Age | Commit message (Collapse) | Author | Files | Lines |
|
* mpi/ec-ed25519.c: New but empty file.
* mpi/ec-internal.h: New.
* mpi/ec.c: Include ec-internal.h.
(ec_mod): New.
(ec_addm): Use ec_mod.
(ec_mulm): Remove commented code. Use ec_mod.
(ec_subm): Call simple sub.
(ec_pow2): Use ec_mulm.
(ec_mul2): New.
(dup_point_weierstrass): Use ec_mul2.
(dup_point_twistededwards): Add special case for a == -1. Use
ec_mul2.
(add_points_weierstrass): Use ec_mul2.
(add_points_twistededwards): Add special case for a == -1.
(_gcry_mpi_ec_curve_point): Ditto.
(ec_p_init): Add hack to test Barrett functions.
* src/ec-context.h (mpi_ec_ctx_s): Add P_BARRETT.
* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Fix sign problem.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/misc.c (count_closing_parens): New.
(_gcry_log_printsxp): Use new function.
* mpi/ec.c (_gcry_mpi_point_log): Take care of a NULL point.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* cipher/longlong.h [__i386__] (add_ssaaaa, sub_ddmmss)
(umul_ppmm, udiv_qrnnd): Do not cast asm output to USItype.
--
Clang defines __GNUC__ even when it's not GCC compatible. As result Clang
enables GCC-only assembly code in mpi/longlong.h and fails to build.
However, since changes to make libgcrypt build with Clang are smallish, and
changes do not cause problems with GCC, patch just does them.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* mpi/mpiutil.c (_gcry_mpi_set_opaque_copy): Change prototype.
(_gcry_mpi_get_opaque_copy): Take care of gcry_malloc failure.
|
|
* cipher/ecc-curves.c (_gcry_ecc_get_mpi): Support "q@eddsa".
(_gcry_ecc_set_mpi): Support "q".
* cipher/ecc.c (eddsa_encodepoint): Rename to ...
(_gcry_ecc_eddsa_encodepoint): this and make global. Remove arg
MINLEN and take from context.
(eddsa_decodepoint): Rename to
(_gcry_ecc_eddsa_decodepoint): this and make global. Remove arg LEN
and take from context.
(sign_eddsa, verify_eddsa): Take B from context.
(ecc_sign, ecc_verify): Add hack to set DIALECT.
(_gcry_pk_ecc_get_sexp): Use _gcry_ecc_compute_public. Handle EdDSA.
* src/ec-context.h (mpi_ec_ctx_s): Add field NBITS.
* mpi/ec.c (ec_p_init): Init NBITS.
* tests/t-mpi-point.c (test_curve): Add Ed25519.
(sample_ed25519_q): New.
(context_param): Check new sample key.
(hex2buffer, hex2mpiopa): New.
(cmp_mpihex): Take care of opaque MPIs.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/ec.c (point_copy): Move to cipher/ecc-curves.c.
(ec_get_reset): Rename to _gcry_mpi_ec_get_reset and make global.
(_gcry_mpi_ec_get_mpi): Factor most code out to _gcry_ecc_get_mpi.
(_gcry_mpi_ec_get_point): Factor most code out to _gcry_ecc_get_point.
(_gcry_mpi_ec_set_mpi): Factor most code out to _gcry_ecc_set_mpi.
(_gcry_mpi_ec_set_point): Factor most code out to _gcry_ecc_set_point.
* cipher/ecc-curves.c (_gcry_ecc_get_mpi): New.
(_gcry_ecc_get_point, _gcry_ecc_set_mpi, _gcry_ecc_set_point): New.
* cipher/ecc-misc.c (_gcry_ecc_compute_public): New.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/ec.c (ec_pow2): New.
(ec_powm): Remove call to mpi_abs.
(dup_point_weierstrass, dup_point_twistededwards)
(add_points_weierstrass, add_points_twistededwards)
(_gcry_mpi_ec_curve_point): Use ec_pow2.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* cipher/pubkey.c (pubkey_encrypt): Fold into gcry_pk_encrypt.
(pubkey_decrypt): Fold into gcry_pk_decrypt.
(pubkey_sign): Fold into gcry_pk_sign.
(pubkey_verify): Fold into gcry_pk_verify.
(octet_string_from_mpi): Make it a wrapper and factor code out to ...
* mpi/mpicoder.c (_gcry_mpi_to_octet_string): New function.
* src/cipher.h (PUBKEY_FLAG_FIXEDLEN): New.
* cipher/pubkey.c (sexp_data_to_mpi): Set flag for some encodings.
(gcry_pk_encrypt): Simply by moving the s-expr generation to the modules.
(gcry_pk_sign): Ditto.
* cipher/dsa.c (dsa_sign): Create s-expr.
* cipher/elgamal.c (elg_encrypt, elg_sign): Ditto.
* cipher/rsa.c (rsa_encrypt, rsa_sign): Ditto.
* cipher/ecc.c (ecc_sign, ecc_encrypt_raw): Ditto.
(ecdsa_names): Add "eddsa".
