libgcrypt.git
2 days ago  secmem: Prepare for easier debugging.  [master]
Werner Koch [Wed, 12 Dec 2018 07:34:10 +0000 (08:34 +0100)]
secmem: Prepare for easier debugging.

* src/secmem.c (_gcry_secmem_dump_stats): Factor code out to ...
(secmem_dump_stats_internal): new.
--

This allows inserting a call to the dump function during debug sessions
inside of the allocators, or calling secmem_dump_stats_internal from gdb.

Signed-off-by: Werner Koch <wk@gnupg.org>
13 days ago  rijndael-aesni: interleave last CTR encryption round with xoring
Jussi Kivilinna [Sat, 1 Dec 2018 10:21:14 +0000 (12:21 +0200)]
rijndael-aesni: interleave last CTR encryption round with xoring

* cipher/rijndael-aesni.c (do_aesni_ctr_8): Interleave aesenclast
with input xoring.
--

The structure of the 'aesenclast' instruction allows reordering the last
encryption round and the xoring of the input block, for a small ~0.5%
improvement in performance.

Intel i7-4790K @ 4.0 GHz:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CTR enc |     0.159 ns/B      6002 MiB/s     0.636 c/B
        CTR dec |     0.159 ns/B      6001 MiB/s     0.636 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 weeks ago  Use explicit_bzero for wipememory
Jussi Kivilinna [Tue, 13 Nov 2018 20:08:50 +0000 (22:08 +0200)]
Use explicit_bzero for wipememory

* configure.ac (AC_CHECK_FUNCS): Check for 'explicit_bzero'.
* src/g10lib.h (wipememory2): Use _gcry_fast_wipememory if _SET is
zero.
(_gcry_fast_wipememory): New.
(_gcry_wipememory2): Rename to...
(_gcry_fast_wipememory2): ...this.
* src/misc.c (_gcry_wipememory): New.
(_gcry_wipememory2): Rename to...
(_gcry_fast_wipememory2): ...this.
(_gcry_fast_wipememory2) [HAVE_EXPLICIT_BZERO]: Use explicit_bzero if
SET is zero.
(_gcry_burn_stack): Use _gcry_fast_wipememory.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 weeks ago  Add clang target pragma for mixed C/assembly x86-64 implementations
Jussi Kivilinna [Tue, 20 Nov 2018 19:16:08 +0000 (21:16 +0200)]
Add clang target pragma for mixed C/assembly x86-64 implementations

* cipher/cipher-gcm-intel-pclmul.c: Add target 'no-sse' attribute
pragma for clang.
* cipher/crc-intel-pclmul.c: Ditto.
* cipher/rijndael-aesni.c: Ditto.
* cipher/rijndael-ssse3-amd64.c: Ditto.
* cipher/sha1-intel-shaext.c: Ditto.
* cipher/sha256-intel-shaext.c: Ditto.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 weeks ago  Optimizations for AES-NI OCB
Jussi Kivilinna [Tue, 20 Nov 2018 19:16:08 +0000 (21:16 +0200)]
Optimizations for AES-NI OCB

* cipher/cipher-internal.h (gcry_cipher_handle): New pre-computed OCB
values L0L1 and L0L1L0; Swap dimensions for OCB L table.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Setup L0L1 and
L0L1L0 values.
(ocb_crypt): Process input in 24KiB chunks for better cache locality
for checksumming.
* cipher/rijndael-aesni.c (ALWAYS_INLINE): New macro for always
inlining functions, change all functions with 'inline' to use
ALWAYS_INLINE.
(NO_INLINE): New macro.
(aesni_prepare_2_6_variable, aesni_prepare_7_15_variable): Rename to...
(aesni_prepare_2_7_variable, aesni_prepare_8_15_variable): ...these and
adjust accordingly (xmm7 moved from *_7_15 to *_2_7).
(aesni_prepare_2_6, aesni_prepare_7_15): Rename to...
(aesni_prepare_2_7, aesni_prepare_8_15): ...these and adjust
accordingly.
(aesni_cleanup_2_6, aesni_cleanup_7_15): Rename to...
(aesni_cleanup_2_7, aesni_cleanup_8_15): ...these and adjust
accordingly.
(aesni_ocb_checksum): New.
(aesni_ocb_enc, aesni_ocb_dec): Calculate OCB offsets in parallel
with help of pre-computed offsets L0+L1 and L0+L1+L0; Do checksum
calculation as separate pass instead of inline; Use NO_INLINE.
(_gcry_aes_aesni_ocb_auth): Calculate OCB offsets in parallel
with help of pre-computed offsets L0+L1 and L0+L1+L0.
* cipher/rijndael-internal.h (RIJNDAEL_context_s) [USE_AESNI]: Add
'use_avx2' and 'use_avx'.
* cipher/rijndael.c (do_setkey) [USE_AESNI]: Set 'use_avx2' if
Intel AVX2 HW feature is available and 'use_avx' if Intel AVX HW
feature is available.
* tests/basic.c (do_check_ocb_cipher): New test vector; increase
size of temporary buffers for new test vector.
(check_ocb_cipher_largebuf_split): Make test plaintext non-uniform
for better checksum testing.
(check_ocb_cipher_checksum): New.
(check_ocb_cipher_largebuf): Call check_ocb_cipher_checksum.
(check_ocb_cipher): New expected tags for check_ocb_cipher_largebuf
test runs.
--

Benchmark on Haswell i7-4970k @ 4.0 GHz:

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        OCB enc |     0.175 ns/B      5436 MiB/s     0.702 c/B
        OCB dec |     0.184 ns/B      5184 MiB/s     0.736 c/B
       OCB auth |     0.156 ns/B      6097 MiB/s     0.626 c/B

After (enc +2% faster, dec +7% faster):
        OCB enc |     0.172 ns/B      5547 MiB/s     0.688 c/B
        OCB dec |     0.171 ns/B      5582 MiB/s     0.683 c/B
       OCB auth |     0.156 ns/B      6097 MiB/s     0.626 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
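The parallel offset computation described in the commit above, as an added
example that is not libgcrypt's cipher-ocb.c or rijndael-aesni.c. In OCB
(RFC 7253) the offset for block i is Offset_{i-1} xor L_{ntz(i)}, a serial
chain. For a group of four blocks starting at a multiple of 4, ntz of the
first three is 0, 1, 0, so their offsets are base^L0, base^(L0^L1) and
base^(L0^L1^L0); with L0L1 and L0L1L0 precomputed, each of those is one xor
from the base and they no longer depend on each other. Only the fourth
block needs the serial value. The block cipher is left out: L_* is a
constructed 16-byte value (in OCB it is E_K(0^128)). The names ocb_ctx,
ocb_setup_l, offsets_serial, offsets_parallel, ocb_checksum and
ocb_selfcheck are assumptions for this illustration.

```c
/* Added example, not libgcrypt code.  L_* is constructed, not E_K(0);
   names are assumptions for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OCB_L_MAX 16

struct ocb_ctx {
  uint8_t L[OCB_L_MAX][16];  /* L_0 .. L_{OCB_L_MAX-1} */
  uint8_t L0L1[16];          /* L_0 ^ L_1 */
  uint8_t L0L1L0[16];        /* L_0 ^ L_1 ^ L_0 (equals L_1; kept under the commit's name) */
};

/* Doubling in GF(2^128) with the OCB polynomial x^128+x^7+x^2+x+1:
   shift left one bit; if the top bit fell off, xor 0x87 into the low byte. */
static void gf_double(uint8_t out[16], const uint8_t in[16])
{
  uint8_t carry = in[0] >> 7;
  for (int i = 0; i < 15; i++)
    out[i] = (uint8_t)((in[i] << 1) | (in[i + 1] >> 7));
  out[15] = (uint8_t)((in[15] << 1) ^ (carry ? 0x87 : 0));
}

static void xor16(uint8_t out[16], const uint8_t a[16], const uint8_t b[16])
{
  for (int i = 0; i < 16; i++) out[i] = a[i] ^ b[i];
}

/* L table from L_*: L_$ = 2*L_*, L_0 = 2*L_$, L_i = 2*L_{i-1}; then the
   two precomputed combinations the AES-NI path uses. */
static void ocb_setup_l(struct ocb_ctx *c, const uint8_t Lstar[16])
{
  uint8_t Ldollar[16];
  gf_double(Ldollar, Lstar);
  gf_double(c->L[0], Ldollar);
  for (int i = 1; i < OCB_L_MAX; i++)
    gf_double(c->L[i], c->L[i - 1]);
  xor16(c->L0L1, c->L[0], c->L[1]);
  xor16(c->L0L1L0, c->L0L1, c->L[0]);
}

/* Number of trailing zero bits of I (I > 0). */
static unsigned ntz(unsigned i)
{
  unsigned n = 0;
  while (!(i & 1)) { i >>= 1; n++; }
  return n;
}

/* Reference: offsets for blocks i+1 .. i+4, each derived from the previous. */
static void offsets_serial(const struct ocb_ctx *c, const uint8_t base[16],
                           unsigned i, uint8_t out[4][16])
{
  uint8_t cur[16];
  memcpy(cur, base, 16);
  for (unsigned k = 0; k < 4; k++) {
    xor16(cur, cur, c->L[ntz(i + k + 1)]);
    memcpy(out[k], cur, 16);
  }
}

/* Parallel form (I a multiple of 4): the first three offsets each come
   straight from BASE and can be computed in any order or at once; only
   the fourth still needs L_{ntz(i+4)} on top of base^L0L1L0. */
static void offsets_parallel(const struct ocb_ctx *c, const uint8_t base[16],
                             unsigned i, uint8_t out[4][16])
{
  xor16(out[0], base, c->L[0]);
  xor16(out[1], base, c->L0L1);
  xor16(out[2], base, c->L0L1L0);
  xor16(out[3], out[2], c->L[ntz(i + 4)]);
}

/* Checksum as a separate pass: xor of all full plaintext blocks. */
static void ocb_checksum(uint8_t sum[16], const uint8_t *pt, size_t nblocks)
{
  memset(sum, 0, 16);
  for (size_t b = 0; b < nblocks; b++)
    xor16(sum, sum, pt + 16 * b);
}

/* Self-check: serial and parallel offsets agree over sixteen 4-block
   groups, and the checksum of a constructed plaintext matches a direct
   byte-wise xor.  Returns 1 on success. */
static int ocb_selfcheck(void)
{
  struct ocb_ctx c;
  uint8_t Lstar[16], base[16], a[4][16], b[4][16];
  uint8_t pt[64], sum[16], expect[16] = {0};
  for (int i = 0; i < 16; i++) {
    Lstar[i] = (uint8_t)(0x80 + i * 7);   /* constructed stand-in for E_K(0) */
    base[i] = (uint8_t)(i * 31);          /* constructed Offset_0 */
  }
  ocb_setup_l(&c, Lstar);
  for (unsigned i = 0; i < 64; i += 4) {
    offsets_serial(&c, base, i, a);
    offsets_parallel(&c, base, i, b);
    if (memcmp(a, b, sizeof a) != 0) return 0;
    memcpy(base, a[3], 16);               /* next group starts at block i+4 */
  }
  for (int i = 0; i < 64; i++) pt[i] = (uint8_t)(i * i + 3);
  ocb_checksum(sum, pt, 4);
  for (int i = 0; i < 64; i++) expect[i % 16] ^= pt[i];
  return memcmp(sum, expect, 16) == 0;
}
```

Because the three leading offsets depend only on the base, an SIMD
implementation can hold base in one register and produce all three with
independent xors, which is what lets the AES-NI code overlap offset
generation with the AES rounds of the previous group.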
3 weeks ago  doc: Fix library initialization examples
Andreas Metzler [Sun, 18 Nov 2018 15:01:21 +0000 (16:01 +0100)]
doc: Fix library initialization examples

Signed-off-by: Andreas Metzler <ametzler@bebt.de>
4 weeks ago  random: Initialize variable as requested by valgrind
Werner Koch [Wed, 14 Nov 2018 13:14:23 +0000 (14:14 +0100)]
random: Initialize variable as requested by valgrind

* random/jitterentropy-base.c: Init.
--

The variable ec does not need initialization for proper functioning of
the analyzer code. However, valgrind complains about the uninitialized
variable. Thus, initialize it.

Original-repo: https://github.com/smuellerDD/jitterentropy-library.git
Original-commit: 9048af7f06fc1488904f54852e0a2f8da45a4745
Original-Author: Stephan Mueller <smueller@chronox.de>
Original-Date: Sun, 15 Jul 2018 19:14:02 +0200
Reported-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Werner Koch <wk@gnupg.org>
4 weeks ago  libgcrypt.m4: Prefer gpgrt-config to SYSROOT support.
NIIBE Yutaka [Tue, 13 Nov 2018 01:30:39 +0000 (10:30 +0900)]
libgcrypt.m4: Prefer gpgrt-config to SYSROOT support.

* libgcrypt.m4: Move SYSROOT support after check of GPGRT_CONFIG.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
4 weeks ago  build: Update autogen.rc.
NIIBE Yutaka [Tue, 13 Nov 2018 00:36:37 +0000 (09:36 +0900)]
build: Update autogen.rc.

* autogen.rc: Remove obsolete --with-gpg-error-prefix option.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
5 weeks ago  Fix 'variable may be used uninitialized' warning for CTR mode
Jussi Kivilinna [Wed, 7 Nov 2018 17:12:29 +0000 (19:12 +0200)]
Fix 'variable may be used uninitialized' warning for CTR mode

* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Set N to BLOCKSIZE
before counter loop.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 weeks ago  Fix inlining of ocb_get_l for x86 AES implementations
Jussi Kivilinna [Tue, 6 Nov 2018 18:27:34 +0000 (20:27 +0200)]
Fix inlining of ocb_get_l for x86 AES implementations

* cipher/rijndael-aesni.c (aes_ocb_get_l): New.
(aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Use
'aes_ocb_get_l'.
* cipher/rijndael-ssse3-amd64.c (aes_ocb_get_l): New.
(ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_auth): Use
'aes_ocb_get_l'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 weeks ago  stdmem: free: only call _gcry_secmem_free if needed
Jussi Kivilinna [Mon, 5 Nov 2018 18:42:58 +0000 (20:42 +0200)]
stdmem: free: only call _gcry_secmem_free if needed

* src/stdmem.c (_gcry_private_free): Check if memory is secure before
calling _gcry_secmem_free to avoid unnecessarily taking secmem lock.
--

Unnecessarily taking the secmem lock on non-secure memory can result in poor
performance on multi-threaded workloads:
  https://lists.gnupg.org/pipermail/gcrypt-devel/2018-August/004535.html

Reported-by: Christian Grothoff <grothoff@gnunet.org>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 weeks ago  secmem: fix potential memory visibility issue
Jussi Kivilinna [Mon, 5 Nov 2018 18:42:58 +0000 (20:42 +0200)]
secmem: fix potential memory visibility issue

* configure.ac (gcry_cv_have_sync_synchronize): New check.
* src/secmem.c (pooldesc_s): Make next pointer volatile.
(memory_barrier): New.
(_gcry_secmem_malloc_internal): Insert memory barrier between
pool->next and mainpool.next assignments.
(_gcry_private_is_secure): Update comments.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
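The publication pattern behind the last two commits, as an added example
that is not libgcrypt's src/secmem.c or src/stdmem.c. _gcry_private_is_secure
walks the pool list without taking the secmem lock, so a new pool descriptor
has to be completely written before its address becomes reachable; the
barrier between filling the descriptor and linking it, together with the
volatile next pointer, is what makes that ordering hold on other CPUs. The
free path checks is_secure first, so heap pointers never contend on the
secmem lock. The names pool, pool_add, secmem_malloc, secmem_free,
is_secure, private_free, secure_free_calls and secmem_selfcheck are
assumptions for this illustration; the pool is a bump allocator backed by
calloc rather than mmap+mlock, and the explicit size argument to
private_free stands in for the size libgcrypt reads from a block header.

```c
/* Added example, not libgcrypt code.  Names and the bump allocator are
   assumptions for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct pool {
  struct pool *volatile next;  /* volatile: re-read on every traversal */
  uint8_t *mem;                /* pool memory (real code: mmap + mlock) */
  size_t size;
  size_t used;                 /* bump allocator, enough for the point */
};

static struct pool mainpool = { NULL, NULL, 0, 0 };
static unsigned secure_free_calls;   /* how often the locked path ran */

/* Full barrier, as configure.ac's gcry_cv_have_sync_synchronize checks. */
#if defined(__GNUC__)
# define memory_barrier() __sync_synchronize()
#else
# define memory_barrier() ((void)0)  /* assumption: single-threaded build */
#endif

/* Add a pool of SIZE bytes behind mainpool.  Order matters: every field
   of the new descriptor must be visible to other CPUs before a pointer
   to it is, otherwise a lock-free reader can walk into garbage. */
static struct pool *pool_add(size_t size)
{
  struct pool *p = calloc(1, sizeof *p);
  if (!p) return NULL;
  p->mem = calloc(size, 1);
  if (!p->mem) { free(p); return NULL; }
  p->size = size;
  p->next = mainpool.next;
  memory_barrier();          /* publish the fields ... */
  mainpool.next = p;         /* ... before publishing their address */
  return p;
}

/* Lock-free: is P inside any pool?  Safe without the secmem lock only
   because of the publication order in pool_add(). */
static int is_secure(const void *p)
{
  uintptr_t a = (uintptr_t)p;
  for (struct pool *pool = &mainpool; pool; pool = pool->next) {
    if (!pool->mem) continue;
    uintptr_t base = (uintptr_t)pool->mem;
    if (a >= base && a - base < pool->size)
      return 1;
  }
  return 0;
}

/* Allocate N bytes from the first pool with room (real code: under the
   secmem lock, with a per-block header carrying the size). */
static void *secmem_malloc(size_t n)
{
  for (struct pool *pool = &mainpool; pool; pool = pool->next) {
    if (pool->mem && pool->size - pool->used >= n) {
      void *r = pool->mem + pool->used;
      pool->used += n;
      return r;
    }
  }
  return NULL;
}

/* The slow path: takes the secmem lock in real code, then wipes. */
static void secmem_free(void *p, size_t n)
{
  secure_free_calls++;
  memset(p, 0, n);           /* real code: a wipe the compiler cannot drop */
}

/* free() as seen by callers.  The is_secure() test comes first so that
   heap pointers never take the secmem lock. */
static void private_free(void *p, size_t n)
{
  if (!p) return;
  if (is_secure(p))
    secmem_free(p, n);
  else
    free(p);
}

/* Self-check: two pools, one block from each; a heap pointer is not
   secure and its free never reaches secmem_free; a secure block is
   wiped by its free.  Returns 1 on success. */
static int secmem_selfcheck(void)
{
  if (!pool_add(4096) || !pool_add(4096)) return 0;
  uint8_t *s1 = secmem_malloc(3000), *s2 = secmem_malloc(3000);
  void *h = malloc(64);
  unsigned before = secure_free_calls;
  if (!s1 || !s2 || !h) return 0;
  if (!is_secure(s1) || !is_secure(s2) || is_secure(h)) return 0;
  memset(s2, 0xAA, 3000);
  private_free(h, 64);
  if (secure_free_calls != before) return 0;
  private_free(s2, 3000);
  if (secure_free_calls != before + 1) return 0;
  return s2[0] == 0 && s2[2999] == 0;
}
```

The barrier is needed on the writer side only; the reader relies on the
volatile load of next and on the fact that a pointer it observes was
stored after the descriptor it points to. Without the barrier a CPU or
compiler may reorder the two stores and a concurrent is_secure can read
size or mem as zero, misclassifying a secure pointer as ordinary heap.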
5 weeks ago  wipememory: use memset for non-constant length or large buffer wipes
Jussi Kivilinna [Mon, 5 Nov 2018 18:42:58 +0000 (20:42 +0200)]
wipememory: use memset for non-constant length or large buffer wipes

* src/g10lib.h (CONSTANT_P): New.
(_gcry_wipememory2): New prototype.
(wipememory2): Use _gcry_wipememory2 if _len not constant expression or
length is larger than 64 bytes.
(FASTWIPE_T, FASTWIPE_MULT, fast_wipememory2_unaligned_head): Remove.
(fast_wipememory2): Always handle buffer as unaligned.
* src/misc.c (__gcry_burn_stack): Move memset_ptr variable to...
(memset_ptr): ... here. New.
(_gcry_wipememory2): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
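The wipe strategy of this commit and of the later "Use explicit_bzero for
wipememory" entry, as an added example that is not libgcrypt's g10lib.h or
misc.c. A plain memset before free() or return is a dead store the compiler
is entitled to delete; libgcrypt avoids that by calling memset through a
volatile function pointer (the compiler cannot see what is called) and,
where libc has it, by using explicit_bzero for the zero-fill case. The
dispatch below mirrors the macro split: a constant zero fill goes to the
guaranteed wipe, a small constant-length fill is done inline, anything
else goes out of line. Detection of explicit_bzero via glibc version
macros, and the names memset_ptr, fast_wipememory, wipememory2,
WIPEMEMORY2, CONSTANT_P, session_open, session_close, is_all and
wipe_selfcheck, are assumptions for this illustration.

```c
/* Added example, not libgcrypt code.  explicit_bzero detection and all
   names are assumptions for this illustration. */
#define _GNU_SOURCE 1
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* explicit_bzero() is declared by glibc >= 2.25 when __USE_MISC is on. */
#if defined(__GLIBC__) && defined(__GLIBC_PREREQ) && defined(__USE_MISC)
# if __GLIBC_PREREQ(2, 25)
#  define HAVE_EXPLICIT_BZERO 1
# endif
#endif

#if defined(__GNUC__)
# define CONSTANT_P(x) __builtin_constant_p(x)
#else
# define CONSTANT_P(x) 0
#endif

/* memset() reached through a volatile pointer: the compiler can no
   longer prove which function runs, so the dead-store elimination that
   would drop a plain memset() before free()/return cannot fire. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

/* Zero N bytes at P using the libc-guaranteed wipe when available. */
static void fast_wipememory(void *p, size_t n)
{
#ifdef HAVE_EXPLICIT_BZERO
  explicit_bzero(p, n);
#else
  memset_ptr(p, 0, n);
#endif
}

/* Out-of-line fill of N bytes at P with SET; SET == 0 takes the
   explicit_bzero path, any other fill byte needs memset. */
static void wipememory2(void *p, int set, size_t n)
{
  if (set == 0)
    fast_wipememory(p, n);
  else
    memset_ptr(p, set, n);
}

/* Dispatch as in the commit: constant zero fill -> guaranteed wipe;
   small constant length -> inline memset through the volatile pointer;
   non-constant or large length -> out-of-line function. */
#define WIPEMEMORY2(p, set, len)                                           \
  ((CONSTANT_P(set) && (set) == 0)     ? fast_wipememory((p), (len))       \
   : (CONSTANT_P(len) && (len) <= 64)  ? (void)memset_ptr((p), (set), (len)) \
   :                                     wipememory2((p), (set), (len)))

/* A session key that must not outlive its use. */
struct session { uint8_t key[32]; int open; };

static void session_open(struct session *s, const uint8_t *key)
{
  memcpy(s->key, key, sizeof s->key);
  s->open = 1;
}

/* With a plain memset() here the compiler may drop the store: S->key
   is never read again on this path, so the store is "dead". */
static void session_close(struct session *s)
{
  WIPEMEMORY2(s->key, 0, sizeof s->key);   /* constant 0 -> fast_wipememory */
  s->open = 0;
}

/* Does every byte of P equal V?  Constant-time over N. */
static int is_all(const uint8_t *p, uint8_t v, size_t n)
{
  uint8_t acc = 0;
  for (size_t i = 0; i < n; i++)
    acc |= p[i] ^ v;
  return acc == 0;
}

/* Self-check: a session key is gone after close; a non-zero fill and a
   zero fill with a non-constant length both take effect.  Returns 1 on
   success. */
static int wipe_selfcheck(void)
{
  uint8_t key[32], buf[70];
  struct session s;
  size_t n = sizeof buf;            /* non-constant: out-of-line path */
  for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)(0xA5 ^ i);
  session_open(&s, key);
  if (!s.open || is_all(s.key, 0, sizeof s.key)) return 0;
  session_close(&s);
  if (s.open || !is_all(s.key, 0, sizeof s.key)) return 0;
  WIPEMEMORY2(buf, 0xFF, n);
  if (!is_all(buf, 0xFF, n)) return 0;
  WIPEMEMORY2(buf, 0, n);
  return is_all(buf, 0, n);
}
```

The volatile-pointer trick is portable C but costs an indirect call;
explicit_bzero is cheaper and its no-elision guarantee comes from libc
rather than from a compiler limitation, which is why the zero-fill case
is routed to it first.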
5 weeks ago  Change buf_cpy and buf_xor* functions to use buf_put/buf_get helpers
Jussi Kivilinna [Mon, 5 Nov 2018 18:42:58 +0000 (20:42 +0200)]
Change buf_cpy and buf_xor* functions to use buf_put/buf_get helpers

* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS)
(bufhelp_int_s, buf_xor_1): Remove.
(buf_cpy, buf_xor, buf_xor_2dst, buf_xor_n_copy_2): Use
buf_put/buf_get helpers to handle unaligned memory accesses.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 weeks ago  rijndael: fix unused parameter warning
Jussi Kivilinna [Mon, 5 Nov 2018 18:42:58 +0000 (20:42 +0200)]
rijndael: fix unused parameter warning

* cipher/rijndael.c (do_setkey): Silence unused 'hd' warning.
--

This commit fixes "warning: unused parameter 'hd'" warning seen on
architectures that do not have alternative AES implementations.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 weeks ago  mpi/longlong.h: enable inline assembly for powerpc64
Jussi Kivilinna [Mon, 5 Nov 2018 18:42:58 +0000 (20:42 +0200)]
mpi/longlong.h: enable inline assembly for powerpc64

* mpi/longlong.h [__powerpc__ && W_TYPE_SIZE == 64]: Remove '#if 0'.
--

PowerPC64 inline assembly was tested on QEMU ('make check' pass).

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 weeks ago  Change remaining users of _gcry_fips_mode to use fips_mode
Jussi Kivilinna [Mon, 5 Nov 2018 18:42:58 +0000 (20:42 +0200)]
Change remaining users of _gcry_fips_mode to use fips_mode

* src/fips.c (_gcry_fips_mode): Remove.
(_gcry_enforced_fips_mode, _gcry_inactivate_fips_mode)
(_gcry_is_fips_mode_inactive): Use fips_mode.
* src/g10lib.h (_gcry_fips_mode): Remove.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 weeks ago  aarch64: mpi: Distribute the header file as a part of source.
NIIBE Yutaka [Fri, 2 Nov 2018 09:54:02 +0000 (18:54 +0900)]
aarch64: mpi: Distribute the header file as a part of source.

* mpi/Makefile.am (EXTRA_libmpi_la_SOURCES): Add asm-common-aarch64.h.

--

Fixes-commit: ec0a2f25c0f64a7b65b373508ce9081e10461965
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
6 weeks ago  build: Fix GCRYPT_HWF_MODULES.
NIIBE Yutaka [Fri, 2 Nov 2018 04:51:40 +0000 (13:51 +0900)]
build: Fix GCRYPT_HWF_MODULES.

* configure.ac (GCRYPT_HWF_MODULES): Add libgcrypt_la- prefix.

--

Before this change "make distcheck" fails because
src/.deps/hwf-x86.Plo remains.  Note that the distclean entry for the
file is libgcrypt_la-hwf-x86.Plo.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
6 weeks ago  build: Update gpg-error.m4 and libgcrypt.m4.
NIIBE Yutaka [Fri, 2 Nov 2018 03:06:11 +0000 (12:06 +0900)]
build: Update gpg-error.m4 and libgcrypt.m4.

* m4/gpg-error.m4: Update to 2018-11-02.
* src/libgcrypt.m4: Add AC_MSG_NOTICE.
Bump the version date.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
6 weeks ago  build: Update gpg-error.m4 and ksba.m4.
NIIBE Yutaka [Mon, 29 Oct 2018 03:51:19 +0000 (12:51 +0900)]
build: Update gpg-error.m4 and ksba.m4.

* m4/gpg-error.m4: Update to 2018-10-29.
* src/libgcrypt.m4: Follow the change of gpgrt-config.
Bump the version date.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
6 weeks ago  Fix missing global initialization in fips_is_operational
Jussi Kivilinna [Sat, 27 Oct 2018 12:48:29 +0000 (15:48 +0300)]
Fix missing global initialization in fips_is_operational

* src/g10lib.h (_gcry_global_any_init_done): New extern.
(fips_is_operational): Check for _gcry_global_any_init_done and call
_gcry_global_is_operational.
* src/global.c (any_init_done): Rename to ...
(_gcry_global_any_init_done): ... this and make externally available.
--

Commit b6e6ace324440f564df664e27f8276ef01f76795 "Add fast path for
_gcry_fips_is_operational" inadvertently replaced function call to
_gcry_global_is_operational with call to _gcry_fips_is_operational
in fips_is_operational macro. This can cause libgcrypt to miss
initialization. This patch restores _gcry_global_is_operational
functionality to fips_is_operational macro while keeping fast-path
to reduce call-overhead to gcry_* functions.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
6 weeks ago  Merge release info from 1.8.4
Werner Koch [Fri, 26 Oct 2018 18:04:44 +0000 (20:04 +0200)]
Merge release info from 1.8.4

--

7 weeks ago  random: use getrandom() on Linux where available
Daniel Kahn Gillmor [Wed, 5 Sep 2018 14:34:04 +0000 (10:34 -0400)]
random: use getrandom() on Linux where available

* random/rndlinux.c (_gcry_rndlinux_gather_random): use the
getrandom() syscall on Linux if it exists, regardless of what kind of
entropy was requested.

--

This change avoids the serious usability problem of unnecessary
blocking on /dev/random when the kernel's PRNG is already seeded,
without introducing the risk of pulling from an uninitialized PRNG.
It only has an effect on Linux systems with a functioning getrandom()
syscall.  If that syscall is unavailable or fails, it should fall
through to the pre-existing behavior.

GnuPG-bug-id: 3894
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
7 weeks ago  random: Make sure to re-open /dev/random after a fork
Werner Koch [Fri, 26 Oct 2018 11:22:16 +0000 (13:22 +0200)]
random: Make sure to re-open /dev/random after a fork

* random/rndlinux.c (_gcry_rndlinux_gather_random): Detect fork and
re-open devices.
--

This mitigates against ill-behaving software which has closed the
standard fds but later dups them to /dev/null.

GnuPG-bug-id: 3491
Signed-off-by: Werner Koch <wk@gnupg.org>
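The two behaviours from the last two commits, as an added example that is
not libgcrypt's random/rndlinux.c. getrandom(2) with flags 0 blocks only
until the kernel pool has been initialised and never afterwards, which is
what removes the /dev/random stall without reading from an unseeded pool;
when the syscall returns ENOSYS the code falls through to the device file.
The fork check compares the pid recorded when the device was opened with
the current one: after fork() the inherited descriptor number may already
have been closed and reused by the application (the dup2-to-/dev/null case
the commit describes), so the child re-opens rather than trusting it. The
names rng_state, try_getrandom, ensure_device, gather_random, rng_selfcheck
and RNG_DEVICE, the choice of /dev/urandom, and the use of syscall(2)
instead of the libc wrapper are assumptions for this illustration.

```c
/* Added example, not libgcrypt code.  Names, the device choice and the
   raw syscall are assumptions for this illustration. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

#ifndef O_CLOEXEC
# define O_CLOEXEC 0   /* assumption: old libc; loses close-on-exec */
#endif

#define RNG_DEVICE "/dev/urandom"   /* assumption; libgcrypt picks by level */

struct rng_state {
  int fd;            /* open device descriptor, or -1 */
  pid_t owner_pid;   /* pid that opened FD; a mismatch means we forked */
  int getrandom_ok;  /* 0 = untried, 1 = works, -1 = ENOSYS, use device */
};

/* getrandom(2) via syscall(2) with flags 0: blocks only until the kernel
   pool is initialised.  Returns 1 with LEN bytes filled, 0 if the
   syscall does not exist (caller falls back), -1 on any other error. */
static int try_getrandom(uint8_t *buf, size_t len)
{
#if defined(__linux__) && defined(SYS_getrandom) && defined(__USE_MISC)
  size_t got = 0;
  while (got < len) {
    long n = syscall(SYS_getrandom, buf + got, len - got, 0);
    if (n < 0) {
      if (errno == EINTR) continue;
      return errno == ENOSYS ? 0 : -1;
    }
    got += (size_t)n;
  }
  return 1;
#else
  (void)buf; (void)len;
  return 0;
#endif
}

/* Open the device, or re-open it if the pid changed since it was
   opened.  Returns 1 if (re)opened, 0 if the existing fd is kept,
   -1 on failure. */
static int ensure_device(struct rng_state *st)
{
  pid_t me = getpid();
  if (st->fd >= 0 && st->owner_pid == me)
    return 0;
  if (st->fd >= 0)
    close(st->fd);             /* do not trust an inherited fd number */
  st->fd = open(RNG_DEVICE, O_RDONLY | O_CLOEXEC);
  if (st->fd < 0)
    return -1;
  st->owner_pid = me;
  return 1;
}

/* Fill BUF with LEN random bytes: getrandom() first, device file only
   when the syscall is unavailable.  Returns 0 on success, -1 on error. */
static int gather_random(struct rng_state *st, uint8_t *buf, size_t len)
{
  if (st->getrandom_ok >= 0) {
    int r = try_getrandom(buf, len);
    if (r == 1) { st->getrandom_ok = 1; return 0; }
    if (r < 0) return -1;
    st->getrandom_ok = -1;     /* ENOSYS: remember it, use the device */
  }
  if (ensure_device(st) < 0)
    return -1;
  for (size_t got = 0; got < len; ) {
    ssize_t n = read(st->fd, buf + got, len - got);
    if (n < 0 && errno == EINTR) continue;
    if (n <= 0) return -1;
    got += (size_t)n;
  }
  return 0;
}

/* Self-check: the default path yields 32 non-zero bytes; the forced
   device path yields different bytes; a simulated fork (owner_pid
   changed) makes ensure_device() re-open.  Returns 1 on success. */
static int rng_selfcheck(void)
{
  struct rng_state st = { -1, 0, 0 }, dev = { -1, 0, -1 };
  uint8_t a[32] = {0}, b[32] = {0};
  int nonzero = 0, reopened;
  if (gather_random(&st, a, sizeof a) != 0) return 0;
  for (size_t i = 0; i < sizeof a; i++) nonzero |= a[i];
  if (!nonzero) return 0;
  if (gather_random(&dev, b, sizeof b) != 0) return 0;
  if (memcmp(a, b, sizeof a) == 0) return 0;
  dev.owner_pid = (pid_t)-1;          /* pretend to be a fork child */
  reopened = ensure_device(&dev);
  if (st.fd >= 0) close(st.fd);
  close(dev.fd);
  return reopened == 1 && dev.owner_pid == getpid();
}
```

Comparing getpid() on every call is cheap on Linux but is not a complete
fork detector: a child that inherits a descriptor and is then forked
again before its first call still sees a pid mismatch, which is the safe
direction. pthread_atfork handlers are the alternative when the library
controls the fork call.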
7 weeks ago  primes: Avoid leaking bits of the prime test to pageable memory.
Werner Koch [Fri, 26 Oct 2018 10:57:30 +0000 (12:57 +0200)]
primes: Avoid leaking bits of the prime test to pageable memory.

* cipher/primegen.c (gen_prime): Allocate MODS in secure memory.
--

This increases the pressure on the secure memory by about 1400 bytes
but given that we can meanwhile increase the size of the secmem area,
this is acceptable.

GnuPG-bug-id: 3848
Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  libgcrypt.m4: Better compatibility support.
NIIBE Yutaka [Fri, 26 Oct 2018 01:35:51 +0000 (10:35 +0900)]
libgcrypt.m4: Better compatibility support.

* src/gpg-error.m4: Update.
* src/libgcrypt.m4: Don't assume libgcrypt-config is newer.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  build: Fix libgcrypt.m4.
NIIBE Yutaka [Fri, 26 Oct 2018 00:38:47 +0000 (09:38 +0900)]
build: Fix libgcrypt.m4.

* src/libgcrypt.m4: Use AC_PATH_PROG to detect libgcrypt-config.

--

Last commit using AC_PATH_TOOL was wrong.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  build: Relax build requirements.
NIIBE Yutaka [Fri, 26 Oct 2018 00:09:51 +0000 (09:09 +0900)]
build: Relax build requirements.

* m4/gpg-error.m4: Update from libgpg-error 1.33.
* src/libgcrypt.m4: Don't require AM_PATH_GPG_ERROR.  Use GPGRT_CONFIG
instead of libgcrypt-config when it is confirmed that it is available
and working well.
* configure.ac (AM_PATH_GPG_ERROR): No requirement for newer version
(It was because of new gpgrt-config which supports *.pc files).

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  cipher: Add comments about future OIDs.
Werner Koch [Thu, 25 Oct 2018 11:04:21 +0000 (13:04 +0200)]
cipher: Add comments about future OIDs.

--

7 weeks ago  build: Require libgpg-error >= 1.33.
NIIBE Yutaka [Thu, 25 Oct 2018 01:11:59 +0000 (10:11 +0900)]
build: Require libgpg-error >= 1.33.

* configure.ac (NEED_GPG_ERROR_VERSION): Require 1.33.
* m4/gpg-error.m4: Update from libgpg-error 1.33.
* src/libgcrypt.m4: Bump version date.
Use --variable option.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  build: Add release make target
Werner Koch [Wed, 24 Oct 2018 10:24:44 +0000 (12:24 +0200)]
build: Add release make target

* Makefile.am (release, sign-release): New targets.

Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  build: Make distcheck work again.
Werner Koch [Wed, 24 Oct 2018 10:23:47 +0000 (12:23 +0200)]
build: Make distcheck work again.

* cipher/Makefile.am: Prettified source file lists.
(EXTRA_libcipher_la_SOURCES): Add missing asm-common-aarch64.h.

Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  doc: Update yat2m.c from upstream (libgpg-error)
Werner Koch [Wed, 24 Oct 2018 10:06:07 +0000 (12:06 +0200)]
doc: Update yat2m.c from upstream (libgpg-error)

--
GnuPG-bug-id: 4102

Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  Fix memory leak in secmem in out of core conditions.
Werner Koch [Wed, 24 Oct 2018 09:55:34 +0000 (11:55 +0200)]
Fix memory leak in secmem in out of core conditions.

* src/secmem.c (_gcry_secmem_malloc_internal): Release pool descriptor
if the pool could not be allocated.
--

GnuPG-bug-id: 4211
Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  ecc: Fix memory leak in the error case of ecc_encrypt_raw
Werner Koch [Wed, 24 Oct 2018 09:50:46 +0000 (11:50 +0200)]
ecc: Fix memory leak in the error case of ecc_encrypt_raw

* cipher/ecc.c (ecc_encrypt_raw): Add proper error cleanup in the main
block.
--

GnuPG-bug-id: 4210
Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  ecc: Fix possible memory leakage in parameter check of eddsa.
Werner Koch [Wed, 24 Oct 2018 07:50:17 +0000 (09:50 +0200)]
ecc: Fix possible memory leakage in parameter check of eddsa.

* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_verify): Fix mem leak.
--

GnuPG-bug-id: 4209
Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  build: Fix libgcrypt.pc.
NIIBE Yutaka [Wed, 24 Oct 2018 06:34:57 +0000 (15:34 +0900)]
build: Fix libgcrypt.pc.

* src/libgcrypt.pc.in: Fix typo.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  build: Compatibility to pkg-config.
NIIBE Yutaka [Wed, 24 Oct 2018 06:13:40 +0000 (15:13 +0900)]
build: Compatibility to pkg-config.

* src/libgcrypt-config.in: Support --variable and --modversion.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  build: Make libgcrypt.m4 use gpg-error-config.
NIIBE Yutaka [Wed, 24 Oct 2018 06:07:18 +0000 (15:07 +0900)]
build: Make libgcrypt.m4 use gpg-error-config.

* src/libgcrypt.m4: Use gpg-error-config.

--

With the option --with-libgcrypt-prefix, it still keeps using the
libgcrypt-config script.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  build: Provide libgcrypt.pc, generated by configure.
NIIBE Yutaka [Wed, 24 Oct 2018 05:57:53 +0000 (14:57 +0900)]
build: Provide libgcrypt.pc, generated by configure.

* configure.ac: Generate src/libgcrypt.pc.
* src/Makefile.am (pkgconfigdir, pkgconfig_DATA): New.
(EXTRA_DIST): Add libgcrypt.pc.in.
* src/libgcrypt-config.in: Use @PACKAGE_VERSION@.
* src/libgcrypt.pc.in: New.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  build: Update gpg-error.m4 from libgpg-error.
NIIBE Yutaka [Wed, 24 Oct 2018 05:33:23 +0000 (14:33 +0900)]
build: Update gpg-error.m4 from libgpg-error.

* m4/gpg-error.m4: Update from libgpg-error 1.33.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  build: Don't default to underscore=yes for cross-build.
NIIBE Yutaka [Wed, 24 Oct 2018 05:29:45 +0000 (14:29 +0900)]
build: Don't default to underscore=yes for cross-build.

* acinclude.m4: Don't set ac_cv_sys_symbol_underscore
for cross build.

--

It made sense in the past when cross compiles were basically for a.out
systems, but nowadays it is better not to assume that.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
7 weeks ago  ecc: Fix potential unintended freeing of an internal param.
Werner Koch [Tue, 23 Oct 2018 20:58:09 +0000 (22:58 +0200)]
ecc: Fix potential unintended freeing of an internal param.

* cipher/ecc-curves.c (_gcry_ecc_get_mpi): Fix c+p error
--

GnuPG-bug-id: 4208
Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  sexp: Fix uninitialized use of a var in the error case.
Werner Koch [Tue, 23 Oct 2018 20:51:40 +0000 (22:51 +0200)]
sexp: Fix uninitialized use of a var in the error case.

* src/sexp.c (_gcry_sexp_vextract_param): Initialize L1.
--
GnuPG-bug-id: 4212

Signed-off-by: Werner Koch <wk@gnupg.org>
7 weeks ago  doc: Fix example for gcry_sexp_extract_param
Werner Koch [Thu, 14 Jun 2018 08:39:53 +0000 (10:39 +0200)]
doc: Fix example for gcry_sexp_extract_param

--

8 weeks ago  build: Let configure create the VERSION file.
NIIBE Yutaka [Tue, 16 Oct 2018 05:46:55 +0000 (14:46 +0900)]
build: Let configure create the VERSION file.

* autogen.sh: Update from libgpg-error.
* configure.ac: Use mym4_version to create VERSION file.
* Makefile.am (dist-hook): Do not create VERSION file.
(EXTRA_DIST): Add VERSION.

--

GnuPG-bug-id: 3283
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
4 months ago  Add size optimized cipher block copy and xor functions
Jussi Kivilinna [Sat, 21 Jul 2018 08:56:46 +0000 (11:56 +0300)]
Add size optimized cipher block copy and xor functions

* cipher/bufhelp.h (buf_get_he32, buf_put_he32, buf_get_he64)
(buf_put_he64): New.
* cipher/cipher-internal.h (cipher_block_cpy, cipher_block_xor)
(cipher_block_xor_1, cipher_block_xor_2dst, cipher_block_xor_n_copy_2)
(cipher_block_xor_n_copy): New.
* cipher/cipher-gcm-intel-pclmul.c
(_gcry_ghash_setup_intel_pclmul): Use assembly for swapping endianness
instead of buf_get_be64 and buf_cpy.
* cipher/blowfish.c: Use new cipher_block_* functions for cipher block
sized buf_cpy/xor* operations.
* cipher/camellia-glue.c: Ditto.
* cipher/cast5.c: Ditto.
* cipher/cipher-aeswrap.c: Ditto.
* cipher/cipher-cbc.c: Ditto.
* cipher/cipher-ccm.c: Ditto.
* cipher/cipher-cfb.c: Ditto.
* cipher/cipher-cmac.c: Ditto.
* cipher/cipher-ctr.c: Ditto.
* cipher/cipher-eax.c: Ditto.
* cipher/cipher-gcm.c: Ditto.
* cipher/cipher-ocb.c: Ditto.
* cipher/cipher-ofb.c: Ditto.
* cipher/cipher-xts.c: Ditto.
* cipher/des.c: Ditto.
* cipher/rijndael.c: Ditto.
* cipher/serpent.c: Ditto.
* cipher/twofish.c: Ditto.
--

This commit adds size-optimized functions for copying and xoring
cipher block sized buffers. These functions also allow GCC to use
inline auto-vectorization for block cipher copying and xoring on
higher optimization levels.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  RFC-8439 was published.
NIIBE Yutaka [Wed, 4 Jul 2018 05:09:38 +0000 (14:09 +0900)]
RFC-8439 was published.

* cipher/cipher-poly1305.c: Update RFC reference.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
5 months ago  Clean-up implementation selection for SHA1 and SHA2
Jussi Kivilinna [Tue, 19 Jun 2018 19:10:49 +0000 (22:10 +0300)]
Clean-up implementation selection for SHA1 and SHA2

* cipher/sha1.c (ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
(do_sha1_transform_amd64_ssse3, do_sha1_transform_amd64_avx)
(do_sha1_transform_amd64_avx_bmi2, do_sha1_transform_intel_shaext)
(do_sha1_transform_armv7_neon, do_sha1_transform_armv8_ce): New.
(transform_blk, transform): Merge to ...
(do_transform_generic): ... this and remove calls to assembly
implementations.
(sha1_init): Select hd->bctx.bwrite based on HW features.
(_gcry_sha1_mixblock, sha1_final): Call hd->bctx.bwrite instead of
transform.
* cipher/sha1.h (SHA1_CONTEXT): Remove implementation selection bits.
* cipher/sha256.h (SHA256_CONTEXT): Remove implementation selection
bits.
(ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
(do_sha256_transform_amd64_ssse3, do_sha256_transform_amd64_avx)
(do_sha256_transform_amd64_avx2, do_sha256_transform_intel_shaext)
(do_sha256_transform_armv8_ce): New.
(transform_blk, transform): Merge to ...
(do_transform_generic): ... this and remove calls to assembly
implementations.
(sha256_init, sha224_init): Select hd->bctx.bwrite based on HW
features.
(sha256_final): Call hd->bctx.bwrite instead of transform.
* cipher/sha512-armv7-neon.S
(_gcry_sha512_transform_armv7_neon): Return zero.
* cipher/sha512.h (SHA512_CONTEXT): Remove implementation selection
bits.
(ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
(do_sha512_transform_armv7_neon, do_sha512_transform_amd64_ssse3)
(do_sha512_transform_amd64_avx, do_sha512_transform_amd64_avx2): New.
[USE_ARM_ASM] (do_transform_generic): New.
(transform_blk, transform): Merge to ...
[!USE_ARM_ASM] (do_transform_generic): ... this and remove calls to
assembly implementations.
(sha512_init, sha384_init): Select hd->bctx.bwrite based on HW
features.
(sha512_final): Call hd->bctx.bwrite instead of transform.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  Add hash_buffer and hash_buffers for SHA-224, SHA-384, SHA3 and BLAKE2
Jussi Kivilinna [Sun, 17 Jun 2018 17:03:28 +0000 (20:03 +0300)]
Add hash_buffer and hash_buffers for SHA-224, SHA-384, SHA3 and BLAKE2

* cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Add hash_buffer and
hash_buffers functions for BLAKE2 variants.
* cipher/keccak.c (_gcry_sha3_hash_buffer, _gcry_sha3_hash_buffers)
(_gcry_sha3_224_hash_buffer, _gcry_sha3_224_hash_buffers)
(_gcry_sha3_256_hash_buffer, _gcry_sha3_256_hash_buffers)
(_gcry_sha3_384_hash_buffer, _gcry_sha3_384_hash_buffers)
(_gcry_sha3_512_hash_buffer, _gcry_sha3_512_hash_buffers): New.
* cipher/sha256.c (_gcry_sha224_hash_buffer)
(_gcry_sha224_hash_buffers): New.
* cipher/sha512.c (_gcry_sha384_hash_buffer)
(_gcry_sha384_hash_buffers): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  Add hash_buffer and hash_buffers pointers to message digest spec
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Add hash_buffer and hash_buffers pointers to message digest spec

* src/cipher-proto.h (gcry_md_hash_buffer_t)
(gcry_md_hash_buffers_t): New.
(gcry_md_spec): Add hash_buffer and hash_buffers.
* cipher/md.c (_gcry_md_hash_buffer, _gcry_md_hash_buffers): Use
hash_buffer/hash_buffers from MD spec instead of hard-coding supported
algorithms.
* cipher/blake2.c: Add NULL to MD spec hash_buffer and hash_buffers
pointers.
* cipher/crc.c: Ditto.
* cipher/gostr3411-94.c: Ditto.
* cipher/keccak.c: Ditto.
* cipher/md2.c: Ditto.
* cipher/md4.c: Ditto.
* cipher/md5.c: Ditto.
* cipher/stribog.c: Ditto.
* cipher/tiger.c: Ditto.
* cipher/whirlpool.c: Ditto.
* cipher/rmd160.c (_gcry_rmd160_hash_buffers): New.
(_gcry_digest_spec_rmd160): Add hash_buffer and hash_buffers functions.
* cipher/sha1.c (_gcry_digest_spec_sha1): Add hash_buffer and
hash_buffers functions.
* cipher/sha256.c (_gcry_digest_spec_sha256): Add hash_buffer and
hash_buffers functions.
(_gcry_digest_spec_sha224): Add NULL pointers for hash_buffer and
hash_buffers.
* cipher/sha512.c (_gcry_digest_spec_sha1): Add hash_buffer and
hash_buffers functions.
(_gcry_digest_spec_sha384): Add NULL pointers for hash_buffer and
hash_buffers.
* cipher/sm3.c (_gcry_digest_spec_sha1): Add hash_buffer and
hash_buffers functions.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  AES: setup cipher object bulk routines with optimized versions
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
AES: setup cipher object bulk routines with optimized versions

* cipher/rijndael-aesni.c
(_gcry_aes_aesni_prepare_decryption): Rename...
(do_aesni_prepare_decryption): .. to this.
(_gcry_aes_aesni_prepare_decryption): New.
(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
(_gcry_aes_aesni_cbc_dec): Reorder parameters to match bulk
operations.
(_gcry_aes_aesni_cbc_dec, aesni_ocb_dec)
(_gcry_aes_aesni_xts_dec): Check and prepare decryption.
(_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): Change return
type to size_t.
* cipher/rijndael-armv8-ce.c
(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
(_gcry_aes_armv8_ce_cbc_dec): Reorder parameters to match bulk
operations.
(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
(_gcry_aes_armv8_ce_xts_dec): Check and prepare decryption.
(_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_ocb_auth): Change
return type to size_t.
* cipher/rijndael-ssse3-amd64.c
(_gcry_ssse3_prepare_decryption): Rename...
(do_ssse3_prepare_decryption): .. to this.
(_gcry_ssse3_prepare_decryption): New.
(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
(_gcry_aes_ssse3_cbc_dec): Reorder parameters to match bulk
operations.
(_gcry_aes_ssse3_cbc_dec, ssse3_ocb_dec): Check and prepare decryption.
(_gcry_aes_ssse3_ocb_crypt, _gcry_aes_ssse3_ocb_auth): Change return
type to size_t.
* cipher/rijndael.c
(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
(_gcry_aes_aesni_cbc_dec, _gcry_aes_aesni_ocb_crypt)
(_gcry_aes_aesni_ocb_auth, _gcry_aes_aesni_xts_crypt)
(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
(_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_ocb_crypt)
(_gcry_aes_ssse3_ocb_auth, _gcry_aes_ssse3_xts_crypt)
(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
(_gcry_aes_armv8_ce_ocb_auth, _gcry_aes_armv8_ce_xts_crypt): Change
prototypes to match bulk operations.
(do_setkey): Setup bulk operations with optimized implementations.
(_gcry_aes_cfb_enc, _gcry_aes_cbc_enc, _gcry_aes_ctr_enc)
(_gcry_aes_cfb_dec, _gcry_aes_cbc_dec, _gcry_aes_ocb_crypt)
(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Update
usage to match new prototypes, avoid prefetch and decryption
preparation on optimized code paths.
--

Replace the bulk operation functions of the cipher object with faster
versions for reduced per-call overhead.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  Pass cipher object pointer to setkey functions
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Pass cipher object pointer to setkey functions

* cipher/cipher.c (cipher_setkey): Pass cipher object pointer to
cipher's setkey function.
* cipher/arcfour.c: Add gcry_cipher_hd_t parameter for setkey
functions and update selftests to pass NULL pointer.
* cipher/blowfish.c: Ditto.
* cipher/camellia-glue.c: Ditto.
* cipher/cast5.c: Ditto.
* cipher/chacha20.c: Ditto.
* cipher/cipher-selftest.c: Ditto.
* cipher/des.c: Ditto.
* cipher/gost28147.c: Ditto.
* cipher/idea.c: Ditto.
* cipher/rfc2268.c: Ditto.
* cipher/rijndael.c: Ditto.
* cipher/salsa20.c: Ditto.
* cipher/seed.c: Ditto.
* cipher/serpent.c: Ditto.
* cipher/twofish.c: Ditto.
* src/cipher-proto.h: Ditto.
--

This allows the setkey function to replace bulk cipher operations
with a faster alternative.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  Add fast path for _gcry_fips_is_operational
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Add fast path for _gcry_fips_is_operational

* src/fips.c (no_fips_mode_required): Rename to...
(_gcry_no_fips_mode_required): ...this and make externally available.
* src/g10lib.h (_gcry_no_fips_mode_required): New extern.
(fips_mode): Inline _gcry_fips_mode to macro, use
_gcry_no_fips_mode_required directly.
(fips_is_operational): Inline fips_mode check from
_gcry_fips_in_operational.
--

Add fast path to reduce call overhead in src/visibility.c where
fips_is_operational is called before cipher/md/etc operations.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  Access cipher mode routines through routine pointers
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Access cipher mode routines through routine pointers

* cipher/cipher-internal.h (gcry_cipher_handle): Add function pointers
for mode operations.
(_gcry_cipher_xts_crypt): Remove.
(_gcry_cipher_xts_encrypt, _gcry_cipher_xts_decrypt): New.
* cipher/cipher-xts.c (_gcry_cipher_xts_encrypt)
(_gcry_cipher_xts_decrypt): New.
* cipher/cipher.c (_gcry_cipher_setup_mode_ops): New.
(_gcry_cipher_open_internal): Setup mode routines.
(cipher_encrypt, cipher_decrypt): Remove.
(do_stream_encrypt, do_stream_decrypt, do_encrypt_none_unknown)
(do_decrypt_none_unknown): New.
(_gcry_cipher_encrypt, _gcry_cipher_decrypt, _gcry_cipher_setiv)
(_gcry_cipher_authenticate, _gcry_cipher_gettag)
(_gcry_cipher_checktag): Adapted to use mode routines through pointers.
--

Change to use mode operations through pointers to reduce per-call
overhead for cipher operations.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  Add separate handlers for CBC-CTS variant
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Add separate handlers for CBC-CTS variant

* cipher/cipher-cbc.c (cbc_encrypt_inner, cbc_decrypt_inner)
(_gcry_cipher_cbc_cts_encrypt, _gcry_cipher_cbc_cts_decrypt): New.
(_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt): Remove CTS
handling.
* cipher/cipher-internal.h (_gcry_cipher_cbc_cts_encrypt)
(_gcry_cipher_cbc_cts_decrypt): New.
* cipher/cipher.c (cipher_encrypt, cipher_decrypt): Call CBC-CTS
handler if CBC-CTS flag is set.
--

Move CTS handling to a separate function for a small decrease in
CBC per-call overhead.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  Avoid division by spec->blocksize in cipher mode handlers
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Avoid division by spec->blocksize in cipher mode handlers

* cipher/cipher-internal.h (_gcry_blocksize_shift): New.
* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
(_gcry_cipher_cbc_decrypt): Use bit-level operations instead of
division to get number of blocks and check input length against
blocksize.
* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
(_gcry_cipher_cfb_decrypt): Ditto.
* cipher/cipher-cmac.c (_gcry_cmac_write): Ditto.
* cipher/cipher-ctr.c (_gcry_cipher_ctr_crypt): Ditto.
* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
(_gcry_cipher_ofb_decrypt): Ditto.
--

Integer division was causing 10 to 20 cycles of per-call overhead
for cipher modes on x86-64.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  Fix CBC-CTS+CBC-MAC flag check
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
Fix CBC-CTS+CBC-MAC flag check

* cipher/cipher.c (_gcry_cipher_open_internal): Check flags separately
instead of AND masking two flags to zero.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  tests/basic: silence GCC-8 warning
Jussi Kivilinna [Tue, 19 Jun 2018 15:34:33 +0000 (18:34 +0300)]
tests/basic: silence GCC-8 warning

* tests/basic.c (check_ofb_cipher, check_stream_cipher): Change
tv[].data[].inlen type from signed to unsigned integer.
--

Patch silences new GCC-8 compiler warning:
 '__builtin_memcmp_eq' specified size between 18446744071562067968 and
 18446744073709551615 exceeds maximum object size 9223372036854775807
 [-Wstringop-overflow=]

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 months ago  random: Fix hang of _gcry_rndjent_get_version.
Will Dietz [Sun, 17 Jun 2018 23:53:58 +0000 (18:53 -0500)]
random: Fix hang of _gcry_rndjent_get_version.

* random/rndjent.c (_gcry_rndjent_get_version): Move locking.

--

While the protection for jent_rng_collector is needed,
_gcry_rndjent_poll is also acquiring the lock for the variable.
Thus, it hangs.

This change is sub-optimal; the lock is released once after the call
to _gcry_rndjent_poll.  It might be good to modify the API of
_gcry_rndjent_poll to explicitly allow this use case of forcing
initialization while keeping the lock.

Comments and change log entry by gniibe.

GnuPG-bug-id: 4034
Fixes-commit: 0de2a22fcf6607d0aecb550feefa414cee3731b2

6 months ago  Add NEWS from the 1.8 and 1.7 branches.
Werner Koch [Wed, 13 Jun 2018 08:37:59 +0000 (10:37 +0200)]
Add NEWS from the 1.8 and 1.7 branches.

--

6 months ago  ecc: Add blinding for ECDSA.
NIIBE Yutaka [Wed, 13 Jun 2018 06:28:58 +0000 (15:28 +0900)]
ecc: Add blinding for ECDSA.

* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
randomized nonce B.

--

Reported-by: Keegan Ryan <Keegan.Ryan@nccgroup.trust>
CVE-id: CVE-2018-0495
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
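
The commit above only says that the secret D is blinded with a random
nonce B before the signing arithmetic.  The following is an added
example, not libgcrypt's code and not a transcription of its formula,
of how such multiplicative blinding works on the scalar part of ECDSA,
s = k^-1 * (h + r*d) mod n, which is the standard equation.  It uses a
toy 32-bit prime as the group order (TOY_N, an assumption for this
example) so that the modular arithmetic fits in plain uint64_t; the
function names are hypothetical.  The point to take away is the
algebra: the secret d is only ever multiplied against the fresh random
b, and every factor of b cancels, so the produced s is identical to the
unblinded one.

```c
#include <stdint.h>

/* Toy group order for this example: 2^32 - 5 is prime, so every
   non-zero residue is invertible, and the product of two residues
   fits in a uint64_t.  A real curve order is ~256 bits and lives in
   the MPI library; the algebra below does not change. */
#define TOY_N 4294967291ULL

static uint64_t addmod(uint64_t a, uint64_t b)
{
    return (a % TOY_N + b % TOY_N) % TOY_N;
}

static uint64_t mulmod(uint64_t a, uint64_t b)
{
    return (a % TOY_N) * (b % TOY_N) % TOY_N;
}

/* Modular inverse via the extended Euclidean algorithm; A must be
   non-zero mod TOY_N.  The Bezout coefficients stay below TOY_N in
   magnitude, so int64_t intermediates do not overflow. */
static uint64_t invmod(uint64_t a)
{
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)TOY_N, newr = (int64_t)(a % TOY_N);
    while (newr != 0) {
        int64_t q = r / newr;
        int64_t tmp = t - q * newt;  t = newt;  newt = tmp;
        tmp = r - q * newr;          r = newr;  newr = tmp;
    }
    if (t < 0)
        t += (int64_t)TOY_N;
    return (uint64_t)t;
}

/* Unblinded ECDSA scalar: s = k^-1 * (h + r*d) mod n.  The product r*d
   touches the long-term secret d directly on every signature. */
uint64_t ecdsa_s_plain(uint64_t h, uint64_t r, uint64_t d, uint64_t k)
{
    return mulmod(invmod(k), addmod(h, mulmod(r, d)));
}

/* Blinded variant with a fresh random b per signature (assumed form of
   the technique, not libgcrypt's exact sequence):
     d' = d*b
     sum = h*b + r*d' = b*(h + r*d)
     s = k^-1 * b^-1 * sum = k^-1 * (h + r*d)
   The secret d is multiplied only against b, which the attacker does not
   know and which changes every call; the factors of b cancel out. */
uint64_t ecdsa_s_blinded(uint64_t h, uint64_t r, uint64_t d,
                         uint64_t k, uint64_t b)
{
    uint64_t d_blind = mulmod(d, b);
    uint64_t sum = addmod(mulmod(h, b), mulmod(r, d_blind));
    uint64_t k_inv = mulmod(invmod(k), invmod(b));
    return mulmod(k_inv, sum);
}

int main(void)
{
    /* Constructed inputs; a real h is the truncated message hash, r the
       x-coordinate of k*G, and k a fresh per-signature nonce. */
    uint64_t s1 = ecdsa_s_plain(0xdeadbeefULL, 0x12345ULL, 0x7777777ULL, 0x31337ULL);
    uint64_t s2 = ecdsa_s_blinded(0xdeadbeefULL, 0x12345ULL, 0x7777777ULL, 0x31337ULL, 42ULL);
    return s1 == s2 ? 0 : 1;   /* 0: blinding left the signature unchanged */
}
```

b must be non-zero mod n (otherwise b^-1 does not exist) and must come
from the CSPRNG, not from a counter; a predictable b gives the attacker
the same view of d that the blinding was meant to remove.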
6 months ago  ecc: Improve gcry_mpi_ec_curve_point
Werner Koch [Tue, 5 Jun 2018 12:33:01 +0000 (14:33 +0200)]
ecc: Improve gcry_mpi_ec_curve_point

* mpi/ec.c (_gcry_mpi_ec_curve_point): Check range of coordinates.
* tests/t-mpi-point.c (point_on_curve): New.
--

Due to the conversion to affine coordinates we didn't detect points
with values >= P.  The solution here might not be the best according
to the NIST standard (it is done there at an earlier opportunity) but
it reliably detects points we do not expect to receive.

The new test vectors have been compared against gnutls/nettle.

Reported-by: Stephan Müller
Signed-off-by: Werner Koch <wk@gnupg.org>
6 months ago  mpi: New internal function _gcry_mpi_cmpabs.
Werner Koch [Tue, 5 Jun 2018 12:29:53 +0000 (14:29 +0200)]
mpi: New internal function _gcry_mpi_cmpabs.

* mpi/mpi-cmp.c (_gcry_mpi_cmp): Factor out to ...
(do_mpi_cmp): New.  Add arg absmode.
(_gcry_mpi_cmpabs): New.
* src/gcrypt-int.h (mpi_cmpabs): New macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
7 months ago  build: Convince gcc not to delete NULL ptr checks.
Werner Koch [Sun, 29 Apr 2018 16:01:24 +0000 (18:01 +0200)]
build: Convince gcc not to delete NULL ptr checks.

* configure.ac: Try to use -fno-delete-null-pointer-checks.

Signed-off-by: Werner Koch <wk@gnupg.org>
7 months ago  prime: Avoid rare assertion failure in gcry_prime_check.
Werner Koch [Sat, 28 Apr 2018 16:30:53 +0000 (18:30 +0200)]
prime: Avoid rare assertion failure in gcry_prime_check.

* cipher/primegen.c (is_prime): Don't fail on the assert X > 1.
--

When using gcry_prime_check the function is_prime can be called with
quite small candidates so there is a real chance that the random X
value is indeed 0 or 1.  This would trigger the assert.  To avoid
this we now retry in this case.

Reported-by: Heiko Stamer
Signed-off-by: Werner Koch <wk@gnupg.org>
7 months ago  mpi: Fix for building for MIPS64 with Clang
Werner Koch [Tue, 17 Apr 2018 15:15:30 +0000 (17:15 +0200)]
mpi: Fix for building for MIPS64 with Clang

* mpi/longlong.h [MIPS64][__clang__]: Use the C version like we
already do for 32 bit MIPS.
--

GnuPG-bug-id: 3915
Signed-off-by: Werner Koch <wk@gnupg.org>
8 months ago  hmac: Use xtrymalloc.
NIIBE Yutaka [Tue, 10 Apr 2018 23:45:22 +0000 (08:45 +0900)]
hmac: Use xtrymalloc.

* src/hmac256.c (_gcry_hmac256_new): Use xtrymalloc.
(_gcry_hmac256_file): Likewise.

--

Don't require config.h but stdint.h for STANDALONE.
Drop STANDALONE support for WindowsCE.

GnuPG-bug-id: 3877
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
8 months ago  basic_all_hwfeature_combinations.sh: use $njobs to limit parallel tasks
Jussi Kivilinna [Tue, 10 Apr 2018 19:14:39 +0000 (22:14 +0300)]
basic_all_hwfeature_combinations.sh: use $njobs to limit parallel tasks

* tests/basic_all_hwfeature_combinations.sh: Use $njobs to limit
parallel tasks instead of fixed number "8".
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  Faster look-up for spec by algo for digests, ciphers and MAC
Jussi Kivilinna [Tue, 10 Apr 2018 19:03:49 +0000 (22:03 +0300)]
Faster look-up for spec by algo for digests, ciphers and MAC

* cipher/cipher.c (cipher_list_algo0, cipher_list_algo301): New cipher
spec lists with same order and spacing as 'gcry_cipher_algos'
enumeration.
(spec_from_algo): Use new spec lists for faster look-up.
* cipher/mac.c (mac_list_algo101, mac_list_algo201, mac_list_algo401)
(mac_list_algo501): New MAC spec lists with same order and spacing as
'gcry_mac_algos' enumeration.
(spec_from_algo): Use new spec lists for faster look-up.
* cipher/md.c (digest_list_algo0, digest_list_algo301): New digest
spec lists with same order and spacing as 'gcry_md_algos'
enumeration.
(spec_from_algo): Use new spec lists for faster look-up.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  Fix building with BLAKE2 disabled
Jussi Kivilinna [Tue, 10 Apr 2018 19:03:49 +0000 (22:03 +0300)]
Fix building with BLAKE2 disabled

* cipher/md.c (md_setkey): Enclose Blake2 part with USE_BLAKE2.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  Add missing BLAKE2, SM3 and GOSTR3411_CP to MAC-HMAC interface
Jussi Kivilinna [Tue, 10 Apr 2018 19:03:49 +0000 (22:03 +0300)]
Add missing BLAKE2, SM3 and GOSTR3411_CP to MAC-HMAC interface

* cipher/mac-hmac.c (map_mac_algo_to_md): Add GOSTR3411_CP, BLAKE2 and
SM3.
(_gcry_mac_type_spec_hmac_gost3411_cp)
(_gcry_mac_type_spec_hmac_blake2b_512)
(_gcry_mac_type_spec_hmac_blake2b_384)
(_gcry_mac_type_spec_hmac_blake2b_256)
(_gcry_mac_type_spec_hmac_blake2b_160)
(_gcry_mac_type_spec_hmac_blake2s_256)
(_gcry_mac_type_spec_hmac_blake2s_224)
(_gcry_mac_type_spec_hmac_blake2s_160)
(_gcry_mac_type_spec_hmac_blake2s_128)
(_gcry_mac_type_spec_hmac_sm3): New.
* cipher/mac-internal.h (_gcry_mac_type_spec_hmac_gost3411_cp)
(_gcry_mac_type_spec_hmac_blake2b_512)
(_gcry_mac_type_spec_hmac_blake2b_384)
(_gcry_mac_type_spec_hmac_blake2b_256)
(_gcry_mac_type_spec_hmac_blake2b_160)
(_gcry_mac_type_spec_hmac_blake2s_256)
(_gcry_mac_type_spec_hmac_blake2s_224)
(_gcry_mac_type_spec_hmac_blake2s_160)
(_gcry_mac_type_spec_hmac_blake2s_128)
(_gcry_mac_type_spec_hmac_sm3): New.
* cipher/mac.c (mac_list): Add GOSTR3411_CP, BLAKE2 and SM3.
* src/gcrypt.h.in (GCRY_MAC_HMAC_GOSTR3411_CP)
(GCRY_MAC_HMAC_BLAKE2B_512, GCRY_MAC_HMAC_BLAKE2B_384)
(GCRY_MAC_HMAC_BLAKE2B_256, GCRY_MAC_HMAC_BLAKE2B_160)
(GCRY_MAC_HMAC_BLAKE2S_256, GCRY_MAC_HMAC_BLAKE2S_224)
(GCRY_MAC_HMAC_BLAKE2S_160, GCRY_MAC_HMAC_BLAKE2S_128)
(GCRY_MAC_HMAC_SM3): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  random: Protect another use of jent_rng_collector.
NIIBE Yutaka [Tue, 10 Apr 2018 02:01:57 +0000 (11:01 +0900)]
random: Protect another use of jent_rng_collector.

* random/rndjent.c (_gcry_rndjent_get_version): Lock the access.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
8 months ago  aarch64/assembly: only use the lower 32 bits of int parameters
Jussi Kivilinna [Sat, 24 Mar 2018 15:49:16 +0000 (17:49 +0200)]
aarch64/assembly: only use the lower 32 bits of int parameters

* cipher/camellia-aarch64.S (_gcry_camellia_arm_encrypt_block)
(_gcry_camellia_arm_decrypt_block): Make comment section about input
registers match usage.
* cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_ocb_auth_armv8_ce): Use
'w12' and 'w7' instead of 'x12' and 'x7'.
(_gcry_aes_xts_enc_armv8_ce, _gcry_aes_xts_dec_armv8_ce): Fix function
prototype in comments.
* mpi/aarch64/mpih-add1.S: Use 32-bit registers for 32-bit mpi_size_t
parameters.
* mpi/aarch64/mpih-mul1.S: Ditto.
* mpi/aarch64/mpih-mul2.S: Ditto.
* mpi/aarch64/mpih-mul3.S: Ditto.
* mpi/aarch64/mpih-sub1.S: Ditto.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  poly1305: silence compiler warning on clang/aarch64
Jussi Kivilinna [Sat, 24 Mar 2018 15:22:45 +0000 (17:22 +0200)]
poly1305: silence compiler warning on clang/aarch64

* cipher/poly1305.c (MUL_MOD_1305_64): cast zero constant to 64-bits.
--

This patch fixes "value size does not match register size specified
by the constraint and modifier [-Wasm-operand-widths]" warnings when
building with clang/aarch64.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  aarch64: Enable building the aarch64 cipher assembly for windows
Martin Storsjö [Thu, 22 Mar 2018 21:32:40 +0000 (23:32 +0200)]
aarch64: Enable building the aarch64 cipher assembly for windows

* cipher/asm-common-aarch64.h: New.
* cipher/camellia-aarch64.S: Use ELF macro, use x19 instead of x18.
* cipher/chacha20-aarch64.S: Use ELF macro, don't use GOT on windows.
* cipher/cipher-gcm-armv8-aarch64-ce.S: Use ELF macro.
* cipher/rijndael-aarch64.S: Use ELF macro.
* cipher/rijndael-armv8-aarch64-ce.S: Use ELF macro.
* cipher/sha1-armv8-aarch64-ce.S: Use ELF macro.
* cipher/sha256-armv8-aarch64-ce.S: Use ELF macro.
* cipher/twofish-aarch64.S: Use ELF macro.
* configure.ac: Don't require .size and .type in aarch64 assembly check.
--
Don't require .type and .size in configure; we can make
them optional via a preprocessor macro.

This is mostly a mechanical change, wrapping the .type and .size
directives in an ELF() macro, with two actual manual changes:
(when targeting windows):
- Don't load global symbols via a GOT (in chacha20)
- Don't use the x18 register (in camellia); back up and restore x19
  in the prologue/epilogue and use that instead.

x18 is a platform specific register; on linux, it's free to be used
by user code, while it's reserved for platform use on windows and
darwin. Always use x19 instead of x18 for consistency.

Signed-off-by: Martin Storsjö <martin@martin.st>
8 months ago  aarch64: camellia: Only use the lower 32 bits of an int parameter
Martin Storsjö [Thu, 22 Mar 2018 21:32:39 +0000 (23:32 +0200)]
aarch64: camellia: Only use the lower 32 bits of an int parameter

* cipher/camellia-aarch64.S: Use 'w3' instead of 'x3'.
--
The keybits parameter is declared as int, and in those cases, the
upper half of a register is undefined, not guaranteed to be zero.

Signed-off-by: Martin Storsjö <martin@martin.st>
8 months ago  aarch64: Fix assembling chacha20-aarch64.S with clang/llvm
Martin Storsjö [Thu, 22 Mar 2018 21:32:38 +0000 (23:32 +0200)]
aarch64: Fix assembling chacha20-aarch64.S with clang/llvm

* cipher/chacha20-aarch64.S: Remove superfluous lane counts.
--
When referring to a specific lane, one doesn't need to specify
the total number of lanes of the register. With GNU binutils,
both forms are accepted, while clang/llvm rejects the form
with the unnecessary number of lanes.

Signed-off-by: Martin Storsjö <martin@martin.st>
8 months ago  aarch64: mpi: Fix building the mpi aarch64 assembly for windows
Martin Storsjö [Thu, 22 Mar 2018 21:32:37 +0000 (23:32 +0200)]
aarch64: mpi: Fix building the mpi aarch64 assembly for windows

* mpi/aarch64/mpih-add1.S: Use ELF macro.
* mpi/aarch64/mpih-mul1.S: Use ELF macro.
* mpi/aarch64/mpih-mul2.S: Use ELF macro.
* mpi/aarch64/mpih-mul3.S: Use ELF macro.
* mpi/aarch64/mpih-sub1.S: Use ELF macro.
* mpi/asm-common-aarch64.h: New.
--

The mpi aarch64 assembly is enabled as soon as the compiler supports
inline assembly, without checking for .type and .size, as is done
for the rest of the assembly in cipher/*.S. (The .type and .size
directives are only supported on ELF.)

Signed-off-by: Martin Storsjö <martin@martin.st>
8 months ago  random: Don't assume that _WIN64 implies x86_64
Martin Storsjö [Thu, 22 Mar 2018 21:32:36 +0000 (23:32 +0200)]
random: Don't assume that _WIN64 implies x86_64

* random/rndw32.c: Change _WIN64 ifdef into __x86_64__.
--

This fixes building this file for windows on aarch64.

Signed-off-by: Martin Storsjö <martin@martin.st>
8 months ago  Register DCO for Martin Storsjö
Jussi Kivilinna [Wed, 28 Mar 2018 17:32:56 +0000 (20:32 +0300)]
Register DCO for Martin Storsjö

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  tests/aeswrap: add in-place encryption/decryption testing
Jussi Kivilinna [Thu, 22 Mar 2018 19:54:20 +0000 (21:54 +0200)]
tests/aeswrap: add in-place encryption/decryption testing

* tests/aeswrap.c (check): Rename to...
(check_one): ...this and add in-place testing.
(check): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  AES-KW: fix in-place encryption
Stephan Mueller [Mon, 12 Mar 2018 21:24:37 +0000 (22:24 +0100)]
AES-KW: fix in-place encryption

* cipher/cipher-aeswrap.c: move memmove call before KW IV setting
--

In case AES-KW in-place encryption is performed, the plaintext must be
moved to the correct destination location before the first semiblock of
the destination buffer is modified. Without the patch, the first
semiblock of the plaintext is overwritten with a6a6a6a6a6a6a6a6.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
8 months ago  bench-slope: add CPU frequency auto-detection
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:23 +0000 (21:42 +0200)]
bench-slope: add CPU frequency auto-detection

* tests/bench-slope.c (bench_obj): Add 'hd'.
(bench_encrypt_init, bench_encrypt_free, bench_encrypt_do_bench)
(bench_decrypt_do_bench, bench_xts_encrypt_init)
(bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench)
(bench_ccm_encrypt_init, bench_ccm_encrypt_do_bench)
(bench_ccm_decrypt_do_bench, bench_aead_encrypt_init)
(bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
(bench_hash_init, bench_hash_free, bench_hash_do_bench)
(bench_mac_init, bench_mac_free, bench_mac_do_bench): Use 'obj->hd'
for storing pointer to crypto context.
(auto_ghz): New.
(do_slope_benchmark): Rename to...
(slope_benchmark): ...this.
(auto_ghz_init, auto_ghz_free, auto_ghz_bench, auto_ghz_detect_ops)
(get_auto_ghz, do_slope_benchmark): New.
(double_to_str): Round number larger than 1000 to integer.
(bench_print_result_csv, bench_print_result_std)
(bench_print_result, bench_print_header, cipher_bench_one)
(hash_bench_one, mac_bench_one, kdf_bench_one, kdf_bench): Add
auto-detected frequency printing.
(print_help): Help for CPU speed auto-detection mode.
(main): Add parsing for "--cpu-mhz auto".
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 months ago  _gcry_burn_stack: use memset for clearing memory
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:23 +0000 (21:42 +0200)]
_gcry_burn_stack: use memset for clearing memory

* src/misc.c (__gcry_burn_stack) [HAVE_VLA]: Use 'memset' for clearing
stack.
--

Patch switches stack burning to use faster memset instead of
wipememory.  Memset is accessed through a volatile function pointer,
so that the compiler will not optimize away the call.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
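
The commit above relies on one property: a call through a volatile
function pointer cannot be proven dead, so the optimiser cannot delete
the clearing store the way it may delete a plain memset() on memory
that is never read again.  The following is an added example of that
technique, not libgcrypt's code; secure_wipe, burn_stack_region and
handle_secret_and_wipe are hypothetical names, and the "secret" is a
constructed value.

```c
#include <stddef.h>
#include <string.h>

/* memset() reached through a volatile function pointer.  At the call
   site the compiler cannot know which function the pointer holds, so it
   cannot treat the call as a dead store and remove it. */
static void *(*const volatile wipe_memset)(void *, int, size_t) = memset;

/* Zero LEN bytes at BUF in a way the optimiser will not elide. */
void secure_wipe(void *buf, size_t len)
{
    wipe_memset(buf, 0, len);
}

/* Burn a scratch region on the current stack so that sensitive values
   spilled there by earlier callees do not linger (C99 VLA variant, the
   same idea as a HAVE_VLA build). */
void burn_stack_region(size_t bytes)
{
    char scratch[bytes ? bytes : 1];
    secure_wipe(scratch, sizeof scratch);
}

/* Example key-handling routine: use a secret, then wipe it before
   returning.  Writes a stand-in "result" to CHECKSUM_OUT (may be NULL)
   and returns the number of non-zero bytes left in the key buffer,
   which is 0 when the wipe took effect. */
size_t handle_secret_and_wipe(unsigned *checksum_out)
{
    unsigned char key[32];
    unsigned sum = 0;
    size_t left = 0;

    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (unsigned char)(0xA5 ^ i);      /* constructed secret */
    for (size_t i = 0; i < sizeof key; i++)
        sum = sum * 31u + key[i];                /* stand-in for real use */
    if (checksum_out)
        *checksum_out = sum;

    secure_wipe(key, sizeof key);                /* key is never needed again */
    burn_stack_region(256);                      /* clear spill area below us */

    for (size_t i = 0; i < sizeof key; i++)
        left += (key[i] != 0);
    return left;
}

int main(void)
{
    unsigned checksum;
    return handle_secret_and_wipe(&checksum) == 0 ? 0 : 1;
}
```

Two caveats.  In handle_secret_and_wipe the bytes are read back after
the wipe, which by itself keeps the store alive; the volatile pointer
matters for the production case where nothing reads the buffer
afterwards.  And burning a VLA only clears the frame the function
chooses to allocate; register spills and red-zone slots of earlier
callees are not guaranteed to lie inside it.  Where the C library
offers explicit_bzero() or memset_s(), those give the same guarantee
with less machinery.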
8 months ago  Improve constant-time buffer compare
Jussi Kivilinna [Thu, 22 Mar 2018 19:42:22 +0000 (21:42 +0200)]
Improve constant-time buffer compare

* cipher/bufhelp.h (buf_eq_const): Rewrite logic.
--

New implementation for constant-time buffer comparison that
avoids generating conditional code in the comparison loop.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
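
The commit above does not show what "conditional code in the
comparison loop" costs.  The following is an added example, not
libgcrypt's buf_eq_const, contrasting an early-exit compare (the
memcmp() pattern, whose running time reveals how many leading bytes of
a forged tag were right) with a branch-free accumulator compare; the
function names leaky_eq, ct_eq and verify_tag are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Early-exit compare: returns at the first differing byte, so the time
   taken grows with the length of the matching prefix.  memcmp() and
   strcmp() behave the same way and must not be used on MACs or tags.
   Shown only as the pattern to avoid. */
int leaky_eq(const void *a, const void *b, size_t len)
{
    const uint8_t *x = a, *y = b;
    for (size_t i = 0; i < len; i++)
        if (x[i] != y[i])
            return 0;
    return 1;
}

/* Constant-time compare: XOR every byte pair and OR the result into an
   accumulator, so the loop does the same work whether the inputs differ
   at byte 0, at byte len-1, or nowhere.  The final reduction maps
   "accumulator non-zero" to 0 and "zero" to 1 with arithmetic only, so
   no branch depends on the data. */
int ct_eq(const void *a, const void *b, size_t len)
{
    const uint8_t *x = a, *y = b;
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint32_t)(x[i] ^ y[i]);
    /* (acc | -acc) has its top bit set exactly when acc != 0. */
    uint32_t nonzero = (acc | ((uint32_t)0 - acc)) >> 31;
    return (int)(1u ^ nonzero);
}

/* Typical use: check a received authentication tag against the one we
   computed.  Returns 1 on match, 0 otherwise; on 0 the caller must
   discard the message without touching the decrypted data. */
int verify_tag(const uint8_t *expected, const uint8_t *received,
               size_t taglen)
{
    return ct_eq(expected, received, taglen);
}

int main(void)
{
    /* Constructed 16-byte tags differing only in the last byte: leaky_eq
       runs 16 iterations here but would stop after 1 if byte 0 differed;
       ct_eq always runs 16. */
    static const uint8_t good[16] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16 };
    static const uint8_t bad[16]  = { 1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 0 };
    return (verify_tag(good, good, 16) == 1 && verify_tag(good, bad, 16) == 0) ? 0 : 1;
}
```

C gives no guarantee that the optimiser preserves the constant-time
shape; check the generated assembly for the targets you ship on, and
treat an inline-asm barrier on the accumulator as cheap insurance.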
8 months ago  doc: Clarify the value range of the use-rsa-e parameter.
Werner Koch [Thu, 22 Mar 2018 14:28:04 +0000 (15:28 +0100)]
doc: Clarify the value range of the use-rsa-e parameter.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
9 months ago  Add Intel SHA Extensions accelerated SHA256 implementation
Jussi Kivilinna [Thu, 15 Feb 2018 20:13:28 +0000 (22:13 +0200)]
Add Intel SHA Extensions accelerated SHA256 implementation

* cipher/Makefile.am: Add 'sha256-intel-shaext.c'.
* cipher/sha256-intel-shaext.c: New.
* cipher/sha256.c (USE_SHAEXT)
(_gcry_sha256_transform_intel_shaext): New.
(SHA256_CONTEXT): Add 'use_shaext'.
(sha256_init, sha224_init) [USE_SHAEXT]: Use shaext if supported.
(transform) [USE_SHAEXT]: Use shaext if enabled.
(transform): Only add ASM_EXTRA_STACK if returned burn length is not
zero.
* configure.ac: Add 'sha256-intel-shaext.lo'.
--

Benchmark on Intel Celeron J3455 (1500 Mhz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |     10.07 ns/B     94.72 MiB/s     15.10 c/B

After (3.7x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |      2.70 ns/B     353.8 MiB/s      4.04 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months ago  Add Intel SHA Extensions accelerated SHA1 implementation
Jussi Kivilinna [Tue, 13 Feb 2018 18:22:41 +0000 (20:22 +0200)]
Add Intel SHA Extensions accelerated SHA1 implementation

* cipher/Makefile.am: Add 'sha1-intel-shaext.c'.
* cipher/sha1-intel-shaext.c: New.
* cipher/sha1.c (USE_SHAEXT, _gcry_sha1_transform_intel_shaext): New.
(sha1_init) [USE_SHAEXT]: Use shaext implementation if supported.
(transform) [USE_SHAEXT]: Use shaext if enabled.
(transform): Only add ASM_EXTRA_STACK if returned burn length is not
zero.
* cipher/sha1.h (SHA1_CONTEXT): Add 'use_shaext'.
* configure.ac: Add 'sha1-intel-shaext.lo'.
(shaextsupport, gcry_cv_gcc_inline_asm_shaext): New.
* src/g10lib.h: Add HWF_INTEL_SHAEXT and reorder HWF flags.
* src/hwf-x86.c (detect_x86_gnuc): Detect SHA Extensions.
* src/hwfeatures.c (hwflist): Add 'intel-shaext'.
--

Benchmark on Intel Celeron J3455 (1500 Mhz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA1           |      4.50 ns/B     211.7 MiB/s      6.76 c/B

After (4.0x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA1           |      1.11 ns/B     858.1 MiB/s      1.67 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
9 months ago  AVX implementation of BLAKE2s
Jussi Kivilinna [Thu, 8 Feb 2018 17:45:10 +0000 (19:45 +0200)]
AVX implementation of BLAKE2s

* cipher/Makefile.am: Add 'blake2s-amd64-avx.S'.
* cipher/blake2.c (USE_AVX, _gcry_blake2s_transform_amd64_avx): New.
(BLAKE2S_CONTEXT) [USE_AVX]: Add 'use_avx'.
(blake2s_transform): Rename to ...
(blake2s_transform_generic): ... this.
(blake2s_transform): New.
(blake2s_final): Pass 'ctx' pointer to transform function instead of
'S'.
(blake2s_init_ctx): Check HW features and enable AVX implementation
if supported.
* cipher/blake2s-amd64-avx.S: New.
* configure.ac: Add 'blake2s-amd64-avx.lo'.
--

Benchmark on Intel Core i7-4790K (4.0 Ghz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2S_256    |      1.77 ns/B     538.2 MiB/s      7.09 c/B

After (~1.3x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2S_256    |      1.34 ns/B     711.4 MiB/s      5.36 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
10 months ago  AVX2 implementation of BLAKE2b
Jussi Kivilinna [Sun, 14 Jan 2018 14:48:17 +0000 (16:48 +0200)]
AVX2 implementation of BLAKE2b

* cipher/Makefile.am: Add 'blake2b-amd64-avx2.S'.
* cipher/blake2.c (USE_AVX2, ASM_FUNC_ABI, ASM_EXTRA_STACK)
(_gcry_blake2b_transform_amd64_avx2): New.
(BLAKE2B_CONTEXT) [USE_AVX2]: Add 'use_avx2'.
(blake2b_transform): Rename to ...
(blake2b_transform_generic): ... this.
(blake2b_transform): New.
(blake2b_final): Pass 'ctx' pointer to transform function instead of
'S'.
(blake2b_init_ctx): Check HW features and enable AVX2 implementation
if supported.
* cipher/blake2b-amd64-avx2.S: New.
* configure.ac: Add 'blake2b-amd64-avx2.lo'.
--

Benchmark on Intel Core i7-4790K (4.0 Ghz, no turbo):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2B_512    |      1.07 ns/B     887.8 MiB/s      4.30 c/B

After (~1.4x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 BLAKE2B_512    |     0.771 ns/B    1236.8 MiB/s      3.08 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
10 months ago  Fix incorrect counter overflow handling for GCM
Jussi Kivilinna [Wed, 31 Jan 2018 18:02:48 +0000 (20:02 +0200)]
Fix incorrect counter overflow handling for GCM

* cipher/cipher-gcm.c (gcm_ctr_encrypt): New function to handle
32-bit CTR increment for GCM.
(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Do not use
generic CTR implementation directly, use gcm_ctr_encrypt instead.
* tests/basic.c (_check_gcm_cipher): Add test-vectors for 32-bit
CTR overflow.
(check_gcm_cipher): Add 'split input to 15 bytes and 17 bytes'
test-runs.
--

Reported-by: Clemens Lang <Clemens.Lang@bmw.de>
> I believe we have found what seems to be a bug in counter overflow
> handling in AES-GCM in libgcrypt's implementation. This leads to
> incorrect results when using a non-12-byte IV and decrypting payloads
> encrypted with other AES-GCM implementations, such as OpenSSL.
>
> According to the NIST Special Publication 800-38D "Recommendation for
> Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC",
> section 7.1, algorithm 4, step 3 [NIST38D], the counter increment is
> defined as inc_32. Section 6.2 of the same document defines the
> incrementing function inc_s for positive integers s as follows:
>
> | the function increments the right-most s bits of the string, regarded
> | as the binary representation of an integer, modulo 2^s; the remaining,
> | left-most len(X) - s bits remain unchanged
>
> (X is the complete counter value in this case)
>
> This problem does not occur when using a 12-byte IV, because AES-GCM has
> a special case for the initial counter value with 12-byte IVs:
>
> | If len(IV)=96, then J_0 = IV || 0^31 || 1
>
> i.e., one would have to encrypt (UINT_MAX - 1) * blocksize of data to
> hit an overflow. However, for non-12-byte IVs, the initial counter value
> is the output of a hash function, which makes hitting an overflow much
> more likely.
>
> In practice, we have found that using
>
>  iv = 9e 79 18 8c ff 09 56 1e c9 90 99 cc 6d 5d f6 d3
>  key = 26 56 e5 73 76 03 c6 95 0d 22 07 31 5d 32 5c 6b a5 54 5f 40 23 98 60 f6 f7 06 6f 7a 4f c2 ca 40
>
> will reliably trigger an overflow when encrypting 10 MiB of data. It
> seems that this is caused by re-using the AES-CTR implementation for
> incrementing the counter.

Bug was introduced by commit bd4bd23a2511a4bce63c3217cca0d4ecf0c79532
"GCM: Use counter mode code for speed-up".

GnuPG-bug-id: 3764
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
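
The report quoted above pins the bug to the difference between NIST's
inc_32 and a generic CTR increment.  The following is an added example,
not libgcrypt's gcm_ctr_encrypt, implementing both increment rules on a
16-byte counter block and showing where they part ways; the function
names and the sample counter block sample_j0 are constructed for this
example.  Encrypting the counter with AES is left out because the
divergence is entirely in the increment.

```c
#include <stdint.h>
#include <string.h>

/* NIST SP 800-38D inc_32: add 1 to the right-most 32 bits of the
   counter block modulo 2^32; the left-most 96 bits never change. */
void gcm_inc32(uint8_t ctr[16])
{
    uint32_t low = ((uint32_t)ctr[12] << 24) | ((uint32_t)ctr[13] << 16)
                 | ((uint32_t)ctr[14] << 8)  |  (uint32_t)ctr[15];
    low += 1;                          /* wraps to 0 after 0xFFFFFFFF */
    ctr[12] = (uint8_t)(low >> 24);
    ctr[13] = (uint8_t)(low >> 16);
    ctr[14] = (uint8_t)(low >> 8);
    ctr[15] = (uint8_t)low;
}

/* Generic CTR-mode increment: the whole 128-bit big-endian value plus 1,
   so a wrap of the low 32 bits carries into byte 11 and beyond. */
void ctr_inc128(uint8_t ctr[16])
{
    for (int i = 15; i >= 0; i--)
        if (++ctr[i] != 0)             /* stop at the first byte that does not wrap */
            break;
}

/* Advance copies of START by NBLOCKS steps under both rules.  Returns 1
   if the two counters differ afterwards (the generic rule produced a
   counter block GCM would never use), 0 if they agree. */
int gcm_counter_diverges(const uint8_t start[16], unsigned long nblocks,
                         uint8_t out_inc32[16], uint8_t out_inc128[16])
{
    memcpy(out_inc32, start, 16);
    memcpy(out_inc128, start, 16);
    for (unsigned long i = 0; i < nblocks; i++) {
        gcm_inc32(out_inc32);
        ctr_inc128(out_inc128);
    }
    return memcmp(out_inc32, out_inc128, 16) != 0;
}

/* Constructed counter block for this example.  With a 96-bit IV the low
   32 bits start at 1, so a wrap needs about 2^32 blocks; with any other
   IV length J_0 is a GHASH output and the low word can start anywhere,
   including right below the wrap as here. */
const uint8_t sample_j0[16] = {
    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
    0x19, 0x1a, 0x1b, 0x1c, 0xff, 0xff, 0xff, 0xff };

/* Self-check: 1 when a single step from SAMPLE_J0 makes the rules
   diverge and inc_32 has left the upper 96 bits untouched. */
int gcm_inc32_selfcheck(void)
{
    uint8_t a[16], b[16];
    if (!gcm_counter_diverges(sample_j0, 1, a, b))
        return 0;
    return memcmp(a, sample_j0, 12) == 0   /* inc_32 kept bytes 0..11 */
        && a[12] == 0 && a[15] == 0        /* low word wrapped to 0 */
        && b[11] == 0x1d;                  /* 128-bit add carried into byte 11 */
}

int main(void)
{
    return gcm_inc32_selfcheck() ? 0 : 1;
}
```

Any implementation that reuses a CTR-mode fast path for GCM needs a
regression vector whose counter crosses the 32-bit boundary inside the
message, and it needs it for a non-96-bit IV, since that is the only
case where the starting counter is effectively random.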
10 months ago  Fix use of AVX instructions in ChaCha20 SSSE3 implementation
Jussi Kivilinna [Mon, 22 Jan 2018 20:17:50 +0000 (22:17 +0200)]
Fix use of AVX instructions in ChaCha20 SSSE3 implementation

* cipher/chacha20-amd64-ssse3.S: Replace two 'vmovdqa' instructions
with 'movdqa'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
10 months ago  doc: fix double "See" in front of reference
Jussi Kivilinna [Sat, 20 Jan 2018 19:12:12 +0000 (21:12 +0200)]
doc: fix double "See" in front of reference

* doc/gcrypt.texi: Change @xref to @ref when text already has 'see' in
the front.
--

@xref references start with `See ...'. Use @ref instead
when text already has 'see' in front.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
10 months ago  Add EAX mode
Jussi Kivilinna [Sat, 20 Jan 2018 19:08:37 +0000 (21:08 +0200)]
Add EAX mode

* cipher/Makefile.am: Add 'cipher-eax.c'.
* cipher/cipher-cmac.c (cmac_write): Rename to ...
(_gcry_cmac_write): ... this; Take CMAC context as new input
parameter; Return error code.
(cmac_generate_subkeys): Rename to ...
(_gcry_cmac_generate_subkeys): ... this; Take CMAC context as new
input parameter; Return error code.
(cmac_final): Rename to ...
(_gcry_cmac_final): ... this; Take CMAC context as new input
parameter; Return error code.
(cmac_tag): Take CMAC context as new input parameter.
(_gcry_cmac_reset): New.
(_gcry_cipher_cmac_authenticate): Remove duplicate tag flag check;
Adapt to changes above.
(_gcry_cipher_cmac_get_tag): Adapt to changes above.
(_gcry_cipher_cmac_check_tag): Ditto.
(_gcry_cipher_cmac_set_subkeys): Ditto.
* cipher-eax.c: New.
* cipher-internal.h (gcry_cmac_context_t): New.
(gcry_cipher_handle): Update u_mode.cmac; Add u_mode.eax.
(_gcry_cmac_write, _gcry_cmac_generate_subkeys, _gcry_cmac_final)
(_gcry_cmac_reset, _gcry_cipher_eax_encrypt, _gcry_cipher_eax_decrypt)
(_gcry_cipher_eax_set_nonce, _gcry_cipher_eax_authenticate)
(_gcry_cipher_eax_get_tag, _gcry_cipher_eax_check_tag)
(_gcry_cipher_eax_setkey): New prototypes.
* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
(cipher_reset, cipher_encrypt, cipher_decrypt, _gcry_cipher_setiv)
(_gcry_cipher_authenticate, _gcry_cipher_gettag, _gcry_cipher_checktag)
(_gcry_cipher_info): Add EAX mode.
* doc/gcrypt.texi: Add EAX mode.
* src/gcrypt.h.in (GCRY_CIPHER_MODE_EAX): New.
* tests/basic.c (_check_gcm_cipher, _check_poly1305_cipher): Constify
test vectors array.
(_check_eax_cipher, check_eax_cipher): New.
(check_ciphers, check_cipher_modes): Add EAX mode.
* tests/bench-slope.c (bench_eax_encrypt_do_bench)
(bench_eax_decrypt_do_bench, bench_eax_authenticate_do_bench)
(eax_encrypt_ops, eax_decrypt_ops, eax_authenticate_ops): New.
(cipher_modes): Add EAX mode.
* tests/benchmark.c (cipher_bench): Add EAX mode.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
10 months ago  cipher: constify spec arrays
Jussi Kivilinna [Sun, 7 Jan 2018 20:19:13 +0000 (22:19 +0200)]
cipher: constify spec arrays

* cipher/cipher.c (cipher_list): Constify array.
* cipher/mac.c (mac_list): Constify array.
* cipher/md.c (digest_list): Constify array.
* cipher/pubkey.c (pubkey_list): Constify array.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
10 months ago  Add ARMv8/CE acceleration for AES-XTS
Jussi Kivilinna [Sat, 20 Jan 2018 20:05:19 +0000 (22:05 +0200)]
Add ARMv8/CE acceleration for AES-XTS

* cipher/rijndael-armv8-aarch32-ce.S (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce): New.
* cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce): New.
* cipher/rijndael-armv8-ce.c (_gcry_aes_xts_enc_armv8_ce)
(_gcry_aes_xts_dec_armv8_ce, xts_crypt_fn_t)
(_gcry_aes_armv8_ce_xts_crypt): New.
* cipher/rijndael.c (_gcry_aes_armv8_ce_xts_crypt): New.
(_gcry_aes_xts_crypt) [USE_ARM_CE]: New.
--

Benchmark on Cortex-A53 (AArch64, 1152 Mhz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      4.88 ns/B     195.5 MiB/s      5.62 c/B
        XTS dec |      4.94 ns/B     192.9 MiB/s      5.70 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      5.55 ns/B     171.8 MiB/s      6.39 c/B
        XTS dec |      5.61 ns/B     169.9 MiB/s      6.47 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      6.22 ns/B     153.3 MiB/s      7.17 c/B
        XTS dec |      6.29 ns/B     151.7 MiB/s      7.24 c/B
                =

After (~2.6x faster):
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      1.83 ns/B     520.9 MiB/s      2.11 c/B
        XTS dec |      1.82 ns/B     524.9 MiB/s      2.09 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      1.97 ns/B     483.3 MiB/s      2.27 c/B
        XTS dec |      1.96 ns/B     486.9 MiB/s      2.26 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.11 ns/B     450.9 MiB/s      2.44 c/B
        XTS dec |      2.10 ns/B     453.8 MiB/s      2.42 c/B
                =

Benchmark on Cortex-A53 (AArch32, 1152 Mhz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      6.52 ns/B     146.2 MiB/s      7.51 c/B
        XTS dec |      6.57 ns/B     145.2 MiB/s      7.57 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      7.10 ns/B     134.3 MiB/s      8.18 c/B
        XTS dec |      7.11 ns/B     134.2 MiB/s      8.19 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      7.30 ns/B     130.7 MiB/s      8.41 c/B
        XTS dec |      7.38 ns/B     129.3 MiB/s      8.50 c/B
                =

After (~2.7x faster):
Cipher:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.33 ns/B     409.6 MiB/s      2.68 c/B
        XTS dec |      2.35 ns/B     405.3 MiB/s      2.71 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.53 ns/B     377.6 MiB/s      2.91 c/B
        XTS dec |      2.54 ns/B     375.5 MiB/s      2.93 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        XTS enc |      2.75 ns/B     346.8 MiB/s      3.17 c/B
        XTS dec |      2.76 ns/B     345.2 MiB/s      3.18 c/B
                =

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
11 months ago  rijndael-ssse3: call assembly functions directly
Jussi Kivilinna [Sat, 6 Jan 2018 21:21:44 +0000 (23:21 +0200)]
rijndael-ssse3: call assembly functions directly

* cipher/rijndael-ssse3-amd64-asm.S (_gcry_aes_ssse3_enc_preload)
(_gcry_aes_ssse3_dec_preload, _gcry_aes_ssse3_encrypt_core)
(_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add
ENTER_SYSV_FUNC_PARAMS_* at function entry and EXIT_SYSV_FUNC at exit.
(_gcry_aes_ssse3_encrypt_core, _gcry_aes_ssse3_decrypt_core): Change
input parameters to RDI and RSI registers.
* cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_encrypt_core)
(_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add parameters
for function prototypes.
(PUSH_STACK_PTR, POP_STACK_PTR): Remove.
(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Remove inline assembly to
call functions, and call directly instead.
--

Instead of using inline assembly to call assembly functions in the
AES SSSE3 implementation, change the assembly functions so that they
can be called directly.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>