* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Change dummy
variable to 'mpi_limb_t' type from 'int'.
--
Patch attempts to fix problem reported by Matthias Wachs:
while updating our buildbots I got another compile error:
On a OS X machine:
Darwin luke.net.in.tum.de 11.3.0 Darwin Kernel Version 11.3.0: Thu Jan
12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64 x86_64
/bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I.
-I.. -I../src -I../src -I/opt/local/include -I/opt/local/include -g -O2
-Wall -MT mpih-div.lo -MD -MP -MF .deps/mpih-div.Tpo -c -o mpih-div.lo
mpih-div.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src
-I/opt/local/include -I/opt/local/include -g -O2 -Wall -MT mpih-div.lo
-MD -MP -MF .deps/mpih-div.Tpo -c mpih-div.c -fno-common -DPIC -o
.libs/mpih-div.o
mpih-div.c: In function '_gcry_mpih_mod_1':
mpih-div.c:183: error: unsupported inline asm: input constraint with a
matching output constraint of incompatible type!
make[2]: *** [mpih-div.lo] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
The new x86-64 inline assembly for MPI expects outputs to be limb sized
variables (64-bit), but mpi/mpih-div.c was using 32-bit dummy variable.
Apparently this mismatch between assembly output and variable sizes does not
fail on every platform.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* src/visibility.h: Remove remaining define/undef hacks for symbol
visibility. Add macros to detect the use of the public functions.
Change all affected functions by replacing them by the x-macros.
* src/g10lib.h: Add internal prototypes.
(xtrymalloc, xtrycalloc, xtrymalloc_secure, xtrycalloc_secure)
(xtryrealloc, xtrystrdup, xmalloc, xcalloc, xmalloc_secure)
(xcalloc_secure, xrealloc, xstrdup, xfree): New macros.
--
The use of xmalloc/xtrymalloc/xfree is a more common pattern than the
gcry_free etc. functions. Those functions behave like those defined
by C and thus for better readability we use these macros and not
the underscore prefixed functions.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/visibility.h: Remove almost all define/undef hacks for symbol
visibility. Add macros to detect the use of the public functions.
Change all affected functions by prefixing them explicitly with an
underscore and change all internal callers to call the underscore
prefixed versions. Provide convenience macros from sexp and mpi
functions.
* src/visibility.c: Change all functions to use only gpg_err_code_t
and translate to gpg_error_t only in visibility.c.
--
The use of the macro magic made it hard to follow the function calls
in the source. It was not easy to see if an internal or external
function (as defined by visibility.c) was called. The change is quite
large but hopefully makes Libgcrypt easier to maintain. Some
functions have not yet been fixed; this will be done soon.
Because Libgcrypt does not make use of any other libgpg-error using
libraries it is useless to always translate between gpg_error_t and
gpg_err_code_t (i.e. with and w/o error source identifier). This
translation has now mostly been moved to the function wrappers in
visibility.c. An additional advantage of using gpg_err_code_t is that
comparisons can be done without using gpg_err_code().
I am sorry for that large patch, but a series of patches would
actually be more work to audit.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/longlong.h [__x86_64] (add_ssaaaa, sub_ddmmss, umul_ppmm)
(udiv_qrnnd, count_leading_zeros, count_trailing_zeros): New.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* mpi/mpi-pow.c (gcry_mpi_powm) [USE_ALGORITHM_SIMPLE_EXPONENTIATION]:
Fix for the case where BASE is negative.
* tests/mpitests.c (test_powm): Add a test case of (-17)^6 mod 19.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* mpi/aarch64/mpi-asm-defs.h: New.
* mpi/aarch64/mpih-add1.S: New.
* mpi/aarch64/mpih-mul1.S: New.
* mpi/aarch64/mpih-mul2.S: New.
* mpi/aarch64/mpih-mul3.S: New.
* mpi/aarch64/mpih-sub1.S: New.