* tests/t-ed25519.c (one_test): Expect "eddsa" token.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/mpi.h (enum ecc_dialects): New.
* src/ec-context.h (mpi_ec_ctx_s): Add field DIALECT.
* cipher/ecc-common.h (elliptic_curve_t): Ditto.
* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
(domain_parms): Add dialect values.
(_gcry_ecc_fill_in_curve): Set dialect.
(_gcry_ecc_get_curve): Ditto.
(_gcry_mpi_ec_new): Ditto.
(_gcry_ecc_get_param): Use ECC_DIALECT_STANDARD for now.
* cipher/ecc-misc.c (_gcry_ecc_curve_copy): Copy dialect.
(_gcry_ecc_dialect2str): New.
* mpi/ec.c (ec_p_init): Add arg DIALECT.
(_gcry_mpi_ec_p_internal_new): Ditto.
(_gcry_mpi_ec_p_new): Ditto.
* mpi/mpiutil.c (gcry_mpi_set_opaque): Set the secure flag.
(_gcry_mpi_set_opaque_copy): New.
* cipher/ecc-misc.c (_gcry_ecc_os2ec): Take care of an opaque MPI.
* cipher/ecc.c (eddsa_generate_key): New.
(generate_key): Rename to nist_generate_key and factor some code out
to ...
(ecc_generate_ext): here. Divert to eddsa_generate_key if desired.
(eddsa_decodepoint): Take care of an opaque MPI.
(ecc_check_secret_key): Ditto.
(ecc_sign): Ditto.
* cipher/pubkey.c (sexp_elements_extract_ecc): Store public and secret
key as opaque MPIs.
(gcry_pk_genkey): Add the curve_name also to the private key part of
the result.
* tests/benchmark.c (ecc_bench): Support Ed25519.
(main): Add option --debug.
* tests/curves.c (sample_key_2): Make sure that P and N are positive.
* tests/keygen.c (show): New.
(check_ecc_keys): Support Ed25519.
--
There are two main purposes of this patch: Add a key generation
feature for Ed25519 and add the "dialect" thingy which will eventually
be used to add curve specific optimization.
Note that the entire way of how we interface between the public key
modules and pubkey.c is overly complex and probably also the cause for
a lot of performance overhead. Given that we don't have the loadable
module system anymore, we should entirely get rid of the MPI-array
based internal interface and move parts of the s-expression handling
direct into the pubkey modules. This needs to be fixed or we are
turning Libgcrypt into another software incarnation of Heathrow
Airport.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/mpicoder.c (twocompl, onecompl): New.
(gcry_mpi_print): Use it for STD and SSH.
(gcry_mpi_scan): Use it for STD and SSH. Always set NSCANNED.
(gcry_mpi_aprint): Clear the extra allocated byte.
* tests/t-convert.c (showhex, showmpi): New.
(mpi2bitstr_nlz): New.
(check_formats): New.
(main): Call new test.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/mpi-internal.h (MPN_COPY_INCR): Make it work.
--
This bug has been with us since the version 0.0.0 of GnuPG.
Fortunately it only affects an optimized code path which is rarely
used in practice: If the shift size matches the size of a
limb (i.e.. 32 or 64); this is is_prime in primegen.c. Over there the
Rabin-Miller test may fail with a probability of 2^-31 (that is if the
to be tested prime - 1 has the low 32 bits cleared). In practice the
probability is even much less because we first do a Fermat test on the
randomly generated candidates which sorts out the majority of
composite numbers.
The bug in MPN_COPY_INCR was found by Sven Bjorn.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* cipher/ecc-curves.c (domain_parms): Add curve "Ed25519".
* cipher/ecc.c (reverse_buffer): New.
(eddsa_encodempi): New.
(eddsa_encodepoint): New.
(eddsa_decodepoint): New.
(sign_eddsa): Implement.
(verify_eddsa): Implement.
(ecc_sign): Init unused Q. Pass public key to sign_eddsa.
(ecc_verify): Init pk.Q if not used. Pass public key verbatim to
verify_eddsa.
* cipher/pubkey.c (sexp_elements_extract): Add arg OPAQUE. Change all
callers to pass 0.
(sexp_to_sig): Add arg OPAQUE and pass it to sexp_elements_extract.
(sexp_data_to_mpi): Allow for a zero length "value".
(gcry_pk_verify): Reorder parameter processing. Pass OPAQUE flag as
required.
* mpi/ec.c (ec_invm): Print a warning if the inverse does not exist.
(_gcry_mpi_ec_get_affine): Implement for our Twisted Edwards curve
model.
(dup_point_twistededwards): Implement.
(add_points_twistededwards): Implement.
(_gcry_mpi_ec_mul_point): Support Twisted Edwards.
* mpi/mpicoder.c (do_get_buffer): Add arg FILL_LE.
(_gcry_mpi_get_buffer): Ditto. Change all callers.
(_gcry_mpi_get_secure_buffer): Ditto.
* src/sexp.c (_gcry_sexp_nth_opaque_mpi): New.
