Copyright (C) 1996-2006 Peter Gutmann, Matt Thomlinson and Blake Coverett
Copyright (C) 2003 Nikos Mavroyanopoulos
Copyright (C) 2006-2007 NTT (Nippon Telegraph and Telephone Corporation)
- Copyright (C) 2012-2016 g10 Code GmbH
+ Copyright (C) 2012-2017 g10 Code GmbH
Copyright (C) 2012 Simon Josefsson, Niels Möller
Copyright (c) 2012 Intel Corporation
Copyright (C) 2013 Christian Grothoff
- Copyright (C) 2013-2016 Jussi Kivilinna
+ Copyright (C) 2013-2017 Jussi Kivilinna
Copyright (C) 2013-2014 Dmitry Eremin-Solenikov
Copyright (C) 2014 Stephan Mueller
+2017-01-18 Werner Koch <wk@gnupg.org>
+
+ Release 1.7.6.
+ + commit 64e4808c05894b623f06c526a37ae2b77c31e36d
+ * configure.ac: Set LT version to C21/A1/R6.
+
+ Revert "rijndael-ssse3: move assembly functions to separate source-file"
+ + commit 5053e0112ee3ef757a3a4ae26eed117dd1fb0211
+ This reverts commit a77c36921bde79418cdf6d7a7543514c39c9796c.
+
+2017-01-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ mpi: amd64: fix too large jump alignment in mpih-rshift.
+ + commit 1817c9eab5699c097d3713f197e4a3e8b5c1442c
+ * mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Use 16-byte alignment
+ with 'ALIGN(4)' instead of 256-byte.
+
+ rijndael-ssse3: move assembly functions to separate source-file.
+ + commit a77c36921bde79418cdf6d7a7543514c39c9796c
+ * cipher/Makefile.am: Add 'rinjdael-ssse3-amd64-asm.S'.
+ * cipher/rinjdael-ssse3-amd64-asm.S: Moved assembly functions
+ here ...
+ * cipher/rinjdael-ssse3-amd64.c: ... from this file.
+ (_gcry_aes_ssse3_enc_preload, _gcry_aes_ssse3_dec_preload)
+ (_gcry_aes_ssse3_shedule_core, _gcry_aes_ssse3_encrypt_core)
+ (_gcry_aes_ssse3_decrypt_core): New.
+ (vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
+ (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
+ (do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Update to use external
+ assembly functions; remove 'aes_const_ptr' variable usage.
+ (_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_decrypt)
+ (_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
+ (_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
+ (_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec)
+ (_gcry_aes_ssse3_ocb_auth): Remove 'aes_const_ptr' variable usage.
+ * configure.ac: Add 'rinjdael-ssse3-amd64-asm.lo'.
+
+ rijndael-ssse3: fix counter operand from read-only to read/write.
+ + commit 34135cd4128b7d2b288323474a8d05a38022b4fa
+ * cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_ctr_enc): Change
+ 'ctrlow' operand from read-only to read-write.
+
+2017-01-18 Werner Koch <wk@gnupg.org>
+
+ random: Call getrandom before select and emitting a progress callback.
+ + commit e4c0159974b011ddc1979acdec311234d9bc2ea8
+ * random/rndlinux.c (_gcry_rndlinux_gather_random): Move the getrandom
+ call before the select.
+
+2016-12-15 Werner Koch <wk@gnupg.org>
+
+ Release 1.7.5.
+ + commit 89ec6c103739d41624bb5b899926efc26b215dda
+ * configure.ac: Set LT version to C21/A1/R5.
+
+2016-12-15 Werner Koch <wk@gnupg.org>
+ Nicolas Porcel <nicolasporcel06@gmail.com>
+
+ Fix regression in broken mlock detection.
+ + commit b4d1ab824172b8221011680cda00d7623de5c9f5
+ * acinclude.m4 (GNUPG_CHECK_MLOCK): Fix typo EGAIN->EAGAIN.
+
+2016-12-09 Werner Koch <wk@gnupg.org>
+
+ Release 1.7.4.
+ + commit a72ce0a1fbb3648d80696885d6a7e78b3029bebc
+ * configure.ac: Bump LT version to C21/A1/R4.
+
+ Improve handling of mlock error codes.
+ + commit d6f84f4fc59235795ae393d8fab0081eb5889120
+ * acinclude.m4 (GNUPG_CHECK_MLOCK): Check also for EAGAIN which is a
+ legitimate return code and does not indicate a broken mlock().
+ * src/secmem.c (lock_pool_pages): Test ERR instead of ERRNO which
+ could have been overwritten by cap_from+text et al.
+
+2016-12-09 Stephan Mueller <smueller@chronox.de>
+
+ random: Eliminate unneeded memcpy invocations in the DRBG.
+ + commit 008fd92917547981d3c4dc77fd1e8c242bf4a7ea
+ * random/random-drbg.c (drbg_hash): Remove arg 'outval' and return a
+ pointer instead.
+ (drbg_instantiate): Reduce size of scratchpad.
+ (drbg_hmac_update): Avoid use of scratch buffers for the hash.
+ (drbg_hmac_generate, drbg_hash_df): Ditto.
+ (drbg_hash_process_addtl): Ditto.
+ (drbg_hash_hashgen): Ditto.
+ (drbg_hash_generate): Ditto.
+
+ random: Add performance improvements for the DRBG.
+ + commit c6b7041bbc11391b7c6b0bf649aa4979ad3d0b52
+ * random/random-drbg.c (struct drbg_state_ops_s): New function
+ pointers 'crypto_init' and 'crypto-fini'.
+ (struct drbg_state_s): New fields 'priv_data', 'ctr_handle', and
+ 'ctr_null'.
+ (drbg_hash_init, drbg_hash_fini): New.
+ (drbg_hmac_init, drbg_hmac_setkey): New.
+ (drbg_sym_fini, drbg_sym_init, drbg_sym_setkey): New.
+ (drbg_sym_ctr): New.
+ (drbg_ctr_bcc): Set the key.
+ (drbg_ctr_df): Ditto.
+ (drbg_hmac_update): Ditto.
+ (drbg_hmac_generate): Replace drgb_hmac by drbg_hash.
+ (drbg_hash_df): Ditto.
+ (drbg_hash_process_addtl): Ditto.
+ (drbg_hash_hashgen): Ditto.
+ (drbg_ctr_update): Rework.
+ (drbg_ctr_generate): Rework.
+ (drbg_ctr_ops): Init new functions pointers.
+ (drbg_uninstantiate): Call fini function.
+ (drbg_instantiate): Call init function.
+
+ cipher: New function for reading the counter in CTR mode.
+ + commit 9678a9f3dcbd2944d62f12c63fa27a8fd72b1201
+ * cipher/cipher.c (gcry_cipher_getctr): New.
+
+2016-12-07 Werner Koch <wk@gnupg.org>
+
+ Implement overflow secmem pools for xmalloc style allocators.
+ + commit 73dca02b9cc6d542af153c527190832f9c421ef3
+ * src/secmem.c (pooldesc_s): Add fields next, cur_alloced, and
+ cur_blocks.
+ (cur_alloced, cur_blocks): Remove vars.
+ (ptr_into_pool_p): Make it inline.
+ (stats_update): Add arg pool and update the new pool specific
+ counters.
+ (_gcry_secmem_malloc_internal): Add arg xhint and allocate overflow
+ pools as needed.
+ (_gcry_secmem_malloc): Pass XHINTS along.
+ (_gcry_secmem_realloc_internal): Ditto.
+ (_gcry_secmem_realloc): Ditto.
+ (_gcry_secmem_free_internal): Take multiple pools in account. Add
+ return value to indicate whether the arg was freed.
+ (_gcry_secmem_free): Add return value to indicate whether the arg was
+ freed.
+ (_gcry_private_is_secure): Take multiple pools in account.
+ (_gcry_secmem_term): Release all pools.
+ (_gcry_secmem_dump_stats): Print stats for all pools.
+ * src/stdmem.c (_gcry_private_free): Replace _gcry_private_is_secure
+ test with a direct call of _gcry_secmem_free to avoid double checking.
+
+ Give the secmem allocators a hint when a xmalloc calls them.
+ + commit 1433fce11c90bb44ada51071f342ad67b469ea81
+ * src/secmem.c (_gcry_secmem_malloc): New not yet used arg XHINT.
+ (_gcry_secmem_realloc): Ditto.
+ * src/stdmem.c (_gcry_private_malloc_secure): New arg XHINT to be
+ passed to the secmem functions.
+ (_gcry_private_realloc): Ditto.
+ * src/g10lib.h (GCRY_ALLOC_FLAG_XHINT): New.
+ * src/global.c (do_malloc): Pass this flag as XHINT to the private
+ allocator.
+ (_gcry_malloc_secure): Factor code out to ...
+ (_gcry_malloc_secure_core): this. Add arg XHINT.
+ (_gcry_realloc): Factor code out to ...
+ (_gcry_realloc_core): here. Add arg XHINT.
+ (_gcry_strdup): Factor code out to ...
+ (_gcry_strdup_core): here. Add arg XHINT.
+ (_gcry_xrealloc): Use the core function and pass true for XHINT.
+ (_gcry_xmalloc_secure): Ditto.
+ (_gcry_xstrdup): Ditto.
+
+ Reorganize code in secmem.c.
+ + commit 2bc361485d8bc0d8cdb3b4ae6e304885eeaab889
+ * src/secmem.c (pooldesc_t): New type to collect information about one
+ pool.
+ (pool_size): Remove. Now a member of pooldesc_t.
+ (pool_okay): Ditto.
+ (pool_is_mmapped): Ditto.
+ (pool): Rename variable ...
+ (mainpool): And change type to pooldesc_t.
+ (ptr_into_pool_p): Add arg 'pool'.
+ (mb_get_next): Ditto.
+ (mb_get_prev): Ditto.
+ (mb_merge): Ditto.
+ (mb_get_new): Ditto.
+ (init_pool): Ditto.
+ (lock_pool): Rename to ...
+ (look_pool_pages: this.
+ (secmem_init): Rename to ...
+ (_gcry_secmem_init_internal): this. Add local var POOL and init with
+ address of MAINPOOL.
+ (_gcry_secmem_malloc_internal): Add local var POOL and init with
+ address of MAINPOOL.
+ (_gcry_private_is_secure): Ditto.
+ (_gcry_secmem_term): Ditto.
+ (_gcry_secmem_dump_stats): Ditto.
+ (_gcry_secmem_free_internal): Ditto. Remove check for NULL arg.
+ (_gcry_secmem_free): Add check for NULL arg before taking the lock.
+ (_gcry_secmem_realloc): Factor most code out to ...
+ (_gcry_secmem_realloc_internal): this.
+
+2016-11-28 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ tests: Add PBKDF2 tests for Stribog512.
+ + commit a8b2d8b502d9cbc9157c261f12e4623ec20b3960
+ * tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's
+ additions to PKCS#5.
+
+ tests: Add Stribog HMAC tests from TC26ALG.
+ + commit 432eaf2ab83631a4e70ad4ecd20a9b6f81c1c329
+ * tests/basic.c (check_mac): add HMAC test vectors from TC26ALG document
+ for Stribog.
+
+ cipher: Add Stribog OIDs from TC26 space.
+ + commit d0940e3d194296bc334f06f97ae91b411e1f152f
+ * cipher/stribog.c (oid_spec_stribog256, oid_spec_stribog512): New.
+
+2016-11-28 Justus Winter <justus@g10code.com>
+
+ tests: Fix memory leak.
+ + commit 4bfec0a52af8c847f558b9ade56d896c224019b3
+ * tests/basic.c (check_gost28147_cipher): Free cipher handles.
+
+2016-11-25 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ Cast oid argument of gcry_cipher_set_sbox to disable compiler warning.
+ + commit a22d7bb3945cec2d8a6b23d8f2bd2f675bb2f4e6
+ * src/gcrypt.h.in (gcry_cipher_set_sbox): Cast oid to (void *).
+
+ gost: Rename tc26 s-box from A to Z.
+ + commit 298cb926d28ae76ab2af1b028e7b06ae2358a234
+ * cipher/gost-s-box.c (gost_sboxes): Rename TC26_A to TC26_Z as it is
+ the name that ended up in all standards.
+
+ tests: Add test to verify GOST 28147-89 against known results.
+ + commit 76fa65940ff9d4baf17b42f671191720b9ea96f1
+ * tests/basic.c (check_gost28147_cipher): new test function.
+
+2016-11-17 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ cipher/gost28147: Fix CryptoPro-B S-BOX.
+ + commit 15718db54b2888a704b020cb1032954b443c6686
+ * cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in
+ incorrect encryption/decryption using that s-box. Add missing data.
+
+2016-11-01 NIIBE Yutaka <gniibe@fsij.org>
+
+ cipher: Fix IDEA cipher for clearing memory.
+ + commit bf6d5b10cb4173826f47ac080506b68bb001acb2
+ * cipher/idea.c (invert_key): Use wipememory, since this kind of memset
+ may be removed by compiler optimization.
+
+2016-10-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ GCM: Add bulk processing for ARMv8/AArch64 implementation.
+ + commit bfd732f53a9b5dfe14217a68a0fa289bf6913ec0
+ * cipher/cipher-gcm-armv8-aarch64-ce.S: Add 6 blocks bulk processing.
+
+ GCM: Add bulk processing for ARMv8/AArch32 implementation.
+ + commit 27747921cb1dfced83c5666cd1c474764724c52b
+ * cipher/cipher-gcm-armv8-aarch32-ce.S: Add 4 blocks bulk processing.
+ * tests/basic.c (check_digests): Print correct data length for "?"
+ tests.
+ (check_one_mac): Add large 1000000 bytes tests, when input is "!" or
+ "?".
+ (check_mac): Add "?" tests vectors for HMAC, CMAC, GMAC and POLY1305.
+
+2016-09-11 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ Add Aarch64 assembly implementation of Twofish.
+ + commit 5418d9ca4c0e087fd6872ad350a996fe74880d86
+ * cipher/Makefile.am: Add 'twofish-aarch64.S'.
+ * cipher/twofish-aarch64.S: New.
+ * cipher/twofish.c: Enable USE_ARM_ASM if __AARCH64EL__ and
+ HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
+ * configure.ac [host=aarch64]: Add 'twofish-aarch64.lo'.
+
+2016-09-05 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ Add Aarch64 assembly implementation of Camellia.
+ + commit de73a2e7237ba7c34ce48bb5fb671aa3993de832
+ * cipher/Makefile.am: Add 'camellia-aarch64.S'.
+ * cipher/camellia-aarch64.S: New.
+ * cipher/camellia-glue.c [USE_ARM_ASM][__aarch64__]: Set stack burn
+ size to zero.
+ * cipher/camellia.h: Enable USE_ARM_ASM if __AARCH64EL__ and
+ HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
+ * configure.ac [host=aarch64]: Add 'rijndael-aarch64.lo'.
+
+ Add ARMv8/AArch64 Crypto Extension implementation of AES.
+ + commit 4cd8d40d698564d24ece2af24546e34c58bf2961
+ * cipher/Makefile.am: Add 'rijndael-armv-aarch64-ce.S'.
+ * cipher/rijndael-armv8-aarch64-ce.S: New.
+ * cipher/rijndael-internal.h (USE_ARM_CE): Enable for ARMv8/AArch64.
+ * configure.ac: Add 'rijndael-armv-aarch64-ce.lo' and
+ 'rijndael-armv8-ce.lo' for ARMv8/AArch64.
+
+ Add ARMv8/AArch64 Crypto Extension implementation of GCM.
+ + commit 0b332c1aef03a735c1fb0df184f74d523deb2f98
+ * cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch64-ce.S'.
+ * cipher/cipher-gcm-armv8-aarch64-ce.S: New.
+ * cipher/cipher-internal.h (GCM_USE_ARM_PMULL): Enable on
+ ARMv8/AArch64.
+
+ Add ARMv8/AArch64 Crypto Extension implementation of SHA-256.
+ + commit 2d4bbc0ad62c54bbdef77799f9db82d344b7219e
+ * cipher/Makefile.am: Add 'sha256-armv8-aarch64-ce.S'.
+ * cipher/sha256-armv8-aarch64-ce.S: New.
+ * cipher/sha256-armv8-aarch32-ce.S: Move round macros to correct
+ section.
+ * cipher/sha256.c (USE_ARM_CE): Enable on ARMv8/AArch64.
+ * configure.ac: Add 'sha256-armv8-aarch64-ce.lo'; Swap places for
+ 'sha512-arm.lo' and 'sha256-armv8-aarch32-ce.lo'.
+
+ Add ARMv8/AArch64 Crypto Extension implementation of SHA-1.
+ + commit e4eb03f56683317c908cb55be727832810dc8c72
+ * cipher/Makefile.am: Add 'sha1-armv8-aarch64-ce.S'.
+ * cipher/sha1-armv8-aarch64-ce.S: New.
+ * cipher/sha1.c (USE_ARM_CE): Enable on ARMv8/AArch64.
+ * configure.ac: Add 'sha1-armv8-aarch64-ce.lo'.
+
+2016-09-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ Add AArch64 assembly implementation of AES.
+ + commit 595251ad37bf1968261d7e781752513f67525803
+ * cipher/Makefile.am: Add 'rijndael-aarch64.S'.
+ * cipher/rijndael-aarch64.S: New.
+ * cipher/rijndael-internal.h: Enable USE_ARM_ASM if __AARCH64EL__ and
+ HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
+ * configure.ac (gcry_cv_gcc_aarch64_platform_as_ok): New check.
+ [host=aarch64]: Add 'rijndael-aarch64.lo'.
+
+2016-08-17 Werner Koch <wk@gnupg.org>
+
+ Release 1.7.3.
+ + commit f8241874971478bdcd2bc2082d901d05db7b256d
+ * configure.ac: Set LT version to C21/A1/R3.
+
+ random: Hash continuous areas in the csprng pool.
+ + commit 8dd45ad957b54b939c288a68720137386c7f6501
+ * random/random-csprng.c (mix_pool): Store the first hash at the end
+ of the pool.
+
+ random: Improve the diagram showing the random mixing.
+ + commit 2f62103b4bb6d6f9ce806e01afb7fdc58aa33513
+ * random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20.
+
+2016-07-19 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ crc-intel-pclmul: split assembly block to ease register pressure.
+ + commit f38199dbc290003898a1799adc367265267784c2
+ * cipher/crc-intel-pclmul.c (crc32_less_than_16): Split inline
+ assembly block handling 4 byte input into multiple blocks.
+
+ rijndael-aesni: split assembly block to ease register pressure.
+ + commit a4d1595a2638db63ac4c73e722c8ba95fdd85ff7
+ * cipher/rijndael-aesni.c (do_aesni_ctr_4): Use single register
+ constraint for passing 'bige_addb' to assembly block; split
+ first inline assembly block into two parts.
+
+2016-07-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ Add ARMv8/AArch32 Crypto Extension implementation of AES.
+ + commit 05a4cecae0c02d2b4ee1cadd9c08115beae3a94a
+ * cipher/Makefile.am: Add 'rijndael-armv8-ce.c' and
+ 'rijndael-armv-aarch32-ce.S'.
+ * cipher/rijndael-armv8-aarch32-ce.S: New.
+ * cipher/rijndael-armv8-ce.c: New.
+ * cipher/rijndael-internal.h (USE_ARM_CE): New.
+ (RIJNDAEL_context_s): Add 'use_arm_ce'.
+ * cipher/rijndael.c [USE_ARM_CE] (_gcry_aes_armv8_ce_setkey)
+ (_gcry_aes_armv8_ce_prepare_decryption)
+ (_gcry_aes_armv8_ce_encrypt, _gcry_aes_armv8_ce_decrypt)
+ (_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
+ (_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
+ (_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
+ (_gcry_aes_armv8_ce_ocb_auth): New.
+ (do_setkey) [USE_ARM_CE]: Add ARM CE/AES HW feature check and key
+ setup for ARM CE.
+ (prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
+ (_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
+ (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_ARM_CE]: Add
+ ARM CE support.
+ * configure.ac: Add 'rijndael-armv8-ce.lo' and
+ 'rijndael-armv8-aarch32-ce.lo'.
+
+ Add ARMv8/AArch32 Crypto Extension implementation of GCM.
+ + commit 962b15470663db11e5c35b86768f1b5d8e600017
+ * cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch32-ce.S'.
+ * cipher/cipher-gcm-armv8-aarch32-ce.S: New.
+ * cipher/cipher-gcm.c [GCM_USE_ARM_PMULL]
+ (_gcry_ghash_setup_armv8_ce_pmull, _gcry_ghash_armv8_ce_pmull)
+ (ghash_setup_armv8_ce_pmull, ghash_armv8_ce_pmull): New.
+ (setupM) [GCM_USE_ARM_PMULL]: Enable ARM PMULL implementation if
+ HWF_ARM_PULL HW feature flag is enabled.
+ * cipher/cipher-gcm.h (GCM_USE_ARM_PMULL): New.
+
+ Add ARMv8/AArch32 Crypto Extension implemenation of SHA-256.
+ + commit 34c64eb03178fbfd34190148fec5a189df2b8f83
+ * cipher/Makefile.am: Add 'sha256-armv8-aarch32-ce.S'.
+ * cipher/sha256-armv8-aarch32-ce.S: New.
+ * cipher/sha256.c (USE_ARM_CE): New.
+ (sha256_init, sha224_init): Check features for HWF_ARM_SHA1.
+ [USE_ARM_CE] (_gcry_sha256_transform_armv8_ce): New.
+ (transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports.
+ (SHA256_CONTEXT): Add 'use_arm_ce'.
+ * configure.ac: Add 'sha256-armv8-aarch32-ce.lo'.
+
+ Add ARMv8/AArch32 Crypto Extension implementation of SHA-1.
+ + commit 3d6334f8d94c2a4df10eed203ae928298a4332ef
+ * cipher/Makefile.am: Add 'sha1-armv8-aarch32-ce.S'.
+ * cipher/sha1-armv7-neon.S (_gcry_sha1_transform_armv7_neon): Add
+ missing size.
+ * cipher/sha1-armv8-aarch32-ce.S: New.
+ * cipher/sha1.c (USE_ARM_CE): New.
+ (sha1_init): Check features for HWF_ARM_SHA1.
+ [USE_ARM_CE] (_gcry_sha1_transform_armv8_ce): New.
+ (transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports
+ it.
+ * cipher/sha1.h (SHA1_CONTEXT): Add 'use_arm_ce'.
+ * configure.ac: Add 'sha1-armv8-aarch32-ce.lo'.
+
+ Add HW feature check for ARMv8 AArch64 and crypto extensions.
+ + commit eee78f6e1fbce7d54c43fb7efc5aa8be9f52755f
+ * configure.ac: Add '--disable-arm-crypto-support'; enable hwf-arm
+ module on 64-bit ARM.
+ (armcryptosupport, gcry_cv_gcc_inline_aarch32_crypto)
+ (gcry_cv_inline_asm_aarch64_neon)
+ (gcry_cv_gcc_inline_asm_aarch64_crypto): New.
+ * src/g10lib.h (HWF_ARM_AES, HWF_ARM_SHA1, HWF_ARM_SHA2)
+ (HWF_ARM_PMULL): New.
+ * src/hwf-arm.c [__aarch64__]: Enable building in AArch64 mode.
+ (feature_map_s): New.
+ [__arm__] (AT_HWCAP, AT_HWCAP2, HWCAP2_AES, HWCAP2_PMULL)
+ (HWCAP2_SHA1, HWCAP2_SHA2, arm_features): New.
+ [__aarch64__] (AT_HWCAP, AT_HWCAP2, HWCAP_ASIMD, HWCAP_AES)
+ (HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2, arm_features): New.
+ (get_hwcap): Add reading of 'AT_HWCAP2'; Change auxv use
+ 'unsigned long'.
+ (detect_arm_at_hwcap): Add mapping of HWCAP/HWCAP2 to HWF flags.
+ (detect_arm_proc_cpuinfo): Add mapping of CPU features to HWF flags.
+ (_gcry_hwf_detect_arm): Use __ARM_NEON instead of legacy __ARM_NEON__.
+ * src/hwfeatures.c (hwflist): Add 'arm-aes', 'arm-sha1', 'arm-sha2'
+ and 'arm-pmull'.
+
+2016-07-14 Werner Koch <wk@gnupg.org>
+
+ Release 1.7.2.
+ + commit be0bec7d9208b2f2d2ffce9cc2ca6154853e7e59
+ * configure.ac: Set LT version to C21/A1/R2.
+ * Makefile.am (distcheck-hook): New.
+
+2016-07-13 Werner Koch <wk@gnupg.org>
+
+ build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.
+ + commit e535ea1bdc42309553007d60599d3147b8defe93
+ * build-aux/config.guess: Update.
+ * build-aux/config.sub: Update.
+
+2016-07-08 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON.
+ + commit 1111d311fd6452abd4080d1072c75ddb1b5a3dd1
+ * cipher/chacha20-armv7-neon.S (UNALIGNED_STMIA8)
+ (UNALIGNED_LDMIA4): New.
+ (_gcry_chacha20_armv7_neon_blocks): Use new helper macros instead of
+ ldm/stm instructions directly.
+ * cipher/poly1305-armv7-neon.S (UNALIGNED_LDMIA2)
+ (UNALIGNED_LDMIA4): New.
+ (_gcry_poly1305_armv7_neon_init_ext, _gcry_poly1305_armv7_neon_blocks)
+ (_gcry_poly1305_armv7_neon_finish_ext): Use new helper macros instead
+ of ldm instruction directly.
+
+2016-07-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ bench-slope: add unaligned buffer mode.
+ + commit 496790940753226f96b731a43d950bd268acd97a
+ * tests/bench-slope.c (unaligned_mode): New.
+ (do_slope_benchmark): Unalign buffer if in unaligned mode enabled.
+ (print_help, main): Add '--unaligned' parameter.
+
+2016-07-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ Fix static build.
+ + commit cb79630ec567a5f2e03e5f863cda168faa7b8cc8
+ * tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'.
+
+2016-06-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ Disallow encryption/decryption if key is not set.
+ + commit 07de9858032826f5a7b08c372f6bcc73bbb503eb
+ * cipher/cipher.c (cipher_encrypt, cipher_decrypt): If mode is not
+ NONE, make sure that key is set.
+ * cipher/cipher-ccm.c (_gcry_cipher_ccm_set_nonce): Do not clear
+ 'marks.key' when reseting state.
+
+ Avoid unaligned accesses with ARM ldm/stm instructions.
+ + commit a6158a01a4d81a5d862e1e0a60bfd6063443311d
+ * cipher/rijndael-arm.S: Remove __ARM_FEATURE_UNALIGNED ifdefs, always
+ compile with unaligned load/store code paths.
+ * cipher/sha512-arm.S: Ditto.
+
+ Fix non-PIC reference in PIC for poly1305/ARMv7-NEON.
+ + commit a09126242a51c4ea4564b0f70b808e4f27fe5a91
+ * cipher/poly1305-armv7-neon.S (GET_DATA_POINTER): New.
+ (_gcry_poly1305_armv7_neon_init_ext): Use GET_DATA_POINTER.
+
+ Fix wrong CPU feature #ifdef for SHA1/AVX.
+ + commit 4a983e3bef58b9d056517e25e0ab10b72d12ceba
+ * cipher/sha1-avx-amd64.S: Check for HAVE_GCC_INLINE_ASM_AVX instead of
+ HAVE_GCC_INLINE_ASM_AVX2 & HAVE_GCC_INLINE_ASM_BMI2.
+
+2016-06-30 Werner Koch <wk@gnupg.org>
+
+ random: Remove debug message about not supported getrandom syscall.
+ + commit 6965515c73632a088fb126a4a55e95121671fa98
+ * random/rndlinux.c (_gcry_rndlinux_gather_random): Remove log_debug
+ for getrandom error ENOSYS.
+
+2016-06-27 Werner Koch <wk@gnupg.org>
+
+ tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.
+ + commit 4d634a098742ff425b324e9f2a67b9f62de09744
+ * tests/benchmark.c (md_bench): Do not test variable lengths algos
+ with the gcry_md_hash_buffer.
+
+ md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.
+ + commit ae26edf4b60359bfa5fe3a27b2c24b336e7ec35c
+ * cipher/md.c (md_read): Detect missing read function.
+ (_gcry_md_hash_buffers): Return an error.
+
+2016-06-25 Werner Koch <wk@gnupg.org>
+
+ ecc: Fix memory leak.
+ + commit 7a7f7c147f888367dfee6093d26bfeaf750efc3a
+ * cipher/ecc.c (ecc_check_secret_key): Do not init point if already
+ set.
+
+ doc: Update yat2m.
+ + commit 1feb01940062a74c27230434fc3babdddca8caf4
+ * doc/yat2m.c: Update from Libgpg-error
+
+ tests: Add attributes to helper functions.
+ + commit c870cb5d385c1d6e1e28ca481cf9cf44b3bfeea9
+ * tests/t-common.h (die, fail, info): Add attributes.
+ * tests/random.c (die, inf): Ditto.
+ * tests/pubkey.c (die, fail, info): Add attributes.
+ * tests/fipsdrv.c (die): Add attribute.
+ (main): Take care of missing --key,--iv,--dt options.
+
+ Improve robustness and help lint.
+ + commit 5a5b055b81ee60a22a846bdf2031516b1c24df98
+ * cipher/rsa.c (rsa_encrypt): Check for !DATA.
+ * cipher/md.c (search_oid): Check early for !OID.
+ (md_copy): Use gpg_err_code_from_syserror. Replace chains of if(!err)
+ tests.
+ * cipher/cipher.c (search_oid): Check early for !OID.
+ * src/misc.c (do_printhex): Allow for BUFFER==NULL even with LENGTH>0.
+ * mpi/mpicoder.c (onecompl): Allow for A==NULL to help static
+ analyzers.
+
+ cipher: Improve fatal error message for bad use of gcry_md_read.
+ + commit 3f98b1e92d5afd720d7cea5b4e8295c5018bf9ac
+ * cipher/md.c (md_read): Use _gcry_fatal_error instead of BUG.
+
+2016-06-16 Niibe Yutaka <gniibe@fsij.org>
+
+ ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
+ + commit b0b70e7fe37b1bf13ec0bfc8effcb5c7f5db6b7d
+ * cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
+ (ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
+ cofactor as 1, when not specified.
+
+ ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
+ + commit 0f3a069211d8d24a61aa0dc2cc6c4ef04cc4fab7
+ * cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
+ (ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
+ cofactor as 1, when not specified.
+
2016-06-15 Werner Koch <wk@gnupg.org>
Release 1.7.1.
+ + commit 48aa6d6602564d6ba0cef10cf08f9fb0c59b3223
+
doc: Describe envvars.
+ + commit c3173bbe3f1a9c73f81a538dd49ccfa0447bfcdc
* doc/gcrypt.texi: Add chapter Configuration.
random: Change names of debug envvars.
+ + commit 131b4f0634cee0e5c47d2250c59f51127b10f7b3
* random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to
GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG.
* random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to
2016-06-14 Werner Koch <wk@gnupg.org>
cipher: Assign OIDs to the Serpent cipher.
+ + commit e13a6a1ba53127af602713d0c2aaa85c94b3cd7e
* cipher/serpent.c (serpent128_oids, serpent192_oids)
(serpent256_oids): New. Add them to the specs blow.
(serpent128_aliases): Add "SERPENT-128".
(serpent256_aliases, serpent192_aliases): New.
cipher: Assign OIDs to the Serpent cipher.
+ + commit 6cc2100c00a65dff07b095dea7b32cb5c5cd96d4
* cipher/serpent.c (serpent128_oids, serpent192_oids)
(serpent256_oids): New. Add them to the specs blow.
(serpent128_aliases): Add "SERPENT-128".
2016-06-08 Werner Koch <wk@gnupg.org>
rsa: Implement blinding also for signing.
+ + commit 1f769e3e8442bae2f1f73c656920bb2df70153c0
* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
(secret_blinded): new.
(rsa_sign): Use blinding by default.
random: Remove debug output for getrandom(2) output.
+ + commit 52cdfb1960808aaad48b5a501bbce0e3141c3961
* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
output.
Fix gcc portability on Solaris 9 SPARC boxes.
+ + commit b766ea14ad1c27d6160531b200cc70aaa479c6dc
* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
2016-06-08 Jérémie Courrèges-Anglas <jca@wxcvbn.org>
Check for compiler SSE4.1 support in PCLMUL CRC code.
+ + commit dc76313308c184c92eb78452b503405b90fc7ebd
* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
compiler supports PCLMUL *and* SSE4.1
* cipher/crc.c: Ditto
2016-06-08 NIIBE Yutaka <gniibe@fsij.org>
ecc: Fix ecc_verify for cofactor support.
+ + commit bd39eb9fba47dc8500c83769a679cc8b683d6c6e
* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".
2016-06-08 Werner Koch <wk@gnupg.org>
random: Try to use getrandom() instead of /dev/urandom (Linux only).
+ + commit c05837211e5221d3f56146865e823bc20b4ff1ab
* configure.ac: Check for syscall.
* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
(_gcry_rndlinux_gather_random): Use getrandom is available.
2016-06-03 Werner Koch <wk@gnupg.org>
rsa: Implement blinding also for signing.
+ + commit ef6e4d004b10f5740bcd2125fb70e199dd21e3e8
* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
(secret_blinded): new.
(rsa_sign): Use blinding by default.
random: Remove debug output for getrandom(2) output.
+ + commit 82df6c63a72fdd969c3923523f10d0cef5713ac7
* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
output.
2016-06-02 Werner Koch <wk@gnupg.org>
Fix gcc portability on Solaris 9 SPARC boxes.
+ + commit 4121f15122501d8946f1589b303d1f7949c15e30
* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
2016-05-28 Jérémie Courrèges-Anglas <jca@wxcvbn.org>
Check for compiler SSE4.1 support in PCLMUL CRC code.
+ + commit 3e8074ecd3a534e8bd7f11cf17f0b22d252584c8
* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
compiler supports PCLMUL *and* SSE4.1
* cipher/crc.c: Ditto
2016-05-06 NIIBE Yutaka <gniibe@fsij.org>
ecc: Fix ecc_verify for cofactor support.
+ + commit c7430aa752232aa690c5d8f16575a345442ad8d7
* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".
2016-04-26 Werner Koch <wk@gnupg.org>
random: Try to use getrandom() instead of /dev/urandom (Linux only).
+ + commit ee5a32226a7ca4ab067864e06623fc11a1768900
* configure.ac: Check for syscall.
* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
(_gcry_rndlinux_gather_random): Use getrandom is available.
2016-04-19 Werner Koch <wk@gnupg.org>
asm fix for older gcc versions.
+ + commit caa9d14c914bf6116ec3f773a322a94e2be0c0fb
* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
asm statements.
asm fix for older gcc versions.
+ + commit 4545372c0f8dd35aef2a7abc12b588ed1a4a0363
* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
asm statements.
2016-04-15 Werner Koch <wk@gnupg.org>
Release 1.7.0.
+ + commit 795f9cb090c776658a0e3117996e3fb7e2ebd94a
+
2016-04-14 Werner Koch <wk@gnupg.org>
tests: Add test vectors for 256 GiB test of SHA3-256.
+ + commit 1737c546dc7268fa9edcd4a23b7439c56d37ee4f
* tests/hashtest.c: Add new test vectros.
2016-04-14 Justus Winter <justus@g10code.com>
src: Improve S-expression parsing.
+ + commit 491586bc7f7b9edc6b78331a77e653543983c9e4
* src/sexp.c (do_vsexp_sscan): Return an error if a closing
parenthesis is encountered with no matching opening parenthesis.
2016-04-14 Werner Koch <wk@gnupg.org>
cipher: Add constant for 8 bit CFB mode.
+ + commit 47c6a1f88eb763e9baa394e34d873b761abcebbe
* src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
* tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.
tests: Add a new test for S-expressions.
+ + commit 88c6b98350193abbdcfb227754979b0c097ee09c
* tests/t-sexp.c (compare_to_canon): New.
(back_and_forth_one): Add another test.
2016-04-13 NIIBE Yutaka <gniibe@fsij.org>
ecc: Fix corner cases for X25519.
+ + commit 8472b71812e71c69d66e2fcc02a6e21b66755f8b
* cipher/ecc.c (ecc_encrypt_raw): For invalid input, returns
GPG_ERR_INV_DATA instead of aborting with log_fatal. For X25519,
it's not an error, thus, let it return 0.
2016-04-12 Werner Koch <wk@gnupg.org>
cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
+ + commit b6d2a25a275a35ec4dbd53ecaa9ea0ed7aa99c7b
* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
aad_leftover and aad_nleftover to u_mode.ocb.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
2016-04-12 NIIBE Yutaka <gniibe@fsij.org>
ecc: Fix X25519 computation on Curve25519.
+ + commit ee7e1a0e835f8ffcfbcba2a44abab8632db8fed5
* cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
PUBKEY_FLAG_DJB_TWEAK is enabled.
(ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
* tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.
ecc: Fix initialization of EC context.
+ + commit 7fbdb99b8c56360adfd1fb4e7f4c95e0f8aa34de
* cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
(ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialize
by _gcry_mpi_ec_p_internal_new should carry FLAGS.
2016-04-06 Werner Koch <wk@gnupg.org>
Allow building with configure option --enable-hmac-binary-check.
+ + commit 65c63144b66392f40b991684789b8b793248e3ba
* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
* src/hmac256.c (main): Add option --stdkey
2016-04-06 NIIBE Yutaka <gniibe@fsij.org>
ecc: Positive values in computation.
+ + commit 6f386ceae86a058e26294f744750f1ed2a95e604
* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
coefficients A and B are positive.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
2016-04-01 Werner Koch <wk@gnupg.org>
mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
+ + commit 862cf19a119427dd7ee7959a36c72d905f5ea5ca
* mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
(mpi_fromstr): Check against this limit.
(_gcry_mpi_scan): Ditto.
2016-03-31 Werner Koch <wk@gnupg.org>
cipher: Remove specialized rmd160 functions.
+ + commit fcce0cb6e8af70b134c6ecc3f56afa07a7d31f27
* cipher/rmd160.c: Replace rmd.h by hash-common.h.
(RMD160_CONTEXT): Move from rmd.h to here.
(_gcry_rmd160_init): Remove.
* configure.ac (USE_RMD160): Allow to build without RMD160.
random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
+ + commit a9cbe2d1f6a517a831517da8bc1d29e3e0b2c0c0
* cipher/sha1.c (_gcry_sha1_mixblock_init): New.
(_gcry_sha1_mixblock): New.
* random/random-csprng.c: Include sha1.h instead of rmd.h.
(mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.
cipher: Move sha1 context definition to a separate file.
+ + commit 142a479a484cb4e84d0561be9b05b44dac9e6fe2
* cipher/sha1.c: Replace hash-common.h by sha1.h.
(SHA1_CONTEXT): Move to ...
* cipher/sha1.h: new. Always include all flags.
2016-03-29 Werner Koch <wk@gnupg.org>
tests: Fix buffer overflow in bench-slope.
+ + commit 48ee918400762281bec5b6fc218a9f0d119aac7c
* tests/bench-slope.c (bench_print_result_std): Remove wrong use of
strncat.
2016-03-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
cipher: GCM: check that length of supplied tag is one of valid lengths.
+ + commit f2260e3a2e962ac80124ef938e54041bbea08561
* cipher/cipher-gcm.c (is_tag_length_valid): New.
(_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
* tests/basic.c (_check_gcm_cipher): Add test-vectors with different
2016-03-24 Peter Wu <peter@lekensteyn.nl>
cipher: Fix memleaks in (self)tests.
+ + commit 4a064e2a06fe737f344d1dfd8a45cc4c2abbe4c9
* cipher/dsa.c: Release memory for MPI and sexp structures.
* cipher/ecc.c: Release memory for sexp structure.
* tests/keygen.c: Likewise.
Mark constant MPIs as non-leaked.
+ + commit 470a30db241a2d567739ef2adb2a2ee64992d8b4
* mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.
2016-03-23 Werner Koch <wk@gnupg.org>
Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
+ + commit fea5971488e049f902d7912df22a945bc755ad6d
* src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
* cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.
(check_ctr_cipher): Add negative test for new feature.
cipher: Avoid NULL-segv in GCM mode if a key has not been set.
+ + commit e709d86fe596a4bcf235799468947c13ae657d78
* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
has been initialized.
(_gcry_cipher_gcm_decrypt): Ditto.
(_gcry_cipher_gcm_tag): Ditto.
cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
+ + commit 7c9c82feecf94a455c66d9c38576f36c9c4b484c
* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
provided tag length matches the actual tag length.
2016-03-23 Peter Wu <peter@lekensteyn.nl>
Fix buffer overrun in gettag for Poly1305.
+ + commit 6821e1bd94969106a70e3de17b86f6e6181f4e59
* cipher/cipher-poly1305.c: copy a fixed length instead of the
user-supplied number.
2016-03-23 Werner Koch <wk@gnupg.org>
cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
+ + commit 15785bc9fb1787554bf371945ecb191830c15bfd
* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
tag length matches the actual tag length. Avoid gratuitous return
statements.
2016-03-23 Peter Wu <peter@lekensteyn.nl>
Fix buffer overrun in gettag for GCM.
+ + commit d3d7bdf8215275b3b20690dfde3f43dbe25b6f85
* cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
number.
2016-03-22 Werner Koch <wk@gnupg.org>
tests: Add options --fips to keygen for manual tests.
+ + commit d328095dd4de83b839d9d8c4bdbeec0956971016
(main): Add option --fips.
* tests/keygen.c (check_rsa_keys): Create an 2048 bit key with e=65539
because that is valid in FIPS mode. Check that key generation fails
2016-03-22 Tomáš Mráz <tmraz@redhat.com>
rsa: Add FIPS 186-4 compliant RSA probable prime key generator.
+ + commit 5f9b3c2e220ca6d0eaff32324a973ef67933a844
* cipher/primegen.c (_gcry_fips186_4_prime_check): New.
* cipher/rsa.c (generate_fips): New.
(rsa_generate): Use new function in fips mode or with test-parms.
2016-03-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix ARM NEON support detection on ARMv6 target.
+ + commit 583919d70763671ed9feeaa14e1f66379aff88cc
* configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
instead of '.thumb'.
2016-03-18 Werner Koch <wk@gnupg.org>
Always require a 64 bit integer type.
+ + commit 897ccd21b7221982806b5c024518f4e989152f14
* configure.ac (available_digests_64): Merge with available_digests.
(available_kdfs_64): Merge with available_kdfs.
<64 bit datatype test>: Bail out if no such type is available.
2016-03-18 Vitezslav Cizek <vcizek@suse.com>
tests: Fix testsuite after the FIPS adjustments.
+ + commit 9ecc2690181ba0bb44f66451a7dce2fc19965793
* tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
* tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
* tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
(main): Skip math tests that use P-192 and Ed25519 in FIPS.
tests: Add new --pss option to fipsdrv.
+ + commit 1a02d741cacc3b57fe3d6ffebd794d53a60c9e97
* tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length
to 0 for PSS.
cipher: Add option to specify salt length for PSS verification.
+ + commit 0bd8137e68c201b6c2290710e348aaf57efa2b2e
* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for
salt-length token.
tests: Add support for RSA keygen tests to fipsdrv.
+ + commit 2e139456369a834cf87d983da4f61241fda76efe
* tests/fipsdrv.c (run_rsa_keygen): New.
(main): Support RSA keygen and RSA keygen KAT tests.
tests: Fixes for RSA testsuite in FIPS mode.
+ + commit c690230af5a66b809f8f6fbab1a6262a5ba078cb
* tests/basic.c (get_keys_new): Generate 2048 bit key.
* tests/benchmark.c (rsa_bench): Skip keys of lengths different
than 2048 and 3072 in FIPS mode.
* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.
rsa: Use 2048 bit RSA keys for selftest.
+ + commit 78cec8b4754fdf774edb2d575000cb3e972e244c
* cipher/rsa.c (selftests_rsa): Use 2048 bit keys.
(selftest_encr_1024): Replaced by selftest_encr_2048.
(selftest_sign_1024): Replaced by selftest_sign_2048.
* tests/pubkey.c (get_keys_new): Generate 2048 bit keys.
Disable non-allowed algorithms in FIPS mode.
+ + commit ce1cbe16992a7340edcf8e6576973e3508267640
* cipher/cipher.c (_gcry_cipher_init),
* cipher/mac.c (_gcry_mac_init),
* cipher/md.c (_gcry_md_init),
2016-03-18 Werner Koch <wk@gnupg.org>
kdf: Make PBKDF2 check work on all platforms.
+ + commit c478cf175887c84dc071c4f73a7667603b354789
* cipher/kdf.c (_gcry_kdf_pkdf2): Chnage DKLEN to unsigned long.
2016-03-18 Vitezslav Cizek <vcizek@suse.com>
kdf: Add upper bound for derived key length in PBKDF2.
+ + commit 0f741b0704bac5c0e2d2a0c2b34b44b35baa76d6
* cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.
ecc: ECDSA adjustments for FIPS 186-4.
+ + commit a242e3d9185e6e2dc13902ea9331131755bbba01
* cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
* cipher/ecc.c: Add ECDSA self test.
* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
2016-03-18 Werner Koch <wk@gnupg.org>
dsa: Make regression tests work.
+ + commit e40939b2141306238cc30a340b867b60fa4dc2a3
* cipher/dsa.c (sample_secret_key_1024): Comment out unused constant.
(ogenerate_fips186): Make it work with use-fips183-2 flag.
* cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs
2016-03-18 Vitezslav Cizek <vcizek@suse.com>
dsa: Adjustments to conform with FIPS 186-4.
+ + commit 80e9f95e6f419daa765e4876c858e3e36e808897
* cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments.
* cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect
buflen passed to _gcry_mpi_scan.
2016-03-16 Justus Winter <justus@g10code.com>
Update documentation for 'gcry_sexp_extract_param'.
+ + commit 4051fe7fec6ffdc7a2f5c3856665478866991ee7
* doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MIPs
must be set to NULL first, and document how the function behaves in
case of errors.
'_gcry_sexp_extract_param'.
cipher: Update comment.
+ + commit fcf4358a7a7ba8d32bf385ea99ced5f47cbd3ae2
* cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact
that a curve parameter can be given.
2016-03-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add Intel PCLMUL implementations of CRC algorithms.
+ + commit 5d601dd57fcb41aa2015ab655fd6fc51537da667
* cipher/Makefile.am: Add 'crc-intel-pclmul.c'.
* cipher/crc-intel-pclmul.c: New.
* cipher/crc.c (USE_INTEL_PCLMUL): New macro.
2016-02-25 NIIBE Yutaka <gniibe@fsij.org>
mpi: Normalize EXPO for mpi_powm.
+ + commit fdfa5bfefdde316688a3c8021bd3528c5273b0f4
* mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP.
2016-02-22 Andreas Metzler <ametzler@bebt.de>
Do not ship generated header file in tarball.
+ + commit 2b40a16333fa75f1cee85ab901a5aa9cff845a92
* src/Makefile.am: Move gcrypt.h from include_HEADERS to
nodist_include_HEADERS to prevent inclusion in release tarball.
This could break out-of-tree-builds because the potentially outdated
2016-02-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix building random-drbg for Win32/64.
+ + commit 531b25aa94c58f6d2168a9537c8cea6c53d7bbe0
* random/random-drbg.c: Remove include for sys/types.h and asm/types.h.
(DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH)
(DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384)
2016-02-20 Werner Koch <wk@gnupg.org>
tests: Do not test DRBG_REINIT from "make check"
+ + commit 839d12c221430b60db5e0d6fbb107f22e0a6837f
* tests/random.c (main): Run check_drbg_reinit only if the envvar
GCRYPT_IN_REGRESSION_TEST is set.
doc: Fix possible dependency problem.
+ + commit 3b57e5a1ba68e26dcaea38b763287fddba9b6b7c
* doc/Makefile.am (gcrypt.texi): Use the right traget.
2016-02-19 Stephan Mueller <smueller@chronox.de>
random: Remove ANSI X9.31 DRNG.
+ + commit e9b692d25d1c149b5417b70e18f2ce173bc25b6d
* random-fips.c: Remove.
2016-02-19 Werner Koch <wk@gnupg.org>
random: Add a test case for DRBG_REINIT.
+ + commit 934ba2ae5a95a96fdbb3b935b51ba43df66f11df
* src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
* tests/random.c (check_drbg_reinit): New.
(main): Call new test.
random: Allow DRBG_REINIT before initialization.
+ + commit 7cdbd6e6a3cf1ee366b981e148d41b1187a6fdcf
* random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
(_drbg_init_internal): Set the default type if no type has been set
before.
(_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.
Add new private header gcrypt-testapi.h.
+ + commit 744b030cff61fd25114b0b25394c62782c153343
* src/gcrypt-testapi.h: New.
* src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
* random/random.h: Include gcrypt-testapi.h.
(_gcry_rngdrbg_healthcheck_one): this.
random: Make the DRBG C-90 clean and use a flag string.
+ + commit 95f1db3affb9f5b8a2c814c211d4a02b30446c15
* random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
"flagstr" and turn it into a string.
* random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
(drbg_healthcheck_sanity): Ditto.
random: Symbol name cleanup for random-drbg.c.
+ + commit 85ed07790552297586258e8fe09b546eee357a8b
* random/random-drbg.c: Rename all static objects and macros from
"gcry_drbg" to "drbg".
(drbg_string_t): New typedef.
(gcry_drbg_healthcheck_sanity): Ditto.
random: Use our symbol name pattern also for drbg functions.
+ + commit 7cf3c929331133e4381dbceac53d3addd921c929
* random/random-drbg.c: Rename global functions from _gcry_drbg_*
to _gcry_rngdrbg_*.
* random/random.c: Adjust for this change.
* src/global.c: Ditto.
random: Rename drbg.c to random-drbg.c.
+ + commit e49b3f2c10e012509b5930c0df4d6df378d3b9f4
* random/drbg.c: Rename to ...
* random/random-drbg.c: this.
* random/Makefile.am (librandom_la_SOURCES): Adjust accordingly.
random: Remove the new API introduced by the new DRBG.
+ + commit dfac2b13d0068b2b1b420d77e9771a49964b81c1
* src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c.
(struct gcry_drbg_string): Ditto.
(gcry_drbg_string_fill): Ditto.
convention.
Add helper function _gcry_strtokenize.
+ + commit 4e134b6e77f558730ec1eceb6b816b0bcfd845e9
* src/misc.c (_gcry_strtokenize): New.
2016-02-18 Werner Koch <wk@gnupg.org>
random: Remove DRBG constants from the public API.
+ + commit fd13372fa9069d3a72947ea59c57e33637c936bf
* src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ...
* random/drbg.c: here.
2016-02-18 Stephan Mueller <smueller@chronox.de>
random: Add SP800-90A DRBG.
+ + commit ed57fed6de1465e02ec5e3bc0affeabdd35e2eb7
* random/drbg.c: New.
* random/random.c (_gcry_random_initialize): Replace rngfips init by
drbg init.
2016-02-13 Jussi Kivilinna <jussi.kivilinna@iki.fi>
bufhelp: disable unaligned memory accesses on powerpc.
+ + commit 1da793d089b65ac8c1ead65dacb6b8699f5b6e69
* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for
__powerpc__ and __powerpc64__.
2016-02-12 NIIBE Yutaka <gniibe@fsij.org>
ecc: Not validate input point for Curve25519.
+ + commit 7a019bc7ecdbdfdef51094e090ce95e062da9b64
* cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception.
2016-02-10 NIIBE Yutaka <gniibe@fsij.org>
ecc: Fix memory leaks on error.
+ + commit b12dd550fd6af687ef95c584d0d8366c34965cc8
* cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory.
* mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise.
2016-02-09 NIIBE Yutaka <gniibe@fsij.org>
ecc: input validation on ECDH.
+ + commit 23b72901f8a5ba9a78485b235c7a917fbc8faae0
* cipher/ecc.c (ecc_decrypt_raw): Validate the point.
2016-02-08 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add ARM assembly implementation of SHA-512.
+ + commit 8353884bc65c820d5bcacaf1ac23cdee72091a09
* cipher/Makefile.am: Add 'sha512-arm.S'.
* cipher/sha512-arm.S: New.
* cipher/sha512.c (USE_ARM_ASM): New.
2016-02-03 NIIBE Yutaka <gniibe@fsij.org>
tests: Add a test for Curve25519.
+ + commit b8b3361504950689ef1e779fb3357cecf8a9f739
* tests/Makefile.am (tests_bin): Add t-cv25519.
* tests/t-cv25519.c: New.
2016-02-02 NIIBE Yutaka <gniibe@fsij.org>
ecc: Fix Curve25519 for data by older implementation.
+ + commit 6cb6df9dddac6ad246002b83c2ce0aaa0ecf30e5
* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for
short length data.
ecc: more fix of Curve25519.
+ + commit 48ba5a50066611ecacea850ced13f5cb66097a81
* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
prefix. Clear the MSB, according to RFC7748.
ecc: Fix ECDH of Curve25519.
+ + commit a2f9afcd7fcdafd5951498b07f34957f9766dce9
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
and prefix detection.
* cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
2016-01-29 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Improve performance of generic SHA256 implementation.
+ + commit f3e51161036382429c3491c7c881f36c0a653c7b
* cipher/sha256.c (R): Let caller do variable shuffling.
(Chro, Maj, Sum0, Sum1): Convert from inline functions to macros.
(W, I): New.
2016-01-28 Werner Koch <wk@gnupg.org>
ecc: New API function gcry_mpi_ec_decode_point.
+ + commit 2cf2ca7bb9741ac86e8aa92d8f03b1c5f5938897
* mpi/ec.c (_gcry_mpi_ec_decode_point): New.
* cipher/ecc-common.h: Move two prototypes to ...
* src/ec-context.h: here.
2016-01-15 Werner Koch <wk@gnupg.org>
Fix build problem for rndegd.c.
+ + commit 191c2e4fe2dc0e00f61aa44e011a9596887e6ce1
* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules.
* random/rndegd.c (_gcry_rndegd_connect_socket)
(my_make_filename): Use functions with '_' prefix.
random: Fix possible AIX problem with sysconf in rndunix.
+ + commit 6303b0e83856ee89374b447e710f0ab2af61caec
* random/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
(start_gatherer): Detect misbehaving sysconf.
2015-12-27 Werner Koch <wk@gnupg.org>
random: Take at max 25% from RDRAND.
+ + commit 5a78e7f15e0dd96a8bf64e2bb142880bf8ea6965
* random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of
RDRAND from 50% to 25%.
2015-12-07 Justus Winter <justus@g10code.com>
cipher: Improve error handling.
+ + commit b9c02fbeb7efb7d0593b33485fb30c298291cf80
* cipher/ecc.c (ecc_decrypt_raw): Improve error handling.
cipher: Initialize 'flags'.
+ + commit ca06cd7f77acb317c2649c58918908f043dfe6bd
* cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0.
2015-12-05 NIIBE Yutaka <gniibe@fsij.org>
ecc: CHANGE point representation of Curve25519.
+ + commit dd3d06e7f113cf7608f060ceb043262efd0b0c9d
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with
the prefix 0x40, additional 0x00 by MPI handling, and shorter octets
by MPI normalization.
2015-12-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
chacha20: fix alignment of self-test context.
+ + commit 6fadbcd088e2af3e48407b95d8d0c2a8b7ad6c38
* cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20
context structure.
salsa20: fix alignment of self-test context.
+ + commit 2cba0dbda462237f55438d4199eccd10c5e3f6ca
* cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20
context structure.
2015-12-02 Justus Winter <justus@g10code.com>
random: Drop fake entropy gathering function.
+ + commit d421ac283ec46d0ecaf6278ba4c24843f65fb2fa
* random/random-csprng.c (faked_rng): Drop variable.
(gather_faked): Drop prototype and function.
(initialize): Drop fallback code.
(_gcry_rngcsprng_is_faked): Change accordingly.
random: Fix selection of entropy gathering function.
+ + commit 468a5796ffb1a7776db4004d534376c1b981d740
* random/random-csprng.c (getfnc_gather_random): Do return NULL if no
usable entropy gathering function is found. The callsite then
installs the fake gather function.
2015-11-26 NIIBE Yutaka <gniibe@fsij.org>
ecc: minor improvement of point multiplication.
+ + commit 3658afd09c3b03b4398aaa5748387220c93b1a94
* mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop.
2015-11-25 NIIBE Yutaka <gniibe@fsij.org>
ecc: Constant-time multiplication for Weierstrass curve.
+ + commit 88e1358962e902ff1cbec8d53ba3eee46407851a
* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
method for Weierstrass curve when SCALAR is secure.
mpi: fix gcry_mpi_swap_cond.
+ + commit f88adee3e1f3e2de7d63f92f90bfb3078afd3b4f
* mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.
mpi: Fix mpi_set_cond and mpi_swap_cond .
+ + commit 8ad682c412047d3b9196950709dbd7bd14ac8732
* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
the operator of !!, but assume SET/SWAP is 0 or 1.
ecc: multiplication of Edwards curve to be constant-time.
+ + commit 295b1c3540752af4fc5e6f41480e6db215222fba
* mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.
ecc: Add point_resize and point_swap_cond.
+ + commit b6015176df6bfae107ac82f9baa29ef2c175c9f9
* mpi/ec.c (point_resize, point_swap_cond): New.
(_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.
2015-11-18 Justus Winter <justus@g10code.com>
cipher: Fix error handling.
+ + commit 940dc8adc034a6c6c38742f6bfd7d837a532d537
* cipher/cipher.c (_gcry_cipher_ctl): Fix error handling.
2015-11-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Tweak Keccak for small speed-up.
+ + commit 6571a64331839d7d952292163afbf34c8bef62e0
* cipher/keccak_permute_32.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Track
rounds with round constant pointer instead of separate round counter.
* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Ditto.
absorb loops.
Update license information for CRC.
+ + commit 15ea0acf8bb0aa307eccc23024a0bd7878fb8080
* LICENSES: Remove 'Simple permissive' and 'IETF permissive' licenses
for 'cipher/crc.c' as result of rewrite of CRC implementations.
2015-11-17 Justus Winter <justus@g10code.com>
Fix typos found using codespell.
+ + commit 0e395944b70c7a92a6437f6bcc14f287c19ce9de
* cipher/cipher-ocb.c: Fix typos.
* cipher/des.c: Likewise.
* cipher/dsa-common.c: Likewise.
2015-11-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Improve performance of Tiger hash algorithms.
+ + commit 89fa74d6b3e58cd4fcd6e0939a35e46cbaca2ea0
* cipher/tiger.c (tiger_round, pass, key_schedule): Convert functions
to macros.
(transform_blk): Pass variable names instead of pointers to 'pass'.
Add ARMv7/NEON implementation of Keccak.
+ + commit a1cc7bb15473a2419b24ecac765ae0ce5989a13b
* cipher/Makefile.am: Add 'keccak-armv7-neon.S'.
* cipher/keccak-armv7-neon.S: New.
* cipher/keccak.c (USE_64BIT_ARM_NEON): New.
* configure.ac: Add 'keccak-armv7-neon.lo'.
Optimize Keccak 64-bit absorb functions.
+ + commit 2857cb89c6dc1c02266600bc1fd2967a3cd5cf88
* cipher/keccak.c [USE_64BIT] [__x86_64__] (absorb_lanes64_8)
(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
* cipher/keccak.c [USE_64BIT] [!__x86_64__] (absorb_lanes64_8)
2015-10-31 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable CRC test vectors with zero bytes.
+ + commit 07e4839e75a7bca3a6c0a94aecfe75efe61d7ff2
* tests/basic.c (check_digests): Enable CRC test-vectors with zero
bytes.
Keccak: Add SHAKE Extendable-Output Functions.
+ + commit c0b9eee2d93a13930244f9ce0c14ed6b4aeb6c29
* src/hash-common.c (_gcry_hash_selftest_check_one): Add handling for
XOFs.
* src/keccak.c (keccak_ops_t): Rename 'extract_inplace' to 'extract'
* tests/bench-slope.c (kdf_bench_one): Skip XOFs.
Few updates to documentation.
+ + commit 28de6f9e16e386018e81a9cdaee596be7616ccab
* doc/gcrypt.text: Add mention of new 'intel-fast-shld' hw feature
flag; Add mention of x86 RDRAND support in rndhw.
Add HMAC-SHA3 test vectors.
+ + commit 92ad19873562cfce7bcc4a0b5aed8195d8284cfc
* tests/basic.c (check_mac): Add HMAC_SHA3 test vectors.
2015-10-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
md: add variable length output interface.
+ + commit 577dc2b63ceca6a8a716256d034ea4e7414f65fa
* cipher/crc.c (_gcry_digest_spec_crc32)
(_gcry_digest_spec_crc32_rfc1510, _gcry_digest_spec_crc24_rfc2440): Set
'extract' NULL.
* src/visibility.h (gcry_md_extract): New.
md: check hmac flag in prepare_macpads.
+ + commit cee2e122ec6c1886957a8d47498eb63a6a921725
* cipher/md.c (prepare_macpads): Check hmac flag.
keccak: rewrite for improved performance.
+ + commit 74184c28fbe7ff58cf57f0094ef957d94045da7d
* cipher/Makefile.am: Add 'keccak_permute_32.h' and
'keccak_permute_64.h'.
* cipher/hash-common.h [USE_SHA3] (MD_BLOCK_MAX_BLOCKSIZE): Remove.
* cipher/keccak_permute_64.h: New.
hwf-x86: add detection for Intel CPUs with fast SHLD instruction.
+ + commit 909644ef5883927262366c356eed530e55aba478
* cipher/sha1.c (sha1_init): Use HWF_INTEL_FAST_SHLD instead of
HWF_INTEL_CPU.
* cipher/sha256.c (sha256_init, sha224_init): Ditto.
* src/hwfeatures.c (hwflist): Add "intel-fast-shld".
Fix OCB amd64 assembly implementations for x32.
+ + commit 16fd540f4d01eb6dc23d9509ae549353617c7a67
* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
(_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
(_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Ditto.
bench-slope: add KDF/PBKDF2 benchmark.
+ + commit ae40af427fd2a856b24ec2a41323ec8b80ffc9c0
* tests/bench-slope.c (bench_kdf_mode, bench_kdf_init, bench_kdf_free)
(bench_kdf_do_bench, kdf_ops, kdf_bench_one, kdf_bench): New.
(print_help): Add 'kdf'.
2015-10-22 NIIBE Yutaka <gniibe@fsij.org>
md: keep contexts for HMAC in GcryDigestEntry.
+ + commit f7505b550dd591e33d3a3fab9277c43c460f1bad
* cipher/md.c (struct gcry_md_context): Add flags.hmac.
Remove macpads and mcpads_Bsize.
(md_open): Initialize flags.hmac. Remove macpads initialization.
2015-10-15 NIIBE Yutaka <gniibe@fsij.org>
Fix double free on error.
+ + commit 1c6d2698a84e4bf82735287c1d64954bfc1a1982
* src/hmac256.c (_gcry_hmac256_finalize): Don't free HD.
2015-10-14 NIIBE Yutaka <gniibe@fsij.org>
Fix gpg_error_t and gpg_err_code_t confusion.
+ + commit 813565a07ca575c87e1252c6ed26018653ecd338
* src/gcrypt-int.h (_gcry_sexp_extract_param): Revert the change.
* cipher/dsa.c (dsa_check_secret_key): Ditto.
* src/sexp.c (_gcry_sexp_extract_param): Return gpg_err_code_t.
2015-10-13 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix compiling AES/AES-NI implementation on linux-i386.
+ + commit fa94b6111948a614ebdcb67f7942eced8b84c579
* cipher/rijndael-aesni.c (do_aesni_ctr_4): Split assembly block in
two parts to reduce number of register constraints needed.
2015-10-13 NIIBE Yutaka <gniibe@fsij.org>
Fix declaration of return type.
+ + commit 73374fdd27c7ba28b19f9672c68a6f5b72252fe5
* src/gcrypt-int.h (_gcry_sexp_extract_param): Return gpg_error_t.
* cipher/dsa.c (dsa_generate): Fix call to _gcry_sexp_extract_param.
* src/g10lib.h (_gcry_vcontrol): Return gcry_err_code_t.
2015-09-07 Werner Koch <wk@gnupg.org>
Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls.
+ + commit 3a3d5410cc83f7069c7cb1ab384905f382292d32
* src/secmem.c (lock_pool, secmem_init): Do not call any cap_
functions if NO_PRIV_DROP is set.
2015-09-04 Werner Koch <wk@gnupg.org>
w32: Avoid a few compiler warnings.
+ + commit e97c62a4a687b56d00a2d0a63e072a977f8eb81c
* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Mark variable
as unused.
* tests/random.c (writen, readn): Include on if needed.
w32: Fix alignment problem with AESNI on Windows >= 8.
+ + commit e2785a2268702312529521df3bd2f4e6b43cea3a
* cipher/cipher-selftest.c (_gcry_cipher_selftest_alloc_ctx): New.
* cipher/rijndael.c (selftest_basic_128, selftest_basic_192)
(selftest_basic_256): Allocate context on the heap.
2015-08-31 Werner Koch <wk@gnupg.org>
rsa: Add verify after sign to avoid Lenstra's CRT attack.
+ + commit c17f84bd02d7ee93845e92e20f6ddba814961588
* cipher/rsa.c (rsa_sign): Check the CRT.
Add pubkey algo id for EdDSA.
+ + commit dd87639abd38afc91a6f27af33f0ba17402ad02d
* src/gcrypt.h.in (GCRY_PK_EDDSA): New.
2015-08-25 Werner Koch <wk@gnupg.org>
Add configure option --enable-build-timestamp.
+ + commit a785cc3db0c4e8eb8ebbf784b833a40d2c42ec3e
* configure.ac (BUILD_TIMESTAMP): Set to "<none>" by default.
2015-08-23 Werner Koch <wk@gnupg.org>
tests: Add missing files for the make distcheck target.
+ + commit fb3cb47b0a29d3e73150297aa4495c20915e4a75
* tests/Makefile.am (EXTRA_DIST): Add sha3-x test vector files.
2015-08-19 Werner Koch <wk@gnupg.org>
Change SHA-3 algorithm ids.
+ + commit 65639ecaaeba642e40487446c40d045482001285
* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): Change values.
2015-08-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Keccak: Fix array indexes in θ step.
+ + commit 48822ae0b436bcea0fe92dbf0d88475ba3179320
* cipher/keccak.c (keccak_f1600_state_permute): Fix indexes for D[5].
Simplify OCB offset calculation for parallel implementations.
+ + commit 24ebf53f1e8a8afa27dcd768339bda70a740bb03
* cipher/camellia-glue.c (_gcry_camellia_ocb_crypt)
(_gcry_camellia_ocb_auth): Precalculate Ls array always, instead of
just if 'blkn % <parallel blocks> == 0'.
(check_ocb_cipher_largebuf): New.
Add carryless 8-bit addition fast-path for AES-NI CTR mode.
+ + commit e11895da1f4af9782d89e92ba2e6b1a63235b54b
* cipher/rijndael-aesni.c (do_aesni_ctr_4): Do addition using
CTR in big-endian form, if least-significant byte does not overflow.
2015-08-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add additional SHA3 test-vectors.
+ + commit 80321eb3a63a20f86734d6eebb3f419c0ec895aa
* tests/basic.c (check_digests): Allow datalen to be specified so that
input data can have byte with value 0x00; Include sha3-*.h header files
to test-vector structure.
* tests/sha3-512.h: New.
Add generic SHA3 implementation.
+ + commit 434ba17d1d5ad59c70d721ad3ecb376c2403a7e5
* cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE): Increase blocksize
USE_SHA3 enabled.
* cipher/keccak.c (SHA3_DELIMITED_SUFFIX, SHAKE_DELIMITED_SUFFIX): New.
* tests/basic.c (check_digests): Add SHA3 test vectors.
Optimize OCB offset calculation.
+ + commit 49f52c67fb42c0656c8f9af655087f444562ca82
* cipher/cipher-internal.h (ocb_get_l): New.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
(ocb_crypt): Use 'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
2015-08-10 NIIBE Yutaka <gniibe@fsij.org>
ecc: fix Montgomery curve bugs.
+ + commit ce746936b6c210e602d106cfbf45cf60b408d871
* cipher/ecc.c (check_secret_key): Y1 should not be NULL when check.
(ecc_check_secret_key): Support Montgomery curve.
* mpi/ec.c (_gcry_mpi_ec_curve_point): Fix condition.
2015-08-08 Werner Koch <wk@gnupg.org>
Add framework to eventually support SHA3.
+ + commit 0e17f7a05bba309a87811992aa47a77af9935b99
* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): New.
(GCRY_MAC_HMAC_SHA3_224, GCRY_MAC_HMAC_SHA3_256)
2015-08-06 Werner Koch <wk@gnupg.org>
tools: Fix memory leak for functions "I" and "G".
+ + commit 10789e3cdda7b944acb4b59624c34a2ccfaea6e5
* src/mpicalc.c (do_inv, do_gcd): Init A after stack check.
2015-08-06 Ismo Puustinen <ismo.puustinen@intel.com>
ecc: Free memory also when in error branch.
+ + commit 1d896371fbc94c605fce35eabcde01e24dd22892
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Init DISGEST and goto
leave on error.
2015-08-06 NIIBE Yutaka <gniibe@fsij.org>
Add Curve25519 support.
+ + commit e93f4c21c59756604440ad8cbf27e67d29c99ffd
* cipher/ecc-curves.c (curve_aliases, domain_parms): Add Curve25519.
* tests/curves.c (N_CURVES): It's 22 now.
* src/cipher.h (PUBKEY_FLAG_DJB_TWEAK): New.
2015-07-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Reduce code size for Twofish key-setup and remove key dependend branch.
+ + commit b4b1d872ba651bc44761b35d245b1a519a33f515
* cipher/twofish.c (poly_to_exp): Increase size by one, change type
from byte to u16 and insert '492' to index 0.
(exp_to_poly): Increase size by 256, let new cells have zero value.
CALC_K256 and CALC_K phases to reduce generated object size.
Reduce amount of duplicated code in OCB bulk implementations.
+ + commit e950052bc6f5ff11a7c23091ff3f6b5cc431e875
* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
(ocb_crypt): Change bulk function to return number of unprocessed
blocks.
Remove unaccelerated common code.
Add bulk OCB for Serpent SSE2, AVX2 and NEON implementations.
+ + commit adbdca0d58f9c06dc3850b95e3455e179c1e6960
* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
functions for Serpent.
* cipher/serpent-armv7-neon.S: Add OCB assembly functions.
* tests/basic.c (check_ocb_cipher): Add test-vector for serpent.
Add bulk OCB for Twofish AMD64 implementation.
+ + commit 7f6804c37c4b41d85fb26aa723b1c41e4a3cf278
* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
functions for Twofish.
* cipher/twofish-amd64.S: Add OCB assembly functions.
* tests/basic.c (check_ocb_cipher): Add test-vector for Twofish.
Add bulk OCB for Camellia AES-NI/AVX and AES-NI/AVX2 implementations.
+ + commit bb088c6b1620504fdc79e89af27c2bf3fb02b4b4
* cipher/camellia-aesni-avx-amd64.S: Add OCB assembly functions.
* cipher/camellia-aesni-avx2-amd64.S: Add OCB assembly functions.
* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
2015-07-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add OCB bulk mode for AES SSSE3 implementation.
+ + commit 620e1e0300c79943a1846a49563b04386dc60546
* cipher/rijndael-ssse3-amd64.c (SSSE3_STATE_SIZE): New.
[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): Use
'ssse3_state' for storing current SSSE3 state.
2015-07-26 Peter Wu <peter@lekensteyn.nl>
Fix undefined behavior wrt memcpy.
+ + commit 46c072669eb81ed610cc5b3c0dc0c75a143afbb4
* cipher/cipher-gcm.c: Do not copy zero bytes from an empty buffer. Let
the function continue to add padding as needed though.
* cipher/mac-poly1305.c: If the caller requested to finish the hash
2015-07-23 Peter Wu <peter@lekensteyn.nl>
build: ignore scissor line for the commit-msg hook.
+ + commit ada0a7d302cca97b327faaacac7a5d0b8043df88
* build-aux/git-hooks/commit-msg: Stop processing more lines when the
scissor line is encountered.
2015-07-16 Peter Wu <peter@lekensteyn.nl>
rsa: Fix error in comments.
+ + commit 9cd55e8e948f0049cb23495f536decf797d072f7
* cipher/rsa.c: Fix.
2015-07-14 Peter Wu <peter@lekensteyn.nl>
sexp: Fix invalid deallocation in error path.
+ + commit 0f9532b186c1e0b54d7e7a6d76bce82b6226122b
* src/sexp.c: Fix wrong condition.
2015-07-10 Peter Wu <peter@lekensteyn.nl>
ecc: fix memory leak.
+ + commit 2a7aa3ea4d03a9c808d5888f5509c08cd27aa27c
* cipher/ecc.c (ecc_verify): Release memory which was allocated before
by _gcry_pk_util_preparse_sigval.
(ecc_decrypt_raw): Likewise.
2015-07-06 NIIBE Yutaka <gniibe@fsij.org>
ecc: fix memory leaks.
+ + commit 0a7547e487a8bc4e7ac9599c55579eb2e4a13f06
cipher/ecc.c (ecc_generate): Fix memory leak on error of
_gcry_pk_util_parse_flaglist and _gcry_ecc_eddsa_encodepoint.
(ecc_check_secret_key): Fix memory leak on error of
2015-06-11 NIIBE Yutaka <gniibe@fsij.org>
mpi: Support FreeBSD 10 or later.
+ + commit a36ee7501f68ad7ebcfe31f9659430b9d2c3ddd1
* mpi/config.links: Include FreeBSD 10 to 29.
2015-05-21 Werner Koch <wk@gnupg.org>
ecc: Add key generation flag "no-keytest".
+ + commit 2bddd947fd1c11b4ec461576db65a5e34fea1b07
* src/cipher.h (PUBKEY_FLAG_NO_KEYTEST): New.
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag
"no-keytest". Return an error for invalid flags of length 10.
no-keytest.
ecc: Avoid double conversion to affine coordinates in keygen.
+ + commit 102d68b3bd77813a3ff989526855bb1e283bf9d7
* cipher/ecc.c (nist_generate_key): Add args r_x and r_y.
(ecc_generate): Rename vars. Convert to affine coordinates only if
not returned by the lower level generation function.
random: Change initial extra seeding from 2400 bits to 128 bits.
+ + commit 8124e357b732a719696bfd5271def4e528f2a1e1
* random/random-csprng.c (read_pool): Reduce initial seeding.
2015-05-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable AMD64 Twofish implementation on WIN64.
+ + commit 9b0c6c8141ae9bd056392a3f6b5704b505fc8501
* cipher/twofish-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
assembly functions.
Enable AMD64 Serpent implementations on WIN64.
+ + commit eb0ed576893b6c7990dbcb568510f831d246cea6
* cipher/serpent-avx2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
ASM_FUNC_ABI.
Enable AMD64 Salsa20 implementation on WIN64.
+ + commit 12bc93ca8187b8061c2e705427ef22f5a71d29b0
* cipher/salsa20-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
(salsa20_do_encrypt_stream) [USE_AMD64]: Add ASM_EXTRA_STACK.
Enable AMD64 Poly1305 implementations on WIN64.
+ + commit 8d7de4dbf7732c6eb9e9853ad7c19c89075ace6f
* cipher/poly1305-avx2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
(poly1305_finish_ext_ref8): Use OPS_FUNC_ABI.
Enable AMD64 3DES implementation on WIN64.
+ + commit b65e9e71d5ee992db5c96793c6af999545daad28
* cipher/des-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
assembly functions.
Enable AMD64 ChaCha20 implementations on WIN64.
+ + commit 9597cfddf03c467825da152be5ca0d12a8c30d88
* cipher/chacha20-avx2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
(chacha20_core): Add ASM_EXTRA_STACK.
Enable AMD64 CAST5 implementation on WIN64.
+ + commit 6a6646df80386204675d8b149ab60e74d7ca124c
* cipher/cast5-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(RIP): Remove.
assembly functions.
Enable AMD64 Camellia implementations on WIN64.
+ + commit 9a4fb3709864bf3e3918800d44ff576590cd4e92
* cipher/camellia-aesni-avx-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
(_gcry_camellia_aesni_avx2_cfb_dec): Add ASM_FUNC_ABI.
Enable AMD64 Blowfish implementation on WIN64.
+ + commit e05682093ffb003b589a697428d918d755ac631d
* cipher/blowfish-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
..
Enable AMD64 arcfour implementation on WIN64.
+ + commit c46b015bedba7ce0db68929bd33a86a54ab3d919
* cipher/arcfour-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
assembly block to call AMD64 assembly function.
Update documentation for Poly1305-ChaCha20 AEAD, RFC-7539.
+ + commit ee8fc4edcb3466b03246c8720b90731bf274ff1d
* cipher/cipher-poly1305.c: Add RFC-7539 to header.
* doc/gcrypt.texi: Update Poly1305 AEAD documentation with mention of
RFC-7539; Drop Salsa from supported stream ciphers for Poly1305 AEAD.
hwf-x86: use edi for passing value to ebx for i386 cpuid.
+ + commit bac42c68b069f17abcca810a21439c7233815747
* src/hwf-x86.c [__i386__] (get_cpuid): Use '=D' for regs[1] instead
of '=r'.
hwf-x86: add EDX as output register for xgetbv asm block.
+ + commit e15beb584a5ebdfc363e1ff15f87102508652d71
* src/hwf-x86.c (get_xgetbv): Add EDX as output.
2015-05-04 Werner Koch <wk@gnupg.org>
build: Update build-aux files.
+ + commit 5a7d55eed3316f40ca61acbee032bfc285e28803
+
Fix possible regression on old 32 bit mingw compilers.
+ + commit 090ca7435156b5f52064357dd59059570d466f46
* acinclude.m4: Add new pattern for mingw32.
build: Add new file.
+ + commit 4af52b2e72ce004b7d8f99e09c4324e3c2a84379
* mpi/amd64/distfiles: Add func_abi.h.
2015-05-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix WIN64 assembly glue for AES.
+ + commit 24a769a7c7601dbb85332e550f6fbd121b56df5f
* cipher/rinjdael.c (do_encrypt, do_decrypt)
[!HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Change input operands to
input+output to mark volatile nature of the used registers.
Add '1 million a characters' test vectors.
+ + commit 2f4fefdbc62857b6e2da26ce111ee140a068c471
* tests/basic.c (check_digests): Add "!" test vectors for MD5, SHA-384,
SHA-512, RIPEMD160 and CRC32.
2015-05-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
More optimized CRC implementations.
+ + commit 06e122baa3321483a47bbf82fd2a4540becfa0c9
* cipher/crc.c (crc32_table, crc24_table): Replace with new table
contents.
(update_crc32, CRC24_INIT, CRC24_POLY): Remove.
* tests/basic.c (check_digests): Add CRC "123456789" tests.
Enable AMD64 AES implementation for WIN64.
+ + commit 66129b3334a5aa54ff8a97981507e4704f759571
* cipher/rijndael-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
assembly block to call AMD64 assembly encrypt/decrypt function.
Enable AMD64 Whirlpool implementation for WIN64.
+ + commit 8422d5d699265b960bd1ca837044ee052fc5b614
* cipher/whirlpool-sse2-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
burn value.
Enable AMD64 SHA512 implementations for WIN64.
+ + commit 1089a13073c26a9a456e43ec38d937e6ee7f4077
* cipher/sha512-avx-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
(transform): Add ASM_EXTRA_STACK to stack burn value.
Enable AMD64 SHA256 implementations for WIN64.
+ + commit 022959099644f64df5f2a83ade21159864f64837
* cipher/sha256-avx-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
(transform): Add ASM_EXTRA_STACK to stack burn value.
Enable AMD64 SHA1 implementations for WIN64.
+ + commit e433676a899fa0d274d40547166b03c7c8bd8e78
* cipher/sha1-avx-amd64.S: Enable when
HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
(ELF): New macro to mask lines with ELF specific commands.
2015-05-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Enable AES/AES-NI, AES/SSSE3 and GCM/PCLMUL implementations on WIN64.
+ + commit 4e09aaa36d151c3312019724a77fc09aa345b82f
* cipher/cipher-gcm-intel-pclmul.c (_gcry_ghash_intel_pclmul)
( _gcry_ghash_intel_pclmul) [__WIN64__]: Store non-volatile vector
registers before use and restore after.
(gcry_cv_gcc_win64_platform_as_ok): New checks.
Add W64 support for mpi amd64 assembly.
+ + commit 460355f23e770637d29e3af7b998a957a2b5bc88
acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Set
'ac_cv_sys_symbol_underscore=no' on MingW-W64.
mpi/amd64/func_abi.h: New.
[host=x86_64-*-*]: Append mpi/amd64/func_abi.h to mpi/asm-syntax.h.
DES: Silence compiler warnings on Windows.
+ + commit 6c21cf5fed1ad430fa41445eac2350802bc8aaed
* cipher/des.c (working_memcmp): Make pointer arguments 'const void *'.
Cast pointers to integers using uintptr_t instead of long.
+ + commit 9cf224322007d90193d4910f0da6e0e29ce01d70
+
Fix rndhw for 64-bit Windows build.
+ + commit d5a7e00b6b222566a5650639ef29684b047c1909
* configure.ac: Add sizeof check for 'void *'.
* random/rndhw.c (poll_padlock): Check for SIZEOF_VOID_P == 8
instead of defined(__LP64__).
defined(__LP64__).
Prepare random/win32.c fast poll for 64-bit Windows.
+ + commit 0cdd24456b33defc7f8176fa82ab694fbc284385
* random/win32.c (_gcry_rndw32_gather_random_fast) [ADD]: Rename to
ADDINT.
(_gcry_rndw32_gather_random_fast): Add ADDPTR.
using intrinsic.
Disable GCM and AES-NI assembly implementations for WIN64.
+ + commit f701954555340a503f6e52cc18d58b0c515427b7
* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Do not enable when
__WIN64__ defined.
* cipher/rijndael-internal.h (USE_AESNI): Ditto.
Disable building mpi assembly routines on WIN64.
+ + commit e78560a4b717f7154f910a8ce4128de152f586da
* mpi/config.links: Disable assembly for host 'x86_64-*mingw32*'.
Fix packed attribute check for Windows targets.
+ + commit e886e4f5e73fe6a9f9191f5155852ce5d8bb88fe
* configure.ac (gcry_cv_gcc_attribute_packed): Move 'long b' to its
own packed structure.
Fix tail handling in buf_xor_1.
+ + commit c2dba93e639639bdac139b3a3a456d10ddc61f79
* cipher/bufhelp.h (buf_xor_1): Increment source pointer at tail
handling.
Add --disable-hwf for basic tests.
+ + commit 839a3bbe2bb045139223b32753d656cc6c3d4669
* tests/basic.c (main): Add handling for '--disable-hwf'.
Use more odd chuck sizes for check_one_md.
+ + commit 9f086ffa43f2507b9d17522a0a2e394cb273baf8
* tests/basic.c (check_one_md): Make chuck size vary oddly, instead
of using fixed length of 1000 bytes.
Enable more modes in basic ciphers test.
+ + commit e40eff94f9f8654c3d29e03bbb7e5ee6a43c1435
* src/gcrypt.h.in (GCRY_OCB_BLOCK_LEN): New.
* tests/basic.c (check_one_cipher_core_reset): New.
(check_one_cipher_core): Use check_one_cipher_core_reset inplace of
(check_ciphers): Add CCM and OCB modes for block cipher tests.
Fix reseting cipher in OCB mode.
+ + commit 88842cbc68beb4f73c87fdbcb74182cba818f789
* cipher/cipher.c (cipher_reset): Setup default taglen for OCB after
clearing state.
2015-04-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix buggy RC4 AMD64 assembly and add test to notice similar issues.
+ + commit 124dfce7c5a2d9405fa2b2832e91ac1267943830
* cipher/arcfour-amd64.S (_gcry_arcfour_amd64): Fix swapped store of
'x' and 'y'.
* tests/basic.c (get_algo_mode_blklen): New.
2015-04-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Disallow compiler from generating SSE instructions in mixed C+asm source
+ + commit f88266c0f868d7bf51a215d5531bb9f2b4dad19e
* cipher/cipher-gcm-intel-pclmul.c [gcc-version >= 4.4]: Add GCC target
pragma to disable compiler use of SSE.
* cipher/rijndael-aesni.c [gcc-version >= 4.4]: Ditto.
2015-04-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add OCB bulk crypt/auth functions for AES/AES-NI.
+ + commit 305cc878d395475c46b4ef52f4764bd0c85bf8ac
* cipher/cipher-internal.h (gcry_cipher_handle): Add bulk.ocb_crypt
and bulk.ocb_auth.
(_gcry_cipher_ocb_get_l): New prototype.
2015-04-15 Werner Koch <wk@gnupg.org>
tests: Add option to time the S2K function.
+ + commit fe38d3815b4cd203cd529949e244aca80d32897f
* tests/t-kdf.c: Include stopwatch.h.
(dummy_consumer): new.
(bench_s2k): New.
(main): Add option parser and option --s2k.
tests: Improve stopwatch.h.
+ + commit 3b03a3b493233a472da531d8d9582d1be6d376b0
* tests/stopwatch.h (elapsed_time): Add arg divisor.
2015-04-13 Werner Koch <wk@gnupg.org>
mpi: Fix gcry_mpi_copy for NULL opaque data.
+ + commit 9fca46864e1b5a9c788072113589454adb89fa97
* mpi/mpiutil.c (_gcry_mpi_copy): Copy opaque only if needed.
2015-03-21 Jussi Kivilinna <jussi.kivilinna@iki.fi>
wipememory: use one-byte aligned type for unaligned memory accesses.
+ + commit a06fbc0d1e98eb1218eff55ad2f37d471e4f33b2
* src/g10lib.h (fast_wipememory2_unaligned_head): Enable unaligned
access only when HAVE_GCC_ATTRIBUTE_PACKED and
HAVE_GCC_ATTRIBUTE_ALIGNED defined.
(fast_wipememory2): Use 'fast_wipememory_t'.
bufhelp: use one-byte aligned type for unaligned memory accesses.
+ + commit 92fa5f16d69707e302c0f85b2e5e80af8dc037f1
* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only when
HAVE_GCC_ATTRIBUTE_PACKED and HAVE_GCC_ATTRIBUTE_ALIGNED are defined.
(bufhelp_int_t): New type.
* configure.ac (gcry_cv_gcc_attribute_packed): New.
tests/bench-slope: fix memory-leak and use-after-free bugs.
+ + commit aa234561d00c3fb15fe501df4bf58f3db7c7c06b
* tests/bench-slope.c (do_slope_benchmark): Free 'measurements' at end.
(bench_mac_init): Move 'key' free at end of function.
2015-03-19 Werner Koch <wk@gnupg.org>
Fix two pedantic warnings.
+ + commit f5832285b0e420d77be1b8da10a1e1d86583b414
* src/gcrypt.h.in (gcry_mpi_flag, gcry_mac_algos): Remove trailing
comma.
2015-03-16 Werner Koch <wk@gnupg.org>
Use well defined type instead of size_t in secmem.c.
+ + commit db8ae3616987fa288173446398a107e31e2e28aa
* src/secmem.c (ptr_into_pool_p): Replace size_t by uintptr_t.
Make uintptr_t global available.
+ + commit f0f60c1a04d664936bcf52e8f46705bdc63e7ad9
* cipher/bufhelp.h: Move include for uintptr_t to ...
* src/types.h: here. Check that config.h has been included.
mpi: Remove useless condition.
+ + commit 0a9cdb8ae092d050ca12a7a4f2f50e25b82154ec
* mpi/mpi-pow.c: Remove condition rp==mp.
cipher: Remove useless NULL check.
+ + commit fbb97dcf763e28e81e01092ad4c934b3eaf88cc8
* cipher/hash-common.c (_gcry_md_block_write): Remove NUL check for
hd->buf.
2015-02-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix in-place encryption for OCB mode.
+ + commit 5e66a4f8d5a63f58caeee367433dd8dd32346083
* cipher/cipher-ocb.c (ocb_checksum): New.
(ocb_crypt): Move checksum calculation outside main crypt loop, do
checksum calculation for encryption before inbuf is overwritten.
2015-02-27 NIIBE Yutaka <gniibe@fsij.org>
tests: fix t-sexp.c.
+ + commit 505decf5369970219ddc9e78a20f97c623957b78
* tests/t-sexp.c (bug_1594): Free N and PUBKEY.
mpi: Avoid data-dependent timing variations in mpi_powm.
+ + commit 6636c4fd0c6ceab9f79827bf96967d1e112c0b82
* mpi/mpi-pow.c (mpi_powm): Access all data in the table by
mpi_set_cond.
mpi: Revise mpi_powm.
+ + commit 1fa8cdb933505960d4e4b4842b122d4e06953e88
* mpi/mpi-pow.c (_gcry_mpi_powm): Rename the table to PRECOMP.
2015-02-23 Werner Koch <wk@gnupg.org>
cipher: Use ciphertext blinding for Elgamal decryption.
+ + commit 410d70bad9a650e3837055e36f157894ae49a57d
* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
2015-02-12 NIIBE Yutaka <gniibe@fsij.org>
mpi: Add mpi_set_cond.
+ + commit 653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288
* mpi/mpiutil.c (_gcry_mpi_set_cond): New.
(_gcry_mpi_swap_cond): Fix types.
* src/mpi.h (mpi_set_cond): New.
2015-01-30 Werner Koch <wk@gnupg.org>
w32: Use -static-libgcc to avoid linking to libgcc_s_sjlj-1.dll.
+ + commit 40a7bdf50e19faaf106470897fed72af623adc50
* src/Makefile.am (extra_ltoptions): New.
(libgcrypt_la_LDFLAGS): Use it.
2015-01-28 Werner Koch <wk@gnupg.org>
Fix building of GOST s-boxes when cross-compiling.
+ + commit 2564d204e408b296425ac0660c6bdc6270575fb6
* cipher/Makefile.am (gost-s-box): USe CC_FOR_BUILD.
(noinst_PROGRAMS): Remove.
(EXTRA_DIST): New.
2015-01-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
rijndael: fix wrong ifdef for SSSE3 setkey.
+ + commit ceaa97f0d849c07f3a15b642fc3a2b0a477b4a47
* cipher/rijndael.c (do_setkey): Use USE_SSSE3 instead of USE_AESNI
around SSSE3 setkey selection.
2015-01-16 Werner Koch <wk@gnupg.org>
Add OCB cipher mode.
+ + commit 067d7d8752d4d8a98f8e0e5e9b1a5b13e1b7ff9c
* cipher/cipher-ocb.c: New.
* cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-ocb.c
* cipher/cipher-internal.h (OCB_BLOCK_LEN, OCB_L_TABLE_SIZE): New.
2015-01-15 Werner Koch <wk@gnupg.org>
Add functions to count trailing zero bits in a word.
+ + commit 9d2a22c94ae99f9301321082c4fb8d73f4085fda
* cipher/bithelp.h (_gcry_ctz, _gcry_ctz64): New.
* configure.ac (HAVE_BUILTIN_CTZ): Add new test.
2015-01-08 Werner Koch <wk@gnupg.org>
cipher: Prepare for OCB mode.
+ + commit 9d328962660da72f094dc5424d5ef67abbaffdf6
* src/gcrypt.h.in (GCRY_CIPHER_MODE_OCB): New.
2015-01-06 Werner Koch <wk@gnupg.org>
Make make distcheck work again.
+ + commit 4f7dcdc25af269b12275126edeef30b262fb891d
* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-ciphers.