* mpi/config.links [host=aarch64-*-*]: Add configuration for aarch64
assembly.
* mpi/longlong.h [__aarch64__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
(count_leading_zeros): New.
--
Add preliminary aarch64 assembly implementations for mpi.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* mpi/ec.c (_gcry_mpi_ec_mul_point): Try to do a constant time
operation if needed.
* tests/benchmark.c (main): Add option --use-secmem.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/ec.c (_gcry_mpi_ec_curve_point): Use correct equation.
(ec_pow3): New.
(ec_p_init): Always copy B.
--
The code path was obviously never tested.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gcrypt.h.in (GCRYMPI_FLAG_USER1, GCRYMPI_FLAG_USER2)
(GCRYMPI_FLAG_USER3, GCRYMPI_FLAG_USER4): New.
* mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag)
(gcry_mpi_get_flag, _gcry_mpi_free): Implement them.
(gcry_mpi_set_opaque): Keep user flags.
--
The space for the flags in the MPI struct is free and thus we can help
applications to make use of some flags. This is for example useful to
indicate that an MPI needs special processing before use.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/longlong.h [__arm__ && __ARM_ARCH < 4] (umul_ppmm): Use
__AND_CLOBBER_CC instead of __CLOBBER_CC.
--
ARMv3 code uses __CLOBBER_CC at the end of the clobber list while it should have
been __AND_CLOBBER_CC.
[jk: add changelog, rebase on libgcrypt repository]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* mpi/longlong.h [__mips__]: Use C-language version with clang.
--
clang doesn't recognise =l / =h assembly operand specifiers but apparently
handles C version well.
[jk: add changelog, rebase on libgcrypt repository, reformat changed line so it
does not go over 80 characters]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* src/ec-context.h (mpi_ec_ctx_s): Add field FLAGS.
* mpi/ec.c (ec_p_init): Add arg FLAGS. Change all callers to pass it.
* cipher/ecc-curves.c (point_from_keyparam): Add arg EC, parse as
opaque mpi and use eddsa decoding depending on the flag.
(_gcry_mpi_ec_new): Rearrange to parse Q and D after knowing the
curve.
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/ecc-eddsa.c (scanval): Add as temporary hack.
(_gcry_ecc_eddsa_recover_x): Use the algorithm from page 15 of the
paper. Return an error code.
(_gcry_ecc_eddsa_decodepoint): Take care of the error code.
* mpi/mpi-mul.c (gcry_mpi_mulm): Use truncated division.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/config.links: remove check for arm >= v6
* mpi/armv6 => mpi/arm: rename directory to reflect that it is generic
enough
--
MPI ARM assembly does not depend on the CPU being armv6. Verified on PXA255:
Before:
Algorithm         generate  100*sign  100*verify
------------------------------------------------
RSA 1024 bit        3990ms   57980ms      1680ms
RSA 2048 bit       59620ms  389430ms      5690ms
RSA 3072 bit      535850ms 1223200ms     12000ms
RSA 4096 bit      449350ms 2707370ms     20050ms
After:
Algorithm         generate  100*sign  100*verify
------------------------------------------------
RSA 1024 bit        2190ms   13730ms       320ms
RSA 2048 bit       12750ms   67640ms       810ms
RSA 3072 bit      110520ms  166100ms      1350ms
RSA 4096 bit      100870ms  357560ms      2170ms
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
[ jk: ARMv6 => ARM in header comments ]
* mpi/mpicoder.c (gcry_mpi_scan): Fix sign setting for SSH format.
* tests/t-convert.c (negative_zero): Test all formats.
(check_formats): Add tests for PGP and scan tests for SSH and USG.
* src/gcrypt.h.in (mpi_is_neg): Fix macro.
* mpi/mpi-scan.c (_gcry_mpi_getbyte, _gcry_mpi_putbyte): Comment out
these unused functions.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
(count_leading_zeros): Do not cast assembly output arguments.