* tests/t-ed25519.c: New.
* tests/t-ed25519.inp: New.
* tests/t-mpi-point.c (basic_ec_math_simplified): Print some output
only in debug mode.
(twistededwards_math): New test.
(main): Call new test.
--
This is a non optimized version which takes far too long. On my X220
Thinkpad the 1024 test cases take 14 seconds (12 with --sign-with-pk).
There should be a lot of room for improvements.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/mpiutil.c (_gcry_mpi_get_opaque_copy): New.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/ec.c (_gcry_mpi_point_log): New.
* src/mpi.h (log_printpnt): new macro.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/mpicoder.c (gcry_mpi_dump): Remove.
(_gcry_log_mpidump): Remove.
* src/misc.c (_gcry_log_printhex): Factor all code out to ...
(do_printhex): new. Add line wrapping a and compact printing.
(_gcry_log_printmpi): New.
* src/mpi.h (log_mpidump): Remove macro.
* src/g10lib.h (log_mpidump): Add compatibility macro.
(log_printmpi): New macro
* src/visibility.c (gcry_mpi_dump): Call _gcry_log_printmpi.
* cipher/primegen.c (prime_generate_internal): Replace gcry_mpi_dump
by log_printmpi.
(gcry_prime_group_generator): Ditto.
* cipher/pubkey.c: Remove extra colons from log_mpidump call.
* cipher/rsa.c (stronger_key_check): Use log_printmpi.
--
The values to debug get longer and longer and the different debug
functions made it hard to check them out. Now MPIs and hex buffers are
printed very similar. Lines may now wrap with an backslash as
indicator. MPIs are distinguished from plain buffers in the output by
always using a sign.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/ec.c (ec_p_init): Add args MODEL and P. Change all callers.
(_gcry_mpi_ec_p_internal_new): Ditto.
(_gcry_mpi_ec_p_new): Ditto.
* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return
GPG_ERR_UNKNOWN_CURVE instead of invalid value. Init curve model.
* cipher/ecc.c (ecc_verify, ecc_encrypt_raw): Ditto.
* cipher/pubkey.c (sexp_data_to_mpi): Fix EDDSA flag error checking.
--
(fixes commit c26be7a337d0bf98193bc58e043209e46d0769bb)
|
|
* mpi/ec.c (_gcry_mpi_ec_curve_point): New.
(ec_powm): Return the absolute value.
* src/visibility.c, src/visibility.c: Add wrappers.
* src/libgcrypt.def, src/libgcrypt.vers: Export them.
|
|
* src/gcrypt.h.in (gcry_mpi_is_neg): New.
(gcry_mpi_neg, gcry_mpi_abs): New.
* mpi/mpiutil.c (_gcry_mpi_is_neg): New.
(_gcry_mpi_neg, _gcry_mpi_abs): New.
* src/visibility.c, src/visibility.h: Add wrappers.
* src/libgcrypt.def, src/libgcrypt.vers: Export them.
* src/mpi.h (mpi_is_neg): New. Rename old macro to mpi_has_sign.
* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Use mpi_has_sign.
* mpi/mpi-mpow.c (calc_barrett): Ditto.
* cipher/primegen.c (_gcry_derive_x931_prime): Ditto
* cipher/rsa.c (secret): Ditto.
|
|
* mpi/armv6/mpih-mul1.S: Tune assembly for Cortex-A8.
* mpi/armv6/mpih-mul2.S: Ditto.
* mpi/armv6/mpih-mul3.S: Ditto.
--
Little bit of tuning of assembly functions with help of Cortex-A8 profiler.
Old (armhf/Cortex-A8 1Ghz):
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 350ms 2230ms 50ms
RSA 2048 bit 3500ms 11890ms 150ms
RSA 3072 bit 23900ms 32540ms 280ms
RSA 4096 bit 15750ms 69420ms 450ms
Algorithm generate 100*sign 100*verify
------------------------------------------------
DSA 1024/160 - 990ms 930ms
DSA 2048/224 - 3840ms 3400ms
DSA 3072/256 - 8280ms 7620ms
Algorithm generate 100*sign 100*verify
------------------------------------------------
ECDSA 192 bit 60ms 1760ms 3300ms
ECDSA 224 bit 80ms 2240ms 4300ms
ECDSA 256 bit 110ms 2740ms 5420ms
ECDSA 384 bit 230ms 5680ms 11300ms
ECDSA 521 bit 540ms 13590ms 26890ms
New:
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 350ms 2190ms 60ms
RSA 2048 bit 8910ms 11800ms 150ms
RSA 3072 bit 11000ms 31810ms 270ms
RSA 4096 bit 50290ms 68690ms 450ms
Algorithm generate 100*sign 100*verify
------------------------------------------------
DSA 1024/160 - 980ms 920ms
DSA 2048/224 - 3780ms 3370ms
DSA 3072/256 - 8100ms 7060ms
Algorithm generate 100*sign 100*verify
------------------------------------------------
ECDSA 192 bit 70ms 1730ms 3200ms
ECDSA 224 bit 90ms 2180ms 4220ms
ECDSA 256 bit 110ms 2660ms 5200ms
ECDSA 384 bit 220ms 5660ms 10910ms
ECDSA 521 bit 530ms 13420ms 26000ms
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* src/mpi.h (gcry_mpi_ec_models): New.
