From: Piotr Sawicki Date: Thu, 2 Nov 2017 10:05:20 +0000 (+0100) Subject: Imported Upstream version 1.8.1 X-Git-Tag: upstream/1.8.1^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f17b3a917acd419b1a68cc55bb662053c93e5567;p=platform%2Fupstream%2Flibgcrypt.git Imported Upstream version 1.8.1 --- diff --git a/AUTHORS b/AUTHORS index 82f82e2..0d1da12 100644 --- a/AUTHORS +++ b/AUTHORS @@ -21,7 +21,7 @@ year that would otherwise be listed individually. List of Copyright holders ========================= - Copyright (C) 1989,1991-2016 Free Software Foundation, Inc. + Copyright (C) 1989,1991-2017 Free Software Foundation, Inc. Copyright (C) 1994 X Consortium Copyright (C) 1996 L. Peter Deutsch Copyright (C) 1997 Werner Koch @@ -37,6 +37,7 @@ List of Copyright holders Copyright (C) 2013-2017 Jussi Kivilinna Copyright (C) 2013-2014 Dmitry Eremin-Solenikov Copyright (C) 2014 Stephan Mueller + Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik Authors with a FSF copyright assignment @@ -168,6 +169,9 @@ Jussi Kivilinna Markus Teich 2014-10-08:20141008180509.GA2770@trolle: +Mathias L. Baumann +2017-01-30:07c06d79-0828-b564-d604-fd16c7c86ebe@sociomantic.com: + Milan Broz 2014-01-13:52D44CC6.4050707@gmail.com: diff --git a/ChangeLog b/ChangeLog index 555340b..620858d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,16 +1,9418 @@ -No more ChangeLog files -======================== +2017-08-27 Werner Koch -Do not modify any of the ChangeLog files in Libgcrypt. Starting on -December 1st, 2011 we put change information only in the GIT commit -log, and generate a top-level ChangeLog file from logs at "make dist" -time. As such, there are strict requirements on the form of the -commit log messages. See doc/HACKING for details. The old ChangeLog -files have all be renamed to ChangeLog-2011. + Release 1.8.1. + + commit 80fd8615048c3897b91a315cca22ab139b056ccd + * configure.ac: Set LT version to C22/A2/R1. +2017-08-27 NIIBE Yutaka + ecc: Add input validation for X25519. + + commit bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9 + * cipher/ecc.c (ecc_decrypt_raw): Add input validation. + * mpi/ec.c (ec_p_init): Use scratch buffer for bad points. + (_gcry_mpi_ec_bad_point): New. -Local Variables: -buffer-read-only: t -mode: text -End: +2017-08-07 Marcus Brinkmann + + cipher: Add OID for SHA384WithECDSA. + + commit a7bd2cbd3eabda88fb3cac5cbc13c21c97a7b315 + * cipher/sha512.c (oid_spec_sha384): Add SHA384WithECDSA. + +2017-08-02 Werner Koch + + tests: Fix a printf glitch for a Windows test. + + commit df1e221b3012e96bbffbc7d5fd70836a9ae1cc19 + * tests/t-convert.c (check_formats): Fix print format glitch on + Windows. + * tests/t-ed25519.c: Typo fix. + + tests: Add benchmarking option to tests/random. + + commit 21d0f068a721c022f955084c28304934fd198c5e + * tests/random.c: Always include unistd.h. + (prepend_srcdir): New. + (run_benchmark): New. + (main): Add options --benchmark and --with-seed-file. Print whetehr + JENT has been used. + * tests/t-common.h (split_fields_colon): New. Taken from GnuPG. + License of that code changed to LGPLv2.1. + + random: Add more bytes to the pool in addition to the seed file. + + commit eea36574f37830a6a80b4fad884825e815b2912f + * random/random-csprng.c (read_seed_file): Read 128 or 32 butes + depending on whether we have the Jitter RNG. + +2017-08-01 Jussi Kivilinna + + Add script to run basic tests with all supported HWF combinations. + + commit 94a92a3db909aef0ebcc009c2d7f5a2663e99004 + * tests/basic_all_hwfeature_combinations.sh: New. + * tests/Makefile.am: Add basic_all_hwfeature_combinations.sh. + +2017-07-29 Jussi Kivilinna + + Fix return value type for _gcry_md_extract. + + commit cf1528e7f2761774d06ace0de48f39c96b52dc4f + * src/gcrypt-int.h (_gcry_md_extract): Use gpg_err_code_t instead of + gpg_error_t for internal function return type. + + Fix building AArch32 CE implementations when target is ARMv6 arch. + + commit 4a7aa30ae9f3ce798dd886c2f2d4164c43027748 + * cipher/cipher-gcm-armv8-aarch32-ce.S: Select ARMv8 architecure. + * cipher/rijndael-armv8-aarch32-ce.S: Ditto. + * cipher/sha1-armv8-aarch32-ce.S: Ditto. + * cipher/sha256-armv8-aarch32-ce.S: Ditto. + * configure.ac (gcry_cv_gcc_inline_asm_aarch32_crypto): Ditto. + +2017-07-25 NIIBE Yutaka + + sexp: Add fall through annotation. + + commit b7cd44335d9cde43be6f693dca6399ed0762649c + * src/dumpsexp.c (parse_and_print): It's fall through. + +2017-07-24 Werner Koch + + random: Fix the command line munging for jitterbase. + + commit ac39522ab08fcd2483edc223334c6ab9d19e91f3 + * random/Makefile.am (o_flag_munging): Make the first sed term also + global. + +2017-07-19 NIIBE Yutaka + + Remove byte order mark. + + commit 1d8e4c2c3a7d0a4154caf5bd720a9a0b04179390 + * random/jitterentropy-base.c, random/jitterentropy.h: Remove + byte order mark. + +2017-07-18 Werner Koch + + Release 1.8.0. + + commit 850aca744eeda5fd410f478a0778e353045ac962 + + + mac: Add selftests for HMAC-SHA3-xxx. + + commit 95194c550443e8d5558856633f920daec8a975c4 + * cipher/hmac-tests.c (check_one): Add arg trunc and change all + callers to pass false. + (selftests_sha3): New. + (run_selftests): Call new selftests. + + api: New function gcry_mpi_point_copy. + + commit ecf73dafb7aafed0d0f339d07235b58c2113f94c + * src/gcrypt.h.in (gcry_mpi_point_copy): New. + (mpi_point_copy): New macro. + * src/visibility.c (gcry_mpi_point_copy): New. + * src/libgcrypt.def, src/libgcrypt.vers: Add function. + * mpi/ec.c (_gcry_mpi_point_copy): New. + * tests/t-mpi-point.c (set_get_point): Add test. + +2017-07-17 Werner Koch + + random: Minor fix for getting the rndjent version. + + commit 9d99c6b973caa7fdf93b53cf764066214f763803 + * random/rndjent.c (_gcry_rndjent_get_version): Always set R_ACTIVE. + * tests/version.c (test_get_config): Check number of fields for + rng-type. + +2017-07-07 NIIBE Yutaka + + mpi: Minor fix of mpi_pow. + + commit 61b0f52c1cc85bf8c3cac9aba40e28682e4e1b8b + * mpi/mpi-pow.c (_gcry_mpi_powm): Allocate size fix. + + mpi: Fix mpi_pow alternative implementation. + + commit 66ed4d53789892def7b237756d8a0ab28df9d222 + * mpi/mpi-pow.c + [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm): Use + mpi_set_cond. + + Fix mpi_pow alternative implementation. + + commit 619ebae9847831f43314a95cc3180f4b329b4d3b + * mpi/mpi-pow.c [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm): + Allocate size fix. + +2017-07-06 Werner Koch + + rsa: Use modern MPI allocation function. + + commit 208aba6f9a0475ba049f5a66fe02cf9a6214a887 + * cipher/rsa.c (secret_core_crt): Use modern function _gcry_mpi_snew. + +2017-07-05 Werner Koch + + build: Minor API fixes to fix build problems on AIX. + + commit 85a9a913da9ecc6b2cd6f743e90e49983251d706 + * src/gcrypt.h.in (gcry_error_from_errno): Fix return type. + * src/visibility.c (gcry_md_extract): Change return type to match the + prototype. + + tools: Add left shift to mpicalc. + + commit 0d30a4a9791d20c8881b5b12bd44611d9f4274cd + * src/mpicalc.c (do_lshift): New. + (main): Handle '<'. + +2017-07-04 NIIBE Yutaka + + mpi: Fix mpi_set_secure. + + commit 5feaf1cc8f22c1f8d19a34850d86fe190f1432e2 + * mpi/mpiutil.c (mpi_set_secure): Allocate by ->alloced. + +2017-06-29 NIIBE Yutaka + Werner Koch + + rsa: Add exponent blinding. + + commit 8725c99ffa41778f382ca97233183bcd687bb0ce + * cipher/rsa.c (secret_core_crt): Blind secret D with randomized + nonce R for mpi_powm computation. + +2017-06-28 NIIBE Yutaka + + Same computation for square and multiply. + + commit 78130828e9a140a9de4dafadbc844dbb64cb709a + * mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move + the assignment to base_u into the loop. Copy content refered by RP to + BASE_U except the last of the loop. + +2017-06-24 Werner Koch + + rsa: Minor refactoring. + + commit e6a3dc9900433bbc8ad362a595a3837318c28fa9 + * cipher/rsa.c (secret): Factor code out to ... + (secret_core_std, secret_core_crt): new functions. + +2017-06-23 Werner Koch + + random: Add missing dependency. + + commit d091610377b2c92cf385282b1adfc30fa6cd5c75 + * random/Makefile.am (EXTRA_librandom_la_SOURCES): Fix file name. + (rndjent.o, rndjent.lo): Depend on jitterentropy-base-user.h. + + random: Update jitterentropy to 2.1.0. + + commit 8dfae89ecd3e9ae0967586cb38d12ef9111fc7cd + * random/rndjent.c (jent_get_nstime, jent_zfree) + (jent_fips_enabled, jent_zalloc): Move functions and macros to ... + * random/jitterentropy-base-user.h: this file. That files was not + used before. + * random/Makefile.am (EXTRA_librandom_la_SOURCES): Add + jitterentropy-base-user. + * random/jitterentropy-base.c: Update to version 2.1.0. + * random/jitterentropy.h: Ditto. + +2017-06-21 Werner Koch + + api: New function gcry_get_config. + + commit 27148e60ba15b0cb73b47a75c688fcb48a1a3444 + * src/misc.c (_gcry_log_info_with_dummy_fp): Remove. + * src/global.c (print_config): New arg WHAT. Remove arg FNC and use + gpgrt_fprintf directly. + (_gcry_get_config): New. + (_gcry_vcontrol) : Use _gcry_get_config instead + of print_config. + * src/gcrypt.h.in (gcry_get_config): New. + * src/libgcrypt.def, src/libgcrypt.vers: Add new function. + * src/visibility.c (gcry_get_config): New. + * src/visibility.h: Mark new function. + + * tests/version.c (test_get_config): New. + (main): Call new test. + + random: Allow building rndjent on non-x86. + + commit c2319464b03e61aaf34ef6d5f4b59b0c0483a373 + * random/jitterentropy-base.c (jent_version): Uncomment function. + * random/rndjent.c: Include time.h + (JENT_USES_RDTSC): New. + (JENT_USES_GETTIME): New. + (JENT_USES_READ_REAL_TIME): New. + (jent_get_nstime): Support clock_gettime and AIX specific + function. Taken from Stephan Müller's code. + (is_rng_available): New. + (_gcry_rndjent_dump_stats): Use that function. + (_gcry_rndjent_poll): Use that fucntion. Allow an ADD of NULL for an + intialize only mode. + (_gcry_rndjent_get_version): New. + +2017-06-18 Jussi Kivilinna + + rijndael-padlock: change asm operands from read-only to read/write. + + commit 32b4ab209067f6f08b87b27bc78ec27dc497b708 + * cipher/rijndael-padlock.c (do_padlock): Change ESI/EDI/ECX to use + read/write operands as XCRYPT instruction modifies these registers. + +2017-06-16 Werner Koch + + random: Make rndjent.c NTG.1 compliant. + + commit 82bc052eda5b3897724c7ad11e54f8203e8e88e9 + * random/rndjent.c (_gcry_rndjent_poll): Hash the retrieved jitter. + + md: Optimize gcry_md_hash_buffers for SHA-256 and SHA-512. + + commit e6f90a392a1fd59b19b16f7a2bc7c439ae369d5f + * cipher/sha256.c (_gcry_sha256_hash_buffer): New. + (_gcry_sha256_hash_buffers): New. + * cipher/sha512.c (_gcry_sha512_hash_buffer): New. + (_gcry_sha512_hash_buffers): New. + * cipher/md.c (_gcry_md_hash_buffer): Optimize for SHA246 and SHA512. + (_gcry_md_hash_buffers): Ditto. + + random: Allow building rndjent.c with stats collecting enabled. + + commit ee3a74f5539cbc5182ce089994e37c16ce612149 + * random/rndjent.c: Change license to the one used by jitterentropy.h. + (jent_init_statistic): New. + (jent_bit_count): New. + (jent_statistic_copy_stat): new. + (jent_calc_statistic): New. + + New global config option "only-urandom". + + commit 8f6082e95f30c1ba68d2de23da90146f87f0c66c + * random/rand-internal.h (RANDOM_CONF_ONLY_URANDOM): New. + * random/random.c (_gcry_random_read_conf): Add option "only-urandom". + * random/rndlinux.c (_gcry_rndlinux_gather_random): Implement that + option. + * tests/keygen.c (main): Add option --no-quick for better manual + tests. + + Implement global config file /etc/gcrypt/random.conf. + + commit b05a4abc358b204dba343d9cfbd59fdc828c1686 + * src/hwfeatures.c (my_isascii): Move macro to ... + * src/g10lib.h: here. + * tests/random.c (main): Dump random stats. + * random/random.c (RANDOM_CONF_FILE): New. + (_gcry_random_read_conf): New. + (_gcry_random_dump_stats): Call rndjent stats. + * random/rndjent.c (jent_rng_totalcalls, jent_rng_totalbytes): New. + (_gcry_rndjent_poll): Take care of config option disable-jent. Wipe + buffer. Bump counters. + (_gcry_rndjent_dump_stats): New. + +2017-06-14 Werner Koch + + random: Add jitter RND based entropy collector. + + commit f5e7763ddca59dcd9ac9f2f4d50cb41b14a34a9e + * random/rndjent.c: New. + * random/rndlinux.c (_gcry_rndlinux_gather_random): Use rndjent. + * random/rndw32.c (_gcry_rndw32_gather_random): Use rndjent. + (slow_gatherer): Fix compiler warning. + * random/Makefile.am (librandom_la_SOURCES): Add rndjent.c + (EXTRA_librandom_la_SOURCES): Add jitterentropy-base.c and + jitterentropy.h. + (rndjent.o, rndjent.lo): New rules. + * configure.ac: New option --disbale-jent-support + (ENABLE_JENT_SUPPORT): New ac-define. + + cipher: New helper function rol64. + + commit 6c882fb1fdb6c7cba2215fa7391110d63e24b9dc + * cipher/bithelp.h (rol64): New inline functions. + + New hardware feature flag HWF_INTEL_RDTSC. + + commit 06f303a633ea2b992259688bef2b023c3f388f73 + * src/g10lib.h (HWF_INTEL_RDTSC): New. + * src/hwfeatures.c (hwflist): Add "intel-rdtsc". + * src/hwf-x86.c (detect_x86_gnuc): Get EDX features and test for TSC. + + random: Changes to original Jitter RNG implementation. + + commit a44c45675f8b631e11048a540bb1fbb7a022ebb4 + * random/jitterentropy-base.c: Change double underscore symbols and + make all functions static. + * random/jitterentropy.h: Likewise. + +2017-06-13 Stephan Mueller + + random: Add original Jitter RNG implementation. + + commit f0ae18ecf48fbe2da0b9fb3f354d0dd3173d91d3 + * random/jitterentropy-base-user.h: New. + * random/jitterentropy-base.c: New. + * random/jitterentropy.h: New. + +2017-06-08 Werner Koch + + build: Fix ChangeLog building for builds from other worktrees. + + commit cdfd7ea72a44657f037dd0dbba6e5ea0c2b344aa + * Makefile.am (gen-ChangeLog): Test for existance of ".git" regardless + on whether it is a file or directory. + +2017-06-02 NIIBE Yutaka + + secmem: Fix SEGV and stat calculation. + + commit e0958debe1a7db1bec1283115cdc6a14bf3b43e5 + * src/secmem (init_pool): Care about the header size. + (_gcry_secmem_malloc_internal): Likewise. + (_gcry_secmem_malloc_internal): Use mb->size for stats. + +2017-06-01 Jo Van Bulck + + ecc: Store EdDSA session key in secure memory. + + commit 5a22de904a0a366ae79f03ff1e13a1232a89e26b + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate + session key. + +2017-05-31 Werner Koch + + api: Deprecate gcry_md_info. + + commit 45c39340c9926c2c5801dbab7609687c41e9ff1f + + +2017-05-30 Werner Koch + + mpi: Distribute asm files for aarch64 and asm. + + commit c65f9558f12ffa2810538ef616e71b4052dacb81 + * mpi/aarch64/distfiles: New. + * mpi/arm/distfiles: New. + + mpi: Distribute asm definitions for amd64. + + commit 87e481137debabb7f989d7fa9b1c21c336e10c98 + * mpi/amd64/distfiles: Add mpi-asm-defs.h. + +2017-05-23 Werner Koch + + cipher: Fix compiler warnings. + + commit d764c9894013727ff82eb194da6030209c273528 + * cipher/poly1305.c (poly1305_default_ops): Move to the top. Add + prototypes and compile only if USE_SSE2 is not defined. + (poly1305_init_ext_ref32): Compile only if USE_SSE2 is not defined. + (poly1305_blocks_ref32): Ditto. + (poly1305_finish_ext_ref32): Ditto. + + doc: Comment fixes. + + commit c1bb3d9fdb6fe5f336af1d5a03fc42bfdc1f8b0b + + +2017-05-18 Jussi Kivilinna + + rijndael-ssse3: fix functions calls from assembly blocks. + + commit 4cd94994a9abec9b92fa5972869baf089a28fa76 + * cipher/rijndael-ssse3-amd64.c (PUSH_STACK_PTR, POP_STACK_PTR): New. + (vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec) + (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption) + (do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Use PUSH_STACK_PTR and + POP_STACK_PTR. + + chacha20-armv7-neon: fix to use fast code path when memory is aligned. + + commit 68861ae5d3e007d7a39f14ea27dc3dd8ef13ba02 + * cipher/chacha20-armv7-neon.S (UNALIGNED_LDMIA4): Uncomment + instruction for jump to aligned code path. + + Move data in AMD64 assembly to text section. + + commit 1a094bc5b2aa730833faf593a931d4e5d7f9ab4d + * cipher/camellia-aesni-avx-amd64.S: Move data to .text section to + ensure that RIP relative addressing of data will work. + * cipher/camellia-aesni-avx2-amd64.S: Ditto. + * cipher/chacha20-avx2-amd64.S: Ditto. + * cipher/chacha20-ssse3-amd64.S: Ditto. + * cipher/des-amd64.S: Ditto. + * cipher/serpent-avx2-amd64.S: Ditto. + * cipher/sha1-avx-amd64.S: Ditto. + * cipher/sha1-avx-bmi2-amd64.S: Ditto. + * cipher/sha1-ssse3-amd64.S: Ditto. + * cipher/sha256-avx-amd64.S: Ditto. + * cipher/sha256-avx2-bmi2-amd64.S: Ditto. + * cipher/sha256-ssse3-amd64.S: Ditto. + * cipher/sha512-avx-amd64.S: Ditto. + * cipher/sha512-avx2-bmi2-amd64.S: Ditto. + * cipher/sha512-ssse3-amd64.S: Ditto. + + cast5-amd64: use 64-bit relocation with large PIC memory model. + + commit ff02fca39c83bcf30c79368611ac65e273e77f6c + * cipher/cast5-amd64.S [__code_model_large__] + (GET_EXTERN_POINTER): New. + +2017-05-13 Jussi Kivilinna + + Fix building with x86-64 medium and large memory models. + + commit 434d4f2af39033fc626044ba9a060da298522293 + * cipher/cast5-amd64.S [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] + (GET_EXTERN_POINTER): Load 64-bit address instead of 32-bit. + * cipher/rijndael.c (do_encrypt, do_decrypt) + [USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Load + table pointer through register instead of generic reference. + +2017-04-04 NIIBE Yutaka + + mpi: Simplify mpi_powm. + + commit 719468e53133d3bdf12156c5bfdea2bf15f9f6f1 + * mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop. + +2017-03-08 Justus Winter + + build: Use macOS' compatibility macros to enable all features. + + commit 654024081cfa103c87bb163b117ea3568171d408 + * configure.ac: On macOS, use the compatibility macros to expose every + feature of the libc. This is the equivalent of _GNU_SOURCE on GNU + libc. + +2017-02-27 Jussi Kivilinna + + Add BLAKE2b and BLAKE2s hash algorithms (RFC 7693) + + commit 5bd530b8a4624f101b8d42e68f1b28bcc13f4f76 + * cipher/blake2.c: New. + * cipher/Makefile.am: Add 'blake2.c'. + * cipher/md.c (digest_list, prepare_macpads): Add BLAKE2. + (md_setkey): New. + (_gcry_md_setkey): Call 'md_setkey' for non-HMAC md. + * configure.ac: Add BLAKE2 digest. + * doc/gcrypt.texi: Add BLAKE2. + * src/cipher.h (_gcry_blake2_init_with_key) + (_gcry_digest_spec_blake2b_512, _gcry_digest_spec_blake2b_384) + (_gcry_digest_spec_blake2b_256, _gcry_digest_spec_blake2b_160) + (_gcry_digest_spec_blake2s_256, _gcry_digest_spec_blake2s_224) + (_gcry_digest_spec_blake2s_160, _gcry_digest_spec_blake2s_128): New. + * src/gcrypt.h.in (GCRY_MD_BLAKE2B_512, GCRY_MD_BLAKE2B_384) + (GCRY_MD_BLAKE2B_256, GCRY_MD_BLAKE2B_160, GCRY_MD_BLAKE2S_256) + (GCRY_MD_BLAKE2S_224, GCRY_MD_BLAKE2S_160, GCRY_MD_BLAKE2S_128): New. + * tests/basic.c (check_one_md): Add testing for keyed hashes. + (check_digests): Add BLAKE2 test vectors; Add testing for keyed hashes. + * tests/blake2b.h: New. + * tests/blake2s.h: New. + * tests/Makefile.am: Add 'blake2b.h' and 'blake2s.h'. + + Fix building with clang on ARM64/FreeBSD. + + commit da213db2c6cda6f57e5853e8c591d69bfa1cfa74 + * cipher/cipher-gcm-armv8-aarch64-ce.S: Use '.cpu generic+simd+crypto' + instead of '.arch armv8-a+crypto'. + * cipher/rijndael-armv8-aarch64-ce.S: Ditto. + * cipher/sha1-armv8-aarch64-ce.S: Ditto. + * cipher/sha256-armv8-aarch64-ce.S: Ditto. + * configure.ac (gcry_cv_gcc_inline_asm_aarch64_neon): Ditto. + (gcry_cv_gcc_inline_asm_aarch64_crypto): Ditto; and include NEON + instructions to crypto instructions check. + +2017-02-07 Justus Winter + + Fix building with a pre C99 compiler. + + commit 75d91ffeaf83098ade325bb3b6b2c8a76eb1f6a6 + * cipher/cipher-cfb.c (_gcry_cipher_cfb8_encrypt): Move the + declaration of 'i' out of the loop. + (_gcry_cipher_cfb8_decrypt): Likewise. + +2017-02-04 Mathias L. Baumann + + Implement CFB with 8-bit mode. + + commit d1ee9a660571ce4a998c9ab2299d4f2419f99127 + * cipher/cipher-cfb.c (_gcry_cipher_cfb8_encrypt) + (_gcry_cipher_cfg8_decrypt): Add 8-bit variants of decrypt/encrypt + functions. + * cipher/cipher-internal.h (_gcry_cipher_cfb8_encrypt) + (_gcry_cipher_cfg8_decrypt): Ditto. + * cipher/cipher.c: Adjust code flow to work with GCRY_CIPHER_MODE_CFB8. + * tests/basic.c: Add tests for cfb8 with AES and 3DES. + +2017-02-04 Jussi Kivilinna + + rndhw: add missing "memory" clobbers. + + commit c67c728478e8f47b6e8296b643fd35d66d4a1052 + * random/rndhw.c: (poll_padlock, rdrand_long): Add "memory" to asm + clobbers. + + Add UNLIKELY and LIKELY macros. + + commit 4b7451d3e8e7b87d8e407fbbd924ad5b13bd0f00 + * src/g10lib.h (LIKELY, UNLIKELY): New. + (gcry_assert): Use LIKELY for assert check. + (fast_wipememory2_unaligned_head): Use UNLIKELY for unaligned + branching. + * cipher/bufhelp.h (buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst) + (buf_xor_n_copy_2): Ditto. + + rndhw: avoid type-punching. + + commit 37b537600f33fcf8e1c8dc2c658a142fbba44199 + * random/rndhw.c (rdrand_long, rdrand_nlong): Add 'volatile' for + pointer. + (poll_drng): Convert buffer to 'unsigned long[]' and make use of DIM + macro. + +2017-01-28 Jussi Kivilinna + + hwf-x86: avoid type-punching. + + commit 1407317a6112a23d4fec5827a9d74faef4196f66 + * src/hwf-x86.c (detect_x86_gnuc): Use union for vendor_id. + + cipher: add explicit blocksize checks to allow better optimization. + + commit efa9042f82ffed3d076b8e26ac62d29e00bb756a + * cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt) + (_gcry_cipher_cbc_decrypt): Add explicit check for cipher blocksize of + 64-bit or 128-bit. + * cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt) + (_gcry_cipher_cfb_decrypt): Ditto. + * cipher/cipher-cmac.c (cmac_write, cmac_generate_subkeys) + (cmac_final): Ditto. + * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto. + * cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt): Ditto. + + bufhelp: use unaligned dword and qword types for endianess helpers. + + commit e7b941c3de9c9b6319298c02f844cc0cadbf8562 + * cipher/bufhelp.h (BUFHELP_UNALIGNED_ACCESS): New, defined + if attributes 'packed', 'aligned' and 'may_alias' are supported. + (BUFHELP_FAST_UNALIGNED_ACCESS): Define if have + BUFHELP_UNALIGNED_ACCESS. + + rijndael-aesni: fix u128_t strict-aliasing rule breaking. + + commit 92b4a29d2453712192ced2d7226abc49679dcb1e + * cipher/rijndael-aesni.c (u128_t): Add attributes to tell GCC and clang + that casting from 'char *' to 'u128_t *' is ok. + + cipher-xts: fix pointer casting to wrong alignment and aliasing. + + commit 4f31d816dcc1e95dc647651e92acbdfed53f5c14 + * cipher/cipher-xts.c (xts_gfmul_byA, xts_inc128): Use buf_get_le64 + and buf_put_le64 for accessing data; Change parameter pointers to + 'unsigned char *' type. + (_gcry_cipher_xts_crypt): Do not cast buffer pointers to 'u64 *' + for helper functions. + + crc-intel-pclmul: fix undefined behavior with unaligned access. + + commit 55cf1b5588705cab5f45e2817c4aa1d204dc0042 + * cipher/crc-intel-pclmul.c (u16_unaligned_s): New. + (crc32_reflected_less_than_16, crc32_less_than_16): Use + 'u16_unaligned_s' for unaligned memory access. + + configure.ac: fix attribute checks. + + commit b29b1b9f576f501d4b993be0a751567045274a1a + * configure.ac: Add -Werror flag for attribute checks. + + configure.ac: fix may_alias attribute check. + + commit 136c8416ea540dd126be3997d94d7063b3aaf577 + * configure.ac: Test may_alias attribute on type, not on variable. + + bufhelp: add 'may_alias' attribute for properly aligned 'bufhelp_int_t' + + commit d1ae52a0e23308f33b78cffeba56005b687f23c0 + * cipher/bufhelp.h [!BUFHELP_FAST_UNALIGNED_ACCESS] + (bufhelp_int_t): Add 'may_alias' attribute. + +2017-01-27 Werner Koch + + w32: New envvar GCRYPT_RNDW32_DBG. + + commit a351fbde8548ce3f57298c618426f043844fbc78 + * random/rndw32.c (_gcry_rndw32_gather_random): Use getenv to set + DEBUG_ME. + +2017-01-23 Jussi Kivilinna + + rijndael-ssse3-amd64: fix building on x32. + + commit 39b9302da5d08bd52688d20befe626fee0b6c41d + * cipher/rijndael-ssse3-amd64.c: Use 64-bit call instructions + with 64-bit registers. + + bufhelp: use 'may_alias' attribute unaligned pointer types. + + commit bf9e0b79e620ca2324224893b07522462b125412 + * configure.ac (gcry_cv_gcc_attribute_may_alias) + (HAVE_GCC_ATTRIBUTE_MAY_ALIAS): New check for 'may_alias' attribute. + * cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only if + HAVE_GCC_ATTRIBUTE_MAY_ALIAS is defined. + [BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_int_t, bufhelp_u32_t) + (bufhelp_u64_t): Add 'may_alias' attribute. + * src/g10lib.h (fast_wipememory_t): Add HAVE_GCC_ATTRIBUTE_MAY_ALIAS + defined check; Add 'may_alias' attribute. + +2017-01-18 Werner Koch + + random: Call getrandom before select and emitting a progress callback. + + commit 623aab8a940ea61afe3fef650ad485a755ed9fe7 + * random/rndlinux.c (_gcry_rndlinux_gather_random): Move the getrandom + call before the select. + +2017-01-06 Jussi Kivilinna + + mpi: amd64: fix too large jump alignment in mpih-rshift. + + commit ddcfe31e2425e88b280e7cdaf3f0eaaad8ccc023 + * mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Use 16-byte alignment + with 'ALIGN(4)' instead of 256-byte. + + rijndael-ssse3: move assembly functions to separate source-file. + + commit 54c57bc49edb5c00e9ed8103cc4837bb72c5e863 + * cipher/Makefile.am: Add 'rinjdael-ssse3-amd64-asm.S'. + * cipher/rinjdael-ssse3-amd64-asm.S: Moved assembly functions + here ... + * cipher/rinjdael-ssse3-amd64.c: ... from this file. + (_gcry_aes_ssse3_enc_preload, _gcry_aes_ssse3_dec_preload) + (_gcry_aes_ssse3_shedule_core, _gcry_aes_ssse3_encrypt_core) + (_gcry_aes_ssse3_decrypt_core): New. + (vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec) + (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption) + (do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Update to use external + assembly functions; remove 'aes_const_ptr' variable usage. + (_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_decrypt) + (_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc) + (_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec) + (_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec) + (_gcry_aes_ssse3_ocb_auth): Remove 'aes_const_ptr' variable usage. + * configure.ac: Add 'rinjdael-ssse3-amd64-asm.lo'. + + Add AVX2/vpgather bulk implementation of Twofish. + + commit c59a8ce51ceb9a80169c44ef86a67e95cf8528c3 + * cipher/Makefile.am: Add 'twofish-avx2-amd64.S'. + * cipher/twofish-avx2-amd64.S: New. + * cipher/twofish.c (USE_AVX2): New. + (TWOFISH_context) [USE_AVX2]: Add 'use_avx2' member. + (ASM_FUNC_ABI): New. + (twofish_setkey): Add check for AVX2 and fast VPGATHER HW features. + (_gcry_twofish_avx2_ctr_enc, _gcry_twofish_avx2_cbc_dec) + (_gcry_twofish_avx2_cfb_dec, _gcry_twofish_avx2_ocb_enc) + (_gcry_twofish_avx2_ocb_dec, _gcry_twofish_avx2_ocb_auth): New. + (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec, _gcry_twofish_cfb_dec) + (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Add AVX2 bulk + handling. + (selftest_ctr, selftest_cbc, selftest_cfb): Increase nblocks from + 3+X to 16+X. + * configure.ac: Add 'twofish-avx2-amd64.lo'. + * src/g10lib.h (HWF_INTEL_FAST_VPGATHER): New. + * src/hwf-x86.c (detect_x86_gnuc): Add detection for + HWF_INTEL_FAST_VPGATHER. + * src/hwfeatures.c (HWF_INTEL_FAST_VPGATHER): Add + "intel-fast-vpgather" for HWF_INTEL_FAST_VPGATHER. + + Add XTS cipher mode. + + commit 232a129b1f915fc54881506e4b07c89cf84932e6 + * cipher/Makefile.am: Add 'cipher-xts.c'. + * cipher/cipher-internal.h (gcry_cipher_handle): Add 'bulk.xts_crypt' + and 'u_mode.xts' members. + (_gcry_cipher_xts_crypt): New prototype. + * cipher/cipher-xts.c: New. + * cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey) + (cipher_reset, cipher_encrypt, cipher_decrypt): Add XTS mode handling. + * doc/gcrypt.texi: Add XTS mode to documentation. + * src/gcrypt.h.in (GCRY_CIPHER_MODE_XTS, GCRY_XTS_BLOCK_LEN): New. + * tests/basic.c (do_check_xts_cipher, check_xts_cipher): New. + (check_bulk_cipher_modes): Add XTS test-vectors. + (check_one_cipher_core, check_one_cipher, check_ciphers): Add XTS + testing support. + (check_cipher_modes): Add XTS test. + * tests/bench-slope.c (bench_xts_encrypt_init) + (bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench) + (xts_encrypt_ops, xts_decrypt_ops): New. + (cipher_modes, cipher_bench_one): Add XTS. + * tests/benchmark.c (cipher_bench): Add XTS testing. + +2017-01-04 Jussi Kivilinna + + rijndael-ssse3: fix counter operand from read-only to read/write. + + commit aada604594fd42224d366d3cb98f67fd3b989cd6 + * cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_ctr_enc): Change + 'ctrlow' operand from read-only to read-write. + +2017-01-03 Werner Koch + + Extend GCRYCTL_PRINT_CONFIG to print compiler version. + + commit 98b49695b1ffe3c406ae39a45051b8594f903b9d + * src/global.c (print_config): Print version of libgpg-error and used + compiler. + + tests: Add option --disable-hwf to the version utility. + + commit 3582641469f1c74078f0d758c4d5458cc0ee5649 + * src/hwfeatures.c (_gcry_disable_hw_feature): Rewrite to allow + passing a colon delimited feature set. + (parse_hwf_deny_file): Remove unused var I. + * tests/version.c (main): Add options --verbose and --disable-hwf. + +2016-12-15 Werner Koch + Nicolas Porcel + + Fix regression in broken mlock detection. + + commit 0a90f87799903a3fb97189ef7cba19e7b3534e1c + * acinclude.m4 (GNUPG_CHECK_MLOCK): Fix typo EGAIN->EAGAIN. + +2016-12-10 Jussi Kivilinna + + hwfeatures: add 'all' for disabling all hardware features. + + commit c83d0d2a26059cf471d09f5cb8e7fc5d76c4907b + * .gitignore: Add 'tests/basic-disable-all-hwf'. + * configure.ac: Ditto. + * tests/Makefile.am: Ditto. + * src/hwfeatures.c (_gcry_disable_hw_feature): Match 'all' for + masking all HW features off. + (parse_hwf_deny_file): Use '_gcry_disable_hw_feature' for matching. + * tests/basic-disable-all-hwf.in: New. + + tests/hashtest-256g: add missing executable extension for Win32. + + commit 2b7b227b8a0bd5ff286258bc187782efac180a7e + * tests/hashtest-256g.in: Add @EXEEXT@. + + OCB ARM CE: Move ocb_get_l handling to assembly part. + + commit 5c418e597f0f20a546d953161695e6caf1f57689 + * cipher/rijndael-armv8-aarch32-ce.S: Add OCB 'L_{ntz(i)}' calculation. + * cipher/rijndael-armv8-aarch64-ce.S: Ditto. + * cipher/rijndael-armv8-ce.c (_gcry_aes_ocb_enc_armv8_ce) + (_gcry_aes_ocb_dec_armv8_ce, _gcry_aes_ocb_auth_armv8_ce) + (ocb_cryt_fn_t): Updated arguments. + (_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_ocb_auth): Remove + 'ocb_get_l' handling and splitting input to 32 block chunks, instead + pass full buffers to assembly. + + OCB: Move large L handling from bottom to upper level. + + commit 2d2e5286d53e1f62fe040dff4c6e01961f00afe2 + * cipher/cipher-ocb.c (_gcry_cipher_ocb_get_l): Remove. + (ocb_get_L_big): New. + (_gcry_cipher_ocb_authenticate): L-big handling done in upper + processing loop, so that lower level never sees the case where + 'aad_nblocks % 65536 == 0'; Add missing stack burn. + (ocb_aad_finalize): Add missing stack burn. + (ocb_crypt): L-big handling done in upper processing loop, so that + lower level never sees the case where 'data_nblocks % 65536 == 0'. + * cipher/cipher-internal.h (_gcry_cipher_ocb_get_l): Remove. + (ocb_get_l): Remove 'l_tmp' usage and simplify since input + is more limited now, 'N is not multiple of 65536'. + * cipher/rijndael-aesni.c (get_l): Remove. + (aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Remove + l_tmp; Use 'ocb_get_l'. + * cipher/rijndael-ssse3-amd64.c (get_l): Remove. + (ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_auth): Remove + l_tmp; Use 'ocb_get_l'. + * cipher/camellia-glue.c: Remove OCB l_tmp usage. + * cipher/rijndael-armv8-ce.c: Ditto. + * cipher/rijndael.c: Ditto. + * cipher/serpent.c: Ditto. + * cipher/twofish.c: Ditto. + + OCB: remove 'int64_t' usage. + + commit 161d339f48c03be7fd0f4249d730f7f1767ef8e4 + * cipher/cipher-ocb.c (double_block): Use alternative way to generate + sign-bit mask, without 'int64_t'. + + random-drbg: use bufhelp function for big-endian store. + + commit 0b03b658bebc69a84d87ef13f9b60a27b0c42305 + * random/random-drbg.c (drbg_cpu_to_be32): Remove. + (drbg_ctr_df, drbg_hash_df): Use 'buf_put_be32' instead of + 'drbg_cpu_to_be32'. + +2016-12-09 Werner Koch + + Improve handling of mlock error codes. + + commit 618b8978f46f4011c11512fd5f30c15e01652e2e + * acinclude.m4 (GNUPG_CHECK_MLOCK): Check also for EAGAIN which is a + legitimate return code and does not indicate a broken mlock(). + * src/secmem.c (lock_pool_pages): Test ERR instead of ERRNO which + could have been overwritten by cap_from+text et al. + +2016-12-08 Stephan Mueller + + random: Eliminate unneeded memcpy invocations in the DRBG. + + commit 656395ba4cf34f42dda3a120bda3ed1220755a3d + * random/random-drbg.c (drbg_hash): Remove arg 'outval' and return a + pointer instead. + (drbg_instantiate): Reduce size of scratchpad. + (drbg_hmac_update): Avoid use of scratch buffers for the hash. + (drbg_hmac_generate, drbg_hash_df): Ditto. + (drbg_hash_process_addtl): Ditto. + (drbg_hash_hashgen): Ditto. + (drbg_hash_generate): Ditto. + + random: Add performance improvements for the DRBG. + + commit 20886fdcb841b0bf89bb1d44303d42f1804e38cb + * random/random-drbg.c (struct drbg_state_ops_s): New function + pointers 'crypto_init' and 'crypto-fini'. + (struct drbg_state_s): New fields 'priv_data', 'ctr_handle', and + 'ctr_null'. + (drbg_hash_init, drbg_hash_fini): New. + (drbg_hmac_init, drbg_hmac_setkey): New. + (drbg_sym_fini, drbg_sym_init, drbg_sym_setkey): New. + (drbg_sym_ctr): New. + (drbg_ctr_bcc): Set the key. + (drbg_ctr_df): Ditto. + (drbg_hmac_update): Ditto. + (drbg_hmac_generate): Replace drgb_hmac by drbg_hash. + (drbg_hash_df): Ditto. + (drbg_hash_process_addtl): Ditto. + (drbg_hash_hashgen): Ditto. + (drbg_ctr_update): Rework. + (drbg_ctr_generate): Rework. + (drbg_ctr_ops): Init new functions pointers. + (drbg_uninstantiate): Call fini function. + (drbg_instantiate): Call init function. + + cipher: New function for reading the counter in CTR mode. + + commit 227099f179df9dcf083d0ef6be9883c775df0874 + * cipher/cipher.c (gcry_cipher_getctr): New. + +2016-12-07 Werner Koch + + Document the overflow pools and add a stupid test case. + + commit 95bac312644ad45e486c94c2efd25d0748b9a20b + * tests/t-secmem.c (test_secmem_overflow): New func. + (main): Disable warning and call new function. + + Implement overflow secmem pools for xmalloc style allocators. + + commit b6870cf25c0b1eb9c127a94af8326c446421a472 + * src/secmem.c (pooldesc_s): Add fields next, cur_alloced, and + cur_blocks. + (cur_alloced, cur_blocks): Remove vars. + (ptr_into_pool_p): Make it inline. + (stats_update): Add arg pool and update the new pool specific + counters. + (_gcry_secmem_malloc_internal): Add arg xhint and allocate overflow + pools as needed. + (_gcry_secmem_malloc): Pass XHINTS along. + (_gcry_secmem_realloc_internal): Ditto. + (_gcry_secmem_realloc): Ditto. + (_gcry_secmem_free_internal): Take multiple pools in account. Add + return value to indicate whether the arg was freed. + (_gcry_secmem_free): Add return value to indicate whether the arg was + freed. + (_gcry_private_is_secure): Take multiple pools in account. + (_gcry_secmem_term): Release all pools. + (_gcry_secmem_dump_stats): Print stats for all pools. + * src/stdmem.c (_gcry_private_free): Replace _gcry_private_is_secure + test with a direct call of _gcry_secmem_free to avoid double checking. + + Give the secmem allocators a hint when a xmalloc calls them. + + commit b7df907dca4d525f8930c533b763ffce44ceed87 + * src/secmem.c (_gcry_secmem_malloc): New not yet used arg XHINT. + (_gcry_secmem_realloc): Ditto. + * src/stdmem.c (_gcry_private_malloc_secure): New arg XHINT to be + passed to the secmem functions. + (_gcry_private_realloc): Ditto. + * src/g10lib.h (GCRY_ALLOC_FLAG_XHINT): New. + * src/global.c (do_malloc): Pass this flag as XHINT to the private + allocator. + (_gcry_malloc_secure): Factor code out to ... + (_gcry_malloc_secure_core): this. Add arg XHINT. + (_gcry_realloc): Factor code out to ... + (_gcry_realloc_core): here. Add arg XHINT. + (_gcry_strdup): Factor code out to ... + (_gcry_strdup_core): here. Add arg XHINT. + (_gcry_xrealloc): Use the core function and pass true for XHINT. + (_gcry_xmalloc_secure): Ditto. + (_gcry_xstrdup): Ditto. + + tests: New test t-secmem. + + commit e366c19b34922c770af82cd035fd815680b29dee + * src/secmem.c (_gcry_secmem_dump_stats): Add arg EXTENDED and adjust + caller. + * src/gcrypt-testapi.h (PRIV_CTL_DUMP_SECMEM_STATS): New. + * src/global.c (_gcry_vcontrol): Implement that. + * tests/t-secmem.c: New. + * tests/Makefile.am (tests_bin): Add that test. + +2016-12-06 Werner Koch + + Fix compiler warning about possible-NULL-dreference. + + commit 995ce697308320c6a52a307f83dc49eeb8d784b4 + * src/mpi.h (mpi_is_const, mpi_is_immutable): Do check arg before + deref-ing. The are only used at places where the arg shall not be NULL. + + Fix possible NULL-deref in gcry_log_debugsxp. + + commit 984a97f0750f812f0ad3c343ee6a67560953a504 + * src/misc.c (_gcry_log_printsxp): Prevent passing NULL to strlen. + + Reorganize code in secmem.c. + + commit 603f479a919311f720a05da738150c2192d5e562 + * src/secmem.c (pooldesc_t): New type to collect information about one + pool. + (pool_size): Remove. Now a member of pooldesc_t. + (pool_okay): Ditto. + (pool_is_mmapped): Ditto. + (pool): Rename variable ... + (mainpool): And change type to pooldesc_t. + (ptr_into_pool_p): Add arg 'pool'. + (mb_get_next): Ditto. + (mb_get_prev): Ditto. + (mb_merge): Ditto. + (mb_get_new): Ditto. + (init_pool): Ditto. + (lock_pool): Rename to ... + (look_pool_pages: this. + (secmem_init): Rename to ... + (_gcry_secmem_init_internal): this. Add local var POOL and init with + address of MAINPOOL. + (_gcry_secmem_malloc_internal): Add local var POOL and init with + address of MAINPOOL. + (_gcry_private_is_secure): Ditto. + (_gcry_secmem_term): Ditto. + (_gcry_secmem_dump_stats): Ditto. + (_gcry_secmem_free_internal): Ditto. Remove check for NULL arg. + (_gcry_secmem_free): Add check for NULL arg before taking the lock. + (_gcry_secmem_realloc): Factor most code out to ... + (_gcry_secmem_realloc_internal): this. + +2016-11-28 Dmitry Eremin-Solenikov + + tests: Add PBKDF2 tests for Stribog512. + + commit a0580d446fef648a177ca4ab060d0e449780db84 + * tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's + additions to PKCS#5. + + tests: Add Stribog HMAC tests from TC26ALG. + + commit fe6077e6ee8565bfcc91bad14a73e68f45b3c32b + * tests/basic.c (check_mac): add HMAC test vectors from TC26ALG document + for Stribog. + + cipher: Add Stribog OIDs from TC26 space. + + commit ccffacaf6c3abe6120a0898db922981d28ab7af2 + * cipher/stribog.c (oid_spec_stribog256, oid_spec_stribog512): New. + +2016-11-25 Justus Winter + + tests: Fix memory leak. + + commit 5530a8234d703ce9b685f78fb6e951136eb0aeb2 + * tests/basic.c (check_gost28147_cipher): Free cipher handles. + +2016-11-25 Dmitry Eremin-Solenikov + + Cast oid argument of gcry_cipher_set_sbox to disable compiler warning. + + commit 1a67e3195896704f8b3ba09e3db1214bab834491 + * src/gcrypt.h.in (gcry_cipher_set_sbox): Cast oid to (void *). + + gost: Rename tc26 s-box from A to Z. + + commit dc8ceb8d2dfef949f3afa14fc75f9de8cd07c7ad + * cipher/gost-s-box.c (gost_sboxes): Rename TC26_A to TC26_Z as it is + the name that ended up in all standards. + + tests: Add test to verify GOST 28147-89 against known results. + + commit 4f5c26c73c66daf2e4aff966e43c22b2db7e0138 + * tests/basic.c (check_gost28147_cipher): new test function. + +2016-11-17 Dmitry Eremin-Solenikov + + cipher/gost28147: Fix CryptoPro-B S-BOX. + + commit 5ca63c92825453fdb369a97bbc19cb95b49b4296 + * cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in + incorrect encryption/decryption using that s-box. Add missing data. + +2016-11-12 Werner Koch + + Put blocking calls into Libgpg-error's system call clamp. + + commit b829dfe9f0eeff08c956ba3f3a6b559b9d2199dd + * src/gcrypt.h.in (GCRYCTL_REINIT_SYSCALL_CLAMP): New. + * configure.ac: Require Libgpg-error 1.25. Set version number to + 1.8.0. + * src/gcrypt-int.h: Remove error code emulation. + * src/global.c (pre_syscall_func, post_syscall_func): New. + (global_init): Call gpgrt_get_syscall_clamp. + (_gcry_vcontrol) : Ditto. + (_gcry_pre_syscall, _gcry_post_syscall): New. + * random/rndlinux.c (_gcry_rndlinux_gather_random): Use the new + functions. + +2016-11-01 NIIBE Yutaka + + cipher: Fix IDEA cipher for clearing memory. + + commit bf6d5b10cb4173826f47ac080506b68bb001acb2 + * cipher/idea.c (invert_key): Use wipememory, since this kind of memset + may be removed by compiler optimization. + +2016-10-09 Jussi Kivilinna + + GCM: Add bulk processing for ARMv8/AArch64 implementation. + + commit bfd732f53a9b5dfe14217a68a0fa289bf6913ec0 + * cipher/cipher-gcm-armv8-aarch64-ce.S: Add 6 blocks bulk processing. + + GCM: Add bulk processing for ARMv8/AArch32 implementation. + + commit 27747921cb1dfced83c5666cd1c474764724c52b + * cipher/cipher-gcm-armv8-aarch32-ce.S: Add 4 blocks bulk processing. + * tests/basic.c (check_digests): Print correct data length for "?" + tests. + (check_one_mac): Add large 1000000 bytes tests, when input is "!" or + "?". + (check_mac): Add "?" tests vectors for HMAC, CMAC, GMAC and POLY1305. + +2016-09-11 Jussi Kivilinna + + Add Aarch64 assembly implementation of Twofish. + + commit 5418d9ca4c0e087fd6872ad350a996fe74880d86 + * cipher/Makefile.am: Add 'twofish-aarch64.S'. + * cipher/twofish-aarch64.S: New. + * cipher/twofish.c: Enable USE_ARM_ASM if __AARCH64EL__ and + HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined. + * configure.ac [host=aarch64]: Add 'twofish-aarch64.lo'. + +2016-09-05 Jussi Kivilinna + + Add Aarch64 assembly implementation of Camellia. + + commit de73a2e7237ba7c34ce48bb5fb671aa3993de832 + * cipher/Makefile.am: Add 'camellia-aarch64.S'. + * cipher/camellia-aarch64.S: New. + * cipher/camellia-glue.c [USE_ARM_ASM][__aarch64__]: Set stack burn + size to zero. + * cipher/camellia.h: Enable USE_ARM_ASM if __AARCH64EL__ and + HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined. + * configure.ac [host=aarch64]: Add 'rijndael-aarch64.lo'. + + Add ARMv8/AArch64 Crypto Extension implementation of AES. + + commit 4cd8d40d698564d24ece2af24546e34c58bf2961 + * cipher/Makefile.am: Add 'rijndael-armv-aarch64-ce.S'. + * cipher/rijndael-armv8-aarch64-ce.S: New. + * cipher/rijndael-internal.h (USE_ARM_CE): Enable for ARMv8/AArch64. + * configure.ac: Add 'rijndael-armv-aarch64-ce.lo' and + 'rijndael-armv8-ce.lo' for ARMv8/AArch64. + + Add ARMv8/AArch64 Crypto Extension implementation of GCM. + + commit 0b332c1aef03a735c1fb0df184f74d523deb2f98 + * cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch64-ce.S'. + * cipher/cipher-gcm-armv8-aarch64-ce.S: New. + * cipher/cipher-internal.h (GCM_USE_ARM_PMULL): Enable on + ARMv8/AArch64. + + Add ARMv8/AArch64 Crypto Extension implementation of SHA-256. + + commit 2d4bbc0ad62c54bbdef77799f9db82d344b7219e + * cipher/Makefile.am: Add 'sha256-armv8-aarch64-ce.S'. + * cipher/sha256-armv8-aarch64-ce.S: New. + * cipher/sha256-armv8-aarch32-ce.S: Move round macros to correct + section. + * cipher/sha256.c (USE_ARM_CE): Enable on ARMv8/AArch64. + * configure.ac: Add 'sha256-armv8-aarch64-ce.lo'; Swap places for + 'sha512-arm.lo' and 'sha256-armv8-aarch32-ce.lo'. + + Add ARMv8/AArch64 Crypto Extension implementation of SHA-1. + + commit e4eb03f56683317c908cb55be727832810dc8c72 + * cipher/Makefile.am: Add 'sha1-armv8-aarch64-ce.S'. + * cipher/sha1-armv8-aarch64-ce.S: New. + * cipher/sha1.c (USE_ARM_CE): Enable on ARMv8/AArch64. + * configure.ac: Add 'sha1-armv8-aarch64-ce.lo'. + +2016-09-04 Jussi Kivilinna + + Add AArch64 assembly implementation of AES. + + commit 595251ad37bf1968261d7e781752513f67525803 + * cipher/Makefile.am: Add 'rijndael-aarch64.S'. + * cipher/rijndael-aarch64.S: New. + * cipher/rijndael-internal.h: Enable USE_ARM_ASM if __AARCH64EL__ and + HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined. + * configure.ac (gcry_cv_gcc_aarch64_platform_as_ok): New check. + [host=aarch64]: Add 'rijndael-aarch64.lo'. + +2016-08-17 Werner Koch + + Release 1.7.3. + + commit f8241874971478bdcd2bc2082d901d05db7b256d + * configure.ac: Set LT version to C21/A1/R3. + + random: Hash continuous areas in the csprng pool. + + commit 8dd45ad957b54b939c288a68720137386c7f6501 + * random/random-csprng.c (mix_pool): Store the first hash at the end + of the pool. + + random: Improve the diagram showing the random mixing. + + commit 2f62103b4bb6d6f9ce806e01afb7fdc58aa33513 + * random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20. + +2016-07-19 Jussi Kivilinna + + crc-intel-pclmul: split assembly block to ease register pressure. + + commit f38199dbc290003898a1799adc367265267784c2 + * cipher/crc-intel-pclmul.c (crc32_less_than_16): Split inline + assembly block handling 4 byte input into multiple blocks. + + rijndael-aesni: split assembly block to ease register pressure. + + commit a4d1595a2638db63ac4c73e722c8ba95fdd85ff7 + * cipher/rijndael-aesni.c (do_aesni_ctr_4): Use single register + constraint for passing 'bige_addb' to assembly block; split + first inline assembly block into two parts. + +2016-07-14 Jussi Kivilinna + + Add ARMv8/AArch32 Crypto Extension implementation of AES. + + commit 05a4cecae0c02d2b4ee1cadd9c08115beae3a94a + * cipher/Makefile.am: Add 'rijndael-armv8-ce.c' and + 'rijndael-armv-aarch32-ce.S'. + * cipher/rijndael-armv8-aarch32-ce.S: New. + * cipher/rijndael-armv8-ce.c: New. + * cipher/rijndael-internal.h (USE_ARM_CE): New. + (RIJNDAEL_context_s): Add 'use_arm_ce'. + * cipher/rijndael.c [USE_ARM_CE] (_gcry_aes_armv8_ce_setkey) + (_gcry_aes_armv8_ce_prepare_decryption) + (_gcry_aes_armv8_ce_encrypt, _gcry_aes_armv8_ce_decrypt) + (_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc) + (_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec) + (_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt) + (_gcry_aes_armv8_ce_ocb_auth): New. + (do_setkey) [USE_ARM_CE]: Add ARM CE/AES HW feature check and key + setup for ARM CE. + (prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc) + (_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec) + (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_ARM_CE]: Add + ARM CE support. + * configure.ac: Add 'rijndael-armv8-ce.lo' and + 'rijndael-armv8-aarch32-ce.lo'. + + Add ARMv8/AArch32 Crypto Extension implementation of GCM. + + commit 962b15470663db11e5c35b86768f1b5d8e600017 + * cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch32-ce.S'. + * cipher/cipher-gcm-armv8-aarch32-ce.S: New. + * cipher/cipher-gcm.c [GCM_USE_ARM_PMULL] + (_gcry_ghash_setup_armv8_ce_pmull, _gcry_ghash_armv8_ce_pmull) + (ghash_setup_armv8_ce_pmull, ghash_armv8_ce_pmull): New. + (setupM) [GCM_USE_ARM_PMULL]: Enable ARM PMULL implementation if + HWF_ARM_PULL HW feature flag is enabled. + * cipher/cipher-gcm.h (GCM_USE_ARM_PMULL): New. + + Add ARMv8/AArch32 Crypto Extension implemenation of SHA-256. + + commit 34c64eb03178fbfd34190148fec5a189df2b8f83 + * cipher/Makefile.am: Add 'sha256-armv8-aarch32-ce.S'. + * cipher/sha256-armv8-aarch32-ce.S: New. + * cipher/sha256.c (USE_ARM_CE): New. + (sha256_init, sha224_init): Check features for HWF_ARM_SHA1. + [USE_ARM_CE] (_gcry_sha256_transform_armv8_ce): New. + (transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports. + (SHA256_CONTEXT): Add 'use_arm_ce'. + * configure.ac: Add 'sha256-armv8-aarch32-ce.lo'. + + Add ARMv8/AArch32 Crypto Extension implementation of SHA-1. + + commit 3d6334f8d94c2a4df10eed203ae928298a4332ef + * cipher/Makefile.am: Add 'sha1-armv8-aarch32-ce.S'. + * cipher/sha1-armv7-neon.S (_gcry_sha1_transform_armv7_neon): Add + missing size. + * cipher/sha1-armv8-aarch32-ce.S: New. + * cipher/sha1.c (USE_ARM_CE): New. + (sha1_init): Check features for HWF_ARM_SHA1. + [USE_ARM_CE] (_gcry_sha1_transform_armv8_ce): New. + (transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports + it. + * cipher/sha1.h (SHA1_CONTEXT): Add 'use_arm_ce'. + * configure.ac: Add 'sha1-armv8-aarch32-ce.lo'. + + Add HW feature check for ARMv8 AArch64 and crypto extensions. + + commit eee78f6e1fbce7d54c43fb7efc5aa8be9f52755f + * configure.ac: Add '--disable-arm-crypto-support'; enable hwf-arm + module on 64-bit ARM. + (armcryptosupport, gcry_cv_gcc_inline_aarch32_crypto) + (gcry_cv_inline_asm_aarch64_neon) + (gcry_cv_gcc_inline_asm_aarch64_crypto): New. + * src/g10lib.h (HWF_ARM_AES, HWF_ARM_SHA1, HWF_ARM_SHA2) + (HWF_ARM_PMULL): New. + * src/hwf-arm.c [__aarch64__]: Enable building in AArch64 mode. + (feature_map_s): New. + [__arm__] (AT_HWCAP, AT_HWCAP2, HWCAP2_AES, HWCAP2_PMULL) + (HWCAP2_SHA1, HWCAP2_SHA2, arm_features): New. + [__aarch64__] (AT_HWCAP, AT_HWCAP2, HWCAP_ASIMD, HWCAP_AES) + (HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2, arm_features): New. + (get_hwcap): Add reading of 'AT_HWCAP2'; Change auxv use + 'unsigned long'. + (detect_arm_at_hwcap): Add mapping of HWCAP/HWCAP2 to HWF flags. + (detect_arm_proc_cpuinfo): Add mapping of CPU features to HWF flags. + (_gcry_hwf_detect_arm): Use __ARM_NEON instead of legacy __ARM_NEON__. + * src/hwfeatures.c (hwflist): Add 'arm-aes', 'arm-sha1', 'arm-sha2' + and 'arm-pmull'. + +2016-07-14 Werner Koch + + Release 1.7.2. + + commit be0bec7d9208b2f2d2ffce9cc2ca6154853e7e59 + * configure.ac: Set LT version to C21/A1/R2. + * Makefile.am (distcheck-hook): New. + +2016-07-13 Werner Koch + + build: Update config.{guess,sub} to {2016-05-15,2016-06-20}. + + commit e535ea1bdc42309553007d60599d3147b8defe93 + * build-aux/config.guess: Update. + * build-aux/config.sub: Update. + +2016-07-08 Jussi Kivilinna + + Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON. + + commit 1111d311fd6452abd4080d1072c75ddb1b5a3dd1 + * cipher/chacha20-armv7-neon.S (UNALIGNED_STMIA8) + (UNALIGNED_LDMIA4): New. + (_gcry_chacha20_armv7_neon_blocks): Use new helper macros instead of + ldm/stm instructions directly. + * cipher/poly1305-armv7-neon.S (UNALIGNED_LDMIA2) + (UNALIGNED_LDMIA4): New. + (_gcry_poly1305_armv7_neon_init_ext, _gcry_poly1305_armv7_neon_blocks) + (_gcry_poly1305_armv7_neon_finish_ext): Use new helper macros instead + of ldm instruction directly. + +2016-07-03 Jussi Kivilinna + + bench-slope: add unaligned buffer mode. + + commit 496790940753226f96b731a43d950bd268acd97a + * tests/bench-slope.c (unaligned_mode): New. + (do_slope_benchmark): Unalign buffer if in unaligned mode enabled. + (print_help, main): Add '--unaligned' parameter. + +2016-07-01 Jussi Kivilinna + + Fix static build. + + commit cb79630ec567a5f2e03e5f863cda168faa7b8cc8 + * tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'. + +2016-06-30 Jussi Kivilinna + + Disallow encryption/decryption if key is not set. + + commit 07de9858032826f5a7b08c372f6bcc73bbb503eb + * cipher/cipher.c (cipher_encrypt, cipher_decrypt): If mode is not + NONE, make sure that key is set. + * cipher/cipher-ccm.c (_gcry_cipher_ccm_set_nonce): Do not clear + 'marks.key' when reseting state. + + Avoid unaligned accesses with ARM ldm/stm instructions. + + commit a6158a01a4d81a5d862e1e0a60bfd6063443311d + * cipher/rijndael-arm.S: Remove __ARM_FEATURE_UNALIGNED ifdefs, always + compile with unaligned load/store code paths. + * cipher/sha512-arm.S: Ditto. + + Fix non-PIC reference in PIC for poly1305/ARMv7-NEON. + + commit a09126242a51c4ea4564b0f70b808e4f27fe5a91 + * cipher/poly1305-armv7-neon.S (GET_DATA_POINTER): New. + (_gcry_poly1305_armv7_neon_init_ext): Use GET_DATA_POINTER. + + Fix wrong CPU feature #ifdef for SHA1/AVX. + + commit 4a983e3bef58b9d056517e25e0ab10b72d12ceba + * cipher/sha1-avx-amd64.S: Check for HAVE_GCC_INLINE_ASM_AVX instead of + HAVE_GCC_INLINE_ASM_AVX2 & HAVE_GCC_INLINE_ASM_BMI2. + +2016-06-30 Werner Koch + + random: Remove debug message about not supported getrandom syscall. + + commit 6965515c73632a088fb126a4a55e95121671fa98 + * random/rndlinux.c (_gcry_rndlinux_gather_random): Remove log_debug + for getrandom error ENOSYS. + +2016-06-27 Werner Koch + + tests: Do not test SHAKE128 et al with gcry_md_hash_buffer. + + commit 4d634a098742ff425b324e9f2a67b9f62de09744 + * tests/benchmark.c (md_bench): Do not test variable lengths algos + with the gcry_md_hash_buffer. + + md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer. + + commit ae26edf4b60359bfa5fe3a27b2c24b336e7ec35c + * cipher/md.c (md_read): Detect missing read function. + (_gcry_md_hash_buffers): Return an error. + +2016-06-25 Werner Koch + + ecc: Fix memory leak. + + commit 7a7f7c147f888367dfee6093d26bfeaf750efc3a + * cipher/ecc.c (ecc_check_secret_key): Do not init point if already + set. + + doc: Update yat2m. + + commit 1feb01940062a74c27230434fc3babdddca8caf4 + * doc/yat2m.c: Update from Libgpg-error + + tests: Add attributes to helper functions. + + commit c870cb5d385c1d6e1e28ca481cf9cf44b3bfeea9 + * tests/t-common.h (die, fail, info): Add attributes. + * tests/random.c (die, inf): Ditto. + * tests/pubkey.c (die, fail, info): Add attributes. + * tests/fipsdrv.c (die): Add attribute. + (main): Take care of missing --key,--iv,--dt options. + + Improve robustness and help lint. + + commit 5a5b055b81ee60a22a846bdf2031516b1c24df98 + * cipher/rsa.c (rsa_encrypt): Check for !DATA. + * cipher/md.c (search_oid): Check early for !OID. + (md_copy): Use gpg_err_code_from_syserror. Replace chains of if(!err) + tests. + * cipher/cipher.c (search_oid): Check early for !OID. + * src/misc.c (do_printhex): Allow for BUFFER==NULL even with LENGTH>0. + * mpi/mpicoder.c (onecompl): Allow for A==NULL to help static + analyzers. + + cipher: Improve fatal error message for bad use of gcry_md_read. + + commit 3f98b1e92d5afd720d7cea5b4e8295c5018bf9ac + * cipher/md.c (md_read): Use _gcry_fatal_error instead of BUG. + +2016-06-16 Niibe Yutaka + + ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM. + + commit b0b70e7fe37b1bf13ec0bfc8effcb5c7f5db6b7d + * cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify) + (ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default + cofactor as 1, when not specified. + + ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM. + + commit 0f3a069211d8d24a61aa0dc2cc6c4ef04cc4fab7 + * cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify) + (ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default + cofactor as 1, when not specified. + +2016-06-15 Werner Koch + + Release 1.7.1. + + commit 48aa6d6602564d6ba0cef10cf08f9fb0c59b3223 + + + doc: Describe envvars. + + commit c3173bbe3f1a9c73f81a538dd49ccfa0447bfcdc + * doc/gcrypt.texi: Add chapter Configuration. + + random: Change names of debug envvars. + + commit 131b4f0634cee0e5c47d2250c59f51127b10f7b3 + * random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to + GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG. + * random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to + GCRYPT_RNDW32_NOPERF. + +2016-06-14 Werner Koch + + cipher: Assign OIDs to the Serpent cipher. + + commit e13a6a1ba53127af602713d0c2aaa85c94b3cd7e + * cipher/serpent.c (serpent128_oids, serpent192_oids) + (serpent256_oids): New. Add them to the specs blow. + (serpent128_aliases): Add "SERPENT-128". + (serpent256_aliases, serpent192_aliases): New. + + cipher: Assign OIDs to the Serpent cipher. + + commit 6cc2100c00a65dff07b095dea7b32cb5c5cd96d4 + * cipher/serpent.c (serpent128_oids, serpent192_oids) + (serpent256_oids): New. Add them to the specs blow. + (serpent128_aliases): Add "SERPENT-128". + (serpent256_aliases, serpent192_aliases): New. + +2016-06-08 Werner Koch + + rsa: Implement blinding also for signing. + + commit 1f769e3e8442bae2f1f73c656920bb2df70153c0 + * cipher/rsa.c (rsa_decrypt): Factor blinding code out to ... + (secret_blinded): new. + (rsa_sign): Use blinding by default. + + random: Remove debug output for getrandom(2) output. + + commit 52cdfb1960808aaad48b5a501bbce0e3141c3961 + * random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug + output. + + Fix gcc portability on Solaris 9 SPARC boxes. + + commit b766ea14ad1c27d6160531b200cc70aaa479c6dc + * mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__. + +2016-06-08 Jérémie Courrèges-Anglas + + Check for compiler SSE4.1 support in PCLMUL CRC code. + + commit dc76313308c184c92eb78452b503405b90fc7ebd + * cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if + compiler supports PCLMUL *and* SSE4.1 + * cipher/crc.c: Ditto + * configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New. + +2016-06-08 NIIBE Yutaka + + ecc: Fix ecc_verify for cofactor support. + + commit bd39eb9fba47dc8500c83769a679cc8b683d6c6e + * cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h". + +2016-06-08 Werner Koch + + random: Try to use getrandom() instead of /dev/urandom (Linux only). + + commit c05837211e5221d3f56146865e823bc20b4ff1ab + * configure.ac: Check for syscall. + * random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h. + (_gcry_rndlinux_gather_random): Use getrandom is available. + +2016-06-03 Werner Koch + + rsa: Implement blinding also for signing. + + commit ef6e4d004b10f5740bcd2125fb70e199dd21e3e8 + * cipher/rsa.c (rsa_decrypt): Factor blinding code out to ... + (secret_blinded): new. + (rsa_sign): Use blinding by default. + + random: Remove debug output for getrandom(2) output. + + commit 82df6c63a72fdd969c3923523f10d0cef5713ac7 + * random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug + output. + +2016-06-02 Werner Koch + + Fix gcc portability on Solaris 9 SPARC boxes. + + commit 4121f15122501d8946f1589b303d1f7949c15e30 + * mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__. + +2016-05-28 Jérémie Courrèges-Anglas + + Check for compiler SSE4.1 support in PCLMUL CRC code. + + commit 3e8074ecd3a534e8bd7f11cf17f0b22d252584c8 + * cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if + compiler supports PCLMUL *and* SSE4.1 + * cipher/crc.c: Ditto + * configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New. + +2016-05-06 NIIBE Yutaka + + ecc: Fix ecc_verify for cofactor support. + + commit c7430aa752232aa690c5d8f16575a345442ad8d7 + * cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h". + +2016-04-26 Werner Koch + + random: Try to use getrandom() instead of /dev/urandom (Linux only). + + commit ee5a32226a7ca4ab067864e06623fc11a1768900 + * configure.ac: Check for syscall. + * random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h. + (_gcry_rndlinux_gather_random): Use getrandom is available. + +2016-04-19 Werner Koch + + asm fix for older gcc versions. + + commit caa9d14c914bf6116ec3f773a322a94e2be0c0fb + * cipher/crc-intel-pclmul.c: Remove extra trailing colon from + asm statements. + + asm fix for older gcc versions. + + commit 4545372c0f8dd35aef2a7abc12b588ed1a4a0363 + * cipher/crc-intel-pclmul.c: Remove extra trailing colon from + asm statements. + +2016-04-15 Werner Koch + + Release 1.7.0. + + commit 795f9cb090c776658a0e3117996e3fb7e2ebd94a + + +2016-04-14 Werner Koch + + tests: Add test vectors for 256 GiB test of SHA3-256. + + commit 1737c546dc7268fa9edcd4a23b7439c56d37ee4f + * tests/hashtest.c: Add new test vectros. + +2016-04-14 Justus Winter + + src: Improve S-expression parsing. + + commit 491586bc7f7b9edc6b78331a77e653543983c9e4 + * src/sexp.c (do_vsexp_sscan): Return an error if a closing + parenthesis is encountered with no matching opening parenthesis. + +2016-04-14 Werner Koch + + cipher: Add constant for 8 bit CFB mode. + + commit 47c6a1f88eb763e9baa394e34d873b761abcebbe + * src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New. + * tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests. + + tests: Add a new test for S-expressions. + + commit 88c6b98350193abbdcfb227754979b0c097ee09c + * tests/t-sexp.c (compare_to_canon): New. + (back_and_forth_one): Add another test. + +2016-04-13 NIIBE Yutaka + + ecc: Fix corner cases for X25519. + + commit 8472b71812e71c69d66e2fcc02a6e21b66755f8b + * cipher/ecc.c (ecc_encrypt_raw): For invalid input, returns + GPG_ERR_INV_DATA instead of aborting with log_fatal. For X25519, + it's not an error, thus, let it return 0. + (ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish + X25519, not by the name of the curve. + (ecc_decrypt_raw): For invalid input, returns GPG_ERR_INV_DATA instead + of aborting with log_fatal. For X25519, it's not an error by its + definition, but we deliberately let it return the error to detect + looks-like-encrypted-message. + * tests/t-cv25519.c: Add points to record the issue. + +2016-04-12 Werner Koch + + cipher: Buffer data from gcry_cipher_authenticate in OCB mode. + + commit b6d2a25a275a35ec4dbd53ecaa9ea0ed7aa99c7b + * cipher/cipher-internal.h (gcry_cipher_handle): Add fields + aad_leftover and aad_nleftover to u_mode.ocb. + * cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear + aad_nleftover. + (_gcry_cipher_ocb_authenticate): Add buffering and facor some code out + to ... + (ocb_aad_finalize): new. + (compute_tag_if_needed): Call new function. + * tests/basic.c (check_ocb_cipher_splitaad): New. + (check_ocb_cipher): Call new function. + (main): Also call check_cipher_modes with --ciper-modes. + +2016-04-12 NIIBE Yutaka + + ecc: Fix X25519 computation on Curve25519. + + commit ee7e1a0e835f8ffcfbcba2a44abab8632db8fed5 + * cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when + PUBKEY_FLAG_DJB_TWEAK is enabled. + (ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled. + * tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt. + + ecc: Fix initialization of EC context. + + commit 7fbdb99b8c56360adfd1fb4e7f4c95e0f8aa34de + * cipher/ecc.c (test_ecdh_only_keys, ecc_generate) + (ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialize + by _gcry_mpi_ec_p_internal_new should carry FLAGS. + +2016-04-06 Werner Koch + + Allow building with configure option --enable-hmac-binary-check. + + commit 65c63144b66392f40b991684789b8b793248e3ba + * src/Makefile.am (mpicalc_LDADD): Add DL_LIBS. + * src/fips.c (check_binary_integrity): Allow use of hmac256 output. + * src/hmac256.c (main): Add option --stdkey + +2016-04-06 NIIBE Yutaka + + ecc: Positive values in computation. + + commit 6f386ceae86a058e26294f744750f1ed2a95e604 + * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure + coefficients A and B are positive. + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do + "P - T" instead of "-T", so that the result will be positive. + (_gcry_ecc_eddsa_verify): Likewise. + * cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve + instead of _gcry_ecc_update_curve_param. + * mpi/ec.c (ec_subm): Make sure the result will be positive. + (dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use + mpi_sub instead of mpi_neg. + (add_points_edwards): Simply use ec_addm. + * tests/t-mpi-point.c (test_curve): Define curves with positive + coefficients. + +2016-04-01 Werner Koch + + mpi: Explicitly limit the allowed input length for gcry_mpi_scan. + + commit 862cf19a119427dd7ee7959a36c72d905f5ea5ca + * mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New. + (mpi_fromstr): Check against this limit. + (_gcry_mpi_scan): Ditto. + * tests/mpitests.c (test_maxsize): New. + (main): Cal that test. + +2016-03-31 Werner Koch + + cipher: Remove specialized rmd160 functions. + + commit fcce0cb6e8af70b134c6ecc3f56afa07a7d31f27 + * cipher/rmd160.c: Replace rmd.h by hash-common.h. + (RMD160_CONTEXT): Move from rmd.h to here. + (_gcry_rmd160_init): Remove. + (_gcry_rmd160_mixblock): Remove. + (_gcry_rmd160_hash_buffer): Use rmd160_init directly. + * cipher/md.c: Remove rmd.h which was not actually used. + * cipher/rmd.h: Remove. + * cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h. + * configure.ac (USE_RMD160): Allow to build without RMD160. + + random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool. + + commit a9cbe2d1f6a517a831517da8bc1d29e3e0b2c0c0 + * cipher/sha1.c (_gcry_sha1_mixblock_init): New. + (_gcry_sha1_mixblock): New. + * random/random-csprng.c: Include sha1.h instead of rmd.h. + (mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing. + + cipher: Move sha1 context definition to a separate file. + + commit 142a479a484cb4e84d0561be9b05b44dac9e6fe2 + * cipher/sha1.c: Replace hash-common.h by sha1.h. + (SHA1_CONTEXT): Move to ... + * cipher/sha1.h: new. Always include all flags. + * cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h. + +2016-03-29 Werner Koch + + tests: Fix buffer overflow in bench-slope. + + commit 48ee918400762281bec5b6fc218a9f0d119aac7c + * tests/bench-slope.c (bench_print_result_std): Remove wrong use of + strncat. + +2016-03-27 Jussi Kivilinna + + cipher: GCM: check that length of supplied tag is one of valid lengths. + + commit f2260e3a2e962ac80124ef938e54041bbea08561 + * cipher/cipher-gcm.c (is_tag_length_valid): New. + (_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length. + * tests/basic.c (_check_gcm_cipher): Add test-vectors with different + valid tag lengths and negative test vectors with invalid lengths. + +2016-03-24 Peter Wu + + cipher: Fix memleaks in (self)tests. + + commit 4a064e2a06fe737f344d1dfd8a45cc4c2abbe4c9 + * cipher/dsa.c: Release memory for MPI and sexp structures. + * cipher/ecc.c: Release memory for sexp structure. + * tests/keygen.c: Likewise. + + Mark constant MPIs as non-leaked. + + commit 470a30db241a2d567739ef2adb2a2ee64992d8b4 + * mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked. + +2016-03-23 Werner Koch + + Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info. + + commit fea5971488e049f902d7912df22a945bc755ad6d + * src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New. + * cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature. + + * tests/basic.c (_check_gcm_cipher): Check that new feature. + (_check_poly1305_cipher): Ditto. + (check_ccm_cipher): Ditto. + (do_check_ocb_cipher): Ditto. + (check_ctr_cipher): Add negative test for new feature. + + cipher: Avoid NULL-segv in GCM mode if a key has not been set. + + commit e709d86fe596a4bcf235799468947c13ae657d78 + * cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN + has been initialized. + (_gcry_cipher_gcm_decrypt): Ditto. + (_gcry_cipher_gcm_authenticate): Ditto. + (_gcry_cipher_gcm_initiv): Ditto. + (_gcry_cipher_gcm_tag): Ditto. + + cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag. + + commit 7c9c82feecf94a455c66d9c38576f36c9c4b484c + * cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the + provided tag length matches the actual tag length. + +2016-03-23 Peter Wu + + Fix buffer overrun in gettag for Poly1305. + + commit 6821e1bd94969106a70e3de17b86f6e6181f4e59 + * cipher/cipher-poly1305.c: copy a fixed length instead of the + user-supplied number. + +2016-03-23 Werner Koch + + cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag. + + commit 15785bc9fb1787554bf371945ecb191830c15bfd + * cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided + tag length matches the actual tag length. Avoid gratuitous return + statements. + +2016-03-23 Peter Wu + + Fix buffer overrun in gettag for GCM. + + commit d3d7bdf8215275b3b20690dfde3f43dbe25b6f85 + * cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied + number. + +2016-03-22 Werner Koch + + tests: Add options --fips to keygen for manual tests. + + commit d328095dd4de83b839d9d8c4bdbeec0956971016 + (main): Add option --fips. + * tests/keygen.c (check_rsa_keys): Create an 2048 bit key with e=65539 + because that is valid in FIPS mode. Check that key generation fails + for too short keys in FIPS mode. + (check_ecc_keys): Check that key generation fails for Ed25519 keys in + FIPS mode. + +2016-03-22 Tomáš Mráz + + rsa: Add FIPS 186-4 compliant RSA probable prime key generator. + + commit 5f9b3c2e220ca6d0eaff32324a973ef67933a844 + * cipher/primegen.c (_gcry_fips186_4_prime_check): New. + * cipher/rsa.c (generate_fips): New. + (rsa_generate): Use new function in fips mode or with test-parms. + + * tests/keygen.c (check_rsa_keys): Add test using e=65539. + +2016-03-20 Jussi Kivilinna + + Fix ARM NEON support detection on ARMv6 target. + + commit 583919d70763671ed9feeaa14e1f66379aff88cc + * configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive + instead of '.thumb'. + +2016-03-18 Werner Koch + + Always require a 64 bit integer type. + + commit 897ccd21b7221982806b5c024518f4e989152f14 + * configure.ac (available_digests_64): Merge with available_digests. + (available_kdfs_64): Merge with available_kdfs. + <64 bit datatype test>: Bail out if no such type is available. + * src/types.h: Emit #error if no u64 can be defined. + (PROPERLY_ALIGNED_TYPE): Always add u64 type. + * cipher/bithelp.h: Remove all code paths which handle the + case of !HAVE_U64_TYPEDEF. + * cipher/bufhelp.h: Ditto. + * cipher/cipher-ccm.c: Ditto. + * cipher/cipher-gcm.c: Ditto. + * cipher/cipher-internal.h: Ditto. + * cipher/cipher.c: Ditto. + * cipher/hash-common.h: Ditto. + * cipher/md.c: Ditto. + * cipher/poly1305.c: Ditto. + * cipher/scrypt.c: Ditto. + * cipher/tiger.c: Ditto. + * src/g10lib.h: Ditto. + * tests/basic.c: Ditto. + * tests/bench-slope.c: Ditto. + * tests/benchmark.c: Ditto. + +2016-03-18 Vitezslav Cizek + + tests: Fix testsuite after the FIPS adjustments. + + commit 9ecc2690181ba0bb44f66451a7dce2fc19965793 + * tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS. + * tests/curves.c (check_get_params): Skip Brainpool curves in FIPS. + * tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys. + (check_ecc_keys): Skip Ed25519 in FIPS mode. + * tests/random.c (main): Don't switch DRBG in FIPS mode. + * tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode. + * tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS. + * tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS. + (main): Skip math tests that use P-192 and Ed25519 in FIPS. + + tests: Add new --pss option to fipsdrv. + + commit 1a02d741cacc3b57fe3d6ffebd794d53a60c9e97 + * tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length + to 0 for PSS. + + cipher: Add option to specify salt length for PSS verification. + + commit 0bd8137e68c201b6c2290710e348aaf57efa2b2e + * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for + salt-length token. + + tests: Add support for RSA keygen tests to fipsdrv. + + commit 2e139456369a834cf87d983da4f61241fda76efe + * tests/fipsdrv.c (run_rsa_keygen): New. + (main): Support RSA keygen and RSA keygen KAT tests. + + tests: Fixes for RSA testsuite in FIPS mode. + + commit c690230af5a66b809f8f6fbab1a6262a5ba078cb + * tests/basic.c (get_keys_new): Generate 2048 bit key. + * tests/benchmark.c (rsa_bench): Skip keys of lengths different + than 2048 and 3072 in FIPS mode. + * tests/keygen.c (check_rsa_keys): Failure if short keys can be + generated in FIPS mode. + (check_dsa_keys): Ditto for DSA keys. + * tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS. + + rsa: Use 2048 bit RSA keys for selftest. + + commit 78cec8b4754fdf774edb2d575000cb3e972e244c + * cipher/rsa.c (selftests_rsa): Use 2048 bit keys. + (selftest_encr_1024): Replaced by selftest_encr_2048. + (selftest_sign_1024): Replaced by selftest_sign_2048. + (selftest_encr_2048): Add check against known ciphertext. + (selftest_sign_2048): Add check against known signature. + (selftest_sign_2048): Free SIG_MPI. + * tests/pubkey.c (get_keys_new): Generate 2048 bit keys. + + Disable non-allowed algorithms in FIPS mode. + + commit ce1cbe16992a7340edcf8e6576973e3508267640 + * cipher/cipher.c (_gcry_cipher_init), + * cipher/mac.c (_gcry_mac_init), + * cipher/md.c (_gcry_md_init), + * cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the + non-allowed ciphers. + * cipher/md5.c: Mark MD5 as not allowed in FIPS. + * src/g10lib.h (_gcry_mac_init): New. + * src/global.c (global_init): Call the new _gcry_mac_init. + * tests/basic.c (check_ciphers): Fix a typo. + +2016-03-18 Werner Koch + + kdf: Make PBKDF2 check work on all platforms. + + commit c478cf175887c84dc071c4f73a7667603b354789 + * cipher/kdf.c (_gcry_kdf_pkdf2): Chnage DKLEN to unsigned long. + +2016-03-18 Vitezslav Cizek + + kdf: Add upper bound for derived key length in PBKDF2. + + commit 0f741b0704bac5c0e2d2a0c2b34b44b35baa76d6 + * cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen. + + ecc: ECDSA adjustments for FIPS 186-4. + + commit a242e3d9185e6e2dc13902ea9331131755bbba01 + * cipher/ecc-curves.c: Unmark curve P-192 for FIPS. + * cipher/ecc.c: Add ECDSA self test. + * cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2 + in FIPS mode. + * tests/fipsdrv.c: Add support for ECDSA signatures. + +2016-03-18 Werner Koch + + dsa: Make regression tests work. + + commit e40939b2141306238cc30a340b867b60fa4dc2a3 + * cipher/dsa.c (sample_secret_key_1024): Comment out unused constant. + (ogenerate_fips186): Make it work with use-fips183-2 flag. + * cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs + standard comment out format. + * tests/fips186-dsa.c (check_dsa_gen_186_3): New dummy fucntion. + (main): Call it. + (main): Compare against current version. + * tests/pubkey.c (get_dsa_key_fips186_new): Create 2048 bit key. + (get_dsa_key_fips186_with_seed_new): Ditto. + (get_dsa_key_fips186_with_domain_new): Comment out. + (check_run): Do not call that function. + +2016-03-18 Vitezslav Cizek + + dsa: Adjustments to conform with FIPS 186-4. + + commit 80e9f95e6f419daa765e4876c858e3e36e808897 + * cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments. + * cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect + buflen passed to _gcry_mpi_scan. + +2016-03-16 Justus Winter + + Update documentation for 'gcry_sexp_extract_param'. + + commit 4051fe7fec6ffdc7a2f5c3856665478866991ee7 + * doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MIPs + must be set to NULL first, and document how the function behaves in + case of errors. + * src/sexp.c (_gcry_sexp_extract_param): Likewise. + * src/gcrypt.h.in (gcry_sexp_extract_param): Copy the comment from + '_gcry_sexp_extract_param'. + + cipher: Update comment. + + commit fcf4358a7a7ba8d32bf385ea99ced5f47cbd3ae2 + * cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact + that a curve parameter can be given. + +2016-03-12 Jussi Kivilinna + + Add Intel PCLMUL implementations of CRC algorithms. + + commit 5d601dd57fcb41aa2015ab655fd6fc51537da667 + * cipher/Makefile.am: Add 'crc-intel-pclmul.c'. + * cipher/crc-intel-pclmul.c: New. + * cipher/crc.c (USE_INTEL_PCLMUL): New macro. + (CRC_CONTEXT) [USE_INTEL_PCLMUL]: Add 'use_pclmul'. + [USE_INTEL_PCLMUL] (_gcry_crc32_intel_pclmul) + (gcry_crc24rfc2440_intel_pclmul): New. + (crc32_init, crc32rfc1510_init, crc24rfc2440_init) + [USE_INTEL_PCLMUL]: Select PCLMUL implementation if SSE4.1 and PCLMUL + HW features detected. + (crc32_write, crc24rfc2440_write) [USE_INTEL_PCLMUL]: Use PCLMUL + implementation if enabled. + (crc24_init): Document storage format of 24-bit CRC. + (crc24_next4): Use only 'data' for last table look-up. + * configure.ac: Add 'crc-intel-pclmul.lo'. + * src/g10lib.h (HWF_*, HWF_INTEL_SSE4_1): Update HWF flags to include + Intel SSE4.1. + * src/hwf-x86.c (detect_x86_gnuc): Add SSE4.1 detection. + * src/hwfeatures.c (hwflist): Add 'intel-sse4.1'. + * tests/basic.c (fillbuf_count): New. + (check_one_md): Add "?" check (million byte data-set with byte pattern + 0x00,0x01,0x02,...); Test all buffer sizes 1 to 1000, for "!" and "?" + checks. + (check_one_md_multi): Skip "?". + (check_digests): Add "?" test-vectors for MD5, SHA1, SHA224, SHA256, + SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, RIPEMD160, + CRC32, CRC32_RFC1510, CRC24_RFC2440, TIGER1 and WHIRLPOOL; Add "!" + test-vectors for CRC32_RFC1510 and CRC24_RFC2440. + +2016-02-25 NIIBE Yutaka + + mpi: Normalize EXPO for mpi_powm. + + commit fdfa5bfefdde316688a3c8021bd3528c5273b0f4 + * mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP. + +2016-02-22 Andreas Metzler + + Do not ship generated header file in tarball. + + commit 2b40a16333fa75f1cee85ab901a5aa9cff845a92 + * src/Makefile.am: Move gcrypt.h from include_HEADERS to + nodist_include_HEADERS to prevent inclusion in release tarball. + This could break out-of-tree-builds because the potentially outdated + src/gcrypt.h was not updated but was in the compiler search path. + +2016-02-20 Jussi Kivilinna + + Fix building random-drbg for Win32/64. + + commit 531b25aa94c58f6d2168a9537c8cea6c53d7bbe0 + * random/random-drbg.c: Remove include for sys/types.h and asm/types.h. + (DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH) + (DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384) + (DRBG_HASHSHA512, DRBG_HMAC, DRBG_SYM128, DRBG_SYM192) + (DRBG_SYM256): Change 'u_int32_t' to 'u32'. + (drbg_get_entropy) [USE_RNDUNIX, USE_RNDW32]: Fix parameters + 'drbg_read_cb' and 'len'. + +2016-02-20 Werner Koch + + tests: Do not test DRBG_REINIT from "make check" + + commit 839d12c221430b60db5e0d6fbb107f22e0a6837f + * tests/random.c (main): Run check_drbg_reinit only if the envvar + GCRYPT_IN_REGRESSION_TEST is set. + + doc: Fix possible dependency problem. + + commit 3b57e5a1ba68e26dcaea38b763287fddba9b6b7c + * doc/Makefile.am (gcrypt.texi): Use the right traget. + +2016-02-19 Stephan Mueller + + random: Remove ANSI X9.31 DRNG. + + commit e9b692d25d1c149b5417b70e18f2ce173bc25b6d + * random-fips.c: Remove. + +2016-02-19 Werner Koch + + random: Add a test case for DRBG_REINIT. + + commit 934ba2ae5a95a96fdbb3b935b51ba43df66f11df + * src/global.c (_gcry_vcontrol) : Test for FIPS RNG. + * tests/random.c (check_drbg_reinit): New. + (main): Call new test. + + random: Allow DRBG_REINIT before initialization. + + commit 7cdbd6e6a3cf1ee366b981e148d41b1187a6fdcf + * random/random-drbg.c (DRBG_DEFAULT_TYPE): New. + (_drbg_init_internal): Set the default type if no type has been set + before. + (_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default. + + Add new private header gcrypt-testapi.h. + + commit 744b030cff61fd25114b0b25394c62782c153343 + * src/gcrypt-testapi.h: New. + * src/Makefile.am (libgcrypt_la_SOURCES): Add new file. + * random/random.h: Include gcrypt-testapi.h. + (struct gcry_drbg_test_vector) : Move to gcrypt-testapi.h. + * src/global.c: Include gcrypt-testapi.h. + (_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61. + * cipher/cipher.c: Include gcrypt-testapi.h. + (_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62. + * tests/fipsdrv.c: Include gcrypt-testapi.h. Remove definition of + PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_ + constants. + * tests/t-lock.c: Include gcrypt-testapi.h. Remove + PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants. + + * random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ... + (_gcry_rngdrbg_cavs_test): this. + (gcry_rngdrbg_healthcheck_one): Rename to ... + (_gcry_rngdrbg_healthcheck_one): this. + + random: Make the DRBG C-90 clean and use a flag string. + + commit 95f1db3affb9f5b8a2c814c211d4a02b30446c15 + * random/random.h (struct gcry_drbg_test_vector): Rename "flags" to + "flagstr" and turn it into a string. + * random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of + designated initializers. Use a string for the flags. + (gcry_rngdrbg_cavs_test): Parse the flag string into a flag value. + (drbg_healthcheck_sanity): Ditto. + + random: Symbol name cleanup for random-drbg.c. + + commit 85ed07790552297586258e8fe09b546eee357a8b + * random/random-drbg.c: Rename all static objects and macros from + "gcry_drbg" to "drbg". + (drbg_string_t): New typedef. + (drbg_gen_t): New typedef. + (drbg_state_t): New typedef. Replace all "struct drbg_state_s *" by + this. + (_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so + that an error if actually returned. + (gcry_rngdrbg_cavs_test): Ditto. + (gcry_drbg_healthcheck_sanity): Ditto. + + random: Use our symbol name pattern also for drbg functions. + + commit 7cf3c929331133e4381dbceac53d3addd921c929 + * random/random-drbg.c: Rename global functions from _gcry_drbg_* + to _gcry_rngdrbg_*. + * random/random.c: Adjust for this change. + * src/global.c: Ditto. + + random: Rename drbg.c to random-drbg.c. + + commit e49b3f2c10e012509b5930c0df4d6df378d3b9f4 + * random/drbg.c: Rename to ... + * random/random-drbg.c: this. + * random/Makefile.am (librandom_la_SOURCES): Adjust accordingly. + + random: Remove the new API introduced by the new DRBG. + + commit dfac2b13d0068b2b1b420d77e9771a49964b81c1 + * src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c. + (struct gcry_drbg_string): Ditto. + (gcry_drbg_string_fill): Ditto. + (gcry_randomize_drbg): Remove. + * random/drbg.c (parse_flag_string): New. + (_gcry_drbg_reinit): Change the way the arguments are passed. + * src/global.c (_gcry_vcontrol) : Change calling + convention. + + Add helper function _gcry_strtokenize. + + commit 4e134b6e77f558730ec1eceb6b816b0bcfd845e9 + * src/misc.c (_gcry_strtokenize): New. + +2016-02-18 Werner Koch + + random: Remove DRBG constants from the public API. + + commit fd13372fa9069d3a72947ea59c57e33637c936bf + * src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ... + * random/drbg.c: here. + +2016-02-18 Stephan Mueller + + random: Add SP800-90A DRBG. + + commit ed57fed6de1465e02ec5e3bc0affeabdd35e2eb7 + * random/drbg.c: New. + * random/random.c (_gcry_random_initialize): Replace rngfips init by + drbg init. + (__gcry_random_close_fds): Likewise. + (_gcry_random_dump_stats): Likewise. + (_gcry_random_is_faked): Likewise. + (do_randomize): Likewise. + (_gcry_random_selftest): Likewise. + (_gcry_create_nonce): Replace rngfips_create_noce by drbg_randomize. + (_gcry_random_init_external_test): Remove. + (_gcry_random_run_external_test): Remove. + (_gcry_random_deinit_external_test): Remove. + * random/random.h (struct gcry_drbg_test_vector): New. + * src/gcrypt.h.in (struct gcry_drbg_gen): New. + (struct gcry_drbg_string): New. + (gcry_drbg_string_fill): New. + (gcry_randomize_drbg): New. + (GCRY_DRBG_): Lots of new macros. + * src/global.c (_gcry_vcontrol) : Turn into + a nop. + (_gcry_vcontrol) : Ditto. + (_gcry_vcontrol) : Change. + (_gcry_vcontrol) : New. + +2016-02-13 Jussi Kivilinna + + bufhelp: disable unaligned memory accesses on powerpc. + + commit 1da793d089b65ac8c1ead65dacb6b8699f5b6e69 + * cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for + __powerpc__ and __powerpc64__. + +2016-02-12 NIIBE Yutaka + + ecc: Not validate input point for Curve25519. + + commit 7a019bc7ecdbdfdef51094e090ce95e062da9b64 + * cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception. + +2016-02-10 NIIBE Yutaka + + ecc: Fix memory leaks on error. + + commit b12dd550fd6af687ef95c584d0d8366c34965cc8 + * cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory. + * mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise. + +2016-02-09 NIIBE Yutaka + + ecc: input validation on ECDH. + + commit 23b72901f8a5ba9a78485b235c7a917fbc8faae0 + * cipher/ecc.c (ecc_decrypt_raw): Validate the point. + +2016-02-08 Jussi Kivilinna + + Add ARM assembly implementation of SHA-512. + + commit 8353884bc65c820d5bcacaf1ac23cdee72091a09 + * cipher/Makefile.am: Add 'sha512-arm.S'. + * cipher/sha512-arm.S: New. + * cipher/sha512.c (USE_ARM_ASM): New. + (_gcry_sha512_transform_arm): New. + (transform) [USE_ARM_ASM]: Use ARM assembly implementation instead of + generic. + * configure.ac: Add 'sha512-arm.lo'. + +2016-02-03 NIIBE Yutaka + + tests: Add a test for Curve25519. + + commit b8b3361504950689ef1e779fb3357cecf8a9f739 + * tests/Makefile.am (tests_bin): Add t-cv25519. + * tests/t-cv25519.c: New. + +2016-02-02 NIIBE Yutaka + + ecc: Fix Curve25519 for data by older implementation. + + commit 6cb6df9dddac6ad246002b83c2ce0aaa0ecf30e5 + * cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for + short length data. + + ecc: more fix of Curve25519. + + commit 48ba5a50066611ecacea850ced13f5cb66097a81 + * cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of + prefix. Clear the MSB, according to RFC7748. + + ecc: Fix ECDH of Curve25519. + + commit a2f9afcd7fcdafd5951498b07f34957f9766dce9 + * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS + and prefix detection. + * cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS. + (ecc_encrypt_raw): Use NBITS from curve instead of from P. + Fix rawmpilen calculation. + (ecc_decrypt_raw): Likewise. Add debug output. + +2016-01-29 Jussi Kivilinna + + Improve performance of generic SHA256 implementation. + + commit f3e51161036382429c3491c7c881f36c0a653c7b + * cipher/sha256.c (R): Let caller do variable shuffling. + (Chro, Maj, Sum0, Sum1): Convert from inline functions to macros. + (W, I): New. + (transform_blk): Unroll round loop; inline message expansion to rounds + to make message expansion buffer smaller. + +2016-01-28 Werner Koch + + ecc: New API function gcry_mpi_ec_decode_point. + + commit 2cf2ca7bb9741ac86e8aa92d8f03b1c5f5938897 + * mpi/ec.c (_gcry_mpi_ec_decode_point): New. + * cipher/ecc-common.h: Move two prototypes to ... + * src/ec-context.h: here. + * src/gcrypt.h.in (gcry_mpi_ec_decode_point): New. + * src/libgcrypt.def (gcry_mpi_ec_decode_point): New. + * src/libgcrypt.vers (gcry_mpi_ec_decode_point): New. + * src/visibility.c (gcry_mpi_ec_decode_point): New. + * src/visibility.h: Add new function. + +2016-01-15 Werner Koch + + Fix build problem for rndegd.c. + + commit 191c2e4fe2dc0e00f61aa44e011a9596887e6ce1 + * Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules. + * random/rndegd.c (_gcry_rndegd_connect_socket) + (my_make_filename): Use functions with '_' prefix. + + random: Fix possible AIX problem with sysconf in rndunix. + + commit 6303b0e83856ee89374b447e710f0ab2af61caec + * random/rndunix.c [HAVE_STDINT_H]: Include stdint.h. + (start_gatherer): Detect misbehaving sysconf. + +2015-12-27 Werner Koch + + random: Take at max 25% from RDRAND. + + commit 5a78e7f15e0dd96a8bf64e2bb142880bf8ea6965 + * random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of + RDRAND from 50% to 25%. + +2015-12-07 Justus Winter + + cipher: Improve error handling. + + commit b9c02fbeb7efb7d0593b33485fb30c298291cf80 + * cipher/ecc.c (ecc_decrypt_raw): Improve error handling. + + cipher: Initialize 'flags'. + + commit ca06cd7f77acb317c2649c58918908f043dfe6bd + * cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0. + +2015-12-05 NIIBE Yutaka + + ecc: CHANGE point representation of Curve25519. + + commit dd3d06e7f113cf7608f060ceb043262efd0b0c9d + * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with + the prefix 0x40, additional 0x00 by MPI handling, and shorter octets + by MPI normalization. + * cipher/ecc.c (ecc_generate, ecc_encrypt_raw, ecc_decrypt_raw): + Always add the prefix 0x40. + +2015-12-03 Jussi Kivilinna + + chacha20: fix alignment of self-test context. + + commit 6fadbcd088e2af3e48407b95d8d0c2a8b7ad6c38 + * cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20 + context structure. + + salsa20: fix alignment of self-test context. + + commit 2cba0dbda462237f55438d4199eccd10c5e3f6ca + * cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20 + context structure. + +2015-12-02 Justus Winter + + random: Drop fake entropy gathering function. + + commit d421ac283ec46d0ecaf6278ba4c24843f65fb2fa + * random/random-csprng.c (faked_rng): Drop variable. + (gather_faked): Drop prototype and function. + (initialize): Drop fallback code. + (_gcry_rngcsprng_is_faked): Change accordingly. + + random: Fix selection of entropy gathering function. + + commit 468a5796ffb1a7776db4004d534376c1b981d740 + * random/random-csprng.c (getfnc_gather_random): Do return NULL if no + usable entropy gathering function is found. The callsite then + installs the fake gather function. + +2015-11-26 NIIBE Yutaka + + ecc: minor improvement of point multiplication. + + commit 3658afd09c3b03b4398aaa5748387220c93b1a94 + * mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop. + +2015-11-25 NIIBE Yutaka + + ecc: Constant-time multiplication for Weierstrass curve. + + commit 88e1358962e902ff1cbec8d53ba3eee46407851a + * mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary + method for Weierstrass curve when SCALAR is secure. + + mpi: fix gcry_mpi_swap_cond. + + commit f88adee3e1f3e2de7d63f92f90bfb3078afd3b4f + * mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition. + + mpi: Fix mpi_set_cond and mpi_swap_cond . + + commit 8ad682c412047d3b9196950709dbd7bd14ac8732 + * mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use + the operator of !!, but assume SET/SWAP is 0 or 1. + + ecc: multiplication of Edwards curve to be constant-time. + + commit 295b1c3540752af4fc5e6f41480e6db215222fba + * mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond. + + ecc: Add point_resize and point_swap_cond. + + commit b6015176df6bfae107ac82f9baa29ef2c175c9f9 + * mpi/ec.c (point_resize, point_swap_cond): New. + (_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond. + +2015-11-18 Justus Winter + + cipher: Fix error handling. + + commit 940dc8adc034a6c6c38742f6bfd7d837a532d537 + * cipher/cipher.c (_gcry_cipher_ctl): Fix error handling. + +2015-11-18 Jussi Kivilinna + + Tweak Keccak for small speed-up. + + commit 6571a64331839d7d952292163afbf34c8bef62e0 + * cipher/keccak_permute_32.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Track + rounds with round constant pointer instead of separate round counter. + * cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Ditto. + (KECCAK_F1600_ABSORB_FUNC_NAME): Tweak lanes pointer increment for bulk + absorb loops. + + Update license information for CRC. + + commit 15ea0acf8bb0aa307eccc23024a0bd7878fb8080 + * LICENSES: Remove 'Simple permissive' and 'IETF permissive' licenses + for 'cipher/crc.c' as result of rewrite of CRC implementations. + +2015-11-17 Justus Winter + + Fix typos found using codespell. + + commit 0e395944b70c7a92a6437f6bcc14f287c19ce9de + * cipher/cipher-ocb.c: Fix typos. + * cipher/des.c: Likewise. + * cipher/dsa-common.c: Likewise. + * cipher/ecc.c: Likewise. + * cipher/pubkey.c: Likewise. + * cipher/rsa-common.c: Likewise. + * cipher/scrypt.c: Likewise. + * random/random-csprng.c: Likewise. + * random/random-fips.c: Likewise. + * random/rndw32.c: Likewise. + * src/cipher-proto.h: Likewise. + * src/context.c: Likewise. + * src/fips.c: Likewise. + * src/gcrypt.h.in: Likewise. + * src/global.c: Likewise. + * src/sexp.c: Likewise. + * tests/mpitests.c: Likewise. + * tests/t-lock.c: Likewise. + +2015-11-01 Jussi Kivilinna + + Improve performance of Tiger hash algorithms. + + commit 89fa74d6b3e58cd4fcd6e0939a35e46cbaca2ea0 + * cipher/tiger.c (tiger_round, pass, key_schedule): Convert functions + to macros. + (transform_blk): Pass variable names instead of pointers to 'pass'. + + Add ARMv7/NEON implementation of Keccak. + + commit a1cc7bb15473a2419b24ecac765ae0ce5989a13b + * cipher/Makefile.am: Add 'keccak-armv7-neon.S'. + * cipher/keccak-armv7-neon.S: New. + * cipher/keccak.c (USE_64BIT_ARM_NEON): New. + (NEED_COMMON64): Select if USE_64BIT_ARM_NEON. + [NEED_COMMON64] (round_consts_64bit): Rename to... + [NEED_COMMON64] (_gcry_keccak_round_consts_64bit): ...this; Add + terminator at end. + [USE_64BIT_ARM_NEON] (_gcry_keccak_permute_armv7_neon) + (_gcry_keccak_absorb_lanes64_armv7_neon, keccak_permute64_armv7_neon) + (keccak_absorb_lanes64_armv7_neon, keccak_armv7_neon_64_ops): New. + (keccak_init) [USE_64BIT_ARM_NEON]: Select ARM/NEON implementation + if supported by HW. + * cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Update + to use new round constant table. + * configure.ac: Add 'keccak-armv7-neon.lo'. + + Optimize Keccak 64-bit absorb functions. + + commit 2857cb89c6dc1c02266600bc1fd2967a3cd5cf88 + * cipher/keccak.c [USE_64BIT] [__x86_64__] (absorb_lanes64_8) + (absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New. + * cipher/keccak.c [USE_64BIT] [!