path: root/cipher
Commit log entries: commit message (author, date; files changed, lines removed/added)
* cipher/sha256: fix 'accessing 32 bytes in a region of size 4' warnings (Jussi Kivilinna, 2021-10-08; 1 file changed, -46/+46)
  * cipher/sha256.c (SHA256_CONTEXT): Replace h0-h7 with h[8].
  (do_sha256_transform_amd64_ssse3, do_sha256_transform_amd64_avx)
  (do_sha256_transform_amd64_avx2, do_sha256_transform_intel_shaext)
  (do_sha256_transform_armv8_ce, do_sha256_transform_ppc8)
  (do_sha256_transform_ppc9, do_sha256_transform_s390x)
  (do_sha256_final_s390x, sha256_init, sha224_init)
  (do_transform_generic, sha256_final): Convert use of h0-h7 to h[0]-h[7].
  --
  GCC-11 gives the following warning on sha256.c:
    warning: 'func' accessing 32 bytes in a region of size 4
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* cipher: Add sign+hash, verify+hash, and random-override API. (NIIBE Yutaka, 2021-10-07; 1 file changed, -0/+244)
  * cipher/pubkey.c (_gcry_pk_sign_md, _gcry_pk_verify_md): New.
  (_gcry_pk_random_override_new): New.
  (_gcry_pk_get_random_override): New.
  * src/gcrypt-int.h: Add those routines.
  * src/context.h (CONTEXT_TYPE_RANDOM_OVERRIDE): New.
  * src/context.c (_gcry_ctx_alloc, _gcry_ctx_release): Handle CONTEXT_TYPE_RANDOM_OVERRIDE.
  * src/gcrypt.h.in (gcry_error_t gcry_pk_hash_sign): New.
  (gcry_error_t gcry_pk_hash_verify): New.
  (gcry_pk_random_override_new): New.
  * src/libgcrypt.def, src/libgcrypt.vers: Update.
  * src/visibility.c (gcry_pk_hash_sign, gcry_pk_hash_verify): New.
  (gcry_pk_random_override_new): New.
  * src/visibility.h: Add those routines.
  --
  GnuPG-bug-id: 4894
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: dsa, ecdsa: Support supplying K externally. (NIIBE Yutaka, 2021-10-07; 5 files changed, -38/+135)
  * cipher/dsa.c (sign): Add an argument K for DSA.
  (test_keys, dsa_sign): Follow the change.
  * cipher/ecc-common.h (_gcry_ecc_ecdsa_sign): Likewise for ECDSA.
  * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise for ECDSA.
  * cipher/ecc.c (test_keys, ecc_sign): Follow the change.
  * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support "label" for K.
  --
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* Remove the forced fips mode (Jakub Jelen, 2021-09-20; 1 file changed, -1/+1)
  * cipher/rsa.c (generate_fips): Drop reference to enforced fips mode and use normal FIPS mode check
  * doc/gcrypt.texi: Drop references to enforced FIPS mode
  * src/fips.c (enforced_fips_mode): Removed
  (_gcry_initialize_fips_mode): Remove reading of the FIPS_FORCE_FILE to enforce FIPS mode
  (_gcry_enforced_fips_mode): Remove
  (_gcry_set_enforced_fips_mode): Remove
  * src/g10lib.h (_gcry_enforced_fips_mode): Remove declaration
  (_gcry_set_enforced_fips_mode): Remove declaration
  * src/global.c (print_config): Remove the forced fips flag
  (_gcry_vcontrol): Deprecate GCRYCTL_SET_ENFORCED_FIPS_FLAG
  (get_no_secure_memory): Ignore the option in FIPS mode
  --
  Signed-off-by: Jakub Jelen <jjelen@redhat.com>

  (_gcry_vcontrol): Simply ignore GCRYCTL_SET_ENFORCED_FIPS_FLAG.
  Signed-off-by: Werner Koch <wk@gnupg.org>
  GnuPG-bug-id: 5244
* Remove a way to inactivate FIPS mode (Jakub Jelen, 2021-09-20; 1 file changed, -22/+0)
  * cipher/md.c (_gcry_md_hash_buffer): Remove inactivation of FIPS mode when MD5 is used
  (_gcry_md_hash_buffers_extract): Ditto.
  * src/fips.c (gcry_is_fips_mode_inactive): Removed
  (_gcry_inactivate_fips_mode): Removed
  (_gcry_is_fips_mode_inactive): Removed
  * src/g10lib.h (_gcry_inactivate_fips_mode): Remove declaration
  (_gcry_is_fips_mode_inactive): Remove declaration
  * global.c (_gcry_vcontrol): Update the GCRYCTL_FIPS_MODE_P
  (_gcry_set_allocation_handler): Silently ignore custom allocation handlers in FIPS mode
  --
  Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher: Fix support of sha512-224 and sha512-256. (NIIBE Yutaka, 2021-09-14; 2 files changed, -2/+14)
  * cipher/pubkey-util.c (get_hash_algo): Add.
  * cipher/sha512.c (sha512_256_asn, sha512_224_asn): Fill correct values.
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Support internal hashing with "prehash" for RSA PKCS#1. (NIIBE Yutaka, 2021-09-14; 1 file changed, -15/+67)
  * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support internal hashing.
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Clear AESWRAP scratch area immediately after use (Werner Koch, 2021-09-13; 1 file changed, -0/+1)
  * cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_decrypt): Call wipememory.
  --
  Note that gcry_cipher_close will do this also but some applications keep the context for a long time and thus plaintext could be found in memory during the time the context is open.
  GnuPG-bug-id: 5597
* Add ARMv8-CE HW acceleration for GCM-SIV counter mode (Jussi Kivilinna, 2021-08-26; 4 files changed, -0/+252)
  * cipher/rijndael-armv8-aarch32-ce.S (_gcry_aes_ctr32le_enc_armv8_ce): New.
  * cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_ctr32le_enc_armv8_ce): New.
  * cipher/rijndael-armv8-ce.c (_gcry_aes_ctr32le_enc_armv8_ce)
  (_gcry_aes_armv8_ce_ctr32le_enc): New.
  * cipher/rijndael.c (_gcry_aes_armv8_ce_ctr32le_enc): New prototype.
  (do_setkey): Add setup of 'bulk_ops->ctr32le_enc' for ARMv8-CE.
  --
  Benchmark on Cortex-A53 (aarch64):