* src/ec-context.h (mpi_ec_ctx_s): Add MODEL.
* cipher/ecc-common.h (elliptic_curve_t): Ditto.
* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
(domain_parms): Mark als as Weierstrass.
(_gcry_ecc_fill_in_curve): Check model.
(_gcry_ecc_get_curve): Set model to Weierstrass.
* cipher/ecc-misc.c (_gcry_ecc_model2str): New.
* cipher/ecc.c (generate_key, ecc_generate_ext): Print model in the
debug output.
* mpi/ec.c (_gcry_mpi_ec_dup_point): Switch depending on model.
Factor code out to ...
(dup_point_weierstrass): new.
(dup_point_montgomery, dup_point_twistededwards): New stub functions.
(_gcry_mpi_ec_add_points): Switch depending on model. Factor code out
to ...
(add_points_weierstrass): new.
(add_points_montgomery, add_points_twistededwards): New stub
functions.
* tests/Makefile.am (TESTS): Reorder tests.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/g10lib.h (GCC_ATTR_UNUSED): Define for gcc >= 3.5.
* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Mark dummy
as unused.
* mpi/mpi-internal.h (UDIV_QRNND_PREINV): Mark _ql as unused.
--
Due to the use of macros and longlong.h, we use variables which are
only used by some architectures. At least gcc 4.7.2 prints new
warnings abot set but not used variables. This patch silences them.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/amd64/mpi-asm-defs.h: New file.
* random/rndhw.c (poll_padlock) [__x86_64__]: Also check if __LP64__ is
defined.
[USE_DRNG, __x86_64__]: Also check if __LP64__ is defined.
--
In short, x32 is new x86-64 ABI with 32-bit pointers. Adding support is
straightforward, small fix for mpi and fixes for random/rndhw.c. AMD64 assembly
functions appear to work fine with x32 and 'make check' passes.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* mpi/config.links [armv6]: Set mpi_cpu_arch to "arm", instead of
"armv6".
--
Without this change, HAVE_CPU_ARCH_ARM stays undefined.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* mpi/mpicoder.c (gcry_mpi_print): Take care of negative zero.
(gcry_mpi_aprint): Allocate at least 1 byte.
* tests/t-convert.c: New.
* tests/Makefile.am (TESTS): Add t-convert.
--
Reported-by: Christian Fuchs
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/armv6/mpi-asm-defs.h: New.
* mpi/armv6/mpih-add1.S: New.
* mpi/armv6/mpih-mul1.S: New.
* mpi/armv6/mpih-mul2.S: New.
* mpi/armv6/mpih-mul3.S: New.
* mpi/armv6/mpih-sub1.S: New.
* mpi/config.links [arm]: Enable ARMv6 assembly.
--
Add mpi assembly for ARMv6 (or later). These are partly based on ARM assembly
found in GMP 4.2.1.
Old vs new (Cortex-A8, 1Ghz):
Algorithm generate 100*sign 100*verify
------------------------------------------------
ECDSA 192 bit 1.14x 1.10x 1.13x
ECDSA 224 bit 1.11x 1.12x 1.12x
ECDSA 256 bit 1.20x 1.13x 1.14x
ECDSA 384 bit 1.13x 1.21x 1.21x
ECDSA 521 bit 1.17x 1.20x 1.22x
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit - 1.31x 1.60x
RSA 2048 bit - 1.41x 1.47x
RSA 3072 bit - 1.50x 1.63x
RSA 4096 bit - 1.50x 1.57x
Algorithm generate 100*sign 100*verify
------------------------------------------------
DSA 1024/160 - 1.39x 1.38x
DSA 2048/224 - 1.50x 1.51x
DSA 3072/256 - 1.59x 1.64x
NEW:
Algorithm generate 100*sign 100*verify
------------------------------------------------
ECDSA 192 bit 70ms 1750ms 3170ms
ECDSA 224 bit 90ms 2210ms 4250ms
ECDSA 256 bit 100ms 2710ms 5170ms
ECDSA 384 bit 230ms 5670ms 11040ms
ECDSA 521 bit 540ms 13370ms 25870ms
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 360ms 2200ms 50ms
RSA 2048 bit 2770ms 11900ms 150ms
RSA 3072 bit 6680ms 32530ms 270ms
RSA 4096 bit 10320ms 69440ms 460ms
Algorithm generate 100*sign 100*verify
------------------------------------------------
DSA 1024/160 - 990ms 910ms
DSA 2048/224 - 3830ms 3410ms
DSA 3072/256 - 8270ms 7030ms
OLD:
Algorithm generate 100*sign 100*verify
------------------------------------------------
ECDSA 192 bit 80ms 1920ms 3580ms
ECDSA 224 bit 100ms 2470ms 4760ms
ECDSA 256 bit 120ms 3050ms 5870ms
ECDSA 384 bit 260ms 6840ms 13330ms
ECDSA 521 bit 630ms 16080ms 31500ms
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 450ms 2890ms 80ms
RSA 2048 bit 2320ms 16760ms 220ms
RSA 3072 bit 26300ms 48650ms 440ms
RSA 4096 bit 15700ms 103910ms 720ms
Algorithm generate 100*sign 100*verify
------------------------------------------------
DSA 1024/160 - 1380ms 1260ms
DSA 2048/224 - 5740ms 5140ms
DSA 3072/256 - 13130ms 11510ms
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* mpi/mpiutil.c (gcry_mpi_set): Reset immutable and const flags.