__x86_64__] (absorb_lanes64_8) + (absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New. + [USE_64BIT] (KECCAK_F1600_ABSORB_FUNC_NAME): New. + [USE_64BIT] (keccak_absorb_lanes64): Remove. + [USE_64BIT_SHLD] (KECCAK_F1600_ABSORB_FUNC_NAME): New. + [USE_64BIT_SHLD] (keccak_absorb_lanes64_shld): Remove. + [USE_64BIT_BMI2] (KECCAK_F1600_ABSORB_FUNC_NAME): New. + [USE_64BIT_BMI2] (keccak_absorb_lanes64_bmi2): Remove. + * cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): New. + +2015-10-31 Jussi Kivilinna + + Enable CRC test vectors with zero bytes. + + commit 07e4839e75a7bca3a6c0a94aecfe75efe61d7ff2 + * tests/basic.c (check_digests): Enable CRC test-vectors with zero + bytes. + + Keccak: Add SHAKE Extendable-Output Functions. + + commit c0b9eee2d93a13930244f9ce0c14ed6b4aeb6c29 + * src/hash-common.c (_gcry_hash_selftest_check_one): Add handling for + XOFs. + * src/keccak.c (keccak_ops_t): Rename 'extract_inplace' to 'extract' + and add 'pos' argument. + (KECCAK_CONTEXT): Add 'suffix'. + (keccak_extract_inplace64): Rename to... + (keccak_extract64): ...this; Add handling for 'pos' argument. + (keccak_extract_inplace32bi): Rename to... + (keccak_extract32bi): ...this; Add handling for 'pos' argument. + (keccak_extract_inplace64): Rename to... + (keccak_extract64): ...this; Add handling for 'pos' argument. + (keccak_extract_inplace32bi_bmi2): Rename to... + (keccak_extract32bi_bmi2): ...this; Add handling for 'pos' argument. + (keccak_init): Setup 'suffix'; add SHAKE128 & SHAKE256. + (shake128_init, shake256_init): New. + (keccak_final): Do not initial permute for SHAKE output; use correct + suffix for SHAKE. + (keccak_extract): New. + (keccak_selftests_keccak): Add SHAKE128 & SHAKE256 test-vectors. + (run_selftests): Add SHAKE128 & SHAKE256. + (shake128_asn, oid_spec_shake128, shake256_asn, oid_spec_shake256) + (_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): New. + * cipher/md.c (digest_list): Add SHAKE128 & SHAKE256. + * doc/gcrypt.texi: Ditto. + * src/cipher.h (_gcry_digest_spec_shake128) + (_gcry_digest_spec_shake256): New. + * src/gcrypt.h.in (GCRY_MD_SHAKE128, GCRY_MD_SHAKE256): New. + * tests/basic.c (check_one_md): Add XOF check; Add 'elen' argument. + (check_one_md_multi): Skip if algo is XOF. + (check_digests): Add SHAKE128 & SHAKE256 test vectors. + * tests/bench-slope.c (kdf_bench_one): Skip XOFs. + + Few updates to documentation. + + commit 28de6f9e16e386018e81a9cdaee596be7616ccab + * doc/gcrypt.text: Add mention of new 'intel-fast-shld' hw feature + flag; Add mention of x86 RDRAND support in rndhw. + + Add HMAC-SHA3 test vectors. + + commit 92ad19873562cfce7bcc4a0b5aed8195d8284cfc + * tests/basic.c (check_mac): Add HMAC_SHA3 test vectors. + +2015-10-28 Jussi Kivilinna + + md: add variable length output interface. + + commit 577dc2b63ceca6a8a716256d034ea4e7414f65fa + * cipher/crc.c (_gcry_digest_spec_crc32) + (_gcry_digest_spec_crc32_rfc1510, _gcry_digest_spec_crc24_rfc2440): Set + 'extract' NULL. + * cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_94) + (_gcry_digest_spec_gost3411_cp): Ditto. + * cipher/keccak.c (_gcry_digest_spec_sha3_224) + (_gcry_digest_spec_sha3_256, _gcry_digest_spec_sha3_384) + (_gcry_digest_spec_sha3_512): Ditto. + * cipher/md2.c (_gcry_digest_spec_md2): Ditto. + * cipher/md4.c (_gcry_digest_spec_md4): Ditto. + * cipher/md5.c (_gcry_digest_spec_md5): Ditto. + * cipher/rmd160.c (_gcry_digest_spec_rmd160): Ditto. + * cipher/sha1.c (_gcry_digest_spec_sha1): Ditto. + * cipher/sha256.c (_gcry_digest_spec_sha224) + (_gcry_digest_spec_sha256): Ditto. + * cipher/sha512.c (_gcry_digest_spec_sha384) + (_gcry_digest_spec_sha512): Ditto. + * cipher/stribog.c (_gcry_digest_spec_stribog_256) + (_gcry_digest_spec_stribog_512): Ditto. + * cipher/tiger.c (_gcry_digest_spec_tiger) + (_gcry_digest_spec_tiger1, _gcry_digest_spec_tiger2): Ditto. + * cipher/whirlpool.c (_gcry_digest_spec_whirlpool): Ditto. + * cipher/md.c (md_enable): Do not allow combination of HMAC and + 'expandable-output function'. + (md_final): Check if spec->read is NULL before calling. + (md_read): Ditto. + (md_extract, _gcry_md_extract): New. + * doc/gcrypt.texi: Add SHA3 algorithms and gcry_md_extract. + * src/cipher-proto.h (gcry_md_extract_t): New. + (gcry_md_spec_t): Add 'extract'. + * src/gcrypt-int.g (_gcry_md_extract): New. + * src/gcrypt.h.in (gcry_md_extract): New. + * src/libgcrypt.def: Add gcry_md_extract. + * src/libgcrypt.vers: Add gcry_md_extract. + * src/visibility.c (gcry_md_extract): New. + * src/visibility.h (gcry_md_extract): New. + + md: check hmac flag in prepare_macpads. + + commit cee2e122ec6c1886957a8d47498eb63a6a921725 + * cipher/md.c (prepare_macpads): Check hmac flag. + + keccak: rewrite for improved performance. + + commit 74184c28fbe7ff58cf57f0094ef957d94045da7d + * cipher/Makefile.am: Add 'keccak_permute_32.h' and + 'keccak_permute_64.h'. + * cipher/hash-common.h [USE_SHA3] (MD_BLOCK_MAX_BLOCKSIZE): Remove. + * cipher/keccak.c (USE_64BIT, USE_32BIT, USE_64BIT_BMI2) + (USE_64BIT_SHLD, USE_32BIT_BMI2, NEED_COMMON64, NEED_COMMON32BI) + (keccak_ops_t): New. + (KECCAK_STATE): Add 'state64' and 'state32bi' members. + (KECCAK_CONTEXT): Remove 'bctx'; add 'blocksize', 'count' and 'ops'. + (rol64, keccak_f1600_state_permute): Remove. + [NEED_COMMON64] (round_consts_64bit, keccak_extract_inplace64): New. + [NEED_COMMON32BI] (round_consts_32bit, keccak_extract_inplace32bi) + (keccak_absorb_lane32bi): New. + [USE_64BIT] (ANDN64, ROL64, keccak_f1600_state_permute64) + (keccak_absorb_lanes64, keccak_generic64_ops): New. + [USE_64BIT_SHLD] (ANDN64, ROL64, keccak_f1600_state_permute64_shld) + (keccak_absorb_lanes64_shld, keccak_shld_64_ops): New. + [USE_64BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute64_bmi2) + (keccak_absorb_lanes64_bmi2, keccak_bmi2_64_ops): New. + [USE_32BIT] (ANDN64, ROL64, keccak_f1600_state_permute32bi) + (keccak_absorb_lanes32bi, keccak_generic32bi_ops): New. + [USE_32BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute32bi_bmi2) + (pext, pdep, keccak_absorb_lane32bi_bmi2, keccak_absorb_lanes32bi_bmi2) + (keccak_extract_inplace32bi_bmi2, keccak_bmi2_32bi_ops): New. + (keccak_write): New. + (keccak_init): Adjust to KECCAK_CONTEXT changes; add implementation + selection based on HWF features. + (keccak_final): Adjust to KECCAK_CONTEXT changes; use selected 'ops' + for state manipulation. + (keccak_read): Adjust to KECCAK_CONTEXT changes. + (_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256) + (_gcry_digest_spec_sha3_348, _gcry_digest_spec_sha3_512): Use + 'keccak_write' instead of '_gcry_md_block_write'. + * cipher/keccak_permute_32.h: New. + * cipher/keccak_permute_64.h: New. + + hwf-x86: add detection for Intel CPUs with fast SHLD instruction. + + commit 909644ef5883927262366c356eed530e55aba478 + * cipher/sha1.c (sha1_init): Use HWF_INTEL_FAST_SHLD instead of + HWF_INTEL_CPU. + * cipher/sha256.c (sha256_init, sha224_init): Ditto. + * cipher/sha512.c (sha512_init, sha384_init): Ditto. + * src/g10lib.h (HWF_INTEL_FAST_SHLD): New. + (HWF_INTEL_BMI2, HWF_INTEL_SSSE3, HWF_INTEL_PCLMUL, HWF_INTEL_AESNI) + (HWF_INTEL_RDRAND, HWF_INTEL_AVX, HWF_INTEL_AVX2) + (HWF_ARM_NEON): Update. + * src/hwf-x86.c (detect_x86_gnuc): Add detection of Intel Core + CPUs with fast SHLD/SHRD instruction. + * src/hwfeatures.c (hwflist): Add "intel-fast-shld". + + Fix OCB amd64 assembly implementations for x32. + + commit 16fd540f4d01eb6dc23d9509ae549353617c7a67 + * cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc) + (_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth) + (_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec) + (_gcry_camellia_aesni_avx2_ocb_auth, _gcry_camellia_ocb_crypt) + (_gcry_camellia_ocb_auth): Change 'Ls' from pointer array to u64 array. + * cipher/serpent.c (_gcry_serpent_sse2_ocb_enc) + (_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth) + (_gcry_serpent_avx2_ocb_enc, _gcry_serpent_avx2_ocb_dec) + (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Ditto. + * cipher/twofish.c (_gcry_twofish_amd64_ocb_enc) + (_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth) + (twofish_amd64_ocb_enc, twofish_amd64_ocb_dec, twofish_amd64_ocb_auth) + (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Ditto. + + bench-slope: add KDF/PBKDF2 benchmark. + + commit ae40af427fd2a856b24ec2a41323ec8b80ffc9c0 + * tests/bench-slope.c (bench_kdf_mode, bench_kdf_init, bench_kdf_free) + (bench_kdf_do_bench, kdf_ops, kdf_bench_one, kdf_bench): New. + (print_help): Add 'kdf'. + (main): Add KDF benchmarks. + +2015-10-22 NIIBE Yutaka + + md: keep contexts for HMAC in GcryDigestEntry. + + commit f7505b550dd591e33d3a3fab9277c43c460f1bad + * cipher/md.c (struct gcry_md_context): Add flags.hmac. + Remove macpads and mcpads_Bsize. + (md_open): Initialize flags.hmac. Remove macpads initialization. + (md_enable): Allocate contexts when flags.hmac is enabled. + (md_copy): Remove macpads copying. Add copying contexts. + (_gcry_md_reset): When flags.hmac is enabled, restore precomputed + context with input pad + (md_close): Remove macpads wiping. + (md_final): When flags.hmac is enabled, compute hmac by precomputed + context with output pad. + (prepare_macpads): Prepare precomputed contexts with input pad and + output pad for each registered digest entry. + (_gcry_md_setkey): Just call prepare_macpads. + +2015-10-15 NIIBE Yutaka + + Fix double free on error. + + commit 1c6d2698a84e4bf82735287c1d64954bfc1a1982 + * src/hmac256.c (_gcry_hmac256_finalize): Don't free HD. + +2015-10-14 NIIBE Yutaka + + Fix gpg_error_t and gpg_err_code_t confusion. + + commit 813565a07ca575c87e1252c6ed26018653ecd338 + * src/gcrypt-int.h (_gcry_sexp_extract_param): Revert the change. + * cipher/dsa.c (dsa_check_secret_key): Ditto. + * src/sexp.c (_gcry_sexp_extract_param): Return gpg_err_code_t. + + * src/gcrypt-int.h (_gcry_err_make_from_errno) + (_gcry_error_from_errno): Return gpg_error_t. + * cipher/cipher.c (_gcry_cipher_open_internal) + (_gcry_cipher_ctl, _gcry_cipher_ctl): Don't use gcry_error. + * src/global.c (_gcry_vcontrol): Likewise. + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Use + gpg_err_code_from_syserror. + * cipher/mac.c (mac_reset, mac_setkey, mac_setiv, mac_write) + (mac_read, mac_verify): Return gcry_err_code_t. + * cipher/rsa-common.c (mgf1): Use gcry_err_code_t for ERR. + * src/visibility.c (gcry_error_from_errno): Return gpg_error_t. + +2015-10-13 Jussi Kivilinna + + Fix compiling AES/AES-NI implementation on linux-i386. + + commit fa94b6111948a614ebdcb67f7942eced8b84c579 + * cipher/rijndael-aesni.c (do_aesni_ctr_4): Split assembly block in + two parts to reduce number of register constraints needed. + +2015-10-13 NIIBE Yutaka + + Fix declaration of return type. + + commit 73374fdd27c7ba28b19f9672c68a6f5b72252fe5 + * src/gcrypt-int.h (_gcry_sexp_extract_param): Return gpg_error_t. + * cipher/dsa.c (dsa_generate): Fix call to _gcry_sexp_extract_param. + * src/g10lib.h (_gcry_vcontrol): Return gcry_err_code_t. + * src/visibility.c (gcry_mpi_snatch): Fix call to _gcry_mpi_snatch. + +2015-09-07 Werner Koch + + Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls. + + commit 3a3d5410cc83f7069c7cb1ab384905f382292d32 + * src/secmem.c (lock_pool, secmem_init): Do not call any cap_ + functions if NO_PRIV_DROP is set. + +2015-09-04 Werner Koch + + w32: Avoid a few compiler warnings. + + commit e97c62a4a687b56d00a2d0a63e072a977f8eb81c + * cipher/cipher-selftest.c (_gcry_selftest_helper_cbc) + (_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Mark variable + as unused. + * random/rndw32.c (slow_gatherer): Avoid signed pointer mismatch + warning. + * src/secmem.c (init_pool): Avoid unused variable warning. + * tests/random.c (writen, readn): Include on if needed. + + w32: Fix alignment problem with AESNI on Windows >= 8. + + commit e2785a2268702312529521df3bd2f4e6b43cea3a + * cipher/cipher-selftest.c (_gcry_cipher_selftest_alloc_ctx): New. + * cipher/rijndael.c (selftest_basic_128, selftest_basic_192) + (selftest_basic_256): Allocate context on the heap. + +2015-08-31 Werner Koch + + rsa: Add verify after sign to avoid Lenstra's CRT attack. + + commit c17f84bd02d7ee93845e92e20f6ddba814961588 + * cipher/rsa.c (rsa_sign): Check the CRT. + + Add pubkey algo id for EdDSA. + + commit dd87639abd38afc91a6f27af33f0ba17402ad02d + * src/gcrypt.h.in (GCRY_PK_EDDSA): New. + +2015-08-25 Werner Koch + + Add configure option --enable-build-timestamp. + + commit a785cc3db0c4e8eb8ebbf784b833a40d2c42ec3e + * configure.ac (BUILD_TIMESTAMP): Set to "" by default. + +2015-08-23 Werner Koch + + tests: Add missing files for the make distcheck target. + + commit fb3cb47b0a29d3e73150297aa4495c20915e4a75 + * tests/Makefile.am (EXTRA_DIST): Add sha3-x test vector files. + +2015-08-19 Werner Koch + + Change SHA-3 algorithm ids. + + commit 65639ecaaeba642e40487446c40d045482001285 + * src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256) + (GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): Change values. + +2015-08-12 Jussi Kivilinna + + Keccak: Fix array indexes in θ step. + + commit 48822ae0b436bcea0fe92dbf0d88475ba3179320 + * cipher/keccak.c (keccak_f1600_state_permute): Fix indexes for D[5]. + + Simplify OCB offset calculation for parallel implementations. + + commit 24ebf53f1e8a8afa27dcd768339bda70a740bb03 + * cipher/camellia-glue.c (_gcry_camellia_ocb_crypt) + (_gcry_camellia_ocb_auth): Precalculate Ls array always, instead of + just if 'blkn % == 0'. + * cipher/serpent.c (_gcry_serpent_ocb_crypt) + (_gcry_serpent_ocb_auth): Ditto. + * cipher/rijndael-aesni.c (get_l): Remove low-bit checks. + (aes_ocb_enc, aes_ocb_dec, _gcry_aes_aesni_ocb_auth): Handle leading + blocks until block counter is multiple of 4, so that parallel block + processing loop can use 'c->u_mode.ocb.L' array directly. + * tests/basic.c (check_ocb_cipher_largebuf): Rename to... + (check_ocb_cipher_largebuf_split): ...this and add option to process + large buffer as two split buffers. + (check_ocb_cipher_largebuf): New. + + Add carryless 8-bit addition fast-path for AES-NI CTR mode. + + commit e11895da1f4af9782d89e92ba2e6b1a63235b54b + * cipher/rijndael-aesni.c (do_aesni_ctr_4): Do addition using + CTR in big-endian form, if least-significant byte does not overflow. + +2015-08-10 Jussi Kivilinna + + Add additional SHA3 test-vectors. + + commit 80321eb3a63a20f86734d6eebb3f419c0ec895aa + * tests/basic.c (check_digests): Allow datalen to be specified so that + input data can have byte with value 0x00; Include sha3-*.h header files + to test-vector structure. + * tests/sha3-224.h: New. + * tests/sha3-256.h: New. + * tests/sha3-384.h: New. + * tests/sha3-512.h: New. + + Add generic SHA3 implementation. + + commit 434ba17d1d5ad59c70d721ad3ecb376c2403a7e5 + * cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE): Increase blocksize + USE_SHA3 enabled. + * cipher/keccak.c (SHA3_DELIMITED_SUFFIX, SHAKE_DELIMITED_SUFFIX): New. + (KECCAK_STATE): Add proper state. + (KECCAK_CONTEXT): Add 'outlen'. + (rol64, keccak_f1600_state_permute, transform_blk, transform): New. + (keccak_init): Add proper initialization. + (keccak_final): Add proper finalization. + (selftests_keccak): Add selftests. + (oid_spec_sha3_224, oid_spec_sha3_256, oid_spec_sha3_384) + (oid_spec_sha3_512): Add OID. + (_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256) + (_gcry_digest_spec_sha3_384, _gcry_digest_spec_sha3_512): Fix output + length. + * cipher/mac-hmac.c (map_mac_algo_to_md): Fix mapping for SHA3-512. + (hmac_get_keylen): Return proper blocksizes for SHA3 algorithms. + [USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224) + (_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384) + (_gcry_mac_type_spec_hmac_sha3_512): New. + * cipher/mac-internal [USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224) + (_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384) + (_gcry_mac_type_spec_hmac_sha3_512): New. + * cipher/mac.c (mac_list) [USE_SHA3]: Add SHA3 algorithms. + * cipher/md.c (md_open): Use proper SHA-3 blocksizes for HMAC macpads. + * tests/basic.c (check_digests): Add SHA3 test vectors. + + Optimize OCB offset calculation. + + commit 49f52c67fb42c0656c8f9af655087f444562ca82 + * cipher/cipher-internal.h (ocb_get_l): New. + * cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate) + (ocb_crypt): Use 'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'. + * cipher/camellia-glue.c (get_l): Remove. + (_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Precalculate + offset array when block count matches parallel operation size; Use + 'ocb_get_l' instead of 'get_l'. + * cipher/rijndael-aesni.c (get_l): Add fast path for 75% most common + offsets. + (aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Precalculate + offset array when block count matches parallel operation size. + * cipher/rijndael-ssse3-amd64.c (get_l): Add fast path for 75% most + common offsets. + * cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Use + 'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'. + * cipher/serpent.c (get_l): Remove. + (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Precalculate + offset array when block count matches parallel operation size; Use + 'ocb_get_l' instead of 'get_l'. + * cipher/twofish.c (get_l): Remove. + (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Use 'ocb_get_l' + instead of 'get_l'. + +2015-08-10 NIIBE Yutaka + + ecc: fix Montgomery curve bugs. + + commit ce746936b6c210e602d106cfbf45cf60b408d871 + * cipher/ecc.c (check_secret_key): Y1 should not be NULL when check. + (ecc_check_secret_key): Support Montgomery curve. + * mpi/ec.c (_gcry_mpi_ec_curve_point): Fix condition. + +2015-08-08 Werner Koch + + Add framework to eventually support SHA3. + + commit 0e17f7a05bba309a87811992aa47a77af9935b99 + * src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256) + (GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): New. + (GCRY_MAC_HMAC_SHA3_224, GCRY_MAC_HMAC_SHA3_256) + (GCRY_MAC_HMAC_SHA3_384, GCRY_MAC_HMAC_SHA3_512): New. + * cipher/keccak.c: New with stub functions. + * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add keccak.c. + * configure.ac (available_digests): Add sha3. + (USE_SHA3): New. + * src/fips.c (run_hmac_selftests): Add SHA3 to the required selftests. + * cipher/md.c (digest_list) [USE_SHA3]: Add standard SHA3 algos. + (md_open): Ditto for hmac processing. + * cipher/mac-hmac.c (map_mac_algo_to_md): Add mapping. + * cipher/hmac-tests.c (run_selftests): Prepare for tests. + * cipher/pubkey-util.c (get_hash_algo): Add "sha3-xxx". + +2015-08-06 Werner Koch + + tools: Fix memory leak for functions "I" and "G". + + commit 10789e3cdda7b944acb4b59624c34a2ccfaea6e5 + * src/mpicalc.c (do_inv, do_gcd): Init A after stack check. + +2015-08-06 Ismo Puustinen + + ecc: Free memory also when in error branch. + + commit 1d896371fbc94c605fce35eabcde01e24dd22892 + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Init DISGEST and goto + leave on error. + +2015-08-06 NIIBE Yutaka + + Add Curve25519 support. + + commit e93f4c21c59756604440ad8cbf27e67d29c99ffd + * cipher/ecc-curves.c (curve_aliases, domain_parms): Add Curve25519. + * tests/curves.c (N_CURVES): It's 22 now. + * src/cipher.h (PUBKEY_FLAG_DJB_TWEAK): New. + * cipher/ecc-common.h (_gcry_ecc_mont_decodepoint): New. + * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): New. + * cipher/ecc.c (nist_generate_key): Handle the case of + PUBKEY_FLAG_DJB_TWEAK and Montgomery curve. + (test_ecdh_only_keys, check_secret_key): Likewise. + (ecc_generate): Support Curve25519 which is Montgomery curve with flag + PUBKEY_FLAG_DJB_TWEAK and PUBKEY_FLAG_COMP. + (ecc_encrypt_raw): Get flags from KEYPARMS and handle + PUBKEY_FLAG_DJB_TWEAK and Montgomery curve. + (ecc_decrypt_raw): Likewise. + (compute_keygrip): Handle the case of PUBKEY_FLAG_DJB_TWEAK. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): + PUBKEY_FLAG_EDDSA implies PUBKEY_FLAG_DJB_TWEAK. + Parse "djb-tweak" for PUBKEY_FLAG_DJB_TWEAK. + +2015-07-27 Jussi Kivilinna + + Reduce code size for Twofish key-setup and remove key dependend branch. + + commit b4b1d872ba651bc44761b35d245b1a519a33f515 + * cipher/twofish.c (poly_to_exp): Increase size by one, change type + from byte to u16 and insert '492' to index 0. + (exp_to_poly): Increase size by 256, let new cells have zero value. + (CALC_S): Execute unconditionally with help of modified tables. + (do_twofish_setkey): Change type for 'tmp' to 'unsigned int'; Un-unroll + CALC_K256 and CALC_K phases to reduce generated object size. + + Reduce amount of duplicated code in OCB bulk implementations. + + commit e950052bc6f5ff11a7c23091ff3f6b5cc431e875 + * cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate) + (ocb_crypt): Change bulk function to return number of unprocessed + blocks. + * src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) + (_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth) + (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth) + (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type + to 'size_t'. + * cipher/camellia-glue.c (get_l): Only if USE_AESNI_AVX or + USE_AESNI_AVX2 defined. + (_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Change return type + to 'size_t' and return remaining blocks; Remove unaccelerated common + code path. Enable remaining common code only if USE_AESNI_AVX or + USE_AESNI_AVX2 defined; Remove unaccelerated common code. + * cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Change + return type to 'size_t' and return zero. + * cipher/serpent.c (get_l): Only if USE_SSE2, USE_AVX2 or USE_NEON + defined. + (_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Change return type + to 'size_t' and return remaining blocks; Remove unaccelerated common + code path. Enable remaining common code only if USE_SSE2, USE_AVX2 or + USE_NEON defined; Remove unaccelerated common code. + * cipher/twofish.c (get_l): Only if USE_AMD64_ASM defined. + (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type + to 'size_t' and return remaining blocks; Remove unaccelerated common + code path. Enable remaining common code only if USE_AMD64_ASM defined; + Remove unaccelerated common code. + + Add bulk OCB for Serpent SSE2, AVX2 and NEON implementations. + + commit adbdca0d58f9c06dc3850b95e3455e179c1e6960 + * cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk + functions for Serpent. + * cipher/serpent-armv7-neon.S: Add OCB assembly functions. + * cipher/serpent-avx2-amd64.S: Add OCB assembly functions. + * cipher/serpent-sse2-amd64.S: Add OCB assembly functions. + * cipher/serpent.c (_gcry_serpent_sse2_ocb_enc) + (_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth) + (_gcry_serpent_neon_ocb_enc, _gcry_serpent_neon_ocb_dec) + (_gcry_serpent_neon_ocb_auth, _gcry_serpent_avx2_ocb_enc) + (_gcry_serpent_avx2_ocb_dec, _gcry_serpent_avx2_ocb_auth): New + prototypes. + (get_l, _gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): New. + * src/cipher.h (_gcry_serpent_ocb_crypt) + (_gcry_serpent_ocb_auth): New. + * tests/basic.c (check_ocb_cipher): Add test-vector for serpent. + + Add bulk OCB for Twofish AMD64 implementation. + + commit 7f6804c37c4b41d85fb26aa723b1c41e4a3cf278 + * cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk + functions for Twofish. + * cipher/twofish-amd64.S: Add OCB assembly functions. + * cipher/twofish.c (_gcry_twofish_amd64_ocb_enc) + (_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth): New + prototypes. + (call_sysv_fn5, call_sysv_fn6, twofish_amd64_ocb_enc) + (twofish_amd64_ocb_dec, twofish_amd64_ocb_auth, get_l) + (_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): New. + * src/cipher.h (_gcry_twofish_ocb_crypt) + (_gcry_twofish_ocb_auth): New. + * tests/basic.c (check_ocb_cipher): Add test-vector for Twofish. + + Add bulk OCB for Camellia AES-NI/AVX and AES-NI/AVX2 implementations. + + commit bb088c6b1620504fdc79e89af27c2bf3fb02b4b4 + * cipher/camellia-aesni-avx-amd64.S: Add OCB assembly functions. + * cipher/camellia-aesni-avx2-amd64.S: Add OCB assembly functions. + * cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc) + (_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth) + (_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec) + (_gcry_camellia_aesni_avx2_ocb_auth): New prototypes. + (get_l, _gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): New. + * cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk + functions for Camellia. + * src/cipher.h (_gcry_camellia_ocb_crypt) + (_gcry_camellia_ocb_auth): New. + * tests/basic.c (check_ocb_cipher): Add test-vector for Camellia. + +2015-07-26 Jussi Kivilinna + + Add OCB bulk mode for AES SSSE3 implementation. + + commit 620e1e0300c79943a1846a49563b04386dc60546 + * cipher/rijndael-ssse3-amd64.c (SSSE3_STATE_SIZE): New. + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): Use + 'ssse3_state' for storing current SSSE3 state. + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] + (vpaes_ssse3_cleanup): Restore SSSE3 state from 'ssse3_state'. + (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption) + (_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_cfb_enc) + (_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc) + (_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_dec) + (_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_cbc_dec): Add 'ssse3_state' + array. + (get_l, ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_crypt) + (_gcry_aes_ssse3_ocb_auth): New. + * cipher/rijndael.c (_gcry_aes_ssse3_ocb_crypt) + (_gcry_aes_ssse3_ocb_auth): New. + (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_SSSE3]: Use SSSE3 + implementation for OCB. + +2015-07-26 Peter Wu + + Fix undefined behavior wrt memcpy. + + commit 46c072669eb81ed610cc5b3c0dc0c75a143afbb4 + * cipher/cipher-gcm.c: Do not copy zero bytes from an empty buffer. Let + the function continue to add padding as needed though. + * cipher/mac-poly1305.c: If the caller requested to finish the hash + function without a copy of the result, return immediately. + +2015-07-23 Peter Wu + + build: ignore scissor line for the commit-msg hook. + + commit ada0a7d302cca97b327faaacac7a5d0b8043df88 + * build-aux/git-hooks/commit-msg: Stop processing more lines when the + scissor line is encountered. + +2015-07-16 Peter Wu + + rsa: Fix error in comments. + + commit 9cd55e8e948f0049cb23495f536decf797d072f7 + * cipher/rsa.c: Fix. + +2015-07-14 Peter Wu + + sexp: Fix invalid deallocation in error path. + + commit 0f9532b186c1e0b54d7e7a6d76bce82b6226122b + * src/sexp.c: Fix wrong condition. + +2015-07-10 Peter Wu + + ecc: fix memory leak. + + commit 2a7aa3ea4d03a9c808d5888f5509c08cd27aa27c + * cipher/ecc.c (ecc_verify): Release memory which was allocated before + by _gcry_pk_util_preparse_sigval. + (ecc_decrypt_raw): Likewise. + +2015-07-06 NIIBE Yutaka + + ecc: fix memory leaks. + + commit 0a7547e487a8bc4e7ac9599c55579eb2e4a13f06 + cipher/ecc.c (ecc_generate): Fix memory leak on error of + _gcry_pk_util_parse_flaglist and _gcry_ecc_eddsa_encodepoint. + (ecc_check_secret_key): Fix memory leak on error of + _gcry_ecc_update_curve_param. + (ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Remove + unnecessary sexp_release and fix memory leak on error of + _gcry_ecc_fill_in_curve. + (ecc_decrypt_raw): Fix double free of the point kG and memory leak + on error of _gcry_ecc_os2ec. + +2015-06-11 NIIBE Yutaka + + mpi: Support FreeBSD 10 or later. + + commit a36ee7501f68ad7ebcfe31f9659430b9d2c3ddd1 + * mpi/config.links: Include FreeBSD 10 to 29. + +2015-05-21 Werner Koch + + ecc: Add key generation flag "no-keytest". + + commit 2bddd947fd1c11b4ec461576db65a5e34fea1b07 + * src/cipher.h (PUBKEY_FLAG_NO_KEYTEST): New. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag + "no-keytest". Return an error for invalid flags of length 10. + + * cipher/ecc.c (nist_generate_key): Replace arg random_level by flags + set random level depending on flags. + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto. + * cipher/ecc.c (ecc_generate): Pass flags to generate fucntion and + remove var random_level. + (nist_generate_key): Implement "no-keytest" flag. + + * tests/keygen.c (check_ecc_keys): Add tests for transient-key and + no-keytest. + + ecc: Avoid double conversion to affine coordinates in keygen. + + commit 102d68b3bd77813a3ff989526855bb1e283bf9d7 + * cipher/ecc.c (nist_generate_key): Add args r_x and r_y. + (ecc_generate): Rename vars. Convert to affine coordinates only if + not returned by the lower level generation function. + + random: Change initial extra seeding from 2400 bits to 128 bits. + + commit 8124e357b732a719696bfd5271def4e528f2a1e1 + * random/random-csprng.c (read_pool): Reduce initial seeding. + +2015-05-14 Jussi Kivilinna + + Enable AMD64 Twofish implementation on WIN64. + + commit 9b0c6c8141ae9bd056392a3f6b5704b505fc8501 + * cipher/twofish-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/twofish.c (USE_AMD64_ASM): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New. + (twofish_amd64_encrypt_block, twofish_amd64_decrypt_block) + (twofish_amd64_ctr_enc, twofish_amd64_cbc_dec) + (twofish_amd64_cfb_dec): New wrapper functions for AMD64 + assembly functions. + + Enable AMD64 Serpent implementations on WIN64. + + commit eb0ed576893b6c7990dbcb568510f831d246cea6 + * cipher/serpent-avx2-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/serpent-sse2-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/chacha20.c (USE_SSE2, USE_AVX2): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [USE_SSE2 || USE_AVX2] (ASM_FUNC_ABI): New. + (_gcry_serpent_sse2_ctr_enc, _gcry_serpent_sse2_cbc_dec) + (_gcry_serpent_sse2_cfb_dec, _gcry_serpent_avx2_ctr_enc) + (_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Add + ASM_FUNC_ABI. + + Enable AMD64 Salsa20 implementation on WIN64. + + commit 12bc93ca8187b8061c2e705427ef22f5a71d29b0 + * cipher/salsa20-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/salsa20.c (USE_AMD64): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [USE_AMD64] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New. + (_gcry_salsa20_amd64_keysetup, _gcry_salsa20_amd64_ivsetup) + (_gcry_salsa20_amd64_encrypt_blocks): Add ASM_FUNC_ABI. + [USE_AMD64] (salsa20_core): Add ASM_EXTRA_STACK. + (salsa20_do_encrypt_stream) [USE_AMD64]: Add ASM_EXTRA_STACK. + + Enable AMD64 Poly1305 implementations on WIN64. + + commit 8d7de4dbf7732c6eb9e9853ad7c19c89075ace6f + * cipher/poly1305-avx2-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/poly1305-sse2-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/poly1305-internal.h (POLY1305_SYSV_FUNC_ABI): New. + (POLY1305_USE_SSE2, POLY1305_USE_AVX2): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (OPS_FUNC_ABI): New. + (poly1305_ops_t): Use OPS_FUNC_ABI. + * cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext) + (_gcry_poly1305_amd64_sse2_finish_ext) + (_gcry_poly1305_amd64_sse2_blocks, _gcry_poly1305_amd64_avx2_init_ext) + (_gcry_poly1305_amd64_avx2_finish_ext) + (_gcry_poly1305_amd64_avx2_blocks, _gcry_poly1305_armv7_neon_init_ext) + (_gcry_poly1305_armv7_neon_finish_ext) + (_gcry_poly1305_armv7_neon_blocks, poly1305_init_ext_ref32) + (poly1305_blocks_ref32, poly1305_finish_ext_ref32) + (poly1305_init_ext_ref8, poly1305_blocks_ref8) + (poly1305_finish_ext_ref8): Use OPS_FUNC_ABI. + + Enable AMD64 3DES implementation on WIN64. + + commit b65e9e71d5ee992db5c96793c6af999545daad28 + * cipher/des-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/des.c (USE_AMD64_ASM): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New. + (tripledes_ecb_crypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call + assembly function through 'call_sysv_fn'. + (tripledes_amd64_ctr_enc, tripledes_amd64_cbc_dec) + (tripledes_amd64_cfb_dec): New wrapper functions for bulk + assembly functions. + + Enable AMD64 ChaCha20 implementations on WIN64. + + commit 9597cfddf03c467825da152be5ca0d12a8c30d88 + * cipher/chacha20-avx2-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/chacha20-sse2-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/chacha20-ssse3-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/chacha20.c (USE_SSE2, USE_SSSE3, USE_AVX2): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ASM_FUNC_ABI, ASM_EXTRA_STACK): New. + (chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks) + (_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks) + (_gcry_chacha20_armv7_neon_blocks, chacha20_blocks): Add ASM_FUNC_ABI. + (chacha20_core): Add ASM_EXTRA_STACK. + + Enable AMD64 CAST5 implementation on WIN64. + + commit 6a6646df80386204675d8b149ab60e74d7ca124c + * cipher/cast5-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (RIP): Remove. + (GET_EXTERN_POINTER): Use 'leaq' version on WIN64. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/cast5.c (USE_AMD64_ASM): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New. + (do_encrypt_block, do_decrypt_block) + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly + function through 'call_sysv_fn'. + (cast5_amd64_ctr_enc, cast5_amd64_cbc_dec) + (cast5_amd64_cfb_dec): New wrapper functions for bulk + assembly functions. + + Enable AMD64 Camellia implementations on WIN64. + + commit 9a4fb3709864bf3e3918800d44ff576590cd4e92 + * cipher/camellia-aesni-avx-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/camellia-aesni-avx2-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/camellia-glue.c (USE_AESNI_AVX, USE_AESNI_AVX2): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [USE_AESNI_AVX || USE_AESNI_AVX2] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New. + (_gcry_camellia_aesni_avx_ctr_enc, _gcry_camellia_aesni_avx_cbc_dec) + (_gcry_camellia_aesni_avx_cfb_dec, _gcry_camellia_aesni_avx_keygen) + (_gcry_camellia_aesni_avx2_ctr_enc, _gcry_camellia_aesni_avx2_cbc_dec) + (_gcry_camellia_aesni_avx2_cfb_dec): Add ASM_FUNC_ABI. + + Enable AMD64 Blowfish implementation on WIN64. + + commit e05682093ffb003b589a697428d918d755ac631d + * cipher/blowfish-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/blowfish.c (USE_AMD64_ASM): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New. + (do_encrypt, do_encrypt_block, do_decrypt_block) + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly + function through 'call_sysv_fn'. + (blowfish_amd64_ctr_enc, blowfish_amd64_cbc_dec) + (blowfish_amd64_cfb_dec): New wrapper functions for bulk + assembly functions. + .. + + Enable AMD64 arcfour implementation on WIN64. + + commit c46b015bedba7ce0db68929bd33a86a54ab3d919 + * cipher/arcfour-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/arcfour.c (USE_AMD64_ASM): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (do_encrypt, do_decrypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Use + assembly block to call AMD64 assembly function. + + Update documentation for Poly1305-ChaCha20 AEAD, RFC-7539. + + commit ee8fc4edcb3466b03246c8720b90731bf274ff1d + * cipher/cipher-poly1305.c: Add RFC-7539 to header. + * doc/gcrypt.texi: Update Poly1305 AEAD documentation with mention of + RFC-7539; Drop Salsa from supported stream ciphers for Poly1305 AEAD. + + hwf-x86: use edi for passing value to ebx for i386 cpuid. + + commit bac42c68b069f17abcca810a21439c7233815747 + * src/hwf-x86.c [__i386__] (get_cpuid): Use '=D' for regs[1] instead + of '=r'. + + hwf-x86: add EDX as output register for xgetbv asm block. + + commit e15beb584a5ebdfc363e1ff15f87102508652d71 + * src/hwf-x86.c (get_xgetbv): Add EDX as output. + +2015-05-04 Werner Koch + + build: Update build-aux files. + + commit 5a7d55eed3316f40ca61acbee032bfc285e28803 + + + Fix possible regression on old 32 bit mingw compilers. + + commit 090ca7435156b5f52064357dd59059570d466f46 + * acinclude.m4: Add new pattern for mingw32. + + build: Add new file. + + commit 4af52b2e72ce004b7d8f99e09c4324e3c2a84379 + * mpi/amd64/distfiles: Add func_abi.h. + +2015-05-03 Jussi Kivilinna + + Fix WIN64 assembly glue for AES. + + commit 24a769a7c7601dbb85332e550f6fbd121b56df5f + * cipher/rinjdael.c (do_encrypt, do_decrypt) + [!HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Change input operands to + input+output to mark volatile nature of the used registers. + + Add '1 million a characters' test vectors. + + commit 2f4fefdbc62857b6e2da26ce111ee140a068c471 + * tests/basic.c (check_digests): Add "!" test vectors for MD5, SHA-384, + SHA-512, RIPEMD160 and CRC32. + +2015-05-02 Jussi Kivilinna + + More optimized CRC implementations. + + commit 06e122baa3321483a47bbf82fd2a4540becfa0c9 + * cipher/crc.c (crc32_table, crc24_table): Replace with new table + contents. + (update_crc32, CRC24_INIT, CRC24_POLY): Remove. + (crc32_next, crc32_next4, crc24_init, crc24_next, crc24_next4) + (crc24_final): New. + (crc24rfc2440_init): Use crc24_init. + (crc32_write): Rewrite to use crc32_next & crc32_next4. + (crc24_write): Rewrite to use crc24_next & crc24_next4. + (crc32_final, crc32rfc1510_final): Use buf_put_be32. + (crc24rfc2440_final): Use crc24_final & buf_put_le32. + * tests/basic.c (check_digests): Add CRC "123456789" tests. + + Enable AMD64 AES implementation for WIN64. + + commit 66129b3334a5aa54ff8a97981507e4704f759571 + * cipher/rijndael-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/rijndael-internal.h (USE_AMD64_ASM): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (do_encrypt, do_decrypt) + [USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Use + assembly block to call AMD64 assembly encrypt/decrypt function. + + Enable AMD64 Whirlpool implementation for WIN64. + + commit 8422d5d699265b960bd1ca837044ee052fc5b614 + * cipher/whirlpool-sse2-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/whirlpool.c (USE_AMD64_ASM): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [USE_AMD64_ASM] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New. + [USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64): Add ASM_FUNC_ABI to + prototype. + [USE_AMD64_ASM] (whirlpool_transform): Add ASM_EXTRA_STACK to stack + burn value. + + Enable AMD64 SHA512 implementations for WIN64. + + commit 1089a13073c26a9a456e43ec38d937e6ee7f4077 + * cipher/sha512-avx-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/sha512-avx-bmi2-amd64.S: Ditto. + * cipher/sha512-ssse3-amd64.S: Ditto. + * cipher/sha512.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI) + (ASM_EXTRA_STACK): New. + (_gcry_sha512_transform_amd64_ssse3, _gcry_sha512_transform_amd64_avx) + (_gcry_sha512_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to + prototypes. + (transform): Add ASM_EXTRA_STACK to stack burn value. + + Enable AMD64 SHA256 implementations for WIN64. + + commit 022959099644f64df5f2a83ade21159864f64837 + * cipher/sha256-avx-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/sha256-avx2-bmi2-amd64.S: Ditto. + * cipher/sha256-ssse3-amd64.S: Ditto. + * cipher/sha256.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI) + (ASM_EXTRA_STACK): New. + (_gcry_sha256_transform_amd64_ssse3, _gcry_sha256_transform_amd64_avx) + (_gcry_sha256_transform_amd64_avx2): Add ASM_FUNC_ABI to prototypes. + (transform): Add ASM_EXTRA_STACK to stack burn value. + + Enable AMD64 SHA1 implementations for WIN64. + + commit e433676a899fa0d274d40547166b03c7c8bd8e78 + * cipher/sha1-avx-amd64.S: Enable when + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + (ELF): New macro to mask lines with ELF specific commands. + * cipher/sha1-avx-bmi2-amd64.S: Ditto. + * cipher/sha1-ssse3-amd64.S: Ditto. + * cipher/sha1.c (USE_SSSE3, USE_AVX, USE_BMI2): Enable + when HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined. + [USE_SSSE3 || USE_AVX || USE_BMI2] (ASM_FUNC_ABI) + (ASM_EXTRA_STACK): New. + (_gcry_sha1_transform_amd64_ssse3, _gcry_sha1_transform_amd64_avx) + (_gcry_sha1_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to + prototypes. + (transform): Add ASM_EXTRA_STACK to stack burn value. + +2015-05-01 Jussi Kivilinna + + Enable AES/AES-NI, AES/SSSE3 and GCM/PCLMUL implementations on WIN64. + + commit 4e09aaa36d151c3312019724a77fc09aa345b82f + * cipher/cipher-gcm-intel-pclmul.c (_gcry_ghash_intel_pclmul) + ( _gcry_ghash_intel_pclmul) [__WIN64__]: Store non-volatile vector + registers before use and restore after. + * cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Remove dependency + on !defined(__WIN64__). + * cipher/rijndael-aesni.c [__WIN64__] (aesni_prepare_2_6_variable, + aesni_prepare, aesni_prepare_2_6, aesni_cleanup) + ( aesni_cleanup_2_6): New. + [!__WIN64__] (aesni_prepare_2_6_variable, aesni_prepare_2_6): New. + (_gcry_aes_aesni_do_setkey, _gcry_aes_aesni_cbc_enc) + (_gcry_aesni_ctr_enc, _gcry_aesni_cfb_dec, _gcry_aesni_cbc_dec) + (_gcry_aesni_ocb_crypt, _gcry_aesni_ocb_auth): Use + 'aesni_prepare_2_6'. + * cipher/rijndael-internal.h (USE_SSSE3): Enable if + HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS or + HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS. + (USE_AESNI): Remove dependency on !defined(__WIN64__) + * cipher/rijndael-ssse3-amd64.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] + (vpaes_ssse3_prepare, vpaes_ssse3_cleanup): New. + [!HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): New. + (vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec): Use + 'vpaes_ssse3_prepare'. + (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption): Use + 'vpaes_ssse3_prepare' and 'vpaes_ssse3_cleanup'. + [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (X): Add masking macro to + exclude '.type' and '.size' markers from assembly code, as they are + not support on WIN64/COFF objects. + * configure.ac (gcry_cv_gcc_attribute_ms_abi) + (gcry_cv_gcc_attribute_sysv_abi, gcry_cv_gcc_default_abi_is_ms_abi) + (gcry_cv_gcc_default_abi_is_sysv_abi) + (gcry_cv_gcc_win64_platform_as_ok): New checks. + + Add W64 support for mpi amd64 assembly. + + commit 460355f23e770637d29e3af7b998a957a2b5bc88 + acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Set + 'ac_cv_sys_symbol_underscore=no' on MingW-W64. + mpi/amd64/func_abi.h: New. + mpi/amd64/mpih-add1.S (_gcry_mpih_add_n): Add FUNC_ENTRY and FUNC_EXIT. + mpi/amd64/mpih-lshift.S (_gcry_mpih_lshift): Ditto. + mpi/amd64/mpih-mul1.S (_gcry_mpih_mul_1): Ditto. + mpi/amd64/mpih-mul2.S (_gcry_mpih_addmul_1): Ditto. + mpi/amd64/mpih-mul3.S (_gcry_mpih_submul_1): Ditto. + mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Ditto. + mpi/amd64/mpih-sub1.S (_gcry_mpih_sub_n): Ditto. + mpi/config.links [host=x86_64-*mingw*]: Enable assembly modules. + [host=x86_64-*-*]: Append mpi/amd64/func_abi.h to mpi/asm-syntax.h. + + DES: Silence compiler warnings on Windows. + + commit 6c21cf5fed1ad430fa41445eac2350802bc8aaed + * cipher/des.c (working_memcmp): Make pointer arguments 'const void *'. + + Cast pointers to integers using uintptr_t instead of long. + + commit 9cf224322007d90193d4910f0da6e0e29ce01d70 + + + Fix rndhw for 64-bit Windows build. + + commit d5a7e00b6b222566a5650639ef29684b047c1909 + * configure.ac: Add sizeof check for 'void *'. + * random/rndhw.c (poll_padlock): Check for SIZEOF_VOID_P == 8 + instead of defined(__LP64__). + (RDRAND_LONG): Check for SIZEOF_UNSIGNED_LONG == 8 instead of + defined(__LP64__). + + Prepare random/win32.c fast poll for 64-bit Windows. + + commit 0cdd24456b33defc7f8176fa82ab694fbc284385 + * random/win32.c (_gcry_rndw32_gather_random_fast) [ADD]: Rename to + ADDINT. + (_gcry_rndw32_gather_random_fast): Add ADDPTR. + (_gcry_rndw32_gather_random_fast): Disable entropy gathering from + GetQueueStatus(QS_ALLEVENTS). + (_gcry_rndw32_gather_random_fast): Change minimumWorkingSetSize and + maximumWorkingSetSize to SIZE_T from DWORD. + (_gcry_rndw32_gather_random_fast): Only add lower 32-bits of + minimumWorkingSetSize and maximumWorkingSetSize to random poll. + (_gcry_rndw32_gather_random_fast) [__WIN64__]: Read TSC directly + using intrinsic. + + Disable GCM and AES-NI assembly implementations for WIN64. + + commit f701954555340a503f6e52cc18d58b0c515427b7 + * cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Do not enable when + __WIN64__ defined. + * cipher/rijndael-internal.h (USE_AESNI): Ditto. + + Disable building mpi assembly routines on WIN64. + + commit e78560a4b717f7154f910a8ce4128de152f586da + * mpi/config.links: Disable assembly for host 'x86_64-*mingw32*'. + + Fix packed attribute check for Windows targets. + + commit e886e4f5e73fe6a9f9191f5155852ce5d8bb88fe + * configure.ac (gcry_cv_gcc_attribute_packed): Move 'long b' to its + own packed structure. + + Fix tail handling in buf_xor_1. + + commit c2dba93e639639bdac139b3a3a456d10ddc61f79 + * cipher/bufhelp.h (buf_xor_1): Increment source pointer at tail + handling. + + Add --disable-hwf for basic tests. + + commit 839a3bbe2bb045139223b32753d656cc6c3d4669 + * tests/basic.c (main): Add handling for '--disable-hwf'. + + Use more odd chuck sizes for check_one_md. + + commit 9f086ffa43f2507b9d17522a0a2e394cb273baf8 + * tests/basic.c (check_one_md): Make chuck size vary oddly, instead + of using fixed length of 1000 bytes. + + Enable more modes in basic ciphers test. + + commit e40eff94f9f8654c3d29e03bbb7e5ee6a43c1435 + * src/gcrypt.h.in (GCRY_OCB_BLOCK_LEN): New. + * tests/basic.c (check_one_cipher_core_reset): New. + (check_one_cipher_core): Use check_one_cipher_core_reset inplace of + gcry_cipher_reset. + (check_ciphers): Add CCM and OCB modes for block cipher tests. + + Fix reseting cipher in OCB mode. + + commit 88842cbc68beb4f73c87fdbcb74182cba818f789 + * cipher/cipher.c (cipher_reset): Setup default taglen for OCB after + clearing state. + +2015-04-30 Jussi Kivilinna + + Fix buggy RC4 AMD64 assembly and add test to notice similar issues. + + commit 124dfce7c5a2d9405fa2b2832e91ac1267943830 + * cipher/arcfour-amd64.S (_gcry_arcfour_amd64): Fix swapped store of + 'x' and 'y'. + * tests/basic.c (get_algo_mode_blklen): New. + (check_one_cipher_core): Add new tests for split buffer input on + encryption and decryption. + +2015-04-26 Jussi Kivilinna + + Disallow compiler from generating SSE instructions in mixed C+asm source + + commit f88266c0f868d7bf51a215d5531bb9f2b4dad19e + * cipher/cipher-gcm-intel-pclmul.c [gcc-version >= 4.4]: Add GCC target + pragma to disable compiler use of SSE. + * cipher/rijndael-aesni.c [gcc-version >= 4.4]: Ditto. + * cipher/rijndael-ssse3-amd64.c [gcc-version >= 4.4]: Ditto. + +2015-04-18 Jussi Kivilinna + + Add OCB bulk crypt/auth functions for AES/AES-NI. + + commit 305cc878d395475c46b4ef52f4764bd0c85bf8ac + * cipher/cipher-internal.h (gcry_cipher_handle): Add bulk.ocb_crypt + and bulk.ocb_auth. + (_gcry_cipher_ocb_get_l): New prototype. + * cipher/cipher-ocb.c (get_l): Rename to ... + (_gcry_cipher_ocb_get_l): ... this. + (_gcry_cipher_ocb_authenticate, ocb_crypt): Use bulk function when + available. + * cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk + functions for AES. + * cipher/rijndael-aesni.c (get_l, aesni_ocb_enc, aes_ocb_dec) + (_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): New. + * cipher/rijndael.c [USE_AESNI] (_gcry_aes_aesni_ocb_crypt) + (_gcry_aes_aesni_ocb_auth): New prototypes. + (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New. + * src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New + prototypes. + * tests/basic.c (check_ocb_cipher_largebuf): New. + (check_ocb_cipher): Add large buffer encryption/decryption test. + +2015-04-15 Werner Koch + + tests: Add option to time the S2K function. + + commit fe38d3815b4cd203cd529949e244aca80d32897f + * tests/t-kdf.c: Include stopwatch.h. + (dummy_consumer): new. + (bench_s2k): New. + (main): Add option parser and option --s2k. + + tests: Improve stopwatch.h. + + commit 3b03a3b493233a472da531d8d9582d1be6d376b0 + * tests/stopwatch.h (elapsed_time): Add arg divisor. + +2015-04-13 Werner Koch + + mpi: Fix gcry_mpi_copy for NULL opaque data. + + commit 9fca46864e1b5a9c788072113589454adb89fa97 + * mpi/mpiutil.c (_gcry_mpi_copy): Copy opaque only if needed. + +2015-03-21 Jussi Kivilinna + + wipememory: use one-byte aligned type for unaligned memory accesses. + + commit a06fbc0d1e98eb1218eff55ad2f37d471e4f33b2 + * src/g10lib.h (fast_wipememory2_unaligned_head): Enable unaligned + access only when HAVE_GCC_ATTRIBUTE_PACKED and + HAVE_GCC_ATTRIBUTE_ALIGNED defined. + (fast_wipememory_t): New. + (fast_wipememory2): Use 'fast_wipememory_t'. + + bufhelp: use one-byte aligned type for unaligned memory accesses. + + commit 92fa5f16d69707e302c0f85b2e5e80af8dc037f1 + * cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only when + HAVE_GCC_ATTRIBUTE_PACKED and HAVE_GCC_ATTRIBUTE_ALIGNED are defined. + (bufhelp_int_t): New type. + (buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst, buf_xor_n_copy_2): Use + 'bufhelp_int_t'. + [BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_u32_t, bufhelp_u64_t): New. + [BUFHELP_FAST_UNALIGNED_ACCESS] (buf_get_be32, buf_get_le32) + (buf_put_be32, buf_put_le32, buf_get_be64, buf_get_le64) + (buf_put_be64, buf_put_le64): Use 'bufhelp_uXX_t'. + * configure.ac (gcry_cv_gcc_attribute_packed): New. + + tests/bench-slope: fix memory-leak and use-after-free bugs. + + commit aa234561d00c3fb15fe501df4bf58f3db7c7c06b + * tests/bench-slope.c (do_slope_benchmark): Free 'measurements' at end. + (bench_mac_init): Move 'key' free at end of function. + +2015-03-19 Werner Koch + + Fix two pedantic warnings. + + commit f5832285b0e420d77be1b8da10a1e1d86583b414 + * src/gcrypt.h.in (gcry_mpi_flag, gcry_mac_algos): Remove trailing + comma. + +2015-03-16 Werner Koch + + Use well defined type instead of size_t in secmem.c. + + commit db8ae3616987fa288173446398a107e31e2e28aa + * src/secmem.c (ptr_into_pool_p): Replace size_t by uintptr_t. + + Make uintptr_t global available. + + commit f0f60c1a04d664936bcf52e8f46705bdc63e7ad9 + * cipher/bufhelp.h: Move include for uintptr_t to ... + * src/types.h: here. Check that config.h has been included. + + mpi: Remove useless condition. + + commit 0a9cdb8ae092d050ca12a7a4f2f50e25b82154ec + * mpi/mpi-pow.c: Remove condition rp==mp. + + cipher: Remove useless NULL check. + + commit fbb97dcf763e28e81e01092ad4c934b3eaf88cc8 + * cipher/hash-common.c (_gcry_md_block_write): Remove NUL check for + hd->buf. + +2015-02-28 Jussi Kivilinna + + Fix in-place encryption for OCB mode. + + commit 5e66a4f8d5a63f58caeee367433dd8dd32346083 + * cipher/cipher-ocb.c (ocb_checksum): New. + (ocb_crypt): Move checksum calculation outside main crypt loop, do + checksum calculation for encryption before inbuf is overwritten. + * tests/basic.c (check_ocb_cipher): Rename to ... + (do_check_ocb_cipher): ... to this and add argument for testing + in-place encryption/decryption. + (check_ocb_cipher): New. + +2015-02-27 NIIBE Yutaka + + tests: fix t-sexp.c. + + commit 505decf5369970219ddc9e78a20f97c623957b78 + * tests/t-sexp.c (bug_1594): Free N and PUBKEY. + + mpi: Avoid data-dependent timing variations in mpi_powm. + + commit 6636c4fd0c6ceab9f79827bf96967d1e112c0b82 + * mpi/mpi-pow.c (mpi_powm): Access all data in the table by + mpi_set_cond. + + mpi: Revise mpi_powm. + + commit 1fa8cdb933505960d4e4b4842b122d4e06953e88 + * mpi/mpi-pow.c (_gcry_mpi_powm): Rename the table to PRECOMP. + +2015-02-23 Werner Koch + + cipher: Use ciphertext blinding for Elgamal decryption. + + commit 410d70bad9a650e3837055e36f157894ae49a57d + * cipher/elgamal.c (USE_BLINDING): New. + (decrypt): Rewrite to use ciphertext blinding. + +2015-02-12 NIIBE Yutaka + + mpi: Add mpi_set_cond. + + commit 653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288 + * mpi/mpiutil.c (_gcry_mpi_set_cond): New. + (_gcry_mpi_swap_cond): Fix types. + * src/mpi.h (mpi_set_cond): New. + +2015-01-30 Werner Koch + + w32: Use -static-libgcc to avoid linking to libgcc_s_sjlj-1.dll. + + commit 40a7bdf50e19faaf106470897fed72af623adc50 + * src/Makefile.am (extra_ltoptions): New. + (libgcrypt_la_LDFLAGS): Use it. + +2015-01-28 Werner Koch + + Fix building of GOST s-boxes when cross-compiling. + + commit 2564d204e408b296425ac0660c6bdc6270575fb6 + * cipher/Makefile.am (gost-s-box): USe CC_FOR_BUILD. + (noinst_PROGRAMS): Remove. + (EXTRA_DIST): New. + (CLEANFILES): New. + +2015-01-20 Jussi Kivilinna + + rijndael: fix wrong ifdef for SSSE3 setkey. + + commit ceaa97f0d849c07f3a15b642fc3a2b0a477b4a47 + * cipher/rijndael.c (do_setkey): Use USE_SSSE3 instead of USE_AESNI + around SSSE3 setkey selection. + +2015-01-16 Werner Koch + + Add OCB cipher mode. + + commit 067d7d8752d4d8a98f8e0e5e9b1a5b13e1b7ff9c + * cipher/cipher-ocb.c: New. + * cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-ocb.c + * cipher/cipher-internal.h (OCB_BLOCK_LEN, OCB_L_TABLE_SIZE): New. + (gcry_cipher_handle): Add fields marks.finalize and u_mode.ocb. + * cipher/cipher.c (_gcry_cipher_open_internal): Add OCB mode. + (_gcry_cipher_open_internal): Setup default taglen of OCB. + (cipher_reset): Clear OCB specific data. + (cipher_encrypt, cipher_decrypt, _gcry_cipher_authenticate) + (_gcry_cipher_gettag, _gcry_cipher_checktag): Call OCB functions. + (_gcry_cipher_setiv): Add OCB specific nonce setting. + (_gcry_cipher_ctl): Add GCRYCTL_FINALIZE and GCRYCTL_SET_TAGLEN + + * src/gcrypt.h.in (GCRYCTL_SET_TAGLEN): New. + (gcry_cipher_final): New. + + * cipher/bufhelp.h (buf_xor_1): New. + + * tests/basic.c (hex2buffer): New. + (check_ocb_cipher): New. + (main): Call it here. Add option --cipher-modes. + * tests/bench-slope.c (bench_aead_encrypt_do_bench): Call + gcry_cipher_final. + (bench_aead_decrypt_do_bench): Ditto. + (bench_aead_authenticate_do_bench): Ditto. Check error code. + (bench_ocb_encrypt_do_bench): New. + (bench_ocb_decrypt_do_bench): New. + (bench_ocb_authenticate_do_bench): New. + (ocb_encrypt_ops): New. + (ocb_decrypt_ops): New. + (ocb_authenticate_ops): New. + (cipher_modes): Add them. + (cipher_bench_one): Skip wrong block length for OCB. + * tests/benchmark.c (cipher_bench): Add field noncelen to MODES. Add + OCB support. + +2015-01-15 Werner Koch + + Add functions to count trailing zero bits in a word. + + commit 9d2a22c94ae99f9301321082c4fb8d73f4085fda + * cipher/bithelp.h (_gcry_ctz, _gcry_ctz64): New. + * configure.ac (HAVE_BUILTIN_CTZ): Add new test. + +2015-01-08 Werner Koch + + cipher: Prepare for OCB mode. + + commit 9d328962660da72f094dc5424d5ef67abbaffdf6 + * src/gcrypt.h.in (GCRY_CIPHER_MODE_OCB): New. + +2015-01-06 Werner Koch + + Make make distcheck work again. + + commit 4f7dcdc25af269b12275126edeef30b262fb891d + * Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-ciphers. + * cipher/Makefile.am (DISTCLEANFILES): Add gost-sb.h. + +2015-01-06 Dmitry Eremin-Solenikov + + stribog: Reduce table size to the needed one. + + commit e4de52378a85cf383994ded8edf0d5cf98dcb10c + * cipher/stribog.c (C16): Avoid allocating superfluous space. + + gostr3411-94: Fix the iteration count for length filling loop. + + commit 05dc5bcd234909ae9c9366b653346076b9a834ed + * cipher/gostr3411-94.c (gost3411_final): Fix loop + +2015-01-05 Werner Koch + + random: Silent warning under NetBSD using rndunix. + + commit 817472358a093438e802380caecf7139406400cf + * random/rndunix.c (STDERR_FILENO): Define if needed. + (start_gatherer): Re-open standard descriptors. Fix an + unsigned/signed pointer warning. + + primegen: Fix memory leak for invalid call sequences. + + commit 8c5eee51d9a25b143e41ffb7ff4a6b2a29b82d83 + * cipher/primegen.c (prime_generate_internal): Refactor generator code + to not leak memory for non-implemented feature. + (_gcry_prime_group_generator): Refactor to not leak memory for invalid + args. Also make sure that R_G is set as soon as possible. + + doc: Update yat2m to current upstream version (GnuPG). + + commit dd5df198727ea5d8f6b04288e14fd732051453c8 + + + build: Require automake 1.14. + + commit f65276970a6dcd6d9bca94cecc49b68acdcc9492 + * configure.ac (AM_INIT_AUTOMAKE): Add serial-tests. + + Replace camel case of internal scrypt functions. + + commit 1a6d65ac0aab335541726d02f2046d883a768ec3 + * cipher/scrypt.c (_salsa20_core): Rename to salsa20_core. Change + callers. + (_scryptBlockMix): Rename to scrypt_block_mix. Change callers. + (_scryptROMix): Rename to scrypt_ro_mix. Change callers. + +2015-01-02 Jussi Kivilinna + + rmd160: restore native-endian store in _gcry_rmd160_mixblock. + + commit d7c7453cf5e6b8f3c6b522a30e680f844a28c9de + * cipher/rmd160.c (_gcry_rmd160_mixblock): Store result to buffer in + native-endianess. + +2014-12-27 Jussi Kivilinna + + Add Intel SSSE3 based vector permutation AES implementation. + + commit 8eabecc883332156adffc1df42d27f614c157e06 + * cipher/Makefile.am: Add 'rijndael-ssse3-amd64.c'. + * cipher/rijndael-internal.h (USE_SSSE3): New. + (RIJNDAEL_context_s) [USE_SSSE3]: Add 'use_ssse3'. + * cipher/rijndael-ssse3-amd64.c: New. + * cipher/rijndael.c [USE_SSSE3] (_gcry_aes_ssse3_do_setkey) + (_gcry_aes_ssse3_prepare_decryption, _gcry_aes_ssse3_encrypt) + (_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_enc) + (_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc) + (_gcry_aes_ssse3_cfb_dec, _gcry_aes_ssse3_cbc_dec): New. + (do_setkey): Add HWF check for SSSE3 and setup for SSSE3 + implementation. + (prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc) + (_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec): Add + selection for SSSE3 implementation. + * configure.ac [host=x86_64]: Add 'rijndael-ssse3-amd64.lo'. + +2014-12-25 Jussi Kivilinna + + random-csprng: fix compiler warnings on ARM. + + commit c2e1f8fea271f3ef8027809547c4a52e0b1e24a2 + * random/random-csprng.c (_gcry_rngcsprng_update_seed_file) + (read_pool): Cast keypool and rndpool to 'unsigned long *' through + 'void *'. + + scrypt: fix compiler warnings on ARM. + + commit 1dab4c9422bf0f3cdc7a4d3ccf9db090abd90e94 + * cipher/scrypt.c (_scryptBlockMix): Cast X to 'u32 *' through 'void *'. + + secmem: fix compiler warnings on ARM. + + commit 99faf9cb34f872144313403f29f3379798debfc9 + * src/secmem.c (ADDR_TO_BLOCK, mb_get_next, mb_get_new): Cast pointer + from 'char *' to 'memblock_t *' through 'void *'. + (MB_WIPE_OUT): Remove unneeded cast to 'memblock_t *'. + + hash: fix compiler warning on ARM. + + commit 4515315f61fbf79413e150fbd1d5f5a2435f2bc5 + * cipher/md.c (md_open, md_copy): Cast 'char *' to ctx through + 'void *'. + * cipher/md4.c (md4_final): Use buf_put_* helper instead of + converting 'char *' to 'u32 *'. + * cipher/md5.c (md5_final): Ditto. + * cipher/rmd160.c (_gcry_rmd160_mixblock, rmd160_final): Ditto. + * cipher/sha1.c (sha1_final): Ditto. + * cipher/sha256.c (sha256_final): Ditto. + * cipher/sha512.c (sha512_final): Ditto. + * cipher/tiger.c (tiger_final): Ditto. + + rijndael: fix compiler warnings on ARM. + + commit cc26106dbebeb84d481661813edc3e5aea9a7d99 + * cipher/rijndael-internal.h (RIJNDAEL_context_s): Add u32 variants of + keyschedule arrays to unions u1 and u2. + (keyschedenc32, keyscheddec32): New. + * cipher/rijndael.c (u32_a_t): Remove. + (do_setkey): Add and use tkk[].data32, k_u32, tk_u32 and W_u32; Remove + casting byte arrays to u32_a_t. + (prepare_decryption, do_encrypt_fn, do_decrypt_fn): Use keyschedenc32 + and keyscheddec32; Remove casting byte arrays to u32_a_t. + +2014-12-23 Jussi Kivilinna + + Poly1305-AEAD: updated implementation to match draft-irtf-cfrg-chacha20-poly1305-03 + + commit 520070e02e2e6ee7228945015573a6e1f4895ec3 + * cipher/cipher-internal.h (gcry_cipher_handle): Use separate byte + counters for AAD and data in Poly1305. + * cipher/cipher-poly1305.c (poly1305_fill_bytecount): Remove. + (poly1305_fill_bytecounts, poly1305_do_padding): New. + (poly1305_aad_finish): Fill padding to Poly1305 and do not fill AAD + length. + (_gcry_cipher_poly1305_authenticate, _gcry_cipher_poly1305_encrypt) + (_gcry_cipher_poly1305_decrypt): Update AAD and data length separately. + (_gcry_cipher_poly1305_tag): Fill padding and bytecounts to Poly1305. + (_gcry_cipher_poly1305_setkey, _gcry_cipher_poly1305_setiv): Reset + AAD and data byte counts; only allow 96-bit IV. + * cipher/cipher.c (_gcry_cipher_open_internal): Limit Poly1305-AEAD to + ChaCha20 cipher. + * tests/basic.c (_check_poly1305_cipher): Update test-vectors. + (check_ciphers): Limit Poly1305-AEAD checks to ChaCha20. + * tests/bench-slope.c (cipher_bench_one): Ditto. + + chacha20: allow setting counter for stream random access. + + commit 11b8d2d449a7bc664b4371ae14c57caa6704d272 + * cipher/chacha20.c (CHACHA20_CTR_SIZE): New. + (chacha20_ivsetup): Add setup for full counter. + (chacha20_setiv): Allow ivlen == CHACHA20_CTR_SIZE. + + gcm: do not pass extra key pointer for setupM/fillM. + + commit c964321c8a1328e89d636d899a45d68802f5ac9f + * cipher/cipher-gcm-intel-pclmul.c + (_gcry_ghash_setup_intel_pclmul): Remove 'h' parameter. + * cipher/cipher-gcm.c (_gcry_ghash_setup_intel_pclmul): Ditto. + (fillM): Get 'h' pointer from 'c'. + (setupM): Remome 'h' parameter. + (_gcry_cipher_gcm_setkey): Only pass 'c' to setupM. + + rijndael: use more compact look-up tables and add table prefetching. + + commit 2374753938df64f6fd8015b44613806a326eff1a + * cipher/rijndael-internal.h (rijndael_prefetchfn_t): New. + (RIJNDAEL_context): Add 'prefetch_enc_fn' and 'prefetch_dec_fn'. + * cipher/rijndael-tables.h (S, T1, T2, T3, T4, T5, T6, T7, T8, S5, U1) + (U2, U3, U4): Remove. + (encT, dec_tables, decT, inv_sbox): Add. + * cipher/rijndael.c (_gcry_aes_amd64_encrypt_block) + (_gcry_aes_amd64_decrypt_block, _gcry_aes_arm_encrypt_block) + (_gcry_aes_arm_encrypt_block): Add parameter for passing table pointer + to assembly implementation. + (prefetch_table, prefetch_enc, prefetch_dec): New. + (do_setkey): Setup context prefetch functions depending on selected + rijndael implementation; Use new tables for key setup. + (prepare_decryption): Use new tables for decryption key setup. + (do_encrypt_aligned): Rename to... + (do_encrypt_fn): ... to this, change to use new compact tables, + make handle unaligned input and unroll rounds loop by two. + (do_encrypt): Remove handling of unaligned input/output; pass table + pointer to assembly implementations. + (rijndael_encrypt, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc) + (_gcry_aes_ctr_enc, _gcry_aes_cfb_dec): Prefetch encryption tables + before encryption. + (do_decrypt_aligned): Rename to... + (do_decrypt_fn): ... to this, change to use new compact tables, + make handle unaligned input and unroll rounds loop by two. + (do_decrypt): Remove handling of unaligned input/output; pass table + pointer to assembly implementations. + (rijndael_decrypt, _gcry_aes_cbc_dec): Prefetch decryption tables + before decryption. + * cipher/rijndael-amd64.S: Use 1+1.25 KiB tables for + encryption+decryption; remove tables from assembly file. + * cipher/rijndael-arm.S: Ditto. + +2014-12-15 Werner Koch + + build: Add configure option --disable-doc. + + commit ad50e360ef4851e66e51a03fc420175636336b58 + * Makefile.am (AUTOMAKE_OPTIONS): Remove. + (doc) [!BUILD_DOC]: Do not recurse into the dir. + * configure.ac (AM_INIT_AUTOMAKE): Add option formerly in Makefile.am. + (BUILD_DOC): Add new am_conditional. + +2014-12-12 Jussi Kivilinna + + rijndael: further optimizations for AES-NI accelerated CBC and CFB bulk modes + + commit 4f46374502eb988d701b904f83819e2cf7b1755c + * cipher/rijndael-aesni.c (do_aesni_enc, do_aesni_dec): Pass + input/output through SSE register XMM0. + (do_aesni_cfb): Remove. + (_gcry_aes_aesni_encrypt, _gcry_aes_aesni_decrypt): Add loading/storing + input/output to/from XMM0. + (_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc) + (_gcry_aes_aesni_cfb_dec): Update to use renewed 'do_aesni_enc' and + move IV loading/storing outside loop. + (_gcry_aes_aesni_cbc_dec): Update to use renewed 'do_aesni_dec'. + + GCM: move Intel PCLMUL accelerated implementation to separate file. + + commit 4a0795af021305f9240f23626a3796157db46bd7 + * cipher/Makefile.am: Add 'cipher-gcm-intel-pclmul.c'. + * cipher/cipher-gcm-intel-pclmul.c: New. + * cipher/cipher-gcm.c [GCM_USE_INTEL_PCLMUL] + (_gcry_ghash_setup_intel_pclmul, _gcry_ghash_intel_pclmul): New + prototypes. + [GCM_USE_INTEL_PCLMUL] (gfmul_pclmul, gfmul_pclmul_aggr4): Move + to 'cipher-gcm-intel-pclmul.c'. + (ghash): Rename to... + (ghash_internal): ...this and move GCM_USE_INTEL_PCLMUL part to new + function in 'cipher-gcm-intel-pclmul.c'. + (setupM): Move GCM_USE_INTEL_PCLMUL part to new function in + 'cipher-gcm-intel-pclmul.c'; Add selection of ghash function based + on available HW acceleration. + (do_ghash_buf): Change use of 'ghash' to 'c->u_mode.gcm.ghash_fn'. + * cipher/internal.h (ghash_fn_t): New. + (gcry_cipher_handle): Remove 'use_intel_pclmul'; Add 'ghash_fn'. + +2014-12-06 Jussi Kivilinna + + rijndael: split Padlock part to separate file. + + commit cbf4c8cb6bbda15eea61885279f2a6f1d4bcedfd + * cipher/Makefile.am: Add 'rijndael-padlock.c'. + * cipher/rijndael-padlock.c: New. + * cipher/rijndael.c (do_padlock, do_padlock_encrypt) + (do_padlock_decrypt): Move to 'rijndael-padlock.c'. + * configure.ac [mpi_cpu_arch=x86]: Add 'rijndael-padlock.lo'. + +2014-12-01 Jussi Kivilinna + + rijndael: refactor to reduce number of #ifdefs and branches. + + commit 3d5b51786e2050c461e9791b59142a731462b66d + * cipher/rijndael-aesni.c (_gcry_aes_aesni_encrypt) + (_gcry_aes_aesni_decrypt): Make return stack burn depth. + * cipher/rijndael-amd64.S (_gcry_aes_amd64_encrypt_block) + (_gcry_aes_amd64_decrypt_block): Ditto. + * cipher/rijndael-arm.S (_gcry_aes_arm_encrypt_block) + (_gcry_aes_arm_decrypt_block): Ditto. + * cipher/rijndael-internal.h (RIJNDAEL_context_s) + (rijndael_cryptfn_t): New. + (RIJNDAEL_context): New members 'encrypt_fn' and 'decrypt_fn'. + * cipher/rijndael.c (_gcry_aes_amd64_encrypt_block) + (_gcry_aes_amd64_decrypt_block, _gcry_aes_aesni_encrypt) + (_gcry_aes_aesni_decrypt, _gcry_aes_arm_encrypt_block) + (_gcry_aes_arm_decrypt_block): Change prototypes. + (do_padlock_encrypt, do_padlock_decrypt): New. + (do_setkey): Separate key-length to rounds conversion from + HW features check; Add selection for ctx->encrypt_fn and + ctx->decrypt_fn. + (do_encrypt_aligned, do_decrypt_aligned): Move inside + '[!USE_AMD64_ASM && !USE_ARM_ASM]'; Move USE_AMD64_ASM and + USE_ARM_ASM to... + (do_encrypt, do_decrypt): ...here; Return stack depth; Remove second + temporary buffer from non-aligned input/output case. + (do_padlock): Move decrypt_flag to last argument; Return stack depth. + (rijndael_encrypt): Remove #ifdefs, just call ctx->encrypt_fn. + (_gcry_aes_cfb_enc, _gcry_aes_cbc_enc): Remove USE_PADLOCK; Call + ctx->encrypt_fn in place of do_encrypt/do_encrypt_aligned. + (_gcry_aes_ctr_enc): Call ctx->encrypt_fn in place of + do_encrypt_aligned; Make tmp buffer 16-byte aligned and wipe buffer + after use. + (rijndael_encrypt): Remove #ifdefs, just call ctx->decrypt_fn. + (_gcry_aes_cfb_dec): Remove USE_PADLOCK; Call ctx->decrypt_fn in place + of do_decrypt/do_decrypt_aligned. + (_gcry_aes_cbc_dec): Ditto; Make savebuf buffer 16-byte aligned. + + rijndael: move AES-NI blocks before Padlock. + + commit dbf9e95dd3891f6e6ad370e8ab78fec03595687b + * cipher/rijndael.c (do_setkey, rijndael_encrypt, _gcry_aes_cfb_enc) + (rijndael_decrypt, _gcry_aes_cfb_dec): Move USE_AESNI before + USE_PADLOCK. + (check_decryption_praparation) [USE_PADLOCK]: Move to... + (prepare_decryption) [USE_PADLOCK]: ...here. + + rijndael: split AES-NI functions to separate file. + + commit 67d529630e838daeb8cb9c6d7ef660c01ef34fee + * cipher/Makefile.in: Add 'rijndael-aesni.c'. + * cipher/rijndael-aesni.c: New. + * cipher/rijndael-internal.h: New. + * cipher/rijndael.c (MAXKC, MAXROUNDS, BLOCKSIZE, ATTR_ALIGNED_16) + (USE_AMD64_ASM, USE_ARM_ASM, USE_PADLOCK, USE_AESNI, RIJNDAEL_context) + (keyschenc, keyschdec, padlockkey): Move to 'rijndael-internal.h'. + (u128_s, aesni_prepare, aesni_cleanup, aesni_cleanup_2_6) + (aesni_do_setkey, do_aesni_enc, do_aesni_dec, do_aesni_enc_vec4) + (do_aesni_dec_vec4, do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Move + to 'rijndael-aesni.c'. + (prepare_decryption, rijndael_encrypt, _gcry_aes_cfb_enc) + (_gcry_aes_cbc_enc, _gcry_aes_ctr_enc, rijndael_decrypt) + (_gcry_aes_cfb_dec, _gcry_aes_cbc_dec) [USE_AESNI]: Move to functions + in 'rijdael-aesni.c'. + * configure.ac [mpi_cpu_arch=x86]: Add 'rijndael-aesni.lo'. + +2014-11-24 Werner Koch + + Remove duplicated prototypes. + + commit d53ea84bed37b973f7ce59262c50b33700cd8311 + * src/gcrypt-int.h (_gcry_mpi_ec_new, _gcry_mpi_ec_set_mpi) + (gcry_mpi_ec_set_point): Remove. + + tests: Add a prime mode to benchmark. + + commit 1b4210c204a5ef5e631187509e011b8468a134ef + * tests/benchmark.c (progress_cb): Add a single char mode. + (prime_bench): New. + (main): Add a "prime" mode. Factor with_progress out to file scope. + +2014-11-19 NIIBE Yutaka + + ecc: Improve Montgomery curve implementation. + + commit e6130034506013d6153465a2bedb6fb08a43f74d + * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Support + MPI_EC_MONTGOMERY. + * cipher/ecc.c (test_ecdh_only_keys): New. + (nist_generate_key): Call test_ecdh_only_keys for MPI_EC_MONTGOMERY. + (check_secret_key): Handle Montgomery curve of x-coordinate only. + * mpi/ec.c (_gcry_mpi_ec_mul_point): Resize points before the loop. + Simplify, using pointers of Q1, Q2, PRD, and SUM. + +2014-11-02 Jussi Kivilinna + + Disable NEON for CPUs that are known to have broken NEON implementation. + + commit 95eef21583d8e998efc48f22898c1ae31b77cb48 + * src/hwf-arm.c (detect_arm_proc_cpuinfo): Add parsing for CPU version + information and check if CPU is known to have broken NEON + implementation. + (_gcry_hwf_detect_arm): Filter out broken HW features. + + Add ARM/NEON implementation of Poly1305. + + commit 0b520128551054d83fb0bb2db8873394f38de498 + * cipher/Makefile.am: Add 'poly1305-armv7-neon.S'. + * cipher/poly1305-armv7-neon.S: New. + * cipher/poly1305-internal.h (POLY1305_USE_NEON) + (POLY1305_NEON_BLOCKSIZE, POLY1305_NEON_STATESIZE) + (POLY1305_NEON_ALIGNMENT): New. + * cipher/poly1305.c [POLY1305_USE_NEON] + (_gcry_poly1305_armv7_neon_init_ext) + (_gcry_poly1305_armv7_neon_finish_ext) + (_gcry_poly1305_armv7_neon_blocks, poly1305_armv7_neon_ops): New. + (_gcry_poly1305_init) [POLY1305_USE_NEON]: Select NEON implementation + if HWF_ARM_NEON set. + * configure.ac [neonsupport=yes]: Add 'poly1305-armv7-neon.lo'. + + chacha20: add ARMv7/NEON implementation. + + commit c584f44543883346d5a565581ff99a0afce9c5e1 + * cipher/Makefile.am: Add 'chacha20-armv7-neon.S'. + * cipher/chacha20-armv7-neon.S: New. + * cipher/chacha20.c (USE_NEON): New. + [USE_NEON] (_gcry_chacha20_armv7_neon_blocks): New. + (chacha20_do_setkey) [USE_NEON]: Use Neon implementation if + HWF_ARM_NEON flag set. + (selftest): Self-test encrypting buffer byte by byte. + * configure.ac [neonsupport=yes]: Add 'chacha20-armv7-neon.lo'. + +2014-10-08 Markus Teich + + mpi: Add gcry_mpi_ec_sub. + + commit 23ecadf309f8056c35cc092e58df801ac0eab862 + * NEWS (gcry_mpi_ec_sub): New. + * doc/gcrypt.texi (gcry_mpi_ec_sub): New. + * mpi/ec.c (_gcry_mpi_ec_sub, sub_points_edwards): New. + (sub_points_montgomery, sub_points_weierstrass): New stubs. + * src/gcrypt-int.h (_gcry_mpi_ec_sub): New. + * src/gcrypt.h.in (gcry_mpi_ec_sub): New. + * src/libgcrypt.def (gcry_mpi_ec_sub): New. + * src/libgcrypt.vers (gcry_mpi_ec_sub): New. + * src/mpi.h (_gcry_mpi_ec_sub_points): New. + * src/visibility.c (gcry_mpi_ec_sub): New. + * src/visibility.h (gcry_mpi_ec_sub): New. + +2014-10-08 Werner Koch + + Fix prime test for 2 and lower and add check command to mpicalc. + + commit 5c906e2cdb14e93fb4915fdc69c7353a5fa35709 + * cipher/primegen.c (check_prime): Return true for the small primes. + (_gcry_prime_check): Return correct values for 2 and lower numbers. + + * src/mpicalc.c (do_primecheck): New. + (main): Add command 'P'. + (main): Allow for larger input data. + +2014-10-04 Jussi Kivilinna + + Add Whirlpool AMD64/SSE2 assembly implementation. + + commit de0ccd4dce7ec185a678d78878d4538dd609ca0f + * cipher/Makefile.am: Add 'whirlpool-sse2-amd64.S'. + * cipher/whirlpool-sse2-amd64.S: New. + * cipher/whirlpool.c (USE_AMD64_ASM): New. + (whirlpool_tables_s): New. + (rc, C0, C1, C2, C3, C4, C5, C6, C7): Combine these tables into single + structure and replace old tables with macros of same name. + (tab): New structure containing above tables. + [USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64) + (whirlpool_transform): New. + * configure.ac [host=x86_64]: Add 'whirlpool-sse2-amd64.lo'. + +2014-10-04 Andrei Scherer + + Improved ripemd160 performance. + + commit 30bd759f398f45b04d0a783b875f59ce9bd1e51d + * cipher/rmd160.c (transform): Interleave the left and right lane + rounds to introduce more instruction level parallelism. + +2014-10-02 Werner Koch + + build: Document SYSROOT. + + commit 0ecd136a6ca02252f63ad229fa5240897bfe6544 + * configure.ac: Mark SYSROOT as arg var. + + build: Support SYSROOT based config script finding. + + commit 1e8b86494cf8fa045696bd447b16267ffd1797f0 + * src/libgcrypt.m4: Add support for SYSROOT and set + gpg_config_script_warn. Use AC_PATH_PROG instead of AC_PATH_TOOL + because the config script is not expected to be installed with a + prefix for its name + * configure.ac: Print a library mismatch warning. + * m4/gpg-error.m4: Update from git master. + +2014-09-30 Werner Koch + + mac: Fix gcry_mac_close to allow for a NULL handle. + + commit 51dae8c8c4b63bb5e1685cbd8722e35342524737 + * cipher/mac.c (_gcry_mac_close): Check for NULL. + +2014-09-03 Werner Koch + + Add a constant for a forthcoming new RNG. + + commit 8b960a807d168000d2690897a7634bd384ac1346 + * src/gcrypt.h.in (GCRYCTL_DRBG_REINIT): New constant. + +2014-09-02 Jussi Kivilinna + + Add new Poly1305 MAC test vectors. + + commit 8a2a328742012a7c528dd007437185e4584c1e48 + * tests/basic.c (check_mac): Add new test vectors for Poly1305 MAC. + +2014-09-02 Werner Koch + + asm: Allow building x86 and amd64 using old compilers. + + commit 5eec04a43e6c562e956353449be931dd43dfe1cc + * src/hwf-x86.c (get_xgetbv): Build only if AVX support is enabled. + +2014-08-21 Werner Koch + + sexp: Check args of gcry_sexp_build. + + commit e606d5f1bada1f2d21faeedd3fa2cf2dca7b274c + * src/sexp.c (do_vsexp_sscan): Return error for invalid args. + + cipher: Fix a segv in case of calling with wrong parameters. + + commit f850add813d783f31ca6a60459dea25ef71bce7e + * cipher/md.c (_gcry_md_info): Fix arg testing. + + cipher: Fix possible NULL deref in call to prime generator. + + commit 18056ace7f466cb8c1eaf08e5dc0400516d83b4c + * cipher/primegen.c (_gcry_generate_elg_prime): Change to return an + error code. + * cipher/dsa.c (generate): Take care of new return code. + * cipher/elgamal.c (generate): Change to return an error code. Take + care of _gcry_generate_elg_prime return code. + (generate_using_x): Take care of _gcry_generate_elg_prime return code. + (elg_generate): Propagate return code from generate. + +2014-08-12 NIIBE Yutaka + + ecc: Support Montgomery curve for gcry_mpi_ec_mul_point. + + commit 34bb55ee36df3aca3ebca88f8b61c786cd0c0701 + * mpi/ec.c (_gcry_mpi_ec_get_affine): Support Montgomery curve. + (montgomery_ladder): New. + (_gcry_mpi_ec_mul_point): Implemention using montgomery_ladder. + (_gcry_mpi_ec_curve_point): Check x-coordinate is valid. + +2014-08-09 Werner Koch + + tests: Add a benchmark for Elgamal. + + commit e6d354865bf8f3d4c1bb5e8157a76fdd442cff41 + * tests/benchmark.c (sample_public_elg_key_1024): New. + (sample_private_elg_key_1024): New. + (sample_public_elg_key_2048, sample_private_elg_key_2048): New. + (sample_public_elg_key_3072, sample_private_elg_key_3072): New. + (elg_bench): New. + (main): Add elg_bench. Add commands "elg" and "public". + +2014-08-08 NIIBE Yutaka + + ecc: Add cofactor to domain parameters. + + commit 9933b9e5e1a3f5b1019c75f93bd265d4a1ecc270 + * src/ec-context.h (mpi_ec_ctx_s): Add cofactor 'h'. + * cipher/ecc-common.h (elliptic_curve_t): Add cofactor 'h'. + (_gcry_ecc_update_curve_param): New API adding cofactor. + + * cipher/ecc-curves.c (ecc_domain_parms_t): Add cofactor 'h'. + (ecc_domain_parms_t domain_parms): Add cofactors. + (_gcry_ecc_fill_in_curve, _gcry_ecc_update_curve_param) + (_gcry_ecc_get_curve, _gcry_mpi_ec_new, _gcry_ecc_get_param_sexp) + (_gcry_ecc_get_mpi): Handle cofactor. + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Likewise. + * cipher/ecc-misc.c (_gcry_ecc_curve_free) + (_gcry_ecc_curve_copy): Likewise. + * cipher/ecc.c (nist_generate_key, ecc_generate) + (ecc_check_secret_key, ecc_sign, ecc_verify, ecc_encrypt_raw) + (ecc_decrypt_raw, _gcry_pk_ecc_get_sexp, _gcry_pubkey_spec_ecc): + Likewise. + (compute_keygrip): Handle cofactor, but skip it for its computation. + * mpi/ec.c (ec_deinit): Likewise. + * tests/t-mpi-point.c (context_param): Likewise. + (test_curve): Add cofactors. + * tests/curves.c (sample_key_1, sample_key_2): Add cofactors. + * tests/keygrip.c (key_grips): Add cofactors. + +2014-08-05 Werner Koch + + mpi: Fix regression for powerpc-apple-darwin detection. + + commit 4ce77b0a810d3c889c07dfb385127d90fa1ae36a + * mpi/config.links: Add separate entry for powerpc-apple-darwin. + + Fix bug inhibiting the use of the sentinel attribute. + + commit d2d28298ccc0d0f3c0b03fd323deb1e8808ef74f + * src/gcrypt.h.in: Fix typo in macro. + + mpi: Use BSD syntax for x86_64-apple-darwin. + + commit 71939faa7c54e7b4b28d115e748a85f134876a02 + * mpi/config.links: Add case for x86_64-apple-darwin. + +2014-08-05 Kristian Fiskerstrand + + Fix building for the x32 target without asm modules. + + commit a17c29844b63e9e869f7855d901bc9d859234ead + * mpi/generic/mpi-asm-defs.h: Use a fixed value for the x32 ABI. + +2014-07-25 Werner Koch + + ecc: Support the non-standard 0x40 compression flag for EdDSA. + + commit 4556f9b19c024f16bdf542da7173395c0741b91d + * cipher/ecc.c (ecc_generate): Check the "comp" flag for EdDSA. + * cipher/ecc-eddsa.c (eddsa_encode_x_y): Add arg WITH_PREFIX. + (_gcry_ecc_eddsa_encodepoint): Ditto. + (_gcry_ecc_eddsa_ensure_compact): Handle the 0x40 compression prefix. + (_gcry_ecc_eddsa_decodepoint): Ditto. + * tests/keygrip.c: Check an compresssed with prefix Ed25519 key. + * tests/t-ed25519.inp: Ditto. + + mpi: Extend the internal mpi_get_buffer. + + commit 0e10902ad7584277ac966367efc712b183784532 + * mpi/mpicoder.c (do_get_buffer): Add arg EXTRAALLOC. + (_gcry_mpi_get_buffer_extra): New. + + cipher: Fix compiler warning for chacha20. + + commit 4e0bf1b9190ce08fb23eb3ae0c3be58954ff36ab + * cipher/chacha20.c (chacha20_blocks) [!USE_SSE2]: Do not build. + +2014-07-16 NIIBE Yutaka + + mpi: Add mpi_swap_cond. + + commit 4846e52728970e3117f3a046ef9010be089a3ae4 + * mpi/mpiutil.c (_gcry_mpi_swap_cond): New. + * src/mpi.h (mpi_swap_cond): New. + +2014-06-29 Jussi Kivilinna + + Speed-up SHA-1 NEON assembly implementation. + + commit 1b9b00bbe41bbed32563f1102049521e703e72bd + * cipher/sha1-armv7-neon.S: Tweak implementation for speed-up. + +2014-06-28 Dmitry Eremin-Solenikov + + gostr3411_94: rewrite to use u32 mathematic. + + commit 066f068bd0bc4d8e01f1f18b6153cdc8d2c245d7 + * cipher/gost28147.c (_gcry_gost_enc_data): New. + * cipher/gostr3411-94.c: Rewrite implementation to use u32 mathematic + internally. + * cipher/gost28147.c (_gcry_gost_enc_one): Remove. + + gost28147: use bufhelp helpers. + + commit 7aeba6c449169926076df83b01ddbfa6b41fe411 + * cipher/gost28147.c (gost_setkey, gost_encrypt_block, gost_decrypt_block): + use buf_get_le32/buf_put_le32 helpers. + + Fixup curve name in the GOST2012 test case. + + commit b78d504fa8745b8b04589acbbcf7dd5fe9279d13 + * tests/basic.c (check_pubkey): fixup curve name in public key. + + Update PBKDF2 tests with GOST R 34.11-94 test cases. + + commit 7533b2ad46f42e98d9dba52e88e79c0311d2d3b7 + * tests/t-kdf.c (check_pbkdf2): Add MD_GOSTR3411_CP test cases. + + Add GOST R 34.11-94 variant using id-GostR3411-94-CryptoProParamSet. + + commit 25d6af77e2336b5979ddbe8b90978fe5b61dfaf9 + * src/gcrypt.h.in (GCRY_MD_GOSTR3411_CP): New. + * src/cipher.h (_gcry_digest_spec_gost3411_cp): New. + * cipher/gost28147.c (_gcry_gost_enc_one): Differentiate between + CryptoPro and Test S-Boxes. + * cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_cp, + gost3411_cp_init): New. + * cipher/md.c (md_open): GCRY_MD_GOSTR3411_CP also uses B=32. + + gost28147: support GCRYCTL_SET_SBOX. + + commit 5ee35a04362c94e680ef3633fa83b72e0aee8626 + cipher/gost28147.c (gost_set_extra_info, gost_set_sbox): New. + + Support setting s-box for the ciphers that require it. + + commit fb074d113fcbf66a5c20592625cb19051f3430f5 + * src/gcrypt.h.in (GCRYCTL_SET_SBOX, gcry_cipher_set_sbox): New. + * cipher/cipher.c (_gcry_cipher_ctl): pass GCRYCTL_SET_SBOX to + set_extra_info callback. + + cipher/gost28147: generate optimized s-boxes from compact ones. + + commit 164738a0292b3f32c7747099ad9cadace58e5eda + * cipher/gost-s-box.c: New. Outputs optimized expanded representation of + s-boxes (4x256) from compact 16x8 representation. + * cipher/Makefile.am: Add gost-sb.h dependency to gost28147.lo + * cipher/gost.h: Add sbox to the GOST28147_context structure. + * cipher/gost28147.c (gost_setkey): Set default s-box to test s-box from + GOST R 34.11 (this was the only one S-box before). + * cipher/gost28147.c (gost_val): Use sbox from the context. + + gost28147: add OIDs used to define cipher mode. + + commit 34a58010000288515636706811c3837f32957b2e + * cipher/gost28147 (oids_gost28147): Add OID from RFC4357. + + GOST R 34.11-94 add OIDs. + + commit 8b221cf5ce233c8c49a4e4ecebb70d523fc37837 + * cipher/gostr3411-94.c: Add OIDs for GOST R 34.11-94 from RFC 4357. + +2014-05-21 Jussi Kivilinna + + tests: add larger test-vectors for hash algorithms. + + commit f14fb5b427b5159fcd9603d2b3cde936889cf430 + * tests/basic.c (check_digests): Add large test-vectors for MD5, SHA1, + SHA224, SHA256, SHA384, RMD160, CRC32, TIGER1, WHIRLPOOL and + GOSTR3411_94. + + sha512: fix ARM/NEON implementation. + + commit beb901575f0d6cd6a0a27506ebea9a725754d0cc + * cipher/sha512-armv7-neon.S + (_gcry_sha512_transform_armv7_neon): Byte-swap RW67q and RW1011q + correctly in multi-block loop. + * tests/basic.c (check_digests): Add large test vector for SHA512. + +2014-05-20 Jussi Kivilinna + + Fix ARM assembly when building __PIC__ + + commit 994c758d8f5471c7e9c38c2834742cca2502d35f + * cipher/camellia-arm.S (GET_DATA_POINTER): New. + (_gcry_camellia_arm_encrypt_block): Use GET_DATA_POINTER. + (_gcry_camellia_arm_decrypt_block): Ditto. + * cipher/cast5-arm.S (GET_DATA_POINTER): New. + (_gcry_cast5_arm_encrypt_block, _gcry_cast5_arm_decrypt_block) + (_gcry_cast5_arm_enc_blk2, _gcry_cast5_arm_dec_blk2): Use + GET_DATA_POINTER. + * cipher/rijndael-arm.S (GET_DATA_POINTER): New. + (_gcry_aes_arm_encrypt_block, _gcry_aes_arm_decrypt_block): Use + GET_DATA_POINTER. + * cipher/sha1-armv7-neon.S (GET_DATA_POINTER): New. + (.LK_VEC): Move from .text to .data section. + (_gcry_sha1_transform_armv7_neon): Use GET_DATA_POINTER. + +2014-05-17 Jussi Kivilinna + + Add Poly1305 to documentation. + + commit bf4943932dae95a0573b63bf32a9b9acd5a6ddf3 + * doc/gcrypt.texi: Add documentation for Poly1305 MACs and AEAD mode. + +2014-05-16 Jussi Kivilinna + + chacha20: add SSE2/AMD64 optimized implementation. + + commit 323b1eb80ff3396d83fedbe5bba9a4e6c412d192 + * cipher/Makefile.am: Add 'chacha20-sse2-amd64.S'. + * cipher/chacha20-sse2-amd64.S: New. + * cipher/chacha20.c (USE_SSE2): New. + [USE_SSE2] (_gcry_chacha20_amd64_sse2_blocks): New. + (chacha20_do_setkey) [USE_SSE2]: Use SSE2 implementation for blocks + function. + * configure.ac [host=x86-64]: Add 'chacha20-sse2-amd64.lo'. + + poly1305: add AMD64/AVX2 optimized implementation. + + commit 98f021961ee65669037bc8bb552a69fd78f610fc + * cipher/Makefile.am: Add 'poly1305-avx2-amd64.S'. + * cipher/poly1305-avx2-amd64.S: New. + * cipher/poly1305-internal.h (POLY1305_USE_AVX2) + (POLY1305_AVX2_BLOCKSIZE, POLY1305_AVX2_STATESIZE) + (POLY1305_AVX2_ALIGNMENT): New. + (POLY1305_LARGEST_BLOCKSIZE, POLY1305_LARGEST_STATESIZE) + (POLY1305_STATE_ALIGNMENT): Use AVX2 versions when needed. + * cipher/poly1305.c [POLY1305_USE_AVX2] + (_gcry_poly1305_amd64_avx2_init_ext) + (_gcry_poly1305_amd64_avx2_finish_ext) + (_gcry_poly1305_amd64_avx2_blocks, poly1305_amd64_avx2_ops): New. + (_gcry_poly1305_init) [POLY1305_USE_AVX2]: Use AVX2 implementation if + AVX2 supported by CPU. + * configure.ac [host=x86_64]: Add 'poly1305-avx2-amd64.lo'. + +2014-05-12 Jussi Kivilinna + + poly1305: add AMD64/SSE2 optimized implementation. + + commit 297532602ed2d881d8fdc393d1961068a143a891 + * cipher/Makefile.am: Add 'poly1305-sse2-amd64.S'. + * cipher/poly1305-internal.h (POLY1305_USE_SSE2) + (POLY1305_SSE2_BLOCKSIZE, POLY1305_SSE2_STATESIZE) + (POLY1305_SSE2_ALIGNMENT): New. + (POLY1305_LARGEST_BLOCKSIZE, POLY1305_LARGEST_STATESIZE) + (POLY1305_STATE_ALIGNMENT): Use SSE2 versions when needed. + * cipher/poly1305-sse2-amd64.S: New. + * cipher/poly1305.c [POLY1305_USE_SSE2] + (_gcry_poly1305_amd64_sse2_init_ext) + (_gcry_poly1305_amd64_sse2_finish_ext) + (_gcry_poly1305_amd64_sse2_blocks, poly1305_amd64_sse2_ops): New. + (_gcry_polu1305_init) [POLY1305_USE_SSE2]: Use SSE2 version. + * configure.ac [host=x86_64]: Add 'poly1305-sse2-amd64.lo'. + + Add Poly1305 based cipher AEAD mode. + + commit e813958419b0ec4439e6caf07d3b2234cffa2bfa + * cipher/Makefile.am: Add 'cipher-poly1305.c'. + * cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.poly1305'. + (_gcry_cipher_poly1305_encrypt, _gcry_cipher_poly1305_decrypt) + (_gcry_cipher_poly1305_setiv, _gcry_cipher_poly1305_authenticate) + (_gcry_cipher_poly1305_get_tag, _gcry_cipher_poly1305_check_tag): New. + * cipher/cipher-poly1305.c: New. + * cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey) + (cipher_reset, cipher_encrypt, cipher_decrypt, _gcry_cipher_setiv) + (_gcry_cipher_authenticate, _gcry_cipher_gettag) + (_gcry_cipher_checktag): Handle 'GCRY_CIPHER_MODE_POLY1305'. + (cipher_setiv): Move handling of 'GCRY_CIPHER_MODE_GCM' to ... + (_gcry_cipher_setiv): ... here, as with other modes. + * src/gcrypt.h.in: Add 'GCRY_CIPHER_MODE_POLY1305'. + * tests/basic.c (_check_poly1305_cipher, check_poly1305_cipher): New. + (check_ciphers): Add Poly1305 check. + (check_cipher_modes): Call 'check_poly1305_cipher'. + * tests/bench-slope.c (bench_gcm_encrypt_do_bench): Rename to + bench_aead_... and take nonce as argument. + (bench_gcm_decrypt_do_bench, bench_gcm_authenticate_do_bench): Ditto. + (bench_gcm_encrypt_do_bench, bench_gcm_decrypt_do_bench) + (bench_gcm_authenticate_do_bench, bench_poly1305_encrypt_do_bench) + (bench_poly1305_decrypt_do_bench) + (bench_poly1305_authenticate_do_bench, poly1305_encrypt_ops) + (poly1305_decrypt_ops, poly1305_authenticate_ops): New. + (cipher_modes): Add Poly1305. + (cipher_bench_one): Add special handling for Poly1305. + + Add Poly1305-AES (-Camellia, etc) MACs. + + commit 73b3b75c2221a6e3bed4117e0a206a1193acd2ed + * cipher/mac-internal.h (_gcry_mac_type_spec_poly1305_aes) + (_gcry_mac_type_spec_poly1305_camellia) + (_gcry_mac_type_spec_poly1305_twofish) + (_gcry_mac_type_spec_poly1305_serpent) + (_gcry_mac_type_spec_poly1305_seed): New. + * cipher/mac-poly1305.c (poly1305mac_context_s): Add 'hd' and + 'nonce_set'. + (poly1305mac_open, poly1305mac_close, poly1305mac_setkey): Add handling + for Poly1305-*** MACs. + (poly1305mac_prepare_key, poly1305mac_setiv): New. + (poly1305mac_reset, poly1305mac_write, poly1305mac_read): Add handling + for 'nonce_set'. + (poly1305mac_ops): Add 'poly1305mac_setiv'. + (_gcry_mac_type_spec_poly1305_aes) + (_gcry_mac_type_spec_poly1305_camellia) + (_gcry_mac_type_spec_poly1305_twofish) + (_gcry_mac_type_spec_poly1305_serpent) + (_gcry_mac_type_spec_poly1305_seed): New. + * cipher/mac.c (mac_list): Add Poly1305-AES, Poly1305-Twofish, + Poly1305-Serpent, Poly1305-SEED and Poly1305-Camellia. + * src/gcrypt.h.in: Add 'GCRY_MAC_POLY1305_AES', + 'GCRY_MAC_POLY1305_CAMELLIA', 'GCRY_MAC_POLY1305_TWOFISH', + 'GCRY_MAC_POLY1305_SERPENT' and 'GCRY_MAC_POLY1305_SEED'. + * tests/basic.c (check_mac): Add Poly1305-AES test vectors. + * tests/bench-slope.c (bench_mac_init): Set IV for Poly1305-*** MACs. + * tests/bench-slope.c (mac_bench): Set IV for Poly1305-*** MACs. + + Add Poly1305 MAC. + + commit b8794fed68ebe7567f4617141f0996ad290d9120 + * cipher/Makefile.am: Add 'mac-poly1305.c', 'poly1305.c' and + 'poly1305-internal.h'. + * cipher/mac-internal.h (poly1305mac_context_s): New. + (gcry_mac_handle): Add 'u.poly1305mac'. + (_gcry_mac_type_spec_poly1305mac): New. + * cipher/mac-poly1305.c: New. + * cipher/mac.c (mac_list): Add Poly1305. + * cipher/poly1305-internal.h: New. + * cipher/poly1305.c: New. + * src/gcrypt.h.in: Add 'GCRY_MAC_POLY1305'. + * tests/basic.c (check_mac): Add Poly1035 test vectors; Allow + overriding lengths of data and key buffers. + * tests/bench-slope.c (mac_bench): Increase max algo number from 500 to + 600. + * tests/benchmark.c (mac_bench): Ditto. + + chacha20/AVX2: clear upper-halfs of YMM registers on entry. + + commit c20daeeb05329bfc6cc2c562cbd4b965291fe0e1 + * cipher/chacha20-avx2-amd64.S (_gcry_chacha20_amd64_avx2_blocks): Add + 'vzeroupper' at beginning. + + chacha20/AVX2: check for ENABLE_AVX2_SUPPORT instead of HAVE_GCC_INLINE_ASM_AVX2 + + commit a3062db748f272e0f7346e1ed9e0bf7ed61a4eae + * cipher/chacha20.c (USE_AVX2): Enable depending on + ENABLE_AVX2_SUPPORT, not HAVE_GCC_INLINE_ASM_AVX2. + * cipher/chacha20-avx2-amd64.S: Ditto. + + chacha20/SSSE3: clear XMM registers after use. + + commit a7d9eeeba632b7eb4a5b15ff17f6565181642f3c + * cipher/chacha20-ssse3-amd64.S (_gcry_chacha20_amd64_ssse3_blocks): On + return, clear XMM registers. + +2014-05-11 Jussi Kivilinna + + chacha20: add AVX2/AMD64 assembly implementation. + + commit a39ee7555691d18cae97560f130aaf952bfbd278 + * cipher/Makefile.am: Add 'chacha20-avx2-amd64.S'. + * cipher/chacha20-avx2-amd64.S: New. + * cipher/chacha20.c (USE_AVX2): New macro. + [USE_AVX2] (_gcry_chacha20_amd64_avx2_blocks): New. + (chacha20_do_setkey): Select AVX2 implementation if there is HW + support. + (selftest): Increase size of buf by 256. + * configure.ac [host=x86-64]: Add 'chacha20-avx2-amd64.lo'. + + chacha20: add SSSE3 assembly implementation. + + commit def7d4cad386271c6d4e2f10aabe0cb4abd871e4 + * cipher/Makefile.am: Add 'chacha20-ssse3-amd64.S'. + * cipher/chacha20-ssse3-amd64.S: New. + * cipher/chacha20.c (USE_SSSE3): New macro. + [USE_SSSE3] (_gcry_chacha20_amd64_ssse3_blocks): New. + (chacha20_do_setkey): Select SSSE3 implementation if there is HW + support. + * configure.ac [host=x86-64]: Add 'chacha20-ssse3-amd64.lo'. + + Add ChaCha20 stream cipher. + + commit 23f33d57c9b6f2295a8ddfc9a8eee5a2c30cf406 + * cipher/Makefile.am: Add 'chacha20.c'. + * cipher/chacha20.c: New. + * cipher/cipher.c (cipher_list): Add ChaCha20. + * configure.ac: Add ChaCha20. + * doc/gcrypt.texi: Add ChaCha20. + * src/cipher.h (_gcry_cipher_spec_chacha20): New. + * src/gcrypt.h.in (GCRY_CIPHER_CHACHA20): Add new algo. + * tests/basic.c (MAX_DATA_LEN): Increase to 128 from 100. + (check_stream_cipher): Add ChaCha20 test-vectors. + (check_ciphers): Add ChaCha20. + +2014-05-09 Werner Koch + + mpi: Fix a subtle bug setting spurious bits with in mpi_set_bit. + + commit 246b7aaae1ee459f440260bbc4ec2c01c5dc3362 + * mpi/mpi-bit.c (_gcry_mpi_set_bit, _gcry_mpi_set_highbit): Clear + allocated but not used bits before resizing. + * tests/t-mpi-bits.c (set_bit_with_resize): New. + +2014-05-07 Werner Koch + + Bump LT version. + + commit fc6ff6f73a51bcbbbb3757dc1386da40aa3ae75d + * configure.ac: Bumb LT version to C21/A1/R0. + +2014-04-22 Werner Koch + + random: Small patch for consistency and really burn the stack. + + commit a79c4ad7c56ee4410f17beb73eeb58b0dd36bfc6 + * random/rndlinux.c (_gcry_rndlinux_gather_random): s/int/size_t/. + (_gcry_rndlinux_gather_random): Replace memset by wipememory. + +2014-04-16 Werner Koch + + pubkey: Re-map all depreccated RSA algo numbers. + + commit 773e23698218755e9172d2507031a8263c47cc0b + * cipher/pubkey.c (map_algo): Mape RSA_E and RSA_S. + +2014-04-15 Werner Koch + + cipher: Fix possible NULL dereference. + + commit ae1fbce6dacf14747af0126e640bd4e54cb8c680 + * cipher/md.c (_gcry_md_selftest): Check for spec being NULL. + +2014-03-30 Jussi Kivilinna + + 3des: add amd64 assembly implementation for 3DES. + + commit b76b632a453b8d100d024e2439b4358454dc286e + * cipher/Makefile.am: Add 'des-amd64.S'. + * cipher/cipher-selftests.c (_gcry_selftest_helper_cbc) + (_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Handle failures + from 'setkey' function. + * cipher/cipher.c (_gcry_cipher_open_internal) [USE_DES]: Setup bulk + functions for 3DES. + * cipher/des-amd64.S: New file. + * cipher/des.c (USE_AMD64_ASM, ATTR_ALIGNED_16): New macros. + [USE_AMD64_ASM] (_gcry_3des_amd64_crypt_block) + (_gcry_3des_amd64_ctr_enc), _gcry_3des_amd64_cbc_dec) + (_gcry_3des_amd64_cfb_dec): New prototypes. + [USE_AMD64_ASM] (tripledes_ecb_crypt): New function. + (TRIPLEDES_ECB_BURN_STACK): New macro. + (_gcry_3des_ctr_enc, _gcry_3des_cbc_dec, _gcry_3des_cfb_dec) + (bulk_selftest_setkey, selftest_ctr, selftest_cbc, selftest_cfb): New + functions. + (selftest): Add call to CTR, CBC and CFB selftest functions. + (do_tripledes_encrypt, do_tripledes_decrypt): Use + TRIPLEDES_ECB_BURN_STACK. + * configure.ac [host=x86-64]: Add 'des-amd64.lo'. + * src/cipher.h (_gcry_3des_ctr_enc, _gcry_3des_cbc_dec) + (_gcry_3des_cfb_dec): New prototypes. + +2014-03-13 Werner Koch + + tests: Print diagnostics for skipped tests. + + commit 50aeee51a0b1a09dd9fff2bb71749a816fe7a791 + * tests/basic.c (show_note): New. + (show_md_not_available): + (show_old_hmac_not_available): + (show_mac_not_available): + (check_digests): Remove USE_foo cpp tests from the test table. Call + show_md_not_available if algo is not available. + (check_hmac): Likewise. + (check_mac): Likewise. + +2014-03-11 Dmitry Eremin-Solenikov + + Add MD2 message digest implementation. + + commit 5a8e1504bf8a2ffbc018be576dea77b685200444 + * cipher/md2.c: New. + * cipher/md.c (digest_list): add _gcry_digest_spec_md2. + * tests/basic.c (check_digests): add MD2 test vectors. + * configure.ac (default_digests): disable md2 by default. + +2014-03-04 Dmitry Eremin-Solenikov + + Add an utility to calculate hashes over a set of files. + + commit 2b5403c408dfbd71be24c7635f5fa0b61ab4c9bb + * tests/gchash.c: New. + + Add a simple (raw) PKCS#1 padding mode. + + commit ea8d597726305274214224757b32730644e12bd8 + * src/cipher.h (PUBKEY_ENC_PKCS1_RAW): New. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Handle pkcs1-raw + flag. + * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): + Handle s-exp like (data (flags pkcs1-raw) (value xxxxx)) + * cipher/rsa-common.c (_gcry_rsa_pkcs1_encode_raw_for_sig): + PKCS#1-encode data with embedded hash OID for signature verification. + * tests/basic.c (check_pubkey_sign): Add tests for s-exps with pkcs1-raw + flag. + +2014-02-04 Jussi Kivilinna + + Fix ARMv6 detection when CFLAGS modify target CPU architecture. + + commit 6be3032048ee2466511d2384fcf2d28b856219b2 + * configure.ac (gcry_cv_cc_arm_arch_is_v6): Use compiler test instead + of preprocessor test. + +2014-01-29 Werner Koch + + Reserve control code for FIPS extensions. + + commit aea96a64fbc58a0b6f9f435e97e93294c6eb1052 + * src/gcrypt.h.in (GCRYCTL_INACTIVATE_FIPS_FLAG): New. + (GCRYCTL_REACTIVATE_FIPS_FLAG): New. + * src/global.c (_gcry_vcontrol): Add them but return not_implemented. + +2014-01-29 NIIBE Yutaka + + Fix RSA Blinding. + + commit 121a90d8931944974054f7d94f63b7f89df87fa5 + * cipher/rsa.c (rsa_decrypt): Loop to get multiplicative inverse. + +2014-01-28 Werner Koch + + cipher: Take care of ENABLE_NEON_SUPPORT. + + commit 52f7c48c901a3de51bd690a218f3de2f71e8d790 + * cipher/salsa20.c (USE_ARM_NEON_ASM): Define only if + ENABLE_NEON_SUPPORT is defined. + * cipher/serpent.c (USE_NEON): Ditto. + * cipher/sha1.c (USE_NEON): Ditto. + * cipher/sha512.c (USE_ARM_NEON_ASM): Ditto. + + sexp: Fix broken gcry_sexp_nth. + + commit cbdc355415f83ed62da4f3618767eba54d7e6d37 + * src/sexp.c (_gcry_sexp_nth): Return a valid S-expression for a data + element. + (NODE): Remove unused typedef. + (ST_HINT): Comment unused macro. + + * tests/t-sexp.c (bug_1594): New. + (main): Run new test. + +2014-01-27 Werner Koch + + tests: Improve t-common.h. + + commit 7460e9243b3cc050631c37ed4f2713ae7bcb6762 + * tests/t-common.h: Add couple of macros. Check that config.h has + been included. + (show): Rename to info. + * tests/t-lock.c, tests/t-sexp.c: Adjust for changes. + + mpi: Minor fix for Atari-mint. + + commit 3caa0f1319dc4779e0d6eee4460c1af2a12b2c3c + * mpi/config.links [m68k-atari-mint]: Do not assume 68020. Suggested + by Alan Hourihane. + + (cherry picked from commit 420f42a5752e90a8b27d58ffa1ddfe6e4ab341e8) + +2014-01-27 Dmitry Eremin-Solenikov + + Fix most of memory leaks in tests code. + + commit 5c150ece094bf0a504a111ce6c7b72e8d0b0457a + * tests/basic.c (check_ccm_cipher): Close cipher after use. + * tests/basic.c (check_one_cipher): Correct length of used buffer. + * tests/benchmark.c (cipher_bench): Use xcalloc to make buffer + initialized. + * tests/keygen.c (check_ecc_keys): Release generated key. + * tests/t-mpi-point.c (context_param): Release mpi Q. + * tests/t-sexp.c (check_extract_param): Release extracted number. + + Fix memory leaks in ecc code. + + commit 6d87e6abdfb7552323a95401f14e6367398a3e5a + * cipher/ecc-curves.c (_gcry_ecc_update_curve_param): Release passed mpi + values. + * cipher/ecc.c (compute_keygrip): Fix potential memory leak in error + path. + * cipher/ecc.c (_gcry_ecc_get_curve): Release temporary mpi. + + Fix number of blocks passed used in _gcry_rmd160_mixblock. + + commit 5d23e7b9a77421f3ebfda4a84c459a8729f3bb41 + * cipher/rmd160.c (_gcry_rmd160_mixblock): pass 1 to transform + +2014-01-27 Werner Koch + + Small Windows build tweaks. + + commit f7df906171854b6b6506b82d4fee2c2ebb0327ea + * configure.ac (HAVE_PTHREAD): Do test when building for Windows. + + * tests/basic.c: Replace "%zi" by "%z" and a cast to make it work + under Windows. + + Update gpg-error autoconf macros to fix threading problems. + + commit 79da0358fd555361e1ce4202f55494a8918eb8ae + * m4/gpg-error.m4: Update to version 2014-01-24. + * tests/Makefile.am (t_lock_LDADD): Use MT Libs. + +2014-01-24 Dmitry Eremin-Solenikov + + tests: Pass -no-install to libtool. + + commit bf34bfa5c458ee5ece91f25e3b4194d768498ab6 + * tests/Makefile.am: add AM_LDFLAGS = -no-install + +2014-01-24 Werner Koch + + tests: Add a test for the internal locking. + + commit ff91ec934ed52294cddcd7dcfacc04721a0487bf + * src/global.c (external_lock_test): New. + (_gcry_vcontrol): Call new function with formerly reserved code 61. + + * tests/t-common.h: New. Taken from current libgpg-error. + * tests/t-lock.c: New. Based on t-lock.c from libgpg-error. + * configure.ac (HAVE_PTHREAD): Set macro to 1 if defined. + (AC_CHECK_FUNCS): Check for flockfile. + * tests/Makefile.am (tests_bin): Add t-lock. + (noinst_HEADERS): Add t-common.h + (LDADD): Move value to ... + (default_ldadd): new. + (t_lock_LDADD): New. + + Check compiler features only for the relevant platform. + + commit 24e65d715812cea28732397870cb1585b8435521 + * mpi/config.links (mpi_cpu_arch): Always set for ARM. Set for HPPA. + Set to "undefined" for unknown platforms. + (try_asm_modules): Act upon only after having detected the CPU. + * configure.ac: Move the call to config.links before the platform + specific compiler checks. Check platform specific features only if + the platform is targeted. + +2014-01-23 Werner Koch + + Support building using the latest mingw-w64 toolchain. + + commit 4ad3417acab5021db1f722c314314ce4b781833a + * acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Change mingw detection. + +2014-01-20 Werner Koch + + cipher: Fix commit 94030e44. + + commit dad06e4d1b835bac778b87090b1d3894b7535b14 + * cipher/tiger.c (tiger_init): Add arg FLAGS. + (tiger1_init, tiger2_init): Ditto. + + tests: Rename tsexp.c. + + commit 192e77d123fdb04c459c998b9eb1731618a833fa + * tests/tsexp.c: Rename to t-sexp.c + +2014-01-19 Werner Koch + + md: Add Whirlpool bug emulation feature. + + commit 94030e44aaff805d754e368507f16dd51a531b72 + * src/gcrypt.h.in (GCRY_MD_FLAG_BUGEMU1): New. + * src/cipher-proto.h (gcry_md_init_t): Add arg FLAGS. Change all code + to implement that flag. + * cipher/md.c (gcry_md_context): Replace SECURE and FINALIZED by bit + field FLAGS. Add flag BUGEMU1. Change all users. + (md_open): Replace args SECURE and HMAC by FLAGS. Init flags.bugemu1. + (_gcry_md_open): Add for GCRY_MD_FLAG_BUGEMU1. + (md_enable): Pass bugemu1 flag to the hash init function. + (_gcry_md_reset): Ditto. + +2014-01-17 Werner Koch + + Actually check for uint64_t. + + commit c3b30bae7d1e157f8b65e32ba1b3a516f2bbf58b + * configure.ac: Check size of uint64_t and the UINT64_C macro. + +2014-01-16 Werner Koch + + Replace ath based mutexes by gpgrt based locks. + + commit cfc151ba637200e4fc05d9481a8df2071b2f9a47 + * configure.ac (NEED_GPG_ERROR_VERSION): Require 1.13. + (gl_LOCK): Remove. + * src/ath.c, src/ath.h: Remove. Remove from all files. Replace all + mutexes by gpgrt based statically initialized locks. + * src/global.c (global_init): Remove ath_init. + (_gcry_vcontrol): Make ath install a dummy function. + (print_config): Remove threads info line. + + * doc/gcrypt.texi: Simplify the multi-thread related documentation. + +2014-01-15 NIIBE Yutaka + + ecc: Fix _gcry_mpi_ec_p_new to allow secp256k1. + + commit 49edeebb43174865cf4fa2c170a42a8e4274c4f0 + * mpi/ec.c (_gcry_mpi_ec_p_new): Remove checking a!