* cipher/Makefile.am (DISTCLEANFILES): Add gost-sb.h.
2015-01-06 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
stribog: Reduce table size to the needed one.
+ + commit e4de52378a85cf383994ded8edf0d5cf98dcb10c
* cipher/stribog.c (C16): Avoid allocating superfluous space.
gostr3411-94: Fix the iteration count for length filling loop.
+ + commit 05dc5bcd234909ae9c9366b653346076b9a834ed
* cipher/gostr3411-94.c (gost3411_final): Fix loop
2015-01-05 Werner Koch <wk@gnupg.org>
random: Silent warning under NetBSD using rndunix.
+ + commit 817472358a093438e802380caecf7139406400cf
* random/rndunix.c (STDERR_FILENO): Define if needed.
(start_gatherer): Re-open standard descriptors. Fix an
unsigned/signed pointer warning.
primegen: Fix memory leak for invalid call sequences.
+ + commit 8c5eee51d9a25b143e41ffb7ff4a6b2a29b82d83
* cipher/primegen.c (prime_generate_internal): Refactor generator code
to not leak memory for non-implemented feature.
(_gcry_prime_group_generator): Refactor to not leak memory for invalid
args. Also make sure that R_G is set as soon as possible.
doc: Update yat2m to current upstream version (GnuPG).
+ + commit dd5df198727ea5d8f6b04288e14fd732051453c8
+
build: Require automake 1.14.
+ + commit f65276970a6dcd6d9bca94cecc49b68acdcc9492
* configure.ac (AM_INIT_AUTOMAKE): Add serial-tests.
Replace camel case of internal scrypt functions.
+ + commit 1a6d65ac0aab335541726d02f2046d883a768ec3
* cipher/scrypt.c (_salsa20_core): Rename to salsa20_core. Change
callers.
(_scryptBlockMix): Rename to scrypt_block_mix. Change callers.
2015-01-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
rmd160: restore native-endian store in _gcry_rmd160_mixblock.
+ + commit d7c7453cf5e6b8f3c6b522a30e680f844a28c9de
* cipher/rmd160.c (_gcry_rmd160_mixblock): Store result to buffer in
native-endianess.
2014-12-27 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add Intel SSSE3 based vector permutation AES implementation.
+ + commit 8eabecc883332156adffc1df42d27f614c157e06
* cipher/Makefile.am: Add 'rijndael-ssse3-amd64.c'.
* cipher/rijndael-internal.h (USE_SSSE3): New.
(RIJNDAEL_context_s) [USE_SSSE3]: Add 'use_ssse3'.
2014-12-25 Jussi Kivilinna <jussi.kivilinna@iki.fi>
random-csprng: fix compiler warnings on ARM.
+ + commit c2e1f8fea271f3ef8027809547c4a52e0b1e24a2
* random/random-csprng.c (_gcry_rngcsprng_update_seed_file)
(read_pool): Cast keypool and rndpool to 'unsigned long *' through
'void *'.
scrypt: fix compiler warnings on ARM.
+ + commit 1dab4c9422bf0f3cdc7a4d3ccf9db090abd90e94
* cipher/scrypt.c (_scryptBlockMix): Cast X to 'u32 *' through 'void *'.
secmem: fix compiler warnings on ARM.
+ + commit 99faf9cb34f872144313403f29f3379798debfc9
* src/secmem.c (ADDR_TO_BLOCK, mb_get_next, mb_get_new): Cast pointer
from 'char *' to 'memblock_t *' through 'void *'.
(MB_WIPE_OUT): Remove unneeded cast to 'memblock_t *'.
hash: fix compiler warning on ARM.
+ + commit 4515315f61fbf79413e150fbd1d5f5a2435f2bc5
* cipher/md.c (md_open, md_copy): Cast 'char *' to ctx through
'void *'.
* cipher/md4.c (md4_final): Use buf_put_* helper instead of
* cipher/tiger.c (tiger_final): Ditto.
rijndael: fix compiler warnings on ARM.
+ + commit cc26106dbebeb84d481661813edc3e5aea9a7d99
* cipher/rijndael-internal.h (RIJNDAEL_context_s): Add u32 variants of
keyschedule arrays to unions u1 and u2.
(keyschedenc32, keyscheddec32): New.
2014-12-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Poly1305-AEAD: updated implementation to match draft-irtf-cfrg-chacha20-poly1305-03
+ + commit 520070e02e2e6ee7228945015573a6e1f4895ec3
* cipher/cipher-internal.h (gcry_cipher_handle): Use separate byte
counters for AAD and data in Poly1305.
* cipher/cipher-poly1305.c (poly1305_fill_bytecount): Remove.
* tests/bench-slope.c (cipher_bench_one): Ditto.
chacha20: allow setting counter for stream random access.
+ + commit 11b8d2d449a7bc664b4371ae14c57caa6704d272
* cipher/chacha20.c (CHACHA20_CTR_SIZE): New.
(chacha20_ivsetup): Add setup for full counter.
(chacha20_setiv): Allow ivlen == CHACHA20_CTR_SIZE.
gcm: do not pass extra key pointer for setupM/fillM.
+ + commit c964321c8a1328e89d636d899a45d68802f5ac9f
* cipher/cipher-gcm-intel-pclmul.c
(_gcry_ghash_setup_intel_pclmul): Remove 'h' parameter.
* cipher/cipher-gcm.c (_gcry_ghash_setup_intel_pclmul): Ditto.
(_gcry_cipher_gcm_setkey): Only pass 'c' to setupM.
rijndael: use more compact look-up tables and add table prefetching.
+ + commit 2374753938df64f6fd8015b44613806a326eff1a
* cipher/rijndael-internal.h (rijndael_prefetchfn_t): New.
(RIJNDAEL_context): Add 'prefetch_enc_fn' and 'prefetch_dec_fn'.
* cipher/rijndael-tables.h (S, T1, T2, T3, T4, T5, T6, T7, T8, S5, U1)
2014-12-15 Werner Koch <wk@gnupg.org>
build: Add configure option --disable-doc.
+ + commit ad50e360ef4851e66e51a03fc420175636336b58
* Makefile.am (AUTOMAKE_OPTIONS): Remove.
(doc) [!BUILD_DOC]: Do not recurse into the dir.
* configure.ac (AM_INIT_AUTOMAKE): Add option formerly in Makefile.am.
2014-12-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
rijndael: further optimizations for AES-NI accelerated CBC and CFB bulk modes
+ + commit 4f46374502eb988d701b904f83819e2cf7b1755c
* cipher/rijndael-aesni.c (do_aesni_enc, do_aesni_dec): Pass
input/output through SSE register XMM0.
(do_aesni_cfb): Remove.
(_gcry_aes_aesni_cbc_dec): Update to use renewed 'do_aesni_dec'.
GCM: move Intel PCLMUL accelerated implementation to separate file.
+ + commit 4a0795af021305f9240f23626a3796157db46bd7
* cipher/Makefile.am: Add 'cipher-gcm-intel-pclmul.c'.
* cipher/cipher-gcm-intel-pclmul.c: New.
* cipher/cipher-gcm.c [GCM_USE_INTEL_PCLMUL]
2014-12-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
rijndael: split Padlock part to separate file.
+ + commit cbf4c8cb6bbda15eea61885279f2a6f1d4bcedfd
* cipher/Makefile.am: Add 'rijndael-padlock.c'.
* cipher/rijndael-padlock.c: New.
* cipher/rijndael.c (do_padlock, do_padlock_encrypt)
2014-12-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
rijndael: refactor to reduce number of #ifdefs and branches.
+ + commit 3d5b51786e2050c461e9791b59142a731462b66d
* cipher/rijndael-aesni.c (_gcry_aes_aesni_encrypt)
(_gcry_aes_aesni_decrypt): Make return stack burn depth.
* cipher/rijndael-amd64.S (_gcry_aes_amd64_encrypt_block)
(_gcry_aes_cbc_dec): Ditto; Make savebuf buffer 16-byte aligned.
rijndael: move AES-NI blocks before Padlock.
+ + commit dbf9e95dd3891f6e6ad370e8ab78fec03595687b
* cipher/rijndael.c (do_setkey, rijndael_encrypt, _gcry_aes_cfb_enc)
(rijndael_decrypt, _gcry_aes_cfb_dec): Move USE_AESNI before
USE_PADLOCK.
(prepare_decryption) [USE_PADLOCK]: ...here.
rijndael: split AES-NI functions to separate file.
+ + commit 67d529630e838daeb8cb9c6d7ef660c01ef34fee
* cipher/Makefile.in: Add 'rijndael-aesni.c'.
* cipher/rijndael-aesni.c: New.
* cipher/rijndael-internal.h: New.
2014-11-24 Werner Koch <wk@gnupg.org>
Remove duplicated prototypes.
+ + commit d53ea84bed37b973f7ce59262c50b33700cd8311
* src/gcrypt-int.h (_gcry_mpi_ec_new, _gcry_mpi_ec_set_mpi)
(gcry_mpi_ec_set_point): Remove.
tests: Add a prime mode to benchmark.
+ + commit 1b4210c204a5ef5e631187509e011b8468a134ef
* tests/benchmark.c (progress_cb): Add a single char mode.
(prime_bench): New.
(main): Add a "prime" mode. Factor with_progress out to file scope.
2014-11-19 NIIBE Yutaka <gniibe@fsij.org>
ecc: Improve Montgomery curve implementation.
+ + commit e6130034506013d6153465a2bedb6fb08a43f74d
* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Support
MPI_EC_MONTGOMERY.
* cipher/ecc.c (test_ecdh_only_keys): New.
2014-11-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Disable NEON for CPUs that are known to have broken NEON implementation.
+ + commit 95eef21583d8e998efc48f22898c1ae31b77cb48
* src/hwf-arm.c (detect_arm_proc_cpuinfo): Add parsing for CPU version
information and check if CPU is known to have broken NEON
implementation.
(_gcry_hwf_detect_arm): Filter out broken HW features.
Add ARM/NEON implementation of Poly1305.
+ + commit 0b520128551054d83fb0bb2db8873394f38de498
* cipher/Makefile.am: Add 'poly1305-armv7-neon.S'.
* cipher/poly1305-armv7-neon.S: New.
* cipher/poly1305-internal.h (POLY1305_USE_NEON)
* configure.ac [neonsupport=yes]: Add 'poly1305-armv7-neon.lo'.
chacha20: add ARMv7/NEON implementation.
+ + commit c584f44543883346d5a565581ff99a0afce9c5e1
* cipher/Makefile.am: Add 'chacha20-armv7-neon.S'.
* cipher/chacha20-armv7-neon.S: New.
* cipher/chacha20.c (USE_NEON): New.
2014-10-08 Markus Teich <markus.teich@stusta.mhn.de>
mpi: Add gcry_mpi_ec_sub.
+ + commit 23ecadf309f8056c35cc092e58df801ac0eab862
* NEWS (gcry_mpi_ec_sub): New.
* doc/gcrypt.texi (gcry_mpi_ec_sub): New.
* mpi/ec.c (_gcry_mpi_ec_sub, sub_points_edwards): New.
2014-10-08 Werner Koch <wk@gnupg.org>
Fix prime test for 2 and lower and add check command to mpicalc.
+ + commit 5c906e2cdb14e93fb4915fdc69c7353a5fa35709
* cipher/primegen.c (check_prime): Return true for the small primes.
(_gcry_prime_check): Return correct values for 2 and lower numbers.
2014-10-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add Whirlpool AMD64/SSE2 assembly implementation.
+ + commit de0ccd4dce7ec185a678d78878d4538dd609ca0f
* cipher/Makefile.am: Add 'whirlpool-sse2-amd64.S'.
* cipher/whirlpool-sse2-amd64.S: New.
* cipher/whirlpool.c (USE_AMD64_ASM): New.
2014-10-04 Andrei Scherer <andsch@inbox.com>
Improved ripemd160 performance.
+ + commit 30bd759f398f45b04d0a783b875f59ce9bd1e51d
* cipher/rmd160.c (transform): Interleave the left and right lane
rounds to introduce more instruction level parallelism.
2014-10-02 Werner Koch <wk@gnupg.org>
build: Document SYSROOT.
+ + commit 0ecd136a6ca02252f63ad229fa5240897bfe6544
* configure.ac: Mark SYSROOT as arg var.
build: Support SYSROOT based config script finding.
+ + commit 1e8b86494cf8fa045696bd447b16267ffd1797f0
* src/libgcrypt.m4: Add support for SYSROOT and set
gpg_config_script_warn. Use AC_PATH_PROG instead of AC_PATH_TOOL
because the config script is not expected to be installed with a
2014-09-30 Werner Koch <wk@gnupg.org>
mac: Fix gcry_mac_close to allow for a NULL handle.
+ + commit 51dae8c8c4b63bb5e1685cbd8722e35342524737
* cipher/mac.c (_gcry_mac_close): Check for NULL.
2014-09-03 Werner Koch <wk@gnupg.org>
Add a constant for a forthcoming new RNG.
+ + commit 8b960a807d168000d2690897a7634bd384ac1346
* src/gcrypt.h.in (GCRYCTL_DRBG_REINIT): New constant.
2014-09-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add new Poly1305 MAC test vectors.
+ + commit 8a2a328742012a7c528dd007437185e4584c1e48
* tests/basic.c (check_mac): Add new test vectors for Poly1305 MAC.
2014-09-02 Werner Koch <wk@gnupg.org>
asm: Allow building x86 and amd64 using old compilers.
+ + commit 5eec04a43e6c562e956353449be931dd43dfe1cc
* src/hwf-x86.c (get_xgetbv): Build only if AVX support is enabled.
2014-08-21 Werner Koch <wk@gnupg.org>
sexp: Check args of gcry_sexp_build.
+ + commit e606d5f1bada1f2d21faeedd3fa2cf2dca7b274c
* src/sexp.c (do_vsexp_sscan): Return error for invalid args.
cipher: Fix a segv in case of calling with wrong parameters.
+ + commit f850add813d783f31ca6a60459dea25ef71bce7e
* cipher/md.c (_gcry_md_info): Fix arg testing.
cipher: Fix possible NULL deref in call to prime generator.
+ + commit 18056ace7f466cb8c1eaf08e5dc0400516d83b4c
* cipher/primegen.c (_gcry_generate_elg_prime): Change to return an
error code.
* cipher/dsa.c (generate): Take care of new return code.
2014-08-12 NIIBE Yutaka <gniibe@fsij.org>
ecc: Support Montgomery curve for gcry_mpi_ec_mul_point.
+ + commit 34bb55ee36df3aca3ebca88f8b61c786cd0c0701
* mpi/ec.c (_gcry_mpi_ec_get_affine): Support Montgomery curve.
(montgomery_ladder): New.
(_gcry_mpi_ec_mul_point): Implemention using montgomery_ladder.
2014-08-09 Werner Koch <wk@gnupg.org>
tests: Add a benchmark for Elgamal.
+ + commit e6d354865bf8f3d4c1bb5e8157a76fdd442cff41
* tests/benchmark.c (sample_public_elg_key_1024): New.
(sample_private_elg_key_1024): New.
(sample_public_elg_key_2048, sample_private_elg_key_2048): New.
2014-08-08 NIIBE Yutaka <gniibe@fsij.org>
ecc: Add cofactor to domain parameters.
+ + commit 9933b9e5e1a3f5b1019c75f93bd265d4a1ecc270
* src/ec-context.h (mpi_ec_ctx_s): Add cofactor 'h'.
* cipher/ecc-common.h (elliptic_curve_t): Add cofactor 'h'.
(_gcry_ecc_update_curve_param): New API adding cofactor.
2014-08-05 Werner Koch <wk@gnupg.org>
mpi: Fix regression for powerpc-apple-darwin detection.
+ + commit 4ce77b0a810d3c889c07dfb385127d90fa1ae36a
* mpi/config.links: Add separate entry for powerpc-apple-darwin.
Fix bug inhibiting the use of the sentinel attribute.
+ + commit d2d28298ccc0d0f3c0b03fd323deb1e8808ef74f
* src/gcrypt.h.in: Fix typo in macro.
mpi: Use BSD syntax for x86_64-apple-darwin.
+ + commit 71939faa7c54e7b4b28d115e748a85f134876a02
* mpi/config.links: Add case for x86_64-apple-darwin.
2014-08-05 Kristian Fiskerstrand <kf@sumptuouscapital.com>
Fix building for the x32 target without asm modules.
+ + commit a17c29844b63e9e869f7855d901bc9d859234ead
* mpi/generic/mpi-asm-defs.h: Use a fixed value for the x32 ABI.
2014-07-25 Werner Koch <wk@gnupg.org>
ecc: Support the non-standard 0x40 compression flag for EdDSA.
+ + commit 4556f9b19c024f16bdf542da7173395c0741b91d
* cipher/ecc.c (ecc_generate): Check the "comp" flag for EdDSA.
* cipher/ecc-eddsa.c (eddsa_encode_x_y): Add arg WITH_PREFIX.
(_gcry_ecc_eddsa_encodepoint): Ditto.
* tests/t-ed25519.inp: Ditto.
mpi: Extend the internal mpi_get_buffer.
+ + commit 0e10902ad7584277ac966367efc712b183784532
* mpi/mpicoder.c (do_get_buffer): Add arg EXTRAALLOC.
(_gcry_mpi_get_buffer_extra): New.
cipher: Fix compiler warning for chacha20.
+ + commit 4e0bf1b9190ce08fb23eb3ae0c3be58954ff36ab
* cipher/chacha20.c (chacha20_blocks) [!USE_SSE2]: Do not build.
2014-07-16 NIIBE Yutaka <gniibe@fsij.org>
mpi: Add mpi_swap_cond.
+ + commit 4846e52728970e3117f3a046ef9010be089a3ae4
* mpi/mpiutil.c (_gcry_mpi_swap_cond): New.
* src/mpi.h (mpi_swap_cond): New.
2014-06-29 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Speed-up SHA-1 NEON assembly implementation.
+ + commit 1b9b00bbe41bbed32563f1102049521e703e72bd
* cipher/sha1-armv7-neon.S: Tweak implementation for speed-up.
2014-06-28 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
gostr3411_94: rewrite to use u32 mathematic.
+ + commit 066f068bd0bc4d8e01f1f18b6153cdc8d2c245d7
* cipher/gost28147.c (_gcry_gost_enc_data): New.
* cipher/gostr3411-94.c: Rewrite implementation to use u32 mathematic
internally.
* cipher/gost28147.c (_gcry_gost_enc_one): Remove.
gost28147: use bufhelp helpers.
+ + commit 7aeba6c449169926076df83b01ddbfa6b41fe411
* cipher/gost28147.c (gost_setkey, gost_encrypt_block, gost_decrypt_block):
use buf_get_le32/buf_put_le32 helpers.
Fixup curve name in the GOST2012 test case.
+ + commit b78d504fa8745b8b04589acbbcf7dd5fe9279d13
* tests/basic.c (check_pubkey): fixup curve name in public key.
Update PBKDF2 tests with GOST R 34.11-94 test cases.
+ + commit 7533b2ad46f42e98d9dba52e88e79c0311d2d3b7
* tests/t-kdf.c (check_pbkdf2): Add MD_GOSTR3411_CP test cases.
Add GOST R 34.11-94 variant using id-GostR3411-94-CryptoProParamSet.
+ + commit 25d6af77e2336b5979ddbe8b90978fe5b61dfaf9
* src/gcrypt.h.in (GCRY_MD_GOSTR3411_CP): New.
* src/cipher.h (_gcry_digest_spec_gost3411_cp): New.
* cipher/gost28147.c (_gcry_gost_enc_one): Differentiate between
* cipher/md.c (md_open): GCRY_MD_GOSTR3411_CP also uses B=32.
gost28147: support GCRYCTL_SET_SBOX.
+ + commit 5ee35a04362c94e680ef3633fa83b72e0aee8626
cipher/gost28147.c (gost_set_extra_info, gost_set_sbox): New.
Support setting s-box for the ciphers that require it.
+ + commit fb074d113fcbf66a5c20592625cb19051f3430f5
* src/gcrypt.h.in (GCRYCTL_SET_SBOX, gcry_cipher_set_sbox): New.
* cipher/cipher.c (_gcry_cipher_ctl): pass GCRYCTL_SET_SBOX to
set_extra_info callback.
cipher/gost28147: generate optimized s-boxes from compact ones.
+ + commit 164738a0292b3f32c7747099ad9cadace58e5eda
* cipher/gost-s-box.c: New. Outputs optimized expanded representation of
s-boxes (4x256) from compact 16x8 representation.
* cipher/Makefile.am: Add gost-sb.h dependency to gost28147.lo
* cipher/gost28147.c (gost_val): Use sbox from the context.
gost28147: add OIDs used to define cipher mode.
+ + commit 34a58010000288515636706811c3837f32957b2e
* cipher/gost28147 (oids_gost28147): Add OID from RFC4357.
GOST R 34.11-94 add OIDs.
+ + commit 8b221cf5ce233c8c49a4e4ecebb70d523fc37837
* cipher/gostr3411-94.c: Add OIDs for GOST R 34.11-94 from RFC 4357.
2014-05-21 Jussi Kivilinna <jussi.kivilinna@iki.fi>
tests: add larger test-vectors for hash algorithms.
+ + commit f14fb5b427b5159fcd9603d2b3cde936889cf430
* tests/basic.c (check_digests): Add large test-vectors for MD5, SHA1,
SHA224, SHA256, SHA384, RMD160, CRC32, TIGER1, WHIRLPOOL and
GOSTR3411_94.
sha512: fix ARM/NEON implementation.
+ + commit beb901575f0d6cd6a0a27506ebea9a725754d0cc
* cipher/sha512-armv7-neon.S
(_gcry_sha512_transform_armv7_neon): Byte-swap RW67q and RW1011q
correctly in multi-block loop.
2014-05-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix ARM assembly when building __PIC__
+ + commit 994c758d8f5471c7e9c38c2834742cca2502d35f
* cipher/camellia-arm.S (GET_DATA_POINTER): New.
(_gcry_camellia_arm_encrypt_block): Use GET_DATA_POINTER.
(_gcry_camellia_arm_decrypt_block): Ditto.
2014-05-17 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add Poly1305 to documentation.
+ + commit bf4943932dae95a0573b63bf32a9b9acd5a6ddf3
* doc/gcrypt.texi: Add documentation for Poly1305 MACs and AEAD mode.
2014-05-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
chacha20: add SSE2/AMD64 optimized implementation.
+ + commit 323b1eb80ff3396d83fedbe5bba9a4e6c412d192
* cipher/Makefile.am: Add 'chacha20-sse2-amd64.S'.
* cipher/chacha20-sse2-amd64.S: New.
* cipher/chacha20.c (USE_SSE2): New.
* configure.ac [host=x86-64]: Add 'chacha20-sse2-amd64.lo'.
poly1305: add AMD64/AVX2 optimized implementation.
+ + commit 98f021961ee65669037bc8bb552a69fd78f610fc
* cipher/Makefile.am: Add 'poly1305-avx2-amd64.S'.
* cipher/poly1305-avx2-amd64.S: New.
* cipher/poly1305-internal.h (POLY1305_USE_AVX2)
2014-05-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
poly1305: add AMD64/SSE2 optimized implementation.
+ + commit 297532602ed2d881d8fdc393d1961068a143a891
* cipher/Makefile.am: Add 'poly1305-sse2-amd64.S'.
* cipher/poly1305-internal.h (POLY1305_USE_SSE2)
(POLY1305_SSE2_BLOCKSIZE, POLY1305_SSE2_STATESIZE)
* configure.ac [host=x86_64]: Add 'poly1305-sse2-amd64.lo'.
Add Poly1305 based cipher AEAD mode.
+ + commit e813958419b0ec4439e6caf07d3b2234cffa2bfa
* cipher/Makefile.am: Add 'cipher-poly1305.c'.
* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.poly1305'.
(_gcry_cipher_poly1305_encrypt, _gcry_cipher_poly1305_decrypt)
(cipher_bench_one): Add special handling for Poly1305.
Add Poly1305-AES (-Camellia, etc) MACs.
+ + commit 73b3b75c2221a6e3bed4117e0a206a1193acd2ed
* cipher/mac-internal.h (_gcry_mac_type_spec_poly1305_aes)
(_gcry_mac_type_spec_poly1305_camellia)
(_gcry_mac_type_spec_poly1305_twofish)
* tests/bench-slope.c (mac_bench): Set IV for Poly1305-*** MACs.
Add Poly1305 MAC.
+ + commit b8794fed68ebe7567f4617141f0996ad290d9120
* cipher/Makefile.am: Add 'mac-poly1305.c', 'poly1305.c' and
'poly1305-internal.h'.
* cipher/mac-internal.h (poly1305mac_context_s): New.
* tests/benchmark.c (mac_bench): Ditto.
chacha20/AVX2: clear upper-halfs of YMM registers on entry.
+ + commit c20daeeb05329bfc6cc2c562cbd4b965291fe0e1
* cipher/chacha20-avx2-amd64.S (_gcry_chacha20_amd64_avx2_blocks): Add
'vzeroupper' at beginning.
chacha20/AVX2: check for ENABLE_AVX2_SUPPORT instead of HAVE_GCC_INLINE_ASM_AVX2
+ + commit a3062db748f272e0f7346e1ed9e0bf7ed61a4eae
* cipher/chacha20.c (USE_AVX2): Enable depending on
ENABLE_AVX2_SUPPORT, not HAVE_GCC_INLINE_ASM_AVX2.
* cipher/chacha20-avx2-amd64.S: Ditto.
chacha20/SSSE3: clear XMM registers after use.
+ + commit a7d9eeeba632b7eb4a5b15ff17f6565181642f3c
* cipher/chacha20-ssse3-amd64.S (_gcry_chacha20_amd64_ssse3_blocks): On
return, clear XMM registers.
2014-05-11 Jussi Kivilinna <jussi.kivilinna@iki.fi>
chacha20: add AVX2/AMD64 assembly implementation.
+ + commit a39ee7555691d18cae97560f130aaf952bfbd278
* cipher/Makefile.am: Add 'chacha20-avx2-amd64.S'.
* cipher/chacha20-avx2-amd64.S: New.
* cipher/chacha20.c (USE_AVX2): New macro.
* configure.ac [host=x86-64]: Add 'chacha20-avx2-amd64.lo'.
chacha20: add SSSE3 assembly implementation.
+ + commit def7d4cad386271c6d4e2f10aabe0cb4abd871e4
* cipher/Makefile.am: Add 'chacha20-ssse3-amd64.S'.
* cipher/chacha20-ssse3-amd64.S: New.
* cipher/chacha20.c (USE_SSSE3): New macro.
* configure.ac [host=x86-64]: Add 'chacha20-ssse3-amd64.lo'.
Add ChaCha20 stream cipher.
+ + commit 23f33d57c9b6f2295a8ddfc9a8eee5a2c30cf406
* cipher/Makefile.am: Add 'chacha20.c'.
* cipher/chacha20.c: New.
* cipher/cipher.c (cipher_list): Add ChaCha20.
2014-05-09 Werner Koch <wk@gnupg.org>
mpi: Fix a subtle bug setting spurious bits with in mpi_set_bit.
+ + commit 246b7aaae1ee459f440260bbc4ec2c01c5dc3362
* mpi/mpi-bit.c (_gcry_mpi_set_bit, _gcry_mpi_set_highbit): Clear
allocated but not used bits before resizing.
* tests/t-mpi-bits.c (set_bit_with_resize): New.
2014-05-07 Werner Koch <wk@gnupg.org>
Bump LT version.
+ + commit fc6ff6f73a51bcbbbb3757dc1386da40aa3ae75d
* configure.ac: Bumb LT version to C21/A1/R0.
2014-04-22 Werner Koch <wk@gnupg.org>
random: Small patch for consistency and really burn the stack.
+ + commit a79c4ad7c56ee4410f17beb73eeb58b0dd36bfc6
* random/rndlinux.c (_gcry_rndlinux_gather_random): s/int/size_t/.
(_gcry_rndlinux_gather_random): Replace memset by wipememory.
2014-04-16 Werner Koch <wk@gnupg.org>
pubkey: Re-map all depreccated RSA algo numbers.
+ + commit 773e23698218755e9172d2507031a8263c47cc0b
* cipher/pubkey.c (map_algo): Mape RSA_E and RSA_S.
2014-04-15 Werner Koch <wk@gnupg.org>
cipher: Fix possible NULL dereference.
+ + commit ae1fbce6dacf14747af0126e640bd4e54cb8c680
* cipher/md.c (_gcry_md_selftest): Check for spec being NULL.
2014-03-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3des: add amd64 assembly implementation for 3DES.
+ + commit b76b632a453b8d100d024e2439b4358454dc286e
* cipher/Makefile.am: Add 'des-amd64.S'.
* cipher/cipher-selftests.c (_gcry_selftest_helper_cbc)
(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Handle failures
2014-03-13 Werner Koch <wk@gnupg.org>
tests: Print diagnostics for skipped tests.
+ + commit 50aeee51a0b1a09dd9fff2bb71749a816fe7a791
* tests/basic.c (show_note): New.
(show_md_not_available):
(show_old_hmac_not_available):
2014-03-11 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Add MD2 message digest implementation.
+ + commit 5a8e1504bf8a2ffbc018be576dea77b685200444
* cipher/md2.c: New.
* cipher/md.c (digest_list): add _gcry_digest_spec_md2.
* tests/basic.c (check_digests): add MD2 test vectors.
2014-03-04 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Add an utility to calculate hashes over a set of files.
+ + commit 2b5403c408dfbd71be24c7635f5fa0b61ab4c9bb
* tests/gchash.c: New.
Add a simple (raw) PKCS#1 padding mode.
+ + commit ea8d597726305274214224757b32730644e12bd8
* src/cipher.h (PUBKEY_ENC_PKCS1_RAW): New.
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Handle pkcs1-raw
flag.
2014-02-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix ARMv6 detection when CFLAGS modify target CPU architecture.
+ + commit 6be3032048ee2466511d2384fcf2d28b856219b2
* configure.ac (gcry_cv_cc_arm_arch_is_v6): Use compiler test instead
of preprocessor test.
2014-01-29 Werner Koch <wk@gnupg.org>
Reserve control code for FIPS extensions.
+ + commit aea96a64fbc58a0b6f9f435e97e93294c6eb1052
* src/gcrypt.h.in (GCRYCTL_INACTIVATE_FIPS_FLAG): New.
(GCRYCTL_REACTIVATE_FIPS_FLAG): New.
* src/global.c (_gcry_vcontrol): Add them but return not_implemented.
2014-01-29 NIIBE Yutaka <gniibe@fsij.org>
Fix RSA Blinding.
+ + commit 121a90d8931944974054f7d94f63b7f89df87fa5
* cipher/rsa.c (rsa_decrypt): Loop to get multiplicative inverse.
2014-01-28 Werner Koch <wk@gnupg.org>
cipher: Take care of ENABLE_NEON_SUPPORT.
+ + commit 52f7c48c901a3de51bd690a218f3de2f71e8d790
* cipher/salsa20.c (USE_ARM_NEON_ASM): Define only if
ENABLE_NEON_SUPPORT is defined.
* cipher/serpent.c (USE_NEON): Ditto.
* cipher/sha512.c (USE_ARM_NEON_ASM): Ditto.
sexp: Fix broken gcry_sexp_nth.
+ + commit cbdc355415f83ed62da4f3618767eba54d7e6d37
* src/sexp.c (_gcry_sexp_nth): Return a valid S-expression for a data
element.
(NODE): Remove unused typedef.
2014-01-27 Werner Koch <wk@gnupg.org>
tests: Improve t-common.h.
+ + commit 7460e9243b3cc050631c37ed4f2713ae7bcb6762
* tests/t-common.h: Add couple of macros. Check that config.h has
been included.
(show): Rename to info.
* tests/t-lock.c, tests/t-sexp.c: Adjust for changes.
mpi: Minor fix for Atari-mint.
+ + commit 3caa0f1319dc4779e0d6eee4460c1af2a12b2c3c
* mpi/config.links [m68k-atari-mint]: Do not assume 68020. Suggested
by Alan Hourihane.
2014-01-27 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Fix most of memory leaks in tests code.
+ + commit 5c150ece094bf0a504a111ce6c7b72e8d0b0457a
* tests/basic.c (check_ccm_cipher): Close cipher after use.
* tests/basic.c (check_one_cipher): Correct length of used buffer.
* tests/benchmark.c (cipher_bench): Use xcalloc to make buffer
* tests/t-sexp.c (check_extract_param): Release extracted number.
Fix memory leaks in ecc code.
+ + commit 6d87e6abdfb7552323a95401f14e6367398a3e5a
* cipher/ecc-curves.c (_gcry_ecc_update_curve_param): Release passed mpi
values.
* cipher/ecc.c (compute_keygrip): Fix potential memory leak in error
* cipher/ecc.c (_gcry_ecc_get_curve): Release temporary mpi.
Fix number of blocks passed used in _gcry_rmd160_mixblock.
+ + commit 5d23e7b9a77421f3ebfda4a84c459a8729f3bb41
* cipher/rmd160.c (_gcry_rmd160_mixblock): pass 1 to transform
2014-01-27 Werner Koch <wk@gnupg.org>
Small Windows build tweaks.
+ + commit f7df906171854b6b6506b82d4fee2c2ebb0327ea
* configure.ac (HAVE_PTHREAD): Do test when building for Windows.
* tests/basic.c: Replace "%zi" by "%z" and a cast to make it work
under Windows.
Update gpg-error autoconf macros to fix threading problems.
+ + commit 79da0358fd555361e1ce4202f55494a8918eb8ae
* m4/gpg-error.m4: Update to version 2014-01-24.
* tests/Makefile.am (t_lock_LDADD): Use MT Libs.
2014-01-24 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
tests: Pass -no-install to libtool.
+ + commit bf34bfa5c458ee5ece91f25e3b4194d768498ab6
* tests/Makefile.am: add AM_LDFLAGS = -no-install
2014-01-24 Werner Koch <wk@gnupg.org>
tests: Add a test for the internal locking.
+ + commit ff91ec934ed52294cddcd7dcfacc04721a0487bf
* src/global.c (external_lock_test): New.
(_gcry_vcontrol): Call new function with formerly reserved code 61.
(t_lock_LDADD): New.
Check compiler features only for the relevant platform.
+ + commit 24e65d715812cea28732397870cb1585b8435521
* mpi/config.links (mpi_cpu_arch): Always set for ARM. Set for HPPA.
Set to "undefined" for unknown platforms.
(try_asm_modules): Act upon only after having detected the CPU.
2014-01-23 Werner Koch <wk@gnupg.org>
Support building using the latest mingw-w64 toolchain.
+ + commit 4ad3417acab5021db1f722c314314ce4b781833a
* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Change mingw detection.
2014-01-20 Werner Koch <wk@gnupg.org>
cipher: Fix commit 94030e44.
+ + commit dad06e4d1b835bac778b87090b1d3894b7535b14
* cipher/tiger.c (tiger_init): Add arg FLAGS.
(tiger1_init, tiger2_init): Ditto.
tests: Rename tsexp.c.
+ + commit 192e77d123fdb04c459c998b9eb1731618a833fa
* tests/tsexp.c: Rename to t-sexp.c
2014-01-19 Werner Koch <wk@gnupg.org>
md: Add Whirlpool bug emulation feature.
+ + commit 94030e44aaff805d754e368507f16dd51a531b72
* src/gcrypt.h.in (GCRY_MD_FLAG_BUGEMU1): New.
* src/cipher-proto.h (gcry_md_init_t): Add arg FLAGS. Change all code
to implement that flag.
2014-01-17 Werner Koch <wk@gnupg.org>
Actually check for uint64_t.
+ + commit c3b30bae7d1e157f8b65e32ba1b3a516f2bbf58b
* configure.ac: Check size of uint64_t and the UINT64_C macro.
2014-01-16 Werner Koch <wk@gnupg.org>
Replace ath based mutexes by gpgrt based locks.
+ + commit cfc151ba637200e4fc05d9481a8df2071b2f9a47
* configure.ac (NEED_GPG_ERROR_VERSION): Require 1.13.
(gl_LOCK): Remove.
* src/ath.c, src/ath.h: Remove. Remove from all files. Replace all
2014-01-15 NIIBE Yutaka <gniibe@fsij.org>
ecc: Fix _gcry_mpi_ec_p_new to allow secp256k1.
+ + commit 49edeebb43174865cf4fa2c170a42a8e4274c4f0
* mpi/ec.c (_gcry_mpi_ec_p_new): Remove checking a!=0.
* tests/t-mpi-point.c (context_alloc): Remove two spurious tests.
2014-01-14 Milan Broz <gmazyland@gmail.com>
PBKDF2: Use gcry_md_reset to speed up calculation.
+ + commit 04cda6b7cc16f3f52c12d9d3e46c56701003496e
* cipher/kdf.c (_gcry_kdf_pkdf2): Use gcry_md_reset
to speed up calculation.
2014-01-13 Werner Koch <wk@gnupg.org>
Fix macro conflict in NetBSD.
+ + commit 5f2af6c26bc04975c0b518881532871d7387d7ce
* cipher/bithelp.h (bswap32): Rename to _gcry_bswap32.
(bswap64): Rename to _gcry_bswap64.
Use internal malloc function in fips.c.
+ + commit 518ae274a1845ce626b2b4223a9b3805cbbab1a7
* src/fips.c (check_binary_integrity): s/gcry_malloc/xtrymalloc/.
2014-01-13 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Truncate hash values for ECDSA signature scheme.
+ + commit 9edcf1090e0485f9f383b6c54b18ea8ca3d4a225
* cipher/dsa-common (_gcry_dsa_normalize_hash): New. Truncate opaque
mpis as required for DSA and ECDSA signature schemas.
* cipher/dsa.c (verify): Return gpg_err_code_t value from verify() to
truncation.
Add GOST R 34.10-2012 curves proposed by TC26.
+ + commit 2c5ec803100ed8261e51442fb93b75367b7725ea
* cipher/ecc-curves.c (domain_parmss): Add two GOST R 34.10-2012 curves
proposed/pending to standardization by TC26 (Russian cryptography
technical comitee).
* tests/curves.c: Increase N_CURVES.
Add GOST R 34.10-2001 curves per RFC4357.
+ + commit 9bedc5c3b646dfe481678ca58f5466ac46decaf7
* cipher/ecc-curves.c (domain_parms): Add 3 curves defined in rfc4357.
* cipher/ecc-curves.c (curve_aliases): Add OID and Xch aliases for GOST
curves.
* tests/curves.c (N_CURVES): Update value.
Fix typo in search_oid.
+ + commit 7edcb574d8d6dffb6e234c2ba1996a9a04923859
* cipher/md.c (search_oid): Invert condition on oid comparison.
Add MD2-HMAC calculation support.
+ + commit 653b58cb5e85511b6c04c3f85ef3e372c2e9f74f
* src/gcrypt.h.in (GCRY_MAC_HMAC_MD2): New.
* cipher/mac-hmac.c: Support GCRY_MAC_HMAC_MD2.
Add a function to retrieve algorithm used by MAC handler.
+ + commit 8439a379c86ef1088465ea70ac10840759a1638e
* cipher/mac.c (_gcry_mac_get_algo): New function, returns used algo.
* src/visibility.c (gcry_mac_get_algo): New wrapper.
* src/visibility.h: Hanlde gcry_mac_get_algo.
* tests/basic.c (check_one_mac): Verify gcry_mac_get_algo.
Correct formatting of gcry_mac_get_algo_keylen documentation.
+ + commit 36c9e0e4eb4f935da90df1c8df484d1940bda5eb
* doc/gcrypt.texi: add braces near gcry_mac_get_algo_keylen
documentation.
2014-01-13 Werner Koch <wk@gnupg.org>
ecc: Make a macro shorter.
+ + commit 2ef48ba59c32bfa1a9265d5eea8ab225a658903a
* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS. CHnage
all users.
* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
2014-01-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix assembly division check.
+ + commit ef3e66e168c4b9b86bfc4903001631e53a7125d8
* configure.ac (gcry_cv_gcc_as_const_division_ok): Correct variable
name mismatch at '--Wa,--divide' workaround check.
2014-01-12 NIIBE Yutaka <gniibe@fsij.org>
Add secp256k1 curve.
+ + commit 019e0e9e8c77a2edf283745e05e9301673ea6a0a
* cipher/ecc-curves.c (curve_aliases): Add secp256k1 and its OID.
(domain_parms): Add secp256k1's domain paramerter.
2014-01-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix constant division for AMD64 assembly on Solaris/x86.
+ + commit 43376891c01f4aff1fbfb23beafebb5adfd0868c
* configure.ac (gcry_cv_gcc_as_const_division_ok): Add new check for
constant division in assembly and test for "-Wa,--divide" workaround.
(gcry_cv_gcc_amd64_platform_as_ok): Check for also constant division.
2014-01-10 Werner Koch <wk@gnupg.org>
Use the generic autogen.sh script.
+ + commit b0ac1f9b143aa15855914ba93fef900288d45c9c
* autogen.rc: New.
* Makefile.am (EXTRA_DIST): Add it.
* autogen.sh: Update from current GnuPG.
Move all helper scripts to build-aux/
+ + commit df9b4eabf52faee6f289a4bc62219684442ae383
* scripts/: Rename to build-aux/.
* compile, config.guess, config.rpath, config.sub
* depcomp, doc/mdate-sh, doc/texinfo.tex
2013-12-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add blowfish/serpent ARM assembly files to Makefile.am.
+ + commit 7fef7f481c0a1542be34d1dc831f58d41846ac29
* cipher/Makefile.am: Add 'blowfish-arm.S' and 'serpent-armv7-neon.S'.
Add AMD64 assembly implementation for arcfour.
+ + commit 7547898109c72a97e3102b2a045ee4fdb2aa40bf
* cipher/Makefile.am: Add 'arcfour-amd64.S'.
* cipher/arcfour-amd64.S: New.
* cipher/arcfour.c (USE_AMD64_ASM): New.
* configure.ac [host=x86_64]: Add 'arcfour-amd64.lo'.
Parse /proc/cpuinfo for ARM HW features.
+ + commit a05be441d8cd89b90d8d58e3a343a436dae377d0
* src/hwf-arm.c [__linux__] (HAS_PROC_CPUINFO)
(detect_arm_proc_cpuinfo): New.
(_gcry_hwf_detect_arm) [HAS_PROC_CPUINFO]: Check '/proc/cpuinfo' for
HW features.
Fix buggy/incomplete detection of AVX/AVX2 support.
+ + commit bbcb12187afb1756cb27296166b57fa19ee45d4d
* configure.ac: Also check for 'xgetbv' instruction in AVX and AVX2
inline assembly checks.
* src/hwf-x86.c [__i386__] (get_xgetbv): New function.
2013-12-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Change utf-8 copyright characters to '(C)'
+ + commit b7e814f93ee40fcfe17a187a8989c07fde2ba0cd
cipher/blowfish-amd64.S: Change utf-8 encoded copyright character to
'(C)'.
cipher/blowfish-arm.S: Ditto.
cipher/serpent-sse2-amd64.S: Ditto.
Add ARM/NEON implementation for SHA-1.
+ + commit fc7dcf616937afaf73cfda1bf7bd79566a96b130
* cipher/Makefile.am: Add 'sha1-armv7-neon.S'.
* cipher/sha1-armv7-neon.S: New.
* cipher/sha1.c (USE_NEON): New.
* configure.ac: Add 'sha1-armv7-neon.lo'.
Improve performance of SHA-512/ARM/NEON implementation.
+ + commit df629ba53a662427ebd3ddca90c3fe9ddd6511d3
* cipher/sha512-armv7-neon.S (RT01q, RT23q, RT45q, RT67q): New.
(round_0_63, round_64_79): Remove.
(rounds2_0_63, rounds2_64_79): New.
(transform) [USE_ARM_NEON_ASM]: Pass nblks to assembly.
Add AVX and AVX2/BMI implementations for SHA-256.
+ + commit a5c2bbfe0db515d739ab683297903c77b1eec124
* LICENSES: Add 'cipher/sha256-avx-amd64.S' and
'cipher/sha256-avx2-bmi2-amd64.S'.
* cipher/Makefile.am: Add 'sha256-avx-amd64.S' and
2013-12-17 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add AVX and AVX/BMI2 implementations for SHA-1.
+ + commit e4e458465b124e25b6aec7a60174bf1ca32dc5fd
* cipher/Makefile.am: Add 'sha1-avx-amd64.S' and
'sha1-avx-bmi2-amd64.S'.
* cipher/sha1-avx-amd64.S: New.
* configure.ac: Add 'sha1-avx-amd64.lo' and 'sha1-avx-bmi2-amd64.lo'.
SHA-1/SSSE3: Improve performance on large buffers.
+ + commit 6fd0dd2a5f1362f91e2861cd9d300341a43842a5
* cipher/sha1-ssse3-amd64.S (RNBLKS): New.
(_gcry_sha1_transform_amd64_ssse3): Handle multiple input blocks, with
software pipelining of next data block processing.
(transform) [USE_SSSE3]: Pass nblks to assembly function.
Add bulk processing for hash transform functions.
+ + commit 50b8c8342d023038a4b528af83153293dd2756ea
* cipher/hash-common.c (_gcry_md_block_write): Preload 'hd->blocksize'
to stack, pass number of blocks to 'hd->bwrite'.
* cipher/hash-common.c (_gcry_md_block_write_t): Add 'nblks'.
2013-12-16 Werner Koch <wk@gnupg.org>
Release 1.6.0.
+ + commit 0ea9731e1c93a962f6266004ab0e7418c19d6277
+
doc: Change yat2m to allow arbitrary condition names.
+ + commit 9a912f8c4f366c53f1cdb94513b67b937e87178b
* doc/yat2m.c (MAX_CONDITION_NESTING): New.
(gpgone_defined): Remove.
(condition_s, condition_stack, condition_stack_idx): New.
(main): Change -D to define arbitrary macros.
tests: Add SHA-512 to the long hash test.
+ + commit 0d3bd23d7f730b9bbc81fc8da8d99f4853c36020
* tests/hashtest.c (testvectors): Add vectors for 256GiB SHA-512.
* tests/hashtest-256g.in (algos): Add test for SHA-512.
Add configure option --enable-large-data-tests.
+ + commit a6b9304a889397ac98e1c2c4ac3e178669d94492
* configure.ac: Add option --enable-large-data-tests.
* tests/hashtest-256g.in: New.
* tests/Makefile.am (EXTRA_DIST): Add hashtest-256g.in.
(bench-slope.log, hashtest-256g.log): New rules to enforce serial run.
random: Call random progress handler more often.
+ + commit 5a7ce59396fe56f0d681df314bfbdb5f7732d4b1
* random/rndlinux.c (_gcry_rndlinux_gather_random): Update progress
indicator earlier.
cipher: Normalize the MPIs used as input to secret key functions.
+ + commit dec048b2ec79271a2f4405be5b87b1e768b3f1a9
* cipher/dsa.c (sign): Normalize INPUT.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/rsa.c (secret): Normalize the INPUT.
2013-12-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Change dummy variable in mpih-div.c to mpi_limb_t type.
+ + commit 953535a7de68cf62b5b1ad6f96ea3a9edd83762c
* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Change dummy
variable to 'mpi_limb_t' type from 'int'.
Remove duplicate gcry_mac_hd_t typedef.
+ + commit 5c31990214b58c4e17edb01fbbe6d9f573975a22
* cipher/mac-internal.h (gcry_mac_hd_t): Remove.
2013-12-15 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Use u64 for CCM data lengths.
+ + commit 110fed2d6b0bbc97cb5cc0a3a564e05fc42afa2d
* cipher/cipher-ccm.c: Move code inside [HAVE_U64_TYPEDEF].
[HAVE_U64_TYPEDEF] (_gcry_cipher_ccm_set_lengths): Use 'u64' for
data lengths.
2013-12-14 Werner Koch <wk@gnupg.org>
tests: Prevent rare failure of gcry_pk_decrypt test.
+ + commit bfb43a17d8db571fca4ed433ee8be5c366745844
* tests/basic.c (check_pubkey_crypt): Add special mode 1.
(main): Add option --loop.
2013-12-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Minor fixes to SHA assembly implementations.
+ + commit ffd9b2aa5abda7f4d7790ed48116ed5d71ab9995
* cipher/Makefile.am: Correct 'sha256-avx*.S' to 'sha512-avx*.S'.
* cipher/sha1-ssse3-amd64.S: First line, correct filename.
* cipher/sha256-ssse3-amd64.S: Return correct stack burn depth.
depth.
SHA-1/SSSE3: Do not check for Intel syntax assembly support.
+ + commit c86c35534a153b13e880d0bb0ea3e48e1c0ecaf9
* cipher/sha1-ssse3-amd64.S: Remove check for
HAVE_INTEL_SYNTAX_PLATFORM_AS.
* cipher/sha1.c [USE_SSSE3]: Ditto.
2013-12-13 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Convert SHA-1 SSSE3 implementation from mixed asm&C to pure asm.
+ + commit d2b853246c2ed056a92096d89c3ca057e45c9c92
* cipher/Makefile.am: Change 'sha1-ssse3-amd64.c' to
'sha1-ssse3-amd64.S'.
* cipher/sha1-ssse3-amd64.c: Remove.
* cipher/sha1-ssse3-amd64.S: New.
SHA-1: Add SSSE3 implementation.
+ + commit be2238f68abcc6f2b4e8c38ad9141376ce622a22
* cipher/Makefile.am: Add 'sha1-ssse3-amd64.c'.
* cipher/sha1-ssse3-amd64.c: New.
* cipher/sha1.c (USE_SSSE3): New.
* configure.ac [host=x86_64]: Add 'sha1-ssse3-amd64.lo'.
Add missing register clearing in to SHA-256 and SHA-512 assembly.
+ + commit 04615cc6803cdede25fa92e3ff697e252a23cd7a
* cipher/sha256-ssse3-amd64.S: Clear used XMM/YMM registers at return.
* cipher/sha512-avx-amd64.S: Ditto.
* cipher/sha512-avx2-bmi2-amd64.S: Ditto.
2013-12-13 Werner Koch <wk@gnupg.org>
Update license information.
+ + commit 764643a3d5634bcbc47790bd8505f6a1a5280d9c
* LICENSES: New.
* Makefile.am (EXTRA_DIST): Add LICENSES.
* AUTHORS: Add list of copyright holders.
2013-12-13 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix empty clobber in AVX2 assembly check.
+ + commit e41d605ee41469e8a33cdc4d38f742cfb931f835
* configure.ac (gcry_cv_gcc_inline_asm_avx2): Add "cc" as assembly
globber.
Fix W32 build.
+ + commit a71b810ddd67ca3a1773d8f929d162551abb58eb
* random/rndw32.c (register_poll, slow_gatherer): Change gcry_xmalloc to
xmalloc, and gcry_xrealloc to xrealloc.
2013-12-12 Jussi Kivilinna <jussi.kivilinna@iki.fi>
SHA-512: Add AVX and AVX2 implementations for x86-64.
+ + commit 2e4253dc8eb512cd0e807360926dc6ba912c95b4
* cipher/Makefile.am: Add 'sha512-avx-amd64.S' and
'sha512-avx2-bmi2-amd64.S'.
* cipher/sha512-avx-amd64.S: New.
HWF_INTEL_BMI2.
SHA-512: Add SSSE3 implementation for x86-64.
+ + commit 69a6d0f9562fcd26112a589318c13de66ce1700e
* cipher/Makefile.am: Add 'sha512-ssse3-amd64.S'.
* cipher/sha512-ssse3-amd64.S: New.
* cipher/sha512.c (USE_SSSE3): New.
* configure.ac (sha512): Add 'sha512-ssse3-amd64.lo'.
SHA-256: Add SSSE3 implementation for x86-64.
+ + commit e1a3931263e67aacec3c0bfcaa86c7d1441d5c6a
* cipher/Makefile.am: Add 'sha256-ssse3-amd64.S'.
* cipher/sha256-ssse3-amd64.S: New.
* cipher/sha256.c (USE_SSSE3): New.
2013-12-12 Werner Koch <wk@gnupg.org>
Add a configuration file to disable hardware features.
+ + commit 5e1239b1e2948211ff2675f45cce2b28c3379cfb
* src/hwfeatures.c: Inclyde syslog.h and ctype.h.
(HWF_DENY_FILE): New.
(my_isascii): New.
"--print-config" and "--disable-hwf".
Move list of hardware features to hwfeatures.c.
+ + commit 4ae77322b681a13da62d01274bcab25be2af12d0
* src/global.c (hwflist, disabled_hw_features): Move to ..
* src/hwfeatures.c: here.
(_gcry_disable_hw_feature): New.
accordingly.
Remove macro hacks for internal vs. external functions. Part 2 and last.
+ + commit 3b30e9840d4b351c4de73b126e561154cb7df4cc
* src/visibility.h: Remove remaining define/undef hacks for symbol
visibility. Add macros to detect the use of the public functions.
Change all affected functions by replacing them by the x-macros.
2013-12-11 Werner Koch <wk@gnupg.org>
random: Add a feature to close device file descriptors.
+ + commit cd548ba2dc777b8b27d8d33182ba733c20222120
* src/gcrypt.h.in (GCRYCTL_CLOSE_RANDOM_DEVICE): New.
* src/global.c (_gcry_vcontrol): Call _gcry_random_close_fds.
* random/random.c (_gcry_random_close_fds): New.
2013-12-10 Werner Koch <wk@gnupg.org>
Fix last commit (9a37470c)
+ + commit eae1e7712e1b687bd77eb37d0eb505fc9d46d93c
* src/secmem.c (lock_pool): Remove remaining line. Reported by Ian
Goldberg.
2013-12-09 Werner Koch <wk@gnupg.org>
Fix one-off memory leak when build with Linux capability support.
+ + commit 9a37470c50ee9966cb2652617a404ddd54a9c096
* src/secmem.c (lock_pool, secmem_init): Use cap_free. Reported by
Mike Crowe <mac@mcrowe.com>.
2013-12-09 David 'Digit' Turner <digit@google.com>
Update libtool to support Android.
+ + commit 2516f0b660b1a7181ad38c44310c627f4f498595
* m4/libtool.m4: Add "linux*android*" case. Taken from the libtool
repository.
2013-12-09 Werner Koch <wk@gnupg.org>
tests: Speed up benchmarks in regression test mode.
+ + commit 2e5354fe8db5288939733d0fb63ad4c87bc20105
* tests/tsexp.c (check_extract_param): Fix compiler warning.
* tests/Makefile.am (TESTS_ENVIRONMENT): Set GCRYPT_IN_REGRESSION_TEST.
* tests/bench-slope.c (main): Speed up if in regression test mode.
* tests/benchmark.c (main): Ditto.
tests: Add --csv option to bench-slope.
+ + commit 8072e9fa4b42ae8e65e266aa158fd903f1bb0927
* tests/bench-slope.c (STR, STR2): New.
(cvs_mode): New.
(num_measurement_repetitions): New. Replace use of
2013-12-07 Werner Koch <wk@gnupg.org>
sexp: Allow long names and white space in gcry_sexp_extract_param.
+ + commit d4555433b6e422fa69a85cae99961f513e55d82b
* src/sexp.c (_gcry_sexp_vextract_param): Skip white space. Support
long parameter names.
* tests/tsexp.c (check_extract_param): Add test cases for long parameter
2013-12-06 Werner Koch <wk@gnupg.org>
ecc: Merge partly duplicated code.
+ + commit 405021cb6d4e470337302c65dec5bc91491a89c1
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Factor A hashing out to ...
(_gcry_ecc_eddsa_compute_h_d): new function.
* cipher/ecc-misc.c (_gcry_ecc_compute_public): Use new function.
(reverse_buffer): Remove.
ecc: Remove unused internal function.
+ + commit 4cf2c65fe15173c8d68a141a01b34fc1fb9080b7
* src/cipher-proto.h (gcry_pk_spec): Remove get_param.
* cipher/ecc-curves.c (_gcry_ecc_get_param_sexp): Merge in code from
_gcry_ecc_get_param.
2013-12-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix building on mingw32.
+ + commit 5917ce34e3b3eac4c15f62577e4723974024f818
* src/gcrypt-int.h: Include <types.h>.
2013-12-05 Werner Koch <wk@gnupg.org>
ecc: Change OID for Ed25519.
+ + commit 7ef43d1eebb4f8226e860982dfe5fa2e2c82ad0f
* cipher/ecc-curves.c (curve_aliased): Add more suitable OID for
Ed25519.
Remove macro hacks for internal vs. external functions. Part 1.
+ + commit 7bacf1812b55fa78db63abaa1f5a9220e9c6cccc
* src/visibility.h: Remove almost all define/undef hacks for symbol
visibility. Add macros to detect the use of the public functions.
Change all affected functions by prefixing them explicitly with an
2013-12-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
mpi: add inline assembly for x86-64.
+ + commit 85bb0a98ea5add0296cbcc415d557eaa1f6bd294
* mpi/longlong.h [__x86_64] (add_ssaaaa, sub_ddmmss, umul_ppmm)
(udiv_qrnnd, count_leading_zeros, count_trailing_zeros): New.
2013-12-04 NIIBE Yutaka <gniibe@fsij.org>
mpi: fix gcry_mpi_powm for negative base.
+ + commit c56080c26186d25dec05f01831494c77d8d07e13
* mpi/mpi-pow.c (gcry_mpi_powm) [USE_ALGORITHM_SIMPLE_EXPONENTIATION]:
Fix for the case where BASE is negative.
* tests/mpitests.c (test_powm): Add a test case of (-17)^6 mod 19.
2013-12-03 Werner Koch <wk@gnupg.org>
Add build support for ppc64le.
+ + commit 2ff86db2e1b0f6cc22a1ca86037b526c5fa3be51
* config.guess, config.sub: Update to latest version (2013-11-29).
* m4/libtool.m4: Add patches for ppc64le.
2013-12-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
rijndael: fix compiler warning on aarch64.
+ + commit 59b1a1b7ee2923e1bf091071ae716d180c6c6006
* cipher/rijndael.c (do_setkey): Use braces for empty if statement
instead of semicolon.
Add aarch64 (arm64) mpi assembly.
+ + commit 80896bc8f5e6ed9a627374e34f040ad5f3617584
* mpi/aarch64/mpi-asm-defs.h: New.
* mpi/aarch64/mpih-add1.S: New.
* mpi/aarch64/mpih-mul1.S: New.
2013-12-02 Werner Koch <wk@gnupg.org>
ecc: Use constant time point operation for Twisted Edwards.
+ + commit d4ce0cfe0d35d7ec69c115456848b5b735c928ea
* mpi/ec.c (_gcry_mpi_ec_mul_point): Try to do a constant time
operation if needed.
* tests/benchmark.c (main): Add option --use-secmem.
ecc: Make gcry_pk_testkey work for Ed25519.
+ + commit 14ae6224b1b17abbfc80c26ad0f4c60f1e8635e2
* cipher/ecc-misc.c (_gcry_ecc_compute_public): Add optional args G
and d. Change all callers.
* cipher/ecc.c (gen_y_2): Remove.
Ed25519 keys.
ecc: Fix eddsa point decompression.
+ + commit 485f35124b1a74af0bad321ed70be3a79d8d11d7
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): Fix the negative
case.
ecc: Fix gcry_mpi_ec_curve_point for Weierstrass.
+ + commit ecb90f8e7c6f2516080d27ed7da6a25f2314da3c
* mpi/ec.c (_gcry_mpi_ec_curve_point): Use correct equation.
(ec_pow3): New.
(ec_p_init): Always copy B.
mpi: Introduce 4 user flags for gcry_mpi_t.
+ + commit 29eddc2558d4cf39995f66d5fccd62f584d5b203
* src/gcrypt.h.in (GCRYMPI_FLAG_USER1, GCRYMPI_FLAG_USER2)
(GCRYMPI_FLAG_USER3, GCRYMPI_FLAG_USER4): New.
* mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag)
2013-11-29 Vladimir 'φ-coder/phcoder' Serbinenko <phcoder@gmail.com>
Fix armv3 compile error.
+ + commit 3b1cc9e6c357574f54160298d731c18f3d717b6c
* mpi/longlong.h [__arm__ && __ARM_ARCH < 4] (umul_ppmm): Use
__AND_CLOBBER_CC instead of __CLOBBER_CC.
longlong.h on mips with clang.
+ + commit 1ecbd0bca31d462719a2a6590c1d03244e76ef89
* mpi/longlong.h [__mips__]: Use C-language version with clang.
2013-11-24 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Camellia: Tweaks for AES-NI implementations.
+ + commit 3ef21e7e1b8003db9792155044db95f9d9ced184
* cipher/camellia-aesni-avx-amd64.S: Align stack to 16 bytes; tweak
key-setup for small speed up.
* cipher/camellia-aesni-avx2-amd64.S: Use vmovdqu even with aligned
2013-11-21 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add GMAC to MAC API.
+ + commit a34448c929b13bfb7b66d69169c89e7319a18b31
* cipher/Makefile.am: Add 'mac-gmac.c'.
* cipher/mac-gmac.c: New.
* cipher/mac-internal.h (gcry_mac_handle): Add 'u.gcm'.
* tests/benchmark.c (mac_bench): Iterate algorithm numbers to 499.
GCM: Move gcm_table initialization to setkey.
+ + commit dbfa651618693da7ea73b4d2d00d4efd411bfb46
* cipher/cipher-gcm.c: Change all 'c->u_iv.iv' to
'c->u_mode.gcm.u_ghash_key.key'.
(_gcry_cipher_gcm_setkey): New.
2013-11-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
GCM: Add support for split data buffers and online operation.
+ + commit fb1e52e3fe231671de546eacd6becd31c26c4f7b
* cipher/cipher-gcm.c (do_ghash_buf): Add buffering for less than
blocksize length input and padding handling.
(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Add handling
sizes.
GCM: Use size_t for buffer sizes.
+ + commit 2d870a9142e8c8b3f008e1ad8e83e4bdf7a8e4e7
* cipher/cipher-gcm.c (ghash, gcm_bytecounter_add, do_ghash_buf)
(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
(_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_geniv)
for buffer lengths.
GCM: add FIPS mode restrictions.
+ + commit 56d352d6bdcf7abaa33c3399741f5063e2ddc32a
* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt)
(_gcry_cipher_gcm_get_tag): Do not allow using in FIPS mode is setiv
was invocated directly.
'u_mode.gcm.disallow_encryption_because_of_setiv_in_fips_mode'.
GCM: Add clearing and checking of marks.tag.
+ + commit 32a2da9abc91394b23cf565c1c833fa964394083
* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt)
(_gcry_cipher_gcm_decrypt, _gcry_cipher_gcm_authenticate): Make sure
that tag has not been finalized yet.
(_gcry_cipher_gcm_setiv): Clear 'marks.tag'.
GCM: Add stack burning.
+ + commit 018f08354b1b116672e82f9ce942884b288aaf9e
* cipher/cipher-gcm.c (do_ghash, ghash): Return stack burn depth.
(setupM): Wipe 'tmp' buffer.
(do_ghash_buf): Wipe 'tmp' buffer and add stack burning.
Add aggregated bulk processing for GCM on x86-64.
+ + commit c9537fbf8ff0af919cff2bebadc4c6e7caea8076
* cipher/cipher-gcm.c [__x86_64__] (gfmul_pclmul_aggr4): New.
(ghash) [GCM_USE_INTEL_PCLMUL]: Add aggregated bulk processing
for __x86_64__.
processing.
GCM: Tweak Intel PCLMUL ghash loop for small speed-up.
+ + commit 9b6764944284fed733c2f88619b3d9eb5d5c259a
* cipher/cipher-gcm.c (do_ghash): Mark 'inline'.
[GCM_USE_INTEL_PCLMUL] (do_ghash_pclmul): Rename to...
[GCM_USE_INTEL_PCLMUL] (gfmul_pclmul): ..this and make inline function.
(ghash) [GCM_USE_INTEL_PCLMUL]: Preload data before ghash-pclmul loop.
GCM: Use counter mode code for speed-up.
+ + commit bd4bd23a2511a4bce63c3217cca0d4ecf0c79532
* cipher/cipher-gcm.c (ghash): Add process for multiple blocks.
(gcm_bytecounter_add, gcm_add32_be128, gcm_check_datalen)
(gcm_check_aadlen_or_ivlen, do_ghash_buf): New functions.
(_gcry_cipher_setiv): Handle error code from 'cipher_setiv'.
Add Intel PCLMUL acceleration for GCM.
+ + commit 5a65ffabadd50f174ab7375faad7a726cce49e61
* cipher/cipher-gcm.c (fillM): Rename...
(do_fillM): ...to this.
(ghash): Remove.
* src/hwf-x86.c (detect_x86_gnuc): Add check for Intel PCLMUL.
GCM: GHASH optimizations.
+ + commit 0e9e7d72f3c9eb7ac832746c3034855faaf8d02c
* cipher/cipher-gcm.c [GCM_USE_TABLES] (gcmR, ghash): Replace with new.
[GCM_USE_TABLES] [GCM_TABLES_USE_U64] (bshift, fillM, do_ghash): New.
[GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (bshift, fillM): Replace with
for 32-bit and 64-bit platforms.
Add some documentation for GCM mode.
+ + commit 332da0ed7c8fab6c2bee841c94d8364c2ab4e30d
* doc/gcrypt.texi: Add mention of GCM mode.
2013-11-19 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Initial implementation of GCM.
+ + commit 90cce18b9eced4f412ceeec5bcae18c4493322df
* cipher/Makefile.am: Add 'cipher-gcm.c'.
* cipher/cipher-ccm.c (_gcry_ciphert_ccm_set_lengths)
(_gcry_cipher_ccm_authenticate, _gcry_cipher_ccm_tag)
2013-11-19 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Camellia: fix compiler warning.
+ + commit 9816ae9d9931b75e4fdc9a5be10e6af447132313
* cipher/camellia-glue.c (camellia_setkey): Use braces around empty if
statement.
Tweak Camellia-AVX key-setup for small speed-up.
+ + commit 77922a82c3f2e30eca04511fa5a355208349c657
* cipher/camellia-aesni-avx-amd64.S (camellia_f): Merge S-function output
rotation with P-function.
Add CMAC (Cipher-based MAC) to MAC API.
+ + commit b49cd64aaaff2e5488a84665362ef7150683226c
* cipher/Makefile.am: Add 'cipher-cmac.c' and 'mac-cmac.c'.
* cipher/cipher-cmac.c: New.
* cipher/cipher-internal.h (gcry_cipher_handle.u_mode): Add 'cmac'.
2013-11-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add new MAC API, initially with HMAC.
+ + commit fcd6da37d55f248d3558ee0ff385b41b866e7ded
* cipher/Makefile.am: Add 'mac.c', 'mac-internal.h' and 'mac-hmac.c'.
* cipher/bufhelp.h (buf_eq_const): New.
* cipher/cipher-ccm.c (_gcry_cipher_ccm_tag): Use 'buf_eq_const' for
(main): Add 'mac' benchmark options.
Use correct blocksize of 32 bytes for GOSTR3411-94 HMAC.
+ + commit b95a557a43aeed68ea5e5ce02aca42ee97bfdb3b
* cipher/md.c (md_open): Set macpads_Bsize to 32 for
GCRY_MD_GOST24311_94.
2013-11-15 Jussi Kivilinna <jussi.kivilinna@iki.fi>
cipher: use size_t for internal buffer lengths.
+ + commit b787657a9d2c1d8e19f9fcb0b21e31cb062630cf
* cipher/arcfour.c (do_encrypt_stream, encrypt_stream): Use 'size_t'
for buffer lengths.
* cipher/blowfish.c (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
(_gcry_twofish_ctr_enc): Ditto.
Camellia: Add AVX/AES-NI key setup.
+ + commit ef9f52cbb39e46918c96200b09c21e931eff174f
* cipher/camellia-aesni-avx-amd64.S (key_bitlength, key_table): New
order of fields in ctx.
(camellia_f, vec_rol128, vec_ror128): New macros.
available.
Avoid unneeded stack burning with AES-NI and reduce number of 'decryption_prepared' checks
+ + commit c8ad83fb605fdbf6dc0b0dbcc8aedfbd477640da
* cipher/rijndael.c (RIJNDAEL_context): Make 'decryption_prepared',
'use_padlock' and 'use_aesni' 1-bit members in bitfield.
(do_setkey): Move 'hwfeatures' inside [USE_AESNI || USE_PADLOCK].
2013-11-14 Werner Koch <wk@gnupg.org>
md: Fix hashing for data >= 256 GB.
+ + commit c43a8c0d81a711161f7a81b24ef7c33a1353eee0
* cipher/hash-common.h (gcry_md_block_ctx): Add "nblocks_high".
* cipher/hash-common.c (_gcry_md_block_write): Bump NBLOCKS_HIGH.
* cipher/md4.c (md4_init, md4_final): Take care of NBLOCKS_HIGH.
2013-11-13 Christian Grothoff <christian@grothoff.org>
ecc: Fix key generation for a plain Ed25519 key.
+ + commit 7d91e99bcd30a463dd4faed014b8521a663d8316
* cipher/ecc.c (nist_generate_key): Use custom code for ED25519.
ecc: Fix some memory leaks.
+ + commit c4f9af49f228df59c218381a25fa3c0f93ccbeae
* cipher/ecc-curves.c (_gcry_mpi_ec_new): Free ec->b before assigning.
* cipher/ecc.c (nist_generate_key): Release Q.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto.
2013-11-11 Werner Koch <wk@gnupg.org>
ecc: Change keygrip computation for Ed25519+EdDSA.
+ + commit 4fb3c8e5a7fc6a1568f54bcc0be17fecf75e0742
* cipher/ecc.c (compute_keygrip): Rework.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): New.
* cipher/ecc-curves.c (_gcry_ecc_update_curve_param): New.
Ed25519.
mpi: Add special format GCRYMPI_FMT_OPAQUE.
+ + commit 8b3eecee2d89179297e43de7d650f74759c61a58
* src/gcrypt.h.in (GCRYMPI_FMT_OPAQUE): New.
(_gcry_sexp_nth_opaque_mpi): Remove.
* src/sexp.c (gcry_sexp_nth_mpi): Add support for GCRYMPI_FMT_OPAQUE.
2013-11-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix error output in CTR selftest.
+ + commit 7b26586e35a6d407ca31b41528b0810b1408fd4b
* cipher/cipher-selftest.c (_gcry_selftest_helper_ctr): Change
fprintf(stderr,...) to syslog(); Correct error output for bulk
IV check, plaintext mismatch => ciphertext mismatch.
2013-11-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix Serpent-AVX2 and Camellia-AVX2 counter modes.
+ + commit df29831d008e32faf74091d080a415731418d158
* cipher/camellia-aesni-avx2-amd64.S
(_gcry_camellia_aesni_avx2_ctr_enc): Byte-swap before checking for
overflow handling.
2013-11-09 Sergey V <sftp.mtuci@gmail.com>
cipher/gost28147: optimization: use precomputed S-box tables.
+ + commit 51501b638546665163bbb85a14308fdb99211a28
* cipher/gost.h (GOST28147_context): Remove unneeded subst and
subst_set members.
* cipher/gost28147.c (max): Remove unneeded macro.
2013-11-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix tail handling for AES-NI counter mode.
+ + commit 60ed0abbbc7cb15812f1e713143c72555acea69e
* cipher/rijndael.c (do_aesni_ctr): Fix outputting of updated
counter-IV.
2013-11-08 Werner Koch <wk@gnupg.org>
ecc: Improve gcry_pk_get_curve.
+ + commit 03aed1acec611362285db5156a6b92c91604fba4
* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Factor some code out
to ..
(find_domain_parms_idx): new.
(_gcry_ecc_get_curve): Find by curve name on error.
cipher: Avoid signed divisions in idea.c.
+ + commit e241dde1420475459e32608137829e52748d0212
* cipher/idea.c (mul_inv): Use unsigned division.
ecc: Implement the "nocomp" flag for key generation.
+ + commit 9f63c0f7a3b2c15c7e258cd17395cabd0a8f00cc
* cipher/ecc.c (ecc_generate): Support the "nocomp" flag.
* tests/keygen.c (check_ecc_keys): Add a test for it.
ecc: Make "noparam" the default and replace by "param".
+ + commit ed45fd2e60c88e2f005282e6eadd018b59dcf65b
* src/cipher.h (PUBKEY_FLAG_NOCOMP): New.
(PUBKEY_FLAG_NOPARAM): Remove.
(PUBKEY_FLAG_PARAM): New.
2013-11-07 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix decryption function size in AES AMD64 assembly.
+ + commit bfe4f6523b80bae0040328ef324b9000ee5b38a4
* cipher/rijndael-amd64.S (_gcry_aes_amd64_decrypt_block): Set '.size'
for '_gcry_aes_amd64_decrypt_block', not '..._encrypt_block'.
Change 64-bit shift to 32-bit in AES AMD64 assembly.
+ + commit 57b296ea3a5204cd3711b7bf57c8fb14d8542402
* cipher/rijndael-amd64.S (do16bit_shr): Change 'shrq' to 'shrl'.
2013-11-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Speed-up AES-NI key setup.
+ + commit f702d62d888b30e24c19f203566a1473098b2b31
* cipher/rijndael.c [USE_AESNI] (m128i_t): Remove.
[USE_AESNI] (u128_t): New.
[USE_AESNI] (aesni_do_setkey): New.
(do_decrypt): Do not burning stack after prepare_decryption.
Avoid burn stack in Arcfour setkey.
+ + commit a50a6ba3540f49fc7dcdb32e691327d5942e3509
* cipher/arcfour.c (arcfour_setkey): Remove stack burning.
Avoid burn_stack in CAST5 setkey.
+ + commit 5797ebc268b4e953cedd0c729c5cdb1f8fd764e4
* cipher/cast5.c (do_cast_setkey): Use wipememory instead of memset.
(cast_setkey): Remove stack burning.
Improve Serpent key setup speed.
+ + commit 9897ccb381503455edc490679b2e9251a09ac5cb
* cipher/serpent.c (SBOX, SBOX_INVERSE): Remove index argument.
(serpent_subkeys_generate): Use smaller temporary arrays for subkey
generation and perform stack clearing locally.
(serpent_setkey): Remove unneeded _gcry_burn_stack.
Modify encrypt/decrypt arguments for in-place.
+ + commit b8515aa70b00baba3fba8121ed305edcd029c8c7
* cipher/cipher.c (gcry_cipher_encrypt, gcry_cipher_decrypt): Modify
local arguments if in-place operation.
Speed up Stribog.
+ + commit a48d07ccadee4cb8b666a9a4ba2f00129bad5b2f
* cipher/stribog.c (STRIBOG_TABLES): Remove.
(Pi): Remove.
[!STRIBOG_TABLES] (A, strido): Remove.
(g): Small tweaks.
Tweak AES-NI bulk CTR mode slightly.
+ + commit 3b5058b58a183fa23ecf3ef819e2ae6ac64c0216
* cipher/rijndael.c [USE_AESNI] (aesni_cleanup_2_5): Rename to...
(aesni_cleanup_2_6): ...this and clear also 'xmm6'.
[USE_AESNI && __i386__] (do_aesni_ctr, do_aesni_ctr_4): Prevent
'aesni_cleanup_2_6'.
Tweak bench-slope parameters.
+ + commit 7e98eecc1a955bc253765f92a166b6560f085b8c
* tests/bench-slope.c (BUF_STEP_SIZE): Half step size to 64.
(NUM_MEASUREMENT_REPETITIONS): Double repetitions to 64.
Optimize Blowfish weak key check.
+ + commit 8e1c0f9b894c39b6554c544208dc000682f520c7
* cipher/blowfish.c (hashset_elem, val_to_hidx, add_val): New.
(do_bf_setkey): Use faster algorithm for detecting weak keys.
(bf_setkey): Move stack burning to do_bf_setkey.
Fix __builtin_bswap32/64 checks.
+ + commit 2590a5df6f5fc884614c8c379324027d2d61b9b5
* configure.ac (gcry_cv_have_builtin_bswap32)
(gcry_cv_have_builtin_bswap64): Change compile checks to link checks.
Fix 'u32' build error with Camellia.
+ + commit 84bcb400e7db7268abfc29b5ab1513b0c063b293
* cipher/camellia.c: Add include for <config.h> and "types.h".
(u32): Remove.
(u8): Typedef as 'byte'.
2013-11-06 Werner Koch <wk@gnupg.org>
pubkey: Add forward compatibility feature.
+ + commit 6d169b654c7ff04c10f73afe80b2c70cefa410c1
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add
"igninvflag".
2013-11-05 Werner Koch <wk@gnupg.org>
ecc: Require "eddsa" flag for curve Ed25519.
+ + commit b9fd3988b54b50109f4e7179e7fe0739bb1d97c5
* src/cipher.h (PUBKEY_FLAG_ECDSA): Remove.
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Remove "ecdsa".
* cipher/ecc.c (ecc_generate, ecc_sign, ecc_verify): Require "eddsa" flag.
* tests/t-ed25519.c, tests/t-mpi-point.c: Adjust for changed flags.
ecc: Fully implement Ed25519 compression in ECDSA mode.
+ + commit f09ffe8a4802af65a116e79eceeb1cb4ed4fa2f4
* src/ec-context.h (mpi_ec_ctx_s): Add field FLAGS.
* mpi/ec.c (ec_p_init): Add arg FLAGS. Change all callers to pass it.
* cipher/ecc-curves.c (point_from_keyparam): Add arg EC, parse as
curve.
mpi: Add function gcry_mpi_set_opaque_copy.
+ + commit 630aca794ddf057fb7265b7dc346374743036af4
* src/gcrypt.h.in (gcry_mpi_set_opaque_copy): New.
* src/visibility.c (gcry_mpi_set_opaque_copy): New.
* src/visibility.h (gcry_mpi_set_opaque_copy): Mark visible.
2013-11-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Make test vectors 'static const'
+ + commit d50a88d1e29124d038196fec6082fd093e922604
* cipher/arcfour.c (selftest): Change test vectors to 'static const'.
* cipher/blowfish.c (selftest): Ditto.
* cipher/camellia-glue.c (selftest): Ditto.
2013-11-03 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Make jump labels local in Salsa20 assembly.
+ + commit d4697862266f3c96b6946dc92139dd8f3e81e5f6
* cipher/salsa20-amd64.S: Rename '._labels' to '.L_labels'.
* cipher/salsa20-armv7-neon.S: Ditto.
2013-10-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
bithelp: fix undefined behaviour with rol and ror.
+ + commit d1cadd145199040299538891ab2ccd1208f7776e
* cipher/bithelp.h (rol, ror): Mask shift with 31.
2013-10-29 Werner Koch <wk@gnupg.org>
tests: Add feature to skip benchmarks.
+ + commit ba6bffafd17bea11985afc500022d66da261d59a
* tests/benchmark.c (main): Add feature to skip the test.
* tests/bench-slope.c (main): Ditto.
(get_slope): Repace C++ style comment.
symbols.
ecc: Finish Ed25519/ECDSA hack.
+ + commit c284f15db99e9cb135612de710199abb23baafd3
* cipher/ecc.c (ecc_generate): Fix Ed25519/ECDSA case.
(ecc_verify): Implement ED25519/ECDSA uncompression.
ecc: Add flags "noparam" and "comp".
+ + commit ba892a0a874c8b2a83dbf0940608cd7e2911ce01
* src/cipher.h (PUBKEY_FLAG_NOPARAM, PUBKEY_FLAG_COMP): New.
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Parse new flags
and change code for possible faster parsing.
2013-10-28 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix typos in documentation.
+ + commit 1faa61845f180bd47e037e400dde2d864ee83c89
* doc/gcrypt.texi: Fix some typos.
Add ARM NEON assembly implementation of Serpent.
+ + commit 2cb6e1f323d24359b1c5b113be5c2f79a2a4cded
* cipher/Makefile.am: Add 'serpent-armv7-neon.S'.
* cipher/serpent-armv7-neon.S: New.
* cipher/serpent.c (USE_NEON): New macro.
* configure.ac [neonsupport]: Add 'serpent-armv7-neon.lo'.
Add ARM NEON assembly implementation of Salsa20.
+ + commit 3ff9d2571c18cd7a34359f9c60a10d3b0f932b23
* cipher/Makefile.am: Add 'salsa20-armv7-neon.S'.
* cipher/salsa20-armv7-neon.S: New.
* cipher/salsa20.c [USE_ARM_NEON_ASM]: New macro.
* configure.ac [neonsupport]: 'Add salsa20-armv7-neon.lo'.
Add AMD64 assembly implementation of Salsa20.
+ + commit 5a3d43485efdc09912be0967ee0a3ce345b3b15a
* cipher/Makefile.am: Add 'salsa20-amd64.S'.
* cipher/salsa20-amd64.S: New.
* cipher/salsa20.c (USE_AMD64): New macro.
* configure.ac [x86-64]: Add 'salsa20-amd64.lo'.
Add new benchmarking utility, bench-slope.
+ + commit e214e8392671dd30e9c33260717b5e756debf3bf
* tests/Makefile.am (TESTS): Add 'bench-slope'.
* tests/bench-slope.c: New.
Change .global to .globl in assembly files.
+ + commit ebc8abfcb09d6106fcfce40f240a513e276f46e9
* cipher/blowfish-arm.S: Change '.global' to '.globl'.
* cipher/camellia-aesni-avx-amd64.S: Ditto.
* cipher/camellia-aesni-avx2-amd64.S: Ditto.
2013-10-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Deduplicate code for ECB encryption and decryption.
+ + commit 51f1beab3d1e879942a95f58b08de7dbcce75dce
* cipher/cipher.c (do_ecb_crypt): New, based on old 'do_ecb_encrypt'.
(do_ecb_encrypt): Use 'do_ecb_crypt', pass encryption function.
(do_ecb_decrypt): Use 'do_ecb_crypt', pass decryption function.
2013-10-26 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Drop _gcry_cipher_ofb_decrypt as it duplicates _gcry_cipher_ofb_encrypt.
+ + commit d9431725952e40f201c7eda000d3c8511ebd5b33
* cipher/cipher.c (cipher_decrypt): Use _gcry_cipher_ofb_encrypt for OFB
decryption.
* cipher/cipher-internal.h: Remove _gcry_cipher_ofb_decrypt declaration.
2013-10-25 Werner Koch <wk@gnupg.org>
tests: Add tests for mpi_cmp.
+ + commit 6c6d4810927de7310ae7bac61b4ff5467d7cb485
* tests/mpitests.c (die): Modernize.
(fail): New.
(test_opaque, test_add, test_sub, test_mul): Use gcry_log_xx
2013-10-24 Werner Koch <wk@gnupg.org>
ecc: Change algorithm for Ed25519 x recovery.
+ + commit c630fd71b336eb9209e914d24dc1e26a34521882
* cipher/ecc-eddsa.c (scanval): Add as temporary hack.
(_gcry_ecc_eddsa_recover_x): Use the algorithm from page 15 of the
paper. Return an error code.
* mpi/mpi-mul.c (gcry_mpi_mulm): Use truncated division.
ecc: Refactor _gcry_ecc_eddsa_decodepoint.
+ + commit 1cf5699b6febab1ef9d300531acc2ee33a7df739
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_decodepoint): Factor some code
out to ..
(_gcry_ecc_eddsa_recover_x): new.
2013-10-24 Jussi Kivilinna <jussi.kivilinna@iki.fi>
ecc-gost: Add missing include.
+ + commit 9ce54e5b512418ddf45ce18f2cbd48cdced779f5
* ecc-gost.c: Include "pubkey-internal.h".
2013-10-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Replace architecture specific fast_wipememory2 with generic.
+ + commit 54df6fcd806f8c150cffe6cc09925bb8b638bb5b
* src/g10lib.h (fast_wipememory2): Remove architecture specific
implementations and add generic implementation.
Improve the speed of the cipher mode code.
+ + commit 293e93672fdabc829e35cc624c397276342bafe4
* cipher/bufhelp.h (buf_cpy): New.
(buf_xor, buf_xor_2dst): If buffers unaligned, always jump to per-byte
processing.
* cipher/cipher.c (do_ecb_encrypt, do_ecb_decrypt): Ditto.
bufhelp: enable unaligned memory accesses for AArch64 (64-bit ARM)
+ + commit 2901a10dbf1264707debc8402546c07eeac60932
* cipher/bufhelp.h [__aarch64__] (BUFHELP_FAST_UNALIGNED_ACCESS): Set
macro on AArch64.
2013-10-23 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Enable assembler optimizations on earlier ARM cores.
+ + commit 2fd83faa876d0be91ab7884b1a9eaa7793559eb9
* cipher/blowfish-armv6.S => cipher/blowfish-arm.S: adapt to pre-armv6 CPUs.
* cipher/blowfish.c: enable assembly on armv4/armv5 little-endian CPUs.
* cipher/camellia-armv6.S => cipher/camellia-arm.S: adapt to pre-armv6 CPUs.
* cipher/twofish.c: enable assembly on armv4/armv5 little-endian CPUs.
mpi: enable assembler on all arm architectures.
+ + commit 0b39fce7e3ce6761d6bd5195d093ec6857edb7c2
* mpi/config.links: remove check for arm >= v6
* mpi/armv6 => mpi/arm: rename directory to reflect that is is generic
enough
Correct ASM assembly test in configure.ac.
+ + commit 10bf6a7e16ed193f90d2749970a420f00d1d3320
* configure.ac: correct HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS test to
require neither ARMv6, nor thumb mode. Our assembly code works
perfectly even on ARMv4 now.
2013-10-23 Werner Koch <wk@gnupg.org>
ecc: Refactor ecc.c.
+ + commit 164eb8c85d773ef4f0939115ec45f5e4b47c1700
* cipher/ecc-ecdsa.c, cipher/ecc-eddsa.c, cipher/ecc-gost.c: New.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add new files.
* configure.ac (GCRYPT_PUBKEY_CIPHERS): Add new files.
(_gcry_ecc_eddsa_encodepoint, _gcry_ecc_eddsa_decodepoint): Ditto.
mpi: Fix scanning of negative SSH formats and add more tests.
+ + commit 45f6e6268bfdc4b608beaba6b7086b2286e33c71
* mpi/mpicoder.c (gcry_mpi_scan): Fix sign setting for SSH format.
* tests/t-convert.c (negative_zero): Test all formats.
(check_formats): Add tests for PGP and scan tests for SSH and USG.
2013-10-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
twofish: add ARMv6 assembly implementation.
+ + commit 98674fdaa30ab22a3ac86ca05d688b5b6112895d
* cipher/Makefile.am: Add 'twofish-armv6.S'.
* cipher/twofish-armv6.S: New.
* cipher/twofish.c (USE_ARMV6_ASM): New macro.
* configure.ac [arm]: Add 'twofish-armv6.lo'.
mpi: allow building with clang on ARM.
+ + commit e67c67321ce240c93dd0fa2b21c649c0a8e233f7
* mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
(count_leading_zeros): Do not cast assembly output arguments.
[__arm__] (umul_ppmm): Remove the extra '%' ahead of assembly comment.
registers.
serpent-amd64: do not use GAS macros.
+ + commit c7efaa5fe0ee92e321a7b49d56752cc12eb75fe0
* cipher/serpent-avx2-amd64.S: Remove use of GAS macros.
* cipher/serpent-sse2-amd64.S: Ditto.
* configure.ac [HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Do not check
for GAS macros.
Add Counter with CBC-MAC mode (CCM)
+ + commit 335d9bf7b035815750b63a3a8334d6ce44dc4449
* cipher/Makefile.am: Add 'cipher-ccm.c'.
* cipher/cipher-ccm.c: New.
* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode'.
(cipher_bench): Add handling for AEAD modes and add CCM benchmarking.
Add API to support AEAD cipher modes.
+ + commit 95654041f2aa62f71aac4d8614dafe8433d10f95
* cipher/cipher.c (_gcry_cipher_authenticate, _gcry_cipher_checktag)
(_gcry_cipher_gettag): New.
* doc/gcrypt.texi: Add documentation for new API functions.
2013-10-22 NIIBE Yutaka <gniibe@fsij.org>
ecc: Correct compliant key generation for Edwards curves.
+ + commit a5a277a9016ccb34f1858a65e0ed1791b2fc3db3
* cipher/ecc.c: Add case for Edwards curves.
2013-10-17 Werner Koch <wk@gnupg.org>
tests: Add test options to keygen.
+ + commit f7711e6eb5f02d03c74911f6f037ab28075e7c0d
* tests/keygen.c (usage): New.
(main): Print usage info. Allow running just one algo.
mpi: Do not clear the sign of the mpi_mod result.
+ + commit 91e007606f1f6f8e1416c403fe809d47fddf9b1f
* mpi/mpi-mod.c (_gcry_mpi_mod): Remove sign setting.
ecc: Put the curve name again into the output of gcry_pk_genkey.
+ + commit 4776dcd394ce59fa50d959921857b3427c5a63c8
* cipher/ecc.c (ecc_generate): Use the correct var. Release
CURVE_FLAGS.
ecc: Support Weierstrass curves in gcry_mpi_ec_curve_point.
+ + commit b22417158c50ec3a0b2ff55b4ade063b42a87e8f
* mpi/ec.c (_gcry_mpi_ec_curve_point): Support MPI_EC_WEIERSTRASS.
2013-10-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
arcfour: more optimized version for non-i386 architectures.
+ + commit f9371c026aad09ff48746d22c8333746c886e773
* cipher/arcfour.c (ARCFOUR_context): Reorder members.
(do_encrypt_stream) [!__i386__]: Faster implementation for non-i386.
(do_arcfour_setkey): Avoid modulo operations.
Avoid void* pointer arithmetic.
+ + commit c89ab921ccfaefe6c4f6a724d01e0df41a1a381f
* tests/tsexp.c (check_extract_param): Cast void* pointers to char*
before doing arithmetics.
2013-10-16 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
ecc: Add support for GOST R 34.10-2001/-2012 signatures.
+ + commit 83902f1f1dbc8263a0c3f61be59cd2eb95293c97
* src/cipher.h: define PUBKEY_FLAG_GOST
* cipher/ecc-curves.c: Add GOST2001-test and GOST2012-test curves
defined in standards. Typical applications would use either those
avoid parsing those hex strings. -wk
Fix 256-bit ecdsa test key definition.
+ + commit 187b2bb541b985255aee262d181434a7cb4ae2e7
* tests/basic.c (check_pubkey): fix nistp256 testing key declaration -
add missing comma.
2013-10-16 Werner Koch <wk@gnupg.org>
sexp: Add function gcry_sexp_extract_param.
+ + commit a329b6abf00c990faf1986f9fbad7b4d71c13bcb
* src/gcrypt.h.in (_GCRY_GCC_ATTR_SENTINEL): New.
(gcry_sexp_extract_param): New.
* src/visibility.c (gcry_sexp_extract_param): New.
2013-10-16 NIIBE Yutaka <gniibe@fsij.org>
mpi: mpi-pow improvement.
+ + commit 45aa6131e93fac89d46733b3436d960f35fb99b2
* mpi/mpi-pow.c (gcry_mpi_powm): New implementation of left-to-right
k-ary exponentiation.
2013-10-15 Werner Koch <wk@gnupg.org>
ecc: Support use of Ed25519 with ECDSA.
+ + commit 537969fbbb1104b8305a7edb331b7666d54eff2c
* src/cipher.h (PUBKEY_FLAG_ECDSA): New.
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag "ecdsa".
* cipher/ecc.c (verify_ecdsa, verify_eddsa): Remove some debug output.
2013-10-14 Werner Koch <wk@gnupg.org>
pubkey: Support flags list in gcry_pk_genkey.