* tests/mpitests.c (test_const_and_immutable): Add a test for this.
--
gcry_mpi_set shall behave like gcry_mpi_copy and thus reset those
special flags. Problem reported by Christian Grothoff.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/mpi-inv.c (gcry_mpi_invm): Return 0 for bad input.
--
Without this patch the function may enter and endless loop.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
exponents in secure memory.
--
The attack is published as http://eprint.iacr.org/2013/448 :
Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
Flush+Reload is a cache side-channel attack that monitors access to
data in shared pages. In this paper we demonstrate how to use the
attack to extract private encryption keys from GnuPG. The high
resolution and low noise of the Flush+Reload attack enables a spy
program to recover over 98% of the bits of the private key in a
single decryption or signing round. Unlike previous attacks, the
attack targets the last level L3 cache. Consequently, the spy
program and the victim do not need to share the execution core of
the CPU. The attack is not limited to a traditional OS and can be
used in a virtualised environment, where it can attack programs
executing in a different VM.
(cherry picked from commit 55237c8f6920c6629debd23db65e90b42a3767de)
|
|
* mpi/mpicoder.c (gcry_mpi_dump): Detect abd print opaque MPIs.
* tests/mpitests.c (test_opaque): New.
(main): Call new test.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that
the result has been allocated.
--
This code triggered the problem:
modulus = gcry_mpi_set_ui(NULL, 100);
generator = gcry_mpi_set_ui(NULL, 3);
exponent = gcry_mpi_set_ui(NULL, 0);
result = gcry_mpi_new(0);
gcry_mpi_powm(result, generator, exponent, modulus);
gcry_mpi_new(0) does not allocate the limb space thus it is not
possible to write even into the first limb. Workaround was to use
gcry_mpi_new (1) but a real fix is better.
Reported-by: Ian Goldberg
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/amd64/mpih-mul2.S: remove duplicated header.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* cipher/bithelp.h [__GNUC__, __i386__] (rol, ror): add "cc" globber
for inline assembly.
* cipher/cast5.c [__GNUC__, __i386__] (rol): Ditto.
* random/rndhw.c [USE_DRNG] (rdrand_long): Ditto.
* src/hmac256.c [__GNUC__, __i386__] (ror): Ditto.
* mpi/longlong.c [__i386__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
(udiv_qrnnd, count_leading_zeros, count_trailing_zeros): Ditto.
--
These assembly snippets modify cflags but do not mark "cc" clobber.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* mpi/longlong.h [__arm__]: Construct __ARM_ARCH if not provided by
compiler.
--
GCC 4.8 defines __ARM_ARCH which provides forward compatible way to detect
ARM architecture. Use this when available and construct otherwise.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss): Add __CLOBBER_CC.
[__arm__][__ARM_ARCH <= 3] (umul_ppmm): Ditto.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
mpi/longlong.h [__arm__]: Enable inline assembly if __thumb2__ is
defined.
[__arm__]: Use __ARCH_ARM when defined.
[__arm__] [__ARM_ARCH >= 5] (count_leading_zeros): New.
--
Current ARM Linux distributions use EABI that enables thumb2, and therefore
inline assembly is disable (because !defined(__thumb__) selector). However
thumb2 allows the use of assembly instructions that longlong.h contains for
ARM. So this patch enables inline assembly for ARM when __thumb2__ is defined
in addition to __thumb__.
Patch also adds optimization for count_leading_zeros() macro for ARM.
