libgcrypt.git
4 years ago: Change SHA-3 algorithm ids
Werner Koch [Wed, 19 Aug 2015 10:43:43 +0000 (12:43 +0200)]
Change SHA-3 algorithm ids

* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): Change values.
--

By using algorithm ids outside of the RFC-4880 range we make debugging
of GnuPG easier.

Signed-off-by: Werner Koch <wk@gnupg.org>
4 years ago: Keccak: Fix array indexes in θ step
Jussi Kivilinna [Wed, 12 Aug 2015 15:17:01 +0000 (18:17 +0300)]
Keccak: Fix array indexes in θ step

* cipher/keccak.c (keccak_f1600_state_permute): Fix indexes for D[5].
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Simplify OCB offset calculation for parallel implementations
Jussi Kivilinna [Tue, 11 Aug 2015 04:22:16 +0000 (07:22 +0300)]
Simplify OCB offset calculation for parallel implementations

* cipher/camellia-glue.c (_gcry_camellia_ocb_crypt)
(_gcry_camellia_ocb_auth): Precalculate Ls array always, instead of
just if 'blkn % <parallel blocks> == 0'.
* cipher/serpent.c (_gcry_serpent_ocb_crypt)
(_gcry_serpent_ocb_auth): Ditto.
* cipher/rijndael-aesni.c (get_l): Remove low-bit checks.
(aes_ocb_enc, aes_ocb_dec, _gcry_aes_aesni_ocb_auth): Handle leading
blocks until block counter is multiple of 4, so that parallel block
processing loop can use 'c->u_mode.ocb.L' array directly.
* tests/basic.c (check_ocb_cipher_largebuf): Rename to...
(check_ocb_cipher_largebuf_split): ...this and add option to process
large buffer as two split buffers.
(check_ocb_cipher_largebuf): New.
--

Patch simplifies source and reduces object size.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Add carryless 8-bit addition fast-path for AES-NI CTR mode
Jussi Kivilinna [Mon, 10 Aug 2015 17:48:02 +0000 (20:48 +0300)]
Add carryless 8-bit addition fast-path for AES-NI CTR mode

* cipher/rijndael-aesni.c (do_aesni_ctr_4): Do addition using
CTR in big-endian form, if least-significant byte does not overflow.
--

Patch improves AES-NI CTR speed by 20%.

Benchmark on Intel Haswell (3.2 GHz):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CTR enc |     0.273 ns/B    3489.8 MiB/s     0.875 c/B
        CTR dec |     0.273 ns/B    3491.0 MiB/s     0.874 c/B

After:
        CTR enc |     0.228 ns/B    4190.0 MiB/s     0.729 c/B
        CTR dec |     0.228 ns/B    4190.2 MiB/s     0.729 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
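The fast path this commit describes, as an added example written for this page rather than libgcrypt's own code: a 16-byte big-endian CTR counter for a batch of four parallel blocks. When adding 0..4 to the least-significant byte cannot overflow it, the other fifteen bytes are copied unchanged and no carry logic runs; otherwise the generic carry-propagating increment is used. All names (ctr_increment_be, ctr_prepare_batch, ctr_selfcheck) are this example's own, and the self-check drives both paths against a reference of repeated generic increments.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libgcrypt code: 128-bit big-endian CTR counter with a
   "carryless" fast path for a batch of PARALLEL_BLOCKS blocks. */

#define BLOCKSIZE 16
#define PARALLEL_BLOCKS 4

/* Generic path: add 1 to a big-endian counter, propagating the carry
   through every byte that wraps to zero. */
static void ctr_increment_be(uint8_t ctr[BLOCKSIZE])
{
    int i;
    for (i = BLOCKSIZE - 1; i >= 0; i--)
        if (++ctr[i] != 0)   /* no carry out of this byte: done */
            break;
}

/* Produce the PARALLEL_BLOCKS counter blocks for one batch and advance ctr
   past them. Returns 1 when the fast path was taken, 0 otherwise (the flag
   exists only so the self-check can observe which path ran). */
static int ctr_prepare_batch(uint8_t ctr[BLOCKSIZE],
                             uint8_t out[PARALLEL_BLOCKS][BLOCKSIZE])
{
    /* Fast path is valid when adding 0..PARALLEL_BLOCKS to the least
       significant byte cannot overflow it: no carry can reach the other
       15 bytes, so they are copied as they are. */
    int fast = ctr[BLOCKSIZE - 1] <= 0xFF - PARALLEL_BLOCKS;
    size_t b;

    for (b = 0; b < PARALLEL_BLOCKS; b++) {
        memcpy(out[b], ctr, BLOCKSIZE);
        if (fast)
            out[b][BLOCKSIZE - 1] = (uint8_t)(ctr[BLOCKSIZE - 1] + b);
        else
            ctr_increment_be(ctr);   /* slow path: full carry per block */
    }
    if (fast)
        ctr[BLOCKSIZE - 1] = (uint8_t)(ctr[BLOCKSIZE - 1] + PARALLEL_BLOCKS);
    return fast;
}

/* Reports which path a batch takes for an all-zero counter whose low byte
   is 'low' (fast path for low <= 0xFB, slow path above that). */
static int ctr_batch_takes_fast_path(unsigned low)
{
    uint8_t ctr[BLOCKSIZE] = {0};
    uint8_t out[PARALLEL_BLOCKS][BLOCKSIZE];
    ctr[BLOCKSIZE - 1] = (uint8_t)low;
    return ctr_prepare_batch(ctr, out);
}

/* Self-check: for every starting low byte, with all higher bytes 0xFF so
   that any carry ripples through the whole block, the batch and the
   advanced counter must equal PARALLEL_BLOCKS generic increments.
   Returns the number of mismatching start values; 0 means both paths agree. */
static int ctr_selfcheck(void)
{
    int mismatches = 0;
    unsigned v;
    for (v = 0; v <= 0xFF; v++) {
        uint8_t ctr[BLOCKSIZE], ref[BLOCKSIZE];
        uint8_t out[PARALLEL_BLOCKS][BLOCKSIZE];
        size_t b;
        int bad = 0;
        memset(ctr, 0xFF, BLOCKSIZE);
        ctr[BLOCKSIZE - 1] = (uint8_t)v;
        memcpy(ref, ctr, BLOCKSIZE);
        ctr_prepare_batch(ctr, out);
        for (b = 0; b < PARALLEL_BLOCKS; b++) {
            if (memcmp(out[b], ref, BLOCKSIZE) != 0)
                bad = 1;
            ctr_increment_be(ref);
        }
        if (memcmp(ctr, ref, BLOCKSIZE) != 0)
            bad = 1;
        mismatches += bad;
    }
    return mismatches;
}

int main(void)
{
    printf("fast path for low byte 0x10: %d, for 0xFE: %d, mismatches: %d\n",
           ctr_batch_takes_fast_path(0x10), ctr_batch_takes_fast_path(0xFE),
           ctr_selfcheck());
    return 0;
}
```

The speedup comes from the fast path being taken for 252 of every 256 batches; the self-check matters because the one thing that must never change is the counter sequence itself, since CTR keystream reuse is catastrophic.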
4 years ago: Add additional SHA3 test-vectors
Jussi Kivilinna [Sun, 9 Aug 2015 15:33:35 +0000 (18:33 +0300)]
Add additional SHA3 test-vectors

* tests/basic.c (check_digests): Allow datalen to be specified so that
input data can have byte with value 0x00; Include sha3-*.h header files
to test-vector structure.
* tests/sha3-224.h: New.
* tests/sha3-256.h: New.
* tests/sha3-384.h: New.
* tests/sha3-512.h: New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Add generic SHA3 implementation
Jussi Kivilinna [Mon, 10 Aug 2015 19:09:56 +0000 (22:09 +0300)]
Add generic SHA3 implementation

* cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE): Increase blocksize when
USE_SHA3 is enabled.
* cipher/keccak.c (SHA3_DELIMITED_SUFFIX, SHAKE_DELIMITED_SUFFIX): New.
(KECCAK_STATE): Add proper state.
(KECCAK_CONTEXT): Add 'outlen'.
(rol64, keccak_f1600_state_permute, transform_blk, transform): New.
(keccak_init): Add proper initialization.
(keccak_final): Add proper finalization.
(selftests_keccak): Add selftests.
(oid_spec_sha3_224, oid_spec_sha3_256, oid_spec_sha3_384)
(oid_spec_sha3_512): Add OID.
(_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
(_gcry_digest_spec_sha3_384, _gcry_digest_spec_sha3_512): Fix output
length.
* cipher/mac-hmac.c (map_mac_algo_to_md): Fix mapping for SHA3-512.
(hmac_get_keylen): Return proper blocksizes for SHA3 algorithms.
[USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224)
(_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384)
(_gcry_mac_type_spec_hmac_sha3_512): New.
* cipher/mac-internal [USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224)
(_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384)
(_gcry_mac_type_spec_hmac_sha3_512): New.
* cipher/mac.c (mac_list) [USE_SHA3]: Add SHA3 algorithms.
* cipher/md.c (md_open): Use proper SHA-3 blocksizes for HMAC macpads.
* tests/basic.c (check_digests): Add SHA3 test vectors.
--

Patch adds generic implementation for SHA3. Currently missing with this
patch:
 - HMAC SHA3 test vectors, not available from NIST (yet?)
 - ASNs

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Optimize OCB offset calculation
Jussi Kivilinna [Mon, 10 Aug 2015 19:09:56 +0000 (22:09 +0300)]
Optimize OCB offset calculation

* cipher/cipher-internal.h (ocb_get_l): New.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
(ocb_crypt): Use 'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
* cipher/camellia-glue.c (get_l): Remove.
(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Precalculate
offset array when block count matches parallel operation size; Use
'ocb_get_l' instead of 'get_l'.
* cipher/rijndael-aesni.c (get_l): Add fast path for 75% most common
offsets.
(aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Precalculate
offset array when block count matches parallel operation size.
* cipher/rijndael-ssse3-amd64.c (get_l): Add fast path for 75% most
common offsets.
* cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Use
'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
* cipher/serpent.c (get_l): Remove.
(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Precalculate
offset array when block count matches parallel operation size; Use
'ocb_get_l' instead of 'get_l'.
* cipher/twofish.c (get_l): Remove.
(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Use 'ocb_get_l'
instead of 'get_l'.
--

Patch optimizes OCB offset calculation for generic code and
assembly implementations with parallel block processing.

Benchmark of OCB AES-NI on Intel Haswell:

 $ tests/bench-slope --cpu-mhz 3201 cipher aes

 Before:
  AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
         CTR enc |     0.274 ns/B    3483.9 MiB/s     0.876 c/B
         CTR dec |     0.273 ns/B    3490.0 MiB/s     0.875 c/B
         OCB enc |     0.289 ns/B    3296.1 MiB/s     0.926 c/B
         OCB dec |     0.299 ns/B    3189.9 MiB/s     0.957 c/B
        OCB auth |     0.260 ns/B    3670.0 MiB/s     0.832 c/B

 After:
  AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
         CTR enc |     0.273 ns/B    3489.4 MiB/s     0.875 c/B
         CTR dec |     0.273 ns/B    3487.5 MiB/s     0.875 c/B
         OCB enc |     0.248 ns/B    3852.8 MiB/s     0.792 c/B
         OCB dec |     0.261 ns/B    3659.5 MiB/s     0.834 c/B
        OCB auth |     0.227 ns/B    4205.5 MiB/s     0.726 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
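An added example, not libgcrypt's code, covering what this commit and the "Simplify OCB offset calculation for parallel implementations" commit above are about: the OCB3 (RFC 7253) L table built by GF(2^128) doubling, the per-block lookup L[ntz(n)] with a fast path for the two most common cases (odd block numbers and numbers equal to 2 mod 4, together 75% of blocks), and a precalculated offset array for a batch of four parallel blocks. All names here (ocb_ctx, ocb_double, ocb_get_l, ocb_prepare_offsets) are this example's own; L_* is supplied by the caller so the example needs no block cipher, whereas real OCB derives it as E_K(0^128).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libgcrypt code: OCB3 offset table and lookup. */

#define OCB_BLOCK 16
#define OCB_L_TABLE 64   /* L[ntz(n)] exists for any 64-bit block number n */
#define PARALLEL 4

typedef struct {
    uint8_t L_dollar[OCB_BLOCK];         /* L_$ = double(L_*) */
    uint8_t L[OCB_L_TABLE][OCB_BLOCK];   /* L_0 = double(L_$), L_i = double(L_{i-1}) */
} ocb_ctx;

/* double(S) in GF(2^128) per RFC 7253 section 2: shift left one bit and,
   if the bit shifted out was 1, xor 0x87 into the last byte. */
static void ocb_double(uint8_t out[OCB_BLOCK], const uint8_t in[OCB_BLOCK])
{
    uint8_t carry = in[0] >> 7;
    int i;
    for (i = 0; i < OCB_BLOCK - 1; i++)
        out[i] = (uint8_t)((in[i] << 1) | (in[i + 1] >> 7));
    out[OCB_BLOCK - 1] = (uint8_t)((in[OCB_BLOCK - 1] << 1) ^ (carry ? 0x87 : 0));
}

/* Number of trailing zero bits of a nonzero block number. */
static unsigned ocb_ntz(uint64_t n)
{
    unsigned z = 0;
    for (; (n & 1) == 0; n >>= 1)
        z++;
    return z;
}

/* Derive L_$ and the whole L table from L_* (caller-supplied here). */
static void ocb_setup_l(ocb_ctx *c, const uint8_t L_star[OCB_BLOCK])
{
    int i;
    ocb_double(c->L_dollar, L_star);
    ocb_double(c->L[0], c->L_dollar);
    for (i = 1; i < OCB_L_TABLE; i++)
        ocb_double(c->L[i], c->L[i - 1]);
}

/* Offset contribution for block number n (1-based): L[ntz(n)]. Odd n is
   half of all blocks and n == 2 (mod 4) another quarter, so two bit tests
   serve 75% of blocks without computing ntz. */
static const uint8_t *ocb_get_l(const ocb_ctx *c, uint64_t n)
{
    if (n & 1)
        return c->L[0];
    if (n & 2)
        return c->L[1];
    return c->L[ocb_ntz(n)];
}

/* Precalculate the running offset for PARALLEL consecutive blocks starting
   at block number 'first'. 'offset' is advanced in place for the next
   batch; offsets[] can be consumed directly by a parallel processing loop. */
static void ocb_prepare_offsets(const ocb_ctx *c, uint64_t first,
                                uint8_t offset[OCB_BLOCK],
                                uint8_t offsets[PARALLEL][OCB_BLOCK])
{
    unsigned b;
    int i;
    for (b = 0; b < PARALLEL; b++) {
        const uint8_t *l = ocb_get_l(c, first + b);
        for (i = 0; i < OCB_BLOCK; i++)
            offset[i] ^= l[i];
        memcpy(offsets[b], offset, OCB_BLOCK);
    }
}

/* Self-check with a constructed L_*: double(0x80||0^120) must be
   0^120||0x87, the fast path must agree with the ntz lookup for n = 1..256,
   and a batch starting at block 1 ends with offset L_1 ^ L_2 (because
   L_0 ^ L_1 ^ L_0 ^ L_2). Returns 1 if all of that holds, else 0. */
static int ocb_selfcheck(void)
{
    uint8_t one[OCB_BLOCK] = {0x80}, dbl[OCB_BLOCK], lstar[OCB_BLOCK];
    uint8_t offset[OCB_BLOCK] = {0}, offsets[PARALLEL][OCB_BLOCK], want[OCB_BLOCK];
    ocb_ctx c;
    uint64_t n;
    int i;

    ocb_double(dbl, one);
    if (dbl[0] != 0x00 || dbl[OCB_BLOCK - 1] != 0x87)
        return 0;
    for (i = 0; i < OCB_BLOCK; i++)
        lstar[i] = (uint8_t)(0x11 * i + 1);   /* constructed, not a real E_K(0) */
    ocb_setup_l(&c, lstar);
    for (n = 1; n <= 256; n++)
        if (ocb_get_l(&c, n) != c.L[ocb_ntz(n)])
            return 0;
    ocb_prepare_offsets(&c, 1, offset, offsets);
    for (i = 0; i < OCB_BLOCK; i++)
        want[i] = c.L[1][i] ^ c.L[2][i];
    return memcmp(offsets[0], c.L[0], OCB_BLOCK) == 0
        && memcmp(offsets[PARALLEL - 1], want, OCB_BLOCK) == 0;
}

int main(void)
{
    printf("ntz(12) = %u, self-check %s\n", ocb_ntz(12),
           ocb_selfcheck() ? "passed" : "failed");
    return 0;
}
```

Precalculating offsets[] per batch is what lets a four-block SIMD loop read its offsets from an array instead of calling the lookup per block; the self-check pins the doubling constant and the fast-path branches, since either being wrong silently changes every ciphertext and tag without any runtime error.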
4 years ago: ecc: fix Montgomery curve bugs.
NIIBE Yutaka [Mon, 10 Aug 2015 10:09:16 +0000 (19:09 +0900)]
ecc: fix Montgomery curve bugs.

* cipher/ecc.c (check_secret_key): Y1 should not be NULL when checking.
(ecc_check_secret_key): Support Montgomery curve.
* mpi/ec.c (_gcry_mpi_ec_curve_point): Fix condition.

4 years ago: Add framework to eventually support SHA3.
Werner Koch [Sat, 8 Aug 2015 08:47:55 +0000 (10:47 +0200)]
Add framework to eventually support SHA3.

* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): New.
(GCRY_MAC_HMAC_SHA3_224, GCRY_MAC_HMAC_SHA3_256)
(GCRY_MAC_HMAC_SHA3_384, GCRY_MAC_HMAC_SHA3_512): New.
* cipher/keccak.c: New with stub functions.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add keccak.c.
* configure.ac (available_digests): Add sha3.
(USE_SHA3): New.
* src/fips.c (run_hmac_selftests): Add SHA3 to the required selftests.
* cipher/md.c (digest_list) [USE_SHA3]: Add standard SHA3 algos.
(md_open): Ditto for hmac processing.
* cipher/mac-hmac.c (map_mac_algo_to_md): Add mapping.
* cipher/hmac-tests.c (run_selftests): Prepare for tests.
* cipher/pubkey-util.c (get_hash_algo): Add "sha3-xxx".
--

Note that the algos GCRY_MD_SHA3_xxx are preliminary.  We should try to
sync them with OpenPGP.

Signed-off-by: Werner Koch <wk@gnupg.org>
4 years ago: tools: Fix memory leak for functions "I" and "G".
Werner Koch [Thu, 6 Aug 2015 12:57:44 +0000 (14:57 +0200)]
tools: Fix memory leak for functions "I" and "G".

* src/mpicalc.c (do_inv, do_gcd): Init A after stack check.
--

Reported-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Werner Koch <wk@gnupg.org>
4 years ago: ecc: Free memory also when in error branch.
Ismo Puustinen [Wed, 5 Aug 2015 12:27:43 +0000 (15:27 +0300)]
ecc: Free memory also when in error branch.

* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Init DIGEST and goto
leave on error.
--

Fixing an issue found by static analysis.

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Added DIGEST init and wrote Changelog.

Signed-off-by: Werner Koch <wk@gnupg.org>
4 years ago: Add Curve25519 support.
NIIBE Yutaka [Thu, 6 Aug 2015 08:31:41 +0000 (17:31 +0900)]
Add Curve25519 support.

* cipher/ecc-curves.c (curve_aliases, domain_parms): Add Curve25519.
* tests/curves.c (N_CURVES): It's 22 now.
* src/cipher.h (PUBKEY_FLAG_DJB_TWEAK): New.
* cipher/ecc-common.h (_gcry_ecc_mont_decodepoint): New.
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): New.
* cipher/ecc.c (nist_generate_key): Handle the case of
PUBKEY_FLAG_DJB_TWEAK and Montgomery curve.
(test_ecdh_only_keys, check_secret_key): Likewise.
(ecc_generate): Support Curve25519 which is Montgomery curve with flag
PUBKEY_FLAG_DJB_TWEAK and PUBKEY_FLAG_COMP.
(ecc_encrypt_raw): Get flags from KEYPARMS and handle
PUBKEY_FLAG_DJB_TWEAK and Montgomery curve.
(ecc_decrypt_raw): Likewise.
(compute_keygrip): Handle the case of PUBKEY_FLAG_DJB_TWEAK.
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist):
PUBKEY_FLAG_EDDSA implies PUBKEY_FLAG_DJB_TWEAK.
Parse "djb-tweak" for PUBKEY_FLAG_DJB_TWEAK.

--

With PUBKEY_FLAG_DJB_TWEAK, the secret key has its MSB set and it should
always be a multiple of the cofactor.

4 years ago: Reduce code size for Twofish key-setup and remove key-dependent branch
Jussi Kivilinna [Mon, 13 Jul 2015 13:16:13 +0000 (16:16 +0300)]
Reduce code size for Twofish key-setup and remove key-dependent branch

* cipher/twofish.c (poly_to_exp): Increase size by one, change type
from byte to u16 and insert '492' to index 0.
(exp_to_poly): Increase size by 256, let new cells have zero value.
(CALC_S): Execute unconditionally with help of modified tables.
(do_twofish_setkey): Change type for 'tmp' to 'unsigned int'; Un-unroll
CALC_K256 and CALC_K phases to reduce generated object size.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Reduce amount of duplicated code in OCB bulk implementations
Jussi Kivilinna [Sun, 26 Jul 2015 20:39:51 +0000 (23:39 +0300)]
Reduce amount of duplicated code in OCB bulk implementations

* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
(ocb_crypt): Change bulk function to return number of unprocessed
blocks.
* src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth)
(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth)
(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth)
(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type
to 'size_t'.
* cipher/camellia-glue.c (get_l): Only if USE_AESNI_AVX or
USE_AESNI_AVX2 defined.
(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Change return type
to 'size_t' and return remaining blocks; Remove unaccelerated common
code path. Enable remaining common code only if USE_AESNI_AVX or
USE_AESNI_AVX2 defined; Remove unaccelerated common code.
* cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Change
return type to 'size_t' and return zero.
* cipher/serpent.c (get_l): Only if USE_SSE2, USE_AVX2 or USE_NEON
defined.
(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Change return type
to 'size_t' and return remaining blocks; Remove unaccelerated common
code path. Enable remaining common code only if USE_SSE2, USE_AVX2 or
USE_NEON defined; Remove unaccelerated common code.
* cipher/twofish.c (get_l): Only if USE_AMD64_ASM defined.
(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type
to 'size_t' and return remaining blocks; Remove unaccelerated common
code path. Enable remaining common code only if USE_AMD64_ASM defined;
Remove unaccelerated common code.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Add bulk OCB for Serpent SSE2, AVX2 and NEON implementations
Jussi Kivilinna [Sun, 26 Jul 2015 14:17:20 +0000 (17:17 +0300)]
Add bulk OCB for Serpent SSE2, AVX2 and NEON implementations

* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
functions for Serpent.
* cipher/serpent-armv7-neon.S: Add OCB assembly functions.
* cipher/serpent-avx2-amd64.S: Add OCB assembly functions.
* cipher/serpent-sse2-amd64.S: Add OCB assembly functions.
* cipher/serpent.c (_gcry_serpent_sse2_ocb_enc)
(_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth)
(_gcry_serpent_neon_ocb_enc, _gcry_serpent_neon_ocb_dec)
(_gcry_serpent_neon_ocb_auth, _gcry_serpent_avx2_ocb_enc)
(_gcry_serpent_avx2_ocb_dec, _gcry_serpent_avx2_ocb_auth): New
prototypes.
(get_l, _gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): New.
* src/cipher.h (_gcry_serpent_ocb_crypt)
(_gcry_serpent_ocb_auth): New.
* tests/basic.c (check_ocb_cipher): Add test-vector for serpent.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Add bulk OCB for Twofish AMD64 implementation
Jussi Kivilinna [Tue, 7 Jul 2015 18:52:34 +0000 (21:52 +0300)]
Add bulk OCB for Twofish AMD64 implementation

* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
functions for Twofish.
* cipher/twofish-amd64.S: Add OCB assembly functions.
* cipher/twofish.c (_gcry_twofish_amd64_ocb_enc)
(_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth): New
prototypes.
(call_sysv_fn5, call_sysv_fn6, twofish_amd64_ocb_enc)
(twofish_amd64_ocb_dec, twofish_amd64_ocb_auth, get_l)
(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): New.
* src/cipher.h (_gcry_twofish_ocb_crypt)
(_gcry_twofish_ocb_auth): New.
* tests/basic.c (check_ocb_cipher): Add test-vector for Twofish.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Add bulk OCB for Camellia AES-NI/AVX and AES-NI/AVX2 implementations
Jussi Kivilinna [Tue, 7 Jul 2015 18:49:57 +0000 (21:49 +0300)]
Add bulk OCB for Camellia AES-NI/AVX and AES-NI/AVX2 implementations

* cipher/camellia-aesni-avx-amd64.S: Add OCB assembly functions.
* cipher/camellia-aesni-avx2-amd64.S: Add OCB assembly functions.
* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
(_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
(_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
(_gcry_camellia_aesni_avx2_ocb_auth): New prototypes.
(get_l, _gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): New.
* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
functions for Camellia.
* src/cipher.h (_gcry_camellia_ocb_crypt)
(_gcry_camellia_ocb_auth): New.
* tests/basic.c (check_ocb_cipher): Add test-vector for Camellia.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Add OCB bulk mode for AES SSSE3 implementation
Jussi Kivilinna [Sun, 5 Jul 2015 17:58:56 +0000 (20:58 +0300)]
Add OCB bulk mode for AES SSSE3 implementation

* cipher/rijndael-ssse3-amd64.c (SSSE3_STATE_SIZE): New.
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): Use
'ssse3_state' for storing current SSSE3 state.
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(vpaes_ssse3_cleanup): Restore SSSE3 state from 'ssse3_state'.
(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
(_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_cfb_enc)
(_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
(_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_dec)
(_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_cbc_dec): Add 'ssse3_state'
array.
(get_l, ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_crypt)
(_gcry_aes_ssse3_ocb_auth): New.
* cipher/rijndael.c (_gcry_aes_ssse3_ocb_crypt)
(_gcry_aes_ssse3_ocb_auth): New.
(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_SSSE3]: Use SSSE3
implementation for OCB.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Fix undefined behavior wrt memcpy
Peter Wu [Sun, 26 Jul 2015 13:50:33 +0000 (16:50 +0300)]
Fix undefined behavior wrt memcpy

* cipher/cipher-gcm.c: Do not copy zero bytes from an empty buffer. Let
the function continue to add padding as needed though.
* cipher/mac-poly1305.c: If the caller requested to finish the hash
function without a copy of the result, return immediately.
--
Caught by UndefinedBehaviorSanitizer.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
4 years ago: build: ignore scissor line for the commit-msg hook
Peter Wu [Thu, 9 Jul 2015 15:11:33 +0000 (17:11 +0200)]
build: ignore scissor line for the commit-msg hook

* build-aux/git-hooks/commit-msg: Stop processing more lines when the
  scissor line is encountered.
--
This allows the command `git commit -v` to work even if the code is
longer than 72 characters. Note that comments are already ignored by the
previous line.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
4 years ago: Register DCO for Peter Wu.
Werner Koch [Thu, 23 Jul 2015 12:38:49 +0000 (14:38 +0200)]
Register DCO for Peter Wu.

--

4 years ago: rsa: Fix error in comments.
Peter Wu [Thu, 16 Jul 2015 04:59:44 +0000 (13:59 +0900)]
rsa: Fix error in comments.

* cipher/rsa.c: Fix.

--

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
4 years ago: sexp: Fix invalid deallocation in error path.
Peter Wu [Tue, 14 Jul 2015 00:53:38 +0000 (09:53 +0900)]
sexp: Fix invalid deallocation in error path.

* src/sexp.c: Fix wrong condition.

--

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
4 years ago: ecc: fix memory leak.
Peter Wu [Fri, 10 Jul 2015 01:15:26 +0000 (10:15 +0900)]
ecc: fix memory leak.

* cipher/ecc.c (ecc_verify): Release memory which was allocated before
by _gcry_pk_util_preparse_sigval.
(ecc_decrypt_raw): Likewise.

--

Caught by LeakSanitizer (LSan). Now the test suite (make check) passes
with no memleaks.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
The last commit (0a7547e487a8bc4e7ac9599c55579eb2e4a13f06) includes
wrong fixes for sexp_release.

ecc_decrypt_raw fix added by gniibe.

4 years ago: ecc: fix memory leaks.
NIIBE Yutaka [Mon, 6 Jul 2015 03:01:00 +0000 (12:01 +0900)]
ecc: fix memory leaks.

* cipher/ecc.c (ecc_generate): Fix memory leak on error of
_gcry_pk_util_parse_flaglist and _gcry_ecc_eddsa_encodepoint.
(ecc_check_secret_key): Fix memory leak on error of
_gcry_ecc_update_curve_param.
(ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Remove
unnecessary sexp_release and fix memory leak on error of
_gcry_ecc_fill_in_curve.
(ecc_decrypt_raw): Fix double free of the point kG and memory leak
on error of _gcry_ecc_os2ec.

4 years ago: mpi: Support FreeBSD 10 or later.
NIIBE Yutaka [Thu, 11 Jun 2015 07:19:49 +0000 (16:19 +0900)]
mpi: Support FreeBSD 10 or later.

* mpi/config.links: Include FreeBSD 10 to 29.

--

Thanks to Yuta SATOH.

GnuPG-bug-id: 1936, 1974

4 years ago: ecc: Add key generation flag "no-keytest".
Werner Koch [Thu, 21 May 2015 14:24:36 +0000 (16:24 +0200)]
ecc: Add key generation flag "no-keytest".

* src/cipher.h (PUBKEY_FLAG_NO_KEYTEST): New.
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag
"no-keytest".  Return an error for invalid flags of length 10.

* cipher/ecc.c (nist_generate_key): Replace arg random_level by flags
set random level depending on flags.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto.
* cipher/ecc.c (ecc_generate): Pass flags to generate function and
remove var random_level.
(nist_generate_key): Implement "no-keytest" flag.

* tests/keygen.c (check_ecc_keys): Add tests for transient-key and
no-keytest.
--

After key creation we usually run a test to check whether the keys
really work.  However for transient keys this might be too time
consuming and given that a failed test would anyway abort the process
the optional use of a flag to skip the test is appropriate.

Using Ed25519 for EdDSA and the "no-keytest" flag halves the time to
create such a key.  This was measured by looping the last test from
check_ecc_keys() 1000 times with and without the flag.

Due to a bug in the flags parser unknown flags with a length of 10
characters were not detected.  Thus the "no-keytest" flag can be
employed by all software even for libraries before this.  That bug is
however solved with this version.

Signed-off-by: Werner Koch <wk@gnupg.org>
4 years ago: ecc: Avoid double conversion to affine coordinates in keygen.
Werner Koch [Thu, 21 May 2015 09:12:42 +0000 (11:12 +0200)]
ecc: Avoid double conversion to affine coordinates in keygen.

* cipher/ecc.c (nist_generate_key): Add args r_x and r_y.
(ecc_generate): Rename vars.  Convert to affine coordinates only if
not returned by the lower level generation function.
--

nist_generate_key already needs to convert to affine coordinates to
implement Jivsov's trick.  Thus we can return them and avoid calling
it in ecc_generate again.

Signed-off-by: Werner Koch <wk@gnupg.org>
4 years ago: random: Change initial extra seeding from 2400 bits to 128 bits.
Werner Koch [Mon, 4 May 2015 14:46:02 +0000 (16:46 +0200)]
random: Change initial extra seeding from 2400 bits to 128 bits.

* random/random-csprng.c (read_pool): Reduce initial seeding.
--

See discussion starting at
 https://lists.gnupg.org/pipermail/gnupg-devel/2015-April/029750.html
and also in May.

Signed-off-by: Werner Koch <wk@gnupg.org>
4 years ago: Enable AMD64 Twofish implementation on WIN64
Jussi Kivilinna [Thu, 14 May 2015 10:07:34 +0000 (13:07 +0300)]
Enable AMD64 Twofish implementation on WIN64

* cipher/twofish-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/twofish.c (USE_AMD64_ASM): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
(twofish_amd64_encrypt_block, twofish_amd64_decrypt_block)
(twofish_amd64_ctr_enc, twofish_amd64_cbc_dec)
(twofish_amd64_cfb_dec): New wrapper functions for AMD64
assembly functions.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 Serpent implementations on WIN64
Jussi Kivilinna [Thu, 14 May 2015 10:07:48 +0000 (13:07 +0300)]
Enable AMD64 Serpent implementations on WIN64

* cipher/serpent-avx2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/serpent-sse2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/chacha20.c (USE_SSE2, USE_AVX2): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[USE_SSE2 || USE_AVX2] (ASM_FUNC_ABI): New.
(_gcry_serpent_sse2_ctr_enc, _gcry_serpent_sse2_cbc_dec)
(_gcry_serpent_sse2_cfb_dec, _gcry_serpent_avx2_ctr_enc)
(_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Add
ASM_FUNC_ABI.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 Salsa20 implementation on WIN64
Jussi Kivilinna [Thu, 14 May 2015 09:37:21 +0000 (12:37 +0300)]
Enable AMD64 Salsa20 implementation on WIN64

* cipher/salsa20-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/salsa20.c (USE_AMD64): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[USE_AMD64] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
(_gcry_salsa20_amd64_keysetup, _gcry_salsa20_amd64_ivsetup)
(_gcry_salsa20_amd64_encrypt_blocks): Add ASM_FUNC_ABI.
[USE_AMD64] (salsa20_core): Add ASM_EXTRA_STACK.
(salsa20_do_encrypt_stream) [USE_AMD64]: Add ASM_EXTRA_STACK.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 Poly1305 implementations on WIN64
Jussi Kivilinna [Thu, 14 May 2015 09:39:39 +0000 (12:39 +0300)]
Enable AMD64 Poly1305 implementations on WIN64

* cipher/poly1305-avx2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/poly1305-sse2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/poly1305-internal.h (POLY1305_SYSV_FUNC_ABI): New.
(POLY1305_USE_SSE2, POLY1305_USE_AVX2): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(OPS_FUNC_ABI): New.
(poly1305_ops_t): Use OPS_FUNC_ABI.
* cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext)
(_gcry_poly1305_amd64_sse2_finish_ext)
(_gcry_poly1305_amd64_sse2_blocks, _gcry_poly1305_amd64_avx2_init_ext)
(_gcry_poly1305_amd64_avx2_finish_ext)
(_gcry_poly1305_amd64_avx2_blocks, _gcry_poly1305_armv7_neon_init_ext)
(_gcry_poly1305_armv7_neon_finish_ext)
(_gcry_poly1305_armv7_neon_blocks, poly1305_init_ext_ref32)
(poly1305_blocks_ref32, poly1305_finish_ext_ref32)
(poly1305_init_ext_ref8, poly1305_blocks_ref8)
(poly1305_finish_ext_ref8): Use OPS_FUNC_ABI.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 3DES implementation on WIN64
Jussi Kivilinna [Thu, 14 May 2015 07:31:18 +0000 (10:31 +0300)]
Enable AMD64 3DES implementation on WIN64

* cipher/des-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/des.c (USE_AMD64_ASM): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
(tripledes_ecb_crypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call
assembly function through 'call_sysv_fn'.
(tripledes_amd64_ctr_enc, tripledes_amd64_cbc_dec)
(tripledes_amd64_cfb_dec): New wrapper functions for bulk
assembly functions.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 ChaCha20 implementations on WIN64
Jussi Kivilinna [Tue, 5 May 2015 18:02:43 +0000 (21:02 +0300)]
Enable AMD64 ChaCha20 implementations on WIN64

* cipher/chacha20-avx2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/chacha20-sse2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/chacha20-ssse3-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/chacha20.c (USE_SSE2, USE_SSSE3, USE_AVX2): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
(chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks)
(_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks)
(_gcry_chacha20_armv7_neon_blocks, chacha20_blocks): Add ASM_FUNC_ABI.
(chacha20_core): Add ASM_EXTRA_STACK.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 CAST5 implementation on WIN64
Jussi Kivilinna [Tue, 5 May 2015 17:46:10 +0000 (20:46 +0300)]
Enable AMD64 CAST5 implementation on WIN64

* cipher/cast5-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(RIP): Remove.
(GET_EXTERN_POINTER): Use 'leaq' version on WIN64.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/cast5.c (USE_AMD64_ASM): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
(do_encrypt_block, do_decrypt_block)
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly
function through 'call_sysv_fn'.
(cast5_amd64_ctr_enc, cast5_amd64_cbc_dec)
(cast5_amd64_cfb_dec): New wrapper functions for bulk
assembly functions.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 Camellia implementations on WIN64
Jussi Kivilinna [Thu, 14 May 2015 10:33:07 +0000 (13:33 +0300)]
Enable AMD64 Camellia implementations on WIN64

* cipher/camellia-aesni-avx-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/camellia-aesni-avx2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/camellia-glue.c (USE_AESNI_AVX, USE_AESNI_AVX2): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[USE_AESNI_AVX || USE_AESNI_AVX2] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
(_gcry_camellia_aesni_avx_ctr_enc, _gcry_camellia_aesni_avx_cbc_dec)
(_gcry_camellia_aesni_avx_cfb_dec, _gcry_camellia_aesni_avx_keygen)
(_gcry_camellia_aesni_avx2_ctr_enc, _gcry_camellia_aesni_avx2_cbc_dec)
(_gcry_camellia_aesni_avx2_cfb_dec): Add ASM_FUNC_ABI.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 Blowfish implementation on WIN64
Jussi Kivilinna [Sun, 3 May 2015 14:28:40 +0000 (17:28 +0300)]
Enable AMD64 Blowfish implementation on WIN64

* cipher/blowfish-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/blowfish.c (USE_AMD64_ASM): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
(do_encrypt, do_encrypt_block, do_decrypt_block)
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly
function through 'call_sysv_fn'.
(blowfish_amd64_ctr_enc, blowfish_amd64_cbc_dec)
(blowfish_amd64_cfb_dec): New wrapper functions for bulk
assembly functions.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Enable AMD64 arcfour implementation on WIN64
Jussi Kivilinna [Sun, 3 May 2015 14:06:56 +0000 (17:06 +0300)]
Enable AMD64 arcfour implementation on WIN64

* cipher/arcfour-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/arcfour.c (USE_AMD64_ASM): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(do_encrypt, do_decrypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Use
assembly block to call AMD64 assembly function.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: Update documentation for Poly1305-ChaCha20 AEAD, RFC-7539
Jussi Kivilinna [Thu, 14 May 2015 07:02:51 +0000 (10:02 +0300)]
Update documentation for Poly1305-ChaCha20 AEAD, RFC-7539

* cipher/cipher-poly1305.c: Add RFC-7539 to header.
* doc/gcrypt.texi: Update Poly1305 AEAD documentation with mention of
RFC-7539; Drop Salsa from supported stream ciphers for Poly1305 AEAD.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: hwf-x86: use edi for passing value to ebx for i386 cpuid
Jussi Kivilinna [Fri, 8 May 2015 15:07:51 +0000 (18:07 +0300)]
hwf-x86: use edi for passing value to ebx for i386 cpuid

* src/hwf-x86.c [__i386__] (get_cpuid): Use '=D' for regs[1] instead
of '=r'.
--

On Win32, %ebx can be assigned for '=r' (regs[1]). This results in invalid
assembly:
pushl %ebx
movl %ebx, %ebx
cpuid
movl %ebx, %ebx
popl %ebx

So use '=D' (%esi) for regs[1] instead.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: hwf-x86: add EDX as output register for xgetbv asm block
Jussi Kivilinna [Mon, 4 May 2015 17:09:51 +0000 (20:09 +0300)]
hwf-x86: add EDX as output register for xgetbv asm block

* src/hwf-x86.c (get_xgetbv): Add EDX as output.
--

XGETBV instruction modifies EAX:EDX register pair, so we need to mark
EDX as output to let compiler know that contents in this register are
lost.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
4 years ago: build: Update build-aux files.
Werner Koch [Mon, 4 May 2015 08:29:22 +0000 (10:29 +0200)]
build: Update build-aux files.

Signed-off-by: Werner Koch <wk@gnupg.org>
4 years ago: Fix possible regression on old 32 bit mingw compilers.
Werner Koch [Mon, 4 May 2015 08:22:24 +0000 (10:22 +0200)]
Fix possible regression on old 32 bit mingw compilers.

* acinclude.m4: Add new pattern for mingw32.

Signed-off-by: Werner Koch <wk@gnupg.org>
build: Add new file.
Werner Koch [Mon, 4 May 2015 08:23:12 +0000 (10:23 +0200)]

* mpi/amd64/distfiles: Add func_abi.h.

Signed-off-by: Werner Koch <wk@gnupg.org>
Fix WIN64 assembly glue for AES
Jussi Kivilinna [Sun, 3 May 2015 14:16:08 +0000 (17:16 +0300)]

* cipher/rijndael.c (do_encrypt, do_decrypt)
[!HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Change input operands to
input+output to mark volatile nature of the used registers.
--

Function arguments cannot be passed to assembly block as input operands
as target function modifies those input registers.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add '1 million a characters' test vectors
Jussi Kivilinna [Sat, 2 May 2015 22:24:50 +0000 (01:24 +0300)]

* tests/basic.c (check_digests): Add "!" test vectors for MD5, SHA-384,
SHA-512, RIPEMD160 and CRC32.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
More optimized CRC implementations
Jussi Kivilinna [Sat, 2 May 2015 21:34:34 +0000 (00:34 +0300)]

* cipher/crc.c (crc32_table, crc24_table): Replace with new table
contents.
(update_crc32, CRC24_INIT, CRC24_POLY): Remove.
(crc32_next, crc32_next4, crc24_init, crc24_next, crc24_next4)
(crc24_final): New.
(crc24rfc2440_init): Use crc24_init.
(crc32_write): Rewrite to use crc32_next & crc32_next4.
(crc24_write): Rewrite to use crc24_next & crc24_next4.
(crc32_final, crc32rfc1510_final): Use buf_put_be32.
(crc24rfc2440_final): Use crc24_final & buf_put_le32.
* tests/basic.c (check_digests): Add CRC "123456789" tests.
--

Patch adds more optimized CRC implementations generated with universal_crc
tool by Danjel McGougan: http://www.mcgougan.se/universal_crc/

Benchmark on Intel Haswell (no-turbo, 3200 MHz):

Before:
 CRC32          |      2.52 ns/B     378.3 MiB/s      8.07 c/B
 CRC32RFC1510   |      2.52 ns/B     378.1 MiB/s      8.07 c/B
 CRC24RFC2440   |     46.62 ns/B     20.46 MiB/s     149.2 c/B

After:
 CRC32          |     0.918 ns/B    1039.3 MiB/s      2.94 c/B
 CRC32RFC1510   |     0.918 ns/B    1039.0 MiB/s      2.94 c/B
 CRC24RFC2440   |     0.918 ns/B    1039.4 MiB/s      2.94 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
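To make the crc32_next / crc32_next4 split concrete, here is an added example (not libgcrypt's cipher/crc.c) of table-driven CRC32 (IEEE 802.3: reflected, polynomial 0xEDB88320, init and final xor 0xFFFFFFFF) and CRC24 as used by OpenPGP (RFC 2440: non-reflected, polynomial 0x864CFB, init 0xB704CE). CRC32 gets both a byte-at-a-time step and a four-bytes-at-a-time "slicing" step; the tables are generated on first use rather than stored as constants. Function and table names are this example's own, and the "123456789" input is the standard CRC check string the commit's tests also use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not libgcrypt code.  Names are this example's own. */

static uint32_t crc32_tab[4][256];
static uint32_t crc24_tab[256];
static int tables_ready;

static void init_tables(void)
{
  unsigned int i, j, k;
  if (tables_ready)
    return;
  for (i = 0; i < 256; i++)
    {
      uint32_t c = i;
      for (k = 0; k < 8; k++)                      /* reflected polynomial */
        c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
      crc32_tab[0][i] = c;
    }
  for (i = 0; i < 256; i++)                        /* slicing tables */
    for (j = 1; j < 4; j++)
      crc32_tab[j][i] = (crc32_tab[j - 1][i] >> 8)
                        ^ crc32_tab[0][crc32_tab[j - 1][i] & 0xffu];
  for (i = 0; i < 256; i++)
    {
      uint32_t c = (uint32_t)i << 16;
      for (k = 0; k < 8; k++)                      /* MSB-first polynomial */
        c = (c & 0x800000u) ? ((c << 1) ^ 0x864CFBu) : (c << 1);
      crc24_tab[i] = c & 0xFFFFFFu;
    }
  tables_ready = 1;
}

/* Fold one byte into the CRC32 register. */
static uint32_t crc32_next(uint32_t crc, unsigned char b)
{
  return crc32_tab[0][(crc ^ b) & 0xffu] ^ (crc >> 8);
}

/* Fold four bytes at once: xor them in as a little-endian word, then
   look up each register byte in its own table. */
static uint32_t crc32_next4(uint32_t crc, const unsigned char *p)
{
  crc ^= (uint32_t)p[0] | (uint32_t)p[1] << 8
       | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
  return crc32_tab[3][crc & 0xffu] ^ crc32_tab[2][(crc >> 8) & 0xffu]
       ^ crc32_tab[1][(crc >> 16) & 0xffu] ^ crc32_tab[0][crc >> 24];
}

uint32_t crc32_ieee(const void *data, size_t len)
{
  const unsigned char *p = data;
  uint32_t crc = 0xFFFFFFFFu;
  init_tables();
  for (; len >= 4; len -= 4, p += 4)
    crc = crc32_next4(crc, p);
  for (; len; len--, p++)                         /* tail bytes */
    crc = crc32_next(crc, *p);
  return crc ^ 0xFFFFFFFFu;
}

/* Byte-at-a-time reference to check the slicing path against. */
uint32_t crc32_bytewise(const void *data, size_t len)
{
  const unsigned char *p = data;
  uint32_t crc = 0xFFFFFFFFu;
  init_tables();
  for (; len; len--, p++)
    crc = crc32_next(crc, *p);
  return crc ^ 0xFFFFFFFFu;
}

uint32_t crc24_rfc2440(const void *data, size_t len)
{
  const unsigned char *p = data;
  uint32_t crc = 0xB704CEu;
  init_tables();
  for (; len; len--, p++)
    crc = ((crc << 8) ^ crc24_tab[((crc >> 16) ^ *p) & 0xffu]) & 0xFFFFFFu;
  return crc;
}

int main(void)
{
  const char *msg = "123456789";   /* standard CRC check input */
  printf("CRC32(\"%s\") = %08x\n", msg, crc32_ieee(msg, strlen(msg)));
  printf("CRC24(\"%s\") = %06x\n", msg, crc24_rfc2440(msg, strlen(msg)));
  return 0;
}
```

A CRC is an integrity check only, not a MAC: the slicing path here changes speed, not the (non-cryptographic) strength, which is why CRC24 in OpenPGP only guards against accidental corruption of armored data.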
Enable AMD64 AES implementation for WIN64
Jussi Kivilinna [Sat, 2 May 2015 10:27:06 +0000 (13:27 +0300)]

* cipher/rijndael-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/rijndael-internal.h (USE_AMD64_ASM): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(do_encrypt, do_decrypt)
[USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Use
assembly block to call AMD64 assembly encrypt/decrypt function.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable AMD64 Whirlpool implementation for WIN64
Jussi Kivilinna [Sat, 2 May 2015 10:26:46 +0000 (13:26 +0300)]

* cipher/whirlpool-sse2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/whirlpool.c (USE_AMD64_ASM): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[USE_AMD64_ASM] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
[USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64): Add ASM_FUNC_ABI to
prototype.
[USE_AMD64_ASM] (whirlpool_transform): Add ASM_EXTRA_STACK to stack
burn value.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable AMD64 SHA512 implementations for WIN64
Jussi Kivilinna [Sat, 2 May 2015 10:05:12 +0000 (13:05 +0300)]

* cipher/sha512-avx-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/sha512-avx-bmi2-amd64.S: Ditto.
* cipher/sha512-ssse3-amd64.S: Ditto.
* cipher/sha512.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI)
(ASM_EXTRA_STACK): New.
(_gcry_sha512_transform_amd64_ssse3, _gcry_sha512_transform_amd64_avx)
(_gcry_sha512_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to
prototypes.
(transform): Add ASM_EXTRA_STACK to stack burn value.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable AMD64 SHA256 implementations for WIN64
Jussi Kivilinna [Sat, 2 May 2015 10:05:02 +0000 (13:05 +0300)]

* cipher/sha256-avx-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/sha256-avx2-bmi2-amd64.S: Ditto.
* cipher/sha256-ssse3-amd64.S: Ditto.
* cipher/sha256.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI)
(ASM_EXTRA_STACK): New.
(_gcry_sha256_transform_amd64_ssse3, _gcry_sha256_transform_amd64_avx)
(_gcry_sha256_transform_amd64_avx2): Add ASM_FUNC_ABI to prototypes.
(transform): Add ASM_EXTRA_STACK to stack burn value.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable AMD64 SHA1 implementations for WIN64
Jussi Kivilinna [Sat, 2 May 2015 09:57:07 +0000 (12:57 +0300)]

* cipher/sha1-avx-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
* cipher/sha1-avx-bmi2-amd64.S: Ditto.
* cipher/sha1-ssse3-amd64.S: Ditto.
* cipher/sha1.c (USE_SSSE3, USE_AVX, USE_BMI2): Enable
when HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
[USE_SSSE3 || USE_AVX || USE_BMI2] (ASM_FUNC_ABI)
(ASM_EXTRA_STACK): New.
(_gcry_sha1_transform_amd64_ssse3, _gcry_sha1_transform_amd64_avx)
(_gcry_sha1_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to
prototypes.
(transform): Add ASM_EXTRA_STACK to stack burn value.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable AES/AES-NI, AES/SSSE3 and GCM/PCLMUL implementations on WIN64
Jussi Kivilinna [Wed, 29 Apr 2015 15:18:07 +0000 (18:18 +0300)]

* cipher/cipher-gcm-intel-pclmul.c (_gcry_ghash_intel_pclmul)
( _gcry_ghash_intel_pclmul) [__WIN64__]: Store non-volatile vector
registers before use and restore after.
* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Remove dependency
on !defined(__WIN64__).
* cipher/rijndael-aesni.c [__WIN64__] (aesni_prepare_2_6_variable,
aesni_prepare, aesni_prepare_2_6, aesni_cleanup)
( aesni_cleanup_2_6): New.
[!__WIN64__] (aesni_prepare_2_6_variable, aesni_prepare_2_6): New.
(_gcry_aes_aesni_do_setkey, _gcry_aes_aesni_cbc_enc)
(_gcry_aesni_ctr_enc, _gcry_aesni_cfb_dec, _gcry_aesni_cbc_dec)
(_gcry_aesni_ocb_crypt, _gcry_aesni_ocb_auth): Use
'aesni_prepare_2_6'.
* cipher/rijndael-internal.h (USE_SSSE3): Enable if
HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS or
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS.
(USE_AESNI): Remove dependency on !defined(__WIN64__)
* cipher/rijndael-ssse3-amd64.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
(vpaes_ssse3_prepare, vpaes_ssse3_cleanup): New.
[!HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): New.
(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec): Use
'vpaes_ssse3_prepare'.
(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption): Use
'vpaes_ssse3_prepare' and 'vpaes_ssse3_cleanup'.
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (X): Add masking macro to
exclude '.type' and '.size' markers from assembly code, as they are
not supported on WIN64/COFF objects.
* configure.ac (gcry_cv_gcc_attribute_ms_abi)
(gcry_cv_gcc_attribute_sysv_abi, gcry_cv_gcc_default_abi_is_ms_abi)
(gcry_cv_gcc_default_abi_is_sysv_abi)
(gcry_cv_gcc_win64_platform_as_ok): New checks.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add W64 support for mpi amd64 assembly
Jussi Kivilinna [Wed, 29 Apr 2015 15:18:07 +0000 (18:18 +0300)]

* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Set
'ac_cv_sys_symbol_underscore=no' on MingW-W64.
* mpi/amd64/func_abi.h: New.
* mpi/amd64/mpih-add1.S (_gcry_mpih_add_n): Add FUNC_ENTRY and FUNC_EXIT.
* mpi/amd64/mpih-lshift.S (_gcry_mpih_lshift): Ditto.
* mpi/amd64/mpih-mul1.S (_gcry_mpih_mul_1): Ditto.
* mpi/amd64/mpih-mul2.S (_gcry_mpih_addmul_1): Ditto.
* mpi/amd64/mpih-mul3.S (_gcry_mpih_submul_1): Ditto.
* mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Ditto.
* mpi/amd64/mpih-sub1.S (_gcry_mpih_sub_n): Ditto.
* mpi/config.links [host=x86_64-*mingw*]: Enable assembly modules.
[host=x86_64-*-*]: Append mpi/amd64/func_abi.h to mpi/asm-syntax.h.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
DES: Silence compiler warnings on Windows
Jussi Kivilinna [Fri, 1 May 2015 16:15:34 +0000 (19:15 +0300)]

* cipher/des.c (working_memcmp): Make pointer arguments 'const void *'.
--

Following warning seen on Windows target build:

des.c: In function 'is_weak_key':
des.c:1019:40: warning: pointer targets in passing argument 1 of 'working_memcmp' differ in signedness [-Wpointer-sign]
       if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) )
                                        ^
des.c:149:1: note: expected 'const char *' but argument is of type 'unsigned char *'
 working_memcmp( const char *a, const char *b, size_t n )
 ^
des.c:1019:46: warning: pointer targets in passing argument 2 of 'working_memcmp' differ in signedness [-Wpointer-sign]
       if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) )
                                              ^
des.c:149:1: note: expected 'const char *' but argument is of type 'unsigned char *'
 working_memcmp( const char *a, const char *b, size_t n )
 ^

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Cast pointers to integers using uintptr_t instead of long
Jussi Kivilinna [Wed, 29 Apr 2015 15:18:07 +0000 (18:18 +0300)]

Fix rndhw for 64-bit Windows build
Jussi Kivilinna [Wed, 29 Apr 2015 15:18:07 +0000 (18:18 +0300)]

* configure.ac: Add sizeof check for 'void *'.
* random/rndhw.c (poll_padlock): Check for SIZEOF_VOID_P == 8
instead of defined(__LP64__).
(RDRAND_LONG): Check for SIZEOF_UNSIGNED_LONG == 8 instead of
defined(__LP64__).
--

__LP64__ is not predefined for 64-bit mingw64-gcc, which caused wrong
assembly code selections. Do selection based on type sizes instead,
to support x86_64, x32 and win64 properly.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Prepare random/win32.c fast poll for 64-bit Windows
Jussi Kivilinna [Wed, 29 Apr 2015 15:18:07 +0000 (18:18 +0300)]

* random/win32.c (_gcry_rndw32_gather_random_fast) [ADD]: Rename to
ADDINT.
(_gcry_rndw32_gather_random_fast): Add ADDPTR.
(_gcry_rndw32_gather_random_fast): Disable entropy gathering from
GetQueueStatus(QS_ALLEVENTS).
(_gcry_rndw32_gather_random_fast): Change minimumWorkingSetSize and
maximumWorkingSetSize to SIZE_T from DWORD.
(_gcry_rndw32_gather_random_fast): Only add lower 32-bits of
minimumWorkingSetSize and maximumWorkingSetSize to random poll.
(_gcry_rndw32_gather_random_fast) [__WIN64__]: Read TSC directly
using intrinsic.
--

Introduce entropy gatherer changes related to 64-bit Windows platform as done
in cryptlib fast poll:
 - Change ADD macro to ADDPTR/ADDINT to handle pointer values. ADDPTR
   discards high 32-bits of 64-bit pointer values.
 - minimum/maximumWorkingSetSize changed to SIZE_T type to avoid stack
   corruption on 64-bit; only low 32-bits are used for entropy.
 - Use __rdtsc() intrinsic on 64-bit (as TSC is always available).

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Disable GCM and AES-NI assembly implementations for WIN64
Jussi Kivilinna [Wed, 29 Apr 2015 15:18:07 +0000 (18:18 +0300)]

* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Do not enable when
__WIN64__ defined.
* cipher/rijndael-internal.h (USE_AESNI): Ditto.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Disable building mpi assembly routines on WIN64
Jussi Kivilinna [Wed, 29 Apr 2015 15:18:07 +0000 (18:18 +0300)]

* mpi/config.links: Disable assembly for host 'x86_64-*mingw32*'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix packed attribute check for Windows targets
Jussi Kivilinna [Fri, 1 May 2015 16:07:07 +0000 (19:07 +0300)]

* configure.ac (gcry_cv_gcc_attribute_packed): Move 'long b' to its
own packed structure.
--

Change packed attribute test so that it works with both MS ABI and SYSV ABI.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix tail handling in buf_xor_1
Jussi Kivilinna [Fri, 1 May 2015 15:50:34 +0000 (18:50 +0300)]

* cipher/bufhelp.h (buf_xor_1): Increment source pointer at tail
handling.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add --disable-hwf for basic tests
Jussi Kivilinna [Fri, 1 May 2015 12:03:38 +0000 (15:03 +0300)]

* tests/basic.c (main): Add handling for '--disable-hwf'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Use more odd chunk sizes for check_one_md
Jussi Kivilinna [Fri, 1 May 2015 11:55:58 +0000 (14:55 +0300)]

* tests/basic.c (check_one_md): Make chunk size vary oddly, instead
of using fixed length of 1000 bytes.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable more modes in basic ciphers test
Jussi Kivilinna [Fri, 1 May 2015 11:33:29 +0000 (14:33 +0300)]

* src/gcrypt.h.in (GCRY_OCB_BLOCK_LEN): New.
* tests/basic.c (check_one_cipher_core_reset): New.
(check_one_cipher_core): Use check_one_cipher_core_reset in place of
gcry_cipher_reset.
(check_ciphers): Add CCM and OCB modes for block cipher tests.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix resetting cipher in OCB mode
Jussi Kivilinna [Fri, 1 May 2015 11:32:36 +0000 (14:32 +0300)]

* cipher/cipher.c (cipher_reset): Setup default taglen for OCB after
clearing state.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix buggy RC4 AMD64 assembly and add test to notice similar issues
Jussi Kivilinna [Thu, 30 Apr 2015 13:57:57 +0000 (16:57 +0300)]

* cipher/arcfour-amd64.S (_gcry_arcfour_amd64): Fix swapped store of
'x' and 'y'.
* tests/basic.c (get_algo_mode_blklen): New.
(check_one_cipher_core): Add new tests for split buffer input on
encryption and decryption.
--

Reported-by: Dima Kukulniak <dima.ky@gmail.com>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Disallow compiler from generating SSE instructions in mixed C+asm source
Jussi Kivilinna [Wed, 22 Apr 2015 17:29:05 +0000 (20:29 +0300)]

* cipher/cipher-gcm-intel-pclmul.c [gcc-version >= 4.4]: Add GCC target
pragma to disable compiler use of SSE.
* cipher/rijndael-aesni.c [gcc-version >= 4.4]: Ditto.
* cipher/rijndael-ssse3-amd64.c [gcc-version >= 4.4]: Ditto.
--

These implementations assume that compiler does not use XMM registers
between assembly blocks.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add OCB bulk crypt/auth functions for AES/AES-NI
Jussi Kivilinna [Sat, 18 Apr 2015 14:41:34 +0000 (17:41 +0300)]

* cipher/cipher-internal.h (gcry_cipher_handle): Add bulk.ocb_crypt
and bulk.ocb_auth.
(_gcry_cipher_ocb_get_l): New prototype.
* cipher/cipher-ocb.c (get_l): Rename to ...
(_gcry_cipher_ocb_get_l): ... this.
(_gcry_cipher_ocb_authenticate, ocb_crypt): Use bulk function when
available.
* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
functions for AES.
* cipher/rijndael-aesni.c (get_l, aesni_ocb_enc, aes_ocb_dec)
(_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): New.
* cipher/rijndael.c [USE_AESNI] (_gcry_aes_aesni_ocb_crypt)
(_gcry_aes_aesni_ocb_auth): New prototypes.
(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New.
* src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New
prototypes.
* tests/basic.c (check_ocb_cipher_largebuf): New.
(check_ocb_cipher): Add large buffer encryption/decryption test.
--

Patch adds bulk encryption/decryption/authentication code for AES-NI
accelerated AES.

Benchmark on Intel i5-4570 (3200 MHz, turbo off):

Before:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        OCB enc |      2.12 ns/B     449.7 MiB/s      6.79 c/B
        OCB dec |      2.12 ns/B     449.6 MiB/s      6.79 c/B
       OCB auth |      2.07 ns/B     459.9 MiB/s      6.64 c/B

After:
 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        OCB enc |     0.292 ns/B    3262.5 MiB/s     0.935 c/B
        OCB dec |     0.297 ns/B    3212.2 MiB/s     0.950 c/B
       OCB auth |     0.260 ns/B    3666.1 MiB/s     0.832 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
tests: Add option to time the S2K function.
Werner Koch [Wed, 15 Apr 2015 10:34:38 +0000 (12:34 +0200)]

* tests/t-kdf.c: Include stopwatch.h.
(dummy_consumer): new.
(bench_s2k): New.
(main): Add option parser and option --s2k.
--

For example:

  $ ./t-kdf --s2k 17659904
 88.0ms
  $ ./t-kdf --s2k 65536
  0.3ms

This test is similar to the code done by gpg-agent to calibrate the
S2K count.

tests: Improve stopwatch.h
Werner Koch [Wed, 15 Apr 2015 10:30:50 +0000 (12:30 +0200)]

* tests/stopwatch.h (elapsed_time): Add arg divisor.

mpi: Fix gcry_mpi_copy for NULL opaque data.
Werner Koch [Mon, 13 Apr 2015 09:48:33 +0000 (11:48 +0200)]

* mpi/mpiutil.c (_gcry_mpi_copy): Copy opaque only if needed.
--

gcry_mpi_set_opaque allows to store NULL as opaque data.  Thus we also
need to take care when copying such data.

Signed-off-by: Werner Koch <wk@gnupg.org>
Add git url to AUTHORS
Werner Koch [Sun, 12 Apr 2015 17:50:49 +0000 (19:50 +0200)]

--

wipememory: use one-byte aligned type for unaligned memory accesses
Jussi Kivilinna [Sat, 21 Mar 2015 11:01:38 +0000 (13:01 +0200)]

* src/g10lib.h (fast_wipememory2_unaligned_head): Enable unaligned
access only when HAVE_GCC_ATTRIBUTE_PACKED and
HAVE_GCC_ATTRIBUTE_ALIGNED defined.
(fast_wipememory_t): New.
(fast_wipememory2): Use 'fast_wipememory_t'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
bufhelp: use one-byte aligned type for unaligned memory accesses
Jussi Kivilinna [Sat, 21 Mar 2015 11:01:38 +0000 (13:01 +0200)]

* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only when
HAVE_GCC_ATTRIBUTE_PACKED and HAVE_GCC_ATTRIBUTE_ALIGNED are defined.
(bufhelp_int_t): New type.
(buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst, buf_xor_n_copy_2): Use
'bufhelp_int_t'.
[BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_u32_t, bufhelp_u64_t): New.
[BUFHELP_FAST_UNALIGNED_ACCESS] (buf_get_be32, buf_get_le32)
(buf_put_be32, buf_put_le32, buf_get_be64, buf_get_le64)
(buf_put_be64, buf_put_le64): Use 'bufhelp_uXX_t'.
* configure.ac (gcry_cv_gcc_attribute_packed): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
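The wipememory and bufhelp commits above both replace plain integer-pointer casts with a one-byte-aligned wrapper type. Dereferencing a uint32_t pointer that is not 4-byte aligned is undefined behaviour in C: some CPUs fault, others tolerate it, and the compiler may emit code that assumes alignment the pointer does not have. A struct declared packed and aligned(1) tells the compiler the true alignment, so it emits the correct unaligned load (a plain mov on x86, byte loads on strict-alignment targets). The following is an added example, not libgcrypt's bufhelp.h or g10lib.h; the type and function names are this example's own, and the configure-time check for attribute support is replaced by a simple __GNUC__ test.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not libgcrypt code.  Names are this example's own. */

#if defined(__GNUC__)
# define FAST_UNALIGNED_ACCESS 1
typedef struct { uint32_t a; } __attribute__((packed, aligned(1))) u32_unaligned_t;
typedef struct { uintptr_t a; } __attribute__((packed, aligned(1))) wipe_word_t;
#else
# define FAST_UNALIGNED_ACCESS 0
#endif

static uint32_t swap32(uint32_t v)
{
  return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

static int host_is_little_endian(void)
{
  const uint32_t one = 1;
  unsigned char first;
  memcpy(&first, &one, 1);
  return first == 1;
}

/* Read a big-endian 32-bit value from any address. */
uint32_t buf_get_be32(const void *p)
{
#if FAST_UNALIGNED_ACCESS
  uint32_t v = ((const u32_unaligned_t *)p)->a;   /* compiler knows: unaligned */
  return host_is_little_endian() ? swap32(v) : v;
#else
  const unsigned char *b = p;                      /* portable byte assembly */
  return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
#endif
}

/* Store a little-endian 32-bit value to any address. */
void buf_put_le32(void *p, uint32_t v)
{
#if FAST_UNALIGNED_ACCESS
  ((u32_unaligned_t *)p)->a = host_is_little_endian() ? v : swap32(v);
#else
  unsigned char *b = p;
  b[0] = (unsigned char)v;        b[1] = (unsigned char)(v >> 8);
  b[2] = (unsigned char)(v >> 16); b[3] = (unsigned char)(v >> 24);
#endif
}

/* Wipe LEN bytes at PTR a word at a time through a volatile, one-byte
   aligned word type: volatile keeps the compiler from dropping the stores
   as dead (the buffer is usually about to go out of scope), and the packed
   type keeps it from assuming word alignment of PTR. */
void wipememory(void *ptr, size_t len)
{
  volatile unsigned char *p = ptr;
#if FAST_UNALIGNED_ACCESS
  while (len >= sizeof(uintptr_t))
    {
      ((volatile wipe_word_t *)p)->a = 0;
      p += sizeof(uintptr_t);
      len -= sizeof(uintptr_t);
    }
#endif
  while (len--)                     /* tail bytes */
    *p++ = 0;
}

/* Round trip through every alignment residue; 1 on success, 0 on failure. */
int unaligned_selftest(void)
{
  unsigned char buf[16];
  size_t off, i;
  for (off = 0; off < 4; off++)
    {
      memset(buf, 0xAA, sizeof buf);
      buf_put_le32(buf + off, 0x11223344u);
      if (buf[off] != 0x44 || buf[off + 3] != 0x11)
        return 0;
      if (buf_get_be32(buf + off) != 0x44332211u)   /* same bytes read big-endian */
        return 0;
      wipememory(buf + off, sizeof buf - off);
      for (i = off; i < sizeof buf; i++)
        if (buf[i] != 0)
          return 0;
      if (off && buf[off - 1] != 0xAA)   /* bytes before the region untouched */
        return 0;
    }
  return 1;
}
```

Running such a test under a sanitizer (-fsanitize=undefined,alignment) is the quickest way to notice a helper that still casts to a plain integer pointer: the packed-type version is silent, the naive cast is reported on every odd offset.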
tests/bench-slope: fix memory-leak and use-after-free bugs
Jussi Kivilinna [Sat, 21 Mar 2015 11:01:38 +0000 (13:01 +0200)]

* tests/bench-slope.c (do_slope_benchmark): Free 'measurements' at end.
(bench_mac_init): Move 'key' free at end of function.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix two pedantic warnings.
Werner Koch [Thu, 19 Mar 2015 09:43:55 +0000 (10:43 +0100)]

* src/gcrypt.h.in (gcry_mpi_flag, gcry_mac_algos): Remove trailing
comma.
--

Reported-by: Opal Raava <opalraava@hushmail.com>
Signed-off-by: Werner Koch <wk@gnupg.org>
Use well defined type instead of size_t in secmem.c
Werner Koch [Mon, 16 Mar 2015 10:50:23 +0000 (11:50 +0100)]

* src/secmem.c (ptr_into_pool_p): Replace size_t by uintptr_t.
--

This is more or less cosmetic.

Signed-off-by: Werner Koch <wk@gnupg.org>
Make uintptr_t global available.
Werner Koch [Mon, 16 Mar 2015 10:32:07 +0000 (11:32 +0100)]

* cipher/bufhelp.h: Move include for uintptr_t to ...
* src/types.h: here.  Check that config.h has been included.

Signed-off-by: Werner Koch <wk@gnupg.org>
Indentation fix.
Werner Koch [Mon, 16 Mar 2015 08:32:44 +0000 (09:32 +0100)]

--

mpi: Remove useless condition.
Werner Koch [Mon, 16 Mar 2015 08:29:27 +0000 (09:29 +0100)]

* mpi/mpi-pow.c: Remove condition rp==mp.
--

MP has already been allocated and thus can't match RP.  The following
assert would have been triggered anyway due to the prior allocation.

Detected by Stack 0.3.

cipher: Remove useless NULL check.
Werner Koch [Mon, 16 Mar 2015 08:01:24 +0000 (09:01 +0100)]

* cipher/hash-common.c (_gcry_md_block_write): Remove NUL check for
hd->buf.
--

HD->BUF is not allocated but part of the struct.  HD has already been
dereferenced twice thus the check does not make sense.  Detected by
Stack 0.3:

  bug: anti-simplify
  model: |
    %cmp4 = icmp eq i8* %arraydecay, null, !dbg !29
    -->  false
  stack:
    - /home/wk/s/libgcrypt/cipher/hash-common.c:114:0
  ncore: 1
  core:
    - /home/wk/s/libgcrypt/cipher/hash-common.c:108:0
      - null pointer dereference

Signed-off-by: Werner Koch <wk@gnupg.org>
Fix in-place encryption for OCB mode
Jussi Kivilinna [Sat, 28 Feb 2015 16:04:34 +0000 (18:04 +0200)]

* cipher/cipher-ocb.c (ocb_checksum): New.
(ocb_crypt): Move checksum calculation outside main crypt loop, do
checksum calculation for encryption before inbuf is overwritten.
* tests/basic.c (check_ocb_cipher): Rename to ...
(do_check_ocb_cipher): ... to this and add argument for testing
in-place encryption/decryption.
(check_ocb_cipher): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
tests: fix t-sexp.c.
NIIBE Yutaka [Fri, 27 Feb 2015 08:24:49 +0000 (17:24 +0900)]

* tests/t-sexp.c (bug_1594): Free N and PUBKEY.

mpi: Avoid data-dependent timing variations in mpi_powm.
NIIBE Yutaka [Thu, 26 Feb 2015 12:07:01 +0000 (21:07 +0900)]

* mpi/mpi-pow.c (mpi_powm): Access all data in the table by
mpi_set_cond.

--

Access to the precomputed table was indexed by a portion of EXPO,
which could be mounted by a side channel attack.  This change fixes
this particular data-dependent access pattern.

Cherry-picked from commit 5e72b6c76ebee720f69b8a5c212f52d38eb50287
in LIBGCRYPT-1-6-BRANCH.

mpi: Revise mpi_powm.
NIIBE Yutaka [Wed, 11 Feb 2015 13:30:02 +0000 (22:30 +0900)]

* mpi/mpi-pow.c (_gcry_mpi_powm): Rename the table to PRECOMP.

--

The name of precomputed table was b_2i3 which stands for BASE^(2*I+3).
But it's too cryptic, so, it's renamed.  Besides, we needed to
distinguish the case of I==0, that was not good.  Since it's OK to
increase the size of table by one, it's BASE^(2*I+1), now.

cipher: Use ciphertext blinding for Elgamal decryption.
Werner Koch [Mon, 23 Feb 2015 10:39:58 +0000 (11:39 +0100)]

* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
--

CVE-id: CVE-2014-3591

As a countermeasure to new side-channel attacks on sliding windows
exponentiation we blind the ciphertext for Elgamal decryption.  This
is similar to what we are doing with RSA. This patch is a backport of
the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b.

Unfortunately, the performance impact of Elgamal blinding is quite
noticeable (i5-2410M CPU @ 2.30GHz TP 220):

  Algorithm         generate  100*priv  100*public
  ------------------------------------------------
  ELG 1024 bit             -     100ms        90ms
  ELG 2048 bit             -     330ms       350ms
  ELG 3072 bit             -     660ms       790ms

  Algorithm         generate  100*priv  100*public
  ------------------------------------------------
  ELG 1024 bit             -     150ms        90ms
  ELG 2048 bit             -     520ms       360ms
  ELG 3072 bit             -    1100ms       800ms

Signed-off-by: Werner Koch <wk@gnupg.org>
mpi: Add mpi_set_cond.
NIIBE Yutaka [Wed, 11 Feb 2015 12:42:22 +0000 (21:42 +0900)]

* mpi/mpiutil.c (_gcry_mpi_set_cond): New.
(_gcry_mpi_swap_cond): Fix types.
* src/mpi.h (mpi_set_cond): New.
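
The mpi_powm commit above replaces an indexed read of the precomputed table with mpi_set_cond over every entry, and this commit supplies that primitive. The following is an added example, not libgcrypt's mpi_set_cond or mpi_powm, of the same idea in miniature: a mask-based conditional copy of limb arrays, a table lookup that visits every row so the addresses touched do not depend on the secret index, and a fixed-window exponentiation that reads its table only through that lookup. Limbs are uint32_t and the exponentiation works on a single limb so the arithmetic fits in uint64_t; the selection logic is the same for multi-limb numbers. All names here are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not libgcrypt code.  Names are this example's own. */

typedef uint32_t limb_t;

/* All-ones when FLAG is 1, all-zero when 0, with no branch. */
static limb_t ct_mask(unsigned int flag)
{
  return (limb_t)0 - (limb_t)(flag & 1u);
}

/* 1 if a == b, else 0, without a data-dependent branch. */
static unsigned int ct_eq(unsigned int a, unsigned int b)
{
  uint64_t x = (uint64_t)(a ^ b);          /* zero iff equal */
  return (unsigned int)((x - 1) >> 63);    /* borrows into bit 63 only when x == 0 */
}

/* Conditional copy in the style of mpi_set_cond: DST := SRC when SET is 1,
   DST unchanged when 0; every limb is loaded and stored either way. */
void limbs_set_cond(limb_t *dst, const limb_t *src, size_t n, unsigned int set)
{
  limb_t m = ct_mask(set);
  size_t i;
  for (i = 0; i < n; i++)
    dst[i] = (src[i] & m) | (dst[i] & ~m);
}

/* OUT := TABLE[IDX], visiting all ENTRIES rows of N limbs so that the
   sequence of addresses touched is independent of IDX. */
void limbs_table_select(limb_t *out, const limb_t *table,
                        size_t entries, size_t n, unsigned int idx)
{
  size_t k;
  memset(out, 0, n * sizeof *out);
  for (k = 0; k < entries; k++)
    limbs_set_cond(out, table + k * n, n, ct_eq((unsigned int)k, idx));
}

static limb_t mulm(limb_t a, limb_t b, limb_t m)
{
  return (limb_t)(((uint64_t)a * b) % m);
}

/* Fixed 2-bit-window modular exponentiation over one limb.  The table of
   base^0..base^3 is read only through limbs_table_select, and the same
   number of squarings and multiplications happens for every exponent, so
   neither the memory access pattern nor the operation count depends on
   the window values.  (The % reduction itself is not constant-time here;
   a real implementation uses Montgomery arithmetic.) */
limb_t ct_powm(limb_t base, limb_t exp, limb_t mod)
{
  limb_t table[4], t, result = 1 % mod;
  int i;
  table[0] = 1 % mod;
  table[1] = base % mod;
  table[2] = mulm(table[1], table[1], mod);
  table[3] = mulm(table[2], table[1], mod);
  for (i = 30; i >= 0; i -= 2)
    {
      unsigned int w = (exp >> i) & 3u;
      result = mulm(result, result, mod);
      result = mulm(result, result, mod);
      limbs_table_select(&t, table, 4, 1, w);   /* never table[w] directly */
      result = mulm(result, t, mod);
    }
  return result;
}

/* Plain square-and-multiply, for comparison only (leaks through branches). */
limb_t naive_powm(limb_t base, limb_t exp, limb_t mod)
{
  uint64_t r = 1 % mod, b = base % mod;
  while (exp)
    {
      if (exp & 1)
        r = (r * b) % mod;
      b = (b * b) % mod;
      exp >>= 1;
    }
  return (limb_t)r;
}

/* Constructed demo table for the two-limb selection check below. */
static const limb_t demo_table[4][2] = { {1, 10}, {2, 20}, {3, 30}, {4, 40} };

limb_t demo_select_limb(unsigned int idx, unsigned int which)
{
  limb_t out[2];
  limbs_table_select(out, &demo_table[0][0], 4, 2, idx);
  return out[which];
}
```

The check value 4^13 mod 497 = 445 is the classic small exponentiation example; what the test cannot show is the access pattern itself, which is the property being bought, so such code should additionally be inspected with a cache-simulation or valgrind-style tool before it is trusted.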

w32: Use -static-libgcc to avoid linking to libgcc_s_sjlj-1.dll.
Werner Koch [Fri, 30 Jan 2015 15:58:02 +0000 (16:58 +0100)]

* src/Makefile.am (extra_ltoptions): New.
(libgcrypt_la_LDFLAGS): Use it.
--

Since gcc 4.8 there is a regression in that plain C programs may link
to libgcc_s.a which has a dependency on libgcc_s_sjlj.dll.  This is
for example triggered by using long long arithmetic on a 32 bit
Windows (e.g. symbol __udivdi3).

As usual the gcc maintainers don't care about backward compatibility
and declare that as some kind of compatibility fix and not as
regression from 4.7 and all earlier versions.

Signed-off-by: Werner Koch <wk@gnupg.org>
Fix building of GOST s-boxes when cross-compiling.
Werner Koch [Wed, 28 Jan 2015 14:13:50 +0000 (15:13 +0100)]

* cipher/Makefile.am (gost-s-box): Use CC_FOR_BUILD.
(noinst_PROGRAMS): Remove.
(EXTRA_DIST): New.
(CLEANFILES): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
rijndael: fix wrong ifdef for SSSE3 setkey
Jussi Kivilinna [Tue, 20 Jan 2015 16:54:13 +0000 (18:54 +0200)]

* cipher/rijndael.c (do_setkey): Use USE_SSSE3 instead of USE_AESNI
around SSSE3 setkey selection.
--

Reported-by: Richard H Lee <ricardohenrylee@gmail.com>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add OCB cipher mode
Werner Koch [Fri, 16 Jan 2015 13:55:03 +0000 (14:55 +0100)]

* cipher/cipher-ocb.c: New.
* cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-ocb.c
* cipher/cipher-internal.h (OCB_BLOCK_LEN, OCB_L_TABLE_SIZE): New.
(gcry_cipher_handle): Add fields marks.finalize and u_mode.ocb.
* cipher/cipher.c (_gcry_cipher_open_internal): Add OCB mode.
(_gcry_cipher_open_internal): Setup default taglen of OCB.
(cipher_reset): Clear OCB specific data.
(cipher_encrypt, cipher_decrypt, _gcry_cipher_authenticate)
(_gcry_cipher_gettag, _gcry_cipher_checktag): Call OCB functions.
(_gcry_cipher_setiv): Add OCB specific nonce setting.
(_gcry_cipher_ctl): Add GCRYCTL_FINALIZE and GCRYCTL_SET_TAGLEN

* src/gcrypt.h.in (GCRYCTL_SET_TAGLEN): New.
(gcry_cipher_final): New.

* cipher/bufhelp.h (buf_xor_1): New.

* tests/basic.c (hex2buffer): New.
(check_ocb_cipher): New.
(main): Call it here.  Add option --cipher-modes.
* tests/bench-slope.c (bench_aead_encrypt_do_bench): Call
gcry_cipher_final.
(bench_aead_decrypt_do_bench): Ditto.
(bench_aead_authenticate_do_bench): Ditto.  Check error code.
(bench_ocb_encrypt_do_bench): New.
(bench_ocb_decrypt_do_bench): New.
(bench_ocb_authenticate_do_bench): New.
(ocb_encrypt_ops): New.
(ocb_decrypt_ops): New.
(ocb_authenticate_ops): New.
(cipher_modes): Add them.
(cipher_bench_one): Skip wrong block length for OCB.
* tests/benchmark.c (cipher_bench): Add field noncelen to MODES.  Add
OCB support.

--

See the comments on top of cipher/cipher-ocb.c for the patent status
of the OCB mode.

The implementation has not yet been optimized and as such is not faster
than the other AEAD modes.  A first candidate for optimization is the
double_block function.  Large improvements can be expected by writing
an AES ECB function to work on multiple blocks.

Signed-off-by: Werner Koch <wk@gnupg.org>
Add functions to count trailing zero bits in a word.
Werner Koch [Thu, 15 Jan 2015 09:04:43 +0000 (10:04 +0100)]

* cipher/bithelp.h (_gcry_ctz, _gcry_ctz64): New.
* configure.ac (HAVE_BUILTIN_CTZ): Add new test.
--

Note that these functions return the number of bits in the word when
passing 0.

Signed-off-by: Werner Koch <wk@gnupg.org>
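The OCB commit above names double_block as the first optimization candidate, and this commit adds the trailing-zero count that OCB's offset schedule uses to pick an L value for each block. The following is an added example, not libgcrypt's cipher-ocb.c or bithelp.h, of those two primitives as specified in RFC 7253: doubling in GF(2^128), a ctz that returns the word width for 0 (the convention noted above), the derivation L_i = double(L_{i-1}), and the per-block offset update Offset_i = Offset_{i-1} xor L_{ntz(i)}. The value L_* = E_K(0^128), which a real implementation computes with the block cipher, is supplied by the caller; the sample value used in the self-test is constructed, not a real cipher output. Names are this example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not libgcrypt code.  Names are this example's own. */

#define OCB_BLOCK_LEN 16

/* Trailing zero bits of X; 32 (the word width) when X is 0. */
unsigned int ctz32(uint32_t x)
{
  if (x == 0)
    return 32;
#if defined(__GNUC__)
  return (unsigned int)__builtin_ctz(x);
#else
  {
    unsigned int n = 0;
    while (!(x & 1u)) { x >>= 1; n++; }
    return n;
  }
#endif
}

/* OUT = 2*IN in GF(2^128): shift the big-endian block left by one bit and,
   if a one bit fell out, xor in the reduction constant 0x87.  The constant
   is applied through a mask rather than a branch so timing does not reveal
   the top bit.  IN and OUT may be the same buffer. */
void double_block(unsigned char out[OCB_BLOCK_LEN],
                  const unsigned char in[OCB_BLOCK_LEN])
{
  unsigned char mask = (unsigned char)(0u - (in[0] >> 7));
  int i;
  for (i = 0; i < OCB_BLOCK_LEN - 1; i++)
    out[i] = (unsigned char)((in[i] << 1) | (in[i + 1] >> 7));
  out[OCB_BLOCK_LEN - 1] =
    (unsigned char)((in[OCB_BLOCK_LEN - 1] << 1) ^ (mask & 0x87));
}

/* Derive L_$ and L_0 .. L_{N-1} from L_* = E_K(0^128). */
void ocb_setup_l(const unsigned char l_star[OCB_BLOCK_LEN],
                 unsigned char l_dollar[OCB_BLOCK_LEN],
                 unsigned char l[][OCB_BLOCK_LEN], unsigned int n)
{
  unsigned int i;
  double_block(l_dollar, l_star);
  if (n)
    double_block(l[0], l_dollar);
  for (i = 1; i < n; i++)
    double_block(l[i], l[i - 1]);
}

/* Offset_i = Offset_{i-1} xor L_{ntz(i)} for 1-based block number I.
   Returns 0 if the caller's L table is too short for this block number. */
int ocb_next_offset(unsigned char offset[OCB_BLOCK_LEN],
                    unsigned char l[][OCB_BLOCK_LEN], unsigned int n_l, uint32_t i)
{
  unsigned int k = ctz32(i), j;
  if (k >= n_l)
    return 0;
  for (j = 0; j < OCB_BLOCK_LEN; j++)
    offset[j] ^= l[k][j];
  return 1;
}

/* 1 if the primitives behave as RFC 7253 requires on known inputs. */
int ocb_selftest(void)
{
  /* Constructed stand-in for E_K(0^128); not a real cipher output. */
  static const unsigned char l_star[OCB_BLOCK_LEN] = { 0x80 };
  unsigned char l_dollar[OCB_BLOCK_LEN], l[4][OCB_BLOCK_LEN];
  unsigned char one[OCB_BLOCK_LEN] = { 0 }, two[OCB_BLOCK_LEN], offset[OCB_BLOCK_LEN];
  unsigned int i;

  ocb_setup_l(l_star, l_dollar, l, 4);
  /* 0x80 00..00 doubled: the top bit falls out, leaving 00..00 87. */
  if (l_dollar[0] != 0 || l_dollar[OCB_BLOCK_LEN - 1] != 0x87)
    return 0;
  for (i = 1; i < OCB_BLOCK_LEN - 1; i++)
    if (l_dollar[i] != 0)
      return 0;
  /* Doubling without carry is a plain shift: 1 -> 2, also in place. */
  one[OCB_BLOCK_LEN - 1] = 1;
  double_block(two, one);
  double_block(one, one);
  if (two[OCB_BLOCK_LEN - 1] != 2 || memcmp(one, two, OCB_BLOCK_LEN) != 0)
    return 0;
  /* Blocks 1..3 from a zero offset use L_0, L_1, L_0: the net result is L_1. */
  memset(offset, 0, OCB_BLOCK_LEN);
  for (i = 1; i <= 3; i++)
    if (!ocb_next_offset(offset, l, 4, i))
      return 0;
  return memcmp(offset, l[1], OCB_BLOCK_LEN) == 0;
}
```

The ctz(0) convention matters at the call site: block numbers start at 1, so ntz is never asked about 0 in the offset loop, but any other caller that passes 0 must expect the word width rather than an undefined result.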
Re-indent types.h for easier reading.
Werner Koch [Thu, 15 Jan 2015 09:02:28 +0000 (10:02 +0100)]

--

cipher: Prepare for OCB mode.
Werner Koch [Thu, 8 Jan 2015 08:07:09 +0000 (09:07 +0100)]

* src/gcrypt.h.in (GCRY_CIPHER_MODE_OCB): New.
--

This is merely a claim that I am working on OCB mode.

Make make distcheck work again.
Werner Koch [Tue, 6 Jan 2015 19:30:37 +0000 (20:30 +0100)]

* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-ciphers.
* cipher/Makefile.am (DISTCLEANFILES): Add gost-sb.h.

Remove the old Manifest files
Werner Koch [Tue, 6 Jan 2015 17:54:24 +0000 (18:54 +0100)]

--

The Manifest files have been part of an experiment a long time ago to
implement source level integrity.  They have not been maintained for more
than a decade and with the advent of git this is superfluous anyway.

stribog: Reduce table size to the needed one.
Dmitry Eremin-Solenikov [Sun, 28 Dec 2014 09:15:33 +0000 (12:15 +0300)]

* cipher/stribog.c (C16): Avoid allocating superfluous space.

--

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
gostr3411-94: Fix the iteration count for length filling loop.
Dmitry Eremin-Solenikov [Sun, 28 Dec 2014 09:05:43 +0000 (12:05 +0300)]

* cipher/gostr3411-94.c (gost3411_final): Fix loop
--

The maximum iteration count for filling the l (bit length) array was
incorrectly set to 32 (missed that in u8->u32 refactoring). This was
not resulting in stack corruption, since nblocks variable would be
exhausted earlier compared to 8 32-bit values (the size of the array).

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>