=0. + * tests/t-mpi-point.c (context_alloc): Remove two spurious tests. + +2014-01-14 Milan Broz + + PBKDF2: Use gcry_md_reset to speed up calculation. + + commit 04cda6b7cc16f3f52c12d9d3e46c56701003496e + * cipher/kdf.c (_gcry_kdf_pkdf2): Use gcry_md_reset + to speed up calculation. + +2014-01-13 Werner Koch + + Fix macro conflict in NetBSD. + + commit 5f2af6c26bc04975c0b518881532871d7387d7ce + * cipher/bithelp.h (bswap32): Rename to _gcry_bswap32. + (bswap64): Rename to _gcry_bswap64. + + Use internal malloc function in fips.c. + + commit 518ae274a1845ce626b2b4223a9b3805cbbab1a7 + * src/fips.c (check_binary_integrity): s/gcry_malloc/xtrymalloc/. + +2014-01-13 Dmitry Eremin-Solenikov + + Truncate hash values for ECDSA signature scheme. + + commit 9edcf1090e0485f9f383b6c54b18ea8ca3d4a225 + * cipher/dsa-common (_gcry_dsa_normalize_hash): New. Truncate opaque + mpis as required for DSA and ECDSA signature schemas. + * cipher/dsa.c (verify): Return gpg_err_code_t value from verify() to + behave like the rest of internal sign/verify functions. + * cipher/dsa.c (sign, verify, dsa_verify): Factor out hash truncation. + * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Factor out hash truncation. + * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_verify): + as required by ECDSA scheme, truncate hash values to bitlength of + used curve. + * tests/pubkey.c (check_ecc_sample_key): add a testcase for hash + truncation. + + Add GOST R 34.10-2012 curves proposed by TC26. + + commit 2c5ec803100ed8261e51442fb93b75367b7725ea + * cipher/ecc-curves.c (domain_parmss): Add two GOST R 34.10-2012 curves + proposed/pending to standardization by TC26 (Russian cryptography + technical comitee). + * cipher/ecc-curves.c (curve_alias): Add OID aliases. + * tests/curves.c: Increase N_CURVES. + + Add GOST R 34.10-2001 curves per RFC4357. + + commit 9bedc5c3b646dfe481678ca58f5466ac46decaf7 + * cipher/ecc-curves.c (domain_parms): Add 3 curves defined in rfc4357. + * cipher/ecc-curves.c (curve_aliases): Add OID and Xch aliases for GOST + curves. + * tests/curves.c (N_CURVES): Update value. + + Fix typo in search_oid. + + commit 7edcb574d8d6dffb6e234c2ba1996a9a04923859 + * cipher/md.c (search_oid): Invert condition on oid comparison. + + Add MD2-HMAC calculation support. + + commit 653b58cb5e85511b6c04c3f85ef3e372c2e9f74f + * src/gcrypt.h.in (GCRY_MAC_HMAC_MD2): New. + * cipher/mac-hmac.c: Support GCRY_MAC_HMAC_MD2. + + Add a function to retrieve algorithm used by MAC handler. + + commit 8439a379c86ef1088465ea70ac10840759a1638e + * cipher/mac.c (_gcry_mac_get_algo): New function, returns used algo. + * src/visibility.c (gcry_mac_get_algo): New wrapper. + * src/visibility.h: Hanlde gcry_mac_get_algo. + * src/gcrypt-int.h (_gcry_mac_get_algo): New. + * src/gcrypt.h.in (gcry_mac_get_algo): New. + * src/libgcrypt.def (gcry_mac_get_algo): New. + * src/libgcrypt.vers (gcry_mac_get_algo): New. + * doc/gcrypt.texi: Document gcry_mac_get_algo. + * tests/basic.c (check_one_mac): Verify gcry_mac_get_algo. + + Correct formatting of gcry_mac_get_algo_keylen documentation. + + commit 36c9e0e4eb4f935da90df1c8df484d1940bda5eb + * doc/gcrypt.texi: add braces near gcry_mac_get_algo_keylen + documentation. + + Use braces around unsigned int in gcry_mac_get_algo_keylen + documentation, otherwise texinfo breaks that and uses 'int' as a + function definition. + +2014-01-13 Werner Koch + + ecc: Make a macro shorter. + + commit 2ef48ba59c32bfa1a9265d5eea8ab225a658903a + * src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS. CHnage + all users. + * cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as + comment. + * mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards. + (add_points_twistededwards): Rename to add_points_edwards. + +2014-01-12 Jussi Kivilinna + + Fix assembly division check. + + commit ef3e66e168c4b9b86bfc4903001631e53a7125d8 + * configure.ac (gcry_cv_gcc_as_const_division_ok): Correct variable + name mismatch at '--Wa,--divide' workaround check. + +2014-01-12 NIIBE Yutaka + + Add secp256k1 curve. + + commit 019e0e9e8c77a2edf283745e05e9301673ea6a0a + * cipher/ecc-curves.c (curve_aliases): Add secp256k1 and its OID. + (domain_parms): Add secp256k1's domain paramerter. + + * tests/basic.c (check_pubkey): Add a key of secp256k1. + + * tests/curves.c (N_CURVES): Updated. + +2014-01-12 Jussi Kivilinna + + Fix constant division for AMD64 assembly on Solaris/x86. + + commit 43376891c01f4aff1fbfb23beafebb5adfd0868c + * configure.ac (gcry_cv_gcc_as_const_division_ok): Add new check for + constant division in assembly and test for "-Wa,--divide" workaround. + (gcry_cv_gcc_amd64_platform_as_ok): Check for also constant division. + +2014-01-10 Werner Koch + + Use the generic autogen.sh script. + + commit b0ac1f9b143aa15855914ba93fef900288d45c9c + * autogen.rc: New. + * Makefile.am (EXTRA_DIST): Add it. + * autogen.sh: Update from current GnuPG. + + Move all helper scripts to build-aux/ + + commit df9b4eabf52faee6f289a4bc62219684442ae383 + * scripts/: Rename to build-aux/. + * compile, config.guess, config.rpath, config.sub + * depcomp, doc/mdate-sh, doc/texinfo.tex + * install-sh, ltmain.sh, missing: Move to build-aux/. + * Makefile.am (EXTRA_DIST): Adjust. + * configure.ac (AC_CONFIG_AUX_DIR): New. + (AM_SILENT_RULES): New. + +2013-12-30 Jussi Kivilinna + + Add blowfish/serpent ARM assembly files to Makefile.am. + + commit 7fef7f481c0a1542be34d1dc831f58d41846ac29 + * cipher/Makefile.am: Add 'blowfish-arm.S' and 'serpent-armv7-neon.S'. + + Add AMD64 assembly implementation for arcfour. + + commit 7547898109c72a97e3102b2a045ee4fdb2aa40bf + * cipher/Makefile.am: Add 'arcfour-amd64.S'. + * cipher/arcfour-amd64.S: New. + * cipher/arcfour.c (USE_AMD64_ASM): New. + [USE_AMD64_ASM] (ARCFOUR_context, _gcry_arcfour_amd64) + (encrypt_stream): New. + * configure.ac [host=x86_64]: Add 'arcfour-amd64.lo'. + + Parse /proc/cpuinfo for ARM HW features. + + commit a05be441d8cd89b90d8d58e3a343a436dae377d0 + * src/hwf-arm.c [__linux__] (HAS_PROC_CPUINFO) + (detect_arm_proc_cpuinfo): New. + (_gcry_hwf_detect_arm) [HAS_PROC_CPUINFO]: Check '/proc/cpuinfo' for + HW features. + + Fix buggy/incomplete detection of AVX/AVX2 support. + + commit bbcb12187afb1756cb27296166b57fa19ee45d4d + * configure.ac: Also check for 'xgetbv' instruction in AVX and AVX2 + inline assembly checks. + * src/hwf-x86.c [__i386__] (get_xgetbv): New function. + [__x86_64__] (get_xgetbv): New function. + [HAS_X86_CPUID] (detect_x86_gnuc): Check for OSXSAVE and OS support for + XMM&YMM registers and enable AVX/AVX2 only if XMM&YMM registers are + supported by OS. + +2013-12-18 Jussi Kivilinna + + Change utf-8 copyright characters to '(C)' + + commit b7e814f93ee40fcfe17a187a8989c07fde2ba0cd + cipher/blowfish-amd64.S: Change utf-8 encoded copyright character to + '(C)'. + cipher/blowfish-arm.S: Ditto. + cipher/bufhelp.h: Ditto. + cipher/camellia-aesni-avx-amd64.S: Ditto. + cipher/camellia-aesni-avx2-amd64.S: Ditto. + cipher/camellia-arm.S: Ditto. + cipher/cast5-amd64.S: Ditto. + cipher/cast5-arm.S: Ditto. + cipher/cipher-ccm.c: Ditto. + cipher/cipher-cmac.c: Ditto. + cipher/cipher-gcm.c: Ditto. + cipher/cipher-selftest.c: Ditto. + cipher/cipher-selftest.h: Ditto. + cipher/mac-cmac.c: Ditto. + cipher/mac-gmac.c: Ditto. + cipher/mac-hmac.c: Ditto. + cipher/mac-internal.h: Ditto. + cipher/mac.c: Ditto. + cipher/rijndael-amd64.S: Ditto. + cipher/rijndael-arm.S: Ditto. + cipher/salsa20-amd64.S: Ditto. + cipher/salsa20-armv7-neon.S: Ditto. + cipher/serpent-armv7-neon.S: Ditto. + cipher/serpent-avx2-amd64.S: Ditto. + cipher/serpent-sse2-amd64.S: Ditto. + + Add ARM/NEON implementation for SHA-1. + + commit fc7dcf616937afaf73cfda1bf7bd79566a96b130 + * cipher/Makefile.am: Add 'sha1-armv7-neon.S'. + * cipher/sha1-armv7-neon.S: New. + * cipher/sha1.c (USE_NEON): New. + (SHA1_CONTEXT, sha1_init) [USE_NEON]: Add and initialize 'use_neon'. + [USE_NEON] (_gcry_sha1_transform_armv7_neon): New. + (transform) [USE_NEON]: Use ARM/NEON assembly if enabled. + * configure.ac: Add 'sha1-armv7-neon.lo'. + + Improve performance of SHA-512/ARM/NEON implementation. + + commit df629ba53a662427ebd3ddca90c3fe9ddd6511d3 + * cipher/sha512-armv7-neon.S (RT01q, RT23q, RT45q, RT67q): New. + (round_0_63, round_64_79): Remove. + (rounds2_0_63, rounds2_64_79): New. + (_gcry_sha512_transform_armv7_neon): Add 'nblks' input; Handle multiple + input blocks; Use new round macros. + * cipher/sha512.c [USE_ARM_NEON_ASM] + (_gcry_sha512_transform_armv7_neon): Add 'num_blks'. + (transform) [USE_ARM_NEON_ASM]: Pass nblks to assembly. + + Add AVX and AVX2/BMI implementations for SHA-256. + + commit a5c2bbfe0db515d739ab683297903c77b1eec124 + * LICENSES: Add 'cipher/sha256-avx-amd64.S' and + 'cipher/sha256-avx2-bmi2-amd64.S'. + * cipher/Makefile.am: Add 'sha256-avx-amd64.S' and + 'sha256-avx2-bmi2-amd64.S'. + * cipher/sha256-avx-amd64.S: New. + * cipher/sha256-avx2-bmi2-amd64.S: New. + * cipher/sha256-ssse3-amd64.S: Use 'lea' instead of 'add' in few + places for tiny speed improvement. + * cipher/sha256.c (USE_AVX, USE_AVX2): New. + (SHA256_CONTEXT) [USE_AVX, USE_AVX2]: Add 'use_avx' and 'use_avx2'. + (sha256_init, sha224_init) [USE_AVX, USE_AVX2]: Initialize above + new context members. + [USE_AVX] (_gcry_sha256_transform_amd64_avx): New. + [USE_AVX2] (_gcry_sha256_transform_amd64_avx2): New. + (transform) [USE_AVX2]: Use AVX2 assembly if enabled. + (transform) [USE_AVX]: Use AVX assembly if enabled. + * configure.ac: Add 'sha256-avx-amd64.lo' and + 'sha256-avx2-bmi2-amd64.lo'. + +2013-12-17 Jussi Kivilinna + + Add AVX and AVX/BMI2 implementations for SHA-1. + + commit e4e458465b124e25b6aec7a60174bf1ca32dc5fd + * cipher/Makefile.am: Add 'sha1-avx-amd64.S' and + 'sha1-avx-bmi2-amd64.S'. + * cipher/sha1-avx-amd64.S: New. + * cipher/sha1-avx-bmi2-amd64.S: New. + * cipher/sha1.c (USE_AVX, USE_BMI2): New. + (SHA1_CONTEXT) [USE_AVX]: Add 'use_avx'. + (SHA1_CONTEXT) [USE_BMI2]: Add 'use_bmi2'. + (sha1_init): Initialize 'use_avx' and 'use_bmi2'. + [USE_AVX] (_gcry_sha1_transform_amd64_avx): New. + [USE_BMI2] (_gcry_sha1_transform_amd64_bmi2): New. + (transform) [USE_BMI2]: Use BMI2 assembly if enabled. + (transform) [USE_AVX]: Use AVX assembly if enabled. + * configure.ac: Add 'sha1-avx-amd64.lo' and 'sha1-avx-bmi2-amd64.lo'. + + SHA-1/SSSE3: Improve performance on large buffers. + + commit 6fd0dd2a5f1362f91e2861cd9d300341a43842a5 + * cipher/sha1-ssse3-amd64.S (RNBLKS): New. + (_gcry_sha1_transform_amd64_ssse3): Handle multiple input blocks, with + software pipelining of next data block processing. + * cipher/sha1.c [USE_SSSE3] (_gcry_sha1_transform_amd64_ssse3): Add + 'nblks'. + (transform) [USE_SSSE3]: Pass nblks to assembly function. + + Add bulk processing for hash transform functions. + + commit 50b8c8342d023038a4b528af83153293dd2756ea + * cipher/hash-common.c (_gcry_md_block_write): Preload 'hd->blocksize' + to stack, pass number of blocks to 'hd->bwrite'. + * cipher/hash-common.c (_gcry_md_block_write_t): Add 'nblks'. + * cipher/gostr3411-94.c: Rename 'transform' function to + 'transform_blk', add new 'transform' function with 'nblks' as + additional input. + * cipher/md4.c: Ditto. + * cipher/md5.c: Ditto. + * cipher/md4.c: Ditto. + * cipher/rmd160.c: Ditto. + * cipher/sha1.c: Ditto. + * cipher/sha256.c: Ditto. + * cipher/sha512.c: Ditto. + * cipher/stribog.c: Ditto. + * cipher/tiger.c: Ditto. + * cipher/whirlpool.c: Ditto. + +2013-12-16 Werner Koch + + Release 1.6.0. + + commit 0ea9731e1c93a962f6266004ab0e7418c19d6277 + + + doc: Change yat2m to allow arbitrary condition names. + + commit 9a912f8c4f366c53f1cdb94513b67b937e87178b + * doc/yat2m.c (MAX_CONDITION_NESTING): New. + (gpgone_defined): Remove. + (condition_s, condition_stack, condition_stack_idx): New. + (cond_is_active, cond_in_verbatim): New. + (add_predefined_macro, set_macro, macro_set_p): New. + (evaluate_conditions, push_condition, pop_condition): New. + (parse_file): Rewrite to use the condition stack. + (top_parse_file): Set prefined macros. + (main): Change -D to define arbitrary macros. + + tests: Add SHA-512 to the long hash test. + + commit 0d3bd23d7f730b9bbc81fc8da8d99f4853c36020 + * tests/hashtest.c (testvectors): Add vectors for 256GiB SHA-512. + * tests/hashtest-256g.in (algos): Add test for SHA-512. + + Add configure option --enable-large-data-tests. + + commit a6b9304a889397ac98e1c2c4ac3e178669d94492 + * configure.ac: Add option --enable-large-data-tests. + * tests/hashtest-256g.in: New. + * tests/Makefile.am (EXTRA_DIST): Add hashtest-256g.in. + (TESTS): Split up into tests_bin, tests_bin_last, tests_sh, and + tests_sh_last. + (tests_sh_last): Add hashtest-256g + (noinst_PROGRAMS): Add only tests_bin and tests_bin_last. + (bench-slope.log, hashtest-256g.log): New rules to enforce serial run. + + random: Call random progress handler more often. + + commit 5a7ce59396fe56f0d681df314bfbdb5f7732d4b1 + * random/rndlinux.c (_gcry_rndlinux_gather_random): Update progress + indicator earlier. + + cipher: Normalize the MPIs used as input to secret key functions. + + commit dec048b2ec79271a2f4405be5b87b1e768b3f1a9 + * cipher/dsa.c (sign): Normalize INPUT. + * cipher/elgamal.c (decrypt): Normalize A and B. + * cipher/rsa.c (secret): Normalize the INPUT. + (rsa_decrypt): Reduce DATA before passing to secret. + +2013-12-16 Jussi Kivilinna + + Change dummy variable in mpih-div.c to mpi_limb_t type. + + commit 953535a7de68cf62b5b1ad6f96ea3a9edd83762c + * mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Change dummy + variable to 'mpi_limb_t' type from 'int'. + + Remove duplicate gcry_mac_hd_t typedef. + + commit 5c31990214b58c4e17edb01fbbe6d9f573975a22 + * cipher/mac-internal.h (gcry_mac_hd_t): Remove. + +2013-12-15 Jussi Kivilinna + + Use u64 for CCM data lengths. + + commit 110fed2d6b0bbc97cb5cc0a3a564e05fc42afa2d + * cipher/cipher-ccm.c: Move code inside [HAVE_U64_TYPEDEF]. + [HAVE_U64_TYPEDEF] (_gcry_cipher_ccm_set_lengths): Use 'u64' for + data lengths. + [!HAVE_U64_TYPEDEF] (_gcry_cipher_ccm_encrypt) + (_gcry_cipher_ccm_decrypt, _gcry_cipher_ccm_set_nonce) + (_gcry_cipher_ccm_authenticate, _gcry_cipher_ccm_get_tag) + (_gcry_cipher_ccm_check_tag): Dummy functions returning + GPG_ERROR_NOT_SUPPORTED. + * cipher/cipher-internal.h (gcry_cipher_handle.u_mode.ccm) + (_gcry_cipher_ccm_set_lengths): Move inside [HAVE_U64_TYPEDEF] and use + u64 instead of size_t for CCM data lengths. + * cipher/cipher.c (_gcry_cipher_open_internal, cipher_reset) + (_gcry_cipher_ctl) [!HAVE_U64_TYPEDEF]: Return GPG_ERR_NOT_SUPPORTED + for CCM. + (_gcry_cipher_ctl) [HAVE_U64_TYPEDEF]: Use u64 for + GCRYCTL_SET_CCM_LENGTHS length parameters. + * tests/basic.c: Do not use CCM if !HAVE_U64_TYPEDEF. + * tests/bench-slope.c: Ditto. + * tests/benchmark.c: Ditto. + +2013-12-14 Werner Koch + + tests: Prevent rare failure of gcry_pk_decrypt test. + + commit bfb43a17d8db571fca4ed433ee8be5c366745844 + * tests/basic.c (check_pubkey_crypt): Add special mode 1. + (main): Add option --loop. + +2013-12-14 Jussi Kivilinna + + Minor fixes to SHA assembly implementations. + + commit ffd9b2aa5abda7f4d7790ed48116ed5d71ab9995 + * cipher/Makefile.am: Correct 'sha256-avx*.S' to 'sha512-avx*.S'. + * cipher/sha1-ssse3-amd64.S: First line, correct filename. + * cipher/sha256-ssse3-amd64.S: Return correct stack burn depth. + * cipher/sha512-avx-amd64.S: Use 'vzeroall' to clear registers. + * cipher/sha512-avx2-bmi2-amd64.S: Ditto and return correct stack burn + depth. + + SHA-1/SSSE3: Do not check for Intel syntax assembly support. + + commit c86c35534a153b13e880d0bb0ea3e48e1c0ecaf9 + * cipher/sha1-ssse3-amd64.S: Remove check for + HAVE_INTEL_SYNTAX_PLATFORM_AS. + * cipher/sha1.c [USE_SSSE3]: Ditto. + +2013-12-13 Jussi Kivilinna + + Convert SHA-1 SSSE3 implementation from mixed asm&C to pure asm. + + commit d2b853246c2ed056a92096d89c3ca057e45c9c92 + * cipher/Makefile.am: Change 'sha1-ssse3-amd64.c' to + 'sha1-ssse3-amd64.S'. + * cipher/sha1-ssse3-amd64.c: Remove. + * cipher/sha1-ssse3-amd64.S: New. + + SHA-1: Add SSSE3 implementation. + + commit be2238f68abcc6f2b4e8c38ad9141376ce622a22 + * cipher/Makefile.am: Add 'sha1-ssse3-amd64.c'. + * cipher/sha1-ssse3-amd64.c: New. + * cipher/sha1.c (USE_SSSE3): New. + (SHA1_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'. + (sha1_init) [USE_SSSE3]: Initialize 'use_ssse3'. + (transform): Rename to... + (_transform): this. + (transform): New. + * configure.ac [host=x86_64]: Add 'sha1-ssse3-amd64.lo'. + + Add missing register clearing in to SHA-256 and SHA-512 assembly. + + commit 04615cc6803cdede25fa92e3ff697e252a23cd7a + * cipher/sha256-ssse3-amd64.S: Clear used XMM/YMM registers at return. + * cipher/sha512-avx-amd64.S: Ditto. + * cipher/sha512-avx2-bmi2-amd64.S: Ditto. + * cipher/sha512-ssse3-amd64.S: Ditto. + +2013-12-13 Werner Koch + + Update license information. + + commit 764643a3d5634bcbc47790bd8505f6a1a5280d9c + * LICENSES: New. + * Makefile.am (EXTRA_DIST): Add LICENSES. + * AUTHORS: Add list of copyright holders. + * README: Reference AUTHORS. + +2013-12-13 Jussi Kivilinna + + Fix empty clobber in AVX2 assembly check. + + commit e41d605ee41469e8a33cdc4d38f742cfb931f835 + * configure.ac (gcry_cv_gcc_inline_asm_avx2): Add "cc" as assembly + globber. + + Fix W32 build. + + commit a71b810ddd67ca3a1773d8f929d162551abb58eb + * random/rndw32.c (register_poll, slow_gatherer): Change gcry_xmalloc to + xmalloc, and gcry_xrealloc to xrealloc. + +2013-12-12 Jussi Kivilinna + + SHA-512: Add AVX and AVX2 implementations for x86-64. + + commit 2e4253dc8eb512cd0e807360926dc6ba912c95b4 + * cipher/Makefile.am: Add 'sha512-avx-amd64.S' and + 'sha512-avx2-bmi2-amd64.S'. + * cipher/sha512-avx-amd64.S: New. + * cipher/sha512-avx2-bmi2-amd64.S: New. + * cipher/sha512.c (USE_AVX, USE_AVX2): New. + (SHA512_CONTEXT) [USE_AVX]: Add 'use_avx'. + (SHA512_CONTEXT) [USE_AVX2]: Add 'use_avx2'. + (sha512_init, sha384_init) [USE_AVX]: Initialize 'use_avx'. + (sha512_init, sha384_init) [USE_AVX2]: Initialize 'use_avx2'. + [USE_AVX] (_gcry_sha512_transform_amd64_avx): New. + [USE_AVX2] (_gcry_sha512_transform_amd64_avx2): New. + (transform) [USE_AVX2]: Add call for AVX2 implementation. + (transform) [USE_AVX]: Add call for AVX implementation. + * configure.ac (HAVE_GCC_INLINE_ASM_BMI2): New check. + (sha512): Add 'sha512-avx-amd64.lo' and 'sha512-avx2-bmi2-amd64.lo'. + * doc/gcrypt.texi: Document 'intel-cpu' and 'intel-bmi2'. + * src/g10lib.h (HWF_INTEL_CPU, HWF_INTEL_BMI2): New. + * src/hwfeatures.c (hwflist): Add "intel-cpu" and "intel-bmi2". + * src/hwf-x86.c (detect_x86_gnuc): Check for HWF_INTEL_CPU and + HWF_INTEL_BMI2. + + SHA-512: Add SSSE3 implementation for x86-64. + + commit 69a6d0f9562fcd26112a589318c13de66ce1700e + * cipher/Makefile.am: Add 'sha512-ssse3-amd64.S'. + * cipher/sha512-ssse3-amd64.S: New. + * cipher/sha512.c (USE_SSSE3): New. + (SHA512_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'. + (sha512_init, sha384_init) [USE_SSSE3]: Initialize 'use_ssse3'. + [USE_SSSE3] (_gcry_sha512_transform_amd64_ssse3): New. + (transform) [USE_SSSE3]: Call SSSE3 implementation. + * configure.ac (sha512): Add 'sha512-ssse3-amd64.lo'. + + SHA-256: Add SSSE3 implementation for x86-64. + + commit e1a3931263e67aacec3c0bfcaa86c7d1441d5c6a + * cipher/Makefile.am: Add 'sha256-ssse3-amd64.S'. + * cipher/sha256-ssse3-amd64.S: New. + * cipher/sha256.c (USE_SSSE3): New. + (SHA256_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'. + (sha256_init, sha224_init) [USE_SSSE3]: Initialize 'use_ssse3'. + (transform): Rename to... + (_transform): This. + [USE_SSSE3] (_gcry_sha256_transform_amd64_ssse3): New. + (transform): New. + * configure.ac (HAVE_INTEL_SYNTAX_PLATFORM_AS): New check. + (sha256): Add 'sha256-ssse3-amd64.lo'. + * doc/gcrypt.texi: Document 'intel-ssse3'. + * src/g10lib.h (HWF_INTEL_SSSE3): New. + * src/hwfeatures.c (hwflist): Add "intel-ssse3". + * src/hwf-x86.c (detect_x86_gnuc): Test for SSSE3. + +2013-12-12 Werner Koch + + Add a configuration file to disable hardware features. + + commit 5e1239b1e2948211ff2675f45cce2b28c3379cfb + * src/hwfeatures.c: Inclyde syslog.h and ctype.h. + (HWF_DENY_FILE): New. + (my_isascii): New. + (parse_hwf_deny_file): New. + (_gcry_detect_hw_features): Call it. + + * src/mpicalc.c (main): Correctly initialize Libgcrypt. Add options + "--print-config" and "--disable-hwf". + + Move list of hardware features to hwfeatures.c. + + commit 4ae77322b681a13da62d01274bcab25be2af12d0 + * src/global.c (hwflist, disabled_hw_features): Move to .. + * src/hwfeatures.c: here. + (_gcry_disable_hw_feature): New. + (_gcry_enum_hw_features): New. + (_gcry_detect_hw_features): Remove arg DISABLED_FEATURES. + * src/global.c (print_config, _gcry_vcontrol, global_init): Adjust + accordingly. + + Remove macro hacks for internal vs. external functions. Part 2 and last. + + commit 3b30e9840d4b351c4de73b126e561154cb7df4cc + * src/visibility.h: Remove remaining define/undef hacks for symbol + visibility. Add macros to detect the use of the public functions. + Change all affected functions by replacing them by the x-macros. + * src/g10lib.h: Add internal prototypes. + (xtrymalloc, xtrycalloc, xtrymalloc_secure, xtrycalloc_secure) + (xtryrealloc, xtrystrdup, xmalloc, xcalloc, xmalloc_secure) + (xcalloc_secure, xrealloc, xstrdup, xfree): New macros. + +2013-12-11 Werner Koch + + random: Add a feature to close device file descriptors. + + commit cd548ba2dc777b8b27d8d33182ba733c20222120 + * src/gcrypt.h.in (GCRYCTL_CLOSE_RANDOM_DEVICE): New. + * src/global.c (_gcry_vcontrol): Call _gcry_random_close_fds. + * random/random.c (_gcry_random_close_fds): New. + * random/random-csprng.c (_gcry_rngcsprng_close_fds): New. + * random/random-fips.c (_gcry_rngfips_close_fds): New. + * random/random-system.c (_gcry_rngsystem_close_fds): New. + * random/rndlinux.c (open_device): Add arg retry. + (_gcry_rndlinux_gather_random): Add mode to close open fds. + + * tests/random.c (check_close_random_device): New. + (main): Call new test. + +2013-12-10 Werner Koch + + Fix last commit (9a37470c) + + commit eae1e7712e1b687bd77eb37d0eb505fc9d46d93c + * src/secmem.c (lock_pool): Remove remaining line. Reported by Ian + Goldberg. + +2013-12-09 Werner Koch + + Fix one-off memory leak when build with Linux capability support. + + commit 9a37470c50ee9966cb2652617a404ddd54a9c096 + * src/secmem.c (lock_pool, secmem_init): Use cap_free. Reported by + Mike Crowe . + +2013-12-09 David 'Digit' Turner + + Update libtool to support Android. + + commit 2516f0b660b1a7181ad38c44310c627f4f498595 + * m4/libtool.m4: Add "linux*android*" case. Taken from the libtool + repository. + +2013-12-09 Werner Koch + + tests: Speed up benchmarks in regression test mode. + + commit 2e5354fe8db5288939733d0fb63ad4c87bc20105 + * tests/tsexp.c (check_extract_param): Fix compiler warning. + * tests/Makefile.am (TESTS_ENVIRONMENT): Set GCRYPT_IN_REGRESSION_TEST. + * tests/bench-slope.c (main): Speed up if in regression test mode. + * tests/benchmark.c (main): Ditto. + + tests: Add --csv option to bench-slope. + + commit 8072e9fa4b42ae8e65e266aa158fd903f1bb0927 + * tests/bench-slope.c (STR, STR2): New. + (cvs_mode): New. + (num_measurement_repetitions): New. Replace use of + NUM_MEASUREMENT_REPETITIONS by this. + (current_section_name, current_algo_name, current_mode_name): New. + (bench_print_result_csv): New. + (bench_print_result_std): Rename from bench_print_result. + (bench_print_result): New. Divert depending on CSV_MODE. + (bench_print_header, bench_print_footer): take care of CSV_MODE. + (bench_print_algo, bench_print_mode): New. Use them instead of + explicit printfs. + (main): Add options --csv and --repetitions. + +2013-12-07 Werner Koch + + sexp: Allow long names and white space in gcry_sexp_extract_param. + + commit d4555433b6e422fa69a85cae99961f513e55d82b + * src/sexp.c (_gcry_sexp_vextract_param): Skip white space. Support + long parameter names. + * tests/tsexp.c (check_extract_param): Add test cases for long parameter + names and white space. + +2013-12-06 Werner Koch + + ecc: Merge partly duplicated code. + + commit 405021cb6d4e470337302c65dec5bc91491a89c1 + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Factor A hashing out to ... + (_gcry_ecc_eddsa_compute_h_d): new function. + * cipher/ecc-misc.c (_gcry_ecc_compute_public): Use new function. + (reverse_buffer): Remove. + + ecc: Remove unused internal function. + + commit 4cf2c65fe15173c8d68a141a01b34fc1fb9080b7 + * src/cipher-proto.h (gcry_pk_spec): Remove get_param. + * cipher/ecc-curves.c (_gcry_ecc_get_param_sexp): Merge in code from + _gcry_ecc_get_param. + (_gcry_ecc_get_param): Remove. + * cipher/ecc.c (_gcry_pubkey_spec_ecc): Remove _gcry_ecc_get_param. + +2013-12-06 Jussi Kivilinna + + Fix building on mingw32. + + commit 5917ce34e3b3eac4c15f62577e4723974024f818 + * src/gcrypt-int.h: Include . + +2013-12-05 Werner Koch + + ecc: Change OID for Ed25519. + + commit 7ef43d1eebb4f8226e860982dfe5fa2e2c82ad0f + * cipher/ecc-curves.c (curve_aliased): Add more suitable OID for + Ed25519. + + Remove macro hacks for internal vs. external functions. Part 1. + + commit 7bacf1812b55fa78db63abaa1f5a9220e9c6cccc + * src/visibility.h: Remove almost all define/undef hacks for symbol + visibility. Add macros to detect the use of the public functions. + Change all affected functions by prefixing them explicitly with an + underscore and change all internal callers to call the underscore + prefixed versions. Provide convenience macros from sexp and mpi + functions. + * src/visibility.c: Change all functions to use only gpg_err_code_t + and translate to gpg_error_t only in visibility.c. + +2013-12-04 Jussi Kivilinna + + mpi: add inline assembly for x86-64. + + commit 85bb0a98ea5add0296cbcc415d557eaa1f6bd294 + * mpi/longlong.h [__x86_64] (add_ssaaaa, sub_ddmmss, umul_ppmm) + (udiv_qrnnd, count_leading_zeros, count_trailing_zeros): New. + +2013-12-04 NIIBE Yutaka + + mpi: fix gcry_mpi_powm for negative base. + + commit c56080c26186d25dec05f01831494c77d8d07e13 + * mpi/mpi-pow.c (gcry_mpi_powm) [USE_ALGORITHM_SIMPLE_EXPONENTIATION]: + Fix for the case where BASE is negative. + * tests/mpitests.c (test_powm): Add a test case of (-17)^6 mod 19. + +2013-12-03 Werner Koch + + Add build support for ppc64le. + + commit 2ff86db2e1b0f6cc22a1ca86037b526c5fa3be51 + * config.guess, config.sub: Update to latest version (2013-11-29). + * m4/libtool.m4: Add patches for ppc64le. + +2013-12-03 Jussi Kivilinna + + rijndael: fix compiler warning on aarch64. + + commit 59b1a1b7ee2923e1bf091071ae716d180c6c6006 + * cipher/rijndael.c (do_setkey): Use braces for empty if statement + instead of semicolon. + + Add aarch64 (arm64) mpi assembly. + + commit 80896bc8f5e6ed9a627374e34f040ad5f3617584 + * mpi/aarch64/mpi-asm-defs.h: New. + * mpi/aarch64/mpih-add1.S: New. + * mpi/aarch64/mpih-mul1.S: New. + * mpi/aarch64/mpih-mul2.S: New. + * mpi/aarch64/mpih-mul3.S: New. + * mpi/aarch64/mpih-sub1.S: New. + * mpi/config.links [host=aarch64-*-*]: Add configguration for aarch64 + assembly. + * mpi/longlong.h [__aarch64__] (add_ssaaaa, sub_ddmmss, umul_ppmm) + (count_leading_zeros): New. + +2013-12-02 Werner Koch + + ecc: Use constant time point operation for Twisted Edwards. + + commit d4ce0cfe0d35d7ec69c115456848b5b735c928ea + * mpi/ec.c (_gcry_mpi_ec_mul_point): Try to do a constant time + operation if needed. + * tests/benchmark.c (main): Add option --use-secmem. + + ecc: Make gcry_pk_testkey work for Ed25519. + + commit 14ae6224b1b17abbfc80c26ad0f4c60f1e8635e2 + * cipher/ecc-misc.c (_gcry_ecc_compute_public): Add optional args G + and d. Change all callers. + * cipher/ecc.c (gen_y_2): Remove. + (check_secret_key): Use generic public key compute function. Adjust + for use with Ed25519 and EdDSA. + (nist_generate_key): Do not use the compliant key thingy for Ed25519. + (ecc_check_secret_key): Make parameter parsing similar to the other + functions. + * cipher/ecc-curves.c (domain_parms): Zero prefix some parameters so + that _gcry_ecc_update_curve_param works correctly. + * tests/keygen.c (check_ecc_keys): Add "param" flag. Check all + Ed25519 keys. + + ecc: Fix eddsa point decompression. + + commit 485f35124b1a74af0bad321ed70be3a79d8d11d7 + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): Fix the negative + case. + + ecc: Fix gcry_mpi_ec_curve_point for Weierstrass. + + commit ecb90f8e7c6f2516080d27ed7da6a25f2314da3c + * mpi/ec.c (_gcry_mpi_ec_curve_point): Use correct equation. + (ec_pow3): New. + (ec_p_init): Always copy B. + + mpi: Introduce 4 user flags for gcry_mpi_t. + + commit 29eddc2558d4cf39995f66d5fccd62f584d5b203 + * src/gcrypt.h.in (GCRYMPI_FLAG_USER1, GCRYMPI_FLAG_USER2) + (GCRYMPI_FLAG_USER3, GCRYMPI_FLAG_USER4): New. + * mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag) + (gcry_mpi_get_flag, _gcry_mpi_free): Implement them. + (gcry_mpi_set_opaque): Keep user flags. + +2013-11-29 Vladimir 'φ-coder/phcoder' Serbinenko + + Fix armv3 compile error. + + commit 3b1cc9e6c357574f54160298d731c18f3d717b6c + * mpi/longlong.h [__arm__ && __ARM_ARCH < 4] (umul_ppmm): Use + __AND_CLOBBER_CC instead of __CLOBBER_CC. + + longlong.h on mips with clang. + + commit 1ecbd0bca31d462719a2a6590c1d03244e76ef89 + * mpi/longlong.h [__mips__]: Use C-language version with clang. + +2013-11-24 Jussi Kivilinna + + Camellia: Tweaks for AES-NI implementations. + + commit 3ef21e7e1b8003db9792155044db95f9d9ced184 + * cipher/camellia-aesni-avx-amd64.S: Align stack to 16 bytes; tweak + key-setup for small speed up. + * cipher/camellia-aesni-avx2-amd64.S: Use vmovdqu even with aligned + stack; reorder vinsert128 instructions; use rbp for stack frame. + +2013-11-21 Jussi Kivilinna + + Add GMAC to MAC API. + + commit a34448c929b13bfb7b66d69169c89e7319a18b31 + * cipher/Makefile.am: Add 'mac-gmac.c'. + * cipher/mac-gmac.c: New. + * cipher/mac-internal.h (gcry_mac_handle): Add 'u.gcm'. + (_gcry_mac_type_spec_gmac_aes, _gcry_mac_type_spec_gmac_twofish) + (_gcry_mac_type_spec_gmac_serpent, _gcry_mac_type_spec_gmac_seed) + (_gcry_mac_type_spec_gmac_camellia): New externs. + * cipher/mac.c (mac_list): Add GMAC specifications. + * doc/gcrypt.texi: Add mention of GMAC. + * src/gcrypt.h.in (gcry_mac_algos): Add GCM algorithms. + * tests/basic.c (check_one_mac): Add support for MAC IVs. + (check_mac): Add support for MAC IVs and add GMAC test vectors. + * tests/bench-slope.c (mac_bench): Iterate algorithm numbers to 499. + * tests/benchmark.c (mac_bench): Iterate algorithm numbers to 499. + + GCM: Move gcm_table initialization to setkey. + + commit dbfa651618693da7ea73b4d2d00d4efd411bfb46 + * cipher/cipher-gcm.c: Change all 'c->u_iv.iv' to + 'c->u_mode.gcm.u_ghash_key.key'. + (_gcry_cipher_gcm_setkey): New. + (_gcry_cipher_gcm_initiv): Move ghash initialization to function above. + * cipher/cipher-internal.h (gcry_cipher_handle): Add + 'u_mode.gcm.u_ghash_key'; Reorder 'u_mode.gcm' members for partial + clearing in gcry_cipher_reset. + (_gcry_cipher_gcm_setkey): New prototype. + * cipher/cipher.c (cipher_setkey): Add GCM setkey. + (cipher_reset): Clear 'u_mode' only partially for GCM. + +2013-11-20 Jussi Kivilinna + + GCM: Add support for split data buffers and online operation. + + commit fb1e52e3fe231671de546eacd6becd31c26c4f7b + * cipher/cipher-gcm.c (do_ghash_buf): Add buffering for less than + blocksize length input and padding handling. + (_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Add handling + for AAD padding and check if data has already being padded. + (_gcry_cipher_gcm_authenticate): Check that AAD or data has not being + padded yet. + (_gcry_cipher_gcm_initiv): Clear padding marks. + (_gcry_cipher_gcm_tag): Add finalization and padding; Clear sensitive + data from cipher handle, since they are not used after generating tag. + * cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.gcm.macbuf', + 'u_mode.gcm.mac_unused', 'u_mode.gcm.ghash_data_finalized' and + 'u_mode.gcm.ghash_aad_finalized'. + * tests/basic.c (check_gcm_cipher): Rename to... + (_check_gcm_cipher): ...this and add handling for different buffer step + lengths; Enable per byte buffer testing. + (check_gcm_cipher): Call _check_gcm_cipher with different buffer step + sizes. + + GCM: Use size_t for buffer sizes. + + commit 2d870a9142e8c8b3f008e1ad8e83e4bdf7a8e4e7 + * cipher/cipher-gcm.c (ghash, gcm_bytecounter_add, do_ghash_buf) + (_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt) + (_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_geniv) + (_gcry_cipher_gcm_tag): Use size_t for buffer lengths. + * cipher/cipher-internal.h (_gcry_cipher_gcm_encrypt) + (_gcry_cipher_gcm_decrypt, _gcry_cipher_gcm_authenticate): Use size_t + for buffer lengths. + + GCM: add FIPS mode restrictions. + + commit 56d352d6bdcf7abaa33c3399741f5063e2ddc32a + * cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt) + (_gcry_cipher_gcm_get_tag): Do not allow using in FIPS mode is setiv + was invocated directly. + (_gcry_cipher_gcm_setiv): Rename to... + (_gcry_cipher_gcm_initiv): ...this. + (_gcry_cipher_gcm_setiv): New setiv function with check for FIPS mode. + [TODO] (_gcry_cipher_gcm_getiv): New. + * cipher/cipher-internal.h (gcry_cipher_handle): Add + 'u_mode.gcm.disallow_encryption_because_of_setiv_in_fips_mode'. + + GCM: Add clearing and checking of marks.tag. + + commit 32a2da9abc91394b23cf565c1c833fa964394083 + * cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt) + (_gcry_cipher_gcm_decrypt, _gcry_cipher_gcm_authenticate): Make sure + that tag has not been finalized yet. + (_gcry_cipher_gcm_setiv): Clear 'marks.tag'. + + GCM: Add stack burning. + + commit 018f08354b1b116672e82f9ce942884b288aaf9e + * cipher/cipher-gcm.c (do_ghash, ghash): Return stack burn depth. + (setupM): Wipe 'tmp' buffer. + (do_ghash_buf): Wipe 'tmp' buffer and add stack burning. + + Add aggregated bulk processing for GCM on x86-64. + + commit c9537fbf8ff0af919cff2bebadc4c6e7caea8076 + * cipher/cipher-gcm.c [__x86_64__] (gfmul_pclmul_aggr4): New. + (ghash) [GCM_USE_INTEL_PCLMUL]: Add aggregated bulk processing + for __x86_64__. + (setupM) [__x86_64__]: Add initialization for aggregated bulk + processing. + + GCM: Tweak Intel PCLMUL ghash loop for small speed-up. + + commit 9b6764944284fed733c2f88619b3d9eb5d5c259a + * cipher/cipher-gcm.c (do_ghash): Mark 'inline'. + [GCM_USE_INTEL_PCLMUL] (do_ghash_pclmul): Rename to... + [GCM_USE_INTEL_PCLMUL] (gfmul_pclmul): ..this and make inline function. + (ghash) [GCM_USE_INTEL_PCLMUL]: Preload data before ghash-pclmul loop. + + GCM: Use counter mode code for speed-up. + + commit bd4bd23a2511a4bce63c3217cca0d4ecf0c79532 + * cipher/cipher-gcm.c (ghash): Add process for multiple blocks. + (gcm_bytecounter_add, gcm_add32_be128, gcm_check_datalen) + (gcm_check_aadlen_or_ivlen, do_ghash_buf): New functions. + (_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt) + (_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_set_iv) + (_gcry_cipher_gcm_tag): Adjust to use above new functions and + counter mode functions for encryption/decryption. + * cipher/cipher-internal.h (gcry_cipher_handle): Remove 'length'; Add + 'u_mode.gcm.(addlen|datalen|tagiv|datalen_over_limits)'. + (_gcry_cipher_gcm_setiv): Return gcry_err_code_t. + * cipher/cipher.c (cipher_setiv): Return error code. + (_gcry_cipher_setiv): Handle error code from 'cipher_setiv'. + + Add Intel PCLMUL acceleration for GCM. + + commit 5a65ffabadd50f174ab7375faad7a726cce49e61 + * cipher/cipher-gcm.c (fillM): Rename... + (do_fillM): ...to this. + (ghash): Remove. + (fillM): New macro. + (GHASH): Use 'do_ghash' instead of 'ghash'. + [GCM_USE_INTEL_PCLMUL] (do_ghash_pclmul): New. + (ghash): New. + (setupM): New. + (_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt) + (_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_setiv) + (_gcry_cipher_gcm_tag): Use 'ghash' instead of 'GHASH' and + 'c->u_mode.gcm.u_tag.tag' instead of 'c->u_tag.tag'. + * cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): New. + (gcry_cipher_handle): Move 'u_tag' and 'gcm_table' under + 'u_mode.gcm'. + * configure.ac (pclmulsupport, gcry_cv_gcc_inline_asm_pclmul): New. + * src/g10lib.h (HWF_INTEL_PCLMUL): New. + * src/global.c: Add "intel-pclmul". + * src/hwf-x86.c (detect_x86_gnuc): Add check for Intel PCLMUL. + + GCM: GHASH optimizations. + + commit 0e9e7d72f3c9eb7ac832746c3034855faaf8d02c + * cipher/cipher-gcm.c [GCM_USE_TABLES] (gcmR, ghash): Replace with new. + [GCM_USE_TABLES] [GCM_TABLES_USE_U64] (bshift, fillM, do_ghash): New. + [GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (bshift, fillM): Replace with + new. + [GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (do_ghash): New. + (_gcry_cipher_gcm_tag): Remove extra memcpy to outbuf and use + buf_eq_const for comparing authentication tag. + * cipher/cipher-internal.h (gcry_cipher_handle): Different 'gcm_table' + for 32-bit and 64-bit platforms. + + Add some documentation for GCM mode. + + commit 332da0ed7c8fab6c2bee841c94d8364c2ab4e30d + * doc/gcrypt.texi: Add mention of GCM mode. + +2013-11-19 Dmitry Eremin-Solenikov + + Initial implementation of GCM. + + commit 90cce18b9eced4f412ceeec5bcae18c4493322df + * cipher/Makefile.am: Add 'cipher-gcm.c'. + * cipher/cipher-ccm.c (_gcry_ciphert_ccm_set_lengths) + (_gcry_cipher_ccm_authenticate, _gcry_cipher_ccm_tag) + (_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt): Change + 'c->u_mode.ccm.tag' to 'c->marks.tag'. + * cipher/cipher-gcm.c: New. + * cipher/cipher-internal.h (GCM_USE_TABLES): New. + (gcry_cipher_handle): Add 'marks.tag', 'u_tag', 'length' and + 'gcm_table'; Remove 'u_mode.ccm.tag'. + (_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt) + (_gcry_cipher_gcm_setiv, _gcry_cipher_gcm_authenticate) + (_gcry_cipher_gcm_get_tag, _gcry_cipher_gcm_check_tag): New. + * cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey) + (cipher_encrypt, cipher_decrypt, _gcry_cipher_authenticate) + (_gcry_cipher_gettag, _gcry_cipher_checktag): Add GCM mode handling. + * src/gcrypt.h.in (gcry_cipher_modes): Add GCRY_CIPHER_MODE_GCM. + (GCRY_GCM_BLOCK_LEN): New. + * tests/basic.c (check_gcm_cipher): New. + (check_ciphers): Add GCM check. + (check_cipher_modes): Call 'check_gcm_cipher'. + * tests/bench-slope.c (bench_gcm_encrypt_do_bench) + (bench_gcm_decrypt_do_bench, bench_gcm_authenticate_do_bench) + (gcm_encrypt_ops, gcm_decrypt_ops, gcm_authenticate_ops): New. + (cipher_modes): Add GCM enc/dec/auth. + (cipher_bench_one): Limit GCM to block ciphers with 16 byte block-size. + * tests/benchmark.c (cipher_bench): Add GCM. + +2013-11-19 Jussi Kivilinna + + Camellia: fix compiler warning. + + commit 9816ae9d9931b75e4fdc9a5be10e6af447132313 + * cipher/camellia-glue.c (camellia_setkey): Use braces around empty if + statement. + + Tweak Camellia-AVX key-setup for small speed-up. + + commit 77922a82c3f2e30eca04511fa5a355208349c657 + * cipher/camellia-aesni-avx-amd64.S (camellia_f): Merge S-function output + rotation with P-function. + + Add CMAC (Cipher-based MAC) to MAC API. + + commit b49cd64aaaff2e5488a84665362ef7150683226c + * cipher/Makefile.am: Add 'cipher-cmac.c' and 'mac-cmac.c'. + * cipher/cipher-cmac.c: New. + * cipher/cipher-internal.h (gcry_cipher_handle.u_mode): Add 'cmac'. + * cipher/cipher.c (gcry_cipher_open): Rename to... + (_gcry_cipher_open_internal): ...this and add CMAC. + (gcry_cipher_open): New wrapper that disallows use of internal + modes (CMAC) from outside. + (cipher_setkey, cipher_encrypt, cipher_decrypt) + (_gcry_cipher_authenticate, _gcry_cipher_gettag) + (_gcry_cipher_checktag): Add handling for CMAC mode. + (cipher_reset): Do not reset 'marks.key' and do not clear subkeys in + 'u_mode' in CMAC mode. + * cipher/mac-cmac.c: New. + * cipher/mac-internal.h: Add CMAC support and algorithms. + * cipher/mac.c: Add CMAC algorithms. + * doc/gcrypt.texi: Add documentation for CMAC. + * src/cipher.h (gcry_cipher_internal_modes): New. + (_gcry_cipher_open_internal, _gcry_cipher_cmac_authenticate) + (_gcry_cipher_cmac_get_tag, _gcry_cipher_cmac_check_tag) + (_gcry_cipher_cmac_set_subkeys): New prototypes. + * src/gcrypt.h.in (gcry_mac_algos): Add CMAC algorithms. + * tests/basic.c (check_mac): Add CMAC test vectors. + +2013-11-16 Jussi Kivilinna + + Add new MAC API, initially with HMAC. + + commit fcd6da37d55f248d3558ee0ff385b41b866e7ded + * cipher/Makefile.am: Add 'mac.c', 'mac-internal.h' and 'mac-hmac.c'. + * cipher/bufhelp.h (buf_eq_const): New. + * cipher/cipher-ccm.c (_gcry_cipher_ccm_tag): Use 'buf_eq_const' for + constant-time compare. + * cipher/mac-hmac.c: New. + * cipher/mac-internal.h: New. + * cipher/mac.c: New. + * doc/gcrypt.texi: Add documentation for MAC API. + * src/gcrypt-int.h [GPG_ERROR_VERSION_NUMBER < 1.13] + (GPG_ERR_MAC_ALGO): New. + * src/gcrypt.h.in (gcry_mac_handle, gcry_mac_hd_t, gcry_mac_algos) + (gcry_mac_flags, gcry_mac_open, gcry_mac_close, gcry_mac_ctl) + (gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write) + (gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen) + (gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name) + (gcry_mac_reset, gcry_mac_test_algo): New. + * src/libgcrypt.def (gcry_mac_open, gcry_mac_close, gcry_mac_ctl) + (gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write) + (gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen) + (gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New. + * src/libgcrypt.vers (gcry_mac_open, gcry_mac_close, gcry_mac_ctl) + (gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write) + (gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen) + (gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New. + * src/visibility.c (gcry_mac_open, gcry_mac_close, gcry_mac_ctl) + (gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write) + (gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen) + (gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New. + * src/visibility.h (gcry_mac_open, gcry_mac_close, gcry_mac_ctl) + (gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write) + (gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen) + (gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New. + * tests/basic.c (check_one_mac, check_mac): New. + (main): Call 'check_mac'. + * tests/bench-slope.c (bench_print_header, bench_print_footer): Allow + variable algorithm name width. + (_cipher_bench, hash_bench): Update to above change. + (bench_hash_do_bench): Add 'gcry_md_reset'. + (bench_mac_mode, bench_mac_init, bench_mac_free, bench_mac_do_bench) + (mac_ops, mac_modes, mac_bench_one, _mac_bench, mac_bench): New. + (main): Add 'mac' benchmark options. + * tests/benchmark.c (mac_repetitions, mac_bench): New. + (main): Add 'mac' benchmark options. + + Use correct blocksize of 32 bytes for GOSTR3411-94 HMAC. + + commit b95a557a43aeed68ea5e5ce02aca42ee97bfdb3b + * cipher/md.c (md_open): Set macpads_Bsize to 32 for + GCRY_MD_GOST24311_94. + +2013-11-15 Jussi Kivilinna + + cipher: use size_t for internal buffer lengths. + + commit b787657a9d2c1d8e19f9fcb0b21e31cb062630cf + * cipher/arcfour.c (do_encrypt_stream, encrypt_stream): Use 'size_t' + for buffer lengths. + * cipher/blowfish.c (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec) + (_gcry_blowfish_cfb_dec): Ditto. + * cipher/camellia-glue.c (_gcry_camellia_ctr_enc) + (_gcry_camellia_cbc_dec, _gcry_blowfish_cfb_dec): Ditto. + * cipher/cast5.c (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec) + (_gcry_cast5_cfb_dec): Ditto. + * cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt) + (_gcry_cipher_aeswrap_decrypt): Ditto. + * cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt) + (_gcry_cipher_cbc_decrypt): Ditto. + * cipher/cipher-ccm.c (_gcry_cipher_ccm_encrypt) + (_gcry_cipher_ccm_decrypt): Ditto. + * cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt) + (_gcry_cipher_cfb_decrypt): Ditto. + * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto. + * cipher/cipher-internal.h (gcry_cipher_handle->bulk) + (_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt) + (_gcry_cipher_cfb_encrypt, _gcry_cipher_cfb_decrypt) + (_gcry_cipher_ofb_encrypt, _gcry_cipher_ctr_encrypt) + (_gcry_cipher_aeswrap_encrypt, _gcry_cipher_aeswrap_decrypt) + (_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt): Ditto. + * cipher/cipher-ofb.c (_gcry_cipher_cbc_encrypt): Ditto. + * cipher/cipher-selftest.h (gcry_cipher_bulk_cbc_dec_t) + (gcry_cipher_bulk_cfb_dec_t, gcry_cipher_bulk_ctr_enc_t): Ditto. + * cipher/cipher.c (cipher_setkey, cipher_setiv, do_ecb_crypt) + (do_ecb_encrypt, do_ecb_decrypt, cipher_encrypt) + (cipher_decrypt): Ditto. + * cipher/rijndael.c (_gcry_aes_ctr_enc, _gcry_aes_cbc_dec) + (_gcry_aes_cfb_dec, _gcry_aes_cbc_enc, _gcry_aes_cfb_enc): Ditto. + * cipher/salsa20.c (salsa20_setiv, salsa20_do_encrypt_stream) + (salsa20_encrypt_stream, salsa20r12_encrypt_stream): Ditto. + * cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec) + (_gcry_serpent_cfb_dec): Ditto. + * cipher/twofish.c (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec) + (_gcry_twofish_cfb_dec): Ditto. + * src/cipher-proto.h (gcry_cipher_stencrypt_t) + (gcry_cipher_stdecrypt_t, cipher_setiv_fuct_t): Ditto. + * src/cipher.h (_gcry_aes_cfb_enc, _gcry_aes_cfb_dec) + (_gcry_aes_cbc_enc, _gcry_aes_cbc_dec, _gcry_aes_ctr_enc) + (_gcry_blowfish_cfb_dec, _gcry_blowfish_cbc_dec) + (_gcry_blowfish_ctr_enc, _gcry_cast5_cfb_dec, _gcry_cast5_cbc_dec) + (_gcry_cast5_ctr_enc, _gcry_camellia_cfb_dec, _gcry_camellia_cbc_dec) + (_gcry_camellia_ctr_enc, _gcry_serpent_cfb_dec, _gcry_serpent_cbc_dec) + (_gcry_serpent_ctr_enc, _gcry_twofish_cfb_dec, _gcry_twofish_cbc_dec) + (_gcry_twofish_ctr_enc): Ditto. + + Camellia: Add AVX/AES-NI key setup. + + commit ef9f52cbb39e46918c96200b09c21e931eff174f + * cipher/camellia-aesni-avx-amd64.S (key_bitlength, key_table): New + order of fields in ctx. + (camellia_f, vec_rol128, vec_ror128): New macros. + (__camellia_avx_setup128, __camellia_avx_setup256) + (_gcry_camellia_aesni_avx_keygen): New functions. + * cipher/camellia-aesni-avx2-amd64.S (key_bitlength, key_table): New + order of fields in ctx. + * cipher/camellia-arm.S (CAMELLIA_TABLE_BYTE_LEN, key_length): Remove + unused macros. + * cipher/camellia-glue.c (CAMELLIA_context): Move keytable to head for + better alignment; Make 'use_aesni_avx' and 'use_aesni_avx2' bitfield + members. + [USE_AESNI_AVX] (_gcry_camellia_aesni_avx_keygen): New prototype. + (camellia_setkey) [USE_AESNI_AVX || USE_AESNI_AVX2]: Read hw features + to variable 'hwf' and match features from it. + (camellia_setkey) [USE_AESNI_AVX]: Use AES-NI/AVX key setup if + available. + + Avoid unneeded stack burning with AES-NI and reduce number of 'decryption_prepared' checks + + commit c8ad83fb605fdbf6dc0b0dbcc8aedfbd477640da + * cipher/rijndael.c (RIJNDAEL_context): Make 'decryption_prepared', + 'use_padlock' and 'use_aesni' 1-bit members in bitfield. + (do_setkey): Move 'hwfeatures' inside [USE_AESNI || USE_PADLOCK]. + (do_aesni_enc_aligned): Rename to... + (do_aesni_enc): ...this, as function does not require aligned input. + (do_aesni_dec_aligned): Rename to... + (do_aesni_dec): ...this, as function does not require aligned input. + (do_aesni): Remove. + (rijndael_encrypt): Call 'do_aesni_enc' instead of 'do_aesni'. + (rijndael_decrypt): Call 'do_aesni_dec' instead of 'do_aesni'. + (check_decryption_preparation): New. + (do_decrypt): Remove 'decryption_prepared' check. + (rijndael_decrypt): Ditto and call 'check_decryption_preparation'. + (_gcry_aes_cbc_dec): Ditto. + (_gcry_aes_cfb_enc): Add 'burn_depth' and burn stack only when needed. + (_gcry_aes_cbc_enc): Ditto. + (_gcry_aes_ctr_enc): Ditto. + (_gcry_aes_cfb_dec): Ditto. + (_gcry_aes_cbc_dec): Ditto and correct clearing of 'savebuf'. + +2013-11-14 Werner Koch + + md: Fix hashing for data >= 256 GB. + + commit c43a8c0d81a711161f7a81b24ef7c33a1353eee0 + * cipher/hash-common.h (gcry_md_block_ctx): Add "nblocks_high". + * cipher/hash-common.c (_gcry_md_block_write): Bump NBLOCKS_HIGH. + * cipher/md4.c (md4_init, md4_final): Take care of NBLOCKS_HIGH. + * cipher/md5.c (md5_init, md5_final): Ditto. + * cipher/rmd160.c (_gcry_rmd160_init, rmd160_final): Ditto. + * cipher/sha1.c (sha1_init, sha1_final): Ditto. + * cipher/sha256.c (sha256_init, sha224_init, sha256_final): Ditto. + * cipher/sha512.c (sha512_init, sha384_init, sha512_final): Ditto. + * cipher/tiger.c (do_init, tiger_final): Ditto. + * cipher/whirlpool.c (whirlpool_final): Ditto. + + * cipher/md.c (gcry_md_algo_info): Add GCRYCTL_SELFTEST. + (_gcry_md_selftest): Return "not implemented" as required. + * tests/hashtest.c: New. + * tests/genhashdata.c: New. + * tests/Makefile.am (TESTS): Add hashtest. + (noinst_PROGRAMS): Add genhashdata + +2013-11-13 Christian Grothoff + + ecc: Fix key generation for a plain Ed25519 key. + + commit 7d91e99bcd30a463dd4faed014b8521a663d8316 + * cipher/ecc.c (nist_generate_key): Use custom code for ED25519. + + ecc: Fix some memory leaks. + + commit c4f9af49f228df59c218381a25fa3c0f93ccbeae + * cipher/ecc-curves.c (_gcry_mpi_ec_new): Free ec->b before assigning. + * cipher/ecc.c (nist_generate_key): Release Q. + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto. + +2013-11-11 Werner Koch + + ecc: Change keygrip computation for Ed25519+EdDSA. + + commit 4fb3c8e5a7fc6a1568f54bcc0be17fecf75e0742 + * cipher/ecc.c (compute_keygrip): Rework. + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): New. + * cipher/ecc-curves.c (_gcry_ecc_update_curve_param): New. + * tests/keygrip.c (key_grips): Add flag param and test cases for + Ed25519. + + mpi: Add special format GCRYMPI_FMT_OPAQUE. + + commit 8b3eecee2d89179297e43de7d650f74759c61a58 + * src/gcrypt.h.in (GCRYMPI_FMT_OPAQUE): New. + (_gcry_sexp_nth_opaque_mpi): Remove. + * src/sexp.c (gcry_sexp_nth_mpi): Add support for GCRYMPI_FMT_OPAQUE. + (_gcry_sexp_vextract_param): Replace removed function by + GCRYMPI_FMT_OPAQUE. + +2013-11-10 Jussi Kivilinna + + Fix error output in CTR selftest. + + commit 7b26586e35a6d407ca31b41528b0810b1408fd4b + * cipher/cipher-selftest.c (_gcry_selftest_helper_ctr): Change + fprintf(stderr,...) to syslog(); Correct error output for bulk + IV check, plaintext mismatch => ciphertext mismatch. + +2013-11-09 Jussi Kivilinna + + Fix Serpent-AVX2 and Camellia-AVX2 counter modes. + + commit df29831d008e32faf74091d080a415731418d158 + * cipher/camellia-aesni-avx2-amd64.S + (_gcry_camellia_aesni_avx2_ctr_enc): Byte-swap before checking for + overflow handling. + * cipher/camellia-glue.c (selftest_ctr_128, selftest_cfb_128) + (selftest_cbc_128): Add 16 to nblocks. + * cipher/cipher-selftest.c (_gcry_selftest_helper_ctr): Add test with + non-overflowing IV and modify overflow IV to detect broken endianness + handling. + * cipher/serpent-avx2-amd64.S (_gcry_serpent_avx2_ctr_enc): Byte-swap + before checking for overflow handling; Fix crazy-mixed-endian IV + construction to big-endian. + * cipher/serpent.c (selftest_ctr_128, selftest_cfb_128) + (selftest_cbc_128): Add 8 to nblocks. + +2013-11-09 Sergey V + + cipher/gost28147: optimization: use precomputed S-box tables. + + commit 51501b638546665163bbb85a14308fdb99211a28 + * cipher/gost.h (GOST28147_context): Remove unneeded subst and + subst_set members. + * cipher/gost28147.c (max): Remove unneeded macro. + (test_sbox): Replace with new precomputed tables. + (gost_set_subst): Remove function. + (gost_val): Use new S-box tables. + (gost_encrypt_block, gost_decrypt_block): Tweak to use new ctx and + S-box tables. + +2013-11-09 Jussi Kivilinna + + Fix tail handling for AES-NI counter mode. + + commit 60ed0abbbc7cb15812f1e713143c72555acea69e + * cipher/rijndael.c (do_aesni_ctr): Fix outputting of updated + counter-IV. + +2013-11-08 Werner Koch + + ecc: Improve gcry_pk_get_curve. + + commit 03aed1acec611362285db5156a6b92c91604fba4 + * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Factor some code out + to .. + (find_domain_parms_idx): new. + (_gcry_ecc_get_curve): Find by curve name on error. + + cipher: Avoid signed divisions in idea.c. + + commit e241dde1420475459e32608137829e52748d0212 + * cipher/idea.c (mul_inv): Use unsigned division. + + ecc: Implement the "nocomp" flag for key generation. + + commit 9f63c0f7a3b2c15c7e258cd17395cabd0a8f00cc + * cipher/ecc.c (ecc_generate): Support the "nocomp" flag. + * tests/keygen.c (check_ecc_keys): Add a test for it. + + ecc: Make "noparam" the default and replace by "param". + + commit ed45fd2e60c88e2f005282e6eadd018b59dcf65b + * src/cipher.h (PUBKEY_FLAG_NOCOMP): New. + (PUBKEY_FLAG_NOPARAM): Remove. + (PUBKEY_FLAG_PARAM): New. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Support the new + flags and ignore the obsolete "noparam" flag. + * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return the curve name + also for curves selected by NBITS. + (_gcry_mpi_ec_new): Support the "param" flag. + * cipher/ecc.c (ecc_generate, ecc_sign, ecc_verify): Ditto. + * tests/keygen.c (check_ecc_keys): Remove the "noparam" flag. + +2013-11-07 Jussi Kivilinna + + Fix decryption function size in AES AMD64 assembly. + + commit bfe4f6523b80bae0040328ef324b9000ee5b38a4 + * cipher/rijndael-amd64.S (_gcry_aes_amd64_decrypt_block): Set '.size' + for '_gcry_aes_amd64_decrypt_block', not '..._encrypt_block'. + + Change 64-bit shift to 32-bit in AES AMD64 assembly. + + commit 57b296ea3a5204cd3711b7bf57c8fb14d8542402 + * cipher/rijndael-amd64.S (do16bit_shr): Change 'shrq' to 'shrl'. + +2013-11-06 Jussi Kivilinna + + Speed-up AES-NI key setup. + + commit f702d62d888b30e24c19f203566a1473098b2b31 + * cipher/rijndael.c [USE_AESNI] (m128i_t): Remove. + [USE_AESNI] (u128_t): New. + [USE_AESNI] (aesni_do_setkey): New. + (do_setkey) [USE_AESNI]: Move AES-NI accelerated key setup to + 'aesni_do_setkey'. + (do_setkey): Call _gcry_get_hw_features only once. Clear stack after + use in generic key setup part. + (rijndael_setkey): Remove stack burning. + (prepare_decryption) [USE_AESNI]: Use 'u128_t' instead of 'm128i_t' to + avoid compiler generated SSE2 instructions and XMM register usage, + unroll 'aesimc' setup loop + (prepare_decryption): Clear stack after use. + [USE_AESNI] (do_aesni_enc_aligned): Update comment about alignment. + (do_decrypt): Do not burning stack after prepare_decryption. + + Avoid burn stack in Arcfour setkey. + + commit a50a6ba3540f49fc7dcdb32e691327d5942e3509 + * cipher/arcfour.c (arcfour_setkey): Remove stack burning. + + Avoid burn_stack in CAST5 setkey. + + commit 5797ebc268b4e953cedd0c729c5cdb1f8fd764e4 + * cipher/cast5.c (do_cast_setkey): Use wipememory instead of memset. + (cast_setkey): Remove stack burning. + + Improve Serpent key setup speed. + + commit 9897ccb381503455edc490679b2e9251a09ac5cb + * cipher/serpent.c (SBOX, SBOX_INVERSE): Remove index argument. + (serpent_subkeys_generate): Use smaller temporary arrays for subkey + generation and perform stack clearing locally. + (serpent_setkey_internal): Use wipememory to clear stack and remove + _gcry_burn_stack. + (serpent_setkey): Remove unneeded _gcry_burn_stack. + + Modify encrypt/decrypt arguments for in-place. + + commit b8515aa70b00baba3fba8121ed305edcd029c8c7 + * cipher/cipher.c (gcry_cipher_encrypt, gcry_cipher_decrypt): Modify + local arguments if in-place operation. + + Speed up Stribog. + + commit a48d07ccadee4cb8b666a9a4ba2f00129bad5b2f + * cipher/stribog.c (STRIBOG_TABLES): Remove. + (Pi): Remove. + [!STRIBOG_TABLES] (A, strido): Remove. + (stribog_table): New table pre-reordered with Pi values. + (strido): Rewrite for new table. + (LPSX): Rewrite for new table. + (xor): Remove. + (g): Small tweaks. + + Tweak AES-NI bulk CTR mode slightly. + + commit 3b5058b58a183fa23ecf3ef819e2ae6ac64c0216 + * cipher/rijndael.c [USE_AESNI] (aesni_cleanup_2_5): Rename to... + (aesni_cleanup_2_6): ...this and clear also 'xmm6'. + [USE_AESNI && __i386__] (do_aesni_ctr, do_aesni_ctr_4): Prevent + inlining only on i386, allow on AMD64. + [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Use counter block from + 'xmm5' and byte-swap mask from 'xmm6'. + (_gcry_aes_ctr_enc) [USE_AESNI]: Preload counter block to 'xmm5' and + byte-swap mask to 'xmm6'. + (_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec): Use + 'aesni_cleanup_2_6'. + + Tweak bench-slope parameters. + + commit 7e98eecc1a955bc253765f92a166b6560f085b8c + * tests/bench-slope.c (BUF_STEP_SIZE): Half step size to 64. + (NUM_MEASUREMENT_REPETITIONS): Double repetitions to 64. + + Optimize Blowfish weak key check. + + commit 8e1c0f9b894c39b6554c544208dc000682f520c7 + * cipher/blowfish.c (hashset_elem, val_to_hidx, add_val): New. + (do_bf_setkey): Use faster algorithm for detecting weak keys. + (bf_setkey): Move stack burning to do_bf_setkey. + + Fix __builtin_bswap32/64 checks. + + commit 2590a5df6f5fc884614c8c379324027d2d61b9b5 + * configure.ac (gcry_cv_have_builtin_bswap32) + (gcry_cv_have_builtin_bswap64): Change compile checks to link checks. + + Fix 'u32' build error with Camellia. + + commit 84bcb400e7db7268abfc29b5ab1513b0c063b293 + * cipher/camellia.c: Add include for and "types.h". + (u32): Remove. + (u8): Typedef as 'byte'. + +2013-11-06 Werner Koch + + pubkey: Add forward compatibility feature. + + commit 6d169b654c7ff04c10f73afe80b2c70cefa410c1 + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add + "igninvflag". + +2013-11-05 Werner Koch + + ecc: Require "eddsa" flag for curve Ed25519. + + commit b9fd3988b54b50109f4e7179e7fe0739bb1d97c5 + * src/cipher.h (PUBKEY_FLAG_ECDSA): Remove. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Remove "ecdsa". + * cipher/ecc.c (ecc_generate, ecc_sign, ecc_verify): Require "eddsa" flag. + * cipher/ecc-misc.c (_gcry_ecc_compute_public): Depend "eddsa" flag. + * tests/benchmark.c, tests/keygen.c, tests/pubkey.c + * tests/t-ed25519.c, tests/t-mpi-point.c: Adjust for changed flags. + + ecc: Fully implement Ed25519 compression in ECDSA mode. + + commit f09ffe8a4802af65a116e79eceeb1cb4ed4fa2f4 + * src/ec-context.h (mpi_ec_ctx_s): Add field FLAGS. + * mpi/ec.c (ec_p_init): Add arg FLAGS. Change all callers to pass it. + * cipher/ecc-curves.c (point_from_keyparam): Add arg EC, parse as + opaque mpi and use eddsa decoding depending on the flag. + (_gcry_mpi_ec_new): Rearrange to parse Q and D after knowing the + curve. + + mpi: Add function gcry_mpi_set_opaque_copy. + + commit 630aca794ddf057fb7265b7dc346374743036af4 + * src/gcrypt.h.in (gcry_mpi_set_opaque_copy): New. + * src/visibility.c (gcry_mpi_set_opaque_copy): New. + * src/visibility.h (gcry_mpi_set_opaque_copy): Mark visible. + * src/libgcrypt.def, src/libgcrypt.vers: Add new API. + * tests/mpitests.c (test_opaque): Add test. + +2013-11-04 Jussi Kivilinna + + Make test vectors 'static const' + + commit d50a88d1e29124d038196fec6082fd093e922604 + * cipher/arcfour.c (selftest): Change test vectors to 'static const'. + * cipher/blowfish.c (selftest): Ditto. + * cipher/camellia-glue.c (selftest): Ditto. + * cipher/cast5.c (selftest): Ditto. + * cipher/des.c (selftest): Ditto. + * cipher/rijndael.c (selftest): Ditto. + * tests/basic.c (cipher_cbc_mac_cipher, check_aes128_cbc_cts_cipher) + (check_ctr_cipher, check_cfb_cipher, check_ofb_cipher) + (check_ccm_cipher, check_stream_cipher) + (check_stream_cipher_large_block, check_bulk_cipher_modes) + (check_ciphers, check_digests, check_hmac, check_pubkey_sign) + (check_pubkey_sign_ecdsa, check_pubkey_crypt, check_pubkey): Ditto. + +2013-11-03 Jussi Kivilinna + + Make jump labels local in Salsa20 assembly. + + commit d4697862266f3c96b6946dc92139dd8f3e81e5f6 + * cipher/salsa20-amd64.S: Rename '._labels' to '.L_labels'. + * cipher/salsa20-armv7-neon.S: Ditto. + +2013-10-30 Jussi Kivilinna + + bithelp: fix undefined behaviour with rol and ror. + + commit d1cadd145199040299538891ab2ccd1208f7776e + * cipher/bithelp.h (rol, ror): Mask shift with 31. + +2013-10-29 Werner Koch + + tests: Add feature to skip benchmarks. + + commit ba6bffafd17bea11985afc500022d66da261d59a + * tests/benchmark.c (main): Add feature to skip the test. + * tests/bench-slope.c (main): Ditto. + (get_slope): Repace C++ style comment. + (double_cmp, cipher_bench, _hash_bench): Repalce system reserved + symbols. + + ecc: Finish Ed25519/ECDSA hack. + + commit c284f15db99e9cb135612de710199abb23baafd3 + * cipher/ecc.c (ecc_generate): Fix Ed25519/ECDSA case. + (ecc_verify): Implement ED25519/ECDSA uncompression. + + ecc: Add flags "noparam" and "comp". + + commit ba892a0a874c8b2a83dbf0940608cd7e2911ce01 + * src/cipher.h (PUBKEY_FLAG_NOPARAM, PUBKEY_FLAG_COMP): New. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Parse new flags + and change code for possible faster parsing. + * cipher/ecc.c (ecc_generate): Implement the "noparam" flag. + (ecc_sign): Ditto. + (ecc_verify): Ditto. + * tests/keygen.c (check_ecc_keys): Use the "noparam" flag. + + * cipher/ecc.c (ecc_generate): Fix parsing of the deprecated + transient-flag parameter. + (ecc_verify): Do not make Q optional in the extract-param call. + +2013-10-28 Jussi Kivilinna + + Fix typos in documentation. + + commit 1faa61845f180bd47e037e400dde2d864ee83c89 + * doc/gcrypt.texi: Fix some typos. + + Add ARM NEON assembly implementation of Serpent. + + commit 2cb6e1f323d24359b1c5b113be5c2f79a2a4cded + * cipher/Makefile.am: Add 'serpent-armv7-neon.S'. + * cipher/serpent-armv7-neon.S: New. + * cipher/serpent.c (USE_NEON): New macro. + (serpent_context_t) [USE_NEON]: Add 'use_neon'. + [USE_NEON] (_gcry_serpent_neon_ctr_enc, _gcry_serpent_neon_cfb_dec) + (_gcry_serpent_neon_cbc_dec): New prototypes. + (serpent_setkey_internal) [USE_NEON]: Detect NEON support. + (_gcry_serpent_neon_ctr_enc, _gcry_serpent_neon_cfb_dec) + (_gcry_serpent_neon_cbc_dec) [USE_NEON]: Use NEON implementations + to process eight blocks in parallel. + * configure.ac [neonsupport]: Add 'serpent-armv7-neon.lo'. + + Add ARM NEON assembly implementation of Salsa20. + + commit 3ff9d2571c18cd7a34359f9c60a10d3b0f932b23 + * cipher/Makefile.am: Add 'salsa20-armv7-neon.S'. + * cipher/salsa20-armv7-neon.S: New. + * cipher/salsa20.c [USE_ARM_NEON_ASM]: New macro. + (struct SALSA20_context_s, salsa20_core_t, salsa20_keysetup_t) + (salsa20_ivsetup_t): New. + (SALSA20_context_t) [USE_ARM_NEON_ASM]: Add 'use_neon'. + (SALSA20_context_t): Add 'keysetup', 'ivsetup' and 'core'. + (salsa20_core): Change 'src' argument to 'ctx'. + [USE_ARM_NEON_ASM] (_gcry_arm_neon_salsa20_encrypt): New prototype. + [USE_ARM_NEON_ASM] (salsa20_core_neon, salsa20_keysetup_neon) + (salsa20_ivsetup_neon): New. + (salsa20_do_setkey): Setup keysetup, ivsetup and core with default + functions. + (salsa20_do_setkey) [USE_ARM_NEON_ASM]: When NEON support detect, + set keysetup, ivsetup and core with ARM NEON functions. + (salsa20_do_setkey): Call 'ctx->keysetup'. + (salsa20_setiv): Call 'ctx->ivsetup'. + (salsa20_do_encrypt_stream) [USE_ARM_NEON_ASM]: Process large buffers + in ARM NEON implementation. + (salsa20_do_encrypt_stream): Call 'ctx->core' instead of directly + calling 'salsa20_core'. + (selftest): Add test to check large buffer processing and block counter + updating. + * configure.ac [neonsupport]: 'Add salsa20-armv7-neon.lo'. + + Add AMD64 assembly implementation of Salsa20. + + commit 5a3d43485efdc09912be0967ee0a3ce345b3b15a + * cipher/Makefile.am: Add 'salsa20-amd64.S'. + * cipher/salsa20-amd64.S: New. + * cipher/salsa20.c (USE_AMD64): New macro. + [USE_AMD64] (_gcry_salsa20_amd64_keysetup, _gcry_salsa20_amd64_ivsetup) + (_gcry_salsa20_amd64_encrypt_blocks): New prototypes. + [USE_AMD64] (salsa20_keysetup, salsa20_ivsetup, salsa20_core): New. + [!USE_AMD64] (salsa20_core): Change 'src' to non-constant, update block + counter in 'salsa20_core' and return burn stack depth. + [!USE_AMD64] (salsa20_keysetup, salsa20_ivsetup): New. + (salsa20_do_setkey): Move generic key setup to 'salsa20_keysetup'. + (salsa20_setkey): Fix burn stack depth. + (salsa20_setiv): Move generic IV setup to 'salsa20_ivsetup'. + (salsa20_do_encrypt_stream) [USE_AMD64]: Process large buffers in AMD64 + implementation. + (salsa20_do_encrypt_stream): Move stack burning to this function... + (salsa20_encrypt_stream, salsa20r12_encrypt_stream): ...from these + functions. + * configure.ac [x86-64]: Add 'salsa20-amd64.lo'. + + Add new benchmarking utility, bench-slope. + + commit e214e8392671dd30e9c33260717b5e756debf3bf + * tests/Makefile.am (TESTS): Add 'bench-slope'. + * tests/bench-slope.c: New. + + Change .global to .globl in assembly files. + + commit ebc8abfcb09d6106fcfce40f240a513e276f46e9 + * cipher/blowfish-arm.S: Change '.global' to '.globl'. + * cipher/camellia-aesni-avx-amd64.S: Ditto. + * cipher/camellia-aesni-avx2-amd64.S: Ditto. + * cipher/camellia-arm.S: Ditto. + * cipher/cast5-amd64.S: Ditto. + * cipher/rijndael-amd64.S: Ditto. + * cipher/rijndael-arm.S: Ditto. + * cipher/serpent-avx2-amd64.S: Ditto. + * cipher/serpent-sse2-amd64.S: Ditto. + * cipher/twofish-amd64.S: Ditto. + * cipher/twofish-arm.S: Ditto. + +2013-10-26 Jussi Kivilinna + + Deduplicate code for ECB encryption and decryption. + + commit 51f1beab3d1e879942a95f58b08de7dbcce75dce + * cipher/cipher.c (do_ecb_crypt): New, based on old 'do_ecb_encrypt'. + (do_ecb_encrypt): Use 'do_ecb_crypt', pass encryption function. + (do_ecb_decrypt): Use 'do_ecb_crypt', pass decryption function. + +2013-10-26 Dmitry Eremin-Solenikov + + Drop _gcry_cipher_ofb_decrypt as it duplicates _gcry_cipher_ofb_encrypt. + + commit d9431725952e40f201c7eda000d3c8511ebd5b33 + * cipher/cipher.c (cipher_decrypt): Use _gcry_cipher_ofb_encrypt for OFB + decryption. + * cipher/cipher-internal.h: Remove _gcry_cipher_ofb_decrypt declaration. + * cipher/cipher-ofb.c (_gcry_cipher_ofb_decrypt): Remove. + (_gcry_cipher_ofb_encrypt): remove copying of IV to lastiv, it's + unused there. + +2013-10-25 Werner Koch + + tests: Add tests for mpi_cmp. + + commit 6c6d4810927de7310ae7bac61b4ff5467d7cb485 + * tests/mpitests.c (die): Modernize. + (fail): New. + (test_opaque, test_add, test_sub, test_mul): Use gcry_log_xx + (main): Return error count. + (test_cmp): New. + +2013-10-24 Werner Koch + + ecc: Change algorithm for Ed25519 x recovery. + + commit c630fd71b336eb9209e914d24dc1e26a34521882 + * cipher/ecc-eddsa.c (scanval): Add as temporary hack. + (_gcry_ecc_eddsa_recover_x): Use the algorithm from page 15 of the + paper. Return an error code. + (_gcry_ecc_eddsa_decodepoint): Take care of the error code. + * mpi/mpi-mul.c (gcry_mpi_mulm): Use truncated division. + + ecc: Refactor _gcry_ecc_eddsa_decodepoint. + + commit 1cf5699b6febab1ef9d300531acc2ee33a7df739 + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_decodepoint): Factor some code + out to .. + (_gcry_ecc_eddsa_recover_x): new. + +2013-10-24 Jussi Kivilinna + + ecc-gost: Add missing include. + + commit 9ce54e5b512418ddf45ce18f2cbd48cdced779f5 + * ecc-gost.c: Include "pubkey-internal.h". + +2013-10-23 Jussi Kivilinna + + Replace architecture specific fast_wipememory2 with generic. + + commit 54df6fcd806f8c150cffe6cc09925bb8b638bb5b + * src/g10lib.h (fast_wipememory2): Remove architecture specific + implementations and add generic implementation. + + Improve the speed of the cipher mode code. + + commit 293e93672fdabc829e35cc624c397276342bafe4 + * cipher/bufhelp.h (buf_cpy): New. + (buf_xor, buf_xor_2dst): If buffers unaligned, always jump to per-byte + processing. + (buf_xor_n_copy_2): New. + (buf_xor_n_copy): Use 'buf_xor_n_copy_2'. + * cipher/blowfish.c (_gcry_blowfish_cbc_dec): Avoid extra memory copy + and use new 'buf_xor_n_copy_2'. + * cipher/camellia-glue.c (_gcry_camellia_cbc_dec): Ditto. + * cipher/cast5.c (_gcry_cast_cbc_dec): Ditto. + * cipher/serpent.c (_gcry_serpent_cbc_dec): Ditto. + * cipher/twofish.c (_gcry_twofish_cbc_dec): Ditto. + * cipher/rijndael.c (_gcry_aes_cbc_dec): Ditto. + (do_encrypt, do_decrypt): Use 'buf_cpy' instead of 'memcpy'. + (_gcry_aes_cbc_enc): Avoid copying IV, use 'last_iv' pointer instead. + * cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt): Avoid copying IV, + update pointer to IV instead. + (_gcry_cipher_cbc_decrypt): Avoid extra memory copy and use new + 'buf_xor_n_copy_2'. + (_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt): Avoid extra + accesses to c->spec, use 'buf_cpy' instead of memcpy. + * cipher/cipher-ccm.c (do_cbc_mac): Ditto. + * cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt) + (_gcry_cipher_cfb_decrypt): Ditto. + * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto. + * cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt) + (_gcry_cipher_ofb_decrypt): Ditto. + * cipher/cipher.c (do_ecb_encrypt, do_ecb_decrypt): Ditto. + + bufhelp: enable unaligned memory accesses for AArch64 (64-bit ARM) + + commit 2901a10dbf1264707debc8402546c07eeac60932 + * cipher/bufhelp.h [__aarch64__] (BUFHELP_FAST_UNALIGNED_ACCESS): Set + macro on AArch64. + +2013-10-23 Dmitry Eremin-Solenikov + + Enable assembler optimizations on earlier ARM cores. + + commit 2fd83faa876d0be91ab7884b1a9eaa7793559eb9 + * cipher/blowfish-armv6.S => cipher/blowfish-arm.S: adapt to pre-armv6 CPUs. + * cipher/blowfish.c: enable assembly on armv4/armv5 little-endian CPUs. + * cipher/camellia-armv6.S => cipher/camellia-arm.S: adapt to pre-armv6 CPUs. + * cipher/camellia.c, cipher-camellia-glue.c: enable assembly on armv4/armv5 + little-endian CPUs. + * cipher/cast5-armv6.S => cipher/cast5-arm.S: adapt to pre-armv6 CPUs. + * cipher/cast5.c: enable assembly on armv4/armv5 little-endian CPUs. + * cipher/rijndael-armv6.S => cipher/rijndael-arm.S: adapt to pre-armv6 CPUs. + * cipher/rijndael.c: enable assembly on armv4/armv5 little-endian CPUs. + * cipher/twofish-armv6.S => cipher/twofish-arm.S: adapt to pre-armv6 CPUs. + * cipher/twofish.c: enable assembly on armv4/armv5 little-endian CPUs. + + mpi: enable assembler on all arm architectures. + + commit 0b39fce7e3ce6761d6bd5195d093ec6857edb7c2 + * mpi/config.links: remove check for arm >= v6 + * mpi/armv6 => mpi/arm: rename directory to reflect that is is generic + enough + + Correct ASM assembly test in configure.ac. + + commit 10bf6a7e16ed193f90d2749970a420f00d1d3320 + * configure.ac: correct HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS test to + require neither ARMv6, nor thumb mode. Our assembly code works + perfectly even on ARMv4 now. + +2013-10-23 Werner Koch + + ecc: Refactor ecc.c. + + commit 164eb8c85d773ef4f0939115ec45f5e4b47c1700 + * cipher/ecc-ecdsa.c, cipher/ecc-eddsa.c, cipher/ecc-gost.c: New. + * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add new files. + * configure.ac (GCRYPT_PUBKEY_CIPHERS): Add new files. + * cipher/ecc.c (point_init, point_free): Move to ecc-common.h. + (sign_ecdsa): Move to ecc-ecdsa.c as _gcry_ecc_ecdsa_sign. + (verify_ecdsa): Move to ecc-ecdsa.c as _gcry_ecc_ecdsa_verify. + (sign_gost): Move to ecc-gots.c as _gcry_ecc_gost_sign. + (verify_gost): Move to ecc-gost.c as _gcry_ecc_gost_verify. + (sign_eddsa): Move to ecc-eddsa.c as _gcry_ecc_eddsa_sign. + (verify_eddsa): Move to ecc-eddsa.c as _gcry_ecc_eddsa_verify. + (eddsa_generate_key): Move to ecc-eddsa.c as _gcry_ecc_eddsa_genkey. + (reverse_buffer): Move to ecc-eddsa.c. + (eddsa_encodempi, eddsa_encode_x_y): Ditto. + (_gcry_ecc_eddsa_encodepoint, _gcry_ecc_eddsa_decodepoint): Ditto. + + mpi: Fix scanning of negative SSH formats and add more tests. + + commit 45f6e6268bfdc4b608beaba6b7086b2286e33c71 + * mpi/mpicoder.c (gcry_mpi_scan): Fix sign setting for SSH format. + * tests/t-convert.c (negative_zero): Test all formats. + (check_formats): Add tests for PGP and scan tests for SSH and USG. + + * src/gcrypt.h.in (mpi_is_neg): Fix macro. + + * mpi/mpi-scan.c (_gcry_mpi_getbyte, _gcry_mpi_putbyte): Comment out + these unused functions. + +2013-10-22 Jussi Kivilinna + + twofish: add ARMv6 assembly implementation. + + commit 98674fdaa30ab22a3ac86ca05d688b5b6112895d + * cipher/Makefile.am: Add 'twofish-armv6.S'. + * cipher/twofish-armv6.S: New. + * cipher/twofish.c (USE_ARMV6_ASM): New macro. + [USE_ARMV6_ASM] (_gcry_twofish_armv6_encrypt_block) + (_gcry_twofish_armv6_decrypt_block): New prototypes. + [USE_AMDV6_ASM] (twofish_encrypt, twofish_decrypt): Add. + [USE_AMD64_ASM] (do_twofish_encrypt, do_twofish_decrypt): Remove. + (_gcry_twofish_ctr_enc, _gcry_twofish_cfb_dec): Use 'twofish_encrypt' + instead of 'do_twofish_encrypt'. + (_gcry_twofish_cbc_dec): Use 'twofish_decrypt' instead of + 'do_twofish_decrypt'. + * configure.ac [arm]: Add 'twofish-armv6.lo'. + + mpi: allow building with clang on ARM. + + commit e67c67321ce240c93dd0fa2b21c649c0a8e233f7 + * mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss, umul_ppmm) + (count_leading_zeros): Do not cast assembly output arguments. + [__arm__] (umul_ppmm): Remove the extra '%' ahead of assembly comment. + [_ARM_ARCH >= 4] (umul_ppmm): Use correct inputs and outputs instead of + registers. + + serpent-amd64: do not use GAS macros. + + commit c7efaa5fe0ee92e321a7b49d56752cc12eb75fe0 + * cipher/serpent-avx2-amd64.S: Remove use of GAS macros. + * cipher/serpent-sse2-amd64.S: Ditto. + * configure.ac [HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Do not check + for GAS macros. + + Add Counter with CBC-MAC mode (CCM) + + commit 335d9bf7b035815750b63a3a8334d6ce44dc4449 + * cipher/Makefile.am: Add 'cipher-ccm.c'. + * cipher/cipher-ccm.c: New. + * cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode'. + (_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt) + (_gcry_cipher_ccm_set_nonce, _gcry_cipher_ccm_authenticate) + (_gcry_cipher_ccm_get_tag, _gcry_cipher_ccm_check_tag) + (_gcry_cipher_ccm_set_lengths): New prototypes. + * cipher/cipher.c (gcry_cipher_open, cipher_encrypt, cipher_decrypt) + (_gcry_cipher_setiv, _gcry_cipher_authenticate, _gcry_cipher_gettag) + (_gcry_cipher_checktag, gry_cipher_ctl): Add handling for CCM mode. + * doc/gcrypt.texi: Add documentation for GCRY_CIPHER_MODE_CCM. + * src/gcrypt.h.in (gcry_cipher_modes): Add 'GCRY_CIPHER_MODE_CCM'. + (gcry_ctl_cmds): Add 'GCRYCTL_SET_CCM_LENGTHS'. + (GCRY_CCM_BLOCK_LEN): New. + * tests/basic.c (check_ccm_cipher): New. + (check_cipher_modes): Call 'check_ccm_cipher'. + * tests/benchmark.c (ccm_aead_init): New. + (cipher_bench): Add handling for AEAD modes and add CCM benchmarking. + + Add API to support AEAD cipher modes. + + commit 95654041f2aa62f71aac4d8614dafe8433d10f95 + * cipher/cipher.c (_gcry_cipher_authenticate, _gcry_cipher_checktag) + (_gcry_cipher_gettag): New. + * doc/gcrypt.texi: Add documentation for new API functions. + * src/visibility.c (gcry_cipher_authenticate, gcry_cipher_checktag) + (gcry_cipher_gettag): New. + * src/gcrypt.h.in, src/visibility.h: add declarations of these + functions. + * src/libgcrypt.defs, src/libgcrypt.vers: export functions. + +2013-10-22 NIIBE Yutaka + + ecc: Correct compliant key generation for Edwards curves. + + commit a5a277a9016ccb34f1858a65e0ed1791b2fc3db3 + * cipher/ecc.c: Add case for Edwards curves. + +2013-10-17 Werner Koch + + tests: Add test options to keygen. + + commit f7711e6eb5f02d03c74911f6f037ab28075e7c0d + * tests/keygen.c (usage): New. + (main): Print usage info. Allow running just one algo. + + mpi: Do not clear the sign of the mpi_mod result. + + commit 91e007606f1f6f8e1416c403fe809d47fddf9b1f + * mpi/mpi-mod.c (_gcry_mpi_mod): Remove sign setting. + + ecc: Put the curve name again into the output of gcry_pk_genkey. + + commit 4776dcd394ce59fa50d959921857b3427c5a63c8 + * cipher/ecc.c (ecc_generate): Use the correct var. Release + CURVE_FLAGS. + + ecc: Support Weierstrass curves in gcry_mpi_ec_curve_point. + + commit b22417158c50ec3a0b2ff55b4ade063b42a87e8f + * mpi/ec.c (_gcry_mpi_ec_curve_point): Support MPI_EC_WEIERSTRASS. + +2013-10-16 Jussi Kivilinna + + arcfour: more optimized version for non-i386 architectures. + + commit f9371c026aad09ff48746d22c8333746c886e773 + * cipher/arcfour.c (ARCFOUR_context): Reorder members. + (do_encrypt_stream) [!__i386__]: Faster implementation for non-i386. + (do_arcfour_setkey): Avoid modulo operations. + + Avoid void* pointer arithmetic. + + commit c89ab921ccfaefe6c4f6a724d01e0df41a1a381f + * tests/tsexp.c (check_extract_param): Cast void* pointers to char* + before doing arithmetics. + +2013-10-16 Dmitry Eremin-Solenikov + + ecc: Add support for GOST R 34.10-2001/-2012 signatures. + + commit 83902f1f1dbc8263a0c3f61be59cd2eb95293c97 + * src/cipher.h: define PUBKEY_FLAG_GOST + * cipher/ecc-curves.c: Add GOST2001-test and GOST2012-test curves + defined in standards. Typical applications would use either those + curves, or curves defined in RFC 4357 (will be added later). + * cipher/ecc.c (sign_gost, verify_gost): New. + (ecc_sign, ecc_verify): use sign_gost/verify_gost if PUBKEY_FLAG_GOST + is set. + (ecc_names): add "gost" for gost signatures. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist, + _gcry_pk_util_preparse_sigval): set PUBKEY_FLAG_GOST if gost flag + is present in s-exp. + * tests/benchmark.c (ecc_bench): also benchmark GOST signatures. + * tests/basic.c (check_pubkey): add two public keys from + GOST R 34.10-2012 standard. + (check_pubkey_sign_ecdsa): add two data sets to check gost signatures. + * tests/curves.c: correct N_CURVES as we now have 2 more curves. + + + Removed some comments from the new curve definitions in ecc-curves.c + to avoid line wrapping. Eventually we will develop a precompiler to + avoid parsing those hex strings. -wk + + Fix 256-bit ecdsa test key definition. + + commit 187b2bb541b985255aee262d181434a7cb4ae2e7 + * tests/basic.c (check_pubkey): fix nistp256 testing key declaration - + add missing comma. + +2013-10-16 Werner Koch + + sexp: Add function gcry_sexp_extract_param. + + commit a329b6abf00c990faf1986f9fbad7b4d71c13bcb + * src/gcrypt.h.in (_GCRY_GCC_ATTR_SENTINEL): New. + (gcry_sexp_extract_param): New. + * src/visibility.c (gcry_sexp_extract_param): New. + * src/visibility.h (gcry_sexp_extract_param): Add hack to detect + internal use. + * cipher/pubkey-util.c (_gcry_pk_util_extract_mpis): Move and split + into ... + * src/sexp.c (_gcry_sexp_vextract_param) + (_gcry_sexp_extract_param): this. Change all callers. Add support for buffer + descriptors and a path option/ + + * tests/tsexp.c (die, hex2buffer, hex2mpi, hex2mpiopa): New. + (cmp_mpihex, cmp_bufhex): New. + (check_extract_param): New. + +2013-10-16 NIIBE Yutaka + + mpi: mpi-pow improvement. + + commit 45aa6131e93fac89d46733b3436d960f35fb99b2 + * mpi/mpi-pow.c (gcry_mpi_powm): New implementation of left-to-right + k-ary exponentiation. + +2013-10-15 Werner Koch + + ecc: Support use of Ed25519 with ECDSA. + + commit 537969fbbb1104b8305a7edb331b7666d54eff2c + * src/cipher.h (PUBKEY_FLAG_ECDSA): New. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag "ecdsa". + * cipher/ecc.c (verify_ecdsa, verify_eddsa): Remove some debug output. + (ecc_generate, ecc_sign, ecc_verify): Support Ed25519 with ECDSA. + * tests/keygen.c (check_ecc_keys): Create such a test key. + * tests/pubkey.c (fail, info, data_from_hex, extract_cmp_data): New. + Take from dsa-6979.c + (check_ed25519ecdsa_sample_key): new. + (main): Call new test. + +2013-10-14 Werner Koch + + pubkey: Support flags list in gcry_pk_genkey. + + commit d3a605d7827b8a73ef844e9e5183590bd6b1389a + * src/cipher.h (PUBKEY_FLAG_TRANSIENT_KEY): New. + (PUBKEY_FLAG_USE_X931): New. + (PUBKEY_FLAG_USE_FIPS186): New. + (PUBKEY_FLAG_USE_FIPS186_2): New. + * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Rename from + parse_flags_list. Parse new flags. + * cipher/dsa.c (dsa_generate): Support flag list. + * cipher/ecc.c (ecc_generate): Ditto. + * cipher/rsa.c (rsa_generate): Ditto. + + pubkey: Remove duplicated flag parsing code. + + commit 5be2345ddec4147e535d5b039ee74f84bcacf9e4 + * cipher/pubkey-util.c (_gcry_pk_util_preparse_encval) + (_gcry_pk_util_data_to_mpi): Factor flag parsing code out to .. + (parse_flag_list): New. + * src/cipher.h (PUBKEY_FLAG_RAW_FLAG): New. + + mpicalc: Accept lowercase hex digits. + + commit 0cd551faa775ad5309a40629ae30bf86b75fca09 + * src/mpicalc.c (main): Test for lowercase hex digits. + +2013-10-11 Werner Koch + + pubkey: Move sexp parsing of remaining fucntions to the modules. + + commit a951c061523e1c13f1358c9760fc3a9d787ab2d4 + * cipher/pubkey.c (release_mpi_array): Remove. + (pubkey_check_secret_key): Remove. + (sexp_elements_extract): Remove. + (sexp_elements_extract_ecc): Remove. + (sexp_to_key): Remove. + (get_hash_algo): Remove. + (gcry_pk_testkey): Revamp. + (gcry_pk_get_curve): Revamp. + * cipher/rsa.c (rsa_check_secret_key): Revamp. + * cipher/elgamal.c (elg_check_secret_key): Revamp. + * cipher/dsa.c (dsa_check_secret_key): Revamp. + * cipher/ecc.c (ecc_check_secret_key): Revamp. + * cipher/ecc-curves.c: Include cipher.h and pubkey-internal.h + (_gcry_ecc_get_curve): Revamp. + + * cipher/pubkey-util.c (_gcry_pk_util_extract_mpis): Set passed and + used parameters on error to NULL. + + pubkey: Move sexp parsing for gcry_pk_decrypt to the modules. + + commit 07950c865a901afc48acb46f0695040cadfd5068 + * cipher/rsa.c (rsa_decrypt): Revamp. + * cipher/elgamal.c (elg_decrypt): Revamp. + * cipher/ecc.c (ecc_decrypt_raw): Revamp. + * cipher/pubkey.c (gcry_pk_decrypt): Simplify. + (sexp_to_enc): Remove. + * cipher/pubkey-util.c (_gcry_pk_util_preparse_encval): New. + + pubkey: Move sexp parsing for gcry_pk_encrypt to the modules. + + commit 6bd5d18c45a4a3ce8f0f66f56c83b80594877f53 + * cipher/rsa.c (rsa_encrypt): Revamp. + * cipher/elgamal.c (elg_encrypt): Revamp. + * cipher/ecc.c (ecc_encrypt_raw): Revamp. + * cipher/pubkey.c (gcry_pk_encrypt): Simplify. + + * tests/basic.c (check_pubkey_crypt): Init plain, ciph, and data so + that they are initialized even after an encrypt failure. + + pubkey: Move sexp parsing for gcry_pk_sign to the modules. + + commit d0ae6635e4e6ae273c3a137c513d518f28f6eab3 + * cipher/rsa.c (rsa_sign): Revamp. + * cipher/dsa.c (dsa_sign): Revamp. + * cipher/elgamal.c (elg_sign): Revamp. + * cipher/ecc.c (ecc_sign): Revamp. + * cipher/pubkey.c (gcry_pk_sign): Simplify. + +2013-10-10 Jussi Kivilinna + + Prevent tail call optimization with _gcry_burn_stack. + + commit 150c0313f971bcea62d2802f0389c883e11ebb31 + * configure.ac: New check, HAVE_GCC_ASM_VOLATILE_MEMORY. + * src/g10lib.h (_gcry_burn_stack): Rename to __gcry_burn_stack. + (__gcry_burn_stack_dummy): New. + (_gcry_burn_stack): New macro. + * src/misc.c (_gcry_burn_stack): Rename to __gcry_burn_stack. + (__gcry_burn_stack_dummy): New. + +2013-10-09 Werner Koch + + pubkey: Move sexp parsing for gcry_pk_verify to the modules. + + commit 94b652ecb006c29fa2ffb1badc9f02b758581737 + * cipher/rsa.c (rsa_verify): Revamp. + * cipher/dsa.c (dsa_verify): Revamp. + * cipher/elgamal.c (elg_verify): Revamp. + * cipher/ecc.c (ecc_verify): Revamp. + * cipher/pubkey.c (sexp_to_sig): Remove. + (pss_verify_cmp): Move to pubkey-util.c + (sexp_data_to_mpi): Ditto. + (init_encoding_ctx): Ditto. + (gcry_pk_verify): Simplify. + * cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Add. Take + from pubkey.c + (get_hash_algo): Ditto. + (_gcry_pk_util_data_to_mpi): Ditto. + (pss_verify_cmp): Ditto. + (_gcry_pk_util_extract_mpis): New. + (_gcry_pk_util_preparse_sigval): New. + (_gcry_pk_util_free_encoding_ctx): New. + * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make curve init + optional. + + * src/g10lib.h (GCC_ATTR_SENTINEL): New. + + * tests/basic.c (check_pubkey_sign): Print the algo name. + (main): Add option --pubkey. + +2013-10-08 Werner Koch + + pubkey: Move sexp parsing for gcry_pk_get_nbits to the modules. + + commit 4645f3728bb0900591b0aef85831fdee52c59e3c + * cipher/pubkey.c (spec_from_sexp): New. + (gcry_pk_get_nbits): Simplify. + * cipher/rsa.c (rsa_get_nbits): Take only PARMS as args and do sexp + parsing here. + * cipher/dsa.c (dsa_get_nbits): Ditto. + * cipher/elgamal.c (elg_get_nbits): Ditto. + * cipher/ecc.c (ecc_get_nbits): Ditto. + * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Allow NULL for arg + CURVE. + + pubkey: Move sexp parsing for gcry_pk_getkey to the modules. + + commit 3816e46ce211e63adf46dbc775510aa137572248 + * cipher/pubkey-util.c: New. + (_gcry_pk_util_get_nbits): New. Based on code from gcry_pk_genkey. + (_gcry_pk_util_get_rsa_use_e): Ditto. + * cipher/pubkey.c (gcry_pk_genkey): Strip most code and pass. + * cipher/rsa.c (rsa_generate): Remove args ALGO, NBITS and EVALUE. + Call new fucntions to get these values. + * cipher/dsa.c (dsa_generate): Remove args ALGO, NBITS and EVALUE. + Call _gcry_pk_util_get_nbits to get nbits. Always parse genparms. + * cipher/elgamal.c (elg_generate): Ditto. + * cipher/ecc.c (ecc_generate): Ditto. + + cipher: Deprecate GCRY_PK_ELG_E. + + commit f79d3e13d3229115c47cbe5007647cb44105fe3f + * cipher/elgamal.c (_gcry_pubkey_spec_elg_e): Remove. + * cipher/pubkey.c (pubkey_list): Remove double included + _gcry_pubkey_spec_elg. + (map_algo): MAke ELG_E to ELG. + +2013-10-02 Werner Koch + + Provide Pth compatiblity for use with GnuPG 2.0. + + commit 2f767f6a17f7e99da4075882f7fe3ca597b31bdb + * src/ath.c (ath_install): Call ath_init and declare Pth as + compatible. + +2013-10-02 Jussi Kivilinna + + sha512: fix building on ARM. + + commit 6410152338a2b2ac1216e70c153cd16f9199c94e + * cipher/sha512.c (transform) [USE_ARM_NEON_ASM]: Fix 'hd' to 'ctx'. + +2013-10-02 Werner Koch + + Remove deprecated control codes. + + commit f04a1db22d982627ba87da4e5df52df9b994c779 + * src/gcrypt.h.in (GCRYCTL_SET_KEY): Remove. + (GCRYCTL_SET_IV): Remove. + (GCRYCTL_SET_CTR): Remove. + * cipher/md.c (gcry_md_ctl): Remove deprecated GCRYCTL_SET_KEY. + * cipher/cipher.c (gcry_cipher_ctl): Remove deprecated + GCRYCTL_SET_KEY, GCRYCTL_SET_IV, GCRYCTL_SET_CTR. + +2013-10-02 Dmitry Eremin-Solenikov + + Fix errors when building with Clang on PPC. + + commit 33757c1e03f1d885920633edf543cd1c77999455 + * mpi/longlong.h (add_ssaaaa, sub_ddmmss, count_leading_zeros, + umul_ppmm): Do not cast asm output to USItype. + +2013-10-02 Werner Koch + + Remove last remains of the former module system. + + commit 628ed5ba0ef4b1f04b5a77e29e4bc49a1fe13c07 + * src/gcrypt-module.h, src/module.c: Remove. + * src/visibility.h: Do not include gcrypt-module.h. + * src/g10lib.h: Remove all prototypes from module.c + (gcry_module): Remove. + * cipher/cipher-internal.h (gcry_cipher_handle): Remove unused field. + + Fix missing prototype warning in visibility.c. + + commit 52783d483293d48cd468143ae6ae2cccbfe17200 + * src/ec-context.h (_gcry_mpi_ec_new): Move prototype to mpi.h. + + md: Simplify the message digest dispatcher md.c. + + commit 0d39997932617ba20656f8bcc230ba744b76c87e + * src/gcrypt-module.h (gcry_md_spec_t): Move to ... + * src/cipher-proto.h: here. Merge with md_extra_spec_t. Add fields + ALGO and FLAGS. Set these fields in all digest modules. + * cipher/md.c: Change most code to replace the former module + system by a simpler system to gain information about the algorithms. + +2013-10-01 Werner Koch + + cipher: Simplify the cipher dispatcher cipher.c. + + commit 3ca180b25e8df252fc16f802cfdc27496e307830 + * src/gcrypt-module.h (gcry_cipher_spec_t): Move to ... + * src/cipher-proto.h (gcry_cipher_spec_t): here. Merge with + cipher_extra_spec_t. Add fields ALGO and FLAGS. Set these fields in + all cipher modules. + * cipher/cipher.c: Change most code to replace the former module + system by a simpler system to gain information about the algorithms. + (disable_pubkey_algo): Simplified. Not anymore thread-safe, though. + + * cipher/md.c (_gcry_md_selftest): Use correct structure. Not a real + problem because both define the same function as their first field. + + * cipher/pubkey.c (_gcry_pk_selftest): Take care of the disabled flag. + + mpi: Fix gcry_mpi_neg. + + commit 4153fa859816e799e506055321a22e6450aacdcc + * mpi/mpiutil.c (_gcry_mpi_neg): Copy U to W. + +2013-10-01 Peter Wu + + cipher: Add support for 128-bit keys in RC2. + + commit 738177ec0eae05069ec61bc4f724a69d4e052e42 + * cipher/rfc2268.c (oids_rfc2268_128): New + (_gcry_cipher_spec_rfc2268_128): New. + * cipher/cipher.c (cipher_table_entry): Add GCRY_CIPHER_RFC2268_128. + +2013-09-30 Werner Koch + + ecc: Use faster b parameter for Ed25519. + + commit 1d85452412b65e7976bc94969fc513ff6b880ed8 + * cipher/ecc-curves.c (domain_parms): Replace b. + * tests/t-mpi-point.c (test_curve): Ditto. + + ecc: Prepare for future Ed25519 optimization. + + commit a2618c822e666d4121cba29bee3fd50bf70c9743 + * mpi/ec-ed25519.c: New but empty file. + * mpi/ec-internal.h: New. + * mpi/ec.c: Include ec-internal.h. + (ec_mod): New. + (ec_addm): Use ec_mod. + (ec_mulm): Remove commented code. Use ec_mod. + (ec_subm): Call simple sub. + (ec_pow2): Use ec_mulm. + (ec_mul2): New. + (dup_point_weierstrass): Use ec_mul2. + (dup_point_twistededwards): Add special case for a == -1. Use + ec_mul2. + (add_points_weierstrass): Use ec_mul2. + (add_points_twistededwards): Add special case for a == -1. + (_gcry_mpi_ec_curve_point): Ditto. + (ec_p_init): Add hack to test Barrett functions. + * src/ec-context.h (mpi_ec_ctx_s): Add P_BARRETT. + + * mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Fix sign problem. + + ecc: Fix recomputing of Q for Ed25519. + + commit c325adb8f5092b80a626bd3bb5e49cf7f3a29fc8 + * cipher/ecc-misc.c (reverse_buffer): New. + (_gcry_ecc_compute_public): Add ED255519 specific code. + * cipher/ecc.c (sign_eddsa): Allocate DIGEST in secure memory. Get + rid of HASH_D. + * tests/t-mpi-point.c (context_param): Test recomputing of Q for + Ed25519. + + log: Try to print s-expressions in a more compact format. + + commit d69a13d3d1c14ad6a6aa7cd349d6d2dfb152d422 + * src/misc.c (count_closing_parens): New. + (_gcry_log_printsxp): Use new function. + * mpi/ec.c (_gcry_mpi_point_log): Take care of a NULL point. + +2013-09-30 Jussi Kivilinna + + Make Whirlpool use the _gcry_md_block_write helper. + + commit 68cefd0f1d60ac33b58031df9b1d165cb1bf0f14 + * cipher/whirlpool.c (whirlpool_context_t): Add 'bctx', remove + 'buffer', 'count' and 'nblocks'. + (whirlpool_init): Initialize 'bctx'. + (whirlpool_transform): Adjust context argument type and burn stack + depth. + (whirlpool_add): Remove. + (whirlpool_write): Use _gcry_md_block_write. + (whirlpool_final, whirlpool_read): Adjust for 'bctx' usage. + + whirlpool: add stack burning after transform. + + commit a96d622e1a36d40d1504b7ada567e90ec9957443 + * cipher/whirlpool.c (whirlpool_transform): Return burn stack depth. + (whirlpool_add): Do burn_stack. + + whirlpool: do bitcount calculation in finalization part. + + commit 10d7351411f19bb2c03d2e24ca5a38dabe45023b + * cipher/whirlpool.c (whirlpool_context_t): Remove 'length', add + 'nblocks'. + (whirlpool_add): Update 'nblocks' instead of 'length', and add early + return at one spot. + (whirlpool_write): Check for 'nblocks' overflow. + (whirlpool_final): Convert 'nblocks' to bit-counter, and use + whirlpool_write instead of whirlpool_add. + +2013-09-30 Werner Koch + + Add logging functions to the API. + + commit d2076f27bb7c5d505abf25fc622d21794c4a5df3 + * src/gcrypt.h.in (_GCRY_GCC_ATTR_PRINTF): New. + (gcry_log_debug, gcry_log_debughex, gcry_log_debugmpi): New. + (gcry_log_debugpnt, gcry_log_debugsxp): New. + * src/visibility.c (gcry_log_debug): New. + (gcry_log_debughex, gcry_log_debugmpi, gcry_log_debugpnt): New. + (gcry_log_debugsxp): New. + * src/libgcrypt.def, src/libgcrypt.vers: Add new functions. + * src/misc.c (_gcry_logv): Make public. + (_gcry_log_printsxp): New. + * src/g10lib.h (log_printsxp): New macro. + +2013-09-26 Jussi Kivilinna + + Make libgcrypt build with Clang on i386. + + commit db60d828137c4f3682ca4ca2a54fe3d96d3db5f9 + * cipher/longlong.h [__i386__] (add_ssaaaa, sub_ddmmss) + (umul_ppmm, udiv_qrnnd): Do not cast asm output to USItype. + +2013-09-25 Werner Koch + + mpi: Change not yet used _gcry_mpi_set_opaque_copy. + + commit 1c6660debdbf1e4c3e80074c846a3e3097f214bb + * mpi/mpiutil.c (_gcry_mpi_set_opaque_copy): Change prototype. + (_gcry_mpi_get_opaque_copy): Take care of gcry_malloc failure. + + sexp: Improve printing of data with a leading zero. + + commit 9b7c49971588edf6acfc74bfb797eb79d19cb350 + * src/sexp.c (suitable_encoding): Detect leading zero byte. + + ecc: Allow the name "q@eddsa" to get/set the public key. + + commit d6683d2a6065986a9198d2d2eaa02c005b68cea4 + * cipher/ecc-curves.c (_gcry_ecc_get_mpi): Support "q@eddsa". + (_gcry_ecc_set_mpi): Support "q". + * cipher/ecc.c (eddsa_encodepoint): Rename to ... + (_gcry_ecc_eddsa_encodepoint): this and make global. Remove arg + MINLEN and take from context. + (eddsa_decodepoint): Rename to + (_gcry_ecc_eddsa_decodepoint): this and make global. Remove arg LEN + and take from context. + (sign_eddsa, verify_eddsa): Take B from context. + (ecc_sign, ecc_verify): Add hack to set DIALECT. + (_gcry_pk_ecc_get_sexp): Use _gcry_ecc_compute_public. Handle EdDSA. + * src/ec-context.h (mpi_ec_ctx_s): Add field NBITS. + * mpi/ec.c (ec_p_init): Init NBITS. + * tests/t-mpi-point.c (test_curve): Add Ed25519. + (sample_ed25519_q): New. + (context_param): Check new sample key. + (hex2buffer, hex2mpiopa): New. + (cmp_mpihex): Take care of opaque MPIs. + + mpicalc: Add statement to compute the number of bits. + + commit 9a4447ccd1b90bcd701941e80a7f484a1825fcea + * src/mpicalc.c (do_nbits): New. + (main): Add statement 'b'. + + ecc: Refactor low-level access functions. + + commit 64a7d347847d606eb5f4c156e24ba060271b8f6b + * mpi/ec.c (point_copy): Move to cipher/ecc-curves.c. + (ec_get_reset): Rename to _gcry_mpi_ec_get_reset and make global. + (_gcry_mpi_ec_get_mpi): Factor most code out to _gcry_ecc_get_mpi. + (_gcry_mpi_ec_get_point): Factor most code out to _gcry_ecc_get_point. + (_gcry_mpi_ec_set_mpi): Factor most code out to _gcry_ecc_set_mpi. + (_gcry_mpi_ec_set_point): Factor most code out to _gcry_ecc_set_point. + * cipher/ecc-curves.c (_gcry_ecc_get_mpi): New. + (_gcry_ecc_get_point, _gcry_ecc_set_mpi, _gcry_ecc_set_point): New. + * cipher/ecc-misc.c (_gcry_ecc_compute_public): New. + + ecc: Fix highly unlikely endless loop in sign_ecdsa. + + commit 1f5f4452e5bca105ec2197a4facbf9778e7dc31e + * cipher/ecc.c (sign_ecdsa): Turn while-do into do-while loops. + +2013-09-24 Werner Koch + + ecc: Allow the use of an uncompressed public key. + + commit df013c9820709421ef9550158ac5df0060d73379 + * cipher/ecc.c (eddsa_encodepoint): Factor most code out to ... + (eddsa_encode_x_y): new fucntion. + (eddsa_decodepoint): Allow use of an uncompressed public key. + * tests/t-ed25519.c (N_TESTS): Adjust. + * tests/t-ed25519.inp: Add test 1025. + +2013-09-23 Werner Koch + + pk: Add algo id GCRY_PK_ECC and deprecate ECDSA and ECDH. + + commit d5f91466695c5736f441c9bf1998436184a4bf61 + * src/gcrypt.h.in (GCRY_PK_ECC): New. + * cipher/pubkey.c (map_algo): New. + (spec_from_algo, gcry_pk_get_param, _gcry_pk_selftest): Use it. + * cipher/ecc.c (selftests_ecdsa): Report using GCRY_PK_ECC. + (run_selftests): Simplify. + (ecdh_names, ecdsa_names): Merge into a new ecc_names. + (_gcry_pubkey_spec_ecdh, _gcry_pubkey_spec_ecdsa): Merge into new + _gcry_pubkey_spec_ecc. + + ec: Use mpi_mulm instead of mpi_powm. + + commit 4552437bb3c5ff96a889fd31e4bc504b2a12fac7 + * mpi/ec.c (ec_pow2): New. + (ec_powm): Remove call to mpi_abs. + (dup_point_weierstrass, dup_point_twistededwards) + (add_points_weierstrass, add_points_twistededwards) + (_gcry_mpi_ec_curve_point): Use ec_pow2. + +2013-09-21 Jussi Kivilinna + + bufhelp: enable fast unaligned memory accesses on powerpc. + + commit 925d4fb3e8f2df3c5566ec6b5df7620a3d3504e5 + * cipher/bufhelp.h [__powerpc__] (BUFHELP_FAST_UNALIGNED_ACCESS): Set + macro enabled. + [__powerpc64__] (BUFHELP_FAST_UNALIGNED_ACCESS): Ditto. + + Remove i386 inline assembly version of rotation functions. + + commit cfea5c28a3822e1e7e401e5107ebe07ba7fdcf37 + * cipher/bithelp.h (rol, ror): Remove i386 version, change + macros to inline functions. + * src/hmac256.c (ror): Ditto. + + Optimize and cleanup 32-bit and 64-bit endianess transforms. + + commit 9337e03824a5bdd3bbbcb8382cabefe6d6c32e1e + * cipher/bithelp.h (bswap32, bswap64, le_bswap32, be_bswap32) + (le_bswap64, be_bswap64): New. + * cipher/bufhelp.h (buf_get_be32, buf_get_le32, buf_put_le32) + (buf_put_be32, buf_get_be64, buf_get_le64, buf_put_be64) + (buf_put_le64): New. + * cipher/blowfish.c (do_encrypt_block, do_decrypt_block): Use new + endian conversion helpers. + (do_bf_setkey): Turn endian specific code to generic. + * cipher/camellia.c (GETU32, PUTU32): Use new endian conversion + helpers. + * cipher/cast5.c (rol): Remove, use rol from bithelp. + (F1, F2, F3): Fix to use rol from bithelp. + (do_encrypt_block, do_decrypt_block, do_cast_setkey): Use new endian + conversion helpers. + * cipher/des.c (READ_64BIT_DATA, WRITE_64BIT_DATA): Ditto. + * cipher/md4.c (transform, md4_final): Ditto. + * cipher/md5.c (transform, md5_final): Ditto. + * cipher/rmd160.c (transform, rmd160_final): Ditto. + * cipher/salsa20.c (LE_SWAP32, LE_READ_UINT32): Ditto. + * cipher/scrypt.c (READ_UINT64, LE_READ_UINT64, LE_SWAP32): Ditto. + * cipher/seed.c (GETU32, PUTU32): Ditto. + * cipher/serpent.c (byte_swap_32): Remove. + (serpent_key_prepare, serpent_encrypt_internal) + (serpent_decrypt_internal): Use new endian conversion helpers. + * cipher/sha1.c (transform, sha1_final): Ditto. + * cipher/sha256.c (transform, sha256_final): Ditto. + * cipher/sha512.c (__transform, sha512_final): Ditto. + * cipher/stribog.c (transform, stribog_final): Ditto. + * cipher/tiger.c (transform, tiger_final): Ditto. + * cipher/twofish.c (INPACK, OUTUNPACK): Ditto. + * cipher/whirlpool.c (buffer_to_block, block_to_buffer): Ditto. + * configure.ac (gcry_cv_have_builtin_bswap32): Check for compiler + provided __builtin_bswap32. + (gcry_cv_have_builtin_bswap64): Check for compiler provided + __builtin_bswap64. + + gostr3411_94: set better burn stack depth estimate. + + commit 7409de7bc28ff8847c9d71d8c3e35e1968d59d60 + * cipher/gost28147.c (_gcry_gost_enc_one): Account function stack to + burn stack depth. + * cipher/gostr3411-94.c (max): New macro. + (do_hash_step, transform): Return stack burn depth. + + Use hash transform function return type for passing burn stack depth. + + commit 592c2ab3deeeccbb6d3b078ed7bf0e6627c8e1fb + * cipher/gostr4311-94.c (transform): Return stack burn depth. + * cipher/hash-common.c (_gcry_md_block_write): Use stack burn depth + returned by 'hd->bwrite'. + * cipher/hash-common.h (_gcry_md_block_write_t): Change return type to + 'unsigned int'. + (gry_md_block_ctx_t): Remove 'stack_burn'. + * cipher/md4.c (transform): Return stack burn depth. + (md4_final): Use stack burn depth from transform. + * cipher/md5.c (transform): Return stack burn depth. + (md5_final): Use stack burn depth from transform. + * cipher/rmd160.c (transform): Return stack burn depth. + (rmd160_final): Use stack burn depth from transform. + * cipher/sha1.c (transform): Return stack burn depth. + (sha1_final): Use stack burn depth from transform. + * cipher/sha256.c (transform): Return stack burn depth. + (sha256_final): Use stack burn depth from transform. + * cipher/sha512.c (__transform, transform): Return stack burn depth. + (sha512_final): Use stack burn depth from transform. + * cipher/stribog.c (transform64): Return stack burn depth. + * cipher/tiger.c (transform): Return stack burn depth. + (tiger_final): Use stack burn depth from transform. + + Make STRIBOG use the new _gcry_md_block_write helper. + + commit 902ea6052c11108bd19333c31b03e084bed1fb86 + * cipher/stribog.c (STRIBOG_STRUCT): Add 'bctx' and remove 'buf' and + 'count'. + (stribog_init_512): Initialize 'bctx'. + (transform64): New function. + (stribog_write): Remove. + (stribog_final): Use _gcry_md_block_write and bctx. + (_gcry_digest_spec_stribog_256, _gcry_digest_spec_stribog_512): Use + _gcry_md_block_write. + + Make SHA-512 use the new _gcry_md_block_write helper. + + commit cce7449efe471b076c5a97929ac8907162011394 + * cipher/hash-common.c (_gcry_md_block_write): Check that hd->buf is + large enough. + * cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE, MD_NBLOCKS_TYPE): New + macros. + (gcry_md_block_ctx_t): Use above macros for 'nblocks' and 'buf'. + * cipher/sha512.c (SHA512_STATE): New struct. + (SHA512_CONTEXT): Add 'bctx' and 'state'. + (sha512_init, sha384_init): Initialize 'bctx'. + (__transform, _gcry_sha512_transform_armv7_neon): Use SHA512_STATE for + 'hd'. + (transform): For now, do not return burn stack. + (sha512_write): Remove. + (sha512_final): Use _gcry_md_block_write and bctx. + (_gcry_digest_spec_sha512, _gcry_digest_spec_sha384): Use + _gcry_md_block_write. + +2013-09-20 Werner Koch + + sexp: Change internal versions to always use gpg_err_code_t. + + commit 3e5cfa20acfeccb9df2c3fae2730344b40b36104 + * src/sexp.c (gcry_sexp_new, gcry_sexp_create, gcry_sexp_build) + (gcry_sexp_build_array, gcry_sexp_canon_len): Change error return type + from gpg_error_t to gpg_err_code_t. Remove all calls to gpg_error. + * src/visibility.c (gcry_sexp_new, gcry_sexp_create, gcry_sexp_sscan) + (gcry_sexp_build, gcry_sexp_build_array, gcry_sexp_canon_len): Map + error codes via gpg_error. + * cipher/dsa.c, cipher/ecc.c, cipher/elgamal.c, cipher/rsa.c: Remove + use gpg_err_code wrappers. + + pk: Move s-exp creation for gcry_pk_decrypt to the modules. + + commit 722bfc1e5f2268453db62f38cc46b5ec6ef3adee + * cipher/pubkey.c (sexp_to_enc): Remove RET_MODERN arg and merge it + into FLAGS. + (gcry_pk_decrypt): Move result s-exp building into the modules. + * src/cipher-proto.h (gcry_pk_decrypt_t): Add some args. + * cipher/ecc.c (ecc_decrypt_raw): Change to return an s-exp. + * cipher/elgamal.c (elg_decrypt): Ditto. + * cipher/rsa.c (rsa_decrypt): Ditto. + (rsa_blind, rsa_unblind): Merge into rsa_decrypt. This saves several + extra MPI allocations. + + pk: Remove unused function. + + commit 64cd7ab93da7c95cc8aa320c61c6e29f9e2399c4 + * cipher/pubkey.c (_gcry_pk_aliased_algo_name): Remove + +2013-09-19 Werner Koch + + Beautify debug output of the prime generator. + + commit 6576f0a7684292cb5691bfcabad0acca4c06c014 + * cipher/primegen.c: Adjust output of log_mpidump to recently changed + log_mpidump code changes. + + pk: Move s-expr creation for genkey to the modules. + + commit 1bf08850bf9343146c938bc03917417e16393e9a + * cipher/pubkey.c (pubkey_generate): Fold into gcry_pk_genkey + (gcry_pk_genkey): Move result s-exp creation into the modules. + * cipher/dsa.c (dsa_generate): Create result as s-exp. + * cipher/elgamal.c (elg_generate): Ditto. + * cipher/rsa.c (rsa_generate): Ditto. + * cipher/ecc.c (ecc_generate): Ditto. + * src/cipher-proto.h (pk_ext_generate_t): Remove type + (gcry_pk_spec): and remove from struct. + + tests: Beautify some diagnostics. + + commit 2fe084873333c4d67bcfba0b527d63cd3cff6c47 + * tests/benchmark.c (ecc_bench): Print the key sexp in very verbose + mode. + (main): Add option --pk-count. + * tests/keygen.c: Add Elgamal generation and improved diagnostics. + * tests/t-ed25519.c (check_ed25519): Print running number of tests + done. + + sexp: Improve printing data representing a negative number. + + commit b3f3d47d347c14ed41d755cee580f000309b9c03 + * src/sexp.c (suitable_encoding): Detect a negative number. + + pk: Move RSA encoding functions to a new file. + + commit 071f70b9a766187fc70f6abc6a69d50752449285 + * cipher/rsa-common: New. + * cipher/pubkey.c (pkcs1_encode_for_encryption): Move to rsa-common.c + and rename to _gcry_rsa_pkcs1_encode_for_enc. + (pkcs1_decode_for_encryption): Move to rsa-common.c and rename to + _gcry_rsa_pkcs1_decode_for_enc. + (pkcs1_encode_for_signature): Move to rsa-common.c and rename to + _gcry_rsa_pkcs1_encode_for_sig. + (oaep_encode): Move to rsa-common.c and rename to + _gcry_rsa_oaep_encode. + (oaep_decode): Move to rsa-common.c and rename to + _gcry_rsa_oaep_decode. + (pss_encode): Move to rsa-common.c and rename to _gcry_rsa_pss_encode. + (pss_verify): Move to rsa-common.c and rename to _gcry_rsa_pss_decode. + (octet_string_from_mpi, mgf1): Move to rsa-common.c. + + pk: Move s-expr creation for sign and encrypt to the modules. + + commit eca9e2e50ddd4c9020fe1d4a9a3c77d20ebb90f6 + * cipher/pubkey.c (pubkey_encrypt): Fold into gcry_pk_encrypt. + (pubkey_decrypt): Fold into gcry_pk_decrypt. + (pubkey_sign): Fold into gcry_pk_sign. + (pubkey_verify): Fold into gcry_pk_verify. + (octet_string_from_mpi): Make it a wrapper and factor code out to ... + * mpi/mpicoder.c (_gcry_mpi_to_octet_string): New function. + + * src/cipher.h (PUBKEY_FLAG_FIXEDLEN): New. + * cipher/pubkey.c (sexp_data_to_mpi): Set flag for some encodings. + (gcry_pk_encrypt): Simply by moving the s-expr generation to the modules. + (gcry_pk_sign): Ditto. + * cipher/dsa.c (dsa_sign): Create s-expr. + * cipher/elgamal.c (elg_encrypt, elg_sign): Ditto. + * cipher/rsa.c (rsa_encrypt, rsa_sign): Ditto. + * cipher/ecc.c (ecc_sign, ecc_encrypt_raw): Ditto. + (ecdsa_names): Add "eddsa". + * tests/t-ed25519.c (one_test): Expect "eddsa" token. + +2013-09-19 Dmitry Eremin-Solenikov + + Fix Stribog digest on bigendian platforms. + + commit d399faf5db71d429bfd6fa4a9cfc82e2a55055f0 + * cipher/stribog.c (stribog_final): swap bytes in the result of digest + calculations. + +2013-09-18 Werner Koch + + pk: Simplify the public key dispatcher pubkey.c. + + commit 85722afb379f7a392a8117b895de273fd88c4ebc + * src/cipher-proto.h (gcry_pk_spec_t): Add fields ALGO and FLAGS. + * cipher/dsa.c (_gcry_pubkey_spec_dsa): Set these fields. + * cipher/ecc.c (_gcry_pubkey_spec_ecdsa): Ditto. + (_gcry_pubkey_spec_ecdh): Ditto. + * cipher/rsa.c (_gcry_pubkey_spec_rsa): Ditto. + * cipher/elgamal.c (_gcry_pubkey_spec_elg): Ditto + (_gcry_pubkey_spec_elg_e): New. + * cipher/pubkey.c: Change most code to replace the former module + system by a simpler system to gain information about the algorithms. + (disable_pubkey_algo): SImplified. Not anymore thread-safe, though. + + pk: Merge extraspecs struct with standard specs struct. + + commit 89103ce00e862cc709e80fa41f2ee13d54093ec5 + * src/gcrypt-module.h (gcry_pk_spec_t): Move this typedef and the + corresponding function typedefs to ... + * src/cipher-proto.h: here. + (pk_extra_spec_t): Remove typedef and merge fields into + gcry_pk_spec_t. + * cipher/rsa.c, cipher/dsa.c, cipher/elg.c, cipher/ecc.c: Ditto. + * cipher/pubkey.c: Change accordingly. + * src/cipher.h (_gcry_pubkey_extraspec_rsa): Remove. + (_gcry_pubkey_extraspec_dsa): Remove. + (_gcry_pubkey_extraspec_elg): Remove. + (_gcry_pubkey_extraspec_ecdsa): Remove. + +2013-09-18 Jussi Kivilinna + + Fix encryption/decryption return type for GOST28147. + + commit 2ad7ea9cb388fd31e4b0852b68d77f599ef4adce + * cipher/gost.h (_gcry_gost_enc_one): Change return type to + 'unsigned int'. + * cipher/gost28147.c (max): New macro. + (gost_encrypt_block, gost_decrypt_block): Return burn stack depth. + (_gcry_gost_enc_one): Return burn stack depth from gost_encrypt_block. + +2013-09-18 Dmitry Eremin-Solenikov + + doc: fix building of ps and pdf documentation. + + commit bd33fa21c9afc6c81e0da24016fc13001e9c7390 + * doc/gcrypt.texi, doc/gpl.texi, doc/lgpl.texi: fix texinfo errors. + + Add GOST R 34.11-2012 implementation (Stribog) + + commit c22064bdd773a807801e300aa9214b2fdcafcf20 + * src/gcrypt.h.in (GCRY_MD_GOSTR3411_12_256) + (GCRY_MD_GOSTR3411_12_512): New. + * cipher/stribog.c: New. + * configure.ac (available_digests_64): Add stribog. + * src/cipher.h: Declare Stribog declarations. + * cipher/md.c: Register Stribog digest. + * tests/basic.c (check_digests) Add 4 testcases for Stribog from + standard. + * doc/gcrypt.texi: Document new constants. + + Add basic implementation of GOST R 34.11-94 message digest. + + commit b0579baaa04fb91eabbbdc295bcabea04cf84056 + * src/gcrypt.h.in (GCRY_MD_GOSTR3411_94): New. + * cipher/gostr3411-94.c: New. + * configure.ac (available_digests): Add gostr3411-94. + * src/cipher.h: Add gostr3411-94 definitions. + * cipher/md.c: Register GOST R 34.11-94. + * tests/basic.c (check_digests): Add 4 tests for GOST R 34.11-94 + hash algo. Two are defined in the standard itself, two other are + more or less common tests - an empty string an exclamation mark. + * doc/gcrypt.texi: Add an entry describing GOST R 34.11-94 to the MD + algorithms table. + + Separate common md block code. + + commit ecde77ad98690540abb21db08e5531297ed72bd0 + * cipher/hash-common.c (_gcry_md_block_write): New function to handle + block md operations. The current implementation is limited to 64 byte + buffer and u32 block counter. + + * cipher/md4.c, cipher/md5.c, cipher/rmd.h, cipher/rmd160.c + *cipher/sha1.c, cipher/sha256.c, cipher/tiger.c: Convert to use + _gcry_md_block_write. + + Add limited implementation of GOST 28147-89 cipher. + + commit 56b5949f71f501744998f5ebc12488ebf6f1c0b5 + * src/gcrypt.h.in (GCRY_CIPHER_GOST28147): New. + * cipher/gost.h, cipher/gost28147.c: New. + * configure.ac (available_ciphers): Add gost28147. + * src/cipher.h: Add gost28147 definitions. + * cipher/cipher.c: Register gost28147. + * tests/basic.c (check_ciphers): Enable simple test for gost28147. + * doc/gcrypt.texi: document GCRY_CIPHER_GOST28147. + +2013-09-18 Werner Koch + + ecc: Add Ed25519 key generation and prepare for optimizations. + + commit 63cd3474425cb5a7ec4d1a56be15b248ecda4680 + * src/mpi.h (enum ecc_dialects): New. + * src/ec-context.h (mpi_ec_ctx_s): Add field DIALECT. + * cipher/ecc-common.h (elliptic_curve_t): Ditto. + * cipher/ecc-curves.c (ecc_domain_parms_t): Ditto. + (domain_parms): Add dialect values. + (_gcry_ecc_fill_in_curve): Set dialect. + (_gcry_ecc_get_curve): Ditto. + (_gcry_mpi_ec_new): Ditto. + (_gcry_ecc_get_param): Use ECC_DIALECT_STANDARD for now. + * cipher/ecc-misc.c (_gcry_ecc_curve_copy): Copy dialect. + (_gcry_ecc_dialect2str): New. + * mpi/ec.c (ec_p_init): Add arg DIALECT. + (_gcry_mpi_ec_p_internal_new): Ditto. + (_gcry_mpi_ec_p_new): Ditto. + + * mpi/mpiutil.c (gcry_mpi_set_opaque): Set the secure flag. + (_gcry_mpi_set_opaque_copy): New. + + * cipher/ecc-misc.c (_gcry_ecc_os2ec): Take care of an opaque MPI. + * cipher/ecc.c (eddsa_generate_key): New. + (generate_key): Rename to nist_generate_key and factor some code out + to ... + (ecc_generate_ext): here. Divert to eddsa_generate_key if desired. + (eddsa_decodepoint): Take care of an opaque MPI. + (ecc_check_secret_key): Ditto. + (ecc_sign): Ditto. + * cipher/pubkey.c (sexp_elements_extract_ecc): Store public and secret + key as opaque MPIs. + (gcry_pk_genkey): Add the curve_name also to the private key part of + the result. + + * tests/benchmark.c (ecc_bench): Support Ed25519. + (main): Add option --debug. + * tests/curves.c (sample_key_2): Make sure that P and N are positive. + * tests/keygen.c (show): New. + (check_ecc_keys): Support Ed25519. + +2013-09-17 Werner Koch + + mpi: Support printing of negative numbers. + + commit 89fe2173649a72019d75e059e6c6938efd10421f + * mpi/mpicoder.c (twocompl, onecompl): New. + (gcry_mpi_print): Use it for STD and SSH. + (gcry_mpi_scan): Use it for STD and SSH. Always set NSCANNED. + (gcry_mpi_aprint): Clear the extra allocated byte. + * tests/t-convert.c (showhex, showmpi): New. + (mpi2bitstr_nlz): New. + (check_formats): New. + (main): Call new test. + +2013-09-16 Werner Koch + + Fix bug in _gcry_mpi_tdiv_q_2exp. + + commit a7a9cdcaaf3979baa18dad51e722882581349f45 + * mpi/mpi-internal.h (MPN_COPY_INCR): Make it work. + + ecc: Implement Curve Ed25519 signing and verification. + + commit bc5199a02abe428ad377443280b3eda60141a1d6 + * cipher/ecc-curves.c (domain_parms): Add curve "Ed25519". + * cipher/ecc.c (reverse_buffer): New. + (eddsa_encodempi): New. + (eddsa_encodepoint): New. + (eddsa_decodepoint): New. + (sign_eddsa): Implement. + (verify_eddsa): Implement. + (ecc_sign): Init unused Q. Pass public key to sign_eddsa. + (ecc_verify): Init pk.Q if not used. Pass public key verbatim to + verify_eddsa. + * cipher/pubkey.c (sexp_elements_extract): Add arg OPAQUE. Change all + callers to pass 0. + (sexp_to_sig): Add arg OPAQUE and pass it to sexp_elements_extract. + (sexp_data_to_mpi): Allow for a zero length "value". + (gcry_pk_verify): Reorder parameter processing. Pass OPAQUE flag as + required. + * mpi/ec.c (ec_invm): Print a warning if the inverse does not exist. + (_gcry_mpi_ec_get_affine): Implement for our Twisted Edwards curve + model. + (dup_point_twistededwards): Implement. + (add_points_twistededwards): Implement. + (_gcry_mpi_ec_mul_point): Support Twisted Edwards. + + * mpi/mpicoder.c (do_get_buffer): Add arg FILL_LE. + (_gcry_mpi_get_buffer): Ditto. Change all callers. + (_gcry_mpi_get_secure_buffer): Ditto. + + * src/sexp.c (_gcry_sexp_nth_opaque_mpi): New. + + * tests/t-ed25519.c: New. + * tests/t-ed25519.inp: New. + * tests/t-mpi-point.c (basic_ec_math_simplified): Print some output + only in debug mode. + (twistededwards_math): New test. + (main): Call new test. + + mpi: Add internal convenience function. + + commit 44a2c34e90ed7de149952398787906d8823b636b + * mpi/mpiutil.c (_gcry_mpi_get_opaque_copy): New. + + mpi: Add debug function to print a point. + + commit 8ebc94d11a1eb93f2365c93f555e958700fdfbd4 + * mpi/ec.c (_gcry_mpi_point_log): New. + * src/mpi.h (log_printpnt): new macro. + + tests: Factor time measurement code out. + + commit 58eaf0c4332ac2f645ede28c4d18337389dfa753 + * tests/benchmark.c (started_at, stopped_at, start_timer, stop_timer) + (elapsed time): Factor out to .. + * tests/stopwatch.h: new file. + +2013-09-12 Werner Koch + + Fix _gcry_log_printmpi to print 00 instead of a sole sign. + + commit 1c76349c69c70a62b516a4f837c6287def640807 + * src/misc.c: Special case an mpi length of 0. + +2013-09-11 Werner Koch + + Streamline the use of the internal mpi and hex debug functions. + + commit e35ed615acc624a8b6c07576ea0650aac2bdb0db + * mpi/mpicoder.c (gcry_mpi_dump): Remove. + (_gcry_log_mpidump): Remove. + * src/misc.c (_gcry_log_printhex): Factor all code out to ... + (do_printhex): new. Add line wrapping a and compact printing. + (_gcry_log_printmpi): New. + * src/mpi.h (log_mpidump): Remove macro. + * src/g10lib.h (log_mpidump): Add compatibility macro. + (log_printmpi): New macro + * src/visibility.c (gcry_mpi_dump): Call _gcry_log_printmpi. + * cipher/primegen.c (prime_generate_internal): Replace gcry_mpi_dump + by log_printmpi. + (gcry_prime_group_generator): Ditto. + * cipher/pubkey.c: Remove extra colons from log_mpidump call. + * cipher/rsa.c (stronger_key_check): Use log_printmpi. + +2013-09-10 Werner Koch + + md: Add function gcry_md_hash_buffers. + + commit f3bca0c77c4979504f95fdbc618f7458e61e3e45 + * src/gcrypt.h.in (gcry_buffer_t): new. + (gcry_md_hash_buffers): New. + * src/visibility.c, src/visibility.h: Add wrapper for new function. + * src/libgcrypt.def, src/libgcrypt.vers: Export new function. + * cipher/md.c (gcry_md_hash_buffers): New. + * cipher/sha1.c (_gcry_sha1_hash_buffers): New. + * tests/basic.c (check_one_md_multi): New. + (check_digests): Run that test. + * tests/hmac.c (check_hmac_multi): New. + (main): Run that test. + + md: Fix Whirlpool flaw. + + commit 0a28b2d2c9181a536fc894e24626714832619923 + * cipher/whirlpool.c (whirlpool_add): Remove shortcut return so that + byte counter is always properly updated. + +2013-09-07 Jussi Kivilinna + + Fix static build on AMD64. + + commit 90fdf25f0dcc5feac7195ede55bd15948a11363e + * cipher/rijndael-amd64.S: Correct 'RIP' macro for non-PIC build. + + scrypt: fix for big-endian systems. + + commit 38a038a135d82231eff9d84f1ae3c4a25c6a5e75 + * cipher/scrypt.c (_salsa20_core): Fix endianess issues. + +2013-09-07 Werner Koch + + Use gcc "unused" attribute only with gcc >= 3.5. + + commit f7135e299e659d78906aac3dfdf30f380b5cf9c6 + * src/g10lib.h (GCC_ATTR_UNUSED): Fix gcc version detection. + +2013-09-07 Dmitry Eremin-Solenikov + + Add support for Salsa20/12 - 12 round version of Salsa20. + + commit ae6f6c47d2e0c536f3eab0823b5f23d26956cda2 + * src/gcrypt.h.in (GCRY_CIPHER_SALSA20R12): New. + * src/salsa20.c (salsa20_core, salsa20_do_encrypt_stream): Add support + for reduced round versions. + (salsa20r12_encrypt_stream, _gcry_cipher_spec_salsa20r12): Implement + Salsa20/12 - a 12 round version of Salsa20 selected by eStream. + * src/cipher.h: Declsare Salsa20/12 definition. + * cipher/cipher.c: Register Salsa20/12 + * tests/basic.c: (check_stream_cipher, check_stream_cipher_large_block): + Populate Salsa20/12 tests with test vectors from ecrypt + (check_ciphers): Add simple test for Salsa20/12 + +2013-09-07 Werner Koch + + Add configure option --disable-amd64-as-feature-detection. + + commit 49d5b9dcd622cdc87fb02a211bd51e3d46345bf2 + * configure.ac: Implement new disable flag. + + mpi: Improve support for non-Weierstrass support. + + commit 4d8c8c7aa88cddb1624301957e6245405f46d027 + * mpi/ec.c (ec_p_init): Add args MODEL and P. Change all callers. + (_gcry_mpi_ec_p_internal_new): Ditto. + (_gcry_mpi_ec_p_new): Ditto. + * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return + GPG_ERR_UNKNOWN_CURVE instead of invalid value. Init curve model. + * cipher/ecc.c (ecc_verify, ecc_encrypt_raw): Ditto. + * cipher/pubkey.c (sexp_data_to_mpi): Fix EDDSA flag error checking. + + mpi: Add gcry_mpi_ec_curve_point. + + commit ddfefe429660cc5d798f3517208936449247ae5c + * mpi/ec.c (_gcry_mpi_ec_curve_point): New. + (ec_powm): Return the absolute value. + * src/visibility.c, src/visibility.c: Add wrappers. + * src/libgcrypt.def, src/libgcrypt.vers: Export them. + + mpi: Add functions to manipulate the sign. + + commit 1bd2c67aa55b40589654d3fa5dea05cf1ed7dc5f + * src/gcrypt.h.in (gcry_mpi_is_neg): New. + (gcry_mpi_neg, gcry_mpi_abs): New. + * mpi/mpiutil.c (_gcry_mpi_is_neg): New. + (_gcry_mpi_neg, _gcry_mpi_abs): New. + * src/visibility.c, src/visibility.h: Add wrappers. + * src/libgcrypt.def, src/libgcrypt.vers: Export them. + * src/mpi.h (mpi_is_neg): New. Rename old macro to mpi_has_sign. + * mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Use mpi_has_sign. + * mpi/mpi-mpow.c (calc_barrett): Ditto. + * cipher/primegen.c (_gcry_derive_x931_prime): Ditto + * cipher/rsa.c (secret): Ditto. + +2013-09-06 Jussi Kivilinna + + Tune armv6 mpi assembly. + + commit 4e4440153258e2f0dfdcaa8443820af06984ecb1 + * mpi/armv6/mpih-mul1.S: Tune assembly for Cortex-A8. + * mpi/armv6/mpih-mul2.S: Ditto. + * mpi/armv6/mpih-mul3.S: Ditto. + +2013-09-05 Jussi Kivilinna + + Change _gcry_burn_stack take burn depth as unsigned integer. + + commit e0ae31fcce3bd57b24751ff3c82cba820e493c3a + * src/misc.c (_gcry_burn_stack): Change to handle 'unsigned int' bytes. + + mpicalc: fix building on linux and win32. + + commit 50ec983666f0ca9d50c84aa1afad0d7bd5810779 + * src/Makefile.am (mpicalc): Adjust CFLAGS and LDADD. + +2013-09-04 Werner Koch + + Change mpicalc to use Libgcrypt and install it. + + commit 1d23040b659661b4086c079cb9fd5f37189a7020 + * src/mpicalc.c: Make use of gcry_ functions. + (MPICALC_VERSION): New. Set to 2.0. + (strusage): Remove. + (scan_mpi): New. Replaces mpi_fromstr. + (print_mpi): New. Replaces mpi_print. + (my_getc): New. + (print_help): New. + (main): Use simple option parser and print version info. + * src/Makefile.am (bin_PROGRAMS): Add mpicalc. + (mpicalc_SOURCES, mpicalc_CFLAGS, mpicalc_LDADD): New. + + Add mpicalc.c to help with testing. + + commit a70c46e29c480fa0f56ab4814666a5b115f84fd7 + * src/mpicalc.c: Take from GnuPG 1.4 + + Prepare support for EdDSA. + + commit c47d4001033f68212d2847b3074a0bdda990342e + * src/cipher.h (PUBKEY_FLAG_EDDSA): New. + * cipher/pubkey.c (pubkey_verify): Repalce args CMP and OPAQUEV by + CTX. Pass flags and hash algo to the verify function. Change all + verify functions to accept these args. + (sexp_data_to_mpi): Implement new flag "eddsa". + (gcry_pk_verify): Pass CTX instead of the compare function to + pubkey_verify. + * cipher/ecc.c (sign): Rename to sign_ecdsa. Change all callers. + (verify): Rename to verify_ecdsa. Change all callers. + (sign_eddsa, verify_eddsa): New stub functions. + (ecc_sign): Divert to sign_ecdsa or sign_eddsa. + (ecc_verify): Divert to verify_ecdsa or verify_eddsa. + + Prepare support for non-Weierstrass EC equations. + + commit c26be7a337d0bf98193bc58e043209e46d0769bb + * src/mpi.h (gcry_mpi_ec_models): New. + * src/ec-context.h (mpi_ec_ctx_s): Add MODEL. + * cipher/ecc-common.h (elliptic_curve_t): Ditto. + * cipher/ecc-curves.c (ecc_domain_parms_t): Ditto. + (domain_parms): Mark als as Weierstrass. + (_gcry_ecc_fill_in_curve): Check model. + (_gcry_ecc_get_curve): Set model to Weierstrass. + * cipher/ecc-misc.c (_gcry_ecc_model2str): New. + * cipher/ecc.c (generate_key, ecc_generate_ext): Print model in the + debug output. + + * mpi/ec.c (_gcry_mpi_ec_dup_point): Switch depending on model. + Factor code out to ... + (dup_point_weierstrass): new. + (dup_point_montgomery, dup_point_twistededwards): New stub functions. + (_gcry_mpi_ec_add_points): Switch depending on model. Factor code out + to ... + (add_points_weierstrass): new. + (add_points_montgomery, add_points_twistededwards): New stub + functions. + + * tests/Makefile.am (TESTS): Reorder tests. + + mpi: Suppress newer gcc warnings. + + commit 8698530b2f9ef95542f1dd550961de7af86cc256 + * src/g10lib.h (GCC_ATTR_UNUSED): Define for gcc >= 3.5. + * mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Mark dummy + as unused. + * mpi/mpi-internal.h (UDIV_QRNND_PREINV): Mark _ql as unused. + + Do not check with cpp for typedefed constants. + + commit b28b1f732e1b4f9c62a9de87c22c6bb0d3f8fdb8 + * src/gcrypt-int.h: Include error code replacements depeding on the + version of libgpg-error. + +2013-09-04 Jussi Kivilinna + + Make _gcry_burn_stack use variable length array. + + commit 4b0edf53440239d3bcc95941980c062a0801a149 + * configure.ac (HAVE_VLA): Add check. + * src/misc.c (_gcry_burn_stack) [HAVE_VLA]: Add VLA code. + + Move stack burning from block ciphers to cipher modes. + + commit a3aaa6ad03388ea3eaa24304b604cb864633332f + * src/gcrypt-module.h (gcry_cipher_encrypt_t) + (gcry_cipher_decrypt_t): Return 'unsigned int'. + * cipher/cipher.c (dummy_encrypt_block, dummy_decrypt_block): Return + zero. + (do_ecb_encrypt, do_ecb_decrypt): Get largest stack burn depth from + block cipher crypt function and burn stack at end. + * cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt) + (_gcry_cipher_aeswrap_decrypt): Ditto. + * cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt) + (_gcry_cipher_cbc_decrypt): Ditto. + * cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt) + (_gcry_cipher_cfb_decrypt): Ditto. + * cipher/cipher-ctr.c (_gcry_cipher_cbc_encrypt): Ditto. + * cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt) + (_gcry_cipher_ofb_decrypt): Ditto. + * cipher/blowfish.c (encrypt_block, decrypt_block): Return burn stack + depth. + * cipher/camellia-glue.c (camellia_encrypt, camellia_decrypt): Ditto. + * cipher/cast5.c (encrypt_block, decrypt_block): Ditto. + * cipher/des.c (do_tripledes_encrypt, do_tripledes_decrypt) + (do_des_encrypt, do_des_decrypt): Ditto. + * cipher/idea.c (idea_encrypt, idea_decrypt): Ditto. + * cipher/rijndael.c (rijndael_encrypt, rijndael_decrypt): Ditto. + * cipher/seed.c (seed_encrypt, seed_decrypt): Ditto. + * cipher/serpent.c (serpent_encrypt, serpent_decrypt): Ditto. + * cipher/twofish.c (twofish_encrypt, twofish_decrypt): Ditto. + * cipher/rfc2268.c (encrypt_block, decrypt_block): New. + (_gcry_cipher_spec_rfc2268_40): Use encrypt_block and decrypt_block. + +2013-09-01 Jussi Kivilinna + + camellia-aesni-avx2-amd64: Move register clearing to assembly functions. + + commit f3515240de9513ead975985c9f8ab714022cac8e + * cipher/camellia-aesni-avx2-amd64.S + (_gcry_camellia_aesni_avx2_ctr_enc): Add 'vzeroall'. + (_gcry_camellia_aesni_avx2_cbc_dec) + (_gcry_camellia_aesni_avx2_cfb_dec): Add 'vzeroupper' at head and + 'vzeroall' at tail. + * cipher/camellia-glue.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec) + (_gcry_serpent_avx2_cfb_dec) [USE_AESNI_AVX2]: Remove register + clearing. + + camellia-aesni-avx-amd64: Move register clearing to assembly functions. + + commit 8b735cb563dff7aafbf8a970972522b5621e665c + * cipher/camellia-aesni-avx-amd64.S (_gcry_camellia_aesni_avx_ctr_enc) + (_gcry_camellia_aesni_avx_cbc_dec) + (_gcry_camellia_aesni_avx_cfb_dec): Add 'vzeroupper' at head and + 'vzeroall' at tail. + * cipher/camellia-glue.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec) + (_gcry_serpent_avx2_cfb_dec) [USE_AESNI_AVX]: Remove register clearing. + + serpent-avx2-amd64: Move register clearing to assembly. + + commit d12828cd821a4b4428eae19de5aee02cf536e536 + * cipher/serpent-avx2-amd64.S (_gcry_serpent_avx2_ctr_enc) + (_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Change last + 'vzeroupper' to 'vzeroall'. + * cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec) + (_gcry_serpent_avx2_cfb_dec) [USE_AVX2]: Remove register clearing with + 'vzeroall'. + + Fix building for x32 target. + + commit fd6721c235a5bdcb332c8eb708fbd4f96e52e824 + * mpi/amd64/mpi-asm-defs.h: New file. + * random/rndhw.c (poll_padlock) [__x86_64__]: Also check if __LP64__ is + defined. + [USE_DRNG, __x86_64__]: Also check if __LP64__ is defined. + +2013-08-31 Jussi Kivilinna + + sha512: add ARM/NEON assembly version of transform function. + + commit 99d15543b8d94a8f1ef66c6ccb862b0ce82c514d + * cipher/Makefile.am: Add 'sha512-armv7-neon.S'. + * cipher/sha512-armv7-neon.S: New file. + * cipher/sha512.c (USE_ARM_NEON_ASM): New macro. + (SHA512_CONTEXT) [USE_ARM_NEON_ASM]: Add 'use_neon'. + (sha512_init, sha384_init) [USE_ARM_NEON_ASM]: Enable 'use_neon' if + CPU support NEON instructions. + (k): Round constant array moved outside of 'transform' function. + (__transform): Renamed from 'tranform' function. + [USE_ARM_NEON_ASM] (_gcry_sha512_transform_armv7_neon): New prototype. + (transform): New wrapper function for different transform versions. + (sha512_write, sha512_final): Burn stack by the amount returned by + transform function. + * configure.ac (sha512) [neonsupport]: Add 'sha512-armv7-neon.lo'. + + sha512: reduce stack use in transform function by 512 bytes. + + commit 03da7f8ba3ec24d4639a2bcebbc0d9d831734c08 + * cipher/sha512.c (transform): Change 'u64 w[80]' to 'u64 w[16]' and + inline input expansion to first 64 rounds. + (sha512_write, sha512_final): Reduce burn_stack depth by 512 bytes. + + Add ARM HW feature detection module and add NEON detection. + + commit 9c95be105f518d18407115c2c06893857c24b116 + * configure.ac: Add option --disable-neon-support. + (HAVE_GCC_INLINE_ASM_NEON): New. + (ENABLE_NEON_SUPPORT): New. + [arm]: Add 'hwf-arm.lo' as HW feature module. + * src/Makefile.am: Add 'hwf-arm.c'. + * src/g10lib.h (HWF_ARM_NEON): New macro. + * src/global.c (hwflist): Add HWF_ARM_NEON entry. + * src/hwf-arm.c: New file. + * src/hwf-common.h (_gcry_hwf_detect_arm): New prototype. + * src/hwfeatures.c (_gcry_detect_hw_features) [HAVE_CPU_ARCH_ARM]: Add + call to _gcry_hwf_detect_arm. + + Correct mpi_cpu_arch for ARMv6. + + commit 7b0ebe69fe35f2ee13e1e1beb2766a1eaadb7f0c + * mpi/config.links [armv6]: Set mpi_cpu_arch to "arm", instead of + "armv6". + +2013-08-30 Werner Koch + + mpi: Make gcry_mpi_print work with negative zeroes. + + commit e9b711e6ddb480a71d2996465074e436c752c005 + * mpi/mpicoder.c (gcry_mpi_print): Take care of negative zero. + (gcry_mpi_aprint): Allocate at least 1 byte. + * tests/t-convert.c: New. + * tests/Makefile.am (TESTS): Add t-convert. + + Refactor the ECC code into 3 files. + + commit 800d4e01376d52a94a157b53978c7c3f957fc476 + * cipher/ecc-common.h, cipher/ecc-curves.c, cipher/ecc-misc.c: New. + * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add new files. + * configure.ac (GCRYPT_PUBKEY_CIPHERS): Add new .c files. + * cipher/ecc.c (curve_aliases, ecc_domain_parms_t, domain_parms) + (scanval): Move to ecc-curves.c. + (fill_in_curve): Move to ecc-curve.c as _gcry_ecc_fill_in_curve. + (ecc_get_curve): Move to ecc-curve.c as _gcry_ecc_get_curve. + (_gcry_mpi_ec_ec2os): Move to ecc-misc.c. + (ec2os): Move to ecc-misc.c as _gcry_ecc_ec2os. + (os2ec): Move to ecc-misc.c as _gcry_ecc_os2ec. + (point_set): Move as inline function to ecc-common.h. + (_gcry_ecc_curve_free): Move to ecc-misc.c as _gcry_ecc_curve_free. + (_gcry_ecc_curve_copy): Move to ecc-misc.c as _gcry_ecc_curve_copy. + (mpi_from_keyparam, point_from_keyparam): Move to ecc-curves.c. + (_gcry_mpi_ec_new): Move to ecc-curves.c. + (ecc_get_param): Move to ecc-curves.c as _gcry_ecc_get_param. + (ecc_get_param_sexp): Move to ecc-curves.c as _gcry_ecc_get_param_sexp. + +2013-08-22 Jussi Kivilinna + + serpent-sse2-amd64: Move register clearing to assembly functions. + + commit 040aa7688296e93659cb32ca31e9a001a6ab1edd + cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_ctr_enc) + (_gcry_serpent_sse2_cbc_dec, _gcry_serpent_sse2_cfb_dec): Clear used + XMM registers. + cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec) + ( _gcry_serpent_cfb_dec) [USE_SSE2]: Remove XMM register clearing from + bulk functions. + + twofish-amd64: do not make __twofish_dec_blk3 global. + + commit 82db04a6a0058cf870485459abe7c1659b138ec5 + * cipher/twofish-amd64.S (__twofish_dec_blk3): Do not export symbol as + global. + (__twofish_dec_blk3): Mark symbol as function. + +2013-08-20 Jussi Kivilinna + + mpi: add ARMv6 assembly. + + commit da327aef3fe24fdf98fffbc8aea69de42ed12456 + * mpi/armv6/mpi-asm-defs.h: New. + * mpi/armv6/mpih-add1.S: New. + * mpi/armv6/mpih-mul1.S: New. + * mpi/armv6/mpih-mul2.S: New. + * mpi/armv6/mpih-mul3.S: New. + * mpi/armv6/mpih-sub1.S: New. + * mpi/config.links [arm]: Enable ARMv6 assembly. + + Move ARMv6 detection to configure.ac. + + commit 151f1e518be2d16bed748ba832384b0472ddcf9b + * cipher/blowfish-armv6.S: Replace __ARM_ARCH >= 6 checks with + HAVE_ARM_ARCH_V6. + * cipher/blowfish.c: Ditto. + * cipher/camellia-armv6.S: Ditto. + * cipher/camellia.h: Ditto. + * cipher/cast5-armv6.S: Ditto. + * cipher/cast5.c: Ditto. + * cipher/rijndael-armv6.S: Ditto. + * cipher/rijndael.c: Ditto. + * configure.ac: Add HAVE_ARM_ARCH_V6 check. + +2013-08-19 Jussi Kivilinna + + Add optimized wipememory for ARM. + + commit c030e33533fb819afe195eff5f89ec39863b1fbc + src/g10lib.h [__arm__] (fast_wipememory2_unaligned_head) + (fast_wipememory2): New macros. + + cipher: bufhelp: allow unaligned memory accesses on ARM. + + commit 796dda37b957b20dba391343937c6325a8c8b288 + * cipher/bufhelp.h [__arm__ && __ARM_FEATURE_UNALIGNED]: Enable + BUFHELP_FAST_UNALIGNED_ACCESS. + +2013-08-17 Jussi Kivilinna + + Remove burn_stack optimization. + + commit 79895b9459b9bf8c60cb7abf09d5bf16ed0cf6e3 + * src/misc.c (_gcry_burn_stack): Remove SIZEOF_UNSIGNED_LONG == 4 or 8 + optimization. + +2013-08-16 Jussi Kivilinna + + camellia: add ARMv6 assembly implementation. + + commit cafadc1e4fb97581262b0081ba251e05613d4394 + * cipher/Makefile.am: Add 'camellia-armv6.S'. + * cipher/camellia-armv6.S: New file. + * cipher/camellia-glue.c [USE_ARMV6_ASM] + (_gcry_camellia_armv6_encrypt_block) + (_gcry_camellia_armv6_decrypt_block): New prototypes. + [USE_ARMV6_ASM] (Camellia_EncryptBlock, Camellia_DecryptBlock) + (camellia_encrypt, camellia_decrypt): New functions. + * cipher/camellia.c [!USE_ARMV6_ASM]: Compile encryption and decryption + routines if USE_ARMV6_ASM macro is _not_ defined. + * cipher/camellia.h (USE_ARMV6_ASM): New macro. + [!USE_ARMV6_ASM] (Camellia_EncryptBlock, Camellia_DecryptBlock): If + USE_ARMV6_ASM is defined, disable these function prototypes. + (camellia) [arm]: Add 'camellia-armv6.lo'. + + blowfish: add ARMv6 assembly implementation. + + commit 31e4b1a96a07e9a3698fcb7be0643a136ebb8e5c + * cipher/Makefile.am: Add 'blowfish-armv6.S'. + * cipher/blowfish-armv6.S: New file. + * cipher/blowfish.c (USE_ARMV6_ASM): New macro. + [USE_ARMV6_ASM] (_gcry_blowfish_armv6_do_encrypt) + (_gcry_blowfish_armv6_encrypt_block) + (_gcry_blowfish_armv6_decrypt_block, _gcry_blowfish_armv6_ctr_enc) + (_gcry_blowfish_armv6_cbc_dec, _gcry_blowfish_armv6_cfb_dec): New + prototypes. + [USE_ARMV6_ASM] (do_encrypt, do_encrypt_block, do_decrypt_block) + (encrypt_block, decrypt_block): New functions. + (_gcry_blowfish_ctr_enc) [USE_ARMV6_ASM]: Use ARMv6 assembly function. + (_gcry_blowfish_cbc_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function. + (_gcry_blowfish_cfb_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function. + * configure.ac (blowfish) [arm]: Add 'blowfish-armv6.lo'. + + cast5: add ARMv6 assembly implementation. + + commit 8d1faf56714598301580ce370e0bfa6d65e73644 + * cipher/Makefile.am: Add 'cast5-armv6.S'. + * cipher/cast5-armv6.S: New file. + * cipher/cast5.c (USE_ARMV6_ASM): New macro. + (CAST5_context) [USE_ARMV6_ASM]: New members 'Kr_arm_enc' and + 'Kr_arm_dec'. + [USE_ARMV6_ASM] (_gcry_cast5_armv6_encrypt_block) + (_gcry_cast5_armv6_decrypt_block, _gcry_cast5_armv6_ctr_enc) + (_gcry_cast5_armv6_cbc_dec, _gcry_cast5_armv6_cfb_dec): New prototypes. + [USE_ARMV6_ASM] (do_encrypt_block, do_decrypt_block, encrypt_block) + (decrypt_block): New functions. + (_gcry_cast5_ctr_enc) [USE_ARMV6_ASM]: Use ARMv6 assembly function. + (_gcry_cast5_cbc_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function. + (_gcry_cast5_cfb_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function. + (do_cast_setkey) [USE_ARMV6_ASM]: Initialize 'Kr_arm_enc' and + 'Kr_arm_dec'. + * configure.ac (cast5) [arm]: Add 'cast5-armv6.lo'. + +2013-08-14 Jussi Kivilinna + + rijndael: add ARMv6 assembly implementation. + + commit f365961422f1c8b3d89b8bcd9c99828f38c1f158 + * cipher/Makefile.am: Add 'rijndael-armv6.S'. + * cipher/rijndael-armv6.S: New file. + * cipher/rijndael.c (USE_ARMV6_ASM): New macro. + [USE_ARMV6_ASM] (_gcry_aes_armv6_encrypt_block) + (_gcry_aes_armv6_decrypt_block): New prototypes. + (do_encrypt_aligned) [USE_ARMV6_ASM]: Use ARMv6 assembly function. + (do_encrypt): Disable input/output alignment when USE_ARMV6_ASM. + (do_decrypt_aligned) [USE_ARMV6_ASM]: Use ARMv6 assembly function. + (do_decrypt): Disable input/output alignment when USE_ARMV6_ASM. + * configure.ac (HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS): New check for + gcc/as compatibility with ARM assembly implementations. + (aes) [arm]: Add 'rijndael-armv6.lo'. + +2013-08-09 NIIBE Yutaka + + cipher: fix memory leak. + + commit 2b5bbe264fcd61e5e458e5f71a6507ba0271c729 + * cipher/pubkey.c (gcry_pk_sign): Handle the specific case of ECC, + where there is NULL whichi is not the sentinel. + +2013-08-08 Werner Koch + + mpi: Clear immutable flag on the result of gcry_mpi_set. + + commit 426cbc9feca0c8f46208fb3670adab95f9e46087 + * mpi/mpiutil.c (gcry_mpi_set): Reset immutable and const flags. + * tests/mpitests.c (test_const_and_immutable): Add a test for this. + +2013-08-07 NIIBE Yutaka + + tests: fix memory leaks. + + commit cc082642c1b0f2a3e9ca78e1ffd3f64417c204bd + * tests/benchmark.c (dsa_bench): Release SIG. + + * tests/mpitests.c (test_powm): Release BASE, EXP, MOD, and RES. + + * tests/prime.c (check_primes): Release PRIME. + + * tests/tsexp.c (basic): Use intermediate variable M for constant. + Release S1, S2 and A. + +2013-08-07 Jussi Kivilinna + + Fix building on W32 (cannot export symbol 'gcry_sexp_get_buffer') + + commit 065d446478bf68553339fc77a89b8369bd110a18 + * src/libgcrypt.def: Change 'gcry_sexp_get_buffer' to + 'gcry_sexp_nth_buffer'. + +2013-08-06 NIIBE Yutaka + + cipher: fix another memory leak. + + commit 9a421813123a2f5db0a91eaee4a45138efc9ad34 + * cipher/ecc.c (ecc_get_curve): Free TMP. + + tests: fix memory leaks. + + commit 87eddc31ccba6decbddd1761dd42a208666cd311 + * tests/pubkey.c (check_keys_crypt): Release L, X0, and X1. + (check_keys): Release X. + + cipher: fix memory leaks. + + commit ae6ffd9af38cbcac57c220960f683aab91db85cb + * cipher/elgamal.c (elg_generate_ext): Free XVALUE. + + * cipher/pubkey.c (sexp_elements_extract): Don't use IDX for loop. + Call mpi_free. + (sexp_elements_extract_ecc): Call mpi_free. + +2013-08-05 Werner Koch + + mpi: Improve gcry_mpi_invm to detect bad input. + + commit d8e99a04dba6a606e879464cd11deee760d1e000 + * mpi/mpi-inv.c (gcry_mpi_invm): Return 0 for bad input. + +2013-07-31 Dmitry Eremin-Solenikov + + Correct checks for ecc secret key. + + commit 10dfa41b43a906031bc674ea41cd3073701011f3 + * cipher/ecc.c (check_secret_key): replace wrong comparison of Q and + sk->Q points with correct one. + +2013-07-29 Werner Koch + + sexp: Allow white space anywhere in a hex format. + + commit 43320961a8751ee28dc95cdb0ae01ea8a7ff7f91 + * src/sexp.c (hextobyte): Remove. + (hextonibble): New. + (vsexp_sscan): Skip whtespace between hex nibbles. + + Implement deterministic ECDSA as specified by rfc-6979. + + commit 6e0a9786637d649b48aae0e611a12e12beef9b3b + * cipher/ecc.c (sign): Add args FLAGS and HASHALGO. Convert an opaque + MPI as INPUT. Implement rfc-6979. + (ecc_sign): Remove the opaque MPI code and pass FLAGS to sign. + (verify): Do not allocate and compute Y; it is not used. + (ecc_verify): Truncate the hash value if needed. + * tests/dsa-rfc6979.c (check_dsa_rfc6979): Add ECDSA test cases. + +2013-07-26 Werner Koch + + Implement deterministic DSA as specified by rfc-6979. + + commit 1cfa79aabc5d0fd8d124901054475e90ab7d9cde + * cipher/dsa.c (dsa_sign): Move opaque mpi extraction to sign. + (sign): Add args FLAGS and HASHALGO. Implement deterministic DSA. + Add code path for R==0 to comply with the standard. + (dsa_verify): Left fill opaque mpi based hash values. + * cipher/dsa-common.c (int2octets, bits2octets): New. + (_gcry_dsa_gen_rfc6979_k): New. + * tests/dsa-rfc6979.c: New. + * tests/Makefile.am (TESTS): Add dsa-rfc6979. + + Allow the use of a private-key s-expression with gcry_pk_verify. + + commit b72d312ad11887fc416aa821786f6bdb663c0f4a + * cipher/pubkey.c (sexp_to_key): Fallback to private key. + +2013-07-25 Werner Koch + + Mitigate a flush+reload cache attack on RSA secret exponents. + + commit 287bf0e543f244d784cf8b58340bf0ab3c6aba97 + * mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for + exponents in secure memory. + +2013-07-19 Werner Koch + + pk: Allow the use of a hash element for DSA sign and verify. + + commit 37d0a1ebdc2dc74df4fb6bf0621045018122a68f + * cipher/pubkey.c (pubkey_sign): Add arg ctx and pass it to the sign + module. + (gcry_pk_sign): Pass CTX to pubkey_sign. + (sexp_data_to_mpi): Add flag rfc6979 and code to alls hash with *DSA + * cipher/rsa.c (rsa_sign, rsa_verify): Return an error if an opaque + MPI is given for DATA/HASH. + * cipher/elgamal.c (elg_sign, elg_verify): Ditto. + * cipher/dsa.c (dsa_sign, dsa_verify): Convert a given opaque MPI. + * cipher/ecc.c (ecc_sign, ecc_verify): Ditto. + * tests/basic.c (check_pubkey_sign_ecdsa): Add a test for using a hash + element with DSA. + + sexp: Add function gcry_sexp_nth_buffer. + + commit 2d3e8d4d9562d666420aadd9ffa8ac0456a1cd91 + * src/sexp.c (gcry_sexp_nth_buffer): New. + * src/visibility.c, src/visibility.h: Add function wrapper. + * src/libgcrypt.vers, src/libgcrypt.def: Add to API. + * src/gcrypt.h.in: Add prototype. + +2013-07-18 Werner Koch + + Add support for Salsa20. + + commit c4885092088431e7928e4459fda20cc0e8ceb201 + * src/gcrypt.h.in (GCRY_CIPHER_SALSA20): New. + * cipher/salsa20.c: New. + * configure.ac (available_ciphers): Add Salsa20. + * cipher/cipher.c: Register Salsa20. + (cipher_setiv): Allow to divert an IV to a cipher module. + * src/cipher-proto.h (cipher_setiv_func_t): New. + (cipher_extra_spec): Add field setiv. + * src/cipher.h: Declare Salsa20 definitions. + * tests/basic.c (check_stream_cipher): New. + (check_stream_cipher_large_block): New. + (check_cipher_modes): Run new test functions. + (check_ciphers): Add simple test for Salsa20. + +2013-07-17 Werner Koch + + Allow gcry_mpi_dump to print opaque MPIs. + + commit 364d019e3ffedfcb434576702f73e767cb9389ef + * mpi/mpicoder.c (gcry_mpi_dump): Detect abd print opaque MPIs. + * tests/mpitests.c (test_opaque): New. + (main): Call new test. + + cipher: Prepare to pass extra info to the sign functions. + + commit 5940e66cbefea3de5924f494f18aed69bb694bff + * src/gcrypt-module.h (gcry_pk_sign_t): Add parms flags and hashalgo. + * cipher/rsa.c (rsa_sign): Add parms and mark them as unused. + * cipher/dsa.c (dsa_sign): Ditto. + * cipher/elgamal.c (elg_sign): Ditto. + * cipher/pubkey.c (dummy_sign): Ditto. + (pubkey_sign): Pass 0 for the new args. + + Fix a special case bug in mpi_powm for e==0. + + commit 6e1adb05d290aeeb1c230c763970695f4a538526 + * mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that + the result has been allocated. + +2013-07-15 Dmitry Eremin-Solenikov + + Fix memory leak in t-mpi-point test. + + commit a7b80e9fba6b1b095f7c53469747967b40ebfbfd + * tests/t-mpi-point.c (basic_ec_math, basic_ec_math_simplified): add + calls to gcry_ctx_release() to free contexts after they become unused. + +2013-07-10 Jussi Kivilinna + + Fix 'Please include winsock2.h before windows.h' warnings with mingw32. + + commit d6c9c86cb7f571ae0bd9aee4efa01a0f9c4c3104 + * random/rndw32.c: include winsock2.h before windows.h. + * src/ath.h [_WIN32]: Ditto. + * tests/benchmark.c [_WIN32]: Ditto. + + Remove duplicate header from mpi/amd64/mpih-mul2.S. + + commit c64a0dcbefc5b0055954e37a3c86b32ff7a1b1da + * mpi/amd64/mpih-mul2.S: remove duplicated header. + + Fix i386/amd64 inline assembly "cc" clobbers. + + commit ed0a598172208ec67234a4edd73189bf6808fd04 + * cipher/bithelp.h [__GNUC__, __i386__] (rol, ror): add "cc" globber + for inline assembly. + * cipher/cast5.c [__GNUC__, __i386__] (rol): Ditto. + * random/rndhw.c [USE_DRNG] (rdrand_long): Ditto. + * src/hmac256.c [__GNUC__, __i386__] (ror): Ditto. + * mpi/longlong.c [__i386__] (add_ssaaaa, sub_ddmmss, umul_ppmm) + (udiv_qrnnd, count_leading_zeros, count_trailing_zeros): Ditto. + + bufhelp: Suppress 'cast increases required alignment' warning. + + commit c3902a6b5cea9acef2e15fbee24eb601eeb25168 + * cipher/bufhelp.h (buf_xor, buf_xor_2dst, buf_xor_n_copy): Cast + to larger element pointer through (void *) to suppress -Wcast-error. + + mpi: Add __ARM_ARCH for older GCC. + + commit 97f392f43cf2e4da1297cbecacbfbff33a869478 + * mpi/longlong.h [__arm__]: Construct __ARM_ARCH if not provided by + compiler. + + mpi: add missing "cc" clobber for ARM assembly. + + commit 8aa4f2161cf643ce36d87d2e2786b546736f8232 + * mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss): Add __CLOBBER_CC. + [__arm__][__ARM_ARCH <= 3] (umul_ppmm): Ditto. + + Tweak ARM inline assembly for mpi. + + commit 71dda4507053379433dc8b0fc6462c15de7299df + mpi/longlong.h [__arm__]: Enable inline assembly if __thumb2__ is + defined. + [__arm__]: Use __ARCH_ARM when defined. + [__arm__] [__ARM_ARCH >= 5] (count_leading_zeros): New. + +2013-06-26 Werner Koch + + Make gpg-error replacement defines more robust. + + commit 6540b84a6e9113813e7e49e3ad2024d4a0073300 + * configure.ac (AH_BOTTOM): Move GPG_ERR_ replacement defines to ... + * src/gcrypt-int.h: new file. + * src/visibility.h, src/cipher.h: Replace gcrypt.h by gcrypt-int.h. + * tests/: Ditto for all test files. + +2013-06-20 Jussi Kivilinna + + Check if assembler is compatible with AMD64 assembly implementations. + + commit 3544fa8aa63bef9a35abf236e9376191b5ec206b + * cipher/blowfish-amd64.S: Enable only if + HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS is defined. + * cipher/camellia-aesni-avx-amd64.S: Ditto. + * cipher/camellia-aesni-avx2-amd64.S: Ditto. + * cipher/cast5-amd64.S: Ditto. + * cipher/rinjdael-amd64.S: Ditto. + * cipher/serpent-avx2-amd64.S: Ditto. + * cipher/serpent-sse2-amd64.S: Ditto. + * cipher/twofish-amd64.S: Ditto. + * cipher/blowfish.c: Use AMD64 assembly implementation only if + HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS is defined + * cipher/camellia-glue.c: Ditto. + * cipher/cast5.c: Ditto. + * cipher/rijndael.c: Ditto. + * cipher/serpent.c: Ditto. + * cipher/twofish.c: Ditto. + * configure.ac: Check gcc/as compatibility with AMD64 assembly + implementations. + +2013-06-09 Jussi Kivilinna + + Optimize _gcry_burn_stack for 32-bit and 64-bit architectures. + + commit ec2f8de409a93c80efa658134df22074a9bca5a4 + * src/misc.c (_gcry_burn_stack): Add optimization for 32-bit and 64-bit + architectures. + + Add Camellia AES-NI/AVX2 implementation. + + commit d94ec5f5f8a5d40a7d344025aa466f276f9718df + * cipher/Makefile.am: Add 'camellia-aesni-avx2-amd64.S'. + * cipher/camellia-aesni-avx2-amd64.S: New file. + * cipher/camellia-glue.c (USE_AESNI_AVX2): New macro. + (CAMELLIA_context) [USE_AESNI_AVX2]: Add 'use_aesni_avx2'. + [USE_AESNI_AVX2] (_gcry_camellia_aesni_avx2_ctr_enc) + (_gcry_camellia_aesni_avx2_cbc_dec) + (_gcry_camellia_aesni_avx2_cfb_dec): New prototypes. + (camellia_setkey) [USE_AESNI_AVX2]: Check AVX2+AES-NI capable hardware + and set 'ctx->use_aesni_avx2'. + (_gcry_camellia_ctr_enc) [USE_AESNI_AVX2]: Add AVX2 accelerated code. + (_gcry_camellia_cbc_dec) [USE_AESNI_AVX2]: Add AVX2 accelerated code. + (_gcry_camellia_cfb_dec) [USE_AESNI_AVX2]: Add AVX2 accelerated code. + (selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Grow 'nblocks' + so that AVX2 codepaths get tested. + * configure.ac (camellia) [avx2support, aesnisupport]: Add + 'camellia-aesni-avx2-amd64.lo'. + + Add Serpent AVX2 implementation. + + commit e7ab4e1a7396f4609b9033207015b239ab4a5140 + * cipher/Makefile.am: Add 'serpent-avx2-amd64.S'. + * cipher/serpent-avx2-amd64.S: New file. + * cipher/serpent.c (USE_AVX2): New macro. + (serpent_context_t) [USE_AVX2]: Add 'use_avx2'. + [USE_AVX2] (_gcry_serpent_avx2_ctr_enc, _gcry_serpent_avx2_cbc_dec) + (_gcry_serpent_avx2_cfb_dec): New prototypes. + (serpent_setkey_internal) [USE_AVX2]: Check for AVX2 capable hardware + and set 'use_avx2'. + (_gcry_serpent_ctr_enc) [USE_AVX2]: Use AVX2 accelerated functions. + (_gcry_serpent_cbc_dec) [USE_AVX2]: Use AVX2 accelerated functions. + (_gcry_serpent_cfb_dec) [USE_AVX2]: Use AVX2 accelerated functions. + (selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Grow 'nblocks' + so that AVX2 codepaths are tested. + * configure.ac (serpent) [avx2support]: Add 'serpent-avx2-amd64.lo'. + + Add detection for Intel AVX2 instruction set. + + commit 3289bca708bdd02c69a331095ac6ca9a1efd74cc + * configure.ac: Add option --disable-avx2-support. + (HAVE_GCC_INLINE_ASM_AVX2): New. + (ENABLE_AVX2_SUPPORT): New. + * src/g10lib.h (HWF_INTEL_AVX2): New. + * src/global.c (hwflist): Add HWF_INTEL_AVX2. + * src/hwf-x86.c [__i386__] (get_cpuid): Initialize registers to zero + before cpuid. + [__x86_64__] (get_cpuid): Initialize registers to zero before cpuid. + (detect_x86_gnuc): Store maximum cpuid level. + (detect_x86_gnuc) [ENABLE_AVX2_SUPPORT]: Add detection for AVX2. + + twofish: add amd64 assembly implementation. + + commit d325ab5d86e6107a46007a4d0131122bbd719f8c + * cipher/Makefile.am: Add 'twofish-amd64.S'. + * cipher/twofish-amd64.S: New file. + * cipher/twofish.c (USE_AMD64_ASM): New macro. + [USE_AMD64_ASM] (_gcry_twofish_amd64_encrypt_block) + (_gcry_twofish_amd64_decrypt_block, _gcry_twofish_amd64_ctr_enc) + (_gcry_twofish_amd64_cbc_dec, _gcry_twofish_amd64_cfb_dec): New + prototypes. + [USE_AMD64_ASM] (do_twofish_encrypt, do_twofish_decrypt) + (twofish_encrypt, twofish_decrypt): New functions. + (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec, _gcry_twofish_cfb_dec) + (selftest_ctr, selftest_cbc, selftest_cfb): New functions. + (selftest): Call new bulk selftests. + * cipher/cipher.c (gcry_cipher_open) [USE_TWOFISH]: Register Twofish + bulk functions for ctr-enc, cbc-dec and cfb-dec. + * configure.ac (twofish) [x86_64]: Add 'twofish-amd64.lo'. + * src/cipher.h (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec) + (gcry_twofish_cfb_dec): New prototypes. + +2013-05-29 Jussi Kivilinna + + rinjdael: add amd64 assembly implementation. + + commit 7317fcfadf00789df140e51c0d16b60f6b144b59 + * cipher/Makefile.am: Add 'rijndael-amd64.S'. + * cipher/rijndael-amd64.S: New file. + * cipher/rijndael.c (USE_AMD64_ASM): New macro. + [USE_AMD64_ASM] (_gcry_aes_amd64_encrypt_block) + (_gcry_aes_amd64_decrypt_block): New prototypes. + (do_encrypt_aligned) [USE_AMD64_ASM]: Use amd64 assembly function. + (do_encrypt): Disable input/output alignment when USE_AMD64_ASM is set. + (do_decrypt_aligned) [USE_AMD64_ASM]: Use amd64 assembly function. + (do_decrypt): Disable input/output alignment when USE_AMD64_AES is set. + * configure.ac (aes) [x86-64]: Add 'rijndael-amd64.lo'. + + blowfish: add amd64 assembly implementation. + + commit 9a61edd1f00cefe8ffa3ad54a53eed163883053c + * cipher/Makefile.am: Add 'blowfish-amd64.S'. + * cipher/blowfish-amd64.S: New file. + * cipher/blowfish.c (USE_AMD64_ASM): New macro. + [USE_AMD64_ASM] (_gcry_blowfish_amd64_do_encrypt) + (_gcry_blowfish_amd64_encrypt_block) + (_gcry_blowfish_amd64_decrypt_block, _gcry_blowfish_amd64_ctr_enc) + (_gcry_blowfish_amd64_cbc_dec, _gcry_blowfish_amd64_cfb_dec): New + prototypes. + [USE_AMD64_ASM] (do_encrypt, do_encrypt_block, do_decrypt_block) + (encrypt_block, decrypt_block): New functions. + (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec) + (_gcry_blowfish_cfb_dec, selftest_ctr, selftest_cbc, selftest_cfb): New + functions. + (selftest): Call new bulk selftests. + * cipher/cipher.c (gcry_cipher_open) [USE_BLOWFISH]: Register Blowfish + bulk functions for ctr-enc, cbc-dec and cfb-dec. + * configure.ac (blowfish) [x86_64]: Add 'blowfish-amd64.lo'. + * src/cipher.h (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec) + (gcry_blowfish_cfb_dec): New prototypes. + +2013-05-24 Werner Koch + + ecc: Simplify the compliant point generation. + + commit 99b18aa536703ef90c9a1f5c8f40bc68b2064593 + * cipher/ecc.c (generate_key): Use point_snatch_set, replaces unneeded + variable copies, etc. + + ecc: Fix a minor flaw in the generation of K. + + commit 9711384f75564a71979e3fb971b5f4cadcf1afef + * cipher/dsa.c (gen_k): Factor code out to .. + * cipher/dsa-common.c (_gcry_dsa_gen_k): new file and function. Add + arg security_level and re-indent a bit. + * cipher/ecc.c (gen_k): Remove and change callers to _gcry_dsa_gen_k. + * cipher/dsa.c: Include pubkey-internal. + * cipher/Makefile.am (libcipher_la_SOURCES): Add dsa-common.c + +2013-05-24 Jussi Kivilinna + + cast5: add amd64 assembly implementation. + + commit 0bdf26eea8cdbffefe7e37578f8f896c4f5f5275 + * cipher/Makefile.am: Add 'cast5-amd64.S'. + * cipher/cast5-amd64.S: New file. + * cipher/cast5.c (USE_AMD64_ASM): New macro. + (_gcry_cast5_s1tos4): Merge arrays s1, s2, s3, s4 to single array to + simplify access from assembly implementation. + (s1, s2, s3, s4): New macros pointing to subarrays in + _gcry_cast5_s1tos4. + [USE_AMD64_ASM] (_gcry_cast5_amd64_encrypt_block) + (_gcry_cast5_amd64_decrypt_block, _gcry_cast5_amd64_ctr_enc) + (_gcry_cast5_amd64_cbc_dec, _gcry_cast5_amd64_cfb_dec): New prototypes. + [USE_AMD64_ASM] (do_encrypt_block, do_decrypt_block, encrypt_block) + (decrypt_block): New functions. + (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec) + (selftest_ctr, selftest_cbc, selftest_cfb): New functions. + (selftest): Call new bulk selftests. + * cipher/cipher.c (gcry_cipher_open) [USE_CAST5]: Register CAST5 bulk + functions for ctr-enc, cbc-dec and cfb-dec. + * configure.ac (cast5) [x86_64]: Add 'cast5-amd64.lo'. + * src/cipher.h (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec) + (gcry_cast5_cfb_dec): New prototypes. + + cipher-selftest: make selftest work with any block-size. + + commit ab8fc70b5f0c396a5bc941267f59166e860b8c5d + * cipher/cipher-selftest.c (_gcry_selftest_helper_cbc_128) + (_gcry_selftest_helper_cfb_128, _gcry_selftest_helper_ctr_128): Renamed + functions from '_128' to ''. + (_gcry_selftest_helper_cbc, _gcry_selftest_helper_cfb) + (_gcry_selftest_helper_ctr): Make work with different block sizes. + * cipher/cipher-selftest.h (_gcry_selftest_helper_cbc_128) + (_gcry_selftest_helper_cfb_128, _gcry_selftest_helper_ctr_128): Renamed + prototypes from '_128' to ''. + * cipher/camellia-glue.c (selftest_ctr_128, selftest_cfb_128) + (selftest_ctr_128): Change to use new function names. + * cipher/rijndael.c (selftest_ctr_128, selftest_cfb_128) + (selftest_ctr_128): Change to use new function names. + * cipher/serpent.c (selftest_ctr_128, selftest_cfb_128) + (selftest_ctr_128): Change to use new function names. + +2013-05-23 Jussi Kivilinna + + serpent: add parallel processing for CFB decryption. + + commit 6deb0ccdf718a0670f80e6762a3842caf76437d6 + * cipher/cipher.c (gcry_cipher_open): Add bulf CFB decryption function + for Serpent. + * cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_cfb_dec): New + function. + * cipher/serpent.c (_gcry_serpent_sse2_cfb_dec): New prototype. + (_gcry_serpent_cfb_dec) New function. + (selftest_cfb_128) New function. + (selftest) Call selftest_cfb_128. + * src/cipher.h (_gcry_serpent_cfb_dec): New prototype. + + camellia: add parallel processing for CFB decryption. + + commit b60f06f70227c1e69e1010da8b47ea51ade48145 + * cipher/camellia-aesni-avx-amd64.S + (_gcry_camellia_aesni_avx_cfb_dec): New function. + * cipher/camellia-glue.c (_gcry_camellia_aesni_avx_cfb_dec): New + prototype. + (_gcry_camellia_cfb_dec): New function. + (selftest_cfb_128): New function. + (selftest): Call selftest_cfb_128. + * cipher/cipher.c (gry_cipher_open): Add bulk CFB decryption function + for Camellia. + * src/cipher.h (_gcry_camellia_cfb_dec): New prototype. + + rinjdael: add parallel processing for CFB decryption with AES-NI. + + commit 319ee14f2aab8db56a830fd7ac8926f91b4f738a + * cipher/cipher-selftest.c (_gcry_selftest_helper_cfb_128): New + function for CFB selftests. + * cipher/cipher-selftest.h (_gcry_selftest_helper_cfb_128): New + prototype. + * cipher/rijndael.c [USE_AESNI] (do_aesni_enc_vec4): New function. + (_gcry_aes_cfb_dec) [USE_AESNI]: Add parallelized CFB decryption. + (selftest_cfb_128): New function. + (selftest): Call selftest_cfb_128. + +2013-05-23 Werner Koch + + Avoid compiler warning due to the global symbol setkey. + + commit b402de8b9c4a9f269faf03ca952b1eb68a1f33c8 + * cipher/cipher-selftest.c (_gcry_selftest_helper_cbc_128) + (_gcry_selftest_helper_ctr_128): Rename setkey to setkey_func. + +2013-05-23 Jussi Kivilinna + + serpent: add SSE2 accelerated amd64 implementation. + + commit 2fd06e207dcea1d8a7f0e7e92f3359615a99421b + * configure.ac (serpent): Add 'serpent-sse2-amd64.lo'. + * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add + 'serpent-sse2-amd64.S'. + * cipher/cipher.c (gcry_cipher_open) [USE_SERPENT]: Register bulk + functions for CBC-decryption and CTR-mode. + * cipher/serpent.c (USE_SSE2): New macro. + [USE_SSE2] (_gcry_serpent_sse2_ctr_enc, _gcry_serpent_sse2_cbc_dec): + New prototypes to assembler functions. + (serpent_setkey): Set 'serpent_init_done' before calling serpent_test. + (_gcry_serpent_ctr_enc): New function. + (_gcry_serpent_cbc_dec): New function. + (selftest_ctr_128): New function. + (selftest_cbc_128): New function. + (selftest): Call selftest_ctr_128 and selftest_cbc_128. + * cipher/serpent-sse2-amd64.S: New file. + * src/cipher.h (_gcry_serpent_ctr_enc): New prototype. + (_gcry_serpent_cbc_dec): New prototype. + + Serpent: faster S-box implementation. + + commit c85501af8222913f0a1e20e77fceb88e93417925 + * cipher/serpent.c (SBOX0, SBOX1, SBOX2, SBOX3, SBOX4, SBOX5, SBOX6) + (SBOX7, SBOX0_INVERSE, SBOX1_INVERSE, SBOX2_INVERSE, SBOX3_INVERSE) + (SBOX4_INVERSE, SBOX5_INVERSE, SBOX6_INVERSE, SBOX7_INVERSE): Replace + with new definitions. + +2013-05-22 Werner Koch + + w32: Fix installing of .def file. + + commit 4e46d8bc78008ba06f106b368cefb0dddf15fe38 + * src/Makefile.am (install-def-file): Create libdir first. + + Add control commands to disable mlock and setuid dropping. + + commit 2b8014af202c9e0f7619f7a4377f5eb752235220 + * src/gcrypt.h.in (GCRYCTL_DISABLE_LOCKED_SECMEM): New. + (GCRYCTL_DISABLE_PRIV_DROP): New. + * src/global.c (_gcry_vcontrol): Implement them. + * src/secmem.h (GCRY_SECMEM_FLAG_NO_MLOCK): New. + (GCRY_SECMEM_FLAG_NO_PRIV_DROP): New. + * src/secmem.c (no_mlock, no_priv_drop): New. + (_gcry_secmem_set_flags, _gcry_secmem_get_flags): Set and get them. + (lock_pool): Handle no_mlock and no_priv_drop. + + Fix libtool 2.4.2 to correctly detect .def files. + + commit 05b3e2dda61d3d532a7f1ffd2487a85ed1c4f3ab + * ltmain.sh (sed_uncomment_deffile): New. + (orig_export_symbols): Uncomment def file before testing for EXPORTS. + * m4/libtool.m4: Do the same for the generated code. + +2013-05-22 Jussi Kivilinna + + Add AES bulk CBC decryption selftest. + + commit b65281a1b76d7898eb7607932246b78277d8570b + * cipher/rinjdael.c (selftest_cbc_128): New. + (selftest): Call selftest_cbc_128. + + Change AES bulk CTR encryption selftest use new selftest helper function + + commit 3637bdbb5f30a5e06745d448a6a8ad00e5cdd740 + * cipher/rinjdael.c: (selftest_ctr_128): Change to use new selftest + helper function. + + Convert bulk CTR and CBC selftest functions in Camellia to generic selftest helper functions + + commit eed4042fa028b3f73bad6a768f5b0a82f642e545 + * cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-selftest files. + * cipher/camellia-glue.c (selftest_ctr_128, selftest_cbc_128): Change + to use the new selftest helper functions. + * cipher/cipher-selftest.c: New. + * cipher/cipher-selftest.h: New. + + camellia: add bulk CBC decryption selftest. + + commit f2986f03d1ae59f973bae56ce4333e5457003de5 + * cipher/camellia-glue.c: (selftest_cbc_128): New selftest function for + bulk CBC decryption. + (selftest): Add call to selftest_cbc_128. + + camellia: Rename camellia_aesni_avx_x86-64.S to camellia-aesni-avx-amd64.S + + commit 194ae35da7830a76b96e9b21121a2e1248762d3f + * cipher/camellia_aesni_avx_x86-64.S: Remove. + * cipher/camellia-aesni-avx-amd64.S: New. + * cipher/Makefile.am: Use the new filename. + * configure.ac: Use the new filename. + +2013-05-21 Werner Koch + + Fix indentation and save on string space. + + commit 2ac3a7c2b7154379738d17cfde8cd9017dc142f0 + * cipher/ecc.c (generate_key): Use the same string for both fatal + messages. + +2013-05-20 Andrey + + cipher: Fix segv in last ECC change. + + commit eb4937914db3fb7317502e97e4f0e40c1857f59d + * cipher/ecc.c (generate_key): Make sure R is initialized. + +2013-05-09 Andrey + + cipher: Generate compliant ECC keys. + + commit 296f38a2bd2e25788643a42e4881faed00884a40 + * cipher/ecc.c (generate_key): Make sure a key is compliant for + using the compact representation. + +2013-04-18 Werner Koch + + cipher: Fix regression in Padlock support. + + commit 6c942ec4d63032539f1fc56c3b970cfec2369e2b + * cipher/rijndael.c (do_setkey): Remove dummy padlock key generation case + and use the standard one. + + mpi: Yet another fix to get option flag munging right. + + commit 03557687a09b9c8878c77cbfdd0f5049940c72da + * cipher/Makefile.am (o_flag_munging): Yet another fix. + + mpi: Make using gcc's -Ofast easier. + + commit 1ab26bc304c559b0a8d29823d656f7ad8d10a59d + * cipher/Makefile.am (o_flag_munging): Take -Ofast in account. + + Fix alignment problem in idea.c. + + commit 3271b0dfda67e26c381d7ed667737f08f865ee40 + * cipher/idea.c (cipher): Rework parameter use to fix alignment + problems. + + * cipher/idea.c (FNCCAST_SETKEY, FNCCAST_CRYPT): Remove unused macros. + + Fix alignment problem in idea.c. + + * cipher/idea.c (cipher): Rework parameter use to fix alignment + problems. + + * cipher/idea.c (FNCCAST_SETKEY, FNCCAST_CRYPT): Remove unused macros. + + + (cherry picked from 4cd279556777e02eda79973f68efaa4b741f9175) + +2013-04-18 Vladimir Serbinenko + + Add some const attributes. + + commit ff0b94c22b36600fff1db9f1d48f9de61f9038f7 + * cipher/md4.c (transform): Add const attribute. + * cipher/md5.c (transform): Ditto. + * cipher/rmd160.c (transform): Ditto. + + Fix alignment problem in serpent.c. + + commit 86e72b490a5790a9c23341067c7e4d3e38be1634 + * cipher/serpent.c (serpent_key_prepare): Fix misaligned access. + (serpent_setkey): Likewise. + (serpent_encrypt_internal): Likewise. + (serpent_decrypt_internal): Likewise. + (serpent_encrypt): Don't put an alignment-increasing cast. + (serpent_decrypt): Likewise. + (serpent_test): Likewise. + +2013-04-16 Werner Koch + + Fix multiply by zero in gcry_mpi_ec_mul. + + commit 78cd0ba8a8eceee9d0b3397a2ab3bda6ba37c8a4 + * mpi/ec.c (_gcry_mpi_ec_mul_point): Handle case of SCALAR == 0. + * tests/t-mpi-point.c (basic_ec_math): Add a test case for this. + +2013-04-15 Werner Koch + + Add macros to return pre-defined MPIs. + + commit bd3afc27459a44df8cf501a7e1ae37bb849a8b0e + * src/gcrypt.h.in (GCRYMPI_CONST_ONE, GCRYMPI_CONST_TWO) + (GCRYMPI_CONST_THREE, GCRYMPI_CONST_FOUR, GCRYMPI_CONST_EIGHT): New. + (_gcry_mpi_get_const): New private function. + * src/visibility.c (_gcry_mpi_get_const): New. + * src/visibility.h: Mark it visible. + + Fix addition of EC points. + + commit 71b25a5562f68aad81eae52cc1bab9ca7731a7e9 + * mpi/ec.c (_gcry_mpi_ec_add_points): Fix case of P1 given in affine + coordinates. + +2013-04-12 Werner Koch + + Add hack to allow using an "ecc" key for "ecdsa" or "ecdh". + + commit af8a79aea80217a0c85a592db1fa001792a6bf0f + * cipher/pubkey.c (sexp_to_key): Add optional arg USE. + (gcry_pk_encrypt, gcry_pk_decrypt): Call sexp_to_key with usage sign. + (gcry_pk_sign, gcry_pk_verify): Call sexp_to_key with usage encrypt. + * tests/basic.c (show_sexp): New. + (check_pubkey_sign): Print test number and add cases for ecc. + (check_pubkey_sign_ecdsa): New. + (do_check_one_pubkey): Divert to new function. + +2013-04-11 Werner Koch + + Add gcry_pubkey_get_sexp. + + commit 1f3cfad66456dd6f2e48f20b8eb0c51343449a1c + * src/gcrypt.h.in (GCRY_PK_GET_PUBKEY): New. + (GCRY_PK_GET_SECKEY): New. + (gcry_pubkey_get_sexp): New. + * src/visibility.c (gcry_pubkey_get_sexp): New. + * src/visibility.h (gcry_pubkey_get_sexp): Mark visible. + * src/libgcrypt.def, src/libgcrypt.vers: Add new function. + * cipher/pubkey-internal.h: New. + * cipher/Makefile.am (libcipher_la_SOURCES): Add new file. + * cipher/ecc.c: Include pubkey-internal.h + (_gcry_pk_ecc_get_sexp): New. + * cipher/pubkey.c: Include pubkey-internal.h and context.h. + (_gcry_pubkey_get_sexp): New. + * src/context.c (_gcry_ctx_find_pointer): New. + * src/cipher-proto.h: Add _gcry_pubkey_get_sexp. + * tests/t-mpi-point.c (print_sexp): New. + (context_param, basic_ec_math_simplified): Add tests for the new + function. + + * configure.ac (NEED_GPG_ERROR_VERSION): Set to 1.11. + (AH_BOTTOM) Add error codes from gpg-error 1.12 + * src/g10lib.h (fips_not_operational): Use GPG_ERR_NOT_OPERATIONAL. + + * mpi/ec.c (_gcry_mpi_ec_get_mpi): Fix computation of Q. + (_gcry_mpi_ec_get_point): Ditto. + + Remove unused code. + + commit 7524da2ba83d83a766c22d704006380c893e1c49 + * cipher/pubkey.c (_gcry_pk_module_lookup, _gcry_pk_module_release) + (_gcry_pk_get_elements): Remove. + +2013-04-05 Werner Koch + + Make the Q parameter optional for ECC signing. + + commit fe91a642c7c257aca095b96406fbcace88fa3df4 + * cipher/ecc.c (ecc_sign): Remove the need for Q. + * cipher/pubkey.c (sexp_elements_extract_ecc): Make Q optional for a + private key. + (sexp_to_key): Add optional arg R_IS_ECC. + (gcry_pk_sign): Do not call gcry_pk_get_nbits for ECC keys. + * tests/pubkey.c (die): Make sure to print a LF. + (check_ecc_sample_key): New. + (main): Call new test. + + Add test case for SCRYPT and rework the code. + + commit f23a068bcb6ec9788710698578d8be0a2a006dbc + * tests/t-kdf.c (check_scrypt): New. + (main): Call new test. + + * configure.ac: Support disabling of the scrypt algorithm. Make KDF + enabling similar to the other algorithm classes. Disable scrypt if we + don't have a 64 bit type. + * cipher/memxor.c, cipher/memxor.h: Remove. + * cipher/scrypt.h: Remove. + * cipher/kdf-internal.h: New. + * cipher/Makefile.am: Remove files. Add new file. Move scrypt.c to + EXTRA_libcipher_la_SOURCES. + (GCRYPT_MODULES): Add GCRYPT_KDFS. + * src/gcrypt.h.in (GCRY_KDF_SCRYPT): Change value. + * cipher/kdf.c (pkdf2): Rename to _gcry_kdf_pkdf2. + (_gcry_kdf_pkdf2): Don't bail out for SALTLEN==0. + (gcry_kdf_derive): Allow for a passwordlen of zero for scrypt. Check + for SALTLEN > 0 for GCRY_KDF_PBKDF2. Pass algo to _gcry_kdf_scrypt. + (gcry_kdf_derive) [!USE_SCRYPT]: Return an error. + * cipher/scrypt.c: Replace memxor.h by bufhelp.h. Replace scrypt.h by + kdf-internal.h. Enable code only if HAVE_U64_TYPEDEF is defined. + Replace C99 types uint64_t, uint32_t, and uint8_t by libgcrypt types. + (_SALSA20_INPUT_LENGTH): Remove underscore from identifier. + (_scryptBlockMix): Replace memxor by buf_xor. + (_gcry_kdf_scrypt): Use gcry_malloc and gcry_free. Check for integer + overflow. Add hack to support blocksize of 1 for tests. Return + errors from calls to _gcry_kdf_pkdf2. + + * cipher/kdf.c (openpgp_s2k): Make static. + +2013-04-04 Christian Grothoff + + Add the SCRYPT KDF function. + + commit 855b1a8f81b5a3b5b31d0c3c303675425f58a5af + * scrypt.c, scrypt.h: New files. + * memxor.c, memxor.h: New files. + * cipher/Makefile.am: Add new files. + * cipher/kdf.c (gcry_kdf_derive): Support GCRY_KDF_SCRYPT. + * src/gcrypt.h.in (GCRY_KDF_SCRYPT): New. + +2013-03-22 Werner Koch + + Replace deprecated AM_CONFIG_HEADER macro. + + commit d0c8fda5af45354ac32928c9a01e688d6893599d + * configure.ac: s/AM_CONFIG_HEADER/AC_CONFIG_HEADER/ + + Disable AES-NI support if as does not support SSSE3. + + commit 9f4df1612ae21a5ce70d98930cb194e5193f5e2d + * configure.ac (HAVE_GCC_INLINE_ASM_SSSE3): New test. + (ENABLE_AESNI_SUPPORT): Do not define without SSSE3 support. + (HAVE_GCC_INLINE_ASM_SSSE3, ENABLE_AVX_SUPPORT): Split up detection + and definition. + +2013-03-21 Werner Koch + + Fix make dependency regression. + + commit 2a1e03c5a481689c43d197dd8034a1d73de0a1a4 + * src/Makefile.am (libgcrypt_la_DEPENDENCIES): Add missing backslash. + Reported by LRN. + +2013-03-20 Werner Koch + + Use finer grained on-the-fly helper computations for EC. + + commit 5fb3501aa0cf5f2b2a9012706bb9ad2b1c4bfd7d + * src/ec-context.h (mpi_ec_ctx_s): Replace NEED_SYNC by a bitfield. + * mpi/ec.c (ec_p_sync): Remove. + (ec_get_reset, ec_get_a_is_pminus3, ec_get_two_inv_p): New. + (ec_p_init): Use ec_get_reset. + (_gcry_mpi_ec_set_mpi, _gcry_mpi_ec_dup_point) + (_gcry_mpi_ec_add_points): Replace ec_p_sync by the ec_get_ accessors. + + Allow building with w64-mingw32. + + commit b402e550041782b770a6ae267c7c28ca8324a12e + * autogen.sh <--build-w32>: Support the w64-mingw32 toolchain. Also + prepare for 64 bit building. + + Provide GCRYPT_VERSION_NUMBER macro, add build info to the binary. + + commit 1eaad0a8c4cab227685a6a8768e539df2f1f4dac + * src/gcrypt.h.in (GCRYPT_VERSION_NUMBER): New. + * configure.ac (VERSION_NUMBER): New ac_subst. + * src/global.c (_gcry_vcontrol): Move call to above function ... + (gcry_check_version): .. here. + + * configure.ac (BUILD_REVISION, BUILD_FILEVERSION) + (BUILD_TIMESTAMP): Define on all platforms. + * compat/compat.c (_gcry_compat_identification): Include revision and + timestamp. + + Fix a memory leak in the new EC code. + + commit de07974d807b703a2554d6ba885ea249e648bd44 + * cipher/ecc.c (point_from_keyparam): Always call mpi_free on A. + +2013-03-19 Werner Koch + + Extend the new EC interface and fix two bugs. + + commit 931e409e877d1e444edd53dead327ec8e64daf9a + * src/ec-context.h (mpi_ec_ctx_s): Add field NEED_SYNC. + * mpi/ec.c (ec_p_sync): New. + (ec_p_init): Only set NEED_SYNC. + (_gcry_mpi_ec_set_mpi): Set NEED_SYNC for 'p' and 'a'. + (_gcry_mpi_ec_dup_point, _gcry_mpi_ec_add_points) + (_gcry_mpi_ec_mul_point): Call ec_p_sync. + (_gcry_mpi_ec_get_point): Recompute 'q' is needed. + (_gcry_mpi_ec_get_mpi): Ditto. Also allow for names 'q', 'q.x', + 'q.y', and 'g'. + * cipher/ecc.c (_gcry_mpi_ec_ec2os): New. + + * cipher/ecc.c (_gcry_mpi_ec_new): Fix init from parameters 'Q'->'q', + 'G'->'q'. + +2013-03-15 Werner Koch + + mpi: Add functions to manipulate an EC context. + + commit 229f3219f80c9369ed9624242c0436ae6d293201 + * src/gcrypt.h.in (gcry_mpi_ec_p_new): Remove. + (gcry_mpi_ec_new): New. + (gcry_mpi_ec_get_mpi): New. + (gcry_mpi_ec_get_point): New. + (gcry_mpi_ec_set_mpi): New. + (gcry_mpi_ec_set_point): New. + * src/visibility.c (gcry_mpi_ec_p_new): Remove. + * mpi/ec.c (_gcry_mpi_ec_p_new): Make it an internal function and + change to return an error code. + (_gcry_mpi_ec_get_mpi): New. + (_gcry_mpi_ec_get_point): New. + (_gcry_mpi_ec_set_mpi): New. + (_gcry_mpi_ec_set_point): New. + * src/mpi.h: Add new prototypes. + * src/ec-context.h: New. + * mpi/ec.c: Include that header. + (mpi_ec_ctx_s): Move to ec-context.h, add new fields, and put some + fields into an inner struct. + (point_copy): New. + * cipher/ecc.c (fill_in_curve): Allow passing NULL for R_NBITS. + (mpi_from_keyparam, point_from_keyparam): New. + (_gcry_mpi_ec_new): New. + + * tests/t-mpi-point.c (test-curve): New. + (ec_p_new): New. Use it instead of the removed gcry_mpi_ec_p_new. + (get_and_cmp_mpi, get_and_cmp_point): New. + (context_param): New test. + (basic_ec_math_simplified): New test. + (main): Call new tests. + + * src/context.c (_gcry_ctx_get_pointer): Check for a NULL CTX. + +2013-03-13 Werner Koch + + Add GCRYMPI_FLAG_CONST and make use constants. + + commit e005629bd7bebb3e13945645c6e1230b44ab16a2 + * src/gcrypt.h.in (GCRYMPI_FLAG_CONST): New. + * src/mpi.h (mpi_is_const, mpi_const): New. + (enum gcry_mpi_constants, MPI_NUMBER_OF_CONSTANTS): New. + * mpi/mpiutil.c (_gcry_mpi_init): New. + (constants): New. + (_gcry_mpi_free): Do not release a constant flagged MPI. + (gcry_mpi_copy): Clear the const and immutable flags. + (gcry_mpi_set_flag, gcry_mpi_clear_flag, gcry_mpi_get_flag): Support + GCRYMPI_FLAG_CONST. + (_gcry_mpi_const): New. + * src/global.c (global_init): Call _gcry_mpi_init. + * mpi/ec.c (mpi_ec_ctx_s): Remove fields one, two, three, four, and + eight. Change all users to call mpi_const() instead. + + * src/mpiutils.c (gcry_mpi_set_opaque): Check the immutable flag. + + Add GCRYMPI_FLAG_IMMUTABLE to help debugging. + + commit 1fecae98ee7e0fa49b29f98efa6817ca121ed98a + * src/gcrypt.h.in (GCRYMPI_FLAG_IMMUTABLE): New. + * src/mpi.h (mpi_is_immutable): New macro. + * mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag) + (gcry_mpi_get_flag): Implement new flag + (_gcry_mpi_immutable_failed): New. + + * mpi/mpiutil.c (_gcry_mpi_clear, _gcry_mpi_free, gcry_mpi_snatch) + (gcry_mpi_set, gcry_mpi_randomize): Act upon the immutable flag. + * mpi/mpi-bit.c (gcry_mpi_set_bit, gcry_mpi_set_highbit) + (gcry_mpi_clear_highbit, gcry_mpi_clear_bit) + (_gcry_mpi_rshift_limbs, gcry_mpi_lshift): Ditto. + * mpi/mpicoder.c (_gcry_mpi_set_buffer): Ditto. + +2013-03-08 Werner Koch + + mpi: Add an API for EC math. + + commit 8ac9e756d3ca545a9b97e61ad3d42fc2e877d788 + * src/context.c, src/context.h: New. + * src/Makefile.am (libgcrypt_la_SOURCES): Add new files. + * src/gcrypt.h.in (struct gcry_context, gcry_ctx_t): New types. + (gcry_ctx_release): New prototype. + (gcry_mpi_ec_p_new, gcry_mpi_ec_get_affine, gcry_mpi_ec_dup) + (gcry_mpi_ec_add, gcry_mpi_ec_mul): New prototypes. + * mpi/ec.c: Include errno.h and context.h. + (_gcry_mpi_ec_init): Rename to .. + (ec_p_init): this, make static, remove allocation and add arg CTX. + (_gcry_mpi_ec_p_internal_new): New; to replace _gcry_mpi_ec_init. + Change all callers to use this func. + (_gcry_mpi_ec_free): Factor code out to .. + (ec_deinit): New func. + (gcry_mpi_ec_p_new): New. + * src/visibility.c: Include context.h and mpi.h. + (gcry_mpi_ec_p_new, gcry_mpi_ec_get_affine, gcry_mpi_ec_dup) + (gcry_mpi_ec_add, gcry_mpi_ec_mul) + (gcry_ctx_release): New wrapper functions. + * src/visibility.h: Mark new wrapper functions visible. + * src/libgcrypt.def, src/libgcrypt.vers: Add new symbols. + * tests/t-mpi-point.c (print_mpi, hex2mpi, cmp_mpihex): New. + (context_alloc): New. + (make_point, basic_ec_math): New. + + mpi: Add an API for EC point operations. + + commit 7cce620acddac2df024ca421ed3abc32a88f3738 + * mpi/ec.c (gcry_mpi_point_new, gcry_mpi_point_release): New. + (gcry_mpi_point_get, gcry_mpi_point_snatch_get): New. + (gcry_mpi_point_set, gcry_mpi_point_snatch_set): New. + * src/visibility.h, src/visibility.c: Add corresponding macros and + wrappers. + * src/gcrypt.h.in (struct gcry_mpi_point, gcry_mpi_point_t): New. + (gcry_mpi_point_new, gcry_mpi_point_release, gcry_mpi_point_get) + (gcry_mpi_point_snatch_get, gcry_mpi_point_set) + (gcry_mpi_point_snatch_set): New prototypes. + (mpi_point_new, mpi_point_release, mpi_point_get, mpi_point_snatch_get) + (mpi_point_set, mpi_point_snatch_set): New macros. + * src/libgcrypt.vers (gcry_mpi_point_new, gcry_mpi_point_release) + (gcry_mpi_point_get, gcry_mpi_point_snatch_get, gcry_mpi_point_set) + (gcry_mpi_point_snatch_set): New symbols. + * src/libgcrypt.def: Ditto. + * tests/t-mpi-point.c: New. + * tests/Makefile.am (TESTS): Add t-mpi-point + +2013-03-07 Werner Koch + + mpi: Add mpi_snatch and change an internal typedef. + + commit 6c4767637c512127a4362732b3ec51068554d328 + * src/mpi.h (struct mpi_point_s): Rename to struct gcry_mpi_point. + (mpi_point_struct): New typedef. + (mpi_point_t): Change typedef to a pointer. Replace all occurrences + to use mpi_point_struct. + * mpi/ec.c (_gcry_mpi_ec_point_init): Rename to .. + (_gcry_mpi_point_init): this. Change all callers. + (_gcry_mpi_ec_point_free): Rename to .. + (_gcry_mpi_point_free_parts): this. Change all callers. + + * mpi/mpiutil.c (gcry_mpi_snatch): New function. + * src/gcrypt.h.in (gcry_mpi_snatch, mpi_snatch): Add protoype and + macro. + * src/visibility.c (gcry_mpi_snatch): Add wrapper. + * src/visibility.h (gcry_mpi_snatch): Add macro magic. + * src/libgcrypt.def, src/libgcrypt.vers: Add new function. + + Pretty print the configure feedback. + + commit c620099e4ab2f35e0196b395a805bb655c984ac2 + * acinclude.m4 (GNUPG_MSG_PRINT): Remove. + (GCRY_MSG_SHOW, GCRY_MSG_WRAP): New. + * configure.ac: Use new macros for the feedback. + +2013-02-20 Werner Koch + + Fix building of hwf-x86.c. + + commit 70dcac663de06b012417015c175973d64e6980df + * src/Makefile.am (AM_CFLAGS): Set to GPG_ERROR_CFLAGS + (AM_CCASFLAGS): Set NOEXECSTACK_FLAGS. + + Remove build hacks for FreeBSD. + + commit fb48ebf7081400a24ee48f8a9894a361e8834b6e + * configure.ac [freebsd]: Do not add /usr/local to CPPFLAGS and + LDFLAGS. + +2013-02-19 Jussi Kivilinna + + Rinjdael: Fix use of SSE2 outside USE_AESNI/ctx->use_aesni. + + commit 0da77955a097bfd2469ad084b3e9fcac4fb1e3fa + * cipher/rijndael.c (_gcry_aes_cbc_enc): Check if AES-NI is enabled before + calling aesni_prepare() and aesni_cleanup(). + + Add AES-NI/AVX accelerated Camellia implementation. + + commit 63ac3ba07dba82fde040d31b90b4eff627bd92b9 + * configure.ac: Add option --disable-avx-support. + (HAVE_GCC_INLINE_ASM_AVX): New. + (ENABLE_AVX_SUPPORT): New. + (camellia) [ENABLE_AVX_SUPPORT, ENABLE_AESNI_SUPPORT]: Add + camellia_aesni_avx_x86-64.lo. + * cipher/Makefile.am (AM_CCASFLAGS): Add. + (EXTRA_libcipher_la_SOURCES): Add camellia_aesni_avx_x86-64.S + * cipher/camellia-glue.c [ENABLE_AESNI_SUPPORT, ENABLE_AVX_SUPPORT] + [__x86_64__] (USE_AESNI_AVX): Add macro. + (struct Camellia_context) [USE_AESNI_AVX]: Add use_aesni_avx. + [USE_AESNI_AVX] (_gcry_camellia_aesni_avx_ctr_enc) + (_gcry_camellia_aesni_avx_cbc_dec): New prototypes to assembly + functions. + (camellia_setkey) [USE_AESNI_AVX]: Enable AES-NI/AVX if hardware + support both. + (_gcry_camellia_ctr_enc) [USE_AESNI_AVX]: Add AES-NI/AVX code. + (_gcry_camellia_cbc_dec) [USE_AESNI_AVX]: Add AES-NI/AVX code. + * cipher/camellia_aesni_avx_x86-64.S: New. + * src/g10lib.h (HWF_INTEL_AVX): New. + * src/global.c (hwflist): Add HWF_INTEL_AVX. + * src/hwf-x86.c (detect_x86_gnuc) [ENABLE_AVX_SUPPORT]: Add detection + for AVX. + + camellia.c: Prepare for AES-NI/AVX implementation. + + commit 4de62d80644228fc5db2a9f9c94a7eb633d8de2e + * cipher/camellia-glue.c (CAMELLIA_encrypt_stack_burn_size) + (CAMELLIA_decrypt_stack_burn_size): Increase stack burn size. + * cipher/camellia.c (CAMELLIA_ROUNDSM): Move key-material mixing in + the front. + (camellia_setup128, camellia_setup256): Remove now unneeded + key-material mangling. + (camellia_encrypt128, camellia_decrypt128, amellia_encrypt256) + (camellia_decrypt256): Copy block to stack, so that compiler can + optimize it for register usage. + + Camellia, prepare glue code for AES-NI/AVX implementation. + + commit 537f12ce072d568f9fa344c447d32b2e0efffbe8 + * cipher/camellia-glue.c (ATTR_ALIGNED_16): Add macro. + (CAMELLIA_encrypt_stack_burn_size): Add macro. + (camellia_encrypt): Use macro above for stack burn size. + (CAMELLIA_decrypt_stack_burn_size): Add macro. + (camellia_decrypt): Use macro above for stack burn size. + (_gcry_camellia_ctr_enc): New function. + (_gcry_camellia_cbc_dec): New function. + (selftest_ctr_128): New function. + (selftest): Call function above. + * cipher/cipher.c (gcry_cipher_open) [USE_CAMELLIA]: Register bulk + functions for CBC-decryption and CTR-mode. + * src/cipher.h (_gcry_camellia_ctr_enc): New prototype. + (_gcry_camellia_cbc_dec): New prototype. + +2012-12-21 Werner Koch + + Prepare for hardware feature detection on other platforms. + + commit 09ac5d87d11aa0b1fa0e0a4184ab03b3671a73e2 + * configure.ac (GCRYPT_HWF_MODULES): New. + (HAVE_CPU_ARCH_X86, HAVE_CPU_ARCH_ALPHA, HAVE_CPU_ARCH_SPARC) + (HAVE_CPU_ARCH_MIPS, HAVE_CPU_ARCH_M68K, HAVE_CPU_ARCH_PPC) + (HAVE_CPU_ARCH_ARM): New AC_DEFINEs. + * mpi/config.links (mpi_cpu_arch): New. + * src/global.c (print_config): Print new tag "cpu-arch". + * src/Makefile.am (libgcrypt_la_SOURCES): Add hwf-common.h + (EXTRA_libgcrypt_la_SOURCES): New. + (gcrypt_hwf_modules): New. + (libgcrypt_la_DEPENDENCIES, libgcrypt_la_LIBADD): Add that one. + * src/hwfeatures.c: Factor most code out to ... + * src/hwf-x86.c: New file. + (detect_x86_gnuc): Return the feature vector. + (_gcry_hwf_detect_x86): New. + * src/hwf-common.h: New. + * src/hwfeatures.c (_gcry_detect_hw_features): Dispatch using + HAVE_CPU_ARCH_ macros. + +2012-12-21 Jussi Kivilinna + + Clean up i386/x86-64 cpuid usage in hwfeatures.c. + + commit d842eea55e22c05da3959a7a4422b5fcd7884f60 + * src/hwfeatures.c [__i386__ && __GNUC__] (detect_ia32_gnuc): Remove. + [__x86_64__ && __GNUC__] (detect_x86_64_gnuc): Remove. + [__i386__ && __GNUC__] (is_cpuid_available, get_cpuid) + (HAS_X86_CPUID): New. + [__x86_64__ && __GNUC__] (is_cpuid_available, get_cpuid) + (HAS_X86_CPUID): New. + [HAS_X86_CPUID] (detect_x86_gnuc): New. + (_gcry_detect_hw_features) [__i386__ && GNUC]: Remove detect_ia32_gnuc + call. + (_gcry_detect_hw_features) [__x86_64__ && GNUC]: Remove + detect_x86_64_gnuc call. + (_gcry_detect_hw_features) [HAS_X86_CPUID]: Add detect_x86_gnuc call. + +2012-12-18 Dmitry Kasatkin + + Add support for using DRNG random number generator. + + commit efd7002188e6d50013e4d9a920a8b9afa9d210e5 + * configure.ac: Add option --disable-drng-support. + (ENABLE_DRNG_SUPPORT): New. + * random/rndhw.c (USE_DRNG): New. + (rdrand_long, rdrand_nlong, poll_drng): New. + (_gcry_rndhw_poll_fast, _gcry_rndhw_poll_slow): Call poll function. + * src/g10lib.h (HWF_INTEL_RDRAND): New. + * src/global.c (hwflist): Add "intel-rdrand". + * src/hwfeatures.c (detect_x86_64_gnuc) [ENABLE_DRNG_SUPPORT]: Detect + RDRAND. + (detect_ia32_gnuc) [ENABLE_DRNG_SUPPORT]: Detect RDRAND. + +2012-12-03 Werner Koch + + random: Add a RNG selection interface and system RNG wrapper. + + commit 7607ab81504ce44060ed0b331d309606f5da1e75 + * random/random-system.c: New. + * random/Makefile.am (librandom_la_SOURCES): Add new module. + * random/random.c (struct rng_types): New. + (_gcry_set_preferred_rng_type, _gcry_get_rng_type): New. + (_gcry_random_initialize, gcry_random_add_bytes, do_randomize) + (_gcry_set_random_seed_file, _gcry_update_random_seed_file) + (_gcry_fast_random_poll): Dispatch to the actual RNG. + * src/gcrypt.h.in (GCRYCTL_SET_PREFERRED_RNG_TYPE): New. + GCRYCTL_GET_CURRENT_RNG_TYPE): New. + (gcry_rng_types): New. + * src/global.c (print_config): Print the TNG type. + (global_init, _gcry_vcontrol): Implement the new control codes. + * doc/gcrypt.texi (Controlling the library): Document the new control + codes. + + * tests/benchmark.c (main): Add options to test the RNG types. + * tests/random.c (main): Add new options. + (print_hex): Print to stderr. + (progress_cb, rng_type): New. + (check_rng_type_switching, check_early_rng_type_switching): New. + (run_all_rng_tests): New. + + tests: Allow use of random.c under Windows. + + commit 76c622e24a07f7c826812be173aa173b4334776b + * tests/Makefile.am (TESTS): Always include random.c + * tests/random.c [!W32]: Include sys/wait.h. + (inf): New. + (check_forking, check_nonce_forking): Print a notice what will be done. + (main) [W32]: Do not call signal. + + Make random-fips.c work multi-threaded. + + commit 75760021b511ba438606af746431223357e7a155 + * random/random-fips.c (basic_initialization): Fix reversed logic. + + Move nonce creation from csprng backend to random main module. + + commit c324644aa14e54fc7051983b38222db32b8ab227 + * random/random-csprng.c (_gcry_rngcsprng_create_nonce): Remove. + (nonce_buffer_lock): Remove. + (initialize_basics): Remove init of nonce_buffer_lock. + * random/random.c: Add a few header files. + (nonce_buffer_lock): New. + (_gcry_random_initialize): Init nonce_buffer_lock. + (gcry_create_nonce): Add code from _gcry_rngcsprng_create_nonce. + + * random/random-daemon.c (_gcry_daemon_create_nonce): Remove. + +2012-12-03 Jussi Kivilinna + + Fix building with CC="gcc -std=c90". + + commit f851b9a932ee64fa5a06000d1ac763ba4349f07d + * configure.ac: Add check for missing 'asm' keyword in C90 mode and + replacement with '__asm__'. + +2012-12-03 Werner Koch + + Try to use inttypes.h if stdint.h is not available. + + commit d9ec7aec1301b13a89e5c9c54d7ad52e1a29b846 + * cipher/bufhelp.h [HAVE_INTTYPES_H]: Include inttypes.h + +2012-12-03 Jussi Kivilinna + + Optimize buffer xoring. + + commit 162791bc08f4fc9b3882671e68ecdfd9e130ae59 + * cipher/Makefile.am (libcipher_la_SOURCES): Add 'bufhelp.h'. + * cipher/bufhelp.h: New. + * cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt) + (_gcry_cipher_aeswrap_decrypt): Use 'buf_xor' for buffer xoring. + * cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt) + (_gcry_cipher_cbc_decrypt): Use 'buf_xor' for buffer xoring and remove + resulting unused variables. + * cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt) Use 'buf_xor_2dst' + for buffer xoring and remove resulting unused variables. + (_gcry_cipher_cfb_decrypt): Use 'buf_xor_n_copy' for buffer xoring and + remove resulting unused variables. + * cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Use 'buf_xor' for + buffer xoring and remove resulting unused variables. + * cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt) + (_gcry_cipher_ofb_decrypt): Use 'buf_xor' for buffer xoring and remove + resulting used variables. + * cipher/rijndael.c (_gry_aes_cfb_enc): Use 'buf_xor_2dst' for buffer + xoring and remove resulting unused variables. + (_gry_aes_cfb_dev): Use 'buf_xor_n_copy' for buffer xoring and remove + resulting unused variables. + (_gry_aes_cbc_enc, _gry_aes_ctr_enc, _gry_aes_cbc_dec): Use 'buf_xor' + for buffer xoring and remove resulting unused variables. + +2012-11-29 Jussi Kivilinna + + Optimize AES-NI CTR mode. + + commit 9ee9e25f519696d509b1a5c1cc04ab0121e98a51 + * cipher/rijndael.c [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Make + handling of 64-bit overflow and carry conditional. Avoid generic to + vector register passing of value '1'. Generate and use '-1' instead. + +2012-11-28 Werner Koch + + Make a cpp conditional in rijndael.c better readable. + + commit 6765e0a8618000d3dc7bda035163e0708c43791b + * cipher/rijndael.c (USE_AESNI): Modify cpp conditionals for better + readability. + +2012-11-28 Jussi Kivilinna + + Fix building with Clang on x86-64 and i386. + + commit 99e272d938fe23efec25af409bdb91dae0e659e5 + * cipher/rijndael.c [USE_AESNI] (do_aesni_enc_aligned) + (do_aesni_dec_vec4, do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Add + explicit suffix to 'cmp' instructions. + +2012-11-26 Jussi Kivilinna + + Optimize wipememory2 for i386 and x86-64. + + commit faec12e23f03c7cd1614594bfdd51f1302cadb42 + * src/g10lib.h (wipememory2): Add call to fast_wipememory2. + (fast_wipememory2): New macros for i386 and x86-64 architectures. + Empty macro provided for other architectures. + + Fix missing 64bit carry handling in AES-NI CTR mode. + + commit fc37e805c6394c2e635d1a033670be961f36a6d2 + * cipher/rijndael.c [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Add + carry handling to 64-bit addition. + (selftest_ctr_128): New function for testing IV handling in bulk CTR + function. + (selftest): Add call to selftest_ctr_128. + + Add parallelized AES-NI CBC decryption. + + commit 35aff0cd43885b5f5c076432ec614698abeb63d8 + * cipher/rijndael.c [USE_AESNI] (aesni_cleanup_5): New macro. + [USE_AESNI] (do_aesni_dec_vec4): New function. + (_gcry_aes_cbc_dec) [USE_AESNI]: Add parallelized CBC loop. + (_gcry_aes_cbc_dec) [USE_AESNI]: Change IV storage register from xmm3 + to xmm5. + + Clear xmm5 after use in AES-NI CTR mode. + + commit 5acd0e5ae2a58dda51c2b56c879b80a1a6d2c42f + * cipher/rijndael.c [USE_AESNI]: Rename aesni_cleanup_2_4 to + aesni_cleanup_2_5. + [USE_AESNI] (aesni_cleanup_2_5): Clear xmm5 register. + (_gcry_aes_ctr_enc, _gcry_aes_cbc_dec) [USE_AESNI]: Use + aesni_cleanup_2_5 instead of aesni_cleanup_2_4. + + Optimize AES-NI CBC encryption. + + commit be3768994ad362dfc849a8cd0146b4c9bb287d20 + * cipher/rijndeal.c (_gcry_aes_cbc_enc) [USE_AESNI]: Add AES-NI + spesific loop and use SSE2 assembler for xoring and copying of + blocks. + + Improve parallelizability of CBC decryption for AES-NI. + + commit 3369d960158ab4231b83926a0f982e2a8819f173 + * cipher/rijndael.c (_gcry_aes_cbc_dec) [USE_AESNI]: Add AES-NI + specific CBC mode loop with temporary block and IV stored in free SSE + registers. + + Extend test of chained modes for 128bit ciphers. + + commit 55b96be08531664ed3f4230acebe0f45954bbc33 + * tests/basic.c (check_one_cipher_core, check_one_cipher): Increase + input and output buffer sizes from 16 bytes to 1024+16=1040 bytes. + (check_one_cipher_core): Add asserts to verify sizes of temporary + buffers. + +2012-11-21 Werner Koch + + Fix for strict aliasing rules. + + commit dfb4673da8ee52d95e0a62c9f49ca8599943f22e + * cipher/rijndael.c (do_setkey, prepare_decryption): Use u32_a_t for + casting. + + Do not detect AES-NI support if disabled by configure. + + commit 3047795794eb238aa684bd0729acf64c82a19e09 + * src/hwfeatures.c (detect_ia32_gnuc): Detect AESNI support only if + that support has been enabled. + +2012-11-21 Jussi Kivilinna + + Fix too large burn_stack in camellia-glue.c. + + commit 8afabc2813948778a3db52d9dee9a041a3dd50d4 + * cipher/camellia-glue.c (camellia_encrypt, camellia_decrypt): Do not + take full array size of KEY_TABLE_TYPE, but argument size instead. + + Add x86_64 support for AES-NI. + + commit d8bdfa42ed582655c180e7db9b16d4e756a12a6e + * cipher/rijndael.c [ENABLE_AESNI_SUPPORT]: Enable USE_AESNI on x86-64. + (do_setkey) [USE_AESNI_is_disabled_here]: Use %[key] and %[ksch] + directly as registers instead of using temporary register %%esi. + [USE_AESNI] (do_aesni_enc_aligned, do_aesni_dec_aligned, do_aesni_cfb, + do_aesni_ctr, do_aesni_ctr_4): Use %[key] directly as register instead + of using temporary register %%esi. + [USE_AESNI] (do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Change %[key] + from generic "g" type to register "r". + * src/hwfeatures.c (_gcry_detect_hw_features) [__x86_64__]: Do not + clear AES-NI feature flag. + + Fix cpuid vendor-id check for i386 and x86-64. + + commit 9e1552517f68459a165ddebbba85e7cf37ff4f0c + * src/hwfeatures.c (detect_x86_64_gnuc, detect_ia32_gnuc): Allow + Intel features be detect from CPU by other vendors too. + + Fix hwdetect assembler clobbers. + + commit 19b9efd1f47a5de9c450ce8212dfa3174a029c7a + * src/hwfeatures.c (detect_x86_64_gnuc): Add missing %ebx assembler + clobbers. + (detect_x86_64_gnuc, detect_ia32_gnuc) [ENABLE_PADLOCK_SUPPORT]: Add + missing %ecx assembler clobbers. + +2012-11-21 Werner Koch + + Use configure test for aligned attribute. + + commit 6368ed542150956ff4ba8170a15bbc534143675c + * configure.ac (HAVE_GCC_ATTRIBUTE_ALIGNED): New test and ac_define. + * cipher/cipher-internal.h, cipher/rijndael.c, random/rndhw.c: Use new + macro instead of a fixed test for __GNUC__. + + Fix segv with AES-NI on some platforms. + + commit a96974de734beb51a733a89b3283bcf7b433b54c + * cipher/rijndael.c (RIJNDAEL_context): Align on 16 bytes. + +2012-11-16 Werner Koch + + Improve parsing of the GIT revision number. + + commit 4b18e530f417d4af401a3fd721ad2a07e5310e3e + * configure.ac (mmm4_revision): Use git rev-parse. + +2012-11-08 Werner Koch + + Fix extern inline use for gcc > 4.3 in c99 mode. + + commit 5abc06114e91beca0177331e1c79815f5fb6d7be + * mpi/mpi-inline.h [!G10_MPI_INLINE_DECL]: Take care of changed extern + inline semantics in gcc. + +2012-11-07 Werner Koch + + Fix memory leak in gcry_pk_testkey for ECC. + + commit 8cbbad5f94f6e0429fffe66d689aea20f7e35957 + * cipher/ecc.c (check_secret_key): Restructure for easier allocation + tracking. Fix memory leak. + +2012-11-05 Werner Koch + + Prepare for a backported interface in 1.5.1. + + commit 7af98ef78d45e813f47ae4e180a02757a379953f + * configure.ac: Bump LT version at C20/A0/R0 to adjust for a planned + API update in 1.5.1. + + Adjust for stricter autoconf requirements. + + commit 1241fbbc896e9bbad68f1007a17b20493f6cd1af + * configure.ac: Fix usage of AC_LANG_PROGRAM. + + Update build helper scripts. + + commit a5c4d45e8d12737cd21b095c81da5c18e2afc39e + * config.guess, config.sub: Update to version 2012-07-31. + * ltmain.sh: Update to version 2.4.2. + * install-sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltversion.m4 + * m4/lt~obsolete.m4: Update to autoconf 2.69 versions. + + Do not distribute a copy of gitlog-to-changelog. + + commit 40976d7da5420453bf93a9c99f0cc4c7044d0774 + * Makefile.am (GITLOG_TO_CHANGELOG): New. + (gen-ChangeLog): Require an installed gitlog-to-changelog. + * scripts/gitlog-to-changelog: Remove. + + * README.SVN: Remove. + * REMOVE.GIT: New. + + Allow building with w64-mingw32. + + commit 4f6fb150558d0ed250bfbd50352c258a4456ba50 + * autogen.sh <--build-w32>: Support the w64-mingw32 toolchain. Also + prepare for 64 bit building. + : Remove option -c from chmod. + + Switch to the new automagic beta numbering scheme. + + commit 7d5195be76d9dd4adc28976ad153e8f7761c5855 + * configure.ac: Add all the required m4 magic. + + Avoid dereferencing pointer right after the end. + + commit 79502e2c1982047dcf2b776f52826f38bbd9b1fe + * mpi/mpicoder.c (do_get_buffer): Check the length before derefing P. + +2012-10-30 Werner Koch + + Make ancient test program useful again. + + commit 66adf76e634423bb72ce1f0b5ed78f4e4798f190 + * tests/testapi.c (test_sexp): Adjust to current API. Print the + return code. Mark unused args. + (test_genkey): Mark unused args. + (main): Do not pass NULL to printf. + + tests: Add ECC key generation tests. + + commit c13164884ade6b1e945cddacce2d244fd881de6b + * tests/keygen.c (check_generated_ecc_key): New. + (check_ecc_keys): New. + (main): Call simple ECC checks. + +2012-10-30 Milan Broz + + PBKDF2: Allow empty passphrase. + + commit 8528f1ba40e587dc17e02822e529fbd7ac69a189 + * cipher/kdf.c (gcry_kdf_derive): Allow empty passphrase for PBKDF2. + * tests/t-kdf.c (check_pbkdf2): Add test case for above. + +2012-08-16 Xi Wang + + Replace deliberate division by zero with _gcry_divide_by_zero. + + commit 2c54c4da19d3a79e9f749740828026dd41f0521a + * mpi/mpi-pow.c: Replace 1 / msize. + * mpi/mpih-div.c: Replace 1 / dsize. + * src/misc.c: Add _gcry_divide_by_zero. + +2012-06-21 Werner Koch + + Clear AESNI feature flag for x86_64. + + commit 2196728e2252917849c1be94417258076767021b + * src/hwfeatures.c (_gcry_detect_hw_features) [__x86_64__]: Clear + AESNI feature flag. + + Beautify last change. + + commit 20e423212c9710ee663e12dd0f62580ceb245a6f + * cipher/rijndael.c: Replace C99 feature from last patch. Keep cpp + lines short. + * random/rndhw.c: Keep cpp lines short. + * src/hwfeatures.c (_gcry_detect_hw_features): Make cpp def chain + better readable. + +2012-06-21 Rafaël Carré + + Enable VIA Padlock on x86_64 platforms. + + commit baf0dc7e9c26167ab43ba2adebcf2f1abc9d9b3b + * cipher/rijndael.c: Duplicate x86 assembly and convert to x86_64. + * random/rndhw.c: Likewise. + * src/hwfeatures.c: Likewise. + +2012-05-14 Werner Koch + + Add curve aliases from RFC-5656. + + commit 39c123b729a472ace039f8536d07f8b9a5f4675a + * cipher/ecc.c (curve_aliases): Add "nistp???" entries. + +2012-04-16 Werner Koch + + State new contribution rules. + + commit 3bb858551cd5d84e43b800edfa2b07d1529718a9 + * doc/DCO: New. + * doc/HACKING: Document new rules. + +2012-04-04 Tomas Mraz + + Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command. + + commit 90e49a11733bfba9c3c505ac487282d35757f682 + * doc/gcrypt.texi: Add documentation of the new command. + * src/fips.c (_gcry_enforced_fips_mode): Report the enforced fips mode + only when fips mode is enabled. + (_gcry_set_enforced_fips_mode): New function. + * src/g10lib.h: Add the _gcry_set_enforced_fips_mode prototype. + * src/gcrypt.h.in: Add the GCRYCTL_SET_ENFORCED_FIPS_FLAG. + * src/global.c (_gcry_vcontrol): Handle the new command. + +2012-02-17 Ulrich Müller + + Rework selftest in idea.c. + + commit 70cca617ed75ea292e1fed769114dda5cc1d76f1 + * cipher/idea.c (do_setkey): Execute selftest when first called. + (decrypt_block): Remove commented-out code. + (selftest): Execute all selftests. Return NULL on success, or + string in case of error. + +2012-02-16 Werner Koch + + Fix missing prototype. + + commit 46035d28c9b413851d43a4008fdc8e4cdf5d686b + * src/g10lib.h (_gcry_secmem_module_init): Make it a real prototype. + +2012-02-16 Ulrich Müller + + Add support for the IDEA cipher. + + commit 318fd85f377c060908d371f792d41e599b3b7483 + Adapt idea.c to the Libgcrypt framework. + Add IDEA to cipher_table and to the build system. + + Patents on IDEA have expired: + Europe: EP0482154 on 2011-05-16, + Japan: JP3225440 on 2011-05-16, + U.S.: 5,214,703 on 2012-01-07. + + * configure.ac: Add idea to the list of available ciphers. + Define USE_IDEA if idea is enabled. + * cipher/cipher.c (cipher_table): Add entry for IDEA. + * cipher/idea.c: Update comment about patents. + Include proper header files and remove redundant declarations. + (expand_key, cipher, do_setkey, encrypt_block, decrypt_block): + Define function arguments as const where appropriate. + (cipher): Test for !WORDS_BIGENDIAN instead of LITTLE_ENDIAN_HOST. + (do_setkey, decrypt_block): Don't call selftest. + (idea_setkey): New function, wrapper for do_setkey. + (idea_encrypt): New function, wrapper for encrypt_block. + (_gcry_cipher_spec_idea): Define. + * cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add idea.c. + * src/cipher.h (_gcry_cipher_spec_idea): Declare. + * tests/basic.c (check_ciphers): Add GCRY_CIPHER_IDEA. + +2012-01-09 Werner Koch + + Include an IDEA implementation. + + commit 6078b05f5340d886e0b9e6cee1d9b5043e0cb210 + The code is the old IDEA test code, written by me back in 1997 and + distributed on a Danish FTP server. This commit is only for + reference. To use the code it has to be adjusted to the Libgcrypt + framework. + +2012-01-03 Marcus Brinkmann + + Fix pthread locking and remove defunctional support for static lock init. + + commit 38fcd59ce774eaa3d65f2f7534c989afd860eb56 + * src/ath.c: Include assert.h. + (ath_mutex_destroy, ath_mutex_lock, ath_mutex_unlock): Dereference LOCK. + * src/g10lib.h (_gcry_secmem_module_init): New declaration. + * src/global.c (global_init): Call _gcry_secmem_module_init. + * src/secmem.c (_gcry_secmem_module_init): New function. + +2011-12-16 Werner Koch + + Add alignment tests for the cipher tests. + + commit 14cf1f7e338fedb8edaff5631441746605152bd6 + * tests/basic.c (check_one_cipher): Factor most code out to + check_one_cipher_core. Call that core function several times using + different alignment settings. + (check_one_cipher_core): New. Add extra args to allow alignment + testing. + +2011-12-07 Werner Koch + + tests/prime: Add option to create a well known private key. + + commit 16f5654643d584e3bc739b636752d779176b2191 + * tests/prime.c (print_mpi, create_42prime): New. + (main): Add option --42. + +2011-12-01 Werner Koch + + Do not build the random-daemon by make distcheck. + + commit ea1fb538d99f1ec093f2fef86f4f29176ec27826 + * Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Disable building of the + random daemon + + Generate the ChangeLog from commit logs. + + commit 137d73191c904926ba529376144ee8239af4ca02 + * scripts/gitlog-to-changelog: New script. Taken from gnulib. + * scripts/git-log-fix: New file. + * scripts/git-log-footer: New file. + * doc/HACKING: Describe the ChangeLog policy + * ChangeLog: New file. + * Makefile.am (EXTRA_DIST): Add new files. + (gen-ChangeLog): New. + (dist-hook): Run gen-ChangeLog. + + Rename all ChangeLog files to ChangeLog-2011. + +2011-12-01 Werner Koch + + NB: Changes done before December 1st, 2011 are described in + per directory files named ChangeLog-2011. See doc/HACKING for + details. + + ----- + Copyright (C) 2011 Free Software Foundation, Inc. + + Copying and distribution of this file and/or the original GIT + commit log messages, with or without modification, are + permitted provided the copyright notice and this notice are + preserved. diff --git a/LICENSES b/LICENSES index ebc18b3..f6733a6 100644 --- a/LICENSES +++ b/LICENSES @@ -54,6 +54,51 @@ with any binary distributions derived from the GNU C Library. SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #+end_quote + + For files: + - random/jitterentropy-base.c + - random/jitterentropy.h + - random/rndjent.c (plus common Libgcrypt copyright holders) + +#+begin_quote + * Copyright Stephan Mueller , 2013 + * + * License + * ======= + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU General Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF + * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. +#+end_quote + * X License For files: diff --git a/Makefile.am b/Makefile.am index f946df2..f97af7f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -78,7 +78,7 @@ distcheck-hook: gen_start_date = 2011-12-01T14:00:00 .PHONY: gen-ChangeLog gen-ChangeLog: - if test -d $(top_srcdir)/.git; then \ + if test -e $(top_srcdir)/.git; then \ (cd $(top_srcdir) && \ $(GITLOG_TO_CHANGELOG) --append-dot --tear-off \ --amend=build-aux/git-log-fix \ diff --git a/Makefile.in b/Makefile.in index 4515277..c8edfa4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -921,7 +921,7 @@ distcheck-hook: done ) | tee $(distdir).swdb .PHONY: gen-ChangeLog gen-ChangeLog: - if test -d $(top_srcdir)/.git; then \ + if test -e $(top_srcdir)/.git; then \ (cd $(top_srcdir) && \ $(GITLOG_TO_CHANGELOG) --append-dot --tear-off \ --amend=build-aux/git-log-fix \ diff --git a/NEWS b/NEWS index cd8b8de..39f70a3 100644 --- a/NEWS +++ b/NEWS @@ -1,65 +1,129 @@ -Noteworthy changes in version 1.7.7 (2017-06-02) [C21/A1/R7] +Noteworthy changes in version 1.8.1 (2017-08-27) [C22/A2/R1] ------------------------------------------------ * Bug fixes: - - Fix possible timing attack on EdDSA session key. + - Mitigate a local side-channel attack on Curve25519 dubbed "May + the Fourth be With You". [CVE-2017-0379] [also in 1.7.9] - - Fix long standing bug in secure memory implementation which could - lead to a segv on free. [bug#3027] + - Add more extra bytes to the pool after reading a seed file. + + - Add the OID SHA384WithECDSA from RFC-7427 to SHA-384. + + - Fix build problems with the Jitter RNG + + - Fix assembler code build problems on Rasbian (ARMv8/AArch32-CE). -Noteworthy changes in version 1.7.6 (2017-01-18) [C21/A1/R6] +Noteworthy changes in version 1.8.0 (2017-07-18) [C22/A2/R0] ------------------------------------------------ - * Bug fixes: + * New interfaces: - - Fix AES CTR self-check detected failure in the SSSE3 based - implementation. + - New cipher mode XTS - - Remove gratuitous select before the getrandom syscall. + - New hash function Blake-2 + - New function gcry_mpi_point_copy. -Noteworthy changes in version 1.7.5 (2016-12-15) [C21/A1/R5] ------------------------------------------------- + - New function gcry_get_config. - * Bug fixes: + - GCRYCTL_REINIT_SYSCALL_CLAMP allows to init nPth after Libgcrypt. - - Fix regression in mlock detection [bug#2870]. + - New global configuration file /etc/gcrypt/random.conf. + * Extended interfaces: -Noteworthy changes in version 1.7.4 (2016-12-09) [C21/A1/R4] ------------------------------------------------- + - GCRYCTL_PRINT_CONFIG does now also print build information for + libgpg-error and the used compiler version. + + - GCRY_CIPHER_MODE_CFB8 is now supported. + + - Add Stribog OIDs. [also in 1.7.4] * Performance: + - A jitter based entropy collector is now used in addition to the + other entropy collectors. + + - Optimized gcry_md_hash_buffers for SHA-256 and SHA-512. + - More ARMv8/AArch32 improvements for AES, GCM, SHA-256, and SHA-1. + [also in 1.7.4] - Add ARMv8/AArch32 assembly implementation for Twofish and - Camellia. + Camellia. [also in 1.7.4] - Add bulk processing implementation for ARMv8/AArch32. - - - Add Stribog OIDs. + [also in 1.7.4] - Improve the DRBG performance and sync the code with the Linux - version. + version. [also in 1.7.4] * Internal changes: + - Libgpg-error 1.25 is now required. This avoids stalling of nPth + threads due to contention on internal Libgcrypt locks (e.g. the + random pool lock). + + - The system call clamp of libgpg-error is now used to wrap the + blocking read of /dev/random. This allows other nPth threads to + run while Libgcrypt is gathering entropy. + - When secure memory is requested by the MPI functions or by gcry_xmalloc_secure, they do not anymore lead to a fatal error if the secure memory pool is used up. Instead new pools are allocated as needed. These new pools are not protected against being swapped out (mlock can't be used). However, these days this is considered a minor issue and can easily be mitigated by - using encrypted swap space. + using encrypted swap space. [also in 1.7.4] * Bug fixes: - - Fix GOST 28147 CryptoPro-B S-box. + - Fix AES CTR self-check detected failure in the SSSE3 based + implementation. [also in 1.7.6] + + - Remove gratuitous select before the getrandom syscall. + [also in 1.7.6] + + - Fix regression in mlock detection. [bug#2870] [also in 1.7.5] - - Fix error code handling of mlock calls. + - Fix GOST 28147 CryptoPro-B S-box. [also in 1.7.4] + + - Fix error code handling of mlock calls. [also in 1.7.4] + + - Fix possible timing attack on EdDSA session key. [also in 1.7.7] + + - Fix long standing bug in secure memory implementation which could + lead to a segv on free. [bug#3027] [also in 1.7.7] + + - Mitigate a flush+reload side-channel attack on RSA secret keys + dubbed "Sliding right into disaster". For details see + . [CVE-2017-7526] [also in 1.7.8] + + * Interface changes relative to the 1.7.0 release: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + gcry_get_config NEW function. + gcry_mpi_point_copy NEW function. + GCRYCTL_REINIT_SYSCALL_CLAMP NEW macro. + GCRY_MD_BLAKE2B_512 NEW constant. + GCRY_MD_BLAKE2B_384 NEW constant. + GCRY_MD_BLAKE2B_256 NEW constant. + GCRY_MD_BLAKE2B_160 NEW constant. + GCRY_MD_BLAKE2S_256 NEW constant. + GCRY_MD_BLAKE2S_224 NEW constant. + GCRY_MD_BLAKE2S_160 NEW constant. + GCRY_MD_BLAKE2S_128 NEW constant. + GCRY_CIPHER_MODE_XTS NEW constant. + gcry_md_info DEPRECATED. + + * Release dates of 1.7.x versions: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Version 1.7.8 (2017-06-29) [C21/A1/R8] + Version 1.7.7 (2017-06-02) [C21/A1/R7] + Version 1.7.6 (2017-01-18) [C21/A1/R6] + Version 1.7.5 (2016-12-15) [C21/A1/R5] + Version 1.7.4 (2016-12-09) [C21/A1/R4] Noteworthy changes in version 1.7.3 (2016-08-17) [C21/A1/R3] diff --git a/README b/README index 7c08a5b..c14181a 100644 --- a/README +++ b/README @@ -2,7 +2,7 @@ ------------------------------------ Version 1.7 - Copyright (C) 1989,1991-2016 Free Software Foundation, Inc. + Copyright (C) 1989,1991-2017 Free Software Foundation, Inc. Copyright (C) 2012-2017 g10 Code GmbH Copyright (C) 2013-2017 Jussi Kivilinna diff --git a/TODO b/TODO index ffadc06..7aa4de1 100644 --- a/TODO +++ b/TODO @@ -18,7 +18,7 @@ * Add attributes to the MPI functions. -* cipher/pubkey.c and pubkey implementaions. +* cipher/pubkey.c and pubkey implementations. Don't rely on the secure memory based wiping function but add an extra wiping. diff --git a/VERSION b/VERSION index 91c74a5..a8fdfda 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.7.7 +1.8.1 diff --git a/acinclude.m4 b/acinclude.m4 index dcdadfd..fc208c5 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -29,7 +29,7 @@ define([GCRY_MSG_SHOW], dnl GCRY_MSG_WRAP(PREFIX, ALGOLIST) dnl Print a nicely formatted list of algorithms -dnl with an approriate line wrap. +dnl with an appropriate line wrap. dnl define([GCRY_MSG_WRAP], [ @@ -275,7 +275,7 @@ AC_CHECK_TOOL(AS, as, false) ]) dnl LIST_MEMBER() -dnl Check wether an element ist contained in a list. Set `found' to +dnl Check whether an element ist contained in a list. Set `found' to dnl `1' if the element is found in the list, to `0' otherwise. AC_DEFUN([LIST_MEMBER], [ diff --git a/build-aux/texinfo.tex b/build-aux/texinfo.tex index a181898..5a17f97 100644 --- a/build-aux/texinfo.tex +++ b/build-aux/texinfo.tex @@ -415,7 +415,7 @@ \def\argremovecomment#1\comment#2\ArgTerm{\argremovec #1\c\ArgTerm} \def\argremovec#1\c#2\ArgTerm{\argcheckspaces#1\^^M\ArgTerm} -% Each occurence of `\^^M' or `\^^M' is replaced by a single space. +% Each occurrence of `\^^M' or `\^^M' is replaced by a single space. % % \argremovec might leave us with trailing space, e.g., % @end itemize @c foo @@ -440,7 +440,7 @@ % to get _exactly_ the rest of the line, we had to prevent such situation. % We prepended an \empty token at the very beginning and we expand it now, % just before passing the control to \argtorun. -% (Similarily, we have to think about #3 of \argcheckspacesY above: it is +% (Similarly, we have to think about #3 of \argcheckspacesY above: it is % either the null string, or it ends with \^^M---thus there is no danger % that a pair of braces would be stripped. % @@ -497,7 +497,7 @@ % used to check whether the current environment is the one expected. % % Non-false conditionals (@iftex, @ifset) don't fit into this, so they -% are not treated as enviroments; they don't open a group. (The +% are not treated as environments; they don't open a group. (The % implementation of @end takes care not to call \endgroup in this % special case.) @@ -520,7 +520,7 @@ \fi } -% Evironment mismatch, #1 expected: +% Environment mismatch, #1 expected: \def\badenverr{% \errhelp = \EMsimple \errmessage{This command can appear only \inenvironment\temp, @@ -7034,7 +7034,7 @@ end % In case a @footnote appears in a vbox, save the footnote text and create % the real \insert just after the vbox finished. Otherwise, the insertion % would be lost. -% Similarily, if a @footnote appears inside an alignment, save the footnote +% Similarly, if a @footnote appears inside an alignment, save the footnote % text to a box and make the \insert when a row of the table is finished. % And the same can be done for other insert classes. --kasal, 16nov03. diff --git a/cipher/Makefile.am b/cipher/Makefile.am index ac0ec58..95c4510 100644 --- a/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -44,7 +44,7 @@ cipher.c cipher-internal.h \ cipher-cbc.c cipher-cfb.c cipher-ofb.c cipher-ctr.c cipher-aeswrap.c \ cipher-ccm.c cipher-cmac.c cipher-gcm.c cipher-gcm-intel-pclmul.c \ cipher-gcm-armv8-aarch32-ce.S cipher-gcm-armv8-aarch64-ce.S \ -cipher-poly1305.c cipher-ocb.c \ +cipher-poly1305.c cipher-ocb.c cipher-xts.c \ cipher-selftest.c cipher-selftest.h \ pubkey.c pubkey-internal.h pubkey-util.c \ md.c \ @@ -80,7 +80,8 @@ md4.c \ md5.c \ poly1305-sse2-amd64.S poly1305-avx2-amd64.S poly1305-armv7-neon.S \ rijndael.c rijndael-internal.h rijndael-tables.h rijndael-aesni.c \ - rijndael-padlock.c rijndael-amd64.S rijndael-arm.S rijndael-ssse3-amd64.c \ + rijndael-padlock.c rijndael-amd64.S rijndael-arm.S \ + rijndael-ssse3-amd64.c rijndael-ssse3-amd64-asm.S \ rijndael-armv8-ce.c rijndael-armv8-aarch32-ce.S rijndael-armv8-aarch64-ce.S \ rijndael-aarch64.S \ rmd160.c \ @@ -100,9 +101,11 @@ stribog.c \ tiger.c \ whirlpool.c whirlpool-sse2-amd64.S \ twofish.c twofish-amd64.S twofish-arm.S twofish-aarch64.S \ + twofish-avx2-amd64.S \ rfc2268.c \ camellia.c camellia.h camellia-glue.c camellia-aesni-avx-amd64.S \ - camellia-aesni-avx2-amd64.S camellia-arm.S camellia-aarch64.S + camellia-aesni-avx2-amd64.S camellia-arm.S camellia-aarch64.S \ +blake2.c gost28147.lo: gost-sb.h gost-sb.h: gost-s-box diff --git a/cipher/Makefile.in b/cipher/Makefile.in index 90b7210..7c91bb9 100644 --- a/cipher/Makefile.in +++ b/cipher/Makefile.in @@ -122,10 +122,11 @@ am_libcipher_la_OBJECTS = cipher.lo cipher-cbc.lo cipher-cfb.lo \ cipher-ofb.lo cipher-ctr.lo cipher-aeswrap.lo cipher-ccm.lo \ cipher-cmac.lo cipher-gcm.lo cipher-gcm-intel-pclmul.lo \ cipher-gcm-armv8-aarch32-ce.lo cipher-gcm-armv8-aarch64-ce.lo \ - cipher-poly1305.lo cipher-ocb.lo cipher-selftest.lo pubkey.lo \ - pubkey-util.lo md.lo mac.lo mac-hmac.lo mac-cmac.lo \ - mac-gmac.lo mac-poly1305.lo poly1305.lo kdf.lo hmac-tests.lo \ - primegen.lo hash-common.lo dsa-common.lo rsa-common.lo + cipher-poly1305.lo cipher-ocb.lo cipher-xts.lo \ + cipher-selftest.lo pubkey.lo pubkey-util.lo md.lo mac.lo \ + mac-hmac.lo mac-cmac.lo mac-gmac.lo mac-poly1305.lo \ + poly1305.lo kdf.lo hmac-tests.lo primegen.lo hash-common.lo \ + dsa-common.lo rsa-common.lo libcipher_la_OBJECTS = $(am_libcipher_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -383,7 +384,7 @@ cipher.c cipher-internal.h \ cipher-cbc.c cipher-cfb.c cipher-ofb.c cipher-ctr.c cipher-aeswrap.c \ cipher-ccm.c cipher-cmac.c cipher-gcm.c cipher-gcm-intel-pclmul.c \ cipher-gcm-armv8-aarch32-ce.S cipher-gcm-armv8-aarch64-ce.S \ -cipher-poly1305.c cipher-ocb.c \ +cipher-poly1305.c cipher-ocb.c cipher-xts.c \ cipher-selftest.c cipher-selftest.h \ pubkey.c pubkey-internal.h pubkey-util.c \ md.c \ @@ -419,7 +420,8 @@ md4.c \ md5.c \ poly1305-sse2-amd64.S poly1305-avx2-amd64.S poly1305-armv7-neon.S \ rijndael.c rijndael-internal.h rijndael-tables.h rijndael-aesni.c \ - rijndael-padlock.c rijndael-amd64.S rijndael-arm.S rijndael-ssse3-amd64.c \ + rijndael-padlock.c rijndael-amd64.S rijndael-arm.S \ + rijndael-ssse3-amd64.c rijndael-ssse3-amd64-asm.S \ rijndael-armv8-ce.c rijndael-armv8-aarch32-ce.S rijndael-armv8-aarch64-ce.S \ rijndael-aarch64.S \ rmd160.c \ @@ -439,9 +441,11 @@ stribog.c \ tiger.c \ whirlpool.c whirlpool-sse2-amd64.S \ twofish.c twofish-amd64.S twofish-arm.S twofish-aarch64.S \ + twofish-avx2-amd64.S \ rfc2268.c \ camellia.c camellia.h camellia-glue.c camellia-aesni-avx-amd64.S \ - camellia-aesni-avx2-amd64.S camellia-arm.S camellia-aarch64.S + camellia-aesni-avx2-amd64.S camellia-arm.S camellia-aarch64.S \ +blake2.c @ENABLE_O_FLAG_MUNGING_FALSE@o_flag_munging = cat @ENABLE_O_FLAG_MUNGING_TRUE@o_flag_munging = sed -e 's/-O\([2-9s][2-9s]*\)/-O1/' -e 's/-Ofast/-O1/g' @@ -502,6 +506,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/arcfour-amd64.