Results on Cortex-A8, 1Ghz:
===
Before:
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 750ms 2780ms 110ms
RSA 2048 bit 14280ms 17250ms 300ms
RSA 3072 bit 38630ms 51300ms 650ms
RSA 4096 bit 60940ms 111430ms 1000ms
jussi@cubie:~/libgcrypt$ tests/benchmark dsa
Algorithm generate 100*sign 100*verify
------------------------------------------------
DSA 1024/160 - 1410ms 1680ms
DSA 2048/224 - 6100ms 7390ms
DSA 3072/256 - 14350ms 17120ms
jussi@cubie:~/libgcrypt$ tests/benchmark ecc
Algorithm generate 100*sign 100*verify
------------------------------------------------
ECDSA 192 bit 90ms 2160ms 3940ms
ECDSA 224 bit 110ms 2810ms 5400ms
ECDSA 256 bit 150ms 3570ms 6970ms
ECDSA 384 bit 340ms 8320ms 16420ms
ECDSA 521 bit 850ms 19760ms 38480ms
After:
jussi@cubie:~/libgcrypt$ tests/benchmark rsa
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 590ms 2230ms 80ms
RSA 2048 bit 2320ms 13090ms 240ms
RSA 3072 bit 60580ms 38420ms 460ms
RSA 4096 bit 115130ms 82250ms 750ms
jussi@cubie:~/libgcrypt$ tests/benchmark dsa
Algorithm generate 100*sign 100*verify
------------------------------------------------
DSA 1024/160 - 1070ms 1290ms
DSA 2048/224 - 4500ms 5550ms
DSA 3072/256 - 10280ms 12200ms
jussi@cubie:~/libgcrypt$ tests/benchmark ecc
Algorithm generate 100*sign 100*verify
------------------------------------------------
ECDSA 192 bit 70ms 1900ms 3560ms
ECDSA 224 bit 100ms 2490ms 4750ms
ECDSA 256 bit 120ms 3140ms 5920ms
ECDSA 384 bit 270ms 6990ms 13790ms
ECDSA 521 bit 680ms 17080ms 33490ms
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
|
* mpi/ec.c (_gcry_mpi_ec_mul_point): Handle case of SCALAR == 0.
* tests/t-mpi-point.c (basic_ec_math): Add a test case for this.
Signed-off-by: Werner Koch <wk@wheatstone.g10code.de>
|
|
* mpi/ec.c (_gcry_mpi_ec_add_points): Fix case of P1 given in affine
coordinates.
--
This was a plain copy and paste error, which was found due to explicit
use of affine coordinates by GNUnet's new pseudonyms code.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/gcrypt.h.in (GCRY_PK_GET_PUBKEY): New.
(GCRY_PK_GET_SECKEY): New.
(gcry_pubkey_get_sexp): New.
* src/visibility.c (gcry_pubkey_get_sexp): New.
* src/visibility.h (gcry_pubkey_get_sexp): Mark visible.
* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
* cipher/pubkey-internal.h: New.
* cipher/Makefile.am (libcipher_la_SOURCES): Add new file.
* cipher/ecc.c: Include pubkey-internal.h
(_gcry_pk_ecc_get_sexp): New.
* cipher/pubkey.c: Include pubkey-internal.h and context.h.
(_gcry_pubkey_get_sexp): New.
* src/context.c (_gcry_ctx_find_pointer): New.
* src/cipher-proto.h: Add _gcry_pubkey_get_sexp.
* tests/t-mpi-point.c (print_sexp): New.
(context_param, basic_ec_math_simplified): Add tests for the new
function.
* configure.ac (NEED_GPG_ERROR_VERSION): Set to 1.11.
(AH_BOTTOM) Add error codes from gpg-error 1.12
* src/g10lib.h (fips_not_operational): Use GPG_ERR_NOT_OPERATIONAL.
* mpi/ec.c (_gcry_mpi_ec_get_mpi): Fix computation of Q.
(_gcry_mpi_ec_get_point): Ditto.
--
While checking the new code I figured that the auto-computation of Q
must have led to a segv. It seems we had no test case for that.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* src/ec-context.h (mpi_ec_ctx_s): Replace NEED_SYNC by a bitfield.
* mpi/ec.c (ec_p_sync): Remove.
(ec_get_reset, ec_get_a_is_pminus3, ec_get_two_inv_p): New.
(ec_p_init): Use ec_get_reset.
(_gcry_mpi_ec_set_mpi, _gcry_mpi_ec_dup_point)
(_gcry_mpi_ec_add_points): Replace ec_p_sync by the ec_get_ accessors.
|
|
* src/ec-context.h (mpi_ec_ctx_s): Add field NEED_SYNC.
* mpi/ec.c (ec_p_sync): New.
(ec_p_init): Only set NEED_SYNC.
(_gcry_mpi_ec_set_mpi): Set NEED_SYNC for 'p' and 'a'.
(_gcry_mpi_ec_dup_point, _gcry_mpi_ec_add_points)
(_gcry_mpi_ec_mul_point): Call ec_p_sync.
(_gcry_mpi_ec_get_point): Recompute 'q' is needed.
(_gcry_mpi_ec_get_mpi): Ditto. Also allow for names 'q', 'q.x',
'q.y', and 'g'.
* cipher/ecc.c (_gcry_mpi_ec_ec2os): New.
* cipher/ecc.c (_gcry_mpi_ec_new): Fix init from parameters 'Q'->'q',
'G'->'q'.
--
Note that the parameter names are all lowercase. This patch fixes an
inconsistency.
The other bug was that changing the parameters D or A may have
resulted in wrong computations because helper variables were not
updated. Now we delay the computation of those helper variables until
we need them.
|
|
* src/gcrypt.h.in (gcry_mpi_ec_p_new): Remove.
(gcry_mpi_ec_new): New.
(gcry_mpi_ec_get_mpi): New.
(gcry_mpi_ec_get_point): New.