  Before:
   AES            |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
    GCM-SIV enc   |     11.77 ns/B     81.03 MiB/s      7.63 c/B     647.9
    GCM-SIV dec   |     11.92 ns/B     79.98 MiB/s      7.73 c/B     647.9
    GCM-SIV auth  |      2.99 ns/B     318.9 MiB/s      1.94 c/B     648.0

  After (~2.4x faster):
   AES            |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
    GCM-SIV enc   |      4.66 ns/B     204.5 MiB/s      3.02 c/B     647.9
    GCM-SIV dec   |      4.82 ns/B     198.0 MiB/s      3.12 c/B     647.9
    GCM-SIV auth  |      3.00 ns/B     318.4 MiB/s      1.94 c/B     648.0

  GnuPG-bug-id: T4485
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* Add x86 HW acceleration for GCM-SIV counter mode (Jussi Kivilinna, 2021-08-26; 6 files changed, -10/+569)
  * cipher/cipher-gcm-siv.c (do_ctr_le32): Use bulk function if available.
  * cipher/cipher-internal.h (cipher_bulk_ops): Add 'ctr32le_enc'.
  * cipher/rijndael-aesni.c (_gcry_aes_aesni_ctr32le_enc): New.
  * cipher/rijndael-vaes-avx2-amd64.S (_gcry_vaes_avx2_ctr32le_enc_amd64, .Lle_addd_*): New.
  * cipher/rijndael-vaes.c (_gcry_vaes_avx2_ctr32le_enc_amd64)
  (_gcry_aes_vaes_ctr32le_enc): New.
  * cipher/rijndael.c (_gcry_aes_aesni_ctr32le_enc)
  (_gcry_aes_vaes_ctr32le_enc): New prototypes.
  (do_setkey): Add setup of 'bulk_ops->ctr32le_enc' for AES-NI and VAES.
  * tests/basic.c (check_gcm_siv_cipher): Add large test-vector for bulk ops testing.
  --
  Counter mode in GCM-SIV is little-endian on the first 4 bytes of the counter block, unlike regular CTR mode which works on the big-endian full block.

  Benchmark on AMD Ryzen 7 5800X:

  Before:
   AES            |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
    GCM-SIV enc   |      1.00 ns/B     953.2 MiB/s      4.85 c/B      4850
    GCM-SIV dec   |      1.01 ns/B     940.1 MiB/s      4.92 c/B      4850
    GCM-SIV auth  |     0.118 ns/B      8051 MiB/s     0.575 c/B      4850

  After (~6x faster):
   AES            |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
    GCM-SIV enc   |     0.150 ns/B      6367 MiB/s     0.727 c/B      4850
    GCM-SIV dec   |     0.161 ns/B      5909 MiB/s     0.783 c/B      4850
    GCM-SIV auth  |     0.118 ns/B      8051 MiB/s     0.574 c/B      4850

