libgcrypt.git
Peter Wu [Wed, 23 Mar 2016 02:45:21 +0000 (03:45 +0100)]
Fix buffer overrun in gettag for Poly1305

* cipher/cipher-poly1305.c: copy a fixed length instead of the
  user-supplied number.
--

The outbuflen is used to check the minimum size, the real tag is always
of fixed length.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Werner Koch [Wed, 23 Mar 2016 10:07:52 +0000 (11:07 +0100)]
cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.

* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
tag length matches the actual tag length.  Avoid gratuitous return
statements.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Peter Wu [Wed, 23 Mar 2016 02:45:20 +0000 (03:45 +0100)]
Fix buffer overrun in gettag for GCM

* cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
  number.
--

The outbuflen is used to check the minimum size, the real tag is always
of fixed length.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Actually this is not a buffer overrun because we copy not more than
has been allocated for OUTBUF.  However a too long OUTBUFLEN accesses
data outside of the source buffer.  -wk
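The three commits above describe the same pattern for the GCM and Poly1305 authentication tags: the caller's OUTBUFLEN is only a capacity check, the copy length is the fixed tag size, and a supplied tag is accepted for comparison only when its length equals the real tag length. The following is an added example, not libgcrypt's code; the context struct, the error values and the function names are constructed stand-ins (libgcrypt returns gpg_error_t codes such as GPG_ERR_BUFFER_TOO_SHORT instead).

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the cipher handle: the real tag is always
   TAG_LEN bytes (16 for both GCM and Poly1305). */
#define TAG_LEN 16

typedef struct
{
  unsigned char tag[TAG_LEN];
} tag_ctx_t;

/* Error values for this example only (libgcrypt uses gpg_error_t). */
enum { EX_OK = 0, EX_BUFFER_TOO_SHORT = 1, EX_INV_LENGTH = 2, EX_CHECKSUM = 3 };

/* gettag after the fix: OUTBUFLEN decides whether the caller's buffer is
   big enough, the copy length is the fixed tag size.  The pre-fix code
   copied OUTBUFLEN bytes, so an OUTBUFLEN larger than TAG_LEN read past
   the end of the tag stored in the context. */
int
example_gettag (const tag_ctx_t *ctx, unsigned char *outbuf, size_t outbuflen)
{
  if (outbuflen < TAG_LEN)
    return EX_BUFFER_TOO_SHORT;
  memcpy (outbuf, ctx->tag, TAG_LEN);
  return EX_OK;
}

/* checktag: a supplied tag must have exactly the real tag length; any
   other length is rejected before any comparison takes place.  The
   comparison itself is constant-time so the position of a mismatch does
   not leak through timing. */
int
example_checktag (const tag_ctx_t *ctx, const unsigned char *intag, size_t intaglen)
{
  unsigned char diff = 0;
  size_t i;

  if (intaglen != TAG_LEN)
    return EX_INV_LENGTH;
  for (i = 0; i < TAG_LEN; i++)
    diff |= ctx->tag[i] ^ intag[i];
  return diff ? EX_CHECKSUM : EX_OK;
}

/* Self-check with a constructed tag value.  Returns 0 when every case
   behaves as described above, otherwise the number of the failing step. */
int
example_selftest (void)
{
  tag_ctx_t ctx;
  unsigned char out[32];
  size_t i;

  for (i = 0; i < TAG_LEN; i++)
    ctx.tag[i] = (unsigned char) (0xa0 + i);
  memset (out, 0xee, sizeof out);

  if (example_gettag (&ctx, out, 8) != EX_BUFFER_TOO_SHORT)
    return 1;
  if (example_gettag (&ctx, out, sizeof out) != EX_OK)
    return 2;
  /* Only TAG_LEN bytes were written; the rest of the buffer is untouched. */
  if (out[TAG_LEN] != 0xee)
    return 3;
  if (example_checktag (&ctx, out, sizeof out) != EX_INV_LENGTH)
    return 4;
  if (example_checktag (&ctx, out, TAG_LEN) != EX_OK)
    return 5;
  out[3] ^= 1;
  if (example_checktag (&ctx, out, TAG_LEN) != EX_CHECKSUM)
    return 6;
  return 0;
}
```

The length check in example_checktag is what the "Check length of supplied tag" commit adds: without it a shorter supplied tag would be compared against only a prefix of the real tag, and a longer one would again read beyond the stored tag.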

Werner Koch [Tue, 22 Mar 2016 16:49:50 +0000 (17:49 +0100)]
tests: Add options --fips to keygen for manual tests.

(main): Add option --fips.
* tests/keygen.c (check_rsa_keys): Create a 2048 bit key with e=65539
because that is valid in FIPS mode.  Check that key generation fails
for too short keys in FIPS mode.
(check_ecc_keys): Check that key generation fails for Ed25519 keys in
FIPS mode.
--

This option allows testing the FIPS mode manually for key generation.
We should eventually expand all tests to allow testing in FIPS mode on
non-FIPS-enabled boxes.

Signed-off-by: Werner Koch <wk@gnupg.org>
Tomáš Mráz [Tue, 22 Mar 2016 16:12:55 +0000 (17:12 +0100)]
rsa: Add FIPS 186-4 compliant RSA probable prime key generator.

* cipher/primegen.c (_gcry_fips186_4_prime_check): New.
* cipher/rsa.c (generate_fips): New.
(rsa_generate): Use new function in fips mode or with test-parms.

* tests/keygen.c (check_rsa_keys): Add test using e=65539.

--
Signed-off-by: Tomáš Mráz <tmraz@redhat.com>
Tomáš's patch was originally for libgcrypt 1.6.3 and has been ported
to master (1.7) by wk.  Further changes:

  - ChangeLog entries.
  - Some re-indentation
  - Use an extra test case instead of changing an existing one.

Signed-off-by: Werner Koch <wk@gnupg.org>
Jussi Kivilinna [Sun, 20 Mar 2016 13:21:40 +0000 (15:21 +0200)]
Fix ARM NEON support detection on ARMv6 target

* configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
instead of '.thumb'.
--

Fix allows building ARM NEON assembly implementations when compiler
target is ARMv6. This enables NEON implementations on ARMv7+NEON CPUs
running on ARMv6 OS (for example, Raspbian on Raspberry Pi 2/3).

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Werner Koch [Fri, 18 Mar 2016 17:57:19 +0000 (18:57 +0100)]
Always require a 64 bit integer type

* configure.ac (available_digests_64): Merge with available_digests.
(available_kdfs_64): Merge with available_kdfs.
<64 bit datatype test>: Bail out if no such type is available.
* src/types.h: Emit #error if no u64 can be defined.
(PROPERLY_ALIGNED_TYPE): Always add u64 type.
* cipher/bithelp.h: Remove all code paths which handle the
case of !HAVE_U64_TYPEDEF.
* cipher/bufhelp.h: Ditto.
* cipher/cipher-ccm.c: Ditto.
* cipher/cipher-gcm.c: Ditto.
* cipher/cipher-internal.h: Ditto.
* cipher/cipher.c: Ditto.
* cipher/hash-common.h: Ditto.
* cipher/md.c: Ditto.
* cipher/poly1305.c: Ditto.
* cipher/scrypt.c: Ditto.
* cipher/tiger.c: Ditto.
* src/g10lib.h: Ditto.
* tests/basic.c: Ditto.
* tests/bench-slope.c: Ditto.
* tests/benchmark.c: Ditto.
--

Given that SHA-2 and some other algorithms require a 64 bit type it
does not make anymore sense to conditionally compile some part when
the platform does not provide such a type.

GnuPG-bug-id: 1815.
Signed-off-by: Werner Koch <wk@gnupg.org>
Vitezslav Cizek [Fri, 18 Mar 2016 16:54:36 +0000 (17:54 +0100)]
tests: Fix testsuite after the FIPS adjustments.

* tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
* tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
* tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
(check_ecc_keys): Skip Ed25519 in FIPS mode.
* tests/random.c (main): Don't switch DRBG in FIPS mode.
* tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode.
* tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS.
* tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS.
(main): Skip math tests that use P-192 and Ed25519 in FIPS.
--

Fix the testsuite to make it pass after the FIPS adjustments.
This consists mostly of disabling the tests that use not approved
curves and algorithms as well as increasing the keysizes.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Removed changes already done with commit e40939b.  The original
    patch had these changes:
      * tests/fips186-dsa.c (main): Merely suggest a future improvement.
      * tests/pubkey.c (get_dsa_key_*new): Increase keysizes.
      (check_run): Skip tests with small domain in FIPS.
      (main): Skip Ed25519 sample key test in FIPS.
    Note that get_dsa_key_fips186_with_seed_new was not changed from
    1024 to 3072 but to 2048 bit.
  - Return with 77 (skip) from t-ed25519.c in FIPS mode.
  - Some code style changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
Vitezslav Cizek [Fri, 30 Oct 2015 16:36:03 +0000 (17:36 +0100)]
tests: Add new --pss option to fipsdrv

* tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length
to 0 for PSS.
--

Add new --pss option to fipsdrv to specify RSA-PSS signature encoding.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Added by wk:
  - Help string for --pss
  - Check that only --pss or --pkcs1 is given.

Signed-off-by: Werner Koch <wk@gnupg.org>
Vitezslav Cizek [Fri, 30 Oct 2015 16:34:04 +0000 (17:34 +0100)]
cipher: Add option to specify salt length for PSS verification.

* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for
salt-length token.
--

Add possibility to use a different salt length for RSASSA-PSS
verification instead of the default 20.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Detect overlong salt-length
  - Release LIST on error.

Signed-off-by: Werner Koch <wk@gnupg.org>
Vitezslav Cizek [Fri, 30 Oct 2015 14:41:09 +0000 (15:41 +0100)]
tests: Add support for RSA keygen tests to fipsdrv.

* tests/fipsdrv.c (run_rsa_keygen): New.
(main): Support RSA keygen and RSA keygen KAT tests.
--

In fipsdrv implement support for KeyGen_RandomProbablyPrime
and Known Answer Test for probably primes RSA2VS tests.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Vitezslav Cizek [Fri, 30 Oct 2015 14:38:13 +0000 (15:38 +0100)]
tests: Fixes for RSA testsuite in FIPS mode

* tests/basic.c (get_keys_new): Generate 2048 bit key.
* tests/benchmark.c (rsa_bench): Skip keys of lengths different
than 2048 and 3072 in FIPS mode.
* tests/keygen.c (check_rsa_keys): Failure if short keys can be
generated in FIPS mode.
(check_dsa_keys): Ditto for DSA keys.
* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.
--

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Remove printing of "FAIL" in fail() because this is reserved for
    use by the test driver of the Makefile.
  - Move setting of IN_FIPS_MODE after gcry_check_version in keygen.c

Signed-off-by: Werner Koch <wk@gnupg.org>
Vitezslav Cizek [Fri, 30 Oct 2015 12:41:41 +0000 (13:41 +0100)]
rsa: Use 2048 bit RSA keys for selftest.

* cipher/rsa.c (selftests_rsa): Use 2048 bit keys.
(selftest_encr_1024): Replaced by selftest_encr_2048.
(selftest_sign_1024): Replaced by selftest_sign_2048.
(selftest_encr_2048): Add check against known ciphertext.
(selftest_sign_2048): Add check against known signature.
(selftest_sign_2048): Free SIG_MPI.
* tests/pubkey.c (get_keys_new): Generate 2048 bit keys.
--

Use 2048 bit keys for the RSA selftest.
Check against the known signature/ciphertext after signing/encryption
in the selftests.
Also generate 2k keys in tests/pubkey.

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Reformat some strings and comments.
  - Replace a free by xfree.
  - Free SIG_MPI.
  - Make two strings static.

Signed-off-by: Werner Koch <wk@gnupg.org>
Vitezslav Cizek [Thu, 29 Oct 2015 16:13:16 +0000 (17:13 +0100)]
Disable non-allowed algorithms in FIPS mode

* cipher/cipher.c (_gcry_cipher_init),
* cipher/mac.c (_gcry_mac_init),
* cipher/md.c (_gcry_md_init),
* cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the
non-allowed ciphers.
* cipher/md5.c: Mark MD5 as not allowed in FIPS.
* src/g10lib.h (_gcry_mac_init): New.
* src/global.c (global_init): Call the new _gcry_mac_init.
* tests/basic.c (check_ciphers): Fix a typo.
--

When running in the FIPS mode, disable all the ciphers that don't have
the fips flag set.
Skip the non-allowed algos during testing in the FIPS mode.

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Werner Koch [Fri, 18 Mar 2016 14:38:26 +0000 (15:38 +0100)]
kdf: Make PBKDF2 check work on all platforms.

* cipher/kdf.c (_gcry_kdf_pkdf2): Change DKLEN to unsigned long.
--

The previous patch has no effect because on almost all platforms an
unsigned int is 32 bit and thus the 0xffffffff is anyway the largest
value.  This patch changes the variable to an unsigned long so that at
least on common 64 bit Unix systems (but not on 64 bit Windows) there
is an actual check.

Signed-off-by: Werner Koch <wk@gnupg.org>
Vitezslav Cizek [Thu, 29 Oct 2015 13:00:26 +0000 (14:00 +0100)]
kdf: Add upper bound for derived key length in PBKDF2.

* cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.
--

Add a missing step 1 from PBKDF specification.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
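The two PBKDF2 commits above concern step 1 of PKCS #5 v2 (RFC 8018, section 5.2): the block counter INT(i) is a 4-byte value, so a derived key may span at most 2^32 - 1 PRF output blocks, and the bound only bites if the variable holding dkLen can represent a larger value at all. The following is an added example, not libgcrypt's _gcry_kdf_pkdf2; the function names are constructed and hLen is passed in explicitly (32 for HMAC-SHA256).

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Largest number of PRF blocks PBKDF2 can produce: the block index is
   encoded as a 4-byte big-endian integer starting at 1. */
#define PBKDF2_MAX_BLOCKS 0xffffffffULL

/* Step 1 of PBKDF2: reject dkLen > (2^32 - 1) * hLen.  The comparison is
   done in 64 bits so the product cannot overflow for any real hLen.
   Returns 1 when the requested length is acceptable. */
int
example_pbkdf2_dklen_ok (uint64_t dklen, size_t hlen)
{
  uint64_t limit = PBKDF2_MAX_BLOCKS * (uint64_t) hlen;
  return dklen <= limit;
}

/* Number of PRF blocks needed, l = ceil(dkLen / hLen).  Only meaningful
   after example_pbkdf2_dklen_ok succeeded, which guarantees the result
   fits the 32-bit counter. */
uint32_t
example_pbkdf2_block_count (uint64_t dklen, size_t hlen)
{
  return (uint32_t) ((dklen + hlen - 1) / hlen);
}

/* Why the first version of the check was dead code: when dkLen lives in a
   type whose maximum is 0xffffffff (a 32-bit unsigned int, or unsigned
   long on 64-bit Windows), it can never exceed (2^32 - 1) * hLen for any
   hLen >= 1, so the comparison is always false.  Returns 1 when a dkLen of
   the given bit width can actually trip the check. */
int
example_check_is_effective (unsigned type_bits, size_t hlen)
{
  uint64_t type_max = (type_bits >= 64) ? UINT64_MAX : ((1ULL << type_bits) - 1);
  return type_max > PBKDF2_MAX_BLOCKS * (uint64_t) hlen;
}

/* The same question asked about this build's unsigned long, the type the
   second commit switched DKLEN to. */
int
example_platform_check_is_effective (void)
{
  return example_check_is_effective (sizeof (unsigned long) * CHAR_BIT, 32);
}
```

On an LP64 Unix system example_platform_check_is_effective returns 1; on a 32-bit build or on 64-bit Windows (LLP64) it returns 0, which is exactly the limitation the second commit message states.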
Vitezslav Cizek [Tue, 27 Oct 2015 13:29:11 +0000 (14:29 +0100)]
ecc: ECDSA adjustments for FIPS 186-4

* cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
* cipher/ecc.c: Add ECDSA self test.
* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
in FIPS mode.
* tests/fipsdrv.c: Add support for ECDSA signatures.
--

Enable ECC in FIPS mode.
According to NIST SP 800-131A, curve P-192 and SHA-1 are disallowed
for key pair generation and signature generation after 2013.

Thanks to Jan Matejek for the patch.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Minor source code re-formatting by -wk.

Werner Koch [Fri, 18 Mar 2016 14:11:31 +0000 (15:11 +0100)]
dsa: Make regression tests work.

* cipher/dsa.c (sample_secret_key_1024): Comment out unused constant.
(ogenerate_fips186): Make it work with use-fips183-2 flag.
* cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs
standard comment out format.
* tests/fips186-dsa.c (check_dsa_gen_186_3): New dummy function.
(main): Call it.
(main): Compare against current version.
* tests/pubkey.c (get_dsa_key_fips186_new): Create 2048 bit key.
(get_dsa_key_fips186_with_seed_new): Ditto.
(get_dsa_key_fips186_with_domain_new): Comment out.
(check_run): Do not call that function.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Vitezslav Cizek [Tue, 27 Oct 2015 11:46:30 +0000 (12:46 +0100)]
dsa: Adjustments to conform with FIPS 186-4.

* cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments.
* cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect
  buflen passed to _gcry_mpi_scan.
--

Generate the DSA keypair by testing candidates. (FIPS 186-4 B.1.2)
Use 2048 bit key for the selftest.
Allow only 2048 and 3072 as pbits size.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Werner Koch [Fri, 18 Mar 2016 12:05:34 +0000 (13:05 +0100)]
Register DCO for Vitezslav Cizek.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
Justus Winter [Wed, 16 Mar 2016 12:35:37 +0000 (13:35 +0100)]
Update documentation for 'gcry_sexp_extract_param'.

* doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MIPs
must be set to NULL first, and document how the function behaves in
case of errors.
* src/sexp.c (_gcry_sexp_extract_param): Likewise.
* src/gcrypt.h.in (gcry_sexp_extract_param): Copy the comment from
'_gcry_sexp_extract_param'.

Signed-off-by: Justus Winter <justus@g10code.com>
Justus Winter [Wed, 16 Mar 2016 11:49:26 +0000 (12:49 +0100)]
cipher: Update comment.

* cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact
that a curve parameter can be given.

Signed-off-by: Justus Winter <justus@g10code.com>
Jussi Kivilinna [Sat, 12 Mar 2016 15:07:21 +0000 (17:07 +0200)]
Add Intel PCLMUL implementations of CRC algorithms

* cipher/Makefile.am: Add 'crc-intel-pclmul.c'.
* cipher/crc-intel-pclmul.c: New.
* cipher/crc.c (USE_INTEL_PCLMUL): New macro.
(CRC_CONTEXT) [USE_INTEL_PCLMUL]: Add 'use_pclmul'.
[USE_INTEL_PCLMUL] (_gcry_crc32_intel_pclmul)
(gcry_crc24rfc2440_intel_pclmul): New.
(crc32_init, crc32rfc1510_init, crc24rfc2440_init)
[USE_INTEL_PCLMUL]: Select PCLMUL implementation if SSE4.1 and PCLMUL
HW features detected.
(crc32_write, crc24rfc2440_write) [USE_INTEL_PCLMUL]: Use PCLMUL
implementation if enabled.
(crc24_init): Document storage format of 24-bit CRC.
(crc24_next4): Use only 'data' for last table look-up.
* configure.ac: Add 'crc-intel-pclmul.lo'.
* src/g10lib.h (HWF_*, HWF_INTEL_SSE4_1): Update HWF flags to include
Intel SSE4.1.
* src/hwf-x86.c (detect_x86_gnuc): Add SSE4.1 detection.
* src/hwfeatures.c (hwflist): Add 'intel-sse4.1'.
* tests/basic.c (fillbuf_count): New.
(check_one_md): Add "?" check (million byte data-set with byte pattern
0x00,0x01,0x02,...); Test all buffer sizes 1 to 1000, for "!" and "?"
checks.
(check_one_md_multi): Skip "?".
(check_digests): Add "?" test-vectors for MD5, SHA1, SHA224, SHA256,
SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, RIPEMD160,
CRC32, CRC32_RFC1510, CRC24_RFC2440, TIGER1 and WHIRLPOOL; Add "!"
test-vectors for CRC32_RFC1510 and CRC24_RFC2440.
--

Add Intel PCLMUL accelerated implementations of CRC algorithms.
CRC performance is improved ~11x on x86_64 and i386 on Intel
Haswell, and ~2.7x on Intel Sandy-bridge.

Benchmark on Intel Core i5-4570 (x86_64, 3.2 Ghz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.865 ns/B    1103.0 MiB/s      2.77 c/B
  CRC32RFC1510   |     0.865 ns/B    1102.7 MiB/s      2.77 c/B
  CRC24RFC2440   |     0.865 ns/B    1103.0 MiB/s      2.77 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.079 ns/B   12051.7 MiB/s     0.253 c/B
  CRC32RFC1510   |     0.079 ns/B   12050.6 MiB/s     0.253 c/B
  CRC24RFC2440   |     0.079 ns/B   12100.0 MiB/s     0.252 c/B

Benchmark on Intel Core i5-4570 (i386, 3.2 Ghz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.860 ns/B    1109.0 MiB/s      2.75 c/B
  CRC32RFC1510   |     0.861 ns/B    1108.3 MiB/s      2.75 c/B
  CRC24RFC2440   |     0.860 ns/B    1108.6 MiB/s      2.75 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.078 ns/B   12207.0 MiB/s     0.250 c/B
  CRC32RFC1510   |     0.078 ns/B   12207.0 MiB/s     0.250 c/B
  CRC24RFC2440   |     0.080 ns/B   11925.6 MiB/s     0.256 c/B

Benchmark on Intel Core i5-2450M (x86_64, 2.5 Ghz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |      1.25 ns/B     762.3 MiB/s      3.13 c/B
  CRC32RFC1510   |      1.26 ns/B     759.1 MiB/s      3.14 c/B
  CRC24RFC2440   |      1.25 ns/B     764.9 MiB/s      3.12 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.451 ns/B    2114.3 MiB/s      1.13 c/B
  CRC32RFC1510   |     0.451 ns/B    2114.6 MiB/s      1.13 c/B
  CRC24RFC2440   |     0.457 ns/B    2085.0 MiB/s      1.14 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Jussi Kivilinna [Sat, 12 Mar 2016 15:10:30 +0000 (17:10 +0200)]
Update .gitignore

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
NIIBE Yutaka [Thu, 25 Feb 2016 03:01:10 +0000 (12:01 +0900)]
mpi: Normalize EXPO for mpi_powm.

* mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP.

--

Thanks to Dan Fandrich for the report with a reproducible test case.

GnuPG-bug-id: 2256

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Andreas Metzler [Sun, 21 Feb 2016 11:18:33 +0000 (12:18 +0100)]
Do not ship generated header file in tarball.

* src/Makefile.am: Move gcrypt.h from include_HEADERS to
  nodist_include_HEADERS to prevent inclusion in release tarball.
  This could break out-of-tree-builds because the potentially outdated
  src/gcrypt.h was not updated but was in the compiler search path.

Jussi Kivilinna [Sat, 20 Feb 2016 19:27:15 +0000 (21:27 +0200)]
Fix building random-drbg for Win32/64

* random/random-drbg.c: Remove include for sys/types.h and asm/types.h.
(DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH)
(DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384)
(DRBG_HASHSHA512, DRBG_HMAC, DRBG_SYM128, DRBG_SYM192)
(DRBG_SYM256): Change 'u_int32_t' to 'u32'.
(drbg_get_entropy) [USE_RNDUNIX, USE_RNDW32]: Fix parameters
'drbg_read_cb' and 'len'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Werner Koch [Sat, 20 Feb 2016 13:41:56 +0000 (14:41 +0100)]
tests: Do not test DRBG_REINIT from "make check"

* tests/random.c (main): Run check_drbg_reinit only if the envvar
GCRYPT_IN_REGRESSION_TEST is set.
--

Without a hardware entropy generator (e.g. the moonbase token) running
the regression suite would take too long.  We better use a set of test
vectors when run from "make check".

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Wed, 17 Feb 2016 18:34:21 +0000 (19:34 +0100)]
doc: Fix possible dependency problem.

* doc/Makefile.am (gcrypt.texi): Use the right target.

Signed-off-by: Werner Koch <wk@gnupg.org>
Stephan Mueller [Tue, 16 Feb 2016 21:04:53 +0000 (22:04 +0100)]
random: Remove ANSI X9.31 DRNG

* random-fips.c: Remove.
--

The ANSI X9.31 DRNG is removed as it is completely replaced with the
SP800-90A DRBG.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Werner Koch [Fri, 19 Feb 2016 14:35:03 +0000 (15:35 +0100)]
random: Add a test case for DRBG_REINIT.

* src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
* tests/random.c (check_drbg_reinit): New.
(main): Call new test.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Fri, 19 Feb 2016 14:32:44 +0000 (15:32 +0100)]
random: Allow DRBG_REINIT before initialization.

* random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
(_drbg_init_internal): Set the default type if no type has been set
before.
(_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.
--

Without this change we can't call GCRYCTL_DRBG_REINIT before
initialization.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Fri, 19 Feb 2016 11:57:00 +0000 (12:57 +0100)]
Add new private header gcrypt-testapi.h.

* src/gcrypt-testapi.h: New.
* src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
* random/random.h: Include gcrypt-testapi.h.
(struct gcry_drbg_test_vector) : Move to gcrypt-testapi.h.
* src/global.c: Include gcrypt-testapi.h.
(_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61.
* cipher/cipher.c: Include gcrypt-testapi.h.
(_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62.
* tests/fipsdrv.c: Include gcrypt-testapi.h.  Remove definition of
PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_
constants.
* tests/t-lock.c: Include gcrypt-testapi.h.  Remove
PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants.

* random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ...
(_gcry_rngdrbg_cavs_test): this.
(gcry_rngdrbg_healthcheck_one): Rename to ...
(_gcry_rngdrbg_healthcheck_one): this.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Fri, 19 Feb 2016 10:44:57 +0000 (11:44 +0100)]
random: Make the DRBG C-90 clean and use a flag string.

* random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
"flagstr" and turn it into a string.
* random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
designated initializers.  Use a string for the flags.
(gcry_rngdrbg_cavs_test): Parse the flag string into a flag value.
(drbg_healthcheck_sanity): Ditto.
--

Libgcrypt needs to be build-able on C-90 only systems and thus we
can't use C-99 designated initializers.  Because we have removed the
flag macros from the API we should not use them in the CAVS test code
either.  Thus they are replaced by the flag string which also tests
the flag string parser.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Thu, 18 Feb 2016 19:44:10 +0000 (20:44 +0100)]
random: Symbol name cleanup for random-drbg.c.

* random/random-drbg.c: Rename all static objects and macros from
"gcry_drbg" to "drbg".
(drbg_string_t): New typedef.
(drbg_gen_t): New typedef.
(drbg_state_t): New typedef.  Replace all "struct drbg_state_s *" by
this.
(_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so
that an error is actually returned.
(gcry_rngdrbg_cavs_test): Ditto.
(gcry_drbg_healthcheck_sanity): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Thu, 18 Feb 2016 18:24:47 +0000 (19:24 +0100)]
random: Use our symbol name pattern also for drbg functions.

* random/random-drbg.c: Rename global functions from _gcry_drbg_*
to _gcry_rngdrbg_*.
* random/random.c: Adjust for this change.
* src/global.c: Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Thu, 18 Feb 2016 14:37:31 +0000 (15:37 +0100)]
random: Rename drbg.c to random-drbg.c.

* random/drbg.c: Rename to ...
* random/random-drbg.c: this.
* random/Makefile.am (librandom_la_SOURCES): Adjust accordingly.
--

We should stick to our name conventions.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Thu, 18 Feb 2016 16:51:34 +0000 (17:51 +0100)]
random: Remove the new API introduced by the new DRBG.

* src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c.
(struct gcry_drbg_string): Ditto.
(gcry_drbg_string_fill): Ditto.
(gcry_randomize_drbg): Remove.
* random/drbg.c (parse_flag_string): New.
(_gcry_drbg_reinit): Change the way the arguments are passed.
* src/global.c (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: Change calling
convention.
--

It does not make sense to extend the API for a somewhat questionable
feature.  For GCRYCTL_DRBG_REINIT we change to use a string with flags
and libgcrypt's native buffer data structure.

NB: GCRYCTL_DRBG_REINIT has not been tested!
Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Thu, 18 Feb 2016 14:37:32 +0000 (15:37 +0100)]
Add helper function _gcry_strtokenize.

* src/misc.c (_gcry_strtokenize): New.
--

The code has been taken from GnuPG and re-licensed to LGPLv2+ by me as
its original author.  Minor changes for use in Libgcrypt.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch [Thu, 18 Feb 2016 14:31:36 +0000 (15:31 +0100)]
random: Remove DRBG constants from the public API.

* src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ...
* random/drbg.c: here.

Signed-off-by: Werner Koch <wk@gnupg.org>
Stephan Mueller [Tue, 16 Feb 2016 21:04:28 +0000 (22:04 +0100)]
random: Add SP800-90A DRBG

* random/drbg.c: New.
* random/random.c (_gcry_random_initialize): Replace rngfips init by
drbg init.
(__gcry_random_close_fds): Likewise.
(_gcry_random_dump_stats): Likewise.
(_gcry_random_is_faked): Likewise.
(do_randomize): Likewise.
(_gcry_random_selftest): Likewise.
(_gcry_create_nonce): Replace rngfips_create_noce by drbg_randomize.
(_gcry_random_init_external_test): Remove.
(_gcry_random_run_external_test): Remove.
(_gcry_random_deinit_external_test): Remove.
* random/random.h (struct gcry_drbg_test_vector): New.
* src/gcrypt.h.in (struct gcry_drbg_gen): New.
(struct gcry_drbg_string): New.
(gcry_drbg_string_fill): New.
(gcry_randomize_drbg): New.
(GCRY_DRBG_): Lots of new macros.
* src/global.c (_gcry_vcontrol) <Init external random test>: Turn into
a nop.
(_gcry_vcontrol) <Deinit external random test>: Ditto.
(_gcry_vcontrol) <Run external random test>: Change.
(_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: New.

--

This patch set adds the SP800-90A DRBG for AES128, AES192, AES256 with
derivation function, SHA-1 through SHA-512 with derivation function,
HMAC SHA-1 through HMAC SHA-512. All DRBGs are provided with and without
prediction resistance. In addition, all DRBGs allow reseeding by the
caller.

The default DRBG is HMAC SHA-256 without prediction resistance.

The caller may re-initialize the DRBG with the control
GCRYCTL_DRBG_REINIT:

The patch replaces the invocation of the existing ANSI X9.31 DRNG. This
covers the control calls of 58 through 60. Control call 58 and 60 are
simply deactivated. Control 59 is replaced with the DRBG CAVS test
interface.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
ChangeLog entries added by -wk

Jussi Kivilinna [Sat, 13 Feb 2016 18:12:58 +0000 (20:12 +0200)]
bufhelp: disable unaligned memory accesses on powerpc

* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for
__powerpc__ and __powerpc64__.

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Andreas Metzler [Fri, 12 Feb 2016 13:19:23 +0000 (14:19 +0100)]
Document more non LGPL-licensed code.

--

Add license and copyright statement for cipher/arcfour-amd64.S (public
domain) and cipher/cipher-ocb.c (OCB license 1)

NIIBE Yutaka [Fri, 12 Feb 2016 04:50:02 +0000 (13:50 +0900)]
ecc: Not validate input point for Curve25519.

* cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
NIIBE Yutaka [Wed, 10 Feb 2016 08:35:43 +0000 (17:35 +0900)]
ecc: Fix memory leaks on error.

* cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory.
* mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
NIIBE Yutaka [Tue, 9 Feb 2016 09:50:47 +0000 (18:50 +0900)]
doc: about commit 23b72901f8a5ba9a78485b235c7a917fbc8faae0

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Together with 88e1358962e902ff1cbec8d53ba3eee46407851a, it
could be an effective countermeasure to some chosen-ciphertext
attacks.

CVE-id: CVE-2015-7511

Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran
Tromer.   http://www.cs.tau.ac.IL/~tromer/ecdh/

NIIBE Yutaka [Tue, 24 Nov 2015 23:41:41 +0000 (08:41 +0900)]
ecc: input validation on ECDH.

* cipher/ecc.c (ecc_decrypt_raw): Validate the point.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(forward port from LIBGCRYPT-1-6-BRANCH
 commit 28eb424e4427b320ec1c9c4ce56af25d495230bd)

Jussi Kivilinna [Mon, 8 Feb 2016 18:13:38 +0000 (20:13 +0200)]
Add ARM assembly implementation of SHA-512

* cipher/Makefile.am: Add 'sha512-arm.S'.
* cipher/sha512-arm.S: New.
* cipher/sha512.c (USE_ARM_ASM): New.
(_gcry_sha512_transform_arm): New.
(transform) [USE_ARM_ASM]: Use ARM assembly implementation instead of
generic.
* configure.ac: Add 'sha512-arm.lo'.
--

Benchmark on Cortex-A8 (armv6, 1008 Mhz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA512         |     112.0 ns/B      8.52 MiB/s     112.9 c/B

 After (3.3x faster):
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA512         |     34.01 ns/B     28.04 MiB/s     34.28 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
NIIBE Yutaka [Wed, 3 Feb 2016 03:24:46 +0000 (12:24 +0900)]
tests: Add a test for Curve25519.

* tests/Makefile.am (tests_bin): Add t-cv25519.
* tests/t-cv25519.c: New.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
NIIBE Yutaka [Tue, 2 Feb 2016 11:58:04 +0000 (20:58 +0900)]
ecc: Fix Curve25519 for data by older implementation.

* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for
short length data.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
NIIBE Yutaka [Tue, 2 Feb 2016 08:24:10 +0000 (17:24 +0900)]
ecc: more fix of Curve25519.

* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
prefix.  Clear the MSB, according to RFC7748.

--

This change fixes two things.

* Handle the case the prefix 0x40 comes at the end when scanned as
  standard MPI.

* Implement MSB handling.  In the page 7 of RFC7748, it says about
  decoding u-coordinate:

    When receiving such an array, implementations of X25519 (but not
    X448) MUST mask the most significant bit in the final byte.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
NIIBE Yutaka [Tue, 2 Feb 2016 04:58:48 +0000 (13:58 +0900)]
ecc: Fix ECDH of Curve25519.

* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
and prefix detection.
* cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
(ecc_encrypt_raw): Use NBITS from curve instead of from P.
Fix rawmpilen calculation.
(ecc_decrypt_raw): Likewise.  Add debug output.
--

This fixes the commit dd3d06e7.  NBITS is defined 256 in ecc-curves.c,
thus, ecc_get_nbits returns 256.  But CTX->NBITS has 255 for Montgomery
curve.
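The Curve25519 commits above (prefix handling, masking the most significant bit as RFC 7748 section 5 requires for X25519, and the 255 vs 256 bit question) all come down to how a received u-coordinate is turned into an integer. The following is an added example, not libgcrypt's _gcry_ecc_mont_decodepoint: it decodes the 32-byte little-endian array of RFC 7748, and as an assumption about libgcrypt's own point format it also accepts a 33-byte input whose first byte is the 0x40 prefix mentioned in the commit messages. The function name and the limb representation are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A u-coordinate is a 32-byte little-endian integer (RFC 7748, sec. 5). */
#define CV25519_LEN 32

/* Prefix byte that, by assumption in this example, marks a Montgomery
   u-coordinate in libgcrypt's own point encoding. */
#define MONT_PREFIX 0x40

/* Decode a received u-coordinate into four 64-bit little-endian limbs.
   Accepts the bare 32-byte array or the 33-byte prefixed form.  The most
   significant bit of the final byte is masked off before use, as RFC 7748
   mandates for X25519 (but not X448); a decoder that skipped this step
   would interpret a non-canonical input differently from other peers.
   Returns 0 on success, -1 for a length this example does not accept. */
int
example_x25519_decode_u (const unsigned char *in, size_t inlen, uint64_t u[4])
{
  unsigned char buf[CV25519_LEN];
  size_t i;

  if (inlen == CV25519_LEN + 1 && in[0] == MONT_PREFIX)
    {
      in++;
      inlen--;
    }
  if (inlen != CV25519_LEN)
    return -1;

  memcpy (buf, in, CV25519_LEN);
  buf[CV25519_LEN - 1] &= 0x7f;   /* RFC 7748: mask the MSB of the last byte */

  for (i = 0; i < 4; i++)
    {
      size_t j;
      u[i] = 0;
      for (j = 0; j < 8; j++)
        u[i] |= (uint64_t) buf[i * 8 + j] << (8 * j);
    }
  return 0;
}

/* Effective bit length of the decoded value: after masking it is at most
   255, which is the CTX->NBITS value the last commit message contrasts with
   the curve's nominal 256. */
unsigned
example_x25519_u_bits (const uint64_t u[4])
{
  int i;
  for (i = 3; i >= 0; i--)
    if (u[i])
      {
        unsigned n = 0;
        uint64_t v = u[i];
        while (v)
          {
            n++;
            v >>= 1;
          }
        return (unsigned) i * 64 + n;
      }
  return 0;
}
```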

Jussi Kivilinna [Fri, 29 Jan 2016 15:42:41 +0000 (17:42 +0200)]
Update 'Interface changes' in NEWS

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoImprove performance of generic SHA256 implementation
Jussi Kivilinna [Fri, 29 Jan 2016 15:42:41 +0000 (17:42 +0200)]
Improve performance of generic SHA256 implementation

* cipher/sha256.c (R): Let caller do variable shuffling.
(Chro, Maj, Sum0, Sum1): Convert from inline functions to macros.
(W, I): New.
(transform_blk): Unroll round loop; inline message expansion to rounds
to make message expansion buffer smaller.
--

Benchmark on Cortex-A8 (armv6, 1008 Mhz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     27.63 ns/B     34.52 MiB/s     27.85 c/B

 After (1.31x faster):
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     20.97 ns/B     45.48 MiB/s     21.13 c/B

Benchmark on Cortex-A8 (armv7, 1008 Mhz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     24.18 ns/B     39.43 MiB/s     24.38 c/B

 After (1.13x faster):
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     21.28 ns/B     44.82 MiB/s     21.45 c/B

Benchmark on Intel Core i5-4570 (i386, 3.2 Ghz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |      5.78 ns/B     164.9 MiB/s     18.51 c/B

 After (1.06x faster):
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |      5.41 ns/B     176.1 MiB/s     17.33 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoUpdate NEWS
Jussi Kivilinna [Thu, 28 Jan 2016 17:07:50 +0000 (19:07 +0200)]
Update NEWS

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agodoc: Fix typos in gcry_mpi_ec_new.
Werner Koch [Thu, 28 Jan 2016 17:16:22 +0000 (18:16 +0100)]
doc: Fix typos in gcry_mpi_ec_new.

--
Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years agoecc: New API function gcry_mpi_ec_decode_point.
Werner Koch [Thu, 28 Jan 2016 16:33:51 +0000 (17:33 +0100)]
ecc: New API function gcry_mpi_ec_decode_point.

* mpi/ec.c (_gcry_mpi_ec_decode_point): New.
* cipher/ecc-common.h: Move two prototypes to ...
* src/ec-context.h: here.
* src/gcrypt.h.in (gcry_mpi_ec_decode_point): New.
* src/libgcrypt.def (gcry_mpi_ec_decode_point): New.
* src/libgcrypt.vers (gcry_mpi_ec_decode_point): New.
* src/visibility.c (gcry_mpi_ec_decode_point): New.
* src/visibility.h: Add new function.
--

This new function makes the use of the gcry_mpi_ec_curve_point function
possible in many contexts.  Here is a code snippet which could be used
in gpg to check a point:

static gpg_error_t
check_point (PKT_public_key *pk, gcry_mpi_t m_point)
{
  gpg_error_t err;
  char *curve;
  gcry_ctx_t gctx = NULL;
  gcry_mpi_point_t point = NULL;

  /* Get the curve name from the first OpenPGP key parameter.  */
  curve = openpgp_oid_to_str (pk->pkey[0]);
  if (!curve)
    {
      err = gpg_error_from_syserror ();
      goto leave;
    }

  point = gcry_mpi_point_new (0);
  if (!point)
    {
      err = gpg_error_from_syserror ();
      goto leave;
    }

  err = gcry_mpi_ec_new (&gctx, NULL, curve);
  if (err)
    goto leave;

  err = gcry_mpi_ec_decode_point (point, m_point, gctx);
  if (err)
    goto leave;

  if (!gcry_mpi_ec_curve_point (point, gctx))
    err = gpg_error (GPG_ERR_BAD_DATA);

 leave:
  gcry_ctx_release (gctx);
  gcry_mpi_point_release (point);
  xfree (curve);
  return err;
}

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years agoFix build problem for rndegd.c
Werner Koch [Fri, 15 Jan 2016 15:10:34 +0000 (16:10 +0100)]
Fix build problem for rndegd.c

* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules.
* random/rndegd.c (_gcry_rndegd_connect_socket)
(my_make_filename): Use functions with '_' prefix.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years agorandom: Fix possible AIX problem with sysconf in rndunix.
Werner Koch [Fri, 15 Jan 2016 15:01:35 +0000 (16:01 +0100)]
random: Fix possible AIX problem with sysconf in rndunix.

* random/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
(start_gatherer): Detect misbehaving sysconf.
--

See
GnuPG-bug-id: 1778
for the reason for this patch.  There is no concrete bug report, but this
change should not harm.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years agorandom: Take at max 25% from RDRAND
Werner Koch [Sun, 27 Dec 2015 11:39:45 +0000 (12:39 +0100)]
random: Take at max 25% from RDRAND

* random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of
RDRAND from 50% to 25%.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years agodoc: Typo fix and .gitignore addition.
Werner Koch [Fri, 2 Oct 2015 13:05:19 +0000 (15:05 +0200)]
doc: Typo fix and .gitignore addition.

--

3 years agodoc: Fix typo.
Justus Winter [Wed, 2 Dec 2015 11:49:59 +0000 (12:49 +0100)]
doc: Fix typo.

--
Signed-off-by: Justus Winter <justus@g10code.com>
3 years agocipher: Improve error handling.
Justus Winter [Mon, 7 Dec 2015 11:44:48 +0000 (12:44 +0100)]
cipher: Improve error handling.

* cipher/ecc.c (ecc_decrypt_raw): Improve error handling.
--
Found using the Clang Static Analyzer.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years agocipher: Initialize 'flags'.
Justus Winter [Mon, 7 Dec 2015 11:39:41 +0000 (12:39 +0100)]
cipher: Initialize 'flags'.

* cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0.
--
Found using the Clang Static Analyzer.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years agoecc: CHANGE point representation of Curve25519.
NIIBE Yutaka [Sat, 5 Dec 2015 01:08:51 +0000 (10:08 +0900)]
ecc: CHANGE point representation of Curve25519.

* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with
the prefix 0x40, additional 0x00 by MPI handling, and shorter octets
by MPI normalization.
* cipher/ecc.c (ecc_generate, ecc_encrypt_raw, ecc_decrypt_raw):
Always add the prefix 0x40.

--

The native little-endian point representation of Curve25519 is not
friendly to the existing practice of OpenPGP code, where an MPI is
assumed.  MPI handling might insert 0x00 at the beginning to avoid
sign confusion.  MPI handling also might remove 0x00s in the front.
So, it is safe to put the prefix 0x40.

While we support the old point representation with no prefix in
ecc_mont_decodepoint, new libgcrypt always puts the prefix.
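As an added example, not libgcrypt code, here is a standalone C decoder for the point representation this commit describes, combined with the MSB masking that the "ecc: more fix of Curve25519" commit listed earlier on this page adds: it tolerates a leading 0x00 sign byte, the 0x40 prefix, and leading zeros stripped by MPI normalization, then reverses to little-endian and masks the MSB per RFC 7748. The function names (cv25519_encode_point, cv25519_decode_u, demo_*) and the inputs are my own constructions; the input is assumed to be the big-endian MPI body without the OpenPGP bit-length header, and the 33-byte rule for prefix detection is a simplification of my own rather than libgcrypt's logic.

```c
#include <stdint.h>
#include <string.h>

#define CV25519_LEN 32   /* 255-bit u-coordinate -> 32 octets */

/* Encode a little-endian u-coordinate as the MPI body in the prefixed
 * representation: 0x40 followed by the coordinate in big-endian order.
 * Returns the number of bytes written (always 33). */
size_t cv25519_encode_point(const uint8_t u[CV25519_LEN],
                            uint8_t out[CV25519_LEN + 1])
{
    out[0] = 0x40;
    for (size_t i = 0; i < CV25519_LEN; i++)
        out[1 + i] = u[CV25519_LEN - 1 - i];
    return CV25519_LEN + 1;
}

/* Decode the big-endian MPI bytes MPI[0..MPILEN) into the 32-byte
 * little-endian u-coordinate U.  Accepts the prefixed representation
 * (0x40 || 32 bytes) as well as the old unprefixed one.  Returns 0 on
 * success, -1 if the input cannot be a Curve25519 u-coordinate. */
int cv25519_decode_u(const uint8_t *mpi, size_t mpilen, uint8_t u[CV25519_LEN])
{
    /* MPI handling may have inserted a leading 0x00 to avoid sign
     * confusion, or stripped leading zeros; neither changes the value. */
    while (mpilen > 0 && mpi[0] == 0x00) {
        mpi++;
        mpilen--;
    }

    /* A 255-bit value never needs 33 bytes, so 33 bytes starting with
     * 0x40 can only be prefix plus coordinate.  A 32-byte unprefixed
     * value whose top byte happens to be 0x40 is left alone. */
    if (mpilen == CV25519_LEN + 1 && mpi[0] == 0x40) {
        mpi++;
        mpilen--;
    }

    if (mpilen > CV25519_LEN)
        return -1;

    /* Shorter input means the high-order big-endian bytes were zero and
     * got stripped by MPI normalization; zero-fill, then copy reversed. */
    memset(u, 0, CV25519_LEN);
    for (size_t i = 0; i < mpilen; i++)
        u[i] = mpi[mpilen - 1 - i];

    /* RFC 7748: X25519 implementations MUST mask the most significant
     * bit of the final byte. */
    u[CV25519_LEN - 1] &= 0x7f;
    return 0;
}

/* Checks on constructed inputs; each returns 1 when the decoder behaves
 * as described above. */
int demo_roundtrip(void)
{
    uint8_t u[CV25519_LEN], mpi[CV25519_LEN + 1], dec[CV25519_LEN];
    for (int i = 0; i < CV25519_LEN; i++)
        u[i] = (uint8_t)(i * 7);              /* u[31] = 0xd9: MSB set */
    size_t n = cv25519_encode_point(u, mpi);
    if (n != 33 || mpi[0] != 0x40 || cv25519_decode_u(mpi, n, dec) != 0)
        return 0;
    u[CV25519_LEN - 1] &= 0x7f;               /* the decoder clears the MSB */
    return memcmp(u, dec, CV25519_LEN) == 0;
}

int demo_sign_byte(void)   /* 0x00 inserted by MPI handling before 0x40 */
{
    uint8_t mpi[CV25519_LEN + 2] = {0x00, 0x40}, dec[CV25519_LEN];
    for (int i = 0; i < CV25519_LEN; i++)
        mpi[2 + i] = (uint8_t)(i + 1);        /* big-endian bytes 1..32 */
    if (cv25519_decode_u(mpi, sizeof mpi, dec) != 0)
        return 0;
    return dec[0] == 32 && dec[CV25519_LEN - 1] == 1;
}

int demo_short(void)       /* leading zeros stripped, no prefix */
{
    uint8_t mpi[2] = {0x02, 0x09}, dec[CV25519_LEN];
    if (cv25519_decode_u(mpi, sizeof mpi, dec) != 0)
        return 0;
    return dec[0] == 0x09 && dec[1] == 0x02 && dec[CV25519_LEN - 1] == 0;
}

int demo_too_long(void)    /* 34 non-zero bytes: not a 255-bit value */
{
    uint8_t mpi[CV25519_LEN + 2], dec[CV25519_LEN];
    memset(mpi, 0x11, sizeof mpi);
    return cv25519_decode_u(mpi, sizeof mpi, dec) == -1;
}
```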

3 years agochacha20: fix alignment of self-test context
Jussi Kivilinna [Thu, 3 Dec 2015 19:06:50 +0000 (21:06 +0200)]
chacha20: fix alignment of self-test context

* cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20
context structure.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agosalsa20: fix alignment of self-test context
Jussi Kivilinna [Thu, 3 Dec 2015 19:06:50 +0000 (21:06 +0200)]
salsa20: fix alignment of self-test context

* cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20
context structure.
--

Reported-by: Carlos J Puga Medina <cpm@fbsd.es>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agorandom: Drop fake entropy gathering function.
Justus Winter [Wed, 2 Dec 2015 11:12:55 +0000 (12:12 +0100)]
random: Drop fake entropy gathering function.

* random/random-csprng.c (faked_rng): Drop variable.
(gather_faked): Drop prototype and function.
(initialize): Drop fallback code.
(_gcry_rngcsprng_is_faked): Change accordingly.

--
The fake entropy gathering function is deemed too dangerous to be
used by accident, and is therefore removed.

This reverts commit 468a5796ffb1a7776db4004d534376c1b981d740.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years agorandom: Fix selection of entropy gathering function.
Justus Winter [Wed, 2 Dec 2015 10:54:40 +0000 (11:54 +0100)]
random: Fix selection of entropy gathering function.

* random/random-csprng.c (getfnc_gather_random): Do return NULL if no
usable entropy gathering function is found.  The callsite then
installs the fake gather function.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years agoecc: minor improvement of point multiplication.
NIIBE Yutaka [Thu, 26 Nov 2015 02:37:47 +0000 (11:37 +0900)]
ecc: minor improvement of point multiplication.

* mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop.

3 years agoecc: Constant-time multiplication for Weierstrass curve.
NIIBE Yutaka [Wed, 25 Nov 2015 03:46:19 +0000 (12:46 +0900)]
ecc: Constant-time multiplication for Weierstrass curve.

* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
method for Weierstrass curve when SCALAR is secure.

3 years agompi: fix gcry_mpi_swap_cond.
NIIBE Yutaka [Wed, 25 Nov 2015 03:13:04 +0000 (12:13 +0900)]
mpi: fix gcry_mpi_swap_cond.

* mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.

3 years agompi: Fix mpi_set_cond and mpi_swap_cond .
NIIBE Yutaka [Wed, 25 Nov 2015 01:52:57 +0000 (10:52 +0900)]
mpi: Fix mpi_set_cond and mpi_swap_cond .

* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
the operator of !!, but assume SET/SWAP is 0 or 1.

--

If the code for !! includes a branch, it spoils the purpose of
mpi_set_cond/mpi_swap_cond entirely.  It's better to make sure this
function is called with 0 or 1 for SET/SWAP.  Note that it conforms
when SET/SWAP is the result of a conditional expression of
mpi_test_bit.

Reported-by: Taylor R Campbell.
3 years agoecc: multiplication of Edwards curve to be constant-time.
NIIBE Yutaka [Wed, 25 Nov 2015 01:42:47 +0000 (10:42 +0900)]
ecc: multiplication of Edwards curve to be constant-time.

* mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.

--

Reported-by: Taylor R Campbell.
3 years agoecc: Add point_resize and point_swap_cond.
NIIBE Yutaka [Wed, 25 Nov 2015 01:19:39 +0000 (10:19 +0900)]
ecc: Add point_resize and point_swap_cond.

* mpi/ec.c (point_resize, point_swap_cond): New.
(_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.

--

Thanks to Taylor R Campbell, who suggested this.
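The constant-time primitives behind this commit and the mpi_set_cond/mpi_swap_cond and Edwards/Weierstrass multiplication commits above, as an added example in C that is not libgcrypt code: the condition is taken as exactly 0 or 1 (as the mpi_set_cond fix requires) and turned into a mask without "!!", and a Montgomery ladder on plain integers stands in for the point multiplication loop to show how a conditional swap keeps the operation sequence independent of the scalar. All names (limbs_set_cond, limbs_swap_cond, limbs_add, ladder_mul, the demo_* helpers) and inputs are my own constructions.

```c
#include <stdint.h>
#include <string.h>

typedef uint64_t limb_t;
#define MAXLIMBS 4

/* Bit I of the little-endian limb array K, as exactly 0 or 1: the caller
 * guarantees a 0/1 value, so the primitives below need no "!!", which a
 * compiler is free to implement with a branch. */
limb_t scalar_bit(const limb_t *k, size_t i)
{
    return (k[i / 64] >> (i % 64)) & 1;
}

/* If SET is 1, overwrite A with B; if 0, leave A unchanged.  SET must be
 * 0 or 1.  The mask is derived arithmetically, so the same instructions
 * execute in both cases. */
void limbs_set_cond(limb_t *a, const limb_t *b, size_t n, limb_t set)
{
    limb_t mask = (limb_t)0 - set;             /* 0 -> 0...0, 1 -> 1...1 */
    for (size_t i = 0; i < n; i++)
        a[i] = (a[i] & ~mask) | (b[i] & mask);
}

/* Swap A and B if SWAP is 1, leave both unchanged if 0.  SWAP must be
 * 0 or 1. */
void limbs_swap_cond(limb_t *a, limb_t *b, size_t n, limb_t swap)
{
    limb_t mask = (limb_t)0 - swap;
    for (size_t i = 0; i < n; i++) {
        limb_t t = (a[i] ^ b[i]) & mask;
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* R = A + B mod 2^(64*N); returns the carry out.  R may alias A or B. */
limb_t limbs_add(limb_t *r, const limb_t *a, const limb_t *b, size_t n)
{
    limb_t carry = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t s = a[i] + carry;
        limb_t c1 = (s < carry);
        limb_t t = s + b[i];
        limb_t c2 = (t < s);
        r[i] = t;
        carry = c1 | c2;
    }
    return carry;
}

/* OUT = K * P mod 2^(64*N) by a Montgomery ladder.  Integer add and
 * double stand in for point add and double; the only scalar-dependent
 * step is limbs_swap_cond, so every bit of K costs the same work. */
void ladder_mul(limb_t *out, const limb_t *k, const limb_t *p, size_t n)
{
    limb_t r0[MAXLIMBS] = {0}, r1[MAXLIMBS] = {0};
    memcpy(r1, p, n * sizeof(limb_t));        /* invariant: r1 == r0 + p */
    for (size_t i = 64 * n; i-- > 0; ) {
        limb_t bit = scalar_bit(k, i);
        limbs_swap_cond(r0, r1, n, bit);
        limbs_add(r1, r0, r1, n);             /* r1 = r0 + r1 */
        limbs_add(r0, r0, r0, n);             /* r0 = 2 * r0  */
        limbs_swap_cond(r0, r1, n, bit);
    }
    memcpy(out, r0, n * sizeof(limb_t));
}

/* Small helpers returning checkable values on constructed inputs. */
unsigned demo_set(limb_t set)
{
    limb_t a[2] = {1, 2}, b[2] = {3, 4};
    limbs_set_cond(a, b, 2, set);
    return (unsigned)(a[0] * 10 + a[1]);      /* 12 unchanged, 34 set */
}

unsigned demo_swap(limb_t swap)
{
    limb_t a[2] = {1, 2}, b[2] = {3, 4};
    limbs_swap_cond(a, b, 2, swap);
    return (unsigned)(a[0] * 10 + b[0]);      /* 13 unchanged, 31 swapped */
}

uint64_t demo_mul1(uint64_t k, uint64_t p)
{
    limb_t out[1], kk[1] = {k}, pp[1] = {p};
    ladder_mul(out, kk, pp, 1);
    return out[0];
}

uint64_t demo_mul_carry(void)
{
    limb_t out[2], k[2] = {2, 0}, p[2] = {UINT64_MAX, 0};
    ladder_mul(out, k, p, 2);
    return out[1];                            /* high limb of 2*(2^64-1) is 1 */
}
```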

3 years agocipher: Fix error handling.
Justus Winter [Tue, 17 Nov 2015 15:00:16 +0000 (16:00 +0100)]
cipher: Fix error handling.

* cipher/cipher.c (_gcry_cipher_ctl): Fix error handling.
--
Found using the Clang Static Analyzer.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years agoTweak Keccak for small speed-up
Jussi Kivilinna [Wed, 18 Nov 2015 07:44:18 +0000 (09:44 +0200)]
Tweak Keccak for small speed-up

* cipher/keccak_permute_32.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Track
rounds with round constant pointer instead of separate round counter.
* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Ditto.
(KECCAK_F1600_ABSORB_FUNC_NAME): Tweak lanes pointer increment for bulk
absorb loops.
--

Patch makes small tweaks to improve performance.

Benchmark on Intel Haswell @ 3.2 Ghz:

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHAKE128       |      2.27 ns/B     420.5 MiB/s      7.26 c/B
 SHAKE256       |      2.79 ns/B     341.4 MiB/s      8.94 c/B
 SHA3-224       |      2.64 ns/B     361.7 MiB/s      8.44 c/B
 SHA3-256       |      2.79 ns/B     341.4 MiB/s      8.94 c/B
 SHA3-384       |      3.65 ns/B     261.3 MiB/s     11.68 c/B
 SHA3-512       |      5.27 ns/B     181.0 MiB/s     16.86 c/B

After:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHAKE128       |      2.25 ns/B     423.5 MiB/s      7.21 c/B
 SHAKE256       |      2.77 ns/B     343.9 MiB/s      8.88 c/B
 SHA3-224       |      2.62 ns/B     364.1 MiB/s      8.38 c/B
 SHA3-256       |      2.77 ns/B     343.8 MiB/s      8.88 c/B
 SHA3-384       |      3.63 ns/B     262.6 MiB/s     11.63 c/B
 SHA3-512       |      5.23 ns/B     182.3 MiB/s     16.75 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoUpdate license information for CRC
Jussi Kivilinna [Wed, 18 Nov 2015 07:44:18 +0000 (09:44 +0200)]
Update license information for CRC

* LICENSES: Remove 'Simple permissive' and 'IETF permissive' licenses
for 'cipher/crc.c' as result of rewrite of CRC implementations.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoFix typos found using codespell
Justus Winter [Mon, 16 Nov 2015 11:18:47 +0000 (12:18 +0100)]
Fix typos found using codespell

* cipher/cipher-ocb.c: Fix typos.
* cipher/des.c: Likewise.
* cipher/dsa-common.c: Likewise.
* cipher/ecc.c: Likewise.
* cipher/pubkey.c: Likewise.
* cipher/rsa-common.c: Likewise.
* cipher/scrypt.c: Likewise.
* random/random-csprng.c: Likewise.
* random/random-fips.c: Likewise.
* random/rndw32.c: Likewise.
* src/cipher-proto.h: Likewise.
* src/context.c: Likewise.
* src/fips.c: Likewise.
* src/gcrypt.h.in: Likewise.
* src/global.c: Likewise.
* src/sexp.c: Likewise.
* tests/mpitests.c: Likewise.
* tests/t-lock.c: Likewise.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years agoImprove performance of Tiger hash algorithms
Jussi Kivilinna [Sun, 1 Nov 2015 18:44:09 +0000 (20:44 +0200)]
Improve performance of Tiger hash algorithms

* cipher/tiger.c (tiger_round, pass, key_schedule): Convert functions
to macros.
(transform_blk): Pass variable names instead of pointers to 'pass'.
--

Benchmark results on Intel Haswell @ 3.2 Ghz:

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 TIGER          |      3.25 ns/B     293.5 MiB/s     10.40 c/B

After (1.75x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 TIGER          |      1.85 ns/B     515.3 MiB/s      5.92 c/B

Benchmark results on Cortex-A8 @ 1008 Mhz:

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 TIGER          |     63.42 ns/B     15.04 MiB/s     63.93 c/B

After (1.26x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 TIGER          |     49.99 ns/B     19.08 MiB/s     50.39 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoAdd ARMv7/NEON implementation of Keccak
Jussi Kivilinna [Sun, 1 Nov 2015 14:06:26 +0000 (16:06 +0200)]
Add ARMv7/NEON implementation of Keccak

* cipher/Makefile.am: Add 'keccak-armv7-neon.S'.
* cipher/keccak-armv7-neon.S: New.
* cipher/keccak.c (USE_64BIT_ARM_NEON): New.
(NEED_COMMON64): Select if USE_64BIT_ARM_NEON.
[NEED_COMMON64] (round_consts_64bit): Rename to...
[NEED_COMMON64] (_gcry_keccak_round_consts_64bit): ...this; Add
terminator at end.
[USE_64BIT_ARM_NEON] (_gcry_keccak_permute_armv7_neon)
(_gcry_keccak_absorb_lanes64_armv7_neon, keccak_permute64_armv7_neon)
(keccak_absorb_lanes64_armv7_neon, keccak_armv7_neon_64_ops): New.
(keccak_init) [USE_64BIT_ARM_NEON]: Select ARM/NEON implementation
if supported by HW.
* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Update
to use new round constant table.
* configure.ac: Add 'keccak-armv7-neon.lo'.
--

Patch adds ARMv7/NEON implementation of Keccak (SHAKE/SHA3). Patch
is based on public-domain implementation by Ronny Van Keer from
SUPERCOP package:
 https://github.com/floodyberry/supercop/blob/master/crypto_hash/\
keccakc1024/inplace-armv7a-neon/keccak2.s

Benchmark results on Cortex-A8 @ 1008 Mhz:

Before (generic 32-bit bit-interleaved impl.):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHAKE128       |     83.00 ns/B     11.49 MiB/s     83.67 c/B
 SHAKE256       |     101.7 ns/B      9.38 MiB/s     102.5 c/B
 SHA3-224       |     96.13 ns/B      9.92 MiB/s     96.90 c/B
 SHA3-256       |     101.5 ns/B      9.40 MiB/s     102.3 c/B
 SHA3-384       |     131.4 ns/B      7.26 MiB/s     132.5 c/B
 SHA3-512       |     189.1 ns/B      5.04 MiB/s     190.6 c/B

After (ARM/NEON, ~3.2x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHAKE128       |     25.09 ns/B     38.01 MiB/s     25.29 c/B
 SHAKE256       |     30.95 ns/B     30.82 MiB/s     31.19 c/B
 SHA3-224       |     29.24 ns/B     32.61 MiB/s     29.48 c/B
 SHA3-256       |     30.95 ns/B     30.82 MiB/s     31.19 c/B
 SHA3-384       |     40.42 ns/B     23.59 MiB/s     40.74 c/B
 SHA3-512       |     58.37 ns/B     16.34 MiB/s     58.84 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoOptimize Keccak 64-bit absorb functions
Jussi Kivilinna [Sat, 31 Oct 2015 19:29:56 +0000 (21:29 +0200)]
Optimize Keccak 64-bit absorb functions

* cipher/keccak.c [USE_64BIT] [__x86_64__] (absorb_lanes64_8)
(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
* cipher/keccak.c [USE_64BIT] [!__x86_64__] (absorb_lanes64_8)
(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
[USE_64BIT] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
[USE_64BIT] (keccak_absorb_lanes64): Remove.
[USE_64BIT_SHLD] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
[USE_64BIT_SHLD] (keccak_absorb_lanes64_shld): Remove.
[USE_64BIT_BMI2] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
[USE_64BIT_BMI2] (keccak_absorb_lanes64_bmi2): Remove.
* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): New.
--

Optimize 64-bit absorb functions for small speed-up. After this
change, 64-bit BMI2 implementation matches speed of fastest results
from SUPERCOP for Intel Haswell CPUs (long messages).

Benchmark on Intel Haswell @ 3.2 Ghz:

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHAKE128       |      2.32 ns/B     411.7 MiB/s      7.41 c/B
 SHAKE256       |      2.84 ns/B     336.2 MiB/s      9.08 c/B
 SHA3-224       |      2.69 ns/B     354.9 MiB/s      8.60 c/B
 SHA3-256       |      2.84 ns/B     336.0 MiB/s      9.08 c/B
 SHA3-384       |      3.69 ns/B     258.4 MiB/s     11.81 c/B
 SHA3-512       |      5.30 ns/B     179.9 MiB/s     16.97 c/B

After:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHAKE128       |      2.27 ns/B     420.6 MiB/s      7.26 c/B
 SHAKE256       |      2.79 ns/B     341.4 MiB/s      8.94 c/B
 SHA3-224       |      2.64 ns/B     361.7 MiB/s      8.44 c/B
 SHA3-256       |      2.79 ns/B     341.5 MiB/s      8.94 c/B
 SHA3-384       |      3.65 ns/B     261.4 MiB/s     11.68 c/B
 SHA3-512       |      5.27 ns/B     181.0 MiB/s     16.87 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoEnable CRC test vectors with zero bytes
Jussi Kivilinna [Sat, 31 Oct 2015 18:19:59 +0000 (20:19 +0200)]
Enable CRC test vectors with zero bytes

* tests/basic.c (check_digests): Enable CRC test-vectors with zero
bytes.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoKeccak: Add SHAKE Extendable-Output Functions
Jussi Kivilinna [Sun, 25 Oct 2015 18:34:50 +0000 (20:34 +0200)]
Keccak: Add SHAKE Extendable-Output Functions

* src/hash-common.c (_gcry_hash_selftest_check_one): Add handling for
XOFs.
* src/keccak.c (keccak_ops_t): Rename 'extract_inplace' to 'extract'
and add 'pos' argument.
(KECCAK_CONTEXT): Add 'suffix'.
(keccak_extract_inplace64): Rename to...
(keccak_extract64): ...this; Add handling for 'pos' argument.
(keccak_extract_inplace32bi): Rename to...
(keccak_extract32bi): ...this; Add handling for 'pos' argument.
(keccak_extract_inplace64): Rename to...
(keccak_extract64): ...this; Add handling for 'pos' argument.
(keccak_extract_inplace32bi_bmi2): Rename to...
(keccak_extract32bi_bmi2): ...this; Add handling for 'pos' argument.
(keccak_init): Setup 'suffix'; add SHAKE128 & SHAKE256.
(shake128_init, shake256_init): New.
(keccak_final): Do not initial permute for SHAKE output; use correct
suffix for SHAKE.
(keccak_extract): New.
(keccak_selftests_keccak): Add SHAKE128 & SHAKE256 test-vectors.
(run_selftests): Add SHAKE128 & SHAKE256.
(shake128_asn, oid_spec_shake128, shake256_asn, oid_spec_shake256)
(_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): New.
* cipher/md.c (digest_list): Add SHAKE128 & SHAKE256.
* doc/gcrypt.texi: Ditto.
* src/cipher.h (_gcry_digest_spec_shake128)
(_gcry_digest_spec_shake256): New.
* src/gcrypt.h.in (GCRY_MD_SHAKE128, GCRY_MD_SHAKE256): New.
* tests/basic.c (check_one_md): Add XOF check; Add 'elen' argument.
(check_one_md_multi): Skip if algo is XOF.
(check_digests): Add SHAKE128 & SHAKE256 test vectors.
* tests/bench-slope.c (kdf_bench_one): Skip XOFs.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoFew updates to documentation
Jussi Kivilinna [Sun, 25 Oct 2015 16:57:15 +0000 (18:57 +0200)]
Few updates to documentation

* doc/gcrypt.text: Add mention of new 'intel-fast-shld' hw feature
flag; Add mention of x86 RDRAND support in rndhw.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoAdd HMAC-SHA3 test vectors
Jussi Kivilinna [Sun, 25 Oct 2015 15:59:33 +0000 (17:59 +0200)]
Add HMAC-SHA3 test vectors

* tests/basic.c (check_mac): Add HMAC_SHA3 test vectors.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agomd: add variable length output interface
Jussi Kivilinna [Sun, 25 Oct 2015 12:50:41 +0000 (14:50 +0200)]
md: add variable length output interface

* cipher/crc.c (_gcry_digest_spec_crc32)
(_gcry_digest_spec_crc32_rfc1510, _gcry_digest_spec_crc24_rfc2440): Set
'extract' NULL.
* cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_94)
(_gcry_digest_spec_gost3411_cp): Ditto.
* cipher/keccak.c (_gcry_digest_spec_sha3_224)
(_gcry_digest_spec_sha3_256, _gcry_digest_spec_sha3_384)
(_gcry_digest_spec_sha3_512): Ditto.
* cipher/md2.c (_gcry_digest_spec_md2): Ditto.
* cipher/md4.c (_gcry_digest_spec_md4): Ditto.
* cipher/md5.c (_gcry_digest_spec_md5): Ditto.
* cipher/rmd160.c (_gcry_digest_spec_rmd160): Ditto.
* cipher/sha1.c (_gcry_digest_spec_sha1): Ditto.
* cipher/sha256.c (_gcry_digest_spec_sha224)
(_gcry_digest_spec_sha256): Ditto.
* cipher/sha512.c (_gcry_digest_spec_sha384)
(_gcry_digest_spec_sha512): Ditto.
* cipher/stribog.c (_gcry_digest_spec_stribog_256)
(_gcry_digest_spec_stribog_512): Ditto.
* cipher/tiger.c (_gcry_digest_spec_tiger)
(_gcry_digest_spec_tiger1, _gcry_digest_spec_tiger2): Ditto.
* cipher/whirlpool.c (_gcry_digest_spec_whirlpool): Ditto.
* cipher/md.c (md_enable): Do not allow combination of HMAC and
'expandable-output function'.
(md_final): Check if spec->read is NULL before calling.
(md_read): Ditto.
(md_extract, _gcry_md_extract): New.
* doc/gcrypt.texi: Add SHA3 algorithms and gcry_md_extract.
* src/cipher-proto.h (gcry_md_extract_t): New.
(gcry_md_spec_t): Add 'extract'.
* src/gcrypt-int.g (_gcry_md_extract): New.
* src/gcrypt.h.in (gcry_md_extract): New.
* src/libgcrypt.def: Add gcry_md_extract.
* src/libgcrypt.vers: Add gcry_md_extract.
* src/visibility.c (gcry_md_extract): New.
* src/visibility.h (gcry_md_extract): New.
--

Patch adds new interface for reading output from 'expandable-output
function' MD algorithms that can give variable length output (ie.
SHAKE algorithms from FIPS-202). New function to read output is

 gpg_error_t gcry_md_extract(gcry_md_hd_t md, int algo,
     void *buffer, size_t length);

The function implicitly finalizes the algorithm so that no new input can
be given.  Subsequent calls of the function return more output
bytes from the algorithm.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agomd: check hmac flag in prepare_macpads
Jussi Kivilinna [Sun, 25 Oct 2015 13:11:14 +0000 (15:11 +0200)]
md: check hmac flag in prepare_macpads

* cipher/md.c (prepare_macpads): Check hmac flag.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agokeccak: rewrite for improved performance
Jussi Kivilinna [Fri, 23 Oct 2015 19:30:48 +0000 (22:30 +0300)]
keccak: rewrite for improved performance

* cipher/Makefile.am: Add 'keccak_permute_32.h' and
'keccak_permute_64.h'.
* cipher/hash-common.h [USE_SHA3] (MD_BLOCK_MAX_BLOCKSIZE): Remove.
* cipher/keccak.c (USE_64BIT, USE_32BIT, USE_64BIT_BMI2)
(USE_64BIT_SHLD, USE_32BIT_BMI2, NEED_COMMON64, NEED_COMMON32BI)
(keccak_ops_t): New.
(KECCAK_STATE): Add 'state64' and 'state32bi' members.
(KECCAK_CONTEXT): Remove 'bctx'; add 'blocksize', 'count' and 'ops'.
(rol64, keccak_f1600_state_permute): Remove.
[NEED_COMMON64] (round_consts_64bit, keccak_extract_inplace64): New.
[NEED_COMMON32BI] (round_consts_32bit, keccak_extract_inplace32bi)
(keccak_absorb_lane32bi): New.
[USE_64BIT] (ANDN64, ROL64, keccak_f1600_state_permute64)
(keccak_absorb_lanes64, keccak_generic64_ops): New.
[USE_64BIT_SHLD] (ANDN64, ROL64, keccak_f1600_state_permute64_shld)
(keccak_absorb_lanes64_shld, keccak_shld_64_ops): New.
[USE_64BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute64_bmi2)
(keccak_absorb_lanes64_bmi2, keccak_bmi2_64_ops): New.
[USE_32BIT] (ANDN64, ROL64, keccak_f1600_state_permute32bi)
(keccak_absorb_lanes32bi, keccak_generic32bi_ops): New.
[USE_32BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute32bi_bmi2)
(pext, pdep, keccak_absorb_lane32bi_bmi2, keccak_absorb_lanes32bi_bmi2)
(keccak_extract_inplace32bi_bmi2, keccak_bmi2_32bi_ops): New.
(keccak_write): New.
(keccak_init): Adjust to KECCAK_CONTEXT changes; add implementation
selection based on HWF features.
(keccak_final): Adjust to KECCAK_CONTEXT changes; use selected 'ops'
for state manipulation.
(keccak_read): Adjust to KECCAK_CONTEXT changes.
(_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
(_gcry_digest_spec_sha3_348, _gcry_digest_spec_sha3_512): Use
'keccak_write' instead of '_gcry_md_block_write'.
* cipher/keccak_permute_32.h: New.
* cipher/keccak_permute_64.h: New.
--

Patch adds new generic 64-bit and 32-bit implementations and
optimized implementations for SHA3:
 - Generic 64-bit implementation based on 'simple' implementation
   from SUPERCOP package.
 - Generic 32-bit bit-interleaved implementation based on
   'simple32bi' implementation from SUPERCOP package.
 - Intel BMI2 optimized variants of 64-bit and 32-bit BI
   implementations.
 - Intel SHLD optimized variant of 64-bit implementation.

Patch also makes proper use of sponge construction to avoid
use of an additional input buffer.

Below are bench-slope benchmarks for new 64-bit implementations
made on Intel Core i5-4570 (no turbo, 3.2 Ghz, gcc-4.9.2).

Before (amd64):

 SHA3-224       |      3.92 ns/B     243.2 MiB/s     12.55 c/B
 SHA3-256       |      4.15 ns/B     230.0 MiB/s     13.27 c/B
 SHA3-384       |      5.40 ns/B     176.6 MiB/s     17.29 c/B
 SHA3-512       |      7.77 ns/B     122.7 MiB/s     24.87 c/B

After (generic 64-bit, amd64, 1.10x faster):

 SHA3-224       |      3.57 ns/B     267.4 MiB/s     11.42 c/B
 SHA3-256       |      3.77 ns/B     252.8 MiB/s     12.07 c/B
 SHA3-384       |      4.91 ns/B     194.1 MiB/s     15.72 c/B
 SHA3-512       |      7.06 ns/B     135.0 MiB/s     22.61 c/B

After (Intel SHLD 64-bit, amd64, 1.13x faster):

 SHA3-224       |      3.48 ns/B     273.7 MiB/s     11.15 c/B
 SHA3-256       |      3.68 ns/B     258.9 MiB/s     11.79 c/B
 SHA3-384       |      4.80 ns/B     198.7 MiB/s     15.36 c/B
 SHA3-512       |      6.89 ns/B     138.4 MiB/s     22.05 c/B

After (Intel BMI2 64-bit, amd64, 1.45x faster):

 SHA3-224       |      2.71 ns/B     352.1 MiB/s      8.67 c/B
 SHA3-256       |      2.86 ns/B     333.2 MiB/s      9.16 c/B
 SHA3-384       |      3.72 ns/B     256.2 MiB/s     11.91 c/B
 SHA3-512       |      5.34 ns/B     178.5 MiB/s     17.10 c/B

Benchmarks of new 32-bit implementations on Intel Core i5-4570
(no turbo, 3.2 Ghz, gcc-4.9.2):

Before (win32):

 SHA3-224       |     12.05 ns/B     79.16 MiB/s     38.56 c/B
 SHA3-256       |     12.75 ns/B     74.78 MiB/s     40.82 c/B
 SHA3-384       |     16.63 ns/B     57.36 MiB/s     53.22 c/B
 SHA3-512       |     23.97 ns/B     39.79 MiB/s     76.72 c/B

After (generic 32-bit BI, win32, 1.23x to 1.29x faster):

 SHA3-224       |      9.76 ns/B     97.69 MiB/s     31.25 c/B
 SHA3-256       |     10.27 ns/B     92.82 MiB/s     32.89 c/B
 SHA3-384       |     13.22 ns/B     72.16 MiB/s     42.31 c/B
 SHA3-512       |     18.65 ns/B     51.13 MiB/s     59.70 c/B

After (Intel BMI2 32-bit BI, win32, 1.66x to 1.70x faster):

 SHA3-224       |      7.26 ns/B     131.4 MiB/s     23.23 c/B
 SHA3-256       |      7.65 ns/B     124.7 MiB/s     24.47 c/B
 SHA3-384       |      9.87 ns/B     96.67 MiB/s     31.58 c/B
 SHA3-512       |     14.05 ns/B     67.85 MiB/s     44.99 c/B

Benchmarks of new 32-bit implementation on ARM Cortex-A8
(1008 Mhz, gcc-4.9.1):

Before:

 SHA3-224       |     148.6 ns/B      6.42 MiB/s     149.8 c/B
 SHA3-256       |     157.2 ns/B      6.07 MiB/s     158.4 c/B
 SHA3-384       |     205.3 ns/B      4.65 MiB/s     206.9 c/B
 SHA3-512       |     296.3 ns/B      3.22 MiB/s     298.6 c/B

After (1.56x faster):

 SHA3-224       |     96.12 ns/B      9.92 MiB/s     96.89 c/B
 SHA3-256       |     101.5 ns/B      9.40 MiB/s     102.3 c/B
 SHA3-384       |     131.4 ns/B      7.26 MiB/s     132.5 c/B
 SHA3-512       |     188.2 ns/B      5.07 MiB/s     189.7 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agohwf-x86: add detection for Intel CPUs with fast SHLD instruction
Jussi Kivilinna [Fri, 23 Oct 2015 19:39:47 +0000 (22:39 +0300)]
hwf-x86: add detection for Intel CPUs with fast SHLD instruction

* cipher/sha1.c (sha1_init): Use HWF_INTEL_FAST_SHLD instead of
HWF_INTEL_CPU.
* cipher/sha256.c (sha256_init, sha224_init): Ditto.
* cipher/sha512.c (sha512_init, sha384_init): Ditto.
* src/g10lib.h (HWF_INTEL_FAST_SHLD): New.
(HWF_INTEL_BMI2, HWF_INTEL_SSSE3, HWF_INTEL_PCLMUL, HWF_INTEL_AESNI)
(HWF_INTEL_RDRAND, HWF_INTEL_AVX, HWF_INTEL_AVX2)
(HWF_ARM_NEON): Update.
* src/hwf-x86.c (detect_x86_gnuc): Add detection of Intel Core
CPUs with fast SHLD/SHRD instruction.
* src/hwfeatures.c (hwflist): Add "intel-fast-shld".
--

Intel Core CPUs since codename sandy-bridge have been able to
execute SHLD/SHRD instructions faster than rotate instructions
ROL/ROR. Since SHLD/SHRD can be used to do rotation, some
optimized implementations (SHA1/SHA256/SHA512) use SHLD/SHRD
instructions in-place of ROL/ROR.

This patch provides more accurate detection of CPUs with
fast SHLD implementation.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agoFix OCB amd64 assembly implementations for x32
Jussi Kivilinna [Sat, 24 Oct 2015 09:41:23 +0000 (12:41 +0300)]
Fix OCB amd64 assembly implementations for x32

* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
(_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
(_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
(_gcry_camellia_aesni_avx2_ocb_auth, _gcry_camellia_ocb_crypt)
(_gcry_camellia_ocb_auth): Change 'Ls' from pointer array to u64 array.
* cipher/serpent.c (_gcry_serpent_sse2_ocb_enc)
(_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth)
(_gcry_serpent_avx2_ocb_enc, _gcry_serpent_avx2_ocb_dec)
(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Ditto.
* cipher/twofish.c (_gcry_twofish_amd64_ocb_enc)
(_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth)
(twofish_amd64_ocb_enc, twofish_amd64_ocb_dec, twofish_amd64_ocb_auth)
(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Ditto.
--

Pointers on x32 are 32-bit, but amd64 assembly implementations
expect 64-bit pointers. Pass the 'Ls' array as 64-bit integers so
that input arrays have the correct format for assembly functions.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years agobench-slope: add KDF/PBKDF2 benchmark
Jussi Kivilinna [Fri, 23 Oct 2015 19:24:47 +0000 (22:24 +0300)]
bench-slope: add KDF/PBKDF2 benchmark

* tests/bench-slope.c (bench_kdf_mode, bench_kdf_init, bench_kdf_free)
(bench_kdf_do_bench, kdf_ops, kdf_bench_one, kdf_bench): New.
(print_help): Add 'kdf'.
(main): Add KDF benchmarks.
--

Introduce KDF benchmarking to bench-slope. Output is given as
nanosecs/iter (and cycles/iter if --cpu-mhz is used). Only PBKDF2
is supported with this initial patch.

For example, below is the output of KDF bench-slope before
and after commit "md: keep contexts for HMAC in GcryDigestEntry",
on Intel Core i5-4570 @ 3.2 Ghz:

Before:

$ tests/bench-slope --cpu-mhz 3201 kdf
KDF:
                          |  nanosecs/iter   cycles/iter
 PBKDF2-HMAC-MD5          |          882.4        2824.7
 PBKDF2-HMAC-SHA1         |          832.6        2665.0
 PBKDF2-HMAC-RIPEMD160    |         1148.3        3675.6
 PBKDF2-HMAC-TIGER192     |         1339.6        4288.2
 PBKDF2-HMAC-SHA256       |         1460.5        4675.1
 PBKDF2-HMAC-SHA384       |         1723.2        5515.8
 PBKDF2-HMAC-SHA512       |         1729.1        5534.7
 PBKDF2-HMAC-SHA224       |         1424.0        4558.3
 PBKDF2-HMAC-WHIRLPOOL    |         2459.7        7873.5
 PBKDF2-HMAC-TIGER        |         1350.2        4322.1
 PBKDF2-HMAC-TIGER2       |         1348.7        4317.3
 PBKDF2-HMAC-GOSTR3411_94 |         7374.1       23604.4
 PBKDF2-HMAC-STRIBOG256   |         6060.0       19398.1
 PBKDF2-HMAC-STRIBOG512   |         7512.8       24048.3
 PBKDF2-HMAC-GOSTR3411_CP |         7378.3       23618.0
 PBKDF2-HMAC-SHA3-224     |         2789.6        8929.5
 PBKDF2-HMAC-SHA3-256     |         2785.1        8915.0
 PBKDF2-HMAC-SHA3-384     |         2955.5        9460.5
 PBKDF2-HMAC-SHA3-512     |         2859.7        9153.9
                          =

After:

$ tests/bench-slope --cpu-mhz 3201 kdf
KDF:
                          |  nanosecs/iter   cycles/iter
 PBKDF2-HMAC-MD5          |          405.9        1299.2
 PBKDF2-HMAC-SHA1         |          392.1        1255.0
 PBKDF2-HMAC-RIPEMD160    |          540.9        1731.5
 PBKDF2-HMAC-TIGER192     |          637.1        2039.4
 PBKDF2-HMAC-SHA256       |          691.8        2214.3
 PBKDF2-HMAC-SHA384       |          848.0        2714.3
 PBKDF2-HMAC-SHA512       |          875.7        2803.1
 PBKDF2-HMAC-SHA224       |          689.2        2206.0
 PBKDF2-HMAC-WHIRLPOOL    |         1535.6        4915.5
 PBKDF2-HMAC-TIGER        |          636.3        2036.7
 PBKDF2-HMAC-TIGER2       |          636.6        2037.7
 PBKDF2-HMAC-GOSTR3411_94 |         5311.5       17002.2
 PBKDF2-HMAC-STRIBOG256   |         4308.0       13790.0
 PBKDF2-HMAC-STRIBOG512   |         5767.4       18461.4
 PBKDF2-HMAC-GOSTR3411_CP |         5309.4       16995.4
 PBKDF2-HMAC-SHA3-224     |         1333.1        4267.2
 PBKDF2-HMAC-SHA3-256     |         1327.8        4250.4
 PBKDF2-HMAC-SHA3-384     |         1392.8        4458.3
 PBKDF2-HMAC-SHA3-512     |         1428.5        4572.7
                          =

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago  md: keep contexts for HMAC in GcryDigestEntry.
NIIBE Yutaka [Thu, 22 Oct 2015 00:58:24 +0000 (09:58 +0900)]
md: keep contexts for HMAC in GcryDigestEntry.

* cipher/md.c (struct gcry_md_context): Add flags.hmac.
Remove macpads and mcpads_Bsize.
(md_open): Initialize flags.hmac.  Remove macpads initialization.
(md_enable): Allocate contexts when flags.hmac is enabled.
(md_copy): Remove macpads copying.  Add copying contexts.
(_gcry_md_reset): When flags.hmac is enabled, restore precomputed
context with input pad.
(md_close): Remove macpads wiping.
(md_final): When flags.hmac is enabled, compute hmac by precomputed
context with output pad.
(prepare_macpads): Prepare precomputed contexts with input pad and
output pad for each registered digest entry.
(_gcry_md_setkey): Just call prepare_macpads.

--

This change is making things straight in HMAC computation.  This makes
HMAC computation allow multiple algorithms in future.

Libgcrypt's code has a potential to compute digests for multiple
algorithms at once (currently, it's not enabled).  HMAC code didn't
work well with multiple algorithms, because the macpads were only
allocated for an algorithm.  Now, it's allocated for each algorithm.

We now precompute hash contexts, instead of keeping input pad and
output pad.  This can be a performance improvement, which is described
in RFC 2104.

Thanks to:

   Andrea Visconti, Simone Bossi, Hany Ragab and Alexandro Calò

For the discussion and their paper of CANS2015, which is titled:

   On the weaknesses of PBKDF2
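The two commits above describe the same optimisation from both ends: the bench-slope numbers show PBKDF2 cost per iteration roughly halving, and the md.c change explains why, because each HMAC call no longer re-hashes the padded key but starts from a saved context (RFC 2104, section 4). The following is an added illustration, not libgcrypt code and not from either commit's author, written against Python's hashlib rather than the gcry_md API. It builds the inner and outer contexts once per key, clones them for every HMAC invocation, and uses that HMAC inside a PBKDF2 loop; the function names and the use of `.copy()` to stand in for libgcrypt's md_copy are this example's own choices.

```python
import hashlib
import struct

IPAD = 0x36
OPAD = 0x5C


def hmac_precomputed_contexts(key: bytes, hash_name: str = "sha256"):
    """Build the two RFC 2104 contexts once: H(key ^ ipad) and H(key ^ opad).

    This is the work the md.c commit moves into prepare_macpads(): after this
    call every HMAC over the same key only hashes the message itself.
    """
    h = hashlib.new(hash_name)
    block_size = h.block_size
    # RFC 2104: keys longer than the block size are first hashed down.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")

    inner = hashlib.new(hash_name)
    inner.update(bytes(b ^ IPAD for b in key))
    outer = hashlib.new(hash_name)
    outer.update(bytes(b ^ OPAD for b in key))
    return inner, outer


def hmac_from_contexts(inner, outer, msg: bytes) -> bytes:
    """HMAC(key, msg) using saved contexts; .copy() plays the role of md_copy()."""
    i = inner.copy()          # restore the precomputed input-pad state
    i.update(msg)
    o = outer.copy()          # restore the precomputed output-pad state
    o.update(i.digest())
    return o.digest()


def hmac_naive(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Textbook HMAC that re-hashes both pads on every call (the 'before' shape)."""
    inner, outer = hmac_precomputed_contexts(key, hash_name)
    inner.update(msg)
    outer.update(inner.digest())
    return outer.digest()


def pbkdf2_precomputed(password: bytes, salt: bytes, iterations: int,
                       dklen: int, hash_name: str = "sha256") -> bytes:
    """PBKDF2 (RFC 8018) whose inner PRF reuses the two saved HMAC contexts.

    With `iterations` HMAC calls per output block, skipping the two pad
    compressions per call is what the bench-slope table above measures.
    """
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    inner, outer = hmac_precomputed_contexts(password, hash_name)
    out = bytearray()
    block_index = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(i)); T_i = U_1 xor U_2 xor ... xor U_c
        u = hmac_from_contexts(inner, outer, salt + struct.pack(">I", block_index))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac_from_contexts(inner, outer, u)
            for j, byte in enumerate(u):
                t[j] ^= byte
        out += t
        block_index += 1
    return bytes(out[:dklen])


if __name__ == "__main__":
    # Constructed sample inputs, not test vectors from the page.
    key, msg = b"constructed-key", b"constructed message"
    inner, outer = hmac_precomputed_contexts(key)
    assert hmac_from_contexts(inner, outer, msg) == hmac_naive(key, msg)
    dk = pbkdf2_precomputed(b"password", b"salt", 4096, 32)
    assert dk == hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 4096, 32)
    print("precomputed-context HMAC and PBKDF2 agree with hashlib:", dk.hex())
```

The saved-context form is also what makes the "On the weaknesses of PBKDF2" observation concrete: a verifier who keeps the contexts pays two compressions less per iteration than one who does not, and since the iteration count is chosen from the cost a legitimate login can afford, any implementation that does not take this shortcut is effectively running at a lower work factor than it thinks.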

3 years ago  Fix double free on error.
NIIBE Yutaka [Thu, 15 Oct 2015 02:28:54 +0000 (11:28 +0900)]
Fix double free on error.

* src/hmac256.c (_gcry_hmac256_finalize): Don't free HD.

3 years ago  Fix gpg_error_t and gpg_err_code_t confusion.
NIIBE Yutaka [Wed, 14 Oct 2015 02:52:40 +0000 (11:52 +0900)]
Fix gpg_error_t and gpg_err_code_t confusion.

* src/gcrypt-int.h (_gcry_sexp_extract_param): Revert the change.
* cipher/dsa.c (dsa_check_secret_key): Ditto.
* src/sexp.c (_gcry_sexp_extract_param): Return gpg_err_code_t.

* src/gcrypt-int.h (_gcry_err_make_from_errno)
(_gcry_error_from_errno): Return gpg_error_t.
* cipher/cipher.c (_gcry_cipher_open_internal)
(_gcry_cipher_ctl, _gcry_cipher_ctl): Don't use gcry_error.
* src/global.c (_gcry_vcontrol): Likewise.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Use
 gpg_err_code_from_syserror.
* cipher/mac.c (mac_reset, mac_setkey, mac_setiv, mac_write)
(mac_read, mac_verify): Return gcry_err_code_t.
* cipher/rsa-common.c (mgf1): Use gcry_err_code_t for ERR.
* src/visibility.c (gcry_error_from_errno): Return gpg_error_t.

--

Revert a part of 73374fdd and fix the _gcry_sexp_extract_param
return type instead.

Fix similar coding mistakes throughout.

3 years ago  Fix compiling AES/AES-NI implementation on linux-i386
Jussi Kivilinna [Tue, 13 Oct 2015 05:33:00 +0000 (08:33 +0300)]
Fix compiling AES/AES-NI implementation on linux-i386

* cipher/rijndael-aesni.c (do_aesni_ctr_4): Split the assembly block in
two parts to reduce the number of register constraints needed.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago  Fix declaration of return type.
NIIBE Yutaka [Tue, 13 Oct 2015 03:28:00 +0000 (12:28 +0900)]
Fix declaration of return type.

* src/gcrypt-int.h (_gcry_sexp_extract_param): Return gpg_error_t.
* cipher/dsa.c (dsa_generate): Fix call to _gcry_sexp_extract_param.
* src/g10lib.h (_gcry_vcontrol): Return gcry_err_code_t.
* src/visibility.c (gcry_mpi_snatch): Fix call to _gcry_mpi_snatch.

--

GnuPG-bug-id: 2074

3 years ago  Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls.
Werner Koch [Mon, 7 Sep 2015 12:02:09 +0000 (14:02 +0200)]
Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls.

* src/secmem.c (lock_pool, secmem_init): Do not call any cap_
functions if NO_PRIV_DROP is set.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  w32: Avoid a few compiler warnings.
Werner Koch [Fri, 4 Sep 2015 10:39:56 +0000 (12:39 +0200)]
w32: Avoid a few compiler warnings.

* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Mark variable
as unused.
* random/rndw32.c (slow_gatherer): Avoid signed pointer mismatch
warning.
* src/secmem.c (init_pool): Avoid unused variable warning.
* tests/random.c (writen, readn): Include only if needed.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  w32: Fix alignment problem with AESNI on Windows >= 8
Werner Koch [Fri, 4 Sep 2015 10:32:16 +0000 (12:32 +0200)]
w32: Fix alignment problem with AESNI on Windows >= 8

* cipher/cipher-selftest.c (_gcry_cipher_selftest_alloc_ctx): New.
* cipher/rijndael.c (selftest_basic_128, selftest_basic_192)
(selftest_basic_256): Allocate context on the heap.
--

The stack alignment on Windows changed and because ld seems to limit
stack variables to an 8-byte alignment (we request 16), we get bus
errors from the selftests if AESNI is in use.

GnuPG-bug-id: 2085
Signed-off-by: Werner Koch <wk@gnupg.org>