(gcry_mpi_ec_set_mpi): New.
(gcry_mpi_ec_set_point): New.
* src/visibility.c (gcry_mpi_ec_p_new): Remove.
* mpi/ec.c (_gcry_mpi_ec_p_new): Make it an internal function and
change to return an error code.
(_gcry_mpi_ec_get_mpi): New.
(_gcry_mpi_ec_get_point): New.
(_gcry_mpi_ec_set_mpi): New.
(_gcry_mpi_ec_set_point): New.
* src/mpi.h: Add new prototypes.
* src/ec-context.h: New.
* mpi/ec.c: Include that header.
(mpi_ec_ctx_s): Move to ec-context.h, add new fields, and put some
fields into an inner struct.
(point_copy): New.
* cipher/ecc.c (fill_in_curve): Allow passing NULL for R_NBITS.
(mpi_from_keyparam, point_from_keyparam): New.
(_gcry_mpi_ec_new): New.
* tests/t-mpi-point.c (test-curve): New.
(ec_p_new): New. Use it instead of the removed gcry_mpi_ec_p_new.
(get_and_cmp_mpi, get_and_cmp_point): New.
(context_param): New test.
(basic_ec_math_simplified): New test.
(main): Call new tests.
* src/context.c (_gcry_ctx_get_pointer): Check for a NULL CTX.
--
gcry_mpi_ec_p_new() was a specialized version of the more general new
gcry_mpi_ec_new(). It was added to master only a few days ago, thus
there should be no problem to remove it. A replacement can easily be
written (cf. t-mpi-point.c).
Note that gcry_mpi_ec_set_mpi and gcry_mpi_ec_set_point have not yet
been tested.
|
|
* src/gcrypt.h.in (GCRYMPI_FLAG_CONST): New.
* src/mpi.h (mpi_is_const, mpi_const): New.
(enum gcry_mpi_constants, MPI_NUMBER_OF_CONSTANTS): New.
* mpi/mpiutil.c (_gcry_mpi_init): New.
(constants): New.
(_gcry_mpi_free): Do not release a constant flagged MPI.
(gcry_mpi_copy): Clear the const and immutable flags.
(gcry_mpi_set_flag, gcry_mpi_clear_flag, gcry_mpi_get_flag): Support
GCRYMPI_FLAG_CONST.
(_gcry_mpi_const): New.
* src/global.c (global_init): Call _gcry_mpi_init.
* mpi/ec.c (mpi_ec_ctx_s): Remove fields one, two, three, four, and
eight. Change all users to call mpi_const() instead.
* src/mpiutils.c (gcry_mpi_set_opaque): Check the immutable flag.
--
Allocating the trivial constants newly for every EC context is a waste
of memory and cpu cycles. We instead provide a simple mechanism to
internally support such constants. Using a new flag in THE API also
allows to mark an arbitrary MPI as constant. The drawback of the
constants is the their memory will never be deallocated. However,
that is what constants are about.
|
|
* src/gcrypt.h.in (GCRYMPI_FLAG_IMMUTABLE): New.
* src/mpi.h (mpi_is_immutable): New macro.
* mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag)
(gcry_mpi_get_flag): Implement new flag
(_gcry_mpi_immutable_failed): New.
* mpi/mpiutil.c (_gcry_mpi_clear, _gcry_mpi_free, gcry_mpi_snatch)
(gcry_mpi_set, gcry_mpi_randomize): Act upon the immutable flag.
* mpi/mpi-bit.c (gcry_mpi_set_bit, gcry_mpi_set_highbit)
(gcry_mpi_clear_highbit, gcry_mpi_clear_bit)
(_gcry_mpi_rshift_limbs, gcry_mpi_lshift): Ditto.
* mpi/mpicoder.c (_gcry_mpi_set_buffer): Ditto.
--
Note that this flag is currently only checked by a few MPI functions.
The reason why we eventually need such a flag is to help implementing
a generic way to retrieve and set ECC parameters without accidentally
changing a curve parameter taken from a list of predefined curves.
|
|
* src/context.c, src/context.h: New.
* src/Makefile.am (libgcrypt_la_SOURCES): Add new files.
* src/gcrypt.h.in (struct gcry_context, gcry_ctx_t): New types.
(gcry_ctx_release): New prototype.
(gcry_mpi_ec_p_new, gcry_mpi_ec_get_affine, gcry_mpi_ec_dup)
(gcry_mpi_ec_add, gcry_mpi_ec_mul): New prototypes.
* mpi/ec.c: Include errno.h and context.h.
(_gcry_mpi_ec_init): Rename to ..
(ec_p_init): this, make static, remove allocation and add arg CTX.
(_gcry_mpi_ec_p_internal_new): New; to replace _gcry_mpi_ec_init.
Change all callers to use this func.
(_gcry_mpi_ec_free): Factor code out to ..
(ec_deinit): New func.
(gcry_mpi_ec_p_new): New.
* src/visibility.c: Include context.h and mpi.h.