  GnuPG-bug-id: T4485
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* Add AES-GCM-SIV mode (RFC 8452) (Jussi Kivilinna, 2021-08-26; 6 files changed, -17/+757)
  * cipher/Makefile.am: Add 'cipher-gcm-siv.c'.
  * cipher/cipher-gcm-siv.c: New.
  * cipher/cipher-gcm.c (_gcry_cipher_gcm_setupM): New.
  * cipher/cipher-internal.h (gcry_cipher_handle): Add 'siv_keylen'.
  (_gcry_cipher_gcm_setupM, _gcry_cipher_gcm_siv_encrypt)
  (_gcry_cipher_gcm_siv_decrypt, _gcry_cipher_gcm_siv_set_nonce)
  (_gcry_cipher_gcm_siv_authenticate)
  (_gcry_cipher_gcm_siv_set_decryption_tag)
  (_gcry_cipher_gcm_siv_get_tag, _gcry_cipher_gcm_siv_check_tag)
  (_gcry_cipher_gcm_siv_setkey): New prototypes.
  (cipher_block_bswap): New helper function.
  * cipher/cipher.c (_gcry_cipher_open_internal): Add 'GCRY_CIPHER_MODE_GCM_SIV'; Refactor mode requirement checks for better size optimization (check pointers & blocksize in same order for all).
  (cipher_setkey, cipher_reset, _gcry_cipher_setup_mode_ops)
  (_gcry_cipher_setup_mode_ops, _gcry_cipher_info): Add GCM-SIV.
  (_gcry_cipher_ctl): Handle 'set decryption tag' for GCM-SIV.
  * doc/gcrypt.texi: Add GCM-SIV.
  * src/gcrypt.h.in (GCRY_CIPHER_MODE_GCM_SIV): New.
  (GCRY_SIV_BLOCK_LEN, gcry_cipher_set_decryption_tag): Add to comment that these are also for GCM-SIV in addition to SIV mode.
  * tests/basic.c (check_gcm_siv_cipher): New.
  (check_cipher_modes): Check for GCM-SIV.
  * tests/bench-slope.c (bench_gcm_siv_encrypt_do_bench)
  (bench_gcm_siv_decrypt_do_bench, bench_gcm_siv_authenticate_do_bench)
  (gcm_siv_encrypt_ops, gcm_siv_decrypt_ops)
  (gcm_siv_authenticate_ops): New.
  (cipher_modes): Add GCM-SIV.
  (cipher_bench_one): Check key length requirement for GCM-SIV.
  --
  GnuPG-bug-id: T4485
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* Add SIV mode (RFC 5297) (Jussi Kivilinna, 2021-08-26; 6 files changed, -9/+543)
  * cipher/Makefile.am: Add 'cipher-siv.c'.
  * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Rename to _gcry_cipher_ctr_encrypt_ctx and add algo context parameter.
  (_gcry_cipher_ctr_encrypt): New using _gcry_cipher_ctr_encrypt_ctx.
  * cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.siv'.
  (_gcry_cipher_ctr_encrypt_ctx, _gcry_cipher_siv_encrypt)
  (_gcry_cipher_siv_decrypt, _gcry_cipher_siv_set_nonce)
  (_gcry_cipher_siv_authenticate, _gcry_cipher_siv_set_decryption_tag)
  (_gcry_cipher_siv_get_tag, _gcry_cipher_siv_check_tag)
  (_gcry_cipher_siv_setkey): New.
  * cipher/cipher-siv.c: New.
  * cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
  (cipher_reset, _gcry_cipher_setup_mode_ops, _gcry_cipher_info): Add GCRY_CIPHER_MODE_SIV handling.
  (_gcry_cipher_ctl): Add GCRYCTL_SET_DECRYPTION_TAG handling.
  * doc/gcrypt.texi: Add documentation for SIV mode.
  * src/gcrypt.h.in (GCRYCTL_SET_DECRYPTION_TAG): New.
  (GCRY_CIPHER_MODE_SIV): New.
  (gcry_cipher_set_decryption_tag): New.
  * tests/basic.c (check_siv_cipher): New.
  (check_cipher_modes): Add call for 'check_siv_cipher'.
  * tests/bench-slope.c (bench_encrypt_init): Use double size key for SIV mode.
  (bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
  (bench_aead_authenticate_do_bench): Reset cipher context on each run.
  (bench_aead_authenticate_do_bench): Support nonce-less operation.
  (bench_siv_encrypt_do_bench, bench_siv_decrypt_do_bench)
  (bench_siv_authenticate_do_bench, siv_encrypt_ops)
  (siv_decrypt_ops, siv_authenticate_ops): New.
  (cipher_modes): Add SIV mode benchmarks.
  (cipher_bench_one): Restrict SIV mode testing to 16 byte block-size.
  --
  GnuPG-bug-id: T4486
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* cipher: Use offsetof for allocation of gcry_md_context. (NIIBE Yutaka, 2021-08-23; 1 file changed, -6/+8)
  * cipher/md.c (md_open): Allocate exact space for the allocation and use offsetof for the calculation.
  --
  Also, use hd->buf to get the pointer for CTX, so that the compiler can detect it's a flexible array (for GCC 11).
  GnuPG-bug-id: 5556
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* hmac: Don't have the second implementation of hmac256. (NIIBE Yutaka, 2021-08-19; 1 file changed, -29/+0)
  * src/Makefile.am (libgcrypt_la_SOURCES): Remove hmac256.
  * cipher/mac-hmac.c (selftests_sha256): Remove the tests.
  --
  GnuPG-bug-id: 5550
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Fix the order of fields of gcry_md_context. (NIIBE Yutaka, 2021-08-18; 1 file changed, -2/+2)
  * cipher/md.c (struct gcry_md_context): Fix for better memory usage.
  --
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dsa: Drop dead code (Jakub Jelen, 2021-08-17; 1 file changed, -8/+0)
  * cipher/dsa.c (generate): This function is never called in FIPS mode
  --
  Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* rsa: Do not allow 1024 RSA keys in FIPS mode (Jakub Jelen, 2021-08-17; 1 file changed, -9/+1)