[__arm__] (umul_ppmm): Remove the extra '%' ahead of assembly comment.
[_ARM_ARCH >= 4] (umul_ppmm): Use correct inputs and outputs instead of
registers.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* mpi/mpi-mod.c (_gcry_mpi_mod): Remove sign setting.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/ec.c (_gcry_mpi_ec_curve_point): Support MPI_EC_WEIERSTRASS.
* mpi/mpi-pow.c (gcry_mpi_powm): New implementation of left-to-right
k-ary exponentiation.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
For the Yarom/Falkner flush+reload cache side-channel attack, we
changed the code so that it always calls the multiplication routine
(even if we could skip it to get the result). This results in some
performance regression.
This change is for recovering performance with an efficient algorithm.
* mpi/longlong.h (add_ssaaaa, sub_ddmmss, count_leading_zeros,
umul_ppmm): Do not cast asm output to USItype.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* mpi/mpiutil.c (_gcry_mpi_neg): Copy U to W.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/ec-ed25519.c: New but empty file.
* mpi/ec-internal.h: New.
* mpi/ec.c: Include ec-internal.h.
(ec_mod): New.
(ec_addm): Use ec_mod.
(ec_mulm): Remove commented code. Use ec_mod.
(ec_subm): Call simple sub.
(ec_pow2): Use ec_mulm.
(ec_mul2): New.
(dup_point_weierstrass): Use ec_mul2.
(dup_point_twistededwards): Add special case for a == -1. Use
ec_mul2.
(add_points_weierstrass): Use ec_mul2.
(add_points_twistededwards): Add special case for a == -1.
(_gcry_mpi_ec_curve_point): Ditto.
(ec_p_init): Add hack to test Barrett functions.
* src/ec-context.h (mpi_ec_ctx_s): Add P_BARRETT.
* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Fix sign problem.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/misc.c (count_closing_parens): New.
(_gcry_log_printsxp): Use new function.
* mpi/ec.c (_gcry_mpi_point_log): Take care of a NULL point.
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/longlong.h [__i386__] (add_ssaaaa, sub_ddmmss)
(umul_ppmm, udiv_qrnnd): Do not cast asm output to USItype.
--
Clang defines __GNUC__ even when it's not GCC compatible. As a result, Clang
enables GCC-only assembly code in mpi/longlong.h and fails to build.
However, since the changes to make libgcrypt build with Clang are smallish, and
the changes do not cause problems with GCC, this patch just does them.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* mpi/mpiutil.c (_gcry_mpi_set_opaque_copy): Change prototype.
(_gcry_mpi_get_opaque_copy): Take care of gcry_malloc failure.
* cipher/ecc-curves.c (_gcry_ecc_get_mpi): Support "q@eddsa".
(_gcry_ecc_set_mpi): Support "q".
* cipher/ecc.c (eddsa_encodepoint): Rename to ...
(_gcry_ecc_eddsa_encodepoint): this and make global. Remove arg
MINLEN and take from context.
(eddsa_decodepoint): Rename to
(_gcry_ecc_eddsa_decodepoint): this and make global. Remove arg LEN
and take from context.
(sign_eddsa, verify_eddsa): Take B from context.
(ecc_sign, ecc_verify): Add hack to set DIALECT.
(_gcry_pk_ecc_get_sexp): Use _gcry_ecc_compute_public. Handle EdDSA.
* src/ec-context.h (mpi_ec_ctx_s): Add field NBITS.
* mpi/ec.c (ec_p_init): Init NBITS.
* tests/t-mpi-point.c (test_curve): Add Ed25519.
(sample_ed25519_q): New.
(context_param): Check new sample key.
(hex2buffer, hex2mpiopa): New.
(cmp_mpihex): Take care of opaque MPIs.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/ec.c (point_copy): Move to cipher/ecc-curves.c.
(ec_get_reset): Rename to _gcry_mpi_ec_get_reset and make global.