(gcry_mpi_ec_p_new, gcry_mpi_ec_get_affine, gcry_mpi_ec_dup)
(gcry_mpi_ec_add, gcry_mpi_ec_mul)
(gcry_ctx_release): New wrapper functions.
* src/visibility.h: Mark new wrapper functions visible.
* src/libgcrypt.def, src/libgcrypt.vers: Add new symbols.
* tests/t-mpi-point.c (print_mpi, hex2mpi, cmp_mpihex): New.
(context_alloc): New.
(make_point, basic_ec_math): New.
--
This part finishes the basic API to do EC math. It provides a wrapper
around all internal functions. tests/t-mpi-point.c may be useful as
sample code. Eventually we will add function to retrieve curve
parameters etc.
|
|
* mpi/ec.c (gcry_mpi_point_new, gcry_mpi_point_release): New.
(gcry_mpi_point_get, gcry_mpi_point_snatch_get): New.
(gcry_mpi_point_set, gcry_mpi_point_snatch_set): New.
* src/visibility.h, src/visibility.c: Add corresponding macros and
wrappers.
* src/gcrypt.h.in (struct gcry_mpi_point, gcry_mpi_point_t): New.
(gcry_mpi_point_new, gcry_mpi_point_release, gcry_mpi_point_get)
(gcry_mpi_point_snatch_get, gcry_mpi_point_set)
(gcry_mpi_point_snatch_set): New prototypes.
(mpi_point_new, mpi_point_release, mpi_point_get, mpi_point_snatch_get)
(mpi_point_set, mpi_point_snatch_set): New macros.
* src/libgcrypt.vers (gcry_mpi_point_new, gcry_mpi_point_release)
(gcry_mpi_point_get, gcry_mpi_point_snatch_get, gcry_mpi_point_set)
(gcry_mpi_point_snatch_set): New symbols.
* src/libgcrypt.def: Ditto.
* tests/t-mpi-point.c: New.
* tests/Makefile.am (TESTS): Add t-mpi-point
|
|
* src/mpi.h (struct mpi_point_s): Rename to struct gcry_mpi_point.
(mpi_point_struct): New typedef.
(mpi_point_t): Change typedef to a pointer. Replace all occurrences
to use mpi_point_struct.
* mpi/ec.c (_gcry_mpi_ec_point_init): Rename to ..
(_gcry_mpi_point_init): this. Change all callers.
(_gcry_mpi_ec_point_free): Rename to ..
(_gcry_mpi_point_free_parts): this. Change all callers.
* mpi/mpiutil.c (gcry_mpi_snatch): New function.
* src/gcrypt.h.in (gcry_mpi_snatch, mpi_snatch): Add protoype and
macro.
* src/visibility.c (gcry_mpi_snatch): Add wrapper.
* src/visibility.h (gcry_mpi_snatch): Add macro magic.
* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
--
This patch is a prerequisite to implement a public point API. The new
function gcry_mpi_snatch is actually not needed for this but is useful
anyway and will be used to implement the point API.
|
|
* configure.ac (GCRYPT_HWF_MODULES): New.
(HAVE_CPU_ARCH_X86, HAVE_CPU_ARCH_ALPHA, HAVE_CPU_ARCH_SPARC)
(HAVE_CPU_ARCH_MIPS, HAVE_CPU_ARCH_M68K, HAVE_CPU_ARCH_PPC)
(HAVE_CPU_ARCH_ARM): New AC_DEFINEs.
* mpi/config.links (mpi_cpu_arch): New.
* src/global.c (print_config): Print new tag "cpu-arch".
* src/Makefile.am (libgcrypt_la_SOURCES): Add hwf-common.h
(EXTRA_libgcrypt_la_SOURCES): New.
(gcrypt_hwf_modules): New.
(libgcrypt_la_DEPENDENCIES, libgcrypt_la_LIBADD): Add that one.
* src/hwfeatures.c: Factor most code out to ...
* src/hwf-x86.c: New file.
(detect_x86_gnuc): Return the feature vector.
(_gcry_hwf_detect_x86): New.
* src/hwf-common.h: New.
* src/hwfeatures.c (_gcry_detect_hw_features): Dispatch using
HAVE_CPU_ARCH_ macros.
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
* mpi/mpi-inline.h [!G10_MPI_INLINE_DECL]: Take care of changed extern
inline semantics in gcc.
--
I am not use how this will work out with non-gcc. However, we had no
problems in the past and thus this change is the least invasive for
non-gcc compilers.
GnuPG-bug-id: 1406, 1435
|
|
* mpi/mpicoder.c (do_get_buffer): Check the length before derefing P.
--
Christian Grothoff found this bug using Valgrind.
|
|
* mpi/mpi-pow.c: Replace 1 / msize.
* mpi/mpih-div.c: Replace 1 / dsize.
* src/misc.c: Add _gcry_divide_by_zero.
--
1) Division by zero doesn't "provoke a signal" on architectures
like PowerPC.
2) C compilers like clang will optimize away these divisions, even
though the code tries "to make the compiler not remove" them.
This patch redirects these cases to _gcry_divide_by_zero.
|