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/arcfour.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blake2.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish-amd64.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish-arm.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish.Plo@am__quote@ @@ -533,6 +538,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-ofb.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-poly1305.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-selftest.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher-xts.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crc-intel-pclmul.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crc.Plo@am__quote@ @@ -579,6 +585,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-armv8-aarch64-ce.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-armv8-ce.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-padlock.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-ssse3-amd64-asm.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-ssse3-amd64.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rmd160.Plo@am__quote@ @@ -617,6 +624,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish-aarch64.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish-amd64.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish-arm.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish-avx2-amd64.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whirlpool-sse2-amd64.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whirlpool.Plo@am__quote@ diff --git a/cipher/bithelp.h b/cipher/bithelp.h index 4575380..26ef7c3 100644 --- a/cipher/bithelp.h +++ b/cipher/bithelp.h @@ -35,6 +35,11 @@ static inline u32 ror(u32 x, int n) return ( (x >> (n&(32-1))) | (x << ((32-n)&(32-1))) ); } +static inline u64 rol64(u64 x, int n) +{ + return ( (x << (n&(64-1))) | (x >> ((64-n)&(64-1))) ); +} + /* Byte swap for 32-bit and 64-bit integers. If available, use compiler provided helpers. */ #ifdef HAVE_BUILTIN_BSWAP32 diff --git a/cipher/blake2.c b/cipher/blake2.c new file mode 100644 index 0000000..0e4cf9b --- /dev/null +++ b/cipher/blake2.c @@ -0,0 +1,872 @@ +/* blake2.c - BLAKE2b and BLAKE2s hash functions (RFC 7693) + * Copyright (C) 2017 Jussi Kivilinna + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser general Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +/* The code is based on public-domain/CC0 BLAKE2 reference implementation + * by Samual Neves, at https://github.com/BLAKE2/BLAKE2/tree/master/ref + * Copyright 2012, Samuel Neves + */ + +#include +#include +#include "g10lib.h" +#include "bithelp.h" +#include "bufhelp.h" +#include "cipher.h" +#include "hash-common.h" + +#define BLAKE2B_BLOCKBYTES 128 +#define BLAKE2B_OUTBYTES 64 +#define BLAKE2B_KEYBYTES 64 + +#define BLAKE2S_BLOCKBYTES 64 +#define BLAKE2S_OUTBYTES 32 +#define BLAKE2S_KEYBYTES 32 + +typedef struct +{ + u64 h[8]; + u64 t[2]; + u64 f[2]; +} BLAKE2B_STATE; + +struct blake2b_param_s +{ + byte digest_length; + byte key_length; + byte fanout; + byte depth; + byte leaf_length[4]; + byte node_offset[4]; + byte xof_length[4]; + byte node_depth; + byte inner_length; + byte reserved[14]; + byte salt[16]; + byte personal[16]; +}; + +typedef struct BLAKE2B_CONTEXT_S +{ + BLAKE2B_STATE state; + byte buf[BLAKE2B_BLOCKBYTES]; + size_t buflen; + size_t outlen; +} BLAKE2B_CONTEXT; + +typedef struct +{ + u32 h[8]; + u32 t[2]; + u32 f[2]; +} BLAKE2S_STATE; + +struct blake2s_param_s +{ + byte digest_length; + byte key_length; + byte fanout; + byte depth; + byte leaf_length[4]; + byte node_offset[4]; + byte xof_length[2]; + byte node_depth; + byte inner_length; + /* byte reserved[0]; */ + byte salt[8]; + byte personal[8]; +}; + +typedef struct BLAKE2S_CONTEXT_S +{ + BLAKE2S_STATE state; + byte buf[BLAKE2S_BLOCKBYTES]; + size_t buflen; + size_t outlen; +} BLAKE2S_CONTEXT; + +typedef unsigned int (*blake2_transform_t)(void *S, const void *inblk, + size_t nblks); + + +static const u64 blake2b_IV[8] = +{ + U64_C(0x6a09e667f3bcc908), U64_C(0xbb67ae8584caa73b), + U64_C(0x3c6ef372fe94f82b), U64_C(0xa54ff53a5f1d36f1), + U64_C(0x510e527fade682d1), U64_C(0x9b05688c2b3e6c1f), + U64_C(0x1f83d9abfb41bd6b), U64_C(0x5be0cd19137e2179) +}; + +static const u32 blake2s_IV[8] = +{ + 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL, + 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL +}; + +static byte zero_block[BLAKE2B_BLOCKBYTES] = { 0, }; + + +static void blake2_write(void *S, const void *inbuf, size_t inlen, + byte *tmpbuf, size_t *tmpbuflen, size_t blkbytes, + blake2_transform_t transform_fn) +{ + const byte* in = inbuf; + unsigned int burn = 0; + + if (inlen > 0) + { + size_t left = *tmpbuflen; + size_t fill = blkbytes - left; + size_t nblks; + + if (inlen > fill) + { + if (fill > 0) + buf_cpy (tmpbuf + left, in, fill); /* Fill buffer */ + left = 0; + + burn = transform_fn (S, tmpbuf, 1); /* Increment counter + Compress */ + + in += fill; + inlen -= fill; + + nblks = inlen / blkbytes - !(inlen % blkbytes); + if (nblks) + { + burn = transform_fn(S, in, nblks); + in += blkbytes * nblks; + inlen -= blkbytes * nblks; + } + } + + gcry_assert (inlen > 0); + + buf_cpy (tmpbuf + left, in, inlen); + *tmpbuflen = left + inlen; + } + + if (burn) + _gcry_burn_stack (burn); + + return; +} + + +static inline void blake2b_set_lastblock(BLAKE2B_STATE *S) +{ + S->f[0] = U64_C(0xffffffffffffffff); +} + +static inline int blake2b_is_lastblock(const BLAKE2B_STATE *S) +{ + return S->f[0] != 0; +} + +static inline void blake2b_increment_counter(BLAKE2B_STATE *S, const int inc) +{ + S->t[0] += (u64)inc; + S->t[1] += (S->t[0] < (u64)inc) - (inc < 0); +} + +static inline u64 rotr64(u64 x, u64 n) +{ + return ((x >> (n & 63)) | (x << ((64 - n) & 63))); +} + +static unsigned int blake2b_transform(void *vS, const void *inblks, + size_t nblks) +{ + static const byte blake2b_sigma[12][16] = + { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 }, + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } + }; + BLAKE2B_STATE *S = vS; + const byte* in = inblks; + u64 m[16]; + u64 v[16]; + + while (nblks--) + { + /* Increment counter */ + blake2b_increment_counter (S, BLAKE2B_BLOCKBYTES); + + /* Compress */ + m[0] = buf_get_le64 (in + 0 * sizeof(m[0])); + m[1] = buf_get_le64 (in + 1 * sizeof(m[0])); + m[2] = buf_get_le64 (in + 2 * sizeof(m[0])); + m[3] = buf_get_le64 (in + 3 * sizeof(m[0])); + m[4] = buf_get_le64 (in + 4 * sizeof(m[0])); + m[5] = buf_get_le64 (in + 5 * sizeof(m[0])); + m[6] = buf_get_le64 (in + 6 * sizeof(m[0])); + m[7] = buf_get_le64 (in + 7 * sizeof(m[0])); + m[8] = buf_get_le64 (in + 8 * sizeof(m[0])); + m[9] = buf_get_le64 (in + 9 * sizeof(m[0])); + m[10] = buf_get_le64 (in + 10 * sizeof(m[0])); + m[11] = buf_get_le64 (in + 11 * sizeof(m[0])); + m[12] = buf_get_le64 (in + 12 * sizeof(m[0])); + m[13] = buf_get_le64 (in + 13 * sizeof(m[0])); + m[14] = buf_get_le64 (in + 14 * sizeof(m[0])); + m[15] = buf_get_le64 (in + 15 * sizeof(m[0])); + + v[ 0] = S->h[0]; + v[ 1] = S->h[1]; + v[ 2] = S->h[2]; + v[ 3] = S->h[3]; + v[ 4] = S->h[4]; + v[ 5] = S->h[5]; + v[ 6] = S->h[6]; + v[ 7] = S->h[7]; + v[ 8] = blake2b_IV[0]; + v[ 9] = blake2b_IV[1]; + v[10] = blake2b_IV[2]; + v[11] = blake2b_IV[3]; + v[12] = blake2b_IV[4] ^ S->t[0]; + v[13] = blake2b_IV[5] ^ S->t[1]; + v[14] = blake2b_IV[6] ^ S->f[0]; + v[15] = blake2b_IV[7] ^ S->f[1]; + +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2b_sigma[r][2*i+0]]; \ + d = rotr64(d ^ a, 32); \ + c = c + d; \ + b = rotr64(b ^ c, 24); \ + a = a + b + m[blake2b_sigma[r][2*i+1]]; \ + d = rotr64(d ^ a, 16); \ + c = c + d; \ + b = rotr64(b ^ c, 63); \ + } while(0) + +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while(0) + + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); + ROUND(10); + ROUND(11); + +#undef G +#undef ROUND + + S->h[0] = S->h[0] ^ v[0] ^ v[0 + 8]; + S->h[1] = S->h[1] ^ v[1] ^ v[1 + 8]; + S->h[2] = S->h[2] ^ v[2] ^ v[2 + 8]; + S->h[3] = S->h[3] ^ v[3] ^ v[3 + 8]; + S->h[4] = S->h[4] ^ v[4] ^ v[4 + 8]; + S->h[5] = S->h[5] ^ v[5] ^ v[5 + 8]; + S->h[6] = S->h[6] ^ v[6] ^ v[6 + 8]; + S->h[7] = S->h[7] ^ v[7] ^ v[7 + 8]; + + in += BLAKE2B_BLOCKBYTES; + } + + return sizeof(void *) * 4 + sizeof(u64) * 16 * 2; +} + +static void blake2b_final(void *ctx) +{ + BLAKE2B_CONTEXT *c = ctx; + BLAKE2B_STATE *S = &c->state; + unsigned int burn; + size_t i; + + gcry_assert (sizeof(c->buf) >= c->outlen); + if (blake2b_is_lastblock(S)) + return; + + if (c->buflen < BLAKE2B_BLOCKBYTES) + memset (c->buf + c->buflen, 0, BLAKE2B_BLOCKBYTES - c->buflen); /* Padding */ + blake2b_set_lastblock (S); + blake2b_increment_counter (S, (int)c->buflen - BLAKE2B_BLOCKBYTES); + burn = blake2b_transform (S, c->buf, 1); + + /* Output full hash to buffer */ + for (i = 0; i < 8; ++i) + buf_put_le64 (c->buf + sizeof(S->h[i]) * i, S->h[i]); + + /* Zero out extra buffer bytes. */ + if (c->outlen < sizeof(c->buf)) + memset (c->buf + c->outlen, 0, sizeof(c->buf) - c->outlen); + + if (burn) + _gcry_burn_stack (burn); +} + +static byte *blake2b_read(void *ctx) +{ + BLAKE2B_CONTEXT *c = ctx; + return c->buf; +} + +static void blake2b_write(void *ctx, const void *inbuf, size_t inlen) +{ + BLAKE2B_CONTEXT *c = ctx; + BLAKE2B_STATE *S = &c->state; + blake2_write(S, inbuf, inlen, c->buf, &c->buflen, BLAKE2B_BLOCKBYTES, + blake2b_transform); +} + +static inline void blake2b_init_param(BLAKE2B_STATE *S, + const struct blake2b_param_s *P) +{ + const byte *p = (const byte *)P; + size_t i; + + /* init xors IV with input parameter block */ + + /* IV XOR ParamBlock */ + for (i = 0; i < 8; ++i) + S->h[i] = blake2b_IV[i] ^ buf_get_le64(p + sizeof(S->h[i]) * i); +} + +static inline gcry_err_code_t blake2b_init(BLAKE2B_CONTEXT *ctx, + const byte *key, size_t keylen) +{ + struct blake2b_param_s P[1] = { { 0, } }; + BLAKE2B_STATE *S = &ctx->state; + + if (!ctx->outlen || ctx->outlen > BLAKE2B_OUTBYTES) + return GPG_ERR_INV_ARG; + if (sizeof(P[0]) != sizeof(u64) * 8) + return GPG_ERR_INTERNAL; + if (keylen && (!key || keylen > BLAKE2B_KEYBYTES)) + return GPG_ERR_INV_KEYLEN; + + P->digest_length = ctx->outlen; + P->key_length = keylen; + P->fanout = 1; + P->depth = 1; + + blake2b_init_param (S, P); + wipememory (P, sizeof(P)); + + if (key) + { + blake2b_write (ctx, key, keylen); + blake2b_write (ctx, zero_block, BLAKE2B_BLOCKBYTES - keylen); + } + + return 0; +} + +static gcry_err_code_t blake2b_init_ctx(void *ctx, unsigned int flags, + const byte *key, size_t keylen, + unsigned int dbits) +{ + BLAKE2B_CONTEXT *c = ctx; + + (void)flags; + + memset (c, 0, sizeof (*c)); + + c->outlen = dbits / 8; + c->buflen = 0; + return blake2b_init(c, key, keylen); +} + +static inline void blake2s_set_lastblock(BLAKE2S_STATE *S) +{ + S->f[0] = 0xFFFFFFFFUL; +} + +static inline int blake2s_is_lastblock(BLAKE2S_STATE *S) +{ + return S->f[0] != 0; +} + +static inline void blake2s_increment_counter(BLAKE2S_STATE *S, const int inc) +{ + S->t[0] += (u32)inc; + S->t[1] += (S->t[0] < (u32)inc) - (inc < 0); +} + +static unsigned int blake2s_transform(void *vS, const void *inblks, + size_t nblks) +{ + static const byte blake2s_sigma[10][16] = + { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 }, + }; + BLAKE2S_STATE *S = vS; + unsigned int burn = 0; + const byte* in = inblks; + u32 m[16]; + u32 v[16]; + + while (nblks--) + { + /* Increment counter */ + blake2s_increment_counter (S, BLAKE2S_BLOCKBYTES); + + /* Compress */ + m[0] = buf_get_le32 (in + 0 * sizeof(m[0])); + m[1] = buf_get_le32 (in + 1 * sizeof(m[0])); + m[2] = buf_get_le32 (in + 2 * sizeof(m[0])); + m[3] = buf_get_le32 (in + 3 * sizeof(m[0])); + m[4] = buf_get_le32 (in + 4 * sizeof(m[0])); + m[5] = buf_get_le32 (in + 5 * sizeof(m[0])); + m[6] = buf_get_le32 (in + 6 * sizeof(m[0])); + m[7] = buf_get_le32 (in + 7 * sizeof(m[0])); + m[8] = buf_get_le32 (in + 8 * sizeof(m[0])); + m[9] = buf_get_le32 (in + 9 * sizeof(m[0])); + m[10] = buf_get_le32 (in + 10 * sizeof(m[0])); + m[11] = buf_get_le32 (in + 11 * sizeof(m[0])); + m[12] = buf_get_le32 (in + 12 * sizeof(m[0])); + m[13] = buf_get_le32 (in + 13 * sizeof(m[0])); + m[14] = buf_get_le32 (in + 14 * sizeof(m[0])); + m[15] = buf_get_le32 (in + 15 * sizeof(m[0])); + + v[ 0] = S->h[0]; + v[ 1] = S->h[1]; + v[ 2] = S->h[2]; + v[ 3] = S->h[3]; + v[ 4] = S->h[4]; + v[ 5] = S->h[5]; + v[ 6] = S->h[6]; + v[ 7] = S->h[7]; + v[ 8] = blake2s_IV[0]; + v[ 9] = blake2s_IV[1]; + v[10] = blake2s_IV[2]; + v[11] = blake2s_IV[3]; + v[12] = S->t[0] ^ blake2s_IV[4]; + v[13] = S->t[1] ^ blake2s_IV[5]; + v[14] = S->f[0] ^ blake2s_IV[6]; + v[15] = S->f[1] ^ blake2s_IV[7]; + +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2s_sigma[r][2*i+0]]; \ + d = ror(d ^ a, 16); \ + c = c + d; \ + b = ror(b ^ c, 12); \ + a = a + b + m[blake2s_sigma[r][2*i+1]]; \ + d = ror(d ^ a, 8); \ + c = c + d; \ + b = ror(b ^ c, 7); \ + } while(0) + +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while(0) + + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); + +#undef G +#undef ROUND + + S->h[0] = S->h[0] ^ v[0] ^ v[0 + 8]; + S->h[1] = S->h[1] ^ v[1] ^ v[1 + 8]; + S->h[2] = S->h[2] ^ v[2] ^ v[2 + 8]; + S->h[3] = S->h[3] ^ v[3] ^ v[3 + 8]; + S->h[4] = S->h[4] ^ v[4] ^ v[4 + 8]; + S->h[5] = S->h[5] ^ v[5] ^ v[5 + 8]; + S->h[6] = S->h[6] ^ v[6] ^ v[6 + 8]; + S->h[7] = S->h[7] ^ v[7] ^ v[7 + 8]; + + in += BLAKE2S_BLOCKBYTES; + } + + return burn; +} + +static void blake2s_final(void *ctx) +{ + BLAKE2S_CONTEXT *c = ctx; + BLAKE2S_STATE *S = &c->state; + unsigned int burn; + size_t i; + + gcry_assert (sizeof(c->buf) >= c->outlen); + if (blake2s_is_lastblock(S)) + return; + + if (c->buflen < BLAKE2S_BLOCKBYTES) + memset (c->buf + c->buflen, 0, BLAKE2S_BLOCKBYTES - c->buflen); /* Padding */ + blake2s_set_lastblock (S); + blake2s_increment_counter (S, (int)c->buflen - BLAKE2S_BLOCKBYTES); + burn = blake2s_transform (S, c->buf, 1); + + /* Output full hash to buffer */ + for (i = 0; i < 8; ++i) + buf_put_le32 (c->buf + sizeof(S->h[i]) * i, S->h[i]); + + /* Zero out extra buffer bytes. */ + if (c->outlen < sizeof(c->buf)) + memset (c->buf + c->outlen, 0, sizeof(c->buf) - c->outlen); + + if (burn) + _gcry_burn_stack (burn); +} + +static byte *blake2s_read(void *ctx) +{ + BLAKE2S_CONTEXT *c = ctx; + return c->buf; +} + +static void blake2s_write(void *ctx, const void *inbuf, size_t inlen) +{ + BLAKE2S_CONTEXT *c = ctx; + BLAKE2S_STATE *S = &c->state; + blake2_write(S, inbuf, inlen, c->buf, &c->buflen, BLAKE2S_BLOCKBYTES, + blake2s_transform); +} + +static inline void blake2s_init_param(BLAKE2S_STATE *S, + const struct blake2s_param_s *P) +{ + const byte *p = (const byte *)P; + size_t i; + + /* init2 xors IV with input parameter block */ + + /* IV XOR ParamBlock */ + for (i = 0; i < 8; ++i) + S->h[i] ^= blake2s_IV[i] ^ buf_get_le32(&p[i * 4]); +} + +static inline gcry_err_code_t blake2s_init(BLAKE2S_CONTEXT *ctx, + const byte *key, size_t keylen) +{ + struct blake2s_param_s P[1] = { { 0, } }; + BLAKE2S_STATE *S = &ctx->state; + + if (!ctx->outlen || ctx->outlen > BLAKE2S_OUTBYTES) + return GPG_ERR_INV_ARG; + if (sizeof(P[0]) != sizeof(u32) * 8) + return GPG_ERR_INTERNAL; + if (keylen && (!key || keylen > BLAKE2S_KEYBYTES)) + return GPG_ERR_INV_KEYLEN; + + P->digest_length = ctx->outlen; + P->key_length = keylen; + P->fanout = 1; + P->depth = 1; + + blake2s_init_param (S, P); + wipememory (P, sizeof(P)); + + if (key) + { + blake2s_write (ctx, key, keylen); + blake2s_write (ctx, zero_block, BLAKE2S_BLOCKBYTES - keylen); + } + + return 0; +} + +static gcry_err_code_t blake2s_init_ctx(void *ctx, unsigned int flags, + const byte *key, size_t keylen, + unsigned int dbits) +{ + BLAKE2S_CONTEXT *c = ctx; + + (void)flags; + + memset (c, 0, sizeof (*c)); + + c->outlen = dbits / 8; + c->buflen = 0; + return blake2s_init(c, key, keylen); +} + +/* Selftests from "RFC 7693, Appendix E. BLAKE2b and BLAKE2s Self-Test + * Module C Source". */ +static void selftest_seq(byte *out, size_t len, u32 seed) +{ + size_t i; + u32 t, a, b; + + a = 0xDEAD4BAD * seed; + b = 1; + + for (i = 0; i < len; i++) + { + t = a + b; + a = b; + b = t; + out[i] = (t >> 24) & 0xFF; + } +} + +static gpg_err_code_t +selftests_blake2b (int algo, int extended, selftest_report_func_t report) +{ + static const byte blake2b_res[32] = + { + 0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD, + 0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56, + 0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73, + 0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75 + }; + static const size_t b2b_md_len[4] = { 20, 32, 48, 64 }; + static const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 }; + size_t i, j, outlen, inlen; + byte in[1024], key[64]; + BLAKE2B_CONTEXT ctx; + BLAKE2B_CONTEXT ctx2; + const char *what; + const char *errtxt; + + (void)extended; + + what = "rfc7693 BLAKE2b selftest"; + + /* 256-bit hash for testing */ + if (blake2b_init_ctx(&ctx, 0, NULL, 0, 32 * 8)) + { + errtxt = "init failed"; + goto failed; + } + + for (i = 0; i < 4; i++) + { + outlen = b2b_md_len[i]; + for (j = 0; j < 6; j++) + { + inlen = b2b_in_len[j]; + + selftest_seq(in, inlen, inlen); /* unkeyed hash */ + blake2b_init_ctx(&ctx2, 0, NULL, 0, outlen * 8); + blake2b_write(&ctx2, in, inlen); + blake2b_final(&ctx2); + blake2b_write(&ctx, ctx2.buf, outlen); /* hash the hash */ + + selftest_seq(key, outlen, outlen); /* keyed hash */ + blake2b_init_ctx(&ctx2, 0, key, outlen, outlen * 8); + blake2b_write(&ctx2, in, inlen); + blake2b_final(&ctx2); + blake2b_write(&ctx, ctx2.buf, outlen); /* hash the hash */ + } + } + + /* compute and compare the hash of hashes */ + blake2b_final(&ctx); + for (i = 0; i < 32; i++) + { + if (ctx.buf[i] != blake2b_res[i]) + { + errtxt = "digest mismatch"; + goto failed; + } + } + + return 0; + +failed: + if (report) + report ("digest", algo, what, errtxt); + return GPG_ERR_SELFTEST_FAILED; +} + +static gpg_err_code_t +selftests_blake2s (int algo, int extended, selftest_report_func_t report) +{ + static const byte blake2s_res[32] = + { + 0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD, + 0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC, + 0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87, + 0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE + }; + static const size_t b2s_md_len[4] = { 16, 20, 28, 32 }; + static const size_t b2s_in_len[6] = { 0, 3, 64, 65, 255, 1024 }; + size_t i, j, outlen, inlen; + byte in[1024], key[32]; + BLAKE2S_CONTEXT ctx; + BLAKE2S_CONTEXT ctx2; + const char *what; + const char *errtxt; + + (void)extended; + + what = "rfc7693 BLAKE2s selftest"; + + /* 256-bit hash for testing */ + if (blake2s_init_ctx(&ctx, 0, NULL, 0, 32 * 8)) + { + errtxt = "init failed"; + goto failed; + } + + for (i = 0; i < 4; i++) + { + outlen = b2s_md_len[i]; + for (j = 0; j < 6; j++) + { + inlen = b2s_in_len[j]; + + selftest_seq(in, inlen, inlen); /* unkeyed hash */ + blake2s_init_ctx(&ctx2, 0, NULL, 0, outlen * 8); + blake2s_write(&ctx2, in, inlen); + blake2s_final(&ctx2); + blake2s_write(&ctx, ctx2.buf, outlen); /* hash the hash */ + + selftest_seq(key, outlen, outlen); /* keyed hash */ + blake2s_init_ctx(&ctx2, 0, key, outlen, outlen * 8); + blake2s_write(&ctx2, in, inlen); + blake2s_final(&ctx2); + blake2s_write(&ctx, ctx2.buf, outlen); /* hash the hash */ + } + } + + /* compute and compare the hash of hashes */ + blake2s_final(&ctx); + for (i = 0; i < 32; i++) + { + if (ctx.buf[i] != blake2s_res[i]) + { + errtxt = "digest mismatch"; + goto failed; + } + } + + return 0; + +failed: + if (report) + report ("digest", algo, what, errtxt); + return GPG_ERR_SELFTEST_FAILED; +} + + +gcry_err_code_t _gcry_blake2_init_with_key(void *ctx, unsigned int flags, + const unsigned char *key, + size_t keylen, int algo) +{ + gcry_err_code_t rc; + switch (algo) + { + case GCRY_MD_BLAKE2B_512: + rc = blake2b_init_ctx (ctx, flags, key, keylen, 512); + break; + case GCRY_MD_BLAKE2B_384: + rc = blake2b_init_ctx (ctx, flags, key, keylen, 384); + break; + case GCRY_MD_BLAKE2B_256: + rc = blake2b_init_ctx (ctx, flags, key, keylen, 256); + break; + case GCRY_MD_BLAKE2B_160: + rc = blake2b_init_ctx (ctx, flags, key, keylen, 160); + break; + case GCRY_MD_BLAKE2S_256: + rc = blake2s_init_ctx (ctx, flags, key, keylen, 256); + break; + case GCRY_MD_BLAKE2S_224: + rc = blake2s_init_ctx (ctx, flags, key, keylen, 224); + break; + case GCRY_MD_BLAKE2S_160: + rc = blake2s_init_ctx (ctx, flags, key, keylen, 160); + break; + case GCRY_MD_BLAKE2S_128: + rc = blake2s_init_ctx (ctx, flags, key, keylen, 128); + break; + default: + rc = GPG_ERR_DIGEST_ALGO; + break; + } + + return rc; +} + + +#define DEFINE_BLAKE2_VARIANT(bs, BS, dbits, oid_branch) \ + static void blake2##bs##_##dbits##_init(void *ctx, unsigned int flags) \ + { \ + int err = blake2##bs##_init_ctx (ctx, flags, NULL, 0, dbits); \ + gcry_assert (err == 0); \ + } \ + static byte blake2##bs##_##dbits##_asn[] = { 0x30 }; \ + static gcry_md_oid_spec_t oid_spec_blake2##bs##_##dbits[] = \ + { \ + { " 1.3.6.1.4.1.1722.12.2." oid_branch }, \ + { NULL } \ + }; \ + gcry_md_spec_t _gcry_digest_spec_blake2##bs##_##dbits = \ + { \ + GCRY_MD_BLAKE2##BS##_##dbits, {0, 0}, \ + "BLAKE2" #BS "_" #dbits, blake2##bs##_##dbits##_asn, \ + DIM (blake2##bs##_##dbits##_asn), oid_spec_blake2##bs##_##dbits, \ + dbits / 8, blake2##bs##_##dbits##_init, blake2##bs##_write, \ + blake2##bs##_final, blake2##bs##_read, NULL, \ + sizeof (BLAKE2##BS##_CONTEXT), selftests_blake2##bs \ + }; + +DEFINE_BLAKE2_VARIANT(b, B, 512, "1.16") +DEFINE_BLAKE2_VARIANT(b, B, 384, "1.12") +DEFINE_BLAKE2_VARIANT(b, B, 256, "1.8") +DEFINE_BLAKE2_VARIANT(b, B, 160, "1.5") + +DEFINE_BLAKE2_VARIANT(s, S, 256, "2.8") +DEFINE_BLAKE2_VARIANT(s, S, 224, "2.7") +DEFINE_BLAKE2_VARIANT(s, S, 160, "2.5") +DEFINE_BLAKE2_VARIANT(s, S, 128, "2.4") diff --git a/cipher/bufhelp.h b/cipher/bufhelp.h index df35594..b854bc0 100644 --- a/cipher/bufhelp.h +++ b/cipher/bufhelp.h @@ -1,5 +1,5 @@ /* bufhelp.h - Some buffer manipulation helpers - * Copyright (C) 2012 Jussi Kivilinna + * Copyright (C) 2012-2017 Jussi Kivilinna * * This file is part of Libgcrypt. * @@ -20,12 +20,23 @@ #define GCRYPT_BUFHELP_H +#include "g10lib.h" #include "bithelp.h" -#undef BUFHELP_FAST_UNALIGNED_ACCESS +#undef BUFHELP_UNALIGNED_ACCESS #if defined(HAVE_GCC_ATTRIBUTE_PACKED) && \ defined(HAVE_GCC_ATTRIBUTE_ALIGNED) && \ + defined(HAVE_GCC_ATTRIBUTE_MAY_ALIAS) +/* Compiler is supports attributes needed for automatically issuing unaligned + memory access instructions. + */ +# define BUFHELP_UNALIGNED_ACCESS 1 +#endif + + +#undef BUFHELP_FAST_UNALIGNED_ACCESS +#if defined(BUFHELP_UNALIGNED_ACCESS) && \ (defined(__i386__) || defined(__x86_64__) || \ (defined(__arm__) && defined(__ARM_FEATURE_UNALIGNED)) || \ defined(__aarch64__)) @@ -43,16 +54,23 @@ typedef struct bufhelp_int_s { uintptr_t a; -} __attribute__((packed, aligned(1))) bufhelp_int_t; +} __attribute__((packed, aligned(1), may_alias)) bufhelp_int_t; #else /* Define type with default alignment for other architectures (unaligned accessed handled in per byte loops). */ +#ifdef HAVE_GCC_ATTRIBUTE_MAY_ALIAS +typedef struct bufhelp_int_s +{ + uintptr_t a; +} __attribute__((may_alias)) bufhelp_int_t; +#else typedef struct bufhelp_int_s { uintptr_t a; } bufhelp_int_t; #endif +#endif /* Optimized function for small buffer copying */ @@ -71,7 +89,7 @@ buf_cpy(void *_dst, const void *_src, size_t len) const unsigned int longmask = sizeof(bufhelp_int_t) - 1; /* Skip fast processing if buffers are unaligned. */ - if (((uintptr_t)dst | (uintptr_t)src) & longmask) + if (UNLIKELY(((uintptr_t)dst | (uintptr_t)src) & longmask)) goto do_bytes; #endif @@ -107,7 +125,7 @@ buf_xor(void *_dst, const void *_src1, const void *_src2, size_t len) const unsigned int longmask = sizeof(bufhelp_int_t) - 1; /* Skip fast processing if buffers are unaligned. */ - if (((uintptr_t)dst | (uintptr_t)src1 | (uintptr_t)src2) & longmask) + if (UNLIKELY(((uintptr_t)dst | (uintptr_t)src1 | (uintptr_t)src2) & longmask)) goto do_bytes; #endif @@ -143,7 +161,7 @@ buf_xor_1(void *_dst, const void *_src, size_t len) const unsigned int longmask = sizeof(bufhelp_int_t) - 1; /* Skip fast processing if buffers are unaligned. */ - if (((uintptr_t)dst | (uintptr_t)src) & longmask) + if (UNLIKELY(((uintptr_t)dst | (uintptr_t)src) & longmask)) goto do_bytes; #endif @@ -179,7 +197,7 @@ buf_xor_2dst(void *_dst1, void *_dst2, const void *_src, size_t len) const unsigned int longmask = sizeof(bufhelp_int_t) - 1; /* Skip fast processing if buffers are unaligned. */ - if (((uintptr_t)src | (uintptr_t)dst1 | (uintptr_t)dst2) & longmask) + if (UNLIKELY(((uintptr_t)src | (uintptr_t)dst1 | (uintptr_t)dst2) & longmask)) goto do_bytes; #endif @@ -221,8 +239,8 @@ buf_xor_n_copy_2(void *_dst_xor, const void *_src_xor, void *_srcdst_cpy, const unsigned int longmask = sizeof(bufhelp_int_t) - 1; /* Skip fast processing if buffers are unaligned. */ - if (((uintptr_t)src_cpy | (uintptr_t)src_xor | (uintptr_t)dst_xor | - (uintptr_t)srcdst_cpy) & longmask) + if (UNLIKELY(((uintptr_t)src_cpy | (uintptr_t)src_xor | (uintptr_t)dst_xor | + (uintptr_t)srcdst_cpy) & longmask)) goto do_bytes; #endif @@ -282,7 +300,7 @@ buf_eq_const(const void *_a, const void *_b, size_t len) } -#ifndef BUFHELP_FAST_UNALIGNED_ACCESS +#ifndef BUFHELP_UNALIGNED_ACCESS /* Functions for loading and storing unaligned u32 values of different endianness. */ @@ -365,12 +383,12 @@ static inline void buf_put_le64(void *_buf, u64 val) out[0] = val; } -#else /*BUFHELP_FAST_UNALIGNED_ACCESS*/ +#else /*BUFHELP_UNALIGNED_ACCESS*/ typedef struct bufhelp_u32_s { u32 a; -} __attribute__((packed, aligned(1))) bufhelp_u32_t; +} __attribute__((packed, aligned(1), may_alias)) bufhelp_u32_t; /* Functions for loading and storing unaligned u32 values of different endianness. */ @@ -400,7 +418,7 @@ static inline void buf_put_le32(void *_buf, u32 val) typedef struct bufhelp_u64_s { u64 a; -} __attribute__((packed, aligned(1))) bufhelp_u64_t; +} __attribute__((packed, aligned(1), may_alias)) bufhelp_u64_t; /* Functions for loading and storing unaligned u64 values of different endianness. */ @@ -427,6 +445,6 @@ static inline void buf_put_le64(void *_buf, u64 val) } -#endif /*BUFHELP_FAST_UNALIGNED_ACCESS*/ +#endif /*BUFHELP_UNALIGNED_ACCESS*/ #endif /*GCRYPT_BUFHELP_H*/ diff --git a/cipher/camellia-aesni-avx-amd64.S b/cipher/camellia-aesni-avx-amd64.S index 5a3a3cb..8022934 100644 --- a/cipher/camellia-aesni-avx-amd64.S +++ b/cipher/camellia-aesni-avx-amd64.S @@ -629,7 +629,7 @@ vmovdqu y6, 14 * 16(rio); \ vmovdqu y7, 15 * 16(rio); -.data +.text .align 16 #define SHUFB_BYTES(idx) \ @@ -773,7 +773,6 @@ .L0f0f0f0f: .long 0x0f0f0f0f -.text .align 8 ELF(.type __camellia_enc_blk16,@function;) @@ -1702,7 +1701,6 @@ ELF(.size _gcry_camellia_aesni_avx_ocb_auth,.-_gcry_camellia_aesni_avx_ocb_auth; vpsllq $(64-(nror)), out, out; \ vpaddd t0, out, out; -.data .align 16 .Linv_shift_row_and_unpcklbw: @@ -1735,7 +1733,6 @@ ELF(.size _gcry_camellia_aesni_avx_ocb_auth,.-_gcry_camellia_aesni_avx_ocb_auth; .Lsigma6: .long 0xB3E6C1FD, 0xB05688C2; -.text .align 8 ELF(.type __camellia_avx_setup128,@function;) diff --git a/cipher/camellia-aesni-avx2-amd64.S b/cipher/camellia-aesni-avx2-amd64.S index 26381df..897e4ae 100644 --- a/cipher/camellia-aesni-avx2-amd64.S +++ b/cipher/camellia-aesni-avx2-amd64.S @@ -613,7 +613,7 @@ vmovdqu y6, 14 * 32(rio); \ vmovdqu y7, 15 * 32(rio); -.data +.text .align 32 #define SHUFB_BYTES(idx) \ @@ -752,7 +752,6 @@ .L0f0f0f0f: .long 0x0f0f0f0f -.text .align 8 ELF(.type __camellia_enc_blk32,@function;) diff --git a/cipher/camellia-glue.c b/cipher/camellia-glue.c index 1be35c9..7687094 100644 --- a/cipher/camellia-glue.c +++ b/cipher/camellia-glue.c @@ -619,7 +619,6 @@ _gcry_camellia_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, CAMELLIA_context *ctx = (void *)&c->context.c; unsigned char *outbuf = outbuf_arg; const unsigned char *inbuf = inbuf_arg; - unsigned char l_tmp[CAMELLIA_BLOCK_SIZE]; int burn_stack_depth; u64 blkn = c->u_mode.ocb.data_nblocks; @@ -664,9 +663,8 @@ _gcry_camellia_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, /* Process data in 32 block chunks. */ while (nblocks >= 32) { - /* l_tmp will be used only every 65536-th block. */ blkn += 32; - *l = (uintptr_t)(void *)ocb_get_l(c, l_tmp, blkn - blkn % 32); + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 32); if (encrypt) _gcry_camellia_aesni_avx2_ocb_enc(ctx, outbuf, inbuf, c->u_iv.iv, @@ -725,9 +723,8 @@ _gcry_camellia_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, /* Process data in 16 block chunks. */ while (nblocks >= 16) { - /* l_tmp will be used only every 65536-th block. */ blkn += 16; - *l = (uintptr_t)(void *)ocb_get_l(c, l_tmp, blkn - blkn % 16); + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 16); if (encrypt) _gcry_camellia_aesni_avx_ocb_enc(ctx, outbuf, inbuf, c->u_iv.iv, @@ -759,8 +756,6 @@ _gcry_camellia_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, #if defined(USE_AESNI_AVX) || defined(USE_AESNI_AVX2) c->u_mode.ocb.data_nblocks = blkn; - wipememory(&l_tmp, sizeof(l_tmp)); - if (burn_stack_depth) _gcry_burn_stack (burn_stack_depth + 4 * sizeof(void *)); #endif @@ -776,7 +771,6 @@ _gcry_camellia_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, #if defined(USE_AESNI_AVX) || defined(USE_AESNI_AVX2) CAMELLIA_context *ctx = (void *)&c->context.c; const unsigned char *abuf = abuf_arg; - unsigned char l_tmp[CAMELLIA_BLOCK_SIZE]; int burn_stack_depth; u64 blkn = c->u_mode.ocb.aad_nblocks; @@ -818,9 +812,8 @@ _gcry_camellia_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, /* Process data in 32 block chunks. */ while (nblocks >= 32) { - /* l_tmp will be used only every 65536-th block. */ blkn += 32; - *l = (uintptr_t)(void *)ocb_get_l(c, l_tmp, blkn - blkn % 32); + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 32); _gcry_camellia_aesni_avx2_ocb_auth(ctx, abuf, c->u_mode.ocb.aad_offset, @@ -875,9 +868,8 @@ _gcry_camellia_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, /* Process data in 16 block chunks. */ while (nblocks >= 16) { - /* l_tmp will be used only every 65536-th block. */ blkn += 16; - *l = (uintptr_t)(void *)ocb_get_l(c, l_tmp, blkn - blkn % 16); + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 16); _gcry_camellia_aesni_avx_ocb_auth(ctx, abuf, c->u_mode.ocb.aad_offset, @@ -905,8 +897,6 @@ _gcry_camellia_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, #if defined(USE_AESNI_AVX) || defined(USE_AESNI_AVX2) c->u_mode.ocb.aad_nblocks = blkn; - wipememory(&l_tmp, sizeof(l_tmp)); - if (burn_stack_depth) _gcry_burn_stack (burn_stack_depth + 4 * sizeof(void *)); #endif diff --git a/cipher/cast5-amd64.S b/cipher/cast5-amd64.S index a5f078e..c04015a 100644 --- a/cipher/cast5-amd64.S +++ b/cipher/cast5-amd64.S @@ -24,9 +24,22 @@ defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && defined(USE_CAST5) #if defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS) || !defined(__PIC__) -# define GET_EXTERN_POINTER(name, reg) leaq name, reg +# define GET_EXTERN_POINTER(name, reg) movabsq $name, reg #else -# define GET_EXTERN_POINTER(name, reg) movq name@GOTPCREL(%rip), reg +# ifdef __code_model_large__ +# define GET_EXTERN_POINTER(name, reg) \ + pushq %r15; \ + pushq %r14; \ + 1: leaq 1b(%rip), reg; \ + movabsq $_GLOBAL_OFFSET_TABLE_-1b, %r14; \ + movabsq $name@GOT, %r15; \ + addq %r14, reg; \ + popq %r14; \ + movq (reg, %r15), reg; \ + popq %r15; +# else +# define GET_EXTERN_POINTER(name, reg) movq name@GOTPCREL(%rip), reg +# endif #endif #ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS diff --git a/cipher/chacha20-armv7-neon.S b/cipher/chacha20-armv7-neon.S index 4d3340b..c1971fc 100644 --- a/cipher/chacha20-armv7-neon.S +++ b/cipher/chacha20-armv7-neon.S @@ -54,7 +54,7 @@ #define UNALIGNED_LDMIA4(ptr, l0, l1, l2, l3) \ tst ptr, #3; \ - /*beq 1f;*/ \ + beq 1f; \ vpush {d0-d1}; \ vld1.32 {d0-d1}, [ptr]; \ add ptr, #16; \ diff --git a/cipher/chacha20-avx2-amd64.S b/cipher/chacha20-avx2-amd64.S index 12bed35..8c085ba 100644 --- a/cipher/chacha20-avx2-amd64.S +++ b/cipher/chacha20-avx2-amd64.S @@ -947,7 +947,6 @@ _gcry_chacha20_amd64_avx2_blocks: ret ELF(.size _gcry_chacha20_amd64_avx2_blocks,.-_gcry_chacha20_amd64_avx2_blocks;) -.data .align 16 .LC: .byte 2,3,0,1,6,7,4,5,10,11,8,9,14,15,12,13 /* pshufb rotate by 16 */ diff --git a/cipher/chacha20-ssse3-amd64.S b/cipher/chacha20-ssse3-amd64.S index a1a843f..c04010e 100644 --- a/cipher/chacha20-ssse3-amd64.S +++ b/cipher/chacha20-ssse3-amd64.S @@ -623,7 +623,6 @@ _gcry_chacha20_amd64_ssse3_blocks: ret ELF(.size _gcry_chacha20_amd64_ssse3_blocks,.-_gcry_chacha20_amd64_ssse3_blocks;) -.data .align 16; .LC: .byte 2,3,0,1,6,7,4,5,10,11,8,9,14,15,12,13 /* pshufb rotate by 16 */ diff --git a/cipher/cipher-cbc.c b/cipher/cipher-cbc.c index 67814b7..95c49b2 100644 --- a/cipher/cipher-cbc.c +++ b/cipher/cipher-cbc.c @@ -44,6 +44,11 @@ _gcry_cipher_cbc_encrypt (gcry_cipher_hd_t c, size_t nblocks = inbuflen / blocksize; unsigned int burn, nburn; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return GPG_ERR_INV_LENGTH; + if (outbuflen < ((c->flags & GCRY_CIPHER_CBC_MAC)? blocksize : inbuflen)) return GPG_ERR_BUFFER_TOO_SHORT; @@ -133,6 +138,11 @@ _gcry_cipher_cbc_decrypt (gcry_cipher_hd_t c, size_t nblocks = inbuflen / blocksize; unsigned int burn, nburn; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return GPG_ERR_INV_LENGTH; + if (outbuflen < inbuflen) return GPG_ERR_BUFFER_TOO_SHORT; diff --git a/cipher/cipher-cfb.c b/cipher/cipher-cfb.c index f289ed3..c888e70 100644 --- a/cipher/cipher-cfb.c +++ b/cipher/cipher-cfb.c @@ -41,6 +41,11 @@ _gcry_cipher_cfb_encrypt (gcry_cipher_hd_t c, size_t blocksize_x_2 = blocksize + blocksize; unsigned int burn, nburn; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return GPG_ERR_INV_LENGTH; + if (outbuflen < inbuflen) return GPG_ERR_BUFFER_TOO_SHORT; @@ -138,6 +143,11 @@ _gcry_cipher_cfb_decrypt (gcry_cipher_hd_t c, size_t blocksize_x_2 = blocksize + blocksize; unsigned int burn, nburn; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return GPG_ERR_INV_LENGTH; + if (outbuflen < inbuflen) return GPG_ERR_BUFFER_TOO_SHORT; @@ -223,3 +233,93 @@ _gcry_cipher_cfb_decrypt (gcry_cipher_hd_t c, return 0; } + + +gcry_err_code_t +_gcry_cipher_cfb8_encrypt (gcry_cipher_hd_t c, + unsigned char *outbuf, size_t outbuflen, + const unsigned char *inbuf, size_t inbuflen) +{ + gcry_cipher_encrypt_t enc_fn = c->spec->encrypt; + size_t blocksize = c->spec->blocksize; + unsigned int burn, nburn; + + if (outbuflen < inbuflen) + return GPG_ERR_BUFFER_TOO_SHORT; + + burn = 0; + + while ( inbuflen > 0) + { + int i; + + /* Encrypt the IV. */ + nburn = enc_fn ( &c->context.c, c->lastiv, c->u_iv.iv ); + burn = nburn > burn ? nburn : burn; + + outbuf[0] = c->lastiv[0] ^ inbuf[0]; + + /* Bitshift iv by 8 bit to the left */ + for (i = 0; i < blocksize-1; i++) + c->u_iv.iv[i] = c->u_iv.iv[i+1]; + + /* append cipher text to iv */ + c->u_iv.iv[blocksize-1] = outbuf[0]; + + outbuf += 1; + inbuf += 1; + inbuflen -= 1; + } + + if (burn > 0) + _gcry_burn_stack (burn + 4 * sizeof(void *)); + + return 0; +} + + +gcry_err_code_t +_gcry_cipher_cfb8_decrypt (gcry_cipher_hd_t c, + unsigned char *outbuf, size_t outbuflen, + const unsigned char *inbuf, size_t inbuflen) +{ + gcry_cipher_encrypt_t enc_fn = c->spec->encrypt; + size_t blocksize = c->spec->blocksize; + unsigned int burn, nburn; + unsigned char appendee; + + if (outbuflen < inbuflen) + return GPG_ERR_BUFFER_TOO_SHORT; + + burn = 0; + + while (inbuflen > 0) + { + int i; + + /* Encrypt the IV. */ + nburn = enc_fn ( &c->context.c, c->lastiv, c->u_iv.iv ); + burn = nburn > burn ? nburn : burn; + + /* inbuf might == outbuf, make sure we keep the value + so we can append it later */ + appendee = inbuf[0]; + + outbuf[0] = inbuf[0] ^ c->lastiv[0]; + + /* Bitshift iv by 8 bit to the left */ + for (i = 0; i < blocksize-1; i++) + c->u_iv.iv[i] = c->u_iv.iv[i+1]; + + c->u_iv.iv[blocksize-1] = appendee; + + outbuf += 1; + inbuf += 1; + inbuflen -= 1; + } + + if (burn > 0) + _gcry_burn_stack (burn + 4 * sizeof(void *)); + + return 0; +} diff --git a/cipher/cipher-cmac.c b/cipher/cipher-cmac.c index eca1c1a..da3ef75 100644 --- a/cipher/cipher-cmac.c +++ b/cipher/cipher-cmac.c @@ -42,6 +42,11 @@ cmac_write (gcry_cipher_hd_t c, const byte * inbuf, size_t inlen) unsigned int burn = 0; unsigned int nblocks; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return; + if (!inlen || !inbuf) return; @@ -109,6 +114,11 @@ cmac_generate_subkeys (gcry_cipher_hd_t c) byte buf[MAX_BLOCKSIZE]; } u; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return; + if (MAX_BLOCKSIZE < blocksize) BUG (); @@ -149,6 +159,11 @@ cmac_final (gcry_cipher_hd_t c) unsigned int burn; byte *subkey; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return; + if (count == blocksize) subkey = c->u_mode.cmac.subkeys[0]; /* K1 */ else diff --git a/cipher/cipher-ctr.c b/cipher/cipher-ctr.c index 4bbfaae..f9cb6b5 100644 --- a/cipher/cipher-ctr.c +++ b/cipher/cipher-ctr.c @@ -42,6 +42,11 @@ _gcry_cipher_ctr_encrypt (gcry_cipher_hd_t c, size_t nblocks; unsigned int burn, nburn; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return GPG_ERR_INV_LENGTH; + if (outbuflen < inbuflen) return GPG_ERR_BUFFER_TOO_SHORT; diff --git a/cipher/cipher-gcm-armv8-aarch32-ce.S b/cipher/cipher-gcm-armv8-aarch32-ce.S index b61a787..1de66a1 100644 --- a/cipher/cipher-gcm-armv8-aarch32-ce.S +++ b/cipher/cipher-gcm-armv8-aarch32-ce.S @@ -24,6 +24,7 @@ defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO) .syntax unified +.arch armv8-a .fpu crypto-neon-fp-armv8 .arm diff --git a/cipher/cipher-gcm-armv8-aarch64-ce.S b/cipher/cipher-gcm-armv8-aarch64-ce.S index 4830b61..0cfaf1c 100644 --- a/cipher/cipher-gcm-armv8-aarch64-ce.S +++ b/cipher/cipher-gcm-armv8-aarch64-ce.S @@ -23,7 +23,7 @@ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO) -.arch armv8-a+crypto +.cpu generic+simd+crypto .text diff --git a/cipher/cipher-internal.h b/cipher/cipher-internal.h index 01352f3..b748125 100644 --- a/cipher/cipher-internal.h +++ b/cipher/cipher-internal.h @@ -124,7 +124,7 @@ struct gcry_cipher_handle /* A structure with function pointers for bulk operations. Due to limitations of the module system (we don't want to change the API) we need to keep these function pointers here. The cipher - open function intializes them and the actual encryption routines + open function initializes them and the actual encryption routines use them if they are not NULL. */ struct { void (*cfb_enc)(void *context, unsigned char *iv, @@ -146,6 +146,9 @@ struct gcry_cipher_handle const void *inbuf_arg, size_t nblocks, int encrypt); size_t (*ocb_auth)(gcry_cipher_hd_t c, const void *abuf_arg, size_t nblocks); + void (*xts_crypt)(gcry_cipher_hd_t c, unsigned char *tweak, + void *outbuf_arg, const void *inbuf_arg, + size_t nblocks, int encrypt); } bulk; @@ -309,6 +312,12 @@ struct gcry_cipher_handle } ocb; + /* Mode specific storage for XTS mode. */ + struct { + /* Pointer to tweak cipher context, allocated after actual + * cipher context. */ + char *tweak_context; + } xts; } u_mode; /* What follows are two contexts of the cipher in use. The first @@ -339,6 +348,14 @@ gcry_err_code_t _gcry_cipher_cfb_decrypt /* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen, const unsigned char *inbuf, size_t inbuflen); +gcry_err_code_t _gcry_cipher_cfb8_encrypt +/* */ (gcry_cipher_hd_t c, + unsigned char *outbuf, size_t outbuflen, + const unsigned char *inbuf, size_t inbuflen); +gcry_err_code_t _gcry_cipher_cfb8_decrypt +/* */ (gcry_cipher_hd_t c, + unsigned char *outbuf, size_t outbuflen, + const unsigned char *inbuf, size_t inbuflen); /*-- cipher-ofb.c --*/ @@ -459,28 +476,34 @@ gcry_err_code_t _gcry_cipher_ocb_get_tag gcry_err_code_t _gcry_cipher_ocb_check_tag /* */ (gcry_cipher_hd_t c, const unsigned char *intag, size_t taglen); -const unsigned char *_gcry_cipher_ocb_get_l -/* */ (gcry_cipher_hd_t c, unsigned char *l_tmp, u64 n); -/* Inline version of _gcry_cipher_ocb_get_l, with hard-coded fast paths for - most common cases. */ +/*-- cipher-xts.c --*/ +gcry_err_code_t _gcry_cipher_xts_crypt +/* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen, + const unsigned char *inbuf, size_t inbuflen, int encrypt); + + +/* Return the L-value for block N. Note: 'cipher_ocb.c' ensures that N + * will never be multiple of 65536 (1 << OCB_L_TABLE_SIZE), thus N can + * be directly passed to _gcry_ctz() function and resulting index will + * never overflow the table. */ static inline const unsigned char * -ocb_get_l (gcry_cipher_hd_t c, unsigned char *l_tmp, u64 n) +ocb_get_l (gcry_cipher_hd_t c, u64 n) { - if (n & 1) - return c->u_mode.ocb.L[0]; - else if (n & 2) - return c->u_mode.ocb.L[1]; - else - { - unsigned int ntz = _gcry_ctz64 (n); - - if (ntz < OCB_L_TABLE_SIZE) - return c->u_mode.ocb.L[ntz]; - else - return _gcry_cipher_ocb_get_l (c, l_tmp, n); - } + unsigned long ntz; + +#if ((defined(__i386__) || defined(__x86_64__)) && __GNUC__ >= 4) + /* Assumes that N != 0. */ + asm ("rep;bsfl %k[low], %k[ntz]\n\t" + : [ntz] "=r" (ntz) + : [low] "r" ((unsigned long)n) + : "cc"); +#else + ntz = _gcry_ctz (n); +#endif + + return c->u_mode.ocb.L[ntz]; } #endif /*G10_CIPHER_INTERNAL_H*/ diff --git a/cipher/cipher-ocb.c b/cipher/cipher-ocb.c index 92260d2..db42aaf 100644 --- a/cipher/cipher-ocb.c +++ b/cipher/cipher-ocb.c @@ -66,7 +66,7 @@ double_block (unsigned char *b) l = buf_get_be64 (b); r = buf_get_be64 (b + 8); - l_0 = (int64_t)l >> 63; + l_0 = -(l >> 63); l = (l + l) ^ (r >> 63); r = (r + r) ^ (l_0 & 135); @@ -109,25 +109,17 @@ bit_copy (unsigned char *d, const unsigned char *s, } -/* Return the L-value for block N. In most cases we use the table; - only if the lower OCB_L_TABLE_SIZE bits of N are zero we need to - compute it. With a table size of 16 we need to this this only - every 65536-th block. L_TMP is a helper buffer of size - OCB_BLOCK_LEN which is used to hold the computation if not taken - from the table. */ -const unsigned char * -_gcry_cipher_ocb_get_l (gcry_cipher_hd_t c, unsigned char *l_tmp, u64 n) +/* Get L_big value for block N, where N is multiple of 65536. */ +static void +ocb_get_L_big (gcry_cipher_hd_t c, u64 n, unsigned char *l_buf) { int ntz = _gcry_ctz64 (n); - if (ntz < OCB_L_TABLE_SIZE) - return c->u_mode.ocb.L[ntz]; + gcry_assert(ntz >= OCB_L_TABLE_SIZE); - double_block_cpy (l_tmp, c->u_mode.ocb.L[OCB_L_TABLE_SIZE - 1]); + double_block_cpy (l_buf, c->u_mode.ocb.L[OCB_L_TABLE_SIZE - 1]); for (ntz -= OCB_L_TABLE_SIZE; ntz; ntz--) - double_block (l_tmp); - - return l_tmp; + double_block (l_buf); } @@ -241,7 +233,11 @@ gcry_err_code_t _gcry_cipher_ocb_authenticate (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen) { + const size_t table_maxblks = 1 << OCB_L_TABLE_SIZE; + const u32 table_size_mask = ((1 << OCB_L_TABLE_SIZE) - 1); unsigned char l_tmp[OCB_BLOCK_LEN]; + unsigned int burn = 0; + unsigned int nburn; /* Check that a nonce and thus a key has been set and that we have not yet computed the tag. We also return an error if the aad has @@ -264,14 +260,24 @@ _gcry_cipher_ocb_authenticate (gcry_cipher_hd_t c, const unsigned char *abuf, { c->u_mode.ocb.aad_nblocks++; + if ((c->u_mode.ocb.aad_nblocks % table_maxblks) == 0) + { + /* Table overflow, L needs to be generated. */ + ocb_get_L_big(c, c->u_mode.ocb.aad_nblocks + 1, l_tmp); + } + else + { + buf_cpy (l_tmp, ocb_get_l (c, c->u_mode.ocb.aad_nblocks), + OCB_BLOCK_LEN); + } + /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ - buf_xor_1 (c->u_mode.ocb.aad_offset, - ocb_get_l (c, l_tmp, c->u_mode.ocb.aad_nblocks), - OCB_BLOCK_LEN); + buf_xor_1 (c->u_mode.ocb.aad_offset, l_tmp, OCB_BLOCK_LEN); /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ buf_xor (l_tmp, c->u_mode.ocb.aad_offset, c->u_mode.ocb.aad_leftover, OCB_BLOCK_LEN); - c->spec->encrypt (&c->context.c, l_tmp, l_tmp); + nburn = c->spec->encrypt (&c->context.c, l_tmp, l_tmp); + burn = nburn > burn ? nburn : burn; buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); c->u_mode.ocb.aad_nleftover = 0; @@ -279,40 +285,83 @@ _gcry_cipher_ocb_authenticate (gcry_cipher_hd_t c, const unsigned char *abuf, } if (!abuflen) - return 0; - - /* Use a bulk method if available. */ - if (abuflen >= OCB_BLOCK_LEN && c->bulk.ocb_auth) { - size_t nblks; - size_t nleft; - size_t ndone; + if (burn > 0) + _gcry_burn_stack (burn + 4*sizeof(void*)); - nblks = abuflen / OCB_BLOCK_LEN; - nleft = c->bulk.ocb_auth (c, abuf, nblks); - ndone = nblks - nleft; - - abuf += ndone * OCB_BLOCK_LEN; - abuflen -= ndone * OCB_BLOCK_LEN; - nblks = nleft; + return 0; } - /* Hash all full blocks. */ + /* Full blocks handling. */ while (abuflen >= OCB_BLOCK_LEN) { - c->u_mode.ocb.aad_nblocks++; + size_t nblks = abuflen / OCB_BLOCK_LEN; + size_t nmaxblks; - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ - buf_xor_1 (c->u_mode.ocb.aad_offset, - ocb_get_l (c, l_tmp, c->u_mode.ocb.aad_nblocks), - OCB_BLOCK_LEN); - /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ - buf_xor (l_tmp, c->u_mode.ocb.aad_offset, abuf, OCB_BLOCK_LEN); - c->spec->encrypt (&c->context.c, l_tmp, l_tmp); - buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); + /* Check how many blocks to process till table overflow. */ + nmaxblks = (c->u_mode.ocb.aad_nblocks + 1) % table_maxblks; + nmaxblks = (table_maxblks - nmaxblks) % table_maxblks; + + if (nmaxblks == 0) + { + /* Table overflow, generate L and process one block. */ + c->u_mode.ocb.aad_nblocks++; + ocb_get_L_big(c, c->u_mode.ocb.aad_nblocks, l_tmp); + + /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ + buf_xor_1 (c->u_mode.ocb.aad_offset, l_tmp, OCB_BLOCK_LEN); + /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ + buf_xor (l_tmp, c->u_mode.ocb.aad_offset, abuf, OCB_BLOCK_LEN); + nburn = c->spec->encrypt (&c->context.c, l_tmp, l_tmp); + burn = nburn > burn ? nburn : burn; + buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); + + abuf += OCB_BLOCK_LEN; + abuflen -= OCB_BLOCK_LEN; + nblks--; + + /* With overflow handled, retry loop again. Next overflow will + * happen after 65535 blocks. */ + continue; + } + + nblks = nblks < nmaxblks ? nblks : nmaxblks; + + /* Use a bulk method if available. */ + if (nblks && c->bulk.ocb_auth) + { + size_t nleft; + size_t ndone; + + nleft = c->bulk.ocb_auth (c, abuf, nblks); + ndone = nblks - nleft; + + abuf += ndone * OCB_BLOCK_LEN; + abuflen -= ndone * OCB_BLOCK_LEN; + nblks = nleft; + } + + /* Hash all full blocks. */ + while (nblks) + { + c->u_mode.ocb.aad_nblocks++; + + gcry_assert(c->u_mode.ocb.aad_nblocks & table_size_mask); + + /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ + buf_xor_1 (c->u_mode.ocb.aad_offset, + ocb_get_l (c, c->u_mode.ocb.aad_nblocks), + OCB_BLOCK_LEN); + /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ + buf_xor (l_tmp, c->u_mode.ocb.aad_offset, abuf, OCB_BLOCK_LEN); + nburn = c->spec->encrypt (&c->context.c, l_tmp, l_tmp); + burn = nburn > burn ? nburn : burn; + buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); - abuf += OCB_BLOCK_LEN; - abuflen -= OCB_BLOCK_LEN; + abuf += OCB_BLOCK_LEN; + abuflen -= OCB_BLOCK_LEN; + nblks--; + } } /* Store away the remaining data. */ @@ -321,6 +370,9 @@ _gcry_cipher_ocb_authenticate (gcry_cipher_hd_t c, const unsigned char *abuf, c->u_mode.ocb.aad_leftover[c->u_mode.ocb.aad_nleftover++] = *abuf; gcry_assert (!abuflen); + if (burn > 0) + _gcry_burn_stack (burn + 4*sizeof(void*)); + return 0; } @@ -330,6 +382,8 @@ static void ocb_aad_finalize (gcry_cipher_hd_t c) { unsigned char l_tmp[OCB_BLOCK_LEN]; + unsigned int burn = 0; + unsigned int nburn; /* Check that a nonce and thus a key has been set and that we have not yet computed the tag. We also skip this if the aad has been @@ -352,7 +406,8 @@ ocb_aad_finalize (gcry_cipher_hd_t c) l_tmp[c->u_mode.ocb.aad_nleftover] = 0x80; buf_xor_1 (l_tmp, c->u_mode.ocb.aad_offset, OCB_BLOCK_LEN); /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */ - c->spec->encrypt (&c->context.c, l_tmp, l_tmp); + nburn = c->spec->encrypt (&c->context.c, l_tmp, l_tmp); + burn = nburn > burn ? nburn : burn; buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); c->u_mode.ocb.aad_nleftover = 0; @@ -361,6 +416,9 @@ ocb_aad_finalize (gcry_cipher_hd_t c) /* Mark AAD as finalized so that gcry_cipher_ocb_authenticate can * return an erro when called again. */ c->u_mode.ocb.aad_finalized = 1; + + if (burn > 0) + _gcry_burn_stack (burn + 4*sizeof(void*)); } @@ -387,10 +445,13 @@ ocb_crypt (gcry_cipher_hd_t c, int encrypt, unsigned char *outbuf, size_t outbuflen, const unsigned char *inbuf, size_t inbuflen) { + const size_t table_maxblks = 1 << OCB_L_TABLE_SIZE; + const u32 table_size_mask = ((1 << OCB_L_TABLE_SIZE) - 1); unsigned char l_tmp[OCB_BLOCK_LEN]; unsigned int burn = 0; unsigned int nburn; - size_t nblks = inbuflen / OCB_BLOCK_LEN; + gcry_cipher_encrypt_t crypt_fn = + encrypt ? c->spec->encrypt : c->spec->decrypt; /* Check that a nonce and thus a key has been set and that we are not yet in end of data state. */ @@ -407,58 +468,112 @@ ocb_crypt (gcry_cipher_hd_t c, int encrypt, else if ((inbuflen % OCB_BLOCK_LEN)) return GPG_ERR_INV_LENGTH; /* We support only full blocks for now. */ - /* Use a bulk method if available. */ - if (nblks && c->bulk.ocb_crypt) - { - size_t nleft; - size_t ndone; - - nleft = c->bulk.ocb_crypt (c, outbuf, inbuf, nblks, encrypt); - ndone = nblks - nleft; - - inbuf += ndone * OCB_BLOCK_LEN; - outbuf += ndone * OCB_BLOCK_LEN; - inbuflen -= ndone * OCB_BLOCK_LEN; - outbuflen -= ndone * OCB_BLOCK_LEN; - nblks = nleft; - } - - if (nblks) + /* Full blocks handling. */ + while (inbuflen >= OCB_BLOCK_LEN) { - gcry_cipher_encrypt_t crypt_fn = - encrypt ? c->spec->encrypt : c->spec->decrypt; + size_t nblks = inbuflen / OCB_BLOCK_LEN; + size_t nmaxblks; - if (encrypt) - { - /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_checksum (c->u_ctr.ctr, inbuf, nblks); - } + /* Check how many blocks to process till table overflow. */ + nmaxblks = (c->u_mode.ocb.data_nblocks + 1) % table_maxblks; + nmaxblks = (table_maxblks - nmaxblks) % table_maxblks; - /* Encrypt all full blocks. */ - while (inbuflen >= OCB_BLOCK_LEN) + if (nmaxblks == 0) { + /* Table overflow, generate L and process one block. */ c->u_mode.ocb.data_nblocks++; + ocb_get_L_big(c, c->u_mode.ocb.data_nblocks, l_tmp); + + if (encrypt) + { + /* Checksum_i = Checksum_{i-1} xor P_i */ + ocb_checksum (c->u_ctr.ctr, inbuf, 1); + } /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ - buf_xor_1 (c->u_iv.iv, - ocb_get_l (c, l_tmp, c->u_mode.ocb.data_nblocks), - OCB_BLOCK_LEN); + buf_xor_1 (c->u_iv.iv, l_tmp, OCB_BLOCK_LEN); /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ buf_xor (outbuf, c->u_iv.iv, inbuf, OCB_BLOCK_LEN); nburn = crypt_fn (&c->context.c, outbuf, outbuf); burn = nburn > burn ? nburn : burn; buf_xor_1 (outbuf, c->u_iv.iv, OCB_BLOCK_LEN); + if (!encrypt) + { + /* Checksum_i = Checksum_{i-1} xor P_i */ + ocb_checksum (c->u_ctr.ctr, outbuf, 1); + } + inbuf += OCB_BLOCK_LEN; inbuflen -= OCB_BLOCK_LEN; outbuf += OCB_BLOCK_LEN; outbuflen =- OCB_BLOCK_LEN; + nblks--; + + /* With overflow handled, retry loop again. Next overflow will + * happen after 65535 blocks. */ + continue; + } + + nblks = nblks < nmaxblks ? nblks : nmaxblks; + + /* Use a bulk method if available. */ + if (nblks && c->bulk.ocb_crypt) + { + size_t nleft; + size_t ndone; + + nleft = c->bulk.ocb_crypt (c, outbuf, inbuf, nblks, encrypt); + ndone = nblks - nleft; + + inbuf += ndone * OCB_BLOCK_LEN; + outbuf += ndone * OCB_BLOCK_LEN; + inbuflen -= ndone * OCB_BLOCK_LEN; + outbuflen -= ndone * OCB_BLOCK_LEN; + nblks = nleft; } - if (!encrypt) + if (nblks) { - /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_checksum (c->u_ctr.ctr, outbuf - nblks * OCB_BLOCK_LEN, nblks); + size_t nblks_chksum = nblks; + + if (encrypt) + { + /* Checksum_i = Checksum_{i-1} xor P_i */ + ocb_checksum (c->u_ctr.ctr, inbuf, nblks_chksum); + } + + /* Encrypt all full blocks. */ + while (nblks) + { + c->u_mode.ocb.data_nblocks++; + + gcry_assert(c->u_mode.ocb.data_nblocks & table_size_mask); + + /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ + buf_xor_1 (c->u_iv.iv, + ocb_get_l (c, c->u_mode.ocb.data_nblocks), + OCB_BLOCK_LEN); + /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ + buf_xor (outbuf, c->u_iv.iv, inbuf, OCB_BLOCK_LEN); + nburn = crypt_fn (&c->context.c, outbuf, outbuf); + burn = nburn > burn ? nburn : burn; + buf_xor_1 (outbuf, c->u_iv.iv, OCB_BLOCK_LEN); + + inbuf += OCB_BLOCK_LEN; + inbuflen -= OCB_BLOCK_LEN; + outbuf += OCB_BLOCK_LEN; + outbuflen =- OCB_BLOCK_LEN; + nblks--; + } + + if (!encrypt) + { + /* Checksum_i = Checksum_{i-1} xor P_i */ + ocb_checksum (c->u_ctr.ctr, + outbuf - nblks_chksum * OCB_BLOCK_LEN, + nblks_chksum); + } } } diff --git a/cipher/cipher-ofb.c b/cipher/cipher-ofb.c index 7db7658..f821d1b 100644 --- a/cipher/cipher-ofb.c +++ b/cipher/cipher-ofb.c @@ -40,6 +40,11 @@ _gcry_cipher_ofb_encrypt (gcry_cipher_hd_t c, size_t blocksize = c->spec->blocksize; unsigned int burn, nburn; + /* Tell compiler that we require a cipher with a 64bit or 128 bit block + * length, to allow better optimization of this function. */ + if (blocksize > 16 || blocksize < 8 || blocksize & (8 - 1)) + return GPG_ERR_INV_LENGTH; + if (outbuflen < inbuflen) return GPG_ERR_BUFFER_TOO_SHORT; diff --git a/cipher/cipher-xts.c b/cipher/cipher-xts.c new file mode 100644 index 0000000..4da89e5 --- /dev/null +++ b/cipher/cipher-xts.c @@ -0,0 +1,170 @@ +/* cipher-xts.c - XTS mode implementation + * Copyright (C) 2017 Jussi Kivilinna + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser general Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +#include +#include +#include +#include +#include + +#include "g10lib.h" +#include "cipher.h" +#include "bufhelp.h" +#include "./cipher-internal.h" + + +static inline void xts_gfmul_byA (unsigned char *out, const unsigned char *in) +{ + u64 hi = buf_get_le64 (in + 8); + u64 lo = buf_get_le64 (in + 0); + u64 carry = -(hi >> 63) & 0x87; + + hi = (hi << 1) + (lo >> 63); + lo = (lo << 1) ^ carry; + + buf_put_le64 (out + 8, hi); + buf_put_le64 (out + 0, lo); +} + + +static inline void xts_inc128 (unsigned char *seqno) +{ + u64 lo = buf_get_le64 (seqno + 0); + u64 hi = buf_get_le64 (seqno + 8); + + hi += !(++lo); + + buf_put_le64 (seqno + 0, lo); + buf_put_le64 (seqno + 8, hi); +} + + +gcry_err_code_t +_gcry_cipher_xts_crypt (gcry_cipher_hd_t c, + unsigned char *outbuf, size_t outbuflen, + const unsigned char *inbuf, size_t inbuflen, + int encrypt) +{ + gcry_cipher_encrypt_t tweak_fn = c->spec->encrypt; + gcry_cipher_encrypt_t crypt_fn = + encrypt ? c->spec->encrypt : c->spec->decrypt; + union + { + cipher_context_alignment_t xcx; + byte x1[GCRY_XTS_BLOCK_LEN]; + u64 x64[GCRY_XTS_BLOCK_LEN / sizeof(u64)]; + } tmp; + unsigned int burn, nburn; + size_t nblocks; + + if (c->spec->blocksize != GCRY_XTS_BLOCK_LEN) + return GPG_ERR_CIPHER_ALGO; + if (outbuflen < inbuflen) + return GPG_ERR_BUFFER_TOO_SHORT; + if (inbuflen < GCRY_XTS_BLOCK_LEN) + return GPG_ERR_BUFFER_TOO_SHORT; + + /* Data-unit max length: 2^20 blocks. */ + if (inbuflen > GCRY_XTS_BLOCK_LEN << 20) + return GPG_ERR_INV_LENGTH; + + nblocks = inbuflen / GCRY_XTS_BLOCK_LEN; + nblocks -= !encrypt && (inbuflen % GCRY_XTS_BLOCK_LEN) != 0; + + /* Generate first tweak value. */ + burn = tweak_fn (c->u_mode.xts.tweak_context, c->u_ctr.ctr, c->u_iv.iv); + + /* Use a bulk method if available. */ + if (nblocks && c->bulk.xts_crypt) + { + c->bulk.xts_crypt (c, c->u_ctr.ctr, outbuf, inbuf, nblocks, encrypt); + inbuf += nblocks * GCRY_XTS_BLOCK_LEN; + outbuf += nblocks * GCRY_XTS_BLOCK_LEN; + inbuflen -= nblocks * GCRY_XTS_BLOCK_LEN; + nblocks = 0; + } + + /* If we don't have a bulk method use the standard method. We also + use this method for the a remaining partial block. */ + + while (nblocks) + { + /* Xor-Encrypt/Decrypt-Xor block. */ + buf_xor (tmp.x64, inbuf, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); + nburn = crypt_fn (&c->context.c, tmp.x1, tmp.x1); + burn = nburn > burn ? nburn : burn; + buf_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); + + outbuf += GCRY_XTS_BLOCK_LEN; + inbuf += GCRY_XTS_BLOCK_LEN; + inbuflen -= GCRY_XTS_BLOCK_LEN; + nblocks--; + + /* Generate next tweak. */ + xts_gfmul_byA (c->u_ctr.ctr, c->u_ctr.ctr); + } + + /* Handle remaining data with ciphertext stealing. */ + if (inbuflen) + { + if (!encrypt) + { + gcry_assert (inbuflen > GCRY_XTS_BLOCK_LEN); + gcry_assert (inbuflen < GCRY_XTS_BLOCK_LEN * 2); + + /* Generate last tweak. */ + xts_gfmul_byA (tmp.x1, c->u_ctr.ctr); + + /* Decrypt last block first. */ + buf_xor (outbuf, inbuf, tmp.x64, GCRY_XTS_BLOCK_LEN); + nburn = crypt_fn (&c->context.c, outbuf, outbuf); + burn = nburn > burn ? nburn : burn; + buf_xor (outbuf, outbuf, tmp.x64, GCRY_XTS_BLOCK_LEN); + + inbuflen -= GCRY_XTS_BLOCK_LEN; + inbuf += GCRY_XTS_BLOCK_LEN; + outbuf += GCRY_XTS_BLOCK_LEN; + } + + gcry_assert (inbuflen < GCRY_XTS_BLOCK_LEN); + outbuf -= GCRY_XTS_BLOCK_LEN; + + /* Steal ciphertext from previous block. */ + buf_cpy (tmp.x64, outbuf, GCRY_XTS_BLOCK_LEN); + buf_cpy (tmp.x64, inbuf, inbuflen); + buf_cpy (outbuf + GCRY_XTS_BLOCK_LEN, outbuf, inbuflen); + + /* Decrypt/Encrypt last block. */ + buf_xor (tmp.x64, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); + nburn = crypt_fn (&c->context.c, tmp.x1, tmp.x1); + burn = nburn > burn ? nburn : burn; + buf_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); + } + + /* Auto-increment data-unit sequence number */ + xts_inc128 (c->u_iv.iv); + + wipememory (&tmp, sizeof(tmp)); + wipememory (c->u_ctr.ctr, sizeof(c->u_ctr.ctr)); + + if (burn > 0) + _gcry_burn_stack (burn + 4 * sizeof(void *)); + + return 0; +} diff --git a/cipher/cipher.c b/cipher/cipher.c index 55853da..9812738 100644 --- a/cipher/cipher.c +++ b/cipher/cipher.c @@ -405,9 +405,17 @@ _gcry_cipher_open_internal (gcry_cipher_hd_t *handle, err = GPG_ERR_INV_CIPHER_MODE; break; + case GCRY_CIPHER_MODE_XTS: + if (spec->blocksize != GCRY_XTS_BLOCK_LEN) + err = GPG_ERR_INV_CIPHER_MODE; + if (!spec->encrypt || !spec->decrypt) + err = GPG_ERR_INV_CIPHER_MODE; + break; + case GCRY_CIPHER_MODE_ECB: case GCRY_CIPHER_MODE_CBC: case GCRY_CIPHER_MODE_CFB: + case GCRY_CIPHER_MODE_CFB8: case GCRY_CIPHER_MODE_OFB: case GCRY_CIPHER_MODE_CTR: case GCRY_CIPHER_MODE_AESWRAP: @@ -468,6 +476,18 @@ _gcry_cipher_open_internal (gcry_cipher_hd_t *handle, #endif /*NEED_16BYTE_ALIGNED_CONTEXT*/ ); + /* Space needed per mode. */ + switch (mode) + { + case GCRY_CIPHER_MODE_XTS: + /* Additional cipher context for tweak. */ + size += 2 * spec->contextsize + 15; + break; + + default: + break; + } + if (secure) h = xtrycalloc_secure (1, size); else @@ -478,6 +498,7 @@ _gcry_cipher_open_internal (gcry_cipher_hd_t *handle, else { size_t off = 0; + char *tc; #ifdef NEED_16BYTE_ALIGNED_CONTEXT if ( ((uintptr_t)h & 0x0f) ) @@ -578,6 +599,13 @@ _gcry_cipher_open_internal (gcry_cipher_hd_t *handle, h->u_mode.ocb.taglen = 16; /* Bytes. */ break; + case GCRY_CIPHER_MODE_XTS: + tc = h->context.c + spec->contextsize * 2; + tc += (16 - (uintptr_t)tc % 16) % 16; + h->u_mode.xts.tweak_context = tc; + + break; + default: break; } @@ -630,6 +658,23 @@ cipher_setkey (gcry_cipher_hd_t c, byte *key, size_t keylen) { gcry_err_code_t rc; + if (c->mode == GCRY_CIPHER_MODE_XTS) + { + /* XTS uses two keys. */ + if (keylen % 2) + return GPG_ERR_INV_KEYLEN; + keylen /= 2; + + if (fips_mode ()) + { + /* Reject key if subkeys Key_1 and Key_2 are equal. + See "Implementation Guidance for FIPS 140-2, A.9 XTS-AES + Key Generation Requirements" for details. */ + if (buf_eq_const (key, key + keylen, keylen)) + return GPG_ERR_WEAK_KEY; + } + } + rc = c->spec->setkey (&c->context.c, key, keylen); if (!rc) { @@ -653,6 +698,20 @@ cipher_setkey (gcry_cipher_hd_t c, byte *key, size_t keylen) _gcry_cipher_poly1305_setkey (c); break; + case GCRY_CIPHER_MODE_XTS: + /* Setup tweak cipher with second part of XTS key. */ + rc = c->spec->setkey (c->u_mode.xts.tweak_context, key + keylen, + keylen); + if (!rc) + { + /* Duplicate initial tweak context. */ + memcpy (c->u_mode.xts.tweak_context + c->spec->contextsize, + c->u_mode.xts.tweak_context, c->spec->contextsize); + } + else + c->marks.key = 0; + break; + default: break; }; @@ -751,6 +810,12 @@ cipher_reset (gcry_cipher_hd_t c) c->u_mode.ocb.taglen = 16; break; + case GCRY_CIPHER_MODE_XTS: + memcpy (c->u_mode.xts.tweak_context, + c->u_mode.xts.tweak_context + c->spec->contextsize, + c->spec->contextsize); + break; + default: break; /* u_mode unused by other modes. */ } @@ -838,6 +903,10 @@ cipher_encrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, rc = _gcry_cipher_cfb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); break; + case GCRY_CIPHER_MODE_CFB8: + rc = _gcry_cipher_cfb8_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); + break; + case GCRY_CIPHER_MODE_OFB: rc = _gcry_cipher_ofb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); break; @@ -872,6 +941,10 @@ cipher_encrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, rc = _gcry_cipher_ocb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); break; + case GCRY_CIPHER_MODE_XTS: + rc = _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 1); + break; + case GCRY_CIPHER_MODE_STREAM: c->spec->stencrypt (&c->context.c, outbuf, (byte*)/*arggg*/inbuf, inbuflen); @@ -933,7 +1006,7 @@ _gcry_cipher_encrypt (gcry_cipher_hd_t h, void *out, size_t outsize, /**************** * Decrypt INBUF to OUTBUF with the mode selected at open. * inbuf and outbuf may overlap or be the same. - * Depending on the mode some some contraints apply to INBUFLEN. + * Depending on the mode some some constraints apply to INBUFLEN. */ static gcry_err_code_t cipher_decrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, @@ -961,6 +1034,10 @@ cipher_decrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, rc = _gcry_cipher_cfb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); break; + case GCRY_CIPHER_MODE_CFB8: + rc = _gcry_cipher_cfb8_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); + break; + case GCRY_CIPHER_MODE_OFB: rc = _gcry_cipher_ofb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); break; @@ -995,6 +1072,10 @@ cipher_decrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, rc = _gcry_cipher_ocb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); break; + case GCRY_CIPHER_MODE_XTS: + rc = _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 0); + break; + case GCRY_CIPHER_MODE_STREAM: c->spec->stdecrypt (&c->context.c, outbuf, (byte*)/*arggg*/inbuf, inbuflen); diff --git a/cipher/crc-intel-pclmul.c b/cipher/crc-intel-pclmul.c index 7a344e2..8ff08ec 100644 --- a/cipher/crc-intel-pclmul.c +++ b/cipher/crc-intel-pclmul.c @@ -44,6 +44,12 @@ #define ALIGNED_16 __attribute__ ((aligned (16))) +struct u16_unaligned_s +{ + u16 a; +} __attribute__((packed, aligned (1), may_alias)); + + /* Constants structure for generic reflected/non-reflected CRC32 CLMUL * functions. */ struct crc32_consts_s @@ -345,14 +351,14 @@ crc32_reflected_less_than_16 (u32 *pcrc, const byte *inbuf, size_t inlen, } else if (inlen == 2) { - data = *((const u16 *)inbuf); + data = ((const struct u16_unaligned_s *)inbuf)->a; data ^= crc; data <<= 16; crc >>= 16; } else { - data = *((const u16 *)inbuf); + data = ((const struct u16_unaligned_s *)inbuf)->a; data |= inbuf[2] << 16; data ^= crc; data <<= 8; @@ -709,14 +715,14 @@ crc32_less_than_16 (u32 *pcrc, const byte *inbuf, size_t inlen, } else if (inlen == 2) { - data = *((const u16 *)inbuf); + data = ((const struct u16_unaligned_s *)inbuf)->a; data ^= crc; data = _gcry_bswap32(data << 16); crc = _gcry_bswap32(crc >> 16); } else { - data = *((const u16 *)inbuf); + data = ((const struct u16_unaligned_s *)inbuf)->a; data |= inbuf[2] << 16; data ^= crc; data = _gcry_bswap32(data << 8); diff --git a/cipher/des-amd64.S b/cipher/des-amd64.S index 307d211..1b7cfba 100644 --- a/cipher/des-amd64.S +++ b/cipher/des-amd64.S @@ -766,7 +766,6 @@ _gcry_3des_amd64_cfb_dec: ret; ELF(.size _gcry_3des_amd64_cfb_dec,.-_gcry_3des_amd64_cfb_dec;) -.data .align 16 .L_s1: .quad 0x0010100001010400, 0x0000000000000000 diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c index 8f7b8c4..41debe4 100644 --- a/cipher/ecc-misc.c +++ b/cipher/ecc-misc.c @@ -333,7 +333,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) * 0x40 for x-only coordinate. * * For data with older implementation (non-released development - * version), it is possibe to have the 0x40 as a part of data. + * version), it is possible to have the 0x40 as a part of data. * Besides, when data was parsed as MPI, we might have 0x00 * prefix. * diff --git a/cipher/ecc.c b/cipher/ecc.c index e25bf09..4e3e5b1 100644 --- a/cipher/ecc.c +++ b/cipher/ecc.c @@ -1628,9 +1628,22 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms) if (DBG_CIPHER) log_printpnt ("ecc_decrypt kG", &kG, NULL); - if (!(flags & PUBKEY_FLAG_DJB_TWEAK) + if ((flags & PUBKEY_FLAG_DJB_TWEAK)) + { /* For X25519, by its definition, validation should not be done. */ - && !_gcry_mpi_ec_curve_point (&kG, ec)) + /* (Instead, we do output check.) + * + * However, to mitigate secret key leak from our implementation, + * we also do input validation here. For constant-time + * implementation, we can remove this input validation. + */ + if (_gcry_mpi_ec_bad_point (&kG, ec)) + { + rc = GPG_ERR_INV_DATA; + goto leave; + } + } + else if (!_gcry_mpi_ec_curve_point (&kG, ec)) { rc = GPG_ERR_INV_DATA; goto leave; diff --git a/cipher/hmac-tests.c b/cipher/hmac-tests.c index 8c04708..78d260a 100644 --- a/cipher/hmac-tests.c +++ b/cipher/hmac-tests.c @@ -20,13 +20,18 @@ /* Although algorithm self-tests are usually implemented in the module implementing the algorithm, the case for HMAC is different because - HMAC is implemnetd on a higher level using a special feature of the + HMAC is implemented on a higher level using a special feature of the gcry_md_ functions. It would be possible to do this also in the digest algorithm modules, but that would blow up the code too much and spread the hmac tests over several modules. Thus we implement all HMAC tests in this test module and provide a function to run the tests. + + To run all the Libgcrypt selftest in a verbose mode, use + + $ tests/basic --selftest + */ #include @@ -42,21 +47,30 @@ #include "hmac256.h" /* Check one HMAC with digest ALGO using the regualr HAMC - API. (DATA,DATALEN) is the data to be MACed, (KEY,KEYLEN) the key - and (EXPECT,EXPECTLEN) the expected result. Returns NULL on - succdess or a string describing the failure. */ + * API. (DATA,DATALEN) is the data to be MACed, (KEY,KEYLEN) the key + * and (EXPECT,EXPECTLEN) the expected result. If TRUNC is set, the + * EXPECTLEN may be less than the digest length. Returns NULL on + * success or a string describing the failure. */ static const char * check_one (int algo, const void *data, size_t datalen, const void *key, size_t keylen, - const void *expect, size_t expectlen) + const void *expect, size_t expectlen, int trunc) { gcry_md_hd_t hd; const unsigned char *digest; /* printf ("HMAC algo %d\n", algo); */ - if (_gcry_md_get_algo_dlen (algo) != expectlen) - return "invalid tests data"; + if (trunc) + { + if (_gcry_md_get_algo_dlen (algo) < expectlen) + return "invalid tests data"; + } + else + { + if (_gcry_md_get_algo_dlen (algo) != expectlen) + return "invalid tests data"; + } if (_gcry_md_open (&hd, algo, GCRY_MD_FLAG_HMAC)) return "gcry_md_open failed"; if (_gcry_md_setkey (hd, key, keylen)) @@ -107,7 +121,7 @@ selftests_sha1 (int extended, selftest_report_func_t report) "Sample #1", 9, key, 64, "\x4f\x4c\xa3\xd5\xd6\x8b\xa7\xcc\x0a\x12" - "\x08\xc9\xc6\x1e\x9c\x5d\xa0\x40\x3c\x0a", 20); + "\x08\xc9\xc6\x1e\x9c\x5d\xa0\x40\x3c\x0a", 20, 0); if (errtxt) goto failed; @@ -120,7 +134,7 @@ selftests_sha1 (int extended, selftest_report_func_t report) "Sample #2", 9, key, 20, "\x09\x22\xd3\x40\x5f\xaa\x3d\x19\x4f\x82" - "\xa4\x58\x30\x73\x7d\x5c\xc6\xc7\x5d\x24", 20); + "\xa4\x58\x30\x73\x7d\x5c\xc6\xc7\x5d\x24", 20, 0); if (errtxt) goto failed; @@ -131,7 +145,7 @@ selftests_sha1 (int extended, selftest_report_func_t report) "Sample #3", 9, key, 100, "\xbc\xf4\x1e\xab\x8b\xb2\xd8\x02\xf3\xd0" - "\x5c\xaf\x7c\xb0\x92\xec\xf8\xd1\xa3\xaa", 20 ); + "\x5c\xaf\x7c\xb0\x92\xec\xf8\xd1\xa3\xaa", 20, 0); if (errtxt) goto failed; @@ -142,7 +156,7 @@ selftests_sha1 (int extended, selftest_report_func_t report) "Sample #4", 9, key, 49, "\x9e\xa8\x86\xef\xe2\x68\xdb\xec\xce\x42" - "\x0c\x75\x24\xdf\x32\xe0\x75\x1a\x2a\x26", 20 ); + "\x0c\x75\x24\xdf\x32\xe0\x75\x1a\x2a\x26", 20, 0); if (errtxt) goto failed; } @@ -255,7 +269,7 @@ selftests_sha224 (int extended, selftest_report_func_t report) errtxt = check_one (GCRY_MD_SHA224, tv[tvidx].data, strlen (tv[tvidx].data), tv[tvidx].key, strlen (tv[tvidx].key), - tv[tvidx].expect, DIM (tv[tvidx].expect) ); + tv[tvidx].expect, DIM (tv[tvidx].expect), 0); if (errtxt) goto failed; if (!extended) @@ -373,7 +387,7 @@ selftests_sha256 (int extended, selftest_report_func_t report) errtxt = check_one (GCRY_MD_SHA256, tv[tvidx].data, strlen (tv[tvidx].data), tv[tvidx].key, strlen (tv[tvidx].key), - tv[tvidx].expect, DIM (tv[tvidx].expect) ); + tv[tvidx].expect, DIM (tv[tvidx].expect), 0); if (errtxt) goto failed; @@ -523,7 +537,7 @@ selftests_sha384 (int extended, selftest_report_func_t report) errtxt = check_one (GCRY_MD_SHA384, tv[tvidx].data, strlen (tv[tvidx].data), tv[tvidx].key, strlen (tv[tvidx].key), - tv[tvidx].expect, DIM (tv[tvidx].expect) ); + tv[tvidx].expect, DIM (tv[tvidx].expect), 0); if (errtxt) goto failed; if (!extended) @@ -661,7 +675,7 @@ selftests_sha512 (int extended, selftest_report_func_t report) errtxt = check_one (GCRY_MD_SHA512, tv[tvidx].data, strlen (tv[tvidx].data), tv[tvidx].key, strlen (tv[tvidx].key), - tv[tvidx].expect, DIM (tv[tvidx].expect) ); + tv[tvidx].expect, DIM (tv[tvidx].expect), 0); if (errtxt) goto failed; if (!extended) @@ -678,6 +692,412 @@ selftests_sha512 (int extended, selftest_report_func_t report) +/* Test for the SHA3 algorithms. Vectors taken on 2017-07-18 from + * http://www.wolfgang-ehrhardt.de/hmac-sha3-testvectors.html */ +static gpg_err_code_t +selftests_sha3 (int hashalgo, int extended, selftest_report_func_t report) +{ + static struct + { + const char * const desc; + const char * const data; + const char * const key; + const char expect_224[28]; + const char expect_256[32]; + const char expect_384[48]; + const char expect_512[64]; + unsigned char trunc; + } tv[] = + { + { "data-9 key-20", /* Test 1 */ + "Hi There", + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + "\x0b\x0b\x0b\x0b", + + { 0x3b, 0x16, 0x54, 0x6b, 0xbc, 0x7b, 0xe2, 0x70, + 0x6a, 0x03, 0x1d, 0xca, 0xfd, 0x56, 0x37, 0x3d, + 0x98, 0x84, 0x36, 0x76, 0x41, 0xd8, 0xc5, 0x9a, + 0xf3, 0xc8, 0x60, 0xf7 }, + { 0xba, 0x85, 0x19, 0x23, 0x10, 0xdf, 0xfa, 0x96, + 0xe2, 0xa3, 0xa4, 0x0e, 0x69, 0x77, 0x43, 0x51, + 0x14, 0x0b, 0xb7, 0x18, 0x5e, 0x12, 0x02, 0xcd, + 0xcc, 0x91, 0x75, 0x89, 0xf9, 0x5e, 0x16, 0xbb }, + { 0x68, 0xd2, 0xdc, 0xf7, 0xfd, 0x4d, 0xdd, 0x0a, + 0x22, 0x40, 0xc8, 0xa4, 0x37, 0x30, 0x5f, 0x61, + 0xfb, 0x73, 0x34, 0xcf, 0xb5, 0xd0, 0x22, 0x6e, + 0x1b, 0xc2, 0x7d, 0xc1, 0x0a, 0x2e, 0x72, 0x3a, + 0x20, 0xd3, 0x70, 0xb4, 0x77, 0x43, 0x13, 0x0e, + 0x26, 0xac, 0x7e, 0x3d, 0x53, 0x28, 0x86, 0xbd }, + { 0xeb, 0x3f, 0xbd, 0x4b, 0x2e, 0xaa, 0xb8, 0xf5, + 0xc5, 0x04, 0xbd, 0x3a, 0x41, 0x46, 0x5a, 0xac, + 0xec, 0x15, 0x77, 0x0a, 0x7c, 0xab, 0xac, 0x53, + 0x1e, 0x48, 0x2f, 0x86, 0x0b, 0x5e, 0xc7, 0xba, + 0x47, 0xcc, 0xb2, 0xc6, 0xf2, 0xaf, 0xce, 0x8f, + 0x88, 0xd2, 0x2b, 0x6d, 0xc6, 0x13, 0x80, 0xf2, + 0x3a, 0x66, 0x8f, 0xd3, 0x88, 0x8b, 0xb8, 0x05, + 0x37, 0xc0, 0xa0, 0xb8, 0x64, 0x07, 0x68, 0x9e } + }, + + { "data-28 key-4", /* Test 2 */ + /* Test with a key shorter than the length of the HMAC output. */ + "what do ya want for nothing?", + "Jefe", + + { 0x7f, 0xdb, 0x8d, 0xd8, 0x8b, 0xd2, 0xf6, 0x0d, + 0x1b, 0x79, 0x86, 0x34, 0xad, 0x38, 0x68, 0x11, + 0xc2, 0xcf, 0xc8, 0x5b, 0xfa, 0xf5, 0xd5, 0x2b, + 0xba, 0xce, 0x5e, 0x66 }, + { 0xc7, 0xd4, 0x07, 0x2e, 0x78, 0x88, 0x77, 0xae, + 0x35, 0x96, 0xbb, 0xb0, 0xda, 0x73, 0xb8, 0x87, + 0xc9, 0x17, 0x1f, 0x93, 0x09, 0x5b, 0x29, 0x4a, + 0xe8, 0x57, 0xfb, 0xe2, 0x64, 0x5e, 0x1b, 0xa5 }, + { 0xf1, 0x10, 0x1f, 0x8c, 0xbf, 0x97, 0x66, 0xfd, + 0x67, 0x64, 0xd2, 0xed, 0x61, 0x90, 0x3f, 0x21, + 0xca, 0x9b, 0x18, 0xf5, 0x7c, 0xf3, 0xe1, 0xa2, + 0x3c, 0xa1, 0x35, 0x08, 0xa9, 0x32, 0x43, 0xce, + 0x48, 0xc0, 0x45, 0xdc, 0x00, 0x7f, 0x26, 0xa2, + 0x1b, 0x3f, 0x5e, 0x0e, 0x9d, 0xf4, 0xc2, 0x0a }, + { 0x5a, 0x4b, 0xfe, 0xab, 0x61, 0x66, 0x42, 0x7c, + 0x7a, 0x36, 0x47, 0xb7, 0x47, 0x29, 0x2b, 0x83, + 0x84, 0x53, 0x7c, 0xdb, 0x89, 0xaf, 0xb3, 0xbf, + 0x56, 0x65, 0xe4, 0xc5, 0xe7, 0x09, 0x35, 0x0b, + 0x28, 0x7b, 0xae, 0xc9, 0x21, 0xfd, 0x7c, 0xa0, + 0xee, 0x7a, 0x0c, 0x31, 0xd0, 0x22, 0xa9, 0x5e, + 0x1f, 0xc9, 0x2b, 0xa9, 0xd7, 0x7d, 0xf8, 0x83, + 0x96, 0x02, 0x75, 0xbe, 0xb4, 0xe6, 0x20, 0x24 } + }, + + { "data-50 key-20", /* Test 3 */ + /* Test with a combined length of key and data that is larger + * than 64 bytes (= block-size of SHA-224 and SHA-256). */ + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd", + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa", + + { 0x67, 0x6c, 0xfc, 0x7d, 0x16, 0x15, 0x36, 0x38, + 0x78, 0x03, 0x90, 0x69, 0x2b, 0xe1, 0x42, 0xd2, + 0xdf, 0x7c, 0xe9, 0x24, 0xb9, 0x09, 0xc0, 0xc0, + 0x8d, 0xbf, 0xdc, 0x1a }, + { 0x84, 0xec, 0x79, 0x12, 0x4a, 0x27, 0x10, 0x78, + 0x65, 0xce, 0xdd, 0x8b, 0xd8, 0x2d, 0xa9, 0x96, + 0x5e, 0x5e, 0xd8, 0xc3, 0x7b, 0x0a, 0xc9, 0x80, + 0x05, 0xa7, 0xf3, 0x9e, 0xd5, 0x8a, 0x42, 0x07 }, + { 0x27, 0x5c, 0xd0, 0xe6, 0x61, 0xbb, 0x8b, 0x15, + 0x1c, 0x64, 0xd2, 0x88, 0xf1, 0xf7, 0x82, 0xfb, + 0x91, 0xa8, 0xab, 0xd5, 0x68, 0x58, 0xd7, 0x2b, + 0xab, 0xb2, 0xd4, 0x76, 0xf0, 0x45, 0x83, 0x73, + 0xb4, 0x1b, 0x6a, 0xb5, 0xbf, 0x17, 0x4b, 0xec, + 0x42, 0x2e, 0x53, 0xfc, 0x31, 0x35, 0xac, 0x6e }, + { 0x30, 0x9e, 0x99, 0xf9, 0xec, 0x07, 0x5e, 0xc6, + 0xc6, 0xd4, 0x75, 0xed, 0xa1, 0x18, 0x06, 0x87, + 0xfc, 0xf1, 0x53, 0x11, 0x95, 0x80, 0x2a, 0x99, + 0xb5, 0x67, 0x74, 0x49, 0xa8, 0x62, 0x51, 0x82, + 0x85, 0x1c, 0xb3, 0x32, 0xaf, 0xb6, 0xa8, 0x9c, + 0x41, 0x13, 0x25, 0xfb, 0xcb, 0xcd, 0x42, 0xaf, + 0xcb, 0x7b, 0x6e, 0x5a, 0xab, 0x7e, 0xa4, 0x2c, + 0x66, 0x0f, 0x97, 0xfd, 0x85, 0x84, 0xbf, 0x03 } + }, + + { "data-50 key-25", /* Test 4 */ + /* Test with a combined length of key and data that is larger + * than 64 bytes (= block-size of SHA-224 and SHA-256). */ + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd", + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" + "\x11\x12\x13\x14\x15\x16\x17\x18\x19", + + { 0xa9, 0xd7, 0x68, 0x5a, 0x19, 0xc4, 0xe0, 0xdb, + 0xd9, 0xdf, 0x25, 0x56, 0xcc, 0x8a, 0x7d, 0x2a, + 0x77, 0x33, 0xb6, 0x76, 0x25, 0xce, 0x59, 0x4c, + 0x78, 0x27, 0x0e, 0xeb }, + { 0x57, 0x36, 0x6a, 0x45, 0xe2, 0x30, 0x53, 0x21, + 0xa4, 0xbc, 0x5a, 0xa5, 0xfe, 0x2e, 0xf8, 0xa9, + 0x21, 0xf6, 0xaf, 0x82, 0x73, 0xd7, 0xfe, 0x7b, + 0xe6, 0xcf, 0xed, 0xb3, 0xf0, 0xae, 0xa6, 0xd7 }, + { 0x3a, 0x5d, 0x7a, 0x87, 0x97, 0x02, 0xc0, 0x86, + 0xbc, 0x96, 0xd1, 0xdd, 0x8a, 0xa1, 0x5d, 0x9c, + 0x46, 0x44, 0x6b, 0x95, 0x52, 0x13, 0x11, 0xc6, + 0x06, 0xfd, 0xc4, 0xe3, 0x08, 0xf4, 0xb9, 0x84, + 0xda, 0x2d, 0x0f, 0x94, 0x49, 0xb3, 0xba, 0x84, + 0x25, 0xec, 0x7f, 0xb8, 0xc3, 0x1b, 0xc1, 0x36 }, + { 0xb2, 0x7e, 0xab, 0x1d, 0x6e, 0x8d, 0x87, 0x46, + 0x1c, 0x29, 0xf7, 0xf5, 0x73, 0x9d, 0xd5, 0x8e, + 0x98, 0xaa, 0x35, 0xf8, 0xe8, 0x23, 0xad, 0x38, + 0xc5, 0x49, 0x2a, 0x20, 0x88, 0xfa, 0x02, 0x81, + 0x99, 0x3b, 0xbf, 0xff, 0x9a, 0x0e, 0x9c, 0x6b, + 0xf1, 0x21, 0xae, 0x9e, 0xc9, 0xbb, 0x09, 0xd8, + 0x4a, 0x5e, 0xba, 0xc8, 0x17, 0x18, 0x2e, 0xa9, + 0x74, 0x67, 0x3f, 0xb1, 0x33, 0xca, 0x0d, 0x1d } + }, + + { "data-20 key-20 trunc", /* Test 5 */ + /* Test with a truncation of output to 128 bits. */ + "Test With Truncation", + "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" + "\x0c\x0c\x0c\x0c", + + { 0x49, 0xfd, 0xd3, 0xab, 0xd0, 0x05, 0xeb, 0xb8, + 0xae, 0x63, 0xfe, 0xa9, 0x46, 0xd1, 0x88, 0x3c }, + { 0x6e, 0x02, 0xc6, 0x45, 0x37, 0xfb, 0x11, 0x80, + 0x57, 0xab, 0xb7, 0xfb, 0x66, 0xa2, 0x3b, 0x3c }, + { 0x47, 0xc5, 0x1a, 0xce, 0x1f, 0xfa, 0xcf, 0xfd, + 0x74, 0x94, 0x72, 0x46, 0x82, 0x61, 0x57, 0x83 }, + { 0x0f, 0xa7, 0x47, 0x59, 0x48, 0xf4, 0x3f, 0x48, + 0xca, 0x05, 0x16, 0x67, 0x1e, 0x18, 0x97, 0x8c }, + 16 + }, + + { "data-54 key-131", /* Test 6 */ + /* Test with a key larger than 128 bytes (= block-size of + * SHA-384 and SHA-512). */ + "Test Using Larger Than Block-Size Key - Hash Key First", + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa", + + { 0xb4, 0xa1, 0xf0, 0x4c, 0x00, 0x28, 0x7a, 0x9b, + 0x7f, 0x60, 0x75, 0xb3, 0x13, 0xd2, 0x79, 0xb8, + 0x33, 0xbc, 0x8f, 0x75, 0x12, 0x43, 0x52, 0xd0, + 0x5f, 0xb9, 0x99, 0x5f }, + { 0xed, 0x73, 0xa3, 0x74, 0xb9, 0x6c, 0x00, 0x52, + 0x35, 0xf9, 0x48, 0x03, 0x2f, 0x09, 0x67, 0x4a, + 0x58, 0xc0, 0xce, 0x55, 0x5c, 0xfc, 0x1f, 0x22, + 0x3b, 0x02, 0x35, 0x65, 0x60, 0x31, 0x2c, 0x3b }, + { 0x0f, 0xc1, 0x95, 0x13, 0xbf, 0x6b, 0xd8, 0x78, + 0x03, 0x70, 0x16, 0x70, 0x6a, 0x0e, 0x57, 0xbc, + 0x52, 0x81, 0x39, 0x83, 0x6b, 0x9a, 0x42, 0xc3, + 0xd4, 0x19, 0xe4, 0x98, 0xe0, 0xe1, 0xfb, 0x96, + 0x16, 0xfd, 0x66, 0x91, 0x38, 0xd3, 0x3a, 0x11, + 0x05, 0xe0, 0x7c, 0x72, 0xb6, 0x95, 0x3b, 0xcc }, + { 0x00, 0xf7, 0x51, 0xa9, 0xe5, 0x06, 0x95, 0xb0, + 0x90, 0xed, 0x69, 0x11, 0xa4, 0xb6, 0x55, 0x24, + 0x95, 0x1c, 0xdc, 0x15, 0xa7, 0x3a, 0x5d, 0x58, + 0xbb, 0x55, 0x21, 0x5e, 0xa2, 0xcd, 0x83, 0x9a, + 0xc7, 0x9d, 0x2b, 0x44, 0xa3, 0x9b, 0xaf, 0xab, + 0x27, 0xe8, 0x3f, 0xde, 0x9e, 0x11, 0xf6, 0x34, + 0x0b, 0x11, 0xd9, 0x91, 0xb1, 0xb9, 0x1b, 0xf2, + 0xee, 0xe7, 0xfc, 0x87, 0x24, 0x26, 0xc3, 0xa4 } + }, + + { "data-54 key-147", /* Test 6a */ + /* Test with a key larger than 144 bytes (= block-size of + * SHA3-224). */ + "Test Using Larger Than Block-Size Key - Hash Key First", + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa", + + { 0xb9, 0x6d, 0x73, 0x0c, 0x14, 0x8c, 0x2d, 0xaa, + 0xd8, 0x64, 0x9d, 0x83, 0xde, 0xfa, 0xa3, 0x71, + 0x97, 0x38, 0xd3, 0x47, 0x75, 0x39, 0x7b, 0x75, + 0x71, 0xc3, 0x85, 0x15 }, + { 0xa6, 0x07, 0x2f, 0x86, 0xde, 0x52, 0xb3, 0x8b, + 0xb3, 0x49, 0xfe, 0x84, 0xcd, 0x6d, 0x97, 0xfb, + 0x6a, 0x37, 0xc4, 0xc0, 0xf6, 0x2a, 0xae, 0x93, + 0x98, 0x11, 0x93, 0xa7, 0x22, 0x9d, 0x34, 0x67 }, + { 0x71, 0x3d, 0xff, 0x03, 0x02, 0xc8, 0x50, 0x86, + 0xec, 0x5a, 0xd0, 0x76, 0x8d, 0xd6, 0x5a, 0x13, + 0xdd, 0xd7, 0x90, 0x68, 0xd8, 0xd4, 0xc6, 0x21, + 0x2b, 0x71, 0x2e, 0x41, 0x64, 0x94, 0x49, 0x11, + 0x14, 0x80, 0x23, 0x00, 0x44, 0x18, 0x5a, 0x99, + 0x10, 0x3e, 0xd8, 0x20, 0x04, 0xdd, 0xbf, 0xcc }, + { 0xb1, 0x48, 0x35, 0xc8, 0x19, 0xa2, 0x90, 0xef, + 0xb0, 0x10, 0xac, 0xe6, 0xd8, 0x56, 0x8d, 0xc6, + 0xb8, 0x4d, 0xe6, 0x0b, 0xc4, 0x9b, 0x00, 0x4c, + 0x3b, 0x13, 0xed, 0xa7, 0x63, 0x58, 0x94, 0x51, + 0xe5, 0xdd, 0x74, 0x29, 0x28, 0x84, 0xd1, 0xbd, + 0xce, 0x64, 0xe6, 0xb9, 0x19, 0xdd, 0x61, 0xdc, + 0x9c, 0x56, 0xa2, 0x82, 0xa8, 0x1c, 0x0b, 0xd1, + 0x4f, 0x1f, 0x36, 0x5b, 0x49, 0xb8, 0x3a, 0x5b } + }, + + { "data-152 key-131", /* Test 7 */ + /* Test with a key and data that is larger than 128 bytes (= + * block-size of SHA-384 and SHA-512). */ + "This is a test using a larger than block-size key and a larger " + "than block-size data. The key needs to be hashed before being " + "used by the HMAC algorithm.", + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa", + + { 0x05, 0xd8, 0xcd, 0x6d, 0x00, 0xfa, 0xea, 0x8d, + 0x1e, 0xb6, 0x8a, 0xde, 0x28, 0x73, 0x0b, 0xbd, + 0x3c, 0xba, 0xb6, 0x92, 0x9f, 0x0a, 0x08, 0x6b, + 0x29, 0xcd, 0x62, 0xa0 }, + { 0x65, 0xc5, 0xb0, 0x6d, 0x4c, 0x3d, 0xe3, 0x2a, + 0x7a, 0xef, 0x87, 0x63, 0x26, 0x1e, 0x49, 0xad, + 0xb6, 0xe2, 0x29, 0x3e, 0xc8, 0xe7, 0xc6, 0x1e, + 0x8d, 0xe6, 0x17, 0x01, 0xfc, 0x63, 0xe1, 0x23 }, + { 0x02, 0x6f, 0xdf, 0x6b, 0x50, 0x74, 0x1e, 0x37, + 0x38, 0x99, 0xc9, 0xf7, 0xd5, 0x40, 0x6d, 0x4e, + 0xb0, 0x9f, 0xc6, 0x66, 0x56, 0x36, 0xfc, 0x1a, + 0x53, 0x00, 0x29, 0xdd, 0xf5, 0xcf, 0x3c, 0xa5, + 0xa9, 0x00, 0xed, 0xce, 0x01, 0xf5, 0xf6, 0x1e, + 0x2f, 0x40, 0x8c, 0xdf, 0x2f, 0xd3, 0xe7, 0xe8 }, + { 0x38, 0xa4, 0x56, 0xa0, 0x04, 0xbd, 0x10, 0xd3, + 0x2c, 0x9a, 0xb8, 0x33, 0x66, 0x84, 0x11, 0x28, + 0x62, 0xc3, 0xdb, 0x61, 0xad, 0xcc, 0xa3, 0x18, + 0x29, 0x35, 0x5e, 0xaf, 0x46, 0xfd, 0x5c, 0x73, + 0xd0, 0x6a, 0x1f, 0x0d, 0x13, 0xfe, 0xc9, 0xa6, + 0x52, 0xfb, 0x38, 0x11, 0xb5, 0x77, 0xb1, 0xb1, + 0xd1, 0xb9, 0x78, 0x9f, 0x97, 0xae, 0x5b, 0x83, + 0xc6, 0xf4, 0x4d, 0xfc, 0xf1, 0xd6, 0x7e, 0xba } + }, + + { "data-152 key-147", /* Test 7a */ + /* Test with a key larger than 144 bytes (= block-size of + * SHA3-224). */ + "This is a test using a larger than block-size key and a larger " + "than block-size data. The key needs to be hashed before being " + "used by the HMAC algorithm.", + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa", + + { 0xc7, 0x9c, 0x9b, 0x09, 0x34, 0x24, 0xe5, 0x88, + 0xa9, 0x87, 0x8b, 0xbc, 0xb0, 0x89, 0xe0, 0x18, + 0x27, 0x00, 0x96, 0xe9, 0xb4, 0xb1, 0xa9, 0xe8, + 0x22, 0x0c, 0x86, 0x6a }, + { 0xe6, 0xa3, 0x6d, 0x9b, 0x91, 0x5f, 0x86, 0xa0, + 0x93, 0xca, 0xc7, 0xd1, 0x10, 0xe9, 0xe0, 0x4c, + 0xf1, 0xd6, 0x10, 0x0d, 0x30, 0x47, 0x55, 0x09, + 0xc2, 0x47, 0x5f, 0x57, 0x1b, 0x75, 0x8b, 0x5a }, + { 0xca, 0xd1, 0x8a, 0x8f, 0xf6, 0xc4, 0xcc, 0x3a, + 0xd4, 0x87, 0xb9, 0x5f, 0x97, 0x69, 0xe9, 0xb6, + 0x1c, 0x06, 0x2a, 0xef, 0xd6, 0x95, 0x25, 0x69, + 0xe6, 0xe6, 0x42, 0x18, 0x97, 0x05, 0x4c, 0xfc, + 0x70, 0xb5, 0xfd, 0xc6, 0x60, 0x5c, 0x18, 0x45, + 0x71, 0x12, 0xfc, 0x6a, 0xaa, 0xd4, 0x55, 0x85 }, + { 0xdc, 0x03, 0x0e, 0xe7, 0x88, 0x70, 0x34, 0xf3, + 0x2c, 0xf4, 0x02, 0xdf, 0x34, 0x62, 0x2f, 0x31, + 0x1f, 0x3e, 0x6c, 0xf0, 0x48, 0x60, 0xc6, 0xbb, + 0xd7, 0xfa, 0x48, 0x86, 0x74, 0x78, 0x2b, 0x46, + 0x59, 0xfd, 0xbd, 0xf3, 0xfd, 0x87, 0x78, 0x52, + 0x88, 0x5c, 0xfe, 0x6e, 0x22, 0x18, 0x5f, 0xe7, + 0xb2, 0xee, 0x95, 0x20, 0x43, 0x62, 0x9b, 0xc9, + 0xd5, 0xf3, 0x29, 0x8a, 0x41, 0xd0, 0x2c, 0x66 } + }/*,*/ + + /* Our API does not allow to specify a bit count and thus we + * can't use the following test. */ + /* { "data-5bit key-4", /\* Test 8 *\/ */ + /* /\* Test with data bit size no multiple of 8, the data bits are */ + /* * '11001' from the NIST example using SHA-3 order (= 5 bits */ + /* * from LSB hex byte 13 or 5 bits from MSB hex byte c8). *\/ */ + /* "\xc8", */ + /* "Jefe", */ + + /* { 0x5f, 0x8c, 0x0e, 0xa7, 0xfa, 0xfe, 0xcd, 0x0c, */ + /* 0x34, 0x63, 0xaa, 0xd0, 0x97, 0x42, 0xce, 0xce, */ + /* 0xb1, 0x42, 0xfe, 0x0a, 0xb6, 0xf4, 0x53, 0x94, */ + /* 0x38, 0xc5, 0x9d, 0xe8 }, */ + /* { 0xec, 0x82, 0x22, 0x77, 0x3f, 0xac, 0x68, 0xb3, */ + /* 0xd3, 0xdc, 0xb1, 0x82, 0xae, 0xc8, 0xb0, 0x50, */ + /* 0x7a, 0xce, 0x44, 0x48, 0xd2, 0x0a, 0x11, 0x47, */ + /* 0xe6, 0x82, 0x11, 0x8d, 0xa4, 0xe3, 0xf4, 0x4c }, */ + /* { 0x21, 0xfb, 0xd3, 0xbf, 0x3e, 0xbb, 0xa3, 0xcf, */ + /* 0xc9, 0xef, 0x64, 0xc0, 0x59, 0x1c, 0x92, 0xc5, */ + /* 0xac, 0xb2, 0x65, 0xe9, 0x2d, 0x87, 0x61, 0xd1, */ + /* 0xf9, 0x1a, 0x52, 0xa1, 0x03, 0xa6, 0xc7, 0x96, */ + /* 0x94, 0xcf, 0xd6, 0x7a, 0x9a, 0x2a, 0xc1, 0x32, */ + /* 0x4f, 0x02, 0xfe, 0xa6, 0x3b, 0x81, 0xef, 0xfc }, */ + /* { 0x27, 0xf9, 0x38, 0x8c, 0x15, 0x67, 0xef, 0x4e, */ + /* 0xf2, 0x00, 0x60, 0x2a, 0x6c, 0xf8, 0x71, 0xd6, */ + /* 0x8a, 0x6f, 0xb0, 0x48, 0xd4, 0x73, 0x7a, 0xc4, */ + /* 0x41, 0x8a, 0x2f, 0x02, 0x12, 0x89, 0xd1, 0x3d, */ + /* 0x1f, 0xd1, 0x12, 0x0f, 0xec, 0xb9, 0xcf, 0x96, */ + /* 0x4c, 0x5b, 0x11, 0x7a, 0xb5, 0xb1, 0x1c, 0x61, */ + /* 0x4b, 0x2d, 0xa3, 0x9d, 0xad, 0xd5, 0x1f, 0x2f, */ + /* 0x5e, 0x22, 0xaa, 0xcc, 0xec, 0x7d, 0x57, 0x6e } */ + /* } */ + + }; + const char *what; + const char *errtxt; + int tvidx; + const char *expect; + int nexpect; + + for (tvidx=0; tvidx < DIM(tv); tvidx++) + { + what = tv[tvidx].desc; + if (hashalgo == GCRY_MD_SHA3_224) + { + expect = tv[tvidx].expect_224; + nexpect = DIM (tv[tvidx].expect_224); + } + else if (hashalgo == GCRY_MD_SHA3_256) + { + expect = tv[tvidx].expect_256; + nexpect = DIM (tv[tvidx].expect_256); + } + else if (hashalgo == GCRY_MD_SHA3_384) + { + expect = tv[tvidx].expect_384; + nexpect = DIM (tv[tvidx].expect_384); + } + else if (hashalgo == GCRY_MD_SHA3_512) + { + expect = tv[tvidx].expect_512; + nexpect = DIM (tv[tvidx].expect_512); + } + else + BUG(); + + if (tv[tvidx].trunc && tv[tvidx].trunc < nexpect) + nexpect = tv[tvidx].trunc; + + errtxt = check_one (hashalgo, + tv[tvidx].data, strlen (tv[tvidx].data), + tv[tvidx].key, strlen (tv[tvidx].key), + expect, nexpect, !!tv[tvidx].trunc); + if (errtxt) + goto failed; + if (!extended) + break; + } + + return 0; /* Succeeded. */ + + failed: + if (report) + report ("hmac", hashalgo, what, errtxt); + return GPG_ERR_SELFTEST_FAILED; +} + + /* Run a full self-test for ALGO and return 0 on success. */ static gpg_err_code_t run_selftests (int algo, int extended, selftest_report_func_t report) @@ -706,10 +1126,7 @@ run_selftests (int algo, int extended, selftest_report_func_t report) case GCRY_MD_SHA3_256: case GCRY_MD_SHA3_384: case GCRY_MD_SHA3_512: - ec = 0; /* FIXME: Add selftests. */ -#if defined(__GNUC__) && defined(IS_DEVELOPMENT_VERSION) -# warning Please add self test functions for HMAC-SHA3 -#endif + ec = selftests_sha3 (algo, extended, report); break; default: diff --git a/cipher/md.c b/cipher/md.c index 27a0efb..c1f585f 100644 --- a/cipher/md.c +++ b/cipher/md.c @@ -57,11 +57,11 @@ static gcry_md_spec_t *digest_list[] = &_gcry_digest_spec_shake128, &_gcry_digest_spec_shake256, #endif -#ifdef USE_GOST_R_3411_94 +#if USE_GOST_R_3411_94 &_gcry_digest_spec_gost3411_94, &_gcry_digest_spec_gost3411_cp, #endif -#ifdef USE_GOST_R_3411_12 +#if USE_GOST_R_3411_12 &_gcry_digest_spec_stribog_256, &_gcry_digest_spec_stribog_512, #endif @@ -85,7 +85,17 @@ static gcry_md_spec_t *digest_list[] = #if USE_MD2 &_gcry_digest_spec_md2, #endif - NULL +#if USE_BLAKE2 + &_gcry_digest_spec_blake2b_512, + &_gcry_digest_spec_blake2b_384, + &_gcry_digest_spec_blake2b_256, + &_gcry_digest_spec_blake2b_160, + &_gcry_digest_spec_blake2s_256, + &_gcry_digest_spec_blake2s_224, + &_gcry_digest_spec_blake2s_160, + &_gcry_digest_spec_blake2s_128, +#endif + NULL }; @@ -673,6 +683,69 @@ md_final (gcry_md_hd_t a) } +static gcry_err_code_t +md_setkey (gcry_md_hd_t h, const unsigned char *key, size_t keylen) +{ + gcry_err_code_t rc = 0; + GcryDigestEntry *r; + int algo_had_setkey = 0; + + if (!h->ctx->list) + return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */ + + if (h->ctx->flags.hmac) + return GPG_ERR_DIGEST_ALGO; /* Tried md_setkey for HMAC md. */ + + for (r = h->ctx->list; r; r = r->next) + { + switch (r->spec->algo) + { + /* TODO? add spec->init_with_key? */ + case GCRY_MD_BLAKE2B_512: + case GCRY_MD_BLAKE2B_384: + case GCRY_MD_BLAKE2B_256: + case GCRY_MD_BLAKE2B_160: + case GCRY_MD_BLAKE2S_256: + case GCRY_MD_BLAKE2S_224: + case GCRY_MD_BLAKE2S_160: + case GCRY_MD_BLAKE2S_128: + algo_had_setkey = 1; + memset (r->context.c, 0, r->spec->contextsize); + rc = _gcry_blake2_init_with_key (r->context.c, + h->ctx->flags.bugemu1 + ? GCRY_MD_FLAG_BUGEMU1:0, + key, keylen, r->spec->algo); + break; + default: + rc = GPG_ERR_DIGEST_ALGO; + break; + } + + if (rc) + break; + } + + if (rc && !algo_had_setkey) + { + /* None of algorithms had setkey implementation, so contexts were not + * modified. Just return error. */ + return rc; + } + else if (rc && algo_had_setkey) + { + /* Some of the contexts have been modified, but got error. Reset + * all contexts. */ + _gcry_md_reset (h); + return rc; + } + + /* Successful md_setkey implies reset. */ + h->bufpos = h->ctx->flags.finalized = 0; + + return 0; +} + + static gcry_err_code_t prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) { @@ -682,7 +755,7 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */ if (!a->ctx->flags.hmac) - return GPG_ERR_DIGEST_ALGO; /* Tried setkey for non-HMAC md. */ + return GPG_ERR_DIGEST_ALGO; /* Tried prepare_macpads for non-HMAC md. */ for (r = a->ctx->list; r; r = r->next) { @@ -694,6 +767,7 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) switch (r->spec->algo) { + /* TODO: add spec->blocksize */ case GCRY_MD_SHA3_224: macpad_Bsize = 1152 / 8; break; @@ -708,6 +782,10 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) break; case GCRY_MD_SHA384: case GCRY_MD_SHA512: + case GCRY_MD_BLAKE2B_512: + case GCRY_MD_BLAKE2B_384: + case GCRY_MD_BLAKE2B_256: + case GCRY_MD_BLAKE2B_160: macpad_Bsize = 128; break; case GCRY_MD_GOSTR3411_94: @@ -794,9 +872,16 @@ _gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen) { gcry_err_code_t rc; - rc = prepare_macpads (hd, key, keylen); - if (!rc) - _gcry_md_reset (hd); + if (hd->ctx->flags.hmac) + { + rc = prepare_macpads (hd, key, keylen); + if (!rc) + _gcry_md_reset (hd); + } + else + { + rc = md_setkey (hd, key, keylen); + } return rc; } @@ -943,10 +1028,24 @@ void _gcry_md_hash_buffer (int algo, void *digest, const void *buffer, size_t length) { - if (algo == GCRY_MD_SHA1) + if (0) + ; +#if USE_SHA256 + else if (algo == GCRY_MD_SHA256) + _gcry_sha256_hash_buffer (digest, buffer, length); +#endif +#if USE_SHA512 + else if (algo == GCRY_MD_SHA512) + _gcry_sha512_hash_buffer (digest, buffer, length); +#endif +#if USE_SHA1 + else if (algo == GCRY_MD_SHA1) _gcry_sha1_hash_buffer (digest, buffer, length); +#endif +#if USE_RMD160 else if (algo == GCRY_MD_RMD160 && !fips_mode () ) _gcry_rmd160_hash_buffer (digest, buffer, length); +#endif else { /* For the others we do not have a fast function, so we use the @@ -1006,12 +1105,24 @@ _gcry_md_hash_buffers (int algo, unsigned int flags, void *digest, if (hmac && iovcnt < 1) return GPG_ERR_INV_ARG; - if (algo == GCRY_MD_SHA1 && !hmac) + if (0) + ; +#if USE_SHA256 + else if (algo == GCRY_MD_SHA256 && !hmac) + _gcry_sha256_hash_buffers (digest, iov, iovcnt); +#endif +#if USE_SHA512 + else if (algo == GCRY_MD_SHA512 && !hmac) + _gcry_sha512_hash_buffers (digest, iov, iovcnt); +#endif +#if USE_SHA1 + else if (algo == GCRY_MD_SHA1 && !hmac) _gcry_sha1_hash_buffers (digest, iov, iovcnt); +#endif else { /* For the others we do not have a fast function, so we use the - normal functions. */ + normal functions. */ gcry_md_hd_t h; gpg_err_code_t rc; int dlen; diff --git a/cipher/poly1305.c b/cipher/poly1305.c index 7ae3592..22255fb 100644 --- a/cipher/poly1305.c +++ b/cipher/poly1305.c @@ -55,7 +55,24 @@ static const poly1305_ops_t poly1305_amd64_sse2_ops = { _gcry_poly1305_amd64_sse2_finish_ext }; -#endif +#else /* !POLY1305_USE_SSE2 */ + +static OPS_FUNC_ABI void poly1305_init_ext_ref32 +/**/ (void *state, const poly1305_key_t *key); +static OPS_FUNC_ABI unsigned int poly1305_blocks_ref32 +/**/ (void *state, const byte *m, size_t bytes); +static OPS_FUNC_ABI unsigned int poly1305_finish_ext_ref32 +/**/ (void *state, const byte * m, + size_t remaining, byte mac[POLY1305_TAGLEN]); + +static const poly1305_ops_t poly1305_default_ops = { + POLY1305_REF_BLOCKSIZE, + poly1305_init_ext_ref32, + poly1305_blocks_ref32, + poly1305_finish_ext_ref32 +}; + +#endif /* !POLY1305_USE_SSE2 */ #ifdef POLY1305_USE_AVX2 @@ -111,6 +128,7 @@ typedef struct poly1305_state_ref32_s } poly1305_state_ref32_t; +#ifndef POLY1305_USE_SSE2 static OPS_FUNC_ABI void poly1305_init_ext_ref32 (void *state, const poly1305_key_t * key) { @@ -141,8 +159,10 @@ poly1305_init_ext_ref32 (void *state, const poly1305_key_t * key) st->final = 0; } +#endif /* !POLY1305_USE_SSE2 */ +#ifndef POLY1305_USE_SSE2 static OPS_FUNC_ABI unsigned int poly1305_blocks_ref32 (void *state, const byte * m, size_t bytes) { @@ -229,8 +249,10 @@ poly1305_blocks_ref32 (void *state, const byte * m, size_t bytes) return (16 * sizeof (u32) + 5 * sizeof (u64) + 5 * sizeof (void *)); } +#endif /* !POLY1305_USE_SSE2 */ +#ifndef POLY1305_USE_SSE2 static OPS_FUNC_ABI unsigned int poly1305_finish_ext_ref32 (void *state, const byte * m, size_t remaining, byte mac[POLY1305_TAGLEN]) @@ -347,15 +369,9 @@ poly1305_finish_ext_ref32 (void *state, const byte * m, return (13 * sizeof (u32) + sizeof (u64) + POLY1305_REF_BLOCKSIZE + 6 * sizeof (void *)) + burn; } +#endif /* !POLY1305_USE_SSE2*/ -static const poly1305_ops_t poly1305_default_ops = { - POLY1305_REF_BLOCKSIZE, - poly1305_init_ext_ref32, - poly1305_blocks_ref32, - poly1305_finish_ext_ref32 -}; - diff --git a/cipher/primegen.c b/cipher/primegen.c index cccda84..c7977d1 100644 --- a/cipher/primegen.c +++ b/cipher/primegen.c @@ -1301,7 +1301,7 @@ find_x931_prime (const gcry_mpi_t pfirst) mpi_set_bit (prime, 0); /* We use 64 Rabin-Miller rounds which is better and thus - sufficient. We do not have a Lucas test implementaion thus we + sufficient. We do not have a Lucas test implementation thus we can't do it in the X9.31 preferred way of running a few Rabin-Miller followed by one Lucas test. */ while ( !check_prime (prime, val_2, 64, NULL, NULL) ) diff --git a/cipher/rijndael-aesni.c b/cipher/rijndael-aesni.c index 8b28b3a..735e5cd 100644 --- a/cipher/rijndael-aesni.c +++ b/cipher/rijndael-aesni.c @@ -41,7 +41,10 @@ #endif -typedef struct u128_s { u32 a, b, c, d; } u128_t; +typedef struct u128_s +{ + u32 a, b, c, d; +} __attribute__((packed, aligned(1), may_alias)) u128_t; /* Two macros to be called prior and after the use of AESNI @@ -1331,74 +1334,10 @@ _gcry_aes_aesni_cbc_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, } -static inline const unsigned char * -get_l (gcry_cipher_hd_t c, unsigned char *l_tmp, u64 i, unsigned char *iv, - unsigned char *ctr) -{ - const unsigned char *l; - unsigned int ntz; - - if (i & 0xffffffffU) - { - asm ("rep;bsf %k[low], %k[ntz]\n\t" - : [ntz] "=r" (ntz) - : [low] "r" (i & 0xffffffffU) - : "cc"); - } - else - { - if (OCB_L_TABLE_SIZE < 32) - { - ntz = 32; - } - else if (i) - { - asm ("rep;bsf %k[high], %k[ntz]\n\t" - : [ntz] "=r" (ntz) - : [high] "r" (i >> 32) - : "cc"); - ntz += 32; - } - else - { - ntz = 64; - } - } - - if (ntz < OCB_L_TABLE_SIZE) - { - l = c->u_mode.ocb.L[ntz]; - } - else - { - /* Store Offset & Checksum before calling external function */ - asm volatile ("movdqu %%xmm5, %[iv]\n\t" - "movdqu %%xmm6, %[ctr]\n\t" - : [iv] "=m" (*iv), - [ctr] "=m" (*ctr) - : - : "memory" ); - - l = _gcry_cipher_ocb_get_l (c, l_tmp, i); - - /* Restore Offset & Checksum */ - asm volatile ("movdqu %[iv], %%xmm5\n\t" - "movdqu %[ctr], %%xmm6\n\t" - : /* No output */ - : [iv] "m" (*iv), - [ctr] "m" (*ctr) - : "memory" ); - } - - return l; -} - - static void aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks) { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; RIJNDAEL_context *ctx = (void *)&c->context.c; unsigned char *outbuf = outbuf_arg; const unsigned char *inbuf = inbuf_arg; @@ -1420,7 +1359,7 @@ aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, for ( ;nblocks && n % 4; nblocks-- ) { - l = get_l(c, l_tmp.x1, ++n, c->u_iv.iv, c->u_ctr.ctr); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* Checksum_i = Checksum_{i-1} xor P_i */ @@ -1449,9 +1388,8 @@ aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, for ( ;nblocks > 3 ; nblocks -= 4 ) { - /* l_tmp will be used only every 65536-th block. */ n += 4; - l = get_l(c, l_tmp.x1, n, c->u_iv.iv, c->u_ctr.ctr); + l = ocb_get_l(c, n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* Checksum_i = Checksum_{i-1} xor P_i */ @@ -1522,7 +1460,7 @@ aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, for ( ;nblocks; nblocks-- ) { - l = get_l(c, l_tmp.x1, ++n, c->u_iv.iv, c->u_ctr.ctr); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* Checksum_i = Checksum_{i-1} xor P_i */ @@ -1559,8 +1497,6 @@ aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, aesni_cleanup (); aesni_cleanup_2_6 (); - - wipememory(&l_tmp, sizeof(l_tmp)); } @@ -1568,7 +1504,6 @@ static void aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks) { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; RIJNDAEL_context *ctx = (void *)&c->context.c; unsigned char *outbuf = outbuf_arg; const unsigned char *inbuf = inbuf_arg; @@ -1589,7 +1524,7 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, for ( ;nblocks && n % 4; nblocks-- ) { - l = get_l(c, l_tmp.x1, ++n, c->u_iv.iv, c->u_ctr.ctr); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ @@ -1618,9 +1553,8 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, for ( ;nblocks > 3 ; nblocks -= 4 ) { - /* l_tmp will be used only every 65536-th block. */ n += 4; - l = get_l(c, l_tmp.x1, n, c->u_iv.iv, c->u_ctr.ctr); + l = ocb_get_l(c, n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ @@ -1691,7 +1625,7 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, for ( ;nblocks; nblocks-- ) { - l = get_l(c, l_tmp.x1, ++n, c->u_iv.iv, c->u_ctr.ctr); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ @@ -1728,8 +1662,6 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, aesni_cleanup (); aesni_cleanup_2_6 (); - - wipememory(&l_tmp, sizeof(l_tmp)); } @@ -1748,7 +1680,6 @@ void _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, size_t nblocks) { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; RIJNDAEL_context *ctx = (void *)&c->context.c; const unsigned char *abuf = abuf_arg; u64 n = c->u_mode.ocb.aad_nblocks; @@ -1768,8 +1699,7 @@ _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, for ( ;nblocks && n % 4; nblocks-- ) { - l = get_l(c, l_tmp.x1, ++n, c->u_mode.ocb.aad_offset, - c->u_mode.ocb.aad_sum); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ @@ -1794,10 +1724,8 @@ _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, for ( ;nblocks > 3 ; nblocks -= 4 ) { - /* l_tmp will be used only every 65536-th block. */ n += 4; - l = get_l(c, l_tmp.x1, n, c->u_mode.ocb.aad_offset, - c->u_mode.ocb.aad_sum); + l = ocb_get_l(c, n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ @@ -1849,8 +1777,7 @@ _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, for ( ;nblocks; nblocks-- ) { - l = get_l(c, l_tmp.x1, ++n, c->u_mode.ocb.aad_offset, - c->u_mode.ocb.aad_sum); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ @@ -1883,8 +1810,6 @@ _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, aesni_cleanup (); aesni_cleanup_2_6 (); - - wipememory(&l_tmp, sizeof(l_tmp)); } diff --git a/cipher/rijndael-armv8-aarch32-ce.S b/cipher/rijndael-armv8-aarch32-ce.S index bf68f20..5c8fa3c 100644 --- a/cipher/rijndael-armv8-aarch32-ce.S +++ b/cipher/rijndael-armv8-aarch32-ce.S @@ -24,6 +24,7 @@ defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO) .syntax unified +.arch armv8-a .fpu crypto-neon-fp-armv8 .arm @@ -1021,9 +1022,10 @@ _gcry_aes_ctr_enc_armv8_ce: * const unsigned char *inbuf, * unsigned char *offset, * unsigned char *checksum, - * void **Ls, + * unsigned char *L_table, * size_t nblocks, - * unsigned int nrounds); + * unsigned int nrounds, + * unsigned int blkn); */ .align 3 @@ -1039,6 +1041,7 @@ _gcry_aes_ocb_enc_armv8_ce: * %st+4: Ls => r5 * %st+8: nblocks => r6 (0 < nblocks <= 32) * %st+12: nrounds => r7 + * %st+16: blkn => lr */ vpush {q4-q7} @@ -1047,6 +1050,7 @@ _gcry_aes_ocb_enc_armv8_ce: ldr r4, [sp, #(104+0)] ldr r5, [sp, #(104+4)] ldr r6, [sp, #(104+8)] + ldr lr, [sp, #(104+16)] cmp r7, #12 vld1.8 {q0}, [r3] /* load offset */ @@ -1059,6 +1063,7 @@ _gcry_aes_ocb_enc_armv8_ce: #define OCB_ENC(bits, ...) \ .Locb_enc_entry_##bits: \ cmp r6, #4; \ + add lr, #1; \ blo .Locb_enc_loop_##bits; \ \ .Locb_enc_loop4_##bits: \ @@ -1067,7 +1072,23 @@ _gcry_aes_ocb_enc_armv8_ce: /* Checksum_i = Checksum_{i-1} xor P_i */ \ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \ \ - ldm r5!, {r8, r9, r10, r11}; \ + add r9, lr, #1; \ + add r10, lr, #2; \ + add r11, lr, #3; \ + rbit r8, lr; \ + add lr, lr, #4; \ + rbit r9, r9; \ + rbit r10, r10; \ + rbit r11, r11; \ + clz r8, r8; /* ntz(i+0) */ \ + clz r9, r9; /* ntz(i+1) */ \ + clz r10, r10; /* ntz(i+2) */ \ + clz r11, r11; /* ntz(i+3) */ \ + add r8, r5, r8, lsl #4; \ + add r9, r5, r9, lsl #4; \ + add r10, r5, r10, lsl #4; \ + add r11, r5, r11, lsl #4; \ + \ sub r6, #4; \ \ vld1.8 {q9}, [r8]; /* load L_{ntz(i+0)} */ \ @@ -1120,7 +1141,11 @@ _gcry_aes_ocb_enc_armv8_ce: /* Checksum_i = Checksum_{i-1} xor P_i */ \ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \ \ - ldr r8, [r5], #4; \ + rbit r8, lr; \ + add lr, #1; \ + clz r8, r8; /* ntz(i) */ \ + add r8, r5, r8, lsl #4; \ + \ vld1.8 {q1}, [r2]!; /* load plaintext */ \ vld1.8 {q2}, [r8]; /* load L_{ntz(i)} */ \ vld1.8 {q3}, [r4]; /* load checksum */ \ @@ -1171,9 +1196,10 @@ _gcry_aes_ocb_enc_armv8_ce: * const unsigned char *inbuf, * unsigned char *offset, * unsigned char *checksum, - * void **Ls, + * unsigned char *L_table, * size_t nblocks, - * unsigned int nrounds); + * unsigned int nrounds, + * unsigned int blkn); */ .align 3 @@ -1189,6 +1215,7 @@ _gcry_aes_ocb_dec_armv8_ce: * %st+4: Ls => r5 * %st+8: nblocks => r6 (0 < nblocks <= 32) * %st+12: nrounds => r7 + * %st+16: blkn => lr */ vpush {q4-q7} @@ -1197,6 +1224,7 @@ _gcry_aes_ocb_dec_armv8_ce: ldr r4, [sp, #(104+0)] ldr r5, [sp, #(104+4)] ldr r6, [sp, #(104+8)] + ldr lr, [sp, #(104+16)] cmp r7, #12 vld1.8 {q0}, [r3] /* load offset */ @@ -1209,6 +1237,7 @@ _gcry_aes_ocb_dec_armv8_ce: #define OCB_DEC(bits, ...) \ .Locb_dec_entry_##bits: \ cmp r6, #4; \ + add lr, #1; \ blo .Locb_dec_loop_##bits; \ \ .Locb_dec_loop4_##bits: \ @@ -1217,7 +1246,23 @@ _gcry_aes_ocb_dec_armv8_ce: /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \ /* Checksum_i = Checksum_{i-1} xor P_i */ \ \ - ldm r5!, {r8, r9, r10, r11}; \ + add r9, lr, #1; \ + add r10, lr, #2; \ + add r11, lr, #3; \ + rbit r8, lr; \ + add lr, lr, #4; \ + rbit r9, r9; \ + rbit r10, r10; \ + rbit r11, r11; \ + clz r8, r8; /* ntz(i+0) */ \ + clz r9, r9; /* ntz(i+1) */ \ + clz r10, r10; /* ntz(i+2) */ \ + clz r11, r11; /* ntz(i+3) */ \ + add r8, r5, r8, lsl #4; \ + add r9, r5, r9, lsl #4; \ + add r10, r5, r10, lsl #4; \ + add r11, r5, r11, lsl #4; \ + \ sub r6, #4; \ \ vld1.8 {q9}, [r8]; /* load L_{ntz(i+0)} */ \ @@ -1270,7 +1315,11 @@ _gcry_aes_ocb_dec_armv8_ce: /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \ /* Checksum_i = Checksum_{i-1} xor P_i */ \ \ - ldr r8, [r5], #4; \ + rbit r8, lr; \ + add lr, #1; \ + clz r8, r8; /* ntz(i) */ \ + add r8, r5, r8, lsl #4; \ + \ vld1.8 {q2}, [r8]; /* load L_{ntz(i)} */ \ vld1.8 {q1}, [r2]!; /* load ciphertext */ \ subs r6, #1; \ @@ -1320,9 +1369,10 @@ _gcry_aes_ocb_dec_armv8_ce: * const unsigned char *abuf, * unsigned char *offset, * unsigned char *checksum, - * void **Ls, + * unsigned char *L_table, * size_t nblocks, - * unsigned int nrounds); + * unsigned int nrounds, + * unsigned int blkn); */ .align 3 @@ -1337,6 +1387,7 @@ _gcry_aes_ocb_auth_armv8_ce: * %st+0: Ls => r5 * %st+4: nblocks => r6 (0 < nblocks <= 32) * %st+8: nrounds => r7 + * %st+12: blkn => lr */ vpush {q4-q7} @@ -1344,6 +1395,7 @@ _gcry_aes_ocb_auth_armv8_ce: ldr r7, [sp, #(104+8)] ldr r5, [sp, #(104+0)] ldr r6, [sp, #(104+4)] + ldr lr, [sp, #(104+12)] cmp r7, #12 vld1.8 {q0}, [r2] /* load offset */ @@ -1356,6 +1408,7 @@ _gcry_aes_ocb_auth_armv8_ce: #define OCB_AUTH(bits, ...) \ .Locb_auth_entry_##bits: \ cmp r6, #4; \ + add lr, #1; \ blo .Locb_auth_loop_##bits; \ \ .Locb_auth_loop4_##bits: \ @@ -1363,7 +1416,23 @@ _gcry_aes_ocb_auth_armv8_ce: /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \ \ - ldm r5!, {r8, r9, r10, r11}; \ + add r9, lr, #1; \ + add r10, lr, #2; \ + add r11, lr, #3; \ + rbit r8, lr; \ + add lr, lr, #4; \ + rbit r9, r9; \ + rbit r10, r10; \ + rbit r11, r11; \ + clz r8, r8; /* ntz(i+0) */ \ + clz r9, r9; /* ntz(i+1) */ \ + clz r10, r10; /* ntz(i+2) */ \ + clz r11, r11; /* ntz(i+3) */ \ + add r8, r5, r8, lsl #4; \ + add r9, r5, r9, lsl #4; \ + add r10, r5, r10, lsl #4; \ + add r11, r5, r11, lsl #4; \ + \ sub r6, #4; \ \ vld1.8 {q9}, [r8]; /* load L_{ntz(i+0)} */ \ @@ -1401,8 +1470,12 @@ _gcry_aes_ocb_auth_armv8_ce: /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \ \ - ldr r8, [r5], #4; \ - vld1.8 {q2}, [r8]; /* load L_{ntz(i)} */ \ + rbit r8, lr; \ + add lr, #1; \ + clz r8, r8; /* ntz(i) */ \ + add r8, r5, r8, lsl #4; \ + \ + vld1.8 {q2}, [r8]; /* load L_{ntz(i)} */ \ vld1.8 {q1}, [r1]!; /* load aadtext */ \ subs r6, #1; \ veor q0, q0, q2; \ diff --git a/cipher/rijndael-armv8-aarch64-ce.S b/cipher/rijndael-armv8-aarch64-ce.S index 21d0aec..708ef34 100644 --- a/cipher/rijndael-armv8-aarch64-ce.S +++ b/cipher/rijndael-armv8-aarch64-ce.S @@ -23,28 +23,11 @@ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO) -.arch armv8-a+crypto +.cpu generic+simd+crypto .text -#if (SIZEOF_VOID_P == 4) - #define ptr8 w8 - #define ptr9 w9 - #define ptr10 w10 - #define ptr11 w11 - #define ptr_sz 4 -#elif (SIZEOF_VOID_P == 8) - #define ptr8 x8 - #define ptr9 x9 - #define ptr10 x10 - #define ptr11 x11 - #define ptr_sz 8 -#else - #error "missing SIZEOF_VOID_P" -#endif - - #define GET_DATA_POINTER(reg, name) \ adrp reg, :got:name ; \ ldr reg, [reg, #:got_lo12:name] ; @@ -855,9 +838,10 @@ _gcry_aes_cfb_dec_armv8_ce: * const unsigned char *inbuf, * unsigned char *offset, * unsigned char *checksum, - * void **Ls, + * unsigned char *L_table, * size_t nblocks, - * unsigned int nrounds); + * unsigned int nrounds, + * unsigned int blkn); */ .align 3 @@ -870,11 +854,13 @@ _gcry_aes_ocb_enc_armv8_ce: * x2: inbuf * x3: offset * x4: checksum - * x5: Ls + * x5: Ltable * x6: nblocks (0 < nblocks <= 32) * w7: nrounds + * %st+0: blkn => w12 */ + ldr w12, [sp] ld1 {v0.16b}, [x3] /* load offset */ ld1 {v16.16b}, [x4] /* load checksum */ @@ -886,6 +872,7 @@ _gcry_aes_ocb_enc_armv8_ce: #define OCB_ENC(bits, ...) \ .Locb_enc_entry_##bits: \ cmp x6, #4; \ + add x12, x12, #1; \ b.lo .Locb_enc_loop_##bits; \ \ .Locb_enc_loop4_##bits: \ @@ -894,10 +881,24 @@ _gcry_aes_ocb_enc_armv8_ce: /* Checksum_i = Checksum_{i-1} xor P_i */ \ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \ \ - ldp ptr8, ptr9, [x5], #(ptr_sz*2); \ + add w9, w12, #1; \ + add w10, w12, #2; \ + add w11, w12, #3; \ + rbit w8, w12; \ + add w12, w12, #4; \ + rbit w9, w9; \ + rbit w10, w10; \ + rbit w11, w11; \ + clz w8, w8; /* ntz(i+0) */ \ + clz w9, w9; /* ntz(i+1) */ \ + clz w10, w10; /* ntz(i+2) */ \ + clz w11, w11; /* ntz(i+3) */ \ + add x8, x5, x8, lsl #4; \ + ld1 {v1.16b-v4.16b}, [x2], #64; /* load P_i+<0-3> */ \ + add x9, x5, x9, lsl #4; \ + add x10, x5, x10, lsl #4; \ + add x11, x5, x11, lsl #4; \ \ - ld1 {v1.16b-v4.16b}, [x2], #64; /* load P_i+<0-3> */ \ - ldp ptr10, ptr11, [x5], #(ptr_sz*2); \ sub x6, x6, #4; \ \ ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \ @@ -940,7 +941,11 @@ _gcry_aes_ocb_enc_armv8_ce: /* Checksum_i = Checksum_{i-1} xor P_i */ \ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ \ \ - ldr ptr8, [x5], #(ptr_sz); \ + rbit x8, x12; \ + add x12, x12, #1; \ + clz x8, x8; /* ntz(i) */ \ + add x8, x5, x8, lsl #4; \ + \ ld1 {v1.16b}, [x2], #16; /* load plaintext */ \ ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \ sub x6, x6, #1; \ @@ -983,9 +988,10 @@ _gcry_aes_ocb_enc_armv8_ce: * const unsigned char *inbuf, * unsigned char *offset, * unsigned char *checksum, - * void **Ls, + * unsigned char *L_table, * size_t nblocks, - * unsigned int nrounds); + * unsigned int nrounds, + * unsigned int blkn); */ .align 3 @@ -998,11 +1004,13 @@ _gcry_aes_ocb_dec_armv8_ce: * x2: inbuf * x3: offset * x4: checksum - * x5: Ls + * x5: Ltable * x6: nblocks (0 < nblocks <= 32) * w7: nrounds + * %st+0: blkn => w12 */ + ldr w12, [sp] ld1 {v0.16b}, [x3] /* load offset */ ld1 {v16.16b}, [x4] /* load checksum */ @@ -1014,6 +1022,7 @@ _gcry_aes_ocb_dec_armv8_ce: #define OCB_DEC(bits) \ .Locb_dec_entry_##bits: \ cmp x6, #4; \ + add w12, w12, #1; \ b.lo .Locb_dec_loop_##bits; \ \ .Locb_dec_loop4_##bits: \ @@ -1022,10 +1031,24 @@ _gcry_aes_ocb_dec_armv8_ce: /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \ /* Checksum_i = Checksum_{i-1} xor P_i */ \ \ - ldp ptr8, ptr9, [x5], #(ptr_sz*2); \ + add w9, w12, #1; \ + add w10, w12, #2; \ + add w11, w12, #3; \ + rbit w8, w12; \ + add w12, w12, #4; \ + rbit w9, w9; \ + rbit w10, w10; \ + rbit w11, w11; \ + clz w8, w8; /* ntz(i+0) */ \ + clz w9, w9; /* ntz(i+1) */ \ + clz w10, w10; /* ntz(i+2) */ \ + clz w11, w11; /* ntz(i+3) */ \ + add x8, x5, x8, lsl #4; \ + ld1 {v1.16b-v4.16b}, [x2], #64; /* load C_i+<0-3> */ \ + add x9, x5, x9, lsl #4; \ + add x10, x5, x10, lsl #4; \ + add x11, x5, x11, lsl #4; \ \ - ld1 {v1.16b-v4.16b}, [x2], #64; /* load C_i+<0-3> */ \ - ldp ptr10, ptr11, [x5], #(ptr_sz*2); \ sub x6, x6, #4; \ \ ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \ @@ -1068,7 +1091,11 @@ _gcry_aes_ocb_dec_armv8_ce: /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ \ /* Checksum_i = Checksum_{i-1} xor P_i */ \ \ - ldr ptr8, [x5], #(ptr_sz); \ + rbit w8, w12; \ + add w12, w12, #1; \ + clz w8, w8; /* ntz(i) */ \ + add x8, x5, x8, lsl #4; \ + \ ld1 {v1.16b}, [x2], #16; /* load ciphertext */ \ ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \ sub x6, x6, #1; \ @@ -1110,9 +1137,10 @@ _gcry_aes_ocb_dec_armv8_ce: * const unsigned char *abuf, * unsigned char *offset, * unsigned char *checksum, - * void **Ls, + * unsigned char *L_table, * size_t nblocks, - * unsigned int nrounds); + * unsigned int nrounds, + * unsigned int blkn); */ .align 3 @@ -1124,10 +1152,12 @@ _gcry_aes_ocb_auth_armv8_ce: * x1: abuf * x2: offset => x3 * x3: checksum => x4 - * x4: Ls => x5 + * x4: Ltable => x5 * x5: nblocks => x6 (0 < nblocks <= 32) * w6: nrounds => w7 + * w7: blkn => w12 */ + mov x12, x7 mov x7, x6 mov x6, x5 mov x5, x4 @@ -1145,6 +1175,7 @@ _gcry_aes_ocb_auth_armv8_ce: #define OCB_AUTH(bits) \ .Locb_auth_entry_##bits: \ cmp x6, #4; \ + add w12, w12, #1; \ b.lo .Locb_auth_loop_##bits; \ \ .Locb_auth_loop4_##bits: \ @@ -1152,10 +1183,24 @@ _gcry_aes_ocb_auth_armv8_ce: /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \ \ - ldp ptr8, ptr9, [x5], #(ptr_sz*2); \ + add w9, w12, #1; \ + add w10, w12, #2; \ + add w11, w12, #3; \ + rbit w8, w12; \ + add w12, w12, #4; \ + rbit w9, w9; \ + rbit w10, w10; \ + rbit w11, w11; \ + clz w8, w8; /* ntz(i+0) */ \ + clz w9, w9; /* ntz(i+1) */ \ + clz w10, w10; /* ntz(i+2) */ \ + clz w11, w11; /* ntz(i+3) */ \ + add x8, x5, x8, lsl #4; \ + ld1 {v1.16b-v4.16b}, [x1], #64; /* load A_i+<0-3> */ \ + add x9, x5, x9, lsl #4; \ + add x10, x5, x10, lsl #4; \ + add x11, x5, x11, lsl #4; \ \ - ld1 {v1.16b-v4.16b}, [x1], #64; /* load A_i+<0-3> */ \ - ldp ptr10, ptr11, [x5], #(ptr_sz*2); \ sub x6, x6, #4; \ \ ld1 {v5.16b}, [x8]; /* load L_{ntz(i+0)} */ \ @@ -1192,7 +1237,11 @@ _gcry_aes_ocb_auth_armv8_ce: /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ \ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ \ \ - ldr ptr8, [x5], #(ptr_sz); \ + rbit w8, w12; \ + add w12, w12, #1; \ + clz w8, w8; /* ntz(i) */ \ + add x8, x5, x8, lsl #4; \ + \ ld1 {v1.16b}, [x1], #16; /* load aadtext */ \ ld1 {v2.16b}, [x8]; /* load L_{ntz(i)} */ \ sub x6, x6, #1; \ diff --git a/cipher/rijndael-armv8-ce.c b/cipher/rijndael-armv8-ce.c index bed4066..334cf68 100644 --- a/cipher/rijndael-armv8-ce.c +++ b/cipher/rijndael-armv8-ce.c @@ -80,30 +80,33 @@ extern void _gcry_aes_ocb_enc_armv8_ce (const void *keysched, const unsigned char *inbuf, unsigned char *offset, unsigned char *checksum, - void **Ls, + unsigned char *L_table, size_t nblocks, - unsigned int nrounds); + unsigned int nrounds, + unsigned int blkn); extern void _gcry_aes_ocb_dec_armv8_ce (const void *keysched, unsigned char *outbuf, const unsigned char *inbuf, unsigned char *offset, unsigned char *checksum, - void **Ls, + unsigned char *L_table, size_t nblocks, - unsigned int nrounds); + unsigned int nrounds, + unsigned int blkn); extern void _gcry_aes_ocb_auth_armv8_ce (const void *keysched, const unsigned char *abuf, unsigned char *offset, unsigned char *checksum, - void **Ls, + unsigned char *L_table, size_t nblocks, - unsigned int nrounds); + unsigned int nrounds, + unsigned int blkn); typedef void (*ocb_crypt_fn_t) (const void *keysched, unsigned char *outbuf, const unsigned char *inbuf, unsigned char *offset, unsigned char *checksum, - void **Ls, size_t nblocks, - unsigned int nrounds); + unsigned char *L_table, size_t nblocks, + unsigned int nrounds, unsigned int blkn); void _gcry_aes_armv8_ce_setkey (RIJNDAEL_context *ctx, const byte *key) @@ -334,66 +337,11 @@ _gcry_aes_armv8_ce_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, const unsigned char *inbuf = inbuf_arg; unsigned int nrounds = ctx->rounds; u64 blkn = c->u_mode.ocb.data_nblocks; - u64 blkn_offs = blkn - blkn % 32; - unsigned int n = 32 - blkn % 32; - unsigned char l_tmp[16]; - void *Ls[32]; - void **l; - size_t i; c->u_mode.ocb.data_nblocks = blkn + nblocks; - if (nblocks >= 32) - { - for (i = 0; i < 32; i += 8) - { - Ls[(i + 0 + n) % 32] = (void *)c->u_mode.ocb.L[0]; - Ls[(i + 1 + n) % 32] = (void *)c->u_mode.ocb.L[1]; - Ls[(i + 2 + n) % 32] = (void *)c->u_mode.ocb.L[0]; - Ls[(i + 3 + n) % 32] = (void *)c->u_mode.ocb.L[2]; - Ls[(i + 4 + n) % 32] = (void *)c->u_mode.ocb.L[0]; - Ls[(i + 5 + n) % 32] = (void *)c->u_mode.ocb.L[1]; - Ls[(i + 6 + n) % 32] = (void *)c->u_mode.ocb.L[0]; - } - - Ls[(7 + n) % 32] = (void *)c->u_mode.ocb.L[3]; - Ls[(15 + n) % 32] = (void *)c->u_mode.ocb.L[4]; - Ls[(23 + n) % 32] = (void *)c->u_mode.ocb.L[3]; - l = &Ls[(31 + n) % 32]; - - /* Process data in 32 block chunks. */ - while (nblocks >= 32) - { - /* l_tmp will be used only every 65536-th block. */ - blkn_offs += 32; - *l = (void *)ocb_get_l(c, l_tmp, blkn_offs); - - crypt_fn(keysched, outbuf, inbuf, c->u_iv.iv, c->u_ctr.ctr, Ls, 32, - nrounds); - - nblocks -= 32; - outbuf += 32 * 16; - inbuf += 32 * 16; - } - - if (nblocks && l < &Ls[nblocks]) - { - *l = (void *)ocb_get_l(c, l_tmp, 32 + blkn_offs); - } - } - else - { - for (i = 0; i < nblocks; i++) - Ls[i] = (void *)ocb_get_l(c, l_tmp, ++blkn); - } - - if (nblocks) - { - crypt_fn(keysched, outbuf, inbuf, c->u_iv.iv, c->u_ctr.ctr, Ls, nblocks, - nrounds); - } - - wipememory(&l_tmp, sizeof(l_tmp)); + crypt_fn(keysched, outbuf, inbuf, c->u_iv.iv, c->u_ctr.ctr, + c->u_mode.ocb.L[0], nblocks, nrounds, (unsigned int)blkn); } void @@ -405,65 +353,12 @@ _gcry_aes_armv8_ce_ocb_auth (gcry_cipher_hd_t c, void *abuf_arg, const unsigned char *abuf = abuf_arg; unsigned int nrounds = ctx->rounds; u64 blkn = c->u_mode.ocb.aad_nblocks; - u64 blkn_offs = blkn - blkn % 32; - unsigned int n = 32 - blkn % 32; - unsigned char l_tmp[16]; - void *Ls[32]; - void **l; - size_t i; c->u_mode.ocb.aad_nblocks = blkn + nblocks; - if (nblocks >= 32) - { - for (i = 0; i < 32; i += 8) - { - Ls[(i + 0 + n) % 32] = (void *)c->u_mode.ocb.L[0]; - Ls[(i + 1 + n) % 32] = (void *)c->u_mode.ocb.L[1]; - Ls[(i + 2 + n) % 32] = (void *)c->u_mode.ocb.L[0]; - Ls[(i + 3 + n) % 32] = (void *)c->u_mode.ocb.L[2]; - Ls[(i + 4 + n) % 32] = (void *)c->u_mode.ocb.L[0]; - Ls[(i + 5 + n) % 32] = (void *)c->u_mode.ocb.L[1]; - Ls[(i + 6 + n) % 32] = (void *)c->u_mode.ocb.L[0]; - } - - Ls[(7 + n) % 32] = (void *)c->u_mode.ocb.L[3]; - Ls[(15 + n) % 32] = (void *)c->u_mode.ocb.L[4]; - Ls[(23 + n) % 32] = (void *)c->u_mode.ocb.L[3]; - l = &Ls[(31 + n) % 32]; - - /* Process data in 32 block chunks. */ - while (nblocks >= 32) - { - /* l_tmp will be used only every 65536-th block. */ - blkn_offs += 32; - *l = (void *)ocb_get_l(c, l_tmp, blkn_offs); - - _gcry_aes_ocb_auth_armv8_ce(keysched, abuf, c->u_mode.ocb.aad_offset, - c->u_mode.ocb.aad_sum, Ls, 32, nrounds); - - nblocks -= 32; - abuf += 32 * 16; - } - - if (nblocks && l < &Ls[nblocks]) - { - *l = (void *)ocb_get_l(c, l_tmp, 32 + blkn_offs); - } - } - else - { - for (i = 0; i < nblocks; i++) - Ls[i] = (void *)ocb_get_l(c, l_tmp, ++blkn); - } - - if (nblocks) - { - _gcry_aes_ocb_auth_armv8_ce(keysched, abuf, c->u_mode.ocb.aad_offset, - c->u_mode.ocb.aad_sum, Ls, nblocks, nrounds); - } - - wipememory(&l_tmp, sizeof(l_tmp)); + _gcry_aes_ocb_auth_armv8_ce(keysched, abuf, c->u_mode.ocb.aad_offset, + c->u_mode.ocb.aad_sum, c->u_mode.ocb.L[0], + nblocks, nrounds, (unsigned int)blkn); } #endif /* USE_ARM_CE */ diff --git a/cipher/rijndael-padlock.c b/cipher/rijndael-padlock.c index 476772a..234751b 100644 --- a/cipher/rijndael-padlock.c +++ b/cipher/rijndael-padlock.c @@ -43,6 +43,8 @@ do_padlock (const RIJNDAEL_context *ctx, unsigned char *bx, unsigned char a[16] __attribute__ ((aligned (16))); unsigned char b[16] __attribute__ ((aligned (16))); unsigned int cword[4] __attribute__ ((aligned (16))); + unsigned char *pa = a; + unsigned char *pb = b; int blocks; /* The control word fields are: @@ -63,19 +65,19 @@ do_padlock (const RIJNDAEL_context *ctx, unsigned char *bx, ("pushfq\n\t" /* Force key reload. */ "popfq\n\t" ".byte 0xf3, 0x0f, 0xa7, 0xc8\n\t" /* REP XCRYPT ECB. */ - : /* No output */ - : "S" (a), "D" (b), "d" (cword), "b" (ctx->padlockkey), "c" (blocks) + : "+S" (pa), "+D" (pb), "+c" (blocks) + : "d" (cword), "b" (ctx->padlockkey) : "cc", "memory" ); #else asm volatile ("pushfl\n\t" /* Force key reload. */ "popfl\n\t" - "xchg %3, %%ebx\n\t" /* Load key. */ + "xchg %4, %%ebx\n\t" /* Load key. */ ".byte 0xf3, 0x0f, 0xa7, 0xc8\n\t" /* REP XCRYPT ECB. */ - "xchg %3, %%ebx\n" /* Restore GOT register. */ - : /* No output */ - : "S" (a), "D" (b), "d" (cword), "r" (ctx->padlockkey), "c" (blocks) + "xchg %4, %%ebx\n" /* Restore GOT register. */ + : "+S" (pa), "+D" (pb), "+c" (blocks) + : "d" (cword), "r" (ctx->padlockkey) : "cc", "memory" ); #endif diff --git a/cipher/rijndael-ssse3-amd64-asm.S b/cipher/rijndael-ssse3-amd64-asm.S new file mode 100644 index 0000000..3ae55e8 --- /dev/null +++ b/cipher/rijndael-ssse3-amd64-asm.S @@ -0,0 +1,853 @@ +/* SSSE3 vector permutation AES for Libgcrypt + * Copyright (C) 2014-2017 Jussi Kivilinna + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + * + * + * The code is based on the public domain library libvpaes version 0.5 + * available at http://crypto.stanford.edu/vpaes/ and which carries + * this notice: + * + * libvpaes: constant-time SSSE3 AES encryption and decryption. + * version 0.5 + * + * By Mike Hamburg, Stanford University, 2009. Public domain. + * I wrote essentially all of this code. I did not write the test + * vectors; they are the NIST known answer tests. I hereby release all + * the code and documentation here that I wrote into the public domain. + * + * This is an implementation of AES following my paper, + * "Accelerating AES with Vector Permute Instructions + * CHES 2009; http://shiftleft.org/papers/vector_aes/ + */ + +#if defined(__x86_64__) +#include +#if defined(HAVE_GCC_INLINE_ASM_SSSE3) && \ + (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ + defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) + +#ifdef HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS +# define ELF(...) +#else +# define ELF(...) __VA_ARGS__ +#endif + +.text + +## +## _gcry_aes_ssse3_enc_preload +## +ELF(.type _gcry_aes_ssse3_enc_preload,@function) +.globl _gcry_aes_ssse3_enc_preload +_gcry_aes_ssse3_enc_preload: + lea .Laes_consts(%rip), %rax + movdqa (%rax), %xmm9 # 0F + movdqa .Lk_inv (%rax), %xmm10 # inv + movdqa .Lk_inv+16(%rax), %xmm11 # inva + movdqa .Lk_sb1 (%rax), %xmm13 # sb1u + movdqa .Lk_sb1+16(%rax), %xmm12 # sb1t + movdqa .Lk_sb2 (%rax), %xmm15 # sb2u + movdqa .Lk_sb2+16(%rax), %xmm14 # sb2t + ret +ELF(.size _gcry_aes_ssse3_enc_preload,.-_gcry_aes_ssse3_enc_preload) + +## +## _gcry_aes_ssse3_dec_preload +## +ELF(.type _gcry_aes_ssse3_dec_preload,@function) +.globl _gcry_aes_ssse3_dec_preload +_gcry_aes_ssse3_dec_preload: + lea .Laes_consts(%rip), %rax + movdqa (%rax), %xmm9 # 0F + movdqa .Lk_inv (%rax), %xmm10 # inv + movdqa .Lk_inv+16(%rax), %xmm11 # inva + movdqa .Lk_dsb9 (%rax), %xmm13 # sb9u + movdqa .Lk_dsb9+16(%rax), %xmm12 # sb9t + movdqa .Lk_dsbd (%rax), %xmm15 # sbdu + movdqa .Lk_dsbb (%rax), %xmm14 # sbbu + movdqa .Lk_dsbe (%rax), %xmm8 # sbeu + ret +ELF(.size _gcry_aes_ssse3_dec_preload,.-_gcry_aes_ssse3_dec_preload) + +## +## Constant-time SSSE3 AES core implementation. +## +## By Mike Hamburg (Stanford University), 2009 +## Public domain. +## + +## +## _aes_encrypt_core +## +## AES-encrypt %xmm0. +## +## Inputs: +## %xmm0 = input +## %xmm9-%xmm15 as in .Laes_preheat +## (%rdx) = scheduled keys +## %rax = nrounds - 1 +## +## Output in %xmm0 +## Clobbers %xmm1-%xmm4, %r9, %r11, %rax, %rcx +## Preserves %xmm6 - %xmm7 so you get some local vectors +## +## +.align 16 +ELF(.type _gcry_aes_ssse3_encrypt_core,@function) +.globl _gcry_aes_ssse3_encrypt_core +_gcry_aes_ssse3_encrypt_core: +_aes_encrypt_core: + lea .Laes_consts(%rip), %rcx + leaq .Lk_mc_backward(%rcx), %rdi + mov $16, %rsi + movdqa .Lk_ipt (%rcx), %xmm2 # iptlo + movdqa %xmm9, %xmm1 + pandn %xmm0, %xmm1 + psrld $4, %xmm1 + pand %xmm9, %xmm0 + pshufb %xmm0, %xmm2 + movdqa .Lk_ipt+16(%rcx), %xmm0 # ipthi + pshufb %xmm1, %xmm0 + pxor (%rdx),%xmm2 + pxor %xmm2, %xmm0 + add $16, %rdx + jmp .Laes_entry + +.align 8 +.Laes_loop: + # middle of middle round + movdqa %xmm13, %xmm4 # 4 : sb1u + pshufb %xmm2, %xmm4 # 4 = sb1u + pxor (%rdx), %xmm4 # 4 = sb1u + k + movdqa %xmm12, %xmm0 # 0 : sb1t + pshufb %xmm3, %xmm0 # 0 = sb1t + pxor %xmm4, %xmm0 # 0 = A + movdqa %xmm15, %xmm4 # 4 : sb2u + pshufb %xmm2, %xmm4 # 4 = sb2u + movdqa .Lk_mc_forward-.Lk_mc_backward(%rsi,%rdi), %xmm1 + movdqa %xmm14, %xmm2 # 2 : sb2t + pshufb %xmm3, %xmm2 # 2 = sb2t + pxor %xmm4, %xmm2 # 2 = 2A + movdqa %xmm0, %xmm3 # 3 = A + pshufb %xmm1, %xmm0 # 0 = B + pxor %xmm2, %xmm0 # 0 = 2A+B + pshufb (%rsi,%rdi), %xmm3 # 3 = D + lea 16(%esi),%esi # next mc + pxor %xmm0, %xmm3 # 3 = 2A+B+D + lea 16(%rdx),%rdx # next key + pshufb %xmm1, %xmm0 # 0 = 2B+C + pxor %xmm3, %xmm0 # 0 = 2A+3B+C+D + and $48, %rsi # ... mod 4 + dec %rax # nr-- + +.Laes_entry: + # top of round + movdqa %xmm9, %xmm1 # 1 : i + pandn %xmm0, %xmm1 # 1 = i<<4 + psrld $4, %xmm1 # 1 = i + pand %xmm9, %xmm0 # 0 = k + movdqa %xmm11, %xmm2 # 2 : a/k + pshufb %xmm0, %xmm2 # 2 = a/k + pxor %xmm1, %xmm0 # 0 = j + movdqa %xmm10, %xmm3 # 3 : 1/i + pshufb %xmm1, %xmm3 # 3 = 1/i + pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k + movdqa %xmm10, %xmm4 # 4 : 1/j + pshufb %xmm0, %xmm4 # 4 = 1/j + pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k + movdqa %xmm10, %xmm2 # 2 : 1/iak + pshufb %xmm3, %xmm2 # 2 = 1/iak + pxor %xmm0, %xmm2 # 2 = io + movdqa %xmm10, %xmm3 # 3 : 1/jak + pshufb %xmm4, %xmm3 # 3 = 1/jak + pxor %xmm1, %xmm3 # 3 = jo + jnz .Laes_loop + + # middle of last round + movdqa .Lk_sbo(%rcx), %xmm4 # 3 : sbou + pshufb %xmm2, %xmm4 # 4 = sbou + pxor (%rdx), %xmm4 # 4 = sb1u + k + movdqa .Lk_sbo+16(%rcx), %xmm0 # 0 : sbot + pshufb %xmm3, %xmm0 # 0 = sb1t + pxor %xmm4, %xmm0 # 0 = A + pshufb .Lk_sr(%rsi,%rcx), %xmm0 + ret +ELF(.size _aes_encrypt_core,.-_aes_encrypt_core) + +## +## Decryption core +## +## Same API as encryption core. +## +.align 16 +.globl _gcry_aes_ssse3_decrypt_core +ELF(.type _gcry_aes_ssse3_decrypt_core,@function) +_gcry_aes_ssse3_decrypt_core: +_aes_decrypt_core: + lea .Laes_consts(%rip), %rcx + movl %eax, %esi + shll $4, %esi + xorl $48, %esi + andl $48, %esi + movdqa .Lk_dipt (%rcx), %xmm2 # iptlo + movdqa %xmm9, %xmm1 + pandn %xmm0, %xmm1 + psrld $4, %xmm1 + pand %xmm9, %xmm0 + pshufb %xmm0, %xmm2 + movdqa .Lk_dipt+16(%rcx), %xmm0 # ipthi + pshufb %xmm1, %xmm0 + pxor (%rdx), %xmm2 + pxor %xmm2, %xmm0 + movdqa .Lk_mc_forward+48(%rcx), %xmm5 + lea 16(%rdx), %rdx + neg %rax + jmp .Laes_dec_entry + +.align 16 +.Laes_dec_loop: +## +## Inverse mix columns +## + movdqa %xmm13, %xmm4 # 4 : sb9u + pshufb %xmm2, %xmm4 # 4 = sb9u + pxor (%rdx), %xmm4 + movdqa %xmm12, %xmm0 # 0 : sb9t + pshufb %xmm3, %xmm0 # 0 = sb9t + movdqa .Lk_dsbd+16(%rcx),%xmm1 # 1 : sbdt + pxor %xmm4, %xmm0 # 0 = ch + lea 16(%rdx), %rdx # next round key + + pshufb %xmm5, %xmm0 # MC ch + movdqa %xmm15, %xmm4 # 4 : sbdu + pshufb %xmm2, %xmm4 # 4 = sbdu + pxor %xmm0, %xmm4 # 4 = ch + pshufb %xmm3, %xmm1 # 1 = sbdt + pxor %xmm4, %xmm1 # 1 = ch + + pshufb %xmm5, %xmm1 # MC ch + movdqa %xmm14, %xmm4 # 4 : sbbu + pshufb %xmm2, %xmm4 # 4 = sbbu + inc %rax # nr-- + pxor %xmm1, %xmm4 # 4 = ch + movdqa .Lk_dsbb+16(%rcx),%xmm0 # 0 : sbbt + pshufb %xmm3, %xmm0 # 0 = sbbt + pxor %xmm4, %xmm0 # 0 = ch + + pshufb %xmm5, %xmm0 # MC ch + movdqa %xmm8, %xmm4 # 4 : sbeu + pshufb %xmm2, %xmm4 # 4 = sbeu + pshufd $0x93, %xmm5, %xmm5 + pxor %xmm0, %xmm4 # 4 = ch + movdqa .Lk_dsbe+16(%rcx),%xmm0 # 0 : sbet + pshufb %xmm3, %xmm0 # 0 = sbet + pxor %xmm4, %xmm0 # 0 = ch + +.Laes_dec_entry: + # top of round + movdqa %xmm9, %xmm1 # 1 : i + pandn %xmm0, %xmm1 # 1 = i<<4 + psrld $4, %xmm1 # 1 = i + pand %xmm9, %xmm0 # 0 = k + movdqa %xmm11, %xmm2 # 2 : a/k + pshufb %xmm0, %xmm2 # 2 = a/k + pxor %xmm1, %xmm0 # 0 = j + movdqa %xmm10, %xmm3 # 3 : 1/i + pshufb %xmm1, %xmm3 # 3 = 1/i + pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k + movdqa %xmm10, %xmm4 # 4 : 1/j + pshufb %xmm0, %xmm4 # 4 = 1/j + pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k + movdqa %xmm10, %xmm2 # 2 : 1/iak + pshufb %xmm3, %xmm2 # 2 = 1/iak + pxor %xmm0, %xmm2 # 2 = io + movdqa %xmm10, %xmm3 # 3 : 1/jak + pshufb %xmm4, %xmm3 # 3 = 1/jak + pxor %xmm1, %xmm3 # 3 = jo + jnz .Laes_dec_loop + + # middle of last round + movdqa .Lk_dsbo(%rcx), %xmm4 # 3 : sbou + pshufb %xmm2, %xmm4 # 4 = sbou + pxor (%rdx), %xmm4 # 4 = sb1u + k + movdqa .Lk_dsbo+16(%rcx), %xmm0 # 0 : sbot + pshufb %xmm3, %xmm0 # 0 = sb1t + pxor %xmm4, %xmm0 # 0 = A + pshufb .Lk_sr(%rsi,%rcx), %xmm0 + ret +ELF(.size _aes_decrypt_core,.-_aes_decrypt_core) + +######################################################## +## ## +## AES key schedule ## +## ## +######################################################## + +.align 16 +.globl _gcry_aes_ssse3_schedule_core +ELF(.type _gcry_aes_ssse3_schedule_core,@function) +_gcry_aes_ssse3_schedule_core: +_aes_schedule_core: + # rdi = key + # rsi = size in bits + # rdx = buffer + # rcx = direction. 0=encrypt, 1=decrypt + + # load the tables + lea .Laes_consts(%rip), %r10 + movdqa (%r10), %xmm9 # 0F + movdqa .Lk_inv (%r10), %xmm10 # inv + movdqa .Lk_inv+16(%r10), %xmm11 # inva + movdqa .Lk_sb1 (%r10), %xmm13 # sb1u + movdqa .Lk_sb1+16(%r10), %xmm12 # sb1t + movdqa .Lk_sb2 (%r10), %xmm15 # sb2u + movdqa .Lk_sb2+16(%r10), %xmm14 # sb2t + + movdqa .Lk_rcon(%r10), %xmm8 # load rcon + movdqu (%rdi), %xmm0 # load key (unaligned) + + # input transform + movdqu %xmm0, %xmm3 + lea .Lk_ipt(%r10), %r11 + call .Laes_schedule_transform + movdqu %xmm0, %xmm7 + + test %rcx, %rcx + jnz .Laes_schedule_am_decrypting + + # encrypting, output zeroth round key after transform + movdqa %xmm0, (%rdx) + jmp .Laes_schedule_go + +.Laes_schedule_am_decrypting: + # decrypting, output zeroth round key after shiftrows + pshufb .Lk_sr(%r8,%r10),%xmm3 + movdqa %xmm3, (%rdx) + xor $48, %r8 + +.Laes_schedule_go: + cmp $192, %rsi + je .Laes_schedule_192 + cmp $256, %rsi + je .Laes_schedule_256 + # 128: fall though + +## +## .Laes_schedule_128 +## +## 128-bit specific part of key schedule. +## +## This schedule is really simple, because all its parts +## are accomplished by the subroutines. +## +.Laes_schedule_128: + mov $10, %rsi + +.Laes_schedule_128_L: + call .Laes_schedule_round + dec %rsi + jz .Laes_schedule_mangle_last + call .Laes_schedule_mangle # write output + jmp .Laes_schedule_128_L + +## +## .Laes_schedule_192 +## +## 192-bit specific part of key schedule. +## +## The main body of this schedule is the same as the 128-bit +## schedule, but with more smearing. The long, high side is +## stored in %xmm7 as before, and the short, low side is in +## the high bits of %xmm6. +## +## This schedule is somewhat nastier, however, because each +## round produces 192 bits of key material, or 1.5 round keys. +## Therefore, on each cycle we do 2 rounds and produce 3 round +## keys. +## +.Laes_schedule_192: + movdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned) + call .Laes_schedule_transform # input transform + pshufd $0x0E, %xmm0, %xmm6 + pslldq $8, %xmm6 # clobber low side with zeros + mov $4, %rsi + +.Laes_schedule_192_L: + call .Laes_schedule_round + palignr $8,%xmm6,%xmm0 + call .Laes_schedule_mangle # save key n + call .Laes_schedule_192_smear + call .Laes_schedule_mangle # save key n+1 + call .Laes_schedule_round + dec %rsi + jz .Laes_schedule_mangle_last + call .Laes_schedule_mangle # save key n+2 + call .Laes_schedule_192_smear + jmp .Laes_schedule_192_L + +## +## .Laes_schedule_192_smear +## +## Smear the short, low side in the 192-bit key schedule. +## +## Inputs: +## %xmm7: high side, b a x y +## %xmm6: low side, d c 0 0 +## %xmm13: 0 +## +## Outputs: +## %xmm6: b+c+d b+c 0 0 +## %xmm0: b+c+d b+c b a +## +.Laes_schedule_192_smear: + pshufd $0x80, %xmm6, %xmm0 # d c 0 0 -> c 0 0 0 + pxor %xmm0, %xmm6 # -> c+d c 0 0 + pshufd $0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a + pxor %xmm6, %xmm0 # -> b+c+d b+c b a + pshufd $0x0E, %xmm0, %xmm6 + pslldq $8, %xmm6 # clobber low side with zeros + ret + +## +## .Laes_schedule_256 +## +## 256-bit specific part of key schedule. +## +## The structure here is very similar to the 128-bit +## schedule, but with an additional 'low side' in +## %xmm6. The low side's rounds are the same as the +## high side's, except no rcon and no rotation. +## +.Laes_schedule_256: + movdqu 16(%rdi),%xmm0 # load key part 2 (unaligned) + call .Laes_schedule_transform # input transform + mov $7, %rsi + +.Laes_schedule_256_L: + call .Laes_schedule_mangle # output low result + movdqa %xmm0, %xmm6 # save cur_lo in xmm6 + + # high round + call .Laes_schedule_round + dec %rsi + jz .Laes_schedule_mangle_last + call .Laes_schedule_mangle + + # low round. swap xmm7 and xmm6 + pshufd $0xFF, %xmm0, %xmm0 + movdqa %xmm7, %xmm5 + movdqa %xmm6, %xmm7 + call .Laes_schedule_low_round + movdqa %xmm5, %xmm7 + + jmp .Laes_schedule_256_L + +## +## .Laes_schedule_round +## +## Runs one main round of the key schedule on %xmm0, %xmm7 +## +## Specifically, runs subbytes on the high dword of %xmm0 +## then rotates it by one byte and xors into the low dword of +## %xmm7. +## +## Adds rcon from low byte of %xmm8, then rotates %xmm8 for +## next rcon. +## +## Smears the dwords of %xmm7 by xoring the low into the +## second low, result into third, result into highest. +## +## Returns results in %xmm7 = %xmm0. +## Clobbers %xmm1-%xmm4, %r11. +## +.Laes_schedule_round: + # extract rcon from xmm8 + pxor %xmm1, %xmm1 + palignr $15, %xmm8, %xmm1 + palignr $15, %xmm8, %xmm8 + pxor %xmm1, %xmm7 + + # rotate + pshufd $0xFF, %xmm0, %xmm0 + palignr $1, %xmm0, %xmm0 + + # fall through... + + # low round: same as high round, but no rotation and no rcon. +.Laes_schedule_low_round: + # smear xmm7 + movdqa %xmm7, %xmm1 + pslldq $4, %xmm7 + pxor %xmm1, %xmm7 + movdqa %xmm7, %xmm1 + pslldq $8, %xmm7 + pxor %xmm1, %xmm7 + pxor .Lk_s63(%r10), %xmm7 + + # subbytes + movdqa %xmm9, %xmm1 + pandn %xmm0, %xmm1 + psrld $4, %xmm1 # 1 = i + pand %xmm9, %xmm0 # 0 = k + movdqa %xmm11, %xmm2 # 2 : a/k + pshufb %xmm0, %xmm2 # 2 = a/k + pxor %xmm1, %xmm0 # 0 = j + movdqa %xmm10, %xmm3 # 3 : 1/i + pshufb %xmm1, %xmm3 # 3 = 1/i + pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k + movdqa %xmm10, %xmm4 # 4 : 1/j + pshufb %xmm0, %xmm4 # 4 = 1/j + pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k + movdqa %xmm10, %xmm2 # 2 : 1/iak + pshufb %xmm3, %xmm2 # 2 = 1/iak + pxor %xmm0, %xmm2 # 2 = io + movdqa %xmm10, %xmm3 # 3 : 1/jak + pshufb %xmm4, %xmm3 # 3 = 1/jak + pxor %xmm1, %xmm3 # 3 = jo + movdqa .Lk_sb1(%r10), %xmm4 # 4 : sbou + pshufb %xmm2, %xmm4 # 4 = sbou + movdqa .Lk_sb1+16(%r10), %xmm0 # 0 : sbot + pshufb %xmm3, %xmm0 # 0 = sb1t + pxor %xmm4, %xmm0 # 0 = sbox output + + # add in smeared stuff + pxor %xmm7, %xmm0 + movdqa %xmm0, %xmm7 + ret + +## +## .Laes_schedule_transform +## +## Linear-transform %xmm0 according to tables at (%r11) +## +## Requires that %xmm9 = 0x0F0F... as in preheat +## Output in %xmm0 +## Clobbers %xmm1, %xmm2 +## +.Laes_schedule_transform: + movdqa %xmm9, %xmm1 + pandn %xmm0, %xmm1 + psrld $4, %xmm1 + pand %xmm9, %xmm0 + movdqa (%r11), %xmm2 # lo + pshufb %xmm0, %xmm2 + movdqa 16(%r11), %xmm0 # hi + pshufb %xmm1, %xmm0 + pxor %xmm2, %xmm0 + ret + +## +## .Laes_schedule_mangle +## +## Mangle xmm0 from (basis-transformed) standard version +## to our version. +## +## On encrypt, +## xor with 0x63 +## multiply by circulant 0,1,1,1 +## apply shiftrows transform +## +## On decrypt, +## xor with 0x63 +## multiply by 'inverse mixcolumns' circulant E,B,D,9 +## deskew +## apply shiftrows transform +## +## +## Writes out to (%rdx), and increments or decrements it +## Keeps track of round number mod 4 in %r8 +## Preserves xmm0 +## Clobbers xmm1-xmm5 +## +.Laes_schedule_mangle: + movdqa %xmm0, %xmm4 # save xmm0 for later + movdqa .Lk_mc_forward(%r10),%xmm5 + test %rcx, %rcx + jnz .Laes_schedule_mangle_dec + + # encrypting + add $16, %rdx + pxor .Lk_s63(%r10),%xmm4 + pshufb %xmm5, %xmm4 + movdqa %xmm4, %xmm3 + pshufb %xmm5, %xmm4 + pxor %xmm4, %xmm3 + pshufb %xmm5, %xmm4 + pxor %xmm4, %xmm3 + + jmp .Laes_schedule_mangle_both + +.Laes_schedule_mangle_dec: + lea .Lk_dks_1(%r10), %r11 # first table: *9 + call .Laes_schedule_transform + movdqa %xmm0, %xmm3 + pshufb %xmm5, %xmm3 + + add $32, %r11 # next table: *B + call .Laes_schedule_transform + pxor %xmm0, %xmm3 + pshufb %xmm5, %xmm3 + + add $32, %r11 # next table: *D + call .Laes_schedule_transform + pxor %xmm0, %xmm3 + pshufb %xmm5, %xmm3 + + add $32, %r11 # next table: *E + call .Laes_schedule_transform + pxor %xmm0, %xmm3 + pshufb %xmm5, %xmm3 + + movdqa %xmm4, %xmm0 # restore %xmm0 + add $-16, %rdx + +.Laes_schedule_mangle_both: + pshufb .Lk_sr(%r8,%r10),%xmm3 + add $-16, %r8 + and $48, %r8 + movdqa %xmm3, (%rdx) + ret + +## +## .Laes_schedule_mangle_last +## +## Mangler for last round of key schedule +## Mangles %xmm0 +## when encrypting, outputs out(%xmm0) ^ 63 +## when decrypting, outputs unskew(%xmm0) +## +## Always called right before return... jumps to cleanup and exits +## +.Laes_schedule_mangle_last: + # schedule last round key from xmm0 + lea .Lk_deskew(%r10),%r11 # prepare to deskew + test %rcx, %rcx + jnz .Laes_schedule_mangle_last_dec + + # encrypting + pshufb .Lk_sr(%r8,%r10),%xmm0 # output permute + lea .Lk_opt(%r10), %r11 # prepare to output transform + add $32, %rdx + +.Laes_schedule_mangle_last_dec: + add $-16, %rdx + pxor .Lk_s63(%r10), %xmm0 + call .Laes_schedule_transform # output transform + movdqa %xmm0, (%rdx) # save last key + + #_aes_cleanup + pxor %xmm0, %xmm0 + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + pxor %xmm6, %xmm6 + pxor %xmm7, %xmm7 + pxor %xmm8, %xmm8 + ret +ELF(.size _aes_schedule_core,.-_aes_schedule_core) + +######################################################## +## ## +## Constants ## +## ## +######################################################## + +.align 16 +ELF(.type _aes_consts,@object) +.Laes_consts: +_aes_consts: + # s0F + .Lk_s0F = .-.Laes_consts + .quad 0x0F0F0F0F0F0F0F0F + .quad 0x0F0F0F0F0F0F0F0F + + # input transform (lo, hi) + .Lk_ipt = .-.Laes_consts + .quad 0xC2B2E8985A2A7000 + .quad 0xCABAE09052227808 + .quad 0x4C01307D317C4D00 + .quad 0xCD80B1FCB0FDCC81 + + # inv, inva + .Lk_inv = .-.Laes_consts + .quad 0x0E05060F0D080180 + .quad 0x040703090A0B0C02 + .quad 0x01040A060F0B0780 + .quad 0x030D0E0C02050809 + + # sb1u, sb1t + .Lk_sb1 = .-.Laes_consts + .quad 0xB19BE18FCB503E00 + .quad 0xA5DF7A6E142AF544 + .quad 0x3618D415FAE22300 + .quad 0x3BF7CCC10D2ED9EF + + + # sb2u, sb2t + .Lk_sb2 = .-.Laes_consts + .quad 0xE27A93C60B712400 + .quad 0x5EB7E955BC982FCD + .quad 0x69EB88400AE12900 + .quad 0xC2A163C8AB82234A + + # sbou, sbot + .Lk_sbo = .-.Laes_consts + .quad 0xD0D26D176FBDC700 + .quad 0x15AABF7AC502A878 + .quad 0xCFE474A55FBB6A00 + .quad 0x8E1E90D1412B35FA + + # mc_forward + .Lk_mc_forward = .-.Laes_consts + .quad 0x0407060500030201 + .quad 0x0C0F0E0D080B0A09 + .quad 0x080B0A0904070605 + .quad 0x000302010C0F0E0D + .quad 0x0C0F0E0D080B0A09 + .quad 0x0407060500030201 + .quad 0x000302010C0F0E0D + .quad 0x080B0A0904070605 + + # mc_backward + .Lk_mc_backward = .-.Laes_consts + .quad 0x0605040702010003 + .quad 0x0E0D0C0F0A09080B + .quad 0x020100030E0D0C0F + .quad 0x0A09080B06050407 + .quad 0x0E0D0C0F0A09080B + .quad 0x0605040702010003 + .quad 0x0A09080B06050407 + .quad 0x020100030E0D0C0F + + # sr + .Lk_sr = .-.Laes_consts + .quad 0x0706050403020100 + .quad 0x0F0E0D0C0B0A0908 + .quad 0x030E09040F0A0500 + .quad 0x0B06010C07020D08 + .quad 0x0F060D040B020900 + .quad 0x070E050C030A0108 + .quad 0x0B0E0104070A0D00 + .quad 0x0306090C0F020508 + + # rcon + .Lk_rcon = .-.Laes_consts + .quad 0x1F8391B9AF9DEEB6 + .quad 0x702A98084D7C7D81 + + # s63: all equal to 0x63 transformed + .Lk_s63 = .-.Laes_consts + .quad 0x5B5B5B5B5B5B5B5B + .quad 0x5B5B5B5B5B5B5B5B + + # output transform + .Lk_opt = .-.Laes_consts + .quad 0xFF9F4929D6B66000 + .quad 0xF7974121DEBE6808 + .quad 0x01EDBD5150BCEC00 + .quad 0xE10D5DB1B05C0CE0 + + # deskew tables: inverts the sbox's 'skew' + .Lk_deskew = .-.Laes_consts + .quad 0x07E4A34047A4E300 + .quad 0x1DFEB95A5DBEF91A + .quad 0x5F36B5DC83EA6900 + .quad 0x2841C2ABF49D1E77 + +## +## Decryption stuff +## Key schedule constants +## + # decryption key schedule: x -> invskew x*9 + .Lk_dks_1 = .-.Laes_consts + .quad 0xB6116FC87ED9A700 + .quad 0x4AED933482255BFC + .quad 0x4576516227143300 + .quad 0x8BB89FACE9DAFDCE + + # decryption key schedule: invskew x*9 -> invskew x*D + .Lk_dks_2 = .-.Laes_consts + .quad 0x27438FEBCCA86400 + .quad 0x4622EE8AADC90561 + .quad 0x815C13CE4F92DD00 + .quad 0x73AEE13CBD602FF2 + + # decryption key schedule: invskew x*D -> invskew x*B + .Lk_dks_3 = .-.Laes_consts + .quad 0x03C4C50201C6C700 + .quad 0xF83F3EF9FA3D3CFB + .quad 0xEE1921D638CFF700 + .quad 0xA5526A9D7384BC4B + + # decryption key schedule: invskew x*B -> invskew x*E + 0x63 + .Lk_dks_4 = .-.Laes_consts + .quad 0xE3C390B053732000 + .quad 0xA080D3F310306343 + .quad 0xA0CA214B036982E8 + .quad 0x2F45AEC48CE60D67 + +## +## Decryption stuff +## Round function constants +## + # decryption input transform + .Lk_dipt = .-.Laes_consts + .quad 0x0F505B040B545F00 + .quad 0x154A411E114E451A + .quad 0x86E383E660056500 + .quad 0x12771772F491F194 + + # decryption sbox output *9*u, *9*t + .Lk_dsb9 = .-.Laes_consts + .quad 0x851C03539A86D600 + .quad 0xCAD51F504F994CC9 + .quad 0xC03B1789ECD74900 + .quad 0x725E2C9EB2FBA565 + + # decryption sbox output *D*u, *D*t + .Lk_dsbd = .-.Laes_consts + .quad 0x7D57CCDFE6B1A200 + .quad 0xF56E9B13882A4439 + .quad 0x3CE2FAF724C6CB00 + .quad 0x2931180D15DEEFD3 + + # decryption sbox output *B*u, *B*t + .Lk_dsbb = .-.Laes_consts + .quad 0xD022649296B44200 + .quad 0x602646F6B0F2D404 + .quad 0xC19498A6CD596700 + .quad 0xF3FF0C3E3255AA6B + + # decryption sbox output *E*u, *E*t + .Lk_dsbe = .-.Laes_consts + .quad 0x46F2929626D4D000 + .quad 0x2242600464B4F6B0 + .quad 0x0C55A6CDFFAAC100 + .quad 0x9467F36B98593E32 + + # decryption sbox final output + .Lk_dsbo = .-.Laes_consts + .quad 0x1387EA537EF94000 + .quad 0xC7AA6DB9D4943E2D + .quad 0x12D7560F93441D00 + .quad 0xCA4B8159D8C58E9C +ELF(.size _aes_consts,.-_aes_consts) + +#endif +#endif diff --git a/cipher/rijndael-ssse3-amd64.c b/cipher/rijndael-ssse3-amd64.c index e2ee0c9..da5339e 100644 --- a/cipher/rijndael-ssse3-amd64.c +++ b/cipher/rijndael-ssse3-amd64.c @@ -1,5 +1,5 @@ /* SSSE3 vector permutation AES for Libgcrypt - * Copyright (C) 2014-2015 Jussi Kivilinna + * Copyright (C) 2014-2017 Jussi Kivilinna * * This file is part of Libgcrypt. * @@ -57,11 +57,22 @@ #endif +/* Assembly functions in rijndael-ssse3-amd64-asm.S. Note that these + have custom calling convention and need to be called from assembly + blocks, not directly. */ +extern void _gcry_aes_ssse3_enc_preload(void); +extern void _gcry_aes_ssse3_dec_preload(void); +extern void _gcry_aes_ssse3_schedule_core(void); +extern void _gcry_aes_ssse3_encrypt_core(void); +extern void _gcry_aes_ssse3_decrypt_core(void); + + + /* Two macros to be called prior and after the use of SSSE3 - instructions. There should be no external function calls between - the use of these macros. There purpose is to make sure that the - SSE registers are cleared and won't reveal any information about - the key or the data. */ + instructions. There should be no external function calls between + the use of these macros. There purpose is to make sure that the + SSE registers are cleared and won't reveal any information about + the key or the data. */ #ifdef HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS # define SSSE3_STATE_SIZE (16 * 10) /* XMM6-XMM15 are callee-saved registers on WIN64. */ @@ -99,6 +110,8 @@ : \ : "r" (ssse3_state) \ : "memory" ) +# define PUSH_STACK_PTR +# define POP_STACK_PTR #else # define SSSE3_STATE_SIZE 1 # define vpaes_ssse3_prepare() (void)ssse3_state @@ -113,36 +126,30 @@ "pxor %%xmm7, %%xmm7 \n\t" \ "pxor %%xmm8, %%xmm8 \n\t" \ ::: "memory" ) +/* Old GCC versions use red-zone of AMD64 SYSV ABI and stack pointer is + * not properly adjusted for assembly block. Therefore stack pointer + * needs to be manually corrected. */ +# define PUSH_STACK_PTR "subq $128, %%rsp;\n\t" +# define POP_STACK_PTR "addq $128, %%rsp;\n\t" #endif -#define vpaes_ssse3_prepare_enc(const_ptr) \ +#define vpaes_ssse3_prepare_enc() \ vpaes_ssse3_prepare(); \ - asm volatile ("lea .Laes_consts(%%rip), %q0 \n\t" \ - "movdqa (%q0), %%xmm9 # 0F \n\t" \ - "movdqa .Lk_inv (%q0), %%xmm10 # inv \n\t" \ - "movdqa .Lk_inv+16(%q0), %%xmm11 # inva \n\t" \ - "movdqa .Lk_sb1 (%q0), %%xmm13 # sb1u \n\t" \ - "movdqa .Lk_sb1+16(%q0), %%xmm12 # sb1t \n\t" \ - "movdqa .Lk_sb2 (%q0), %%xmm15 # sb2u \n\t" \ - "movdqa .Lk_sb2+16(%q0), %%xmm14 # sb2t \n\t" \ - : "=c" (const_ptr) \ + asm volatile (PUSH_STACK_PTR \ + "callq *%q[core] \n\t" \ + POP_STACK_PTR \ : \ - : "memory" ) + : [core] "r" (_gcry_aes_ssse3_enc_preload) \ + : "rax", "cc", "memory" ) -#define vpaes_ssse3_prepare_dec(const_ptr) \ +#define vpaes_ssse3_prepare_dec() \ vpaes_ssse3_prepare(); \ - asm volatile ("lea .Laes_consts(%%rip), %q0 \n\t" \ - "movdqa (%q0), %%xmm9 # 0F \n\t" \ - "movdqa .Lk_inv (%q0), %%xmm10 # inv \n\t" \ - "movdqa .Lk_inv+16(%q0), %%xmm11 # inva \n\t" \ - "movdqa .Lk_dsb9 (%q0), %%xmm13 # sb9u \n\t" \ - "movdqa .Lk_dsb9+16(%q0), %%xmm12 # sb9t \n\t" \ - "movdqa .Lk_dsbd (%q0), %%xmm15 # sbdu \n\t" \ - "movdqa .Lk_dsbb (%q0), %%xmm14 # sbbu \n\t" \ - "movdqa .Lk_dsbe (%q0), %%xmm8 # sbeu \n\t" \ - : "=c" (const_ptr) \ + asm volatile (PUSH_STACK_PTR \ + "callq *%q[core] \n\t" \ + POP_STACK_PTR \ : \ - : "memory" ) + : [core] "r" (_gcry_aes_ssse3_dec_preload) \ + : "rax", "cc", "memory" ) @@ -159,9 +166,12 @@ _gcry_aes_ssse3_do_setkey (RIJNDAEL_context *ctx, const byte *key) "leaq %[buf], %%rdx" "\n\t" "movl %[dir], %%ecx" "\n\t" "movl %[rotoffs], %%r8d" "\n\t" - "call _aes_schedule_core" "\n\t" + PUSH_STACK_PTR + "callq *%q[core]" "\n\t" + POP_STACK_PTR : - : [key] "m" (*key), + : [core] "r" (&_gcry_aes_ssse3_schedule_core), + [key] "m" (*key), [bits] "g" (keybits), [buf] "m" (ctx->keyschenc32[0][0]), [dir] "g" (0), @@ -169,10 +179,31 @@ _gcry_aes_ssse3_do_setkey (RIJNDAEL_context *ctx, const byte *key) : "r8", "r9", "r10", "r11", "rax", "rcx", "rdx", "rdi", "rsi", "cc", "memory"); - vpaes_ssse3_cleanup(); - /* Save key for setting up decryption. */ - memcpy(&ctx->keyschdec32[0][0], key, keybits / 8); + if (keybits > 192) + asm volatile ("movdqu (%[src]), %%xmm0\n\t" + "movdqu 16(%[src]), %%xmm1\n\t" + "movdqu %%xmm0, (%[dst])\n\t" + "movdqu %%xmm1, 16(%[dst])\n\t" + : /* No output */ + : [dst] "r" (&ctx->keyschdec32[0][0]), [src] "r" (key) + : "memory" ); + else if (keybits == 192) + asm volatile ("movdqu (%[src]), %%xmm0\n\t" + "movq 16(%[src]), %%xmm1\n\t" + "movdqu %%xmm0, (%[dst])\n\t" + "movq %%xmm1, 16(%[dst])\n\t" + : /* No output */ + : [dst] "r" (&ctx->keyschdec32[0][0]), [src] "r" (key) + : "memory" ); + else + asm volatile ("movdqu (%[src]), %%xmm0\n\t" + "movdqu %%xmm0, (%[dst])\n\t" + : /* No output */ + : [dst] "r" (&ctx->keyschdec32[0][0]), [src] "r" (key) + : "memory" ); + + vpaes_ssse3_cleanup(); } @@ -190,9 +221,12 @@ _gcry_aes_ssse3_prepare_decryption (RIJNDAEL_context *ctx) "leaq %[buf], %%rdx" "\n\t" "movl %[dir], %%ecx" "\n\t" "movl %[rotoffs], %%r8d" "\n\t" - "call _aes_schedule_core" "\n\t" + PUSH_STACK_PTR + "callq *%q[core]" "\n\t" + POP_STACK_PTR : - : [key] "m" (ctx->keyschdec32[0][0]), + : [core] "r" (_gcry_aes_ssse3_schedule_core), + [key] "m" (ctx->keyschdec32[0][0]), [bits] "g" (keybits), [buf] "m" (ctx->keyschdec32[ctx->rounds][0]), [dir] "g" (1), @@ -207,32 +241,34 @@ _gcry_aes_ssse3_prepare_decryption (RIJNDAEL_context *ctx) /* Encrypt one block using the Intel SSSE3 instructions. Block is input * and output through SSE register xmm0. */ static inline void -do_vpaes_ssse3_enc (const RIJNDAEL_context *ctx, unsigned int nrounds, - const void *aes_const_ptr) +do_vpaes_ssse3_enc (const RIJNDAEL_context *ctx, unsigned int nrounds) { unsigned int middle_rounds = nrounds - 1; const void *keysched = ctx->keyschenc32; - asm volatile ("call _aes_encrypt_core" "\n\t" - : "+a" (middle_rounds), "+d" (keysched) - : "c" (aes_const_ptr) - : "rdi", "rsi", "cc", "memory"); + asm volatile (PUSH_STACK_PTR + "callq *%q[core]" "\n\t" + POP_STACK_PTR + : "+a" (middle_rounds), "+d" (keysched) + : [core] "r" (_gcry_aes_ssse3_encrypt_core) + : "rcx", "rsi", "rdi", "cc", "memory"); } /* Decrypt one block using the Intel SSSE3 instructions. Block is input * and output through SSE register xmm0. */ static inline void -do_vpaes_ssse3_dec (const RIJNDAEL_context *ctx, unsigned int nrounds, - const void *aes_const_ptr) +do_vpaes_ssse3_dec (const RIJNDAEL_context *ctx, unsigned int nrounds) { unsigned int middle_rounds = nrounds - 1; const void *keysched = ctx->keyschdec32; - asm volatile ("call _aes_decrypt_core" "\n\t" - : "+a" (middle_rounds), "+d" (keysched) - : "c" (aes_const_ptr) - : "rsi", "cc", "memory"); + asm volatile (PUSH_STACK_PTR + "callq *%q[core]" "\n\t" + POP_STACK_PTR + : "+a" (middle_rounds), "+d" (keysched) + : [core] "r" (_gcry_aes_ssse3_decrypt_core) + : "rcx", "rsi", "cc", "memory"); } @@ -241,15 +277,14 @@ _gcry_aes_ssse3_encrypt (const RIJNDAEL_context *ctx, unsigned char *dst, const unsigned char *src) { unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_enc (aes_const_ptr); + vpaes_ssse3_prepare_enc (); asm volatile ("movdqu %[src], %%xmm0\n\t" : : [src] "m" (*src) : "memory" ); - do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_enc (ctx, nrounds); asm volatile ("movdqu %%xmm0, %[dst]\n\t" : [dst] "=m" (*dst) : @@ -265,10 +300,9 @@ _gcry_aes_ssse3_cfb_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, size_t nblocks) { unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_enc (aes_const_ptr); + vpaes_ssse3_prepare_enc (); asm volatile ("movdqu %[iv], %%xmm0\n\t" : /* No output */ @@ -277,7 +311,7 @@ _gcry_aes_ssse3_cfb_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, for ( ;nblocks; nblocks-- ) { - do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_enc (ctx, nrounds); asm volatile ("movdqu %[inbuf], %%xmm1\n\t" "pxor %%xmm1, %%xmm0\n\t" @@ -305,10 +339,9 @@ _gcry_aes_ssse3_cbc_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, size_t nblocks, int cbc_mac) { unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_enc (aes_const_ptr); + vpaes_ssse3_prepare_enc (); asm volatile ("movdqu %[iv], %%xmm7\n\t" : /* No output */ @@ -323,7 +356,7 @@ _gcry_aes_ssse3_cbc_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, : [inbuf] "m" (*inbuf) : "memory" ); - do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_enc (ctx, nrounds); asm volatile ("movdqa %%xmm0, %%xmm7\n\t" "movdqu %%xmm0, %[outbuf]\n\t" @@ -353,11 +386,10 @@ _gcry_aes_ssse3_ctr_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, static const unsigned char be_mask[16] __attribute__ ((aligned (16))) = { 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 }; unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; u64 ctrlow; - vpaes_ssse3_prepare_enc (aes_const_ptr); + vpaes_ssse3_prepare_enc (); asm volatile ("movdqa %[mask], %%xmm6\n\t" /* Preload mask */ "movdqa (%[ctr]), %%xmm7\n\t" /* Preload CTR */ @@ -388,10 +420,10 @@ _gcry_aes_ssse3_ctr_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, "pshufb %%xmm6, %%xmm7\n\t" : [ctrlow] "+r" (ctrlow) - : [ctr] "r" (ctr) + : : "cc", "memory"); - do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_enc (ctx, nrounds); asm volatile ("movdqu %[src], %%xmm1\n\t" /* xmm1 := input */ "pxor %%xmm1, %%xmm0\n\t" /* EncCTR ^= input */ @@ -418,15 +450,14 @@ _gcry_aes_ssse3_decrypt (const RIJNDAEL_context *ctx, unsigned char *dst, const unsigned char *src) { unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_dec (aes_const_ptr); + vpaes_ssse3_prepare_dec (); asm volatile ("movdqu %[src], %%xmm0\n\t" : : [src] "m" (*src) : "memory" ); - do_vpaes_ssse3_dec (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_dec (ctx, nrounds); asm volatile ("movdqu %%xmm0, %[dst]\n\t" : [dst] "=m" (*dst) : @@ -442,10 +473,9 @@ _gcry_aes_ssse3_cfb_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, size_t nblocks) { unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_enc (aes_const_ptr); + vpaes_ssse3_prepare_enc (); asm volatile ("movdqu %[iv], %%xmm0\n\t" : /* No output */ @@ -454,7 +484,7 @@ _gcry_aes_ssse3_cfb_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, for ( ;nblocks; nblocks-- ) { - do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_enc (ctx, nrounds); asm volatile ("movdqa %%xmm0, %%xmm6\n\t" "movdqu %[inbuf], %%xmm0\n\t" @@ -483,145 +513,57 @@ _gcry_aes_ssse3_cbc_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, size_t nblocks) { unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_dec (aes_const_ptr); + vpaes_ssse3_prepare_dec (); - asm volatile - ("movdqu %[iv], %%xmm7\n\t" /* use xmm7 as fast IV storage */ - : /* No output */ - : [iv] "m" (*iv) - : "memory"); + asm volatile ("movdqu %[iv], %%xmm7\n\t" /* use xmm7 as fast IV storage */ + : /* No output */ + : [iv] "m" (*iv) + : "memory"); for ( ;nblocks; nblocks-- ) { - asm volatile - ("movdqu %[inbuf], %%xmm0\n\t" - "movdqa %%xmm0, %%xmm6\n\t" /* use xmm6 as savebuf */ - : /* No output */ - : [inbuf] "m" (*inbuf) - : "memory"); - - do_vpaes_ssse3_dec (ctx, nrounds, aes_const_ptr); - - asm volatile - ("pxor %%xmm7, %%xmm0\n\t" /* xor IV with output */ - "movdqu %%xmm0, %[outbuf]\n\t" - "movdqu %%xmm6, %%xmm7\n\t" /* store savebuf as new IV */ - : [outbuf] "=m" (*outbuf) - : - : "memory"); + asm volatile ("movdqu %[inbuf], %%xmm0\n\t" + "movdqa %%xmm0, %%xmm6\n\t" /* use xmm6 as savebuf */ + : /* No output */ + : [inbuf] "m" (*inbuf) + : "memory"); + + do_vpaes_ssse3_dec (ctx, nrounds); + + asm volatile ("pxor %%xmm7, %%xmm0\n\t" /* xor IV with output */ + "movdqu %%xmm0, %[outbuf]\n\t" + "movdqu %%xmm6, %%xmm7\n\t" /* store savebuf as new IV */ + : [outbuf] "=m" (*outbuf) + : + : "memory"); outbuf += BLOCKSIZE; inbuf += BLOCKSIZE; } - asm volatile - ("movdqu %%xmm7, %[iv]\n\t" /* store IV */ - : /* No output */ - : [iv] "m" (*iv) - : "memory"); + asm volatile ("movdqu %%xmm7, %[iv]\n\t" /* store IV */ + : /* No output */ + : [iv] "m" (*iv) + : "memory"); vpaes_ssse3_cleanup (); } -static inline const unsigned char * -get_l (gcry_cipher_hd_t c, unsigned char *l_tmp, u64 i, unsigned char *iv, - unsigned char *ctr, const void **aes_const_ptr, - byte ssse3_state[SSSE3_STATE_SIZE], int encrypt) -{ - const unsigned char *l; - unsigned int ntz; - - if (i & 1) - return c->u_mode.ocb.L[0]; - else if (i & 2) - return c->u_mode.ocb.L[1]; - else if (i & 0xffffffffU) - { - asm ("rep;bsf %k[low], %k[ntz]\n\t" - : [ntz] "=r" (ntz) - : [low] "r" (i & 0xffffffffU) - : "cc"); - } - else - { - if (OCB_L_TABLE_SIZE < 32) - { - ntz = 32; - } - else if (i) - { - asm ("rep;bsf %k[high], %k[ntz]\n\t" - : [ntz] "=r" (ntz) - : [high] "r" (i >> 32) - : "cc"); - ntz += 32; - } - else - { - ntz = 64; - } - } - - if (ntz < OCB_L_TABLE_SIZE) - { - l = c->u_mode.ocb.L[ntz]; - } - else - { - /* Store Offset & Checksum before calling external function */ - asm volatile ("movdqu %%xmm7, %[iv]\n\t" - "movdqu %%xmm6, %[ctr]\n\t" - : [iv] "=m" (*iv), - [ctr] "=m" (*ctr) - : - : "memory" ); - - /* Restore SSSE3 state. */ - vpaes_ssse3_cleanup(); - - l = _gcry_cipher_ocb_get_l (c, l_tmp, i); - - /* Save SSSE3 state. */ - if (encrypt) - { - vpaes_ssse3_prepare_enc (*aes_const_ptr); - } - else - { - vpaes_ssse3_prepare_dec (*aes_const_ptr); - } - - /* Restore Offset & Checksum */ - asm volatile ("movdqu %[iv], %%xmm7\n\t" - "movdqu %[ctr], %%xmm6\n\t" - : /* No output */ - : [iv] "m" (*iv), - [ctr] "m" (*ctr) - : "memory" ); - } - - return l; -} - - static void ssse3_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks) { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; RIJNDAEL_context *ctx = (void *)&c->context.c; unsigned char *outbuf = outbuf_arg; const unsigned char *inbuf = inbuf_arg; u64 n = c->u_mode.ocb.data_nblocks; unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_enc (aes_const_ptr); + vpaes_ssse3_prepare_enc (); /* Preload Offset and Checksum */ asm volatile ("movdqu %[iv], %%xmm7\n\t" @@ -635,8 +577,7 @@ ssse3_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, { const unsigned char *l; - l = get_l(c, l_tmp.x1, ++n, c->u_iv.iv, c->u_ctr.ctr, &aes_const_ptr, - ssse3_state, 1); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* Checksum_i = Checksum_{i-1} xor P_i */ @@ -651,7 +592,7 @@ ssse3_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, [inbuf] "m" (*inbuf) : "memory" ); - do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_enc (ctx, nrounds); asm volatile ("pxor %%xmm7, %%xmm0\n\t" "movdqu %%xmm0, %[outbuf]\n\t" @@ -671,7 +612,6 @@ ssse3_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, : : "memory" ); - wipememory(&l_tmp, sizeof(l_tmp)); vpaes_ssse3_cleanup (); } @@ -679,16 +619,14 @@ static void ssse3_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks) { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; RIJNDAEL_context *ctx = (void *)&c->context.c; unsigned char *outbuf = outbuf_arg; const unsigned char *inbuf = inbuf_arg; u64 n = c->u_mode.ocb.data_nblocks; unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_dec (aes_const_ptr); + vpaes_ssse3_prepare_dec (); /* Preload Offset and Checksum */ asm volatile ("movdqu %[iv], %%xmm7\n\t" @@ -702,8 +640,7 @@ ssse3_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, { const unsigned char *l; - l = get_l(c, l_tmp.x1, ++n, c->u_iv.iv, c->u_ctr.ctr, &aes_const_ptr, - ssse3_state, 0); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ @@ -717,7 +654,7 @@ ssse3_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, [inbuf] "m" (*inbuf) : "memory" ); - do_vpaes_ssse3_dec (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_dec (ctx, nrounds); asm volatile ("pxor %%xmm7, %%xmm0\n\t" "pxor %%xmm0, %%xmm6\n\t" @@ -738,7 +675,6 @@ ssse3_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, : : "memory" ); - wipememory(&l_tmp, sizeof(l_tmp)); vpaes_ssse3_cleanup (); } @@ -758,15 +694,13 @@ void _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, size_t nblocks) { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; RIJNDAEL_context *ctx = (void *)&c->context.c; const unsigned char *abuf = abuf_arg; u64 n = c->u_mode.ocb.aad_nblocks; unsigned int nrounds = ctx->rounds; - const void *aes_const_ptr; byte ssse3_state[SSSE3_STATE_SIZE]; - vpaes_ssse3_prepare_enc (aes_const_ptr); + vpaes_ssse3_prepare_enc (); /* Preload Offset and Sum */ asm volatile ("movdqu %[iv], %%xmm7\n\t" @@ -780,8 +714,7 @@ _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, { const unsigned char *l; - l = get_l(c, l_tmp.x1, ++n, c->u_mode.ocb.aad_offset, - c->u_mode.ocb.aad_sum, &aes_const_ptr, ssse3_state, 1); + l = ocb_get_l(c, ++n); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ @@ -794,7 +727,7 @@ _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, [abuf] "m" (*abuf) : "memory" ); - do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr); + do_vpaes_ssse3_enc (ctx, nrounds); asm volatile ("pxor %%xmm0, %%xmm6\n\t" : @@ -812,778 +745,7 @@ _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, : : "memory" ); - wipememory(&l_tmp, sizeof(l_tmp)); vpaes_ssse3_cleanup (); } - -#ifdef HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS -# define X(...) -#else -# define X(...) __VA_ARGS__ -#endif - -asm ( - "\n\t" "##" - "\n\t" "## Constant-time SSSE3 AES core implementation." - "\n\t" "##" - "\n\t" "## By Mike Hamburg (Stanford University), 2009" - "\n\t" "## Public domain." - "\n\t" "##" - - "\n\t" ".text" - - "\n\t" "##" - "\n\t" "## _aes_encrypt_core" - "\n\t" "##" - "\n\t" "## AES-encrypt %xmm0." - "\n\t" "##" - "\n\t" "## Inputs:" - "\n\t" "## %xmm0 = input" - "\n\t" "## %xmm9-%xmm15 as in .Laes_preheat" - "\n\t" "## %rcx = .Laes_consts" - "\n\t" "## (%rdx) = scheduled keys" - "\n\t" "## %rax = nrounds - 1" - "\n\t" "##" - "\n\t" "## Output in %xmm0" - "\n\t" "## Clobbers %xmm1-%xmm4, %r9, %r11, %rax" - "\n\t" "## Preserves %xmm6 - %xmm7 so you get some local vectors" - "\n\t" "##" - "\n\t" "##" - "\n\t" ".align 16" -X("\n\t" ".type _aes_encrypt_core,@function") - "\n\t" "_aes_encrypt_core:" - "\n\t" " leaq .Lk_mc_backward(%rcx), %rdi" - "\n\t" " mov $16, %rsi" - "\n\t" " movdqa .Lk_ipt (%rcx), %xmm2 # iptlo" - "\n\t" " movdqa %xmm9, %xmm1" - "\n\t" " pandn %xmm0, %xmm1" - "\n\t" " psrld $4, %xmm1" - "\n\t" " pand %xmm9, %xmm0" - "\n\t" " pshufb %xmm0, %xmm2" - "\n\t" " movdqa .Lk_ipt+16(%rcx), %xmm0 # ipthi" - "\n\t" " pshufb %xmm1, %xmm0" - "\n\t" " pxor (%rdx),%xmm2" - "\n\t" " pxor %xmm2, %xmm0" - "\n\t" " add $16, %rdx" - "\n\t" " jmp .Laes_entry" - - "\n\t" ".align 8" - "\n\t" ".Laes_loop:" - "\n\t" " # middle of middle round" - "\n\t" " movdqa %xmm13, %xmm4 # 4 : sb1u" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sb1u" - "\n\t" " pxor (%rdx), %xmm4 # 4 = sb1u + k" - "\n\t" " movdqa %xmm12, %xmm0 # 0 : sb1t" - "\n\t" " pshufb %xmm3, %xmm0 # 0 = sb1t" - "\n\t" " pxor %xmm4, %xmm0 # 0 = A" - "\n\t" " movdqa %xmm15, %xmm4 # 4 : sb2u" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sb2u" - "\n\t" " movdqa .Lk_mc_forward-.Lk_mc_backward(%rsi,%rdi), %xmm1" - "\n\t" " movdqa %xmm14, %xmm2 # 2 : sb2t" - "\n\t" " pshufb %xmm3, %xmm2 # 2 = sb2t" - "\n\t" " pxor %xmm4, %xmm2 # 2 = 2A" - "\n\t" " movdqa %xmm0, %xmm3 # 3 = A" - "\n\t" " pshufb %xmm1, %xmm0 # 0 = B" - "\n\t" " pxor %xmm2, %xmm0 # 0 = 2A+B" - "\n\t" " pshufb (%rsi,%rdi), %xmm3 # 3 = D" - "\n\t" " lea 16(%esi),%esi # next mc" - "\n\t" " pxor %xmm0, %xmm3 # 3 = 2A+B+D" - "\n\t" " lea 16(%rdx),%rdx # next key" - "\n\t" " pshufb %xmm1, %xmm0 # 0 = 2B+C" - "\n\t" " pxor %xmm3, %xmm0 # 0 = 2A+3B+C+D" - "\n\t" " and $48, %rsi # ... mod 4" - "\n\t" " dec %rax # nr--" - - "\n\t" ".Laes_entry:" - "\n\t" " # top of round" - "\n\t" " movdqa %xmm9, %xmm1 # 1 : i" - "\n\t" " pandn %xmm0, %xmm1 # 1 = i<<4" - "\n\t" " psrld $4, %xmm1 # 1 = i" - "\n\t" " pand %xmm9, %xmm0 # 0 = k" - "\n\t" " movdqa %xmm11, %xmm2 # 2 : a/k" - "\n\t" " pshufb %xmm0, %xmm2 # 2 = a/k" - "\n\t" " pxor %xmm1, %xmm0 # 0 = j" - "\n\t" " movdqa %xmm10, %xmm3 # 3 : 1/i" - "\n\t" " pshufb %xmm1, %xmm3 # 3 = 1/i" - "\n\t" " pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k" - "\n\t" " movdqa %xmm10, %xmm4 # 4 : 1/j" - "\n\t" " pshufb %xmm0, %xmm4 # 4 = 1/j" - "\n\t" " pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k" - "\n\t" " movdqa %xmm10, %xmm2 # 2 : 1/iak" - "\n\t" " pshufb %xmm3, %xmm2 # 2 = 1/iak" - "\n\t" " pxor %xmm0, %xmm2 # 2 = io" - "\n\t" " movdqa %xmm10, %xmm3 # 3 : 1/jak" - "\n\t" " pshufb %xmm4, %xmm3 # 3 = 1/jak" - "\n\t" " pxor %xmm1, %xmm3 # 3 = jo" - "\n\t" " jnz .Laes_loop" - - "\n\t" " # middle of last round" - "\n\t" " movdqa .Lk_sbo(%rcx), %xmm4 # 3 : sbou" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sbou" - "\n\t" " pxor (%rdx), %xmm4 # 4 = sb1u + k" - "\n\t" " movdqa .Lk_sbo+16(%rcx), %xmm0 # 0 : sbot" - "\n\t" " pshufb %xmm3, %xmm0 # 0 = sb1t" - "\n\t" " pxor %xmm4, %xmm0 # 0 = A" - "\n\t" " pshufb .Lk_sr(%rsi,%rcx), %xmm0" - "\n\t" " ret" -X("\n\t" ".size _aes_encrypt_core,.-_aes_encrypt_core") - - "\n\t" "##" - "\n\t" "## Decryption core" - "\n\t" "##" - "\n\t" "## Same API as encryption core." - "\n\t" "##" - "\n\t" ".align 16" -X("\n\t" ".type _aes_decrypt_core,@function") - "\n\t" "_aes_decrypt_core:" - "\n\t" " movl %eax, %esi" - "\n\t" " shll $4, %esi" - "\n\t" " xorl $48, %esi" - "\n\t" " andl $48, %esi" - "\n\t" " movdqa .Lk_dipt (%rcx), %xmm2 # iptlo" - "\n\t" " movdqa %xmm9, %xmm1" - "\n\t" " pandn %xmm0, %xmm1" - "\n\t" " psrld $4, %xmm1" - "\n\t" " pand %xmm9, %xmm0" - "\n\t" " pshufb %xmm0, %xmm2" - "\n\t" " movdqa .Lk_dipt+16(%rcx), %xmm0 # ipthi" - "\n\t" " pshufb %xmm1, %xmm0" - "\n\t" " pxor (%rdx), %xmm2" - "\n\t" " pxor %xmm2, %xmm0" - "\n\t" " movdqa .Lk_mc_forward+48(%rcx), %xmm5" - "\n\t" " lea 16(%rdx), %rdx" - "\n\t" " neg %rax" - "\n\t" " jmp .Laes_dec_entry" - - "\n\t" ".align 16" - "\n\t" ".Laes_dec_loop:" - "\n\t" "##" - "\n\t" "## Inverse mix columns" - "\n\t" "##" - "\n\t" " movdqa %xmm13, %xmm4 # 4 : sb9u" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sb9u" - "\n\t" " pxor (%rdx), %xmm4" - "\n\t" " movdqa %xmm12, %xmm0 # 0 : sb9t" - "\n\t" " pshufb %xmm3, %xmm0 # 0 = sb9t" - "\n\t" " movdqa .Lk_dsbd+16(%rcx),%xmm1 # 1 : sbdt" - "\n\t" " pxor %xmm4, %xmm0 # 0 = ch" - "\n\t" " lea 16(%rdx), %rdx # next round key" - - "\n\t" " pshufb %xmm5, %xmm0 # MC ch" - "\n\t" " movdqa %xmm15, %xmm4 # 4 : sbdu" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sbdu" - "\n\t" " pxor %xmm0, %xmm4 # 4 = ch" - "\n\t" " pshufb %xmm3, %xmm1 # 1 = sbdt" - "\n\t" " pxor %xmm4, %xmm1 # 1 = ch" - - "\n\t" " pshufb %xmm5, %xmm1 # MC ch" - "\n\t" " movdqa %xmm14, %xmm4 # 4 : sbbu" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sbbu" - "\n\t" " inc %rax # nr--" - "\n\t" " pxor %xmm1, %xmm4 # 4 = ch" - "\n\t" " movdqa .Lk_dsbb+16(%rcx),%xmm0 # 0 : sbbt" - "\n\t" " pshufb %xmm3, %xmm0 # 0 = sbbt" - "\n\t" " pxor %xmm4, %xmm0 # 0 = ch" - - "\n\t" " pshufb %xmm5, %xmm0 # MC ch" - "\n\t" " movdqa %xmm8, %xmm4 # 4 : sbeu" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sbeu" - "\n\t" " pshufd $0x93, %xmm5, %xmm5" - "\n\t" " pxor %xmm0, %xmm4 # 4 = ch" - "\n\t" " movdqa .Lk_dsbe+16(%rcx),%xmm0 # 0 : sbet" - "\n\t" " pshufb %xmm3, %xmm0 # 0 = sbet" - "\n\t" " pxor %xmm4, %xmm0 # 0 = ch" - - "\n\t" ".Laes_dec_entry:" - "\n\t" " # top of round" - "\n\t" " movdqa %xmm9, %xmm1 # 1 : i" - "\n\t" " pandn %xmm0, %xmm1 # 1 = i<<4" - "\n\t" " psrld $4, %xmm1 # 1 = i" - "\n\t" " pand %xmm9, %xmm0 # 0 = k" - "\n\t" " movdqa %xmm11, %xmm2 # 2 : a/k" - "\n\t" " pshufb %xmm0, %xmm2 # 2 = a/k" - "\n\t" " pxor %xmm1, %xmm0 # 0 = j" - "\n\t" " movdqa %xmm10, %xmm3 # 3 : 1/i" - "\n\t" " pshufb %xmm1, %xmm3 # 3 = 1/i" - "\n\t" " pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k" - "\n\t" " movdqa %xmm10, %xmm4 # 4 : 1/j" - "\n\t" " pshufb %xmm0, %xmm4 # 4 = 1/j" - "\n\t" " pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k" - "\n\t" " movdqa %xmm10, %xmm2 # 2 : 1/iak" - "\n\t" " pshufb %xmm3, %xmm2 # 2 = 1/iak" - "\n\t" " pxor %xmm0, %xmm2 # 2 = io" - "\n\t" " movdqa %xmm10, %xmm3 # 3 : 1/jak" - "\n\t" " pshufb %xmm4, %xmm3 # 3 = 1/jak" - "\n\t" " pxor %xmm1, %xmm3 # 3 = jo" - "\n\t" " jnz .Laes_dec_loop" - - "\n\t" " # middle of last round" - "\n\t" " movdqa .Lk_dsbo(%rcx), %xmm4 # 3 : sbou" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sbou" - "\n\t" " pxor (%rdx), %xmm4 # 4 = sb1u + k" - "\n\t" " movdqa .Lk_dsbo+16(%rcx), %xmm0 # 0 : sbot" - "\n\t" " pshufb %xmm3, %xmm0 # 0 = sb1t" - "\n\t" " pxor %xmm4, %xmm0 # 0 = A" - "\n\t" " pshufb .Lk_sr(%rsi,%rcx), %xmm0" - "\n\t" " ret" -X("\n\t" ".size _aes_decrypt_core,.-_aes_decrypt_core") - - "\n\t" "########################################################" - "\n\t" "## ##" - "\n\t" "## AES key schedule ##" - "\n\t" "## ##" - "\n\t" "########################################################" - - "\n\t" ".align 16" -X("\n\t" ".type _aes_schedule_core,@function") - "\n\t" "_aes_schedule_core:" - "\n\t" " # rdi = key" - "\n\t" " # rsi = size in bits" - "\n\t" " # rdx = buffer" - "\n\t" " # rcx = direction. 0=encrypt, 1=decrypt" - - "\n\t" " # load the tables" - "\n\t" " lea .Laes_consts(%rip), %r10" - "\n\t" " movdqa (%r10), %xmm9 # 0F" - "\n\t" " movdqa .Lk_inv (%r10), %xmm10 # inv" - "\n\t" " movdqa .Lk_inv+16(%r10), %xmm11 # inva" - "\n\t" " movdqa .Lk_sb1 (%r10), %xmm13 # sb1u" - "\n\t" " movdqa .Lk_sb1+16(%r10), %xmm12 # sb1t" - "\n\t" " movdqa .Lk_sb2 (%r10), %xmm15 # sb2u" - "\n\t" " movdqa .Lk_sb2+16(%r10), %xmm14 # sb2t" - - "\n\t" " movdqa .Lk_rcon(%r10), %xmm8 # load rcon" - "\n\t" " movdqu (%rdi), %xmm0 # load key (unaligned)" - - "\n\t" " # input transform" - "\n\t" " movdqu %xmm0, %xmm3" - "\n\t" " lea .Lk_ipt(%r10), %r11" - "\n\t" " call .Laes_schedule_transform" - "\n\t" " movdqu %xmm0, %xmm7" - - "\n\t" " test %rcx, %rcx" - "\n\t" " jnz .Laes_schedule_am_decrypting" - - "\n\t" " # encrypting, output zeroth round key after transform" - "\n\t" " movdqa %xmm0, (%rdx)" - "\n\t" " jmp .Laes_schedule_go" - - "\n\t" ".Laes_schedule_am_decrypting:" - "\n\t" " # decrypting, output zeroth round key after shiftrows" - "\n\t" " pshufb .Lk_sr(%r8,%r10),%xmm3" - "\n\t" " movdqa %xmm3, (%rdx)" - "\n\t" " xor $48, %r8" - - "\n\t" ".Laes_schedule_go:" - "\n\t" " cmp $192, %rsi" - "\n\t" " je .Laes_schedule_192" - "\n\t" " cmp $256, %rsi" - "\n\t" " je .Laes_schedule_256" - "\n\t" " # 128: fall though" - - "\n\t" "##" - "\n\t" "## .Laes_schedule_128" - "\n\t" "##" - "\n\t" "## 128-bit specific part of key schedule." - "\n\t" "##" - "\n\t" "## This schedule is really simple, because all its parts" - "\n\t" "## are accomplished by the subroutines." - "\n\t" "##" - "\n\t" ".Laes_schedule_128:" - "\n\t" " mov $10, %rsi" - - "\n\t" ".Laes_schedule_128_L:" - "\n\t" " call .Laes_schedule_round" - "\n\t" " dec %rsi" - "\n\t" " jz .Laes_schedule_mangle_last" - "\n\t" " call .Laes_schedule_mangle # write output" - "\n\t" " jmp .Laes_schedule_128_L" - - "\n\t" "##" - "\n\t" "## .Laes_schedule_192" - "\n\t" "##" - "\n\t" "## 192-bit specific part of key schedule." - "\n\t" "##" - "\n\t" "## The main body of this schedule is the same as the 128-bit" - "\n\t" "## schedule, but with more smearing. The long, high side is" - "\n\t" "## stored in %xmm7 as before, and the short, low side is in" - "\n\t" "## the high bits of %xmm6." - "\n\t" "##" - "\n\t" "## This schedule is somewhat nastier, however, because each" - "\n\t" "## round produces 192 bits of key material, or 1.5 round keys." - "\n\t" "## Therefore, on each cycle we do 2 rounds and produce 3 round" - "\n\t" "## keys." - "\n\t" "##" - "\n\t" ".Laes_schedule_192:" - "\n\t" " movdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned)" - "\n\t" " call .Laes_schedule_transform # input transform" - "\n\t" " pshufd $0x0E, %xmm0, %xmm6" - "\n\t" " pslldq $8, %xmm6 # clobber low side with zeros" - "\n\t" " mov $4, %rsi" - - "\n\t" ".Laes_schedule_192_L:" - "\n\t" " call .Laes_schedule_round" - "\n\t" " palignr $8,%xmm6,%xmm0 " - "\n\t" " call .Laes_schedule_mangle # save key n" - "\n\t" " call .Laes_schedule_192_smear" - "\n\t" " call .Laes_schedule_mangle # save key n+1" - "\n\t" " call .Laes_schedule_round" - "\n\t" " dec %rsi" - "\n\t" " jz .Laes_schedule_mangle_last" - "\n\t" " call .Laes_schedule_mangle # save key n+2" - "\n\t" " call .Laes_schedule_192_smear" - "\n\t" " jmp .Laes_schedule_192_L" - - "\n\t" "##" - "\n\t" "## .Laes_schedule_192_smear" - "\n\t" "##" - "\n\t" "## Smear the short, low side in the 192-bit key schedule." - "\n\t" "##" - "\n\t" "## Inputs:" - "\n\t" "## %xmm7: high side, b a x y" - "\n\t" "## %xmm6: low side, d c 0 0" - "\n\t" "## %xmm13: 0" - "\n\t" "##" - "\n\t" "## Outputs:" - "\n\t" "## %xmm6: b+c+d b+c 0 0" - "\n\t" "## %xmm0: b+c+d b+c b a" - "\n\t" "##" - "\n\t" ".Laes_schedule_192_smear:" - "\n\t" " pshufd $0x80, %xmm6, %xmm0 # d c 0 0 -> c 0 0 0" - "\n\t" " pxor %xmm0, %xmm6 # -> c+d c 0 0" - "\n\t" " pshufd $0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a" - "\n\t" " pxor %xmm6, %xmm0 # -> b+c+d b+c b a" - "\n\t" " pshufd $0x0E, %xmm0, %xmm6" - "\n\t" " pslldq $8, %xmm6 # clobber low side with zeros" - "\n\t" " ret" - - "\n\t" "##" - "\n\t" "## .Laes_schedule_256" - "\n\t" "##" - "\n\t" "## 256-bit specific part of key schedule." - "\n\t" "##" - "\n\t" "## The structure here is very similar to the 128-bit" - "\n\t" "## schedule, but with an additional 'low side' in" - "\n\t" "## %xmm6. The low side's rounds are the same as the" - "\n\t" "## high side's, except no rcon and no rotation." - "\n\t" "##" - "\n\t" ".Laes_schedule_256:" - "\n\t" " movdqu 16(%rdi),%xmm0 # load key part 2 (unaligned)" - "\n\t" " call .Laes_schedule_transform # input transform" - "\n\t" " mov $7, %rsi" - - "\n\t" ".Laes_schedule_256_L:" - "\n\t" " call .Laes_schedule_mangle # output low result" - "\n\t" " movdqa %xmm0, %xmm6 # save cur_lo in xmm6" - - "\n\t" " # high round" - "\n\t" " call .Laes_schedule_round" - "\n\t" " dec %rsi" - "\n\t" " jz .Laes_schedule_mangle_last" - "\n\t" " call .Laes_schedule_mangle " - - "\n\t" " # low round. swap xmm7 and xmm6" - "\n\t" " pshufd $0xFF, %xmm0, %xmm0" - "\n\t" " movdqa %xmm7, %xmm5" - "\n\t" " movdqa %xmm6, %xmm7" - "\n\t" " call .Laes_schedule_low_round" - "\n\t" " movdqa %xmm5, %xmm7" - - "\n\t" " jmp .Laes_schedule_256_L" - - "\n\t" "##" - "\n\t" "## .Laes_schedule_round" - "\n\t" "##" - "\n\t" "## Runs one main round of the key schedule on %xmm0, %xmm7" - "\n\t" "##" - "\n\t" "## Specifically, runs subbytes on the high dword of %xmm0" - "\n\t" "## then rotates it by one byte and xors into the low dword of" - "\n\t" "## %xmm7." - "\n\t" "##" - "\n\t" "## Adds rcon from low byte of %xmm8, then rotates %xmm8 for" - "\n\t" "## next rcon." - "\n\t" "##" - "\n\t" "## Smears the dwords of %xmm7 by xoring the low into the" - "\n\t" "## second low, result into third, result into highest." - "\n\t" "##" - "\n\t" "## Returns results in %xmm7 = %xmm0." - "\n\t" "## Clobbers %xmm1-%xmm4, %r11." - "\n\t" "##" - "\n\t" ".Laes_schedule_round:" - "\n\t" " # extract rcon from xmm8" - "\n\t" " pxor %xmm1, %xmm1" - "\n\t" " palignr $15, %xmm8, %xmm1" - "\n\t" " palignr $15, %xmm8, %xmm8" - "\n\t" " pxor %xmm1, %xmm7" - - "\n\t" " # rotate" - "\n\t" " pshufd $0xFF, %xmm0, %xmm0" - "\n\t" " palignr $1, %xmm0, %xmm0" - - "\n\t" " # fall through..." - - "\n\t" " # low round: same as high round, but no rotation and no rcon." - "\n\t" ".Laes_schedule_low_round:" - "\n\t" " # smear xmm7" - "\n\t" " movdqa %xmm7, %xmm1" - "\n\t" " pslldq $4, %xmm7" - "\n\t" " pxor %xmm1, %xmm7" - "\n\t" " movdqa %xmm7, %xmm1" - "\n\t" " pslldq $8, %xmm7" - "\n\t" " pxor %xmm1, %xmm7" - "\n\t" " pxor .Lk_s63(%r10), %xmm7" - - "\n\t" " # subbytes" - "\n\t" " movdqa %xmm9, %xmm1" - "\n\t" " pandn %xmm0, %xmm1" - "\n\t" " psrld $4, %xmm1 # 1 = i" - "\n\t" " pand %xmm9, %xmm0 # 0 = k" - "\n\t" " movdqa %xmm11, %xmm2 # 2 : a/k" - "\n\t" " pshufb %xmm0, %xmm2 # 2 = a/k" - "\n\t" " pxor %xmm1, %xmm0 # 0 = j" - "\n\t" " movdqa %xmm10, %xmm3 # 3 : 1/i" - "\n\t" " pshufb %xmm1, %xmm3 # 3 = 1/i" - "\n\t" " pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k" - "\n\t" " movdqa %xmm10, %xmm4 # 4 : 1/j" - "\n\t" " pshufb %xmm0, %xmm4 # 4 = 1/j" - "\n\t" " pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k" - "\n\t" " movdqa %xmm10, %xmm2 # 2 : 1/iak" - "\n\t" " pshufb %xmm3, %xmm2 # 2 = 1/iak" - "\n\t" " pxor %xmm0, %xmm2 # 2 = io" - "\n\t" " movdqa %xmm10, %xmm3 # 3 : 1/jak" - "\n\t" " pshufb %xmm4, %xmm3 # 3 = 1/jak" - "\n\t" " pxor %xmm1, %xmm3 # 3 = jo" - "\n\t" " movdqa .Lk_sb1(%r10), %xmm4 # 4 : sbou" - "\n\t" " pshufb %xmm2, %xmm4 # 4 = sbou" - "\n\t" " movdqa .Lk_sb1+16(%r10), %xmm0 # 0 : sbot" - "\n\t" " pshufb %xmm3, %xmm0 # 0 = sb1t" - "\n\t" " pxor %xmm4, %xmm0 # 0 = sbox output" - - "\n\t" " # add in smeared stuff" - "\n\t" " pxor %xmm7, %xmm0 " - "\n\t" " movdqa %xmm0, %xmm7" - "\n\t" " ret" - - "\n\t" "##" - "\n\t" "## .Laes_schedule_transform" - "\n\t" "##" - "\n\t" "## Linear-transform %xmm0 according to tables at (%r11)" - "\n\t" "##" - "\n\t" "## Requires that %xmm9 = 0x0F0F... as in preheat" - "\n\t" "## Output in %xmm0" - "\n\t" "## Clobbers %xmm1, %xmm2" - "\n\t" "##" - "\n\t" ".Laes_schedule_transform:" - "\n\t" " movdqa %xmm9, %xmm1" - "\n\t" " pandn %xmm0, %xmm1" - "\n\t" " psrld $4, %xmm1" - "\n\t" " pand %xmm9, %xmm0" - "\n\t" " movdqa (%r11), %xmm2 # lo" - "\n\t" " pshufb %xmm0, %xmm2" - "\n\t" " movdqa 16(%r11), %xmm0 # hi" - "\n\t" " pshufb %xmm1, %xmm0" - "\n\t" " pxor %xmm2, %xmm0" - "\n\t" " ret" - - "\n\t" "##" - "\n\t" "## .Laes_schedule_mangle" - "\n\t" "##" - "\n\t" "## Mangle xmm0 from (basis-transformed) standard version" - "\n\t" "## to our version." - "\n\t" "##" - "\n\t" "## On encrypt," - "\n\t" "## xor with 0x63" - "\n\t" "## multiply by circulant 0,1,1,1" - "\n\t" "## apply shiftrows transform" - "\n\t" "##" - "\n\t" "## On decrypt," - "\n\t" "## xor with 0x63" - "\n\t" "## multiply by 'inverse mixcolumns' circulant E,B,D,9" - "\n\t" "## deskew" - "\n\t" "## apply shiftrows transform" - "\n\t" "##" - "\n\t" "##" - "\n\t" "## Writes out to (%rdx), and increments or decrements it" - "\n\t" "## Keeps track of round number mod 4 in %r8" - "\n\t" "## Preserves xmm0" - "\n\t" "## Clobbers xmm1-xmm5" - "\n\t" "##" - "\n\t" ".Laes_schedule_mangle:" - "\n\t" " movdqa %xmm0, %xmm4 # save xmm0 for later" - "\n\t" " movdqa .Lk_mc_forward(%r10),%xmm5" - "\n\t" " test %rcx, %rcx" - "\n\t" " jnz .Laes_schedule_mangle_dec" - - "\n\t" " # encrypting" - "\n\t" " add $16, %rdx" - "\n\t" " pxor .Lk_s63(%r10),%xmm4" - "\n\t" " pshufb %xmm5, %xmm4" - "\n\t" " movdqa %xmm4, %xmm3" - "\n\t" " pshufb %xmm5, %xmm4" - "\n\t" " pxor %xmm4, %xmm3" - "\n\t" " pshufb %xmm5, %xmm4" - "\n\t" " pxor %xmm4, %xmm3" - - "\n\t" " jmp .Laes_schedule_mangle_both" - - "\n\t" ".Laes_schedule_mangle_dec:" - "\n\t" " lea .Lk_dks_1(%r10), %r11 # first table: *9" - "\n\t" " call .Laes_schedule_transform" - "\n\t" " movdqa %xmm0, %xmm3" - "\n\t" " pshufb %xmm5, %xmm3" - - "\n\t" " add $32, %r11 # next table: *B" - "\n\t" " call .Laes_schedule_transform" - "\n\t" " pxor %xmm0, %xmm3" - "\n\t" " pshufb %xmm5, %xmm3" - - "\n\t" " add $32, %r11 # next table: *D" - "\n\t" " call .Laes_schedule_transform" - "\n\t" " pxor %xmm0, %xmm3" - "\n\t" " pshufb %xmm5, %xmm3" - - "\n\t" " add $32, %r11 # next table: *E" - "\n\t" " call .Laes_schedule_transform" - "\n\t" " pxor %xmm0, %xmm3" - "\n\t" " pshufb %xmm5, %xmm3" - - "\n\t" " movdqa %xmm4, %xmm0 # restore %xmm0" - "\n\t" " add $-16, %rdx" - - "\n\t" ".Laes_schedule_mangle_both:" - "\n\t" " pshufb .Lk_sr(%r8,%r10),%xmm3" - "\n\t" " add $-16, %r8" - "\n\t" " and $48, %r8" - "\n\t" " movdqa %xmm3, (%rdx)" - "\n\t" " ret" - - "\n\t" "##" - "\n\t" "## .Laes_schedule_mangle_last" - "\n\t" "##" - "\n\t" "## Mangler for last round of key schedule" - "\n\t" "## Mangles %xmm0" - "\n\t" "## when encrypting, outputs out(%xmm0) ^ 63" - "\n\t" "## when decrypting, outputs unskew(%xmm0)" - "\n\t" "##" - "\n\t" "## Always called right before return... jumps to cleanup and exits" - "\n\t" "##" - "\n\t" ".Laes_schedule_mangle_last:" - "\n\t" " # schedule last round key from xmm0" - "\n\t" " lea .Lk_deskew(%r10),%r11 # prepare to deskew" - "\n\t" " test %rcx, %rcx" - "\n\t" " jnz .Laes_schedule_mangle_last_dec" - - "\n\t" " # encrypting" - "\n\t" " pshufb .Lk_sr(%r8,%r10),%xmm0 # output permute" - "\n\t" " lea .Lk_opt(%r10), %r11 # prepare to output transform" - "\n\t" " add $32, %rdx" - - "\n\t" ".Laes_schedule_mangle_last_dec:" - "\n\t" " add $-16, %rdx" - "\n\t" " pxor .Lk_s63(%r10), %xmm0" - "\n\t" " call .Laes_schedule_transform # output transform" - "\n\t" " movdqa %xmm0, (%rdx) # save last key" - - "\n\t" " #_aes_cleanup" - "\n\t" " pxor %xmm0, %xmm0" - "\n\t" " pxor %xmm1, %xmm1" - "\n\t" " pxor %xmm2, %xmm2" - "\n\t" " pxor %xmm3, %xmm3" - "\n\t" " pxor %xmm4, %xmm4" - "\n\t" " pxor %xmm5, %xmm5" - "\n\t" " pxor %xmm6, %xmm6" - "\n\t" " pxor %xmm7, %xmm7" - "\n\t" " pxor %xmm8, %xmm8" - "\n\t" " ret" -X("\n\t" ".size _aes_schedule_core,.-_aes_schedule_core") - - "\n\t" "########################################################" - "\n\t" "## ##" - "\n\t" "## Constants ##" - "\n\t" "## ##" - "\n\t" "########################################################" - - "\n\t" ".align 16" -X("\n\t" ".type _aes_consts,@object") - "\n\t" ".Laes_consts:" - "\n\t" "_aes_consts:" - "\n\t" " # s0F" - "\n\t" " .Lk_s0F = .-.Laes_consts" - "\n\t" " .quad 0x0F0F0F0F0F0F0F0F" - "\n\t" " .quad 0x0F0F0F0F0F0F0F0F" - - "\n\t" " # input transform (lo, hi)" - "\n\t" " .Lk_ipt = .-.Laes_consts" - "\n\t" " .quad 0xC2B2E8985A2A7000" - "\n\t" " .quad 0xCABAE09052227808" - "\n\t" " .quad 0x4C01307D317C4D00" - "\n\t" " .quad 0xCD80B1FCB0FDCC81" - - "\n\t" " # inv, inva" - "\n\t" " .Lk_inv = .-.Laes_consts" - "\n\t" " .quad 0x0E05060F0D080180" - "\n\t" " .quad 0x040703090A0B0C02" - "\n\t" " .quad 0x01040A060F0B0780" - "\n\t" " .quad 0x030D0E0C02050809" - - "\n\t" " # sb1u, sb1t" - "\n\t" " .Lk_sb1 = .-.Laes_consts" - "\n\t" " .quad 0xB19BE18FCB503E00" - "\n\t" " .quad 0xA5DF7A6E142AF544" - "\n\t" " .quad 0x3618D415FAE22300" - "\n\t" " .quad 0x3BF7CCC10D2ED9EF" - - - "\n\t" " # sb2u, sb2t" - "\n\t" " .Lk_sb2 = .-.Laes_consts" - "\n\t" " .quad 0xE27A93C60B712400" - "\n\t" " .quad 0x5EB7E955BC982FCD" - "\n\t" " .quad 0x69EB88400AE12900" - "\n\t" " .quad 0xC2A163C8AB82234A" - - "\n\t" " # sbou, sbot" - "\n\t" " .Lk_sbo = .-.Laes_consts" - "\n\t" " .quad 0xD0D26D176FBDC700" - "\n\t" " .quad 0x15AABF7AC502A878" - "\n\t" " .quad 0xCFE474A55FBB6A00" - "\n\t" " .quad 0x8E1E90D1412B35FA" - - "\n\t" " # mc_forward" - "\n\t" " .Lk_mc_forward = .-.Laes_consts" - "\n\t" " .quad 0x0407060500030201" - "\n\t" " .quad 0x0C0F0E0D080B0A09" - "\n\t" " .quad 0x080B0A0904070605" - "\n\t" " .quad 0x000302010C0F0E0D" - "\n\t" " .quad 0x0C0F0E0D080B0A09" - "\n\t" " .quad 0x0407060500030201" - "\n\t" " .quad 0x000302010C0F0E0D" - "\n\t" " .quad 0x080B0A0904070605" - - "\n\t" " # mc_backward" - "\n\t" " .Lk_mc_backward = .-.Laes_consts" - "\n\t" " .quad 0x0605040702010003" - "\n\t" " .quad 0x0E0D0C0F0A09080B" - "\n\t" " .quad 0x020100030E0D0C0F" - "\n\t" " .quad 0x0A09080B06050407" - "\n\t" " .quad 0x0E0D0C0F0A09080B" - "\n\t" " .quad 0x0605040702010003" - "\n\t" " .quad 0x0A09080B06050407" - "\n\t" " .quad 0x020100030E0D0C0F" - - "\n\t" " # sr" - "\n\t" " .Lk_sr = .-.Laes_consts" - "\n\t" " .quad 0x0706050403020100" - "\n\t" " .quad 0x0F0E0D0C0B0A0908" - "\n\t" " .quad 0x030E09040F0A0500" - "\n\t" " .quad 0x0B06010C07020D08" - "\n\t" " .quad 0x0F060D040B020900" - "\n\t" " .quad 0x070E050C030A0108" - "\n\t" " .quad 0x0B0E0104070A0D00" - "\n\t" " .quad 0x0306090C0F020508" - - "\n\t" " # rcon" - "\n\t" " .Lk_rcon = .-.Laes_consts" - "\n\t" " .quad 0x1F8391B9AF9DEEB6" - "\n\t" " .quad 0x702A98084D7C7D81" - - "\n\t" " # s63: all equal to 0x63 transformed" - "\n\t" " .Lk_s63 = .-.Laes_consts" - "\n\t" " .quad 0x5B5B5B5B5B5B5B5B" - "\n\t" " .quad 0x5B5B5B5B5B5B5B5B" - - "\n\t" " # output transform" - "\n\t" " .Lk_opt = .-.Laes_consts" - "\n\t" " .quad 0xFF9F4929D6B66000" - "\n\t" " .quad 0xF7974121DEBE6808" - "\n\t" " .quad 0x01EDBD5150BCEC00" - "\n\t" " .quad 0xE10D5DB1B05C0CE0" - - "\n\t" " # deskew tables: inverts the sbox's 'skew'" - "\n\t" " .Lk_deskew = .-.Laes_consts" - "\n\t" " .quad 0x07E4A34047A4E300" - "\n\t" " .quad 0x1DFEB95A5DBEF91A" - "\n\t" " .quad 0x5F36B5DC83EA6900" - "\n\t" " .quad 0x2841C2ABF49D1E77" - - "\n\t" "##" - "\n\t" "## Decryption stuff" - "\n\t" "## Key schedule constants" - "\n\t" "##" - "\n\t" " # decryption key schedule: x -> invskew x*9" - "\n\t" " .Lk_dks_1 = .-.Laes_consts" - "\n\t" " .quad 0xB6116FC87ED9A700" - "\n\t" " .quad 0x4AED933482255BFC" - "\n\t" " .quad 0x4576516227143300" - "\n\t" " .quad 0x8BB89FACE9DAFDCE" - - "\n\t" " # decryption key schedule: invskew x*9 -> invskew x*D" - "\n\t" " .Lk_dks_2 = .-.Laes_consts" - "\n\t" " .quad 0x27438FEBCCA86400" - "\n\t" " .quad 0x4622EE8AADC90561" - "\n\t" " .quad 0x815C13CE4F92DD00" - "\n\t" " .quad 0x73AEE13CBD602FF2" - - "\n\t" " # decryption key schedule: invskew x*D -> invskew x*B" - "\n\t" " .Lk_dks_3 = .-.Laes_consts" - "\n\t" " .quad 0x03C4C50201C6C700" - "\n\t" " .quad 0xF83F3EF9FA3D3CFB" - "\n\t" " .quad 0xEE1921D638CFF700" - "\n\t" " .quad 0xA5526A9D7384BC4B" - - "\n\t" " # decryption key schedule: invskew x*B -> invskew x*E + 0x63" - "\n\t" " .Lk_dks_4 = .-.Laes_consts" - "\n\t" " .quad 0xE3C390B053732000" - "\n\t" " .quad 0xA080D3F310306343" - "\n\t" " .quad 0xA0CA214B036982E8" - "\n\t" " .quad 0x2F45AEC48CE60D67" - - "\n\t" "##" - "\n\t" "## Decryption stuff" - "\n\t" "## Round function constants" - "\n\t" "##" - "\n\t" " # decryption input transform" - "\n\t" " .Lk_dipt = .-.Laes_consts" - "\n\t" " .quad 0x0F505B040B545F00" - "\n\t" " .quad 0x154A411E114E451A" - "\n\t" " .quad 0x86E383E660056500" - "\n\t" " .quad 0x12771772F491F194" - - "\n\t" " # decryption sbox output *9*u, *9*t" - "\n\t" " .Lk_dsb9 = .-.Laes_consts" - "\n\t" " .quad 0x851C03539A86D600" - "\n\t" " .quad 0xCAD51F504F994CC9" - "\n\t" " .quad 0xC03B1789ECD74900" - "\n\t" " .quad 0x725E2C9EB2FBA565" - - "\n\t" " # decryption sbox output *D*u, *D*t" - "\n\t" " .Lk_dsbd = .-.Laes_consts" - "\n\t" " .quad 0x7D57CCDFE6B1A200" - "\n\t" " .quad 0xF56E9B13882A4439" - "\n\t" " .quad 0x3CE2FAF724C6CB00" - "\n\t" " .quad 0x2931180D15DEEFD3" - - "\n\t" " # decryption sbox output *B*u, *B*t" - "\n\t" " .Lk_dsbb = .-.Laes_consts" - "\n\t" " .quad 0xD022649296B44200" - "\n\t" " .quad 0x602646F6B0F2D404" - "\n\t" " .quad 0xC19498A6CD596700" - "\n\t" " .quad 0xF3FF0C3E3255AA6B" - - "\n\t" " # decryption sbox output *E*u, *E*t" - "\n\t" " .Lk_dsbe = .-.Laes_consts" - "\n\t" " .quad 0x46F2929626D4D000" - "\n\t" " .quad 0x2242600464B4F6B0" - "\n\t" " .quad 0x0C55A6CDFFAAC100" - "\n\t" " .quad 0x9467F36B98593E32" - - "\n\t" " # decryption sbox final output" - "\n\t" " .Lk_dsbo = .-.Laes_consts" - "\n\t" " .quad 0x1387EA537EF94000" - "\n\t" " .quad 0xC7AA6DB9D4943E2D" - "\n\t" " .quad 0x12D7560F93441D00" - "\n\t" " .quad 0xCA4B8159D8C58E9C" -X("\n\t" ".size _aes_consts,.-_aes_consts") -); - #endif /* USE_SSSE3 */ diff --git a/cipher/rijndael.c b/cipher/rijndael.c index cc6a722..8637195 100644 --- a/cipher/rijndael.c +++ b/cipher/rijndael.c @@ -752,7 +752,7 @@ do_encrypt (const RIJNDAEL_context *ctx, "+d" (ax), "+c" (rounds) : "0" (_gcry_aes_amd64_encrypt_block), - [encT] "g" (encT) + [encT] "r" (encT) : "cc", "memory", "r8", "r9", "r10", "r11"); return ret; # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ @@ -1135,7 +1135,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, "+d" (ax), "+c" (rounds) : "0" (_gcry_aes_amd64_decrypt_block), - [dectabs] "g" (&dec_tables) + [dectabs] "r" (&dec_tables) : "cc", "memory", "r8", "r9", "r10", "r11"); return ret; # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ @@ -1353,7 +1353,7 @@ _gcry_aes_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, for ( ;nblocks; nblocks-- ) { u64 i = ++c->u_mode.ocb.data_nblocks; - const unsigned char *l = ocb_get_l(c, l_tmp.x1, i); + const unsigned char *l = ocb_get_l(c, i); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ buf_xor_1 (c->u_iv.iv, l, BLOCKSIZE); @@ -1378,7 +1378,7 @@ _gcry_aes_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, for ( ;nblocks; nblocks-- ) { u64 i = ++c->u_mode.ocb.data_nblocks; - const unsigned char *l = ocb_get_l(c, l_tmp.x1, i); + const unsigned char *l = ocb_get_l(c, i); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ buf_xor_1 (c->u_iv.iv, l, BLOCKSIZE); @@ -1445,7 +1445,7 @@ _gcry_aes_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, size_t nblocks) for ( ;nblocks; nblocks-- ) { u64 i = ++c->u_mode.ocb.aad_nblocks; - const unsigned char *l = ocb_get_l(c, l_tmp.x1, i); + const unsigned char *l = ocb_get_l(c, i); /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ buf_xor_1 (c->u_mode.ocb.aad_offset, l, BLOCKSIZE); diff --git a/cipher/rsa-common.c b/cipher/rsa-common.c index 7b56237..29b7bc8 100644 --- a/cipher/rsa-common.c +++ b/cipher/rsa-common.c @@ -233,7 +233,7 @@ _gcry_rsa_pkcs1_decode_for_enc (unsigned char **r_result, size_t *r_resultlen, } -/* Encode {VALUE,VALUELEN} for an NBITS keys and hash algorith ALGO +/* Encode {VALUE,VALUELEN} for an NBITS keys and hash algorithm ALGO using the pkcs#1 block type 1 padding. On success the result is stored as a new MPI at R_RESULT. On error the value at R_RESULT is undefined. diff --git a/cipher/rsa.c b/cipher/rsa.c index 2e13fd6..575ea94 100644 --- a/cipher/rsa.c +++ b/cipher/rsa.c @@ -710,7 +710,7 @@ generate_x931 (RSA_secret_key *sk, unsigned int nbits, unsigned long e_value, if (e_value < 3) return GPG_ERR_INV_VALUE; - /* Our implementaion requires E to be odd. */ + /* Our implementation requires E to be odd. */ if (!(e_value & 1)) return GPG_ERR_INV_VALUE; @@ -991,20 +991,85 @@ stronger_key_check ( RSA_secret_key *skey ) #endif - -/**************** - * Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT. + +/* Secret key operation - standard version. * * m = c^d mod n - * - * Or faster: + */ +static void +secret_core_std (gcry_mpi_t M, gcry_mpi_t C, + gcry_mpi_t D, gcry_mpi_t N) +{ + mpi_powm (M, C, D, N); +} + + +/* Secret key operation - using the CRT. * * m1 = c ^ (d mod (p-1)) mod p * m2 = c ^ (d mod (q-1)) mod q * h = u * (m2 - m1) mod q * m = m1 + h * p - * - * Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY. + */ +static void +secret_core_crt (gcry_mpi_t M, gcry_mpi_t C, + gcry_mpi_t D, unsigned int Nlimbs, + gcry_mpi_t P, gcry_mpi_t Q, gcry_mpi_t U) +{ + gcry_mpi_t m1 = mpi_alloc_secure ( Nlimbs + 1 ); + gcry_mpi_t m2 = mpi_alloc_secure ( Nlimbs + 1 ); + gcry_mpi_t h = mpi_alloc_secure ( Nlimbs + 1 ); + gcry_mpi_t D_blind = mpi_alloc_secure ( Nlimbs + 1 ); + gcry_mpi_t r; + unsigned int r_nbits; + + r_nbits = mpi_get_nbits (P) / 4; + if (r_nbits < 96) + r_nbits = 96; + r = mpi_secure_new (r_nbits); + + /* d_blind = (d mod (p-1)) + (p-1) * r */ + /* m1 = c ^ d_blind mod p */ + _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM); + mpi_set_highbit (r, r_nbits - 1); + mpi_sub_ui ( h, P, 1 ); + mpi_mul ( D_blind, h, r ); + mpi_fdiv_r ( h, D, h ); + mpi_add ( D_blind, D_blind, h ); + mpi_powm ( m1, C, D_blind, P ); + + /* d_blind = (d mod (q-1)) + (q-1) * r */ + /* m2 = c ^ d_blind mod q */ + _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM); + mpi_set_highbit (r, r_nbits - 1); + mpi_sub_ui ( h, Q, 1 ); + mpi_mul ( D_blind, h, r ); + mpi_fdiv_r ( h, D, h ); + mpi_add ( D_blind, D_blind, h ); + mpi_powm ( m2, C, D_blind, Q ); + + mpi_free ( r ); + mpi_free ( D_blind ); + + /* h = u * ( m2 - m1 ) mod q */ + mpi_sub ( h, m2, m1 ); + if ( mpi_has_sign ( h ) ) + mpi_add ( h, h, Q ); + mpi_mulm ( h, U, h, Q ); + + /* m = m1 + h * p */ + mpi_mul ( h, h, P ); + mpi_add ( M, m1, h ); + + mpi_free ( h ); + mpi_free ( m1 ); + mpi_free ( m2 ); +} + + +/* Secret key operation. + * Encrypt INPUT with SKEY and put result into + * OUTPUT. SKEY has the secret key parameters. */ static void secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) @@ -1014,37 +1079,16 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) if (!skey->p || !skey->q || !skey->u) { - mpi_powm (output, input, skey->d, skey->n); + secret_core_std (output, input, skey->d, skey->n); } else { - gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); - gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); - gcry_mpi_t h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); - - /* m1 = c ^ (d mod (p-1)) mod p */ - mpi_sub_ui( h, skey->p, 1 ); - mpi_fdiv_r( h, skey->d, h ); - mpi_powm( m1, input, h, skey->p ); - /* m2 = c ^ (d mod (q-1)) mod q */ - mpi_sub_ui( h, skey->q, 1 ); - mpi_fdiv_r( h, skey->d, h ); - mpi_powm( m2, input, h, skey->q ); - /* h = u * ( m2 - m1 ) mod q */ - mpi_sub( h, m2, m1 ); - if ( mpi_has_sign ( h ) ) - mpi_add ( h, h, skey->q ); - mpi_mulm( h, skey->u, h, skey->q ); - /* m = m1 + h * p */ - mpi_mul ( h, h, skey->p ); - mpi_add ( output, m1, h ); - - mpi_free ( h ); - mpi_free ( m1 ); - mpi_free ( m2 ); + secret_core_crt (output, input, skey->d, mpi_get_nlimbs (skey->n), + skey->p, skey->q, skey->u); } } + static void secret_blinded (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *sk, unsigned int nbits) @@ -1088,6 +1132,7 @@ secret_blinded (gcry_mpi_t output, gcry_mpi_t input, _gcry_mpi_release (ri); } + /********************************************* ************** interface ****************** *********************************************/ diff --git a/cipher/serpent-avx2-amd64.S b/cipher/serpent-avx2-amd64.S index 2902dab..8d60a15 100644 --- a/cipher/serpent-avx2-amd64.S +++ b/cipher/serpent-avx2-amd64.S @@ -1113,7 +1113,6 @@ _gcry_serpent_avx2_ocb_auth: ret; ELF(.size _gcry_serpent_avx2_ocb_auth,.-_gcry_serpent_avx2_ocb_auth;) -.data .align 16 /* For CTR-mode IV byteswap */ diff --git a/cipher/serpent.c b/cipher/serpent.c index ef19d3b..ea4b8ed 100644 --- a/cipher/serpent.c +++ b/cipher/serpent.c @@ -1235,7 +1235,6 @@ _gcry_serpent_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, serpent_context_t *ctx = (void *)&c->context.c; unsigned char *outbuf = outbuf_arg; const unsigned char *inbuf = inbuf_arg; - unsigned char l_tmp[sizeof(serpent_block_t)]; int burn_stack_depth = 2 * sizeof (serpent_block_t); u64 blkn = c->u_mode.ocb.data_nblocks; #else @@ -1275,9 +1274,8 @@ _gcry_serpent_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, /* Process data in 16 block chunks. */ while (nblocks >= 16) { - /* l_tmp will be used only every 65536-th block. */ blkn += 16; - *l = (uintptr_t)(void *)ocb_get_l(c, l_tmp, blkn - blkn % 16); + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 16); if (encrypt) _gcry_serpent_avx2_ocb_enc(ctx, outbuf, inbuf, c->u_iv.iv, @@ -1327,9 +1325,8 @@ _gcry_serpent_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, /* Process data in 8 block chunks. */ while (nblocks >= 8) { - /* l_tmp will be used only every 65536-th block. */ blkn += 8; - *l = (uintptr_t)(void *)ocb_get_l(c, l_tmp, blkn - blkn % 8); + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 8); if (encrypt) _gcry_serpent_sse2_ocb_enc(ctx, outbuf, inbuf, c->u_iv.iv, @@ -1378,9 +1375,8 @@ _gcry_serpent_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, /* Process data in 8 block chunks. */ while (nblocks >= 8) { - /* l_tmp will be used only every 65536-th block. */ blkn += 8; - *l = ocb_get_l(c, l_tmp, blkn - blkn % 8); + *l = ocb_get_l(c, blkn - blkn % 8); if (encrypt) _gcry_serpent_neon_ocb_enc(ctx, outbuf, inbuf, c->u_iv.iv, @@ -1410,8 +1406,6 @@ _gcry_serpent_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, #if defined(USE_AVX2) || defined(USE_SSE2) || defined(USE_NEON) c->u_mode.ocb.data_nblocks = blkn; - wipememory(&l_tmp, sizeof(l_tmp)); - if (burn_stack_depth) _gcry_burn_stack (burn_stack_depth + 4 * sizeof(void *)); #endif @@ -1427,7 +1421,6 @@ _gcry_serpent_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, #if defined(USE_AVX2) || defined(USE_SSE2) || defined(USE_NEON) serpent_context_t *ctx = (void *)&c->context.c; const unsigned char *abuf = abuf_arg; - unsigned char l_tmp[sizeof(serpent_block_t)]; int burn_stack_depth = 2 * sizeof(serpent_block_t); u64 blkn = c->u_mode.ocb.aad_nblocks; #else @@ -1465,9 +1458,8 @@ _gcry_serpent_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, /* Process data in 16 block chunks. */ while (nblocks >= 16) { - /* l_tmp will be used only every 65536-th block. */ blkn += 16; - *l = (uintptr_t)(void *)ocb_get_l(c, l_tmp, blkn - blkn % 16); + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 16); _gcry_serpent_avx2_ocb_auth(ctx, abuf, c->u_mode.ocb.aad_offset, c->u_mode.ocb.aad_sum, Ls); @@ -1512,9 +1504,8 @@ _gcry_serpent_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, /* Process data in 8 block chunks. */ while (nblocks >= 8) { - /* l_tmp will be used only every 65536-th block. */ blkn += 8; - *l = (uintptr_t)(void *)ocb_get_l(c, l_tmp, blkn - blkn % 8); + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 8); _gcry_serpent_sse2_ocb_auth(ctx, abuf, c->u_mode.ocb.aad_offset, c->u_mode.ocb.aad_sum, Ls); @@ -1558,9 +1549,8 @@ _gcry_serpent_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, /* Process data in 8 block chunks. */ while (nblocks >= 8) { - /* l_tmp will be used only every 65536-th block. */ blkn += 8; - *l = ocb_get_l(c, l_tmp, blkn - blkn % 8); + *l = ocb_get_l(c, blkn - blkn % 8); _gcry_serpent_neon_ocb_auth(ctx, abuf, c->u_mode.ocb.aad_offset, c->u_mode.ocb.aad_sum, Ls); @@ -1585,8 +1575,6 @@ _gcry_serpent_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, #if defined(USE_AVX2) || defined(USE_SSE2) || defined(USE_NEON) c->u_mode.ocb.aad_nblocks = blkn; - wipememory(&l_tmp, sizeof(l_tmp)); - if (burn_stack_depth) _gcry_burn_stack (burn_stack_depth + 4 * sizeof(void *)); #endif diff --git a/cipher/sha1-armv8-aarch32-ce.S b/cipher/sha1-armv8-aarch32-ce.S index b0bc5ff..bf2b233 100644 --- a/cipher/sha1-armv8-aarch32-ce.S +++ b/cipher/sha1-armv8-aarch32-ce.S @@ -24,6 +24,7 @@ defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO) && defined(USE_SHA1) .syntax unified +.arch armv8-a .fpu crypto-neon-fp-armv8 .arm diff --git a/cipher/sha1-armv8-aarch64-ce.S b/cipher/sha1-armv8-aarch64-ce.S index dcc33a3..ec1810d 100644 --- a/cipher/sha1-armv8-aarch64-ce.S +++ b/cipher/sha1-armv8-aarch64-ce.S @@ -23,7 +23,7 @@ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO) && defined(USE_SHA1) -.arch armv8-a+crypto +.cpu generic+simd+crypto .text diff --git a/cipher/sha1-avx-amd64.S b/cipher/sha1-avx-amd64.S index 3b3a6d1..b14603b 100644 --- a/cipher/sha1-avx-amd64.S +++ b/cipher/sha1-avx-amd64.S @@ -58,7 +58,7 @@ /* Constants */ -.data +.text #define K1 0x5A827999 #define K2 0x6ED9EBA1 #define K3 0x8F1BBCDC @@ -214,7 +214,6 @@ * _gcry_sha1_transform_amd64_avx (void *ctx, const unsigned char *data, * size_t nblks) */ -.text .globl _gcry_sha1_transform_amd64_avx ELF(.type _gcry_sha1_transform_amd64_avx,@function) .align 16 diff --git a/cipher/sha1-avx-bmi2-amd64.S b/cipher/sha1-avx-bmi2-amd64.S index 22bcbb3..b267693 100644 --- a/cipher/sha1-avx-bmi2-amd64.S +++ b/cipher/sha1-avx-bmi2-amd64.S @@ -59,7 +59,7 @@ /* Constants */ -.data +.text #define K1 0x5A827999 #define K2 0x6ED9EBA1 #define K3 0x8F1BBCDC @@ -212,7 +212,6 @@ * _gcry_sha1_transform_amd64_avx_bmi2 (void *ctx, const unsigned char *data, * size_t nblks) */ -.text .globl _gcry_sha1_transform_amd64_avx_bmi2 ELF(.type _gcry_sha1_transform_amd64_avx_bmi2,@function) .align 16 diff --git a/cipher/sha1-ssse3-amd64.S b/cipher/sha1-ssse3-amd64.S index 98a19e6..2b43947 100644 --- a/cipher/sha1-ssse3-amd64.S +++ b/cipher/sha1-ssse3-amd64.S @@ -58,7 +58,7 @@ /* Constants */ -.data +.text #define K1 0x5A827999 #define K2 0x6ED9EBA1 #define K3 0x8F1BBCDC @@ -226,7 +226,6 @@ * _gcry_sha1_transform_amd64_ssse3 (void *ctx, const unsigned char *data, * size_t nblks) */ -.text .globl _gcry_sha1_transform_amd64_ssse3 ELF(.type _gcry_sha1_transform_amd64_ssse3,@function) .align 16 diff --git a/cipher/sha256-armv8-aarch32-ce.S b/cipher/sha256-armv8-aarch32-ce.S index 2041a23..2b17ab1 100644 --- a/cipher/sha256-armv8-aarch32-ce.S +++ b/cipher/sha256-armv8-aarch32-ce.S @@ -24,6 +24,7 @@ defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO) && defined(USE_SHA256) .syntax unified +.arch armv8-a .fpu crypto-neon-fp-armv8 .arm diff --git a/cipher/sha256-armv8-aarch64-ce.S b/cipher/sha256-armv8-aarch64-ce.S index 257204f..a4575da 100644 --- a/cipher/sha256-armv8-aarch64-ce.S +++ b/cipher/sha256-armv8-aarch64-ce.S @@ -23,7 +23,7 @@ defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \ defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO) && defined(USE_SHA256) -.arch armv8-a+crypto +.cpu generic+simd+crypto .text diff --git a/cipher/sha256-avx-amd64.S b/cipher/sha256-avx-amd64.S index 8bf26bd..6953855 100644 --- a/cipher/sha256-avx-amd64.S +++ b/cipher/sha256-avx-amd64.S @@ -496,7 +496,6 @@ _gcry_sha256_transform_amd64_avx: ret -.data .align 16 .LK256: .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 diff --git a/cipher/sha256-avx2-bmi2-amd64.S b/cipher/sha256-avx2-bmi2-amd64.S index 74b6063..85e663f 100644 --- a/cipher/sha256-avx2-bmi2-amd64.S +++ b/cipher/sha256-avx2-bmi2-amd64.S @@ -763,7 +763,6 @@ _gcry_sha256_transform_amd64_avx2: ret -.data .align 64 .LK256: .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 diff --git a/cipher/sha256-ssse3-amd64.S b/cipher/sha256-ssse3-amd64.S index 9ec87e4..a9213e4 100644 --- a/cipher/sha256-ssse3-amd64.S +++ b/cipher/sha256-ssse3-amd64.S @@ -516,7 +516,6 @@ _gcry_sha256_transform_amd64_ssse3: ret -.data .align 16 .LK256: .