+ + commit d3a605d7827b8a73ef844e9e5183590bd6b1389a
* src/cipher.h (PUBKEY_FLAG_TRANSIENT_KEY): New.
(PUBKEY_FLAG_USE_X931): New.
(PUBKEY_FLAG_USE_FIPS186): New.
* cipher/rsa.c (rsa_generate): Ditto.
pubkey: Remove duplicated flag parsing code.
+ + commit 5be2345ddec4147e535d5b039ee74f84bcacf9e4
* cipher/pubkey-util.c (_gcry_pk_util_preparse_encval)
(_gcry_pk_util_data_to_mpi): Factor flag parsing code out to ..
(parse_flag_list): New.
* src/cipher.h (PUBKEY_FLAG_RAW_FLAG): New.
mpicalc: Accept lowercase hex digits.
+ + commit 0cd551faa775ad5309a40629ae30bf86b75fca09
* src/mpicalc.c (main): Test for lowercase hex digits.
2013-10-11 Werner Koch <wk@gnupg.org>
pubkey: Move sexp parsing of remaining fucntions to the modules.
+ + commit a951c061523e1c13f1358c9760fc3a9d787ab2d4
* cipher/pubkey.c (release_mpi_array): Remove.
(pubkey_check_secret_key): Remove.
(sexp_elements_extract): Remove.
used parameters on error to NULL.
pubkey: Move sexp parsing for gcry_pk_decrypt to the modules.
+ + commit 07950c865a901afc48acb46f0695040cadfd5068
* cipher/rsa.c (rsa_decrypt): Revamp.
* cipher/elgamal.c (elg_decrypt): Revamp.
* cipher/ecc.c (ecc_decrypt_raw): Revamp.
* cipher/pubkey-util.c (_gcry_pk_util_preparse_encval): New.
pubkey: Move sexp parsing for gcry_pk_encrypt to the modules.
+ + commit 6bd5d18c45a4a3ce8f0f66f56c83b80594877f53
* cipher/rsa.c (rsa_encrypt): Revamp.
* cipher/elgamal.c (elg_encrypt): Revamp.
* cipher/ecc.c (ecc_encrypt_raw): Revamp.
that they are initialized even after an encrypt failure.
pubkey: Move sexp parsing for gcry_pk_sign to the modules.
+ + commit d0ae6635e4e6ae273c3a137c513d518f28f6eab3
* cipher/rsa.c (rsa_sign): Revamp.
* cipher/dsa.c (dsa_sign): Revamp.
* cipher/elgamal.c (elg_sign): Revamp.
2013-10-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Prevent tail call optimization with _gcry_burn_stack.
+ + commit 150c0313f971bcea62d2802f0389c883e11ebb31
* configure.ac: New check, HAVE_GCC_ASM_VOLATILE_MEMORY.
* src/g10lib.h (_gcry_burn_stack): Rename to __gcry_burn_stack.
(__gcry_burn_stack_dummy): New.
2013-10-09 Werner Koch <wk@gnupg.org>
pubkey: Move sexp parsing for gcry_pk_verify to the modules.
+ + commit 94b652ecb006c29fa2ffb1badc9f02b758581737
* cipher/rsa.c (rsa_verify): Revamp.
* cipher/dsa.c (dsa_verify): Revamp.
* cipher/elgamal.c (elg_verify): Revamp.
2013-10-08 Werner Koch <wk@gnupg.org>
pubkey: Move sexp parsing for gcry_pk_get_nbits to the modules.
+ + commit 4645f3728bb0900591b0aef85831fdee52c59e3c
* cipher/pubkey.c (spec_from_sexp): New.
(gcry_pk_get_nbits): Simplify.
* cipher/rsa.c (rsa_get_nbits): Take only PARMS as args and do sexp
CURVE.
pubkey: Move sexp parsing for gcry_pk_getkey to the modules.
+ + commit 3816e46ce211e63adf46dbc775510aa137572248
* cipher/pubkey-util.c: New.
(_gcry_pk_util_get_nbits): New. Based on code from gcry_pk_genkey.
(_gcry_pk_util_get_rsa_use_e): Ditto.
* cipher/ecc.c (ecc_generate): Ditto.
cipher: Deprecate GCRY_PK_ELG_E.
+ + commit f79d3e13d3229115c47cbe5007647cb44105fe3f
* cipher/elgamal.c (_gcry_pubkey_spec_elg_e): Remove.
* cipher/pubkey.c (pubkey_list): Remove double included
_gcry_pubkey_spec_elg.
2013-10-02 Werner Koch <wk@gnupg.org>
Provide Pth compatiblity for use with GnuPG 2.0.
+ + commit 2f767f6a17f7e99da4075882f7fe3ca597b31bdb
* src/ath.c (ath_install): Call ath_init and declare Pth as
compatible.
2013-10-02 Jussi Kivilinna <jussi.kivilinna@iki.fi>
sha512: fix building on ARM.
+ + commit 6410152338a2b2ac1216e70c153cd16f9199c94e
* cipher/sha512.c (transform) [USE_ARM_NEON_ASM]: Fix 'hd' to 'ctx'.
2013-10-02 Werner Koch <wk@gnupg.org>
Remove deprecated control codes.
+ + commit f04a1db22d982627ba87da4e5df52df9b994c779
* src/gcrypt.h.in (GCRYCTL_SET_KEY): Remove.
(GCRYCTL_SET_IV): Remove.
(GCRYCTL_SET_CTR): Remove.
2013-10-02 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Fix errors when building with Clang on PPC.
+ + commit 33757c1e03f1d885920633edf543cd1c77999455
* mpi/longlong.h (add_ssaaaa, sub_ddmmss, count_leading_zeros,
umul_ppmm): Do not cast asm output to USItype.
2013-10-02 Werner Koch <wk@gnupg.org>
Remove last remains of the former module system.
+ + commit 628ed5ba0ef4b1f04b5a77e29e4bc49a1fe13c07
* src/gcrypt-module.h, src/module.c: Remove.
* src/visibility.h: Do not include gcrypt-module.h.
* src/g10lib.h: Remove all prototypes from module.c
* cipher/cipher-internal.h (gcry_cipher_handle): Remove unused field.
Fix missing prototype warning in visibility.c.
+ + commit 52783d483293d48cd468143ae6ae2cccbfe17200
* src/ec-context.h (_gcry_mpi_ec_new): Move prototype to mpi.h.
md: Simplify the message digest dispatcher md.c.
+ + commit 0d39997932617ba20656f8bcc230ba744b76c87e
* src/gcrypt-module.h (gcry_md_spec_t): Move to ...
* src/cipher-proto.h: here. Merge with md_extra_spec_t. Add fields
ALGO and FLAGS. Set these fields in all digest modules.
2013-10-01 Werner Koch <wk@gnupg.org>
cipher: Simplify the cipher dispatcher cipher.c.
+ + commit 3ca180b25e8df252fc16f802cfdc27496e307830
* src/gcrypt-module.h (gcry_cipher_spec_t): Move to ...
* src/cipher-proto.h (gcry_cipher_spec_t): here. Merge with
cipher_extra_spec_t. Add fields ALGO and FLAGS. Set these fields in
* cipher/pubkey.c (_gcry_pk_selftest): Take care of the disabled flag.
mpi: Fix gcry_mpi_neg.
+ + commit 4153fa859816e799e506055321a22e6450aacdcc
* mpi/mpiutil.c (_gcry_mpi_neg): Copy U to W.
2013-10-01 Peter Wu <lekensteyn@gmail.com>
cipher: Add support for 128-bit keys in RC2.
+ + commit 738177ec0eae05069ec61bc4f724a69d4e052e42
* cipher/rfc2268.c (oids_rfc2268_128): New
(_gcry_cipher_spec_rfc2268_128): New.
* cipher/cipher.c (cipher_table_entry): Add GCRY_CIPHER_RFC2268_128.
2013-09-30 Werner Koch <wk@gnupg.org>
ecc: Use faster b parameter for Ed25519.
+ + commit 1d85452412b65e7976bc94969fc513ff6b880ed8
* cipher/ecc-curves.c (domain_parms): Replace b.
* tests/t-mpi-point.c (test_curve): Ditto.
ecc: Prepare for future Ed25519 optimization.
+ + commit a2618c822e666d4121cba29bee3fd50bf70c9743
* mpi/ec-ed25519.c: New but empty file.
* mpi/ec-internal.h: New.
* mpi/ec.c: Include ec-internal.h.
* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Fix sign problem.
ecc: Fix recomputing of Q for Ed25519.
+ + commit c325adb8f5092b80a626bd3bb5e49cf7f3a29fc8
* cipher/ecc-misc.c (reverse_buffer): New.
(_gcry_ecc_compute_public): Add ED255519 specific code.
* cipher/ecc.c (sign_eddsa): Allocate DIGEST in secure memory. Get
Ed25519.
log: Try to print s-expressions in a more compact format.
+ + commit d69a13d3d1c14ad6a6aa7cd349d6d2dfb152d422
* src/misc.c (count_closing_parens): New.
(_gcry_log_printsxp): Use new function.
* mpi/ec.c (_gcry_mpi_point_log): Take care of a NULL point.
2013-09-30 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Make Whirlpool use the _gcry_md_block_write helper.
+ + commit 68cefd0f1d60ac33b58031df9b1d165cb1bf0f14
* cipher/whirlpool.c (whirlpool_context_t): Add 'bctx', remove
'buffer', 'count' and 'nblocks'.
(whirlpool_init): Initialize 'bctx'.
(whirlpool_final, whirlpool_read): Adjust for 'bctx' usage.
whirlpool: add stack burning after transform.
+ + commit a96d622e1a36d40d1504b7ada567e90ec9957443
* cipher/whirlpool.c (whirlpool_transform): Return burn stack depth.
(whirlpool_add): Do burn_stack.
whirlpool: do bitcount calculation in finalization part.
+ + commit 10d7351411f19bb2c03d2e24ca5a38dabe45023b
* cipher/whirlpool.c (whirlpool_context_t): Remove 'length', add
'nblocks'.
(whirlpool_add): Update 'nblocks' instead of 'length', and add early
2013-09-30 Werner Koch <wk@gnupg.org>
Add logging functions to the API.
+ + commit d2076f27bb7c5d505abf25fc622d21794c4a5df3
* src/gcrypt.h.in (_GCRY_GCC_ATTR_PRINTF): New.
(gcry_log_debug, gcry_log_debughex, gcry_log_debugmpi): New.
(gcry_log_debugpnt, gcry_log_debugsxp): New.
2013-09-26 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Make libgcrypt build with Clang on i386.
+ + commit db60d828137c4f3682ca4ca2a54fe3d96d3db5f9
* cipher/longlong.h [__i386__] (add_ssaaaa, sub_ddmmss)
(umul_ppmm, udiv_qrnnd): Do not cast asm output to USItype.
2013-09-25 Werner Koch <wk@gnupg.org>
mpi: Change not yet used _gcry_mpi_set_opaque_copy.
+ + commit 1c6660debdbf1e4c3e80074c846a3e3097f214bb
* mpi/mpiutil.c (_gcry_mpi_set_opaque_copy): Change prototype.
(_gcry_mpi_get_opaque_copy): Take care of gcry_malloc failure.
sexp: Improve printing of data with a leading zero.
+ + commit 9b7c49971588edf6acfc74bfb797eb79d19cb350
* src/sexp.c (suitable_encoding): Detect leading zero byte.
ecc: Allow the name "q@eddsa" to get/set the public key.
+ + commit d6683d2a6065986a9198d2d2eaa02c005b68cea4
* cipher/ecc-curves.c (_gcry_ecc_get_mpi): Support "q@eddsa".
(_gcry_ecc_set_mpi): Support "q".
* cipher/ecc.c (eddsa_encodepoint): Rename to ...
(cmp_mpihex): Take care of opaque MPIs.
mpicalc: Add statement to compute the number of bits.
+ + commit 9a4447ccd1b90bcd701941e80a7f484a1825fcea
* src/mpicalc.c (do_nbits): New.
(main): Add statement 'b'.
ecc: Refactor low-level access functions.
+ + commit 64a7d347847d606eb5f4c156e24ba060271b8f6b
* mpi/ec.c (point_copy): Move to cipher/ecc-curves.c.
(ec_get_reset): Rename to _gcry_mpi_ec_get_reset and make global.
(_gcry_mpi_ec_get_mpi): Factor most code out to _gcry_ecc_get_mpi.
* cipher/ecc-misc.c (_gcry_ecc_compute_public): New.
ecc: Fix highly unlikely endless loop in sign_ecdsa.
+ + commit 1f5f4452e5bca105ec2197a4facbf9778e7dc31e
* cipher/ecc.c (sign_ecdsa): Turn while-do into do-while loops.
2013-09-24 Werner Koch <wk@gnupg.org>
ecc: Allow the use of an uncompressed public key.
+ + commit df013c9820709421ef9550158ac5df0060d73379
* cipher/ecc.c (eddsa_encodepoint): Factor most code out to ...
(eddsa_encode_x_y): new fucntion.
(eddsa_decodepoint): Allow use of an uncompressed public key.
2013-09-23 Werner Koch <wk@gnupg.org>
pk: Add algo id GCRY_PK_ECC and deprecate ECDSA and ECDH.
+ + commit d5f91466695c5736f441c9bf1998436184a4bf61
* src/gcrypt.h.in (GCRY_PK_ECC): New.
* cipher/pubkey.c (map_algo): New.
(spec_from_algo, gcry_pk_get_param, _gcry_pk_selftest): Use it.
_gcry_pubkey_spec_ecc.
ec: Use mpi_mulm instead of mpi_powm.
+ + commit 4552437bb3c5ff96a889fd31e4bc504b2a12fac7
* mpi/ec.c (ec_pow2): New.
(ec_powm): Remove call to mpi_abs.
(dup_point_weierstrass, dup_point_twistededwards)
2013-09-21 Jussi Kivilinna <jussi.kivilinna@iki.fi>
bufhelp: enable fast unaligned memory accesses on powerpc.
+ + commit 925d4fb3e8f2df3c5566ec6b5df7620a3d3504e5
* cipher/bufhelp.h [__powerpc__] (BUFHELP_FAST_UNALIGNED_ACCESS): Set
macro enabled.
[__powerpc64__] (BUFHELP_FAST_UNALIGNED_ACCESS): Ditto.
Remove i386 inline assembly version of rotation functions.
+ + commit cfea5c28a3822e1e7e401e5107ebe07ba7fdcf37
* cipher/bithelp.h (rol, ror): Remove i386 version, change
macros to inline functions.
* src/hmac256.c (ror): Ditto.
Optimize and cleanup 32-bit and 64-bit endianess transforms.
+ + commit 9337e03824a5bdd3bbbcb8382cabefe6d6c32e1e
* cipher/bithelp.h (bswap32, bswap64, le_bswap32, be_bswap32)
(le_bswap64, be_bswap64): New.
* cipher/bufhelp.h (buf_get_be32, buf_get_le32, buf_put_le32)
__builtin_bswap64.
gostr3411_94: set better burn stack depth estimate.
+ + commit 7409de7bc28ff8847c9d71d8c3e35e1968d59d60
* cipher/gost28147.c (_gcry_gost_enc_one): Account function stack to
burn stack depth.
* cipher/gostr3411-94.c (max): New macro.
(do_hash_step, transform): Return stack burn depth.
Use hash transform function return type for passing burn stack depth.
+ + commit 592c2ab3deeeccbb6d3b078ed7bf0e6627c8e1fb
* cipher/gostr4311-94.c (transform): Return stack burn depth.
* cipher/hash-common.c (_gcry_md_block_write): Use stack burn depth
returned by 'hd->bwrite'.
(tiger_final): Use stack burn depth from transform.
Make STRIBOG use the new _gcry_md_block_write helper.
+ + commit 902ea6052c11108bd19333c31b03e084bed1fb86
* cipher/stribog.c (STRIBOG_STRUCT): Add 'bctx' and remove 'buf' and
'count'.
(stribog_init_512): Initialize 'bctx'.
_gcry_md_block_write.
Make SHA-512 use the new _gcry_md_block_write helper.
+ + commit cce7449efe471b076c5a97929ac8907162011394
* cipher/hash-common.c (_gcry_md_block_write): Check that hd->buf is
large enough.
* cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE, MD_NBLOCKS_TYPE): New
2013-09-20 Werner Koch <wk@gnupg.org>
sexp: Change internal versions to always use gpg_err_code_t.
+ + commit 3e5cfa20acfeccb9df2c3fae2730344b40b36104
* src/sexp.c (gcry_sexp_new, gcry_sexp_create, gcry_sexp_build)
(gcry_sexp_build_array, gcry_sexp_canon_len): Change error return type
from gpg_error_t to gpg_err_code_t. Remove all calls to gpg_error.
use gpg_err_code wrappers.
pk: Move s-exp creation for gcry_pk_decrypt to the modules.
+ + commit 722bfc1e5f2268453db62f38cc46b5ec6ef3adee
* cipher/pubkey.c (sexp_to_enc): Remove RET_MODERN arg and merge it
into FLAGS.
(gcry_pk_decrypt): Move result s-exp building into the modules.
extra MPI allocations.
pk: Remove unused function.
+ + commit 64cd7ab93da7c95cc8aa320c61c6e29f9e2399c4
* cipher/pubkey.c (_gcry_pk_aliased_algo_name): Remove
2013-09-19 Werner Koch <wk@gnupg.org>
Beautify debug output of the prime generator.
+ + commit 6576f0a7684292cb5691bfcabad0acca4c06c014
* cipher/primegen.c: Adjust output of log_mpidump to recently changed
log_mpidump code changes.
pk: Move s-expr creation for genkey to the modules.
+ + commit 1bf08850bf9343146c938bc03917417e16393e9a
* cipher/pubkey.c (pubkey_generate): Fold into gcry_pk_genkey
(gcry_pk_genkey): Move result s-exp creation into the modules.
* cipher/dsa.c (dsa_generate): Create result as s-exp.
(gcry_pk_spec): and remove from struct.
tests: Beautify some diagnostics.
+ + commit 2fe084873333c4d67bcfba0b527d63cd3cff6c47
* tests/benchmark.c (ecc_bench): Print the key sexp in very verbose
mode.
(main): Add option --pk-count.
done.
sexp: Improve printing data representing a negative number.
+ + commit b3f3d47d347c14ed41d755cee580f000309b9c03
* src/sexp.c (suitable_encoding): Detect a negative number.
pk: Move RSA encoding functions to a new file.
+ + commit 071f70b9a766187fc70f6abc6a69d50752449285
* cipher/rsa-common: New.
* cipher/pubkey.c (pkcs1_encode_for_encryption): Move to rsa-common.c
and rename to _gcry_rsa_pkcs1_encode_for_enc.
(octet_string_from_mpi, mgf1): Move to rsa-common.c.
pk: Move s-expr creation for sign and encrypt to the modules.
+ + commit eca9e2e50ddd4c9020fe1d4a9a3c77d20ebb90f6
* cipher/pubkey.c (pubkey_encrypt): Fold into gcry_pk_encrypt.
(pubkey_decrypt): Fold into gcry_pk_decrypt.
(pubkey_sign): Fold into gcry_pk_sign.
2013-09-19 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Fix Stribog digest on bigendian platforms.
+ + commit d399faf5db71d429bfd6fa4a9cfc82e2a55055f0
* cipher/stribog.c (stribog_final): swap bytes in the result of digest
calculations.
2013-09-18 Werner Koch <wk@gnupg.org>
pk: Simplify the public key dispatcher pubkey.c.
+ + commit 85722afb379f7a392a8117b895de273fd88c4ebc
* src/cipher-proto.h (gcry_pk_spec_t): Add fields ALGO and FLAGS.
* cipher/dsa.c (_gcry_pubkey_spec_dsa): Set these fields.
* cipher/ecc.c (_gcry_pubkey_spec_ecdsa): Ditto.
(disable_pubkey_algo): SImplified. Not anymore thread-safe, though.
pk: Merge extraspecs struct with standard specs struct.
+ + commit 89103ce00e862cc709e80fa41f2ee13d54093ec5
* src/gcrypt-module.h (gcry_pk_spec_t): Move this typedef and the
corresponding function typedefs to ...
* src/cipher-proto.h: here.
2013-09-18 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix encryption/decryption return type for GOST28147.
+ + commit 2ad7ea9cb388fd31e4b0852b68d77f599ef4adce
* cipher/gost.h (_gcry_gost_enc_one): Change return type to
'unsigned int'.
* cipher/gost28147.c (max): New macro.
2013-09-18 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
doc: fix building of ps and pdf documentation.
+ + commit bd33fa21c9afc6c81e0da24016fc13001e9c7390
* doc/gcrypt.texi, doc/gpl.texi, doc/lgpl.texi: fix texinfo errors.
Add GOST R 34.11-2012 implementation (Stribog)
+ + commit c22064bdd773a807801e300aa9214b2fdcafcf20
* src/gcrypt.h.in (GCRY_MD_GOSTR3411_12_256)
(GCRY_MD_GOSTR3411_12_512): New.
* cipher/stribog.c: New.
* doc/gcrypt.texi: Document new constants.
Add basic implementation of GOST R 34.11-94 message digest.
+ + commit b0579baaa04fb91eabbbdc295bcabea04cf84056
* src/gcrypt.h.in (GCRY_MD_GOSTR3411_94): New.
* cipher/gostr3411-94.c: New.
* configure.ac (available_digests): Add gostr3411-94.
algorithms table.
Separate common md block code.
+ + commit ecde77ad98690540abb21db08e5531297ed72bd0
* cipher/hash-common.c (_gcry_md_block_write): New function to handle
block md operations. The current implementation is limited to 64 byte
buffer and u32 block counter.
_gcry_md_block_write.
Add limited implementation of GOST 28147-89 cipher.
+ + commit 56b5949f71f501744998f5ebc12488ebf6f1c0b5
* src/gcrypt.h.in (GCRY_CIPHER_GOST28147): New.
* cipher/gost.h, cipher/gost28147.c: New.
* configure.ac (available_ciphers): Add gost28147.
2013-09-18 Werner Koch <wk@gnupg.org>
ecc: Add Ed25519 key generation and prepare for optimizations.
+ + commit 63cd3474425cb5a7ec4d1a56be15b248ecda4680
* src/mpi.h (enum ecc_dialects): New.
* src/ec-context.h (mpi_ec_ctx_s): Add field DIALECT.
* cipher/ecc-common.h (elliptic_curve_t): Ditto.
2013-09-17 Werner Koch <wk@gnupg.org>
mpi: Support printing of negative numbers.
+ + commit 89fe2173649a72019d75e059e6c6938efd10421f
* mpi/mpicoder.c (twocompl, onecompl): New.
(gcry_mpi_print): Use it for STD and SSH.
(gcry_mpi_scan): Use it for STD and SSH. Always set NSCANNED.
2013-09-16 Werner Koch <wk@gnupg.org>
Fix bug in _gcry_mpi_tdiv_q_2exp.
+ + commit a7a9cdcaaf3979baa18dad51e722882581349f45
* mpi/mpi-internal.h (MPN_COPY_INCR): Make it work.
ecc: Implement Curve Ed25519 signing and verification.
+ + commit bc5199a02abe428ad377443280b3eda60141a1d6
* cipher/ecc-curves.c (domain_parms): Add curve "Ed25519".
* cipher/ecc.c (reverse_buffer): New.
(eddsa_encodempi): New.
(main): Call new test.
mpi: Add internal convenience function.
+ + commit 44a2c34e90ed7de149952398787906d8823b636b
* mpi/mpiutil.c (_gcry_mpi_get_opaque_copy): New.
mpi: Add debug function to print a point.
+ + commit 8ebc94d11a1eb93f2365c93f555e958700fdfbd4
* mpi/ec.c (_gcry_mpi_point_log): New.
* src/mpi.h (log_printpnt): new macro.
tests: Factor time measurement code out.
+ + commit 58eaf0c4332ac2f645ede28c4d18337389dfa753
* tests/benchmark.c (started_at, stopped_at, start_timer, stop_timer)
(elapsed time): Factor out to ..
* tests/stopwatch.h: new file.
2013-09-12 Werner Koch <wk@gnupg.org>
Fix _gcry_log_printmpi to print 00 instead of a sole sign.
+ + commit 1c76349c69c70a62b516a4f837c6287def640807
* src/misc.c: Special case an mpi length of 0.
2013-09-11 Werner Koch <wk@gnupg.org>
Streamline the use of the internal mpi and hex debug functions.
+ + commit e35ed615acc624a8b6c07576ea0650aac2bdb0db
* mpi/mpicoder.c (gcry_mpi_dump): Remove.
(_gcry_log_mpidump): Remove.
* src/misc.c (_gcry_log_printhex): Factor all code out to ...
2013-09-10 Werner Koch <wk@gnupg.org>
md: Add function gcry_md_hash_buffers.
+ + commit f3bca0c77c4979504f95fdbc618f7458e61e3e45
* src/gcrypt.h.in (gcry_buffer_t): new.
(gcry_md_hash_buffers): New.
* src/visibility.c, src/visibility.h: Add wrapper for new function.
(main): Run that test.
md: Fix Whirlpool flaw.
+ + commit 0a28b2d2c9181a536fc894e24626714832619923
* cipher/whirlpool.c (whirlpool_add): Remove shortcut return so that
byte counter is always properly updated.
2013-09-07 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix static build on AMD64.
+ + commit 90fdf25f0dcc5feac7195ede55bd15948a11363e
* cipher/rijndael-amd64.S: Correct 'RIP' macro for non-PIC build.
scrypt: fix for big-endian systems.
+ + commit 38a038a135d82231eff9d84f1ae3c4a25c6a5e75
* cipher/scrypt.c (_salsa20_core): Fix endianess issues.
2013-09-07 Werner Koch <wk@gnupg.org>
Use gcc "unused" attribute only with gcc >= 3.5.
+ + commit f7135e299e659d78906aac3dfdf30f380b5cf9c6
* src/g10lib.h (GCC_ATTR_UNUSED): Fix gcc version detection.
2013-09-07 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Add support for Salsa20/12 - 12 round version of Salsa20.
+ + commit ae6f6c47d2e0c536f3eab0823b5f23d26956cda2
* src/gcrypt.h.in (GCRY_CIPHER_SALSA20R12): New.
* src/salsa20.c (salsa20_core, salsa20_do_encrypt_stream): Add support
for reduced round versions.
2013-09-07 Werner Koch <wk@gnupg.org>
Add configure option --disable-amd64-as-feature-detection.
+ + commit 49d5b9dcd622cdc87fb02a211bd51e3d46345bf2
* configure.ac: Implement new disable flag.
mpi: Improve support for non-Weierstrass support.
+ + commit 4d8c8c7aa88cddb1624301957e6245405f46d027
* mpi/ec.c (ec_p_init): Add args MODEL and P. Change all callers.
(_gcry_mpi_ec_p_internal_new): Ditto.
(_gcry_mpi_ec_p_new): Ditto.
* cipher/pubkey.c (sexp_data_to_mpi): Fix EDDSA flag error checking.
mpi: Add gcry_mpi_ec_curve_point.
+ + commit ddfefe429660cc5d798f3517208936449247ae5c
* mpi/ec.c (_gcry_mpi_ec_curve_point): New.
(ec_powm): Return the absolute value.
* src/visibility.c, src/visibility.c: Add wrappers.
* src/libgcrypt.def, src/libgcrypt.vers: Export them.
mpi: Add functions to manipulate the sign.
+ + commit 1bd2c67aa55b40589654d3fa5dea05cf1ed7dc5f
* src/gcrypt.h.in (gcry_mpi_is_neg): New.
(gcry_mpi_neg, gcry_mpi_abs): New.
* mpi/mpiutil.c (_gcry_mpi_is_neg): New.
2013-09-06 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Tune armv6 mpi assembly.
+ + commit 4e4440153258e2f0dfdcaa8443820af06984ecb1
* mpi/armv6/mpih-mul1.S: Tune assembly for Cortex-A8.
* mpi/armv6/mpih-mul2.S: Ditto.
* mpi/armv6/mpih-mul3.S: Ditto.
2013-09-05 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Change _gcry_burn_stack take burn depth as unsigned integer.
+ + commit e0ae31fcce3bd57b24751ff3c82cba820e493c3a
* src/misc.c (_gcry_burn_stack): Change to handle 'unsigned int' bytes.
mpicalc: fix building on linux and win32.
+ + commit 50ec983666f0ca9d50c84aa1afad0d7bd5810779
* src/Makefile.am (mpicalc): Adjust CFLAGS and LDADD.
2013-09-04 Werner Koch <wk@gnupg.org>
Change mpicalc to use Libgcrypt and install it.
+ + commit 1d23040b659661b4086c079cb9fd5f37189a7020
* src/mpicalc.c: Make use of gcry_ functions.
(MPICALC_VERSION): New. Set to 2.0.
(strusage): Remove.
(mpicalc_SOURCES, mpicalc_CFLAGS, mpicalc_LDADD): New.
Add mpicalc.c to help with testing.
+ + commit a70c46e29c480fa0f56ab4814666a5b115f84fd7
* src/mpicalc.c: Take from GnuPG 1.4
Prepare support for EdDSA.
+ + commit c47d4001033f68212d2847b3074a0bdda990342e
* src/cipher.h (PUBKEY_FLAG_EDDSA): New.
* cipher/pubkey.c (pubkey_verify): Repalce args CMP and OPAQUEV by
CTX. Pass flags and hash algo to the verify function. Change all
(ecc_verify): Divert to verify_ecdsa or verify_eddsa.
Prepare support for non-Weierstrass EC equations.
+ + commit c26be7a337d0bf98193bc58e043209e46d0769bb
* src/mpi.h (gcry_mpi_ec_models): New.
* src/ec-context.h (mpi_ec_ctx_s): Add MODEL.
* cipher/ecc-common.h (elliptic_curve_t): Ditto.
* tests/Makefile.am (TESTS): Reorder tests.
mpi: Suppress newer gcc warnings.
+ + commit 8698530b2f9ef95542f1dd550961de7af86cc256
* src/g10lib.h (GCC_ATTR_UNUSED): Define for gcc >= 3.5.
* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Mark dummy
as unused.
* mpi/mpi-internal.h (UDIV_QRNND_PREINV): Mark _ql as unused.
Do not check with cpp for typedefed constants.
+ + commit b28b1f732e1b4f9c62a9de87c22c6bb0d3f8fdb8
* src/gcrypt-int.h: Include error code replacements depeding on the
version of libgpg-error.
2013-09-04 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Make _gcry_burn_stack use variable length array.
+ + commit 4b0edf53440239d3bcc95941980c062a0801a149
* configure.ac (HAVE_VLA): Add check.
* src/misc.c (_gcry_burn_stack) [HAVE_VLA]: Add VLA code.
Move stack burning from block ciphers to cipher modes.
+ + commit a3aaa6ad03388ea3eaa24304b604cb864633332f
* src/gcrypt-module.h (gcry_cipher_encrypt_t)
(gcry_cipher_decrypt_t): Return 'unsigned int'.
* cipher/cipher.c (dummy_encrypt_block, dummy_decrypt_block): Return
2013-09-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
camellia-aesni-avx2-amd64: Move register clearing to assembly functions.
+ + commit f3515240de9513ead975985c9f8ab714022cac8e
* cipher/camellia-aesni-avx2-amd64.S
(_gcry_camellia_aesni_avx2_ctr_enc): Add 'vzeroall'.
(_gcry_camellia_aesni_avx2_cbc_dec)
clearing.
camellia-aesni-avx-amd64: Move register clearing to assembly functions.
+ + commit 8b735cb563dff7aafbf8a970972522b5621e665c
* cipher/camellia-aesni-avx-amd64.S (_gcry_camellia_aesni_avx_ctr_enc)
(_gcry_camellia_aesni_avx_cbc_dec)
(_gcry_camellia_aesni_avx_cfb_dec): Add 'vzeroupper' at head and
(_gcry_serpent_avx2_cfb_dec) [USE_AESNI_AVX]: Remove register clearing.
serpent-avx2-amd64: Move register clearing to assembly.
+ + commit d12828cd821a4b4428eae19de5aee02cf536e536
* cipher/serpent-avx2-amd64.S (_gcry_serpent_avx2_ctr_enc)
(_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Change last
'vzeroupper' to 'vzeroall'.
'vzeroall'.
Fix building for x32 target.
+ + commit fd6721c235a5bdcb332c8eb708fbd4f96e52e824
* mpi/amd64/mpi-asm-defs.h: New file.
* random/rndhw.c (poll_padlock) [__x86_64__]: Also check if __LP64__ is
defined.
2013-08-31 Jussi Kivilinna <jussi.kivilinna@iki.fi>
sha512: add ARM/NEON assembly version of transform function.
+ + commit 99d15543b8d94a8f1ef66c6ccb862b0ce82c514d
* cipher/Makefile.am: Add 'sha512-armv7-neon.S'.
* cipher/sha512-armv7-neon.S: New file.
* cipher/sha512.c (USE_ARM_NEON_ASM): New macro.
* configure.ac (sha512) [neonsupport]: Add 'sha512-armv7-neon.lo'.
sha512: reduce stack use in transform function by 512 bytes.
+ + commit 03da7f8ba3ec24d4639a2bcebbc0d9d831734c08
* cipher/sha512.c (transform): Change 'u64 w[80]' to 'u64 w[16]' and
inline input expansion to first 64 rounds.
(sha512_write, sha512_final): Reduce burn_stack depth by 512 bytes.
Add ARM HW feature detection module and add NEON detection.
+ + commit 9c95be105f518d18407115c2c06893857c24b116
* configure.ac: Add option --disable-neon-support.
(HAVE_GCC_INLINE_ASM_NEON): New.
(ENABLE_NEON_SUPPORT): New.
call to _gcry_hwf_detect_arm.
Correct mpi_cpu_arch for ARMv6.
+ + commit 7b0ebe69fe35f2ee13e1e1beb2766a1eaadb7f0c
* mpi/config.links [armv6]: Set mpi_cpu_arch to "arm", instead of
"armv6".
2013-08-30 Werner Koch <wk@gnupg.org>
mpi: Make gcry_mpi_print work with negative zeroes.
+ + commit e9b711e6ddb480a71d2996465074e436c752c005
* mpi/mpicoder.c (gcry_mpi_print): Take care of negative zero.
(gcry_mpi_aprint): Allocate at least 1 byte.
* tests/t-convert.c: New.
* tests/Makefile.am (TESTS): Add t-convert.
Refactor the ECC code into 3 files.
+ + commit 800d4e01376d52a94a157b53978c7c3f957fc476
* cipher/ecc-common.h, cipher/ecc-curves.c, cipher/ecc-misc.c: New.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add new files.
* configure.ac (GCRYPT_PUBKEY_CIPHERS): Add new .c files.
2013-08-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
serpent-sse2-amd64: Move register clearing to assembly functions.
+ + commit 040aa7688296e93659cb32ca31e9a001a6ab1edd
cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_ctr_enc)
(_gcry_serpent_sse2_cbc_dec, _gcry_serpent_sse2_cfb_dec): Clear used
XMM registers.
bulk functions.
twofish-amd64: do not make __twofish_dec_blk3 global.
+ + commit 82db04a6a0058cf870485459abe7c1659b138ec5
* cipher/twofish-amd64.S (__twofish_dec_blk3): Do not export symbol as
global.
(__twofish_dec_blk3): Mark symbol as function.
2013-08-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
mpi: add ARMv6 assembly.
+ + commit da327aef3fe24fdf98fffbc8aea69de42ed12456
* mpi/armv6/mpi-asm-defs.h: New.
* mpi/armv6/mpih-add1.S: New.
* mpi/armv6/mpih-mul1.S: New.
* mpi/config.links [arm]: Enable ARMv6 assembly.
Move ARMv6 detection to configure.ac.
+ + commit 151f1e518be2d16bed748ba832384b0472ddcf9b
* cipher/blowfish-armv6.S: Replace __ARM_ARCH >= 6 checks with
HAVE_ARM_ARCH_V6.
* cipher/blowfish.c: Ditto.
2013-08-19 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add optimized wipememory for ARM.
+ + commit c030e33533fb819afe195eff5f89ec39863b1fbc
src/g10lib.h [__arm__] (fast_wipememory2_unaligned_head)
(fast_wipememory2): New macros.
cipher: bufhelp: allow unaligned memory accesses on ARM.
+ + commit 796dda37b957b20dba391343937c6325a8c8b288
* cipher/bufhelp.h [__arm__ && __ARM_FEATURE_UNALIGNED]: Enable
BUFHELP_FAST_UNALIGNED_ACCESS.
2013-08-17 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Remove burn_stack optimization.
+ + commit 79895b9459b9bf8c60cb7abf09d5bf16ed0cf6e3
* src/misc.c (_gcry_burn_stack): Remove SIZEOF_UNSIGNED_LONG == 4 or 8
optimization.
2013-08-16 Jussi Kivilinna <jussi.kivilinna@iki.fi>
camellia: add ARMv6 assembly implementation.
+ + commit cafadc1e4fb97581262b0081ba251e05613d4394
* cipher/Makefile.am: Add 'camellia-armv6.S'.
* cipher/camellia-armv6.S: New file.
* cipher/camellia-glue.c [USE_ARMV6_ASM]
(camellia) [arm]: Add 'camellia-armv6.lo'.
blowfish: add ARMv6 assembly implementation.
+ + commit 31e4b1a96a07e9a3698fcb7be0643a136ebb8e5c
* cipher/Makefile.am: Add 'blowfish-armv6.S'.
* cipher/blowfish-armv6.S: New file.
* cipher/blowfish.c (USE_ARMV6_ASM): New macro.
* configure.ac (blowfish) [arm]: Add 'blowfish-armv6.lo'.
cast5: add ARMv6 assembly implementation.
+ + commit 8d1faf56714598301580ce370e0bfa6d65e73644
* cipher/Makefile.am: Add 'cast5-armv6.S'.
* cipher/cast5-armv6.S: New file.
* cipher/cast5.c (USE_ARMV6_ASM): New macro.
2013-08-14 Jussi Kivilinna <jussi.kivilinna@iki.fi>
rijndael: add ARMv6 assembly implementation.
+ + commit f365961422f1c8b3d89b8bcd9c99828f38c1f158
* cipher/Makefile.am: Add 'rijndael-armv6.S'.
* cipher/rijndael-armv6.S: New file.
* cipher/rijndael.c (USE_ARMV6_ASM): New macro.
2013-08-09 NIIBE Yutaka <gniibe@fsij.org>
cipher: fix memory leak.
+ + commit 2b5bbe264fcd61e5e458e5f71a6507ba0271c729
* cipher/pubkey.c (gcry_pk_sign): Handle the specific case of ECC,
where there is NULL whichi is not the sentinel.
2013-08-08 Werner Koch <wk@gnupg.org>
mpi: Clear immutable flag on the result of gcry_mpi_set.
+ + commit 426cbc9feca0c8f46208fb3670adab95f9e46087
* mpi/mpiutil.c (gcry_mpi_set): Reset immutable and const flags.
* tests/mpitests.c (test_const_and_immutable): Add a test for this.
2013-08-07 NIIBE Yutaka <gniibe@fsij.org>
tests: fix memory leaks.
+ + commit cc082642c1b0f2a3e9ca78e1ffd3f64417c204bd
* tests/benchmark.c (dsa_bench): Release SIG.
* tests/mpitests.c (test_powm): Release BASE, EXP, MOD, and RES.
2013-08-07 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix building on W32 (cannot export symbol 'gcry_sexp_get_buffer')
+ + commit 065d446478bf68553339fc77a89b8369bd110a18
* src/libgcrypt.def: Change 'gcry_sexp_get_buffer' to
'gcry_sexp_nth_buffer'.
2013-08-06 NIIBE Yutaka <gniibe@fsij.org>
cipher: fix another memory leak.
+ + commit 9a421813123a2f5db0a91eaee4a45138efc9ad34
* cipher/ecc.c (ecc_get_curve): Free TMP.
tests: fix memory leaks.
+ + commit 87eddc31ccba6decbddd1761dd42a208666cd311
* tests/pubkey.c (check_keys_crypt): Release L, X0, and X1.
(check_keys): Release X.
cipher: fix memory leaks.
+ + commit ae6ffd9af38cbcac57c220960f683aab91db85cb
* cipher/elgamal.c (elg_generate_ext): Free XVALUE.
* cipher/pubkey.c (sexp_elements_extract): Don't use IDX for loop.
2013-08-05 Werner Koch <wk@gnupg.org>
mpi: Improve gcry_mpi_invm to detect bad input.
+ + commit d8e99a04dba6a606e879464cd11deee760d1e000
* mpi/mpi-inv.c (gcry_mpi_invm): Return 0 for bad input.
2013-07-31 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Correct checks for ecc secret key.
+ + commit 10dfa41b43a906031bc674ea41cd3073701011f3
* cipher/ecc.c (check_secret_key): replace wrong comparison of Q and
sk->Q points with correct one.
2013-07-29 Werner Koch <wk@gnupg.org>
sexp: Allow white space anywhere in a hex format.
+ + commit 43320961a8751ee28dc95cdb0ae01ea8a7ff7f91
* src/sexp.c (hextobyte): Remove.
(hextonibble): New.
(vsexp_sscan): Skip whtespace between hex nibbles.
Implement deterministic ECDSA as specified by rfc-6979.
+ + commit 6e0a9786637d649b48aae0e611a12e12beef9b3b
* cipher/ecc.c (sign): Add args FLAGS and HASHALGO. Convert an opaque
MPI as INPUT. Implement rfc-6979.
(ecc_sign): Remove the opaque MPI code and pass FLAGS to sign.
2013-07-26 Werner Koch <wk@gnupg.org>
Implement deterministic DSA as specified by rfc-6979.
+ + commit 1cfa79aabc5d0fd8d124901054475e90ab7d9cde
* cipher/dsa.c (dsa_sign): Move opaque mpi extraction to sign.
(sign): Add args FLAGS and HASHALGO. Implement deterministic DSA.
Add code path for R==0 to comply with the standard.
* tests/Makefile.am (TESTS): Add dsa-rfc6979.
Allow the use of a private-key s-expression with gcry_pk_verify.
+ + commit b72d312ad11887fc416aa821786f6bdb663c0f4a
* cipher/pubkey.c (sexp_to_key): Fallback to private key.
2013-07-25 Werner Koch <wk@gnupg.org>
Mitigate a flush+reload cache attack on RSA secret exponents.
+ + commit 287bf0e543f244d784cf8b58340bf0ab3c6aba97
* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
exponents in secure memory.
2013-07-19 Werner Koch <wk@gnupg.org>
pk: Allow the use of a hash element for DSA sign and verify.
+ + commit 37d0a1ebdc2dc74df4fb6bf0621045018122a68f
* cipher/pubkey.c (pubkey_sign): Add arg ctx and pass it to the sign
module.
(gcry_pk_sign): Pass CTX to pubkey_sign.
element with DSA.
sexp: Add function gcry_sexp_nth_buffer.
+ + commit 2d3e8d4d9562d666420aadd9ffa8ac0456a1cd91
* src/sexp.c (gcry_sexp_nth_buffer): New.
* src/visibility.c, src/visibility.h: Add function wrapper.
* src/libgcrypt.vers, src/libgcrypt.def: Add to API.
2013-07-18 Werner Koch <wk@gnupg.org>
Add support for Salsa20.
+ + commit c4885092088431e7928e4459fda20cc0e8ceb201
* src/gcrypt.h.in (GCRY_CIPHER_SALSA20): New.
* cipher/salsa20.c: New.
* configure.ac (available_ciphers): Add Salsa20.
2013-07-17 Werner Koch <wk@gnupg.org>
Allow gcry_mpi_dump to print opaque MPIs.
+ + commit 364d019e3ffedfcb434576702f73e767cb9389ef
* mpi/mpicoder.c (gcry_mpi_dump): Detect abd print opaque MPIs.
* tests/mpitests.c (test_opaque): New.
(main): Call new test.
cipher: Prepare to pass extra info to the sign functions.
+ + commit 5940e66cbefea3de5924f494f18aed69bb694bff
* src/gcrypt-module.h (gcry_pk_sign_t): Add parms flags and hashalgo.
* cipher/rsa.c (rsa_sign): Add parms and mark them as unused.
* cipher/dsa.c (dsa_sign): Ditto.
(pubkey_sign): Pass 0 for the new args.
Fix a special case bug in mpi_powm for e==0.
+ + commit 6e1adb05d290aeeb1c230c763970695f4a538526
* mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that
the result has been allocated.
2013-07-15 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Fix memory leak in t-mpi-point test.
+ + commit a7b80e9fba6b1b095f7c53469747967b40ebfbfd
* tests/t-mpi-point.c (basic_ec_math, basic_ec_math_simplified): add
calls to gcry_ctx_release() to free contexts after they become unused.
2013-07-10 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Fix 'Please include winsock2.h before windows.h' warnings with mingw32.
+ + commit d6c9c86cb7f571ae0bd9aee4efa01a0f9c4c3104
* random/rndw32.c: include winsock2.h before windows.h.
* src/ath.h [_WIN32]: Ditto.
* tests/benchmark.c [_WIN32]: Ditto.
Remove duplicate header from mpi/amd64/mpih-mul2.S.
+ + commit c64a0dcbefc5b0055954e37a3c86b32ff7a1b1da
* mpi/amd64/mpih-mul2.S: remove duplicated header.
Fix i386/amd64 inline assembly "cc" clobbers.
+ + commit ed0a598172208ec67234a4edd73189bf6808fd04
* cipher/bithelp.h [__GNUC__, __i386__] (rol, ror): add "cc" globber
for inline assembly.
* cipher/cast5.c [__GNUC__, __i386__] (rol): Ditto.
(udiv_qrnnd, count_leading_zeros, count_trailing_zeros): Ditto.
bufhelp: Suppress 'cast increases required alignment' warning.
+ + commit c3902a6b5cea9acef2e15fbee24eb601eeb25168
* cipher/bufhelp.h (buf_xor, buf_xor_2dst, buf_xor_n_copy): Cast
to larger element pointer through (void *) to suppress -Wcast-error.
mpi: Add __ARM_ARCH for older GCC.
+ + commit 97f392f43cf2e4da1297cbecacbfbff33a869478
* mpi/longlong.h [__arm__]: Construct __ARM_ARCH if not provided by
compiler.
mpi: add missing "cc" clobber for ARM assembly.
+ + commit 8aa4f2161cf643ce36d87d2e2786b546736f8232
* mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss): Add __CLOBBER_CC.
[__arm__][__ARM_ARCH <= 3] (umul_ppmm): Ditto.
Tweak ARM inline assembly for mpi.
+ + commit 71dda4507053379433dc8b0fc6462c15de7299df
mpi/longlong.h [__arm__]: Enable inline assembly if __thumb2__ is
defined.
[__arm__]: Use __ARCH_ARM when defined.
2013-06-26 Werner Koch <wk@gnupg.org>
Make gpg-error replacement defines more robust.
+ + commit 6540b84a6e9113813e7e49e3ad2024d4a0073300
* configure.ac (AH_BOTTOM): Move GPG_ERR_ replacement defines to ...
* src/gcrypt-int.h: new file.
* src/visibility.h, src/cipher.h: Replace gcrypt.h by gcrypt-int.h.
2013-06-20 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Check if assembler is compatible with AMD64 assembly implementations.
+ + commit 3544fa8aa63bef9a35abf236e9376191b5ec206b
* cipher/blowfish-amd64.S: Enable only if
HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS is defined.
* cipher/camellia-aesni-avx-amd64.S: Ditto.
2013-06-09 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Optimize _gcry_burn_stack for 32-bit and 64-bit architectures.
+ + commit ec2f8de409a93c80efa658134df22074a9bca5a4
* src/misc.c (_gcry_burn_stack): Add optimization for 32-bit and 64-bit
architectures.
Add Camellia AES-NI/AVX2 implementation.
+ + commit d94ec5f5f8a5d40a7d344025aa466f276f9718df
* cipher/Makefile.am: Add 'camellia-aesni-avx2-amd64.S'.
* cipher/camellia-aesni-avx2-amd64.S: New file.
* cipher/camellia-glue.c (USE_AESNI_AVX2): New macro.
'camellia-aesni-avx2-amd64.lo'.
Add Serpent AVX2 implementation.
+ + commit e7ab4e1a7396f4609b9033207015b239ab4a5140
* cipher/Makefile.am: Add 'serpent-avx2-amd64.S'.
* cipher/serpent-avx2-amd64.S: New file.
* cipher/serpent.c (USE_AVX2): New macro.
* configure.ac (serpent) [avx2support]: Add 'serpent-avx2-amd64.lo'.
Add detection for Intel AVX2 instruction set.
+ + commit 3289bca708bdd02c69a331095ac6ca9a1efd74cc
* configure.ac: Add option --disable-avx2-support.
(HAVE_GCC_INLINE_ASM_AVX2): New.
(ENABLE_AVX2_SUPPORT): New.
(detect_x86_gnuc) [ENABLE_AVX2_SUPPORT]: Add detection for AVX2.
twofish: add amd64 assembly implementation.
+ + commit d325ab5d86e6107a46007a4d0131122bbd719f8c
* cipher/Makefile.am: Add 'twofish-amd64.S'.
* cipher/twofish-amd64.S: New file.
* cipher/twofish.c (USE_AMD64_ASM): New macro.
2013-05-29 Jussi Kivilinna <jussi.kivilinna@iki.fi>
rinjdael: add amd64 assembly implementation.
+ + commit 7317fcfadf00789df140e51c0d16b60f6b144b59
* cipher/Makefile.am: Add 'rijndael-amd64.S'.
* cipher/rijndael-amd64.S: New file.
* cipher/rijndael.c (USE_AMD64_ASM): New macro.
* configure.ac (aes) [x86-64]: Add 'rijndael-amd64.lo'.
blowfish: add amd64 assembly implementation.
+ + commit 9a61edd1f00cefe8ffa3ad54a53eed163883053c
* cipher/Makefile.am: Add 'blowfish-amd64.S'.
* cipher/blowfish-amd64.S: New file.
* cipher/blowfish.c (USE_AMD64_ASM): New macro.
2013-05-24 Werner Koch <wk@gnupg.org>
ecc: Simplify the compliant point generation.
+ + commit 99b18aa536703ef90c9a1f5c8f40bc68b2064593
* cipher/ecc.c (generate_key): Use point_snatch_set, replaces unneeded
variable copies, etc.
ecc: Fix a minor flaw in the generation of K.
+ + commit 9711384f75564a71979e3fb971b5f4cadcf1afef
* cipher/dsa.c (gen_k): Factor code out to ..
* cipher/dsa-common.c (_gcry_dsa_gen_k): new file and function. Add
arg security_level and re-indent a bit.
2013-05-24 Jussi Kivilinna <jussi.kivilinna@iki.fi>
cast5: add amd64 assembly implementation.
+ + commit 0bdf26eea8cdbffefe7e37578f8f896c4f5f5275
* cipher/Makefile.am: Add 'cast5-amd64.S'.
* cipher/cast5-amd64.S: New file.
* cipher/cast5.c (USE_AMD64_ASM): New macro.
(gcry_cast5_cfb_dec): New prototypes.
cipher-selftest: make selftest work with any block-size.
+ + commit ab8fc70b5f0c396a5bc941267f59166e860b8c5d
* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc_128)
(_gcry_selftest_helper_cfb_128, _gcry_selftest_helper_ctr_128): Renamed
functions from '<name>_128' to '<name>'.
2013-05-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>
serpent: add parallel processing for CFB decryption.
+ + commit 6deb0ccdf718a0670f80e6762a3842caf76437d6
* cipher/cipher.c (gcry_cipher_open): Add bulf CFB decryption function
for Serpent.
* cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_cfb_dec): New
* src/cipher.h (_gcry_serpent_cfb_dec): New prototype.
camellia: add parallel processing for CFB decryption.
+ + commit b60f06f70227c1e69e1010da8b47ea51ade48145
* cipher/camellia-aesni-avx-amd64.S
(_gcry_camellia_aesni_avx_cfb_dec): New function.
* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_cfb_dec): New
* src/cipher.h (_gcry_camellia_cfb_dec): New prototype.
rinjdael: add parallel processing for CFB decryption with AES-NI.
+ + commit 319ee14f2aab8db56a830fd7ac8926f91b4f738a
* cipher/cipher-selftest.c (_gcry_selftest_helper_cfb_128): New
function for CFB selftests.
* cipher/cipher-selftest.h (_gcry_selftest_helper_cfb_128): New
2013-05-23 Werner Koch <wk@gnupg.org>
Avoid compiler warning due to the global symbol setkey.
+ + commit b402de8b9c4a9f269faf03ca952b1eb68a1f33c8
* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc_128)
(_gcry_selftest_helper_ctr_128): Rename setkey to setkey_func.
2013-05-23 Jussi Kivilinna <jussi.kivilinna@iki.fi>
serpent: add SSE2 accelerated amd64 implementation.
+ + commit 2fd06e207dcea1d8a7f0e7e92f3359615a99421b
* configure.ac (serpent): Add 'serpent-sse2-amd64.lo'.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add
'serpent-sse2-amd64.S'.
(_gcry_serpent_cbc_dec): New prototype.
Serpent: faster S-box implementation.
+ + commit c85501af8222913f0a1e20e77fceb88e93417925
* cipher/serpent.c (SBOX0, SBOX1, SBOX2, SBOX3, SBOX4, SBOX5, SBOX6)
(SBOX7, SBOX0_INVERSE, SBOX1_INVERSE, SBOX2_INVERSE, SBOX3_INVERSE)
(SBOX4_INVERSE, SBOX5_INVERSE, SBOX6_INVERSE, SBOX7_INVERSE): Replace
2013-05-22 Werner Koch <wk@gnupg.org>
w32: Fix installing of .def file.
+ + commit 4e46d8bc78008ba06f106b368cefb0dddf15fe38
* src/Makefile.am (install-def-file): Create libdir first.
Add control commands to disable mlock and setuid dropping.
+ + commit 2b8014af202c9e0f7619f7a4377f5eb752235220
* src/gcrypt.h.in (GCRYCTL_DISABLE_LOCKED_SECMEM): New.
(GCRYCTL_DISABLE_PRIV_DROP): New.
* src/global.c (_gcry_vcontrol): Implement them.
(lock_pool): Handle no_mlock and no_priv_drop.
Fix libtool 2.4.2 to correctly detect .def files.
+ + commit 05b3e2dda61d3d532a7f1ffd2487a85ed1c4f3ab
* ltmain.sh (sed_uncomment_deffile): New.
(orig_export_symbols): Uncomment def file before testing for EXPORTS.
* m4/libtool.m4: Do the same for the generated code.
2013-05-22 Jussi Kivilinna <jussi.kivilinna@iki.fi>
Add AES bulk CBC decryption selftest.
+ + commit b65281a1b76d7898eb7607932246b78277d8570b
* cipher/rinjdael.c (selftest_cbc_128): New.
(selftest): Call selftest_cbc_128.
Change AES bulk CTR encryption selftest use new selftest helper function
+ + commit 3637bdbb5f30a5e06745d448a6a8ad00e5cdd740
* cipher/rinjdael.c: (selftest_ctr_128): Change to use new selftest
helper function.
Convert bulk CTR and CBC selftest functions in Camellia to generic selftest helper functions
+ + commit eed4042fa028b3f73bad6a768f5b0a82f642e545
* cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-selftest files.
* cipher/camellia-glue.c (selftest_ctr_128, selftest_cbc_128): Change
to use the new selftest helper functions.
* cipher/cipher-selftest.h: New.
camellia: add bulk CBC decryption selftest.
+ + commit f2986f03d1ae59f973bae56ce4333e5457003de5
* cipher/camellia-glue.c: (selftest_cbc_128): New selftest function for
bulk CBC decryption.
(selftest): Add call to selftest_cbc_128.
camellia: Rename camellia_aesni_avx_x86-64.S to camellia-aesni-avx-amd64.S
+ + commit 194ae35da7830a76b96e9b21121a2e1248762d3f
* cipher/camellia_aesni_avx_x86-64.S: Remove.
* cipher/camellia-aesni-avx-amd64.S: New.
* cipher/Makefile.am: Use the new filename.
2013-05-21 Werner Koch <wk@gnupg.org>
Fix indentation and save on string space.
+ + commit 2ac3a7c2b7154379738d17cfde8cd9017dc142f0
* cipher/ecc.c (generate_key): Use the same string for both fatal
messages.
2013-05-20 Andrey <andrey@brainhub.org>
cipher: Fix segv in last ECC change.
+ + commit eb4937914db3fb7317502e97e4f0e40c1857f59d
* cipher/ecc.c (generate_key): Make sure R is initialized.
2013-05-09 Andrey <andrey@brainhub.org>
cipher: Generate compliant ECC keys.
+ + commit 296f38a2bd2e25788643a42e4881faed00884a40
* cipher/ecc.c (generate_key): Make sure a key is compliant for
using the compact representation.
2013-04-18 Werner Koch <wk@gnupg.org>
cipher: Fix regression in Padlock support.
+ + commit 6c942ec4d63032539f1fc56c3b970cfec2369e2b
* cipher/rijndael.c (do_setkey): Remove dummy padlock key generation case
and use the standard one.
mpi: Yet another fix to get option flag munging right.
+ + commit 03557687a09b9c8878c77cbfdd0f5049940c72da
* cipher/Makefile.am (o_flag_munging): Yet another fix.
mpi: Make using gcc's -Ofast easier.
+ + commit 1ab26bc304c559b0a8d29823d656f7ad8d10a59d
* cipher/Makefile.am (o_flag_munging): Take -Ofast in account.
Fix alignment problem in idea.c.
+ + commit 3271b0dfda67e26c381d7ed667737f08f865ee40
* cipher/idea.c (cipher): Rework parameter use to fix alignment
problems.
2013-04-18 Vladimir Serbinenko <phcoder@gmail.com>
Add some const attributes.
+ + commit ff0b94c22b36600fff1db9f1d48f9de61f9038f7
* cipher/md4.c (transform): Add const attribute.
* cipher/md5.c (transform): Ditto.
* cipher/rmd160.c (transform): Ditto.
Fix alignment problem in serpent.c.
+ + commit 86e72b490a5790a9c23341067c7e4d3e38be1634
* cipher/serpent.c (serpent_key_prepare): Fix misaligned access.
(serpent_setkey): Likewise.
(serpent_encrypt_internal): Likewise.
2013-04-16 Werner Koch <wk@wheatstone.g10code.de>
Fix multiply by zero in gcry_mpi_ec_mul.
+ + commit 78cd0ba8a8eceee9d0b3397a2ab3bda6ba37c8a4
* mpi/ec.c (_gcry_mpi_ec_mul_point): Handle case of SCALAR == 0.
* tests/t-mpi-point.c (basic_ec_math): Add a test case for this.
2013-04-15 Werner Koch <wk@gnupg.org>
Add macros to return pre-defined MPIs.
+ + commit bd3afc27459a44df8cf501a7e1ae37bb849a8b0e
* src/gcrypt.h.in (GCRYMPI_CONST_ONE, GCRYMPI_CONST_TWO)
(GCRYMPI_CONST_THREE, GCRYMPI_CONST_FOUR, GCRYMPI_CONST_EIGHT): New.
(_gcry_mpi_get_const): New private function.
* src/visibility.h: Mark it visible.
Fix addition of EC points.
+ + commit 71b25a5562f68aad81eae52cc1bab9ca7731a7e9
* mpi/ec.c (_gcry_mpi_ec_add_points): Fix case of P1 given in affine
coordinates.
2013-04-12 Werner Koch <wk@gnupg.org>
Add hack to allow using an "ecc" key for "ecdsa" or "ecdh".
+ + commit af8a79aea80217a0c85a592db1fa001792a6bf0f
* cipher/pubkey.c (sexp_to_key): Add optional arg USE.
(gcry_pk_encrypt, gcry_pk_decrypt): Call sexp_to_key with usage sign.
(gcry_pk_sign, gcry_pk_verify): Call sexp_to_key with usage encrypt.
2013-04-11 Werner Koch <wk@gnupg.org>
Add gcry_pubkey_get_sexp.
+ + commit 1f3cfad66456dd6f2e48f20b8eb0c51343449a1c
* src/gcrypt.h.in (GCRY_PK_GET_PUBKEY): New.
(GCRY_PK_GET_SECKEY): New.
(gcry_pubkey_get_sexp): New.
(_gcry_mpi_ec_get_point): Ditto.
Remove unused code.
+ + commit 7524da2ba83d83a766c22d704006380c893e1c49
* cipher/pubkey.c (_gcry_pk_module_lookup, _gcry_pk_module_release)
(_gcry_pk_get_elements): Remove.
2013-04-05 Werner Koch <wk@gnupg.org>
Make the Q parameter optional for ECC signing.
+ + commit fe91a642c7c257aca095b96406fbcace88fa3df4
* cipher/ecc.c (ecc_sign): Remove the need for Q.
* cipher/pubkey.c (sexp_elements_extract_ecc): Make Q optional for a
private key.
(main): Call new test.
Add test case for SCRYPT and rework the code.
+ + commit f23a068bcb6ec9788710698578d8be0a2a006dbc
* tests/t-kdf.c (check_scrypt): New.
(main): Call new test.
2013-04-04 Christian Grothoff <christian@grothoff.org>
Add the SCRYPT KDF function.
+ + commit 855b1a8f81b5a3b5b31d0c3c303675425f58a5af
* scrypt.c, scrypt.h: New files.
* memxor.c, memxor.h: New files.
* cipher/Makefile.am: Add new files.
2013-03-22 Werner Koch <wk@gnupg.org>
Replace deprecated AM_CONFIG_HEADER macro.
+ + commit d0c8fda5af45354ac32928c9a01e688d6893599d
* configure.ac: s/AM_CONFIG_HEADER/AC_CONFIG_HEADER/
Disable AES-NI support if as does not support SSSE3.
+ + commit 9f4df1612ae21a5ce70d98930cb194e5193f5e2d
* configure.ac (HAVE_GCC_INLINE_ASM_SSSE3): New test.
(ENABLE_AESNI_SUPPORT): Do not define without SSSE3 support.
(HAVE_GCC_INLINE_ASM_SSSE3, ENABLE_AVX_SUPPORT): Split up detection
2013-03-21 Werner Koch <wk@gnupg.org>
Fix make dependency regression.
+ + commit 2a1e03c5a481689c43d197dd8034a1d73de0a1a4
* src/Makefile.am (libgcrypt_la_DEPENDENCIES): Add missing backslash.
Reported by LRN.
2013-03-20 Werner Koch <wk@gnupg.org>
Use finer grained on-the-fly helper computations for EC.
+ + commit 5fb3501aa0cf5f2b2a9012706bb9ad2b1c4bfd7d
* src/ec-context.h (mpi_ec_ctx_s): Replace NEED_SYNC by a bitfield.
* mpi/ec.c (ec_p_sync): Remove.
(ec_get_reset, ec_get_a_is_pminus3, ec_get_two_inv_p): New.
(_gcry_mpi_ec_add_points): Replace ec_p_sync by the ec_get_ accessors.
Allow building with w64-mingw32.
+ + commit b402e550041782b770a6ae267c7c28ca8324a12e
* autogen.sh <--build-w32>: Support the w64-mingw32 toolchain. Also
prepare for 64 bit building.
Provide GCRYPT_VERSION_NUMBER macro, add build info to the binary.
+ + commit 1eaad0a8c4cab227685a6a8768e539df2f1f4dac
* src/gcrypt.h.in (GCRYPT_VERSION_NUMBER): New.
* configure.ac (VERSION_NUMBER): New ac_subst.
* src/global.c (_gcry_vcontrol): Move call to above function ...
timestamp.
Fix a memory leak in the new EC code.
+ + commit de07974d807b703a2554d6ba885ea249e648bd44
* cipher/ecc.c (point_from_keyparam): Always call mpi_free on A.
2013-03-19 Werner Koch <wk@gnupg.org>
Extend the new EC interface and fix two bugs.
+ + commit 931e409e877d1e444edd53dead327ec8e64daf9a
* src/ec-context.h (mpi_ec_ctx_s): Add field NEED_SYNC.
* mpi/ec.c (ec_p_sync): New.
(ec_p_init): Only set NEED_SYNC.
2013-03-15 Werner Koch <wk@gnupg.org>
mpi: Add functions to manipulate an EC context.
+ + commit 229f3219f80c9369ed9624242c0436ae6d293201
* src/gcrypt.h.in (gcry_mpi_ec_p_new): Remove.
(gcry_mpi_ec_new): New.
(gcry_mpi_ec_get_mpi): New.
2013-03-13 Werner Koch <wk@gnupg.org>
Add GCRYMPI_FLAG_CONST and make use constants.
+ + commit e005629bd7bebb3e13945645c6e1230b44ab16a2
* src/gcrypt.h.in (GCRYMPI_FLAG_CONST): New.
* src/mpi.h (mpi_is_const, mpi_const): New.
(enum gcry_mpi_constants, MPI_NUMBER_OF_CONSTANTS): New.
* src/mpiutils.c (gcry_mpi_set_opaque): Check the immutable flag.
Add GCRYMPI_FLAG_IMMUTABLE to help debugging.
+ + commit 1fecae98ee7e0fa49b29f98efa6817ca121ed98a
* src/gcrypt.h.in (GCRYMPI_FLAG_IMMUTABLE): New.
* src/mpi.h (mpi_is_immutable): New macro.
* mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag)
2013-03-08 Werner Koch <wk@gnupg.org>
mpi: Add an API for EC math.
+ + commit 8ac9e756d3ca545a9b97e61ad3d42fc2e877d788
* src/context.c, src/context.h: New.
* src/Makefile.am (libgcrypt_la_SOURCES): Add new files.
* src/gcrypt.h.in (struct gcry_context, gcry_ctx_t): New types.
(make_point, basic_ec_math): New.
mpi: Add an API for EC point operations.
+ + commit 7cce620acddac2df024ca421ed3abc32a88f3738
* mpi/ec.c (gcry_mpi_point_new, gcry_mpi_point_release): New.
(gcry_mpi_point_get, gcry_mpi_point_snatch_get): New.
(gcry_mpi_point_set, gcry_mpi_point_snatch_set): New.
2013-03-07 Werner Koch <wk@gnupg.org>
mpi: Add mpi_snatch and change an internal typedef.
+ + commit 6c4767637c512127a4362732b3ec51068554d328
* src/mpi.h (struct mpi_point_s): Rename to struct gcry_mpi_point.
(mpi_point_struct): New typedef.
(mpi_point_t): Change typedef to a pointer. Replace all occurrences
* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
Pretty print the configure feedback.
+ + commit c620099e4ab2f35e0196b395a805bb655c984ac2
* acinclude.m4 (GNUPG_MSG_PRINT): Remove.
(GCRY_MSG_SHOW, GCRY_MSG_WRAP): New.
* configure.ac: Use new macros for the feedback.
2013-02-20 Werner Koch <wk@gnupg.org>
Fix building of hwf-x86.c.
+ + commit 70dcac663de06b012417015c175973d64e6980df
* src/Makefile.am (AM_CFLAGS): Set to GPG_ERROR_CFLAGS
(AM_CCASFLAGS): Set NOEXECSTACK_FLAGS.
Remove build hacks for FreeBSD.
+ + commit fb48ebf7081400a24ee48f8a9894a361e8834b6e
* configure.ac [freebsd]: Do not add /usr/local to CPPFLAGS and
LDFLAGS.
2013-02-19 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Rinjdael: Fix use of SSE2 outside USE_AESNI/ctx->use_aesni.
+ + commit 0da77955a097bfd2469ad084b3e9fcac4fb1e3fa
* cipher/rijndael.c (_gcry_aes_cbc_enc): Check if AES-NI is enabled before
calling aesni_prepare() and aesni_cleanup().
Add AES-NI/AVX accelerated Camellia implementation.
+ + commit 63ac3ba07dba82fde040d31b90b4eff627bd92b9
* configure.ac: Add option --disable-avx-support.
(HAVE_GCC_INLINE_ASM_AVX): New.
(ENABLE_AVX_SUPPORT): New.
for AVX.
camellia.c: Prepare for AES-NI/AVX implementation.
+ + commit 4de62d80644228fc5db2a9f9c94a7eb633d8de2e
* cipher/camellia-glue.c (CAMELLIA_encrypt_stack_burn_size)
(CAMELLIA_decrypt_stack_burn_size): Increase stack burn size.
* cipher/camellia.c (CAMELLIA_ROUNDSM): Move key-material mixing in
optimize it for register usage.
Camellia, prepare glue code for AES-NI/AVX implementation.
+ + commit 537f12ce072d568f9fa344c447d32b2e0efffbe8
* cipher/camellia-glue.c (ATTR_ALIGNED_16): Add macro.
(CAMELLIA_encrypt_stack_burn_size): Add macro.
(camellia_encrypt): Use macro above for stack burn size.
2012-12-21 Werner Koch <wk@gnupg.org>
Prepare for hardware feature detection on other platforms.
+ + commit 09ac5d87d11aa0b1fa0e0a4184ab03b3671a73e2
* configure.ac (GCRYPT_HWF_MODULES): New.
(HAVE_CPU_ARCH_X86, HAVE_CPU_ARCH_ALPHA, HAVE_CPU_ARCH_SPARC)
(HAVE_CPU_ARCH_MIPS, HAVE_CPU_ARCH_M68K, HAVE_CPU_ARCH_PPC)
2012-12-21 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Clean up i386/x86-64 cpuid usage in hwfeatures.c.
+ + commit d842eea55e22c05da3959a7a4422b5fcd7884f60
* src/hwfeatures.c [__i386__ && __GNUC__] (detect_ia32_gnuc): Remove.
[__x86_64__ && __GNUC__] (detect_x86_64_gnuc): Remove.
[__i386__ && __GNUC__] (is_cpuid_available, get_cpuid)
2012-12-18 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Add support for using DRNG random number generator.
+ + commit efd7002188e6d50013e4d9a920a8b9afa9d210e5
* configure.ac: Add option --disable-drng-support.
(ENABLE_DRNG_SUPPORT): New.
* random/rndhw.c (USE_DRNG): New.
2012-12-03 Werner Koch <wk@gnupg.org>
random: Add a RNG selection interface and system RNG wrapper.
+ + commit 7607ab81504ce44060ed0b331d309606f5da1e75
* random/random-system.c: New.
* random/Makefile.am (librandom_la_SOURCES): Add new module.
* random/random.c (struct rng_types): New.
(run_all_rng_tests): New.
tests: Allow use of random.c under Windows.
+ + commit 76c622e24a07f7c826812be173aa173b4334776b
* tests/Makefile.am (TESTS): Always include random.c
* tests/random.c [!W32]: Include sys/wait.h.
(inf): New.
(main) [W32]: Do not call signal.
Make random-fips.c work multi-threaded.
+ + commit 75760021b511ba438606af746431223357e7a155
* random/random-fips.c (basic_initialization): Fix reversed logic.
Move nonce creation from csprng backend to random main module.
+ + commit c324644aa14e54fc7051983b38222db32b8ab227
* random/random-csprng.c (_gcry_rngcsprng_create_nonce): Remove.
(nonce_buffer_lock): Remove.
(initialize_basics): Remove init of nonce_buffer_lock.
2012-12-03 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Fix building with CC="gcc -std=c90".
+ + commit f851b9a932ee64fa5a06000d1ac763ba4349f07d
* configure.ac: Add check for missing 'asm' keyword in C90 mode and
replacement with '__asm__'.
2012-12-03 Werner Koch <wk@gnupg.org>
Try to use inttypes.h if stdint.h is not available.
+ + commit d9ec7aec1301b13a89e5c9c54d7ad52e1a29b846
* cipher/bufhelp.h [HAVE_INTTYPES_H]: Include inttypes.h
2012-12-03 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Optimize buffer xoring.
+ + commit 162791bc08f4fc9b3882671e68ecdfd9e130ae59
* cipher/Makefile.am (libcipher_la_SOURCES): Add 'bufhelp.h'.
* cipher/bufhelp.h: New.
* cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt)
2012-11-29 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Optimize AES-NI CTR mode.
+ + commit 9ee9e25f519696d509b1a5c1cc04ab0121e98a51
* cipher/rijndael.c [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Make
handling of 64-bit overflow and carry conditional. Avoid generic to
vector register passing of value '1'. Generate and use '-1' instead.
2012-11-28 Werner Koch <wk@gnupg.org>
Make a cpp conditional in rijndael.c better readable.
+ + commit 6765e0a8618000d3dc7bda035163e0708c43791b
* cipher/rijndael.c (USE_AESNI): Modify cpp conditionals for better
readability.
2012-11-28 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Fix building with Clang on x86-64 and i386.
+ + commit 99e272d938fe23efec25af409bdb91dae0e659e5
* cipher/rijndael.c [USE_AESNI] (do_aesni_enc_aligned)
(do_aesni_dec_vec4, do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Add
explicit suffix to 'cmp' instructions.
2012-11-26 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Optimize wipememory2 for i386 and x86-64.
+ + commit faec12e23f03c7cd1614594bfdd51f1302cadb42
* src/g10lib.h (wipememory2): Add call to fast_wipememory2.
(fast_wipememory2): New macros for i386 and x86-64 architectures.
Empty macro provided for other architectures.
Fix missing 64bit carry handling in AES-NI CTR mode.
+ + commit fc37e805c6394c2e635d1a033670be961f36a6d2
* cipher/rijndael.c [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Add
carry handling to 64-bit addition.
(selftest_ctr_128): New function for testing IV handling in bulk CTR
(selftest): Add call to selftest_ctr_128.
Add parallelized AES-NI CBC decryption.
+ + commit 35aff0cd43885b5f5c076432ec614698abeb63d8
* cipher/rijndael.c [USE_AESNI] (aesni_cleanup_5): New macro.
[USE_AESNI] (do_aesni_dec_vec4): New function.
(_gcry_aes_cbc_dec) [USE_AESNI]: Add parallelized CBC loop.
to xmm5.
Clear xmm5 after use in AES-NI CTR mode.
+ + commit 5acd0e5ae2a58dda51c2b56c879b80a1a6d2c42f
* cipher/rijndael.c [USE_AESNI]: Rename aesni_cleanup_2_4 to
aesni_cleanup_2_5.
[USE_AESNI] (aesni_cleanup_2_5): Clear xmm5 register.
aesni_cleanup_2_5 instead of aesni_cleanup_2_4.
Optimize AES-NI CBC encryption.
+ + commit be3768994ad362dfc849a8cd0146b4c9bb287d20
* cipher/rijndeal.c (_gcry_aes_cbc_enc) [USE_AESNI]: Add AES-NI
spesific loop and use SSE2 assembler for xoring and copying of
blocks.
Improve parallelizability of CBC decryption for AES-NI.
+ + commit 3369d960158ab4231b83926a0f982e2a8819f173
* cipher/rijndael.c (_gcry_aes_cbc_dec) [USE_AESNI]: Add AES-NI
specific CBC mode loop with temporary block and IV stored in free SSE
registers.
Extend test of chained modes for 128bit ciphers.
+ + commit 55b96be08531664ed3f4230acebe0f45954bbc33
* tests/basic.c (check_one_cipher_core, check_one_cipher): Increase
input and output buffer sizes from 16 bytes to 1024+16=1040 bytes.
(check_one_cipher_core): Add asserts to verify sizes of temporary
2012-11-21 Werner Koch <wk@gnupg.org>
Fix for strict aliasing rules.
+ + commit dfb4673da8ee52d95e0a62c9f49ca8599943f22e
* cipher/rijndael.c (do_setkey, prepare_decryption): Use u32_a_t for
casting.
Do not detect AES-NI support if disabled by configure.
+ + commit 3047795794eb238aa684bd0729acf64c82a19e09
* src/hwfeatures.c (detect_ia32_gnuc): Detect AESNI support only if
that support has been enabled.
2012-11-21 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Fix too large burn_stack in camellia-glue.c.
+ + commit 8afabc2813948778a3db52d9dee9a041a3dd50d4
* cipher/camellia-glue.c (camellia_encrypt, camellia_decrypt): Do not
take full array size of KEY_TABLE_TYPE, but argument size instead.
Add x86_64 support for AES-NI.
+ + commit d8bdfa42ed582655c180e7db9b16d4e756a12a6e
* cipher/rijndael.c [ENABLE_AESNI_SUPPORT]: Enable USE_AESNI on x86-64.
(do_setkey) [USE_AESNI_is_disabled_here]: Use %[key] and %[ksch]
directly as registers instead of using temporary register %%esi.
clear AES-NI feature flag.
Fix cpuid vendor-id check for i386 and x86-64.
+ + commit 9e1552517f68459a165ddebbba85e7cf37ff4f0c
* src/hwfeatures.c (detect_x86_64_gnuc, detect_ia32_gnuc): Allow
Intel features be detect from CPU by other vendors too.
Fix hwdetect assembler clobbers.
+ + commit 19b9efd1f47a5de9c450ce8212dfa3174a029c7a
* src/hwfeatures.c (detect_x86_64_gnuc): Add missing %ebx assembler
clobbers.
(detect_x86_64_gnuc, detect_ia32_gnuc) [ENABLE_PADLOCK_SUPPORT]: Add
2012-11-21 Werner Koch <wk@gnupg.org>
Use configure test for aligned attribute.
+ + commit 6368ed542150956ff4ba8170a15bbc534143675c
* configure.ac (HAVE_GCC_ATTRIBUTE_ALIGNED): New test and ac_define.
* cipher/cipher-internal.h, cipher/rijndael.c, random/rndhw.c: Use new
macro instead of a fixed test for __GNUC__.
Fix segv with AES-NI on some platforms.
+ + commit a96974de734beb51a733a89b3283bcf7b433b54c
* cipher/rijndael.c (RIJNDAEL_context): Align on 16 bytes.
2012-11-16 Werner Koch <wk@gnupg.org>
Improve parsing of the GIT revision number.
+ + commit 4b18e530f417d4af401a3fd721ad2a07e5310e3e
* configure.ac (mmm4_revision): Use git rev-parse.
2012-11-08 Werner Koch <wk@gnupg.org>
Fix extern inline use for gcc > 4.3 in c99 mode.
+ + commit 5abc06114e91beca0177331e1c79815f5fb6d7be
* mpi/mpi-inline.h [!G10_MPI_INLINE_DECL]: Take care of changed extern
inline semantics in gcc.
2012-11-07 Werner Koch <wk@gnupg.org>
Fix memory leak in gcry_pk_testkey for ECC.
+ + commit 8cbbad5f94f6e0429fffe66d689aea20f7e35957
* cipher/ecc.c (check_secret_key): Restructure for easier allocation
tracking. Fix memory leak.
2012-11-05 Werner Koch <wk@gnupg.org>
Prepare for a backported interface in 1.5.1.
+ + commit 7af98ef78d45e813f47ae4e180a02757a379953f
* configure.ac: Bump LT version at C20/A0/R0 to adjust for a planned
API update in 1.5.1.
Adjust for stricter autoconf requirements.
+ + commit 1241fbbc896e9bbad68f1007a17b20493f6cd1af
* configure.ac: Fix usage of AC_LANG_PROGRAM.
Update build helper scripts.
+ + commit a5c4d45e8d12737cd21b095c81da5c18e2afc39e
* config.guess, config.sub: Update to version 2012-07-31.
* ltmain.sh: Update to version 2.4.2.
* install-sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltversion.m4
* m4/lt~obsolete.m4: Update to autoconf 2.69 versions.
Do not distribute a copy of gitlog-to-changelog.
+ + commit 40976d7da5420453bf93a9c99f0cc4c7044d0774
* Makefile.am (GITLOG_TO_CHANGELOG): New.
(gen-ChangeLog): Require an installed gitlog-to-changelog.
* scripts/gitlog-to-changelog: Remove.
* REMOVE.GIT: New.
Allow building with w64-mingw32.
+ + commit 4f6fb150558d0ed250bfbd50352c258a4456ba50
* autogen.sh <--build-w32>: Support the w64-mingw32 toolchain. Also
prepare for 64 bit building.
<git-setup>: Remove option -c from chmod.
Switch to the new automagic beta numbering scheme.
+ + commit 7d5195be76d9dd4adc28976ad153e8f7761c5855
* configure.ac: Add all the required m4 magic.
Avoid dereferencing pointer right after the end.
+ + commit 79502e2c1982047dcf2b776f52826f38bbd9b1fe
* mpi/mpicoder.c (do_get_buffer): Check the length before derefing P.
2012-10-30 Werner Koch <wk@gnupg.org>
Make ancient test program useful again.
+ + commit 66adf76e634423bb72ce1f0b5ed78f4e4798f190
* tests/testapi.c (test_sexp): Adjust to current API. Print the
return code. Mark unused args.
(test_genkey): Mark unused args.
(main): Do not pass NULL to printf.
tests: Add ECC key generation tests.
+ + commit c13164884ade6b1e945cddacce2d244fd881de6b
* tests/keygen.c (check_generated_ecc_key): New.
(check_ecc_keys): New.
(main): Call simple ECC checks.
2012-10-30 Milan Broz <mbroz@redhat.com>
PBKDF2: Allow empty passphrase.
+ + commit 8528f1ba40e587dc17e02822e529fbd7ac69a189
* cipher/kdf.c (gcry_kdf_derive): Allow empty passphrase for PBKDF2.
* tests/t-kdf.c (check_pbkdf2): Add test case for above.
2012-08-16 Xi Wang <xi.wang@gmail.com>
Replace deliberate division by zero with _gcry_divide_by_zero.
+ + commit 2c54c4da19d3a79e9f749740828026dd41f0521a
* mpi/mpi-pow.c: Replace 1 / msize.
* mpi/mpih-div.c: Replace 1 / dsize.
* src/misc.c: Add _gcry_divide_by_zero.
2012-06-21 Werner Koch <wk@gnupg.org>
Clear AESNI feature flag for x86_64.
+ + commit 2196728e2252917849c1be94417258076767021b
* src/hwfeatures.c (_gcry_detect_hw_features) [__x86_64__]: Clear
AESNI feature flag.
Beautify last change.
+ + commit 20e423212c9710ee663e12dd0f62580ceb245a6f
* cipher/rijndael.c: Replace C99 feature from last patch. Keep cpp
lines short.
* random/rndhw.c: Keep cpp lines short.
2012-06-21 Rafaël Carré <funman@videolan.org>
Enable VIA Padlock on x86_64 platforms.
+ + commit baf0dc7e9c26167ab43ba2adebcf2f1abc9d9b3b
* cipher/rijndael.c: Duplicate x86 assembly and convert to x86_64.
* random/rndhw.c: Likewise.
* src/hwfeatures.c: Likewise.
2012-05-14 Werner Koch <wk@gnupg.org>
Add curve aliases from RFC-5656.
+ + commit 39c123b729a472ace039f8536d07f8b9a5f4675a
* cipher/ecc.c (curve_aliases): Add "nistp???" entries.
2012-04-16 Werner Koch <wk@gnupg.org>
State new contribution rules.
+ + commit 3bb858551cd5d84e43b800edfa2b07d1529718a9
* doc/DCO: New.
* doc/HACKING: Document new rules.
2012-04-04 Tomas Mraz <tmraz@fedoraproject.org>
Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command.
+ + commit 90e49a11733bfba9c3c505ac487282d35757f682
* doc/gcrypt.texi: Add documentation of the new command.
* src/fips.c (_gcry_enforced_fips_mode): Report the enforced fips mode
only when fips mode is enabled.
2012-02-17 Ulrich Müller <ulm@gentoo.org>
Rework selftest in idea.c.
+ + commit 70cca617ed75ea292e1fed769114dda5cc1d76f1
* cipher/idea.c (do_setkey): Execute selftest when first called.
(decrypt_block): Remove commented-out code.
(selftest): Execute all selftests. Return NULL on success, or
2012-02-16 Werner Koch <wk@gnupg.org>
Fix missing prototype.
+ + commit 46035d28c9b413851d43a4008fdc8e4cdf5d686b
* src/g10lib.h (_gcry_secmem_module_init): Make it a real prototype.
2012-02-16 Ulrich Müller <ulm@gentoo.org>
Add support for the IDEA cipher.
+ + commit 318fd85f377c060908d371f792d41e599b3b7483
Adapt idea.c to the Libgcrypt framework.
Add IDEA to cipher_table and to the build system.
2012-01-09 Werner Koch <wk@gnupg.org>
Include an IDEA implementation.
+ + commit 6078b05f5340d886e0b9e6cee1d9b5043e0cb210
The code is the old IDEA test code, written by me back in 1997 and
distributed on a Danish FTP server. This commit is only for
reference. To use the code it has to be adjusted to the Libgcrypt
2012-01-03 Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de>
Fix pthread locking and remove defunctional support for static lock init.
+ + commit 38fcd59ce774eaa3d65f2f7534c989afd860eb56
* src/ath.c: Include assert.h.
(ath_mutex_destroy, ath_mutex_lock, ath_mutex_unlock): Dereference LOCK.
* src/g10lib.h (_gcry_secmem_module_init): New declaration.
2011-12-16 Werner Koch <wk@gnupg.org>
Add alignment tests for the cipher tests.
+ + commit 14cf1f7e338fedb8edaff5631441746605152bd6
* tests/basic.c (check_one_cipher): Factor most code out to
check_one_cipher_core. Call that core function several times using
different alignment settings.
2011-12-07 Werner Koch <wk@gnupg.org>
tests/prime: Add option to create a well known private key.
+ + commit 16f5654643d584e3bc739b636752d779176b2191
* tests/prime.c (print_mpi, create_42prime): New.
(main): Add option --42.
2011-12-01 Werner Koch <wk@gnupg.org>
Do not build the random-daemon by make distcheck.
+ + commit ea1fb538d99f1ec093f2fef86f4f29176ec27826
* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Disable building of the
random daemon
Generate the ChangeLog from commit logs.
+ + commit 137d73191c904926ba529376144ee8239af4ca02
* scripts/gitlog-to-changelog: New script. Taken from gnulib.
* scripts/git-log-fix: New file.
* scripts/git-log-footer: New file.
@set -e; \
echo "$(VERSION)" > $(distdir)/VERSION
+distcheck-hook:
+ set -e; ( \
+ pref="#+macro: $$(echo $(PACKAGE_NAME)|tr '-' '_')_" ;\
+ reldate="$$(date -u +%Y-%m-%d)" ;\
+ echo "$${pref}ver $(PACKAGE_VERSION)" ;\
+ echo "$${pref}date $${reldate}" ;\
+ list='$(DIST_ARCHIVES)'; for i in $$list; do \
+ case "$$i" in *.tar.bz2) \
+ echo "$${pref}size $$(wc -c <$$i|awk '{print int($$1/1024)}')k" ;\
+ echo "$${pref}sha1 $$(sha1sum <$$i|cut -d' ' -f1)" ;\
+ echo "$${pref}sha2 $$(sha256sum <$$i|cut -d' ' -f1)" ;;\
+ esac;\
+ done ) | tee $(distdir).swdb
+
+
gen_start_date = 2011-12-01T14:00:00
.PHONY: gen-ChangeLog
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
+ && $(MAKE) $(AM_MAKEFLAGS) distcheck-hook \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure \
done
@set -e; \
echo "$(VERSION)" > $(distdir)/VERSION
+
+distcheck-hook:
+ set -e; ( \
+ pref="#+macro: $$(echo $(PACKAGE_NAME)|tr '-' '_')_" ;\
+ reldate="$$(date -u +%Y-%m-%d)" ;\
+ echo "$${pref}ver $(PACKAGE_VERSION)" ;\
+ echo "$${pref}date $${reldate}" ;\
+ list='$(DIST_ARCHIVES)'; for i in $$list; do \
+ case "$$i" in *.tar.bz2) \
+ echo "$${pref}size $$(wc -c <$$i|awk '{print int($$1/1024)}')k" ;\
+ echo "$${pref}sha1 $$(sha1sum <$$i|cut -d' ' -f1)" ;\
+ echo "$${pref}sha2 $$(sha256sum <$$i|cut -d' ' -f1)" ;;\
+ esac;\
+ done ) | tee $(distdir).swdb
.PHONY: gen-ChangeLog
gen-ChangeLog:
if test -d $(top_srcdir)/.git; then \
+Noteworthy changes in version 1.7.6 (2017-01-18) [C21/A1/R6]
+------------------------------------------------
+
+ * Bug fixes:
+
+ - Fix AES CTR self-check detected failure in the SSSE3 based
+ implementation.
+
+ - Remove gratuitous select before the getrandom syscall.
+
+
+Noteworthy changes in version 1.7.5 (2016-12-15) [C21/A1/R5]
+------------------------------------------------
+
+ * Bug fixes:
+
+ - Fix regression in mlock detection [bug#2870].
+
+
+Noteworthy changes in version 1.7.4 (2016-12-09) [C21/A1/R4]
+------------------------------------------------
+
+ * Performance:
+
+ - More ARMv8/AArch32 improvements for AES, GCM, SHA-256, and SHA-1.
+
+ - Add ARMv8/AArch32 assembly implementation for Twofish and
+ Camellia.
+
+ - Add bulk processing implementation for ARMv8/AArch32.
+
+ - Add Stribog OIDs.
+
+ - Improve the DRBG performance and sync the code with the Linux
+ version.
+
+ * Internal changes:
+
+ - When secure memory is requested by the MPI functions or by
+ gcry_xmalloc_secure, they do not anymore lead to a fatal error if
+ the secure memory pool is used up. Instead new pools are
+ allocated as needed. These new pools are not protected against
+ being swapped out (mlock can't be used). However, these days
+ this is considered a minor issue and can easily be mitigated by
+ using encrypted swap space.
+
+ * Bug fixes:
+
+ - Fix GOST 28147 CryptoPro-B S-box.
+
+ - Fix error code handling of mlock calls.
+
+
+Noteworthy changes in version 1.7.3 (2016-08-17) [C21/A1/R3]
+------------------------------------------------
+
+ * Bug fixes:
+
+ - Fix critical security bug in the RNG [CVE-2016-6313]. An
+ attacker who obtains 580 bytes from the standard RNG can
+ trivially predict the next 20 bytes of output. Problem
+ detected by Felix Dörre and Vladimir Klebanov, KIT.
+
+ - Fix building of some asm modules with older compilers and CPUs.
+
+ * Performance:
+
+ - ARMv8/AArch32 improvements for AES, GCM, SHA-256, and SHA-1.
+
+
+Noteworthy changes in version 1.7.2 (2016-07-14) [C21/A1/R2]
+------------------------------------------------
+
+ * Bug fixes:
+
+ - Fix setting of the ECC cofactor if parameters are specified.
+
+ - Fix memory leak in the ECC code.
+
+ - Remove debug message about unsupported getrandom syscall.
+
+ - Fix build problems related to AVX use.
+
+ - Fix bus errors on ARM for Poly1305, ChaCha20, AES, and SHA-512.
+
+ * Internal changes:
+
+ - Improved fatal error message for wrong use of gcry_md_read.
+
+ - Disallow symmetric encryption/decryption if key is not set.
+
+
Noteworthy changes in version 1.7.1 (2016-06-15) [C21/A1/R1]
------------------------------------------------
Version 1.7
Copyright (C) 1989,1991-2016 Free Software Foundation, Inc.
- Copyright (C) 2012-2016 g10 Code GmbH
- Copyright (C) 2013-2016 Jussi Kivilinna
+ Copyright (C) 2012-2017 g10 Code GmbH
+ Copyright (C) 2013-2017 Jussi Kivilinna
Libgcrypt is free software. See the file AUTHORS for full copying
notices, and LICENSES for notices about contributions that require
pool += (pgsize - ((long int)pool % pgsize));
err = mlock( pool, 4096 );
- if( !err || errno == EPERM )
+ if( !err || errno == EPERM || errno == EAGAIN)
return 0; /* okay */
return 1; /* hmmm */
#! /bin/sh
# Attempt to guess a canonical system name.
-# Copyright 1992-2015 Free Software Foundation, Inc.