(_gcry_mpi_ec_get_mpi): Factor most code out to _gcry_ecc_get_mpi.
(_gcry_mpi_ec_get_point): Factor most code out to _gcry_ecc_get_point.
(_gcry_mpi_ec_set_mpi): Factor most code out to _gcry_ecc_set_mpi.
(_gcry_mpi_ec_set_point): Factor most code out to _gcry_ecc_set_point.
* cipher/ecc-curves.c (_gcry_ecc_get_mpi): New.
(_gcry_ecc_get_point, _gcry_ecc_set_mpi, _gcry_ecc_set_point): New.
* cipher/ecc-misc.c (_gcry_ecc_compute_public): New.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/ec.c (ec_pow2): New.
(ec_powm): Remove call to mpi_abs.
(dup_point_weierstrass, dup_point_twistededwards)
(add_points_weierstrass, add_points_twistededwards)
(_gcry_mpi_ec_curve_point): Use ec_pow2.
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/pubkey.c (pubkey_encrypt): Fold into gcry_pk_encrypt.
(pubkey_decrypt): Fold into gcry_pk_decrypt.
(pubkey_sign): Fold into gcry_pk_sign.
(pubkey_verify): Fold into gcry_pk_verify.
(octet_string_from_mpi): Make it a wrapper and factor code out to ...
* mpi/mpicoder.c (_gcry_mpi_to_octet_string): New function.
* src/cipher.h (PUBKEY_FLAG_FIXEDLEN): New.
* cipher/pubkey.c (sexp_data_to_mpi): Set flag for some encodings.
(gcry_pk_encrypt): Simplify by moving the s-expr generation to the modules.
(gcry_pk_sign): Ditto.
* cipher/dsa.c (dsa_sign): Create s-expr.
* cipher/elgamal.c (elg_encrypt, elg_sign): Ditto.
* cipher/rsa.c (rsa_encrypt, rsa_sign): Ditto.
* cipher/ecc.c (ecc_sign, ecc_encrypt_raw): Ditto.
(ecdsa_names): Add "eddsa".
* tests/t-ed25519.c (one_test): Expect "eddsa" token.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/mpi.h (enum ecc_dialects): New.
* src/ec-context.h (mpi_ec_ctx_s): Add field DIALECT.
* cipher/ecc-common.h (elliptic_curve_t): Ditto.
* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
(domain_parms): Add dialect values.
(_gcry_ecc_fill_in_curve): Set dialect.
(_gcry_ecc_get_curve): Ditto.
(_gcry_mpi_ec_new): Ditto.
(_gcry_ecc_get_param): Use ECC_DIALECT_STANDARD for now.
* cipher/ecc-misc.c (_gcry_ecc_curve_copy): Copy dialect.
(_gcry_ecc_dialect2str): New.
* mpi/ec.c (ec_p_init): Add arg DIALECT.
(_gcry_mpi_ec_p_internal_new): Ditto.
(_gcry_mpi_ec_p_new): Ditto.
* mpi/mpiutil.c (gcry_mpi_set_opaque): Set the secure flag.
(_gcry_mpi_set_opaque_copy): New.
* cipher/ecc-misc.c (_gcry_ecc_os2ec): Take care of an opaque MPI.
* cipher/ecc.c (eddsa_generate_key): New.
(generate_key): Rename to nist_generate_key and factor some code out
to ...
(ecc_generate_ext): here. Divert to eddsa_generate_key if desired.
(eddsa_decodepoint): Take care of an opaque MPI.
(ecc_check_secret_key): Ditto.
(ecc_sign): Ditto.
* cipher/pubkey.c (sexp_elements_extract_ecc): Store public and secret
key as opaque MPIs.
(gcry_pk_genkey): Add the curve_name also to the private key part of
the result.
* tests/benchmark.c (ecc_bench): Support Ed25519.
(main): Add option --debug.
* tests/curves.c (sample_key_2): Make sure that P and N are positive.
