libgcrypt.git
[21 months ago] Release 1.8.0 (tag: libgcrypt-1.8.0)
Werner Koch [Tue, 18 Jul 2017 14:13:18 +0000 (16:13 +0200)]
Release 1.8.0

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] build: Remove the configure run notice on EGD.
Werner Koch [Tue, 18 Jul 2017 12:57:36 +0000 (14:57 +0200)]
build: Remove the configure run notice on EGD.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] mac: Add selftests for HMAC-SHA3-xxx.
Werner Koch [Tue, 18 Jul 2017 12:11:26 +0000 (14:11 +0200)]
mac: Add selftests for HMAC-SHA3-xxx.

* cipher/hmac-tests.c (check_one): Add arg trunc and change all
callers to pass false.
(selftests_sha3): New.
(run_selftests): Call new selftests.

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] api: New function gcry_mpi_point_copy.
Werner Koch [Tue, 18 Jul 2017 08:16:07 +0000 (10:16 +0200)]
api: New function gcry_mpi_point_copy.

* src/gcrypt.h.in (gcry_mpi_point_copy): New.
(mpi_point_copy): New macro.
* src/visibility.c (gcry_mpi_point_copy): New.
* src/libgcrypt.def, src/libgcrypt.vers: Add function.
* mpi/ec.c (_gcry_mpi_point_copy): New.
* tests/t-mpi-point.c (set_get_point): Add test.

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] build: Bump LT version to C22/A2/R0.
Werner Koch [Mon, 17 Jul 2017 12:04:30 +0000 (14:04 +0200)]
build: Bump LT version to C22/A2/R0.

--

This is required to allow installation of 1.7 and 1.8.

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] random: Minor fix for getting the rndjent version.
Werner Koch [Mon, 17 Jul 2017 10:34:13 +0000 (12:34 +0200)]
random: Minor fix for getting the rndjent version.

* random/rndjent.c (_gcry_rndjent_get_version): Always set R_ACTIVE.
* tests/version.c (test_get_config): Check number of fields for
rng-type.

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] mpi: Minor fix of mpi_pow.
NIIBE Yutaka [Fri, 7 Jul 2017 05:48:17 +0000 (14:48 +0900)]
mpi: Minor fix of mpi_pow.

* mpi/mpi-pow.c (_gcry_mpi_powm): Allocate size fix.

--

The same thing as in 619ebae9847831f43314a95cc3180f4b329b4d3b applied.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
[21 months ago] mpi: Fix mpi_pow alternative implementation.
NIIBE Yutaka [Fri, 7 Jul 2017 03:00:03 +0000 (12:00 +0900)]
mpi: Fix mpi_pow alternative implementation.

* mpi/mpi-pow.c
  [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm): Use
  mpi_set_cond.

--

Limbs of RES may be allocated more before the call of mpi_pow,
but it only uses the space of SIZE.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
[21 months ago] Fix mpi_pow alternative implementation.
NIIBE Yutaka [Fri, 7 Jul 2017 02:39:09 +0000 (11:39 +0900)]
Fix mpi_pow alternative implementation.

* mpi/mpi-pow.c [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm):
Allocate size fix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
[21 months ago] Update NEWS
Werner Koch [Thu, 6 Jul 2017 08:26:24 +0000 (10:26 +0200)]
Update NEWS

--

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] rsa: Use modern MPI allocation function.
Werner Koch [Thu, 29 Jun 2017 06:31:27 +0000 (08:31 +0200)]
rsa: Use modern MPI allocation function.

* cipher/rsa.c (secret_core_crt): Use modern function _gcry_mpi_snew.
--

Eventually we want to get rid of the notion of limb sizes in MPI-using
code.  Thus it is better to use the modern function/macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] build: Minor API fixes to fix build problems on AIX.
Werner Koch [Wed, 5 Jul 2017 18:10:56 +0000 (20:10 +0200)]
build: Minor API fixes to fix build problems on AIX.

* src/gcrypt.h.in (gcry_error_from_errno): Fix return type.
* src/visibility.c (gcry_md_extract): Change return type to match the
prototype.
--

The IBM compiler optimizes enums and thus enums may be shorter than an
unsigned int.  Thus an

  assert (sizeof (gpg_error_t) == sizeof (gpg_err_code_t));

would fail.  The details seem to depend on the passed compiler options,
which explains that it has only been reported now.

GnuPG-bug-id: 3256
Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] tools: Add left shift to mpicalc.
Werner Koch [Wed, 5 Jul 2017 18:05:41 +0000 (20:05 +0200)]
tools: Add left shift to mpicalc.

* src/mpicalc.c (do_lshift): New.
(main): Handle '<'.

Signed-off-by: Werner Koch <wk@gnupg.org>
[21 months ago] mpi: Fix mpi_set_secure.
NIIBE Yutaka [Tue, 4 Jul 2017 00:33:46 +0000 (09:33 +0900)]
mpi: Fix mpi_set_secure.

* mpi/mpiutil.c (mpi_set_secure): Allocate by ->alloced.

--

The code was simply wrong.  The question is if (1) it allocates
(possibly) more or (2) modifies ->alloced.  The choice is (1).

Because we have the routines mpi_set_cond and mpi_swap_cond, which
assume no change in the allocated length of limbs, no surprise is
better.  See _gcry_mpi_ec_mul_point for a concrete example of those
routines.  That's for constant-time computation.

Debian-bug-id: 866964
Suggested-by: Mark Wooding <mdw@distorted.org.uk>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
[21 months ago] rsa: Add exponent blinding.
NIIBE Yutaka [Thu, 29 Jun 2017 02:11:37 +0000 (11:11 +0900)]
rsa: Add exponent blinding.

* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
nonce R for mpi_powm computation.

--

Co-authored-by: Werner Koch <wk@gnupg.org>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
The paper describing attack: https://eprint.iacr.org/2017/627

Sliding right into disaster: Left-to-right sliding windows leak
by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and
Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and
Christine van Vredendaal and Yuval Yarom

  It is well known that constant-time implementations of modular
  exponentiation cannot use sliding windows. However, software
  libraries such as Libgcrypt, used by GnuPG, continue to use sliding
  windows. It is widely believed that, even if the complete pattern of
  squarings and multiplications is observed through a side-channel
  attack, the number of exponent bits leaked is not sufficient to
  carry out a full key-recovery attack against RSA. Specifically,
  4-bit sliding windows leak only 40% of the bits, and 5-bit sliding
  windows leak only 33% of the bits.

  In this paper we demonstrate a complete break of RSA-1024 as
  implemented in Libgcrypt. Our attack makes essential use of the fact
  that Libgcrypt uses the left-to-right method for computing the
  sliding-window expansion. We show for the first time that the
  direction of the encoding matters: the pattern of squarings and
  multiplications in left-to-right sliding windows leaks significantly
  more information about exponent bits than for right-to-left. We show
  how to incorporate this additional information into the
  Heninger-Shacham algorithm for partial key reconstruction, and use
  it to obtain very efficient full key recovery for RSA-1024. We also
  provide strong evidence that the same attack works for RSA-2048 with
  only moderately more computation.

Exponent blinding is a kind of workaround to add noise.  The signal (leak)
is still there for a non-constant-time implementation.
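The countermeasure this commit describes, modelled as an added Python example (not libgcrypt code): a CRT RSA private operation whose per-prime exponents are blinded with a random nonce R, next to a simplified trace of the square/multiply sequence a left-to-right sliding window exposes. The toy primes, the 64-bit nonce size and the trace model are constructed assumptions.

```python
import secrets

# Constructed toy RSA key: small primes for illustration only.
P = 1000003
Q = 1000033
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def blind_exponent(d: int, prime: int, r: int) -> int:
    """Return d + r*(prime - 1).

    By Fermat's little theorem m^(prime-1) == 1 (mod prime), so
    m^(d + r*(prime-1)) == m^d (mod prime): the result is unchanged,
    but the exponent bit pattern seen by a side channel differs for
    every nonce r.
    """
    return d + r * (prime - 1)


def rsa_secret_crt(m: int, d: int, p: int, q: int, blind: bool = True,
                   nonce_bits: int = 64) -> int:
    """CRT RSA private-key operation, optionally with exponent blinding."""
    dp = d % (p - 1)
    dq = d % (q - 1)
    if blind:
        # Fresh nonces per call (assumed nonce size, constructed here).
        dp = blind_exponent(dp, p, secrets.randbits(nonce_bits))
        dq = blind_exponent(dq, q, secrets.randbits(nonce_bits))
    mp = pow(m, dp, p)
    mq = pow(m, dq, q)
    # Garner recombination: result == mp (mod p) and == mq (mod q).
    q_inv = pow(q, -1, p)
    h = (q_inv * (mp - mq)) % p
    return mq + h * q


def sliding_window_trace(e: int, w: int) -> str:
    """Sequence of squarings (S) and multiplications (M) performed by a
    left-to-right sliding-window exponentiation with window size w.

    Simplified model: squarings for the leading window are counted too.
    This S/M pattern is what the side channel in the cited paper observes.
    """
    bits = bin(e)[2:]
    trace = []
    i = 0
    while i < len(bits):
        if bits[i] == "0":
            trace.append("S")            # a zero bit costs one squaring
            i += 1
            continue
        # Window starts at a 1 bit, spans up to w bits, ends on a 1 bit.
        j = min(i + w, len(bits)) - 1
        while bits[j] == "0":
            j -= 1
        trace.extend("S" * (j - i + 1))  # one squaring per window bit
        trace.append("M")                # one multiply by a table entry
        i = j + 1
    return "".join(trace)


if __name__ == "__main__":
    dp = D % (P - 1)
    print("unblinded trace length:", len(sliding_window_trace(dp, 4)))
    blinded = blind_exponent(dp, P, secrets.randbits(64))
    print("blinded   trace length:", len(sliding_window_trace(blinded, 4)))
    assert rsa_secret_crt(42, D, P, Q) == pow(42, D, N)
```

The blinded operation returns the same value as the unblinded one, but its square/multiply sequence is longer and changes on every call, which is the "noise" the commit message refers to; an attacker who can time or trace the exponentiation precisely still sees a signal.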

[21 months ago] Same computation for square and multiply.
NIIBE Yutaka [Sat, 24 Jun 2017 11:46:20 +0000 (20:46 +0900)]
Same computation for square and multiply.

* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size.  Move
the assignment to base_u into the loop.  Copy content referred to by RP to
BASE_U except in the last iteration of the loop.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
[22 months ago] rsa: Minor refactoring.
Werner Koch [Sat, 24 Jun 2017 10:03:14 +0000 (12:03 +0200)]
rsa: Minor refactoring.

* cipher/rsa.c (secret): Factor code out to ...
(secret_core_std, secret_core_crt): new functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] random: Add missing dependency.
Werner Koch [Fri, 23 Jun 2017 07:34:35 +0000 (09:34 +0200)]
random: Add missing dependency.

* random/Makefile.am (EXTRA_librandom_la_SOURCES): Fix file name.
(rndjent.o, rndjent.lo): Depend on jitterentropy-base-user.h.
--

Fixes-commit: 8dfae89ecd3e9ae0967586cb38d12ef9111fc7cd
Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] random: Update jitterentropy to 2.1.0.
Werner Koch [Fri, 23 Jun 2017 07:11:47 +0000 (09:11 +0200)]
random: Update jitterentropy to 2.1.0.

* random/rndjent.c (jent_get_nstime, jent_zfree)
(jent_fips_enabled, jent_zalloc): Move functions and macros to ...
* random/jitterentropy-base-user.h: this file.   That file was not
used before.
* random/Makefile.am (EXTRA_librandom_la_SOURCES): Add
jitterentropy-base-user.
* random/jitterentropy-base.c: Update to version 2.1.0.
* random/jitterentropy.h: Ditto.
--

The files jitterentropy-base.c and jitterentropy.h are now verbatim
copies of the upstream source, using a private copy received prior to
a push to the upstream repo.  Though, 3 whitespace issues were fixed.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] api: New function gcry_get_config.
Werner Koch [Wed, 21 Jun 2017 07:29:09 +0000 (09:29 +0200)]
api: New function gcry_get_config.

* src/misc.c (_gcry_log_info_with_dummy_fp): Remove.
* src/global.c (print_config): New arg WHAT.  Remove arg FNC and use
gpgrt_fprintf directly.
(_gcry_get_config): New.
(_gcry_vcontrol) <GCRYCTL_PRINT_CONFIG>: Use _gcry_get_config instead
of print_config.
* src/gcrypt.h.in (gcry_get_config): New.
* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
* src/visibility.c (gcry_get_config): New.
* src/visibility.h: Mark new function.

* tests/version.c (test_get_config): New.
(main): Call new test.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] random: Allow building rndjent on non-x86.
Werner Koch [Wed, 21 Jun 2017 07:24:42 +0000 (09:24 +0200)]
random: Allow building rndjent on non-x86.

* random/jitterentropy-base.c (jent_version): Uncomment function.
* random/rndjent.c: Include time.h
(JENT_USES_RDTSC): New.
(JENT_USES_GETTIME): New.
(JENT_USES_READ_REAL_TIME): New.
(jent_get_nstime): Support clock_gettime and AIX specific
function.  Taken from Stephan Müller's code.
(is_rng_available): New.
(_gcry_rndjent_dump_stats): Use that function.
(_gcry_rndjent_poll): Use that function.  Allow an ADD of NULL for an
initialize-only mode.
(_gcry_rndjent_get_version): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] rijndael-padlock: change asm operands from read-only to read/write
Jussi Kivilinna [Sun, 18 Jun 2017 07:35:50 +0000 (10:35 +0300)]
rijndael-padlock: change asm operands from read-only to read/write

* cipher/rijndael-padlock.c (do_padlock): Change ESI/EDI/ECX to use
read/write operands as XCRYPT instruction modifies these registers.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[22 months ago] random: Make rndjent.c NTG.1 compliant.
Werner Koch [Fri, 16 Jun 2017 15:09:20 +0000 (17:09 +0200)]
random: Make rndjent.c NTG.1 compliant.

* random/rndjent.c (_gcry_rndjent_poll): Hash the retrieved jitter.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] md: Optimize gcry_md_hash_buffers for SHA-256 and SHA-512.
Werner Koch [Fri, 16 Jun 2017 14:53:33 +0000 (16:53 +0200)]
md: Optimize gcry_md_hash_buffers for SHA-256 and SHA-512.

* cipher/sha256.c (_gcry_sha256_hash_buffer): New.
(_gcry_sha256_hash_buffers): New.
* cipher/sha512.c (_gcry_sha512_hash_buffer): New.
(_gcry_sha512_hash_buffers): New.
* cipher/md.c (_gcry_md_hash_buffer): Optimize for SHA256 and SHA512.
(_gcry_md_hash_buffers): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] random: Allow building rndjent.c with stats collecting enabled.
Werner Koch [Fri, 16 Jun 2017 10:31:11 +0000 (12:31 +0200)]
random: Allow building rndjent.c with stats collecting enabled.

* random/rndjent.c: Change license to the one used by jitterentropy.h.
(jent_init_statistic): New.
(jent_bit_count): New.
(jent_statistic_copy_stat): new.
(jent_calc_statistic): New.
--

New code taken from Stephan's jitterentropy-stat.c.  This does now
build with CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT defined; not sure
whether this is already useful.  Changed the license due to the new
code.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] New global config option "only-urandom".
Werner Koch [Fri, 16 Jun 2017 09:55:50 +0000 (11:55 +0200)]
New global config option "only-urandom".

* random/rand-internal.h (RANDOM_CONF_ONLY_URANDOM): New.
* random/random.c (_gcry_random_read_conf): Add option "only-urandom".
* random/rndlinux.c (_gcry_rndlinux_gather_random): Implement that
option.
* tests/keygen.c (main): Add option --no-quick for better manual
tests.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] Implement global config file /etc/gcrypt/random.conf
Werner Koch [Fri, 16 Jun 2017 08:42:44 +0000 (10:42 +0200)]
Implement global config file /etc/gcrypt/random.conf

* src/hwfeatures.c (my_isascii): Move macro to ...
* src/g10lib.h: here.
* tests/random.c (main): Dump random stats.
* random/random.c (RANDOM_CONF_FILE): New.
(_gcry_random_read_conf): New.
(_gcry_random_dump_stats): Call rndjent stats.
* random/rndjent.c (jent_rng_totalcalls, jent_rng_totalbytes): New.
(_gcry_rndjent_poll): Take care of config option disable-jent.  Wipe
buffer.  Bump counters.
(_gcry_rndjent_dump_stats): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] random: Add jitter RND based entropy collector.
Werner Koch [Wed, 14 Jun 2017 12:03:05 +0000 (14:03 +0200)]
random: Add jitter RND based entropy collector.

* random/rndjent.c: New.
* random/rndlinux.c (_gcry_rndlinux_gather_random): Use rndjent.
* random/rndw32.c (_gcry_rndw32_gather_random): Use rndjent.
(slow_gatherer): Fix compiler warning.
* random/Makefile.am (librandom_la_SOURCES): Add rndjent.c
(EXTRA_librandom_la_SOURCES): Add jitterentropy-base.c and
jitterentropy.h.
(rndjent.o, rndjent.lo): New rules.
* configure.ac: New option --disable-jent-support
(ENABLE_JENT_SUPPORT): New ac-define.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] cipher: New helper function rol64.
Werner Koch [Wed, 14 Jun 2017 11:58:18 +0000 (13:58 +0200)]
cipher: New helper function rol64.

* cipher/bithelp.h (rol64): New inline function.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] New hardware feature flag HWF_INTEL_RDTSC.
Werner Koch [Wed, 14 Jun 2017 11:57:45 +0000 (13:57 +0200)]
New hardware feature flag HWF_INTEL_RDTSC.

* src/g10lib.h (HWF_INTEL_RDTSC): New.
* src/hwfeatures.c (hwflist): Add "intel-rdtsc".
* src/hwf-x86.c (detect_x86_gnuc): Get EDX features and test for TSC.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] random: Changes to original Jitter RNG implementation
Werner Koch [Wed, 14 Jun 2017 11:51:51 +0000 (13:51 +0200)]
random: Changes to original Jitter RNG implementation

* random/jitterentropy-base.c: Change double underscore symbols and
make all functions static.
* random/jitterentropy.h: Likewise.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] random: Add original Jitter RNG implementation
Stephan Mueller [Tue, 23 May 2017 16:53:21 +0000 (18:53 +0200)]
random: Add original Jitter RNG implementation

* random/jitterentropy-base-user.h: New.
* random/jitterentropy-base.c: New.
* random/jitterentropy.h: New.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
- Tabs and trailing white spaces removed from original source.
- Source received by mail dated Fri, 27 Jan 2017 17:52:38 +0100 from
  Stephan

[22 months ago] build: Fix ChangeLog building for builds from other worktrees.
Werner Koch [Thu, 8 Jun 2017 08:10:47 +0000 (10:10 +0200)]
build: Fix ChangeLog building for builds from other worktrees.

* Makefile.am (gen-ChangeLog): Test for existence of ".git" regardless
of whether it is a file or directory.
--

git worktree creates a plain file ".git" and not a ".git" directory.
Thus we can't check for the existence of a directory.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] Add release info from 1.7.7 to NEWS
Werner Koch [Fri, 2 Jun 2017 07:19:05 +0000 (09:19 +0200)]
Add release info from 1.7.7 to NEWS

--

[22 months ago] secmem: Fix SEGV and stat calculation.
NIIBE Yutaka [Fri, 2 Jun 2017 01:34:42 +0000 (10:34 +0900)]
secmem: Fix SEGV and stat calculation.

* src/secmem (init_pool): Care about the header size.
(_gcry_secmem_malloc_internal): Likewise.
(_gcry_secmem_malloc_internal): Use mb->size for stats.

--

GnuPG-bug-id: 3027
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
[22 months ago] ecc: Store EdDSA session key in secure memory.
Jo Van Bulck [Thu, 19 Jan 2017 16:00:15 +0000 (17:00 +0100)]
ecc: Store EdDSA session key in secure memory.

* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate
session key.
--

An attacker who learns the EdDSA session key from side-channel
observation during the signing process can easily recover the
long-term secret key.  Storing the session key in secure memory
ensures that constant-time point operations are used in the MPI
library.

Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
[22 months ago] api: Deprecate gcry_md_info
Werner Koch [Wed, 31 May 2017 11:00:05 +0000 (13:00 +0200)]
api: Deprecate gcry_md_info

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] mpi: Distribute asm files for aarch64 and arm
Werner Koch [Tue, 30 May 2017 13:27:47 +0000 (15:27 +0200)]
mpi: Distribute asm files for aarch64 and arm

* mpi/aarch64/distfiles: New.
* mpi/arm/distfiles: New.

Signed-off-by: Werner Koch <wk@gnupg.org>
[22 months ago] mpi: Distribute asm definitions for amd64
Werner Koch [Tue, 30 May 2017 13:23:45 +0000 (15:23 +0200)]
mpi: Distribute asm definitions for amd64

* mpi/amd64/distfiles: Add mpi-asm-defs.h.
--

The problem exhibits itself only on Windows64 where
sizeof(long) == sizeof(int).
For other platforms the definition from
generic/mpi-asm-defs.h works also for amd64.

GnuPG-bug-id: 3184
Signed-off-by: Werner Koch <wk@gnupg.org>
[23 months ago] cipher: Fix compiler warnings.
Werner Koch [Tue, 23 May 2017 15:48:15 +0000 (17:48 +0200)]
cipher: Fix compiler warnings.

* cipher/poly1305.c (poly1305_default_ops): Move to the top.  Add
prototypes and compile only if USE_SSE2 is not defined.
(poly1305_init_ext_ref32): Compile only if USE_SSE2 is not defined.
(poly1305_blocks_ref32): Ditto.
(poly1305_finish_ext_ref32): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
[23 months ago] doc: Comment fixes
Werner Koch [Tue, 23 May 2017 15:28:46 +0000 (17:28 +0200)]
doc: Comment fixes

[23 months ago] rijndael-ssse3: fix functions calls from assembly blocks
Jussi Kivilinna [Tue, 16 May 2017 18:22:11 +0000 (21:22 +0300)]
rijndael-ssse3: fix functions calls from assembly blocks

* cipher/rijndael-ssse3-amd64.c (PUSH_STACK_PTR, POP_STACK_PTR): New.
(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Use PUSH_STACK_PTR and
POP_STACK_PTR.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[23 months ago] chacha20-armv7-neon: fix to use fast code path when memory is aligned
Jussi Kivilinna [Sat, 13 May 2017 15:36:00 +0000 (18:36 +0300)]
chacha20-armv7-neon: fix to use fast code path when memory is aligned

* cipher/chacha20-armv7-neon.S (UNALIGNED_LDMIA4): Uncomment
instruction for jump to aligned code path.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[23 months ago] Move data in AMD64 assembly to text section
Jussi Kivilinna [Sat, 13 May 2017 15:53:08 +0000 (18:53 +0300)]
Move data in AMD64 assembly to text section

* cipher/camellia-aesni-avx-amd64.S: Move data to .text section to
ensure that RIP relative addressing of data will work.
* cipher/camellia-aesni-avx2-amd64.S: Ditto.
* cipher/chacha20-avx2-amd64.S: Ditto.
* cipher/chacha20-ssse3-amd64.S: Ditto.
* cipher/des-amd64.S: Ditto.
* cipher/serpent-avx2-amd64.S: Ditto.
* cipher/sha1-avx-amd64.S: Ditto.
* cipher/sha1-avx-bmi2-amd64.S: Ditto.
* cipher/sha1-ssse3-amd64.S: Ditto.
* cipher/sha256-avx-amd64.S: Ditto.
* cipher/sha256-avx2-bmi2-amd64.S: Ditto.
* cipher/sha256-ssse3-amd64.S: Ditto.
* cipher/sha512-avx-amd64.S: Ditto.
* cipher/sha512-avx2-bmi2-amd64.S: Ditto.
* cipher/sha512-ssse3-amd64.S: Ditto.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[23 months ago] cast5-amd64: use 64-bit relocation with large PIC memory model
Jussi Kivilinna [Sat, 13 May 2017 15:35:30 +0000 (18:35 +0300)]
cast5-amd64: use 64-bit relocation with large PIC memory model

* cipher/cast5-amd64.S [__code_model_large__]
(GET_EXTERN_POINTER): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[23 months ago] Fix building with x86-64 medium and large memory models
Jussi Kivilinna [Sat, 13 May 2017 14:53:27 +0000 (17:53 +0300)]
Fix building with x86-64 medium and large memory models

* cipher/cast5-amd64.S [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(GET_EXTERN_POINTER): Load 64-bit address instead of 32-bit.
* cipher/rijndael.c (do_encrypt, do_decrypt)
[USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Load
table pointer through register instead of generic reference.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[23 months ago] Spelling fixes in docs and comments.
NIIBE Yutaka [Fri, 28 Apr 2017 00:27:00 +0000 (09:27 +0900)]
Spelling fixes in docs and comments.

--

GnuPG-bug-id: 3120
Reported-by: ka7 (klemens)
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
[2 years ago] mpi: Simplify mpi_powm.
NIIBE Yutaka [Tue, 4 Apr 2017 08:38:05 +0000 (17:38 +0900)]
mpi: Simplify mpi_powm.

* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.

--

This fix is not a solution for the problem reported (yet).  The
problem is that the current algorithm of _gcry_mpi_powm depends on the
exponent and some information leakage is possible.

Reported-by: Andreas Zankl <andreas.zankl@aisec.fraunhofer.de>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
[2 years ago] build: Use macOS' compatibility macros to enable all features.
Justus Winter [Wed, 8 Mar 2017 12:09:11 +0000 (13:09 +0100)]
build: Use macOS' compatibility macros to enable all features.

* configure.ac: On macOS, use the compatibility macros to expose every
feature of the libc.  This is the equivalent of _GNU_SOURCE on GNU
libc.
--
Not defining this leads to compilation errors or superfluous warnings
on macOS.

GnuPG-bug-id: 2910
Signed-off-by: Justus Winter <justus@g10code.com>
[2 years ago] Add BLAKE2b and BLAKE2s hash algorithms (RFC 7693)
Jussi Kivilinna [Sun, 26 Feb 2017 17:55:34 +0000 (19:55 +0200)]
Add BLAKE2b and BLAKE2s hash algorithms (RFC 7693)

* cipher/blake2.c: New.
* cipher/Makefile.am: Add 'blake2.c'.
* cipher/md.c (digest_list, prepare_macpads): Add BLAKE2.
(md_setkey): New.
(_gcry_md_setkey): Call 'md_setkey' for non-HMAC md.
* configure.ac: Add BLAKE2 digest.
* doc/gcrypt.texi: Add BLAKE2.
* src/cipher.h (_gcry_blake2_init_with_key)
(_gcry_digest_spec_blake2b_512, _gcry_digest_spec_blake2b_384)
(_gcry_digest_spec_blake2b_256, _gcry_digest_spec_blake2b_160)
(_gcry_digest_spec_blake2s_256, _gcry_digest_spec_blake2s_224)
(_gcry_digest_spec_blake2s_160, _gcry_digest_spec_blake2s_128): New.
* src/gcrypt.h.in (GCRY_MD_BLAKE2B_512, GCRY_MD_BLAKE2B_384)
(GCRY_MD_BLAKE2B_256, GCRY_MD_BLAKE2B_160, GCRY_MD_BLAKE2S_256)
(GCRY_MD_BLAKE2S_224, GCRY_MD_BLAKE2S_160, GCRY_MD_BLAKE2S_128): New.
* tests/basic.c (check_one_md): Add testing for keyed hashes.
(check_digests): Add BLAKE2 test vectors; Add testing for keyed hashes.
* tests/blake2b.h: New.
* tests/blake2s.h: New.
* tests/Makefile.am: Add 'blake2b.h' and 'blake2s.h'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] Fix building with clang on ARM64/FreeBSD
Jussi Kivilinna [Sun, 26 Feb 2017 17:55:34 +0000 (19:55 +0200)]
Fix building with clang on ARM64/FreeBSD

* cipher/cipher-gcm-armv8-aarch64-ce.S: Use '.cpu generic+simd+crypto'
instead of '.arch armv8-a+crypto'.
* cipher/rijndael-armv8-aarch64-ce.S: Ditto.
* cipher/sha1-armv8-aarch64-ce.S: Ditto.
* cipher/sha256-armv8-aarch64-ce.S: Ditto.
* configure.ac (gcry_cv_gcc_inline_asm_aarch64_neon): Ditto.
(gcry_cv_gcc_inline_asm_aarch64_crypto): Ditto; and include NEON
instructions to crypto instructions check.
--

GnuPG-bug-id: 2975
Reported-by: Kirill Ponomarev <kp@krion.cc>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] Fix building with a pre C99 compiler.
Justus Winter [Tue, 7 Feb 2017 09:20:58 +0000 (10:20 +0100)]
Fix building with a pre C99 compiler.

* cipher/cipher-cfb.c (_gcry_cipher_cfb8_encrypt): Move the
declaration of 'i' out of the loop.
(_gcry_cipher_cfb8_decrypt): Likewise.
--
Fixes build on OpenBSD.

Fixes-commit: d1ee9a660571ce4a998c9ab2299d4f2419f99127
Signed-off-by: Justus Winter <justus@g10code.com>
[2 years ago] Implement CFB with 8-bit mode
Mathias L. Baumann [Sat, 4 Feb 2017 11:30:41 +0000 (13:30 +0200)]
Implement CFB with 8-bit mode

* cipher/cipher-cfb.c (_gcry_cipher_cfb8_encrypt)
(_gcry_cipher_cfb8_decrypt): Add 8-bit variants of decrypt/encrypt
functions.
* cipher/cipher-internal.h (_gcry_cipher_cfb8_encrypt)
(_gcry_cipher_cfb8_decrypt): Ditto.
* cipher/cipher.c: Adjust code flow to work with GCRY_CIPHER_MODE_CFB8.
* tests/basic.c: Add tests for cfb8 with AES and 3DES.
--

Signed-off-by: Mathias L. Baumann <mathias.baumann at sociomantic.com>
[JK: edit changelog, fix email malformed patch]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] Register DCO for Mathias L. Baumann
Jussi Kivilinna [Sat, 4 Feb 2017 11:29:50 +0000 (13:29 +0200)]
Register DCO for Mathias L. Baumann

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] rndhw: add missing "memory" clobbers
Jussi Kivilinna [Sat, 4 Feb 2017 10:48:57 +0000 (12:48 +0200)]
rndhw: add missing "memory" clobbers

* random/rndhw.c: (poll_padlock, rdrand_long): Add "memory" to asm
clobbers.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] Add UNLIKELY and LIKELY macros
Jussi Kivilinna [Sat, 28 Jan 2017 09:00:35 +0000 (11:00 +0200)]
Add UNLIKELY and LIKELY macros

* src/g10lib.h (LIKELY, UNLIKELY): New.
(gcry_assert): Use LIKELY for assert check.
(fast_wipememory2_unaligned_head): Use UNLIKELY for unaligned
branching.
* cipher/bufhelp.h (buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst)
(buf_xor_n_copy_2): Ditto.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] rndhw: avoid type-punching
Jussi Kivilinna [Sat, 28 Jan 2017 13:00:28 +0000 (15:00 +0200)]
rndhw: avoid type-punching

* random/rndhw.c (rdrand_long, rdrand_nlong): Add 'volatile' for
pointer.
(poll_drng): Convert buffer to 'unsigned long[]' and make use of DIM
macro.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] hwf-x86: avoid type-punching
Jussi Kivilinna [Sat, 28 Jan 2017 12:59:56 +0000 (14:59 +0200)]
hwf-x86: avoid type-punching

* src/hwf-x86.c (detect_x86_gnuc): Use union for vendor_id.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] cipher: add explicit blocksize checks to allow better optimization
Jussi Kivilinna [Sat, 28 Jan 2017 08:26:09 +0000 (10:26 +0200)]
cipher: add explicit blocksize checks to allow better optimization

* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
(_gcry_cipher_cbc_decrypt): Add explicit check for cipher blocksize of
64-bit or 128-bit.
* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
(_gcry_cipher_cfb_decrypt): Ditto.
* cipher/cipher-cmac.c (cmac_write, cmac_generate_subkeys)
(cmac_final): Ditto.
* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt): Ditto.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] bufhelp: use unaligned dword and qword types for endianess helpers
Jussi Kivilinna [Sat, 28 Jan 2017 09:26:02 +0000 (11:26 +0200)]
bufhelp: use unaligned dword and qword types for endianess helpers

* cipher/bufhelp.h (BUFHELP_UNALIGNED_ACCESS): New, defined
if attributes 'packed', 'aligned' and 'may_alias' are supported.
(BUFHELP_FAST_UNALIGNED_ACCESS): Define if have
BUFHELP_UNALIGNED_ACCESS.
--

Now that the compiler is properly told that reads from these types
may not follow strict aliasing and may be unaligned, we enable use
of these for all architectures and the compiler will emit more
optimized, yet correct, code (for example, using special unaligned
read/write instructions instead of accessing byte-by-byte).

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] rijndael-aesni: fix u128_t strict-aliasing rule breaking
Jussi Kivilinna [Sat, 28 Jan 2017 09:26:02 +0000 (11:26 +0200)]
rijndael-aesni: fix u128_t strict-aliasing rule breaking

* cipher/rijndael-aesni.c (u128_t): Add attributes to tell GCC and clang
that casting from 'char *' to 'u128_t *' is ok.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] cipher-xts: fix pointer casting to wrong alignment and aliasing
Jussi Kivilinna [Sat, 28 Jan 2017 09:26:02 +0000 (11:26 +0200)]
cipher-xts: fix pointer casting to wrong alignment and aliasing

* cipher/cipher-xts.c (xts_gfmul_byA, xts_inc128): Use buf_get_le64
and buf_put_le64 for accessing data; Change parameter pointers to
'unsigned char *' type.
(_gcry_cipher_xts_crypt): Do not cast buffer pointers to 'u64 *'
for helper functions.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] crc-intel-pclmul: fix undefined behavior with unaligned access
Jussi Kivilinna [Sat, 28 Jan 2017 09:26:02 +0000 (11:26 +0200)]
crc-intel-pclmul: fix undefined behavior with unaligned access

* cipher/crc-intel-pclmul.c (u16_unaligned_s): New.
(crc32_reflected_less_than_16, crc32_less_than_16): Use
'u16_unaligned_s' for unaligned memory access.
--

GnuPG-bug-id: 2292
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] configure.ac: fix attribute checks
Jussi Kivilinna [Sat, 28 Jan 2017 09:26:02 +0000 (11:26 +0200)]
configure.ac: fix attribute checks

* configure.ac: Add -Werror flag for attribute checks.
--

The compiler ignores unknown attributes and just shows a warning.  Therefore
attribute checks need to be run with -Werror.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] configure.ac: fix may_alias attribute check
Jussi Kivilinna [Sat, 28 Jan 2017 09:26:02 +0000 (11:26 +0200)]
configure.ac: fix may_alias attribute check

* configure.ac: Test may_alias attribute on type, not on variable.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] bufhelp: add 'may_alias' attribute for properly aligned 'bufhelp_int_t'
Jussi Kivilinna [Sat, 28 Jan 2017 09:26:02 +0000 (11:26 +0200)]
bufhelp: add 'may_alias' attribute for properly aligned 'bufhelp_int_t'

* cipher/bufhelp.h [!BUFHELP_FAST_UNALIGNED_ACCESS]
(bufhelp_int_t): Add 'may_alias' attribute.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] w32: New envvar GCRYPT_RNDW32_DBG.
Werner Koch [Fri, 27 Jan 2017 08:16:31 +0000 (09:16 +0100)]
w32: New envvar GCRYPT_RNDW32_DBG.

* random/rndw32.c (_gcry_rndw32_gather_random): Use getenv to set
DEBUG_ME.

Signed-off-by: Werner Koch <wk@gnupg.org>
[2 years ago] Update NEWS with release info from 1.7.4 to 1.7.6.
Werner Koch [Fri, 27 Jan 2017 08:13:07 +0000 (09:13 +0100)]
Update NEWS with release info from 1.7.4 to 1.7.6.

--

[2 years ago] rijndael-ssse3-amd64: fix building on x32
Jussi Kivilinna [Mon, 23 Jan 2017 18:01:32 +0000 (20:01 +0200)]
rijndael-ssse3-amd64: fix building on x32

* cipher/rijndael-ssse3-amd64.c: Use 64-bit call instructions
with 64-bit registers.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[2 years ago] bufhelp: use 'may_alias' attribute for unaligned pointer types
Jussi Kivilinna [Mon, 23 Jan 2017 17:48:28 +0000 (19:48 +0200)]
bufhelp: use 'may_alias' attribute unaligned pointer types

* configure.ac (gcry_cv_gcc_attribute_may_alias)
(HAVE_GCC_ATTRIBUTE_MAY_ALIAS): New check for 'may_alias' attribute.
* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only if
HAVE_GCC_ATTRIBUTE_MAY_ALIAS is defined.
[BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_int_t, bufhelp_u32_t)
(bufhelp_u64_t): Add 'may_alias' attribute.
* src/g10lib.h (fast_wipememory_t): Add HAVE_GCC_ATTRIBUTE_MAY_ALIAS
defined check; Add 'may_alias' attribute.
--

Attribute 'may_alias' was missing from bufhelp unaligned memory access
pointer types, and was causing problems with newer GCC versions (with
more aggressive optimization). This patch fixes broken Camellia-CFB
with '-O3 -flto' flags with GCC-6 on x86-64 and generic GCM with
default '-O2' on x32.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
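The two bufhelp commits above add GCC's 'may_alias' attribute to the pointer types used for unaligned word access. The following is an added example (not libgcrypt's bufhelp.h) of that technique: a 32-bit big-endian load through a may_alias-qualified type on architectures that tolerate unaligned access, with a memcpy fallback elsewhere, checked at every byte offset against a byte-by-byte reference. The names bufhelp_u32_t and buf_get_be32 echo the commit message but are reimplemented here; HAVE_MAY_ALIAS and the sample buffer contents are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: a pointer type carrying GCC's 'may_alias' attribute so that
   a 32-bit load through it may legally alias the unsigned char buffer it
   points into.  Without the attribute a plain uint32_t lvalue is assumed not
   to alias the byte objects, and the optimizer may reorder or drop the load
   relative to byte stores, which is the miscompilation class the commit
   describes (Camellia-CFB at -O3 -flto, GCM at -O2 on x32). */
#if defined(__GNUC__)
typedef uint32_t __attribute__((may_alias)) bufhelp_u32_t;
# define HAVE_MAY_ALIAS 1            /* constructed macro for this example */
#else
typedef uint32_t bufhelp_u32_t;      /* no attribute: only safe when aligned */
#endif

static inline uint32_t bswap32(uint32_t v)
{
  return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

static inline int host_is_little_endian(void)
{
  const uint16_t probe = 1;
  unsigned char b;
  memcpy(&b, &probe, 1);
  return b == 1;
}

/* Fast path: one word load at an arbitrary (possibly unaligned) address on
   architectures where unaligned loads are supported by hardware.  The
   portable path uses memcpy, which is always alias-safe. */
static inline uint32_t buf_get_be32(const void *p)
{
  uint32_t v;
#if defined(HAVE_MAY_ALIAS) && (defined(__x86_64__) || defined(__i386__) || defined(__aarch64__))
  v = *(const bufhelp_u32_t *)p;
#else
  memcpy(&v, p, sizeof v);
#endif
  return host_is_little_endian() ? bswap32(v) : v;
}

/* Reference: assemble the value byte by byte; never subject to aliasing. */
static inline uint32_t buf_get_be32_bytes(const void *p)
{
  const unsigned char *b = p;
  return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
       | ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Exercise every byte offset of a constructed 12-byte buffer, including the
   unaligned ones, then interleave byte stores with word loads of the same
   memory, the pattern that goes wrong without may_alias.  Returns 1 on
   success, 0 on any mismatch. */
int check_unaligned_loads(void)
{
  unsigned char buf[12] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02,
                            0x03, 0x04, 0xca, 0xfe, 0xba, 0xbe };
  for (size_t off = 0; off + 4 <= sizeof buf; off++)
    if (buf_get_be32(buf + off) != buf_get_be32_bytes(buf + off))
      return 0;

  for (size_t i = 0; i < sizeof buf; i++)
    buf[i] = (unsigned char)(i * 37);
  return buf_get_be32(buf + 1) == buf_get_be32_bytes(buf + 1);
}

int main(void)
{
  printf("unaligned loads %s\n", check_unaligned_loads() ? "ok" : "FAILED");
  return 0;
}
```

The check is deterministic on any host: with the attribute present (or the memcpy path) the fast and reference loads must agree at every offset, which is what a build-time self-test of a bufhelp-style header should assert before the optimized cipher paths are trusted.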
2 years ago | random: Call getrandom before select and emitting a progress callback.
Werner Koch [Wed, 18 Jan 2017 09:24:06 +0000 (10:24 +0100)]
random: Call getrandom before select and emitting a progress callback.

* random/rndlinux.c (_gcry_rndlinux_gather_random): Move the getrandom
call before the select.
--

A select for getrandom does not make any sense because there is no
file descriptor for getrandom.  Thus if getrandom is available we now
select only when we want to read from the blocking /dev/random.  In
most cases this avoids all progress callbacks.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | mpi: amd64: fix too large jump alignment in mpih-rshift
Jussi Kivilinna [Wed, 4 Jan 2017 20:30:26 +0000 (22:30 +0200)]
mpi: amd64: fix too large jump alignment in mpih-rshift

* mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Use 16-byte alignment
with 'ALIGN(4)' instead of 256-byte.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | rijndael-ssse3: move assembly functions to separate source-file
Jussi Kivilinna [Wed, 4 Jan 2017 17:16:26 +0000 (19:16 +0200)]
rijndael-ssse3: move assembly functions to separate source-file

* cipher/Makefile.am: Add 'rijndael-ssse3-amd64-asm.S'.
* cipher/rijndael-ssse3-amd64-asm.S: Moved assembly functions
here ...
* cipher/rijndael-ssse3-amd64.c: ... from this file.
(_gcry_aes_ssse3_enc_preload, _gcry_aes_ssse3_dec_preload)
(_gcry_aes_ssse3_shedule_core, _gcry_aes_ssse3_encrypt_core)
(_gcry_aes_ssse3_decrypt_core): New.
(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Update to use external
assembly functions; remove 'aes_const_ptr' variable usage.
(_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_decrypt)
(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
(_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec)
(_gcry_aes_ssse3_ocb_auth): Remove 'aes_const_ptr' variable usage.
* configure.ac: Add 'rijndael-ssse3-amd64-asm.lo'.
--

After this change, libgcrypt can be compiled with -flto optimization
enabled on x86-64.

GnuPG-bug-id: 2882
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Add AVX2/vpgather bulk implementation of Twofish
Jussi Kivilinna [Wed, 4 Jan 2017 08:18:36 +0000 (10:18 +0200)]
Add AVX2/vpgather bulk implementation of Twofish

* cipher/Makefile.am: Add 'twofish-avx2-amd64.S'.
* cipher/twofish-avx2-amd64.S: New.
* cipher/twofish.c (USE_AVX2): New.
(TWOFISH_context) [USE_AVX2]: Add 'use_avx2' member.
(ASM_FUNC_ABI): New.
(twofish_setkey): Add check for AVX2 and fast VPGATHER HW features.
(_gcry_twofish_avx2_ctr_enc, _gcry_twofish_avx2_cbc_dec)
(_gcry_twofish_avx2_cfb_dec, _gcry_twofish_avx2_ocb_enc)
(_gcry_twofish_avx2_ocb_dec, _gcry_twofish_avx2_ocb_auth): New.
(_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec, _gcry_twofish_cfb_dec)
(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Add AVX2 bulk
handling.
(selftest_ctr, selftest_cbc, selftest_cfb): Increase nblocks from
3+X to 16+X.
* configure.ac: Add 'twofish-avx2-amd64.lo'.
* src/g10lib.h (HWF_INTEL_FAST_VPGATHER): New.
* src/hwf-x86.c (detect_x86_gnuc): Add detection for
HWF_INTEL_FAST_VPGATHER.
* src/hwfeatures.c (HWF_INTEL_FAST_VPGATHER): Add
"intel-fast-vpgather" for HWF_INTEL_FAST_VPGATHER.
--

Benchmark on Intel Core i3-6100 (3.7 Ghz):

Before:
 TWOFISH        |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |      4.25 ns/B     224.5 MiB/s     15.71 c/B
        ECB dec |      4.16 ns/B     229.5 MiB/s     15.38 c/B
        CBC enc |      4.53 ns/B     210.4 MiB/s     16.77 c/B
        CBC dec |      2.71 ns/B     351.6 MiB/s     10.04 c/B
        CFB enc |      4.60 ns/B     207.3 MiB/s     17.02 c/B
        CFB dec |      2.70 ns/B     353.5 MiB/s      9.98 c/B
        OFB enc |      4.25 ns/B     224.2 MiB/s     15.74 c/B
        OFB dec |      4.24 ns/B     225.0 MiB/s     15.68 c/B
        CTR enc |      2.72 ns/B     350.6 MiB/s     10.06 c/B
        CTR dec |      2.72 ns/B     350.7 MiB/s     10.06 c/B
        CCM enc |      7.25 ns/B     131.5 MiB/s     26.83 c/B
        CCM dec |      7.25 ns/B     131.5 MiB/s     26.83 c/B
       CCM auth |      4.57 ns/B     208.9 MiB/s     16.89 c/B
        GCM enc |      3.02 ns/B     315.3 MiB/s     11.19 c/B
        GCM dec |      3.02 ns/B     315.6 MiB/s     11.18 c/B
       GCM auth |     0.297 ns/B    3208.4 MiB/s      1.10 c/B
        OCB enc |      2.73 ns/B     349.7 MiB/s     10.09 c/B
        OCB dec |      2.82 ns/B     338.3 MiB/s     10.43 c/B
       OCB auth |      2.77 ns/B     343.7 MiB/s     10.27 c/B

After (CBC-dec & CFB-dec & CTR & OCB, ~1.5x faster):
 TWOFISH        |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |      4.25 ns/B     224.2 MiB/s     15.74 c/B
        ECB dec |      4.15 ns/B     229.5 MiB/s     15.37 c/B
        CBC enc |      4.61 ns/B     206.8 MiB/s     17.06 c/B
        CBC dec |      1.75 ns/B     544.0 MiB/s      6.49 c/B
        CFB enc |      4.52 ns/B     211.0 MiB/s     16.72 c/B
        CFB dec |      1.72 ns/B     554.1 MiB/s      6.37 c/B
        OFB enc |      4.27 ns/B     223.3 MiB/s     15.80 c/B
        OFB dec |      4.28 ns/B     222.7 MiB/s     15.84 c/B
        CTR enc |      1.73 ns/B     549.9 MiB/s      6.42 c/B
        CTR dec |      1.75 ns/B     545.1 MiB/s      6.47 c/B
        CCM enc |      6.31 ns/B     151.2 MiB/s     23.34 c/B
        CCM dec |      6.42 ns/B     148.5 MiB/s     23.76 c/B
       CCM auth |      4.56 ns/B     208.9 MiB/s     16.89 c/B
        GCM enc |      1.90 ns/B     502.8 MiB/s      7.02 c/B
        GCM dec |      2.00 ns/B     477.8 MiB/s      7.38 c/B
       GCM auth |     0.300 ns/B    3178.6 MiB/s      1.11 c/B
        OCB enc |      1.76 ns/B     542.2 MiB/s      6.51 c/B
        OCB dec |      1.76 ns/B     540.7 MiB/s      6.53 c/B
       OCB auth |      1.76 ns/B     542.8 MiB/s      6.50 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Add XTS cipher mode
Jussi Kivilinna [Fri, 6 Jan 2017 10:48:17 +0000 (12:48 +0200)]
Add XTS cipher mode

* cipher/Makefile.am: Add 'cipher-xts.c'.
* cipher/cipher-internal.h (gcry_cipher_handle): Add 'bulk.xts_crypt'
and 'u_mode.xts' members.
(_gcry_cipher_xts_crypt): New prototype.
* cipher/cipher-xts.c: New.
* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
(cipher_reset, cipher_encrypt, cipher_decrypt): Add XTS mode handling.
* doc/gcrypt.texi: Add XTS mode to documentation.
* src/gcrypt.h.in (GCRY_CIPHER_MODE_XTS, GCRY_XTS_BLOCK_LEN): New.
* tests/basic.c (do_check_xts_cipher, check_xts_cipher): New.
(check_bulk_cipher_modes): Add XTS test-vectors.
(check_one_cipher_core, check_one_cipher, check_ciphers): Add XTS
testing support.
(check_cipher_modes): Add XTS test.
* tests/bench-slope.c (bench_xts_encrypt_init)
(bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench)
(xts_encrypt_ops, xts_decrypt_ops): New.
(cipher_modes, cipher_bench_one): Add XTS.
* tests/benchmark.c (cipher_bench): Add XTS testing.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | rijndael-ssse3: fix counter operand from read-only to read/write
Jussi Kivilinna [Wed, 4 Jan 2017 10:02:36 +0000 (12:02 +0200)]
rijndael-ssse3: fix counter operand from read-only to read/write

* cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_ctr_enc): Change
'ctrlow' operand from read-only to read-write.
--

With a read-only operand, the compiler is allowed to pass a temporary
register to the assembly block and throw away any calculation that
has been done on that register. On the other hand, the compiler is
also allowed to keep the operand value permanently in one register
as the value is treated as read-only, and then it effectively operates as
expected. Selection between these two depends on compiler
version and used flags.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Extend GCRYCTL_PRINT_CONFIG to print compiler version.
Werner Koch [Tue, 3 Jan 2017 15:30:54 +0000 (16:30 +0100)]
Extend GCRYCTL_PRINT_CONFIG to print compiler version.

* src/global.c (print_config): Print version of libgpg-error and used
compiler.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | tests: Add option --disable-hwf to the version utility.
Werner Koch [Tue, 3 Jan 2017 14:34:33 +0000 (15:34 +0100)]
tests: Add option --disable-hwf to the version utility.

* src/hwfeatures.c (_gcry_disable_hw_feature): Rewrite to allow
passing a colon delimited feature set.
(parse_hwf_deny_file): Remove unused var I.
* tests/version.c (main): Add options --verbose and --disable-hwf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | Add release info from 1.7.5
Werner Koch [Thu, 15 Dec 2016 08:49:47 +0000 (09:49 +0100)]
Add release info from 1.7.5

--

2 years ago | Fix regression in broken mlock detection.
Werner Koch [Thu, 15 Dec 2016 07:50:40 +0000 (08:50 +0100)]
Fix regression in broken mlock detection.

* acinclude.m4 (GNUPG_CHECK_MLOCK): Fix typo EGAIN->EAGAIN.
--

GnuPG-bug-id: 2870
Fixes-commit: 618b8978f46f4011c11512fd5f30c15e01652e2e
Co-authored-by: Nicolas Porcel <nicolasporcel06@gmail.com>
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | tests: Check the result of all gcry_control operations.
Justus Winter [Tue, 13 Dec 2016 12:33:45 +0000 (13:33 +0100)]
tests: Check the result of all gcry_control operations.

--
Signed-off-by: Justus Winter <justus@g10code.com>
2 years ago | tests: Use common code for all tests.
Justus Winter [Tue, 13 Dec 2016 12:24:51 +0000 (13:24 +0100)]
tests: Use common code for all tests.

--
Also fix minor fallout from the format string warnings.

Signed-off-by: Justus Winter <justus@g10code.com>
2 years ago | tests: Rename 'show' to 'info'.
Justus Winter [Tue, 13 Dec 2016 11:20:32 +0000 (12:20 +0100)]
tests: Rename 'show' to 'info'.

--
Signed-off-by: Justus Winter <justus@g10code.com>
2 years ago | tests: Rename 'PGMNAME' to 'PGM'.
Justus Winter [Tue, 13 Dec 2016 11:12:26 +0000 (12:12 +0100)]
tests: Rename 'PGMNAME' to 'PGM'.

--
Signed-off-by: Justus Winter <justus@g10code.com>
2 years ago | tests: Rename 'errorcount' to 'error_count'.
Justus Winter [Tue, 13 Dec 2016 11:09:40 +0000 (12:09 +0100)]
tests: Rename 'errorcount' to 'error_count'.

--
Signed-off-by: Justus Winter <justus@g10code.com>
2 years ago | hwfeatures: add 'all' for disabling all hardware features
Jussi Kivilinna [Sat, 10 Dec 2016 10:29:12 +0000 (12:29 +0200)]
hwfeatures: add 'all' for disabling all hardware features

* .gitignore: Add 'tests/basic-disable-all-hwf'.
* configure.ac: Ditto.
* tests/Makefile.am: Ditto.
* src/hwfeatures.c (_gcry_disable_hw_feature): Match 'all' for
masking all HW features off.
(parse_hwf_deny_file): Use '_gcry_disable_hw_feature' for matching.
* tests/basic-disable-all-hwf.in: New.
--

Also add a new test to run 'basic' with all HWF disabled. With current
assembly implementations and build servers using new CPUs, generic
implementations are not being tested enough anymore and compiler
problems might end up unnoticed.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | tests/hashtest-256g: add missing executable extension for Win32
Jussi Kivilinna [Sat, 10 Dec 2016 10:29:12 +0000 (12:29 +0200)]
tests/hashtest-256g: add missing executable extension for Win32

* tests/hashtest-256g.in: Add @EXEEXT@.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | OCB ARM CE: Move ocb_get_l handling to assembly part
Jussi Kivilinna [Sat, 10 Dec 2016 10:29:12 +0000 (12:29 +0200)]
OCB ARM CE: Move ocb_get_l handling to assembly part

* cipher/rijndael-armv8-aarch32-ce.S: Add OCB 'L_{ntz(i)}' calculation.
* cipher/rijndael-armv8-aarch64-ce.S: Ditto.
* cipher/rijndael-armv8-ce.c (_gcry_aes_ocb_enc_armv8_ce)
(_gcry_aes_ocb_dec_armv8_ce, _gcry_aes_ocb_auth_armv8_ce)
(ocb_cryt_fn_t): Updated arguments.
(_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_ocb_auth): Remove
'ocb_get_l' handling and splitting input to 32 block chunks, instead
pass full buffers to assembly.
--

Performance on Cortex-A53 (AArch32):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        OCB enc |      1.63 ns/B     583.8 MiB/s      1.88 c/B
        OCB dec |      1.67 ns/B     572.1 MiB/s      1.92 c/B
       OCB auth |      1.33 ns/B     717.1 MiB/s      1.53 c/B

After (~12% faster):
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        OCB enc |      1.47 ns/B     650.2 MiB/s      1.69 c/B
        OCB dec |      1.48 ns/B     644.5 MiB/s      1.70 c/B
       OCB auth |      1.19 ns/B     798.2 MiB/s      1.38 c/B

Performance on Cortex-A53 (AArch64):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        OCB enc |      1.29 ns/B     738.5 MiB/s      1.49 c/B
        OCB dec |      1.32 ns/B     723.5 MiB/s      1.52 c/B
       OCB auth |      1.15 ns/B     827.0 MiB/s      1.33 c/B

After (~8% faster):
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        OCB enc |      1.21 ns/B     789.1 MiB/s      1.39 c/B
        OCB dec |      1.21 ns/B     789.2 MiB/s      1.39 c/B
       OCB auth |      1.10 ns/B     867.0 MiB/s      1.27 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | OCB: Move large L handling from bottom to upper level
Jussi Kivilinna [Sat, 10 Dec 2016 10:29:12 +0000 (12:29 +0200)]
OCB: Move large L handling from bottom to upper level

* cipher/cipher-ocb.c (_gcry_cipher_ocb_get_l): Remove.
(ocb_get_L_big): New.
(_gcry_cipher_ocb_authenticate): L-big handling done in upper
processing loop, so that lower level never sees the case where
'aad_nblocks % 65536 == 0'; Add missing stack burn.
(ocb_aad_finalize): Add missing stack burn.
(ocb_crypt): L-big handling done in upper processing loop, so that
lower level never sees the case where 'data_nblocks % 65536 == 0'.
* cipher/cipher-internal.h (_gcry_cipher_ocb_get_l): Remove.
(ocb_get_l): Remove 'l_tmp' usage and simplify since input
is more limited now, 'N is not multiple of 65536'.
* cipher/rijndael-aesni.c (get_l): Remove.
(aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Remove
l_tmp; Use 'ocb_get_l'.
* cipher/rijndael-ssse3-amd64.c (get_l): Remove.
(ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_auth): Remove
l_tmp; Use 'ocb_get_l'.
* cipher/camellia-glue.c: Remove OCB l_tmp usage.
* cipher/rijndael-armv8-ce.c: Ditto.
* cipher/rijndael.c: Ditto.
* cipher/serpent.c: Ditto.
* cipher/twofish.c: Ditto.
--

Move large L value generation to the upmost level to simplify the lower-level
ocb_get_l for greater performance and a simpler implementation. This helps
implementing OCB in assembly as 'ocb_get_l' no longer has a function call
on the slow path.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | OCB: remove 'int64_t' usage
Jussi Kivilinna [Sat, 10 Dec 2016 10:29:12 +0000 (12:29 +0200)]
OCB: remove 'int64_t' usage

* cipher/cipher-ocb.c (double_block): Use alternative way to generate
sign-bit mask, without 'int64_t'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
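The two OCB commits above (large-L handling moved to the upper level, and double_block written without int64_t) both turn on the same small piece of arithmetic. The following is an added example, not libgcrypt's cipher-ocb.c: GF(2^128) doubling with the carry mask derived by unsigned arithmetic (0 - (hi >> 63)) instead of an arithmetic shift on a signed type, the L table built from it, the function-call-free table lookup for block indices that are not multiples of 65536, and the slow path for the remaining indices. The L_* input used in the self-test is a constructed value; in OCB it is E_K(0^128).

```c
#include <stdint.h>
#include <string.h>

/* Added example, not libgcrypt code: OCB L-value handling. */
#define OCB_BLOCK_LEN 16
#define OCB_L_TABLE_SIZE 16   /* L_0 .. L_15: enough for every ntz(i) < 16 */

/* The block is one 128-bit big-endian integer, as in the OCB specification. */
static uint64_t get_be64(const unsigned char *p)
{
  uint64_t v = 0;
  for (int i = 0; i < 8; i++)
    v = (v << 8) | p[i];
  return v;
}
static void put_be64(unsigned char *p, uint64_t v)
{
  for (int i = 7; i >= 0; i--) { p[i] = (unsigned char)v; v >>= 8; }
}

/* double_block: out = 2 * in in GF(2^128) mod x^128+x^7+x^2+x+1.  The
   reduction constant 0x87 is XORed in only when the input's top bit is set.
   Rather than sign-extending with an arithmetic shift on int64_t, derive the
   all-ones/all-zeros mask with unsigned wraparound: 0 - (hi >> 63).
   Reads both words before writing, so in == out is fine. */
void double_block(unsigned char out[OCB_BLOCK_LEN],
                  const unsigned char in[OCB_BLOCK_LEN])
{
  uint64_t hi = get_be64(in);
  uint64_t lo = get_be64(in + 8);
  uint64_t mask = 0 - (hi >> 63);     /* 0xFFFF...FF if msb set, else 0 */

  hi = (hi << 1) | (lo >> 63);
  lo = (lo << 1) ^ (mask & 0x87);

  put_be64(out, hi);
  put_be64(out + 8, lo);
}

/* Number of trailing zero bits; block indices start at 1, so n != 0. */
static unsigned ntz64(uint64_t n)
{
  unsigned c = 0;
  while ((n & 1) == 0) { n >>= 1; c++; }
  return c;
}

typedef struct {
  unsigned char L_dollar[OCB_BLOCK_LEN];
  unsigned char L[OCB_L_TABLE_SIZE][OCB_BLOCK_LEN];
} ocb_ltab_t;

/* L_$ = 2*L_*, L_0 = 2*L_$, L_i = 2*L_{i-1}. */
void ocb_ltab_init(ocb_ltab_t *t, const unsigned char lstar[OCB_BLOCK_LEN])
{
  double_block(t->L_dollar, lstar);
  double_block(t->L[0], t->L_dollar);
  for (int i = 1; i < OCB_L_TABLE_SIZE; i++)
    double_block(t->L[i], t->L[i - 1]);
}

/* Lower-level fast path: valid only when i is not a multiple of 65536, i.e.
   ntz(i) < 16.  Pure table lookup, no function call, easy to do in assembly. */
const unsigned char *ocb_get_l(const ocb_ltab_t *t, uint64_t i)
{
  return t->L[ntz64(i)];
}

/* Upper-level "L big" path: handles any i by doubling onward from the last
   table entry when ntz(i) exceeds the table. */
void ocb_get_l_big(const ocb_ltab_t *t, uint64_t i,
                   unsigned char out[OCB_BLOCK_LEN])
{
  unsigned n = ntz64(i);
  if (n < OCB_L_TABLE_SIZE)
    {
      memcpy(out, t->L[n], OCB_BLOCK_LEN);
      return;
    }
  memcpy(out, t->L[OCB_L_TABLE_SIZE - 1], OCB_BLOCK_LEN);
  for (unsigned k = OCB_L_TABLE_SIZE - 1; k < n; k++)
    double_block(out, out);
}

/* Known-answer checks: returns 1 on success, 0 on the first failure. */
int ocb_selftest(void)
{
  static const unsigned char msb[OCB_BLOCK_LEN] = { 0x80 };
  static const unsigned char one[OCB_BLOCK_LEN] = { [OCB_BLOCK_LEN - 1] = 1 };
  unsigned char out[OCB_BLOCK_LEN], exp[OCB_BLOCK_LEN], big[OCB_BLOCK_LEN];
  ocb_ltab_t t;

  /* 2 * 0x80..00 = 0x00..87 (carry into the reduction constant) */
  double_block(out, msb);
  memset(exp, 0, sizeof exp); exp[OCB_BLOCK_LEN - 1] = 0x87;
  if (memcmp(out, exp, OCB_BLOCK_LEN) != 0) return 0;

  /* 2 * 0x00..01 = 0x00..02 (no carry) */
  double_block(out, one);
  memset(exp, 0, sizeof exp); exp[OCB_BLOCK_LEN - 1] = 0x02;
  if (memcmp(out, exp, OCB_BLOCK_LEN) != 0) return 0;

  /* in-place doubling, as a lower-level buffer would do it */
  memcpy(out, msb, OCB_BLOCK_LEN);
  double_block(out, out);
  memset(exp, 0, sizeof exp); exp[OCB_BLOCK_LEN - 1] = 0x87;
  if (memcmp(out, exp, OCB_BLOCK_LEN) != 0) return 0;

  ocb_ltab_init(&t, one);   /* constructed L_*; real L_* is E_K(0^128) */
  if (ocb_get_l(&t, 1) != t.L[0] || ocb_get_l(&t, 12) != t.L[2]) return 0;

  /* i = 65536 has ntz 16: one doubling beyond the table, upper level's job */
  ocb_get_l_big(&t, 65536, big);
  double_block(exp, t.L[OCB_L_TABLE_SIZE - 1]);
  return memcmp(big, exp, OCB_BLOCK_LEN) == 0;
}
```

The split mirrors the commit: the per-block routine only ever calls ocb_get_l, which cannot fail and cannot recurse into a doubling loop, and the caller guarantees the precondition by peeling off the one block in 65536 whose L value needs ocb_get_l_big.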
2 years ago | random-drbg: use bufhelp function for big-endian store
Jussi Kivilinna [Sat, 10 Dec 2016 10:29:12 +0000 (12:29 +0200)]
random-drbg: use bufhelp function for big-endian store

* random/random-drbg.c (drbg_cpu_to_be32): Remove.
(drbg_ctr_df, drbg_hash_df): Use 'buf_put_be32' instead of
'drbg_cpu_to_be32'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Add release info from 1.7.4
Werner Koch [Fri, 9 Dec 2016 14:57:33 +0000 (15:57 +0100)]
Add release info from 1.7.4

--

2 years ago | Improve handling of mlock error codes.
Werner Koch [Fri, 9 Dec 2016 11:10:54 +0000 (12:10 +0100)]
Improve handling of mlock error codes.

* acinclude.m4 (GNUPG_CHECK_MLOCK): Check also for EAGAIN which is a
legitimate return code and does not indicate a broken mlock().
* src/secmem.c (lock_pool_pages): Test ERR instead of ERRNO which
could have been overwritten by cap_from_text et al.
--

  On FreeBSD, if there are not enough free pages, mlock() can return
  EAGAIN, as documented in mlock(2). That doesn't mean that mlock is
  broken. I suspect this same issue also exists on the other BSD's.

Suggested-by: Ruben Kerkhof <ruben@rubenkerkhof.com>
This is (now) also true for Linux.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | random: Eliminate unneeded memcpy invocations in the DRBG.
Stephan Mueller [Sat, 3 Dec 2016 18:18:01 +0000 (19:18 +0100)]
random: Eliminate unneeded memcpy invocations in the DRBG.

* random/random-drbg.c (drbg_hash): Remove arg 'outval' and return a
pointer instead.
(drbg_instantiate): Reduce size of scratchpad.
(drbg_hmac_update): Avoid use of scratch buffers for the hash.
(drbg_hmac_generate, drbg_hash_df): Ditto.
(drbg_hash_process_addtl): Ditto.
(drbg_hash_hashgen): Ditto.
(drbg_hash_generate): Ditto.

--
gcry_md_read returns a pointer to the hash which can be directly
used instead of copying it into a scratch buffer. This eliminates a
number of memcpy invocations for HMAC and Hash DRBG and reduces the
memory footprint of the Hash DRBG by the block size of the used hash.

The performance increase is between 1 and 3 MB/s depending on the output
buffer size.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
ChangeLog entries above written by -wk.

2 years ago | random: Add performance improvements for the DRBG.
Stephan Mueller [Thu, 1 Dec 2016 16:15:10 +0000 (17:15 +0100)]
random: Add performance improvements for the DRBG.

* random/random-drbg.c (struct drbg_state_ops_s): New function
pointers 'crypto_init' and 'crypto-fini'.
(struct drbg_state_s): New fields 'priv_data', 'ctr_handle', and
'ctr_null'.
(drbg_hash_init, drbg_hash_fini): New.
(drbg_hmac_init, drbg_hmac_setkey): New.
(drbg_sym_fini, drbg_sym_init, drbg_sym_setkey): New.
(drbg_sym_ctr): New.
(drbg_ctr_bcc): Set the key.
(drbg_ctr_df): Ditto.
(drbg_hmac_update): Ditto.
(drbg_hmac_generate): Replace drgb_hmac by drbg_hash.
(drbg_hash_df): Ditto.
(drbg_hash_process_addtl): Ditto.
(drbg_hash_hashgen): Ditto.
(drbg_ctr_update): Rework.
(drbg_ctr_generate): Rework.
(drbg_ctr_ops): Init new functions pointers.
(drbg_uninstantiate): Call fini function.
(drbg_instantiate): Call init function.

--
The performance improvements can be categorized as follows:

* Initialize the cipher handle of the backend ciphers once and re-use
  them for subsequent cipher invocations.

* Limit the invocation of setkey to the cases when the key is newly
  created.

* Use the AES CTR mode and rip out the counter maintenance in the DRBG
  code. This allows the use of accelerated CTR AES implementations. To
  use the CTR AES mode, a NULL buffer is created that is used as the
  "plaintext" to the CTR mode, because the DRBG CTR AES operation is the
  result of the encryption of the CTR (i.e. the NULL buffer makes the
  final XOR of the CTR AES mode a noop).

The following timing measurements are made. The measurements do not use a
precise timing operation and should rather serve as a general hint to
the performance improvements.

 On a Broadwell i7 CPU:

 block size        4096     1024     128     32     16
 aes256 old       28MB/s   27MB/s  19MB/s  11MB/s   6MB/s
 aes128 old       29MB/s   32MB/s  23MB/s  15MB/s   9MB/s
 sha256 old       48MB/s   48MB/s  33MB/s  16MB/s   8MB/s
 hmac sha256 old  15MB/s   15MB/s  10MB/s   5MB/s   2MB/s

 aes256 new      180MB/s  169MB/s  93MB/s  37MB/s  20MB/s
 aes128 new      240MB/s  221MB/s 125MB/s  51MB/s  27MB/s
 sha256 new       75MB/s   69MB/s  48MB/s  23MB/s  11MB/s
 hmac sha256 new  37MB/s   34MB/s  21MB/s   8MB/s   4MB/s

Signed-off-by: Stephan Mueller <smueller@chronox.de>
ChangeLog entries above written by -wk

2 years ago | cipher: New function for reading the counter in CTR mode
Stephan Mueller [Thu, 1 Dec 2016 16:11:42 +0000 (17:11 +0100)]
cipher: New function for reading the counter in CTR mode

* cipher/cipher.c (gcry_cipher_getctr): New.
--
The API call allows reading the current counter of the CTR mode. The API
remains internal to libgcrypt and is not exported to external callers.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
ChangeLog entry above added by -wk
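The DRBG performance commit above replaces hand-maintained counter arithmetic with the cipher's own CTR mode fed an all-zero "plaintext", and the commit just above adds a way to read the counter back. The following is an added example, not libgcrypt's random-drbg.c or cipher.c, that shows why the two paths are equivalent: CTR-mode output over zeros is the raw keystream E_K(V+1) || E_K(V+2) || ..., and the handle ends up holding V+n for the DRBG to read. The 16-byte block function is a constructed keyed mixing permutation used as a stand-in, not AES; the key, the starting counter and the handle/accessor names (ctr_handle_t, ctr_get_counter) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLK 16

typedef struct { uint64_t k0, k1; } toy_key_t;

/* Constructed stand-in block function: invertible keyed ARX mixing of two
   64-bit words.  No security claim; it only has to be deterministic so the
   two code paths can be compared.  A real block cipher slots in here. */
static void toy_block_encrypt(const toy_key_t *k, const unsigned char in[BLK],
                              unsigned char out[BLK])
{
  uint64_t a, b;
  memcpy(&a, in, 8);
  memcpy(&b, in + 8, 8);
  a ^= k->k0; b ^= k->k1;
  for (int r = 0; r < 8; r++)
    {
      a += b; b = (b << 13) | (b >> 51); b ^= a;
      a = (a << 32) | (a >> 32);
      a += b; b = (b << 17) | (b >> 47); b ^= a;
      a ^= k->k0 + (uint64_t)r; b ^= k->k1;
    }
  memcpy(out, &a, 8);
  memcpy(out + 8, &b, 8);
}

/* 128-bit big-endian increment, shared by CTR mode and SP 800-90A CTR_DRBG. */
static void ctr_increment_be(unsigned char ctr[BLK])
{
  for (int i = BLK - 1; i >= 0; i--)
    if (++ctr[i] != 0)
      break;
}

/* Minimal CTR-mode handle: the key plus the counter the mode maintains. */
typedef struct { toy_key_t key; unsigned char ctr[BLK]; } ctr_handle_t;

/* CTR mode using the DRBG's ordering per block (V = V+1, then E_K(V)):
   out = in XOR E_K(ctr).  The caller does no counter arithmetic. */
void ctr_encrypt(ctr_handle_t *h, const unsigned char *in, unsigned char *out,
                 size_t nblocks)
{
  unsigned char ks[BLK];
  for (size_t n = 0; n < nblocks; n++)
    {
      ctr_increment_be(h->ctr);
      toy_block_encrypt(&h->key, h->ctr, ks);
      for (int i = 0; i < BLK; i++)
        out[n * BLK + i] = in[n * BLK + i] ^ ks[i];
    }
}

/* gcry_cipher_getctr-style accessor: copy out the handle's current counter
   so the DRBG can store the advanced V in its own state. */
void ctr_get_counter(const ctr_handle_t *h, unsigned char ctr[BLK])
{
  memcpy(ctr, h->ctr, BLK);
}

/* Reference: the generate loop done by hand, as a DRBG without a CTR-mode
   backend must do it (V = V+1; output ||= E_K(V)). */
void drbg_ctr_by_hand(const toy_key_t *k, unsigned char v[BLK],
                      unsigned char *out, size_t nblocks)
{
  for (size_t n = 0; n < nblocks; n++)
    {
      ctr_increment_be(v);
      toy_block_encrypt(k, v, out + n * BLK);
    }
}

/* Same output via CTR mode over a zero "plaintext": XOR with zero is a
   no-op, so the ciphertext is the raw keystream.  The zero buffer is reused
   in chunks, so it need not be as long as the requested output. */
void drbg_ctr_via_mode(ctr_handle_t *h, unsigned char *out, size_t nblocks)
{
  static const unsigned char zero[4 * BLK];     /* the "null buffer" */
  for (size_t done = 0; done < nblocks; )
    {
      size_t chunk = nblocks - done < 4 ? nblocks - done : 4;
      ctr_encrypt(h, zero, out + done * BLK, chunk);
      done += chunk;
    }
}

/* Both paths must agree on the keystream and on the final counter.
   Returns 1 on agreement, 0 otherwise. */
int drbg_ctr_equivalence_check(void)
{
  toy_key_t k = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL }; /* constructed */
  unsigned char v[BLK], out_hand[7 * BLK], out_mode[7 * BLK], ctr_after[BLK];
  ctr_handle_t h;

  memset(v, 0, BLK);                        /* constructed V = ...0xfffd so */
  v[BLK - 2] = 0xff; v[BLK - 1] = 0xfd;     /* the increments carry a byte */
  h.key = k; memcpy(h.ctr, v, BLK);

  drbg_ctr_by_hand(&k, v, out_hand, 7);
  drbg_ctr_via_mode(&h, out_mode, 7);
  ctr_get_counter(&h, ctr_after);

  return memcmp(out_hand, out_mode, sizeof out_hand) == 0
      && memcmp(v, ctr_after, BLK) == 0;    /* both advanced to V+7 */
}
```

The security-relevant point is the counter handoff: once the mode owns the counter, the DRBG must read it back (the getctr call) and store it as its new V, otherwise the next generate request would restart from the old V and reuse keystream.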

2 years ago | doc: Remove comment that is not applicable any more.
Stephan Mueller [Sun, 27 Nov 2016 09:14:21 +0000 (10:14 +0100)]
doc: Remove comment that is not applicable any more.

--
Signed-off-by: Stephan Mueller <smueller@chronox.de>
2 years ago | doc: Update NEWS.
Werner Koch [Wed, 7 Dec 2016 17:55:06 +0000 (18:55 +0100)]
doc: Update NEWS.

--

2 years ago | Document the overflow pools and add a stupid test case.
Werner Koch [Wed, 7 Dec 2016 16:01:19 +0000 (17:01 +0100)]
Document the overflow pools and add a stupid test case.

* tests/t-secmem.c (test_secmem_overflow): New func.
(main): Disable warning and call new function.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | Implement overflow secmem pools for xmalloc style allocators.
Werner Koch [Wed, 7 Dec 2016 15:59:57 +0000 (16:59 +0100)]
Implement overflow secmem pools for xmalloc style allocators.

* src/secmem.c (pooldesc_s): Add fields next, cur_alloced, and
cur_blocks.
(cur_alloced, cur_blocks): Remove vars.
(ptr_into_pool_p): Make it inline.
(stats_update): Add arg pool and update the new pool specific
counters.
(_gcry_secmem_malloc_internal): Add arg xhint and allocate overflow
pools as needed.
(_gcry_secmem_malloc): Pass XHINTS along.
(_gcry_secmem_realloc_internal): Ditto.
(_gcry_secmem_realloc): Ditto.
(_gcry_secmem_free_internal): Take multiple pools in account.  Add
return value to indicate whether the arg was freed.
(_gcry_secmem_free): Add return value to indicate whether the arg was
freed.
(_gcry_private_is_secure): Take multiple pools in account.
(_gcry_secmem_term): Release all pools.
(_gcry_secmem_dump_stats): Print stats for all pools.
* src/stdmem.c (_gcry_private_free): Replace _gcry_private_is_secure
test with a direct call of _gcry_secmem_free to avoid double checking.
--

This patch avoids process termination due to an out-of-secure-memory
condition in the MPI subsystem.  We consider it more important to have
reliable MPI computations than process termination due to the need for
memory which is protected against being swapped out.  Using encrypted
swap is anyway a more reliable protection than those mlock'ed pages.
Note also that mlock'ed pages won't help against hibernation.

GnuPG-bug-id: 2857
Signed-off-by: Werner Koch <wk@gnupg.org>