+# Copyright 1992-2016 Free Software Foundation, Inc.
-timestamp='2015-01-01'
+timestamp='2016-05-15'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
#
# You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
#
# Please send patches to <config-patches@gnu.org>.
GNU config.guess ($timestamp)
Originally written by Per Bothner.
-Copyright 1992-2015 Free Software Foundation, Inc.
+Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
# Note: NetBSD doesn't particularly care about the vendor
# portion of the name. We always set it to "unknown".
sysctl="sysctl -n hw.machine_arch"
- UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
- /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+ UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \
+ /sbin/$sysctl 2>/dev/null || \
+ /usr/sbin/$sysctl 2>/dev/null || \
+ echo unknown)`
case "${UNAME_MACHINE_ARCH}" in
armeb) machine=armeb-unknown ;;
arm*) machine=arm-unknown ;;
sh3el) machine=shl-unknown ;;
sh3eb) machine=sh-unknown ;;
sh5el) machine=sh5le-unknown ;;
+ earmv*)
+ arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
+ endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'`
+ machine=${arch}${endian}-unknown
+ ;;
*) machine=${UNAME_MACHINE_ARCH}-unknown ;;
esac
# The Operating System including object format, if it has switched
- # to ELF recently, or will in the future.
+ # to ELF recently (or will in the future) and ABI.
case "${UNAME_MACHINE_ARCH}" in
+ earm*)
+ os=netbsdelf
+ ;;
arm*|i386|m68k|ns32k|sh3*|sparc|vax)
eval $set_cc_for_build
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
os=netbsd
;;
esac
+ # Determine ABI tags.
+ case "${UNAME_MACHINE_ARCH}" in
+ earm*)
+ expr='s/^earmv[0-9]/-eabi/;s/eb$//'
+ abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"`
+ ;;
+ esac
# The OS release
# Debian GNU/NetBSD machines have a different userland, and
# thus, need a distinct triplet. However, they do not need
release='-gnu'
;;
*)
- release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+ release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2`
;;
esac
# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
# contains redundant information, the shorter form:
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
- echo "${machine}-${os}${release}"
+ echo "${machine}-${os}${release}${abi}"
exit ;;
*:Bitrig:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
exit ;;
+ *:LibertyBSD:*:*)
+ UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
+ echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
+ exit ;;
*:ekkoBSD:*:*)
echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
exit ;;
*:MirBSD:*:*)
echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
exit ;;
+ *:Sortix:*:*)
+ echo ${UNAME_MACHINE}-unknown-sortix
+ exit ;;
alpha:OSF1:*:*)
case $UNAME_RELEASE in
*4.0)
ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
case "$ALPHA_CPU_TYPE" in
"EV4 (21064)")
- UNAME_MACHINE="alpha" ;;
+ UNAME_MACHINE=alpha ;;
"EV4.5 (21064)")
- UNAME_MACHINE="alpha" ;;
+ UNAME_MACHINE=alpha ;;
"LCA4 (21066/21068)")
- UNAME_MACHINE="alpha" ;;
+ UNAME_MACHINE=alpha ;;
"EV5 (21164)")
- UNAME_MACHINE="alphaev5" ;;
+ UNAME_MACHINE=alphaev5 ;;
"EV5.6 (21164A)")
- UNAME_MACHINE="alphaev56" ;;
+ UNAME_MACHINE=alphaev56 ;;
"EV5.6 (21164PC)")
- UNAME_MACHINE="alphapca56" ;;
+ UNAME_MACHINE=alphapca56 ;;
"EV5.7 (21164PC)")
- UNAME_MACHINE="alphapca57" ;;
+ UNAME_MACHINE=alphapca57 ;;
"EV6 (21264)")
- UNAME_MACHINE="alphaev6" ;;
+ UNAME_MACHINE=alphaev6 ;;
"EV6.7 (21264A)")
- UNAME_MACHINE="alphaev67" ;;
+ UNAME_MACHINE=alphaev67 ;;
"EV6.8CB (21264C)")
- UNAME_MACHINE="alphaev68" ;;
+ UNAME_MACHINE=alphaev68 ;;
"EV6.8AL (21264B)")
- UNAME_MACHINE="alphaev68" ;;
+ UNAME_MACHINE=alphaev68 ;;
"EV6.8CX (21264D)")
- UNAME_MACHINE="alphaev68" ;;
+ UNAME_MACHINE=alphaev68 ;;
"EV6.9A (21264/EV69A)")
- UNAME_MACHINE="alphaev69" ;;
+ UNAME_MACHINE=alphaev69 ;;
"EV7 (21364)")
- UNAME_MACHINE="alphaev7" ;;
+ UNAME_MACHINE=alphaev7 ;;
"EV7.9 (21364A)")
- UNAME_MACHINE="alphaev79" ;;
+ UNAME_MACHINE=alphaev79 ;;
esac
# A Pn.n version is a patched version.
# A Vn.n version is a released version.
# A Tn.n version is a released field test version.
# A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r.
- echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
exitcode=$?
trap '' 0
exit ;;
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
eval $set_cc_for_build
- SUN_ARCH="i386"
+ SUN_ARCH=i386
# If there is a compiler, see if it is configured for 64-bit objects.
# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
# This test works for both compilers.
- if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+ if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
- (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
- SUN_ARCH="x86_64"
+ SUN_ARCH=x86_64
fi
fi
echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
sun*:*:4.2BSD:*)
UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
- test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+ test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
case "`/bin/arch`" in
sun3)
echo m68k-sun-sunos${UNAME_RELEASE}
sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
case "${sc_cpu_version}" in
- 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
- 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+ 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
+ 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
532) # CPU_PA_RISC2_0
case "${sc_kernel_bits}" in
- 32) HP_ARCH="hppa2.0n" ;;
- 64) HP_ARCH="hppa2.0w" ;;
- '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
+ 32) HP_ARCH=hppa2.0n ;;
+ 64) HP_ARCH=hppa2.0w ;;
+ '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20
esac ;;
esac
fi
exit (0);
}
EOF
- (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+ (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa
fi ;;
esac
- if [ ${HP_ARCH} = "hppa2.0w" ]
+ if [ ${HP_ARCH} = hppa2.0w ]
then
eval $set_cc_for_build
# $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
# => hppa64-hp-hpux11.23
- if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+ if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
grep -q __LP64__
then
- HP_ARCH="hppa2.0w"
+ HP_ARCH=hppa2.0w
else
- HP_ARCH="hppa64"
+ HP_ARCH=hppa64
fi
fi
echo ${HP_ARCH}-hp-hpux${HPUX_REV}
echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
- FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
+ FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
5000:UNIX_System_V:4.*:*)
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+ FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
exit ;;
*:GNU/*:*:*)
# other systems with GNU libc and userland
- echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
+ echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;;
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
- if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
+ if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arc:Linux:*:* | arceb:Linux:*:*)
crisv32:Linux:*:*)
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
+ e2k:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
frv:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
+ k1om:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
m32r*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
echo ${UNAME_MACHINE}-dec-linux-${LIBC}
exit ;;
x86_64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo ${UNAME_MACHINE}-pc-linux-${LIBC}
exit ;;
xtensa*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i586.
# Note: whatever this is, it MUST be the same as what config.sub
- # prints for the "djgpp" host, or else GDB configury will decide that
+ # prints for the "djgpp" host, or else GDB configure will decide that
# this is a cross-build.
echo i586-pc-msdosdjgpp
exit ;;
SX-8R:SUPER-UX:*:*)
echo sx8r-nec-superux${UNAME_RELEASE}
exit ;;
+ SX-ACE:SUPER-UX:*:*)
+ echo sxace-nec-superux${UNAME_RELEASE}
+ exit ;;
Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;;
UNAME_PROCESSOR=powerpc
fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
- if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+ if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
- (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*)
UNAME_PROCESSOR=`uname -p`
- if test "$UNAME_PROCESSOR" = "x86"; then
+ if test "$UNAME_PROCESSOR" = x86; then
UNAME_PROCESSOR=i386
UNAME_MACHINE=pc
fi
# "uname -m" is not consistent, so use $cputype instead. 386
# is converted to i386 for consistency with other x86
# operating systems.
- if test "$cputype" = "386"; then
+ if test "$cputype" = 386; then
UNAME_MACHINE=i386
else
UNAME_MACHINE="$cputype"
echo i386-pc-xenix
exit ;;
i*86:skyos:*:*)
- echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+ echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
exit ;;
i*86:rdos:*:*)
echo ${UNAME_MACHINE}-pc-rdos
x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx
exit ;;
+ amd64:Isilon\ OneFS:*:*)
+ echo x86_64-unknown-onefs
+ exit ;;
esac
cat >&2 <<EOF
$0: unable to guess system type
-This script, last modified $timestamp, has failed to recognize
-the operating system you are using. It is advised that you
-download the most up to date version of the config scripts from
+This script (version $timestamp), has failed to recognize the
+operating system you are using. If your script is old, overwrite
+config.guess and config.sub with the latest versions from:
- http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+ http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
and
- http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+ http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
-If the version you run ($0) is already up to date, please
-send the following data and any information you think might be
-pertinent to <config-patches@gnu.org> in order to provide the needed
-information to handle your system.
+If $0 has already been updated, send the following data and any
+information you think might be pertinent to config-patches@gnu.org to
+provide the necessary information to handle your system.
config.guess timestamp = $timestamp
#! /bin/sh
# Configuration validation subroutine script.
-# Copyright 1992-2015 Free Software Foundation, Inc.
+# Copyright 1992-2016 Free Software Foundation, Inc.
-timestamp='2015-01-01'
+timestamp='2016-06-20'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# Otherwise, we print the canonical config type on stdout and succeed.
# You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
# This file is supposed to be the same for all GNU packages
# and recognize all the CPU types, system types and aliases
me=`echo "$0" | sed -e 's,.*/,,'`
usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
- $0 [OPTION] ALIAS
+Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS
Canonicalize a configuration name.
version="\
GNU config.sub ($timestamp)
-Copyright 1992-2015 Free Software Foundation, Inc.
+Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
case $maybe_os in
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
- knetbsd*-gnu* | netbsd*-gnu* | \
+ knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
kopensolaris*-gnu* | \
storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
| arc | arceb \
| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
| avr | avr32 \
+ | ba \
| be32 | be64 \
| bfin \
| c4x | c8051 | clipper \
| d10v | d30v | dlx | dsp16xx \
- | epiphany \
+ | e2k | epiphany \
| fido | fr30 | frv | ft32 \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| hexagon \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
- | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* | avr32-* \
+ | ba-* \
| be32-* | be64-* \
| bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* \
| c8051-* | clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
- | elxsi-* \
+ | e2k-* | elxsi-* \
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
| h8300-* | h8500-* \
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
| pyramid-* \
+ | riscv32-* | riscv64-* \
| rl78-* | romp-* | rs6000-* | rx-* \
| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
| sparclite-* \
- | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \
| tahoe-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
| tile*-* \
basic_machine=i386-pc
os=-aros
;;
+ asmjs)
+ basic_machine=asmjs-unknown
+ ;;
aux)
basic_machine=m68k-apple
os=-aux
basic_machine=m68k-bull
os=-sysv3
;;
+ e500v[12])
+ basic_machine=powerpc-unknown
+ os=$os"spe"
+ ;;
+ e500v[12]-*)
+ basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+ os=$os"spe"
+ ;;
ebmon29k)
basic_machine=a29k-amd
os=-ebmon
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
| -sym* | -kopensolaris* | -plan9* \
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
- | -aos* | -aros* \
+ | -aos* | -aros* | -cloudabi* | -sortix* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
- | -bitrig* | -openbsd* | -solidbsd* \
+ | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* | -cegcc* \
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
+ | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
- | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
+ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
+ | -onefs* | -tirtos* | -phoenix*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
;;
-nacl*)
;;
+ -ios)
+ ;;
-none)
;;
*)
cipher.c cipher-internal.h \
cipher-cbc.c cipher-cfb.c cipher-ofb.c cipher-ctr.c cipher-aeswrap.c \
cipher-ccm.c cipher-cmac.c cipher-gcm.c cipher-gcm-intel-pclmul.c \
+ cipher-gcm-armv8-aarch32-ce.S cipher-gcm-armv8-aarch64-ce.S \
cipher-poly1305.c cipher-ocb.c \
cipher-selftest.c cipher-selftest.h \
pubkey.c pubkey-internal.h pubkey-util.c \
poly1305-sse2-amd64.S poly1305-avx2-amd64.S poly1305-armv7-neon.S \
rijndael.c rijndael-internal.h rijndael-tables.h rijndael-aesni.c \
rijndael-padlock.c rijndael-amd64.S rijndael-arm.S rijndael-ssse3-amd64.c \
+ rijndael-armv8-ce.c rijndael-armv8-aarch32-ce.S rijndael-armv8-aarch64-ce.S \
+ rijndael-aarch64.S \
rmd160.c \
rsa.c \
salsa20.c salsa20-amd64.S salsa20-armv7-neon.S \
seed.c \
serpent.c serpent-sse2-amd64.S serpent-avx2-amd64.S serpent-armv7-neon.S \
sha1.c sha1-ssse3-amd64.S sha1-avx-amd64.S sha1-avx-bmi2-amd64.S \
- sha1-armv7-neon.S \
+ sha1-armv7-neon.S sha1-armv8-aarch32-ce.S sha1-armv8-aarch64-ce.S \
sha256.c sha256-ssse3-amd64.S sha256-avx-amd64.S sha256-avx2-bmi2-amd64.S \
+ sha256-armv8-aarch32-ce.S sha256-armv8-aarch64-ce.S \
sha512.c sha512-ssse3-amd64.S sha512-avx-amd64.S sha512-avx2-bmi2-amd64.S \
sha512-armv7-neon.S sha512-arm.S \
keccak.c keccak_permute_32.h keccak_permute_64.h keccak-armv7-neon.S \
stribog.c \
tiger.c \
whirlpool.c whirlpool-sse2-amd64.S \
-twofish.c twofish-amd64.S twofish-arm.S \
+twofish.c twofish-amd64.S twofish-arm.S twofish-aarch64.S \
rfc2268.c \
camellia.c camellia.h camellia-glue.c camellia-aesni-avx-amd64.S \
- camellia-aesni-avx2-amd64.S camellia-arm.S
+ camellia-aesni-avx2-amd64.S camellia-arm.S camellia-aarch64.S
gost28147.lo: gost-sb.h
gost-sb.h: gost-s-box
am_libcipher_la_OBJECTS = cipher.lo cipher-cbc.lo cipher-cfb.lo \
cipher-ofb.lo cipher-ctr.lo cipher-aeswrap.lo cipher-ccm.lo \
cipher-cmac.lo cipher-gcm.lo cipher-gcm-intel-pclmul.lo \
+ cipher-gcm-armv8-aarch32-ce.lo cipher-gcm-armv8-aarch64-ce.lo \
cipher-poly1305.lo cipher-ocb.lo cipher-selftest.lo pubkey.lo \
pubkey-util.lo md.lo mac.lo mac-hmac.lo mac-cmac.lo \
mac-gmac.lo mac-poly1305.lo poly1305.lo kdf.lo hmac-tests.lo \
cipher.c cipher-internal.h \
cipher-cbc.c cipher-cfb.c cipher-ofb.c cipher-ctr.c cipher-aeswrap.c \
cipher-ccm.c cipher-cmac.c cipher-gcm.c cipher-gcm-intel-pclmul.c \
+ cipher-gcm-armv8-aarch32-ce.S cipher-gcm-armv8-aarch64-ce.S \
cipher-poly1305.c cipher-ocb.c \
cipher-selftest.c cipher-selftest.h \
pubkey.c pubkey-internal.h pubkey-util.c \
poly1305-sse2-amd64.S poly1305-avx2-amd64.S poly1305-armv7-neon.S \
rijndael.c rijndael-internal.h rijndael-tables.h rijndael-aesni.c \
rijndael-padlock.c rijndael-amd64.S rijndael-arm.S rijndael-ssse3-amd64.c \
+ rijndael-armv8-ce.c rijndael-armv8-aarch32-ce.S rijndael-armv8-aarch64-ce.S \
+ rijndael-aarch64.S \
rmd160.c \
rsa.c \
salsa20.c salsa20-amd64.S salsa20-armv7-neon.S \
seed.c \
serpent.c serpent-sse2-amd64.S serpent-avx2-amd64.S serpent-armv7-neon.S \
sha1.c sha1-ssse3-amd64.S sha1-avx-amd64.S sha1-avx-bmi2-amd64.S \
- sha1-armv7-neon.S \
+ sha1-armv7-neon.S sha1-armv8-aarch32-ce.S sha1-armv8-aarch64-ce.S \
sha256.c sha256-ssse3-amd64.S sha256-avx-amd64.S sha256-avx2-bmi2-amd64.S \
+ sha256-armv8-aarch32-ce.S sha256-armv8-aarch64-ce.S \
sha512.c sha512-ssse3-amd64.S sha512-avx-amd64.S sha512-avx2-bmi2-amd64.S \
sha512-armv7-neon.S sha512-arm.S \
keccak.c keccak_permute_32.h keccak_permute_64.h keccak-armv7-neon.S \
stribog.c \
tiger.c \
whirlpool.c whirlpool-sse2-amd64.S \
-twofish.c twofish-amd64.S twofish-arm.S \
+twofish.c twofish-amd64.S twofish-arm.S twofish-aarch64.S \
rfc2268.c \
camellia.c camellia.h camellia-glue.c camellia-aesni-avx-amd64.S \
- camellia-aesni-avx2-amd64.S camellia-arm.S
+ camellia-aesni-avx2-amd64.S camellia-arm.S camellia-aarch64.S
@ENABLE_O_FLAG_MUNGING_FALSE@o_flag_munging = cat
@ENABLE_O_FLAG_MUNGING_TRUE@o_flag_munging = sed -e 's/-O\([2-9s][2-9s]*\)/-O1/' -e 's/-Ofast/-O1/g'
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish-arm.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia-aarch64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia-aesni-avx-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia-aesni-avx2-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia-arm.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-cfb.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-cmac.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-ctr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-gcm-armv8-aarch32-ce.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-gcm-armv8-aarch64-ce.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-gcm-intel-pclmul.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-gcm.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-ocb.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey-util.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rfc2268.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-aarch64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-aesni.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-arm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-armv8-aarch32-ce.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-armv8-aarch64-ce.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-armv8-ce.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-padlock.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-ssse3-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent-sse2-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1-armv7-neon.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1-armv8-aarch32-ce.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1-armv8-aarch64-ce.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1-avx-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1-avx-bmi2-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1-ssse3-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha256-armv8-aarch32-ce.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha256-armv8-aarch64-ce.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha256-avx-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha256-avx2-bmi2-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha256-ssse3-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha512.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stribog.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tiger.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish-aarch64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish-amd64.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish-arm.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish.Plo@am__quote@
--- /dev/null
+/* camellia-aarch64.S - ARMv8/AArch64 assembly implementation of Camellia
+ * cipher
+ *
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(__AARCH64EL__)
+#ifdef HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS
+
+.text
+
+/* struct camellia_ctx: */
+#define key_table 0
+
+/* register macros */
+#define CTX x0
+#define RDST x1
+#define RSRC x2
+#define RKEYBITS x3
+
+#define RTAB1 x4
+#define RTAB2 x5
+#define RTAB3 x6
+#define RTAB4 x7
+#define RMASK w8
+
+#define IL w9
+#define IR w10
+
+#define xIL x9
+#define xIR x10
+
+#define XL w11
+#define XR w12
+#define YL w13
+#define YR w14
+
+#define RT0 w15
+#define RT1 w16
+#define RT2 w17
+#define RT3 w18
+
+#define xRT0 x15
+#define xRT1 x16
+#define xRT2 x17
+#define xRT3 x18
+
+#ifdef __AARCH64EL__
+ #define host_to_be(reg, rtmp) \
+ rev reg, reg;
+ #define be_to_host(reg, rtmp) \
+ rev reg, reg;
+#else
+ /* nop on big-endian */
+ #define host_to_be(reg, rtmp) /*_*/
+ #define be_to_host(reg, rtmp) /*_*/
+#endif
+
+#define ldr_input_aligned_be(rin, a, b, c, d, rtmp) \
+ ldr a, [rin, #0]; \
+ ldr b, [rin, #4]; \
+ be_to_host(a, rtmp); \
+ ldr c, [rin, #8]; \
+ be_to_host(b, rtmp); \
+ ldr d, [rin, #12]; \
+ be_to_host(c, rtmp); \
+ be_to_host(d, rtmp);
+
+#define str_output_aligned_be(rout, a, b, c, d, rtmp) \
+ be_to_host(a, rtmp); \
+ be_to_host(b, rtmp); \
+ str a, [rout, #0]; \
+ be_to_host(c, rtmp); \
+ str b, [rout, #4]; \
+ be_to_host(d, rtmp); \
+ str c, [rout, #8]; \
+ str d, [rout, #12];
+
+/* unaligned word reads/writes allowed */
+#define ldr_input_be(rin, ra, rb, rc, rd, rtmp) \
+ ldr_input_aligned_be(rin, ra, rb, rc, rd, rtmp)
+
+#define str_output_be(rout, ra, rb, rc, rd, rtmp0, rtmp1) \
+ str_output_aligned_be(rout, ra, rb, rc, rd, rtmp0)
+
+/**********************************************************************
+ 1-way camellia
+ **********************************************************************/
+#define roundsm(xl, xr, kl, kr, yl, yr) \
+ ldr RT2, [CTX, #(key_table + ((kl) * 4))]; \
+ and IR, RMASK, xr, lsl#(4); /*sp1110*/ \
+ ldr RT3, [CTX, #(key_table + ((kr) * 4))]; \
+ and IL, RMASK, xl, lsr#(24 - 4); /*sp1110*/ \
+ and RT0, RMASK, xr, lsr#(16 - 4); /*sp3033*/ \
+ ldr IR, [RTAB1, xIR]; \
+ and RT1, RMASK, xl, lsr#(8 - 4); /*sp3033*/ \
+ eor yl, yl, RT2; \
+ ldr IL, [RTAB1, xIL]; \
+ eor yr, yr, RT3; \
+ \
+ ldr RT0, [RTAB3, xRT0]; \
+ ldr RT1, [RTAB3, xRT1]; \
+ \
+ and RT2, RMASK, xr, lsr#(24 - 4); /*sp0222*/ \
+ and RT3, RMASK, xl, lsr#(16 - 4); /*sp0222*/ \
+ \
+ eor IR, IR, RT0; \
+ eor IL, IL, RT1; \
+ \
+ ldr RT2, [RTAB2, xRT2]; \
+ and RT0, RMASK, xr, lsr#(8 - 4); /*sp4404*/ \
+ ldr RT3, [RTAB2, xRT3]; \
+ and RT1, RMASK, xl, lsl#(4); /*sp4404*/ \
+ \
+ ldr RT0, [RTAB4, xRT0]; \
+ ldr RT1, [RTAB4, xRT1]; \
+ \
+ eor IR, IR, RT2; \
+ eor IL, IL, RT3; \
+ eor IR, IR, RT0; \
+ eor IL, IL, RT1; \
+ \
+ eor IR, IR, IL; \
+ eor yr, yr, IL, ror#8; \
+ eor yl, yl, IR; \
+ eor yr, yr, IR;
+
+#define enc_rounds(n) \
+ roundsm(XL, XR, ((n) + 2) * 2 + 0, ((n) + 2) * 2 + 1, YL, YR); \
+ roundsm(YL, YR, ((n) + 3) * 2 + 0, ((n) + 3) * 2 + 1, XL, XR); \
+ roundsm(XL, XR, ((n) + 4) * 2 + 0, ((n) + 4) * 2 + 1, YL, YR); \
+ roundsm(YL, YR, ((n) + 5) * 2 + 0, ((n) + 5) * 2 + 1, XL, XR); \
+ roundsm(XL, XR, ((n) + 6) * 2 + 0, ((n) + 6) * 2 + 1, YL, YR); \
+ roundsm(YL, YR, ((n) + 7) * 2 + 0, ((n) + 7) * 2 + 1, XL, XR);
+
+#define dec_rounds(n) \
+ roundsm(XL, XR, ((n) + 7) * 2 + 0, ((n) + 7) * 2 + 1, YL, YR); \
+ roundsm(YL, YR, ((n) + 6) * 2 + 0, ((n) + 6) * 2 + 1, XL, XR); \
+ roundsm(XL, XR, ((n) + 5) * 2 + 0, ((n) + 5) * 2 + 1, YL, YR); \
+ roundsm(YL, YR, ((n) + 4) * 2 + 0, ((n) + 4) * 2 + 1, XL, XR); \
+ roundsm(XL, XR, ((n) + 3) * 2 + 0, ((n) + 3) * 2 + 1, YL, YR); \
+ roundsm(YL, YR, ((n) + 2) * 2 + 0, ((n) + 2) * 2 + 1, XL, XR);
+
+/* perform FL and FL⁻¹ */
+#define fls(ll, lr, rl, rr, kll, klr, krl, krr) \
+ ldr RT0, [CTX, #(key_table + ((kll) * 4))]; \
+ ldr RT2, [CTX, #(key_table + ((krr) * 4))]; \
+ and RT0, RT0, ll; \
+ ldr RT3, [CTX, #(key_table + ((krl) * 4))]; \
+ orr RT2, RT2, rr; \
+ ldr RT1, [CTX, #(key_table + ((klr) * 4))]; \
+ eor rl, rl, RT2; \
+ eor lr, lr, RT0, ror#31; \
+ and RT3, RT3, rl; \
+ orr RT1, RT1, lr; \
+ eor ll, ll, RT1; \
+ eor rr, rr, RT3, ror#31;
+
+#define enc_fls(n) \
+ fls(XL, XR, YL, YR, \
+ (n) * 2 + 0, (n) * 2 + 1, \
+ (n) * 2 + 2, (n) * 2 + 3);
+
+#define dec_fls(n) \
+ fls(XL, XR, YL, YR, \
+ (n) * 2 + 2, (n) * 2 + 3, \
+ (n) * 2 + 0, (n) * 2 + 1);
+
+#define inpack(n) \
+ ldr_input_be(RSRC, XL, XR, YL, YR, RT0); \
+ ldr RT0, [CTX, #(key_table + ((n) * 8) + 0)]; \
+ ldr RT1, [CTX, #(key_table + ((n) * 8) + 4)]; \
+ eor XL, XL, RT0; \
+ eor XR, XR, RT1;
+
+#define outunpack(n) \
+ ldr RT0, [CTX, #(key_table + ((n) * 8) + 0)]; \
+ ldr RT1, [CTX, #(key_table + ((n) * 8) + 4)]; \
+ eor YL, YL, RT0; \
+ eor YR, YR, RT1; \
+ str_output_be(RDST, YL, YR, XL, XR, RT0, RT1);
+
+.globl _gcry_camellia_arm_encrypt_block
+.type _gcry_camellia_arm_encrypt_block,@function;
+
+_gcry_camellia_arm_encrypt_block:
+ /* input:
+ * x0: keytable
+ * x1: dst
+ * x2: src
+ * x3: keybitlen
+ */
+
+ adr RTAB1, _gcry_camellia_arm_tables;
+ mov RMASK, #(0xff<<4); /* byte mask */
+ add RTAB2, RTAB1, #(1 * 4);
+ add RTAB3, RTAB1, #(2 * 4);
+ add RTAB4, RTAB1, #(3 * 4);
+
+ inpack(0);
+
+ enc_rounds(0);
+ enc_fls(8);
+ enc_rounds(8);
+ enc_fls(16);
+ enc_rounds(16);
+
+ cmp RKEYBITS, #(16 * 8);
+ bne .Lenc_256;
+
+ outunpack(24);
+
+ ret;
+.ltorg
+
+.Lenc_256:
+ enc_fls(24);
+ enc_rounds(24);
+
+ outunpack(32);
+
+ ret;
+.ltorg
+.size _gcry_camellia_arm_encrypt_block,.-_gcry_camellia_arm_encrypt_block;
+
+.globl _gcry_camellia_arm_decrypt_block
+.type _gcry_camellia_arm_decrypt_block,@function;
+
+_gcry_camellia_arm_decrypt_block:
+ /* input:
+ * x0: keytable
+ * x1: dst
+ * x2: src
+ * x3: keybitlen
+ */
+
+ adr RTAB1, _gcry_camellia_arm_tables;
+ mov RMASK, #(0xff<<4); /* byte mask */
+ add RTAB2, RTAB1, #(1 * 4);
+ add RTAB3, RTAB1, #(2 * 4);
+ add RTAB4, RTAB1, #(3 * 4);
+
+ cmp RKEYBITS, #(16 * 8);
+ bne .Ldec_256;
+
+ inpack(24);
+
+.Ldec_128:
+ dec_rounds(16);
+ dec_fls(16);
+ dec_rounds(8);
+ dec_fls(8);
+ dec_rounds(0);
+
+ outunpack(0);
+
+ ret;
+.ltorg
+
+.Ldec_256:
+ inpack(32);
+ dec_rounds(24);
+ dec_fls(24);
+
+ b .Ldec_128;
+.ltorg
+.size _gcry_camellia_arm_decrypt_block,.-_gcry_camellia_arm_decrypt_block;
+
+/* Encryption/Decryption tables */
+.globl _gcry_camellia_arm_tables
+.type _gcry_camellia_arm_tables,@object;
+.balign 32
+_gcry_camellia_arm_tables:
+.Lcamellia_sp1110:
+.long 0x70707000
+.Lcamellia_sp0222:
+ .long 0x00e0e0e0
+.Lcamellia_sp3033:
+ .long 0x38003838
+.Lcamellia_sp4404:
+ .long 0x70700070
+.long 0x82828200, 0x00050505, 0x41004141, 0x2c2c002c
+.long 0x2c2c2c00, 0x00585858, 0x16001616, 0xb3b300b3
+.long 0xececec00, 0x00d9d9d9, 0x76007676, 0xc0c000c0
+.long 0xb3b3b300, 0x00676767, 0xd900d9d9, 0xe4e400e4
+.long 0x27272700, 0x004e4e4e, 0x93009393, 0x57570057
+.long 0xc0c0c000, 0x00818181, 0x60006060, 0xeaea00ea
+.long 0xe5e5e500, 0x00cbcbcb, 0xf200f2f2, 0xaeae00ae
+.long 0xe4e4e400, 0x00c9c9c9, 0x72007272, 0x23230023
+.long 0x85858500, 0x000b0b0b, 0xc200c2c2, 0x6b6b006b
+.long 0x57575700, 0x00aeaeae, 0xab00abab, 0x45450045
+.long 0x35353500, 0x006a6a6a, 0x9a009a9a, 0xa5a500a5
+.long 0xeaeaea00, 0x00d5d5d5, 0x75007575, 0xeded00ed
+.long 0x0c0c0c00, 0x00181818, 0x06000606, 0x4f4f004f
+.long 0xaeaeae00, 0x005d5d5d, 0x57005757, 0x1d1d001d
+.long 0x41414100, 0x00828282, 0xa000a0a0, 0x92920092
+.long 0x23232300, 0x00464646, 0x91009191, 0x86860086
+.long 0xefefef00, 0x00dfdfdf, 0xf700f7f7, 0xafaf00af
+.long 0x6b6b6b00, 0x00d6d6d6, 0xb500b5b5, 0x7c7c007c
+.long 0x93939300, 0x00272727, 0xc900c9c9, 0x1f1f001f
+.long 0x45454500, 0x008a8a8a, 0xa200a2a2, 0x3e3e003e
+.long 0x19191900, 0x00323232, 0x8c008c8c, 0xdcdc00dc
+.long 0xa5a5a500, 0x004b4b4b, 0xd200d2d2, 0x5e5e005e
+.long 0x21212100, 0x00424242, 0x90009090, 0x0b0b000b
+.long 0xededed00, 0x00dbdbdb, 0xf600f6f6, 0xa6a600a6
+.long 0x0e0e0e00, 0x001c1c1c, 0x07000707, 0x39390039
+.long 0x4f4f4f00, 0x009e9e9e, 0xa700a7a7, 0xd5d500d5
+.long 0x4e4e4e00, 0x009c9c9c, 0x27002727, 0x5d5d005d
+.long 0x1d1d1d00, 0x003a3a3a, 0x8e008e8e, 0xd9d900d9
+.long 0x65656500, 0x00cacaca, 0xb200b2b2, 0x5a5a005a
+.long 0x92929200, 0x00252525, 0x49004949, 0x51510051
+.long 0xbdbdbd00, 0x007b7b7b, 0xde00dede, 0x6c6c006c
+.long 0x86868600, 0x000d0d0d, 0x43004343, 0x8b8b008b
+.long 0xb8b8b800, 0x00717171, 0x5c005c5c, 0x9a9a009a
+.long 0xafafaf00, 0x005f5f5f, 0xd700d7d7, 0xfbfb00fb
+.long 0x8f8f8f00, 0x001f1f1f, 0xc700c7c7, 0xb0b000b0
+.long 0x7c7c7c00, 0x00f8f8f8, 0x3e003e3e, 0x74740074
+.long 0xebebeb00, 0x00d7d7d7, 0xf500f5f5, 0x2b2b002b
+.long 0x1f1f1f00, 0x003e3e3e, 0x8f008f8f, 0xf0f000f0
+.long 0xcecece00, 0x009d9d9d, 0x67006767, 0x84840084
+.long 0x3e3e3e00, 0x007c7c7c, 0x1f001f1f, 0xdfdf00df
+.long 0x30303000, 0x00606060, 0x18001818, 0xcbcb00cb
+.long 0xdcdcdc00, 0x00b9b9b9, 0x6e006e6e, 0x34340034
+.long 0x5f5f5f00, 0x00bebebe, 0xaf00afaf, 0x76760076
+.long 0x5e5e5e00, 0x00bcbcbc, 0x2f002f2f, 0x6d6d006d
+.long 0xc5c5c500, 0x008b8b8b, 0xe200e2e2, 0xa9a900a9
+.long 0x0b0b0b00, 0x00161616, 0x85008585, 0xd1d100d1
+.long 0x1a1a1a00, 0x00343434, 0x0d000d0d, 0x04040004
+.long 0xa6a6a600, 0x004d4d4d, 0x53005353, 0x14140014
+.long 0xe1e1e100, 0x00c3c3c3, 0xf000f0f0, 0x3a3a003a
+.long 0x39393900, 0x00727272, 0x9c009c9c, 0xdede00de
+.long 0xcacaca00, 0x00959595, 0x65006565, 0x11110011
+.long 0xd5d5d500, 0x00ababab, 0xea00eaea, 0x32320032
+.long 0x47474700, 0x008e8e8e, 0xa300a3a3, 0x9c9c009c
+.long 0x5d5d5d00, 0x00bababa, 0xae00aeae, 0x53530053
+.long 0x3d3d3d00, 0x007a7a7a, 0x9e009e9e, 0xf2f200f2
+.long 0xd9d9d900, 0x00b3b3b3, 0xec00ecec, 0xfefe00fe
+.long 0x01010100, 0x00020202, 0x80008080, 0xcfcf00cf
+.long 0x5a5a5a00, 0x00b4b4b4, 0x2d002d2d, 0xc3c300c3
+.long 0xd6d6d600, 0x00adadad, 0x6b006b6b, 0x7a7a007a
+.long 0x51515100, 0x00a2a2a2, 0xa800a8a8, 0x24240024
+.long 0x56565600, 0x00acacac, 0x2b002b2b, 0xe8e800e8
+.long 0x6c6c6c00, 0x00d8d8d8, 0x36003636, 0x60600060
+.long 0x4d4d4d00, 0x009a9a9a, 0xa600a6a6, 0x69690069
+.long 0x8b8b8b00, 0x00171717, 0xc500c5c5, 0xaaaa00aa
+.long 0x0d0d0d00, 0x001a1a1a, 0x86008686, 0xa0a000a0
+.long 0x9a9a9a00, 0x00353535, 0x4d004d4d, 0xa1a100a1
+.long 0x66666600, 0x00cccccc, 0x33003333, 0x62620062
+.long 0xfbfbfb00, 0x00f7f7f7, 0xfd00fdfd, 0x54540054
+.long 0xcccccc00, 0x00999999, 0x66006666, 0x1e1e001e
+.long 0xb0b0b000, 0x00616161, 0x58005858, 0xe0e000e0
+.long 0x2d2d2d00, 0x005a5a5a, 0x96009696, 0x64640064
+.long 0x74747400, 0x00e8e8e8, 0x3a003a3a, 0x10100010
+.long 0x12121200, 0x00242424, 0x09000909, 0x00000000
+.long 0x2b2b2b00, 0x00565656, 0x95009595, 0xa3a300a3
+.long 0x20202000, 0x00404040, 0x10001010, 0x75750075
+.long 0xf0f0f000, 0x00e1e1e1, 0x78007878, 0x8a8a008a
+.long 0xb1b1b100, 0x00636363, 0xd800d8d8, 0xe6e600e6
+.long 0x84848400, 0x00090909, 0x42004242, 0x09090009
+.long 0x99999900, 0x00333333, 0xcc00cccc, 0xdddd00dd
+.long 0xdfdfdf00, 0x00bfbfbf, 0xef00efef, 0x87870087
+.long 0x4c4c4c00, 0x00989898, 0x26002626, 0x83830083
+.long 0xcbcbcb00, 0x00979797, 0xe500e5e5, 0xcdcd00cd
+.long 0xc2c2c200, 0x00858585, 0x61006161, 0x90900090
+.long 0x34343400, 0x00686868, 0x1a001a1a, 0x73730073
+.long 0x7e7e7e00, 0x00fcfcfc, 0x3f003f3f, 0xf6f600f6
+.long 0x76767600, 0x00ececec, 0x3b003b3b, 0x9d9d009d
+.long 0x05050500, 0x000a0a0a, 0x82008282, 0xbfbf00bf
+.long 0x6d6d6d00, 0x00dadada, 0xb600b6b6, 0x52520052
+.long 0xb7b7b700, 0x006f6f6f, 0xdb00dbdb, 0xd8d800d8
+.long 0xa9a9a900, 0x00535353, 0xd400d4d4, 0xc8c800c8
+.long 0x31313100, 0x00626262, 0x98009898, 0xc6c600c6
+.long 0xd1d1d100, 0x00a3a3a3, 0xe800e8e8, 0x81810081
+.long 0x17171700, 0x002e2e2e, 0x8b008b8b, 0x6f6f006f
+.long 0x04040400, 0x00080808, 0x02000202, 0x13130013
+.long 0xd7d7d700, 0x00afafaf, 0xeb00ebeb, 0x63630063
+.long 0x14141400, 0x00282828, 0x0a000a0a, 0xe9e900e9
+.long 0x58585800, 0x00b0b0b0, 0x2c002c2c, 0xa7a700a7
+.long 0x3a3a3a00, 0x00747474, 0x1d001d1d, 0x9f9f009f
+.long 0x61616100, 0x00c2c2c2, 0xb000b0b0, 0xbcbc00bc
+.long 0xdedede00, 0x00bdbdbd, 0x6f006f6f, 0x29290029
+.long 0x1b1b1b00, 0x00363636, 0x8d008d8d, 0xf9f900f9
+.long 0x11111100, 0x00222222, 0x88008888, 0x2f2f002f
+.long 0x1c1c1c00, 0x00383838, 0x0e000e0e, 0xb4b400b4
+.long 0x32323200, 0x00646464, 0x19001919, 0x78780078
+.long 0x0f0f0f00, 0x001e1e1e, 0x87008787, 0x06060006
+.long 0x9c9c9c00, 0x00393939, 0x4e004e4e, 0xe7e700e7
+.long 0x16161600, 0x002c2c2c, 0x0b000b0b, 0x71710071
+.long 0x53535300, 0x00a6a6a6, 0xa900a9a9, 0xd4d400d4
+.long 0x18181800, 0x00303030, 0x0c000c0c, 0xabab00ab
+.long 0xf2f2f200, 0x00e5e5e5, 0x79007979, 0x88880088
+.long 0x22222200, 0x00444444, 0x11001111, 0x8d8d008d
+.long 0xfefefe00, 0x00fdfdfd, 0x7f007f7f, 0x72720072
+.long 0x44444400, 0x00888888, 0x22002222, 0xb9b900b9
+.long 0xcfcfcf00, 0x009f9f9f, 0xe700e7e7, 0xf8f800f8
+.long 0xb2b2b200, 0x00656565, 0x59005959, 0xacac00ac
+.long 0xc3c3c300, 0x00878787, 0xe100e1e1, 0x36360036
+.long 0xb5b5b500, 0x006b6b6b, 0xda00dada, 0x2a2a002a
+.long 0x7a7a7a00, 0x00f4f4f4, 0x3d003d3d, 0x3c3c003c
+.long 0x91919100, 0x00232323, 0xc800c8c8, 0xf1f100f1
+.long 0x24242400, 0x00484848, 0x12001212, 0x40400040
+.long 0x08080800, 0x00101010, 0x04000404, 0xd3d300d3
+.long 0xe8e8e800, 0x00d1d1d1, 0x74007474, 0xbbbb00bb
+.long 0xa8a8a800, 0x00515151, 0x54005454, 0x43430043
+.long 0x60606000, 0x00c0c0c0, 0x30003030, 0x15150015
+.long 0xfcfcfc00, 0x00f9f9f9, 0x7e007e7e, 0xadad00ad
+.long 0x69696900, 0x00d2d2d2, 0xb400b4b4, 0x77770077
+.long 0x50505000, 0x00a0a0a0, 0x28002828, 0x80800080
+.long 0xaaaaaa00, 0x00555555, 0x55005555, 0x82820082
+.long 0xd0d0d000, 0x00a1a1a1, 0x68006868, 0xecec00ec
+.long 0xa0a0a000, 0x00414141, 0x50005050, 0x27270027
+.long 0x7d7d7d00, 0x00fafafa, 0xbe00bebe, 0xe5e500e5
+.long 0xa1a1a100, 0x00434343, 0xd000d0d0, 0x85850085
+.long 0x89898900, 0x00131313, 0xc400c4c4, 0x35350035
+.long 0x62626200, 0x00c4c4c4, 0x31003131, 0x0c0c000c
+.long 0x97979700, 0x002f2f2f, 0xcb00cbcb, 0x41410041
+.long 0x54545400, 0x00a8a8a8, 0x2a002a2a, 0xefef00ef
+.long 0x5b5b5b00, 0x00b6b6b6, 0xad00adad, 0x93930093
+.long 0x1e1e1e00, 0x003c3c3c, 0x0f000f0f, 0x19190019
+.long 0x95959500, 0x002b2b2b, 0xca00caca, 0x21210021
+.long 0xe0e0e000, 0x00c1c1c1, 0x70007070, 0x0e0e000e
+.long 0xffffff00, 0x00ffffff, 0xff00ffff, 0x4e4e004e
+.long 0x64646400, 0x00c8c8c8, 0x32003232, 0x65650065
+.long 0xd2d2d200, 0x00a5a5a5, 0x69006969, 0xbdbd00bd
+.long 0x10101000, 0x00202020, 0x08000808, 0xb8b800b8
+.long 0xc4c4c400, 0x00898989, 0x62006262, 0x8f8f008f
+.long 0x00000000, 0x00000000, 0x00000000, 0xebeb00eb
+.long 0x48484800, 0x00909090, 0x24002424, 0xcece00ce
+.long 0xa3a3a300, 0x00474747, 0xd100d1d1, 0x30300030
+.long 0xf7f7f700, 0x00efefef, 0xfb00fbfb, 0x5f5f005f
+.long 0x75757500, 0x00eaeaea, 0xba00baba, 0xc5c500c5
+.long 0xdbdbdb00, 0x00b7b7b7, 0xed00eded, 0x1a1a001a
+.long 0x8a8a8a00, 0x00151515, 0x45004545, 0xe1e100e1
+.long 0x03030300, 0x00060606, 0x81008181, 0xcaca00ca
+.long 0xe6e6e600, 0x00cdcdcd, 0x73007373, 0x47470047
+.long 0xdadada00, 0x00b5b5b5, 0x6d006d6d, 0x3d3d003d
+.long 0x09090900, 0x00121212, 0x84008484, 0x01010001
+.long 0x3f3f3f00, 0x007e7e7e, 0x9f009f9f, 0xd6d600d6
+.long 0xdddddd00, 0x00bbbbbb, 0xee00eeee, 0x56560056
+.long 0x94949400, 0x00292929, 0x4a004a4a, 0x4d4d004d
+.long 0x87878700, 0x000f0f0f, 0xc300c3c3, 0x0d0d000d
+.long 0x5c5c5c00, 0x00b8b8b8, 0x2e002e2e, 0x66660066
+.long 0x83838300, 0x00070707, 0xc100c1c1, 0xcccc00cc
+.long 0x02020200, 0x00040404, 0x01000101, 0x2d2d002d
+.long 0xcdcdcd00, 0x009b9b9b, 0xe600e6e6, 0x12120012
+.long 0x4a4a4a00, 0x00949494, 0x25002525, 0x20200020
+.long 0x90909000, 0x00212121, 0x48004848, 0xb1b100b1
+.long 0x33333300, 0x00666666, 0x99009999, 0x99990099
+.long 0x73737300, 0x00e6e6e6, 0xb900b9b9, 0x4c4c004c
+.long 0x67676700, 0x00cecece, 0xb300b3b3, 0xc2c200c2
+.long 0xf6f6f600, 0x00ededed, 0x7b007b7b, 0x7e7e007e
+.long 0xf3f3f300, 0x00e7e7e7, 0xf900f9f9, 0x05050005
+.long 0x9d9d9d00, 0x003b3b3b, 0xce00cece, 0xb7b700b7
+.long 0x7f7f7f00, 0x00fefefe, 0xbf00bfbf, 0x31310031
+.long 0xbfbfbf00, 0x007f7f7f, 0xdf00dfdf, 0x17170017
+.long 0xe2e2e200, 0x00c5c5c5, 0x71007171, 0xd7d700d7
+.long 0x52525200, 0x00a4a4a4, 0x29002929, 0x58580058
+.long 0x9b9b9b00, 0x00373737, 0xcd00cdcd, 0x61610061
+.long 0xd8d8d800, 0x00b1b1b1, 0x6c006c6c, 0x1b1b001b
+.long 0x26262600, 0x004c4c4c, 0x13001313, 0x1c1c001c
+.long 0xc8c8c800, 0x00919191, 0x64006464, 0x0f0f000f
+.long 0x37373700, 0x006e6e6e, 0x9b009b9b, 0x16160016
+.long 0xc6c6c600, 0x008d8d8d, 0x63006363, 0x18180018
+.long 0x3b3b3b00, 0x00767676, 0x9d009d9d, 0x22220022
+.long 0x81818100, 0x00030303, 0xc000c0c0, 0x44440044
+.long 0x96969600, 0x002d2d2d, 0x4b004b4b, 0xb2b200b2
+.long 0x6f6f6f00, 0x00dedede, 0xb700b7b7, 0xb5b500b5
+.long 0x4b4b4b00, 0x00969696, 0xa500a5a5, 0x91910091
+.long 0x13131300, 0x00262626, 0x89008989, 0x08080008
+.long 0xbebebe00, 0x007d7d7d, 0x5f005f5f, 0xa8a800a8
+.long 0x63636300, 0x00c6c6c6, 0xb100b1b1, 0xfcfc00fc
+.long 0x2e2e2e00, 0x005c5c5c, 0x17001717, 0x50500050
+.long 0xe9e9e900, 0x00d3d3d3, 0xf400f4f4, 0xd0d000d0
+.long 0x79797900, 0x00f2f2f2, 0xbc00bcbc, 0x7d7d007d
+.long 0xa7a7a700, 0x004f4f4f, 0xd300d3d3, 0x89890089
+.long 0x8c8c8c00, 0x00191919, 0x46004646, 0x97970097
+.long 0x9f9f9f00, 0x003f3f3f, 0xcf00cfcf, 0x5b5b005b
+.long 0x6e6e6e00, 0x00dcdcdc, 0x37003737, 0x95950095
+.long 0xbcbcbc00, 0x00797979, 0x5e005e5e, 0xffff00ff
+.long 0x8e8e8e00, 0x001d1d1d, 0x47004747, 0xd2d200d2
+.long 0x29292900, 0x00525252, 0x94009494, 0xc4c400c4
+.long 0xf5f5f500, 0x00ebebeb, 0xfa00fafa, 0x48480048
+.long 0xf9f9f900, 0x00f3f3f3, 0xfc00fcfc, 0xf7f700f7
+.long 0xb6b6b600, 0x006d6d6d, 0x5b005b5b, 0xdbdb00db
+.long 0x2f2f2f00, 0x005e5e5e, 0x97009797, 0x03030003
+.long 0xfdfdfd00, 0x00fbfbfb, 0xfe00fefe, 0xdada00da
+.long 0xb4b4b400, 0x00696969, 0x5a005a5a, 0x3f3f003f
+.long 0x59595900, 0x00b2b2b2, 0xac00acac, 0x94940094
+.long 0x78787800, 0x00f0f0f0, 0x3c003c3c, 0x5c5c005c
+.long 0x98989800, 0x00313131, 0x4c004c4c, 0x02020002
+.long 0x06060600, 0x000c0c0c, 0x03000303, 0x4a4a004a
+.long 0x6a6a6a00, 0x00d4d4d4, 0x35003535, 0x33330033
+.long 0xe7e7e700, 0x00cfcfcf, 0xf300f3f3, 0x67670067
+.long 0x46464600, 0x008c8c8c, 0x23002323, 0xf3f300f3
+.long 0x71717100, 0x00e2e2e2, 0xb800b8b8, 0x7f7f007f
+.long 0xbababa00, 0x00757575, 0x5d005d5d, 0xe2e200e2
+.long 0xd4d4d400, 0x00a9a9a9, 0x6a006a6a, 0x9b9b009b
+.long 0x25252500, 0x004a4a4a, 0x92009292, 0x26260026
+.long 0xababab00, 0x00575757, 0xd500d5d5, 0x37370037
+.long 0x42424200, 0x00848484, 0x21002121, 0x3b3b003b
+.long 0x88888800, 0x00111111, 0x44004444, 0x96960096
+.long 0xa2a2a200, 0x00454545, 0x51005151, 0x4b4b004b
+.long 0x8d8d8d00, 0x001b1b1b, 0xc600c6c6, 0xbebe00be
+.long 0xfafafa00, 0x00f5f5f5, 0x7d007d7d, 0x2e2e002e
+.long 0x72727200, 0x00e4e4e4, 0x39003939, 0x79790079
+.long 0x07070700, 0x000e0e0e, 0x83008383, 0x8c8c008c
+.long 0xb9b9b900, 0x00737373, 0xdc00dcdc, 0x6e6e006e
+.long 0x55555500, 0x00aaaaaa, 0xaa00aaaa, 0x8e8e008e
+.long 0xf8f8f800, 0x00f1f1f1, 0x7c007c7c, 0xf5f500f5
+.long 0xeeeeee00, 0x00dddddd, 0x77007777, 0xb6b600b6
+.long 0xacacac00, 0x00595959, 0x56005656, 0xfdfd00fd
+.long 0x0a0a0a00, 0x00141414, 0x05000505, 0x59590059
+.long 0x36363600, 0x006c6c6c, 0x1b001b1b, 0x98980098
+.long 0x49494900, 0x00929292, 0xa400a4a4, 0x6a6a006a
+.long 0x2a2a2a00, 0x00545454, 0x15001515, 0x46460046
+.long 0x68686800, 0x00d0d0d0, 0x34003434, 0xbaba00ba
+.long 0x3c3c3c00, 0x00787878, 0x1e001e1e, 0x25250025
+.long 0x38383800, 0x00707070, 0x1c001c1c, 0x42420042
+.long 0xf1f1f100, 0x00e3e3e3, 0xf800f8f8, 0xa2a200a2
+.long 0xa4a4a400, 0x00494949, 0x52005252, 0xfafa00fa
+.long 0x40404000, 0x00808080, 0x20002020, 0x07070007
+.long 0x28282800, 0x00505050, 0x14001414, 0x55550055
+.long 0xd3d3d300, 0x00a7a7a7, 0xe900e9e9, 0xeeee00ee
+.long 0x7b7b7b00, 0x00f6f6f6, 0xbd00bdbd, 0x0a0a000a
+.long 0xbbbbbb00, 0x00777777, 0xdd00dddd, 0x49490049
+.long 0xc9c9c900, 0x00939393, 0xe400e4e4, 0x68680068
+.long 0x43434300, 0x00868686, 0xa100a1a1, 0x38380038
+.long 0xc1c1c100, 0x00838383, 0xe000e0e0, 0xa4a400a4
+.long 0x15151500, 0x002a2a2a, 0x8a008a8a, 0x28280028
+.long 0xe3e3e300, 0x00c7c7c7, 0xf100f1f1, 0x7b7b007b
+.long 0xadadad00, 0x005b5b5b, 0xd600d6d6, 0xc9c900c9
+.long 0xf4f4f400, 0x00e9e9e9, 0x7a007a7a, 0xc1c100c1
+.long 0x77777700, 0x00eeeeee, 0xbb00bbbb, 0xe3e300e3
+.long 0xc7c7c700, 0x008f8f8f, 0xe300e3e3, 0xf4f400f4
+.long 0x80808000, 0x00010101, 0x40004040, 0xc7c700c7
+.long 0x9e9e9e00, 0x003d3d3d, 0x4f004f4f, 0x9e9e009e
+.size _gcry_camellia_arm_tables,.-_gcry_camellia_arm_tables;
+
+#endif /*HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS*/
+#endif /*__AARCH64EL__*/
keyBitLength);
}
+#ifdef __aarch64__
+# define CAMELLIA_encrypt_stack_burn_size (0)
+# define CAMELLIA_decrypt_stack_burn_size (0)
+#else
+# define CAMELLIA_encrypt_stack_burn_size (15*4)
+# define CAMELLIA_decrypt_stack_burn_size (15*4)
+#endif
+
static unsigned int
camellia_encrypt(void *c, byte *outbuf, const byte *inbuf)
{
CAMELLIA_context *ctx = c;
Camellia_EncryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
-#define CAMELLIA_encrypt_stack_burn_size (15*4)
return /*burn_stack*/ (CAMELLIA_encrypt_stack_burn_size);
}
{
CAMELLIA_context *ctx=c;
Camellia_DecryptBlock(ctx->keybitlength,inbuf,ctx->keytable,outbuf);
-#define CAMELLIA_decrypt_stack_burn_size (15*4)
return /*burn_stack*/ (CAMELLIA_decrypt_stack_burn_size);
}
# define USE_ARM_ASM 1
# endif
# endif
+# if defined(__AARCH64EL__)
+# ifdef HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS
+# define USE_ARM_ASM 1
+# endif
+# endif
#endif
#ifdef CAMELLIA_EXT_SYM_PREFIX
#define CAMELLIA_PREFIX1(x,y) x ## y
const unsigned char *cipherText,
const KEY_TABLE_TYPE keyTable,
unsigned char *plaintext);
-#endif /*!USE_ARMV6_ASM*/
+#endif /*!USE_ARM_ASM*/
#ifdef __cplusplus
.fpu neon
.arm
+#define UNALIGNED_STMIA8(ptr, l0, l1, l2, l3, l4, l5, l6, l7) \
+ tst ptr, #3; \
+ beq 1f; \
+ vpush {d0-d3}; \
+ vmov s0, l0; \
+ vmov s1, l1; \
+ vmov s2, l2; \
+ vmov s3, l3; \
+ vmov s4, l4; \
+ vmov s5, l5; \
+ vmov s6, l6; \
+ vmov s7, l7; \
+ vst1.32 {d0-d3}, [ptr]; \
+ add ptr, #32; \
+ vpop {d0-d3}; \
+ b 2f; \
+ 1: stmia ptr!, {l0-l7}; \
+ 2: ;
+
+#define UNALIGNED_LDMIA4(ptr, l0, l1, l2, l3) \
+ tst ptr, #3; \
+ /*beq 1f;*/ \
+ vpush {d0-d1}; \
+ vld1.32 {d0-d1}, [ptr]; \
+ add ptr, #16; \
+ vmov l0, s0; \
+ vmov l1, s1; \
+ vmov l2, s2; \
+ vmov l3, s3; \
+ vpop {d0-d1}; \
+ b 2f; \
+ 1: ldmia ptr!, {l0-l3}; \
+ 2: ;
+
.text
.globl _gcry_chacha20_armv7_neon_blocks
add r7, r7, r11
vadd.i32 q11, q11, q14
beq .Lchacha_blocks_neon_nomessage11
- ldmia r12!, {r8-r11}
+ UNALIGNED_LDMIA4(r12, r8, r9, r10, r11)
+ tst r12, r12
eor r0, r0, r8
eor r1, r1, r9
eor r2, r2, r10
add r12, r12, #16
eor r7, r7, r11
.Lchacha_blocks_neon_nomessage11:
- stmia r14!, {r0-r7}
+ UNALIGNED_STMIA8(r14, r0, r1, r2, r3, r4, r5, r6, r7)
+ tst r12, r12
ldm sp, {r0-r7}
ldr r8, [sp, #(64 +32)]
ldr r9, [sp, #(64 +36)]
tst r12, r12
str r9, [sp, #(64 +52)]
beq .Lchacha_blocks_neon_nomessage12
- ldmia r12!, {r8-r11}
+ UNALIGNED_LDMIA4(r12, r8, r9, r10, r11)
+ tst r12, r12
eor r0, r0, r8
eor r1, r1, r9
eor r2, r2, r10
add r12, r12, #16
eor r7, r7, r11
.Lchacha_blocks_neon_nomessage12:
- stmia r14!, {r0-r7}
+ UNALIGNED_STMIA8(r14, r0, r1, r2, r3, r4, r5, r6, r7)
+ tst r12, r12
beq .Lchacha_blocks_neon_nomessage13
vld1.32 {q12,q13}, [r12]!
vld1.32 {q14,q15}, [r12]!
tst r12, r12
add r7, r7, r11
beq .Lchacha_blocks_neon_nomessage21
- ldmia r12!, {r8-r11}
+ UNALIGNED_LDMIA4(r12, r8, r9, r10, r11)
+ tst r12, r12
eor r0, r0, r8
eor r1, r1, r9
eor r2, r2, r10
add r12, r12, #16
eor r7, r7, r11
.Lchacha_blocks_neon_nomessage21:
- stmia r14!, {r0-r7}
+ UNALIGNED_STMIA8(r14, r0, r1, r2, r3, r4, r5, r6, r7)
ldm sp, {r0-r7}
ldr r8, [sp, #(64 +32)]
ldr r9, [sp, #(64 +36)]
tst r12, r12
str r9, [sp, #(64 +52)]
beq .Lchacha_blocks_neon_nomessage22
- ldmia r12!, {r8-r11}
+ UNALIGNED_LDMIA4(r12, r8, r9, r10, r11)
+ tst r12, r12
eor r0, r0, r8
eor r1, r1, r9
eor r2, r2, r10
add r12, r12, #16
eor r7, r7, r11
.Lchacha_blocks_neon_nomessage22:
- stmia r14!, {r0-r7}
+ UNALIGNED_STMIA8(r14, r0, r1, r2, r3, r4, r5, r6, r7)
str r12, [sp, #48]
str r14, [sp, #40]
ldr r3, [sp, #52]
_gcry_cipher_ccm_set_nonce (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen)
{
+ unsigned int marks_key;
size_t L = 15 - noncelen;
size_t L_;
return GPG_ERR_INV_LENGTH;
/* Reset state */
+ marks_key = c->marks.key;
memset (&c->u_mode, 0, sizeof(c->u_mode));
memset (&c->marks, 0, sizeof(c->marks));
memset (&c->u_iv, 0, sizeof(c->u_iv));
memset (&c->u_ctr, 0, sizeof(c->u_ctr));
memset (c->lastiv, 0, sizeof(c->lastiv));
c->unused = 0;
+ c->marks.key = marks_key;
/* Setup CTR */
c->u_ctr.ctr[0] = L_;
--- /dev/null
+/* cipher-gcm-armv8-aarch32-ce.S - ARM/CE accelerated GHASH
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) && \
+ defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
+
+.syntax unified
+.fpu crypto-neon-fp-armv8
+.arm
+
+.text
+
+#ifdef __PIC__
+# define GET_DATA_POINTER(reg, name, rtmp) \
+ ldr reg, 1f; \
+ ldr rtmp, 2f; \
+ b 3f; \
+ 1: .word _GLOBAL_OFFSET_TABLE_-(3f+8); \
+ 2: .word name(GOT); \
+ 3: add reg, pc, reg; \
+ ldr reg, [reg, rtmp];
+#else
+# define GET_DATA_POINTER(reg, name, rtmp) ldr reg, =name
+#endif
+
+
+/* Constants */
+
+.align 4
+gcry_gcm_reduction_constant:
+.Lrconst64:
+ .quad 0xc200000000000000
+
+
+/* Register macros */
+
+#define rhash q0
+#define rhash_l d0
+#define rhash_h d1
+
+#define rh1 q1
+#define rh1_l d2
+#define rh1_h d3
+
+#define rbuf q2
+#define rbuf_l d4
+#define rbuf_h d5
+
+#define rbuf1 q3
+#define rbuf1_l d6
+#define rbuf1_h d7
+
+#define rbuf2 q4
+#define rbuf2_l d8
+#define rbuf2_h d9
+
+#define rbuf3 q5
+#define rbuf3_l d10
+#define rbuf3_h d11
+
+#define rh2 q6
+#define rh2_l d12
+#define rh2_h d13
+
+#define rh3 q7
+#define rh3_l d14
+#define rh3_h d15
+
+#define rh4 q8
+#define rh4_l d16
+#define rh4_h d17
+
+#define rr2 q9
+#define rr2_l d18
+#define rr2_h d19
+
+#define rr3 q10
+#define rr3_l d20
+#define rr3_h d21
+
+#define rr0 q11
+#define rr0_l d22
+#define rr0_h d23
+
+#define rr1 q12
+#define rr1_l d24
+#define rr1_h d25
+
+#define rt0 q13
+#define rt0_l d26
+#define rt0_h d27
+
+#define rt1 q14
+#define rt1_l d28
+#define rt1_h d29
+
+#define rrconst q15
+#define rrconst_l d30
+#define rrconst_h d31
+
+/* GHASH macros */
+
+/* See "Gouvêa, C. P. L. & López, J. Implementing GCM on ARMv8. Topics in
+ * Cryptology — CT-RSA 2015" for details.
+ */
+
+/* Input: 'a' and 'b', Output: 'r0:r1' (low 128-bits in r0, high in r1)
+ * Note: 'r1' may be 'a' or 'b', 'r0' must not be either 'a' or 'b'.
+ */
+#define PMUL_128x128(r0, r1, a, b, t, interleave_op) \
+ veor t##_h, b##_l, b##_h; \
+ veor t##_l, a##_l, a##_h; \
+ vmull.p64 r0, a##_l, b##_l; \
+ vmull.p64 r1, a##_h, b##_h; \
+ vmull.p64 t, t##_h, t##_l; \
+ interleave_op; \
+ veor t, r0; \
+ veor t, r1; \
+ veor r0##_h, t##_l; \
+ veor r1##_l, t##_h;
+
+/* Input: 'aA' and 'bA', Output: 'r0A:r1A' (low 128-bits in r0A, high in r1A)
+ * Note: 'r1A' may be 'aA' or 'bA', 'r0A' must not be either 'aA' or 'bA'.
+ * Input: 'aB' and 'bB', Output: 'r0B:r1B' (low 128-bits in r0B, high in r1B)
+ * Note: 'r1B' may be 'aB' or 'bB', 'r0B' must not be either 'aB' or 'bB'.
+ */
+#define PMUL_128x128_2(r0A, r1A, aA, bA, r0B, r1B, aB, bB, tA, tB, interleave_op) \
+ veor tA##_h, bA##_l, bA##_h; \
+ veor tA##_l, aA##_l, aA##_h; \
+ veor tB##_h, bB##_l, bB##_h; \
+ veor tB##_l, aB##_l, aB##_h; \
+ vmull.p64 r0A, aA##_l, bA##_l; \
+ vmull.p64 r1A, aA##_h, bA##_h; \
+ vmull.p64 tA, tA##_h, tA##_l; \
+ vmull.p64 r0B, aB##_l, bB##_l; \
+ vmull.p64 r1B, aB##_h, bB##_h; \
+ vmull.p64 tB, tB##_h, tB##_l; \
+ interleave_op; \
+ veor tA, r0A; \
+ veor tA, r1A; \
+ veor tB, r0B; \
+ veor tB, r1B; \
+ veor r0A##_h, tA##_l; \
+ veor r1A##_l, tA##_h; \
+ veor r0B##_h, tB##_l; \
+ veor r1B##_l, tB##_h; \
+
+/* Input: 'r0:r1', Output: 'a' */
+#define REDUCTION(a, r0, r1, rconst, t, interleave_op) \
+ vmull.p64 t, r0##_l, rconst; \
+ veor r0##_h, t##_l; \
+ veor r1##_l, t##_h; \
+ interleave_op; \
+ vmull.p64 t, r0##_h, rconst; \
+ veor r1, t; \
+ veor a, r0, r1;
+
+#define _(...) __VA_ARGS__
+#define __ _()
+
+/* Other functional macros */
+
+#define CLEAR_REG(reg) veor reg, reg;
+
+
+/*
+ * unsigned int _gcry_ghash_armv8_ce_pmull (void *gcm_key, byte *result,
+ * const byte *buf, size_t nblocks,
+ * void *gcm_table);
+ */
+.align 3
+.globl _gcry_ghash_armv8_ce_pmull
+.type _gcry_ghash_armv8_ce_pmull,%function;
+_gcry_ghash_armv8_ce_pmull:
+ /* input:
+ * r0: gcm_key
+ * r1: result/hash
+ * r2: buf
+ * r3: nblocks
+ * %st+0: gcm_table
+ */
+ push {r4-r6, lr}
+
+ cmp r3, #0
+ beq .Ldo_nothing
+
+ GET_DATA_POINTER(r4, .Lrconst64, lr)
+
+ vld1.64 {rhash}, [r1]
+ vld1.64 {rh1}, [r0]
+
+ vrev64.8 rhash, rhash /* byte-swap */
+ vld1.64 {rrconst_h}, [r4]
+ vext.8 rhash, rhash, rhash, #8
+
+ cmp r3, #4
+ blo .Less_than_4
+
+ /* Bulk processing of 4 blocks per loop iteration. */
+
+ ldr r5, [sp, #(4*4)];
+ add r6, r5, #32
+
+ vpush {q4-q7}
+
+ vld1.64 {rh2-rh3}, [r5]
+ vld1.64 {rh4}, [r6]
+
+ vld1.64 {rbuf-rbuf1}, [r2]!
+ sub r3, r3, #4
+ vld1.64 {rbuf2-rbuf3}, [r2]!
+
+ cmp r3, #4
+ vrev64.8 rbuf, rbuf /* byte-swap */
+ vrev64.8 rbuf1, rbuf1 /* byte-swap */
+ vrev64.8 rbuf2, rbuf2 /* byte-swap */
+ vrev64.8 rbuf3, rbuf3 /* byte-swap */
+
+ vext.8 rbuf, rbuf, rbuf, #8
+ vext.8 rbuf1, rbuf1, rbuf1, #8
+ vext.8 rbuf2, rbuf2, rbuf2, #8
+ vext.8 rbuf3, rbuf3, rbuf3, #8
+ veor rhash, rhash, rbuf /* in0 ^ hash */
+
+ blo .Lend_4
+
+.Loop_4:
+ /* (in0 ^ hash) * H⁴ => rr2:rr3 */
+ /* (in1) * H³ => rr0:rr1 */
+ PMUL_128x128_2(rr0, rr1, rbuf1, rh3, rr2, rr3, rhash, rh4, rt1, rt0, __)
+
+ vld1.64 {rbuf-rbuf1}, [r2]!
+ sub r3, r3, #4
+ veor rr0, rr0, rr2
+ veor rr1, rr1, rr3
+
+ /* (in2) * H² => rr2:rr3 */
+ /* (in3) * H¹ => rhash:rbuf3 */
+ PMUL_128x128_2(rr2, rr3, rbuf2, rh2, rhash, rbuf3, rbuf3, rh1, rt0, rt1,
+ _(vrev64.8 rbuf, rbuf))
+
+ vld1.64 {rbuf2}, [r2]!
+
+ vrev64.8 rbuf1, rbuf1
+ veor rr0, rr0, rr2
+ veor rr1, rr1, rr3
+
+ cmp r3, #4
+ vext.8 rbuf, rbuf, rbuf, #8
+ vext.8 rbuf1, rbuf1, rbuf1, #8
+
+ veor rr0, rr0, rhash
+ veor rr1, rr1, rbuf3
+
+ vld1.64 {rbuf3}, [r2]!
+
+ REDUCTION(rhash, rr0, rr1, rrconst_h, rt1,
+ _(vrev64.8 rbuf2, rbuf2;
+ vrev64.8 rbuf3, rbuf3))
+
+ vext.8 rbuf2, rbuf2, rbuf2, #8
+ vext.8 rbuf3, rbuf3, rbuf3, #8
+ veor rhash, rhash, rbuf /* in0 ^ hash */
+
+ bhs .Loop_4
+
+.Lend_4:
+ /* (in0 ^ hash) * H⁴ => rr2:rr3 */
+ /* (in1) * H³ => rr0:rr1 */
+ PMUL_128x128_2(rr0, rr1, rbuf1, rh3, rr2, rr3, rhash, rh4, rt1, rt0, __)
+
+ /* (in2) * H² => rhash:rbuf */
+ /* (in3) * H¹ => rbuf1:rbuf2 */
+ PMUL_128x128_2(rhash, rbuf, rbuf2, rh2, rbuf1, rbuf2, rbuf3, rh1, rt0, rt1,
+ _(veor rr0, rr0, rr2;
+ veor rr1, rr1, rr3))
+
+ veor rr0, rr0, rhash
+ veor rr1, rr1, rbuf
+
+ veor rr0, rr0, rbuf1
+ veor rr1, rr1, rbuf2
+
+ REDUCTION(rhash, rr0, rr1, rrconst_h, rt1,
+ _(CLEAR_REG(rr2);
+ CLEAR_REG(rr3);
+ CLEAR_REG(rbuf1);
+ CLEAR_REG(rbuf2);
+ CLEAR_REG(rbuf3);
+ CLEAR_REG(rh2);
+ CLEAR_REG(rh3);
+ CLEAR_REG(rh4)))
+
+ vpop {q4-q7}
+
+ cmp r3, #0
+ beq .Ldone
+
+.Less_than_4:
+ /* Handle remaining blocks. */
+
+ vld1.64 {rbuf}, [r2]!
+ subs r3, r3, #1
+
+ vrev64.8 rbuf, rbuf /* byte-swap */
+ vext.8 rbuf, rbuf, rbuf, #8
+
+ veor rhash, rhash, rbuf
+
+ beq .Lend
+
+.Loop:
+ vld1.64 {rbuf}, [r2]!
+ subs r3, r3, #1
+ PMUL_128x128(rr0, rr1, rhash, rh1, rt0, _(vrev64.8 rbuf, rbuf))
+ REDUCTION(rhash, rr0, rr1, rrconst_h, rt0, _(vext.8 rbuf, rbuf, rbuf, #8))
+ veor rhash, rhash, rbuf
+
+ bne .Loop
+
+.Lend:
+ PMUL_128x128(rr0, rr1, rhash, rh1, rt0, _(CLEAR_REG(rbuf)))
+ REDUCTION(rhash, rr0, rr1, rrconst_h, rt0, _(CLEAR_REG(rh1)))
+
+.Ldone:
+ CLEAR_REG(rr1)
+ vrev64.8 rhash, rhash /* byte-swap */
+ CLEAR_REG(rt0)
+ CLEAR_REG(rr0)
+ vext.8 rhash, rhash, rhash, #8
+ CLEAR_REG(rt1)
+ vst1.64 {rhash}, [r1]
+ CLEAR_REG(rhash)
+
+.Ldo_nothing:
+ mov r0, #0
+ pop {r4-r6, pc}
+.size _gcry_ghash_armv8_ce_pmull,.-_gcry_ghash_armv8_ce_pmull;
+
+
+/*
+ * void _gcry_ghash_setup_armv8_ce_pmull (void *gcm_key, void *gcm_table);
+ */
+.align 3
+.globl _gcry_ghash_setup_armv8_ce_pmull
+.type _gcry_ghash_setup_armv8_ce_pmull,%function;
+_gcry_ghash_setup_armv8_ce_pmull:
+ /* input:
+ * r0: gcm_key
+ * r1: gcm_table
+ */
+
+ vpush {q4-q7}
+
+ GET_DATA_POINTER(r2, .Lrconst64, r3)
+
+ vld1.64 {rrconst_h}, [r2]
+
+#define GCM_LSH_1(r_out, ia, ib, const_d, oa, ob, ma) \
+ /* H <<< 1 */ \
+ vshr.s64 ma, ib, #63; \
+ vshr.u64 oa, ib, #63; \
+ vshr.u64 ob, ia, #63; \
+ vand ma, const_d; \
+ vshl.u64 ib, ib, #1; \
+ vshl.u64 ia, ia, #1; \
+ vorr ob, ib; \
+ vorr oa, ia; \
+ veor ob, ma; \
+ vst1.64 {oa, ob}, [r_out]
+
+ vld1.64 {rhash}, [r0]
+ vrev64.8 rhash, rhash /* byte-swap */
+ vext.8 rhash, rhash, rhash, #8
+
+ vmov rbuf1, rhash
+ GCM_LSH_1(r0, rhash_l, rhash_h, rrconst_h, rh1_l, rh1_h, rt1_l) /* H<<<1 */
+
+ /* H² */
+ PMUL_128x128(rr0, rr1, rbuf1, rh1, rt0, __)
+ REDUCTION(rh2, rr0, rr1, rrconst_h, rt0, __)
+ vmov rhash, rh2
+ GCM_LSH_1(r1, rh2_l, rh2_h, rrconst_h, rbuf1_l, rbuf1_h, rt1_l) /* H²<<<1 */
+ add r1, r1, #16
+
+ /* H³ */
+ PMUL_128x128(rr0, rr1, rhash, rh1, rt1, __)
+ REDUCTION(rh3, rr0, rr1, rrconst_h, rt1, __)
+
+ /* H⁴ */
+ PMUL_128x128(rr0, rr1, rhash, rbuf1, rt0, __)
+ REDUCTION(rh4, rr0, rr1, rrconst_h, rt0, __)
+
+ GCM_LSH_1(r1, rh3_l, rh3_h, rrconst_h, rt0_l, rt0_h, rt1_l) /* H³<<<1 */
+ add r1, r1, #16
+ GCM_LSH_1(r1, rh4_l, rh4_h, rrconst_h, rt0_l, rt0_h, rt1_l) /* H⁴<<<1 */
+
+ CLEAR_REG(rt0)
+ CLEAR_REG(rt1)
+ CLEAR_REG(rr1)
+ CLEAR_REG(rr0)
+ CLEAR_REG(rh1)
+ CLEAR_REG(rh2)
+ CLEAR_REG(rh3)
+ CLEAR_REG(rh4)
+ CLEAR_REG(rhash)
+ CLEAR_REG(rbuf1)
+ CLEAR_REG(rrconst)
+ vpop {q4-q7}
+ bx lr
+.size _gcry_ghash_setup_armv8_ce_pmull,.-_gcry_ghash_setup_armv8_ce_pmull;
+
+#endif
--- /dev/null
+/* cipher-gcm-armv8-aarch64-ce.S - ARM/CE accelerated GHASH
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(__AARCH64EL__) && \
+ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
+
+.arch armv8-a+crypto
+
+.text
+
+#define GET_DATA_POINTER(reg, name) \
+ adrp reg, :got:name ; \
+ ldr reg, [reg, #:got_lo12:name] ;
+
+
+/* Constants */
+
+.align 4
+gcry_gcm_reduction_constant:
+.Lrconst:
+ .quad 0x87
+
+
+/* Register macros */
+
+#define rhash v0
+#define rr0 v1
+#define rr1 v2
+#define rbuf v3
+#define rbuf1 v4
+#define rbuf2 v5
+#define rbuf3 v6
+#define rbuf4 v7
+#define rbuf5 v8
+#define rr2 v9
+#define rr3 v10
+#define rr4 v11
+#define rr5 v12
+#define rr6 v13
+#define rr7 v14
+#define rr8 v15
+#define rr9 v16
+
+#define rrconst v18
+#define rh1 v19
+#define rh2 v20
+#define rh3 v21
+#define rh4 v22
+#define rh5 v23
+#define rh6 v24
+#define t0 v25
+#define t1 v26
+#define t2 v27
+#define t3 v28
+#define t4 v29
+#define t5 v30
+#define vZZ v31
+
+/* GHASH macros */
+
+/* See "Gouvêa, C. P. L. & López, J. Implementing GCM on ARMv8. Topics in
+ * Cryptology — CT-RSA 2015" for details.