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 diff --git a/cipher/sha256.c b/cipher/sha256.c index b450a12..d174321 100644 --- a/cipher/sha256.c +++ b/cipher/sha256.c @@ -509,6 +509,35 @@ sha256_read (void *context) } +/* Shortcut functions which puts the hash value of the supplied buffer + * into outbuf which must have a size of 32 bytes. */ +void +_gcry_sha256_hash_buffer (void *outbuf, const void *buffer, size_t length) +{ + SHA256_CONTEXT hd; + + sha256_init (&hd, 0); + _gcry_md_block_write (&hd, buffer, length); + sha256_final (&hd); + memcpy (outbuf, hd.bctx.buf, 32); +} + + +/* Variant of the above shortcut function using multiple buffers. */ +void +_gcry_sha256_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt) +{ + SHA256_CONTEXT hd; + + sha256_init (&hd, 0); + for (;iovcnt > 0; iov++, iovcnt--) + _gcry_md_block_write (&hd, + (const char*)iov[0].data + iov[0].off, iov[0].len); + sha256_final (&hd); + memcpy (outbuf, hd.bctx.buf, 32); +} + + /* Self-test section. diff --git a/cipher/sha512-avx-amd64.S b/cipher/sha512-avx-amd64.S index 699c271..446a8b4 100644 --- a/cipher/sha512-avx-amd64.S +++ b/cipher/sha512-avx-amd64.S @@ -368,8 +368,6 @@ _gcry_sha512_transform_amd64_avx: ;;; Binary Data */ -.data - .align 16 /* Mask for byte-swapping a couple of qwords in an XMM register using (v)pshufb. */ diff --git a/cipher/sha512-avx2-bmi2-amd64.S b/cipher/sha512-avx2-bmi2-amd64.S index 02f95af..05bef64 100644 --- a/cipher/sha512-avx2-bmi2-amd64.S +++ b/cipher/sha512-avx2-bmi2-amd64.S @@ -735,8 +735,6 @@ _gcry_sha512_transform_amd64_avx2: /*;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; */ /*;; Binary Data */ -.data - .align 64 /* K[t] used in SHA512 hashing */ .LK512: diff --git a/cipher/sha512-ssse3-amd64.S b/cipher/sha512-ssse3-amd64.S index c721bcf..51193b3 100644 --- a/cipher/sha512-ssse3-amd64.S +++ b/cipher/sha512-ssse3-amd64.S @@ -373,8 +373,6 @@ _gcry_sha512_transform_amd64_ssse3: ;;; Binary Data */ -.data - .align 16 /* Mask for byte-swapping a couple of qwords in an XMM register using (v)pshufb. */ diff --git a/cipher/sha512.c b/cipher/sha512.c index 5b25965..06e8a2b 100644 --- a/cipher/sha512.c +++ b/cipher/sha512.c @@ -739,6 +739,35 @@ sha512_read (void *context) } +/* Shortcut functions which puts the hash value of the supplied buffer + * into outbuf which must have a size of 64 bytes. */ +void +_gcry_sha512_hash_buffer (void *outbuf, const void *buffer, size_t length) +{ + SHA512_CONTEXT hd; + + sha512_init (&hd, 0); + _gcry_md_block_write (&hd, buffer, length); + sha512_final (&hd); + memcpy (outbuf, hd.bctx.buf, 64); +} + + +/* Variant of the above shortcut function using multiple buffers. */ +void +_gcry_sha512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt) +{ + SHA512_CONTEXT hd; + + sha512_init (&hd, 0); + for (;iovcnt > 0; iov++, iovcnt--) + _gcry_md_block_write (&hd, + (const char*)iov[0].data + iov[0].off, iov[0].len); + sha512_final (&hd); + memcpy (outbuf, hd.bctx.buf, 64); +} + + /* Self-test section. @@ -914,6 +943,9 @@ static gcry_md_oid_spec_t oid_spec_sha384[] = /* PKCS#1 sha384WithRSAEncryption */ { "1.2.840.113549.1.1.12" }, + /* SHA384WithECDSA: RFC 7427 (A.3.3.) */ + { "1.2.840.10045.4.3.3" }, + { NULL }, }; diff --git a/cipher/twofish-avx2-amd64.S b/cipher/twofish-avx2-amd64.S new file mode 100644 index 0000000..db6e218 --- /dev/null +++ b/cipher/twofish-avx2-amd64.S @@ -0,0 +1,1012 @@ +/* twofish-avx2-amd64.S - AMD64/AVX2 assembly implementation of Twofish cipher + * + * Copyright (C) 2013-2017 Jussi Kivilinna + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +#ifdef __x86_64 +#include +#if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ + defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && defined(USE_TWOFISH) && \ + defined(ENABLE_AVX2_SUPPORT) + +#ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS +# define ELF(...) __VA_ARGS__ +#else +# define ELF(...) /*_*/ +#endif + +#ifdef __PIC__ +# define RIP (%rip) +#else +# define RIP +#endif + +.text + +/* structure of TWOFISH_context: */ +#define s0 0 +#define s1 ((s0) + 4 * 256) +#define s2 ((s1) + 4 * 256) +#define s3 ((s2) + 4 * 256) +#define w ((s3) + 4 * 256) +#define k ((w) + 4 * 8) + +/* register macros */ +#define CTX %rdi + +#define RROUND %rbp +#define RROUNDd %ebp +#define RS0 CTX +#define RS1 %r8 +#define RS2 %r9 +#define RS3 %r10 +#define RK %r11 +#define RW %rax + +#define RA0 %ymm8 +#define RB0 %ymm9 +#define RC0 %ymm10 +#define RD0 %ymm11 +#define RA1 %ymm12 +#define RB1 %ymm13 +#define RC1 %ymm14 +#define RD1 %ymm15 + +/* temp regs */ +#define RX0 %ymm0 +#define RY0 %ymm1 +#define RX1 %ymm2 +#define RY1 %ymm3 +#define RT0 %ymm4 +#define RIDX %ymm5 + +#define RX0x %xmm0 +#define RY0x %xmm1 +#define RX1x %xmm2 +#define RY1x %xmm3 +#define RT0x %xmm4 +#define RIDXx %xmm5 + +#define RTMP0 RX0 +#define RTMP0x RX0x +#define RTMP1 RX1 +#define RTMP1x RX1x +#define RTMP2 RY0 +#define RTMP2x RY0x +#define RTMP3 RY1 +#define RTMP3x RY1x +#define RTMP4 RIDX +#define RTMP4x RIDXx + +/* vpgatherdd mask and '-1' */ +#define RNOT %ymm6 +#define RNOTx %xmm6 + +/* byte mask, (-1 >> 24) */ +#define RBYTE %ymm7 + +/********************************************************************** + 16-way AVX2 twofish + **********************************************************************/ +#define init_round_constants() \ + vpcmpeqd RNOT, RNOT, RNOT; \ + leaq k(CTX), RK; \ + leaq w(CTX), RW; \ + vpsrld $24, RNOT, RBYTE; \ + leaq s1(CTX), RS1; \ + leaq s2(CTX), RS2; \ + leaq s3(CTX), RS3; \ + +#define g16(ab, rs0, rs1, rs2, rs3, xy) \ + vpand RBYTE, ab ## 0, RIDX; \ + vpgatherdd RNOT, (rs0, RIDX, 4), xy ## 0; \ + vpcmpeqd RNOT, RNOT, RNOT; \ + \ + vpand RBYTE, ab ## 1, RIDX; \ + vpgatherdd RNOT, (rs0, RIDX, 4), xy ## 1; \ + vpcmpeqd RNOT, RNOT, RNOT; \ + \ + vpsrld $8, ab ## 0, RIDX; \ + vpand RBYTE, RIDX, RIDX; \ + vpgatherdd RNOT, (rs1, RIDX, 4), RT0; \ + vpcmpeqd RNOT, RNOT, RNOT; \ + vpxor RT0, xy ## 0, xy ## 0; \ + \ + vpsrld $8, ab ## 1, RIDX; \ + vpand RBYTE, RIDX, RIDX; \ + vpgatherdd RNOT, (rs1, RIDX, 4), RT0; \ + vpcmpeqd RNOT, RNOT, RNOT; \ + vpxor RT0, xy ## 1, xy ## 1; \ + \ + vpsrld $16, ab ## 0, RIDX; \ + vpand RBYTE, RIDX, RIDX; \ + vpgatherdd RNOT, (rs2, RIDX, 4), RT0; \ + vpcmpeqd RNOT, RNOT, RNOT; \ + vpxor RT0, xy ## 0, xy ## 0; \ + \ + vpsrld $16, ab ## 1, RIDX; \ + vpand RBYTE, RIDX, RIDX; \ + vpgatherdd RNOT, (rs2, RIDX, 4), RT0; \ + vpcmpeqd RNOT, RNOT, RNOT; \ + vpxor RT0, xy ## 1, xy ## 1; \ + \ + vpsrld $24, ab ## 0, RIDX; \ + vpgatherdd RNOT, (rs3, RIDX, 4), RT0; \ + vpcmpeqd RNOT, RNOT, RNOT; \ + vpxor RT0, xy ## 0, xy ## 0; \ + \ + vpsrld $24, ab ## 1, RIDX; \ + vpgatherdd RNOT, (rs3, RIDX, 4), RT0; \ + vpcmpeqd RNOT, RNOT, RNOT; \ + vpxor RT0, xy ## 1, xy ## 1; + +#define g1_16(a, x) \ + g16(a, RS0, RS1, RS2, RS3, x); + +#define g2_16(b, y) \ + g16(b, RS1, RS2, RS3, RS0, y); + +#define encrypt_round_end16(a, b, c, d, nk, r) \ + vpaddd RY0, RX0, RX0; \ + vpaddd RX0, RY0, RY0; \ + vpbroadcastd ((nk)+((r)*8))(RK), RT0; \ + vpaddd RT0, RX0, RX0; \ + vpbroadcastd 4+((nk)+((r)*8))(RK), RT0; \ + vpaddd RT0, RY0, RY0; \ + \ + vpxor RY0, d ## 0, d ## 0; \ + \ + vpxor RX0, c ## 0, c ## 0; \ + vpsrld $1, c ## 0, RT0; \ + vpslld $31, c ## 0, c ## 0; \ + vpor RT0, c ## 0, c ## 0; \ + \ + vpaddd RY1, RX1, RX1; \ + vpaddd RX1, RY1, RY1; \ + vpbroadcastd ((nk)+((r)*8))(RK), RT0; \ + vpaddd RT0, RX1, RX1; \ + vpbroadcastd 4+((nk)+((r)*8))(RK), RT0; \ + vpaddd RT0, RY1, RY1; \ + \ + vpxor RY1, d ## 1, d ## 1; \ + \ + vpxor RX1, c ## 1, c ## 1; \ + vpsrld $1, c ## 1, RT0; \ + vpslld $31, c ## 1, c ## 1; \ + vpor RT0, c ## 1, c ## 1; \ + +#define encrypt_round16(a, b, c, d, nk, r) \ + g2_16(b, RY); \ + \ + vpslld $1, b ## 0, RT0; \ + vpsrld $31, b ## 0, b ## 0; \ + vpor RT0, b ## 0, b ## 0; \ + \ + vpslld $1, b ## 1, RT0; \ + vpsrld $31, b ## 1, b ## 1; \ + vpor RT0, b ## 1, b ## 1; \ + \ + g1_16(a, RX); \ + \ + encrypt_round_end16(a, b, c, d, nk, r); + +#define encrypt_round_first16(a, b, c, d, nk, r) \ + vpslld $1, d ## 0, RT0; \ + vpsrld $31, d ## 0, d ## 0; \ + vpor RT0, d ## 0, d ## 0; \ + \ + vpslld $1, d ## 1, RT0; \ + vpsrld $31, d ## 1, d ## 1; \ + vpor RT0, d ## 1, d ## 1; \ + \ + encrypt_round16(a, b, c, d, nk, r); + +#define encrypt_round_last16(a, b, c, d, nk, r) \ + g2_16(b, RY); \ + \ + g1_16(a, RX); \ + \ + encrypt_round_end16(a, b, c, d, nk, r); + +#define decrypt_round_end16(a, b, c, d, nk, r) \ + vpaddd RY0, RX0, RX0; \ + vpaddd RX0, RY0, RY0; \ + vpbroadcastd ((nk)+((r)*8))(RK), RT0; \ + vpaddd RT0, RX0, RX0; \ + vpbroadcastd 4+((nk)+((r)*8))(RK), RT0; \ + vpaddd RT0, RY0, RY0; \ + \ + vpxor RX0, c ## 0, c ## 0; \ + \ + vpxor RY0, d ## 0, d ## 0; \ + vpsrld $1, d ## 0, RT0; \ + vpslld $31, d ## 0, d ## 0; \ + vpor RT0, d ## 0, d ## 0; \ + \ + vpaddd RY1, RX1, RX1; \ + vpaddd RX1, RY1, RY1; \ + vpbroadcastd ((nk)+((r)*8))(RK), RT0; \ + vpaddd RT0, RX1, RX1; \ + vpbroadcastd 4+((nk)+((r)*8))(RK), RT0; \ + vpaddd RT0, RY1, RY1; \ + \ + vpxor RX1, c ## 1, c ## 1; \ + \ + vpxor RY1, d ## 1, d ## 1; \ + vpsrld $1, d ## 1, RT0; \ + vpslld $31, d ## 1, d ## 1; \ + vpor RT0, d ## 1, d ## 1; + +#define decrypt_round16(a, b, c, d, nk, r) \ + g1_16(a, RX); \ + \ + vpslld $1, a ## 0, RT0; \ + vpsrld $31, a ## 0, a ## 0; \ + vpor RT0, a ## 0, a ## 0; \ + \ + vpslld $1, a ## 1, RT0; \ + vpsrld $31, a ## 1, a ## 1; \ + vpor RT0, a ## 1, a ## 1; \ + \ + g2_16(b, RY); \ + \ + decrypt_round_end16(a, b, c, d, nk, r); + +#define decrypt_round_first16(a, b, c, d, nk, r) \ + vpslld $1, c ## 0, RT0; \ + vpsrld $31, c ## 0, c ## 0; \ + vpor RT0, c ## 0, c ## 0; \ + \ + vpslld $1, c ## 1, RT0; \ + vpsrld $31, c ## 1, c ## 1; \ + vpor RT0, c ## 1, c ## 1; \ + \ + decrypt_round16(a, b, c, d, nk, r) + +#define decrypt_round_last16(a, b, c, d, nk, r) \ + g1_16(a, RX); \ + \ + g2_16(b, RY); \ + \ + decrypt_round_end16(a, b, c, d, nk, r); + +#define encrypt_cycle16(r) \ + encrypt_round16(RA, RB, RC, RD, 0, r); \ + encrypt_round16(RC, RD, RA, RB, 8, r); + +#define encrypt_cycle_first16(r) \ + encrypt_round_first16(RA, RB, RC, RD, 0, r); \ + encrypt_round16(RC, RD, RA, RB, 8, r); + +#define encrypt_cycle_last16(r) \ + encrypt_round16(RA, RB, RC, RD, 0, r); \ + encrypt_round_last16(RC, RD, RA, RB, 8, r); + +#define decrypt_cycle16(r) \ + decrypt_round16(RC, RD, RA, RB, 8, r); \ + decrypt_round16(RA, RB, RC, RD, 0, r); + +#define decrypt_cycle_first16(r) \ + decrypt_round_first16(RC, RD, RA, RB, 8, r); \ + decrypt_round16(RA, RB, RC, RD, 0, r); + +#define decrypt_cycle_last16(r) \ + decrypt_round16(RC, RD, RA, RB, 8, r); \ + decrypt_round_last16(RA, RB, RC, RD, 0, r); + +#define transpose_4x4(x0,x1,x2,x3,t1,t2) \ + vpunpckhdq x1, x0, t2; \ + vpunpckldq x1, x0, x0; \ + \ + vpunpckldq x3, x2, t1; \ + vpunpckhdq x3, x2, x2; \ + \ + vpunpckhqdq t1, x0, x1; \ + vpunpcklqdq t1, x0, x0; \ + \ + vpunpckhqdq x2, t2, x3; \ + vpunpcklqdq x2, t2, x2; + +#define read_blocks8(offs,a,b,c,d) \ + vmovdqu 16*offs(RIO), a; \ + vmovdqu 16*offs+32(RIO), b; \ + vmovdqu 16*offs+64(RIO), c; \ + vmovdqu 16*offs+96(RIO), d; \ + \ + transpose_4x4(a, b, c, d, RX0, RY0); + +#define write_blocks8(offs,a,b,c,d) \ + transpose_4x4(a, b, c, d, RX0, RY0); \ + \ + vmovdqu a, 16*offs(RIO); \ + vmovdqu b, 16*offs+32(RIO); \ + vmovdqu c, 16*offs+64(RIO); \ + vmovdqu d, 16*offs+96(RIO); + +#define inpack_enc8(a,b,c,d) \ + vpbroadcastd 4*0(RW), RT0; \ + vpxor RT0, a, a; \ + \ + vpbroadcastd 4*1(RW), RT0; \ + vpxor RT0, b, b; \ + \ + vpbroadcastd 4*2(RW), RT0; \ + vpxor RT0, c, c; \ + \ + vpbroadcastd 4*3(RW), RT0; \ + vpxor RT0, d, d; + +#define outunpack_enc8(a,b,c,d) \ + vpbroadcastd 4*4(RW), RX0; \ + vpbroadcastd 4*5(RW), RY0; \ + vpxor RX0, c, RX0; \ + vpxor RY0, d, RY0; \ + \ + vpbroadcastd 4*6(RW), RT0; \ + vpxor RT0, a, c; \ + vpbroadcastd 4*7(RW), RT0; \ + vpxor RT0, b, d; \ + \ + vmovdqa RX0, a; \ + vmovdqa RY0, b; + +#define inpack_dec8(a,b,c,d) \ + vpbroadcastd 4*4(RW), RX0; \ + vpbroadcastd 4*5(RW), RY0; \ + vpxor RX0, a, RX0; \ + vpxor RY0, b, RY0; \ + \ + vpbroadcastd 4*6(RW), RT0; \ + vpxor RT0, c, a; \ + vpbroadcastd 4*7(RW), RT0; \ + vpxor RT0, d, b; \ + \ + vmovdqa RX0, c; \ + vmovdqa RY0, d; + +#define outunpack_dec8(a,b,c,d) \ + vpbroadcastd 4*0(RW), RT0; \ + vpxor RT0, a, a; \ + \ + vpbroadcastd 4*1(RW), RT0; \ + vpxor RT0, b, b; \ + \ + vpbroadcastd 4*2(RW), RT0; \ + vpxor RT0, c, c; \ + \ + vpbroadcastd 4*3(RW), RT0; \ + vpxor RT0, d, d; + +#define transpose4x4_16(a,b,c,d) \ + transpose_4x4(a ## 0, b ## 0, c ## 0, d ## 0, RX0, RY0); \ + transpose_4x4(a ## 1, b ## 1, c ## 1, d ## 1, RX0, RY0); + +#define inpack_enc16(a,b,c,d) \ + inpack_enc8(a ## 0, b ## 0, c ## 0, d ## 0); \ + inpack_enc8(a ## 1, b ## 1, c ## 1, d ## 1); + +#define outunpack_enc16(a,b,c,d) \ + outunpack_enc8(a ## 0, b ## 0, c ## 0, d ## 0); \ + outunpack_enc8(a ## 1, b ## 1, c ## 1, d ## 1); + +#define inpack_dec16(a,b,c,d) \ + inpack_dec8(a ## 0, b ## 0, c ## 0, d ## 0); \ + inpack_dec8(a ## 1, b ## 1, c ## 1, d ## 1); + +#define outunpack_dec16(a,b,c,d) \ + outunpack_dec8(a ## 0, b ## 0, c ## 0, d ## 0); \ + outunpack_dec8(a ## 1, b ## 1, c ## 1, d ## 1); + +.align 8 +ELF(.type __twofish_enc_blk16,@function;) +__twofish_enc_blk16: + /* input: + * %rdi: ctx, CTX + * RA0, RB0, RC0, RD0, RA1, RB1, RC1, RD1: sixteen parallel + * plaintext blocks + * output: + * RA0, RB0, RC0, RD0, RA1, RB1, RC1, RD1: sixteen parallel + * ciphertext blocks + */ + init_round_constants(); + + transpose4x4_16(RA, RB, RC, RD); + inpack_enc16(RA, RB, RC, RD); + + encrypt_cycle_first16(0); + encrypt_cycle16(2); + encrypt_cycle16(4); + encrypt_cycle16(6); + encrypt_cycle16(8); + encrypt_cycle16(10); + encrypt_cycle16(12); + encrypt_cycle_last16(14); + + outunpack_enc16(RA, RB, RC, RD); + transpose4x4_16(RA, RB, RC, RD); + + ret; +ELF(.size __twofish_enc_blk16,.-__twofish_enc_blk16;) + +.align 8 +ELF(.type __twofish_dec_blk16,@function;) +__twofish_dec_blk16: + /* input: + * %rdi: ctx, CTX + * RA0, RB0, RC0, RD0, RA1, RB1, RC1, RD1: sixteen parallel + * plaintext blocks + * output: + * RA0, RB0, RC0, RD0, RA1, RB1, RC1, RD1: sixteen parallel + * ciphertext blocks + */ + init_round_constants(); + + transpose4x4_16(RA, RB, RC, RD); + inpack_dec16(RA, RB, RC, RD); + + decrypt_cycle_first16(14); + decrypt_cycle16(12); + decrypt_cycle16(10); + decrypt_cycle16(8); + decrypt_cycle16(6); + decrypt_cycle16(4); + decrypt_cycle16(2); + decrypt_cycle_last16(0); + + outunpack_dec16(RA, RB, RC, RD); + transpose4x4_16(RA, RB, RC, RD); + + ret; +ELF(.size __twofish_dec_blk16,.-__twofish_dec_blk16;) + +#define inc_le128(x, minus_one, tmp) \ + vpcmpeqq minus_one, x, tmp; \ + vpsubq minus_one, x, x; \ + vpslldq $8, tmp, tmp; \ + vpsubq tmp, x, x; + +.align 8 +.globl _gcry_twofish_avx2_ctr_enc +ELF(.type _gcry_twofish_avx2_ctr_enc,@function;) +_gcry_twofish_avx2_ctr_enc: + /* input: + * %rdi: ctx, CTX + * %rsi: dst (16 blocks) + * %rdx: src (16 blocks) + * %rcx: iv (big endian, 128bit) + */ + + movq 8(%rcx), %rax; + bswapq %rax; + + vzeroupper; + + vbroadcasti128 .Lbswap128_mask RIP, RTMP3; + vpcmpeqd RNOT, RNOT, RNOT; + vpsrldq $8, RNOT, RNOT; /* ab: -1:0 ; cd: -1:0 */ + vpaddq RNOT, RNOT, RTMP2; /* ab: -2:0 ; cd: -2:0 */ + + /* load IV and byteswap */ + vmovdqu (%rcx), RTMP4x; + vpshufb RTMP3x, RTMP4x, RTMP4x; + vmovdqa RTMP4x, RTMP0x; + inc_le128(RTMP4x, RNOTx, RTMP1x); + vinserti128 $1, RTMP4x, RTMP0, RTMP0; + vpshufb RTMP3, RTMP0, RA0; /* +1 ; +0 */ + + /* check need for handling 64-bit overflow and carry */ + cmpq $(0xffffffffffffffff - 16), %rax; + ja .Lhandle_ctr_carry; + + /* construct IVs */ + vpsubq RTMP2, RTMP0, RTMP0; /* +3 ; +2 */ + vpshufb RTMP3, RTMP0, RB0; + vpsubq RTMP2, RTMP0, RTMP0; /* +5 ; +4 */ + vpshufb RTMP3, RTMP0, RC0; + vpsubq RTMP2, RTMP0, RTMP0; /* +7 ; +6 */ + vpshufb RTMP3, RTMP0, RD0; + vpsubq RTMP2, RTMP0, RTMP0; /* +9 ; +8 */ + vpshufb RTMP3, RTMP0, RA1; + vpsubq RTMP2, RTMP0, RTMP0; /* +11 ; +10 */ + vpshufb RTMP3, RTMP0, RB1; + vpsubq RTMP2, RTMP0, RTMP0; /* +13 ; +12 */ + vpshufb RTMP3, RTMP0, RC1; + vpsubq RTMP2, RTMP0, RTMP0; /* +15 ; +14 */ + vpshufb RTMP3, RTMP0, RD1; + vpsubq RTMP2, RTMP0, RTMP0; /* +16 */ + vpshufb RTMP3x, RTMP0x, RTMP0x; + + jmp .Lctr_carry_done; + +.Lhandle_ctr_carry: + /* construct IVs */ + inc_le128(RTMP0, RNOT, RTMP1); + inc_le128(RTMP0, RNOT, RTMP1); + vpshufb RTMP3, RTMP0, RB0; /* +3 ; +2 */ + inc_le128(RTMP0, RNOT, RTMP1); + inc_le128(RTMP0, RNOT, RTMP1); + vpshufb RTMP3, RTMP0, RC0; /* +5 ; +4 */ + inc_le128(RTMP0, RNOT, RTMP1); + inc_le128(RTMP0, RNOT, RTMP1); + vpshufb RTMP3, RTMP0, RD0; /* +7 ; +6 */ + inc_le128(RTMP0, RNOT, RTMP1); + inc_le128(RTMP0, RNOT, RTMP1); + vpshufb RTMP3, RTMP0, RA1; /* +9 ; +8 */ + inc_le128(RTMP0, RNOT, RTMP1); + inc_le128(RTMP0, RNOT, RTMP1); + vpshufb RTMP3, RTMP0, RB1; /* +11 ; +10 */ + inc_le128(RTMP0, RNOT, RTMP1); + inc_le128(RTMP0, RNOT, RTMP1); + vpshufb RTMP3, RTMP0, RC1; /* +13 ; +12 */ + inc_le128(RTMP0, RNOT, RTMP1); + inc_le128(RTMP0, RNOT, RTMP1); + vpshufb RTMP3, RTMP0, RD1; /* +15 ; +14 */ + inc_le128(RTMP0, RNOT, RTMP1); + vextracti128 $1, RTMP0, RTMP0x; + vpshufb RTMP3x, RTMP0x, RTMP0x; /* +16 */ + +.align 4 +.Lctr_carry_done: + /* store new IV */ + vmovdqu RTMP0x, (%rcx); + + call __twofish_enc_blk16; + + vpxor (0 * 32)(%rdx), RA0, RA0; + vpxor (1 * 32)(%rdx), RB0, RB0; + vpxor (2 * 32)(%rdx), RC0, RC0; + vpxor (3 * 32)(%rdx), RD0, RD0; + vpxor (4 * 32)(%rdx), RA1, RA1; + vpxor (5 * 32)(%rdx), RB1, RB1; + vpxor (6 * 32)(%rdx), RC1, RC1; + vpxor (7 * 32)(%rdx), RD1, RD1; + + vmovdqu RA0, (0 * 32)(%rsi); + vmovdqu RB0, (1 * 32)(%rsi); + vmovdqu RC0, (2 * 32)(%rsi); + vmovdqu RD0, (3 * 32)(%rsi); + vmovdqu RA1, (4 * 32)(%rsi); + vmovdqu RB1, (5 * 32)(%rsi); + vmovdqu RC1, (6 * 32)(%rsi); + vmovdqu RD1, (7 * 32)(%rsi); + + vzeroall; + + ret +ELF(.size _gcry_twofish_avx2_ctr_enc,.-_gcry_twofish_avx2_ctr_enc;) + +.align 8 +.globl _gcry_twofish_avx2_cbc_dec +ELF(.type _gcry_twofish_avx2_cbc_dec,@function;) +_gcry_twofish_avx2_cbc_dec: + /* input: + * %rdi: ctx, CTX + * %rsi: dst (16 blocks) + * %rdx: src (16 blocks) + * %rcx: iv + */ + + vzeroupper; + + vmovdqu (0 * 32)(%rdx), RA0; + vmovdqu (1 * 32)(%rdx), RB0; + vmovdqu (2 * 32)(%rdx), RC0; + vmovdqu (3 * 32)(%rdx), RD0; + vmovdqu (4 * 32)(%rdx), RA1; + vmovdqu (5 * 32)(%rdx), RB1; + vmovdqu (6 * 32)(%rdx), RC1; + vmovdqu (7 * 32)(%rdx), RD1; + + call __twofish_dec_blk16; + + vmovdqu (%rcx), RNOTx; + vinserti128 $1, (%rdx), RNOT, RNOT; + vpxor RNOT, RA0, RA0; + vpxor (0 * 32 + 16)(%rdx), RB0, RB0; + vpxor (1 * 32 + 16)(%rdx), RC0, RC0; + vpxor (2 * 32 + 16)(%rdx), RD0, RD0; + vpxor (3 * 32 + 16)(%rdx), RA1, RA1; + vpxor (4 * 32 + 16)(%rdx), RB1, RB1; + vpxor (5 * 32 + 16)(%rdx), RC1, RC1; + vpxor (6 * 32 + 16)(%rdx), RD1, RD1; + vmovdqu (7 * 32 + 16)(%rdx), RNOTx; + vmovdqu RNOTx, (%rcx); /* store new IV */ + + vmovdqu RA0, (0 * 32)(%rsi); + vmovdqu RB0, (1 * 32)(%rsi); + vmovdqu RC0, (2 * 32)(%rsi); + vmovdqu RD0, (3 * 32)(%rsi); + vmovdqu RA1, (4 * 32)(%rsi); + vmovdqu RB1, (5 * 32)(%rsi); + vmovdqu RC1, (6 * 32)(%rsi); + vmovdqu RD1, (7 * 32)(%rsi); + + vzeroall; + + ret +ELF(.size _gcry_twofish_avx2_cbc_dec,.-_gcry_twofish_avx2_cbc_dec;) + +.align 8 +.globl _gcry_twofish_avx2_cfb_dec +ELF(.type _gcry_twofish_avx2_cfb_dec,@function;) +_gcry_twofish_avx2_cfb_dec: + /* input: + * %rdi: ctx, CTX + * %rsi: dst (16 blocks) + * %rdx: src (16 blocks) + * %rcx: iv + */ + + vzeroupper; + + /* Load input */ + vmovdqu (%rcx), RNOTx; + vinserti128 $1, (%rdx), RNOT, RA0; + vmovdqu (0 * 32 + 16)(%rdx), RB0; + vmovdqu (1 * 32 + 16)(%rdx), RC0; + vmovdqu (2 * 32 + 16)(%rdx), RD0; + vmovdqu (3 * 32 + 16)(%rdx), RA1; + vmovdqu (4 * 32 + 16)(%rdx), RB1; + vmovdqu (5 * 32 + 16)(%rdx), RC1; + vmovdqu (6 * 32 + 16)(%rdx), RD1; + + /* Update IV */ + vmovdqu (7 * 32 + 16)(%rdx), RNOTx; + vmovdqu RNOTx, (%rcx); + + call __twofish_enc_blk16; + + vpxor (0 * 32)(%rdx), RA0, RA0; + vpxor (1 * 32)(%rdx), RB0, RB0; + vpxor (2 * 32)(%rdx), RC0, RC0; + vpxor (3 * 32)(%rdx), RD0, RD0; + vpxor (4 * 32)(%rdx), RA1, RA1; + vpxor (5 * 32)(%rdx), RB1, RB1; + vpxor (6 * 32)(%rdx), RC1, RC1; + vpxor (7 * 32)(%rdx), RD1, RD1; + + vmovdqu RA0, (0 * 32)(%rsi); + vmovdqu RB0, (1 * 32)(%rsi); + vmovdqu RC0, (2 * 32)(%rsi); + vmovdqu RD0, (3 * 32)(%rsi); + vmovdqu RA1, (4 * 32)(%rsi); + vmovdqu RB1, (5 * 32)(%rsi); + vmovdqu RC1, (6 * 32)(%rsi); + vmovdqu RD1, (7 * 32)(%rsi); + + vzeroall; + + ret +ELF(.size _gcry_twofish_avx2_cfb_dec,.-_gcry_twofish_avx2_cfb_dec;) + +.align 8 +.globl _gcry_twofish_avx2_ocb_enc +ELF(.type _gcry_twofish_avx2_ocb_enc,@function;) + +_gcry_twofish_avx2_ocb_enc: + /* input: + * %rdi: ctx, CTX + * %rsi: dst (16 blocks) + * %rdx: src (16 blocks) + * %rcx: offset + * %r8 : checksum + * %r9 : L pointers (void *L[16]) + */ + + vzeroupper; + + subq $(4 * 8), %rsp; + + movq %r10, (0 * 8)(%rsp); + movq %r11, (1 * 8)(%rsp); + movq %r12, (2 * 8)(%rsp); + movq %r13, (3 * 8)(%rsp); + + vmovdqu (%rcx), RTMP0x; + vmovdqu (%r8), RTMP1x; + + /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ + /* Checksum_i = Checksum_{i-1} xor P_i */ + /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ + +#define OCB_INPUT(n, l0reg, l1reg, yreg) \ + vmovdqu (n * 32)(%rdx), yreg; \ + vpxor (l0reg), RTMP0x, RNOTx; \ + vpxor (l1reg), RNOTx, RTMP0x; \ + vinserti128 $1, RTMP0x, RNOT, RNOT; \ + vpxor yreg, RTMP1, RTMP1; \ + vpxor yreg, RNOT, yreg; \ + vmovdqu RNOT, (n * 32)(%rsi); + + movq (0 * 8)(%r9), %r10; + movq (1 * 8)(%r9), %r11; + movq (2 * 8)(%r9), %r12; + movq (3 * 8)(%r9), %r13; + OCB_INPUT(0, %r10, %r11, RA0); + OCB_INPUT(1, %r12, %r13, RB0); + movq (4 * 8)(%r9), %r10; + movq (5 * 8)(%r9), %r11; + movq (6 * 8)(%r9), %r12; + movq (7 * 8)(%r9), %r13; + OCB_INPUT(2, %r10, %r11, RC0); + OCB_INPUT(3, %r12, %r13, RD0); + movq (8 * 8)(%r9), %r10; + movq (9 * 8)(%r9), %r11; + movq (10 * 8)(%r9), %r12; + movq (11 * 8)(%r9), %r13; + OCB_INPUT(4, %r10, %r11, RA1); + OCB_INPUT(5, %r12, %r13, RB1); + movq (12 * 8)(%r9), %r10; + movq (13 * 8)(%r9), %r11; + movq (14 * 8)(%r9), %r12; + movq (15 * 8)(%r9), %r13; + OCB_INPUT(6, %r10, %r11, RC1); + OCB_INPUT(7, %r12, %r13, RD1); +#undef OCB_INPUT + + vextracti128 $1, RTMP1, RNOTx; + vmovdqu RTMP0x, (%rcx); + vpxor RNOTx, RTMP1x, RTMP1x; + vmovdqu RTMP1x, (%r8); + + movq (0 * 8)(%rsp), %r10; + movq (1 * 8)(%rsp), %r11; + movq (2 * 8)(%rsp), %r12; + movq (3 * 8)(%rsp), %r13; + + call __twofish_enc_blk16; + + addq $(4 * 8), %rsp; + + vpxor (0 * 32)(%rsi), RA0, RA0; + vpxor (1 * 32)(%rsi), RB0, RB0; + vpxor (2 * 32)(%rsi), RC0, RC0; + vpxor (3 * 32)(%rsi), RD0, RD0; + vpxor (4 * 32)(%rsi), RA1, RA1; + vpxor (5 * 32)(%rsi), RB1, RB1; + vpxor (6 * 32)(%rsi), RC1, RC1; + vpxor (7 * 32)(%rsi), RD1, RD1; + + vmovdqu RA0, (0 * 32)(%rsi); + vmovdqu RB0, (1 * 32)(%rsi); + vmovdqu RC0, (2 * 32)(%rsi); + vmovdqu RD0, (3 * 32)(%rsi); + vmovdqu RA1, (4 * 32)(%rsi); + vmovdqu RB1, (5 * 32)(%rsi); + vmovdqu RC1, (6 * 32)(%rsi); + vmovdqu RD1, (7 * 32)(%rsi); + + vzeroall; + + ret; +ELF(.size _gcry_twofish_avx2_ocb_enc,.-_gcry_twofish_avx2_ocb_enc;) + +.align 8 +.globl _gcry_twofish_avx2_ocb_dec +ELF(.type _gcry_twofish_avx2_ocb_dec,@function;) + +_gcry_twofish_avx2_ocb_dec: + /* input: + * %rdi: ctx, CTX + * %rsi: dst (16 blocks) + * %rdx: src (16 blocks) + * %rcx: offset + * %r8 : checksum + * %r9 : L pointers (void *L[16]) + */ + + vzeroupper; + + subq $(4 * 8), %rsp; + + movq %r10, (0 * 8)(%rsp); + movq %r11, (1 * 8)(%rsp); + movq %r12, (2 * 8)(%rsp); + movq %r13, (3 * 8)(%rsp); + + vmovdqu (%rcx), RTMP0x; + + /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ + /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ + +#define OCB_INPUT(n, l0reg, l1reg, yreg) \ + vmovdqu (n * 32)(%rdx), yreg; \ + vpxor (l0reg), RTMP0x, RNOTx; \ + vpxor (l1reg), RNOTx, RTMP0x; \ + vinserti128 $1, RTMP0x, RNOT, RNOT; \ + vpxor yreg, RNOT, yreg; \ + vmovdqu RNOT, (n * 32)(%rsi); + + movq (0 * 8)(%r9), %r10; + movq (1 * 8)(%r9), %r11; + movq (2 * 8)(%r9), %r12; + movq (3 * 8)(%r9), %r13; + OCB_INPUT(0, %r10, %r11, RA0); + OCB_INPUT(1, %r12, %r13, RB0); + movq (4 * 8)(%r9), %r10; + movq (5 * 8)(%r9), %r11; + movq (6 * 8)(%r9), %r12; + movq (7 * 8)(%r9), %r13; + OCB_INPUT(2, %r10, %r11, RC0); + OCB_INPUT(3, %r12, %r13, RD0); + movq (8 * 8)(%r9), %r10; + movq (9 * 8)(%r9), %r11; + movq (10 * 8)(%r9), %r12; + movq (11 * 8)(%r9), %r13; + OCB_INPUT(4, %r10, %r11, RA1); + OCB_INPUT(5, %r12, %r13, RB1); + movq (12 * 8)(%r9), %r10; + movq (13 * 8)(%r9), %r11; + movq (14 * 8)(%r9), %r12; + movq (15 * 8)(%r9), %r13; + OCB_INPUT(6, %r10, %r11, RC1); + OCB_INPUT(7, %r12, %r13, RD1); +#undef OCB_INPUT + + vmovdqu RTMP0x, (%rcx); + mov %r8, %rcx + + movq (0 * 8)(%rsp), %r10; + movq (1 * 8)(%rsp), %r11; + movq (2 * 8)(%rsp), %r12; + movq (3 * 8)(%rsp), %r13; + + call __twofish_dec_blk16; + + vmovdqu (%rcx), RTMP1x; + + vpxor (0 * 32)(%rsi), RA0, RA0; + vpxor (1 * 32)(%rsi), RB0, RB0; + vpxor (2 * 32)(%rsi), RC0, RC0; + vpxor (3 * 32)(%rsi), RD0, RD0; + vpxor (4 * 32)(%rsi), RA1, RA1; + vpxor (5 * 32)(%rsi), RB1, RB1; + vpxor (6 * 32)(%rsi), RC1, RC1; + vpxor (7 * 32)(%rsi), RD1, RD1; + + addq $(4 * 8), %rsp; + + /* Checksum_i = Checksum_{i-1} xor P_i */ + + vmovdqu RA0, (0 * 32)(%rsi); + vpxor RA0, RTMP1, RTMP1; + vmovdqu RB0, (1 * 32)(%rsi); + vpxor RB0, RTMP1, RTMP1; + vmovdqu RC0, (2 * 32)(%rsi); + vpxor RC0, RTMP1, RTMP1; + vmovdqu RD0, (3 * 32)(%rsi); + vpxor RD0, RTMP1, RTMP1; + vmovdqu RA1, (4 * 32)(%rsi); + vpxor RA1, RTMP1, RTMP1; + vmovdqu RB1, (5 * 32)(%rsi); + vpxor RB1, RTMP1, RTMP1; + vmovdqu RC1, (6 * 32)(%rsi); + vpxor RC1, RTMP1, RTMP1; + vmovdqu RD1, (7 * 32)(%rsi); + vpxor RD1, RTMP1, RTMP1; + + vextracti128 $1, RTMP1, RNOTx; + vpxor RNOTx, RTMP1x, RTMP1x; + vmovdqu RTMP1x, (%rcx); + + vzeroall; + + ret; +ELF(.size _gcry_twofish_avx2_ocb_dec,.-_gcry_twofish_avx2_ocb_dec;) + +.align 8 +.globl _gcry_twofish_avx2_ocb_auth +ELF(.type _gcry_twofish_avx2_ocb_auth,@function;) + +_gcry_twofish_avx2_ocb_auth: + /* input: + * %rdi: ctx, CTX + * %rsi: abuf (16 blocks) + * %rdx: offset + * %rcx: checksum + * %r8 : L pointers (void *L[16]) + */ + + vzeroupper; + + subq $(4 * 8), %rsp; + + movq %r10, (0 * 8)(%rsp); + movq %r11, (1 * 8)(%rsp); + movq %r12, (2 * 8)(%rsp); + movq %r13, (3 * 8)(%rsp); + + vmovdqu (%rdx), RTMP0x; + + /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ + /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ + +#define OCB_INPUT(n, l0reg, l1reg, yreg) \ + vmovdqu (n * 32)(%rsi), yreg; \ + vpxor (l0reg), RTMP0x, RNOTx; \ + vpxor (l1reg), RNOTx, RTMP0x; \ + vinserti128 $1, RTMP0x, RNOT, RNOT; \ + vpxor yreg, RNOT, yreg; + + movq (0 * 8)(%r8), %r10; + movq (1 * 8)(%r8), %r11; + movq (2 * 8)(%r8), %r12; + movq (3 * 8)(%r8), %r13; + OCB_INPUT(0, %r10, %r11, RA0); + OCB_INPUT(1, %r12, %r13, RB0); + movq (4 * 8)(%r8), %r10; + movq (5 * 8)(%r8), %r11; + movq (6 * 8)(%r8), %r12; + movq (7 * 8)(%r8), %r13; + OCB_INPUT(2, %r10, %r11, RC0); + OCB_INPUT(3, %r12, %r13, RD0); + movq (8 * 8)(%r8), %r10; + movq (9 * 8)(%r8), %r11; + movq (10 * 8)(%r8), %r12; + movq (11 * 8)(%r8), %r13; + OCB_INPUT(4, %r10, %r11, RA1); + OCB_INPUT(5, %r12, %r13, RB1); + movq (12 * 8)(%r8), %r10; + movq (13 * 8)(%r8), %r11; + movq (14 * 8)(%r8), %r12; + movq (15 * 8)(%r8), %r13; + OCB_INPUT(6, %r10, %r11, RC1); + OCB_INPUT(7, %r12, %r13, RD1); +#undef OCB_INPUT + + vmovdqu RTMP0x, (%rdx); + + movq (0 * 8)(%rsp), %r10; + movq (1 * 8)(%rsp), %r11; + movq (2 * 8)(%rsp), %r12; + movq (3 * 8)(%rsp), %r13; + + call __twofish_enc_blk16; + + vpxor RA0, RB0, RA0; + vpxor RC0, RD0, RC0; + vpxor RA1, RB1, RA1; + vpxor RC1, RD1, RC1; + + vpxor RA0, RC0, RA0; + vpxor RA1, RC1, RA1; + + addq $(4 * 8), %rsp; + + vpxor RA1, RA0, RTMP1; + + vextracti128 $1, RTMP1, RNOTx; + vpxor (%rcx), RTMP1x, RTMP1x; + vpxor RNOTx, RTMP1x, RTMP1x; + vmovdqu RTMP1x, (%rcx); + + vzeroall; + + ret; +ELF(.size _gcry_twofish_avx2_ocb_auth,.-_gcry_twofish_avx2_ocb_auth;) + +.align 16 + +/* For CTR-mode IV byteswap */ + _gcry_twofish_bswap128_mask: +.Lbswap128_mask: + .byte 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 +ELF(.size _gcry_twofish_bswap128_mask,.-_gcry_twofish_bswap128_mask;) + +#endif /*defined(USE_TWOFISH) && defined(ENABLE_AVX2_SUPPORT)*/ +#endif /*__x86_64*/ diff --git a/cipher/twofish.c b/cipher/twofish.c index 7a4d26a..942e8d4 100644 --- a/cipher/twofish.c +++ b/cipher/twofish.c @@ -72,6 +72,15 @@ # endif # endif +/* USE_AVX2 indicates whether to compile with AMD64 AVX2 code. */ +#undef USE_AVX2 +#if defined(__x86_64__) && (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ + defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) +# if defined(ENABLE_AVX2_SUPPORT) +# define USE_AVX2 1 +# endif +#endif + /* Prototype for the self-test function. */ static const char *selftest(void); @@ -82,8 +91,25 @@ static const char *selftest(void); * that k[i] corresponds to what the Twofish paper calls K[i+8]. */ typedef struct { u32 s[4][256], w[8], k[32]; + +#ifdef USE_AVX2 + int use_avx2; +#endif } TWOFISH_context; + +/* Assembly implementations use SystemV ABI, ABI conversion and additional + * stack to store XMM6-XMM15 needed on Win64. */ +#undef ASM_FUNC_ABI +#if defined(USE_AVX2) +# ifdef HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS +# define ASM_FUNC_ABI __attribute__((sysv_abi)) +# else +# define ASM_FUNC_ABI +# endif +#endif + + /* These two tables are the q0 and q1 permutations, exactly as described in * the Twofish paper. */ @@ -711,12 +737,66 @@ static gcry_err_code_t twofish_setkey (void *context, const byte *key, unsigned int keylen) { TWOFISH_context *ctx = context; - int rc = do_twofish_setkey (ctx, key, keylen); + unsigned int hwfeatures = _gcry_get_hw_features (); + int rc; + + rc = do_twofish_setkey (ctx, key, keylen); + +#ifdef USE_AVX2 + ctx->use_avx2 = 0; + if ((hwfeatures & HWF_INTEL_AVX2) && (hwfeatures & HWF_INTEL_FAST_VPGATHER)) + { + ctx->use_avx2 = 1; + } +#endif + + (void)hwfeatures; + _gcry_burn_stack (23+6*sizeof(void*)); return rc; } +#ifdef USE_AVX2 +/* Assembler implementations of Twofish using AVX2. Process 16 block in + parallel. + */ +extern void _gcry_twofish_avx2_ctr_enc(const TWOFISH_context *ctx, + unsigned char *out, + const unsigned char *in, + unsigned char *ctr) ASM_FUNC_ABI; + +extern void _gcry_twofish_avx2_cbc_dec(const TWOFISH_context *ctx, + unsigned char *out, + const unsigned char *in, + unsigned char *iv) ASM_FUNC_ABI; + +extern void _gcry_twofish_avx2_cfb_dec(const TWOFISH_context *ctx, + unsigned char *out, + const unsigned char *in, + unsigned char *iv) ASM_FUNC_ABI; + +extern void _gcry_twofish_avx2_ocb_enc(const TWOFISH_context *ctx, + unsigned char *out, + const unsigned char *in, + unsigned char *offset, + unsigned char *checksum, + const u64 Ls[16]) ASM_FUNC_ABI; + +extern void _gcry_twofish_avx2_ocb_dec(const TWOFISH_context *ctx, + unsigned char *out, + const unsigned char *in, + unsigned char *offset, + unsigned char *checksum, + const u64 Ls[16]) ASM_FUNC_ABI; + +extern void _gcry_twofish_avx2_ocb_auth(const TWOFISH_context *ctx, + const unsigned char *abuf, + unsigned char *offset, + unsigned char *checksum, + const u64 Ls[16]) ASM_FUNC_ABI; +#endif + #ifdef USE_AMD64_ASM @@ -1111,6 +1191,31 @@ _gcry_twofish_ctr_enc(void *context, unsigned char *ctr, void *outbuf_arg, unsigned int burn, burn_stack_depth = 0; int i; +#ifdef USE_AVX2 + if (ctx->use_avx2) + { + int did_use_avx2 = 0; + + /* Process data in 16 block chunks. */ + while (nblocks >= 16) + { + _gcry_twofish_avx2_ctr_enc(ctx, outbuf, inbuf, ctr); + + nblocks -= 16; + outbuf += 16 * TWOFISH_BLOCKSIZE; + inbuf += 16 * TWOFISH_BLOCKSIZE; + did_use_avx2 = 1; + } + + if (did_use_avx2) + { + /* twofish-avx2 assembly code does not use stack */ + if (nblocks == 0) + burn_stack_depth = 0; + } + } +#endif + #ifdef USE_AMD64_ASM { /* Process data in 3 block chunks. */ @@ -1169,6 +1274,31 @@ _gcry_twofish_cbc_dec(void *context, unsigned char *iv, void *outbuf_arg, unsigned char savebuf[TWOFISH_BLOCKSIZE]; unsigned int burn, burn_stack_depth = 0; +#ifdef USE_AVX2 + if (ctx->use_avx2) + { + int did_use_avx2 = 0; + + /* Process data in 16 block chunks. */ + while (nblocks >= 16) + { + _gcry_twofish_avx2_cbc_dec(ctx, outbuf, inbuf, iv); + + nblocks -= 16; + outbuf += 16 * TWOFISH_BLOCKSIZE; + inbuf += 16 * TWOFISH_BLOCKSIZE; + did_use_avx2 = 1; + } + + if (did_use_avx2) + { + /* twofish-avx2 assembly code does not use stack */ + if (nblocks == 0) + burn_stack_depth = 0; + } + } +#endif + #ifdef USE_AMD64_ASM { /* Process data in 3 block chunks. */ @@ -1218,6 +1348,31 @@ _gcry_twofish_cfb_dec(void *context, unsigned char *iv, void *outbuf_arg, const unsigned char *inbuf = inbuf_arg; unsigned int burn, burn_stack_depth = 0; +#ifdef USE_AVX2 + if (ctx->use_avx2) + { + int did_use_avx2 = 0; + + /* Process data in 16 block chunks. */ + while (nblocks >= 16) + { + _gcry_twofish_avx2_cfb_dec(ctx, outbuf, inbuf, iv); + + nblocks -= 16; + outbuf += 16 * TWOFISH_BLOCKSIZE; + inbuf += 16 * TWOFISH_BLOCKSIZE; + did_use_avx2 = 1; + } + + if (did_use_avx2) + { + /* twofish-avx2 assembly code does not use stack */ + if (nblocks == 0) + burn_stack_depth = 0; + } + } +#endif + #ifdef USE_AMD64_ASM { /* Process data in 3 block chunks. */ @@ -1261,10 +1416,65 @@ _gcry_twofish_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, TWOFISH_context *ctx = (void *)&c->context.c; unsigned char *outbuf = outbuf_arg; const unsigned char *inbuf = inbuf_arg; - unsigned char l_tmp[TWOFISH_BLOCKSIZE]; unsigned int burn, burn_stack_depth = 0; u64 blkn = c->u_mode.ocb.data_nblocks; +#ifdef USE_AVX2 + if (ctx->use_avx2) + { + int did_use_avx2 = 0; + u64 Ls[16]; + unsigned int n = 16 - (blkn % 16); + u64 *l; + int i; + + if (nblocks >= 16) + { + for (i = 0; i < 16; i += 8) + { + /* Use u64 to store pointers for x32 support (assembly function + * assumes 64-bit pointers). */ + Ls[(i + 0 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[0]; + Ls[(i + 1 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[1]; + Ls[(i + 2 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[0]; + Ls[(i + 3 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[2]; + Ls[(i + 4 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[0]; + Ls[(i + 5 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[1]; + Ls[(i + 6 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[0]; + } + + Ls[(7 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[3]; + l = &Ls[(15 + n) % 16]; + + /* Process data in 16 block chunks. */ + while (nblocks >= 16) + { + blkn += 16; + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 16); + + if (encrypt) + _gcry_twofish_avx2_ocb_enc(ctx, outbuf, inbuf, c->u_iv.iv, + c->u_ctr.ctr, Ls); + else + _gcry_twofish_avx2_ocb_dec(ctx, outbuf, inbuf, c->u_iv.iv, + c->u_ctr.ctr, Ls); + + nblocks -= 16; + outbuf += 16 * TWOFISH_BLOCKSIZE; + inbuf += 16 * TWOFISH_BLOCKSIZE; + did_use_avx2 = 1; + } + } + + if (did_use_avx2) + { + /* twofish-avx2 assembly code does not use stack */ + if (nblocks == 0) + burn_stack_depth = 0; + } + } +#endif + { /* Use u64 to store pointers for x32 support (assembly function * assumes 64-bit pointers). */ @@ -1273,10 +1483,9 @@ _gcry_twofish_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, /* Process data in 3 block chunks. */ while (nblocks >= 3) { - /* l_tmp will be used only every 65536-th block. */ - Ls[0] = (uintptr_t)(const void *)ocb_get_l(c, l_tmp, blkn + 1); - Ls[1] = (uintptr_t)(const void *)ocb_get_l(c, l_tmp, blkn + 2); - Ls[2] = (uintptr_t)(const void *)ocb_get_l(c, l_tmp, blkn + 3); + Ls[0] = (uintptr_t)(const void *)ocb_get_l(c, blkn + 1); + Ls[1] = (uintptr_t)(const void *)ocb_get_l(c, blkn + 2); + Ls[2] = (uintptr_t)(const void *)ocb_get_l(c, blkn + 3); blkn += 3; if (encrypt) @@ -1300,8 +1509,6 @@ _gcry_twofish_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, c->u_mode.ocb.data_nblocks = blkn; - wipememory(&l_tmp, sizeof(l_tmp)); - if (burn_stack_depth) _gcry_burn_stack (burn_stack_depth + 4 * sizeof(void *)); #else @@ -1322,10 +1529,62 @@ _gcry_twofish_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, #ifdef USE_AMD64_ASM TWOFISH_context *ctx = (void *)&c->context.c; const unsigned char *abuf = abuf_arg; - unsigned char l_tmp[TWOFISH_BLOCKSIZE]; unsigned int burn, burn_stack_depth = 0; u64 blkn = c->u_mode.ocb.aad_nblocks; +#ifdef USE_AVX2 + if (ctx->use_avx2) + { + int did_use_avx2 = 0; + u64 Ls[16]; + unsigned int n = 16 - (blkn % 16); + u64 *l; + int i; + + if (nblocks >= 16) + { + for (i = 0; i < 16; i += 8) + { + /* Use u64 to store pointers for x32 support (assembly function + * assumes 64-bit pointers). */ + Ls[(i + 0 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[0]; + Ls[(i + 1 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[1]; + Ls[(i + 2 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[0]; + Ls[(i + 3 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[2]; + Ls[(i + 4 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[0]; + Ls[(i + 5 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[1]; + Ls[(i + 6 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[0]; + } + + Ls[(7 + n) % 16] = (uintptr_t)(void *)c->u_mode.ocb.L[3]; + l = &Ls[(15 + n) % 16]; + + /* Process data in 16 block chunks. */ + while (nblocks >= 16) + { + blkn += 16; + *l = (uintptr_t)(void *)ocb_get_l(c, blkn - blkn % 16); + + _gcry_twofish_avx2_ocb_auth(ctx, abuf, c->u_mode.ocb.aad_offset, + c->u_mode.ocb.aad_sum, Ls); + + nblocks -= 16; + abuf += 16 * TWOFISH_BLOCKSIZE; + did_use_avx2 = 1; + } + } + + if (did_use_avx2) + { + /* twofish-avx2 assembly code does not use stack */ + if (nblocks == 0) + burn_stack_depth = 0; + } + + /* Use generic code to handle smaller chunks... */ + } +#endif + { /* Use u64 to store pointers for x32 support (assembly function * assumes 64-bit pointers). */ @@ -1334,10 +1593,9 @@ _gcry_twofish_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, /* Process data in 3 block chunks. */ while (nblocks >= 3) { - /* l_tmp will be used only every 65536-th block. */ - Ls[0] = (uintptr_t)(const void *)ocb_get_l(c, l_tmp, blkn + 1); - Ls[1] = (uintptr_t)(const void *)ocb_get_l(c, l_tmp, blkn + 2); - Ls[2] = (uintptr_t)(const void *)ocb_get_l(c, l_tmp, blkn + 3); + Ls[0] = (uintptr_t)(const void *)ocb_get_l(c, blkn + 1); + Ls[1] = (uintptr_t)(const void *)ocb_get_l(c, blkn + 2); + Ls[2] = (uintptr_t)(const void *)ocb_get_l(c, blkn + 3); blkn += 3; twofish_amd64_ocb_auth(ctx, abuf, c->u_mode.ocb.aad_offset, @@ -1356,8 +1614,6 @@ _gcry_twofish_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, c->u_mode.ocb.aad_nblocks = blkn; - wipememory(&l_tmp, sizeof(l_tmp)); - if (burn_stack_depth) _gcry_burn_stack (burn_stack_depth + 4 * sizeof(void *)); #else @@ -1375,7 +1631,7 @@ _gcry_twofish_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, static const char * selftest_ctr (void) { - const int nblocks = 3+1; + const int nblocks = 16+1; const int blocksize = TWOFISH_BLOCKSIZE; const int context_size = sizeof(TWOFISH_context); @@ -1389,7 +1645,7 @@ selftest_ctr (void) static const char * selftest_cbc (void) { - const int nblocks = 3+2; + const int nblocks = 16+2; const int blocksize = TWOFISH_BLOCKSIZE; const int context_size = sizeof(TWOFISH_context); @@ -1403,7 +1659,7 @@ selftest_cbc (void) static const char * selftest_cfb (void) { - const int nblocks = 3+2; + const int nblocks = 16+2; const int blocksize = TWOFISH_BLOCKSIZE; const int context_size = sizeof(TWOFISH_context); diff --git a/compat/clock.c b/compat/clock.c index 7f250f3..2a2c205 100644 --- a/compat/clock.c +++ b/compat/clock.c @@ -23,7 +23,7 @@ clock_t _gcry_clock (void) { assert (CLOCKS_PER_SEC == 1000); -#warning Replace by a correct implementaion. +#warning Replace by a correct implementation. /* It seems that GetProcessTimes is available in the kernel but without a declaration. If that fails we would need to walk over all threads and tally up the GetThreadTimes. */ diff --git a/compat/compat.c b/compat/compat.c index 1bf0682..b835293 100644 --- a/compat/compat.c +++ b/compat/compat.c @@ -30,7 +30,7 @@ _gcry_compat_identification (void) static const char blurb[] = "\n\n" "This is Libgcrypt " PACKAGE_VERSION " - The GNU Crypto Library\n" - "Copyright (C) 2000-2016 Free Software Foundation, Inc.\n" + "Copyright (C) 2000-2017 Free Software Foundation, Inc.\n" "Copyright (C) 2012-2017 g10 Code GmbH\n" "Copyright (C) 2013-2017 Jussi Kivilinna\n" "\n" diff --git a/config.h.in b/config.h.in index 87409e6..24f9120 100644 --- a/config.h.in +++ b/config.h.in @@ -17,7 +17,7 @@ /* The time this package was configured for a build */ #undef BUILD_TIMESTAMP -/* configure did not test for endianess */ +/* configure did not test for endianness */ #undef DISABLED_ENDIAN_CHECK /* Define if you don't want the default EGD socket name. For details see @@ -42,6 +42,9 @@ /* Define to support an HMAC based integrity check */ #undef ENABLE_HMAC_BINARY_CHECK +/* Enable support for the jitter entropy collector. */ +#undef ENABLE_JENT_SUPPORT + /* Enable support for ARM NEON instructions. */ #undef ENABLE_NEON_SUPPORT @@ -159,6 +162,9 @@ /* Defined if a GCC style "__attribute__ ((aligned (n))" is supported */ #undef HAVE_GCC_ATTRIBUTE_ALIGNED +/* Defined if a GCC style "__attribute__ ((may_alias))" is supported */ +#undef HAVE_GCC_ATTRIBUTE_MAY_ALIAS + /* Defined if compiler supports "__attribute__ ((ms_abi))" function attribute */ #undef HAVE_GCC_ATTRIBUTE_MS_ABI @@ -438,6 +444,9 @@ /* Defined if this module should be included */ #undef USE_ARCFOUR +/* Defined if this module should be included */ +#undef USE_BLAKE2 + /* Defined if this module should be included */ #undef USE_BLOWFISH @@ -595,6 +604,9 @@ # endif #endif +/* Expose all libc features (__DARWIN_C_FULL). */ +#undef _DARWIN_C_SOURCE + /* Define to 1 if on MINIX. */ #undef _MINIX diff --git a/configure b/configure index d14596e..895df42 100755 --- a/configure +++ b/configure @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libgcrypt 1.7.7. +# Generated by GNU Autoconf 2.69 for libgcrypt 1.8.1. # # Report bugs to . # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libgcrypt' PACKAGE_TARNAME='libgcrypt' -PACKAGE_VERSION='1.7.7' -PACKAGE_STRING='libgcrypt 1.7.7' +PACKAGE_VERSION='1.8.1' +PACKAGE_STRING='libgcrypt 1.8.1' PACKAGE_BUGREPORT='http://bugs.gnupg.org' PACKAGE_URL='' @@ -878,6 +878,7 @@ enable_m_guard enable_large_data_tests with_capabilities enable_hmac_binary_check +enable_jent_support enable_padlock_support enable_aesni_support enable_pclmul_support @@ -1452,7 +1453,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libgcrypt 1.7.7 to adapt to many kinds of systems. +\`configure' configures libgcrypt 1.8.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1522,7 +1523,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libgcrypt 1.7.7:";; + short | recursive ) echo "Configuration of libgcrypt 1.8.1:";; esac cat <<\_ACEOF @@ -1562,6 +1563,7 @@ Optional Features: Enable the real long ruinning large data tests --enable-hmac-binary-check Enable library integrity check + --disable-jent-support Disable support for the Jitter entropy collector --disable-padlock-support Disable support for the PadLock Engine of VIA processors @@ -1690,7 +1692,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libgcrypt configure 1.7.7 +libgcrypt configure 1.8.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2342,7 +2344,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libgcrypt $as_me 1.7.7, which was +It was created by libgcrypt $as_me 1.8.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2695,9 +2697,9 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu # (Interfaces removed: CURRENT++, AGE=0, REVISION=0) # (Interfaces added: CURRENT++, AGE++, REVISION=0) # (No interfaces changed: REVISION++) -LIBGCRYPT_LT_CURRENT=21 -LIBGCRYPT_LT_AGE=1 -LIBGCRYPT_LT_REVISION=7 +LIBGCRYPT_LT_CURRENT=22 +LIBGCRYPT_LT_AGE=2 +LIBGCRYPT_LT_REVISION=1 # If the API is changed in an incompatible way: increment the next counter. @@ -2708,7 +2710,7 @@ LIBGCRYPT_CONFIG_API_VERSION=1 # If you change the required gpg-error version, please remove # unnecessary error code defines in src/gcrypt-int.h. -NEED_GPG_ERROR_VERSION=1.13 +NEED_GPG_ERROR_VERSION=1.25 PACKAGE=$PACKAGE_NAME VERSION=$PACKAGE_VERSION @@ -3229,7 +3231,7 @@ fi # Define the identity of the package. PACKAGE='libgcrypt' - VERSION='1.7.7' + VERSION='1.8.1' cat >>confdefs.h <<_ACEOF @@ -3484,7 +3486,7 @@ cat >>confdefs.h <<_ACEOF #define VERSION "$VERSION" _ACEOF -VERSION_NUMBER=0x010707 +VERSION_NUMBER=0x010801 @@ -12934,8 +12936,8 @@ available_pubkey_ciphers="dsa elgamal rsa ecc" enabled_pubkey_ciphers="" # Definitions for message digests. -available_digests="crc gostr3411-94 md2 md4 md5 rmd160 sha1 sha256" -available_digests="$available_digests sha512 sha3 tiger whirlpool stribog" +available_digests="crc gostr3411-94 md2 md4 md5 rmd160 sha1 sha256 sha512" +available_digests="$available_digests sha3 tiger whirlpool stribog blake2" enabled_digests="" # Definitions for kdfs (optional ones) @@ -12950,7 +12952,6 @@ auto_random_modules="$available_random_modules" LIBGCRYPT_THREAD_MODULES="" # Other definitions. -print_egd_notice=no have_w32_system=no have_w32ce_system=no have_pthread=no @@ -13012,6 +13013,11 @@ $as_echo "#define HAVE_DOSISH_SYSTEM 1" >>confdefs.h fi ;; m68k-atari-mint) + ;; + *-apple-darwin*) + +$as_echo "#define _DARWIN_C_SOURCE 900000L" >>confdefs.h + ;; *) ;; @@ -13936,6 +13942,19 @@ $as_echo "#define ENABLE_HMAC_BINARY_CHECK 1" >>confdefs.h fi +# Implementation of the --disable-jent-support switch. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether jitter entropy support is requested" >&5 +$as_echo_n "checking whether jitter entropy support is requested... " >&6; } +# Check whether --enable-jent-support was given. +if test "${enable_jent_support+set}" = set; then : + enableval=$enable_jent_support; jentsupport=$enableval +else + jentsupport=yes +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $jentsupport" >&5 +$as_echo "$jentsupport" >&6; } + # Implementation of the --disable-padlock-support switch. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether padlock support is requested" >&5 $as_echo_n "checking whether padlock support is requested... " >&6; } @@ -15592,6 +15611,12 @@ $as_echo "#define GCRY_USE_VISIBILITY 1" >>confdefs.h fi +# Following attribute tests depend on warnings to cause compile to fail, +# so set -Werror temporarily. +_gcc_cflags_save=$CFLAGS +CFLAGS="$CFLAGS -Werror" + + # # Check whether the compiler supports the GCC style aligned attribute # @@ -15651,6 +15676,38 @@ $as_echo "#define HAVE_GCC_ATTRIBUTE_PACKED 1" >>confdefs.h fi +# +# Check whether the compiler supports the GCC style may_alias attribute +# +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the GCC style may_alias attribute is supported" >&5 +$as_echo_n "checking whether the GCC style may_alias attribute is supported... " >&6; } +if ${gcry_cv_gcc_attribute_may_alias+:} false; then : + $as_echo_n "(cached) " >&6 +else + gcry_cv_gcc_attribute_may_alias=no + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +typedef struct foo_s { int a; } + __attribute__ ((may_alias)) foo_t; +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + gcry_cv_gcc_attribute_may_alias=yes +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcry_cv_gcc_attribute_may_alias" >&5 +$as_echo "$gcry_cv_gcc_attribute_may_alias" >&6; } +if test "$gcry_cv_gcc_attribute_may_alias" = "yes" ; then + +$as_echo "#define HAVE_GCC_ATTRIBUTE_MAY_ALIAS 1" >>confdefs.h + +fi + + +# Restore flags. +CFLAGS=$_gcc_cflags_save; + + # # Check whether the compiler supports 'asm' or '__asm__' keyword for # assembler blocks. @@ -16093,6 +16150,7 @@ if test "$mpi_cpu_arch" != "x86" ; then avxsupport="n/a" avx2support="n/a" padlocksupport="n/a" + jentsupport="n/a" drngsupport="n/a" fi @@ -16725,6 +16783,7 @@ else /* end confdefs.h. */ __asm__( ".syntax unified\n\t" + ".arch armv8-a\n\t" ".arm\n\t" ".fpu crypto-neon-fp-armv8\n\t" @@ -16779,7 +16838,7 @@ else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ __asm__( - ".arch armv8-a\n\t" + ".cpu generic+simd\n\t" "mov w0, \#42;\n\t" "dup v0.8b, w0;\n\t" "ld4 {v0.8b,v1.8b,v2.8b,v3.8b},[x0],\#32;\n\t" @@ -16816,7 +16875,11 @@ else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ __asm__( - ".arch armv8-a+crypto\n\t" + ".cpu generic+simd+crypto\n\t" + + "mov w0, \#42;\n\t" + "dup v0.8b, w0;\n\t" + "ld4 {v0.8b,v1.8b,v2.8b,v3.8b},[x0],\#32;\n\t" "sha1h s0, s0;\n\t" "sha1c q0, s0, v0.4s;\n\t" @@ -17190,7 +17253,7 @@ fi # -# Check wether it is necessary to link against libdl. +# Check whether it is necessary to link against libdl. # DL_LIBS="" if test "$use_hmac_binary_check" = yes ; then @@ -17658,6 +17721,11 @@ if test x"$armcryptosupport" = xyes ; then $as_echo "#define ENABLE_ARM_CRYPTO_SUPPORT 1" >>confdefs.h +fi +if test x"$jentsupport" = xyes ; then + +$as_echo "#define ENABLE_JENT_SUPPORT 1" >>confdefs.h + fi if test x"$padlocksupport" = xyes ; then @@ -17806,6 +17874,7 @@ $as_echo "#define USE_AES 1" >>confdefs.h # Build with the SSSE3 implementation GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-ssse3-amd64.lo" + GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-ssse3-amd64-asm.lo" ;; arm*-*-*) # Build with the assembly implementation @@ -17857,6 +17926,11 @@ $as_echo "#define USE_TWOFISH 1" >>confdefs.h x86_64-*-*) # Build with the assembly implementation GCRYPT_CIPHERS="$GCRYPT_CIPHERS twofish-amd64.lo" + + if test x"$avx2support" = xyes ; then + # Build with the AVX2 implementation + GCRYPT_CIPHERS="$GCRYPT_CIPHERS twofish-avx2-amd64.lo" + fi ;; arm*-*-*) # Build with the assembly implementation @@ -18459,6 +18533,24 @@ $as_echo "#define USE_WHIRLPOOL 1" >>confdefs.h esac fi + +name=blake2 +list=$enabled_digests +found=0 + +for n in $list; do + if test "x$name" = "x$n"; then + found=1 + fi +done + +if test "$found" = "1" ; then + GCRYPT_DIGESTS="$GCRYPT_DIGESTS blake2.lo" + +$as_echo "#define USE_BLAKE2 1" >>confdefs.h + +fi + # SHA-1 needs to be included always for example because it is used by # random-csprng.c. GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha1.lo" @@ -18536,7 +18628,6 @@ if test "$found" = "1" ; then $as_echo "#define USE_RNDUNIX 1" >>confdefs.h - print_egd_notice=yes fi @@ -18712,7 +18803,7 @@ fi # # Provide information about the build. # -BUILD_REVISION="d9cebf5" +BUILD_REVISION="80fd861" cat >>confdefs.h <<_ACEOF @@ -18721,7 +18812,7 @@ _ACEOF BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'` -BUILD_FILEVERSION="${BUILD_FILEVERSION}55758" +BUILD_FILEVERSION="${BUILD_FILEVERSION}33021" # Check whether --enable-build-timestamp was given. @@ -18748,6 +18839,8 @@ ac_config_files="$ac_config_files Makefile m4/Makefile compat/Makefile mpi/Makef ac_config_files="$ac_config_files tests/hashtest-256g" +ac_config_files="$ac_config_files tests/basic-disable-all-hwf" + cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure @@ -19387,7 +19480,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libgcrypt $as_me 1.7.7, which was +This file was extended by libgcrypt $as_me 1.8.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19457,7 +19550,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libgcrypt config.status 1.7.7 +libgcrypt config.status 1.8.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -19964,6 +20057,7 @@ do "src/versioninfo.rc") CONFIG_FILES="$CONFIG_FILES src/versioninfo.rc" ;; "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;; "tests/hashtest-256g") CONFIG_FILES="$CONFIG_FILES tests/hashtest-256g" ;; + "tests/basic-disable-all-hwf") CONFIG_FILES="$CONFIG_FILES tests/basic-disable-all-hwf" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac @@ -21460,6 +21554,7 @@ _LT_EOF chmod +x src/libgcrypt-config ;; "tests/hashtest-256g":F) chmod +x tests/hashtest-256g ;; + "tests/basic-disable-all-hwf":F) chmod +x tests/basic-disable-all-hwf ;; esac done # for ac_tag @@ -21607,6 +21702,9 @@ test -n "$detection_module" || detection_module="none" echo " Random number generator: $random" 1>&6 + echo " Try using jitter entropy: $jentsupport" 1>&6 + + echo " Using linux capabilities: $use_capabilities" 1>&6 @@ -21647,23 +21745,6 @@ cat <: Public-Key Subsystem Architecture. (line 50) +* XTS, XTS mode: Available cipher modes. + (line 74)  File: gcrypt.info, Node: Function and Data Index, Prev: Concept Index, Up: Top @@ -6948,8 +7087,9 @@ Function and Data Index * gcry_err_source: Error Values. (line 48) * gcry_err_source_t: Error Values. (line 13) * gcry_fips_mode_active: Controlling the library. - (line 251) + (line 252) * gcry_free: Memory allocation. (line 33) +* gcry_get_config: Config reporting. (line 10) * gcry_handler_alloc_t: Allocation handler. (line 10) * gcry_handler_error_t: Error handler. (line 25) * gcry_handler_free_t: Allocation handler. (line 19) @@ -6990,49 +7130,49 @@ Function and Data Index * gcry_malloc: Memory allocation. (line 6) * gcry_malloc_secure: Memory allocation. (line 12) * gcry_md_algo_name: Working with hash algorithms. - (line 225) + (line 227) * gcry_md_close: Working with hash algorithms. - (line 76) + (line 78) * gcry_md_copy: Working with hash algorithms. - (line 99) + (line 101) * gcry_md_debug: Working with hash algorithms. - (line 296) + (line 298) * gcry_md_enable: Working with hash algorithms. (line 57) * gcry_md_extract: Working with hash algorithms. - (line 165) + (line 167) * gcry_md_final: Working with hash algorithms. - (line 135) + (line 137) * gcry_md_get_algo: Working with hash algorithms. - (line 273) + (line 275) * gcry_md_get_algo_dlen: Working with hash algorithms. - (line 263) + (line 265) * gcry_md_get_asnoid: Working with hash algorithms. - (line 242) + (line 244) * gcry_md_hash_buffer: Working with hash algorithms. - (line 206) + (line 208) * gcry_md_hash_buffers: Working with hash algorithms. - (line 180) + (line 182) * gcry_md_is_enabled: Working with hash algorithms. - (line 286) + (line 288) * gcry_md_is_secure: Working with hash algorithms. - (line 280) + (line 282) * gcry_md_map_name: Working with hash algorithms. - (line 232) + (line 234) * gcry_md_open: Working with hash algorithms. (line 9) * gcry_md_putc: Working with hash algorithms. - (line 124) + (line 126) * gcry_md_read: Working with hash algorithms. - (line 149) + (line 151) * gcry_md_reset: Working with hash algorithms. - (line 87) + (line 89) * gcry_md_setkey: Working with hash algorithms. (line 66) * gcry_md_test_algo: Working with hash algorithms. - (line 256) + (line 258) * gcry_md_write: Working with hash algorithms. - (line 113) + (line 115) * gcry_mpi_abs: Basic functions. (line 63) * gcry_mpi_add: Calculations. (line 8) * gcry_mpi_addm: Calculations. (line 19) @@ -7046,18 +7186,18 @@ Function and Data Index * gcry_mpi_copy: Basic functions. (line 24) * gcry_mpi_div: Calculations. (line 61) * gcry_mpi_dump: MPI formats. (line 74) -* gcry_mpi_ec_add: EC functions. (line 158) -* gcry_mpi_ec_curve_point: EC functions. (line 177) -* gcry_mpi_ec_decode_point: EC functions. (line 128) -* gcry_mpi_ec_dup: EC functions. (line 152) -* gcry_mpi_ec_get_affine: EC functions. (line 139) -* gcry_mpi_ec_get_mpi: EC functions. (line 83) -* gcry_mpi_ec_get_point: EC functions. (line 101) -* gcry_mpi_ec_mul: EC functions. (line 171) -* gcry_mpi_ec_new: EC functions. (line 61) -* gcry_mpi_ec_set_mpi: EC functions. (line 114) -* gcry_mpi_ec_set_point: EC functions. (line 121) -* gcry_mpi_ec_sub: EC functions. (line 164) +* gcry_mpi_ec_add: EC functions. (line 166) +* gcry_mpi_ec_curve_point: EC functions. (line 185) +* gcry_mpi_ec_decode_point: EC functions. (line 136) +* gcry_mpi_ec_dup: EC functions. (line 160) +* gcry_mpi_ec_get_affine: EC functions. (line 147) +* gcry_mpi_ec_get_mpi: EC functions. (line 91) +* gcry_mpi_ec_get_point: EC functions. (line 109) +* gcry_mpi_ec_mul: EC functions. (line 179) +* gcry_mpi_ec_new: EC functions. (line 69) +* gcry_mpi_ec_set_mpi: EC functions. (line 122) +* gcry_mpi_ec_set_point: EC functions. (line 129) +* gcry_mpi_ec_sub: EC functions. (line 172) * gcry_mpi_gcd: Calculations. (line 78) * gcry_mpi_get_flag: Miscellaneous. (line 85) * gcry_mpi_get_nbits: Bit manipulations. (line 9) @@ -7072,12 +7212,13 @@ Function and Data Index * gcry_mpi_mul_ui: Calculations. (line 46) * gcry_mpi_neg: Basic functions. (line 59) * gcry_mpi_new: Basic functions. (line 9) -* gcry_mpi_point_get: EC functions. (line 23) +* gcry_mpi_point_copy: EC functions. (line 23) +* gcry_mpi_point_get: EC functions. (line 31) * gcry_mpi_point_new: EC functions. (line 10) * gcry_mpi_point_release: EC functions. (line 18) -* gcry_mpi_point_set: EC functions. (line 39) -* gcry_mpi_point_snatch_get: EC functions. (line 30) -* gcry_mpi_point_snatch_set: EC functions. (line 49) +* gcry_mpi_point_set: EC functions. (line 47) +* gcry_mpi_point_snatch_get: EC functions. (line 38) +* gcry_mpi_point_snatch_set: EC functions. (line 57) * gcry_mpi_point_t: Data types. (line 9) * gcry_mpi_powm: Calculations. (line 73) * gcry_mpi_print: MPI formats. (line 49) @@ -7190,108 +7331,109 @@ Function and Data Index  Tag Table: -Node: Top828 -Node: Introduction3346 -Node: Getting Started3718 -Node: Features4598 -Node: Overview5382 -Node: Preparation6005 -Node: Header6928 -Node: Building sources7999 -Node: Building sources using Automake9916 -Node: Initializing the library11844 -Ref: sample-use-suspend-secmem14912 -Ref: sample-use-resume-secmem15755 -Node: Multi-Threading16658 -Ref: Multi-Threading-Footnote-117837 -Node: Enabling FIPS mode18246 -Ref: enabling fips mode18427 -Node: Hardware features20239 -Ref: hardware features20406 -Ref: Hardware features-Footnote-121473 -Node: Generalities21634 -Node: Controlling the library21893 -Node: Error Handling38861 -Node: Error Values41400 -Node: Error Sources46340 -Node: Error Codes48608 -Node: Error Strings52084 -Node: Handler Functions53268 -Node: Progress handler53827 -Node: Allocation handler55976 -Node: Error handler57522 -Node: Logging handler59088 -Node: Symmetric cryptography59680 -Node: Available ciphers60420 -Node: Available cipher modes63101 -Node: Working with cipher handles66104 -Node: General cipher functions77573 -Node: Public Key cryptography81099 -Node: Available algorithms81865 -Node: Used S-expressions82214 -Node: RSA key parameters83331 -Node: DSA key parameters84606 -Node: ECC key parameters85260 -Ref: ecc_keyparam85411 -Node: Cryptographic Functions87282 -Node: General public-key related Functions99101 -Node: Hashing112621 -Node: Available hash algorithms113354 -Node: Working with hash algorithms118141 -Node: Message Authentication Codes132094 -Node: Available MAC algorithms132762 -Node: Working with MAC algorithms137924 -Node: Key Derivation143912 -Node: Random Numbers146314 -Node: Quality of random numbers146597 -Node: Retrieving random numbers147280 -Node: S-expressions148769 -Node: Data types for S-expressions149414 -Node: Working with S-expressions149740 -Node: MPI library163405 -Node: Data types164427 -Node: Basic functions164736 -Node: MPI formats167200 -Node: Calculations170724 -Node: Comparisons172993 -Node: Bit manipulations173996 -Node: EC functions175318 -Ref: gcry_mpi_ec_new178023 -Node: Miscellaneous183582 -Node: Prime numbers187726 -Node: Generation187996 -Node: Checking189283 -Node: Utilities189693 -Node: Memory allocation190005 -Node: Context management191361 -Ref: gcry_ctx_release191799 -Node: Buffer description191960 -Node: Tools192722 -Node: hmac256192889 -Node: Configuration193895 -Node: Architecture196081 -Ref: fig:subsystems197605 -Ref: Architecture-Footnote-1198691 -Ref: Architecture-Footnote-2198753 -Node: Public-Key Subsystem Architecture198837 -Node: Symmetric Encryption Subsystem Architecture201115 -Node: Hashing and MACing Subsystem Architecture202561 -Node: Multi-Precision-Integer Subsystem Architecture204484 -Node: Prime-Number-Generator Subsystem Architecture205922 -Ref: Prime-Number-Generator Subsystem Architecture-Footnote-1207853 -Node: Random-Number Subsystem Architecture208145 -Node: CSPRNG Description210669 -Ref: CSPRNG Description-Footnote-1212225 -Node: FIPS PRNG Description212348 -Node: Self-Tests214482 -Node: FIPS Mode225941 -Ref: fig:fips-fsm229767 -Ref: tbl:fips-states229870 -Ref: tbl:fips-state-transitions231122 -Node: Library Copying234743 -Node: Copying262849 -Node: Figures and Tables282025 -Node: Concept Index282450 -Node: Function and Data Index293047 +Node: Top835 +Node: Introduction3361 +Node: Getting Started3733 +Node: Features4613 +Node: Overview5397 +Node: Preparation6020 +Node: Header6943 +Node: Building sources8014 +Node: Building sources using Automake9931 +Node: Initializing the library11859 +Ref: sample-use-suspend-secmem14927 +Ref: sample-use-resume-secmem15770 +Node: Multi-Threading16673 +Ref: Multi-Threading-Footnote-117852 +Node: Enabling FIPS mode18261 +Ref: enabling fips mode18442 +Node: Hardware features20254 +Ref: hardware features20421 +Ref: Hardware features-Footnote-121502 +Node: Generalities21663 +Node: Controlling the library21922 +Node: Error Handling40084 +Node: Error Values42623 +Node: Error Sources47563 +Node: Error Codes49831 +Node: Error Strings53307 +Node: Handler Functions54491 +Node: Progress handler55050 +Node: Allocation handler57199 +Node: Error handler58745 +Node: Logging handler60311 +Node: Symmetric cryptography60903 +Node: Available ciphers61643 +Node: Available cipher modes64324 +Node: Working with cipher handles68177 +Node: General cipher functions79681 +Node: Public Key cryptography83207 +Node: Available algorithms83973 +Node: Used S-expressions84322 +Node: RSA key parameters85439 +Node: DSA key parameters86714 +Node: ECC key parameters87368 +Ref: ecc_keyparam87519 +Node: Cryptographic Functions89390 +Node: General public-key related Functions101209 +Node: Hashing114729 +Node: Available hash algorithms115462 +Node: Working with hash algorithms121425 +Node: Message Authentication Codes135557 +Node: Available MAC algorithms136225 +Node: Working with MAC algorithms141387 +Node: Key Derivation147375 +Node: Random Numbers149777 +Node: Quality of random numbers150060 +Node: Retrieving random numbers150743 +Node: S-expressions152232 +Node: Data types for S-expressions152877 +Node: Working with S-expressions153203 +Node: MPI library166868 +Node: Data types167890 +Node: Basic functions168199 +Node: MPI formats170663 +Node: Calculations174187 +Node: Comparisons176456 +Node: Bit manipulations177459 +Node: EC functions178781 +Ref: gcry_mpi_ec_new181730 +Node: Miscellaneous187289 +Node: Prime numbers191433 +Node: Generation191703 +Node: Checking192990 +Node: Utilities193400 +Node: Memory allocation193777 +Node: Context management195133 +Ref: gcry_ctx_release195571 +Node: Buffer description195732 +Node: Config reporting196519 +Node: Tools197469 +Node: hmac256197636 +Node: Configuration198642 +Node: Architecture201695 +Ref: fig:subsystems203219 +Ref: Architecture-Footnote-1204305 +Ref: Architecture-Footnote-2204367 +Node: Public-Key Subsystem Architecture204451 +Node: Symmetric Encryption Subsystem Architecture206729 +Node: Hashing and MACing Subsystem Architecture208175 +Node: Multi-Precision-Integer Subsystem Architecture210098 +Node: Prime-Number-Generator Subsystem Architecture211536 +Ref: Prime-Number-Generator Subsystem Architecture-Footnote-1213467 +Node: Random-Number Subsystem Architecture213759 +Node: CSPRNG Description216708 +Ref: CSPRNG Description-Footnote-1218264 +Node: FIPS PRNG Description218387 +Node: Self-Tests220521 +Node: FIPS Mode231980 +Ref: fig:fips-fsm235806 +Ref: tbl:fips-states235909 +Ref: tbl:fips-state-transitions237161 +Node: Library Copying240782 +Node: Copying268888 +Node: Figures and Tables288064 +Node: Concept Index288489 +Node: Function and Data Index299824  End Tag Table diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index 5b5fce2..2bf23a5 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -14,7 +14,7 @@ which is GNU's library of cryptographic building blocks. @noindent Copyright @copyright{} 2000, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2011, 2012 Free Software Foundation, Inc. @* -Copyright @copyright{} 2012, 2013, 2016 g10 Code GmbH +Copyright @copyright{} 2012, 2013, 2016, 2017 g10 Code GmbH @quotation Permission is granted to copy, distribute and/or modify this document @@ -95,7 +95,7 @@ section entitled ``GNU General Public License''. * Prime numbers:: How to use the Prime number related functions. * Utilities:: Utility functions. * Tools:: Utility tools. -* Configuration:: Configuration files and evironment variables. +* Configuration:: Configuration files and environment variables. * Architecture:: How Libgcrypt works internally. Appendices @@ -570,6 +570,7 @@ are @item intel-rdrand @item intel-avx @item intel-avx2 +@item intel-rdtsc @item arm-neon @end table @@ -823,7 +824,8 @@ proper random device. This command dumps information pertaining to the configuration of the library to the given stream. If NULL is given for @var{stream}, the log system is used. This command may be used before the initialization has -been finished but not before a @code{gcry_check_version}. +been finished but not before a @code{gcry_check_version}. Note that +the macro @code{estream_t} can be used instead of @code{gpgrt_stream_t}. @item GCRYCTL_OPERATIONAL_P; Arguments: none This command returns true if the library is in an operational state. @@ -906,10 +908,29 @@ success or an error code on failure. Libgcrypt detects certain features of the CPU at startup time. For performance tests it is sometimes required not to use such a feature. This option may be used to disable a certain feature; i.e. Libgcrypt -behaves as if this feature has not been detected. Note that the -detection code might be run if the feature has been disabled. This -command must be used at initialization time; i.e. before calling -@code{gcry_check_version}. +behaves as if this feature has not been detected. This call can be +used several times to disable a set of features, or features may be +given as a colon or comma delimited string. The special feature +"all" can be used to disable all available features. + +Note that the detection code might be run if the feature has been +disabled. This command must be used at initialization time; +i.e. before calling @code{gcry_check_version}. + +@item GCRYCTL_REINIT_SYSCALL_CLAMP; Arguments: none + +Libgcrypt wraps blocking system calls with two functions calls +(``system call clamp'') to give user land threading libraries a hook +for re-scheduling. This works by reading the system call clamp from +Libgpg-error at initialization time. However sometimes Libgcrypt +needs to be initialized before the user land threading systems and at +that point the system call clamp has not been registered with +Libgpg-error and in turn Libgcrypt would not use them. The control +code can be used to tell Libgcrypt that a system call clamp has now +been registered with Libgpg-error and advised it to read the clamp +again. Obviously this control code may only be used before a second +thread is started in a process. + @end table @@ -1673,6 +1694,23 @@ set to 12 (for 96 bit) or 8 (for 64 bit) provided for the Note that the use of @code{gcry_cipher_final} is required. +@item GCRY_CIPHER_MODE_XTS +@cindex XTS, XTS mode +XEX-based tweaked-codebook mode with ciphertext stealing (XTS) mode +is used to implement the AES-XTS as specified in IEEE 1619 Standard +Architecture for Encrypted Shared Storage Media and NIST SP800-38E. + +The XTS mode requires doubling key-length, for example, using 512-bit +key with AES-256 (@code{GCRY_CIPHER_AES256}). The 128-bit tweak value +is feed to XTS mode as little-endian byte array using +@code{gcry_cipher_setiv} function. When encrypting or decrypting, +full-sized data unit buffers needs to be passed to +@code{gcry_cipher_encrypt} or @code{gcry_cipher_decrypt}. The tweak +value is automatically incremented after each call of +@code{gcry_cipher_encrypt} and @code{gcry_cipher_decrypt}. +Auto-increment allows avoiding need of setting IV between processing +of sequential data units. + @end table @node Working with cipher handles @@ -1706,9 +1744,9 @@ ChaCha20 stream cipher. The block cipher modes @code{GCRY_CIPHER_MODE_CFB}, @code{GCRY_CIPHER_MODE_OFB} and @code{GCRY_CIPHER_MODE_CTR}) will work with any block cipher algorithm. GCM mode (@code{GCRY_CIPHER_MODE_CCM}), CCM mode -(@code{GCRY_CIPHER_MODE_GCM}), and OCB mode -(@code{GCRY_CIPHER_MODE_OCB}) will only work with block cipher -algorithms which have the block size of 16 bytes. +(@code{GCRY_CIPHER_MODE_GCM}), OCB mode (@code{GCRY_CIPHER_MODE_OCB}), +and XTS mode (@code{GCRY_CIPHER_MODE_XTS}) will only work +with block cipher algorithms which have the block size of 16 bytes. The third argument @var{flags} can either be passed as @code{0} or as the bit-wise OR of the following constants. @@ -3079,6 +3117,8 @@ are also supported. @cindex TIGER, TIGER1, TIGER2 @cindex HAVAL @cindex Whirlpool +@cindex BLAKE2b-512, BLAKE2b-384, BLAKE2b-256, BLAKE2b-160 +@cindex BLAKE2s-256, BLAKE2s-224, BLAKE2s-160, BLAKE2s-128 @cindex CRC32 @table @code @item GCRY_MD_NONE @@ -3203,6 +3243,38 @@ which yields a message digest of 32 bytes. This is the 512-bit version of hash algorithm described in GOST R 34.11-2012 which yields a message digest of 64 bytes. +@item GCRY_MD_BLAKE2B_512 +This is the BLAKE2b-512 algorithm which yields a message digest of 64 bytes. +See RFC 7693 for the specification. + +@item GCRY_MD_BLAKE2B_384 +This is the BLAKE2b-384 algorithm which yields a message digest of 48 bytes. +See RFC 7693 for the specification. + +@item GCRY_MD_BLAKE2B_256 +This is the BLAKE2b-256 algorithm which yields a message digest of 32 bytes. +See RFC 7693 for the specification. + +@item GCRY_MD_BLAKE2B_160 +This is the BLAKE2b-160 algorithm which yields a message digest of 20 bytes. +See RFC 7693 for the specification. + +@item GCRY_MD_BLAKE2S_256 +This is the BLAKE2s-256 algorithm which yields a message digest of 32 bytes. +See RFC 7693 for the specification. + +@item GCRY_MD_BLAKE2S_224 +This is the BLAKE2s-224 algorithm which yields a message digest of 28 bytes. +See RFC 7693 for the specification. + +@item GCRY_MD_BLAKE2S_160 +This is the BLAKE2s-160 algorithm which yields a message digest of 20 bytes. +See RFC 7693 for the specification. + +@item GCRY_MD_BLAKE2S_128 +This is the BLAKE2s-128 algorithm which yields a message digest of 16 bytes. +See RFC 7693 for the specification. + @end table @c end table of hash algorithms @@ -3281,9 +3353,12 @@ be set using the function: @deftypefun gcry_error_t gcry_md_setkey (gcry_md_hd_t @var{h}, const void *@var{key}, size_t @var{keylen}) -For use with the HMAC feature, set the MAC key to the value of -@var{key} of length @var{keylen} bytes. There is no restriction on -the length of the key. +For use with the HMAC feature or BLAKE2 keyed hash, set the MAC key to +the value of @var{key} of length @var{keylen} bytes. For HMAC, there +is no restriction on the length of the key. For keyed BLAKE2b hash, +length of the key must be 64 bytes or less. For keyed BLAKE2s hash, +length of the key must be 32 bytes or less. + @end deftypefun @@ -4801,6 +4876,13 @@ Release @var{point} and free all associated resources. Passing @code{NULL} is allowed and ignored. @end deftypefun +@deftypefun gcry_mpi_point_t gcry_mpi_point_copy (@w{gcry_mpi_point_t @var{point}}) + +Allocate and return a new point object and initialize it with +@var{point}. If @var{point} is NULL the function is identical to +@code{gcry_mpi_point_new(0)}. +@end deftypefun + @deftypefun void gcry_mpi_point_get (@w{gcry_mpi_t @var{x}}, @ @w{gcry_mpi_t @var{y}}, @w{gcry_mpi_t @var{z}}, @ @w{gcry_mpi_point_t @var{point}}) @@ -5159,6 +5241,7 @@ wrong. * Memory allocation:: Functions related with memory allocation. * Context management:: Functions related with context management. * Buffer description:: A data type to describe buffers. +* Config reporting:: How to return Libgcrypt's configuration. @end menu @@ -5243,6 +5326,27 @@ of this structure are: @end table @end deftp +@node Config reporting +@section How to return Libgcrypt's configuration. + +Although @code{GCRYCTL_PRINT_CONFIG} can be used to print +configuration options, it is sometimes necessary to check them in a +program. This can be accomplished by using this function: + +@deftypefun {char *} gcry_get_config @ + (@w{int @var{mode}}, @ + @w{const char *@var{what}}) + +This function returns a malloced string with colon delimited configure +options. With a value of 0 for @var{mode} this string resembles the +output of @code{GCRYCTL_PRINT_CONFIG}. However, if @var{what} is not +NULL, only the line where the first field (e.g. "cpu-arch") matches +@var{what} is returned. + +Other values than 0 for @var{mode} are not defined. The caller shall +free the string using @code{gcry_free}. On error NULL is returned and +ERRNO is set; if a value for WHAT is unknow ERRNO will be set to 0. +@end deftypefun @c ********************************************************** @@ -5318,7 +5422,7 @@ Print version of the program and exit. @c **************** Environment Variables ***************** @c ********************************************************** @node Configuration -@chapter Configuration files and evironment variables +@chapter Configuration files and environment variables This chapter describes which files and environment variables can be used to change the behaviour of Libgcrypt. @@ -5352,6 +5456,13 @@ for entropy. On some older Windows systems this could help to speed up the creation of random numbers but also decreases the amount of data used to init the random number generator. +@item GCRYPT_RNDW32_DBG +@cindex GCRYPT_RNDW32_DBG +Setting the value of this variable to a positive integer logs +information about the Windows entropy gatherer using the standard log +interface. + + @item HOME @cindex HOME This is used to locate the socket to connect to the EGD random @@ -5374,6 +5485,28 @@ are: This file can be used to disable the use of hardware based optimizations, @pxref{hardware features}. + +@item /etc/gcrypt/random.conf +@cindex /etc/gcrypt/random.conf +This file can be used to globally change parameters of the random +generator. The file is a simple text file where empty lines and +lines with the first non white-space character being '#' are +ignored. Supported options are + +@table @file +@item disable-jent +@cindex disable-jent +Disable the use of the jitter based entropy generator. + +@item only-urandom +@cindex only-urandom +Always use the non-blocking /dev/urandom or the respective system call +instead of the blocking /dev/random. If Libgcrypt is used early in +the boot process of the system, this option should only be used if the +system also supports the getrandom system call. + +@end table + @item /etc/gcrypt/fips_enabled @itemx /proc/sys/crypto/fips_enabled @cindex /etc/gcrypt/fips_enabled @@ -5730,8 +5863,10 @@ Both generators make use of so-called entropy gathering modules: @table @asis @item rndlinux -Uses the operating system provided -@file{/dev/random} and @file{/dev/urandom} devices. +Uses the operating system provided @file{/dev/random} and +@file{/dev/urandom} devices. The @file{/dev/gcrypt/random.conf} +config option @option{only-urandom} can be used to inhibit the use of +the blocking @file{/dev/random} device. @item rndunix Runs several operating system commands to collect entropy from sources @@ -5757,6 +5892,12 @@ random number generator. As of now the supported hardware RNG is the Padlock engine of VIA (Centaur) CPUs and x86 CPUs with the RDRAND instruction. It is not available in FIPS mode. +@item rndjent +Extra module to collect additional entropy using a CPU jitter based +approach. This is only used on X86 hardware where the RDTSC opcode is +available. The @file{/dev/gcrypt/random.conf} config option +@option{disable-jent} can be used to inhibit the use of this module. + @end table @@ -5789,7 +5930,7 @@ to mix in enough data from the gather modules before returning the actual random output. Process fork detection and protection is implemented. -@c FIXME: The design and implementaion needs a more verbose description. +@c FIXME: The design and implementation needs a more verbose description. The implementation of the nonce generator (for @code{gcry_create_nonce}) is a straightforward repeated hash design: A diff --git a/doc/libgcrypt-modules.eps b/doc/libgcrypt-modules.eps index 5d6e03d..d33ce9f 100644 --- a/doc/libgcrypt-modules.eps +++ b/doc/libgcrypt-modules.eps @@ -1,7 +1,7 @@ %!PS-Adobe-3.0 EPSF-3.0 -%%Title: /home/wk/s/libgcrypt-1.7/doc/libgcrypt-modules.fig +%%Title: /home/wk/s/libgcrypt/doc/libgcrypt-modules.fig %%Creator: fig2dev Version 3.2 Patchlevel 5e -%%CreationDate: Thu Jun 1 16:17:17 2017 +%%CreationDate: Tue Jan 6 19:07:13 2015 %%BoundingBox: 0 0 488 300 %Magnification: 1.0000 %%EndComments diff --git a/doc/libgcrypt-modules.pdf b/doc/libgcrypt-modules.pdf index b8a41bc..d340c9e 100644 Binary files a/doc/libgcrypt-modules.pdf and b/doc/libgcrypt-modules.pdf differ diff --git a/doc/stamp-vti b/doc/stamp-vti index 133b4b6..8aef12c 100644 --- a/doc/stamp-vti +++ b/doc/stamp-vti @@ -1,4 +1,4 @@ -@set UPDATED 2 June 2017 -@set UPDATED-MONTH June 2017 -@set EDITION 1.7.7 -@set VERSION 1.7.7 +@set UPDATED 18 July 2017 +@set UPDATED-MONTH July 2017 +@set EDITION 1.8.1 +@set VERSION 1.8.1 diff --git a/doc/version.texi b/doc/version.texi index 133b4b6..8aef12c 100644 --- a/doc/version.texi +++ b/doc/version.texi @@ -1,4 +1,4 @@ -@set UPDATED 2 June 2017 -@set UPDATED-MONTH June 2017 -@set EDITION 1.7.7 -@set VERSION 1.7.7 +@set UPDATED 18 July 2017 +@set UPDATED-MONTH July 2017 +@set EDITION 1.8.1 +@set VERSION 1.8.1 diff --git a/mpi/alpha/README b/mpi/alpha/README index 55c0a29..00addfd 100644 --- a/mpi/alpha/README +++ b/mpi/alpha/README @@ -5,7 +5,7 @@ RELEVANT OPTIMIZATION ISSUES EV4 1. This chip has very limited store bandwidth. The on-chip L1 cache is -write-through, and a cache line is transfered from the store buffer to the +write-through, and a cache line is transferred from the store buffer to the off-chip L2 in as much 15 cycles on most systems. This delay hurts mpn_add_n, mpn_sub_n, mpn_lshift, and mpn_rshift. @@ -20,7 +20,7 @@ EV5 1. The memory bandwidth of this chip seems excellent, both for loads and stores. Even when the working set is larger than the on-chip L1 and L2 -caches, the perfromance remain almost unaffected. +caches, the performance remain almost unaffected. 2. mulq has a measured latency of 13 cycles and an issue rate of 1 each 8th cycle. umulh has a measured latency of 15 cycles and an issue rate of 1 diff --git a/mpi/ec.c b/mpi/ec.c index 3ac0547..4c16603 100644 --- a/mpi/ec.c +++ b/mpi/ec.c @@ -35,7 +35,7 @@ #define point_free(a) _gcry_mpi_point_free_parts ((a)) -/* Print a point using the log fucntions. If CTX is not NULL affine +/* Print a point using the log functions. If CTX is not NULL affine coordinates will be printed. */ void _gcry_mpi_point_log (const char *name, mpi_point_t point, mpi_ec_t ctx) @@ -139,6 +139,20 @@ point_set (mpi_point_t d, mpi_point_t s) } +/* Return a copy of POINT. */ +gcry_mpi_point_t +_gcry_mpi_point_copy (gcry_mpi_point_t point) +{ + mpi_point_t newpoint; + + newpoint = _gcry_mpi_point_new (0); + if (point) + point_set (newpoint, point); + + return newpoint; +} + + static void point_resize (mpi_point_t p, mpi_ec_t ctx) { @@ -382,6 +396,29 @@ ec_get_two_inv_p (mpi_ec_t ec) } +static const char *curve25519_bad_points[] = { + "0x0000000000000000000000000000000000000000000000000000000000000000", + "0x0000000000000000000000000000000000000000000000000000000000000001", + "0x00b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0", + "0x57119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c5f", + "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec", + "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed", + "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee", + NULL +}; + +static gcry_mpi_t +scanval (const char *string) +{ + gpg_err_code_t rc; + gcry_mpi_t val; + + rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL); + if (rc) + log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc)); + return val; +} + /* This function initialized a context for elliptic curve based on the field GF(p). P is the prime specifying this field, A is the first @@ -420,9 +457,17 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model, _gcry_mpi_ec_get_reset (ctx); - /* Allocate scratch variables. */ - for (i=0; i< DIM(ctx->t.scratch); i++) - ctx->t.scratch[i] = mpi_alloc_like (ctx->p); + if (model == MPI_EC_MONTGOMERY) + { + for (i=0; i< DIM(ctx->t.scratch) && curve25519_bad_points[i]; i++) + ctx->t.scratch[i] = scanval (curve25519_bad_points[i]); + } + else + { + /* Allocate scratch variables. */ + for (i=0; i< DIM(ctx->t.scratch); i++) + ctx->t.scratch[i] = mpi_alloc_like (ctx->p); + } /* Prepare for fast reduction. */ /* FIXME: need a test for NIST values. However it does not gain us @@ -1558,3 +1603,17 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx) return res; } + + +int +_gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx) +{ + int i; + gcry_mpi_t x_bad; + + for (i = 0; (x_bad = ctx->t.scratch[i]); i++) + if (!mpi_cmp (point->x, x_bad)) + return 1; + + return 0; +} diff --git a/mpi/mips3/README b/mpi/mips3/README index e94b2c7..4ba4546 100644 --- a/mpi/mips3/README +++ b/mpi/mips3/README @@ -9,7 +9,7 @@ RELEVANT OPTIMIZATION ISSUES On the R4600, branches takes a single cycle - On the R8000, branches often take no noticable cycles, as they are + On the R8000, branches often take no noticeable cycles, as they are executed in a separate function unit.. 2. The R4000 and R4400 have a load latency of 4 cycles. diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c index a780ebd..62b4a80 100644 --- a/mpi/mpi-pow.c +++ b/mpi/mpi-pow.c @@ -188,9 +188,15 @@ _gcry_mpi_powm (gcry_mpi_t res, mpi_limb_t e; mpi_limb_t carry_limb; struct karatsuba_ctx karactx; + struct gcry_mpi w, u; - xp_nlimbs = msec? (2 * (msize + 1)):0; - xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec ); + xp_nlimbs = msec? size:0; + xp = xp_marker = mpi_alloc_limb_space( size, msec ); + + w.sign = u.sign = 0; + w.flags = u.flags = 0; + w.alloced = w.nlimbs = size; /* RES->alloc may be longer. */ + u.alloced = u.nlimbs = size; memset( &karactx, 0, sizeof karactx ); negative_result = (ep[0] & 1) && bsign; @@ -267,11 +273,11 @@ _gcry_mpi_powm (gcry_mpi_t res, xsize = msize; } } - if ( (mpi_limb_signed_t)e < 0 ) - { - tp = rp; rp = xp; xp = tp; - rsize = xsize; - } + + w.d = rp; + u.d = xp; + mpi_set_cond (&w, &u, ((mpi_limb_signed_t)e < 0)); + e <<= 1; c--; } @@ -546,8 +552,8 @@ _gcry_mpi_powm (gcry_mpi_t res, struct karatsuba_ctx karactx; mpi_ptr_t tp; - xp_nlimbs = msec? (2 * (msize + 1)):0; - xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec ); + xp_nlimbs = msec? size:0; + xp = xp_marker = mpi_alloc_limb_space( size, msec ); memset( &karactx, 0, sizeof karactx ); negative_result = (ep[0] & 1) && bsign; @@ -573,6 +579,8 @@ _gcry_mpi_powm (gcry_mpi_t res, MPN_COPY (precomp[i], rp, rsize); } + if (msize > max_u_size) + max_u_size = msize; base_u = mpi_alloc_limb_space (max_u_size, esec); MPN_ZERO (base_u, max_u_size); @@ -609,12 +617,8 @@ _gcry_mpi_powm (gcry_mpi_t res, if (e == 0) { j += c; - i--; - if ( i < 0 ) - { - c = 0; - break; - } + if ( --i < 0 ) + break; e = ep[i]; c = BITS_PER_MPI_LIMB; @@ -623,79 +627,78 @@ _gcry_mpi_powm (gcry_mpi_t res, { int c0; mpi_limb_t e0; + struct gcry_mpi w, u; + w.sign = u.sign = 0; + w.flags = u.flags = 0; + w.d = base_u; count_leading_zeros (c0, e); e = (e << c0); c -= c0; j += c0; + e0 = (e >> (BITS_PER_MPI_LIMB - W)); if (c >= W) - { - e0 = (e >> (BITS_PER_MPI_LIMB - W)); - e = (e << W); - c -= W; - } + c0 = 0; else { - i--; - if ( i < 0 ) + if ( --i < 0 ) { - e = (e >> (BITS_PER_MPI_LIMB - c)); - break; + e0 = (e >> (BITS_PER_MPI_LIMB - c)); + j += c - W; + goto last_step; + } + else + { + c0 = c; + e = ep[i]; + c = BITS_PER_MPI_LIMB; + e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0))); } - - c0 = c; - e0 = (e >> (BITS_PER_MPI_LIMB - W)) - | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0)); - e = (ep[i] << (W - c0)); - c = BITS_PER_MPI_LIMB - W + c0; } + e = e << (W - c0); + c -= (W - c0); + + last_step: count_trailing_zeros (c0, e0); e0 = (e0 >> c0) >> 1; - for (j += W - c0; j; j--) + for (j += W - c0; j >= 0; j--) { - mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); + + /* + * base_u <= precomp[e0] + * base_u_size <= precomp_size[e0] + */ + base_u_size = 0; + for (k = 0; k < (1<< (W - 1)); k++) + { + w.alloced = w.nlimbs = precomp_size[k]; + u.alloced = u.nlimbs = precomp_size[k]; + u.d = precomp[k]; + + mpi_set_cond (&w, &u, k == e0); + base_u_size |= ( precomp_size[k] & (0UL - (k == e0)) ); + } + + w.alloced = w.nlimbs = rsize; + u.alloced = u.nlimbs = rsize; + u.d = rp; + mpi_set_cond (&w, &u, j != 0); + base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0))); + + mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, + mp, msize, &karactx); tp = rp; rp = xp; xp = tp; rsize = xsize; } - /* - * base_u <= precomp[e0] - * base_u_size <= precomp_size[e0] - */ - base_u_size = 0; - for (k = 0; k < (1<< (W - 1)); k++) - { - struct gcry_mpi w, u; - w.alloced = w.nlimbs = precomp_size[k]; - u.alloced = u.nlimbs = precomp_size[k]; - w.sign = u.sign = 0; - w.flags = u.flags = 0; - w.d = base_u; - u.d = precomp[k]; - - mpi_set_cond (&w, &u, k == e0); - base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); - } - - mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, - mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - j = c0; + if ( i < 0 ) + break; } - if (c != 0) - { - j += c; - count_trailing_zeros (c, e); - e = (e >> c); - j -= c; - } - while (j--) { mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); @@ -703,40 +706,6 @@ _gcry_mpi_powm (gcry_mpi_t res, rsize = xsize; } - if (e != 0) - { - /* - * base_u <= precomp[(e>>1)] - * base_u_size <= precomp_size[(e>>1)] - */ - base_u_size = 0; - for (k = 0; k < (1<< (W - 1)); k++) - { - struct gcry_mpi w, u; - w.alloced = w.nlimbs = precomp_size[k]; - u.alloced = u.nlimbs = precomp_size[k]; - w.sign = u.sign = 0; - w.flags = u.flags = 0; - w.d = base_u; - u.d = precomp[k]; - - mpi_set_cond (&w, &u, k == (e>>1)); - base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) ); - } - - mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, - mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - - for (; c; c--) - { - mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - } - } - /* We shifted MOD, the modulo reduction argument, left MOD_SHIFT_CNT steps. Adjust the result by reducing it with the original MOD. diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c index 6dee0b9..3ae84c3 100644 --- a/mpi/mpiutil.c +++ b/mpi/mpiutil.c @@ -256,7 +256,7 @@ mpi_set_secure( gcry_mpi_t a ) gcry_assert (!ap); return; } - bp = mpi_alloc_limb_space (a->nlimbs, 1); + bp = mpi_alloc_limb_space (a->alloced, 1); MPN_COPY( bp, ap, a->nlimbs ); a->d = bp; _gcry_mpi_free_limb_space (ap, a->alloced); diff --git a/random/Makefile.am b/random/Makefile.am index 92aba20..60af5b4 100644 --- a/random/Makefile.am +++ b/random/Makefile.am @@ -36,6 +36,7 @@ rand-internal.h \ random-csprng.c \ random-drbg.c \ random-system.c \ +rndjent.c \ rndhw.c if USE_RANDOM_DAEMON @@ -48,4 +49,21 @@ rndlinux.c \ rndegd.c \ rndunix.c \ rndw32.c \ -rndw32ce.c +rndw32ce.c \ +jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h + + +# The rndjent module needs to be compiled without optimization. */ +if ENABLE_O_FLAG_MUNGING +o_flag_munging = sed -e 's/-O\([1-9s][1-9s]*\)/-O0/g' -e 's/-Ofast/-O0/g' +else +o_flag_munging = cat +endif + +rndjent.o: $(srcdir)/rndjent.c jitterentropy-base-user.h \ + $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h + `echo $(COMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) ` + +rndjent.lo: $(srcdir)/rndjent.c jitterentropy-base-user.h \ + $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h + `echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) ` diff --git a/random/Makefile.in b/random/Makefile.in index 3307190..c23bb2e 100644 --- a/random/Makefile.in +++ b/random/Makefile.in @@ -119,11 +119,11 @@ CONFIG_CLEAN_VPATH_FILES = LTLIBRARIES = $(noinst_LTLIBRARIES) am__DEPENDENCIES_1 = am__librandom_la_SOURCES_DIST = random.c random.h rand-internal.h \ - random-csprng.c random-drbg.c random-system.c rndhw.c \ - random-daemon.c + random-csprng.c random-drbg.c random-system.c rndjent.c \ + rndhw.c random-daemon.c @USE_RANDOM_DAEMON_TRUE@am__objects_1 = random-daemon.lo am_librandom_la_OBJECTS = random.lo random-csprng.lo random-drbg.lo \ - random-system.lo rndhw.lo $(am__objects_1) + random-system.lo rndjent.lo rndhw.lo $(am__objects_1) librandom_la_OBJECTS = $(am_librandom_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -362,15 +362,20 @@ GCRYPT_MODULES = @GCRYPT_RANDOM@ librandom_la_DEPENDENCIES = $(GCRYPT_MODULES) librandom_la_LIBADD = $(GCRYPT_MODULES) librandom_la_SOURCES = random.c random.h rand-internal.h \ - random-csprng.c random-drbg.c random-system.c rndhw.c \ - $(am__append_1) + random-csprng.c random-drbg.c random-system.c rndjent.c \ + rndhw.c $(am__append_1) EXTRA_librandom_la_SOURCES = \ rndlinux.c \ rndegd.c \ rndunix.c \ rndw32.c \ -rndw32ce.c +rndw32ce.c \ +jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h +@ENABLE_O_FLAG_MUNGING_FALSE@o_flag_munging = cat + +# The rndjent module needs to be compiled without optimization. */ +@ENABLE_O_FLAG_MUNGING_TRUE@o_flag_munging = sed -e 's/-O\([1-9s][1-9s]*\)/-O0/g' -e 's/-Ofast/-O0/g' all: all-am .SUFFIXES: @@ -426,6 +431,7 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/jitterentropy-base.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-csprng.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-daemon.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-drbg.Plo@am__quote@ @@ -433,6 +439,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rndegd.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rndhw.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rndjent.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rndlinux.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rndunix.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rndw32.Plo@am__quote@ @@ -669,6 +676,14 @@ uninstall-am: tags tags-am uninstall uninstall-am +rndjent.o: $(srcdir)/rndjent.c jitterentropy-base-user.h \ + $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h + `echo $(COMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) ` + +rndjent.lo: $(srcdir)/rndjent.c jitterentropy-base-user.h \ + $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h + `echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) ` + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/random/jitterentropy-base-user.h b/random/jitterentropy-base-user.h new file mode 100644 index 0000000..75dd768 --- /dev/null +++ b/random/jitterentropy-base-user.h @@ -0,0 +1,134 @@ +/* + * Non-physical true random number generator based on timing jitter. + * + * Copyright Stephan Mueller , 2013 + * + * License + * ======= + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU General Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF + * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + */ + +#ifndef GCRYPT_JITTERENTROPY_BASE_USER_H +#define GCRYPT_JITTERENTROPY_BASE_USER_H + +/* + * This is Libgcrypt specific platform dependent code. We use a + * separate file because jitterentropy.h expects such a file. + */ + +#ifndef USE_JENT +# error This file expects to be included from rndjent.c (via jitterentropy.h) +#endif +#ifndef HAVE_STDINT_H +# error This module needs stdint.h - try ./configure --disable-jent-support +#endif + + +/* When using the libgcrypt secure memory mechanism, all precautions + * are taken to protect our state. If the user disables secmem during + * runtime, it is his decision and we thus try not to overrule his + * decision for less memory protection. */ +#define JENT_CPU_JITTERENTROPY_SECURE_MEMORY 1 +#define jent_zalloc(n) _gcry_calloc_secure (1, (n)) + + +static void +jent_get_nstime(u64 *out) +{ +#if USE_JENT == JENT_USES_RDTSC + + u32 t_eax, t_edx; + + asm volatile (".byte 0x0f,0x31\n\t" + : "=a" (t_eax), "=d" (t_edx) + ); + *out = (((u64)t_edx << 32) | t_eax); + +#elif USE_JENT == JENT_USES_GETTIME + + struct timespec tv; + u64 tmp; + + /* On Linux we could use CLOCK_MONOTONIC(_RAW), but with + * CLOCK_REALTIME we get some nice extra entropy once in a while + * from the NTP actions that we want to use as well... though, we do + * not rely on that extra little entropy. */ + if (!clock_gettime (CLOCK_REALTIME, &tv)) + { + tmp = time.tv_sec; + tmp = tmp << 32; + tmp = tmp | time.tv_nsec; + } + else + tmp = 0; + *out = tmp; + +#elif USE_JENT == JENT_USES_READ_REAL_TIME + + /* clock_gettime() on AIX returns a timer value that increments in + * steps of 1000. */ + u64 tmp = 0; + + timebasestruct_t aixtime; + read_real_time (&aixtime, TIMEBASE_SZ); + tmp = aixtime.tb_high; + tmp = tmp << 32; + tmp = tmp | aixtime.tb_low; + *out = tmp; + +#else +# error No clock available in jent_get_nstime +#endif +} + + +static GPGRT_INLINE void +jent_zfree (void *ptr, unsigned int len) +{ + if (ptr) + { + wipememory (ptr, len); + _gcry_free (ptr); + } +} + + +static GPGRT_INLINE int +jent_fips_enabled(void) +{ + return fips_mode(); +} + + +#endif /* GCRYPT_JITTERENTROPY_BASE_USER_H */ diff --git a/random/jitterentropy-base.c b/random/jitterentropy-base.c new file mode 100644 index 0000000..dc907b2 --- /dev/null +++ b/random/jitterentropy-base.c @@ -0,0 +1,789 @@ +/* + * Non-physical true random number generator based on timing jitter. + * + * Copyright Stephan Mueller , 2014 - 2017 + * + * Design + * ====== + * + * See documentation in doc/ folder. + * + * Interface + * ========= + * + * See documentation in doc/ folder. + * + * License + * ======= + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU General Public License, in which case the provisions of the GPL2 are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF + * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + */ + +#undef _FORTIFY_SOURCE +#pragma GCC optimize ("O0") + +#include "jitterentropy.h" + +#ifndef CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT + /* only check optimization in a compilation for real work */ + #ifdef __OPTIMIZE__ + #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy-base.c." + #endif +#endif + +#define MAJVERSION 2 /* API / ABI incompatible changes, functional changes that + * require consumer to be updated (as long as this number + * is zero, the API is not considered stable and can + * change without a bump of the major version) */ +#define MINVERSION 1 /* API compatible, ABI may change, functional + * enhancements only, consumer can be left unchanged if + * enhancements are not considered */ +#define PATCHLEVEL 0 /* API / ABI compatible, no functional changes, no + * enhancements, bug fixes only */ + +/** + * jent_version() - Return machine-usable version number of jent library + * + * The function returns a version number that is monotonic increasing + * for newer versions. The version numbers are multiples of 100. For example, + * version 1.2.3 is converted to 1020300 -- the last two digits are reserved + * for future use. + * + * The result of this function can be used in comparing the version number + * in a calling program if version-specific calls need to be make. + * + * Return: Version number of kcapi library + */ +JENT_PRIVATE_STATIC +unsigned int jent_version(void) +{ + unsigned int version = 0; + + version = MAJVERSION * 1000000; + version += MINVERSION * 10000; + version += PATCHLEVEL * 100; + + return version; +} + +/** + * Update of the loop count used for the next round of + * an entropy collection. + * + * Input: + * @ec entropy collector struct -- may be NULL + * @bits is the number of low bits of the timer to consider + * @min is the number of bits we shift the timer value to the right at + * the end to make sure we have a guaranteed minimum value + * + * @return Newly calculated loop counter + */ +static uint64_t jent_loop_shuffle(struct rand_data *ec, + unsigned int bits, unsigned int min) +{ + uint64_t time = 0; + uint64_t shuffle = 0; + unsigned int i = 0; + unsigned int mask = (1<data; + /* + * We fold the time value as much as possible to ensure that as many + * bits of the time stamp are included as possible. + */ + for (i = 0; (DATA_SIZE_BITS / bits) > i; i++) { + shuffle ^= time & mask; + time = time >> bits; + } + + /* + * We add a lower boundary value to ensure we have a minimum + * RNG loop count. + */ + return (shuffle + (1<data + * + * @return Number of loops the folding operation is performed + */ +static uint64_t jent_lfsr_time(struct rand_data *ec, uint64_t time, + uint64_t loop_cnt) +{ + unsigned int i; + uint64_t j = 0; + uint64_t new = 0; +#define MAX_FOLD_LOOP_BIT 4 +#define MIN_FOLD_LOOP_BIT 0 + uint64_t fold_loop_cnt = + jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT); + + /* + * testing purposes -- allow test app to set the counter, not + * needed during runtime + */ + if (loop_cnt) + fold_loop_cnt = loop_cnt; + for (j = 0; j < fold_loop_cnt; j++) { + new = ec->data; + for (i = 1; (DATA_SIZE_BITS) >= i; i++) { + uint64_t tmp = time << (DATA_SIZE_BITS - i); + + tmp = tmp >> (DATA_SIZE_BITS - 1); + + /* + * Fibonacci LSFR with polynomial of + * x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is + * primitive according to + * http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf + * (the shift values are the polynomial values minus one + * due to counting bits from 0 to 63). As the current + * position is always the LSB, the polynomial only needs + * to shift data in from the left without wrap. + */ + new ^= tmp; + new ^= ((new >> 63) & 1); + new ^= ((new >> 60) & 1); + new ^= ((new >> 55) & 1); + new ^= ((new >> 30) & 1); + new ^= ((new >> 27) & 1); + new ^= ((new >> 22) & 1); + new = rol64(new, 1); + } + } + ec->data = new; + + return fold_loop_cnt; +} + +/** + * Memory Access noise source -- this is a noise source based on variations in + * memory access times + * + * This function performs memory accesses which will add to the timing + * variations due to an unknown amount of CPU wait states that need to be + * added when accessing memory. The memory size should be larger than the L1 + * caches as outlined in the documentation and the associated testing. + * + * The L1 cache has a very high bandwidth, albeit its access rate is usually + * slower than accessing CPU registers. Therefore, L1 accesses only add minimal + * variations as the CPU has hardly to wait. Starting with L2, significant + * variations are added because L2 typically does not belong to the CPU any more + * and therefore a wider range of CPU wait states is necessary for accesses. + * L3 and real memory accesses have even a wider range of wait states. However, + * to reliably access either L3 or memory, the ec->mem memory must be quite + * large which is usually not desirable. + * + * Input: + * @ec Reference to the entropy collector with the memory access data -- if + * the reference to the memory block to be accessed is NULL, this noise + * source is disabled + * @loop_cnt if a value not equal to 0 is set, use the given value as number of + * loops to perform the folding + * + * @return Number of memory access operations + */ +static unsigned int jent_memaccess(struct rand_data *ec, uint64_t loop_cnt) +{ + unsigned int wrap = 0; + uint64_t i = 0; +#define MAX_ACC_LOOP_BIT 7 +#define MIN_ACC_LOOP_BIT 0 + uint64_t acc_loop_cnt = + jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); + + if (NULL == ec || NULL == ec->mem) + return 0; + wrap = ec->memblocksize * ec->memblocks; + + /* + * testing purposes -- allow test app to set the counter, not + * needed during runtime + */ + if (loop_cnt) + acc_loop_cnt = loop_cnt; + + for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) { + unsigned char *tmpval = ec->mem + ec->memlocation; + /* + * memory access: just add 1 to one byte, + * wrap at 255 -- memory access implies read + * from and write to memory location + */ + *tmpval = (*tmpval + 1) & 0xff; + /* + * Addition of memblocksize - 1 to pointer + * with wrap around logic to ensure that every + * memory location is hit evenly + */ + ec->memlocation = ec->memlocation + ec->memblocksize - 1; + ec->memlocation = ec->memlocation % wrap; + } + return i; +} + +/*************************************************************************** + * Start of entropy processing logic + ***************************************************************************/ + +/** + * Stuck test by checking the: + * 1st derivation of the jitter measurement (time delta) + * 2nd derivation of the jitter measurement (delta of time deltas) + * 3rd derivation of the jitter measurement (delta of delta of time deltas) + * + * All values must always be non-zero. + * + * Input: + * @ec Reference to entropy collector + * @current_delta Jitter time delta + * + * @return + * 0 jitter measurement not stuck (good bit) + * 1 jitter measurement stuck (reject bit) + */ +static int jent_stuck(struct rand_data *ec, uint64_t current_delta) +{ + int64_t delta2 = ec->last_delta - current_delta; + int64_t delta3 = delta2 - ec->last_delta2; + + ec->last_delta = current_delta; + ec->last_delta2 = delta2; + + if (!current_delta || !delta2 || !delta3) + return 1; + + return 0; +} + +/** + * This is the heart of the entropy generation: calculate time deltas and + * use the CPU jitter in the time deltas. The jitter is injected into the + * entropy pool. + * + * WARNING: ensure that ->prev_time is primed before using the output + * of this function! This can be done by calling this function + * and not using its result. + * + * Input: + * @entropy_collector Reference to entropy collector + * + * @return: result of stuck test + */ +static int jent_measure_jitter(struct rand_data *ec) +{ + uint64_t time = 0; + uint64_t current_delta = 0; + int stuck; + + /* Invoke one noise source before time measurement to add variations */ + jent_memaccess(ec, 0); + + /* + * Get time stamp and calculate time delta to previous + * invocation to measure the timing variations + */ + jent_get_nstime(&time); + current_delta = time - ec->prev_time; + ec->prev_time = time; + + /* Now call the next noise sources which also injects the data */ + jent_lfsr_time(ec, current_delta, 0); + + /* Check whether we have a stuck measurement. */ + stuck = jent_stuck(ec, current_delta); + + /* + * Rotate the data buffer by a prime number (any odd number would + * do) to ensure that every bit position of the input time stamp + * has an even chance of being merged with a bit position in the + * entropy pool. We do not use one here as the adjacent bits in + * successive time deltas may have some form of dependency. The + * chosen value of 7 implies that the low 7 bits of the next + * time delta value is concatenated with the current time delta. + */ + if (!stuck) + ec->data = rol64(ec->data, 7); + + return stuck; +} + +/** + * Shuffle the pool a bit by mixing some value with a bijective function (XOR) + * into the pool. + * + * The function generates a mixer value that depends on the bits set and the + * location of the set bits in the random number generated by the entropy + * source. Therefore, based on the generated random number, this mixer value + * can have 2**64 different values. That mixer value is initialized with the + * first two SHA-1 constants. After obtaining the mixer value, it is XORed into + * the random number. + * + * The mixer value is not assumed to contain any entropy. But due to the XOR + * operation, it can also not destroy any entropy present in the entropy pool. + * + * Input: + * @entropy_collector Reference to entropy collector + */ +static void jent_stir_pool(struct rand_data *entropy_collector) +{ + /* + * to shut up GCC on 32 bit, we have to initialize the 64 variable + * with two 32 bit variables + */ + union c { + uint64_t uint64; + uint32_t uint32[2]; + }; + /* + * This constant is derived from the first two 32 bit initialization + * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1 + */ + union c constant; + /* + * The start value of the mixer variable is derived from the third + * and fourth 32 bit initialization vector of SHA-1 as defined in + * FIPS 180-4 section 5.3.1 + */ + union c mixer; + unsigned int i = 0; + + /* Ensure that the function implements a constant time operation. */ + union c throw_away; + + /* + * Store the SHA-1 constants in reverse order to make up the 64 bit + * value -- this applies to a little endian system, on a big endian + * system, it reverses as expected. But this really does not matter + * as we do not rely on the specific numbers. We just pick the SHA-1 + * constants as they have a good mix of bit set and unset. + */ + constant.uint32[1] = 0x67452301; + constant.uint32[0] = 0xefcdab89; + mixer.uint32[1] = 0x98badcfe; + mixer.uint32[0] = 0x10325476; + + for (i = 0; i < DATA_SIZE_BITS; i++) { + /* + * get the i-th bit of the input random number and only XOR + * the constant into the mixer value when that bit is set + */ + if ((entropy_collector->data >> i) & 1) + mixer.uint64 ^= constant.uint64; + else + throw_away.uint64 ^= constant.uint64; + mixer.uint64 = rol64(mixer.uint64, 1); + } + entropy_collector->data ^= mixer.uint64; +} + +/** + * Generator of one 64 bit random number + * Function fills rand_data->data + * + * Input: + * @ec Reference to entropy collector + */ +static void jent_gen_entropy(struct rand_data *ec) +{ + unsigned int k = 0; + + /* priming of the ->prev_time value */ + jent_measure_jitter(ec); + + while (1) { + /* If a stuck measurement is received, repeat measurement */ + if (jent_measure_jitter(ec)) + continue; + + /* + * We multiply the loop value with ->osr to obtain the + * oversampling rate requested by the caller + */ + if (++k >= (DATA_SIZE_BITS * ec->osr)) + break; + } + if (ec->stir) + jent_stir_pool(ec); +} + +/** + * The continuous test required by FIPS 140-2 -- the function automatically + * primes the test if needed. + * + * Return: + * 0 if FIPS test passed + * < 0 if FIPS test failed + */ +static int jent_fips_test(struct rand_data *ec) +{ + if (ec->fips_enabled == -1) + return 0; + + if (ec->fips_enabled == 0) { + if (!jent_fips_enabled()) { + ec->fips_enabled = -1; + return 0; + } else + ec->fips_enabled = 1; + } + + /* prime the FIPS test */ + if (!ec->old_data) { + ec->old_data = ec->data; + jent_gen_entropy(ec); + } + + if (ec->data == ec->old_data) + return -1; + + ec->old_data = ec->data; + + return 0; +} + +/** + * Entry function: Obtain entropy for the caller. + * + * This function invokes the entropy gathering logic as often to generate + * as many bytes as requested by the caller. The entropy gathering logic + * creates 64 bit per invocation. + * + * This function truncates the last 64 bit entropy value output to the exact + * size specified by the caller. + * + * Input: + * @ec Reference to entropy collector + * @data pointer to buffer for storing random data -- buffer must already + * exist + * @len size of the buffer, specifying also the requested number of random + * in bytes + * + * @return number of bytes returned when request is fulfilled or an error + * + * The following error codes can occur: + * -1 entropy_collector is NULL + * -2 FIPS test failed + */ +JENT_PRIVATE_STATIC +ssize_t jent_read_entropy(struct rand_data *ec, char *data, size_t len) +{ + char *p = data; + size_t orig_len = len; + + if (NULL == ec) + return -1; + + while (0 < len) { + size_t tocopy; + + jent_gen_entropy(ec); + if (jent_fips_test(ec)) + return -2; + + if ((DATA_SIZE_BITS / 8) < len) + tocopy = (DATA_SIZE_BITS / 8); + else + tocopy = len; + memcpy(p, &ec->data, tocopy); + + len -= tocopy; + p += tocopy; + } + + /* + * To be on the safe side, we generate one more round of entropy + * which we do not give out to the caller. That round shall ensure + * that in case the calling application crashes, memory dumps, pages + * out, or due to the CPU Jitter RNG lingering in memory for long + * time without being moved and an attacker cracks the application, + * all he reads in the entropy pool is a value that is NEVER EVER + * being used for anything. Thus, he does NOT see the previous value + * that was returned to the caller for cryptographic purposes. + */ + /* + * If we use secured memory, do not use that precaution as the secure + * memory protects the entropy pool. Moreover, note that using this + * call reduces the speed of the RNG by up to half + */ +#ifndef CONFIG_CRYPTO_CPU_JITTERENTROPY_SECURE_MEMORY + jent_gen_entropy(ec); +#endif + return orig_len; +} + +/*************************************************************************** + * Initialization logic + ***************************************************************************/ + +JENT_PRIVATE_STATIC +struct rand_data *jent_entropy_collector_alloc(unsigned int osr, + unsigned int flags) +{ + struct rand_data *entropy_collector; + + entropy_collector = jent_zalloc(sizeof(struct rand_data)); + if (NULL == entropy_collector) + return NULL; + + if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { + /* Allocate memory for adding variations based on memory + * access + */ + entropy_collector->mem = + (unsigned char *)jent_zalloc(JENT_MEMORY_SIZE); + if (NULL == entropy_collector->mem) { + jent_zfree(entropy_collector, sizeof(struct rand_data)); + return NULL; + } + entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE; + entropy_collector->memblocks = JENT_MEMORY_BLOCKS; + entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; + } + + /* verify and set the oversampling rate */ + if (0 == osr) + osr = 1; /* minimum sampling rate is 1 */ + entropy_collector->osr = osr; + + entropy_collector->stir = 1; + if (flags & JENT_DISABLE_STIR) + entropy_collector->stir = 0; + if (flags & JENT_DISABLE_UNBIAS) + entropy_collector->disable_unbias = 1; + + /* fill the data pad with non-zero values */ + jent_gen_entropy(entropy_collector); + + return entropy_collector; +} + +JENT_PRIVATE_STATIC +void jent_entropy_collector_free(struct rand_data *entropy_collector) +{ + if (NULL != entropy_collector) { + if (NULL != entropy_collector->mem) { + jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE); + entropy_collector->mem = NULL; + } + jent_zfree(entropy_collector, sizeof(struct rand_data)); + } +} + +JENT_PRIVATE_STATIC +int jent_entropy_init(void) +{ + int i; + uint64_t delta_sum = 0; + uint64_t old_delta = 0; + int time_backwards = 0; + int count_mod = 0; + int count_stuck = 0; + struct rand_data ec; + + /* We could perform statistical tests here, but the problem is + * that we only have a few loop counts to do testing. These + * loop counts may show some slight skew and we produce + * false positives. + * + * Moreover, only old systems show potentially problematic + * jitter entropy that could potentially be caught here. But + * the RNG is intended for hardware that is available or widely + * used, but not old systems that are long out of favor. Thus, + * no statistical tests. + */ + + /* + * We could add a check for system capabilities such as clock_getres or + * check for CONFIG_X86_TSC, but it does not make much sense as the + * following sanity checks verify that we have a high-resolution + * timer. + */ + /* + * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is + * definitely too little. + */ +#define TESTLOOPCOUNT 300 +#define CLEARCACHE 100 + for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) { + uint64_t time = 0; + uint64_t time2 = 0; + uint64_t delta = 0; + unsigned int lowdelta = 0; + int stuck; + + /* Invoke core entropy collection logic */ + jent_get_nstime(&time); + ec.prev_time = time; + jent_lfsr_time(&ec, time, 0); + jent_get_nstime(&time2); + + /* test whether timer works */ + if (!time || !time2) + return ENOTIME; + delta = time2 - time; + /* + * test whether timer is fine grained enough to provide + * delta even when called shortly after each other -- this + * implies that we also have a high resolution timer + */ + if (!delta) + return ECOARSETIME; + + stuck = jent_stuck(&ec, delta); + + /* + * up to here we did not modify any variable that will be + * evaluated later, but we already performed some work. Thus we + * already have had an impact on the caches, branch prediction, + * etc. with the goal to clear it to get the worst case + * measurements. + */ + if (CLEARCACHE > i) + continue; + + if (stuck) + count_stuck++; + + /* test whether we have an increasing timer */ + if (!