* tests/keygen.c (show): New.
(check_ecc_keys): Support Ed25519.
--
There are two main purposes of this patch: Add a key generation
feature for Ed25519 and add the "dialect" thingy which will eventually
be used to add curve specific optimization.
Note that the entire way of how we interface between the public key
modules and pubkey.c is overly complex and probably also the cause for
a lot of performance overhead. Given that we don't have the loadable
module system anymore, we should entirely get rid of the MPI-array
based internal interface and move parts of the s-expression handling
direct into the pubkey modules. This needs to be fixed or we are
turning Libgcrypt into another software incarnation of Heathrow
Airport.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/mpicoder.c (twocompl, onecompl): New.
(gcry_mpi_print): Use it for STD and SSH.
(gcry_mpi_scan): Use it for STD and SSH. Always set NSCANNED.
(gcry_mpi_aprint): Clear the extra allocated byte.
* tests/t-convert.c (showhex, showmpi): New.
(mpi2bitstr_nlz): New.
(check_formats): New.
(main): Call new test.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/mpi-internal.h (MPN_COPY_INCR): Make it work.
--
This bug has been with us since the version 0.0.0 of GnuPG.
Fortunately it only affects an optimized code path which is rarely
used in practice: If the shift size matches the size of a
limb (i.e. 32 or 64); this is is_prime in primegen.c. Over there the
Rabin-Miller test may fail with a probability of 2^-31 (that is if the
to-be-tested prime - 1 has the low 32 bits cleared). In practice the
probability is even much less because we first do a Fermat test on the
randomly generated candidates which sorts out the majority of
composite numbers.
The bug in MPN_COPY_INCR was found by Sven Bjorn.
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/ecc-curves.c (domain_parms): Add curve "Ed25519".
* cipher/ecc.c (reverse_buffer): New.
(eddsa_encodempi): New.
(eddsa_encodepoint): New.
(eddsa_decodepoint): New.
(sign_eddsa): Implement.
(verify_eddsa): Implement.
(ecc_sign): Init unused Q. Pass public key to sign_eddsa.
(ecc_verify): Init pk.Q if not used. Pass public key verbatim to
verify_eddsa.
* cipher/pubkey.c (sexp_elements_extract): Add arg OPAQUE. Change all
callers to pass 0.
(sexp_to_sig): Add arg OPAQUE and pass it to sexp_elements_extract.
(sexp_data_to_mpi): Allow for a zero length "value".
(gcry_pk_verify): Reorder parameter processing. Pass OPAQUE flag as
required.
* mpi/ec.c (ec_invm): Print a warning if the inverse does not exist.
(_gcry_mpi_ec_get_affine): Implement for our Twisted Edwards curve
model.
(dup_point_twistededwards): Implement.
(add_points_twistededwards): Implement.
(_gcry_mpi_ec_mul_point): Support Twisted Edwards.
* mpi/mpicoder.c (do_get_buffer): Add arg FILL_LE.
(_gcry_mpi_get_buffer): Ditto. Change all callers.
(_gcry_mpi_get_secure_buffer): Ditto.
* src/sexp.c (_gcry_sexp_nth_opaque_mpi): New.
* tests/t-ed25519.c: New.
* tests/t-ed25519.inp: New.
* tests/t-mpi-point.c (basic_ec_math_simplified): Print some output
only in debug mode.
(twistededwards_math): New test.
(main): Call new test.
--
This is a non optimized version which takes far too long. On my X220
Thinkpad the 1024 test cases take 14 seconds (12 with --sign-with-pk).
There should be a lot of room for improvements.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/mpiutil.c (_gcry_mpi_get_opaque_copy): New.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/ec.c (_gcry_mpi_point_log): New.
* src/mpi.h (log_printpnt): new macro.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/mpicoder.c (gcry_mpi_dump): Remove.
(_gcry_log_mpidump): Remove.