  Previously, the condition was in generate_std, which is never called in FIPS mode.
  * cipher/rsa.c (generate_std): Remove dead code as FIPS is using 'generate_fips'
  (generate_fips): Do not allow 1024 bit key generation
  --
  Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher: Raise an error for non-approved digests correctly. (NIIBE Yutaka, 2021-08-16; 1 file changed, -9/+1)
  * cipher/md.c (md_enable): Remove check if it's enforced or not.
  --
  GnuPG-bug-id: 5244
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Do not use non-approved digests in FIPS mode (Jakub Jelen, 2021-07-29; 1 file changed, -4/+5)
  * cipher/md.c (md_enable): Block all non-approved digest algorithms, not only MD5, and do not drop from FIPS mode if not enforced.
  --
  Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* mac: Disable AES GMAC in FIPS mode (Jakub Jelen, 2021-07-29; 1 file changed, -1/+1)
  * cipher/mac-gmac.c (_gcry_mac_type_spec_gmac_aes): Remove FIPS flag
  --
  GMAC does not work in FIPS mode until libgcrypt has an internal IV generator.
  Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* cipher: Support internal hashing for DSA and ECDSA signing. (NIIBE Yutaka, 2021-07-29; 7 files changed, -32/+189)
  * cipher/dsa-common.c (_gcry_dsa_compute_hash): New.
  * cipher/pubkey-internal.h (_gcry_dsa_compute_hash): New.
  * cipher/dsa.c (verify): Add FLAGS and HASHALGO.
  (test_keys): Follow the change of verify API.
  (sign, verify): Support PUBKEY_FLAG_PREHASH flag to hash internally.
  (selftest_sign): Test with "prehash" flag.
  * cipher/ecc-common.h (_gcry_ecc_ecdsa_verify): Add FLAGS and HASHALGO.
  * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Support PUBKEY_FLAG_PREHASH flag to hash internally.
  (_gcry_ecc_ecdsa_verify): Likewise.
  * cipher/ecc.c (test_keys): Follow the change of _gcry_ecc_ecdsa_verify API.
  (selftest_sign): Test with "prehash" flag.
  * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support handling of "hash-algo" and "value" with "prehash" flag.
  --
  GnuPG-bug-id: 5530
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Support internal hashing for RSA-PSS. (NIIBE Yutaka, 2021-07-23; 1 file changed, -102/+160)
  * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support "hash-algo" with "value" for internal hashing with RSA-PSS.
  * tests/basic.c (check_pubkey_sign): Add test cases.
  --
  GnuPG-bug-id: 5529
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Extend RSA-PSS internal function for verify, too. (NIIBE Yutaka, 2021-07-23; 4 files changed, -17/+42)
  * cipher/pubkey-internal.h (_gcry_rsa_pss_verify): Support internal hashing.
  * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Use opaque MPI for RSA-PSS.
  * cipher/rsa-common.c (_gcry_rsa_pss_verify): Support internal hashing.
  * cipher/rsa.c (rsa_verify): Allow opaque MPI for RSA-PSS.
  --
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Extend RSA-PSS internal function. (NIIBE Yutaka, 2021-07-23; 3 files changed, -15/+39)
  * cipher/pubkey-internal.h (_gcry_rsa_pss_encode): Change the API.
  * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Follow the change.
  * cipher/rsa-common.c (_gcry_rsa_pss_encode): Support internal hashing.
  --
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Check by caller instead, not by callee for RSA-PSS. (NIIBE Yutaka, 2021-07-23; 3 files changed, -23/+13)
  * cipher/pubkey-internal.h (_gcry_rsa_pss_encode): Change the API.
  * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Before the call to _gcry_rsa_pss_encode, check the condition here, raise GPG_ERR_INV_ARG if it's not good.
  * cipher/rsa-common.c (_gcry_rsa_pss_encode): No check inside.
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* rijndael-s390x: fix UBSAN warning on using index beyond end of array (Jussi Kivilinna, 2021-07-05; 1 file changed, -6/+17)
  * cipher/rijndael-s390x.c (aes_s390x_ocb_get_l): New.
  (aes_s390x_ocb_enc, aes_s390x_ocb_dec, aes_s390x_ocb_auth): Use 'aes_s390x_ocb_get_l'.
  --
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* ec: add zSeries/s390x accelerated scalar multiplication (Jussi Kivilinna, 2021-07-02; 1 file changed, -0/+48)
  * cipher/asm-inline-s390x.h (PCC_FUNCTION_*): New.
  (pcc_query, pcc_scalar_multiply): New.
  * mpi/Makefile.am: Add 'ec-hw-s390x.c'.
  * mpi/ec-hw-s390x.c: New.
  * mpi/ec-internal.h (_gcry_s390x_ec_hw_mul_point)
  (mpi_ec_hw_mul_point): New.
  * mpi/ec.c (_gcry_mpi_ec_mul_point): Call 'mpi_ec_hw_mul_point'.
  * src/g10lib.h (HWF_S390X_MSA_9): New.
  * src/hwf-s390x.c (s390x_features): Add MSA9.
  * src/hwfeatures.c (hwflist): Add 's390x-msa-9'.
  --
  Patch adds ECC scalar multiplication acceleration using s390x's PCC instruction. The following curves are supported:
  - Ed25519
  - Ed448
  - X25519
  - X448
  - NIST curves P-256, P-384 and P-521

