libgcrypt.git
4 months ago | aarch64: Enable building the aarch64 cipher assembly for windows
Martin Storsjö [Thu, 22 Mar 2018 21:32:40 +0000 (23:32 +0200)]
aarch64: Enable building the aarch64 cipher assembly for windows

* cipher/asm-common-aarch64.h: New.
* cipher/camellia-aarch64.S: Use ELF macro, use x19 instead of x18.
* cipher/chacha20-aarch64.S: Use ELF macro, don't use GOT on windows.
* cipher/cipher-gcm-armv8-aarch64-ce.S: Use ELF macro.
* cipher/rijndael-aarch64.S: Use ELF macro.
* cipher/rijndael-armv8-aarch64-ce.S: Use ELF macro.
* cipher/sha1-armv8-aarch64-ce.S: Use ELF macro.
* cipher/sha256-armv8-aarch64-ce.S: Use ELF macro.
* cipher/twofish-aarch64.S: Use ELF macro.
* configure.ac: Don't require .size and .type in aarch64 assembly check.
--
Don't require .type and .size in configure; we can make
them optional via a preprocessor macro.

This is mostly a mechanical change, wrapping the .type and .size
directives in an ELF() macro, with two actual manual changes:
(when targeting windows):
- Don't load global symbols via a GOT (in chacha20)
- Don't use the x18 register (in camellia); back up and restore x19
  in the prologue/epilogue and use that instead.

x18 is a platform specific register; on linux, it's free to be used
by user code, while it's reserved for platform use on windows and
darwin. Always use x19 instead of x18 for consistency.

Signed-off-by: Martin Storsjö <martin@martin.st>
4 months ago | aarch64: camellia: Only use the lower 32 bit of an int parameter
Martin Storsjö [Thu, 22 Mar 2018 21:32:39 +0000 (23:32 +0200)]
aarch64: camellia: Only use the lower 32 bit of an int parameter

* cipher/camellia-aarch64.S: Use 'w3' instead of 'x3'.
--
The keybits parameter is declared as int, and in those cases, the
upper half of a register is undefined, not guaranteed to be zero.

Signed-off-by: Martin Storsjö <martin@martin.st>
4 months ago | aarch64: Fix assembling chacha20-aarch64.S with clang/llvm
Martin Storsjö [Thu, 22 Mar 2018 21:32:38 +0000 (23:32 +0200)]
aarch64: Fix assembling chacha20-aarch64.S with clang/llvm

* cipher/chacha20-aarch64.S: Remove superfluous lane counts.
--
When referring to a specific lane, one doesn't need to specify
the total number of lanes of the register. With GNU binutils,
both forms are accepted, while clang/llvm rejects the form
with the unnecessary number of lanes.

Signed-off-by: Martin Storsjö <martin@martin.st>
4 months ago | aarch64: mpi: Fix building the mpi aarch64 assembly for windows
Martin Storsjö [Thu, 22 Mar 2018 21:32:37 +0000 (23:32 +0200)]
aarch64: mpi: Fix building the mpi aarch64 assembly for windows

* mpi/aarch64/mpih-add1.S: Use ELF macro.
* mpi/aarch64/mpih-mul1.S: Use ELF macro.
* mpi/aarch64/mpih-mul2.S: Use ELF macro.
* mpi/aarch64/mpih-mul3.S: Use ELF macro.
* mpi/aarch64/mpih-sub1.S: Use ELF macro.
* mpi/asm-common-aarch64.h: New.
--

The mpi aarch64 assembly is enabled as soon as the compiler supports
inline assembly, without checking for .type and .size, as is done
for the rest of the assembly in cipher/*.S. (The .type and .size
directives are only supported on ELF.)

Signed-off-by: Martin Storsjö <martin@martin.st>
4 months ago | random: Don't assume that _WIN64 implies x86_64
Martin Storsjö [Thu, 22 Mar 2018 21:32:36 +0000 (23:32 +0200)]
random: Don't assume that _WIN64 implies x86_64

* random/rndw32.c: Change _WIN64 ifdef into __x86_64__.
--

This fixes building this file for windows on aarch64.

Signed-off-by: Martin Storsjö <martin@martin.st>
4 months ago | Register DCO for Martin Storsjö
Jussi Kivilinna [Wed, 28 Mar 2018 17:32:56 +0000 (20:32 +0300)]
Register DCO for Martin Storsjö

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 months ago | tests/aeswrap: add in-place encryption/decryption testing
Jussi Kivilinna [Thu, 22 Mar 2018 19:54:20 +0000 (21:54 +0200)]
tests/aeswrap: add in-place encryption/decryption testing

* tests/aeswrap.c (check): Rename to...
(check_one): ...this and add in-place testing.
(check): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 months ago | AES-KW: fix in-place encryption
Stephan Mueller [Mon, 12 Mar 2018 21:24:37 +0000 (22:24 +0100)]
AES-KW: fix in-place encryption

* cipher/cipher-aeswrap.c: move memmove call before KW IV setting
--

In case AES-KW in-place encryption is performed, the plaintext must be
moved to the correct destination location before the first semiblock of
the destination buffer is modified. Without the patch, the first
semiblock of the plaintext is overwritten with a6a6a6a6a6a6a6a6.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
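The ordering bug described in this commit is a plain aliasing problem: the default AES-KW IV A6A6A6A6A6A6A6A6 is written into the first semiblock of the output before the plaintext has been shifted up one semiblock, so when the caller passes the same buffer as input and output the first eight plaintext bytes are destroyed before memmove reads them. The following is an added example, not libgcrypt's cipher-aeswrap.c: it models only the buffer set-up step of key wrap (the AES rounds are left out, since the bug is independent of them), places the broken ordering beside the fixed one, and checks each against an out-of-place run. The plaintext bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3394 / SP 800-38F default initial value for key wrap. */
static const uint8_t KW_IV[8] = { 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6 };

/* Constructed 16-byte sample plaintext (two semiblocks). */
const uint8_t SAMPLE_PT[16] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};

/* Broken order (the behaviour the commit fixes): the IV lands in
   out[0..8) before the plaintext is moved to out[8..8+len).  When
   out == in, the first semiblock of plaintext is overwritten with
   a6a6a6a6a6a6a6a6 before memmove ever reads it. */
void kw_setup_buggy(uint8_t *out, const uint8_t *in, size_t len)
{
    memcpy(out, KW_IV, 8);
    memmove(out + 8, in, len);
}

/* Fixed order: move the plaintext to its destination first, then
   write the IV into the now-free first semiblock. */
void kw_setup_fixed(uint8_t *out, const uint8_t *in, size_t len)
{
    memmove(out + 8, in, len);
    memcpy(out, KW_IV, 8);
}

/* Runs SETUP once in place (input and output are the same buffer) and
   once out of place on PT, and reports whether both produce the same
   8 + len bytes.  Returns 1 on agreement, 0 on divergence, -1 if the
   sample is too long for the scratch buffers. */
int in_place_matches(void (*setup)(uint8_t *, const uint8_t *, size_t),
                     const uint8_t *pt, size_t len)
{
    uint8_t inplace[64];
    uint8_t separate[64];

    if (len > sizeof(inplace) - 8)
        return -1;

    memcpy(inplace, pt, len);
    setup(inplace, inplace, len);   /* aliased: out == in */
    setup(separate, pt, len);       /* non-aliased reference */
    return memcmp(inplace, separate, len + 8) == 0;
}

int main(void)
{
    printf("fixed order, in-place == out-of-place: %d\n",
           in_place_matches(kw_setup_fixed, SAMPLE_PT, sizeof SAMPLE_PT));
    printf("buggy order, in-place == out-of-place: %d\n",
           in_place_matches(kw_setup_buggy, SAMPLE_PT, sizeof SAMPLE_PT));
    return 0;
}
```

The companion test added in tests/aeswrap.c by the next commit does the same thing at the API level: wrap and unwrap with distinct buffers, then repeat with the input buffer reused as output, and compare.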
4 months ago | bench-slope: add CPU frequency auto-detection
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:23 +0000 (21:42 +0200)]
bench-slope: add CPU frequency auto-detection

* tests/bench-slope.c (bench_obj): Add 'hd'.
(bench_encrypt_init, bench_encrypt_free, bench_encrypt_do_bench)
(bench_decrypt_do_bench, bench_xts_encrypt_init)
(bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench)
(bench_ccm_encrypt_init, bench_ccm_encrypt_do_bench)
(bench_ccm_decrypt_do_bench, bench_aead_encrypt_init)
(bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
(bench_hash_init, bench_hash_free, bench_hash_do_bench)
(bench_mac_init, bench_mac_free, bench_mac_do_bench): Use 'obj->hd'
for storing pointer to crypto context.
(auto_ghz): New.
(do_slope_benchmark): Rename to...
(slope_benchmark): ...this.
(auto_ghz_init, auto_ghz_free, auto_ghz_bench, auto_ghz_detect_ops)
(get_auto_ghz, do_slope_benchmark): New.
(double_to_str): Round number larger than 1000 to integer.
(bench_print_result_csv, bench_print_result_std)
(bench_print_result, bench_print_header, cipher_bench_one)
(hash_bench_one, mac_bench_one, kdf_bench_one, kdf_bench): Add
auto-detected frequency printing.
(print_help): Help for CPU speed auto-detection mode.
(main): Add parsing for "--cpu-mhz auto".
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 months ago | _gcry_burn_stack: use memset for clearing memory
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:23 +0000 (21:42 +0200)]
_gcry_burn_stack: use memset for clearing memory

* src/misc.c (__gcry_burn_stack) [HAVE_VLA]: Use 'memset' for clearing
stack.
--

Patch switches stack burning to use faster memset instead of
wipememory. Memset is accessed through volatile function pointer,
so that compiler will not optimize away the call.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 months ago | Improve constant-time buffer compare
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:22 +0000 (21:42 +0200)]
Improve constant-time buffer compare

* cipher/bufhelp.h (buf_eq_const): Rewrite logic.
--

New implementation for constant-time buffer comparing that
avoids generating conditional code in comparison loop.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
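The property this commit is after is that the comparison loop contains no data-dependent branch: every byte is visited regardless of where the first mismatch lies, and the final 0/1 result is derived arithmetically rather than with a conditional. The block below is an added example, not libgcrypt's buf_eq_const from cipher/bufhelp.h. It shows an early-exit compare instrumented to report how many bytes it inspected (the quantity a timing attacker measures when a MAC tag is checked this way) next to a constant-time compare that OR-accumulates XOR differences and folds the accumulator to 0 or 1 without branching. The tag values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit compare.  Returns 1 if equal, 0 otherwise, and writes to
   *inspected how many bytes were read before returning: with a
   mismatch at byte i the loop stops after i + 1 bytes, so the running
   time reveals the position of the first differing byte. */
int buf_eq_naive(const void *a, const void *b, size_t len, size_t *inspected)
{
    const uint8_t *pa = a, *pb = b;
    size_t i;

    for (i = 0; i < len; i++) {
        if (pa[i] != pb[i]) {
            *inspected = i + 1;
            return 0;
        }
    }
    *inspected = len;
    return 1;
}

/* Constant-time compare.  The loop has no conditional: it ORs the XOR
   of every byte pair into an accumulator, so all LEN bytes are read
   on every call.  The accumulator is then reduced to 1 (equal) or 0
   (different) with unsigned arithmetic instead of a branch. */
int buf_eq_const(const void *a, const void *b, size_t len)
{
    const volatile uint8_t *pa = a;
    const volatile uint8_t *pb = b;
    unsigned int diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= pa[i] ^ pb[i];

    /* diff is in 0..255.  (diff - 1) >> 8 is non-zero only when
       diff == 0, because the subtraction then wraps to UINT_MAX. */
    return ((diff - 1) >> 8) & 1;
}

/* Constructed 16-byte tags: T1 == T2, T3 differs from T1 only in the
   last byte, T4 differs in the first byte. */
const uint8_t T1[16] = { 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };
const uint8_t T2[16] = { 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };
const uint8_t T3[16] = { 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,0xff };
const uint8_t T4[16] = { 0xff,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };

int main(void)
{
    size_t n;
    int r;

    r = buf_eq_naive(T1, T3, 16, &n);
    printf("naive T1 vs T3: equal=%d bytes inspected=%zu\n", r, n);
    r = buf_eq_naive(T1, T4, 16, &n);
    printf("naive T1 vs T4: equal=%d bytes inspected=%zu\n", r, n);
    printf("const T1 vs T2: %d\n", buf_eq_const(T1, T2, 16));
    printf("const T1 vs T3: %d\n", buf_eq_const(T1, T3, 16));
    printf("const T1 vs T4: %d\n", buf_eq_const(T1, T4, 16));
    return 0;
}
```

The volatile qualifier on the loaded bytes keeps the compiler from collapsing the loop into an early-exit sequence; inspecting the generated assembly for the target compiler is still the only way to confirm no branch was reintroduced.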
4 months ago | doc: Clarify the value range of the use-rsa-e parameter.
Werner Koch [Thu, 22 Mar 2018 14:28:04 +0000 (15:28 +0100)]
doc: Clarify the value range of the use-rsa-e parameter.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
6 months ago | Add Intel SHA Extensions accelerated SHA256 implementation
Jussi Kivilinna [Thu, 15 Feb 2018 20:13:28 +0000 (22:13 +0200)]
Add Intel SHA Extensions accelerated SHA256 implementation

* cipher/Makefile.am: Add 'sha256-intel-shaext.c'.
* cipher/sha256-intel-shaext.c: New.
* cipher/sha256.c (USE_SHAEXT)
(_gcry_sha256_transform_intel_shaext): New.
(SHA256_CONTEXT): Add 'use_shaext'.
(sha256_init, sha224_init) [USE_SHAEXT]: Use shaext if supported.
(transform) [USE_SHAEXT]: Use shaext if enabled.
(transform): Only add ASM_EXTRA_STACK if returned burn length is not
zero.
* configure.ac: Add 'sha256-intel-shaext.lo'.
--

Benchmark on Intel Celeron J3455 (1500 Mhz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |     10.07 ns/B     94.72 MiB/s     15.10 c/B

After (3.7x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |      2.70 ns/B     353.8 MiB/s      4.04 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 months ago | Add Intel SHA Extensions accelerated SHA1 implementation
Jussi Kivilinna [Tue, 13 Feb 2018 18:22:41 +0000 (20:22 +0200)]
Add Intel SHA Extensions accelerated SHA1 implementation

* cipher/Makefile.am: Add 'sha1-intel-shaext.c'.
* cipher/sha1-intel-shaext.c: New.
* cipher/sha1.c (USE_SHAEXT, _gcry_sha1_transform_intel_shaext): New.
(sha1_init) [USE_SHAEXT]: Use shaext implementation if supported.
(transform) [USE_SHAEXT]: Use shaext if enabled.
(transform): Only add ASM_EXTRA_STACK if returned burn length is not
zero.
* cipher/sha1.h (SHA1_CONTEXT): Add 'use_shaext'.
* configure.ac: Add 'sha1-intel-shaext.lo'.
(shaextsupport, gcry_cv_gcc_inline_asm_shaext): New.
* src/g10lib.h: Add HWF_INTEL_SHAEXT and reorder HWF flags.
* src/hwf-x86.c (detect_x86_gnuc): Detect SHA Extensions.
* src/hwfeatures.c (hwflist): Add 'intel-shaext'.
--

Benchmark on Intel Celeron J3455 (1500 Mhz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA1           |      4.50 ns/B     211.7 MiB/s      6.76 c/B

After (4.0x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA1           |      1.11 ns/B     858.1 MiB/s      1.67 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 months ago | AVX implementation of BLAKE2s
Jussi Kivilinna [Thu, 8 Feb 2018 17:45:10 +0000 (19:45 +0200)]
AVX implementation of BLAKE2s

* cipher/Makefile.am: Add 'blake2s-amd64-avx.S'.
* cipher/blake2.c (USE_AVX, _gry_blake2s_transform_amd64_avx): New.
(BLAKE2S_CONTEXT) [USE_AVX]: Add 'use_avx'.
(blake2s_transform): Rename to ...
(blake2s_transform_generic): ... this.
(blake2s_transform): New.
(blake2s_final): Pass 'ctx' pointer to transform function instead of
'S'.
(blake2s_init_ctx): Check HW features and enable AVX implementation
if supported.
* cipher/blake2s-amd64-avx.S: New.
* configure.ac: Add 'blake2s-amd64-avx.lo'.
--

Benchmark on Intel Core i7-4790K (4.0 Ghz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2S_256    |      1.77 ns/B     538.2 MiB/s      7.09 c/B

After (~1.3x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2S_256    |      1.34 ns/B     711.4 MiB/s      5.36 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 months ago | AVX2 implementation of BLAKE2b
Jussi Kivilinna [Sun, 14 Jan 2018 14:48:17 +0000 (16:48 +0200)]
AVX2 implementation of BLAKE2b

* cipher/Makefile.am: Add 'blake2b-amd64-avx2.S'.
* cipher/blake2.c (USE_AVX2, ASM_FUNC_ABI, ASM_EXTRA_STACK)
(_gry_blake2b_transform_amd64_avx2): New.
(BLAKE2B_CONTEXT) [USE_AVX2]: Add 'use_avx2'.
(blake2b_transform): Rename to ...
(blake2b_transform_generic): ... this.
(blake2b_transform): New.
(blake2b_final): Pass 'ctx' pointer to transform function instead of
'S'.
(blake2b_init_ctx): Check HW features and enable AVX2 implementation
if supported.
* cipher/blake2b-amd64-avx2.S: New.
* configure.ac: Add 'blake2b-amd64-avx2.lo'.
--

Benchmark on Intel Core i7-4790K (4.0 Ghz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2B_512    |      1.07 ns/B     887.8 MiB/s      4.30 c/B

After (~1.4x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2B_512    |     0.771 ns/B    1236.8 MiB/s      3.08 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 months ago | Fix incorrect counter overflow handling for GCM
Jussi Kivilinna [Wed, 31 Jan 2018 18:02:48 +0000 (20:02 +0200)]
Fix incorrect counter overflow handling for GCM

* cipher/cipher-gcm.c (gcm_ctr_encrypt): New function to handle
32-bit CTR increment for GCM.
(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Do not use
generic CTR implementation directly, use gcm_ctr_encrypt instead.
* tests/basic.c (_check_gcm_cipher): Add test-vectors for 32-bit
CTR overflow.
(check_gcm_cipher): Add 'split input to 15 bytes and 17 bytes'
test-runs.
--

Reported-by: Clemens Lang <Clemens.Lang@bmw.de>
> I believe we have found what seems to be a bug in counter overflow
> handling in AES-GCM in libgcrypt's implementation. This leads to
> incorrect results when using a non-12-byte IV and decrypting payloads
> encrypted with other AES-GCM implementations, such as OpenSSL.
>
> According to the NIST Special Publication 800-38D "Recommendation for
> Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC",
> section 7.1, algorithm 4, step 3 [NIST38D], the counter increment is
> defined as inc_32. Section 6.2 of the same document defines the
> incrementing function inc_s for positive integers s as follows:
>
> | the function increments the right-most s bits of the string, regarded
> | as the binary representation of an integer, modulo 2^s; the remaining,
> | left-most len(X) - s bits remain unchanged
>
> (X is the complete counter value in this case)
>
> This problem does not occur when using a 12-byte IV, because AES-GCM has
> a special case for the initial counter value with 12-byte IVs:
>
> | If len(IV)=96, then J_0 = IV || 0^31 || 1
>
> i.e., one would have to encrypt (UINT_MAX - 1) * blocksize of data to
> hit an overflow. However, for non-12-byte IVs, the initial counter value
> is the output of a hash function, which makes hitting an overflow much
> more likely.
>
> In practice, we have found that using
>
>  iv = 9e 79 18 8c ff 09 56 1e c9 90 99 cc 6d 5d f6 d3
>  key = 26 56 e5 73 76 03 c6 95 0d 22 07 31 5d 32 5c 6b a5 54 5f 40 23 98 60 f6 f7 06 6f 7a 4f c2 ca 40
>
> will reliably trigger an overflow when encrypting 10 MiB of data. It
> seems that this is caused by re-using the AES-CTR implementation for
> incrementing the counter.

Bug was introduced by commit bd4bd23a2511a4bce63c3217cca0d4ecf0c79532
"GCM: Use counter mode code for speed-up".

GnuPG-bug-id: 3764
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
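The distinction at the heart of this bug is between the two increment functions mentioned in the report: GCM's inc_32 from SP 800-38D section 6.2, which adds one to the right-most 32 bits modulo 2^32 and leaves the left-most 96 bits untouched, and a generic big-endian CTR increment, which carries through the whole 128-bit block. The two agree until the low 32 bits wrap, which is why interoperability only breaks for long messages, and mostly with non-96-bit IVs, where J_0 is a GHASH output rather than IV || 0^31 || 1 and the low word starts at an arbitrary value. The following is an added example, not libgcrypt's gcm_ctr_encrypt: it implements both increments, builds J_0 for the 96-bit-IV case, and shows the divergence on a constructed counter block that sits one step before the wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* inc_32 (SP 800-38D 6.2): increment the right-most 32 bits of the
   16-byte big-endian counter block modulo 2^32; bytes 0..11 are never
   modified. */
void gcm_inc32(uint8_t ctr[16])
{
    uint32_t low = ((uint32_t)ctr[12] << 24) | ((uint32_t)ctr[13] << 16)
                 | ((uint32_t)ctr[14] << 8)  |  (uint32_t)ctr[15];
    low += 1;                      /* unsigned wrap gives the mod 2^32 */
    ctr[12] = (uint8_t)(low >> 24);
    ctr[13] = (uint8_t)(low >> 16);
    ctr[14] = (uint8_t)(low >> 8);
    ctr[15] = (uint8_t)low;
}

/* Generic big-endian CTR increment: the carry propagates through all
   16 bytes.  This is the behaviour a shared CTR-mode routine gives and
   the behaviour GCM must not use. */
void ctr_inc128(uint8_t ctr[16])
{
    int i;
    for (i = 15; i >= 0; i--)
        if (++ctr[i] != 0)
            break;
}

/* J_0 for a 96-bit IV: IV || 0^31 || 1, so the low 32-bit word starts
   at 1 and the wrap is 2^32 - 2 blocks away. */
void gcm_j0_96bit(const uint8_t iv[12], uint8_t j0[16])
{
    memcpy(j0, iv, 12);
    j0[12] = 0;
    j0[13] = 0;
    j0[14] = 0;
    j0[15] = 1;
}

/* Returns 1 if one step of inc_32 and one step of the full-width
   increment yield the same block starting from START, 0 otherwise. */
int increments_agree(const uint8_t start[16])
{
    uint8_t a[16], b[16];
    memcpy(a, start, 16);
    memcpy(b, start, 16);
    gcm_inc32(a);
    ctr_inc128(b);
    return memcmp(a, b, 16) == 0;
}

/* Constructed counter block one step before the low word wraps; bytes
   0..11 are an arbitrary non-zero prefix so a carry into them is
   visible. */
const uint8_t CTR_AT_WRAP[16] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x7f, 0xff, 0xff, 0xff, 0xff
};

/* 1 if inc_32 applied to CTR_AT_WRAP zeroes the low word and leaves
   bytes 0..11 unchanged. */
int inc32_keeps_high_bits(void)
{
    uint8_t c[16];
    memcpy(c, CTR_AT_WRAP, 16);
    gcm_inc32(c);
    return memcmp(c, CTR_AT_WRAP, 12) == 0
        && c[12] == 0 && c[13] == 0 && c[14] == 0 && c[15] == 0;
}

/* 1 if the full-width increment applied to CTR_AT_WRAP carries into
   byte 11 (0x7f -> 0x80). */
int inc128_carries_into_high_bits(void)
{
    uint8_t c[16];
    memcpy(c, CTR_AT_WRAP, 16);
    ctr_inc128(c);
    return c[11] == 0x80 && c[15] == 0 && memcmp(c, CTR_AT_WRAP, 11) == 0;
}

int main(void)
{
    printf("inc_32 preserves bytes 0..11:        %d\n", inc32_keeps_high_bits());
    printf("128-bit increment carries into them: %d\n", inc128_carries_into_high_bits());
    printf("increments agree at the wrap point:  %d\n", increments_agree(CTR_AT_WRAP));
    return 0;
}
```

A regression test for this class of bug needs a counter whose low word is close to 2^32 - 1, which is what the added 32-bit CTR overflow vectors in tests/basic.c provide; splitting the input at odd sizes (the 15- and 17-byte runs) additionally checks that the wrap is handled identically across call boundaries.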
6 months ago | Fix use of AVX instructions in ChaCha20 SSSE3 implementation
Jussi Kivilinna [Mon, 22 Jan 2018 20:17:50 +0000 (22:17 +0200)]
Fix use of AVX instructions in ChaCha20 SSSE3 implementation

* cipher/chacha20-amd64-ssse3.S: Replace two 'vmovdqa' instructions
with 'movdqa'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 months ago | doc: fix double "See" in front of reference
Jussi Kivilinna [Sat, 20 Jan 2018 19:12:12 +0000 (21:12 +0200)]
doc: fix double "See" in front of reference

* doc/gcrypt.texi: Change @xref to @ref when text already has 'see' in
the front.
--

@xref references start with `See ...'. Use @ref instead
when text already has 'see' in front.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 months ago | Add EAX mode
Jussi Kivilinna [Sat, 20 Jan 2018 19:08:37 +0000 (21:08 +0200)]
Add EAX mode

* cipher/Makefile.am: Add 'cipher-eax.c'.
* cipher/cipher-cmac.c (cmac_write): Rename to ...
(_gcry_cmac_write): ... this; Take CMAC context as new input
parameter; Return error code.
(cmac_generate_subkeys): Rename to ...
(_gcry_cmac_generate_subkeys): ... this; Take CMAC context as new
input parameter; Return error code.
(cmac_final): Rename to ...
(_gcry_cmac_final): ... this; Take CMAC context as new input
parameter; Return error code.
(cmac_tag): Take CMAC context as new input parameter.
(_gcry_cmac_reset): New.
(_gcry_cipher_cmac_authenticate): Remove duplicate tag flag check;
Adapt to changes above.
(_gcry_cipher_cmac_get_tag): Adapt to changes above.
(_gcry_cipher_cmac_check_tag): Ditto.
(_gcry_cipher_cmac_set_subkeys): Ditto.
* cipher-eax.c: New.
* cipher-internal.h (gcry_cmac_context_t): New.
(gcry_cipher_handle): Update u_mode.cmac; Add u_mode.eax.
(_gcry_cmac_write, _gcry_cmac_generate_subkeys, _gcry_cmac_final)
(_gcry_cmac_reset, _gcry_cipher_eax_encrypt, _gcry_cipher_eax_decrypt)
(_gcry_cipher_eax_set_nonce, _gcry_cipher_eax_authenticate)
(_gcry_cipher_eax_get_tag, _gcry_cipher_eax_check_tag)
(_gcry_cipher_eax_setkey): New prototypes.
* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
(cipher_reset, cipher_encrypt, cipher_decrypt, _gcry_cipher_setiv)
(_gcry_cipher_authenticate, _gcry_cipher_gettag, _gcry_cipher_checktag)
(_gcry_cipher_info): Add EAX mode.
* doc/gcrypt.texi: Add EAX mode.
* src/gcrypt.h.in (GCRY_CIPHER_MODE_EAX): New.
* tests/basic.c (_check_gcm_cipher, _check_poly1305_cipher): Constify
test vectors array.
(_check_eax_cipher, check_eax_cipher): New.
(check_ciphers, check_cipher_modes): Add EAX mode.
* tests/bench-slope.c (bench_eax_encrypt_do_bench)
(bench_eax_decrypt_do_bench, bench_eax_authenticate_do_bench)
(eax_encrypt_ops, eax_decrypt_ops, eax_authenticate_ops): New.
(cipher_modes): Add EAX mode.
* tests/benchmark.c (cipher_bench): Add EAX mode.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 months ago | cipher: constify spec arrays
Jussi Kivilinna [Sun, 7 Jan 2018 20:19:13 +0000 (22:19 +0200)]
cipher: constify spec arrays

* cipher/cipher.c (cipher_list): Constify array.
* cipher/mac.c (mac_list): Constify array.
* cipher/md.c (digest_list): Constify array.
* cipher/pubkey.c (pubkey_list): Constify array.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 months ago | Add ARMv8/CE acceleration for AES-XTS
Jussi Kivilinna [Sat, 20 Jan 2018 20:05:19 +0000 (22:05 +0200)]
Add ARMv8/CE acceleration for AES-XTS

* cipher/rijndael-armv8-aarch32-ce.S (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce): New.
* cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce): New.
* cipher/rijndael-armv8-ce.c (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce, xts_crypt_fn_t)
(_gcry_aes_armv8_ce_xts_crypt): New.
* cipher/rijndael.c (_gcry_aes_armv8_ce_xts_crypt): New.
(_gcry_aes_xts_crypt) [USE_ARM_CE]: New.
--

Benchmark on Cortex-A53 (AArch64, 1152 Mhz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      4.88 ns/B     195.5 MiB/s      5.62 c/B
        XTS dec |      4.94 ns/B     192.9 MiB/s      5.70 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      5.55 ns/B     171.8 MiB/s      6.39 c/B
        XTS dec |      5.61 ns/B     169.9 MiB/s      6.47 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      6.22 ns/B     153.3 MiB/s      7.17 c/B
        XTS dec |      6.29 ns/B     151.7 MiB/s      7.24 c/B
                =

After (~2.6x faster):
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      1.83 ns/B     520.9 MiB/s      2.11 c/B
        XTS dec |      1.82 ns/B     524.9 MiB/s      2.09 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      1.97 ns/B     483.3 MiB/s      2.27 c/B
        XTS dec |      1.96 ns/B     486.9 MiB/s      2.26 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.11 ns/B     450.9 MiB/s      2.44 c/B
        XTS dec |      2.10 ns/B     453.8 MiB/s      2.42 c/B
                =

Benchmark on Cortex-A53 (AArch32, 1152 Mhz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      6.52 ns/B     146.2 MiB/s      7.51 c/B
        XTS dec |      6.57 ns/B     145.2 MiB/s      7.57 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      7.10 ns/B     134.3 MiB/s      8.18 c/B
        XTS dec |      7.11 ns/B     134.2 MiB/s      8.19 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      7.30 ns/B     130.7 MiB/s      8.41 c/B
        XTS dec |      7.38 ns/B     129.3 MiB/s      8.50 c/B
                =

After (~2.7x faster):
Cipher:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.33 ns/B     409.6 MiB/s      2.68 c/B
        XTS dec |      2.35 ns/B     405.3 MiB/s      2.71 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.53 ns/B     377.6 MiB/s      2.91 c/B
        XTS dec |      2.54 ns/B     375.5 MiB/s      2.93 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.75 ns/B     346.8 MiB/s      3.17 c/B
        XTS dec |      2.76 ns/B     345.2 MiB/s      3.18 c/B
                =

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | rijndael-ssse3: call assembly functions directly
Jussi Kivilinna [Sat, 6 Jan 2018 21:21:44 +0000 (23:21 +0200)]
rijndael-ssse3: call assembly functions directly

* cipher/rijndael-ssse3-amd64-asm.S (_gcry_aes_ssse3_enc_preload)
(_gcry_aes_ssse3_dec_preload, _gcry_aes_ssse3_encrypt_core)
(_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add
ENTER_SYSV_FUNC_PARAMS_* at function entry and EXIT_SYSV_FUNC at exit.
(_gcry_aes_ssse3_encrypt_core, _gcry_aes_ssse3_decrypt_core): Change
input parameters to RDI and RSI registers.
* cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_encrypt_core)
(_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add parameters
for function prototypes.
(PUSH_STACK_PTR, POP_STACK_PTR): Remove.
(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Remove inline assembly to
call functions, and call directly instead.
--

Instead of using inline assembly to call assembly functions in
AES SSSE3 implementation, change assembly functions so that they
can be called directly instead.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | Move AMD64 MS to SysV calling convention conversion to assembly side
Jussi Kivilinna [Sat, 6 Jan 2018 20:19:56 +0000 (22:19 +0200)]
Move AMD64 MS to SysV calling convention conversion to assembly side

* cipher/Makefile.am: Add 'asm-common-amd64.h'.
* cipher/asm-common-amd64.h: New.
* cipher/blowfish-amd64.S: Add ENTER_SYSV_FUNC_* and EXIT_SYSV_FUNC for
each global function from 'asm-common-amd64.h'.
* cipher/cast5-amd64.S: Ditto.
* cipher/des-amd64.S: Ditto.
* cipher/rijndael-amd64.S: Ditto.
* cipher/twofish-amd64.S: Ditto.
* cipher/arcfour-amd64.S: Ditto.
* cipher/blowfish.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(call_sysv_fn): Remove.
* cipher/cast5.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(call_sysv_fn): Remove.
* cipher/twofish.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(call_sysv_fn, call_sysv_fn5, call_sysv_fn6): Remove.
* cipher/rijndael.c (do_encrypt, do_decrypt)
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Remove assembly block for
calling SysV ABI function.
* cipher/arcfour.c [USE_AMD64_ASM] (encrypt_stream): Ditto.
--

Old approach was to convert MS ABI to SysV ABI calling convention
for AMD64 assembly functions at caller side. This patch moves
calling convention conversion to assembly/callee side.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | Make BMI2 inline assembly check more robust
Jussi Kivilinna [Sat, 6 Jan 2018 18:26:52 +0000 (20:26 +0200)]
Make BMI2 inline assembly check more robust

* configure.ac (gcry_cv_gcc_inline_asm_bmi2): New assembly test.
--

Use actual assembly snippets from keccak.c to check that compiler
has proper support for used BMI2 instructions.

GnuPG-bug-id: 3408
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | Add AES-NI acceleration for AES-XTS
Jussi Kivilinna [Sat, 6 Jan 2018 16:53:20 +0000 (18:53 +0200)]
Add AES-NI acceleration for AES-XTS

* cipher/cipher-internal.h (gcry_cipher_handle): Change bulk
XTS function to take cipher context.
* cipher/cipher-xts.c (_gcry_cipher_xts_crypt): Ditto.
* cipher/cipher.c (_gcry_cipher_open_internal): Setup AES-NI
XTS bulk function.
* cipher/rijndael-aesni.c (xts_gfmul_const, _gcry_aes_aesni_xts_enc)
(_gcry_aes_aesni_xts_enc, _gcry_aes_aesni_xts_crypt): New.
* cipher/rijndael.c (_gcry_aes_aesni_xts_crypt)
(_gcry_aes_xts_crypt): New.
* src/cipher.h (_gcry_aes_xts_crypt): New.
--

Benchmarks on Intel Core i7-4790K, 4.0Ghz (no turbo):

Before:
        XTS enc |      1.66 ns/B     575.7 MiB/s      6.63 c/B
        XTS dec |      1.66 ns/B     575.5 MiB/s      6.63 c/B

After (~6x faster):
        XTS enc |     0.270 ns/B    3528.5 MiB/s      1.08 c/B
        XTS dec |     0.272 ns/B    3511.5 MiB/s      1.09 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | AES-NI improvements for AMD64
Jussi Kivilinna [Sat, 6 Jan 2018 16:53:20 +0000 (18:53 +0200)]
AES-NI improvements for AMD64

* cipher/rijndael-aesni.c [__x86_64__] (aesni_prepare_7_15_variable)
(aesni_prepare_7_15, aesni_cleanup_7_15, do_aesni_enc_vec8)
(do_aesni_dec_vec8, do_aesni_ctr_8): New.
(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
(_gcry_aes_aesni_cbc_dec, aesni_ocb_enc, aesni_ocb_dec)
(_gcry_aes_aesni_ocb_auth) [__x86_64__]: Add 8 parallel blocks
processing.
--

Benchmarks on Intel Core i7-4790K, 4.0Ghz (no turbo, no HT):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CBC dec |     0.175 ns/B    5448.7 MiB/s     0.700 c/B
        CFB dec |     0.174 ns/B    5466.2 MiB/s     0.698 c/B
        CTR enc |     0.182 ns/B    5226.0 MiB/s     0.730 c/B
        OCB enc |     0.194 ns/B    4913.9 MiB/s     0.776 c/B
        OCB dec |     0.200 ns/B    4769.2 MiB/s     0.800 c/B
       OCB auth |     0.172 ns/B    5545.0 MiB/s     0.688 c/B

After (1.08x to 1.14x faster):
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CBC dec |     0.157 ns/B    6075.6 MiB/s     0.628 c/B
        CFB dec |     0.158 ns/B    6034.1 MiB/s     0.632 c/B
        CTR enc |     0.159 ns/B    5979.4 MiB/s     0.638 c/B
        OCB enc |     0.175 ns/B    5447.1 MiB/s     0.700 c/B
        OCB dec |     0.183 ns/B    5203.9 MiB/s     0.733 c/B
       OCB auth |     0.156 ns/B    6101.3 MiB/s     0.625 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | Add ARMv8/AArch64 implementation of chacha20
Jussi Kivilinna [Sat, 6 Jan 2018 16:58:04 +0000 (18:58 +0200)]
Add ARMv8/AArch64 implementation of chacha20

* cipher/Makefile.am: Add 'chacha20-aarch64.S'.
* cipher/chacha20-aarch64.S: New.
* cipher/chacha20.c (USE_AARCH64_SIMD): New.
(_gcry_chacha20_aarch_blocks4): New.
(chacha20_do_setkey): Add HWF selection for Aarch64 implementation.
* configure.ac: Add 'chacha20-aarch64.lo'.
--

Benchmark on Cortex-A53 (1152 Mhz):

Before:
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      7.91 ns/B     120.6 MiB/s      9.11 c/B
     STREAM dec |      7.91 ns/B     120.6 MiB/s      9.11 c/B

After (1.66x faster):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      4.74 ns/B     201.2 MiB/s      5.46 c/B
     STREAM dec |      4.74 ns/B     201.3 MiB/s      5.46 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | New ChaCha implementations
Jussi Kivilinna [Tue, 9 Jan 2018 16:40:25 +0000 (18:40 +0200)]
New ChaCha implementations

* cipher/Makefile.am: Remove 'chacha20-sse2-amd64.S',
'chacha20-ssse3-amd64.S', 'chacha20-avx2-amd64.S'; Add
'chacha20-amd64-ssse3.S', 'chacha20-amd64-avx2.S'.
* cipher/chacha20-amd64-avx2.S: New.
* cipher/chacha20-amd64-ssse3.S: New.
* cipher/chacha20-armv7-neon.S: Rewrite.
* cipher/chacha20-avx2-amd64.S: Remove.
* cipher/chacha20-sse2-amd64.S: Remove.
* cipher/chacha20-ssse3-amd64.S: Remove.
* cipher/chacha20.c (CHACHA20_INPUT_LENGTH, USE_SSE2, USE_NEON)
(ASM_EXTRA_STACK, chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks)
(_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks)
(_gcry_chacha20_armv7_neon_blocks, QROUND, QOUT, chacha20_core)
(chacha20_do_encrypt_stream): Remove.
(_gcry_chacha20_amd64_ssse3_blocks4, _gcry_chacha20_amd64_avx2_blocks8)
(_gcry_chacha20_armv7_neon_blocks4, ROTATE, XOR, PLUS, PLUSONE)
(QUARTERROUND, BUF_XOR_LE32): New.
(CHACHA20_context_s, chacha20_blocks, chacha20_keysetup)
(chacha20_encrypt_stream): Rewrite.
(chacha20_do_setkey): Adjust for new CHACHA20_context_s.
* configure.ac: Remove 'chacha20-sse2-amd64.lo',
'chacha20-ssse3-amd64.lo', 'chacha20-avx2-amd64.lo'; Add
'chacha20-amd64-ssse3.lo', 'chacha20-amd64-avx2.lo'.
--

Intel Core i7-4790K CPU @ 4.00GHz (x86_64/AVX2):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |     0.319 ns/B    2988.5 MiB/s      1.28 c/B
     STREAM dec |     0.318 ns/B    2995.4 MiB/s      1.27 c/B

Intel Core i7-4790K CPU @ 4.00GHz (x86_64/SSSE3):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |     0.633 ns/B    1507.4 MiB/s      2.53 c/B
     STREAM dec |     0.633 ns/B    1506.6 MiB/s      2.53 c/B

Intel Core i7-4790K CPU @ 4.00GHz (i386):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      2.05 ns/B     465.2 MiB/s      8.20 c/B
     STREAM dec |      2.04 ns/B     467.5 MiB/s      8.16 c/B

Cortex-A53 @ 1152Mhz (armv7/neon):
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      5.29 ns/B     180.3 MiB/s      6.09 c/B
     STREAM dec |      5.29 ns/B     180.1 MiB/s      6.10 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | New Poly1305 implementations
Jussi Kivilinna [Sat, 6 Jan 2018 16:53:20 +0000 (18:53 +0200)]
New Poly1305 implementations

* cipher/Makefile.am: Include '../mpi' for 'longlong.h'; Remove
'poly1305-sse2-amd64.S', 'poly1305-avx2-amd64.S' and
'poly1305-armv7-neon.S'.
* cipher/poly1305-armv7-neon.S: Remove.
* cipher/poly1305-avx2-amd64.S: Remove.
* cipher/poly1305-sse2-amd64.S: Remove.
* cipher/poly1305-internal.h (POLY1305_BLOCKSIZE)
(POLY1305_STATE): New.
(POLY1305_SYSV_FUNC_ABI, POLY1305_REF_BLOCKSIZE)
(POLY1305_REF_STATESIZE, POLY1305_REF_ALIGNMENT)
(POLY1305_USE_SSE2, POLY1305_SSE2_BLOCKSIZE, POLY1305_SSE2_STATESIZE)
(POLY1305_SSE2_ALIGNMENT, POLY1305_USE_AVX2, POLY1305_AVX2_BLOCKSIZE)
(POLY1305_AVX2_STATESIZE, POLY1305_AVX2_ALIGNMENT)
(POLY1305_USE_NEON, POLY1305_NEON_BLOCKSIZE, POLY1305_NEON_STATESIZE)
(POLY1305_NEON_ALIGNMENT, POLY1305_LARGEST_BLOCKSIZE)
(POLY1305_LARGEST_STATESIZE, POLY1305_LARGEST_ALIGNMENT)
(POLY1305_STATE_BLOCKSIZE, POLY1305_STATE_STATESIZE)
(POLY1305_STATE_ALIGNMENT, OPS_FUNC_ABI, poly1305_key_s)
(poly1305_ops_s): Remove.
(poly1305_context_s): Rewrite.
* cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext)
(_gcry_poly1305_amd64_sse2_finish_ext)
(_gcry_poly1305_amd64_sse2_blocks, poly1305_amd64_sse2_ops)
(poly1305_init_ext_ref32, poly1305_blocks_ref32)
(poly1305_finish_ext_ref32, poly1305_default_ops)
(_gcry_poly1305_amd64_avx2_init_ext)
(_gcry_poly1305_amd64_avx2_finish_ext)
(_gcry_poly1305_amd64_avx2_blocks)
(poly1305_amd64_avx2_ops, poly1305_get_state): Remove.
(poly1305_init): Rewrite.
(USE_MPI_64BIT, USE_MPI_32BIT): New.
[USE_MPI_64BIT] (ADD_1305_64, MUL_MOD_1305_64, poly1305_blocks)
(poly1305_final): New implementation using 64-bit limbs.
[USE_MPI_32BIT] (UMUL_ADD_32, ADD_1305_32, MUL_MOD_1305_32)
(poly1305_blocks): New implementation using 32-bit limbs.
(_gcry_poly1305_update, _gcry_poly1305_finish)
(_gcry_poly1305_init): Adapt to new implementation.
* configure.ac: Remove 'poly1305-sse2-amd64.lo',
'poly1305-avx2-amd64.lo' and 'poly1305-armv7-neon.lo'.
--

Intel Core i7-4790K CPU @ 4.00GHz (x86_64):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 POLY1305           |     0.284 ns/B    3358.6 MiB/s      1.14 c/B

Intel Core i7-4790K CPU @ 4.00GHz (i386):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 POLY1305           |     0.888 ns/B    1073.9 MiB/s      3.55 c/B

Cortex-A53 @ 1152Mhz (armv7):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 POLY1305           |      4.40 ns/B     216.7 MiB/s      5.07 c/B

Cortex-A53 @ 1152Mhz (aarch64):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 POLY1305           |      2.60 ns/B     367.0 MiB/s      2.99 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
7 months ago | mpi/ec: fix when 'unsigned long' is 32-bit but limb size is 64-bit
Jussi Kivilinna [Sat, 6 Jan 2018 17:25:12 +0000 (19:25 +0200)]
mpi/ec: fix when 'unsigned long' is 32-bit but limb size is 64-bit

* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Cast '1' to
mpi_limb_t before left shift.
--

Patch fixes mpi/ec.c compiler warnings and failing tests cases on
Win64.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months agotests: Add another test case to keygrip.c
Werner Koch [Fri, 8 Dec 2017 07:15:42 +0000 (08:15 +0100)]
tests: Add another test case to keygrip.c

--

This is mainly to answer a question on the ML.

8 months agosexp: Avoid a fatal error in case of ENOMEM in called functions.
Werner Koch [Fri, 24 Nov 2017 09:44:24 +0000 (10:44 +0100)]
sexp: Avoid a fatal error in case of ENOMEM in called functions.

* src/sexp.c (do_vsexp_sscan): Replace BUG() by a proper error
return.  Replace sprintf by snprintf.
(convert_to_hex): Replace sprintf by snprintf.
(convert_to_string): Ditto.
(_gcry_sexp_sprint): Ditto.
--

_gcry_mpi_print can actually return ENOMEM because it internally needs
to allocate temporary buffers.  Thus BUG was not the right thing to
do.  This was detected while investigating bug 3530.

Replacing sprintf by snprintf is not technically required but some
compilers print warnings for the use of sprintf.  So let's silence
them.

Signed-off-by: Werner Koch <wk@gnupg.org>
8 months agoapi: Add GCRYCTL_AUTO_EXPAND_SECMEM.
Werner Koch [Thu, 23 Nov 2017 18:15:41 +0000 (19:15 +0100)]
api: Add GCRYCTL_AUTO_EXPAND_SECMEM.

* src/gcrypt.h.in (GCRYCTL_AUTO_EXPAND_SECMEM): New enum.
* src/global.c (_gcry_vcontrol): Implement that.
* src/secmem.c (auto_expand): New var.
(_gcry_secmem_set_auto_expand): New.
(_gcry_secmem_malloc_internal): Act upon AUTO_EXPAND.
--

GnuPG-bug-id: 3530
Signed-off-by: Werner Koch <wk@gnupg.org>
9 months agodoc: Clarify gcry_mpi_div
Werner Koch [Wed, 15 Nov 2017 19:35:16 +0000 (20:35 +0100)]
doc: Clarify gcry_mpi_div

--

9 months agotests: Add HAVE_MMAP check for MinGW.
NIIBE Yutaka [Tue, 14 Nov 2017 00:01:50 +0000 (09:01 +0900)]
tests: Add HAVE_MMAP check for MinGW.

* tests/t-secmem.c (main): Conditionalize with HAVE_MMAP.

--

Thanks to: Andreas Metzler <ametzler@bebt.de>

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
9 months agoFix secmem test for machine with larger page.
NIIBE Yutaka [Thu, 9 Nov 2017 01:59:33 +0000 (10:59 +0900)]
Fix secmem test for machine with larger page.

* tests/t-secmem.c (main): Detect page size and setup chunk size.
* src/secmem.c (init_pool): Simplify the expression.

--

GnuPG-bug-id: 3351
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
9 months agobuild: Don't use /dev/srandom on OpenBSD.
Jeremie Courreges-Anglas [Mon, 6 Nov 2017 05:57:28 +0000 (14:57 +0900)]
build: Don't use /dev/srandom on OpenBSD.

--

Ported from GnuPG 1.4.

All /dev/*random devices have been equivalent since OpenBSD 4.9, on
purpose (/dev/random doesn't block).  /dev/srandom has been removed in
the OpenBSD 6.3 development cycle, /dev/arandom will likely follow.

Signed-off-by: Jeremie Courreges-Anglas <jca@wxcvbn.org>
9 months agoAdd OID information for SM3.
NIIBE Yutaka [Wed, 25 Oct 2017 03:04:30 +0000 (12:04 +0900)]
Add OID information for SM3.

* cipher/sm3.c (asn_sm3, oid_spec_sm3): New.
(_gcry_digest_spec_sm3): Add asn_sm3, oid_spec_sm3.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
9 months agoAdd crypto hash SM3.
Jia Zhang [Tue, 24 Oct 2017 06:55:12 +0000 (15:55 +0900)]
Add crypto hash SM3.

* configure.ac (available_digests): Add sm3.
* src/cipher.h: Add declarations for SM3.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm3.c.
* cipher/md.c [USE_SM3] (digest_list): Add _gcry_digest_spec_sm3.
* cipher/pubkey-util.c (hashnames): Add "sm3".
* cipher/sm3.c: New.
* tests/basic.c (check_digests): Add test vectors for SM3.
* tests/hashtest-256g.in (algos): Add SM3.
* tests/hashtest.c (testvectors): Add for SM3.

--

GnuPG-bug-id: 3454
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
9 months agoAdd new constant GCRY_MD_SM3 for crypto hash SM3.
NIIBE Yutaka [Tue, 24 Oct 2017 06:43:41 +0000 (15:43 +0900)]
Add new constant GCRY_MD_SM3 for crypto hash SM3.

* src/gcrypt.h.in (GCRY_MD_SM3): New.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
10 months agoRegister DCO for Jia Zhang.
NIIBE Yutaka [Thu, 19 Oct 2017 02:35:00 +0000 (11:35 +0900)]
Register DCO for Jia Zhang.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
10 months agoapi: New function gcry_mpi_get_ui.
Werner Koch [Tue, 17 Oct 2017 13:00:08 +0000 (15:00 +0200)]
api: New function gcry_mpi_get_ui.

* src/gcrypt.h.in (gcry_mpi_get_ui): New.
(mpi_get_ui): New macro.
* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
* src/visibility.c (gcry_mpi_get_ui): New.
* src/visibility.h: Mark that function.
(gcry_mpi_get_ui): New.
* mpi/mpiutil.c (MY_UINT_MAX): New macro.
(_gcry_mpi_get_ui): Re-implemented.  This function existed but was
never imported or used.
* tests/mpitests.c (test_maxsize): Add some test for this function.
--

Note that in libgcrypt.def the cardinal 91 is used which was never
used in the past.

Signed-off-by: Werner Koch <wk@gnupg.org>
11 months agoTweak GCC version check.
NIIBE Yutaka [Tue, 29 Aug 2017 07:11:42 +0000 (16:11 +0900)]
Tweak GCC version check.

* src/global.c (_gcry_vcontrol): It's GCC 4.2 which started to support
diagnostic pragma.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agorandom: Fix warnings on Windows.
NIIBE Yutaka [Tue, 29 Aug 2017 07:10:54 +0000 (16:10 +0900)]
random: Fix warnings on Windows.

* random/random-csprng.c (lock_seed_file): Vars with no use.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agotests: Fix warnings on Windows.
NIIBE Yutaka [Tue, 29 Aug 2017 07:09:39 +0000 (16:09 +0900)]
tests: Fix warnings on Windows.

* tests/fipsdrv.c (print_dsa_domain_parameters, print_ecdsa_dq): Fix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoecc: Fix scratch MPI.
NIIBE Yutaka [Tue, 29 Aug 2017 01:33:08 +0000 (10:33 +0900)]
ecc: Fix scratch MPI.

* mpi/ec.c (ec_p_init): Check if scratch MPI is allocated.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoecc: Fix ec_mulm_25519.
NIIBE Yutaka [Wed, 23 Aug 2017 04:03:07 +0000 (13:03 +0900)]
ecc: Fix ec_mulm_25519.

* mpi/ec.c (ec_mulm_25519): Improve reduction to 25519.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoecc: Use 25519 method also for ed25519.
NIIBE Yutaka [Wed, 23 Aug 2017 03:46:20 +0000 (12:46 +0900)]
ecc: Use 25519 method also for ed25519.

* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Don't use mpi_add
since it resizes to have more limbs.
* mpi/ec.c (point_resize): Fix for Edwards curve.
(ec_p_init): Support Edwards curve.
(_gcry_mpi_ec_get_affine): Use the methods.
(dup_point_edwards, add_points_edwards, sub_points_edwards): Ditto.
(_gcry_mpi_ec_mul_point): Resize MPIs of point to fixed size.
(_gcry_mpi_ec_curve_point): Use the methods.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoecc: Clean up curve specific method support.
NIIBE Yutaka [Wed, 23 Aug 2017 03:43:38 +0000 (12:43 +0900)]
ecc: Clean up curve specific method support.

* src/ec-context.h (struct mpi_ec_ctx_s): Remove MOD method.
* mpi/ec.c (ec_mod_25519): Remove.
(ec_p_init): Follow the removal of the MOD method.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoecc: Relax condition for 25519 computations.
NIIBE Yutaka [Wed, 23 Aug 2017 02:11:17 +0000 (11:11 +0900)]
ecc: Relax condition for 25519 computations.

* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Check number
of limbs, allocated more is OK.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoecc: Fix ec_mulm_25519.
NIIBE Yutaka [Wed, 23 Aug 2017 01:22:21 +0000 (10:22 +0900)]
ecc: Fix ec_mulm_25519.

* mpi/ec.c (ec_mulm_25519): Fix the cases of 0 to 18.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoecc: field specific routines for 25519.
NIIBE Yutaka [Tue, 22 Aug 2017 23:48:53 +0000 (08:48 +0900)]
ecc: field specific routines for 25519.

* mpi/ec.c (point_resize): Improve for X25519.
(mpih_set_cond): New.
(ec_mod_25519, ec_addm_25519, ec_subm_25519, ec_mulm_25519)
(ec_mul2_25519, ec_pow2_25519): New.
(ec_p_init): Fill by FIELD_TABLE.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoecc: Add field specific computation methods.
NIIBE Yutaka [Mon, 21 Aug 2017 05:32:08 +0000 (14:32 +0900)]
ecc: Add field specific computation methods.

* src/ec-context.h (struct mpi_ec_ctx_s): Add methods.
* mpi/ec.c (ec_p_init): Initialize the default methods.
(montgomery_ladder): Use the methods.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
11 months agoAlso bump the LT Current value.
Werner Koch [Sun, 27 Aug 2017 08:13:53 +0000 (10:13 +0200)]
Also bump the LT Current value.

--

11 months agoPrepare for the 1.9 branch
Werner Koch [Sun, 27 Aug 2017 08:08:58 +0000 (10:08 +0200)]
Prepare for the 1.9 branch

--

We need to bump the LT Age even if there won't be a compatible interface
change.  This is so that we can keep on updating the Revision in the
1.8 branch.

Signed-off-by: Werner Koch <wk@gnupg.org>
11 months agoPost release updates
Werner Koch [Sun, 27 Aug 2017 07:36:37 +0000 (09:36 +0200)]
Post release updates

--

11 months agoRelease 1.8.1 libgcrypt-1.8.1
Werner Koch [Sun, 27 Aug 2017 07:22:09 +0000 (09:22 +0200)]
Release 1.8.1

* configure.ac: Set LT version to C22/A2/R1.

Signed-off-by: Werner Koch <wk@gnupg.org>
11 months agoecc: Add input validation for X25519.
NIIBE Yutaka [Fri, 25 Aug 2017 09:13:28 +0000 (18:13 +0900)]
ecc: Add input validation for X25519.

* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
(_gcry_mpi_ec_bad_point): New.

--

Following is the paper describing the attack:

    May the Fourth Be With You: A Microarchitectural Side Channel Attack
    on Real-World Applications of Curve25519
    by Daniel Genkin, Luke Valenta, and Yuval Yarom

In the current implementation, we do output checking and it results in an
error for those bad points.  However, when attacked, the computation
will be done with a leak of the private key, even if it results in errors.  To
mitigate the leak, we added input validation.

Note that we only list bad points with MSB=0.  In X25519, the MSB is
always cleared.

In the future, we should implement constant-time field computation.  Then,
this input validation could be removed, if performance is important
and we are sure there is no leak.

CVE-id: CVE-2017-0379
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
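The table of bad points the commit adds is not reproduced on this page. The following added example (editor's own Python, not libgcrypt code) derives the low-order u-coordinates from the curve arithmetic instead and applies the input check the commit describes before the scalar multiplication runs. The ladder follows RFC 7748 and is not constant time; the names `ladder`, `bad_points_25519`, `x25519`, the derivation of the order-8 points through the substitution t = u + 1/u, and the inclusion of the non-canonical encodings p and p+1 (both still with MSB=0) are the example's own choices. Whether the derived list matches the commit's table byte for byte cannot be checked from this page.

```python
# Added example (editor's code, not libgcrypt's): derive Curve25519's low-order
# u-coordinates and reject them before the ladder runs, as the commit does.
P25519 = 2**255 - 19
A_MONT = 486662
A24 = (A_MONT - 2) // 4          # 121665, the ladder constant of RFC 7748
INV2 = pow(2, P25519 - 2, P25519)


def sqrt_mod_p(a):
    """Square root mod p = 5 (mod 8) by Atkin's formula; None for a non-residue."""
    a %= P25519
    if a == 0:
        return 0
    v = pow(2 * a, (P25519 - 5) // 8, P25519)
    i = 2 * a * v * v % P25519
    r = a * v * (i - 1) % P25519
    return r if r * r % P25519 == a else None


def ladder(k, u):
    """RFC 7748 x-only Montgomery ladder: X0([k]P) for the point with u-coordinate u.
    The scalar is used unclamped so that small multiples can be inspected.
    The point at infinity comes out as 0 (Z = 0 and 0^(p-2) = 0)."""
    x1 = u % P25519
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        e = (aa - bb) % P25519
        c, d = (x3 + z3) % P25519, (x3 - z3) % P25519
        da, cb = d * a % P25519, c * b % P25519
        x3 = (da + cb) ** 2 % P25519
        z3 = x1 * (da - cb) ** 2 % P25519
        x2 = aa * bb % P25519
        z2 = e * (aa + A24 * e) % P25519
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P25519 - 2, P25519) % P25519


def order8_u_coords():
    """u-coordinates of the curve's order-8 points, i.e. solutions of u(2P) = 1.
    Montgomery doubling gives u(2P) = (u^2-1)^2 / (4u(u^2+Au+1)); setting it to 1
    and substituting t = u + 1/u turns the quartic into t^2 - 4t - 4(A+2) = 0."""
    found = set()
    s = sqrt_mod_p(A_MONT + 2)          # exists: -(A+2) is a square and p = 1 mod 4
    for t in ((2 + 2 * s) % P25519, (2 - 2 * s) % P25519):
        disc = sqrt_mod_p(t * t - 4)    # u^2 - t*u + 1 = 0 needs sqrt(t^2 - 4)
        if disc is None:
            continue                    # those roots live in an extension field
        for u in ((t + disc) * INV2 % P25519, (t - disc) * INV2 % P25519):
            if ladder(8, u) == 0:       # sanity check: [8]P really is the identity
                found.add(u)
    return sorted(found)


def bad_points_25519():
    """Inputs with MSB=0 to reject: the order-2 point (0), the order-4 points of
    the curve and its twist (1 and p-1), both order-8 points, and the
    non-canonical encodings p and p+1 of 0 and 1."""
    return sorted({0, 1, P25519 - 1, P25519, P25519 + 1, *order8_u_coords()})


BAD_POINTS = frozenset(bad_points_25519())


def decode_scalar(k):
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")


def decode_u(u):
    b = bytearray(u)
    b[31] &= 127                        # MSB always cleared, hence the MSB=0 list
    return int.from_bytes(b, "little")


def x25519(k, u, reject_bad_input=True):
    """X25519 with the input check the commit adds.  The older output check
    (all-zero result) is kept as well, but by the time it fires the ladder has
    already run on the attacker-chosen point."""
    u_int = decode_u(u)
    if reject_bad_input and u_int in BAD_POINTS:
        raise ValueError("low-order u-coordinate rejected before computation")
    out = ladder(decode_scalar(k), u_int)
    if out == 0:
        raise ValueError("all-zero shared secret (low-order point)")
    return out.to_bytes(32, "little")


def is_rejected(k, u, reject_bad_input=True):
    """True if x25519() refuses the input through either check."""
    try:
        x25519(k, u, reject_bad_input)
        return False
    except ValueError:
        return True
```

Checking the input before the ladder is what closes the gap the commit describes: with only the output check, the leaky multiplication has already been performed on the bad point by the time the error is returned.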
11 months agoindent: Typo fix.
Werner Koch [Thu, 24 Aug 2017 09:43:05 +0000 (11:43 +0200)]
indent: Typo fix.

--

12 months agocipher: Add OID for SHA384WithECDSA.
Marcus Brinkmann [Mon, 7 Aug 2017 17:26:26 +0000 (19:26 +0200)]
cipher: Add OID for SHA384WithECDSA.

* cipher/sha512.c (oid_spec_sha384): Add SHA384WithECDSA.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
Suggested-by: Sven Fischer <sven@leiderfischer.de>
GnuPG-bug-id: 3336

12 months agotests: Fix a printf glitch for a Windows test.
Werner Koch [Wed, 2 Aug 2017 16:45:51 +0000 (18:45 +0200)]
tests: Fix a printf glitch for a Windows test.

* tests/t-convert.c (check_formats): Fix print format glitch on
Windows.
* tests/t-ed25519.c: Typo fix.

Signed-off-by: Werner Koch <wk@gnupg.org>
12 months agotests: Add benchmarking option to tests/random.
Werner Koch [Wed, 2 Aug 2017 16:44:14 +0000 (18:44 +0200)]
tests: Add benchmarking option to tests/random.

* tests/random.c: Always include unistd.h.
(prepend_srcdir): New.
(run_benchmark): New.
(main): Add options --benchmark and --with-seed-file.  Print whether
JENT has been used.
* tests/t-common.h (split_fields_colon): New. Taken from GnuPG.
License of that code changed to LGPLv2.1.

--

Running these tests on a KVM hosted Windows Vista using a statically
compiled tests/random and modifying the extra random added in
read_seed_file gave these results:

  | Seed | Jent | Bytes | Bits | Time (ms)  |
  |------+------+-------+------+------------|
  | yes  | yes  |    32 |  256 |  46 ..  62 |
  | yes  | yes  |    64 |  512 |  62 ..  78 |
  | yes  | yes  |   128 | 1024 |  78 ..  93 |
  | yes  | yes  |   256 | 2048 | 124 .. 156 |
  | yes  | yes  |   384 | 3072 | 171 .. 202 |
  | yes  | yes  |   512 | 4096 | 234 .. 249 |
  | yes  | no   |    32 |  256 |  15 ..  31 |
  | yes  | no   |    64 |  512 |  15 ..  31 |
  | yes  | no   |   128 | 1024 |  15        |
  | no   | yes  |     - |    - |  78 .. 93  |
  | no   | no   |     - |    - |  15        |

 Seed: Whether a seed file is used.
 Jent: Whether JENT was working.
Bytes: The number of bytes mixed into the pool after reading
       the seed file.
 Bits: 8 * Bytes
 Time: Measured time including the time to read the seed file.
       Minimum and maximum values are given.  Granularity of
       the used timer is quite large.

Signed-off-by: Werner Koch <wk@gnupg.org>
12 months agorandom: Add more bytes to the pool in addition to the seed file.
Werner Koch [Fri, 28 Jul 2017 13:31:03 +0000 (15:31 +0200)]
random: Add more bytes to the pool in addition to the seed file.

* random/random-csprng.c (read_seed_file): Read 128 or 32 bytes
depending on whether we have the Jitter RNG.
--

These are actually 3 changes:

- We use GCRY_STRONG_RANDOM instead of GCRY_WEAK_RANDOM, which we used
  for historical reasons.  However the entropy gather modules handle
  both identically; that is reading from /dev/urandom.  Only
  GCRY_VERY_STRONG_RANDOM would use a blocking read from /dev/random.

- We increase the number of extra bits from 128 to 256.

- If the Jitter RNG is available we assume that a fast entropy source
  is available and thus we read 4 times more entropy (1024 bits).

Note that on Windows GnuPG tests in DE-VS mode that the Jitter RNG is
available and properly working.  Thus we will add 1024 bits in
addition to the state read from the seed file.

Signed-off-by: Werner Koch <wk@gnupg.org>
12 months agoAdd script to run basic tests with all supported HWF combinations
Jussi Kivilinna [Tue, 1 Aug 2017 18:05:31 +0000 (21:05 +0300)]
Add script to run basic tests with all supported HWF combinations

* tests/basic_all_hwfeature_combinations.sh: New.
* tests/Makefile.am: Add basic_all_hwfeature_combinations.sh.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
12 months agoFix return value type for _gcry_md_extract
Jussi Kivilinna [Sat, 29 Jul 2017 11:34:23 +0000 (14:34 +0300)]
Fix return value type for _gcry_md_extract

* src/gcrypt-int.h (_gcry_md_extract): Use gpg_err_code_t instead of
gpg_error_t for internal function return type.
--

GnuPG-bug-id: 3314
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
12 months agoFix building AArch32 CE implementations when target is ARMv6 arch
Jussi Kivilinna [Sat, 29 Jul 2017 11:34:23 +0000 (14:34 +0300)]
Fix building AArch32 CE implementations when target is ARMv6 arch

* cipher/cipher-gcm-armv8-aarch32-ce.S: Select ARMv8 architecture.
* cipher/rijndael-armv8-aarch32-ce.S: Ditto.
* cipher/sha1-armv8-aarch32-ce.S: Ditto.
* cipher/sha256-armv8-aarch32-ce.S: Ditto.
* configure.ac (gcry_cv_gcc_inline_asm_aarch32_crypto): Ditto.
--

Raspbian distribution defaults to ARMv6 architecture thus 'rbit'
instruction is not available with default compiler flags. Patch
adds explicit architecture selection for ARMv8 to enable 'rbit'
usage with ARMv8/AArch32-CE assembly implementations of SHA,
GHASH and AES.

Reported-by: Chris Horry <zerbey@gmail.com>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
12 months agosexp: Add fall through annotation.
NIIBE Yutaka [Tue, 25 Jul 2017 06:26:33 +0000 (15:26 +0900)]
sexp: Add fall through annotation.

* src/dumpsexp.c (parse_and_print): It's fall through.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
12 months agorandom: Fix the command line munging for jitterbase.
Werner Koch [Mon, 24 Jul 2017 07:32:25 +0000 (09:32 +0200)]
random: Fix the command line munging for jitterbase.

* random/Makefile.am (o_flag_munging): Make the first sed term also
global.
--

The sed script did not catch multiple -O which are not -O0.

GnuPG-bug-id: 3293
Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agodoc: Typo fix.
Werner Koch [Thu, 20 Jul 2017 08:49:24 +0000 (10:49 +0200)]
doc: Typo fix.

--

13 months agoRemove byte order mark.
NIIBE Yutaka [Wed, 19 Jul 2017 05:28:14 +0000 (14:28 +0900)]
Remove byte order mark.

* random/jitterentropy-base.c, random/jitterentropy.h: Remove
byte order mark.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoPost release updates
Werner Koch [Tue, 18 Jul 2017 14:27:13 +0000 (16:27 +0200)]
Post release updates

--

13 months agoRelease 1.8.0 libgcrypt-1.8.0
Werner Koch [Tue, 18 Jul 2017 14:13:18 +0000 (16:13 +0200)]
Release 1.8.0

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agobuild: Remove the configure run notice on EGD.
Werner Koch [Tue, 18 Jul 2017 12:57:36 +0000 (14:57 +0200)]
build: Remove the configure run notice on EGD.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agomac: Add selftests for HMAC-SHA3-xxx.
Werner Koch [Tue, 18 Jul 2017 12:11:26 +0000 (14:11 +0200)]
mac: Add selftests for HMAC-SHA3-xxx.

* cipher/hmac-tests.c (check_one): Add arg trunc and change all
callers to pass false.
(selftests_sha3): New.
(run_selftests): Call new selftests.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agoapi: New function gcry_mpi_point_copy.
Werner Koch [Tue, 18 Jul 2017 08:16:07 +0000 (10:16 +0200)]
api: New function gcry_mpi_point_copy.

* src/gcrypt.h.in (gcry_mpi_point_copy): New.
(mpi_point_copy): New macro.
* src/visibility.c (gcry_mpi_point_copy): New.
* src/libgcrypt.def, src/libgcrypt.vers: Add function.
* mpi/ec.c (_gcry_mpi_point_copy): New.
* tests/t-mpi-point.c (set_get_point): Add test.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agobuild: Bump LT version to C22/A2/R0.
Werner Koch [Mon, 17 Jul 2017 12:04:30 +0000 (14:04 +0200)]
build: Bump LT version to C22/A2/R0.

--

This is required to allow installation of 1.7 and 1.8.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agorandom: Minor fix for getting the rndjent version.
Werner Koch [Mon, 17 Jul 2017 10:34:13 +0000 (12:34 +0200)]
random: Minor fix for getting the rndjent version.

* random/rndjent.c (_gcry_rndjent_get_version): Always set R_ACTIVE.
* tests/version.c (test_get_config): Check number of fields for
rng-type.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agompi: Minor fix of mpi_pow.
NIIBE Yutaka [Fri, 7 Jul 2017 05:48:17 +0000 (14:48 +0900)]
mpi: Minor fix of mpi_pow.

* mpi/mpi-pow.c (_gcry_mpi_powm): Allocate size fix.

--

Same thing as 619ebae9847831f43314a95cc3180f4b329b4d3b applied.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agompi: Fix mpi_pow alternative implementation.
NIIBE Yutaka [Fri, 7 Jul 2017 03:00:03 +0000 (12:00 +0900)]
mpi: Fix mpi_pow alternative implementation.

* mpi/mpi-pow.c
  [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm): Use
  mpi_set_cond.

--

Limbs of RES may be allocated more before the call of mpi_pow,
but it only uses the space of SIZE.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoFix mpi_pow alternative implementation.
NIIBE Yutaka [Fri, 7 Jul 2017 02:39:09 +0000 (11:39 +0900)]
Fix mpi_pow alternative implementation.

* mpi/mpi-pow.c [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm):
Allocate size fix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agoUpdate NEWS
Werner Koch [Thu, 6 Jul 2017 08:26:24 +0000 (10:26 +0200)]
Update NEWS

--

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agorsa: Use modern MPI allocation function.
Werner Koch [Thu, 29 Jun 2017 06:31:27 +0000 (08:31 +0200)]
rsa: Use modern MPI allocation function.

* cipher/rsa.c (secret_core_crt): Use modern function _gcry_mpi_snew.
--

Eventually we want to get rid of the notion of limb sizes in mpi using
code.  Thus it is better to use the modern function/macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agobuild: Minor API fixes to fix build problems on AIX.
Werner Koch [Wed, 5 Jul 2017 18:10:56 +0000 (20:10 +0200)]
build: Minor API fixes to fix build problems on AIX.

* src/gcrypt.h.in (gcry_error_from_errno): Fix return type.
* src/visibility.c (gcry_md_extract): Change return type to match the
prototype.
--

The IBM compiler optimizes enums and thus enums may be shorter than an
unsigned int.  Thus an

  assert (sizeof (gpg_error_t) == sizeof (gpg_err_code_t)

would fail.  The details seem to depend on the passed compiler options
which explains that it has been only reported now.

GnuPG-bug-id: 3256
Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agotools: Add left shift to mpicalc.
Werner Koch [Wed, 5 Jul 2017 18:05:41 +0000 (20:05 +0200)]
tools: Add left shift to mpicalc.

* src/mpicalc.c (do_lshift): New.
(main): Handle '<'.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agompi: Fix mpi_set_secure.
NIIBE Yutaka [Tue, 4 Jul 2017 00:33:46 +0000 (09:33 +0900)]
mpi: Fix mpi_set_secure.

* mpi/mpiutil.c (mpi_set_secure): Allocate by ->alloced.

--

The code was simply wrong.  The question is if (1) it allocates
(possibly) more or (2) modifies ->alloced.  The choice is (1).

Because we have routines of mpi_set_cond and mpi_swap_cond which
assume no change for the allocated length of limbs, no surprise is
better.  See _gcry_mpi_ec_mul_point for concrete example for those
routines.  That's for constant-time computation.

Debian-bug-id: 866964
Suggested-by: Mark Wooding <mdw@distorted.org.uk>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agorsa: Add exponent blinding.
NIIBE Yutaka [Thu, 29 Jun 2017 02:11:37 +0000 (11:11 +0900)]
rsa: Add exponent blinding.

* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
nonce R for mpi_powm computation.

--

Co-authored-by: Werner Koch <wk@gnupg.org>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
The paper describing the attack: https://eprint.iacr.org/2017/627

Sliding right into disaster: Left-to-right sliding windows leak
by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and
Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and
Christine van Vredendaal and Yuval Yarom

  It is well known that constant-time implementations of modular
  exponentiation cannot use sliding windows. However, software
  libraries such as Libgcrypt, used by GnuPG, continue to use sliding
  windows. It is widely believed that, even if the complete pattern of
  squarings and multiplications is observed through a side-channel
  attack, the number of exponent bits leaked is not sufficient to
  carry out a full key-recovery attack against RSA. Specifically,
  4-bit sliding windows leak only 40% of the bits, and 5-bit sliding
  windows leak only 33% of the bits.

  In this paper we demonstrate a complete break of RSA-1024 as
  implemented in Libgcrypt. Our attack makes essential use of the fact
  that Libgcrypt uses the left-to-right method for computing the
  sliding-window expansion. We show for the first time that the
  direction of the encoding matters: the pattern of squarings and
  multiplications in left-to-right sliding windows leaks significantly
  more information about exponent bits than for right-to-left. We show
  how to incorporate this additional information into the
  Heninger-Shacham algorithm for partial key reconstruction, and use
  it to obtain very efficient full key recovery for RSA-1024. We also
  provide strong evidence that the same attack works for RSA-2048 with
  only moderately more computation.

Exponent blinding is a kind of workaround to add noise.  The signal (leak)
is still there for a non-constant-time implementation.
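An added example (editor's own Python, not libgcrypt's secret_core_crt) of what exponent blinding changes and what it leaves alone: the blinded exponent dp + r*(p-1) yields the same value modulo p, while the bit pattern fed to the square-and-multiply loop, and therefore the sequence of squarings and multiplications a side channel observes, differs on every call. The toy primes, the 64-bit nonce size and all function names are the example's assumptions; the page does not state the nonce size libgcrypt uses, and the key is far too small for real use.

```python
import secrets

# Added example (editor's code, not libgcrypt's): RSA-CRT private operation
# with and without exponent blinding.  Toy key from two well-known 30-bit
# primes; never use parameters this small for anything real.
TOY_P = 1_000_000_007
TOY_Q = 998_244_353
TOY_E = 65537


def make_key(p, q, e):
    """Derive the CRT key material from p, q, e (assumed valid RSA parameters)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1),
            "u": pow(p, -1, q)}            # p^-1 mod q for Garner's recombination


def crt_combine(key, m1, m2):
    """Garner: m = m1 + p * ((m2 - m1) * p^-1 mod q)."""
    h = (key["u"] * (m2 - m1)) % key["q"]
    return (m1 + h * key["p"]) % key["n"]


def secret_core_crt_plain(key, c):
    """Unblinded CRT decryption: the exponentiation sees dp and dq as they are,
    so an observed square/multiply pattern leaks bits of the fixed exponents."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    return crt_combine(key, m1, m2)


def blind_exponent(dx, prime, r):
    """dx + r*(prime-1).  Since c^(prime-1) = 1 (mod prime) for c coprime to
    prime, and 0^k = 0 otherwise, c^dx mod prime is unchanged, while the
    exponent's bit pattern now depends on the random r."""
    return dx + r * (prime - 1)


def secret_core_crt_blinded(key, c, nonce_bits=64):
    """CRT decryption with a fresh random blinding nonce per exponent.
    (The nonce size is this example's choice, not a documented libgcrypt value.)"""
    r1 = secrets.randbits(nonce_bits) | 1
    r2 = secrets.randbits(nonce_bits) | 1
    m1 = pow(c, blind_exponent(key["dp"], key["p"], r1), key["p"])
    m2 = pow(c, blind_exponent(key["dq"], key["q"], r2), key["q"])
    return crt_combine(key, m1, m2)


def roundtrip_ok(key, m):
    """Encrypt m with the public key and check both private paths recover it."""
    c = pow(m, key["e"], key["n"])
    return secret_core_crt_plain(key, c) == m == secret_core_crt_blinded(key, c)


TOY_KEY = make_key(TOY_P, TOY_Q, TOY_E)

if __name__ == "__main__":
    for m in (0, 1, 2, TOY_P, TOY_KEY["n"] - 1, 123456789012345678):
        assert roundtrip_ok(TOY_KEY, m)
    # Two calls blind the same dp with different r: same result, different exponent bits.
    a = blind_exponent(TOY_KEY["dp"], TOY_P, secrets.randbits(64) | 1)
    b = blind_exponent(TOY_KEY["dp"], TOY_P, secrets.randbits(64) | 1)
    print("blinded exponents differ:", a != b, "both == dp mod (p-1):",
          a % (TOY_P - 1) == b % (TOY_P - 1) == TOY_KEY["dp"])
```

As the commit notes, this only randomizes which bits the attacker sees on each call; with a non-constant-time sliding-window exponentiation the per-call leakage itself remains, so blinding is a mitigation, not a fix.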

13 months agoSame computation for square and multiply.
NIIBE Yutaka [Sat, 24 Jun 2017 11:46:20 +0000 (20:46 +0900)]
Same computation for square and multiply.

* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size.  Move
the assignment to base_u into the loop.  Copy content referred to by RP to
BASE_U except the last of the loop.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
13 months agorsa: Minor refactoring.
Werner Koch [Sat, 24 Jun 2017 10:03:14 +0000 (12:03 +0200)]
rsa: Minor refactoring.

* cipher/rsa.c (secret): Factor code out to ...
(secret_core_std, secret_core_crt): new functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agorandom: Add missing dependency.
Werner Koch [Fri, 23 Jun 2017 07:34:35 +0000 (09:34 +0200)]
random: Add missing dependency.

* random/Makefile.am (EXTRA_librandom_la_SOURCES): Fix file name.
(rndjent.o, rndjent.lo): Depend on jitterentropy-base-user.h.
--

Fixes-commit: 8dfae89ecd3e9ae0967586cb38d12ef9111fc7cd
Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agorandom: Update jitterentropy to 2.1.0.
Werner Koch [Fri, 23 Jun 2017 07:11:47 +0000 (09:11 +0200)]
random: Update jitterentropy to 2.1.0.

* random/rndjent.c (jent_get_nstime, jent_zfree)
(jent_fips_enabled, jent_zalloc): Move functions and macros to ...
* random/jitterentropy-base-user.h: this file.   That file was not
used before.
* random/Makefile.am (EXTRA_librandom_la_SOURCES): Add
jitterentropy-base-user.
* random/jitterentropy-base.c: Update to version 2.1.0.
* random/jitterentropy.h: Ditto.
--

The files jitterentropy-base.c and jitterentropy.h are now
verbatim copies of the upstream source using a private copy received
prior to a push to the upstream repo.  Though, 3 white space issues
were fixed.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agoapi: New function gcry_get_config.
Werner Koch [Wed, 21 Jun 2017 07:29:09 +0000 (09:29 +0200)]
api: New function gcry_get_config.

* src/misc.c (_gcry_log_info_with_dummy_fp): Remove.
* src/global.c (print_config): New arg WHAT.  Remove arg FNC and use
gpgrt_fprintf directly.
(_gcry_get_config): New.
(_gcry_vcontrol) <GCRYCTL_PRINT_CONFIG>: Use _gcry_get_config instead
of print_config.
* src/gcrypt.h.in (gcry_get_config): New.
* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
* src/visibility.c (gcry_get_config): New.
* src/visibility.h: Mark new function.

* tests/version.c (test_get_config): New.
(main): Call new test.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 months agorandom: Allow building rndjent on non-x86.
Werner Koch [Wed, 21 Jun 2017 07:24:42 +0000 (09:24 +0200)]
random: Allow building rndjent on non-x86.

* random/jitterentropy-base.c (jent_version): Uncomment function.
* random/rndjent.c: Include time.h
(JENT_USES_RDTSC): New.
(JENT_USES_GETTIME): New.
(JENT_USES_READ_REAL_TIME): New.
(jent_get_nstime): Support clock_gettime and AIX specific
function.  Taken from Stephan Müller's code.
(is_rng_available): New.
(_gcry_rndjent_dump_stats): Use that function.
(_gcry_rndjent_poll): Use that function.  Allow an ADD of NULL for an
initialize only mode.
(_gcry_rndjent_get_version): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months agorijndael-padlock: change asm operands from read-only to read/write
Jussi Kivilinna [Sun, 18 Jun 2017 07:35:50 +0000 (10:35 +0300)]
rijndael-padlock: change asm operands from read-only to read/write

* cipher/rijndael-padlock.c (do_padlock): Change ESI/EDI/ECX to use
read/write operands as XCRYPT instruction modifies these registers.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
14 months agorandom: Make rndjent.c NTG.1 compliant.
Werner Koch [Fri, 16 Jun 2017 15:09:20 +0000 (17:09 +0200)]
random: Make rndjent.c NTG.1 compliant.

* random/rndjent.c (_gcry_rndjent_poll): Hash the retrieved jitter.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months agomd: Optimize gcry_md_hash_buffers for SHA-256 and SHA-512.
Werner Koch [Fri, 16 Jun 2017 14:53:33 +0000 (16:53 +0200)]
md: Optimize gcry_md_hash_buffers for SHA-256 and SHA-512.

* cipher/sha256.c (_gcry_sha256_hash_buffer): New.
(_gcry_sha256_hash_buffers): New.
* cipher/sha512.c (_gcry_sha512_hash_buffer): New.
(_gcry_sha512_hash_buffers): New.
* cipher/md.c (_gcry_md_hash_buffer): Optimize for SHA256 and SHA512.
(_gcry_md_hash_buffers): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months agorandom: Allow building rndjent.c with stats collecting enabled.
Werner Koch [Fri, 16 Jun 2017 10:31:11 +0000 (12:31 +0200)]
random: Allow building rndjent.c with stats collecting enabled.

* random/rndjent.c: Change license to the one used by jitterentropy.h.
(jent_init_statistic): New.
(jent_bit_count): New.
(jent_statistic_copy_stat): new.
(jent_calc_statistic): New.
--

New code taken from Stephan's jitterentropy-stat.c.  This does now
build with CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT defined; not sure
whether this is already useful.  Changed the license due to the new
code.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months agoNew global config option "only-urandom".
Werner Koch [Fri, 16 Jun 2017 09:55:50 +0000 (11:55 +0200)]
New global config option "only-urandom".

* random/rand-internal.h (RANDOM_CONF_ONLY_URANDOM): New.
* random/random.c (_gcry_random_read_conf): Add option "only-urandom".
* random/rndlinux.c (_gcry_rndlinux_gather_random): Implement that
option.
* tests/keygen.c (main): Add option --no-quick for better manual
tests.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months agoImplement global config file /etc/gcrypt/random.conf
Werner Koch [Fri, 16 Jun 2017 08:42:44 +0000 (10:42 +0200)]
Implement global config file /etc/gcrypt/random.conf

* src/hwfeatures.c (my_isascii): Move macro to ...
* src/g10lib.h: here.
* tests/random.c (main): Dump random stats.
* random/random.c (RANDOM_CONF_FILE): New.
(_gcry_random_read_conf): New.
(_gcry_random_dump_stats): Call rndjent stats.
* random/rndjent.c (jent_rng_totalcalls, jent_rng_totalbytes): New.
(_gcry_rndjent_poll): Take care of config option disable-jent.  Wipe
buffer.  Bump counters.
(_gcry_rndjent_dump_stats): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
14 months agorandom: Add jitter RND based entropy collector.
Werner Koch [Wed, 14 Jun 2017 12:03:05 +0000 (14:03 +0200)]
random: Add jitter RND based entropy collector.

* random/rndjent.c: New.
* random/rndlinux.c (_gcry_rndlinux_gather_random): Use rndjent.
* random/rndw32.c (_gcry_rndw32_gather_random): Use rndjent.
(slow_gatherer): Fix compiler warning.
* random/Makefile.am (librandom_la_SOURCES): Add rndjent.c
(EXTRA_librandom_la_SOURCES): Add jitterentropy-base.c and
jitterentropy.h.
(rndjent.o, rndjent.lo): New rules.
* configure.ac: New option --disable-jent-support
(ENABLE_JENT_SUPPORT): New ac-define.

Signed-off-by: Werner Koch <wk@gnupg.org>