libgcrypt.git
2 years ago   tests: Add test to verify GOST 28147-89 against known results.
Dmitry Eremin-Solenikov [Wed, 23 Nov 2016 05:38:31 +0000 (08:38 +0300)]
tests: Add test to verify GOST 28147-89 against known results.

* tests/basic.c (check_gost28147_cipher): New test function.

--
Currently the only test executed against GOST 28147-89 cipher is a
basic cipher test: it checks that decoding of encoded text returns
the original plaintext. Add a function to verify the cipher against
test vectors.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
2 years ago   cipher/gost28147: Fix CryptoPro-B S-BOX.
Dmitry Eremin-Solenikov [Wed, 16 Nov 2016 20:36:01 +0000 (23:36 +0300)]
cipher/gost28147: Fix CryptoPro-B S-BOX.

* cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in
incorrect encryption/decryption using that s-box.  Add missing data.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
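An added check (example code, not part of libgcrypt) for the class of defect this commit fixes: a GOST 28147-89 S-box set is eight rows, each a permutation of the sixteen nibble values, so a table that lost a line fails a per-row permutation test. In a C array initializer the entries after a dropped line are shifted up and the tail is zero-filled, which the same test catches. The table values below are constructed for the example and are not the CryptoPro-B set; gost_sbox_is_valid, make_sample_sbox and drop_line are the example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GOST_ROWS 8
#define GOST_COLS 16

/* Returns 1 when each of the 8 rows is a permutation of 0..15, else 0.
 * A dropped or duplicated line leaves some nibble missing in one row. */
int gost_sbox_is_valid(const uint8_t sbox[GOST_ROWS][GOST_COLS])
{
    for (size_t r = 0; r < GOST_ROWS; r++) {
        uint16_t seen = 0;
        for (size_t c = 0; c < GOST_COLS; c++) {
            if (sbox[r][c] > 15)
                return 0;
            seen |= (uint16_t)(1u << sbox[r][c]);
        }
        if (seen != 0xFFFFu)          /* a value is missing or repeated */
            return 0;
    }
    return 1;
}

/* Constructed sample table (not a standardized S-box): row r maps
 * x -> (7*x + r) mod 16; 7 is coprime to 16, so every row is a permutation. */
void make_sample_sbox(uint8_t sbox[GOST_ROWS][GOST_COLS])
{
    for (size_t r = 0; r < GOST_ROWS; r++)
        for (size_t c = 0; c < GOST_COLS; c++)
            sbox[r][c] = (uint8_t)((c * 7 + r) % 16);
}

/* Simulates a table whose source lost one line: later rows shift up and the
 * last row is left as the zero fill a C initializer would give it. */
void drop_line(uint8_t sbox[GOST_ROWS][GOST_COLS], size_t missing_row)
{
    for (size_t r = missing_row; r + 1 < GOST_ROWS; r++)
        memcpy(sbox[r], sbox[r + 1], GOST_COLS);
    memset(sbox[GOST_ROWS - 1], 0, GOST_COLS);
}

/* Wrappers so the two cases can be checked without setting up arrays. */
int sample_sbox_valid(void)
{
    uint8_t s[GOST_ROWS][GOST_COLS];
    make_sample_sbox(s);
    return gost_sbox_is_valid(s);
}

int dropped_sbox_valid(void)
{
    uint8_t s[GOST_ROWS][GOST_COLS];
    make_sample_sbox(s);
    drop_line(s, 3);
    return gost_sbox_is_valid(s);
}
```

A permutation test of this kind is cheap enough to run at library initialization or in the test suite for every S-box set the cipher ships with, so a truncated table fails before it is ever used for encryption.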
2 years ago   Put blocking calls into Libgpg-error's system call clamp.
Werner Koch [Sat, 12 Nov 2016 10:34:49 +0000 (11:34 +0100)]
Put blocking calls into Libgpg-error's system call clamp.

* src/gcrypt.h.in (GCRYCTL_REINIT_SYSCALL_CLAMP): New.
* configure.ac: Require Libgpg-error 1.25.  Set version number to
1.8.0.
* src/gcrypt-int.h: Remove error code emulation.
* src/global.c (pre_syscall_func, post_syscall_func): New.
(global_init): Call gpgrt_get_syscall_clamp.
(_gcry_vcontrol) <GCRYCTL_REINIT_SYSCALL_CLAMP>: Ditto.
(_gcry_pre_syscall, _gcry_post_syscall): New.
* random/rndlinux.c (_gcry_rndlinux_gather_random): Use the new
functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago   cipher: Fix IDEA cipher for clearing memory.
NIIBE Yutaka [Tue, 1 Nov 2016 05:34:16 +0000 (14:34 +0900)]
cipher: Fix IDEA cipher for clearing memory.

* cipher/idea.c (invert_key): Use wipememory, since this kind of memset
may be removed by compiler optimization.

--
Reported-by: Zhaomo Yang and Brian Johannesmeyer
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
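As an added example (not libgcrypt's code) of the problem this commit addresses: a function that clears a key-derived stack buffer with memset just before returning, which the optimizer may drop as a dead store, beside the same function using a clearing routine that survives optimization. The key expansion is a toy constructed for the example and is not IDEA's schedule; secure_wipe, use_key_unsafe, use_key_safe and the sample keys are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Clears n bytes in a way the optimizer may not remove: every store goes
 * through a volatile pointer, and the empty asm with a "memory" clobber
 * keeps the compiler from concluding that the buffer is dead afterwards. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Toy key expansion, constructed for this example so that the functions
 * below leave key-derived material on the stack (not IDEA's schedule). */
static void expand_key(const uint8_t key[16], uint16_t sched[52])
{
    for (size_t i = 0; i < 52; i++)
        sched[i] = (uint16_t)(((unsigned)key[i % 16] << 8) ^ key[(i * 7) % 16] ^ (unsigned)i);
}

static uint16_t fold(const uint16_t sched[52])
{
    uint16_t acc = 0;
    for (size_t i = 0; i < 52; i++)
        acc ^= sched[i];
    return acc;
}

/* The pattern the commit replaces: nothing reads `sched` after the memset,
 * so at -O2 the compiler may delete it as a dead store and the expanded key
 * stays on the stack after the function returns. */
uint16_t use_key_unsafe(const uint8_t key[16])
{
    uint16_t sched[52];
    uint16_t acc;
    expand_key(key, sched);
    acc = fold(sched);
    memset(sched, 0, sizeof sched);      /* may be optimized away */
    return acc;
}

/* Same computation; the clearing is kept regardless of optimization level. */
uint16_t use_key_safe(const uint8_t key[16])
{
    uint16_t sched[52];
    uint16_t acc;
    expand_key(key, sched);
    acc = fold(sched);
    secure_wipe(sched, sizeof sched);    /* stores are emitted */
    return acc;
}

/* Self-check: fill a buffer, wipe it, report whether every byte is zero. */
int secure_wipe_clears(void)
{
    unsigned char buf[64];
    unsigned char acc = 0;
    memset(buf, 0xAA, sizeof buf);
    secure_wipe(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Constructed sample keys for exercising the two functions. */
const uint8_t zero_key[16]   = {0};
const uint8_t sample_key[16] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
                                0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c};
```

To see the difference, compile with -O2 and disassemble: the memset call in use_key_unsafe is typically gone, while the byte stores of secure_wipe remain. Where available, explicit_bzero (glibc, the BSDs) or C11's optional memset_s give the same guarantee in library form.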
2 years ago   GCM: Add bulk processing for ARMv8/AArch64 implementation
Jussi Kivilinna [Sun, 9 Oct 2016 09:53:48 +0000 (12:53 +0300)]
GCM: Add bulk processing for ARMv8/AArch64 implementation

* cipher/cipher-gcm-armv8-aarch64-ce.S: Add 6 blocks bulk processing.
--

Benchmark on Cortex-A53 (1152 MHz):

Before:
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 GMAC_AES           |      1.30 ns/B     731.6 MiB/s      1.50 c/B

After (1.49x faster):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 GMAC_AES           |     0.873 ns/B    1092.1 MiB/s      1.01 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   GCM: Add bulk processing for ARMv8/AArch32 implementation
Jussi Kivilinna [Sun, 9 Oct 2016 09:52:55 +0000 (12:52 +0300)]
GCM: Add bulk processing for ARMv8/AArch32 implementation

* cipher/cipher-gcm-armv8-aarch32-ce.S: Add 4 blocks bulk processing.
* tests/basic.c (check_digests): Print correct data length for "?"
tests.
(check_one_mac): Add large 1000000 bytes tests, when input is "!" or
"?".
(check_mac): Add "?" tests vectors for HMAC, CMAC, GMAC and POLY1305.
--

Benchmark on Cortex-A53 (1152 MHz):

Before:
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 GMAC_AES           |     0.924 ns/B    1032.2 MiB/s      1.06 c/B

After (1.21x faster):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 GMAC_AES           |     0.764 ns/B    1248.2 MiB/s     0.880 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   Add Aarch64 assembly implementation of Twofish
Jussi Kivilinna [Wed, 27 Apr 2016 15:18:54 +0000 (18:18 +0300)]
Add Aarch64 assembly implementation of Twofish

* cipher/Makefile.am: Add 'twofish-aarch64.S'.
* cipher/twofish-aarch64.S: New.
* cipher/twofish.c: Enable USE_ARM_ASM if __AARCH64EL__ and
HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
* configure.ac [host=aarch64]: Add 'twofish-aarch64.lo'.
--

Patch adds ARMv8/Aarch64 implementation of Twofish.

Benchmark on Cortex-A53 (1152 MHz):

 Before:
 TWOFISH        |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     27.51 ns/B     34.67 MiB/s     31.69 c/B
        ECB dec |     26.37 ns/B     36.17 MiB/s     30.38 c/B
        CBC enc |     28.64 ns/B     33.29 MiB/s     33.00 c/B
        CBC dec |     26.21 ns/B     36.39 MiB/s     30.19 c/B
        CFB enc |     28.54 ns/B     33.42 MiB/s     32.88 c/B
        CFB dec |     27.40 ns/B     34.81 MiB/s     31.56 c/B
        OFB enc |     28.38 ns/B     33.61 MiB/s     32.69 c/B
        OFB dec |     28.37 ns/B     33.61 MiB/s     32.69 c/B
        CTR enc |     27.57 ns/B     34.60 MiB/s     31.76 c/B
        CTR dec |     27.57 ns/B     34.60 MiB/s     31.76 c/B
        CCM enc |     55.28 ns/B     17.25 MiB/s     63.69 c/B
        CCM dec |     55.29 ns/B     17.25 MiB/s     63.70 c/B
       CCM auth |     27.83 ns/B     34.27 MiB/s     32.06 c/B
        GCM enc |     28.86 ns/B     33.04 MiB/s     33.25 c/B
        GCM dec |     28.87 ns/B     33.04 MiB/s     33.25 c/B
       GCM auth |      1.30 ns/B     731.9 MiB/s      1.50 c/B
        OCB enc |     29.69 ns/B     32.12 MiB/s     34.20 c/B
        OCB dec |     28.50 ns/B     33.47 MiB/s     32.83 c/B
       OCB auth |     29.04 ns/B     32.84 MiB/s     33.45 c/B
                =

 After (~1.3x faster):
 TWOFISH        |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     19.97 ns/B     47.77 MiB/s     23.00 c/B
        ECB dec |     18.29 ns/B     52.16 MiB/s     21.06 c/B
        CBC enc |     20.94 ns/B     45.54 MiB/s     24.13 c/B
        CBC dec |     18.34 ns/B     52.00 MiB/s     21.13 c/B
        CFB enc |     20.83 ns/B     45.77 MiB/s     24.00 c/B
        CFB dec |     19.97 ns/B     47.76 MiB/s     23.00 c/B
        OFB enc |     20.94 ns/B     45.54 MiB/s     24.13 c/B
        OFB dec |     20.94 ns/B     45.54 MiB/s     24.13 c/B
        CTR enc |     20.19 ns/B     47.24 MiB/s     23.26 c/B
        CTR dec |     20.19 ns/B     47.24 MiB/s     23.26 c/B
        CCM enc |     40.53 ns/B     23.53 MiB/s     46.69 c/B
        CCM dec |     40.53 ns/B     23.53 MiB/s     46.69 c/B
       CCM auth |     20.40 ns/B     46.74 MiB/s     23.50 c/B
        GCM enc |     21.49 ns/B     44.39 MiB/s     24.75 c/B
        GCM dec |     21.48 ns/B     44.39 MiB/s     24.75 c/B
       GCM auth |      1.30 ns/B     731.8 MiB/s      1.50 c/B
        OCB enc |     22.15 ns/B     43.05 MiB/s     25.52 c/B
        OCB dec |     20.47 ns/B     46.58 MiB/s     23.59 c/B
       OCB auth |     21.64 ns/B     44.07 MiB/s     24.93 c/B
                =

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   Add Aarch64 assembly implementation of Camellia
Jussi Kivilinna [Wed, 27 Apr 2016 15:18:54 +0000 (18:18 +0300)]
Add Aarch64 assembly implementation of Camellia

* cipher/Makefile.am: Add 'camellia-aarch64.S'.
* cipher/camellia-aarch64.S: New.
* cipher/camellia-glue.c [USE_ARM_ASM][__aarch64__]: Set stack burn
size to zero.
* cipher/camellia.h: Enable USE_ARM_ASM if __AARCH64EL__ and
HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
* configure.ac [host=aarch64]: Add 'rijndael-aarch64.lo'.
--

Patch adds ARMv8/Aarch64 implementation of Camellia.

Benchmark on Cortex-A53 (1152 MHz):

 Before:
 CAMELLIA128    |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     39.71 ns/B     24.01 MiB/s     45.75 c/B
        ECB dec |     39.72 ns/B     24.01 MiB/s     45.75 c/B
        CBC enc |     40.80 ns/B     23.38 MiB/s     47.00 c/B
        CBC dec |     39.66 ns/B     24.05 MiB/s     45.69 c/B
        CFB enc |     40.69 ns/B     23.44 MiB/s     46.88 c/B
        CFB dec |     39.66 ns/B     24.05 MiB/s     45.69 c/B
        OFB enc |     40.69 ns/B     23.44 MiB/s     46.88 c/B
        OFB dec |     40.69 ns/B     23.44 MiB/s     46.88 c/B
        CTR enc |     39.88 ns/B     23.91 MiB/s     45.94 c/B
        CTR dec |     39.88 ns/B     23.91 MiB/s     45.94 c/B
        CCM enc |     79.97 ns/B     11.92 MiB/s     92.13 c/B
        CCM dec |     79.97 ns/B     11.93 MiB/s     92.13 c/B
       CCM auth |     40.20 ns/B     23.72 MiB/s     46.31 c/B
        GCM enc |     41.18 ns/B     23.16 MiB/s     47.44 c/B
        GCM dec |     41.18 ns/B     23.16 MiB/s     47.44 c/B
       GCM auth |      1.30 ns/B     732.7 MiB/s      1.50 c/B
        OCB enc |     42.04 ns/B     22.69 MiB/s     48.43 c/B
        OCB dec |     42.03 ns/B     22.69 MiB/s     48.42 c/B
       OCB auth |     41.38 ns/B     23.05 MiB/s     47.67 c/B
                =
 CAMELLIA256    |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     52.36 ns/B     18.22 MiB/s     60.31 c/B
        ECB dec |     52.36 ns/B     18.22 MiB/s     60.31 c/B
        CBC enc |     53.39 ns/B     17.86 MiB/s     61.50 c/B
        CBC dec |     52.14 ns/B     18.29 MiB/s     60.06 c/B
        CFB enc |     53.28 ns/B     17.90 MiB/s     61.38 c/B
        CFB dec |     52.14 ns/B     18.29 MiB/s     60.06 c/B
        OFB enc |     53.17 ns/B     17.94 MiB/s     61.25 c/B
        OFB dec |     53.17 ns/B     17.94 MiB/s     61.25 c/B
        CTR enc |     52.36 ns/B     18.21 MiB/s     60.32 c/B
        CTR dec |     52.36 ns/B     18.21 MiB/s     60.32 c/B
        CCM enc |     105.0 ns/B      9.08 MiB/s     120.9 c/B
        CCM dec |     105.0 ns/B      9.08 MiB/s     120.9 c/B
       CCM auth |     52.74 ns/B     18.08 MiB/s     60.75 c/B
        GCM enc |     53.66 ns/B     17.77 MiB/s     61.81 c/B
        GCM dec |     53.66 ns/B     17.77 MiB/s     61.82 c/B
       GCM auth |      1.30 ns/B     732.3 MiB/s      1.50 c/B
        OCB enc |     54.54 ns/B     17.49 MiB/s     62.83 c/B
        OCB dec |     54.48 ns/B     17.50 MiB/s     62.77 c/B
       OCB auth |     53.89 ns/B     17.70 MiB/s     62.09 c/B
                =

 After (~1.7x faster):
 CAMELLIA128    |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     22.25 ns/B     42.87 MiB/s     25.63 c/B
        ECB dec |     22.25 ns/B     42.87 MiB/s     25.63 c/B
        CBC enc |     23.27 ns/B     40.97 MiB/s     26.81 c/B
        CBC dec |     22.14 ns/B     43.08 MiB/s     25.50 c/B
        CFB enc |     23.17 ns/B     41.17 MiB/s     26.69 c/B
        CFB dec |     22.14 ns/B     43.08 MiB/s     25.50 c/B
        OFB enc |     23.11 ns/B     41.26 MiB/s     26.63 c/B
        OFB dec |     23.11 ns/B     41.26 MiB/s     26.63 c/B
        CTR enc |     22.36 ns/B     42.65 MiB/s     25.76 c/B
        CTR dec |     22.36 ns/B     42.65 MiB/s     25.76 c/B
        CCM enc |     44.87 ns/B     21.26 MiB/s     51.69 c/B
        CCM dec |     44.87 ns/B     21.25 MiB/s     51.69 c/B
       CCM auth |     22.62 ns/B     42.15 MiB/s     26.06 c/B
        GCM enc |     23.66 ns/B     40.31 MiB/s     27.25 c/B
        GCM dec |     23.66 ns/B     40.31 MiB/s     27.25 c/B
       GCM auth |      1.30 ns/B     732.0 MiB/s      1.50 c/B
        OCB enc |     24.32 ns/B     39.21 MiB/s     28.02 c/B
        OCB dec |     24.32 ns/B     39.21 MiB/s     28.02 c/B
       OCB auth |     23.75 ns/B     40.15 MiB/s     27.36 c/B
                =
 CAMELLIA256    |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     29.08 ns/B     32.79 MiB/s     33.50 c/B
        ECB dec |     29.19 ns/B     32.67 MiB/s     33.63 c/B
        CBC enc |     30.11 ns/B     31.67 MiB/s     34.69 c/B
        CBC dec |     29.05 ns/B     32.83 MiB/s     33.47 c/B
        CFB enc |     30.00 ns/B     31.79 MiB/s     34.56 c/B
        CFB dec |     28.97 ns/B     32.91 MiB/s     33.38 c/B
        OFB enc |     29.95 ns/B     31.84 MiB/s     34.50 c/B
        OFB dec |     29.95 ns/B     31.84 MiB/s     34.50 c/B
        CTR enc |     29.19 ns/B     32.67 MiB/s     33.63 c/B
        CTR dec |     29.19 ns/B     32.67 MiB/s     33.63 c/B
        CCM enc |     58.54 ns/B     16.29 MiB/s     67.43 c/B
        CCM dec |     58.54 ns/B     16.29 MiB/s     67.44 c/B
       CCM auth |     29.46 ns/B     32.37 MiB/s     33.94 c/B
        GCM enc |     30.49 ns/B     31.28 MiB/s     35.12 c/B
        GCM dec |     30.49 ns/B     31.27 MiB/s     35.13 c/B
       GCM auth |      1.30 ns/B     731.6 MiB/s      1.50 c/B
        OCB enc |     31.16 ns/B     30.61 MiB/s     35.90 c/B
        OCB dec |     31.22 ns/B     30.55 MiB/s     35.96 c/B
       OCB auth |     30.59 ns/B     31.18 MiB/s     35.24 c/B
                =

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   Add ARMv8/AArch64 Crypto Extension implementation of AES
Jussi Kivilinna [Sun, 4 Sep 2016 10:41:02 +0000 (13:41 +0300)]
Add ARMv8/AArch64 Crypto Extension implementation of AES

* cipher/Makefile.am: Add 'rijndael-armv-aarch64-ce.S'.
* cipher/rijndael-armv8-aarch64-ce.S: New.
* cipher/rijndael-internal.h (USE_ARM_CE): Enable for ARMv8/AArch64.
* configure.ac: Add 'rijndael-armv-aarch64-ce.lo' and
'rijndael-armv8-ce.lo' for ARMv8/AArch64.
--

Improvement vs AArch64 assembly on Cortex-A53:

           AES-128  AES-192  AES-256
CBC enc:    13.19x   13.53x   13.76x
CBC dec:    20.53x   21.91x   22.60x
CFB enc:    14.29x   14.50x   14.63x
CFB dec:    20.42x   21.69x   22.50x
CTR:        18.29x   19.61x   20.53x
OCB enc:    15.21x   16.32x   17.12x
OCB dec:    14.95x   16.11x   16.88x
OCB auth:   16.73x   17.93x   18.66x

Benchmark on Cortex-A53 (1152 MHz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     21.86 ns/B     43.62 MiB/s     25.19 c/B
        ECB dec |     22.68 ns/B     42.05 MiB/s     26.13 c/B
        CBC enc |     18.66 ns/B     51.10 MiB/s     21.50 c/B
        CBC dec |     18.72 ns/B     50.95 MiB/s     21.56 c/B
        CFB enc |     18.61 ns/B     51.25 MiB/s     21.44 c/B
        CFB dec |     18.61 ns/B     51.25 MiB/s     21.44 c/B
        OFB enc |     22.84 ns/B     41.75 MiB/s     26.31 c/B
        OFB dec |     22.84 ns/B     41.75 MiB/s     26.31 c/B
        CTR enc |     18.89 ns/B     50.50 MiB/s     21.76 c/B
        CTR dec |     18.89 ns/B     50.50 MiB/s     21.76 c/B
        CCM enc |     37.55 ns/B     25.40 MiB/s     43.25 c/B
        CCM dec |     37.55 ns/B     25.40 MiB/s     43.25 c/B
       CCM auth |     18.77 ns/B     50.80 MiB/s     21.63 c/B
        GCM enc |     20.18 ns/B     47.25 MiB/s     23.25 c/B
        GCM dec |     20.18 ns/B     47.25 MiB/s     23.25 c/B
       GCM auth |      1.30 ns/B     732.5 MiB/s      1.50 c/B
        OCB enc |     19.67 ns/B     48.48 MiB/s     22.66 c/B
        OCB dec |     19.73 ns/B     48.34 MiB/s     22.72 c/B
       OCB auth |     19.46 ns/B     49.00 MiB/s     22.42 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     25.39 ns/B     37.56 MiB/s     29.25 c/B
        ECB dec |     26.15 ns/B     36.47 MiB/s     30.13 c/B
        CBC enc |     22.08 ns/B     43.19 MiB/s     25.44 c/B
        CBC dec |     22.25 ns/B     42.87 MiB/s     25.63 c/B
        CFB enc |     22.03 ns/B     43.30 MiB/s     25.38 c/B
        CFB dec |     22.03 ns/B     43.29 MiB/s     25.38 c/B
        OFB enc |     26.26 ns/B     36.32 MiB/s     30.25 c/B
        OFB dec |     26.26 ns/B     36.32 MiB/s     30.25 c/B
        CTR enc |     22.30 ns/B     42.76 MiB/s     25.69 c/B
        CTR dec |     22.30 ns/B     42.76 MiB/s     25.69 c/B
        CCM enc |     44.38 ns/B     21.49 MiB/s     51.13 c/B
        CCM dec |     44.38 ns/B     21.49 MiB/s     51.13 c/B
       CCM auth |     22.20 ns/B     42.97 MiB/s     25.57 c/B
        GCM enc |     23.60 ns/B     40.41 MiB/s     27.19 c/B
        GCM dec |     23.60 ns/B     40.41 MiB/s     27.19 c/B
       GCM auth |      1.30 ns/B     732.4 MiB/s      1.50 c/B
        OCB enc |     23.09 ns/B     41.31 MiB/s     26.60 c/B
        OCB dec |     23.21 ns/B     41.09 MiB/s     26.74 c/B
       OCB auth |     22.88 ns/B     41.68 MiB/s     26.36 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     28.76 ns/B     33.17 MiB/s     33.13 c/B
        ECB dec |     29.46 ns/B     32.37 MiB/s     33.94 c/B
        CBC enc |     25.45 ns/B     37.48 MiB/s     29.31 c/B
        CBC dec |     25.50 ns/B     37.40 MiB/s     29.38 c/B
        CFB enc |     25.39 ns/B     37.56 MiB/s     29.25 c/B
        CFB dec |     25.39 ns/B     37.56 MiB/s     29.25 c/B
        OFB enc |     29.62 ns/B     32.19 MiB/s     34.13 c/B
        OFB dec |     29.62 ns/B     32.19 MiB/s     34.13 c/B
        CTR enc |     25.67 ns/B     37.15 MiB/s     29.57 c/B
        CTR dec |     25.67 ns/B     37.15 MiB/s     29.57 c/B
        CCM enc |     51.11 ns/B     18.66 MiB/s     58.88 c/B
        CCM dec |     51.11 ns/B     18.66 MiB/s     58.88 c/B
       CCM auth |     25.56 ns/B     37.32 MiB/s     29.44 c/B
        GCM enc |     26.96 ns/B     35.37 MiB/s     31.06 c/B
        GCM dec |     26.98 ns/B     35.35 MiB/s     31.08 c/B
       GCM auth |      1.30 ns/B     733.4 MiB/s      1.50 c/B
        OCB enc |     26.45 ns/B     36.05 MiB/s     30.47 c/B
        OCB dec |     26.53 ns/B     35.95 MiB/s     30.56 c/B
       OCB auth |     26.24 ns/B     36.34 MiB/s     30.23 c/B
                =

After:
Cipher:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |      4.83 ns/B     197.5 MiB/s      5.56 c/B
        ECB dec |      4.99 ns/B     191.1 MiB/s      5.75 c/B
        CBC enc |      1.41 ns/B     675.5 MiB/s      1.63 c/B
        CBC dec |     0.911 ns/B    1046.9 MiB/s      1.05 c/B
        CFB enc |      1.30 ns/B     732.2 MiB/s      1.50 c/B
        CFB dec |     0.911 ns/B    1046.7 MiB/s      1.05 c/B
        OFB enc |      5.81 ns/B     164.3 MiB/s      6.69 c/B
        OFB dec |      5.81 ns/B     164.3 MiB/s      6.69 c/B
        CTR enc |      1.03 ns/B     924.0 MiB/s      1.19 c/B
        CTR dec |      1.03 ns/B     924.1 MiB/s      1.19 c/B
        CCM enc |      2.50 ns/B     381.8 MiB/s      2.88 c/B
        CCM dec |      2.50 ns/B     381.7 MiB/s      2.88 c/B
       CCM auth |      1.57 ns/B     606.1 MiB/s      1.81 c/B
        GCM enc |      2.33 ns/B     408.5 MiB/s      2.69 c/B
        GCM dec |      2.34 ns/B     408.4 MiB/s      2.69 c/B
       GCM auth |      1.30 ns/B     732.1 MiB/s      1.50 c/B
        OCB enc |      1.29 ns/B     736.6 MiB/s      1.49 c/B
        OCB dec |      1.32 ns/B     724.4 MiB/s      1.52 c/B
       OCB auth |      1.16 ns/B     819.6 MiB/s      1.34 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |      5.48 ns/B     174.0 MiB/s      6.31 c/B
        ECB dec |      5.64 ns/B     169.0 MiB/s      6.50 c/B
        CBC enc |      1.63 ns/B     585.8 MiB/s      1.88 c/B
        CBC dec |      1.02 ns/B     935.8 MiB/s      1.17 c/B
        CFB enc |      1.52 ns/B     627.7 MiB/s      1.75 c/B
        CFB dec |      1.02 ns/B     935.9 MiB/s      1.17 c/B
        OFB enc |      6.46 ns/B     147.7 MiB/s      7.44 c/B
        OFB dec |      6.46 ns/B     147.7 MiB/s      7.44 c/B
        CTR enc |      1.14 ns/B     836.1 MiB/s      1.31 c/B
        CTR dec |      1.14 ns/B     835.9 MiB/s      1.31 c/B
        CCM enc |      2.83 ns/B     337.6 MiB/s      3.25 c/B
        CCM dec |      2.82 ns/B     338.0 MiB/s      3.25 c/B
       CCM auth |      1.79 ns/B     532.7 MiB/s      2.06 c/B
        GCM enc |      2.44 ns/B     390.3 MiB/s      2.82 c/B
        GCM dec |      2.44 ns/B     390.2 MiB/s      2.82 c/B
       GCM auth |      1.30 ns/B     731.9 MiB/s      1.50 c/B
        OCB enc |      1.41 ns/B     674.7 MiB/s      1.63 c/B
        OCB dec |      1.44 ns/B     662.0 MiB/s      1.66 c/B
       OCB auth |      1.28 ns/B     746.1 MiB/s      1.47 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |      6.13 ns/B     155.5 MiB/s      7.06 c/B
        ECB dec |      6.29 ns/B     151.5 MiB/s      7.25 c/B
        CBC enc |      1.85 ns/B     516.8 MiB/s      2.13 c/B
        CBC dec |      1.13 ns/B     845.6 MiB/s      1.30 c/B
        CFB enc |      1.74 ns/B     549.5 MiB/s      2.00 c/B
        CFB dec |      1.13 ns/B     846.1 MiB/s      1.30 c/B
        OFB enc |      7.11 ns/B     134.2 MiB/s      8.19 c/B
        OFB dec |      7.11 ns/B     134.2 MiB/s      8.19 c/B
        CTR enc |      1.25 ns/B     763.5 MiB/s      1.44 c/B
        CTR dec |      1.25 ns/B     763.4 MiB/s      1.44 c/B
        CCM enc |      3.15 ns/B     302.9 MiB/s      3.63 c/B
        CCM dec |      3.15 ns/B     302.9 MiB/s      3.63 c/B
       CCM auth |      2.01 ns/B     474.2 MiB/s      2.32 c/B
        GCM enc |      2.55 ns/B     374.2 MiB/s      2.94 c/B
        GCM dec |      2.55 ns/B     373.7 MiB/s      2.94 c/B
       GCM auth |      1.30 ns/B     732.2 MiB/s      1.50 c/B
        OCB enc |      1.54 ns/B     617.6 MiB/s      1.78 c/B
        OCB dec |      1.57 ns/B     606.8 MiB/s      1.81 c/B
       OCB auth |      1.40 ns/B     679.8 MiB/s      1.62 c/B
                =

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   Add ARMv8/AArch64 Crypto Extension implementation of GCM
Jussi Kivilinna [Sun, 4 Sep 2016 10:41:02 +0000 (13:41 +0300)]
Add ARMv8/AArch64 Crypto Extension implementation of GCM

* cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch64-ce.S'.
* cipher/cipher-gcm-armv8-aarch64-ce.S: New.
* cipher/cipher-internal.h (GCM_USE_ARM_PMULL): Enable on
ARMv8/AArch64.
--

Benchmark on Cortex-A53 (1152 MHz):

Before:
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 GMAC_AES           |     15.54 ns/B     61.36 MiB/s     17.91 c/B

After (11.9x faster):
                    |  nanosecs/byte   mebibytes/sec   cycles/byte
 GMAC_AES           |      1.30 ns/B     731.5 MiB/s      1.50 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   Add ARMv8/AArch64 Crypto Extension implementation of SHA-256
Jussi Kivilinna [Sun, 4 Sep 2016 10:41:02 +0000 (13:41 +0300)]
Add ARMv8/AArch64 Crypto Extension implementation of SHA-256

* cipher/Makefile.am: Add 'sha256-armv8-aarch64-ce.S'.
* cipher/sha256-armv8-aarch64-ce.S: New.
* cipher/sha256-armv8-aarch32-ce.S: Move round macros to correct
section.
* cipher/sha256.c (USE_ARM_CE): Enable on ARMv8/AArch64.
* configure.ac: Add 'sha256-armv8-aarch64-ce.lo'; Swap places for
'sha512-arm.lo' and 'sha256-armv8-aarch32-ce.lo'.
--

Benchmark on Cortex-A53 (1152 MHz):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |     13.34 ns/B     71.51 MiB/s     15.36 c/B

After (7.2x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |      1.85 ns/B     516.3 MiB/s      2.13 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   Add ARMv8/AArch64 Crypto Extension implementation of SHA-1
Jussi Kivilinna [Sun, 4 Sep 2016 10:41:02 +0000 (13:41 +0300)]
Add ARMv8/AArch64 Crypto Extension implementation of SHA-1

* cipher/Makefile.am: Add 'sha1-armv8-aarch64-ce.S'.
* cipher/sha1-armv8-aarch64-ce.S: New.
* cipher/sha1.c (USE_ARM_CE): Enable on ARMv8/AArch64.
* configure.ac: Add 'sha1-armv8-aarch64-ce.lo'.
--

Benchmark on Cortex-A53 (1152 MHz):

Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA1           |      7.54 ns/B     126.4 MiB/s      8.69 c/B

After (4.3x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA1           |      1.72 ns/B     553.0 MiB/s      1.99 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   Add AArch64 assembly implementation of AES
Jussi Kivilinna [Sun, 4 Sep 2016 10:41:02 +0000 (13:41 +0300)]
Add AArch64 assembly implementation of AES

* cipher/Makefile.am: Add 'rijndael-aarch64.S'.
* cipher/rijndael-aarch64.S: New.
* cipher/rijndael-internal.h: Enable USE_ARM_ASM if __AARCH64EL__ and
HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
* configure.ac (gcry_cv_gcc_aarch64_platform_as_ok): New check.
[host=aarch64]: Add 'rijndael-aarch64.lo'.
--

Patch adds ARMv8/Aarch64 implementation of AES.

Benchmark on Cortex-A53 (1536 MHz):

 Before:

 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     19.37 ns/B     49.22 MiB/s     29.76 c/B
        ECB dec |     19.85 ns/B     48.03 MiB/s     30.50 c/B
        CBC enc |     16.84 ns/B     56.62 MiB/s     25.87 c/B
        CBC dec |     16.81 ns/B     56.74 MiB/s     25.82 c/B
        CFB enc |     16.80 ns/B     56.75 MiB/s     25.81 c/B
        CFB dec |     16.81 ns/B     56.75 MiB/s     25.81 c/B
        OFB enc |     20.02 ns/B     47.64 MiB/s     30.75 c/B
        OFB dec |     20.02 ns/B     47.64 MiB/s     30.75 c/B
        CTR enc |     17.06 ns/B     55.91 MiB/s     26.20 c/B
        CTR dec |     17.06 ns/B     55.92 MiB/s     26.20 c/B
        CCM enc |     33.94 ns/B     28.10 MiB/s     52.13 c/B
        CCM dec |     33.94 ns/B     28.10 MiB/s     52.14 c/B
       CCM auth |     16.97 ns/B     56.18 MiB/s     26.07 c/B
        GCM enc |     28.70 ns/B     33.23 MiB/s     44.09 c/B
        GCM dec |     28.70 ns/B     33.23 MiB/s     44.09 c/B
       GCM auth |     11.66 ns/B     81.81 MiB/s     17.90 c/B
        OCB enc |     17.66 ns/B     53.99 MiB/s     27.13 c/B
        OCB dec |     17.61 ns/B     54.16 MiB/s     27.05 c/B
       OCB auth |     17.44 ns/B     54.69 MiB/s     26.78 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     21.82 ns/B     43.71 MiB/s     33.51 c/B
        ECB dec |     22.55 ns/B     42.30 MiB/s     34.63 c/B
        CBC enc |     19.33 ns/B     49.33 MiB/s     29.70 c/B
        CBC dec |     19.50 ns/B     48.91 MiB/s     29.95 c/B
        CFB enc |     19.29 ns/B     49.44 MiB/s     29.63 c/B
        CFB dec |     19.28 ns/B     49.46 MiB/s     29.61 c/B
        OFB enc |     22.49 ns/B     42.40 MiB/s     34.55 c/B
        OFB dec |     22.50 ns/B     42.38 MiB/s     34.56 c/B
        CTR enc |     19.53 ns/B     48.83 MiB/s     30.00 c/B
        CTR dec |     19.54 ns/B     48.80 MiB/s     30.02 c/B
        CCM enc |     38.91 ns/B     24.51 MiB/s     59.77 c/B
        CCM dec |     38.90 ns/B     24.51 MiB/s     59.76 c/B
       CCM auth |     19.45 ns/B     49.02 MiB/s     29.88 c/B
        GCM enc |     31.13 ns/B     30.63 MiB/s     47.82 c/B
        GCM dec |     31.14 ns/B     30.63 MiB/s     47.82 c/B
       GCM auth |     11.66 ns/B     81.80 MiB/s     17.91 c/B
        OCB enc |     20.15 ns/B     47.33 MiB/s     30.95 c/B
        OCB dec |     20.30 ns/B     46.98 MiB/s     31.18 c/B
       OCB auth |     19.92 ns/B     47.88 MiB/s     30.59 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     24.33 ns/B     39.19 MiB/s     37.38 c/B
        ECB dec |     25.23 ns/B     37.80 MiB/s     38.76 c/B
        CBC enc |     21.82 ns/B     43.71 MiB/s     33.51 c/B
        CBC dec |     22.18 ns/B     42.99 MiB/s     34.07 c/B
        CFB enc |     21.77 ns/B     43.80 MiB/s     33.44 c/B
        CFB dec |     21.77 ns/B     43.81 MiB/s     33.44 c/B
        OFB enc |     24.99 ns/B     38.16 MiB/s     38.39 c/B
        OFB dec |     24.99 ns/B     38.17 MiB/s     38.38 c/B
        CTR enc |     22.02 ns/B     43.32 MiB/s     33.82 c/B
        CTR dec |     22.02 ns/B     43.31 MiB/s     33.82 c/B
        CCM enc |     43.86 ns/B     21.74 MiB/s     67.38 c/B
        CCM dec |     43.87 ns/B     21.74 MiB/s     67.39 c/B
       CCM auth |     21.94 ns/B     43.48 MiB/s     33.69 c/B
        GCM enc |     33.66 ns/B     28.33 MiB/s     51.71 c/B
        GCM dec |     33.66 ns/B     28.33 MiB/s     51.70 c/B
       GCM auth |     11.69 ns/B     81.59 MiB/s     17.95 c/B
        OCB enc |     22.90 ns/B     41.65 MiB/s     35.17 c/B
        OCB dec |     23.25 ns/B     41.02 MiB/s     35.71 c/B
       OCB auth |     22.69 ns/B     42.03 MiB/s     34.85 c/B
                =

 After (~1.2x faster):

 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     16.40 ns/B     58.16 MiB/s     25.19 c/B
        ECB dec |     17.01 ns/B     56.07 MiB/s     26.13 c/B
        CBC enc |     13.99 ns/B     68.15 MiB/s     21.49 c/B
        CBC dec |     14.04 ns/B     67.94 MiB/s     21.56 c/B
        CFB enc |     13.96 ns/B     68.32 MiB/s     21.44 c/B
        CFB dec |     13.95 ns/B     68.34 MiB/s     21.43 c/B
        OFB enc |     17.14 ns/B     55.65 MiB/s     26.32 c/B
        OFB dec |     17.13 ns/B     55.67 MiB/s     26.31 c/B
        CTR enc |     14.17 ns/B     67.31 MiB/s     21.76 c/B
        CTR dec |     14.17 ns/B     67.29 MiB/s     21.77 c/B
        CCM enc |     28.16 ns/B     33.86 MiB/s     43.26 c/B
        CCM dec |     28.16 ns/B     33.87 MiB/s     43.26 c/B
       CCM auth |     14.08 ns/B     67.71 MiB/s     21.63 c/B
        GCM enc |     25.82 ns/B     36.94 MiB/s     39.66 c/B
        GCM dec |     25.82 ns/B     36.94 MiB/s     39.65 c/B
       GCM auth |     11.67 ns/B     81.74 MiB/s     17.92 c/B
        OCB enc |     14.78 ns/B     64.55 MiB/s     22.69 c/B
        OCB dec |     14.80 ns/B     64.43 MiB/s     22.74 c/B
       OCB auth |     14.59 ns/B     65.36 MiB/s     22.41 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     19.05 ns/B     50.07 MiB/s     29.25 c/B
        ECB dec |     19.62 ns/B     48.62 MiB/s     30.13 c/B
        CBC enc |     16.56 ns/B     57.59 MiB/s     25.44 c/B
        CBC dec |     16.69 ns/B     57.14 MiB/s     25.64 c/B
        CFB enc |     16.52 ns/B     57.71 MiB/s     25.38 c/B
        CFB dec |     16.52 ns/B     57.73 MiB/s     25.37 c/B
        OFB enc |     19.70 ns/B     48.41 MiB/s     30.26 c/B
        OFB dec |     19.69 ns/B     48.43 MiB/s     30.24 c/B
        CTR enc |     16.73 ns/B     57.00 MiB/s     25.70 c/B
        CTR dec |     16.73 ns/B     57.01 MiB/s     25.70 c/B
        CCM enc |     33.29 ns/B     28.65 MiB/s     51.13 c/B
        CCM dec |     33.29 ns/B     28.65 MiB/s     51.13 c/B
       CCM auth |     16.65 ns/B     57.29 MiB/s     25.57 c/B
        GCM enc |     28.39 ns/B     33.60 MiB/s     43.60 c/B
        GCM dec |     28.39 ns/B     33.59 MiB/s     43.60 c/B
       GCM auth |     11.64 ns/B     81.92 MiB/s     17.88 c/B
        OCB enc |     17.33 ns/B     55.03 MiB/s     26.62 c/B
        OCB dec |     17.40 ns/B     54.82 MiB/s     26.72 c/B
       OCB auth |     17.16 ns/B     55.59 MiB/s     26.35 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     21.56 ns/B     44.23 MiB/s     33.12 c/B
        ECB dec |     22.09 ns/B     43.17 MiB/s     33.93 c/B
        CBC enc |     19.09 ns/B     49.97 MiB/s     29.31 c/B
        CBC dec |     19.13 ns/B     49.86 MiB/s     29.38 c/B
        CFB enc |     19.04 ns/B     50.09 MiB/s     29.24 c/B
        CFB dec |     19.04 ns/B     50.08 MiB/s     29.25 c/B
        OFB enc |     22.22 ns/B     42.93 MiB/s     34.13 c/B
        OFB dec |     22.22 ns/B     42.92 MiB/s     34.13 c/B
        CTR enc |     19.25 ns/B     49.53 MiB/s     29.57 c/B
        CTR dec |     19.25 ns/B     49.55 MiB/s     29.57 c/B
        CCM enc |     38.33 ns/B     24.88 MiB/s     58.88 c/B
        CCM dec |     38.34 ns/B     24.88 MiB/s     58.88 c/B
       CCM auth |     19.17 ns/B     49.76 MiB/s     29.44 c/B
        GCM enc |     30.91 ns/B     30.86 MiB/s     47.47 c/B
        GCM dec |     30.91 ns/B     30.85 MiB/s     47.48 c/B
       GCM auth |     11.71 ns/B     81.47 MiB/s     17.98 c/B
        OCB enc |     19.85 ns/B     48.04 MiB/s     30.49 c/B
        OCB dec |     19.89 ns/B     47.95 MiB/s     30.55 c/B
       OCB auth |     19.67 ns/B     48.48 MiB/s     30.22 c/B
                =

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago   Post release updates
Werner Koch [Wed, 17 Aug 2016 11:40:19 +0000 (13:40 +0200)]
Post release updates

--

2 years ago  Release 1.7.3 libgcrypt-1.7.3
Werner Koch [Wed, 17 Aug 2016 11:31:12 +0000 (13:31 +0200)]
Release 1.7.3

* configure.ac: Set LT version to C21/A1/R3.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  random: Hash continuous areas in the csprng pool.
Werner Koch [Mon, 8 Aug 2016 10:54:08 +0000 (12:54 +0200)]
random: Hash continuous areas in the csprng pool.

* random/random-csprng.c (mix_pool): Store the first hash at the end
of the pool.
--

This fixes a long standing bug (since 1998) in Libgcrypt and GnuPG.
An attacker who obtains 580 bytes of the random number from the
standard RNG can trivially predict the next 20 bytes of output.

For use in GnuPG this bug does not affect the default generation of
keys because running gpg for key creation creates at most 2 keys from
the pool: For a single 4096 bit RSA key 512 byte of random are
required and thus for the second key (encryption subkey), 20 bytes
could be predicted from the first key.  However, the security of
an OpenPGP key depends on the primary key (which was generated first)
and thus the 20 predictable bytes should not be a problem.  For the
default key length of 2048 bit nothing will be predictable.

For the former default of DSA+Elgamal keys it is complicated to give an
answer: For 2048 bit keys a pool of 30 non-secret candidate primes of
about 300 bits each are first created.  This reads at least 1140 bytes
from the pool and thus parts could be predicted.  At some point a 256
bit secret is read from the pool; which in the worst case might be
partly predictable.

The bug was found and reported by Felix Dörre and Vladimir Klebanov,
Karlsruhe Institute of Technology.  A paper describing the problem in
detail will shortly be published.

CVE-id: CVE-2016-6313
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  random: Improve the diagram showing the random mixing
Werner Koch [Mon, 8 Aug 2016 10:08:43 +0000 (12:08 +0200)]
random: Improve the diagram showing the random mixing

* random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  crc-intel-pclmul: split assembly block to ease register pressure
Jussi Kivilinna [Tue, 19 Jul 2016 10:20:53 +0000 (13:20 +0300)]
crc-intel-pclmul: split assembly block to ease register pressure

* cipher/crc-intel-pclmul.c (crc32_less_than_16): Split inline
assembly block handling 4 byte input into multiple blocks.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  rijndael-aesni: split assembly block to ease register pressure
Jussi Kivilinna [Tue, 19 Jul 2016 10:20:13 +0000 (13:20 +0300)]
rijndael-aesni: split assembly block to ease register pressure

* cipher/rijndael-aesni.c (do_aesni_ctr_4): Use single register
constraint for passing 'bige_addb' to assembly block; split
first inline assembly block into two parts.
--

Fixes compiling on i386 with GCC-4.8 and older.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Add ARMv8/AArch32 Crypto Extension implementation of AES
Jussi Kivilinna [Thu, 14 Jul 2016 14:55:28 +0000 (17:55 +0300)]
Add ARMv8/AArch32 Crypto Extension implementation of AES

* cipher/Makefile.am: Add 'rijndael-armv8-ce.c' and
'rijndael-armv-aarch32-ce.S'.
* cipher/rijndael-armv8-aarch32-ce.S: New.
* cipher/rijndael-armv8-ce.c: New.
* cipher/rijndael-internal.h (USE_ARM_CE): New.
(RIJNDAEL_context_s): Add 'use_arm_ce'.
* cipher/rijndael.c [USE_ARM_CE] (_gcry_aes_armv8_ce_setkey)
(_gcry_aes_armv8_ce_prepare_decryption)
(_gcry_aes_armv8_ce_encrypt, _gcry_aes_armv8_ce_decrypt)
(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
(_gcry_aes_armv8_ce_ocb_auth): New.
(do_setkey) [USE_ARM_CE]: Add ARM CE/AES HW feature check and key
setup for ARM CE.
(prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_ARM_CE]: Add
ARM CE support.
* configure.ac: Add 'rijndael-armv8-ce.lo' and
'rijndael-armv8-aarch32-ce.lo'.
--

Improvement vs ARM assembly on Cortex-A53:

           AES-128  AES-192  AES-256
CBC enc:   14.8x    12.8x    11.4x
CBC dec:   21.4x    20.5x    19.4x
CFB enc:   16.2x    13.6x    11.6x
CFB dec:   21.6x    20.5x    19.4x
CTR:       19.1x    18.6x    17.8x
OCB enc:   16.0x    16.2x    16.1x
OCB dec:   15.6x    15.9x    15.8x
OCB auth:  18.3x    18.4x    18.0x

Benchmark on Cortex-A53 (1152 MHz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     24.42 ns/B     39.06 MiB/s     28.13 c/B
        ECB dec |     25.07 ns/B     38.05 MiB/s     28.88 c/B
        CBC enc |     21.05 ns/B     45.30 MiB/s     24.25 c/B
        CBC dec |     21.16 ns/B     45.07 MiB/s     24.38 c/B
        CFB enc |     21.05 ns/B     45.31 MiB/s     24.25 c/B
        CFB dec |     21.38 ns/B     44.61 MiB/s     24.62 c/B
        OFB enc |     26.15 ns/B     36.47 MiB/s     30.13 c/B
        OFB dec |     26.15 ns/B     36.47 MiB/s     30.13 c/B
        CTR enc |     21.17 ns/B     45.06 MiB/s     24.38 c/B
        CTR dec |     21.16 ns/B     45.06 MiB/s     24.38 c/B
        CCM enc |     42.32 ns/B     22.53 MiB/s     48.75 c/B
        CCM dec |     42.32 ns/B     22.53 MiB/s     48.75 c/B
       CCM auth |     21.17 ns/B     45.06 MiB/s     24.38 c/B
        GCM enc |     22.08 ns/B     43.19 MiB/s     25.44 c/B
        GCM dec |     22.08 ns/B     43.18 MiB/s     25.44 c/B
       GCM auth |     0.923 ns/B    1032.8 MiB/s      1.06 c/B
        OCB enc |     26.20 ns/B     36.40 MiB/s     30.18 c/B
        OCB dec |     25.97 ns/B     36.73 MiB/s     29.91 c/B
       OCB auth |     24.52 ns/B     38.90 MiB/s     28.24 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     27.83 ns/B     34.26 MiB/s     32.06 c/B
        ECB dec |     28.54 ns/B     33.42 MiB/s     32.88 c/B
        CBC enc |     24.47 ns/B     38.97 MiB/s     28.19 c/B
        CBC dec |     25.27 ns/B     37.74 MiB/s     29.11 c/B
        CFB enc |     25.08 ns/B     38.02 MiB/s     28.89 c/B
        CFB dec |     25.31 ns/B     37.68 MiB/s     29.16 c/B
        OFB enc |     29.57 ns/B     32.25 MiB/s     34.06 c/B
        OFB dec |     29.57 ns/B     32.25 MiB/s     34.06 c/B
        CTR enc |     25.24 ns/B     37.78 MiB/s     29.08 c/B
        CTR dec |     25.24 ns/B     37.79 MiB/s     29.08 c/B
        CCM enc |     49.81 ns/B     19.15 MiB/s     57.38 c/B
        CCM dec |     49.80 ns/B     19.15 MiB/s     57.37 c/B
       CCM auth |     24.58 ns/B     38.80 MiB/s     28.32 c/B
        GCM enc |     26.15 ns/B     36.47 MiB/s     30.13 c/B
        GCM dec |     26.11 ns/B     36.52 MiB/s     30.08 c/B
       GCM auth |     0.923 ns/B    1033.0 MiB/s      1.06 c/B
        OCB enc |     29.59 ns/B     32.23 MiB/s     34.09 c/B
        OCB dec |     29.42 ns/B     32.42 MiB/s     33.89 c/B
       OCB auth |     27.92 ns/B     34.16 MiB/s     32.16 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |     31.20 ns/B     30.57 MiB/s     35.94 c/B
        ECB dec |     31.80 ns/B     29.99 MiB/s     36.63 c/B
        CBC enc |     27.83 ns/B     34.27 MiB/s     32.06 c/B
        CBC dec |     27.87 ns/B     34.21 MiB/s     32.11 c/B
        CFB enc |     27.88 ns/B     34.20 MiB/s     32.12 c/B
        CFB dec |     28.16 ns/B     33.87 MiB/s     32.44 c/B
        OFB enc |     32.93 ns/B     28.96 MiB/s     37.94 c/B
        OFB dec |     32.93 ns/B     28.96 MiB/s     37.94 c/B
        CTR enc |     27.95 ns/B     34.13 MiB/s     32.19 c/B
        CTR dec |     27.95 ns/B     34.12 MiB/s     32.20 c/B
        CCM enc |     55.88 ns/B     17.07 MiB/s     64.38 c/B
        CCM dec |     55.88 ns/B     17.07 MiB/s     64.38 c/B
       CCM auth |     27.95 ns/B     34.12 MiB/s     32.20 c/B
        GCM enc |     28.86 ns/B     33.05 MiB/s     33.25 c/B
        GCM dec |     28.87 ns/B     33.04 MiB/s     33.25 c/B
       GCM auth |     0.923 ns/B    1033.0 MiB/s      1.06 c/B
        OCB enc |     32.96 ns/B     28.94 MiB/s     37.97 c/B
        OCB dec |     32.73 ns/B     29.14 MiB/s     37.70 c/B
       OCB auth |     31.29 ns/B     30.48 MiB/s     36.04 c/B

After:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |      5.10 ns/B     187.0 MiB/s      5.88 c/B
        ECB dec |      5.27 ns/B     181.0 MiB/s      6.07 c/B
        CBC enc |      1.41 ns/B     675.8 MiB/s      1.63 c/B
        CBC dec |     0.992 ns/B     961.7 MiB/s      1.14 c/B
        CFB enc |      1.30 ns/B     732.4 MiB/s      1.50 c/B
        CFB dec |     0.991 ns/B     962.7 MiB/s      1.14 c/B
        OFB enc |      7.05 ns/B     135.2 MiB/s      8.13 c/B
        OFB dec |      7.05 ns/B     135.2 MiB/s      8.13 c/B
        CTR enc |      1.11 ns/B     856.9 MiB/s      1.28 c/B
        CTR dec |      1.11 ns/B     857.0 MiB/s      1.28 c/B
        CCM enc |      2.58 ns/B     369.8 MiB/s      2.97 c/B
        CCM dec |      2.58 ns/B     369.5 MiB/s      2.97 c/B
       CCM auth |      1.58 ns/B     605.2 MiB/s      1.82 c/B
        GCM enc |      2.04 ns/B     467.9 MiB/s      2.35 c/B
        GCM dec |      2.04 ns/B     466.6 MiB/s      2.35 c/B
       GCM auth |     0.923 ns/B    1033.0 MiB/s      1.06 c/B
        OCB enc |      1.64 ns/B     579.8 MiB/s      1.89 c/B
        OCB dec |      1.66 ns/B     574.5 MiB/s      1.91 c/B
       OCB auth |      1.33 ns/B     715.5 MiB/s      1.54 c/B
                =
 AES192         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |      5.64 ns/B     169.0 MiB/s      6.50 c/B
        ECB dec |      5.81 ns/B     164.3 MiB/s      6.69 c/B
        CBC enc |      1.90 ns/B     502.1 MiB/s      2.19 c/B
        CBC dec |      1.24 ns/B     771.7 MiB/s      1.42 c/B
        CFB enc |      1.84 ns/B     517.1 MiB/s      2.12 c/B
        CFB dec |      1.23 ns/B     772.5 MiB/s      1.42 c/B
        OFB enc |      7.60 ns/B     125.5 MiB/s      8.75 c/B
        OFB dec |      7.60 ns/B     125.6 MiB/s      8.75 c/B
        CTR enc |      1.36 ns/B     702.7 MiB/s      1.56 c/B
        CTR dec |      1.36 ns/B     702.5 MiB/s      1.56 c/B
        CCM enc |      3.31 ns/B     287.8 MiB/s      3.82 c/B
        CCM dec |      3.31 ns/B     288.0 MiB/s      3.81 c/B
       CCM auth |      2.06 ns/B     462.1 MiB/s      2.38 c/B
        GCM enc |      2.28 ns/B     418.4 MiB/s      2.63 c/B
        GCM dec |      2.28 ns/B     418.0 MiB/s      2.63 c/B
       GCM auth |     0.923 ns/B    1032.8 MiB/s      1.06 c/B
        OCB enc |      1.83 ns/B     520.1 MiB/s      2.11 c/B
        OCB dec |      1.84 ns/B     517.8 MiB/s      2.12 c/B
       OCB auth |      1.52 ns/B     626.1 MiB/s      1.75 c/B
                =
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        ECB enc |      5.86 ns/B     162.7 MiB/s      6.75 c/B
        ECB dec |      6.02 ns/B     158.3 MiB/s      6.94 c/B
        CBC enc |      2.44 ns/B     390.5 MiB/s      2.81 c/B
        CBC dec |      1.45 ns/B     656.4 MiB/s      1.67 c/B
        CFB enc |      2.39 ns/B     399.5 MiB/s      2.75 c/B
        CFB dec |      1.45 ns/B     656.8 MiB/s      1.67 c/B
        OFB enc |      7.81 ns/B     122.1 MiB/s      9.00 c/B
        OFB dec |      7.81 ns/B     122.1 MiB/s      9.00 c/B
        CTR enc |      1.57 ns/B     605.8 MiB/s      1.81 c/B
        CTR dec |      1.57 ns/B     605.9 MiB/s      1.81 c/B
        CCM enc |      4.07 ns/B     234.3 MiB/s      4.69 c/B
        CCM dec |      4.07 ns/B     234.1 MiB/s      4.69 c/B
       CCM auth |      2.61 ns/B     365.7 MiB/s      3.00 c/B
        GCM enc |      2.50 ns/B     381.9 MiB/s      2.88 c/B
        GCM dec |      2.49 ns/B     382.3 MiB/s      2.87 c/B
       GCM auth |     0.926 ns/B    1029.7 MiB/s      1.07 c/B
        OCB enc |      2.05 ns/B     465.6 MiB/s      2.36 c/B
        OCB dec |      2.06 ns/B     462.0 MiB/s      2.38 c/B
       OCB auth |      1.74 ns/B     548.4 MiB/s      2.00 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Add ARMv8/AArch32 Crypto Extension implementation of GCM
Jussi Kivilinna [Thu, 14 Jul 2016 14:55:28 +0000 (17:55 +0300)]
Add ARMv8/AArch32 Crypto Extension implementation of GCM

* cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch32-ce.S'.
* cipher/cipher-gcm-armv8-aarch32-ce.S: New.
* cipher/cipher-gcm.c [GCM_USE_ARM_PMULL]
(_gcry_ghash_setup_armv8_ce_pmull, _gcry_ghash_armv8_ce_pmull)
(ghash_setup_armv8_ce_pmull, ghash_armv8_ce_pmull): New.
(setupM) [GCM_USE_ARM_PMULL]: Enable ARM PMULL implementation if
HWF_ARM_PULL HW feature flag is enabled.
* cipher/cipher-gcm.h (GCM_USE_ARM_PMULL): New.
--

Benchmark on Cortex-A53 (1152 MHz):

Before:
                     |  nanosecs/byte   mebibytes/sec   cycles/byte
  GMAC_AES           |     24.10 ns/B     39.57 MiB/s     27.76 c/B

After (~26x faster):
                     |  nanosecs/byte   mebibytes/sec   cycles/byte
  GMAC_AES           |     0.924 ns/B    1032.2 MiB/s      1.06 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Add ARMv8/AArch32 Crypto Extension implementation of SHA-256
Jussi Kivilinna [Thu, 14 Jul 2016 14:55:28 +0000 (17:55 +0300)]
Add ARMv8/AArch32 Crypto Extension implementation of SHA-256

* cipher/Makefile.am: Add 'sha256-armv8-aarch32-ce.S'.
* cipher/sha256-armv8-aarch32-ce.S: New.
* cipher/sha256.c (USE_ARM_CE): New.
(sha256_init, sha224_init): Check features for HWF_ARM_SHA1.
[USE_ARM_CE] (_gcry_sha256_transform_armv8_ce): New.
(transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports.
(SHA256_CONTEXT): Add 'use_arm_ce'.
* configure.ac: Add 'sha256-armv8-aarch32-ce.lo'.
--

Benchmark on Cortex-A53 (1152 MHz):

Before:

                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     17.38 ns/B     54.88 MiB/s     20.02 c/B

After (~9.3x faster):

                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |      1.85 ns/B     515.7 MiB/s      2.13 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Add ARMv8/AArch32 Crypto Extension implementation of SHA-1
Jussi Kivilinna [Thu, 14 Jul 2016 14:55:28 +0000 (17:55 +0300)]
Add ARMv8/AArch32 Crypto Extension implementation of SHA-1

* cipher/Makefile.am: Add 'sha1-armv8-aarch32-ce.S'.
* cipher/sha1-armv7-neon.S (_gcry_sha1_transform_armv7_neon): Add
missing size.
* cipher/sha1-armv8-aarch32-ce.S: New.
* cipher/sha1.c (USE_ARM_CE): New.
(sha1_init): Check features for HWF_ARM_SHA1.
[USE_ARM_CE] (_gcry_sha1_transform_armv8_ce): New.
(transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports
it.
* cipher/sha1.h (SHA1_CONTEXT): Add 'use_arm_ce'.
* configure.ac: Add 'sha1-armv8-aarch32-ce.lo'.
--

Benchmark on Cortex-A53 (1152 MHz):

Before (SHA-1 NEON):

                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA1           |      6.62 ns/B     144.2 MiB/s      7.62 c/B

After (~3.8x faster):

                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA1           |      1.73 ns/B     552.2 MiB/s      1.99 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Add HW feature check for ARMv8 AArch64 and crypto extensions
Jussi Kivilinna [Thu, 14 Jul 2016 14:55:28 +0000 (17:55 +0300)]
Add HW feature check for ARMv8 AArch64 and crypto extensions

* configure.ac: Add '--disable-arm-crypto-support'; enable hwf-arm
module on 64-bit ARM.
(armcryptosupport, gcry_cv_gcc_inline_aarch32_crypto)
(gcry_cv_inline_asm_aarch64_neon)
(gcry_cv_gcc_inline_asm_aarch64_crypto): New.
* src/g10lib.h (HWF_ARM_AES, HWF_ARM_SHA1, HWF_ARM_SHA2)
(HWF_ARM_PMULL): New.
* src/hwf-arm.c [__aarch64__]: Enable building in AArch64 mode.
(feature_map_s): New.
[__arm__] (AT_HWCAP, AT_HWCAP2, HWCAP2_AES, HWCAP2_PMULL)
(HWCAP2_SHA1, HWCAP2_SHA2, arm_features): New.
[__aarch64__] (AT_HWCAP, AT_HWCAP2, HWCAP_ASIMD, HWCAP_AES)
(HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2, arm_features): New.
(get_hwcap): Add reading of 'AT_HWCAP2'; Change auxv use
'unsigned long'.
(detect_arm_at_hwcap): Add mapping of HWCAP/HWCAP2 to HWF flags.
(detect_arm_proc_cpuinfo): Add mapping of CPU features to HWF flags.
(_gcry_hwf_detect_arm): Use __ARM_NEON instead of legacy __ARM_NEON__.
* src/hwfeatures.c (hwflist): Add 'arm-aes', 'arm-sha1', 'arm-sha2'
and 'arm-pmull'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Post release updates
Werner Koch [Thu, 14 Jul 2016 09:36:40 +0000 (11:36 +0200)]
Post release updates

--

2 years ago  Release 1.7.2 libgcrypt-1.7.2
Werner Koch [Thu, 14 Jul 2016 09:23:34 +0000 (11:23 +0200)]
Release 1.7.2

* configure.ac: Set LT version to C21/A1/R2.
* Makefile.am (distcheck-hook): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  Merge branch 'master' into LIBGCRYPT-1-7-BRANCH
Werner Koch [Thu, 14 Jul 2016 09:19:22 +0000 (11:19 +0200)]
Merge branch 'master' into LIBGCRYPT-1-7-BRANCH

2 years ago  build: Update NEWS.
Werner Koch [Thu, 14 Jul 2016 09:15:38 +0000 (11:15 +0200)]
build: Update NEWS.

--

2 years ago  build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.
Werner Koch [Wed, 13 Jul 2016 17:05:34 +0000 (19:05 +0200)]
build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.

* build-aux/config.guess: Update.
* build-aux/config.sub: Update.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON
Jussi Kivilinna [Thu, 7 Jul 2016 22:22:58 +0000 (01:22 +0300)]
Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON

* cipher/chacha20-armv7-neon.S (UNALIGNED_STMIA8)
(UNALIGNED_LDMIA4): New.
(_gcry_chacha20_armv7_neon_blocks): Use new helper macros instead of
ldm/stm instructions directly.
* cipher/poly1305-armv7-neon.S (UNALIGNED_LDMIA2)
(UNALIGNED_LDMIA4): New.
(_gcry_poly1305_armv7_neon_init_ext, _gcry_poly1305_armv7_neon_blocks)
(_gcry_poly1305_armv7_neon_finish_ext): Use new helper macros instead
of ldm instruction directly.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  bench-slope: add unaligned buffer mode
Jussi Kivilinna [Sun, 3 Jul 2016 15:39:40 +0000 (18:39 +0300)]
bench-slope: add unaligned buffer mode

* tests/bench-slope.c (unaligned_mode): New.
(do_slope_benchmark): Unalign buffer if unaligned mode is enabled.
(print_help, main): Add '--unaligned' parameter.
--

Patch adds --unaligned parameter to allow measurement of unaligned
buffer overhead.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Fix static build
Jussi Kivilinna [Fri, 1 Jul 2016 20:07:07 +0000 (23:07 +0300)]
Fix static build

* tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Disallow encryption/decryption if key is not set
Jussi Kivilinna [Thu, 30 Jun 2016 18:51:50 +0000 (21:51 +0300)]
Disallow encryption/decryption if key is not set

* cipher/cipher.c (cipher_encrypt, cipher_decrypt): If mode is not
NONE, make sure that key is set.
* cipher/cipher-ccm.c (_gcry_cipher_ccm_set_nonce): Do not clear
'marks.key' when resetting state.
--

Reported-by: Andreas Metzler <ametzler@bebt.de>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Avoid unaligned accesses with ARM ldm/stm instructions
Jussi Kivilinna [Thu, 30 Jun 2016 18:34:46 +0000 (21:34 +0300)]
Avoid unaligned accesses with ARM ldm/stm instructions

* cipher/rijndael-arm.S: Remove __ARM_FEATURE_UNALIGNED ifdefs, always
compile with unaligned load/store code paths.
* cipher/sha512-arm.S: Ditto.
--

Reported-by: Michael Plass <mfpnb@plass-family.net>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Fix non-PIC reference in PIC for poly1305/ARMv7-NEON
Jussi Kivilinna [Thu, 30 Jun 2016 18:23:05 +0000 (21:23 +0300)]
Fix non-PIC reference in PIC for poly1305/ARMv7-NEON

* cipher/poly1305-armv7-neon.S (GET_DATA_POINTER): New.
(_gcry_poly1305_armv7_neon_init_ext): Use GET_DATA_POINTER.
--

Reported-by: Michael Plass <mfpnb@plass-family.net>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Fix wrong CPU feature #ifdef for SHA1/AVX
Jussi Kivilinna [Thu, 30 Jun 2016 18:17:32 +0000 (21:17 +0300)]
Fix wrong CPU feature #ifdef for SHA1/AVX

* cipher/sha1-avx-amd64.S: Check for HAVE_GCC_INLINE_ASM_AVX instead of
HAVE_GCC_INLINE_ASM_AVX2 & HAVE_GCC_INLINE_ASM_BMI2.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  random: Remove debug message about not supported getrandom syscall.
Werner Koch [Thu, 30 Jun 2016 11:00:50 +0000 (13:00 +0200)]
random: Remove debug message about not supported getrandom syscall.

* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove log_debug
for getrandom error ENOSYS.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.
Werner Koch [Mon, 27 Jun 2016 15:22:18 +0000 (17:22 +0200)]
tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.

* tests/benchmark.c (md_bench): Do not test variable lengths algos
with the gcry_md_hash_buffer.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.
Werner Koch [Mon, 27 Jun 2016 15:11:23 +0000 (17:11 +0200)]
md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.

* cipher/md.c (md_read): Detect missing read function.
(_gcry_md_hash_buffers): Return an error.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  ecc: Fix memory leak.
Werner Koch [Sat, 25 Jun 2016 18:52:47 +0000 (20:52 +0200)]
ecc: Fix memory leak.

* cipher/ecc.c (ecc_check_secret_key): Do not init point if already
set.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  doc: Update yat2m.
Werner Koch [Sat, 25 Jun 2016 14:07:16 +0000 (16:07 +0200)]
doc: Update yat2m.

* doc/yat2m.c: Update from Libgpg-error
--

Taken from Libgpg-error
commit 9b5e3d1608922f4aaf9958e022431849d5a58501

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  tests: Add attributes to helper functions.
Werner Koch [Sat, 25 Jun 2016 14:09:20 +0000 (16:09 +0200)]
tests: Add attributes to helper functions.

* tests/t-common.h (die, fail, info): Add attributes.
* tests/random.c (die, inf): Ditto.
* tests/pubkey.c (die, fail, info): Add attributes.
* tests/fipsdrv.c (die): Add attribute.
(main): Take care of missing --key,--iv,--dt options.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  Improve robustness and help lint.
Werner Koch [Sat, 25 Jun 2016 13:38:06 +0000 (15:38 +0200)]
Improve robustness and help lint.

* cipher/rsa.c (rsa_encrypt): Check for !DATA.
* cipher/md.c (search_oid): Check early for !OID.
(md_copy): Use gpg_err_code_from_syserror.  Replace chains of if(!err)
tests.
* cipher/cipher.c (search_oid): Check early for !OID.
* src/misc.c (do_printhex): Allow for BUFFER==NULL even with LENGTH>0.
* mpi/mpicoder.c (onecompl): Allow for A==NULL to help static
analyzers.
--

The change for md_copy is to help static analyzers which have no idea
that gpg_err_code_from_syserror will never return 0.  A gcc attribute
returns_nonzero would be a nice to have.

Some changes are due to the fact that macros like mpi_is_immutable
gracefully handle a NULL arg, but a static analyzer then considers that
the function allows for a NULL arg.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  cipher: Improve fatal error message for bad use of gcry_md_read.
Werner Koch [Thu, 23 Jun 2016 08:29:08 +0000 (10:29 +0200)]
cipher: Improve fatal error message for bad use of gcry_md_read.

* cipher/md.c (md_read): Use _gcry_fatal_error instead of BUG.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
Niibe Yutaka [Thu, 16 Jun 2016 01:56:28 +0000 (10:56 +0900)]
ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.

* cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
(ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
cofactor as 1, when not specified.

--

GnuPG-bug-id: 2347
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(backport from master
commit 0f3a069211d8d24a61aa0dc2cc6c4ef04cc4fab7)

2 years ago  ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
Niibe Yutaka [Thu, 16 Jun 2016 01:56:28 +0000 (10:56 +0900)]
ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.

* cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
(ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
cofactor as 1, when not specified.

--

GnuPG-bug-id: 2347
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 years ago  Post release updates
Werner Koch [Wed, 15 Jun 2016 07:50:31 +0000 (09:50 +0200)]
Post release updates

--

2 years ago  Release 1.7.1 libgcrypt-1.7.1
Werner Koch [Wed, 15 Jun 2016 07:34:02 +0000 (09:34 +0200)]
Release 1.7.1

2 years ago  Merge branch 'master' into LIBGCRYPT-1-7-BRANCH
Werner Koch [Wed, 15 Jun 2016 07:24:02 +0000 (09:24 +0200)]
Merge branch 'master' into LIBGCRYPT-1-7-BRANCH

--

2 years ago  doc: Describe envvars.
Werner Koch [Wed, 15 Jun 2016 07:18:31 +0000 (09:18 +0200)]
doc: Describe envvars.

* doc/gcrypt.texi: Add chapter Configuration.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  random: Change names of debug envvars.
Werner Koch [Wed, 15 Jun 2016 07:17:44 +0000 (09:17 +0200)]
random: Change names of debug envvars.

* random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to
GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG.
* random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to
GCRYPT_RNDW32_NOPERF.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  cipher: Assign OIDs to the Serpent cipher.
Werner Koch [Tue, 14 Jun 2016 13:53:10 +0000 (15:53 +0200)]
cipher: Assign OIDs to the Serpent cipher.

* cipher/serpent.c (serpent128_oids, serpent192_oids)
(serpent256_oids): New. Add them to the specs below.
(serpent128_aliases): Add "SERPENT-128".
(serpent256_aliases, serpent192_aliases): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  cipher: Assign OIDs to the Serpent cipher.
Werner Koch [Tue, 14 Jun 2016 13:53:10 +0000 (15:53 +0200)]
cipher: Assign OIDs to the Serpent cipher.

* cipher/serpent.c (serpent128_oids, serpent192_oids)
(serpent256_oids): New. Add them to the specs below.
(serpent128_aliases): Add "SERPENT-128".
(serpent256_aliases, serpent192_aliases): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  rsa: Implement blinding also for signing.
Werner Koch [Fri, 3 Jun 2016 13:42:53 +0000 (15:42 +0200)]
rsa: Implement blinding also for signing.

* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
(secret_blinded): new.
(rsa_sign): Use blinding by default.
--

Although blinding of the RSA sign operation has a noticeable speed
loss, we better be on the safe side by using it by default.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  random: Remove debug output for getrandom(2) output.
Werner Koch [Fri, 3 Jun 2016 13:15:36 +0000 (15:15 +0200)]
random: Remove debug output for getrandom(2) output.

* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
output.
--

Fixes-commit: ee5a32226a7ca4ab067864e06623fc11a1768900
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  Fix gcc portability on Solaris 9 SPARC boxes.
Werner Koch [Mon, 7 Sep 2015 13:38:04 +0000 (15:38 +0200)]
Fix gcc portability on Solaris 9 SPARC boxes.

* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
--

This patch has been in use by pkgsrc for
  SunOS mentok 5.9 Generic_117171-02 sun4u sparc SUNW,Sun-Fire-V240
since 2004.

GnuPG-bug-id: 1703
Signed-off-by: Werner Koch <wk@gnupg.org>
[cherry-pick of commit d281624]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Check for compiler SSE4.1 support in PCLMUL CRC code.
Jérémie Courrèges-Anglas [Mon, 9 May 2016 02:04:59 +0000 (04:04 +0200)]
Check for compiler SSE4.1 support in PCLMUL CRC code.

* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
  compiler supports PCLMUL *and* SSE4.1
* cipher/crc.c: Ditto
* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.
--
Fixes build with the native gcc on OpenBSD/amd64, which supports PCLMUL
but not SSE4.1.

Signed-off-by: Jérémie Courrèges-Anglas <jca@wxcvbn.org>
2 years ago  ecc: Fix ecc_verify for cofactor support.
NIIBE Yutaka [Fri, 6 May 2016 04:21:17 +0000 (13:21 +0900)]
ecc: Fix ecc_verify for cofactor support.

* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

--

Thanks to onitake.
GnuPG-bug-id: 2347
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 years ago  random: Try to use getrandom() instead of /dev/urandom (Linux only).
Werner Koch [Tue, 26 Apr 2016 13:46:30 +0000 (15:46 +0200)]
random: Try to use getrandom() instead of /dev/urandom (Linux only).

* configure.ac: Check for syscall.
* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
(_gcry_rndlinux_gather_random): Use getrandom if available.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  rsa: Implement blinding also for signing.
Werner Koch [Fri, 3 Jun 2016 13:42:53 +0000 (15:42 +0200)]
rsa: Implement blinding also for signing.

* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
(secret_blinded): new.
(rsa_sign): Use blinding by default.
--

Although blinding of the RSA sign operation has a noticeable speed
loss, we better be on the safe side by using it by default.

Signed-off-by: Werner Koch <wk@gnupg.org>
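The two "rsa: Implement blinding also for signing" commits above move the blinding step out of rsa_decrypt into a shared secret_blinded helper and apply it to signing as well. The following is an added example, not libgcrypt's cipher/rsa.c, showing what that blinding computes: the private exponent is applied to x * r^e for a fresh random r, and r is stripped afterwards with its modular inverse, so the exponentiation never operates directly on attacker-supplied input. The key values are constructed toy numbers (assumed here, p = 61, q = 53) so the arithmetic is instant; the function names secret_blinded, secret_unblinded, rsa_sign_toy and rsa_verify_toy are this example's own.

```python
# Added example (not libgcrypt code): RSA blinding for the private-key
# operation, as used for decryption and (after this commit) for signing.
import secrets
from math import gcd

# Constructed toy key (assumed values): p = 61, q = 53 -> n = 3233,
# phi = 3120, e = 17, d = 2753 (17 * 2753 = 46801 = 15 * 3120 + 1).
TOY_N = 3233
TOY_E = 17
TOY_D = 2753


def secret_unblinded(x: int, d: int, n: int) -> int:
    """Plain private-key operation x^d mod n, with no blinding."""
    return pow(x, d, n)


def secret_blinded(x: int, d: int, e: int, n: int, rng=secrets.randbelow) -> int:
    """Private-key operation with multiplicative blinding.

    Picks a random r coprime to n, computes (x * r^e)^d mod n, which equals
    x^d * r mod n, and then removes r by multiplying with r^-1 mod n.  The
    modular exponentiation with the secret exponent d therefore works on a
    value the caller cannot choose.
    """
    while True:
        r = rng(n - 2) + 2          # r in [2, n-1]
        if gcd(r, n) == 1:          # need r invertible mod n
            break
    r_inv = pow(r, -1, n)           # modular inverse (Python 3.8+)
    x_blind = (x * pow(r, e, n)) % n
    y_blind = pow(x_blind, d, n)    # = x^d * r^(e*d) = x^d * r (mod n)
    return (y_blind * r_inv) % n


def rsa_sign_toy(msg_rep: int) -> int:
    """Textbook signature over an already-encoded message representative."""
    return secret_blinded(msg_rep % TOY_N, TOY_D, TOY_E, TOY_N)


def rsa_verify_toy(msg_rep: int, sig: int) -> bool:
    """Verification needs only the public exponent; blinding is invisible."""
    return pow(sig, TOY_E, TOY_N) == msg_rep % TOY_N


if __name__ == "__main__":
    s = rsa_sign_toy(42)
    print("signature", s, "verifies:", rsa_verify_toy(42, s))
```

Because r is chosen fresh per call, two signatures over the same input take different intermediate paths through the exponentiation but yield the same final value, which is what makes the result indistinguishable from the unblinded operation to the verifier.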
2 years ago  random: Remove debug output for getrandom(2) output.
Werner Koch [Fri, 3 Jun 2016 13:15:36 +0000 (15:15 +0200)]
random: Remove debug output for getrandom(2) output.

* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
output.
--

Fixes-commit: ee5a32226a7ca4ab067864e06623fc11a1768900
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  Fix gcc portability on Solaris 9 SPARC boxes.
Werner Koch [Mon, 7 Sep 2015 13:38:04 +0000 (15:38 +0200)]
Fix gcc portability on Solaris 9 SPARC boxes.

* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
--

This patch has been in use by pkgsrc for
  SunOS mentok 5.9 Generic_117171-02 sun4u sparc SUNW,Sun-Fire-V240
since 2004.

GnuPG-bug-id: 1703
Signed-off-by: Werner Koch <wk@gnupg.org>
[cherry-pick of commit d281624]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Check for compiler SSE4.1 support in PCLMUL CRC code.
Jérémie Courrèges-Anglas [Mon, 9 May 2016 02:04:59 +0000 (04:04 +0200)]
Check for compiler SSE4.1 support in PCLMUL CRC code.

* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
  compiler supports PCLMUL *and* SSE4.1
* cipher/crc.c: Ditto
* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.
--
Fixes build with the native gcc on OpenBSD/amd64, which supports PCLMUL
but not SSE4.1.

Signed-off-by: Jérémie Courrèges-Anglas <jca@wxcvbn.org>
2 years ago  Register DCO for Jérémie Courrèges-Anglas
Jussi Kivilinna [Sat, 28 May 2016 09:59:54 +0000 (12:59 +0300)]
Register DCO for Jérémie Courrèges-Anglas

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  ecc: Fix ecc_verify for cofactor support.
NIIBE Yutaka [Fri, 6 May 2016 04:21:17 +0000 (13:21 +0900)]
ecc: Fix ecc_verify for cofactor support.

* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

--

Thanks to onitake.
GnuPG-bug-id: 2347
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 years ago  random: Try to use getrandom() instead of /dev/urandom (Linux only).
Werner Koch [Tue, 26 Apr 2016 13:46:30 +0000 (15:46 +0200)]
random: Try to use getrandom() instead of /dev/urandom (Linux only).

* configure.ac: Check for syscall.
* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
(_gcry_rndlinux_gather_random): Use getrandom if available.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  asm fix for older gcc versions.
Werner Koch [Tue, 19 Apr 2016 18:05:07 +0000 (20:05 +0200)]
asm fix for older gcc versions.

* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
asm statements.
--

gcc 4.2 is not able to grok a third colon without clobber
expressions.  Reported for FreeBSD 9.

GnuPG-bug-id: 2326
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago Post release updates.
Werner Koch [Fri, 15 Apr 2016 14:06:04 +0000 (16:06 +0200)]
Post release updates.

--

2 years ago Release 1.7.0 libgcrypt-1.7.0
Werner Koch [Fri, 15 Apr 2016 13:48:24 +0000 (15:48 +0200)]
Release 1.7.0

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago tests: Add test vectors for 256 GiB test of SHA3-256.
Werner Koch [Thu, 14 Apr 2016 14:32:04 +0000 (16:32 +0200)]
tests: Add test vectors for 256 GiB test of SHA3-256.

* tests/hashtest.c: Add new test vectors.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago src: Improve S-expression parsing.
Justus Winter [Thu, 14 Apr 2016 11:53:55 +0000 (13:53 +0200)]
src: Improve S-expression parsing.

* src/sexp.c (do_vsexp_sscan): Return an error if a closing
parenthesis is encountered with no matching opening parenthesis.

Signed-off-by: Justus Winter <justus@g10code.com>
2 years ago cipher: Add constant for 8 bit CFB mode.
Werner Koch [Thu, 14 Apr 2016 12:39:31 +0000 (14:39 +0200)]
cipher: Add constant for 8 bit CFB mode.

* src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
* tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.
--

Note that there is no implementation for the 8 bit CFB mode yet.  We
will add that as a bug fix after the release of 1.7.0.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago tests: Add a new test for S-expressions.
Werner Koch [Thu, 14 Apr 2016 11:26:55 +0000 (13:26 +0200)]
tests: Add a new test for S-expressions.

* tests/t-sexp.c (compare_to_canon): New.
(back_and_forth_one): Add another test.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago ecc: Fix corner cases for X25519.
NIIBE Yutaka [Wed, 13 Apr 2016 01:10:53 +0000 (10:10 +0900)]
ecc: Fix corner cases for X25519.

* cipher/ecc.c (ecc_encrypt_raw): For invalid input, returns
GPG_ERR_INV_DATA instead of aborting with log_fatal.  For X25519,
it's not an error, thus, let it return 0.
(ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish
X25519, not by the name of the curve.
(ecc_decrypt_raw): For invalid input, returns GPG_ERR_INV_DATA instead
of aborting with log_fatal.  For X25519, it's not an error by its
definition, but we deliberately let it return the error to detect
looks-like-encrypted-message.
* tests/t-cv25519.c: Add points to record the issue.

--

For X25519 ECDH, this change introduces incompatibility to
crypto_scalarmult with the input which makes shared secret to be 0.
For crypto_scalarmult, the result is 0.  In libgcrypt, it's an error
of GPG_ERR_INV_DATA (we consider the input is invalid).

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 years ago cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
Werner Koch [Tue, 12 Apr 2016 09:11:35 +0000 (11:11 +0200)]
cipher: Buffer data from gcry_cipher_authenticate in OCB mode.

* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
aad_leftover and aad_nleftover to u_mode.ocb.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
aad_nleftover.
(_gcry_cipher_ocb_authenticate): Add buffering and factor some code out
to ...
(ocb_aad_finalize): new.
(compute_tag_if_needed): Call new function.
* tests/basic.c (check_ocb_cipher_splitaad): New.
(check_ocb_cipher): Call new function.
(main): Also call check_cipher_modes with --ciper-modes.
--

It is more convenient to not require full blocks for
gcry_cipher_authenticate.  Other modes than OCB do this as well.

Note that the size of the context structure is not increased because
other modes require more context data.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago ecc: Fix X25519 computation on Curve25519.
NIIBE Yutaka [Tue, 12 Apr 2016 00:58:12 +0000 (09:58 +0900)]
ecc: Fix X25519 computation on Curve25519.

* cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
PUBKEY_FLAG_DJB_TWEAK is enabled.
(ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
* tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.

--

X25519 function is not a plain scalar multiplication, but does
two things; the scalar bits are tweaked before applying scalar
multiplication and X0 function is applied to the result of
scalar multiplication.

In libgcrypt, _gcry_mpi_ec_mul_point is a plain scalar multiplication
and those two things are done in functions for ECDH with X25519.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 years ago ecc: Fix initialization of EC context.
NIIBE Yutaka [Tue, 12 Apr 2016 00:19:32 +0000 (09:19 +0900)]
ecc: Fix initialization of EC context.

* cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
(ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialization
by _gcry_mpi_ec_p_internal_new should carry FLAGS.

--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 years ago Silence warning about missing HMAC-SHA3 selftests.
Werner Koch [Thu, 7 Apr 2016 07:21:44 +0000 (09:21 +0200)]
Silence warning about missing HMAC-SHA3 selftests.

--

We do not have a reliable source for test vectors.

2 years ago Allow building with configure option --enable-hmac-binary-check.
Werner Koch [Wed, 6 Apr 2016 18:16:19 +0000 (20:16 +0200)]
Allow building with configure option --enable-hmac-binary-check.

* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
* src/hmac256.c (main): Add option --stdkey
--

Note that when using that configure option "make check" won't work in
one go.  Instead use

  make
  cd src/.libs
  ../hmac256  --stdkey '' libgcrypt.so.20 >.libgcrypt.so.20.hmac
  cd ../..
  make check

Reported-by: Burt Silverman
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago ecc: Positive values in computation.
NIIBE Yutaka [Wed, 6 Apr 2016 09:05:38 +0000 (18:05 +0900)]
ecc: Positive values in computation.

* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
coefficients A and B are positive.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
"P - T" instead of "-T", so that the result will be positive.
(_gcry_ecc_eddsa_verify): Likewise.
* cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve
instead of _gcry_ecc_update_curve_param.
* mpi/ec.c (ec_subm): Make sure the result will be positive.
(dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use
mpi_sub instead of mpi_neg.
(add_points_edwards): Simply use ec_addm.
* tests/t-mpi-point.c (test_curve): Define curves with positive
coefficients.

--

We keep the coefficients of domain_parms in ecc-curves.c, so that
keygrip computations won't change.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 years ago mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
Werner Koch [Fri, 1 Apr 2016 11:42:01 +0000 (13:42 +0200)]
mpi: Explicitly limit the allowed input length for gcry_mpi_scan.

* mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
(mpi_fromstr): Check against this limit.
(_gcry_mpi_scan): Ditto.
* tests/mpitests.c (test_maxsize): New.
(main): Call that test.
--

A too large buffer length may lead to an unsigned integer overflow on
systems where size_t > unsigned int (i.e. 64 bit systems).  The
computation of the required number of nlimbs may also be affected by
this.  However this is not a real world case because any processing
which has allocated such a long buffer from an external source would
be prone to other DoS attacks: The required buffer length to exhibit
this overflow is at least 2^32 - 8 bytes.

Signed-off-by: Werner Koch <wk@gnupg.org>
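The overflow described in this message, as an added example that is not libgcrypt's code: the legacy computation is modelled with a 32-bit nbits (an unsigned int) fed from a 64-bit length (a size_t on 64 bit systems), and the value of MAX_EXTERN_SCAN_BYTES is a constructed placeholder, since the page does not state libgcrypt's own limit.

```c
#include <stdint.h>

#define BITS_PER_MPI_LIMB 64           /* 64-bit limbs, as on an LP64 host */
/* Constructed limit (placeholder): libgcrypt's real MAX_EXTERN_SCAN_BYTES is
   not on the page.  Any bound well below UINT32_MAX / 8 removes the wrap. */
#define MAX_EXTERN_SCAN_BYTES ((uint64_t)16 * 1024 * 1024)

/* Legacy-style computation: the 64-bit BUFLEN (a size_t on 64 bit systems) is
   multiplied by 8 and stored in a 32-bit NBITS.  From buflen = 2^32 - 8 on the
   product (2^35 - 64) no longer fits, so nbits wraps and the limb count comes
   out far too small; a buffer allocated from it could not hold the data. */
static uint32_t nlimbs_unchecked(uint64_t buflen)
{
  uint32_t nbits = (uint32_t)(buflen * 8);            /* silent truncation */
  return (nbits + BITS_PER_MPI_LIMB - 1) / BITS_PER_MPI_LIMB;
}

/* Fixed variant: reject over-long input against an explicit limit before any
   arithmetic, then compute in 64 bits.  Returns the limb count, or -1 for an
   input the caller must report as an error instead of allocating for. */
static int64_t nlimbs_checked(uint64_t buflen)
{
  if (buflen > MAX_EXTERN_SCAN_BYTES)
    return -1;
  return (int64_t)((buflen * 8 + BITS_PER_MPI_LIMB - 1) / BITS_PER_MPI_LIMB);
}
```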
2 years ago cipher: Remove specialized rmd160 functions.
Werner Koch [Thu, 31 Mar 2016 18:16:10 +0000 (20:16 +0200)]
cipher: Remove specialized rmd160 functions.

* cipher/rmd160.c: Replace rmd.h by hash-common.h.
(RMD160_CONTEXT): Move from rmd.h to here.
(_gcry_rmd160_init): Remove.
(_gcry_rmd160_mixblock): Remove.
(_gcry_rmd160_hash_buffer): Use rmd160_init directly.
* cipher/md.c: Remove rmd.h which was not actually used.
* cipher/rmd.h: Remove.
* cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h.
* configure.ac (USE_RMD160): Allow to build without RMD160.
--

Those functions are no longer required because random-csprng.c now
uses SHA-1.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
Werner Koch [Thu, 31 Mar 2016 17:33:43 +0000 (19:33 +0200)]
random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.

* cipher/sha1.c (_gcry_sha1_mixblock_init): New.
(_gcry_sha1_mixblock): New.
* random/random-csprng.c: Include sha1.h instead of rmd.h.
(mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago cipher: Move sha1 context definition to a separate file.
Werner Koch [Thu, 31 Mar 2016 17:16:15 +0000 (19:16 +0200)]
cipher: Move sha1 context definition to a separate file.

* cipher/sha1.c: Replace hash-common.h by sha1.h.
(SHA1_CONTEXT): Move to ...
* cipher/sha1.h: new.  Always include all flags.
* cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago tests: Fix buffer overflow in bench-slope.
Werner Koch [Tue, 29 Mar 2016 10:06:25 +0000 (12:06 +0200)]
tests: Fix buffer overflow in bench-slope.

* tests/bench-slope.c (bench_print_result_std): Remove wrong use of
strncat.
--

Reported-by: Andreas Metzler <ametzler@bebt.de>
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago doc: Update for gcry_cipher_gettag and gcry_cipher_checktag.
Werner Koch [Tue, 29 Mar 2016 09:31:55 +0000 (11:31 +0200)]
doc: Update for gcry_cipher_gettag and gcry_cipher_checktag.

--

Also re-indent one label.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago cipher: GCM: check that length of supplied tag is one of valid lengths
Jussi Kivilinna [Sun, 27 Mar 2016 08:17:39 +0000 (11:17 +0300)]
cipher: GCM: check that length of supplied tag is one of valid lengths

* cipher/cipher-gcm.c (is_tag_length_valid): New.
(_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
* tests/basic.c (_check_gcm_cipher): Add test-vectors with different
valid tag lengths and negative test vectors with invalid lengths.
--

NIST SP 800-38D allows following tag lengths:
 128, 120, 112, 104, 96, 64 and 32 bits.

[v2: allow larger buffer when outputting tag. 128-bit tag is written
     to target buffer in this case]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago cipher: Fix memleaks in (self)tests.
Peter Wu [Wed, 23 Mar 2016 17:21:53 +0000 (18:21 +0100)]
cipher: Fix memleaks in (self)tests.

* cipher/dsa.c: Release memory for MPI and sexp structures.
* cipher/ecc.c: Release memory for sexp structure.
* tests/keygen.c: Likewise.
--

These leaks broke the mpitests, basic and keygen tests when running
under AddressSanitizer.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Minor formatting changes by -wk.

2 years ago Mark constant MPIs as non-leaked
Peter Wu [Thu, 24 Mar 2016 10:06:23 +0000 (11:06 +0100)]
Mark constant MPIs as non-leaked

* mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.
--

Requires libgpg-error 1.22 (unreleased) for the macros, but since it is
a minor debugging aid, do not bump the minimum required version.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2 years ago Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
Werner Koch [Wed, 23 Mar 2016 14:24:40 +0000 (15:24 +0100)]
Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.

* src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
* cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.

* tests/basic.c (_check_gcm_cipher): Check that new feature.
(_check_poly1305_cipher): Ditto.
(check_ccm_cipher): Ditto.
(do_check_ocb_cipher): Ditto.
(check_ctr_cipher): Add negative test for new feature.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago cipher: Avoid NULL-segv in GCM mode if a key has not been set.
Werner Koch [Wed, 23 Mar 2016 13:13:18 +0000 (14:13 +0100)]
cipher: Avoid NULL-segv in GCM mode if a key has not been set.

* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
has been initialized.
(_gcry_cipher_gcm_decrypt): Ditto.
(_gcry_cipher_gcm_authenticate): Ditto.
(_gcry_cipher_gcm_initiv): Ditto.
(_gcry_cipher_gcm_tag): Ditto.
--

Avoid a crash if certain functions are used before setkey.

Reported-by: Peter Wu <peter@lekensteyn.nl>
  One crash is not fixed, that is the crash when setkey is not invoked
  before using the GCM ciphers (introduced in the 1.7.0 cycle). Either
  these functions should check that the key is present, or they should
  initialize the ghash table earlier. Affected functions:

    _gcry_cipher_gcm_encrypt
    _gcry_cipher_gcm_decrypt
    _gcry_cipher_gcm_authenticate
    _gcry_cipher_gcm_initiv
    (via _gcry_cipher_gcm_setiv)
    _gcry_cipher_gcm_tag
    (via _gcry_cipher_gcm_get_tag, _gcry_cipher_gcm_check_tag)

Regression-due-to: 4a0795af021305f9240f23626a3796157db46bd7
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
Werner Koch [Wed, 23 Mar 2016 11:47:30 +0000 (12:47 +0100)]
cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.

* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
provided tag length matches the actual tag length.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago Fix buffer overrun in gettag for Poly1305
Peter Wu [Wed, 23 Mar 2016 02:45:21 +0000 (03:45 +0100)]
Fix buffer overrun in gettag for Poly1305

* cipher/cipher-poly1305.c: copy a fixed length instead of the
  user-supplied number.
--

The outbuflen is used to check the minimum size, the real tag is always
of fixed length.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2 years ago cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
Werner Koch [Wed, 23 Mar 2016 10:07:52 +0000 (11:07 +0100)]
cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.

* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
tag length matches the actual tag length.  Avoid gratuitous return
statements.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago Fix buffer overrun in gettag for GCM
Peter Wu [Wed, 23 Mar 2016 02:45:20 +0000 (03:45 +0100)]
Fix buffer overrun in gettag for GCM

* cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
  number.
--

The outbuflen is used to check the minimum size, the real tag is always
of fixed length.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Actually this is not a buffer overrun because we copy not more than
has been allocated for OUTBUF.  However a too long OUTBUFLEN accesses
data outside of the source buffer.  -wk
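The fixed-length copy from this fix and the NIST SP 800-38D tag-length check from the "cipher: GCM: check that length of supplied tag" commit earlier on this page, in one added example. This is not libgcrypt's code: gcm_ctx, the TAG_* return codes and the self-check values are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical minimal GCM context (not libgcrypt's): only the computed
   128-bit tag matters for tag output and tag check. */
#define GCM_BLOCK_LEN 16
struct gcm_ctx { unsigned char tag[GCM_BLOCK_LEN]; };
enum { TAG_OK = 0, TAG_ERR_LENGTH = -1, TAG_ERR_CHECKSUM = -2 };

/* Tag lengths permitted by NIST SP 800-38D (128, 120, 112, 104, 96, 64 and
   32 bits), compared in bytes so a huge size_t cannot wrap when scaled. */
static int is_tag_length_valid(size_t taglen)
{
  switch (taglen) {
    case 16: case 15: case 14: case 13: case 12: case 8: case 4: return 1;
    default: return 0;
  }
}

/* Before the fix, OUTBUFLEN was checked only as a minimum and then used as the
   memcpy length, so OUTBUFLEN > 16 read past the end of the 16-byte tag (an
   out-of-bounds read of the source, as -wk notes).  Now the copy length is the
   fixed tag length: a larger buffer receives the full 128-bit tag, a shorter
   request must be one of the standard truncated lengths. */
static int gcm_get_tag(const struct gcm_ctx *c, unsigned char *out, size_t outbuflen)
{
  if (outbuflen > GCM_BLOCK_LEN)
    outbuflen = GCM_BLOCK_LEN;
  else if (!is_tag_length_valid(outbuflen))
    return TAG_ERR_LENGTH;             /* e.g. 5 bytes is not a GCM tag length */
  memcpy(out, c->tag, outbuflen);
  return TAG_OK;
}

/* Verification: the supplied length must itself be a valid tag length (a
   17-byte "tag" is rejected, not truncated); the compare is constant time. */
static int gcm_check_tag(const struct gcm_ctx *c, const unsigned char *tag, size_t taglen)
{
  unsigned char d = 0;
  if (!is_tag_length_valid(taglen))
    return TAG_ERR_LENGTH;
  for (size_t i = 0; i < taglen; i++)
    d |= (unsigned char)(tag[i] ^ c->tag[i]);
  return d ? TAG_ERR_CHECKSUM : TAG_OK;
}

/* Constructed self-check over the cases above; returns 1 if all behave as described. */
static int gcm_tag_selfcheck(void)
{
  struct gcm_ctx c;
  unsigned char out[32]; int ok = 1;
  for (int i = 0; i < GCM_BLOCK_LEN; i++) c.tag[i] = (unsigned char)(0xA0 + i);
  ok &= gcm_get_tag(&c, out, sizeof out) == TAG_OK && !memcmp(out, c.tag, 16);
  ok &= gcm_get_tag(&c, out, 12) == TAG_OK && !memcmp(out, c.tag, 12);
  ok &= gcm_get_tag(&c, out, 5) == TAG_ERR_LENGTH;
  ok &= gcm_check_tag(&c, c.tag, 16) == TAG_OK;
  ok &= gcm_check_tag(&c, c.tag, 17) == TAG_ERR_LENGTH;
  out[0] ^= 1; ok &= gcm_check_tag(&c, out, 12) == TAG_ERR_CHECKSUM;
  return ok;
}
```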

2 years ago tests: Add options --fips to keygen for manual tests.
Werner Koch [Tue, 22 Mar 2016 16:49:50 +0000 (17:49 +0100)]
tests: Add options --fips to keygen for manual tests.

(main): Add option --fips.
* tests/keygen.c (check_rsa_keys): Create a 2048 bit key with e=65539
because that is valid in FIPS mode.  Check that key generation fails
for too short keys in FIPS mode.
(check_ecc_keys): Check that key generation fails for Ed25519 keys in
FIPS mode.
--

This option allows testing the FIPS mode manually for key generation.
We should eventually expand all tests to allow testing in FIPS mode in
non FIPS enabled boxes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago rsa: Add FIPS 186-4 compliant RSA probable prime key generator.
Tomáš Mráz [Tue, 22 Mar 2016 16:12:55 +0000 (17:12 +0100)]
rsa: Add FIPS 186-4 compliant RSA probable prime key generator.

* cipher/primegen.c (_gcry_fips186_4_prime_check): New.
* cipher/rsa.c (generate_fips): New.
(rsa_generate): Use new function in fips mode or with test-parms.

* tests/keygen.c (check_rsa_keys): Add test using e=65539.

--
Signed-off-by: Tomáš Mráz <tmraz@redhat.com>
Tomáš's patch was originally for libgcrypt 1.6.3 and has been ported
to master (1.7) by wk.  Further changes:

  - ChangeLog entries.
  - Some re-indentation
  - Use an extra test case instead of changing an existing one.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago Fix ARM NEON support detection on ARMv6 target
Jussi Kivilinna [Sun, 20 Mar 2016 13:21:40 +0000 (15:21 +0200)]
Fix ARM NEON support detection on ARMv6 target

* configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
instead of '.thumb'.
--

Fix allows building ARM NEON assembly implementations when compiler
target is ARMv6. This enables NEON implementations on ARMv7+NEON CPUs
running on ARMv6 OS (for example, Raspbian on Raspberry Pi 2/3).

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago Always require a 64 bit integer type
Werner Koch [Fri, 18 Mar 2016 17:57:19 +0000 (18:57 +0100)]
Always require a 64 bit integer type

* configure.ac (available_digests_64): Merge with available_digests.
(available_kdfs_64): Merge with available_kdfs.
<64 bit datatype test>: Bail out if no such type is available.
* src/types.h: Emit #error if no u64 can be defined.
(PROPERLY_ALIGNED_TYPE): Always add u64 type.
* cipher/bithelp.h: Remove all code paths which handle the
case of !HAVE_U64_TYPEDEF.
* cipher/bufhelp.h: Ditto.
* cipher/cipher-ccm.c: Ditto.
* cipher/cipher-gcm.c: Ditto.
* cipher/cipher-internal.h: Ditto.
* cipher/cipher.c: Ditto.
* cipher/hash-common.h: Ditto.
* cipher/md.c: Ditto.
* cipher/poly1305.c: Ditto.
* cipher/scrypt.c: Ditto.
* cipher/tiger.c: Ditto.
* src/g10lib.h: Ditto.
* tests/basic.c: Ditto.
* tests/bench-slope.c: Ditto.
* tests/benchmark.c: Ditto.
--

Given that SHA-2 and some other algorithms require a 64 bit type it
no longer makes sense to conditionally compile some part when
the platform does not provide such a type.

GnuPG-bug-id: 1815.
Signed-off-by: Werner Koch <wk@gnupg.org>