  Benchmark on z15 (5.2Ghz):

  Before:
   Ed25519     | nanosecs/iter  cycles/iter
    mult       |        389791      2026916
    keygen     |        572017      2974487
    sign       |        636603      3310336
    verify     |       1189097      6183305
   =
   X25519      | nanosecs/iter  cycles/iter
    mult       |        296805      1543385
   =
   Ed448       | nanosecs/iter  cycles/iter
    mult       |       1693373      8805541
    keygen     |       2382473     12388858
    sign       |       2609562     13569725
    verify     |       5177606     26923552
   =
   X448        | nanosecs/iter  cycles/iter
    mult       |       1136178      5908127
   =
   NIST-P256   | nanosecs/iter  cycles/iter
    mult       |        792620      4121625
    keygen     |       4627835     24064740
    sign       |       1528268      7946991
    verify     |       1678205      8726664
   =
   NIST-P384   | nanosecs/iter  cycles/iter
    mult       |       1766418      9185373
    keygen     |      10158485     52824123
    sign       |       3341172     17374095
    verify     |       3694750     19212700
   =
   NIST-P521   | nanosecs/iter  cycles/iter
    mult       |       3172566     16497346
    keygen     |      18184747     94560683
    sign       |       6039956     31407771
    verify     |       6480882     33700588

  After:
   Ed25519     | nanosecs/iter  cycles/iter  speed-up
    mult       |         25913       134746       15x
    keygen     |         44447       231124       12x
    sign       |        106928       556028        6x
    verify     |        164681       856341        7x
   =
   X25519      | nanosecs/iter  cycles/iter  speed-up
    mult       |         17761        92358       16x
   =
   Ed448       | nanosecs/iter  cycles/iter  speed-up
    mult       |         50808       264199       33x
    keygen     |         68644       356951       34x
    sign       |        317446      1650720        8x
    verify     |        457115      2376997       11x
   =
   X448        | nanosecs/iter  cycles/iter  speed-up
    mult       |         35637       185313       31x
   =
   NIST-P256   | nanosecs/iter  cycles/iter  speed-up
    mult       |         30678       159528       25x
    keygen     |        323722      1683356       14x
    sign       |        114176       593713       13x
    verify     |        169901       883487        9x
   =
   NIST-P384   | nanosecs/iter  cycles/iter  speed-up
    mult       |         59966       311822       29x
    keygen     |        607778      3160445       16x
    sign       |        209832      1091128       16x
    verify     |        329506      1713431       11x
   =
   NIST-P521   | nanosecs/iter  cycles/iter  speed-up
    mult       |         98230       510797       32x
    keygen     |       1131686      5884765       16x
    sign       |        397777      2068442       15x
    verify     |        623076      3239998       10x

  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* ecc: Fix bug in gcry_pk_get_param for Curve25519. (Werner Koch, 2021-06-17; 2 files changed, -22/+5)
  * cipher/ecc-curves.c (_gcry_ecc_get_param_sexp): Simplify.
  * cipher/pubkey.c (map_algo): Also map EDDSA to ECC.
  * tests/curves.c (check_get_params): Add simple param lookup tests for all curves.
  --
  There is no actual need to compute affine coordinates given that we already got them in the curve parameter table. Thus most code could be removed and thus won't run into the problem of getting a Y coordinate for a Montgomery curve.

  EDDSA was not mapped to ECC: The map function was written a year before EDDSA and I obviously forgot to add it.

  GnuPG-bug-id: 5490
  Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher: Extend convenience OID mapping table for AES. (Werner Koch, 2021-06-02; 1 file changed, -0/+6)
  * cipher/rijndael.c: Add OIDs for GCM and CCM.
  Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher: Fix ElGamal encryption for other implementations. (NIIBE Yutaka, 2021-05-26; 1 file changed, -18/+6)
  * cipher/elgamal.c (gen_k): Remove support of smaller K.
  (do_encrypt): Never use smaller K.
  (sign): Follow the change of gen_k.
  --
  This change basically reverts encryption changes in two commits:
    74386120dad6b3da62db37f7044267c8ef34689b
    78531373a342aeb847950f404343a05e36022065

  Use of smaller K for the ephemeral key in ElGamal encryption is only good when we can guarantee that the recipient's key is generated by our implementation (or compatible).

  For detail, please see: Luca De Feo, Bertram Poettering, Alessandro Sorniotti, "On the (in)security of ElGamal in OpenPGP"; in the proceedings of CCS'2021.

