"Fossies" - the Fresh Open Source Software Archive 
Member "libgcrypt-1.10.3/ChangeLog" (14 Nov 2023, 717008 Bytes) of package /linux/misc/libgcrypt-1.10.3.tar.bz2:
2023-11-14  Werner Koch  <wk@gnupg.org>

	Release 1.10.3.
	+ commit aa1610866f8e42bdc272584f0a717f32ee050a22


2023-11-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpih_mod: avoid unintentional conditional branch.
	+ commit 11973c2219da0f732338cf080a4edeb6a89c313e
	* mpi/mpih-const-time.c (_gcry_mpih_mod): Avoid conditional branch
	on the_bit extraction.

	mpih-const-time: use constant-time comparisons conditional add/sub/abs.
	+ commit 74588de441fd98f6dd99132e67e0c2632cb2a6bd
	* mpi/mpih-const-time.c (mpih_ct_limb_greater_than)
	(mpih_ct_limb_less_than): New.
	(_gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_abs_cond): Use
	mpih_ct_limb_greater_than and mpih_ct_limb_less_than for comparisons.

	const-time: add functions for generating masks from 0/1 input.
	+ commit 01e7052cb245619280769f683d697d6b2f68e041
	* mpi/ec-nist.c (_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
	(_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): Use mask
	generating functions.
	* mpi/mpi-internal.h (ct_limb_gen_mask, ct_limb_gen_inv_mask): New.
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond, _gcry_mpih_add_n_cond)
	(_gcry_mpih_sub_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_swap_cond):
	Use mask generating functions.
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Use mask
	generating functions.
	* src/const-time.h (DEFINE_CT_TYPE_GEN_MASK, ct_uintptr_gen_mask)
	(ct_ulong_gen_mask, DEFINE_CT_TYPE_GEN_INV_MASK)
	(ct_uintptr_gen_inv_mask, ct_ulong_gen_inv_mask): New.
	(DEFINE_CT_TYPE_SELECT_FUNC): Use mask generating functions.
	* src/const-time.c (_gcry_ct_memmov_cond): Use mask generating
	functions.

	ec: avoid unintentional condition branches for 25519, 448 and 256k1.
	+ commit 237523b49f423be66261fa769e4558a36b84d15f
	* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519, ec_addm_448)
	(ec_subm_448, ec_mulm_448, ec_secp256k1_mod): Use mpih_limb_is_zero
	and mpih_limb_is_not_zero instead of comparison to zero.

	ec-nist: avoid unintentional conditional branch by comparison.
	+ commit 2ed34074474650a50592fa86d9639614aa86476b
	* mpi/ec-nist.c (_gcry_mpi_ec_nist521_mod): Use mpih_limb_is_not_zero.
	* mpi/mpi-internal.h (mpih_limb_is_not_zero): New.

	mpih_cmp_ui: avoid unintentional conditional branch.
	+ commit 9acddd8b95e14fb7c82c96881c1ac9000a46d703
	* mpi/mpi-internal.h (mpih_limb_is_zero): New.
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): Use mpih_limb_is_zero
	instead of comparison.

	ec-nist: use global vone and vzero.
	+ commit 610667fb2558ac5aae1393b99ceec3e50199e901
	* mpi/ec-nist.c (vzero, vone): Remove.
	(_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
	(_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): Use _gcry_ct_vzero
	and _gcry_ct_vone.

	mpiutil: use global vone and vzero.
	+ commit 6377725ed01e090bea1223256f58eae0bfcc2021
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Use
	_gcry_ct_vzero and _gcry_ct_vone.

	mpih-const-time: use global vzero/vone variable.
	+ commit 15cd08ae4c1e7fccda89a42bb3e87f15dab4452f
	* mpi/mpih-const-time.c (vzero, vone): Remove.
	(_gcry_mpih_set_cond, _gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond)
	(_gcry_mpih_swap_cond, _gcry_mpih_abs_cond): Use _gcry_ct_vzero and
	_gcry_ct_vone.

2023-11-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	const-time: ct_memmov_cond: switch to use dual mask approach.
	+ commit 9c0984ed2c553289a744197791a6683f4bd2ce18
	* src/const-time.c (_gcry_ct_memmov_cond): Use dual mask + AND/OR
	instead of single mask + XOR.

	const-time: prefix global symbols with _gcry_
	+ commit 3fa1b81c92e5694ef0f2d01885eccbbc9944d267
	* cipher/const-time.c (ct_not_memequal, ct_memequal)
	(ct_memmov_cond): Rename these to ...
	(_gcry_ct_not_memequal, _gcry_ct_memequal)
	(_gcry_ct_memmov_cond): ... these.
	* cipher/const-time.h (ct_not_memequal, ct_memequal)
	(ct_memmov_cond): Rename these to ...
	(_gcry_ct_not_memequal, _gcry_ct_memequal)
	(_gcry_ct_memmov_cond): ... these.
	(ct_not_memequal, ct_memequal, ct_memmov_cond): New macros.

	mpih_set_cond: restore EM leakage mitigation.
	+ commit 7f0eb519897b05e41fe43b0981453181266d457c
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond): Replace single mask + XOR
	with dual mask + AND/OR; Add comment about reason for dual mask usage.
	(_gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_swap_cond)
	(_gcry_mpih_abs_cond): Add comment about reason for dual mask usage.

	rsa, elgamal: avoid logical not operator in constant-time code.
	+ commit 3583e2ebcad55bde178acc7a862cda30d1f2cd97
	* cipher/elgamal.c (elg_decrypt): Replace ! operator with calls to
	ct_is_not_zero/ct_is_zero/ct_ulong_select.
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_decode_for_enc): Replace !
	operator with call to ct_is_zero.
	* cipher/rsa.c (rsa_decrypt): Replace ! operator with calls to
	ct_is_not_zero/ct_is_zero/ct_ulong_select.
	* src/const-time.c (_gcry_ct_vzero, _gcry_ct_vone): New.
	* src/const-time.h (_gcry_ct_vzero, _gcry_ct_vone): New.
	(ct_is_not_zero, ct_is_zero, DEFINE_CT_TYPE_SELECT_FUNC)
	(ct_uintptr_select, ct_ulong_select): New.
	(sexp_null_cond): Use ct_uintptr_select.

	const-time: always avoid comparison operator for byte comparison.
	+ commit 5e9ba851948f97cd3fb70de474b87609b150d06a
	* configure.ac: Remove POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON
	macro.
	* src/const-time.h (ct_not_equal_byte): Remove
	POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON ifdef.

	Use single constant-time memory comparison implementation.
	+ commit 892bc25ff74b1fb84259babd4292da399dc3b185
	* src/const-time.c (ct_not_memequal): Use original 'buf_eq_const'
	implementation here.
	(ct_memequal): New.
	* cipher/bufhelp.h (buf_eq_const): Call to 'ct_memequal'.

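The Jussi Kivilinna entries of 2023-11-07 and 2023-11-06 above describe one toolkit: masks generated from a 0/1 input, limb zero tests and comparisons done without comparison operators, and conditional add/subtract/select built from those masks, with a dual-mask AND/OR select preferred over a single mask and XOR for electromagnetic-leakage reasons. The C program below is an added illustration written for this page, not libgcrypt's code: the names ct_gen_mask, ct_less_than, ct_select, ct_add_n_cond and so on are hypothetical stand-ins for the helpers the entries name, and the two-limb vectors in run_checks are constructed.

```c
#include <assert.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not libgcrypt code: branch-free helpers in the style
 * the ChangeLog entries describe.  A "limb" here is one unsigned long. */
typedef unsigned long limb_t;
#define LIMB_BITS (sizeof (limb_t) * CHAR_BIT)

/* Mask from a 0/1 input: b == 1 -> all ones, b == 0 -> all zeros. */
static limb_t ct_gen_mask (limb_t b)     { return (limb_t)0 - b; }
/* Inverse mask: b == 1 -> all zeros, b == 0 -> all ones. */
static limb_t ct_gen_inv_mask (limb_t b) { return b - (limb_t)1; }

/* 1 if a == 0, else 0: the top bit of (a | -a) is set exactly when a != 0. */
static limb_t ct_is_zero (limb_t a)     { return ~(a | ((limb_t)0 - a)) >> (LIMB_BITS - 1); }
static limb_t ct_is_not_zero (limb_t a) { return  (a | ((limb_t)0 - a)) >> (LIMB_BITS - 1); }

/* 1 if a < b (unsigned): the borrow bit of a - b, with no comparison operator. */
static limb_t ct_less_than (limb_t a, limb_t b)
{
  return ((~a & b) | (~(a ^ b) & (a - b))) >> (LIMB_BITS - 1);
}
static limb_t ct_greater_than (limb_t a, limb_t b) { return ct_less_than (b, a); }

/* Select a (cond == 1) or b (cond == 0) with two masks and AND/OR.  The
 * single-mask form b ^ ((a ^ b) & mask) computes the same value; the entries
 * above prefer the dual-mask form to reduce electromagnetic leakage. */
static limb_t ct_select (limb_t a, limb_t b, limb_t cond)
{
  limb_t m = ct_gen_mask (cond), im = ct_gen_inv_mask (cond);
  return (a & m) | (b & im);
}

/* w = u + (cond ? v : 0) over n limbs; returns the carry.  Every limb of v
 * is read and every limb of w written whether or not cond is set. */
static limb_t ct_add_n_cond (limb_t *w, const limb_t *u, const limb_t *v,
                             size_t n, limb_t cond)
{
  limb_t mask = ct_gen_mask (cond), carry = 0;
  for (size_t i = 0; i < n; i++)
    {
      limb_t x = v[i] & mask;
      limb_t s = u[i] + x;
      limb_t c1 = ct_less_than (s, u[i]);   /* wrapped on the first add */
      limb_t t = s + carry;
      limb_t c2 = ct_less_than (t, s);      /* wrapped on the carry add */
      w[i] = t;
      carry = c1 | c2;
    }
  return carry;
}

/* w = u - (cond ? v : 0) over n limbs; returns the borrow. */
static limb_t ct_sub_n_cond (limb_t *w, const limb_t *u, const limb_t *v,
                             size_t n, limb_t cond)
{
  limb_t mask = ct_gen_mask (cond), borrow = 0;
  for (size_t i = 0; i < n; i++)
    {
      limb_t x = v[i] & mask;
      limb_t b1 = ct_less_than (u[i], x);
      limb_t d = u[i] - x;
      limb_t b2 = ct_less_than (d, borrow);
      w[i] = d - borrow;
      borrow = b1 | b2;
    }
  return borrow;
}

/* Constructed two-limb vectors: (2^LIMB_BITS - 1) + 1 must carry into the
 * high limb only when cond == 1.  Returns 0 when every result matches. */
static int run_checks (void)
{
  limb_t u[2] = { ~(limb_t)0, 0 }, v[2] = { 1, 0 }, w[2];
  int bad = 0;
  bad |= ct_add_n_cond (w, u, v, 2, 1) != 0 || w[0] != 0 || w[1] != 1;
  bad |= ct_add_n_cond (w, u, v, 2, 0) != 0 || w[0] != ~(limb_t)0 || w[1] != 0;
  bad |= ct_sub_n_cond (w, v, u, 2, 1) != 1 || w[0] != 2 || w[1] != ~(limb_t)0;
  bad |= ct_sub_n_cond (w, v, u, 2, 0) != 0 || w[0] != 1 || w[1] != 0;
  bad |= ct_select (7, 9, 1) != 7 || ct_select (7, 9, 0) != 9;
  return bad;
}

int main (void)
{
  printf ("is_zero(0)=%lu is_not_zero(5)=%lu less_than(3,5)=%lu greater_than(3,5)=%lu checks=%d\n",
          ct_is_zero (0), ct_is_not_zero (5), ct_less_than (3, 5),
          ct_greater_than (3, 5), run_checks ());
  return run_checks ();
}
```

The property each helper aims for is that the executed instruction sequence does not depend on the secret operand: a comparison is reduced to the borrow bit of a subtraction, and a conditional add reads every limb of v and writes every limb of w for both values of cond. Whether the compiler preserves that property has to be confirmed on the generated assembly at the optimisation level actually used, which is what the "unintentional conditional branch" entries above are about.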
2023-11-06  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix ElGamal decryption.
	+ commit 2839aaee3e6eed6a96f0a798b02eef7e0302c7e7
	* cipher/elgamal.c (elg_decrypt): Call sexp_build always.
	* cipher/rsa.c (rsa_decrypt): Return an error code of sexp_build
	when RC != 0.

	rsa: Use memmov_independently when unpadding.
	+ commit c98b5e4a147170d578504498ba355a77de00b0f1
	* cipher/rsa-common.c (memmov_independently): New.
	(_gcry_rsa_pkcs1_decode_for_enc): Use memmov_independently.
	(_gcry_rsa_oaep_decode): Use memmov_independently.

	const-time: Add ct_memmov_cond, fix _gcry_mpih_set_cond.
	+ commit 45945be8f3c3a77ce3e86ebda7d814defcd3f76b
	* src/const-time.c (ct_memmov_cond): New.
	* src/const-time.h (ct_memmov_cond): New.
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond): Use XOR and a MASK.

	const-time: Use ct_not_memequal, instead. Tested with AVR.
	+ commit e8072d8d32558c289ad4cf7b5be26a25eda03c20
	* cipher/rsa-common.c (_gcry_rsa_oaep_decode): Use ct_not_memequal.
	* src/const-time.c (ct_not_memequal): Use ct_not_equal_byte.
	* src/const-time.h (ct_not_memequal): Rename from ct_memequal.

	build: Check if arch is VAX or compiler is MSVC.
	+ commit fee1e63c7286cb12ff973ea446bc019f575887d2
	* configure.ac (AH_BOTTOM): Add check for VAX and MSVC.
	* src/const-time.h (POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON):
	Rename.

	rsa: Fix decoding of PKCS#1 v1.5 and OAEP padding.
	+ commit 45c9920201687754719ddc15a88a25018a552695
	* src/Makefile.am (libgcrypt_la_SOURCES): Add const-time.h and
	const-time.c.
	* src/const-time.h (ct_not_equal_byte, sexp_null_cond): New.
	(ct_memequal): New from NetBSD, modified return type and name.
	* src/const-time.c: New.
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_decode_for_enc): Examine the
	whole sequence of the byte-array. Use N0 to find the separator position,
	with ct_not_equal_byte. Return the MPI even in the case of an error.
	* cipher/rsa-common.c (_gcry_rsa_oaep_decode): Use ct_memequal to
	check LHASH. Examine the whole sequence of the byte-array. Use N1 to
	find the separator of 0x01. Return the MPI even in the case of an
	error.
	* cipher/rsa.c (rsa_decrypt): Always build a SEXP.

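The NIIBE Yutaka entries of 2023-11-06 above give the shape of the hardened RSA decoder: a byte comparison that does not use == or !=, a memory comparison that OR-accumulates over every byte, a conditional memory move driven by masks, and a PKCS#1 v1.5 decoder that examines the whole encoded block, locates the separator with that byte comparison and still produces an output buffer when the padding is wrong. The C program below is an added illustration for this page, not libgcrypt's code: the function names mirror those in the entries but the bodies are hypothetical, the position-independent copy is a simple masked selection over all candidate offsets rather than whatever memmov_independently does in libgcrypt, and the vectors in the check_* functions are constructed.

```c
#include <assert.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not libgcrypt code: byte-level constant-time helpers
 * and a PKCS#1 v1.5 (type 2) unpadding routine that examines every byte. */

/* 1 if a != b, else 0, without == or !=: the top bit of (x | -x) is set
 * exactly when x != 0. */
static unsigned char ct_not_equal_byte (unsigned char a, unsigned char b)
{
  unsigned char x = a ^ b;
  return (unsigned char)((x | (unsigned char)(0u - x)) >> 7);
}

/* 1 if the buffers differ anywhere.  Every byte is visited and the results
 * OR-ed, so the running time does not depend on where they first differ. */
static unsigned int ct_not_memequal (const void *a, const void *b, size_t n)
{
  const unsigned char *pa = a, *pb = b;
  unsigned char acc = 0;
  for (size_t i = 0; i < n; i++)
    acc |= ct_not_equal_byte (pa[i], pb[i]);
  return acc;
}
static unsigned int ct_memequal (const void *a, const void *b, size_t n)
{
  return ct_not_memequal (a, b, n) ^ 1;
}

/* Copy src to dst when cond == 1, keep dst when cond == 0, with two masks
 * and AND/OR.  Both buffers are read and dst rewritten either way. */
static void ct_memmov_cond (unsigned char *dst, const unsigned char *src,
                            size_t n, unsigned int cond)
{
  unsigned char take = (unsigned char)(0u - cond);   /* 0xff or 0x00 */
  unsigned char keep = (unsigned char)(cond - 1u);   /* 0x00 or 0xff */
  for (size_t i = 0; i < n; i++)
    dst[i] = (src[i] & take) | (dst[i] & keep);
}

/* size_t flavours: 1 if a == b, 1 if a < b, again without comparisons. */
#define SZ_BITS (sizeof (size_t) * CHAR_BIT)
static size_t ct_eq_sz (size_t a, size_t b)
{
  size_t x = a ^ b;
  return ~(x | (0 - x)) >> (SZ_BITS - 1);
}
static size_t ct_lt_sz (size_t a, size_t b)
{
  return ((~a & b) | (~(a ^ b) & (a - b))) >> (SZ_BITS - 1);
}

/* Unpad EM = 0x00 || 0x02 || PS (>= 8 nonzero bytes) || 0x00 || M.
 * Returns 1 for a malformed block, 0 otherwise.  The whole block is scanned,
 * the separator index is tracked with masks, and M is copied out by a masked
 * selection that never uses the index to address memory, so the work done is
 * the same for every block of the same length.  On error the caller still
 * gets a (meaningless) buffer and *mlen == 0.  out must hold emlen - 11 bytes. */
static unsigned int pkcs1_v15_unpad_ct (const unsigned char *em, size_t emlen,
                                        unsigned char *out, size_t *mlen)
{
  unsigned int bad = 0;
  size_t sep = 0, found = 0;

  if (emlen < 11)           /* block length is public; no secret involved */
    { *mlen = 0; return 1; }

  bad |= ct_not_equal_byte (em[0], 0x00);
  bad |= ct_not_equal_byte (em[1], 0x02);
  for (size_t i = 2; i < emlen; i++)
    {
      size_t is_zero = (size_t)(ct_not_equal_byte (em[i], 0x00) ^ 1);
      size_t take = is_zero & (found ^ 1);         /* first zero byte only */
      size_t m = 0 - take;
      sep = (i & m) | (sep & ~m);
      found |= take;
    }
  bad |= (unsigned int)(found ^ 1);               /* no separator at all */
  bad |= (unsigned int) ct_lt_sz (sep, 10);       /* PS shorter than 8 bytes */

  size_t maxlen = emlen - 11;                     /* out[j] = em[sep + 1 + j] */
  for (size_t j = 0; j < maxlen; j++)
    {
      unsigned char v = 0;
      for (size_t i = 11; i < emlen; i++)
        v |= em[i] & (unsigned char)(0 - (unsigned char) ct_eq_sz (i, sep + 1 + j));
      out[j] = v;
    }
  *mlen = (emlen - sep - 1) & (0 - (size_t)(bad ^ 1));
  return bad;
}

/* Constructed vectors: a well-formed block carrying "hi", the same block with
 * a wrong block type, and a conditional move in both directions. */
static int check_unpad_good (void)
{
  const unsigned char em[] = { 0x00, 0x02, 1, 2, 3, 4, 5, 6, 7, 8, 0x00, 'h', 'i' };
  unsigned char out[sizeof em];
  size_t mlen;
  unsigned int bad = pkcs1_v15_unpad_ct (em, sizeof em, out, &mlen);
  return bad == 0 && mlen == 2 && ct_memequal (out, "hi", 2);
}
static int check_unpad_bad (void)
{
  const unsigned char em[] = { 0x00, 0x01, 1, 2, 3, 4, 5, 6, 7, 8, 0x00, 'h', 'i' };
  unsigned char out[sizeof em];
  size_t mlen;
  return pkcs1_v15_unpad_ct (em, sizeof em, out, &mlen) == 1 && mlen == 0;
}
static int check_memmov_cond (void)
{
  unsigned char dst[4] = { 1, 2, 3, 4 };
  const unsigned char src[4] = { 9, 9, 9, 9 };
  ct_memmov_cond (dst, src, 4, 0);
  int kept = ct_memequal (dst, "\1\2\3\4", 4);
  ct_memmov_cond (dst, src, 4, 1);
  return kept && ct_memequal (dst, src, 4);
}

int main (void)
{
  printf ("unpad good=%d  unpad bad=%d  memmov_cond=%d\n",
          check_unpad_good (), check_unpad_bad (), check_memmov_cond ());
  return 0;
}
```

The decoder's error flag is returned separately from the buffer rather than by an early return, which is the design the "Return the MPI even in the case of an error" and "Always build a SEXP" lines above describe: the caller performs the same amount of work for a good and a bad block and only afterwards decides what to report.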
2023-10-06  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: String with \0 is considered "binary".
	+ commit 49e1e67f4e4e9f520586dc4ea8a8f2630bbf6e9c
	* src/sexp.c (suitable_encoding): It's "binary" when
	the buffer contains '\0'.

2023-09-01  NIIBE Yutaka  <gniibe@fsij.org>

	build: Change the default for --with-libtool-modification.
	+ commit 09ab619488455b0f9f27f2c8291ea646b089c13e
	* configure.ac (--with-libtool-modification): default=never.

2023-08-22  NIIBE Yutaka  <gniibe@fsij.org>

	build: New configure option --with-libtool-modification.
	+ commit 0ddc823e331c2a38b71f887abc917d8a5a9003af
	* Makefile.am (EXTRA_DIST): Add build-aux/libtool-patch.sed.
	* build-aux/libtool-patch.sed: New.
	* configure.ac (--with-libtool-modification): New.

2023-07-14  Bernhard Reiter  <bernhard@intevation.de>

	build: Fix the notice in configure.ac.
	+ commit c8ee15dfe8696c58ba493b118f6eff1c095e02ae
	* configure.ac: Fix typo.

2023-06-19  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:pubkey: Check digest size which should not be zero.
	+ commit 8cdd0d353e19a4514dfe3c99146d17f07bf0fb4d
	* cipher/pubkey.c (gcry_pk_sign_md): Check the digest size
	before calling _gcry_md_read.

2023-06-16  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Allow KDF measurement in FIPS mode.
	+ commit 5547e5255c465e99ccd3ffce2b7622e75f2d89a4
	* tests/bench-slope.c (bench_kdf_init): Tweak the iterations in FIPS
	mode.
	(bench_kdf_do_bench): Use larger values to avoid rejection in FIPS
	mode.

	cipher:kdf: Move FIPS mode check to _gcry_kdf_derive.
	+ commit 2c8562ca5a49edc0c82c8c4775edebabc31cf09e
	* cipher/kdf.c (_gcry_kdf_pkdf2): Move the checks to...
	(_gcry_kdf_derive): ... here.

	Remove out of core handler setting message in FIPS mode.
	+ commit d37ad2823f849ce71b509245ecc169835cf80d1e
	* src/global.c (_gcry_set_outofcore_handler): Don't call log_info.

	cipher:ecc: Fix an error-path to release the KEY correctly.
	+ commit 31adc78fa503be388af430e9b218a83fb4b1ea7f
	* cipher/ecc.c (ecc_generate): Set *R_SKEY to NULL.

2023-06-15  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:pubkey: Fix non-use of flexible array member.
	+ commit 297c5a47837cfd94ed5b317b45f6e776502dd2cd
	* cipher/pubkey.c (struct pk_single_data): Use 1 as the size.
	(_gcry_pk_single_data_push): Use offsetof.

	cipher:ecc: Fix public key computation for EdDSA.
	+ commit b863ec507dae17fe2c38653e1ccf22de62b68ac4
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Fix hard-coded length
	for digest lower bits.

2023-06-02  Werner Koch  <wk@gnupg.org>

	mpicalc: Allow for addm and subm.
	+ commit 2974a635e5d3ca477508527f5c401619879cb19f
	* src/mpicalc.c (do_add, do_sub): Add arg usemod.
	(main): Add operator 'M'.

2023-04-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	doc: add documentation for GCRYCTL_SET_ALLOW_WEAK_KEY.
	+ commit 7cdfc869b7afa057839fd361bfff9140cfbe63ed
	* doc/gcrypt.texi: Add 'GCRYCTL_SET_ALLOW_WEAK_KEY' under
	'gcry_cipher_ctl'.

	Revert "cipher: Fix edge case for SET_ALLOW_WEAK_KEY."
	+ commit 9b1ee0574ed96800429aa9488b6dcb11a5407542
	* cipher/cipher.c (cipher_setkey): Do not reset RC.

2023-04-16  Werner Koch  <wk@gnupg.org>

	cipher: Fix edge case for SET_ALLOW_WEAK_KEY.
	+ commit b75a58df84a5137954cb678adf8c202b39ee1def
	* cipher/cipher.c (cipher_setkey): Reset RC.

2023-04-11  NIIBE Yutaka  <gniibe@fsij.org>

	random: Use getrandom only when it's appropriate.
	+ commit d41177937cea4aa1e9042ebcd195a349c40e8071
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random)
	[GRND_RANDOM]: Conditionalize the use of getrandom, as it's
	not a portable function.

2023-04-06  Werner Koch  <wk@gnupg.org>

	Release 1.10.2.
	+ commit 1c5cbacf3d88dded5063e959ee68678ff7d0fa56


2023-04-04  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Enable the fast path to ChaCha20 only when supported.
	+ commit 4128f73d3a83c7f901924488c3bbf047b75db20f
	* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_encrypt)
	(_gcry_cipher_poly1305_decrypt) [USE_CHACHA20]: Conditionalize.

	build: Allow build with -Oz.
	+ commit f2ab06bc3cccd1f6c9a012275d90df9f3956572b
	* cipher/Makefile.am [ENABLE_O_FLAG_MUNGING]: Support -Oz.
	* random/Makefile.am [ENABLE_O_FLAG_MUNGING]: Support -Oz.

2023-04-03  NIIBE Yutaka  <gniibe@fsij.org>

	m4: Update gpg-error.m4.
	+ commit c118a8ddd0224f951f26ae78d58d0eed5ee35779
	* m4/gpg-error.m4: Update from libgpg-error master.

2023-03-24  NIIBE Yutaka  <gniibe@fsij.org>

	fips: More elaborate way of getting FIPS pk flags indicators.
	+ commit f6f345fe89b0a61408bbc72058ab42ac6e6a7577
	* src/fips.c (_gcry_fips_indicator_pk_flags): List more allowed string
	in the S-expression.
	* doc/gcrypt.texi: Add document for the FIPS service indicator
	GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS with example.

2023-03-23  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4.
	+ commit f815ae113a2a914b0d20f0eb36d91c0351d5a797
	* m4/gpg-error.m4: Update from libgpg-error master.

2023-03-14  Jakub Jelen  <jjelen@redhat.com>

	tests: Improve test coverage for FIPS service indicators.
	+ commit 22cb410dd4456a84b5bde8be6a907afdc38a792b
	* tests/basic.c (check_digests): Check the FIPS indicators.
	(check_mac): Ditto.

	fips: Explicitly disable overriding random in FIPS mode.
	+ commit 251f1749900e355ee6b027ee6a5c070eba16c85f
	* src/fips.c (_gcry_fips_indicator_function): Mark using random
	override non-approved in FIPS mode.

	fips: Mark gcry_pk_encrypt/decrypt function non-approved.
	+ commit 051bbe84d889b413f158c665e5cc25b26c820388
	* src/fips.c (_gcry_fips_indicator_function): Add
	gcry_pk_encrypt/decrypt as non-approved.

	fips: Fix fips indicator function.
	+ commit 6805d76b7ed4886f00bf704c77b0549408097219
	* src/fips.c (_gcry_fips_indicator_function): Fix typo in sign/verify
	function names.

	fips: Explicitly allow only some PK flags.
	+ commit 0b2b30c0c42fa2fea646a83a1f21a99f7a902853
	* src/fips.c (_gcry_fips_indicator_pk_flags): New function for explicit
	FIPS indicator for public key algorithm flags.
	* src/g10lib.h (_gcry_fips_indicator_pk_flags): New.
	* src/gcrypt.h.in (GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS): New.
	* src/global.c (_gcry_vcontrol): Handle the new option.
	* doc/gcrypt.texi: Document new options.

2023-03-14  Tobias Heider  <tobias.heider@canonical.com>

	doc: Document the new FIPS indicators.
	+ commit fcb9ec67a11763ca10fa1b64166c206da95eb006
	* doc/gcrypt.texi: Document the new options for FIPS indicators.

2023-03-08  Tobias Heider  <tobias.heider@canonical.com>

	fips: Unblock MD5 in fips mode but mark non-approved in indicator.
	+ commit 0024db5afee825185ddf26cd9a91f563b8c11b1a
	* cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): Allow in fips mode.
	* cipher/md5.c (_gcry_digest_spec_md5): Allow in fips mode.

	fips: Add explicit indicators for md and mac algorithms.
	+ commit a51f0e66842ae989cd3966e5ef5eb1f62a3576b1
	* src/fips.c (_gcry_fips_indicator_mac): New function indicating
	non-approved mac algorithms.
	(_gcry_fips_indicator_md): New function indicating non-approved
	message digest algorithms.
	* src/g10lib.h (_gcry_fips_indicator_mac): New function.
	(_gcry_fips_indicator_md): Ditto.
	* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols,
	GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and
	GCRYCTL_FIPS_SERVICE_INDICATOR_MD.
	* src/global.c (_gcry_vcontrol): Handle new FIPS indicators.

2023-03-07  Jakub Jelen  <jjelen@redhat.com>

	kdf: Update tests in regards to the allowed parameters in FIPS mode.
	+ commit 397ff085749e5b47095827d19561332a67007c02
	* cipher/kdf.c (check_one): run selftests for more approved parameters
	and check that wrong parameters correctly fail in FIPS mode.

	fips: Check return value from ftell.
	+ commit 076dd2ffcd953d80172770d8bb98c2c945dad7c9
	* src/fips.c (get_file_offset): Check return value of ftell to be able
	to detect errors.

	random: Remove unused SHA384 DRBGs.
	+ commit 4cff7e739829294d5f4a364d35584b42ef81af9f
	* random/random-drbg.c (global): Remove unused SHA384-based defines.
	(drbg_cores): Remove SHA384 configurations.
	(drbg_sec_strength): Remove unused SHA384.

	visibility: Check FIPS operational status for MD+Sign operation.
	+ commit fc19b27b543910833096a738dae0703b3dc57d51
	* src/visibility.c (gcry_pk_hash_sign): Check fips status before
	calling the operation itself.
	(gcry_pk_hash_verify): Ditto.

	ecc: Make the PCT recoverable in FIPS mode and consistent with RSA.
	+ commit c41d4f502f1b8aa08b2a79cbee3c8cd73e73adbe
	* cipher/ecc.c (test_keys_fips): Replace calls to log_fatal with
	return code on error.
	(ecc_generate): Signal error when PCT fails in FIPS mode.

	ecc: Do not allow skipping tests in FIPS Mode.
	+ commit 44a3f26539f7e88a77bbf4fe5d35ddd24f87ffcd
	* cipher/ecc.c (ecc_generate): Do not allow skipping PCT tests
	in FIPS mode.

2023-01-23  Jakub Jelen  <jjelen@redhat.com>

	fips: Remove GCM mode from the allowed FIPS indicators.
	+ commit 1540698389ba2091baab6e020e5ec7b0d0eead59
	* src/fips.c (_gcry_fips_indicator_cipher): Do not mark GCM mode as
	FIPS approved.

2022-12-16  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix m4 macros for strict C compiler.
	+ commit b1a3424e7f8030361c2e4806920e60ec06c1d9e3
	* m4/ax_cc_for_build.m4: Fix for no arg.
	* m4/noexecstack.m4: Likewise.

	build: Fix configure.ac for strict C99.
	+ commit 83ea195b61d571e48f53803d2d297ec02035ae36
	* configure.ac: Add function declarations for asm functions.

2022-12-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	t-rsa-testparm: fix 'function declaration isn’t a prototype' warning.
	+ commit bdeea2a53e9ef869caa2f8ae2dd876ad397aed12
	* cipher/t-rsa-testparm.c (check_rsa_testparm): Define parameters as
	void.

2022-12-07  Jakub Jelen  <jjelen@redhat.com>

	fips,rsa: Prevent usage of X9.31 keygen in FIPS mode.
	+ commit 392e0ccd25f397d789a1cb59fae2f3faae46e78b
	* cipher/rsa.c (rsa_generate): Do not accept use-x931 or derive-parms
	in FIPS mode.
	* tests/pubkey.c (get_keys_x931_new): Expect failure in FIPS mode.
	(check_run): Skip checking X9.31 keys in FIPS mode.
	* doc/gcrypt.texi: Document "test-parms" and clarify some cases around
	the X9.31 keygen.

2022-12-05  Jakub Jelen  <jjelen@redhat.com>

	rsa: Prevent usage of long salt in FIPS mode.
	+ commit fdd2a8b3329eb892f90d2cd803762ef06222c226
	* cipher/rsa-common.c (_gcry_rsa_pss_encode): Prevent usage of large
	salt lengths
	(_gcry_rsa_pss_verify): Ditto.
	* tests/basic.c (check_pubkey_sign): Check longer salt length fails in
	FIPS mode
	* tests/t-rsa-pss.c (one_test_sexp): Fix function name in error message

2022-11-18  Jakub Jelen  <jjelen@redhat.com>

	fips: Mark AES key wrapping as approved.
	+ commit 20ad5df60b035e721de7cfc40cd76a1a13051072
	* src/fips.c (_gcry_fips_indicator_cipher): Add key wrapping mode as
	approved.

	pkdf2: Add checks for FIPS.
	+ commit 057844700ec2e652249b0b80136229c049d41975
	* cipher/kdf.c (_gcry_kdf_pkdf2): Require 8 chars passphrase for FIPS.
	Set bounds for salt length and iteration count in FIPS mode.

2022-11-01  NIIBE Yutaka  <gniibe@fsij.org>

	build: Prefer gpgrt-config when available.
	+ commit 5191379da3ad653fcf08ab1babb486ca952d1643
	* src/libgcrypt.m4: Overriding the decision by
	--with-libgcrypt-prefix, use gpgrt-config libgcrypt when gpgrt-config
	is available.

2022-10-27  Jakub Jelen  <jjelen@redhat.com>

	hmac,hkdf: Check the HMAC key length in FIPS mode.
	+ commit e7b1fbda6a9e0b6bf99062fc86139445a4e0766e
	* src/visibility.c (gcry_md_setkey): Add the check here, too.

	Revert "kdf:pkdf2: Require longer input when FIPS mode."
	+ commit 7f4fafb5564dec6fe65f0e93a1125cb6ddb4d1ed
	* cipher/kdf.c (_gcry_kdf_pkdf2): Remove the length limitation of
	passphrase input length.

2022-10-24  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4.
	+ commit e2c0920fd7dea6e254badd12958982c66080b7db
	* m4/gpg-error.m4: Update from libgpg-error 1.46.

2022-10-06  Jakub Jelen  <jjelen@redhat.com>

	tests: Reproducer for short dklen in FIPS mode.
	+ commit e235f38f9b9fc3cd4464bbf9081da765d46ce87d
	* tests/t-kdf.c (check_pbkdf2): Add test vector with short dklen and
	verify it fails in FIPS mode

	random: Extend the comment about FIPS specifics.
	+ commit 96615490c7b1d5f77de7f7f2b77e775540f7f6bf
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Clarify
	description of the chaining DRBG in FIPS mode.

2022-10-04  Jakub Jelen  <jjelen@redhat.com>

	random: Get maximum 32B of entropy at once in FIPS Mode.
	+ commit ce0df08bbab741cd2ad19a5a0e8b65fb62774f87
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): In fips
	mode, gather max 32 B of strong entropy for initialization.

	keccak: Use size_t to avoid integer overflow.
	+ commit 9ee2d56e806b8018fa3ae354a65f1e70bf73dede
	* cipher/keccak-armv7-neon.S: Fix function name in comment and change
	parameter type to size_t.
	* cipher/keccak.c (keccak_ops_t): Change absorb function signature to
	use size_t.
	(keccak_absorb_lanes64_avx512): Change nlanes type to size_t.
	(_gcry_keccak_absorb_lanes64_armv7_neon): Ditto.
	(keccak_absorb_lanes64_armv7_neon): Ditto.
	(keccak_absorb_lanes32bi): Ditto.
	(keccak_absorb_lanes32bi_bmi2): Ditto.
	(keccak_write): Change nlanes variable to use size_t and avoid
	overflow when calculating count.
	* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): Change
	nlanes argument to use size_t.

2022-10-04  Tobias Heider  <tobias.heider@canonical.com>

	kdf:pkdf2: Check minimum allowed key size when running in FIPS mode.
	+ commit 52d48b710470dd48dd2a32a439898ece10ef05fd
	* cipher/kdf.c (_gcry_kdf_pkdf2): Add output length check.

2022-10-04  NIIBE Yutaka  <gniibe@fsij.org>

	kdf:pkdf2: Require longer input when FIPS mode.
	+ commit d09d3d33c79daa2f8d385dfedf3f20ad205b0fba
	* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.

2022-09-22  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix configure script.
	+ commit 44812a1d96fc003e6e0d01270c514b91e295d300
	* configure.ac (AC_USE_SYSTEM_EXTENSIONS): Use it earlier.

2022-09-22  Clemens Lang  <cllang@redhat.com>

	fips: Skip PCT if RSA keygen test-parms specified.
	+ commit 4963c127ae698d98f30483ba9d15d093aae4e51d
	* cipher/rsa.c (rsa_generate): Skip PCT if test-parms were specified.
	* tests/t-rsa-testparm.c: Add test for this functionality
	* tests/Makefile.am: Add test to build system

	build: Skip PK-specific tests if algo is disabled.
	+ commit 1524b60a7ccc17fb82e91b90236a88a27b113175
	* configure.ac: Define AM_CONDITIONALs for USE_DSA, USE_RSA,
	USE_ELGAMAL, USE_ECC so Makefiles can depend on them.
	* tests/Makefile.am: Skip tests that test only one public key algorithm
	if that algorithm is disabled.

2022-09-20  NIIBE Yutaka  <gniibe@fsij.org>

	Fix _gcry_err_code_to_errno.
	+ commit 16ac1850b854abe9b6f693a489ceeb0048777bfa
	* src/gcrypt-int.h: Use gpg_err_code_to_errno.

2022-08-30  Jakub Jelen  <jjelen@redhat.com>

	tests: Expect the OAEP tests to fail in FIPS mode.
	+ commit 658679e0ec8be9693a3deb6b85c2b39cb112218c
	* tests/basic.c (check_pubkey_crypt): Expect the OAEP padding encryption
	to fail in FIPS mode
	* tests/pkcs1v2.c (check_oaep): Expect the OAEP tests to fail in FIPS
	mode

	fips: Disable RSA-OAEP padding in FIPS mode.
	+ commit e5bfda492ab9496ed3d856a9f36250a2cc07ce70
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block OAEP padding
	in FIPS mode for encryption
	* cipher/rsa.c (rsa_decrypt): Block OAEP padding in FIPS mode for
	decryption

	random: Use getrandom (GRND_RANDOM) in FIPS mode.
	+ commit cf10c74bd9d5aa80798f1c0e23a9126f381b26b3
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Use
	GRND_RANDOM in FIPS Mode

	Simplify the PCT for RSA and ECDSA.
	+ commit 285bf54b1ac7b5609a675655fe2cb9117ab78d3d
	Could be squashed.

	* cipher/ecc.c (test_keys_fips): Simplify to accept key in SEXP format
	(nist_generate_key): Skip call to test keys
	(ecc_generate): Call test keys in FIPS mode later, when we have
	complete SEXP key structure.
	* cipher/rsa.c (test_keys_fips): Simplify to accept key in SEXP format
	(generate_fips): Skip selftest at this stage
	(rsa_generate): Test the keys later when we already have key in SEXP
	format

	ecc: Run PCT also with the digest step.
	+ commit 076a8adaf314d593ca25c245d2a74207710a4fe7
	* cipher/ecc.c (test_keys_fips): New function
	(nist_generate_key): In FIPS mode, execute new PCT test
	---

	Cherry-picked from master commit:
	505f048cac8e5af92d3431bd97ade492d1a30bc2

	rsa: Run PCT in FIPS mode also with digest step.
	+ commit 78151e6d6bbbbf1248b7c32cbab0b9b638ad6c11
	* cipher/rsa.c (test_keys_fips): New.
	(generate_fips): Call test_keys_fips.

	fips: Add function-name based FIPS indicator.
	+ commit 822ee57f07cad6b32fac265a1a9e195d7cf99fa9
	* doc/gcrypt.texi: Document the new function-based fips indicator
	GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
	* src/fips.c (_gcry_fips_indicator_function): New function indicating
	non-approved functions.
	* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbol
	GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
	* src/global.c (_gcry_vcontrol): Handle new FIPS indicator.

	fips: Run digest&sign self tests for RSA and ECC in FIPS mode.
	+ commit 06c9350165d7284cd9fe569fd23e6c6cf371dba2
	* cipher/ecc.c (selftest_hash_sign): Implement digest & sign KAT
	(selftests_ecdsa): Run the original basic test only with extended tests
	(run_selftests): Pass-through the extended argument
	* cipher/rsa.c (selftest_hash_sign_2048): Implement digest & sign KAT
	(selftests_rsa): Run the original basic test only with extended tests
	(run_selftests): Pass-through the extended argument

2022-08-15  NIIBE Yutaka  <gniibe@fsij.org>

	hmac: Allow use of shorter salt.
	+ commit ab5aef9b7b6ef757eff7bea4a17ade0ce3d3191b
	* cipher/md.c (prepare_macpads): Move the check to...
	* src/visibility.c (gcry_mac_setkey): ... here.

2022-07-13  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix gcry_pk_hash_verify for explicit hash.
	+ commit 1d3a90a4d118eafa6b2f777c998e85327a77fb3c
	* cipher/pubkey.c (_gcry_pk_verify_md): Implement support of explicit
	hash.
	* tests/t-ecdsa.c (one_test_sexp): Use explicit hash.

2022-07-13  Clemens Lang  <cllang@redhat.com>

	tests/t-kdf: Test KDF FIPS indicator.
	+ commit 3bbcf16e0b8b63d70893f6d9cc0fe77f7d8bc17b
	* tests/t-kdf.c (check_fips_indicators): Add test for gcry_control
	(GCRYCTL_FIPS_SERVICE_INDICATOR_KDF).

	tests: Test gcry_pk_hash_sign w/explicit hash algo.
	+ commit 04960f5179cd9732931b9f245a902a8a34bde964
	* tests/t-ecdsa.c (one_test_sexp): Re-run signature operation with hash
	algorithm explicitly specified in data_tmpl as documented in the
	manpage.

2022-07-13  NIIBE Yutaka  <gniibe@fsij.org>

	random: Fix rndjent for Windows.
	+ commit bc01c770c75703992fc0585d76d84107bdcd9fea
	* random/jitterentropy-base-user.h [HAVE_W32_SYSTEM] (jent_ncpu):
	Implement.
	* random/rndjent.c (_WIN32_WINNT): Define for GetNativeSystemInfo.
	(EOPNOTSUPP): Define when not available.

2022-06-16  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Allow building with --disable-asm for HPPA.
	+ commit d1cb2599e9d746bb3a088c63b24f8191072e11ef
	* mpi/longlong.h [__hppa] (udiv_qrnnd): Only define
	when assembler is enabled.

2022-05-31  Jakub Jelen  <jjelen@redhat.com>

	tests: Fix copy paste error.
	+ commit 4b85bf33cce7ee331d4da1b99620aed6f9fbf846
	* tests/basic.c (check_ocb_cipher_checksum): Check the right value for
	errors

	Fix memory leaks in tests.
	+ commit 735601494adb22a6ec8b1a4eacf1f75480a7c203
	* tests/aeswrap.c (check_one_with_padding): Free hd on error paths
	* tests/basic.c (check_ccm_cipher): Free context on error paths
	(check_ocb_cipher_checksum): Ditto.
	(do_check_xts_cipher): Ditto.
	(check_gost28147_cipher_basic): Ditto.
	* tests/bench-slope.c (bench_ecc_init): Free memory on invalid input.
	* tests/t-cv25519.c (test_it): Free memory on error path
	* tests/t-dsa.c (hex2buffer): Free memory on error path
	* tests/t-ecdsa.c (hex2buffer): Free memory on error path
	(one_test_sexp): Cleanup memory on exit
	* tests/t-mpi-point.c (check_ec_mul): Free memory on error
	(check_ec_mul_reduction): Ditto
	* tests/t-rsa-15.c (hex2buffer): Ditto
	* tests/t-rsa-pss.c (hex2buffer): Ditto
	* tests/t-x448.c (test_it): Free memory on error path
	* tests/testdrv.c (my_spawn): Free memory on error paths

2022-05-19  Jakub Jelen  <jjelen@redhat.com>

	cipher: Allow verification of small RSA signatures in FIPS mode.
	+ commit 468ffa8f9c471c910280e0d0ade521d0184ed533
	* cipher/rsa.c (rsa_check_keysize): Formatting.
	(rsa_check_verify_keysize): New function.
	(rsa_verify): Allow using smaller keys for verification.

2022-05-17  NIIBE Yutaka  <gniibe@fsij.org>

	Fix internal declaration of _gcry_kdf_compute.
	+ commit 6d3708942f846e389bd87fe3d7c6e7a1b3615bca
	* src/gcrypt-int.h (_gcry_kdf_compute): Return gcry_err_code_t.

2022-05-10  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix for 64-bit for _gcry_mpih_cmp_ui.
	+ commit 03af3d5cc5d54b6f810264568d6de22cd9e7d34f
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): Compare 64-bit
	value correctly.

2022-05-06  NIIBE Yutaka  <gniibe@fsij.org>

	random:drbg: Fix the behavior for child process.
	+ commit 019a40c99011390f12168e79e3bebd0ff52cc003
	* random/random-drbg.c (_gcry_rngdrbg_randomize): Update change of PID
	detection.

2022-05-06  Jakub Jelen  <jjelen@redhat.com>

	tests: Expect the RSA PKCS #1.5 encryption to fail in FIPS mode.
	+ commit 1a270cda2ee5fe345f480b4eda13b92a7b7f556e
	* tests/basic.c (check_pubkey_crypt): Expect RSA PKCS #1.5 encryption to
	fail in FIPS mode. Expect failure when wrong padding is selected
	* tests/pkcs1v2.c (check_v15crypt): Expect RSA PKCS #1.5 encryption to
	fail in FIPS mode

	tests: Replace custom bit with more generic flags.
	+ commit 9c55ba3bc1ce72307886f6d88f37d908e3fad39a
	* tests/basic.c (global): New flag FLAG_SPECIAL
	(check_pubkey_crypt): Change to use bitfield flags

	Do not allow PKCS #1.5 padding for encryption in FIPS.
	+ commit d8a13d97ccb62c8f7564192f0c8dcdc0b4d9745a
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block PKCS #1.5
	padding for encryption in FIPS mode
	* cipher/rsa.c (rsa_decrypt): Block PKCS #1.5 decryption in FIPS mode

2022-05-06  NIIBE Yutaka  <gniibe@fsij.org>

	random: Do not use secure memory for DRBG instance.
	+ commit 9452640125d239937dfb9cde49be7c0dde2f65ee
	* random/random-drbg.c (drbg_instance): New at BSS.
	(_drbg_init_internal): Don't allocate at secure memory.
	(_gcry_rngdrbg_close_fds): Follow the change.

	cipher: Change the bounds for RSA key generation round.
	+ commit f6a67c2215310e9463267e15569697d3103b27f7
	* cipher/rsa.c (generate_fips): Use 10 for p, 20 for q.

2022-04-19  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix rsa key generation.
	+ commit 26df4b8d8c938fd837b99355de5163b9364d49a5
	* cipher/rsa.c (generate_fips): Set the least significant bit.

2022-04-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-ppc: fix missing HWF_PPC_ARCH_3_10 in HW feature.
	+ commit e073f0ed446601bffe787912462119a98e797fa3
	* src/hwf-ppc.c (ppc_features): Add HWF_PPC_ARCH_3_10.

2022-03-29  NIIBE Yutaka  <gniibe@fsij.org>

	kdf:argon2: Fix for the case output > 64.
	+ commit 13b5454d2620701863f6e89221f5f4c98d2aba8e
	* cipher/blake2.c (blake2b_vl_hash): Fix the last step.
	* cipher/kdf.c (argon2_open): Check the value.

2022-03-28  Werner Koch  <wk@gnupg.org>

	Release 1.10.1.
	+ commit ae0e567820c37f9640440b3cff77d7c185aa6742


	hash: Add more OIDs.
	+ commit 52fd2305ba8a0c53214016c11fdf03d47761ee8e
	* cipher/sha256.c: Add X9.62 OID.
	* cipher/sha512.c: Ditto.

	tests: Add brainpoolP256r1 to bench-slope.
	+ commit eeddd578120c6c28cf600016aae124223ef99e8b
	* tests/bench-slope.c (ECC_ALGO_BRAINP256R1): New.
	(ecc_algo_fips_allowed): Support this curve.
	(ecc_algo_name): Ditto.
	(ecc_algo_curve): Ditto.
799 (ecc_nbits): Ditto.
800 (bench_ecc_init): Ditto.
801
802 2022-02-22 NIIBE Yutaka <gniibe@fsij.org>
803
804 fips: Clarify what to be hashed for the integrity check.
805 + commit 9fa4c8946ac5e79c37941c6264ac3d6314d9a3c0
806 * src/fips.c (get_file_offset): Compute the maximum offset
807 of segments.
808 * src/gen-note-integrity.sh: Likewise.
809
810 fips: Fix gen-note-integrity.sh script not to use cmp utility.
811 + commit ad8b67f9e21982c841f31e92d2639f726f7ea4be
812 * src/gen-note-integrity.sh: Simplify detecting 32-bit machine
813 or 64-bit machine.
814
815 fips: More portable integrity check.
816 + commit dcc6979fd2ed32bb5a5e448e2c9da1158c1d93c2
817 * src/Makefile.am (EXTRA_DIST): Change the name of the script.
818 (libgcrypt.la.done): Invoke OBJCOPY with --add-section.
819 (libgcrypt.so.hmac): Specify ECHO_N.
820 * src/fips.c (get_file_offset): Rename from get_file_offsets.
821 Find the note section and return the value in HMAC.
822 (hmac256_check): Simplify by HMAC from the note section, not loaded.
823 (check_binary_integrity): Use dladdr instead of dladdr1.
824 * src/gen-note-integrity.sh: Rename from genhmac.sh.
825 Generate ElfN_Nhdr, and then the hmac.
826
827 fips: Integrity check improvement, with only loadable segments.
828 + commit 974f4c7e698b0c1ffe3de82bad9b3f8813d1f42b
829 * configure.ac (READELF): Check the tool.
830 * src/Makefile.am (libgcrypt.so.hmac): Use genhmac.sh with hmac256.
831 * src/fips.c (get_file_offsets): Rename from get_file_offset.
832 Determine the OFFSET2 at the end of loadable segments, too.
833 Add fixup of the ELF header to exclude section information.
834 (hmac256_check): Finish scanning at the end of loadable segments.
835 * src/genhmac.sh: New.
836
837 2022-02-22 Clemens Lang <cllang@redhat.com>
838
839 fips: Use ELF header to find hmac file offset.
840 + commit 4ed49a917212507de8679aaf08504922a95cf6ef
841 * src/fips.c [ENABLE_HMAC_BINARY_CHECK] (hmac256_check): Use ELF headers
842 to locate the file offset for the HMAC in addition to information from
843 the loader
844
845 2022-02-21 NIIBE Yutaka <gniibe@fsij.org>
846
847 Silence compiler warnings for possible alignment problem.
848 + commit 64fef214025949a1b0a76355b99c85594caea4ca
849 * cipher/kdf.c (_gcry_kdf_compute, _gcry_kdf_final, _gcry_kdf_close):
850 Fix the cast.
851
852 2022-02-18 NIIBE Yutaka <gniibe@fsij.org>
853
854 build: Fix m4/gpg-error.m4.
855 + commit b5b7b8c5c76838350f1857a40c428c9092f9da8e
856 * m4/gpg-error.m4: Unset GPGRT_CONFIG when it doesn't work well.
857
858 2022-02-14 Clemens Lang via Gcrypt-devel <gcrypt-devel@lists.gnupg.org>
859
860 hmac: Fix memory leak.
861 + commit 2bdc6614c866b0197f534e5cf3ec35d9f024facd
862 * src/hmac.c: Release HMAC256 context
863
864 fips: Fix memory leaks in FIPS mode.
865 + commit a60f8e43dd1b02adf7d1fd54c2e1d27564dd12c1
866 * cipher/pubkey.c (_gcry_pk_sign_md): Fix memory leak in FIPS mode when
867 used with SHA1
868 * tests/basic.c (check_one_cipher_core): Add missing free in error code
869 triggered in FIPS mode
870 * tests/dsa-rfc6979.c (check_dsa_rfc6979): Likewise
871 * tests/pubkey.c (check_x931_derived_key): Likewise
872
873 2022-02-14 NIIBE Yutaka <gniibe@fsij.org>
874
875 kdf: Use u64.
876 + commit 6683007d696dfe64640dc741c4332784ec246388
877 * cipher/kdf.c (rotr64): We use u64 in libgcrypt.
878
879 2022-02-04 Heiko Becker <heirecka@exherbo.org>
880
881 jitterentropy: Include <fcntl.h> and <limits.h>
882 + commit ffaef0be613121d3ee37867d82932a7a30c2bc6d
883 * random/jitterentropy-base-user.h: Include <fcntl.h> for O_RDONLY
884 * random/jitterentropy-base-user.h: Include <limits.h> for LONG_MAX
885
886 2022-02-01 Werner Koch <wk@gnupg.org>
887
888 Release 1.10.0.
889 + commit e4ab2147f3e236f7be95f9709ce09193b2ca5c1a
890
891
892 2022-01-31 Werner Koch <wk@gnupg.org>
893
894 rsa: Fix regression in not returning an error for prime generation.
895 + commit 217bf0a0e7be4a216a405a4bfb719e0fd437c2a3
896 * cipher/rsa.c (generate_fips): Set the default EC again.
897
898 2022-01-31 Jakub Jelen <jjelen@redhat.com>
899
900 cipher: Initialize values not to confuse static analyzers.
901 + commit cb9df21fcbb05d9650df7b45671d335eefad405b
902 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Initialize integer values
903 not to confuse static analyzers.
904 (_gcry_ecc_eddsa_verify): Ditto.
905
906 fips: Remove unused assignment.
907 + commit d2003618e6bf733f0c913f5c8961779f8e4dc05c
908 * src/fips.c (hmac256_check): Remove unused assignment.
909
910 cipher: Remove dead code in for the siv mode.
911 + commit 0f38e6a877f19db303672ca899b36333fb84c8fa
912 * cipher/cipher-siv.c (_gcry_cipher_siv_setkey): Remove dead code
913
914 random: Avoid dereference of the ec before checking for NULL.
915 + commit 904e168bdb2ac4cbfe32db86a6cd11ab462340ad
916 * random/jitterentropy-noise.c (jent_memaccess): Move check before
917 dereferencing the pointer.
918
919 2022-01-31 NIIBE Yutaka <gniibe@fsij.org>
920
921 kdf: Fix computation by big-endian machine.
922 + commit 77512c510bf744b341d3173e65e22b9dd0b5df03
923 * cipher/kdf.c (beswap64_block): New.
924 (argon2_fill_first_blocks): Convert to native endian.
925 (pseudo_random_generate): Run in native endian.
926 (argon2_compute_segment): Run in native endian.
927 (argon2_final): Convert from native endian.
928
929 cipher/blake2: Make sure to clean up the stack.
930 + commit 7dc488ae036addd69878681a4eab6d25e9d99c8e
931 * cipher/blake2.c (blake2b_vl_hash): Wipe the memory.
932
933 2022-01-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
934
935 kdf: handle errors from thread dispatch/wait functions.
936 + commit 54369c66bedd20d6846ed8fab678082ec8eecf5d
937 * cipher/kdf.c (argon2_compute): Handle failed job dispatch/wait.
938 * tests/t-kdf.c (pthread_jobs_launch_job)
939 (wait_all_jobs_completion): Handle errors returned from pthread functions.
940
941 kdf/argon2: use BLAKE2b hash_buffers function instead of _gcry_md_*
942 + commit 409f69167983deacee6d6c85c80a4be0e4b5d7c1
943 * cipher/kdf.c (argon2_fill_first_blocks): Convert to use iov
944 hash_buffers API instead of _gcry_md_*.
945
946 Rename KDF job functions and function types.
947 + commit c5aead8aebc7dfb699597eb6adf334bd2edbc374
948 * src/gcrypt.h.in (gcry_kdf_job_fn_t): New.
949 (gcry_kdf_dispatch_job_fn_t): Renamed from 'gcry_kdf_lauch_job_t'; Use
950 'gcry_kdf_job_fn_t' for function pointer parameter.
951 (gcry_kdf_wait_all_jobs_fn_t): Renamed from
952 'gcry_kdf_wait_all_jobs_completion_t'.
953 (gcry_kdf_thread_ops_t): Rename functions to 'dispatch_job' and
954 'wait_all_jobs'.
955 * cipher/kdf.c (argon2_compute): Change to use 'dispatch_job' and
956 'wait_all_jobs'.
957 * tests/t-kdf.c (job_thread_param, pthread_jobs_launch_job): Use
958 'gcry_kdf_job_fn_t' type for 'job'.
959
960 tests/t-kdf: few changes to pthread example and fix win32/win64 builds.
961 + commit 03a0eedefe3e8b979aee6fb9800fe8e794f50089
962 * src/gcrypt.h.in (gcry_kdf_thread_ops_t): New based on
963 'struct gcry_kdf_thread_ops'.
964 (gcry_kdf_compute): Use 'gcry_kdf_thread_ops_t' instead of
965 'struct gcry_kdf_thread_ops'.
966 * tests/Makefile.am: Define 't_kdf_LDADD' and 't_kdf_CFLAGS' on
967 win32/win64 target too.
968 * tests/t-kdf.c (pthread_jobs_launch_job): Set 'oldest_thread_idx' on
969 first thread creation.
970 (wait_all_jobs_completion): Reset 'oldest_thread_idx' to -1.
971 (my_kdf_derive): Merge HAVE_PTHREAD ifdefs; Initialize 'oldest_thread_idx'
972 to -1.
973
974 2022-01-28 NIIBE Yutaka <gniibe@fsij.org>
975 Jussi Kivilinna <jussi.kivilinna@iki.fi>
976
977 kdf: Change new KDF API.
978 + commit 254fb14044cfce87b619138dec7bb78a2534d1b3
979 * cipher/kdf.c (argon2_ctl): Remove.
980 (argon2_iterator): Remove.
981 (argon2_compute_segment): Change the API.
982 (argon2_compute): New.
983 (argon2_open): No optional N_THREADS any more.
984 (_gcry_kdf_ctl): Remove.
985 (_gcry_kdf_iterator, _gcry_kdf_compute_segment): Remove.
986 (_gcry_kdf_compute): New.
987 * src/gcrypt-int.h: Update declarations.
988 * src/gcrypt.h.in: Likewise.
989 * src/libgcrypt.def: Update.
990 * src/libgcrypt.vers: Update.
991 * src/visibility.c: Update.
992 * src/visibility.h: Update.
993 * tests/t-kdf.c (check_argon2): Update the test with change of new
994 API.
995
996 2022-01-28 NIIBE Yutaka <gniibe@fsij.org>
997
998 kdf: Implement Argon2 KDF using blake2b_vl_hash function.
999 + commit 4cbbd87e2af00c7b3f0236a56f12bd51e9295816
1000 * cipher/kdf.c (hash): Remove, as it's not possible to implement with
1001 _gcry_md_* programming interface.
1002 (xor_block): New.
1003 (argon2_fill_first_blocks): Rename from argon2_genh0_first_blocks.
1004 (argon2_init): Don't use ->HD any more.
1005 (fill_block, pseudo_random_generate, index_alpha): New.
1006 (argon2_compute_segment): Implement ARGON2D, ARGON2I and ARGON2ID.
1007 (argon2_final): Fix using blake2b_vl_hash.
1008 (argon2_open): Fix for parameters and the restriction for output length.
1009 * tests/t-kdf.c (check_argon2): Update test vector for version 0x13.
1010 (main): Enable the test.
1011
1012 cipher: Implement variable-length hash function for Argon2.
1013 + commit 6467287ba121df9e5965d5a3a7a4f349793d49d2
1014 * cipher/blake2.c (blake2b_vl_hash): New.
1015
1016 2022-01-26 NIIBE Yutaka <gniibe@fsij.org>
1017
1018 kdf: Improve new KDF API.
1019 + commit 5d1da2c61981243729365724f14e3d4abacb0e6a
1020 * cipher/kdf.c (struct argon2_thread_data): Change layout.
1021 (argon2_iterator): Use struct gcry_kdf_pt_head.
1022 (argon2_compute_segment): Rename from argon2_compute_row.
1023 (argon2_open): Handle N_THREAD maximum.
1024 (_gcry_kdf_iterator): Use struct gcry_kdf_pt_head.
1025 (_gcry_kdf_compute_segment): Rename from _gcry_kdf_compute_row.
1026 * src/gcrypt-int.h: Update declarations.
1027 * src/gcrypt.h.in (struct gcry_kdf_pt_head): Expose the data type.
1028 * src/libgcrypt.def, src/libgcrypt.vers: Update.
1029 * src/visibility.c, src/visibility.h: Update.
1030 * tests/t-kdf.c (start_thread, my_kdf_derive): Follow the change.
1031
1032 kdf: Improve new KDF API.
1033 + commit f21871e241e96148cef3ad4314ad596178cf8967
1034 * cipher/kdf.c (struct argon2_thread_data): Change layout.
1035 (argon2_iterator): Use struct gcry_kdf_pt_head.
1036 (argon2_compute_segment): Rename from argon2_compute_row.
1037 (argon2_open): Handle N_THREAD maximum.
1038 (_gcry_kdf_iterator): Use struct gcry_kdf_pt_head.
1039 (_gcry_kdf_compute_segment): Rename from _gcry_kdf_compute_row.
1040 * src/gcrypt-int.h: Update declarations.
1041 * src/gcrypt.h.in (struct gcry_kdf_pt_head): Expose the data type.
1042 * src/libgcrypt.def, src/libgcrypt.vers: Update.
1043 * src/visibility.c, src/visibility.h: Update.
1044 * tests/t-kdf.c (start_thread, my_kdf_derive): Follow the change.
1045
1046 2022-01-25 NIIBE Yutaka <gniibe@fsij.org>
1047
1048 random: Include sys/random.h when available.
1049 + commit 5e2d792eb8d9e5aaf1b71205f9298286b8145462
1050 * configure.ac (AC_CHECK_HEADERS): Check sys/random.h.
1051 * random/rndgetentropy.c [HAVE_SYS_RANDOM_H]: Include it.
1052
1053 cipher: Add new API for modern KDF function.
1054 + commit bafdb90d97b65db541ea917088ca956e6a364f6b
1055 * cipher/kdf.c (hash, argon2_genh0_first_blocks): New for Argon2.
1056 (argon2_init, argon2_ctl, argon2_iterator): Likewise.
1057 (argon2_compute_row, argon2_final, argon2_close): Likewise.
1058 (argon2_open): Likewise.
1059 (balloon_open): New for Balloon.
1060 (_gcry_kdf_open, _gcry_kdf_ctl, _gcry_kdf_iterator): Add new API.
1061 (_gcry_kdf_compute_row, _gcry_kdf_final, _gcry_kdf_close): Likewise.
1062 * src/gcrypt-int.h: Add declarations for new API.
1063 * src/gcrypt.h.in: Likewise.
1064 (enum gcry_kdf_algos): Add GCRY_KDF_ARGON2 and GCRY_KDF_BALLOON.
1065 (enum gcry_kdf_subalgo_argon2): Add GCRY_KDF_ARGON2D,
1066 GCRY_KDF_ARGON2I, and GCRY_KDF_ARGON2ID.
1067 * src/libgcrypt.def, src/libgcrypt.vers: Update.
1068 * src/visibility.h: Likewise.
1069 * src/visibility.c: Add new API.
1070 * tests/Makefile.am (t_kdf_LDADD, t_kdf_CFLAGS): Enable use of pthread.
1071 * tests/t-kdf.c (check_argon2): New, not enabled yet.
1072
1073 Prefer uint64_t for the definition of u64.
1074 + commit 3d353782d84b9720262d7b05adfae3aef7ff843b
1075 * src/types.h (u64): Prefer use of uint64_t with C99 compliant
1076 compiler.
1077
1078 tests: Fix variable initialization for tests.
1079 + commit 99642f18ccbe45fb4cae55945af49f7884bcaceb
1080 * tests/t-rsa-15.c (one_test_sexp): Initialize OUT_LEN.
1081 * tests/t-rsa-pss.c (one_test_sexp): Initialize CTX and OUT_LEN.
1082 Fix the if condition.
1083
1084 2022-01-25 Jakub Jelen <jjelen@redhat.com>
1085
1086 mpi: Add missing header file to the tarball.
1087 + commit 08f3e0909f8c4fefc2c020dca206037693282186
1088 * mpi/Makefile.am: Add missing header file.
1089
1090 doc: Update more information about FIPS selftests and algorithms.
1091 + commit 1f299cb16afdfd0ccc3cd9e9ae65a789be6514f7
1092 * doc/gcrypt.texi: List implemented GOST curves.
1093 Update location of the HMAC selftests and add SHA3 ones.
1094 Add information about ECC selftests.
1095 Add information about KDF selftests.
1096 Update information about additional MAC selftests.
1097 Update information about FIPS allowed algorithms.
1098
1099 2022-01-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
1100
1101 tests/t-kdf: fix format string argument type mismatch.
1102 + commit e9e723d5e320ff2c67bf9a9841777749a44e54d0
1103 * tests/t-kdf.c (check_pbkdf2, check_scrypt): Change fprintf format
1104 for plen from "%ld" to "%u" and cast plen to 'unsigned int'.
1105
1106 Fix building GCM when GCM_USE_ARM_NEON defined but GCM_USE_ARM_PMULL not
1107 + commit a35ac62ee7b5a6e799eb4a89a934da0313fb1158
1108 * cipher/cipher-gcm.c (setupM): Remove ifdef around 'features'.
1109
1110 2022-01-20 NIIBE Yutaka <gniibe@fsij.org>
1111
1112 scrypt: Fix the last step of SCRYPT.
1113 + commit 867435cf8847fb80e922eb818fbcfac131863b8c
1114 * cipher/scrypt.c (_gcry_kdf_scrypt): Single call to PBKDF2.
1115
1116 fips: Recover test cases for selftest, add skipping in FIPS mode.
1117 + commit 535a4d345872aa2cd2ab3a5f9c4411d0a0313328
1118 * cipher/kdf.c (check_one): Skip a test with shorter passphrase in
1119 FIPS mode.
1120 (selftest_pbkdf2): Recover selftest cases.
1121 * cipher/mac-hmac.c (check_one): Skip a test with shorter key in FIPS
1122 mode.
1123 (selftests_sha224, selftests_sha256): Recover selftest cases.
1124 (selftests_sha384, selftests_sha512, selftests_sha3): Likewise.
1125
1126 2022-01-19 NIIBE Yutaka <gniibe@fsij.org>
1127
1128 fips: Reject shorter key for HMAC in FIPS mode.
1129 + commit 76aad97dd312e83f2f9b8d086553f2b72ab6546f
1130 * cipher/md.c (prepare_macpads): Reject < 112-bit key.
1131 * cipher/kdf.c (selftest_pbkdf2): Remove selftest cases with shorter
1132 key.
1133 * cipher/mac-hmac.c (selftests_sha224, selftests_sha256): Likewise.
1134 (selftests_sha384, selftests_sha512, selftests_sha3): Likewise.
1135 * tests/basic.c (check_one_hmac) Handle an error when shorter key
1136 is rejected.
1137 (check_one_mac): Likewise.
1138 * tests/t-kdf.c (check_pbkdf2, check_scrypt): Likewise.
1139
1140 2022-01-18 NIIBE Yutaka <gniibe@fsij.org>
1141
1142 build: Fix .m4 files in distribution.
1143 + commit 6f225308d3e59f8749403ad743d8e6c591142f8f
1144 * m4/Makefile.am (EXTRA_DIST): Remove sys_socket_h.m4.
1145
1146 2022-01-17 NIIBE Yutaka <gniibe@fsij.org>
1147
1148 fips: Remove GCRYCTL_FIPS_SERVICE_INDICATOR and renumber the enum.
1149 + commit d0db6a5abf7b8cc5637de5a080a7ed986e3ff63f
1150 * src/gcrypt.h.in (enum gcry_ctl_cmds): Remove
1151 GCRYCTL_FIPS_SERVICE_INDICATOR.
1152 * src/fips.c (_gcry_fips_indicator_cipher): Use gcry_kdf_algos.
1153 * tests/basic.c: Use GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER.
1154
1155 2022-01-17 Jakub Jelen <jjelen@redhat.com>
1156
1157 Update documentation related to FIPS.
1158 + commit e023e10ee89baf5d5909de4d8c13ba6dfbc8ed99
1159 * cipher/rsa.c (selftest_encr_2048): Fix error message
1160 * doc/gcrypt.texi: Add missing hwfeatures
1161 Add description of the service indicator API
1162 Fix typo in tampered word
1163 Add some missing curves
1164 Remove algorithms no longer used in FIPS mode and update claims given
1165
1166 fips: Add support for KDF FIPS indicators.
1167 + commit 8611c9f276ad0f51fcdd4da0481108880104338f
1168 * src/fips.c (_gcry_fips_indicator): rename to
1169 _gcry_fips_indicator_cipher().
1170 (_gcry_fips_indicator_kdf): New function.
1171 * src/g10lib.h: Rename _gcry_fips_indicator to
1172 _gcry_fips_indicator_cipher() and add _gcry_fips_indicator_kdf()
1173 * src/gcrypt.h.in (enum gcry_ctl_cmds): Add
1174 GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER and
1175 GCRYCTL_FIPS_SERVICE_INDICATOR_KDF.
1176 * src/global.c (_gcry_vcontrol): Implement support for KDF FIPS
1177 Indicator separate from the cipher one.
1178
1179 2022-01-11 Jussi Kivilinna <jussi.kivilinna@iki.fi>
1180
1181 rijndael-aesni: small optimization for cbc-enc and cfb-enc.
1182 + commit dfd53c7eddf0beaf9e85daaed92c0bd756112470
1183 * cipher/rijndael-aesni.c (_gcry_aes_aesni_cfb_enc)
1184 (_gcry_aes_aesni_cbc_enc): Copy contents of 'do_aesni_enc' here and
1185 merge input/output and first/last round key xoring to shorten critical
1186 path.
1187
1188 mpi/amd64: remove extra 'ret' from assembly functions.
1189 + commit 0c0f27a89205842b5ef8e56a9726074f6b738f73
1190 * mpi/amd64/mpih-add1.S: Remove 'ret' as it is already included by
1191 FUNC_EXIT macro.
1192 * mpi/amd64/mpih-lshift.S: Likewise.
1193 * mpi/amd64/mpih-mul1.S: Likewise.
1194 * mpi/amd64/mpih-mul2.S: Likewise.
1195 * mpi/amd64/mpih-mul3.S: Likewise.
1196 * mpi/amd64/mpih-rshift.S: Likewise.
1197 * mpi/amd64/mpih-sub1.S: Likewise.
1198
1199 mpi/config.links: merge i586 targets with rest i*86 targets.
1200 + commit 9bbb6c2c5d03c19b7f4356628a76eb8bde3ab026
1201 * mpi/config.links: Merge i586 targets with rest i[3467]86 targets.
1202
1203 mpi: remove unused i586 and pentium4 assembly.
1204 + commit 2800de892585c405099039d6f9dc346c3a71c16e
1205 * mpi/config.links: Remove 'i586' from paths.
1206 * mpi/i586*: Remove.
1207 * mpi/pentium4/*: Remove.
1208
1209 Add straight-line speculation hardening for aarch64 assembly.
1210 + commit 34bcc102158a651781f4e7639e2654068a39db6d
1211 * cipher/asm-common-aarch64.h (ret_spec_stop): New.
1212 * cipher/asm-poly1305-aarch64.h: Use 'ret_spec_stop' for 'ret'
1213 instruction.
1214 * cipher/camellia-aarch64.S: Likewise.
1215 * cipher/chacha20-aarch64.S: Likewise.
1216 * cipher/cipher-gcm-armv8-aarch64-ce.S: Likewise.
1217 * cipher/crc-armv8-aarch64-ce.S: Likewise.
1218 * cipher/rijndael-aarch64.S: Likewise.
1219 * cipher/rijndael-armv8-aarch64-ce.S: Likewise.
1220 * cipher/sha1-armv8-aarch64-ce.S: Likewise.
1221 * cipher/sha256-armv8-aarch64-ce.S: Likewise.
1222 * cipher/sm3-aarch64.S: Likewise.
1223 * cipher/twofish-aarch64.S: Likewise.
1224 * mpi/aarch64/mpih-add1.S: Likewise.
1225 * mpi/aarch64/mpih-mul1.S: Likewise.
1226 * mpi/aarch64/mpih-mul2.S: Likewise.
1227 * mpi/aarch64/mpih-mul3.S: Likewise.
1228 * mpi/aarch64/mpih-sub1.S: Likewise.
1229
1230 Add straight-line speculation hardening for amd64 and i386 assembly.
1231 + commit 11ade08efbfbc36dbf3571f1026946269950bc40
1232 * cipher/asm-common-amd64.h (ret_spec_stop): New.
1233 * cipher/arcfour-amd64.S: Use 'ret_spec_stop' for 'ret' instruction.
1234 * cipher/blake2b-amd64-avx2.S: Likewise.
1235 * cipher/blake2s-amd64-avx.S: Likewise.
1236 * cipher/blowfish-amd64.S: Likewise.
1237 * cipher/camellia-aesni-avx-amd64.S: Likewise.
1238 * cipher/camellia-aesni-avx2-amd64.h: Likewise.
1239 * cipher/cast5-amd64.S: Likewise.
1240 * cipher/chacha20-amd64-avx2.S: Likewise.
1241 * cipher/chacha20-amd64-ssse3.S: Likewise.
1242 * cipher/des-amd64.S: Likewise.
1243 * cipher/rijndael-aarch64.S: Likewise.
1244 * cipher/rijndael-amd64.S: Likewise.
1245 * cipher/rijndael-ssse3-amd64-asm.S: Likewise.
1246 * cipher/rijndael-vaes-avx2-amd64.S: Likewise.
1247 * cipher/salsa20-amd64.S: Likewise.
1248 * cipher/serpent-avx2-amd64.S: Likewise.
1249 * cipher/serpent-sse2-amd64.S: Likewise.
1250 * cipher/sha1-avx-amd64.S: Likewise.
1251 * cipher/sha1-avx-bmi2-amd64.S: Likewise.
1252 * cipher/sha1-avx2-bmi2-amd64.S: Likewise.
1253 * cipher/sha1-ssse3-amd64.S: Likewise.
1254 * cipher/sha256-avx-amd64.S: Likewise.
1255 * cipher/sha256-avx2-bmi2-amd64.S: Likewise.
1256 * cipher/sha256-ssse3-amd64.S: Likewise.
1257 * cipher/sha512-avx-amd64.S: Likewise.
1258 * cipher/sha512-avx2-bmi2-amd64.S: Likewise.
1259 * cipher/sha512-ssse3-amd64.S: Likewise.
1260 * cipher/sm3-avx-bmi2-amd64.S: Likewise.
1261 * cipher/sm4-aesni-avx-amd64.S: Likewise.
1262 * cipher/sm4-aesni-avx2-amd64.S: Likewise.
1263 * cipher/twofish-amd64.S: Likewise.
1264 * cipher/twofish-avx2-amd64.S: Likewise.
1265 * cipher/whirlpool-sse2-amd64.S: Likewise.
1266 * mpi/amd64/func_abi.h (CFI_*): Remove, include from "asm-common-amd64.h"
1267 instead.
1268 (FUNC_EXIT): Use 'ret_spec_stop' for 'ret' instruction.
1269 * mpi/asm-common-amd64.h: New.
1270 * mpi/i386/mpih-add1.S: Use 'ret_spec_stop' for 'ret' instruction.
1271 * mpi/i386/mpih-lshift.S: Likewise.
1272 * mpi/i386/mpih-mul1.S: Likewise.
1273 * mpi/i386/mpih-mul2.S: Likewise.
1274 * mpi/i386/mpih-mul3.S: Likewise.
1275 * mpi/i386/mpih-rshift.S: Likewise.
1276 * mpi/i386/mpih-sub1.S: Likewise.
1277 * mpi/i386/syntax.h (ret_spec_stop): New.
1278
1279 Optimizations for AES aarch64-ce assembly implementation.
1280 + commit ff2a647d36677f6ad9edbe992a6c0ab0f7cf9510
1281 * cipher/rijndael-armv8-aarch64-ce.S (vk14): Remove.
1282 (vklast, __, _): New.
1283 (aes_preload_keys): Setup vklast.
1284 (do_aes_one128/192/256): Split to ...
1285 (do_aes_one_part1, do_aes_part2_128/192/256): ... these and add
1286 interleave ops.
1287 (do_aes_one128/192/256): New using above part1 and part2 macros.
1288 (aes_round_4): Rename to ...
1289 (aes_round_4_multikey): ... this and allow different key used for
1290 parallel blocks.
1291 (aes_round_4): New using above multikey macro.
1292 (aes_lastround_4): Reorder AES round and xor instructions, allow
1293 different last key for parallel blocks.
1294 (do_aes_4_128/192/256): Split to ...
1295 (do_aes_4_part1_multikey, do_aes_4_part1)
1296 (do_aes_4_part2_128/192/256): ... these.
1297 (do_aes_4_128/192/256): New using above part1 and part2 macros.
1298 (CLEAR_REG): Use movi for clearing registers.
1299 (aes_clear_keys): Remove branching and clear all key registers.
1300 (_gcry_aes_enc_armv8_ce, _gcry_aes_dec_armv8_ce): Adjust to macro
1301 changes.
1302 (_gcry_aes_cbc_enc_armv8_ce, _gcry_aes_cbc_dec_armv8_ce)
1303 (_gcry_aes_cfb_enc_armv8_ce, _gcry_aes_cfb_enc_armv8_ce)
1304 (_gcry_aes_ctr32le_enc_armv8_ce): Apply entry/loop-body/exit
1305 optimization for better interleaving of input/output processing;
1306 First/last round key and input/output xoring optimization to reduce
1307 critical path length.
1308 (_gcry_aes_ctr_enc_armv8_ce): Add fast path for counter incrementing
1309 without byte-swaps when counter does not overflow 8-bit; Apply
1310 entry/loop-body/exit optimization for better interleaving of
1311 input/output processing; First/last round key and input/output
1312 xoring optimization to reduce critical path length.
1313 (_gcry_aes_ocb_enc_armv8_ce, _gcry_aes_ocb_dec_armv8_ce): Add aligned
1314 processing for nblk and OCB offsets; Apply entry/loop-body/exit
1315 optimization for better interleaving of input/output processing;
1316 First/last round key and input/output xoring optimization to reduce
1317 critical path length; Change to use same function body macro for
1318 both encryption and decryption.
1319 (_gcry_aes_xts_enc_armv8_ce, _gcry_aes_xts_dec_armv8_ce): Apply
1320 entry/loop-body/exit optimization for better interleaving of
1321 input/output processing; First/last round key and input/output
1322 xoring optimization to reduce critical path length; Change to use
1323 same function body macro for both encryption and decryption.
1324
1325 Add armv8/pmull accelerated POLYVAL for GCM-SIV.
1326 + commit 4e6f1ef5a00e15128e5f2398e2c282d31152d276
1327 * cipher/cipher-gcm-armv8-aarch32-ce.S
1328 (_gcry_polyval_armv8_ce_pmull): New.
1329 * cipher/cipher-gcm-armv8-aarch64-ce.S
1330 (_gcry_polyval_armv8_ce_pmull): New.
1331 * cipher/cipher-gcm.c (_gcry_polyval_armv8_ce_pmull)
1332 (polyval_armv8_ce_pmull): New.
1333 (setupM) [GCM_USE_ARM_PMULL]: Setup 'polyval_armv8_ce_pmull' as POLYVAL
1334 function.
1335
1336 Use 'vmov' and 'movi' for vector register clearing in ARM assembly.
1337 + commit 859b6ac7fbdb6ec18d1536e14b9ee83c1add224e
1338 * cipher/chacha20-aarch64.S (clear): Use 'movi'.
1339 * cipher/chacha20-armv7-neon.S (clear): Use 'vmov'.
1340 * cipher/cipher-gcm-armv7-neon.S (clear): Use 'vmov'.
1341 * cipher/cipher-gcm-armv8-aarch32-ce.S (CLEAR_REG): Use 'vmov'.
1342 * cipher/cipher-gcm-armv8-aarch64-ce.S (CLEAR_REG): Use 'movi'.
1343 * cipher/rijndael-armv8-aarch32-ce.S (CLEAR_REG): Use 'vmov'.
1344 * cipher/sha1-armv7-neon.S (clear): Use 'vmov'.
1345 * cipher/sha1-armv8-aarch32-ce.S (CLEAR_REG): Use 'vmov'.
1346 * cipher/sha1-armv8-aarch64-ce.S (CLEAR_REG): Use 'movi'.
1347 * cipher/sha256-armv8-aarch32-ce.S (CLEAR_REG): Use 'vmov'.
1348 * cipher/sha256-armv8-aarch64-ce.S (CLEAR_REG): Use 'movi'.
1349 * cipher/sha512-armv7-neon.S (CLEAR_REG): New using 'vmov'.
1350 (_gcry_sha512_transform_armv7_neon): Use CLEAR_REG for clearing
1351 registers.
1352
1353 Add SM3 ARM/AArch64 assembly implementation.
1354 + commit f664333a4749eab03c6b19bae2f28863b8501a24
1355 * cipher/Makefile.am: Add 'sm3-aarch64.S'.
1356 * cipher/sm3-aarch64.S: New.
1357 * cipher/sm3.c (USE_AARCH64_SIMD): New.
1358 [USE_AARCH64_SIMD] (_gcry_sm3_transform_aarch64)
1359 (do_sm3_transform_aarch64): New.
1360 (sm3_init) [USE_AARCH64_SIMD]: New.
1361 * configure.ac: Add 'sm3-aarch64.lo'.
1362 * tests/basic.c (main): Add command-line option '--hash' for running
1363 only hash algorithm tests.
1364
1365 2022-01-11 NIIBE Yutaka <gniibe@fsij.org>
1366
1367 random: Rename rndlinux module to rndoldlinux.
1368 + commit 560943805a525a6f479b666578b0ff7d51e6f833
1369 * configure.ac (USE_RNDOLDLINUX): Rename from USE_RNDLINUX.
1370 (GCRYPT_RANDOM): Use rndoldlinux.lo.
1371 * doc/gcrypt.texi: Update.
1372 * random/Makefile.am (EXTRA_librandom_la_SOURCES): Update.
1373 * random/rndoldlinux.c: Rename from rndlinux.c. Rename the function.
1374 * random/rand-internal.h: Update the function name.
1375 * random/random-csprng.c: Update the calls to the function.
1376 * random/random-drbg.c: Likewise.
1377 * random/random-system.c: Likewise.
1378 * src/global.c: Use USE_RNDOLDLINUX.
1379
1380 2022-01-11 Jakub Jelen <jjelen@redhat.com>
1381
1382 configure: Fix help text for the fips module version.
1383 + commit 83e58191d3d960b3efda960dd6fe50e8f0b02bda
1384 * configure.ac: Fix unmatched parenthesis and add more verbose
1385 description of the --with-fips-module-version configure option.
1386
1387 2022-01-11 NIIBE Yutaka <gniibe@fsij.org>
1388
1389 fips: Provide a mechanism to put libgcrypt in non-FIPS mode.
1390 + commit 2a8b3fed1a80e74dfb12c03e426373a300407eda
1391 * doc/gcrypt.texi (Disabling FIPS mode): Add.
1392 * src/gcrypt.h.in (GCRYCTL_NO_FIPS_MODE): New.
1393 * src/global.c (_gcry_vcontrol): Support GCRYCTL_NO_FIPS_MODE.
1394 * tests/t-ed25519.c: Add --no-fips option to test non-FIPS mode.
1395
1396 cipher: Keep original behavior of Key Unwrap when not extended.
1397 + commit 383866f014f2ae8487d15e3fd99fe688b489d364
1398 * cipher/cipher-aeswrap.c (_gcry_cipher_keywrap_decrypt_auto): Only
1399 allow unwrapping by KWP when GCRY_CIPHER_EXTENDED is specified.
1400
1401 2022-01-05 NIIBE Yutaka <gniibe@fsij.org>
1402
1403 cipher: Add an API to retrieve unwrapped key length for KWP.
1404 + commit 746b8e29969be56e086191dbe93978f7e0355aa0
1405 * cipher/cipher-aeswrap.c (_gcry_cipher_keywrap_decrypt)
1406 (_gcry_cipher_keywrap_decrypt_padding): Merged into...
1407 (_gcry_cipher_keywrap_decrypt_auto): ... this.
1408 Write length information to struct gcry_cipher_handle.
1409 * cipher/cipher-internal.h (struct gcry_cipher_handle): Add
1410 u_mode.wrap.
1411 * cipher/cipher.c (_gcry_cipher_setup_mode_ops): Use
1412 _gcry_cipher_keywrap_decrypt_auto.
1413 (_gcry_cipher_info): Support GCRYCTL_GET_KEYLEN for
1414 GCRY_CIPHER_MODE_AESWRAP. Note that it's not the length of KEK,
1415 but the length of the unwrapped key.
1416 * tests/aeswrap.c (check_one_with_padding): Add check
1417 for length of unwrapped key.
1418
1419 2022-01-04 NIIBE Yutaka <gniibe@fsij.org>
1420
1421 cipher: Use const for *_spec_t, if possible.
1422 + commit f9ba07942b10c72af50bd73c92c4851b6981546e
1423 * cipher/blake2.c: Use const.
1424 * cipher/camellia-glue.c, cipher/cipher.c, cipher/crc.c: Likewise.
1425 * cipher/des.c, cipher/gost28147.c, cipher/gostr3411-94.c: Likewise.
1426 * cipher/keccak.c, cipher/mac-cmac.c, cipher/mac-gmac.c: Likewise.
1427 * cipher/mac-hmac.c, cipher/mac-internal.h: Likewise.
1428 * cipher/mac-poly1305.c, cipher/mac.c, cipher/md.c: Likewise.
1429 * cipher/md.c, cipher/md2.c, cipher/md4.c, cipher/md5.c: Likewise.
1430 * cipher/pubkey.c, cipher/rfc2268.c, cipher/rijndael.c: Likewise.
1431 * cipher/rmd160.c, cipher/seed.c, cipher/serpent.c: Likewise.
1432 * cipher/sha1.c, cipher/sha256.c, cipher/sha512.c: Likewise.
1433 * cipher/sm3.c, cipher/sm4.c, cipher/stribog.c: Likewise.
1434 * cipher/pubkey.c, cipher/rfc2268.c, cipher/rijndael.c: Likewise.
1435 * src/cipher-proto.h, src/cipher.h: Likewise.
1436
1437 fips: Use flags.fips to check algo availability.
1438 + commit 034e4402dade7a4bcc239913b78c702c5c6f0dbb
1439 * cipher/cipher.c (check_cipher_algo): Check ->flags.fips.
1440 (_gcry_cipher_open_internal, _gcry_cipher_selftest): Likewise.
1441 (_gcry_cipher_init): Don't modify ->flags.disabled.
1442 * cipher/mac.c (_gcry_mac_init): Don't modify ->flags.disabled.
1443 (check_mac_algo): Check ->flags.fips.
1444 (mac_open, _gcry_mac_selftest): Likewise.
1445 * cipher/md.c (check_digest_algo): Check ->flags.fips.
1446 (md_enable, _gcry_md_hash_buffer): Likewise.
1447 (_gcry_md_hash_buffers_extract, _gcry_md_selftest): Likewise.
1448 (_gcry_md_init): Don't modify ->flags.disabled.
1449
1450 doc: Update doc/gcrypt.texi for random/.
1451 + commit 11ef7b50a708b92d94e1e1f47433fc53b3fd2cf3
1452 * doc/gcrypt.texi: Address rndgetentropy module. Remove X9.31 RPNG
1453 documentation, as the implementation has been removed already.
1454
1455 2022-01-03 NIIBE Yutaka <gniibe@fsij.org>
1456
1457 cipher: Add support of Key wrap with padding (KWP).
1458 + commit 2914f169f95467b9c789000105773b38ad2dea5a
1459 * src/gcrypt.h.in (GCRY_CIPHER_EXTENDED): New enum value.
1460 * cipher/cipher-aeswrap.c (wrap): New.
1461 (_gcry_cipher_keywrap_encrypt, unwrap): Use wrap.
1462 (_gcry_cipher_keywrap_encrypt_padding): New.
1463 (_gcry_cipher_keywrap_decrypt): Use unwrap.
1464 (_gcry_cipher_keywrap_decrypt_padding): New.
1465 * cipher/cipher-internal.h: Add declarations.
1466 * cipher/cipher.c (_gcry_cipher_open_internal): Support
1467 GCRY_CIPHER_EXTENDED.
1468 (_gcry_cipher_setup_mode_ops): Extend for GCRY_CIPHER_MODE_AESWRAP.
1469 * tests/aeswrap.c: Add two tests from RFC5649.
1470
1471 2021-12-22 NIIBE Yutaka <gniibe@fsij.org>
1472
1473 build: Update for newer autoconf.
1474 + commit 3204c3827e9840915af2b6cbf603f3cf51664568
1475 * configure.ac (AC_PREREQ): Require >= 2.69.
1476 (AC_CONFIG_HEADERS): Use it, instead of AC_CONFIG_HEADER.
1477 (AC_HEADER_STDC): Remove.
1478 * m4/sys_socket_h.m4: Remove.
1479
1480 2021-12-21 Danny Tsen <dtsen@us.ibm.com>
1481
1482 AES-GCM: Bulk implementation of AES-GCM acceleration for ppc64le.
1483 + commit 7205c715b3e0f6fd0b853e8916d174048f43c03b
1484 * configure.ac: Added p10 assembly implementation file and assiciated file.
1485 * cipher/Makefile.am: Added p10 assembly implementation file and associated
1486 file.
1487 * cipher/rijndael.c: Added p10 function.
1488 * cipher/rijndael-p10le.c: New wrapper file for AES-GCM call.
1489 * cipher/rijndael-gcm-p10le.s: New implementation of AES-GCM bulk function in
1490 Power Assembly.
1491 * src/g10lib.h: Added Power arch 3.1 definition for p10.
1492 * src/hwf-ppc.c: Added Power arch 3.1 definition for p10.
1493 * src/hwfeatures.c: Added Power arch 3.1 definition for p10.
1494
1495 2021-12-21 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
1496
1497 cipher: Fix SM3 avx/bmi2 compilation error.
1498 + commit 3b9f746c2fb16234dffe0582059dfe36b2c21bf8
1499 * cipher/sm3-avx-bmi2-amd64.S: Change K0-K63 macros to signed decimal.
1500
1501 2021-12-17 NIIBE Yutaka <gniibe@fsij.org>
1502
1503 random: Keep --enable-random-daemon, but not its use from runtime.
1504 + commit 27d945084f6926d0ebe8066fb60db785f3a8fb57
1505 * configure.ac (--enable-random-daemon): Don't define
1506 USE_RANDOM_DAEMON, but use the conditional ENABLE_RANDOM_DAEMON.
1507 * src/Makefile.am: Use the conditional ENABLE_RANDOM_DAEMON.
1508
1509 random: Remove random-daemon use remained.
1510 + commit 14f5d73e2731b83b18e9771eb3068c6dbba6f069
1511 * configure.ac (--enable-random-daemon): Fix the message.
1512 * random/random-csprng.c [USE_RANDOM_DAEMON] (initialize_basics):
1513 Remove the dependency to random daemon.
1514 * random/random.h [USE_RANDOM_DAEMON]: Likewise.
1515
1516 fips: Add constructor to run selftests.
1517 + commit 45974d87753978b953940045280e9f28f951dbe0
1518 * src/fips.c (_gcry_fips_to_activate): New.
1519 * src/g10lib.h (_gcry_fips_to_activate): New.
1520 * src/global.c [ENABLE_HMAC_BINARY_CHECK] (_gcry_global_constructor):
1521 New.
1522
1523 2021-12-16 NIIBE Yutaka <gniibe@fsij.org>
1524
1525 Simplify the logic for no_secure_memory.
1526 + commit 209d98dcf66bd7baeca37cd6b13b31c7f00f4625
1527 * src/global.c (_gcry_vcontrol): Don't set NO_SECURE_MEMORY when
1528 FIPS mode is enabled.
1529 (get_no_secure_memory): Remove. Don't touch NO_SECURE_MEMORY,
1530 when examining the variable.
1531 (do_malloc, _gcry_is_secure): Just use NO_SECURE_MEMORY.
1532
1533 2021-12-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
1534
1535 Add SM3 x86-64 AVX/BMI2 assembly implementation.
1536 + commit 0c1d55a84c8970b8568ae645f24ce534bebdb5a4
1537 * cipher/Makefile.am: Add 'sm3-avx-bmi2-amd64.S'.
1538 * cipher/sm3-avx-bmi2-amd64.S: New.
1539 * cipher/sm3.c (USE_AVX_BMI2, ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
1540 (SM3_CONTEXT): Define 'h' as array instead of separate fields 'h1',
1541 'h2', etc.
1542 [USE_AVX_BMI2] (_gcry_sm3_transform_amd64_avx_bmi2)
1543 (do_sm3_transform_amd64_avx_bmi2): New.
1544 (sm3_init): Select AVX/BMI2 transform function if support by HW; Update
1545 to use 'hd->h' as array.
1546 (transform_blk, sm3_final): Update to use 'hd->h' as array.
1547 * configure.ac: Add 'sm3-avx-bmi2-amd64.lo'.
1548
1549 2021-12-10 Jakub Jelen <jjelen@redhat.com>
1550
1551 tests: Include the new input files for tests.
1552 + commit 02583e1216bc7e6f9f4219771bb274d1fe4491c8
1553 * tests/Makefile.am: Include the new .inp files needed for tests
1554
1555 2021-12-09 NIIBE Yutaka <gniibe@fsij.org>
1556
1557 tests,fips: Align the use of variable in_fips_mode.
1558 + commit 7d8403b59a105d2d3e5d0fd9d5d25b7e3b2d2787
1559 * tests/pubkey.c (check_run): Fix use of pkey and skey.
1560 * tests/*.c (in_fips_mode): No initialize by 0.
1561
1562 2021-12-09 Jakub Jelen <jjelen@redhat.com>
1563
1564 Adjust tests for proper disablement of non-approve PK operations.
1565 + commit 5b82f4b4dbf393d0ce901fc9e0c559c488b013cb
1566 * cipher/pubkey.c (_gcry_pk_genkey): Do not allow key generation of
1567 disabled key types
1568 * tests/benchmark.c (elg_bench): Skip Elgamal keys benchmark in FIPS
1569 mode
1570 (dsa_bench): Skip DSA keys benchmarking in FIPS mode
1571 * tests/dsa-rfc6979.c (check_dsa_rfc6979): DSA keys are no longer
1572 allowed in FIPS mode
1573 * tests/fips186-dsa.c (global): Use global in_fips_mode flag
1574 (check_dsa_gen_186_2): Expect DSA keygen fail in FIPS mode
1575 (check_dsa_gen_186_3): Ditto.
1576 (main): Use global fips mode flag.
1577 * tests/keygen.c (check_elg_keys): Verify Elgamal keys can not be
1578 generated in FIPS mode
1579 (check_dsa_keys): Verify DSA keys can not be generated in FIPS mode.
1580 * tests/pubkey.c (get_elg_key_new): Expect key generation to fail in
1581 FIPS mode
1582 (get_dsa_key_new): Expect DSA key generation to fail in FIPS mode
1583 (get_dsa_key_fips186_new): Ditto.
1584 (get_dsa_key_with_domain_new): Ditto.
1585 (get_dsa_key_fips186_with_seed_new): Ditto.
1586 (check_run): Do not try the Elgamal and DSA key operations in FIPS
1587 mode.
1588 * tests/t-dsa.c (one_test_sexp): Skip the DSA tests in FIPS mode.
1589
1590 2021-12-08 NIIBE Yutaka <gniibe@fsij.org>
1591
1592 tests: Add tests for gcry_pk_hash_sign/verify API.
1593 + commit a0a2b6796f58f9aac0fe49100b1ee4c68f9bdc72
1594 * tests/Makefile.am (tests_bin): Add t-dsa t-ecdsa t-rsa-pss t-rsa-15.
1595 * tests/t-dsa.c, tests/t-ecdsa.c: New tests.
1596 * tests/t-rsa-15.c, tests/t-rsa-pss.c: New tests.
1597 * tests/t-dsa.inp, tests/t-ecdsa.inp: New data for tests.
1598 * tests/t-rsa-15.inp, tests/t-rsa-pss.inp: New data for tests.
1599
1600 2021-12-08 Jakub Jelen <jjelen@redhat.com>
1601
1602 fips: Disable DSA in FIPS mode.
1603 + commit ea362090fc11caa28643153fc6444442243c8765
1604 * cipher/dsa.c (run_selftests): Disable DSA spec in FIPS mode.
1605 * src/fips.c (run_pubkey_selftests): Skip DSA power-on selftests.
1606
1607 2021-12-08 NIIBE Yutaka <gniibe@fsij.org>
1608
1609 random: Remove random-fips.c from repo.
1610 + commit 5521cac32d75f2b94894cd5a94deb2c5d25f43a5
1611 * random/random-fips.c: Remove.
1612
1613 2021-12-07 Alexander Kanavin <alex.kanavin@gmail.com>
1614
1615 build: cipher/Makefile.am, doc/Makefile.am: add a missing space.
1616 + commit 05472c1882df2fb84b867c0bdbbff510065785ba
1617 * cipher/Makefile.am: Add a space.
1618 * doc/Makefile.am: Ditto.
1619
1620 2021-12-07 NIIBE Yutaka <gniibe@fsij.org>
1621
1622 md: Fix disabled check.
1623 + commit 8ca3fe07d03e9329ee97534f40208593cde11bf7
1624 * cipher/md.c (md_enable): Fix accessing the disabled flag.
1625
1626 2021-12-07 Jakub Jelen <jjelen@redhat.com>
1627
1628 Properly enforce disablement in other pubkey API.
1629 + commit e96980022e5ec079c9d4e3492eb6a1131c68e0f2
1630 * cipher/pubkey.c (_gcry_pk_encrypt): Fail if algo is disabled
1631 (_gcry_pk_decrypt): Ditto.
1632 (_gcry_pk_sign): Ditto.
1633 (_gcry_pk_sign_md): Ditto.
1634 (_gcry_pk_verify): Ditto.
1635 (_gcry_pk_verify_md): Ditto.
1636 (_gcry_pk_testkey): Ditto.
1637 (_gcry_pk_get_nbits): Ditto.
1638 (_gcry_pk_get_curve): Ditto.
1639 * tests/basic.c (check_pubkey): Test also other API in FIPS mode to
1640 verify they fail as expected.
1641
1642 2021-12-07 NIIBE Yutaka <gniibe@fsij.org>
1643
1644 tests: Add paren for readability.
1645 + commit bea8b9672c3c47c9bffb7edc52fb32cf9091c231
1646 * tests/basic.c (check_pubkey): Add parentheses.
1647
1648 md: Fix checking to use ->disabled instead of ->fips directly.
1649 + commit 3152a565d9a426b6c984e161d1a95a8df347dc15
1650 * cipher/md.c (md_enable): Check by ->disabled.
1651 (_gcry_md_hash_buffer, _gcry_md_hash_buffers_extract): Likewise.
1652
1653 random: Remove use of experimental random daemon.
1654 + commit 754ad5815b5bb7462260414f2bc5f449bee0b1c6
1655 * random/Makefile.am (librandom_la_SOURCES): Remove random-daemon.c.
1656 * random/random-daemon.c: Remove.
1657 * random/rand-internal.h: Remove declarations.
1658 * random/random-csprng.c (_gcry_rngcsprng_set_daemon_socket)
1659 (_gcry_rngcsprng_use_daemon): Remove.
1660 [USE_RANDOM_DAEMON] (_gcry_rngcsprng_randomize): Don't call
1661 _gcry_daemon_randomize.
1662 * random/random.c (_gcry_set_random_daemon_socket)
1663 (_gcry_use_random_daemon): Remove.
1664 * src/global.c (_gcry_vcontrol): Return GPG_ERR_NOT_SUPPORTED.
1665 * tests/benchmark.c (main): Remove support of use_random_daemon.
1666
1667 2021-12-06 NIIBE Yutaka <gniibe@fsij.org>
1668
1669 random: Release memory in DRBG.
1670 + commit 751fcadd34ed42b2e595664e9ec3f88fd074d7b7
1671 * random/random-drbg.c (_gcry_rngdrbg_close_fds): Release DRBG_STATE.
1672
1673 fips: Factor out check_fips_system_setting function.
1674 + commit 5425052f38cd41a99469e4c3245a1c3e037410fe
1675 * src/fips.c (check_fips_system_setting): New.
1676 (_gcry_initialize_fips_mode): Use the new function.
1677
1678 cipher,tests: Consitent use of #if/#endif for algo selection.
1679 + commit b14aaf1a2dc71560e1f7c19ac88a7b16cc491f25
1680 * cipher/cipher.c: Use #if instead of #ifdef for algo.
1681 * cipher/mac-cmac.c: Likewise.
1682 * cipher/mac-hmac.c: Likewise.
1683 * cipher/mac-internal.h: Likewise.
1684 * cipher/mac.c: Likewise.
1685 * tests/basic.c: Likewise.
1686
1687 2021-12-06 Jakub Jelen <jjelen@redhat.com>
1688
1689 tests: Conditionalize other algorithms that might not be built-in.
1690 + commit 57b61b0f4f1be7513ed064a90321849bb9f47f29
1691 * tests/basic.c (check_cbc_mac_cipher): Do not run DES tests without DES
1692 being built-in.
1693 (check_ecb_cipher): Do not run blowfish and DES tests without them
1694 being built-in
1695 (check_cfb_cipher): Do not run DES tests without DES being built-in.
1696 (check_ccm_cipher): Do not run camellia tests without it being
1697 built-in.
1698 (check_ocb_cipher): Do not run Camellia, Twofish and Serpent tests
1699 without them being built-in.
1700 (check_digests): Do not run SM3 tests without them being built-in.
1701 (check_digests): Do not run DES, Camellia and GOST tests without them
1702 being built-in.
1703
1704 tests: Unbreak tests with SM4 disabled.
1705 + commit b601ef4dc9f9a337e3019fc5ad3c7b31fcdc43f3
1706 * tests/basic.c (check_ecb_cipher): Do not run SM4 tests when SM4 is not
1707 built.
1708 (check_ctr_cipher): Ditto.
1709 (check_cfb_cipher): Ditto.
1710 (check_ofb_cipher): Ditto.
1711 (check_ocb_cipher): Ditto.
1712
1713 2021-12-03 NIIBE Yutaka <gniibe@fsij.org>
1714 Jakub Jelen <jjelen@redhat.com>
1715
1716 rsa: Allow e=0 to select 65537 for keygeneration under X931.
1717 + commit e4a450d1d966cf19cc5ba4d772254be08782e463
1718 * cipher/rsa.c (generate_x931): Use e=65537.
1719
1720 2021-12-03 Jakub Jelen <jjelen@redhat.com>
1721
1722 random: Add missing header file to the release tarball.
1723 + commit 78ce1f9e0afe296eab916f1b547f967166f80e10
1724 * random/Makefile.am: Add missing header file.
1725
1726 2021-12-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
1727
1728 gcry_mpi_sub_ui: fix subtracting from negative value.
1729 + commit d5bf106468e6c6b0f33b193abf04590e4e9fc011
1730 * mpi/mpi-add.c (_gcry_mpi_sub_ui): Set output sign bit when 'u'
1731 is negative.
1732 * tests/mpitests.c (test_add): Additional tests for mpi_add_ui; Check
1733 test output and fail if output does not match expected.
1734 (test_sub): Additional tests for mpi_sub_ui; Check test output and fail
1735 if output does not match expected.
1736 (test_mul): Additional tests for mpi_mul_ui; Check test output and fail
1737 if output does not match expected.
1738
1739 2021-12-01 NIIBE Yutaka <gniibe@fsij.org>
1740
1741 tests: Fix basic.c to show useful information on error.
1742 + commit bff9ed54285b9a332382589d89e317da987b5b38
1743 * tests/basic.c (check_ctr_cipher): Assign return value to ERR.
1744 (check_siv_cipher, check_ccm_cipher): Likewise.
1745
1746 2021-12-01 Jakub Jelen <jjelen@redhat.com>
1747
1748 tests: Improve error checking in regards to FIPS.
1749 + commit c8d2b0069e3cc97138c4e09224a84bb6ccf1b6b5
1750 * tests/basic.c (check_cbc_mac_cipher): Improve verbose alignment
1751 (check_ecb_cipher): Improve verbose message alignment.
1752 (check_ctr_cipher): Improve verbose message alignment.
1753 (check_cfb_cipher): Improve verbose message alignment and error
1754 reporting.
1755 (check_ofb_cipher): Improve verbose message alignment and error
1756 reporting.
1757 (_check_gcm_cipher): Improve error checking.
1758 (_check_eax_cipher): Improve error checking.
1759 (check_siv_cipher): Improve error checking.
1760 (check_gcm_siv_cipher): Improve error checking and indentation.
1761 (_check_poly1305_cipher): Improve verbose message alignment.
1762 (check_ccm_cipher): Improve verbose message alignment.
1763 (do_check_ocb_cipher): Improve error checking.
1764 (check_ocb_cipher_largebuf_split): Improve error checking.
1765 (check_ocb_cipher_checksum): Improve error checking.
1766 (check_ocb_cipher_splitaad): Improve error checking.
1767 (check_gost28147_cipher_basic): Improve verbose message alignment.
1768 (check_stream_cipher): Improve verbose message alignment.
1769 (check_one_cipher_core): Improve error checking.
1770 (check_ciphers): Improve error checking.
1771 (check_pubkey): Check explicitly the for failure in FIPS mode.
1772
1773 Disable 3DES in FIPS mode.
1774 + commit 23a58b779e31e6244a481c26096d1ad061eb024c
1775 * cipher/des.c (_gcry_cipher_spec_tripledes): Mark as non-FIPS
1776 * cipher/mac-cmac.c ( _gcry_mac_type_spec_cmac_tripledes): Mark non-FIPS
1777 * src/fips.c (run_cipher_selftests): skip 3DES selftests)
1778 (run_mac_selftests): skip CMAC_3DES selftests
1779 * tests/basic.c (check_cfb_cipher): Do not expect the 3DES working in
1780 FIPS mode
1781
1782 2021-11-30 Jakub Jelen <jjelen@redhat.com>
1783
1784 Implement explicit FIPS indicators for cipher modes.
1785 + commit 3d38968f4b751c5561679040c055c34a690bed75
1786 * src/fips.c (_gcry_fips_indicator): New.
1787 * src/g10lib.h (_gcry_fips_indicator): New declaration.
1788 * src/gcrypt.h.in (gcry_ctl_cmds): New GCRYCTL_FIPS_SERVICE_INDICATOR
1789 * src/global.c (_gcry_vcontrol): Handle GCRYCTL_FIPS_SERVICE_INDICATOR
1790 * tests/basic.c (do_check_ocb_cipher): Check excplicit FIPS indicator
1791 (check_ocb_cipher_largebuf_split): Ditto.
1792 (check_ocb_cipher_checksum): Ditto.
1793 (check_ocb_cipher_splitaad): Ditto.
1794 (check_bulk_cipher_modes): Ditto.
1795
1796 2021-11-24 NIIBE Yutaka <gniibe@fsij.org>
1797
1798 fips: Release random resources after selftests.
1799 + commit 40ab39966650489449bee3e2a68f43a9d38c4dd4
1800 * src/fips.c (_gcry_fips_is_operational): Call _cgry_random_close_fds.
1801
1802 random: Extend semantics of _gcry_random_close_fds.
1803 + commit 204be8a385ae6140175e3b495989a261410c34d0
1804 * random/random-csprng.c (_gcry_rngcsprng_close_fds): Add
1805 de-initialization.
1806 * random/random-drbg.c (_gcry_rngdrbg_close_fds): Likewise.
1807
1808 2021-11-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
1809
1810 Do not build 'cipher/' assembly files when --disable-asm used.
1811 + commit 33f1a7ad3cd13602d8bffe156f383c3a704dfd67
1812 * configure.ac: Collect assembly implementation *.lo files under
1813 GCRYPT_ASM_CIPHERS and GCRYPT_ASM_DIGEST for --disable-asm
1814 selection.
1815
1816 Do not build poly1305-s390x.S on foreign architectures.
1817 + commit f10fa6b9a6ca7565408c4685d88a38893396d02b
1818 * configure.ac [host=s390x-*-*]: Add 'poly1305-s390x.lo'.
1819 * cipher/Makefile.am: Move 'poly1305-s390x.S' to
1820 'EXTRA_libcipher_la_SOURCES'.
1821
1822 jitterentropy: use wipememory for jent_memset_secure.
1823 + commit a44301f6d2051b6b4e20b4459f41aa2b95f8b2b7
1824 * random/jitterentropy-base-user.h (jent_memset_secure): Use wipememory.
1825
1826 jitterentropy: fix building on Win32.
1827 + commit c38ebc3b6c7d6844209a58677379b61750b6504d
1828 * random/jitterentropy.h (jent_notime_ctx): Add #ifdef
1829 JENT_CONF_ENABLE_INTERNAL_TIMER around pthread variables.
1830
1831 2021-11-18 NIIBE Yutaka <gniibe@fsij.org>
1832
1833 tests: Remove tweak for FIPS enabled.
1834 + commit 1183ffdd7a242955c1cc34eef0b02c002202a9ec
1835 * tests/t-secmem.c (test_secmem): Remove the tweak.
1836
1837 jitternetropy: Put our local change to use non-secure memory.
1838 + commit 85cb7375fec39bb9fb195ca0bbe95bbbfd6deb98
1839 * random/jitterentropy-base.c (jent_entropy_collector_alloc_internal):
1840 Let jent_memaccess use normal memory.
1841
1842 build: Fix excess quotation to enable config.status --recheck works.
1843 + commit 17f9eb20c94fd6711370546437b7150dc11a6335
1844 * configure.ac (DEF_HMAC_BINARY_CHECK): Fix quatation.
1845
1846 random: Fix rndgetentropy correctly uses rndjent.
1847 + commit 5493282b4aacd6b466c4ddd366ce9eb4036b3562
1848 * random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Call
1849 _gcry_rndjent_poll for GCRY_VERY_STRONG_RANDOM.
1850
1851 2021-11-17 NIIBE Yutaka <gniibe@fsij.org>
1852
1853 jitterentropy: Use jent_read_entropy_safe for rndjent.
1854 + commit 2101da04924b1361e2a1021b406a519a3bde9aee
1855 * random/rndjent.c (_gcry_rndjent_poll): Use jent_read_entropy_safe.
1856
1857 Fix jent_read_entropy for JENT_CPU_JITTERENTROPY_SECURE_MEMORY.
1858 + commit d0fcb4da98a05097bc0cd6dc7377cb02aaa8b61c
1859 * random/jitterentropy-base.c (jent_read_entropy): Fix conditional
1860 compile.
1861
1862 jitterentropy: Fix for C90 compiler.
1863 + commit cf85258e6aff87f5b0614097b4ff2972ceb703fd
1864 * random/jitterentropy-noise.c (jent_hash_time): Declare hash_loop_cnt
1865 at the beginning of the function.
1866
1867 jitterentropy: Disable use of pthread.
1868 + commit 964c9c5eee30cc45488b88ec4c0199a41861e4aa
1869 * random/jitterentropy.h (JENT_CONF_ENABLE_INTERNAL_TIMER): Undefine.
1870 * random/jitterentropy-base.c [JENT_CONF_ENABLE_INTERNAL_TIMER]
1871 (jent_entropy_switch_notime_impl): Add conditional compilation.
1872 * random/jitterentropy-base-user.h [JENT_CONF_ENABLE_INTERNAL_TIMER]
1873 (jent_yield): Likewise.
1874 * random/jitterentropy.h [JENT_CONF_ENABLE_INTERNAL_TIMER]
1875 (jent_entropy_switch_notime_impl): Likewise.
1876
1877 jitterentropy: Fix building rndjent.
1878 + commit d5ae5229db70f71301a3f3eefdd38a73a4fde499
1879 * random/Makefile.am: Update for new jitterentropy.
1880 * random/rndjent.c: Update to include the other files.
1881
1882 jitterentropy: Merge from jitterentropy-library-3.3.0.
1883 + commit 3bacdac611b9eb3bd5ae8d78156b1110e77e9518
1884 * random/jitterentropy-base.h: New.
1885 * random/jitterentropy-gcd.c: New.
1886 * random/jitterentropy-gcd.h: New.
1887 * random/jitterentropy-health.c: New.
1888 * random/jitterentropy-health.h: New.
1889 * random/jitterentropy-noise.c: New.
1890 * random/jitterentropy-noise.h: New.
1891 * random/jitterentropy-sha3.c: New.
1892 * random/jitterentropy-sha3.h: New.
1893 * random/jitterentropy-timer.c: New.
1894 * random/jitterentropy-timer.h: New.
1895 * random/jitterentropy-base.c: Update.
1896 * random/jitterentropy.h: Update.
1897 * random/jitterentropy-base-user.h: Update, keeping ours mostly.
1898
1899 2021-11-15 Jussi Kivilinna <jussi.kivilinna@iki.fi>
1900
1901 Add intel-pclmul accelerated POLYVAL for GCM-SIV.
1902 + commit 5e0187d84fc16d9ff0fbb0ccd4348657fea90d36
1903 * cipher/cipher-gcm-intel-pclmul.c (gfmul_pclmul_aggr4)
1904 (gfmul_pclmul_aggr8): Move assembly to new GFMUL_AGGRx_ASM* macros.
1905 (GFMUL_AGGR4_ASM_1, GFMUL_AGGR4_ASM_2, gfmul_pclmul_aggr4_le)
1906 (GFMUL_AGGR8_ASM, gfmul_pclmul_aggr8_le)
1907 (_gcry_polyval_intel_pclmul): New.
1908 * cipher/cipher-gcm-siv.c (do_polyval_buf): Use polyval function
1909 if available.
1910 * cipher/cipher-gcm.c (_gcry_polyval_intel_pclmul): New.
1911 (setupM): Setup 'c->u_mode.gcm.polyval_fn' with accelerated polyval
1912 function if available.
1913 * cipher/cipher-internal.h (gcry_cipher_handle): Add member
1914 'u_mode.gcm.polyval_fn'.
1915
1916 2021-11-15 NIIBE Yutaka <gniibe@fsij.org>
1917
1918 random: Include getentropy random module.
1919 + commit ec671cfa239888b67fcafda40b19006b61d9bbf2
1920 * random/rand-internal.h (_gcry_rndgetentropy_gather_random): Add.
1921 * random/random-csprng.c [USE_RNDLINUX] (_gcry_rngcsprng_close_fds)
1922 (getfnc_gather_random): Support getentropy random module.
1923 * random/random-drbg.c: Likewise.
1924 * random/random-fips.c: Likewise.
1925 * random/random-system.c: Likewise.
1926 * src/global.c [USE_RNDLINUX] (print_config): Show getentropy.
1927
1928 build: Support rndgetentropy random module.
1929 + commit e562e34c824dda9ce1c4a0af58e8366699a3d88b
1930 * configure.ac: Add getentropy random module.
1931 * random/Makefile.am (EXTRA_librandom_la_SOURCES): Add.
1932
1933 random:getentropy: Simplify more.
1934 + commit 6de43f11c625de381e75f01ce83cbb2d2634fb35
1935 * random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Remove
1936 'if'.
1937
1938 random:getentropy: Limit the size of buffer in exact size.
1939 + commit cebe5c78a9493c7b4ee894305c0ede0899815e6a
1940 * random/rndgetentropy.c (_gcry_rndgetentropy_gather_random):
1941 Redundant space had no sense.
1942
1943 random: Simplify rndgetentropy.
1944 + commit a8395fd7a40f4d9a8f57154a28cd1cae97e708f2
1945 * random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Simply
1946 call getentropy.
1947
1948 random: Start rnd-getentropy.c.
1949 + commit f36bfe7ec1b2cef7760aa338292fadb93783ced4
1950 * random/rnd-getentropy.c: Copied from rndlinux.c.
1951
1952 2021-11-11 NIIBE Yutaka <gniibe@fsij.org>
1953
1954 tests:pkcs1v2: Skip tests with small keys in FIPS mode.
1955 + commit 1481607cb9db977468a75f9f4638dc1cf3ade007
1956 * tests/pkcs1v2.c (in_fips_mode): New.
1957 (check_oaep): Skip when key size is less than 2048 in FIPS mode.
1958 (check_pss, check_v15crypt, check_v15sign): Likewise.
1959
1960 tests:pubkey: Replace RSA key to one of 2k.
1961 + commit 66119e0c1a024f7cf059393c3db827eb338339b0
1962 * tests/pubkey.c (sample_private_key_1): Use 2k key from basic.c.
1963 (sample_private_key_1_1): Likewise.
1964 (sample_private_key_1_2): Likewise.
1965
1966 2021-11-09 Jakub Jelen <jjelen@redhat.com>
1967
1968 tests: Benchmark also larger RSA keys in FIPS mode.
1969 + commit 2a899b5b84583f2e68bd8564034aa10846810e85
1970 * tests/benchmark.c (rsa_bench): Test also large RSA keys in FIPS mode
1971
1972 tests: Explicit FIPS checking for symmetric algorithms.
1973 + commit fb931073707ed521366f0e4a2e54b3935ce649a3
1974 * tests/basic.c (FLAG_CFB8): New.
1975 (check_ecb_cipher): Introduce new flag and explicitly check for
1976 algorithm functionality in regards to FIPS.
1977 (check_ctr_cipher): Ditto.
1978 (check_cfb_cipher): Replace the cfb8 flag with generic flag and
1979 explicitly check for algorithm funcionality in regards to FIPS.
1980 (check_ofb_cipher): Introduce new flag and explicitly check for
1981 algorithm functionality in regards to FIPS.
1982 (_check_poly1305_cipher): Explicitly check functionality in regards to
1983 FIPS mode.
1984 (check_ccm_cipher): Introduce new flag and explicitly check for
1985 algorithm functionality in regards to FIPS.
1986 (check_gost28147_cipher_basic): Explicitly check functionality in
1987 regards to FIPS mode.
1988 (check_stream_cipher_large_block): Explicitly check functionality in
1989 regards to FIPS mode.
1990
1991 2021-11-08 NIIBE Yutaka <gniibe@fsij.org>
1992
1993 dsa: Add checks in FIPS mode.
1994 + commit df66bd94e6e3650216b0d179d79d4c296f173855
1995 * cipher/dsa.c (dsa_check_keysize): New.
1996 (generate_fips186): Add call to dsa_check_keysize.
1997 (dsa_sign, dsa_verify): Likewise.
1998 * tests/benchmark.c (dsa_bench): Skip 1024-bit.
1999 * tests/dsa-rfc6979.c (check_dsa_rfc6979): 1024-bit
2000 now fails.
2001 * tests/fips186-dsa.c (main): Only test check_dsa_gen_186_3 in FIPS
2002 mode.
2003
2004 2021-11-08 Jakub Jelen <jjelen@redhat.com>
2005
2006 tests: Add 2k RSA key working in FIPS mode.
2007 + commit 1f45fec2082247f3634af050f1fdbf0a5858cf46
2008 * tests/basic.c (check_pubkey): The 1k RSA keys are no longer supposed
2009 to be working so have a new 2k one that should work. Taken from
2010 ciper/rsa.c's sample_secret_key.
2011
2012 2021-11-08 Jakub Jelen <jjelen@redhat.com>
2013 NIIBE Yutaka <gniibe@fsij.org>
2014
2015 rsa: Check keylen constraints for key operations.
2016 + commit 40d63d09b2d06631f4d2c3d1b167a620d50c99f8
2017 * cipher/rsa.c (rsa_check_keysize): New.
2018 (generate_fips): Factor out the bits check.
2019 (rsa_encrypt): Add checking key length.
2020 (rsa_decrypt, rsa_sign, rsa_verify): Likewise.
2021
2022 2021-11-08 NIIBE Yutaka <gniibe@fsij.org>
2023 NIIBE Yutaka <gniibe@fsij.org>
2024
2025 tests: Expect errors from algorithms not supported in FIPS mode.
2026 + commit cc3571a1f2244bdf829d7d16dd546131711eb8a9
2027 * tests/basic.c (FLAG_NOFIPS): New.
2028 (check_pubkey_sign): Pass and handle NOFIPS flag.
2029 (check_pubkey_sign_ecdsa): Likewise.
2030 (check_pubkey_crypt): Likewise.
2031 (do_check_one_pubkey): Pass flags.
2032 (check_pubkey): Mark explicitly algorithms expected not to work in
2033 FIPS mode and make sure they fail.
2034
2035 2021-11-08 NIIBE Yutaka <gniibe@fsij.org>
2036
2037 tests: Fix basic.c:check_pubkey.
2038 + commit 1b29be8e7e49a6ee04734b86db5732dc3eaca84b
2039 * tests/basic.c (check_pubkey): Don't call check_one_pubkey_new
2040 multiple times.
2041
2042 2021-11-08 Jakub Jelen <jjelen@redhat.com>
2043
2044 cipher: Respect the disabled flag of pubkey algorithms.
2045 + commit ff5ab6a809345112f02a6037957ef21bc4bf3bce
2046 * cipher/pubkey.c (check_pubkey_algo): Check the disabled flag before
2047 using the algorithm.
2048
2049 2021-11-05 Jakub Jelen <jjelen@redhat.com>
2050
2051 doc: Reference the new FIPS 140-3.
2052 + commit 976673425784eb2d056a4dbbe13b6d2ca5f8cbf2
2053 * doc/gcrypt.texi: Replace -2 with -3
2054 * cipher/ecc-curves.c: Replace -2 with -3
2055
2056 2021-11-01 NIIBE Yutaka <gniibe@fsij.org>
2057
2058 cipher:md: Check digest algo is supported when FIPS enabled.
2059 + commit cfd1dd6a838f70324a749dad0d589bc2dbe33651
2060 * cipher/md.c (_gcry_md_hash_buffer): Check for FIPS for
2061 hash_buffers method case.
2062 (_gcry_md_hash_buffers_extract): Likewise.
2063
2064 2021-10-29 NIIBE Yutaka <gniibe@fsij.org>
2065
2066 mpi: Allow opaque MPI with zero length.
2067 + commit 34d55589b7d91a239435d77e3d45cf0deeba59b6
2068 * mpi/mpiutil.c (_gcry_mpi_copy): Support zero length.
2069
2070 2021-10-25 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2071
2072 tests/bench-slope: avoid divide by zero.
2073 + commit ecd4d348ac87c073ced38eb1e6dbec03b532cdf2
2074 * tests/bench-slope.c (safe_div): New.
2075 (get_slope): Make static; Skip if number of points is too small; Use
2076 safe_div.
2077 (do_slope_benchmark): Retry benchmark if result does not make sense;
2078 Limit retries to 4 for non-auto-ghz and 1000 for auto-ghz.
2079 (get_auto_ghz, do_slope_benchmark, bench_print_result_csv)
2080 (bench_print_result_std): Use safe_div.
2081
2082 md: clear context with wipememory to avoid false warning.
2083 + commit 5881114e08601745857a68bc3318f3421155f645
2084 * cipher/md.c (md_open): Initialize ctx with wipememory2 instead
2085 of memset.
2086
2087 cipher/sha512: fix 'accessing 64 bytes in a region of size 8' warnings.
2088 + commit 6333cdeee5c1ca5bd4255f9cdcd266db314a2122
2089 * cipher/sha512.c (SHA512_STATESHA256_CONTEXT): Replace h0-h7 with h[8].
2090 (do_sha512_transform_i386_ssse3, do_sha512_transform_ppc8)
2091 (do_sha512_transform_ppc9, do_sha512_transform_s390x)
2092 (do_sha512_final_s390x, sha512_init, sha384_init, sha512_256_init)
2093 (sha512_224_init, do_transform_generic, sha512_final): Convert use
2094 of h0-h7 to h[0]-h[7].
2095
2096 poly1305: fix building with 'arm-linux-gnueabihf-gcc-11 -O3'
2097 + commit e4ce7ad0ecf6c356fa377e139d08c4dbcf6bf533
2098 * cipher/poly1305.c [HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS]
2099 (ADD_1305_32): Reduce number of register operands.
2100
2101 2021-10-20 NIIBE Yutaka <gniibe@fsij.org>
2102
2103 cipher: Reject SHA-1 for hash+sign/verify when FIPS enabled.
2104 + commit a23cf78102f3200dc441a3123c3fbeaa28f38b50
2105 * cipher/pubkey.c (_gcry_pk_sign_md): Reject SHA-1 when FIPS.
2106 (_gcry_pk_verify_md): Likewise.
2107
2108 2021-10-15 NIIBE Yutaka <gniibe@fsij.org>
2109
2110 doc: Add entries for hash+sign functions.
2111 + commit 8f31f652d453f480d4d2559dfa17e7bd42145a49
2112
2113
2114 2021-10-15 Jakub Jelen <jjelen@redhat.com>
2115
2116 fips: Improve selftests invocation.
2117 + commit d45db4ad16fec0fe7d32aae60f356a386fbf909b
2118 * src/fips.c (run_digest_selftests): Skip SHA256 selftest if they were
2119 already executed as part of the integrity check.
2120 (run_mac_selftests): Skip HMAC-SHA256 selftest if they were already
2121 executed as part of the integrity check.
2122 (run_hmac_sha256_selftests): Run SHA256 selftest too.
2123 (_gcry_fips_run_selftests): Run the sha256 selftests regardless of the
2124 fips mode status.
2125
2126 2021-10-14 Jakub Jelen <jjelen@redhat.com>
2127
2128 fips: Verify library integrity before running selftests.
2129 + commit d2c68849d19bd0ed4c8c3c040c5939737aa15981
2130 * src/fips.c (run_hmac_sha256_selftests): New function.
2131 (_gcry_fips_run_selftests): Move integrity check earlier and run
2132 HMAC-SHA256 tests before that.
2133
2134 cipher: Allow generation of RSA keys > 2k.
2135 + commit bba63fab1a22232e494d3de93d74280d300faf8d
2136 * cipher/rsa.c (generate_fips): Allow any larger key than 2k in FIPS
2137 mode.
2138
2139 2021-10-12 NIIBE Yutaka <gniibe@fsij.org>
2140
2141 build: Support specifying HMAC key by --enable-hmac-binary-check.
2142 + commit 10e02b90f65f3a85d72a719806b9d8873377c1a4
2143 * configure.ac (DEF_HMAC_BINARY_CHECK): New SUBSTITUTION.
2144 (DL_LIBS): Fix the condition.
2145 * src/Makefile.am (libgcrypt_la_CFLAGS): Use DEF_HMAC_BINARY_CHECK.
2146 (hmac256_CFLAGS): Likewise.
2147
2148 2021-10-11 NIIBE Yutaka <gniibe@fsij.org>
2149
2150 build: Use KEY_FOR_BINARY_CHECK for --enable-hmac-binary-check.
2151 + commit 0709359657633271c8c018d67b40d9052c630022
2152 * src/fips.c (KEY_FOR_BINARY_CHECK): Allow supplying externally.
2153 * src/hmac256.c: Use KEY_FOR_BINARY_CHECK macro.
2154
2155 2021-10-08 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2156
2157 cipher/sha256: fix 'accessing 32 bytes in a region of size 4' warnings.
2158 + commit 95425c6b0b96a4d2eae4e2a55a23d293b08f7993
2159 * cipher/sha256.c (SHA256_CONTEXT): Replace h0-h7 with h[8].
2160 (do_sha256_transform_amd64_ssse3, do_sha256_transform_amd64_avx)
2161 (do_sha256_transform_amd64_avx2, do_sha256_transform_intel_shaext)
2162 (do_sha256_transform_armv8_ce, do_sha256_transform_ppc8)
2163 (do_sha256_transform_ppc9, do_sha256_transform_s390x)
2164 (do_sha256_final_s390x, sha256_init, sha224_init)
2165 (do_transform_generic, sha256_final): Convert use of h0-h7 to h[0]-h[7].
2166
2167 2021-10-07 NIIBE Yutaka <gniibe@fsij.org>
2168
2169 cipher: Add sign+hash, verify+hash, and random-override API.
2170 + commit 082ea0efa9b129e8ca7703eeb6b1c9325caeedfd
2171 * cipher/pubkey.c (_gcry_pk_sign_md, _gcry_pk_verify_md): New.
2172 (_gcry_pk_random_override_new): New.
2173 (_gcry_pk_get_random_override): New.
2174 * src/gcrypt-int.h: Add those routines.
2175 * src/context.h (CONTEXT_TYPE_RANDOM_OVERRIDE): New.
2176 * src/context.c (_gcry_ctx_alloc, _gcry_ctx_release): Handle
2177 CONTEXT_TYPE_RANDOM_OVERRIDE.
2178 * src/gcrypt.h.in (gcry_error_t gcry_pk_hash_sign): New.
2179 (gcry_error_t gcry_pk_hash_verify): New.
2180 (gcry_pk_random_override_new): New.
2181 * src/libgcrypt.def, src/libgcrypt.vers: Update.
2182 * src/visibility.c (gcry_pk_hash_sign, gcry_pk_hash_verify): New.
2183 (gcry_pk_random_override_new): New.
2184 * src/visibility.h: Add those routines.
2185
2186 cipher:dsa,ecdsa: Support supplying K externally.
2187 + commit 16a9eaad5d1add3a95b1da6e037b074f18b094c7
2188 * cipher/dsa.c (sign): Add an argument K for DSA.
2189 (test_keys, dsa_sign): Follow the change.
2190 * cipher/ecc-common.h (_gcry_ecc_ecdsa_sign): Likewise for ECDSA.
2191 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise for ECDSA.
2192 * cipher/ecc.c (test_keys, ecc_sign): Follow the change.
2193 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support "label"
2194 for K.
2195
2196 2021-10-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2197
2198 Fix building for Win64 target.
2199 + commit 9fc0d145278d46bb129660a57b7ca2f94577d461
2200 * random/random-csprng.c [HAVE_W32_SYSTEM]: Include <windows.h>.
2201 * tests/bench-slope.c [_WIN32]: Include <windows.h>.
2202
2203 2021-10-05 NIIBE Yutaka <gniibe@fsij.org>
2204
2205 build,gcrypt.h: Don't define gcry_socklen_t.
2206 + commit 71d4d592d8910ea6f9e091ae578cf68907cb5758
2207 * configure.ac (FALLBACK_SOCKLEN_T): Remove.
2208 * src/gcrypt.h.in: Remove FALLBACK_SOCKLEN_T.
2209
2210 build,gcrypt.h: Remove INSERT_SYS_SELECT_H.
2211 + commit 0f43570af93e56bdd4a4b2bf6eef722d0bff4a4f
2212 * configure.ac (INSERT_SYS_SELECT_H): Remove.
2213 Remove checking sys/select.h.
2214 * src/gcrypt.h.in: Remove INSERT_SYS_SELECT_H.
2215
2216 2021-10-05 NIIBE Yutaka <gniibe@fsij.org>
2217 Tomáš Mráz <tm@t8m.info>
2218
2219 random: Use poll instead of select.
2220 + commit 7da42a8e8cc587ced46dffefc8448c8a286b1ca0
2221 * random/rndlinux.c (open_device): Use poll.
2222 (_gcry_rndlinux_gather_random): Use poll.
2223
2224 2021-09-27 Werner Koch <wk@gnupg.org>
2225
2226 tests: Remove old CAVS test scripts.
2227 + commit db928d97b4b69f9aa1fee3c2a38a138534608c89
2228 * tests/cavs_driver.pl: Remove.
2229 * tests/cavs_tests.sh: Remove.
2230 * tests/Makefile.am (EXTRA_DIST): Remove them.
2231
2232 2021-09-27 NIIBE Yutaka <gniibe@fsij.org>
2233
2234 libtool: Link without -flat_namespace for macOS.
2235 + commit c9cebf3d1824d6ec90fd864a744bb81c97ac7d31
2236 * m4/libtool.m4: Do not set MACOSX_DEPLOYMENT_TARGET to 10.0 when it is
2237 not defined. Only specify -flat_namespace to the linker for specific
2238 (older) versions and hosts.
2239
2240 2021-09-24 NIIBE Yutaka <gniibe@fsij.org>
2241
2242 build: Add hmac256.h to distribution.
2243 + commit 9511f469363b629a06e1f3dab6ee4ba333e72b93
2244 * src/Makefile.am (hmac256_SOURCES): Add hmac256.h.
2245
2246 2021-09-20 Jakub Jelen <jjelen@redhat.com>
2247
2248 Allow passing FIPS module version.
2249 + commit c74fde0c3f6114c594332fb28a09c7b817969231
2250 * README: Document new --with-fips-module-version=version switch.
2251 * configure.ac: Implementation of the --with-fips-module-version.
2252 * src/global.c (print_config): Print FIPS module version from above.
2253
2254 Remove the forced fips mode.
2255 + commit 3f4dd47ba74e0a9f18feba1809eeddff8790707e
2256 * cipher/rsa.c (generate_fips): Drop reference to enforced FIPS mode and
2257 use normal FIPS mode check.
2258 * doc/gcrypt.texi: Drop references to enforced FIPS mode.
2259 * src/fips.c (enforced_fips_mode): Removed.
2260 (_gcry_initialize_fips_mode): Remove reading of the FIPS_FORCE_FILE
2261 to enforce FIPS mode.
2262 (_gcry_enforced_fips_mode): Remove.
2263 (_gcry_set_enforced_fips_mode): Remove.
2264 * src/g10lib.h (_gcry_enforced_fips_mode): Remove declaration.
2265 (_gcry_set_enforced_fips_mode): Remove declaration.
2266 * src/global.c (print_config): Remove the forced FIPS flag.
2267 (_gcry_vcontrol): Deprecate GCRYCTL_SET_ENFORCED_FIPS_FLAG.
2268 (get_no_secure_memory): Ignore the option in FIPS mode.
2269
2270 Remove a way to inactivate FIPS mode.
2271 + commit edbc1dd10bc3e1fcc0e355fe1a9c4c8769f51daf
2272 * cipher/md.c (_gcry_md_hash_buffer): Remove inactivation of FIPS mode
2273 when MD5 is used.
2274 (_gcry_md_hash_buffers_extract): Ditto.
2275 * src/fips.c (gcry_is_fips_mode_inactive): Removed.
2276 (_gcry_inactivate_fips_mode): Removed.
2277 (_gcry_is_fips_mode_inactive): Removed.
2278 * src/g10lib.h (_gcry_inactivate_fips_mode): Remove declaration.
2279 (_gcry_is_fips_mode_inactive): Remove declaration.
2280 * global.c (_gcry_vcontrol): Update the GCRYCTL_FIPS_MODE_P.
2281 (_gcry_set_allocation_handler): Silently ignore custom allocation
2282 handlers in FIPS mode.
2283
2284 2021-09-16 Jakub Jelen <jjelen@redhat.com>
2285
2286 tests: Improve FIPS detection in curves test.
2287 + commit fd116968ef2dcecb4058be2b2b3e8ab90f1e3181
2288 * tests/curves.c (check_matching): When FIPS mode enabled, skip a test
2289 with sample_key_2, which uses brainpoolP160r1 curve.
2290 (check_get_params): Replace "error_expected" field with "flags" to hold
2291 TEST_ERROR_EXPECTED and/or TEST_NOFIPS. Put TEST_NOFIPS flags for
2292 non-FIPS curves. When FIPS mode enabled, don't skip supported curves.
2293
2294 tests: Fix typo in comment.
2295 + commit f9ae351c954c01a382c8ac915298efa25fc45177
2296 * tests/curves.c: Fix typo in comment.
2297
2298 2021-09-14 NIIBE Yutaka <gniibe@fsij.org>
2299
2300 cipher: Fix support of sha512-224 and sha512-256.
2301 + commit d04b1be9edacd7be6f03faba6f4d6c44c4247eb7
2302 * cipher/pubkey-util.c (get_hash_algo): Add.
2303
2304 * cipher/sha512.c (sha512_256_asn, sha512_224_asn): Fill correct values.
2305
2306 cipher: Support internal hashing with "prehash" for RSA PKCS#1.
2307 + commit 422031a5943f2e698036e3c0df5955c585f22c16
2308 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support internal
2309 hashing.
2310
2311 2021-09-13 Werner Koch <wk@gnupg.org>
2312
2313 cipher: Clear AESWRAP scratch area immediately after use.
2314 + commit df4fe02794bb3511f7006d641e99736bad091c58
2315 * cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_decrypt): Call
2316 wipememory.
2317
2318 2021-08-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2319
2320 Add ARMv8-CE HW acceleration for GCM-SIV counter mode.
2321 + commit 47e425e07995454573e28c13c08229d2f8a75642
2322 * cipher/rijndael-armv8-aarch32-ce.S
2323 (_gcry_aes_ctr32le_enc_armv8_ce): New.
2324 * cipher/rijndael-armv8-aarch64-ce.S
2325 (_gcry_aes_ctr32le_enc_armv8_ce): New.
2326 * cipher/rijndael-armv8-ce.c
2327 (_gcry_aes_ctr32le_enc_armv8_ce)
2328 (_gcry_aes_armv8_ce_ctr32le_enc): New.
2329 * cipher/rijndael.c
2330 (_gcry_aes_armv8_ce_ctr32le_enc): New prototype.
2331 (do_setkey): Add setup of 'bulk_ops->ctr32le_enc' for ARMv8-CE.
2332
2333 Add x86 HW acceleration for GCM-SIV counter mode.
2334 + commit 33aebb30d210768d510a2843d9cc0c0ecd4237d1
2335 * cipher/cipher-gcm-siv.c (do_ctr_le32): Use bulk function if
2336 available.
2337 * cipher/cipher-internal.h (cipher_bulk_ops): Add 'ctr32le_enc'.
2338 * cipher/rijndael-aesni.c (_gcry_aes_aesni_ctr32le_enc): New.
2339 * cipher/rijndael-vaes-avx2-amd64.S
2340 (_gcry_vaes_avx2_ctr32le_enc_amd64, .Lle_addd_*): New.
2341 * cipher/rijndael-vaes.c (_gcry_vaes_avx2_ctr32le_enc_amd64)
2342 (_gcry_aes_vaes_ctr32le_enc): New.
2343 * cipher/rijndael.c (_gcry_aes_aesni_ctr32le_enc)
2344 (_gcry_aes_vaes_ctr32le_enc): New prototypes.
2345 (do_setkey): Add setup of 'bulk_ops->ctr32le_enc' for AES-NI and
2346 VAES.
2347 * tests/basic.c (check_gcm_siv_cipher): Add large test-vector for
2348 bulk ops testing.
2349
2350 Add AES-GCM-SIV mode (RFC 8452)
2351 + commit 1b8994c4ecf2cb53fff46fa84a95a7c259e7cec7
2352 * cipher/Makefile.am: Add 'cipher-gcm-siv.c'.
2353 * cipher/cipher-gcm-siv.c: New.
2354 * cipher/cipher-gcm.c (_gcry_cipher_gcm_setupM): New.
2355 * cipher/cipher-internal.h (gcry_cipher_handle): Add 'siv_keylen'.
2356 (_gcry_cipher_gcm_setupM, _gcry_cipher_gcm_siv_encrypt)
2357 (_gcry_cipher_gcm_siv_decrypt, _gcry_cipher_gcm_siv_set_nonce)
2358 (_gcry_cipher_gcm_siv_authenticate)
2359 (_gcry_cipher_gcm_siv_set_decryption_tag)
2360 (_gcry_cipher_gcm_siv_get_tag, _gcry_cipher_gcm_siv_check_tag)
2361 (_gcry_cipher_gcm_siv_setkey): New prototypes.
2362 (cipher_block_bswap): New helper function.
2363 * cipher/cipher.c (_gcry_cipher_open_internal): Add
2364 'GCRY_CIPHER_MODE_GCM_SIV'; Refactor mode requirement checks for
2365 better size optimization (check pointers & blocksize in same order
2366 for all).
2367 (cipher_setkey, cipher_reset, _gcry_cipher_setup_mode_ops)
2368 (_gcry_cipher_setup_mode_ops, _gcry_cipher_info): Add GCM-SIV.
2369 (_gcry_cipher_ctl): Handle 'set decryption tag' for GCM-SIV.
2370 * doc/gcrypt.texi: Add GCM-SIV.
2371 * src/gcrypt.h.in (GCRY_CIPHER_MODE_GCM_SIV): New.
2372 (GCRY_SIV_BLOCK_LEN, gcry_cipher_set_decryption_tag): Add to comment
2373 that these are also for GCM-SIV in addition to SIV mode.
2374 * tests/basic.c (check_gcm_siv_cipher): New.
2375 (check_cipher_modes): Check for GCM-SIV.
2376 * tests/bench-slope.c (bench_gcm_siv_encrypt_do_bench)
2377 (bench_gcm_siv_decrypt_do_bench, bench_gcm_siv_authenticate_do_bench)
2378 (gcm_siv_encrypt_ops, gcm_siv_decrypt_ops)
2379 (gcm_siv_authenticate_ops): New.
2380 (cipher_modes): Add GCM-SIV.
2381 (cipher_bench_one): Check key length requirement for GCM-SIV.
2382
2383 Add SIV mode (RFC 5297)
2384 + commit 659a208cb065d686f60e2c4f51856f460d6b44f5
2385 * cipher/Makefile.am: Add 'cipher-siv.c'.
2386 * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Rename to
2387 _gcry_cipher_ctr_encrypt_ctx and add algo context parameter.
2388 (_gcry_cipher_ctr_encrypt): New using _gcry_cipher_ctr_encrypt_ctx.
2389 * cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.siv'.
2390 (_gcry_cipher_ctr_encrypt_ctx, _gcry_cipher_siv_encrypt)
2391 (_gcry_cipher_siv_decrypt, _gcry_cipher_siv_set_nonce)
2392 (_gcry_cipher_siv_authenticate, _gcry_cipher_siv_set_decryption_tag)
2393 (_gcry_cipher_siv_get_tag, _gcry_cipher_siv_check_tag)
2394 (_gcry_cipher_siv_setkey): New.
2395 * cipher/cipher-siv.c: New.
2396 * cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
2397 (cipher_reset, _gcry_cipher_setup_mode_ops, _gcry_cipher_info): Add
2398 GCRY_CIPHER_MODE_SIV handling.
2399 (_gcry_cipher_ctl): Add GCRYCTL_SET_DECRYPTION_TAG handling.
2400 * doc/gcrypt.texi: Add documentation for SIV mode.
2401 * src/gcrypt.h.in (GCRYCTL_SET_DECRYPTION_TAG): New.
2402 (GCRY_CIPHER_MODE_SIV): New.
2403 (gcry_cipher_set_decryption_tag): New.
2404 * tests/basic.c (check_siv_cipher): New.
2405 (check_cipher_modes): Add call for 'check_siv_cipher'.
2406 * tests/bench-slope.c (bench_encrypt_init): Use double size key for
2407 SIV mode.
2408 (bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
2409 (bench_aead_authenticate_do_bench): Reset cipher context on each run.
2410 (bench_aead_authenticate_do_bench): Support nonce-less operation.
2411 (bench_siv_encrypt_do_bench, bench_siv_decrypt_do_bench)
2412 (bench_siv_authenticate_do_bench, siv_encrypt_ops)
2413 (siv_decrypt_ops, siv_authenticate_ops): New.
2414 (cipher_modes): Add SIV mode benchmarks.
2415 (cipher_bench_one): Restrict SIV mode testing to 16 byte block-size.
2416
2417 mpi/longlong: fix variable shadowing from MIPS umul_ppmm macros.
2418 + commit 9e3b0446653fda6912e91fae84883cdbefdc2195
2419 * mpi/longlong.h [__mips__ && W_TYPE_SIZE == 32] (umul_ppmm): Rename
2420 temporary variable '_r' to '__r'.
2421 [__mips__ && W_TYPE_SIZE == 64] (umul_ppmm): Ditto.
2422
2423 2021-08-23 NIIBE Yutaka <gniibe@fsij.org>
2424
2425 cipher: Use offsetof for allocation of gcry_md_context.
2426 + commit 581e04386d875672ba6c3fc4a4232ca72bc46c8c
2427 * cipher/md.c (md_open): Allocate exact space for the allocation and
2428 use offsetof for the calculation.
2429
2430 2021-08-19 NIIBE Yutaka <gniibe@fsij.org>
2431
2432 hmac: Don't have the second implementation of hmac256.
2433 + commit c9acca865ba4abaa4443712f87fb8926fe7ad8b7
2434 * src/Makefile.am (libgcrypt_la_SOURCES): Remove hmac256.
2435 * cipher/mac-hmac.c (selftests_sha256): Remove the tests.
2436
2437 fips: Don't use gcry_check_version for integrity check any more.
2438 + commit c11788e5641be26371adc90f63e5a191cfc796f8
2439 * src/visibility.h [FIPS_FORCE_FILE]: Remove ifdef/endif.
2440
2441 fips: Use a .rodata1 section integrity check with hmac256.
2442 + commit f02dc5235e4751c57b16683ee9a8ef53014c6d13
2443 * src/fips.c (hmac256_check): New.
2444 (check_binary_integrity): Use hmac256_check.
2445
2446 build: Generate hash for integrity check with hmac256 (2).
2447 + commit 24aaded244a2b9427f2e90e4bf7adf086e0e0fef
2448 * src/Makefile.am (libgcrypt.la.done): Use the rodata1 section.
2449 * src/fips.c (_gcry_fips_run_selftests): Only enable
2450 check_binary_integrity by ENABLE_HMAC_BINARY_CHECK.
2451 [ENABLE_HMAC_BINARY_CHECK] (hmac_for_the_implementation): New.
2452 [ENABLE_HMAC_BINARY_CHECK] (check_binary_integrity): Use
2453 hmac_for_the_implementation in rodata.
2454
2455 2021-08-18 NIIBE Yutaka <gniibe@fsij.org>
2456
2457 build: Generate hash for integrity check with hmac256.
2458 + commit 3c89aad4a0d7f836fd747d4e2f0edfbf648ae318
2459 * configure.ac [ENABLE_HMAC_BINARY_CHECK]: Check objcopy.
2460 (USE_HMAC_BINARY_CHECK): New Automake conditional.
2461
2462 * src/Makefile.am (libgcrypt.la.done): New target.
2463 [USE_HMAC_BINARY_CHECK] (libgcrypt.so.hmac): Compute the hash.
2464 [USE_HMAC_BINARY_CHECK] (libgcrypt.la.done): Add .hmac section.
2465
2466 hmac: Fix hmac256 command option handling.
2467 + commit 07c21dd7d134e6403c9ee4e09250ec577c9b2867
2468 * src/hmac256.c (main): Fix use of --stdkey.
2469
2470 cipher: Fix the order of fields of gcry_md_context.
2471 + commit cbbdc015bf522d4aff656ff0417b83144ab4bb2a
2472 * cipher/md.c (struct gcry_md_context): Fix for better memory usage.
2473
2474 2021-08-17 Jakub Jelen <jjelen@redhat.com>
2475
2476 tests: Generating large-enough DSA keys works in FIPS mode.
2477 + commit 6e40fca726357f13790065a27e2a0b333129fc54
2478 Commit a93d678f previously added this condition, but the DSA key size
2479 changed since then to 2k, which is still allowed.
2480
2481 * tests/pubkey.c (get_dsa_key_with_domain_new): DSA keys still work in
2482 FIPS mode.
2483
2484 dsa: Drop dead code.
2485 + commit 564e51fde71116757cdb6bc813aacf481bb826ed
2486 * cipher/dsa.c (generate): This function is never called in FIPS mode.
2487
2488 rsa: Do not allow 1024 RSA keys in FIPS mode.
2489 + commit 034055ffdca28602a40c4d0b5997173e8597af18
2490 Previously, the condition was in generate_std, which is never called in
2491 FIPS mode.
2492
2493 * cipher/rsa.c (generate_std): Remove dead code as FIPS is using
2494 'generate_fips'.
2495 (generate_fips): Do not allow 1024 bit key generation.
2496
2497 tests: Avoid confusing 'success' on error message.
2498 + commit 588b8bb6ef091db299ff2eade295d3119b62283a
2499 * tests/pubkey.c (get_dsa_key_with_domain_new): Remove bogus "success"
2500 on error.
2501
2502 2021-08-17 NIIBE Yutaka <gniibe@fsij.org>
2503
2504 fips: Fix tests in fips mode and non-fips mode.
2505 + commit 2ae56abd0eb60d755509d82155f52263bf2e37e8
2506 * tests/t-secmem.c (test_secmem): Only tweak when FIPS enabled.
2507
2508 2021-08-16 NIIBE Yutaka <gniibe@fsij.org>
2509
2510 tests: Skip tests when FIPS for keygrip computations.
2511 + commit 44c7c41af21c668826280abfee1257853020ba2d
2512 * tests/keygrip.c (check): Skip non-FIPS curves when FIPS.
2513 (main): Check if FIPS is enabled.
2514
2515 cipher: Raise an error for non-approved digests correctly.
2516 + commit acc1598ea891180660d1a531823a1b5385e7f4e6
2517 * cipher/md.c (md_enable): Remove check if it's enforced or not.
2518
2519 fips: Fix tests in fips mode.
2520 + commit 347817438990b7adf22dc71e4fb581e3232f03a7
2521 * src/global.c (_gcry_vcontrol): Don't check NO_SECURE_MEMORY for
2522 GCRYCTL_FIPS_MODE_P.
2523 * tests/t-secmem.c (test_secmem): Use smaller value.
2524
2525 2021-08-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2526
2527 tests/bench-slope: allow non-FIPS ECC benchmarking in non-FIPS mode.
2528 + commit a5982e35088a382b49c0e95e9a87365202267601
2529 * tests/bench-slope.c (_ecc_bench): Check for 'in_fips_mode'.
2530
2531 2021-08-06 NIIBE Yutaka <gniibe@fsij.org>
2532
2533 fips: Fix check_binary_integrity.
2534 + commit ca6797c5c5c61a0eae1f5aa82988d4870fe5edab
2535 * src/fips.c: Define FIPS_FORCE_FILE macro earlier.
2536 (check_binary_integrity): Use the address of gcry_check_version.
2537 * src/visibility.h [FIPS_FORCE_FILE] (gcry_check_version): Allow
2538 internal use of exported function.
2539
2540 2021-08-05 NIIBE Yutaka <gniibe@fsij.org>
2541
2542 build: Update checking headers.
2543 + commit 538090d829483696de6342f2ea564b2e25d6a294
2544 * configure.ac (AC_CHECK_HEADERS): Remove sys/msg.h.
2545
2546 2021-08-03 NIIBE Yutaka <gniibe@fsij.org>
2547
2548 tests: Fix values for DSA with larger key length.
2549 + commit 8bf9ade071b80c1141d4a76d1b51b9a235b8b340
2550 * tests/pubkey.c (get_dsa_key_with_domain_new): Update.
2551
2552 fips: Support LIBGCRYPT_FORCE_FIPS_MODE envvar.
2553 + commit 7ac72ebaf7f723203c5fe9befa249e9bcc78ee92
2554 * src/fips.c (_gcry_initialize_fips_mode): Check the
2555 environment variable LIBGCRYPT_FORCE_FIPS_MODE.
2556
2557 2021-07-29 Jakub Jelen <jjelen@redhat.com>
2558
2559 tests: Verify unsupported KDF tests fail in FIPS mode.
2560 + commit 0ab4e8063729147fb9abd463055785aac831bf5c
2561 * tests/t-kdf.c (check_pbkdf2): Verify tests based on algorithms
2562 unsupported in FIPS mode fail.
2563
2564 cipher: Do not use non-approved digests in FIPS mode.
2565 + commit 0f118c2dfb8e1236893c30a9b86e7e231c8e5758
2566 * cipher/md.c (md_enable): Block all non-approved digest algorithms, not
2567 only the MD5 and do not drop from FIPS mode if not enforced.
2568
2569 tests: Generating DSA from domain should fail in FIPS mode.
2570 + commit a93d678fa5a349600fabdce3fbe5919837cdc282
2571 * tests/pubkey.c (get_dsa_key_with_domain_new): Expect failure in FIPS
2572 mode.
2573 (check_x931_derived_key): Simplify testing for FIPS mode.
2574 (main): Check for fips mode.
2575
2576 tests: Transient DSA keys work in FIPS mode.
2577 + commit 83893f3f77da986951be98306a82238c97522bc1
2578 * tests/pubkey.c (check_run): Enable tests with DSA transient keys which
2579 work in FIPS.
2580
2581 tests: Skip secmem overflow test in FIPS mode.
2582 + commit 6df523bfb095bf4c3d9dc6a0699fefcdfc6cd594
2583 * tests/t-secmem.c (main): Skip overflow tests in FIPS mode because they
2584 are fatal and there is no way to override the outofcore handler.
2585
2586 tests: Expect the 192b ECDSA tests to fail in fips mode.
2587 + commit d2a26b30b5dbfa7b26a606e5b2fe5c238ab1afa1
2588 * tests/dsa-rfc6979.c (check_dsa_rfc6979): Expect ECDSA 192b keys to
2589 fail in FIPS mode.
2590 (main): Detect FIPS mode.
2591
2592 tests: Expect curves 25519/448 to fail in FIPS mode.
2593 + commit 3026148331523ec7ca81031339b5629431cafa23
2594 * tests/t-cv25519.c (test_cv_hl): Expect the operation to fail in FIPS
2595 mode.
2596 (test_cv_x25519, test_it): Ditto.
2597 (main): Detect FIPS mode.
2598 * tests/t-ed25519.c (one_test): Expect the operation to fail in FIPS
2599 mode.
2600 (main): Detect FIPS mode.
2601 * tests/t-ed448.c (one_test): Expect the operation to fail in FIPS
2602 mode.
2603 (main): Detect FIPS mode.
2604 * tests/t-x448.c (test_cv_hl): Expect the operation to fail in FIPS
2605 mode.
2606 (test_cv_x448, test_cv): Ditto.
2607 (main): Detect FIPS mode.
2608
2609 tests: Skip unsupported mechanisms in FIPS mode.
2610 + commit 55dbac435c5ba31ef140f72ce997662e5f9fe55b
2611 * tests/bench-slope.c (cipher_bench_one): Skip GCM mode in FIPS mode.
2612 (ecc_algo_fips_allowed): New function.
2613 (_ecc_bench): Skip algorithms disabled in FIPS mode.
2614 (main): Check for FIPS mode.
2615 * tests/benchmark.c (cipher_bench): Skip GCM in FIPS mode.
2616
2617 tests: Do not expect GCM to work in FIPS.
2618 + commit f56a33df60dcce78c2b1aa5aeeee64549a26a0ce
2619 * tests/basic.c (check_one_cipher_core): Expect GCM ciphers to fail in
2620 FIPS mode.
2621 (check_cipher_modes): Skip GCM ciphers tests as they fail quite late
2622 in gcry_cipher_gettag().
2623
2624 mac: Disable AES GMAC in FIPS mode.
2625 + commit aa1e9ebf8bdbe6ed27c8667dbe4e1a69713210a5
2626 * cipher/mac-gmac.c (_gcry_mac_type_spec_gmac_aes): Remove FIPS flag.
2627
2628 2021-07-29 NIIBE Yutaka <gniibe@fsij.org>
2629
2630 hwfeatures: Enable hardware support also in FIPS mode.
2631 + commit 70e6cec07d86332f1aaf7a69bec75c7138306f6a
2632 * src/hwfeatures.c (_gcry_detect_hw_features): Remove skipping in FIPS
2633 mode.
2634
2635 cipher: Support internal hashing for DSA and ECDSA signing.
2636 + commit 4a3e71403225bd60a96d6747a8141a268bedda78
2637 * cipher/dsa-common.c (_gcry_dsa_compute_hash): New.
2638 * cipher/pubkey-internal.h (_gcry_dsa_compute_hash): New.
2639 * cipher/dsa.c (verify): Add FLAGS and HASHALGO.
2640 (test_keys): Follow the change of verify API.
2641 (sign, verify): Support PUBKEY_FLAG_PREHASH flag to hash internally.
2642 (selftest_sign): Test with "prehash" flag.
2643 * cipher/ecc-common.h (_gcry_ecc_ecdsa_verify): Add FLAGS and
2644 HASHALGO.
2645 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Support
2646 PUBKEY_FLAG_PREHASH flag to hash internally.
2647 (_gcry_ecc_ecdsa_verify): Likewise.
2648 * cipher/ecc.c (test_keys): Follow the change of
2649 _gcry_ecc_ecdsa_verify API.
2650 (selftest_sign): Test with "prehash" flag.
2651 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support handling
2652 of "hash-algo" and "value" with "prehash" flag.
2653
2654 2021-07-23 NIIBE Yutaka <gniibe@fsij.org>
2655
2656 cipher: Support internal hashing for RSA-PSS.
2657 + commit 877be1bf9df0b4e9aed9036db1592a64582a4bac
2658 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support
2659 "hash-algo" with "value" for internal hashing with RSA-PSS.
2660 * tests/basic.c (check_pubkey_sign): Add test cases.
2661
2662 cipher: Extend RSA-PSS internal function for verify, too.
2663 + commit 285b4cb70df1553c60fb5da6c94e1106694d4f9e
2664 * cipher/pubkey-internal.h (_gcry_rsa_pss_verify): Support internal
2665 hashing.
2666 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Use opaque MPI for
2667 RSA-PSS.
2668 * cipher/rsa-common.c (_gcry_rsa_pss_verify): Support internal
2669 hashing.
2670 * cipher/rsa.c (rsa_verify): Allow opaque MPI for RSA-PSS.
2671
2672 cipher: Extend RSA-PSS internal function.
2673 + commit 51307b1ceaa752d5a737b06ab0217d310faea403
2674 * cipher/pubkey-internal.h (_gcry_rsa_pss_encode): Change the API.
2675 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Follow the change.
2676 * cipher/rsa-common.c (_gcry_rsa_pss_encode): Support internal hashing.
2677
2678 cipher: Check by caller instead, not by callee for RSA-PSS.
2679 + commit 652e115e10f2bd53d1e1fbe161c2528f4ca89012
2680 * cipher/pubkey-internal.h (_gcry_rsa_pss_encode): Change the API.
2681 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Before the call to
2682 _gcry_rsa_pss_encode, check the condition here, raise GPG_ERR_INV_ARG
2683 if it's not good.
2684 * cipher/rsa-common.c (_gcry_rsa_pss_encode): No check inside.
2685
2686 2021-07-15 NIIBE Yutaka <gniibe@fsij.org>
2687
2688 hmac: Use xfree.
2689 + commit db9f7abb7af7b5c5bc2ec356c614a5cdb88d75a6
2690 * src/hmac256.c [STANDALONE] (xfree): Define.
2691 (_gcry_hmac256_new, _gcry_hmac256_release): Use xfree.
2692 (_gcry_hmac256_file): Likewise.
2693
2694 2021-07-07 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2695
2696 tests/basic: use SHA256 instead of RMD160 for SHAKE extract testing.
2697 + commit b98ca3f798abd17696f52163665204c4e83d9092
2698 * tests/basic.c (check_one_md): Use GCRY_MD_SHA256 as 'crcalgo' for
2699 SHAKE128/SHAKE256 testing.
2700
2701 2021-07-07 NIIBE Yutaka <gniibe@fsij.org>
2702
2703 tests: Fix tests/basic.c for FIPS mode.
2704 + commit ccb076e8aabb9c49e7026258b3a36a8422f6bbe4
2705 * tests/basic.c (main): Use bare gcry_control for
2706 GCRYCTL_FORCE_FIPS_MODE.
2707
2708 tests: Skip unavailable ciphers in FIPS mode.
2709 + commit 61c87070abc4baeb9d847db015e6a3031f349483
2710 * tests/basic.c (_check_poly1305_cipher)
2711 (check_ocb_cipher_largebuf_split): Skip unavailable ciphers when
2712 IN_FIPS_MODE.
2713 (check_ocb_cipher_checksum, check_gost28147_cipher_basic): Likewise.
2714
2715 2021-07-07 NIIBE Yutaka <gniibe@fsij.org>
2716 Jakub Jelen <jjelen@redhat.com>
2717
2718 tests: Fix messages to STDERR when FIPS mode is enabled.
2719 + commit 297d31294333f39201ae6f387108300b311bedd1
2720 * tests/basic.c (check_digests): Emit message when IN_FIPS_MODE.
2721 (check_hmac, check_mac): Likewise.
2722
2723 2021-07-05 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2724
2725 rijndael-s390x: fix UBSAN warning on using index beyond end of array.
2726 + commit 4b76fa6a1f924a56d2a8c323a9c2d95de763d0dc
2727 * cipher/rijndael-s390x.c (aes_s390x_ocb_get_l): New.
2728 (aes_s390x_ocb_enc, aes_s390x_ocb_dec, aes_s390x_ocb_auth): Use
2729 'aes_s390x_ocb_get_l'.
2730
2731 2021-07-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2732
2733 ec: add zSeries/s390x accelerated scalar multiplication.
2734 + commit 69fdcb5433236c4fc5d24c1dcc269424a088086c
2735 * cipher/asm-inline-s390x.h (PCC_FUNCTION_*): New.
2736 (pcc_query, pcc_scalar_multiply): New.
2737 * mpi/Makefile.am: Add 'ec-hw-s390x.c'.
2738 * mpi/ec-hw-s390x.c: New.
2739 * mpi/ec-internal.h (_gcry_s390x_ec_hw_mul_point)
2740 (mpi_ec_hw_mul_point): New.
2741 * mpi/ec.c (_gcry_mpi_ec_mul_point): Call 'mpi_ec_hw_mul_point'.
2742 * src/g10lib.h (HWF_S390X_MSA_9): New.
2743 * src/hwf-s390x.c (s390x_features): Add MSA9.
2744 * src/hwfeatures.c (hwflist): Add 's390x-msa-9'.
2745
2746 tests/t-mpi-point: add one more NIST P-256 reduction test-vector.
2747 + commit 3f4a59299134c6804c5d29fb3f275ea0e04ac8ac
2748 * tests/t-mpi-point.c (check_ec_mul_reduction): Add second NIST P-256
2749 test vector from T5510.
2750
2751 2021-07-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2752
2753 bench-slope: add X25519 and X448 scalar multiplication.
2754 + commit 9911069388e762d2a85bc2a11ca6cfcc4c895e4f
2755 * tests/bench-slope.c (ECC_ALGO_X25519, ECC_ALGO_X448): New.
2756 (ecc_algo_name, ecc_algo_curve, ecc_nbits): Add X25519 and X448.
2757 (bench_ecc_mult_do_bench): Pass Y as NULL to ec_get_affine with
2758 X25519 and X448.
2759 (cipher_ecc_one): Run only multiplication bench for X25519 and X448.
2760
2761 mpi: optimizations for MPI scanning and printing.
2762 + commit 2fcac487069f9e40ff30366546624a8aff355b55
2763 * mpi/mpicoder.c (mpi_read_from_buffer): Add word-size buffer
2764 reading loop using 'buf_get_be(32|64)'.
2765 (mpi_fromstr): Use look-up tables for HEX conversion; Add fast-path
2766 loop for converting 8 hex-characters at once; Add string length
2767 parameter.
2768 (do_get_buffer): Use 'buf_put_be(32|64)' instead of byte writes; Add
2769 fast-path for reversing buffer with 'buf_get_(be64|be32|le64|le32)'.
2770 (_gcry_mpi_set_buffer): Use 'buf_get_be(32|64)' instead of byte reads.
2771 (twocompl): Use _gcry_ctz instead of open-coded if-clauses to get
2772 first bit set; Add fast-path for inverting buffer with
2773 'buf_get_(he64|he32)'.
2774 (_gcry_mpi_scan): Use 'buf_get_be32' where possible; Provide string
2775 length to 'mpi_fromstr'.
2776 (_gcry_mpi_print): Use 'buf_put_be32' where possible; Use look-up
2777 table for HEX conversion; Add fast-path loop for converting to
2778 8 hex-characters at once.
2779 * tests/t-convert.c (check_formats): Add new tests for larger values.
2780
2781 mpi/ec: cache converted field_table MPIs.
2782 + commit ef676b9c14da1c45db8f8538b740a8bbf603652d
2783 * mpi/ec.c (field_table_mpis): New.
2784 (ec_p_init): Cache converted field table MPIs.
2785
2786 mpi_ec_get_affine: fast path for Z==1 case.
2787 + commit 38d80fdfddd027fe87bf5508e453d3e2cdbaa337
2788 * mpi/ec.c (_gcry_mpi_ec_get_affine): Return X and Y as is
2789 if Z is 1 (for Weierstrass and Edwards curves).
2790
2791 tests/t-mpi-point: add reduction test-vectors for secp256k1.
2792 + commit 1652377763892213fa2cd53aa64884934b2c900f
2793 * tests/t-mpi-point.c (check_ec_mul_reduction): Add secp256k1 test
2794 vectors.
2795
2796 2021-06-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2797
2798 ec-nist: fix 'mod p' carry adjustment and output masking.
2799 + commit fc92c609dfdbcf59a09ca3aaf53a1c1b8408c351
2800 * mpi/ec-inline.h (MASK_AND64, LIMB_OR64): New.
2801 [__x86_64__]: Use "rme" operand type instead of "g" to fix use
2802 of large 32-bit constants.
2803 * mpi/ec-nist.c (_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
2804 (_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): At end,
2805 check if 's[]' is negative instead result of last addition, for
2806 output masks; Use 'p_mult' table entry for P instead of 'ctx->p'.
2807 (_gcry_mpi_ec_nist256_mod): Handle corner case where 2*P needs to be
2808 added after carry based subtraction.
2809 * tests/t-mpi-point.c (check_ec_mul_reduction): New.
2810 (main): Call 'check_ec_mul_reduction'.
2811
2812 2021-06-19 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2813
2814 mpi/ec: add fast reduction for secp256k1.
2815 + commit 6dfab8cfb94ccb485a15b13df3c499cbb06fddf2
2816 * mpi/ec.c (ec_secp256k1_mod): New.
2817 (field_table): Add 'secp256k1'.
2818 * tests/t-mpi-point.c (check_ec_mul): Add secp256k1 test vectors.
2819
2820 mpi/ec: add fast reduction functions for NIST curves.
2821 + commit 9d909cb67e70fd792926ac1e2ab305b2cc96bc27
2822 * configure.ac (ASM_DISABLED): New.
2823 * mpi/Makefile.am: Add 'ec-nist.c' and 'ec-inline.h'.
2824 * mpi/ec-nist.c: New.
2825 * mpi/ec-inline.h: New.
2826 * mpi/ec-internal.h (_gcry_mpi_ec_nist192_mod)
2827 (_gcry_mpi_ec_nist224_mod, _gcry_mpi_ec_nist256_mod)
2828 (_gcry_mpi_ec_nist384_mod, _gcry_mpi_ec_nist521_mod): New.
2829 * mpi/ec.c (ec_addm, ec_subm, ec_mulm, ec_mul2): Use
2830 'ctx->mod'.
2831 (field_table): Add 'mod' function; Add NIST reduction
2832 functions.
2833 (ec_p_init): Setup ctx->mod; Setup function pointers
2834 from field_table only if pointer is not NULL; Resize
2835 ctx->a and ctx->b only if set.
2836 * mpi/mpi-internal.h (RESIZE_AND_CLEAR_IF_NEEDED): New.
2837 * mpi/mpiutil.c (_gcry_mpi_resize): Clear all unused
2838 limbs also in realloc case.
2839 * src/ec-context.h (mpi_ec_ctx_s): Add 'mod' function.
2840
2841 mpi/ec: small optimization for ec_mulm_448.
2842 + commit ccfa9f2c1427b40483984198c3df41f8057f69f8
2843 * mpi/ec.c (ec_addm_448, ec_subm_448): Change order of sub_n and
2844 set_cond to remove need to clear 'n'.
2845 (ec_mulm_448): Use memcpy where possible; Use mpih_rshift where
2846 possible; Use mpih_lshift for doubling a3; Remove one addition
2847 at end.
2848
2849 mpi/ec: small optimization for ec_mulm_25519.
2850 + commit 9c12226c31d4fed4942c049724591a82c4428408
2851 * mpi/ec.c (ec_addm_25519): Remove one addition.
2852 (ec_subm_25519): Change order of add_n and set_cond to remove
2853 need to clear 'n'.
2854 (ec_mulm_25519): Avoid extra memory copies; Use _gcry_mpih_addmul_1
2855 for multiplying by 19 and adding; Remove one addition at end.
2856
2857 mpi/longlong.h: fix missing macro parameter parentheses.
2858 + commit 9722da5bfc4a519365f081b75319e96c4dd238f2
2859 * mpi/longlong.h [__alpha] (umul_ppmm): Add parentheses around
2860 used parameters.
2861 [__i370__] (sdiv_qrnnd): Ditto.
2862 [__mips__] (umul_ppmm): Ditto.
2863 [__vax__] (sdiv_qrnnd): Ditto.
2864
2865 tests/t-mpi-point: add NIST curve multiplication test vectors.
2866 + commit a0871a1e817f49e81b36b52e6b629f044bbd902e
2867 * tests/t-mpi-point.c (mpi_base10_scan, check_ec_mul): New.
2868 (main): Call 'check_ec_mul'.
2869
2870 tests/bench-slope: add ECC benchmarking.
2871 + commit 57cf83834bc00a7431378aabda692bf700e4876c
2872 * tests/bench-slope.c (bench_print_result_nsec_per_iteration): New.
2873 (bench_print_header_nsec_per_iteration): New.
2874 (kdf_bench_one, kdf_bench): Use new print helper functions.
2875 [USE_ECC]: New ECC benchmarks.
2876 (ecc_bench): New.
2877 (print_help): Add 'ecc' option.
2878 (main): Add ECC benchmarks.
2879
2880 tests/benchmark: add benchmark for Ed448.
2881 + commit b53abf7905e05c39a2bdeffb77414458d2697d89
2882 * tests/benchmark.c (ecc_bench): Add Ed448.
2883
2884 2021-06-17 Werner Koch <wk@gnupg.org>
2885
2886 ecc: Fix bug in gcry_pk_get_param for Curve25519.
2887 + commit 692e9b1935ed4ad9517077c1f87da41ddefb9937
2888 * cipher/ecc-curves.c (_gcry_ecc_get_param_sexp): Simplify.
2889
2890 * cipher/pubkey.c (map_algo): Also map EDDSA to ECC.
2891 * tests/curves.c (check_get_params): Add simple param lookup tests
2892 for all curves.
2893
2894 2021-06-16 Johannes Schindelin via Gcrypt-devel <gcrypt-devel@gnupg.org>
2895
2896 build: Fix broken mlock detection.
2897 + commit 66ff25ed4a8fd0c6897d8b18600be483c90ee436
2898 * acinclude.m4 [GNUPG_CHECK_MLOCK]: Use size_t for the ptr test.
2899
2900 2021-06-02 Werner Koch <wk@gnupg.org>
2901
2902 cipher: Extend convenience OID mapping table for AES.
2903 + commit 585f153e1f741c1952c8e8c1a7f3a89a1e641572
2904 * cipher/rijndael.c: Add OIDs for GCM and CCM.
2905
2906 Minor tweak to gcry_free.
2907 + commit b6de4080a97385423b6a78fd400606d31093806f
2908 * src/global.c (_gcry_free): Avoid setting errno again if it did not
2909 change.
2910
2911 2021-06-01 NIIBE Yutaka <gniibe@fsij.org>
2912
2913 random: Silence a warning for building rndjent by Clang.
2914 + commit f6a4e22d86d2e2e03d164ec6515bb662eb762ef3
2915 * random/jitterentropy-base.c: Conditionalize by __OPTIMIZE__.
2916
2917 2021-05-27 NIIBE Yutaka <gniibe@fsij.org>
2918
2919 build: _DARWIN_C_SOURCE should be 1.
2920 + commit b9a14725ec13747dab1d96658b2f7ce09b1ec874
2921 * configure.ac (*-apple-darwin*): Set _DARWIN_C_SOURCE 1.
2922
2923 2021-05-26 NIIBE Yutaka <gniibe@fsij.org>
2924
2925 cipher: Fix ElGamal encryption for other implementations.
2926 + commit 632d80ef30e13de6926d503aa697f92b5dbfbc5e
2927 * cipher/elgamal.c (gen_k): Remove support of smaller K.
2928 (do_encrypt): Never use smaller K.
2929 (sign): Follow the change of gen_k.
2930
2931 2021-05-17 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
2932
2933 cipher: Fix memory leaks for EdDSA.
2934 + commit 14bb6d4ea0dcb4db008057df93396d105d4a8672
2935 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Initialize point Q when used.
2936
2937 2021-05-17 H.J. Lu <hjl.tools@gmail.com>
2938
2939 Always include <config.h> in cipher assembly codes.
2940 + commit a1f5d87ed49beaab2e4754532b84bd201ef3f68c
2941 * cipher/poly1305-s390x.S: Always include <config.h>.
2942
2943 2021-05-06 NIIBE Yutaka <gniibe@fsij.org>
2944
2945 ecc: Fix the input length check for Montgomery curve.
2946 + commit 5f814e8a4968c01a7ffc7762bcaf3ce040594caf
2947 * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition.
2948
2949 2021-04-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2950
2951 hwf-x86: fix use of wrong operand type.
2952 + commit ec87511d9cd2dc31434e939b6351d74a38d4ceaa
2953 * src/hwf-x86.c (get_cpuid): Use xchg for swapping %ebx back
2954 and forth between operand register.
2955
2956 2021-04-27 NIIBE Yutaka <gniibe@fsij.org>
2957
2958 ecc: Check the input length for the point.
2959 + commit 060c378c050e7ec6206358c681a313d6e1967dcf
2960 * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length
2961 of valid point representation.
2962
2963 2021-04-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
2964
2965 keccak: add hash_buffers functions for SHAKE128 & SHAKE256.
2966 + commit e866c01e645d35475614d892665ac1c09513156d
2967 * cipher/keccak.c (_gcry_shake128_hash_buffers)
2968 (_gcry_shake256_hash_buffers): New.
2969 (_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): Add
2970 hash_buffers pointer.
2971
2972 hash_buffers: add output length param for XOF support.
2973 + commit eb96baf28473302b3d78187de92eb10093919f18
2974 * src/cipher-proto.h (gcry_md_hash_buffers_t): Add nbytes parameter
2975 for outbuf size for XOF algorithms.
2976 * cipher/md.c (_gcry_md_hash_buffer)
2977 (_gcry_md_hash_buffers_extract): Adjust for spec->hash_buffers
2978 parameter change.
2979 * cipher/keccak.c (_gcry_sha3_hash_buffers): Add nbytes parameter and
2980 handling for XOF output.
2981 * cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Add nbytes parameter for
2982 hash_buffers.
2983 * cipher/rmd160.c (_gcry_rmd160_hash_buffers): Add nbytes parameter.
2984 * cipher/sha1.c (_gcry_sha1_hash_buffers): Add nbytes parameter.
2985 (_gcry_sha1_hash_buffer): Pass nbytes to _gcry_sha1_hash_buffers.
2986 * cipher/sha256.c (_gcry_sha256_hash_buffers)
2987 (_gcry_sha224_hash_buffers): Add nbytes parameter.
2988 * cipher/sha512.c (_gcry_sha512_hash_buffers)
2989 (_gcry_sha384_hash_buffers, _gcry_sha512_256_hash_buffers)
2990 (_gcry_sha512_224_hash_buffers): Add nbytes parameter.
2991 * cipher/sm3.c (_gcry_sm3_hash_buffers): Add nbytes parameter.
2992
2993 md: remove hash_buffer function from algorithms.
2994 + commit 580ae61db5fe47b558135c2c794fd72c2680fa20
2995 * cipher/md.c (_gcry_md_hash_buffer): Remove use of
2996 'spec->hash_buffer'.
2997 * cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Remove *_hash_buffer.
2998 * cipher/crc.c: Remove spec hash_buffer NULL pointers.
2999 * cipher/gostr3411-94.c: Remove spec hash_buffer NULL pointers.
3000 * cipher/keccak.c (_gcry_sha3_hash_buffer)
3001 (_gcry_sha3_224_hash_buffer, _gcry_sha3_256_hash_buffer): Remove.
3002 (_gcry_sha3_384_hash_buffer, _gcry_sha3_512_hash_buffer): Remove.
3003 * cipher/md2.c: Remove spec hash_buffer NULL pointers.
3004 * cipher/md4.c: Remove spec hash_buffer NULL pointers.
3005 * cipher/md5.c: Remove spec hash_buffer NULL pointers.
3006 * cipher/rmd160.c (_gcry_rmd160_hash_buffer): Remove.
3007 * cipher/sha1.c (_gcry_sha1_hash_buffer): Rewrite using
3008 _gcry_sha1_hash_buffers.
3009 (_gcry_sha1_hash_buffers): Make static.
3010 (_gcry_digest_spec_sha1): Remove hash_buffer pointer.
3011 * cipher/sha256.c (_gcry_sha256_hash_buffer)
3012 (_gcry_sha224_hash_buffer): Remove.
3013 (_gcry_sha256_hash_buffers): Make static.
3014 * cipher/sha512.c (_gcry_sha512_hash_buffer)
3015 (_gcry_sha384_hash_buffer, _gcry_sha512_256_hash_buffer)
3016 (_gcry_sha512_224_hash_buffer): Remove.
3017 (_gcry_sha512_hash_buffers): Make static.
3018 * cipher/sm3.c (_gcry_sm3_hash_buffer): Remove.
3019 (_gcry_sm3_hash_buffers): Make static.
3020 * cipher/stribog.c: Remove spec hash_buffer NULL pointers.
3021 * cipher/tiger.c: Remove spec hash_buffer NULL pointers.
3022 * cipher/whirlpool.c: Remove spec hash_buffer NULL pointers.
3023 * src/cipher-proto.h (gcry_md_hash_buffer_t): Remove.
3024 (gcry_md_spec_t): Remove 'hash_buffer'.
3025 * src/cipher.h (_gcry_rmd160_hash_buffer, _gcry_sha1_hash_buffers)
3026 (_gcry_sha256_hash_buffer, _gcry_sha256_hash_buffers)
3027 (_gcry_sha512_hash_buffer, _gcry_sha512_hash_buffers)
3028 (_gcry_sm3_hash_buffer, _gcry_sm3_hash_buffers): Remove.
3029
3030 Add XOF output support for internal _gcry_md_hash_buffers.
3031 + commit f53d541d0947a894e6f09b4568658a859505a649
3032 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d, _gcry_ecc_eddsa_sign)
3033 (_gcry_ecc_eddsa_verify): Use same _gcry_md_hash_buffers_extract code
3034 path for SHA512 and SHAKE256.
3035 * cipher/md.c (_gcry_md_hash_buffers): Rename to ...
3036 (_gcry_md_hash_buffers_extract): ... this; Add digestlen and handling
3037 for XOF algorithms (SHAKE128, SHAKE256).
3038 (_gcry_md_hash_buffers): New.
3039 * src/gcrypt-int.h (_gcry_md_hash_buffers_extract): New.
3040
3041 Use memset for constant length wipememory2.
3042 + commit 4770ad72607f73b9d529511c687556a6b4109875
3043 * src/g10lib.h (fast_wipememory2_inline): New.
3044 (wipememory2): Use 'fast_wipememory2_inline', remove 'fast_wipememory2'
3045 use; Use _gcry_fast_wipememory* when _len or _set is not constant.
3046 (fast_wipememory_s, fast_wipememory2): Remove.
3047
3048 2021-04-19 Werner Koch <wk@gnupg.org>
3049
3050 Release 1.9.3.
3051 + commit cb78627203705365d24b48ec4fc4cf2fc804b277
3052
3053
3054 2021-04-15 NIIBE Yutaka <gniibe@fsij.org>
3055 Jakub Jelen <jjelen@redhat.com>
3056
3057 cipher: Fix memory leaks for EdDSA.
3058 + commit a8d6c6c1b258548260748eefba0532fd35c8ce47
3059 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Free the point Q.
3060 (_gcry_ecc_eddsa_verify): Avoid memory leaks for points and MPIs.
3061
3062 2021-04-13 NIIBE Yutaka <gniibe@fsij.org>
3063
3064 api: Avoid use of C99 feature.
3065 + commit 9c42db0b379c277ee976fcc696e84e31863a85a8
3066 * src/gcrypt.h.in (enum gcry_md_algos): Remove last comma.
3067
3068 random: Fix for iOS.
3069 + commit 0007f889bda884e40459ad86f13b6cd8b14c91df
3070 * random/rndlinux.c [TARGET_OS_IPHONE]: Don't define HAVE_GETENTROPY.
3071
3072 cipher: Hardening ElGamal by introducing exponent blinding too.
3073 + commit e8b7f10be275bcedb5fc05ed4837a89bfd605c61
3074 * cipher/elgamal.c (do_encrypt): Also do exponent blinding.
3075
3076 2021-04-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3077
3078 mpi: harden add_n_cond, sub_n_cond and abs_cond against EM leakage.
3079 + commit 9bc3d8de6e2a8cdef37c118f0a70376ed777eeee
3080 * mpi/mpih-const-time.c (_gcry_mpih_add_n_cond)
3081 (_gcry_mpih_sub_n_cond): Always perform calculation with both UP and
3082 VP; Use two masks for selecting output.
3083 (_gcry_mpih_abs_cond): Always calculate absolute value of UP; Use
3084 two masks for selecting output.
3085
3086 mpi: harden set_cond functions against EM leakage.
3087 + commit c7c25b6e6e6b52bbed26d8016145c404eb118f19
3088 * mpi/mpih-const-time.c (_gcry_mpih_set_cond): Use two masks for
3089 selecting output.
3090 * mpi/mpiutil.c (_gcry_mpi_set_cond): Use two masks for selecting
3091 output.
3092
3093 mpi: harden swap_cond functions against EM leakage.
3094 + commit 1266f5bb02b7f76f2e4697ecfb85ef19c2ae04a9
3095 * mpi/mpih-const-time.c (vzero, vone): New.
3096 (_gcry_mpih_swap_cond): Use two masks for selecting output.
3097 * mpi/mpiutil.c (vzero, vone): New.
3098 (_gcry_mpi_swap_cond): Use two masks for selecting output.
3099
3100 2021-04-02 NIIBE Yutaka <gniibe@fsij.org>
3101
3102 cipher: Return GPG_ERR_INV_KEYLEN when wrong key length.
3103 + commit 840713de1a685920b6b1e1379902d545eccc74cf
3104 * cipher/idea.c (do_setkey): Return GPG_ERR_INV_KEYLEN.
3105 * cipher/rfc2268.c (setkey_core): Likewise.
3106 * cipher/serpent.c (serpent_setkey_internal): Likewise.
3107 (serpent_setkey): Likewise.
3108
3109 2021-04-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3110
3111 cipher-gcm-ppc: add big-endian support.
3112 + commit aaa30381eac3cdb49a21e279b2d89ef6e695a138
3113 * cipher/cipher-gcm-ppc.c (ALIGNED_16): New.
3114 (vec_store_he, vec_load_he): Remove WORDS_BIGENDIAN ifdef.
3115 (vec_dup_byte_elem): New.
3116 (_gcry_ghash_setup_ppc_vpmsum): Match function declaration with
3117 prototype in cipher-gcm.c; Load C2 with VEC_LOAD_BE; Use
3118 vec_dup_byte_elem; Align constants to 16 bytes.
3119 (_gcry_ghash_ppc_vpmsum): Match function declaration with
3120 prototype in cipher-gcm.c; Align constant to 16 bytes.
3121 * cipher/cipher-gcm.c (ghash_ppc_vpmsum): Return value from
3122 _gcry_ghash_ppc_vpmsum.
3123 * cipher/cipher-internal.h (GCM_USE_PPC_VPMSUM): Remove requirement
3124 for !WORDS_BIGENDIAN.
3125
3126 mpi/aarch64: use C_SYMBOL_NAME for assembly function names.
3127 + commit 1cf5a568f2b2f2c3d83c154cdcf5a40aa1f83c50
3128 * mpi/aarch64/mpih-add1.S: Add missing C_SYMBOL_NAME.
3129 * mpi/aarch64/mpih-mul1.S: Add missing C_SYMBOL_NAME.
3130 * mpi/aarch64/mpih-mul2.S: Add missing C_SYMBOL_NAME.
3131 * mpi/aarch64/mpih-mul3.S: Add missing C_SYMBOL_NAME.
3132 * mpi/aarch64/mpih-sub1.S: Add missing C_SYMBOL_NAME.
3133
3134 2021-03-31 NIIBE Yutaka <gniibe@fsij.org>
3135
3136 build: Update gpg-error.m4.
3137 + commit d2b3d046fc66a3166dc0c003a430ce756532ff74
3138 * m4/gpg-error.m4: Update from libgpg-error.
3139
3140 2021-03-30 NIIBE Yutaka <gniibe@fsij.org>
3141
3142 build: Fix for make distcheck, no EPS support.
3143 + commit 35917373d64521d9c0d33b5fa9b60abd28964dd4
3144 * Makefile.am (AM_DISTCHECK_DVI_TARGET): Specify 'pdf'.
3145 * doc/Makefile.am (EXTRA_DIST, BUILT_SOURCES): Remove .eps files.
3146
3147 ecc: Fix the regression of gcry_mpi_ec_add.
3148 + commit 45e88b8ec6dfbd8f981ca89ded80ef48eca6f0e9
3149 * mpi/ec.c (_gcry_mpi_ec_point_resize): Export the routine
3150 for internal use.
3151 (add_points_edwards, _gcry_mpi_ec_mul_point): Use mpi_point_resize.
3152 * src/gcrypt-int.h (_gcry_mpi_ec_point_resize): Declare.
3153
3154 * src/visibility.c (gcry_mpi_ec_dup, gcry_mpi_ec_add): Make sure of
3155 the limb size before calling the internal functions.
3156 (gcry_mpi_ec_sub): Likewise.
3157
3158 2021-03-25 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3159
3160 rijndael-s390x: fix checksum calculation in OCB decryption.
3161 + commit 68bb0ddc5504c9c0f3f52259a4085bb2fc1a02ad
3162 * cipher/rijndael-s390x.c (aes_s390x_ocb_dec): Calculate checksum
3163 after decryption instead of inlining.
3164
3165 tests/basic: OCB large buffer check: make input buffer non-repeatable.
3166 + commit 21c273cecfd58408b8d3287f5bc8c246c3010313
3167 * tests/basic.c (check_ocb_cipher_largebuf_split): Use SHA1 to
3168 initialize input buffer.
3169 (check_ocb_cipher): Update largebuf test vectors.
3170
3171 tests/basic: add decryption check to check_ocb_cipher_checksum.
3172 + commit 56da81ac47209dc41af08a129f5e0c15538261b2
3173 * tests/basic.c (check_ocb_cipher_checksum): Add decryption.
3174
3175 2021-03-25 NIIBE Yutaka <gniibe@fsij.org>
3176
3177 build: Remove intermediate PDF files from EXTRA_DIST.
3178 + commit 52f6e95159885431f3c7e9f64290d0132ca547ef
3179 * doc/Makefile.am (EXTRA_DIST): Remove PDF files.
3180 (BUILT_SOURCES): Likewise.
3181
3182 2021-03-24 Werner Koch <wk@gnupg.org>
3183
3184 ecc: Fix keygrip computation for compressed points.
3185 + commit c8c38757c428871af980a548bc38f38e5d9238d1
3186 * cipher/ecc-misc.c (_gcry_ecc_ec2os): Factor most code out to ...
3187 (_gcry_ecc_ec2os_buf): New.
3188 * cipher/ecc.c (compute_keygrip): Handle compressed keys.
3189 * tests/keygrip.c: Add new tests.
3190
3191 2021-03-07 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3192
3193 Compile arch specific GCM implementations only on target arch.
3194 + commit 43302b960f546fd60ed7fefb2b0404ee69491e93
3195 * cipher/Makefile.am: Move arch specific 'cipher-gcm-*.[cS]' files
3196 from libcipher_la_SOURCES to EXTRA_libcipher_la_SOURCES.
3197 * configure.ac: Add 'cipher-gcm-intel-pclmul.lo' and
3198 'cipher-gcm-arm*.lo'.
3199
3200 configure.ac: fix digest implementations going to cipher list.
3201 + commit 8892510bb8f45438144a7449440fcb32ae4c5f7b
3202 * configure.ac: Add 'crc-arm*.lo', 'crc-ppc.lo', 'sha*-ppc.lo' to
3203 GCRYPT_DIGESTS instead of GCRYPT_CIPHERS.
3204
3205 cipher-gcm-ppc: tweak for better performance.
3206 + commit 760ef8baee06db5ce4da55eb5648e605aa511d2d
3207 * cipher/cipher-gcm-ppc.c (asm_xor, asm_mergelo, asm_mergehi)
3208 (vec_be_swap, vec_load_he, vec_store_he): New.
3209 (vec_load_be, vec_perm2, vec_aligned_st, vec_aligned_ld): Remove.
3210 (asm_vpmsumd, asm_swap_u64, vec_perm2, asm_rot_block_left)
3211 (asm_rot_block_right, asm_ashl_128, vec_aligned_ld)
3212 (_gcry_ghash_setup_ppc_vpmsum): Update 'bswap_const'.
3213 (_gcry_ghash_ppc_vpmsum): Update 'bswap_const'; Use 'asm_mergehi'
3214 and 'asm_mergelo' instead of vec_perm2; Use 'asm_xor' for
3215 fast path to enforce instruction ordering; Use 'vec_load_he' and
3216 'vec_be_swap' for big-endian loads.
3217
3218 2021-03-07 Shawn Landden <shawn@git.icu>
3219
3220 VPMSUMD acceleration for GCM mode on PPC.
3221 + commit 440332532a1c107e2baeafda5464e0707f634be1
3222 * cipher/Makefile.am: Add 'cipher-gcm-ppc.c'.
3223 * cipher/cipher-gcm-ppc.c: New.
3224 * cipher/cipher-gcm.c [GCM_USE_PPC_VPMSUM] (_gcry_ghash_setup_ppc_vpmsum)
3225 (_gcry_ghash_ppc_vpmsum, ghash_setup_ppc_vpsum, ghash_ppc_vpmsum): New.
3226 (setupM) [GCM_USE_PPC_VPMSUM]: Select ppc-vpmsum implementation if
3227 HW feature "ppc-vcrypto" is available.
3228 * cipher/cipher-internal.h (GCM_USE_PPC_VPMSUM): New.
3229 (gcry_cipher_handle): Move 'ghash_fn' to end of 'gcm' block to align
3230 'gcm_table' to 16 bytes.
3231 * configure.ac: Add 'cipher-gcm-ppc.lo'.
3232 * tests/basic.c (_check_gcm_cipher): New AES256 test vector.
3233 * AUTHORS: Add 'CRYPTOGAMS'.
3234 * LICENSES: Add original license to 3-clause-BSD section.
3235
3236 2021-03-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3237
3238 src/hwfeatures: add reminder about documenting new HW features.
3239 + commit 7c4c992fe96f781e387bd26a11b17e70a27aa3c0
3240 * src/hwfeatures.c (hwflist): Add comment about updating
3241 'doc/gcrypt.texi' with new HW features.
3242
3243 2021-03-06 Jakub Jelen <jjelen@redhat.com>
3244
3245 doc: Document newly added optimizations.
3246 + commit 49ab649c69951cd7b6d40d3527e21db51d93a207
3247 * doc/gcrypt.texi: Add HW features 'intel-vaes-vpclmul', 'ppc-vcrypto',
3248 'ppc-arch_3_00', 'ppc-arch_2_07', 's390x-msa', 's390x-msa-4',
3249 's390x-msa-8' and 's390x-vx'.
3250
3251 2021-03-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3252
3253 poly1305: make --disable-asm work on x86, aarch64 and ppc.
3254 + commit 2b84da922660918129c610f4d27cb5c510ab0489
3255 * cipher/poly1305.c [__aarch64__] (ADD_1305_64): Check for
3256 HAVE_CPU_ARCH_ARM.
3257 [__x86_64__] (ADD_1305_64): Check for HAVE_CPU_ARCH_X86.
3258 [__powerpc__] (ADD_1305_64): Check for HAVE_CPU_ARCH_PPC.
3259 [__i386__] (ADD_1305_32): Check for HAVE_CPU_ARCH_X86.
3260
3261 poly1305: fix compiling on i386 gcc-4.7.
3262 + commit bcb180190e8921356c039b0475fd71f2c45d986d
3263 * cipher/poly1305.c [__i386__]: Limit i386 variant of ADD_1305_32 to
3264 GCC-5 or newer.
3265
3266 cipher-gcm-intel-pclmul: fix compiling with i386 gcc-4.7.
3267 + commit d1fcf3975c57c5312890199832100c8c363d5b18
3268 * cipher/cipher-gcm-intel-pclmul.c (gcm_lsh): Pass '*pconst' instead of
3269 'pconst' to asm block.
3270
3271 2021-02-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3272
3273 rijndael: add x86_64 VAES/AVX2 accelerated implementation.
3274 + commit e72498a54fdead503fb0c1c93e2b747cd91e7681
3275 * cipher/Makefile.am: Add 'rijndael-vaes.c' and
3276 'rijndael-vaes-avx2-amd64.S'.
3277 * cipher/rijndael-internal.h (USE_VAES): New.
3278 * cipher/rijndael-vaes-avx2-amd64.S: New.
3279 * cipher/rijndael-vaes.c: New.
3280 * cipher/rijndael.c (_gcry_aes_vaes_cfb_dec, _gcry_aes_vaes_cbc_dec)
3281 (_gcry_aes_vaes_ctr_enc, _gcry_aes_vaes_ocb_crypt)
3282 (_gcry_aes_vaes_xts_crypt): New.
3283 (do_setkey) [USE_VAES]: Add detection for VAES.
3284 (selftest_ctr_128, selftest_cbc_128, selftest_cfb_128)
3285 [USE_VAES]: Increase number of selftest blocks.
3286 * configure.ac: Add 'rijndael-vaes.lo' and
3287 'rijndael-vaes-avx2-amd64.lo'.
3288
3289 rijndael-aesni: add 8-block parallel code path for XTS.
3290 + commit ffe1d53197031eeb65601c5aeafe55e78079a75e
3291 * cipher/rijndael-aesni.c (xts_gfmul_const): Fix array size from 16
3292 to 2.
3293 (_gcry_aes_aesni_xts_enc, _gcry_aes_aesni_xts_dec) [__x86_64__]: Add
3294 8-block parallel code paths.
3295
3296 camellia: add x86_64 VAES/AVX2 accelerated implementation.
3297 + commit 0e7e60241a0d054eae7a98116636a831ec6ccc97
3298 * cipher/Makefile.am: Add 'camellia-aesni-avx2-amd64.h' and
3299 'camellia-vaes-avx2-amd64.S'.
3300 * cipher/camellia-aesni-avx2-amd64.S: New, old content moved to...
3301 * cipher/camellia-aesni-avx2-amd64.h: ...here.
3302 (IF_AESNI, IF_VAES, FUNC_NAME): New.
3303 * cipher/camellia-vaes-avx2-amd64.S: New.
3304 * cipher/camellia-glue.c (USE_VAES_AVX2): New.
3305 (CAMELLIA_context): New member 'use_vaes_avx2'.
3306 (_gcry_camellia_vaes_avx2_ctr_enc, _gcry_camellia_vaes_avx2_cbc_dec)
3307 (_gcry_camellia_vaes_avx2_cfb_dec, _gcry_camellia_vaes_avx2_ocb_enc)
3308 (_gcry_camellia_vaes_avx2_ocb_dec)
3309 (_gcry_camellia_vaes_avx2_ocb_auth): New.
3310 (camellia_setkey): Check for HWF_INTEL_VAES.
3311 (_gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec)
3312 (_gcry_camellia_cfb_dec, _gcry_camellia_ocb_crypt)
3313 (_gcry_camellia_ocb_auth): Add USE_VAES_AVX2 code.
3314 * configure.ac: Add 'camellia-vaes-avx2-amd64.lo'.
3315
3316 hwf-x86: add "intel-vaes-vpclmul" HW feature.
3317 + commit eb404d8904532f6dca82421c952be286a1f4e11c
3318 * configure.ac (HAVE_GCC_INLINE_ASM_VAES_VPCLMUL): New.
3319 * src/g10lib.h (HWF_INTEL_VAES_VPCLMUL): New.
3320 * src/hwf-x86.c (detect_x86_gnuc): Check for VAES and VPCLMUL.
3321 * src/hwfeatures.c (hwflist): Add "intel-vaes-vpclmul".
3322
3323 2021-02-17 Werner Koch <wk@gnupg.org>
3324
3325 Release 1.9.2.
3326 + commit 24bd7e8215f7982b0c8db46fd87b47b370a52ec6
3327
3328
3329 2021-02-16 NIIBE Yutaka <gniibe@fsij.org>
3330
3331 build: Update gpg-error.m4.
3332 + commit 8e3cd4c4677c3b10ac6265a1b31f84c63c95cac4
3333 * m4/gpg-error.m4: Update from libgpg-error.
3334
3335 2021-02-12 NIIBE Yutaka <gniibe@fsij.org>
3336
3337 random: Fix build for macOS.
3338 + commit d78cdf42854b17e2216890e7b78f9e7e05c0b1f8
3339 * random/rndlinux.c [__APPLE__] (HAVE_GETENTROPY): Valid only when the
3340 macro __MAC_10_11 is available.
3341
3342 2021-02-08 Werner Koch <wk@gnupg.org>
3343
3344 tests: Fix minor glitches.
3345 + commit 82395f11b444651f544f5e51c62fc6b65c04f9ef
3346 * tests/basic.c (ALWAYS_INLINE): Make sure it is defined.
3347 * tests/version.c (main): Print the config info to stdout.
3348
3349 New test Makefile target xtestsuite.
3350 + commit ebc4d5670a1ada54ad907a4836eb8f6f573c2c38
3351 * tests/Makefile.am (xtestsuite, xcheck): New targets.
3352
3353 New test driver to allow for standalone regression tests.
3354 + commit b142da4c88deef4798ef96061dac399df3ddd73d
3355 * tests/testdrv.c: New.
3356
3357 2021-02-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3358
3359 sha256-avx2: fix reading beyond end of input buffer.
3360 + commit 24af2a55d862d45fe3aef6b5626a52d9bb0fb17e
3361 * cipher/sha256-avx2-bmi2-amd64.S
3362 (_gcry_sha256_transform_amd64_avx2): Use 'last block' code path if
3363 input length is only one block.
3364 * tests/basic.c (check_one_md_final): Use dynamically allocated buffer
3365 so that in future similar access errors get detected by
3366 tests/basic + valgrind.
3367
3368 ecc-ecdh: fix memory leak.
3369 + commit 289543544e41cd5fe90352c5c7548ac09da533cc
3370 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Free 'ec' at function exit.
3371
3372 tests: allow running 'make check' with ASAN.
3373 + commit f46a6bd9b3d7ef7d1a72c5b6da5cf34ace2ff156
3374 * tests/t-secmem.c (main): Skip test if environment variable
3375 GCRYPT_IN_ASAN_TEST is defined.
3376 * tests/t-sexp.c (main): Do not initialize secmem if environment
3377 variable GCRYPT_IN_ASAN_TEST is defined.
3378
3379 global: make sure that bulk config string is null-terminated.
3380 + commit 8716e4b2ada21456802aee67c2bc8edfec78f820
3381 * src/global.c (_gcry_get_config): Append null-terminator to output
3382 in the 'what == NULL' case.
3383
3384 Add handling for -Og with O-flag munging.
3385 + commit a71b7de32b0c7c41359335a488cfe4dd70c65121
3386 * cipher/Makefile.am (o_flag_munging): Add handling for '-Og'.
3387 * random/Makefile.am (o_flag_munging): Add handling for '-Og'.
3388
3389 jent: silence ubsan warning about signed overflow.
3390 + commit 6fc11291282a668839040c72a1d558a6ebbd4972
3391 * random/jitterentropy-base.c (jent_stuck): Cast 'delta2' values to
3392 'uint64_t' for calculation.
3393
3394 Fix ubsan warnings for i386 build.
3395 + commit 364e9e9d10503b36f98fbb1b489e00026f22c9d7
3396 * mpi/mpicoder.c (_gcry_mpi_set_buffer) [BYTES_PER_MPI_LIMB == 4]: Cast
3397 "*p--" values to mpi_limb_t before left shifting.
3398 * tests/t-lock.c (main): Cast 'time(NULL)' to unsigned type.
3399
3400 Fix building with --disable-asm on x86.
3401 + commit af23ab5c5482d625ff52e60606cf044e2b0106c8
3402 * cipher/keccak.c (USE_64BIT_BMI2, USE_64BIT_SHLD)
3403 (USE_32BIT_BMI2): Depend also on HAVE_CPU_ARCH_X86.
3404 * random/rndjent.c [__i386__ || __x86_64__] (USE_JENT): Depend
3405 also on HAVE_CPU_ARCH_X86.
3406
3407 md: clear bctx.count at final function.
3408 + commit cb95fc53003e9f34ff80fc33627ceda605de223c
3409 * cipher/md4.c (md4_final): Set bctx.count zero after
3410 finalizing.
3411 * cipher/md5.c (md5_final): Ditto.
3412 * cipher/rmd160.c (rmd160_final): Ditto.
3413 * cipher/sha1.c (sha1_final): Ditto.
3414 * cipher/sha256.c (sha256_final): Ditto.
3415 * cipher/sha512.c (sha512_final): Ditto.
3416 * cipher/sm3.c (sm3_final): Ditto.
3417 * cipher/stribog.c (stribog_final): Ditto.
3418 * cipher/tiger.c (tiger_final): Ditto.
3419
3420 2021-02-02 NIIBE Yutaka <gniibe@fsij.org>
3421
3422 ecc: Add checking key for ECDSA.
3423 + commit 598d0f3e0294a487e01b88cc714a8cd0a47329bb
3424 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_verify): Validate public key.
3425 * cipher/ecc-gost.c (_gcry_ecc_gost_verify): Likewise.
3426 * cipher/ecc-sm2.c (_gcry_ecc_sm2_verify): Likewise.
3427
3428 2021-01-29 Werner Koch <wk@gnupg.org>
3429
3430 Release 1.9.1.
3431 + commit 466299b1ceb82ec7c4dd0ca376de50399a896adf
3432 * configure.ac: Bump LT version to C23/A3/R1.
3433
3434 2021-01-29 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3435
3436 hash-common: fix heap overflow when writing more data after final.
3437 + commit 512c0c75276949f13b6373b5c04f7065af750b08
3438 * tests/basic.c (check_one_md): Test writing to digest after read.
3439 * cipher/hash-common.c (_gcry_md_block_write): Reset 'hd->count' if
3440 greater than blocksize.
3441
3442 2021-01-28 Werner Koch <wk@gnupg.org>
3443
3444 Add a compliance keyword to gcry_get_config.
3445 + commit aa3f595341eb263980210776c7fe377b2ed24c5e
3446 * src/global.c (print_config): New config line.
3447
3448 2021-01-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3449
3450 asm-common-aarch64: add MacOS support for GET_DATA_POINTER.
3451 + commit 014fed5153647641376b9131ea1d87dc5e88cf42
3452 * cipher/asm-common-aarch64.h [__APPLE__] (GET_DATA_POINTER): Add MacOS
3453 variant of macro.
3454
3455 2021-01-27 NIIBE Yutaka <gniibe@fsij.org>
3456
3457 random: Use getentropy on macOS when available.
3458 + commit 6cb0faf6ceec5b2e799e6fb5f04b85d135a7da9b
3459 * random/rndlinux.c [__APPLE__ && __MACH__] (getentropy): Declare.
3460 (_gcry_rndlinux_gather_random): Check the symbol and use getentropy.
3461
3462 mpi: Fix _gcry_mpih_mod implementation.
3463 + commit f06ff4e31c8e162f4a59986241c7ab43d5085927
3464 * mpi/mpih-const-time.c (_gcry_mpih_mod): Handle the overflow.
3465
3466 build: Check spawn.h for MacOS X Tiger.
3467 + commit fc901e978a0c18a3524cad5d1ef3451ed11b9347
3468 * configure.ac: Add check for spawn.h.
3469 * tests/random.c: Only use posix_spawn if available.
3470
3471 2021-01-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3472
3473 global: fix compile error at pragma GCC diagnostic.
3474 + commit 3d095206c30d772d5fc68bf69bfc384e43f766e9
3475 * src/global.c (_gcry_vcontrol): Move "pragma GCC diagnostics" outside
3476 function.
3477
3478 cipher-proto: remove forward typedef of cipher_bulk_ops_t.
3479 + commit 17aad639d29c7c835a7effb89181c7c99b16cb6a
3480 * cipher/cipher-proto (cipher_bulk_ops_t): Remove typedef, leave
3481 forward declaration of 'struct cipher_bulk_ops'.
3482 (gcry_cipher_setkey_t): Change 'bulk_ops' to
3483 'struct cipher_bulk_ops *'.
3484 * cipher/arcfour.c: Include 'cipher-internal.h'.
3485 * cipher/gost28147.c: Ditto.
3486 * cipher/idea.c: Ditto.
3487 * cipher/rfc2268.c: Ditto.
3488 * cipher/salsa20.c: Ditto.
3489 * cipher/seed.c: Ditto.
3490 * cipher/mac-internal.h (CTX_MAGIC_NORMAL): Rename to...
3491 (CTX_MAC_MAGIC_NORMAL): ... this.
3492 (CTX_MAGIC_SECURE): Rename to...
3493 (CTX_MAC_MAGIC_SECURE): ... this.
3494 * cipher/mac-cmac.c (cmac_open): Use CTX_MAC_MAGIC_SECURE.
3495 * cipher/mac-gmac.c (gmac_open): Ditto.
3496 * cipher/mac-hmac.c (hmac_open): Ditto.
3497 * cipher/mac-poly1305.c (poly1305mac_open): Ditto.
3498 * cipher/mac.c (mac_open): Use CTX_MAC_MAGIC_SECURE and
3499 CTX_MAC_MAGIC_NORMAL.
3500
3501 2021-01-26 David Michael <fedora.dm0@gmail.com>
3502
3503 cipher/sha512: Fix non-NEON ARM assembly implementation.
3504 + commit 1e72c50f864ae1c77ba80c191224b9ef1d22a2e2
3505 * cipher/sha512.c (do_transform_generic)
3506 [USE_ARM_ASM]: Switch to the non-NEON assembly implementation.
3507
3508 2021-01-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3509
3510 blake2: fix RIP register access for AVX/AVX2 implementations.
3511 + commit b2f78ae034b8d4aa3d4cc7bf85262317832f6e0a
3512 * cipher/blake2b-amd64-avx2.S: Use rRIP instead of (RIP).
3513 * cipher/blake2s-amd64-avx.S: Use rRIP instead of (RIP).
3514
3515 sha512/sha256: remove assembler macros from AMD64 implementations.
3516 + commit 9f49e806f9506533236fd44b17f17b85961b20f1
3517 * configure.ac (gcry_cv_gcc_platform_as_ok_for_intel_syntax): Remove
3518 assembler macro check from Intel syntax assembly support check.
3519 * cipher/sha256-avx-amd64.S: Replace assembler macros with C
3520 preprocessor counterparts.
3521 * cipher/sha256-avx2-bmi2-amd64.S: Ditto.
3522 * cipher/sha256-ssse3-amd64.S: Ditto.
3523 * cipher/sha512-avx-amd64.S: Ditto.
3524 * cipher/sha512-avx2-bmi2-amd64.S: Ditto.
3525 * cipher/sha512-ssse3-amd64.S: Ditto.
3526
3527 configure.ac: run assembler checks through linker for better LTO support.
3528 + commit 393bd6c3d1aa2b2a1b05be0e2d7fb2514e6c5ad0
3529 * configure.ac (gcry_cv_gcc_arm_platform_as_ok)
3530 (gcry_cv_gcc_aarch64_platform_as_ok)
3531 (gcry_cv_gcc_inline_asm_ssse3, gcry_cv_gcc_inline_asm_pclmul)
3532 (gcry_cv_gcc_inline_asm_shaext, gcry_cv_gcc_inline_asm_sse41)
3533 (gcry_cv_gcc_inline_asm_avx, gcry_cv_gcc_inline_asm_avx2)
3534 (gcry_cv_gcc_inline_asm_bmi2, gcry_cv_gcc_as_const_division_ok)
3535 (gcry_cv_gcc_as_const_division_with_wadivide_ok)
3536 (gcry_cv_gcc_amd64_platform_as_ok, gcry_cv_gcc_win64_platform_as_ok)
3537 (gcry_cv_gcc_platform_as_ok_for_intel_syntax)
3538 (gcry_cv_gcc_inline_asm_neon, gcry_cv_gcc_inline_asm_aarch32_crypto)
3539 (gcry_cv_gcc_inline_asm_aarch64_neon)
3540 (gcry_cv_gcc_inline_asm_aarch64_crypto)
3541 (gcry_cv_gcc_inline_asm_ppc_altivec)
3542 (gcry_cv_gcc_inline_asm_ppc_arch_3_00)
3543 (gcry_cv_gcc_inline_asm_s390x, gcry_cv_gcc_inline_asm_s390x): Use
3544 AC_LINK_IFELSE check instead of AC_COMPILE_IFELSE.
3545
3546 rijndael: remove unused use_xxx flags.
3547 + commit a14447f8169aff30a49f5c2ab06bd5bbd1cc3531
3548 * cipher/rijndael-internal.h (RIJNDAEL_context_s): Remove unused
3549 'use_padlock', 'use_aesni', 'use_ssse3', 'use_arm_ce', 'use_ppc_crypto'
3550 and 'use_ppc9le_crypto'.
3551 * cipher/rijndael.c (do_setkey): Do not setup 'use_padlock',
3552 'use_aesni', 'use_ssse3', 'use_arm_ce', 'use_ppc_crypto' and
3553 'use_ppc9le_crypto'.
3554
3555 Define HW-feature flags per architecture.
3556 + commit 8d404a629167d67ed56e45de3e65d1e0b7cdeb24
3557 * random/rand-internal.h (_gcry_rndhw_poll_slow): Add requested length
3558 parameter.
3559 * random/rndhw.c (_gcry_rndhw_poll_slow): Limit accounted bytes to 50%
3560 (or 25% for RDRAND) - this code is moved from caller side.
3561 * random/rndlinux.c (_gcry_rndlinux_gather_random): Move
3562 HWF_INTEL_RDRAND check to _gcry_rndhw_poll_slow.
3563 * src/g10lib.h (HWF_PADLOCK_*, HWF_INTEL_*): Define only if
3564 HAVE_CPU_ARCH_X86.
3565 (HWF_ARM_*): Define only if HAVE_CPU_ARCH_ARM.
3566 (HWF_PPC_*): Define only if HAVE_CPU_ARCH_PPC.
3567 (HWF_S390X_*): Define only if HAVE_CPU_ARCH_S390X.
3568
3569 Add configure option to force enable 'soft' HW feature bits.
3570 + commit 3b34bd6e178614d6021ee7d1140646f7c8ed7519
3571 * configure.ac (force_soft_hwfeatures)
3572 (ENABLE_FORCE_SOFT_HWFEATURES): New.
3573 * src/hwf-x86.c (detect_x86_gnuc): Enable HWF_INTEL_FAST_SHLD
3574 and HWF_INTEL_FAST_VPGATHER if ENABLE_FORCE_SOFT_HWFEATURES enabled.
3575
3576 2021-01-26 NIIBE Yutaka <gniibe@fsij.org>
3577
3578 ecc: Fix Ed25519 private key handling for preceding ZEROs.
3579 + commit 1b74f633bd3e358fb07a856a70597019980651d2
3580 * cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Fill-up or remove
3581 preceding ZEROs correctly, fixing the third argument of mpi_set_opaque.
3582
3583 ecc: Fix initialization of CTX for sign and verify.
3584 + commit 652b102697cbfe2d7bc642fc7374cb21a9cf03e6
3585 * cipher/ecc.c (ecc_sign, ecc_verify): Call
3586 _gcry_pk_util_init_encoding_ctx at first.
3587
3588 2021-01-21 NIIBE Yutaka <gniibe@fsij.org>
3589
3590 build: Fix build of tests with non-default installation.
3591 + commit fa3420b011c105ca21894489e62c7e882a3ac4dd
3592 * tests/Makefile.am: Add forgotten @LDADD_FOR_TESTS_KLUDGE@.
3593
3594 2021-01-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3595
3596 Split inline assembly blocks with many memory operands.
3597 + commit 00df9f27181d77166ceb55f319329400bf2e6a48
3598 * cipher/rijndael-aesni.c (aesni_ocb_checksum, aesni_ocb_enc)
3599 (aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Split assembly blocks
3600 with more than 4 memory operands to smaller blocks.
3601 * cipher/sha512-ssse3-i386.c (W2): Split big assembly block to
3602 three smaller blocks.
3603
3604 tests/basic: fix build on ARM32 when NEON disabled.
3605 + commit 81354e911bfa3e135d3e07f6a8d9e98033cd921a
3606 * tests/basic.c (CLUTTER_VECTOR_REGISTER_NEON)
3607 (CLUTTER_VECTOR_REGISTER_AARCH64): Remove check for __ARM_FEATURE_SIMD32.
3608
3609 kdf: make self-test test-vector array read-only.
3610 + commit 097148bc89ec8c18b9e4795733e0f0b1ae0ecd1d
3611 * cipher/kdf.c (selftest_pbkdf2): Make 'tv[]' constant.
3612
3613 kdf: add missing null-terminator for self-test test-vector array.
3614 + commit c6425a5537294dfe2beaafc9105f7af4ceac677f
3615 * cipher/kdf.c (selftest_pbkdf2): Add null-terminator to TV array.
3616
3617 cipher/bithelp: use __builtin_ctzl when available.
3618 + commit 807827cda3bacf5f475167ee6d34657713111838
3619 * cipher/bithelp.h (_gcry_ctz64): Use __builtin_ctzl if available.
3620
3621 mpi/longlong: make use of compiler provided __builtin_ctz/__builtin_clz.
3622 + commit 477355047e5c75ad2b2238a8716e4646b861184c
3623 * configure.ac (gcry_cv_have_builtin_ctzl, gcry_cv_have_builtin_clz)
3624 (gcry_cv_have_builtin_clzl): New checks.
3625 * mpi/longlong.h (count_leading_zeros, count_trailing_zeros): Use
3626 __builtin_clz[l]/__builtin_ctz[l] if available and bit counting
3627 macros not yet provided by inline assembly.
3628
3629 2021-01-19 Werner Koch <wk@gnupg.org>
3630
3631 Release 1.9.0.
3632 + commit 0dc49af9b5371c5e2f766b70c3bede2b10db9f7e
3633
3634
3635 2021-01-19 NIIBE Yutaka <gniibe@fsij.org>
3636
3637 Fix DSA for FIPS 186-3.
3638 + commit 30ed9593f632c728d918598037358deaeccd1968
3639 * cipher/dsa.c (generate_fips186): Supply INITIAL_SEED to
3640 _gcry_generate_fips186_3_prime.
3641 * tests/fips186-dsa.c (check_dsa_gen_186_2): Add where tv comes from.
3642 (check_dsa_gen_186_3): Implement tests.
3643 * tests/pubkey.c (get_dsa_key_fips186_with_seed_new): Use the qbits
3644 and seed of tests/fips186-dsa.c.
3645
3646 2021-01-19 NIIBE Yutaka <gniibe@fsij.org>
3647 Tomáš Mráz <tm@t8m.info>
3648
3649 Check if FIPS is operational and error return if not.
3650 + commit ebeae53222648c637907f4b358888fc0e7123dc9
3651 * src/visibility.c (gcry_kdf_derive): Add the check.
3652 (gcry_prime_generate, gcry_prime_group_generator): Likewise.
3653 (gcry_mpi_randomize): Likewise, but no return.
3654
3655 2021-01-18 Werner Koch <wk@gnupg.org>
3656
3657 ecc: Change an error code of gcry_ecc_mul_point.
3658 + commit ca5a90bf70598247589078478d237287ca524453
3659 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Return
3660 GPG_ERR_UNKNOWN_CURVE.
3661
3662 2021-01-15 NIIBE Yutaka <gniibe@fsij.org>
3663 Tomáš Mráz <tm@t8m.info>
3664
3665 kdf: Add selftest.
3666 + commit 7a0da24925361a3109474d0e433511467a9e35d1
3667 * src/cipher-proto.h (_gcry_kdf_selftest): New.
3668 * cipher/kdf.c (check_one, selftest_pbkdf2): New.
3669 (_gcry_kdf_selftest): New.
3670 * src/fips.c (run_kdf_selftests): New.
3671 (_gcry_fips_run_selftests): Call run_kdf_selftests.
3672
3673 2021-01-13 NIIBE Yutaka <gniibe@fsij.org>
3674 Tomáš Mráz <tm@t8m.info>
3675
3676 cmac: Add selftest.
3677 + commit 385a89e35b0b95f15b4c6e4d5482b1fc6906f7c5
3678 * cipher/mac-cmac.c (check_one, selftests_cmac_3des): New.
3679 (selftests_cmac_aes, cmac_selftest): New.
3680 (cmac_ops): Add cmac_selftest.
3681 * src/fips.c (run_mac_selftests): Add CMAC selftests.
3682
3683 2021-01-13 NIIBE Yutaka <gniibe@fsij.org>
3684
3685 sexp: Raise an error when an integer is negative with USG.
3686 + commit 00d7c1c632019066a4884930d413ccc044d81af5
3687 * src/sexp.c (do_vsexp_sscan): Return GPG_ERR_INV_ARG if negative.
3688
3689 2021-01-08 NIIBE Yutaka <gniibe@fsij.org>
3690
3691 ecc: Add backward compatibility support for Ed25519 key in SEXP.
3692 + commit 4768baf74be03d8973d004725f796aef329c45bf
3693 * cipher/ecc-curves.c (_gcry_ecc_get_curve): Support Ed25519 keys with
3694 parameter {p,a,b,g,n}.
3695
3696 ecc: Minor implementation change for _gcry_ecc_get_curve.
3697 + commit 3fe7036d05f283df9441d42242f0047b6ea11a32
3698 * cipher/ecc-curves.c (_gcry_ecc_get_curve): Flatten.
3699
3700 2020-12-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3701
3702 Add s390x/zSeries implementation of Poly1305.
3703 + commit 1f75681cbba895ea2f7ea0637900721f4522e729
3704 * cipher/Makefile.am: Add 'poly1305-s390x.S' and
3705 'asm-poly1305-s390x.h'.
3706 * cipher/asm-poly1305-s390x.h: New.
3707 * cipher/chacha20-s390x.S (_gcry_chacha20_poly1305_s390x_vx_blocks8)
3708 (_gcry_chacha20_poly1305_s390x_vx_blocks4_2_1): New, stitched
3709 chacha20-poly1305 implementation.
3710 * cipher/chacha20.c (USE_S390X_VX_POLY1305): New.
3711 (_gcry_chacha20_poly1305_s390x_vx_blocks8)
3712 (_gcry_chacha20_poly1305_s390x_vx_blocks4_2_1): New prototypes.
3713 (_gcry_chacha20_poly1305_encrypt, _gcry_chacha20_poly1305_decrypt): Add
3714 s390x/VX stitched chacha20-poly1305 code-path.
3715 * cipher/poly1305-s390x.S: New.
3716 * cipher/poly1305.c (USE_S390X_ASM, HAVE_ASM_POLY1305_BLOCKS): New.
3717 [USE_S390X_ASM] (_gcry_poly1305_s390x_blocks1, poly1305_blocks): New.
3718 * configure.ac (gcry_cv_gcc_inline_asm_s390x): Check for 'risbgn' and
3719 'algrk' instructions.
3720 * tests/basic.c (_check_poly1305_cipher): Add large chacha20-poly1305
3721 test vector.
3722
3723 Add s390x/zSeries implementation of ChaCha20.
3724 + commit 6a0bb9ab7f886087d7edb0725c90485086a1c0b4
3725 * cipher/Makefile.am: Add 'asm-common-s390x.h' and 'chacha20-s390x.S'.
3726 * cipher/asm-common-s390x.h: New.
3727 * cipher/chacha20-s390x.S: New.
3728 * cipher/chacha20.c (USE_S390X_VX): New.
3729 (CHACHA20_context_t): Change 'use_*' bit-field to unsigned type; Add
3730 'use_s390x'.
3731 (_gcry_chacha20_s390x_vx_blocks8)
3732 (_gcry_chacha20_s390x_vx_blocks4_2_1): New.
3733 (chacha20_do_setkey): Add HW feature detect for s390x/VX.
3734 (chacha20_blocks, do_chacha20_encrypt_stream_tail): Add s390x/VX
3735 code-path.
3736 * configure.ac: Add 'chacha20-s390x.lo'.
3737
3738 hwf-s390x: add VX vector instruction set detection.
3739 + commit 1d13794780e3d052cd5ed6f900bf5900cf44b377
3740 * configure.ac (gcry_cv_gcc_inline_asm_s390x_vx): New check.
3741 * src/g10lib.h (HWF_S390X_VX): New.
3742 * src/hwf-s390x.c (HWCAP_S390_VXRS): New.
3743 (s390x_features) [HAVE_GCC_INLINE_ASM_S390X_VX]: Add VX feature check.
3744 * src/hwfeatures.c (hwlist): Add "s390x-vx".
3745
3746 mpi/longlong: add s390x/zSeries macros.
3747 + commit 0252cc9b62dfe20c77211f093b4fda54786177d3
3748 * mpi/longlong.h [__s390x__] (add_ssaaaa, sub_ddmmss, UTItype)
3749 (umul_ppmm, udiv_qrnnd): New.
3750
3751 2020-12-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3752
3753 hwf-arm: fix incorrect HWCAP2 for SHA1 and SHA2 on AArch32.
3754 + commit 6b6bfd57d0a6b2b4577c084db35078cd9fadafa5
3755 * src/hwf-arm.c (HWCAP2_SHA1, HWCAP2_SHA2): Change from bit indexes to
3756 flags.
3757
3758 Add missing prototype for _gcry_mac_selftest.
3759 + commit e47f04b4a28947c90db70ccaf93e149cfd5213c9
3760 * src/cipher-proto.h (_gcry_hmac_selftest): Rename to...
3761 (_gcry_mac_selftest): ... this.
3762
3763 2020-12-21 NIIBE Yutaka <gniibe@fsij.org>
3764
3765 Merge hmac-tests.c into mac-hmac.c.
3766 + commit 2ab14b23afc092fd25395954c2a94db932ca4d95
3767 * cipher/Makefile.am (EXTRA_DIST): Remove hmac-tests.c.
3768 * cipher/hmac-tests.c: Remove, merge into...
3769 * cipher/mac-hmac.c: ... here.
3770
3771 2020-12-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3772
3773 Add s390x/zSeries acceleration for SHA3.
3774 + commit 7532e27cacb74c92fd561524a0897163b0fcd7f4
3775 * cipher/asm-inline-s390x.h (KLMD_PADDING_STATE): New.
3776 (kimd_execute): Change 'reg0' from read-only to read/write.
3777 (klmd_shake_execute): New.
3778 * cipher/keccak.c (USE_S390X_CRYPTO): New.
3779 (KECCAK_CONTEXT) [USE_S390X_CRYPTO]: New members.
3780 [USE_S390X_CRYPTO] (keccak_bwrite_s390x, keccak_final_s390x)
3781 (keccak_bextract_s390x, keccak_write_s390x, keccak_extract_s390x): New.
3782 (keccak_write) [USE_S390X_CRYPTO]: Use accelerated function if enabled.
3783 (keccak_final) [USE_S390X_CRYPTO]: Likewise.
3784 (keccak_extract) [USE_S390X_CRYPTO]: Likewise.
3785 (keccak_init) [USE_S390X_CRYPTO]: Detect and setup zSeries
3786 acceleration.
3787
3788 Add s390x/zSeries acceleration for SHA512.
3789 + commit 45f0ec0c4e3b08627cbf7e65f5f110c321710d01
3790 * cipher/sha512.c (USE_S390X_CRYPTO): New.
3791 (SHA512_CONTEXT) [USE_S390X_CRYPTO]: New members.
3792 (do_sha512_transform_s390x, do_sha512_final_s390x): New.
3793 (sha512_init_common) [USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
3794 acceleration.
3795 (sha512_final) [USE_S390X_CRYPTO]: Use accelerated final function.
3796
3797 Add s390x/zSeries acceleration for SHA256.
3798 + commit 0b555c3cc7c2b80ec2628685946a6139a1996911
3799 * cipher/sha256.c (USE_S390X_CRYPTO): New.
3800 (SHA256_CONTEXT) [USE_S390X_CRYPTO]: New members.
3801 (do_sha256_transform_s390x, do_sha256_final_s390x): New.
3802 (sha256_common_init) [USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
3803 acceleration.
3804 (sha256_final) [USE_S390X_CRYPTO]: Use accelerated final function.
3805
3806 Add s390x/zSeries acceleration for SHA1.
3807 + commit 88570515b4ca92a44c4e40c31f877c11cc00ab68
3808 * cipher/asm-inline-s390x.h (ALWAYS_INLINE): New.
3809 (klmd_query): New.
3810 (km_function_to_mask, kimd_execute, klmd_execute): Mark as always
3811 inline.
3812 * cipher/rijndael-s390x.c (ALWAYS_INLINE): Remove.
3813 * cipher/sha1.c (do_sha1_transform_s390x, do_sha1_final_s390x): New.
3814 (sha1_init) [SHA1_USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
3815 acceleration.
3816 (sha1_final) [SHA1_USE_S390X_CRYPTO]: Use accelerated final function.
3817 * cipher/sha1.h (SHA1_USE_S390X_CRYPTO): New.
3818 (SHA1_CONTEXT) [SHA1_USE_S390X_CRYPTO]: New.
3819
3820 Add bulk AES-GCM acceleration for s390x/zSeries.
3821 + commit 5aeb091f911398217b2e9facb9bdeb05c63d7844
3822 * cipher/Makefile.am: Add 'asm-inline-s390x.h'.
3823 * cipher/asm-inline-s390x.h: New.
3824 * cipher/cipher-gcm.c [GCM_USE_S390X_CRYPTO] (ghash_s390x_kimd): New.
3825 (setupM) [GCM_USE_S390X_CRYPTO]: Add setup for s390x GHASH function.
3826 * cipher/cipher-internal.h (GCM_USE_S390X_CRYPTO): New.
3827 * cipher/rijndael-s390x.c (u128_t, km_functions_e): Move to
3828 'asm-inline-s390x.h'.
3829 (aes_s390x_gcm_crypt): New.
3830 (_gcry_aes_s390x_setup_acceleration): Use 'km_function_to_mask'; Add
3831 setup for GCM bulk function.
3832
3833 Add bulk function interface for GCM mode.
3834 + commit f4e63e92dc0b79633f48b11d292dd7bdf2752ede
3835 * cipher/cipher-gcm.c (do_ghash_buf): Proper handling for the case
3836 where 'unused' gets filled to full blocksize.
3837 (gcm_crypt_inner): New.
3838 (_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Use
3839 'gcm_crypt_inner'.
3840 * cipher/cipher-internal.h (cipher_bulk_ops_t): Add 'gcm_crypt'.
3841
3842 Add s390x/zSeries acceleration for AES.
3843 + commit 9219d9d1b60c01a4c7dbde05ee6b5b52e0d7d072
3844 * configure.ac: Add 'rijndael-s390x.lo'.
3845 * cipher/Makefile.am: Add 'rijndael-s390x.c'.
3846 * cipher/rijndael-internal.c (USE_S390X_CRYPTO): New.
3847 (RIJNDAEL_context_s) [USE_S390X_CRYPTO]: New 'km*_func' members.
3848 * cipher/rijndael-s390x.c: New.
3849 * cipher/rijndael.c (_gcry_aes_s390x_setup_acceleration)
3850 (_gcry_aes_s390x_setup_setkey)
3851 (_gcry_aes_s390x_setup_prepare_decryption, _gcry_aes_s390x_encrypt)
3852 (_gcry_aes_s390x_decrypt): New.
3853 (do_setkey) [USE_S390X_CRYPTO]: Add s390x acceleration setup.
3854
3855 Add bulk function interface for OFB mode.
3856 + commit f12b6788f2297391265af93a7794bfbc503de6d7
3857 * cipher/cipher-internal.h (cipher_bulk_ops): Add 'ofb_enc'.
3858 * cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt): Use bulk encryption
3859 function if defined.
3860 * cipher/basic.c (check_bulk_cipher_modes): Add OFB-AES test vectors.
3861
3862 hwf: add detection of s390x/zSeries hardware features.
3863 + commit 128054767d5f864798a39d432997f7d38c4bf729
3864 * configure.ac (gcry_cv_gcc_inline_asm_s390x)
3865 (HAVE_CPU_ARCH_S390X): Add s390x detection support.
3866 * mpi/config.links: Add setup for s390x links.
3867 * src/Makefile.am: Add 'hwf-s390x.c'.
3868 * src/g10lib.h (HWF_S390X_MSA, HWF_S390X_MSA_4, HWF_S390X_8): New.
3869 * src/hwf_common.h (_gcry_hwf_detect_s390x): New.
3870 * src/hwf-s390x.c: New.
3871 * src/hwfeatures.c: Add "s390x-msa", "s390x-msa-4" and "s390x-msa-8".
3872
3873 tests/bench-slope: use same benchmarking for XTS as for other modes.
3874 + commit 0e37bb32e215feb4716341f7053c4f54806645cb
3875 * tests/bench-slope.c (bench_xts_encrypt_init): Use same buffer
3876 sizes as other tests.
3877 (bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench): Remove.
3878 (xts_encrypt_ops): Use 'bench_encrypt_do_bench'.
3879 (xts_decrypt_ops): Use 'bench_decrypt_do_bench'.
3880
3881 aarch64: mpi/longlong.h: fix operand size mismatch.
3882 + commit c59b5b03a063ebc73935dbb10bc4f568faddbedf
3883 * mpi/longlong.h [__aarch64__] (count_leading_zeros): Use correctly
3884 sized temporary variable for asm output.
3885
3886 aarch64: use configure check for assembly ELF directives support.
3887 + commit 8352b0ece5237e3f86f1525b072e8f690ad0fa94
3888 * configure.ac (gcry_cv_gcc_asm_elf_directives): New check.
3889 (HAVE_GCC_ASM_ELF_DIRECTIVES): New 'config.h' macro.
3890 * cipher/asm-common-aarch64.h (ELF): Change feature macro check from
3891 __ELF__ to HAVE_GCC_ASM_ELF_DIRECTIVES.
3892
3893 2020-12-18 NIIBE Yutaka <gniibe@fsij.org>
3894
3895 Reorganize self-tests for HMAC.
3896 + commit c90fb0d8fb7a84bbcc8d6832de6a554405591850
3897 * cipher/Makefile.am: Prepare merge of hmac-test.c into mac-hmac.c.
3898 * cipher/hmac-tests.c: Ifdef-out run_selftests and _gcry_hmac_selftest.
3899 * cipher/mac-internal.h: Include cipher-proto.h for selftest.
3900 (gcry_mac_spec_ops): Add selftest field.
3901 * cipher/mac-hmac.c: Include hmac-tests.c for migration.
3902 (hmac_selftest): New.
3903 (hmac_ops): Add hmac_selftest.
3904 * cipher/gost28147.c, cipher/mac-cmac.c: Add new field for selftest.
3905 * cipher/mac-gmac.c, cipher/mac-poly1305.c: Likewise.
3906 * cipher/mac.c (_gcry_mac_selftest): New.
3907 * src/fips.c (run_mac_selftests): Rename from run_hmac_selftests.
3908 Use GCRY_MAC_HMAC_*, and call _gcry_mac_selftest.
3909 (_gcry_fips_run_selftests): Use run_mac_selftests.
3910
3911 2020-12-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3912
3913 Prevent link-time optimization from inlining __gcry_burn_stack.
3914 + commit 1a83df98b198902ee6d71549231a3af37088d452
3915 * src/g10lib.h (NOINLINE_FUNC): New attribute macro.
3916 * src/misc.c (__gcry_burn_stack): Add NOINLINE_FUNC attribute.
3917
3918 tests/basic: check 32-bit and 64-bit overflow for CTR and ChaCha20.
3919 + commit 2065720b5b0642cc1a0e08086a434244ebb1abf2
3920 * tests/basic.c (check_one_cipher_ctr_reset)
3921 (check_one_cipher_ctr_overflow): New.
3922 (check_one_cipher): Add counter overflow tests for ChaCha20 and CTR
3923 mode.
3924
3925 chacha20-ppc: fix 32-bit counter overflow handling.
3926 + commit ed45eac3b721c1313902b977379fbd4886ccca7b
3927 * cipher/chacha20-ppc.c (vec_add_ctr_u64, ADD_U64): New.
3928 (_gcry_chacha20_ppc8_blocks1, _gcry_chacha20_ppc8_blocks4)
3929 (_gcry_chacha20_poly1305_ppc8_blocks4): Use ADD_U64 when incrementing
3930 counter.
3931
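The tests/basic and chacha20-ppc entries above share one point: a block counter has to be incremented with carry across its full width, because a lost carry makes the counter wrap early and the keystream repeat under the same key and nonce. The C below is an added illustration for this page, not libgcrypt's code: ctr128_add increments a big-endian 128-bit CTR block the way generic CTR mode does, chacha_ctr64_add increments a 64-bit little-endian ChaCha20 block counter held in state words 12 and 13 (an assumed layout, matching the original 64-bit-counter ChaCha20), and chacha_ctr32_add_lossy is a deliberately wrong 32-bit-only add that makes the failure visible. All function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Increment a 128-bit big-endian CTR block by 'add', propagating the carry
   through all 16 bytes (generic CTR-mode convention: the whole block is the
   counter, most significant byte first). */
void ctr128_add(uint8_t ctr[16], uint64_t add)
{
    for (int i = 15; i >= 0 && add != 0; i--) {
        uint64_t s = (uint64_t)ctr[i] + (add & 0xffu);
        ctr[i] = (uint8_t)s;
        add = (add >> 8) + (s >> 8);   /* remaining addend plus carry out of this byte */
    }
}

/* Self-check: fill bytes [split, 16) with 0xff, add 1, and report whether the
   carry landed in byte split-1 with every byte below it cleared.
   split == 12 is the 32-bit overflow case, split == 8 the 64-bit one. */
int ctr128_carries_at(int split)
{
    uint8_t c[16] = {0};
    if (split < 1 || split > 15)
        return 0;
    memset(c + split, 0xff, (size_t)(16 - split));
    ctr128_add(c, 1);
    if (c[split - 1] != 1)
        return 0;
    for (int i = split; i < 16; i++)
        if (c[i] != 0)
            return 0;
    return 1;
}

/* Correct 64-bit ChaCha20 block counter: little-endian word 12 is the low
   half and word 13 the high half (assumed layout). */
void chacha_ctr64_add(uint32_t st[16], uint32_t add)
{
    uint64_t c = ((uint64_t)st[13] << 32) | st[12];
    c += add;
    st[12] = (uint32_t)c;
    st[13] = (uint32_t)(c >> 32);
}

/* Lossy variant: only word 12 is incremented, so the carry into word 13 is
   dropped. After 2^32 blocks (256 GiB) the counter wraps and the keystream
   repeats under the same key and nonce. Shown only to make the bug visible. */
void chacha_ctr32_add_lossy(uint32_t st[16], uint32_t add)
{
    st[12] += add;
}

/* Returns 1 if incrementing from 2^32-1 carries into word 13, 0 if the
   carry is lost. A quick self-check for any counter-increment routine. */
int chacha_counter_carries(void (*inc)(uint32_t *, uint32_t))
{
    uint32_t st[16] = {0};
    st[12] = 0xffffffffu;
    inc(st, 1);
    return st[12] == 0 && st[13] == 1;
}

int main(void)
{
    printf("CTR carry across 32-bit boundary: %d, across 64-bit boundary: %d\n",
           ctr128_carries_at(12), ctr128_carries_at(8));
    printf("ChaCha20 64-bit add carries: %d, 32-bit-only add carries: %d\n",
           chacha_counter_carries(chacha_ctr64_add),
           chacha_counter_carries(chacha_ctr32_add_lossy));
    return 0;
}
```

The practical check is the one the tests/basic entry adds: start the counter just below a 32-bit and a 64-bit boundary, encrypt across it, and compare with a reference that increments the full width. Any fast path that adds only to the low word or low byte must detect the carry out and fall back to the full-width increment.
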
3932 2020-12-03 NIIBE Yutaka <gniibe@fsij.org>
3933
3934 tests: Put a workaround into tests/random for macOS.
3935 + commit 9769b40b54cf010a0c41c4ab05a7a88e17d70613
3936 * configure.ac [*-apple-darwin*] (USE_POSIX_SPAWN_FOR_TESTS): New.
3937 * tests/random.c [USE_POSIX_SPAWN_FOR_TESTS] (run_all_rng_tests): New.
3938
3939 2020-11-18 NIIBE Yutaka <gniibe@fsij.org>
3940
3941 build: Update to newer autoconf constructs.
3942 + commit 9485ca7b5bf11194cff59edbfa6a0fba3bf6162a
3943 * acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Use AS_MESSAGE_LOG_FD
3944 instead of AC_FD_CC.
3945 (GNUPG_CHECK_MLOCK): Use AC_LINK_IFELSE instead of AC_TRY_LINK.
3946 Use AC_RUN_IFELSE instead of AC_TRY_RUN.
3947 * configure.ac (AC_ISC_POSIX): Replace by AC_SEARCH_LIBS.
3948 Use AC_USE_SYSTEM_EXTENSIONS instead of AC_GNU_SOURCE.
3949 Use AS_HELP_STRING instead of AC_HELP_STRING.
3950 (AC_TYPE_SIGNAL): Remove.
3951 (AC_DECL_SYS_SIGLIST): Remove.
3952 * m4/Makefile.am (EXTRA_DIST): Update.
3953 * m4/onceonly.m4: Remove.
3954 * m4/socklen.m4: Update from gnulib.
3955 * m4/libtool.m4: Update from libgpg-error.
3956 * m4/gpg-error.m4: Update from libgpg-error.
3957 * m4/noexecstack.m4: Use AS_HELP_STRING instead of AC_HELP_STRING.
3958
3959 build: Use modern Autoconf check for type.
3960 + commit 425bf499185d78aa8fcad6a30b8771e7865d449d
3961 * configure.ac (byte, ushort, u16, u32, u64): Use AC_CHECK_TYPES.
3962 * cipher/poly1305.c: Use HAVE_TYPE_U64.
3963 * src/hmac256.c: Use HAVE_TYPE_U32.
3964 * src/types.h: Use HAVE_TYPE_BYTE, HAVE_TYPE_USHORT, HAVE_TYPE_U16,
3965 HAVE_TYPE_U32, and HAVE_TYPE_U64.
3966
3967 m4: Update with newer autoconf constructs.
3968 + commit 908e347fb68b28e180ac816b5050406358e81a0f
3969 * src/libgcrypt.m4: Replace AC_HELP_STRING with AS_HELP_STRING.
3970
3971 2020-10-30 NIIBE Yutaka <gniibe@fsij.org>
3972
3973 ecc: Handle removed zeros at the beginning for Ed25519.
3974 + commit 361a0588489cf4a539da8debd1771024a1faa218
3975 * cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Accept private
3976 key with removed zeros.
3977
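This entry and the 2021-01-26 ecc entry earlier in this log concern the same pitfall: a fixed-width 32-byte Ed25519 secret that is routed through a big-number type loses its leading zero bytes (roughly one random key in 256 starts with one), so it comes back 31 bytes long unless the width is restored. The C below is an added illustration for this page, not libgcrypt's code; ed25519_seckey_from_bytes and seckey_probe are this example's own names, and the policy of rejecting an empty input while accepting surplus leading bytes only when they are zero is an assumption chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ED25519_SECKEY_LEN 32

/* Rebuild a fixed-width 32-byte secret from bytes that may have lost their
   leading zeros (big-number canonicalisation strips them) or carry extra
   leading zeros. Returns 0 and fills 'out' on success; -1 when the input
   cannot be a 32-byte key (NULL, empty, or over-long with non-zero excess).
   The edge-case policy is an assumption of this example. */
int ed25519_seckey_from_bytes(const uint8_t *in, size_t inlen,
                              uint8_t out[ED25519_SECKEY_LEN])
{
    if (in == NULL || inlen == 0)
        return -1;
    while (inlen > ED25519_SECKEY_LEN) {   /* tolerate surplus zero bytes only */
        if (*in != 0)
            return -1;
        in++;
        inlen--;
    }
    size_t pad = ED25519_SECKEY_LEN - inlen;
    memset(out, 0, pad);                   /* restore the stripped zeros */
    memcpy(out + pad, in, inlen);
    return 0;
}

/* Self-check helper: build a 'len'-byte input whose first byte is 'first'
   and whose remaining bytes are 0x42 (constructed test data), convert it,
   and return -1 on rejection or (out[0] << 8) | out[31] on success. */
int seckey_probe(size_t len, uint8_t first)
{
    uint8_t in[64], out[ED25519_SECKEY_LEN];
    if (len == 0 || len > sizeof in)
        return -1;
    memset(in, 0x42, sizeof in);
    in[0] = first;
    if (ed25519_seckey_from_bytes(in, len, out) != 0)
        return -1;
    return (out[0] << 8) | out[ED25519_SECKEY_LEN - 1];
}

int main(void)
{
    printf("31-byte key re-padded to 32: %s\n",
           seckey_probe(31, 0x11) == 0x0042 ? "ok" : "FAIL");
    printf("33-byte key with non-zero excess rejected: %s\n",
           seckey_probe(33, 0x05) == -1 ? "ok" : "FAIL");
    return 0;
}
```

Because the bug only triggers for keys whose first byte happens to be zero, a test suite with a handful of fixed vectors will usually pass; a regression test for this class of defect should include a key that starts with 0x00 on purpose.
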
3978 2020-10-23 Werner Koch <wk@gnupg.org>
3979
3980 random: Allow for a Unicode random seed file on Windows.
3981 + commit 24341f58f0d38bd62c45d285bcf8472f82b56135
3982 * random/random-csprng.c (utf8_to_wchar) [W32]: New.
3983 (any8bitchar) [W32]: New.
3984 (my_open): New. Replace all calls to open with this.
3985
3986 2020-10-01 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
3987
3988 tests: Fix typo in comment.
3989 + commit 4a50c6b88d6d8d843e50add851a8a5e691349097
3990 * tests/basic.c: Fix typo in comment.
3991
3992 2020-09-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3993
3994 rijndael: clean-up prepare_decryption function.
3995 + commit 2051d5bd6f732a36e5a536cba734531a9e2e915f
3996 * cipher/rijndael-internal.h (rijndael_prepare_decfn_t): New.
3997 (RIJNDAEL_context_s): New member 'prepare_decryption'.
3998 * cipher/rijndael-padlock.c (_gcry_aes_padlock_prepare_decryption): New.
3999 * cipher/rijndael.c (_gcry_aes_padlock_prepare_decryption): New.
4000 (do_setkey): Setup 'ctx->prepare_decryption' for each acceleration type.
4001 (prepare_decryption): Remove calls to other prepare decryption functions.
4002 (check_decryption_preparation): Call 'ctx->prepare_decryption' instead
4003 of 'prepare_decryption'.
4004
4005 rijndael: clean-up generic bulk functions.
4006 + commit 7679c918ade9d334bc80cb8c10916bbc847ff382
4007 * cipher/rijndael.c (_gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
4008 (_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
4009 (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Remove
4010 calls to hardware accelerated AES bulk functions.
4011
4012 cipher: setup bulk functions at each algorithms key setup.
4013 + commit 51271eb86bcb0eb89e55a2add9607c503f182c89
4014 * cipher/cipher-internal.h (cipher_mode_ops_t, cipher_bulk_ops_t): New.
4015 (gcry_cipher_handle): Define members 'mode_ops' and 'bulk' using new
4016 types.
4017 * cipher/cipher.c (_gcry_cipher_open_internal): Remove bulk function
4018 setup.
4019 (cipher_setkey): Pass context bulk function pointer to algorithm setkey
4020 function.
4021 * cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
4022 (_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Remove bulk
4023 function parameter; Use bulk function returned by setkey function.
4024 * cipher/cipher-selftest.h (_gcry_selftest_helper_cbc)
4025 (_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Remove bulk
4026 function parameter.
4027 * cipher/arcfour.c (arcfour_setkey): Change 'hd' parameter to
4028 'bulk_ops'.
4029 * cipher/blowfish.c (bf_setkey): Change 'hd' parameter to
4030 'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
4031 (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
4032 (_gcry_blowfish_cfb_dec): Make static.
4033 (selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
4034 to selftest helper.
4035 (selftest): Pass 'bulk_ops' to setkey function.
4036 * cipher/camellia.c (camellia_setkey): Change 'hd' parameter to
4037 'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
4038 (_gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec)
4039 (_gcry_camellia_cfb_dec, _gcry_camellia_ocb_crypt)
4040 (_gcry_camellia_ocb_auth): Make static.
4041 (selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
4042 to selftest helper.
4043 (selftest): Pass 'bulk_ops' to setkey function.
4044 * cipher/cast5.c (cast_setkey): Change 'hd' parameter to
4045 'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
4046 (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec): Make
4047 static.
4048 (selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
4049 to selftest helper.
4050 (selftest): Pass 'bulk_ops' to setkey function.
4051 * cipher/chacha20.c (chacha20_setkey): Change 'hd' parameter to
4052 'bulk_ops'.
4053 * cipher/cast5.c (do_tripledes_setkey): Change 'hd' parameter to
4054 'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
4055 (_gcry_3des_ctr_enc, _gcry_3des_cbc_dec, _gcry_3des_cfb_dec): Make
4056 static.
4057 (bulk_selftest_setkey): Change 'hd' parameter to 'bulk_ops'.
4058 (selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
4059 to selftest helper.
4060 (do_des_setkey): Change 'hd' parameter to 'bulk_ops'.
4061 * cipher/gost28147.c (gost_setkey): Change 'hd' parameter to
4062 'bulk_ops'.
4063 * cipher/idea.c (idea_setkey): Change 'hd' parameter to 'bulk_ops'.
4064 * cipher/rfc2268.c (do_setkey): Change 'hd' parameter to 'bulk_ops'.
4065 * cipher/rijndael.c (do_setkey): Change 'hd' parameter to
4066 'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
4067 (rijndael_setkey): Change 'hd' parameter to 'bulk_ops'.
4068 (_gcry_aes_cfb_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_enc)
4069 (_gcry_aes_cbc_dec, _gcry_aes_ctr_enc, _gcry_aes_ocb_crypt)
4070 (_gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Make static.
4071 (selftest_basic_128, selftest_basic_192, selftest_basic_256): Pass
4072 'bulk_ops' to setkey function.
4073 (selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
4074 to selftest helper.
4075 * cipher/salsa20.c (salsa20_setkey): Change 'hd' parameter to
4076 'bulk_ops'.
4077 * cipher/seed.c (seed_setkey): Change 'hd' parameter to 'bulk_ops'.
4078 * cipher/serpent.c (serpent_setkey): Change 'hd' parameter to
4079 'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
4080 (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec, _gcry_serpent_cfb_dec)
4081 (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Make static.
4082 (selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Do not pass
4083 bulk function to selftest helper.
4084 * cipher/sm4.c (sm4_setkey): Change 'hd' parameter to 'bulk_ops'; Setup
4085 'bulk_ops' with bulk acceleration functions.
4086 (_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
4087 (_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): Make static.
4088 (selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Do not pass
4089 bulk function to selftest helper.
4090 * cipher/twofish.c (twofish_setkey): Change 'hd' parameter to
4091 'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
4092 (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec)
4093 (_gcry_twofish_cfb_dec, _gcry_twofish_ocb_crypt)
4094 (_gcry_twofish_ocb_auth): Make static.
4095 (selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
4096 to selftest helper.
4097 (selftest, main): Pass 'bulk_ops' to setkey function.
4098 * src/cipher-proto.h: Forward declare 'cipher_bulk_ops_t'.
4099 (gcry_cipher_setkey_t): Replace 'hd' with 'bulk_ops'.
4100 * src/cipher.h: Remove bulk acceleration function prototypes for
4101 'aes', 'blowfish', 'cast5', 'camellia', '3des', 'serpent', 'sm4' and
4102 'twofish'.
4103
4104 2020-09-21 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4105
4106 rijndael: tidy do_setkey a little bit.
4107 + commit e0829ae648d9d9da67cd8a8fae7aa05774a0d0f7
4108 * cipher/rijndael.c (do_setkey): Reduce number of ifdefs by using
4109 function pointer for accelerated key-setup.
4110
4111 2020-09-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4112
4113 rijndael-aesni: tweak x86_64 AES-NI for better performance on AMD Zen2.
4114 + commit f96989f0e9085fa58b475131d29b37f68ba564ec
4115 * cipher/rijndael-aesni.c (do_aesni_enc_vec8, do_aesni_dec_vec8): Move
4116 first round key xoring and last round out to caller.
4117 (do_aesni_ctr_4): Change low 8-bit counter overflow check to 8-bit
4118 addition to low-bits and detect overflow from carry flag; Adjust
4119 slow path to restore counter.
4120 (do_aesni_ctr_8): Same as above; Interleave first round key xoring and
4121 first round with CTR generation on fast path; Interleave last round
4122 with output xoring.
4123 (_gcry_aes_aesni_cfb_dec, _gcry_aes_aesni_cbc_dec): Add first round
4124 key xoring; Change order of last round xoring and output xoring
4125 (shorten the dependency path).
4126 (_gcry_aes_aesni_ocb_auth): Add first round key xoring and last round
4127 handling.
4128
4129 2020-08-26 Werner Koch <wk@gnupg.org>
4130
4131 build: Allow customization of the signing key.
4132 + commit 9cd92ebae21900e54cc3d8b607c8ed1afbf2eb9b
4133 * Makefile.am (sign-release): Read variables from user configuration.
4134
4135 2020-08-21 NIIBE Yutaka <gniibe@fsij.org>
4136
4137 tests: Fix basic.c.
4138 + commit fd51bc523d095168ee9367fe3f18d18f7a88ad90
4139 * tests/basic.c (check_one_hmac): Fix error paths.
4140 (check_pubkey_crypt): Fix wrong call of gcry_sexp_new.
4141
4142 ecc: Fix an error path.
4143 + commit 65a2cd139e21250e6581a4f610015937e7b91451
4144 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Avoid null dereference on
4145 error.
4146
4147 2020-07-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4148
4149 chacha20-aarch64: improve performance through higher SIMD interleaving.
4150 + commit 8d7b1d0a52bde173646e5b42b31d23593eabecf2
4151 * cipher/chacha20-aarch64.S (ROTATE2, ROTATE2_8, ROTATE2_16)
4152 (QUARTERROUND2): Replace with...
4153 (ROTATE4, ROTATE4_8, ROTATE4_16, QUARTERROUND4): ...these.
4154 (_gcry_chacha20_aarch64_blocks4)
4155 (_gcry_chacha20_poly1305_aarch64_blocks4): Adjust to use QUARTERROUND4.
4156
4157 tests/bench-slope: improve CPU frequency auto-detection.
4158 + commit f1c3db3bf40e07cfd1a6a92209865ee7a98129ca
4159 * configure.ac (gcry_cv_have_asm_volatile_memory): Check also if
4160 assembly memory barrier with input/output register is supported.
4161 * tests/bench-slope.c (auto_ghz_bench): Change to use base operation
4162 that takes two CPU cycles and unroll loop by 1024 operations.
4163
4164 Enable jitter entropy also on non-x86 architectures.
4165 + commit 886120f33bd3f10e6e6a09920eca1f9ed81044e7
4166 * configure.ac: Do not force jentsupport to "n/a" on non-x86
4167 architectures.
4168
4169 random/jitterentropy: fix USE_JENT == JENT_USES_GETTIME code path.
4170 + commit 4ed9b949485448816a70d86260d572f08ae34621
4171 * random/jitterentropy-base-user.h (jent_get_nstime): Use 'tv' variable
4172 instead of non-existing 'time'.
4173
4174 Camellia AES-NI/AVX/AVX2 size optimization.
4175 + commit 4c0e244fc53e0f7b927bfe4cf54695b5d282fd27
4176 * cipher/camellia-aesni-avx-amd64.S: Use loop for handling repeating
4177 '(enc|dec)_rounds16/fls16' portions of encryption/decryption.
4178 * cipher/camellia-aesni-avx2-amd64.S: Use loop for handling repeating
4179 '(enc|dec)_rounds32/fls32' portions of encryption/decryption.
4180
4181 2020-07-14 NIIBE Yutaka <gniibe@fsij.org>
4182
4183 ecc: Support reading EC point in compressed format for good curves.
4184 + commit e0dabf74bf276500257f15b85ded9cf24ccc8334
4185 * cipher/ecc-curves.c (gcry_ecc_get_curve): Handle G differently.
4186 * cipher/ecc-misc.c (_gcry_ecc_sec_decodepoint): Support compressed
4187 representation of EC point. Rename from _gcry_ecc_os2ec.
4188 * cipher/ecc-sm2.c (_gcry_ecc_sm2_decrypt): Follow the change.
4189 * cipher/ecc.c (ecc_decrypt_raw): Likewise.
4190 * mpi/ec.c (_gcry_mpi_ec_set_point): Likewise.
4191 * src/ec-context.h: API change _gcry_ecc_sec_decodepoint from
4192 _gcry_ecc_os2ec.
4193 * tests/basic.c (check_pubkey): Use compressed representation
4194 for two public keys of NIST P192 and NIST P256.
4195
4196 2020-07-06 Werner Koch <wk@gnupg.org>
4197
4198 mpi: Consider +0 and -0 the same in mpi_cmp.
4199 + commit 1f3a92e103d4a8e019d8d022647a2b9fb2681327
4200 * mpi/mpi-cmp.c (do_mpi_cmp): Check size of U and V.
4201
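The entry above refers to the sign-magnitude representation used for MPIs: zero has no significant limbs, and a sign flag left set on such a value yields a "-0" that is numerically equal to "+0". The C below is an added illustration for this page, not libgcrypt's mpi code: mini_mpi is a toy four-limb sign-magnitude integer, mini_mpi_cmp checks the limb counts before the signs so that the two zeros compare equal, and mini_mpi_cmp_signs_first shows the ordering that gets it wrong. Names and the limb layout are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal sign-magnitude integer, constructed for this example. 'nlimbs'
   counts the significant limbs after normalisation, 'neg' is the sign.
   Zero is nlimbs == 0, but nothing stops a caller from leaving neg set. */
typedef struct {
    int neg;
    size_t nlimbs;
    uint32_t limb[4];   /* little-endian limb order */
} mini_mpi;

/* Drop leading zero limbs so that comparing by length is valid. */
void mini_mpi_normalize(mini_mpi *a)
{
    while (a->nlimbs > 0 && a->limb[a->nlimbs - 1] == 0)
        a->nlimbs--;
}

/* Compare magnitudes of two normalised values: -1, 0 or 1. */
static int cmp_magnitude(const mini_mpi *u, const mini_mpi *v)
{
    if (u->nlimbs != v->nlimbs)
        return u->nlimbs < v->nlimbs ? -1 : 1;
    for (size_t i = u->nlimbs; i-- > 0; )
        if (u->limb[i] != v->limb[i])
            return u->limb[i] < v->limb[i] ? -1 : 1;
    return 0;
}

/* Signed compare with the size check first: two operands with no
   significant limbs are both zero and compare equal whatever their
   sign flags say. */
int mini_mpi_cmp(const mini_mpi *u, const mini_mpi *v)
{
    if (u->nlimbs == 0 && v->nlimbs == 0)
        return 0;
    if (u->neg != v->neg)
        return u->neg ? -1 : 1;
    int m = cmp_magnitude(u, v);
    return u->neg ? -m : m;
}

/* The sign-first ordering that goes wrong: -0 sorts strictly below +0. */
int mini_mpi_cmp_signs_first(const mini_mpi *u, const mini_mpi *v)
{
    if (u->neg != v->neg)
        return u->neg ? -1 : 1;
    int m = cmp_magnitude(u, v);
    return u->neg ? -m : m;
}

/* Helpers that build single-limb values (normalised, sign kept) and compare. */
int mini_mpi_cmp_u32(uint32_t a, int aneg, uint32_t b, int bneg)
{
    mini_mpi u = { aneg, 1, { a, 0, 0, 0 } };
    mini_mpi v = { bneg, 1, { b, 0, 0, 0 } };
    mini_mpi_normalize(&u);   /* a == 0 becomes nlimbs == 0 with neg kept */
    mini_mpi_normalize(&v);
    return mini_mpi_cmp(&u, &v);
}

int mini_mpi_cmp_u32_signs_first(uint32_t a, int aneg, uint32_t b, int bneg)
{
    mini_mpi u = { aneg, 1, { a, 0, 0, 0 } };
    mini_mpi v = { bneg, 1, { b, 0, 0, 0 } };
    mini_mpi_normalize(&u);
    mini_mpi_normalize(&v);
    return mini_mpi_cmp_signs_first(&u, &v);
}

int main(void)
{
    printf("size-first:  cmp(-0, +0) = %d\n", mini_mpi_cmp_u32(0, 1, 0, 0));
    printf("signs-first: cmp(-0, +0) = %d\n", mini_mpi_cmp_u32_signs_first(0, 1, 0, 0));
    return 0;
}
```

A comparison that distinguishes the two zeros is more than a cosmetic bug: equality checks on results that can legitimately be zero (a reduced residue, a subtraction that cancels) would fail depending on how the zero was produced.
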
4202 2020-06-23 NIIBE Yutaka <gniibe@fsij.org>
4203
4204 ecc: Fix length computation.
4205 + commit 1db1dc7945b111b6e20a8420ad38a358316681ab
4206 * cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Add one only for
4207 Edwards case.
4208
4209 2020-06-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4210
4211 Add SM4 x86-64/AES-NI/AVX2 implementation.
4212 + commit 35a78eb248d6bacd2a58477a122a0020d796ce63
4213 * cipher/Makefile.am: Add 'sm4-aesni-avx2-amd64.S'.
4214 * cipher/sm4-aesni-avx2-amd64.S: New.
4215 * cipher/sm4.c (USE_AESNI_AVX2): New.
4216 (SM4_context) [USE_AESNI_AVX2]: Add 'use_aesni_avx2'.
4217 [USE_AESNI_AVX2] (_gcry_sm4_aesni_avx2_ctr_enc)
4218 (_gcry_sm4_aesni_avx2_cbc_dec, _gcry_sm4_aesni_avx2_cfb_dec)
4219 (_gcry_sm4_aesni_avx2_ocb_enc, _gcry_sm4_aesni_avx2_ocb_dec)
4220 (_gcry_sm4_aesni_avx_ocb_auth): New.
4221 (sm4_setkey): Enable AES-NI/AVX2 if supported by HW.
4222 (_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
4223 (_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AESNI_AVX2]: Add
4224 AES-NI/AVX2 bulk functions.
4225 * configure.ac: Add 'sm4-aesni-avx2-amd64.lo'.
4226
4227 Add SM4 x86-64/AES-NI/AVX implementation.
4228 + commit c9a3f1bb91e63033e3bf3e06bdd6075622626d0d
4229 * cipher/Makefile.am: Add 'sm4-aesni-avx-amd64.S'.
4230 * cipher/sm4-aesni-avx-amd64.S: New.
4231 * cipher/sm4.c (USE_AESNI_AVX, ASM_FUNC_ABI): New.
4232 (SM4_context) [USE_AESNI_AVX]: Add 'use_aesni_avx'.
4233 [USE_AESNI_AVX] (_gcry_sm4_aesni_avx_expand_key)
4234 (_gcry_sm4_aesni_avx_crypt_blk1_8, _gcry_sm4_aesni_avx_ctr_enc)
4235 (_gcry_sm4_aesni_avx_cbc_dec, _gcry_sm4_aesni_avx_cfb_dec)
4236 (_gcry_sm4_aesni_avx_ocb_enc, _gcry_sm4_aesni_avx_ocb_dec)
4237 (_gcry_sm4_aesni_avx_ocb_auth, sm4_aesni_avx_crypt_blk1_8): New.
4238 (sm4_expand_key) [USE_AESNI_AVX]: Use AES-NI/AVX key setup.
4239 (sm4_setkey): Enable AES-NI/AVX if supported by HW.
4240 (_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
4241 (_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AESNI_AVX]: Add
4242 AES-NI/AVX bulk functions.
4243 * configure.ac: Add 'sm4-aesni-avx-amd64.lo'.
4244
4245 Optimizations for SM4 cipher.
4246 + commit 81fee26bbbae820a311a3ce3ac55e304655c2acd
4247 * cipher/cipher.c (_gcry_cipher_open_internal): Add SM4 bulk
4248 functions.
4249 * cipher/sm4.c (ATTR_ALIGNED_64): New.
4250 (sbox): Convert to ...
4251 (sbox_table): ... this structure for sbox hardening as is done
4252 for AES and GCM.
4253 (prefetch_sbox_table): New.
4254 (sm4_t_non_lin_sub): Make inline; Optimize sbox access pattern.
4255 (sm4_key_lin_sub): Make inline; Tune slightly.
4256 (sm4_key_sub, sm4_enc_sub): Make inline.
4257 (sm4_round): Make inline; Take 'x' as separate parameters instead
4258 of array.
4259 (sm4_expand_key): Return void; Drop keylen; Unroll loops by 4;
4260 Wipe sensitive variables at end; Move key-length check to
4261 'sm4_setkey'.
4262 (sm4_setkey): Add initial self-test step; Add key-length check;
4263 Remove burn stack (as variables wiped in 'sm4_expand_key').
4264 (sm4_do_crypt): Return burn stack depth; Unroll loops by 4.
4265 (sm4_encrypt, sm4_decrypt): Prefetch sbox table; Return burn
4266 stack from 'sm4_do_crypt', as allows tail-call optimization
4267 by compiler.
4268 (sm4_do_crypt_blks2): New two parallel block function for greater
4269 instruction level parallelism.
4270 (sm4_crypt_blocks, _gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec)
4271 (_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): New
4272 bulk processing functions.
4273 (selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): New
4274 bulk processing self-tests.
4275 (sm4_selftest): Clear SM4 context before use; Use 'sm4_expand_key'
4276 instead of 'sm4_setkey'; Call bulk processing self-tests.
4277 * src/cipher.h (_gcry_sm4_ctr_enc, _gcry_sm4_ctr_dec)
4278 (_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): New.
4279 * tests/basic.c (check_ocb_cipher): Add SM4-OCB test vector.
4280
4281 2020-06-18 NIIBE Yutaka <gniibe@fsij.org>
4282
4283 ecc: For Ed448, it's only for EdDSA.
4284 + commit a6177e1bc948a7af052d62bcd62aa6b5825bfaff
4285 * cipher/ecc.c (ecc_sign): Ed448 is only for EdDSA.
4286 Hash algo is determined by the curve.
4287 (ecc_verify): Likewise.
4288 * tests/t-ed448.c (one_test): Don't specify (flags eddsa).
4289 Don't specify hash-algo.
4290
4291 ecc: Fix the condition for EdDSA data handling.
4292 + commit f2847d56cce2afdd993f797812a673495a41c234
4293 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): It may be
4294 the encoding context which determines EdDSA. Hash-algo can be
4295 omitted. Flags are OR-ed.
4296
4297 ecc: Support EdDSA with context and enabling PH(M).
4298 + commit ba78ad8f19674b94edfdf4998f40feee081481bc
4299 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Simplify.
4300 (DOM4_0_NONE, DOM4_0_NONE_LEN): Remove.
4301 (DOM25519, DOM25519_LEN): New.
4302 (DOM448, DOM448_LEN): New.
4303 (_gcry_ecc_eddsa_sign): Support EdDSA with context and PH.
4304 (_gcry_ecc_eddsa_verify): Likewise.
4305 * tests/t-ed448.c: Add tests with context and PH=1.
4306 * tests/t-ed448.inp: Add test data.
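
The DOM25519/DOM448 constants in the entry above are the RFC 8032 domain-separation strings: every hash input of Ed25519ctx, Ed25519ph and Ed448 starts with dom2(x, y) = "SigEd25519 no Ed25519 collisions" || x || len(y) || y or dom4(x, y) = "SigEd448" || x || len(y) || y, where x is the prehash flag and y is the context, so that signatures made with different contexts or prehash settings can never be confused (the hash itself is SHA-512 for Ed25519 and SHAKE256 for Ed448). The following is an added example, not libgcrypt's own code: it builds that prefix and enforces the two limits the standard sets (x is 0 or 1, y is at most 255 octets), and keeps pure Ed25519's empty prefix as the special case it is. Type and function names are this example's own.

```c
/* Added example (not libgcrypt code): RFC 8032 dom2/dom4 prefix construction.
 * Names (eddsa_curve_t, eddsa_dom_prefix, ...) are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum { EDDSA_ED25519, EDDSA_ED448 } eddsa_curve_t;

#define DOM25519     "SigEd25519 no Ed25519 collisions"   /* 32 octets */
#define DOM25519_LEN 32
#define DOM448       "SigEd448"                           /*  8 octets */
#define DOM448_LEN   8
#define DOM_MAX_LEN  (DOM25519_LEN + 2 + 255)             /* dom || x || len || y */

/* Write the prefix that is hashed before R || A || PH(M).
 * Returns 0 and sets *outlen on success, -1 on invalid input.
 * Pure Ed25519 (no context, no prehash) has an empty prefix by definition;
 * Ed448 always carries dom4, even with an empty context. */
int eddsa_dom_prefix(eddsa_curve_t curve, int phflag,
                     const uint8_t *ctx, size_t ctxlen,
                     uint8_t out[DOM_MAX_LEN], size_t *outlen)
{
    const char *dom;
    size_t domlen;

    if (phflag != 0 && phflag != 1) return -1;   /* x is a single 0/1 octet */
    if (ctxlen > 255) return -1;                 /* len(y) must fit one octet */
    if (ctxlen > 0 && ctx == NULL) return -1;

    if (curve == EDDSA_ED25519) {
        if (phflag == 0 && ctxlen == 0) { *outlen = 0; return 0; }
        dom = DOM25519; domlen = DOM25519_LEN;
    } else if (curve == EDDSA_ED448) {
        dom = DOM448; domlen = DOM448_LEN;
    } else {
        return -1;
    }

    memcpy(out, dom, domlen);
    out[domlen] = (uint8_t)phflag;
    out[domlen + 1] = (uint8_t)ctxlen;
    if (ctxlen) memcpy(out + domlen + 2, ctx, ctxlen);
    *outlen = domlen + 2 + ctxlen;
    return 0;
}

/* Prefix length for a NUL-terminated context string, or -1 on error. */
long eddsa_dom_prefix_len(eddsa_curve_t curve, int phflag, const char *ctx)
{
    uint8_t buf[DOM_MAX_LEN];
    size_t n, ctxlen = ctx ? strlen(ctx) : 0;
    if (eddsa_dom_prefix(curve, phflag, (const uint8_t *)ctx, ctxlen, buf, &n) != 0)
        return -1;
    return (long)n;
}

/* Byte-exact check on constructed inputs; returns 1 when everything matches. */
int eddsa_dom_selftest(void)
{
    /* Expected dom2(0, "abc"): 32-byte string, x = 0x00, len = 0x03, "abc". */
    static const uint8_t expect[] = DOM25519 "\x00\x03" "abc";
    uint8_t buf[DOM_MAX_LEN], big[256];
    size_t n;
    int ok = 1;

    memset(big, 'x', sizeof big);                 /* 256-octet context: too long */
    ok &= (eddsa_dom_prefix(EDDSA_ED25519, 0, (const uint8_t *)"abc", 3, buf, &n) == 0
           && n == 37 && memcmp(buf, expect, 37) == 0);
    ok &= (eddsa_dom_prefix(EDDSA_ED448, 1, NULL, 0, buf, &n) == 0
           && n == 10 && memcmp(buf, "SigEd448\x01\x00", 10) == 0);
    ok &= (eddsa_dom_prefix(EDDSA_ED25519, 0, big, 256, buf, &n) == -1);
    return ok;
}

int main(void)
{
    printf("dom prefix self-test: %s\n", eddsa_dom_selftest() ? "ok" : "MISMATCH");
    return eddsa_dom_selftest() ? 0 : 1;
}
```

Rejecting a context longer than 255 octets, rather than truncating its length to one byte, is the check that matters: a silently wrapped length field would let two different contexts produce the same hash input.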
4307
4308 ecc: Change EdDSA internal API.
4309 + commit 2856ac14ae3e4c9e6288e1f0d8bc1945bb874081
4310 * cipher/ecc-common.h (_gcry_ecc_eddsa_sign): Last arg is CTX.
4311 (_gcry_ecc_eddsa_verify): Ditto.
4312 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Get hash algo from CTX.
4313 (_gcry_ecc_eddsa_verify): Ditto.
4314 * cipher/ecc.c (ecc_sign, ecc_verify): Follow the change.
4315
4316 2020-06-17 NIIBE Yutaka <gniibe@fsij.org>
4317
4318 ecc: Support "label" for EdDSA context in data.
4319 + commit 1cf49754694611620fd383327cf127e91f6883df
4320 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Handle ctx->label.
4321
4322 ecc: Initialize key before handling data.
4323 + commit d51a9c259d49c63121fab48bce48d826e9b57733
4324 * cipher/ecc.c (ecc_sign): Initialize key at first.
4325 (ecc_verify): Likewise.
4326
4327 ecc: Add new flag "prehash".
4328 + commit 9a640eba6dd7504c90a65151cdaf1e4093a8b475
4329 * src/cipher.h (PUBKEY_FLAG_PREHASH): New.
4330 * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Parse it.
4331
4332 ecc: No (flags eddsa) required for Ed448.
4333 + commit b1721f9b291a4c226caa2bfbe4fefe8fde5216e0
4334 * cipher/ecc.c (check_secret_key): Ed448 means EdDSA.
4335 (ecc_generate): Likewise.
4336 * tests/t-ed448.c (one_test): Remove the flag in key.
4337
4338 ecc: Support Ed448 by _gcry_ecc_compute_public.
4339 + commit 5585ee4947082f932ee01d93dfe295c769e96671
4340 * cipher/ecc-misc.c (_gcry_ecc_compute_public): Handle Ed448.
4341
4342 2020-06-16 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
4343
4344 tests: Add basic test-vectors for SM4.
4345 + commit c1535d0b8797e9b3bbfb5193b6ab23bf788ffd36
4346 * tests/basic.c (check_ciphers): Add SM4 check and test-vectors.
4347
4348 Add SM4 symmetric cipher algorithm.
4349 + commit ddcce166ab8bc6f51f5b509bcbea13a8746384ec
4350 * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm4.c.
4351 * cipher/cipher.c (cipher_list, cipher_list_algo301): Add
4352 _gcry_cipher_spec_sm4.
4353 * cipher/mac-cmac.c (map_mac_algo_to_cipher): Add cmac SM4.
4354 (_gcry_mac_type_spec_cmac_sm4): Add cmac SM4.
4355 * cipher/mac-internal.h: Declare spec_cmac_sm4.
4356 * cipher/mac.c (mac_list, mac_list_algo201): Add cmac SM4.
4357 * cipher/sm4.c: New.
4358 * configure.ac (available_ciphers): Add sm4.
4359 * doc/gcrypt.texi: Add SM4 document.
4360 * src/cipher.h: Add declarations for SM4 and cmac SM4.
4361 * src/gcrypt.h.in (gcry_cipher_algos): Add algorithm ID for SM4.
4362
4363 2020-06-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4364
4365 doc: add GCRY_MD_SM3, GCRY_MAC_HMAC_SM3 and GCRY_MAC_GOST28147_IMIT.
4366 + commit 6c571bfda6409d7d668f5d44cea0c6c31e2688be
4367 * doc/gcrypt.texi: add GCRY_MD_SM3, GCRY_MAC_HMAC_SM3 and
4368 GCRY_MAC_GOST28147_IMIT.
4369
4370 2020-06-16 NIIBE Yutaka <gniibe@fsij.org>
4371
4372 ecc: Fix Ed448 key generation.
4373 + commit c15cc1a38199cf0d758579eb01d0e88c99cd4b80
4374 * cipher/ecc.c (ecc_generate): Fix point representation for Ed448.
4375
4376 ecc,test: Add testing Ed448.
4377 + commit c7779e499e9051ee79ed720f576dbf40d90cdfb1
4378
4379
4380 ecc: Support Ed448 for verify.
4381 + commit d1baad35c65030e41fcba69854c57032eee0d111
4382 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_verify): Support Ed448.
4383
4384 ecc: Support Ed448 signing.
4385 + commit 951b37c5038667b461692454397bb058b5e1e184
4386 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Support Ed448.
4387
4388 ecc: Use SHAKE256 in EdDSA with Ed448.
4389 + commit 32d6d73d44d372dd1ec0b08ba03f1b7b085c09d9
4390 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Fix for SHAKE256.
4391
4392 ecc: Support shake128 and shake256 for message digest.
4393 + commit f6815a96e51be44a361ddcd3a20a5b969b1dab1b
4394 * cipher/pubkey-util.c (get_hash_algo): Add shake128 and shake256.
4395
4396 ecc: Support Ed448 for key generation.
4397 + commit e25446ecc04442b399302ce72db6d5ea2e9e85e8
4398 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Support Ed448.
4399 (_gcry_ecc_eddsa_genkey): Support Ed448, using
4400 _gcry_ecc_eddsa_compute_h_d.
4401
4402 ecc: Support Ed448 in decoding point.
4403 + commit bd22b029bbf50737f90535c506fba4f812bcf040
4404 * cipher/ecc-eddsa.c (ecc_ed448_recover_x): New.
4405 (_gcry_ecc_eddsa_recover_x): Support Ed448.
4406 (_gcry_ecc_eddsa_decodepoint): Support Ed448.
4407 * mpi/ec.c (_gcry_mpi_ec_decode_point): For Ed448, use
4408 _gcry_ecc_eddsa_decodepoint.
4409
4410 ecc: Add new curve: Ed448.
4411 + commit 339b03acf0971a31997901dd674fb75c4dde31d0
4412 * cipher/ecc-curves.c (curve_aliases): Add Ed448.
4413 (domain_parms): Add domain parameters for Ed448.
4414 * tests/curves.c (N_CURVES): Increment.
4415
4416 ecc: Fix EdDSA encoding for Ed448.
4417 + commit 3386aaf84d4d89b6ff931533df2ff82ed3f7c7f9
4418 * cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Fix point/scalar
4419 length condition.
4420 * cipher/ecc-eddsa.c (eddsa_encodempi): The second argument is NBITS.
4421 (eddsa_encode_x_y): Likewise.
4422 (_gcry_ecc_eddsa_encodepoint): Follow the change.
4423 (_gcry_ecc_eddsa_ensure_compact): Likewise.
4424 (_gcry_ecc_eddsa_decodepoint): Likewise.
4425 (_gcry_ecc_eddsa_sign): Likewise. Remove restriction of 256 bits.
4426
4427 2020-06-12 NIIBE Yutaka <gniibe@fsij.org>
4428
4429 ecc: Fix NBITS in domain_parms.
4430 + commit db7b2c591004868abedbc2c19d3bb2efebf8529d
4431 * cipher/ecc-curves.c (cipher/ecc-curves.c): It's NBITS of 'p'.
4432
4433 2020-06-08 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4434
4435 rijndael: fix UBSAN warning on left shift by 24 places with type 'int'
4436 + commit 6cdd7268fe19b066ddb373e2f3c0b7ebf9b938dd
4437 * cipher/rijndael.c (do_encrypt_fn, do_decrypt_fn): Cast final
4438 sbox/inv_sbox look-ups to 'u32' type.
4439
4440 Disable all assembly modules with --disable-asm.
4441 + commit 3060aadec396802af13f08c4b2dd1b28f2a68c5d
4442 * configure.ac (try_asm_modules): Update description,
4443 "MPI" => "MPI and cipher".
4444 (gcry_cv_gcc_arm_platform_as_ok, gcry_cv_gcc_aarch64_platform_as_ok)
4445 (gcry_cv_gcc_inline_asm_ssse3, gcry_cv_gcc_inline_asm_pclmul)
4446 (gcry_cv_gcc_inline_asm_shaext, gcry_cv_gcc_inline_asm_sse41)
4447 (gcry_cv_gcc_inline_asm_avx, gcry_cv_gcc_inline_asm_avx2)
4448 (gcry_cv_gcc_inline_asm_bmi2, gcry_cv_gcc_amd64_platform_as_ok)
4449 (gcry_cv_gcc_platform_as_ok_for_intel_syntax)
4450 (gcry_cv_cc_arm_arch_is_v6, gcry_cv_gcc_inline_asm_neon)
4451 (gcry_cv_gcc_inline_asm_aarch32_crypto)
4452 (gcry_cv_gcc_inline_asm_aarch64_neon)
4453 (gcry_cv_gcc_inline_asm_aarch64_crypto)
4454 (gcry_cv_cc_ppc_altivec, gcry_cv_gcc_inline_asm_ppc_altivec)
4455 (gcry_cv_gcc_inline_asm_ppc_arch_3_00): Check for "try_asm_modules".
4456 * mpi/config.links: Set "mpi_cpu_arch" to "disabled"
4457 with --disable-asm.
4458
4459 2020-06-05 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
4460
4461 mpicalc: fix typo.
4462 + commit 2dd3e27fc53cf408f799d2e7b379c1441e0d62c8
4463 * src/mpicalc.c (print_help): fix typo in commands description.
4464
4465 2020-06-04 NIIBE Yutaka <gniibe@fsij.org>
4466
4467 mpi: Fix flags in mpi_copy for opaque MPI.
4468 + commit 78a5a1aa7627afaa24e2ea1eb9b08f1cfdd71561
4469 * mpi/mpiutil.c (_gcry_mpi_copy): Copy flags.
4470
4471 2020-06-03 NIIBE Yutaka <gniibe@fsij.org>
4472
4473 ecc: Use opaque MPI for 'd' of Ed25519/EdDSA.
4474 + commit 0d8346f84a1f5865da3375ce92420d92fb5ae652
4475 * cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Add FLAGS.
4476 Use opaque MPI for Ed25519/EdDSA, too.
4477 (_gcry_mpi_ec_internal_new): Follow the change.
4478 (_gcry_mpi_ec_new): Likewise.
4479
4480 2020-06-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4481
4482 cipher-ocb: fix out-of-array stack memory access.
4483 + commit 8cfaeae42522778052c36fceccab504826a30cbf
4484 * cipher/cipher-ocb.c (bit_copy): Do not access memory beyond
4485 's' array when bitoff > 8.
4486
4487 2020-06-01 NIIBE Yutaka <gniibe@fsij.org>
4488
4489 mpi: More fixes for the off-by-one mistake in mpi_invm_pow2.
4490 + commit 6a2cd0fe78a9cdc78911694a84b08762dd8658b4
4491 * mpi/mpi-inv.c (mpi_invm_pow2): Avoid out-of-band read/write.
4492
4493 ecc: Consistently handle parameters as unsigned value.
4494 + commit 6f8b1d4cb798375e6d830fd6b73c71da93ee5f3f
4495 * cipher/ecc-curves.c (_gcry_ecc_get_curve): Parse as unsigned value.
4496
4497 2020-05-27 NIIBE Yutaka <gniibe@fsij.org>
4498
4499 sexp: Fix coding of line break.
4500 + commit 33c972b6a6fe79aacb0a732d1df9a9deacafca29
4501 * src/sexp.c (_gcry_sexp_vextract_param): Add missing newline.
4502
4503 2020-05-14 NIIBE Yutaka <gniibe@fsij.org>
4504
4505 ecc: Make sure it's the fixed size bytes.
4506 + commit eb2288f3b1f338a9aec11d559ec84bdb201960e1
4507 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_decodepoint): Checking the size
4508 of EC point representation, return GPG_ERR_INV_OBJ if not valid.
4509
4510 2020-05-13 Werner Koch <wk@gnupg.org>
4511
4512 ecc: Detect the use of a Montgomery curve earlier in ecc_verify.
4513 + commit d0f995afe2e0228d3b9e30b0fc7091631d7d0090
4514 * cipher/ecc.c (ecc_verify): Do not allow a Montgomery curve.
4515
4516 2020-05-13 NIIBE Yutaka <gniibe@fsij.org>
4517
4518 mpi: Fix off-by-one mistake in mpi_invm_pow2.
4519 + commit 69b55f87053ce2494cd4b38dc600f867bc4355be
4520 * mpi/mpi-inv.c (mpi_invm_pow2): Avoid out-of-band read/write.
4521
4522 2020-05-12 Werner Koch <wk@gnupg.org>
4523
4524 ecc: Initialize a dummy parameter.
4525 + commit 75a7b17878e02c3882070d6c86e0d2efbc3d680a
4526 * cipher/ecc.c (ecc_verify): Rename flags to dummy_flags and
4527 initialize.
4528
4529 2020-05-06 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
4530
4531 tests/benchmark.c: fix error message for invalid MAC algo.
4532 + commit 79e196a610b1b734a1f573288b148d62787f5281
4533
4534
4535 2020-04-27 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
4536
4537 ecc: Fix typo error in ecc-gost.
4538 + commit fe688ce7e14f14d7d3a7e16aa0304d24b5b1a179
4539 * cipher/ecc-gost.c (_gcry_ecc_gost_verify): Fix typo in comment.
4540
4541 2020-04-27 NIIBE Yutaka <gniibe@fsij.org>
4542
4543 mpi: Fix the return value of mpi_invm_generic.
4544 + commit f10eb240a30ac115cfeb63848c67a936e1059ab9
4545 * mpi/mpi-inv.c (mpi_invm_generic): Return correct value.
4546
4547 2020-04-24 NIIBE Yutaka <gniibe@fsij.org>
4548
4549 mpi: Fix return value of mpi_invm_generic.
4550 + commit bc3b6a6a45cf9fa6cc0556da870628c53570f52f
4551 * mpi/mpi-inv.c (mpi_invm_generic): Return 0 if inverse does not exist.
4552
4553 mpi: More use of mpih API for _gcry_mpi_invm.
4554 + commit 559ba9b36c9cdf4762d28beb3b4c59665c671818
4555 * mpi/mpi-inv.c (mpi_invm_pow2): Remove.
4556 (_gcry_mpi_invm): Use mpih_invm_pow2 instead.
4557
4558 mpi: Use mpih interface internally for mpi-inv.
4559 + commit beefbb90d71d7fbd0b4429472b7d4b39670ff64b
4560 * mpi/mpi-inv.c (mpih_invm_pow2): Converted from mpi_invm_pow2.
4561 (mpi_invm_pow2): Use mpih_invm_pow2.
4562
4563 mpi: Fix size of A in mpi_invm_pow2.
4564 + commit efa5151ea1c2a2c049b2651581e71b6becba4e16
4565 * mpi/mpi-inv.c (mpi_invm_pow2): Fix size of A.
4566
4567 2020-04-23 NIIBE Yutaka <gniibe@fsij.org>
4568
4569 mpi: More fix for _gcry_mpi_invm.
4570 + commit f81a1dd7317513000e5bc4d1bfffd6d2bfb8c2a2
4571 * mpi/mpi-inv.c (_gcry_mpi_invm): Fix comments and use of CRT path.
4572
4573 2020-04-22 NIIBE Yutaka <gniibe@fsij.org>
4574
4575 mpi: Fix off-by-one mistake in mpi_invm_pow2.
4576 + commit 3bb9f74764b3626ed1116fc7e517921232d6be54
4577 * mpi/mpi-inv.c (mpi_invm_pow2): Fix computation of iterations.
4578
4579 2020-04-21 NIIBE Yutaka <gniibe@fsij.org>
4580
4581 mpi: Use mpi_invm_pow2 for mpi_invm.
4582 + commit bac01a6cfb3d645ff8439cbd3b310d255735d792
4583 * mpi/mpi-inv.c (_gcry_mpi_invm): Use mpi_invm_pow2.
4584
4585 mpi: Fix mpi_invm_pow2.
4586 + commit 2a3c58a0b4db01c17da0bf8c035fb1def2af114c
4587 * mpi/mpi-inv.c (mpi_invm_pow2): Fix the algo implementation.
4588
4589 2020-04-19 Dmitry Baryshkov <dbaryshkov@gmail.com>
4590
4591 gost28147: implement special MAC mode called imitovstavka (IMIT)
4592 + commit 45f21f871982753716d4a7676d948e8c7d644db5
4593 * src/gcrypt.h.in (GCRY_MAC_GOST28147_IMIT): New.
4594 * cipher/gost28147.c (gost_imit_open, gost_imit_close)
4595 (gost_imit_setkey, gost_imit_setiv, gost_imit_reset, _gost_imit_block)
4596 (gost_imit_block, gost_imit_write, gost_imit_finish, gost_imit_read)
4597 (gost_imit_verify, gost_imit_get_maclen, gost_imit_get_keylen)
4598 (gost_imit_set_extra_info): New functions implementing GOST 28147-89
4599 MAC (imitovstavka, IMIT) mode.
4600 * cipher/gost28147.c (gost_imit_ops)
4601 (_gcry_mac_type_spec_gost28147_imit): declare GOST 28147-89 IMIT
4602 handler.
4603 * cipher/mac-internal.h (gcry_mac_handle): add fields to support GOST
4604 28147-89 IMIT mode.
4605 * cipher/mac.c (mac_list): add _gcry_mac_type_spec_gost28147_imit.
4606 (spec_from_algo): handle GCRY_MAC_GOST28147_IMIT.
4607 * tests/basic.c (check_mac): add GOST28147-89 IMIT test vector.
4608
4609 mac: add support for gcry_mac_ctl(GCRYCTL_SET_SBOX)
4610 + commit d7fa70ed9ddc6e0189a8b59016b1f17717a26865
4611 * cipher/mac-internal.h (gcry_mac_spec_ops_t): add set_extra_info field
4612 for providing additional settings.
4613 * cipher/mac.c (_gcry_mac_ctl): support GCRYCTL_SET_SBOX call.
4614 * cipher/mac-cmac.c (cmac_ops): set set_extra_info to NULL.
4615 * cipher/mac-gmac.c (gmac_ops): the same.
4616 * cipher/mac-hmac.c (hmac_ops): the same.
4617 * cipher/mac-poly1305.c (poly1305mac_ops): the same.
4618
4619 2020-04-17 NIIBE Yutaka <gniibe@fsij.org>
4620
4621 mpi: Use mpi_invm_pow2 for N=2^k.
4622 + commit 469e2fefb64e3a4bd80995935f82caf416e3a4ae
4623 * mpi/mpi-inv.c (mpi_invm_pow2): Fix.
4624 (_gcry_mpi_invm): Use mpi_invm_pow2.
4625
4626 mpi: Rewrite mpi_invm_odd into mpih_invm_odd.
4627 + commit 05ceac8e2f6f28f97428c005d0a318d71d7cf9d9
4628 * mpi/mpi-inv.c (mpih_invm_odd): Use mpi_ptr_t API.
4629 (_gcry_mpi_invm): Use _gcry_mpih_mod and mpih_invm_odd.
4630
4631 mpi: Add _gcry_mpih_cmp_ui.
4632 + commit 128045a12139fe2e4be877df59da10c7d4857d9a
4633 * mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): New.
4634
4635 mpi: Add internal function mpi_invm_pow2.
4636 + commit 515bd6e9fae448e966f71e23635503716201158d
4637 * mpi/mpi-inv.c (mpi_invm_pow2): New.
4638
4639 2020-04-16 NIIBE Yutaka <gniibe@fsij.org>
4640
4641 mpi: Add mpi_set_bit_cond.
4642 + commit a91bd0211c4e5f0ce575b3a63a36049dd9edbf90
4643 * mpi/mpiutil.c (_gcry_mpi_set_bit_cond): New.
4644 * src/mpi.h (mpi_set_bit_cond): New macro.
4645 (_gcry_mpi_set_bit_cond): New.
4646
4647 mpi: Add _gcry_mpih_mod.
4648 + commit 95bdfd9ce9e114f447f3639e551e8f4f63d024fe
4649 * mpi/mpi-internal.h (mpih_mod, _gcry_mpih_mod): New.
4650 * mpi/mpih-const-time.c (_gcry_mpih_mod): New.
4651
4652 mpih: Expose const-time MPI helper functions.
4653 + commit 9b7e0d89006fce0641da05d8ef2696b1fb73145b
4654 * mpi/Makefile.am (libmpi_la_SOURCES): Add mpih-const-time.c.
4655 * mpi/ec.c (mpih_set_cond): Move to mpih-const-time.c.
4656 * mpi/mpi-internal.h: Add macros and declarations.
4657 * mpi/mpi-inv.c (mpih_add_n_cond): Likewise.
4658 (mpih_sub_n_cond, mpih_swap_cond, mpih_abs_cond): Likewise.
4659 * mpi/mpih-const-time.c: New.
4660
4661 2020-04-14 Werner Koch <wk@gnupg.org>
4662
4663 sexp: Extend gcry_sexp_extract_param with a multi-string extractor.
4664 + commit 32b08e38628b3ed409054db05a7f73b1ab86464a
4665 * src/sexp.c (_gcry_sexp_vextract_param): Implement "%#s" control
4666 sequence.
4667
4668 2020-04-14 NIIBE Yutaka <gniibe@fsij.org>
4669
4670 ecc: Remove hard-coded value for ECC_DIALECT_ED25519.
4671 + commit 0ff36e04f7cdef961610e7bc674a9c9ef0fd4853
4672 * mpi/ec.c (ec_p_init): Remove special handling for Ed25519.
4673 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_encodepoint): Fix assumption
4674 ec->nbits is 256 for EdDSA.
4675 (_gcry_ecc_eddsa_decodepoint): Likewise.
4676 (_gcry_ecc_eddsa_verify): Likewise.
4677
4678 2020-04-09 Werner Koch <wk@gnupg.org>
4679
4680 sexp: Extend gcry_sexp_extract_param with new format specifiers.
4681 + commit 60c179b59e538aebb3a5f7621d92eee60b90c785
4682 * src/sexp.c (_gcry_sexp_vextract_param): Add new conversion methods.
4683 * tests/t-sexp.c (check_extract_param): Add corresponding tests.
4684
4685 2020-04-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4686
4687 ppc: avoid using vec_vsx_ld/vec_vsx_st for 2x64-bit vectors.
4688 + commit 1250a9cd859d99f487ca8d76a98d70d464324bbe
4689 * cipher/crc-ppc.c (CRC_VEC_U64_LOAD, CRC_VEC_U64_LOAD_LE)
4690 (CRC_VEC_U64_LOAD_BE): Remove vec_vsx_ld usage.
4691 (asm_vec_u64_load, asm_vec_u64_load_le): New.
4692 * cipher/sha512-ppc.c (vec_vshasigma_u64): Use '__asm__' instead of
4693 'asm' for assembly block.
4694 (vec_u64_load, vec_u64_store): New.
4695 (_gcry_sha512_transform_ppc8): Use vec_u64_load/store instead of
4696 vec_vsx_ld/vec_vsx_st.
4697 * configure.ac (gcy_cv_cc_ppc_altivec)
4698 (gcy_cv_cc_ppc_altivec_cflags): Add check for vec_vsx_ld with
4699 'unsigned int *' pointer type.
4700
4701 2020-04-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4702
4703 asm-poly1305-aarch64: fix building with clang.
4704 + commit 89b3ded8df969fe5fb31313c60419dd34d36b605
4705 * cipher/asm-poly1305-aarch64.h (POLY1305_BLOCK_PART25): Use correct
4706 instruction format for right-shifting.
4707
4708 2020-03-31 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
4709
4710 libgcrypt.m4: Fix spelling.
4711 + commit 6a5743469a4366b1e238d378e427442f04400950
4712
4713
4714 libgcrypt.m4: Fix spelling.
4715 + commit e16e7e619183f36720d17855419860d1dc6fe3a5
4716
4717
4718 2020-03-20 Dmitry Baryshkov <dbaryshkov@gmail.com>
4719
4720 tests/basic: add GOST 28147 keymeshing testcase from LibreSSL testsuite.
4721 + commit 3441f4c94c49a589c5e323b1526d2d6b5974cf2f
4722 * tests/basic.c (check_cfb_cipher): add check for GOST 28147 CFB with
4723 KeyMeshing enabled.
4724
4725 gost28147: add support for CryptoPro key meshing per RFC 4357.
4726 + commit dcee00adbd1c0a2cde1aeed1bb94421e81d0de3b
4727 * cipher/gost28147.c (gost_do_set_sbox, cryptopro_key_meshing,
4728 CryptoProMeshingKey, gost_encrypt_block_mesh): New.
4729 (_gcry_cipher_spec_gost28147_mesh): New cipher with keymeshing.
4730 (_gcry_cipher_spec_gost28147): Remove OIDs, as this cipher should not
4731 be selected using these OIDs (they are for CFB with keymeshing).
4732
4733 * cipher/cipher.c (cipher_list, cipher_list_algo301): add
4734 _gcry_cipher_spec_gost28147_mesh.
4735
4736 * src/gcrypt.h.in (GCRY_CIPHER_GOST28147_MESH): New cipher with
4737 keymeshing.
4738
4739 * doc/gcrypt.texi (GCRY_CIPHER_GOST28147_MESH): Add definition.
4740
4741 * tests/basic.c (check_gost28147_cipher, check_gost28147_cipher_basic):
4742 Run basic tests on GCRY_CIPHER_GOST28147_MESH.
4743
4744 gost: add keymeshing support per RFC 4357.
4745 + commit 18cd3f0c473ae909cdaa5a820faef50d7670fcbb
4746 * cipher/gost-s-box.c (gost_sbox): define if keymeshing should be
4747 enabled or not.
4748 (main): output whether we should enable or disable keymeshing for a
4749 particular parameters set.
4750
4751 2020-03-18 NIIBE Yutaka <gniibe@fsij.org>
4752
4753 DSA,ECDSA: Fix use of mpi_invm.
4754 + commit ada758e3019c2585213a132960613b1ac48502b8
4755 * cipher/dsa.c (sign): Call mpi_invm before _gcry_dsa_modify_k.
4756 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
4757
4758 mpi: Constant time mpi_inv with some conditions.
4759 + commit 20082ca965eab5665af60956c4ed72709836b1ed
4760 * mpi/mpi-inv.c (mpih_add_n_cond, mpih_sub_n_cond, mpih_swap_cond)
4761 (mpih_abs_cond): New.
4762 (mpi_invm_odd): New.
4763 (mpi_invm_generic): Rename from _gcry_mpi_invm.
4764 (_gcry_mpi_invm): Use mpi_invm_odd for usual odd cases.
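
The helpers named in the entry above (mpih_add_n_cond, mpih_sub_n_cond, mpih_swap_cond, mpih_abs_cond) exist so that the modular inverse never branches on secret data: each one is applied to every limb unconditionally, and a mask derived from the 0/1 condition decides whether the operation has any effect. The block below is an added example of that pattern, not libgcrypt's code; limb type, function names and the carry/borrow helpers are this example's own. It shows mask generation, carry and borrow computed from bit patterns rather than comparisons, and the conditional add, subtract, swap and negate (negate-if-set is the building block of a conditional absolute value) on little-endian limb arrays.

```c
/* Added example (not libgcrypt code): branch-free conditional limb operations.
 * All names are hypothetical; limbs are little-endian uint64_t arrays. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t limb_t;
#define LIMB_BITS 64

/* 0 -> all-zero mask, 1 -> all-one mask, with no branch on cond. */
static limb_t ct_mask(unsigned long cond)
{
    return (limb_t)0 - (limb_t)(cond & 1);
}

/* Carry out of x + y == sum, from bit patterns only (no comparison). */
static limb_t carry_out(limb_t x, limb_t y, limb_t sum)
{
    return ((x & y) | ((x | y) & ~sum)) >> (LIMB_BITS - 1);
}

/* Borrow out of x - y == diff, from bit patterns only. */
static limb_t borrow_out(limb_t x, limb_t y, limb_t diff)
{
    return ((~x & y) | ((~x | y) & diff)) >> (LIMB_BITS - 1);
}

/* w += v if cond; every limb is read and written either way. Returns carry. */
limb_t ct_add_n_cond(limb_t *w, const limb_t *v, size_t n, unsigned long cond)
{
    limb_t mask = ct_mask(cond), carry = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t x = w[i], y = v[i] & mask;        /* y == 0 when cond == 0 */
        limb_t s = x + y;
        limb_t c = carry_out(x, y, s);
        limb_t t = s + carry;
        carry = c | carry_out(s, carry, t);
        w[i] = t;
    }
    return carry;
}

/* w -= v if cond. Returns borrow. */
limb_t ct_sub_n_cond(limb_t *w, const limb_t *v, size_t n, unsigned long cond)
{
    limb_t mask = ct_mask(cond), borrow = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t x = w[i], y = v[i] & mask;
        limb_t d = x - y;
        limb_t b = borrow_out(x, y, d);
        limb_t t = d - borrow;
        borrow = b | borrow_out(d, borrow, t);
        w[i] = t;
    }
    return borrow;
}

/* Swap a and b if cond; same memory traffic whether or not the swap happens. */
void ct_swap_cond(limb_t *a, limb_t *b, size_t n, unsigned long cond)
{
    limb_t mask = ct_mask(cond);
    for (size_t i = 0; i < n; i++) {
        limb_t t = (a[i] ^ b[i]) & mask;
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Two's-complement negate w if cond: w = (w ^ mask) + (mask & 1). */
void ct_neg_cond(limb_t *w, size_t n, unsigned long cond)
{
    limb_t mask = ct_mask(cond), carry = mask & 1;
    for (size_t i = 0; i < n; i++) {
        limb_t x = w[i] ^ mask;
        limb_t s = x + carry;
        carry = carry_out(x, carry, s);
        w[i] = s;
    }
}

/* Worked check on constructed values; returns 1 when every result matches. */
int ct_demo(void)
{
    limb_t w[2] = { UINT64_MAX, 1 };             /* 2^64 + 2^64 - 1 */
    limb_t v[2] = { 1, 0 };
    limb_t a[2] = { 3, 4 }, b[2] = { 5, 6 };
    limb_t m[2] = { UINT64_MAX, UINT64_MAX };    /* -1 in two's complement */
    int ok = 1;

    ct_add_n_cond(w, v, 2, 0);                   /* disabled: unchanged */
    ok &= (w[0] == UINT64_MAX && w[1] == 1);
    ok &= (ct_add_n_cond(w, v, 2, 1) == 0);      /* enabled: carry ripples up */
    ok &= (w[0] == 0 && w[1] == 2);
    ok &= (ct_sub_n_cond(w, v, 2, 1) == 0);      /* borrow ripples back */
    ok &= (w[0] == UINT64_MAX && w[1] == 1);
    ct_swap_cond(a, b, 2, 0);
    ok &= (a[0] == 3 && b[0] == 5);
    ct_swap_cond(a, b, 2, 1);
    ok &= (a[0] == 5 && a[1] == 6 && b[0] == 3 && b[1] == 4);
    ct_neg_cond(m, 2, 1);                        /* -(-1) == 1 */
    ok &= (m[0] == 1 && m[1] == 0);
    return ok;
}

int main(void)
{
    printf("constant-time conditional ops: %s\n", ct_demo() ? "ok" : "MISMATCH");
    return ct_demo() ? 0 : 1;
}
```

Whether a given compiler keeps these loops branch-free is not guaranteed by the C standard, so code like this is normally checked at the machine-code level (or kept in assembly) before it is trusted with secrets.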
4765
4766 2020-03-11 NIIBE Yutaka <gniibe@fsij.org>
4767
4768 mpi: Support opaque MPI with gcry_mpi_print.
4769 + commit b4b04ae6c2e55bc2b24efc663d1eeaa0b3613f4c
4770 * mpi/mpicoder.c (_gcry_mpi_get_buffer): Return the bytes as-is.
4771
4772 2020-03-09 Werner Koch <wk@gnupg.org>
4773
4774 mpi: Abort on division by zero also in _gcry_mpi_tdiv_qr.
4775 + commit afbab896fa04d9481dbb9f4d01f607b12e31dcbf
4776 * mpi/mpi-div.c (_gcry_mpi_tdiv_qr): Error out on division by zero.
4777
4778 2020-02-25 NIIBE Yutaka <gniibe@fsij.org>
4779
4780 build: More accurate dependency to -lgpg-error.
4781 + commit 9b8ac13761f0407bd701e43b0a65fbada204958f
4782 * configure.ac (LIBGCRYPT_CONFIG_LIBS): Remove DL_LIBS.
4783 * src/libgcrypt.c.in: Distinguish static link use case.
4784 * tests/Makefile.am: Fix use of -lgpg-error.
4785
4786 build: Fix linking -ldl.
4787 + commit c21e5d72e24e62752559f92b1825287298ae2f03
4788 * src/Makefile.am (libgcrypt_la_LIBADD): Add DL_LIBS.
4789 (mpicalc_LDADD): Remove DL_LIBS.
4790 * tests/Makefile.am (standard_ldadd): Remove DL_LIBS.
4791
4792 2020-02-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4793
4794 crc-ppc: fix bad register used for vector load/store assembly.
4795 + commit b64b029318e7d0b66123015146614118f466a7a9
4796 * cipher/crc-ppc.c (CRC_VEC_U64_LOAD_BE): Move implementation to...
4797 (asm_vec_u64_load_be): ...here; Add "r0" to clobber list for load
4798 instruction when offset is not zero; Add zero offset path.
4799
4800 rijndael-aes: use zero offset vector load/store when possible.
4801 + commit 89776d45c824032409f581e5fd1db6bf149df57f
4802 * cipher/rijndael-ppc-common.h (asm_aligned_ld, asm_aligned_st): Use
4803 zero offset instruction variant when input offset is constant zero.
4804 * cipher/rijndael-ppc.c (asm_load_be_noswap)
4805 (asm_store_be_noswap): Likewise.
4806
4807 Add POWER9 little-endian variant of PPC AES implementation.
4808 + commit 114bbc45e9717f9ad9641f64d8df8690db8da434
4809 * configure.ac: Add 'rijndael-ppc9le.lo'.
4810 * cipher/Makefile.am: Add 'rijndael-ppc9le.c', 'rijndael-ppc-common.h'
4811 and 'rijndael-ppc-functions.h'.
4812 * cipher/rijndael-internal.h (USE_PPC_CRYPTO_WITH_PPC9LE): New.
4813 (RIJNDAEL_context_s): Add 'use_ppc9le_crypto'.
4814 * cipher/rijndael.c (_gcry_aes_ppc9le_encrypt)
4815 (_gcry_aes_ppc9le_decrypt, _gcry_aes_ppc9le_cfb_enc)
4816 (_gcry_aes_ppc9le_cfb_dec, _gcry_aes_ppc9le_ctr_enc)
4817 (_gcry_aes_ppc9le_cbc_enc, _gcry_aes_ppc9le_cbc_dec)
4818 (_gcry_aes_ppc9le_ocb_crypt, _gcry_aes_ppc9le_ocb_auth)
4819 (_gcry_aes_ppc9le_xts_crypt): New.
4820 (do_setkey, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
4821 (_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
4822 (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt)
4823 [USE_PPC_CRYPTO_WITH_PPC9LE]: New.
4824 * cipher/rijndael-ppc.c: Split common code to headers
4825 'rijndael-ppc-common.h' and 'rijndael-ppc-functions.h'.
4826 * cipher/rijndael-ppc-common.h: Split from 'rijndael-ppc.c'.
4827 (asm_add_uint64, asm_sra_int64, asm_swap_uint64_halfs): New.
4828 * cipher/rijndael-ppc-functions.h: Split from 'rijndael-ppc.c'.
4829 (CFB_ENC_FUNC, CBC_ENC_FUNC): Unroll loop by 2.
4830 (XTS_CRYPT_FUNC, GEN_TWEAK): Tweak generation without vperm
4831 instruction.
4832 * cipher/rijndael-ppc9le.c: New.
4833
4834 Add gcry_cipher_ctl command to allow weak keys in testing use-cases.
4835 + commit 5beadf201312d0c649971b0c1d4c3827b434a0b5
4836 * cipher/cipher-internal.h (gcry_cipher_handle): Add
4837 'marks.allow_weak_key' flag.
4838 * cipher/cipher.c (cipher_setkey): Do not handle weak key as error when
4839 weak keys are allowed.
4840 (cipher_reset): Preserve 'marks.allow_weak_key' flag on object reset.
4841 (_gcry_cipher_ctl): Add handling for GCRYCTL_SET_ALLOW_WEAK_KEY.
4842 * src/gcrypt.h.in (gcry_ctl_cmds): Add GCRYCTL_SET_ALLOW_WEAK_KEY.
4843 * tests/basic.c (check_ecb_cipher): Add tests for weak key errors and
4844 for GCRYCTL_SET_ALLOW_WEAK_KEY.
4845
4846 2020-01-23 NIIBE Yutaka <gniibe@fsij.org>
4847
4848 random: Fix include of config.h.
4849 + commit e0898d0628789414da23e0526c87df1885c8b3ae
4850 * random/random-drbg.c: Include config.h earlier.
4851
4852 2020-01-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4853
4854 sexp: fix cast from 'int' pointer to 'size_t' pointer.
4855 + commit 8b31091da092e22dba78b2402c2f436bbffc1c73
4856 * src/sexp.c (do_vsexp_sscan): Change 'datalen' from 'int' to
4857 'size_t'; Remove &datalen pointer cast to 'size_t *' type.
4858
4859 mpi/i386: fix DWARF CFI for _gcry_mpih_sub_n and _gcry_mpih_add_n.
4860 + commit 5f098f7e6ceb899ac27a0a30ee036de5f1be4e3d
4861 * mpi/i386/mpih-add1.S (_gcry_mpih_add_n) [PIC]: Adjust CFI CFA offset
4862 when making call and restoring stack pointer.
4863 * mpi/i386/mpih-sub1.S (_gcry_mpih_sub_n) [PIC]: Ditto.
4864
4865 2020-01-22 H.J. Lu <hjl.tools@gmail.com>
4866
4867 i386: Add _CET_ENDBR to indirect jump targets.
4868 + commit cb9f0a2df8225eed071ae0a56265e38e9f6ff184
4869 * mpi/i386/mpih-add1.S (_gcry_mpih_add_n): Save and restore
4870 %ebx if IBT is enabled. Add _CET_ENDBR to indirect jump targets
4871 and adjust jump destination for _CET_ENDBR.
4872 * mpi/i386/mpih-sub1.S (_gcry_mpih_sub_n): Likewise.
4873
4874 amd64: Always include <config.h> in cipher assembly codes.
4875 + commit 22e577071790834f07753c42a191a568c9f2644d
4876 * cipher/camellia-aesni-avx-amd64.S: Always include <config.h>.
4877 * cipher/camellia-aesni-avx2-amd64.S: Likewise.
4878 * cipher/serpent-avx2-amd64.S: Likewise.
4879
4880 mpi: Add .note.gnu.property section for Intel CET.
4881 + commit 24b4d5c10a97aaf82ac7402cc3a5b429d580cd66
4882 * mpi/config.links: Include <cet.h> in <asm-syntax.h>.
4883
4884 x86: Add .note.gnu.property section for Intel CET.
4885 + commit 4c88c2bd2a418435506325cd53246acaaa52750c
4886 * configure.ac: Include <cet.h> in <config.h> for assembly
4887 codes.
4888
4889 2020-01-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4890
4891 tests/basic: add vector cluttering to detect implementation bugs.
4892 + commit 4aa8ff904262f331abbb8c988069a7029ca13502
4893 * src/global.c (_gcry_check_version): Fix missing newline.
4894 * src/basic.c (ALWAYS_INLINE, CLUTTER_REGISTER_*, prepare_vector_data)
4895 (clutter_vector_registers): New.
4896 (progress_handler): Make static function.
4897 (check_bulk_cipher_modes, check_one_cipher_core_reset)
4898 (check_one_cipher_core, check_one_md, check_one_md_multi)
4899 (check_one_md_final, check_one_mac): Clutter vector registers before
4900 gcry_* calls to cipher/md/mac algorithms.
4901
4902 2020-01-22 Marvin W <git@larma.de>
4903
4904 Set vZZ.16b register to zero before use in armv8 gcm implementation.
4905 + commit 79ed620ec46adbb08f5cea6a4865a95a436e4109
4906 * cipher/cipher-gcm-armv8-aarch64-ce.S
4907 (_gcry_ghash_setup_armv8_ce_pmull): Set vZZ to zero.
4908
4909 2020-01-21 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
4910
4911 tests: Add basic test cases for sm2.
4912 + commit aa9c78afa1d867bb7b9b3c695cf31a832c9419e5
4913 * tests/basic.c (check_pubkey): Add test cases for ecc-sm2.
4914
4915 Add elliptic curve SM2 implementation.
4916 + commit 6b55246c77089dd372eb1807808111660fd789c7
4917 * configure.ac (enabled_pubkey_ciphers): Add ecc-sm2.
4918 * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add ecc-sm2.c.
4919 * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist,
4920 _gcry_pk_util_preparse_sigval): Add sm2 flags.
4921 * cipher/ecc.c: Support ecc-sm2.
4922 * cipher/ecc-common.h: Add declarations for ecc-sm2.
4923 * cipher/ecc-sm2.c: New.
4924 * src/cipher.h: Define PUBKEY_FLAG_SM2.
4925
4926 ecc: Simplify signature code.
4927 + commit 8d9958910e54f3fecbab6e133c3971843f6ef310
4928 * cipher/ecc-gost.c (_gcry_ecc_gost_sign): Use implemented function.
4929 * cipher/ecc.c (ecc_verify): Remove redundant code.
4930
4931 2020-01-21 NIIBE Yutaka <gniibe@fsij.org>
4932 NIIBE Yutaka <gniibe@fsij.org>
4933
4934 tests: Fix check_pubkey.
4935 + commit 95e9cee802419adf6f4b01b29d7874793004fa8d
4936 * tests/basic.c (check_pubkey): Fix constants of pubkeys.
4937
4938 2020-01-21 NIIBE Yutaka <gniibe@fsij.org>
4939
4940 Avoid use of ulong in internal code.
4941 + commit 4997139b3e83761c9af0246cec829305c3d7d13b
4942 * configure.ac (HAVE_ULONG_TYPEDEF): Remove.
4943 * mpi/mpi-div.c (_gcry_mpi_fdiv_r_ui): Use unsigned long.
4944 (_gcry_mpi_divisible_ui): Likewise.
4945 * random/rndunix.c (_gcry_rndunix_gather_random): Likewise.
4946 * random/rndw32.c (_gcry_rndw32_gather_random_fast): Likewise.
4947 (ADDINT): Likewise.
4948 * random/rndw32ce.c (_gcry_rndw32ce_gather_random_fast): Likewise.
4949 * src/mpi.h: Follow the change.
4950 * src/types.h (HAVE_ULONG_TYPEDEF): Remove.
4951
4952 2020-01-19 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4953
4954 gcrypt.texi: fix GCRYCTL_GET_ALGO_NENCR typo.
4955 + commit 5ebb2f0671c902863eee91cbcfc85a72be506410
4956 * doc/gcrypt.texi: Fix GCRYCTL_GET_ALGO_NENC to GCRYCTL_GET_ALGO_NENCR.
4957
4958 2020-01-19 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
4959
4960 mpi: Fix error that point not uninitialized.
4961 + commit 7e3aac7ba49b3b6e6c5ebe7c880b5b323c423ef7
4962 * cipher/ecc-curves.c (mpi_ec_get_elliptic_curve): Initialize E->G point.
4963
4964 ecc: Wrong flag and elements_enc fix.
4965 + commit 43cfc1632dd3a9579a906f31cd3b6c88d242d1a5
4966 * cipher/ecc.c (ecc_generate): Fix wrong flag and elements_enc.
4967
4968 Update .gitignore.
4969 + commit 176a5f162acd0cfebc5517d061205681bc3658d0
4970
4971
4972 2020-01-16 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
4973
4974 Add new curve named sm2p256v1.
4975 + commit d154c1e9e11019980253f0a65758932cd0656470
4976 * cipher/ecc-curves.c (domain_parms): Add sm2p256v1 for SM2.
4977 * tests/curves.c (N_CURVES): Update N_CURVES for SM2.
4978
4979 2019-12-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>
4980
4981 rijndael-ppc: performance improvements.
4982 + commit 110077505acacae62cec3d09b32a084b9cee0368
4983 * cipher/rijndael-ppc.c (ALIGNED_LOAD, ALIGNED_STORE, VEC_LOAD_BE)
4984 (VEC_STORE_BE): Rewrite.
4985 (VEC_BE_SWAP, VEC_LOAD_BE_NOSWAP, VEC_STORE_BE_NOSWAP): New.
4986 (PRELOAD_ROUND_KEYS, AES_ENCRYPT, AES_DECRYPT): Adjust to new
4987 input parameters for vector load macros.
4988 (ROUND_KEY_VARIABLES_ALL, PRELOAD_ROUND_KEYS_ALL)
4989 (AES_ENCRYPT_ALL): New.
4990 (vec_bswap32_const_neg): New.
4991 (vec_aligned_ld, vec_aligned_st, vec_load_be_const): Rename to...
4992 (asm_aligned_ls, asm_aligned_st, asm_load_be_const): ...these.
4993 (asm_be_swap, asm_vperm1, asm_load_be_noswap)
4994 (asm_store_be_noswap): New.
4995 (vec_add_uint128): Rename to...
4996 (asm_add_uint128): ...this.
4997 (asm_xor, asm_cipher_be, asm_cipherlast_be, asm_ncipher_be)
4998 (asm_ncipherlast_be): New inline assembly functions with volatile
4999 keyword to allow manual instruction ordering.
5000 (_gcry_aes_ppc8_setkey, aes_ppc8_prepare_decryption)
5001 (_gcry_aes_ppc8_encrypt, _gcry_aes_ppc8_decrypt)
5002 (_gcry_aes_ppc8_cfb_enc, _gcry_aes_ppc8_cbc_enc)
5003 (_gcry_aes_ppc8_ocb_auth): Update to use new&rewritten helper macros.
5004 (_gcry_aes_ppc8_cfb_dec, _gcry_aes_ppc8_cbc_dec)
5005 (_gcry_aes_ppc8_ctr_enc, _gcry_aes_ppc8_ocb_crypt)
5006 (_gcry_aes_ppc8_xts_crypt): Update to use new&rewritten helper
5007 macros; Tune 8-block parallel paths with manual instruction ordering.
5008
5009 rijndael-ppc: fix bad register used for vector load/store assembly.
5010 + commit 0837d7e6be3e604c1f7b86d18c582d8aa7ed858c
5011 * cipher/rijndael-ppc.c (vec_aligned_ld, vec_load_be, vec_aligned_st)
5012 (vec_store_be): Add "r0" to clobber list for load/store instructions.
5013
5014 2019-12-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5015
5016 cipher: fix typo in error log.
5017 + commit 5b9ea3df0dc355d77b9f061f63064614a97b8b67
5018 * cipher/cipher.c (_gcry_cipher_encrypt): Fix log "cipher_decrypt: ..."
5019 to "cipher_encrypt: ...".
5020
5021 2019-11-21 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
5022
5023 gost28147: inline gost_val function to speed up code.
5024 + commit e5c4cf0efb8fd297963e6b4392ab98c41dbad536
5025 * cipher/gost28147.c (gost_val): mark function as inline
5026
5027 gost28147: do not use GOST28147_CONTEXT outside of GOST 28147 calculation
5028 + commit f9894240bed36eab17fabf5aa482799b148618e2
5029 * cipher/gost28147.c (_gcry_gost_enc_data): remove unused context
5030 argument
5031 * cipher/gostr3411-94.c (GOSTR3411_CONTEXT, gostr3411_init,
5032 do_hash_step): remove unused GOST 28147-89 context.
5033
5034 gost28147: simplify internal code.
5035 + commit d164a8e7f6829163f1279517f07b61805311f8f2
5036 * cipher/gost28147.c (gost_val, _gost_encrypt_data): don't use gost
5037 context internally
5038 * cipher/gost28147.c (gost_encrypt_block, gost_decrypt_block,
5039 _gcry_gost_enc_data): adapt to internal changes.
5040
5041 gostr3411-94: small speedup.
5042 + commit 8f573a67d12e6d9026f1676a6dae7813105bc490
5043 * cipher/gostr3411-94.c (do_p): unroll loop for a small speedup.
5044
5045 2019-11-18 Paul Wolneykien <manowar@altlinux.org>
5046
5047 ecc: update GOST2012 curves.
5048 + commit a3a866f63e7a527fe3c053758b84d70c142f8283
5049 * cipher/ecc-curves.c (domain_parms): rename GOST 2012 curves to contain
5050 curve bit size
5051 (curve_aliases): rename curves, provide backwards-compatible
5052 aliases, add new OIDs and two new curves.
5053 * cipher/ecc-curves.c (curve_aliases): add new OIDs and aliases for
5054 * tests/basic.c (check_pubkey): use new name for GOST2012 512-bit test
5055 curve.
5056 * tests/benchmark.c (ecc_bench): use new name for GOST2012 512-bit test
5057 curve.
5058
5059 2019-11-05 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5060
5061 ec: fix left shift overflows on WIN64 build.
5062 + commit bdbd032d1626dbb34e1840e5f5393524dd546a1d
5063 * mpi/ec.c (ec_mulm_448): Cast constants to (mpi_limb_t) before
5064 shifting left by 32.
5065
5066 mpi/amd64: use SSE2 for shifting instead of MMX.
5067 + commit 1322c6a5d1e9aa0c69a2b259aa5ec7bcf5cb5653
5068 * mpi/amd64/mpih-lshift.S: Convert to SSE2.
5069 * mpi/amd64/mpih-rshift.S: Ditto.
5070
5071 Add i386/SSSE3 implementation of SHA512.
5072 + commit b52dde860963c794b12d14b0a9c5848bca7ba51e
5073 * LICENSES: Add 'sha512-ssse3-i386.c'.
5074 * configure.ac: Add 'sha512-ssse3-i386.lo'.
5075 * cipher/Makefile.am: Add 'sha512-ssse3-i386.c'.
5076 * cipher/sha512-ssse3-i386.c: New.
5077 * cipher/sha512.c (USE_SSSE3_I386, _gcry_sha512_transform_i386_ssse3)
5078 (do_sha512_transform_i386_ssse3): New.
5079 (_gcry_sha512_transform_arm) [USE_SSSE3_I386]: Use i386/SSSE3 transform
5080 function if supported by CPU.
5081
5082 2019-10-28 NIIBE Yutaka <gniibe@fsij.org>
5083
5084 ecc: Add Curve for X448 with ECC_DIALECT_SAFECURVE.
5085 + commit d9c418305e1053decebefbd5a98a95f845404a09
5086 * cipher/ecc-curves.c (domain_parms): Add X448.
5087 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Support X448.
5088 * mpi/ec.c (ec_addm_448, ec_subm_448, ec_mulm_448): New.
5089 (ec_mul2_448, ec_pow2_448): New.
5090 (field_table): Add for X448.
5091 (curve448_bad_points): New.
5092 (bad_points_table): New.
5093 (ec_p_init): Use bad_points_table.
5094 * tests/Makefile.am (t-x448): Add.
5095 * tests/curves.c (N_CURVES): Update.
5096 * tests/t-x448.c: New.
5097
5098 2019-10-25 NIIBE Yutaka <gniibe@fsij.org>
5099
5100 ecc: Introduce new dialect: ECC_DIALECT_SAFECURVE.
5101 + commit 498ab6d9f2f8b0775da41553be7868e59cf4cc2e
5102 * src/mpi.h (ECC_DIALECT_SAFECURVE): New.
5103 * cipher/ecc-misc.c (_gcry_ecc_dialect2str): Support the new dialect.
5104 * cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Support opaque
5105 MPI handling of secret 'd' for ECC_DIALECT_SAFECURVE.
5106 * cipher/ecc.c (nist_generate_key): Support opaque secret for
5107 ECC_DIALECT_SAFECURVE.
5108 (test_ecdh_only_keys): Likewise.
5109 (ecc_generate): Support native point representation for
5110 ECC_DIALECT_SAFECURVE.
5111 (ecc_encrypt_raw): Support opaque MPI handling of secret and
5112 native point representation for ECC_DIALECT_SAFECURVE.
5113 (ecc_decrypt_raw): Support native point representation for
5114 ECC_DIALECT_SAFECURVE.
5115 (_gcry_pk_ecc_get_sexp): Likewise.
5116
5117 ecc: Make _gcry_mpi_ec_mul_point friendly to X25519 computation.
5118 + commit 2dfedafe08ac57a87e6892d1af4d72cbb398fe40
5119 * mpi/ec.c (_gcry_mpi_ec_mul_point): Support scalar input as an opaque
5120 MPI in little-endian native format.
5121 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Use an opaque scalar.
5122
5123 pubkey: Support a method to get data as an opaque MPI.
5124 + commit 050e0b4accfae6a49dda6b1bac52749edec5ce22
5125 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support an
5126 opaque MPI in old style.
5127
5128 2019-10-24 NIIBE Yutaka <gniibe@fsij.org>
5129
5130 ecc: Support an opaque MPI handling in mpi_from_keyparam.
5131 + commit 05a7d2f262bc5c2d108dcfa6e3d907dd895a4074
5132 * cipher/ecc-curves.c (mpi_from_keyparam): Add OPAQUE argument.
5133
5134 ecc: Fix handling of point representation in EdDSA.
5135 + commit 3d5a05767b84e0f781ed5dfe434adb4d4e9d2aa5
5136 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): Use
5137 GCRYMPI_FMT_USG, since integer is defined as unsigned in SEC1.
5138 (_gcry_ecc_eddsa_decodepoint): Likewise.
5139
5140 ecc: Return an opaque MPI by _gcry_ecc_ec2os.
5141 + commit 8fce1027c2531127dd52a8b883f34333ffd3763b
5142 * cipher/ecc-misc.c (_gcry_ecc_ec2os): Use mpi_set_opaque instead of
5143 _gcry_mpi_scan to make an opaque MPI.
5144
5145 ecc: String constant fix.
5146 + commit 35c1faaea2b0aee9b127d02d93158826d17eb107
5147 * cipher/ecc-curves.c (domain_parms): Same string length for NIST
5148 P-521.
5149
5150 ecc: Simplify _gcry_ecc_compute_public.
5151 + commit ad8927f40169364003f72fc188ea60b295ef5e59
5152 * cipher/ecc-misc.c (_gcry_ecc_compute_public): Don't need G and d.
5153 Use ec->G and ec->d.
5154 * cipher/ecc-curves.c (_gcry_ecc_get_mpi): Follow the change.
5155 (_gcry_ecc_get_point): Likewise.
5156 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Don't need d,
5157 but use ec->d.
5158 (_gcry_ecc_eddsa_sign): Follow the change.
5159
5160 2019-10-23 NIIBE Yutaka <gniibe@fsij.org>
5161
5162 ecc: Use opaque MPI for _gcry_ecc_mul_point.
5163 + commit c5a7191c1bd18292a34ad4da45d743dfac035f9a
5164 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Use opaque MPI for U.
5165
5166 ecc: Fix _gcry_ecc_mont_decodepoint for data by old implementation.
5167 + commit bbe15758c893dbf546416c1a6bccdad1ab000ad7
5168 * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Support data by old
5169 implementation by opaque public key.
5170 Fix confusion of endian, in the handling of data by normal MPI key.
5171
5172 ecc: ECDH clean up for use of ec->nbits.
5173 + commit 27e848666b4a03939b0c8db15aa6e6f79bc7db30
5174 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Use ec->nbits.
5175 * cipher/ecc.c (test_ecdh_only_keys): Likewise.
5176 (ecc_encrypt_raw): Likewise.
5177 (ecc_generate): Fix debug output format.
5178
5179 2019-10-22 NIIBE Yutaka <gniibe@fsij.org>
5180
5181 ecc: Fix key generation for ECDH.
5182 + commit 82441bbb82903c21cd2b9b4e2d50202b14fdc24c
5183 * cipher/ecc.c (test_ecdh_only_keys): Don't free EC here.
5184
5185 ecc: Fix debug output.
5186 + commit 6d93812aa312a92d4de2dc034bdf87c276a24b8a
5187 * cipher/ecc-curves.c (_gcry_mpi_ec_internal_new): Fix debug output.
5188
5189 ecc: Simplify using mpi_ec_t directly.
5190 + commit 6a30a9a2cc48d2343c3e9815567dbd4bf9eec058
5191 * cipher/ecc-common.h (ECC_public_key, ECC_secret_key): Remove.
5192 (_gcry_ecc_ecdsa_sign, _gcry_ecc_ecdsa_verify): Use mpi_ec_t.
5193 (_gcry_ecc_eddsa_genkey, gcry_ecc_eddsa_sign): Likewise.
5194 (_gcry_ecc_eddsa_verify): Likewise.
5195 (_gcry_ecc_gost_sign, _gcry_ecc_gost_verify): Likewise.
5196 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Use mpi_ec_t directly.
5197 (_gcry_ecc_ecdsa_verify): Likewise.
5198 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Likewise.
5199 (_gcry_ecc_eddsa_sign, _gcry_ecc_eddsa_verify): Likewise.
5200 * cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
5201 (_gcry_ecc_gost_verify): Likewise.
5202
5203 ecc: Fix for NBITS support.
5204 + commit 975de38796917392e83152447c6575648a5a5ee3
5205 * cipher/ecc-curves.c (mpi_ec_get_elliptic_curve): Fill curve
5206 parameters by NBITS.
5207 (_gcry_mpi_ec_internal_new): Show "EdDSA".
5208
5209 ecc: Add NAME member to struct mpi_ec_ctx_s.
5210 + commit e921ad5b3ad093304312aca90a3c971de05cbf03
5211 * src/ec-context.h (struct mpi_ec_ctx_s): Add NAME.
5212 * cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Initialize NAME.
5213
5214 ecc: Add key generation support to mpi_ec_get_elliptic_curve.
5215 + commit 488704be6e044e23770d95344511c5a347b533c5
5216 * cipher/ecc-curves.c (mpi_ec_get_elliptic_curve): Handle params for
5217 key generation.
5218 (_gcry_mpi_ec_internal_new): Remove duplication for handling of flags.
5219
5220 ecc: Consolidate with _gcry_mpi_ec_internal_new.
5221 + commit 5415bc578080018e1cd36aa44cf5c0a9995cbafc
5222 * cipher/ecc-ecdh.c (prepare_ec): Use _gcry_mpi_ec_internal_new.
5223 (_gcry_ecc_mul_point): Don't need to have E of elliptic_curve_t.
5224 * cipher/ecc.c (ecc_encrypt_raw): Use _gcry_mpi_ec_internal_new.
5225 (ecc_decrypt_raw): Likewise.
5226
5227 ecc: Support flags and debug print in _gcry_mpi_ec_internal_new.
5228 + commit c2aa333dd88b4cd337329128a2018dd3b00f5114
5229 * cipher/ecc-curves.c (mpi_ec_get_elliptic_curve): Don't set *r_flags.
5230 (_gcry_mpi_ec_internal_new): Add r_flags argument.
5231 Parse the flag list.
5232 Output to debug channel when DBG_CIPHER.
5233
5234 2019-10-21 NIIBE Yutaka <gniibe@fsij.org>
5235
5236 ecc: Add new function _gcry_mpi_ec_internal_new.
5237 + commit c7b97ac9bdf96f5a89ae553cac12954043ab174d
5238 * cipher/ecc-curves.c (mpi_ec_get_elliptic_curve)
5239 (mpi_ec_setup_elliptic_curve): Factor out from _gcry_mpi_ec_new.
5240 (_gcry_mpi_ec_internal_new): New.
5241 (_gcry_mpi_ec_new): Rewrite using mpi_ec_get_elliptic_curve and
5242 mpi_ec_setup_elliptic_curve.
5243
5244 ecc: Simplify ecc_encrypt_raw and ecc_decrypt_raw.
5245 + commit 10b8cc280a535f14b017106c87f2b26bb68d9489
5246 * cipher/ecc.c (ecc_encrypt_raw): Use elliptic_curve_t directly.
5247 (ecc_decrypt_raw): Likewise.
5248
5249 ecc: More fixes for cofactor with PUBKEY_FLAG_PARAM.
5250 + commit 61a0518282537ad52367354c96986c3d1b698d6f
5251 * cipher/ecc.c (ecc_check_secret_key): Support "h" in KEYPARMS.
5252 (ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Likewise.
5253
5254 ecc: Simply use unsigned int for cofactor, not MPI.
5255 + commit a258ae728de62607b3ef4eca940cfbcf9965fa5f
5256 * cipher/ecc-common.h (elliptic_curve_t): Use unsigned int for H.
5257 * src/ec-context.h (struct mpi_ec_ctx_s): Ditto.
5258 * cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
5259 (domain_parms): Update for the cofactors.
5260 (_gcry_ecc_fill_in_curve): H is no longer MPI, but unsigned int.
5261 (_gcry_ecc_get_curve): Remove handling for H.
5262 (_gcry_mpi_ec_new): In KEYPARM, cofactor is still MPI.
5263 (_gcry_ecc_get_param_sexp): H is no longer MPI, but unsigned int.
5264 (_gcry_ecc_get_mpi): Keep the API, returning MPI for "h".
5265 (_gcry_ecc_set_mpi): Likewise.
5266 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Fix for unsigned int.
5267 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Likewise.
5268 * cipher/ecc-misc.c (_gcry_ecc_curve_free): Likewise.
5269 * cipher/ecc.c (nist_generate_key, test_ecdh_only_keys): Likewise.
5270 (test_ecdh_only_keys, ecc_generate, ecc_check_secret_key): Likewise.
5271 (ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Likewise.
5272 (_gcry_pk_ecc_get_sexp): Likewise.
5273 * mpi/ec.c (ec_deinit): Likewise.
5274
5275 2019-10-18 NIIBE Yutaka <gniibe@fsij.org>
5276
5277 ecc: Simplify compute_keygrip.
5278 + commit 579d5d6017d63b5eabec588b24d1a22566455bac
5279 * cipher/ecc-curves.c (_gcry_ecc_update_curve_param): Remove H.
5280 * cipher/ecc.c (compute_keygrip): Don't get H, since it's not
5281 used in the computation.
5282
5283 ecc: Clean up key generation code.
5284 + commit 95cc9b8f4483fd7edfc7555199f6a05cfa68a236
5285 * cipher/ecc.c (test_ecdh_only_keys): No need to make PK by SK.
5286
5287 2019-10-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5288
5289 Fix building t-lock for WIN32.
5290 + commit 7e1383cfd43fdc2b6f743e6a1304f0f0b2142847
5291 * tests/t-lock.c (external_lock_test_init, external_lock_test_lock)
5292 (external_lock_test_unlock, external_lock_test_destroy)
5293 (nonce_thread, get_rand, pick_account, pick_value, revision_thread)
5294 (accountant_thread): Build also if _WIN32 defined in addition to
5295 HAVE_PTHREAD.
5296
5297 hash-common: avoid integer division to reduce call overhead.
5298 + commit f9d8b5a0369cc94e125d36d9c8864d5cd2eaa1d2
5299 * cipher/hash-common.h (gcry_md_block_ctx): Replace 'blocksize' with
5300 'blocksize_shift'.
5301 * cipher/hash-common.c (_gcry_md_block_write): Use bit-level operations
5302 instead of division to get number of blocks.
5303 * cipher/gostr3411-94.c (gost3411_init): Initialize 'blocksize_shift'
5304 instead of 'blocksize'.
5305 * cipher/md2.c (md2_init): Ditto.
5306 * cipher/md4.c (md4_init): Ditto.
5307 * cipher/md5.c (md5_init): Ditto.
5308 * cipher/rmd160.c (rmd160_init): Ditto.
5309 * cipher/sha1.c (sha1_init): Ditto.
5310 * cipher/sha256.c (sha256_common_init): Ditto.
5311 * cipher/sha512.c (sha512_init_common): Ditto.
5312 * cipher/sm3.c (sm3_init): Ditto.
5313 * cipher/stribog.c (stribog_init_512): Ditto.
5314 * cipher/tiger.c (do_init): Ditto.
5315 * cipher/whirlpool.c (whirlpool_init): Ditto.
5316
5317 2019-10-11 NIIBE Yutaka <gniibe@fsij.org>
5318
5319 ecc: Handle ephemeral key as opaque octets.
5320 + commit ff0f1782560eb45458d9a8dd97088dabeddb34e7
5321 * cipher/ecc.c (ecc_decrypt_raw): Extract an ephemeral key
5322 as opaque octets.
5323
5324 2019-10-10 NIIBE Yutaka <gniibe@fsij.org>
5325
5326 ecc: Consolidate encoding a point for Montgomery curve.
5327 + commit 80cf289905ace9f174eb06d7f55f38980f7e4dbd
5328 * cipher/ecc-common.h (_gcry_ecc_mont_encodepoint): New.
5329 * cipher/ecc-misc.c (_gcry_ecc_mont_encodepoint): New.
5330 * cipher/ecc.c (ecc_generate): Use _gcry_ecc_mont_encodepoint.
5331 (ecc_encrypt_raw, ecc_decrypt_raw, _gcry_pk_ecc_get_sexp): Likewise.
5332
5333 2019-10-09 NIIBE Yutaka <gniibe@fsij.org>
5334
5335 ecc: More clean-up for Ed25519 and Curve25519.
5336 + commit ba0b31f2636632b1b39ebd2202de3ba5d60588b8
5337 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): Fix calc for
5338 bytes.
5339 * cipher/ecc.c (ecc_encrypt_raw): Use public key as opaque byte-string
5340 with "/q" for both cases, since it is always fixed size with a prefix.
5341 (compute_keygrip): Likewise.
5342 Fix hard-coded value of 256 for Ed25519.
5343 Handle Curve25519 differently.
5344
5345 2019-10-08 NIIBE Yutaka <gniibe@fsij.org>
5346
5347 ecc: Fix hard-coded value for 25519 to allow other modern curves.
5348 + commit d66a4856eb0c39823bf3414b3ca4cf6322f32aef
5349 * cipher/ecc.c (nist_generate_key): Support other modern curves.
5350 (test_ecdh_only_keys): Likewise.
5351 (check_secret_key): Don't use ECC_DIALECT_ED25519 for the check.
5352 (_gcry_pk_ecc_get_sexp): Support Montgomery curve.
5353
5354 ecc: Clean up for decoding point.
5355 + commit 254c5279058f0aea2d3568d6e756002242e82f8f
5356 * cipher/ecc-curves.c (point_from_keyparam): Possibly supporting
5357 Montgomery curve, use _gcry_mpi_ec_decode_point.
5358 (_gcry_ecc_set_mpi): Likewise.
5359 * cipher/ecc.c (ecc_check_secret_key): Likewise.
5360
5361 random: Clean up unused old internal API.
5362 + commit 6e57242c61bca38b3cc8fdf424b5667ab953e4cd
5363 * random/random.h (_gcry_get_random_bits): Remove.
5364
5365 2019-10-02 NIIBE Yutaka <gniibe@fsij.org>
5366
5367 ecc: Fix regression in keygrip computation for cv25519 (2).
5368 + commit 1cfe2329b91cc7be30f7c3a14fc634ec89a1be96
5369 * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Recover g_y
5370 for Curve25519.
5371
5372 2019-09-28 Werner Koch <wk@gnupg.org>
5373
5374 ecc: Fix regression in keygrip computation for cv25519.
5375 + commit f67b6492e0b0a2a661cd53a08b20f23e6e3f9f89
5376 * cipher/ecc-curves.c (domain_parms): Revert g_y for cv25519.
5377 * tests/keygrip.c: Add test case for cv25519.
5378
5379 2019-09-24 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5380
5381 Add stitched ChaCha20-Poly1305 ARMv8/AArch64 implementation.
5382 + commit 4bebafb7bae8343f543728937caf7d3453c88b7c
5383 * cipher/Makefile.am: Add 'asm-poly1305-aarch64.h'.
5384 * cipher/asm-poly1305-aarch64.h: New.
5385 * cipher/chacha20-aarch64.S (ROT8, _, ROTATE2_8): New.
5386 (ROTATE2): Add interleave operator.
5387 (QUARTERROUND2): Add interleave operators; Use ROTATE2_8.
5388 (chacha20_data): Rename to...
5389 (_gcry_chacha20_aarch64_blocks4_data_inc_counter): ...this.
5390 (_gcry_chacha20_aarch64_blocks4_data_rot8): New.
5391 (_gcry_chacha20_aarch64_blocks4): Preload ROT8; Fill empty parameters
5392 for QUARTERROUND2 interleave operators.
5393 (_gcry_chacha20_poly1305_aarch64_blocks4): New.
5394 * cipher/chacha20.c
5395 [USE_AARCH64_SIMD] (_gcry_chacha20_poly1305_aarch64_blocks4): New.
5396 (_gcry_chacha20_poly1305_encrypt, _gcry_chacha20_poly1305_decrypt)
5397 [USE_AARCH64_SIMD]: Use stitched implementation if ctr->use_neon is
5398 set.
5399
5400 2019-09-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5401
5402 Small tweak for PowerPC Chacha20-Poly1305 round loop.
5403 + commit 96b91e164160dfbd913aefe258f472d386f5b642
5404 * cipher/chacha20-ppc.c (_gcry_chacha20_poly1305_ppc8_block4): Use
5405 inner/outer round loop structure instead of two separate loops for
5406 stitched and non-stitched parts.
5407
5408 Reduce size of x86-64 stitched Chacha20-Poly1305 implementations.
5409 + commit 664370ea02df883d16db1ffdd9ada023335b0f63
5410 * cipher/chacha20-amd64-avx2.c
5411 (_gcry_chacha20_poly1305_amd64_avx2_blocks8): De-unroll round loop.
5412 * cipher/chacha20-amd64-ssse3.c
5413 (_gcry_chacha20_poly1305_amd64_ssse3_blocks4)
5414 (_gcry_chacha20_poly1305_amd64_ssse3_blocks1): Ditto.
5415
5416 2019-09-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5417
5418 Add PowerPC extra CFLAGS also for chacha20-ppc and crc-ppc.
5419 + commit 5516072451d46be8827455afff840eb6d49155fb
5420 * cipher/Makefile.am: Add 'ppc_vcrypto_cflags' for chacha20-ppc.o/.lo
5421 and crc-ppc.o/.lo.
5422
5423 2019-09-15 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5424
5425 Add PowerPC vpmsum implementation of CRC.
5426 + commit 0486b85bd1fb65013e77f858cae9ea4530f868df
5427 * cipher/Makefile.am: Add 'crc-ppc.c'.
5428 * cipher/crc-armv8-ce.c: Remove 'USE_INTEL_PCLMUL' comment.
5429 * cipher/crc-ppc.c: New.
5430 * cipher/crc.c (USE_PPC_VPMSUM): New.
5431 (CRC_CONTEXT): Add 'use_vpmsum'.
5432 (_gcry_crc32_ppc8_vpmsum, _gcry_crc24rfc2440_ppc8_vpmsum): New.
5433 (crc32_init, crc24rfc2440_init): Add HWF check for 'use_vpmsum'.
5434 (crc32_write, crc24rfc2440_write): Add 'use_vpmsum' code-path.
5435 * configure.ac: Add 'vpmsumd' instruction to PowerPC VSX inline
5436 assembly check; Add 'crc-ppc.lo'.
5437
5438 Add PowerPC vector implementation of ChaCha20.
5439 + commit 557702f0d53a7ad1cf2ce0333c9df799a8abad59
5440 * cipher/Makefile.am: Add 'chacha20-ppc.c'.
5441 * cipher/chacha20-ppc.c: New.
5442 * cipher/chacha20.c (USE_PPC_VEC, _gcry_chacha20_ppc8_blocks4)
5443 (_gcry_chacha20_ppc8_blocks1, USE_PPC_VEC_POLY1305)
5444 (_gcry_chacha20_poly1305_ppc8_blocks4): New.
5445 (CHACHA20_context_t): Add 'use_ppc'.
5446 (chacha20_blocks, chacha20_keysetup)
5447 (do_chacha20_encrypt_stream_tail): Add USE_PPC_VEC code.
5448 (_gcry_chacha20_poly1305_encrypt, _gcry_chacha20_poly1305_decrypt): Add
5449 USE_PPC_VEC_POLY1305 code.
5450 * configure.ac: Add 'chacha20-ppc.lo'.
5451 * src/g10lib.h (HWF_PPC_ARCH_2_07): New.
5452 * src/hwf-ppc.c (PPC_FEATURE2_ARCH_2_07): New.
5453 (ppc_features): Add HWF_PPC_ARCH_2_07.
5454 * src/hwfeatures.c (hwflist): Add 'ppc-arch_2_07'.
5455
5456 2019-09-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5457
5458 poly1305: add fast addition macro for ppc64.
5459 + commit 0564757b934d24c7fef10df8594099985fbbc0ac
5460 * cipher/poly1305.c [USE_MPI_64BIT && __powerpc__] (ADD_1305_64): New.
5461
5462 2019-09-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5463
5464 Add SHA-512 implementations for POWER8 and POWER9.
5465 + commit 93632f1adf57f142e5d9e9653c405f2ca8c601c0
5466 * cipher/Makefile.am: Add 'sha512-ppc.c'; Add extra CFLAG handling for
5467 'sha512-ppc.c'.
5468 * cipher/sha512-ppc.c: New.
5469 * cipher/sha512.c (USE_PPC_CRYPTO, _gcry_sha512_transform_ppc8)
5470 (_gcry_sha512_transform_ppc9, do_sha512_transform_ppc8)
5471 (do_sha512_transform_ppc9): New.
5472 (sha512_init_common): Add PowerPC HW feature detection and
5473 implementation selection.
5474 * configure.ac: Add 'vshasigmad' instruction to PowerPC assembly
5475 support check; Add 'sha512-ppc.lo'.
5476
5477 2019-08-31 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5478
5479 Add SHA-256 implementations for POWER8 and POWER9.
5480 + commit e19dc973bc8e2a0ce92dd87515df3ee338265a8d
5481 * cipher/Makefile.am: Add 'sha256-ppc.c'; Add extra CFLAG handling for
5482 'sha256-ppc.c'.
5483 * cipher/sha256-ppc.c: New.
5484 * cipher/sha256.c (USE_PPC_CRYPTO, _gcry_sha256_transform_ppc8)
5485 (_gcry_sha256_transform_ppc9, do_sha256_transform_ppc8)
5486 (do_sha256_transform_ppc9): New.
5487 (sha256_init, sha224_init): Split common part to new function named...
5488 (sha256_common_init): ...this; Add PowerPC HW feature detection and
5489 implementation selection.
5490 * configure.ac: Add 'vshasigmaw' instruction to PowerPC assembly
5491 support check; Add 'sha256-ppc.lo'.
5492
5493 2019-08-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5494
5495 hwf-ppc: add detection for PowerISA 3.00.
5496 + commit 418179593080f3028426657c4ef1941cdad85513
5497 * src/g10lib.h (HWF_PPC_ARCH_3_00): New.
5498 * src/hwf-ppc.c (feature_map_s): Remove unused 'feature_match'.
5499 (PPC_FEATURE2_ARCH_3_00): New.
5500 (ppc_features, get_hwcap): Add PowerISA 3.00.
5501 * src/hwfeatures.c (hwflist): Rename "ppc-crypto" to "ppc-vcrypto"; Add
5502 "ppc-arch_3_00".
5503
5504 rijndael-ppc: add bulk modes for CBC, CFB, CTR and XTS.
5505 + commit 81d555d3473016eb9382fb1df153ba1effbbe32e
5506 * cipher/rijndael-ppc.c (vec_add_uint128, _gcry_aes_ppc8_cfb_enc)
5507 (_gcry_aes_ppc8_cfb_dec, _gcry_aes_ppc8_cbc_enc)
5508 (_gcry_aes_ppc8_cbc_dec, _gcry_aes_ppc8_ctr_enc)
5509 (_gcry_aes_ppc8_xts_crypt): New.
5510 * cipher/rijndael.c [USE_PPC_CRYPTO] (_gcry_aes_ppc8_cfb_enc)
5511 (_gcry_aes_ppc8_cfb_dec, _gcry_aes_ppc8_cbc_enc)
5512 (_gcry_aes_ppc8_cbc_dec, _gcry_aes_ppc8_ctr_enc)
5513 (_gcry_aes_ppc8_xts_crypt): New.
5514 (do_setkey, _gcry_aes_cfb_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_enc)
5515 (_gcry_aes_cbc_dec, _gcry_aes_ctr_enc)
5516 (_gcry_aes_xts_crypt) [USE_PPC_CRYPTO]: Enable PowerPC AES
5517 CFB/CBC/CTR/XTS bulk implementations.
5518 * configure.ac (gcry_cv_gcc_inline_asm_ppc_altivec): Add 'vadduwm'
5519 instruction.
5520
5521 rijndael-ppc: add bulk mode for ocb_auth.
5522 + commit bd1367bb607846d582ad09ded6c4ce4be4e52778
5523 * cipher/rijndael-ppc.c (_gcry_aes_ppc8_ocb_auth): New.
5524 * cipher/rijndael.c [USE_PPC_CRYPTO] (_gcry_aes_ppc8_ocb_auth): New
5525 prototype.
5526 (do_setkey, _gcry_aes_ocb_auth) [USE_PPC_CRYPTO]: Add PowerPC AES
5527 ocb_auth.
5528
5529 rijndael-ppc: enable PowerPC AES-OCB implementation.
5530 + commit 821602c60c7d144c978c335f91ae1641cf668df5
5531 * cipher/rijndael-ppc.c (ROUND_KEY_VARIABLES, PRELOAD_ROUND_KEYS)
5532 (AES_ENCRYPT, AES_DECRYPT): New.
5533 (_gcry_aes_ppc8_prepare_decryption): Rename to...
5534 (aes_ppc8_prepare_decryption): ... this.
5535 (_gcry_aes_ppc8_prepare_decryption): New.
5536 (aes_ppc8_encrypt_altivec, aes_ppc8_decrypt_altivec): Remove.
5537 (_gcry_aes_ppc8_encrypt): Use AES_ENCRYPT macro.
5538 (_gcry_aes_ppc8_decrypt): Use AES_DECRYPT macro.
5539 (_gcry_aes_ppc8_ocb_crypt): Uncomment; Optimizations for OCB offset
5540 calculations, etc; Use new load/store and encryption/decryption macros.
5541 * cipher/rijndael.c [USE_PPC_CRYPTO] (_gcry_aes_ppc8_ocb_crypt): New
5542 prototype.
5543 (do_setkey, _gcry_aes_ocb_crypt) [USE_PPC_CRYPTO]: Add PowerPC AES OCB
5544 encryption/decryption.
5545
5546 rijndael-ppc: add key setup and enable single block PowerPC AES.
5547 + commit 9dca65ef71b4bdbd89a087f41f4dbba71e6d2822
5548 * cipher/Makefile.am: Add 'rijndael-ppc.c'.
5549 * cipher/rijndael-internal.h (USE_PPC_CRYPTO): New.
5550 (RIJNDAEL_context): Add 'use_ppc_crypto'.
5551 * cipher/rijndael-ppc.c (backwards, swap_if_le): Remove.
5552 (u128_t, ALWAYS_INLINE, NO_INLINE, NO_INSTRUMENT_FUNCTION)
5553 (ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE, ASM_FUNC_ATTR_NOINLINE)
5554 (ALIGNED_LOAD, ALIGNED_STORE, VEC_LOAD_BE, VEC_STORE_BE)
5555 (vec_bswap32_const, vec_aligned_ld, vec_load_be_const)
5556 (vec_load_be, vec_aligned_st, vec_store_be, _gcry_aes_sbox4_ppc8)
5557 (_gcry_aes_ppc8_setkey, _gcry_aes_ppc8_prepare_decryption)
5558 (aes_ppc8_encrypt_altivec, aes_ppc8_decrypt_altivec): New.
5559 (_gcry_aes_ppc8_encrypt, _gcry_aes_ppc8_decrypt): Rewrite.
5560 (_gcry_aes_ppc8_ocb_crypt): Comment out.
5561 * cipher/rijndael.c [USE_PPC_CRYPTO] (_gcry_aes_ppc8_setkey)
5562 (_gcry_aes_ppc8_prepare_decryption, _gcry_aes_ppc8_encrypt)
5563 (_gcry_aes_ppc8_decrypt): New prototypes.
5564 (do_setkey) [USE_PPC_CRYPTO]: Add setup for PowerPC AES.
5565 (prepare_decryption) [USE_PPC_CRYPTO]: Ditto.
5566 * configure.ac: Add 'rijndael-ppc.lo'.
5567 (gcry_cv_ppc_altivec, gcry_cv_cc_ppc_altivec_cflags)
5568 (gcry_cv_gcc_inline_asm_ppc_altivec)
5569 (gcry_cv_gcc_inline_asm_ppc_arch_3_00): New checks.
5570
5571 2019-08-26 Shawn Landden <shawn@git.icu>
5572
5573 rijndael/ppc: implement single-block mode, and implement OCB block cipher
5574 + commit 92f38a619b1cf759057e9cd532ae7c1d0331100f
5575 * cipher/rijndael-ppc.c: New implementation of single-block mode, and
5576 implementation of OCB mode.
5577
5578 hwf: add detection of PowerPC hardware features.
5579 + commit b4a3c76fabfa07c10fd18b90230f60b806ad9620
5580 * src/Makefile.am: PowerPC hardware detection.
5581 * src/g10lib.h: Likewise.
5582 * src/hwf-common.h: Likewise.
5583 * src/hwf-ppc.c: Likewise.
5584 * src/hwfeatures.c: Likewise.
5585 * configure.ac: Likewise.
5586
5587 2019-08-20 NIIBE Yutaka <gniibe@fsij.org>
5588
5589 pkgconfig: Fix libgcrypt.pc.
5590 + commit 761d12f140b77b907087590646651d9578b68a54
5591 * src/libgcrypt.pc.in (Cflags, Libs): Have flags.
5592
5593 2019-08-16 NIIBE Yutaka <gniibe@fsij.org>
5594
5595 build: Fix build with !HAVE_PTHREAD.
5596 + commit 900647d96cb7806cd9b2de343e4a4bd66c073fba
5597 * tests/t-lock.c [!HAVE_PTHREAD]: Buildable now.
5598
5599 ecdsa: Fix unblinding too early.
5600 + commit cdaeb86f067b94d9dff4235ade20dde6479d9bb8
5601 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Keep the blinding until
5602 the last step.
5603
5604 2019-08-12 NIIBE Yutaka <gniibe@fsij.org>
5605
5606 build: Fix testapi.c to be buildable.
5607 + commit 376124f86097414cf1f9cbbc17af935d30064c82
5608 * tests/testapi.c: Fix for xgcry_control.
5609
5610 2019-08-08 NIIBE Yutaka <gniibe@fsij.org>
5611
5612 dsa,ecdsa: Fix use of nonce, use larger one.
5613 + commit 7c2943309d14407b51c8166c4dcecb56a3628567
5614 * cipher/dsa-common.c (_gcry_dsa_modify_k): New.
5615 * cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
5616 * cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
5617 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
5618 * cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
5619
5620 2019-08-07 NIIBE Yutaka <gniibe@fsij.org>
5621 Ján Jančár <johny@neuromancer.sk>
5622
5623 ecc: Add mitigation against timing attack.
5624 + commit b9577f7c89b4327edc09f2231bc8b31521102c79
5625 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
5626 * mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.
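
The two entries above (the larger nonce produced by _gcry_dsa_modify_k, and "add the order N to K" so that the point multiplication runs over a fixed number of bits) describe one device: a left-to-right scalar multiplication loops once per bit of the scalar, so a nonce whose bit length varies leaks that length through timing, and the fix is to add the group order once or twice so the scalar always has exactly nbits(order)+1 bits while representing the same residue. The following is an added example, not libgcrypt's code: it re-implements the idea in Python over a constructed toy DSA-style group (P, Q, G are tiny made-up parameters, not real ones), and the names modify_k, naive_k, bits_touched_by_ladder and signature_r are this example's own.

```python
import secrets

# Constructed toy group (NOT real parameters): P = 2*Q + 1 with P and Q prime,
# and G = 4 generates the order-Q subgroup of Z_P^*.  Sizes are tiny so the
# bit-length behaviour is easy to see; the logic is identical for real sizes.
P = 2039
Q = 1019
G = 4
QBITS = Q.bit_length()  # 10


def naive_k(q):
    """Plain nonce in [1, q-1]; its bit length varies with its value."""
    return secrets.randbelow(q - 1) + 1


def modify_k(k, q):
    """Return k' with k' == k (mod q) and bit_length(k') == bit_length(q) + 1.

    Assumed re-implementation of the idea in the entries above (not the
    library's routine): add the order once, and if bit qbits is still clear,
    add it a second time.  Both candidates are computed and the result is
    chosen with a mask, so the choice itself is data-independent.
    """
    qbits = q.bit_length()
    k1 = k + q          # k + q  < 2q < 2^(qbits+1)
    k2 = k1 + q         # used only when k1 < 2^qbits, so also < 2^(qbits+1)
    top_set = (k1 >> qbits) & 1
    mask = -top_set     # 0 when the top bit is clear, all-ones when it is set
    return (k1 & mask) | (k2 & ~mask)


def bits_touched_by_ladder(scalar):
    """Iterations a left-to-right double-and-add runs for this scalar:
    exactly its bit length, which is what a timing observer sees."""
    return scalar.bit_length()


def signature_r(k):
    """DSA-style r = (G^k mod P) mod Q; unchanged by adding multiples of Q."""
    return pow(G, k, P) % Q


if __name__ == "__main__":
    k = naive_k(Q)
    kp = modify_k(k, Q)
    print(k, k.bit_length(), "->", kp, kp.bit_length(), signature_r(k) == signature_r(kp))
```

The assertion worth keeping in mind when porting this to a real signer is the last one: every modified nonce has the same bit length, so the scalar-multiplication loop count no longer depends on the secret, while r (and therefore s) is unchanged because G has order Q.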
5627
5628 2019-08-07 NIIBE Yutaka <gniibe@fsij.org>
5629
5630 dsa,ecdsa: Allocate secure memory for RFC6979 generation.
5631 + commit 75c2fbc43d2f2cf5f4c60cb28001fda7324185c2
5632 * cipher/dsa-common.c (_gcry_dsa_gen_rfc6979_k): Use secure memory
5633 just like _gcry_dsa_gen_k does.
5634
5635 2019-07-22 NIIBE Yutaka <gniibe@fsij.org>
5636
5637 build: Fix previous commit.
5638 + commit 6126fc2f180a9b61064cea5c838d2ff7e0b7774a
5639
5640
5641 build: Use {CFLAGS,CPPFLAGS,LDFLAGS}_FOR_BUILD for helper programs.
5642 + commit 6d80f3f12dc2ff04b0eaa3ba29ee8725b6fb4f69
5643 * configure.ac (CC_FOR_BUILD): Use AX_CC_FOR_BUILD.
5644 * cipher/Makefile.am (gost-s-box): Add
5645 {CFLAGS,CPPFLAGS,LDFLAGS}_FOR_BUILD.
5646 * doc/Makefile.am (yat2m): Likewise.
5647 * m4/ax_cc_for_build.m4: New.
5648
5649 2019-07-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5650
5651 Fix use of AVX instruction in SHA1/SSSE3 assembly.
5652 + commit 320ed47963032aab7aadd8aefa054b9a7725c9f7
5653 * cipher/sha1-ssse3-amd64.S: Replace 'vmovdqa' with 'movdqa'
5654 instruction.
5655
5656 2019-07-15 Werner Koch <wk@gnupg.org>
5657
5658 sexp: Improve argument checking of sexp parser.
5659 + commit 1c2cecbb35e1a0760121d76c327651fe7b2b791a
5660 * src/sexp.c (do_vsexp_sscan): Check for bad length in '%b'.
5661
5662 2019-07-15 NIIBE Yutaka <gniibe@fsij.org>
5663
5664 tests: t-mpi-point: Remove implementation dependent checks.
5665 + commit 8a0bde8c211c70756a2d8aa46e1bcf1f6f89e55d
5666 * tests/t-mpi-point.c (basic_ec_math): Remove comparing X and Y,
5667 only comparison of Z is relevant, mathematically.
5668 Remove useless check, where different values in equivalence class
5669 exist.
5670 (basic_ec_math_simplified): Likewise.
5671
5672 2019-06-25 NIIBE Yutaka <gniibe@fsij.org>
5673
5674 sexp: Support reading base64.
5675 + commit ab57613f10ad57d2fec648017c18d7abb189863b
5676 * configure.ac (NEED_GPG_ERROR_VERSION): Require libgpg-error >= 1.27.
5677 * src/sexp.c (do_vsexp_sscan): Support data in base64 format.
5678 * tests/t-sexp.c (check_extract_param): Add a test case.
5679
5680 2019-06-24 NIIBE Yutaka <gniibe@fsij.org>
5681
5682 ecc: Correctly return an error.
5683 + commit b4a1114dc77617f0e772ddc4faf8820399b4354a
5684 * cipher/ecc-ecdh.c (_gcry_ecc_get_algo_keylen): Return 0 for
5685 unknown algorithm.
5686 (_gcry_ecc_mul_point): Return GPG_ERR_UNSUPPORTED_ALGORITHM for
5687 GCRY_ECC_CURVE448 for now.
5688 Return GPG_ERR_UNKNOWN_ALGORITHM, otherwise.
5689
5690 2019-06-21 NIIBE Yutaka <gniibe@fsij.org>
5691
5692 tests: Fix the Curve25519 test.
5693 + commit 6934711d572e13e9e78fb2c53bb119034b088c5a
5694 * tests/t-cv25519.c (test_cv_x25519): Initialize SCALAR.
5695
5696 ecc: Improve new ECDH API.
5697 + commit a658c9ccc2c741f40b0b5cdbcd184cfb9a841d17
5698 * cipher/ecc-ecdh.c (_gcry_ecc_get_algo_keylen): New.
5699 (_gcry_ecc_mul_point): Fill into the RESULT buffer, instead of
5700 allocating new buffer.
5701 * src/gcrypt-int.h: Change the API.
5702 * src/gcrypt.h.in: Likewise.
5703 * src/libgcrypt.def (gcry_ecc_get_algo_keylen): New.
5704 * src/libgcrypt.vers (gcry_ecc_get_algo_keylen): New.
5705 * src/visibility.c (gcry_ecc_get_algo_keylen): New.
5706 * src/visibility.h (gcry_ecc_get_algo_keylen): New.
5707 * tests/t-cv25519.c: Fix the use case.
5708
5709 2019-06-20 NIIBE Yutaka <gniibe@fsij.org>
5710
5711 ecc: X25519 API change to allow NULL for POINT.
5712 + commit 6d77c2054ea0358fb4c6f59b4c91c673c0a83b03
5713 * cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Allow NULL for point,
5714 meaning G.
5715
5716 ecc: Add an API for X25519 function as gcry_ecc_mul_point.
5717 + commit ec8c2cdf977aa8d9ca5af0a9bd25aeb9190570b3
5718 * configure.ac: Add ecc-ecdh.lo.
5719 * cipher/Makefile.am: Add ecc-ecdh.c.
5720 * cipher/ecc-common.h (reverse_buffer): Expose.
5721 * cipher/ecc-eddsa.c (reverse_buffer): Expose.
5722 * cipher/ecc-curves.c (domain_parms): Fix according to the RFC errata.
5723 * cipher/ecc-ecdh.c: New.
5724 * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix for curves other
5725 than Curve25519.
5726 * src/gcrypt-int.h (_gcry_ecc_mul_point): New.
5727 * src/gcrypt.h.in (enum gcry_ecc_curves): New.
5728 (gcry_ecc_mul_point): New.
5729 * src/libgcrypt.def (gcry_ecc_mul_point): New.
5730 * src/libgcrypt.vers (gcry_ecc_mul_point): New.
5731 * src/visibility.h (gcry_ecc_mul_point): New.
5732 * src/visibility.c (gcry_ecc_mul_point): New.
5733 * tests/t-cv25519.c (test_cv_hl): Rename from test_cv.
5734 (test_cv_x25519): New.
5735 (test_cv): Call both of test_cv_hl and test_cv_x25519.
5736
5737 2019-06-05 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5738
5739 tests/basic: add CTR mode carry overflow test vectors.
5740 + commit 971d372f512ff6805d5b8b54e9ac1446f3f66643
5741 * tests/basic.c (check_ctr_cipher): Change tv structure 'plaintext'
5742 and 'out' to pointers; Add counter carry overflow test vectors; Make
5743 temporary buffer large enough for new test vectors.
5744
5745 GCM: move look-up table to .data section and unshare between processes.
5746 + commit a4c561aab1014c3630bc88faf6f5246fee16b020
5747 * cipher/cipher-gcm.c (ATTR_ALIGNED_64): New.
5748 (gcmR): Move to 'gcm_table' structure.
5749 (gcm_table): New structure for look-up table with counters before and
5750 after.
5751 (gcmR): New macro.
5752 (prefetch_table): Handle input with length not a multiple of 256.
5753 (do_prefetch_tables): Modify pre- and post-table counters to unshare
5754 look-up table pages between processes.
5755
5756 AES: move look-up tables to .data section and unshare between processes.
5757 + commit daedbbb5541cd8ecda1459d3b843ea4d92788762
5758 * cipher/rijndael-internal.h (ATTR_ALIGNED_64): New.
5759 * cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure.
5760 (enc_tables): New structure for encryption table with counters before
5761 and after.
5762 (encT): New macro.
5763 (dec_tables): Add counters before and after encryption table; Move
5764 from .rodata to .data section.
5765 (do_encrypt): Change 'encT' to 'enc_tables.T'.
5766 (do_decrypt): Change '&dec_tables' to 'dec_tables.T'.
5767 * cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input
5768 with length not a multiple of 256.
5769 (prefetch_enc, prefetch_dec): Modify pre- and post-table counters
5770 to unshare look-up table pages between processes.
5771
5772 2019-05-19 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5773
5774 cipher/Makefile.am: add '-fcoverage-*' to instrumentation munging.
5775 + commit c6ffa216976d80a13486b13f64d6776cdb8b6ccf
5776 * cipher/Makefile.am: Remove '-fcoverage-*' flag for mixed asm/C
5777 i386+amd64 implementations.
5778
5779 2019-05-15 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5780
5781 md: fix UBSAN warning.
5782 + commit dad94696d9c48c18b59576776c7caa95123dfa1b
5783 * cipher/md.c (gcry_md_list): Define 'context' as array of
5784 PROPERLY_ALIGNED_TYPE.
5785 (md_enable, _gcry_md_reset, _gcry_md_close, md_final, md_set_key)
5786 (prepare_macpads, md_read, md_extract): Access md context through
5787 'gcry_md_list->context' pointer instead of 'gcry_md_list->context.c'.
5788
5789 Disable instrumentation on mixed Intel SSE C/assembly implementations.
5790 + commit d24dae4538dbbda9e6c72a34fae69682cfb2fef0
5791 * cipher/Makefile.am: Make 'tiger.o' and 'tiger.lo' depend on Makefile;
5792 Add instrumentation option munging.
5793 * cipher/cipher-gcm-intel-pcmul.c (ALWAYS_INLINE)
5794 (NO_INSTRUMENT_FUNCTION, ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New.
5795 (reduction, gfmul_pclmul, gfmul_pclmul_aggr4, gfmul_pclmul_aggr8)
5796 (gcm_lsh): Define with 'ASM_FUNC_ATTR_INLINE' instead of 'inline'.
5797 (_gcry_ghash_setup_intel_pclmul, _gcry_ghash_intel_pclmul): Define with
5798 'ASM_FUNC_ATTR'.
5799 * cipher/crc-intel-pcmul.c (ALWAYS_INLINE, NO_INSTRUMENT_FUNCTION)
5800 (ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New.
5801 (crc32_reflected_bulk, crc32_reflected_less_than_16, crc32_bulk)
5802 (crc32_less_than_16): Define with 'ASM_FUNC_ATTR_INLINE' instead of
5803 'inline'.
5804 (_gcry_crc32_intel_pclmul, _gcry_crc24rfc2440_intel_pclmul): Define
5805 with 'ASM_FUNC_ATTR'.
5806 * cipher/rijndael-aesni.c (NO_INSTRUMENT_FUNCTION, ASM_FUNC_ATTR)
5807 (ASM_FUNC_ATTR_INLINE, ASM_FUNC_ATTR_NOINLINE): New.
5808 (aes_ocb_get_l, do_aesni_prepare_decryption, do_aesni_enc)
5809 (do_aesni_dec, do_aesni_enc_vec4, do_aesni_dec_vec4, do_aesni_enc_vec8)
5810 (do_aesni_dec_vec8, aesni_ocb_checksum): Define with
5811 'ASM_FUNC_ATTR_INLINE' instead of 'inline'.
5812 (do_aesni_ctr, do_aesni_ctr_4, do_aesni_ctr_8): Define with
5813 'ASM_FUNC_ATTR_INLINE'.
5814 (aesni_ocb_enc, aesni_ocb_dec): Define with 'ASM_FUNC_ATTR_NOINLINE'
5815 instead of 'NO_INLINE'.
5816 (_gcry_aes_aesni_do_setkey, _gcry_aes_aesni_prepare_decryption)
5817 (_gcry_aes_aesni_encrypt, _gcry_aes_aesni_cfg_enc)
5818 (_gcry_aes_aesni_cbc_enc, _gcry_aes_aesni_ctr_enc)
5819 (_gcry_aes_aesni_decrypt, _gcry_aes_aesni_cfb_dec)
5820 (_gcry_aes_aesni_cbc_dec, _gcry_aes_aesni_ocb_crypt)
5821 (_gcry_aes_aesni_ocb_auth, _gcry_aes_aesni_xts_enc)
5822 (_gcry_aes_aesni_xts_dec, _gcry_aes_aesni_xts_crypt): Define with
5823 'ASM_FUNC_ATTR'.
5824 * cipher/rijndael-ssse3-amd64.c (ALWAYS_INLINE, NO_INSTRUMENT_FUNCTION)
5825 (ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New.
5826 (aes_ocb_get_l, do_ssse3_prepare_decryption, do_vpaes_ssse3_enc)
5827 (do_vpaes_ssse3_dec): Define with 'ASM_FUNC_ATTR_INLINE' instead of
5828 'inline'.
5829 (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
5830 (_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_cfb_enc)
5831 (_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
5832 (_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_dec)
5833 (_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec)
5834 (_gcry_aes_ssse3_ocb_crypt, _gcry_aes_ssse3_ocb_auth): Define with
5835 'ASM_FUNC_ATTR'.
5836 * cipher/sha1-intel-shaext.c (NO_INSTRUMENT_FUNCTION)
5837 (ASM_FUNC_ATTR): New.
5838 (_gcry_sha1_transform_intel_shaext): Define with 'ASM_FUNC_ATTR'.
5839 * cipher/sha256-intel-shaext.c (NO_INSTRUMENT_FUNCTION)
5840 (ASM_FUNC_ATTR): New.
5841 (_gcry_sha256_transform_intel_shaext): Define with 'ASM_FUNC_ATTR'.
5842 * configure.ac (ENABLE_INSTRUMENTATION_MUNGING): New.
5843
5844 tests/basic: fix signed integer overflow.
5845 + commit 3c7ff6bd1c40d5216d6c12b6b28f77fd1a57baa7
5846 * tests/basic.c (check_ocb_cipher_largebuf_split): Cast to unsigned
5847 when generating buffer values.
5848
5849 2019-05-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5850
5851 tests: do not use GCC variadic macro extension for xgcry_control.
5852 + commit be567cb5dd629e9aa22d81b29d4326e5aa97efa7
5853 * tests/t-common.h (xgcry_control): Use doubly nested parenthesis for
5854 passing arguments for gcry_control instead of GCC specific variadic
5855 macro extension.
5856 * tests/aeswrap.c: Change xgcry_control to use doubly nested
5857 parenthesis.
5858 * tests/basic.c: Ditto.
5859 * tests/bench-slope.c: Ditto.
5860 * tests/benchmark.c: Ditto.
5861 * tests/curves.c: Ditto.
5862 * tests/dsa-rfc6979.c: Ditto.
5863 * tests/fips186-dsa: Ditto.
5864 * tests/fipsdrv.c: Ditto.
5865 * tests/fipsrngdrv.c: Ditto.
5866 * tests/gchash.c: Ditto.
5867 * tests/hashtest.c: Ditto.
5868 * tests/hmac.c: Ditto.
5869 * tests/keygen.c: Ditto.
5870 * tests/keygrip.c: Ditto.
5871 * tests/mpitests.c: Ditto.
5872 * tests/pkbench.c: Ditto.
5873 * tests/pkcs1v2.c: Ditto.
5874 * tests/prime.c: Ditto.
5875 * tests/pubkey.c: Ditto.
5876 * tests/random.c: Ditto.
5877 * tests/rsacvt.c: Ditto.
5878 * tests/t-convert.c: Ditto.
5879 * tests/t-cv25519.c: Ditto.
5880 * tests/t-ed25519.c: Ditto.
5881 * tests/t-kdf.c: Ditto.
5882 * tests/t-lock.c: Ditto.
5883 * tests/t-mpi-bit.c: Ditto.
5884 * tests/t-mpi-point.c: Ditto.
5885 * tests/t-secmem.c: Ditto.
5886 * tests/t-sexp.c: Ditto.
5887 * tests/version.c: Ditto.
5888
5889 2019-05-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5890
5891 tests/basic: mark CFB and CFB8 as stream block cipher modes.
5892 + commit 34e9306a66b47785ddbab6594ae4c23581d35b5a
5893 * tests/basic.c (get_algo_mode_blklen): Return '1' for CFB and CFB8.
5894
5895 2019-05-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5896
5897 Fix message digest final function for MD4, MD5 and RMD160.
5898 + commit 15592cd52f543aadb2fab8f6c112c68075309ad6
5899 * cipher/md4.c (md4_final): Use buffer offset '64 + 56' for bit count
5900 on 'need one extra block' path.
5901 * cipher/md5.c (md5_final): Ditto.
5902 * cipher/rmd160.c (rmd160_final): Ditto.
5903 * tests/basic.c (check_one_md_final): New.
5904 (check_digest): Add new '*' test vectors and handle them with
5905 check_one_md_final.
5906
5907 2019-05-06 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
5908
5909 Fix carry overflow in Stribog in 512-bit addition.
5910 + commit da6cd4fea30f79cf9d8f9b2f1c6daf3aea39fa9c
5911 * cipher/stribog.c (transform_bits): Properly calculate carry flag.
5912 * tests/basic.c (check_digests): Add two more test cases.
5913
5914 2019-04-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5915
5916 Add support for explicit_memset.
5917 + commit 71b0eb3fb75d2e6bbd86df055dc667b2debab0c1
5918 * configure.ac: Add function check for 'explicit_memset'.
5919 * src/misc.c (_gcry_fast_wipememory, _gcry_fast_wipememory2): Use
5920 explicit_memset if available.
5921
5922 Fix CFI_PUSH/CFI_POP redefine build warning with AMD64 MPI.
5923 + commit 78b1047eded8d5f8a13162d13160fce1809f6ee4
5924 * mpi/amd64/func_abi.h: Move CFI macros into [__x86_64__] block.
5925 * mpi/i386/syntax.h: Move CFI macros into [__i386__] block.
5926
5927 Enable four block aggregated GCM Intel PCLMUL implementation on i386.
5928 + commit a6e7c411e5f67a9473675ca8d49017a4d13a8d3e
5929 * cipher/cipher-gcm-intel-pclmul.c (reduction): Change "%%xmm7" to
5930 "%%xmm5".
5931 (gfmul_pclmul_aggr4): Move outside [__x86_64__] block; Remove usage of
5932 XMM8-XMM15 registers; Do not preload H-values and be_mask to reduce
5933 register usage for i386.
5934 (_gcry_ghash_setup_intel_pclmul): Enable calculation of H2, H3 and H4
5935 on i386.
5936 (_gcry_ghash_intel_pclmul): Adjust to above gfmul_pclmul_aggr4
5937 changes; Move 'aggr4' code path outside [__x86_64__] block.
5938
5939 Prefetch GCM look-up tables.
5940 + commit 1374254c2904ab5b18ba4a890856824a102d4705
5941 * cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables)
5942 (prefetch_tables): New.
5943 (ghash_internal): Call prefetch_tables.
5944
5945 Optimizations for generic table-based GCM implementations.
5946 + commit ecd02cdd61e8c690f48637656f0e1e08b750fe30
5947 * cipher/cipher-gcm.c [GCM_TABLES_USE_U64] (do_fillM): Precalculate
5948 M[32..63] values.
5949 [GCM_TABLES_USE_U64] (do_ghash): Split processing of two 64-bit halves
5950 of the input to two separate loops; Use precalculated M[] values.
5951 [GCM_USE_TABLES && !GCM_TABLES_USE_U64] (do_fillM): Precalculate
5952 M[64..127] values.
5953 [GCM_USE_TABLES && !GCM_TABLES_USE_U64] (do_ghash): Use precalculated
5954 M[] values.
5955 [GCM_USE_TABLES] (bshift): Avoid conditional execution for mask
5956 calculation.
5957 * cipher/cipher-internal.h (gcry_cipher_handle): Double gcm_table size.
5958
5959 2019-04-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5960
5961 Optimizations for GCM Intel/PCLMUL implementation.
5962 + commit af5f3fb08674608acf6617ea622ed0b9a2ee77a5
5963 * cipher/cipher-gcm-intel-pclmul.c (reduction): New.
5964 (gfmul_pclmul): Include shifting to left into pclmul operations; Use
5965 'reduction' helper function.
5966 [__x86_64__] (gfmul_pclmul_aggr4): Reorder instructions and adjust
5967 register usage to free up registers; Use 'reduction' helper function;
5968 Include shifting to left into pclmul operations; Move loading of H values
5969 and input from caller into this function.
5970 [__x86_64__] (gfmul_pclmul_aggr8): New.
5971 (gcm_lsh): New.
5972 (_gcry_ghash_setup_intel_pclmul): Left shift H values by one;
5973 Preserve XMM6-XMM15 registers on WIN64.
5974 (_gcry_ghash_intel_pclmul) [__x86_64__]: Use 8 block aggregated
5975 reduction function.
5976
5977 Move data pointer macro for 64-bit ARM assembly to common header.
5978 + commit b9be297bb8eba7a09fa8413261de1587adcfd381
5979 * cipher/asm-common-aarch64.h (GET_DATA_POINTER): New.
5980 * cipher/chacha20-aarch64.S (GET_DATA_POINTER): Remove.
5981 * cipher/cipher-gcm-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
5982 * cipher/crc-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
5983 * cipher/rijndael-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
5984 * cipher/sha1-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
5985 * cipher/sha256-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
5986
5987 Add CFI unwind assembly directives for 64-bit ARM assembly.
5988 + commit 5a2a96a63517838e04f9fc0fb2d932fac5124b8a
5989 * cipher/asm-common-aarch64.h (CFI_STARTPROC, CFI_ENDPROC)
5990 (CFI_REMEMBER_STATE, CFI_RESTORE_STATE, CFI_ADJUST_CFA_OFFSET)
5991 (CFI_REL_OFFSET, CFI_DEF_CFA_REGISTER, CFI_REGISTER, CFI_RESTORE)
5992 (DW_REGNO_SP, DW_SLEB128_7BIT, DW_SLEB128_28BIT, CFI_CFA_ON_STACK)
5993 (CFI_REG_ON_STACK): New.
5994 * cipher/camellia-aarch64.S: Add CFI directives.
5995 * cipher/chacha20-aarch64.S: Add CFI directives.
5996 * cipher/cipher-gcm-armv8-aarch64-ce.S: Add CFI directives.
5997 * cipher/crc-armv8-aarch64-ce.S: Add CFI directives.
5998 * cipher/rijndael-aarch64.S: Add CFI directives.
5999 * cipher/rijndael-armv8-aarch64-ce.S: Add CFI directives.
6000 * cipher/sha1-armv8-aarch64-ce.S: Add CFI directives.
6001 * cipher/sha256-armv8-aarch64-ce.S: Add CFI directives.
6002 * cipher/twofish-aarch64.S: Add CFI directives.
6003 * mpi/aarch64/mpih-add1.S: Add CFI directives.
6004 * mpi/aarch64/mpih-mul1.S: Add CFI directives.
6005 * mpi/aarch64/mpih-mul2.S: Add CFI directives.
6006 * mpi/aarch64/mpih-mul3.S: Add CFI directives.
6007 * mpi/aarch64/mpih-sub1.S: Add CFI directives.
6008 * mpi/asm-common-aarch64.h: Include "../cipher/asm-common-aarch64.h".
6009 (ELF): Remove.
6010
6011 Add 64-bit ARMv8/CE PMULL implementation of CRC.
6012 + commit 14c8a593ede42f51f567ed7ba77b53124151aa38
6013 * cipher/Makefile.am: Add 'crc-armv8-ce.c' and
6014 'crc-armv8-aarch64-ce.S'.
6015 * cipher/asm-common-aarch64.h [HAVE_GCC_ASM_CFI_DIRECTIVES]: Add CFI
6016 helper macros.
6017 * cipher/crc-armv8-aarch64-ce.S: New.
6018 * cipher/crc-armv8-ce.c: New.
6019 * cipher/crc.c (USE_ARM_PMULL): New.
6020 (CRC_CONTEXT) [USE_ARM_PMULL]: Add 'use_pmull'.
6021 [USE_ARM_PMULL] (_gcry_crc32_armv8_ce_pmull)
6022 (_gcry_crc24rfc2440_armv8_ce_pmull): New prototypes.
6023 (crc32_init, crc32rfc1510_init, crc24rfc2440_init): Enable ARM PMULL
6024 implementations if supported by HW features.
6025 (crc32_write, crc24rfc2440_write) [USE_ARM_PMULL]: Use ARM PMULL
6026 implementations if enabled.
6027 * configure.ac: Add 'crc-armv8-ce.lo' and 'crc-armv8-aarch64-ce.lo'.
6028
6029 2019-04-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6030
6031 mpi: make stack unwinding work at i386 mpi functions.
6032 + commit b878a986f3ab2c35aff89c7f66f137a91542ed5b
6033 * mpi/i386/syntax.h: Include 'config.h'.
6034 (CFI_STARTPROC, CFI_ENDPROC, CFI_ADJUST_CFA_OFFSET, CFI_REL_OFFSET)
6035 (CFI_RESTORE, CFI_PUSH, CFI_POP): New.
6036 * mpi/i386/mpih-add1.S: Add CFI directives.
6037 * mpi/i386/mpih-lshift.S: Add CFI directives.
6038 * mpi/i386/mpih-mul1.S: Add CFI directives.
6039 * mpi/i386/mpih-mul2.S: Add CFI directives.
6040 * mpi/i386/mpih-mul3.S: Add CFI directives.
6041 * mpi/i386/mpih-rshift.S: Add CFI directives.
6042 * mpi/i386/mpih-sub1.S: Add CFI directives.
6043
6044 hwf-x86: make stack unwinding work at i386 cpuid functions.
6045 + commit 0bd18e8bf7d67072f8c77352140b4ed4cfde3c6c
6046 * src/hwf-x86.c (FORCE_FUNC_FRAME_POINTER): New.
6047 [__i386__] (is_cpuid_available): Force use of stack frame pointer as
6048 inline assembly modifies stack register; Add 'memory' constraint for
6049 inline assembly.
6050 [__i386__] (get_cpuid): Avoid push/pop instruction when preserving
6051 %ebx register over cpuid.
6052
6053 Limit and document Blowfish key lengths to 8-576 bits.
6054 + commit 3546599e5578f89f9e77b08bf599f9c44b23da5f
6055 * cipher/blowfish.c (BLOWFISH_KEY_MIN_BITS)
6056 (BLOWFISH_KEY_MAX_BITS): New.
6057 (do_bf_setkey): Check input key length to MIN_BITS and MAX_BITS.
6058 * doc/gcrypt.texi: Update supported Blowfish key lengths.
6059 * tests/basic.c (check_ecb_cipher): New, with Blowfish test vectors
6060 for different key lengths.
6061 (check_cipher_modes): Call 'check_ecb_cipher'.
6062
6063 2019-04-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6064
6065 Add CFI unwind assembly directives for AMD64 assembly.
6066 + commit d11ae95d05dc39ec6b825d1109afadd964589880
6067 * configure.ac (gcry_cv_gcc_asm_cfi_directives): New.
6068 * cipher/asm-common-amd64.h (ADD_RIP, CFI_STARTPROC, CFI_ENDPROC)
6069 (CFI_REMEMBER_STATE, CFI_RESTORE_STATE, CFI_ADJUST_CFA_OFFSET)
6070 (CFI_REL_OFFSET, CFI_DEF_CFA_REGISTER, CFI_REGISTER, CFI_RESTORE)
6071 (CFI_PUSH, CFI_POP, CFI_POP_TMP_REG, CFI_LEAVE, DW_REGNO)
6072 (DW_SLEB128_7BIT, DW_SLEB128_28BIT, CFI_CFA_ON_STACK)
6073 (CFI_REG_ON_STACK): New.
6074 (ENTER_SYSV_FUNCPARAMS_0_4, EXIT_SYSV_FUNC): Add CFI directives.
6075 * cipher/arcfour-amd64.S: Add CFI directives.
6076 * cipher/blake2b-amd64-avx2.S: Add CFI directives.
6077 * cipher/blake2s-amd64-avx.S: Add CFI directives.
6078 * cipher/blowfish-amd64.S: Add CFI directives.
6079 * cipher/camellia-aesni-avx-amd64.S: Add CFI directives; Use
6080 'asm-common-amd64.h'.
6081 * cipher/camellia-aesni-avx2-amd64.S: Add CFI directives; Use
6082 'asm-common-amd64.h'.
6083 * cipher/cast5-amd64.S: Add CFI directives.
6084 * cipher/chacha20-amd64-avx2.S: Add CFI directives.
6085 * cipher/chacha20-amd64-ssse3.S: Add CFI directives.
6086 * cipher/des-amd64.S: Add CFI directives.
6087 * cipher/rijndael-amd64.S: Add CFI directives.
6088 * cipher/rijndael-ssse3-amd64-asm.S: Add CFI directives.
6089 * cipher/salsa20-amd64.S: Add CFI directives; Use 'asm-common-amd64.h'.
6090 * cipher/serpent-avx2-amd64.S: Add CFI directives; Use
6091 'asm-common-amd64.h'.
6092 * cipher/serpent-sse2-amd64.S: Add CFI directives; Use
6093 'asm-common-amd64.h'.
6094 * cipher/sha1-avx-amd64.S: Add CFI directives; Use
6095 'asm-common-amd64.h'.
6096 * cipher/sha1-avx-bmi2-amd64.S: Add CFI directives; Use
6097 'asm-common-amd64.h'.
6098 * cipher/sha1-avx2-bmi2-amd64.S: Add CFI directives; Use
6099 'asm-common-amd64.h'.
6100 * cipher/sha1-ssse3-amd64.S: Add CFI directives; Use
6101 'asm-common-amd64.h'.
6102 * cipher/sha256-avx-amd64.S: Add CFI directives; Use
6103 'asm-common-amd64.h'.
6104 * cipher/sha256-avx2-bmi2-amd64.S: Add CFI directives; Use
6105 'asm-common-amd64.h'.
6106 * cipher/sha256-ssse3-amd64.S: Add CFI directives; Use
6107 'asm-common-amd64.h'.
6108 * cipher/sha512-avx-amd64.S: Add CFI directives; Use
6109 'asm-common-amd64.h'.
6110 * cipher/sha512-avx2-bmi2-amd64.S: Add CFI directives; Use
6111 'asm-common-amd64.h'.
6112 * cipher/sha512-ssse3-amd64.S: Add CFI directives; Use
6113 'asm-common-amd64.h'.
6114 * cipher/twofish-amd64.S: Add CFI directives.
6115 * cipher/twofish-avx2-amd64.S: Add CFI directives; Use
6116 'asm-common-amd64.h'.
6117 * cipher/whirlpool-sse2-amd64.S: Add CFI directives; Use
6118 'asm-common-amd64.h'.
6119 * mpi/amd64/func_abi.h: Include 'config.h'.
6120 (CFI_STARTPROC, CFI_ENDPROC, CFI_ADJUST_CFA_OFFSET, CFI_REL_OFFSET)
6121 (CFI_RESTORE, CFI_PUSH, CFI_POP): New.
6122 (FUNC_ENTRY, FUNC_EXIT): Add CFI directives.
6123
6124 2019-04-15 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6125
6126 twofish-amd64: do not use xchg instruction.
6127 + commit 0903b215ef5a18332b740a24e6e2bfbed9e1d97b
6128 * cipher/twofish-amd64.S (g1g2_3): Swap ab and cd registers using
6129 'movq' instructions instead of 'xchgq'.
6130
6131 2019-04-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6132
6133 Use FreeBSD's elf_aux_info for detecting ARM HW features.
6134 + commit 2ffc689d4757f31f1e2c4961b94b0b0c8dc302b7
6135 * configure.ac: Add function check for 'elf_aux_info'.
6136 * src/hwf-arm.c [HAVE_ELF_AUX_INFO]: Include 'sys/auxv.h'.
6137 [HAVE_ELF_AUX_INFO && !HAVE_GETAUXVAL] (HAVE_GETAUXVAL)
6138 (getauxval): New.
6139
6140 2019-04-08 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6141
6142 Use getauxval system function for detecting ARM HW features.
6143 + commit 6812a2c5bd2d9129bfdf34f3daf89cd8543ed8e5
6144 * configure.ac: Add header check for 'sys/auxv.h'; Add function check
6145 for 'getauxval'.
6146 * src/hwf-arm.c [HAVE_SYS_AUXV_H && HAVE_GETAUXVAL]: Include
6147 'sys/auxv.h'.
6148 (HAS_SYS_AT_HWCAP): Enable AT_HWCAP if 'getauxval' is available, in
6149 addition to __linux__.
6150 (AT_HWCAP, AT_HWCAP2, HWCAP_NEON, HWCAP2_AES, HWCAP2_PMULL)
6151 (HWCAP2_SHA1, HWCAP2_SHA2, HWCAP_ASIMD, HWCAP_AES)
6152 (HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2): Define these macros only if not
6153 already defined.
6154 (get_hwcap) [HAVE_SYS_AUXV_H && HAVE_GETAUXVAL]: Use 'getauxval' to
6155 fetch HW capability flags.
6156
6157 Disable SM3 in FIPS mode.
6158 + commit 04a6c3c7482dd1ecb5113a049b1765b0d5f212fb
6159 * cipher/sm3.h (_gcry_digest_spec_sm3): Set flags.fips to zero.
6160
6161 2019-04-07 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6162
6163 Tune SHA-512/AVX2 and SHA-256/AVX2 implementations.
6164 + commit 478581c5107ae75281c54e56cdcef5165f3155ca
6165 * cipher/sha256-avx2-bmi2-amd64.S (ONE_ROUND_PART1, ONE_ROUND_PART2)
6166 (ONE_ROUND): New round function.
6167 (FOUR_ROUNDS_AND_SCHED, FOUR_ROUNDS): Use new round function.
6168 (_gcry_sha256_transform_amd64_avx2): Exit early if number of blocks is
6169 zero; Write XFER to stack earlier and handle XREF writing in
6170 FOUR_ROUNDS_AND_SCHED.
6171 * cipher/sha512-avx2-bmi2-amd64.S (MASK_YMM_LO, MASK_YMM_LOx): New.
6172 (ONE_ROUND_PART1, ONE_ROUND_PART2, ONE_ROUND): New round function.
6173 (FOUR_ROUNDS_AND_SCHED, FOUR_ROUNDS): Use new round function.
6174 (_gcry_sha512_transform_amd64_avx2): Write XFER to stack earlier and
6175 handle XREF writing in FOUR_ROUNDS_AND_SCHED.
6176
6177 2019-04-05 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6178
6179 Add SHA512/224 and SHA512/256 algorithms.
6180 + commit a3683b6f623189a4b65bb584bb9e65e3ad7b3139
6181 * cipher/mac-hmac.c (map_mac_algo_to_md): Add mapping for SHA512/224
6182 and SHA512/256.
6183 (_gcry_mac_type_spec_hmac_sha512_256)
6184 (_gcry_mac_type_spec_hmac_sha512_224): New.
6185 * cipher/mac-internal.h (_gcry_mac_type_spec_hmac_sha512_256)
6186 (_gcry_mac_type_spec_hmac_sha512_224): New.
6187 * cipher/mac.c (mac_list, mac_list_algo101): Add SHA512/224 and
6188 SHA512/256.
6189 * cipher/md.c (digest_list, digest_list_algo301)
6190 (prepare_macpads): Ditto.
6191 * cipher/sha512.c (run_selftests): Ditto.
6192 (sha512_init_common): Move common initialization here.
6193 (sha512_init, sha384_init): Use common initialization function.
6194 (sha512_224_init, sha512_256_init, _gcry_sha512_224_hash_buffer)
6195 (_gcry_sha512_224_hash_buffers, _gcry_sha512_256_hash_buffer)
6196 (_gcry_sha512_256_hash_buffers, selftests_sha512_224)
6197 (selftests_sha512_256, sha512_224_asn, oid_spec_sha512_224)
6198 (_gcry_digest_spec_sha512_224, sha512_256_asn, oid_spec_sha512_256)
6199 (_gcry_digest_spec_sha512_256): New.
6200 * doc/gcrypt.texi: Add SHA512/224 and SHA512/256; Add missing
6201 HMAC-BLAKE2s and HMAC-BLAKE2b.
6202 * src/cipher.h (_gcry_digest_spec_sha512_224)
6203 (_gcry_digest_spec_sha512_256): New.
6204 * src/gcrypt.h.in (GCRY_MD_SHA512_256, GCRY_MD_SHA512_224): New.
6205 (GCRY_MAC_HMAC_SHA512_256, GCRY_MAC_HMAC_SHA512_224): New.
6206 * tests/basic.c (check_digests): Add SHA512/224 and SHA512/256
6207 test vectors.
6208
6209 Remove extra buffer flush at beginning of digest final functions.
6210 + commit c6055aaccac86e1ca8a9d35c980d7abbacf2a9ff
6211 * cipher/md2.c (md2_final): Remove _gcry_md_block_write flush call
6212 from entry.
6213 * cipher/md4.c (md4_final): Ditto.
6214 * cipher/md5.c (md5_final): Ditto.
6215 * cipher/rmd160.c (rmd160_final): Ditto.
6216 * cipher/sha1.c (sha1_final): Ditto.
6217 * cipher/sha256.c (sha256_final): Ditto.
6218 * cipher/sha512.c (sha512_final): Ditto.
6219 * cipher/sm3.c (sm3_final): Ditto.
6220 * cipher/stribog.c (stribog_final): Ditto.
6221 * cipher/tiger.c (tiger_final): Ditto.
6222
6223 Optimizations for digest final functions.
6224 + commit e76cd0e2b1f6025c1319576a5848815d1d231aeb
6225 * cipher/md4.c (md4_final): Avoid byte-by-byte buffer setting when
6226 padding; Merge extra and last block processing.
6227 * cipher/md5.c (md5_final): Ditto.
6228 * cipher/rmd160.c (rmd160_final): Ditto.
6229 * cipher/sha1.c (sha1_final): Ditto.
6230 * cipher/sha256.c (sha256_final): Ditto.
6231 * cipher/sm3.c (sm3_final): Ditto.
6232 * cipher/tiger.c (tiger_final): Ditto.
6233 * cipher/sha512.c (sha512_final): Avoid byte-by-byte buffer setting
6234 when padding.
6235 * cipher/stribog.c (stribog_final): Ditto.
6236 * cipher/whirlpool.c (whirlpool_final): Ditto.
6237
6238 tests/basic: add hash test for small block sizes.
6239 + commit c54b1c96c644c941f3eb3d2a09432b82f25b6ff1
6240 * tests/basic.c (check_one_md): Compare hashing of buffer sizes from 1 to
6241 129 as full-buffer input and as byte-by-byte input.
6242
6243 Burn stack in transform functions for SHA2 AMD64 implementations.
6244 + commit 74ef3ecbf94e704975e238a99c0e0480cebf46ac
6245 * cipher/sha256-avx-amd64.S: Burn stack inside transform functions.
6246 * cipher/sha256-avx2-bmi2-amd64.S: Ditto.
6247 * cipher/sha256-ssse3-amd64.S: Ditto.
6248 * cipher/sha512-avx-amd64.S: Ditto.
6249 * cipher/sha512-avx2-bmi2-amd64.S: Ditto.
6250 * cipher/sha512-ssse3-amd64.S: Ditto.
6251
6252 Burn stack in transform functions for SHA1 AMD64 implementations.
6253 + commit f3d4bd90662faaedd37ce0dae1f9e7f91748e91e
6254 * cipher/sha1-avx-amd64.S: Burn stack inside transform functions.
6255 * cipher/sha1-avx-bmi2-amd64.S: Ditto.
6256 * cipher/sha1-avx2-bmi2-amd64.S: Ditto.
6257 * cipher/sha1-ssse3-amd64.S: Ditto.
6258
6259 Add AVX2/BMI2 implementation of SHA1.
6260 + commit b982900bfe6403e95a157271d8d811c9c573af9e
6261 * cipher/Makefile.am: Add 'sha1-avx2-bmi2-amd64.S'.
6262 * cipher/hash-common.h (MD_BLOCK_CTX_BUFFER_SIZE): New.
6263 (gcry_md_block_ctx): Change buffer length to MD_BLOCK_CTX_BUFFER_SIZE.
6264 * cipher/sha1-avx-amd64.S: Add missing .size for transform function.
6265 * cipher/sha1-ssse3-amd64.S: Add missing .size for transform function.
6266 * cipher/sha1-avx-bmi2-amd64.S: Add missing .size for transform
6267 function; Tweak implementation for small ~1% speed increase.
6268 * cipher/sha1-avx2-bmi2-amd64.S: New.
6269 * cipher/sha1.c (USE_AVX2, _gcry_sha1_transform_amd64_avx2_bmi2)
6270 (do_sha1_transform_amd64_avx2_bmi2): New.
6271 (sha1_init) [USE_AVX2]: Enable AVX2 implementation if supported by
6272 HW features.
6273 (sha1_final): Merge processing of two last blocks when extra block is
6274 needed.
6275
6276 2019-03-31 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6277
6278 blowfish: add three rounds parallel handling to generic C implementation.
6279 + commit ced7508c857c0cc37da2299a393e5b167dd28e54
6280 * cipher/blowfish.c (BLOWFISH_ROUNDS): Remove.
6281 [BLOWFISH_ROUNDS != 16] (function_F): Remove.
6282 (F): Replace big-endian and little-endian version with single
6283 endian-neutral version.
6284 (R3, do_encrypt_3, do_decrypt_3): New.
6285 (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
6286 (_gcry_blowfish_cfb_dec): Use new three block functions.
6287
6288 cast5: add three rounds parallel handling to generic C implementation.
6289 + commit 4ec566b3689eff4a712eacfcbb4161eb243bb1df
6290 * cipher/cast5.c (do_encrypt_block_3, do_decrypt_block_3): New.
6291 (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec): Use
6292 new three block functions.
6293
6294 cast5: read Kr four blocks at a time and shift for current round.
6295 + commit 8a0e68be1020d0c359bf8191159ac1ebe32a5aa0
6296 * cipher/cast5.c (do_encrypt_block, do_decrypt_block): Read Kr as
6297 32-bit words instead of bytes and shift value for each round.
6298
6299 Add helper function for adding value to cipher block.
6300 + commit 0fe918fa897cca9e01cbdb80d14106cfe5af680e
6301 * cipher/cipher-internal.h (cipher_block_add): New.
6302 * cipher/blowfish.c (_gcry_blowfish_ctr_enc): Use new helper function
6303 for CTR block increment.
6304 * cipher/camellia-glue.c (_gcry_camellia_ctr_enc): Ditto.
6305 * cipher/cast5.c (_gcry_cast5_ctr_enc): Ditto.
6306 * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
6307 * cipher/des.c (_gcry_3des_ctr_enc): Ditto.
6308 * cipher/rijndael.c (_gcry_aes_ctr_enc): Ditto.
6309 * cipher/serpent.c (_gcry_serpent_ctr_enc): Ditto.
6310 * cipher/twofish.c (_gcry_twofish_ctr_enc): Ditto.
6311
6312 2019-03-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6313
6314 Optimize OCB set_key and set_nonce.
6315 + commit efd700e31dc8e1e386d367d1b682000977e0c810
6316 * cipher/cipher-ocb.c (double_block): Change to input/output
6317 host-endian block instead of big-endian buffer.
6318 (double_block_cpy): Remove.
6319 (bit_copy): Use fixed length copy and 'u64' for calculations.
6320 (ocb_get_L_big): Handle block endian conversions for double_block.
6321 (_gcry_cipher_ocb_setkey): Handle block endian conversions for
6322 double_block.
6323 (_gcry_cipher_ocb_set_nonce): Set full length of 'ktop' to zero; Drop
6324 length parameter for bit_copy.
6325
6326 AES-NI/OCB: Optimize last and first key XORing.
6327 + commit eacbd59b1333b95858886999c8049e04bf72ad74
6328 * cipher/rijndael-aesni.c (aesni_ocb_enc, aesni_ocb_dec)
6329 [__x86_64__]: Reorder and mix first and last key XORing with OCB offset
6330 XOR operations.
6331
6332 AES-NI/OCB: Perform checksumming inline with encryption.
6333 + commit e924ce456d5728a81c148de4a6eb23373cb70ca0
6334 * cipher/rijndael-aesni.c (aesni_ocb_enc): Remove call to
6335 'aesni_ocb_checksum', instead perform checksumming inline with offset
6336 calculations.
6337
6338 2019-03-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6339
6340 AES-NI/OCB: Use stack for temporary storage.
6341 + commit b82dbbedf027327e0b4444a01edb045f51c4152b
6342 * cipher/rijndael-aesni.c (aesni_ocb_enc, aesni_ocb_dec): Use stack
6343 allocated 'tmpbuf' instead of output buffer as temporary storage.
6344
6345 2019-03-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6346
6347 tests/basic: add large buffer testing for ciphers.
6348 + commit cabeebfc1179c8f5982834a8cbce02c55b3468e2
6349 * tests/basic.c (check_one_cipher_core): Allocate buffers from heap.
6350 (check_one_cipher): Add testing with a large buffer (~65 KiB) in addition
6351 to the medium-size buffer (~2 KiB).
6352
6353 chacha20-poly1305: fix wrong en/decryption on large input buffers.
6354 + commit 049376470b31832d3331fc0037d273b4147e9d38
6355 * cipher/chacha20.c (_gcry_chacha20_poly1305_encrypt)
6356 (_gcry_chacha20_poly1305_decrypt): Correctly use 'currlen' for chacha20
6357 on the non-stitched code path.
6358
6359 2019-03-24 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6360
6361 doc: add mention about aligning data to cachelines for best performance.
6362 + commit bb03edcbba95e06686188957a65c1967ee07cd6a
6363 * doc/gcrypt.texi: Add mention about aligning data to cachelines for
6364 best performance.
6365
6366 random-drbg: do not use calloc for zero ctr.
6367 + commit 5a20151213c2e496513c541c36e4ebd086b20be9
6368 * random/random-drbg.c (DRBG_CTR_NULL_LEN): Move to 'constants'
6369 section.
6370 (drbg_state_s): Remove 'ctr_null' member.
6371 (drbg_ctr_generate): Add 'drbg_ctr_null'.
6372 (drbg_sym_fini, drbg_sym_init): Remove 'drbg->ctr_null' usage.
6373
6374 2019-03-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6375
6376 Add ARMv7/NEON accelerated GCM implementation.
6377 + commit 2445cf7431fab921f6c1870da7084ee698992064
6378 * cipher/Makefile.am: Add 'cipher-gcm-armv7-neon.S'.
6379 * cipher/cipher-gcm-armv7-neon.S: New.
6380 * cipher/cipher-gcm.c [GCM_USE_ARM_NEON] (_gcry_ghash_setup_armv7_neon)
6381 (_gcry_ghash_armv7_neon, ghash_setup_armv7_neon)
6382 (ghash_armv7_neon): New.
6383 (setupM) [GCM_USE_ARM_NEON]: Use armv7/neon implementation if
6384 HWF_ARM_NEON is available.
6385 * cipher/cipher-internal.h (GCM_USE_ARM_NEON): New.
6386
6387 Use memset instead of setting buffers byte by byte.
6388 + commit 6f2391d2df029b0e1a4e5dde17c3d97cc594a1c7
6389 * cipher/cipher-ccm.c (do_cbc_mac): Replace buffer setting loop with memset call.
6390 * cipher/cipher-gcm.c (do_ghash_buf): Ditto.
6391 * cipher/poly1305.c (poly1305_final): Ditto.
6392
6393 Use buf_cpy instead of copying buffers byte by byte.
6394 + commit 4db6d8796c0d95ab89e9ad69336509b604b957cd
6395 * cipher/bufhelp.h (buf_cpy): Skip memcpy if length is zero.
6396 * cipher/cipher-ccm.c (do_cbc_mac): Replace buffer copy loops with buf_cpy call.
6397 * cipher/cipher-cmac.c (_gcry_cmac_write): Ditto.
6398 * cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate): Ditto.
6399
6400 Reduce overhead on generic hash write function.
6401 + commit e76617cbab018dd8f41fd6b4ec6740b5303f7e13
6402 * cipher/hash-common.c (_gcry_md_block_write): Remove recursive
6403 function call; Use buf_cpy for copying buffers; Burn stack only once.
6404
6405 sha1-avx: use vmovdqa instead of movdqa.
6406 + commit f8d14df1abd645c3279b14da43b4a7983d87f89f
6407 * cipher/sha1-avx-amd64.S: Replace 'movdqa' with 'vmovdqa'.
6408 * cipher/sha1-avx-bmi2-amd64.S: Replace 'movdqa' with 'vmovdqa'.
6409
6410 doc/gcrypt.texi: update HW feature list.
6411 + commit 7abf65da84c7106250a5ed2de78b05610cf251f4
6412 * doc/gcrypt.texi: Update HW feature list.
6413
6414 2019-03-20 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
6415
6416 ecc: Adjust debugging output.
6417 + commit 54db6a4b44124ed7e95897174f32262482b4b0cb
6418 * cipher/ecc.c (ecc_check_secret_key): Adjust debugging output to use
6419 full column titles.
6420
6421 2019-02-25 NIIBE Yutaka <gniibe@fsij.org>
6422
6423 fips: Only test check_binary_integrity when fips_mode is enabled.
6424 + commit ad133fc79757236359252e92244fe16e9adb45a3
6425 * src/fips.c (_gcry_fips_run_selftests): Check the status of fips_mode
6426 before calling check_binary_integrity.
6427
6428 2019-02-07 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6429
6430 Add 2-way path for SSSE3 version of ChaCha20.
6431 + commit d455068988e5779b0200c51415ddab6b51e12dc4
6432 * cipher/chacha20-amd64-ssse3.S (_gcry_chacha20_amd64_ssse3_blocks1)
6433 (_gcry_chacha20_poly1305_amd64_ssse3_blocks1): Add 2-way code paths.
6434 * cipher/chacha20.c (_gcry_chacha20_poly1305_encrypt): Add
6435 preprocessing of 2 blocks with SSSE3.
6436
6437 2019-01-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6438
6439 Do not precalculate OCB offset L0+L1+L0.
6440 + commit afab94d222425ecb838eb56cb0723bdaf3e5de36
6441 * cipher/cipher-internal.h (gcry_cipher_handle): Remove OCB L0L1L0.
6442 * cipher/cipher-ocb.c (_gcry_cipher_ocb_setkey): Ditto.
6443 * cipher/rijndael-aesni.c (aesni_ocb_enc, aesni_ocb_dec)
6444 (_gcry_aes_aesni_ocb_auth): Replace L0L1L0 use with L1.
6445
6446 Calculate OCB L-tables when setting key instead of when setting nonce.
6447 + commit c15409c49993166ab1325d45360b3a8fe72a5556
6448 * cipher/cipher-internal.h (gcry_cipher_handle): Mark areas of
6449 u_mode.ocb that are and are not cleared by gcry_cipher_reset.
6450 (_gcry_cipher_ocb_setkey): New.
6451 * cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Split
6452 L-table generation to ...
6453 (_gcry_cipher_ocb_setkey): ... this new function.
6454 * cipher/cipher.c (cipher_setkey): Add handling for OCB mode.
6455 (cipher_reset): Do not clear L-values for OCB mode.
6456
6457 chacha20-amd64-avx2: optimize output xoring.
6458 + commit 08e0650c21984bb9ddf5a1dabb1cc890fabf63ab
6459 * cipher/chacha20-amd64-avx2.S (STACK_TMP2): Remove.
6460 (transpose_16byte_2x2, xor_src_dst): New.
6461 (BUF_XOR_256_TO_128): Remove.
6462 (_gcry_chacha20_amd64_avx2_blocks8)
6463 (_gcry_chacha20_poly1305_amd64_avx2_blocks8): Replace
6464 BUF_XOR_256_TO_128 with transpose_16byte_2x2/xor_src_dst; Reduce stack
6465 usage; Better interleave chacha20 state merging and output xoring.
6466
6467 tests/bench-slope: prevent auto-mhz detection getting stuck.
6468 + commit 28614a77a28190ab902a2b98039de2cd0635c7c7
6469 * cipher/bench-slope.c (bench_ghz, bench_ghz_diff): New static
6470 variables.
6471 (AUTO_GHZ_TARGET_DIFF): New macro.
6472 (do_slope_benchmark): Reduce target auto-mhz accuracy after
6473 repeated failures.
6474 (bench_print_result_csv, bench_print_result_std): Print auto-ghz
6475 difference if 1 MHz or more.
6476 (do_slope_benchmark, bench_print_result_csv, bench_print_result_std)
6477 (bench_print_result): Remove 'bench_ghz' parameter.
6478 (cipher_bench_one, hash_bench_one, mac_bench_one)
6479 (kdf_bench_one): Remove 'bench_ghz' variable.
6480
6481 tests/bench-slope: add missing cipher context reset.
6482 + commit 546f13ae08918726791600cdd0d0be56cc52c790
6483 * tests/bench-slope.c (bench_encrypt_do_bench)
6484 (bench_decrypt_do_bench): Add call to 'gcry_cipher_reset'.
6485
6486 Add stitched ChaCha20-Poly1305 SSSE3 and AVX2 implementations.
6487 + commit d6330dfb4b0e9fb3f8eef65ea13146060b804a97
6488 * cipher/asm-poly1305-amd64.h: New.
6489 * cipher/Makefile.am: Add 'asm-poly1305-amd64.h'.
6490 * cipher/chacha20-amd64-avx2.S (QUARTERROUND2): Add interleave
6491 operators.
6492 (_gcry_chacha20_poly1305_amd64_avx2_blocks8): New.
6493 * cipher/chacha20-amd64-ssse3.S (QUARTERROUND2): Add interleave
6494 operators.
6495 (_gcry_chacha20_poly1305_amd64_ssse3_blocks4)
6496 (_gcry_chacha20_poly1305_amd64_ssse3_blocks1): New.
6497 * cipher/chacha20.c (_gcry_chacha20_poly1305_amd64_ssse3_blocks4)
6498 (_gcry_chacha20_poly1305_amd64_ssse3_blocks1)
6499 (_gcry_chacha20_poly1305_amd64_avx2_blocks8): New prototypes.
6500 (chacha20_encrypt_stream): Split tail to...
6501 (do_chacha20_encrypt_stream_tail): ... new function.
6502 (_gcry_chacha20_poly1305_encrypt)
6503 (_gcry_chacha20_poly1305_decrypt): New.
6504 * cipher/cipher-internal.h (_gcry_chacha20_poly1305_encrypt)
6505 (_gcry_chacha20_poly1305_decrypt): New prototypes.
6506 * cipher/cipher-poly1305.c (_gcry_cipher_poly1305_encrypt): Call
6507 '_gcry_chacha20_poly1305_encrypt' if cipher is ChaCha20.
6508 (_gcry_cipher_poly1305_decrypt): Call
6509 '_gcry_chacha20_poly1305_decrypt' if cipher is ChaCha20.
6510 * cipher/poly1305-internal.h (_gcry_cipher_poly1305_update_burn): New
6511 prototype.
6512 * cipher/poly1305.c (poly1305_blocks): Make static.
6513 (_gcry_poly1305_update): Split main function body to ...
6514 (_gcry_poly1305_update_burn): ... new function.
6515
6516 Add SSSE3 optimized non-parallel ChaCha20 function.
6517 + commit 7d9b2f114f3edf4d13640616cf34c79364234781
6518 * cipher/chacha20-amd64-ssse3.S (ROTATE_SHUF, ROTATE, WORD_SHUF)
6519 (QUARTERROUND4, _gcry_chacha20_amd64_ssse3_blocks1): New.
6520 * cipher/chacha20.c (_gcry_chacha20_amd64_ssse3_blocks1): New
6521 prototype.
6522 (chacha20_blocks): Rename to ...
6523 (do_chacha20_blocks): ... this.
6524 (chacha20_blocks): New.
6525 (chacha20_encrypt_stream): Adjust for new chacha20_blocks function.
6526
6527 tests/basic: increase buffer size for check_one_cipher.
6528 + commit 88e482d16ee80de41b6f133e77f0d15423fcd266
6529 * tests/basic.c (check_one_cipher_core)
6530 (check_one_cipher): Increase buffer from 1040 to 1904 bytes.
6531
6532 tests/basic: check AEAD tags in check_one_cipher test.
6533 + commit eee1f152a5b3040f6723d287d1b01fb939be67b7
6534 * tests/basic.c (get_algo_mode_taglen): New.
6535 (check_one_cipher_core_reset): Check that tags are same with
6536 AEAD modes.
6537
6538 2019-01-15 NIIBE Yutaka <gniibe@fsij.org>
6539
6540 build: With LD_LIBRARY_PATH defined, use --disable-new-dtags.
6541 + commit e5c2f8a2cd2b89d90ea30de2dedb0e92498a5f70
6542 * configure.ac (LDADD_FOR_TESTS_KLUDGE): New for --disable-new-dtags.
6543 * tests/Makefile.am (LDADD, t_lock_LDADD): Use LDADD_FOR_TESTS_KLUDGE.
6544
6545 random: Fix previous commit for getentropy function.
6546 + commit 17f246c7044ab9ed236f6ec73fc126654257f0f9
6547 * random/rndlinux.c [__NR_getrandom] (_gcry_rndlinux_gather_random):
6548 Check the return value only when the syscall is used.
6549
6550 random: Use getentropy when available for non-GNU/Linux.
6551 + commit 2677d7d482bf2d078c1dce64854747c5b148924b
6552 * configure.ac: Detect getentropy.
6553 * random/rndlinux.c [__linux__] (getentropy): Macro defined.
6554 [HAVE_GETENTROPY] (_gcry_rndlinux_gather_random): Use getentropy.
6555
6556 2019-01-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6557
6558 camellia-aarch64: do not export look-up table globally.
6559 + commit 09c27280cc09798d15369b3a143036b7ab5ddd69
6560 * cipher/camellia-aarch64.S (_gcry_camellia_arm_tables): Remove
6561 '.globl' export.
6562
6563 2019-01-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6564
6565 Process CCM/EAX/GCM/Poly1305 AEAD cipher modes input in 24 KiB chunks.
6566 + commit 3ee6588de8311b461ef8707c70ff86d2b252966d
6567 * cipher/cipher-ccm.c (_gcry_cipher_ccm_encrypt)
6568 (_gcry_cipher_ccm_decrypt): Process data in 24 KiB chunks.
6569 * cipher/cipher-eax.c (_gcry_cipher_eax_encrypt)
6570 (_gcry_cipher_eax_decrypt): Ditto.
6571 * cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt)
6572 (_gcry_cipher_gcm_decrypt): Ditto.
6573 * cipher/cipher-poly1305.c (_gcry_cipher_poly1305_encrypt)
6574 (_gcry_cipher_poly1305_decrypt): Ditto.
6575
6576 tests/benchmark: add Chacha20-Poly1305 benchmarking.
6577 + commit 4871f11745f33c5c5051bfe6f325ac1c10764b04
6578 * tests/benchmark.c (cipher_bench): Add Chacha20-Poly1305.
6579
6580 tests/benchmark: add --huge-buffers option for cipher tests.
6581 + commit edde61f325e4b345f17c47369f3b6b1400656f04
6582 * tests/benchmark.c (huge_buffers, cipher_encrypt, cipher_decrypt): New.
6583 (cipher_bench): Add 'max_inlen' to modes structure; add huge buffers
6584 mode selection.
6585 (main): Add '--huge-buffers'.
6586
6587 2018-12-19 NIIBE Yutaka <gniibe@fsij.org>
6588
6589 random: Add finalizer for rndjent.
6590 + commit 3028a221d39c1b593ea0c1bcbfccd33959769692
6591 * random/rand-internal.h (_gcry_rndjent_fini): New.
6592 * random/rndjent.c (_gcry_rndjent_fini): New.
6593 * random/rndlinux.c (_gcry_rndlinux_gather_random): Call the finalizer
6594 when GCRYCTL_CLOSE_RANDOM_DEVICE.
6595
6596 2018-12-12 Werner Koch <wk@gnupg.org>
6597
6598 secmem: Prepare for easier debugging.
6599 + commit 876f7280e8604bc99ddda0526339ec5ec6b23c4b
6600 * src/secmem.c (_gcry_secmem_dump_stats): Factor code out to ...
6601 (secmem_dump_stats_internal): new.
6602
6603 2018-12-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6604
6605 rijndael-aesni: interleave last CTR encryption round with xoring.
6606 + commit 66d2b7fc17258f1424f4ca4adb1096e48b818bd0
6607 * cipher/rijndael-aesni.c (do_aesni_ctr_8): Interleave aesenclast
6608 with input xoring.
6609
6610 2018-11-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6611
6612 Use explicit_bzero for wipememory.
6613 + commit 168668228c7c49e70612cb4d602d6d603a2add2c
6614 * configure.ac (AC_CHECK_FUNCS): Check for 'explicit_bzero'.
6615 * src/g10lib.h (wipememory2): Use _gcry_fast_wipememory if _SET is
6616 zero.
6617 (_gcry_fast_wipememory): New.
6618 (_gcry_wipememory2): Rename to...
6619 (_gcry_fast_wipememory2): ...this.
6620 * src/misc.c (_gcry_wipememory): New.
6621 (_gcry_wipememory2): Rename to...
6622 (_gcry_fast_wipememory2): ...this.
6623 (_gcry_fast_wipememory2) [HAVE_EXPLICIT_BZERO]: Use explicit_bzero if
6624 SET is zero.
6625 (_gcry_burn_stack): Use _gcry_fast_wipememory.
6626
6627 Add clang target pragma for mixed C/assembly x86-64 implementations.
6628 + commit 9d9c4fd18b445ff414d11678285d54af3afdb222
6629 * cipher/cipher-gcm-intel-pclmul.c: Add target 'no-sse' attribute
6630 pragma for clang.
6631 * cipher/crc-intel-pclmul.c: Ditto.
6632 * cipher/rijndael-aesni.c: Ditto.
6633 * cipher/rijndael-ssse3-amd64.c: Ditto.
6634 * cipher/sha1-intel-shaext.c: Ditto.
6635 * cipher/sha256-intel-shaext.c: Ditto.
6636
6637 Optimizations for AES-NI OCB.
6638 + commit b42de67f34871a2520cfe370af513f2aab6e4f75
6639 * cipher/cipher-internal.h (gcry_cipher_handle): New pre-computed OCB
6640 values L0L1 and L0L1L0; Swap dimensions for OCB L table.
6641 * cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Setup L0L1 and
6642 L0L1L0 values.
6643 (ocb_crypt): Process input in 24 KiB chunks for better cache locality
6644 for checksumming.
6645 * cipher/rijndael-aesni.c (ALWAYS_INLINE): New macro for always
6646 inlining functions, change all functions with 'inline' to use
6647 ALWAYS_INLINE.
6648 (NO_INLINE): New macro.
6649 (aesni_prepare_2_6_variable, aesni_prepare_7_15_variable): Rename to...
6650 (aesni_prepare_2_7_variable, aesni_prepare_8_15_variable): ...these and
6651 adjust accordingly (xmm7 moved from *_7_15 to *_2_7).
6652 (aesni_prepare_2_6, aesni_prepare_7_15): Rename to...
6653 (aesni_prepare_2_7, aesni_prepare_8_15): ...these and adjust
6654 accordingly.
6655 (aesni_cleanup_2_6, aesni_cleanup_7_15): Rename to...
6656 (aesni_cleanup_2_7, aesni_cleanup_8_15): ...these and adjust
6657 accordingly.
6658 (aesni_ocb_checksum): New.
6659 (aesni_ocb_enc, aesni_ocb_dec): Calculate OCB offsets in parallel
6660 with help of pre-computed offsets L0+L1 and L0+L1+L0; Do checksum
6661 calculation as separate pass instead of inline; Use NO_INLINE.
6662 (_gcry_aes_aesni_ocb_auth): Calculate OCB offsets in parallel
6663 with help of pre-computed offsets L0+L1 and L0+L1+L0.
6664 * cipher/rijndael-internal.h (RIJNDAEL_context_s) [USE_AESNI]: Add
6665 'use_avx2' and 'use_avx'.
6666 * cipher/rijndael.c (do_setkey) [USE_AESNI]: Set 'use_avx2' if
6667 Intel AVX2 HW feature is available and 'use_avx' if Intel AVX HW
6668 feature is available.
6669 * tests/basic.c (do_check_ocb_cipher): New test vector; increase
6670 size of temporary buffers for new test vector.
6671 (check_ocb_cipher_largebuf_split): Make test plaintext non-uniform
6672 for better checksum testing.
6673 (check_ocb_cipher_checksum): New.
6674 (check_ocb_cipher_largebuf): Call check_ocb_cipher_checksum.
6675 (check_ocb_cipher): New expected tags for check_ocb_cipher_largebuf
6676 test runs.
6677
6678 2018-11-19 Andreas Metzler <ametzler@bebt.de>
6679
6680 doc: Fix library initialization examples.
6681 + commit af0bbdb9019e0b4a72e87e8b1b4a55506d349834
6682
6683
6684 2018-11-14 Werner Koch <wk@gnupg.org>
6685
6686 random: Initialize variable as requested by valgrind.
6687 + commit aa686dfc9b563ff79c01d2f8560b88f69c42ecba
6688 * random/jitterentropy-base.c: Init.
6689
6690 2018-11-13 NIIBE Yutaka <gniibe@fsij.org>
6691
6692 libgcrypt.m4: Prefer gpgrt-config to SYSROOT support.
6693 + commit 852245390ef7fd8ca9e36010886a4cf42cf710bf
6694 * libgcrypt.m4: Move SYSROOT support after check of GPGRT_CONFIG.
6695
6696 build: Update autogen.rc.
6697 + commit bea193446351c24b10a4342466978d57bd53f599
6698 * autogen.rc: Remove obsolete --with-gpg-error-prefix option.
6699
6700 2018-11-07 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6701
6702 Fix 'variable may be used uninitialized' warning for CTR mode.
6703 + commit 3f76319803a4abcd33fa29a0ac39f8ed9d646226
6704 * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Set N to BLOCKSIZE
6705 before counter loop.
6706
6707 2018-11-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6708
6709 Fix inlining of ocb_get_l for x86 AES implementations.
6710 + commit 9d6431604b5ee21572c1c2cfa8376e6d81162cbb
6711 * cipher/rijndael-aesni.c (aes_ocb_get_l): New.
6712 (aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Use
6713 'aes_ocb_get_l'.
6714 * cipher/rijndael-ssse3-amd64.c (aes_ocb_get_l): New.
6715 (ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_auth): Use
6716 'aes_ocb_get_l'.
6717
6718 2018-11-05 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6719
6720 stdmem: free: only call _gcry_secmem_free if needed.
6721 + commit 23f56d3359ca7d152aa87874ddd6305171a91408
6722 * src/stdmem.c (_gcry_private_free): Check if memory is secure before
6723 calling _gcry_secmem_free to avoid unnecessarily taking secmem lock.
6724
6725 secmem: fix potential memory visibility issue.
6726 + commit d6c6680ca31c05bafbb8becda56da051346eceb3
6727 * configure.ac (gcry_cv_have_sync_synchronize): New check.
6728 * src/secmem.c (pooldesc_s): Make next pointer volatile.
6729 (memory_barrier): New.
6730 (_gcry_secmem_malloc_internal): Insert memory barrier between
6731 pool->next and mainpool.next assignments.
6732 (_gcry_private_is_secure): Update comments.
6733
6734 wipememory: use memset for non-constant length or large buffer wipes.
6735 + commit 4faeaa1cbd235a2560fa04a8ac3766a07029acd8
6736 * src/g10lib.h (CONSTANT_P): New.
6737 (_gcry_wipememory2): New prototype.
6738 (wipememory2): Use _gcry_wipememory2 if _len not constant expression or
6739 length is larger than 64 bytes.
6740 (FASTWIPE_T, FASTWIPE_MULT, fast_wipememory2_unaligned_head): Remove.
6741 (fast_wipememory2): Always handle buffer as unaligned.
6742 * src/misc.c (__gcry_burn_stack): Move memset_ptr variable to...
6743 (memset_ptr): ... here. New.
6744 (_gcry_wipememory2): New.
6745
6746 Change buf_cpy and buf_xor* functions to use buf_put/buf_get helpers.
6747 + commit 0068d41d9304ebcdb2caba1fa8848925e2bfaac7
6748 * cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS)
6749 (bufhelp_int_s, buf_xor_1): Remove.
6750 (buf_cpy, buf_xor, buf_xor_2dst, buf_xor_n_copy_2): Use
6751 buf_put/buf_get helpers to handle unaligned memory accesses.
6752
6753 rijndael: fix unused parameter warning.
6754 + commit 30e783ec487466132324673f197d36b85a91b060
6755 * cipher/rijndael.c (do_setkey): Silence unused 'hd' warning.
6756
6757 mpi/longlong.h: enable inline assembly for powerpc64.
6758 + commit ec49013d23d9a7b874c42d77ceb08bd313ba69e1
6759 * mpi/longlong.h [__powerpc__ && W_TYPE_SIZE == 64]: Remove '#if 0'.
6760
6761 Change remaining users of _gcry_fips_mode to use fips_mode.
6762 + commit 2aece89d3967e692743541cea857f2e4771b0b62
6763 * src/fips.c (_gcry_fips_mode): Remove.
6764 (_gcry_enforced_fips_mode, _gcry_inactivate_fips_mode)
6765 (_gcry_is_fips_mode_inactive): Use fips_mode.
6766 * src/g10lib.h (_gcry_fips_mode): Remove.
6767
6768 2018-11-02 NIIBE Yutaka <gniibe@fsij.org>
6769
6770 aarch64: mpi: Distribute the header file as a part of source.
6771 + commit a2e0cb1542818ad8a71de34ccbf191adab0a0b86
6772 * mpi/Makefile.am (EXTRA_libmpi_la_SOURCES): Add asm-common-aarch64.h.
6773
6774 build: Fix GCRYPT_HWF_MODULES.
6775 + commit f7395338d71d4d82180a11707fd6e77787162e24
6776 * configure.ac (GCRYPT_HWF_MODULES): Add libgcrypt_la- prefix.
6777
6778 build: Update gpg-error.m4 and libgcrypt.m4.
6779 + commit f46286851158878d5041ac5381b2807ecec541eb
6780 * m4/gpg-error.m4: Update to 2018-11-02.
6781 * src/libgcrypt.m4: Add AC_MSG_NOTICE.
6782 Bump the version date.
6783
6784 2018-10-29 NIIBE Yutaka <gniibe@fsij.org>
6785
6786 build: Update gpg-error.m4 and ksba.m4.
6787 + commit 4a4d4a284ca996df874e2534f8529c1611289943
6788 * m4/gpg-error.m4: Update to 2018-10-29.
6789 * src/libgcrypt.m4: Follow the change of gpgrt-config.
6790 Bump the version date.
6791
6792 2018-10-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6793
6794 Fix missing global initialization in fips_is_operational.
6795 + commit 6e669e09603e5a98b59dcf35f77f346db6c81eac
6796 * src/g10lib.h (_gcry_global_any_init_done): New extern.
6797 (fips_is_operational): Check for _gcry_global_any_init_done and call
6798 _gcry_global_is_operational.
6799 * src/global.c (any_init_done): Rename to ...
6800 (_gcry_global_any_init_done): ... this and make externally available.
6801
6802 2018-10-26 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
6803
6804 random: use getrandom() on Linux where available.
6805 + commit 7e662680c170968661ee0105d132813f8281d229
6806 * random/rndlinux.c (_gcry_rndlinux_gather_random): use the
6807 getrandom() syscall on Linux if it exists, regardless of what kind of
6808 entropy was requested.
6809
6810 2018-10-26 Werner Koch <wk@gnupg.org>
6811
6812 random: Make sure to re-open /dev/random after a fork.
6813 + commit 319f55e6e5793c59f1ba4cfe481b562bca42194d
6814 * random/rndlinux.c (_gcry_rndlinux_gather_random): Detect fork and
6815 re-open devices.
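
Added example, not libgcrypt code: the gathering logic these two rndlinux.c changes describe, as a stand-alone C routine. It uses the getrandom() syscall where the platform has it (whatever entropy level a caller asks for), falls back to reading a device, and re-opens that device whenever getpid() no longer matches the pid that opened it, which is how a fork is detected. The function names, the choice of /dev/urandom as the fallback device and the test hook that forces the device path are this example's assumptions.

```c
/* Added example (not libgcrypt code): collect random bytes the way the two
 * rndlinux.c changes above describe.  Prefer the getrandom() syscall; fall
 * back to the device; and if the process forked since the device was opened,
 * close and re-open it so parent and child stop sharing one file position. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

static int dev_fd = -1;        /* open device handle, or -1 */
static pid_t dev_pid = 0;      /* pid that opened dev_fd; differs after fork() */
static int prefer_syscall = 1; /* test hook: 0 forces the device path */

void rng_prefer_syscall(int on) { prefer_syscall = on; }

/* Fill BUF with LEN bytes.  0 on success, -1 on failure. */
int gather_random(unsigned char *buf, size_t len)
{
  pid_t me = getpid();
  ssize_t n;

#if defined(__linux__) && defined(SYS_getrandom)
  if (prefer_syscall) {
    size_t got = 0;
    while (got < len) {
      n = syscall(SYS_getrandom, buf + got, len - got, 0);
      if (n < 0 && errno == EINTR) continue;
      if (n < 0) break;            /* e.g. ENOSYS on old kernels: use the device */
      got += (size_t)n;
    }
    if (got == len) return 0;
  }
#endif
  if (dev_fd != -1 && dev_pid != me) {   /* we are a forked child: re-open */
    close(dev_fd);
    dev_fd = -1;
  }
  if (dev_fd == -1) {
    dev_fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);  /* device choice is this example's */
    if (dev_fd < 0) return -1;
    dev_pid = me;
  }
  while (len) {
    n = read(dev_fd, buf, len);
    if (n < 0 && errno == EINTR) continue;
    if (n <= 0) return -1;
    buf += n; len -= (size_t)n;
  }
  return 0;
}

/* 1 if two 32-byte draws succeed, are not all zero and are not identical. */
int rng_sanity(void)
{
  unsigned char a[32], b[32], nz = 0;
  if (gather_random(a, sizeof a) || gather_random(b, sizeof b)) return 0;
  for (size_t i = 0; i < sizeof a; i++) nz |= a[i] | b[i];
  return nz != 0 && memcmp(a, b, sizeof a) != 0;
}

/* Fork check: the parent opens the device, the child draws once and must end
 * up owning a device handle opened under its own pid.  1 on pass. */
int rng_fork_reopens(void)
{
  unsigned char x[8];
  pid_t pid;
  int status;
  rng_prefer_syscall(0);
  if (gather_random(x, sizeof x)) { rng_prefer_syscall(1); return 0; }
  pid = fork();
  if (pid == 0) {
    int ok = gather_random(x, sizeof x) == 0 && dev_pid == getpid();
    _exit(ok ? 0 : 1);
  }
  rng_prefer_syscall(1);
  if (pid < 0 || waitpid(pid, &status, 0) != pid) return 0;
  return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

rng_fork_reopens() forks with the device already open and makes the child draw once; the child passes only if its draw went through a handle opened under its own pid. On a kernel with getrandom() the syscall path is taken first and the device is never opened unless the hook forces it.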
6816
6817 primes: Avoid leaking bits of the prime test to pageable memory.
6818 + commit 2e2e68ad4874a4678cfbe452b70ae987e0402eca
6819 * cipher/primegen.c (gen_prime): Allocate MODS in secure memory.
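
Added example, not libgcrypt code: what allocating in secure memory and a non-elidable wipe amount to, in the spirit of the secmem, wipememory and explicit_bzero entries above and the primegen change just above. The buffer lives in a private anonymous mapping that is mlock'ed (and, on Linux, marked MADV_DONTDUMP), and is overwritten through a volatile memset pointer plus a compiler barrier before munmap, so neither the optimizer nor the pager keeps a copy. All names (secure_alloc, secure_wipe, secure_buf) are this example's own, and treating an mlock failure as non-fatal is this example's design choice, not libgcrypt's policy.

```c
/* Added example (not libgcrypt code): a buffer locked against swapping, left
 * out of core dumps where the platform supports it, and wiped with a memset
 * the optimizer cannot drop before the pages are released. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* memset reached through a volatile function pointer: the compiler cannot
 * see what is called, so it cannot treat the stores as dead and remove them. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n)
{
  if (n)
    memset_ptr(p, 0, n);
  __asm__ __volatile__("" : : "r"(p) : "memory");  /* GCC/Clang barrier */
}

typedef struct {
  size_t mapping;        /* bytes in the whole mmap'd region (page rounded) */
  size_t len;            /* usable bytes in data[] */
  int locked;            /* 1 if mlock succeeded */
  unsigned char data[];  /* zero-filled by the kernel on first touch */
} secure_buf;

/* LEN zeroed bytes in a private anonymous mapping, never handed to malloc, so
 * later heap reuse cannot expose them.  mlock may fail under RLIMIT_MEMLOCK;
 * the buffer is still returned and ->locked tells the caller. */
secure_buf *secure_alloc(size_t len)
{
  size_t page = (size_t)sysconf(_SC_PAGESIZE);
  size_t total = (sizeof(secure_buf) + len + page - 1) / page * page;
  void *m = mmap(NULL, total, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  secure_buf *b;
  if (m == MAP_FAILED)
    return NULL;
  b = m;
  b->mapping = total;
  b->len = len;
  b->locked = mlock(m, total) == 0;
#ifdef MADV_DONTDUMP
  madvise(m, total, MADV_DONTDUMP);  /* Linux: exclude from core files */
#endif
  return b;
}

/* Wipe the whole mapping, header included, then unlock and unmap.  0 = ok. */
int secure_free(secure_buf *b)
{
  size_t total;
  int locked;
  if (!b)
    return 0;
  total = b->mapping;   /* read before the header is wiped */
  locked = b->locked;
  secure_wipe(b, total);
  if (locked)
    munlock(b, total);
  return munmap(b, total);
}

/* 1 if all N bytes at P are zero; no early exit. */
int all_zero(const unsigned char *p, size_t n)
{
  unsigned char acc = 0;
  while (n--)
    acc |= *p++;
  return acc == 0;
}

/* Wipe a stack buffer holding key material; 1 if it reads back as zero. */
int wipe_demo(void)
{
  unsigned char k[32];
  memset(k, 0x5a, sizeof k);
  secure_wipe(k, sizeof k);
  return all_zero(k, sizeof k);
}

/* Usage: keep derived key material only in a secure buffer, then release it.
 * Returns 1 when the buffer arrived zeroed, held the data, and was freed. */
int secure_buf_demo(void)
{
  secure_buf *b = secure_alloc(100);
  int ok;
  if (!b)
    return 0;
  ok = b->len == 100 && all_zero(b->data, 100);
  memset(b->data, 0xAB, 100);  /* stands in for a key derived into the buffer */
  ok = ok && !all_zero(b->data, 100);
  return secure_free(b) == 0 && ok;
}
```

secure_wipe takes the memset-through-a-volatile-pointer route rather than explicit_bzero so that it builds on any POSIX system; where explicit_bzero exists it can replace the body of secure_wipe. An mlock failure is reported in ->locked instead of aborting, because unprivileged processes routinely hit RLIMIT_MEMLOCK and the caller is the right place to decide whether unlocked secure memory is acceptable.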
6820
6821 2018-10-26 NIIBE Yutaka <gniibe@fsij.org>
6822
6823 libgcrypt.m4: Better compatibility support.
6824 + commit a755bd0ea09af2ae5a66e3f5aeb8707673c687cf
6825 * src/gpg-error.m4: Update.
6826 * src/libgcrypt.m4: Don't assume libgcrypt-config is newer.
6827
6828 build: Fix libgcrypt.m4.
6829 + commit 630ece1b7e0a94442bca91d8e96d9b1d4cd3ec66
6830 * src/libgcrypt.m4: Use AC_PATH_PROG to detect libgcrypt-config.
6831
6832 build: Relax build requirements.
6833 + commit 8e5641ed65f86783542d5caccdeeee42eeb9457c
6834 * m4/gpg-error.m4: Update from libgpg-error 1.33.
6835 * src/libgcrypt.m4: Don't require AM_PATH_GPG_ERROR. Use GPGRT_CONFIG
6836 instead of libgcrypt-config when it is confirmed that it is available
6837 and working well.
6838 * configure.ac (AM_PATH_GPG_ERROR): No requirement for newer version
6839 (It was because of new gpgrt-config which supports *.pc files).
6840
6841 2018-10-25 NIIBE Yutaka <gniibe@fsij.org>
6842
6843 build: Require libgpg-error >= 1.33.
6844 + commit b376dc2abbb208b10bbc76998ff39adb2f301905
6845 * configure.ac (NEED_GPG_ERROR_VERSION): Require 1.33.
6846 * m4/gpg-error.m4: Update from libgpg-error 1.33.
6847 * src/libgcrypt.m4: Bump version date.
6848 Use --variable option.
6849
6850 2018-10-24 Werner Koch <wk@gnupg.org>
6851
6852 build: Add release make target.
6853 + commit 03bb25ee7ed6f1076bf788ab981ca68672880daa
6854 * Makefile.am (release, sign-release): New targets.
6855
6856 build: Make distcheck work again.
6857 + commit b0ad66e48c46b79af69349606e276cf0a6b9a020
6858 * cipher/Makefile.am: Prettified source file lists.
6859 (EXTRA_libcipher_la_SOURCES): Add missing asm-common-aarch64.h.
6860
6861 Fix memory leak in secmem in out of core conditions.
6862 + commit f74687fd43f5772a372f54031d5a9527597f4ce4
6863 * src/secmem.c (_gcry_secmem_malloc_internal): Release pool descriptor
6864 if the pool could not be allocated.
6865
6866 ecc: Fix memory leak in the error case of ecc_encrypt_raw.
6867 + commit e57e75ea517f32109b508113f18298fc69fd1192
6868 * cipher/ecc.c (ecc_encrypt_raw): Add proper error cleanup in the main
6869 block.
6870
6871 ecc: Fix possible memory leakage in parameter check of eddsa.
6872 + commit 149ceb3cae03d0385341d32430aa5ae57de90007
6873 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_verify): Fix mem leak.
6874
6875 2018-10-24 NIIBE Yutaka <gniibe@fsij.org>
6876
6877 build: Fix libgcrypt.pc.
6878 + commit 0e071372fc0e6fed4a449955ed0789803ba5e709
6879 * src/libgcrypt.pc.in: Fix typo.
6880
6881 build: Compatibility to pkg-config.
6882 + commit c60eabb11435665fa84a3a82b2a15f48870cc4d7
6883 * src/libgcrypt-config.in: Support --variable and --modversion.
6884
6885 build: Make libgcrypt.m4 use gpg-error-config.
6886 + commit 7da887d69d72ea0ea0d106054c48a8c03e242a18
6887 * src/libgcrypt.m4: Use gpg-error-config.
6888
6889 build: Provide libgcrypt.pc, generated by configure.
6890 + commit 97194b422bc89a6137f4e218d4cdee118c63e96e
6891 * configure.ac: Generate src/libgcrypt.pc.
6892 * src/Makefile.am (pkgconfigdir, pkgconfig_DATA): New.
6893 (EXTRA_DIST): Add libgcrypt.pc.in.
6894 * src/libgcrypt-config.in: Use @PACKAGE_VERSION@.
6895 * src/libgcrypt.pc.in: New.
6896
6897 build: Update gpg-error.m4 from libgpg-error.
6898 + commit 5b1febb5e40d92072bef425bd9e63f7a07edd57e
6899 * m4/gpg-error.m4: Update from libgpg-error 1.33.
6900
6901 build: Don't default to underscore=yes for cross-build.
6902 + commit 0f4545b441b6fbdd6e9c4e95f5f2a367483e78ad
6903 * acinclude.m4: Don't set ac_cv_sys_symbol_underscore
6904 for cross build.
6905
6906 2018-10-23 Werner Koch <wk@gnupg.org>
6907
6908 ecc: Fix potential unintended freeing of an internal param.
6909 + commit e2da4e8dee4b371804f3b2659b53431fb6380d93
6910 * cipher/ecc-curves.c (_gcry_ecc_get_mpi): Fix copy-and-paste error.
6911
6912 sexp: Fix uninitialized use of a var in the error case.
6913 + commit 9f2c7ec4d8b07e82663ad084c90c016d3c3b80c2
6914 * src/sexp.c (_gcry_sexp_vextract_param): Initialize L1.
6915
6916 2018-10-16 NIIBE Yutaka <gniibe@fsij.org>
6917
6918 build: Let configure create the VERSION file.
6919 + commit 0f2c6ce2c9504c6df435463243edaa669e57b109
6920 * autogen.sh: Update from libgpg-error.
6921 * configure.ac: Use mym4_version to create VERSION file.
6922 * Makefile.am (dist-hook): Do not create VERSION file.
6923 (EXTRA_DIST): Add VERSION.
6924
6925 2018-07-21 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6926
6927 Add size optimized cipher block copy and xor functions.
6928 + commit 86e5e06a97ae13b8bbf6923ecc76e02b9c429b46
6929 * cipher/bufhelp.h (buf_get_he32, buf_put_he32, buf_get_he64)
6930 (buf_put_he64): New.
6931 * cipher/cipher-internal.h (cipher_block_cpy, cipher_block_xor)
6932 (cipher_block_xor_1, cipher_block_xor_2dst, cipher_block_xor_n_copy_2)
6933 (cipher_block_xor_n_copy): New.
6934 * cipher/cipher-gcm-intel-pclmul.c
6935 (_gcry_ghash_setup_intel_pclmul): Use assembly for swapping endianness
6936 instead of buf_get_be64 and buf_cpy.
6937 * cipher/blowfish.c: Use new cipher_block_* functions for cipher block
6938 sized buf_cpy/xor* operations.
6939 * cipher/camellia-glue.c: Ditto.
6940 * cipher/cast5.c: Ditto.
6941 * cipher/cipher-aeswrap.c: Ditto.
6942 * cipher/cipher-cbc.c: Ditto.
6943 * cipher/cipher-ccm.c: Ditto.
6944 * cipher/cipher-cfb.c: Ditto.
6945 * cipher/cipher-cmac.c: Ditto.
6946 * cipher/cipher-ctr.c: Ditto.
6947 * cipher/cipher-eax.c: Ditto.
6948 * cipher/cipher-gcm.c: Ditto.
6949 * cipher/cipher-ocb.c: Ditto.
6950 * cipher/cipher-ofb.c: Ditto.
6951 * cipher/cipher-xts.c: Ditto.
6952 * cipher/des.c: Ditto.
6953 * cipher/rijndael.c: Ditto.
6954 * cipher/serpent.c: Ditto.
6955 * cipher/twofish.c: Ditto.
6956
6957 2018-07-04 NIIBE Yutaka <gniibe@fsij.org>
6958
6959 RFC-8439 was published.
6960 + commit 9660c3fafd732b1857bb2697c6f43aed077b9ad6
6961 * cipher/cipher-poly1305.c: Update RFC reference.
6962
6963 2018-06-19 Jussi Kivilinna <jussi.kivilinna@iki.fi>
6964
6965 Clean-up implementation selection for SHA1 and SHA2.
6966 + commit 8a44c55d2fb758f726b8b436aa5c0b88a6c6f112
6967 * cipher/sha1.c (ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
6968 (do_sha1_transform_amd64_ssse3, do_sha1_transform_amd64_avx)
6969 (do_sha1_transform_amd64_avx_bmi2, do_sha1_transform_intel_shaext)
6970 (do_sha1_transform_armv7_neon, do_sha1_transform_armv8_ce): New.
6971 (transform_blk, transform): Merge to ...
6972 (do_transform_generic): ... this and remove calls to assembly
6973 implementations.
6974 (sha1_init): Select hd->bctx.bwrite based on HW features.
6975 (_gcry_sha1_mixblock, sha1_final): Call hd->bctx.bwrite instead of
6976 transform.
6977 * cipher/sha1.h (SHA1_CONTEXT): Remove implementation selection bits.
6978 * cipher/sha256.h (SHA256_CONTEXT): Remove implementation selection
6979 bits.
6980 (ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
6981 (do_sha256_transform_amd64_ssse3, do_sha256_transform_amd64_avx)
6982 (do_sha256_transform_amd64_avx2, do_sha256_transform_intel_shaext)
6983 (do_sha256_transform_armv8_ce): New.
6984 (transform_blk, transform): Merge to ...
6985 (do_transform_generic): ... this and remove calls to assembly
6986 implementations.
6987 (sha256_init, sha224_init): Select hd->bctx.bwrite based on HW
6988 features.
6989 (sha256_final): Call hd->bctx.bwrite instead of transform.
6990 * cipher/sha512-armv7-neon.S
6991 (_gcry_sha512_transform_armv7_neon): Return zero.
6992 * cipher/sha512.h (SHA512_CONTEXT): Remove implementation selection
6993 bits.
6994 (ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
6995 (do_sha512_transform_armv7_neon, do_sha512_transform_amd64_ssse3)
6996 (do_sha512_transform_amd64_avx, do_sha512_transform_amd64_avx2): New.
6997 [USE_ARM_ASM] (do_transform_generic): New.
6998 (transform_blk, transform): Merge to ...
6999 [!USE_ARM_ASM] (do_transform_generic): ... this and remove calls to
7000 assembly implementations.
7001 (sha512_init, sha384_init): Select hd->bctx.bwrite based on HW
7002 features.
7003 (sha512_final): Call hd->bctx.bwrite instead of transform.
7004
7005 Add hash_buffer and hash_buffers for SHA-224, SHA-384, SHA3 and BLAKE2.
7006 + commit 59c4e344eec61cff45185e1caea6815b3266a0f8
7007 * cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Add hash_buffer and
7008 hash_buffers functions for BLAKE2 variants.
7009 * cipher/keccak.c (_gcry_sha3_hash_buffer, _gcry_sha3_hash_buffers)
7010 (_gcry_sha3_224_hash_buffer, _gcry_sha3_224_hash_buffers)
7011 (_gcry_sha3_256_hash_buffer, _gcry_sha3_256_hash_buffers)
7012 (_gcry_sha3_384_hash_buffer, _gcry_sha3_384_hash_buffers)
7013 (_gcry_sha3_512_hash_buffer, _gcry_sha3_512_hash_buffers): New.
7014 * cipher/sha256.c (_gcry_sha224_hash_buffer)
7015 (_gcry_sha224_hash_buffers): New.
7016 * cipher/sha512.c (_gcry_sha384_hash_buffer)
7017 (_gcry_sha384_hash_buffers): New.
7018
7019 Add hash_buffer and hash_buffers pointers to message digest spec.
7020 + commit b136703ea0ddbd9fec6dfd1f8dfda8373653ba39
7021 * src/cipher-proto.h (gcry_md_hash_buffer_t)
7022 (gcry_md_hash_buffers_t): New.
7023 (gcry_md_spec): Add hash_buffer and hash_buffers.
7024 * cipher/md.c (_gcry_md_hash_buffer, _gcry_md_hash_buffers): Use
7025 hash_buffer/hash_buffers from MD spec instead of hard-coding supported
7026 algorithms.
7027 * cipher/blake2.c: Add NULL to MD spec hash_buffer and hash_buffers
7028 pointers.
7029 * cipher/crc.c: Ditto.
7030 * cipher/gostr3411-94.c: Ditto.
7031 * cipher/keccak.c: Ditto.
7032 * cipher/md2.c: Ditto.
7033 * cipher/md4.c: Ditto.
7034 * cipher/md5.c: Ditto.
7035 * cipher/stribog.c: Ditto.
7036 * cipher/tiger.c: Ditto.
7037 * cipher/whirlpool.c: Ditto.
7038 * cipher/rmd160.c (_gcry_rmd160_hash_buffers): New.
7039 (_gcry_digest_spec_rmd160): Add hash_buffer and hash_buffers functions.
7040 * cipher/sha1.c (_gcry_digest_spec_sha1): Add hash_buffer and
7041 hash_buffers functions.
7042 * cipher/sha256.c (_gcry_digest_spec_sha256): Add hash_buffer and
7043 hash_buffers functions.
7044 (_gcry_digest_spec_sha224): Add NULL pointers for hash_buffer and
7045 hash_buffers.
7046 * cipher/sha512.c (_gcry_digest_spec_sha1): Add hash_buffer and
7047 hash_buffers functions.
7048 (_gcry_digest_spec_sha384): Add NULL pointers for hash_buffer and
7049 hash_buffers.
7050 * cipher/sm3.c (_gcry_digest_spec_sha1): Add hash_buffer and
7051 hash_buffers functions.
7052
7053 AES: setup cipher object bulk routines with optimized versions.
7054 + commit a15c1def7e0f170f6663635db84fecab1cbfcca7
7055 * cipher/rijndael-aesni.c
7056 (_gcry_aes_aesni_prepare_decryption): Rename...
7057 (do_aesni_prepare_decryption): ... to this.
7058 (_gcry_aes_aesni_prepare_decryption): New.
7059 (_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
7060 (_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
7061 (_gcry_aes_aesni_cbc_dec): Reorder parameters to match bulk
7062 operations.
7063 (_gcry_aes_aesni_cbc_dec, aesni_ocb_dec)
7064 (_gcry_aes_aesni_xts_dec): Check and prepare decryption.
7065 (_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): Change return
7066 type to size_t.
7067 * cipher/rijndael-armv8-ce.c
7068 (_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
7069 (_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
7070 (_gcry_aes_armv8_ce_cbc_dec): Reorder parameters to match bulk
7071 operations.
7072 (_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
7073 (_gcry_aes_armv8_ce_xts_dec): Check and prepare decryption.
7074 (_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_ocb_auth): Change
7075 return type to size_t.
7076 * cipher/rijndael-ssse3-amd64.c
7077 (_gcry_ssse3_prepare_decryption): Rename...
7078 (do_ssse3_prepare_decryption): ... to this.
7079 (_gcry_ssse3_prepare_decryption): New.
7080 (_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
7081 (_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
7082 (_gcry_aes_ssse3_cbc_dec): Reorder parameters to match bulk
7083 operations.
7084 (_gcry_aes_ssse3_cbc_dec, ssse3_ocb_dec): Check and prepare decryption.
7085 (_gcry_aes_ssse3_ocb_crypt, _gcry_aes_ssse3_ocb_auth): Change return
7086 type to size_t.
7087 * cipher/rijndael.c
7088 (_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
7089 (_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
7090 (_gcry_aes_aesni_cbc_dec, _gcry_aes_aesni_ocb_crypt)
7091 (_gcry_aes_aesni_ocb_auth, _gcry_aes_aesni_xts_crypt)
7092 (_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
7093 (_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
7094 (_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_ocb_crypt)
7095 (_gcry_aes_ssse3_ocb_auth, _gcry_aes_ssse3_xts_crypt)
7096 (_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
7097 (_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
7098 (_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
7099 (_gcry_aes_armv8_ce_ocb_auth, _gcry_aes_armv8_ce_xts_crypt): Change
7100 prototypes to match bulk operations.
7101 (do_setkey): Setup bulk operations with optimized implementations.
7102 (_gcry_aes_cfb_enc, _gcry_aes_cbc_enc, _gcry_aes_ctr_enc)
7103 (_gcry_aes_cfb_dec, _gcry_aes_cbc_dec, _gcry_aes_ocb_crypt)
7104 (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Update
7105 usage to match new prototypes, avoid prefetch and decryption
7106 preparation on optimized code paths.
7107
7108 Pass cipher object pointer to setkey functions.
7109 + commit ca21a24808efa5d562ac91f683504ae0d6dfa69f
7110 * cipher/cipher.c (cipher_setkey): Pass cipher object pointer to
7111 cipher's setkey function.
7112 * cipher/arcfour.c: Add gcry_cipher_hd_t parameter for setkey
7113 functions and update selftests to pass NULL pointer.
7114 * cipher/blowfish.c: Ditto.
7115 * cipher/camellia-glue.c: Ditto.
7116 * cipher/cast5.c: Ditto.
7117 * cipher/chacha20.c: Ditto.
7118 * cipher/cipher-selftest.c: Ditto.
7119 * cipher/des.c: Ditto.
7120 * cipher/gost28147.c: Ditto.
7121 * cipher/idea.c: Ditto.
7122 * cipher/rfc2268.c: Ditto.
7123 * cipher/rijndael.c: Ditto.
7124 * cipher/salsa20.c: Ditto.
7125 * cipher/seed.c: Ditto.
7126 * cipher/serpent.c: Ditto.
7127 * cipher/twofish.c: Ditto.
7128 * src/cipher-proto.h: Ditto.
7129
7130 Add fast path for _gcry_fips_is_operational.
7131 + commit b6e6ace324440f564df664e27f8276ef01f76795
7132 * src/fips.c (no_fips_mode_required): Rename to...
7133 (_gcry_no_fips_mode_required): ...this and make externally available.
7134 * src/g10lib.h (_gcry_no_fips_mode_required): New extern.
7135 (fips_mode): Inline _gcry_fips_mode to macro, use
7136 _gcry_no_fips_mode_required directly.
7137 (fips_is_operational): Inline fips_mode check from
7138 _gcry_fips_in_operational.
7139
7140 Access cipher mode routines through routine pointers.
7141 + commit 233e2049a2cc1c1110f541b6a7ef145a737e2c65
7142 * cipher/cipher-internal.h (gcry_cipher_handle): Add function pointers
7143 for mode operations.
7144 (_gcry_cipher_xts_crypt): Remove.
7145 (_gcry_cipher_xts_encrypt, _gcry_cipher_xts_decrypt): New.
7146 * cipher/cipher-xts.c (_gcry_cipher_xts_encrypt)
7147 (_gcry_cipher_xts_decrypt): New.
7148 * cipher/cipher.c (_gcry_cipher_setup_mode_ops): New.
7149 (_gcry_cipher_open_internal): Setup mode routines.
7150 (cipher_encrypt, cipher_decrypt): Remove.
7151 (do_stream_encrypt, do_stream_decrypt, do_encrypt_none_unknown)
7152 (do_decrypt_none_unknown): New.
7153 (_gcry_cipher_encrypt, _gcry_cipher_decrypt, _gcry_cipher_setiv)
7154 (_gcry_cipher_authenticate, _gcry_cipher_gettag)
7155 (_gcry_cipher_checktag): Adapted to use mode routines through pointers.
7156
7157 Add separate handlers for CBC-CTS variant.
7158 + commit 87d8caa47e00f1b1cea968fe38cf30c0ccc9749c
7159 * cipher/cipher-cbc.c (cbc_encrypt_inner, cbc_decrypt_inner)
7160 (_gcry_cipher_cbc_cts_encrypt, _gcry_cipher_cbc_cts_decrypt): New.
7161 (_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt): Remove CTS
7162 handling.
7163 * cipher/cipher-internal.h (_gcry_cipher_cbc_cts_encrypt)
7164 (_gcry_cipher_cbc_cts_decrypt): New.
7165 * cipher/cipher.c (cipher_encrypt, cipher_decrypt): Call CBC-CTS
7166 handler if CBC-CTS flag is set.
7167
7168 Avoid division by spec->blocksize in cipher mode handlers.
7169 + commit f5168091c1930e948af8f25da11cad5dfa62c7ba
7170 * cipher/cipher-internal.h (_gcry_blocksize_shift): New.
7171 * cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
7172 (_gcry_cipher_cbc_decrypt): Use bit-level operations instead of
7173 division to get number of blocks and check input length against
7174 blocksize.
7175 * cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
7176 (_gcry_cipher_cfb_decrypt): Ditto.
7177 * cipher/cipher-cmac.c (_gcry_cmac_write): Ditto.
7178 * cipher/cipher-ctr.c (_gcry_cipher_ctr_crypt): Ditto.
7179 * cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
7180 (_gcry_cipher_ofb_decrypt): Ditto.
7181
7182 Fix CBC-CTS+CBC-MAC flag check.
7183 + commit a69021535b472556651eb2bab65666206c56c24b
7184 * cipher/cipher.c (_gcry_cipher_open_internal): Check flags separately
7185 instead of AND masking two flags to zero.
7186
7187 tests/basic: silence GCC-8 warning.
7188 + commit 2a94bdfc0538a340a24c1a7b524bb0c5f606457c
7189 * tests/basic.c (check_ofb_cipher, check_stream_cipher): Change
7190 tv[].data[].inlen type from signed to unsigned integer.
7191
7192 2018-06-19 Will Dietz <w@wdtz.org>
7193
7194 random: Fix hang of _gcry_rndjent_get_version.
7195 + commit 355f5b7f69075c010fe33aa5b10ac60c08fae0c7
7196 * random/rndjent.c (_gcry_rndjent_get_version): Move locking.
7197
7198 2018-06-13 NIIBE Yutaka <gniibe@fsij.org>
7199
7200 ecc: Add blinding for ECDSA.
7201 + commit 9010d1576e278a4274ad3f4aa15776c28f6ba965
7202 * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
7203 randomized nonce B.
7204
7205 2018-06-06 Werner Koch <wk@gnupg.org>
7206
7207 ecc: Improve gcry_mpi_ec_curve_point.
7208 + commit 7b6c2afd699e889f5f054cc3d202a61bd0ee1dcf
7209 * mpi/ec.c (_gcry_mpi_ec_curve_point): Check range of coordinates.
7210 * tests/t-mpi-point.c (point_on_curve): New.
7211
7212 2018-06-05 Werner Koch <wk@gnupg.org>
7213
7214 mpi: New internal function _gcry_mpi_cmpabs.
7215 + commit 6606ae44e0de1069b29dd4215ee9748280940e1b
7216 * mpi/mpi-cmp.c (_gcry_mpi_cmp): Factor out to ...
7217 (do_mpi_cmp): New. Add arg absmode.
7218 (_gcry_mpi_cmpabs): New.
7219 * src/gcrypt-int.h (mpi_cmpabs): New macro.
7220
7221 2018-04-29 Werner Koch <wk@gnupg.org>
7222
7223 build: Convince gcc not to delete NULL ptr checks.
7224 + commit 61dbb7c08ab11c10060e193b52e3e1d2ec6dd062
7225 * configure.ac: Try to use -fno-delete-null-pointer-checks.
7226
7227 2018-04-28 Werner Koch <wk@gnupg.org>
7228
7229 prime: Avoid rare assertion failure in gcry_prime_check.
7230 + commit f3362f10f6f671246c38115ed12b0047966c200e
7231 * cipher/primegen.c (is_prime): Don't fail on the assert X > 1.
7232
7233 2018-04-17 Werner Koch <wk@gnupg.org>
7234
7235 mpi: Fix for building for MIPS64 with Clang.
7236 + commit e7ae0ae243c8978a67c802169183187d88557be8
7237 * mpi/longlong.h [MIPS64][__clang__]: Use the C version like we
7238 already do for 32 bit MIPS.
7239
7240 2018-04-11 NIIBE Yutaka <gniibe@fsij.org>
7241
7242 hmac: Use xtrymalloc.
7243 + commit 3e3b520fb32a37c5c23762531a7b3168e112ac36
7244 * src/hmac256.c (_gcry_hmac256_new): Use xtrymalloc.
7245 (_gcry_hmac256_file): Likewise.
7246
7247 2018-04-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7248
7249 basic_all_hwfeature_combinations.sh: use $njobs to limit parallel tasks.
7250 + commit 5e01705ca90830c27a4cbd8bad41243915f4538a
7251 * tests/basic_all_hwfeature_combinations.sh: Use $njobs to limit
7252 parallel tasks instead of fixed number "8".
7253
7254 Faster look-up for spec by algo for digests, ciphers and MAC.
7255 + commit 634a85412a4073aa1890589ce5e97eac7b0f3ca3
7256 * cipher/cipher.c (cipher_list_algo0, cipher_list_algo301): New cipher
7257 spec lists with same order and spacing as 'gcry_cipher_algos'
7258 enumeration.
7259 (spec_from_algo): Use new spec lists for faster look-up.
7260 * cipher/mac.c (mac_list_algo101, mac_list_algo201, mac_list_algo401)
7261 (mac_list_algo501): New MAC spec lists with same order and spacing as
7262 'gcry_mac_algos' enumeration.
7263 (spec_from_algo): Use new spec lists for faster look-up.
7264 * cipher/md.c (digest_list_algo0, digest_list_algo301): New digest
7265 spec lists with same order and spacing as 'gcry_md_algos'
7266 enumeration.
7267 (spec_from_algo): Use new spec lists for faster look-up.
7268
7269 Fix building with BLAKE2 disabled.
7270 + commit 35b59d0ea52e8a1c30c43554dc4dbca97da4bf87
7271 * cipher/md.c (md_setkey): Enclose Blake2 part with USE_BLAKE2.
7272
7273 Add missing BLAKE2, SM3 and GOSTR3411_CP to MAC-HMAC interface.
7274 + commit 52e52eb0e3e5541cfc86e04c5047500db5d538b7
7275 * cipher/mac-hmac.c (map_mac_algo_to_md): Add GOSTR3411_CP, BLAKE2 and
7276 SM3.
7277 (_gcry_mac_type_spec_hmac_gost3411_cp)
7278 (_gcry_mac_type_spec_hmac_blake2b_512)
7279 (_gcry_mac_type_spec_hmac_blake2b_384)
7280 (_gcry_mac_type_spec_hmac_blake2b_256)
7281 (_gcry_mac_type_spec_hmac_blake2b_160)
7282 (_gcry_mac_type_spec_hmac_blake2s_256)
7283 (_gcry_mac_type_spec_hmac_blake2s_224)
7284 (_gcry_mac_type_spec_hmac_blake2s_160)
7285 (_gcry_mac_type_spec_hmac_blake2s_128)
7286 (_gcry_mac_type_spec_hmac_sm3): New.
7287 * cipher/mac-internal.h (_gcry_mac_type_spec_hmac_gost3411_cp)
7288 (_gcry_mac_type_spec_hmac_blake2b_512)
7289 (_gcry_mac_type_spec_hmac_blake2b_384)
7290 (_gcry_mac_type_spec_hmac_blake2b_256)
7291 (_gcry_mac_type_spec_hmac_blake2b_160)
7292 (_gcry_mac_type_spec_hmac_blake2s_256)
7293 (_gcry_mac_type_spec_hmac_blake2s_224)
7294 (_gcry_mac_type_spec_hmac_blake2s_160)
7295 (_gcry_mac_type_spec_hmac_blake2s_128)
7296 (_gcry_mac_type_spec_hmac_sm3): New.
7297 * cipher/mac.c (mac_list): Add GOSTR3411_CP, BLAKE2 and SM3.
7298 * src/gcrypt.h.in (GCRY_MAC_HMAC_GOSTR3411_CP)
7299 (GCRY_MAC_HMAC_BLAKE2B_512, GCRY_MAC_HMAC_BLAKE2B_384)
7300 (GCRY_MAC_HMAC_BLAKE2B_256, GCRY_MAC_HMAC_BLAKE2B_160)
7301 (GCRY_MAC_HMAC_BLAKE2S_256, GCRY_MAC_HMAC_BLAKE2S_224)
7302 (GCRY_MAC_HMAC_BLAKE2S_160, GCRY_MAC_HMAC_BLAKE2S_128)
7303 (GCRY_MAC_HMAC_SM3): New.
7304
7305 2018-04-10 NIIBE Yutaka <gniibe@fsij.org>
7306
7307 random: Protect another use of jent_rng_collector.
7308 + commit 0de2a22fcf6607d0aecb550feefa414cee3731b2
7309 * random/rndjent.c (_gcry_rndjent_get_version): Lock the access.
7310
7311 2018-03-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7312
7313 aarch64/assembly: only use the lower 32 bits of int parameters.
7314 + commit 9b58e4a03ba3aeff7bae3f40da706977870c9649
7315 * cipher/camellia-aarch64.S (_gcry_camellia_arm_encrypt_block)
7316 (__gcry_camellia_arm_decrypt_block): Make comment section about input
7317 registers match usage.
7318 * cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_ocb_auth_armv8_ce): Use
7319 'w12' and 'w7' instead of 'x12' and 'x7'.
7320 (_gcry_aes_xts_enc_armv8_ce, _gcry_aes_xts_dec_armv8_ce): Fix function
7321 prototype in comments.
7322 * mpi/aarch64/mpih-add1.S: Use 32-bit registers for 32-bit mpi_size_t
7323 parameters.
7324 * mpi/aarch64/mpih-mul1.S: Ditto.
7325 * mpi/aarch64/mpih-mul2.S: Ditto.
7326 * mpi/aarch64/mpih-mul3.S: Ditto.
7327 * mpi/aarch64/mpih-sub1.S: Ditto.
7328
7329 poly1305: silence compiler warning on clang/aarch64.
7330 + commit 8cdb010f04528703a502344e00d52447de12547d
7331 * cipher/poly1305.c (MUL_MOD_1305_64): cast zero constant to 64-bits.
7332
7333 2018-03-28 Martin Storsjö <martin@martin.st>
7334
7335 aarch64: Enable building the aarch64 cipher assembly for windows.
7336 + commit 0de2191a07d69ef1fa34ca4c5d5fc4985ff7b4c4
7337 * cipher/asm-common-aarch64.h: New.
7338 * cipher/camellia-aarch64.S: Use ELF macro, use x19 instead of x18.
7339 * cipher/chacha20-aarch64.S: Use ELF macro, don't use GOT on windows.
7340 * cipher/cipher-gcm-armv8-aarch64-ce.S: Use ELF macro.
7341 * cipher/rijndael-aarch64.S: Use ELF macro.
7342 * cipher/rijndael-armv8-aarch64-ce.S: Use ELF macro.
7343 * cipher/sha1-armv8-aarch64-ce.S: Use ELF macro.
7344 * cipher/sha256-armv8-aarch64-ce.S: Use ELF macro.
7345 * cipher/twofish-aarch64.S: Use ELF macro.
7346 * configure.ac: Don't require .size and .type in aarch64 assembly check.
7347
7348 aarch64: camellia: Only use the lower 32 bit of an int parameter.
7349 + commit 4e1b628f492643d4e9b830bcdab7b49daaec5854
7350 * cipher/camellia-aarch64.S: Use 'w3' instead of 'x3'.
7351
7352 aarch64: Fix assembling chacha20-aarch64.S with clang/llvm.
7353 + commit 36e916fc332eda74963192b1c0bf6860a3e5d67b
7354 * cipher/chacha20-aarch64.S: Remove superfluous lane counts.
7355
7356 aarch64: mpi: Fix building the mpi aarch64 assembly for windows.
7357 + commit ec0a2f25c0f64a7b65b373508ce9081e10461965
7358 * mpi/aarch64/mpih-add1.S: Use ELF macro.
7359 * mpi/aarch64/mpih-mul1.S: Use ELF macro.
7360 * mpi/aarch64/mpih-mul2.S: Use ELF macro.
7361 * mpi/aarch64/mpih-mul3.S: Use ELF macro.
7362 * mpi/aarch64/mpih-sub1.S: Use ELF macro.
7363 * mpi/asm-common-aarch64.h: New.
7364
7365 random: Don't assume that _WIN64 implies x86_64.
7366 + commit ed41d6d6fb4551342b22ef763de1bd60e964e186
7367 * random/rndw32.c: Change _WIN64 ifdef into __x86_64__.
7368
7369 2018-03-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7370
7371 tests/aeswrap: add in-place encryption/decryption testing.
7372 + commit 885f031fbd17abc1c0fedbb98df22823b647fc11
7373 * tests/aeswrap.c (check): Rename to...
7374 (check_one): ...this and add in-place testing.
7375 (check): New.
7376
7377 2018-03-22 Stephan Mueller <smueller@chronox.de>
7378
7379 AES-KW: fix in-place encryption.
7380 + commit 330ec66e0babdabb658dc7d6db78f37b2a1b996e
7381 * cipher/cipher-aeswrap.c: Move memmove call before KW IV setting.
7382
7383 2018-03-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7384
7385 bench-slope: add CPU frequency auto-detection.
7386 + commit 617f5e746f8295cc36d1002c8c53edc95d04d0f6
7387 * tests/bench-slope.c (bench_obj): Add 'hd'.
7388 (bench_encrypt_init, bench_encrypt_free, bench_encrypt_do_bench)
7389 (bench_decrypt_do_bench, bench_xts_encrypt_init)
7390 (bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench)
7391 (bench_ccm_encrypt_init, bench_ccm_encrypt_do_bench)
7392 (bench_ccm_decrypt_do_bench, bench_aead_encrypt_init)
7393 (bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
7394 (bench_hash_init, bench_hash_free, bench_hash_do_bench)
7395 (bench_mac_init, bench_mac_free, bench_mac_do_bench): Use 'obj->hd'
7396 for storing pointer to crypto context.
7397 (auto_ghz): New.
7398 (do_slope_benchmark): Rename to...
7399 (slope_benchmark): ...this.
7400 (auto_ghz_init, auto_ghz_free, auto_ghz_bench, auto_ghz_detect_ops)
7401 (get_auto_ghz, do_slope_benchmark): New.
7402 (double_to_str): Round number larger than 1000 to integer.
7403 (bench_print_result_csv, bench_print_result_std)
7404 (bench_print_result, bench_print_header, cipher_bench_one)
7405 (hash_bench_one, mac_bench_one, kdf_bench_one, kdf_bench): Add
7406 auto-detected frequency printing.
7407 (print_help): Help for CPU speed auto-detection mode.
7408 (main): Add parsing for "--cpu-mhz auto".
7409
7410 _gcry_burn_stack: use memset for clearing memory.
7411 + commit 3841b23c0ccb24d555b7570083bba958e3126d26
7412 * src/misc.c (__gcry_burn_stack) [HAVE_VLA]: Use 'memset' for clearing
7413 stack.
7414
7415 Improve constant-time buffer compare.
7416 + commit a1127dbbada4302abf09eec90fbaceca87bfcdf0
7417 * cipher/bufhelp.h (buf_eq_const): Rewrite logic.
7418
7419 2018-02-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7420
7421 Add Intel SHA Extensions accelerated SHA256 implementation.
7422 + commit 0b3ec359e2279c3b46b171372b1b7733bba20cd7
7423 * cipher/Makefile.am: Add 'sha256-intel-shaext.c'.
7424 * cipher/sha256-intel-shaext.c: New.
7425 * cipher/sha256.c (USE_SHAEXT)
7426 (_gcry_sha256_transform_intel_shaext): New.
7427 (SHA256_CONTEXT): Add 'use_shaext'.
7428 (sha256_init, sha224_init) [USE_SHAEXT]: Use shaext if supported.
7429 (transform) [USE_SHAEXT]: Use shaext if enabled.
7430 (transform): Only add ASM_EXTRA_STACK if returned burn length is not
7431 zero.
7432 * configure.ac: Add 'sha256-intel-shaext.lo'.
7433
7434 Add Intel SHA Extensions accelerated SHA1 implementation.
7435 + commit d02958bd300d2c80bc92b1e072103e95e256b297
7436 * cipher/Makefile.am: Add 'sha1-intel-shaext.c'.
7437 * cipher/sha1-intel-shaext.c: New.
7438 * cipher/sha1.c (USE_SHAEXT, _gcry_sha1_transform_intel_shaext): New.
7439 (sha1_init) [USE_SHAEXT]: Use shaext implementation if supported.
7440 (transform) [USE_SHAEXT]: Use shaext if enabled.
7441 (transform): Only add ASM_EXTRA_STACK if returned burn length is not
7442 zero.
7443 * cipher/sha1.h (SHA1_CONTEXT): Add 'use_shaext'.
7444 * configure.ac: Add 'sha1-intel-shaext.lo'.
7445 (shaextsupport, gcry_cv_gcc_inline_asm_shaext): New.
7446 * src/g10lib.h: Add HWF_INTEL_SHAEXT and reorder HWF flags.
7447 * src/hwf-x86.c (detect_x86_gnuc): Detect SHA Extensions.
7448 * src/hwfeatures.c (hwflist): Add 'intel-shaext'.
7449
7450 AVX implementation of BLAKE2s.
7451 + commit da58a62ac1b7a8d97b0895dcb41d15af531e45e5
7452 * cipher/Makefile.am: Add 'blake2s-amd64-avx.S'.
7453 * cipher/blake2.c (USE_AVX, _gcry_blake2s_transform_amd64_avx): New.
7454 (BLAKE2S_CONTEXT) [USE_AVX]: Add 'use_avx'.
7455 (blake2s_transform): Rename to ...
7456 (blake2s_transform_generic): ... this.
7457 (blake2s_transform): New.
7458 (blake2s_final): Pass 'ctx' pointer to transform function instead of
7459 'S'.
7460 (blake2s_init_ctx): Check HW features and enable AVX implementation
7461 if supported.
7462 * cipher/blake2s-amd64-avx.S: New.
7463 * configure.ac: Add 'blake2s-amd64-avx.lo'.
7464
7465 2018-02-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7466
7467 AVX2 implementation of BLAKE2b.
7468 + commit af7fc732f9a7af7a70276f1e8364d2132db314f1
7469 * cipher/Makefile.am: Add 'blake2b-amd64-avx2.S'.
7470 * cipher/blake2.c (USE_AVX2, ASM_FUNC_ABI, ASM_EXTRA_STACK)
7471 (_gcry_blake2b_transform_amd64_avx2): New.
7472 (BLAKE2B_CONTEXT) [USE_AVX2]: Add 'use_avx2'.
7473 (blake2b_transform): Rename to ...
7474 (blake2b_transform_generic): ... this.
7475 (blake2b_transform): New.
7476 (blake2b_final): Pass 'ctx' pointer to transform function instead of
7477 'S'.
7478 (blake2b_init_ctx): Check HW features and enable AVX2 implementation
7479 if supported.
7480 * cipher/blake2b-amd64-avx2.S: New.
7481 * configure.ac: Add 'blake2b-amd64-avx2.lo'.
7482
7483 2018-01-31 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7484
7485 Fix incorrect counter overflow handling for GCM.
7486 + commit ffdc6f3623a0bcb41324d562340b2cd1c288e387
7487 * cipher/cipher-gcm.c (gcm_ctr_encrypt): New function to handle
7488 32-bit CTR increment for GCM.
7489 (_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Do not use
7490 generic CTR implementation directly, use gcm_ctr_encrypt instead.
7491 * tests/basic.c (_check_gcm_cipher): Add test-vectors for 32-bit
7492 CTR overflow.
7493 (check_gcm_cipher): Add 'split input to 15 bytes and 17 bytes'
7494 test-runs.
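Added example, not libgcrypt code: the counter rule this fix restores. GCM (SP 800-38D) advances its counter block with inc32, touching only the low 32 bits, while a generic CTR mode carries into the 96-bit nonce prefix when that word wraps; the two keystreams agree until the wrap and diverge after it. The function names, the 12-byte nonce used in the test and the toy block callback are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define GCM_BLOCK 16

/* Block-cipher callback: encrypts one 16-byte block in place under 'ctx'. */
typedef void (*block_enc_fn)(const void *ctx, uint8_t block[GCM_BLOCK]);

/* Generic CTR increment: the whole block as a big-endian 128-bit integer.
 * This is the behaviour the buggy GCM path inherited. */
void ctr_inc128(uint8_t ctr[GCM_BLOCK])
{
  int i;
  for (i = GCM_BLOCK - 1; i >= 0; i--)
    if (++ctr[i] != 0)
      break;                    /* no carry: stop */
}

/* GCM inc32: increment only bytes 12..15 (big-endian), wrapping mod 2^32.
 * Bytes 0..11 (the nonce-derived prefix) are never modified. */
void gcm_inc32(uint8_t ctr[GCM_BLOCK])
{
  uint32_t c = ((uint32_t)ctr[12] << 24) | ((uint32_t)ctr[13] << 16)
             | ((uint32_t)ctr[14] << 8)  |  (uint32_t)ctr[15];
  c += 1;                       /* unsigned arithmetic wraps at 2^32 */
  ctr[12] = (uint8_t)(c >> 24);
  ctr[13] = (uint8_t)(c >> 16);
  ctr[14] = (uint8_t)(c >> 8);
  ctr[15] = (uint8_t)c;
}

/* GCTR: XOR 'len' bytes of 'in' with E_K(counter) blocks, advancing 'ctr'
 * with inc32 after every block.  A partial final block is handled. */
void gcm_ctr_crypt(const void *ctx, block_enc_fn enc, uint8_t ctr[GCM_BLOCK],
                   const uint8_t *in, uint8_t *out, size_t len)
{
  uint8_t ks[GCM_BLOCK];
  while (len > 0)
    {
      size_t n = len < GCM_BLOCK ? len : GCM_BLOCK;
      size_t i;
      memcpy(ks, ctr, GCM_BLOCK);
      enc(ctx, ks);
      for (i = 0; i < n; i++)
        out[i] = in[i] ^ ks[i];
      gcm_inc32(ctr);           /* the fix: NOT ctr_inc128() */
      in += n; out += n; len -= n;
    }
}

/* Returns the 1-based index of the first counter block at which inc32 and
 * the 128-bit increment disagree when starting from 'start', or 0 if they
 * agree for all 'nblocks' increments. */
size_t first_divergence(const uint8_t start[GCM_BLOCK], size_t nblocks)
{
  uint8_t a[GCM_BLOCK], b[GCM_BLOCK];
  size_t i;
  memcpy(a, start, GCM_BLOCK);
  memcpy(b, start, GCM_BLOCK);
  for (i = 1; i <= nblocks; i++)
    {
      gcm_inc32(a);
      ctr_inc128(b);
      if (memcmp(a, b, GCM_BLOCK) != 0)
        return i;
    }
  return 0;
}

/* Constructed stand-in for the block cipher (XOR with a 16-byte key from
 * 'ctx'); it only makes the counter blocks visible in the output and is
 * not a cipher. */
void toy_block_enc(const void *ctx, uint8_t block[GCM_BLOCK])
{
  const uint8_t *k = ctx;
  size_t i;
  for (i = 0; i < GCM_BLOCK; i++)
    block[i] ^= k[i];
}

int main(void)
{
  /* Constructed counter block: 12-byte nonce, low word two below wrap. */
  uint8_t start[GCM_BLOCK] = {1,2,3,4,5,6,7,8,9,10,11,12,0xFF,0xFF,0xFF,0xFE};
  printf("inc32 and 128-bit CTR diverge at block %zu\n",
         first_divergence(start, 8));   /* prints 2 */
  return 0;
}
```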
7495
7496 2018-01-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7497
7498 Fix use of AVX instructions in ChaCha20 SSSE3 implementation.
7499 + commit 0b55f349a8b8f4b0ac9ed724c2d5b8dcc9f5401c
7500 * cipher/chacha20-amd64-ssse3.S: Replace two 'vmovdqa' instructions
7501 with 'movdqa'.
7502
7503 2018-01-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7504
7505 doc: fix double "See" in front of reference.
7506 + commit bd75f0e89817b5708c57efab49e3eb4e035186e2
7507 * doc/gcrypt.texi: Change @xref to @ref when text already has 'see' in
7508 the front.
7509
7510 Add EAX mode.
7511 + commit e8629e535bd0e9711b07904d4501de8ad57aaecd
7512 * cipher/Makefile.am: Add 'cipher-eax.c'.
7513 * cipher/cipher-cmac.c (cmac_write): Rename to ...
7514 (_gcry_cmac_write): ... this; Take CMAC context as new input
7515 parameter; Return error code.
7516 (cmac_generate_subkeys): Rename to ...
7517 (_gcry_cmac_generate_subkeys): ... this; Take CMAC context as new
7518 input parameter; Return error code.
7519 (cmac_final): Rename to ...
7520 (_gcry_cmac_final): ... this; Take CMAC context as new input
7521 parameter; Return error code.
7522 (cmac_tag): Take CMAC context as new input parameter.
7523 (_gcry_cmac_reset): New.
7524 (_gcry_cipher_cmac_authenticate): Remove duplicate tag flag check;
7525 Adapt to changes above.
7526 (_gcry_cipher_cmac_get_tag): Adapt to changes above.
7527 (_gcry_cipher_cmac_check_tag): Ditto.
7528 (_gcry_cipher_cmac_set_subkeys): Ditto.
7529 * cipher-eax.c: New.
7530 * cipher-internal.h (gcry_cmac_context_t): New.
7531 (gcry_cipher_handle): Update u_mode.cmac; Add u_mode.eax.
7532 (_gcry_cmac_write, _gcry_cmac_generate_subkeys, _gcry_cmac_final)
7533 (_gcry_cmac_reset, _gcry_cipher_eax_encrypt, _gcry_cipher_eax_decrypt)
7534 (_gcry_cipher_eax_set_nonce, _gcry_cipher_eax_authenticate)
7535 (_gcry_cipher_eax_get_tag, _gcry_cipher_eax_check_tag)
7536 (_gcry_cipher_eax_setkey): New prototypes.
7537 * cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
7538 (cipher_reset, cipher_encrypt, cipher_decrypt, _gcry_cipher_setiv)
7539 (_gcry_cipher_authenticate, _gcry_cipher_gettag, _gcry_cipher_checktag)
7540 (_gcry_cipher_info): Add EAX mode.
7541 * doc/gcrypt.texi: Add EAX mode.
7542 * src/gcrypt.h.in (GCRY_CIPHER_MODE_EAX): New.
7543 * tests/basic.c (_check_gcm_cipher, _check_poly1305_cipher): Constify
7544 test vectors array.
7545 (_check_eax_cipher, check_eax_cipher): New.
7546 (check_ciphers, check_cipher_modes): Add EAX mode.
7547 * tests/bench-slope.c (bench_eax_encrypt_do_bench)
7548 (bench_eax_decrypt_do_bench, bench_eax_authenticate_do_bench)
7549 (eax_encrypt_ops, eax_decrypt_ops, eax_authenticate_ops): New.
7550 (cipher_modes): Add EAX mode.
7551 * tests/benchmark.c (cipher_bench): Add EAX mode.
7552
7553 cipher: constify spec arrays.
7554 + commit cd7ed2e3546b12dd98df4211949f1cdbf5827013
7555 * cipher/cipher.c (cipher_list): Constify array.
7556 * cipher/mac.c (mac_list): Constify array.
7557 * cipher/md.c (digest_list): Constify array.
7558 * cipher/pubkey.c (pubkey_list): Constify array.
7559
7560 Add ARMv8/CE acceleration for AES-XTS.
7561 + commit 93503c127a52c1f6a193750e2bf181a744ba3e6b
7562 * cipher/rijndael-armv8-aarch32-ce.S (_gcry_aes_xts_enc_armv8_ce)
7563 (_gcry_aes_xts_dec_armv8_ce): New.
7564 * cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_xts_enc_armv8_ce)
7565 (_gcry_aes_xts_dec_armv8_ce): New.
7566 * cipher/rijndael-armv8-ce.c (_gcry_aes_xts_enc_armv8_ce)
7567 (_gcry_aes_xts_dec_armv8_ce, xts_crypt_fn_t)
7568 (_gcry_aes_armv8_ce_xts_crypt): New.
7569 * cipher/rijndael.c (_gcry_aes_armv8_ce_xts_crypt): New.
7570 (_gcry_aes_xts_crypt) [USE_ARM_CE]: New.
7571
7572 2018-01-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7573
7574 rijndael-ssse3: call assembly functions directly.
7575 + commit c3d60acc3ab5c6d60c2258882175bf31351cc998
7576 * cipher/rijndael-ssse3-amd64-asm.S (_gcry_aes_ssse3_enc_preload)
7577 (_gcry_aes_ssse3_dec_preload, _gcry_aes_ssse3_encrypt_core)
7578 (_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add
7579 ENTER_SYSV_FUNC_PARAMS_* at function entry and EXIT_SYSV_FUNC at exit.
7580 (_gcry_aes_ssse3_encrypt_core, _gcry_aes_ssse3_decrypt_core): Change
7581 input parameters to RDI and RSI registers.
7582 * cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_encrypt_core)
7583 (_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add parameters
7584 for function prototypes.
7585 (PUSH_STACK_PTR, POP_STACK_PTR): Remove.
7586 (vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
7587 (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
7588 (do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Remove inline assembly to
7589 call functions, and call directly instead.
7590
7591 Move AMD64 MS to SysV calling convention conversion to assembly side.
7592 + commit a518b6680ea80a4325731028545a701c1d71fc02
7593 * cipher/Makefile.am: Add 'asm-common-amd64.h'.
7594 * cipher/asm-common-amd64.h: New.
7595 * cipher/blowfish-amd64.S: Add ENTER_SYSV_FUNC_* and EXIT_SYSV_FUNC for
7596 each global function from 'asm-common-amd64.h'.
7597 * cipher/cast5-amd64.S: Ditto.
7598 * cipher/des-amd64.S: Ditto.
7599 * cipher/rijndael-amd64.S: Ditto.
7600 * cipher/twofish-amd64.S: Ditto.
7601 * cipher/arcfour-amd64.S: Ditto.
7602 * cipher/blowfish.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
7603 (call_sysv_fn): Remove.
7604 * cipher/cast5.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
7605 (call_sysv_fn): Remove.
7606 * cipher/twofish.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
7607 (call_sysv_fn, call_sysv_fn5, call_sysv_fn6): Remove.
7608 * cipher/rijndael.c (do_encrypt, do_decrypt)
7609 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Remove assembly block for
7610 calling SysV ABI function.
7611 * cipher/arcfour.c [USE_AMD64_ASM] (encrypt_stream): Ditto.
7612
7613 Make BMI2 inline assembly check more robust.
7614 + commit 135250e3060e79be698d4f36a819aa8a880789f8
7615 * configure.ac (gcry_cv_gcc_inline_asm_bmi2): New assembly test.
7616
7617 Add AES-NI acceleration for AES-XTS.
7618 + commit a00c5b2988cea256c7823a76ce601febf02c790f
7619 * cipher/cipher-internal.h (gcry_cipher_handle): Change bulk
7620 XTS function to take cipher context.
7621 * cipher/cipher-xts.c (_gcry_cipher_xts_crypt): Ditto.
7622 * cipher/cipher.c (_gcry_cipher_open_internal): Setup AES-NI
7623 XTS bulk function.
7624 * cipher/rijndael-aesni.c (xts_gfmul_const, _gcry_aes_aesni_xts_enc)
7625 (_gcry_aes_aesni_xts_enc, _gcry_aes_aesni_xts_crypt): New.
7626 * cipher/rijndael.c (_gcry_aes_aesni_xts_crypt)
7627 (_gcry_aes_xts_crypt): New.
7628 * src/cipher.h (_gcry_aes_xts_crypt): New.
7629
7630 AES-NI improvements for AMD64.
7631 + commit c9e9cb2eb6a1c659d3825ca627228b732f2f2152
7632 * cipher/rijndael-aesni.c [__x86_64__] (aesni_prepare_7_15_variable)
7633 (aesni_prepare_7_15, aesni_cleanup_7_15, do_aesni_enc_vec8)
7634 (do_aesni_dec_vec8, do_aesni_ctr_8): New.
7635 (_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
7636 (_gcry_aes_aesni_cbc_dec, aesni_ocb_enc, aesni_ocb_dec)
7637 (_gcry_aes_aesni_ocb_auth) [__x86_64__]: Add 8 parallel blocks
7638 processing.
7639
7640 Add ARMv8/AArch64 implementation of chacha20.
7641 + commit b3ec0f752c925cde36f560f0f9309ab6450bbfd9
7642 * cipher/Makefile.am: Add 'chacha20-aarch64.S'.
7643 * cipher/chacha20-aarch64.S: New.
7644 * cipher/chacha20.c (USE_AARCH64_SIMD): New.
7645 (_gcry_chacha20_aarch_blocks4): New.
7646 (chacha20_do_setkey): Add HWF selection for AArch64 implementation.
7647 * configure.ac: Add 'chacha20-aarch64.lo'.
7648
7649 New ChaCha implementations.
7650 + commit 172ad09cbedc893f147180875335f4c525393c0b
7651 * cipher/Makefile.am: Remove 'chacha20-sse2-amd64.S',
7652 'chacha20-ssse3-amd64.S', 'chacha20-avx2-amd64.S'; Add
7653 'chacha20-amd64-ssse3.S', 'chacha20-amd64-avx2.S'.
7654 * cipher/chacha20-amd64-avx2.S: New.
7655 * cipher/chacha20-amd64-ssse3.S: New.
7656 * cipher/chacha20-armv7-neon.S: Rewrite.
7657 * cipher/chacha20-avx2-amd64.S: Remove.
7658 * cipher/chacha20-sse2-amd64.S: Remove.
7659 * cipher/chacha20-ssse3-amd64.S: Remove.
7660 * cipher/chacha20.c (CHACHA20_INPUT_LENGTH, USE_SSE2, USE_NEON)
7661 (ASM_EXTRA_STACK, chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks)
7662 (_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks)
7663 (_gcry_chacha20_armv7_neon_blocks, QROUND, QOUT, chacha20_core)
7664 (chacha20_do_encrypt_stream): Remove.
7665 (_gcry_chacha20_amd64_ssse3_blocks4, _gcry_chacha20_amd64_avx2_blocks8)
7666 (_gcry_chacha20_armv7_neon_blocks4, ROTATE, XOR, PLUS, PLUSONE)
7667 (QUARTERROUND, BUF_XOR_LE32): New.
7668 (CHACHA20_context_s, chacha20_blocks, chacha20_keysetup)
7669 (chacha20_encrypt_stream): Rewrite.
7670 (chacha20_do_setkey): Adjust for new CHACHA20_context_s.
7671 * configure.ac: Remove 'chacha20-sse2-amd64.lo',
7672 'chacha20-ssse3-amd64.lo', 'chacha20-avx2-amd64.lo'; Add
7673 'chacha20-amd64-ssse3.lo', 'chacha20-amd64-avx2.lo'.
7674
7675 New Poly1305 implementations.
7676 + commit b9a471ccf5f02f89e25c7ccc29898d0e4e486099
7677 * cipher/Makefile.am: Include '../mpi' for 'longlong.h'; Remove
7678 'poly1305-sse2-amd64.S', 'poly1305-avx2-amd64.S' and
7679 'poly1305-armv7-neon.S'.
7680 * cipher/poly1305-armv7-neon.S: Remove.
7681 * cipher/poly1305-avx2-amd64.S: Remove.
7682 * cipher/poly1305-sse2-amd64.S: Remove.
7683 * cipher/poly1305-internal.h (POLY1305_BLOCKSIZE)
7684 (POLY1305_STATE): New.
7685 (POLY1305_SYSV_FUNC_ABI, POLY1305_REF_BLOCKSIZE)
7686 (POLY1305_REF_STATESIZE, POLY1305_REF_ALIGNMENT)
7687 (POLY1305_USE_SSE2, POLY1305_SSE2_BLOCKSIZE, POLY1305_SSE2_STATESIZE)
7688 (POLY1305_SSE2_ALIGNMENT, POLY1305_USE_AVX2, POLY1305_AVX2_BLOCKSIZE)
7689 (POLY1305_AVX2_STATESIZE, POLY1305_AVX2_ALIGNMENT)
7690 (POLY1305_USE_NEON, POLY1305_NEON_BLOCKSIZE, POLY1305_NEON_STATESIZE)
7691 (POLY1305_NEON_ALIGNMENT, POLY1305_LARGEST_BLOCKSIZE)
7692 (POLY1305_LARGEST_STATESIZE, POLY1305_LARGEST_ALIGNMENT)
7693 (POLY1305_STATE_BLOCKSIZE, POLY1305_STATE_STATESIZE)
7694 (POLY1305_STATE_ALIGNMENT, OPS_FUNC_ABI, poly1305_key_s)
7695 (poly1305_ops_s): Remove.
7696 (poly1305_context_s): Rewrite.
7697 * cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext)
7698 (_gcry_poly1305_amd64_sse2_finish_ext)
7699 (_gcry_poly1305_amd64_sse2_blocks, poly1305_amd64_sse2_ops)
7700 (poly1305_init_ext_ref32, poly1305_blocks_ref32)
7701 (poly1305_finish_ext_ref32, poly1305_default_ops)
7702 (_gcry_poly1305_amd64_avx2_init_ext)
7703 (_gcry_poly1305_amd64_avx2_finish_ext)
7704 (_gcry_poly1305_amd64_avx2_blocks)
7705 (poly1305_amd64_avx2_ops, poly1305_get_state): Remove.
7706 (poly1305_init): Rewrite.
7707 (USE_MPI_64BIT, USE_MPI_32BIT): New.
7708 [USE_MPI_64BIT] (ADD_1305_64, MUL_MOD_1305_64, poly1305_blocks)
7709 (poly1305_final): New implementation using 64-bit limbs.
7710 [USE_MPI_32BIT] (UMUL_ADD_32, ADD_1305_32, MUL_MOD_1305_32)
7711 (poly1305_blocks): New implementation using 32-bit limbs.
7712 (_gcry_poly1305_update, _gcry_poly1305_finish)
7713 (_gcry_poly1305_init): Adapt to new implementation.
7714 * configure.ac: Remove 'poly1305-sse2-amd64.lo',
7715 'poly1305-avx2-amd64.lo' and 'poly1305-armv7-neon.lo'.
7716
7717 mpi/ec: fix when 'unsigned long' is 32-bit but limb size is 64-bit.
7718 + commit d39deb0a41dbeec81174704904d3d29c66d10d7e
7719 * mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Cast '1' to
7720 mpi_limb_t before left shift.
7721
7722 2017-11-24 Werner Koch <wk@gnupg.org>
7723
7724 sexp: Avoid a fatal error in case of ENOMEM in called functions.
7725 + commit 2ad912d5b7794fb32192fddab1b559c7b86303a2
7726 * src/sexp.c (do_vsexp_sscan): Replace BUG() by a proper error
7727 return. Replace sprintf by snprintf.
7728 (convert_to_hex): Replace sprintf by snprintf.
7729 (convert_to_string): Ditto.
7730 (_gcry_sexp_sprint): Ditto.
7731
7732 api: Add GCRYCTL_AUTO_EXPAND_SECMEM.
7733 + commit 1f6b2f6099ebcfd785e2d2ae0aeca810394dbbac
7734 * src/gcrypt.h.in (GCRYCTL_AUTO_EXPAND_SECMEM): New enum.
7735 * src/global.c (_gcry_vcontrol): Implement that.
7736 * src/secmem.c (auto_expand): New var.
7737 (_gcry_secmem_set_auto_expand): New.
7738 (_gcry_secmem_malloc_internal): Act upon AUTO_EXPAND.
7739
7740 2017-11-14 NIIBE Yutaka <gniibe@fsij.org>
7741
7742 tests: Add HAVE_MMAP check for MinGW.
7743 + commit c594f187bd457b757112adc551ffa4db92962dc1
7744 * tests/t-secmem.c (main): Conditionalize with HAVE_MMAP.
7745
7746 2017-11-09 NIIBE Yutaka <gniibe@fsij.org>
7747
7748 Fix secmem test for machine with larger page.
7749 + commit 621f5c4e837347308a6b06a8cfbfc47ca9fae69e
7750 * tests/t-secmem.c (main): Detect page size and setup chunk size.
7751 * src/secmem.c (init_pool): Simplify the expression.
7752
7753 2017-10-25 NIIBE Yutaka <gniibe@fsij.org>
7754
7755 Add OID information for SM3.
7756 + commit 94b84360ca55c407222a3eb8222d8b1816fc617f
7757 * cipher/sm3.c (asn_sm3, oid_spec_sm3): New.
7758 (_gcry_digest_spec_sm3): Add asn_sm3, oid_spec_sm3.
7759
7760 2017-10-24 Jia Zhang <qianyue.zj@alibaba-inc.com>
7761
7762 Add crypto hash SM3.
7763 + commit 4423bf3cc4432b9bfe801ff74cb05e6f0dd3eccd
7764 * configure.ac (available_digests): Add sm3.
7765 * src/cipher.h: Add declarations for SM3.
7766 * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm3.c.
7767 * cipher/md.c [USE_SM3] (digest_list): Add _gcry_digest_spec_sm3.
7768 * cipher/pubkey-util.c (hashnames): Add "sm3".
7769 * cipher/sm3.c: New.
7770 * tests/basic.c (check_digests): Add test vectors for SM3.
7771 * tests/hashtest-256g.in (algos): Add SM3.
7772 * tests/hashtest.c (testvectors): Add for SM3.
7773
7774 2017-10-24 NIIBE Yutaka <gniibe@fsij.org>
7775
7776 Add new constant GCRY_MD_SM3 for crypto hash SM3.
7777 + commit 5b31e22d9fc542bdccb1586ef2c83d9794a731d3
7778 * src/gcrypt.h.in (GCRY_MD_SM3): New.
7779
7780 2017-10-17 Werner Koch <wk@gnupg.org>
7781
7782 api: New function gcry_mpi_get_ui.
7783 + commit c6e42e7ec3d1046969d783c443c13aad7cb61bb8
7784 * src/gcrypt.h.in (gcry_mpi_get_ui): New.
7785 (mpi_get_ui): New macro.
7786 * src/libgcrypt.def, src/libgcrypt.vers: Add new function.
7787 * src/visibility.c (gcry_mpi_get_ui): New.
7788 * src/visibility.h: Mark that function.
7789 (gcry_mpi_get_ui): New.
7790 * mpi/mpiutil.c (MY_UINT_MAX): New macro.
7791 (_gcry_mpi_get_ui): Re-implemented. This function existed but was
7792 never imported or used.
7793 * tests/mpitests.c (test_maxsize): Add some test for this function.
7794
7795 2017-08-29 NIIBE Yutaka <gniibe@fsij.org>
7796
7797 Tweak GCC version check.
7798 + commit e4dc458b0b7dc9b8417a2177ef17822d9b9064ec
7799 * src/global.c (_gcry_vcontrol): It's GCC 4.2 which started to support
7800 diagnostic pragma.
7801
7802 random: Fix warnings on Windows.
7803 + commit 8126a6717c80d4fc1766d7f975e872bee2f9f203
7804 * random/random-csprng.c (lock_seed_file): Vars with no use.
7805
7806 tests: Fix warnings on Windows.
7807 + commit a848ef44470a524c05624afb54b92cf25595acd2
7808 * tests/fipsdrv.c (print_dsa_domain_parameters, print_ecdsa_dq): Fix.
7809
7810 ecc: Fix scratch MPI.
7811 + commit db3a8d6890fb4a6436e082b49378c0bd891563ca
7812 * mpi/ec.c (ec_p_init): Check if scratch MPI is allocated.
7813
7814 ecc: Fix ec_mulm_25519.
7815 + commit 1d5f726668b9cc32d6bb601f2329987058146c6c
7816 * mpi/ec.c (ec_mulm_25519): Improve reduction to 25519.
7817
7818 ecc: Use 25519 method also for ed25519.
7819 + commit fab712d654b2ccd24696ed90bc239860a128ad5b
7820 * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Don't use mpi_add
7821 since it resizes to have more limbs.
7822 * mpi/ec.c (point_resize): Fix for Edwards curve.
7823 (ec_p_init): Support Edwards curve.
7824 (_gcry_mpi_ec_get_affine): Use the methods.
7825 (dup_point_edwards, add_points_edwards, sub_points_edwards): Ditto.
7826 (_gcry_mpi_ec_mul_point): Resize MPIs of point to fixed size.
7827 (_gcry_mpi_ec_curve_point): Use the methods.
7828
7829 ecc: Clean up curve specific method support.
7830 + commit 1ac3d3637dd80013b78e03b9b9f582091710d908
7831 * src/ec-context.h (struct mpi_ec_ctx_s): Remove MOD method.
7832 * mpi/ec.c (ec_mod_25519): Remove.
7833 (ec_p_init): Follow the removal of the MOD method.
7834
7835 ecc: Relax condition for 25519 computations.
7836 + commit e9be23c4ad9f42c9d3198c706f912b7e27f574bc
7837 * mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Check number
7838 of limbs; having allocated more is OK.
7839
7840 ecc: Fix ec_mulm_25519.
7841 + commit 449459a2770d3aecb1f36502bf1903e0cbd2873e
7842 * mpi/ec.c (ec_mulm_25519): Fix the cases of 0 to 18.
7843
7844 ecc: field specific routines for 25519.
7845 + commit 9ed0fb37bd637d1a2e9498c24097cfeadec682ec
7846 * mpi/ec.c (point_resize): Improve for X25519.
7847 (mpih_set_cond): New.
7848 (ec_mod_25519, ec_addm_25519, ec_subm_25519, ec_mulm_25519)
7849 (ec_mul2_25519, ec_pow2_25519): New.
7850 (ec_p_init): Fill by FIELD_TABLE.
7851
7852 ecc: Add field specific computation methods.
7853 + commit d4cd381defe5b37dda19bbda0986bdd38065bd31
7854 * src/ec-context.h (struct mpi_ec_ctx_s): Add methods.
7855 * mpi/ec.c (ec_p_init): Initialize the default methods.
7856 (montgomery_ladder): Use the methods.
7857
7858 2017-08-27 Werner Koch <wk@gnupg.org>
7859
7860 Release 1.8.1.
7861 + commit 80fd8615048c3897b91a315cca22ab139b056ccd
7862 * configure.ac: Set LT version to C22/A2/R1.
7863
7864 2017-08-27 NIIBE Yutaka <gniibe@fsij.org>
7865
7866 ecc: Add input validation for X25519.
7867 + commit bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9
7868 * cipher/ecc.c (ecc_decrypt_raw): Add input validation.
7869 * mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
7870 (_gcry_mpi_ec_bad_point): New.
7871
7872 2017-08-07 Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de>
7873
7874 cipher: Add OID for SHA384WithECDSA.
7875 + commit a7bd2cbd3eabda88fb3cac5cbc13c21c97a7b315
7876 * cipher/sha512.c (oid_spec_sha384): Add SHA384WithECDSA.
7877
7878 2017-08-02 Werner Koch <wk@gnupg.org>
7879
7880 tests: Fix a printf glitch for a Windows test.
7881 + commit df1e221b3012e96bbffbc7d5fd70836a9ae1cc19
7882 * tests/t-convert.c (check_formats): Fix print format glitch on
7883 Windows.
7884 * tests/t-ed25519.c: Typo fix.
7885
7886 tests: Add benchmarking option to tests/random.
7887 + commit 21d0f068a721c022f955084c28304934fd198c5e
7888 * tests/random.c: Always include unistd.h.
7889 (prepend_srcdir): New.
7890 (run_benchmark): New.
7891 (main): Add options --benchmark and --with-seed-file. Print whether
7892 JENT has been used.
7893 * tests/t-common.h (split_fields_colon): New. Taken from GnuPG.
7894 License of that code changed to LGPLv2.1.
7895
7896 random: Add more bytes to the pool in addition to the seed file.
7897 + commit eea36574f37830a6a80b4fad884825e815b2912f
7898 * random/random-csprng.c (read_seed_file): Read 128 or 32 bytes
7899 depending on whether we have the Jitter RNG.
7900
7901 2017-08-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7902
7903 Add script to run basic tests with all supported HWF combinations.
7904 + commit 94a92a3db909aef0ebcc009c2d7f5a2663e99004
7905 * tests/basic_all_hwfeature_combinations.sh: New.
7906 * tests/Makefile.am: Add basic_all_hwfeature_combinations.sh.
7907
7908 2017-07-29 Jussi Kivilinna <jussi.kivilinna@iki.fi>
7909
7910 Fix return value type for _gcry_md_extract.
7911 + commit cf1528e7f2761774d06ace0de48f39c96b52dc4f
7912 * src/gcrypt-int.h (_gcry_md_extract): Use gpg_err_code_t instead of
7913 gpg_error_t for internal function return type.
7914
7915 Fix building AArch32 CE implementations when target is ARMv6 arch.
7916 + commit 4a7aa30ae9f3ce798dd886c2f2d4164c43027748
7917 * cipher/cipher-gcm-armv8-aarch32-ce.S: Select ARMv8 architecture.
7918 * cipher/rijndael-armv8-aarch32-ce.S: Ditto.
7919 * cipher/sha1-armv8-aarch32-ce.S: Ditto.
7920 * cipher/sha256-armv8-aarch32-ce.S: Ditto.
7921 * configure.ac (gcry_cv_gcc_inline_asm_aarch32_crypto): Ditto.
7922
7923 2017-07-25 NIIBE Yutaka <gniibe@fsij.org>
7924
7925 sexp: Add fall through annotation.
7926 + commit b7cd44335d9cde43be6f693dca6399ed0762649c
7927 * src/dumpsexp.c (parse_and_print): It's a fall-through.
7928
7929 2017-07-24 Werner Koch <wk@gnupg.org>
7930
7931 random: Fix the command line munging for jitterbase.
7932 + commit ac39522ab08fcd2483edc223334c6ab9d19e91f3
7933 * random/Makefile.am (o_flag_munging): Make the first sed term also
7934 global.
7935
7936 2017-07-19 NIIBE Yutaka <gniibe@fsij.org>
7937
7938 Remove byte order mark.
7939 + commit 1d8e4c2c3a7d0a4154caf5bd720a9a0b04179390
7940 * random/jitterentropy-base.c, random/jitterentropy.h: Remove
7941 byte order mark.
7942
7943 2017-07-18 Werner Koch <wk@gnupg.org>
7944
7945 Release 1.8.0.
7946 + commit 850aca744eeda5fd410f478a0778e353045ac962
7947
7948
7949 mac: Add selftests for HMAC-SHA3-xxx.
7950 + commit 95194c550443e8d5558856633f920daec8a975c4
7951 * cipher/hmac-tests.c (check_one): Add arg trunc and change all
7952 callers to pass false.
7953 (selftests_sha3): New.
7954 (run_selftests): Call new selftests.
7955
7956 api: New function gcry_mpi_point_copy.
7957 + commit ecf73dafb7aafed0d0f339d07235b58c2113f94c
7958 * src/gcrypt.h.in (gcry_mpi_point_copy): New.
7959 (mpi_point_copy): New macro.
7960 * src/visibility.c (gcry_mpi_point_copy): New.
7961 * src/libgcrypt.def, src/libgcrypt.vers: Add function.
7962 * mpi/ec.c (_gcry_mpi_point_copy): New.
7963 * tests/t-mpi-point.c (set_get_point): Add test.
7964
7965 2017-07-17 Werner Koch <wk@gnupg.org>
7966
7967 random: Minor fix for getting the rndjent version.
7968 + commit 9d99c6b973caa7fdf93b53cf764066214f763803
7969 * random/rndjent.c (_gcry_rndjent_get_version): Always set R_ACTIVE.
7970 * tests/version.c (test_get_config): Check number of fields for
7971 rng-type.
7972
7973 2017-07-07 NIIBE Yutaka <gniibe@fsij.org>
7974
7975 mpi: Minor fix of mpi_pow.
7976 + commit 61b0f52c1cc85bf8c3cac9aba40e28682e4e1b8b
7977 * mpi/mpi-pow.c (_gcry_mpi_powm): Allocate size fix.
7978
7979 mpi: Fix mpi_pow alternative implementation.
7980 + commit 66ed4d53789892def7b237756d8a0ab28df9d222
7981 * mpi/mpi-pow.c
7982 [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm): Use
7983 mpi_set_cond.
7984
7985 Fix mpi_pow alternative implementation.
7986 + commit 619ebae9847831f43314a95cc3180f4b329b4d3b
7987 * mpi/mpi-pow.c [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm):
7988 Allocate size fix.
7989
7990 2017-07-06 Werner Koch <wk@gnupg.org>
7991
7992 rsa: Use modern MPI allocation function.
7993 + commit 208aba6f9a0475ba049f5a66fe02cf9a6214a887
7994 * cipher/rsa.c (secret_core_crt): Use modern function _gcry_mpi_snew.
7995
7996 2017-07-05 Werner Koch <wk@gnupg.org>
7997
7998 build: Minor API fixes to fix build problems on AIX.
7999 + commit 85a9a913da9ecc6b2cd6f743e90e49983251d706
8000 * src/gcrypt.h.in (gcry_error_from_errno): Fix return type.
8001 * src/visibility.c (gcry_md_extract): Change return type to match the
8002 prototype.
8003
8004 tools: Add left shift to mpicalc.
8005 + commit 0d30a4a9791d20c8881b5b12bd44611d9f4274cd
8006 * src/mpicalc.c (do_lshift): New.
8007 (main): Handle '<'.
8008
8009 2017-07-04 NIIBE Yutaka <gniibe@fsij.org>
8010
8011 mpi: Fix mpi_set_secure.
8012 + commit 5feaf1cc8f22c1f8d19a34850d86fe190f1432e2
8013 * mpi/mpiutil.c (mpi_set_secure): Allocate by ->alloced.
8014
8015 2017-06-29 NIIBE Yutaka <gniibe@fsij.org>
8016 Werner Koch <wk@gnupg.org>
8017
8018 rsa: Add exponent blinding.
8019 + commit 8725c99ffa41778f382ca97233183bcd687bb0ce
8020 * cipher/rsa.c (secret_core_crt): Blind secret D with randomized
8021 nonce R for mpi_powm computation.
8022
8023 2017-06-28 NIIBE Yutaka <gniibe@fsij.org>
8024
8025 Same computation for square and multiply.
8026 + commit 78130828e9a140a9de4dafadbc844dbb64cb709a
8027 * mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move
8028 the assignment to base_u into the loop. Copy content referred to by RP to
8029 BASE_U except the last of the loop.
8030
8031 2017-06-24 Werner Koch <wk@gnupg.org>
8032
8033 rsa: Minor refactoring.
8034 + commit e6a3dc9900433bbc8ad362a595a3837318c28fa9
8035 * cipher/rsa.c (secret): Factor code out to ...
8036 (secret_core_std, secret_core_crt): new functions.
8037
8038 2017-06-23 Werner Koch <wk@gnupg.org>
8039
8040 random: Add missing dependency.
8041 + commit d091610377b2c92cf385282b1adfc30fa6cd5c75
8042 * random/Makefile.am (EXTRA_librandom_la_SOURCES): Fix file name.
8043 (rndjent.o, rndjent.lo): Depend on jitterentropy-base-user.h.
8044
8045 random: Update jitterentropy to 2.1.0.
8046 + commit 8dfae89ecd3e9ae0967586cb38d12ef9111fc7cd
8047 * random/rndjent.c (jent_get_nstime, jent_zfree)
8048 (jent_fips_enabled, jent_zalloc): Move functions and macros to ...
8049 * random/jitterentropy-base-user.h: this file. That file was not
8050 used before.
8051 * random/Makefile.am (EXTRA_librandom_la_SOURCES): Add
8052 jitterentropy-base-user.
8053 * random/jitterentropy-base.c: Update to version 2.1.0.
8054 * random/jitterentropy.h: Ditto.
8055
8056 2017-06-21 Werner Koch <wk@gnupg.org>
8057
8058 api: New function gcry_get_config.
8059 + commit 27148e60ba15b0cb73b47a75c688fcb48a1a3444
8060 * src/misc.c (_gcry_log_info_with_dummy_fp): Remove.
8061 * src/global.c (print_config): New arg WHAT. Remove arg FNC and use
8062 gpgrt_fprintf directly.
8063 (_gcry_get_config): New.
8064 (_gcry_vcontrol) <GCRYCTL_PRINT_CONFIG>: Use _gcry_get_config instead
8065 of print_config.
8066 * src/gcrypt.h.in (gcry_get_config): New.
8067 * src/libgcrypt.def, src/libgcrypt.vers: Add new function.
8068 * src/visibility.c (gcry_get_config): New.
8069 * src/visibility.h: Mark new function.
8070
8071 * tests/version.c (test_get_config): New.
8072 (main): Call new test.
8073
8074 random: Allow building rndjent on non-x86.
8075 + commit c2319464b03e61aaf34ef6d5f4b59b0c0483a373
8076 * random/jitterentropy-base.c (jent_version): Uncomment function.
8077 * random/rndjent.c: Include time.h
8078 (JENT_USES_RDTSC): New.
8079 (JENT_USES_GETTIME): New.
8080 (JENT_USES_READ_REAL_TIME): New.
8081 (jent_get_nstime): Support clock_gettime and AIX specific
8082 function. Taken from Stephan Müller's code.
8083 (is_rng_available): New.
8084 (_gcry_rndjent_dump_stats): Use that function.
8085 (_gcry_rndjent_poll): Use that function. Allow an ADD of NULL for an
8086 initialize-only mode.
8087 (_gcry_rndjent_get_version): New.
8088
8089 2017-06-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8090
8091 rijndael-padlock: change asm operands from read-only to read/write.
8092 + commit 32b4ab209067f6f08b87b27bc78ec27dc497b708
8093 * cipher/rijndael-padlock.c (do_padlock): Change ESI/EDI/ECX to use
8094 read/write operands as XCRYPT instruction modifies these registers.
8095
8096 2017-06-16 Werner Koch <wk@gnupg.org>
8097
8098 random: Make rndjent.c NTG.1 compliant.
8099 + commit 82bc052eda5b3897724c7ad11e54f8203e8e88e9
8100 * random/rndjent.c (_gcry_rndjent_poll): Hash the retrieved jitter.
8101
8102 md: Optimize gcry_md_hash_buffers for SHA-256 and SHA-512.
8103 + commit e6f90a392a1fd59b19b16f7a2bc7c439ae369d5f
8104 * cipher/sha256.c (_gcry_sha256_hash_buffer): New.
8105 (_gcry_sha256_hash_buffers): New.
8106 * cipher/sha512.c (_gcry_sha512_hash_buffer): New.
8107 (_gcry_sha512_hash_buffers): New.
8108 * cipher/md.c (_gcry_md_hash_buffer): Optimize for SHA256 and SHA512.
8109 (_gcry_md_hash_buffers): Ditto.
8110
8111 random: Allow building rndjent.c with stats collecting enabled.
8112 + commit ee3a74f5539cbc5182ce089994e37c16ce612149
8113 * random/rndjent.c: Change license to the one used by jitterentropy.h.
8114 (jent_init_statistic): New.
8115 (jent_bit_count): New.
8116 (jent_statistic_copy_stat): New.
8117 (jent_calc_statistic): New.
8118
8119 New global config option "only-urandom".
8120 + commit 8f6082e95f30c1ba68d2de23da90146f87f0c66c
8121 * random/rand-internal.h (RANDOM_CONF_ONLY_URANDOM): New.
8122 * random/random.c (_gcry_random_read_conf): Add option "only-urandom".
8123 * random/rndlinux.c (_gcry_rndlinux_gather_random): Implement that
8124 option.
8125 * tests/keygen.c (main): Add option --no-quick for better manual
8126 tests.
8127
8128 Implement global config file /etc/gcrypt/random.conf.
8129 + commit b05a4abc358b204dba343d9cfbd59fdc828c1686
8130 * src/hwfeatures.c (my_isascii): Move macro to ...
8131 * src/g10lib.h: here.
8132 * tests/random.c (main): Dump random stats.
8133 * random/random.c (RANDOM_CONF_FILE): New.
8134 (_gcry_random_read_conf): New.
8135 (_gcry_random_dump_stats): Call rndjent stats.
8136 * random/rndjent.c (jent_rng_totalcalls, jent_rng_totalbytes): New.
8137 (_gcry_rndjent_poll): Take care of config option disable-jent. Wipe
8138 buffer. Bump counters.
8139 (_gcry_rndjent_dump_stats): New.
8140
8141 2017-06-14 Werner Koch <wk@gnupg.org>
8142
8143 random: Add jitter RND based entropy collector.
8144 + commit f5e7763ddca59dcd9ac9f2f4d50cb41b14a34a9e
8145 * random/rndjent.c: New.
8146 * random/rndlinux.c (_gcry_rndlinux_gather_random): Use rndjent.
8147 * random/rndw32.c (_gcry_rndw32_gather_random): Use rndjent.
8148 (slow_gatherer): Fix compiler warning.
8149 * random/Makefile.am (librandom_la_SOURCES): Add rndjent.c
8150 (EXTRA_librandom_la_SOURCES): Add jitterentropy-base.c and
8151 jitterentropy.h.
8152 (rndjent.o, rndjent.lo): New rules.
8153 * configure.ac: New option --disable-jent-support.
8154 (ENABLE_JENT_SUPPORT): New ac-define.
8155
8156 cipher: New helper function rol64.
8157 + commit 6c882fb1fdb6c7cba2215fa7391110d63e24b9dc
8158 * cipher/bithelp.h (rol64): New inline function.
8159
8160 New hardware feature flag HWF_INTEL_RDTSC.
8161 + commit 06f303a633ea2b992259688bef2b023c3f388f73
8162 * src/g10lib.h (HWF_INTEL_RDTSC): New.
8163 * src/hwfeatures.c (hwflist): Add "intel-rdtsc".
8164 * src/hwf-x86.c (detect_x86_gnuc): Get EDX features and test for TSC.
8165
8166 random: Changes to original Jitter RNG implementation.
8167 + commit a44c45675f8b631e11048a540bb1fbb7a022ebb4
8168 * random/jitterentropy-base.c: Change double underscore symbols and
8169 make all functions static.
8170 * random/jitterentropy.h: Likewise.
8171
8172 2017-06-13 Stephan Mueller <smueller@chronox.de>
8173
8174 random: Add original Jitter RNG implementation.
8175 + commit f0ae18ecf48fbe2da0b9fb3f354d0dd3173d91d3
8176 * random/jitterentropy-base-user.h: New.
8177 * random/jitterentropy-base.c: New.
8178 * random/jitterentropy.h: New.
8179
8180 2017-06-08 Werner Koch <wk@gnupg.org>
8181
8182 build: Fix ChangeLog building for builds from other worktrees.
8183 + commit cdfd7ea72a44657f037dd0dbba6e5ea0c2b344aa
8184 * Makefile.am (gen-ChangeLog): Test for existence of ".git" regardless
8185 of whether it is a file or directory.
8186
8187 2017-06-02 NIIBE Yutaka <gniibe@fsij.org>
8188
8189 secmem: Fix SEGV and stat calculation.
8190 + commit e0958debe1a7db1bec1283115cdc6a14bf3b43e5
8191 * src/secmem.c (init_pool): Care about the header size.
8192 (_gcry_secmem_malloc_internal): Likewise.
8193 (_gcry_secmem_malloc_internal): Use mb->size for stats.
8194
8195 2017-06-01 Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
8196
8197 ecc: Store EdDSA session key in secure memory.
8198 + commit 5a22de904a0a366ae79f03ff1e13a1232a89e26b
8199 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Use mpi_snew to allocate
8200 session key.
8201
8202 2017-05-31 Werner Koch <wk@gnupg.org>
8203
8204 api: Deprecate gcry_md_info.
8205 + commit 45c39340c9926c2c5801dbab7609687c41e9ff1f
8206
8207
8208 2017-05-30 Werner Koch <wk@gnupg.org>
8209
8210 mpi: Distribute asm files for aarch64 and arm.
8211 + commit c65f9558f12ffa2810538ef616e71b4052dacb81
8212 * mpi/aarch64/distfiles: New.
8213 * mpi/arm/distfiles: New.
8214
8215 mpi: Distribute asm definitions for amd64.
8216 + commit 87e481137debabb7f989d7fa9b1c21c336e10c98
8217 * mpi/amd64/distfiles: Add mpi-asm-defs.h.
8218
8219 2017-05-23 Werner Koch <wk@gnupg.org>
8220
8221 cipher: Fix compiler warnings.
8222 + commit d764c9894013727ff82eb194da6030209c273528
8223 * cipher/poly1305.c (poly1305_default_ops): Move to the top. Add
8224 prototypes and compile only if USE_SSE2 is not defined.
8225 (poly1305_init_ext_ref32): Compile only if USE_SSE2 is not defined.
8226 (poly1305_blocks_ref32): Ditto.
8227 (poly1305_finish_ext_ref32): Ditto.
8228
8229 doc: Comment fixes.
8230 + commit c1bb3d9fdb6fe5f336af1d5a03fc42bfdc1f8b0b
8231
8232
8233 2017-05-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8234
8235 rijndael-ssse3: fix functions calls from assembly blocks.
8236 + commit 4cd94994a9abec9b92fa5972869baf089a28fa76
8237 * cipher/rijndael-ssse3-amd64.c (PUSH_STACK_PTR, POP_STACK_PTR): New.
8238 (vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
8239 (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
8240 (do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Use PUSH_STACK_PTR and
8241 POP_STACK_PTR.
8242
8243 chacha20-armv7-neon: fix to use fast code path when memory is aligned.
8244 + commit 68861ae5d3e007d7a39f14ea27dc3dd8ef13ba02
8245 * cipher/chacha20-armv7-neon.S (UNALIGNED_LDMIA4): Uncomment
8246 instruction for jump to aligned code path.
8247
8248 Move data in AMD64 assembly to text section.
8249 + commit 1a094bc5b2aa730833faf593a931d4e5d7f9ab4d
8250 * cipher/camellia-aesni-avx-amd64.S: Move data to .text section to
8251 ensure that RIP relative addressing of data will work.
8252 * cipher/camellia-aesni-avx2-amd64.S: Ditto.
8253 * cipher/chacha20-avx2-amd64.S: Ditto.
8254 * cipher/chacha20-ssse3-amd64.S: Ditto.
8255 * cipher/des-amd64.S: Ditto.
8256 * cipher/serpent-avx2-amd64.S: Ditto.
8257 * cipher/sha1-avx-amd64.S: Ditto.
8258 * cipher/sha1-avx-bmi2-amd64.S: Ditto.
8259 * cipher/sha1-ssse3-amd64.S: Ditto.
8260 * cipher/sha256-avx-amd64.S: Ditto.
8261 * cipher/sha256-avx2-bmi2-amd64.S: Ditto.
8262 * cipher/sha256-ssse3-amd64.S: Ditto.
8263 * cipher/sha512-avx-amd64.S: Ditto.
8264 * cipher/sha512-avx2-bmi2-amd64.S: Ditto.
8265 * cipher/sha512-ssse3-amd64.S: Ditto.
8266
8267 cast5-amd64: use 64-bit relocation with large PIC memory model.
8268 + commit ff02fca39c83bcf30c79368611ac65e273e77f6c
8269 * cipher/cast5-amd64.S [__code_model_large__]
8270 (GET_EXTERN_POINTER): New.
8271
8272 2017-05-13 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8273
8274 Fix building with x86-64 medium and large memory models.
8275 + commit 434d4f2af39033fc626044ba9a060da298522293
8276 * cipher/cast5-amd64.S [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
8277 (GET_EXTERN_POINTER): Load 64-bit address instead of 32-bit.
8278 * cipher/rijndael.c (do_encrypt, do_decrypt)
8279 [USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Load
8280 table pointer through register instead of generic reference.
8281
8282 2017-04-04 NIIBE Yutaka <gniibe@fsij.org>
8283
8284 mpi: Simplify mpi_powm.
8285 + commit 719468e53133d3bdf12156c5bfdea2bf15f9f6f1
8286 * mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.
8287
8288 2017-03-08 Justus Winter <justus@g10code.com>
8289
8290 build: Use macOS' compatibility macros to enable all features.
8291 + commit 654024081cfa103c87bb163b117ea3568171d408
8292 * configure.ac: On macOS, use the compatibility macros to expose every
8293 feature of the libc. This is the equivalent of _GNU_SOURCE on GNU
8294 libc.
8295
8296 2017-02-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8297
8298 Add BLAKE2b and BLAKE2s hash algorithms (RFC 7693)
8299 + commit 5bd530b8a4624f101b8d42e68f1b28bcc13f4f76
8300 * cipher/blake2.c: New.
8301 * cipher/Makefile.am: Add 'blake2.c'.
8302 * cipher/md.c (digest_list, prepare_macpads): Add BLAKE2.
8303 (md_setkey): New.
8304 (_gcry_md_setkey): Call 'md_setkey' for non-HMAC md.
8305 * configure.ac: Add BLAKE2 digest.
8306 * doc/gcrypt.texi: Add BLAKE2.
8307 * src/cipher.h (_gcry_blake2_init_with_key)
8308 (_gcry_digest_spec_blake2b_512, _gcry_digest_spec_blake2b_384)
8309 (_gcry_digest_spec_blake2b_256, _gcry_digest_spec_blake2b_160)
8310 (_gcry_digest_spec_blake2s_256, _gcry_digest_spec_blake2s_224)
8311 (_gcry_digest_spec_blake2s_160, _gcry_digest_spec_blake2s_128): New.
8312 * src/gcrypt.h.in (GCRY_MD_BLAKE2B_512, GCRY_MD_BLAKE2B_384)
8313 (GCRY_MD_BLAKE2B_256, GCRY_MD_BLAKE2B_160, GCRY_MD_BLAKE2S_256)
8314 (GCRY_MD_BLAKE2S_224, GCRY_MD_BLAKE2S_160, GCRY_MD_BLAKE2S_128): New.
8315 * tests/basic.c (check_one_md): Add testing for keyed hashes.
8316 (check_digests): Add BLAKE2 test vectors; Add testing for keyed hashes.
8317 * tests/blake2b.h: New.
8318 * tests/blake2s.h: New.
8319 * tests/Makefile.am: Add 'blake2b.h' and 'blake2s.h'.
8320
8321 Fix building with clang on ARM64/FreeBSD.
8322 + commit da213db2c6cda6f57e5853e8c591d69bfa1cfa74
8323 * cipher/cipher-gcm-armv8-aarch64-ce.S: Use '.cpu generic+simd+crypto'
8324 instead of '.arch armv8-a+crypto'.
8325 * cipher/rijndael-armv8-aarch64-ce.S: Ditto.
8326 * cipher/sha1-armv8-aarch64-ce.S: Ditto.
8327 * cipher/sha256-armv8-aarch64-ce.S: Ditto.
8328 * configure.ac (gcry_cv_gcc_inline_asm_aarch64_neon): Ditto.
8329 (gcry_cv_gcc_inline_asm_aarch64_crypto): Ditto; and include NEON
8330 instructions in the crypto instructions check.
8331
8332 2017-02-07 Justus Winter <justus@g10code.com>
8333
8334 Fix building with a pre C99 compiler.
8335 + commit 75d91ffeaf83098ade325bb3b6b2c8a76eb1f6a6
8336 * cipher/cipher-cfb.c (_gcry_cipher_cfb8_encrypt): Move the
8337 declaration of 'i' out of the loop.
8338 (_gcry_cipher_cfb8_decrypt): Likewise.
8339
8340 2017-02-04 Mathias L. Baumann <mathias.baumann_at_sociomantic.com>
8341
8342 Implement CFB with 8-bit mode.
8343 + commit d1ee9a660571ce4a998c9ab2299d4f2419f99127
8344 * cipher/cipher-cfb.c (_gcry_cipher_cfb8_encrypt)
8345 (_gcry_cipher_cfb8_decrypt): Add 8-bit variants of decrypt/encrypt
8346 functions.
8347 * cipher/cipher-internal.h (_gcry_cipher_cfb8_encrypt)
8348 (_gcry_cipher_cfb8_decrypt): Ditto.
8349 * cipher/cipher.c: Adjust code flow to work with GCRY_CIPHER_MODE_CFB8.
8350 * tests/basic.c: Add tests for cfb8 with AES and 3DES.
8351
8352 2017-02-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8353
8354 rndhw: add missing "memory" clobbers.
8355 + commit c67c728478e8f47b6e8296b643fd35d66d4a1052
8356 * random/rndhw.c (poll_padlock, rdrand_long): Add "memory" to asm
8357 clobbers.
8358
8359 Add UNLIKELY and LIKELY macros.
8360 + commit 4b7451d3e8e7b87d8e407fbbd924ad5b13bd0f00
8361 * src/g10lib.h (LIKELY, UNLIKELY): New.
8362 (gcry_assert): Use LIKELY for assert check.
8363 (fast_wipememory2_unaligned_head): Use UNLIKELY for unaligned
8364 branching.
8365 * cipher/bufhelp.h (buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst)
8366 (buf_xor_n_copy_2): Ditto.
8367
8368 rndhw: avoid type-punning.
8369 + commit 37b537600f33fcf8e1c8dc2c658a142fbba44199
8370 * random/rndhw.c (rdrand_long, rdrand_nlong): Add 'volatile' for
8371 pointer.
8372 (poll_drng): Convert buffer to 'unsigned long[]' and make use of DIM
8373 macro.
8374
8375 2017-01-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8376
8377 hwf-x86: avoid type-punning.
8378 + commit 1407317a6112a23d4fec5827a9d74faef4196f66
8379 * src/hwf-x86.c (detect_x86_gnuc): Use union for vendor_id.
8380
8381 cipher: add explicit blocksize checks to allow better optimization.
8382 + commit efa9042f82ffed3d076b8e26ac62d29e00bb756a
8383 * cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
8384 (_gcry_cipher_cbc_decrypt): Add explicit check for cipher blocksize of
8385 64-bit or 128-bit.
8386 * cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
8387 (_gcry_cipher_cfb_decrypt): Ditto.
8388 * cipher/cipher-cmac.c (cmac_write, cmac_generate_subkeys)
8389 (cmac_final): Ditto.
8390 * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
8391 * cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt): Ditto.
8392
8393 bufhelp: use unaligned dword and qword types for endianness helpers.
8394 + commit e7b941c3de9c9b6319298c02f844cc0cadbf8562
8395 * cipher/bufhelp.h (BUFHELP_UNALIGNED_ACCESS): New, defined
8396 if attributes 'packed', 'aligned' and 'may_alias' are supported.
8397 (BUFHELP_FAST_UNALIGNED_ACCESS): Define if BUFHELP_UNALIGNED_ACCESS
8398 is defined.
8399
8400 rijndael-aesni: fix u128_t strict-aliasing rule breaking.
8401 + commit 92b4a29d2453712192ced2d7226abc49679dcb1e
8402 * cipher/rijndael-aesni.c (u128_t): Add attributes to tell GCC and clang
8403 that casting from 'char *' to 'u128_t *' is ok.
8404
8405 cipher-xts: fix pointer casting to wrong alignment and aliasing.
8406 + commit 4f31d816dcc1e95dc647651e92acbdfed53f5c14
8407 * cipher/cipher-xts.c (xts_gfmul_byA, xts_inc128): Use buf_get_le64
8408 and buf_put_le64 for accessing data; Change parameter pointers to
8409 'unsigned char *' type.
8410 (_gcry_cipher_xts_crypt): Do not cast buffer pointers to 'u64 *'
8411 for helper functions.
8412
8413 crc-intel-pclmul: fix undefined behavior with unaligned access.
8414 + commit 55cf1b5588705cab5f45e2817c4aa1d204dc0042
8415 * cipher/crc-intel-pclmul.c (u16_unaligned_s): New.
8416 (crc32_reflected_less_than_16, crc32_less_than_16): Use
8417 'u16_unaligned_s' for unaligned memory access.
8418
8419 configure.ac: fix attribute checks.
8420 + commit b29b1b9f576f501d4b993be0a751567045274a1a
8421 * configure.ac: Add -Werror flag for attribute checks.
8422
8423 configure.ac: fix may_alias attribute check.
8424 + commit 136c8416ea540dd126be3997d94d7063b3aaf577
8425 * configure.ac: Test may_alias attribute on type, not on variable.
8426
8427 bufhelp: add 'may_alias' attribute for properly aligned 'bufhelp_int_t'
8428 + commit d1ae52a0e23308f33b78cffeba56005b687f23c0
8429 * cipher/bufhelp.h [!BUFHELP_FAST_UNALIGNED_ACCESS]
8430 (bufhelp_int_t): Add 'may_alias' attribute.
8431
8432 2017-01-27 Werner Koch <wk@gnupg.org>
8433
8434 w32: New envvar GCRYPT_RNDW32_DBG.
8435 + commit a351fbde8548ce3f57298c618426f043844fbc78
8436 * random/rndw32.c (_gcry_rndw32_gather_random): Use getenv to set
8437 DEBUG_ME.
8438
8439 2017-01-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8440
8441 rijndael-ssse3-amd64: fix building on x32.
8442 + commit 39b9302da5d08bd52688d20befe626fee0b6c41d
8443 * cipher/rijndael-ssse3-amd64.c: Use 64-bit call instructions
8444 with 64-bit registers.
8445
8446 bufhelp: use 'may_alias' attribute for unaligned pointer types.
8447 + commit bf9e0b79e620ca2324224893b07522462b125412
8448 * configure.ac (gcry_cv_gcc_attribute_may_alias)
8449 (HAVE_GCC_ATTRIBUTE_MAY_ALIAS): New check for 'may_alias' attribute.
8450 * cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only if
8451 HAVE_GCC_ATTRIBUTE_MAY_ALIAS is defined.
8452 [BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_int_t, bufhelp_u32_t)
8453 (bufhelp_u64_t): Add 'may_alias' attribute.
8454 * src/g10lib.h (fast_wipememory_t): Add HAVE_GCC_ATTRIBUTE_MAY_ALIAS
8455 defined check; Add 'may_alias' attribute.
8456
8457 2017-01-18 Werner Koch <wk@gnupg.org>
8458
8459 random: Call getrandom before select and emitting a progress callback.
8460 + commit 623aab8a940ea61afe3fef650ad485a755ed9fe7
8461 * random/rndlinux.c (_gcry_rndlinux_gather_random): Move the getrandom
8462 call before the select.
8463
8464 2017-01-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8465
8466 mpi: amd64: fix too large jump alignment in mpih-rshift.
8467 + commit ddcfe31e2425e88b280e7cdaf3f0eaaad8ccc023
8468 * mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Use 16-byte alignment
8469 with 'ALIGN(4)' instead of 256-byte.
8470
8471 rijndael-ssse3: move assembly functions to separate source-file.
8472 + commit 54c57bc49edb5c00e9ed8103cc4837bb72c5e863
8473 * cipher/Makefile.am: Add 'rijndael-ssse3-amd64-asm.S'.
8474 * cipher/rijndael-ssse3-amd64-asm.S: Moved assembly functions
8475 here ...
8476 * cipher/rijndael-ssse3-amd64.c: ... from this file.
8477 (_gcry_aes_ssse3_enc_preload, _gcry_aes_ssse3_dec_preload)
8478 (_gcry_aes_ssse3_shedule_core, _gcry_aes_ssse3_encrypt_core)
8479 (_gcry_aes_ssse3_decrypt_core): New.
8480 (vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
8481 (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
8482 (do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Update to use external
8483 assembly functions; remove 'aes_const_ptr' variable usage.
8484 (_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_decrypt)
8485 (_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
8486 (_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
8487 (_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec)
8488 (_gcry_aes_ssse3_ocb_auth): Remove 'aes_const_ptr' variable usage.
8489 * configure.ac: Add 'rijndael-ssse3-amd64-asm.lo'.
8490
8491 Add AVX2/vpgather bulk implementation of Twofish.
8492 + commit c59a8ce51ceb9a80169c44ef86a67e95cf8528c3
8493 * cipher/Makefile.am: Add 'twofish-avx2-amd64.S'.
8494 * cipher/twofish-avx2-amd64.S: New.
8495 * cipher/twofish.c (USE_AVX2): New.
8496 (TWOFISH_context) [USE_AVX2]: Add 'use_avx2' member.
8497 (ASM_FUNC_ABI): New.
8498 (twofish_setkey): Add check for AVX2 and fast VPGATHER HW features.
8499 (_gcry_twofish_avx2_ctr_enc, _gcry_twofish_avx2_cbc_dec)
8500 (_gcry_twofish_avx2_cfb_dec, _gcry_twofish_avx2_ocb_enc)
8501 (_gcry_twofish_avx2_ocb_dec, _gcry_twofish_avx2_ocb_auth): New.
8502 (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec, _gcry_twofish_cfb_dec)
8503 (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Add AVX2 bulk
8504 handling.
8505 (selftest_ctr, selftest_cbc, selftest_cfb): Increase nblocks from
8506 3+X to 16+X.
8507 * configure.ac: Add 'twofish-avx2-amd64.lo'.
8508 * src/g10lib.h (HWF_INTEL_FAST_VPGATHER): New.
8509 * src/hwf-x86.c (detect_x86_gnuc): Add detection for
8510 HWF_INTEL_FAST_VPGATHER.
8511 * src/hwfeatures.c (HWF_INTEL_FAST_VPGATHER): Add
8512 "intel-fast-vpgather" for HWF_INTEL_FAST_VPGATHER.
8513
8514 Add XTS cipher mode.
8515 + commit 232a129b1f915fc54881506e4b07c89cf84932e6
8516 * cipher/Makefile.am: Add 'cipher-xts.c'.
8517 * cipher/cipher-internal.h (gcry_cipher_handle): Add 'bulk.xts_crypt'
8518 and 'u_mode.xts' members.
8519 (_gcry_cipher_xts_crypt): New prototype.
8520 * cipher/cipher-xts.c: New.
8521 * cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
8522 (cipher_reset, cipher_encrypt, cipher_decrypt): Add XTS mode handling.
8523 * doc/gcrypt.texi: Add XTS mode to documentation.
8524 * src/gcrypt.h.in (GCRY_CIPHER_MODE_XTS, GCRY_XTS_BLOCK_LEN): New.
8525 * tests/basic.c (do_check_xts_cipher, check_xts_cipher): New.
8526 (check_bulk_cipher_modes): Add XTS test-vectors.
8527 (check_one_cipher_core, check_one_cipher, check_ciphers): Add XTS
8528 testing support.
8529 (check_cipher_modes): Add XTS test.
8530 * tests/bench-slope.c (bench_xts_encrypt_init)
8531 (bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench)
8532 (xts_encrypt_ops, xts_decrypt_ops): New.
8533 (cipher_modes, cipher_bench_one): Add XTS.
8534 * tests/benchmark.c (cipher_bench): Add XTS testing.
8535
8536 2017-01-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8537
8538 rijndael-ssse3: fix counter operand from read-only to read/write.
8539 + commit aada604594fd42224d366d3cb98f67fd3b989cd6
8540 * cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_ctr_enc): Change
8541 'ctrlow' operand from read-only to read-write.
8542
8543 2017-01-03 Werner Koch <wk@gnupg.org>
8544
8545 Extend GCRYCTL_PRINT_CONFIG to print compiler version.
8546 + commit 98b49695b1ffe3c406ae39a45051b8594f903b9d
8547 * src/global.c (print_config): Print version of libgpg-error and used
8548 compiler.
8549
8550 tests: Add option --disable-hwf to the version utility.
8551 + commit 3582641469f1c74078f0d758c4d5458cc0ee5649
8552 * src/hwfeatures.c (_gcry_disable_hw_feature): Rewrite to allow
8553 passing a colon delimited feature set.
8554 (parse_hwf_deny_file): Remove unused var I.
8555 * tests/version.c (main): Add options --verbose and --disable-hwf.
8556
8557 2016-12-15 Werner Koch <wk@gnupg.org>
8558 Nicolas Porcel <nicolasporcel06@gmail.com>
8559
8560 Fix regression in broken mlock detection.
8561 + commit 0a90f87799903a3fb97189ef7cba19e7b3534e1c
8562 * acinclude.m4 (GNUPG_CHECK_MLOCK): Fix typo EGAIN->EAGAIN.
8563
8564 2016-12-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8565
8566 hwfeatures: add 'all' for disabling all hardware features.
8567 + commit c83d0d2a26059cf471d09f5cb8e7fc5d76c4907b
8568 * .gitignore: Add 'tests/basic-disable-all-hwf'.
8569 * configure.ac: Ditto.
8570 * tests/Makefile.am: Ditto.
8571 * src/hwfeatures.c (_gcry_disable_hw_feature): Match 'all' for
8572 masking all HW features off.
8573 (parse_hwf_deny_file): Use '_gcry_disable_hw_feature' for matching.
8574 * tests/basic-disable-all-hwf.in: New.
8575
8576 tests/hashtest-256g: add missing executable extension for Win32.
8577 + commit 2b7b227b8a0bd5ff286258bc187782efac180a7e
8578 * tests/hashtest-256g.in: Add @EXEEXT@.
8579
8580 OCB ARM CE: Move ocb_get_l handling to assembly part.
8581 + commit 5c418e597f0f20a546d953161695e6caf1f57689
8582 * cipher/rijndael-armv8-aarch32-ce.S: Add OCB 'L_{ntz(i)}' calculation.
8583 * cipher/rijndael-armv8-aarch64-ce.S: Ditto.
8584 * cipher/rijndael-armv8-ce.c (_gcry_aes_ocb_enc_armv8_ce)
8585 (_gcry_aes_ocb_dec_armv8_ce, _gcry_aes_ocb_auth_armv8_ce)
8586 (ocb_cryt_fn_t): Updated arguments.
8587 (_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_ocb_auth): Remove
8588 'ocb_get_l' handling and splitting input to 32 block chunks, instead
8589 pass full buffers to assembly.
8590
8591 OCB: Move large L handling from bottom to upper level.
8592 + commit 2d2e5286d53e1f62fe040dff4c6e01961f00afe2
8593 * cipher/cipher-ocb.c (_gcry_cipher_ocb_get_l): Remove.
8594 (ocb_get_L_big): New.
8595 (_gcry_cipher_ocb_authenticate): L-big handling done in upper
8596 processing loop, so that lower level never sees the case where
8597 'aad_nblocks % 65536 == 0'; Add missing stack burn.
8598 (ocb_aad_finalize): Add missing stack burn.
8599 (ocb_crypt): L-big handling done in upper processing loop, so that
8600 lower level never sees the case where 'data_nblocks % 65536 == 0'.
8601 * cipher/cipher-internal.h (_gcry_cipher_ocb_get_l): Remove.
8602 (ocb_get_l): Remove 'l_tmp' usage and simplify since input
8603 is more limited now, 'N is not multiple of 65536'.
8604 * cipher/rijndael-aesni.c (get_l): Remove.
8605 (aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Remove
8606 l_tmp; Use 'ocb_get_l'.
8607 * cipher/rijndael-ssse3-amd64.c (get_l): Remove.
8608 (ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_auth): Remove
8609 l_tmp; Use 'ocb_get_l'.
8610 * cipher/camellia-glue.c: Remove OCB l_tmp usage.
8611 * cipher/rijndael-armv8-ce.c: Ditto.
8612 * cipher/rijndael.c: Ditto.
8613 * cipher/serpent.c: Ditto.
8614 * cipher/twofish.c: Ditto.
8615
8616 OCB: remove 'int64_t' usage.
8617 + commit 161d339f48c03be7fd0f4249d730f7f1767ef8e4
8618 * cipher/cipher-ocb.c (double_block): Use alternative way to generate
8619 sign-bit mask, without 'int64_t'.
8620
8621 random-drbg: use bufhelp function for big-endian store.
8622 + commit 0b03b658bebc69a84d87ef13f9b60a27b0c42305
8623 * random/random-drbg.c (drbg_cpu_to_be32): Remove.
8624 (drbg_ctr_df, drbg_hash_df): Use 'buf_put_be32' instead of
8625 'drbg_cpu_to_be32'.
8626
8627 2016-12-09 Werner Koch <wk@gnupg.org>
8628
8629 Improve handling of mlock error codes.
8630 + commit 618b8978f46f4011c11512fd5f30c15e01652e2e
8631 * acinclude.m4 (GNUPG_CHECK_MLOCK): Check also for EAGAIN which is a
8632 legitimate return code and does not indicate a broken mlock().
8633 * src/secmem.c (lock_pool_pages): Test ERR instead of ERRNO which
8634 could have been overwritten by cap_from_text et al.
8635
8636 2016-12-08 Stephan Mueller <smueller@chronox.de>
8637
8638 random: Eliminate unneeded memcpy invocations in the DRBG.
8639 + commit 656395ba4cf34f42dda3a120bda3ed1220755a3d
8640 * random/random-drbg.c (drbg_hash): Remove arg 'outval' and return a
8641 pointer instead.
8642 (drbg_instantiate): Reduce size of scratchpad.
8643 (drbg_hmac_update): Avoid use of scratch buffers for the hash.
8644 (drbg_hmac_generate, drbg_hash_df): Ditto.
8645 (drbg_hash_process_addtl): Ditto.
8646 (drbg_hash_hashgen): Ditto.
8647 (drbg_hash_generate): Ditto.
8648
8649 random: Add performance improvements for the DRBG.
8650 + commit 20886fdcb841b0bf89bb1d44303d42f1804e38cb
8651 * random/random-drbg.c (struct drbg_state_ops_s): New function
8652 pointers 'crypto_init' and 'crypto_fini'.
8653 (struct drbg_state_s): New fields 'priv_data', 'ctr_handle', and
8654 'ctr_null'.
8655 (drbg_hash_init, drbg_hash_fini): New.
8656 (drbg_hmac_init, drbg_hmac_setkey): New.
8657 (drbg_sym_fini, drbg_sym_init, drbg_sym_setkey): New.
8658 (drbg_sym_ctr): New.
8659 (drbg_ctr_bcc): Set the key.
8660 (drbg_ctr_df): Ditto.
8661 (drbg_hmac_update): Ditto.
8662 (drbg_hmac_generate): Replace drgb_hmac by drbg_hash.
8663 (drbg_hash_df): Ditto.
8664 (drbg_hash_process_addtl): Ditto.
8665 (drbg_hash_hashgen): Ditto.
8666 (drbg_ctr_update): Rework.
8667 (drbg_ctr_generate): Rework.
8668 (drbg_ctr_ops): Init new function pointers.
8669 (drbg_uninstantiate): Call fini function.
8670 (drbg_instantiate): Call init function.
8671
8672 cipher: New function for reading the counter in CTR mode.
8673 + commit 227099f179df9dcf083d0ef6be9883c775df0874
8674 * cipher/cipher.c (gcry_cipher_getctr): New.
8675
8676 2016-12-07 Werner Koch <wk@gnupg.org>
8677
8678 Document the overflow pools and add a stupid test case.
8679 + commit 95bac312644ad45e486c94c2efd25d0748b9a20b
8680 * tests/t-secmem.c (test_secmem_overflow): New func.
8681 (main): Disable warning and call new function.
8682
8683 Implement overflow secmem pools for xmalloc style allocators.
8684 + commit b6870cf25c0b1eb9c127a94af8326c446421a472
8685 * src/secmem.c (pooldesc_s): Add fields next, cur_alloced, and
8686 cur_blocks.
8687 (cur_alloced, cur_blocks): Remove vars.
8688 (ptr_into_pool_p): Make it inline.
8689 (stats_update): Add arg pool and update the new pool specific
8690 counters.
8691 (_gcry_secmem_malloc_internal): Add arg xhint and allocate overflow
8692 pools as needed.
8693 (_gcry_secmem_malloc): Pass XHINTS along.
8694 (_gcry_secmem_realloc_internal): Ditto.
8695 (_gcry_secmem_realloc): Ditto.
8696 (_gcry_secmem_free_internal): Take multiple pools into account. Add
8697 return value to indicate whether the arg was freed.
8698 (_gcry_secmem_free): Add return value to indicate whether the arg was
8699 freed.
8700 (_gcry_private_is_secure): Take multiple pools into account.
8701 (_gcry_secmem_term): Release all pools.
8702 (_gcry_secmem_dump_stats): Print stats for all pools.
8703 * src/stdmem.c (_gcry_private_free): Replace _gcry_private_is_secure
8704 test with a direct call of _gcry_secmem_free to avoid double checking.
8705
8706 Give the secmem allocators a hint when a xmalloc calls them.
8707 + commit b7df907dca4d525f8930c533b763ffce44ceed87
8708 * src/secmem.c (_gcry_secmem_malloc): New not yet used arg XHINT.
8709 (_gcry_secmem_realloc): Ditto.
8710 * src/stdmem.c (_gcry_private_malloc_secure): New arg XHINT to be
8711 passed to the secmem functions.
8712 (_gcry_private_realloc): Ditto.
8713 * src/g10lib.h (GCRY_ALLOC_FLAG_XHINT): New.
8714 * src/global.c (do_malloc): Pass this flag as XHINT to the private
8715 allocator.
8716 (_gcry_malloc_secure): Factor code out to ...
8717 (_gcry_malloc_secure_core): this. Add arg XHINT.
8718 (_gcry_realloc): Factor code out to ...
8719 (_gcry_realloc_core): here. Add arg XHINT.
8720 (_gcry_strdup): Factor code out to ...
8721 (_gcry_strdup_core): here. Add arg XHINT.
8722 (_gcry_xrealloc): Use the core function and pass true for XHINT.
8723 (_gcry_xmalloc_secure): Ditto.
8724 (_gcry_xstrdup): Ditto.
8725
8726 tests: New test t-secmem.
8727 + commit e366c19b34922c770af82cd035fd815680b29dee
8728 * src/secmem.c (_gcry_secmem_dump_stats): Add arg EXTENDED and adjust
8729 caller.
8730 * src/gcrypt-testapi.h (PRIV_CTL_DUMP_SECMEM_STATS): New.
8731 * src/global.c (_gcry_vcontrol): Implement that.
8732 * tests/t-secmem.c: New.
8733 * tests/Makefile.am (tests_bin): Add that test.
8734
8735 2016-12-06 Werner Koch <wk@gnupg.org>
8736
8737 Fix compiler warning about possible NULL-dereference.
8738 + commit 995ce697308320c6a52a307f83dc49eeb8d784b4
8739 * src/mpi.h (mpi_is_const, mpi_is_immutable): Do check arg before
8740 deref-ing. They are only used at places where the arg shall not be NULL.
8741
8742 Fix possible NULL-deref in gcry_log_debugsxp.
8743 + commit 984a97f0750f812f0ad3c343ee6a67560953a504
8744 * src/misc.c (_gcry_log_printsxp): Prevent passing NULL to strlen.
8745
8746 Reorganize code in secmem.c.
8747 + commit 603f479a919311f720a05da738150c2192d5e562
8748 * src/secmem.c (pooldesc_t): New type to collect information about one
8749 pool.
8750 (pool_size): Remove. Now a member of pooldesc_t.
8751 (pool_okay): Ditto.
8752 (pool_is_mmapped): Ditto.
8753 (pool): Rename variable ...
8754 (mainpool): And change type to pooldesc_t.
8755 (ptr_into_pool_p): Add arg 'pool'.
8756 (mb_get_next): Ditto.
8757 (mb_get_prev): Ditto.
8758 (mb_merge): Ditto.
8759 (mb_get_new): Ditto.
8760 (init_pool): Ditto.
8761 (lock_pool): Rename to ...
8762 (lock_pool_pages): this.
8763 (secmem_init): Rename to ...
8764 (_gcry_secmem_init_internal): this. Add local var POOL and init with
8765 address of MAINPOOL.
8766 (_gcry_secmem_malloc_internal): Add local var POOL and init with
8767 address of MAINPOOL.
8768 (_gcry_private_is_secure): Ditto.
8769 (_gcry_secmem_term): Ditto.
8770 (_gcry_secmem_dump_stats): Ditto.
8771 (_gcry_secmem_free_internal): Ditto. Remove check for NULL arg.
8772 (_gcry_secmem_free): Add check for NULL arg before taking the lock.
8773 (_gcry_secmem_realloc): Factor most code out to ...
8774 (_gcry_secmem_realloc_internal): this.
8775
8776 2016-11-28 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
8777
8778 tests: Add PBKDF2 tests for Stribog512.
8779 + commit a0580d446fef648a177ca4ab060d0e449780db84
8780 * tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's
8781 additions to PKCS#5.
8782
8783 tests: Add Stribog HMAC tests from TC26ALG.
8784 + commit fe6077e6ee8565bfcc91bad14a73e68f45b3c32b
8785 * tests/basic.c (check_mac): add HMAC test vectors from TC26ALG document
8786 for Stribog.
8787
8788 cipher: Add Stribog OIDs from TC26 space.
8789 + commit ccffacaf6c3abe6120a0898db922981d28ab7af2
8790 * cipher/stribog.c (oid_spec_stribog256, oid_spec_stribog512): New.
8791
8792 2016-11-25 Justus Winter <justus@g10code.com>
8793
8794 tests: Fix memory leak.
8795 + commit 5530a8234d703ce9b685f78fb6e951136eb0aeb2
8796 * tests/basic.c (check_gost28147_cipher): Free cipher handles.
8797
8798 2016-11-25 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
8799
8800 Cast oid argument of gcry_cipher_set_sbox to disable compiler warning.
8801 + commit 1a67e3195896704f8b3ba09e3db1214bab834491
8802 * src/gcrypt.h.in (gcry_cipher_set_sbox): Cast oid to (void *).
8803
8804 gost: Rename tc26 s-box from A to Z.
8805 + commit dc8ceb8d2dfef949f3afa14fc75f9de8cd07c7ad
8806 * cipher/gost-s-box.c (gost_sboxes): Rename TC26_A to TC26_Z as it is
8807 the name that ended up in all standards.
8808
8809 tests: Add test to verify GOST 28147-89 against known results.
8810 + commit 4f5c26c73c66daf2e4aff966e43c22b2db7e0138
8811 * tests/basic.c (check_gost28147_cipher): new test function.
8812
8813 2016-11-17 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
8814
8815 cipher/gost28147: Fix CryptoPro-B S-BOX.
8816 + commit 5ca63c92825453fdb369a97bbc19cb95b49b4296
8817 * cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in
8818 incorrect encryption/decryption using that s-box. Add missing data.
8819
8820 2016-11-12 Werner Koch <wk@gnupg.org>
8821
8822 Put blocking calls into Libgpg-error's system call clamp.
8823 + commit b829dfe9f0eeff08c956ba3f3a6b559b9d2199dd
8824 * src/gcrypt.h.in (GCRYCTL_REINIT_SYSCALL_CLAMP): New.
8825 * configure.ac: Require Libgpg-error 1.25. Set version number to
8826 1.8.0.
8827 * src/gcrypt-int.h: Remove error code emulation.
8828 * src/global.c (pre_syscall_func, post_syscall_func): New.
8829 (global_init): Call gpgrt_get_syscall_clamp.
8830 (_gcry_vcontrol) <GCRYCTL_REINIT_SYSCALL_CLAMP>: Ditto.
8831 (_gcry_pre_syscall, _gcry_post_syscall): New.
8832 * random/rndlinux.c (_gcry_rndlinux_gather_random): Use the new
8833 functions.
8834
8835 2016-11-01 NIIBE Yutaka <gniibe@fsij.org>
8836
8837 cipher: Fix IDEA cipher for clearing memory.
8838 + commit bf6d5b10cb4173826f47ac080506b68bb001acb2
8839 * cipher/idea.c (invert_key): Use wipememory, since this kind of memset
8840 may be removed by compiler optimization.
8841
8842 2016-10-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8843
8844 GCM: Add bulk processing for ARMv8/AArch64 implementation.
8845 + commit bfd732f53a9b5dfe14217a68a0fa289bf6913ec0
8846 * cipher/cipher-gcm-armv8-aarch64-ce.S: Add 6 blocks bulk processing.
8847
8848 GCM: Add bulk processing for ARMv8/AArch32 implementation.
8849 + commit 27747921cb1dfced83c5666cd1c474764724c52b
8850 * cipher/cipher-gcm-armv8-aarch32-ce.S: Add 4 blocks bulk processing.
8851 * tests/basic.c (check_digests): Print correct data length for "?"
8852 tests.
8853 (check_one_mac): Add large 1000000 bytes tests, when input is "!" or
8854 "?".
8855 (check_mac): Add "?" tests vectors for HMAC, CMAC, GMAC and POLY1305.
8856
8857 2016-09-11 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8858
8859 Add Aarch64 assembly implementation of Twofish.
8860 + commit 5418d9ca4c0e087fd6872ad350a996fe74880d86
8861 * cipher/Makefile.am: Add 'twofish-aarch64.S'.
8862 * cipher/twofish-aarch64.S: New.
8863 * cipher/twofish.c: Enable USE_ARM_ASM if __AARCH64EL__ and
8864 HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
8865 * configure.ac [host=aarch64]: Add 'twofish-aarch64.lo'.
8866
8867 2016-09-05 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8868
8869 Add Aarch64 assembly implementation of Camellia.
8870 + commit de73a2e7237ba7c34ce48bb5fb671aa3993de832
8871 * cipher/Makefile.am: Add 'camellia-aarch64.S'.
8872 * cipher/camellia-aarch64.S: New.
8873 * cipher/camellia-glue.c [USE_ARM_ASM][__aarch64__]: Set stack burn
8874 size to zero.
8875 * cipher/camellia.h: Enable USE_ARM_ASM if __AARCH64EL__ and
8876 HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
8877 * configure.ac [host=aarch64]: Add 'rijndael-aarch64.lo'.
8878
8879 Add ARMv8/AArch64 Crypto Extension implementation of AES.
8880 + commit 4cd8d40d698564d24ece2af24546e34c58bf2961
8881 * cipher/Makefile.am: Add 'rijndael-armv-aarch64-ce.S'.
8882 * cipher/rijndael-armv8-aarch64-ce.S: New.
8883 * cipher/rijndael-internal.h (USE_ARM_CE): Enable for ARMv8/AArch64.
8884 * configure.ac: Add 'rijndael-armv-aarch64-ce.lo' and
8885 'rijndael-armv8-ce.lo' for ARMv8/AArch64.
8886
8887 Add ARMv8/AArch64 Crypto Extension implementation of GCM.
8888 + commit 0b332c1aef03a735c1fb0df184f74d523deb2f98
8889 * cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch64-ce.S'.
8890 * cipher/cipher-gcm-armv8-aarch64-ce.S: New.
8891 * cipher/cipher-internal.h (GCM_USE_ARM_PMULL): Enable on
8892 ARMv8/AArch64.
8893
8894 Add ARMv8/AArch64 Crypto Extension implementation of SHA-256.
8895 + commit 2d4bbc0ad62c54bbdef77799f9db82d344b7219e
8896 * cipher/Makefile.am: Add 'sha256-armv8-aarch64-ce.S'.
8897 * cipher/sha256-armv8-aarch64-ce.S: New.
8898 * cipher/sha256-armv8-aarch32-ce.S: Move round macros to correct
8899 section.
8900 * cipher/sha256.c (USE_ARM_CE): Enable on ARMv8/AArch64.
8901 * configure.ac: Add 'sha256-armv8-aarch64-ce.lo'; Swap places for
8902 'sha512-arm.lo' and 'sha256-armv8-aarch32-ce.lo'.
8903
8904 Add ARMv8/AArch64 Crypto Extension implementation of SHA-1.
8905 + commit e4eb03f56683317c908cb55be727832810dc8c72
8906 * cipher/Makefile.am: Add 'sha1-armv8-aarch64-ce.S'.
8907 * cipher/sha1-armv8-aarch64-ce.S: New.
8908 * cipher/sha1.c (USE_ARM_CE): Enable on ARMv8/AArch64.
8909 * configure.ac: Add 'sha1-armv8-aarch64-ce.lo'.
8910
8911 2016-09-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8912
8913 Add AArch64 assembly implementation of AES.
8914 + commit 595251ad37bf1968261d7e781752513f67525803
8915 * cipher/Makefile.am: Add 'rijndael-aarch64.S'.
8916 * cipher/rijndael-aarch64.S: New.
8917 * cipher/rijndael-internal.h: Enable USE_ARM_ASM if __AARCH64EL__ and
8918 HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
8919 * configure.ac (gcry_cv_gcc_aarch64_platform_as_ok): New check.
8920 [host=aarch64]: Add 'rijndael-aarch64.lo'.
8921
8922 2016-08-17 Werner Koch <wk@gnupg.org>
8923
8924 Release 1.7.3.
8925 + commit f8241874971478bdcd2bc2082d901d05db7b256d
8926 * configure.ac: Set LT version to C21/A1/R3.
8927
8928 random: Hash continuous areas in the csprng pool.
8929 + commit 8dd45ad957b54b939c288a68720137386c7f6501
8930 * random/random-csprng.c (mix_pool): Store the first hash at the end
8931 of the pool.
8932
8933 random: Improve the diagram showing the random mixing.
8934 + commit 2f62103b4bb6d6f9ce806e01afb7fdc58aa33513
8935 * random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20.
8936
8937 2016-07-19 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8938
8939 crc-intel-pclmul: split assembly block to ease register pressure.
8940 + commit f38199dbc290003898a1799adc367265267784c2
8941 * cipher/crc-intel-pclmul.c (crc32_less_than_16): Split inline
8942 assembly block handling 4 byte input into multiple blocks.
8943
8944 rijndael-aesni: split assembly block to ease register pressure.
8945 + commit a4d1595a2638db63ac4c73e722c8ba95fdd85ff7
8946 * cipher/rijndael-aesni.c (do_aesni_ctr_4): Use single register
8947 constraint for passing 'bige_addb' to assembly block; split
8948 first inline assembly block into two parts.
8949
8950 2016-07-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8951
8952 Add ARMv8/AArch32 Crypto Extension implementation of AES.
8953 + commit 05a4cecae0c02d2b4ee1cadd9c08115beae3a94a
8954 * cipher/Makefile.am: Add 'rijndael-armv8-ce.c' and
8955 'rijndael-armv-aarch32-ce.S'.
8956 * cipher/rijndael-armv8-aarch32-ce.S: New.
8957 * cipher/rijndael-armv8-ce.c: New.
8958 * cipher/rijndael-internal.h (USE_ARM_CE): New.
8959 (RIJNDAEL_context_s): Add 'use_arm_ce'.
8960 * cipher/rijndael.c [USE_ARM_CE] (_gcry_aes_armv8_ce_setkey)
8961 (_gcry_aes_armv8_ce_prepare_decryption)
8962 (_gcry_aes_armv8_ce_encrypt, _gcry_aes_armv8_ce_decrypt)
8963 (_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
8964 (_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
8965 (_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
8966 (_gcry_aes_armv8_ce_ocb_auth): New.
8967 (do_setkey) [USE_ARM_CE]: Add ARM CE/AES HW feature check and key
8968 setup for ARM CE.
8969 (prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
8970 (_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
8971 (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_ARM_CE]: Add
8972 ARM CE support.
8973 * configure.ac: Add 'rijndael-armv8-ce.lo' and
8974 'rijndael-armv8-aarch32-ce.lo'.
8975
8976 Add ARMv8/AArch32 Crypto Extension implementation of GCM.
8977 + commit 962b15470663db11e5c35b86768f1b5d8e600017
8978 * cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch32-ce.S'.
8979 * cipher/cipher-gcm-armv8-aarch32-ce.S: New.
8980 * cipher/cipher-gcm.c [GCM_USE_ARM_PMULL]
8981 (_gcry_ghash_setup_armv8_ce_pmull, _gcry_ghash_armv8_ce_pmull)
8982 (ghash_setup_armv8_ce_pmull, ghash_armv8_ce_pmull): New.
8983 (setupM) [GCM_USE_ARM_PMULL]: Enable ARM PMULL implementation if
8984 HWF_ARM_PULL HW feature flag is enabled.
8985 * cipher/cipher-gcm.h (GCM_USE_ARM_PMULL): New.
8986
8987 Add ARMv8/AArch32 Crypto Extension implementation of SHA-256.
8988 + commit 34c64eb03178fbfd34190148fec5a189df2b8f83
8989 * cipher/Makefile.am: Add 'sha256-armv8-aarch32-ce.S'.
8990 * cipher/sha256-armv8-aarch32-ce.S: New.
8991 * cipher/sha256.c (USE_ARM_CE): New.
8992 (sha256_init, sha224_init): Check features for HWF_ARM_SHA1.
8993 [USE_ARM_CE] (_gcry_sha256_transform_armv8_ce): New.
8994 (transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports it.
8995 (SHA256_CONTEXT): Add 'use_arm_ce'.
8996 * configure.ac: Add 'sha256-armv8-aarch32-ce.lo'.
8997
8998 Add ARMv8/AArch32 Crypto Extension implementation of SHA-1.
8999 + commit 3d6334f8d94c2a4df10eed203ae928298a4332ef
9000 * cipher/Makefile.am: Add 'sha1-armv8-aarch32-ce.S'.
9001 * cipher/sha1-armv7-neon.S (_gcry_sha1_transform_armv7_neon): Add
9002 missing size.
9003 * cipher/sha1-armv8-aarch32-ce.S: New.
9004 * cipher/sha1.c (USE_ARM_CE): New.
9005 (sha1_init): Check features for HWF_ARM_SHA1.
9006 [USE_ARM_CE] (_gcry_sha1_transform_armv8_ce): New.
9007 (transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports
9008 it.
9009 * cipher/sha1.h (SHA1_CONTEXT): Add 'use_arm_ce'.
9010 * configure.ac: Add 'sha1-armv8-aarch32-ce.lo'.
9011
9012 Add HW feature check for ARMv8 AArch64 and crypto extensions.
9013 + commit eee78f6e1fbce7d54c43fb7efc5aa8be9f52755f
9014 * configure.ac: Add '--disable-arm-crypto-support'; enable hwf-arm
9015 module on 64-bit ARM.
9016 (armcryptosupport, gcry_cv_gcc_inline_aarch32_crypto)
9017 (gcry_cv_inline_asm_aarch64_neon)
9018 (gcry_cv_gcc_inline_asm_aarch64_crypto): New.
9019 * src/g10lib.h (HWF_ARM_AES, HWF_ARM_SHA1, HWF_ARM_SHA2)
9020 (HWF_ARM_PMULL): New.
9021 * src/hwf-arm.c [__aarch64__]: Enable building in AArch64 mode.
9022 (feature_map_s): New.
9023 [__arm__] (AT_HWCAP, AT_HWCAP2, HWCAP2_AES, HWCAP2_PMULL)
9024 (HWCAP2_SHA1, HWCAP2_SHA2, arm_features): New.
9025 [__aarch64__] (AT_HWCAP, AT_HWCAP2, HWCAP_ASIMD, HWCAP_AES)
9026 (HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2, arm_features): New.
9027 (get_hwcap): Add reading of 'AT_HWCAP2'; Change auxv to use
9028 'unsigned long'.
9029 (detect_arm_at_hwcap): Add mapping of HWCAP/HWCAP2 to HWF flags.
9030 (detect_arm_proc_cpuinfo): Add mapping of CPU features to HWF flags.
9031 (_gcry_hwf_detect_arm): Use __ARM_NEON instead of legacy __ARM_NEON__.
9032 * src/hwfeatures.c (hwflist): Add 'arm-aes', 'arm-sha1', 'arm-sha2'
9033 and 'arm-pmull'.
9034
9035 2016-07-14 Werner Koch <wk@gnupg.org>
9036
9037 Release 1.7.2.
9038 + commit be0bec7d9208b2f2d2ffce9cc2ca6154853e7e59
9039 * configure.ac: Set LT version to C21/A1/R2.
9040 * Makefile.am (distcheck-hook): New.
9041
9042 2016-07-13 Werner Koch <wk@gnupg.org>
9043
9044 build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.
9045 + commit e535ea1bdc42309553007d60599d3147b8defe93
9046 * build-aux/config.guess: Update.
9047 * build-aux/config.sub: Update.
9048
9049 2016-07-08 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9050
9051 Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON.
9052 + commit 1111d311fd6452abd4080d1072c75ddb1b5a3dd1
9053 * cipher/chacha20-armv7-neon.S (UNALIGNED_STMIA8)
9054 (UNALIGNED_LDMIA4): New.
9055 (_gcry_chacha20_armv7_neon_blocks): Use new helper macros instead of
9056 ldm/stm instructions directly.
9057 * cipher/poly1305-armv7-neon.S (UNALIGNED_LDMIA2)
9058 (UNALIGNED_LDMIA4): New.
9059 (_gcry_poly1305_armv7_neon_init_ext, _gcry_poly1305_armv7_neon_blocks)
9060 (_gcry_poly1305_armv7_neon_finish_ext): Use new helper macros instead
9061 of ldm instruction directly.
9062
9063 2016-07-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9064
9065 bench-slope: add unaligned buffer mode.
9066 + commit 496790940753226f96b731a43d950bd268acd97a
9067 * tests/bench-slope.c (unaligned_mode): New.
9068 (do_slope_benchmark): Unalign buffer if unaligned mode is enabled.
9069 (print_help, main): Add '--unaligned' parameter.
9070
9071 2016-07-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9072
9073 Fix static build.
9074 + commit cb79630ec567a5f2e03e5f863cda168faa7b8cc8
9075 * tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'.
9076
9077 2016-06-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9078
9079 Disallow encryption/decryption if key is not set.
9080 + commit 07de9858032826f5a7b08c372f6bcc73bbb503eb
9081 * cipher/cipher.c (cipher_encrypt, cipher_decrypt): If mode is not
9082 NONE, make sure that key is set.
9083 * cipher/cipher-ccm.c (_gcry_cipher_ccm_set_nonce): Do not clear
9084 'marks.key' when resetting state.
9085
9086 Avoid unaligned accesses with ARM ldm/stm instructions.
9087 + commit a6158a01a4d81a5d862e1e0a60bfd6063443311d
9088 * cipher/rijndael-arm.S: Remove __ARM_FEATURE_UNALIGNED ifdefs, always
9089 compile with unaligned load/store code paths.
9090 * cipher/sha512-arm.S: Ditto.
9091
9092 Fix non-PIC reference in PIC for poly1305/ARMv7-NEON.
9093 + commit a09126242a51c4ea4564b0f70b808e4f27fe5a91
9094 * cipher/poly1305-armv7-neon.S (GET_DATA_POINTER): New.
9095 (_gcry_poly1305_armv7_neon_init_ext): Use GET_DATA_POINTER.
9096
9097 Fix wrong CPU feature #ifdef for SHA1/AVX.
9098 + commit 4a983e3bef58b9d056517e25e0ab10b72d12ceba
9099 * cipher/sha1-avx-amd64.S: Check for HAVE_GCC_INLINE_ASM_AVX instead of
9100 HAVE_GCC_INLINE_ASM_AVX2 & HAVE_GCC_INLINE_ASM_BMI2.
9101
9102 2016-06-30 Werner Koch <wk@gnupg.org>
9103
9104 random: Remove debug message about not supported getrandom syscall.
9105 + commit 6965515c73632a088fb126a4a55e95121671fa98
9106 * random/rndlinux.c (_gcry_rndlinux_gather_random): Remove log_debug
9107 for getrandom error ENOSYS.
9108
9109 2016-06-27 Werner Koch <wk@gnupg.org>
9110
9111 tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.
9112 + commit 4d634a098742ff425b324e9f2a67b9f62de09744
9113 * tests/benchmark.c (md_bench): Do not test variable lengths algos
9114 with the gcry_md_hash_buffer.
9115
9116 md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.
9117 + commit ae26edf4b60359bfa5fe3a27b2c24b336e7ec35c
9118 * cipher/md.c (md_read): Detect missing read function.
9119 (_gcry_md_hash_buffers): Return an error.
9120
9121 2016-06-25 Werner Koch <wk@gnupg.org>
9122
9123 ecc: Fix memory leak.
9124 + commit 7a7f7c147f888367dfee6093d26bfeaf750efc3a
9125 * cipher/ecc.c (ecc_check_secret_key): Do not init point if already
9126 set.
9127
9128 doc: Update yat2m.
9129 + commit 1feb01940062a74c27230434fc3babdddca8caf4
9130 * doc/yat2m.c: Update from Libgpg-error.
9131
9132 tests: Add attributes to helper functions.
9133 + commit c870cb5d385c1d6e1e28ca481cf9cf44b3bfeea9
9134 * tests/t-common.h (die, fail, info): Add attributes.
9135 * tests/random.c (die, inf): Ditto.
9136 * tests/pubkey.c (die, fail, info): Add attributes.
9137 * tests/fipsdrv.c (die): Add attribute.
9138 (main): Take care of missing --key,--iv,--dt options.
9139
9140 Improve robustness and help lint.
9141 + commit 5a5b055b81ee60a22a846bdf2031516b1c24df98
9142 * cipher/rsa.c (rsa_encrypt): Check for !DATA.
9143 * cipher/md.c (search_oid): Check early for !OID.
9144 (md_copy): Use gpg_err_code_from_syserror. Replace chains of if(!err)
9145 tests.
9146 * cipher/cipher.c (search_oid): Check early for !OID.
9147 * src/misc.c (do_printhex): Allow for BUFFER==NULL even with LENGTH>0.
9148 * mpi/mpicoder.c (onecompl): Allow for A==NULL to help static
9149 analyzers.
9150
9151 cipher: Improve fatal error message for bad use of gcry_md_read.
9152 + commit 3f98b1e92d5afd720d7cea5b4e8295c5018bf9ac
9153 * cipher/md.c (md_read): Use _gcry_fatal_error instead of BUG.
9154
9155 2016-06-16 Niibe Yutaka <gniibe@fsij.org>
9156
9157 ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
9158 + commit b0b70e7fe37b1bf13ec0bfc8effcb5c7f5db6b7d
9159 * cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
9160 (ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
9161 cofactor as 1, when not specified.
9162
9163 ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
9164 + commit 0f3a069211d8d24a61aa0dc2cc6c4ef04cc4fab7
9165 * cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
9166 (ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
9167 cofactor as 1, when not specified.
9168
9169 2016-06-15 Werner Koch <wk@gnupg.org>
9170
9171 Release 1.7.1.
9172 + commit 48aa6d6602564d6ba0cef10cf08f9fb0c59b3223
9173
9174
9175 doc: Describe envvars.
9176 + commit c3173bbe3f1a9c73f81a538dd49ccfa0447bfcdc
9177 * doc/gcrypt.texi: Add chapter Configuration.
9178
9179 random: Change names of debug envvars.
9180 + commit 131b4f0634cee0e5c47d2250c59f51127b10f7b3
9181 * random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to
9182 GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG.
9183 * random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to
9184 GCRYPT_RNDW32_NOPERF.
9185
9186 2016-06-14 Werner Koch <wk@gnupg.org>
9187
9188 cipher: Assign OIDs to the Serpent cipher.
9189 + commit e13a6a1ba53127af602713d0c2aaa85c94b3cd7e
9190 * cipher/serpent.c (serpent128_oids, serpent192_oids)
9191 (serpent256_oids): New. Add them to the specs below.
9192 (serpent128_aliases): Add "SERPENT-128".
9193 (serpent256_aliases, serpent192_aliases): New.
9194
9195 cipher: Assign OIDs to the Serpent cipher.
9196 + commit 6cc2100c00a65dff07b095dea7b32cb5c5cd96d4
9197 * cipher/serpent.c (serpent128_oids, serpent192_oids)
9198 (serpent256_oids): New. Add them to the specs below.
9199 (serpent128_aliases): Add "SERPENT-128".
9200 (serpent256_aliases, serpent192_aliases): New.
9201
9202 2016-06-08 Werner Koch <wk@gnupg.org>
9203
9204 rsa: Implement blinding also for signing.
9205 + commit 1f769e3e8442bae2f1f73c656920bb2df70153c0
9206 * cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
9207 (secret_blinded): new.
9208 (rsa_sign): Use blinding by default.
9209
9210 random: Remove debug output for getrandom(2) output.
9211 + commit 52cdfb1960808aaad48b5a501bbce0e3141c3961
9212 * random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
9213 output.
9214
9215 Fix gcc portability on Solaris 9 SPARC boxes.
9216 + commit b766ea14ad1c27d6160531b200cc70aaa479c6dc
9217 * mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
9218
9219 2016-06-08 Jérémie Courrèges-Anglas <jca@wxcvbn.org>
9220
9221 Check for compiler SSE4.1 support in PCLMUL CRC code.
9222 + commit dc76313308c184c92eb78452b503405b90fc7ebd
9223 * cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
9224 compiler supports PCLMUL *and* SSE4.1
9225 * cipher/crc.c: Ditto
9226 * configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.
9227
9228 2016-06-08 NIIBE Yutaka <gniibe@fsij.org>
9229
9230 ecc: Fix ecc_verify for cofactor support.
9231 + commit bd39eb9fba47dc8500c83769a679cc8b683d6c6e
9232 * cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".
9233
9234 2016-06-08 Werner Koch <wk@gnupg.org>
9235
9236 random: Try to use getrandom() instead of /dev/urandom (Linux only).
9237 + commit c05837211e5221d3f56146865e823bc20b4ff1ab
9238 * configure.ac: Check for syscall.
9239 * random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
9240 (_gcry_rndlinux_gather_random): Use getrandom if available.
9241
9242 2016-06-03 Werner Koch <wk@gnupg.org>
9243
9244 rsa: Implement blinding also for signing.
9245 + commit ef6e4d004b10f5740bcd2125fb70e199dd21e3e8
9246 * cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
9247 (secret_blinded): new.
9248 (rsa_sign): Use blinding by default.
9249
9250 random: Remove debug output for getrandom(2) output.
9251 + commit 82df6c63a72fdd969c3923523f10d0cef5713ac7
9252 * random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
9253 output.
9254
9255 2016-06-02 Werner Koch <wk@gnupg.org>
9256
9257 Fix gcc portability on Solaris 9 SPARC boxes.
9258 + commit 4121f15122501d8946f1589b303d1f7949c15e30
9259 * mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
9260
9261 2016-05-28 Jérémie Courrèges-Anglas <jca@wxcvbn.org>
9262
9263 Check for compiler SSE4.1 support in PCLMUL CRC code.
9264 + commit 3e8074ecd3a534e8bd7f11cf17f0b22d252584c8
9265 * cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
9266 compiler supports PCLMUL *and* SSE4.1
9267 * cipher/crc.c: Ditto
9268 * configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.
9269
9270 2016-05-06 NIIBE Yutaka <gniibe@fsij.org>
9271
9272 ecc: Fix ecc_verify for cofactor support.
9273 + commit c7430aa752232aa690c5d8f16575a345442ad8d7
9274 * cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".
9275
9276 2016-04-26 Werner Koch <wk@gnupg.org>
9277
9278 random: Try to use getrandom() instead of /dev/urandom (Linux only).
9279 + commit ee5a32226a7ca4ab067864e06623fc11a1768900
9280 * configure.ac: Check for syscall.
9281 * random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
9282 (_gcry_rndlinux_gather_random): Use getrandom if available.
9283
9284 2016-04-19 Werner Koch <wk@gnupg.org>
9285
9286 asm fix for older gcc versions.
9287 + commit caa9d14c914bf6116ec3f773a322a94e2be0c0fb
9288 * cipher/crc-intel-pclmul.c: Remove extra trailing colon from
9289 asm statements.
9290
9291 asm fix for older gcc versions.
9292 + commit 4545372c0f8dd35aef2a7abc12b588ed1a4a0363
9293 * cipher/crc-intel-pclmul.c: Remove extra trailing colon from
9294 asm statements.
9295
9296 2016-04-15 Werner Koch <wk@gnupg.org>
9297
9298 Release 1.7.0.
9299 + commit 795f9cb090c776658a0e3117996e3fb7e2ebd94a
9300
9301
9302 2016-04-14 Werner Koch <wk@gnupg.org>
9303
9304 tests: Add test vectors for 256 GiB test of SHA3-256.
9305 + commit 1737c546dc7268fa9edcd4a23b7439c56d37ee4f
9306 * tests/hashtest.c: Add new test vectors.
9307
9308 2016-04-14 Justus Winter <justus@g10code.com>
9309
9310 src: Improve S-expression parsing.
9311 + commit 491586bc7f7b9edc6b78331a77e653543983c9e4
9312 * src/sexp.c (do_vsexp_sscan): Return an error if a closing
9313 parenthesis is encountered with no matching opening parenthesis.
9314
9315 2016-04-14 Werner Koch <wk@gnupg.org>
9316
9317 cipher: Add constant for 8 bit CFB mode.
9318 + commit 47c6a1f88eb763e9baa394e34d873b761abcebbe
9319 * src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
9320 * tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.
9321
9322 tests: Add a new test for S-expressions.
9323 + commit 88c6b98350193abbdcfb227754979b0c097ee09c
9324 * tests/t-sexp.c (compare_to_canon): New.
9325 (back_and_forth_one): Add another test.
9326
9327 2016-04-13 NIIBE Yutaka <gniibe@fsij.org>
9328
9329 ecc: Fix corner cases for X25519.
9330 + commit 8472b71812e71c69d66e2fcc02a6e21b66755f8b
9331 * cipher/ecc.c (ecc_encrypt_raw): For invalid input, returns
9332 GPG_ERR_INV_DATA instead of aborting with log_fatal. For X25519,
9333 it's not an error, thus, let it return 0.
9334 (ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish
9335 X25519, not by the name of the curve.
9336 (ecc_decrypt_raw): For invalid input, returns GPG_ERR_INV_DATA instead
9337 of aborting with log_fatal. For X25519, it's not an error by its
9338 definition, but we deliberately let it return the error to detect
9339 looks-like-encrypted-message.
9340 * tests/t-cv25519.c: Add points to record the issue.
9341
9342 2016-04-12 Werner Koch <wk@gnupg.org>
9343
9344 cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
9345 + commit b6d2a25a275a35ec4dbd53ecaa9ea0ed7aa99c7b
9346 * cipher/cipher-internal.h (gcry_cipher_handle): Add fields
9347 aad_leftover and aad_nleftover to u_mode.ocb.
9348 * cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
9349 aad_nleftover.
9350 (_gcry_cipher_ocb_authenticate): Add buffering and factor some code out
9351 to ...
9352 (ocb_aad_finalize): new.
9353 (compute_tag_if_needed): Call new function.
9354 * tests/basic.c (check_ocb_cipher_splitaad): New.
9355 (check_ocb_cipher): Call new function.
9356 (main): Also call check_cipher_modes with --cipher-modes.
9357
9358 2016-04-12 NIIBE Yutaka <gniibe@fsij.org>
9359
9360 ecc: Fix X25519 computation on Curve25519.
9361 + commit ee7e1a0e835f8ffcfbcba2a44abab8632db8fed5
9362 * cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
9363 PUBKEY_FLAG_DJB_TWEAK is enabled.
9364 (ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
9365 * tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.
9366
9367 ecc: Fix initialization of EC context.
9368 + commit 7fbdb99b8c56360adfd1fb4e7f4c95e0f8aa34de
9369 * cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
9370 (ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialize
9371 by _gcry_mpi_ec_p_internal_new should carry FLAGS.
9372
9373 2016-04-06 Werner Koch <wk@gnupg.org>
9374
9375 Allow building with configure option --enable-hmac-binary-check.
9376 + commit 65c63144b66392f40b991684789b8b793248e3ba
9377 * src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
9378 * src/fips.c (check_binary_integrity): Allow use of hmac256 output.
9379 * src/hmac256.c (main): Add option --stdkey
9380
9381 2016-04-06 NIIBE Yutaka <gniibe@fsij.org>
9382
9383 ecc: Positive values in computation.
9384 + commit 6f386ceae86a058e26294f744750f1ed2a95e604
9385 * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
9386 coefficients A and B are positive.
9387 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
9388 "P - T" instead of "-T", so that the result will be positive.
9389 (_gcry_ecc_eddsa_verify): Likewise.
9390 * cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve
9391 instead of _gcry_ecc_update_curve_param.
9392 * mpi/ec.c (ec_subm): Make sure the result will be positive.
9393 (dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use
9394 mpi_sub instead of mpi_neg.
9395 (add_points_edwards): Simply use ec_addm.
9396 * tests/t-mpi-point.c (test_curve): Define curves with positive
9397 coefficients.
9398
9399 2016-04-01 Werner Koch <wk@gnupg.org>
9400
9401 mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
9402 + commit 862cf19a119427dd7ee7959a36c72d905f5ea5ca
9403 * mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
9404 (mpi_fromstr): Check against this limit.
9405 (_gcry_mpi_scan): Ditto.
9406 * tests/mpitests.c (test_maxsize): New.
9407 (main): Call that test.
9408
9409 2016-03-31 Werner Koch <wk@gnupg.org>
9410
9411 cipher: Remove specialized rmd160 functions.
9412 + commit fcce0cb6e8af70b134c6ecc3f56afa07a7d31f27
9413 * cipher/rmd160.c: Replace rmd.h by hash-common.h.
9414 (RMD160_CONTEXT): Move from rmd.h to here.
9415 (_gcry_rmd160_init): Remove.
9416 (_gcry_rmd160_mixblock): Remove.
9417 (_gcry_rmd160_hash_buffer): Use rmd160_init directly.
9418 * cipher/md.c: Remove rmd.h which was not actually used.
9419 * cipher/rmd.h: Remove.
9420 * cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h.
9421 * configure.ac (USE_RMD160): Allow to build without RMD160.
9422
9423 random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
9424 + commit a9cbe2d1f6a517a831517da8bc1d29e3e0b2c0c0
9425 * cipher/sha1.c (_gcry_sha1_mixblock_init): New.
9426 (_gcry_sha1_mixblock): New.
9427 * random/random-csprng.c: Include sha1.h instead of rmd.h.
9428 (mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.
9429
9430 cipher: Move sha1 context definition to a separate file.
9431 + commit 142a479a484cb4e84d0561be9b05b44dac9e6fe2
9432 * cipher/sha1.c: Replace hash-common.h by sha1.h.
9433 (SHA1_CONTEXT): Move to ...
9434 * cipher/sha1.h: new. Always include all flags.
9435 * cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h.
9436
9437 2016-03-29 Werner Koch <wk@gnupg.org>
9438
9439 tests: Fix buffer overflow in bench-slope.
9440 + commit 48ee918400762281bec5b6fc218a9f0d119aac7c
9441 * tests/bench-slope.c (bench_print_result_std): Remove wrong use of
9442 strncat.
9443
9444 2016-03-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9445
9446 cipher: GCM: check that length of supplied tag is one of valid lengths.
9447 + commit f2260e3a2e962ac80124ef938e54041bbea08561
9448 * cipher/cipher-gcm.c (is_tag_length_valid): New.
9449 (_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
9450 * tests/basic.c (_check_gcm_cipher): Add test-vectors with different
9451 valid tag lengths and negative test vectors with invalid lengths.
9452
9453 2016-03-24 Peter Wu <peter@lekensteyn.nl>
9454
9455 cipher: Fix memleaks in (self)tests.
9456 + commit 4a064e2a06fe737f344d1dfd8a45cc4c2abbe4c9
9457 * cipher/dsa.c: Release memory for MPI and sexp structures.
9458 * cipher/ecc.c: Release memory for sexp structure.
9459 * tests/keygen.c: Likewise.
9460
9461 Mark constant MPIs as non-leaked.
9462 + commit 470a30db241a2d567739ef2adb2a2ee64992d8b4
9463 * mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.
9464
9465 2016-03-23 Werner Koch <wk@gnupg.org>
9466
9467 Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
9468 + commit fea5971488e049f902d7912df22a945bc755ad6d
9469 * src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
9470 * cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.
9471
9472 * tests/basic.c (_check_gcm_cipher): Check that new feature.
9473 (_check_poly1305_cipher): Ditto.
9474 (check_ccm_cipher): Ditto.
9475 (do_check_ocb_cipher): Ditto.
9476 (check_ctr_cipher): Add negative test for new feature.
9477
9478 cipher: Avoid NULL-segv in GCM mode if a key has not been set.
9479 + commit e709d86fe596a4bcf235799468947c13ae657d78
9480 * cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
9481 has been initialized.
9482 (_gcry_cipher_gcm_decrypt): Ditto.
9483 (_gcry_cipher_gcm_authenticate): Ditto.
9484 (_gcry_cipher_gcm_initiv): Ditto.
9485 (_gcry_cipher_gcm_tag): Ditto.
9486
9487 cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
9488 + commit 7c9c82feecf94a455c66d9c38576f36c9c4b484c
9489 * cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
9490 provided tag length matches the actual tag length.
9491
9492 2016-03-23 Peter Wu <peter@lekensteyn.nl>
9493
9494 Fix buffer overrun in gettag for Poly1305.
9495 + commit 6821e1bd94969106a70e3de17b86f6e6181f4e59
9496 * cipher/cipher-poly1305.c: copy a fixed length instead of the
9497 user-supplied number.
9498
9499 2016-03-23 Werner Koch <wk@gnupg.org>
9500
9501 cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
9502 + commit 15785bc9fb1787554bf371945ecb191830c15bfd
9503 * cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
9504 tag length matches the actual tag length. Avoid gratuitous return
9505 statements.
9506
9507 2016-03-23 Peter Wu <peter@lekensteyn.nl>
9508
9509 Fix buffer overrun in gettag for GCM.
9510 + commit d3d7bdf8215275b3b20690dfde3f43dbe25b6f85
9511 * cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
9512 number.
9513
9514 2016-03-22 Werner Koch <wk@gnupg.org>
9515
9516 tests: Add options --fips to keygen for manual tests.
9517 + commit d328095dd4de83b839d9d8c4bdbeec0956971016
9518 (main): Add option --fips.
9519 * tests/keygen.c (check_rsa_keys): Create a 2048 bit key with e=65539
9520 because that is valid in FIPS mode. Check that key generation fails
9521 for too short keys in FIPS mode.
9522 (check_ecc_keys): Check that key generation fails for Ed25519 keys in
9523 FIPS mode.
9524
9525 2016-03-22 Tomáš Mráz <tmraz@redhat.com>
9526
9527 rsa: Add FIPS 186-4 compliant RSA probable prime key generator.
9528 + commit 5f9b3c2e220ca6d0eaff32324a973ef67933a844
9529 * cipher/primegen.c (_gcry_fips186_4_prime_check): New.
9530 * cipher/rsa.c (generate_fips): New.
9531 (rsa_generate): Use new function in fips mode or with test-parms.
9532
9533 * tests/keygen.c (check_rsa_keys): Add test using e=65539.
9534
9535 2016-03-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9536
9537 Fix ARM NEON support detection on ARMv6 target.
9538 + commit 583919d70763671ed9feeaa14e1f66379aff88cc
9539 * configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
9540 instead of '.thumb'.
9541
9542 2016-03-18 Werner Koch <wk@gnupg.org>
9543
9544 Always require a 64 bit integer type.
9545 + commit 897ccd21b7221982806b5c024518f4e989152f14
9546 * configure.ac (available_digests_64): Merge with available_digests.
9547 (available_kdfs_64): Merge with available_kdfs.
9548 <64 bit datatype test>: Bail out if no such type is available.
9549 * src/types.h: Emit #error if no u64 can be defined.
9550 (PROPERLY_ALIGNED_TYPE): Always add u64 type.
9551 * cipher/bithelp.h: Remove all code paths which handle the
9552 case of !HAVE_U64_TYPEDEF.
9553 * cipher/bufhelp.h: Ditto.
9554 * cipher/cipher-ccm.c: Ditto.
9555 * cipher/cipher-gcm.c: Ditto.
9556 * cipher/cipher-internal.h: Ditto.
9557 * cipher/cipher.c: Ditto.
9558 * cipher/hash-common.h: Ditto.
9559 * cipher/md.c: Ditto.
9560 * cipher/poly1305.c: Ditto.
9561 * cipher/scrypt.c: Ditto.
9562 * cipher/tiger.c: Ditto.
9563 * src/g10lib.h: Ditto.
9564 * tests/basic.c: Ditto.
9565 * tests/bench-slope.c: Ditto.
9566 * tests/benchmark.c: Ditto.
9567
9568 2016-03-18 Vitezslav Cizek <vcizek@suse.com>
9569
9570 tests: Fix testsuite after the FIPS adjustments.
9571 + commit 9ecc2690181ba0bb44f66451a7dce2fc19965793
9572 * tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
9573 * tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
9574 * tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
9575 (check_ecc_keys): Skip Ed25519 in FIPS mode.
9576 * tests/random.c (main): Don't switch DRBG in FIPS mode.
9577 * tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode.
9578 * tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS.
9579 * tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS.
9580 (main): Skip math tests that use P-192 and Ed25519 in FIPS.
9581
9582 tests: Add new --pss option to fipsdrv.
9583 + commit 1a02d741cacc3b57fe3d6ffebd794d53a60c9e97
9584 * tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length
9585 to 0 for PSS.
9586
9587 cipher: Add option to specify salt length for PSS verification.
9588 + commit 0bd8137e68c201b6c2290710e348aaf57efa2b2e
9589 * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for
9590 salt-length token.
9591
9592 tests: Add support for RSA keygen tests to fipsdrv.
9593 + commit 2e139456369a834cf87d983da4f61241fda76efe
9594 * tests/fipsdrv.c (run_rsa_keygen): New.
9595 (main): Support RSA keygen and RSA keygen KAT tests.
9596
9597 tests: Fixes for RSA testsuite in FIPS mode.
9598 + commit c690230af5a66b809f8f6fbab1a6262a5ba078cb
9599 * tests/basic.c (get_keys_new): Generate 2048 bit key.
9600 * tests/benchmark.c (rsa_bench): Skip keys of lengths different
9601 than 2048 and 3072 in FIPS mode.
9602 * tests/keygen.c (check_rsa_keys): Failure if short keys can be
9603 generated in FIPS mode.
9604 (check_dsa_keys): Ditto for DSA keys.
9605 * tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.
9606
9607 rsa: Use 2048 bit RSA keys for selftest.
9608 + commit 78cec8b4754fdf774edb2d575000cb3e972e244c
9609 * cipher/rsa.c (selftests_rsa): Use 2048 bit keys.
9610 (selftest_encr_1024): Replaced by selftest_encr_2048.
9611 (selftest_sign_1024): Replaced by selftest_sign_2048.
9612 (selftest_encr_2048): Add check against known ciphertext.
9613 (selftest_sign_2048): Add check against known signature.
9614 (selftest_sign_2048): Free SIG_MPI.
9615 * tests/pubkey.c (get_keys_new): Generate 2048 bit keys.
9616
9617 Disable non-allowed algorithms in FIPS mode.
9618 + commit ce1cbe16992a7340edcf8e6576973e3508267640
9619 * cipher/cipher.c (_gcry_cipher_init),
9620 * cipher/mac.c (_gcry_mac_init),
9621 * cipher/md.c (_gcry_md_init),
9622 * cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the
9623 non-allowed ciphers.
9624 * cipher/md5.c: Mark MD5 as not allowed in FIPS.
9625 * src/g10lib.h (_gcry_mac_init): New.
9626 * src/global.c (global_init): Call the new _gcry_mac_init.
9627 * tests/basic.c (check_ciphers): Fix a typo.
9628
9629 2016-03-18 Werner Koch <wk@gnupg.org>
9630
9631 kdf: Make PBKDF2 check work on all platforms.
9632 + commit c478cf175887c84dc071c4f73a7667603b354789
9633 * cipher/kdf.c (_gcry_kdf_pkdf2): Change DKLEN to unsigned long.
9634
9635 2016-03-18 Vitezslav Cizek <vcizek@suse.com>
9636
9637 kdf: Add upper bound for derived key length in PBKDF2.
9638 + commit 0f741b0704bac5c0e2d2a0c2b34b44b35baa76d6
9639 * cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.
9640
9641 ecc: ECDSA adjustments for FIPS 186-4.
9642 + commit a242e3d9185e6e2dc13902ea9331131755bbba01
9643 * cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
9644 * cipher/ecc.c: Add ECDSA self test.
9645 * cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
9646 in FIPS mode.
9647 * tests/fipsdrv.c: Add support for ECDSA signatures.
9648
9649 2016-03-18 Werner Koch <wk@gnupg.org>
9650
9651 dsa: Make regression tests work.
9652 + commit e40939b2141306238cc30a340b867b60fa4dc2a3
9653 * cipher/dsa.c (sample_secret_key_1024): Comment out unused constant.
9654 (generate_fips186): Make it work with use-fips186-2 flag.
9655 * cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs
9656 standard comment out format.
9657 * tests/fips186-dsa.c (check_dsa_gen_186_3): New dummy function.
9658 (main): Call it.
9659 (main): Compare against current version.
9660 * tests/pubkey.c (get_dsa_key_fips186_new): Create 2048 bit key.
9661 (get_dsa_key_fips186_with_seed_new): Ditto.
9662 (get_dsa_key_fips186_with_domain_new): Comment out.
9663 (check_run): Do not call that function.
9664
9665 2016-03-18 Vitezslav Cizek <vcizek@suse.com>
9666
9667 dsa: Adjustments to conform with FIPS 186-4.
9668 + commit 80e9f95e6f419daa765e4876c858e3e36e808897
9669 * cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments.
9670 * cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect
9671 buflen passed to _gcry_mpi_scan.
9672
9673 2016-03-16 Justus Winter <justus@g10code.com>
9674
9675 Update documentation for 'gcry_sexp_extract_param'.
9676 + commit 4051fe7fec6ffdc7a2f5c3856665478866991ee7
9677 * doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MPIs
9678 must be set to NULL first, and document how the function behaves in
9679 case of errors.
9680 * src/sexp.c (_gcry_sexp_extract_param): Likewise.
9681 * src/gcrypt.h.in (gcry_sexp_extract_param): Copy the comment from
9682 '_gcry_sexp_extract_param'.
9683
9684 cipher: Update comment.
9685 + commit fcf4358a7a7ba8d32bf385ea99ced5f47cbd3ae2
9686 * cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact
9687 that a curve parameter can be given.
9688
9689 2016-03-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9690
9691 Add Intel PCLMUL implementations of CRC algorithms.
9692 + commit 5d601dd57fcb41aa2015ab655fd6fc51537da667
9693 * cipher/Makefile.am: Add 'crc-intel-pclmul.c'.
9694 * cipher/crc-intel-pclmul.c: New.
9695 * cipher/crc.c (USE_INTEL_PCLMUL): New macro.
9696 (CRC_CONTEXT) [USE_INTEL_PCLMUL]: Add 'use_pclmul'.
9697 [USE_INTEL_PCLMUL] (_gcry_crc32_intel_pclmul)
9698 (gcry_crc24rfc2440_intel_pclmul): New.
9699 (crc32_init, crc32rfc1510_init, crc24rfc2440_init)
9700 [USE_INTEL_PCLMUL]: Select PCLMUL implementation if SSE4.1 and PCLMUL
9701 HW features detected.
9702 (crc32_write, crc24rfc2440_write) [USE_INTEL_PCLMUL]: Use PCLMUL
9703 implementation if enabled.
9704 (crc24_init): Document storage format of 24-bit CRC.
9705 (crc24_next4): Use only 'data' for last table look-up.
9706 * configure.ac: Add 'crc-intel-pclmul.lo'.
9707 * src/g10lib.h (HWF_*, HWF_INTEL_SSE4_1): Update HWF flags to include
9708 Intel SSE4.1.
9709 * src/hwf-x86.c (detect_x86_gnuc): Add SSE4.1 detection.
9710 * src/hwfeatures.c (hwflist): Add 'intel-sse4.1'.
9711 * tests/basic.c (fillbuf_count): New.
9712 (check_one_md): Add "?" check (million byte data-set with byte pattern
9713 0x00,0x01,0x02,...); Test all buffer sizes 1 to 1000, for "!" and "?"
9714 checks.
9715 (check_one_md_multi): Skip "?".
9716 (check_digests): Add "?" test-vectors for MD5, SHA1, SHA224, SHA256,
9717 SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, RIPEMD160,
9718 CRC32, CRC32_RFC1510, CRC24_RFC2440, TIGER1 and WHIRLPOOL; Add "!"
9719 test-vectors for CRC32_RFC1510 and CRC24_RFC2440.
9720
9721 2016-02-25 NIIBE Yutaka <gniibe@fsij.org>
9722
9723 mpi: Normalize EXPO for mpi_powm.
9724 + commit fdfa5bfefdde316688a3c8021bd3528c5273b0f4
9725 * mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP.
9726
9727 2016-02-22 Andreas Metzler <ametzler@bebt.de>
9728
9729 Do not ship generated header file in tarball.
9730 + commit 2b40a16333fa75f1cee85ab901a5aa9cff845a92
9731 * src/Makefile.am: Move gcrypt.h from include_HEADERS to
9732 nodist_include_HEADERS to prevent inclusion in release tarball.
9733 This could break out-of-tree-builds because the potentially outdated
9734 src/gcrypt.h was not updated but was in the compiler search path.
9735
9736 2016-02-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9737
9738 Fix building random-drbg for Win32/64.
9739 + commit 531b25aa94c58f6d2168a9537c8cea6c53d7bbe0
9740 * random/random-drbg.c: Remove include for sys/types.h and asm/types.h.
9741 (DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH)
9742 (DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384)
9743 (DRBG_HASHSHA512, DRBG_HMAC, DRBG_SYM128, DRBG_SYM192)
9744 (DRBG_SYM256): Change 'u_int32_t' to 'u32'.
9745 (drbg_get_entropy) [USE_RNDUNIX, USE_RNDW32]: Fix parameters
9746 'drbg_read_cb' and 'len'.
9747
9748 2016-02-20 Werner Koch <wk@gnupg.org>
9749
9750 tests: Do not test DRBG_REINIT from "make check"
9751 + commit 839d12c221430b60db5e0d6fbb107f22e0a6837f
9752 * tests/random.c (main): Run check_drbg_reinit only if the envvar
9753 GCRYPT_IN_REGRESSION_TEST is set.
9754
9755 doc: Fix possible dependency problem.
9756 + commit 3b57e5a1ba68e26dcaea38b763287fddba9b6b7c
9757 * doc/Makefile.am (gcrypt.texi): Use the right target.
9758
9759 2016-02-19 Stephan Mueller <smueller@chronox.de>
9760
9761 random: Remove ANSI X9.31 DRNG.
9762 + commit e9b692d25d1c149b5417b70e18f2ce173bc25b6d
9763 * random-fips.c: Remove.
9764
9765 2016-02-19 Werner Koch <wk@gnupg.org>
9766
9767 random: Add a test case for DRBG_REINIT.
9768 + commit 934ba2ae5a95a96fdbb3b935b51ba43df66f11df
9769 * src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
9770 * tests/random.c (check_drbg_reinit): New.
9771 (main): Call new test.
9772
9773 random: Allow DRBG_REINIT before initialization.
9774 + commit 7cdbd6e6a3cf1ee366b981e148d41b1187a6fdcf
9775 * random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
9776 (_drbg_init_internal): Set the default type if no type has been set
9777 before.
9778 (_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.
9779
9780 Add new private header gcrypt-testapi.h.
9781 + commit 744b030cff61fd25114b0b25394c62782c153343
9782 * src/gcrypt-testapi.h: New.
9783 * src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
9784 * random/random.h: Include gcrypt-testapi.h.
9785 (struct gcry_drbg_test_vector) : Move to gcrypt-testapi.h.
9786 * src/global.c: Include gcrypt-testapi.h.
9787 (_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61.
9788 * cipher/cipher.c: Include gcrypt-testapi.h.
9789 (_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62.
9790 * tests/fipsdrv.c: Include gcrypt-testapi.h. Remove definition of
9791 PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_
9792 constants.
9793 * tests/t-lock.c: Include gcrypt-testapi.h. Remove
9794 PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants.
9795
9796 * random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ...
9797 (_gcry_rngdrbg_cavs_test): this.
9798 (gcry_rngdrbg_healthcheck_one): Rename to ...
9799 (_gcry_rngdrbg_healthcheck_one): this.
9800
9801 random: Make the DRBG C-90 clean and use a flag string.
9802 + commit 95f1db3affb9f5b8a2c814c211d4a02b30446c15
9803 * random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
9804 "flagstr" and turn it into a string.
9805 * random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
9806 designated initializers. Use a string for the flags.
9807 (gcry_rngdrbg_cavs_test): Parse the flag string into a flag value.
9808 (drbg_healthcheck_sanity): Ditto.
9809
9810 random: Symbol name cleanup for random-drbg.c.
9811 + commit 85ed07790552297586258e8fe09b546eee357a8b
9812 * random/random-drbg.c: Rename all static objects and macros from
9813 "gcry_drbg" to "drbg".
9814 (drbg_string_t): New typedef.
9815 (drbg_gen_t): New typedef.
9816 (drbg_state_t): New typedef. Replace all "struct drbg_state_s *" by
9817 this.
9818 (_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so
9819 that an error is actually returned.
9820 (gcry_rngdrbg_cavs_test): Ditto.
9821 (gcry_drbg_healthcheck_sanity): Ditto.
9822
9823 random: Use our symbol name pattern also for drbg functions.
9824 + commit 7cf3c929331133e4381dbceac53d3addd921c929
9825 * random/random-drbg.c: Rename global functions from _gcry_drbg_*
9826 to _gcry_rngdrbg_*.
9827 * random/random.c: Adjust for this change.
9828 * src/global.c: Ditto.
9829
9830 random: Rename drbg.c to random-drbg.c.
9831 + commit e49b3f2c10e012509b5930c0df4d6df378d3b9f4
9832 * random/drbg.c: Rename to ...
9833 * random/random-drbg.c: this.
9834 * random/Makefile.am (librandom_la_SOURCES): Adjust accordingly.
9835
9836 random: Remove the new API introduced by the new DRBG.
9837 + commit dfac2b13d0068b2b1b420d77e9771a49964b81c1
9838 * src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c.
9839 (struct gcry_drbg_string): Ditto.
9840 (gcry_drbg_string_fill): Ditto.
9841 (gcry_randomize_drbg): Remove.
9842 * random/drbg.c (parse_flag_string): New.
9843 (_gcry_drbg_reinit): Change the way the arguments are passed.
9844 * src/global.c (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: Change calling
9845 convention.
9846
9847 Add helper function _gcry_strtokenize.
9848 + commit 4e134b6e77f558730ec1eceb6b816b0bcfd845e9
9849 * src/misc.c (_gcry_strtokenize): New.
9850
9851 2016-02-18 Werner Koch <wk@gnupg.org>
9852
9853 random: Remove DRBG constants from the public API.
9854 + commit fd13372fa9069d3a72947ea59c57e33637c936bf
9855 * src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ...
9856 * random/drbg.c: here.
9857
9858 2016-02-18 Stephan Mueller <smueller@chronox.de>
9859
9860 random: Add SP800-90A DRBG.
9861 + commit ed57fed6de1465e02ec5e3bc0affeabdd35e2eb7
9862 * random/drbg.c: New.
9863 * random/random.c (_gcry_random_initialize): Replace rngfips init by
9864 drbg init.
9865 (__gcry_random_close_fds): Likewise.
9866 (_gcry_random_dump_stats): Likewise.
9867 (_gcry_random_is_faked): Likewise.
9868 (do_randomize): Likewise.
9869 (_gcry_random_selftest): Likewise.
9870 (_gcry_create_nonce): Replace rngfips_create_nonce by drbg_randomize.
9871 (_gcry_random_init_external_test): Remove.
9872 (_gcry_random_run_external_test): Remove.
9873 (_gcry_random_deinit_external_test): Remove.
9874 * random/random.h (struct gcry_drbg_test_vector): New.
9875 * src/gcrypt.h.in (struct gcry_drbg_gen): New.
9876 (struct gcry_drbg_string): New.
9877 (gcry_drbg_string_fill): New.
9878 (gcry_randomize_drbg): New.
9879 (GCRY_DRBG_): Lots of new macros.
9880 * src/global.c (_gcry_vcontrol) <Init external random test>: Turn into
9881 a nop.
9882 (_gcry_vcontrol) <Deinit external random test>: Ditto.
9883 (_gcry_vcontrol) <Run external random test>: Change.
9884 (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: New.
9885
9886 2016-02-13 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9887
9888 bufhelp: disable unaligned memory accesses on powerpc.
9889 + commit 1da793d089b65ac8c1ead65dacb6b8699f5b6e69
9890 * cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for
9891 __powerpc__ and __powerpc64__.
9892
9893 2016-02-12 NIIBE Yutaka <gniibe@fsij.org>
9894
9895 ecc: Do not validate input point for Curve25519.
9896 + commit 7a019bc7ecdbdfdef51094e090ce95e062da9b64
9897 * cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception.
9898
9899 2016-02-10 NIIBE Yutaka <gniibe@fsij.org>
9900
9901 ecc: Fix memory leaks on error.
9902 + commit b12dd550fd6af687ef95c584d0d8366c34965cc8
9903 * cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory.
9904 * mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise.
9905
9906 2016-02-09 NIIBE Yutaka <gniibe@fsij.org>
9907
9908 ecc: input validation on ECDH.
9909 + commit 23b72901f8a5ba9a78485b235c7a917fbc8faae0
9910 * cipher/ecc.c (ecc_decrypt_raw): Validate the point.
9911
9912 2016-02-08 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9913
9914 Add ARM assembly implementation of SHA-512.
9915 + commit 8353884bc65c820d5bcacaf1ac23cdee72091a09
9916 * cipher/Makefile.am: Add 'sha512-arm.S'.
9917 * cipher/sha512-arm.S: New.
9918 * cipher/sha512.c (USE_ARM_ASM): New.
9919 (_gcry_sha512_transform_arm): New.
9920 (transform) [USE_ARM_ASM]: Use ARM assembly implementation instead of
9921 generic.
9922 * configure.ac: Add 'sha512-arm.lo'.
9923
9924 2016-02-03 NIIBE Yutaka <gniibe@fsij.org>
9925
9926 tests: Add a test for Curve25519.
9927 + commit b8b3361504950689ef1e779fb3357cecf8a9f739
9928 * tests/Makefile.am (tests_bin): Add t-cv25519.
9929 * tests/t-cv25519.c: New.
9930
9931 2016-02-02 NIIBE Yutaka <gniibe@fsij.org>
9932
9933 ecc: Fix Curve25519 for data by older implementation.
9934 + commit 6cb6df9dddac6ad246002b83c2ce0aaa0ecf30e5
9935 * cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for
9936 short length data.
9937
9938 ecc: more fix of Curve25519.
9939 + commit 48ba5a50066611ecacea850ced13f5cb66097a81
9940 * cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
9941 prefix. Clear the MSB, according to RFC7748.
9942
9943 ecc: Fix ECDH of Curve25519.
9944 + commit a2f9afcd7fcdafd5951498b07f34957f9766dce9
9945 * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
9946 and prefix detection.
9947 * cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
9948 (ecc_encrypt_raw): Use NBITS from curve instead of from P.
9949 Fix rawmpilen calculation.
9950 (ecc_decrypt_raw): Likewise. Add debug output.
9951
9952 2016-01-29 Jussi Kivilinna <jussi.kivilinna@iki.fi>
9953
9954 Improve performance of generic SHA256 implementation.
9955 + commit f3e51161036382429c3491c7c881f36c0a653c7b
9956 * cipher/sha256.c (R): Let caller do variable shuffling.
9957 (Cho, Maj, Sum0, Sum1): Convert from inline functions to macros.
9958 (W, I): New.
9959 (transform_blk): Unroll round loop; inline message expansion to rounds
9960 to make message expansion buffer smaller.
9961
9962 2016-01-28 Werner Koch <wk@gnupg.org>
9963
9964 ecc: New API function gcry_mpi_ec_decode_point.
9965 + commit 2cf2ca7bb9741ac86e8aa92d8f03b1c5f5938897
9966 * mpi/ec.c (_gcry_mpi_ec_decode_point): New.
9967 * cipher/ecc-common.h: Move two prototypes to ...
9968 * src/ec-context.h: here.
9969 * src/gcrypt.h.in (gcry_mpi_ec_decode_point): New.
9970 * src/libgcrypt.def (gcry_mpi_ec_decode_point): New.
9971 * src/libgcrypt.vers (gcry_mpi_ec_decode_point): New.
9972 * src/visibility.c (gcry_mpi_ec_decode_point): New.
9973 * src/visibility.h: Add new function.
9974
9975 2016-01-15 Werner Koch <wk@gnupg.org>
9976
9977 Fix build problem for rndegd.c.
9978 + commit 191c2e4fe2dc0e00f61aa44e011a9596887e6ce1
9979 * Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules.
9980 * random/rndegd.c (_gcry_rndegd_connect_socket)
9981 (my_make_filename): Use functions with '_' prefix.
9982
9983 random: Fix possible AIX problem with sysconf in rndunix.
9984 + commit 6303b0e83856ee89374b447e710f0ab2af61caec
9985 * random/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
9986 (start_gatherer): Detect misbehaving sysconf.
9987
9988 2015-12-27 Werner Koch <wk@gnupg.org>
9989
9990 random: Take at max 25% from RDRAND.
9991 + commit 5a78e7f15e0dd96a8bf64e2bb142880bf8ea6965
9992 * random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of
9993 RDRAND from 50% to 25%.
9994
9995 2015-12-07 Justus Winter <justus@g10code.com>
9996
9997 cipher: Improve error handling.
9998 + commit b9c02fbeb7efb7d0593b33485fb30c298291cf80
9999 * cipher/ecc.c (ecc_decrypt_raw): Improve error handling.
10000
10001 cipher: Initialize 'flags'.
10002 + commit ca06cd7f77acb317c2649c58918908f043dfe6bd
10003 * cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0.
10004
10005 2015-12-05 NIIBE Yutaka <gniibe@fsij.org>
10006
10007 ecc: CHANGE point representation of Curve25519.
10008 + commit dd3d06e7f113cf7608f060ceb043262efd0b0c9d
10009 * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with
10010 the prefix 0x40, additional 0x00 by MPI handling, and shorter octets
10011 by MPI normalization.
10012 * cipher/ecc.c (ecc_generate, ecc_encrypt_raw, ecc_decrypt_raw):
10013 Always add the prefix 0x40.
10014
10015 2015-12-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10016
10017 chacha20: fix alignment of self-test context.
10018 + commit 6fadbcd088e2af3e48407b95d8d0c2a8b7ad6c38
10019 * cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20
10020 context structure.
10021
10022 salsa20: fix alignment of self-test context.
10023 + commit 2cba0dbda462237f55438d4199eccd10c5e3f6ca
10024 * cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20
10025 context structure.
10026
10027 2015-12-02 Justus Winter <justus@g10code.com>
10028
10029 random: Drop fake entropy gathering function.
10030 + commit d421ac283ec46d0ecaf6278ba4c24843f65fb2fa
10031 * random/random-csprng.c (faked_rng): Drop variable.
10032 (gather_faked): Drop prototype and function.
10033 (initialize): Drop fallback code.
10034 (_gcry_rngcsprng_is_faked): Change accordingly.
10035
10036 random: Fix selection of entropy gathering function.
10037 + commit 468a5796ffb1a7776db4004d534376c1b981d740
10038 * random/random-csprng.c (getfnc_gather_random): Do return NULL if no
10039 usable entropy gathering function is found. The callsite then
10040 installs the fake gather function.
10041
10042 2015-11-26 NIIBE Yutaka <gniibe@fsij.org>
10043
10044 ecc: minor improvement of point multiplication.
10045 + commit 3658afd09c3b03b4398aaa5748387220c93b1a94
10046 * mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop.
10047
10048 2015-11-25 NIIBE Yutaka <gniibe@fsij.org>
10049
10050 ecc: Constant-time multiplication for Weierstrass curve.
10051 + commit 88e1358962e902ff1cbec8d53ba3eee46407851a
10052 * mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
10053 method for Weierstrass curve when SCALAR is secure.
10054
10055 mpi: fix gcry_mpi_swap_cond.
10056 + commit f88adee3e1f3e2de7d63f92f90bfb3078afd3b4f
10057 * mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.
10058
10059 mpi: Fix mpi_set_cond and mpi_swap_cond.
10060 + commit 8ad682c412047d3b9196950709dbd7bd14ac8732
10061 * mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
10062 the operator of !!, but assume SET/SWAP is 0 or 1.
10063
10064 ecc: multiplication of Edwards curve to be constant-time.
10065 + commit 295b1c3540752af4fc5e6f41480e6db215222fba
10066 * mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.
10067
10068 ecc: Add point_resize and point_swap_cond.
10069 + commit b6015176df6bfae107ac82f9baa29ef2c175c9f9
10070 * mpi/ec.c (point_resize, point_swap_cond): New.
10071 (_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.
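
The entries above (constant-time multiplication, mpi_set_cond/mpi_swap_cond taking a 0/1 flag rather than going through "!!", and point_swap_cond) all rest on one idiom: turn a 0/1 flag into an all-ones or all-zeros mask and let the mask, not a branch, decide what gets written. The following is an added example and not libgcrypt code. It builds the two masks, a limb-array conditional swap and conditional set in that style, and drives a Montgomery-ladder scalar multiplication through the swap. To stay self-contained the "group" is the additive group of integers mod m (an assumption; the real code operates on curve points), and 64-bit limbs are assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t limb_t;   /* stand-in for mpi_limb_t; 64-bit limbs are assumed throughout */
#define LIMB_BITS 64

/* flag must be exactly 0 or 1 (the caller's contract, as in the mpi_set_cond entry):
 * 1 gives all ones, 0 gives all zeros, and no branch is involved. */
static inline limb_t ct_mask(limb_t flag)     { return (limb_t)0 - flag; }
/* The complementary mask: 0 for flag == 1, all ones for flag == 0. */
static inline limb_t ct_inv_mask(limb_t flag) { return flag - (limb_t)1; }

/* Branch-free replacement for `!!x` when a value is not already 0/1:
 * the top bit of (x | -x) is set exactly when x != 0. */
static inline limb_t ct_is_nonzero(limb_t x)  { return (x | ((limb_t)0 - x)) >> (LIMB_BITS - 1); }

/* Swap the n-limb arrays a and b iff swap == 1; every limb is read and written either way. */
static void ct_swap_cond(limb_t *a, limb_t *b, size_t n, limb_t swap)
{
  limb_t mask = ct_mask(swap);
  for (size_t i = 0; i < n; i++) {
    limb_t x = (a[i] ^ b[i]) & mask;
    a[i] ^= x;
    b[i] ^= x;
  }
}

/* dst = set ? src : dst, limb by limb, again without a data-dependent branch. */
static void ct_set_cond(limb_t *dst, const limb_t *src, size_t n, limb_t set)
{
  limb_t keep = ct_inv_mask(set), take = ct_mask(set);
  for (size_t i = 0; i < n; i++)
    dst[i] = (dst[i] & keep) | (src[i] & take);
}

/* (a + b) mod m with the final subtraction selected by a mask; needs a, b < m < 2^63. */
static limb_t addmod_ct(limb_t a, limb_t b, limb_t m)
{
  limb_t s = a + b;                              /* < 2m < 2^64, cannot overflow */
  limb_t borrow = (s - m) >> (LIMB_BITS - 1);    /* 1 iff s < m */
  return s - (m & ct_inv_mask(borrow));          /* subtract m only when s >= m */
}

/* Montgomery-ladder scalar multiplication in the additive group Z_m, standing in for
 * curve point arithmetic (assumption: "add" is modular addition, "double" is adding a
 * value to itself).  The scalar bits reach the registers only through ct_swap_cond, so
 * the same sequence of adds and doubles runs for every k. */
static limb_t ladder_mul(limb_t k, limb_t g, limb_t m)
{
  limb_t r0[1] = { 0 }, r1[1] = { g % m };       /* invariant: r1 = r0 + g */
  for (int i = LIMB_BITS - 1; i >= 0; i--) {
    limb_t bit = (k >> i) & 1;
    ct_swap_cond(r0, r1, 1, bit);
    r1[0] = addmod_ct(r0[0], r1[0], m);          /* R1 = R0 + R1 */
    r0[0] = addmod_ct(r0[0], r0[0], m);          /* R0 = 2 * R0 */
    ct_swap_cond(r0, r1, 1, bit);
  }
  return r0[0];
}

/* Reference value through a plain 128-bit product, for checking the ladder. */
static limb_t ref_mul(limb_t k, limb_t g, limb_t m)
{
  return (limb_t)(((unsigned __int128)k * g) % m);
}

int main(void)
{
  limb_t k = 123456789, g = 987654321, m = 1000000007;
  printf("ladder: %llu  reference: %llu\n", (unsigned long long)ladder_mul(k, g, m),
         (unsigned long long)ref_mul(k, g, m));
  return 0;
}
```

Build with gcc or clang (unsigned __int128 is used only in the reference check). The reason the page's entry insists on a 0/1 input rather than "!!" is visible in ct_is_nonzero: normalising an arbitrary value costs an extra operation and, if written as "!!x", may be compiled to a conditional on secret data; a caller that already holds a 0/1 flag should pass it straight into the mask.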
10072
10073 2015-11-18 Justus Winter <justus@g10code.com>
10074
10075 cipher: Fix error handling.
10076 + commit 940dc8adc034a6c6c38742f6bfd7d837a532d537
10077 * cipher/cipher.c (_gcry_cipher_ctl): Fix error handling.
10078
10079 2015-11-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10080
10081 Tweak Keccak for small speed-up.
10082 + commit 6571a64331839d7d952292163afbf34c8bef62e0
10083 * cipher/keccak_permute_32.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Track
10084 rounds with round constant pointer instead of separate round counter.
10085 * cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Ditto.
10086 (KECCAK_F1600_ABSORB_FUNC_NAME): Tweak lanes pointer increment for bulk
10087 absorb loops.
10088
10089 Update license information for CRC.
10090 + commit 15ea0acf8bb0aa307eccc23024a0bd7878fb8080
10091 * LICENSES: Remove 'Simple permissive' and 'IETF permissive' licenses
10092 for 'cipher/crc.c' as result of rewrite of CRC implementations.
10093
10094 2015-11-17 Justus Winter <justus@g10code.com>
10095
10096 Fix typos found using codespell.
10097 + commit 0e395944b70c7a92a6437f6bcc14f287c19ce9de
10098 * cipher/cipher-ocb.c: Fix typos.
10099 * cipher/des.c: Likewise.
10100 * cipher/dsa-common.c: Likewise.
10101 * cipher/ecc.c: Likewise.
10102 * cipher/pubkey.c: Likewise.
10103 * cipher/rsa-common.c: Likewise.
10104 * cipher/scrypt.c: Likewise.
10105 * random/random-csprng.c: Likewise.
10106 * random/random-fips.c: Likewise.
10107 * random/rndw32.c: Likewise.
10108 * src/cipher-proto.h: Likewise.
10109 * src/context.c: Likewise.
10110 * src/fips.c: Likewise.
10111 * src/gcrypt.h.in: Likewise.
10112 * src/global.c: Likewise.
10113 * src/sexp.c: Likewise.
10114 * tests/mpitests.c: Likewise.
10115 * tests/t-lock.c: Likewise.
10116
10117 2015-11-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10118
10119 Improve performance of Tiger hash algorithms.
10120 + commit 89fa74d6b3e58cd4fcd6e0939a35e46cbaca2ea0
10121 * cipher/tiger.c (tiger_round, pass, key_schedule): Convert functions
10122 to macros.
10123 (transform_blk): Pass variable names instead of pointers to 'pass'.
10124
10125 Add ARMv7/NEON implementation of Keccak.
10126 + commit a1cc7bb15473a2419b24ecac765ae0ce5989a13b
10127 * cipher/Makefile.am: Add 'keccak-armv7-neon.S'.
10128 * cipher/keccak-armv7-neon.S: New.
10129 * cipher/keccak.c (USE_64BIT_ARM_NEON): New.
10130 (NEED_COMMON64): Select if USE_64BIT_ARM_NEON.
10131 [NEED_COMMON64] (round_consts_64bit): Rename to...
10132 [NEED_COMMON64] (_gcry_keccak_round_consts_64bit): ...this; Add
10133 terminator at end.
10134 [USE_64BIT_ARM_NEON] (_gcry_keccak_permute_armv7_neon)
10135 (_gcry_keccak_absorb_lanes64_armv7_neon, keccak_permute64_armv7_neon)
10136 (keccak_absorb_lanes64_armv7_neon, keccak_armv7_neon_64_ops): New.
10137 (keccak_init) [USE_64BIT_ARM_NEON]: Select ARM/NEON implementation
10138 if supported by HW.
10139 * cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Update
10140 to use new round constant table.
10141 * configure.ac: Add 'keccak-armv7-neon.lo'.
10142
10143 Optimize Keccak 64-bit absorb functions.
10144 + commit 2857cb89c6dc1c02266600bc1fd2967a3cd5cf88
10145 * cipher/keccak.c [USE_64BIT] [__x86_64__] (absorb_lanes64_8)
10146 (absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
10147 * cipher/keccak.c [USE_64BIT] [!__x86_64__] (absorb_lanes64_8)
10148 (absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
10149 [USE_64BIT] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
10150 [USE_64BIT] (keccak_absorb_lanes64): Remove.
10151 [USE_64BIT_SHLD] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
10152 [USE_64BIT_SHLD] (keccak_absorb_lanes64_shld): Remove.
10153 [USE_64BIT_BMI2] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
10154 [USE_64BIT_BMI2] (keccak_absorb_lanes64_bmi2): Remove.
10155 * cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): New.
10156
10157 2015-10-31 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10158
10159 Enable CRC test vectors with zero bytes.
10160 + commit 07e4839e75a7bca3a6c0a94aecfe75efe61d7ff2
10161 * tests/basic.c (check_digests): Enable CRC test-vectors with zero
10162 bytes.
10163
10164 Keccak: Add SHAKE Extendable-Output Functions.
10165 + commit c0b9eee2d93a13930244f9ce0c14ed6b4aeb6c29
10166 * src/hash-common.c (_gcry_hash_selftest_check_one): Add handling for
10167 XOFs.
10168 * src/keccak.c (keccak_ops_t): Rename 'extract_inplace' to 'extract'
10169 and add 'pos' argument.
10170 (KECCAK_CONTEXT): Add 'suffix'.
10171 (keccak_extract_inplace64): Rename to...
10172 (keccak_extract64): ...this; Add handling for 'pos' argument.
10173 (keccak_extract_inplace32bi): Rename to...
10174 (keccak_extract32bi): ...this; Add handling for 'pos' argument.
10175 (keccak_extract_inplace64): Rename to...
10176 (keccak_extract64): ...this; Add handling for 'pos' argument.
10177 (keccak_extract_inplace32bi_bmi2): Rename to...
10178 (keccak_extract32bi_bmi2): ...this; Add handling for 'pos' argument.
10179 (keccak_init): Setup 'suffix'; add SHAKE128 & SHAKE256.
10180 (shake128_init, shake256_init): New.
10181 (keccak_final): Do not do the initial permute for SHAKE output; use
10182 correct suffix for SHAKE.
10183 (keccak_extract): New.
10184 (keccak_selftests_keccak): Add SHAKE128 & SHAKE256 test-vectors.
10185 (run_selftests): Add SHAKE128 & SHAKE256.
10186 (shake128_asn, oid_spec_shake128, shake256_asn, oid_spec_shake256)
10187 (_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): New.
10188 * cipher/md.c (digest_list): Add SHAKE128 & SHAKE256.
10189 * doc/gcrypt.texi: Ditto.
10190 * src/cipher.h (_gcry_digest_spec_shake128)
10191 (_gcry_digest_spec_shake256): New.
10192 * src/gcrypt.h.in (GCRY_MD_SHAKE128, GCRY_MD_SHAKE256): New.
10193 * tests/basic.c (check_one_md): Add XOF check; Add 'elen' argument.
10194 (check_one_md_multi): Skip if algo is XOF.
10195 (check_digests): Add SHAKE128 & SHAKE256 test vectors.
10196 * tests/bench-slope.c (kdf_bench_one): Skip XOFs.
10197
10198 Few updates to documentation.
10199 + commit 28de6f9e16e386018e81a9cdaee596be7616ccab
10200 * doc/gcrypt.text: Add mention of new 'intel-fast-shld' hw feature
10201 flag; Add mention of x86 RDRAND support in rndhw.
10202
10203 Add HMAC-SHA3 test vectors.
10204 + commit 92ad19873562cfce7bcc4a0b5aed8195d8284cfc
10205 * tests/basic.c (check_mac): Add HMAC_SHA3 test vectors.
10206
10207 2015-10-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10208
10209 md: add variable length output interface.
10210 + commit 577dc2b63ceca6a8a716256d034ea4e7414f65fa
10211 * cipher/crc.c (_gcry_digest_spec_crc32)
10212 (_gcry_digest_spec_crc32_rfc1510, _gcry_digest_spec_crc24_rfc2440): Set
10213 'extract' NULL.
10214 * cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_94)
10215 (_gcry_digest_spec_gost3411_cp): Ditto.
10216 * cipher/keccak.c (_gcry_digest_spec_sha3_224)
10217 (_gcry_digest_spec_sha3_256, _gcry_digest_spec_sha3_384)
10218 (_gcry_digest_spec_sha3_512): Ditto.
10219 * cipher/md2.c (_gcry_digest_spec_md2): Ditto.
10220 * cipher/md4.c (_gcry_digest_spec_md4): Ditto.
10221 * cipher/md5.c (_gcry_digest_spec_md5): Ditto.
10222 * cipher/rmd160.c (_gcry_digest_spec_rmd160): Ditto.
10223 * cipher/sha1.c (_gcry_digest_spec_sha1): Ditto.
10224 * cipher/sha256.c (_gcry_digest_spec_sha224)
10225 (_gcry_digest_spec_sha256): Ditto.
10226 * cipher/sha512.c (_gcry_digest_spec_sha384)
10227 (_gcry_digest_spec_sha512): Ditto.
10228 * cipher/stribog.c (_gcry_digest_spec_stribog_256)
10229 (_gcry_digest_spec_stribog_512): Ditto.
10230 * cipher/tiger.c (_gcry_digest_spec_tiger)
10231 (_gcry_digest_spec_tiger1, _gcry_digest_spec_tiger2): Ditto.
10232 * cipher/whirlpool.c (_gcry_digest_spec_whirlpool): Ditto.
10233 * cipher/md.c (md_enable): Do not allow combination of HMAC and
10234 'expandable-output function'.
10235 (md_final): Check if spec->read is NULL before calling.
10236 (md_read): Ditto.
10237 (md_extract, _gcry_md_extract): New.
10238 * doc/gcrypt.texi: Add SHA3 algorithms and gcry_md_extract.
10239 * src/cipher-proto.h (gcry_md_extract_t): New.
10240 (gcry_md_spec_t): Add 'extract'.
10241 * src/gcrypt-int.g (_gcry_md_extract): New.
10242 * src/gcrypt.h.in (gcry_md_extract): New.
10243 * src/libgcrypt.def: Add gcry_md_extract.
10244 * src/libgcrypt.vers: Add gcry_md_extract.
10245 * src/visibility.c (gcry_md_extract): New.
10246 * src/visibility.h (gcry_md_extract): New.
10247
10248 md: check hmac flag in prepare_macpads.
10249 + commit cee2e122ec6c1886957a8d47498eb63a6a921725
10250 * cipher/md.c (prepare_macpads): Check hmac flag.
10251
10252 keccak: rewrite for improved performance.
10253 + commit 74184c28fbe7ff58cf57f0094ef957d94045da7d
10254 * cipher/Makefile.am: Add 'keccak_permute_32.h' and
10255 'keccak_permute_64.h'.
10256 * cipher/hash-common.h [USE_SHA3] (MD_BLOCK_MAX_BLOCKSIZE): Remove.
10257 * cipher/keccak.c (USE_64BIT, USE_32BIT, USE_64BIT_BMI2)
10258 (USE_64BIT_SHLD, USE_32BIT_BMI2, NEED_COMMON64, NEED_COMMON32BI)
10259 (keccak_ops_t): New.
10260 (KECCAK_STATE): Add 'state64' and 'state32bi' members.
10261 (KECCAK_CONTEXT): Remove 'bctx'; add 'blocksize', 'count' and 'ops'.
10262 (rol64, keccak_f1600_state_permute): Remove.
10263 [NEED_COMMON64] (round_consts_64bit, keccak_extract_inplace64): New.
10264 [NEED_COMMON32BI] (round_consts_32bit, keccak_extract_inplace32bi)
10265 (keccak_absorb_lane32bi): New.
10266 [USE_64BIT] (ANDN64, ROL64, keccak_f1600_state_permute64)
10267 (keccak_absorb_lanes64, keccak_generic64_ops): New.
10268 [USE_64BIT_SHLD] (ANDN64, ROL64, keccak_f1600_state_permute64_shld)
10269 (keccak_absorb_lanes64_shld, keccak_shld_64_ops): New.
10270 [USE_64BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute64_bmi2)
10271 (keccak_absorb_lanes64_bmi2, keccak_bmi2_64_ops): New.
10272 [USE_32BIT] (ANDN64, ROL64, keccak_f1600_state_permute32bi)
10273 (keccak_absorb_lanes32bi, keccak_generic32bi_ops): New.
10274 [USE_32BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute32bi_bmi2)
10275 (pext, pdep, keccak_absorb_lane32bi_bmi2, keccak_absorb_lanes32bi_bmi2)
10276 (keccak_extract_inplace32bi_bmi2, keccak_bmi2_32bi_ops): New.
10277 (keccak_write): New.
10278 (keccak_init): Adjust to KECCAK_CONTEXT changes; add implementation
10279 selection based on HWF features.
10280 (keccak_final): Adjust to KECCAK_CONTEXT changes; use selected 'ops'
10281 for state manipulation.
10282 (keccak_read): Adjust to KECCAK_CONTEXT changes.
10283 (_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
10284 (_gcry_digest_spec_sha3_348, _gcry_digest_spec_sha3_512): Use
10285 'keccak_write' instead of '_gcry_md_block_write'.
10286 * cipher/keccak_permute_32.h: New.
10287 * cipher/keccak_permute_64.h: New.
10288
10289 hwf-x86: add detection for Intel CPUs with fast SHLD instruction.
10290 + commit 909644ef5883927262366c356eed530e55aba478
10291 * cipher/sha1.c (sha1_init): Use HWF_INTEL_FAST_SHLD instead of
10292 HWF_INTEL_CPU.
10293 * cipher/sha256.c (sha256_init, sha224_init): Ditto.
10294 * cipher/sha512.c (sha512_init, sha384_init): Ditto.
10295 * src/g10lib.h (HWF_INTEL_FAST_SHLD): New.
10296 (HWF_INTEL_BMI2, HWF_INTEL_SSSE3, HWF_INTEL_PCLMUL, HWF_INTEL_AESNI)
10297 (HWF_INTEL_RDRAND, HWF_INTEL_AVX, HWF_INTEL_AVX2)
10298 (HWF_ARM_NEON): Update.
10299 * src/hwf-x86.c (detect_x86_gnuc): Add detection of Intel Core
10300 CPUs with fast SHLD/SHRD instruction.
10301 * src/hwfeatures.c (hwflist): Add "intel-fast-shld".
10302
10303 Fix OCB amd64 assembly implementations for x32.
10304 + commit 16fd540f4d01eb6dc23d9509ae549353617c7a67
10305 * cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
10306 (_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
10307 (_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
10308 (_gcry_camellia_aesni_avx2_ocb_auth, _gcry_camellia_ocb_crypt)
10309 (_gcry_camellia_ocb_auth): Change 'Ls' from pointer array to u64 array.
10310 * cipher/serpent.c (_gcry_serpent_sse2_ocb_enc)
10311 (_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth)
10312 (_gcry_serpent_avx2_ocb_enc, _gcry_serpent_avx2_ocb_dec)
10313 (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Ditto.
10314 * cipher/twofish.c (_gcry_twofish_amd64_ocb_enc)
10315 (_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth)
10316 (twofish_amd64_ocb_enc, twofish_amd64_ocb_dec, twofish_amd64_ocb_auth)
10317 (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Ditto.
10318
10319 bench-slope: add KDF/PBKDF2 benchmark.
10320 + commit ae40af427fd2a856b24ec2a41323ec8b80ffc9c0
10321 * tests/bench-slope.c (bench_kdf_mode, bench_kdf_init, bench_kdf_free)
10322 (bench_kdf_do_bench, kdf_ops, kdf_bench_one, kdf_bench): New.
10323 (print_help): Add 'kdf'.
10324 (main): Add KDF benchmarks.
10325
10326 2015-10-22 NIIBE Yutaka <gniibe@fsij.org>
10327
10328 md: keep contexts for HMAC in GcryDigestEntry.
10329 + commit f7505b550dd591e33d3a3fab9277c43c460f1bad
10330 * cipher/md.c (struct gcry_md_context): Add flags.hmac.
10331 Remove macpads and mcpads_Bsize.
10332 (md_open): Initialize flags.hmac. Remove macpads initialization.
10333 (md_enable): Allocate contexts when flags.hmac is enabled.
10334 (md_copy): Remove macpads copying. Add copying contexts.
10335 (_gcry_md_reset): When flags.hmac is enabled, restore precomputed
10336 context with input pad.
10337 (md_close): Remove macpads wiping.
10338 (md_final): When flags.hmac is enabled, compute hmac by precomputed
10339 context with output pad.
10340 (prepare_macpads): Prepare precomputed contexts with input pad and
10341 output pad for each registered digest entry.
10342 (_gcry_md_setkey): Just call prepare_macpads.
10343
10344 2015-10-15 NIIBE Yutaka <gniibe@fsij.org>
10345
10346 Fix double free on error.
10347 + commit 1c6d2698a84e4bf82735287c1d64954bfc1a1982
10348 * src/hmac256.c (_gcry_hmac256_finalize): Don't free HD.
10349
10350 2015-10-14 NIIBE Yutaka <gniibe@fsij.org>
10351
10352 Fix gpg_error_t and gpg_err_code_t confusion.
10353 + commit 813565a07ca575c87e1252c6ed26018653ecd338
10354 * src/gcrypt-int.h (_gcry_sexp_extract_param): Revert the change.
10355 * cipher/dsa.c (dsa_check_secret_key): Ditto.
10356 * src/sexp.c (_gcry_sexp_extract_param): Return gpg_err_code_t.
10357
10358 * src/gcrypt-int.h (_gcry_err_make_from_errno)
10359 (_gcry_error_from_errno): Return gpg_error_t.
10360 * cipher/cipher.c (_gcry_cipher_open_internal)
10361 (_gcry_cipher_ctl, _gcry_cipher_ctl): Don't use gcry_error.
10362 * src/global.c (_gcry_vcontrol): Likewise.
10363 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Use
10364 gpg_err_code_from_syserror.
10365 * cipher/mac.c (mac_reset, mac_setkey, mac_setiv, mac_write)
10366 (mac_read, mac_verify): Return gcry_err_code_t.
10367 * cipher/rsa-common.c (mgf1): Use gcry_err_code_t for ERR.
10368 * src/visibility.c (gcry_error_from_errno): Return gpg_error_t.
10369
10370 2015-10-13 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10371
10372 Fix compiling AES/AES-NI implementation on linux-i386.
10373 + commit fa94b6111948a614ebdcb67f7942eced8b84c579
10374 * cipher/rijndael-aesni.c (do_aesni_ctr_4): Split assembly block in
10375 two parts to reduce number of register constraints needed.
10376
10377 2015-10-13 NIIBE Yutaka <gniibe@fsij.org>
10378
10379 Fix declaration of return type.
10380 + commit 73374fdd27c7ba28b19f9672c68a6f5b72252fe5
10381 * src/gcrypt-int.h (_gcry_sexp_extract_param): Return gpg_error_t.
10382 * cipher/dsa.c (dsa_generate): Fix call to _gcry_sexp_extract_param.
10383 * src/g10lib.h (_gcry_vcontrol): Return gcry_err_code_t.
10384 * src/visibility.c (gcry_mpi_snatch): Fix call to _gcry_mpi_snatch.
10385
10386 2015-09-07 Werner Koch <wk@gnupg.org>
10387
10388 Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls.
10389 + commit 3a3d5410cc83f7069c7cb1ab384905f382292d32
10390 * src/secmem.c (lock_pool, secmem_init): Do not call any cap_
10391 functions if NO_PRIV_DROP is set.
10392
10393 2015-09-04 Werner Koch <wk@gnupg.org>
10394
10395 w32: Avoid a few compiler warnings.
10396 + commit e97c62a4a687b56d00a2d0a63e072a977f8eb81c
10397 * cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
10398 (_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Mark variable
10399 as unused.
10400 * random/rndw32.c (slow_gatherer): Avoid signed pointer mismatch
10401 warning.
10402 * src/secmem.c (init_pool): Avoid unused variable warning.
10403 * tests/random.c (writen, readn): Include only if needed.
10404
10405 w32: Fix alignment problem with AESNI on Windows >= 8.
10406 + commit e2785a2268702312529521df3bd2f4e6b43cea3a
10407 * cipher/cipher-selftest.c (_gcry_cipher_selftest_alloc_ctx): New.
10408 * cipher/rijndael.c (selftest_basic_128, selftest_basic_192)
10409 (selftest_basic_256): Allocate context on the heap.
10410
10411 2015-08-31 Werner Koch <wk@gnupg.org>
10412
10413 rsa: Add verify after sign to avoid Lenstra's CRT attack.
10414 + commit c17f84bd02d7ee93845e92e20f6ddba814961588
10415 * cipher/rsa.c (rsa_sign): Check the CRT.
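
Lenstra's observation, which this entry guards against, is that an RSA-CRT signature that went wrong in exactly one of the two half-exponentiations factors the modulus: the bad signature is still correct modulo one prime, so gcd(s'^e - m, N), computed with the public key alone, yields the other prime. The following is an added example and not libgcrypt code. It uses a deliberately tiny key (32-bit primes, assumed values chosen so that the arithmetic fits in 64-bit integers with 128-bit intermediates), injects a fault into the mod-p half, runs the gcd attack, and then shows the countermeasure the entry describes: verify the signature with the public exponent before returning it.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* gcc/clang extension for the 64x64 products */

/* Toy RSA-CRT key: p = 2^32 - 5 and q = 2^31 - 1 are prime (assumed, well known), so the
 * modulus fits in 64 bits.  Real keys are far larger; neither the attack nor the
 * countermeasure depends on the size. */
typedef struct { uint64_t n, e, p, q, dp, dq, qinv; } rsa_key_t;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (uint64_t)(((u128)a * b) % m); }

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
  uint64_t r = 1 % m;
  for (b %= m; e; e >>= 1) {
    if (e & 1) r = mulmod(r, b, m);
    b = mulmod(b, b, m);
  }
  return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
  while (b) { uint64_t t = a % b; a = b; b = t; }
  return a;
}

/* a^-1 mod m by the extended Euclidean algorithm; gcd(a, m) must be 1. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
  __int128 t = 0, nt = 1, r = m, nr = a % m, q, tmp;
  while (nr) {
    q = r / nr;
    tmp = t - q * nt; t = nt; nt = tmp;
    tmp = r - q * nr; r = nr; nr = tmp;
  }
  return (uint64_t)(t < 0 ? t + m : t);
}

static rsa_key_t demo_key(void)
{
  rsa_key_t k = { 0, 65537, 4294967291ULL, 2147483647ULL, 0, 0, 0 };
  k.n = k.p * k.q;
  k.dp = modinv(k.e, k.p - 1);
  k.dq = modinv(k.e, k.q - 1);
  k.qinv = modinv(k.q, k.p);
  return k;
}

/* CRT signing with Garner recombination.  fault != 0 simulates a glitch that corrupts
 * the mod-p half only; the mod-q half stays correct, which is Lenstra's scenario. */
static uint64_t rsa_crt_sign(const rsa_key_t *k, uint64_t m, int fault)
{
  uint64_t s1 = powmod(m, k->dp, k->p);
  uint64_t s2 = powmod(m, k->dq, k->q);
  if (fault) s1 = (s1 + 1) % k->p;                         /* the injected error */
  uint64_t h = mulmod((s1 + k->p - s2 % k->p) % k->p, k->qinv, k->p);
  return s2 + h * k->q;                                     /* < p*q = n, no overflow */
}

static int rsa_verify(const rsa_key_t *k, uint64_t m, uint64_t s)
{
  return powmod(s, k->e, k->n) == m % k->n;
}

/* Lenstra's attack: a faulty signature s' that is still right mod q makes s'^e - m a
 * multiple of q but not of p, so gcd(s'^e - m, n) is q.  Only the public key is used. */
static uint64_t lenstra_factor(uint64_t n, uint64_t e, uint64_t m, uint64_t s_faulty)
{
  uint64_t diff = (powmod(s_faulty, e, n) + n - m % n) % n;
  return diff ? gcd64(diff, n) : n;   /* n means the signature was fine and leaks nothing */
}

/* The countermeasure from the entry above: verify with the public exponent before the
 * signature leaves the signer.  Returns 0 and sets *out, or -1 and releases nothing. */
static int rsa_sign_checked(const rsa_key_t *k, uint64_t m, int fault, uint64_t *out)
{
  uint64_t s = rsa_crt_sign(k, m, fault);
  if (!rsa_verify(k, m, s))
    return -1;
  *out = s;
  return 0;
}

int main(void)
{
  rsa_key_t k = demo_key();
  uint64_t m = 0x1234567890ABCDEFULL % k.n, s = 0;
  uint64_t bad = rsa_crt_sign(&k, m, 1);
  printf("gcd attack on the faulty signature gives %llu, q is %llu\n",
         (unsigned long long)lenstra_factor(k.n, k.e, m, bad), (unsigned long long)k.q);
  printf("checked signing with the same fault returns %d\n", rsa_sign_checked(&k, m, 1, &s));
  return 0;
}
```

The cost model is what makes the check worthwhile: one extra exponentiation with the small public exponent, negligible next to CRT signing, against a failure mode that turns a single glitch into full private-key recovery. What matters is that the bad signature is rejected and never released; the value the attacker needs does not leave the signer.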
10416
10417 Add pubkey algo id for EdDSA.
10418 + commit dd87639abd38afc91a6f27af33f0ba17402ad02d
10419 * src/gcrypt.h.in (GCRY_PK_EDDSA): New.
10420
10421 2015-08-25 Werner Koch <wk@gnupg.org>
10422
10423 Add configure option --enable-build-timestamp.
10424 + commit a785cc3db0c4e8eb8ebbf784b833a40d2c42ec3e
10425 * configure.ac (BUILD_TIMESTAMP): Set to "<none>" by default.
10426
10427 2015-08-23 Werner Koch <wk@gnupg.org>
10428
10429 tests: Add missing files for the make distcheck target.
10430 + commit fb3cb47b0a29d3e73150297aa4495c20915e4a75
10431 * tests/Makefile.am (EXTRA_DIST): Add sha3-x test vector files.
10432
10433 2015-08-19 Werner Koch <wk@gnupg.org>
10434
10435 Change SHA-3 algorithm ids.
10436 + commit 65639ecaaeba642e40487446c40d045482001285
10437 * src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
10438 (GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): Change values.
10439
10440 2015-08-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10441
10442 Keccak: Fix array indexes in θ step.
10443 + commit 48822ae0b436bcea0fe92dbf0d88475ba3179320
10444 * cipher/keccak.c (keccak_f1600_state_permute): Fix indexes for D[5].
10445
10446 Simplify OCB offset calculation for parallel implementations.
10447 + commit 24ebf53f1e8a8afa27dcd768339bda70a740bb03
10448 * cipher/camellia-glue.c (_gcry_camellia_ocb_crypt)
10449 (_gcry_camellia_ocb_auth): Precalculate Ls array always, instead of
10450 just if 'blkn % <parallel blocks> == 0'.
10451 * cipher/serpent.c (_gcry_serpent_ocb_crypt)
10452 (_gcry_serpent_ocb_auth): Ditto.
10453 * cipher/rijndael-aesni.c (get_l): Remove low-bit checks.
10454 (aes_ocb_enc, aes_ocb_dec, _gcry_aes_aesni_ocb_auth): Handle leading
10455 blocks until block counter is multiple of 4, so that parallel block
10456 processing loop can use 'c->u_mode.ocb.L' array directly.
10457 * tests/basic.c (check_ocb_cipher_largebuf): Rename to...
10458 (check_ocb_cipher_largebuf_split): ...this and add option to process
10459 large buffer as two split buffers.
10460 (check_ocb_cipher_largebuf): New.
10461
10462 Add carryless 8-bit addition fast-path for AES-NI CTR mode.
10463 + commit e11895da1f4af9782d89e92ba2e6b1a63235b54b
10464 * cipher/rijndael-aesni.c (do_aesni_ctr_4): Do addition using
10465 CTR in big-endian form, if least-significant byte does not overflow.
10466
10467 2015-08-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10468
10469 Add additional SHA3 test-vectors.
10470 + commit 80321eb3a63a20f86734d6eebb3f419c0ec895aa
10471 * tests/basic.c (check_digests): Allow datalen to be specified so that
10472 input data can have byte with value 0x00; Include sha3-*.h header files
10473 to test-vector structure.
10474 * tests/sha3-224.h: New.
10475 * tests/sha3-256.h: New.
10476 * tests/sha3-384.h: New.
10477 * tests/sha3-512.h: New.
10478
10479 Add generic SHA3 implementation.
10480 + commit 434ba17d1d5ad59c70d721ad3ecb376c2403a7e5
10481 * cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE): Increase blocksize
10482 when USE_SHA3 is enabled.
10483 * cipher/keccak.c (SHA3_DELIMITED_SUFFIX, SHAKE_DELIMITED_SUFFIX): New.
10484 (KECCAK_STATE): Add proper state.
10485 (KECCAK_CONTEXT): Add 'outlen'.
10486 (rol64, keccak_f1600_state_permute, transform_blk, transform): New.
10487 (keccak_init): Add proper initialization.
10488 (keccak_final): Add proper finalization.
10489 (selftests_keccak): Add selftests.
10490 (oid_spec_sha3_224, oid_spec_sha3_256, oid_spec_sha3_384)
10491 (oid_spec_sha3_512): Add OID.
10492 (_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
10493 (_gcry_digest_spec_sha3_384, _gcry_digest_spec_sha3_512): Fix output
10494 length.
10495 * cipher/mac-hmac.c (map_mac_algo_to_md): Fix mapping for SHA3-512.
10496 (hmac_get_keylen): Return proper blocksizes for SHA3 algorithms.
10497 [USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224)
10498 (_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384)
10499 (_gcry_mac_type_spec_hmac_sha3_512): New.
10500 * cipher/mac-internal [USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224)
10501 (_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384)
10502 (_gcry_mac_type_spec_hmac_sha3_512): New.
10503 * cipher/mac.c (mac_list) [USE_SHA3]: Add SHA3 algorithms.
10504 * cipher/md.c (md_open): Use proper SHA-3 blocksizes for HMAC macpads.
10505 * tests/basic.c (check_digests): Add SHA3 test vectors.
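
The SHA3 entries on this page (the generic implementation above, the fix of the array indexes in the θ step, and the SHAKE extraction that gained a 'pos' argument) are easier to follow with the sponge written out. The following is an added example and not libgcrypt's keccak.c: a plain Keccak-f[1600] permutation with the θ, ρ, π, χ and ι steps labelled, a byte-at-a-time sponge with the SHA3 (0x06) and SHAKE (0x1f) domain-separation suffixes, and a squeeze that keeps its position so that an XOF can be read out in several calls. Lane order, rotation offsets and round constants are the standard ones from FIPS 202; the hex helper exists only to compare against the published test vectors.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ROTL64(x, n) (((x) << (n)) | ((x) >> (64 - (n))))

static const uint64_t keccak_rc[24] = {   /* FIPS 202 round constants for iota */
  0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL, 0x8000000080008000ULL,
  0x000000000000808bULL, 0x0000000080000001ULL, 0x8000000080008081ULL, 0x8000000000008009ULL,
  0x000000000000008aULL, 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
  0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL, 0x8000000000008003ULL,
  0x8000000000008002ULL, 0x8000000000000080ULL, 0x000000000000800aULL, 0x800000008000000aULL,
  0x8000000080008081ULL, 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL };
static const int keccak_rotc[24] = { 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14,   /* rho */
                                     27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 };
static const int keccak_piln[24] = { 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,    /* pi */
                                     15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 };

/* Keccak-f[1600]; lane (x, y) lives at st[x + 5*y]. */
static void keccak_f1600(uint64_t st[25])
{
  uint64_t c[5], d[5], t;
  for (int r = 0; r < 24; r++) {
    /* theta: C[x] = parity of column x, D[x] = C[x-1] ^ rotl(C[x+1], 1), indexes mod 5 */
    for (int x = 0; x < 5; x++)
      c[x] = st[x] ^ st[x + 5] ^ st[x + 10] ^ st[x + 15] ^ st[x + 20];
    for (int x = 0; x < 5; x++) {
      d[x] = c[(x + 4) % 5] ^ ROTL64(c[(x + 1) % 5], 1);
      for (int y = 0; y < 25; y += 5) st[y + x] ^= d[x];
    }
    /* rho + pi: rotate each lane and drop it at its new position */
    t = st[1];
    for (int i = 0; i < 24; i++) {
      uint64_t tmp = st[keccak_piln[i]];
      st[keccak_piln[i]] = ROTL64(t, keccak_rotc[i]);
      t = tmp;
    }
    /* chi: a[x] ^= ~a[x+1] & a[x+2] within each row */
    for (int y = 0; y < 25; y += 5) {
      for (int x = 0; x < 5; x++) c[x] = st[y + x];
      for (int x = 0; x < 5; x++) st[y + x] ^= (~c[(x + 1) % 5]) & c[(x + 2) % 5];
    }
    st[0] ^= keccak_rc[r]; /* iota */
  }
}

typedef struct { uint64_t st[25]; size_t rate, pos; uint8_t suffix; } sponge_t;

static void sponge_init(sponge_t *s, size_t rate, uint8_t suffix)
{
  memset(s, 0, sizeof *s);
  s->rate = rate;       /* bytes per permutation: 200 - 2*digestlen for SHA3, 168/136 for SHAKE128/256 */
  s->suffix = suffix;   /* domain-separation bits appended LSB-first: 0x06 for SHA3, 0x1f for SHAKE */
}

static void sponge_absorb(sponge_t *s, const uint8_t *in, size_t len)
{
  for (size_t i = 0; i < len; i++) {
    s->st[s->pos / 8] ^= (uint64_t)in[i] << (8 * (s->pos % 8));
    if (++s->pos == s->rate) { keccak_f1600(s->st); s->pos = 0; }
  }
}

/* Append suffix and pad10*1, permute once; from here on pos counts squeezed bytes. */
static void sponge_finalize(sponge_t *s)
{
  s->st[s->pos / 8] ^= (uint64_t)s->suffix << (8 * (s->pos % 8));
  s->st[(s->rate - 1) / 8] ^= (uint64_t)0x80 << (8 * ((s->rate - 1) % 8));
  keccak_f1600(s->st);
  s->pos = 0;
}

/* Squeeze len bytes.  Successive calls continue from the saved position and permute
 * again only when a full rate block has been handed out, so an XOF can be read in pieces. */
static void sponge_squeeze(sponge_t *s, uint8_t *out, size_t len)
{
  for (size_t i = 0; i < len; i++) {
    if (s->pos == s->rate) { keccak_f1600(s->st); s->pos = 0; }
    out[i] = (uint8_t)(s->st[s->pos / 8] >> (8 * (s->pos % 8)));
    s->pos++;
  }
}

/* One-shot helper: SHA3-256 is (136, 0x06, outlen 32); SHAKE128 is (168, 0x1f, any outlen). */
static void sponge_hash(size_t rate, uint8_t suffix, const uint8_t *in, size_t len, uint8_t *out, size_t outlen)
{
  sponge_t s;
  sponge_init(&s, rate, suffix);
  sponge_absorb(&s, in, len);
  sponge_finalize(&s);
  sponge_squeeze(&s, out, outlen);
}

/* 1 if buf equals the lowercase hex string, for checking against FIPS 202 vectors. */
static int hex_matches(const uint8_t *buf, size_t len, const char *hex)
{
  const char *digits = "0123456789abcdef";
  if (strlen(hex) != 2 * len) return 0;
  for (size_t i = 0; i < len; i++)
    if (hex[2 * i] != digits[buf[i] >> 4] || hex[2 * i + 1] != digits[buf[i] & 15]) return 0;
  return 1;
}
```

The squeeze position is the state that a 'pos' argument to an extract routine has to carry. For SHA3 the output is read once with the fixed digest length; for SHAKE a second extract must continue after the bytes already handed out and permute again only when a full rate block has been consumed, otherwise the output stream would repeat or skip bytes. Mixing HMAC with an XOF is refused in the md entry below for the same structural reason: HMAC needs a fixed-length inner digest.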
10506
10507 Optimize OCB offset calculation.
10508 + commit 49f52c67fb42c0656c8f9af655087f444562ca82
10509 * cipher/cipher-internal.h (ocb_get_l): New.
10510 * cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
10511 (ocb_crypt): Use 'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
10512 * cipher/camellia-glue.c (get_l): Remove.
10513 (_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Precalculate
10514 offset array when block count matches parallel operation size; Use
10515 'ocb_get_l' instead of 'get_l'.
10516 * cipher/rijndael-aesni.c (get_l): Add fast path for 75% most common
10517 offsets.
10518 (aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Precalculate
10519 offset array when block count matches parallel operation size.
10520 * cipher/rijndael-ssse3-amd64.c (get_l): Add fast path for 75% most
10521 common offsets.
10522 * cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Use
10523 'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
10524 * cipher/serpent.c (get_l): Remove.
10525 (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Precalculate
10526 offset array when block count matches parallel operation size; Use
10527 'ocb_get_l' instead of 'get_l'.
10528 * cipher/twofish.c (get_l): Remove.
10529 (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Use 'ocb_get_l'
10530 instead of 'get_l'.
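
The ocb_get_l change above is about how OCB picks the per-block offset increment. RFC 7253 derives L_* = E_K(0), L_$ = double(L_*), L_0 = double(L_$) and L_i = double(L_{i-1}), and block n uses L_ntz(n); every odd n needs L_0 and every n = 2 mod 4 needs L_1, so two bit tests cover three quarters of all blocks, which is the "75% most common offsets" fast path. The following is an added example and not libgcrypt code. It takes L_* as an input (a constructed value, since producing the real one needs AES), builds the table with a mask-selected doubling, implements the fast-path lookup and the running offset, and shows the four-entry Ls array that a bulk implementation can precompute once the block counter is a multiple of four (the batch layout is my assumption of how such an array is used).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OCB_L_TABLE_SIZE 64   /* ntz(n) <= 63 for any non-zero 64-bit block counter */

typedef struct {
  uint8_t L_star[16];                /* L_* = E_K(0^128); taken as input here, no AES needed */
  uint8_t L_dollar[16];              /* L_$ = double(L_*) */
  uint8_t L[OCB_L_TABLE_SIZE][16];   /* L_0 = double(L_$), L_i = double(L_{i-1}) */
} ocb_l_table_t;

/* double() from RFC 7253: shift the block left one bit and, if the bit shifted out was
 * set, XOR in 0x87 (x^128 = x^7 + x^2 + x + 1 in GF(2^128)).  The reduction is
 * selected with a mask, not a branch, so timing does not depend on the key-derived L. */
static void ocb_double(uint8_t out[16], const uint8_t in[16])
{
  uint8_t carry = in[0] >> 7;
  for (int i = 0; i < 15; i++)
    out[i] = (uint8_t)((in[i] << 1) | (in[i + 1] >> 7));
  out[15] = (uint8_t)((in[15] << 1) ^ (0x87 & (uint8_t)(0u - carry)));
}

static void ocb_setup_l(ocb_l_table_t *t, const uint8_t l_star[16])
{
  memcpy(t->L_star, l_star, 16);
  ocb_double(t->L_dollar, t->L_star);
  ocb_double(t->L[0], t->L_dollar);
  for (int i = 1; i < OCB_L_TABLE_SIZE; i++)
    ocb_double(t->L[i], t->L[i - 1]);
}

/* Trailing zero bits of a non-zero block counter. */
static unsigned ocb_ntz(uint64_t n)
{
  unsigned z = 0;
  while ((n & 1) == 0) { n >>= 1; z++; }
  return z;
}

/* L_{ntz(n)} for 1-based block number n.  Odd n needs L_0 and n = 2 mod 4 needs L_1,
 * so two bit tests settle three quarters of all blocks before the general lookup. */
static const uint8_t *ocb_get_l(const ocb_l_table_t *t, uint64_t n)
{
  if (n & 1) return t->L[0];
  if (n & 2) return t->L[1];
  return t->L[ocb_ntz(n)];
}

/* Offset_n = Offset_{n-1} xor L_{ntz(n)} */
static void ocb_advance_offset(uint8_t offset[16], const ocb_l_table_t *t, uint64_t n)
{
  const uint8_t *l = ocb_get_l(t, n);
  for (int i = 0; i < 16; i++) offset[i] ^= l[i];
}

/* Offset after nblocks blocks, starting from an all-zero Offset_0 (in RFC 7253 Offset_0
 * is nonce-derived; zero is used here only so the result is easy to check by hand). */
static void ocb_offset_after(const ocb_l_table_t *t, uint64_t nblocks, uint8_t out[16])
{
  memset(out, 0, 16);
  for (uint64_t n = 1; n <= nblocks; n++) ocb_advance_offset(out, t, n);
}

/* For a batch of four blocks n+1..n+4 with n % 4 == 0 the increments are always
 * L_0, L_1, L_0 and then L_{ntz(n+4)}: only the last entry varies, so a bulk routine
 * can fill this array once per batch instead of calling ocb_get_l per block
 * (assumed batch layout, written to illustrate the entries above). */
static void ocb_batch4_ls(const ocb_l_table_t *t, uint64_t n, const uint8_t *ls[4])
{
  ls[0] = t->L[0];
  ls[1] = t->L[1];
  ls[2] = t->L[0];
  ls[3] = ocb_get_l(t, n + 4);
}

int main(void)
{
  ocb_l_table_t t;
  uint8_t l_star[16] = { 0x80 };   /* constructed value with the top bit set */
  uint8_t off[16];
  ocb_setup_l(&t, l_star);
  ocb_offset_after(&t, 4, off);
  for (int i = 0; i < 16; i++) printf("%02x", off[i]);
  printf("  (= L_1 xor L_2)\n");
  return 0;
}
```

Two details matter for correctness: double() must reduce with 0x87 exactly when the top bit of its input is set, and the lookup is 1-based, so ntz(0) is never asked for. The table is bounded by the counter width; 64 entries suffice for any 64-bit block counter.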
10531
10532 2015-08-10 NIIBE Yutaka <gniibe@fsij.org>
10533
10534 ecc: fix Montgomery curve bugs.
10535 + commit ce746936b6c210e602d106cfbf45cf60b408d871
10536 * cipher/ecc.c (check_secret_key): Y1 should not be NULL when checking.
10537 (ecc_check_secret_key): Support Montgomery curve.
10538 * mpi/ec.c (_gcry_mpi_ec_curve_point): Fix condition.
10539
10540 2015-08-08 Werner Koch <wk@gnupg.org>
10541
10542 Add framework to eventually support SHA3.
10543 + commit 0e17f7a05bba309a87811992aa47a77af9935b99
10544 * src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
10545 (GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): New.
10546 (GCRY_MAC_HMAC_SHA3_224, GCRY_MAC_HMAC_SHA3_256)
10547 (GCRY_MAC_HMAC_SHA3_384, GCRY_MAC_HMAC_SHA3_512): New.
10548 * cipher/keccak.c: New with stub functions.
10549 * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add keccak.c.
10550 * configure.ac (available_digests): Add sha3.
10551 (USE_SHA3): New.
10552 * src/fips.c (run_hmac_selftests): Add SHA3 to the required selftests.
10553 * cipher/md.c (digest_list) [USE_SHA3]: Add standard SHA3 algos.
10554 (md_open): Ditto for hmac processing.
10555 * cipher/mac-hmac.c (map_mac_algo_to_md): Add mapping.
10556 * cipher/hmac-tests.c (run_selftests): Prepare for tests.
10557 * cipher/pubkey-util.c (get_hash_algo): Add "sha3-xxx".
10558
10559 2015-08-06 Werner Koch <wk@gnupg.org>
10560
10561 tools: Fix memory leak for functions "I" and "G".
10562 + commit 10789e3cdda7b944acb4b59624c34a2ccfaea6e5
10563 * src/mpicalc.c (do_inv, do_gcd): Init A after stack check.
10564
10565 2015-08-06 Ismo Puustinen <ismo.puustinen@intel.com>
10566
10567 ecc: Free memory also when in error branch.
10568 + commit 1d896371fbc94c605fce35eabcde01e24dd22892
10569 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Init DIGEST and goto
10570 leave on error.
10571
10572 2015-08-06 NIIBE Yutaka <gniibe@fsij.org>
10573
10574 Add Curve25519 support.
10575 + commit e93f4c21c59756604440ad8cbf27e67d29c99ffd
10576 * cipher/ecc-curves.c (curve_aliases, domain_parms): Add Curve25519.
10577 * tests/curves.c (N_CURVES): It's 22 now.
10578 * src/cipher.h (PUBKEY_FLAG_DJB_TWEAK): New.
10579 * cipher/ecc-common.h (_gcry_ecc_mont_decodepoint): New.
10580 * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): New.
10581 * cipher/ecc.c (nist_generate_key): Handle the case of
10582 PUBKEY_FLAG_DJB_TWEAK and Montgomery curve.
10583 (test_ecdh_only_keys, check_secret_key): Likewise.
10584 (ecc_generate): Support Curve25519 which is Montgomery curve with flag
10585 PUBKEY_FLAG_DJB_TWEAK and PUBKEY_FLAG_COMP.
10586 (ecc_encrypt_raw): Get flags from KEYPARMS and handle
10587 PUBKEY_FLAG_DJB_TWEAK and Montgomery curve.
10588 (ecc_decrypt_raw): Likewise.
10589 (compute_keygrip): Handle the case of PUBKEY_FLAG_DJB_TWEAK.
10590 * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist):
10591 PUBKEY_FLAG_EDDSA implies PUBKEY_FLAG_DJB_TWEAK.
10592 Parse "djb-tweak" for PUBKEY_FLAG_DJB_TWEAK.
10593
10594 2015-07-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10595
10596 Reduce code size for Twofish key-setup and remove key-dependent branch.
10597 + commit b4b1d872ba651bc44761b35d245b1a519a33f515
10598 * cipher/twofish.c (poly_to_exp): Increase size by one, change type
10599 from byte to u16 and insert '492' to index 0.
10600 (exp_to_poly): Increase size by 256, let new cells have zero value.
10601 (CALC_S): Execute unconditionally with help of modified tables.
10602 (do_twofish_setkey): Change type for 'tmp' to 'unsigned int'; Un-unroll
10603 CALC_K256 and CALC_K phases to reduce generated object size.
10604
10605 Reduce amount of duplicated code in OCB bulk implementations.
10606 + commit e950052bc6f5ff11a7c23091ff3f6b5cc431e875
10607 * cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
10608 (ocb_crypt): Change bulk function to return number of unprocessed
10609 blocks.
10610 * src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth)
10611 (_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth)
10612 (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth)
10613 (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type
10614 to 'size_t'.
10615 * cipher/camellia-glue.c (get_l): Only if USE_AESNI_AVX or
10616 USE_AESNI_AVX2 defined.
10617 (_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Change return type
10618 to 'size_t' and return remaining blocks; Remove unaccelerated common
10619 code path. Enable remaining common code only if USE_AESNI_AVX or
10620 USE_AESNI_AVX2 defined; Remove unaccelerated common code.
10621 * cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Change
10622 return type to 'size_t' and return zero.
10623 * cipher/serpent.c (get_l): Only if USE_SSE2, USE_AVX2 or USE_NEON
10624 defined.
10625 (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Change return type
10626 to 'size_t' and return remaining blocks; Remove unaccelerated common
10627 code path. Enable remaining common code only if USE_SSE2, USE_AVX2 or
10628 USE_NEON defined; Remove unaccelerated common code.
10629 * cipher/twofish.c (get_l): Only if USE_AMD64_ASM defined.
10630 (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type
10631 to 'size_t' and return remaining blocks; Remove unaccelerated common
10632 code path. Enable remaining common code only if USE_AMD64_ASM defined;
10633 Remove unaccelerated common code.
10634
10635 Add bulk OCB for Serpent SSE2, AVX2 and NEON implementations.
10636 + commit adbdca0d58f9c06dc3850b95e3455e179c1e6960
10637 * cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
10638 functions for Serpent.
10639 * cipher/serpent-armv7-neon.S: Add OCB assembly functions.
10640 * cipher/serpent-avx2-amd64.S: Add OCB assembly functions.
10641 * cipher/serpent-sse2-amd64.S: Add OCB assembly functions.
10642 * cipher/serpent.c (_gcry_serpent_sse2_ocb_enc)
10643 (_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth)
10644 (_gcry_serpent_neon_ocb_enc, _gcry_serpent_neon_ocb_dec)
10645 (_gcry_serpent_neon_ocb_auth, _gcry_serpent_avx2_ocb_enc)
10646 (_gcry_serpent_avx2_ocb_dec, _gcry_serpent_avx2_ocb_auth): New
10647 prototypes.
10648 (get_l, _gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): New.
10649 * src/cipher.h (_gcry_serpent_ocb_crypt)
10650 (_gcry_serpent_ocb_auth): New.
10651 * tests/basic.c (check_ocb_cipher): Add test-vector for serpent.
10652
10653 Add bulk OCB for Twofish AMD64 implementation.
10654 + commit 7f6804c37c4b41d85fb26aa723b1c41e4a3cf278
10655 * cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
10656 functions for Twofish.
10657 * cipher/twofish-amd64.S: Add OCB assembly functions.
10658 * cipher/twofish.c (_gcry_twofish_amd64_ocb_enc)
10659 (_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth): New
10660 prototypes.
10661 (call_sysv_fn5, call_sysv_fn6, twofish_amd64_ocb_enc)
10662 (twofish_amd64_ocb_dec, twofish_amd64_ocb_auth, get_l)
10663 (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): New.
10664 * src/cipher.h (_gcry_twofish_ocb_crypt)
10665 (_gcry_twofish_ocb_auth): New.
10666 * tests/basic.c (check_ocb_cipher): Add test-vector for Twofish.
10667
10668 Add bulk OCB for Camellia AES-NI/AVX and AES-NI/AVX2 implementations.
10669 + commit bb088c6b1620504fdc79e89af27c2bf3fb02b4b4
10670 * cipher/camellia-aesni-avx-amd64.S: Add OCB assembly functions.
10671 * cipher/camellia-aesni-avx2-amd64.S: Add OCB assembly functions.
10672 * cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
10673 (_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
10674 (_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
10675 (_gcry_camellia_aesni_avx2_ocb_auth): New prototypes.
10676 (get_l, _gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): New.
10677 * cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
10678 functions for Camellia.
10679 * src/cipher.h (_gcry_camellia_ocb_crypt)
10680 (_gcry_camellia_ocb_auth): New.
10681 * tests/basic.c (check_ocb_cipher): Add test-vector for Camellia.
10682
10683 2015-07-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10684
10685 Add OCB bulk mode for AES SSSE3 implementation.
10686 + commit 620e1e0300c79943a1846a49563b04386dc60546
10687 * cipher/rijndael-ssse3-amd64.c (SSSE3_STATE_SIZE): New.
10688 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): Use
10689 'ssse3_state' for storing current SSSE3 state.
10690 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
10691 (vpaes_ssse3_cleanup): Restore SSSE3 state from 'ssse3_state'.
10692 (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
10693 (_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_cfb_enc)
10694 (_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
10695 (_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_dec)
10696 (_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_cbc_dec): Add 'ssse3_state'
10697 array.
10698 (get_l, ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_crypt)
10699 (_gcry_aes_ssse3_ocb_auth): New.
10700 * cipher/rijndael.c (_gcry_aes_ssse3_ocb_crypt)
10701 (_gcry_aes_ssse3_ocb_auth): New.
10702 (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_SSSE3]: Use SSSE3
10703 implementation for OCB.
10704
10705 2015-07-26 Peter Wu <peter@lekensteyn.nl>
10706
10707 Fix undefined behavior wrt memcpy.
10708 + commit 46c072669eb81ed610cc5b3c0dc0c75a143afbb4
10709 * cipher/cipher-gcm.c: Do not copy zero bytes from an empty buffer. Let
10710 the function continue to add padding as needed though.
10711 * cipher/mac-poly1305.c: If the caller requested to finish the hash
10712 function without a copy of the result, return immediately.
10713
10714 2015-07-23 Peter Wu <peter@lekensteyn.nl>
10715
10716 build: ignore scissor line for the commit-msg hook.
10717 + commit ada0a7d302cca97b327faaacac7a5d0b8043df88
10718 * build-aux/git-hooks/commit-msg: Stop processing more lines when the
10719 scissor line is encountered.
10720
10721 2015-07-16 Peter Wu <peter@lekensteyn.nl>
10722
10723 rsa: Fix error in comments.
10724 + commit 9cd55e8e948f0049cb23495f536decf797d072f7
10725 * cipher/rsa.c: Fix.
10726
10727 2015-07-14 Peter Wu <peter@lekensteyn.nl>
10728
10729 sexp: Fix invalid deallocation in error path.
10730 + commit 0f9532b186c1e0b54d7e7a6d76bce82b6226122b
10731 * src/sexp.c: Fix wrong condition.
10732
10733 2015-07-10 Peter Wu <peter@lekensteyn.nl>
10734
10735 ecc: fix memory leak.
10736 + commit 2a7aa3ea4d03a9c808d5888f5509c08cd27aa27c
10737 * cipher/ecc.c (ecc_verify): Release memory which was allocated before
10738 by _gcry_pk_util_preparse_sigval.
10739 (ecc_decrypt_raw): Likewise.
10740
10741 2015-07-06 NIIBE Yutaka <gniibe@fsij.org>
10742
10743 ecc: fix memory leaks.
10744 + commit 0a7547e487a8bc4e7ac9599c55579eb2e4a13f06
10745 * cipher/ecc.c (ecc_generate): Fix memory leak on error of
10746 _gcry_pk_util_parse_flaglist and _gcry_ecc_eddsa_encodepoint.
10747 (ecc_check_secret_key): Fix memory leak on error of
10748 _gcry_ecc_update_curve_param.
10749 (ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Remove
10750 unnecessary sexp_release and fix memory leak on error of
10751 _gcry_ecc_fill_in_curve.
10752 (ecc_decrypt_raw): Fix double free of the point kG and memory leak
10753 on error of _gcry_ecc_os2ec.
10754
10755 2015-06-11 NIIBE Yutaka <gniibe@fsij.org>
10756
10757 mpi: Support FreeBSD 10 or later.
10758 + commit a36ee7501f68ad7ebcfe31f9659430b9d2c3ddd1
10759 * mpi/config.links: Include FreeBSD 10 to 29.
10760
10761 2015-05-21 Werner Koch <wk@gnupg.org>
10762
10763 ecc: Add key generation flag "no-keytest".
10764 + commit 2bddd947fd1c11b4ec461576db65a5e34fea1b07
10765 * src/cipher.h (PUBKEY_FLAG_NO_KEYTEST): New.
10766 * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag
10767 "no-keytest". Return an error for invalid flags of length 10.
10768
10769 * cipher/ecc.c (nist_generate_key): Replace arg random_level by flags
10770 and set random level depending on flags.
10771 * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto.
10772 * cipher/ecc.c (ecc_generate): Pass flags to generate function and
10773 remove var random_level.
10774 (nist_generate_key): Implement "no-keytest" flag.
10775
10776 * tests/keygen.c (check_ecc_keys): Add tests for transient-key and
10777 no-keytest.
10778
10779 ecc: Avoid double conversion to affine coordinates in keygen.
10780 + commit 102d68b3bd77813a3ff989526855bb1e283bf9d7
10781 * cipher/ecc.c (nist_generate_key): Add args r_x and r_y.
10782 (ecc_generate): Rename vars. Convert to affine coordinates only if
10783 not returned by the lower level generation function.
10784
10785 random: Change initial extra seeding from 2400 bits to 128 bits.
10786 + commit 8124e357b732a719696bfd5271def4e528f2a1e1
10787 * random/random-csprng.c (read_pool): Reduce initial seeding.
10788
10789 2015-05-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10790
10791 Enable AMD64 Twofish implementation on WIN64.
10792 + commit 9b0c6c8141ae9bd056392a3f6b5704b505fc8501
10793 * cipher/twofish-amd64.S: Enable when
10794 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10795 (ELF): New macro to mask lines with ELF specific commands.
10796 * cipher/twofish.c (USE_AMD64_ASM): Enable when
10797 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10798 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
10799 (twofish_amd64_encrypt_block, twofish_amd64_decrypt_block)
10800 (twofish_amd64_ctr_enc, twofish_amd64_cbc_dec)
10801 (twofish_amd64_cfb_dec): New wrapper functions for AMD64
10802 assembly functions.
10803
10804 Enable AMD64 Serpent implementations on WIN64.
10805 + commit eb0ed576893b6c7990dbcb568510f831d246cea6
10806 * cipher/serpent-avx2-amd64.S: Enable when
10807 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10808 (ELF): New macro to mask lines with ELF specific commands.
10809 * cipher/serpent-sse2-amd64.S: Enable when
10810 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10811 (ELF): New macro to mask lines with ELF specific commands.
10812 * cipher/chacha20.c (USE_SSE2, USE_AVX2): Enable when
10813 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10814 [USE_SSE2 || USE_AVX2] (ASM_FUNC_ABI): New.
10815 (_gcry_serpent_sse2_ctr_enc, _gcry_serpent_sse2_cbc_dec)
10816 (_gcry_serpent_sse2_cfb_dec, _gcry_serpent_avx2_ctr_enc)
10817 (_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Add
10818 ASM_FUNC_ABI.
10819
10820 Enable AMD64 Salsa20 implementation on WIN64.
10821 + commit 12bc93ca8187b8061c2e705427ef22f5a71d29b0
10822 * cipher/salsa20-amd64.S: Enable when
10823 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10824 (ELF): New macro to mask lines with ELF specific commands.
10825 * cipher/salsa20.c (USE_AMD64): Enable when
10826 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10827 [USE_AMD64] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
10828 (_gcry_salsa20_amd64_keysetup, _gcry_salsa20_amd64_ivsetup)
10829 (_gcry_salsa20_amd64_encrypt_blocks): Add ASM_FUNC_ABI.
10830 [USE_AMD64] (salsa20_core): Add ASM_EXTRA_STACK.
10831 (salsa20_do_encrypt_stream) [USE_AMD64]: Add ASM_EXTRA_STACK.
10832
10833 Enable AMD64 Poly1305 implementations on WIN64.
10834 + commit 8d7de4dbf7732c6eb9e9853ad7c19c89075ace6f
10835 * cipher/poly1305-avx2-amd64.S: Enable when
10836 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10837 (ELF): New macro to mask lines with ELF specific commands.
10838 * cipher/poly1305-sse2-amd64.S: Enable when
10839 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10840 (ELF): New macro to mask lines with ELF specific commands.
10841 * cipher/poly1305-internal.h (POLY1305_SYSV_FUNC_ABI): New.
10842 (POLY1305_USE_SSE2, POLY1305_USE_AVX2): Enable when
10843 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10844 (OPS_FUNC_ABI): New.
10845 (poly1305_ops_t): Use OPS_FUNC_ABI.
10846 * cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext)
10847 (_gcry_poly1305_amd64_sse2_finish_ext)
10848 (_gcry_poly1305_amd64_sse2_blocks, _gcry_poly1305_amd64_avx2_init_ext)
10849 (_gcry_poly1305_amd64_avx2_finish_ext)
10850 (_gcry_poly1305_amd64_avx2_blocks, _gcry_poly1305_armv7_neon_init_ext)
10851 (_gcry_poly1305_armv7_neon_finish_ext)
10852 (_gcry_poly1305_armv7_neon_blocks, poly1305_init_ext_ref32)
10853 (poly1305_blocks_ref32, poly1305_finish_ext_ref32)
10854 (poly1305_init_ext_ref8, poly1305_blocks_ref8)
10855 (poly1305_finish_ext_ref8): Use OPS_FUNC_ABI.
10856
10857 Enable AMD64 3DES implementation on WIN64.
10858 + commit b65e9e71d5ee992db5c96793c6af999545daad28
10859 * cipher/des-amd64.S: Enable when
10860 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10861 (ELF): New macro to mask lines with ELF specific commands.
10862 * cipher/des.c (USE_AMD64_ASM): Enable when
10863 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10864 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
10865 (tripledes_ecb_crypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call
10866 assembly function through 'call_sysv_fn'.
10867 (tripledes_amd64_ctr_enc, tripledes_amd64_cbc_dec)
10868 (tripledes_amd64_cfb_dec): New wrapper functions for bulk
10869 assembly functions.
10870
10871 Enable AMD64 ChaCha20 implementations on WIN64.
10872 + commit 9597cfddf03c467825da152be5ca0d12a8c30d88
10873 * cipher/chacha20-avx2-amd64.S: Enable when
10874 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10875 (ELF): New macro to mask lines with ELF specific commands.
10876 * cipher/chacha20-sse2-amd64.S: Enable when
10877 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10878 (ELF): New macro to mask lines with ELF specific commands.
10879 * cipher/chacha20-ssse3-amd64.S: Enable when
10880 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10881 (ELF): New macro to mask lines with ELF specific commands.
10882 * cipher/chacha20.c (USE_SSE2, USE_SSSE3, USE_AVX2): Enable when
10883 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10884 (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
10885 (chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks)
10886 (_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks)
10887 (_gcry_chacha20_armv7_neon_blocks, chacha20_blocks): Add ASM_FUNC_ABI.
10888 (chacha20_core): Add ASM_EXTRA_STACK.
10889
10890 Enable AMD64 CAST5 implementation on WIN64.
10891 + commit 6a6646df80386204675d8b149ab60e74d7ca124c
10892 * cipher/cast5-amd64.S: Enable when
10893 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10894 (RIP): Remove.
10895 (GET_EXTERN_POINTER): Use 'leaq' version on WIN64.
10896 (ELF): New macro to mask lines with ELF specific commands.
10897 * cipher/cast5.c (USE_AMD64_ASM): Enable when
10898 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10899 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
10900 (do_encrypt_block, do_decrypt_block)
10901 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly
10902 function through 'call_sysv_fn'.
10903 (cast5_amd64_ctr_enc, cast5_amd64_cbc_dec)
10904 (cast5_amd64_cfb_dec): New wrapper functions for bulk
10905 assembly functions.
10906
10907 Enable AMD64 Camellia implementations on WIN64.
10908 + commit 9a4fb3709864bf3e3918800d44ff576590cd4e92
10909 * cipher/camellia-aesni-avx-amd64.S: Enable when
10910 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10911 (ELF): New macro to mask lines with ELF specific commands.
10912 * cipher/camellia-aesni-avx2-amd64.S: Enable when
10913 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10914 (ELF): New macro to mask lines with ELF specific commands.
10915 * cipher/camellia-glue.c (USE_AESNI_AVX, USE_AESNI_AVX2): Enable when
10916 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10917 [USE_AESNI_AVX || USE_AESNI_AVX2] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
10918 (_gcry_camellia_aesni_avx_ctr_enc, _gcry_camellia_aesni_avx_cbc_dec)
10919 (_gcry_camellia_aesni_avx_cfb_dec, _gcry_camellia_aesni_avx_keygen)
10920 (_gcry_camellia_aesni_avx2_ctr_enc, _gcry_camellia_aesni_avx2_cbc_dec)
10921 (_gcry_camellia_aesni_avx2_cfb_dec): Add ASM_FUNC_ABI.
10922
10923 Enable AMD64 Blowfish implementation on WIN64.
10924 + commit e05682093ffb003b589a697428d918d755ac631d
10925 * cipher/blowfish-amd64.S: Enable when
10926 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10927 (ELF): New macro to mask lines with ELF specific commands.
10928 * cipher/blowfish.c (USE_AMD64_ASM): Enable when
10929 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10930 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
10931 (do_encrypt, do_encrypt_block, do_decrypt_block)
10932 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly
10933 function through 'call_sysv_fn'.
10934 (blowfish_amd64_ctr_enc, blowfish_amd64_cbc_dec)
10935 (blowfish_amd64_cfb_dec): New wrapper functions for bulk
10936 assembly functions.
10938
10939 Enable AMD64 arcfour implementation on WIN64.
10940 + commit c46b015bedba7ce0db68929bd33a86a54ab3d919
10941 * cipher/arcfour-amd64.S: Enable when
10942 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10943 (ELF): New macro to mask lines with ELF specific commands.
10944 * cipher/arcfour.c (USE_AMD64_ASM): Enable when
10945 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
10946 (do_encrypt, do_decrypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Use
10947 assembly block to call AMD64 assembly function.
10948
10949 Update documentation for Poly1305-ChaCha20 AEAD, RFC-7539.
10950 + commit ee8fc4edcb3466b03246c8720b90731bf274ff1d
10951 * cipher/cipher-poly1305.c: Add RFC-7539 to header.
10952 * doc/gcrypt.texi: Update Poly1305 AEAD documentation with mention of
10953 RFC-7539; Drop Salsa from supported stream ciphers for Poly1305 AEAD.
10954
10955 hwf-x86: use edi for passing value to ebx for i386 cpuid.
10956 + commit bac42c68b069f17abcca810a21439c7233815747
10957 * src/hwf-x86.c [__i386__] (get_cpuid): Use '=D' for regs[1] instead
10958 of '=r'.
10959
10960 hwf-x86: add EDX as output register for xgetbv asm block.
10961 + commit e15beb584a5ebdfc363e1ff15f87102508652d71
10962 * src/hwf-x86.c (get_xgetbv): Add EDX as output.
10963
10964 2015-05-04 Werner Koch <wk@gnupg.org>
10965
10966 build: Update build-aux files.
10967 + commit 5a7d55eed3316f40ca61acbee032bfc285e28803
10968
10969
10970 Fix possible regression on old 32 bit mingw compilers.
10971 + commit 090ca7435156b5f52064357dd59059570d466f46
10972 * acinclude.m4: Add new pattern for mingw32.
10973
10974 build: Add new file.
10975 + commit 4af52b2e72ce004b7d8f99e09c4324e3c2a84379
10976 * mpi/amd64/distfiles: Add func_abi.h.
10977
10978 2015-05-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10979
10980 Fix WIN64 assembly glue for AES.
10981 + commit 24a769a7c7601dbb85332e550f6fbd121b56df5f
10982 * cipher/rijndael.c (do_encrypt, do_decrypt)
10983 [!HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Change input operands to
10984 input+output to mark volatile nature of the used registers.
10985
10986 Add '1 million a characters' test vectors.
10987 + commit 2f4fefdbc62857b6e2da26ce111ee140a068c471
10988 * tests/basic.c (check_digests): Add "!" test vectors for MD5, SHA-384,
10989 SHA-512, RIPEMD160 and CRC32.
10990
10991 2015-05-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
10992
10993 More optimized CRC implementations.
10994 + commit 06e122baa3321483a47bbf82fd2a4540becfa0c9
10995 * cipher/crc.c (crc32_table, crc24_table): Replace with new table
10996 contents.
10997 (update_crc32, CRC24_INIT, CRC24_POLY): Remove.
10998 (crc32_next, crc32_next4, crc24_init, crc24_next, crc24_next4)
10999 (crc24_final): New.
11000 (crc24rfc2440_init): Use crc24_init.
11001 (crc32_write): Rewrite to use crc32_next & crc32_next4.
11002 (crc24_write): Rewrite to use crc24_next & crc24_next4.
11003 (crc32_final, crc32rfc1510_final): Use buf_put_be32.
11004 (crc24rfc2440_final): Use crc24_final & buf_put_le32.
11005 * tests/basic.c (check_digests): Add CRC "123456789" tests.
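
The entry above only names the pieces (tables, next/final steps, the "123456789" check vectors). As an added example that is not libgcrypt's code, here is a table-driven CRC32 (RFC 1952/zlib parameters) and CRC24 (the OpenPGP/RFC 4880 variant that libgcrypt calls CRC24RFC2440) in the same init/next/final shape; the function and table names are assumed, not the library's.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not libgcrypt code.  Names (crc32_next, crc24_next,
 * crc32_compute, crc24rfc2440_compute) are assumptions of this example. */

static uint32_t crc32_table[256];
static uint32_t crc24_table[256];
static int tables_ready;

static void init_tables(void)
{
    /* CRC32 is bit-reflected: shift right, reflected poly 0xEDB88320. */
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
        crc32_table[i] = c;
    }
    /* CRC24 (OpenPGP) is MSB-first: shift left, poly 0x1864CFB, 24-bit register. */
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i << 16;
        for (int k = 0; k < 8; k++)
            c = (c & 0x800000u) ? ((c << 1) ^ 0x1864CFBu) : (c << 1);
        crc24_table[i] = c & 0xFFFFFFu;
    }
    tables_ready = 1;
}

/* One-byte step: index the table by the low CRC byte mixed with the input. */
static uint32_t crc32_next(uint32_t crc, uint8_t b)
{
    return crc32_table[(crc ^ b) & 0xFFu] ^ (crc >> 8);
}

/* One-byte step for the MSB-first variant: index by the top CRC byte. */
static uint32_t crc24_next(uint32_t crc, uint8_t b)
{
    return (crc24_table[((crc >> 16) ^ b) & 0xFFu] ^ (crc << 8)) & 0xFFFFFFu;
}

/* CRC32: initial value 0xFFFFFFFF, final complement. */
uint32_t crc32_compute(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    if (!tables_ready)
        init_tables();
    for (size_t i = 0; i < len; i++)
        crc = crc32_next(crc, p[i]);
    return ~crc;
}

/* CRC24 (RFC 4880 / RFC 2440): initial value 0xB704CE, no final XOR. */
uint32_t crc24rfc2440_compute(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t crc = 0xB704CEu;
    if (!tables_ready)
        init_tables();
    for (size_t i = 0; i < len; i++)
        crc = crc24_next(crc, p[i]);
    return crc & 0xFFFFFFu;
}
```

The standard check values for the constructed input "123456789" are 0xCBF43926 for CRC32 and 0x21CF02 for the OpenPGP CRC24; an empty input yields 0 and the CRC24 initial value 0xB704CE respectively. Note that a zero-length input never dereferences the buffer pointer, which matters for the memcpy-from-empty-buffer issue recorded elsewhere in this log.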
11006
11007 Enable AMD64 AES implementation for WIN64.
11008 + commit 66129b3334a5aa54ff8a97981507e4704f759571
11009 * cipher/rijndael-amd64.S: Enable when
11010 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11011 (ELF): New macro to mask lines with ELF specific commands.
11012 * cipher/rijndael-internal.h (USE_AMD64_ASM): Enable when
11013 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11014 (do_encrypt, do_decrypt)
11015 [USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Use
11016 assembly block to call AMD64 assembly encrypt/decrypt function.
11017
11018 Enable AMD64 Whirlpool implementation for WIN64.
11019 + commit 8422d5d699265b960bd1ca837044ee052fc5b614
11020 * cipher/whirlpool-sse2-amd64.S: Enable when
11021 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11022 (ELF): New macro to mask lines with ELF specific commands.
11023 * cipher/whirlpool.c (USE_AMD64_ASM): Enable when
11024 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11025 [USE_AMD64_ASM] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
11026 [USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64): Add ASM_FUNC_ABI to
11027 prototype.
11028 [USE_AMD64_ASM] (whirlpool_transform): Add ASM_EXTRA_STACK to stack
11029 burn value.
11030
11031 Enable AMD64 SHA512 implementations for WIN64.
11032 + commit 1089a13073c26a9a456e43ec38d937e6ee7f4077
11033 * cipher/sha512-avx-amd64.S: Enable when
11034 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11035 (ELF): New macro to mask lines with ELF specific commands.
11036 * cipher/sha512-avx-bmi2-amd64.S: Ditto.
11037 * cipher/sha512-ssse3-amd64.S: Ditto.
11038 * cipher/sha512.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when
11039 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11040 [USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI)
11041 (ASM_EXTRA_STACK): New.
11042 (_gcry_sha512_transform_amd64_ssse3, _gcry_sha512_transform_amd64_avx)
11043 (_gcry_sha512_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to
11044 prototypes.
11045 (transform): Add ASM_EXTRA_STACK to stack burn value.
11046
11047 Enable AMD64 SHA256 implementations for WIN64.
11048 + commit 022959099644f64df5f2a83ade21159864f64837
11049 * cipher/sha256-avx-amd64.S: Enable when
11050 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11051 (ELF): New macro to mask lines with ELF specific commands.
11052 * cipher/sha256-avx2-bmi2-amd64.S: Ditto.
11053 * cipher/sha256-ssse3-amd64.S: Ditto.
11054 * cipher/sha256.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when
11055 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11056 [USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI)
11057 (ASM_EXTRA_STACK): New.
11058 (_gcry_sha256_transform_amd64_ssse3, _gcry_sha256_transform_amd64_avx)
11059 (_gcry_sha256_transform_amd64_avx2): Add ASM_FUNC_ABI to prototypes.
11060 (transform): Add ASM_EXTRA_STACK to stack burn value.
11061
11062 Enable AMD64 SHA1 implementations for WIN64.
11063 + commit e433676a899fa0d274d40547166b03c7c8bd8e78
11064 * cipher/sha1-avx-amd64.S: Enable when
11065 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11066 (ELF): New macro to mask lines with ELF specific commands.
11067 * cipher/sha1-avx-bmi2-amd64.S: Ditto.
11068 * cipher/sha1-ssse3-amd64.S: Ditto.
11069 * cipher/sha1.c (USE_SSSE3, USE_AVX, USE_BMI2): Enable
11070 when HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
11071 [USE_SSSE3 || USE_AVX || USE_BMI2] (ASM_FUNC_ABI)
11072 (ASM_EXTRA_STACK): New.
11073 (_gcry_sha1_transform_amd64_ssse3, _gcry_sha1_transform_amd64_avx)
11074 (_gcry_sha1_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to
11075 prototypes.
11076 (transform): Add ASM_EXTRA_STACK to stack burn value.
11077
11078 2015-05-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
11079
11080 Enable AES/AES-NI, AES/SSSE3 and GCM/PCLMUL implementations on WIN64.
11081 + commit 4e09aaa36d151c3312019724a77fc09aa345b82f
11082 * cipher/cipher-gcm-intel-pclmul.c (_gcry_ghash_intel_pclmul)
11083 (_gcry_ghash_intel_pclmul) [__WIN64__]: Store non-volatile vector
11084 registers before use and restore after.
11085 * cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Remove dependency
11086 on !defined(__WIN64__).
11087 * cipher/rijndael-aesni.c [__WIN64__] (aesni_prepare_2_6_variable,
11088 aesni_prepare, aesni_prepare_2_6, aesni_cleanup)
11089 (aesni_cleanup_2_6): New.
11090 [!__WIN64__] (aesni_prepare_2_6_variable, aesni_prepare_2_6): New.
11091 (_gcry_aes_aesni_do_setkey, _gcry_aes_aesni_cbc_enc)
11092 (_gcry_aesni_ctr_enc, _gcry_aesni_cfb_dec, _gcry_aesni_cbc_dec)
11093 (_gcry_aesni_ocb_crypt, _gcry_aesni_ocb_auth): Use
11094 'aesni_prepare_2_6'.
11095 * cipher/rijndael-internal.h (USE_SSSE3): Enable if
11096 HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS or
11097 HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS.
11098 (USE_AESNI): Remove dependency on !defined(__WIN64__)
11099 * cipher/rijndael-ssse3-amd64.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
11100 (vpaes_ssse3_prepare, vpaes_ssse3_cleanup): New.
11101 [!HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): New.
11102 (vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec): Use
11103 'vpaes_ssse3_prepare'.
11104 (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption): Use
11105 'vpaes_ssse3_prepare' and 'vpaes_ssse3_cleanup'.
11106 [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (X): Add masking macro to
11107 exclude '.type' and '.size' markers from assembly code, as they are
11108 not supported on WIN64/COFF objects.
11109 * configure.ac (gcry_cv_gcc_attribute_ms_abi)
11110 (gcry_cv_gcc_attribute_sysv_abi, gcry_cv_gcc_default_abi_is_ms_abi)
11111 (gcry_cv_gcc_default_abi_is_sysv_abi)
11112 (gcry_cv_gcc_win64_platform_as_ok): New checks.
11113
11114 Add W64 support for mpi amd64 assembly.
11115 + commit 460355f23e770637d29e3af7b998a957a2b5bc88
11116 * acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Set
11117 'ac_cv_sys_symbol_underscore=no' on MingW-W64.
11118 * mpi/amd64/func_abi.h: New.
11119 * mpi/amd64/mpih-add1.S (_gcry_mpih_add_n): Add FUNC_ENTRY and FUNC_EXIT.
11120 * mpi/amd64/mpih-lshift.S (_gcry_mpih_lshift): Ditto.
11121 * mpi/amd64/mpih-mul1.S (_gcry_mpih_mul_1): Ditto.
11122 * mpi/amd64/mpih-mul2.S (_gcry_mpih_addmul_1): Ditto.
11123 * mpi/amd64/mpih-mul3.S (_gcry_mpih_submul_1): Ditto.
11124 * mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Ditto.
11125 * mpi/amd64/mpih-sub1.S (_gcry_mpih_sub_n): Ditto.
11126 * mpi/config.links [host=x86_64-*mingw*]: Enable assembly modules.
11127 [host=x86_64-*-*]: Append mpi/amd64/func_abi.h to mpi/asm-syntax.h.
11128
11129 DES: Silence compiler warnings on Windows.
11130 + commit 6c21cf5fed1ad430fa41445eac2350802bc8aaed
11131 * cipher/des.c (working_memcmp): Make pointer arguments 'const void *'.
11132
11133 Cast pointers to integers using uintptr_t instead of long.
11134 + commit 9cf224322007d90193d4910f0da6e0e29ce01d70
11135
11136
11137 Fix rndhw for 64-bit Windows build.
11138 + commit d5a7e00b6b222566a5650639ef29684b047c1909
11139 * configure.ac: Add sizeof check for 'void *'.
11140 * random/rndhw.c (poll_padlock): Check for SIZEOF_VOID_P == 8
11141 instead of defined(__LP64__).
11142 (RDRAND_LONG): Check for SIZEOF_UNSIGNED_LONG == 8 instead of
11143 defined(__LP64__).
11144
11145 Prepare random/win32.c fast poll for 64-bit Windows.
11146 + commit 0cdd24456b33defc7f8176fa82ab694fbc284385
11147 * random/win32.c (_gcry_rndw32_gather_random_fast) [ADD]: Rename to
11148 ADDINT.
11149 (_gcry_rndw32_gather_random_fast): Add ADDPTR.
11150 (_gcry_rndw32_gather_random_fast): Disable entropy gathering from
11151 GetQueueStatus(QS_ALLEVENTS).
11152 (_gcry_rndw32_gather_random_fast): Change minimumWorkingSetSize and
11153 maximumWorkingSetSize to SIZE_T from DWORD.
11154 (_gcry_rndw32_gather_random_fast): Only add lower 32-bits of
11155 minimumWorkingSetSize and maximumWorkingSetSize to random poll.
11156 (_gcry_rndw32_gather_random_fast) [__WIN64__]: Read TSC directly
11157 using intrinsic.
11158
11159 Disable GCM and AES-NI assembly implementations for WIN64.
11160 + commit f701954555340a503f6e52cc18d58b0c515427b7
11161 * cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Do not enable when
11162 __WIN64__ defined.
11163 * cipher/rijndael-internal.h (USE_AESNI): Ditto.
11164
11165 Disable building mpi assembly routines on WIN64.
11166 + commit e78560a4b717f7154f910a8ce4128de152f586da
11167 * mpi/config.links: Disable assembly for host 'x86_64-*mingw32*'.
11168
11169 Fix packed attribute check for Windows targets.
11170 + commit e886e4f5e73fe6a9f9191f5155852ce5d8bb88fe
11171 * configure.ac (gcry_cv_gcc_attribute_packed): Move 'long b' to its
11172 own packed structure.
11173
11174 Fix tail handling in buf_xor_1.
11175 + commit c2dba93e639639bdac139b3a3a456d10ddc61f79
11176 * cipher/bufhelp.h (buf_xor_1): Increment source pointer at tail
11177 handling.
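
The entry above records a one-token fix in a bulk XOR helper. As an added example that is not libgcrypt's bufhelp.h, the block below reconstructs the shape of that bug class: a word-at-a-time in-place XOR whose byte-wise tail loop forgets to advance the source pointer, beside the corrected form, plus a check that counts corrupted tail bytes. All names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libgcrypt code.  buf_xor_1_buggy/buf_xor_1_fixed and
 * count_tail_mismatches are names chosen for this illustration. */

/* XOR whole machine words while at least one word remains; advances all
 * three cursors so the caller can finish the tail byte by byte. */
static void xor_words(unsigned char **dst, const unsigned char **src, size_t *len)
{
    uintptr_t d, s;
    while (*len >= sizeof(uintptr_t)) {
        memcpy(&d, *dst, sizeof d);   /* memcpy keeps the loads alignment-safe */
        memcpy(&s, *src, sizeof s);
        d ^= s;
        memcpy(*dst, &d, sizeof d);
        *dst += sizeof d;
        *src += sizeof s;
        *len -= sizeof d;
    }
}

/* Buggy tail: every remaining byte is XORed with the same source byte. */
void buf_xor_1_buggy(void *vdst, const void *vsrc, size_t len)
{
    unsigned char *dst = vdst;
    const unsigned char *src = vsrc;
    xor_words(&dst, &src, &len);
    for (; len; len--)
        *dst++ ^= *src;             /* BUG: src is never incremented */
}

/* Fixed tail: the source cursor advances together with the destination. */
void buf_xor_1_fixed(void *vdst, const void *vsrc, size_t len)
{
    unsigned char *dst = vdst;
    const unsigned char *src = vsrc;
    xor_words(&dst, &src, &len);
    for (; len; len--)
        *dst++ ^= *src++;
}

/* Runs one variant over a constructed 11-byte buffer (a 3-byte tail on both
 * 32- and 64-bit) and returns how many output bytes differ from dst ^ src. */
int count_tail_mismatches(void (*fn)(void *, const void *, size_t))
{
    unsigned char dst[11], src[11], expect[11];
    int bad = 0;
    for (size_t i = 0; i < sizeof dst; i++) {
        dst[i] = (unsigned char)(0xA0 + i);        /* constructed sample data */
        src[i] = (unsigned char)(i * 17 + 1);
        expect[i] = dst[i] ^ src[i];
    }
    fn(dst, src, sizeof dst);
    for (size_t i = 0; i < sizeof dst; i++)
        bad += dst[i] != expect[i];
    return bad;
}
```

Only the first tail byte comes out right in the buggy variant, so the check reports two corrupted bytes for an 11-byte input and zero for the fixed one. A helper like this sits under CTR and CFB processing of partial blocks, so an input length that is not a multiple of the word size is the case a test suite has to cover; inputs of odd lengths are what expose this class of defect.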
11178
11179 Add --disable-hwf for basic tests.
11180 + commit 839a3bbe2bb045139223b32753d656cc6c3d4669
11181 * tests/basic.c (main): Add handling for '--disable-hwf'.
11182
11183 Use more odd chunk sizes for check_one_md.
11184 + commit 9f086ffa43f2507b9d17522a0a2e394cb273baf8
11185 * tests/basic.c (check_one_md): Make chunk size vary oddly, instead
11186 of using fixed length of 1000 bytes.
11187
11188 Enable more modes in basic ciphers test.
11189 + commit e40eff94f9f8654c3d29e03bbb7e5ee6a43c1435
11190 * src/gcrypt.h.in (GCRY_OCB_BLOCK_LEN): New.
11191 * tests/basic.c (check_one_cipher_core_reset): New.
11192 (check_one_cipher_core): Use check_one_cipher_core_reset in place of
11193 gcry_cipher_reset.
11194 (check_ciphers): Add CCM and OCB modes for block cipher tests.
11195
11196 Fix resetting cipher in OCB mode.
11197 + commit 88842cbc68beb4f73c87fdbcb74182cba818f789
11198 * cipher/cipher.c (cipher_reset): Setup default taglen for OCB after
11199 clearing state.
11200
11201 2015-04-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
11202
11203 Fix buggy RC4 AMD64 assembly and add test to notice similar issues.
11204 + commit 124dfce7c5a2d9405fa2b2832e91ac1267943830
11205 * cipher/arcfour-amd64.S (_gcry_arcfour_amd64): Fix swapped store of
11206 'x' and 'y'.
11207 * tests/basic.c (get_algo_mode_blklen): New.
11208 (check_one_cipher_core): Add new tests for split buffer input on
11209 encryption and decryption.
11210
11211 2015-04-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
11212
11213 Disallow compiler from generating SSE instructions in mixed C+asm source
11214 + commit f88266c0f868d7bf51a215d5531bb9f2b4dad19e
11215 * cipher/cipher-gcm-intel-pclmul.c [gcc-version >= 4.4]: Add GCC target
11216 pragma to disable compiler use of SSE.
11217 * cipher/rijndael-aesni.c [gcc-version >= 4.4]: Ditto.
11218 * cipher/rijndael-ssse3-amd64.c [gcc-version >= 4.4]: Ditto.
11219
11220 2015-04-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
11221
11222 Add OCB bulk crypt/auth functions for AES/AES-NI.
11223 + commit 305cc878d395475c46b4ef52f4764bd0c85bf8ac
11224 * cipher/cipher-internal.h (gcry_cipher_handle): Add bulk.ocb_crypt
11225 and bulk.ocb_auth.
11226 (_gcry_cipher_ocb_get_l): New prototype.
11227 * cipher/cipher-ocb.c (get_l): Rename to ...
11228 (_gcry_cipher_ocb_get_l): ... this.
11229 (_gcry_cipher_ocb_authenticate, ocb_crypt): Use bulk function when
11230 available.
11231 * cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
11232 functions for AES.
11233 * cipher/rijndael-aesni.c (get_l, aesni_ocb_enc, aes_ocb_dec)
11234 (_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): New.
11235 * cipher/rijndael.c [USE_AESNI] (_gcry_aes_aesni_ocb_crypt)
11236 (_gcry_aes_aesni_ocb_auth): New prototypes.
11237 (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New.
11238 * src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New
11239 prototypes.
11240 * tests/basic.c (check_ocb_cipher_largebuf): New.
11241 (check_ocb_cipher): Add large buffer encryption/decryption test.
11242
11243 2015-04-15 Werner Koch <wk@gnupg.org>
11244
11245 tests: Add option to time the S2K function.
11246 + commit fe38d3815b4cd203cd529949e244aca80d32897f
11247 * tests/t-kdf.c: Include stopwatch.h.
11248 (dummy_consumer): New.
11249 (bench_s2k): New.
11250 (main): Add option parser and option --s2k.
11251
11252 tests: Improve stopwatch.h.
11253 + commit 3b03a3b493233a472da531d8d9582d1be6d376b0
11254 * tests/stopwatch.h (elapsed_time): Add arg divisor.
11255
11256 2015-04-13 Werner Koch <wk@gnupg.org>
11257
11258 mpi: Fix gcry_mpi_copy for NULL opaque data.
11259 + commit 9fca46864e1b5a9c788072113589454adb89fa97
11260 * mpi/mpiutil.c (_gcry_mpi_copy): Copy opaque only if needed.
11261
11262 2015-03-21 Jussi Kivilinna <jussi.kivilinna@iki.fi>
11263
11264 wipememory: use one-byte aligned type for unaligned memory accesses.
11265 + commit a06fbc0d1e98eb1218eff55ad2f37d471e4f33b2
11266 * src/g10lib.h (fast_wipememory2_unaligned_head): Enable unaligned
11267 access only when HAVE_GCC_ATTRIBUTE_PACKED and
11268 HAVE_GCC_ATTRIBUTE_ALIGNED defined.
11269 (fast_wipememory_t): New.
11270 (fast_wipememory2): Use 'fast_wipememory_t'.
11271
11272 bufhelp: use one-byte aligned type for unaligned memory accesses.
11273 + commit 92fa5f16d69707e302c0f85b2e5e80af8dc037f1
11274 * cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only when
11275 HAVE_GCC_ATTRIBUTE_PACKED and HAVE_GCC_ATTRIBUTE_ALIGNED are defined.
11276 (bufhelp_int_t): New type.
11277 (buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst, buf_xor_n_copy_2): Use
11278 'bufhelp_int_t'.
11279 [BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_u32_t, bufhelp_u64_t): New.
11280 [BUFHELP_FAST_UNALIGNED_ACCESS] (buf_get_be32, buf_get_le32)
11281 (buf_put_be32, buf_put_le32, buf_get_be64, buf_get_le64)
11282 (buf_put_be64, buf_put_le64): Use 'bufhelp_uXX_t'.
11283 * configure.ac (gcry_cv_gcc_attribute_packed): New.
11284
11285 tests/bench-slope: fix memory-leak and use-after-free bugs.
11286 + commit aa234561d00c3fb15fe501df4bf58f3db7c7c06b
11287 * tests/bench-slope.c (do_slope_benchmark): Free 'measurements' at end.
11288 (bench_mac_init): Move 'key' free at end of function.
11289
11290 2015-03-19 Werner Koch <wk@gnupg.org>
11291
11292 Fix two pedantic warnings.
11293 + commit f5832285b0e420d77be1b8da10a1e1d86583b414
11294 * src/gcrypt.h.in (gcry_mpi_flag, gcry_mac_algos): Remove trailing
11295 comma.
11296
11297 2015-03-16 Werner Koch <wk@gnupg.org>
11298
11299 Use well defined type instead of size_t in secmem.c.
11300 + commit db8ae3616987fa288173446398a107e31e2e28aa
11301 * src/secmem.c (ptr_into_pool_p): Replace size_t by uintptr_t.
11302
11303 Make uintptr_t global available.
11304 + commit f0f60c1a04d664936bcf52e8f46705bdc63e7ad9
11305 * cipher/bufhelp.h: Move include for uintptr_t to ...
11306 * src/types.h: here. Check that config.h has been included.
11307
11308 mpi: Remove useless condition.
11309 + commit 0a9cdb8ae092d050ca12a7a4f2f50e25b82154ec
11310 * mpi/mpi-pow.c: Remove condition rp==mp.
11311
11312 cipher: Remove useless NULL check.
11313 + commit fbb97dcf763e28e81e01092ad4c934b3eaf88cc8
11314 * cipher/hash-common.c (_gcry_md_block_write): Remove NUL check for
11315 hd->buf.
11316
11317 2015-02-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
11318
11319 Fix in-place encryption for OCB mode.
11320 + commit 5e66a4f8d5a63f58caeee367433dd8dd32346083
11321 * cipher/cipher-ocb.c (ocb_checksum): New.
11322 (ocb_crypt): Move checksum calculation outside main crypt loop, do
11323 checksum calculation for encryption before inbuf is overwritten.
11324 * tests/basic.c (check_ocb_cipher): Rename to ...
11325 (do_check_ocb_cipher): ... to this and add argument for testing
11326 in-place encryption/decryption.
11327 (check_ocb_cipher): New.
11328
11329 2015-02-27 NIIBE Yutaka <gniibe@fsij.org>
11330
11331 tests: fix t-sexp.c.
11332 + commit 505decf5369970219ddc9e78a20f97c623957b78
11333 * tests/t-sexp.c (bug_1594): Free N and PUBKEY.
11334
11335 mpi: Avoid data-dependent timing variations in mpi_powm.
11336 + commit 6636c4fd0c6ceab9f79827bf96967d1e112c0b82
11337 * mpi/mpi-pow.c (mpi_powm): Access all data in the table by
11338 mpi_set_cond.
11339
11340 mpi: Revise mpi_powm.
11341 + commit 1fa8cdb933505960d4e4b4842b122d4e06953e88
11342 * mpi/mpi-pow.c (_gcry_mpi_powm): Rename the table to PRECOMP.
11343
11344 2015-02-23 Werner Koch <wk@gnupg.org>
11345
11346 cipher: Use ciphertext blinding for Elgamal decryption.
11347 + commit 410d70bad9a650e3837055e36f157894ae49a57d
11348 * cipher/elgamal.c (USE_BLINDING): New.
11349 (decrypt): Rewrite to use ciphertext blinding.
11350
11351 2015-02-12 NIIBE Yutaka <gniibe@fsij.org>
11352
11353 mpi: Add mpi_set_cond.
11354 + commit 653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288
11355 * mpi/mpiutil.c (_gcry_mpi_set_cond): New.
11356 (_gcry_mpi_swap_cond): Fix types.
11357 * src/mpi.h (mpi_set_cond): New.
11358
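As an added illustration of the technique the mpi_powm (2015-02-27) and mpi_set_cond (2015-02-12) entries above describe, and not libgcrypt's own code, the sketch below contrasts a direct PRECOMP[k] read, whose address leaks the secret window index k through the cache, with a mask-based conditional copy that touches every entry and keeps only the wanted one; the names ct_mask, ct_eq, ct_set_cond, ct_table_lookup and the 16-entry, 4-limb table are this example's own.

```c
/* Added example, not libgcrypt code: constant-time table access in the
 * spirit of the mpi_set_cond / mpi_powm entries.  Names and the
 * 16-entry table are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t limb_t;
#define NLIMBS     4    /* limbs per table entry (constructed size) */
#define TABLE_SIZE 16   /* 2^4 entries, as for a 4-bit exponent window */

/* 0/1 flag -> all-zero / all-one limb mask, without a branch. */
limb_t ct_mask(unsigned flag)
{
    return (limb_t)0 - (limb_t)(flag & 1u);
}

/* 1 if a == b, else 0, computed without a data-dependent branch:
 * (x | -x) has its top bit set exactly when x != 0. */
unsigned ct_eq(size_t a, size_t b)
{
    size_t x = a ^ b;
    return (unsigned)(((x | ((size_t)0 - x)) >> (sizeof(size_t) * 8 - 1)) ^ 1u);
}

/* dst = cond ? src : dst.  Every limb of both arrays is read and every
 * limb of dst is written regardless of cond, so neither the branch
 * predictor nor the cache sees which case was taken. */
void ct_set_cond(limb_t *dst, const limb_t *src, size_t n, unsigned cond)
{
    limb_t m = ct_mask(cond);
    for (size_t i = 0; i < n; i++)
        dst[i] = (src[i] & m) | (dst[i] & ~m);
}

/* Leaky form: the address read depends on idx, so a cache-timing
 * observer can learn idx (the pattern the mpi_powm entry removes). */
void leaky_table_lookup(limb_t *out, limb_t table[][NLIMBS], size_t idx)
{
    memcpy(out, table[idx], NLIMBS * sizeof(limb_t));
}

/* Constant-time form: scan the whole table, keep only entry idx. */
void ct_table_lookup(limb_t *out, limb_t table[][NLIMBS],
                     size_t entries, size_t idx)
{
    memset(out, 0, NLIMBS * sizeof(limb_t));
    for (size_t k = 0; k < entries; k++)
        ct_set_cond(out, table[k], NLIMBS, ct_eq(k, idx));
}

/* Self-check on a constructed table where entry k = {k, 3k, 5k, 7k}:
 * returns 1 when the constant-time lookup matches direct indexing,
 * 0 for an out-of-range idx. */
int ct_lookup_selfcheck(size_t idx)
{
    limb_t table[TABLE_SIZE][NLIMBS];
    limb_t got[NLIMBS], want[NLIMBS];
    for (size_t k = 0; k < TABLE_SIZE; k++) {
        table[k][0] = (limb_t)k;
        table[k][1] = (limb_t)(3 * k);
        table[k][2] = (limb_t)(5 * k);
        table[k][3] = (limb_t)(7 * k);
    }
    if (idx >= TABLE_SIZE)
        return 0;
    leaky_table_lookup(want, table, idx);
    ct_table_lookup(got, table, TABLE_SIZE, idx);
    return memcmp(got, want, sizeof got) == 0;
}
```

The scan costs TABLE_SIZE copies per window instead of one, which is the price the mpi_powm change pays for an access pattern independent of the exponent.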
2015-01-30 Werner Koch <wk@gnupg.org>

w32: Use -static-libgcc to avoid linking to libgcc_s_sjlj-1.dll.
+ commit 40a7bdf50e19faaf106470897fed72af623adc50
* src/Makefile.am (extra_ltoptions): New.
(libgcrypt_la_LDFLAGS): Use it.

2015-01-28 Werner Koch <wk@gnupg.org>

Fix building of GOST s-boxes when cross-compiling.
+ commit 2564d204e408b296425ac0660c6bdc6270575fb6
* cipher/Makefile.am (gost-s-box): Use CC_FOR_BUILD.
(noinst_PROGRAMS): Remove.
(EXTRA_DIST): New.
(CLEANFILES): New.

2015-01-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>

rijndael: fix wrong ifdef for SSSE3 setkey.
+ commit ceaa97f0d849c07f3a15b642fc3a2b0a477b4a47
* cipher/rijndael.c (do_setkey): Use USE_SSSE3 instead of USE_AESNI
around SSSE3 setkey selection.

2015-01-16 Werner Koch <wk@gnupg.org>

Add OCB cipher mode.
+ commit 067d7d8752d4d8a98f8e0e5e9b1a5b13e1b7ff9c
* cipher/cipher-ocb.c: New.
* cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-ocb.c.
* cipher/cipher-internal.h (OCB_BLOCK_LEN, OCB_L_TABLE_SIZE): New.
(gcry_cipher_handle): Add fields marks.finalize and u_mode.ocb.
* cipher/cipher.c (_gcry_cipher_open_internal): Add OCB mode.
(_gcry_cipher_open_internal): Setup default taglen of OCB.
(cipher_reset): Clear OCB specific data.
(cipher_encrypt, cipher_decrypt, _gcry_cipher_authenticate)
(_gcry_cipher_gettag, _gcry_cipher_checktag): Call OCB functions.
(_gcry_cipher_setiv): Add OCB specific nonce setting.
(_gcry_cipher_ctl): Add GCRYCTL_FINALIZE and GCRYCTL_SET_TAGLEN.

* src/gcrypt.h.in (GCRYCTL_SET_TAGLEN): New.
(gcry_cipher_final): New.

* cipher/bufhelp.h (buf_xor_1): New.

* tests/basic.c (hex2buffer): New.
(check_ocb_cipher): New.
(main): Call it here. Add option --cipher-modes.
* tests/bench-slope.c (bench_aead_encrypt_do_bench): Call
gcry_cipher_final.
(bench_aead_decrypt_do_bench): Ditto.
(bench_aead_authenticate_do_bench): Ditto. Check error code.
(bench_ocb_encrypt_do_bench): New.
(bench_ocb_decrypt_do_bench): New.
(bench_ocb_authenticate_do_bench): New.
(ocb_encrypt_ops): New.
(ocb_decrypt_ops): New.
(ocb_authenticate_ops): New.
(cipher_modes): Add them.
(cipher_bench_one): Skip wrong block length for OCB.
* tests/benchmark.c (cipher_bench): Add field noncelen to MODES. Add
OCB support.

2015-01-15 Werner Koch <wk@gnupg.org>

Add functions to count trailing zero bits in a word.
+ commit 9d2a22c94ae99f9301321082c4fb8d73f4085fda
* cipher/bithelp.h (_gcry_ctz, _gcry_ctz64): New.
* configure.ac (HAVE_BUILTIN_CTZ): Add new test.

2015-01-08 Werner Koch <wk@gnupg.org>

cipher: Prepare for OCB mode.
+ commit 9d328962660da72f094dc5424d5ef67abbaffdf6
* src/gcrypt.h.in (GCRY_CIPHER_MODE_OCB): New.

2015-01-06 Werner Koch <wk@gnupg.org>

Make make distcheck work again.
+ commit 4f7dcdc25af269b12275126edeef30b262fb891d
* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-ciphers.
* cipher/Makefile.am (DISTCLEANFILES): Add gost-sb.h.

2015-01-06 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

stribog: Reduce table size to the needed one.
+ commit e4de52378a85cf383994ded8edf0d5cf98dcb10c
* cipher/stribog.c (C16): Avoid allocating superfluous space.

gostr3411-94: Fix the iteration count for length filling loop.
+ commit 05dc5bcd234909ae9c9366b653346076b9a834ed
* cipher/gostr3411-94.c (gost3411_final): Fix loop.

2015-01-05 Werner Koch <wk@gnupg.org>

random: Silence warning under NetBSD using rndunix.
+ commit 817472358a093438e802380caecf7139406400cf
* random/rndunix.c (STDERR_FILENO): Define if needed.
(start_gatherer): Re-open standard descriptors. Fix an
unsigned/signed pointer warning.

primegen: Fix memory leak for invalid call sequences.
+ commit 8c5eee51d9a25b143e41ffb7ff4a6b2a29b82d83
* cipher/primegen.c (prime_generate_internal): Refactor generator code
to not leak memory for non-implemented feature.
(_gcry_prime_group_generator): Refactor to not leak memory for invalid
args. Also make sure that R_G is set as soon as possible.

doc: Update yat2m to current upstream version (GnuPG).
+ commit dd5df198727ea5d8f6b04288e14fd732051453c8


build: Require automake 1.14.
+ commit f65276970a6dcd6d9bca94cecc49b68acdcc9492
* configure.ac (AM_INIT_AUTOMAKE): Add serial-tests.

Replace camel case of internal scrypt functions.
+ commit 1a6d65ac0aab335541726d02f2046d883a768ec3
* cipher/scrypt.c (_salsa20_core): Rename to salsa20_core. Change
callers.
(_scryptBlockMix): Rename to scrypt_block_mix. Change callers.
(_scryptROMix): Rename to scrypt_ro_mix. Change callers.

2015-01-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>

rmd160: restore native-endian store in _gcry_rmd160_mixblock.
+ commit d7c7453cf5e6b8f3c6b522a30e680f844a28c9de
* cipher/rmd160.c (_gcry_rmd160_mixblock): Store result to buffer in
native endianness.

2014-12-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>

Add Intel SSSE3 based vector permutation AES implementation.
+ commit 8eabecc883332156adffc1df42d27f614c157e06
* cipher/Makefile.am: Add 'rijndael-ssse3-amd64.c'.
* cipher/rijndael-internal.h (USE_SSSE3): New.
(RIJNDAEL_context_s) [USE_SSSE3]: Add 'use_ssse3'.
* cipher/rijndael-ssse3-amd64.c: New.
* cipher/rijndael.c [USE_SSSE3] (_gcry_aes_ssse3_do_setkey)
(_gcry_aes_ssse3_prepare_decryption, _gcry_aes_ssse3_encrypt)
(_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_enc)
(_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
(_gcry_aes_ssse3_cfb_dec, _gcry_aes_ssse3_cbc_dec): New.
(do_setkey): Add HWF check for SSSE3 and setup for SSSE3
implementation.
(prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec): Add
selection for SSSE3 implementation.
* configure.ac [host=x86_64]: Add 'rijndael-ssse3-amd64.lo'.

2014-12-25 Jussi Kivilinna <jussi.kivilinna@iki.fi>

random-csprng: fix compiler warnings on ARM.
+ commit c2e1f8fea271f3ef8027809547c4a52e0b1e24a2
* random/random-csprng.c (_gcry_rngcsprng_update_seed_file)
(read_pool): Cast keypool and rndpool to 'unsigned long *' through
'void *'.

scrypt: fix compiler warnings on ARM.
+ commit 1dab4c9422bf0f3cdc7a4d3ccf9db090abd90e94
* cipher/scrypt.c (_scryptBlockMix): Cast X to 'u32 *' through 'void *'.

secmem: fix compiler warnings on ARM.
+ commit 99faf9cb34f872144313403f29f3379798debfc9
* src/secmem.c (ADDR_TO_BLOCK, mb_get_next, mb_get_new): Cast pointer
from 'char *' to 'memblock_t *' through 'void *'.
(MB_WIPE_OUT): Remove unneeded cast to 'memblock_t *'.

hash: fix compiler warning on ARM.
+ commit 4515315f61fbf79413e150fbd1d5f5a2435f2bc5
* cipher/md.c (md_open, md_copy): Cast 'char *' to ctx through
'void *'.
* cipher/md4.c (md4_final): Use buf_put_* helper instead of
converting 'char *' to 'u32 *'.
* cipher/md5.c (md5_final): Ditto.
* cipher/rmd160.c (_gcry_rmd160_mixblock, rmd160_final): Ditto.
* cipher/sha1.c (sha1_final): Ditto.
* cipher/sha256.c (sha256_final): Ditto.
* cipher/sha512.c (sha512_final): Ditto.
* cipher/tiger.c (tiger_final): Ditto.

rijndael: fix compiler warnings on ARM.
+ commit cc26106dbebeb84d481661813edc3e5aea9a7d99
* cipher/rijndael-internal.h (RIJNDAEL_context_s): Add u32 variants of
keyschedule arrays to unions u1 and u2.
(keyschedenc32, keyscheddec32): New.
* cipher/rijndael.c (u32_a_t): Remove.
(do_setkey): Add and use tkk[].data32, k_u32, tk_u32 and W_u32; Remove
casting byte arrays to u32_a_t.
(prepare_decryption, do_encrypt_fn, do_decrypt_fn): Use keyschedenc32
and keyscheddec32; Remove casting byte arrays to u32_a_t.

2014-12-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>

Poly1305-AEAD: updated implementation to match draft-irtf-cfrg-chacha20-poly1305-03.
+ commit 520070e02e2e6ee7228945015573a6e1f4895ec3
* cipher/cipher-internal.h (gcry_cipher_handle): Use separate byte
counters for AAD and data in Poly1305.
* cipher/cipher-poly1305.c (poly1305_fill_bytecount): Remove.
(poly1305_fill_bytecounts, poly1305_do_padding): New.
(poly1305_aad_finish): Fill padding to Poly1305 and do not fill AAD
length.
(_gcry_cipher_poly1305_authenticate, _gcry_cipher_poly1305_encrypt)
(_gcry_cipher_poly1305_decrypt): Update AAD and data length separately.
(_gcry_cipher_poly1305_tag): Fill padding and bytecounts to Poly1305.
(_gcry_cipher_poly1305_setkey, _gcry_cipher_poly1305_setiv): Reset
AAD and data byte counts; only allow 96-bit IV.
* cipher/cipher.c (_gcry_cipher_open_internal): Limit Poly1305-AEAD to
ChaCha20 cipher.
* tests/basic.c (_check_poly1305_cipher): Update test-vectors.
(check_ciphers): Limit Poly1305-AEAD checks to ChaCha20.
* tests/bench-slope.c (cipher_bench_one): Ditto.

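As an added example, not libgcrypt's implementation, the block below lays out the bytes that the draft-03 Poly1305-AEAD construction described in the entry above feeds to Poly1305: the AAD and the ciphertext each padded to a 16-byte boundary, followed by the two byte counts as separate 64-bit little-endian words; the function names and the sizes used in the self-check are this example's own.

```c
/* Added example, not libgcrypt code: the Poly1305 input that the
 * draft-irtf-cfrg-chacha20-poly1305-03 AEAD construction authenticates.
 * Function names here are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Number of zero bytes that bring n up to a multiple of 16. */
static size_t pad16_len(size_t n)
{
    return (16 - (n % 16)) % 16;
}

static void put_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Total length of the MAC input for given AAD and ciphertext lengths:
 * AAD | pad16 | ciphertext | pad16 | len(AAD) LE64 | len(ct) LE64 */
size_t poly1305_aead_mac_len(size_t aadlen, size_t ctlen)
{
    return aadlen + pad16_len(aadlen) + ctlen + pad16_len(ctlen) + 16;
}

/* Writes the MAC input into out; returns bytes written, or 0 if out is
 * too small.  The two length fields are kept apart, which is why the
 * entry above tracks AAD and data byte counts separately. */
size_t poly1305_aead_mac_input(uint8_t *out, size_t outlen,
                               const uint8_t *aad, size_t aadlen,
                               const uint8_t *ct, size_t ctlen)
{
    size_t need = poly1305_aead_mac_len(aadlen, ctlen);
    uint8_t *p = out;
    if (outlen < need)
        return 0;
    memcpy(p, aad, aadlen);             p += aadlen;
    memset(p, 0, pad16_len(aadlen));    p += pad16_len(aadlen);
    memcpy(p, ct, ctlen);               p += ctlen;
    memset(p, 0, pad16_len(ctlen));     p += pad16_len(ctlen);
    put_le64(p, (uint64_t)aadlen);      /* AAD count, not interleaved  */
    put_le64(p + 8, (uint64_t)ctlen);   /* data count, after the data  */
    return need;
}

/* Self-check with constructed sizes (12-byte AAD, 114-byte ciphertext):
 * returns 1 if padding and length fields land where the construction
 * puts them (AAD 0..11, pad 12..15, ct 16..129, pad 130..143,
 * lengths at 144 and 152). */
int poly1305_aead_layout_selfcheck(void)
{
    uint8_t aad[12], ct[114], buf[256];
    size_t n;
    memset(aad, 0xAA, sizeof aad);
    memset(ct, 0xCC, sizeof ct);
    n = poly1305_aead_mac_input(buf, sizeof buf,
                                aad, sizeof aad, ct, sizeof ct);
    if (n != 160) return 0;
    if (buf[11] != 0xAA || buf[12] != 0 || buf[15] != 0) return 0;
    if (buf[16] != 0xCC || buf[129] != 0xCC || buf[130] != 0) return 0;
    if (buf[144] != 12 || buf[152] != 114) return 0;
    return buf[145] == 0 && buf[159] == 0;
}
```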
chacha20: allow setting counter for stream random access.
+ commit 11b8d2d449a7bc664b4371ae14c57caa6704d272
* cipher/chacha20.c (CHACHA20_CTR_SIZE): New.
(chacha20_ivsetup): Add setup for full counter.
(chacha20_setiv): Allow ivlen == CHACHA20_CTR_SIZE.

gcm: do not pass extra key pointer for setupM/fillM.
+ commit c964321c8a1328e89d636d899a45d68802f5ac9f
* cipher/cipher-gcm-intel-pclmul.c
(_gcry_ghash_setup_intel_pclmul): Remove 'h' parameter.
* cipher/cipher-gcm.c (_gcry_ghash_setup_intel_pclmul): Ditto.
(fillM): Get 'h' pointer from 'c'.
(setupM): Remove 'h' parameter.
(_gcry_cipher_gcm_setkey): Only pass 'c' to setupM.

rijndael: use more compact look-up tables and add table prefetching.
+ commit 2374753938df64f6fd8015b44613806a326eff1a
* cipher/rijndael-internal.h (rijndael_prefetchfn_t): New.
(RIJNDAEL_context): Add 'prefetch_enc_fn' and 'prefetch_dec_fn'.
* cipher/rijndael-tables.h (S, T1, T2, T3, T4, T5, T6, T7, T8, S5, U1)
(U2, U3, U4): Remove.
(encT, dec_tables, decT, inv_sbox): Add.
* cipher/rijndael.c (_gcry_aes_amd64_encrypt_block)
(_gcry_aes_amd64_decrypt_block, _gcry_aes_arm_encrypt_block)
(_gcry_aes_arm_encrypt_block): Add parameter for passing table pointer
to assembly implementation.
(prefetch_table, prefetch_enc, prefetch_dec): New.
(do_setkey): Setup context prefetch functions depending on selected
rijndael implementation; Use new tables for key setup.
(prepare_decryption): Use new tables for decryption key setup.
(do_encrypt_aligned): Rename to...
(do_encrypt_fn): ... to this, change to use new compact tables,
handle unaligned input and unroll rounds loop by two.
(do_encrypt): Remove handling of unaligned input/output; pass table
pointer to assembly implementations.
(rijndael_encrypt, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec): Prefetch encryption tables
before encryption.
(do_decrypt_aligned): Rename to...
(do_decrypt_fn): ... to this, change to use new compact tables,
handle unaligned input and unroll rounds loop by two.
(do_decrypt): Remove handling of unaligned input/output; pass table
pointer to assembly implementations.
(rijndael_decrypt, _gcry_aes_cbc_dec): Prefetch decryption tables
before decryption.
* cipher/rijndael-amd64.S: Use 1+1.25 KiB tables for
encryption+decryption; remove tables from assembly file.
* cipher/rijndael-arm.S: Ditto.

2014-12-15 Werner Koch <wk@gnupg.org>

build: Add configure option --disable-doc.
+ commit ad50e360ef4851e66e51a03fc420175636336b58
* Makefile.am (AUTOMAKE_OPTIONS): Remove.
(doc) [!BUILD_DOC]: Do not recurse into the dir.
* configure.ac (AM_INIT_AUTOMAKE): Add option formerly in Makefile.am.
(BUILD_DOC): Add new am_conditional.

2014-12-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>

rijndael: further optimizations for AES-NI accelerated CBC and CFB bulk modes.
+ commit 4f46374502eb988d701b904f83819e2cf7b1755c
* cipher/rijndael-aesni.c (do_aesni_enc, do_aesni_dec): Pass
input/output through SSE register XMM0.
(do_aesni_cfb): Remove.
(_gcry_aes_aesni_encrypt, _gcry_aes_aesni_decrypt): Add loading/storing
input/output to/from XMM0.
(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
(_gcry_aes_aesni_cfb_dec): Update to use renewed 'do_aesni_enc' and
move IV loading/storing outside loop.
(_gcry_aes_aesni_cbc_dec): Update to use renewed 'do_aesni_dec'.

GCM: move Intel PCLMUL accelerated implementation to separate file.
+ commit 4a0795af021305f9240f23626a3796157db46bd7
* cipher/Makefile.am: Add 'cipher-gcm-intel-pclmul.c'.
* cipher/cipher-gcm-intel-pclmul.c: New.
* cipher/cipher-gcm.c [GCM_USE_INTEL_PCLMUL]
(_gcry_ghash_setup_intel_pclmul, _gcry_ghash_intel_pclmul): New
prototypes.
[GCM_USE_INTEL_PCLMUL] (gfmul_pclmul, gfmul_pclmul_aggr4): Move
to 'cipher-gcm-intel-pclmul.c'.
(ghash): Rename to...
(ghash_internal): ...this and move GCM_USE_INTEL_PCLMUL part to new
function in 'cipher-gcm-intel-pclmul.c'.
(setupM): Move GCM_USE_INTEL_PCLMUL part to new function in
'cipher-gcm-intel-pclmul.c'; Add selection of ghash function based
on available HW acceleration.
(do_ghash_buf): Change use of 'ghash' to 'c->u_mode.gcm.ghash_fn'.
* cipher/internal.h (ghash_fn_t): New.
(gcry_cipher_handle): Remove 'use_intel_pclmul'; Add 'ghash_fn'.

2014-12-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>

rijndael: split Padlock part to separate file.
+ commit cbf4c8cb6bbda15eea61885279f2a6f1d4bcedfd
* cipher/Makefile.am: Add 'rijndael-padlock.c'.
* cipher/rijndael-padlock.c: New.
* cipher/rijndael.c (do_padlock, do_padlock_encrypt)
(do_padlock_decrypt): Move to 'rijndael-padlock.c'.
* configure.ac [mpi_cpu_arch=x86]: Add 'rijndael-padlock.lo'.

2014-12-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>

rijndael: refactor to reduce number of #ifdefs and branches.
+ commit 3d5b51786e2050c461e9791b59142a731462b66d
* cipher/rijndael-aesni.c (_gcry_aes_aesni_encrypt)
(_gcry_aes_aesni_decrypt): Make return stack burn depth.
* cipher/rijndael-amd64.S (_gcry_aes_amd64_encrypt_block)
(_gcry_aes_amd64_decrypt_block): Ditto.
* cipher/rijndael-arm.S (_gcry_aes_arm_encrypt_block)
(_gcry_aes_arm_decrypt_block): Ditto.
* cipher/rijndael-internal.h (RIJNDAEL_context_s)
(rijndael_cryptfn_t): New.
(RIJNDAEL_context): New members 'encrypt_fn' and 'decrypt_fn'.
* cipher/rijndael.c (_gcry_aes_amd64_encrypt_block)
(_gcry_aes_amd64_decrypt_block, _gcry_aes_aesni_encrypt)
(_gcry_aes_aesni_decrypt, _gcry_aes_arm_encrypt_block)
(_gcry_aes_arm_decrypt_block): Change prototypes.
(do_padlock_encrypt, do_padlock_decrypt): New.
(do_setkey): Separate key-length to rounds conversion from
HW features check; Add selection for ctx->encrypt_fn and
ctx->decrypt_fn.
(do_encrypt_aligned, do_decrypt_aligned): Move inside
'[!USE_AMD64_ASM && !USE_ARM_ASM]'; Move USE_AMD64_ASM and
USE_ARM_ASM to...
(do_encrypt, do_decrypt): ...here; Return stack depth; Remove second
temporary buffer from non-aligned input/output case.
(do_padlock): Move decrypt_flag to last argument; Return stack depth.
(rijndael_encrypt): Remove #ifdefs, just call ctx->encrypt_fn.
(_gcry_aes_cfb_enc, _gcry_aes_cbc_enc): Remove USE_PADLOCK; Call
ctx->encrypt_fn in place of do_encrypt/do_encrypt_aligned.
(_gcry_aes_ctr_enc): Call ctx->encrypt_fn in place of
do_encrypt_aligned; Make tmp buffer 16-byte aligned and wipe buffer
after use.
(rijndael_encrypt): Remove #ifdefs, just call ctx->decrypt_fn.
(_gcry_aes_cfb_dec): Remove USE_PADLOCK; Call ctx->decrypt_fn in place
of do_decrypt/do_decrypt_aligned.
(_gcry_aes_cbc_dec): Ditto; Make savebuf buffer 16-byte aligned.

rijndael: move AES-NI blocks before Padlock.
+ commit dbf9e95dd3891f6e6ad370e8ab78fec03595687b
* cipher/rijndael.c (do_setkey, rijndael_encrypt, _gcry_aes_cfb_enc)
(rijndael_decrypt, _gcry_aes_cfb_dec): Move USE_AESNI before
USE_PADLOCK.
(check_decryption_praparation) [USE_PADLOCK]: Move to...
(prepare_decryption) [USE_PADLOCK]: ...here.

rijndael: split AES-NI functions to separate file.
+ commit 67d529630e838daeb8cb9c6d7ef660c01ef34fee
* cipher/Makefile.in: Add 'rijndael-aesni.c'.
* cipher/rijndael-aesni.c: New.
* cipher/rijndael-internal.h: New.
* cipher/rijndael.c (MAXKC, MAXROUNDS, BLOCKSIZE, ATTR_ALIGNED_16)
(USE_AMD64_ASM, USE_ARM_ASM, USE_PADLOCK, USE_AESNI, RIJNDAEL_context)
(keyschenc, keyschdec, padlockkey): Move to 'rijndael-internal.h'.
(u128_s, aesni_prepare, aesni_cleanup, aesni_cleanup_2_6)
(aesni_do_setkey, do_aesni_enc, do_aesni_dec, do_aesni_enc_vec4)
(do_aesni_dec_vec4, do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Move
to 'rijndael-aesni.c'.
(prepare_decryption, rijndael_encrypt, _gcry_aes_cfb_enc)
(_gcry_aes_cbc_enc, _gcry_aes_ctr_enc, rijndael_decrypt)
(_gcry_aes_cfb_dec, _gcry_aes_cbc_dec) [USE_AESNI]: Move to functions
in 'rijndael-aesni.c'.
* configure.ac [mpi_cpu_arch=x86]: Add 'rijndael-aesni.lo'.

2014-11-24 Werner Koch <wk@gnupg.org>

Remove duplicated prototypes.
+ commit d53ea84bed37b973f7ce59262c50b33700cd8311
* src/gcrypt-int.h (_gcry_mpi_ec_new, _gcry_mpi_ec_set_mpi)
(gcry_mpi_ec_set_point): Remove.

tests: Add a prime mode to benchmark.
+ commit 1b4210c204a5ef5e631187509e011b8468a134ef
* tests/benchmark.c (progress_cb): Add a single char mode.
(prime_bench): New.
(main): Add a "prime" mode. Factor with_progress out to file scope.

2014-11-19 NIIBE Yutaka <gniibe@fsij.org>

ecc: Improve Montgomery curve implementation.
+ commit e6130034506013d6153465a2bedb6fb08a43f74d
* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Support
MPI_EC_MONTGOMERY.
* cipher/ecc.c (test_ecdh_only_keys): New.
(nist_generate_key): Call test_ecdh_only_keys for MPI_EC_MONTGOMERY.
(check_secret_key): Handle Montgomery curve of x-coordinate only.
* mpi/ec.c (_gcry_mpi_ec_mul_point): Resize points before the loop.
Simplify, using pointers of Q1, Q2, PRD, and SUM.

2014-11-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>

Disable NEON for CPUs that are known to have broken NEON implementation.
+ commit 95eef21583d8e998efc48f22898c1ae31b77cb48
* src/hwf-arm.c (detect_arm_proc_cpuinfo): Add parsing for CPU version
information and check if CPU is known to have broken NEON
implementation.
(_gcry_hwf_detect_arm): Filter out broken HW features.

Add ARM/NEON implementation of Poly1305.
+ commit 0b520128551054d83fb0bb2db8873394f38de498
* cipher/Makefile.am: Add 'poly1305-armv7-neon.S'.
* cipher/poly1305-armv7-neon.S: New.
* cipher/poly1305-internal.h (POLY1305_USE_NEON)
(POLY1305_NEON_BLOCKSIZE, POLY1305_NEON_STATESIZE)
(POLY1305_NEON_ALIGNMENT): New.
* ciph