+ */
+
+/* Input: 'a' and 'b', Output: 'r0:r1' (low 128-bits in r0, high in r1) */
+#define PMUL_128x128(r0, r1, a, b, T0, T1, interleave_op) \
+ ext T0.16b, b.16b, b.16b, #8; \
+ pmull r0.1q, a.1d, b.1d; \
+ pmull2 r1.1q, a.2d, b.2d; \
+ pmull T1.1q, a.1d, T0.1d; \
+ pmull2 T0.1q, a.2d, T0.2d; \
+ interleave_op; \
+ eor T0.16b, T0.16b, T1.16b; \
+ ext T1.16b, vZZ.16b, T0.16b, #8; \
+ ext T0.16b, T0.16b, vZZ.16b, #8; \
+ eor r0.16b, r0.16b, T1.16b; \
+ eor r1.16b, r1.16b, T0.16b;
+
+/* Input: 'aA' and 'bA', Output: 'r0A:r1A' (low 128-bits in r0A, high in r1A)
+ * Input: 'aB' and 'bB', Output: 'r0B:r1B' (low 128-bits in r0B, high in r1B)
+ * Input: 'aC' and 'bC', Output: 'r0C:r1C' (low 128-bits in r0C, high in r1C)
+ */
+#define PMUL_128x128_3(r0A, r1A, aA, bA, t0A, t1A, \
+ r0B, r1B, aB, bB, t0B, t1B, \
+ r0C, r1C, aC, bC, t0C, t1C, interleave_op) \
+ ext t0A.16b, bA.16b, bA.16b, #8; \
+ pmull r0A.1q, aA.1d, bA.1d; \
+ pmull2 r1A.1q, aA.2d, bA.2d; \
+ ext t0B.16b, bB.16b, bB.16b, #8; \
+ pmull r0B.1q, aB.1d, bB.1d; \
+ pmull2 r1B.1q, aB.2d, bB.2d; \
+ ext t0C.16b, bC.16b, bC.16b, #8; \
+ pmull r0C.1q, aC.1d, bC.1d; \
+ pmull2 r1C.1q, aC.2d, bC.2d; \
+ pmull t1A.1q, aA.1d, t0A.1d; \
+ pmull2 t0A.1q, aA.2d, t0A.2d; \
+ pmull t1B.1q, aB.1d, t0B.1d; \
+ pmull2 t0B.1q, aB.2d, t0B.2d; \
+ pmull t1C.1q, aC.1d, t0C.1d; \
+ pmull2 t0C.1q, aC.2d, t0C.2d; \
+ eor t0A.16b, t0A.16b, t1A.16b; \
+ eor t0B.16b, t0B.16b, t1B.16b; \
+ eor t0C.16b, t0C.16b, t1C.16b; \
+ interleave_op; \
+ ext t1A.16b, vZZ.16b, t0A.16b, #8; \
+ ext t0A.16b, t0A.16b, vZZ.16b, #8; \
+ ext t1B.16b, vZZ.16b, t0B.16b, #8; \
+ ext t0B.16b, t0B.16b, vZZ.16b, #8; \
+ ext t1C.16b, vZZ.16b, t0C.16b, #8; \
+ ext t0C.16b, t0C.16b, vZZ.16b, #8; \
+ eor r0A.16b, r0A.16b, t1A.16b; \
+ eor r1A.16b, r1A.16b, t0A.16b; \
+ eor r0B.16b, r0B.16b, t1B.16b; \
+ eor r1B.16b, r1B.16b, t0B.16b; \
+ eor r0C.16b, r0C.16b, t1C.16b; \
+ eor r1C.16b, r1C.16b, t0C.16b; \
+
+/* Input: 'r0:r1', Output: 'a' */
+#define REDUCTION(a, r0, r1, rconst, T0, T1, interleave_op1, interleave_op2, \
+ interleave_op3) \
+ pmull2 T0.1q, r1.2d, rconst.2d; \
+ interleave_op1; \
+ ext T1.16b, T0.16b, vZZ.16b, #8; \
+ ext T0.16b, vZZ.16b, T0.16b, #8; \
+ interleave_op2; \
+ eor r1.16b, r1.16b, T1.16b; \
+ eor r0.16b, r0.16b, T0.16b; \
+ pmull T0.1q, r1.1d, rconst.1d; \
+ interleave_op3; \
+ eor a.16b, r0.16b, T0.16b;
+
+/* Other functional macros */
+
+#define _(...) __VA_ARGS__
+#define __ _()
+
+#define CLEAR_REG(reg) eor reg.16b, reg.16b, reg.16b;
+
+#define VPUSH_ABI \
+ stp d8, d9, [sp, #-16]!; \
+ stp d10, d11, [sp, #-16]!; \
+ stp d12, d13, [sp, #-16]!; \
+ stp d14, d15, [sp, #-16]!;
+
+#define VPOP_ABI \
+ ldp d14, d15, [sp], #16; \
+ ldp d12, d13, [sp], #16; \
+ ldp d10, d11, [sp], #16; \
+ ldp d8, d9, [sp], #16;
+
+/*
+ * unsigned int _gcry_ghash_armv8_ce_pmull (void *gcm_key, byte *result,
+ * const byte *buf, size_t nblocks,
+ * void *gcm_table);
+ */
+.align 3
+.globl _gcry_ghash_armv8_ce_pmull
+.type _gcry_ghash_armv8_ce_pmull,%function;
+_gcry_ghash_armv8_ce_pmull:
+ /* input:
+ * x0: gcm_key
+ * x1: result/hash
+ * x2: buf
+ * x3: nblocks
+ * x4: gcm_table
+ */
+ cbz x3, .Ldo_nothing;
+
+ GET_DATA_POINTER(x5, .Lrconst)
+
+ eor vZZ.16b, vZZ.16b, vZZ.16b
+ ld1 {rhash.16b}, [x1]
+ ld1 {rh1.16b}, [x0]
+
+ rbit rhash.16b, rhash.16b /* bit-swap */
+ ld1r {rrconst.2d}, [x5]
+
+ cmp x3, #6
+ b.lo .Less_than_6
+
+ add x6, x4, #64
+ VPUSH_ABI
+
+ ld1 {rh2.16b-rh5.16b}, [x4]
+ ld1 {rh6.16b}, [x6]
+
+ sub x3, x3, #6
+
+ ld1 {rbuf.16b-rbuf2.16b}, [x2], #(3*16)
+ ld1 {rbuf3.16b-rbuf5.16b}, [x2], #(3*16)
+
+ rbit rbuf.16b, rbuf.16b /* bit-swap */
+ rbit rbuf1.16b, rbuf1.16b /* bit-swap */
+ rbit rbuf2.16b, rbuf2.16b /* bit-swap */
+ rbit rbuf3.16b, rbuf3.16b /* bit-swap */
+ rbit rbuf4.16b, rbuf4.16b /* bit-swap */
+ rbit rbuf5.16b, rbuf5.16b /* bit-swap */
+ eor rhash.16b, rhash.16b, rbuf.16b
+
+ cmp x3, #6
+ b.lo .Lend_6
+
+.Loop_6:
+
+ /* (in1) * H⁵ => rr0:rr1 */
+ /* (in2) * H⁴ => rr2:rr3 */
+ /* (in0 ^ hash) * H⁶ => rr4:rr5 */
+ PMUL_128x128_3(rr0, rr1, rbuf1, rh5, t0, t1,
+ rr2, rr3, rbuf2, rh4, t2, t3,
+ rr4, rr5, rhash, rh6, t4, t5,
+ _(sub x3, x3, #6))
+
+ ld1 {rbuf.16b-rbuf2.16b}, [x2], #(3*16)
+ cmp x3, #6
+
+ eor rr0.16b, rr0.16b, rr2.16b
+ eor rr1.16b, rr1.16b, rr3.16b
+
+ /* (in3) * H³ => rr2:rr3 */
+ /* (in4) * H² => rr6:rr7 */
+ /* (in5) * H¹ => rr8:rr9 */
+ PMUL_128x128_3(rr2, rr3, rbuf3, rh3, t0, t1,
+ rr6, rr7, rbuf4, rh2, t2, t3,
+ rr8, rr9, rbuf5, rh1, t4, t5,
+ _(eor rr0.16b, rr0.16b, rr4.16b;
+ eor rr1.16b, rr1.16b, rr5.16b))
+
+ eor rr0.16b, rr0.16b, rr2.16b
+ eor rr1.16b, rr1.16b, rr3.16b
+ rbit rbuf.16b, rbuf.16b
+ eor rr0.16b, rr0.16b, rr6.16b
+ eor rr1.16b, rr1.16b, rr7.16b
+ rbit rbuf1.16b, rbuf1.16b
+ eor rr0.16b, rr0.16b, rr8.16b
+ eor rr1.16b, rr1.16b, rr9.16b
+ ld1 {rbuf3.16b-rbuf5.16b}, [x2], #(3*16)
+
+ REDUCTION(rhash, rr0, rr1, rrconst, t0, t1,
+ _(rbit rbuf2.16b, rbuf2.16b),
+ _(rbit rbuf3.16b, rbuf3.16b),
+ _(rbit rbuf4.16b, rbuf4.16b))
+
+ rbit rbuf5.16b, rbuf5.16b
+ eor rhash.16b, rhash.16b, rbuf.16b
+
+ b.hs .Loop_6
+
+.Lend_6:
+
+ /* (in1) * H⁵ => rr0:rr1 */
+ /* (in0 ^ hash) * H⁶ => rr2:rr3 */
+ /* (in2) * H⁴ => rr4:rr5 */
+ PMUL_128x128_3(rr0, rr1, rbuf1, rh5, t0, t1,
+ rr2, rr3, rhash, rh6, t2, t3,
+ rr4, rr5, rbuf2, rh4, t4, t5,
+ __)
+ eor rr0.16b, rr0.16b, rr2.16b
+ eor rr1.16b, rr1.16b, rr3.16b
+ eor rr0.16b, rr0.16b, rr4.16b
+ eor rr1.16b, rr1.16b, rr5.16b
+
+ /* (in3) * H³ => rhash:rbuf */
+ /* (in4) * H² => rr6:rr7 */
+ /* (in5) * H¹ => rr8:rr9 */
+ PMUL_128x128_3(rhash, rbuf, rbuf3, rh3, t0, t1,
+ rr6, rr7, rbuf4, rh2, t2, t3,
+ rr8, rr9, rbuf5, rh1, t4, t5,
+ _(CLEAR_REG(rh4);
+ CLEAR_REG(rh5);
+ CLEAR_REG(rh6)))
+ eor rr0.16b, rr0.16b, rhash.16b
+ eor rr1.16b, rr1.16b, rbuf.16b
+ eor rr0.16b, rr0.16b, rr6.16b
+ eor rr1.16b, rr1.16b, rr7.16b
+ eor rr0.16b, rr0.16b, rr8.16b
+ eor rr1.16b, rr1.16b, rr9.16b
+
+ REDUCTION(rhash, rr0, rr1, rrconst, t0, t1,
+ _(CLEAR_REG(rh2);
+ CLEAR_REG(rh3);
+ CLEAR_REG(rr2);
+ CLEAR_REG(rbuf2);
+ CLEAR_REG(rbuf3)),
+ _(CLEAR_REG(rr3);
+ CLEAR_REG(rr4);
+ CLEAR_REG(rr5);
+ CLEAR_REG(rr6);
+ CLEAR_REG(rr7)),
+ _(CLEAR_REG(rr8);
+ CLEAR_REG(rr9);
+ CLEAR_REG(rbuf1);
+ CLEAR_REG(rbuf2)))
+
+ CLEAR_REG(rbuf4)
+ CLEAR_REG(rbuf5)
+ CLEAR_REG(t2)
+ CLEAR_REG(t3)
+ CLEAR_REG(t4)
+ CLEAR_REG(t5)
+
+ VPOP_ABI
+
+ cbz x3, .Ldone
+
+.Less_than_6:
+ /* Handle remaining blocks. */
+
+ ld1 {rbuf.16b}, [x2], #16
+ sub x3, x3, #1
+
+ rbit rbuf.16b, rbuf.16b /* bit-swap */
+
+ eor rhash.16b, rhash.16b, rbuf.16b
+
+ cbz x3, .Lend
+
+.Loop:
+ PMUL_128x128(rr0, rr1, rh1, rhash, t0, t1, _(ld1 {rbuf.16b}, [x2], #16))
+ REDUCTION(rhash, rr0, rr1, rrconst, t0, t1,
+ _(sub x3, x3, #1),
+ _(rbit rbuf.16b, rbuf.16b),
+ __)
+ eor rhash.16b, rhash.16b, rbuf.16b
+
+ cbnz x3, .Loop
+
+.Lend:
+ PMUL_128x128(rr0, rr1, rh1, rhash, t0, t1, _(CLEAR_REG(rbuf)))
+ REDUCTION(rhash, rr0, rr1, rrconst, t0, t1, __, _(CLEAR_REG(rh1)), __)
+
+.Ldone:
+ CLEAR_REG(rr1)
+ CLEAR_REG(rr0)
+ rbit rhash.16b, rhash.16b /* bit-swap */
+ CLEAR_REG(t0)
+ CLEAR_REG(t1)
+
+ st1 {rhash.2d}, [x1]
+ CLEAR_REG(rhash)
+
+.Ldo_nothing:
+ mov x0, #0
+ ret
+.size _gcry_ghash_armv8_ce_pmull,.-_gcry_ghash_armv8_ce_pmull;
+
+
+/*
+ * void _gcry_ghash_setup_armv8_ce_pmull (void *gcm_key, void *gcm_table);
+ */
+.align 3
+.globl _gcry_ghash_setup_armv8_ce_pmull
+.type _gcry_ghash_setup_armv8_ce_pmull,%function;
+_gcry_ghash_setup_armv8_ce_pmull:
+ /* input:
+ * x0: gcm_key
+ * x1: gcm_table
+ */
+
+ GET_DATA_POINTER(x2, .Lrconst)
+
+ /* H¹ */
+ ld1 {rh1.16b}, [x0]
+ rbit rh1.16b, rh1.16b
+ st1 {rh1.16b}, [x0]
+
+ ld1r {rrconst.2d}, [x2]
+
+ /* H² */
+ PMUL_128x128(rr0, rr1, rh1, rh1, t0, t1, __)
+ REDUCTION(rh2, rr0, rr1, rrconst, t0, t1, __, __, __)
+
+ /* H³ */
+ PMUL_128x128(rr0, rr1, rh2, rh1, t0, t1, __)
+ REDUCTION(rh3, rr0, rr1, rrconst, t0, t1, __, __, __)
+
+ /* H⁴ */
+ PMUL_128x128(rr0, rr1, rh2, rh2, t0, t1, __)
+ REDUCTION(rh4, rr0, rr1, rrconst, t0, t1, __, __, __)
+
+ /* H⁵ */
+ PMUL_128x128(rr0, rr1, rh2, rh3, t0, t1, __)
+ REDUCTION(rh5, rr0, rr1, rrconst, t0, t1, __, __, __)
+
+ /* H⁶ */
+ PMUL_128x128(rr0, rr1, rh3, rh3, t0, t1, __)
+ REDUCTION(rh6, rr0, rr1, rrconst, t0, t1, __, __, __)
+
+ st1 {rh2.16b-rh4.16b}, [x1], #(3*16)
+ st1 {rh5.16b-rh6.16b}, [x1]
+
+ ret
+.size _gcry_ghash_setup_armv8_ce_pmull,.-_gcry_ghash_setup_armv8_ce_pmull;
+
+#endif
const byte *buf, size_t nblocks);
#endif
+#ifdef GCM_USE_ARM_PMULL
+extern void _gcry_ghash_setup_armv8_ce_pmull (void *gcm_key, void *gcm_table);
+
+extern unsigned int _gcry_ghash_armv8_ce_pmull (void *gcm_key, byte *result,
+ const byte *buf, size_t nblocks,
+ void *gcm_table);
+
+static void
+ghash_setup_armv8_ce_pmull (gcry_cipher_hd_t c)
+{
+ _gcry_ghash_setup_armv8_ce_pmull(c->u_mode.gcm.u_ghash_key.key,
+ c->u_mode.gcm.gcm_table);
+}
+
+static unsigned int
+ghash_armv8_ce_pmull (gcry_cipher_hd_t c, byte *result, const byte *buf,
+ size_t nblocks)
+{
+ return _gcry_ghash_armv8_ce_pmull(c->u_mode.gcm.u_ghash_key.key, result, buf,
+ nblocks, c->u_mode.gcm.gcm_table);
+}
+
+#endif
+
#ifdef GCM_USE_TABLES
static const u16 gcmR[256] = {
static void
setupM (gcry_cipher_hd_t c)
{
+#if defined(GCM_USE_INTEL_PCLMUL) || defined(GCM_USE_ARM_PMULL)
+ unsigned int features = _gcry_get_hw_features ();
+#endif
+
if (0)
;
#ifdef GCM_USE_INTEL_PCLMUL
- else if (_gcry_get_hw_features () & HWF_INTEL_PCLMUL)
+ else if (features & HWF_INTEL_PCLMUL)
{
c->u_mode.gcm.ghash_fn = _gcry_ghash_intel_pclmul;
_gcry_ghash_setup_intel_pclmul (c);
}
#endif
+#ifdef GCM_USE_ARM_PMULL
+ else if (features & HWF_ARM_PMULL)
+ {
+ c->u_mode.gcm.ghash_fn = ghash_armv8_ce_pmull;
+ ghash_setup_armv8_ce_pmull (c);
+ }
+#endif
else
{
c->u_mode.gcm.ghash_fn = ghash_internal;
# endif
#endif /* GCM_USE_INTEL_PCLMUL */
+/* GCM_USE_ARM_PMULL indicates whether to compile GCM with ARMv8 PMULL code. */
+#undef GCM_USE_ARM_PMULL
+#if defined(ENABLE_ARM_CRYPTO_SUPPORT) && defined(GCM_USE_TABLES)
+# if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) \
+ && defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) \
+ && defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
+# define GCM_USE_ARM_PMULL 1
+# elif defined(__AARCH64EL__) && \
+ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
+# define GCM_USE_ARM_PMULL 1
+# endif
+#endif /* GCM_USE_ARM_PMULL */
+
typedef unsigned int (*ghash_fn_t) (gcry_cipher_hd_t c, byte *result,
const byte *buf, size_t nblocks);
gcry_cipher_spec_t *spec;
int i;
- if (oid && ((! strncmp (oid, "oid.", 4))
- || (! strncmp (oid, "OID.", 4))))
+ if (!oid)
+ return NULL;
+
+ if (!strncmp (oid, "oid.", 4) || !strncmp (oid, "OID.", 4))
oid += 4;
spec = spec_from_oid (oid);
{
gcry_err_code_t rc;
+ if (c->mode != GCRY_CIPHER_MODE_NONE && !c->marks.key)
+ {
+ log_error ("cipher_encrypt: key not set\n");
+ return GPG_ERR_MISSING_KEY;
+ }
+
switch (c->mode)
{
case GCRY_CIPHER_MODE_ECB:
{
gcry_err_code_t rc;
+ if (c->mode != GCRY_CIPHER_MODE_NONE && !c->marks.key)
+ {
+ log_error ("cipher_decrypt: key not set\n");
+ return GPG_ERR_MISSING_KEY;
+ }
+
switch (c->mode)
{
case GCRY_CIPHER_MODE_ECB:
return 0;
}
+gpg_err_code_t
+_gcry_cipher_getctr (gcry_cipher_hd_t hd, void *ctr, size_t ctrlen)
+{
+ if (ctr && ctrlen == hd->spec->blocksize)
+ memcpy (ctr, hd->u_ctr.ctr, hd->spec->blocksize);
+ else
+ return GPG_ERR_INV_ARG;
+
+ return 0;
+}
gcry_err_code_t
_gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf,
asm volatile ("movd %[crc], %%xmm0\n\t"
"movd %[in], %%xmm1\n\t"
"movdqa %[my_p], %%xmm5\n\t"
- "pxor %%xmm1, %%xmm0\n\t"
+ :
+ : [in] "m" (*inbuf),
+ [crc] "m" (*pcrc),
+ [my_p] "m" (consts->my_p[0])
+ : "cc" );
+
+ asm volatile ("pxor %%xmm1, %%xmm0\n\t"
"pshufb %[bswap], %%xmm0\n\t" /* [xx][00][00][00] */
"pclmulqdq $0x01, %%xmm5, %%xmm0\n\t" /* [00][xx][xx][00] */
"pclmulqdq $0x11, %%xmm5, %%xmm0\n\t" /* [00][00][xx][xx] */
+ :
+ : [bswap] "m" (*crc32_bswap_shuf)
+ : "cc" );
- /* store CRC in input endian */
+ asm volatile (/* store CRC in input endian */
"movd %%xmm0, %%eax\n\t"
"bswapl %%eax\n\t"
"movl %%eax, %[out]\n\t"
: [out] "=m" (*pcrc)
- : [in] "m" (*inbuf),
- [crc] "m" (*pcrc),
- [my_p] "m" (consts->my_p[0]),
- [bswap] "m" (*crc32_bswap_shuf)
- : "eax" );
+ :
+ : "eax", "cc" );
}
else
{
}
if (mpi_g)
{
- point_init (&sk.E.G);
+ if (!sk.E.G.x)
+ point_init (&sk.E.G);
rc = _gcry_ecc_os2ec (&sk.E.G, mpi_g);
if (rc)
goto leave;
sk.E.dialect = ((flags & PUBKEY_FLAG_EDDSA)
? ECC_DIALECT_ED25519
: ECC_DIALECT_STANDARD);
+ if (!sk.E.h)
+ sk.E.h = mpi_const (MPI_C_ONE);
}
if (DBG_CIPHER)
{
sk.E.dialect = ((ctx.flags & PUBKEY_FLAG_EDDSA)
? ECC_DIALECT_ED25519
: ECC_DIALECT_STANDARD);
+ if (!sk.E.h)
+ sk.E.h = mpi_const (MPI_C_ONE);
}
if (DBG_CIPHER)
{
pk.E.dialect = ((sigflags & PUBKEY_FLAG_EDDSA)
? ECC_DIALECT_ED25519
: ECC_DIALECT_STANDARD);
+ if (!pk.E.h)
+ pk.E.h = mpi_const (MPI_C_ONE);
}
if (DBG_CIPHER)
{
pk.E.model = MPI_EC_WEIERSTRASS;
pk.E.dialect = ECC_DIALECT_STANDARD;
+ if (!pk.E.h)
+ pk.E.h = mpi_const (MPI_C_ONE);
}
/*
{
sk.E.model = MPI_EC_WEIERSTRASS;
sk.E.dialect = ECC_DIALECT_STANDARD;
+ if (!sk.E.h)
+ sk.E.h = mpi_const (MPI_C_ONE);
}
if (DBG_CIPHER)
{
dialect = ((flags & PUBKEY_FLAG_EDDSA)
? ECC_DIALECT_ED25519
: ECC_DIALECT_STANDARD);
+ if (!values[5])
+ values[5] = mpi_const (MPI_C_ONE);
}
/* Check that all parameters are known and normalize all MPIs (that
0xA, 0x3, 0x8, 0xC, 0x0, 0x7, 0xD, 0x9,
0xC, 0xF, 0xF, 0xF, 0xD, 0xF, 0x0, 0x6,
+ 0xD, 0xB, 0x3, 0x4, 0x6, 0xA, 0x6, 0xF,
0x6, 0x8, 0x6, 0xE, 0x8, 0x0, 0xF, 0xD,
0x7, 0x6, 0x1, 0x9, 0xE, 0x9, 0x8, 0x5,
0xF, 0xE, 0x4, 0x8, 0x3, 0x5, 0xE, 0xC,
0x3, 0x1, 0x2, 0x8, 0x1, 0x6, 0x7, 0xE,
}
},
- { "TC26_A", "1.2.643.7.1.2.5.1.1", {
+ { "TC26_Z", "1.2.643.7.1.2.5.1.1", {
0xc, 0x6, 0xb, 0xc, 0x7, 0x5, 0x8, 0x1,
0x4, 0x8, 0x3, 0x8, 0xf, 0xd, 0xe, 0x7,
0x6, 0x2, 0x5, 0x2, 0x5, 0xf, 0x2, 0xe,
*--p = t2;
*--p = t1;
memcpy(dk, temp, sizeof(temp) );
- memset(temp, 0, sizeof(temp) ); /* burn temp */
+ wipememory(temp, sizeof(temp));
}
gcry_md_spec_t *spec;
int i;
- if (oid && ((! strncmp (oid, "oid.", 4))
- || (! strncmp (oid, "OID.", 4))))
+ if (!oid)
+ return NULL;
+
+ if (!strncmp (oid, "oid.", 4) || !strncmp (oid, "OID.", 4))
oid += 4;
spec = spec_from_oid (oid);
else
bhd = xtrymalloc (n + sizeof (struct gcry_md_context));
- if (! bhd)
- err = gpg_err_code_from_errno (errno);
-
- if (! err)
+ if (!bhd)
{
- bhd->ctx = b = (void *) ((char *) bhd + n);
- /* No need to copy the buffer due to the write above. */
- gcry_assert (ahd->bufsize == (n - sizeof (struct gcry_md_handle) + 1));
- bhd->bufsize = ahd->bufsize;
- bhd->bufpos = 0;
- gcry_assert (! ahd->bufpos);
- memcpy (b, a, sizeof *a);
- b->list = NULL;
- b->debug = NULL;
+ err = gpg_err_code_from_syserror ();
+ goto leave;
}
+ bhd->ctx = b = (void *) ((char *) bhd + n);
+ /* No need to copy the buffer due to the write above. */
+ gcry_assert (ahd->bufsize == (n - sizeof (struct gcry_md_handle) + 1));
+ bhd->bufsize = ahd->bufsize;
+ bhd->bufpos = 0;
+ gcry_assert (! ahd->bufpos);
+ memcpy (b, a, sizeof *a);
+ b->list = NULL;
+ b->debug = NULL;
+
/* Copy the complete list of algorithms. The copied list is
reversed, but that doesn't matter. */
- if (!err)
+ for (ar = a->list; ar; ar = ar->next)
{
- for (ar = a->list; ar; ar = ar->next)
+ if (a->flags.secure)
+ br = xtrymalloc_secure (ar->actual_struct_size);
+ else
+ br = xtrymalloc (ar->actual_struct_size);
+ if (!br)
{
- if (a->flags.secure)
- br = xtrymalloc_secure (ar->actual_struct_size);
- else
- br = xtrymalloc (ar->actual_struct_size);
- if (!br)
- {
- err = gpg_err_code_from_errno (errno);
- md_close (bhd);
- break;
- }
-
- memcpy (br, ar, ar->actual_struct_size);
- br->next = b->list;
- b->list = br;
+ err = gpg_err_code_from_syserror ();
+ md_close (bhd);
+ goto leave;
}
+
+ memcpy (br, ar, ar->actual_struct_size);
+ br->next = b->list;
+ b->list = br;
}
- if (a->debug && !err)
+ if (a->debug)
md_start_debug (bhd, "unknown");
- if (!err)
- *b_hd = bhd;
+ *b_hd = bhd;
+ leave:
return err;
}
{
if (r->next)
log_debug ("more than one algorithm in md_read(0)\n");
- if (r->spec->read == NULL)
- return NULL;
- return r->spec->read (&r->context.c);
+ if (r->spec->read)
+ return r->spec->read (&r->context.c);
}
}
else
for (r = a->ctx->list; r; r = r->next)
if (r->spec->algo == algo)
{
- if (r->spec->read == NULL)
- return NULL;
- return r->spec->read (&r->context.c);
+ if (r->spec->read)
+ return r->spec->read (&r->context.c);
+ break;
}
}
- BUG();
+
+ if (r && !r->spec->read)
+ _gcry_fatal_error (GPG_ERR_DIGEST_ALGO,
+ "requested algo has no fixed digest length");
+ else
+ _gcry_fatal_error (GPG_ERR_DIGEST_ALGO, "requested algo not in md context");
return NULL;
}
normal functions. */
gcry_md_hd_t h;
gpg_err_code_t rc;
+ int dlen;
if (algo == GCRY_MD_MD5 && fips_mode ())
{
}
}
+ /* Detect SHAKE128 like algorithms which we can't use because
+ * our API does not allow for a variable length digest. */
+ dlen = md_digest_length (algo);
+ if (!dlen)
+ return GPG_ERR_DIGEST_ALGO;
+
rc = md_open (&h, algo, (hmac? GCRY_MD_FLAG_HMAC:0));
if (rc)
return rc;
for (;iovcnt; iov++, iovcnt--)
md_write (h, (const char*)iov[0].data + iov[0].off, iov[0].len);
md_final (h);
- memcpy (digest, md_read (h, algo), md_digest_length (algo));
+ memcpy (digest, md_read (h, algo), dlen);
md_close (h);
}
.fpu neon
.arm
+#ifdef __PIC__
+# define GET_DATA_POINTER(reg, name, rtmp) \
+ ldr reg, 1f; \
+ ldr rtmp, 2f; \
+ b 3f; \
+ 1: .word _GLOBAL_OFFSET_TABLE_-(3f+8); \
+ 2: .word name(GOT); \
+ 3: add reg, pc, reg; \
+ ldr reg, [reg, rtmp];
+#else
+# define GET_DATA_POINTER(reg, name, rtmp) ldr reg, =name
+#endif
+
+#define UNALIGNED_LDMIA2(ptr, l0, l1) \
+ tst ptr, #3; \
+ beq 1f; \
+ vpush {d0}; \
+ vld1.32 {d0}, [ptr]!; \
+ vmov l0, s0; \
+ vmov l1, s1; \
+ vpop {d0}; \
+ b 2f; \
+ 1: ldmia ptr!, {l0-l1}; \
+ 2: ;
+
+#define UNALIGNED_LDMIA4(ptr, l0, l1, l2, l3) \
+ tst ptr, #3; \
+ beq 1f; \
+ vpush {d0-d1}; \
+ vld1.32 {d0-d1}, [ptr]!; \
+ vmov l0, s0; \
+ vmov l1, s1; \
+ vmov l2, s2; \
+ vmov l3, s3; \
+ vpop {d0-d1}; \
+ b 2f; \
+ 1: ldmia ptr!, {l0-l3}; \
+ 2: ;
+
.text
.p2align 2
mov r14, r2
and r2, r2, r2
moveq r14, #-1
- ldmia r1!, {r2-r5}
- ldr r7, =.Lpoly1305_init_constants_neon
+ UNALIGNED_LDMIA4(r1, r2, r3, r4, r5)
+ GET_DATA_POINTER(r7,.Lpoly1305_init_constants_neon,r8)
mov r6, r2
mov r8, r2, lsr #26
mov r9, r3, lsr #20
eor r6, r6, r6
stmia r0!, {r2-r6}
stmia r0!, {r2-r6}
- ldmia r1!, {r2-r5}
+ UNALIGNED_LDMIA4(r1, r2, r3, r4, r5)
stmia r0, {r2-r6}
add sp, sp, #32
ldmfd sp!, {r4-r11, lr}
vmov d14, d12
vmul.i32 q6, q5, d0[0]
.Lpoly1305_blocks_neon_mainloop:
- ldmia r0!, {r2-r5}
+ UNALIGNED_LDMIA4(r0, r2, r3, r4, r5)
vmull.u32 q0, d25, d12[0]
mov r7, r2, lsr #26
vmlal.u32 q0, d24, d12[1]
orr r4, r8, r4, lsl #12
orr r5, r9, r5, lsl #18
vmlal.u32 q1, d24, d13[0]
- ldmia r0!, {r7-r10}
+ UNALIGNED_LDMIA4(r0, r7, r8, r9, r10)
vmlal.u32 q1, d23, d13[1]
mov r1, r7, lsr #26
vmlal.u32 q1, d22, d14[0]
vmlal.u32 q4, d21, d11[1]
vld1.64 {d21-d24}, [r14, :256]!
vld1.64 {d25}, [r14, :64]
- ldmia r0!, {r2-r5}
+ UNALIGNED_LDMIA4(r0, r2, r3, r4, r5)
vmlal.u32 q0, d25, d26
mov r7, r2, lsr #26
vmlal.u32 q0, d24, d27
orr r4, r8, r4, lsl #12
orr r5, r9, r5, lsl #18
vmlal.u32 q1, d24, d28
- ldmia r0!, {r7-r10}
+ UNALIGNED_LDMIA4(r0, r7, r8, r9, r10)
vmlal.u32 q1, d23, d29
mov r1, r7, lsr #26
vmlal.u32 q1, d22, d20
.Lpoly1305_finish_ext_neon_skip16:
tst r7, #8
beq .Lpoly1305_finish_ext_neon_skip8
- ldmia r1!, {r10-r11}
+ UNALIGNED_LDMIA2(r1, r10, r11)
stmia r9!, {r10-r11}
.Lpoly1305_finish_ext_neon_skip8:
tst r7, #4
--- /dev/null
+/* rijndael-aarch64.S - ARMv8/AArch64 assembly implementation of AES cipher
+ *
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(__AARCH64EL__)
+#ifdef HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS
+
+.text
+
+/* register macros */
+#define CTX x0
+#define RDST x1
+#define RSRC x2
+#define NROUNDS w3
+#define RTAB x4
+#define RMASK w5
+
+#define RA w8
+#define RB w9
+#define RC w10
+#define RD w11
+
+#define RNA w12
+#define RNB w13
+#define RNC w14
+#define RND w15
+
+#define RT0 w6
+#define RT1 w7
+#define RT2 w16
+#define xRT0 x6
+#define xRT1 x7
+#define xRT2 x16
+
+#define xw8 x8
+#define xw9 x9
+#define xw10 x10
+#define xw11 x11
+
+#define xw12 x12
+#define xw13 x13
+#define xw14 x14
+#define xw15 x15
+
+/***********************************************************************
+ * ARMv8/AArch64 assembly implementation of the AES cipher
+ ***********************************************************************/
+#define preload_first_key(round, ra) \
+ ldr ra, [CTX, #(((round) * 16) + 0 * 4)];
+
+#define dummy(round, ra) /* nothing */
+
+#define addroundkey(ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_key) \
+ ldp rna, rnb, [CTX]; \
+ ldp rnc, rnd, [CTX, #8]; \
+ eor ra, ra, rna; \
+ eor rb, rb, rnb; \
+ eor rc, rc, rnc; \
+ preload_key(1, rna); \
+ eor rd, rd, rnd;
+
+#define do_encround(next_r, ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_key) \
+ ldr rnb, [CTX, #(((next_r) * 16) + 1 * 4)]; \
+ \
+ and RT0, RMASK, ra, lsl#2; \
+ ldr rnc, [CTX, #(((next_r) * 16) + 2 * 4)]; \
+ and RT1, RMASK, ra, lsr#(8 - 2); \
+ ldr rnd, [CTX, #(((next_r) * 16) + 3 * 4)]; \
+ and RT2, RMASK, ra, lsr#(16 - 2); \
+ ldr RT0, [RTAB, xRT0]; \
+ and ra, RMASK, ra, lsr#(24 - 2); \
+ \
+ ldr RT1, [RTAB, xRT1]; \
+ eor rna, rna, RT0; \
+ ldr RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rd, lsl#2; \
+ ldr ra, [RTAB, x##ra]; \
+ \
+ eor rnd, rnd, RT1, ror #24; \
+ and RT1, RMASK, rd, lsr#(8 - 2); \
+ eor rnc, rnc, RT2, ror #16; \
+ and RT2, RMASK, rd, lsr#(16 - 2); \
+ eor rnb, rnb, ra, ror #8; \
+ ldr RT0, [RTAB, xRT0]; \
+ and rd, RMASK, rd, lsr#(24 - 2); \
+ \
+ ldr RT1, [RTAB, xRT1]; \
+ eor rnd, rnd, RT0; \
+ ldr RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rc, lsl#2; \
+ ldr rd, [RTAB, x##rd]; \
+ \
+ eor rnc, rnc, RT1, ror #24; \
+ and RT1, RMASK, rc, lsr#(8 - 2); \
+ eor rnb, rnb, RT2, ror #16; \
+ and RT2, RMASK, rc, lsr#(16 - 2); \
+ eor rna, rna, rd, ror #8; \
+ ldr RT0, [RTAB, xRT0]; \
+ and rc, RMASK, rc, lsr#(24 - 2); \
+ \
+ ldr RT1, [RTAB, xRT1]; \
+ eor rnc, rnc, RT0; \
+ ldr RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rb, lsl#2; \
+ ldr rc, [RTAB, x##rc]; \
+ \
+ eor rnb, rnb, RT1, ror #24; \
+ and RT1, RMASK, rb, lsr#(8 - 2); \
+ eor rna, rna, RT2, ror #16; \
+ and RT2, RMASK, rb, lsr#(16 - 2); \
+ eor rnd, rnd, rc, ror #8; \
+ ldr RT0, [RTAB, xRT0]; \
+ and rb, RMASK, rb, lsr#(24 - 2); \
+ \
+ ldr RT1, [RTAB, xRT1]; \
+ eor rnb, rnb, RT0; \
+ ldr RT2, [RTAB, xRT2]; \
+ eor rna, rna, RT1, ror #24; \
+ ldr rb, [RTAB, x##rb]; \
+ \
+ eor rnd, rnd, RT2, ror #16; \
+ preload_key((next_r) + 1, ra); \
+ eor rnc, rnc, rb, ror #8;
+
+#define do_lastencround(ra, rb, rc, rd, rna, rnb, rnc, rnd) \
+ and RT0, RMASK, ra, lsl#2; \
+ and RT1, RMASK, ra, lsr#(8 - 2); \
+ and RT2, RMASK, ra, lsr#(16 - 2); \
+ ldrb rna, [RTAB, xRT0]; \
+ and ra, RMASK, ra, lsr#(24 - 2); \
+ ldrb rnd, [RTAB, xRT1]; \
+ and RT0, RMASK, rd, lsl#2; \
+ ldrb rnc, [RTAB, xRT2]; \
+ ror rnd, rnd, #24; \
+ ldrb rnb, [RTAB, x##ra]; \
+ and RT1, RMASK, rd, lsr#(8 - 2); \
+ ror rnc, rnc, #16; \
+ and RT2, RMASK, rd, lsr#(16 - 2); \
+ ror rnb, rnb, #8; \
+ ldrb RT0, [RTAB, xRT0]; \
+ and rd, RMASK, rd, lsr#(24 - 2); \
+ ldrb RT1, [RTAB, xRT1]; \
+ \
+ orr rnd, rnd, RT0; \
+ ldrb RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rc, lsl#2; \
+ ldrb rd, [RTAB, x##rd]; \
+ orr rnc, rnc, RT1, ror #24; \
+ and RT1, RMASK, rc, lsr#(8 - 2); \
+ orr rnb, rnb, RT2, ror #16; \
+ and RT2, RMASK, rc, lsr#(16 - 2); \
+ orr rna, rna, rd, ror #8; \
+ ldrb RT0, [RTAB, xRT0]; \
+ and rc, RMASK, rc, lsr#(24 - 2); \
+ ldrb RT1, [RTAB, xRT1]; \
+ \
+ orr rnc, rnc, RT0; \
+ ldrb RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rb, lsl#2; \
+ ldrb rc, [RTAB, x##rc]; \
+ orr rnb, rnb, RT1, ror #24; \
+ and RT1, RMASK, rb, lsr#(8 - 2); \
+ orr rna, rna, RT2, ror #16; \
+ ldrb RT0, [RTAB, xRT0]; \
+ and RT2, RMASK, rb, lsr#(16 - 2); \
+ ldrb RT1, [RTAB, xRT1]; \
+ orr rnd, rnd, rc, ror #8; \
+ ldrb RT2, [RTAB, xRT2]; \
+ and rb, RMASK, rb, lsr#(24 - 2); \
+ ldrb rb, [RTAB, x##rb]; \
+ \
+ orr rnb, rnb, RT0; \
+ orr rna, rna, RT1, ror #24; \
+ orr rnd, rnd, RT2, ror #16; \
+ orr rnc, rnc, rb, ror #8;
+
+#define firstencround(round, ra, rb, rc, rd, rna, rnb, rnc, rnd) \
+ addroundkey(ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_first_key); \
+ do_encround((round) + 1, ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_first_key);
+
+#define encround(round, ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_key) \
+ do_encround((round) + 1, ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_key);
+
+#define lastencround(round, ra, rb, rc, rd, rna, rnb, rnc, rnd) \
+ add CTX, CTX, #(((round) + 1) * 16); \
+ add RTAB, RTAB, #1; \
+ do_lastencround(ra, rb, rc, rd, rna, rnb, rnc, rnd); \
+ addroundkey(rna, rnb, rnc, rnd, ra, rb, rc, rd, dummy);
+
+.globl _gcry_aes_arm_encrypt_block
+.type _gcry_aes_arm_encrypt_block,%function;
+
+_gcry_aes_arm_encrypt_block:
+ /* input:
+ * %x0: keysched, CTX
+ * %x1: dst
+ * %x2: src
+ * %w3: number of rounds.. 10, 12 or 14
+ * %x4: encryption table
+ */
+
+ /* read input block */
+
+ /* aligned load */
+ ldp RA, RB, [RSRC];
+ ldp RC, RD, [RSRC, #8];
+#ifndef __AARCH64EL__
+ rev RA, RA;
+ rev RB, RB;
+ rev RC, RC;
+ rev RD, RD;
+#endif
+
+ mov RMASK, #(0xff<<2);
+
+ firstencround(0, RA, RB, RC, RD, RNA, RNB, RNC, RND);
+ encround(1, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ encround(2, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ encround(3, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ encround(4, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ encround(5, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ encround(6, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ encround(7, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+
+ cmp NROUNDS, #12;
+ bge .Lenc_not_128;
+
+ encround(8, RA, RB, RC, RD, RNA, RNB, RNC, RND, dummy);
+ lastencround(9, RNA, RNB, RNC, RND, RA, RB, RC, RD);
+
+.Lenc_done:
+
+ /* store output block */
+
+ /* aligned store */
+#ifndef __AARCH64EL__
+ rev RA, RA;
+ rev RB, RB;
+ rev RC, RC;
+ rev RD, RD;
+#endif
+ /* write output block */
+ stp RA, RB, [RDST];
+ stp RC, RD, [RDST, #8];
+
+ mov x0, #(0);
+ ret;
+
+.ltorg
+.Lenc_not_128:
+ beq .Lenc_192
+
+ encround(8, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ encround(9, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ encround(10, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ encround(11, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ encround(12, RA, RB, RC, RD, RNA, RNB, RNC, RND, dummy);
+ lastencround(13, RNA, RNB, RNC, RND, RA, RB, RC, RD);
+
+ b .Lenc_done;
+
+.ltorg
+.Lenc_192:
+ encround(8, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ encround(9, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ encround(10, RA, RB, RC, RD, RNA, RNB, RNC, RND, dummy);
+ lastencround(11, RNA, RNB, RNC, RND, RA, RB, RC, RD);
+
+ b .Lenc_done;
+.size _gcry_aes_arm_encrypt_block,.-_gcry_aes_arm_encrypt_block;
+
+#define addroundkey_dec(round, ra, rb, rc, rd, rna, rnb, rnc, rnd) \
+ ldr rna, [CTX, #(((round) * 16) + 0 * 4)]; \
+ ldr rnb, [CTX, #(((round) * 16) + 1 * 4)]; \
+ eor ra, ra, rna; \
+ ldr rnc, [CTX, #(((round) * 16) + 2 * 4)]; \
+ eor rb, rb, rnb; \
+ ldr rnd, [CTX, #(((round) * 16) + 3 * 4)]; \
+ eor rc, rc, rnc; \
+ preload_first_key((round) - 1, rna); \
+ eor rd, rd, rnd;
+
+#define do_decround(next_r, ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_key) \
+ ldr rnb, [CTX, #(((next_r) * 16) + 1 * 4)]; \
+ \
+ and RT0, RMASK, ra, lsl#2; \
+ ldr rnc, [CTX, #(((next_r) * 16) + 2 * 4)]; \
+ and RT1, RMASK, ra, lsr#(8 - 2); \
+ ldr rnd, [CTX, #(((next_r) * 16) + 3 * 4)]; \
+ and RT2, RMASK, ra, lsr#(16 - 2); \
+ ldr RT0, [RTAB, xRT0]; \
+ and ra, RMASK, ra, lsr#(24 - 2); \
+ \
+ ldr RT1, [RTAB, xRT1]; \
+ eor rna, rna, RT0; \
+ ldr RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rb, lsl#2; \
+ ldr ra, [RTAB, x##ra]; \
+ \
+ eor rnb, rnb, RT1, ror #24; \
+ and RT1, RMASK, rb, lsr#(8 - 2); \
+ eor rnc, rnc, RT2, ror #16; \
+ and RT2, RMASK, rb, lsr#(16 - 2); \
+ eor rnd, rnd, ra, ror #8; \
+ ldr RT0, [RTAB, xRT0]; \
+ and rb, RMASK, rb, lsr#(24 - 2); \
+ \
+ ldr RT1, [RTAB, xRT1]; \
+ eor rnb, rnb, RT0; \
+ ldr RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rc, lsl#2; \
+ ldr rb, [RTAB, x##rb]; \
+ \
+ eor rnc, rnc, RT1, ror #24; \
+ and RT1, RMASK, rc, lsr#(8 - 2); \
+ eor rnd, rnd, RT2, ror #16; \
+ and RT2, RMASK, rc, lsr#(16 - 2); \
+ eor rna, rna, rb, ror #8; \
+ ldr RT0, [RTAB, xRT0]; \
+ and rc, RMASK, rc, lsr#(24 - 2); \
+ \
+ ldr RT1, [RTAB, xRT1]; \
+ eor rnc, rnc, RT0; \
+ ldr RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rd, lsl#2; \
+ ldr rc, [RTAB, x##rc]; \
+ \
+ eor rnd, rnd, RT1, ror #24; \
+ and RT1, RMASK, rd, lsr#(8 - 2); \
+ eor rna, rna, RT2, ror #16; \
+ and RT2, RMASK, rd, lsr#(16 - 2); \
+ eor rnb, rnb, rc, ror #8; \
+ ldr RT0, [RTAB, xRT0]; \
+ and rd, RMASK, rd, lsr#(24 - 2); \
+ \
+ ldr RT1, [RTAB, xRT1]; \
+ eor rnd, rnd, RT0; \
+ ldr RT2, [RTAB, xRT2]; \
+ eor rna, rna, RT1, ror #24; \
+ ldr rd, [RTAB, x##rd]; \
+ \
+ eor rnb, rnb, RT2, ror #16; \
+ preload_key((next_r) - 1, ra); \
+ eor rnc, rnc, rd, ror #8;
+
+#define do_lastdecround(ra, rb, rc, rd, rna, rnb, rnc, rnd) \
+ and RT0, RMASK, ra; \
+ and RT1, RMASK, ra, lsr#8; \
+ and RT2, RMASK, ra, lsr#16; \
+ ldrb rna, [RTAB, xRT0]; \
+ lsr ra, ra, #24; \
+ ldrb rnb, [RTAB, xRT1]; \
+ and RT0, RMASK, rb; \
+ ldrb rnc, [RTAB, xRT2]; \
+ ror rnb, rnb, #24; \
+ ldrb rnd, [RTAB, x##ra]; \
+ and RT1, RMASK, rb, lsr#8; \
+ ror rnc, rnc, #16; \
+ and RT2, RMASK, rb, lsr#16; \
+ ror rnd, rnd, #8; \
+ ldrb RT0, [RTAB, xRT0]; \
+ lsr rb, rb, #24; \
+ ldrb RT1, [RTAB, xRT1]; \
+ \
+ orr rnb, rnb, RT0; \
+ ldrb RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rc; \
+ ldrb rb, [RTAB, x##rb]; \
+ orr rnc, rnc, RT1, ror #24; \
+ and RT1, RMASK, rc, lsr#8; \
+ orr rnd, rnd, RT2, ror #16; \
+ and RT2, RMASK, rc, lsr#16; \
+ orr rna, rna, rb, ror #8; \
+ ldrb RT0, [RTAB, xRT0]; \
+ lsr rc, rc, #24; \
+ ldrb RT1, [RTAB, xRT1]; \
+ \
+ orr rnc, rnc, RT0; \
+ ldrb RT2, [RTAB, xRT2]; \
+ and RT0, RMASK, rd; \
+ ldrb rc, [RTAB, x##rc]; \
+ orr rnd, rnd, RT1, ror #24; \
+ and RT1, RMASK, rd, lsr#8; \
+ orr rna, rna, RT2, ror #16; \
+ ldrb RT0, [RTAB, xRT0]; \
+ and RT2, RMASK, rd, lsr#16; \
+ ldrb RT1, [RTAB, xRT1]; \
+ orr rnb, rnb, rc, ror #8; \
+ ldrb RT2, [RTAB, xRT2]; \
+ lsr rd, rd, #24; \
+ ldrb rd, [RTAB, x##rd]; \
+ \
+ orr rnd, rnd, RT0; \
+ orr rna, rna, RT1, ror #24; \
+ orr rnb, rnb, RT2, ror #16; \
+ orr rnc, rnc, rd, ror #8;
+
+#define firstdecround(round, ra, rb, rc, rd, rna, rnb, rnc, rnd) \
+ addroundkey_dec(((round) + 1), ra, rb, rc, rd, rna, rnb, rnc, rnd); \
+ do_decround(round, ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_first_key);
+
+#define decround(round, ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_key) \
+ do_decround(round, ra, rb, rc, rd, rna, rnb, rnc, rnd, preload_key);
+
+#define set_last_round_rmask(_, __) \
+ mov RMASK, #0xff;
+
+#define lastdecround(round, ra, rb, rc, rd, rna, rnb, rnc, rnd) \
+ add RTAB, RTAB, #(4 * 256); \
+ do_lastdecround(ra, rb, rc, rd, rna, rnb, rnc, rnd); \
+ addroundkey(rna, rnb, rnc, rnd, ra, rb, rc, rd, dummy);
+
+.globl _gcry_aes_arm_decrypt_block
+.type _gcry_aes_arm_decrypt_block,%function;
+
+_gcry_aes_arm_decrypt_block:
+ /* input:
+ * %x0: keysched, CTX
+ * %x1: dst
+ * %x2: src
+ * %w3: number of rounds.. 10, 12 or 14
+ * %x4: decryption table
+ */
+
+ /* read input block */
+
+ /* aligned load */
+ ldp RA, RB, [RSRC];
+ ldp RC, RD, [RSRC, #8];
+#ifndef __AARCH64EL__
+ rev RA, RA;
+ rev RB, RB;
+ rev RC, RC;
+ rev RD, RD;
+#endif
+
+ mov RMASK, #(0xff << 2);
+
+ cmp NROUNDS, #12;
+ bge .Ldec_256;
+
+ firstdecround(9, RA, RB, RC, RD, RNA, RNB, RNC, RND);
+.Ldec_tail:
+ decround(8, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ decround(7, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ decround(6, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ decround(5, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ decround(4, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ decround(3, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ decround(2, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ decround(1, RA, RB, RC, RD, RNA, RNB, RNC, RND, set_last_round_rmask);
+ lastdecround(0, RNA, RNB, RNC, RND, RA, RB, RC, RD);
+
+ /* store output block */
+
+ /* aligned store */
+#ifndef __AARCH64EL__
+ rev RA, RA;
+ rev RB, RB;
+ rev RC, RC;
+ rev RD, RD;
+#endif
+ /* write output block */
+ stp RA, RB, [RDST];
+ stp RC, RD, [RDST, #8];
+
+ mov x0, #(0);
+ ret;
+
+.ltorg
+.Ldec_256:
+ beq .Ldec_192;
+
+ firstdecround(13, RA, RB, RC, RD, RNA, RNB, RNC, RND);
+ decround(12, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ decround(11, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+ decround(10, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ decround(9, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+
+ b .Ldec_tail;
+
+.ltorg
+.Ldec_192:
+ firstdecround(11, RA, RB, RC, RD, RNA, RNB, RNC, RND);
+ decround(10, RNA, RNB, RNC, RND, RA, RB, RC, RD, preload_first_key);
+ decround(9, RA, RB, RC, RD, RNA, RNB, RNC, RND, preload_first_key);
+
+ b .Ldec_tail;
+.size _gcry_aes_arm_decrypt_block,.-_gcry_aes_arm_decrypt_block;
+
+#endif /*HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS*/
+#endif /*__AARCH64EL__ */
{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3 },
{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4 }
};
+ const void *bige_addb = bige_addb_const;
#define aesenc_xmm1_xmm0 ".byte 0x66, 0x0f, 0x38, 0xdc, 0xc1\n\t"
#define aesenc_xmm1_xmm2 ".byte 0x66, 0x0f, 0x38, 0xdc, 0xd1\n\t"
#define aesenc_xmm1_xmm3 ".byte 0x66, 0x0f, 0x38, 0xdc, 0xd9\n\t"
"ja .Ladd32bit%=\n\t"
"movdqa %%xmm5, %%xmm0\n\t" /* xmm0 := CTR (xmm5) */
- "movdqa %[addb_1], %%xmm2\n\t" /* xmm2 := be(1) */
- "movdqa %[addb_2], %%xmm3\n\t" /* xmm3 := be(2) */
- "movdqa %[addb_3], %%xmm4\n\t" /* xmm4 := be(3) */
- "movdqa %[addb_4], %%xmm5\n\t" /* xmm5 := be(4) */
+ "movdqa 0*16(%[addb]), %%xmm2\n\t" /* xmm2 := be(1) */
+ "movdqa 1*16(%[addb]), %%xmm3\n\t" /* xmm3 := be(2) */
+ "movdqa 2*16(%[addb]), %%xmm4\n\t" /* xmm4 := be(3) */
+ "movdqa 3*16(%[addb]), %%xmm5\n\t" /* xmm5 := be(4) */
"paddb %%xmm0, %%xmm2\n\t" /* xmm2 := be(1) + CTR (xmm0) */
"paddb %%xmm0, %%xmm3\n\t" /* xmm3 := be(2) + CTR (xmm0) */
"paddb %%xmm0, %%xmm4\n\t" /* xmm4 := be(3) + CTR (xmm0) */
"paddb %%xmm0, %%xmm5\n\t" /* xmm5 := be(4) + CTR (xmm0) */
"movdqa (%[key]), %%xmm1\n\t" /* xmm1 := key[0] */
- "movl %[rounds], %%esi\n\t"
"jmp .Lstore_ctr%=\n\t"
".Ladd32bit%=:\n\t"
".Lno_carry%=:\n\t"
"movdqa (%[key]), %%xmm1\n\t" /* xmm1 := key[0] */
- "movl %[rounds], %%esi\n\t"
"pshufb %%xmm6, %%xmm2\n\t" /* xmm2 := be(xmm2) */
"pshufb %%xmm6, %%xmm3\n\t" /* xmm3 := be(xmm3) */
".Lstore_ctr%=:\n\t"
"movdqa %%xmm5, (%[ctr])\n\t" /* Update CTR (mem). */
+ :
+ : [ctr] "r" (ctr),
+ [key] "r" (ctx->keyschenc),
+ [addb] "r" (bige_addb)
+ : "%esi", "cc", "memory");
- "pxor %%xmm1, %%xmm0\n\t" /* xmm0 ^= key[0] */
+ asm volatile ("pxor %%xmm1, %%xmm0\n\t" /* xmm0 ^= key[0] */
"pxor %%xmm1, %%xmm2\n\t" /* xmm2 ^= key[0] */
"pxor %%xmm1, %%xmm3\n\t" /* xmm3 ^= key[0] */
"pxor %%xmm1, %%xmm4\n\t" /* xmm4 ^= key[0] */
aesenc_xmm1_xmm3
aesenc_xmm1_xmm4
"movdqa 0xa0(%[key]), %%xmm1\n\t"
- "cmpl $10, %%esi\n\t"
+ "cmpl $10, %[rounds]\n\t"
"jz .Lenclast%=\n\t"
aesenc_xmm1_xmm0
aesenc_xmm1_xmm2
aesenc_xmm1_xmm3
aesenc_xmm1_xmm4
"movdqa 0xc0(%[key]), %%xmm1\n\t"
- "cmpl $12, %%esi\n\t"
+ "cmpl $12, %[rounds]\n\t"
"jz .Lenclast%=\n\t"
aesenc_xmm1_xmm0
aesenc_xmm1_xmm2
aesenclast_xmm1_xmm3
aesenclast_xmm1_xmm4
:
- : [ctr] "r" (ctr),
- [key] "r" (ctx->keyschenc),
- [rounds] "g" (ctx->rounds),
- [addb_1] "m" (bige_addb_const[0][0]),
- [addb_2] "m" (bige_addb_const[1][0]),
- [addb_3] "m" (bige_addb_const[2][0]),
- [addb_4] "m" (bige_addb_const[3][0])
- : "%esi", "cc", "memory");
+ : [key] "r" (ctx->keyschenc),
+ [rounds] "r" (ctx->rounds)
+ : "cc", "memory");
asm volatile ("movdqu (%[src]), %%xmm1\n\t" /* Get block 1. */
"pxor %%xmm1, %%xmm0\n\t" /* EncCTR-1 ^= input */
push {%r4-%r11, %ip, %lr};
/* read input block */
-#ifndef __ARM_FEATURE_UNALIGNED
+
/* test if src is unaligned */
tst %r2, #3;
beq 1f;
b 2f;
.ltorg
1:
-#endif
/* aligned load */
ldm %r2, {RA, RB, RC, RD};
#ifndef __ARMEL__
add %sp, #16;
/* store output block */
-#ifndef __ARM_FEATURE_UNALIGNED
+
/* test if dst is unaligned */
tst RT0, #3;
beq 1f;
b 2f;
.ltorg
1:
-#endif
/* aligned store */
#ifndef __ARMEL__
rev RA, RA;
push {%r4-%r11, %ip, %lr};
/* read input block */
-#ifndef __ARM_FEATURE_UNALIGNED
+
/* test if src is unaligned */
tst %r2, #3;
beq 1f;
b 2f;
.ltorg
1:
-#endif
/* aligned load */
ldm %r2, {RA, RB, RC, RD};
#ifndef __ARMEL__
add %sp, #16;
/* store output block */
-#ifndef __ARM_FEATURE_UNALIGNED
+
/* test if dst is unaligned */
tst RT0, #3;
beq 1f;
b 2f;
.ltorg
1:
-#endif
/* aligned store */
#ifndef __ARMEL__
rev RA, RA;
b .Ldec_tail;
.size _gcry_aes_arm_encrypt_block,.-_gcry_aes_arm_encrypt_block;
-#endif /*HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS*/
+#endif /*HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS*/
#endif /*__ARMEL__ */
--- /dev/null
+/* rijndael-armv8-aarch32-ce.S - ARMv8/CE accelerated AES
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) && \
+ defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
+
+.syntax unified
+.fpu crypto-neon-fp-armv8
+.arm
+
+.text
+
+#ifdef __PIC__
+# define GET_DATA_POINTER(reg, name, rtmp) \
+ ldr reg, 1f; \
+ ldr rtmp, 2f; \
+ b 3f; \
+ 1: .word _GLOBAL_OFFSET_TABLE_-(3f+8); \
+ 2: .word name(GOT); \
+ 3: add reg, pc, reg; \
+ ldr reg, [reg, rtmp];
+#else
+# define GET_DATA_POINTER(reg, name, rtmp) ldr reg, =name
+#endif
+
+
+/* AES macros */
+
+#define aes_preload_keys(keysched, rekeysched) \
+ vldmia keysched!, {q5-q7}; \
+ mov rekeysched, keysched; \
+ vldmialo keysched!, {q8-q15}; /* 128-bit */ \
+ addeq keysched, #(2*16); \
+ vldmiaeq keysched!, {q10-q15}; /* 192-bit */ \
+ addhi keysched, #(4*16); \
+ vldmiahi keysched!, {q12-q15}; /* 256-bit */ \
+
+#define do_aes_one128(ed, mcimc, qo, qb) \
+ aes##ed.8 qb, q5; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q6; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q7; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q8; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q9; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q10; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q11; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q12; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q13; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q14; \
+ veor qo, qb, q15;
+
+#define do_aes_one128re(ed, mcimc, qo, qb, keysched, rekeysched) \
+ vldm rekeysched, {q8-q9}; \
+ do_aes_one128(ed, mcimc, qo, qb);
+
+#define do_aes_one192(ed, mcimc, qo, qb, keysched, rekeysched) \
+ vldm rekeysched!, {q8}; \
+ aes##ed.8 qb, q5; \
+ aes##mcimc.8 qb, qb; \
+ vldm rekeysched, {q9}; \
+ aes##ed.8 qb, q6; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q7; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q8; \
+ aes##mcimc.8 qb, qb; \
+ vldmia keysched!, {q8}; \
+ aes##ed.8 qb, q9; \
+ aes##mcimc.8 qb, qb; \
+ sub rekeysched, #(1*16); \
+ aes##ed.8 qb, q10; \
+ aes##mcimc.8 qb, qb; \
+ vldm keysched, {q9}; \
+ aes##ed.8 qb, q11; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q12; \
+ aes##mcimc.8 qb, qb; \
+ sub keysched, #16; \
+ aes##ed.8 qb, q13; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q14; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q15; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q8; \
+ veor qo, qb, q9; \
+
+#define do_aes_one256(ed, mcimc, qo, qb, keysched, rekeysched) \
+ vldmia rekeysched!, {q8}; \
+ aes##ed.8 qb, q5; \
+ aes##mcimc.8 qb, qb; \
+ vldmia rekeysched!, {q9}; \
+ aes##ed.8 qb, q6; \
+ aes##mcimc.8 qb, qb; \
+ vldmia rekeysched!, {q10}; \
+ aes##ed.8 qb, q7; \
+ aes##mcimc.8 qb, qb; \
+ vldm rekeysched, {q11}; \
+ aes##ed.8 qb, q8; \
+ aes##mcimc.8 qb, qb; \
+ vldmia keysched!, {q8}; \
+ aes##ed.8 qb, q9; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q10; \
+ aes##mcimc.8 qb, qb; \
+ vldmia keysched!, {q9}; \
+ aes##ed.8 qb, q11; \
+ aes##mcimc.8 qb, qb; \
+ sub rekeysched, #(3*16); \
+ aes##ed.8 qb, q12; \
+ aes##mcimc.8 qb, qb; \
+ vldmia keysched!, {q10}; \
+ aes##ed.8 qb, q13; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q14; \
+ aes##mcimc.8 qb, qb; \
+ vldm keysched, {q11}; \
+ aes##ed.8 qb, q15; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q8; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q9; \
+ aes##mcimc.8 qb, qb; \
+ aes##ed.8 qb, q10; \
+ veor qo, qb, q11; \
+ sub keysched, #(3*16); \
+
+#define aes_round_4(ed, mcimc, b0, b1, b2, b3, key) \
+ aes##ed.8 b0, key; \
+ aes##mcimc.8 b0, b0; \
+ aes##ed.8 b1, key; \
+ aes##mcimc.8 b1, b1; \
+ aes##ed.8 b2, key; \
+ aes##mcimc.8 b2, b2; \
+ aes##ed.8 b3, key; \
+ aes##mcimc.8 b3, b3;
+
+#define do_aes_4_128(ed, mcimc, b0, b1, b2, b3) \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q5); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q6); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q7); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q8); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q9); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q10); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q11); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q12); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q13); \
+ aes##ed.8 b0, q14; \
+ veor b0, b0, q15; \
+ aes##ed.8 b1, q14; \
+ veor b1, b1, q15; \
+ aes##ed.8 b2, q14; \
+ veor b2, b2, q15; \
+ aes##ed.8 b3, q14; \
+ veor b3, b3, q15;
+
+#define do_aes_4_128re(ed, mcimc, b0, b1, b2, b3, keysched, rekeysched) \
+ vldm rekeysched, {q8-q9}; \
+ do_aes_4_128(ed, mcimc, b0, b1, b2, b3);
+
+#define do_aes_4_192(ed, mcimc, b0, b1, b2, b3, keysched, rekeysched) \
+ vldm rekeysched!, {q8}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q5); \
+ vldm rekeysched, {q9}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q6); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q7); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q8); \
+ vldmia keysched!, {q8}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q9); \
+ sub rekeysched, #(1*16); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q10); \
+ vldm keysched, {q9}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q11); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q12); \
+ sub keysched, #16; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q13); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q14); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q15); \
+ aes##ed.8 b0, q8; \
+ veor b0, b0, q9; \
+ aes##ed.8 b1, q8; \
+ veor b1, b1, q9; \
+ aes##ed.8 b2, q8; \
+ veor b2, b2, q9; \
+ aes##ed.8 b3, q8; \
+ veor b3, b3, q9;
+
+#define do_aes_4_256(ed, mcimc, b0, b1, b2, b3, keysched, rekeysched) \
+ vldmia rekeysched!, {q8}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q5); \
+ vldmia rekeysched!, {q9}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q6); \
+ vldmia rekeysched!, {q10}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q7); \
+ vldm rekeysched, {q11}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q8); \
+ vldmia keysched!, {q8}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q9); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q10); \
+ vldmia keysched!, {q9}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q11); \
+ sub rekeysched, #(3*16); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q12); \
+ vldmia keysched!, {q10}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q13); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q14); \
+ vldm keysched, {q11}; \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q15); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q8); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, q9); \
+ sub keysched, #(3*16); \
+ aes##ed.8 b0, q10; \
+ veor b0, b0, q11; \
+ aes##ed.8 b1, q10; \
+ veor b1, b1, q11; \
+ aes##ed.8 b2, q10; \
+ veor b2, b2, q11; \
+ aes##ed.8 b3, q10; \
+ veor b3, b3, q11;
+
+
+/* Other functional macros */
+
+#define CLEAR_REG(reg) veor reg, reg;
+
+
+/*
+ * unsigned int _gcry_aes_enc_armv8_ce(void *keysched, byte *dst,
+ * const byte *src,
+ * unsigned int nrounds);
+ */
+.align 3
+.globl _gcry_aes_enc_armv8_ce
+.type _gcry_aes_enc_armv8_ce,%function;
+_gcry_aes_enc_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: dst
+ * r2: src
+ * r3: nrounds
+ */
+
+ vldmia r0!, {q1-q3} /* load 3 round keys */
+
+ cmp r3, #12
+
+ vld1.8 {q0}, [r2]
+
+ bhi .Lenc1_256
+ beq .Lenc1_192
+
+.Lenc1_128:
+
+.Lenc1_tail:
+ vldmia r0, {q8-q15} /* load 8 round keys */
+
+ aese.8 q0, q1
+ aesmc.8 q0, q0
+ CLEAR_REG(q1)
+
+ aese.8 q0, q2
+ aesmc.8 q0, q0
+ CLEAR_REG(q2)
+
+ aese.8 q0, q3
+ aesmc.8 q0, q0
+ CLEAR_REG(q3)
+
+ aese.8 q0, q8
+ aesmc.8 q0, q0
+ CLEAR_REG(q8)
+
+ aese.8 q0, q9
+ aesmc.8 q0, q0
+ CLEAR_REG(q9)
+
+ aese.8 q0, q10
+ aesmc.8 q0, q0
+ CLEAR_REG(q10)
+
+ aese.8 q0, q11
+ aesmc.8 q0, q0
+ CLEAR_REG(q11)
+
+ aese.8 q0, q12
+ aesmc.8 q0, q0
+ CLEAR_REG(q12)
+
+ aese.8 q0, q13
+ aesmc.8 q0, q0
+ CLEAR_REG(q13)
+
+ aese.8 q0, q14
+ veor q0, q15
+ CLEAR_REG(q14)
+ CLEAR_REG(q15)
+
+ vst1.8 {q0}, [r1]
+ CLEAR_REG(q0)
+
+ mov r0, #0
+ bx lr
+
+.Lenc1_192:
+ aese.8 q0, q1
+ aesmc.8 q0, q0
+ vmov q1, q3
+
+ aese.8 q0, q2
+ aesmc.8 q0, q0
+ vldm r0!, {q2-q3} /* load 3 round keys */
+
+ b .Lenc1_tail
+
+.Lenc1_256:
+ vldm r0!, {q15} /* load 1 round key */
+ aese.8 q0, q1
+ aesmc.8 q0, q0
+
+ aese.8 q0, q2
+ aesmc.8 q0, q0
+
+ aese.8 q0, q3
+ aesmc.8 q0, q0
+ vldm r0!, {q1-q3} /* load 3 round keys */
+
+ aese.8 q0, q15
+ aesmc.8 q0, q0
+
+ b .Lenc1_tail
+.size _gcry_aes_enc_armv8_ce,.-_gcry_aes_enc_armv8_ce;
+
+
+/*
+ * unsigned int _gcry_aes_dec_armv8_ce(void *keysched, byte *dst,
+ * const byte *src,
+ * unsigned int nrounds);
+ */
+.align 3
+.globl _gcry_aes_dec_armv8_ce
+.type _gcry_aes_dec_armv8_ce,%function;
+_gcry_aes_dec_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: dst
+ * r2: src
+ * r3: nrounds
+ */
+
+ vldmia r0!, {q1-q3} /* load 3 round keys */
+
+ cmp r3, #12
+
+ vld1.8 {q0}, [r2]
+
+ bhi .Ldec1_256
+ beq .Ldec1_192
+
+.Ldec1_128:
+
+.Ldec1_tail:
+ vldmia r0, {q8-q15} /* load 8 round keys */
+
+ aesd.8 q0, q1
+ aesimc.8 q0, q0
+ CLEAR_REG(q1)
+
+ aesd.8 q0, q2
+ aesimc.8 q0, q0
+ CLEAR_REG(q2)
+
+ aesd.8 q0, q3
+ aesimc.8 q0, q0
+ CLEAR_REG(q3)
+
+ aesd.8 q0, q8
+ aesimc.8 q0, q0
+ CLEAR_REG(q8)
+
+ aesd.8 q0, q9
+ aesimc.8 q0, q0
+ CLEAR_REG(q9)
+
+ aesd.8 q0, q10
+ aesimc.8 q0, q0
+ CLEAR_REG(q10)
+
+ aesd.8 q0, q11
+ aesimc.8 q0, q0
+ CLEAR_REG(q11)
+
+ aesd.8 q0, q12
+ aesimc.8 q0, q0
+ CLEAR_REG(q12)
+
+ aesd.8 q0, q13
+ aesimc.8 q0, q0
+ CLEAR_REG(q13)
+
+ aesd.8 q0, q14
+ veor q0, q15
+ CLEAR_REG(q14)
+ CLEAR_REG(q15)
+
+ vst1.8 {q0}, [r1]
+ CLEAR_REG(q0)
+
+ mov r0, #0
+ bx lr
+
+.Ldec1_192:
+ aesd.8 q0, q1
+ aesimc.8 q0, q0
+ vmov q1, q3
+
+ aesd.8 q0, q2
+ aesimc.8 q0, q0
+ vldm r0!, {q2-q3} /* load 3 round keys */
+
+ b .Ldec1_tail
+
+.Ldec1_256:
+ vldm r0!, {q15} /* load 1 round key */
+ aesd.8 q0, q1
+ aesimc.8 q0, q0
+
+ aesd.8 q0, q2
+ aesimc.8 q0, q0
+
+ aesd.8 q0, q3
+ aesimc.8 q0, q0
+ vldm r0!, {q1-q3} /* load 3 round keys */
+
+ aesd.8 q0, q15
+ aesimc.8 q0, q0
+
+ b .Ldec1_tail
+.size _gcry_aes_dec_armv8_ce,.-_gcry_aes_dec_armv8_ce;
+
+
+/*
+ * void _gcry_aes_cbc_enc_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, size_t nblocks,
+ * int cbc_mac, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_cbc_enc_armv8_ce
+.type _gcry_aes_cbc_enc_armv8_ce,%function;
+_gcry_aes_cbc_enc_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: iv
+ * %st+0: nblocks => r4
+ * %st+4: cbc_mac => r5
+ * %st+8: nrounds => r6
+ */
+
+ push {r4-r6,lr} /* 4*4 = 16b */
+ ldr r4, [sp, #(16+0)]
+ ldr r5, [sp, #(16+4)]
+ cmp r4, #0
+ ldr r6, [sp, #(16+8)]
+ beq .Lcbc_enc_skip
+ cmp r5, #0
+ vpush {q4-q7}
+ moveq r5, #16
+ movne r5, #0
+
+ cmp r6, #12
+ vld1.8 {q1}, [r3] /* load IV */
+
+ aes_preload_keys(r0, lr);
+
+ beq .Lcbc_enc_loop192
+ bhi .Lcbc_enc_loop256
+
+#define CBC_ENC(bits, ...) \
+ .Lcbc_enc_loop##bits: \
+ vld1.8 {q0}, [r2]!; /* load plaintext */ \
+ veor q1, q0, q1; \
+ subs r4, r4, #1; \
+ \
+ do_aes_one##bits(e, mc, q1, q1, ##__VA_ARGS__); \
+ \
+ vst1.8 {q1}, [r1], r5; /* store ciphertext */ \
+ \
+ bne .Lcbc_enc_loop##bits; \
+ b .Lcbc_enc_done;
+
+ CBC_ENC(128)
+ CBC_ENC(192, r0, lr)
+ CBC_ENC(256, r0, lr)
+
+#undef CBC_ENC
+
+.Lcbc_enc_done:
+ vst1.8 {q1}, [r3] /* store IV */
+
+ CLEAR_REG(q0)
+ CLEAR_REG(q1)
+ CLEAR_REG(q2)
+ CLEAR_REG(q3)
+ CLEAR_REG(q8)
+ CLEAR_REG(q9)
+ vpop {q4-q7}
+ CLEAR_REG(q10)
+ CLEAR_REG(q11)
+ CLEAR_REG(q12)
+ CLEAR_REG(q13)
+ CLEAR_REG(q14)
+
+.Lcbc_enc_skip:
+ pop {r4-r6,pc}
+.size _gcry_aes_cbc_enc_armv8_ce,.-_gcry_aes_cbc_enc_armv8_ce;
+
+
+/*
+ * void _gcry_aes_cbc_dec_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_cbc_dec_armv8_ce
+.type _gcry_aes_cbc_dec_armv8_ce,%function;
+_gcry_aes_cbc_dec_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: iv
+ * %st+0: nblocks => r4
+ * %st+4: nrounds => r5
+ */
+
+ push {r4-r6,lr} /* 4*4 = 16b */
+ ldr r4, [sp, #(16+0)]
+ ldr r5, [sp, #(16+4)]
+ cmp r4, #0
+ beq .Lcbc_dec_skip
+ vpush {q4-q7}
+
+ cmp r5, #12
+ vld1.8 {q0}, [r3] /* load IV */
+
+ aes_preload_keys(r0, r6);
+
+ beq .Lcbc_dec_entry_192
+ bhi .Lcbc_dec_entry_256
+
+#define CBC_DEC(bits, ...) \
+ .Lcbc_dec_entry_##bits: \
+ cmp r4, #4; \
+ blo .Lcbc_dec_loop_##bits; \
+ \
+ .Lcbc_dec_loop4_##bits: \
+ \
+ vld1.8 {q1-q2}, [r2]!; /* load ciphertext */ \
+ sub r4, r4, #4; \
+ vld1.8 {q3-q4}, [r2]; /* load ciphertext */ \
+ cmp r4, #4; \
+ sub r2, #32; \
+ \
+ do_aes_4_##bits(d, imc, q1, q2, q3, q4, ##__VA_ARGS__); \
+ \
+ veor q1, q1, q0; \
+ vld1.8 {q0}, [r2]!; /* load next IV */ \
+ veor q2, q2, q0; \
+ vld1.8 {q0}, [r2]!; /* load next IV */ \
+ vst1.8 {q1-q2}, [r1]!; /* store plaintext */ \
+ veor q3, q3, q0; \
+ vld1.8 {q0}, [r2]!; /* load next IV */ \
+ veor q4, q4, q0; \
+ vld1.8 {q0}, [r2]!; /* load next IV */ \
+ vst1.8 {q3-q4}, [r1]!; /* store plaintext */ \
+ \
+ bhs .Lcbc_dec_loop4_##bits; \
+ cmp r4, #0; \
+ beq .Lcbc_dec_done; \
+ \
+ .Lcbc_dec_loop_##bits: \
+ vld1.8 {q1}, [r2]!; /* load ciphertext */ \
+ subs r4, r4, #1; \
+ vmov q2, q1; \
+ \
+ do_aes_one##bits(d, imc, q1, q1, ##__VA_ARGS__); \
+ \
+ veor q1, q1, q0; \
+ vmov q0, q2; \
+ vst1.8 {q1}, [r1]!; /* store plaintext */ \
+ \
+ bne .Lcbc_dec_loop_##bits; \
+ b .Lcbc_dec_done;
+
+ CBC_DEC(128)
+ CBC_DEC(192, r0, r6)
+ CBC_DEC(256, r0, r6)
+
+#undef CBC_DEC
+
+.Lcbc_dec_done:
+ vst1.8 {q0}, [r3] /* store IV */
+
+ CLEAR_REG(q0)
+ CLEAR_REG(q1)
+ CLEAR_REG(q2)
+ CLEAR_REG(q3)
+ CLEAR_REG(q8)
+ CLEAR_REG(q9)
+ vpop {q4-q7}
+ CLEAR_REG(q10)
+ CLEAR_REG(q11)
+ CLEAR_REG(q12)
+ CLEAR_REG(q13)
+ CLEAR_REG(q14)
+
+.Lcbc_dec_skip:
+ pop {r4-r6,pc}
+.size _gcry_aes_cbc_dec_armv8_ce,.-_gcry_aes_cbc_dec_armv8_ce;
+
+
+/*
+ * void _gcry_aes_cfb_enc_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_cfb_enc_armv8_ce
+.type _gcry_aes_cfb_enc_armv8_ce,%function;
+_gcry_aes_cfb_enc_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: iv
+ * %st+0: nblocks => r4
+ * %st+4: nrounds => r5
+ */
+
+ push {r4-r6,lr} /* 4*4 = 16b */
+ ldr r4, [sp, #(16+0)]
+ ldr r5, [sp, #(16+4)]
+ cmp r4, #0
+ beq .Lcfb_enc_skip
+ vpush {q4-q7}
+
+ cmp r5, #12
+ vld1.8 {q0}, [r3] /* load IV */
+
+ aes_preload_keys(r0, r6);
+
+ beq .Lcfb_enc_entry_192
+ bhi .Lcfb_enc_entry_256
+
+#define CFB_ENC(bits, ...) \
+ .Lcfb_enc_entry_##bits: \
+ .Lcfb_enc_loop_##bits: \
+ vld1.8 {q1}, [r2]!; /* load plaintext */ \
+ subs r4, r4, #1; \
+ \
+ do_aes_one##bits(e, mc, q0, q0, ##__VA_ARGS__); \
+ \
+ veor q0, q1, q0; \
+ vst1.8 {q0}, [r1]!; /* store ciphertext */ \
+ \
+ bne .Lcfb_enc_loop_##bits; \
+ b .Lcfb_enc_done;
+
+ CFB_ENC(128)
+ CFB_ENC(192, r0, r6)
+ CFB_ENC(256, r0, r6)
+
+#undef CFB_ENC
+
+.Lcfb_enc_done:
+ vst1.8 {q0}, [r3] /* store IV */
+
+ CLEAR_REG(q0)
+ CLEAR_REG(q1)
+ CLEAR_REG(q2)
+ CLEAR_REG(q3)
+ CLEAR_REG(q8)
+ CLEAR_REG(q9)
+ vpop {q4-q7}
+ CLEAR_REG(q10)
+ CLEAR_REG(q11)
+ CLEAR_REG(q12)
+ CLEAR_REG(q13)
+ CLEAR_REG(q14)
+
+.Lcfb_enc_skip:
+ pop {r4-r6,pc}
+.size _gcry_aes_cfb_enc_armv8_ce,.-_gcry_aes_cfb_enc_armv8_ce;
+
+
+/*
+ * void _gcry_aes_cfb_dec_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_cfb_dec_armv8_ce
+.type _gcry_aes_cfb_dec_armv8_ce,%function;
+_gcry_aes_cfb_dec_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: iv
+ * %st+0: nblocks => r4
+ * %st+4: nrounds => r5
+ */
+
+ push {r4-r6,lr} /* 4*4 = 16b */
+ ldr r4, [sp, #(16+0)]
+ ldr r5, [sp, #(16+4)]
+ cmp r4, #0
+ beq .Lcfb_dec_skip
+ vpush {q4-q7}
+
+ cmp r5, #12
+ vld1.8 {q0}, [r3] /* load IV */
+
+ aes_preload_keys(r0, r6);
+
+ beq .Lcfb_dec_entry_192
+ bhi .Lcfb_dec_entry_256
+
+#define CFB_DEC(bits, ...) \
+ .Lcfb_dec_entry_##bits: \
+ cmp r4, #4; \
+ blo .Lcfb_dec_loop_##bits; \
+ \
+ .Lcfb_dec_loop4_##bits: \
+ \
+ vld1.8 {q2-q3}, [r2]!; /* load ciphertext */ \
+ vmov q1, q0; \
+ sub r4, r4, #4; \
+ vld1.8 {q4}, [r2]; /* load ciphertext */ \
+ sub r2, #32; \
+ cmp r4, #4; \
+ \
+ do_aes_4_##bits(e, mc, q1, q2, q3, q4, ##__VA_ARGS__); \
+ \
+ vld1.8 {q0}, [r2]!; /* load ciphertext */ \
+ veor q1, q1, q0; \
+ vld1.8 {q0}, [r2]!; /* load ciphertext */ \
+ veor q2, q2, q0; \
+ vst1.8 {q1-q2}, [r1]!; /* store plaintext */ \
+ vld1.8 {q0}, [r2]!; \
+ veor q3, q3, q0; \
+ vld1.8 {q0}, [r2]!; /* load next IV / ciphertext */ \
+ veor q4, q4, q0; \
+ vst1.8 {q3-q4}, [r1]!; /* store plaintext */ \
+ \
+ bhs .Lcfb_dec_loop4_##bits; \
+ cmp r4, #0; \
+ beq .Lcfb_dec_done; \
+ \
+ .Lcfb_dec_loop_##bits: \
+ \
+ vld1.8 {q1}, [r2]!; /* load ciphertext */ \
+ \
+ subs r4, r4, #1; \
+ \
+ do_aes_one##bits(e, mc, q0, q0, ##__VA_ARGS__); \
+ \
+ veor q2, q1, q0; \
+ vmov q0, q1; \
+ vst1.8 {q2}, [r1]!; /* store plaintext */ \
+ \
+ bne .Lcfb_dec_loop_##bits; \
+ b .Lcfb_dec_done;
+
+ CFB_DEC(128)
+ CFB_DEC(192, r0, r6)
+ CFB_DEC(256, r0, r6)
+
+#undef CFB_DEC
+
+.Lcfb_dec_done:
+ vst1.8 {q0}, [r3] /* store IV */
+
+ CLEAR_REG(q0)
+ CLEAR_REG(q1)
+ CLEAR_REG(q2)
+ CLEAR_REG(q3)
+ CLEAR_REG(q8)
+ CLEAR_REG(q9)
+ vpop {q4-q7}
+ CLEAR_REG(q10)
+ CLEAR_REG(q11)
+ CLEAR_REG(q12)
+ CLEAR_REG(q13)
+ CLEAR_REG(q14)
+
+.Lcfb_dec_skip:
+ pop {r4-r6,pc}
+.size _gcry_aes_cfb_dec_armv8_ce,.-_gcry_aes_cfb_dec_armv8_ce;
+
+
+/*
+ * void _gcry_aes_ctr_enc_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_ctr_enc_armv8_ce
+.type _gcry_aes_ctr_enc_armv8_ce,%function;
+_gcry_aes_ctr_enc_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: iv
+ * %st+0: nblocks => r4
+ * %st+4: nrounds => r5
+ */
+
+ vpush {q4-q7}
+ push {r4-r12,lr} /* 4*16 + 4*10 = 104b */
+ ldr r4, [sp, #(104+0)]
+ ldr r5, [sp, #(104+4)]
+ cmp r4, #0
+ beq .Lctr_enc_skip
+
+ cmp r5, #12
+ ldm r3, {r7-r10}
+ vld1.8 {q0}, [r3] /* load IV */
+ rev r7, r7
+ rev r8, r8
+ rev r9, r9
+ rev r10, r10
+
+ aes_preload_keys(r0, r6);
+
+ beq .Lctr_enc_entry_192
+ bhi .Lctr_enc_entry_256
+
+#define CTR_ENC(bits, ...) \
+ .Lctr_enc_entry_##bits: \
+ cmp r4, #4; \
+ blo .Lctr_enc_loop_##bits; \
+ \
+ .Lctr_enc_loop4_##bits: \
+ cmp r10, #0xfffffffc; \
+ sub r4, r4, #4; \
+ blo .Lctr_enc_loop4_##bits##_nocarry; \
+ cmp r9, #0xffffffff; \
+ bne .Lctr_enc_loop4_##bits##_nocarry; \
+ \
+ adds r10, #1; \
+ vmov q1, q0; \
+ blcs .Lctr_overflow_one; \
+ rev r11, r10; \
+ vmov.32 d1[1], r11; \
+ \
+ adds r10, #1; \
+ vmov q2, q0; \
+ blcs .Lctr_overflow_one; \
+ rev r11, r10; \
+ vmov.32 d1[1], r11; \
+ \
+ adds r10, #1; \
+ vmov q3, q0; \
+ blcs .Lctr_overflow_one; \
+ rev r11, r10; \
+ vmov.32 d1[1], r11; \
+ \
+ adds r10, #1; \
+ vmov q4, q0; \
+ blcs .Lctr_overflow_one; \
+ rev r11, r10; \
+ vmov.32 d1[1], r11; \
+ \
+ b .Lctr_enc_loop4_##bits##_store_ctr; \
+ \
+ .Lctr_enc_loop4_##bits##_nocarry: \
+ \
+ veor q2, q2; \
+ vrev64.8 q1, q0; \
+ vceq.u32 d5, d5; \
+ vadd.u64 q3, q2, q2; \
+ vadd.u64 q4, q3, q2; \
+ vadd.u64 q0, q3, q3; \
+ vsub.u64 q2, q1, q2; \
+ vsub.u64 q3, q1, q3; \
+ vsub.u64 q4, q1, q4; \
+ vsub.u64 q0, q1, q0; \
+ vrev64.8 q1, q1; \
+ vrev64.8 q2, q2; \
+ vrev64.8 q3, q3; \
+ vrev64.8 q0, q0; \
+ vrev64.8 q4, q4; \
+ add r10, #4; \
+ \
+ .Lctr_enc_loop4_##bits##_store_ctr: \
+ \
+ vst1.8 {q0}, [r3]; \
+ cmp r4, #4; \
+ vld1.8 {q0}, [r2]!; /* load ciphertext */ \
+ \
+ do_aes_4_##bits(e, mc, q1, q2, q3, q4, ##__VA_ARGS__); \
+ \
+ veor q1, q1, q0; \
+ vld1.8 {q0}, [r2]!; /* load ciphertext */ \
+ vst1.8 {q1}, [r1]!; /* store plaintext */ \
+ vld1.8 {q1}, [r2]!; /* load ciphertext */ \
+ veor q2, q2, q0; \
+ veor q3, q3, q1; \
+ vld1.8 {q0}, [r2]!; /* load ciphertext */ \
+ vst1.8 {q2}, [r1]!; /* store plaintext */ \
+ veor q4, q4, q0; \
+ vld1.8 {q0}, [r3]; /* reload IV */ \
+ vst1.8 {q3-q4}, [r1]!; /* store plaintext */ \
+ \
+ bhs .Lctr_enc_loop4_##bits; \
+ cmp r4, #0; \
+ beq .Lctr_enc_done; \
+ \
+ .Lctr_enc_loop_##bits: \
+ \
+ adds r10, #1; \
+ vmov q1, q0; \
+ blcs .Lctr_overflow_one; \
+ rev r11, r10; \
+ subs r4, r4, #1; \
+ vld1.8 {q2}, [r2]!; /* load ciphertext */ \
+ vmov.32 d1[1], r11; \
+ \
+ do_aes_one##bits(e, mc, q1, q1, ##__VA_ARGS__); \
+ \
+ veor q1, q2, q1; \
+ vst1.8 {q1}, [r1]!; /* store plaintext */ \
+ \
+ bne .Lctr_enc_loop_##bits; \
+ b .Lctr_enc_done;
+
+ CTR_ENC(128)
+ CTR_ENC(192, r0, r6)
+ CTR_ENC(256, r0, r6)
+
+#undef CTR_ENC
+
+.Lctr_enc_done:
+ vst1.8 {q0}, [r3] /* store IV */
+
+ CLEAR_REG(q0)
+ CLEAR_REG(q1)
+ CLEAR_REG(q2)
+ CLEAR_REG(q3)
+ CLEAR_REG(q8)
+ CLEAR_REG(q9)
+ CLEAR_REG(q10)
+ CLEAR_REG(q11)
+ CLEAR_REG(q12)
+ CLEAR_REG(q13)
+ CLEAR_REG(q14)
+
+.Lctr_enc_skip:
+ pop {r4-r12,lr}
+ vpop {q4-q7}
+ bx lr
+
+.Lctr_overflow_one:
+ adcs r9, #0
+ adcs r8, #0
+ adc r7, #0
+ rev r11, r9
+ rev r12, r8
+ vmov.32 d1[0], r11
+ rev r11, r7
+ vmov.32 d0[1], r12
+ vmov.32 d0[0], r11
+ bx lr
+.size _gcry_aes_ctr_enc_armv8_ce,.-_gcry_aes_ctr_enc_armv8_ce;
+
+
+/*
+ * void _gcry_aes_ocb_enc_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *offset,
+ * unsigned char *checksum,
+ * void **Ls,
+ * size_t nblocks,
+ * unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_ocb_enc_armv8_ce
+.type _gcry_aes_ocb_enc_armv8_ce,%function;
+_gcry_aes_ocb_enc_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: offset
+ * %st+0: checksum => r4
+ * %st+4: Ls => r5
+ * %st+8: nblocks => r6 (0 < nblocks <= 32)
+ * %st+12: nrounds => r7
+ */
+
+ vpush {q4-q7}
+ push {r4-r12,lr} /* 4*16 + 4*10 = 104b */
+ ldr r7, [sp, #(104+12)]
+ ldr r4, [sp, #(104+0)]
+ ldr r5, [sp, #(104+4)]
+ ldr r6, [sp, #(104+8)]
+
+ cmp r7, #12
+ vld1.8 {q0}, [r3] /* load offset */
+
+ aes_preload_keys(r0, r12);
+
+ beq .Locb_enc_entry_192
+ bhi .Locb_enc_entry_256
+
+#define OCB_ENC(bits, ...) \
+ .Locb_enc_entry_##bits: \
+ cmp r6, #4; \
+ blo .Locb_enc_loop_##bits; \
+ \
+ .Locb_enc_loop4_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* Checksum_i = Checksum_{i-1} xor P_i */ \
+ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \
+ \
+ ldm r5!, {r8, r9, r10, r11}; \
+ sub r6, #4; \
+ \
+ vld1.8 {q9}, [r8]; /* load L_{ntz(i+0)} */ \
+ vld1.8 {q1-q2}, [r2]!; /* load P_i+<0-1> */ \
+ vld1.8 {q8}, [r4]; /* load Checksum_{i-1} */ \
+ veor q0, q0, q9; /* Offset_i+0 */ \
+ vld1.8 {q9}, [r9]; /* load L_{ntz(i+1)} */ \
+ veor q8, q8, q1; /* Checksum_i+0 */ \
+ veor q1, q1, q0; /* P_i+0 xor Offset_i+0 */\
+ vld1.8 {q3-q4}, [r2]!; /* load P_i+<2-3> */ \
+ vst1.8 {q0}, [r1]!; /* store Offset_i+0 */\
+ veor q0, q0, q9; /* Offset_i+1 */ \
+ vld1.8 {q9}, [r10]; /* load L_{ntz(i+2)} */ \
+ veor q8, q8, q2; /* Checksum_i+1 */ \
+ veor q2, q2, q0; /* P_i+1 xor Offset_i+1 */\
+ vst1.8 {q0}, [r1]!; /* store Offset_i+1 */\
+ veor q0, q0, q9; /* Offset_i+2 */ \
+ vld1.8 {q9}, [r11]; /* load L_{ntz(i+3)} */ \
+ veor q8, q8, q3; /* Checksum_i+2 */ \
+ veor q3, q3, q0; /* P_i+2 xor Offset_i+2 */\
+ vst1.8 {q0}, [r1]!; /* store Offset_i+2 */\
+ veor q0, q0, q9; /* Offset_i+3 */ \
+ veor q8, q8, q4; /* Checksum_i+3 */ \
+ veor q4, q4, q0; /* P_i+3 xor Offset_i+3 */\
+ vst1.8 {q0}, [r1]; /* store Offset_i+3 */\
+ sub r1, #(3*16); \
+ vst1.8 {q8}, [r4]; /* store Checksum_i+3 */\
+ \
+ cmp r6, #4; \
+ \
+ do_aes_4_##bits(e, mc, q1, q2, q3, q4, ##__VA_ARGS__); \
+ \
+ mov r8, r1; \
+ vld1.8 {q8-q9}, [r1]!; \
+ veor q1, q1, q8; \
+ veor q2, q2, q9; \
+ vld1.8 {q8-q9}, [r1]!; \
+ vst1.8 {q1-q2}, [r8]!; \
+ veor q3, q3, q8; \
+ veor q4, q4, q9; \
+ vst1.8 {q3-q4}, [r8]; \
+ \
+ bhs .Locb_enc_loop4_##bits; \
+ cmp r6, #0; \
+ beq .Locb_enc_done; \
+ \
+ .Locb_enc_loop_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* Checksum_i = Checksum_{i-1} xor P_i */ \
+ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \
+ \
+ ldr r8, [r5], #4; \
+ vld1.8 {q1}, [r2]!; /* load plaintext */ \
+ vld1.8 {q2}, [r8]; /* load L_{ntz(i)} */ \
+ vld1.8 {q3}, [r4]; /* load checksum */ \
+ subs r6, #1; \
+ veor q0, q0, q2; \
+ veor q3, q3, q1; \
+ veor q1, q1, q0; \
+ vst1.8 {q3}, [r4]; /* store checksum */ \
+ \
+ do_aes_one##bits(e, mc, q1, q1, ##__VA_ARGS__); \
+ \
+ veor q1, q1, q0; \
+ vst1.8 {q1}, [r1]!; /* store ciphertext */ \
+ \
+ bne .Locb_enc_loop_##bits; \
+ b .Locb_enc_done;
+
+ OCB_ENC(128re, r0, r12)
+ OCB_ENC(192, r0, r12)
+ OCB_ENC(256, r0, r12)
+
+#undef OCB_ENC
+
+.Locb_enc_done:
+ vst1.8 {q0}, [r3] /* store offset */
+
+ CLEAR_REG(q0)
+ CLEAR_REG(q1)
+ CLEAR_REG(q2)
+ CLEAR_REG(q3)
+ CLEAR_REG(q8)
+ CLEAR_REG(q9)
+ CLEAR_REG(q10)
+ CLEAR_REG(q11)
+ CLEAR_REG(q12)
+ CLEAR_REG(q13)
+ CLEAR_REG(q14)
+
+ pop {r4-r12,lr}
+ vpop {q4-q7}
+ bx lr
+.size _gcry_aes_ocb_enc_armv8_ce,.-_gcry_aes_ocb_enc_armv8_ce;
+
+
+/*
+ * void _gcry_aes_ocb_dec_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *offset,
+ * unsigned char *checksum,
+ * void **Ls,
+ * size_t nblocks,
+ * unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_ocb_dec_armv8_ce
+.type _gcry_aes_ocb_dec_armv8_ce,%function;
+_gcry_aes_ocb_dec_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: offset
+ * %st+0: checksum => r4
+ * %st+4: Ls => r5
+ * %st+8: nblocks => r6 (0 < nblocks <= 32)
+ * %st+12: nrounds => r7
+ */
+
+ vpush {q4-q7}
+ push {r4-r12,lr} /* 4*16 + 4*10 = 104b */
+ ldr r7, [sp, #(104+12)]
+ ldr r4, [sp, #(104+0)]
+ ldr r5, [sp, #(104+4)]
+ ldr r6, [sp, #(104+8)]
+
+ cmp r7, #12
+ vld1.8 {q0}, [r3] /* load offset */
+
+ aes_preload_keys(r0, r12);
+
+ beq .Locb_dec_entry_192
+ bhi .Locb_dec_entry_256
+
+#define OCB_DEC(bits, ...) \
+ .Locb_dec_entry_##bits: \
+ cmp r6, #4; \
+ blo .Locb_dec_loop_##bits; \
+ \
+ .Locb_dec_loop4_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \
+ /* Checksum_i = Checksum_{i-1} xor P_i */ \
+ \
+ ldm r5!, {r8, r9, r10, r11}; \
+ sub r6, #4; \
+ \
+ vld1.8 {q9}, [r8]; /* load L_{ntz(i+0)} */ \
+ vld1.8 {q1-q2}, [r2]!; /* load P_i+<0-1> */ \
+ veor q0, q0, q9; /* Offset_i+0 */ \
+ vld1.8 {q9}, [r9]; /* load L_{ntz(i+1)} */ \
+ veor q1, q1, q0; /* P_i+0 xor Offset_i+0 */\
+ vld1.8 {q3-q4}, [r2]!; /* load P_i+<2-3> */ \
+ vst1.8 {q0}, [r1]!; /* store Offset_i+0 */\
+ veor q0, q0, q9; /* Offset_i+1 */ \
+ vld1.8 {q9}, [r10]; /* load L_{ntz(i+2)} */ \
+ veor q2, q2, q0; /* P_i+1 xor Offset_i+1 */\
+ vst1.8 {q0}, [r1]!; /* store Offset_i+1 */\
+ veor q0, q0, q9; /* Offset_i+2 */ \
+ vld1.8 {q9}, [r11]; /* load L_{ntz(i+3)} */ \
+ veor q3, q3, q0; /* P_i+2 xor Offset_i+2 */\
+ vst1.8 {q0}, [r1]!; /* store Offset_i+2 */\
+ veor q0, q0, q9; /* Offset_i+3 */ \
+ veor q4, q4, q0; /* P_i+3 xor Offset_i+3 */\
+ vst1.8 {q0}, [r1]; /* store Offset_i+3 */\
+ sub r1, #(3*16); \
+ \
+ cmp r6, #4; \
+ \
+ do_aes_4_##bits(d, imc, q1, q2, q3, q4, ##__VA_ARGS__); \
+ \
+ mov r8, r1; \
+ vld1.8 {q8-q9}, [r1]!; \
+ veor q1, q1, q8; \
+ veor q2, q2, q9; \
+ vld1.8 {q8-q9}, [r1]!; \
+ vst1.8 {q1-q2}, [r8]!; \
+ veor q1, q1, q2; \
+ vld1.8 {q2}, [r4]; /* load Checksum_{i-1} */ \
+ veor q3, q3, q8; \
+ veor q1, q1, q3; \
+ veor q4, q4, q9; \
+ veor q1, q1, q4; \
+ vst1.8 {q3-q4}, [r8]; \
+ veor q2, q2, q1; \
+ vst1.8 {q2}, [r4]; /* store Checksum_i+3 */ \
+ \
+ bhs .Locb_dec_loop4_##bits; \
+ cmp r6, #0; \
+ beq .Locb_dec_done; \
+ \
+ .Locb_dec_loop_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \
+ /* Checksum_i = Checksum_{i-1} xor P_i */ \
+ \
+ ldr r8, [r5], #4; \
+ vld1.8 {q2}, [r8]; /* load L_{ntz(i)} */ \
+ vld1.8 {q1}, [r2]!; /* load ciphertext */ \
+ subs r6, #1; \
+ veor q0, q0, q2; \
+ veor q1, q1, q0; \
+ \
+ do_aes_one##bits(d, imc, q1, q1, ##__VA_ARGS__) \
+ \
+ vld1.8 {q2}, [r4]; /* load checksum */ \
+ veor q1, q1, q0; \
+ vst1.8 {q1}, [r1]!; /* store plaintext */ \
+ veor q2, q2, q1; \
+ vst1.8 {q2}, [r4]; /* store checksum */ \
+ \
+ bne .Locb_dec_loop_##bits; \
+ b .Locb_dec_done;
+
+ OCB_DEC(128re, r0, r12)
+ OCB_DEC(192, r0, r12)
+ OCB_DEC(256, r0, r12)
+
+#undef OCB_DEC
+
+.Locb_dec_done:
+ vst1.8 {q0}, [r3] /* store offset */
+
+ CLEAR_REG(q0)
+ CLEAR_REG(q1)
+ CLEAR_REG(q2)
+ CLEAR_REG(q3)
+ CLEAR_REG(q8)
+ CLEAR_REG(q9)
+ CLEAR_REG(q10)
+ CLEAR_REG(q11)
+ CLEAR_REG(q12)
+ CLEAR_REG(q13)
+ CLEAR_REG(q14)
+
+ pop {r4-r12,lr}
+ vpop {q4-q7}
+ bx lr
+.size _gcry_aes_ocb_dec_armv8_ce,.-_gcry_aes_ocb_dec_armv8_ce;
+
+
+/*
+ * void _gcry_aes_ocb_auth_armv8_ce (const void *keysched,
+ * const unsigned char *abuf,
+ * unsigned char *offset,
+ * unsigned char *checksum,
+ * void **Ls,
+ * size_t nblocks,
+ * unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_ocb_auth_armv8_ce
+.type _gcry_aes_ocb_auth_armv8_ce,%function;
+_gcry_aes_ocb_auth_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: abuf
+ * r2: offset
+ * r3: checksum
+ * %st+0: Ls => r5
+ * %st+4: nblocks => r6 (0 < nblocks <= 32)
+ * %st+8: nrounds => r7
+ */
+
+ vpush {q4-q7}
+ push {r4-r12,lr} /* 4*16 + 4*10 = 104b */
+ ldr r7, [sp, #(104+8)]
+ ldr r5, [sp, #(104+0)]
+ ldr r6, [sp, #(104+4)]
+
+ cmp r7, #12
+ vld1.8 {q0}, [r2] /* load offset */
+
+ aes_preload_keys(r0, r12);
+
+ beq .Locb_auth_entry_192
+ bhi .Locb_auth_entry_256
+
+#define OCB_AUTH(bits, ...) \
+ .Locb_auth_entry_##bits: \
+ cmp r6, #4; \
+ blo .Locb_auth_loop_##bits; \
+ \
+ .Locb_auth_loop4_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \
+ \
+ ldm r5!, {r8, r9, r10, r11}; \
+ sub r6, #4; \
+ \
+ vld1.8 {q9}, [r8]; /* load L_{ntz(i+0)} */ \
+ vld1.8 {q1-q2}, [r1]!; /* load A_i+<0-1> */ \
+ veor q0, q0, q9; /* Offset_i+0 */ \
+ vld1.8 {q9}, [r9]; /* load L_{ntz(i+1)} */ \
+ veor q1, q1, q0; /* A_i+0 xor Offset_i+0 */\
+ vld1.8 {q3-q4}, [r1]!; /* load A_i+<2-3> */ \
+ veor q0, q0, q9; /* Offset_i+1 */ \
+ vld1.8 {q9}, [r10]; /* load L_{ntz(i+2)} */ \
+ veor q2, q2, q0; /* A_i+1 xor Offset_i+1 */\
+ veor q0, q0, q9; /* Offset_i+2 */ \
+ vld1.8 {q9}, [r11]; /* load L_{ntz(i+3)} */ \
+ veor q3, q3, q0; /* A_i+2 xor Offset_i+2 */\
+ veor q0, q0, q9; /* Offset_i+3 */ \
+ veor q4, q4, q0; /* A_i+3 xor Offset_i+3 */\
+ \
+ cmp r6, #4; \
+ \
+ do_aes_4_##bits(e, mc, q1, q2, q3, q4, ##__VA_ARGS__); \
+ \
+ veor q1, q1, q2; \
+ veor q3, q3, q4; \
+ vld1.8 {q2}, [r3]; \
+ veor q1, q1, q3; \
+ veor q2, q2, q1; \
+ vst1.8 {q2}, [r3]; \
+ \
+ bhs .Locb_auth_loop4_##bits; \
+ cmp r6, #0; \
+ beq .Locb_auth_done; \
+ \
+ .Locb_auth_loop_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \
+ \
+ ldr r8, [r5], #4; \
+ vld1.8 {q2}, [r8]; /* load L_{ntz(i)} */ \
+ vld1.8 {q1}, [r1]!; /* load aadtext */ \
+ subs r6, #1; \
+ veor q0, q0, q2; \
+ vld1.8 {q2}, [r3]; /* load checksum */ \
+ veor q1, q1, q0; \
+ \
+ do_aes_one##bits(e, mc, q1, q1, ##__VA_ARGS__) \
+ \
+ veor q2, q2, q1; \
+ vst1.8 {q2}, [r3]; /* store checksum */ \
+ \
+ bne .Locb_auth_loop_##bits; \
+ b .Locb_auth_done;
+
+ OCB_AUTH(128re, r0, r12)
+ OCB_AUTH(192, r0, r12)
+ OCB_AUTH(256, r0, r12)
+
+#undef OCB_AUTH
+
+.Locb_auth_done:
+ vst1.8 {q0}, [r2] /* store offset */
+
+ CLEAR_REG(q0)
+ CLEAR_REG(q1)
+ CLEAR_REG(q2)
+ CLEAR_REG(q3)
+ CLEAR_REG(q8)
+ CLEAR_REG(q9)
+ CLEAR_REG(q10)
+ CLEAR_REG(q11)
+ CLEAR_REG(q12)
+ CLEAR_REG(q13)
+ CLEAR_REG(q14)
+
+ pop {r4-r12,lr}
+ vpop {q4-q7}
+ bx lr
+.size _gcry_aes_ocb_auth_armv8_ce,.-_gcry_aes_ocb_auth_armv8_ce;
+
+
+/*
+ * u32 _gcry_aes_sbox4_armv8_ce(u32 in4b);
+ */
+.align 3
+.globl _gcry_aes_sbox4_armv8_ce
+.type _gcry_aes_sbox4_armv8_ce,%function;
+_gcry_aes_sbox4_armv8_ce:
+ /* See "Gouvêa, C. P. L. & López, J. Implementing GCM on ARMv8. Topics in
+ * Cryptology — CT-RSA 2015" for details.