  CVE-id: CVE-2021-33560
  GnuPG-bug-id: 5328
  Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Fix memory leaks for EdDSA. (Tianjia Zhang, 2021-05-17; 1 file changed, -6/+2)
  * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Initialize point Q when used.
  --
  Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
* Always include <config.h> in cipher assembly codes (H.J. Lu, 2021-05-17; 1 file changed, -1/+1)
  * cipher/poly1305-s390x.S: Always include <config.h>.
  --
  When Intel CET is enabled, we need to include <cet.h> in assembly codes to mark Intel CET support even if it is empty. We should always include <config.h> in cipher assembly codes so that they will be marked for Intel CET support when compiling for x86-64 and i686.
  Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
* ecc: Fix the input length check for Montgomery curve. (NIIBE Yutaka, 2021-05-06; 1 file changed, -1/+1)
  * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition.
  --
  Fixes-commit: 060c378c050e7ec6206358c681a313d6e1967dcf
  GnuPG-bug-id: 5423
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* ecc: Check the input length for the point. (NIIBE Yutaka, 2021-04-27; 1 file changed, -1/+8)
  * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length of valid point representation.
  --
  In the use case of GnuPG, ECDH decryption for an anonymous recipient may try to decrypt with different curves. When the input data of the ephemeral key does not match one of the private key, it should return GPG_ERR_INV_OBJ.
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* keccak: add hash_buffers functions for SHAKE128 & SHAKE256 (Jussi Kivilinna, 2021-04-26; 1 file changed, -2/+18)
  * cipher/keccak.c (_gcry_shake128_hash_buffers)
  (_gcry_shake256_hash_buffers): New.
  (_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): Add hash_buffers pointer.
  --
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* hash_buffers: add output length param for XOF support (Jussi Kivilinna, 2021-04-26; 8 files changed, -30/+62)
  * src/cipher-proto.h (gcry_md_hash_buffers_t): Add nbytes parameter for outbuf size for XOF algorithms.
  * cipher/md.c (_gcry_md_hash_buffer)
  (_gcry_md_hash_buffers_extract): Adjust for spec->hash_buffers parameter change.
  * cipher/keccak.c (_gcry_sha3_hash_buffers): Add nbytes parameter and handling for XOF output.
  * cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Add nbytes parameter for hash_buffers.
  * cipher/rmd160.c (_gcry_rmd160_hash_buffers): Add nbytes parameter.
  * cipher/sha1.c (_gcry_sha1_hash_buffers): Add nbytes parameter.
  (_gcry_sha1_hash_buffer): Pass nbytes to _gcry_sha1_hash_buffers.
  * cipher/sha256.c (_gcry_sha256_hash_buffers)
  (_gcry_sha224_hash_buffers): Add nbytes parameter.
  * cipher/sha512.c (_gcry_sha512_hash_buffers)
  (_gcry_sha384_hash_buffers, _gcry_sha512_256_hash_buffers)
  (_gcry_sha512_224_hash_buffers): Add nbytes parameter.
  * cipher/sm3.c (_gcry_sm3_hash_buffers): Add nbytes parameter.
  --
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* md: remove hash_buffer function from algorithms (Jussi Kivilinna, 2021-04-26; 16 files changed, -212/+56)
  * cipher/md.c (_gcry_md_hash_buffer): Remove use of 'spec->hash_buffer'.
  * cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Remove *_hash_buffer.
  * cipher/crc.c: Remove spec hash_buffer NULL pointers.
  * cipher/gostr3411-94.c: Remove spec hash_buffer NULL pointers.
  * cipher/keccak.c (_gcry_sha3_hash_buffer)
  (_gcry_sha3_224_hash_buffer, _gcry_sha3_256_hash_buffer): Remove.
  (_gcry_sha3_384_hash_buffer, _gcry_sha3_512_hash_buffer): Remove.
  * cipher/md2.c: Remove spec hash_buffer NULL pointers.
  * cipher/md4.c: Remove spec hash_buffer NULL pointers.
  * cipher/md5.c: Remove spec hash_buffer NULL pointers.
  * cipher/rmd160.c (_gcry_rmd160_hash_buffer): Remove.
  * cipher/sha1.c (_gcry_sha1_hash_buffer): Rewrite using _gcry_sha1_hash_buffers.
  (_gcry_sha1_hash_buffers): Make static.
  (_gcry_digest_spec_sha1): Remove hash_buffer pointer.
  * cipher/sha256.c (_gcry_sha256_hash_buffer)
  (_gcry_sha224_hash_buffer): Remove.
  (_gcry_sha256_hash_buffers): Make static.
  * cipher/sha512.c (_gcry_sha512_hash_buffer)
  (_gcry_sha384_hash_buffer, _gcry_sha512_256_hash_buffer)
  (_gcry_sha512_224_hash_buffer): Remove.
