libgcrypt.git
2 years ago | build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.
Werner Koch [Wed, 13 Jul 2016 17:05:34 +0000 (19:05 +0200)]
build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.

* build-aux/config.guess: Update.
* build-aux/config.sub: Update.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON
Jussi Kivilinna [Thu, 7 Jul 2016 22:22:58 +0000 (01:22 +0300)]
Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON

* cipher/chacha20-armv7-neon.S (UNALIGNED_STMIA8)
(UNALIGNED_LDMIA4): New.
(_gcry_chacha20_armv7_neon_blocks): Use new helper macros instead of
ldm/stm instructions directly.
* cipher/poly1305-armv7-neon.S (UNALIGNED_LDMIA2)
(UNALIGNED_LDMIA4): New.
(_gcry_poly1305_armv7_neon_init_ext, _gcry_poly1305_armv7_neon_blocks)
(_gcry_poly1305_armv7_neon_finish_ext): Use new helper macros instead
of ldm instruction directly.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | bench-slope: add unaligned buffer mode
Jussi Kivilinna [Sun, 3 Jul 2016 15:39:40 +0000 (18:39 +0300)]
bench-slope: add unaligned buffer mode

* tests/bench-slope.c (unaligned_mode): New.
(do_slope_benchmark): Unalign buffer if unaligned mode is enabled.
(print_help, main): Add '--unaligned' parameter.
--

Patch adds --unaligned parameter to allow measurement of unaligned
buffer overhead.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Fix static build
Jussi Kivilinna [Fri, 1 Jul 2016 20:07:07 +0000 (23:07 +0300)]
Fix static build

* tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Disallow encryption/decryption if key is not set
Jussi Kivilinna [Thu, 30 Jun 2016 18:51:50 +0000 (21:51 +0300)]
Disallow encryption/decryption if key is not set

* cipher/cipher.c (cipher_encrypt, cipher_decrypt): If mode is not
NONE, make sure that key is set.
* cipher/cipher-ccm.c (_gcry_cipher_ccm_set_nonce): Do not clear
'marks.key' when resetting state.
--

Reported-by: Andreas Metzler <ametzler@bebt.de>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Avoid unaligned accesses with ARM ldm/stm instructions
Jussi Kivilinna [Thu, 30 Jun 2016 18:34:46 +0000 (21:34 +0300)]
Avoid unaligned accesses with ARM ldm/stm instructions

* cipher/rijndael-arm.S: Remove __ARM_FEATURE_UNALIGNED ifdefs, always
compile with unaligned load/store code paths.
* cipher/sha512-arm.S: Ditto.
--

Reported-by: Michael Plass <mfpnb@plass-family.net>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Fix non-PIC reference in PIC for poly1305/ARMv7-NEON
Jussi Kivilinna [Thu, 30 Jun 2016 18:23:05 +0000 (21:23 +0300)]
Fix non-PIC reference in PIC for poly1305/ARMv7-NEON

* cipher/poly1305-armv7-neon.S (GET_DATA_POINTER): New.
(_gcry_poly1305_armv7_neon_init_ext): Use GET_DATA_POINTER.
--

Reported-by: Michael Plass <mfpnb@plass-family.net>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | Fix wrong CPU feature #ifdef for SHA1/AVX
Jussi Kivilinna [Thu, 30 Jun 2016 18:17:32 +0000 (21:17 +0300)]
Fix wrong CPU feature #ifdef for SHA1/AVX

* cipher/sha1-avx-amd64.S: Check for HAVE_GCC_INLINE_ASM_AVX instead of
HAVE_GCC_INLINE_ASM_AVX2 & HAVE_GCC_INLINE_ASM_BMI2.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago | random: Remove debug message about not supported getrandom syscall.
Werner Koch [Thu, 30 Jun 2016 11:00:50 +0000 (13:00 +0200)]
random: Remove debug message about not supported getrandom syscall.

* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove log_debug
for getrandom error ENOSYS.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.
Werner Koch [Mon, 27 Jun 2016 15:22:18 +0000 (17:22 +0200)]
tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.

* tests/benchmark.c (md_bench): Do not test variable lengths algos
with the gcry_md_hash_buffer.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.
Werner Koch [Mon, 27 Jun 2016 15:11:23 +0000 (17:11 +0200)]
md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.

* cipher/md.c (md_read): Detect missing read function.
(_gcry_md_hash_buffers): Return an error.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | ecc: Fix memory leak.
Werner Koch [Sat, 25 Jun 2016 18:52:47 +0000 (20:52 +0200)]
ecc: Fix memory leak.

* cipher/ecc.c (ecc_check_secret_key): Do not init point if already
set.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | doc: Update yat2m.
Werner Koch [Sat, 25 Jun 2016 14:07:16 +0000 (16:07 +0200)]
doc: Update yat2m.

* doc/yat2m.c: Update from Libgpg-error
--

Taken from Libgpg-error
commit 9b5e3d1608922f4aaf9958e022431849d5a58501

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | tests: Add attributes to helper functions.
Werner Koch [Sat, 25 Jun 2016 14:09:20 +0000 (16:09 +0200)]
tests: Add attributes to helper functions.

* tests/t-common.h (die, fail, info): Add attributes.
* tests/random.c (die, inf): Ditto.
* tests/pubkey.c (die, fail, info): Add attributes.
* tests/fipsdrv.c (die): Add attribute.
(main): Take care of missing --key,--iv,--dt options.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | Improve robustness and help lint.
Werner Koch [Sat, 25 Jun 2016 13:38:06 +0000 (15:38 +0200)]
Improve robustness and help lint.

* cipher/rsa.c (rsa_encrypt): Check for !DATA.
* cipher/md.c (search_oid): Check early for !OID.
(md_copy): Use gpg_err_code_from_syserror.  Replace chains of if(!err)
tests.
* cipher/cipher.c (search_oid): Check early for !OID.
* src/misc.c (do_printhex): Allow for BUFFER==NULL even with LENGTH>0.
* mpi/mpicoder.c (onecompl): Allow for A==NULL to help static
analyzers.
--

The change for md_copy is to help static analyzers which have no idea
that gpg_err_code_from_syserror will never return 0.  A gcc attribute
returns_nonzero would be a nice to have.

Some changes are due to the fact that macros like mpi_is_immutable
gracefully handle a NULL arg but a static analyzer then considers that
the function allows for a NULL arg.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago | cipher: Improve fatal error message for bad use of gcry_md_read.
Werner Koch [Thu, 23 Jun 2016 08:29:08 +0000 (10:29 +0200)]
cipher: Improve fatal error message for bad use of gcry_md_read.

* cipher/md.c (md_read): Use _gcry_fatal_error instead of BUG.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
Niibe Yutaka [Thu, 16 Jun 2016 01:56:28 +0000 (10:56 +0900)]
ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.

* cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
(ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
cofactor as 1, when not specified.

--

GnuPG-bug-id: 2347
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago | Post release updates
Werner Koch [Wed, 15 Jun 2016 07:50:31 +0000 (09:50 +0200)]
Post release updates

--

3 years ago | Release 1.7.1 (tag libgcrypt-1.7.1)
Werner Koch [Wed, 15 Jun 2016 07:34:02 +0000 (09:34 +0200)]
Release 1.7.1

3 years ago | Merge branch 'master' into LIBGCRYPT-1-7-BRANCH
Werner Koch [Wed, 15 Jun 2016 07:24:02 +0000 (09:24 +0200)]
Merge branch 'master' into LIBGCRYPT-1-7-BRANCH

--

3 years ago | doc: Describe envvars.
Werner Koch [Wed, 15 Jun 2016 07:18:31 +0000 (09:18 +0200)]
doc: Describe envvars.

* doc/gcrypt.texi: Add chapter Configuration.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | random: Change names of debug envvars.
Werner Koch [Wed, 15 Jun 2016 07:17:44 +0000 (09:17 +0200)]
random: Change names of debug envvars.

* random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to
GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG.
* random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to
GCRYPT_RNDW32_NOPERF.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | cipher: Assign OIDs to the Serpent cipher.
Werner Koch [Tue, 14 Jun 2016 13:53:10 +0000 (15:53 +0200)]
cipher: Assign OIDs to the Serpent cipher.

* cipher/serpent.c (serpent128_oids, serpent192_oids)
(serpent256_oids): New. Add them to the specs below.
(serpent128_aliases): Add "SERPENT-128".
(serpent256_aliases, serpent192_aliases): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | rsa: Implement blinding also for signing.
Werner Koch [Fri, 3 Jun 2016 13:42:53 +0000 (15:42 +0200)]
rsa: Implement blinding also for signing.

* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
(secret_blinded): new.
(rsa_sign): Use blinding by default.
--

Although blinding of the RSA sign operation has a noticeable speed
loss, we better be on the safe side by using it by default.

Signed-off-by: Werner Koch <wk@gnupg.org>
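
As an added illustration of the blinding this commit enables for signing (example code written for this page, not libgcrypt's rsa.c): a toy RSA signature over 64-bit parameters, computed both directly and through a blinding factor r, showing that ((m * r^e)^d) * r^-1 mod n equals m^d mod n while the private exponentiation itself never operates on m. The key parameters, the fixed blinding value and every function name are constructed assumptions; real code draws a fresh r from the CSPRNG for each operation, checks it is invertible mod n, and uses multi-precision arithmetic. The modular multiply relies on the GCC/Clang unsigned __int128 type.

```c
/* Added example, not libgcrypt code: RSA signing with and without
 * blinding on toy 64-bit parameters.  Uses the GCC/Clang unsigned
 * __int128 type for the modular multiply.  All names are hypothetical. */
#include <stdint.h>

typedef unsigned __int128 u128_ex;

static uint64_t mulmod_ex(uint64_t a, uint64_t b, uint64_t n)
{
    return (uint64_t)(((u128_ex)a * b) % n);
}

uint64_t powmod_ex(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t r = 1;
    base %= n;
    while (exp) {
        if (exp & 1)
            r = mulmod_ex(r, base, n);
        base = mulmod_ex(base, base, n);
        exp >>= 1;
    }
    return r;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists. */
uint64_t invmod_ex(uint64_t a, uint64_t n)
{
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)n, newr = (int64_t)(a % n);
    while (newr) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)n : t);
}

typedef struct { uint64_t n, e, d; } rsa_key_ex;

/* Constructed toy key: p = 104729, q = 1299709, e = 65537.  Far too
 * small for real use; it only keeps the arithmetic within 64 bits. */
rsa_key_ex rsa_toy_key_ex(void)
{
    rsa_key_ex k;
    uint64_t p = 104729, q = 1299709;
    k.n = p * q;
    k.e = 65537;
    k.d = invmod_ex(k.e, (p - 1) * (q - 1));
    return k;
}

/* Plain signature: the private exponent is applied directly to m. */
uint64_t rsa_sign_plain_ex(const rsa_key_ex *k, uint64_t m)
{
    return powmod_ex(m, k->d, k->n);
}

/* Blinded signature: s = ((m * r^e)^d) * r^-1 mod n.  Because
 * (r^e)^d = r mod n, the result equals m^d mod n, but the private
 * exponentiation runs on m * r^e, which changes with every r. */
uint64_t rsa_sign_blinded_ex(const rsa_key_ex *k, uint64_t m, uint64_t r)
{
    uint64_t r_e   = powmod_ex(r, k->e, k->n);    /* r^e mod n */
    uint64_t m_b   = mulmod_ex(m, r_e, k->n);     /* blinded input */
    uint64_t s_b   = powmod_ex(m_b, k->d, k->n);  /* blinded signature */
    uint64_t r_inv = invmod_ex(r, k->n);          /* unblinding factor */
    return mulmod_ex(s_b, r_inv, k->n);
}
```

The speed loss the commit mentions is visible in the structure: the blinded path costs one public-exponent exponentiation, one modular inverse and two multiplications on top of the private exponentiation.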
3 years ago | random: Remove debug output for getrandom(2) output.
Werner Koch [Fri, 3 Jun 2016 13:15:36 +0000 (15:15 +0200)]
random: Remove debug output for getrandom(2) output.

* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
output.
--

Fixes-commit: ee5a32226a7ca4ab067864e06623fc11a1768900
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | Fix gcc portability on Solaris 9 SPARC boxes.
Werner Koch [Mon, 7 Sep 2015 13:38:04 +0000 (15:38 +0200)]
Fix gcc portability on Solaris 9 SPARC boxes.

* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
--

This patch has been in use by pkgsrc for
  SunOS mentok 5.9 Generic_117171-02 sun4u sparc SUNW,Sun-Fire-V240
since 2004.

GnuPG-bug-id: 1703
Signed-off-by: Werner Koch <wk@gnupg.org>
[cherry-pick of commit d281624]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago | Check for compiler SSE4.1 support in PCLMUL CRC code.
Jérémie Courrèges-Anglas [Mon, 9 May 2016 02:04:59 +0000 (04:04 +0200)]
Check for compiler SSE4.1 support in PCLMUL CRC code.

* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
  compiler supports PCLMUL *and* SSE4.1
* cipher/crc.c: Ditto
* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.
--
Fixes build with the native gcc on OpenBSD/amd64, which supports PCLMUL
but not SSE4.1.

Signed-off-by: Jérémie Courrèges-Anglas <jca@wxcvbn.org>
3 years ago | ecc: Fix ecc_verify for cofactor support.
NIIBE Yutaka [Fri, 6 May 2016 04:21:17 +0000 (13:21 +0900)]
ecc: Fix ecc_verify for cofactor support.

* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

--

Thanks to onitake.
GnuPG-bug-id: 2347
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago | random: Try to use getrandom() instead of /dev/urandom (Linux only).
Werner Koch [Tue, 26 Apr 2016 13:46:30 +0000 (15:46 +0200)]
random: Try to use getrandom() instead of /dev/urandom (Linux only).

* configure.ac: Check for syscall.
* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
(_gcry_rndlinux_gather_random): Use getrandom if available.

Signed-off-by: Werner Koch <wk@gnupg.org>
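
The getrandom(2) path with the /dev/urandom fallback, as an added example that is not taken from random/rndlinux.c: it issues the raw syscall (glibc had no wrapper when this commit was written), retries on EINTR, falls back to the device on ENOSYS (a kernel older than 3.17, or a seccomp filter that denies the call), and reads the device in a loop because read() may return fewer bytes than requested. fill_random_ex is a hypothetical name.

```c
/* Added example, not libgcrypt code: gather bytes from the kernel
 * CSPRNG via the getrandom syscall, falling back to /dev/urandom.
 * fill_random_ex is a hypothetical name. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
long syscall(long number, ...);   /* prototype in case no feature macro exposed it */
#endif

/* Returns 0 when buf holds nbytes of random data, -1 otherwise.  On
 * failure the caller must not use the buffer: a partial fill is an error. */
int fill_random_ex(uint8_t *buf, size_t nbytes)
{
    size_t got = 0;
#if defined(__linux__) && defined(SYS_getrandom)
    while (got < nbytes) {
        long n = syscall(SYS_getrandom, buf + got, nbytes - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;         /* interrupted by a signal: retry */
            if (errno == ENOSYS)
                break;            /* old kernel or seccomp: use the device */
            return -1;
        }
        got += (size_t)n;        /* short returns are possible above 256 bytes */
    }
    if (got == nbytes)
        return 0;
#endif
    {
        int flags = O_RDONLY;
#ifdef O_CLOEXEC
        flags |= O_CLOEXEC;      /* do not leak the descriptor across exec */
#endif
        int fd = open("/dev/urandom", flags);
        if (fd < 0)
            return -1;
        while (got < nbytes) {
            ssize_t n = read(fd, buf + got, nbytes - got);
            if (n < 0 && errno == EINTR)
                continue;
            if (n <= 0) {        /* error or EOF: never hand back a partial buffer */
                close(fd);
                return -1;
            }
            got += (size_t)n;
        }
        close(fd);
    }
    return 0;
}
```

The ENOSYS branch is the one the later "Remove debug message about not supported getrandom syscall" commit touches: it is an expected condition on older kernels, not a fault worth logging on every gather.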
3 years ago | Register DCO for Jérémie Courrèges-Anglas
Jussi Kivilinna [Sat, 28 May 2016 09:59:54 +0000 (12:59 +0300)]
Register DCO for Jérémie Courrèges-Anglas

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago | asm fix for older gcc versions.
Werner Koch [Tue, 19 Apr 2016 18:05:07 +0000 (20:05 +0200)]
asm fix for older gcc versions.

* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
asm statements.
--

gcc 4.2 is not able to grok a third colon without clobber
expressions.  Reported for FreeBSD 9.

GnuPG-bug-id: 2326
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | Post release updates.
Werner Koch [Fri, 15 Apr 2016 14:06:04 +0000 (16:06 +0200)]
Post release updates.

--

3 years ago | Release 1.7.0 (tag libgcrypt-1.7.0)
Werner Koch [Fri, 15 Apr 2016 13:48:24 +0000 (15:48 +0200)]
Release 1.7.0

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | tests: Add test vectors for 256 GiB test of SHA3-256.
Werner Koch [Thu, 14 Apr 2016 14:32:04 +0000 (16:32 +0200)]
tests: Add test vectors for 256 GiB test of SHA3-256.

* tests/hashtest.c: Add new test vectors.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | src: Improve S-expression parsing.
Justus Winter [Thu, 14 Apr 2016 11:53:55 +0000 (13:53 +0200)]
src: Improve S-expression parsing.

* src/sexp.c (do_vsexp_sscan): Return an error if a closing
parenthesis is encountered with no matching opening parenthesis.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years ago | cipher: Add constant for 8 bit CFB mode.
Werner Koch [Thu, 14 Apr 2016 12:39:31 +0000 (14:39 +0200)]
cipher: Add constant for 8 bit CFB mode.

* src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
* tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.
--

Note that there is no implementation for the 8 bit CFB mode yet.  We
will add that as a bug fix after the release of 1.7.0.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | tests: Add a new test for S-expressions.
Werner Koch [Thu, 14 Apr 2016 11:26:55 +0000 (13:26 +0200)]
tests: Add a new test for S-expressions.

* tests/t-sexp.c (compare_to_canon): New.
(back_and_forth_one): Add another test.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | ecc: Fix corner cases for X25519.
NIIBE Yutaka [Wed, 13 Apr 2016 01:10:53 +0000 (10:10 +0900)]
ecc: Fix corner cases for X25519.

* cipher/ecc.c (ecc_encrypt_raw): For invalid input, return
GPG_ERR_INV_DATA instead of aborting with log_fatal.  For X25519,
it's not an error, thus, let it return 0.
(ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish
X25519, not by the name of the curve.
(ecc_decrypt_raw): For invalid input, return GPG_ERR_INV_DATA instead
of aborting with log_fatal.  For X25519, it's not an error by its
definition, but we deliberately let it return the error to detect
looks-like-encrypted-message.
* tests/t-cv25519.c: Add points to record the issue.

--

For X25519 ECDH, this change introduces incompatibility to
crypto_scalarmult with the input which makes shared secret to be 0.
For crypto_scalarmult, the result is 0.  In libgcrypt, it's an error
of GPG_ERR_INV_DATA (we consider the input is invalid).

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago | cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
Werner Koch [Tue, 12 Apr 2016 09:11:35 +0000 (11:11 +0200)]
cipher: Buffer data from gcry_cipher_authenticate in OCB mode.

* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
aad_leftover and aad_nleftover to u_mode.ocb.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
aad_nleftover.
(_gcry_cipher_ocb_authenticate): Add buffering and factor some code out
to ...
(ocb_aad_finalize): new.
(compute_tag_if_needed): Call new function.
* tests/basic.c (check_ocb_cipher_splitaad): New.
(check_ocb_cipher): Call new function.
(main): Also call check_cipher_modes with --cipher-modes.
--

It is more convenient to not require full blocks for
gcry_cipher_authenticate.  Other modes than OCB do this as well.

Note that the size of the context structure is not increased because
other modes require more context data.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | ecc: Fix X25519 computation on Curve25519.
NIIBE Yutaka [Tue, 12 Apr 2016 00:58:12 +0000 (09:58 +0900)]
ecc: Fix X25519 computation on Curve25519.

* cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
PUBKEY_FLAG_DJB_TWEAK is enabled.
(ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
* tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.

--

X25519 function is not a plain scalar multiplication, but does
two things; the scalar bits are tweaked before applying scalar
multiplication and X0 function is applied to the result of
scalar multiplication.

In libgcrypt, _gcry_mpi_ec_mul_point is a plain scalar multiplication
and those two things are done in functions for ECDH with X25519.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
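
An added example, not libgcrypt code, of the two pieces this commit message separates from the plain scalar multiplication: the scalar tweak (RFC 7748 calls it clamping) applied to a 32-byte little-endian scalar before the ladder runs, and the all-zero output check that the "Fix corner cases for X25519" commit further up turns into GPG_ERR_INV_DATA. The function names are hypothetical and the Montgomery ladder itself is not shown.

```c
/* Added example, not libgcrypt code: the scalar tweak applied before the
 * Montgomery ladder and the all-zero output check.  Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>

/* Tweak a 32-byte little-endian scalar as X25519 requires (RFC 7748
 * decodeScalar25519): clear the three low bits so the scalar is a
 * multiple of the cofactor 8, clear bit 255, and set bit 254 so every
 * scalar has the same bit length (a constant-time ladder then always
 * runs the same number of steps). */
void x25519_clamp_ex(uint8_t k[32])
{
    k[0]  &= 248;
    k[31] &= 127;
    k[31] |= 64;
}

/* Check the u-coordinate returned by the ladder.  An all-zero result
 * means the peer's point had small order (or the input was otherwise
 * unusable); report it instead of handing out a zero shared secret.
 * The scan does not exit early.  Returns 0 if usable, -1 if zero. */
int x25519_check_output_ex(const uint8_t u[32])
{
    uint8_t acc = 0;
    size_t i;
    for (i = 0; i < 32; i++)
        acc |= u[i];
    return acc ? 0 : -1;
}
```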
3 years ago | ecc: Fix initialization of EC context.
NIIBE Yutaka [Tue, 12 Apr 2016 00:19:32 +0000 (09:19 +0900)]
ecc: Fix initialization of EC context.

* cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
(ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialize
by _gcry_mpi_ec_p_internal_new should carry FLAGS.

--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago | Silence warning about missing HMAC-SHA3 selftests.
Werner Koch [Thu, 7 Apr 2016 07:21:44 +0000 (09:21 +0200)]
Silence warning about missing HMAC-SHA3 selftests.

--

We do not have a reliable source for test vectors.

3 years ago | Allow building with configure option --enable-hmac-binary-check.
Werner Koch [Wed, 6 Apr 2016 18:16:19 +0000 (20:16 +0200)]
Allow building with configure option --enable-hmac-binary-check.

* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
* src/hmac256.c (main): Add option --stdkey
--

Note that when using that configure option "make check" won't work in
one go.  Instead use

  make
  cd src/.libs
  ../hmac256  --stdkey '' libgcrypt.so.20 >.libgcrypt.so.20.hmac
  cd ../..
  make check

Reported-by: Burt Silverman
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | ecc: Positive values in computation.
NIIBE Yutaka [Wed, 6 Apr 2016 09:05:38 +0000 (18:05 +0900)]
ecc: Positive values in computation.

* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
coefficients A and B are positive.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
"P - T" instead of "-T", so that the result will be positive.
(_gcry_ecc_eddsa_verify): Likewise.
* cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve
instead of _gcry_ecc_update_curve_param.
* mpi/ec.c (ec_subm): Make sure the result will be positive.
(dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use
mpi_sub instead of mpi_neg.
(add_points_edwards): Simply use ec_addm.
* tests/t-mpi-point.c (test_curve): Define curves with positive
coefficients.

--

We keep the coefficients of domain_parms in ecc-curves.c, so that
keygrip computations won't change.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago | mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
Werner Koch [Fri, 1 Apr 2016 11:42:01 +0000 (13:42 +0200)]
mpi: Explicitly limit the allowed input length for gcry_mpi_scan.

* mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
(mpi_fromstr): Check against this limit.
(_gcry_mpi_scan): Ditto.
* tests/mpitests.c (test_maxsize): New.
(main): Call that test.
--

A too large buffer length may lead to an unsigned integer overflow on
systems where size_t > unsigned int (ie. 64 bit systems).  The
computation of the required number of nlimbs may also be affected by
this.  However this is not a real world case because any processing
which has allocated such a long buffer from an external source would
be prone to other DoS attacks: The required buffer length to exhibit
this overflow is at least 2^32 - 8 bytes.

Signed-off-by: Werner Koch <wk@gnupg.org>
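
As an added example (not libgcrypt's mpicoder.c) of the overflow class this commit guards against: a length taken from an external buffer is narrowed to unsigned int on its way to a bit count, and a buffer large enough to wrap that value would make an allocation sized from it far smaller than the data later copied in. The checked variant rejects the length before any arithmetic. The cap MAX_EXTERN_SCAN_BYTES_EX, the limb width and the function names are constructed assumptions, not libgcrypt's values.

```c
/* Added example, not libgcrypt code: bounding an externally supplied
 * buffer length before deriving bit and limb counts from it.  The cap
 * and the limb width are constructed assumptions. */
#include <stddef.h>
#include <stdint.h>

#define LIMB_BYTES_EX            sizeof(uintptr_t)              /* one machine word */
#define MAX_EXTERN_SCAN_BYTES_EX ((size_t)16 * 1024 * 1024)     /* hypothetical cap */

/* Unchecked variant: the size_t length is narrowed to unsigned int on
 * the way to a bit count.  On a 64-bit host a length of 2^32 bytes
 * becomes 0 bits, so an allocation sized from this value would be far
 * smaller than the data later copied into it. */
unsigned int nbits_unchecked_ex(size_t nbytes)
{
    unsigned int nbits = (unsigned int)nbytes * 8;   /* narrowing, then wrap */
    return nbits;
}

/* Checked variant: refuse anything above the cap up front, then do the
 * limb arithmetic in size_t.  Returns 0 on success, -1 if the input is
 * too large; *nlimbs is written only on success. */
int nlimbs_checked_ex(size_t nbytes, size_t *nlimbs)
{
    if (nbytes > MAX_EXTERN_SCAN_BYTES_EX)
        return -1;
    *nlimbs = (nbytes + LIMB_BYTES_EX - 1) / LIMB_BYTES_EX;
    return 0;
}
```

The cap is the real fix: once the length is bounded to something an application could plausibly hand over, the narrowing can no longer wrap, and the cost is one comparison at the API boundary.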
3 years ago | cipher: Remove specialized rmd160 functions.
Werner Koch [Thu, 31 Mar 2016 18:16:10 +0000 (20:16 +0200)]
cipher: Remove specialized rmd160 functions.

* cipher/rmd160.c: Replace rmd.h by hash-common.h.
(RMD160_CONTEXT): Move from rmd.h to here.
(_gcry_rmd160_init): Remove.
(_gcry_rmd160_mixblock): Remove.
(_gcry_rmd160_hash_buffer): Use rmd160_init directly.
* cipher/md.c: Remove rmd.h which was not actually used.
* cipher/rmd.h: Remove.
* cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h.
* configure.ac (USE_RMD160): Allow to build without RMD160.
--

Those functions are not anymore required because random-csprng.c now
uses SHA-1.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
Werner Koch [Thu, 31 Mar 2016 17:33:43 +0000 (19:33 +0200)]
random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.

* cipher/sha1.c (_gcry_sha1_mixblock_init): New.
(_gcry_sha1_mixblock): New.
* random/random-csprng.c: Include sha1.h instead of rmd.h.
(mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | cipher: Move sha1 context definition to a separate file.
Werner Koch [Thu, 31 Mar 2016 17:16:15 +0000 (19:16 +0200)]
cipher: Move sha1 context definition to a separate file.

* cipher/sha1.c: Replace hash-common.h by sha1.h.
(SHA1_CONTEXT): Move to ...
* cipher/sha1.h: new.  Always include all flags.
* cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | tests: Fix buffer overflow in bench-slope.
Werner Koch [Tue, 29 Mar 2016 10:06:25 +0000 (12:06 +0200)]
tests: Fix buffer overflow in bench-slope.

* tests/bench-slope.c (bench_print_result_std): Remove wrong use of
strncat.
--

Reported-by: Andreas Metzler <ametzler@bebt.de>
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | doc: Update for gcry_cipher_gettag and gcry_cipher_checktag.
Werner Koch [Tue, 29 Mar 2016 09:31:55 +0000 (11:31 +0200)]
doc: Update for gcry_cipher_gettag and gcry_cipher_checktag.

--

Also re-indent one label.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | cipher: GCM: check that length of supplied tag is one of valid lengths
Jussi Kivilinna [Sun, 27 Mar 2016 08:17:39 +0000 (11:17 +0300)]
cipher: GCM: check that length of supplied tag is one of valid lengths

* cipher/cipher-gcm.c (is_tag_length_valid): New.
(_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
* tests/basic.c (_check_gcm_cipher): Add test-vectors with different
valid tag lengths and negative test vectors with invalid lengths.
--

NIST SP 800-38D allows following tag lengths:
 128, 120, 112, 104, 96, 64 and 32 bits.

[v2: allow larger buffer when outputting tag. 128-bit tag is written
     to target buffer in this case]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago | cipher: Fix memleaks in (self)tests.
Peter Wu [Wed, 23 Mar 2016 17:21:53 +0000 (18:21 +0100)]
cipher: Fix memleaks in (self)tests.

* cipher/dsa.c: Release memory for MPI and sexp structures.
* cipher/ecc.c: Release memory for sexp structure.
* tests/keygen.c: Likewise.
--

These leaks broke the mpitests, basic and keygen tests when running
under AddressSanitizer.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Minor formatting changes by -wk.

3 years ago | Mark constant MPIs as non-leaked
Peter Wu [Thu, 24 Mar 2016 10:06:23 +0000 (11:06 +0100)]
Mark constant MPIs as non-leaked

* mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.
--

Requires libgpg-error 1.22 (unreleased) for the macros, but since it is
a minor debugging aid, do not bump the minimum required version.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
3 years ago | Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
Werner Koch [Wed, 23 Mar 2016 14:24:40 +0000 (15:24 +0100)]
Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.

* src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
* cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.

* tests/basic.c (_check_gcm_cipher): Check that new feature.
(_check_poly1305_cipher): Ditto.
(check_ccm_cipher): Ditto.
(do_check_ocb_cipher): Ditto.
(check_ctr_cipher): Add negative test for new feature.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | cipher: Avoid NULL-segv in GCM mode if a key has not been set.
Werner Koch [Wed, 23 Mar 2016 13:13:18 +0000 (14:13 +0100)]
cipher: Avoid NULL-segv in GCM mode if a key has not been set.

* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
has been initialized.
(_gcry_cipher_gcm_decrypt): Ditto.
(_gcry_cipher_gcm_authenticate): Ditto.
(_gcry_cipher_gcm_initiv): Ditto.
(_gcry_cipher_gcm_tag): Ditto.
--

Avoid a crash if certain functions are used before setkey.

Reported-by: Peter Wu <peter@lekensteyn.nl>
  One crash is not fixed, that is the crash when setkey is not invoked
  before using the GCM ciphers (introduced in the 1.7.0 cycle). Either
  these functions should check that the key is present, or they should
  initialize the ghash table earlier. Affected functions:

    _gcry_cipher_gcm_encrypt
    _gcry_cipher_gcm_decrypt
    _gcry_cipher_gcm_authenticate
    _gcry_cipher_gcm_initiv
    (via _gcry_cipher_gcm_setiv)
    _gcry_cipher_gcm_tag
    (via _gcry_cipher_gcm_get_tag, _gcry_cipher_gcm_check_tag)

Regression-due-to: 4a0795af021305f9240f23626a3796157db46bd7
Signed-off-by: Werner Koch <wk@gnupg.org>
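
An added example (not cipher.c, cipher-gcm.c or cipher-ccm.c) that models the two kinds of state check described in this commit and in the "Disallow encryption/decryption if key is not set" commit near the top of the page: the handle records whether a key has been set, the mode-generic entry point refuses to run without one, the GCM-specific path refuses to call through a table pointer that is only initialised at setkey time, and re-setting the nonce resets per-message state without clearing the key mark (the CCM point from that commit). All types and names are hypothetical, and the transform is a placeholder rather than a cipher.

```c
/* Added example, not libgcrypt code: a minimal cipher-handle state
 * machine.  Types, names and the transform are placeholders. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { MODE_NONE_EX, MODE_CCM_EX, MODE_GCM_EX } cipher_mode_ex;
typedef enum { ERR_OK_EX = 0, ERR_INV_STATE_EX, ERR_INV_LEN_EX } err_ex;

typedef struct {
    cipher_mode_ex mode;
    struct { unsigned key:1, iv:1, tag:1; } marks;  /* what has been set so far */
    uint8_t key[16];
    uint8_t nonce[12];
    uint64_t processed;        /* per-message byte counter */
    void (*ghash_fn)(void);    /* stands in for the GHASH table set up at setkey */
} cipher_handle_ex;

static void ghash_stub_ex(void) { }

err_ex cipher_setkey_ex(cipher_handle_ex *h, const uint8_t *key, size_t keylen)
{
    if (keylen != sizeof h->key)
        return ERR_INV_LEN_EX;
    memcpy(h->key, key, keylen);
    h->marks.key = 1;
    if (h->mode == MODE_GCM_EX)
        h->ghash_fn = ghash_stub_ex;   /* initialised here and nowhere else */
    return ERR_OK_EX;
}

/* Starts a new message: resets per-message state but leaves marks.key
 * alone, so the handle stays usable after a nonce change. */
err_ex cipher_setnonce_ex(cipher_handle_ex *h, const uint8_t *nonce, size_t len)
{
    if (len != sizeof h->nonce)
        return ERR_INV_LEN_EX;
    memcpy(h->nonce, nonce, len);
    h->processed = 0;
    h->marks.iv = 1;
    h->marks.tag = 0;
    return ERR_OK_EX;
}

err_ex cipher_encrypt_ex(cipher_handle_ex *h, uint8_t *buf, size_t len)
{
    size_t i;
    /* Generic check (the cipher.c change): every mode except NONE needs a key. */
    if (h->mode != MODE_NONE_EX && !h->marks.key)
        return ERR_INV_STATE_EX;
    /* Mode-specific guard (the cipher-gcm.c change): never call through
     * a function pointer that setkey has not filled in. */
    if (h->mode == MODE_GCM_EX && !h->ghash_fn)
        return ERR_INV_STATE_EX;
    for (i = 0; i < len; i++)          /* placeholder transform, not a cipher */
        buf[i] ^= h->key[i % sizeof h->key];
    h->processed += len;
    return ERR_OK_EX;
}
```

Returning an error code from the entry point is what turns the crash described above into a reportable condition; the GCM guard on the pointer is defence in depth for the case where a mark is set but the mode-specific setup has not run.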
3 years ago | cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
Werner Koch [Wed, 23 Mar 2016 11:47:30 +0000 (12:47 +0100)]
cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.

* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
provided tag length matches the actual tag length.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | Fix buffer overrun in gettag for Poly1305
Peter Wu [Wed, 23 Mar 2016 02:45:21 +0000 (03:45 +0100)]
Fix buffer overrun in gettag for Poly1305

* cipher/cipher-poly1305.c: copy a fixed length instead of the
  user-supplied number.
--

The outbuflen is used to check the minimum size, the real tag is always
of fixed length.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
3 years ago | cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
Werner Koch [Wed, 23 Mar 2016 10:07:52 +0000 (11:07 +0100)]
cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.

* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
tag length matches the actual tag length.  Avoid gratuitous return
statements.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | Fix buffer overrun in gettag for GCM
Peter Wu [Wed, 23 Mar 2016 02:45:20 +0000 (03:45 +0100)]
Fix buffer overrun in gettag for GCM

* cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
  number.
--

The outbuflen is used to check the minimum size, the real tag is always
of fixed length.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Actually this is not a buffer overrun because we copy not more than
has been allocated for OUTBUF.  However a too long OUTBUFLEN accesses
data outside of the source buffer.  -wk
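
An added example (not libgcrypt's cipher-gcm.c or cipher-poly1305.c) combining the checks from this commit, the Poly1305 gettag fix above, the two check_tag commits and the "GCM: check that length of supplied tag is one of valid lengths" commit: gettag takes its copy length from the fixed-size stored tag rather than from the caller's number, accepts only the tag lengths NIST SP 800-38D permits (or a larger buffer, which receives the full tag as the v2 note in that commit says), and checktag requires a permitted length and compares without terminating early. All names are hypothetical and the tag bytes are constructed.

```c
/* Added example, not libgcrypt code: tag output and verification for an
 * AEAD mode with a fixed 128-bit tag.  All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_BYTES_EX 16   /* the stored tag is always the full 128 bits */

/* Tag lengths permitted by NIST SP 800-38D: 128, 120, 112, 104, 96, 64
 * and 32 bits, expressed here in bytes. */
int is_tag_length_valid_ex(size_t taglen)
{
    switch (taglen) {
    case 16: case 15: case 14: case 13: case 12:
    case 8:  case 4:
        return 1;
    default:
        return 0;
    }
}

typedef struct {
    uint8_t tag[TAG_BYTES_EX];   /* tag computed at finalisation */
    int tag_ready;               /* 0 until the tag has been computed */
} aead_ctx_ex;

/* Fill a context with a constructed tag (bytes 0..15) for demonstration. */
void make_demo_ctx_ex(aead_ctx_ex *ctx)
{
    size_t i;
    for (i = 0; i < TAG_BYTES_EX; i++)
        ctx->tag[i] = (uint8_t)i;
    ctx->tag_ready = 1;
}

/* gettag: the copy length is bounded by the stored tag, never by a
 * caller value larger than it, so outlen cannot read past ctx->tag.
 * A buffer larger than the tag receives the full tag; a shorter one must
 * be a permitted truncated length.  Returns 0 on success, -1 for an
 * invalid length, -2 if no tag has been computed yet. */
int gettag_ex(const aead_ctx_ex *ctx, uint8_t *out, size_t outlen)
{
    if (!ctx->tag_ready)
        return -2;
    if (outlen > TAG_BYTES_EX)
        outlen = TAG_BYTES_EX;
    else if (!is_tag_length_valid_ex(outlen))
        return -1;
    memcpy(out, ctx->tag, outlen);
    return 0;
}

/* checktag: the supplied length must be a permitted tag length (the
 * commits above reject arbitrary lengths rather than treating any
 * prefix as a tag), and the comparison visits every byte before it
 * decides.  Returns 0 on match, -1 otherwise. */
int checktag_ex(const aead_ctx_ex *ctx, const uint8_t *tag, size_t taglen)
{
    uint8_t diff = 0;
    size_t i;
    if (!ctx->tag_ready || !is_tag_length_valid_ex(taglen))
        return -1;
    for (i = 0; i < taglen; i++)
        diff |= (uint8_t)(ctx->tag[i] ^ tag[i]);
    return diff ? -1 : 0;
}
```

The -wk note above draws the distinction this code keeps: the destination is never overrun because the caller owns outlen, but an unbounded copy length would read beyond the 16-byte source, which is why the stored tag size is the bound.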

3 years ago | tests: Add options --fips to keygen for manual tests.
Werner Koch [Tue, 22 Mar 2016 16:49:50 +0000 (17:49 +0100)]
tests: Add options --fips to keygen for manual tests.

(main): Add option --fips.
* tests/keygen.c (check_rsa_keys): Create a 2048 bit key with e=65539
because that is valid in FIPS mode.  Check that key generation fails
for too short keys in FIPS mode.
(check_ecc_keys): Check that key generation fails for Ed25519 keys in
FIPS mode.
--

This option allows testing the FIPS mode manually for key generation.
We should eventually expand all tests to allow testing in FIPS mode in
non FIPS enabled boxes.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | rsa: Add FIPS 186-4 compliant RSA probable prime key generator.
Tomáš Mráz [Tue, 22 Mar 2016 16:12:55 +0000 (17:12 +0100)]
rsa: Add FIPS 186-4 compliant RSA probable prime key generator.

* cipher/primegen.c (_gcry_fips186_4_prime_check): New.
* cipher/rsa.c (generate_fips): New.
(rsa_generate): Use new function in fips mode or with test-parms.

* tests/keygen.c (check_rsa_keys): Add test using e=65539.

--
Signed-off-by: Tomáš Mráz <tmraz@redhat.com>
Tomáš's patch was originally for libgcrypt 1.6.3 and has been ported
to master (1.7) by wk.  Further changes:

  - ChangeLog entries.
  - Some re-indentation
  - Use an extra test case instead of changing an existing one.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | Fix ARM NEON support detection on ARMv6 target
Jussi Kivilinna [Sun, 20 Mar 2016 13:21:40 +0000 (15:21 +0200)]
Fix ARM NEON support detection on ARMv6 target

* configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
instead of '.thumb'.
--

Fix allows building ARM NEON assembly implementations when compiler
target is ARMv6. This enables NEON implementations on ARMv7+NEON CPUs
running on ARMv6 OS (for example, Raspbian on Raspberry Pi 2/3).

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago | Always require a 64 bit integer type
Werner Koch [Fri, 18 Mar 2016 17:57:19 +0000 (18:57 +0100)]
Always require a 64 bit integer type

* configure.ac (available_digests_64): Merge with available_digests.
(available_kdfs_64): Merge with available_kdfs.
<64 bit datatype test>: Bail out if no such type is available.
* src/types.h: Emit #error if no u64 can be defined.
(PROPERLY_ALIGNED_TYPE): Always add u64 type.
* cipher/bithelp.h: Remove all code paths which handle the
case of !HAVE_U64_TYPEDEF.
* cipher/bufhelp.h: Ditto.
* cipher/cipher-ccm.c: Ditto.
* cipher/cipher-gcm.c: Ditto.
* cipher/cipher-internal.h: Ditto.
* cipher/cipher.c: Ditto.
* cipher/hash-common.h: Ditto.
* cipher/md.c: Ditto.
* cipher/poly1305.c: Ditto.
* cipher/scrypt.c: Ditto.
* cipher/tiger.c: Ditto.
* src/g10lib.h: Ditto.
* tests/basic.c: Ditto.
* tests/bench-slope.c: Ditto.
* tests/benchmark.c: Ditto.
--

Given that SHA-2 and some other algorithms require a 64 bit type it
does not make anymore sense to conditionally compile some part when
the platform does not provide such a type.

GnuPG-bug-id: 1815.
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | tests: Fix testsuite after the FIPS adjustments.
Vitezslav Cizek [Fri, 18 Mar 2016 16:54:36 +0000 (17:54 +0100)]
tests: Fix testsuite after the FIPS adjustments.

* tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
* tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
* tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
(check_ecc_keys): Skip Ed25519 in FIPS mode.
* tests/random.c (main): Don't switch DRBG in FIPS mode.
* tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode.
* tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS.
* tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS.
(main): Skip math tests that use P-192 and Ed25519 in FIPS.
--

Fix the testsuite to make it pass after the FIPS adjustments.
This consists mostly of disabling the tests that use non-approved
curves and algorithms as well as increasing the keysizes.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Removed changes already done with commit e40939b.  The original
    patch had these changes:
      * tests/fips186-dsa.c (main): Merely suggest a future improvement.
      * tests/pubkey.c (get_dsa_key_*new): Increase keysizes.
      (check_run): Skip tests with small domain in FIPS.
      (main): Skip Ed25519 sample key test in FIPS.
    Note that get_dsa_key_fips186_with_seed_new was not changed from
    1024 to 3072 but to 2048 bit.
  - Return with 77 (skip) from t-ed25519.c in FIPS mode.
  - Some code style changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | tests: Add new --pss option to fipsdrv
Vitezslav Cizek [Fri, 30 Oct 2015 16:36:03 +0000 (17:36 +0100)]
tests: Add new --pss option to fipsdrv

* tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length
to 0 for PSS.
--

Add new --pss option to fipsdrv to specify RSA-PSS signature encoding.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Added by wk:
  - Help string for --pss
  - Check that only --pss or --pkcs1 is given.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | cipher: Add option to specify salt length for PSS verification.
Vitezslav Cizek [Fri, 30 Oct 2015 16:34:04 +0000 (17:34 +0100)]
cipher: Add option to specify salt length for PSS verification.

* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for
salt-length token.
--

Add possibility to use a different salt length for RSASSA-PSS
verification instead of the default 20.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Detect overlong salt-length
  - Release LIST on error.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | tests: Add support for RSA keygen tests to fipsdrv.
Vitezslav Cizek [Fri, 30 Oct 2015 14:41:09 +0000 (15:41 +0100)]
tests: Add support for RSA keygen tests to fipsdrv.

* tests/fipsdrv.c (run_rsa_keygen): New.
(main): Support RSA keygen and RSA keygen KAT tests.
--

In fipsdrv implement support for KeyGen_RandomProbablyPrime
and Known Answer Test for probable primes RSA2VS tests.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
3 years ago | tests: Fixes for RSA testsuite in FIPS mode
Vitezslav Cizek [Fri, 30 Oct 2015 14:38:13 +0000 (15:38 +0100)]
tests: Fixes for RSA testsuite in FIPS mode

* tests/basic.c (get_keys_new): Generate 2048 bit key.
* tests/benchmark.c (rsa_bench): Skip keys of lengths different
than 2048 and 3072 in FIPS mode.
* tests/keygen.c (check_rsa_keys): Failure if short keys can be
generated in FIPS mode.
(check_dsa_keys): Ditto for DSA keys.
* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.
--

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Remove printing of "FAIL" in fail() because this is reserved for
    use by the test driver of the Makefile.
  - Move setting of IN_FIPS_MODE after gcry_check_version in keygen.c

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | rsa: Use 2048 bit RSA keys for selftest.
Vitezslav Cizek [Fri, 30 Oct 2015 12:41:41 +0000 (13:41 +0100)]
rsa: Use 2048 bit RSA keys for selftest.

* cipher/rsa.c (selftests_rsa): Use 2048 bit keys.
(selftest_encr_1024): Replaced by selftest_encr_2048.
(selftest_sign_1024): Replaced by selftest_sign_2048.
(selftest_encr_2048): Add check against known ciphertext.
(selftest_sign_2048): Add check against known signature.
(selftest_sign_2048): Free SIG_MPI.
* tests/pubkey.c (get_keys_new): Generate 2048 bit keys.
--

Use 2048 bit keys for the RSA selftest.
Check against the known signature/ciphertext after signing/encryption
in the selftests.
Also generate 2k keys in tests/pubkey.

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Reformat some strings and comments.
  - Replace a free by xfree.
  - Free SIG_MPI.
  - Make two strings static.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | Disable non-allowed algorithms in FIPS mode
Vitezslav Cizek [Thu, 29 Oct 2015 16:13:16 +0000 (17:13 +0100)]
Disable non-allowed algorithms in FIPS mode

* cipher/cipher.c (_gcry_cipher_init),
* cipher/mac.c (_gcry_mac_init),
* cipher/md.c (_gcry_md_init),
* cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the
non-allowed ciphers.
* cipher/md5.c: Mark MD5 as not allowed in FIPS.
* src/g10lib.h (_gcry_mac_init): New.
* src/global.c (global_init): Call the new _gcry_mac_init.
* tests/basic.c (check_ciphers): Fix a typo.
--

When running in the FIPS mode, disable all the ciphers that don't have
the fips flag set.
Skip the non-allowed algos during testing in the FIPS mode.

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
3 years ago | kdf: Make PBKDF2 check work on all platforms.
Werner Koch [Fri, 18 Mar 2016 14:38:26 +0000 (15:38 +0100)]
kdf: Make PBKDF2 check work on all platforms.

* cipher/kdf.c (_gcry_kdf_pkdf2): Change DKLEN to unsigned long.
--

The previous patch has no effect because on almost all platforms an
unsigned int is 32 bit and thus the 0xffffffff is anyway the largest
value.  This patch changes the variable to an unsigned long so that at
least on common 64 bit Unix systems (but not on 64 bit Windows) there
is an actual check.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | kdf: Add upper bound for derived key length in PBKDF2.
Vitezslav Cizek [Thu, 29 Oct 2015 13:00:26 +0000 (14:00 +0100)]
kdf: Add upper bound for derived key length in PBKDF2.

* cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.
--

Add a missing step 1 from PBKDF specification.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
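The bound that the two PBKDF2 commits above first add and then widen, as an added example that is not libgcrypt's own code: PBKDF2 (RFC 8018, section 5.2, step 1) rejects dkLen > (2^32 - 1) * hLen because the block counter INT(i) is a 32-bit integer, so the block count l = ceil(dkLen / hLen) has to fit in 32 bits. The first function below computes that count in 64-bit arithmetic (using unsigned long long rather than the commit's unsigned long, so the width does not depend on the platform); the second shows why the same comparison on a 32-bit DKLEN can never fail. Function names are hypothetical.

```c
#include <stdint.h>

/* Added example, not libgcrypt code.  The block counter of PBKDF2 is
   a 32-bit big-endian integer, so at most 2^32 - 1 blocks can be
   produced.  That is exactly the "derived key too long" bound. */
#define PBKDF2_MAX_BLOCKS 0xffffffffULL

/* Returns the number of hLen-sized blocks needed for DKLEN bytes, or
   0 when dkLen is too long (or an argument is invalid).  The check
   "dkLen > (2^32-1)*hLen" is rewritten as "ceil(dkLen/hLen) > 2^32-1"
   so that no multiplication can overflow. */
unsigned long long
pbkdf2_block_count (unsigned long long dklen, unsigned int hlen)
{
  unsigned long long l;

  if (hlen == 0 || dklen == 0)
    return 0;
  l = dklen / hlen + (dklen % hlen ? 1 : 0);   /* ceil(dkLen / hLen) */
  if (l > PBKDF2_MAX_BLOCKS)
    return 0;                                  /* derived key too long */
  return l;
}

/* The same comparison with a 32-bit DKLEN, which is what the first
   commit effectively had: every representable value is <= 0xffffffff,
   so the error branch is dead code and this can only ever return 0.
   Widening DKLEN (the second commit) is what makes the check real. */
int
dklen_check_32bit (uint32_t dklen)
{
  if (dklen > 0xffffffffUL)
    return -1;                                 /* unreachable */
  return 0;
}
```

Note that on a platform where unsigned long is also 32 bits wide (64 bit Windows, as the commit says), the widened variable still cannot exceed the bound, which is why the example above uses unsigned long long.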
3 years ago | ecc: ECDSA adjustments for FIPS 186-4
Vitezslav Cizek [Tue, 27 Oct 2015 13:29:11 +0000 (14:29 +0100)]
ecc: ECDSA adjustments for FIPS 186-4

* cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
* cipher/ecc.c: Add ECDSA self test.
* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
in FIPS mode.
* tests/fipsdrv.c: Add support for ECDSA signatures.
--

Enable ECC in FIPS mode.
According to NIST SP 800-131A, curve P-192 and SHA-1 are disallowed
for key pair generation and signature generation after 2013.

Thanks to Jan Matejek for the patch.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Minor source code re-formatting by -wk.

3 years ago | dsa: Make regression tests work.
Werner Koch [Fri, 18 Mar 2016 14:11:31 +0000 (15:11 +0100)]
dsa: Make regression tests work.

* cipher/dsa.c (sample_secret_key_1024): Comment out unused constant.
(generate_fips186): Make it work with use-fips186-2 flag.
* cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs
standard comment out format.
* tests/fips186-dsa.c (check_dsa_gen_186_3): New dummy function.
(main): Call it.
(main): Compare against current version.
* tests/pubkey.c (get_dsa_key_fips186_new): Create 2048 bit key.
(get_dsa_key_fips186_with_seed_new): Ditto.
(get_dsa_key_fips186_with_domain_new): Comment out.
(check_run): Do not call that function.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | dsa: Adjustments to conform with FIPS 186-4.
Vitezslav Cizek [Tue, 27 Oct 2015 11:46:30 +0000 (12:46 +0100)]
dsa: Adjustments to conform with FIPS 186-4.

* cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments.
* cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect
  buflen passed to _gcry_mpi_scan.
--

Generate the DSA keypair by testing candidates. (FIPS 186-4 B.1.2)
Use 2048 bit key for the selftest.
Allow only 2048 and 3072 as pbits size.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
3 years ago | Register DCO for Vitezslav Cizek.
Werner Koch [Fri, 18 Mar 2016 12:05:34 +0000 (13:05 +0100)]
Register DCO for Vitezslav Cizek.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | Update documentation for 'gcry_sexp_extract_param'.
Justus Winter [Wed, 16 Mar 2016 12:35:37 +0000 (13:35 +0100)]
Update documentation for 'gcry_sexp_extract_param'.

* doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MPIs
must be set to NULL first, and document how the function behaves in
case of errors.
* src/sexp.c (_gcry_sexp_extract_param): Likewise.
* src/gcrypt.h.in (gcry_sexp_extract_param): Copy the comment from
'_gcry_sexp_extract_param'.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years ago | cipher: Update comment.
Justus Winter [Wed, 16 Mar 2016 11:49:26 +0000 (12:49 +0100)]
cipher: Update comment.

* cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact
that a curve parameter can be given.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years ago | Add Intel PCLMUL implementations of CRC algorithms
Jussi Kivilinna [Sat, 12 Mar 2016 15:07:21 +0000 (17:07 +0200)]
Add Intel PCLMUL implementations of CRC algorithms

* cipher/Makefile.am: Add 'crc-intel-pclmul.c'.
* cipher/crc-intel-pclmul.c: New.
* cipher/crc.c (USE_INTEL_PCLMUL): New macro.
(CRC_CONTEXT) [USE_INTEL_PCLMUL]: Add 'use_pclmul'.
[USE_INTEL_PCLMUL] (_gcry_crc32_intel_pclmul)
(gcry_crc24rfc2440_intel_pclmul): New.
(crc32_init, crc32rfc1510_init, crc24rfc2440_init)
[USE_INTEL_PCLMUL]: Select PCLMUL implementation if SSE4.1 and PCLMUL
HW features detected.
(crc32_write, crc24rfc2440_write) [USE_INTEL_PCLMUL]: Use PCLMUL
implementation if enabled.
(crc24_init): Document storage format of 24-bit CRC.
(crc24_next4): Use only 'data' for last table look-up.
* configure.ac: Add 'crc-intel-pclmul.lo'.
* src/g10lib.h (HWF_*, HWF_INTEL_SSE4_1): Update HWF flags to include
Intel SSE4.1.
* src/hwf-x86.c (detect_x86_gnuc): Add SSE4.1 detection.
* src/hwfeatures.c (hwflist): Add 'intel-sse4.1'.
* tests/basic.c (fillbuf_count): New.
(check_one_md): Add "?" check (million byte data-set with byte pattern
0x00,0x01,0x02,...); Test all buffer sizes 1 to 1000, for "!" and "?"
checks.
(check_one_md_multi): Skip "?".
(check_digests): Add "?" test-vectors for MD5, SHA1, SHA224, SHA256,
SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, RIPEMD160,
CRC32, CRC32_RFC1510, CRC24_RFC2440, TIGER1 and WHIRLPOOL; Add "!"
test-vectors for CRC32_RFC1510 and CRC24_RFC2440.
--

Add Intel PCLMUL accelerated implementations of CRC algorithms.
CRC performance is improved ~11x on x86_64 and i386 on Intel
Haswell, and ~2.7x on Intel Sandy Bridge.

Benchmark on Intel Core i5-4570 (x86_64, 3.2 GHz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.865 ns/B    1103.0 MiB/s      2.77 c/B
  CRC32RFC1510   |     0.865 ns/B    1102.7 MiB/s      2.77 c/B
  CRC24RFC2440   |     0.865 ns/B    1103.0 MiB/s      2.77 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.079 ns/B   12051.7 MiB/s     0.253 c/B
  CRC32RFC1510   |     0.079 ns/B   12050.6 MiB/s     0.253 c/B
  CRC24RFC2440   |     0.079 ns/B   12100.0 MiB/s     0.252 c/B

Benchmark on Intel Core i5-4570 (i386, 3.2 GHz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.860 ns/B    1109.0 MiB/s      2.75 c/B
  CRC32RFC1510   |     0.861 ns/B    1108.3 MiB/s      2.75 c/B
  CRC24RFC2440   |     0.860 ns/B    1108.6 MiB/s      2.75 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.078 ns/B   12207.0 MiB/s     0.250 c/B
  CRC32RFC1510   |     0.078 ns/B   12207.0 MiB/s     0.250 c/B
  CRC24RFC2440   |     0.080 ns/B   11925.6 MiB/s     0.256 c/B

Benchmark on Intel Core i5-2450M (x86_64, 2.5 GHz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |      1.25 ns/B     762.3 MiB/s      3.13 c/B
  CRC32RFC1510   |      1.26 ns/B     759.1 MiB/s      3.14 c/B
  CRC24RFC2440   |      1.25 ns/B     764.9 MiB/s      3.12 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.451 ns/B    2114.3 MiB/s      1.13 c/B
  CRC32RFC1510   |     0.451 ns/B    2114.6 MiB/s      1.13 c/B
  CRC24RFC2440   |     0.457 ns/B    2085.0 MiB/s      1.14 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago | Update .gitignore
Jussi Kivilinna [Sat, 12 Mar 2016 15:10:30 +0000 (17:10 +0200)]
Update .gitignore

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago | mpi: Normalize EXPO for mpi_powm.
NIIBE Yutaka [Thu, 25 Feb 2016 03:01:10 +0000 (12:01 +0900)]
mpi: Normalize EXPO for mpi_powm.

* mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP.

--

Thanks to Dan Fandrich for the report with a reproducible test case.

GnuPG-bug-id: 2256

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago | Do not ship generated header file in tarball.
Andreas Metzler [Sun, 21 Feb 2016 11:18:33 +0000 (12:18 +0100)]
Do not ship generated header file in tarball.

* src/Makefile.am: Move gcrypt.h from include_HEADERS to
  nodist_include_HEADERS to prevent inclusion in release tarball.
  This could break out-of-tree-builds because the potentially outdated
  src/gcrypt.h was not updated but was in the compiler search path.

3 years ago | Fix building random-drbg for Win32/64
Jussi Kivilinna [Sat, 20 Feb 2016 19:27:15 +0000 (21:27 +0200)]
Fix building random-drbg for Win32/64

* random/random-drbg.c: Remove include for sys/types.h and asm/types.h.
(DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH)
(DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384)
(DRBG_HASHSHA512, DRBG_HMAC, DRBG_SYM128, DRBG_SYM192)
(DRBG_SYM256): Change 'u_int32_t' to 'u32'.
(drbg_get_entropy) [USE_RNDUNIX, USE_RNDW32]: Fix parameters
'drbg_read_cb' and 'len'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago | tests: Do not test DRBG_REINIT from "make check"
Werner Koch [Sat, 20 Feb 2016 13:41:56 +0000 (14:41 +0100)]
tests: Do not test DRBG_REINIT from "make check"

* tests/random.c (main): Run check_drbg_reinit only if the envvar
GCRYPT_IN_REGRESSION_TEST is set.
--

Without a hardware entropy generator (e.g. the moonbase token) running
the regression suite would take too long.  We better use a set of test
vectors when run from "make check".

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | doc: Fix possible dependency problem.
Werner Koch [Wed, 17 Feb 2016 18:34:21 +0000 (19:34 +0100)]
doc: Fix possible dependency problem.

* doc/Makefile.am (gcrypt.texi): Use the right target.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | random: Remove ANSI X9.31 DRNG
Stephan Mueller [Tue, 16 Feb 2016 21:04:53 +0000 (22:04 +0100)]
random: Remove ANSI X9.31 DRNG

* random-fips.c: Remove.
--

The ANSI X9.31 DRNG is removed as it is completely replaced with the
SP800-90A DRBG.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
3 years ago | random: Add a test case for DRBG_REINIT.
Werner Koch [Fri, 19 Feb 2016 14:35:03 +0000 (15:35 +0100)]
random: Add a test case for DRBG_REINIT.

* src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
* tests/random.c (check_drbg_reinit): New.
(main): Call new test.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | random: Allow DRBG_REINIT before initialization.
Werner Koch [Fri, 19 Feb 2016 14:32:44 +0000 (15:32 +0100)]
random: Allow DRBG_REINIT before initialization.

* random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
(_drbg_init_internal): Set the default type if no type has been set
before.
(_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.
--

Without this change we can't call GCRYCTL_DRBG_REINIT before
initialization.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | Add new private header gcrypt-testapi.h.
Werner Koch [Fri, 19 Feb 2016 11:57:00 +0000 (12:57 +0100)]
Add new private header gcrypt-testapi.h.

* src/gcrypt-testapi.h: New.
* src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
* random/random.h: Include gcrypt-testapi.h.
(struct gcry_drbg_test_vector) : Move to gcrypt-testapi.h.
* src/global.c: Include gcrypt-testapi.h.
(_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61.
* cipher/cipher.c: Include gcrypt-testapi.h.
(_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62.
* tests/fipsdrv.c: Include gcrypt-testapi.h.  Remove definition of
PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_
constants.
* tests/t-lock.c: Include gcrypt-testapi.h.  Remove
PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants.

* random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ...
(_gcry_rngdrbg_cavs_test): this.
(gcry_rngdrbg_healthcheck_one): Rename to ...
(_gcry_rngdrbg_healthcheck_one): this.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | random: Make the DRBG C-90 clean and use a flag string.
Werner Koch [Fri, 19 Feb 2016 10:44:57 +0000 (11:44 +0100)]
random: Make the DRBG C-90 clean and use a flag string.

* random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
"flagstr" and turn it into a string.
* random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
designated initializers.  Use a string for the flags.
(gcry_rngdrbg_cavs_test): Parse the flag string into a flag value.
(drbg_healthcheck_sanity): Ditto.
--

Libgcrypt needs to be build-able on C-90 only systems and thus we
can't use C-99 designated initializers.  Because we have removed the
flag macros from the API we should not use them in the CAVS test code
either.  Thus they are replaced by the flag string which also tests
the flag string parser.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | random: Symbol name cleanup for random-drbg.c.
Werner Koch [Thu, 18 Feb 2016 19:44:10 +0000 (20:44 +0100)]
random: Symbol name cleanup for random-drbg.c.

* random/random-drbg.c: Rename all static objects and macros from
"gcry_drbg" to "drbg".
(drbg_string_t): New typedef.
(drbg_gen_t): New typedef.
(drbg_state_t): New typedef.  Replace all "struct drbg_state_s *" by
this.
(_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so
that an error is actually returned.
(gcry_rngdrbg_cavs_test): Ditto.
(gcry_drbg_healthcheck_sanity): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago | random: Use our symbol name pattern also for drbg functions.
Werner Koch [Thu, 18 Feb 2016 18:24:47 +0000 (19:24 +0100)]
random: Use our symbol name pattern also for drbg functions.

* random/random-drbg.c: Rename global functions from _gcry_drbg_*
to _gcry_rngdrbg_*.
* random/random.c: Adjust for this change.
* src/global.c: Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>