+ */
+ vmov.i8 q0, #0x52
+ vmov.i8 q1, #0
+ vmov s0, r0
+ aese.8 q0, q1
+ veor d0, d1
+ vpadd.i32 d0, d0, d1
+ vmov r0, s0
+ CLEAR_REG(q0)
+ bx lr
+.size _gcry_aes_sbox4_armv8_ce,.-_gcry_aes_sbox4_armv8_ce;
+
+
+/*
+ * void _gcry_aes_invmixcol_armv8_ce(void *dst, const void *src);
+ */
+.align 3
+.globl _gcry_aes_invmixcol_armv8_ce
+.type _gcry_aes_invmixcol_armv8_ce,%function;
+_gcry_aes_invmixcol_armv8_ce:
+ vld1.8 {q0}, [r1]
+ aesimc.8 q0, q0
+ vst1.8 {q0}, [r0]
+ CLEAR_REG(q0)
+ bx lr
+.size _gcry_aes_invmixcol_armv8_ce,.-_gcry_aes_invmixcol_armv8_ce;
+
+#endif
--- /dev/null
+/* rijndael-armv8-aarch64-ce.S - ARMv8/CE accelerated AES
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(__AARCH64EL__) && \
+ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
+
+.arch armv8-a+crypto
+
+.text
+
+
+#if (SIZEOF_VOID_P == 4)
+ #define ptr8 w8
+ #define ptr9 w9
+ #define ptr10 w10
+ #define ptr11 w11
+ #define ptr_sz 4
+#elif (SIZEOF_VOID_P == 8)
+ #define ptr8 x8
+ #define ptr9 x9
+ #define ptr10 x10
+ #define ptr11 x11
+ #define ptr_sz 8
+#else
+ #error "missing SIZEOF_VOID_P"
+#endif
+
+
+#define GET_DATA_POINTER(reg, name) \
+ adrp reg, :got:name ; \
+ ldr reg, [reg, #:got_lo12:name] ;
+
+
+/* Register macros */
+
+#define vk0 v17
+#define vk1 v18
+#define vk2 v19
+#define vk3 v20
+#define vk4 v21
+#define vk5 v22
+#define vk6 v23
+#define vk7 v24
+#define vk8 v25
+#define vk9 v26
+#define vk10 v27
+#define vk11 v28
+#define vk12 v29
+#define vk13 v30
+#define vk14 v31
+
+
+/* AES macros */
+
+#define aes_preload_keys(keysched, nrounds) \
+ cmp nrounds, #12; \
+ ld1 {vk0.16b-vk3.16b}, [keysched], #64; \
+ ld1 {vk4.16b-vk7.16b}, [keysched], #64; \
+ ld1 {vk8.16b-vk10.16b}, [keysched], #48; \
+ b.lo 1f; \
+ ld1 {vk11.16b-vk12.16b}, [keysched], #32; \
+ b.eq 1f; \
+ ld1 {vk13.16b-vk14.16b}, [keysched]; \
+1: ;
+
+#define do_aes_one128(ed, mcimc, vo, vb) \
+ aes##ed vb.16b, vk0.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk1.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk2.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk3.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk4.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk5.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk6.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk7.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk8.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk9.16b; \
+ eor vo.16b, vb.16b, vk10.16b;
+
+#define do_aes_one192(ed, mcimc, vo, vb) \
+ aes##ed vb.16b, vk0.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk1.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk2.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk3.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk4.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk5.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk6.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk7.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk8.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk9.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk10.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk11.16b; \
+ eor vo.16b, vb.16b, vk12.16b;
+
+#define do_aes_one256(ed, mcimc, vo, vb) \
+ aes##ed vb.16b, vk0.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk1.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk2.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk3.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk4.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk5.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk6.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk7.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk8.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk9.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk10.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk11.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk12.16b; \
+ aes##mcimc vb.16b, vb.16b; \
+ aes##ed vb.16b, vk13.16b; \
+ eor vo.16b, vb.16b, vk14.16b;
+
+#define aes_round_4(ed, mcimc, b0, b1, b2, b3, key) \
+ aes##ed b0.16b, key.16b; \
+ aes##mcimc b0.16b, b0.16b; \
+ aes##ed b1.16b, key.16b; \
+ aes##mcimc b1.16b, b1.16b; \
+ aes##ed b2.16b, key.16b; \
+ aes##mcimc b2.16b, b2.16b; \
+ aes##ed b3.16b, key.16b; \
+ aes##mcimc b3.16b, b3.16b;
+
+#define aes_lastround_4(ed, b0, b1, b2, b3, key1, key2) \
+ aes##ed b0.16b, key1.16b; \
+ eor b0.16b, b0.16b, key2.16b; \
+ aes##ed b1.16b, key1.16b; \
+ eor b1.16b, b1.16b, key2.16b; \
+ aes##ed b2.16b, key1.16b; \
+ eor b2.16b, b2.16b, key2.16b; \
+ aes##ed b3.16b, key1.16b; \
+ eor b3.16b, b3.16b, key2.16b;
+
+#define do_aes_4_128(ed, mcimc, b0, b1, b2, b3) \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk0); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk1); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk2); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk3); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk4); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk5); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk6); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk7); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk8); \
+ aes_lastround_4(ed, b0, b1, b2, b3, vk9, vk10);
+
+#define do_aes_4_192(ed, mcimc, b0, b1, b2, b3) \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk0); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk1); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk2); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk3); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk4); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk5); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk6); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk7); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk8); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk9); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk10); \
+ aes_lastround_4(ed, b0, b1, b2, b3, vk11, vk12);
+
+#define do_aes_4_256(ed, mcimc, b0, b1, b2, b3) \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk0); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk1); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk2); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk3); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk4); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk5); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk6); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk7); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk8); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk9); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk10); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk11); \
+ aes_round_4(ed, mcimc, b0, b1, b2, b3, vk12); \
+ aes_lastround_4(ed, b0, b1, b2, b3, vk13, vk14);
+
+
+/* Other functional macros */
+
+#define CLEAR_REG(reg) eor reg.16b, reg.16b, reg.16b;
+
+#define aes_clear_keys(nrounds) \
+ cmp nrounds, #12; \
+ CLEAR_REG(vk0); \
+ CLEAR_REG(vk1); \
+ CLEAR_REG(vk2); \
+ CLEAR_REG(vk3); \
+ CLEAR_REG(vk4); \
+ CLEAR_REG(vk5); \
+ CLEAR_REG(vk6); \
+ CLEAR_REG(vk7); \
+ CLEAR_REG(vk9); \
+ CLEAR_REG(vk8); \
+ CLEAR_REG(vk10); \
+ b.lo 1f; \
+ CLEAR_REG(vk11); \
+ CLEAR_REG(vk12); \
+ b.eq 1f; \
+ CLEAR_REG(vk13); \
+ CLEAR_REG(vk14); \
+1: ;
+
+
+/*
+ * unsigned int _gcry_aes_enc_armv8_ce(void *keysched, byte *dst,
+ * const byte *src,
+ * unsigned int nrounds);
+ */
+.align 3
+.globl _gcry_aes_enc_armv8_ce
+.type _gcry_aes_enc_armv8_ce,%function;
+_gcry_aes_enc_armv8_ce:
+ /* input:
+ * x0: keysched
+ * x1: dst
+ * x2: src
+ * w3: nrounds
+ */
+
+ aes_preload_keys(x0, w3);
+
+ ld1 {v0.16b}, [x2]
+
+ b.hi .Lenc1_256
+ b.eq .Lenc1_192
+
+.Lenc1_128:
+ do_aes_one128(e, mc, v0, v0);
+
+.Lenc1_tail:
+ CLEAR_REG(vk0)
+ CLEAR_REG(vk1)
+ CLEAR_REG(vk2)
+ CLEAR_REG(vk3)
+ CLEAR_REG(vk4)
+ CLEAR_REG(vk5)
+ CLEAR_REG(vk6)
+ CLEAR_REG(vk7)
+ CLEAR_REG(vk8)
+ CLEAR_REG(vk9)
+ CLEAR_REG(vk10)
+ st1 {v0.16b}, [x1]
+ CLEAR_REG(v0)
+
+ mov x0, #0
+ ret
+
+.Lenc1_192:
+ do_aes_one192(e, mc, v0, v0);
+
+ CLEAR_REG(vk11)
+ CLEAR_REG(vk12)
+ b .Lenc1_tail
+
+.Lenc1_256:
+ do_aes_one256(e, mc, v0, v0);
+
+ CLEAR_REG(vk11)
+ CLEAR_REG(vk12)
+ CLEAR_REG(vk13)
+ CLEAR_REG(vk14)
+ b .Lenc1_tail
+.size _gcry_aes_enc_armv8_ce,.-_gcry_aes_enc_armv8_ce;
+
+
+/*
+ * unsigned int _gcry_aes_dec_armv8_ce(void *keysched, byte *dst,
+ * const byte *src,
+ * unsigned int nrounds);
+ */
+.align 3
+.globl _gcry_aes_dec_armv8_ce
+.type _gcry_aes_dec_armv8_ce,%function;
+_gcry_aes_dec_armv8_ce:
+ /* input:
+ * x0: keysched
+ * x1: dst
+ * x2: src
+ * w3: nrounds
+ */
+
+ aes_preload_keys(x0, w3);
+
+ ld1 {v0.16b}, [x2]
+
+ b.hi .Ldec1_256
+ b.eq .Ldec1_192
+
+.Ldec1_128:
+ do_aes_one128(d, imc, v0, v0);
+
+.Ldec1_tail:
+ CLEAR_REG(vk0)
+ CLEAR_REG(vk1)
+ CLEAR_REG(vk2)
+ CLEAR_REG(vk3)
+ CLEAR_REG(vk4)
+ CLEAR_REG(vk5)
+ CLEAR_REG(vk6)
+ CLEAR_REG(vk7)
+ CLEAR_REG(vk8)
+ CLEAR_REG(vk9)
+ CLEAR_REG(vk10)
+ st1 {v0.16b}, [x1]
+ CLEAR_REG(v0)
+
+ mov x0, #0
+ ret
+
+.Ldec1_192:
+ do_aes_one192(d, imc, v0, v0);
+
+ CLEAR_REG(vk11)
+ CLEAR_REG(vk12)
+ b .Ldec1_tail
+
+.Ldec1_256:
+ do_aes_one256(d, imc, v0, v0);
+
+ CLEAR_REG(vk11)
+ CLEAR_REG(vk12)
+ CLEAR_REG(vk13)
+ CLEAR_REG(vk14)
+ b .Ldec1_tail
+.size _gcry_aes_dec_armv8_ce,.-_gcry_aes_dec_armv8_ce;
+
+
+/*
+ * void _gcry_aes_cbc_enc_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, size_t nblocks,
+ * int cbc_mac, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_cbc_enc_armv8_ce
+.type _gcry_aes_cbc_enc_armv8_ce,%function;
+_gcry_aes_cbc_enc_armv8_ce:
+ /* input:
+ * x0: keysched
+ * x1: outbuf
+ * x2: inbuf
+ * x3: iv
+ * x4: nblocks
+ * w5: cbc_mac
+ * w6: nrounds
+ */
+
+ cbz x4, .Lcbc_enc_skip
+
+ cmp w5, #0
+ ld1 {v1.16b}, [x3] /* load IV */
+ cset x5, eq
+
+ aes_preload_keys(x0, w6);
+ lsl x5, x5, #4
+
+ b.eq .Lcbc_enc_loop192
+ b.hi .Lcbc_enc_loop256
+
+#define CBC_ENC(bits) \
+ .Lcbc_enc_loop##bits: \
+ ld1 {v0.16b}, [x2], #16; /* load plaintext */ \
+ eor v1.16b, v0.16b, v1.16b; \
+ sub x4, x4, #1; \
+ \
+ do_aes_one##bits(e, mc, v1, v1); \
+ \
+ st1 {v1.16b}, [x1], x5; /* store ciphertext */ \
+ \
+ cbnz x4, .Lcbc_enc_loop##bits; \
+ b .Lcbc_enc_done;
+
+ CBC_ENC(128)
+ CBC_ENC(192)
+ CBC_ENC(256)
+
+#undef CBC_ENC
+
+.Lcbc_enc_done:
+ aes_clear_keys(w6)
+
+ st1 {v1.16b}, [x3] /* store IV */
+
+ CLEAR_REG(v1)
+ CLEAR_REG(v0)
+
+.Lcbc_enc_skip:
+ ret
+.size _gcry_aes_cbc_enc_armv8_ce,.-_gcry_aes_cbc_enc_armv8_ce;
+
+/*
+ * void _gcry_aes_cbc_dec_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_cbc_dec_armv8_ce
+.type _gcry_aes_cbc_dec_armv8_ce,%function;
+_gcry_aes_cbc_dec_armv8_ce:
+ /* input:
+ * x0: keysched
+ * x1: outbuf
+ * x2: inbuf
+ * x3: iv
+ * x4: nblocks
+ * w5: nrounds
+ */
+
+ cbz x4, .Lcbc_dec_skip
+
+ ld1 {v0.16b}, [x3] /* load IV */
+
+ aes_preload_keys(x0, w5);
+
+ b.eq .Lcbc_dec_entry_192
+ b.hi .Lcbc_dec_entry_256
+
+#define CBC_DEC(bits) \
+ .Lcbc_dec_entry_##bits: \
+ cmp x4, #4; \
+ b.lo .Lcbc_dec_loop_##bits; \
+ \
+ .Lcbc_dec_loop4_##bits: \
+ \
+ ld1 {v1.16b-v4.16b}, [x2], #64; /* load ciphertext */ \
+ sub x4, x4, #4; \
+ mov v5.16b, v1.16b; \
+ mov v6.16b, v2.16b; \
+ mov v7.16b, v3.16b; \
+ mov v16.16b, v4.16b; \
+ cmp x4, #4; \
+ \
+ do_aes_4_##bits(d, imc, v1, v2, v3, v4); \
+ \
+ eor v1.16b, v1.16b, v0.16b; \
+ eor v2.16b, v2.16b, v5.16b; \
+ st1 {v1.16b-v2.16b}, [x1], #32; /* store plaintext */ \
+ eor v3.16b, v3.16b, v6.16b; \
+ eor v4.16b, v4.16b, v7.16b; \
+ mov v0.16b, v16.16b; /* next IV */ \
+ st1 {v3.16b-v4.16b}, [x1], #32; /* store plaintext */ \
+ \
+ b.hs .Lcbc_dec_loop4_##bits; \
+ CLEAR_REG(v3); \
+ CLEAR_REG(v4); \
+ CLEAR_REG(v5); \
+ CLEAR_REG(v6); \
+ CLEAR_REG(v7); \
+ CLEAR_REG(v16); \
+ cbz x4, .Lcbc_dec_done; \
+ \
+ .Lcbc_dec_loop_##bits: \
+ ld1 {v1.16b}, [x2], #16; /* load ciphertext */ \
+ sub x4, x4, #1; \
+ mov v2.16b, v1.16b; \
+ \
+ do_aes_one##bits(d, imc, v1, v1); \
+ \
+ eor v1.16b, v1.16b, v0.16b; \
+ mov v0.16b, v2.16b; \
+ st1 {v1.16b}, [x1], #16; /* store plaintext */ \
+ \
+ cbnz x4, .Lcbc_dec_loop_##bits; \
+ b .Lcbc_dec_done;
+
+ CBC_DEC(128)
+ CBC_DEC(192)
+ CBC_DEC(256)
+
+#undef CBC_DEC
+
+.Lcbc_dec_done:
+ aes_clear_keys(w5)
+
+ st1 {v0.16b}, [x3] /* store IV */
+
+ CLEAR_REG(v0)
+ CLEAR_REG(v1)
+ CLEAR_REG(v2)
+
+.Lcbc_dec_skip:
+ ret
+.size _gcry_aes_cbc_dec_armv8_ce,.-_gcry_aes_cbc_dec_armv8_ce;
+
+
+/*
+ * void _gcry_aes_ctr_enc_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_ctr_enc_armv8_ce
+.type _gcry_aes_ctr_enc_armv8_ce,%function;
+_gcry_aes_ctr_enc_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: iv
+ * x4: nblocks
+ * w5: nrounds
+ */
+
+ cbz x4, .Lctr_enc_skip
+
+ mov x6, #1
+ movi v16.16b, #0
+ mov v16.D[1], x6
+
+ /* load IV */
+ ldp x9, x10, [x3]
+ ld1 {v0.16b}, [x3]
+ rev x9, x9
+ rev x10, x10
+
+ aes_preload_keys(x0, w5);
+
+ b.eq .Lctr_enc_entry_192
+ b.hi .Lctr_enc_entry_256
+
+#define CTR_ENC(bits) \
+ .Lctr_enc_entry_##bits: \
+ cmp x4, #4; \
+ b.lo .Lctr_enc_loop_##bits; \
+ \
+ .Lctr_enc_loop4_##bits: \
+ cmp x10, #0xfffffffffffffffc; \
+ sub x4, x4, #4; \
+ b.lo .Lctr_enc_loop4_##bits##_nocarry; \
+ \
+ adds x10, x10, #1; \
+ mov v1.16b, v0.16b; \
+ adc x9, x9, xzr; \
+ mov v2.D[1], x10; \
+ mov v2.D[0], x9; \
+ \
+ adds x10, x10, #1; \
+ rev64 v2.16b, v2.16b; \
+ adc x9, x9, xzr; \
+ mov v3.D[1], x10; \
+ mov v3.D[0], x9; \
+ \
+ adds x10, x10, #1; \
+ rev64 v3.16b, v3.16b; \
+ adc x9, x9, xzr; \
+ mov v4.D[1], x10; \
+ mov v4.D[0], x9; \
+ \
+ adds x10, x10, #1; \
+ rev64 v4.16b, v4.16b; \
+ adc x9, x9, xzr; \
+ mov v0.D[1], x10; \
+ mov v0.D[0], x9; \
+ rev64 v0.16b, v0.16b; \
+ \
+ b .Lctr_enc_loop4_##bits##_store_ctr; \
+ \
+ .Lctr_enc_loop4_##bits##_nocarry: \
+ \
+ add v3.2d, v16.2d, v16.2d; /* 2 */ \
+ rev64 v6.16b, v0.16b; \
+ add x10, x10, #4; \
+ add v4.2d, v3.2d, v16.2d; /* 3 */ \
+ add v0.2d, v3.2d, v3.2d; /* 4 */ \
+ rev64 v1.16b, v6.16b; \
+ add v2.2d, v6.2d, v16.2d; \
+ add v3.2d, v6.2d, v3.2d; \
+ add v4.2d, v6.2d, v4.2d; \
+ add v0.2d, v6.2d, v0.2d; \
+ rev64 v2.16b, v2.16b; \
+ rev64 v3.16b, v3.16b; \
+ rev64 v0.16b, v0.16b; \
+ rev64 v4.16b, v4.16b; \
+ \
+ .Lctr_enc_loop4_##bits##_store_ctr: \
+ \
+ st1 {v0.16b}, [x3]; \
+ cmp x4, #4; \
+ ld1 {v5.16b-v7.16b}, [x2], #48; /* preload ciphertext */ \
+ \
+ do_aes_4_##bits(e, mc, v1, v2, v3, v4); \
+ \
+ eor v1.16b, v1.16b, v5.16b; \
+ ld1 {v5.16b}, [x2], #16; /* load ciphertext */ \
+ eor v2.16b, v2.16b, v6.16b; \
+ eor v3.16b, v3.16b, v7.16b; \
+ eor v4.16b, v4.16b, v5.16b; \
+ st1 {v1.16b-v4.16b}, [x1], #64; /* store plaintext */ \
+ \
+ b.hs .Lctr_enc_loop4_##bits; \
+ CLEAR_REG(v3); \
+ CLEAR_REG(v4); \
+ CLEAR_REG(v5); \
+ CLEAR_REG(v6); \
+ CLEAR_REG(v7); \
+ cbz x4, .Lctr_enc_done; \
+ \
+ .Lctr_enc_loop_##bits: \
+ \
+ adds x10, x10, #1; \
+ mov v1.16b, v0.16b; \
+ adc x9, x9, xzr; \
+ mov v0.D[1], x10; \
+ mov v0.D[0], x9; \
+ sub x4, x4, #1; \
+ ld1 {v2.16b}, [x2], #16; /* load ciphertext */ \
+ rev64 v0.16b, v0.16b; \
+ \
+ do_aes_one##bits(e, mc, v1, v1); \
+ \
+ eor v1.16b, v2.16b, v1.16b; \
+ st1 {v1.16b}, [x1], #16; /* store plaintext */ \
+ \
+ cbnz x4, .Lctr_enc_loop_##bits; \
+ b .Lctr_enc_done;
+
+ CTR_ENC(128)
+ CTR_ENC(192)
+ CTR_ENC(256)
+
+#undef CTR_ENC
+
+.Lctr_enc_done:
+ aes_clear_keys(w5)
+
+ st1 {v0.16b}, [x3] /* store IV */
+
+ CLEAR_REG(v0)
+ CLEAR_REG(v1)
+ CLEAR_REG(v2)
+
+.Lctr_enc_skip:
+ ret
+
+.size _gcry_aes_ctr_enc_armv8_ce,.-_gcry_aes_ctr_enc_armv8_ce;
+
+
+/*
+ * void _gcry_aes_cfb_enc_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_cfb_enc_armv8_ce
+.type _gcry_aes_cfb_enc_armv8_ce,%function;
+_gcry_aes_cfb_enc_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: iv
+ * x4: nblocks
+ * w5: nrounds
+ */
+
+ cbz x4, .Lcfb_enc_skip
+
+ /* load IV */
+ ld1 {v0.16b}, [x3]
+
+ aes_preload_keys(x0, w5);
+
+ b.eq .Lcfb_enc_entry_192
+ b.hi .Lcfb_enc_entry_256
+
+#define CFB_ENC(bits) \
+ .Lcfb_enc_entry_##bits: \
+ .Lcfb_enc_loop_##bits: \
+ ld1 {v1.16b}, [x2], #16; /* load plaintext */ \
+ sub x4, x4, #1; \
+ \
+ do_aes_one##bits(e, mc, v0, v0); \
+ \
+ eor v0.16b, v1.16b, v0.16b; \
+ st1 {v0.16b}, [x1], #16; /* store ciphertext */ \
+ \
+ cbnz x4, .Lcfb_enc_loop_##bits; \
+ b .Lcfb_enc_done;
+
+ CFB_ENC(128)
+ CFB_ENC(192)
+ CFB_ENC(256)
+
+#undef CFB_ENC
+
+.Lcfb_enc_done:
+ aes_clear_keys(w5)
+
+ st1 {v0.16b}, [x3] /* store IV */
+
+ CLEAR_REG(v0)
+ CLEAR_REG(v1)
+
+.Lcfb_enc_skip:
+ ret
+.size _gcry_aes_cfb_enc_armv8_ce,.-_gcry_aes_cfb_enc_armv8_ce;
+
+
+/*
+ * void _gcry_aes_cfb_dec_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *iv, unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_cfb_dec_armv8_ce
+.type _gcry_aes_cfb_dec_armv8_ce,%function;
+_gcry_aes_cfb_dec_armv8_ce:
+ /* input:
+ * r0: keysched
+ * r1: outbuf
+ * r2: inbuf
+ * r3: iv
+ * x4: nblocks
+ * w5: nrounds
+ */
+
+ cbz x4, .Lcfb_dec_skip
+
+ /* load IV */
+ ld1 {v0.16b}, [x3]
+
+ aes_preload_keys(x0, w5);
+
+ b.eq .Lcfb_dec_entry_192
+ b.hi .Lcfb_dec_entry_256
+
+#define CFB_DEC(bits) \
+ .Lcfb_dec_entry_##bits: \
+ cmp x4, #4; \
+ b.lo .Lcfb_dec_loop_##bits; \
+ \
+ .Lcfb_dec_loop4_##bits: \
+ \
+ ld1 {v2.16b-v4.16b}, [x2], #48; /* load ciphertext */ \
+ mov v1.16b, v0.16b; \
+ sub x4, x4, #4; \
+ cmp x4, #4; \
+ mov v5.16b, v2.16b; \
+ mov v6.16b, v3.16b; \
+ mov v7.16b, v4.16b; \
+ ld1 {v0.16b}, [x2], #16; /* load next IV / ciphertext */ \
+ \
+ do_aes_4_##bits(e, mc, v1, v2, v3, v4); \
+ \
+ eor v1.16b, v1.16b, v5.16b; \
+ eor v2.16b, v2.16b, v6.16b; \
+ eor v3.16b, v3.16b, v7.16b; \
+ eor v4.16b, v4.16b, v0.16b; \
+ st1 {v1.16b-v4.16b}, [x1], #64; /* store plaintext */ \
+ \
+ b.hs .Lcfb_dec_loop4_##bits; \
+ CLEAR_REG(v3); \
+ CLEAR_REG(v4); \
+ CLEAR_REG(v5); \
+ CLEAR_REG(v6); \
+ CLEAR_REG(v7); \
+ cbz x4, .Lcfb_dec_done; \
+ \
+ .Lcfb_dec_loop_##bits: \
+ \
+ ld1 {v1.16b}, [x2], #16; /* load ciphertext */ \
+ \
+ sub x4, x4, #1; \
+ \
+ do_aes_one##bits(e, mc, v0, v0); \
+ \
+ eor v2.16b, v1.16b, v0.16b; \
+ mov v0.16b, v1.16b; \
+ st1 {v2.16b}, [x1], #16; /* store plaintext */ \
+ \
+ cbnz x4, .Lcfb_dec_loop_##bits; \
+ b .Lcfb_dec_done;
+
+ CFB_DEC(128)
+ CFB_DEC(192)
+ CFB_DEC(256)
+
+#undef CFB_DEC
+
+.Lcfb_dec_done:
+ aes_clear_keys(w5)
+
+ st1 {v0.16b}, [x3] /* store IV */
+
+ CLEAR_REG(v0)
+ CLEAR_REG(v1)
+ CLEAR_REG(v2)
+
+.Lcfb_dec_skip:
+ ret
+.size _gcry_aes_cfb_dec_armv8_ce,.-_gcry_aes_cfb_dec_armv8_ce;
+
+
+/*
+ * void _gcry_aes_ocb_enc_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *offset,
+ * unsigned char *checksum,
+ * void **Ls,
+ * size_t nblocks,
+ * unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_ocb_enc_armv8_ce
+.type _gcry_aes_ocb_enc_armv8_ce,%function;
+_gcry_aes_ocb_enc_armv8_ce:
+ /* input:
+ * x0: keysched
+ * x1: outbuf
+ * x2: inbuf
+ * x3: offset
+ * x4: checksum
+ * x5: Ls
+ * x6: nblocks (0 < nblocks <= 32)
+ * w7: nrounds
+ */
+
+ ld1 {v0.16b}, [x3] /* load offset */
+ ld1 {v16.16b}, [x4] /* load checksum */
+
+ aes_preload_keys(x0, w7);
+
+ b.eq .Locb_enc_entry_192
+ b.hi .Locb_enc_entry_256
+
+#define OCB_ENC(bits, ...) \
+ .Locb_enc_entry_##bits: \
+ cmp x6, #4; \
+ b.lo .Locb_enc_loop_##bits; \
+ \
+ .Locb_enc_loop4_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* Checksum_i = Checksum_{i-1} xor P_i */ \
+ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \
+ \
+ ldp ptr8, ptr9, [x5], #(ptr_sz*2); \
+ \
+ ld1 {v1.16b-v4.16b}, [x2], #64; /* load P_i+<0-3> */ \
+ ldp ptr10, ptr11, [x5], #(ptr_sz*2); \
+ sub x6, x6, #4; \
+ \
+ ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \
+ eor v16.16b, v16.16b, v1.16b; /* Checksum_i+0 */ \
+ ld1 {v6.16b}, [x9]; /* load L_{ntz(i+1)} */ \
+ eor v16.16b, v16.16b, v2.16b; /* Checksum_i+1 */ \
+ ld1 {v7.16b}, [x10]; /* load L_{ntz(i+2)} */ \
+ eor v16.16b, v16.16b, v3.16b; /* Checksum_i+2 */ \
+ eor v5.16b, v5.16b, v0.16b; /* Offset_i+0 */ \
+ ld1 {v0.16b}, [x11]; /* load L_{ntz(i+3)} */ \
+ eor v16.16b, v16.16b, v4.16b; /* Checksum_i+3 */ \
+ eor v6.16b, v6.16b, v5.16b; /* Offset_i+1 */ \
+ eor v1.16b, v1.16b, v5.16b; /* P_i+0 xor Offset_i+0 */ \
+ eor v7.16b, v7.16b, v6.16b; /* Offset_i+2 */ \
+ eor v2.16b, v2.16b, v6.16b; /* P_i+1 xor Offset_i+1 */ \
+ eor v0.16b, v0.16b, v7.16b; /* Offset_i+3 */ \
+ cmp x6, #4; \
+ eor v3.16b, v3.16b, v7.16b; /* P_i+2 xor Offset_i+2 */ \
+ eor v4.16b, v4.16b, v0.16b; /* P_i+3 xor Offset_i+3 */ \
+ \
+ do_aes_4_##bits(e, mc, v1, v2, v3, v4); \
+ \
+ eor v1.16b, v1.16b, v5.16b; /* xor Offset_i+0 */ \
+ eor v2.16b, v2.16b, v6.16b; /* xor Offset_i+1 */ \
+ eor v3.16b, v3.16b, v7.16b; /* xor Offset_i+2 */ \
+ eor v4.16b, v4.16b, v0.16b; /* xor Offset_i+3 */ \
+ st1 {v1.16b-v4.16b}, [x1], #64; \
+ \
+ b.hs .Locb_enc_loop4_##bits; \
+ CLEAR_REG(v3); \
+ CLEAR_REG(v4); \
+ CLEAR_REG(v5); \
+ CLEAR_REG(v6); \
+ CLEAR_REG(v7); \
+ cbz x6, .Locb_enc_done; \
+ \
+ .Locb_enc_loop_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* Checksum_i = Checksum_{i-1} xor P_i */ \
+ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \
+ \
+ ldr ptr8, [x5], #(ptr_sz); \
+ ld1 {v1.16b}, [x2], #16; /* load plaintext */ \
+ ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \
+ sub x6, x6, #1; \
+ eor v0.16b, v0.16b, v2.16b; \
+ eor v16.16b, v16.16b, v1.16b; \
+ eor v1.16b, v1.16b, v0.16b; \
+ \
+ do_aes_one##bits(e, mc, v1, v1); \
+ \
+ eor v1.16b, v1.16b, v0.16b; \
+ st1 {v1.16b}, [x1], #16; /* store ciphertext */ \
+ \
+ cbnz x6, .Locb_enc_loop_##bits; \
+ b .Locb_enc_done;
+
+ OCB_ENC(128)
+ OCB_ENC(192)
+ OCB_ENC(256)
+
+#undef OCB_ENC
+
+.Locb_enc_done:
+ aes_clear_keys(w7)
+
+ st1 {v16.16b}, [x4] /* store checksum */
+ st1 {v0.16b}, [x3] /* store offset */
+
+ CLEAR_REG(v0)
+ CLEAR_REG(v1)
+ CLEAR_REG(v2)
+ CLEAR_REG(v16)
+
+ ret
+.size _gcry_aes_ocb_enc_armv8_ce,.-_gcry_aes_ocb_enc_armv8_ce;
+
+
+/*
+ * void _gcry_aes_ocb_dec_armv8_ce (const void *keysched,
+ * unsigned char *outbuf,
+ * const unsigned char *inbuf,
+ * unsigned char *offset,
+ * unsigned char *checksum,
+ * void **Ls,
+ * size_t nblocks,
+ * unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_ocb_dec_armv8_ce
+.type _gcry_aes_ocb_dec_armv8_ce,%function;
+_gcry_aes_ocb_dec_armv8_ce:
+ /* input:
+ * x0: keysched
+ * x1: outbuf
+ * x2: inbuf
+ * x3: offset
+ * x4: checksum
+ * x5: Ls
+ * x6: nblocks (0 < nblocks <= 32)
+ * w7: nrounds
+ */
+
+ ld1 {v0.16b}, [x3] /* load offset */
+ ld1 {v16.16b}, [x4] /* load checksum */
+
+ aes_preload_keys(x0, w7);
+
+ b.eq .Locb_dec_entry_192
+ b.hi .Locb_dec_entry_256
+
+#define OCB_DEC(bits) \
+ .Locb_dec_entry_##bits: \
+ cmp x6, #4; \
+ b.lo .Locb_dec_loop_##bits; \
+ \
+ .Locb_dec_loop4_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \
+ /* Checksum_i = Checksum_{i-1} xor P_i */ \
+ \
+ ldp ptr8, ptr9, [x5], #(ptr_sz*2); \
+ \
+ ld1 {v1.16b-v4.16b}, [x2], #64; /* load C_i+<0-3> */ \
+ ldp ptr10, ptr11, [x5], #(ptr_sz*2); \
+ sub x6, x6, #4; \
+ \
+ ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \
+ ld1 {v6.16b}, [x9]; /* load L_{ntz(i+1)} */ \
+ ld1 {v7.16b}, [x10]; /* load L_{ntz(i+2)} */ \
+ eor v5.16b, v5.16b, v0.16b; /* Offset_i+0 */ \
+ ld1 {v0.16b}, [x11]; /* load L_{ntz(i+3)} */ \
+ eor v6.16b, v6.16b, v5.16b; /* Offset_i+1 */ \
+ eor v1.16b, v1.16b, v5.16b; /* C_i+0 xor Offset_i+0 */ \
+ eor v7.16b, v7.16b, v6.16b; /* Offset_i+2 */ \
+ eor v2.16b, v2.16b, v6.16b; /* C_i+1 xor Offset_i+1 */ \
+ eor v0.16b, v0.16b, v7.16b; /* Offset_i+3 */ \
+ cmp x6, #4; \
+ eor v3.16b, v3.16b, v7.16b; /* C_i+2 xor Offset_i+2 */ \
+ eor v4.16b, v4.16b, v0.16b; /* C_i+3 xor Offset_i+3 */ \
+ \
+ do_aes_4_##bits(d, imc, v1, v2, v3, v4); \
+ \
+ eor v1.16b, v1.16b, v5.16b; /* xor Offset_i+0 */ \
+ eor v2.16b, v2.16b, v6.16b; /* xor Offset_i+1 */ \
+ eor v16.16b, v16.16b, v1.16b; /* Checksum_i+0 */ \
+ eor v3.16b, v3.16b, v7.16b; /* xor Offset_i+2 */ \
+ eor v16.16b, v16.16b, v2.16b; /* Checksum_i+1 */ \
+ eor v4.16b, v4.16b, v0.16b; /* xor Offset_i+3 */ \
+ eor v16.16b, v16.16b, v3.16b; /* Checksum_i+2 */ \
+ eor v16.16b, v16.16b, v4.16b; /* Checksum_i+3 */ \
+ st1 {v1.16b-v4.16b}, [x1], #64; \
+ \
+ b.hs .Locb_dec_loop4_##bits; \
+ CLEAR_REG(v3); \
+ CLEAR_REG(v4); \
+ CLEAR_REG(v5); \
+ CLEAR_REG(v6); \
+ CLEAR_REG(v7); \
+ cbz x6, .Locb_dec_done; \
+ \
+ .Locb_dec_loop_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \
+ /* Checksum_i = Checksum_{i-1} xor P_i */ \
+ \
+ ldr ptr8, [x5], #(ptr_sz); \
+ ld1 {v1.16b}, [x2], #16; /* load ciphertext */ \
+ ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \
+ sub x6, x6, #1; \
+ eor v0.16b, v0.16b, v2.16b; \
+ eor v1.16b, v1.16b, v0.16b; \
+ \
+ do_aes_one##bits(d, imc, v1, v1) \
+ \
+ eor v1.16b, v1.16b, v0.16b; \
+ st1 {v1.16b}, [x1], #16; /* store plaintext */ \
+ eor v16.16b, v16.16b, v1.16b; \
+ \
+ cbnz x6, .Locb_dec_loop_##bits; \
+ b .Locb_dec_done;
+
+ OCB_DEC(128)
+ OCB_DEC(192)
+ OCB_DEC(256)
+
+#undef OCB_DEC
+
+.Locb_dec_done:
+ aes_clear_keys(w7)
+
+ st1 {v16.16b}, [x4] /* store checksum */
+ st1 {v0.16b}, [x3] /* store offset */
+
+ CLEAR_REG(v0)
+ CLEAR_REG(v1)
+ CLEAR_REG(v2)
+ CLEAR_REG(v16)
+
+ ret
+.size _gcry_aes_ocb_dec_armv8_ce,.-_gcry_aes_ocb_dec_armv8_ce;
+
+
+/*
+ * void _gcry_aes_ocb_auth_armv8_ce (const void *keysched,
+ * const unsigned char *abuf,
+ * unsigned char *offset,
+ * unsigned char *checksum,
+ * void **Ls,
+ * size_t nblocks,
+ * unsigned int nrounds);
+ */
+
+.align 3
+.globl _gcry_aes_ocb_auth_armv8_ce
+.type _gcry_aes_ocb_auth_armv8_ce,%function;
+_gcry_aes_ocb_auth_armv8_ce:
+ /* input:
+ * x0: keysched
+ * x1: abuf
+ * x2: offset => x3
+ * x3: checksum => x4
+ * x4: Ls => x5
+ * x5: nblocks => x6 (0 < nblocks <= 32)
+ * w6: nrounds => w7
+ */
+ mov x7, x6
+ mov x6, x5
+ mov x5, x4
+ mov x4, x3
+ mov x3, x2
+
+ aes_preload_keys(x0, w7);
+
+ ld1 {v0.16b}, [x3] /* load offset */
+ ld1 {v16.16b}, [x4] /* load checksum */
+
+ beq .Locb_auth_entry_192
+ bhi .Locb_auth_entry_256
+
+#define OCB_AUTH(bits) \
+ .Locb_auth_entry_##bits: \
+ cmp x6, #4; \
+ b.lo .Locb_auth_loop_##bits; \
+ \
+ .Locb_auth_loop4_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \
+ \
+ ldp ptr8, ptr9, [x5], #(ptr_sz*2); \
+ \
+ ld1 {v1.16b-v4.16b}, [x1], #64; /* load A_i+<0-3> */ \
+ ldp ptr10, ptr11, [x5], #(ptr_sz*2); \
+ sub x6, x6, #4; \
+ \
+ ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \
+ ld1 {v6.16b}, [x9]; /* load L_{ntz(i+1)} */ \
+ ld1 {v7.16b}, [x10]; /* load L_{ntz(i+2)} */ \
+ eor v5.16b, v5.16b, v0.16b; /* Offset_i+0 */ \
+ ld1 {v0.16b}, [x11]; /* load L_{ntz(i+3)} */ \
+ eor v6.16b, v6.16b, v5.16b; /* Offset_i+1 */ \
+ eor v1.16b, v1.16b, v5.16b; /* A_i+0 xor Offset_i+0 */ \
+ eor v7.16b, v7.16b, v6.16b; /* Offset_i+2 */ \
+ eor v2.16b, v2.16b, v6.16b; /* A_i+1 xor Offset_i+1 */ \
+ eor v0.16b, v0.16b, v7.16b; /* Offset_i+3 */ \
+ cmp x6, #4; \
+ eor v3.16b, v3.16b, v7.16b; /* A_i+2 xor Offset_i+2 */ \
+ eor v4.16b, v4.16b, v0.16b; /* A_i+3 xor Offset_i+3 */ \
+ \
+ do_aes_4_##bits(e, mc, v1, v2, v3, v4); \
+ \
+ eor v1.16b, v1.16b, v2.16b; \
+ eor v16.16b, v16.16b, v3.16b; \
+ eor v1.16b, v1.16b, v4.16b; \
+ eor v16.16b, v16.16b, v1.16b; \
+ \
+ b.hs .Locb_auth_loop4_##bits; \
+ CLEAR_REG(v3); \
+ CLEAR_REG(v4); \
+ CLEAR_REG(v5); \
+ CLEAR_REG(v6); \
+ CLEAR_REG(v7); \
+ cbz x6, .Locb_auth_done; \
+ \
+ .Locb_auth_loop_##bits: \
+ \
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \
+ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \
+ \
+ ldr ptr8, [x5], #(ptr_sz); \
+ ld1 {v1.16b}, [x1], #16; /* load aadtext */ \
+ ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \
+ sub x6, x6, #1; \
+ eor v0.16b, v0.16b, v2.16b; \
+ eor v1.16b, v1.16b, v0.16b; \
+ \
+ do_aes_one##bits(e, mc, v1, v1) \
+ \
+ eor v16.16b, v16.16b, v1.16b; \
+ \
+ cbnz x6, .Locb_auth_loop_##bits; \
+ b .Locb_auth_done;
+
+ OCB_AUTH(128)
+ OCB_AUTH(192)
+ OCB_AUTH(256)
+
+#undef OCB_AUTH
+
+.Locb_auth_done:
+ aes_clear_keys(w7)
+
+ st1 {v16.16b}, [x4] /* store checksum */
+ st1 {v0.16b}, [x3] /* store offset */
+
+ CLEAR_REG(v0)
+ CLEAR_REG(v1)
+ CLEAR_REG(v2)
+ CLEAR_REG(v16)
+
+ ret
+.size _gcry_aes_ocb_auth_armv8_ce,.-_gcry_aes_ocb_auth_armv8_ce;
+
+
+/*
+ * u32 _gcry_aes_sbox4_armv8_ce(u32 in4b);
+ */
+.align 3
+.globl _gcry_aes_sbox4_armv8_ce
+.type _gcry_aes_sbox4_armv8_ce,%function;
+_gcry_aes_sbox4_armv8_ce:
+ /* See "Gouvêa, C. P. L. & López, J. Implementing GCM on ARMv8. Topics in
+ * Cryptology — CT-RSA 2015" for details.
+ */
+ movi v0.16b, #0x52
+ movi v1.16b, #0
+ mov v0.S[0], w0
+ aese v0.16b, v1.16b
+ addv s0, v0.4s
+ mov w0, v0.S[0]
+ CLEAR_REG(v0)
+ ret
+.size _gcry_aes_sbox4_armv8_ce,.-_gcry_aes_sbox4_armv8_ce;
+
+
+/*
+ * void _gcry_aes_invmixcol_armv8_ce(void *dst, const void *src);
+ */
+.align 3
+.globl _gcry_aes_invmixcol_armv8_ce
+.type _gcry_aes_invmixcol_armv8_ce,%function;
+_gcry_aes_invmixcol_armv8_ce:
+ ld1 {v0.16b}, [x1]
+ aesimc v0.16b, v0.16b
+ st1 {v0.16b}, [x0]
+ CLEAR_REG(v0)
+ ret
+.size _gcry_aes_invmixcol_armv8_ce,.-_gcry_aes_invmixcol_armv8_ce;
+
+#endif
--- /dev/null
+/* ARMv8 Crypto Extension AES for Libgcrypt
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h> /* for memcmp() */
+
+#include "types.h" /* for byte and u32 typedefs */
+#include "g10lib.h"
+#include "cipher.h"
+#include "bufhelp.h"
+#include "cipher-selftest.h"
+#include "rijndael-internal.h"
+#include "./cipher-internal.h"
+
+
+#ifdef USE_ARM_CE
+
+
+typedef struct u128_s { u32 a, b, c, d; } u128_t;
+
+extern u32 _gcry_aes_sbox4_armv8_ce(u32 in4b);
+extern void _gcry_aes_invmixcol_armv8_ce(u128_t *dst, const u128_t *src);
+
+extern unsigned int _gcry_aes_enc_armv8_ce(const void *keysched, byte *dst,
+ const byte *src,
+ unsigned int nrounds);
+extern unsigned int _gcry_aes_dec_armv8_ce(const void *keysched, byte *dst,
+ const byte *src,
+ unsigned int nrounds);
+
+extern void _gcry_aes_cbc_enc_armv8_ce (const void *keysched,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks,
+ int cbc_mac, unsigned int nrounds);
+extern void _gcry_aes_cbc_dec_armv8_ce (const void *keysched,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks,
+ unsigned int nrounds);
+
+extern void _gcry_aes_cfb_enc_armv8_ce (const void *keysched,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks,
+ unsigned int nrounds);
+extern void _gcry_aes_cfb_dec_armv8_ce (const void *keysched,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks,
+ unsigned int nrounds);
+
+extern void _gcry_aes_ctr_enc_armv8_ce (const void *keysched,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks,
+ unsigned int nrounds);
+
+extern void _gcry_aes_ocb_enc_armv8_ce (const void *keysched,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *offset,
+ unsigned char *checksum,
+ void **Ls,
+ size_t nblocks,
+ unsigned int nrounds);
+extern void _gcry_aes_ocb_dec_armv8_ce (const void *keysched,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *offset,
+ unsigned char *checksum,
+ void **Ls,
+ size_t nblocks,
+ unsigned int nrounds);
+extern void _gcry_aes_ocb_auth_armv8_ce (const void *keysched,
+ const unsigned char *abuf,
+ unsigned char *offset,
+ unsigned char *checksum,
+ void **Ls,
+ size_t nblocks,
+ unsigned int nrounds);
+
+typedef void (*ocb_crypt_fn_t) (const void *keysched, unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *offset, unsigned char *checksum,
+ void **Ls, size_t nblocks,
+ unsigned int nrounds);
+
+void
+_gcry_aes_armv8_ce_setkey (RIJNDAEL_context *ctx, const byte *key)
+{
+ union
+ {
+ PROPERLY_ALIGNED_TYPE dummy;
+ byte data[MAXKC][4];
+ u32 data32[MAXKC];
+ } tkk[2];
+ unsigned int rounds = ctx->rounds;
+ int KC = rounds - 6;
+ unsigned int keylen = KC * 4;
+ unsigned int i, r, t;
+ byte rcon = 1;
+ int j;
+#define k tkk[0].data
+#define k_u32 tkk[0].data32
+#define tk tkk[1].data
+#define tk_u32 tkk[1].data32
+#define W (ctx->keyschenc)
+#define W_u32 (ctx->keyschenc32)
+
+ for (i = 0; i < keylen; i++)
+ {
+ k[i >> 2][i & 3] = key[i];
+ }
+
+ for (j = KC-1; j >= 0; j--)
+ {
+ tk_u32[j] = k_u32[j];
+ }
+ r = 0;
+ t = 0;
+ /* Copy values into round key array. */
+ for (j = 0; (j < KC) && (r < rounds + 1); )
+ {
+ for (; (j < KC) && (t < 4); j++, t++)
+ {
+ W_u32[r][t] = le_bswap32(tk_u32[j]);
+ }
+ if (t == 4)
+ {
+ r++;
+ t = 0;
+ }
+ }
+
+ while (r < rounds + 1)
+ {
+ tk_u32[0] ^= _gcry_aes_sbox4_armv8_ce(rol(tk_u32[KC - 1], 24)) ^ rcon;
+
+ if (KC != 8)
+ {
+ for (j = 1; j < KC; j++)
+ {
+ tk_u32[j] ^= tk_u32[j-1];
+ }
+ }
+ else
+ {
+ for (j = 1; j < KC/2; j++)
+ {
+ tk_u32[j] ^= tk_u32[j-1];
+ }
+
+ tk_u32[KC/2] ^= _gcry_aes_sbox4_armv8_ce(tk_u32[KC/2 - 1]);
+
+ for (j = KC/2 + 1; j < KC; j++)
+ {
+ tk_u32[j] ^= tk_u32[j-1];
+ }
+ }
+
+ /* Copy values into round key array. */
+ for (j = 0; (j < KC) && (r < rounds + 1); )
+ {
+ for (; (j < KC) && (t < 4); j++, t++)
+ {
+ W_u32[r][t] = le_bswap32(tk_u32[j]);
+ }
+ if (t == 4)
+ {
+ r++;
+ t = 0;
+ }
+ }
+
+ rcon = (rcon << 1) ^ ((rcon >> 7) * 0x1b);
+ }
+
+#undef W
+#undef tk
+#undef k
+#undef W_u32
+#undef tk_u32
+#undef k_u32
+ wipememory(&tkk, sizeof(tkk));
+}
+
+/* Make a decryption key from an encryption key. */
+void
+_gcry_aes_armv8_ce_prepare_decryption (RIJNDAEL_context *ctx)
+{
+ u128_t *ekey = (u128_t *)(void *)ctx->keyschenc;
+ u128_t *dkey = (u128_t *)(void *)ctx->keyschdec;
+ int rounds = ctx->rounds;
+ int rr;
+ int r;
+
+#define DO_AESIMC() _gcry_aes_invmixcol_armv8_ce(&dkey[r], &ekey[rr])
+
+ dkey[0] = ekey[rounds];
+ r = 1;
+ rr = rounds-1;
+ DO_AESIMC(); r++; rr--; /* round 1 */
+ DO_AESIMC(); r++; rr--; /* round 2 */
+ DO_AESIMC(); r++; rr--; /* round 3 */
+ DO_AESIMC(); r++; rr--; /* round 4 */
+ DO_AESIMC(); r++; rr--; /* round 5 */
+ DO_AESIMC(); r++; rr--; /* round 6 */
+ DO_AESIMC(); r++; rr--; /* round 7 */
+ DO_AESIMC(); r++; rr--; /* round 8 */
+ DO_AESIMC(); r++; rr--; /* round 9 */
+ if (rounds >= 12)
+ {
+ if (rounds > 12)
+ {
+ DO_AESIMC(); r++; rr--; /* round 10 */
+ DO_AESIMC(); r++; rr--; /* round 11 */
+ }
+
+ DO_AESIMC(); r++; rr--; /* round 12 / 10 */
+ DO_AESIMC(); r++; rr--; /* round 13 / 11 */
+ }
+
+ dkey[r] = ekey[0];
+
+#undef DO_AESIMC
+}
+
+unsigned int
+_gcry_aes_armv8_ce_encrypt (const RIJNDAEL_context *ctx, unsigned char *dst,
+ const unsigned char *src)
+{
+ const void *keysched = ctx->keyschenc32;
+ unsigned int nrounds = ctx->rounds;
+
+ return _gcry_aes_enc_armv8_ce(keysched, dst, src, nrounds);
+}
+
+unsigned int
+_gcry_aes_armv8_ce_decrypt (const RIJNDAEL_context *ctx, unsigned char *dst,
+ const unsigned char *src)
+{
+ const void *keysched = ctx->keyschdec32;
+ unsigned int nrounds = ctx->rounds;
+
+ return _gcry_aes_dec_armv8_ce(keysched, dst, src, nrounds);
+}
+
+void
+_gcry_aes_armv8_ce_cbc_enc (const RIJNDAEL_context *ctx, unsigned char *outbuf,
+ const unsigned char *inbuf, unsigned char *iv,
+ size_t nblocks, int cbc_mac)
+{
+ const void *keysched = ctx->keyschenc32;
+ unsigned int nrounds = ctx->rounds;
+
+ _gcry_aes_cbc_enc_armv8_ce(keysched, outbuf, inbuf, iv, nblocks, cbc_mac,
+ nrounds);
+}
+
+void
+_gcry_aes_armv8_ce_cbc_dec (RIJNDAEL_context *ctx, unsigned char *outbuf,
+ const unsigned char *inbuf, unsigned char *iv,
+ size_t nblocks)
+{
+ const void *keysched = ctx->keyschdec32;
+ unsigned int nrounds = ctx->rounds;
+
+ _gcry_aes_cbc_dec_armv8_ce(keysched, outbuf, inbuf, iv, nblocks, nrounds);
+}
+
+void
+_gcry_aes_armv8_ce_cfb_enc (RIJNDAEL_context *ctx, unsigned char *outbuf,
+ const unsigned char *inbuf, unsigned char *iv,
+ size_t nblocks)
+{
+ const void *keysched = ctx->keyschenc32;
+ unsigned int nrounds = ctx->rounds;
+
+ _gcry_aes_cfb_enc_armv8_ce(keysched, outbuf, inbuf, iv, nblocks, nrounds);
+}
+
+void
+_gcry_aes_armv8_ce_cfb_dec (RIJNDAEL_context *ctx, unsigned char *outbuf,
+ const unsigned char *inbuf, unsigned char *iv,
+ size_t nblocks)
+{
+ const void *keysched = ctx->keyschenc32;
+ unsigned int nrounds = ctx->rounds;
+
+ _gcry_aes_cfb_dec_armv8_ce(keysched, outbuf, inbuf, iv, nblocks, nrounds);
+}
+
+void
+_gcry_aes_armv8_ce_ctr_enc (RIJNDAEL_context *ctx, unsigned char *outbuf,
+ const unsigned char *inbuf, unsigned char *iv,
+ size_t nblocks)
+{
+ const void *keysched = ctx->keyschenc32;
+ unsigned int nrounds = ctx->rounds;
+
+ _gcry_aes_ctr_enc_armv8_ce(keysched, outbuf, inbuf, iv, nblocks, nrounds);
+}
+
+void
+_gcry_aes_armv8_ce_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg,
+ const void *inbuf_arg, size_t nblocks,
+ int encrypt)
+{
+ RIJNDAEL_context *ctx = (void *)&c->context.c;
+ const void *keysched = encrypt ? ctx->keyschenc32 : ctx->keyschdec32;
+ ocb_crypt_fn_t crypt_fn = encrypt ? _gcry_aes_ocb_enc_armv8_ce
+ : _gcry_aes_ocb_dec_armv8_ce;
+ unsigned char *outbuf = outbuf_arg;
+ const unsigned char *inbuf = inbuf_arg;
+ unsigned int nrounds = ctx->rounds;
+ u64 blkn = c->u_mode.ocb.data_nblocks;
+ u64 blkn_offs = blkn - blkn % 32;
+ unsigned int n = 32 - blkn % 32;
+ unsigned char l_tmp[16];
+ void *Ls[32];
+ void **l;
+ size_t i;
+
+ c->u_mode.ocb.data_nblocks = blkn + nblocks;
+
+ if (nblocks >= 32)
+ {
+ for (i = 0; i < 32; i += 8)
+ {
+ Ls[(i + 0 + n) % 32] = (void *)c->u_mode.ocb.L[0];
+ Ls[(i + 1 + n) % 32] = (void *)c->u_mode.ocb.L[1];
+ Ls[(i + 2 + n) % 32] = (void *)c->u_mode.ocb.L[0];
+ Ls[(i + 3 + n) % 32] = (void *)c->u_mode.ocb.L[2];
+ Ls[(i + 4 + n) % 32] = (void *)c->u_mode.ocb.L[0];
+ Ls[(i + 5 + n) % 32] = (void *)c->u_mode.ocb.L[1];
+ Ls[(i + 6 + n) % 32] = (void *)c->u_mode.ocb.L[0];
+ }
+
+ Ls[(7 + n) % 32] = (void *)c->u_mode.ocb.L[3];
+ Ls[(15 + n) % 32] = (void *)c->u_mode.ocb.L[4];
+ Ls[(23 + n) % 32] = (void *)c->u_mode.ocb.L[3];
+ l = &Ls[(31 + n) % 32];
+
+ /* Process data in 32 block chunks. */
+ while (nblocks >= 32)
+ {
+ /* l_tmp will be used only every 65536-th block. */
+ blkn_offs += 32;
+ *l = (void *)ocb_get_l(c, l_tmp, blkn_offs);
+
+ crypt_fn(keysched, outbuf, inbuf, c->u_iv.iv, c->u_ctr.ctr, Ls, 32,
+ nrounds);
+
+ nblocks -= 32;
+ outbuf += 32 * 16;
+ inbuf += 32 * 16;
+ }
+
+ if (nblocks && l < &Ls[nblocks])
+ {
+ *l = (void *)ocb_get_l(c, l_tmp, 32 + blkn_offs);
+ }
+ }
+ else
+ {
+ for (i = 0; i < nblocks; i++)
+ Ls[i] = (void *)ocb_get_l(c, l_tmp, ++blkn);
+ }
+
+ if (nblocks)
+ {
+ crypt_fn(keysched, outbuf, inbuf, c->u_iv.iv, c->u_ctr.ctr, Ls, nblocks,
+ nrounds);
+ }
+
+ wipememory(&l_tmp, sizeof(l_tmp));
+}
+
+void
+_gcry_aes_armv8_ce_ocb_auth (gcry_cipher_hd_t c, void *abuf_arg,
+ size_t nblocks)
+{
+ RIJNDAEL_context *ctx = (void *)&c->context.c;
+ const void *keysched = ctx->keyschenc32;
+ const unsigned char *abuf = abuf_arg;
+ unsigned int nrounds = ctx->rounds;
+ u64 blkn = c->u_mode.ocb.aad_nblocks;
+ u64 blkn_offs = blkn - blkn % 32;
+ unsigned int n = 32 - blkn % 32;
+ unsigned char l_tmp[16];
+ void *Ls[32];
+ void **l;
+ size_t i;
+
+ c->u_mode.ocb.aad_nblocks = blkn + nblocks;
+
+ if (nblocks >= 32)
+ {
+ for (i = 0; i < 32; i += 8)
+ {
+ Ls[(i + 0 + n) % 32] = (void *)c->u_mode.ocb.L[0];
+ Ls[(i + 1 + n) % 32] = (void *)c->u_mode.ocb.L[1];
+ Ls[(i + 2 + n) % 32] = (void *)c->u_mode.ocb.L[0];
+ Ls[(i + 3 + n) % 32] = (void *)c->u_mode.ocb.L[2];
+ Ls[(i + 4 + n) % 32] = (void *)c->u_mode.ocb.L[0];
+ Ls[(i + 5 + n) % 32] = (void *)c->u_mode.ocb.L[1];
+ Ls[(i + 6 + n) % 32] = (void *)c->u_mode.ocb.L[0];
+ }
+
+ Ls[(7 + n) % 32] = (void *)c->u_mode.ocb.L[3];
+ Ls[(15 + n) % 32] = (void *)c->u_mode.ocb.L[4];
+ Ls[(23 + n) % 32] = (void *)c->u_mode.ocb.L[3];
+ l = &Ls[(31 + n) % 32];
+
+ /* Process data in 32 block chunks. */
+ while (nblocks >= 32)
+ {
+ /* l_tmp will be used only every 65536-th block. */
+ blkn_offs += 32;
+ *l = (void *)ocb_get_l(c, l_tmp, blkn_offs);
+
+ _gcry_aes_ocb_auth_armv8_ce(keysched, abuf, c->u_mode.ocb.aad_offset,
+ c->u_mode.ocb.aad_sum, Ls, 32, nrounds);
+
+ nblocks -= 32;
+ abuf += 32 * 16;
+ }
+
+ if (nblocks && l < &Ls[nblocks])
+ {
+ *l = (void *)ocb_get_l(c, l_tmp, 32 + blkn_offs);
+ }
+ }
+ else
+ {
+ for (i = 0; i < nblocks; i++)
+ Ls[i] = (void *)ocb_get_l(c, l_tmp, ++blkn);
+ }
+
+ if (nblocks)
+ {
+ _gcry_aes_ocb_auth_armv8_ce(keysched, abuf, c->u_mode.ocb.aad_offset,
+ c->u_mode.ocb.aad_sum, Ls, nblocks, nrounds);
+ }
+
+ wipememory(&l_tmp, sizeof(l_tmp));
+}
+
+#endif /* USE_ARM_CE */
# define USE_ARM_ASM 1
# endif
#endif
+#if defined(__AARCH64EL__)
+# ifdef HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS
+# define USE_ARM_ASM 1
+# endif
+#endif
/* USE_PADLOCK indicates whether to compile the padlock specific
code. */
# endif
#endif /* ENABLE_AESNI_SUPPORT */
+/* USE_ARM_CE indicates whether to enable ARMv8 Crypto Extension assembly
+ * code. */
+#undef USE_ARM_CE
+#ifdef ENABLE_ARM_CRYPTO_SUPPORT
+# if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) \
+ && defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) \
+ && defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
+# define USE_ARM_CE 1
+# elif defined(__AARCH64EL__) \
+ && defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) \
+ && defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
+# define USE_ARM_CE 1
+# endif
+#endif /* ENABLE_ARM_CRYPTO_SUPPORT */
+
struct RIJNDAEL_context_s;
typedef unsigned int (*rijndael_cryptfn_t)(const struct RIJNDAEL_context_s *ctx,
#ifdef USE_SSSE3
unsigned int use_ssse3:1; /* SSSE3 shall be used. */
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ unsigned int use_arm_ce:1; /* ARMv8 CE shall be used. */
+#endif /*USE_ARM_CE*/
rijndael_cryptfn_t encrypt_fn;
rijndael_cryptfn_t decrypt_fn;
rijndael_prefetchfn_t prefetch_enc_fn;
".Lno_carry%=:\n\t"
"pshufb %%xmm6, %%xmm7\n\t"
- :
- : [ctr] "r" (ctr), [ctrlow] "r" (ctrlow)
+ : [ctrlow] "+r" (ctrlow)
+ : [ctr] "r" (ctr)
: "cc", "memory");
do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr);
const void *decT);
#endif /*USE_ARM_ASM*/
+#ifdef USE_ARM_CE
+/* ARMv8 Crypto Extension implementations of AES */
+extern void _gcry_aes_armv8_ce_setkey(RIJNDAEL_context *ctx, const byte *key);
+extern void _gcry_aes_armv8_ce_prepare_decryption(RIJNDAEL_context *ctx);
+
+extern unsigned int _gcry_aes_armv8_ce_encrypt(const RIJNDAEL_context *ctx,
+ unsigned char *dst,
+ const unsigned char *src);
+extern unsigned int _gcry_aes_armv8_ce_decrypt(const RIJNDAEL_context *ctx,
+ unsigned char *dst,
+ const unsigned char *src);
+
+extern void _gcry_aes_armv8_ce_cfb_enc (RIJNDAEL_context *ctx,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks);
+extern void _gcry_aes_armv8_ce_cbc_enc (RIJNDAEL_context *ctx,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks,
+ int cbc_mac);
+extern void _gcry_aes_armv8_ce_ctr_enc (RIJNDAEL_context *ctx,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *ctr, size_t nblocks);
+extern void _gcry_aes_armv8_ce_cfb_dec (RIJNDAEL_context *ctx,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks);
+extern void _gcry_aes_armv8_ce_cbc_dec (RIJNDAEL_context *ctx,
+ unsigned char *outbuf,
+ const unsigned char *inbuf,
+ unsigned char *iv, size_t nblocks);
+extern void _gcry_aes_armv8_ce_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg,
+ const void *inbuf_arg, size_t nblocks,
+ int encrypt);
+extern void _gcry_aes_armv8_ce_ocb_auth (gcry_cipher_hd_t c,
+ const void *abuf_arg, size_t nblocks);
+#endif /*USE_ARM_ASM*/
+
static unsigned int do_encrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
const unsigned char *ax);
static unsigned int do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
do_setkey (RIJNDAEL_context *ctx, const byte *key, const unsigned keylen)
{
static int initialized = 0;
- static const char *selftest_failed=0;
+ static const char *selftest_failed = 0;
int rounds;
int i,j, r, t, rconpointer = 0;
int KC;
-#if defined(USE_AESNI) || defined(USE_PADLOCK) || defined(USE_SSSE3)
+#if defined(USE_AESNI) || defined(USE_PADLOCK) || defined(USE_SSSE3) \
+ || defined(USE_ARM_CE)
unsigned int hwfeatures;
#endif
ctx->rounds = rounds;
-#if defined(USE_AESNI) || defined(USE_PADLOCK) || defined(USE_SSSE3)
+#if defined(USE_AESNI) || defined(USE_PADLOCK) || defined(USE_SSSE3) \
+ || defined(USE_ARM_CE)
hwfeatures = _gcry_get_hw_features ();
#endif
#ifdef USE_SSSE3
ctx->use_ssse3 = 0;
#endif
+#ifdef USE_ARM_CE
+ ctx->use_arm_ce = 0;
+#endif
if (0)
{
ctx->use_ssse3 = 1;
}
#endif
+#ifdef USE_ARM_CE
+ else if (hwfeatures & HWF_ARM_AES)
+ {
+ ctx->encrypt_fn = _gcry_aes_armv8_ce_encrypt;
+ ctx->decrypt_fn = _gcry_aes_armv8_ce_decrypt;
+ ctx->prefetch_enc_fn = NULL;
+ ctx->prefetch_dec_fn = NULL;
+ ctx->use_arm_ce = 1;
+ }
+#endif
else
{
ctx->encrypt_fn = do_encrypt;
else if (ctx->use_ssse3)
_gcry_aes_ssse3_do_setkey (ctx, key);
#endif
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ _gcry_aes_armv8_ce_setkey (ctx, key);
+#endif
else
{
const byte *sbox = ((const byte *)encT) + 1;
_gcry_aes_ssse3_prepare_decryption (ctx);
}
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ {
+ _gcry_aes_armv8_ce_prepare_decryption (ctx);
+ }
+#endif /*USE_SSSE3*/
#ifdef USE_PADLOCK
else if (ctx->use_padlock)
{
burn_depth = 0;
}
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ {
+ _gcry_aes_armv8_ce_cfb_enc (ctx, outbuf, inbuf, iv, nblocks);
+ burn_depth = 0;
+ }
+#endif /*USE_ARM_CE*/
else
{
rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn;
burn_depth = 0;
}
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ {
+ _gcry_aes_armv8_ce_cbc_enc (ctx, outbuf, inbuf, iv, nblocks, cbc_mac);
+ burn_depth = 0;
+ }
+#endif /*USE_ARM_CE*/
else
{
rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn;
burn_depth = 0;
}
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ {
+ _gcry_aes_armv8_ce_ctr_enc (ctx, outbuf, inbuf, ctr, nblocks);
+ burn_depth = 0;
+ }
+#endif /*USE_ARM_CE*/
else
{
union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } tmp;
burn_depth = 0;
}
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ {
+ _gcry_aes_armv8_ce_cfb_dec (ctx, outbuf, inbuf, iv, nblocks);
+ burn_depth = 0;
+ }
+#endif /*USE_ARM_CE*/
else
{
rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn;
burn_depth = 0;
}
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ {
+ _gcry_aes_armv8_ce_cbc_dec (ctx, outbuf, inbuf, iv, nblocks);
+ burn_depth = 0;
+ }
+#endif /*USE_ARM_CE*/
else
{
unsigned char savebuf[BLOCKSIZE] ATTR_ALIGNED_16;
burn_depth = 0;
}
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ {
+ _gcry_aes_armv8_ce_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt);
+ burn_depth = 0;
+ }
+#endif /*USE_ARM_CE*/
else if (encrypt)
{
union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp;
burn_depth = 0;
}
#endif /*USE_SSSE3*/
+#ifdef USE_ARM_CE
+ else if (ctx->use_arm_ce)
+ {
+ _gcry_aes_armv8_ce_ocb_auth (c, abuf, nblocks);
+ burn_depth = 0;
+ }
+#endif /*USE_ARM_CE*/
else
{
union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp;
goto leave;
if (DBG_CIPHER)
log_mpidump ("rsa_encrypt data", data);
- if (mpi_is_opaque (data))
+ if (!data || mpi_is_opaque (data))
{
rc = GPG_ERR_INV_DATA;
goto leave;
.Ldo_nothing:
mov r0, #0;
bx lr
+.size _gcry_sha1_transform_armv7_neon,.-_gcry_sha1_transform_armv7_neon;
#endif
--- /dev/null
+/* sha1-armv8-aarch32-ce.S - ARM/CE accelerated SHA-1 transform function
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) && \
+ defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO) && defined(USE_SHA1)
+
+.syntax unified
+.fpu crypto-neon-fp-armv8
+.arm
+
+.text
+
+#ifdef __PIC__
+# define GET_DATA_POINTER(reg, name, rtmp) \
+ ldr reg, 1f; \
+ ldr rtmp, 2f; \
+ b 3f; \
+ 1: .word _GLOBAL_OFFSET_TABLE_-(3f+8); \
+ 2: .word name(GOT); \
+ 3: add reg, pc, reg; \
+ ldr reg, [reg, rtmp];
+#else
+# define GET_DATA_POINTER(reg, name, rtmp) ldr reg, =name
+#endif
+
+
+/* Constants */
+
+#define K1 0x5A827999
+#define K2 0x6ED9EBA1
+#define K3 0x8F1BBCDC
+#define K4 0xCA62C1D6
+.align 4
+gcry_sha1_aarch32_ce_K_VEC:
+.LK_VEC:
+.LK1: .long K1, K1, K1, K1
+.LK2: .long K2, K2, K2, K2
+.LK3: .long K3, K3, K3, K3
+.LK4: .long K4, K4, K4, K4
+
+
+/* Register macros */
+
+#define qH4 q0
+#define sH4 s0
+#define qH0123 q1
+
+#define qABCD q2
+#define qE0 q3
+#define qE1 q4
+
+#define qT0 q5
+#define qT1 q6
+
+#define qW0 q8
+#define qW1 q9
+#define qW2 q10
+#define qW3 q11
+
+#define qK1 q12
+#define qK2 q13
+#define qK3 q14
+#define qK4 q15
+
+
+/* Round macros */
+
+#define _(...) /*_*/
+#define do_add(dst, src0, src1) vadd.u32 dst, src0, src1;
+#define do_sha1su0(w0,w1,w2) sha1su0.32 w0,w1,w2;
+#define do_sha1su1(w0,w3) sha1su1.32 w0,w3;
+
+#define do_rounds(f, e0, e1, t, k, w0, w1, w2, w3, add_fn, sha1su0_fn, sha1su1_fn) \
+ sha1su1_fn( w3, w2 ); \
+ sha1h.32 e0, qABCD; \
+ sha1##f.32 qABCD, e1, t; \
+ add_fn( t, w2, k ); \
+ sha1su0_fn( w0, w1, w2 );
+
+
+/* Other functional macros */
+
+#define CLEAR_REG(reg) veor reg, reg;
+
+
+/*
+ * unsigned int
+ * _gcry_sha1_transform_armv8_ce (void *ctx, const unsigned char *data,
+ * size_t nblks)
+ */
+.align 3
+.globl _gcry_sha1_transform_armv8_ce
+.type _gcry_sha1_transform_armv8_ce,%function;
+_gcry_sha1_transform_armv8_ce:
+ /* input:
+ * r0: ctx, CTX
+ * r1: data (64*nblks bytes)
+ * r2: nblks
+ */
+
+ cmp r2, #0;
+ push {r4,lr};
+ beq .Ldo_nothing;
+
+ vpush {q4-q7};
+
+ GET_DATA_POINTER(r4, .LK_VEC, lr);
+
+ veor qH4, qH4
+ vld1.32 {qH0123}, [r0] /* load h0,h1,h2,h3 */
+
+ vld1.32 {qK1-qK2}, [r4]! /* load K1,K2 */
+ vldr sH4, [r0, #16] /* load h4 */
+ vld1.32 {qK3-qK4}, [r4] /* load K3,K4 */
+
+ vld1.8 {qW0-qW1}, [r1]!
+ vmov qABCD, qH0123
+ vld1.8 {qW2-qW3}, [r1]!
+
+ vrev32.8 qW0, qW0
+ vrev32.8 qW1, qW1
+ vrev32.8 qW2, qW2
+ do_add(qT0, qW0, qK1)
+ vrev32.8 qW3, qW3
+ do_add(qT1, qW1, qK1)
+
+.Loop:
+ do_rounds(c, qE1, qH4, qT0, qK1, qW0, qW1, qW2, qW3, do_add, do_sha1su0, _)
+ subs r2, r2, #1
+ do_rounds(c, qE0, qE1, qT1, qK1, qW1, qW2, qW3, qW0, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(c, qE1, qE0, qT0, qK1, qW2, qW3, qW0, qW1, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(c, qE0, qE1, qT1, qK2, qW3, qW0, qW1, qW2, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(c, qE1, qE0, qT0, qK2, qW0, qW1, qW2, qW3, do_add, do_sha1su0, do_sha1su1)
+
+ do_rounds(p, qE0, qE1, qT1, qK2, qW1, qW2, qW3, qW0, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(p, qE1, qE0, qT0, qK2, qW2, qW3, qW0, qW1, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(p, qE0, qE1, qT1, qK2, qW3, qW0, qW1, qW2, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(p, qE1, qE0, qT0, qK3, qW0, qW1, qW2, qW3, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(p, qE0, qE1, qT1, qK3, qW1, qW2, qW3, qW0, do_add, do_sha1su0, do_sha1su1)
+
+ do_rounds(m, qE1, qE0, qT0, qK3, qW2, qW3, qW0, qW1, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(m, qE0, qE1, qT1, qK3, qW3, qW0, qW1, qW2, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(m, qE1, qE0, qT0, qK3, qW0, qW1, qW2, qW3, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(m, qE0, qE1, qT1, qK4, qW1, qW2, qW3, qW0, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(m, qE1, qE0, qT0, qK4, qW2, qW3, qW0, qW1, do_add, do_sha1su0, do_sha1su1)
+
+ do_rounds(p, qE0, qE1, qT1, qK4, qW3, qW0, qW1, qW2, do_add, do_sha1su0, do_sha1su1)
+ beq .Lend
+
+ vld1.8 {qW0-qW1}, [r1]! /* preload */
+ do_rounds(p, qE1, qE0, qT0, qK4, _ , _ , qW2, qW3, do_add, _, do_sha1su1)
+ vrev32.8 qW0, qW0
+ vld1.8 {qW2}, [r1]!
+ vrev32.8 qW1, qW1
+ do_rounds(p, qE0, qE1, qT1, qK4, _ , _ , qW3, _ , do_add, _, _)
+ vld1.8 {qW3}, [r1]!
+ vrev32.8 qW2, qW2
+ do_rounds(p, qE1, qE0, qT0, _, _, _, _, _, _, _, _)
+ vrev32.8 qW3, qW3
+ do_rounds(p, qE0, qE1, qT1, _, _, _, _, _, _, _, _)
+
+ do_add(qT0, qW0, qK1)
+ vadd.u32 qH4, qE0
+ vadd.u32 qABCD, qH0123
+ do_add(qT1, qW1, qK1)
+
+ vmov qH0123, qABCD
+
+ b .Loop
+
+.Lend:
+ do_rounds(p, qE1, qE0, qT0, qK4, _ , _ , qW2, qW3, do_add, _, do_sha1su1)
+ do_rounds(p, qE0, qE1, qT1, qK4, _ , _ , qW3, _ , do_add, _, _)
+ do_rounds(p, qE1, qE0, qT0, _, _, _, _, _, _, _, _)
+ do_rounds(p, qE0, qE1, qT1, _, _, _, _, _, _, _, _)
+
+ vadd.u32 qH4, qE0
+ vadd.u32 qH0123, qABCD
+
+ CLEAR_REG(qW0)
+ CLEAR_REG(qW1)
+ CLEAR_REG(qW2)
+ CLEAR_REG(qW3)
+ CLEAR_REG(qABCD)
+ CLEAR_REG(qE1)
+ CLEAR_REG(qE0)
+
+ vstr sH4, [r0, #16] /* store h4 */
+ vst1.32 {qH0123}, [r0] /* store h0,h1,h2,h3 */
+
+ CLEAR_REG(qH0123)
+ CLEAR_REG(qH4)
+ vpop {q4-q7}
+
+.Ldo_nothing:
+ mov r0, #0
+ pop {r4,pc}
+.size _gcry_sha1_transform_armv8_ce,.-_gcry_sha1_transform_armv8_ce;
+
+#endif
--- /dev/null
+/* sha1-armv8-aarch64-ce.S - ARM/CE accelerated SHA-1 transform function
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(__AARCH64EL__) && \
+ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO) && defined(USE_SHA1)
+
+.arch armv8-a+crypto
+
+.text
+
+
+#define GET_DATA_POINTER(reg, name) \
+ adrp reg, :got:name ; \
+ ldr reg, [reg, #:got_lo12:name] ;
+
+
+/* Constants */
+
+#define K1 0x5A827999
+#define K2 0x6ED9EBA1
+#define K3 0x8F1BBCDC
+#define K4 0xCA62C1D6
+.align 4
+gcry_sha1_aarch64_ce_K_VEC:
+.LK_VEC:
+.LK1: .long K1, K1, K1, K1
+.LK2: .long K2, K2, K2, K2
+.LK3: .long K3, K3, K3, K3
+.LK4: .long K4, K4, K4, K4
+
+
+/* Register macros */
+
+#define sH4 s0
+#define vH4 v0
+#define vH0123 v1
+
+#define qABCD q2
+#define sABCD s2
+#define vABCD v2
+#define sE0 s3
+#define vE0 v3
+#define sE1 s4
+#define vE1 v4
+
+#define vT0 v5
+#define vT1 v6
+
+#define vW0 v16
+#define vW1 v17
+#define vW2 v18
+#define vW3 v19
+
+#define vK1 v20
+#define vK2 v21
+#define vK3 v22
+#define vK4 v23
+
+
+/* Round macros */
+
+#define _(...) /*_*/
+#define do_add(dst, src0, src1) add dst.4s, src0.4s, src1.4s;
+#define do_sha1su0(w0,w1,w2) sha1su0 w0.4s,w1.4s,w2.4s;
+#define do_sha1su1(w0,w3) sha1su1 w0.4s,w3.4s;
+
+#define do_rounds(f, e0, e1, t, k, w0, w1, w2, w3, add_fn, sha1su0_fn, sha1su1_fn) \
+ sha1su1_fn( v##w3, v##w2 ); \
+ sha1h e0, sABCD; \
+ sha1##f qABCD, e1, v##t.4s; \
+ add_fn( v##t, v##w2, v##k ); \
+ sha1su0_fn( v##w0, v##w1, v##w2 );
+
+
+/* Other functional macros */
+
+#define CLEAR_REG(reg) eor reg.16b, reg.16b, reg.16b;
+
+
+/*
+ * unsigned int
+ * _gcry_sha1_transform_armv8_ce (void *ctx, const unsigned char *data,
+ * size_t nblks)
+ */
+.align 3
+.globl _gcry_sha1_transform_armv8_ce
+.type _gcry_sha1_transform_armv8_ce,%function;
+_gcry_sha1_transform_armv8_ce:
+ /* input:
+ * x0: ctx, CTX
+ * x1: data (64*nblks bytes)
+ * x2: nblks
+ */
+
+ cbz x2, .Ldo_nothing;
+
+ GET_DATA_POINTER(x4, .LK_VEC);
+
+ ld1 {vH0123.4s}, [x0] /* load h0,h1,h2,h3 */
+ ld1 {vK1.4s-vK4.4s}, [x4] /* load K1,K2,K3,K4 */
+ ldr sH4, [x0, #16] /* load h4 */
+
+ ld1 {vW0.16b-vW3.16b}, [x1], #64
+ mov vABCD.16b, vH0123.16b
+
+ rev32 vW0.16b, vW0.16b
+ rev32 vW1.16b, vW1.16b
+ rev32 vW2.16b, vW2.16b
+ do_add(vT0, vW0, vK1)
+ rev32 vW3.16b, vW3.16b
+ do_add(vT1, vW1, vK1)
+
+.Loop:
+ do_rounds(c, sE1, sH4, T0, K1, W0, W1, W2, W3, do_add, do_sha1su0, _)
+ sub x2, x2, #1
+ do_rounds(c, sE0, sE1, T1, K1, W1, W2, W3, W0, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(c, sE1, sE0, T0, K1, W2, W3, W0, W1, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(c, sE0, sE1, T1, K2, W3, W0, W1, W2, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(c, sE1, sE0, T0, K2, W0, W1, W2, W3, do_add, do_sha1su0, do_sha1su1)
+
+ do_rounds(p, sE0, sE1, T1, K2, W1, W2, W3, W0, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(p, sE1, sE0, T0, K2, W2, W3, W0, W1, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(p, sE0, sE1, T1, K2, W3, W0, W1, W2, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(p, sE1, sE0, T0, K3, W0, W1, W2, W3, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(p, sE0, sE1, T1, K3, W1, W2, W3, W0, do_add, do_sha1su0, do_sha1su1)
+
+ do_rounds(m, sE1, sE0, T0, K3, W2, W3, W0, W1, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(m, sE0, sE1, T1, K3, W3, W0, W1, W2, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(m, sE1, sE0, T0, K3, W0, W1, W2, W3, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(m, sE0, sE1, T1, K4, W1, W2, W3, W0, do_add, do_sha1su0, do_sha1su1)
+ do_rounds(m, sE1, sE0, T0, K4, W2, W3, W0, W1, do_add, do_sha1su0, do_sha1su1)
+
+ do_rounds(p, sE0, sE1, T1, K4, W3, W0, W1, W2, do_add, do_sha1su0, do_sha1su1)
+ cbz x2, .Lend
+
+ ld1 {vW0.16b-vW1.16b}, [x1], #32 /* preload */
+ do_rounds(p, sE1, sE0, T0, K4, _ , _ , W2, W3, do_add, _, do_sha1su1)
+ rev32 vW0.16b, vW0.16b
+ ld1 {vW2.16b}, [x1], #16
+ rev32 vW1.16b, vW1.16b
+ do_rounds(p, sE0, sE1, T1, K4, _ , _ , W3, _ , do_add, _, _)
+ ld1 {vW3.16b}, [x1], #16
+ rev32 vW2.16b, vW2.16b
+ do_rounds(p, sE1, sE0, T0, _, _, _, _, _, _, _, _)
+ rev32 vW3.16b, vW3.16b
+ do_rounds(p, sE0, sE1, T1, _, _, _, _, _, _, _, _)
+
+ do_add(vT0, vW0, vK1)
+ add vH4.2s, vH4.2s, vE0.2s
+ add vABCD.4s, vABCD.4s, vH0123.4s
+ do_add(vT1, vW1, vK1)
+
+ mov vH0123.16b, vABCD.16b
+
+ b .Loop
+
+.Lend:
+ do_rounds(p, sE1, sE0, T0, K4, _ , _ , W2, W3, do_add, _, do_sha1su1)
+ do_rounds(p, sE0, sE1, T1, K4, _ , _ , W3, _ , do_add, _, _)
+ do_rounds(p, sE1, sE0, T0, _, _, _, _, _, _, _, _)
+ do_rounds(p, sE0, sE1, T1, _, _, _, _, _, _, _, _)
+
+ add vH4.2s, vH4.2s, vE0.2s
+ add vH0123.4s, vH0123.4s, vABCD.4s
+
+ CLEAR_REG(vW0)
+ CLEAR_REG(vW1)
+ CLEAR_REG(vW2)
+ CLEAR_REG(vW3)
+ CLEAR_REG(vABCD)
+ CLEAR_REG(vE1)
+ CLEAR_REG(vE0)
+
+ str sH4, [x0, #16] /* store h4 */
+ st1 {vH0123.4s}, [x0] /* store h0,h1,h2,h3 */
+
+ CLEAR_REG(vH0123)
+ CLEAR_REG(vH4)
+
+.Ldo_nothing:
+ mov x0, #0
+ ret
+.size _gcry_sha1_transform_armv8_ce,.-_gcry_sha1_transform_armv8_ce;
+
+#endif
#if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \
- defined(HAVE_GCC_INLINE_ASM_BMI2) && \
- defined(HAVE_GCC_INLINE_ASM_AVX2) && defined(USE_SHA1)
+ defined(HAVE_GCC_INLINE_ASM_AVX) && defined(USE_SHA1)
#ifdef __PIC__
# define RIP (%rip)
&& defined(HAVE_GCC_INLINE_ASM_NEON)
# define USE_NEON 1
# endif
-#endif /*ENABLE_NEON_SUPPORT*/
+#endif
+/* USE_ARM_CE indicates whether to enable ARMv8 Crypto Extension assembly
+ * code. */
+#undef USE_ARM_CE
+#ifdef ENABLE_ARM_CRYPTO_SUPPORT
+# if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) \
+ && defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) \
+ && defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
+# define USE_ARM_CE 1
+# elif defined(__AARCH64EL__) \
+ && defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) \
+ && defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
+# define USE_ARM_CE 1
+# endif
+#endif
/* A macro to test whether P is properly aligned for an u32 type.
Note that config.h provides a suitable replacement for uintptr_t if
#ifdef USE_NEON
hd->use_neon = (features & HWF_ARM_NEON) != 0;
#endif
+#ifdef USE_ARM_CE
+ hd->use_arm_ce = (features & HWF_ARM_SHA1) != 0;
+#endif
(void)features;
}
} while(0)
-
#ifdef USE_NEON
unsigned int
_gcry_sha1_transform_armv7_neon (void *state, const unsigned char *data,
size_t nblks);
#endif
+#ifdef USE_ARM_CE
+unsigned int
+_gcry_sha1_transform_armv8_ce (void *state, const unsigned char *data,
+ size_t nblks);
+#endif
+
/*
* Transform NBLOCKS of each 64 bytes (16 32-bit words) at DATA.
*/
return _gcry_sha1_transform_amd64_ssse3 (&hd->h0, data, nblks)
+ 4 * sizeof(void*) + ASM_EXTRA_STACK;
#endif
+#ifdef USE_ARM_CE
+ if (hd->use_arm_ce)
+ return _gcry_sha1_transform_armv8_ce (&hd->h0, data, nblks);
+#endif
#ifdef USE_NEON
if (hd->use_neon)
return _gcry_sha1_transform_armv7_neon (&hd->h0, data, nblks)
unsigned int use_avx:1;
unsigned int use_bmi2:1;
unsigned int use_neon:1;
+ unsigned int use_arm_ce:1;
} SHA1_CONTEXT;
--- /dev/null
+/* sha256-armv8-aarch32-ce.S - ARM/CE accelerated SHA-256 transform function
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) && \
+ defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO) && defined(USE_SHA256)
+
+.syntax unified
+.fpu crypto-neon-fp-armv8
+.arm
+
+.text
+
+#ifdef __PIC__
+# define GET_DATA_POINTER(reg, name, rtmp) \
+ ldr reg, 1f; \
+ ldr rtmp, 2f; \
+ b 3f; \
+ 1: .word _GLOBAL_OFFSET_TABLE_-(3f+8); \
+ 2: .word name(GOT); \
+ 3: add reg, pc, reg; \
+ ldr reg, [reg, rtmp];
+#else
+# define GET_DATA_POINTER(reg, name, rtmp) ldr reg, =name
+#endif
+
+
+/* Constants */
+
+.align 4
+gcry_sha256_aarch32_ce_K:
+.LK:
+ .long 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5
+ .long 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5
+ .long 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3
+ .long 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174
+ .long 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc
+ .long 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da
+ .long 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7
+ .long 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967
+ .long 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13
+ .long 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85
+ .long 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3
+ .long 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070
+ .long 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5
+ .long 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3
+ .long 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208
+ .long 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+
+
+/* Register macros */
+
+#define qH0123 q0
+#define qH4567 q1
+
+#define qABCD0 q2
+#define qABCD1 q3
+#define qEFGH q4
+
+#define qT0 q5
+#define qT1 q6
+
+#define qW0 q8
+#define qW1 q9
+#define qW2 q10
+#define qW3 q11
+
+#define qK0 q12
+#define qK1 q13
+#define qK2 q14
+#define qK3 q15
+
+
+/* Round macros */
+
+#define _(...) /*_*/
+
+#define do_loadk(nk0, nk1) vld1.32 {nk0-nk1},[lr]!;
+#define do_add(a, b) vadd.u32 a, a, b;
+#define do_sha256su0(w0, w1) sha256su0.32 w0, w1;
+#define do_sha256su1(w0, w2, w3) sha256su1.32 w0, w2, w3;
+
+#define do_rounds(k, nk0, nk1, w0, w1, w2, w3, loadk_fn, add_fn, su0_fn, su1_fn) \
+ loadk_fn( nk0, nk1 ); \
+ su0_fn( w0, w1 ); \
+ vmov qABCD1, qABCD0; \
+ sha256h.32 qABCD0, qEFGH, k; \
+ sha256h2.32 qEFGH, qABCD1, k; \
+ add_fn( nk0, w2 ); \
+ su1_fn( w0, w2, w3 );
+
+
+/* Other functional macros */
+
+#define CLEAR_REG(reg) veor reg, reg;
+
+
+/*
+ * unsigned int
+ * _gcry_sha256_transform_armv8_ce (u32 state[8], const void *input_data,
+ * size_t num_blks)
+ */
+.align 3
+.globl _gcry_sha256_transform_armv8_ce
+.type _gcry_sha256_transform_armv8_ce,%function;
+_gcry_sha256_transform_armv8_ce:
+ /* input:
+ * r0: ctx, CTX
+ * r1: data (64*nblks bytes)
+ * r2: nblks
+ */
+
+ cmp r2, #0;
+ push {r4,lr};
+ beq .Ldo_nothing;
+
+ vpush {q4-q7};
+
+ GET_DATA_POINTER(r4, .LK, lr);
+ mov lr, r4
+
+ vld1.32 {qH0123-qH4567}, [r0] /* load state */
+
+ vld1.8 {qW0-qW1}, [r1]!
+ do_loadk(qK0, qK1)
+ vld1.8 {qW2-qW3}, [r1]!
+ vmov qABCD0, qH0123
+ vmov qEFGH, qH4567
+
+ vrev32.8 qW0, qW0
+ vrev32.8 qW1, qW1
+ vrev32.8 qW2, qW2
+ do_add(qK0, qW0)
+ vrev32.8 qW3, qW3
+ do_add(qK1, qW1)
+
+.Loop:
+ do_rounds(qK0, qK2, qK3, qW0, qW1, qW2, qW3, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ subs r2,r2,#1
+ do_rounds(qK1, qK3, _ , qW1, qW2, qW3, qW0, _ , do_add, do_sha256su0, do_sha256su1)
+ do_rounds(qK2, qK0, qK1, qW2, qW3, qW0, qW1, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(qK3, qK1, _ , qW3, qW0, qW1, qW2, _ , do_add, do_sha256su0, do_sha256su1)
+
+ do_rounds(qK0, qK2, qK3, qW0, qW1, qW2, qW3, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(qK1, qK3, _ , qW1, qW2, qW3, qW0, _ , do_add, do_sha256su0, do_sha256su1)
+ do_rounds(qK2, qK0, qK1, qW2, qW3, qW0, qW1, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(qK3, qK1, _ , qW3, qW0, qW1, qW2, _ , do_add, do_sha256su0, do_sha256su1)
+
+ do_rounds(qK0, qK2, qK3, qW0, qW1, qW2, qW3, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(qK1, qK3, _ , qW1, qW2, qW3, qW0, _ , do_add, do_sha256su0, do_sha256su1)
+ do_rounds(qK2, qK0, qK1, qW2, qW3, qW0, qW1, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(qK3, qK1, _ , qW3, qW0, qW1, qW2, _ , do_add, do_sha256su0, do_sha256su1)
+
+ beq .Lend
+
+ do_rounds(qK0, qK2, qK3, qW0, _ , qW2, qW3, do_loadk, do_add, _, _)
+ vld1.8 {qW0}, [r1]!
+ mov lr, r4
+ do_rounds(qK1, qK3, _ , qW1, _ , qW3, _ , _ , do_add, _, _)
+ vld1.8 {qW1}, [r1]!
+ vrev32.8 qW0, qW0
+ do_rounds(qK2, qK0, qK1, qW2, _ , qW0, _ , do_loadk, do_add, _, _)
+ vrev32.8 qW1, qW1
+ vld1.8 {qW2}, [r1]!
+ do_rounds(qK3, qK1, _ , qW3, _ , qW1, _ , _ , do_add, _, _)
+ vld1.8 {qW3}, [r1]!