  (_gcry_sha512_hash_buffers): Make static.
  * cipher/sm3.c (_gcry_sm3_hash_buffer): Remove.
  (_gcry_sm3_hash_buffers): Make static.
  * cipher/stribog.c: Remove spec hash_buffer NULL pointers.
  * cipher/tiger.c: Remove spec hash_buffer NULL pointers.
  * cipher/whirlpool.c: Remove spec hash_buffer NULL pointers.
  * src/cipher-proto.h (gcry_md_hash_buffer_t): Remove.
  (gcry_md_spec_t): Remove 'hash_buffer'.
  * src/cipher.h (_gcry_rmd160_hash_buffer, _gcry_sha1_hash_buffers)
  (_gcry_sha256_hash_buffer, _gcry_sha256_hash_buffers)
  (_gcry_sha512_hash_buffer, _gcry_sha512_hash_buffers)
  (_gcry_sm3_hash_buffer, _gcry_sm3_hash_buffers): Remove.
  --
  Patch removes hash_buffer functions and uses hash_buffers instead for code deduplication.
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* Add XOF output support for internal _gcry_md_hash_buffers (Jussi Kivilinna, 2021-04-26; 2 files changed, -283/+208)
  * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d, _gcry_ecc_eddsa_sign)
  (_gcry_ecc_eddsa_verify): Use same _gcry_md_hash_buffers_extract code path for SHA512 and SHAKE256.
  * cipher/md.c (_gcry_md_hash_buffers): Rename to ...
  (_gcry_md_hash_buffers_extract): ... this; Add digestlen and handling for XOF algorithms (SHAKE128, SHAKE256).
  (_gcry_md_hash_buffers): New.
  * src/gcrypt-int.h (_gcry_md_hash_buffers_extract): New.
  --
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* cipher: Fix memory leaks for EdDSA. (NIIBE Yutaka, 2021-04-15; 1 file changed, -6/+9)
  * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Free the point Q.
  (_gcry_ecc_eddsa_verify): Avoid memory leaks for points and MPIs.
  --
  GnuPG-bug-id: 5385
  Co-authored-by: Jakub Jelen <jjelen@redhat.com>
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Hardening ElGamal by introducing exponent blinding too. (NIIBE Yutaka, 2021-04-13; 1 file changed, -3/+17)
  * cipher/elgamal.c (do_encrypt): Also do exponent blinding.
  --
  Base blinding had been introduced with USE_BLINDING. This patch adds exponent blinding as well to mitigate side-channel attacks on mpi_powm.
  GnuPG-bug-id: 5328
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher: Return GPG_ERR_INV_KEYLEN when wrong key length. (NIIBE Yutaka, 2021-04-02; 3 files changed, -3/+12)
  * cipher/idea.c (do_setkey): Return GPG_ERR_INV_KEYLEN.
  * cipher/rfc2268.c (setkey_core): Likewise.
  * cipher/serpent.c (serpent_setkey_internal): Likewise.
  (serpent_setkey): Likewise.
  --
  Reported-by: Guido Vranken <guidovranken@gmail.com>
  Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cipher-gcm-ppc: add big-endian support (Jussi Kivilinna, 2021-04-01; 3 files changed, -24/+31)
  * cipher/cipher-gcm-ppc.c (ALIGNED_16): New.
  (vec_store_he, vec_load_he): Remove WORDS_BIGENDIAN ifdef.
  (vec_dup_byte_elem): New.
  (_gcry_ghash_setup_ppc_vpmsum): Match function declaration with prototype in cipher-gcm.c; Load C2 with VEC_LOAD_BE; Use vec_dup_byte_elem; Align constants to 16 bytes.
  (_gcry_ghash_ppc_vpmsum): Match function declaration with prototype in cipher-gcm.c; Align constant to 16 bytes.
  * cipher/cipher-gcm.c (ghash_ppc_vpmsum): Return value from _gcry_ghash_ppc_vpmsum.
  * cipher/cipher-internal.h (GCM_USE_PPC_VPMSUM): Remove requirement for !WORDS_BIGENDIAN.
  --
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* rijndael-s390x: fix checksum calculation in OCB decryption (Jussi Kivilinna, 2021-03-25; 1 file changed, -3/+3)
  * cipher/rijndael-s390x.c (aes_s390x_ocb_dec): Calculate checksum after decryption instead of inlining.
  --
  OCB decryption was missing checksum inlining in 64 block loop.
  GnuPG-bug-id: T5356
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* ecc: Fix keygrip computation for compressed points. (Werner Koch, 2021-03-24; 3 files changed, -19/+128)
  * cipher/ecc-misc.c (_gcry_ecc_ec2os): Factor most code out to ...
  (_gcry_ecc_ec2os_buf): new.
  * cipher/ecc.c (compute_keygrip): Handle compressed keys.
  * tests/keygrip.c: Add new tests.
  --
  It is important to get the keygrips right even if we do not have full support for compressed points. Case in point is that I got a smartcard which returns the key in compressed format. We need to early compute the keygrip and use it before doing any computation.

