLAKE2s

* cipher/Makefile.am: Add 'blake2s-amd64-avx.S'.
* cipher/blake2.c (USE_AVX, _gcry_blake2s_transform_amd64_avx): New.
(BLAKE2S_CONTEXT) [USE_AVX]: Add 'use_avx'.
(blake2s_transform): Rename to ...
(blake2s_transform_generic): ... this.
(blake2s_transform): New.
(blake2s_final): Pass 'ctx' pointer to transform function instead of
'S'.
(blake2s_init_ctx): Check HW features and enable AVX implementation
if supported.
* cipher/blake2s-amd64-avx.S: New.
* configure.ac: Add 'blake2s-amd64-avx.lo'.
--

Benchmark on Intel Core i7-4790K (4.0 GHz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2S_256    |      1.77 ns/B     538.2 MiB/s      7.09 c/B

After (~1.3x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2S_256    |      1.34 ns/B     711.4 MiB/s      5.36 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months agoAVX2 implementation of BLAKE2b
Jussi Kivilinna [Sun, 14 Jan 2018 14:48:17 +0000 (16:48 +0200)]
AVX2 implementation of BLAKE2b

* cipher/Makefile.am: Add 'blake2b-amd64-avx2.S'.
* cipher/blake2.c (USE_AVX2, ASM_FUNC_ABI, ASM_EXTRA_STACK)
(_gcry_blake2b_transform_amd64_avx2): New.
(BLAKE2B_CONTEXT) [USE_AVX2]: Add 'use_avx2'.
(blake2b_transform): Rename to ...
(blake2b_transform_generic): ... this.
(blake2b_transform): New.
(blake2b_final): Pass 'ctx' pointer to transform function instead of
'S'.
(blake2b_init_ctx): Check HW features and enable AVX2 implementation
if supported.
* cipher/blake2b-amd64-avx2.S: New.
* configure.ac: Add 'blake2b-amd64-avx2.lo'.
--

Benchmark on Intel Core i7-4790K (4.0 GHz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2B_512    |      1.07 ns/B     887.8 MiB/s      4.30 c/B

After (~1.4x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2B_512    |     0.771 ns/B    1236.8 MiB/s      3.08 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months agoFix incorrect counter overflow handling for GCM
Jussi Kivilinna [Wed, 31 Jan 2018 18:02:48 +0000 (20:02 +0200)]
Fix incorrect counter overflow handling for GCM

* cipher/cipher-gcm.c (gcm_ctr_encrypt): New function to handle
32-bit CTR increment for GCM.
(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Do not use
generic CTR implementation directly, use gcm_ctr_encrypt instead.
* tests/basic.c (_check_gcm_cipher): Add test-vectors for 32-bit
CTR overflow.
(check_gcm_cipher): Add 'split input to 15 bytes and 17 bytes'
test-runs.
--

Reported-by: Clemens Lang <Clemens.Lang@bmw.de>
> I believe we have found what seems to be a bug in counter overflow
> handling in AES-GCM in libgcrypt's implementation. This leads to
> incorrect results when using a non-12-byte IV and decrypting payloads
> encrypted with other AES-GCM implementations, such as OpenSSL.
>
> According to the NIST Special Publication 800-38D "Recommendation for
> Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC",
> section 7.1, algorithm 4, step 3 [NIST38D], the counter increment is
> defined as inc_32. Section 6.2 of the same document defines the
> incrementing function inc_s for positive integers s as follows:
>
> | the function increments the right-most s bits of the string, regarded
> | as the binary representation of an integer, modulo 2^s; the remaining,
> | left-most len(X) - s bits remain unchanged
>
> (X is the complete counter value in this case)
>
> This problem does not occur when using a 12-byte IV, because AES-GCM has
> a special case for the initial counter value with 12-byte IVs:
>
> | If len(IV)=96, then J_0 = IV || 0^31 || 1
>
> i.e., one would have to encrypt (UINT_MAX - 1) * blocksize of data to
> hit an overflow. However, for non-12-byte IVs, the initial counter value
> is the output of a hash function, which makes hitting an overflow much
> more likely.
>
> In practice, we have found that using
>
>  iv = 9e 79 18 8c ff 09 56 1e c9 90 99 cc 6d 5d f6 d3
>  key = 26 56 e5 73 76 03 c6 95 0d 22 07 31 5d 32 5c 6b a5 54 5f 40 23 98 60 f6 f7 06 6f 7a 4f c2 ca 40
>
> will reliably trigger an overflow when encrypting 10 MiB of data. It
> seems that this is caused by re-using the AES-CTR implementation for
> incrementing the counter.

Bug was introduced by commit bd4bd23a2511a4bce63c3217cca0d4ecf0c79532
"GCM: Use counter mode code for speed-up".

GnuPG-bug-id: 3764
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
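The inc_32 versus full-width increment distinction from the report above, as an added Python example (not libgcrypt code): it generates the GCM counter block sequence both ways, computes how far a given J_0 is from the 32-bit wrap, and reports where the two sequences diverge. The non-96-bit J_0 value is constructed, standing in for a GHASH-derived pre-counter block.

```python
"""GCM counter blocks (NIST SP 800-38D): inc_32 versus a generic full-width
CTR increment.  Added example, not libgcrypt code."""

BLOCK = 16


def inc_32(block: bytes) -> bytes:
    """SP 800-38D inc_32: increment the right-most 32 bits modulo 2^32 and
    leave the left-most 96 bits unchanged."""
    assert len(block) == BLOCK
    low = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + low.to_bytes(4, "big")


def inc_128(block: bytes) -> bytes:
    """What a generic CTR implementation does: increment the whole 128-bit
    block, so a carry out of the low 32 bits changes the upper 96 bits."""
    assert len(block) == BLOCK
    value = (int.from_bytes(block, "big") + 1) & ((1 << 128) - 1)
    return value.to_bytes(BLOCK, "big")


def j0_from_96bit_iv(iv: bytes) -> bytes:
    """Pre-counter block for the 96-bit IV case: J_0 = IV || 0^31 || 1.
    For other IV lengths J_0 is a GHASH output, so its low 32 bits are
    effectively random and may sit anywhere below the wrap point."""
    assert len(iv) == 12
    return iv + (1).to_bytes(4, "big")


def counter_blocks(j0: bytes, nblocks: int, inc) -> list:
    """Counter blocks for data blocks 1..nblocks (J_0 itself is reserved for
    the tag computation), produced with the given increment function."""
    out, ctr = [], j0
    for _ in range(nblocks):
        ctr = inc(ctr)
        out.append(ctr)
    return out


def blocks_until_wrap(j0: bytes) -> int:
    """How many data blocks can be processed before the 32-bit counter field
    wraps from 0xFFFFFFFF to 0 (the point where the two increments diverge)."""
    return 0xFFFFFFFF - int.from_bytes(j0[12:], "big")


def first_divergence(j0: bytes, nblocks: int):
    """1-based index of the first data block whose counter differs between
    inc_32 and inc_128, or None if they agree for all nblocks."""
    pairs = zip(counter_blocks(j0, nblocks, inc_32),
                counter_blocks(j0, nblocks, inc_128))
    for i, (a, b) in enumerate(pairs, start=1):
        if a != b:
            return i
    return None


# Constructed J_0 standing in for a GHASH-derived pre-counter block whose
# low 32 bits are two steps away from wrapping.
CONSTRUCTED_J0 = bytes.fromhex("0123456789abcdef01234567fffffffe")

if __name__ == "__main__":
    j0 = j0_from_96bit_iv(bytes(12))
    print("96-bit IV: blocks before wrap =", blocks_until_wrap(j0))
    print("constructed J_0: blocks before wrap =", blocks_until_wrap(CONSTRUCTED_J0))
    for name, inc in (("inc_32", inc_32), ("inc_128", inc_128)):
        print(name, [c.hex() for c in counter_blocks(CONSTRUCTED_J0, 3, inc)])
    print("first divergent block:", first_divergence(CONSTRUCTED_J0, 3))
```

With a 96-bit IV the counter starts at 2, so the wrap is 2^32 - 2 blocks away (the "UINT_MAX - 1" of the report); with the constructed J_0 the second data block already gets a different counter under the two increments.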
8 months agoFix use of AVX instructions in ChaCha20 SSSE3 implementation
Jussi Kivilinna [Mon, 22 Jan 2018 20:17:50 +0000 (22:17 +0200)]
Fix use of AVX instructions in ChaCha20 SSSE3 implementation

* cipher/chacha20-amd64-ssse3.S: Replace two 'vmovdqa' instructions
with 'movdqa'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agodoc: fix double "See" in front of reference
Jussi Kivilinna [Sat, 20 Jan 2018 19:12:12 +0000 (21:12 +0200)]
doc: fix double "See" in front of reference

* doc/gcrypt.texi: Change @xref to @ref when text already has 'see' in
the front.
--

@xref references start with `See ...'. Use @ref instead
when text already has 'see' in front.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoAdd EAX mode
Jussi Kivilinna [Sat, 20 Jan 2018 19:08:37 +0000 (21:08 +0200)]
Add EAX mode

* cipher/Makefile.am: Add 'cipher-eax.c'.
* cipher/cipher-cmac.c (cmac_write): Rename to ...
(_gcry_cmac_write): ... this; Take CMAC context as new input
parameter; Return error code.
(cmac_generate_subkeys): Rename to ...
(_gcry_cmac_generate_subkeys): ... this; Take CMAC context as new
input parameter; Return error code.
(cmac_final): Rename to ...
(_gcry_cmac_final): ... this; Take CMAC context as new input
parameter; Return error code.
(cmac_tag): Take CMAC context as new input parameter.
(_gcry_cmac_reset): New.
(_gcry_cipher_cmac_authenticate): Remove duplicate tag flag check;
Adapt to changes above.
(_gcry_cipher_cmac_get_tag): Adapt to changes above.
(_gcry_cipher_cmac_check_tag): Ditto.
(_gcry_cipher_cmac_set_subkeys): Ditto.
* cipher-eax.c: New.
* cipher-internal.h (gcry_cmac_context_t): New.
(gcry_cipher_handle): Update u_mode.cmac; Add u_mode.eax.
(_gcry_cmac_write, _gcry_cmac_generate_subkeys, _gcry_cmac_final)
(_gcry_cmac_reset, _gcry_cipher_eax_encrypt, _gcry_cipher_eax_decrypt)
(_gcry_cipher_eax_set_nonce, _gcry_cipher_eax_authenticate)
(_gcry_cipher_eax_get_tag, _gcry_cipher_eax_check_tag)
(_gcry_cipher_eax_setkey): New prototypes.
* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
(cipher_reset, cipher_encrypt, cipher_decrypt, _gcry_cipher_setiv)
(_gcry_cipher_authenticate, _gcry_cipher_gettag, _gcry_cipher_checktag)
(_gcry_cipher_info): Add EAX mode.
* doc/gcrypt.texi: Add EAX mode.
* src/gcrypt.h.in (GCRY_CIPHER_MODE_EAX): New.
* tests/basic.c (_check_gcm_cipher, _check_poly1305_cipher): Constify
test vectors array.
(_check_eax_cipher, check_eax_cipher): New.
(check_ciphers, check_cipher_modes): Add EAX mode.
* tests/bench-slope.c (bench_eax_encrypt_do_bench)
(bench_eax_decrypt_do_bench, bench_eax_authenticate_do_bench)
(eax_encrypt_ops, eax_decrypt_ops, eax_authenticate_ops): New.
(cipher_modes): Add EAX mode.
* tests/benchmark.c (cipher_bench): Add EAX mode.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agocipher: constify spec arrays
Jussi Kivilinna [Sun, 7 Jan 2018 20:19:13 +0000 (22:19 +0200)]
cipher: constify spec arrays

* cipher/cipher.c (cipher_list): Constify array.
* cipher/mac.c (mac_list): Constify array.
* cipher/md.c (digest_list): Constify array.
* cipher/pubkey.c (pubkey_list): Constify array.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoAdd ARMv8/CE acceleration for AES-XTS
Jussi Kivilinna [Sat, 20 Jan 2018 20:05:19 +0000 (22:05 +0200)]
Add ARMv8/CE acceleration for AES-XTS

* cipher/rijndael-armv8-aarch32-ce.S (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce): New.
* cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce): New.
* cipher/rijndael-armv8-ce.c (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce, xts_crypt_fn_t)
(_gcry_aes_armv8_ce_xts_crypt): New.
* cipher/rijndael.c (_gcry_aes_armv8_ce_xts_crypt): New.
(_gcry_aes_xts_crypt) [USE_ARM_CE]: New.
--

Benchmark on Cortex-A53 (AArch64, 1152 MHz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      4.88 ns/B     195.5 MiB/s      5.62 c/B
        XTS dec |      4.94 ns/B     192.9 MiB/s      5.70 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      5.55 ns/B     171.8 MiB/s      6.39 c/B
        XTS dec |      5.61 ns/B     169.9 MiB/s      6.47 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      6.22 ns/B     153.3 MiB/s      7.17 c/B
        XTS dec |      6.29 ns/B     151.7 MiB/s      7.24 c/B
                =

After (~2.6x faster):
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      1.83 ns/B     520.9 MiB/s      2.11 c/B
        XTS dec |      1.82 ns/B     524.9 MiB/s      2.09 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      1.97 ns/B     483.3 MiB/s      2.27 c/B
        XTS dec |      1.96 ns/B     486.9 MiB/s      2.26 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.11 ns/B     450.9 MiB/s      2.44 c/B
        XTS dec |      2.10 ns/B     453.8 MiB/s      2.42 c/B
                =

Benchmark on Cortex-A53 (AArch32, 1152 MHz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      6.52 ns/B     146.2 MiB/s      7.51 c/B
        XTS dec |      6.57 ns/B     145.2 MiB/s      7.57 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      7.10 ns/B     134.3 MiB/s      8.18 c/B
        XTS dec |      7.11 ns/B     134.2 MiB/s      8.19 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      7.30 ns/B     130.7 MiB/s      8.41 c/B
        XTS dec |      7.38 ns/B     129.3 MiB/s      8.50 c/B
                =

After (~2.7x faster):
Cipher:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.33 ns/B     409.6 MiB/s      2.68 c/B
        XTS dec |      2.35 ns/B     405.3 MiB/s      2.71 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.53 ns/B     377.6 MiB/s      2.91 c/B
        XTS dec |      2.54 ns/B     375.5 MiB/s      2.93 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.75 ns/B     346.8 MiB/s      3.17 c/B
        XTS dec |      2.76 ns/B     345.2 MiB/s      3.18 c/B
                =

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agorijndael-ssse3: call assembly functions directly
Jussi Kivilinna [Sat, 6 Jan 2018 21:21:44 +0000 (23:21 +0200)]
rijndael-ssse3: call assembly functions directly

* cipher/rijndael-ssse3-amd64-asm.S (_gcry_aes_ssse3_enc_preload)
(_gcry_aes_ssse3_dec_preload, _gcry_aes_ssse3_encrypt_core)
(_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add
ENTER_SYSV_FUNC_PARAMS_* at function entry and EXIT_SYSV_FUNC at exit.
(_gcry_aes_ssse3_encrypt_core, _gcry_aes_ssse3_decrypt_core): Change
input parameters to RDI and RSI registers.
* cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_encrypt_core)
(_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add parameters
for function prototypes.
(PUSH_STACK_PTR, POP_STACK_PTR): Remove.
(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Remove inline assembly to
call functions, and call directly instead.
--

Instead of using inline assembly to call assembly functions in the
AES SSSE3 implementation, change the assembly functions so that they
can be called directly.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoMove AMD64 MS to SysV calling convention conversion to assembly side
Jussi Kivilinna [Sat, 6 Jan 2018 20:19:56 +0000 (22:19 +0200)]
Move AMD64 MS to SysV calling convention conversion to assembly side

* cipher/Makefile.am: Add 'asm-common-amd64.h'.
* cipher/asm-common-amd64.h: New.
* cipher/blowfish-amd64.S: Add ENTER_SYSV_FUNC_* and EXIT_SYSV_FUNC for
each global function from 'asm-common-amd64.h'.
* cipher/cast5-amd64.S: Ditto.
* cipher/des-amd64.S: Ditto.
* cipher/rijndael-amd64.S: Ditto.
* cipher/twofish-amd64.S: Ditto.
* cipher/arcfour-amd64.S: Ditto.
* cipher/blowfish.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(call_sysv_fn): Remove.
* cipher/cast5.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(call_sysv_fn): Remove.
* cipher/twofish.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(call_sysv_fn, call_sysv_fn5, call_sysv_fn6): Remove.
* cipher/rijndael.c (do_encrypt, do_decrypt)
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Remove assembly block for
calling SysV ABI function.
* cipher/arcfour.c [USE_AMD64_ASM] (encrypt_stream): Ditto.
--

Old approach was to convert MS ABI to SysV ABI calling convention
for AMD64 assembly functions at caller side. This patch moves
calling convention conversion to assembly/callee side.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoMake BMI2 inline assembly check more robust
Jussi Kivilinna [Sat, 6 Jan 2018 18:26:52 +0000 (20:26 +0200)]
Make BMI2 inline assembly check more robust

* configure.ac (gcry_cv_gcc_inline_asm_bmi2): New assembly test.
--

Use actual assembly snippets from keccak.c to check that compiler
has proper support for used BMI2 instructions.

GnuPG-bug-id: 3408
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoAdd AES-NI acceleration for AES-XTS
Jussi Kivilinna [Sat, 6 Jan 2018 16:53:20 +0000 (18:53 +0200)]
Add AES-NI acceleration for AES-XTS

* cipher/cipher-internal.h (gcry_cipher_handle): Change bulk
XTS function to take cipher context.
* cipher/cipher-xts.c (_gcry_cipher_xts_crypt): Ditto.
* cipher/cipher.c (_gcry_cipher_open_internal): Setup AES-NI
XTS bulk function.
* cipher/rijndael-aesni.c (xts_gfmul_const, _gcry_aes_aesni_xts_enc)
(_gcry_aes_aesni_xts_enc, _gcry_aes_aesni_xts_crypt): New.
* cipher/rijndael.c (_gcry_aes_aesni_xts_crypt)
(_gcry_aes_xts_crypt): New.
* src/cipher.h (_gcry_aes_xts_crypt): New.
--

Benchmarks on Intel Core i7-4790K, 4.0 GHz (no turbo):

Before:
        XTS enc |      1.66 ns/B     575.7 MiB/s      6.63 c/B
        XTS dec |      1.66 ns/B     575.5 MiB/s      6.63 c/B

After (~6x faster):
        XTS enc |     0.270 ns/B    3528.5 MiB/s      1.08 c/B
        XTS dec |     0.272 ns/B    3511.5 MiB/s      1.09 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoAES-NI improvements for AMD64
Jussi Kivilinna [Sat, 6 Jan 2018 16:53:20 +0000 (18:53 +0200)]
AES-NI improvements for AMD64

* cipher/rijndael-aesni.c [__x86_64__] (aesni_prepare_7_15_variable)
(aesni_prepare_7_15, aesni_cleanup_7_15, do_aesni_enc_vec8)
(do_aesni_dec_vec8, do_aesni_ctr_8): New.
(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
(_gcry_aes_aesni_cbc_dec, aesni_ocb_enc, aesni_ocb_dec)
(_gcry_aes_aesni_ocb_auth) [__x86_64__]: Add 8 parallel blocks
processing.
--

Benchmarks on Intel Core i7-4790K, 4.0 GHz (no turbo, no HT):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CBC dec |     0.175 ns/B    5448.7 MiB/s     0.700 c/B
        CFB dec |     0.174 ns/B    5466.2 MiB/s     0.698 c/B
        CTR enc |     0.182 ns/B    5226.0 MiB/s     0.730 c/B
        OCB enc |     0.194 ns/B    4913.9 MiB/s     0.776 c/B
        OCB dec |     0.200 ns/B    4769.2 MiB/s     0.800 c/B
       OCB auth |     0.172 ns/B    5545.0 MiB/s     0.688 c/B

After (1.08x to 1.14x faster):
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CBC dec |     0.157 ns/B    6075.6 MiB/s     0.628 c/B
        CFB dec |     0.158 ns/B    6034.1 MiB/s     0.632 c/B
        CTR enc |     0.159 ns/B    5979.4 MiB/s     0.638 c/B
        OCB enc |     0.175 ns/B    5447.1 MiB/s     0.700 c/B
        OCB dec |     0.183 ns/B    5203.9 MiB/s     0.733 c/B
       OCB auth |     0.156 ns/B    6101.3 MiB/s     0.625 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoAdd ARMv8/AArch64 implementation of chacha20
Jussi Kivilinna [Sat, 6 Jan 2018 16:58:04 +0000 (18:58 +0200)]
Add ARMv8/AArch64 implementation of chacha20

* cipher/Makefile.am: Add 'chacha20-aarch64.S'.
* cipher/chacha20-aarch64.S: New.
* cipher/chacha20.c (USE_AARCH64_SIMD): New.
(_gcry_chacha20_aarch_blocks4): New.
(chacha20_do_setkey): Add HWF selection for AArch64 implementation.
* configure.ac: Add 'chacha20-aarch64.lo'.
--

Benchmark on Cortex-A53 (1152 MHz):

Before:
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      7.91 ns/B     120.6 MiB/s      9.11 c/B
     STREAM dec |      7.91 ns/B     120.6 MiB/s      9.11 c/B

After (1.66x faster):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      4.74 ns/B     201.2 MiB/s      5.46 c/B
     STREAM dec |      4.74 ns/B     201.3 MiB/s      5.46 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoNew ChaCha implementations
Jussi Kivilinna [Tue, 9 Jan 2018 16:40:25 +0000 (18:40 +0200)]
New ChaCha implementations

* cipher/Makefile.am: Remove 'chacha20-sse2-amd64.S',
'chacha20-ssse3-amd64.S', 'chacha20-avx2-amd64.S'; Add
'chacha20-amd64-ssse3.S', 'chacha20-amd64-avx2.S'.
* cipher/chacha20-amd64-avx2.S: New.
* cipher/chacha20-amd64-ssse3.S: New.
* cipher/chacha20-armv7-neon.S: Rewrite.
* cipher/chacha20-avx2-amd64.S: Remove.
* cipher/chacha20-sse2-amd64.S: Remove.
* cipher/chacha20-ssse3-amd64.S: Remove.
* cipher/chacha20.c (CHACHA20_INPUT_LENGTH, USE_SSE2, USE_NEON)
(ASM_EXTRA_STACK, chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks)
(_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks)
(_gcry_chacha20_armv7_neon_blocks, QROUND, QOUT, chacha20_core)
(chacha20_do_encrypt_stream): Remove.
(_gcry_chacha20_amd64_ssse3_blocks4, _gcry_chacha20_amd64_avx2_blocks8)
(_gcry_chacha20_armv7_neon_blocks4, ROTATE, XOR, PLUS, PLUSONE)
(QUARTERROUND, BUF_XOR_LE32): New.
(CHACHA20_context_s, chacha20_blocks, chacha20_keysetup)
(chacha20_encrypt_stream): Rewrite.
(chacha20_do_setkey): Adjust for new CHACHA20_context_s.
* configure.ac: Remove 'chacha20-sse2-amd64.lo',
'chacha20-ssse3-amd64.lo', 'chacha20-avx2-amd64.lo'; Add
'chacha20-amd64-ssse3.lo', 'chacha20-amd64-avx2.lo'.
--

Intel Core i7-4790K CPU @ 4.00GHz (x86_64/AVX2):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |     0.319 ns/B    2988.5 MiB/s      1.28 c/B
     STREAM dec |     0.318 ns/B    2995.4 MiB/s      1.27 c/B

Intel Core i7-4790K CPU @ 4.00GHz (x86_64/SSSE3):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |     0.633 ns/B    1507.4 MiB/s      2.53 c/B
     STREAM dec |     0.633 ns/B    1506.6 MiB/s      2.53 c/B

Intel Core i7-4790K CPU @ 4.00GHz (i386):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      2.05 ns/B     465.2 MiB/s      8.20 c/B
     STREAM dec |      2.04 ns/B     467.5 MiB/s      8.16 c/B

Cortex-A53 @ 1152 MHz (armv7/neon):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      5.29 ns/B     180.3 MiB/s      6.09 c/B
     STREAM dec |      5.29 ns/B     180.1 MiB/s      6.10 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agoNew Poly1305 implementations
Jussi Kivilinna [Sat, 6 Jan 2018 16:53:20 +0000 (18:53 +0200)]
New Poly1305 implementations

* cipher/Makefile.am: Include '../mpi' for 'longlong.h'; Remove
'poly1305-sse2-amd64.S', 'poly1305-avx2-amd64.S' and
'poly1305-armv7-neon.S'.
* cipher/poly1305-armv7-neon.S: Remove.
* cipher/poly1305-avx2-amd64.S: Remove.
* cipher/poly1305-sse2-amd64.S: Remove.
* cipher/poly1305-internal.h (POLY1305_BLOCKSIZE)
(POLY1305_STATE): New.
(POLY1305_SYSV_FUNC_ABI, POLY1305_REF_BLOCKSIZE)
(POLY1305_REF_STATESIZE, POLY1305_REF_ALIGNMENT)
(POLY1305_USE_SSE2, POLY1305_SSE2_BLOCKSIZE, POLY1305_SSE2_STATESIZE)
(POLY1305_SSE2_ALIGNMENT, POLY1305_USE_AVX2, POLY1305_AVX2_BLOCKSIZE)
(POLY1305_AVX2_STATESIZE, POLY1305_AVX2_ALIGNMENT)
(POLY1305_USE_NEON, POLY1305_NEON_BLOCKSIZE, POLY1305_NEON_STATESIZE)
(POLY1305_NEON_ALIGNMENT, POLY1305_LARGEST_BLOCKSIZE)
(POLY1305_LARGEST_STATESIZE, POLY1305_LARGEST_ALIGNMENT)
(POLY1305_STATE_BLOCKSIZE, POLY1305_STATE_STATESIZE)
(POLY1305_STATE_ALIGNMENT, OPS_FUNC_ABI, poly1305_key_s)
(poly1305_ops_s): Remove.
(poly1305_context_s): Rewrite.
* cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext)
(_gcry_poly1305_amd64_sse2_finish_ext)
(_gcry_poly1305_amd64_sse2_blocks, poly1305_amd64_sse2_ops)
(poly1305_init_ext_ref32, poly1305_blocks_ref32)
(poly1305_finish_ext_ref32, poly1305_default_ops)
(_gcry_poly1305_amd64_avx2_init_ext)
(_gcry_poly1305_amd64_avx2_finish_ext)
(_gcry_poly1305_amd64_avx2_blocks)
(poly1305_amd64_avx2_ops, poly1305_get_state): Remove.
(poly1305_init): Rewrite.
(USE_MPI_64BIT, USE_MPI_32BIT): New.
[USE_MPI_64BIT] (ADD_1305_64, MUL_MOD_1305_64, poly1305_blocks)
(poly1305_final): New implementation using 64-bit limbs.
[USE_MPI_32BIT] (UMUL_ADD_32, ADD_1305_32, MUL_MOD_1305_32)
(poly1305_blocks): New implementation using 32-bit limbs.
(_gcry_poly1305_update, _gcry_poly1305_finish)
(_gcry_poly1305_init): Adapt to new implementation.
* configure.ac: Remove 'poly1305-sse2-amd64.lo',
'poly1305-avx2-amd64.lo' and 'poly1305-armv7-neon.lo'.
--

Intel Core i7-4790K CPU @ 4.00GHz (x86_64):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 POLY1305           |     0.284 ns/B    3358.6 MiB/s      1.14 c/B

Intel Core i7-4790K CPU @ 4.00GHz (i386):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 POLY1305           |     0.888 ns/B    1073.9 MiB/s      3.55 c/B

Cortex-A53 @ 1152 MHz (armv7):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 POLY1305           |      4.40 ns/B     216.7 MiB/s      5.07 c/B

Cortex-A53 @ 1152 MHz (aarch64):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 POLY1305           |      2.60 ns/B     367.0 MiB/s      2.99 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months agompi/ec: fix when 'unsigned long' is 32-bit but limb size is 64-bit
Jussi Kivilinna [Sat, 6 Jan 2018 17:25:12 +0000 (19:25 +0200)]
mpi/ec: fix when 'unsigned long' is 32-bit but limb size is 64-bit

* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Cast '1' to
mpi_limb_t before left shift.
--

Patch fixes mpi/ec.c compiler warnings and failing test cases on
Win64.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
10 months agotests: Add another test case to keygrip.c
Werner Koch [Fri, 8 Dec 2017 07:15:42 +0000 (08:15 +0100)]
tests: Add another test case to keygrip.c

--

This is mainly to answer a question on the ML.

10 months agosexp: Avoid a fatal error in case of ENOMEM in called functions.
Werner Koch [Fri, 24 Nov 2017 09:44:24 +0000 (10:44 +0100)]
sexp: Avoid a fatal error in case of ENOMEM in called functions.

* src/sexp.c (do_vsexp_sscan): Replace BUG() by a proper error
return.  Replace sprintf by snprintf.
(convert_to_hex): Replace sprintf by snprintf.
(convert_to_string): Ditto.
(_gcry_sexp_sprint): Ditto.
--

_gcry_mpi_print can actually return ENOMEM because it internally needs
to allocate temporary buffers.  Thus BUG was not the right thing to
do.  This was detected while investigating bug 3530.

Replacing sprintf by snprintf is not technically required but some
compilers print warnings for the use of sprintf.  So let's silence
them.

Signed-off-by: Werner Koch <wk@gnupg.org>
10 months agoapi: Add GCRYCTL_AUTO_EXPAND_SECMEM.
Werner Koch [Thu, 23 Nov 2017 18:15:41 +0000 (19:15 +0100)]
api: Add GCRYCTL_AUTO_EXPAND_SECMEM.

* src/gcrypt.h.in (GCRYCTL_AUTO_EXPAND_SECMEM): New enum.
* src/global.c (_gcry_vcontrol): Implement that.
* src/secmem.c (auto_expand): New var.
(_gcry_secmem_set_auto_expand): New.
(_gcry_secmem_malloc_internal): Act upon AUTO_EXPAND.
--

GnuPG-bug-id: 3530
Signed-off-by: Werner Koch <wk@gnupg.org>
11 months agodoc: Clarify gcry_mpi_div
Werner Koch [Wed, 15 Nov 2017 19:35:16 +0000 (20:35 +0100)]
doc: Clarify gcry_mpi_div

--

11 months agotests: Add HAVE_MMAP check for MinGW.
NIIBE Yutaka [Tue, 14 Nov 2017 00:01:50 +0000 (09:01 +0900)]
tests: Add HAVE_MMAP check for MinGW.

* tests/t-secmem.c (main): Conditionalize with HAVE_MMAP.

--

Thanks to: Andreas Metzler <ametzler@bebt.de>

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoFix secmem test for machine with larger page.
NIIBE Yutaka [Thu, 9 Nov 2017 01:59:33 +0000 (10:59 +0900)]
Fix secmem test for machine with larger page.

* tests/t-secmem.c (main): Detect page size and setup chunk size.
* src/secmem.c (init_pool): Simplify the expression.

--

GnuPG-bug-id: 3351
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agobuild: Don't use /dev/srandom on OpenBSD.
Jeremie Courreges-Anglas [Mon, 6 Nov 2017 05:57:28 +0000 (14:57 +0900)]
build: Don't use /dev/srandom on OpenBSD.

--

Ported from GnuPG 1.4.

All /dev/*random devices have been equivalent since OpenBSD 4.9, on
purpose (/dev/random doesn't block).  /dev/srandom has been removed in
the OpenBSD 6.3 development cycle, /dev/arandom will likely follow.

Signed-off-by: Jeremie Courreges-Anglas <jca@wxcvbn.org>
11 months agoAdd OID information for SM3.
NIIBE Yutaka [Wed, 25 Oct 2017 03:04:30 +0000 (12:04 +0900)]
Add OID information for SM3.

* cipher/sm3.c (asn_sm3, oid_spec_sm3): New.
(_gcry_digest_spec_sm3): Add asn_sm3, oid_spec_sm3.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoAdd crypto hash SM3.
Jia Zhang [Tue, 24 Oct 2017 06:55:12 +0000 (15:55 +0900)]
Add crypto hash SM3.

* configure.ac (available_digests): Add sm3.
* src/cipher.h: Add declarations for SM3.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm3.c.
* cipher/md.c [USE_SM3] (digest_list): Add _gcry_digest_spec_sm3.
* cipher/pubkey-util.c (hashnames): Add "sm3".
* cipher/sm3.c: New.
* tests/basic.c (check_digests): Add test vectors for SM3.
* tests/hashtest-256g.in (algos): Add SM3.
* tests/hashtest.c (testvectors): Add for SM3.

--

GnuPG-bug-id: 3454
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
11 months agoAdd new constant GCRY_MD_SM3 for crypto hash SM3.
NIIBE Yutaka [Tue, 24 Oct 2017 06:43:41 +0000 (15:43 +0900)]
Add new constant GCRY_MD_SM3 for crypto hash SM3.

* src/gcrypt.h.in (GCRY_MD_SM3): New.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
12 months agoRegister DCO for Jia Zhang.
NIIBE Yutaka [Thu, 19 Oct 2017 02:35:00 +0000 (11:35 +0900)]
Register DCO for Jia Zhang.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
12 months agoapi: New function gcry_mpi_get_ui.
Werner Koch [Tue, 17 Oct 2017 13:00:08 +0000 (15:00 +0200)]
api: New function gcry_mpi_get_ui.

* src/gcrypt.h.in (gcry_mpi_get_ui): New.
(mpi_get_ui): New macro.
* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
* src/visibility.c (gcry_mpi_get_ui): New.
* src/visibility.h: Mark that function.
(gcry_mpi_get_ui): New.
* mpi/mpiutil.c (MY_UINT_MAX): New macro.
(_gcry_mpi_get_ui): Re-implemented.  This function existed but was
never imported or used.
* tests/mpitests.c (test_maxsize): Add some test for this function.
--

Note that in libgcrypt.def the cardinal 91 is used which was never
used in the past.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agoTweak GCC version check.
NIIBE Yutaka [Tue, 29 Aug 2017 07:11:42 +0000 (16:11 +0900)]
Tweak GCC version check.

* src/global.c (_gcry_vcontrol): It's GCC 4.2 which started to support
diagnostic pragma.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agorandom: Fix warnings on Windows.
NIIBE Yutaka [Tue, 29 Aug 2017 07:10:54 +0000 (16:10 +0900)]
random: Fix warnings on Windows.

* random/random-csprng.c (lock_seed_file): Vars with no use.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agotests: Fix warnings on Windows.
NIIBE Yutaka [Tue, 29 Aug 2017 07:09:39 +0000 (16:09 +0900)]
tests: Fix warnings on Windows.

* tests/fipsdrv.c (print_dsa_domain_parameters, print_ecdsa_dq): Fix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoecc: Fix scratch MPI.
NIIBE Yutaka [Tue, 29 Aug 2017 01:33:08 +0000 (10:33 +0900)]
ecc: Fix scratch MPI.

* mpi/ec.c (ec_p_init): Check if scratch MPI is allocated.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoecc: Fix ec_mulm_25519.
NIIBE Yutaka [Wed, 23 Aug 2017 04:03:07 +0000 (13:03 +0900)]
ecc: Fix ec_mulm_25519.

* mpi/ec.c (ec_mulm_25519): Improve reduction to 25519.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoecc: Use 25519 method also for ed25519.
NIIBE Yutaka [Wed, 23 Aug 2017 03:46:20 +0000 (12:46 +0900)]
ecc: Use 25519 method also for ed25519.

* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Don't use mpi_add
since it resizes to have more limbs.
* mpi/ec.c (point_resize): Fix for Edwards curve.
(ec_p_init): Support Edwards curve.
(_gcry_mpi_ec_get_affine): Use the methods.
(dup_point_edwards, add_points_edwards, sub_points_edwards): Ditto.
(_gcry_mpi_ec_mul_point): Resize MPIs of point to fixed size.
(_gcry_mpi_ec_curve_point): Use the methods.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoecc: Clean up curve specific method support.
NIIBE Yutaka [Wed, 23 Aug 2017 03:43:38 +0000 (12:43 +0900)]
ecc: Clean up curve specific method support.

* src/ec-context.h (struct mpi_ec_ctx_s): Remove MOD method.
* mpi/ec.c (ec_mod_25519): Remove.
(ec_p_init): Follow the removal of the MOD method.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoecc: Relax condition for 25519 computations.
NIIBE Yutaka [Wed, 23 Aug 2017 02:11:17 +0000 (11:11 +0900)]
ecc: Relax condition for 25519 computations.

* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Check number
of limbs, allocated more is OK.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoecc: Fix ec_mulm_25519.
NIIBE Yutaka [Wed, 23 Aug 2017 01:22:21 +0000 (10:22 +0900)]
ecc: Fix ec_mulm_25519.

* mpi/ec.c (ec_mulm_25519): Fix the cases of 0 to 18.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoecc: field specific routines for 25519.
NIIBE Yutaka [Tue, 22 Aug 2017 23:48:53 +0000 (08:48 +0900)]
ecc: field specific routines for 25519.

* mpi/ec.c (point_resize): Improve for X25519.
(mpih_set_cond): New.
(ec_mod_25519, ec_addm_25519, ec_subm_25519, ec_mulm_25519)
(ec_mul2_25519, ec_pow2_25519): New.
(ec_p_init): Fill by FIELD_TABLE.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoecc: Add field specific computation methods.
NIIBE Yutaka [Mon, 21 Aug 2017 05:32:08 +0000 (14:32 +0900)]
ecc: Add field specific computation methods.

* src/ec-context.h (struct mpi_ec_ctx_s): Add methods.
* mpi/ec.c (ec_p_init): Initialize the default methods.
(montgomery_ladder): Use the methods.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoAlso bump the LT Current value.
Werner Koch [Sun, 27 Aug 2017 08:13:53 +0000 (10:13 +0200)]
Also bump the LT Current value.

--

13 months agoPrepare for the 1.9 branch
Werner Koch [Sun, 27 Aug 2017 08:08:58 +0000 (10:08 +0200)]
Prepare for the 1.9 branch

--

We need to bump the LT Age even if there won't be a compatible interface
change.  This is so that we can keep on updating the Revision in the
1.8 branch.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agoPost release updates
Werner Koch [Sun, 27 Aug 2017 07:36:37 +0000 (09:36 +0200)]
Post release updates

--

13 months agoRelease 1.8.1 libgcrypt-1.8.1
Werner Koch [Sun, 27 Aug 2017 07:22:09 +0000 (09:22 +0200)]
Release 1.8.1

* configure.ac: Set LT version to C22/A2/R1.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months ago  ecc: Add input validation for X25519.
NIIBE Yutaka [Fri, 25 Aug 2017 09:13:28 +0000 (18:13 +0900)]
ecc: Add input validation for X25519.

* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
(_gcry_mpi_ec_bad_point): New.

--

Following is the paper describing the attack:

    May the Fourth Be With You: A Microarchitectural Side Channel Attack
    on Real-World Applications of Curve25519
    by Daniel Genkin, Luke Valenta, and Yuval Yarom

In the current implementation, we do output checking and it results in
an error for those bad points.  However, when attacked, the computation
will be done with a leak of the private key, even if it results in
errors.  To mitigate the leak, we added input validation.

Note that we only list bad points with MSB=0.  In X25519, the MSB is
always cleared.

In future, we should implement constant-time field computation.  Then,
this input validation could be removed, if performance is important
and we are sure there is no leak.

CVE-id: CVE-2017-0379
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
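As an added example, not libgcrypt's own code: the input check the commit above describes, written stand-alone in C. It masks bit 255 first (which is why the list needs only MSB=0 entries, as the commit notes) and then compares the input against the commonly published small-order u-coordinates of Curve25519 in constant time, so that the scalar multiplication is never run on such a point. The point list, the function names and the base-point constant are this example's assumptions and are not taken from the page.

```c
/* Added example (not libgcrypt code): reject small-order X25519 inputs
 * before any scalar multiplication runs.  The seven u-coordinates below
 * are the commonly published small-order points of Curve25519 in X25519
 * little-endian encoding; they are assumed correct here, and all have
 * bit 255 clear because X25519 ignores that bit. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X25519_KEY_LEN 32

/* Bytes 1..31 of p = 2^255 - 19 in little-endian (byte 0 is 0xed). */
#define P_TAIL 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, \
               0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, \
               0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f

static const uint8_t bad_points_25519[][X25519_KEY_LEN] = {
  { 0x00 },                       /* u = 0 */
  { 0x01 },                       /* u = 1 */
  { 0xe0,0xeb,0x7a,0x7c,0x3b,0x41,0xb8,0xae,0x16,0x56,0xe3,0xfa,0xf1,0x9f,0xc4,0x6a,
    0xda,0x09,0x8d,0xeb,0x9c,0x32,0xb1,0xfd,0x86,0x62,0x05,0x16,0x5f,0x49,0xb8,0x00 },
  { 0x5f,0x9c,0x95,0xbc,0xa3,0x50,0x8c,0x24,0xb1,0xd0,0xb1,0x55,0x9c,0x83,0xef,0x5b,
    0x04,0x44,0x5c,0xc4,0x58,0x1c,0x8e,0x86,0xd8,0x22,0x4e,0xdd,0xd0,0x9f,0x11,0x57 },
  { 0xec, P_TAIL },               /* u = p - 1 */
  { 0xed, P_TAIL },               /* u = p, non-canonical encoding of 0 */
  { 0xee, P_TAIL },               /* u = p + 1, non-canonical encoding of 1 */
};
#define N_BAD_POINTS (sizeof bad_points_25519 / sizeof bad_points_25519[0])

/* Constant-time equality: 1 if a == b, else 0, with no data-dependent
 * branch or early exit. */
static unsigned ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
  unsigned diff = 0;
  for (size_t i = 0; i < n; i++)
    diff |= (unsigned)(a[i] ^ b[i]);
  return 1u & ((diff - 1u) >> 8);   /* diff == 0  ->  1 */
}

/* Returns 1 if PK is a small-order point (the caller must reject it),
 * 0 otherwise.  Every list entry is compared so the timing does not
 * reveal which one matched. */
int x25519_bad_point_p(const uint8_t pk[X25519_KEY_LEN])
{
  uint8_t u[X25519_KEY_LEN];
  unsigned bad = 0;

  memcpy(u, pk, X25519_KEY_LEN);
  u[X25519_KEY_LEN - 1] &= 0x7f;   /* X25519 masks bit 255; compare the masked value */
  for (size_t i = 0; i < N_BAD_POINTS; i++)
    bad |= ct_equal(u, bad_points_25519[i], X25519_KEY_LEN);
  return (int)bad;
}

/* The base point u = 9 is a legitimate input (RFC 7748), used as the
 * "good" sample below. */
const uint8_t x25519_basepoint[X25519_KEY_LEN] = { 9 };

/* Counts how many list entries are still rejected when bit 255 is set in
 * the encoding.  The list carries only MSB=0 entries, so this shows the
 * masking also covers the MSB=1 encodings of the same points. */
int x25519_count_rejected_with_msb_set(void)
{
  int n = 0;
  for (size_t i = 0; i < N_BAD_POINTS; i++)
    {
      uint8_t pk[X25519_KEY_LEN];
      memcpy(pk, bad_points_25519[i], X25519_KEY_LEN);
      pk[X25519_KEY_LEN - 1] |= 0x80;
      n += x25519_bad_point_p(pk);
    }
  return n;
}

int main(void)
{
  printf("base point rejected: %d\n", x25519_bad_point_p(x25519_basepoint));
  printf("u = 0 rejected:      %d\n", x25519_bad_point_p(bad_points_25519[0]));
  printf("rejected with bit 255 set: %d of %zu\n",
         x25519_count_rejected_with_msb_set(), (size_t)N_BAD_POINTS);
  return 0;
}
```

The check runs before the ladder, so a rejected point never reaches the non-constant-time field arithmetic the commit is concerned about; the constant-time comparison is not strictly needed for a public input, but it avoids introducing a new timing difference that depends on which entry matched.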
13 months ago  indent: Typo fix.
Werner Koch [Thu, 24 Aug 2017 09:43:05 +0000 (11:43 +0200)]
indent: Typo fix.

--

14 months ago  cipher: Add OID for SHA384WithECDSA.
Marcus Brinkmann [Mon, 7 Aug 2017 17:26:26 +0000 (19:26 +0200)]
cipher: Add OID for SHA384WithECDSA.

* cipher/sha512.c (oid_spec_sha384): Add SHA384WithECDSA.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
Suggested-by: Sven Fischer <sven@leiderfischer.de>
GnuPG-bug-id: 3336

14 months ago  tests: Fix a printf glitch for a Windows test.
Werner Koch [Wed, 2 Aug 2017 16:45:51 +0000 (18:45 +0200)]
tests: Fix a printf glitch for a Windows test.

* tests/t-convert.c (check_formats): Fix print format glitch on
Windows.
* tests/t-ed25519.c: Typo fix.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months ago  tests: Add benchmarking option to tests/random.
Werner Koch [Wed, 2 Aug 2017 16:44:14 +0000 (18:44 +0200)]
tests: Add benchmarking option to tests/random.

* tests/random.c: Always include unistd.h.
(prepend_srcdir): New.
(run_benchmark): New.
(main): Add options --benchmark and --with-seed-file.  Print whether
JENT has been used.
* tests/t-common.h (split_fields_colon): New. Taken from GnuPG.
License of that code changed to LGPLv2.1.

--

Running these tests on a KVM hosted Windows Vista using a statically
compiled tests/random and modifying the extra random added in
read_seed_file gave these results:

  | Seed | Jent | Bytes | Bits | Time (ms)  |
  |------+------+-------+------+------------|
  | yes  | yes  |    32 |  256 |  46 ..  62 |
  | yes  | yes  |    64 |  512 |  62 ..  78 |
  | yes  | yes  |   128 | 1024 |  78 ..  93 |
  | yes  | yes  |   256 | 2048 | 124 .. 156 |
  | yes  | yes  |   384 | 3072 | 171 .. 202 |
  | yes  | yes  |   512 | 4096 | 234 .. 249 |
  | yes  | no   |    32 |  256 |  15 ..  31 |
  | yes  | no   |    64 |  512 |  15 ..  31 |
  | yes  | no   |   128 | 1024 |  15        |
  | no   | yes  |     - |    - |  78 .. 93  |
  | no   | no   |     - |    - |  15        |

 Seed: Whether a seed file is used.
 Jent: Whether JENT was working.
Bytes: The number of bytes mixed into the pool after reading
       the seed file.
 Bits: 8 * Bytes
 Time: Measured time including the time to read the seed file.
       Minimum and maximum values are given.  Granularity of
       the used timer is quite large.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months ago  random: Add more bytes to the pool in addition to the seed file.
Werner Koch [Fri, 28 Jul 2017 13:31:03 +0000 (15:31 +0200)]
random: Add more bytes to the pool in addition to the seed file.

* random/random-csprng.c (read_seed_file): Read 128 or 32 bytes
depending on whether we have the Jitter RNG.
--

These are actually 3 changes:

- We use GCRY_STRONG_RANDOM instead of GCRY_WEAK_RANDOM, which we used
  for historical reasons.  However the entropy gather modules handle
  both identically; that is, reading from /dev/urandom.  Only
  GCRY_VERY_STRONG_RANDOM would use a blocking read from /dev/random.

- We increase the number of extra bits from 128 to 256.

- If the Jitter RNG is available we assume that a fast entropy source
  is available and thus we read 4 times more entropy (1024 bits).

Note that on Windows GnuPG tests in DE-VS mode that the Jitter RNG is
available and properly working.  Thus we will add 1024 bits in
addition to the state read from the seed file.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months ago  Add script to run basic tests with all supported HWF combinations
Jussi Kivilinna [Tue, 1 Aug 2017 18:05:31 +0000 (21:05 +0300)]
Add script to run basic tests with all supported HWF combinations

* tests/basic_all_hwfeature_combinations.sh: New.
* tests/Makefile.am: Add basic_all_hwfeature_combinations.sh.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
14 months ago  Fix return value type for _gcry_md_extract
Jussi Kivilinna [Sat, 29 Jul 2017 11:34:23 +0000 (14:34 +0300)]
Fix return value type for _gcry_md_extract

* src/gcrypt-int.h (_gcry_md_extract): Use gpg_err_code_t instead of
gpg_error_t for internal function return type.
--

GnuPG-bug-id: 3314
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
14 months ago  Fix building AArch32 CE implementations when target is ARMv6 arch
Jussi Kivilinna [Sat, 29 Jul 2017 11:34:23 +0000 (14:34 +0300)]
Fix building AArch32 CE implementations when target is ARMv6 arch

* cipher/cipher-gcm-armv8-aarch32-ce.S: Select ARMv8 architecture.
* cipher/rijndael-armv8-aarch32-ce.S: Ditto.
* cipher/sha1-armv8-aarch32-ce.S: Ditto.
* cipher/sha256-armv8-aarch32-ce.S: Ditto.
* configure.ac (gcry_cv_gcc_inline_asm_aarch32_crypto): Ditto.
--

The Raspbian distribution defaults to the ARMv6 architecture, thus the
'rbit' instruction is not available with the default compiler flags.
The patch adds explicit architecture selection for ARMv8 to enable
'rbit' usage with the ARMv8/AArch32-CE assembly implementations of SHA,
GHASH and AES.

Reported-by: Chris Horry <zerbey@gmail.com>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
14 months ago  sexp: Add fall through annotation.
NIIBE Yutaka [Tue, 25 Jul 2017 06:26:33 +0000 (15:26 +0900)]
sexp: Add fall through annotation.

* src/dumpsexp.c (parse_and_print): It's a fall through.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
14 months ago  random: Fix the command line munging for jitterbase.
Werner Koch [Mon, 24 Jul 2017 07:32:25 +0000 (09:32 +0200)]
random: Fix the command line munging for jitterbase.

* random/Makefile.am (o_flag_munging): Make the first sed term also
global.
--

The sed script did not catch multiple -O options which are not -O0.

GnuPG-bug-id: 3293
Signed-off-by: Werner Koch <wk@gnupg.org>
15 months ago  doc: Typo fix.
Werner Koch [Thu, 20 Jul 2017 08:49:24 +0000 (10:49 +0200)]
doc: Typo fix.

--