+
+ vadd.u32 qH0123, qABCD0
+ vadd.u32 qH4567, qEFGH
+
+ vrev32.8 qW2, qW2
+ vmov qABCD0, qH0123
+ vrev32.8 qW3, qW3
+ vmov qEFGH, qH4567
+
+ b .Loop
+
+.Lend:
+
+ do_rounds(qK0, qK2, qK3, qW0, _ , qW2, qW3, do_loadk, do_add, _, _)
+ do_rounds(qK1, qK3, _ , qW1, _ , qW3, _ , _ , do_add, _, _)
+ do_rounds(qK2, _ , _ , qW2, _ , _ , _ , _ , _, _, _)
+ do_rounds(qK3, _ , _ , qW3, _ , _ , _ , _ , _, _, _)
+
+ CLEAR_REG(qW0)
+ CLEAR_REG(qW1)
+ CLEAR_REG(qW2)
+ CLEAR_REG(qW3)
+ CLEAR_REG(qK0)
+ CLEAR_REG(qK1)
+ CLEAR_REG(qK2)
+ CLEAR_REG(qK3)
+
+ vadd.u32 qH0123, qABCD0
+ vadd.u32 qH4567, qEFGH
+
+ CLEAR_REG(qABCD0)
+ CLEAR_REG(qABCD1)
+ CLEAR_REG(qEFGH)
+
+ vst1.32 {qH0123-qH4567}, [r0] /* store state */
+
+ CLEAR_REG(qH0123)
+ CLEAR_REG(qH4567)
+ vpop {q4-q7}
+
+.Ldo_nothing:
+ mov r0, #0
+ pop {r4,pc}
+.size _gcry_sha256_transform_armv8_ce,.-_gcry_sha256_transform_armv8_ce;
+
+#endif
--- /dev/null
+/* sha256-armv8-aarch64-ce.S - ARM/CE accelerated SHA-256 transform function
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(__AARCH64EL__) && \
+ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
+ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO) && defined(USE_SHA256)
+
+.arch armv8-a+crypto
+
+.text
+
+
+#define GET_DATA_POINTER(reg, name) \
+ adrp reg, :got:name ; \
+ ldr reg, [reg, #:got_lo12:name] ;
+
+
+/* Constants */
+
+.align 4
+gcry_sha256_aarch64_ce_K:
+.LK:
+ .long 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5
+ .long 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5
+ .long 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3
+ .long 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174
+ .long 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc
+ .long 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da
+ .long 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7
+ .long 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967
+ .long 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13
+ .long 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85
+ .long 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3
+ .long 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070
+ .long 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5
+ .long 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3
+ .long 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208
+ .long 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+
+
+/* Register macros */
+
+#define vH0123 v0
+#define vH4567 v1
+
+#define vABCD0 v2
+#define qABCD0 q2
+#define vABCD1 v3
+#define qABCD1 q3
+#define vEFGH v4
+#define qEFGH q4
+
+#define vT0 v5
+#define vT1 v6
+
+#define vW0 v16
+#define vW1 v17
+#define vW2 v18
+#define vW3 v19
+
+#define vK0 v20
+#define vK1 v21
+#define vK2 v22
+#define vK3 v23
+
+
+/* Round macros */
+
+#define _(...) /*_*/
+
+#define do_loadk(nk0, nk1) ld1 {nk0.16b-nk1.16b},[x3],#32;
+#define do_add(a, b) add a.4s, a.4s, b.4s;
+#define do_sha256su0(w0, w1) sha256su0 w0.4s, w1.4s;
+#define do_sha256su1(w0, w2, w3) sha256su1 w0.4s, w2.4s, w3.4s;
+
+#define do_rounds(k, nk0, nk1, w0, w1, w2, w3, loadk_fn, add_fn, su0_fn, su1_fn) \
+ loadk_fn( v##nk0, v##nk1 ); \
+ su0_fn( v##w0, v##w1 ); \
+ mov vABCD1.16b, vABCD0.16b; \
+ sha256h qABCD0, qEFGH, v##k.4s; \
+ sha256h2 qEFGH, qABCD1, v##k.4s; \
+ add_fn( v##nk0, v##w2 ); \
+ su1_fn( v##w0, v##w2, v##w3 );
+
+
+/* Other functional macros */
+
+#define CLEAR_REG(reg) eor reg.16b, reg.16b, reg.16b;
+
+
+/*
+ * unsigned int
+ * _gcry_sha256_transform_armv8_ce (u32 state[8], const void *input_data,
+ * size_t num_blks)
+ */
+.align 3
+.globl _gcry_sha256_transform_armv8_ce
+.type _gcry_sha256_transform_armv8_ce,%function;
+_gcry_sha256_transform_armv8_ce:
+ /* input:
+ * r0: ctx, CTX
+ * r1: data (64*nblks bytes)
+ * r2: nblks
+ */
+
+ cbz x2, .Ldo_nothing;
+
+ GET_DATA_POINTER(x3, .LK);
+ mov x4, x3
+
+ ld1 {vH0123.4s-vH4567.4s}, [x0] /* load state */
+
+ ld1 {vW0.16b-vW1.16b}, [x1], #32
+ do_loadk(vK0, vK1)
+ ld1 {vW2.16b-vW3.16b}, [x1], #32
+ mov vABCD0.16b, vH0123.16b
+ mov vEFGH.16b, vH4567.16b
+
+ rev32 vW0.16b, vW0.16b
+ rev32 vW1.16b, vW1.16b
+ rev32 vW2.16b, vW2.16b
+ do_add(vK0, vW0)
+ rev32 vW3.16b, vW3.16b
+ do_add(vK1, vW1)
+
+.Loop:
+ do_rounds(K0, K2, K3, W0, W1, W2, W3, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ sub x2,x2,#1
+ do_rounds(K1, K3, _ , W1, W2, W3, W0, _ , do_add, do_sha256su0, do_sha256su1)
+ do_rounds(K2, K0, K1, W2, W3, W0, W1, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(K3, K1, _ , W3, W0, W1, W2, _ , do_add, do_sha256su0, do_sha256su1)
+
+ do_rounds(K0, K2, K3, W0, W1, W2, W3, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(K1, K3, _ , W1, W2, W3, W0, _ , do_add, do_sha256su0, do_sha256su1)
+ do_rounds(K2, K0, K1, W2, W3, W0, W1, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(K3, K1, _ , W3, W0, W1, W2, _ , do_add, do_sha256su0, do_sha256su1)
+
+ do_rounds(K0, K2, K3, W0, W1, W2, W3, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(K1, K3, _ , W1, W2, W3, W0, _ , do_add, do_sha256su0, do_sha256su1)
+ do_rounds(K2, K0, K1, W2, W3, W0, W1, do_loadk, do_add, do_sha256su0, do_sha256su1)
+ do_rounds(K3, K1, _ , W3, W0, W1, W2, _ , do_add, do_sha256su0, do_sha256su1)
+
+ cbz x2, .Lend
+
+ do_rounds(K0, K2, K3, W0, _ , W2, W3, do_loadk, do_add, _, _)
+ ld1 {vW0.16b}, [x1], #16
+ mov x3, x4
+ do_rounds(K1, K3, _ , W1, _ , W3, _ , _ , do_add, _, _)
+ ld1 {vW1.16b}, [x1], #16
+ rev32 vW0.16b, vW0.16b
+ do_rounds(K2, K0, K1, W2, _ , W0, _ , do_loadk, do_add, _, _)
+ rev32 vW1.16b, vW1.16b
+ ld1 {vW2.16b}, [x1], #16
+ do_rounds(K3, K1, _ , W3, _ , W1, _ , _ , do_add, _, _)
+ ld1 {vW3.16b}, [x1], #16
+
+ do_add(vH0123, vABCD0)
+ do_add(vH4567, vEFGH)
+
+ rev32 vW2.16b, vW2.16b
+ mov vABCD0.16b, vH0123.16b
+ rev32 vW3.16b, vW3.16b
+ mov vEFGH.16b, vH4567.16b
+
+ b .Loop
+
+.Lend:
+
+ do_rounds(K0, K2, K3, W0, _ , W2, W3, do_loadk, do_add, _, _)
+ do_rounds(K1, K3, _ , W1, _ , W3, _ , _ , do_add, _, _)
+ do_rounds(K2, _ , _ , W2, _ , _ , _ , _ , _, _, _)
+ do_rounds(K3, _ , _ , W3, _ , _ , _ , _ , _, _, _)
+
+ CLEAR_REG(vW0)
+ CLEAR_REG(vW1)
+ CLEAR_REG(vW2)
+ CLEAR_REG(vW3)
+ CLEAR_REG(vK0)
+ CLEAR_REG(vK1)
+ CLEAR_REG(vK2)
+ CLEAR_REG(vK3)
+
+ do_add(vH0123, vABCD0)
+ do_add(vH4567, vEFGH)
+
+ CLEAR_REG(vABCD0)
+ CLEAR_REG(vABCD1)
+ CLEAR_REG(vEFGH)
+
+ st1 {vH0123.4s-vH4567.4s}, [x0] /* store state */
+
+ CLEAR_REG(vH0123)
+ CLEAR_REG(vH4567)
+
+.Ldo_nothing:
+ mov x0, #0
+ ret
+.size _gcry_sha256_transform_armv8_ce,.-_gcry_sha256_transform_armv8_ce;
+
+#endif
# define USE_AVX2 1
#endif
+/* USE_ARM_CE indicates whether to enable ARMv8 Crypto Extension assembly
+ * code. */
+#undef USE_ARM_CE
+#ifdef ENABLE_ARM_CRYPTO_SUPPORT
+# if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) \
+ && defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) \
+ && defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
+# define USE_ARM_CE 1
+# elif defined(__AARCH64EL__) \
+ && defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) \
+ && defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
+# define USE_ARM_CE 1
+# endif
+#endif
+
typedef struct {
gcry_md_block_ctx_t bctx;
#ifdef USE_AVX2
unsigned int use_avx2:1;
#endif
+#ifdef USE_ARM_CE
+ unsigned int use_arm_ce:1;
+#endif
} SHA256_CONTEXT;
#ifdef USE_AVX2
hd->use_avx2 = (features & HWF_INTEL_AVX2) && (features & HWF_INTEL_BMI2);
#endif
+#ifdef USE_ARM_CE
+ hd->use_arm_ce = (features & HWF_ARM_SHA2) != 0;
+#endif
(void)features;
}
#ifdef USE_AVX2
hd->use_avx2 = (features & HWF_INTEL_AVX2) && (features & HWF_INTEL_BMI2);
#endif
+#ifdef USE_ARM_CE
+ hd->use_arm_ce = (features & HWF_ARM_SHA2) != 0;
+#endif
(void)features;
}
size_t num_blks) ASM_FUNC_ABI;
#endif
+#ifdef USE_ARM_CE
+unsigned int _gcry_sha256_transform_armv8_ce(u32 state[8],
+ const void *input_data,
+ size_t num_blks);
+#endif
static unsigned int
transform (void *ctx, const unsigned char *data, size_t nblks)
+ 4 * sizeof(void*) + ASM_EXTRA_STACK;
#endif
+#ifdef USE_ARM_CE
+ if (hd->use_arm_ce)
+ return _gcry_sha256_transform_armv8_ce (&hd->h0, data, nblks);
+#endif
+
do
{
burn = transform_blk (hd, data);
stm RWhi, {RT1lo,RT1hi,RT2lo,RT2hi,RT3lo,RT3hi,RT4lo,RT4hi}
/* Load input to w[16] */
-#ifndef __ARM_FEATURE_UNALIGNED
+
/* test if data is unaligned */
tst %r1, #3;
beq 1f;
read_be64_unaligned_4(%r1, 12 * 8, RT1lo, RT1hi, RT2lo, RT2hi, RT3lo, RT3hi, RT4lo, RT4hi, RWlo);
b 2f;
-#endif
1:
/* aligned load */
add RWhi, %sp, #(w(0));
return hd->result + 32;
}
+static gcry_md_oid_spec_t oid_spec_stribog256[] =
+ {
+ /* id-tc26-signwithdigest-gost3410-12-256 */
+ { "1.2.643.7.1.1.3.2" },
+ /* id-tc26-gost3411-12-256 */
+ { "1.2.643.7.1.1.2.2" },
+ { NULL },
+ };
+
+static gcry_md_oid_spec_t oid_spec_stribog512[] =
+ {
+ /* id-tc26-signwithdigest-gost3410-12-512 */
+ { "1.2.643.7.1.1.3.3" },
+ /* id-tc26-gost3411-12-512 */
+ { "1.2.643.7.1.1.2.3" },
+ { NULL },
+ };
+
gcry_md_spec_t _gcry_digest_spec_stribog_256 =
{
GCRY_MD_STRIBOG256, {0, 0},
- "STRIBOG256", NULL, 0, NULL, 32,
+ "STRIBOG256", NULL, 0, oid_spec_stribog256, 32,
stribog_init_256, _gcry_md_block_write, stribog_final, stribog_read_256,
NULL,
sizeof (STRIBOG_CONTEXT)
gcry_md_spec_t _gcry_digest_spec_stribog_512 =
{
GCRY_MD_STRIBOG512, {0, 0},
- "STRIBOG512", NULL, 0, NULL, 64,
+ "STRIBOG512", NULL, 0, oid_spec_stribog512, 64,
stribog_init_512, _gcry_md_block_write, stribog_final, stribog_read_512,
NULL,
sizeof (STRIBOG_CONTEXT)
--- /dev/null
+/* twofish-aarch64.S - ARMv8/AArch64 assembly implementation of Twofish cipher
+ *
+ * Copyright (C) 2016 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#if defined(__AARCH64EL__)
+#ifdef HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS
+
+.text
+
+/* structure of TWOFISH_context: */
+#define s0 0
+#define s1 ((s0) + 4 * 256)
+#define s2 ((s1) + 4 * 256)
+#define s3 ((s2) + 4 * 256)
+#define w ((s3) + 4 * 256)
+#define k ((w) + 4 * 8)
+
+/* register macros */
+#define CTX x0
+#define RDST x1
+#define RSRC x2
+#define CTXs0 CTX
+#define CTXs1 x3
+#define CTXs2 x4
+#define CTXs3 x5
+#define CTXw x17
+
+#define RA w6
+#define RB w7
+#define RC w8
+#define RD w9
+
+#define RX w10
+#define RY w11
+
+#define xRX x10
+#define xRY x11
+
+#define RMASK w12
+
+#define RT0 w13
+#define RT1 w14
+#define RT2 w15
+#define RT3 w16
+
+#define xRT0 x13
+#define xRT1 x14
+#define xRT2 x15
+#define xRT3 x16
+
+/* helper macros */
+#ifndef __AARCH64EL__
+ /* bswap on big-endian */
+ #define host_to_le(reg) \
+ rev reg, reg;
+ #define le_to_host(reg) \
+ rev reg, reg;
+#else
+ /* nop on little-endian */
+ #define host_to_le(reg) /*_*/
+ #define le_to_host(reg) /*_*/
+#endif
+
+#define ldr_input_aligned_le(rin, a, b, c, d) \
+ ldr a, [rin, #0]; \
+ ldr b, [rin, #4]; \
+ le_to_host(a); \
+ ldr c, [rin, #8]; \
+ le_to_host(b); \
+ ldr d, [rin, #12]; \
+ le_to_host(c); \
+ le_to_host(d);
+
+#define str_output_aligned_le(rout, a, b, c, d) \
+ le_to_host(a); \
+ le_to_host(b); \
+ str a, [rout, #0]; \
+ le_to_host(c); \
+ str b, [rout, #4]; \
+ le_to_host(d); \
+ str c, [rout, #8]; \
+ str d, [rout, #12];
+
+/* unaligned word reads/writes allowed */
+#define ldr_input_le(rin, ra, rb, rc, rd, rtmp) \
+ ldr_input_aligned_le(rin, ra, rb, rc, rd)
+
+#define str_output_le(rout, ra, rb, rc, rd, rtmp0, rtmp1) \
+ str_output_aligned_le(rout, ra, rb, rc, rd)
+
+/**********************************************************************
+ 1-way twofish
+ **********************************************************************/
+#define encrypt_round(a, b, rc, rd, n, ror_a, adj_a) \
+ and RT0, RMASK, b, lsr#(8 - 2); \
+ and RY, RMASK, b, lsr#(16 - 2); \
+ and RT1, RMASK, b, lsr#(24 - 2); \
+ ldr RY, [CTXs3, xRY]; \
+ and RT2, RMASK, b, lsl#(2); \
+ ldr RT0, [CTXs2, xRT0]; \
+ and RT3, RMASK, a, lsr#(16 - 2 + (adj_a)); \
+ ldr RT1, [CTXs0, xRT1]; \
+ and RX, RMASK, a, lsr#(8 - 2 + (adj_a)); \
+ ldr RT2, [CTXs1, xRT2]; \
+ ldr RX, [CTXs1, xRX]; \
+ ror_a(a); \
+ \
+ eor RY, RY, RT0; \
+ ldr RT3, [CTXs2, xRT3]; \
+ and RT0, RMASK, a, lsl#(2); \
+ eor RY, RY, RT1; \
+ and RT1, RMASK, a, lsr#(24 - 2); \
+ eor RY, RY, RT2; \
+ ldr RT0, [CTXs0, xRT0]; \
+ eor RX, RX, RT3; \
+ ldr RT1, [CTXs3, xRT1]; \
+ eor RX, RX, RT0; \
+ \
+ ldr RT3, [CTXs3, #(k - s3 + 8 * (n) + 4)]; \
+ eor RX, RX, RT1; \
+ ldr RT2, [CTXs3, #(k - s3 + 8 * (n))]; \
+ \
+ add RT0, RX, RY, lsl #1; \
+ add RX, RX, RY; \
+ add RT0, RT0, RT3; \
+ add RX, RX, RT2; \
+ eor rd, RT0, rd, ror #31; \
+ eor rc, rc, RX;
+
+#define dummy(x) /*_*/
+
+#define ror1(r) \
+ ror r, r, #1;
+
+#define decrypt_round(a, b, rc, rd, n, ror_b, adj_b) \
+ and RT3, RMASK, b, lsl#(2 - (adj_b)); \
+ and RT1, RMASK, b, lsr#(8 - 2 + (adj_b)); \
+ ror_b(b); \
+ and RT2, RMASK, a, lsl#(2); \
+ and RT0, RMASK, a, lsr#(8 - 2); \
+ \
+ ldr RY, [CTXs1, xRT3]; \
+ ldr RX, [CTXs0, xRT2]; \
+ and RT3, RMASK, b, lsr#(16 - 2); \
+ ldr RT1, [CTXs2, xRT1]; \
+ and RT2, RMASK, a, lsr#(16 - 2); \
+ ldr RT0, [CTXs1, xRT0]; \
+ \
+ ldr RT3, [CTXs3, xRT3]; \
+ eor RY, RY, RT1; \
+ \
+ and RT1, RMASK, b, lsr#(24 - 2); \
+ eor RX, RX, RT0; \
+ ldr RT2, [CTXs2, xRT2]; \
+ and RT0, RMASK, a, lsr#(24 - 2); \
+ \
+ ldr RT1, [CTXs0, xRT1]; \
+ \
+ eor RY, RY, RT3; \
+ ldr RT0, [CTXs3, xRT0]; \
+ eor RX, RX, RT2; \
+ eor RY, RY, RT1; \
+ \
+ ldr RT1, [CTXs3, #(k - s3 + 8 * (n) + 4)]; \
+ eor RX, RX, RT0; \
+ ldr RT2, [CTXs3, #(k - s3 + 8 * (n))]; \
+ \
+ add RT0, RX, RY, lsl #1; \
+ add RX, RX, RY; \
+ add RT0, RT0, RT1; \
+ add RX, RX, RT2; \
+ eor rd, rd, RT0; \
+ eor rc, RX, rc, ror #31;
+
+#define first_encrypt_cycle(nc) \
+ encrypt_round(RA, RB, RC, RD, (nc) * 2, dummy, 0); \
+ encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1);
+
+#define encrypt_cycle(nc) \
+ encrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
+ encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1);
+
+#define last_encrypt_cycle(nc) \
+ encrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
+ encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
+ ror1(RA);
+
+#define first_decrypt_cycle(nc) \
+ decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, dummy, 0); \
+ decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1);
+
+#define decrypt_cycle(nc) \
+ decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
+ decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1);
+
+#define last_decrypt_cycle(nc) \
+ decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
+ decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
+ ror1(RD);
+
+.globl _gcry_twofish_arm_encrypt_block
+.type _gcry_twofish_arm_encrypt_block,%function;
+
+_gcry_twofish_arm_encrypt_block:
+ /* input:
+ * x0: ctx
+ * x1: dst
+ * x2: src
+ */
+
+ add CTXw, CTX, #(w);
+
+ ldr_input_le(RSRC, RA, RB, RC, RD, RT0);
+
+ /* Input whitening */
+ ldp RT0, RT1, [CTXw, #(0*8)];
+ ldp RT2, RT3, [CTXw, #(1*8)];
+ add CTXs3, CTX, #(s3);
+ add CTXs2, CTX, #(s2);
+ add CTXs1, CTX, #(s1);
+ mov RMASK, #(0xff << 2);
+ eor RA, RA, RT0;
+ eor RB, RB, RT1;
+ eor RC, RC, RT2;
+ eor RD, RD, RT3;
+
+ first_encrypt_cycle(0);
+ encrypt_cycle(1);
+ encrypt_cycle(2);
+ encrypt_cycle(3);
+ encrypt_cycle(4);
+ encrypt_cycle(5);
+ encrypt_cycle(6);
+ last_encrypt_cycle(7);
+
+ /* Output whitening */
+ ldp RT0, RT1, [CTXw, #(2*8)];
+ ldp RT2, RT3, [CTXw, #(3*8)];
+ eor RC, RC, RT0;
+ eor RD, RD, RT1;
+ eor RA, RA, RT2;
+ eor RB, RB, RT3;
+
+ str_output_le(RDST, RC, RD, RA, RB, RT0, RT1);
+
+ ret;
+.ltorg
+.size _gcry_twofish_arm_encrypt_block,.-_gcry_twofish_arm_encrypt_block;
+
+.globl _gcry_twofish_arm_decrypt_block
+.type _gcry_twofish_arm_decrypt_block,%function;
+
+_gcry_twofish_arm_decrypt_block:
+ /* input:
+ * %r0: ctx
+ * %r1: dst
+ * %r2: src
+ */
+
+ add CTXw, CTX, #(w);
+
+ ldr_input_le(RSRC, RC, RD, RA, RB, RT0);
+
+ /* Input whitening */
+ ldp RT0, RT1, [CTXw, #(2*8)];
+ ldp RT2, RT3, [CTXw, #(3*8)];
+ add CTXs3, CTX, #(s3);
+ add CTXs2, CTX, #(s2);
+ add CTXs1, CTX, #(s1);
+ mov RMASK, #(0xff << 2);
+ eor RC, RC, RT0;
+ eor RD, RD, RT1;
+ eor RA, RA, RT2;
+ eor RB, RB, RT3;
+
+ first_decrypt_cycle(7);
+ decrypt_cycle(6);
+ decrypt_cycle(5);
+ decrypt_cycle(4);
+ decrypt_cycle(3);
+ decrypt_cycle(2);
+ decrypt_cycle(1);
+ last_decrypt_cycle(0);
+
+ /* Output whitening */
+ ldp RT0, RT1, [CTXw, #(0*8)];
+ ldp RT2, RT3, [CTXw, #(1*8)];
+ eor RA, RA, RT0;
+ eor RB, RB, RT1;
+ eor RC, RC, RT2;
+ eor RD, RD, RT3;
+
+ str_output_le(RDST, RA, RB, RC, RD, RT0, RT1);
+
+ ret;
+.size _gcry_twofish_arm_decrypt_block,.-_gcry_twofish_arm_decrypt_block;
+
+#endif /*HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS*/
+#endif /*__AARCH64EL__*/
# define USE_ARM_ASM 1
# endif
#endif
+# if defined(__AARCH64EL__)
+# ifdef HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS
+# define USE_ARM_ASM 1
+# endif
+# endif
/* Prototype for the self-test function. */
"\n\n"
"This is Libgcrypt " PACKAGE_VERSION " - The GNU Crypto Library\n"
"Copyright (C) 2000-2016 Free Software Foundation, Inc.\n"
- "Copyright (C) 2012-2016 g10 Code GmbH\n"
- "Copyright (C) 2013-2016 Jussi Kivilinna\n"
+ "Copyright (C) 2012-2017 g10 Code GmbH\n"
+ "Copyright (C) 2013-2017 Jussi Kivilinna\n"
"\n"
"(" BUILD_REVISION " " BUILD_TIMESTAMP ")\n"
"\n\n";
/* Enable support for Intel AES-NI instructions. */
#undef ENABLE_AESNI_SUPPORT
+/* Enable support for ARMv8 Crypto Extension instructions. */
+#undef ENABLE_ARM_CRYPTO_SUPPORT
+
/* Enable support for Intel AVX2 instructions. */
#undef ENABLE_AVX2_SUPPORT
/* Define to 1 if you have the `clock_gettime' function. */
#undef HAVE_CLOCK_GETTIME
+/* Defined if underlying assembler is compatible with ARMv8/Aarch64 assembly
+ implementations */
+#undef HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS
+
/* Defined if underlying assembler is compatible with amd64 assembly
implementations */
#undef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
/* Defined for Alpha platforms */
#undef HAVE_CPU_ARCH_ALPHA
-/* Defined for ARM platforms */
+/* Defined for ARM AArch64 platforms */
#undef HAVE_CPU_ARCH_ARM
/* Defined for M68k platforms */
/* Defined if default calling convention is 'sysv_abi' */
#undef HAVE_GCC_DEFAULT_ABI_IS_SYSV_ABI
+/* Defined if inline assembler supports AArch32 Crypto Extension instructions
+ */
+#undef HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO
+
+/* Defined if inline assembler supports AArch64 Crypto Extension instructions
+ */
+#undef HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO
+
+/* Defined if inline assembler supports AArch64 NEON instructions */
+#undef HAVE_GCC_INLINE_ASM_AARCH64_NEON
+
/* Defined if inline assembler supports AVX instructions */
#undef HAVE_GCC_INLINE_ASM_AVX
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libgcrypt 1.7.1.
+# Generated by GNU Autoconf 2.69 for libgcrypt 1.7.6.
#
# Report bugs to <http://bugs.gnupg.org>.
#
# Identity of this package.
PACKAGE_NAME='libgcrypt'
PACKAGE_TARNAME='libgcrypt'
-PACKAGE_VERSION='1.7.1'
-PACKAGE_STRING='libgcrypt 1.7.1'
+PACKAGE_VERSION='1.7.6'
+PACKAGE_STRING='libgcrypt 1.7.6'
PACKAGE_BUGREPORT='http://bugs.gnupg.org'
PACKAGE_URL=''
enable_avx_support
enable_avx2_support
enable_neon_support
+enable_arm_crypto_support
enable_O_flag_munging
enable_amd64_as_feature_detection
enable_ld_version_script
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures libgcrypt 1.7.1 to adapt to many kinds of systems.
+\`configure' configures libgcrypt 1.7.6 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of libgcrypt 1.7.1:";;
+ short | recursive ) echo "Configuration of libgcrypt 1.7.6:";;
esac
cat <<\_ACEOF
--disable-avx-support Disable support for the Intel AVX instructions
--disable-avx2-support Disable support for the Intel AVX2 instructions
--disable-neon-support Disable support for the ARM NEON instructions
+ --disable-arm-crypto-support
+ Disable support for the ARMv8 Crypto Extension
+ instructions
--disable-O-flag-munging
Disable modification of the cc -O flag
--disable-amd64-as-feature-detection
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-libgcrypt configure 1.7.1
+libgcrypt configure 1.7.6
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by libgcrypt $as_me 1.7.1, which was
+It was created by libgcrypt $as_me 1.7.6, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
# (No interfaces changed: REVISION++)
LIBGCRYPT_LT_CURRENT=21
LIBGCRYPT_LT_AGE=1
-LIBGCRYPT_LT_REVISION=1
+LIBGCRYPT_LT_REVISION=6
# If the API is changed in an incompatible way: increment the next counter.
# Define the identity of the package.
PACKAGE='libgcrypt'
- VERSION='1.7.1'
+ VERSION='1.7.6'
cat >>confdefs.h <<_ACEOF
#define VERSION "$VERSION"
_ACEOF
-VERSION_NUMBER=0x010701
+VERSION_NUMBER=0x010706
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $neonsupport" >&5
$as_echo "$neonsupport" >&6; }
+# Implementation of the --disable-arm-crypto-support switch.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ARMv8 Crypto Extension support is requested" >&5
+$as_echo_n "checking whether ARMv8 Crypto Extension support is requested... " >&6; }
+# Check whether --enable-arm-crypto-support was given.
+if test "${enable_arm_crypto_support+set}" = set; then :
+ enableval=$enable_arm_crypto_support; armcryptosupport=$enableval
+else
+ armcryptosupport=yes
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $armcryptosupport" >&5
+$as_echo "$armcryptosupport" >&6; }
+
# Implementation of the --disable-O-flag-munging switch.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a -O flag munging is requested" >&5
$as_echo_n "checking whether a -O flag munging is requested... " >&6; }
#
+# Check whether GCC assembler supports features needed for our ARMv8/Aarch64
+# implementations. This needs to be done before setting up the
+# assembler stuff.
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether GCC assembler is compatible for ARMv8/Aarch64 assembly implementations" >&5
+$as_echo_n "checking whether GCC assembler is compatible for ARMv8/Aarch64 assembly implementations... " >&6; }
+if ${gcry_cv_gcc_aarch64_platform_as_ok+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ gcry_cv_gcc_aarch64_platform_as_ok=no
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+__asm__(
+ "asmfunc:\n\t"
+ "eor x0, x0, x30, ror #12;\n\t"
+ "add x0, x0, x30, asr #12;\n\t"
+ "eor v0.16b, v0.16b, v31.16b;\n\t"
+
+ /* Test if '.type' and '.size' are supported. */
+ ".size asmfunc,.-asmfunc;\n\t"
+ ".type asmfunc,@function;\n\t"
+ );
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ gcry_cv_gcc_aarch64_platform_as_ok=yes
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcry_cv_gcc_aarch64_platform_as_ok" >&5
+$as_echo "$gcry_cv_gcc_aarch64_platform_as_ok" >&6; }
+if test "$gcry_cv_gcc_aarch64_platform_as_ok" = "yes" ; then
+
+$as_echo "#define HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS 1" >>confdefs.h
+
+fi
+
+
+#
# Check whether underscores in symbols are required. This needs to be
# done before setting up the assembler stuff.
#
fi
if test "$mpi_cpu_arch" != "arm" ; then
- neonsupport="n/a"
+ if test "$mpi_cpu_arch" != "aarch64" ; then
+ neonsupport="n/a"
+ armcryptosupport="n/a"
+ fi
fi
fi
+#
+# Check whether GCC inline assembler supports AArch32 Crypto Extension instructions
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether GCC inline assembler supports AArch32 Crypto Extension instructions" >&5
+$as_echo_n "checking whether GCC inline assembler supports AArch32 Crypto Extension instructions... " >&6; }
+if ${gcry_cv_gcc_inline_asm_aarch32_crypto+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "$mpi_cpu_arch" != "arm" ; then
+ gcry_cv_gcc_inline_asm_aarch32_crypto="n/a"
+ else
+ gcry_cv_gcc_inline_asm_aarch32_crypto=no
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+__asm__(
+ ".syntax unified\n\t"
+ ".arm\n\t"
+ ".fpu crypto-neon-fp-armv8\n\t"
+
+ "sha1h.32 q0, q0;\n\t"
+ "sha1c.32 q0, q0, q0;\n\t"
+ "sha1p.32 q0, q0, q0;\n\t"
+ "sha1su0.32 q0, q0, q0;\n\t"
+ "sha1su1.32 q0, q0;\n\t"
+
+ "sha256h.32 q0, q0, q0;\n\t"
+ "sha256h2.32 q0, q0, q0;\n\t"
+ "sha1p.32 q0, q0, q0;\n\t"
+ "sha256su0.32 q0, q0;\n\t"
+ "sha256su1.32 q0, q0, q15;\n\t"
+
+ "aese.8 q0, q0;\n\t"
+ "aesd.8 q0, q0;\n\t"
+ "aesmc.8 q0, q0;\n\t"
+ "aesimc.8 q0, q0;\n\t"
+
+ "vmull.p64 q0, d0, d0;\n\t"
+ );
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ gcry_cv_gcc_inline_asm_aarch32_crypto=yes
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcry_cv_gcc_inline_asm_aarch32_crypto" >&5
+$as_echo "$gcry_cv_gcc_inline_asm_aarch32_crypto" >&6; }
+if test "$gcry_cv_gcc_inline_asm_aarch32_crypto" = "yes" ; then
+
+$as_echo "#define HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO 1" >>confdefs.h
+
+fi
+
+
+#
+# Check whether GCC inline assembler supports AArch64 NEON instructions
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether GCC inline assembler supports AArch64 NEON instructions" >&5
+$as_echo_n "checking whether GCC inline assembler supports AArch64 NEON instructions... " >&6; }
+if ${gcry_cv_gcc_inline_asm_aarch64_neon+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "$mpi_cpu_arch" != "aarch64" ; then
+ gcry_cv_gcc_inline_asm_aarch64_neon="n/a"
+ else
+ gcry_cv_gcc_inline_asm_aarch64_neon=no
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+__asm__(
+ ".arch armv8-a\n\t"
+ "mov w0, \#42;\n\t"
+ "dup v0.8b, w0;\n\t"
+ "ld4 {v0.8b,v1.8b,v2.8b,v3.8b},[x0],\#32;\n\t"
+ );
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ gcry_cv_gcc_inline_asm_aarch64_neon=yes
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcry_cv_gcc_inline_asm_aarch64_neon" >&5
+$as_echo "$gcry_cv_gcc_inline_asm_aarch64_neon" >&6; }
+if test "$gcry_cv_gcc_inline_asm_aarch64_neon" = "yes" ; then
+
+$as_echo "#define HAVE_GCC_INLINE_ASM_AARCH64_NEON 1" >>confdefs.h
+
+fi
+
+
+#
+# Check whether GCC inline assembler supports AArch64 Crypto Extension instructions
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether GCC inline assembler supports AArch64 Crypto Extension instructions" >&5
+$as_echo_n "checking whether GCC inline assembler supports AArch64 Crypto Extension instructions... " >&6; }
+if ${gcry_cv_gcc_inline_asm_aarch64_crypto+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "$mpi_cpu_arch" != "aarch64" ; then
+ gcry_cv_gcc_inline_asm_aarch64_crypto="n/a"
+ else
+ gcry_cv_gcc_inline_asm_aarch64_crypto=no
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+__asm__(
+ ".arch armv8-a+crypto\n\t"
+
+ "sha1h s0, s0;\n\t"
+ "sha1c q0, s0, v0.4s;\n\t"
+ "sha1p q0, s0, v0.4s;\n\t"
+ "sha1su0 v0.4s, v0.4s, v0.4s;\n\t"
+ "sha1su1 v0.4s, v0.4s;\n\t"
+
+ "sha256h q0, q0, v0.4s;\n\t"
+ "sha256h2 q0, q0, v0.4s;\n\t"
+ "sha1p q0, s0, v0.4s;\n\t"
+ "sha256su0 v0.4s, v0.4s;\n\t"
+ "sha256su1 v0.4s, v0.4s, v31.4s;\n\t"
+
+ "aese v0.16b, v0.16b;\n\t"
+ "aesd v0.16b, v0.16b;\n\t"
+ "aesmc v0.16b, v0.16b;\n\t"
+ "aesimc v0.16b, v0.16b;\n\t"
+
+ "pmull v0.1q, v0.1d, v31.1d;\n\t"
+ "pmull2 v0.1q, v0.2d, v31.2d;\n\t"
+ );
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ gcry_cv_gcc_inline_asm_aarch64_crypto=yes
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcry_cv_gcc_inline_asm_aarch64_crypto" >&5
+$as_echo "$gcry_cv_gcc_inline_asm_aarch64_crypto" >&6; }
+if test "$gcry_cv_gcc_inline_asm_aarch64_crypto" = "yes" ; then
+
+$as_echo "#define HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO 1" >>confdefs.h
+
+fi
+
+
#######################################
#### Checks for library functions. ####
#######################################
pool += (pgsize - ((long int)pool % pgsize));
err = mlock( pool, 4096 );
- if( !err || errno == EPERM )
+ if( !err || errno == EPERM || errno == EAGAIN)
return 0; /* okay */
return 1; /* hmmm */
fi
if test x"$neonsupport" = xyes ; then
if test "$gcry_cv_gcc_inline_asm_neon" != "yes" ; then
- neonsupport="no (unsupported by compiler)"
+ if test "$gcry_cv_gcc_inline_asm_aarch64_neon" != "yes" ; then
+ neonsupport="no (unsupported by compiler)"
+ fi
+ fi
+fi
+if test x"$armcryptosupport" = xyes ; then
+ if test "$gcry_cv_gcc_inline_asm_aarch32_crypto" != "yes" ; then
+ if test "$gcry_cv_gcc_inline_asm_aarch64_crypto" != "yes" ; then
+ neonsupport="no (unsupported by compiler)"
+ fi
fi
fi
$as_echo "#define ENABLE_NEON_SUPPORT 1" >>confdefs.h
fi
+if test x"$armcryptosupport" = xyes ; then
+
+$as_echo "#define ENABLE_ARM_CRYPTO_SUPPORT 1" >>confdefs.h
+
+fi
if test x"$padlocksupport" = xyes ; then
$as_echo "#define ENABLE_PADLOCK_SUPPORT 1" >>confdefs.h
arm*-*-*)
# Build with the assembly implementation
GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-arm.lo"
+
+ # Build with the ARMv8/AArch32 CE implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-ce.lo"
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-aarch32-ce.lo"
+ ;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-aarch64.lo"
+
+ # Build with the ARMv8/AArch64 CE implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-ce.lo"
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-aarch64-ce.lo"
;;
esac
# Build with the assembly implementation
GCRYPT_CIPHERS="$GCRYPT_CIPHERS twofish-arm.lo"
;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS twofish-aarch64.lo"
+ ;;
esac
fi
# Build with the assembly implementation
GCRYPT_CIPHERS="$GCRYPT_CIPHERS camellia-arm.lo"
;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS camellia-aarch64.lo"
+ ;;
esac
if test x"$avxsupport" = xyes ; then
GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha256-avx-amd64.lo"
GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha256-avx2-bmi2-amd64.lo"
;;
+ arm*-*-*)
+ # Build with the assembly implementation
+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha256-armv8-aarch32-ce.lo"
+ ;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha256-armv8-aarch64-ce.lo"
+ ;;
esac
fi
arm*-*-*)
# Build with the assembly implementation
GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha1-armv7-neon.lo"
+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha1-armv8-aarch32-ce.lo"
+ ;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha1-armv8-aarch64-ce.lo"
;;
esac
GCRYPT_HWF_MODULES="hwf-arm.lo"
;;
+ aarch64)
+
+$as_echo "#define HAVE_CPU_ARCH_ARM 1" >>confdefs.h
+
+ GCRYPT_HWF_MODULES="hwf-arm.lo"
+ ;;
esac
#
# Provide information about the build.
#
-BUILD_REVISION="48aa6d6"
+BUILD_REVISION="64e4808"
cat >>confdefs.h <<_ACEOF
BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'`
-BUILD_FILEVERSION="${BUILD_FILEVERSION}18602"
+BUILD_FILEVERSION="${BUILD_FILEVERSION}25828"
# Check whether --enable-build-timestamp was given.
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by libgcrypt $as_me 1.7.1, which was
+This file was extended by libgcrypt $as_me 1.7.6, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-libgcrypt config.status 1.7.1
+libgcrypt config.status 1.7.6
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
echo " Try using ARM NEON: $neonsupport" 1>&6
+ echo " Try using ARMv8 crypto: $armcryptosupport" 1>&6
+
+
echo " " 1>&6
# Configure.ac script for Libgcrypt
# Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2006,
# 2007, 2008, 2009, 2011 Free Software Foundation, Inc.
-# Copyright (C) 2012, 2013, 2014, 2015, 2016 g10 Code GmbH
+# Copyright (C) 2012, 2013, 2014, 2015, 2016, 2017 g10 Code GmbH
#
# This file is part of Libgcrypt.
#
# for the LT versions.
m4_define(mym4_version_major, [1])
m4_define(mym4_version_minor, [7])
-m4_define(mym4_version_micro, [1])
+m4_define(mym4_version_micro, [6])
# Below is m4 magic to extract and compute the revision number, the
# decimalized short revision number, a beta version string, and a flag
# (No interfaces changed: REVISION++)
LIBGCRYPT_LT_CURRENT=21
LIBGCRYPT_LT_AGE=1
-LIBGCRYPT_LT_REVISION=1
+LIBGCRYPT_LT_REVISION=6
# If the API is changed in an incompatible way: increment the next counter.
neonsupport=$enableval,neonsupport=yes)
AC_MSG_RESULT($neonsupport)
+# Implementation of the --disable-arm-crypto-support switch.
+AC_MSG_CHECKING([whether ARMv8 Crypto Extension support is requested])
+AC_ARG_ENABLE(arm-crypto-support,
+ AC_HELP_STRING([--disable-arm-crypto-support],
+ [Disable support for the ARMv8 Crypto Extension instructions]),
+ armcryptosupport=$enableval,armcryptosupport=yes)
+AC_MSG_RESULT($armcryptosupport)
+
# Implementation of the --disable-O-flag-munging switch.
AC_MSG_CHECKING([whether a -O flag munging is requested])
AC_ARG_ENABLE([O-flag-munging],
#
+# Check whether GCC assembler supports features needed for our ARMv8/Aarch64
+# implementations. This needs to be done before setting up the
+# assembler stuff.
+#
+AC_CACHE_CHECK([whether GCC assembler is compatible for ARMv8/Aarch64 assembly implementations],
+ [gcry_cv_gcc_aarch64_platform_as_ok],
+ [gcry_cv_gcc_aarch64_platform_as_ok=no
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE(
+ [[__asm__(
+ "asmfunc:\n\t"
+ "eor x0, x0, x30, ror #12;\n\t"
+ "add x0, x0, x30, asr #12;\n\t"
+ "eor v0.16b, v0.16b, v31.16b;\n\t"
+
+ /* Test if '.type' and '.size' are supported. */
+ ".size asmfunc,.-asmfunc;\n\t"
+ ".type asmfunc,@function;\n\t"
+ );]])],
+ [gcry_cv_gcc_aarch64_platform_as_ok=yes])])
+if test "$gcry_cv_gcc_aarch64_platform_as_ok" = "yes" ; then
+ AC_DEFINE(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS,1,
+ [Defined if underlying assembler is compatible with ARMv8/Aarch64 assembly implementations])
+fi
+
+
+#
# Check whether underscores in symbols are required. This needs to be
# done before setting up the assembler stuff.
#
fi
if test "$mpi_cpu_arch" != "arm" ; then
- neonsupport="n/a"
+ if test "$mpi_cpu_arch" != "aarch64" ; then
+ neonsupport="n/a"
+ armcryptosupport="n/a"
+ fi
fi
fi
+#
+# Check whether GCC inline assembler supports AArch32 Crypto Extension instructions
+#
+AC_CACHE_CHECK([whether GCC inline assembler supports AArch32 Crypto Extension instructions],
+ [gcry_cv_gcc_inline_asm_aarch32_crypto],
+ [if test "$mpi_cpu_arch" != "arm" ; then
+ gcry_cv_gcc_inline_asm_aarch32_crypto="n/a"
+ else
+ gcry_cv_gcc_inline_asm_aarch32_crypto=no
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE(
+ [[__asm__(
+ ".syntax unified\n\t"
+ ".arm\n\t"
+ ".fpu crypto-neon-fp-armv8\n\t"
+
+ "sha1h.32 q0, q0;\n\t"
+ "sha1c.32 q0, q0, q0;\n\t"
+ "sha1p.32 q0, q0, q0;\n\t"
+ "sha1su0.32 q0, q0, q0;\n\t"
+ "sha1su1.32 q0, q0;\n\t"
+
+ "sha256h.32 q0, q0, q0;\n\t"
+ "sha256h2.32 q0, q0, q0;\n\t"
+ "sha1p.32 q0, q0, q0;\n\t"
+ "sha256su0.32 q0, q0;\n\t"
+ "sha256su1.32 q0, q0, q15;\n\t"
+
+ "aese.8 q0, q0;\n\t"
+ "aesd.8 q0, q0;\n\t"
+ "aesmc.8 q0, q0;\n\t"
+ "aesimc.8 q0, q0;\n\t"
+
+ "vmull.p64 q0, d0, d0;\n\t"
+ );
+ ]])],
+ [gcry_cv_gcc_inline_asm_aarch32_crypto=yes])
+ fi])
+if test "$gcry_cv_gcc_inline_asm_aarch32_crypto" = "yes" ; then
+ AC_DEFINE(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO,1,
+ [Defined if inline assembler supports AArch32 Crypto Extension instructions])
+fi
+
+
+#
+# Check whether GCC inline assembler supports AArch64 NEON instructions
+#
+AC_CACHE_CHECK([whether GCC inline assembler supports AArch64 NEON instructions],
+ [gcry_cv_gcc_inline_asm_aarch64_neon],
+ [if test "$mpi_cpu_arch" != "aarch64" ; then
+ gcry_cv_gcc_inline_asm_aarch64_neon="n/a"
+ else
+ gcry_cv_gcc_inline_asm_aarch64_neon=no
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE(
+ [[__asm__(
+ ".arch armv8-a\n\t"
+ "mov w0, \#42;\n\t"
+ "dup v0.8b, w0;\n\t"
+ "ld4 {v0.8b,v1.8b,v2.8b,v3.8b},[x0],\#32;\n\t"
+ );
+ ]])],
+ [gcry_cv_gcc_inline_asm_aarch64_neon=yes])
+ fi])
+if test "$gcry_cv_gcc_inline_asm_aarch64_neon" = "yes" ; then
+ AC_DEFINE(HAVE_GCC_INLINE_ASM_AARCH64_NEON,1,
+ [Defined if inline assembler supports AArch64 NEON instructions])
+fi
+
+
+#
+# Check whether GCC inline assembler supports AArch64 Crypto Extension instructions
+#
+AC_CACHE_CHECK([whether GCC inline assembler supports AArch64 Crypto Extension instructions],
+ [gcry_cv_gcc_inline_asm_aarch64_crypto],
+ [if test "$mpi_cpu_arch" != "aarch64" ; then
+ gcry_cv_gcc_inline_asm_aarch64_crypto="n/a"
+ else
+ gcry_cv_gcc_inline_asm_aarch64_crypto=no
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE(
+ [[__asm__(
+ ".arch armv8-a+crypto\n\t"
+
+ "sha1h s0, s0;\n\t"
+ "sha1c q0, s0, v0.4s;\n\t"
+ "sha1p q0, s0, v0.4s;\n\t"
+ "sha1su0 v0.4s, v0.4s, v0.4s;\n\t"
+ "sha1su1 v0.4s, v0.4s;\n\t"
+
+ "sha256h q0, q0, v0.4s;\n\t"
+ "sha256h2 q0, q0, v0.4s;\n\t"
+ "sha1p q0, s0, v0.4s;\n\t"
+ "sha256su0 v0.4s, v0.4s;\n\t"
+ "sha256su1 v0.4s, v0.4s, v31.4s;\n\t"
+
+ "aese v0.16b, v0.16b;\n\t"
+ "aesd v0.16b, v0.16b;\n\t"
+ "aesmc v0.16b, v0.16b;\n\t"
+ "aesimc v0.16b, v0.16b;\n\t"
+
+ "pmull v0.1q, v0.1d, v31.1d;\n\t"
+ "pmull2 v0.1q, v0.2d, v31.2d;\n\t"
+ );
+ ]])],
+ [gcry_cv_gcc_inline_asm_aarch64_crypto=yes])
+ fi])
+if test "$gcry_cv_gcc_inline_asm_aarch64_crypto" = "yes" ; then
+ AC_DEFINE(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO,1,
+ [Defined if inline assembler supports AArch64 Crypto Extension instructions])
+fi
+
+
#######################################
#### Checks for library functions. ####
#######################################
fi
if test x"$neonsupport" = xyes ; then
if test "$gcry_cv_gcc_inline_asm_neon" != "yes" ; then
- neonsupport="no (unsupported by compiler)"
+ if test "$gcry_cv_gcc_inline_asm_aarch64_neon" != "yes" ; then
+ neonsupport="no (unsupported by compiler)"
+ fi
+ fi
+fi
+if test x"$armcryptosupport" = xyes ; then
+ if test "$gcry_cv_gcc_inline_asm_aarch32_crypto" != "yes" ; then
+ if test "$gcry_cv_gcc_inline_asm_aarch64_crypto" != "yes" ; then
+ neonsupport="no (unsupported by compiler)"
+ fi
fi
fi
AC_DEFINE(ENABLE_NEON_SUPPORT,1,
[Enable support for ARM NEON instructions.])
fi
+if test x"$armcryptosupport" = xyes ; then
+ AC_DEFINE(ENABLE_ARM_CRYPTO_SUPPORT,1,
+ [Enable support for ARMv8 Crypto Extension instructions.])
+fi
if test x"$padlocksupport" = xyes ; then
AC_DEFINE(ENABLE_PADLOCK_SUPPORT, 1,
[Enable support for the PadLock engine.])
arm*-*-*)
# Build with the assembly implementation
GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-arm.lo"
+
+ # Build with the ARMv8/AArch32 CE implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-ce.lo"
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-aarch32-ce.lo"
+ ;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-aarch64.lo"
+
+ # Build with the ARMv8/AArch64 CE implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-ce.lo"
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-aarch64-ce.lo"
;;
esac
# Build with the assembly implementation
GCRYPT_CIPHERS="$GCRYPT_CIPHERS twofish-arm.lo"
;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS twofish-aarch64.lo"
+ ;;
esac
fi
# Build with the assembly implementation
GCRYPT_CIPHERS="$GCRYPT_CIPHERS camellia-arm.lo"
;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS camellia-aarch64.lo"
+ ;;
esac
if test x"$avxsupport" = xyes ; then
GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha256-avx-amd64.lo"
GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha256-avx2-bmi2-amd64.lo"
;;
+ arm*-*-*)
+ # Build with the assembly implementation
+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha256-armv8-aarch32-ce.lo"
+ ;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha256-armv8-aarch64-ce.lo"
+ ;;
esac
fi
arm*-*-*)
# Build with the assembly implementation
GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha1-armv7-neon.lo"
+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha1-armv8-aarch32-ce.lo"
+ ;;
+ aarch64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha1-armv8-aarch64-ce.lo"
;;
esac
AC_DEFINE(HAVE_CPU_ARCH_ARM, 1, [Defined for ARM platforms])
GCRYPT_HWF_MODULES="hwf-arm.lo"
;;
+ aarch64)
+ AC_DEFINE(HAVE_CPU_ARCH_ARM, 1, [Defined for ARM AArch64 platforms])
+ GCRYPT_HWF_MODULES="hwf-arm.lo"
+ ;;
esac
AC_SUBST([GCRYPT_HWF_MODULES])
GCRY_MSG_SHOW([Try using Intel AVX: ],[$avxsupport])
GCRY_MSG_SHOW([Try using Intel AVX2: ],[$avx2support])
GCRY_MSG_SHOW([Try using ARM NEON: ],[$neonsupport])
+GCRY_MSG_SHOW([Try using ARMv8 crypto: ],[$armcryptosupport])
GCRY_MSG_SHOW([],[])
if test "x${gpg_config_script_warn}" != x; then
-This is gcrypt.info, produced by makeinfo version 5.2 from gcrypt.texi.
+This is gcrypt.info, produced by makeinfo version 6.3 from gcrypt.texi.
-This manual is for Libgcrypt (version 1.7.1, 15 June 2016), which is
+This manual is for Libgcrypt (version 1.7.6, 18 January 2017), which is
GNU's library of cryptographic building blocks.
Copyright (C) 2000, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2011, 2012
The Libgcrypt Library
*********************
-This manual is for Libgcrypt (version 1.7.1, 15 June 2016), which is
+This manual is for Libgcrypt (version 1.7.6, 18 January 2017), which is
GNU's library of cryptographic building blocks.
Copyright (C) 2000, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2011, 2012
process might still be running with increased privileges and that
the secure memory has not been initialized. */
- /* Allocate a pool of 16k secure memory. This make the secure memory
- available and also drops privileges where needed. */
+ /* Allocate a pool of 16k secure memory. This makes the secure memory
+ available and also drops privileges where needed. Note that by
+ using functions like gcry_xmalloc_secure and gcry_mpi_snew Libgcrypt
+ may extend the secure memory pool with memory which lacks the
+ property of not being swapped out to disk. */
gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
/* It is now okay to let Libgcrypt complain when there was/is
This command disables the use of the mlock call for secure
memory. Disabling the use of mlock may for example be done if
an encrypted swap space is in use. This command should be
- executed right after 'gcry_check_version'.
+ executed right after 'gcry_check_version'. Note that by using
+ functions like gcry_xmalloc_secure and gcry_mpi_snew Libgcrypt
+ may extend the secure memory pool with memory which lacks the
+ property of not being swapped out to disk (but will still be
+ zeroed out on free).
'GCRYCTL_DISABLE_PRIV_DROP; Arguments: none'
This command sets a global flag to tell the secure memory
session key which is in turn used for the actual encryption of the real
data. There are 2 functions to do this:
- -- Function: gcry_error_t gcry_pk_encrypt (gcry_sexp_t *R_CIPH, gcry_sexp_t DATA,
- gcry_sexp_t PKEY)
+ -- Function: gcry_error_t gcry_pk_encrypt (gcry_sexp_t *R_CIPH,
+ gcry_sexp_t DATA, gcry_sexp_t PKEY)
Obviously a public key must be provided for encryption. It is
expected as an appropriate S-expression (see above) in PKEY. The
Where A-MPI and B-MPI are MPIs with the result of the Elgamal
encryption operation.
- -- Function: gcry_error_t gcry_pk_decrypt (gcry_sexp_t *R_PLAIN, gcry_sexp_t DATA,
- gcry_sexp_t SKEY)
+ -- Function: gcry_error_t gcry_pk_decrypt (gcry_sexp_t *R_PLAIN,
+ gcry_sexp_t DATA, gcry_sexp_t SKEY)
Obviously a private key must be provided for decryption. It is
expected as an appropriate S-expression (see above) in SKEY. The
management. Libgcrypt supports digital signatures using 2 functions,
similar to the encryption functions:
- -- Function: gcry_error_t gcry_pk_sign (gcry_sexp_t *R_SIG, gcry_sexp_t DATA,
- gcry_sexp_t SKEY)
+ -- Function: gcry_error_t gcry_pk_sign (gcry_sexp_t *R_SIG,
+ gcry_sexp_t DATA, gcry_sexp_t SKEY)
This function creates a digital signature for DATA using the
private key SKEY and place it into the variable at the address of
memory, two fast convenience function are available for this task:
-- Function: gpg_err_code_t gcry_md_hash_buffers ( int ALGO,
- unsigned int FLAGS, void *DIGEST, const gcry_buffer_t *IOV, int IOVCNT
- )
+ unsigned int FLAGS, void *DIGEST, const gcry_buffer_t *IOV,
+ int IOVCNT )
'gcry_md_hash_buffers' is a shortcut function to calculate a
message digest from several buffers. This function does not
-- Function: gpg_error_t gcry_kdf_derive ( const void *PASSPHRASE,
size_t PASSPHRASELEN, int ALGO, int SUBALGO, const void *SALT,
- size_t SALTLEN, unsigned long ITERATIONS, size_t KEYSIZE, void *KEYBUFFER
- )
+ size_t SALTLEN, unsigned long ITERATIONS, size_t KEYSIZE,
+ void *KEYBUFFER )
Derive a key from a passphrase. KEYSIZE gives the requested size
of the keys in octets. KEYBUFFER is a caller provided buffer
(1) Chae Hoon Lim and Pil Joong Lee. A key recovery attack on
discrete log-based schemes using a prime order subgroup. In Burton S.
-Kaliski Jr., editor, Advances in Cryptology: Crypto '97, pages
-249-263, Berlin / Heidelberg / New York, 1997. Springer-Verlag.
-Described on page 260.
+Kaliski Jr., editor, Advances in Cryptology: Crypto '97, pages 249-263,
+Berlin / Heidelberg / New York, 1997. Springer-Verlag. Described on
+page 260.
\1f
File: gcrypt.info, Node: Random-Number Subsystem Architecture, Prev: Prime-Number-Generator Subsystem Architecture, Up: Architecture
* gcry_ctx_release: Context management. (line 13)
* gcry_ctx_t: Context management. (line 10)
* gcry_error: Error Values. (line 63)
-* gcry_error_from_errno: Error Values. (line 85)
+* gcry_error_from_errno: Error Values. (line 86)
* gcry_error_t: Error Values. (line 24)
* gcry_err_code: Error Values. (line 42)
-* gcry_err_code_from_errno: Error Values. (line 94)
+* gcry_err_code_from_errno: Error Values. (line 95)
* gcry_err_code_t: Error Values. (line 6)
-* gcry_err_code_to_errno: Error Values. (line 99)
+* gcry_err_code_to_errno: Error Values. (line 100)
* gcry_err_make: Error Values. (line 55)
* gcry_err_make_from_errno: Error Values. (line 79)
* gcry_err_source: Error Values. (line 48)
* gcry_err_source_t: Error Values. (line 13)
* gcry_fips_mode_active: Controlling the library.
- (line 247)
+ (line 251)
* gcry_free: Memory allocation. (line 33)
* gcry_handler_alloc_t: Allocation handler. (line 10)
* gcry_handler_error_t: Error handler. (line 25)
(line 113)
* gcry_mpi_abs: Basic functions. (line 63)
* gcry_mpi_add: Calculations. (line 8)
-* gcry_mpi_addm: Calculations. (line 18)
-* gcry_mpi_add_ui: Calculations. (line 13)
+* gcry_mpi_addm: Calculations. (line 19)
+* gcry_mpi_add_ui: Calculations. (line 14)
* gcry_mpi_aprint: MPI formats. (line 59)
* gcry_mpi_clear_bit: Bit manipulations. (line 21)
-* gcry_mpi_clear_flag: Miscellaneous. (line 75)
+* gcry_mpi_clear_flag: Miscellaneous. (line 77)
* gcry_mpi_clear_highbit: Bit manipulations. (line 29)
* gcry_mpi_cmp: Comparisons. (line 8)
* gcry_mpi_cmp_ui: Comparisons. (line 17)
* gcry_mpi_copy: Basic functions. (line 24)
-* gcry_mpi_div: Calculations. (line 58)
+* gcry_mpi_div: Calculations. (line 61)
* gcry_mpi_dump: MPI formats. (line 74)
-* gcry_mpi_ec_add: EC functions. (line 156)
-* gcry_mpi_ec_curve_point: EC functions. (line 175)
-* gcry_mpi_ec_decode_point: EC functions. (line 127)
-* gcry_mpi_ec_dup: EC functions. (line 150)
-* gcry_mpi_ec_get_affine: EC functions. (line 137)
-* gcry_mpi_ec_get_mpi: EC functions. (line 82)
-* gcry_mpi_ec_get_point: EC functions. (line 100)
-* gcry_mpi_ec_mul: EC functions. (line 169)
-* gcry_mpi_ec_new: EC functions. (line 60)
-* gcry_mpi_ec_set_mpi: EC functions. (line 113)
-* gcry_mpi_ec_set_point: EC functions. (line 120)
-* gcry_mpi_ec_sub: EC functions. (line 162)
-* gcry_mpi_gcd: Calculations. (line 74)
-* gcry_mpi_get_flag: Miscellaneous. (line 83)
+* gcry_mpi_ec_add: EC functions. (line 158)
+* gcry_mpi_ec_curve_point: EC functions. (line 177)
+* gcry_mpi_ec_decode_point: EC functions. (line 128)
+* gcry_mpi_ec_dup: EC functions. (line 152)
+* gcry_mpi_ec_get_affine: EC functions. (line 139)
+* gcry_mpi_ec_get_mpi: EC functions. (line 83)
+* gcry_mpi_ec_get_point: EC functions. (line 101)
+* gcry_mpi_ec_mul: EC functions. (line 171)
+* gcry_mpi_ec_new: EC functions. (line 61)
+* gcry_mpi_ec_set_mpi: EC functions. (line 114)
+* gcry_mpi_ec_set_point: EC functions. (line 121)
+* gcry_mpi_ec_sub: EC functions. (line 164)
+* gcry_mpi_gcd: Calculations. (line 78)
+* gcry_mpi_get_flag: Miscellaneous. (line 85)
* gcry_mpi_get_nbits: Bit manipulations. (line 9)
* gcry_mpi_get_opaque: Miscellaneous. (line 31)
-* gcry_mpi_invm: Calculations. (line 80)
+* gcry_mpi_invm: Calculations. (line 84)
* gcry_mpi_is_neg: Comparisons. (line 23)
* gcry_mpi_lshift: Bit manipulations. (line 39)
-* gcry_mpi_mod: Calculations. (line 64)
-* gcry_mpi_mul: Calculations. (line 38)
-* gcry_mpi_mulm: Calculations. (line 48)
-* gcry_mpi_mul_2exp: Calculations. (line 53)
-* gcry_mpi_mul_ui: Calculations. (line 43)
+* gcry_mpi_mod: Calculations. (line 68)
+* gcry_mpi_mul: Calculations. (line 40)
+* gcry_mpi_mulm: Calculations. (line 51)
+* gcry_mpi_mul_2exp: Calculations. (line 56)
+* gcry_mpi_mul_ui: Calculations. (line 46)
* gcry_mpi_neg: Basic functions. (line 59)
* gcry_mpi_new: Basic functions. (line 9)
* gcry_mpi_point_get: EC functions. (line 23)
* gcry_mpi_point_release: EC functions. (line 18)
* gcry_mpi_point_set: EC functions. (line 39)
* gcry_mpi_point_snatch_get: EC functions. (line 30)
-* gcry_mpi_point_snatch_set: EC functions. (line 48)
+* gcry_mpi_point_snatch_set: EC functions. (line 49)
* gcry_mpi_point_t: Data types. (line 9)
-* gcry_mpi_powm: Calculations. (line 69)
+* gcry_mpi_powm: Calculations. (line 73)
* gcry_mpi_print: MPI formats. (line 49)
-* gcry_mpi_randomize: Miscellaneous. (line 91)
+* gcry_mpi_randomize: Miscellaneous. (line 94)
* gcry_mpi_release: Basic functions. (line 29)
* gcry_mpi_rshift: Bit manipulations. (line 33)
* gcry_mpi_scan: MPI formats. (line 9)
* gcry_mpi_set: Basic functions. (line 37)
* gcry_mpi_set_bit: Bit manipulations. (line 17)
-* gcry_mpi_set_flag: Miscellaneous. (line 68)
+* gcry_mpi_set_flag: Miscellaneous. (line 69)
* gcry_mpi_set_highbit: Bit manipulations. (line 25)
* gcry_mpi_set_opaque: Miscellaneous. (line 9)
* gcry_mpi_set_opaque_copy: Miscellaneous. (line 25)
* gcry_mpi_set_ui: Basic functions. (line 42)
* gcry_mpi_snatch: Basic functions. (line 54)
* gcry_mpi_snew: Basic functions. (line 17)
-* gcry_mpi_sub: Calculations. (line 23)
-* gcry_mpi_subm: Calculations. (line 33)
-* gcry_mpi_sub_ui: Calculations. (line 28)
+* gcry_mpi_sub: Calculations. (line 24)
+* gcry_mpi_subm: Calculations. (line 35)
+* gcry_mpi_sub_ui: Calculations. (line 30)
* gcry_mpi_swap: Basic functions. (line 50)
* gcry_mpi_t: Data types. (line 6)
* gcry_mpi_test_bit: Bit manipulations. (line 13)
* gcry_pk_algo_name: General public-key related Functions.
(line 9)
* gcry_pk_ctl: General public-key related Functions.
- (line 100)
+ (line 101)
* gcry_pk_decrypt: Cryptographic Functions.
- (line 149)
+ (line 148)
* gcry_pk_encrypt: Cryptographic Functions.
(line 91)
* gcry_pk_genkey: General public-key related Functions.
- (line 117)
+ (line 119)
* gcry_pk_get_keygrip: General public-key related Functions.
(line 31)
* gcry_pk_get_nbits: General public-key related Functions.
* gcry_pk_map_name: General public-key related Functions.
(line 16)
* gcry_pk_sign: Cryptographic Functions.
- (line 189)
+ (line 187)
* gcry_pk_testkey: General public-key related Functions.
(line 43)
* gcry_pk_test_algo: General public-key related Functions.
(line 21)
* gcry_pk_verify: Cryptographic Functions.
- (line 281)
+ (line 278)
* gcry_prime_check: Checking. (line 6)
* gcry_prime_generate: Generation. (line 6)
* gcry_prime_group_generator: Generation. (line 18)
* gcry_prime_release_factors: Generation. (line 26)
* gcry_pubkey_get_sexp: General public-key related Functions.
- (line 309)
+ (line 311)
* gcry_randomize: Retrieving random numbers.
(line 6)
* gcry_random_bytes: Retrieving random numbers.
* gcry_set_outofcore_handler: Error handler. (line 13)
* gcry_set_progress_handler: Progress handler. (line 19)
* gcry_sexp_build: Working with S-expressions.
- (line 44)
+ (line 46)
* gcry_sexp_canon_len: Working with S-expressions.
- (line 132)
+ (line 134)
* gcry_sexp_car: Working with S-expressions.
- (line 165)
+ (line 168)
* gcry_sexp_cdr: Working with S-expressions.
- (line 172)
+ (line 175)
* gcry_sexp_create: Working with S-expressions.
(line 24)
* gcry_sexp_dump: Working with S-expressions.
- (line 123)
+ (line 125)
* gcry_sexp_extract_param: Working with S-expressions.
- (line 240)
+ (line 244)
* gcry_sexp_find_token: Working with S-expressions.
- (line 144)
+ (line 146)
* gcry_sexp_length: Working with S-expressions.
- (line 153)
+ (line 155)
* gcry_sexp_new: Working with S-expressions.
(line 11)
* gcry_sexp_nth: Working with S-expressions.
- (line 158)
+ (line 160)
* gcry_sexp_nth_buffer: Working with S-expressions.
- (line 199)
+ (line 202)
* gcry_sexp_nth_data: Working with S-expressions.
- (line 180)
+ (line 183)
* gcry_sexp_nth_mpi: Working with S-expressions.
- (line 228)
+ (line 232)
* gcry_sexp_nth_string: Working with S-expressions.
- (line 220)
+ (line 224)
* gcry_sexp_release: Working with S-expressions.
- (line 87)
+ (line 89)
* gcry_sexp_sprint: Working with S-expressions.
- (line 98)
+ (line 100)
* gcry_sexp_sscan: Working with S-expressions.
- (line 37)
+ (line 39)
* gcry_sexp_t: Data types for S-expressions.
(line 6)
* gcry_strerror: Error Strings. (line 6)
\1f
Tag Table:
-Node: Top\7f829
-Node: Introduction\7f3348
-Node: Getting Started\7f3720
-Node: Features\7f4600
-Node: Overview\7f5384
-Node: Preparation\7f6007
-Node: Header\7f6930
-Node: Building sources\7f8001
-Node: Building sources using Automake\7f9918
-Node: Initializing the library\7f11846
-Ref: sample-use-suspend-secmem\7f14914
-Ref: sample-use-resume-secmem\7f15537
-Node: Multi-Threading\7f16440
-Ref: Multi-Threading-Footnote-1\7f17619
-Node: Enabling FIPS mode\7f18028
-Ref: enabling fips mode\7f18209
-Node: Hardware features\7f20021
-Ref: hardware features\7f20188
-Ref: Hardware features-Footnote-1\7f21255
-Node: Generalities\7f21416
-Node: Controlling the library\7f21675
-Node: Error Handling\7f38376
-Node: Error Values\7f40915
-Node: Error Sources\7f45855
-Node: Error Codes\7f48123
-Node: Error Strings\7f51599
-Node: Handler Functions\7f52783
-Node: Progress handler\7f53342
-Node: Allocation handler\7f55491
-Node: Error handler\7f57037
-Node: Logging handler\7f58603
-Node: Symmetric cryptography\7f59195
-Node: Available ciphers\7f59935
-Node: Available cipher modes\7f62616
-Node: Working with cipher handles\7f65619
-Node: General cipher functions\7f77088
-Node: Public Key cryptography\7f80614
-Node: Available algorithms\7f81380
-Node: Used S-expressions\7f81729
-Node: RSA key parameters\7f82846
-Node: DSA key parameters\7f84121
-Node: ECC key parameters\7f84775
-Ref: ecc_keyparam\7f84926
-Node: Cryptographic Functions\7f86797
-Node: General public-key related Functions\7f98616
-Node: Hashing\7f112136
-Node: Available hash algorithms\7f112869
-Node: Working with hash algorithms\7f117656
-Node: Message Authentication Codes\7f131609
-Node: Available MAC algorithms\7f132277
-Node: Working with MAC algorithms\7f137439
-Node: Key Derivation\7f143427
-Node: Random Numbers\7f145829
-Node: Quality of random numbers\7f146112
-Node: Retrieving random numbers\7f146795
-Node: S-expressions\7f148284
-Node: Data types for S-expressions\7f148929
-Node: Working with S-expressions\7f149255
-Node: MPI library\7f162920
-Node: Data types\7f163942
-Node: Basic functions\7f164251
-Node: MPI formats\7f166715
-Node: Calculations\7f170239
-Node: Comparisons\7f172508
-Node: Bit manipulations\7f173511
-Node: EC functions\7f174833
-Ref: gcry_mpi_ec_new\7f177538
-Node: Miscellaneous\7f183097
-Node: Prime numbers\7f187241
-Node: Generation\7f187511
-Node: Checking\7f188798
-Node: Utilities\7f189208
-Node: Memory allocation\7f189520
-Node: Context management\7f190876
-Ref: gcry_ctx_release\7f191314
-Node: Buffer description\7f191475
-Node: Tools\7f192237
-Node: hmac256\7f192404
-Node: Configuration\7f193410
-Node: Architecture\7f195596
-Ref: fig:subsystems\7f197120
-Ref: Architecture-Footnote-1\7f198206
-Ref: Architecture-Footnote-2\7f198268
-Node: Public-Key Subsystem Architecture\7f198352
-Node: Symmetric Encryption Subsystem Architecture\7f200630
-Node: Hashing and MACing Subsystem Architecture\7f202076
-Node: Multi-Precision-Integer Subsystem Architecture\7f203999
-Node: Prime-Number-Generator Subsystem Architecture\7f205437
-Ref: Prime-Number-Generator Subsystem Architecture-Footnote-1\7f207368
-Node: Random-Number Subsystem Architecture\7f207659
-Node: CSPRNG Description\7f210183
-Ref: CSPRNG Description-Footnote-1\7f211739
-Node: FIPS PRNG Description\7f211862
-Node: Self-Tests\7f213996
-Node: FIPS Mode\7f225455
-Ref: fig:fips-fsm\7f229281
-Ref: tbl:fips-states\7f229384
-Ref: tbl:fips-state-transitions\7f230636
-Node: Library Copying\7f234257
-Node: Copying\7f262363
-Node: Figures and Tables\7f281539
-Node: Concept Index\7f281964
-Node: Function and Data Index\7f292561
+Node: Top\7f832
+Node: Introduction\7f3354
+Node: Getting Started\7f3726
+Node: Features\7f4606
+Node: Overview\7f5390
+Node: Preparation\7f6013
+Node: Header\7f6936
+Node: Building sources\7f8007
+Node: Building sources using Automake\7f9924
+Node: Initializing the library\7f11852
+Ref: sample-use-suspend-secmem\7f14920
+Ref: sample-use-resume-secmem\7f15763
+Node: Multi-Threading\7f16666
+Ref: Multi-Threading-Footnote-1\7f17845
+Node: Enabling FIPS mode\7f18254
+Ref: enabling fips mode\7f18435
+Node: Hardware features\7f20247
+Ref: hardware features\7f20414
+Ref: Hardware features-Footnote-1\7f21481
+Node: Generalities\7f21642
+Node: Controlling the library\7f21901
+Node: Error Handling\7f38869
+Node: Error Values\7f41408
+Node: Error Sources\7f46348
+Node: Error Codes\7f48616
+Node: Error Strings\7f52092
+Node: Handler Functions\7f53276
+Node: Progress handler\7f53835
+Node: Allocation handler\7f55984
+Node: Error handler\7f57530
+Node: Logging handler\7f59096
+Node: Symmetric cryptography\7f59688
+Node: Available ciphers\7f60428
+Node: Available cipher modes\7f63109
+Node: Working with cipher handles\7f66112
+Node: General cipher functions\7f77581
+Node: Public Key cryptography\7f81107
+Node: Available algorithms\7f81873
+Node: Used S-expressions\7f82222
+Node: RSA key parameters\7f83339
+Node: DSA key parameters\7f84614
+Node: ECC key parameters\7f85268
+Ref: ecc_keyparam\7f85419
+Node: Cryptographic Functions\7f87290
+Node: General public-key related Functions\7f99109
+Node: Hashing\7f112629
+Node: Available hash algorithms\7f113362
+Node: Working with hash algorithms\7f118149
+Node: Message Authentication Codes\7f132102
+Node: Available MAC algorithms\7f132770
+Node: Working with MAC algorithms\7f137932
+Node: Key Derivation\7f143920
+Node: Random Numbers\7f146322
+Node: Quality of random numbers\7f146605
+Node: Retrieving random numbers\7f147288
+Node: S-expressions\7f148777
+Node: Data types for S-expressions\7f149422
+Node: Working with S-expressions\7f149748
+Node: MPI library\7f163413
+Node: Data types\7f164435
+Node: Basic functions\7f164744
+Node: MPI formats\7f167208
+Node: Calculations\7f170732
+Node: Comparisons\7f173001
+Node: Bit manipulations\7f174004
+Node: EC functions\7f175326
+Ref: gcry_mpi_ec_new\7f178031
+Node: Miscellaneous\7f183590
+Node: Prime numbers\7f187734
+Node: Generation\7f188004
+Node: Checking\7f189291
+Node: Utilities\7f189701
+Node: Memory allocation\7f190013
+Node: Context management\7f191369
+Ref: gcry_ctx_release\7f191807
+Node: Buffer description\7f191968
+Node: Tools\7f192730
+Node: hmac256\7f192897
+Node: Configuration\7f193903
+Node: Architecture\7f196089
+Ref: fig:subsystems\7f197613
+Ref: Architecture-Footnote-1\7f198699
+Ref: Architecture-Footnote-2\7f198761
+Node: Public-Key Subsystem Architecture\7f198845
+Node: Symmetric Encryption Subsystem Architecture\7f201123
+Node: Hashing and MACing Subsystem Architecture\7f202569
+Node: Multi-Precision-Integer Subsystem Architecture\7f204492
+Node: Prime-Number-Generator Subsystem Architecture\7f205930
+Ref: Prime-Number-Generator Subsystem Architecture-Footnote-1\7f207861
+Node: Random-Number Subsystem Architecture\7f208153
+Node: CSPRNG Description\7f210677
+Ref: CSPRNG Description-Footnote-1\7f212233
+Node: FIPS PRNG Description\7f212356
+Node: Self-Tests\7f214490
+Node: FIPS Mode\7f225949
+Ref: fig:fips-fsm\7f229775
+Ref: tbl:fips-states\7f229878
+Ref: tbl:fips-state-transitions\7f231130
+Node: Library Copying\7f234751
+Node: Copying\7f262857
+Node: Figures and Tables\7f282033
+Node: Concept Index\7f282458
+Node: Function and Data Index\7f293055
\1f
End Tag Table
process might still be running with increased privileges and that
the secure memory has not been initialized. */
- /* Allocate a pool of 16k secure memory. This make the secure memory
- available and also drops privileges where needed. */
+ /* Allocate a pool of 16k secure memory. This makes the secure memory
+ available and also drops privileges where needed. Note that by
+ using functions like gcry_xmalloc_secure and gcry_mpi_snew Libgcrypt
+ may extend the secure memory pool with memory which lacks the
+ property of not being swapped out to disk. */
gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
@anchor{sample-use-resume-secmem}
This command disables the use of the mlock call for secure memory.
Disabling the use of mlock may for example be done if an encrypted
swap space is in use. This command should be executed right after
-@code{gcry_check_version}.
+@code{gcry_check_version}. Note that by using functions like
+gcry_xmalloc_secure and gcry_mpi_snew Libgcrypt may extend the secure
+memory pool with memory which lacks the property of not being swapped
+out to disk (but will still be zeroed out on free).
@item GCRYCTL_DISABLE_PRIV_DROP; Arguments: none
This command sets a global flag to tell the secure memory subsystem
-@set UPDATED 15 June 2016
-@set UPDATED-MONTH June 2016
-@set EDITION 1.7.1
-@set VERSION 1.7.1
+@set UPDATED 18 January 2017
+@set UPDATED-MONTH January 2017
+@set EDITION 1.7.6
+@set VERSION 1.7.6
-@set UPDATED 15 June 2016
-@set UPDATED-MONTH June 2016
-@set EDITION 1.7.1
-@set VERSION 1.7.1
+@set UPDATED 18 January 2017
+@set UPDATED-MONTH January 2017
+@set EDITION 1.7.6
+@set VERSION 1.7.6
/* yat2m.c - Yet Another Texi 2 Man converter
- * Copyright (C) 2005, 2013 g10 Code GmbH
+ * Copyright (C) 2005, 2013, 2015, 2016 g10 Code GmbH
* Copyright (C) 2006, 2008, 2011 Free Software Foundation, Inc.
*
* This program is free software; you can redistribute it and/or modify
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
*/
/*
#include <time.h>
+#if __GNUC__
+# define MY_GCC_VERSION (__GNUC__ * 10000 \
+ + __GNUC_MINOR__ * 100 \
+ + __GNUC_PATCHLEVEL__)
+#else
+# define MY_GCC_VERSION 0
+#endif
+
+#if MY_GCC_VERSION >= 20500
+# define ATTR_PRINTF(f, a) __attribute__ ((format(printf,f,a)))
+# define ATTR_NR_PRINTF(f, a) __attribute__ ((noreturn, format(printf,f,a)))
+#else
+# define ATTR_PRINTF(f, a)
+# define ATTR_NR_PRINTF(f, a)
+#endif
+#if MY_GCC_VERSION >= 30200
+# define ATTR_MALLOC __attribute__ ((__malloc__))
+#else
+# define ATTR_MALLOC
+#endif
+
+
+
#define PGM "yat2m"
#define VERSION "1.0"
static int debug;
static const char *opt_source;
static const char *opt_release;
+static const char *opt_date;
static const char *opt_select;
static const char *opt_include;
static int opt_store;
static void proc_texi_buffer (FILE *fp, const char *line, size_t len,
int *table_level, int *eol_action);
+static void die (const char *format, ...) ATTR_NR_PRINTF(1,2);
+static void err (const char *format, ...) ATTR_PRINTF(1,2);
+static void inf (const char *format, ...) ATTR_PRINTF(1,2);
+static void *xmalloc (size_t n) ATTR_MALLOC;
+static void *xcalloc (size_t n, size_t m) ATTR_MALLOC;
+
+/*-- Functions --*/
+
/* Print diagnostic message and exit with failure. */
static void
die (const char *format, ...)
{
static char buffer[11+5];
struct tm *tp;
- time_t atime = time (NULL);
+ time_t atime;
+ if (opt_date && *opt_date)
+ atime = strtoul (opt_date, NULL, 10);
+ else
+ atime = time (NULL);
if (atime < 0)
strcpy (buffer, "????" "-??" "-??");
else
for (i=0; i < thepage.n_sections; i++)
if (!thepage.sections[i].name)
break;
- if (i < thepage.n_sections)
+ if (thepage.n_sections && i < thepage.n_sections)
sect = thepage.sections + i;
else
{
} cmdtbl[] = {
{ "command", 0, "\\fB", "\\fR" },
{ "code", 0, "\\fB", "\\fR" },
+ { "url", 0, "\\fB", "\\fR" },
{ "sc", 0, "\\fB", "\\fR" },
{ "var", 0, "\\fI", "\\fR" },
{ "samp", 0, "\\(aq", "\\(aq" },
{ "emph", 0, "\\fI", "\\fR" },
{ "w", 1 },
{ "c", 5 },
+ { "efindex", 1 },
{ "opindex", 1 },
{ "cpindex", 1 },
{ "cindex", 1 },
}
else
inf ("texinfo command '%s' not supported (%.*s)", command,
- ((s = memchr (rest, '\n', len)), (s? (s-rest) : len)), rest);
+ (int)((s = memchr (rest, '\n', len)), (s? (s-rest) : len)), rest);
}
if (*rest == '{')
assert (n <= len);
s += n; len -= n;
s--; len++;
- in_cmd = 0;
+ /* in_cmd = 0; -- doc only */
}
}
}
if (!incfp)
- err ("can't open include file '%s':%s",
+ err ("can't open include file '%s': %s",
incname, strerror (errno));
else
{
"Extract man pages from a Texinfo source.\n\n"
" --source NAME use NAME as source field\n"
" --release STRING use STRING as the release field\n"
+ " --date EPOCH use EPOCH as publication date\n"
" --store write output using @manpage name\n"
" --select NAME only output pages with @manpage NAME\n"
" --verbose enable extra informational output\n"
" --debug enable additional debug output\n"
" --help display this help and exit\n"
" -I DIR also search in include DIR\n"
- " -D gpgone the only useable define\n\n"
+ " -D gpgone the only usable define\n\n"
"With no FILE, or when FILE is -, read standard input.\n\n"
"Report bugs to <bugs@g10code.com>.");
exit (0);
argc--; argv++;
}
}
+ else if (!strcmp (*argv, "--date"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ opt_date = *argv;
+ argc--; argv++;
+ }
+ }
else if (!strcmp (*argv, "--store"))
{
opt_store = 1;
addq $2, %rdx
jg .Lendo
- ALIGN(8) /* minimal alignment for claimed speed */
+ ALIGN(4) /* minimal alignment for claimed speed */
.Loop: movq -8(%rsi,%rdx,8), %mm6
movq %mm6, %mm2
psllq %mm0, %mm6
mpi_ptr_t ap;
mpi_size_t n;
unsigned int i;
- unsigned int nbits = mpi_get_nbits (a);
+ unsigned int nbits;
- if (mpi_is_immutable (a))
+ if (!a || mpi_is_immutable (a))
{
mpi_immutable_failed ();
return;
}
+ nbits = mpi_get_nbits (a);
+
mpi_normalize (a);
ap = a->d;
n = a->nlimbs;
/*
- Mix the pool:
-
- |........blocks*20byte........|20byte|..44byte..|
- <..44byte..> <20byte>
- | |
- | +------+
- +---------------------------|----------+
- v v
- |........blocks*20byte........|20byte|..44byte..|
- <.....64bytes.....>
- |
- +----------------------------------+
- Hash
- v
- |.............................|20byte|..44byte..|
- <20byte><20byte><..44byte..>
- | |
- | +---------------------+
- +-----------------------------+ |
- v v
- |.............................|20byte|..44byte..|
- <.....64byte......>
- |
- +-------------------------+
- Hash
- v
- |.............................|20byte|..44byte..|
- <20byte><20byte><..44byte..>
-
- and so on until we did this for all blocks.
-
- To better protect against implementation errors in this code, we
- xor a digest of the entire pool into the pool before mixing.
-
- Note: this function must only be called with a locked pool.
+ * Mix the 600 byte pool. Note that the 64 byte scratch area directly
+ * follows the pool. The numbers in the diagram give the number of
+ * bytes.
+ * <................600...............> <.64.>
+ * pool |------------------------------------| |------|
+ * <20><.24.> <20>
+ * | | +-----+
+ * +-----|-------------------------------|-+
+ * +-------------------------------|-|-+
+ * v v v
+ * |------|
+ * <hash>
+ * +---------------------------------------+
+ * v
+ * <20>
+ * pool' |------------------------------------|
+ * <20><20><.24.>
+ * +---|-----|---------------------------+
+ * +-----|---------------------------|-+
+ * +---------------------------|-|-+
+ * v v v
+ * |------|
+ * <hash>
+ * |
+ * +-----------------------------------+
+ * v
+ * <20>
+ * pool'' |------------------------------------|
+ * <20><20><20><.24.>
+ * +---|-----|-----------------------+
+ * +-----|-----------------------|-+
+ * +-----------------------|-|-+
+ * v v v
+ *
+ * and so on until we did this for all 30 blocks.
+ *
+ * To better protect against implementation errors in this code, we
+ * xor a digest of the entire pool into the pool before mixing.
+ *
+ * Note: this function must only be called with a locked pool.
*/
static void
mix_pool(unsigned char *pool)
gcry_assert (pool_is_locked);
_gcry_sha1_mixblock_init (&md);
- /* Loop over the pool. */
+ /* pool_0 -> pool'. */
pend = pool + POOLSIZE;
- memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
- memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
+ memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN);
+ memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
nburn = _gcry_sha1_mixblock (&md, hashbuf);
- memcpy(pool, hashbuf, 20 );
+ memcpy (pool, hashbuf, DIGESTLEN);
if (failsafe_digest_valid && pool == rndpool)
{
- for (i=0; i < 20; i++)
+ for (i=0; i < DIGESTLEN; i++)
pool[i] ^= failsafe_digest[i];
}
+ /* Loop for the remaining iterations. */
p = pool;
for (n=1; n < POOLBLOCKS; n++)
{
- memcpy (hashbuf, p, DIGESTLEN);
-
- p += DIGESTLEN;
- if (p+DIGESTLEN+BLOCKLEN < pend)
- memcpy (hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN);
+ if (p + BLOCKLEN < pend)
+ memcpy (hashbuf, p, BLOCKLEN);
else
{
- unsigned char *pp = p + DIGESTLEN;
+ unsigned char *pp = p;
- for (i=DIGESTLEN; i < BLOCKLEN; i++ )
+ for (i=0; i < BLOCKLEN; i++ )
{
if ( pp >= pend )
pp = pool;
}
_gcry_sha1_mixblock (&md, hashbuf);
- memcpy(p, hashbuf, 20 );
+ p += DIGESTLEN;
+ memcpy (p, hashbuf, DIGESTLEN);
}
/* Our hash implementation does only leave small parts (64 bytes)
gpg_err_code_t (*generate) (drbg_state_t drbg,
unsigned char *buf, unsigned int buflen,
drbg_string_t *addtl);
+ gpg_err_code_t (*crypto_init) (drbg_state_t drbg);
+ void (*crypto_fini) (drbg_state_t drbg);
};
struct drbg_test_data_s
* 10.1.1.1 1c) */
unsigned char *scratchpad; /* some memory the DRBG can use for its
* operation -- allocated during init */
+ void *priv_data; /* Cipher handle */
+ gcry_cipher_hd_t ctr_handle; /* CTR mode cipher handle */
+#define DRBG_CTR_NULL_LEN 128
+ unsigned char *ctr_null; /* CTR mode zero buffer */
int seeded:1; /* DRBG fully seeded? */
int pr:1; /* Prediction resistance enabled? */
/* Taken from libgcrypt ANSI X9.31 DRNG: We need to keep track of the
{DRBG_CTRAES | DRBG_SYM256, 48, 16, GCRY_CIPHER_AES256}
};
-static gpg_err_code_t drbg_sym (drbg_state_t drbg,
- const unsigned char *key,
- unsigned char *outval,
- const drbg_string_t *buf);
-static gpg_err_code_t drbg_hmac (drbg_state_t drbg,
- const unsigned char *key,
- unsigned char *outval,
- const drbg_string_t *buf);
+static gpg_err_code_t drbg_hash_init (drbg_state_t drbg);
+static gpg_err_code_t drbg_hmac_init (drbg_state_t drbg);
+static gpg_err_code_t drbg_hmac_setkey (drbg_state_t drbg,
+ const unsigned char *key);
+static void drbg_hash_fini (drbg_state_t drbg);
+static byte *drbg_hash (drbg_state_t drbg, const drbg_string_t *buf);
+static gpg_err_code_t drbg_sym_init (drbg_state_t drbg);
+static void drbg_sym_fini (drbg_state_t drbg);
+static gpg_err_code_t drbg_sym_setkey (drbg_state_t drbg,
+ const unsigned char *key);
+static gpg_err_code_t drbg_sym (drbg_state_t drbg, unsigned char *outval,
+ const drbg_string_t *buf);
+static gpg_err_code_t drbg_sym_ctr (drbg_state_t drbg,
+ const unsigned char *inbuf, unsigned int inbuflen,
+ unsigned char *outbuf, unsigned int outbuflen);
/******************************************************************
******************************************************************
/* 10.4.3 step 1 */
memset (out, 0, drbg_blocklen (drbg));
+ ret = drbg_sym_setkey(drbg, key);
+ if (ret)
+ return ret;
+
/* 10.4.3 step 2 / 4 */
while (inpos)
{
}
}
/* 10.4.3 step 4.2 */
- ret = drbg_sym (drbg, key, out, &data);
+ ret = drbg_sym (drbg, out, &data);
if (ret)
return ret;
/* 10.4.3 step 2 */
/* 10.4.2 step 12: overwriting of outval */
/* 10.4.2 step 13 */
+ ret = drbg_sym_setkey(drbg, temp);
+ if (ret)
+ goto out;
while (generated_len < bytes_to_return)
{
short blocklen = 0;
/* the truncation of the key length is implicit as the key
* is only drbg_blocklen in size -- check for the implementation
* of the cipher function callback */
- ret = drbg_sym (drbg, temp, X, &cipherin);
+ ret = drbg_sym (drbg, X, &cipherin);
if (ret)
goto out;
- blocklen = (drbg_blocklen (drbg) <
- (bytes_to_return - generated_len)) ?
+ blocklen = (drbg_blocklen (drbg) < (bytes_to_return - generated_len)) ?
drbg_blocklen (drbg) : (bytes_to_return - generated_len);
/* 10.4.2 step 13.2 and 14 */
memcpy (df_data + generated_len, X, blocklen);
unsigned char *temp = drbg->scratchpad;
unsigned char *df_data = drbg->scratchpad +
drbg_statelen (drbg) + drbg_blocklen (drbg);
- unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */
- unsigned int len = 0;
- drbg_string_t cipherin;
unsigned char prefix = DRBG_PREFIX1;
memset (temp, 0, drbg_statelen (drbg) + drbg_blocklen (drbg));
if (3 > reseed)
memset (df_data, 0, drbg_statelen (drbg));
- /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
- /* TODO use reseed variable to avoid re-doing DF operation */
- (void) reseed;
- if (addtl && 0 < addtl->len)
+ if (!reseed)
{
- ret =
- drbg_ctr_df (drbg, df_data, drbg_statelen (drbg), addtl);
+ /*
+ * The DRBG uses the CTR mode of the underlying AES cipher. The
+ * CTR mode increments the counter value after the AES operation
+ * but SP800-90A requires that the counter is incremented before
+ * the AES operation. Hence, we increment it at the time we set
+ * it by one.
