Age | Commit message (Collapse) | Author | Files | Lines |
|
* random-fips.c: Remove.
--
The ANSI X9.31 DRNG is removed as it is completely replaced with the
SP800-90A DRBG.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
* src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
* tests/random.c (check_drbg_reinit): New.
(main): Call new test.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
(_drbg_init_internal): Set the default type if no type has been set
before.
(_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.
--
Without this change we can't call GCRYCTL_DRBG_REINIT before
initialization.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/gcrypt-testapi.h: New.
* src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
* random/random.h: Include gcrypt-testapi.h.
(struct gcry_drbg_test_vector): Move to gcrypt-testapi.h.
* src/global.c: Include gcrypt-testapi.h.
(_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61.
* cipher/cipher.c: Include gcrypt-testapi.h.
(_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62.
* tests/fipsdrv.c: Include gcrypt-testapi.h. Remove definition of
PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_
constants.
* tests/t-lock.c: Include gcrypt-testapi.h. Remove
PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants.
* random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ...
(_gcry_rngdrbg_cavs_test): this.
(gcry_rngdrbg_healthcheck_one): Rename to ...
(_gcry_rngdrbg_healthcheck_one): this.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
"flagstr" and turn it into a string.
* random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
designated initializers. Use a string for the flags.
(gcry_rngdrbg_cavs_test): Parse the flag string into a flag value.
(drbg_healthcheck_sanity): Ditto.
--
Libgcrypt needs to be build-able on C-90 only systems and thus we
can't use C-99 designated initializers. Because we have removed the
flag macros from the API we should not use them in the CAVS test code
either. Thus they are replaced by the flag string which also tests
the flag string parser.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* random/random-drbg.c: Rename all static objects and macros from
"gcry_drbg" to "drbg".
(drbg_string_t): New typedef.
(drbg_gen_t): New typedef.
(drbg_state_t): New typedef. Replace all "struct drbg_state_s *" by
this.
(_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so
that an error is actually returned.
(gcry_rngdrbg_cavs_test): Ditto.
(gcry_drbg_healthcheck_sanity): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* random/random-drbg.c: Rename global functions from _gcry_drbg_*
to _gcry_rngdrbg_*.
* random/random.c: Adjust for this change.
* src/global.c: Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* random/drbg.c: Rename to ...
* random/random-drbg.c: this.
* random/Makefile.am (librandom_la_SOURCES): Adjust accordingly.
--
We should stick to our name conventions.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c.
(struct gcry_drbg_string): Ditto.
(gcry_drbg_string_fill): Ditto.
(gcry_randomize_drbg): Remove.
* random/drbg.c (parse_flag_string): New.
(_gcry_drbg_reinit): Change the way the arguments are passed.
* src/global.c (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: Change calling
convention.
--
It does not make sense to extend the API for a somewhat questionable
feature. For GCRYCTL_DRBG_REINIT we change to use a string with flags
and libgcrypt's native buffer data structure.
NB: GCRYCTL_DRBG_REINIT has not been tested!
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/misc.c (_gcry_strtokenize): New.
--
The code has been taken from GnuPG and re-licensed to LGPLv2+ by me as
its original author. Minor changes for use in Libgcrypt.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ...
* random/drbg.c: here.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* random/drbg.c: New.
* random/random.c (_gcry_random_initialize): Replace rngfips init by
drbg init.
(__gcry_random_close_fds): Likewise.
(_gcry_random_dump_stats): Likewise.
(_gcry_random_is_faked): Likewise.
(do_randomize): Likewise.
(_gcry_random_selftest): Likewise.
(_gcry_create_nonce): Replace rngfips_create_noce by drbg_randomize.
(_gcry_random_init_external_test): Remove.
(_gcry_random_run_external_test): Remove.
(_gcry_random_deinit_external_test): Remove.
* random/random.h (struct gcry_drbg_test_vector): New.
* src/gcrypt.h.in (struct gcry_drbg_gen): New.
(struct gcry_drbg_string): New.
(gcry_drbg_string_fill): New.
(gcry_randomize_drbg): New.
(GCRY_DRBG_): Lots of new macros.
* src/global.c (_gcry_vcontrol) <Init external random test>: Turn into
a nop.
(_gcry_vcontrol) <Deinit external random test>: Ditto.
(_gcry_vcontrol) <Run external random test>: Change.
(_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: New.
--
This patch set adds the SP800-90A DRBG for AES128, AES192, AES256 with
derivation function, SHA-1 through SHA-512 with derivation function,
HMAC SHA-1 through HMAC SHA-512. All DRBGs are provided with and without
prediction resistance. In addition, all DRBGs allow reseeding by the
caller.
The default DRBG is HMAC SHA-256 without prediction resistance.
The caller may re-initialize the DRBG with the control
GCRYCTL_DRBG_REINIT:
The patch replaces the invocation of the existing ANSI X9.31 DRNG. This
covers the control calls 58 through 60. Control calls 58 and 60 are
simply deactivated. Control 59 is replaced with the DRBG CAVS test
interface.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
ChangeLog entries added by -wk
|
|
* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for
__powerpc__ and __powerpc64__.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
--
Add license and copyright statement for cipher/arcfour-amd64.S (public
domain) and cipher/cipher-ocb.c (OCB license 1)
|
|
* cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
* cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory.
* mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Together with 88e1358962e902ff1cbec8d53ba3eee46407851a, it
could be an effective countermeasure to some chosen ciphertext
attacks.
CVE-id: CVE-2015-7511
Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran
Tromer. http://www.cs.tau.ac.IL/~tromer/ecdh/
|
|
* cipher/ecc.c (ecc_decrypt_raw): Validate the point.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(forward port from LIBGCRYPT-1-6-BRANCH
commit 28eb424e4427b320ec1c9c4ce56af25d495230bd)
|
|
* cipher/Makefile.am: Add 'sha512-arm.S'.
* cipher/sha512-arm.S: New.
* cipher/sha512.c (USE_ARM_ASM): New.
(_gcry_sha512_transform_arm): New.
(transform) [USE_ARM_ASM]: Use ARM assembly implementation instead of
generic.
* configure.ac: Add 'sha512-arm.lo'.
--
Benchmark on Cortex-A8 (armv6, 1008 MHz):
Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA512         |     112.0 ns/B     8.52 MiB/s     112.9 c/B
After (3.3x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA512         |     34.01 ns/B    28.04 MiB/s     34.28 c/B
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* tests/Makefile.am (tests_bin): Add t-cv25519.
* tests/t-cv25519.c: New.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for
short length data.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
prefix. Clear the MSB, according to RFC7748.
--
This change fixes two things.
* Handle the case where the prefix 0x40 comes at the end when scanned as
a standard MPI.
* Implement MSB handling. On page 7 of RFC7748, it says about
decoding the u-coordinate:
When receiving such an array, implementations of X25519 (but not
X448) MUST mask the most significant bit in the final byte.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
and prefix detection.
* cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
(ecc_encrypt_raw): Use NBITS from curve instead of from P.
Fix rawmpilen calculation.
(ecc_decrypt_raw): Likewise. Add debug output.
--
This fixes the commit dd3d06e7. NBITS is defined as 256 in ecc-curves.c;
thus ecc_get_nbits returns 256. But CTX->NBITS has 255 for the Montgomery
curve.
|
|
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* cipher/sha256.c (R): Let caller do variable shuffling.
(Chro, Maj, Sum0, Sum1): Convert from inline functions to macros.
(W, I): New.
(transform_blk): Unroll round loop; inline message expansion to rounds
to make message expansion buffer smaller.
--
Benchmark on Cortex-A8 (armv6, 1008 MHz):
Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |     27.63 ns/B     34.52 MiB/s     27.85 c/B
After (1.31x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |     20.97 ns/B     45.48 MiB/s     21.13 c/B
Benchmark on Cortex-A8 (armv7, 1008 MHz):
Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |     24.18 ns/B     39.43 MiB/s     24.38 c/B
After (1.13x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |     21.28 ns/B     44.82 MiB/s     21.45 c/B
Benchmark on Intel Core i5-4570 (i386, 3.2 GHz):
Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |      5.78 ns/B     164.9 MiB/s     18.51 c/B
After (1.06x faster):
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHA256         |      5.41 ns/B     176.1 MiB/s     17.33 c/B
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
--
Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/ec.c (_gcry_mpi_ec_decode_point): New.
* cipher/ecc-common.h: Move two prototypes to ...
* src/ec-context.h: here.
* src/gcrypt.h.in (gcry_mpi_ec_decode_point): New.
* src/libgcrypt.def (gcry_mpi_ec_decode_point): New.
* src/libgcrypt.vers (gcry_mpi_ec_decode_point): New.
* src/visibility.c (gcry_mpi_ec_decode_point): New.
* src/visibility.h: Add new function.
--
This new function makes the use of the gcry_mpi_ec_curve_point function
possible in many contexts. Here is a code snippet which could be used
in gpg to check a point:

static gpg_error_t
check_point (PKT_public_key *pk, gcry_mpi_t m_point)
{
  gpg_error_t err;
  char *curve;
  gcry_ctx_t gctx = NULL;
  gcry_mpi_point_t point = NULL;

  /* Get the curve name from the first OpenPGP key parameter. */
  curve = openpgp_oid_to_str (pk->pkey[0]);
  if (!curve)
    {
      err = gpg_error_from_syserror ();
      goto leave;
    }
  point = gcry_mpi_point_new (0);
  if (!point)
    {
      err = gpg_error_from_syserror ();
      goto leave;
    }
  err = gcry_mpi_ec_new (&gctx, NULL, curve);
  if (err)
    goto leave;
  err = gcry_mpi_ec_decode_point (point, m_point, gctx);
  if (err)
    goto leave;
  if (!gcry_mpi_ec_curve_point (point, gctx))
    err = gpg_error (GPG_ERR_BAD_DATA);

 leave:
  gcry_ctx_release (gctx);
  gcry_mpi_point_release (point);
  xfree (curve);
  return err;
}
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules.
* random/rndegd.c (_gcry_rndegd_connect_socket)
(my_make_filename): Use functions with '_' prefix.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* random/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
(start_gatherer): Detect misbehaving sysconf.
--
See
GnuPG-bug-id: 1778
for the reason of this patch. There is no concrete bug report but this
change should not harm.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of
RDRAND from 50% to 25%.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
--
|
|
--
Signed-off-by: Justus Winter <justus@g10code.com>
|
|
* cipher/ecc.c (ecc_decrypt_raw): Improve error handling.
--
Found using the Clang Static Analyzer.
Signed-off-by: Justus Winter <justus@g10code.com>
|
|
* cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0.
--
Found using the Clang Static Analyzer.
Signed-off-by: Justus Winter <justus@g10code.com>
|
|
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with
the prefix 0x40, additional 0x00 by MPI handling, and shorter octets
by MPI normalization.
* cipher/ecc.c (ecc_generate, ecc_encrypt_raw, ecc_decrypt_raw):
Always add the prefix 0x40.
--
Curve25519's native little-endian point representation is not friendly
to the existing practice of OpenPGP code, where an MPI is assumed. MPI
handling might insert 0x00 at the beginning to avoid sign confusion.
MPI handling also might remove 0x00s at the front. So, it is safe
to put the prefix 0x40.
While we support the old point representation with no prefix in
ecc_mont_decodepoint, new libgcrypt always puts the prefix.
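Decoding the u-coordinate octets along the lines described in this commit and in the earlier ecc_mont_decodepoint commit (the 0x40 prefix, an extra 0x00 from MPI sign handling, leading octets dropped by MPI normalization, and the RFC 7748 MSB mask), as an added C example that is not libgcrypt's own code: the function, its byte-level rules and the selfcheck input are assumptions constructed from the commit messages.

```c
#include <stdint.h>
#include <string.h>
#define MONT_BYTES 32
/* Decode the octets of an OpenPGP Curve25519 point MPI into the 32-byte LE
   u-coordinate; 0 on success, -1 if malformed.  Example, not libgcrypt code. */
int
mont_decode_point (const uint8_t *in, size_t inlen, uint8_t out[MONT_BYTES])
{
  if (inlen > MONT_BYTES && in[0] == 0x00)  /* 0x00 from MPI sign handling */
    { in++; inlen--; }
  if (inlen == MONT_BYTES + 1)              /* new format: 0x40 || 32 octets */
    {
      if (in[0] != 0x40)
        return -1;
      in++; inlen--;
    }
  else if (inlen > MONT_BYTES)
    return -1;
  /* Old format without prefix: restore leading 0x00 octets that MPI
     normalization may have dropped; 32 octets pass through unchanged.  */
  memset (out, 0, MONT_BYTES);
  memcpy (out + (MONT_BYTES - inlen), in, inlen);
  /* RFC 7748: X25519 (but not X448) MUST mask the MSB of the final byte.  */
  out[MONT_BYTES - 1] &= 0x7f;
  return 0;
}
/* Runs the cases described above on constructed input; 1 if all pass.  */
int
mont_decode_selfcheck (void)
{
  uint8_t u[MONT_BYTES], enc[MONT_BYTES + 2], out[MONT_BYTES];
  for (size_t i = 0; i < MONT_BYTES; i++)
    u[i] = (uint8_t)(0x80 + i);         /* constructed u, MSB of u[31] set */
  /* 1. 0x40 || u: prefix removed and MSB of the last octet cleared.  */
  enc[0] = 0x40; memcpy (enc + 1, u, MONT_BYTES);
  if (mont_decode_point (enc, MONT_BYTES + 1, out) || memcmp (out, u, 31)
      || out[31] != (u[31] & 0x7f))
    return 0;
  /* 2. Same with an extra leading 0x00 from MPI sign handling.  */
  enc[0] = 0x00; enc[1] = 0x40; memcpy (enc + 2, u, MONT_BYTES);
  if (mont_decode_point (enc, MONT_BYTES + 2, out) || memcmp (out, u, 31))
    return 0;
  /* 3. Old format: 30 octets left after two leading 0x00s were dropped.  */
  if (mont_decode_point (u + 2, MONT_BYTES - 2, out) || out[0] || out[1]
      || memcmp (out + 2, u + 2, 29))
    return 0;
  /* 4. A 33-octet string not starting with 0x40 must be rejected.  */
  enc[0] = 0x41;
  return mont_decode_point (enc, MONT_BYTES + 1, out) == -1;
}
```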
|
|
* cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20
context structure.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20
context structure.
--
Reported-by: Carlos J Puga Medina <cpm@fbsd.es>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* random/random-csprng.c (faked_rng): Drop variable.
(gather_faked): Drop prototype and function.
(initialize): Drop fallback code.
(_gcry_rngcsprng_is_faked): Change accordingly.
--
The fake entropy gathering function is deemed too dangerous to be
used by accident, and is therefore removed.
This reverts commit 468a5796ffb1a7776db4004d534376c1b981d740.
Signed-off-by: Justus Winter <justus@g10code.com>
|
|
* random/random-csprng.c (getfnc_gather_random): Do return NULL if no
usable entropy gathering function is found. The callsite then
installs the fake gather function.
Signed-off-by: Justus Winter <justus@g10code.com>
|
|
* mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop.
|
|
* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
method for Weierstrass curve when SCALAR is secure.
|
|
* mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.
|
|
* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
the operator of !!, but assume SET/SWAP is 0 or 1.
--
If the code for !! included a branch, it would spoil the purpose of
mpi_set_cond/mpi_swap_cond entirely. It's better to make sure that this
function is called with 0 or 1 for SET/SWAP. Note that it conforms when
SET/SWAP is the result of a conditional expression of mpi_test_bit.
Reported-by: Taylor R Campbell.
|
|
* mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.
--
Reported-by: Taylor R Campbell.
|
|
* mpi/ec.c (point_resize, point_swap_cond): New.
(_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.
--
Thanks to Taylor R Campbell for the suggestion.
|
|
* cipher/cipher.c (_gcry_cipher_ctl): Fix error handling.
--
Found using the Clang Static Analyzer.
Signed-off-by: Justus Winter <justus@g10code.com>
|
|
* cipher/keccak_permute_32.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Track
rounds with round constant pointer instead of separate round counter.
* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Ditto.
(KECCAK_F1600_ABSORB_FUNC_NAME): Tweak lanes pointer increment for bulk
absorb loops.
--
Patch makes small tweaks to improve performance.
Benchmark on Intel Haswell @ 3.2 GHz:
Before:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHAKE128       |      2.27 ns/B     420.5 MiB/s      7.26 c/B
 SHAKE256       |      2.79 ns/B     341.4 MiB/s      8.94 c/B
 SHA3-224       |      2.64 ns/B     361.7 MiB/s      8.44 c/B
 SHA3-256       |      2.79 ns/B     341.4 MiB/s      8.94 c/B
 SHA3-384       |      3.65 ns/B     261.3 MiB/s     11.68 c/B
 SHA3-512       |      5.27 ns/B     181.0 MiB/s     16.86 c/B
After:
                |  nanosecs/byte   mebibytes/sec   cycles/byte
 SHAKE128       |      2.25 ns/B     423.5 MiB/s      7.21 c/B
 SHAKE256       |      2.77 ns/B     343.9 MiB/s      8.88 c/B
 SHA3-224       |      2.62 ns/B     364.1 MiB/s      8.38 c/B
 SHA3-256       |      2.77 ns/B     343.8 MiB/s      8.88 c/B
 SHA3-384       |      3.63 ns/B     262.6 MiB/s     11.63 c/B
 SHA3-512       |      5.23 ns/B     182.3 MiB/s     16.75 c/B
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* LICENSES: Remove 'Simple permissive' and 'IETF permissive' licenses
for 'cipher/crc.c' as result of rewrite of CRC implementations.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* cipher/cipher-ocb.c: Fix typos.
* cipher/des.c: Likewise.
* cipher/dsa-common.c: Likewise.
* cipher/ecc.c: Likewise.
* cipher/pubkey.c: Likewise.
* cipher/rsa-common.c: Likewise.
* cipher/scrypt.c: Likewise.
* random/random-csprng.c: Likewise.
* random/random-fips.c: Likewise.
* random/rndw32.c: Likewise.
* src/cipher-proto.h: Likewise.
* src/context.c: Likewise.
* src/fips.c: Likewise.
* src/gcrypt.h.in: Likewise.
* src/global.c: Likewise.
* src/sexp.c: Likewise.
* tests/mpitests.c: Likewise.
* tests/t-lock.c: Likewise.
Signed-off-by: Justus Winter <justus@g10code.com>
|