* src/misc.c (_gcry_log_printhex): Factor all code out to ...
(do_printhex): New. Add line wrapping and compact printing.
(_gcry_log_printmpi): New.
* src/mpi.h (log_mpidump): Remove macro.
* src/g10lib.h (log_mpidump): Add compatibility macro.
(log_printmpi): New macro
* src/visibility.c (gcry_mpi_dump): Call _gcry_log_printmpi.
* cipher/primegen.c (prime_generate_internal): Replace gcry_mpi_dump
by log_printmpi.
(gcry_prime_group_generator): Ditto.
* cipher/pubkey.c: Remove extra colons from log_mpidump call.
* cipher/rsa.c (stronger_key_check): Use log_printmpi.
--
The values to debug get longer and longer and the different debug
functions made it hard to check them out. Now MPIs and hex buffers are
printed very similarly. Lines may now wrap with a backslash as
indicator. MPIs are distinguished from plain buffers in the output by
always using a sign.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/ec.c (ec_p_init): Add args MODEL and P. Change all callers.
(_gcry_mpi_ec_p_internal_new): Ditto.
(_gcry_mpi_ec_p_new): Ditto.
* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return
GPG_ERR_UNKNOWN_CURVE instead of invalid value. Init curve model.
* cipher/ecc.c (ecc_verify, ecc_encrypt_raw): Ditto.
* cipher/pubkey.c (sexp_data_to_mpi): Fix EDDSA flag error checking.
--
(fixes commit c26be7a337d0bf98193bc58e043209e46d0769bb)
* mpi/ec.c (_gcry_mpi_ec_curve_point): New.
(ec_powm): Return the absolute value.
* src/visibility.c, src/visibility.h: Add wrappers.
* src/libgcrypt.def, src/libgcrypt.vers: Export them.
* src/gcrypt.h.in (gcry_mpi_is_neg): New.
(gcry_mpi_neg, gcry_mpi_abs): New.
* mpi/mpiutil.c (_gcry_mpi_is_neg): New.
(_gcry_mpi_neg, _gcry_mpi_abs): New.
* src/visibility.c, src/visibility.h: Add wrappers.
* src/libgcrypt.def, src/libgcrypt.vers: Export them.
* src/mpi.h (mpi_is_neg): New. Rename old macro to mpi_has_sign.
* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Use mpi_has_sign.
* mpi/mpi-mpow.c (calc_barrett): Ditto.
* cipher/primegen.c (_gcry_derive_x931_prime): Ditto
* cipher/rsa.c (secret): Ditto.
* mpi/armv6/mpih-mul1.S: Tune assembly for Cortex-A8.
* mpi/armv6/mpih-mul2.S: Ditto.
* mpi/armv6/mpih-mul3.S: Ditto.
--
A little bit of tuning of assembly functions with help of the Cortex-A8 profiler.
Old (armhf/Cortex-A8 1GHz):
Algorithm         generate  100*sign  100*verify
------------------------------------------------
RSA 1024 bit         350ms    2230ms        50ms
RSA 2048 bit        3500ms   11890ms       150ms
RSA 3072 bit       23900ms   32540ms       280ms
RSA 4096 bit       15750ms   69420ms       450ms
Algorithm         generate  100*sign  100*verify
------------------------------------------------
DSA 1024/160             -     990ms       930ms
DSA 2048/224             -    3840ms      3400ms
DSA 3072/256             -    8280ms      7620ms
Algorithm         generate  100*sign  100*verify
------------------------------------------------
ECDSA 192 bit         60ms    1760ms      3300ms
ECDSA 224 bit         80ms    2240ms      4300ms
ECDSA 256 bit        110ms    2740ms      5420ms
ECDSA 384 bit        230ms    5680ms     11300ms
ECDSA 521 bit        540ms   13590ms     26890ms
New:
Algorithm         generate  100*sign  100*verify
------------------------------------------------
RSA 1024 bit         350ms    2190ms        60ms
RSA 2048 bit        8910ms   11800ms       150ms
RSA 3072 bit       11000ms   31810ms       270ms
RSA 4096 bit       50290ms   68690ms       450ms
Algorithm         generate  100*sign  100*verify
------------------------------------------------
DSA 1024/160             -     980ms       920ms
DSA 2048/224             -    3780ms      3370ms
DSA 3072/256             -    8100ms      7060ms
Algorithm         generate  100*sign  100*verify
------------------------------------------------
ECDSA 192 bit         70ms    1730ms      3200ms
ECDSA 224 bit         90ms    2180ms      4220ms
ECDSA 256 bit        110ms    2660ms      5200ms
ECDSA 384 bit        220ms    5660ms     10910ms
ECDSA 521 bit        530ms   13420ms     26000ms
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* src/mpi.h (gcry_mpi_ec_models): New.