+ */
+ drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
+
+ ret = _gcry_cipher_setkey (drbg->ctr_handle, drbg->C, drbg_keylen (drbg));
if (ret)
- goto out;
+ goto out;
}
- drbg_string_fill (&cipherin, drbg->V, drbg_blocklen (drbg));
- /* 10.2.1.3.2 step 2 and 3 -- are already covered as we memset(0)
- * all memory during initialization */
- while (len < (drbg_statelen (drbg)))
+ /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
+ if (addtl && 0 < addtl->len)
{
- /* 10.2.1.2 step 2.1 */
- drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
- /* 10.2.1.2 step 2.2 */
- /* using target of temp + len: 10.2.1.2 step 2.3 and 3 */
- ret = drbg_sym (drbg, drbg->C, temp + len, &cipherin);
+ ret =
+ drbg_ctr_df (drbg, df_data, drbg_statelen (drbg), addtl);
if (ret)
goto out;
- /* 10.2.1.2 step 2.3 and 3 */
- len += drbg_blocklen (drbg);
}
- /* 10.2.1.2 step 4 */
- temp_p = temp;
- df_data_p = df_data;
- for (len = 0; len < drbg_statelen (drbg); len++)
- {
- *temp_p ^= *df_data_p;
- df_data_p++;
- temp_p++;
- }
+ ret = drbg_sym_ctr (drbg, df_data, drbg_statelen(drbg),
+ temp, drbg_statelen(drbg));
+ if (ret)
+ goto out;
/* 10.2.1.2 step 5 */
- memcpy (drbg->C, temp, drbg_keylen (drbg));
+ ret = _gcry_cipher_setkey (drbg->ctr_handle, temp, drbg_keylen (drbg));
+ if (ret)
+ goto out;
+
/* 10.2.1.2 step 6 */
memcpy (drbg->V, temp + drbg_keylen (drbg), drbg_blocklen (drbg));
+ /* See above: increment counter by one to compensate timing of CTR op */
+ drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
ret = 0;
out:
drbg_string_t *addtl)
{
gpg_err_code_t ret = 0;
- unsigned int len = 0;
- drbg_string_t data;
- unsigned char prefix = DRBG_PREFIX1;
memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
}
/* 10.2.1.5.2 step 4.1 */
- drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
- drbg_string_fill (&data, drbg->V, drbg_blocklen (drbg));
- while (len < buflen)
- {
- unsigned int outlen = 0;
- /* 10.2.1.5.2 step 4.2 */
- ret = drbg_sym (drbg, drbg->C, drbg->scratchpad, &data);
- if (ret)
- goto out;
- outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
- drbg_blocklen (drbg) : (buflen - len);
- /* 10.2.1.5.2 step 4.3 */
- memcpy (buf + len, drbg->scratchpad, outlen);
- len += outlen;
- /* 10.2.1.5.2 step 6 */
- if (len < buflen)
- drbg_add_buf (drbg->V, drbg_blocklen (drbg), &prefix, 1);
- }
+ ret = drbg_sym_ctr (drbg, drbg->ctr_null, DRBG_CTR_NULL_LEN, buf, buflen);
+ if (ret)
+ goto out;
/* 10.2.1.5.2 step 6 */
if (addtl)
ret = drbg_ctr_update (drbg, addtl, 3);
out:
- memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
return ret;
}
static struct drbg_state_ops_s drbg_ctr_ops = {
drbg_ctr_update,
- drbg_ctr_generate
+ drbg_ctr_generate,
+ drbg_sym_init,
+ drbg_sym_fini,
};
/******************************************************************
/* 10.1.2.3 step 2 already implicitly covered with
* the initial memset(0) of drbg->C */
memset (drbg->V, 1, drbg_statelen (drbg));
+ ret = drbg_hmac_setkey (drbg, drbg->C);
+ if (ret)
+ return ret;
}
/* build linked list which implements the concatenation and fill
/* we execute two rounds of V/K massaging */
for (i = 2; 0 < i; i--)
{
+ byte *retval;
/* first round uses 0x0, second 0x1 */
unsigned char prefix = DRBG_PREFIX0;
if (1 == i)
prefix = DRBG_PREFIX1;
/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
seed2.buf = &prefix;
- ret = drbg_hmac (drbg, drbg->C, drbg->C, &seed1);
+ retval = drbg_hash (drbg, &seed1);
+ ret = drbg_hmac_setkey (drbg, retval);
if (ret)
return ret;
/* 10.1.2.2 step 2 and 5 -- HMAC for V */
- ret = drbg_hmac (drbg, drbg->C, drbg->V, &cipherin);
- if (ret)
- return ret;
+ retval = drbg_hash (drbg, &cipherin);
+ memcpy(drbg->V, retval, drbg_blocklen (drbg));
/* 10.1.2.2 step 3 */
if (!seed || 0 == seed->len)
{
unsigned int outlen = 0;
/* 10.1.2.5 step 4.1 */
- ret = drbg_hmac (drbg, drbg->C, drbg->V, &data);
- if (ret)
- return ret;
+ byte *retval = drbg_hash (drbg, &data);
+ memcpy(drbg->V, retval, drbg_blocklen (drbg));
outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
drbg_blocklen (drbg) : (buflen - len);
static struct drbg_state_ops_s drbg_hmac_ops = {
drbg_hmac_update,
- drbg_hmac_generate
+ drbg_hmac_generate,
+ drbg_hmac_init,
+ drbg_hash_fini,
};
/******************************************************************
unsigned char *outval, size_t outlen,
drbg_string_t *entropy)
{
- gpg_err_code_t ret = 0;
size_t len = 0;
unsigned char input[5];
- unsigned char *tmp = drbg->scratchpad + drbg_statelen (drbg);
drbg_string_t data1;
- memset (tmp, 0, drbg_blocklen (drbg));
-
/* 10.4.1 step 3 */
input[0] = 1;
drbg_cpu_to_be32 ((outlen * 8), &input[1]);
{
short blocklen = 0;
/* 10.4.1 step 4.1 */
- ret = drbg_hmac (drbg, NULL, tmp, &data1);
- if (ret)
- goto out;
+ byte *retval = drbg_hash (drbg, &data1);
/* 10.4.1 step 4.2 */
input[0]++;
blocklen = (drbg_blocklen (drbg) < (outlen - len)) ?
drbg_blocklen (drbg) : (outlen - len);
- memcpy (outval + len, tmp, blocklen);
+ memcpy (outval + len, retval, blocklen);
len += blocklen;
}
- out:
- memset (tmp, 0, drbg_blocklen (drbg));
- return ret;
+ return 0;
}
/* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
static gpg_err_code_t
drbg_hash_process_addtl (drbg_state_t drbg, drbg_string_t *addtl)
{
- gpg_err_code_t ret = 0;
drbg_string_t data1, data2;
drbg_string_t *data3;
unsigned char prefix = DRBG_PREFIX2;
-
- /* this is value w as per documentation */
- memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
+ byte *retval;
/* 10.1.1.4 step 2 */
if (!addtl || 0 == addtl->len)
data2.next = data3;
data3->next = NULL;
/* 10.1.1.4 step 2a -- cipher invocation */
- ret = drbg_hmac (drbg, NULL, drbg->scratchpad, &data1);
- if (ret)
- goto out;
+ retval = drbg_hash (drbg, &data1);
/* 10.1.1.4 step 2b */
- drbg_add_buf (drbg->V, drbg_statelen (drbg),
- drbg->scratchpad, drbg_blocklen (drbg));
+ drbg_add_buf (drbg->V, drbg_statelen (drbg), retval, drbg_blocklen (drbg));
- out:
- memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
- return ret;
+ return 0;
}
/*
* Hashgen defined in 10.1.1.4
*/
static gpg_err_code_t
-drbg_hash_hashgen (drbg_state_t drbg,
- unsigned char *buf, unsigned int buflen)
+drbg_hash_hashgen (drbg_state_t drbg, unsigned char *buf, unsigned int buflen)
{
- gpg_err_code_t ret = 0;
unsigned int len = 0;
unsigned char *src = drbg->scratchpad;
- unsigned char *dst = drbg->scratchpad + drbg_statelen (drbg);
drbg_string_t data;
unsigned char prefix = DRBG_PREFIX1;
- /* use the scratchpad as a lookaside buffer */
- memset (src, 0, drbg_statelen (drbg));
- memset (dst, 0, drbg_blocklen (drbg));
-
/* 10.1.1.4 step hashgen 2 */
memcpy (src, drbg->V, drbg_statelen (drbg));
{
unsigned int outlen = 0;
/* 10.1.1.4 step hashgen 4.1 */
- ret = drbg_hmac (drbg, NULL, dst, &data);
- if (ret)
- goto out;
+ byte *retval = drbg_hash (drbg, &data);
outlen = (drbg_blocklen (drbg) < (buflen - len)) ?
drbg_blocklen (drbg) : (buflen - len);
/* 10.1.1.4 step hashgen 4.2 */
- memcpy (buf + len, dst, outlen);
+ memcpy (buf + len, retval, outlen);
len += outlen;
/* 10.1.1.4 hashgen step 4.3 */
if (len < buflen)
drbg_add_buf (src, drbg_statelen (drbg), &prefix, 1);
}
- out:
- memset (drbg->scratchpad, 0,
- (drbg_statelen (drbg) + drbg_blocklen (drbg)));
- return ret;
+ memset (drbg->scratchpad, 0, drbg_statelen (drbg));
+ return 0;
}
/* Generate function for Hash DRBG as defined in 10.1.1.4 */
static gpg_err_code_t
-drbg_hash_generate (drbg_state_t drbg,
- unsigned char *buf, unsigned int buflen,
- drbg_string_t *addtl)
+drbg_hash_generate (drbg_state_t drbg, unsigned char *buf, unsigned int buflen,
+ drbg_string_t *addtl)
{
- gpg_err_code_t ret = 0;
+ gpg_err_code_t ret;
unsigned char prefix = DRBG_PREFIX3;
drbg_string_t data1, data2;
+ byte *retval;
union
{
unsigned char req[8];
u64 req_int;
} u;
- /*
- * scratchpad usage: drbg_hash_process_addtl uses the scratchpad, but
- * fully completes before returning. Thus, we can reuse the scratchpad
- */
/* 10.1.1.4 step 2 */
ret = drbg_hash_process_addtl (drbg, addtl);
if (ret)
if (ret)
return ret;
- /* this is the value H as documented in 10.1.1.4 */
- memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
/* 10.1.1.4 step 4 */
drbg_string_fill (&data1, &prefix, 1);
drbg_string_fill (&data2, drbg->V, drbg_statelen (drbg));
data1.next = &data2;
- ret = drbg_hmac (drbg, NULL, drbg->scratchpad, &data1);
- if (ret)
- goto out;
+
+ /* this is the value H as documented in 10.1.1.4 */
+ retval = drbg_hash (drbg, &data1);
/* 10.1.1.4 step 5 */
- drbg_add_buf (drbg->V, drbg_statelen (drbg),
- drbg->scratchpad, drbg_blocklen (drbg));
- drbg_add_buf (drbg->V, drbg_statelen (drbg), drbg->C,
- drbg_statelen (drbg));
+ drbg_add_buf (drbg->V, drbg_statelen (drbg), retval, drbg_blocklen (drbg));
+ drbg_add_buf (drbg->V, drbg_statelen (drbg), drbg->C, drbg_statelen (drbg));
u.req_int = be_bswap64 (drbg->reseed_ctr);
- drbg_add_buf (drbg->V, drbg_statelen (drbg), u.req,
- sizeof (u.req));
+ drbg_add_buf (drbg->V, drbg_statelen (drbg), u.req, sizeof (u.req));
- out:
- memset (drbg->scratchpad, 0, drbg_blocklen (drbg));
return ret;
}
*/
static struct drbg_state_ops_s drbg_hash_ops = {
drbg_hash_update,
- drbg_hash_generate
+ drbg_hash_generate,
+ drbg_hash_init,
+ drbg_hash_fini,
};
/******************************************************************
{
if (!drbg)
return GPG_ERR_INV_ARG;
+ drbg->d_ops->crypto_fini(drbg);
xfree (drbg->V);
drbg->V = NULL;
xfree (drbg->C);
/* 9.1 step 4 is implicit in drbg_sec_strength */
- /* no allocation of drbg as this is done by the kernel crypto API */
+ ret = drbg->d_ops->crypto_init(drbg);
+ if (ret)
+ goto err;
+
drbg->V = xcalloc_secure (1, drbg_statelen (drbg));
if (!drbg->V)
- goto err;
+ goto fini;
drbg->C = xcalloc_secure (1, drbg_statelen (drbg));
if (!drbg->C)
- goto err;
+ goto fini;
/* scratchpad is only generated for CTR and Hash */
if (drbg->core->flags & DRBG_HMAC)
sb_size = 0;
drbg_blocklen (drbg) + /* iv */
drbg_statelen (drbg) + drbg_blocklen (drbg); /* temp */
else
- sb_size = drbg_statelen (drbg) + drbg_blocklen (drbg);
+ sb_size = drbg_statelen (drbg);
if (0 < sb_size)
{
drbg->scratchpad = xcalloc_secure (1, sb_size);
if (!drbg->scratchpad)
- goto err;
+ goto fini;
}
dbg (("DRBG: state allocated with scratchpad size %u bytes\n", sb_size));
/* 9.1 step 6 through 11 */
ret = drbg_seed (drbg, pers, 0);
if (ret)
- goto err;
+ goto fini;
dbg (("DRBG: core %d %s prediction resistance successfully initialized\n",
coreref, pr ? "with" : "without"));
return 0;
+ fini:
+ drbg->d_ops->crypto_fini(drbg);
err:
drbg_uninstantiate (drbg);
return ret;
***************************************************************/
static gpg_err_code_t
-drbg_hmac (drbg_state_t drbg, const unsigned char *key,
- unsigned char *outval, const drbg_string_t *buf)
+drbg_hash_init (drbg_state_t drbg)
{
+ gcry_md_hd_t hd;
gpg_error_t err;
+
+ err = _gcry_md_open (&hd, drbg->core->backend_cipher, 0);
+ if (err)
+ return err;
+
+ drbg->priv_data = hd;
+
+ return 0;
+}
+
+static gpg_err_code_t
+drbg_hmac_init (drbg_state_t drbg)
+{
gcry_md_hd_t hd;
+ gpg_error_t err;
- if (key)
- {
- err =
- _gcry_md_open (&hd, drbg->core->backend_cipher, GCRY_MD_FLAG_HMAC);
- if (err)
- return err;
- err = _gcry_md_setkey (hd, key, drbg_statelen (drbg));
- if (err)
- return err;
- }
- else
- {
- err = _gcry_md_open (&hd, drbg->core->backend_cipher, 0);
- if (err)
- return err;
- }
+ err = _gcry_md_open (&hd, drbg->core->backend_cipher, GCRY_MD_FLAG_HMAC);
+ if (err)
+ return err;
+
+ drbg->priv_data = hd;
+
+ return 0;
+}
+
+static gpg_err_code_t
+drbg_hmac_setkey (drbg_state_t drbg, const unsigned char *key)
+{
+ gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
+
+ return _gcry_md_setkey (hd, key, drbg_statelen (drbg));
+}
+
+static void
+drbg_hash_fini (drbg_state_t drbg)
+{
+ gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
+
+ _gcry_md_close (hd);
+}
+
+static byte *
+drbg_hash (drbg_state_t drbg, const drbg_string_t *buf)
+{
+ gcry_md_hd_t hd = (gcry_md_hd_t)drbg->priv_data;
+
+ _gcry_md_reset(hd);
for (; NULL != buf; buf = buf->next)
_gcry_md_write (hd, buf->buf, buf->len);
_gcry_md_final (hd);
- memcpy (outval, _gcry_md_read (hd, drbg->core->backend_cipher),
- drbg_blocklen (drbg));
- _gcry_md_close (hd);
- return 0;
+ return _gcry_md_read (hd, drbg->core->backend_cipher);
+}
+
+static void
+drbg_sym_fini (drbg_state_t drbg)
+{
+ gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
+
+ if (hd)
+ _gcry_cipher_close (hd);
+ if (drbg->ctr_handle)
+ _gcry_cipher_close (drbg->ctr_handle);
+ if (drbg->ctr_null)
+ free(drbg->ctr_null);
}
static gpg_err_code_t
-drbg_sym (drbg_state_t drbg, const unsigned char *key,
- unsigned char *outval, const drbg_string_t *buf)
+drbg_sym_init (drbg_state_t drbg)
{
- gpg_error_t err;
gcry_cipher_hd_t hd;
+ gpg_error_t err;
+
+ drbg->ctr_null = calloc(1, DRBG_CTR_NULL_LEN);
+ if (!drbg->ctr_null)
+ return GPG_ERR_ENOMEM;
err = _gcry_cipher_open (&hd, drbg->core->backend_cipher,
- GCRY_CIPHER_MODE_ECB, 0);
+ GCRY_CIPHER_MODE_ECB, 0);
if (err)
- return err;
+ {
+ drbg_sym_fini (drbg);
+ return err;
+ }
+ drbg->priv_data = hd;
+
+ err = _gcry_cipher_open (&drbg->ctr_handle, drbg->core->backend_cipher,
+ GCRY_CIPHER_MODE_CTR, 0);
+ if (err)
+ {
+ drbg_sym_fini (drbg);
+ return err;
+ }
+
+
if (drbg_blocklen (drbg) !=
_gcry_cipher_get_algo_blklen (drbg->core->backend_cipher))
- return -GPG_ERR_NO_ERROR;
+ {
+ drbg_sym_fini (drbg);
+ return -GPG_ERR_NO_ERROR;
+ }
+
+ return 0;
+}
+
+static gpg_err_code_t
+drbg_sym_setkey (drbg_state_t drbg, const unsigned char *key)
+{
+ gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
+
+ return _gcry_cipher_setkey (hd, key, drbg_keylen (drbg));
+}
+
+static gpg_err_code_t
+drbg_sym (drbg_state_t drbg, unsigned char *outval, const drbg_string_t *buf)
+{
+ gcry_cipher_hd_t hd = (gcry_cipher_hd_t)drbg->priv_data;
+
+ _gcry_cipher_reset(hd);
if (drbg_blocklen (drbg) < buf->len)
return -GPG_ERR_NO_ERROR;
- err = _gcry_cipher_setkey (hd, key, drbg_keylen (drbg));
+ /* in is only component */
+ return _gcry_cipher_encrypt (hd, outval, drbg_blocklen (drbg), buf->buf,
+ buf->len);
+}
+
+static gpg_err_code_t
+drbg_sym_ctr (drbg_state_t drbg,
+ const unsigned char *inbuf, unsigned int inbuflen,
+ unsigned char *outbuf, unsigned int outbuflen)
+{
+ gpg_error_t err;
+
+ _gcry_cipher_reset(drbg->ctr_handle);
+ err = _gcry_cipher_setctr(drbg->ctr_handle, drbg->V, drbg_blocklen (drbg));
if (err)
return err;
- /* in is only component */
- _gcry_cipher_encrypt (hd, outval, drbg_blocklen (drbg), buf->buf,
- buf->len);
- _gcry_cipher_close (hd);
- return 0;
+
+ while (outbuflen)
+ {
+ unsigned int cryptlen = (inbuflen > outbuflen) ? outbuflen : inbuflen;
+
+ err = _gcry_cipher_encrypt (drbg->ctr_handle, outbuf, cryptlen, inbuf,
+ cryptlen);
+ if (err)
+ return err;
+
+ outbuflen -= cryptlen;
+ outbuf += cryptlen;
+ }
+ return _gcry_cipher_getctr(drbg->ctr_handle, drbg->V, drbg_blocklen (drbg));
}
struct timeval tv;
int rc;
- /* If we collected some bytes update the progress indicator. We
- do this always and not just if the select timed out because
- often just a few bytes are gathered within the timeout
- period. */
- if (any_need_entropy || last_so_far != (want - length) )
- {
- last_so_far = want - length;
- _gcry_random_progress ("need_entropy", 'X',
- (int)last_so_far, (int)want);
- any_need_entropy = 1;
- }
-
- /* If the system has no limit on the number of file descriptors
- and we encounter an fd which is larger than the fd_set size,
- we don't use the select at all. The select code is only used
- to emit progress messages. A better solution would be to
- fall back to poll() if available. */
-#ifdef FD_SETSIZE
- if (fd < FD_SETSIZE)
-#endif
- {
- FD_ZERO(&rfds);
- FD_SET(fd, &rfds);
- tv.tv_sec = delay;
- tv.tv_usec = delay? 0 : 100000;
- if ( !(rc=select(fd+1, &rfds, NULL, NULL, &tv)) )
- {
- any_need_entropy = 1;
- delay = 3; /* Use 3 seconds henceforth. */
- continue;
- }
- else if( rc == -1 )
- {
- log_error ("select() error: %s\n", strerror(errno));
- if (!delay)
- delay = 1; /* Use 1 second if we encounter an error before
- we have ever blocked. */
- continue;
- }
- }
-
/* If we have a modern Linux kernel and we want to read from the
* the non-blocking /dev/urandom, we first try to use the new
* getrandom syscall. That call guarantees that the kernel's
length -= nbytes;
continue; /* until LENGTH is zero. */
}
- log_debug ("syscall(getrandom) not supported; errno = %d\n", errno);
}
#endif
+ /* If we collected some bytes update the progress indicator. We
+ do this always and not just if the select timed out because
+ often just a few bytes are gathered within the timeout
+ period. */
+ if (any_need_entropy || last_so_far != (want - length) )
+ {
+ last_so_far = want - length;
+ _gcry_random_progress ("need_entropy", 'X',
+ (int)last_so_far, (int)want);
+ any_need_entropy = 1;
+ }
+
+ /* If the system has no limit on the number of file descriptors
+ and we encounter an fd which is larger than the fd_set size,
+ we don't use the select at all. The select code is only used
+ to emit progress messages. A better solution would be to
+ fall back to poll() if available. */
+#ifdef FD_SETSIZE
+ if (fd < FD_SETSIZE)
+#endif
+ {
+ FD_ZERO(&rfds);
+ FD_SET(fd, &rfds);
+ tv.tv_sec = delay;
+ tv.tv_usec = delay? 0 : 100000;
+ if ( !(rc=select(fd+1, &rfds, NULL, NULL, &tv)) )
+ {
+ any_need_entropy = 1;
+ delay = 3; /* Use 3 seconds henceforth. */
+ continue;
+ }
+ else if( rc == -1 )
+ {
+ log_error ("select() error: %s\n", strerror(errno));
+ if (!delay)
+ delay = 1; /* Use 1 second if we encounter an error before
+ we have ever blocked. */
+ continue;
+ }
+ }
+
+ /* Read from the device. */
do
{
size_t nbytes;
#define HWF_INTEL_AVX2 (1 << 13)
#define HWF_ARM_NEON (1 << 14)
+#define HWF_ARM_AES (1 << 15)
+#define HWF_ARM_SHA1 (1 << 16)
+#define HWF_ARM_SHA2 (1 << 17)
+#define HWF_ARM_PMULL (1 << 18)
gpg_err_code_t _gcry_disable_hw_feature (const char *name);
/* Memory management. */
#define GCRY_ALLOC_FLAG_SECURE (1 << 0)
+#define GCRY_ALLOC_FLAG_XHINT (1 << 1) /* Called from xmalloc. */
/*-- sexp.c --*/
size_t taglen);
gpg_err_code_t _gcry_cipher_setctr (gcry_cipher_hd_t hd,
const void *ctr, size_t ctrlen);
+gpg_err_code_t _gcry_cipher_getctr (gcry_cipher_hd_t hd,
+ void *ctr, size_t ctrlen);
size_t _gcry_cipher_get_algo_keylen (int algo);
size_t _gcry_cipher_get_algo_blklen (int algo);
NULL, on )
#define gcry_cipher_set_sbox(h,oid) gcry_cipher_ctl( (h), GCRYCTL_SET_SBOX, \
- (oid), 0);
+ (void *) oid, 0);
/* Indicate to the encrypt and decrypt functions that the next call
provides the final data. Only used with some modes. */
break;
case GCRYCTL_DUMP_SECMEM_STATS:
- _gcry_secmem_dump_stats ();
+ _gcry_secmem_dump_stats (0);
break;
case GCRYCTL_DROP_PRIVS:
if (alloc_secure_func)
m = (*alloc_secure_func) (n);
else
- m = _gcry_private_malloc_secure (n);
+ m = _gcry_private_malloc_secure (n, !!(flags & GCRY_ALLOC_FLAG_XHINT));
}
else
{
return mem;
}
-void *
-_gcry_malloc_secure (size_t n)
+static void *
+_gcry_malloc_secure_core (size_t n, int xhint)
{
void *mem = NULL;
- do_malloc (n, GCRY_ALLOC_FLAG_SECURE, &mem);
+ do_malloc (n, (GCRY_ALLOC_FLAG_SECURE | (xhint? GCRY_ALLOC_FLAG_XHINT:0)),
+ &mem);
return mem;
}
+void *
+_gcry_malloc_secure (size_t n)
+{
+ return _gcry_malloc_secure_core (n, 0);
+}
+
int
_gcry_is_secure (const void *a)
{
#endif
}
-void *
-_gcry_realloc (void *a, size_t n)
+static void *
+_gcry_realloc_core (void *a, size_t n, int xhint)
{
void *p;
if (realloc_func)
p = realloc_func (a, n);
else
- p = _gcry_private_realloc (a, n);
+ p = _gcry_private_realloc (a, n, xhint);
if (!p && !errno)
gpg_err_set_errno (ENOMEM);
return p;
}
+
+void *
+_gcry_realloc (void *a, size_t n)
+{
+ return _gcry_realloc_core (a, n, 0);
+}
+
+
void
_gcry_free (void *p)
{
}
-/* Create and return a copy of the null-terminated string STRING. If
- it is contained in secure memory, the copy will be contained in
- secure memory as well. In an out-of-memory condition, NULL is
- returned. */
-char *
-_gcry_strdup (const char *string)
+static char *
+_gcry_strdup_core (const char *string, int xhint)
{
char *string_cp = NULL;
size_t string_n = 0;
string_n = strlen (string);
if (_gcry_is_secure (string))
- string_cp = _gcry_malloc_secure (string_n + 1);
+ string_cp = _gcry_malloc_secure_core (string_n + 1, xhint);
else
string_cp = _gcry_malloc (string_n + 1);
return string_cp;
}
+/* Create and return a copy of the null-terminated string STRING. If
+ * it is contained in secure memory, the copy will be contained in
+ * secure memory as well. In an out-of-memory condition, NULL is
+ * returned. */
+char *
+_gcry_strdup (const char *string)
+{
+ return _gcry_strdup_core (string, 0);
+}
void *
_gcry_xmalloc( size_t n )
{
void *p;
- while ( !(p = _gcry_realloc( a, n )) )
+ while (!(p = _gcry_realloc_core (a, n, 1)))
{
if ( fips_mode ()
|| !outofcore_handler
{
void *p;
- while ( !(p = _gcry_malloc_secure( n )) )
+ while (!(p = _gcry_malloc_secure_core (n, 1)))
{
if ( fips_mode ()
|| !outofcore_handler
{
char *p;
- while ( !(p = _gcry_strdup (string)) )
+ while ( !(p = _gcry_strdup_core (string, 1)) )
{
size_t n = strlen (string);
int is_sec = !!_gcry_is_secure (string);
#include "g10lib.h"
#include "hwf-common.h"
-#if !defined (__arm__)
+#if !defined (__arm__) && !defined (__aarch64__)
# error Module build for wrong CPU.
#endif
#undef HAS_PROC_CPUINFO
#ifdef __linux__
+struct feature_map_s {
+ unsigned int hwcap_flag;
+ unsigned int hwcap2_flag;
+ const char *feature_match;
+ unsigned int hwf_flag;
+};
+
#define HAS_SYS_AT_HWCAP 1
+#define HAS_PROC_CPUINFO 1
+
+#ifdef __arm__
+
+#define AT_HWCAP 16
+#define AT_HWCAP2 26
+
+#define HWCAP_NEON 4096
-#define AT_HWCAP 16
-#define HWCAP_NEON 4096
+#define HWCAP2_AES 1
+#define HWCAP2_PMULL 2
+#define HWCAP2_SHA1 3
+#define HWCAP2_SHA2 4
+
+static const struct feature_map_s arm_features[] =
+ {
+#ifdef ENABLE_NEON_SUPPORT
+ { HWCAP_NEON, 0, " neon", HWF_ARM_NEON },
+#endif
+#ifdef ENABLE_ARM_CRYPTO_SUPPORT
+ { 0, HWCAP2_AES, " aes", HWF_ARM_AES },
+ { 0, HWCAP2_SHA1," sha1", HWF_ARM_SHA1 },
+ { 0, HWCAP2_SHA2, " sha2", HWF_ARM_SHA2 },
+ { 0, HWCAP2_PMULL, " pmull", HWF_ARM_PMULL },
+#endif
+ };
+
+#elif defined(__aarch64__)
+
+#define AT_HWCAP 16
+#define AT_HWCAP2 -1
+
+#define HWCAP_ASIMD 2
+#define HWCAP_AES 8
+#define HWCAP_PMULL 16
+#define HWCAP_SHA1 32
+#define HWCAP_SHA2 64
+
+static const struct feature_map_s arm_features[] =
+ {
+#ifdef ENABLE_NEON_SUPPORT
+ { HWCAP_ASIMD, 0, " asimd", HWF_ARM_NEON },
+#endif
+#ifdef ENABLE_ARM_CRYPTO_SUPPORT
+ { HWCAP_AES, 0, " aes", HWF_ARM_AES },
+ { HWCAP_SHA1, 0, " sha1", HWF_ARM_SHA1 },
+ { HWCAP_SHA2, 0, " sha2", HWF_ARM_SHA2 },
+ { HWCAP_PMULL, 0, " pmull", HWF_ARM_PMULL },
+#endif
+ };
+
+#endif
static int
-get_hwcap(unsigned int *hwcap)
+get_hwcap(unsigned int *hwcap, unsigned int *hwcap2)
{
- struct { unsigned int a_type; unsigned int a_val; } auxv;
+ struct { unsigned long a_type; unsigned long a_val; } auxv;
FILE *f;
int err = -1;
static int hwcap_initialized = 0;
- static unsigned int stored_hwcap;
+ static unsigned int stored_hwcap = 0;
+ static unsigned int stored_hwcap2 = 0;
if (hwcap_initialized)
{
*hwcap = stored_hwcap;
+ *hwcap2 = stored_hwcap2;
return 0;
}
if (!f)
{
*hwcap = stored_hwcap;
+ *hwcap2 = stored_hwcap2;
return -1;
}
while (fread(&auxv, sizeof(auxv), 1, f) > 0)
{
- if (auxv.a_type != AT_HWCAP)
- continue;
-
- stored_hwcap = auxv.a_val;
- hwcap_initialized = 1;
- err = 0;
- break;
+ if (auxv.a_type == AT_HWCAP)
+ {
+ stored_hwcap = auxv.a_val;
+ hwcap_initialized = 1;
+ }
+
+ if (auxv.a_type == AT_HWCAP2)
+ {
+ stored_hwcap2 = auxv.a_val;
+ hwcap_initialized = 1;
+ }
}
+ if (hwcap_initialized)
+ err = 0;
+
fclose(f);
*hwcap = stored_hwcap;
+ *hwcap2 = stored_hwcap2;
return err;
}
detect_arm_at_hwcap(void)
{
unsigned int hwcap;
+ unsigned int hwcap2;
unsigned int features = 0;
+ unsigned int i;
- if (get_hwcap(&hwcap) < 0)
+ if (get_hwcap(&hwcap, &hwcap2) < 0)
return features;
-#ifdef ENABLE_NEON_SUPPORT
- if (hwcap & HWCAP_NEON)
- features |= HWF_ARM_NEON;
-#endif
+ for (i = 0; i < DIM(arm_features); i++)
+ {
+ if (hwcap & arm_features[i].hwcap_flag)
+ features |= arm_features[i].hwf_flag;
+
+ if (hwcap2 & arm_features[i].hwcap2_flag)
+ features |= arm_features[i].hwf_flag;
+ }
return features;
}
-#define HAS_PROC_CPUINFO 1
-
static unsigned int
detect_arm_proc_cpuinfo(unsigned int *broken_hwfs)
{
char buf[1024]; /* large enough */
- char *str_features, *str_neon;
+ char *str_features, *str_feat;
int cpu_implementer, cpu_arch, cpu_variant, cpu_part, cpu_revision;
FILE *f;
int readlen, i;
+ size_t mlen;
static int cpuinfo_initialized = 0;
static unsigned int stored_cpuinfo_features;
static unsigned int stored_broken_hwfs;
continue;
str += 2;
- *cpu_entries[i].value = strtoul(str, NULL, 0);
+ if (strcmp(cpu_entries[i].name, "CPU architecture") == 0
+ && strcmp(str, "AArch64") == 0)
+ *cpu_entries[i].value = 8;
+ else
+ *cpu_entries[i].value = strtoul(str, NULL, 0);
}
/* Lines to strings. */
if (buf[i] == '\n')
buf[i] = '\0';
- /* Check for NEON. */
- str_neon = strstr(str_features, " neon");
- if (str_neon && (str_neon[5] == ' ' || str_neon[5] == '\0'))
- stored_cpuinfo_features |= HWF_ARM_NEON;
+ /* Check features. */
+ for (i = 0; i < DIM(arm_features); i++)
+ {
+ str_feat = strstr(str_features, arm_features[i].feature_match);
+ if (str_feat)
+ {
+ mlen = strlen(arm_features[i].feature_match);
+ if (str_feat[mlen] == ' ' || str_feat[mlen] == '\0')
+ {
+ stored_cpuinfo_features |= arm_features[i].hwf_flag;
+ }
+ }
+ }
/* Check for CPUs with broken NEON implementation. See
* https://code.google.com/p/chromium/issues/detail?id=341598
ret |= detect_arm_proc_cpuinfo (&broken_hwfs);
#endif
-#if defined(__ARM_NEON__) && defined(ENABLE_NEON_SUPPORT)
+#if defined(__ARM_NEON) && defined(ENABLE_NEON_SUPPORT)
ret |= HWF_ARM_NEON;
#endif
{ HWF_INTEL_RDRAND, "intel-rdrand" },
{ HWF_INTEL_AVX, "intel-avx" },
{ HWF_INTEL_AVX2, "intel-avx2" },
- { HWF_ARM_NEON, "arm-neon" }
+ { HWF_ARM_NEON, "arm-neon" },
+ { HWF_ARM_AES, "arm-aes" },
+ { HWF_ARM_SHA1, "arm-sha1" },
+ { HWF_ARM_SHA2, "arm-sha2" },
+ { HWF_ARM_PMULL, "arm-pmull" }
};
/* A bit vector with the hardware features which shall not be used.
log_debug ("%*s ", (int)strlen(text), "");
}
}
- if (length)
+ if (length && buffer)
{
const unsigned char *p = buffer;
for (; length--; p++)
/* secmem.c - memory allocation from a secure heap
* Copyright (C) 1998, 1999, 2000, 2001, 2002,
* 2003, 2007 Free Software Foundation, Inc.
- * Copyright (C) 2013 g10 Code GmbH
+ * Copyright (C) 2013, 2016 g10 Code GmbH
*
* This file is part of Libgcrypt.
*
/* This flag specifies that the memory block is in use. */
#define MB_FLAG_ACTIVE (1 << 0)
-/* The pool of secure memory. */
-static void *pool;
+/* An object describing a memory pool. */
+typedef struct pooldesc_s
+{
+ /* A link to the next pool. This is used to connect the overflow
+ * pools. */
+ struct pooldesc_s *next;
+
+ /* A memory buffer used as allocation pool. */
+ void *mem;
+
+ /* The allocated size of MEM. */
+ size_t size;
+
+ /* Flag indicating that this memory pool is ready for use. May be
+ * checked in an atexit function. */
+ volatile int okay;
-/* Size of POOL in bytes. */
-static size_t pool_size;
+ /* Flag indicating whether MEM is mmapped. */
+ volatile int is_mmapped;
-/* True, if the memory pool is ready for use. May be checked in an
- atexit function. */
-static volatile int pool_okay;
+ /* The number of allocated bytes and the number of used blocks in
+ * this pool. */
+ unsigned int cur_alloced, cur_blocks;
+} pooldesc_t;
-/* True, if the memory pool is mmapped. */
-static volatile int pool_is_mmapped;
-/* FIXME? */
+/* The pool of secure memory. This is the head of a linked list with
+ * the first element being the standard mlock-ed pool and the
+ * following elements being the overflow pools. */
+static pooldesc_t mainpool;
+
+
+/* A couple of flags whith some beeing set early. */
static int disable_secmem;
static int show_warning;
static int not_locked;
static int no_mlock;
static int no_priv_drop;
-/* Stats. */
-static unsigned int cur_alloced, cur_blocks;
-
-/* Lock protecting accesses to the memory pool. */
+/* Lock protecting accesses to the memory pools. */
GPGRT_LOCK_DEFINE (secmem_lock);
/* Convenient macros. */
#define ADDR_TO_BLOCK(addr) \
(memblock_t *) (void *) ((char *) addr - BLOCK_HEAD_SIZE)
-/* Check whether P points into the pool. */
-static int
-ptr_into_pool_p (const void *p)
+/* Check whether P points into POOL. */
+static inline int
+ptr_into_pool_p (pooldesc_t *pool, const void *p)
{
/* We need to convert pointers to addresses. This is required by
C-99 6.5.8 to avoid undefined behaviour. See also
http://lists.gnupg.org/pipermail/gcrypt-devel/2007-February/001102.html
*/
uintptr_t p_addr = (uintptr_t)p;
- uintptr_t pool_addr = (uintptr_t)pool;
+ uintptr_t pool_addr = (uintptr_t)pool->mem;
- return p_addr >= pool_addr && p_addr < pool_addr + pool_size;
+ return p_addr >= pool_addr && p_addr < pool_addr + pool->size;
}
/* Update the stats. */
static void
-stats_update (size_t add, size_t sub)
+stats_update (pooldesc_t *pool, size_t add, size_t sub)
{
if (add)
{
- cur_alloced += add;
- cur_blocks++;
+ pool->cur_alloced += add;
+ pool->cur_blocks++;
}
if (sub)
{
- cur_alloced -= sub;
- cur_blocks--;
+ pool->cur_alloced -= sub;
+ pool->cur_blocks--;
}
}
/* Return the block following MB or NULL, if MB is the last block. */
static memblock_t *
-mb_get_next (memblock_t *mb)
+mb_get_next (pooldesc_t *pool, memblock_t *mb)
{
memblock_t *mb_next;
mb_next = (memblock_t *) (void *) ((char *) mb + BLOCK_HEAD_SIZE + mb->size);
- if (! ptr_into_pool_p (mb_next))
+ if (! ptr_into_pool_p (pool, mb_next))
mb_next = NULL;
return mb_next;
/* Return the block preceding MB or NULL, if MB is the first
block. */
static memblock_t *
-mb_get_prev (memblock_t *mb)
+mb_get_prev (pooldesc_t *pool, memblock_t *mb)
{
memblock_t *mb_prev, *mb_next;
- if (mb == pool)
+ if (mb == pool->mem)
mb_prev = NULL;
else
{
- mb_prev = (memblock_t *) pool;
+ mb_prev = (memblock_t *) pool->mem;
while (1)
{
- mb_next = mb_get_next (mb_prev);
+ mb_next = mb_get_next (pool, mb_prev);
if (mb_next == mb)
break;
else
/* If the preceding block of MB and/or the following block of MB
exist and are not active, merge them to form a bigger block. */
static void
-mb_merge (memblock_t *mb)
+mb_merge (pooldesc_t *pool, memblock_t *mb)
{
memblock_t *mb_prev, *mb_next;
- mb_prev = mb_get_prev (mb);
- mb_next = mb_get_next (mb);
+ mb_prev = mb_get_prev (pool, mb);
+ mb_next = mb_get_next (pool, mb);
if (mb_prev && (! (mb_prev->flags & MB_FLAG_ACTIVE)))
{
/* Return a new block, which can hold SIZE bytes. */
static memblock_t *
-mb_get_new (memblock_t *block, size_t size)
+mb_get_new (pooldesc_t *pool, memblock_t *block, size_t size)
{
memblock_t *mb, *mb_split;
- for (mb = block; ptr_into_pool_p (mb); mb = mb_get_next (mb))
+ for (mb = block; ptr_into_pool_p (pool, mb); mb = mb_get_next (pool, mb))
if (! (mb->flags & MB_FLAG_ACTIVE) && mb->size >= size)
{
/* Found a free block. */
mb->size = size;
- mb_merge (mb_split);
+ mb_merge (pool, mb_split);
}
break;
}
- if (! ptr_into_pool_p (mb))
+ if (! ptr_into_pool_p (pool, mb))
{
gpg_err_set_errno (ENOMEM);
mb = NULL;
log_info (_("Warning: using insecure memory!\n"));
}
-/* Lock the memory pages into core and drop privileges. */
+
+/* Lock the memory pages of pool P of size N into core and drop
+ * privileges. */
static void
-lock_pool (void *p, size_t n)
+lock_pool_pages (void *p, size_t n)
{
#if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK)
int err;
if (err)
{
- if (errno != EPERM
-#ifdef EAGAIN /* OpenBSD returns this */
- && errno != EAGAIN
+ if (err != EPERM
+#ifdef EAGAIN /* BSD and also Linux may return EAGAIN */
+ && err != EAGAIN
#endif
#ifdef ENOSYS /* Some SCOs return this (function not implemented) */
- && errno != ENOSYS
+ && err != ENOSYS
#endif
#ifdef ENOMEM /* Linux might return this. */
- && errno != ENOMEM
+ && err != ENOMEM
#endif
)
log_error ("can't lock memory: %s\n", strerror (err));
if (err)
{
- if (errno != EPERM
-#ifdef EAGAIN /* OpenBSD returns this. */
- && errno != EAGAIN
+ if (err != EPERM
+#ifdef EAGAIN /* BSD and also Linux may return this. */
+ && err != EAGAIN
#endif
#ifdef ENOSYS /* Some SCOs return this (function not implemented). */
- && errno != ENOSYS
+ && err != ENOSYS
#endif
#ifdef ENOMEM /* Linux might return this. */
- && errno != ENOMEM
+ && err != ENOMEM
#endif
)
log_error ("can't lock memory: %s\n", strerror (err));
/* Initialize POOL. */
static void
-init_pool (size_t n)
+init_pool (pooldesc_t *pool, size_t n)
{
memblock_t *mb;
- pool_size = n;
+ pool->size = n;
if (disable_secmem)
log_bug ("secure memory is disabled");
# endif
pgsize = (pgsize_val != -1 && pgsize_val > 0)? pgsize_val:DEFAULT_PAGE_SIZE;
- pool_size = (pool_size + pgsize - 1) & ~(pgsize - 1);
+ pool->size = (pool->size + pgsize - 1) & ~(pgsize - 1);
# ifdef MAP_ANONYMOUS
- pool = mmap (0, pool_size, PROT_READ | PROT_WRITE,
- MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ pool->mem = mmap (0, pool->size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
# else /* map /dev/zero instead */
{
int fd;
if (fd == -1)
{
log_error ("can't open /dev/zero: %s\n", strerror (errno));
- pool = (void *) -1;
+ pool->mem = (void *) -1;
}
else
{
- pool = mmap (0, pool_size,
- (PROT_READ | PROT_WRITE), MAP_PRIVATE, fd, 0);
+ pool->mem = mmap (0, pool->size,
+ (PROT_READ | PROT_WRITE), MAP_PRIVATE, fd, 0);
close (fd);
}
}
# endif
- if (pool == (void *) -1)
+ if (pool->mem == (void *) -1)
log_info ("can't mmap pool of %u bytes: %s - using malloc\n",
- (unsigned) pool_size, strerror (errno));
+ (unsigned) pool->size, strerror (errno));
else
{
- pool_is_mmapped = 1;
- pool_okay = 1;
+ pool->is_mmapped = 1;
+ pool->okay = 1;
}
}
#endif /*HAVE_MMAP*/
- if (!pool_okay)
+ if (!pool->okay)
{
- pool = malloc (pool_size);
- if (!pool)
+ pool->mem = malloc (pool->size);
+ if (!pool->mem)
log_fatal ("can't allocate memory pool of %u bytes\n",
- (unsigned) pool_size);
+ (unsigned) pool->size);
else
- pool_okay = 1;
+ pool->okay = 1;
}
/* Initialize first memory block. */
- mb = (memblock_t *) pool;
- mb->size = pool_size;
+ mb = (memblock_t *) pool->mem;
+ mb->size = pool->size;
mb->flags = 0;
}
}
-/* See _gcry_secmem_init. This function is expected to be called with
- the secmem lock held. */
+/* This function initializes the main memory pool MAINPOOL. Itis
+ * expected to be called with the secmem lock held. */
static void
-secmem_init (size_t n)
+_gcry_secmem_init_internal (size_t n)
{
+ pooldesc_t *pool;
+
+ pool = &mainpool;
if (!n)
{
#ifdef USE_CAPABILITIES
{
if (n < MINIMUM_POOL_SIZE)
n = MINIMUM_POOL_SIZE;
- if (! pool_okay)
+ if (! pool->okay)
{
- init_pool (n);
- lock_pool (pool, n);
+ init_pool (pool, n);
+ lock_pool_pages (pool->mem, n);
}
else
log_error ("Oops, secure memory pool already initialized\n");
{
SECMEM_LOCK;
- secmem_init (n);
+ _gcry_secmem_init_internal (n);
SECMEM_UNLOCK;
}
static void *
-_gcry_secmem_malloc_internal (size_t size)
+_gcry_secmem_malloc_internal (size_t size, int xhint)
{
+ pooldesc_t *pool;
memblock_t *mb;
- if (!pool_okay)
+ pool = &mainpool;
+
+ if (!pool->okay)
{
/* Try to initialize the pool if the user forgot about it. */
- secmem_init (STANDARD_POOL_SIZE);
- if (!pool_okay)
+ _gcry_secmem_init_internal (STANDARD_POOL_SIZE);
+ if (!pool->okay)
{
log_info (_("operation is not possible without "
"initialized secure memory\n"));
/* Blocks are always a multiple of 32. */
size = ((size + 31) / 32) * 32;
- mb = mb_get_new ((memblock_t *) pool, size);
+ mb = mb_get_new (pool, (memblock_t *) pool->mem, size);
if (mb)
- stats_update (size, 0);
+ {
+ stats_update (pool, size, 0);
+ return &mb->aligned.c;
+ }
+
+ /* If we are called from xmalloc style function resort to the
+ * overflow pools to return memory. We don't do this in FIPS mode,
+ * though. */
+ if (xhint && !fips_mode ())
+ {
+ for (pool = pool->next; pool; pool = pool->next)
+ {
+ mb = mb_get_new (pool, (memblock_t *) pool->mem, size);
+ if (mb)
+ {
+ stats_update (pool, size, 0);
+ return &mb->aligned.c;
+ }
+ }
+ /* Allocate a new overflow pool. We put a new pool right after
+ * the mainpool so that the next allocation will happen in that
+ * pool and not in one of the older pools. When this new pool
+ * gets full we will try to find space in the older pools. */
+ pool = calloc (1, sizeof *pool);
+ if (!pool)
+ return NULL; /* Not enough memory for a new pool descriptor. */
+ pool->size = STANDARD_POOL_SIZE;
+ pool->mem = malloc (pool->size);
+ if (!pool->mem)
+ return NULL; /* Not enough memory available for a new pool. */
+ /* Initialize first memory block. */
+ mb = (memblock_t *) pool->mem;
+ mb->size = pool->size;
+ mb->flags = 0;
+
+ pool->okay = 1;
+
+ /* Take care: in _gcry_private_is_secure we do not lock and thus
+ * we assume that the second assignment below is atomic. */
+ pool->next = mainpool.next;
+ mainpool.next = pool;
+
+ /* After the first time we allocated an overflow pool, print a
+ * warning. */
+ if (!pool->next)
+ print_warn ();
+
+ /* Allocate. */
+ mb = mb_get_new (pool, (memblock_t *) pool->mem, size);
+ if (mb)
+ {
+ stats_update (pool, size, 0);
+ return &mb->aligned.c;
+ }
+ }
- return mb ? &mb->aligned.c : NULL;
+ return NULL;
}
+
+/* Allocate a block from the secmem of SIZE. With XHINT set assume
+ * that the caller is a xmalloc style function. */
void *
-_gcry_secmem_malloc (size_t size)
+_gcry_secmem_malloc (size_t size, int xhint)
{
void *p;
SECMEM_LOCK;
- p = _gcry_secmem_malloc_internal (size);
+ p = _gcry_secmem_malloc_internal (size, xhint);
SECMEM_UNLOCK;
return p;
}
-static void
+static int
_gcry_secmem_free_internal (void *a)
{
+ pooldesc_t *pool;
memblock_t *mb;
int size;
- if (!a)
- return;
+ for (pool = &mainpool; pool; pool = pool->next)
+ if (pool->okay && ptr_into_pool_p (pool, a))
+ break;
+ if (!pool)
+ return 0; /* A does not belong to use. */
mb = ADDR_TO_BLOCK (a);
size = mb->size;
MB_WIPE_OUT (0x55);
MB_WIPE_OUT (0x00);
- stats_update (0, size);
+ /* Update stats. */
+ stats_update (pool, 0, size);
mb->flags &= ~MB_FLAG_ACTIVE;
- /* Update stats. */
+ mb_merge (pool, mb);
- mb_merge (mb);
+ return 1; /* Freed. */
}
-/* Wipe out and release memory. */
-void
+
+/* Wipe out and release memory. Returns true if this function
+ * actually released A. */
+int
_gcry_secmem_free (void *a)
{
+ int mine;
+
+ if (!a)
+ return 1; /* Tell caller that we handled it. */
+
SECMEM_LOCK;
- _gcry_secmem_free_internal (a);
+ mine = _gcry_secmem_free_internal (a);
SECMEM_UNLOCK;
+ return mine;
}
-/* Realloc memory. */
-void *
-_gcry_secmem_realloc (void *p, size_t newsize)
+
+static void *
+_gcry_secmem_realloc_internal (void *p, size_t newsize, int xhint)
{
memblock_t *mb;
size_t size;
void *a;
- SECMEM_LOCK;
-
mb = (memblock_t *) (void *) ((char *) p
- ((size_t) &((memblock_t *) 0)->aligned.c));
size = mb->size;
}
else
{
- a = _gcry_secmem_malloc_internal (newsize);
+ a = _gcry_secmem_malloc_internal (newsize, xhint);
if (a)
{
memcpy (a, p, size);
}
}
+ return a;
+}
+
+
+/* Realloc memory. With XHINT set assume that the caller is a xmalloc
+ * style function. */
+void *
+_gcry_secmem_realloc (void *p, size_t newsize, int xhint)
+{
+ void *a;
+
+ SECMEM_LOCK;
+ a = _gcry_secmem_realloc_internal (p, newsize, xhint);
SECMEM_UNLOCK;
return a;
}
-/* Return true if P points into the secure memory area. */
+/* Return true if P points into the secure memory areas. */
int
_gcry_private_is_secure (const void *p)
{
- return pool_okay && ptr_into_pool_p (p);
+ pooldesc_t *pool;
+
+ /* We do no lock here because once a pool is allocatred it will not
+ * be removed anymore (except for gcry_secmem_term). Further,
+ * adding a new pool to the list should be atomic. */
+ for (pool = &mainpool; pool; pool = pool->next)
+ if (pool->okay && ptr_into_pool_p (pool, p))
+ return 1;
+
+ return 0;
}
void
_gcry_secmem_term ()
{
- if (!pool_okay)
- return;
+ pooldesc_t *pool, *next;
- wipememory2 (pool, 0xff, pool_size);
- wipememory2 (pool, 0xaa, pool_size);
- wipememory2 (pool, 0x55, pool_size);
- wipememory2 (pool, 0x00, pool_size);
+ for (pool = &mainpool; pool; pool = next)
+ {
+ next = pool->next;
+ if (!pool->okay)
+ continue;
+
+ wipememory2 (pool->mem, 0xff, pool->size);
+ wipememory2 (pool->mem, 0xaa, pool->size);
+ wipememory2 (pool->mem, 0x55, pool->size);
+ wipememory2 (pool->mem, 0x00, pool->size);
+ if (0)
+ ;
#if HAVE_MMAP
- if (pool_is_mmapped)
- munmap (pool, pool_size);
+ else if (pool->is_mmapped)
+ munmap (pool->mem, pool->size);
#endif
- pool = NULL;
- pool_okay = 0;
- pool_size = 0;
+ else
+ free (pool->mem);
+ pool->mem = NULL;
+ pool->okay = 0;
+ pool->size = 0;
+ if (pool != &mainpool)
+ free (pool);
+ }
+ mainpool.next = NULL;
not_locked = 0;
}
void
-_gcry_secmem_dump_stats ()
+_gcry_secmem_dump_stats (int extended)
{
-#if 1
- SECMEM_LOCK;
-
- if (pool_okay)
- log_info ("secmem usage: %u/%lu bytes in %u blocks\n",
- cur_alloced, (unsigned long)pool_size, cur_blocks);
- SECMEM_UNLOCK;
-#else
+ pooldesc_t *pool;
memblock_t *mb;
- int i;
+ int i, poolno;
SECMEM_LOCK;
- for (i = 0, mb = (memblock_t *) pool;
- ptr_into_pool_p (mb);
- mb = mb_get_next (mb), i++)
- log_info ("SECMEM: [%s] block: %i; size: %i\n",
- (mb->flags & MB_FLAG_ACTIVE) ? "used" : "free",
- i,
- mb->size);
+ for (pool = &mainpool, poolno = 0; pool; pool = pool->next, poolno++)
+ {
+ if (!extended)
+ {
+ if (pool->okay)
+ log_info ("%-13s %u/%lu bytes in %u blocks\n",
+ pool == &mainpool? "secmem usage:":"",
+ pool->cur_alloced, (unsigned long)pool->size,
+ pool->cur_blocks);
+ }
+ else
+ {
+ for (i = 0, mb = (memblock_t *) pool->mem;
+ ptr_into_pool_p (pool, mb);
+ mb = mb_get_next (pool, mb), i++)
+ log_info ("SECMEM: pool %d %s block %i size %i\n",
+ poolno,
+ (mb->flags & MB_FLAG_ACTIVE) ? "used" : "free",
+ i,
+ mb->size);
+ }
+ }
+
SECMEM_UNLOCK;
-#endif
}
void _gcry_secmem_init (size_t npool);
void _gcry_secmem_term (void);
-void *_gcry_secmem_malloc (size_t size) _GCRY_GCC_ATTR_MALLOC;
-void *_gcry_secmem_realloc (void *a, size_t newsize);
-void _gcry_secmem_free (void *a);
-void _gcry_secmem_dump_stats (void);
+void *_gcry_secmem_malloc (size_t size, int xhint) _GCRY_GCC_ATTR_MALLOC;
+void *_gcry_secmem_realloc (void *a, size_t newsize, int xhint);
+int _gcry_secmem_free (void *a);
+void _gcry_secmem_dump_stats (int extended);
void _gcry_secmem_set_flags (unsigned flags);
unsigned _gcry_secmem_get_flags(void);
int _gcry_private_is_secure (const void *p);
/*
* Allocate memory of size N from the secure memory pool. Return NULL
- * if we are out of memory.
+ * if we are out of memory. XHINT tells the allocator that the caller
+ * used an xmalloc style call.
*/
void *
-_gcry_private_malloc_secure (size_t n)
+_gcry_private_malloc_secure (size_t n, int xhint)
{
if (!n)
{
{
char *p;
- if ( !(p = _gcry_secmem_malloc (n +EXTRA_ALIGN+ 5)) )
+ if (!(p = _gcry_secmem_malloc (n + EXTRA_ALIGN + 5, xhint)))
return NULL;
((byte*)p)[EXTRA_ALIGN+0] = n;
((byte*)p)[EXTRA_ALIGN+1] = n >> 8 ;
}
else
{
- return _gcry_secmem_malloc( n );
+ return _gcry_secmem_malloc (n, xhint);
}
}
/*
- * Realloc and clear the old space
- * Return NULL if there is not enough memory.
+ * Realloc and clear the old space. XHINT tells the allocator that
+ * the caller used an xmalloc style call. Returns NULL if there is
+ * not enough memory.
*/
void *
-_gcry_private_realloc ( void *a, size_t n )
+_gcry_private_realloc (void *a, size_t n, int xhint)
{
if (use_m_guard)
{
if( len >= n ) /* We don't shrink for now. */
return a;
if (p[-1] == MAGIC_SEC_BYTE)
- b = _gcry_private_malloc_secure(n);
+ b = _gcry_private_malloc_secure (n, xhint);
else
b = _gcry_private_malloc(n);
if (!b)
}
else if ( _gcry_private_is_secure(a) )
{
- return _gcry_secmem_realloc( a, n );
+ return _gcry_secmem_realloc (a, n, xhint);
}
else
{
if (use_m_guard )
{
_gcry_private_check_heap(p);
- if ( _gcry_private_is_secure(a) )
- _gcry_secmem_free(p-EXTRA_ALIGN-4);
- else
+ if (! _gcry_secmem_free (p - EXTRA_ALIGN - 4))
{
- free(p-EXTRA_ALIGN-4);
+ free (p - EXTRA_ALIGN - 4);
}
}
- else if ( _gcry_private_is_secure(a) )
- _gcry_secmem_free(p);
- else
- free(p);
+ else if (!_gcry_secmem_free (p))
+ {
+ free(p);
+ }
}
void _gcry_private_enable_m_guard(void);
void *_gcry_private_malloc (size_t n) _GCRY_GCC_ATTR_MALLOC;
-void *_gcry_private_malloc_secure (size_t n) _GCRY_GCC_ATTR_MALLOC;
-void *_gcry_private_realloc (void *a, size_t n);
+void *_gcry_private_malloc_secure (size_t n, int xhint) _GCRY_GCC_ATTR_MALLOC;
+void *_gcry_private_realloc (void *a, size_t n, int xhint);
void _gcry_private_check_heap (const void *a);
void _gcry_private_free (void *a);
check_ocb_cipher_splitaad ();
}
+static void
+check_gost28147_cipher (void)
+{
+#if USE_GOST28147
+ static const struct {
+ char key[MAX_DATA_LEN];
+ const char *oid;
+ unsigned char plaintext[MAX_DATA_LEN];
+ int inlen;
+ char out[MAX_DATA_LEN];
+ } tv[] =
+ {
+ {
+ "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
+ "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0",
+ "1.2.643.7.1.2.5.1.1",
+ "\x01\x02\x03\x04\x05\x06\x07\x08",
+ 8,
+ "\xce\x5a\x5e\xd7\xe0\x57\x7a\x5f",
+ }, {
+ "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
+ "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0",
+ "1.2.643.2.2.31.0",
+ "\x01\x02\x03\x04\x05\x06\x07\x08",
+ 8,
+ "\x98\x56\xcf\x8b\xfc\xc2\x82\xf4",
+ }, {
+ "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
+ "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0",
+ "1.2.643.2.2.31.1",
+ "\x01\x02\x03\x04\x05\x06\x07\x08",
+ 8,
+ "\x66\x81\x84\xae\xdc\x48\xc9\x17",
+ }, {
+ "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
+ "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0",
+ "1.2.643.2.2.31.2",
+ "\x01\x02\x03\x04\x05\x06\x07\x08",
+ 8,
+ "\xdb\xee\x81\x14\x7b\x74\xb0\xf2",
+ }, {
+ "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
+ "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0",
+ "1.2.643.2.2.31.3",
+ "\x01\x02\x03\x04\x05\x06\x07\x08",
+ 8,
+ "\x31\xa3\x85\x9d\x0a\xee\xb8\x0e",
+ }, {
+ "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
+ "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0",
+ "1.2.643.2.2.31.4",
+ "\x01\x02\x03\x04\x05\x06\x07\x08",
+ 8,
+ "\xb1\x32\x3e\x0b\x21\x73\xcb\xd1",
+ }, {
+ "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
+ "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0",
+ "1.2.643.2.2.30.0",
+ "\x01\x02\x03\x04\x05\x06\x07\x08",
+ 8,
+ "\xce\xd5\x2a\x7f\xf7\xf2\x60\xd5",
+ }, {
+ "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
+ "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0",
+ "1.2.643.2.2.30.1",
+ "\x01\x02\x03\x04\x05\x06\x07\x08",
+ 8,
+ "\xe4\x21\x75\xe1\x69\x22\xd0\xa8",
+ }
+ };
+
+ gcry_cipher_hd_t hde, hdd;
+ unsigned char out[MAX_DATA_LEN];
+ int i, keylen;
+ gcry_error_t err = 0;
+
+ if (verbose)
+ fprintf (stderr, " Starting GOST28147 cipher checks.\n");
+ keylen = gcry_cipher_get_algo_keylen(GCRY_CIPHER_GOST28147);
+ if (!keylen)
+ {
+ fail ("gost28147, gcry_cipher_get_algo_keylen failed\n");
+ return;
+ }
+
+ for (i = 0; i < sizeof (tv) / sizeof (tv[0]); i++)
+ {
+ err = gcry_cipher_open (&hde, GCRY_CIPHER_GOST28147,
+ GCRY_CIPHER_MODE_ECB, 0);
+ if (!err)
+ err = gcry_cipher_open (&hdd, GCRY_CIPHER_GOST28147,
+ GCRY_CIPHER_MODE_ECB, 0);
+ if (err)
+ {
+ fail ("gost28147, gcry_cipher_open failed: %s\n", gpg_strerror (err));
+ return;
+ }
+
+ err = gcry_cipher_setkey (hde, tv[i].key, keylen);
+ if (!err)
+ err = gcry_cipher_setkey (hdd, tv[i].key, keylen);
+ if (err)
+ {
+ fail ("gost28147, gcry_cipher_setkey failed: %s\n",
+ gpg_strerror (err));
+ gcry_cipher_close (hde);
+ gcry_cipher_close (hdd);
+ return;
+ }
+
+ err = gcry_cipher_set_sbox (hde, tv[i].oid);
+ if (!err)
+ err = gcry_cipher_set_sbox (hdd, tv[i].oid);
+ if (err)
+ {
+ fail ("gost28147, gcry_cipher_set_sbox failed: %s\n",
+ gpg_strerror (err));
+ gcry_cipher_close (hde);
+ gcry_cipher_close (hdd);
+ return;
+ }
+
+ err = gcry_cipher_encrypt (hde, out, MAX_DATA_LEN,
+ tv[i].plaintext,
+ tv[i].inlen == -1 ?
+ strlen ((char*)tv[i].plaintext) :
+ tv[i].inlen);
+ if (err)
+ {
+ fail ("gost28147, gcry_cipher_encrypt (%d) failed: %s\n",
+ i, gpg_strerror (err));
+ gcry_cipher_close (hde);
+ gcry_cipher_close (hdd);
+ return;
+ }
+
+ if (memcmp (tv[i].out, out, tv[i].inlen))
+ {
+ fail ("gost28147, encrypt mismatch entry %d\n", i);
+ mismatch (tv[i].out, tv[i].inlen,
+ out, tv[i].inlen);
+ }
+
+ err = gcry_cipher_decrypt (hdd, out, tv[i].inlen, NULL, 0);
+ if (err)
+ {
+ fail ("gost28147, gcry_cipher_decrypt (%d) failed: %s\n",
+ i, gpg_strerror (err));
+ gcry_cipher_close (hde);
+ gcry_cipher_close (hdd);
+ return;
+ }
+
+ if (memcmp (tv[i].plaintext, out, tv[i].inlen))
+ {
+ fail ("gost28147, decrypt mismatch entry %d\n", i);
+ mismatch (tv[i].plaintext, tv[i].inlen,
+ out, tv[i].inlen);
+ }
+
+ gcry_cipher_close (hde);
+ gcry_cipher_close (hdd);
+ }
+
+#endif
+}
+
static void
check_stream_cipher (void)
check_gcm_cipher ();
check_poly1305_cipher ();
check_ocb_cipher ();
+ check_gost28147_cipher ();
check_stream_cipher ();
check_stream_cipher_large_block ();
fprintf (stderr, " checking %s [%i] for length %d\n",
gcry_md_algo_name (algos[i].md),
algos[i].md,
- !strcmp (algos[i].data, "!")?
+ (!strcmp (algos[i].data, "!") || !strcmp (algos[i].data, "?"))?
1000000 : (int)strlen(algos[i].data));
check_one_md (algos[i].md, algos[i].data,
int i;
gcry_error_t err = 0;
+ if (test_buffering)
+ {
+ if ((*data == '!' && !data[1]) ||
+ (*data == '?' && !data[1]))
+ {
+ return; /* Skip. */
+ }
+ }
+
err = gcry_mac_open (&hd, algo, 0, NULL);
if (err)
{
}
else
{
- err = gcry_mac_write (hd, data, datalen);
+ if ((*data == '!' && !data[1]) || /* hash one million times a "a" */
+ (*data == '?' && !data[1])) /* hash million byte data-set with byte pattern 0x00,0x01,0x02,... */
+ {
+ char aaa[1000];
+ size_t left = 1000 * 1000;
+ size_t startlen = 1;
+ size_t piecelen = startlen;
+
+ if (*data == '!')
+ memset (aaa, 'a', 1000);
+
+ /* Write in chuck with all sizes 1 to 1000 (500500 bytes) */
+ for (i = 1; i <= 1000 && left > 0; i++)
+ {
+ piecelen = i;
+ if (piecelen > sizeof(aaa))
+ piecelen = sizeof(aaa);
+ if (piecelen > left)
+ piecelen = left;
+
+ if (*data == '?')
+ fillbuf_count(aaa, piecelen, 1000 * 1000 - left);
+
+ gcry_mac_write (hd, aaa, piecelen);
+
+ left -= piecelen;
+ }
+
+ /* Write in odd size chunks so that we test the buffering. */
+ while (left > 0)
+ {
+ if (piecelen > sizeof(aaa))
+ piecelen = sizeof(aaa);
+ if (piecelen > left)
+ piecelen = left;
+
+ if (*data == '?')
+ fillbuf_count(aaa, piecelen, 1000 * 1000 - left);
+
+ gcry_mac_write (hd, aaa, piecelen);
+
+ left -= piecelen;
+
+ if (piecelen == sizeof(aaa))
+ piecelen = ++startlen;
+ else
+ piecelen = piecelen * 2 - ((piecelen != startlen) ? startlen : 0);
+ }
+ }
+ else
+ {
+ err = gcry_mac_write (hd, data, datalen);
+ }
+
if (err)
fail("algo %d, mac gcry_mac_write failed: %s\n", algo, gpg_strerror (err));
if (err)
err = gcry_mac_verify (hd, expect, maclen);
if (err)
fail("algo %d, mac gcry_mac_verify failed: %s\n", algo, gpg_strerror (err));
- if (err)
- goto out;
macoutlen = maclen;
err = gcry_mac_read (hd, p, &macoutlen);
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa",
"\x6f\x63\x0f\xad\x67\xcd\xa0\xee\x1f\xb1\xf5\x62\xdb\x3a\xa5\x3e", },
+ { GCRY_MAC_HMAC_MD5, "?", "????????????????",
+ "\x7e\x28\xf8\x8e\xf4\x6c\x48\x30\xa2\x0c\xe3\xe1\x42\xd4\xb5\x6b" },
{ GCRY_MAC_HMAC_SHA256, "what do ya want for nothing?", "Jefe",
"\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7\x5a"
"\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43" },
"\xaa\xaa\xaa",
"\x9b\x09\xff\xa7\x1b\x94\x2f\xcb\x27\x63\x5f\xbc\xd5\xb0\xe9\x44"
"\xbf\xdc\x63\x64\x4f\x07\x13\x93\x8a\x7f\x51\x53\x5c\x3a\x35\xe2" },
+ { GCRY_MAC_HMAC_SHA256, "?", "????????????????",
+ "\x1c\x0e\x57\xad\x4a\x02\xd2\x30\xce\x7e\xf8\x08\x23\x25\x71\x5e"
+ "\x16\x9b\x30\xca\xc3\xf4\x99\xc5\x1d\x4c\x25\x32\xa9\xf2\x15\x28" },
{ GCRY_MAC_HMAC_SHA224, "what do ya want for nothing?", "Jefe",
"\xa3\x0e\x01\x09\x8b\xc6\xdb\xbf\x45\x69\x0f\x3a\x7e\x9e\x6d\x0f"
"\x8b\xbe\xa2\xa3\x9e\x61\x48\x00\x8f\xd0\x5e\x44" },
"\xaa\xaa\xaa",
"\x3a\x85\x41\x66\xac\x5d\x9f\x02\x3f\x54\xd5\x17\xd0\xb3\x9d\xbd"
"\x94\x67\x70\xdb\x9c\x2b\x95\xc9\xf6\xf5\x65\xd1" },
+ { GCRY_MAC_HMAC_SHA224, "?", "????????????????",
+ "\xc1\x88\xaf\xcf\xce\x51\xa2\x14\x3d\xc1\xaf\x93\xcc\x2b\xe9\x4d"
+ "\x39\x55\x90\x4c\x46\x70\xfc\xc2\x04\xcf\xab\xfa" },
{ GCRY_MAC_HMAC_SHA384, "what do ya want for nothing?", "Jefe",
"\xaf\x45\xd2\xe3\x76\x48\x40\x31\x61\x7f\x78\xd2\xb5\x8a\x6b\x1b"
"\x9c\x7e\xf4\x64\xf5\xa0\x1b\x47\xe4\x2e\xc3\x73\x63\x22\x44\x5e"
"\x66\x17\x17\x8e\x94\x1f\x02\x0d\x35\x1e\x2f\x25\x4e\x8f\xd3\x2c"
"\x60\x24\x20\xfe\xb0\xb8\xfb\x9a\xdc\xce\xbb\x82\x46\x1e\x99\xc5"
"\xa6\x78\xcc\x31\xe7\x99\x17\x6d\x38\x60\xe6\x11\x0c\x46\x52\x3e" },
+ { GCRY_MAC_HMAC_SHA384, "?", "????????????????",
+ "\xe7\x96\x29\xa3\x40\x5f\x1e\x6e\x92\xa5\xdb\xa5\xc6\xe9\x60\xa8"
+ "\xf5\xd1\x6d\xcb\x10\xec\x30\x2f\x6b\x9c\x37\xe0\xea\xf1\x53\x28"
+ "\x08\x01\x9b\xe3\x4a\x43\xc6\xc2\x2b\x0c\xd9\x43\x64\x35\x25\x78" },
{ GCRY_MAC_HMAC_SHA512, "what do ya want for nothing?", "Jefe",
"\x16\x4b\x7a\x7b\xfc\xf8\x19\xe2\xe3\x95\xfb\xe7\x3b\x56\xe0\xa3"
"\x87\xbd\x64\x22\x2e\x83\x1f\xd6\x10\x27\x0c\xd7\xea\x25\x05\x54"
"\xde\xbd\x71\xf8\x86\x72\x89\x86\x5d\xf5\xa3\x2d\x20\xcd\xc9\x44"
"\xb6\x02\x2c\xac\x3c\x49\x82\xb1\x0d\x5e\xeb\x55\xc3\xe4\xde\x15"
"\x13\x46\x76\xfb\x6d\xe0\x44\x60\x65\xc9\x74\x40\xfa\x8c\x6a\x58" },
+ { GCRY_MAC_HMAC_SHA512, "?", "????????????????",
+ "\xd4\x43\x61\xfa\x3d\x3d\x57\xd6\xac\xc3\x9f\x1c\x3d\xd9\x26\x84"
+ "\x1f\xfc\x4d\xf2\xbf\x78\x87\x72\x5e\x6c\x3e\x00\x6d\x39\x5f\xfa"
+ "\xd7\x3a\xf7\x83\xb7\xb5\x61\xbd\xfb\x33\xe0\x03\x97\xa7\x72\x79"
+ "\x66\x66\xbf\xbd\x44\xfa\x04\x01\x1b\xc1\x48\x1d\x9e\xde\x5b\x8e" },
/* HMAC-SHA3 test vectors from
* http://wolfgang-ehrhardt.de/hmac-sha3-testvectors.html */
{ GCRY_MAC_HMAC_SHA3_224,
"\x1f\x3e\x6c\xf0\x48\x60\xc6\xbb\xd7\xfa\x48\x86\x74\x78\x2b\x46"
"\x59\xfd\xbd\xf3\xfd\x87\x78\x52\x88\x5c\xfe\x6e\x22\x18\x5f\xe7"
"\xb2\xee\x95\x20\x43\x62\x9b\xc9\xd5\xf3\x29\x8a\x41\xd0\x2c\x66" },
+ { GCRY_MAC_HMAC_SHA3_224, "?", "????????????????",
+ "\x80\x2b\x3c\x84\xfe\x3e\x01\x22\x14\xf8\xba\x74\x79\xfd\xb5\x02"
+ "\xea\x0c\x06\xa4\x7e\x01\xe3\x2c\xc7\x24\x89\xc3" },
+ { GCRY_MAC_HMAC_SHA3_256, "?", "????????????????",
+ "\x6c\x7c\x96\x5b\x19\xba\xcd\x61\x69\x8a\x2c\x7a\x2b\x96\xa1\xc3"
+ "\x33\xa0\x3c\x5d\x54\x87\x37\x60\xc8\x2f\xa2\xa6\x12\x38\x8d\x1b" },
+ { GCRY_MAC_HMAC_SHA3_384, "?", "????????????????",
+ "\xc0\x20\xd0\x9b\xa7\xb9\xd5\xb8\xa6\xa4\xba\x20\x55\xd9\x0b\x35"
+ "\x8b\xe0\xb7\xec\x1e\x9f\xe6\xb9\xbd\xd5\xe9\x9b\xfc\x0a\x11\x3a"
+ "\x15\x41\xed\xfd\xef\x30\x8d\x03\xb8\xca\x3a\xa8\xc7\x2d\x89\x32" },
+ { GCRY_MAC_HMAC_SHA3_512, "?", "????????????????",
+ "\xb4\xef\x24\xd2\x07\xa7\x01\xb3\xe1\x81\x11\x22\x93\x83\x64\xe0"
+ "\x5e\xad\x03\xb7\x43\x4f\x87\xa1\x14\x8e\x17\x8f\x2a\x97\x7d\xe8"
+ "\xbd\xb0\x37\x3b\x67\xb9\x97\x36\xa5\x82\x9b\xdc\x0d\xe4\x5a\x8c"
+ "\x5e\xda\xb5\xca\xea\xa9\xb4\x6e\xba\xca\x25\xc8\xbf\xa1\x0e\xb0" },
+ { GCRY_MAC_HMAC_STRIBOG256,
+ "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00",
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+ "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+ "\xa1\xaa\x5f\x7d\xe4\x02\xd7\xb3\xd3\x23\xf2\x99\x1c\x8d\x45\x34"
+ "\x01\x31\x37\x01\x0a\x83\x75\x4f\xd0\xaf\x6d\x7c\xd4\x92\x2e\xd9",
+ NULL, 16, 32 },
+ { GCRY_MAC_HMAC_STRIBOG512,
+ "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00",
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+ "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+ "\xa5\x9b\xab\x22\xec\xae\x19\xc6\x5f\xbd\xe6\xe5\xf4\xe9\xf5\xd8"
+ "\x54\x9d\x31\xf0\x37\xf9\xdf\x9b\x90\x55\x00\xe1\x71\x92\x3a\x77"
+ "\x3d\x5f\x15\x30\xf2\xed\x7e\x96\x4c\xb2\xee\xdc\x29\xe9\xad\x2f"
+ "\x3a\xfe\x93\xb2\x81\x4f\x79\xf5\x00\x0f\xfc\x03\x66\xc2\x51\xe6",
+ NULL, 16, 32 },
/* CMAC AES and DES test vectors from
http://web.archive.org/web/20130930212819/http://csrc.nist.gov/publica\
tions/nistpubs/800-38B/Updated_CMAC_Examples.pdf */
"\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81"
"\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4",
"\xe1\x99\x21\x90\x54\x9f\x6e\xd5\x69\x6a\x2c\x05\x6c\x31\x54\x10" },
+ { GCRY_MAC_CMAC_AES, "?", "????????????????????????????????",
+ "\x9f\x72\x73\x68\xb0\x49\x2e\xb1\x35\xa0\x1d\xf9\xa8\x0a\xf6\xee" },
{ GCRY_MAC_CMAC_3DES,
"",
"\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58"
"\x4c\xf1\x51\x34\xa2\x85\x0d\xd5\x8a\x3d\x10\xba\x80\x57\x0d\x38"
"\x4c\xf1\x51\x34\xa2\x85\x0d\xd5",
"\x31\xb1\xe4\x31\xda\xbc\x4e\xb8" },
+ { GCRY_MAC_CMAC_3DES, "?", "????????????????????????",
+ "\xc1\x38\x13\xb2\x31\x8f\x3a\xdf" },
/* CMAC Camellia test vectors from
http://tools.ietf.org/html/draft-kato-ipsec-camellia-cmac96and128-05 */
{ GCRY_MAC_CMAC_CAMELLIA,
"\xf6\x9f\x24\x45\xdf\x4f\x9b\x17\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
"\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
"\xc2\x69\x9a\x6e\xba\x55\xce\x9d\x93\x9a\x8a\x4e\x19\x46\x6e\xe9" },
+ { GCRY_MAC_CMAC_CAMELLIA, "?", "????????????????????????????????",
+ "\xba\x8a\x5a\x8d\xa7\x54\x26\x83\x3e\xb1\x20\xb5\x45\xd0\x9f\x4e" },
/* http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip */
{ GCRY_MAC_GMAC_AES,
"",
"\xc9\xfc\xa7\x29\xab\x60\xad\xa0",
"\x20\x4b\xdb\x1b\xd6\x21\x54\xbf\x08\x92\x2a\xaa\x54\xee\xd7\x05",
"\x05\xad\x13\xa5\xe2\xc2\xab\x66\x7e\x1a\x6f\xbc" },
+ { GCRY_MAC_GMAC_AES, "?", "????????????????????????????????",
+ "\x84\x37\xc3\x42\xae\xf5\xd0\x40\xd3\x73\x90\xa9\x36\xed\x8a\x12" },
/* from NaCl */
{ GCRY_MAC_POLY1305,
"\x8e\x99\x3b\x9f\x48\x68\x12\x73\xc2\x96\x50\xba\x32\xfc\x76\xce"
"\x12\x97\x6a\x08\xc4\x42\x6d\x0c\xe8\xa8\x24\x07\xc4\xf4\x82\x07"
"\x80\xf8\xc2\x0a\xa7\x12\x02\xd1\xe2\x91\x79\xcb\xcb\x55\x5a\x57",
"\x51\x54\xad\x0d\x2c\xb2\x6e\x01\x27\x4f\xc5\x11\x48\x49\x1f\x1b" },
+ { GCRY_MAC_POLY1305, "?", "????????????????????????????????",
+ "\xc3\x88\xce\x8a\x52\xd6\xe7\x21\x86\xfa\xaa\x5d\x2d\x16\xf9\xa3" },
/* from http://cr.yp.to/mac/poly1305-20050329.pdf */
{ GCRY_MAC_POLY1305_AES,
"\xf3\xf6",
"\x51\x54\xad\x0d\x2c\xb2\x6e\x01\x27\x4f\xc5\x11\x48\x49\x1f\x1b",
"\x9a\xe8\x31\xe7\x43\x97\x8d\x3a\x23\x52\x7c\x71\x28\x14\x9e\x3a",
0, 32 },
+ { GCRY_MAC_POLY1305_AES, "?", "????????????????????????????????",
+ "\x9d\xeb\xb0\xcd\x24\x90\xd3\x9b\x47\x78\x37\x0a\x81\xf2\x83\x2a",
+ "\x61\xee\x09\x21\x8d\x29\xb0\xaa\xed\x7e\x15\x4a\x2c\x55\x09\xcc",
+ 0, 32 },
{ 0 },
};
int i;
fprintf (stderr,
" checking %s [%i] for %d byte key and %d byte data\n",
gcry_mac_algo_name (algos[i].algo),
- algos[i].algo,
- (int)strlen(algos[i].key), (int)strlen(algos[i].data));
+ algos[i].algo, (int)strlen(algos[i].key),
+ (!strcmp(algos[i].data, "!") || !strcmp(algos[i].data, "?"))
+ ? 1000000 : (int)strlen(algos[i].data));
klen = algos[i].klen ? algos[i].klen : strlen(algos[i].key);
dlen = algos[i].dlen ? algos[i].dlen : strlen (algos[i].data);
static int verbose;
static int csv_mode;
+static int unaligned_mode;
static int num_measurement_repetitions;
/* CPU Ghz value provided by user, allows constructing cycles/byte and other
obj->max_bufsize < 1 || obj->min_bufsize > obj->max_bufsize)
goto err_free;
- real_buffer = malloc (obj->max_bufsize + 128);
+ real_buffer = malloc (obj->max_bufsize + 128 + unaligned_mode);
if (!real_buffer)
goto err_free;
/* Get aligned buffer */
buffer = real_buffer;
buffer += 128 - ((real_buffer - (unsigned char *) 0) & (128 - 1));
+ if (unaligned_mode)
+ buffer += unaligned_mode; /* Make buffer unaligned */
for (i = 0; i < obj->max_bufsize; i++)
buffer[i] = 0x55 ^ (-i);
" for benchmarking.",
" --repetitions <n> Use N repetitions (default "
STR2(NUM_MEASUREMENT_REPETITIONS) ")",
+ " --unaligned Use unaligned input buffers.",
" --csv Use CSV output format",
NULL
};
argc--;
argv++;
}
+ else if (!strcmp (*argv, "--unaligned"))
+ {
+ unaligned_mode = 1;
+ argc--;
+ argv++;
+ }
else if (!strcmp (*argv, "--disable-hwf"))
{
argc--;
if (gcry_md_get_algo_dlen (algo) > sizeof digest)
die ("digest buffer too short\n");
- largebuf_base = malloc (10000+15);
- if (!largebuf_base)
- die ("out of core\n");
- largebuf = (largebuf_base
- + ((16 - ((size_t)largebuf_base & 0x0f)) % buffer_alignment));
-
- for (i=0; i < 10000; i++)
- largebuf[i] = i;
- start_timer ();
- for (repcount=0; repcount < hash_repetitions; repcount++)
- for (i=0; i < 100; i++)
- gcry_md_hash_buffer (algo, digest, largebuf, 10000);
- stop_timer ();
- printf (" %s", elapsed_time (1));
- free (largebuf_base);
+ if (gcry_md_get_algo_dlen (algo))
+ {
+ largebuf_base = malloc (10000+15);
+ if (!largebuf_base)
+ die ("out of core\n");
+ largebuf = (largebuf_base
+ + ((16 - ((size_t)largebuf_base & 0x0f)) % buffer_alignment));
+
+ for (i=0; i < 10000; i++)
+ largebuf[i] = i;
+ start_timer ();
+ for (repcount=0; repcount < hash_repetitions; repcount++)
+ for (i=0; i < 100; i++)
+ gcry_md_hash_buffer (algo, digest, largebuf, 10000);
+ stop_timer ();
+ printf (" %s", elapsed_time (1));
+ free (largebuf_base);
+ }
putchar ('\n');
fflush (stdout);
};
+/* If we have a decent libgpg-error we can use some gcc attributes. */
+#ifdef GPGRT_ATTR_NORETURN
+static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2);
+#endif /*GPGRT_ATTR_NORETURN*/
+
/* Print a error message and exit the process with an error code. */
static void
blocklen = gcry_cipher_get_algo_blklen (cipher_algo);
if (!blocklen || blocklen > sizeof output)
- die ("invalid block length %d\n", blocklen);
+ die ("invalid block length %d\n", (int)blocklen);
gcry_cipher_ctl (hd, PRIV_CIPHERCTL_DISABLE_WEAK_KEY, NULL, 0);
die ("no version info in input\n");
}
if (atoi (key_buffer) != 1)
- die ("unsupported input version %s\n", key_buffer);
+ die ("unsupported input version %s\n",
+ (const char*)key_buffer);
gcry_free (key_buffer);
if (!(key_buffer = read_textline (input)))
die ("no iteration count in input\n");
unsigned char buffer[16];
size_t count = 0;
- if (hex2bin (key_string, key, 16) < 0 )
+ if (!key_string || hex2bin (key_string, key, 16) < 0 )
die ("value for --key are not 32 hex digits\n");
- if (hex2bin (iv_string, seed, 16) < 0 )
+ if (!iv_string || hex2bin (iv_string, seed, 16) < 0 )
die ("value for --iv are not 32 hex digits\n");
- if (hex2bin (dt_string, dt, 16) < 0 )
+ if (!dt_string || hex2bin (dt_string, dt, 16) < 0 )
die ("value for --dt are not 32 hex digits\n");
/* The flag value 1 disables the dup check, so that the RNG
static int verbose;
static int error_count;
+
+/* If we have a decent libgpg-error we can use some gcc attributes. */
+#ifdef GPGRT_ATTR_NORETURN
+static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2);
+static void fail (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
+static void info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
+#endif /*GPGRT_ATTR_NORETURN*/
+
+
static void
die (const char *format, ...)
{
}
/* from ../cipher/pubkey-util.c */
-gpg_err_code_t
+static gpg_err_code_t
_gcry_pk_util_get_nbits (gcry_sexp_t list, unsigned int *r_nbits)
{
char buf[50];
static int debug;
static int with_progress;
+/* If we have a decent libgpg-error we can use some gcc attributes. */
+#ifdef GPGRT_ATTR_NORETURN
+static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2);
+static void inf (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
+#endif /*GPGRT_ATTR_NORETURN*/
+
+
static void
die (const char *format, ...)
{
static int debug;
static int errorcount;
+/* If we have a decent libgpg-error we can use some gcc attributes. */
+#ifdef GPGRT_ATTR_NORETURN
+static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2);
+static void fail (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
+static void info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
+#endif /*GPGRT_ATTR_NORETURN*/
+
/* Reporting functions. */
static void
20,
"\x43\xe0\x6c\x55\x90\xb0\x8c\x02\x25\x24"
"\x23\x73\x12\x7e\xdf\x9c\x8e\x9c\x32\x91"
+ },
+ {
+ "password", 8,
+ "salt", 4,
+ GCRY_MD_STRIBOG512,
+ 1,
+ 64,
+ "\x64\x77\x0a\xf7\xf7\x48\xc3\xb1\xc9\xac\x83\x1d\xbc\xfd\x85\xc2"
+ "\x61\x11\xb3\x0a\x8a\x65\x7d\xdc\x30\x56\xb8\x0c\xa7\x3e\x04\x0d"
+ "\x28\x54\xfd\x36\x81\x1f\x6d\x82\x5c\xc4\xab\x66\xec\x0a\x68\xa4"
+ "\x90\xa9\xe5\xcf\x51\x56\xb3\xa2\xb7\xee\xcd\xdb\xf9\xa1\x6b\x47"
+ },
+ {
+ "password", 8,
+ "salt", 4,
+ GCRY_MD_STRIBOG512,
+ 2,
+ 64,
+ "\x5a\x58\x5b\xaf\xdf\xbb\x6e\x88\x30\xd6\xd6\x8a\xa3\xb4\x3a\xc0"
+ "\x0d\x2e\x4a\xeb\xce\x01\xc9\xb3\x1c\x2c\xae\xd5\x6f\x02\x36\xd4"
+ "\xd3\x4b\x2b\x8f\xbd\x2c\x4e\x89\xd5\x4d\x46\xf5\x0e\x47\xd4\x5b"
+ "\xba\xc3\x01\x57\x17\x43\x11\x9e\x8d\x3c\x42\xba\x66\xd3\x48\xde"
+ },
+ {
+ "password", 8,
+ "salt", 4,
+ GCRY_MD_STRIBOG512,
+ 4096,
+ 64,
+ "\xe5\x2d\xeb\x9a\x2d\x2a\xaf\xf4\xe2\xac\x9d\x47\xa4\x1f\x34\xc2"
+ "\x03\x76\x59\x1c\x67\x80\x7f\x04\x77\xe3\x25\x49\xdc\x34\x1b\xc7"
+ "\x86\x7c\x09\x84\x1b\x6d\x58\xe2\x9d\x03\x47\xc9\x96\x30\x1d\x55"
+ "\xdf\x0d\x34\xe4\x7c\xf6\x8f\x4e\x3c\x2c\xda\xf1\xd9\xab\x86\xc3"
+ },
+ /* { -- takes toooo long
+ "password", 8,
+ "salt", 4,
+ GCRY_MD_STRIBOG512,
+ 16777216,
+ 64,
+ "\x49\xe4\x84\x3b\xba\x76\xe3\x00\xaf\xe2\x4c\x4d\x23\xdc\x73\x92"
+ "\xde\xf1\x2f\x2c\x0e\x24\x41\x72\x36\x7c\xd7\x0a\x89\x82\xac\x36"
+ "\x1a\xdb\x60\x1c\x7e\x2a\x31\x4e\x8c\xb7\xb1\xe9\xdf\x84\x0e\x36"
+ "\xab\x56\x15\xbe\x5d\x74\x2b\x6c\xf2\x03\xfb\x55\xfd\xc4\x80\x71"
+ }, */
+ {
+ "passwordPASSWORDpassword", 24,
+ "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
+ GCRY_MD_STRIBOG512,
+ 4096,
+ 100,
+ "\xb2\xd8\xf1\x24\x5f\xc4\xd2\x92\x74\x80\x20\x57\xe4\xb5\x4e\x0a"
+ "\x07\x53\xaa\x22\xfc\x53\x76\x0b\x30\x1c\xf0\x08\x67\x9e\x58\xfe"
+ "\x4b\xee\x9a\xdd\xca\xe9\x9b\xa2\xb0\xb2\x0f\x43\x1a\x9c\x5e\x50"
+ "\xf3\x95\xc8\x93\x87\xd0\x94\x5a\xed\xec\xa6\xeb\x40\x15\xdf\xc2"
+ "\xbd\x24\x21\xee\x9b\xb7\x11\x83\xba\x88\x2c\xee\xbf\xef\x25\x9f"
+ "\x33\xf9\xe2\x7d\xc6\x17\x8c\xb8\x9d\xc3\x74\x28\xcf\x9c\xc5\x2a"
+ "\x2b\xaa\x2d\x3a"
+ },
+ {
+ "pass\0word", 9,
+ "sa\0lt", 5,
+ GCRY_MD_STRIBOG512,
+ 4096,
+ 64,
+ "\x50\xdf\x06\x28\x85\xb6\x98\x01\xa3\xc1\x02\x48\xeb\x0a\x27\xab"
+ "\x6e\x52\x2f\xfe\xb2\x0c\x99\x1c\x66\x0f\x00\x14\x75\xd7\x3a\x4e"
+ "\x16\x7f\x78\x2c\x18\xe9\x7e\x92\x97\x6d\x9c\x1d\x97\x08\x31\xea"
+ "\x78\xcc\xb8\x79\xf6\x70\x68\xcd\xac\x19\x10\x74\x08\x44\xe8\x30"
}
};
int tvidx;
gpg_error_t err;
- unsigned char outbuf[40];
+ unsigned char outbuf[100];
int i;
for (tvidx=0; tvidx < DIM(tv); tvidx++)
die ("hex2mpiopa '%s' failed: parser error\n", string);
val = gcry_mpi_set_opaque (NULL, buffer, buflen*8);
if (!buffer)
- die ("hex2mpiopa '%s' failed: set_opaque error%s\n", string);
+ die ("hex2mpiopa '%s' failed: set_opaque error\n", string);
return val;
}
}
if (compare_to_canon (se1, canon, canonlen))
{
- fail ("baf %d: converting to advanced failed.\n",
+ fail ("baf %d: converting to advanced failed: %s\n",
testno, gpg_strerror (rc));
return;
}
projects / platform / upstream / libgcrypt.git / commitdiff