  The code has been lifted from _gcry_ecc_sec_decodepoint. We should factor parts of the code out to a new function.

  GnuPG-bug-id: 4961
  Signed-off-by: Werner Koch <wk@gnupg.org>
* Compile arch specific GCM implementations only on target arch (Jussi Kivilinna, 2021-03-07; 1 file changed, -3/+3)
  * cipher/Makefile.am: Move arch specific 'cipher-gcm-*.[cS]' files from libcipher_la_SOURCES to EXTRA_libcipher_la_SOURCES.
  * configure.ac: Add 'cipher-gcm-intel-pclmul.lo' and 'cipher-gcm-arm*.lo'.
  --
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* cipher-gcm-ppc: tweak for better performance (Jussi Kivilinna, 2021-03-07; 1 file changed, -151/+185)
  * cipher/cipher-gcm-ppc.c (asm_xor, asm_mergelo, asm_mergehi)
  (vec_be_swap, vec_load_he, vec_store_he): New.
  (vec_load_be, vec_perm2, vec_aligned_st, vec_aligned_ld): Remove.
  (asm_vpmsumd, asm_swap_u64, vec_perm2, asm_rot_block_left)
  (asm_rot_block_right, asm_ashl_128, vec_aligned_ld)
  (_gcry_ghash_setup_ppc_vpmsum): Update 'bswap_const'.
  (_gcry_ghash_ppc_vpmsum): Update 'bswap_const'; Use 'asm_mergehi' and 'asm_mergelo' instead of vec_perm2; Use 'asm_xor' for fast path to enforce instruction ordering; Use 'vec_load_he' and 'vec_be_swap' for big-endian loads.
  --
  Benchmark on POWER8 (3700Mhz):

  Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
    GMAC_AES    |     0.169 ns/B      5647 MiB/s     0.625 c/B

  After (~13% faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
    GMAC_AES    |     0.149 ns/B      6385 MiB/s     0.553 c/B

  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* VPMSUMD acceleration for GCM mode on PPC (Shawn Landden, 2021-03-07; 4 files changed, -4/+562)
  * cipher/Makefile.am: Add 'cipher-gcm-ppc.c'.
  * cipher/cipher-gcm-ppc.c: New.
  * cipher/cipher-gcm.c [GCM_USE_PPC_VPMSUM] (_gcry_ghash_setup_ppc_vpmsum)
  (_gcry_ghash_ppc_vpmsum, ghash_setup_ppc_vpsum, ghash_ppc_vpmsum): New.
  (setupM) [GCM_USE_PPC_VPMSUM]: Select ppc-vpmsum implementation if HW feature "ppc-vcrypto" is available.
  * cipher/cipher-internal.h (GCM_USE_PPC_VPMSUM): New.
  (gcry_cipher_handle): Move 'ghash_fn' at end of 'gcm' block to align 'gcm_table' to 16 bytes.
  * configure.ac: Add 'cipher-gcm-ppc.lo'.
  * tests/basic.c (_check_gcm_cipher): New AES256 test vector.
  * AUTHORS: Add 'CRYPTOGAMS'.
  * LICENSES: Add original license to 3-clause-BSD section.
  --
  https://dev.gnupg.org/D501: 10-20X speed. However this Power 9 machine is faster than the last Power 9 benchmarks on the optimized versions, so while better than the last patch, it is not all due to the code.

  Before:
    GCM enc   |      4.23 ns/B     225.3 MiB/s         - c/B
    GCM dec   |      3.58 ns/B     266.2 MiB/s         - c/B
    GCM auth  |      3.34 ns/B     285.3 MiB/s         - c/B

  After:
    GCM enc   |     0.370 ns/B      2578 MiB/s         - c/B
    GCM dec   |     0.371 ns/B      2571 MiB/s         - c/B
    GCM auth  |     0.159 ns/B      6003 MiB/s         - c/B

  Signed-off-by: Shawn Landden <shawn@git.icu>
  [jk: coding style fixes, Makefile.am integration, patch from Differential to git, commit changelog, fixed few compiler warnings]
  GnuPG-bug-id: 5040
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* poly1305: make --disable-asm work on x86, aarch64 and ppc (Jussi Kivilinna, 2021-03-03; 1 file changed, -4/+4)
  * cipher/poly1305.c [__aarch64__] (ADD_1305_64): Check for HAVE_CPU_ARCH_ARM.
  [__x86_64__] (ADD_1305_64): Check for HAVE_CPU_ARCH_X86.
  [__powerpc__] (ADD_1305_64): Check for HAVE_CPU_ARCH_PPC.
  [__i386__] (ADD_1305_32): Check for HAVE_CPU_ARCH_X86.
  --
  Reported-by: Horst Wente <horst.wente@posteo.de>
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* poly1305: fix compiling on i386 gcc-4.7 (Jussi Kivilinna, 2021-03-03; 1 file changed, -1/+2)
  * cipher/poly1305.c [__i386__]: Limit i386 variant of ADD_1305_32 to GCC-5 or newer.
  --
  Reported-by: Horst Wente <horst.wente@posteo.de>
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* cipher-gcm-intel-pclmul: fix compiling with i386 gcc-4.7 (Jussi Kivilinna, 2021-03-03; 1 file changed, -1/+1)
  * cipher/cipher-gcm-intel-pclmul.c (gcm_lsh): Pass '*pconst' instead of 'pconst' to asm block.
  --
  Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>