* src/ec-context.h (mpi_ec_ctx_s): Add MODEL.
* cipher/ecc-common.h (elliptic_curve_t): Ditto.
* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
(domain_parms): Mark all as Weierstrass.
(_gcry_ecc_fill_in_curve): Check model.
(_gcry_ecc_get_curve): Set model to Weierstrass.
* cipher/ecc-misc.c (_gcry_ecc_model2str): New.
* cipher/ecc.c (generate_key, ecc_generate_ext): Print model in the
debug output.
* mpi/ec.c (_gcry_mpi_ec_dup_point): Switch depending on model.
Factor code out to ...
(dup_point_weierstrass): new.
(dup_point_montgomery, dup_point_twistededwards): New stub functions.
(_gcry_mpi_ec_add_points): Switch depending on model. Factor code out
to ...
(add_points_weierstrass): new.
(add_points_montgomery, add_points_twistededwards): New stub
functions.
* tests/Makefile.am (TESTS): Reorder tests.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/g10lib.h (GCC_ATTR_UNUSED): Define for gcc >= 3.5.
* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Mark dummy
as unused.
* mpi/mpi-internal.h (UDIV_QRNND_PREINV): Mark _ql as unused.
--
Due to the use of macros and longlong.h, we use variables which are
only used by some architectures. At least gcc 4.7.2 prints new
warnings about set but not used variables. This patch silences them.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/amd64/mpi-asm-defs.h: New file.
* random/rndhw.c (poll_padlock) [__x86_64__]: Also check if __LP64__ is
defined.
[USE_DRNG, __x86_64__]: Also check if __LP64__ is defined.
--
In short, x32 is a new x86-64 ABI with 32-bit pointers. Adding support is
straightforward: a small fix for mpi and fixes for random/rndhw.c. AMD64 assembly
functions appear to work fine with x32 and 'make check' passes.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* mpi/config.links [armv6]: Set mpi_cpu_arch to "arm", instead of
"armv6".
--
Without this change, HAVE_CPU_ARCH_ARM stays undefined.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* mpi/mpicoder.c (gcry_mpi_print): Take care of negative zero.
(gcry_mpi_aprint): Allocate at least 1 byte.
* tests/t-convert.c: New.
* tests/Makefile.am (TESTS): Add t-convert.
--
Reported-by: Christian Fuchs
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/armv6/mpi-asm-defs.h: New.
* mpi/armv6/mpih-add1.S: New.
* mpi/armv6/mpih-mul1.S: New.
* mpi/armv6/mpih-mul2.S: New.
* mpi/armv6/mpih-mul3.S: New.
* mpi/armv6/mpih-sub1.S: New.
* mpi/config.links [arm]: Enable ARMv6 assembly.
--
Add mpi assembly for ARMv6 (or later). These are partly based on ARM assembly
found in GMP 4.2.1.
