libgcrypt.git
2 years ago  cipher: Assign OIDs to the Serpent cipher.
Werner Koch [Tue, 14 Jun 2016 13:53:10 +0000 (15:53 +0200)]
cipher: Assign OIDs to the Serpent cipher.

* cipher/serpent.c (serpent128_oids, serpent192_oids)
(serpent256_oids): New. Add them to the specs below.
(serpent128_aliases): Add "SERPENT-128".
(serpent256_aliases, serpent192_aliases): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  rsa: Implement blinding also for signing.
Werner Koch [Fri, 3 Jun 2016 13:42:53 +0000 (15:42 +0200)]
rsa: Implement blinding also for signing.

* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
(secret_blinded): new.
(rsa_sign): Use blinding by default.
--

Although blinding of the RSA sign operation has a noticeable speed
loss, we better be on the safe side by using it by default.

Signed-off-by: Werner Koch <wk@gnupg.org>
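The blinding transform this commit applies to signing, shown on a toy key as an added example (this is not libgcrypt's rsa.c; the key p = 61, q = 53, n = 3233, e = 17, d = 2753 and the function names are constructed for illustration). The point is that the private exponentiation never runs on the caller's message directly: it runs on m * r^e for a random r, and the factor r is divided out of the result afterwards, so the secret-dependent operation sees an input the caller cannot predict.

```c
#include <stdint.h>

/* Toy RSA key, constructed for this example only (p = 61, q = 53):
   n = 3233, e = 17, d = 2753.  Real keys are 2048-bit MPIs, but the
   blinding algebra below is the same. */
#define TOY_N 3233u
#define TOY_E 17u
#define TOY_D 2753u

/* Square-and-multiply; TOY_N is small enough that a*b fits in 64 bits. */
static uint64_t modpow (uint64_t base, uint64_t exp, uint64_t mod)
{
  uint64_t result = 1;
  base %= mod;
  while (exp)
    {
      if (exp & 1)
        result = (result * base) % mod;
      base = (base * base) % mod;
      exp >>= 1;
    }
  return result;
}

/* Modular inverse by the extended Euclidean algorithm.
   Returns 0 when A has no inverse modulo MOD. */
static uint64_t modinv (uint64_t a, uint64_t mod)
{
  int64_t t = 0, newt = 1;
  int64_t r = (int64_t)mod, newr = (int64_t)(a % mod);
  while (newr)
    {
      int64_t q = r / newr, tmp;
      tmp = t - q * newt;  t = newt;  newt = tmp;
      tmp = r - q * newr;  r = newr;  newr = tmp;
    }
  if (r != 1)
    return 0;
  return (uint64_t)(t < 0 ? t + (int64_t)mod : t);
}

/* Unblinded private-key operation: the exponentiation runs directly on
   the caller-supplied message M, so its timing is a function of M. */
uint64_t rsa_sign_plain (uint64_t m)
{
  return modpow (m, TOY_D, TOY_N);
}

/* Blinded private-key operation, the structure rsa_sign now shares with
   rsa_decrypt: exponentiate m * r^e for a random r instead of m, then
   strip the factor r from the result.  R must be coprime to n; a real
   implementation draws it from the CSPRNG and retries otherwise. */
uint64_t rsa_sign_blinded (uint64_t m, uint64_t r)
{
  uint64_t r_inv = modinv (r, TOY_N);
  if (!r_inv)
    return 0;                                   /* unusable r: caller retries */
  uint64_t r_e = modpow (r, TOY_E, TOY_N);      /* r^e mod n               */
  uint64_t m_blind = (m * r_e) % TOY_N;         /* m' = m * r^e mod n      */
  uint64_t s_blind = modpow (m_blind, TOY_D, TOY_N);  /* m'^d = m^d * r    */
  return (s_blind * r_inv) % TOY_N;             /* s = m'^d * r^-1 mod n   */
}
```

The extra cost the commit accepts is the two additional exponentiations (r^e and, in a real implementation, the inverse), which is why blinding was previously reserved for decryption.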
2 years ago  random: Remove debug output for getrandom(2) output.
Werner Koch [Fri, 3 Jun 2016 13:15:36 +0000 (15:15 +0200)]
random: Remove debug output for getrandom(2) output.

* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
output.
--

Fixes-commit: ee5a32226a7ca4ab067864e06623fc11a1768900
Signed-off-by: Werner Koch <wk@gnupg.org>
2 years ago  Fix gcc portability on Solaris 9 SPARC boxes.
Werner Koch [Mon, 7 Sep 2015 13:38:04 +0000 (15:38 +0200)]
Fix gcc portability on Solaris 9 SPARC boxes.

* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
--

This patch has been in use by pkgsrc for
  SunOS mentok 5.9 Generic_117171-02 sun4u sparc SUNW,Sun-Fire-V240
since 2004.

GnuPG-bug-id: 1703
Signed-off-by: Werner Koch <wk@gnupg.org>
[cherry-pick of commit d281624]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2 years ago  Check for compiler SSE4.1 support in PCLMUL CRC code.
Jérémie Courrèges-Anglas [Mon, 9 May 2016 02:04:59 +0000 (04:04 +0200)]
Check for compiler SSE4.1 support in PCLMUL CRC code.

* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
  compiler supports PCLMUL *and* SSE4.1
* cipher/crc.c: Ditto
* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.
--
Fixes build with the native gcc on OpenBSD/amd64, which supports PCLMUL
but not SSE4.1.

Signed-off-by: Jérémie Courrèges-Anglas <jca@wxcvbn.org>
2 years ago  ecc: Fix ecc_verify for cofactor support.
NIIBE Yutaka [Fri, 6 May 2016 04:21:17 +0000 (13:21 +0900)]
ecc: Fix ecc_verify for cofactor support.

* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

--

Thanks to onitake.
GnuPG-bug-id: 2347
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 years ago  random: Try to use getrandom() instead of /dev/urandom (Linux only).
Werner Koch [Tue, 26 Apr 2016 13:46:30 +0000 (15:46 +0200)]
random: Try to use getrandom() instead of /dev/urandom (Linux only).

* configure.ac: Check for syscall.
* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
(_gcry_rndlinux_gather_random): Use getrandom if available.

Signed-off-by: Werner Koch <wk@gnupg.org>
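The gathering pattern this commit introduces, as an added example rather than libgcrypt's rndlinux.c: call getrandom(2) through syscall(2) when the headers provide SYS_getrandom, and fall back to /dev/urandom when the running kernel reports ENOSYS or on non-Linux systems. The function name and the 64-byte self-check are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#ifdef __linux__
# include <sys/syscall.h>
#endif

/* Fill BUF with LEN bytes of kernel randomness.  On Linux use
   getrandom(2) through syscall(2), as rndlinux.c does when HAVE_SYSCALL
   is set; fall back to /dev/urandom on kernels that do not implement it
   (ENOSYS) or on other systems.  Returns 1 on success, 0 on failure.
   Example code, not libgcrypt's. */
int gather_random (unsigned char *buf, size_t len)
{
  size_t got = 0;

#if defined(__linux__) && defined(SYS_getrandom)
  while (got < len)
    {
      long n = syscall (SYS_getrandom, buf + got, len - got, 0);
      if (n < 0)
        {
          if (errno == EINTR)
            continue;                   /* signal: retry the call     */
          if (errno == ENOSYS)
            break;                      /* old kernel: use the device */
          return 0;
        }
      got += (size_t)n;
    }
  if (got == len)
    return 1;
#endif

  /* Device fallback.  O_CLOEXEC keeps the descriptor out of children. */
  int fd = open ("/dev/urandom", O_RDONLY | O_CLOEXEC);
  if (fd < 0)
    return 0;
  while (got < len)
    {
      ssize_t n = read (fd, buf + got, len - got);
      if (n < 0 && errno == EINTR)
        continue;
      if (n <= 0)
        break;                          /* EOF or hard error */
      got += (size_t)n;
    }
  close (fd);
  return got == len;
}

/* Self-check: 64 bytes were obtained and they are not all identical. */
int gather_random_selftest (void)
{
  unsigned char buf[64];
  if (!gather_random (buf, sizeof buf))
    return 0;
  for (size_t i = 1; i < sizeof buf; i++)
    if (buf[i] != buf[0])
      return 1;
  return 0;
}
```

Short reads are looped over in both paths, since neither getrandom(2) nor read(2) guarantees the full count in one call, and a partial buffer must never be reported as success.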
3 years ago  asm fix for older gcc versions.
Werner Koch [Tue, 19 Apr 2016 18:05:07 +0000 (20:05 +0200)]
asm fix for older gcc versions.

* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
asm statements.
--

gcc 4.2 is not able to grok a third colon without clobber
expressions.  Reported for FreeBSD 9.

GnuPG-bug-id: 2326
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  Post release updates.
Werner Koch [Fri, 15 Apr 2016 14:06:04 +0000 (16:06 +0200)]
Post release updates.

--

3 years ago  Release 1.7.0  [tag: libgcrypt-1.7.0]
Werner Koch [Fri, 15 Apr 2016 13:48:24 +0000 (15:48 +0200)]
Release 1.7.0

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  tests: Add test vectors for 256 GiB test of SHA3-256.
Werner Koch [Thu, 14 Apr 2016 14:32:04 +0000 (16:32 +0200)]
tests: Add test vectors for 256 GiB test of SHA3-256.

* tests/hashtest.c: Add new test vectors.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  src: Improve S-expression parsing.
Justus Winter [Thu, 14 Apr 2016 11:53:55 +0000 (13:53 +0200)]
src: Improve S-expression parsing.

* src/sexp.c (do_vsexp_sscan): Return an error if a closing
parenthesis is encountered with no matching opening parenthesis.

Signed-off-by: Justus Winter <justus@g10code.com>
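The check this commit adds to do_vsexp_sscan, shown as an added stand-alone balance checker (not libgcrypt's sexp.c; the function and result names are constructed). It walks an S-expression, skips length-prefixed verbatim tokens so a ')' inside a string is not mistaken for structure, and rejects a closing parenthesis that has no matching open one instead of letting the depth go negative.

```c
#include <stddef.h>
#include <string.h>

/* Result codes for this example (libgcrypt reports gpg_error_t values). */
enum sexp_check
  {
    SEXP_OK = 0,
    SEXP_ERR_UNMATCHED_CLOSE,   /* ')' with no open '('                */
    SEXP_ERR_UNCLOSED           /* input ended inside a list or token  */
  };

/* Verify that the parentheses of an S-expression balance.  Verbatim
   tokens of the form "<len>:<bytes>" are skipped by length, so a ')'
   inside a string does not count as a closing parenthesis. */
enum sexp_check sexp_check_balance (const char *s, size_t len)
{
  size_t i = 0;
  int depth = 0;

  while (i < len)
    {
      char c = s[i];

      if (c >= '0' && c <= '9')
        {
          size_t n = 0;
          while (i < len && s[i] >= '0' && s[i] <= '9')
            {
              n = n * 10 + (size_t)(s[i++] - '0');
              if (n > len)
                return SEXP_ERR_UNCLOSED;      /* absurd length, no overflow */
            }
          if (i < len && s[i] == ':')
            {
              i++;
              if (n > len - i)
                return SEXP_ERR_UNCLOSED;      /* token runs past the input  */
              i += n;                          /* skip the raw bytes         */
            }
          continue;
        }

      if (c == '(')
        depth++;
      else if (c == ')')
        {
          if (depth == 0)
            return SEXP_ERR_UNMATCHED_CLOSE;   /* the case the commit rejects */
          depth--;
        }
      i++;
    }

  return depth == 0 ? SEXP_OK : SEXP_ERR_UNCLOSED;
}

/* Convenience wrapper for NUL-terminated input. */
enum sexp_check sexp_check_balance_str (const char *s)
{
  return sexp_check_balance (s, strlen (s));
}
```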
3 years ago  cipher: Add constant for 8 bit CFB mode.
Werner Koch [Thu, 14 Apr 2016 12:39:31 +0000 (14:39 +0200)]
cipher: Add constant for 8 bit CFB mode.

* src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
* tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.
--

Note that there is no implementation for the 8 bit CFB mode yet.  We
will add that as a bug fix after the release of 1.7.0.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  tests: Add a new test for S-expressions.
Werner Koch [Thu, 14 Apr 2016 11:26:55 +0000 (13:26 +0200)]
tests: Add a new test for S-expressions.

* tests/t-sexp.c (compare_to_canon): New.
(back_and_forth_one): Add another test.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  ecc: Fix corner cases for X25519.
NIIBE Yutaka [Wed, 13 Apr 2016 01:10:53 +0000 (10:10 +0900)]
ecc: Fix corner cases for X25519.

* cipher/ecc.c (ecc_encrypt_raw): For invalid input, returns
GPG_ERR_INV_DATA instead of aborting with log_fatal.  For X25519,
it's not an error, thus, let it return 0.
(ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish
X25519, not by the name of the curve.
(ecc_decrypt_raw): For invalid input, returns GPG_ERR_INV_DATA instead
of aborting with log_fatal.  For X25519, it's not an error by its
definition, but we deliberately let it return the error to detect
looks-like-encrypted-message.
* tests/t-cv25519.c: Add points to record the issue.

--

For X25519 ECDH, this change introduces an incompatibility with
crypto_scalarmult for an input which makes the shared secret 0.
For crypto_scalarmult, the result is 0.  In libgcrypt, it's an error
of GPG_ERR_INV_DATA (we consider the input invalid).

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago  cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
Werner Koch [Tue, 12 Apr 2016 09:11:35 +0000 (11:11 +0200)]
cipher: Buffer data from gcry_cipher_authenticate in OCB mode.

* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
aad_leftover and aad_nleftover to u_mode.ocb.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
aad_nleftover.
(_gcry_cipher_ocb_authenticate): Add buffering and factor some code out
to ...
(ocb_aad_finalize): new.
(compute_tag_if_needed): Call new function.
* tests/basic.c (check_ocb_cipher_splitaad): New.
(check_ocb_cipher): Call new function.
(main): Also call check_cipher_modes with --ciper-modes.
--

It is more convenient to not require full blocks for
gcry_cipher_authenticate.  Other modes than OCB do this as well.

Note that the size of the context structure is not increased because
other modes require more context data.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  ecc: Fix X25519 computation on Curve25519.
NIIBE Yutaka [Tue, 12 Apr 2016 00:58:12 +0000 (09:58 +0900)]
ecc: Fix X25519 computation on Curve25519.

* cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
PUBKEY_FLAG_DJB_TWEAK is enabled.
(ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
* tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.

--

X25519 function is not a plain scalar multiplication, but does
two things; the scalar bits are tweaked before applying scalar
multiplication and X0 function is applied to the result of
scalar multiplication.

In libgcrypt, _gcry_mpi_ec_mul_point is a plain scalar multiplication
and those two things are done in functions for ECDH with X25519.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
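The two X25519 details discussed in this commit and in the "Fix corner cases for X25519" commit above, as an added example that is not libgcrypt's ecc.c: the scalar bit tweak that PUBKEY_FLAG_DJB_TWEAK enables (RFC 7748 decodeScalar25519), and the all-zero shared-secret check behind the GPG_ERR_INV_DATA return. Function names and the self-check inputs are constructed for this example; the scalar multiplication itself is not reimplemented here.

```c
#include <stdint.h>
#include <string.h>

/* Scalar tweak applied before the Montgomery ladder (RFC 7748,
   decodeScalar25519), the "tweak of bits" PUBKEY_FLAG_DJB_TWEAK turns on:
   clear the three low bits (multiple of the cofactor 8), clear bit 255,
   set bit 254.  K is a 32 byte little-endian scalar, modified in place. */
void x25519_clamp (uint8_t k[32])
{
  k[0]  &= 248;
  k[31] &= 127;
  k[31] |= 64;
}

/* Zero-output check from the corner-case commit: when the peer's point
   has low order the shared secret comes out all zero.  crypto_scalarmult
   returns that zero; libgcrypt's ecc_decrypt_raw returns GPG_ERR_INV_DATA
   instead.  Returns 1 if the secret is usable, 0 if it must be rejected.
   Written without a data-dependent early exit. */
int x25519_shared_secret_ok (const uint8_t out[32])
{
  uint8_t acc = 0;
  for (int i = 0; i < 32; i++)
    acc |= out[i];
  return acc != 0;
}

/* Self-check on constructed inputs: an all-0xff scalar clamps to
   f8 ff .. ff 7f, an all-zero scalar to 00 .. 00 40, and the all-zero
   shared secret is rejected while a non-zero one passes. */
int x25519_selftest (void)
{
  uint8_t k[32], zero[32], nz[32];

  memset (k, 0xff, sizeof k);
  x25519_clamp (k);
  if (k[0] != 0xf8 || k[1] != 0xff || k[31] != 0x7f)
    return 0;

  memset (k, 0x00, sizeof k);
  x25519_clamp (k);
  if (k[0] != 0x00 || k[31] != 0x40)
    return 0;

  memset (zero, 0, sizeof zero);
  memset (nz, 0, sizeof nz);
  nz[17] = 0x01;
  if (x25519_shared_secret_ok (zero) || !x25519_shared_secret_ok (nz))
    return 0;
  return 1;
}
```

Rejecting the zero secret is the defensive choice the commit message argues for: a peer that sends a low-order point learns nothing from a failed operation, whereas a zero shared key silently derives predictable session keys.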
3 years ago  ecc: Fix initialization of EC context.
NIIBE Yutaka [Tue, 12 Apr 2016 00:19:32 +0000 (09:19 +0900)]
ecc: Fix initialization of EC context.

* cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
(ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialization
by _gcry_mpi_ec_p_internal_new should carry FLAGS.

--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago  Silence warning about missing HMAC-SHA3 selftests.
Werner Koch [Thu, 7 Apr 2016 07:21:44 +0000 (09:21 +0200)]
Silence warning about missing HMAC-SHA3 selftests.

--

We do not have a reliable source for test vectors.

3 years ago  Allow building with configure option --enable-hmac-binary-check.
Werner Koch [Wed, 6 Apr 2016 18:16:19 +0000 (20:16 +0200)]
Allow building with configure option --enable-hmac-binary-check.

* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
* src/hmac256.c (main): Add option --stdkey
--

Note that when using that configure option "make check" won't work in
one go.  Instead use

  make
  cd src/.libs
  ../hmac256  --stdkey '' libgcrypt.so.20 >.libgcrypt.so.20.hmac
  cd ../..
  make check

Reported-by: Burt Silverman
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  ecc: Positive values in computation.
NIIBE Yutaka [Wed, 6 Apr 2016 09:05:38 +0000 (18:05 +0900)]
ecc: Positive values in computation.

* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
coefficients A and B are positive.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
"P - T" instead of "-T", so that the result will be positive.
(_gcry_ecc_eddsa_verify): Likewise.
* cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve
instead of _gcry_ecc_update_curve_param.
* mpi/ec.c (ec_subm): Make sure the result will be positive.
(dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use
mpi_sub instead of mpi_neg.
(add_points_edwards): Simply use ec_addm.
* tests/t-mpi-point.c (test_curve): Define curves with positive
coefficients.

--

We keep the coefficients of domain_parms in ecc-curves.c, so that
keygrip computations won't change.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago  mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
Werner Koch [Fri, 1 Apr 2016 11:42:01 +0000 (13:42 +0200)]
mpi: Explicitly limit the allowed input length for gcry_mpi_scan.

* mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
(mpi_fromstr): Check against this limit.
(_gcry_mpi_scan): Ditto.
* tests/mpitests.c (test_maxsize): New.
(main): Call that test.
--

A too large buffer length may lead to an unsigned integer overflow on
systems where size_t > unsigned int (ie. 64 bit systems).  The
computation of the required number of nlimbs may also be affected by
this.  However this is not a real world case because any processing
which has allocated such a long buffer from an external source would
be prone to other DoS attacks: The required buffer length to exhibit
this overflow is at least 2^32 - 8 bytes.

Signed-off-by: Werner Koch <wk@gnupg.org>
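The hazard this commit closes, shown generically as an added example (not libgcrypt's mpicoder.c; the limb size, the EXAMPLE_MAX_SCAN_BYTES placeholder and the function names are assumptions for this example, and libgcrypt's MAX_EXTERN_SCAN_BYTES has its own value). The first function holds a bit count derived from a size_t length in an unsigned int, which wraps on LP64; the second refuses oversized input up front and keeps the arithmetic in size_t.

```c
#include <stddef.h>
#include <stdint.h>

/* Limb geometry assumed for this example; libgcrypt's actual limb type
   is configured at build time. */
#define BITS_PER_LIMB (8 * sizeof (unsigned long))

/* Upper bound on externally supplied input.  The value is a placeholder
   for this example; libgcrypt's MAX_EXTERN_SCAN_BYTES defines its own. */
#define EXAMPLE_MAX_SCAN_BYTES ((size_t)16 * 1024 * 1024)

/* The hazard: holding the bit count in an unsigned int.  On LP64,
   size_t is 64 bits and unsigned int 32, so BUFLEN*8 wraps silently
   once BUFLEN reaches 2^29 in this arithmetic, and any limb count
   derived from it is wrong. */
unsigned int nbits_truncated (size_t buflen)
{
  unsigned int nbits = (unsigned int)(buflen * 8);
  return nbits;
}

/* Checked variant: reject oversized input before any arithmetic on it,
   keep the bit count in size_t, then derive the limb count.
   Returns the number of limbs, or -1 when the input is refused. */
long mpi_scan_nlimbs (size_t buflen)
{
  if (buflen > EXAMPLE_MAX_SCAN_BYTES)
    return -1;
  size_t nbits = buflen * 8;                       /* cannot wrap now */
  return (long)((nbits + BITS_PER_LIMB - 1) / BITS_PER_LIMB);
}
```

As the commit message notes, a caller that already holds gigabytes of untrusted input has other problems; the explicit limit still matters because it turns an arithmetic corner case into a deterministic, testable error.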
3 years ago  cipher: Remove specialized rmd160 functions.
Werner Koch [Thu, 31 Mar 2016 18:16:10 +0000 (20:16 +0200)]
cipher: Remove specialized rmd160 functions.

* cipher/rmd160.c: Replace rmd.h by hash-common.h.
(RMD160_CONTEXT): Move from rmd.h to here.
(_gcry_rmd160_init): Remove.
(_gcry_rmd160_mixblock): Remove.
(_gcry_rmd160_hash_buffer): Use rmd160_init directly.
* cipher/md.c: Remove rmd.h which was not actually used.
* cipher/rmd.h: Remove.
* cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h.
* configure.ac (USE_RMD160): Allow to build without RMD160.
--

Those functions are no longer required because random-csprng.c now
uses SHA-1.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
Werner Koch [Thu, 31 Mar 2016 17:33:43 +0000 (19:33 +0200)]
random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.

* cipher/sha1.c (_gcry_sha1_mixblock_init): New.
(_gcry_sha1_mixblock): New.
* random/random-csprng.c: Include sha1.h instead of rmd.h.
(mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  cipher: Move sha1 context definition to a separate file.
Werner Koch [Thu, 31 Mar 2016 17:16:15 +0000 (19:16 +0200)]
cipher: Move sha1 context definition to a separate file.

* cipher/sha1.c: Replace hash-common.h by sha1.h.
(SHA1_CONTEXT): Move to ...
* cipher/sha1.h: new.  Always include all flags.
* cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  tests: Fix buffer overflow in bench-slope.
Werner Koch [Tue, 29 Mar 2016 10:06:25 +0000 (12:06 +0200)]
tests: Fix buffer overflow in bench-slope.

* tests/bench-slope.c (bench_print_result_std): Remove wrong use of
strncat.
--

Reported-by: Andreas Metzler <ametzler@bebt.de>
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  doc: Update for gcry_cipher_gettag and gcry_cipher_checktag.
Werner Koch [Tue, 29 Mar 2016 09:31:55 +0000 (11:31 +0200)]
doc: Update for gcry_cipher_gettag and gcry_cipher_checktag.

--

Also re-indent one label.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  cipher: GCM: check that length of supplied tag is one of valid lengths
Jussi Kivilinna [Sun, 27 Mar 2016 08:17:39 +0000 (11:17 +0300)]
cipher: GCM: check that length of supplied tag is one of valid lengths

* cipher/cipher-gcm.c (is_tag_length_valid): New.
(_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
* tests/basic.c (_check_gcm_cipher): Add test-vectors with different
valid tag lengths and negative test vectors with invalid lengths.
--

NIST SP 800-38D allows following tag lengths:
 128, 120, 112, 104, 96, 64 and 32 bits.

[v2: allow larger buffer when outputting tag. 128-bit tag is written
     to target buffer in this case]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago  cipher: Fix memleaks in (self)tests.
Peter Wu [Wed, 23 Mar 2016 17:21:53 +0000 (18:21 +0100)]
cipher: Fix memleaks in (self)tests.

* cipher/dsa.c: Release memory for MPI and sexp structures.
* cipher/ecc.c: Release memory for sexp structure.
* tests/keygen.c: Likewise.
--

These leaks broke the mpitests, basic and keygen tests when running
under AddressSanitizer.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Minor formatting changes by -wk.

3 years ago  Mark constant MPIs as non-leaked
Peter Wu [Thu, 24 Mar 2016 10:06:23 +0000 (11:06 +0100)]
Mark constant MPIs as non-leaked

* mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.
--

Requires libgpg-error 1.22 (unreleased) for the macros, but since it is
a minor debugging aid, do not bump the minimum required version.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
3 years ago  Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
Werner Koch [Wed, 23 Mar 2016 14:24:40 +0000 (15:24 +0100)]
Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.

* src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
* cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.

* tests/basic.c (_check_gcm_cipher): Check that new feature.
(_check_poly1305_cipher): Ditto.
(check_ccm_cipher): Ditto.
(do_check_ocb_cipher): Ditto.
(check_ctr_cipher): Add negative test for new feature.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  cipher: Avoid NULL-segv in GCM mode if a key has not been set.
Werner Koch [Wed, 23 Mar 2016 13:13:18 +0000 (14:13 +0100)]
cipher: Avoid NULL-segv in GCM mode if a key has not been set.

* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
has been initialized.
(_gcry_cipher_gcm_decrypt): Ditto.
(_gcry_cipher_gcm_authenticate): Ditto.
(_gcry_cipher_gcm_initiv): Ditto.
(_gcry_cipher_gcm_tag): Ditto.
--

Avoid a crash if certain functions are used before setkey.

Reported-by: Peter Wu <peter@lekensteyn.nl>
  One crash is not fixed, that is the crash when setkey is not invoked
  before using the GCM ciphers (introduced in the 1.7.0 cycle). Either
  these functions should check that the key is present, or they should
  initialize the ghash table earlier. Affected functions:

    _gcry_cipher_gcm_encrypt
    _gcry_cipher_gcm_decrypt
    _gcry_cipher_gcm_authenticate
    _gcry_cipher_gcm_initiv
    (via _gcry_cipher_gcm_setiv)
    _gcry_cipher_gcm_tag
    (via _gcry_cipher_gcm_get_tag, _gcry_cipher_gcm_check_tag)

Regression-due-to: 4a0795af021305f9240f23626a3796157db46bd7
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
Werner Koch [Wed, 23 Mar 2016 11:47:30 +0000 (12:47 +0100)]
cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.

* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
provided tag length matches the actual tag length.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  Fix buffer overrun in gettag for Poly1305
Peter Wu [Wed, 23 Mar 2016 02:45:21 +0000 (03:45 +0100)]
Fix buffer overrun in gettag for Poly1305

* cipher/cipher-poly1305.c: copy a fixed length instead of the
  user-supplied number.
--

The outbuflen is used to check the minimum size, the real tag is always
of fixed length.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
3 years ago  cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
Werner Koch [Wed, 23 Mar 2016 10:07:52 +0000 (11:07 +0100)]
cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.

* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
tag length matches the actual tag length.  Avoid gratuitous return
statements.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  Fix buffer overrun in gettag for GCM
Peter Wu [Wed, 23 Mar 2016 02:45:20 +0000 (03:45 +0100)]
Fix buffer overrun in gettag for GCM

* cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
  number.
--

The outbuflen is used to check the minimum size, the real tag is always
of fixed length.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Actually this is not a buffer overrun because we copy not more than
has been allocated for OUTBUF.  However a too long OUTBUFLEN accesses
data outside of the source buffer.  -wk
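The GCM tag handling that the gettag/checktag commits above and the earlier "check that length of supplied tag is one of valid lengths" commit converge on, as an added example that is not libgcrypt's cipher-gcm.c (names, return codes and the constructed tag a0..af are this example's). Three rules are combined: the tag source is always 16 bytes, so only that many bytes are ever read from it; a gettag buffer must be one of the NIST SP 800-38D lengths or larger (in which case it receives the full 128-bit tag, per the v2 note); and checktag rejects any length that is not a valid tag length before comparing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GCM_TAG_LEN 16   /* the computed tag is always one full block */

/* Return codes for this example, standing in for gpg_err_code_t. */
enum { GCM_OK = 0, GCM_ERR_INV_LENGTH, GCM_ERR_CHECKSUM };

/* Tag lengths NIST SP 800-38D allows: 128, 120, 112, 104, 96, 64 and 32 bits. */
int gcm_is_tag_length_valid (size_t taglen)
{
  switch (taglen)
    {
    case 16: case 15: case 14: case 13: case 12: case 8: case 4:
      return 1;
    default:
      return 0;
    }
}

/* gettag: copy from the 16 byte TAG, never OUTBUFLEN bytes, which is what
   the overrun fix changed.  A valid OUTBUFLEN selects the truncated tag;
   a larger buffer (v2 of the length check) receives the full 128 bits. */
int gcm_get_tag (const uint8_t tag[GCM_TAG_LEN], uint8_t *outbuf, size_t outbuflen)
{
  if (outbuflen > GCM_TAG_LEN)
    outbuflen = GCM_TAG_LEN;
  else if (!gcm_is_tag_length_valid (outbuflen))
    return GCM_ERR_INV_LENGTH;
  memcpy (outbuf, tag, outbuflen);
  return GCM_OK;
}

/* checktag: the supplied length must itself be a valid tag length, and
   the comparison touches every byte so its timing does not reveal where
   the first mismatch sits. */
int gcm_check_tag (const uint8_t tag[GCM_TAG_LEN], const uint8_t *intag, size_t intaglen)
{
  if (!gcm_is_tag_length_valid (intaglen))
    return GCM_ERR_INV_LENGTH;
  uint8_t diff = 0;
  for (size_t i = 0; i < intaglen; i++)
    diff |= tag[i] ^ intag[i];
  return diff ? GCM_ERR_CHECKSUM : GCM_OK;
}

/* Self-check on a constructed tag a0 a1 .. af. */
int gcm_tag_selftest (void)
{
  uint8_t tag[GCM_TAG_LEN], out[32];

  for (int i = 0; i < GCM_TAG_LEN; i++)
    tag[i] = (uint8_t)(0xa0 + i);
  memset (out, 0xee, sizeof out);

  if (gcm_get_tag (tag, out, 12) != GCM_OK || out[11] != 0xab || out[12] != 0xee)
    return 0;                                   /* 96-bit tag, nothing beyond */
  if (gcm_get_tag (tag, out, 32) != GCM_OK || out[15] != 0xaf || out[16] != 0xee)
    return 0;                                   /* big buffer gets 16 bytes   */
  if (gcm_get_tag (tag, out, 5) != GCM_ERR_INV_LENGTH)
    return 0;                                   /* 40 bits is not allowed     */
  if (gcm_check_tag (tag, out, 12) != GCM_OK)
    return 0;                                   /* OUT still holds the tag    */
  out[0] ^= 0x01;
  if (gcm_check_tag (tag, out, 12) != GCM_ERR_CHECKSUM)
    return 0;
  if (gcm_check_tag (tag, out, 0) != GCM_ERR_INV_LENGTH)
    return 0;
  return 1;
}
```

The same shape applies to the Poly1305 fix in this series: the tag there is likewise a fixed 16 bytes, and the user-supplied length only decides how much of it is written or compared, never how much is read.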

3 years ago  tests: Add options --fips to keygen for manual tests.
Werner Koch [Tue, 22 Mar 2016 16:49:50 +0000 (17:49 +0100)]
tests: Add options --fips to keygen for manual tests.

(main): Add option --fips.
* tests/keygen.c (check_rsa_keys): Create an 2048 bit key with e=65539
because that is valid in FIPS mode.  Check that key generation fails
for too short keys in FIPS mode.
(check_ecc_keys): Check that key generation fails for Ed25519 keys in
FIPS mode.
--

This option allows testing the FIPS mode manually for key generation.
We should eventually expand all tests to allow testing in FIPS mode in
non FIPS enabled boxes.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  rsa: Add FIPS 186-4 compliant RSA probable prime key generator.
Tomáš Mráz [Tue, 22 Mar 2016 16:12:55 +0000 (17:12 +0100)]
rsa: Add FIPS 186-4 compliant RSA probable prime key generator.

* cipher/primegen.c (_gcry_fips186_4_prime_check): New.
* cipher/rsa.c (generate_fips): New.
(rsa_generate): Use new function in fips mode or with test-parms.

* tests/keygen.c (check_rsa_keys): Add test using e=65539.

--
Signed-off-by: Tomáš Mráz <tmraz@redhat.com>
Tomáš's patch was originally for libgcrypt 1.6.3 and has been ported
to master (1.7) by wk.  Further changes:

  - ChangeLog entries.
  - Some re-indentation
  - Use an extra test case instead of changing an existing one.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  Fix ARM NEON support detection on ARMv6 target
Jussi Kivilinna [Sun, 20 Mar 2016 13:21:40 +0000 (15:21 +0200)]
Fix ARM NEON support detection on ARMv6 target

* configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
instead of '.thumb'.
--

Fix allows building ARM NEON assembly implementations when compiler
target is ARMv6. This enables NEON implementations on ARMv7+NEON CPUs
running on ARMv6 OS (for example, Raspbian on Raspberry Pi 2/3).

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago  Always require a 64 bit integer type
Werner Koch [Fri, 18 Mar 2016 17:57:19 +0000 (18:57 +0100)]
Always require a 64 bit integer type

* configure.ac (available_digests_64): Merge with available_digests.
(available_kdfs_64): Merge with available_kdfs.
<64 bit datatype test>: Bail out if no such type is available.
* src/types.h: Emit #error if no u64 can be defined.
(PROPERLY_ALIGNED_TYPE): Always add u64 type.
* cipher/bithelp.h: Remove all code paths which handle the
case of !HAVE_U64_TYPEDEF.
* cipher/bufhelp.h: Ditto.
* cipher/cipher-ccm.c: Ditto.
* cipher/cipher-gcm.c: Ditto.
* cipher/cipher-internal.h: Ditto.
* cipher/cipher.c: Ditto.
* cipher/hash-common.h: Ditto.
* cipher/md.c: Ditto.
* cipher/poly1305.c: Ditto.
* cipher/scrypt.c: Ditto.
* cipher/tiger.c: Ditto.
* src/g10lib.h: Ditto.
* tests/basic.c: Ditto.
* tests/bench-slope.c: Ditto.
* tests/benchmark.c: Ditto.
--

Given that SHA-2 and some other algorithms require a 64 bit type it
no longer makes sense to conditionally compile some part when
the platform does not provide such a type.

GnuPG-bug-id: 1815.
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  tests: Fix testsuite after the FIPS adjustments.
Vitezslav Cizek [Fri, 18 Mar 2016 16:54:36 +0000 (17:54 +0100)]
tests: Fix testsuite after the FIPS adjustments.

* tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
* tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
* tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
(check_ecc_keys): Skip Ed25519 in FIPS mode.
* tests/random.c (main): Don't switch DRBG in FIPS mode.
* tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode.
* tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS.
* tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS.
(main): Skip math tests that use P-192 and Ed25519 in FIPS.
--

Fix the testsuite to make it pass after the FIPS adjustments.
This consists mostly of disabling the tests that use not approved
curves and algorithms as well as increasing the keysizes.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Removed changes already done with commit e40939b.  The original
    patch had these changes:
      * tests/fips186-dsa.c (main): Merely suggest a future improvement.
      * tests/pubkey.c (get_dsa_key_*new): Increase keysizes.
      (check_run): Skip tests with small domain in FIPS.
      (main): Skip Ed25519 sample key test in FIPS.
    Note that get_dsa_key_fips186_with_seed_new was not changed from
    1024 to 3072 but to 2048 bit.
  - Return with 77 (skip) from t-ed25519.c in FIPS mode.
  - Some code style changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  tests: Add new --pss option to fipsdrv
Vitezslav Cizek [Fri, 30 Oct 2015 16:36:03 +0000 (17:36 +0100)]
tests: Add new --pss option to fipsdrv

* tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length
to 0 for PSS.
--

Add new --pss option to fipsdrv to specify RSA-PSS signature encoding.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Added by wk:
  - Help string for --pss
  - Check that only --pss or --pkcs1 is given.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  cipher: Add option to specify salt length for PSS verification.
Vitezslav Cizek [Fri, 30 Oct 2015 16:34:04 +0000 (17:34 +0100)]
cipher: Add option to specify salt length for PSS verification.

* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for
salt-length token.
--

Add possibility to use a different salt length for RSASSA-PSS
verification instead of the default 20.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Detect overlong salt-length
  - Release LIST on error.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  tests: Add support for RSA keygen tests to fipsdrv.
Vitezslav Cizek [Fri, 30 Oct 2015 14:41:09 +0000 (15:41 +0100)]
tests: Add support for RSA keygen tests to fipsdrv.

* tests/fipsdrv.c (run_rsa_keygen): New.
(main): Support RSA keygen and RSA keygen KAT tests.
--

In fipsdrv implement support for KeyGen_RandomProbablyPrime
and Known Answer Test for probably primes RSA2VS tests.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
3 years ago  tests: Fixes for RSA testsuite in FIPS mode
Vitezslav Cizek [Fri, 30 Oct 2015 14:38:13 +0000 (15:38 +0100)]
tests: Fixes for RSA testsuite in FIPS mode

* tests/basic.c (get_keys_new): Generate 2048 bit key.
* tests/benchmark.c (rsa_bench): Skip keys of lengths different
than 2048 and 3072 in FIPS mode.
* tests/keygen.c (check_rsa_keys): Failure if short keys can be
generated in FIPS mode.
(check_dsa_keys): Ditto for DSA keys.
* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.
--

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Remove printing of "FAIL" in fail() because this is reserved for
    use by the test driver of the Makefile.
  - Move setting of IN_FIPS_MODE after gcry_check_version in keygen.c

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  rsa: Use 2048 bit RSA keys for selftest.
Vitezslav Cizek [Fri, 30 Oct 2015 12:41:41 +0000 (13:41 +0100)]
rsa: Use 2048 bit RSA keys for selftest.

* cipher/rsa.c (selftests_rsa): Use 2048 bit keys.
(selftest_encr_1024): Replaced by selftest_encr_2048.
(selftest_sign_1024): Replaced by selftest_sign_2048.
(selftest_encr_2048): Add check against known ciphertext.
(selftest_sign_2048): Add check against known signature.
(selftest_sign_2048): Free SIG_MPI.
* tests/pubkey.c (get_keys_new): Generate 2048 bit keys.
--

Use a 2048 bit keys for RSA selftest.
Check against the known signature/ciphertext after signing/encryption
in the selftests.
Also generate 2k keys in tests/pubkey.

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Additional changes by wk:
  - Reformat some strings and comments.
  - Replace a free by xfree.
  - Free SIG_MPI.
  - Make two strings static.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  Disable non-allowed algorithms in FIPS mode
Vitezslav Cizek [Thu, 29 Oct 2015 16:13:16 +0000 (17:13 +0100)]
Disable non-allowed algorithms in FIPS mode

* cipher/cipher.c (_gcry_cipher_init),
* cipher/mac.c (_gcry_mac_init),
* cipher/md.c (_gcry_md_init),
* cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the
non-allowed ciphers.
* cipher/md5.c: Mark MD5 as not allowed in FIPS.
* src/g10lib.h (_gcry_mac_init): New.
* src/global.c (global_init): Call the new _gcry_mac_init.
* tests/basic.c (check_ciphers): Fix a typo.
--

When running in the FIPS mode, disable all the ciphers that don't have
the fips flag set.
Skip the non-allowed algos during testing in the FIPS mode.

Thanks to Ludwig Nussel.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
3 years ago  kdf: Make PBKDF2 check work on all platforms.
Werner Koch [Fri, 18 Mar 2016 14:38:26 +0000 (15:38 +0100)]
kdf: Make PBKDF2 check work on all platforms.

* cipher/kdf.c (_gcry_kdf_pkdf2): Change DKLEN to unsigned long.
--

The previous patch has no effect because on almost all platforms an
unsigned int is 32 bit and thus the 0xffffffff is anyway the largest
value.  This patch changes the variable to an unsigned long so that at
least on common 64 bit Unix systems (but not on 64 bit Windows) there
is an actual check.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  kdf: Add upper bound for derived key length in PBKDF2.
Vitezslav Cizek [Thu, 29 Oct 2015 13:00:26 +0000 (14:00 +0100)]
kdf: Add upper bound for derived key length in PBKDF2.

* cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.
--

Add a missing step 1 from PBKDF specification.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
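PBKDF2 step 1 as this commit and the follow-up "Make PBKDF2 check work on all platforms" describe it, written out as an added example (not libgcrypt's kdf.c; function names are constructed). The derived key may span at most 2^32 - 1 hash blocks because the block index is a 32-bit counter. The first function takes dkLen as uint64_t, which is wide enough everywhere, including 64-bit Windows where unsigned long is 32 bits; the second keeps the unsigned int parameter of the original patch to show why that comparison was dead code.

```c
#include <stddef.h>
#include <stdint.h>

/* Step 1 of PBKDF2 (RFC 8018, 5.2): the block index i is a 32-bit
   big-endian counter, so at most 2^32 - 1 blocks of hLen bytes can be
   produced.  DKLEN is taken as uint64_t here, which is wide enough on
   every platform, including 64-bit Windows where unsigned long is still
   32 bits.  Returns 1 if the request is acceptable. */
int pbkdf2_dklen_ok (uint64_t dklen, size_t hlen)
{
  if (hlen == 0)
    return 0;
  return dklen <= (uint64_t)0xffffffffu * (uint64_t)hlen;
}

/* The same test with DKLEN as unsigned int, the shape the first patch
   had.  An unsigned int never exceeds 0xffffffff, so for hlen >= 1 the
   comparison cannot fail: an oversize request is truncated at the call
   and waved through. */
int pbkdf2_dklen_ok_narrow (unsigned int dklen, size_t hlen)
{
  if (hlen == 0)
    return 0;
  return (uint64_t)dklen <= (uint64_t)0xffffffffu * (uint64_t)hlen;
}

/* Number of hash blocks needed once the length passed the check:
   l = ceil (dkLen / hLen), which then fits the 32-bit counter. */
uint32_t pbkdf2_block_count (uint64_t dklen, size_t hlen)
{
  return (uint32_t)((dklen + hlen - 1) / hlen);
}
```

Using a fixed-width type for dkLen rather than unsigned long is this example's choice; it removes the platform caveat the follow-up commit has to make.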
3 years ago  ecc: ECDSA adjustments for FIPS 186-4
Vitezslav Cizek [Tue, 27 Oct 2015 13:29:11 +0000 (14:29 +0100)]
ecc: ECDSA adjustments for FIPS 186-4

* cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
* cipher/ecc.c: Add ECDSA self test.
* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
in FIPS mode.
* tests/fipsdrv.c: Add support for ECDSA signatures.
--

Enable ECC in FIPS mode.
According to NIST SP 800-131A, curve P-192 and SHA-1 are disallowed
for key pair generation and signature generation after 2013.

Thanks to Jan Matejek for the patch.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Minor source code re-formatting by -wk.

3 years ago  dsa: Make regression tests work.
Werner Koch [Fri, 18 Mar 2016 14:11:31 +0000 (15:11 +0100)]
dsa: Make regression tests work.

* cipher/dsa.c (sample_secret_key_1024): Comment out unused constant.
(generate_fips186): Make it work with use-fips183-2 flag.
* cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs
standard comment out format.
* tests/fips186-dsa.c (check_dsa_gen_186_3): New dummy function.
(main): Call it.
(main): Compare against current version.
* tests/pubkey.c (get_dsa_key_fips186_new): Create 2048 bit key.
(get_dsa_key_fips186_with_seed_new): Ditto.
(get_dsa_key_fips186_with_domain_new): Comment out.
(check_run): Do not call that function.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  dsa: Adjustments to conform with FIPS 186-4.
Vitezslav Cizek [Tue, 27 Oct 2015 11:46:30 +0000 (12:46 +0100)]
dsa: Adjustments to conform with FIPS 186-4.

* cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments.
* cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect
  buflen passed to _gcry_mpi_scan.
--

Generate the DSA keypair by testing candidates. (FIPS 186-4 B.1.2)
Use 2048 bit key for the selftest.
Allow only 2048 and 3072 as pbits size.

Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
3 years ago  Register DCO for Vitezslav Cizek.
Werner Koch [Fri, 18 Mar 2016 12:05:34 +0000 (13:05 +0100)]
Register DCO for Vitezslav Cizek.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago  Update documentation for 'gcry_sexp_extract_param'.
Justus Winter [Wed, 16 Mar 2016 12:35:37 +0000 (13:35 +0100)]
Update documentation for 'gcry_sexp_extract_param'.

* doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MIPs
must be set to NULL first, and document how the function behaves in
case of errors.
* src/sexp.c (_gcry_sexp_extract_param): Likewise.
* src/gcrypt.h.in (gcry_sexp_extract_param): Copy the comment from
'_gcry_sexp_extract_param'.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years ago  cipher: Update comment.
Justus Winter [Wed, 16 Mar 2016 11:49:26 +0000 (12:49 +0100)]
cipher: Update comment.

* cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact
that a curve parameter can be given.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years ago  Add Intel PCLMUL implementations of CRC algorithms
Jussi Kivilinna [Sat, 12 Mar 2016 15:07:21 +0000 (17:07 +0200)]
Add Intel PCLMUL implementations of CRC algorithms

* cipher/Makefile.am: Add 'crc-intel-pclmul.c'.
* cipher/crc-intel-pclmul.c: New.
* cipher/crc.c (USE_INTEL_PCLMUL): New macro.
(CRC_CONTEXT) [USE_INTEL_PCLMUL]: Add 'use_pclmul'.
[USE_INTEL_PCLMUL] (_gcry_crc32_intel_pclmul)
(gcry_crc24rfc2440_intel_pclmul): New.
(crc32_init, crc32rfc1510_init, crc24rfc2440_init)
[USE_INTEL_PCLMUL]: Select PCLMUL implementation if SSE4.1 and PCLMUL
HW features detected.
(crc32_write, crc24rfc2440_write) [USE_INTEL_PCLMUL]: Use PCLMUL
implementation if enabled.
(crc24_init): Document storage format of 24-bit CRC.
(crc24_next4): Use only 'data' for last table look-up.
* configure.ac: Add 'crc-intel-pclmul.lo'.
* src/g10lib.h (HWF_*, HWF_INTEL_SSE4_1): Update HWF flags to include
Intel SSE4.1.
* src/hwf-x86.c (detect_x86_gnuc): Add SSE4.1 detection.
* src/hwfeatures.c (hwflist): Add 'intel-sse4.1'.
* tests/basic.c (fillbuf_count): New.
(check_one_md): Add "?" check (million byte data-set with byte pattern
0x00,0x01,0x02,...); Test all buffer sizes 1 to 1000, for "!" and "?"
checks.
(check_one_md_multi): Skip "?".
(check_digests): Add "?" test-vectors for MD5, SHA1, SHA224, SHA256,
SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, RIPEMD160,
CRC32, CRC32_RFC1510, CRC24_RFC2440, TIGER1 and WHIRLPOOL; Add "!"
test-vectors for CRC32_RFC1510 and CRC24_RFC2440.
--

Add Intel PCLMUL accelerated implementations of CRC algorithms.
CRC performance is improved ~11x on x86_64 and i386 on Intel
Haswell, and ~2.7x on Intel Sandy-bridge.

Benchmark on Intel Core i5-4570 (x86_64, 3.2 Ghz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.865 ns/B    1103.0 MiB/s      2.77 c/B
  CRC32RFC1510   |     0.865 ns/B    1102.7 MiB/s      2.77 c/B
  CRC24RFC2440   |     0.865 ns/B    1103.0 MiB/s      2.77 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.079 ns/B   12051.7 MiB/s     0.253 c/B
  CRC32RFC1510   |     0.079 ns/B   12050.6 MiB/s     0.253 c/B
  CRC24RFC2440   |     0.079 ns/B   12100.0 MiB/s     0.252 c/B

Benchmark on Intel Core i5-4570 (i386, 3.2 Ghz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.860 ns/B    1109.0 MiB/s      2.75 c/B
  CRC32RFC1510   |     0.861 ns/B    1108.3 MiB/s      2.75 c/B
  CRC24RFC2440   |     0.860 ns/B    1108.6 MiB/s      2.75 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.078 ns/B   12207.0 MiB/s     0.250 c/B
  CRC32RFC1510   |     0.078 ns/B   12207.0 MiB/s     0.250 c/B
  CRC24RFC2440   |     0.080 ns/B   11925.6 MiB/s     0.256 c/B

Benchmark on Intel Core i5-2450M (x86_64, 2.5 Ghz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |      1.25 ns/B     762.3 MiB/s      3.13 c/B
  CRC32RFC1510   |      1.26 ns/B     759.1 MiB/s      3.14 c/B
  CRC24RFC2440   |      1.25 ns/B     764.9 MiB/s      3.12 c/B

 After:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  CRC32          |     0.451 ns/B    2114.3 MiB/s      1.13 c/B
  CRC32RFC1510   |     0.451 ns/B    2114.6 MiB/s      1.13 c/B
  CRC24RFC2440   |     0.457 ns/B    2085.0 MiB/s      1.14 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
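
Added example (not libgcrypt's code): a plain table-driven CRC24 as specified in RFC 2440/4880, the function behind CRC24_RFC2440 above, together with the OpenPGP armor checksum trailer and the 0x00,0x01,0x02,... byte-pattern buffer the new "?" check uses, so chunked and one-shot results can be compared the way the commit's "all buffer sizes 1 to 1000" sweep does. The PCLMUL code computes the same function with carry-less multiplies; this scalar form is the reference to compare against. The init/polynomial constants and the check value 0x21CF02 for "123456789" are the standard ones; the helper names are mine.

```python
"""CRC-24 as specified in RFC 2440/4880 (OpenPGP ASCII armor checksum).

Added example, not libgcrypt's crc.c: a table-driven implementation using
the same init/polynomial constants as CRC24_RFC2440, plus the armor
checksum encoding and the byte-pattern buffer of the new "?" test.
"""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def _make_table():
    """Per-byte lookup table equivalent to the bit-serial loop in RFC 4880."""
    table = []
    for i in range(256):
        crc = i << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
        table.append(crc & 0xFFFFFF)
    return table


_TABLE = _make_table()


def crc24(data: bytes, crc: int = CRC24_INIT) -> int:
    """Return the 24-bit CRC of DATA, continuing from CRC so that
    successive chunks can be fed in (the CRC is kept as a plain integer
    holding the 24 significant bits)."""
    for b in data:
        crc = ((crc << 8) ^ _TABLE[((crc >> 16) ^ b) & 0xFF]) & 0xFFFFFF
    return crc


def crc24_chunked(data: bytes, chunk: int) -> int:
    """Feed DATA in CHUNK-sized pieces; the result must equal the one-shot
    value for every chunk size, which is what the buffer-size sweep in
    tests/basic.c verifies for the accelerated path."""
    crc = CRC24_INIT
    for off in range(0, len(data), chunk):
        crc = crc24(data[off:off + chunk], crc)
    return crc


def pattern_buffer(n: int) -> bytes:
    """Constructed test input: the byte pattern 0x00,0x01,0x02,... of the
    new "?" check."""
    return bytes(i & 0xFF for i in range(n))


def armor_checksum(data: bytes) -> str:
    """The '=XXXX' trailer OpenPGP ASCII armor appends: the 3-byte CRC,
    big-endian, base64 encoded."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


if __name__ == "__main__":
    buf = pattern_buffer(1_000_000)
    print(hex(crc24(b"123456789")), armor_checksum(b""), hex(crc24(buf)))
```

The one-shot/chunked comparison is the check worth keeping around when a new accelerated implementation lands: a bug in the tail handling of a SIMD path shows up only for some buffer lengths, which is why the commit sweeps every size from 1 to 1000.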
3 years ago - Update .gitignore
Jussi Kivilinna [Sat, 12 Mar 2016 15:10:30 +0000 (17:10 +0200)]
Update .gitignore

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago - mpi: Normalize EXPO for mpi_powm.
NIIBE Yutaka [Thu, 25 Feb 2016 03:01:10 +0000 (12:01 +0900)]
mpi: Normalize EXPO for mpi_powm.

* mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP.

--

Thanks to Dan Fandrich for the report with a reproducible test case.

GnuPG-bug-id: 2256

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago - Do not ship generated header file in tarball.
Andreas Metzler [Sun, 21 Feb 2016 11:18:33 +0000 (12:18 +0100)]
Do not ship generated header file in tarball.

* src/Makefile.am: Move gcrypt.h from include_HEADERS to
  nodist_include_HEADERS to prevent inclusion in release tarball.
  This could break out-of-tree-builds because the potentially outdated
  src/gcrypt.h was not updated but was in the compiler search path.

3 years ago - Fix building random-drbg for Win32/64
Jussi Kivilinna [Sat, 20 Feb 2016 19:27:15 +0000 (21:27 +0200)]
Fix building random-drbg for Win32/64

* random/random-drbg.c: Remove include for sys/types.h and asm/types.h.
(DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH)
(DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384)
(DRBG_HASHSHA512, DRBG_HMAC, DRBG_SYM128, DRBG_SYM192)
(DRBG_SYM256): Change 'u_int32_t' to 'u32'.
(drbg_get_entropy) [USE_RNDUNIX, USE_RNDW32]: Fix parameters
'drbg_read_cb' and 'len'.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago - tests: Do not test DRBG_REINIT from "make check"
Werner Koch [Sat, 20 Feb 2016 13:41:56 +0000 (14:41 +0100)]
tests: Do not test DRBG_REINIT from "make check"

* tests/random.c (main): Run check_drbg_reinit only if the envvar
GCRYPT_IN_REGRESSION_TEST is set.
--

Without a hardware entropy generator (e.g. the moonbase token) running
the regression suite would take too long.  We better use a set of test
vectors when run from "make check".

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - doc: Fix possible dependency problem.
Werner Koch [Wed, 17 Feb 2016 18:34:21 +0000 (19:34 +0100)]
doc: Fix possible dependency problem.

* doc/Makefile.am (gcrypt.texi): Use the right target.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Remove ANSI X9.31 DRNG
Stephan Mueller [Tue, 16 Feb 2016 21:04:53 +0000 (22:04 +0100)]
random: Remove ANSI X9.31 DRNG

* random-fips.c: Remove.
--

The ANSI X9.31 DRNG is removed as it is completely replaced with the
SP800-90A DRBG.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
3 years ago - random: Add a test case for DRBG_REINIT.
Werner Koch [Fri, 19 Feb 2016 14:35:03 +0000 (15:35 +0100)]
random: Add a test case for DRBG_REINIT.

* src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
* tests/random.c (check_drbg_reinit): New.
(main): Call new test.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Allow DRBG_REINIT before initialization.
Werner Koch [Fri, 19 Feb 2016 14:32:44 +0000 (15:32 +0100)]
random: Allow DRBG_REINIT before initialization.

* random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
(_drbg_init_internal): Set the default type if no type has been set
before.
(_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.
--

Without this change we can't call GCRYCTL_DRBG_REINIT before
initialization.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - Add new private header gcrypt-testapi.h.
Werner Koch [Fri, 19 Feb 2016 11:57:00 +0000 (12:57 +0100)]
Add new private header gcrypt-testapi.h.

* src/gcrypt-testapi.h: New.
* src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
* random/random.h: Include gcrypt-testapi.h.
(struct gcry_drbg_test_vector) : Move to gcrypt-testapi.h.
* src/global.c: Include gcrypt-testapi.h.
(_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61.
* cipher/cipher.c: Include gcrypt-testapi.h.
(_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62.
* tests/fipsdrv.c: Include gcrypt-testapi.h.  Remove definition of
PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_
constants.
* tests/t-lock.c: Include gcrypt-testapi.h.  Remove
PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants.

* random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ...
(_gcry_rngdrbg_cavs_test): this.
(gcry_rngdrbg_healthcheck_one): Rename to ...
(_gcry_rngdrbg_healthcheck_one): this.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Make the DRBG C-90 clean and use a flag string.
Werner Koch [Fri, 19 Feb 2016 10:44:57 +0000 (11:44 +0100)]
random: Make the DRBG C-90 clean and use a flag string.

* random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
"flagstr" and turn it into a string.
* random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
designated initializers.  Use a string for the flags.
(gcry_rngdrbg_cavs_test): Parse the flag string into a flag value.
(drbg_healthcheck_sanity): Ditto.
--

Libgcrypt needs to be build-able on C-90 only systems and thus we
can't use C-99 designated initializers.  Because we have removed the
flag macros from the API we should not use them in the CAVS test code
either.  Thus they are replaced by the flag string which also tests
the flag string parser.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Symbol name cleanup for random-drbg.c.
Werner Koch [Thu, 18 Feb 2016 19:44:10 +0000 (20:44 +0100)]
random: Symbol name cleanup for random-drbg.c.

* random/random-drbg.c: Rename all static objects and macros from
"gcry_drbg" to "drbg".
(drbg_string_t): New typedef.
(drbg_gen_t): New typedef.
(drbg_state_t): New typedef.  Replace all "struct drbg_state_s *" by
this.
(_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so
that an error is actually returned.
(gcry_rngdrbg_cavs_test): Ditto.
(gcry_drbg_healthcheck_sanity): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Use our symbol name pattern also for drbg functions.
Werner Koch [Thu, 18 Feb 2016 18:24:47 +0000 (19:24 +0100)]
random: Use our symbol name pattern also for drbg functions.

* random/random-drbg.c: Rename global functions from _gcry_drbg_*
to _gcry_rngdrbg_*.
* random/random.c: Adjust for this change.
* src/global.c: Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Rename drbg.c to random-drbg.c.
Werner Koch [Thu, 18 Feb 2016 14:37:31 +0000 (15:37 +0100)]
random: Rename drbg.c to random-drbg.c.

* random/drbg.c: Rename to ...
* random/random-drbg.c: this.
* random/Makefile.am (librandom_la_SOURCES): Adjust accordingly.
--

We should stick to our name conventions.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Remove the new API introduced by the new DRBG.
Werner Koch [Thu, 18 Feb 2016 16:51:34 +0000 (17:51 +0100)]
random: Remove the new API introduced by the new DRBG.

* src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c.
(struct gcry_drbg_string): Ditto.
(gcry_drbg_string_fill): Ditto.
(gcry_randomize_drbg): Remove.
* random/drbg.c (parse_flag_string): New.
(_gcry_drbg_reinit): Change the way the arguments are passed.
* src/global.c (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: Change calling
convention.
--

It does not make sense to extend the API for a somewhat questionable
feature.  For GCRYCTL_DRBG_REINIT we change to use a string with flags
and libgcrypt's native buffer data structure.

NB: GCRYCTL_DRBG_REINIT has not been tested!
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - Add helper function _gcry_strtokenize.
Werner Koch [Thu, 18 Feb 2016 14:37:32 +0000 (15:37 +0100)]
Add helper function _gcry_strtokenize.

* src/misc.c (_gcry_strtokenize): New.
--

The code has been taken from GnuPG and re-licensed to LGPLv2+ by me as
its original author.  Minor changes for use in Libgcrypt.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Remove DRBG constants from the public API.
Werner Koch [Thu, 18 Feb 2016 14:31:36 +0000 (15:31 +0100)]
random: Remove DRBG constants from the public API.

* src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ...
* random/drbg.c: here.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Add SP800-90A DRBG
Stephan Mueller [Tue, 16 Feb 2016 21:04:28 +0000 (22:04 +0100)]
random: Add SP800-90A DRBG

* random/drbg.c: New.
* random/random.c (_gcry_random_initialize): Replace rngfips init by
drbg init.
(__gcry_random_close_fds): Likewise.
(_gcry_random_dump_stats): Likewise.
(_gcry_random_is_faked): Likewise.
(do_randomize): Likewise.
(_gcry_random_selftest): Likewise.
(_gcry_create_nonce): Replace rngfips_create_nonce by drbg_randomize.
(_gcry_random_init_external_test): Remove.
(_gcry_random_run_external_test): Remove.
(_gcry_random_deinit_external_test): Remove.
* random/random.h (struct gcry_drbg_test_vector): New.
* src/gcrypt.h.in (struct gcry_drbg_gen): New.
(struct gcry_drbg_string): New.
(gcry_drbg_string_fill): New.
(gcry_randomize_drbg): New.
(GCRY_DRBG_): Lots of new macros.
* src/global.c (_gcry_vcontrol) <Init external random test>: Turn into
a nop.
(_gcry_vcontrol) <Deinit external random test>: Ditto.
(_gcry_vcontrol) <Run external random test>: Change.
(_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: New.

--

This patch set adds the SP800-90A DRBG for AES128, AES192, AES256 with
derivation function, SHA-1 through SHA-512 with derivation function,
HMAC SHA-1 through HMAC SHA-512. All DRBGs are provided with and without
prediction resistance. In addition, all DRBGs allow reseeding by the
caller.

The default DRBG is HMAC SHA-256 without prediction resistance.

The caller may re-initialize the DRBG with the control
GCRYCTL_DRBG_REINIT:

The patch replaces the invocation of the existing ANSI X9.31 DRNG. This
covers the control calls of 58 through 60. Control call 58 and 60 are
simply deactivated. Control 59 is replaced with the DRBG CAVS test
interface.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
ChangeLog entries added by -wk
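
Added example (not libgcrypt's random-drbg.c): a minimal HMAC_DRBG with SHA-256, the construction of SP 800-90A section 10.1.2 that this commit makes the default (without prediction resistance). It shows the instantiate, reseed and generate steps and the Update function they share. The entropy input is a constructed fixed byte string so the run is reproducible; a real instantiation must take entropy_input from an approved entropy source, which is the part the library's rndlinux/rndunix gatherers provide. Class and helper names are mine.

```python
"""HMAC_DRBG (SP 800-90A, section 10.1.2) with SHA-256.

Added example, not libgcrypt's code: reference implementation of the
default DRBG type selected above.  Seeded from a constructed entropy
input so its output is reproducible; never do that in production.
"""
import hashlib
import hmac

RESEED_INTERVAL = 1 << 48      # reseed_interval limit for HMAC_DRBG
MAX_REQUEST_BYTES = 1 << 16    # max_number_of_bits_per_request / 8


class HmacDrbgSha256:
    OUTLEN = 32                # SHA-256 output length in bytes

    def __init__(self, entropy_input: bytes, nonce: bytes = b"",
                 personalization: bytes = b""):
        # Instantiate: Key = 0x00..00, V = 0x01..01, then Update(seed_material)
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update: mixes PROVIDED_DATA into (Key, V).  The second
        round is skipped when there is no provided data."""
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if provided_data:
            self.K = self._hmac(self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        """Reseed from fresh entropy; resets the reseed counter."""
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes: int, additional_input: bytes = b"") -> bytes:
        """Generate NBYTES of output; refuses to run past the reseed
        interval instead of silently continuing."""
        if nbytes > MAX_REQUEST_BYTES:
            raise ValueError("request too large")
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.V)
            out += self.V
        # Back-tracking resistance: update state after producing output.
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:nbytes]


if __name__ == "__main__":
    # Constructed, fixed entropy input: only for the demonstration.
    drbg = HmacDrbgSha256(bytes(range(32)), b"nonce", b"libgcrypt-example")
    print(drbg.generate(32).hex())
```

The state update after each generate call is what gives the DRBG backtracking resistance: compromising (Key, V) later does not reveal earlier output. Prediction resistance, which the commit also offers, is the additional step of reseeding from the entropy source before every generate call.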

3 years ago - bufhelp: disable unaligned memory accesses on powerpc
Jussi Kivilinna [Sat, 13 Feb 2016 18:12:58 +0000 (20:12 +0200)]
bufhelp: disable unaligned memory accesses on powerpc

* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for
__powerpc__ and __powerpc64__.

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago - Document more non LGPL-licensed code.
Andreas Metzler [Fri, 12 Feb 2016 13:19:23 +0000 (14:19 +0100)]
Document more non LGPL-licensed code.

--

Add license and copyright statement for cipher/arcfour-amd64.S (public
domain) and cipher/cipher-ocb.c (OCB license 1)

3 years ago - ecc: Not validate input point for Curve25519.
NIIBE Yutaka [Fri, 12 Feb 2016 04:50:02 +0000 (13:50 +0900)]
ecc: Not validate input point for Curve25519.

* cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago - ecc: Fix memory leaks on error.
NIIBE Yutaka [Wed, 10 Feb 2016 08:35:43 +0000 (17:35 +0900)]
ecc: Fix memory leaks on error.

* cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory.
* mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago - doc: about commit 23b72901f8a5ba9a78485b235c7a917fbc8faae0
NIIBE Yutaka [Tue, 9 Feb 2016 09:50:47 +0000 (18:50 +0900)]
doc: about commit 23b72901f8a5ba9a78485b235c7a917fbc8faae0

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Together with 88e1358962e902ff1cbec8d53ba3eee46407851a, it
could be an effective countermeasure to some chosen ciphertext
attacks.

CVE-id: CVE-2015-7511

Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran
Tromer.  http://www.cs.tau.ac.IL/~tromer/ecdh/

3 years ago - ecc: input validation on ECDH.
NIIBE Yutaka [Tue, 24 Nov 2015 23:41:41 +0000 (08:41 +0900)]
ecc: input validation on ECDH.

* cipher/ecc.c (ecc_decrypt_raw): Validate the point.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(forward port from LIBGCRYPT-1-6-BRANCH
 commit 28eb424e4427b320ec1c9c4ce56af25d495230bd)

3 years ago - Add ARM assembly implementation of SHA-512
Jussi Kivilinna [Mon, 8 Feb 2016 18:13:38 +0000 (20:13 +0200)]
Add ARM assembly implementation of SHA-512

* cipher/Makefile.am: Add 'sha512-arm.S'.
* cipher/sha512-arm.S: New.
* cipher/sha512.c (USE_ARM_ASM): New.
(_gcry_sha512_transform_arm): New.
(transform) [USE_ARM_ASM]: Use ARM assembly implementation instead of
generic.
* configure.ac: Add 'sha512-arm.lo'.
--

Benchmark on Cortex-A8 (armv6, 1008 Mhz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA512         |     112.0 ns/B      8.52 MiB/s     112.9 c/B

 After (3.3x faster):
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA512         |     34.01 ns/B     28.04 MiB/s     34.28 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago - tests: Add a test for Curve25519.
NIIBE Yutaka [Wed, 3 Feb 2016 03:24:46 +0000 (12:24 +0900)]
tests: Add a test for Curve25519.

* tests/Makefile.am (tests_bin): Add t-cv25519.
* tests/t-cv25519.c: New.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago - ecc: Fix Curve25519 for data by older implementation.
NIIBE Yutaka [Tue, 2 Feb 2016 11:58:04 +0000 (20:58 +0900)]
ecc: Fix Curve25519 for data by older implementation.

* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for
short length data.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 years ago - ecc: more fix of Curve25519.
NIIBE Yutaka [Tue, 2 Feb 2016 08:24:10 +0000 (17:24 +0900)]
ecc: more fix of Curve25519.

* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
prefix.  Clear the MSB, according to RFC7748.

--

This change fixes two things.

* Handle the case where the prefix 0x40 comes at the end when scanned
  as a standard MPI.

* Implement MSB handling.  On page 7 of RFC 7748, it says about
  decoding the u-coordinate:

    When receiving such an array, implementations of X25519 (but not
    X448) MUST mask the most significant bit in the final byte.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
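
Added example (not libgcrypt's ecc-misc.c): decoding of a Curve25519 u-coordinate that has been carried through OpenPGP-style MPI handling, covering the three situations the Curve25519 commits above describe: the 0x40 prefix of the new representation, a 0x00 sign byte inserted in front, and a legacy no-prefix string shortened by MPI normalization; the RFC 7748 masking of the most significant bit of the final byte is applied last. It assumes the MPI is available as its big-endian octet string, and the helper names are mine. The "prefix at the end" scanning case from the commit is not reproduced.

```python
"""Decoding a Curve25519 u-coordinate carried as an OpenPGP-style MPI.

Added example, not libgcrypt's code.  The MPI is assumed to be handled
as its big-endian octet string: a 0x00 sign byte may have been prepended,
and leading 0x00 octets may have been stripped by normalisation.
"""

NBYTES = 32      # 255-bit curve: 32 octets for u
PREFIX = 0x40    # new representation: 0x40 || u (little endian)


def encode_u_coordinate(u: int) -> bytes:
    """New libgcrypt representation: 0x40 followed by the 32-byte
    little-endian u.  The prefix keeps the first octet non-zero, so MPI
    normalisation can never strip part of the coordinate."""
    if not 0 <= u < 2 ** 255:
        raise ValueError("u out of range")
    return bytes([PREFIX]) + u.to_bytes(NBYTES, "little")


def decode_u_coordinate(mpi_octets: bytes) -> int:
    """Return the integer u from MPI_OCTETS, accepting both the prefixed
    and the legacy (no prefix) representation."""
    # Undo an inserted sign byte and MPI normalisation alike.
    octets = mpi_octets.lstrip(b"\x00")
    if len(octets) == NBYTES + 1 and octets[0] == PREFIX:
        octets = octets[1:]
    elif len(octets) > NBYTES:
        raise ValueError("u-coordinate too long")
    else:
        # Legacy form: the raw little-endian string was stored as an MPI,
        # so any leading 0x00 octets that normalisation dropped belong at
        # the front of the string; restore them.
        octets = b"\x00" * (NBYTES - len(octets)) + octets
    u = bytearray(octets)
    u[-1] &= 0x7F    # RFC 7748: X25519 masks the MSB of the final byte
    return int.from_bytes(u, "little")


if __name__ == "__main__":
    encoded = encode_u_coordinate(9)       # base point u = 9
    print(encoded.hex(), decode_u_coordinate(encoded))
```

Without the prefix, a u-coordinate whose low-order byte happens to be zero would come back one octet shorter after normalization and, interpreted naively, would be a different number; that is the "short length data" case the fix above addresses.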
3 years ago - ecc: Fix ECDH of Curve25519.
NIIBE Yutaka [Tue, 2 Feb 2016 04:58:48 +0000 (13:58 +0900)]
ecc: Fix ECDH of Curve25519.

* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
and prefix detection.
* cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
(ecc_encrypt_raw): Use NBITS from curve instead of from P.
Fix rawmpilen calculation.
(ecc_decrypt_raw): Likewise.  Add debug output.
--

This fixes the commit dd3d06e7.  NBITS is defined as 256 in
ecc-curves.c; thus ecc_get_nbits returns 256, but CTX->NBITS is 255 for
the Montgomery curve.

3 years ago - Update 'Interface changes' in NEWS
Jussi Kivilinna [Fri, 29 Jan 2016 15:42:41 +0000 (17:42 +0200)]
Update 'Interface changes' in NEWS

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago - Improve performance of generic SHA256 implementation
Jussi Kivilinna [Fri, 29 Jan 2016 15:42:41 +0000 (17:42 +0200)]
Improve performance of generic SHA256 implementation

* cipher/sha256.c (R): Let caller do variable shuffling.
(Chro, Maj, Sum0, Sum1): Convert from inline functions to macros.
(W, I): New.
(transform_blk): Unroll round loop; inline message expansion to rounds
to make message expansion buffer smaller.
--

Benchmark on Cortex-A8 (armv6, 1008 Mhz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     27.63 ns/B     34.52 MiB/s     27.85 c/B

 After (1.31x faster):
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     20.97 ns/B     45.48 MiB/s     21.13 c/B

Benchmark on Cortex-A8 (armv7, 1008 Mhz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     24.18 ns/B     39.43 MiB/s     24.38 c/B

 After (1.13x faster):
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |     21.28 ns/B     44.82 MiB/s     21.45 c/B

Benchmark on Intel Core i5-4570 (i386, 3.2 Ghz):

 Before:
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |      5.78 ns/B     164.9 MiB/s     18.51 c/B

 After (1.06x faster)
                 |  nanosecs/byte   mebibytes/sec   cycles/byte
  SHA256         |      5.41 ns/B     176.1 MiB/s     17.33 c/B

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago - Update NEWS
Jussi Kivilinna [Thu, 28 Jan 2016 17:07:50 +0000 (19:07 +0200)]
Update NEWS

--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago - doc: Fix typos in gcry_mpi_ec_new.
Werner Koch [Thu, 28 Jan 2016 17:16:22 +0000 (18:16 +0100)]
doc: Fix typos in gcry_mpi_ec_new.

--
Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - ecc: New API function gcry_mpi_ec_decode_point.
Werner Koch [Thu, 28 Jan 2016 16:33:51 +0000 (17:33 +0100)]
ecc: New API function gcry_mpi_ec_decode_point.

* mpi/ec.c (_gcry_mpi_ec_decode_point): New.
* cipher/ecc-common.h: Move two prototypes to ...
* src/ec-context.h: here.
* src/gcrypt.h.in (gcry_mpi_ec_decode_point): New.
* src/libgcrypt.def (gcry_mpi_ec_decode_point): New.
* src/libgcrypt.vers (gcry_mpi_ec_decode_point): New.
* src/visibility.c (gcry_mpi_ec_decode_point): New.
* src/visibility.h: Add new function.
--

This new function makes the use of the gcry_mpi_ec_curve_point function
possible in many contexts.  Here is a code snippet which could be used
in gpg to check a point:

static gpg_error_t
check_point (PKT_public_key *pk, gcry_mpi_t m_point)
{
  gpg_error_t err;
  char *curve;
  gcry_ctx_t gctx = NULL;
  gcry_mpi_point_t point = NULL;

  /* Get the curve name from the first OpenPGP key parameter.  */
  curve = openpgp_oid_to_str (pk->pkey[0]);
  if (!curve)
    {
      err = gpg_error_from_syserror ();
      goto leave;
    }

  point = gcry_mpi_point_new (0);
  if (!point)
    {
      err = gpg_error_from_syserror ();
      goto leave;
    }

  /* Build an EC context for that curve so the point can be decoded
     and checked against the curve's own parameters.  */
  err = gcry_mpi_ec_new (&gctx, NULL, curve);
  if (err)
    goto leave;

  /* Unpack the encoded MPI into affine coordinates.  */
  err = gcry_mpi_ec_decode_point (point, m_point, gctx);
  if (err)
    goto leave;

  /* Reject a point which does not satisfy the curve equation.  */
  if (!gcry_mpi_ec_curve_point (point, gctx))
    err = gpg_error (GPG_ERR_BAD_DATA);

 leave:
  gcry_ctx_release (gctx);
  gcry_mpi_point_release (point);
  xfree (curve);
  return err;
}

Signed-off-by: Werner Koch <wk@gnupg.org>
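
Added example (not libgcrypt's or GnuPG's code): the on-curve check that the snippet above delegates to gcry_mpi_ec_curve_point, and that the "ecc: input validation on ECDH" commit applies to the peer's point in ecc_decrypt_raw, written out with plain integers for NIST P-256. Decoding follows the uncompressed point format 0x04 || X || Y that OpenPGP uses for these curves. The domain parameters are the standard ones; the helper names are mine. Feeding a point that is not on the curve into scalar multiplication is exactly what the chosen-ciphertext attacks referenced above exploit, which is why the check has to run before the secret scalar touches the point.

```python
"""Public-point validation for ECDH on a short Weierstrass curve.

Added example, not libgcrypt's or GnuPG's code: decodes an uncompressed
point 0x04 || X || Y and checks the curve equation y^2 = x^3 + ax + b
(mod p) on NIST P-256, the check gcry_mpi_ec_curve_point performs.
"""

# NIST P-256 domain parameters (standard values).
P = 2 ** 256 - 2 ** 224 + 2 ** 192 + 2 ** 96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
NBYTES = 32


def encode_point(x: int, y: int) -> bytes:
    """Uncompressed encoding: 0x04 || X || Y, big-endian, fixed width."""
    return b"\x04" + x.to_bytes(NBYTES, "big") + y.to_bytes(NBYTES, "big")


def decode_point(octets: bytes):
    """Split an uncompressed encoding into (x, y); reject any other form
    (compressed points and short/long inputs are not accepted here)."""
    if len(octets) != 1 + 2 * NBYTES or octets[0] != 0x04:
        raise ValueError("not an uncompressed point")
    x = int.from_bytes(octets[1:1 + NBYTES], "big")
    y = int.from_bytes(octets[1 + NBYTES:], "big")
    return x, y


def is_on_curve(x: int, y: int) -> bool:
    """True when (x, y) is an affine point of the curve: both coordinates
    are reduced modulo p and the curve equation holds."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def check_point(octets: bytes) -> bool:
    """What an ECDH decrypt path must do with the peer's point before
    multiplying it by the private scalar."""
    try:
        x, y = decode_point(octets)
    except ValueError:
        return False
    return is_on_curve(x, y)


if __name__ == "__main__":
    print(check_point(encode_point(GX, GY)), check_point(encode_point(GX, GY + 1)))
```

The coordinate range check matters as much as the equation: a coordinate at or above p still satisfies the equation after reduction but is not a canonical encoding, and accepting it gives an attacker two encodings for the same point.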
3 years ago - Fix build problem for rndegd.c
Werner Koch [Fri, 15 Jan 2016 15:10:34 +0000 (16:10 +0100)]
Fix build problem for rndegd.c

* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules.
* random/rndegd.c (_gcry_rndegd_connect_socket)
(my_make_filename): Use functions with '_' prefix.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Fix possible AIX problem with sysconf in rndunix.
Werner Koch [Fri, 15 Jan 2016 15:01:35 +0000 (16:01 +0100)]
random: Fix possible AIX problem with sysconf in rndunix.

* random/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
(start_gatherer): Detect misbehaving sysconf.
--

See
GnuPG-bug-id: 1778
for the reason of this patch. There is no concrete bug report but this
change should not harm.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - random: Take at max 25% from RDRAND
Werner Koch [Sun, 27 Dec 2015 11:39:45 +0000 (12:39 +0100)]
random: Take at max 25% from RDRAND

* random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of
RDRAND from 50% to 25%.

Signed-off-by: Werner Koch <wk@gnupg.org>
3 years ago - doc: Typo fix and .gitignore addition.
Werner Koch [Fri, 2 Oct 2015 13:05:19 +0000 (15:05 +0200)]
doc: Typo fix and .gitignore addition.

--

3 years ago - doc: Fix typo.
Justus Winter [Wed, 2 Dec 2015 11:49:59 +0000 (12:49 +0100)]
doc: Fix typo.

--
Signed-off-by: Justus Winter <justus@g10code.com>
3 years ago - cipher: Improve error handling.
Justus Winter [Mon, 7 Dec 2015 11:44:48 +0000 (12:44 +0100)]
cipher: Improve error handling.

* cipher/ecc.c (ecc_decrypt_raw): Improve error handling.
--
Found using the Clang Static Analyzer.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years ago - cipher: Initialize 'flags'.
Justus Winter [Mon, 7 Dec 2015 11:39:41 +0000 (12:39 +0100)]
cipher: Initialize 'flags'.

* cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0.
--
Found using the Clang Static Analyzer.

Signed-off-by: Justus Winter <justus@g10code.com>
3 years ago - ecc: CHANGE point representation of Curve25519.
NIIBE Yutaka [Sat, 5 Dec 2015 01:08:51 +0000 (10:08 +0900)]
ecc: CHANGE point representation of Curve25519.

* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with
the prefix 0x40, additional 0x00 by MPI handling, and shorter octets
by MPI normalization.
* cipher/ecc.c (ecc_generate, ecc_encrypt_raw, ecc_decrypt_raw):
Always add the prefix 0x40.

--

Curve25519's native little-endian point representation is not friendly
to the existing practice of OpenPGP code, where an MPI is assumed.  MPI
handling might insert 0x00 at the beginning to avoid sign confusion.
MPI handling also might remove 0x00s from the front.  So, it is safe
to put the prefix 0x40.

While we support the old point representation with no prefix in
ecc_mont_decodepoint, new libgcrypt always puts the prefix.

3 years ago - chacha20: fix alignment of self-test context
Jussi Kivilinna [Thu, 3 Dec 2015 19:06:50 +0000 (21:06 +0200)]
chacha20: fix alignment of self-test context

* cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20
context structure.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
3 years ago - salsa20: fix alignment of self-test context
Jussi Kivilinna [Thu, 3 Dec 2015 19:06:50 +0000 (21:06 +0200)]
salsa20: fix alignment of self-test context

* cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20
context structure.
--

Reported-by: Carlos J Puga Medina <cpm@fbsd.es>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>