Old vs new (Cortex-A8, 1GHz):
Algorithm         generate  100*sign  100*verify
------------------------------------------------
ECDSA 192 bit        1.14x     1.10x       1.13x
ECDSA 224 bit        1.11x     1.12x       1.12x
ECDSA 256 bit        1.20x     1.13x       1.14x
ECDSA 384 bit        1.13x     1.21x       1.21x
ECDSA 521 bit        1.17x     1.20x       1.22x
Algorithm         generate  100*sign  100*verify
------------------------------------------------
RSA 1024 bit             -     1.31x       1.60x
RSA 2048 bit             -     1.41x       1.47x
RSA 3072 bit             -     1.50x       1.63x
RSA 4096 bit             -     1.50x       1.57x
Algorithm         generate  100*sign  100*verify
------------------------------------------------
DSA 1024/160             -     1.39x       1.38x
DSA 2048/224             -     1.50x       1.51x
DSA 3072/256             -     1.59x       1.64x
NEW:
Algorithm         generate  100*sign  100*verify
------------------------------------------------
ECDSA 192 bit         70ms    1750ms      3170ms
ECDSA 224 bit         90ms    2210ms      4250ms
ECDSA 256 bit        100ms    2710ms      5170ms
ECDSA 384 bit        230ms    5670ms     11040ms
ECDSA 521 bit        540ms   13370ms     25870ms
Algorithm         generate  100*sign  100*verify
------------------------------------------------
RSA 1024 bit         360ms    2200ms        50ms
RSA 2048 bit        2770ms   11900ms       150ms
RSA 3072 bit        6680ms   32530ms       270ms
RSA 4096 bit       10320ms   69440ms       460ms
Algorithm         generate  100*sign  100*verify
------------------------------------------------
DSA 1024/160             -     990ms       910ms
DSA 2048/224             -    3830ms      3410ms
DSA 3072/256             -    8270ms      7030ms
OLD:
Algorithm         generate  100*sign  100*verify
------------------------------------------------
ECDSA 192 bit         80ms    1920ms      3580ms
ECDSA 224 bit        100ms    2470ms      4760ms
ECDSA 256 bit        120ms    3050ms      5870ms
ECDSA 384 bit        260ms    6840ms     13330ms
ECDSA 521 bit        630ms   16080ms     31500ms
Algorithm         generate  100*sign  100*verify
------------------------------------------------
RSA 1024 bit         450ms    2890ms        80ms
RSA 2048 bit        2320ms   16760ms       220ms
RSA 3072 bit       26300ms   48650ms       440ms
RSA 4096 bit       15700ms  103910ms       720ms
Algorithm         generate  100*sign  100*verify
------------------------------------------------
DSA 1024/160             -    1380ms      1260ms
DSA 2048/224             -    5740ms      5140ms
DSA 3072/256             -   13130ms     11510ms
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* mpi/mpiutil.c (gcry_mpi_set): Reset immutable and const flags.
* tests/mpitests.c (test_const_and_immutable): Add a test for this.
--
gcry_mpi_set shall behave like gcry_mpi_copy and thus reset those
special flags. Problem reported by Christian Grothoff.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/mpi-inv.c (gcry_mpi_invm): Return 0 for bad input.
--
Without this patch the function may enter an endless loop.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/mpi-pow.c (gcry_mpi_powm): Always perform the mpi_mul for
exponents in secure memory.
--
The attack is published as http://eprint.iacr.org/2013/448 :
Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
Flush+Reload is a cache side-channel attack that monitors access to
data in shared pages. In this paper we demonstrate how to use the
attack to extract private encryption keys from GnuPG. The high
resolution and low noise of the Flush+Reload attack enables a spy
program to recover over 98% of the bits of the private key in a
single decryption or signing round. Unlike previous attacks, the
attack targets the last level L3 cache. Consequently, the spy
program and the victim do not need to share the execution core of
the CPU. The attack is not limited to a traditional OS and can be
used in a virtualised environment, where it can attack programs
executing in a different VM.
(cherry picked from commit 55237c8f6920c6629debd23db65e90b42a3767de)