(time2 > time)) + time_backwards++; + + /* use 32 bit value to ensure compilation on 32 bit arches */ + lowdelta = time2 - time; + if (!(lowdelta % 100)) + count_mod++; + + /* + * ensure that we have a varying delta timer which is necessary + * for the calculation of entropy -- perform this check + * only after the first loop is executed as we need to prime + * the old_data value + */ + if (delta > old_delta) + delta_sum += (delta - old_delta); + else + delta_sum += (old_delta - delta); + old_delta = delta; + } + + /* + * we allow up to three times the time running backwards. + * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus, + * if such an operation just happens to interfere with our test, it + * should not fail. The value of 3 should cover the NTP case being + * performed during our test run. + */ + if (3 < time_backwards) + return ENOMONOTONIC; + + /* + * Variations of deltas of time must on average be larger + * than 1 to ensure the entropy estimation + * implied with 1 is preserved + */ + if ((delta_sum) <= 1) + return EMINVARVAR; + + /* + * Ensure that we have variations in the time stamp below 10 for at least + * 10% of all checks -- on some platforms, the counter increments in + * multiples of 100, but not always + */ + if ((TESTLOOPCOUNT/10 * 9) < count_mod) + return ECOARSETIME; + + /* + * If we have more than 90% stuck results, then this Jitter RNG is + * likely to not work well. + */ + if (JENT_STUCK_INIT_THRES(TESTLOOPCOUNT) < count_stuck) + return ESTUCK; + + return 0; +} + +/*************************************************************************** + * Statistical test logic not compiled for regular operation + ***************************************************************************/ + +#ifdef CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT +/* + * Statistical test: return the time duration for the folding operation. If min + * is set, perform the given number of LFSR ops. Otherwise, allow the + * loop count shuffling to define the number of LFSR ops. + */ +JENT_PRIVATE_STATIC +uint64_t jent_lfsr_var_stat(struct rand_data *ec, unsigned int min) +{ + uint64_t time = 0; + uint64_t time2 = 0; + + jent_get_nstime(&time); + jent_memaccess(ec, min); + jent_lfsr_time(ec, time, min); + jent_get_nstime(&time2); + return ((time2 - time)); +} +#endif /* CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT */ diff --git a/random/jitterentropy.h b/random/jitterentropy.h new file mode 100644 index 0000000..3b7d14a --- /dev/null +++ b/random/jitterentropy.h @@ -0,0 +1,148 @@ +/* + * Non-physical true random number generator based on timing jitter. + * + * Copyright Stephan Mueller , 2014 + * + * License + * ======= + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU General Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF + * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + */ + +#ifndef _JITTERENTROPY_H +#define _JITTERENTROPY_H + +#ifdef __KERNEL__ +#include "jitterentropy-base-kernel.h" +#else +#include "jitterentropy-base-user.h" +#endif /* __KERNEL__ */ + +/* The entropy pool */ +struct rand_data +{ + /* all data values that are vital to maintain the security + * of the RNG are marked as SENSITIVE. A user must not + * access that information while the RNG executes its loops to + * calculate the next random value. */ + uint64_t data; /* SENSITIVE Actual random number */ + uint64_t old_data; /* SENSITIVE Previous random number */ + uint64_t prev_time; /* SENSITIVE Previous time stamp */ +#define DATA_SIZE_BITS ((sizeof(uint64_t)) * 8) + uint64_t last_delta; /* SENSITIVE stuck test */ + int64_t last_delta2; /* SENSITIVE stuck test */ + unsigned int osr; /* Oversample rate */ + int fips_enabled; /* FIPS enabled? */ + unsigned int stir:1; /* Post-processing stirring */ + unsigned int disable_unbias:1; /* Deactivate Von-Neuman unbias */ +#define JENT_MEMORY_BLOCKS 64 +#define JENT_MEMORY_BLOCKSIZE 32 +#define JENT_MEMORY_ACCESSLOOPS 128 +#define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE) + unsigned char *mem; /* Memory access location with size of + * memblocks * memblocksize */ + unsigned int memlocation; /* Pointer to byte in *mem */ + unsigned int memblocks; /* Number of memory blocks in *mem */ + unsigned int memblocksize; /* Size of one memory block in bytes */ + unsigned int memaccessloops; /* Number of memory accesses per random + * bit generation */ +}; + +/* Flags that can be used to initialize the RNG */ +#define JENT_DISABLE_STIR (1<<0) /* Disable stirring the entropy pool */ +#define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */ +#define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more + entropy, saves MEMORY_SIZE RAM for + entropy collector */ + +/* -- BEGIN Main interface functions -- */ + +#ifndef JENT_STUCK_INIT_THRES +/* + * Per default, not more than 90% of all measurements during initialization + * are allowed to be stuck. + * + * It is allowed to change this value as required for the intended environment. + */ +#define JENT_STUCK_INIT_THRES(x) (x/10 * 9) +#endif + +#ifdef JENT_PRIVATE_COMPILE +# define JENT_PRIVATE_STATIC static +#else /* JENT_PRIVATE_COMPILE */ +# define JENT_PRIVATE_STATIC +#endif + +/* Number of low bits of the time value that we want to consider */ +/* get raw entropy */ +JENT_PRIVATE_STATIC +ssize_t jent_read_entropy(struct rand_data *ec, char *data, size_t len); +/* initialize an instance of the entropy collector */ +JENT_PRIVATE_STATIC +struct rand_data *jent_entropy_collector_alloc(unsigned int osr, + unsigned int flags); +/* clearing of entropy collector */ +JENT_PRIVATE_STATIC +void jent_entropy_collector_free(struct rand_data *entropy_collector); + +/* initialization of entropy collector */ +JENT_PRIVATE_STATIC +int jent_entropy_init(void); + +/* return version number of core library */ +JENT_PRIVATE_STATIC +unsigned int jent_version(void); + +/* -- END of Main interface functions -- */ + +/* -- BEGIN error codes for init function -- */ +#define ENOTIME 1 /* Timer service not available */ +#define ECOARSETIME 2 /* Timer too coarse for RNG */ +#define ENOMONOTONIC 3 /* Timer is not monotonic increasing */ +#define EMINVARIATION 4 /* Timer variations too small for RNG */ +#define EVARVAR 5 /* Timer does not produce variations of variations + (2nd derivation of time is zero) */ +#define EMINVARVAR 6 /* Timer variations of variations is too small */ +#define EPROGERR 7 /* Programming error */ +#define ESTUCK 8 /* Too many stuck results during init. */ + +/* -- BEGIN statistical test functions only complied with CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT -- */ + +#ifdef CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT +JENT_PRIVATE_STATIC +uint64_t jent_lfsr_var_stat(struct rand_data *ec, unsigned int min); +#endif /* CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT */ + +/* -- END of statistical test function -- */ + +#endif /* _JITTERENTROPY_H */ diff --git a/random/rand-internal.h b/random/rand-internal.h index 8c8623e..2bc05f4 100644 --- a/random/rand-internal.h +++ b/random/rand-internal.h @@ -35,9 +35,12 @@ enum random_origins random request. */ }; +#define RANDOM_CONF_DISABLE_JENT 1 +#define RANDOM_CONF_ONLY_URANDOM 2 /*-- random.c --*/ +unsigned int _gcry_random_read_conf (void); void _gcry_random_progress (const char *what, int printchar, int current, int total); @@ -98,7 +101,7 @@ int _gcry_rndunix_gather_random (void (*add) (const void *, size_t, enum random_origins origin, size_t length, int level); -/*-- rndelg.c --*/ +/*-- rndegd.c --*/ int _gcry_rndegd_gather_random (void (*add) (const void *, size_t, enum random_origins), enum random_origins origin, @@ -123,6 +126,13 @@ void _gcry_rndw32ce_gather_random_fast (void (*add)(const void*, size_t, enum random_origins), enum random_origins origin ); +/*-- rndjent.c --*/ +size_t _gcry_rndjent_poll (void (*add)(const void*, + size_t, enum random_origins), + enum random_origins origin, + size_t length); +void _gcry_rndjent_dump_stats (void); + /*-- rndhw.c --*/ int _gcry_rndhw_failed_p (void); void _gcry_rndhw_poll_fast (void (*add)(const void*, size_t, diff --git a/random/random-csprng.c b/random/random-csprng.c index 5a771c2..8cb35e7 100644 --- a/random/random-csprng.c +++ b/random/random-csprng.c @@ -115,7 +115,7 @@ static size_t pool_writepos; static size_t pool_readpos; /* This flag is set to true as soon as the pool has been completely - filled the first time. This may happen either by rereading a seed + filled the first time. This may happen either by reading a seed file or by adding enough entropy. */ static int pool_filled; @@ -717,12 +717,12 @@ lock_seed_file (int fd, const char *fname, int for_write) out the same pool and then race for updating it (the last update overwrites earlier updates). They will differentiate only by the weak entropy that is added in read_seed_file based on the PID and - clock, and up to 16 bytes of weak random non-blockingly. The + clock, and up to 32 bytes from a non-blocking entropy source. The consequence is that the output of these different instances is correlated to some extent. In the perfect scenario, the attacker can control (or at least guess) the PID and clock of the application, and drain the system's entropy pool to reduce the "up - to 16 bytes" above to 0. Then the dependencies of the initial + to 32 bytes" above to 0. Then the dependencies of the initial states of the pools are completely known. */ static int read_seed_file (void) @@ -814,12 +814,16 @@ read_seed_file (void) add_randomness( &x, sizeof(x), RANDOM_ORIGIN_INIT ); } - /* And read a few bytes from our entropy source. By using a level - * of 0 this will not block and might not return anything with some - * entropy drivers, however the rndlinux driver will use - * /dev/urandom and return some stuff - Do not read too much as we - * want to be friendly to the scare system entropy resource. */ - read_random_source ( RANDOM_ORIGIN_INIT, 16, GCRY_WEAK_RANDOM ); + /* And read a few bytes from our entropy source. If we have the + * Jitter RNG we can fast get a lot of entropy. Thus we read 1024 + * bits from that source. + * + * Without the Jitter RNG we keep the old method of reading only a + * few bytes usually from /dev/urandom which won't block. */ + if (_gcry_rndjent_get_version (NULL)) + read_random_source (RANDOM_ORIGIN_INIT, 128, GCRY_STRONG_RANDOM); + else + read_random_source (RANDOM_ORIGIN_INIT, 32, GCRY_STRONG_RANDOM); allow_seed_file_update = 1; return 1; diff --git a/random/random-drbg.c b/random/random-drbg.c index e2fe861..7f66997 100644 --- a/random/random-drbg.c +++ b/random/random-drbg.c @@ -155,7 +155,7 @@ #include "g10lib.h" #include "random.h" #include "rand-internal.h" -#include "../cipher/bithelp.h" +#include "../cipher/bufhelp.h" @@ -546,27 +546,6 @@ drbg_sec_strength (u32 flags) return 32; } -/* - * Convert an integer into a byte representation of this integer. - * The byte representation is big-endian - * - * @val value to be converted - * @buf buffer holding the converted integer -- caller must ensure that - * buffer size is at least 32 bit - */ -static inline void -drbg_cpu_to_be32 (u32 val, unsigned char *buf) -{ - /* FIXME: This may raise a bus error. */ - struct s - { - u32 conv; - }; - struct s *conversion = (struct s *) buf; - - conversion->conv = be_bswap32 (val); -} - static void drbg_add_buf (unsigned char *dst, size_t dstlen, unsigned char *add, size_t addlen) @@ -802,10 +781,10 @@ drbg_ctr_df (drbg_state_t drbg, unsigned char *df_data, /* 10.4.2 step 2 -- calculate the entire length of all input data */ for (; NULL != tempstr; tempstr = tempstr->next) inputlen += tempstr->len; - drbg_cpu_to_be32 (inputlen, &L_N[0]); + buf_put_be32 (&L_N[0], inputlen); /* 10.4.2 step 3 */ - drbg_cpu_to_be32 (bytes_to_return, &L_N[4]); + buf_put_be32 (&L_N[4], bytes_to_return); /* 10.4.2 step 5: length is size of L_N, input_string, one byte, padding */ padlen = (inputlen + sizeof (L_N) + 1) % (drbg_blocklen (drbg)); @@ -838,7 +817,7 @@ drbg_ctr_df (drbg_state_t drbg, unsigned char *df_data, /* 10.4.2 step 9.1 - the padding is implicit as the buffer * holds zeros after allocation -- even the increment of i * is irrelevant as the increment remains within length of i */ - drbg_cpu_to_be32 (i, iv); + buf_put_be32 (iv, i); /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ ret = drbg_ctr_bcc (drbg, temp + templen, K, &S1); if (ret) @@ -1137,7 +1116,7 @@ drbg_hash_df (drbg_state_t drbg, /* 10.4.1 step 3 */ input[0] = 1; - drbg_cpu_to_be32 ((outlen * 8), &input[1]); + buf_put_be32 (&input[1], (outlen * 8)); /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ drbg_string_fill (&data1, input, 5); @@ -2454,7 +2433,7 @@ drbg_healthcheck_sanity (struct gcry_drbg_test_vector *test) goto outbuf; max_addtllen = drbg_max_addtl (); max_request_bytes = drbg_max_request_bytes (); - /* overflow addtllen with additonal info string */ + /* overflow addtllen with additional info string */ drbg_string_fill (&addtl, test->addtla, (max_addtllen + 1)); len = drbg_generate (drbg, buf, test->expectedlen, &addtl); if (len) diff --git a/random/random.c b/random/random.c index ff9be16..9aab789 100644 --- a/random/random.c +++ b/random/random.c @@ -29,12 +29,19 @@ #include #include #include +#ifdef HAVE_SYSLOG +# include +#endif /*HAVE_SYSLOG*/ +#include #include "g10lib.h" #include "random.h" #include "rand-internal.h" #include "cipher.h" /* For _gcry_sha1_hash_buffer(). */ +/* The name of a file used to globally configure the RNG. */ +#define RANDOM_CONF_FILE "/etc/gcrypt/random.conf" + /* If not NULL a progress function called from certain places and the opaque value passed along. Registered by @@ -81,6 +88,75 @@ _gcry_random_progress (const char *what, int printchar, int current, int total) } +/* Read a file with configure options. The file is a simple text file + * where empty lines and lines with the first non white-space + * character being '#' are ignored. Supported configure options are: + * + * disable-jent - Disable the jitter based extra entropy generator. + * This sets the RANDOM_CONF_DISABLE_JENT bit. + * only-urandom - Always use /dev/urandom instead of /dev/random. + * This sets the RANDOM_CONF_ONLY_URANDOM bit. + * + * The function returns a bit vector with flags read from the file. + */ +unsigned int +_gcry_random_read_conf (void) +{ + const char *fname = RANDOM_CONF_FILE; + FILE *fp; + char buffer[256]; + char *p, *pend; + int lnr = 0; + unsigned int result = 0; + + fp = fopen (fname, "r"); + if (!fp) + return result; + + for (;;) + { + if (!fgets (buffer, sizeof buffer, fp)) + { + if (!feof (fp)) + { +#ifdef HAVE_SYSLOG + syslog (LOG_USER|LOG_WARNING, + "Libgcrypt warning: error reading '%s', line %d", + fname, lnr); +#endif /*HAVE_SYSLOG*/ + } + fclose (fp); + return result; + } + lnr++; + for (p=buffer; my_isascii (*p) && isspace (*p); p++) + ; + pend = strchr (p, '\n'); + if (pend) + *pend = 0; + pend = p + (*p? (strlen (p)-1):0); + for ( ;pend > p; pend--) + if (my_isascii (*pend) && isspace (*pend)) + *pend = 0; + if (!*p || *p == '#') + continue; + + if (!strcmp (p, "disable-jent")) + result |= RANDOM_CONF_DISABLE_JENT; + else if (!strcmp (p, "only-urandom")) + result |= RANDOM_CONF_ONLY_URANDOM; + else + { +#ifdef HAVE_SYSLOG + syslog (LOG_USER|LOG_WARNING, + "Libgcrypt warning: unknown option in '%s', line %d", + fname, lnr); +#endif /*HAVE_SYSLOG*/ + } + } +} + + /* Set the preferred RNG type. This may be called at any time even before gcry_check_version. Thus we can't assume any thread system initialization. A type of 0 is used to indicate that any Libgcrypt @@ -202,6 +278,7 @@ _gcry_random_dump_stats (void) _gcry_rngdrbg_dump_stats (); else _gcry_rngcsprng_dump_stats (); + _gcry_rndjent_dump_stats (); } diff --git a/random/random.h b/random/random.h index 30e6fdf..af99346 100644 --- a/random/random.h +++ b/random/random.h @@ -65,6 +65,10 @@ gpg_err_code_t _gcry_rngdrbg_healthcheck_one (struct gcry_drbg_test_vector *t); /*-- rndegd.c --*/ gpg_error_t _gcry_rndegd_set_socket_name (const char *name); +/*-- rndjent.c --*/ +unsigned int _gcry_rndjent_get_version (int *r_active); + + /*-- random-daemon.c (only used from random.c) --*/ #ifdef USE_RANDOM_DAEMON void _gcry_daemon_initialize_basics (void); diff --git a/random/rndhw.c b/random/rndhw.c index 8e50751..2829382 100644 --- a/random/rndhw.c +++ b/random/rndhw.c @@ -61,7 +61,7 @@ poll_padlock (void (*add)(const void*, size_t, enum random_origins), /* Peter Gutmann's cryptlib tests again whether the RNG is enabled but we don't do so. We would have to do this also for our AES - implementaion and that is definitely too time consuming. There + implementation and that is definitely too time consuming. There would be a race condition anyway. Thus we assume that the OS does not change the Padlock initialization while a user process is running. */ @@ -76,7 +76,7 @@ poll_padlock (void (*add)(const void*, size_t, enum random_origins), ".byte 0x0f, 0xa7, 0xc0\n\t" /* XSTORE RNG. */ : "=a" (status) : "g" (p) - : "%rdx", "%rdi", "cc" + : "%rdx", "%rdi", "cc", "memory" ); #else asm volatile @@ -85,7 +85,7 @@ poll_padlock (void (*add)(const void*, size_t, enum random_origins), ".byte 0x0f, 0xa7, 0xc0\n\t" /* XSTORE RNG. */ : "=a" (status) : "g" (p) - : "%edx", "%edi", "cc" + : "%edx", "%edi", "cc", "memory" ); #endif if ((status & (1<<6)) /* RNG still enabled. */ @@ -129,7 +129,7 @@ poll_padlock (void (*add)(const void*, size_t, enum random_origins), # define RDRAND_LONG RDRAND_INT # endif static inline int -rdrand_long (unsigned long *v) +rdrand_long (volatile unsigned long *v) { int ok; asm volatile ("1: " RDRAND_LONG "\n\t" @@ -139,13 +139,13 @@ rdrand_long (unsigned long *v) "2:" : "=r" (ok), "=a" (*v) : "0" (RDRAND_RETRY_LOOPS) - : "cc"); + : "cc", "memory"); return ok; } static inline int -rdrand_nlong (unsigned long *v, int count) +rdrand_nlong (volatile unsigned long *v, int count) { while (count--) if (!rdrand_long(v++)) @@ -157,12 +157,12 @@ rdrand_nlong (unsigned long *v, int count) static size_t poll_drng (add_fn_t add, enum random_origins origin, int fast) { - volatile char buffer[64] __attribute__ ((aligned (8))); + volatile unsigned long buffer[8] __attribute__ ((aligned (8))); unsigned int nbytes = sizeof (buffer); (void)fast; - if (!rdrand_nlong ((unsigned long *)buffer, sizeof(buffer)/sizeof(long))) + if (!rdrand_nlong (buffer, DIM(buffer))) return 0; (*add)((void *)buffer, nbytes, origin); return nbytes; diff --git a/random/rndjent.c b/random/rndjent.c new file mode 100644 index 0000000..6e56c8a --- /dev/null +++ b/random/rndjent.c @@ -0,0 +1,369 @@ +/* rndjent.c - Driver for the jitterentropy module. + * Copyright (C) 2017 g10 Code GmbH + * Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik + * Copyright (C) 2013 Stephan Mueller + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU General Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF + * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + */ + +#include +#include +#include +#include +#ifdef HAVE_STDINT_H +# include +#endif + +#include "types.h" +#include "g10lib.h" +#include "../cipher/bithelp.h" +#include "rand-internal.h" + +/* + * Decide whether we can support jent at compile time. + */ +#undef USE_JENT +#define JENT_USES_RDTSC 1 +#define JENT_USES_GETTIME 2 +#define JENT_USES_READ_REAL_TIME 3 +#ifdef ENABLE_JENT_SUPPORT +# if defined (__i386__) || defined(__x86_64__) +# define USE_JENT JENT_USES_RDTSC +# elif defined (HAVE_CLOCK_GETTIME) +# if _AIX +# define USE_JENT JENT_USES_READ_REAL_TIME +# else +# define USE_JENT JENT_USES_GETTIME +# endif +# endif +#endif /*ENABLE_JENT_SUPPORT*/ + + +#ifdef USE_JENT + +#undef CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT +/* Uncomment the next line to build with statistics. */ +/* #define CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT 1 */ + + +/* Note that we source include the actual jitter entropy code. + * Platform dependent code is indirectly included from our own + * jitterentropy-user-base.h file. */ + +/* Tell jitterentropy* that all functions shall be static. */ +#define JENT_PRIVATE_COMPILE 1 + +#include "jitterentropy-base.c" + + +/* This is the lock we use to serialize access to this RNG. The extra + * integer variable is only used to check the locking state; that is, + * it is not meant to be thread-safe but merely as a failsafe feature + * to assert proper locking. */ +GPGRT_LOCK_DEFINE (jent_rng_lock); +static int jent_rng_is_locked; + +/* This flag tracks whether the RNG has been initialized - either + * with error or with success. Protected by JENT_RNG_LOCK. */ +static int jent_rng_is_initialized; + +/* Our collector. The RNG is in a working state if its value is not + * NULL. Protected by JENT_RNG_LOCK. */ +struct rand_data *jent_rng_collector; + +/* The number of times the core entropy function has been called and + * the number of random bytes retrieved. */ +static unsigned long jent_rng_totalcalls; +static unsigned long jent_rng_totalbytes; + + + +/* JENT statistic helper code. */ +#ifdef CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT + +static void +jent_init_statistic (struct rand_data *rand_data) +{ + /* int i; */ + /* struct entropy_stat *stat = &rand_data->entropy_stat; */ + + /* for (i = 0; i < 64; i++) */ + /* { */ + /* stat->bitslot[i] = 0; */ + /* stat->bitvar[i] = 0; */ + /* } */ + + /* jent_get_nstime (&stat->collection_begin); */ +} + +static void +jent_bit_count (struct rand_data *rand_data, u64 prev_data) +{ + /* int i; */ + + /* if (!rand_data->entropy_stat.enable_bit_test) */ + /* return; */ + + /* for (i = 0; i < 64; i++) */ + /* { */ + /* /\* collect the count of set bits per bit position in the */ + /* * current ->data field *\/ */ + /* rand_data->entropy_stat.bitslot[i] += (rand_data->data & 1<data & 1<entropy_stat.bitvar[i] += 1; */ + /* } */ +} + + +static void +jent_statistic_copy_stat (struct entropy_stat *src, struct entropy_stat *dst) +{ + /* /\* not copying bitslot and bitvar as they are not needed for */ + /* * statistic printout *\/ */ + /* dst->collection_begin = src->collection_begin; */ + /* dst->collection_end = src->collection_end; */ + /* dst->old_delta = src->old_delta; */ + /* dst->setbits = src->setbits; */ + /* dst->varbits = src->varbits; */ + /* dst->obsbits = src->obsbits; */ + /* dst->collection_loop_cnt= src->collection_loop_cnt; */ +} + + +/* + * Assessment of statistical behavior of the generated output and returning + * the information to the caller by filling the target value. + * + * Details about the bit statistics are given in chapter 4 of the doc. + * Chapter 5 documents the timer analysis and the resulting entropy. + */ +static void +jent_calc_statistic (struct rand_data *rand_data, + struct entropy_stat *target, unsigned int loop_cnt) +{ + /* int i; */ + /* struct entropy_stat *stat = &rand_data->entropy_stat; */ + + /* jent_get_nstime(&stat->collection_end); */ + + /* stat->collection_loop_cnt = loop_cnt; */ + + /* stat->setbits = 0; */ + /* stat->varbits = 0; */ + /* stat->obsbits = 0; */ + + /* for (i = 0; i < DATA_SIZE_BITS; i++) */ + /* { */ + /* stat->setbits += stat->bitslot[i]; */ + /* stat->varbits += stat->bitvar[i]; */ + + /* /\* This is the sum of set bits in the current observation */ + /* * of the random data. *\/ */ + /* stat->obsbits += (rand_data->data & 1<old_delta = (stat->collection_end - stat->collection_begin); */ +} + +#endif /*CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT*/ + + +/* Acquire the jent_rng_lock. */ +static void +lock_rng (void) +{ + gpg_err_code_t rc; + + rc = gpgrt_lock_lock (&jent_rng_lock); + if (rc) + log_fatal ("failed to acquire the Jent RNG lock: %s\n", + gpg_strerror (rc)); + jent_rng_is_locked = 1; +} + + +/* Release the jent_rng_lock. */ +static void +unlock_rng (void) +{ + gpg_err_code_t rc; + + jent_rng_is_locked = 0; + rc = gpgrt_lock_unlock (&jent_rng_lock); + if (rc) + log_fatal ("failed to release the Jent RNG lock: %s\n", + gpg_strerror (rc)); +} + + +/* Return true if the JENT RNG code can be run. It may not yet been + * initialized, though. */ +static int +is_rng_available (void) +{ +#if USE_JENT == JENT_USES_RDTSC + return !!(_gcry_get_hw_features () & HWF_INTEL_RDTSC); +#elif USE_JENT == JENT_USES_GETTIME + return 2; +#elif USE_JENT == JENT_USES_READ_REAL_TIME + return 3; +#else /* Ooops */ + return 0; +#endif +} + +#endif /* USE_JENT */ + + +/* + * The API used by the high level code. + */ + +/* Read up to LENGTH bytes from a jitter RNG and return the number of + * bytes actually read. */ +size_t +_gcry_rndjent_poll (void (*add)(const void*, size_t, enum random_origins), + enum random_origins origin, size_t length) +{ + size_t nbytes = 0; + +#ifdef USE_JENT + if ( is_rng_available () ) + { + lock_rng (); + + if (!jent_rng_is_initialized) + { + /* Auto-initialize. */ + jent_rng_is_initialized = 1; + jent_entropy_collector_free (jent_rng_collector); + jent_rng_collector = NULL; + if ( !(_gcry_random_read_conf () & RANDOM_CONF_DISABLE_JENT)) + { + if (!jent_entropy_init ()) + jent_rng_collector = jent_entropy_collector_alloc (1, 0); + } + } + + if (jent_rng_collector && add) + { + /* We have a working JENT and it has not been disabled. */ + char buffer[32]; + + while (length) + { + int rc; + size_t n = length < sizeof(buffer)? length : sizeof (buffer); + + jent_rng_totalcalls++; + rc = jent_read_entropy (jent_rng_collector, buffer, n); + if (rc < 0) + break; + /* We need to hash the output to conform to the BSI + * NTG.1 specs. */ + _gcry_md_hash_buffer (GCRY_MD_SHA256, buffer, buffer, rc); + n = rc < 32? rc : 32; + (*add) (buffer, n, origin); + length -= n; + nbytes += n; + jent_rng_totalbytes += n; + } + wipememory (buffer, sizeof buffer); + } + + unlock_rng (); + } + +#else + + (void)add; + (void)origin; + +#endif + + return nbytes; +} + + +/* Return the version number of the JENT RNG. If the RNG is not + * initialized or usable 0 is returned. If R_ACTIVE is not NULL the + * jitter RNG will be initialized and true is stored at R_ACTIVE if + * the initialization succeeded. */ +unsigned int +_gcry_rndjent_get_version (int *r_active) +{ + if (r_active) + *r_active = 0; +#ifdef USE_JENT + if ( is_rng_available () ) + { + if (r_active) + { + /* Make sure the RNG is initialized. */ + _gcry_rndjent_poll (NULL, 0, 0); + /* To ease debugging we store 2 for a clock_gettime based + * implementation and 1 for a rdtsc based code. */ + *r_active = jent_rng_collector? is_rng_available () : 0; + } + return jent_version (); + } + else + return 0; +#else + return 0; +#endif +} + + +/* Log statistical informantion about the use of this module. */ +void +_gcry_rndjent_dump_stats (void) +{ + /* In theory we would need to lock the stats here. However this + * function is usually called during cleanup and then we _might_ run + * into problems. */ + +#ifdef USE_JENT + if ( is_rng_available () ) + { + log_info ("rndjent stat: collector=%p calls=%lu bytes=%lu\n", + jent_rng_collector, jent_rng_totalcalls, jent_rng_totalbytes); + + } +#endif /*USE_JENT*/ +} diff --git a/random/rndlinux.c b/random/rndlinux.c index 4ef3d39..1bb7c76 100644 --- a/random/rndlinux.c +++ b/random/rndlinux.c @@ -115,6 +115,7 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, { static int fd_urandom = -1; static int fd_random = -1; + static int only_urandom = -1; static unsigned char ever_opened; int fd; int n; @@ -125,6 +126,17 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, int any_need_entropy = 0; int delay; + /* On the first call read the conf file to check whether we want to + * use only urandom. */ + if (only_urandom == -1) + { + if ((_gcry_random_read_conf () & RANDOM_CONF_ONLY_URANDOM)) + only_urandom = 1; + else + only_urandom = 0; + } + + if (!add) { /* Special mode to close the descriptors. */ @@ -158,6 +170,19 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, if (length > 1) length -= n_hw; + /* When using a blocking random generator try to get some entropy + * from the jitter based RNG. In this case we take up to 50% of the + * remaining requested bytes. */ + if (level >= GCRY_VERY_STRONG_RANDOM) + { + n_hw = _gcry_rndjent_poll (add, origin, length/2); + if (n_hw > length/2) + n_hw = length/2; + if (length > 1) + length -= n_hw; + } + + /* Open the requested device. The first time a device is to be opened we fail with a fatal error if the device does not exists. In case the device has ever been closed, further open requests @@ -165,7 +190,7 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, that we always require the device to be existent but want a more graceful behaviour if the rarely needed close operation has been used and the device needs to be re-opened later. */ - if (level >= 2) + if (level >= GCRY_VERY_STRONG_RANDOM && !only_urandom) { if (fd_random == -1) { @@ -215,8 +240,10 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, nbytes = length < sizeof(buffer)? length : sizeof(buffer); if (nbytes > 256) nbytes = 256; + _gcry_pre_syscall (); ret = syscall (__NR_getrandom, (void*)buffer, (size_t)nbytes, (unsigned int)0); + _gcry_post_syscall (); } while (ret == -1 && errno == EINTR); if (ret == -1 && errno == ENOSYS) @@ -262,7 +289,10 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, FD_SET(fd, &rfds); tv.tv_sec = delay; tv.tv_usec = delay? 0 : 100000; - if ( !(rc=select(fd+1, &rfds, NULL, NULL, &tv)) ) + _gcry_pre_syscall (); + rc = select (fd+1, &rfds, NULL, NULL, &tv); + _gcry_post_syscall (); + if (!rc) { any_need_entropy = 1; delay = 3; /* Use 3 seconds henceforth. */ @@ -278,7 +308,6 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, } } - /* Read from the device. */ do { size_t nbytes; diff --git a/random/rndunix.c b/random/rndunix.c index e7238f4..fcb45b7 100644 --- a/random/rndunix.c +++ b/random/rndunix.c @@ -319,7 +319,7 @@ static struct RI { { "/usr/bin/lpstat", "-t", SC(0.1), NULL, 0, 0, 0, 1 }, { "/usr/ucb/lpstat", "-t", SC(0.1), NULL, 0, 0, 0, 0 }, { "/usr/bin/tcpdump", "-c 5 -efvvx", SC(1), NULL, 0, 0, 0, 0 }, - /* This is very environment-dependant. If network traffic is low, it'll + /* This is very environment-dependent. If network traffic is low, it'll * probably time out before delivering 5 packets, which is OK because * it'll probably be fixed stuff like ARP anyway */ { "/usr/sbin/advfsstat", "-b usr_domain", diff --git a/random/rndw32.c b/random/rndw32.c index de6e783..7e9ac50 100644 --- a/random/rndw32.c +++ b/random/rndw32.c @@ -184,7 +184,7 @@ typedef struct double ssHigh; /* Highest readout */ long ssCount; /* Total number of readout */ char sspadding2[4]; /* Padding of 4 bytes */ - long double ssTotal; /* Total amout of all readouts */ + long double ssTotal; /* Total amount of all readouts */ char sspadding3[6]; /* Padding of 6 bytes */ double ssAlarm1; /* Temp & fan: high alarm; voltage: % off */ double ssAlarm2; /* Temp: low alarm */ @@ -221,7 +221,7 @@ typedef struct -/* One time intialized handles and function pointers. We use dynamic +/* One time initialized handles and function pointers. We use dynamic loading of the DLLs to do without them in case libgcrypt does not need any random. */ static HANDLE hNetAPI32; @@ -245,12 +245,13 @@ static RTLGENRANDOM pRtlGenRandom; static int system_rng_available; /* Whether a system RNG is available. */ static HCRYPTPROV hRNGProv; /* Handle to Intel RNG CSP. */ -static int debug_me; /* Debug flag. */ +/* The debug flag. Debugging is enabled if the value of the envvar + * GCRY_RNDW32_DBG is a positive number.*/ +static int debug_me; static int system_is_w2000; /* True if running on W2000. */ - /* Try and connect to the system RNG if there's one present. */ static void @@ -583,8 +584,8 @@ slow_gatherer ( void (*add)(const void*, size_t, enum random_origins), if (hNetAPI32 && !pNetStatisticsGet (NULL, - is_workstation ? L"LanmanWorkstation" : - L"LanmanServer", 0, 0, &lpBuffer)) + (LPWSTR)(is_workstation ? L"LanmanWorkstation" : + L"LanmanServer"), 0, 0, &lpBuffer)) { if ( debug_me ) log_debug ("rndw32#slow_gatherer: get netstats\n" ); @@ -775,6 +776,7 @@ _gcry_rndw32_gather_random (void (*add)(const void*, size_t, size_t length, int level ) { static int is_initialized; + size_t n; if (!level) return 0; @@ -787,11 +789,16 @@ _gcry_rndw32_gather_random (void (*add)(const void*, size_t, if (!is_initialized) { OSVERSIONINFO osvi = { sizeof( osvi ) }; + const char *s; + + if ((s = getenv ("GCRYPT_RNDW32_DBG")) && atoi (s) > 0) + debug_me = 1; GetVersionEx( &osvi ); if (osvi.dwPlatformId != VER_PLATFORM_WIN32_NT) log_fatal ("can only run on a Windows NT platform\n" ); system_is_w2000 = (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0); + init_system_rng (); is_initialized = 1; } @@ -802,6 +809,13 @@ _gcry_rndw32_gather_random (void (*add)(const void*, size_t, slow_gatherer (add, origin); + /* Round requested LENGTH up to full 32 bytes. */ + n = _gcry_rndjent_poll (add, origin, ((length + 31) / 32) * 32); + + if (debug_me) + log_debug ("rndw32#gather_random: jent contributed extra %u bytes\n", + (unsigned int)n); + return 0; } diff --git a/src/cipher.h b/src/cipher.h index c4b306a..f2acb55 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -121,6 +121,23 @@ void _gcry_sha1_hash_buffer (void *outbuf, void _gcry_sha1_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt); +/*-- sha256.c --*/ +void _gcry_sha256_hash_buffer (void *outbuf, + const void *buffer, size_t length); +void _gcry_sha256_hash_buffers (void *outbuf, + const gcry_buffer_t *iov, int iovcnt); + +/*-- sha512.c --*/ +void _gcry_sha512_hash_buffer (void *outbuf, + const void *buffer, size_t length); +void _gcry_sha512_hash_buffers (void *outbuf, + const gcry_buffer_t *iov, int iovcnt); + +/*-- blake2.c --*/ +gcry_err_code_t _gcry_blake2_init_with_key(void *ctx, unsigned int flags, + const unsigned char *key, + size_t keylen, int algo); + /*-- rijndael.c --*/ void _gcry_aes_cfb_enc (void *context, unsigned char *iv, void *outbuf, const void *inbuf, @@ -301,6 +318,14 @@ extern gcry_md_spec_t _gcry_digest_spec_tiger; extern gcry_md_spec_t _gcry_digest_spec_tiger1; extern gcry_md_spec_t _gcry_digest_spec_tiger2; extern gcry_md_spec_t _gcry_digest_spec_whirlpool; +extern gcry_md_spec_t _gcry_digest_spec_blake2b_512; +extern gcry_md_spec_t _gcry_digest_spec_blake2b_384; +extern gcry_md_spec_t _gcry_digest_spec_blake2b_256; +extern gcry_md_spec_t _gcry_digest_spec_blake2b_160; +extern gcry_md_spec_t _gcry_digest_spec_blake2s_256; +extern gcry_md_spec_t _gcry_digest_spec_blake2s_224; +extern gcry_md_spec_t _gcry_digest_spec_blake2s_160; +extern gcry_md_spec_t _gcry_digest_spec_blake2s_128; /* Declarations for the pubkey cipher specifications. */ extern gcry_pk_spec_t _gcry_pubkey_spec_rsa; diff --git a/src/dumpsexp.c b/src/dumpsexp.c index f6384d7..5aeb77d 100644 --- a/src/dumpsexp.c +++ b/src/dumpsexp.c @@ -546,6 +546,7 @@ parse_and_print (FILE *fp) state = IN_DATA; printctl ("begindata"); init_data (); + /* fall through */ case IN_DATA: if (datalen) { diff --git a/src/g10lib.h b/src/g10lib.h index 376b0bf..961b515 100644 --- a/src/g10lib.h +++ b/src/g10lib.h @@ -75,6 +75,14 @@ #define GCC_ATTR_UNUSED #endif +#if __GNUC__ >= 3 +#define LIKELY( expr ) __builtin_expect( !!(expr), 1 ) +#define UNLIKELY( expr ) __builtin_expect( !!(expr), 0 ) +#else +#define LIKELY( expr ) (!!(expr)) +#define UNLIKELY( expr ) (!!(expr)) +#endif + /* Gettext macros. */ #define _(a) _gcry_gettext(a) @@ -88,14 +96,21 @@ #define DIM(v) (sizeof(v)/sizeof((v)[0])) #define DIMof(type,member) DIM(((type *)0)->member) +#define my_isascii(c) (!((c) & 0x80)) + + /*-- src/global.c -*/ int _gcry_global_is_operational (void); gcry_err_code_t _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr); -void _gcry_check_heap (const void *a); +void _gcry_check_heap (const void *a); +void _gcry_pre_syscall (void); +void _gcry_post_syscall (void); int _gcry_get_debug_flag (unsigned int mask); +char *_gcry_get_config (int mode, const char *what); + /* Malloc functions and common wrapper macros. */ void *_gcry_malloc (size_t n) _GCRY_GCC_ATTR_MALLOC; void *_gcry_calloc (size_t n, size_t m) _GCRY_GCC_ATTR_MALLOC; @@ -150,8 +165,6 @@ void _gcry_log_bug( const char *fmt, ... ) JNLIB_GCC_A_NR_PRINTF(1,2); void _gcry_log_fatal( const char *fmt, ... ) JNLIB_GCC_A_NR_PRINTF(1,2); void _gcry_log_error( const char *fmt, ... ) JNLIB_GCC_A_PRINTF(1,2); void _gcry_log_info( const char *fmt, ... ) JNLIB_GCC_A_PRINTF(1,2); -int _gcry_log_info_with_dummy_fp (FILE *fp, const char *fmt, ... ) - JNLIB_GCC_A_PRINTF(2,3); void _gcry_log_debug( const char *fmt, ... ) JNLIB_GCC_A_PRINTF(1,2); void _gcry_log_printf ( const char *fmt, ... ) JNLIB_GCC_A_PRINTF(1,2); void _gcry_log_printhex (const char *text, const void *buffer, size_t length); @@ -161,17 +174,18 @@ void _gcry_log_printsxp (const char *text, gcry_sexp_t sexp); void _gcry_set_log_verbosity( int level ); int _gcry_log_verbosity( int level ); + #ifdef JNLIB_GCC_M_FUNCTION #define BUG() _gcry_bug( __FILE__ , __LINE__, __FUNCTION__ ) -#define gcry_assert(expr) ((expr)? (void)0 \ +#define gcry_assert(expr) (LIKELY(expr)? (void)0 \ : _gcry_assert_failed (STR(expr), __FILE__, __LINE__, __FUNCTION__)) #elif __STDC_VERSION__ >= 199901L #define BUG() _gcry_bug( __FILE__ , __LINE__, __func__ ) -#define gcry_assert(expr) ((expr)? (void)0 \ +#define gcry_assert(expr) (LIKELY(expr)? (void)0 \ : _gcry_assert_failed (STR(expr), __FILE__, __LINE__, __func__)) #else #define BUG() _gcry_bug( __FILE__ , __LINE__ ) -#define gcry_assert(expr) ((expr)? (void)0 \ +#define gcry_assert(expr) (LIKELY(expr)? (void)0 \ : _gcry_assert_failed (STR(expr), __FILE__, __LINE__)) #endif @@ -194,27 +208,31 @@ char **_gcry_strtokenize (const char *string, const char *delim); /*-- src/hwfeatures.c --*/ -#define HWF_PADLOCK_RNG (1 << 0) -#define HWF_PADLOCK_AES (1 << 1) -#define HWF_PADLOCK_SHA (1 << 2) -#define HWF_PADLOCK_MMUL (1 << 3) - -#define HWF_INTEL_CPU (1 << 4) -#define HWF_INTEL_FAST_SHLD (1 << 5) -#define HWF_INTEL_BMI2 (1 << 6) -#define HWF_INTEL_SSSE3 (1 << 7) -#define HWF_INTEL_SSE4_1 (1 << 8) -#define HWF_INTEL_PCLMUL (1 << 9) -#define HWF_INTEL_AESNI (1 << 10) -#define HWF_INTEL_RDRAND (1 << 11) -#define HWF_INTEL_AVX (1 << 12) -#define HWF_INTEL_AVX2 (1 << 13) - -#define HWF_ARM_NEON (1 << 14) -#define HWF_ARM_AES (1 << 15) -#define HWF_ARM_SHA1 (1 << 16) -#define HWF_ARM_SHA2 (1 << 17) -#define HWF_ARM_PMULL (1 << 18) +#define HWF_PADLOCK_RNG (1 << 0) +#define HWF_PADLOCK_AES (1 << 1) +#define HWF_PADLOCK_SHA (1 << 2) +#define HWF_PADLOCK_MMUL (1 << 3) + +#define HWF_INTEL_CPU (1 << 4) +#define HWF_INTEL_FAST_SHLD (1 << 5) +#define HWF_INTEL_BMI2 (1 << 6) +#define HWF_INTEL_SSSE3 (1 << 7) +#define HWF_INTEL_SSE4_1 (1 << 8) +#define HWF_INTEL_PCLMUL (1 << 9) +#define HWF_INTEL_AESNI (1 << 10) +#define HWF_INTEL_RDRAND (1 << 11) +#define HWF_INTEL_AVX (1 << 12) +#define HWF_INTEL_AVX2 (1 << 13) +#define HWF_INTEL_FAST_VPGATHER (1 << 14) + +#define HWF_ARM_NEON (1 << 15) +#define HWF_ARM_AES (1 << 16) +#define HWF_ARM_SHA1 (1 << 17) +#define HWF_ARM_SHA2 (1 << 18) +#define HWF_ARM_PMULL (1 << 19) + +#define HWF_INTEL_RDTSC (1 << 20) + gpg_err_code_t _gcry_disable_hw_feature (const char *name); @@ -331,6 +349,7 @@ void __gcry_burn_stack (unsigned int bytes); /* Following architectures can handle unaligned accesses fast. */ #if defined(HAVE_GCC_ATTRIBUTE_PACKED) && \ defined(HAVE_GCC_ATTRIBUTE_ALIGNED) && \ + defined(HAVE_GCC_ATTRIBUTE_MAY_ALIAS) && \ (defined(__i386__) || defined(__x86_64__) || \ defined(__powerpc__) || defined(__powerpc64__) || \ (defined(__arm__) && defined(__ARM_FEATURE_UNALIGNED)) || \ @@ -339,10 +358,10 @@ void __gcry_burn_stack (unsigned int bytes); typedef struct fast_wipememory_s { FASTWIPE_T a; -} __attribute__((packed, aligned(1))) fast_wipememory_t; +} __attribute__((packed, aligned(1), may_alias)) fast_wipememory_t; #else #define fast_wipememory2_unaligned_head(_vptr,_vset,_vlen) do { \ - while((size_t)(_vptr)&(sizeof(FASTWIPE_T)-1) && _vlen) \ + while(UNLIKELY((size_t)(_vptr)&(sizeof(FASTWIPE_T)-1)) && _vlen) \ { *_vptr=(_vset); _vptr++; _vlen--; } \ } while(0) typedef struct fast_wipememory_s diff --git a/src/gcrypt-int.h b/src/gcrypt-int.h index 549605b..ad719be 100644 --- a/src/gcrypt-int.h +++ b/src/gcrypt-int.h @@ -28,19 +28,8 @@ #include "types.h" /* These error codes are used but not defined in the required - libgpg-error 1.11. Define them here. */ -#if GPG_ERROR_VERSION_NUMBER < 0x010c00 /* 1.12 */ -# define GPG_ERR_NO_CRYPT_CTX 191 -# define GPG_ERR_WRONG_CRYPT_CTX 192 -# define GPG_ERR_BAD_CRYPT_CTX 193 -# define GPG_ERR_CRYPT_CTX_CONFLICT 194 -# define GPG_ERR_BROKEN_PUBKEY 195 -# define GPG_ERR_BROKEN_SECKEY 196 -#endif + * libgpg-error N.MM. Define them here. [None right now.] */ -#if GPG_ERROR_VERSION_NUMBER < 0x010d00 /* 1.13 */ -# define GPG_ERR_MAC_ALGO 197 -#endif /* Context used with elliptic curve functions. */ @@ -50,7 +39,7 @@ typedef struct mpi_ec_ctx_s *mpi_ec_t; /* Underscore prefixed internal versions of the public functions. - They return gpg_err_code and not gpg_error_t. Some macros also + They return gpg_err_code_t and not gpg_error_t. Some macros also need an underscore prefixed internal version. Note that the memory allocation functions and macros (xmalloc etc.) @@ -131,8 +120,8 @@ gpg_err_code_t _gcry_md_ctl (gcry_md_hd_t hd, int cmd, void *buffer, size_t buflen); void _gcry_md_write (gcry_md_hd_t hd, const void *buffer, size_t length); unsigned char *_gcry_md_read (gcry_md_hd_t hd, int algo); -gpg_error_t _gcry_md_extract (gcry_md_hd_t hd, int algo, void *buffer, - size_t length); +gpg_err_code_t _gcry_md_extract (gcry_md_hd_t hd, int algo, void *buffer, + size_t length); void _gcry_md_hash_buffer (int algo, void *digest, const void *buffer, size_t length); gpg_err_code_t _gcry_md_hash_buffers (int algo, unsigned int flags, @@ -411,6 +400,7 @@ int _gcry_mpi_gcd (gcry_mpi_t g, gcry_mpi_t a, gcry_mpi_t b); int _gcry_mpi_invm (gcry_mpi_t x, gcry_mpi_t a, gcry_mpi_t m); gcry_mpi_point_t _gcry_mpi_point_new (unsigned int nbits); void _gcry_mpi_point_release (gcry_mpi_point_t point); +gcry_mpi_point_t _gcry_mpi_point_copy (gcry_mpi_point_t point); void _gcry_mpi_point_get (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z, gcry_mpi_point_t point); void _gcry_mpi_point_snatch_get (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z, @@ -509,6 +499,8 @@ int _gcry_mpi_get_flag (gcry_mpi_t a, enum gcry_mpi_flag flag); } \ while (0) +#define mpi_point_copy(p) _gcry_mpi_point_copy((p)) + #define mpi_point_get(x,y,z,p) _gcry_mpi_point_get((x),(y),(z),(p)) #define mpi_point_snatch_get(x,y,z,p) _gcry_mpi_point_snatch_get((x),(y), \ (z),(p)) diff --git a/src/gcrypt-testapi.h b/src/gcrypt-testapi.h index 23d3800..0417754 100644 --- a/src/gcrypt-testapi.h +++ b/src/gcrypt-testapi.h @@ -31,6 +31,7 @@ #define PRIV_CTL_RUN_EXTRNG_TEST 59 #define PRIV_CTL_DEINIT_EXTRNG_TEST 60 #define PRIV_CTL_EXTERNAL_LOCK_TEST 61 +#define PRIV_CTL_DUMP_SECMEM_STATS 62 #define EXTERNAL_LOCK_TEST_INIT 30111 #define EXTERNAL_LOCK_TEST_LOCK 30112 diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index 34a3cb7..89b1303 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in @@ -1,6 +1,6 @@ /* gcrypt.h - GNU Cryptographic Library Interface -*- c -*- - * Copyright (C) 1998-2016 Free Software Foundation, Inc. - * Copyright (C) 2012-2016 g10 Code GmbH + * Copyright (C) 1998-2017 Free Software Foundation, Inc. + * Copyright (C) 2012-2017 g10 Code GmbH * * This file is part of Libgcrypt. * @@ -189,7 +189,7 @@ int gcry_err_code_to_errno (gcry_err_code_t code); gcry_error_t gcry_err_make_from_errno (gcry_err_source_t source, int err); /* Return an error value with the system error ERR. */ -gcry_err_code_t gcry_error_from_errno (int err); +gcry_error_t gcry_error_from_errno (int err); /* NOTE: Since Libgcrypt 1.6 the thread callbacks are not anymore @@ -331,7 +331,8 @@ enum gcry_ctl_cmds GCRYCTL_SET_SBOX = 73, GCRYCTL_DRBG_REINIT = 74, GCRYCTL_SET_TAGLEN = 75, - GCRYCTL_GET_TAGLEN = 76 + GCRYCTL_GET_TAGLEN = 76, + GCRYCTL_REINIT_SYSCALL_CLAMP = 77 }; /* Perform various operations defined by CMD. */ @@ -390,7 +391,7 @@ gcry_error_t gcry_sexp_build_array (gcry_sexp_t *retsexp, size_t *erroff, /* Release the S-expression object SEXP */ void gcry_sexp_release (gcry_sexp_t sexp); -/* Calculate the length of an canonized S-expresion in BUFFER and +/* Calculate the length of an canonized S-expression in BUFFER and check for a valid encoding. */ size_t gcry_sexp_canon_len (const unsigned char *buffer, size_t length, size_t *erroff, gcry_error_t *errcode); @@ -697,6 +698,9 @@ gcry_mpi_point_t gcry_mpi_point_new (unsigned int nbits); /* Release the object POINT. POINT may be NULL. */ void gcry_mpi_point_release (gcry_mpi_point_t point); +/* Return a copy of POINT. */ +gcry_mpi_point_t gcry_mpi_point_copy (gcry_mpi_point_t point); + /* Store the projective coordinates from POINT into X, Y, and Z. */ void gcry_mpi_point_get (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z, gcry_mpi_point_t point); @@ -867,6 +871,7 @@ gcry_mpi_t _gcry_mpi_get_const (int no); (p) = NULL; \ } \ while (0) +#define mpi_point_copy(p) gcry_mpi_point_copy((p)) #define mpi_point_get(x,y,z,p) gcry_mpi_point_get((x),(y),(z),(p)) #define mpi_point_snatch_get(x,y,z,p) gcry_mpi_point_snatch_get((x),(y),(z),(p)) #define mpi_point_set(p,x,y,z) gcry_mpi_point_set((p),(x),(y),(z)) @@ -960,7 +965,8 @@ enum gcry_cipher_modes GCRY_CIPHER_MODE_GCM = 9, /* Galois Counter Mode. */ GCRY_CIPHER_MODE_POLY1305 = 10, /* Poly1305 based AEAD mode. */ GCRY_CIPHER_MODE_OCB = 11, /* OCB3 mode. */ - GCRY_CIPHER_MODE_CFB8 = 12 /* Cipher feedback (8 bit mode). */ + GCRY_CIPHER_MODE_CFB8 = 12, /* Cipher feedback (8 bit mode). */ + GCRY_CIPHER_MODE_XTS = 13 /* XTS mode. */ }; /* Flags used with the open function. */ @@ -981,6 +987,9 @@ enum gcry_cipher_flags /* OCB works only with blocks of 128 bits. */ #define GCRY_OCB_BLOCK_LEN (128 / 8) +/* XTS works only with blocks of 128 bits. */ +#define GCRY_XTS_BLOCK_LEN (128 / 8) + /* Create a handle for algorithm ALGO to be used in MODE. FLAGS may be given as an bitwise OR of the gcry_cipher_flags values. */ gcry_error_t gcry_cipher_open (gcry_cipher_hd_t *handle, @@ -1223,7 +1232,15 @@ enum gcry_md_algos GCRY_MD_SHA3_384 = 314, GCRY_MD_SHA3_512 = 315, GCRY_MD_SHAKE128 = 316, - GCRY_MD_SHAKE256 = 317 + GCRY_MD_SHAKE256 = 317, + GCRY_MD_BLAKE2B_512 = 318, + GCRY_MD_BLAKE2B_384 = 319, + GCRY_MD_BLAKE2B_256 = 320, + GCRY_MD_BLAKE2B_160 = 321, + GCRY_MD_BLAKE2S_256 = 322, + GCRY_MD_BLAKE2S_224 = 323, + GCRY_MD_BLAKE2S_160 = 324, + GCRY_MD_BLAKE2S_128 = 325 }; /* Flags used with the open function. */ @@ -1320,9 +1337,9 @@ int gcry_md_is_enabled (gcry_md_hd_t a, int algo); /* Return true if the digest object A is allocated in "secure" memory. */ int gcry_md_is_secure (gcry_md_hd_t a); -/* Retrieve various information about the object H. */ +/* Deprecated: Use gcry_md_is_enabled or gcry_md_is_secure. */ gcry_error_t gcry_md_info (gcry_md_hd_t h, int what, void *buffer, - size_t *nbytes); + size_t *nbytes) _GCRY_ATTR_INTERNAL; /* Retrieve various information about the algorithm ALGO. */ gcry_error_t gcry_md_algo_info (int algo, int what, void *buffer, @@ -1656,7 +1673,7 @@ gcry_error_t gcry_prime_group_generator (gcry_mpi_t *r_g, void gcry_prime_release_factors (gcry_mpi_t *factors); -/* Check wether the number X is prime. */ +/* Check whether the number X is prime. */ gcry_error_t gcry_prime_check (gcry_mpi_t x, unsigned int flags); @@ -1678,6 +1695,7 @@ void gcry_log_debugpnt (const char *text, gcry_mpi_point_t point, gcry_ctx_t ctx); void gcry_log_debugsxp (const char *text, gcry_sexp_t sexp); +char *gcry_get_config (int mode, const char *what); /* Log levels used by the internal logging facility. */ enum gcry_log_levels diff --git a/src/global.c b/src/global.c index 4283460..4e2e274 100644 --- a/src/global.c +++ b/src/global.c @@ -2,7 +2,7 @@ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 * 2004, 2005, 2006, 2008, 2011, * 2012 Free Software Foundation, Inc. - * Copyright (C) 2013, 2014 g10 Code GmbH + * Copyright (C) 2013, 2014, 2017 g10 Code GmbH * * This file is part of Libgcrypt. * @@ -56,6 +56,15 @@ static int force_fips_mode; /* Controlled by global_init(). */ static int any_init_done; +/* + * Functions called before and after blocking syscalls. + * Initialized by global_init and used via + * _gcry_pre_syscall and _gcry_post_syscall. + */ +static void (*pre_syscall_func)(void); +static void (*post_syscall_func)(void); + + /* Memory management. */ static gcry_handler_alloc_t alloc_func; @@ -89,6 +98,10 @@ global_init (void) /* Tell the random module that we have seen an init call. */ _gcry_set_preferred_rng_type (0); + /* Get the system call clamp functions. */ + if (!pre_syscall_func) + gpgrt_get_syscall_clamp (&pre_syscall_func, &post_syscall_func); + /* See whether the system is in FIPS mode. This needs to come as early as possible but after ATH has been initialized. */ _gcry_initialize_fips_mode (force_fips_mode); @@ -260,73 +273,181 @@ _gcry_check_version (const char *req_version) static void -print_config ( int (*fnc)(FILE *fp, const char *format, ...), FILE *fp) +print_config (const char *what, gpgrt_stream_t fp) { - unsigned int hwfeatures, afeature; int i; const char *s; - fnc (fp, "version:%s:\n", VERSION); - fnc (fp, "ciphers:%s:\n", LIBGCRYPT_CIPHERS); - fnc (fp, "pubkeys:%s:\n", LIBGCRYPT_PUBKEY_CIPHERS); - fnc (fp, "digests:%s:\n", LIBGCRYPT_DIGESTS); - fnc (fp, "rnd-mod:" + if (!what || !strcmp (what, "version")) + { + gpgrt_fprintf (fp, "version:%s:%x:%s:%x:\n", + VERSION, GCRYPT_VERSION_NUMBER, + GPGRT_VERSION, GPGRT_VERSION_NUMBER); + } + if (!what || !strcmp (what, "cc")) + { + gpgrt_fprintf (fp, "cc:%d:%s:\n", +#if GPGRT_VERSION_NUMBER >= 0x011b00 /* 1.27 */ + GPGRT_GCC_VERSION +#else + _GPG_ERR_GCC_VERSION /* Due to a bug in gpg-error.h. */ +#endif + , +#ifdef __clang__ + "clang:" __VERSION__ +#elif __GNUC__ + "gcc:" __VERSION__ +#else + ":" +#endif + ); + } + + if (!what || !strcmp (what, "ciphers")) + gpgrt_fprintf (fp, "ciphers:%s:\n", LIBGCRYPT_CIPHERS); + if (!what || !strcmp (what, "pubkeys")) + gpgrt_fprintf (fp, "pubkeys:%s:\n", LIBGCRYPT_PUBKEY_CIPHERS); + if (!what || !strcmp (what, "digests")) + gpgrt_fprintf (fp, "digests:%s:\n", LIBGCRYPT_DIGESTS); + + if (!what || !strcmp (what, "rnd-mod")) + { + gpgrt_fprintf (fp, "rnd-mod:" #if USE_RNDEGD - "egd:" + "egd:" #endif #if USE_RNDLINUX - "linux:" + "linux:" #endif #if USE_RNDUNIX - "unix:" + "unix:" #endif #if USE_RNDW32 - "w32:" + "w32:" #endif - "\n"); - fnc (fp, "cpu-arch:" + "\n"); + } + + if (!what || !strcmp (what, "cpu-arch")) + { + gpgrt_fprintf (fp, "cpu-arch:" #if defined(HAVE_CPU_ARCH_X86) - "x86" + "x86" #elif defined(HAVE_CPU_ARCH_ALPHA) - "alpha" + "alpha" #elif defined(HAVE_CPU_ARCH_SPARC) - "sparc" + "sparc" #elif defined(HAVE_CPU_ARCH_MIPS) - "mips" + "mips" #elif defined(HAVE_CPU_ARCH_M68K) - "m68k" + "m68k" #elif defined(HAVE_CPU_ARCH_PPC) - "ppc" + "ppc" #elif defined(HAVE_CPU_ARCH_ARM) - "arm" + "arm" #endif - ":\n"); - fnc (fp, "mpi-asm:%s:\n", _gcry_mpi_get_hw_config ()); - hwfeatures = _gcry_get_hw_features (); - fnc (fp, "hwflist:"); - for (i=0; (s = _gcry_enum_hw_features (i, &afeature)); i++) - if ((hwfeatures & afeature)) - fnc (fp, "%s:", s); - fnc (fp, "\n"); - /* We use y/n instead of 1/0 for the simple reason that Emacsen's - compile error parser would accidentally flag that line when printed - during "make check" as an error. */ - fnc (fp, "fips-mode:%c:%c:\n", - fips_mode ()? 'y':'n', - _gcry_enforced_fips_mode ()? 'y':'n' ); - /* The currently used RNG type. */ - { - i = _gcry_get_rng_type (0); - switch (i) - { - case GCRY_RNG_TYPE_STANDARD: s = "standard"; break; - case GCRY_RNG_TYPE_FIPS: s = "fips"; break; - case GCRY_RNG_TYPE_SYSTEM: s = "system"; break; - default: BUG (); - } - fnc (fp, "rng-type:%s:%d:\n", s, i); - } + ":\n"); + } + + if (!what || !strcmp (what, "mpi-asm")) + gpgrt_fprintf (fp, "mpi-asm:%s:\n", _gcry_mpi_get_hw_config ()); + + if (!what || !strcmp (what, "hwflist")) + { + unsigned int hwfeatures, afeature; + + hwfeatures = _gcry_get_hw_features (); + gpgrt_fprintf (fp, "hwflist:"); + for (i=0; (s = _gcry_enum_hw_features (i, &afeature)); i++) + if ((hwfeatures & afeature)) + gpgrt_fprintf (fp, "%s:", s); + gpgrt_fprintf (fp, "\n"); + } + + if (!what || !strcmp (what, "fips-mode")) + { + /* We use y/n instead of 1/0 for the stupid reason that + * Emacsen's compile error parser would accidentally flag that + * line when printed during "make check" as an error. */ + gpgrt_fprintf (fp, "fips-mode:%c:%c:\n", + fips_mode ()? 'y':'n', + _gcry_enforced_fips_mode ()? 'y':'n' ); + } + + if (!what || !strcmp (what, "rng-type")) + { + /* The currently used RNG type. */ + unsigned int jver; + int active; + + i = _gcry_get_rng_type (0); + switch (i) + { + case GCRY_RNG_TYPE_STANDARD: s = "standard"; break; + case GCRY_RNG_TYPE_FIPS: s = "fips"; break; + case GCRY_RNG_TYPE_SYSTEM: s = "system"; break; + default: BUG (); + } + jver = _gcry_rndjent_get_version (&active); + gpgrt_fprintf (fp, "rng-type:%s:%d:%u:%d:\n", s, i, jver, active); + } +} + +/* With a MODE of 0 return a malloced string with configured features. + * In that case a WHAT of NULL returns everything in the same way + * GCRYCTL_PRINT_CONFIG would do. With a specific WHAT string only + * the requested feature is returned (w/o the trailing LF. On error + * NULL is returned. */ +char * +_gcry_get_config (int mode, const char *what) +{ + gpgrt_stream_t fp; + int save_errno; + void *data; + char *p; + + if (mode) + { + gpg_err_set_errno (EINVAL); + return NULL; + } + + fp = gpgrt_fopenmem (0, "w+b,samethread"); + if (!fp) + return NULL; + + print_config (what, fp); + if (gpgrt_ferror (fp)) + { + save_errno = errno; + gpgrt_fclose (fp); + gpg_err_set_errno (save_errno); + return NULL; + } + + gpgrt_rewind (fp); + if (gpgrt_fclose_snatch (fp, &data, NULL)) + { + save_errno = errno; + gpgrt_fclose (fp); + gpg_err_set_errno (save_errno); + return NULL; + } + + if (!data) + { + /* Nothing was printed (unknown value for WHAT). This is okay, + * so clear ERRNO to indicate this. */ + gpg_err_set_errno (0); + return NULL; + } + + /* Strip trailing LF. */ + if (what && (p = strchr (data, '\n'))) + *p = 0; + + return data; } @@ -518,12 +639,21 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) /* This command dumps information pertaining to the configuration of libgcrypt to the given stream. It may be used before the initialization has been finished but not - before a gcry_version_check. */ + before a gcry_version_check. See also gcry_get_config. */ case GCRYCTL_PRINT_CONFIG: { FILE *fp = va_arg (arg_ptr, FILE *); + char *tmpstr; _gcry_set_preferred_rng_type (0); - print_config (fp?fprintf:_gcry_log_info_with_dummy_fp, fp); + tmpstr = _gcry_get_config (0, NULL); + if (tmpstr) + { + if (fp) + fputs (tmpstr, fp); + else + log_info ("%s", tmpstr); + xfree (tmpstr); + } } break; @@ -550,7 +680,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) _gcry_set_preferred_rng_type (0); if (!any_init_done) { - /* Not yet intialized at all. Set a flag so that we are put + /* Not yet initialized at all. Set a flag so that we are put into fips mode during initialization. */ force_fips_mode = 1; } @@ -600,7 +730,8 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) case PRIV_CTL_EXTERNAL_LOCK_TEST: /* Run external lock test */ rc = external_lock_test (va_arg (arg_ptr, int)); break; - case 62: /* RFU */ + case PRIV_CTL_DUMP_SECMEM_STATS: + _gcry_secmem_dump_stats (1); break; #if _GCRY_GCC_VERSION >= 40600 # pragma GCC diagnostic pop @@ -673,6 +804,11 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) } break; + case GCRYCTL_REINIT_SYSCALL_CLAMP: + if (!pre_syscall_func) + gpgrt_get_syscall_clamp (&pre_syscall_func, &post_syscall_func); + break; + default: _gcry_set_preferred_rng_type (0); rc = GPG_ERR_INV_OP; @@ -1079,6 +1215,24 @@ _gcry_xstrdup (const char *string) } +/* Used before blocking system calls. */ +void +_gcry_pre_syscall (void) +{ + if (pre_syscall_func) + pre_syscall_func (); +} + + +/* Used after blocking system calls. */ +void +_gcry_post_syscall (void) +{ + if (post_syscall_func) + post_syscall_func (); +} + + int _gcry_get_debug_flag (unsigned int mask) { diff --git a/src/hwf-x86.c b/src/hwf-x86.c index eeacccb..0d3a1f4 100644 --- a/src/hwf-x86.c +++ b/src/hwf-x86.c @@ -170,28 +170,31 @@ get_xgetbv(void) static unsigned int detect_x86_gnuc (void) { - char vendor_id[12+1]; - unsigned int features; + union + { + char c[12+1]; + unsigned int ui[3]; + } vendor_id; + unsigned int features, features2; unsigned int os_supports_avx_avx2_registers = 0; unsigned int max_cpuid_level; unsigned int fms, family, model; unsigned int result = 0; + unsigned int avoid_vpgather = 0; (void)os_supports_avx_avx2_registers; if (!is_cpuid_available()) return 0; - get_cpuid(0, &max_cpuid_level, - (unsigned int *)&vendor_id[0], - (unsigned int *)&vendor_id[8], - (unsigned int *)&vendor_id[4]); - vendor_id[12] = 0; + get_cpuid(0, &max_cpuid_level, &vendor_id.ui[0], &vendor_id.ui[2], + &vendor_id.ui[1]); + vendor_id.c[12] = 0; if (0) ; /* Just to make "else if" and ifdef macros look pretty. */ #ifdef ENABLE_PADLOCK_SUPPORT - else if (!strcmp (vendor_id, "CentaurHauls")) + else if (!strcmp (vendor_id.c, "CentaurHauls")) { /* This is a VIA CPU. Check what PadLock features we have. */ @@ -224,12 +227,12 @@ detect_x86_gnuc (void) } } #endif /*ENABLE_PADLOCK_SUPPORT*/ - else if (!strcmp (vendor_id, "GenuineIntel")) + else if (!strcmp (vendor_id.c, "GenuineIntel")) { /* This is an Intel CPU. */ result |= HWF_INTEL_CPU; } - else if (!strcmp (vendor_id, "AuthenticAMD")) + else if (!strcmp (vendor_id.c, "AuthenticAMD")) { /* This is an AMD CPU. */ } @@ -237,8 +240,8 @@ detect_x86_gnuc (void) /* Detect Intel features, that might also be supported by other vendors. */ - /* Get CPU family/model/stepping (EAX) and Intel feature flags (ECX). */ - get_cpuid(1, &fms, NULL, &features, NULL); + /* Get CPU family/model/stepping (EAX) and Intel feature flags (ECX, EDX). */ + get_cpuid(1, &fms, NULL, &features, &features2); family = ((fms & 0xf00) >> 8) + ((fms & 0xff00000) >> 20); model = ((fms & 0xf0) >> 4) + ((fms & 0xf0000) >> 12); @@ -262,11 +265,33 @@ detect_x86_gnuc (void) case 0x47: case 0x4E: case 0x5E: + case 0x8E: + case 0x9E: case 0x55: case 0x66: result |= HWF_INTEL_FAST_SHLD; break; } + + /* These Intel Core processors that have AVX2 have slow VPGATHER and + * should be avoided for table-lookup use. */ + switch (model) + { + case 0x3C: + case 0x3F: + case 0x45: + case 0x46: + /* Haswell */ + avoid_vpgather |= 1; + break; + } + } + else + { + /* Avoid VPGATHER for non-Intel CPUs as testing is needed to + * make sure it is fast enough. */ + + avoid_vpgather |= 1; } #ifdef ENABLE_PCLMUL_SUPPORT @@ -306,6 +331,10 @@ detect_x86_gnuc (void) result |= HWF_INTEL_RDRAND; #endif /*ENABLE_DRNG_SUPPORT*/ + /* Test bit 4 of EDX for TSC. */ + if (features2 & 0x00000010) + result |= HWF_INTEL_RDTSC; + /* Check additional Intel feature flags. Early Intel P5 processors report * too high max_cpuid_level, so don't check level 7 if processor does not * support SSE3 (as cpuid:7 contains only features for newer processors). @@ -324,6 +353,9 @@ detect_x86_gnuc (void) if (features & 0x00000020) if (os_supports_avx_avx2_registers) result |= HWF_INTEL_AVX2; + + if ((result & HWF_INTEL_AVX2) && !avoid_vpgather) + result |= HWF_INTEL_FAST_VPGATHER; #endif /*ENABLE_AVX_SUPPORT*/ } diff --git a/src/hwfeatures.c b/src/hwfeatures.c index 07221e8..1cad546 100644 --- a/src/hwfeatures.c +++ b/src/hwfeatures.c @@ -42,25 +42,27 @@ static struct const char *desc; } hwflist[] = { - { HWF_PADLOCK_RNG, "padlock-rng" }, - { HWF_PADLOCK_AES, "padlock-aes" }, - { HWF_PADLOCK_SHA, "padlock-sha" }, - { HWF_PADLOCK_MMUL, "padlock-mmul"}, - { HWF_INTEL_CPU, "intel-cpu" }, - { HWF_INTEL_FAST_SHLD, "intel-fast-shld" }, - { HWF_INTEL_BMI2, "intel-bmi2" }, - { HWF_INTEL_SSSE3, "intel-ssse3" }, - { HWF_INTEL_SSE4_1, "intel-sse4.1" }, - { HWF_INTEL_PCLMUL, "intel-pclmul" }, - { HWF_INTEL_AESNI, "intel-aesni" }, - { HWF_INTEL_RDRAND, "intel-rdrand" }, - { HWF_INTEL_AVX, "intel-avx" }, - { HWF_INTEL_AVX2, "intel-avx2" }, - { HWF_ARM_NEON, "arm-neon" }, - { HWF_ARM_AES, "arm-aes" }, - { HWF_ARM_SHA1, "arm-sha1" }, - { HWF_ARM_SHA2, "arm-sha2" }, - { HWF_ARM_PMULL, "arm-pmull" } + { HWF_PADLOCK_RNG, "padlock-rng" }, + { HWF_PADLOCK_AES, "padlock-aes" }, + { HWF_PADLOCK_SHA, "padlock-sha" }, + { HWF_PADLOCK_MMUL, "padlock-mmul"}, + { HWF_INTEL_CPU, "intel-cpu" }, + { HWF_INTEL_FAST_SHLD, "intel-fast-shld" }, + { HWF_INTEL_BMI2, "intel-bmi2" }, + { HWF_INTEL_SSSE3, "intel-ssse3" }, + { HWF_INTEL_SSE4_1, "intel-sse4.1" }, + { HWF_INTEL_PCLMUL, "intel-pclmul" }, + { HWF_INTEL_AESNI, "intel-aesni" }, + { HWF_INTEL_RDRAND, "intel-rdrand" }, + { HWF_INTEL_AVX, "intel-avx" }, + { HWF_INTEL_AVX2, "intel-avx2" }, + { HWF_INTEL_FAST_VPGATHER, "intel-fast-vpgather" }, + { HWF_INTEL_RDTSC, "intel-rdtsc" }, + { HWF_ARM_NEON, "arm-neon" }, + { HWF_ARM_AES, "arm-aes" }, + { HWF_ARM_SHA1, "arm-sha1" }, + { HWF_ARM_SHA2, "arm-sha2" }, + { HWF_ARM_PMULL, "arm-pmull" } }; /* A bit vector with the hardware features which shall not be used. @@ -71,9 +73,6 @@ static unsigned int disabled_hw_features; available. */ static unsigned int hw_features; -/* Convenience macros. */ -#define my_isascii(c) (!((c) & 0x80)) - /* Disable a feature by name. This function must be called *before* @@ -82,14 +81,34 @@ gpg_err_code_t _gcry_disable_hw_feature (const char *name) { int i; + size_t n1, n2; - for (i=0; i < DIM (hwflist); i++) - if (!strcmp (hwflist[i].desc, name)) - { - disabled_hw_features |= hwflist[i].flag; - return 0; - } - return GPG_ERR_INV_NAME; + while (name && *name) + { + n1 = strcspn (name, ":,"); + if (!n1) + ; + else if (n1 == 3 && !strncmp (name, "all", 3)) + disabled_hw_features = ~0; + else + { + for (i=0; i < DIM (hwflist); i++) + { + n2 = strlen (hwflist[i].desc); + if (n1 == n2 && !strncmp (hwflist[i].desc, name, n2)) + { + disabled_hw_features |= hwflist[i].flag; + break; + } + } + if (!(i < DIM (hwflist))) + return GPG_ERR_INV_NAME; + } + name += n1; + if (*name) + name++; /* Skip delimiter ':' or ','. */ + } + return 0; } @@ -125,7 +144,7 @@ parse_hwf_deny_file (void) FILE *fp; char buffer[256]; char *p, *pend; - int i, lnr = 0; + int lnr = 0; fp = fopen (fname, "r"); if (!fp) @@ -159,15 +178,7 @@ parse_hwf_deny_file (void) if (!*p || *p == '#') continue; - for (i=0; i < DIM (hwflist); i++) - { - if (!strcmp (hwflist[i].desc, p)) - { - disabled_hw_features |= hwflist[i].flag; - break; - } - } - if (i == DIM (hwflist)) + if (_gcry_disable_hw_feature (p) == GPG_ERR_INV_NAME) { #ifdef HAVE_SYSLOG syslog (LOG_USER|LOG_WARNING, diff --git a/src/libgcrypt.def b/src/libgcrypt.def index 067cb84..a76b377 100644 --- a/src/libgcrypt.def +++ b/src/libgcrypt.def @@ -282,4 +282,8 @@ EXPORTS gcry_mpi_ec_decode_point @246 + gcry_get_config @247 + + gcry_mpi_point_copy @248 + ;; end of file with public symbols for Windows. diff --git a/src/libgcrypt.vers b/src/libgcrypt.vers index 785b8ed..1aa830f 100644 --- a/src/libgcrypt.vers +++ b/src/libgcrypt.vers @@ -107,10 +107,13 @@ GCRYPT_1.6 { gcry_mpi_ec_get_affine; gcry_mpi_ec_dup; gcry_mpi_ec_add; gcry_mpi_ec_sub; gcry_mpi_ec_mul; gcry_mpi_ec_curve_point; gcry_mpi_ec_decode_point; + gcry_mpi_point_copy; gcry_log_debug; gcry_log_debughex; gcry_log_debugmpi; gcry_log_debugpnt; gcry_log_debugsxp; + gcry_get_config; + _gcry_mpi_get_const; gcry_ctx_release; diff --git a/src/misc.c b/src/misc.c index 413d7d8..002a84f 100644 --- a/src/misc.c +++ b/src/misc.c @@ -198,18 +198,6 @@ _gcry_log_info( const char *fmt, ... ) va_end(arg_ptr); } -int -_gcry_log_info_with_dummy_fp (FILE *fp, const char *fmt, ... ) -{ - va_list arg_ptr; - - (void)fp; - va_start( arg_ptr, fmt ) ; - _gcry_logv( GCRY_LOG_INFO, fmt, arg_ptr ); - va_end(arg_ptr); - return 0; -} - void _gcry_log_error( const char *fmt, ... ) { @@ -406,7 +394,7 @@ _gcry_log_printsxp (const char *text, gcry_sexp_t sexp) do { if (any && !with_lf) - log_debug ("%*s ", (int)strlen(text), ""); + log_debug ("%*s ", text?(int)strlen(text):0, ""); else any = 1; pend = strchr (p, '\n'); diff --git a/src/mpi.h b/src/mpi.h index cd539f5..aeba7f8 100644 --- a/src/mpi.h +++ b/src/mpi.h @@ -109,8 +109,8 @@ struct gcry_mpi void _gcry_mpi_immutable_failed (void); #define mpi_immutable_failed() _gcry_mpi_immutable_failed () -#define mpi_is_const(a) ((a) && ((a)->flags&32)) -#define mpi_is_immutable(a) ((a) && ((a)->flags&16)) +#define mpi_is_const(a) ((a)->flags&32) +#define mpi_is_immutable(a) ((a)->flags&16) #define mpi_is_opaque(a) ((a) && ((a)->flags&4)) #define mpi_is_secure(a) ((a) && ((a)->flags&1)) #define mpi_clear(a) _gcry_mpi_clear ((a)) @@ -296,6 +296,7 @@ void _gcry_mpi_ec_mul_point (mpi_point_t result, gcry_mpi_t scalar, mpi_point_t point, mpi_ec_t ctx); int _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx); +int _gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx); gcry_mpi_t _gcry_mpi_ec_ec2os (gcry_mpi_point_t point, mpi_ec_t ectx); diff --git a/src/mpicalc.c b/src/mpicalc.c index ebd1bbb..11246f3 100644 --- a/src/mpicalc.c +++ b/src/mpicalc.c @@ -231,6 +231,17 @@ do_gcd (void) stackidx--; } +static void +do_lshift (void) +{ + if (stackidx < 1) + { + fputs ("stack underflow\n", stderr); + return; + } + mpi_lshift (stack[stackidx - 1], stack[stackidx - 1], 1); +} + static void do_rshift (void) { @@ -242,7 +253,6 @@ do_rshift (void) mpi_rshift (stack[stackidx - 1], stack[stackidx - 1], 1); } - static void do_nbits (void) { @@ -305,6 +315,7 @@ print_help (void) "* multiply [0] := [1] * [0] {-1}\n" "/ divide [0] := [1] - [0] {-1}\n" "% modulo [0] := [1] % [0] {-1}\n" + "< left shift [0] := [0] << 1 {0}\n" "> right shift [0] := [0] >> 1 {0}\n" "++ increment [0] := [0]++ {0}\n" "-- decrement [0] := [0]-- {0}\n" @@ -487,6 +498,9 @@ main (int argc, char **argv) case '^': do_powm (); break; + case '<': + do_lshift (); + break; case '>': do_rshift (); break; diff --git a/src/secmem.c b/src/secmem.c index b2a9667..86de72d 100644 --- a/src/secmem.c +++ b/src/secmem.c @@ -91,7 +91,7 @@ typedef struct pooldesc_s static pooldesc_t mainpool; -/* A couple of flags whith some beeing set early. */ +/* A couple of flags whith some being set early. */ static int disable_secmem; static int show_warning; static int not_locked; @@ -841,6 +841,8 @@ _gcry_secmem_term () } +/* Print stats of the secmem allocator. With EXTENDED passwed as true + * a detiled listing is returned (used for testing). */ void _gcry_secmem_dump_stats (int extended) { @@ -872,6 +874,5 @@ _gcry_secmem_dump_stats (int extended) mb->size); } } - SECMEM_UNLOCK; } diff --git a/src/versioninfo.rc.in b/src/versioninfo.rc.in index 1adb4e9..b85d494 100644 --- a/src/versioninfo.rc.in +++ b/src/versioninfo.rc.in @@ -39,7 +39,7 @@ BEGIN VALUE "FileDescription", "Libgcrypt - The GNU Crypto Library\0" VALUE "FileVersion", "@LIBGCRYPT_LT_CURRENT@.@LIBGCRYPT_LT_AGE@.@LIBGCRYPT_LT_REVISION@.@BUILD_REVISION@\0" VALUE "InternalName", "libgcrypt\0" - VALUE "LegalCopyright", "Copyright © 2016 Free Software Foundation, Inc.\0" + VALUE "LegalCopyright", "Copyright © 2017 Free Software Foundation, Inc.\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "libgcrypt.dll\0" VALUE "PrivateBuild", "\0" diff --git a/src/visibility.c b/src/visibility.c index 3abbd37..104c70d 100644 --- a/src/visibility.c +++ b/src/visibility.c @@ -484,6 +484,12 @@ gcry_mpi_point_release (gcry_mpi_point_t point) _gcry_mpi_point_release (point); } +gcry_mpi_point_t +gcry_mpi_point_copy (gcry_mpi_point_t point) +{ + return _gcry_mpi_point_copy (point); +} + void gcry_mpi_point_get (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z, gcry_mpi_point_t point) @@ -1174,10 +1180,10 @@ gcry_md_read (gcry_md_hd_t hd, int algo) return _gcry_md_read (hd, algo); } -gcry_err_code_t +gcry_error_t gcry_md_extract (gcry_md_hd_t hd, int algo, void *buffer, size_t length) { - return _gcry_md_extract(hd, algo, buffer, length); + return gpg_error (_gcry_md_extract(hd, algo, buffer, length)); } void @@ -1435,6 +1441,12 @@ gcry_log_debugsxp (const char *text, gcry_sexp_t sexp) _gcry_log_printsxp (text, sexp); } +char * +gcry_get_config (int mode, const char *what) +{ + return _gcry_get_config (mode, what); +} + void gcry_set_progress_handler (gcry_handler_progress_t cb, void *cb_data) { diff --git a/src/visibility.h b/src/visibility.h index 7ecd75e..df2caf6 100644 --- a/src/visibility.h +++ b/src/visibility.h @@ -246,6 +246,7 @@ MARK_VISIBLEX (gcry_mpi_new) MARK_VISIBLEX (gcry_mpi_point_get) MARK_VISIBLEX (gcry_mpi_point_new) MARK_VISIBLEX (gcry_mpi_point_release) +MARK_VISIBLEX (gcry_mpi_point_copy) MARK_VISIBLEX (gcry_mpi_point_set) MARK_VISIBLEX (gcry_mpi_point_snatch_get) MARK_VISIBLEX (gcry_mpi_point_snatch_set) @@ -279,6 +280,8 @@ MARK_VISIBLEX (gcry_log_debugmpi) MARK_VISIBLEX (gcry_log_debugpnt) MARK_VISIBLEX (gcry_log_debugsxp) +MARK_VISIBLEX (gcry_get_config) + /* Functions used to implement macros. */ MARK_VISIBLEX (_gcry_mpi_get_const) @@ -464,6 +467,7 @@ MARK_VISIBLEX (_gcry_mpi_get_const) #define gcry_mpi_point_get _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_point_new _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_point_release _gcry_USE_THE_UNDERSCORED_FUNCTION +#define gcry_mpi_point_copy _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_point_set _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_point_snatch_get _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_point_snatch_set _gcry_USE_THE_UNDERSCORED_FUNCTION diff --git a/tests/Makefile.am b/tests/Makefile.am index d462f30..eee24fa 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -19,14 +19,14 @@ ## Process this file with automake to produce Makefile.in tests_bin = \ - version mpitests t-sexp t-convert \ + version t-secmem mpitests t-sexp t-convert \ t-mpi-bit t-mpi-point curves t-lock \ prime basic keygen pubkey hmac hashtest t-kdf keygrip \ fips186-dsa aeswrap pkcs1v2 random dsa-rfc6979 t-ed25519 t-cv25519 tests_bin_last = benchmark bench-slope -tests_sh = +tests_sh = basic-disable-all-hwf tests_sh_last = hashtest-256g @@ -58,7 +58,9 @@ noinst_HEADERS = t-common.h EXTRA_DIST = README rsa-16k.key cavs_tests.sh cavs_driver.pl \ pkcs1v2-oaep.h pkcs1v2-pss.h pkcs1v2-v15c.h pkcs1v2-v15s.h \ t-ed25519.inp stopwatch.h hashtest-256g.in \ - sha3-224.h sha3-256.h sha3-384.h sha3-512.h + sha3-224.h sha3-256.h sha3-384.h sha3-512.h \ + blake2b.h blake2s.h \ + basic-disable-all-hwf.in basic_all_hwfeature_combinations.sh LDADD = $(standard_ldadd) $(GPG_ERROR_LIBS) t_lock_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) diff --git a/tests/Makefile.in b/tests/Makefile.in index 000ec67..9dc0244 100644 --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -97,15 +97,14 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -TESTS = $(am__EXEEXT_1) $(am__EXEEXT_3) $(am__EXEEXT_2) \ - $(tests_sh_last) +TESTS = $(am__EXEEXT_1) $(tests_sh) $(am__EXEEXT_2) $(tests_sh_last) EXTRA_PROGRAMS = testapi$(EXEEXT) pkbench$(EXEEXT) noinst_PROGRAMS = $(am__EXEEXT_1) $(am__EXEEXT_2) fipsdrv$(EXEEXT) \ rsacvt$(EXEEXT) genhashdata$(EXEEXT) gchash$(EXEEXT) subdir = tests DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/hashtest-256g.in $(top_srcdir)/build-aux/depcomp \ - $(noinst_HEADERS) README + $(srcdir)/hashtest-256g.in $(srcdir)/basic-disable-all-hwf.in \ + $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/gpg-error.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ @@ -118,16 +117,16 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = hashtest-256g +CONFIG_CLEAN_FILES = hashtest-256g basic-disable-all-hwf CONFIG_CLEAN_VPATH_FILES = -am__EXEEXT_1 = version$(EXEEXT) mpitests$(EXEEXT) t-sexp$(EXEEXT) \ - t-convert$(EXEEXT) t-mpi-bit$(EXEEXT) t-mpi-point$(EXEEXT) \ - curves$(EXEEXT) t-lock$(EXEEXT) prime$(EXEEXT) basic$(EXEEXT) \ - keygen$(EXEEXT) pubkey$(EXEEXT) hmac$(EXEEXT) \ - hashtest$(EXEEXT) t-kdf$(EXEEXT) keygrip$(EXEEXT) \ - fips186-dsa$(EXEEXT) aeswrap$(EXEEXT) pkcs1v2$(EXEEXT) \ - random$(EXEEXT) dsa-rfc6979$(EXEEXT) t-ed25519$(EXEEXT) \ - t-cv25519$(EXEEXT) +am__EXEEXT_1 = version$(EXEEXT) t-secmem$(EXEEXT) mpitests$(EXEEXT) \ + t-sexp$(EXEEXT) t-convert$(EXEEXT) t-mpi-bit$(EXEEXT) \ + t-mpi-point$(EXEEXT) curves$(EXEEXT) t-lock$(EXEEXT) \ + prime$(EXEEXT) basic$(EXEEXT) keygen$(EXEEXT) pubkey$(EXEEXT) \ + hmac$(EXEEXT) hashtest$(EXEEXT) t-kdf$(EXEEXT) \ + keygrip$(EXEEXT) fips186-dsa$(EXEEXT) aeswrap$(EXEEXT) \ + pkcs1v2$(EXEEXT) random$(EXEEXT) dsa-rfc6979$(EXEEXT) \ + t-ed25519$(EXEEXT) t-cv25519$(EXEEXT) am__EXEEXT_2 = benchmark$(EXEEXT) bench-slope$(EXEEXT) PROGRAMS = $(noinst_PROGRAMS) aeswrap_SOURCES = aeswrap.c @@ -251,6 +250,10 @@ t_mpi_point_SOURCES = t-mpi-point.c t_mpi_point_OBJECTS = t-mpi-point.$(OBJEXT) t_mpi_point_LDADD = $(LDADD) t_mpi_point_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) +t_secmem_SOURCES = t-secmem.c +t_secmem_OBJECTS = t-secmem.$(OBJEXT) +t_secmem_LDADD = $(LDADD) +t_secmem_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) t_sexp_SOURCES = t-sexp.c t_sexp_OBJECTS = t-sexp.$(OBJEXT) t_sexp_LDADD = $(LDADD) @@ -302,13 +305,13 @@ SOURCES = aeswrap.c basic.c bench-slope.c benchmark.c curves.c \ hashtest.c hmac.c keygen.c keygrip.c mpitests.c pkbench.c \ pkcs1v2.c prime.c pubkey.c random.c rsacvt.c t-convert.c \ t-cv25519.c t-ed25519.c t-kdf.c t-lock.c t-mpi-bit.c \ - t-mpi-point.c t-sexp.c testapi.c version.c + t-mpi-point.c t-secmem.c t-sexp.c testapi.c version.c DIST_SOURCES = aeswrap.c basic.c bench-slope.c benchmark.c curves.c \ dsa-rfc6979.c fips186-dsa.c fipsdrv.c gchash.c genhashdata.c \ hashtest.c hmac.c keygen.c keygrip.c mpitests.c pkbench.c \ pkcs1v2.c prime.c pubkey.c random.c rsacvt.c t-convert.c \ t-cv25519.c t-ed25519.c t-kdf.c t-lock.c t-mpi-bit.c \ - t-mpi-point.c t-sexp.c testapi.c version.c + t-mpi-point.c t-secmem.c t-sexp.c testapi.c version.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -356,7 +359,6 @@ am__tty_colors = { \ std=''; \ fi; \ } -am__EXEEXT_3 = DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -520,13 +522,13 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tests_bin = \ - version mpitests t-sexp t-convert \ + version t-secmem mpitests t-sexp t-convert \ t-mpi-bit t-mpi-point curves t-lock \ prime basic keygen pubkey hmac hashtest t-kdf keygrip \ fips186-dsa aeswrap pkcs1v2 random dsa-rfc6979 t-ed25519 t-cv25519 tests_bin_last = benchmark bench-slope -tests_sh = +tests_sh = basic-disable-all-hwf tests_sh_last = hashtest-256g TESTS_ENVIRONMENT = GCRYPT_IN_REGRESSION_TEST=1 @@ -543,7 +545,9 @@ noinst_HEADERS = t-common.h EXTRA_DIST = README rsa-16k.key cavs_tests.sh cavs_driver.pl \ pkcs1v2-oaep.h pkcs1v2-pss.h pkcs1v2-v15c.h pkcs1v2-v15s.h \ t-ed25519.inp stopwatch.h hashtest-256g.in \ - sha3-224.h sha3-256.h sha3-384.h sha3-512.h + sha3-224.h sha3-256.h sha3-384.h sha3-512.h \ + blake2b.h blake2s.h \ + basic-disable-all-hwf.in basic_all_hwfeature_combinations.sh LDADD = $(standard_ldadd) $(GPG_ERROR_LIBS) t_lock_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) @@ -584,6 +588,8 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) $(am__aclocal_m4_deps): hashtest-256g: $(top_builddir)/config.status $(srcdir)/hashtest-256g.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +basic-disable-all-hwf: $(top_builddir)/config.status $(srcdir)/basic-disable-all-hwf.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ clean-noinstPROGRAMS: @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ @@ -706,6 +712,10 @@ t-mpi-point$(EXEEXT): $(t_mpi_point_OBJECTS) $(t_mpi_point_DEPENDENCIES) $(EXTRA @rm -f t-mpi-point$(EXEEXT) $(AM_V_CCLD)$(LINK) $(t_mpi_point_OBJECTS) $(t_mpi_point_LDADD) $(LIBS) +t-secmem$(EXEEXT): $(t_secmem_OBJECTS) $(t_secmem_DEPENDENCIES) $(EXTRA_t_secmem_DEPENDENCIES) + @rm -f t-secmem$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(t_secmem_OBJECTS) $(t_secmem_LDADD) $(LIBS) + t-sexp$(EXEEXT): $(t_sexp_OBJECTS) $(t_sexp_DEPENDENCIES) $(EXTRA_t_sexp_DEPENDENCIES) @rm -f t-sexp$(EXEEXT) $(AM_V_CCLD)$(LINK) $(t_sexp_OBJECTS) $(t_sexp_LDADD) $(LIBS) @@ -751,6 +761,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t-kdf.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t-mpi-bit.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t-mpi-point.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t-secmem.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t-sexp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t_lock-t-lock.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/testapi.Po@am__quote@ diff --git a/tests/aeswrap.c b/tests/aeswrap.c index 16b576d..90add11 100644 --- a/tests/aeswrap.c +++ b/tests/aeswrap.c @@ -26,33 +26,8 @@ #include #include -#include "../src/gcrypt-int.h" - -static int verbose; -static int error_count; - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - +#define PGM "aeswrap" +#include "t-common.h" static void @@ -239,8 +214,6 @@ check_all (void) int main (int argc, char **argv) { - int debug = 0; - if (argc > 1 && !strcmp (argv[1], "--verbose")) verbose = 1; else if (argc > 1 && !strcmp (argv[1], "--debug")) @@ -249,10 +222,10 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); check_all (); return error_count ? 1 : 0; diff --git a/tests/basic-disable-all-hwf.in b/tests/basic-disable-all-hwf.in new file mode 100644 index 0000000..1f0a4de --- /dev/null +++ b/tests/basic-disable-all-hwf.in @@ -0,0 +1,4 @@ +#!/bin/sh + +echo " now running 'basic' test with all hardware features disabled." +exec ./basic@EXEEXT@ --disable-hwf all diff --git a/tests/basic.c b/tests/basic.c index ffb4397..89b7917 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -30,11 +30,8 @@ #include "../src/gcrypt-int.h" -#ifndef DIM -# define DIM(v) (sizeof(v)/sizeof((v)[0])) -#endif - #define PGM "basic" +#include "t-common.h" typedef struct test_spec_pubkey_key { @@ -56,40 +53,10 @@ test_spec_pubkey_t; #define FLAG_SIGN (1 << 1) #define FLAG_GRIP (1 << 2) -static int verbose; -static int error_count; static int in_fips_mode; -static int die_on_error; #define MAX_DATA_LEN 128 -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define xmalloc(a) gcry_xmalloc ((a)) -#define xcalloc(a,b) gcry_xcalloc ((a),(b)) -#define xstrdup(a) gcry_xstrdup ((a)) -#define xfree(a) gcry_free ((a)) - - - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; - if (die_on_error) - exit (1); -} - static void mismatch (const void *expected, size_t expectedlen, @@ -107,18 +74,6 @@ mismatch (const void *expected, size_t expectedlen, } -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - - /* Convert STRING consisting of hex characters into its binary representation and return it as an allocated buffer. The valid length of the buffer is returned at R_LENGTH. The string is @@ -938,7 +893,104 @@ check_cfb_cipher (void) 16, "\x75\xa3\x85\x74\x1a\xb9\xce\xf8\x20\x31\x62\x3d\x55\xb1\xe4\x71" } } - } + }, + { GCRY_CIPHER_AES, 1, + "\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c", + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", + { { "\x6b", + 1, + "\x3b"}, + { "\xc1", + 1, + "\x79"}, + { "\xbe", + 1, + "\x42"}, + { "\xe2", + 1, + "\x4c"}, + } + }, + { GCRY_CIPHER_AES192, 1, + "\x8e\x73\xb0\xf7\xda\x0e\x64\x52\xc8\x10\xf3\x2b\x80\x90\x79\xe5" + "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", + { { "\x6b", + 1, + "\xcd"}, + { "\xc1", + 1, + "\xa2"}, + { "\xbe", + 1, + "\x52"}, + { "\xe2", + 1, + "\x1e"}, + } + }, + { GCRY_CIPHER_AES256, 1, + "\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81" + "\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4", + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", + { { "\x6b", + 1, + "\xdc"}, + { "\xc1", + 1, + "\x1f"}, + { "\xbe", + 1, + "\x1a"}, + { "\xe2", + 1, + "\x85"}, + } + }, + { GCRY_CIPHER_AES, 1, + "\x3a\x6f\x91\x59\x26\x3f\xa6\xce\xf2\xa0\x75\xca\xfa\xce\x58\x17", + "\x0f\xc2\x36\x62\xb7\xdb\xf7\x38\x27\xf0\xc7\xde\x32\x1c\xa3\x6e", + { { "\x87\xef\xeb\x8d\x55\x9e\xd3\x36\x77\x28", + 10, + "\x8e\x9c\x50\x42\x56\x14\xd5\x40\xce\x11"}, + } + }, + { GCRY_CIPHER_AES192, 1, + "\x53\x7e\x7b\xf6\x61\xfd\x40\x24\xa0\x24\x61\x3f\x15\xb1\x36\x90" + "\xf7\xd0\xc8\x47\xc1\xe1\x89\x65", + "\x3a\x81\xf9\xd9\xd3\xc1\x55\xb0\xca\xad\x5d\x73\x34\x94\x76\xfc", + { { "\xd3\xd8\xb9\xb9\x84\xad\xc2\x42\x37\xee", + 10, + "\x38\x79\xfe\xa7\x2a\xc9\x99\x29\xe5\x3a"}, + } + }, + { GCRY_CIPHER_AES256, 1, + "\xeb\xbb\x45\x66\xb5\xe1\x82\xe0\xf0\x72\x46\x6b\x0b\x31\x1d\xf3" + "\x8f\x91\x75\xbc\x02\x13\xa5\x53\x0b\xce\x2e\xc4\xd7\x4f\x40\x0d", + "\x09\x56\xa4\x8e\x01\x00\x2c\x9e\x16\x37\x6d\x6e\x30\x8d\xba\xd1", + { { "\xb0\xfe\x25\xac\x8d\x3d\x28\xa2\xf4\x71", + 10, + "\x63\x8c\x68\x23\xe7\x25\x6f\xb5\x62\x6e"}, + } + }, + { GCRY_CIPHER_3DES, 1, + "\xe3\x34\x7a\x6b\x0b\xc1\x15\x2c\x64\x2a\x25\xcb\xd3\xbc\x31\xab" + "\xfb\xa1\x62\xa8\x1f\x19\x7c\x15", + "\xb7\x40\xcc\x21\xe9\x25\xe3\xc8", + { { "\xdb\xe9\x15\xfc\xb3\x3b\xca\x18\xef\x14", + 10, + "\xf4\x80\x1a\x8d\x03\x9d\xb4\xca\x8f\xf6"}, + } + }, + { GCRY_CIPHER_3DES, 1, + "\x7c\xa2\x89\x38\xba\x6b\xec\x1f\xfe\xc7\x8f\x7c\xd6\x97\x61\x94" + "\x7c\xa2\x89\x38\xba\x6b\xec\x1f", + "\x95\x38\x96\x58\x6e\x49\xd3\x8f", + { { "\x2e\xa9\x56\xd4\xa2\x11\xdb\x68\x59\xb7", + 10, + "\xf2\x0e\x53\x66\x74\xa6\x6f\xa7\x38\x05"}, + } + }, }; gcry_cipher_hd_t hde, hdd; unsigned char out[MAX_DATA_LEN]; @@ -1593,8 +1645,8 @@ _check_gcm_cipher (unsigned int step) err = gcry_cipher_authenticate(hde, tv[i].aad + pos, poslen); if (err) { - fail ("aes-gcm, gcry_cipher_authenticate (%d) (%d:%d) failed: " - "%s\n", i, pos, step, gpg_strerror (err)); + fail ("aes-gcm, gcry_cipher_authenticate (%d) (%lu:%d) failed: " + "%s\n", i, (unsigned long) pos, step, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -1602,8 +1654,8 @@ _check_gcm_cipher (unsigned int step) err = gcry_cipher_authenticate(hdd, tv[i].aad + pos, poslen); if (err) { - fail ("aes-gcm, de gcry_cipher_authenticate (%d) (%d:%d) failed: " - "%s\n", i, pos, step, gpg_strerror (err)); + fail ("aes-gcm, de gcry_cipher_authenticate (%d) (%lu:%d) failed: " + "%s\n", i, (unsigned long) pos, step, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -1618,8 +1670,8 @@ _check_gcm_cipher (unsigned int step) tv[i].plaintext + pos, poslen); if (err) { - fail ("aes-gcm, gcry_cipher_encrypt (%d) (%d:%d) failed: %s\n", - i, pos, step, gpg_strerror (err)); + fail ("aes-gcm, gcry_cipher_encrypt (%d) (%lu:%d) failed: %s\n", + i, (unsigned long) pos, step, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -1636,8 +1688,8 @@ _check_gcm_cipher (unsigned int step) err = gcry_cipher_decrypt (hdd, out + pos, poslen, NULL, 0); if (err) { - fail ("aes-gcm, gcry_cipher_decrypt (%d) (%d:%d) failed: %s\n", - i, pos, step, gpg_strerror (err)); + fail ("aes-gcm, gcry_cipher_decrypt (%d) (%lu:%d) failed: %s\n", + i, (unsigned long) pos, step, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -1750,8 +1802,8 @@ _check_gcm_cipher (unsigned int step) if (tv[i].should_fail) goto next_tv; - fail ("aes-gcm, gcry_cipher_gettag(%d, %d) (byte-buf) failed: %s\n", - i, taglen2, gpg_strerror (err)); + fail ("aes-gcm, gcry_cipher_gettag(%d, %lu) (byte-buf) failed: %s\n", + i, (unsigned long) taglen2, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -1998,8 +2050,8 @@ _check_poly1305_cipher (unsigned int step) err = gcry_cipher_authenticate(hde, tv[i].aad + pos, poslen); if (err) { - fail ("poly1305, gcry_cipher_authenticate (%d) (%d:%d) failed: " - "%s\n", i, pos, step, gpg_strerror (err)); + fail ("poly1305, gcry_cipher_authenticate (%d) (%lu:%d) failed: " + "%s\n", i, (unsigned long) pos, step, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -2007,8 +2059,8 @@ _check_poly1305_cipher (unsigned int step) err = gcry_cipher_authenticate(hdd, tv[i].aad + pos, poslen); if (err) { - fail ("poly1305, de gcry_cipher_authenticate (%d) (%d:%d) failed: " - "%s\n", i, pos, step, gpg_strerror (err)); + fail ("poly1305, de gcry_cipher_authenticate (%d) (%lu:%d) failed: " + "%s\n", i, (unsigned long) pos, step, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -2023,8 +2075,8 @@ _check_poly1305_cipher (unsigned int step) tv[i].plaintext + pos, poslen); if (err) { - fail ("poly1305, gcry_cipher_encrypt (%d) (%d:%d) failed: %s\n", - i, pos, step, gpg_strerror (err)); + fail ("poly1305, gcry_cipher_encrypt (%d) (%lu:%d) failed: %s\n", + i, (unsigned long) pos, step, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -2041,8 +2093,8 @@ _check_poly1305_cipher (unsigned int step) err = gcry_cipher_decrypt (hdd, out + pos, poslen, NULL, 0); if (err) { - fail ("poly1305, gcry_cipher_decrypt (%d) (%d:%d) failed: %s\n", - i, pos, step, gpg_strerror (err)); + fail ("poly1305, gcry_cipher_decrypt (%d) (%lu:%d) failed: %s\n", + i, (unsigned long) pos, step, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -2709,8 +2761,8 @@ check_ccm_cipher (void) err = gcry_cipher_info (hde, GCRYCTL_GET_TAGLEN, NULL, &taglen2); if (err) { - fail ("cipher-ccm, gcryctl_get_taglen failed (tv %d): %s\n", - i, gpg_strerror (err)); + fail ("cipher-ccm, gcryctl_get_taglen failed (tv %lu): %s\n", + (unsigned long) i, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -2718,8 +2770,8 @@ check_ccm_cipher (void) if (taglen2 != authlen) { fail ("cipher-ccm, gcryctl_get_taglen returned bad length" - " (tv %d): got=%zu want=%zu\n", - i, taglen2, authlen); + " (tv %lu): got=%zu want=%zu\n", + (unsigned long) i, taglen2, authlen); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -2758,8 +2810,8 @@ check_ccm_cipher (void) split); if (err) { - fail ("cipher-ccm, gcry_cipher_encrypt (%d:%d) failed: %s\n", - i, j, gpg_strerror (err)); + fail ("cipher-ccm, gcry_cipher_encrypt (%lu:%lu) failed: %s\n", + (unsigned long) i, (unsigned long) j, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -2768,15 +2820,16 @@ check_ccm_cipher (void) err = gcry_cipher_gettag (hde, &out[tv[i].plainlen], authlen); if (err) { - fail ("cipher-ccm, gcry_cipher_gettag (%d:%d) failed: %s\n", - i, j, gpg_strerror (err)); + fail ("cipher-ccm, gcry_cipher_gettag (%lu:%lu) failed: %s\n", + (unsigned long) i, (unsigned long) j, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; } if (memcmp (tv[i].ciphertext, out, tv[i].cipherlen)) - fail ("cipher-ccm, encrypt mismatch entry %d:%d\n", i, j); + fail ("cipher-ccm, encrypt mismatch entry %lu:%lu\n", + (unsigned long) i, (unsigned long) j); err = gcry_cipher_decrypt (hdd, out, tv[i].plainlen - split, NULL, 0); if (!err) @@ -2784,21 +2837,22 @@ check_ccm_cipher (void) NULL, 0); if (err) { - fail ("cipher-ccm, gcry_cipher_decrypt (%d:%d) failed: %s\n", - i, j, gpg_strerror (err)); + fail ("cipher-ccm, gcry_cipher_decrypt (%lu:%lu) failed: %s\n", + (unsigned long) i, (unsigned long) j, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; } if (memcmp (tv[i].plaintext, out, tv[i].plainlen)) - fail ("cipher-ccm, decrypt mismatch entry %d:%d\n", i, j); + fail ("cipher-ccm, decrypt mismatch entry %lu:%lu\n", + (unsigned long) i, (unsigned long) j); err = gcry_cipher_checktag (hdd, &out[tv[i].plainlen], authlen); if (err) { - fail ("cipher-ccm, gcry_cipher_checktag (%d:%d) failed: %s\n", - i, j, gpg_strerror (err)); + fail ("cipher-ccm, gcry_cipher_checktag (%lu:%lu) failed: %s\n", + (unsigned long) i, (unsigned long) j, gpg_strerror (err)); gcry_cipher_close (hde); gcry_cipher_close (hdd); return; @@ -3874,6 +3928,343 @@ check_ocb_cipher (void) check_ocb_cipher_splitaad (); } + + +static void +do_check_xts_cipher (int inplace) +{ + /* Note that we use hex strings and not binary strings in TV. That + makes it easier to maintain the test vectors. */ + static const struct + { + int algo; + const char *key; /* NULL means "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F" */ + const char *iv; + const char *plain; + const char *ciph; + } tv[] = { + /* CAVS; hex/XTSGenAES128.rsp; COUNT=100 */ + { GCRY_CIPHER_AES, + "bcb6613c495de4bdad9c19f04e4b3915f9ecb379e1a575b633337e934fca1050", + "64981173159d58ac355a20120c8e81f1", + "189acacee06dfa7c94484c7dae59e166", + "7900191d0f19a97668fdba9def84eedc" + }, + /* CAVS; hex/XTSGenAES128.rsp; COUNT=101 */ + { GCRY_CIPHER_AES, + "b7b93f516aef295eff3a29d837cf1f135347e8a21dae616ff5062b2e8d78ce5e", + "873edea653b643bd8bcf51403197ed14", + "236f8a5b58dd55f6194ed70c4ac1a17f1fe60ec9a6c454d087ccb77d6b638c47", + "22e6a3c6379dcf7599b052b5a749c7f78ad8a11b9f1aa9430cf3aef445682e19" + }, + /* CAVS; hex/XTSGenAES128.rsp; COUNT=301 */ + { GCRY_CIPHER_AES, + "394c97881abd989d29c703e48a72b397a7acf51b59649eeea9b33274d8541df4", + "4b15c684a152d485fe9937d39b168c29", + "2f3b9dcfbae729583b1d1ffdd16bb6fe2757329435662a78f0", + "f3473802e38a3ffef4d4fb8e6aa266ebde553a64528a06463e" + }, + /* CAVS; hex/XTSGenAES128.rsp; COUNT=500 */ + { GCRY_CIPHER_AES, + "783a83ec52a27405dff9de4c57f9c979b360b6a5df88d67ec1a052e6f582a717", + "886e975b29bdf6f0c01bb47f61f6f0f5", + "b04d84da856b9a59ce2d626746f689a8051dacd6bce3b990aa901e4030648879", + "f941039ebab8cac39d59247cbbcb4d816c726daed11577692c55e4ac6d3e6820" + }, + /* CAVS; hex/XTSGenAES256.rsp; COUNT=1 */ + { GCRY_CIPHER_AES256, + "1ea661c58d943a0e4801e42f4b0947149e7f9f8e3e68d0c7505210bd311a0e7c" + "d6e13ffdf2418d8d1911c004cda58da3d619b7e2b9141e58318eea392cf41b08", + "adf8d92627464ad2f0428e84a9f87564", + "2eedea52cd8215e1acc647e810bbc3642e87287f8d2e57e36c0a24fbc12a202e", + "cbaad0e2f6cea3f50b37f934d46a9b130b9d54f07e34f36af793e86f73c6d7db" + }, + /* CAVS; hex/XTSGenAES256.rsp; COUNT=101 */ + { GCRY_CIPHER_AES256, + "266c336b3b01489f3267f52835fd92f674374b88b4e1ebd2d36a5f457581d9d0" + "42c3eef7b0b7e5137b086496b4d9e6ac658d7196a23f23f036172fdb8faee527", + "06b209a7a22f486ecbfadb0f3137ba42", + "ca7d65ef8d3dfad345b61ccddca1ad81de830b9e86c7b426d76cb7db766852d9" + "81c6b21409399d78f42cc0b33a7bbb06", + "c73256870cc2f4dd57acc74b5456dbd776912a128bc1f77d72cdebbf270044b7" + "a43ceed29025e1e8be211fa3c3ed002d" + }, + /* CAVS; hex/XTSGenAES256.rsp; COUNT=401 */ + { GCRY_CIPHER_AES256, + "33e89e817ff8d037d6ac5a2296657503f20885d94c483e26449066bd9284d130" + "2dbdbb4b66b6b9f4687f13dd028eb6aa528ca91deb9c5f40db93218806033801", + "a78c04335ab7498a52b81ed74b48e6cf", + "14c3ac31291b075f40788247c3019e88c7b40bac3832da45bbc6c4fe7461371b" + "4dfffb63f71c9f8edb98f28ff4f33121", + "dead7e587519bc78c70d99279fbe3d9b1ad13cdaae69824e0ab8135413230bfd" + "b13babe8f986fbb30d46ab5ec56b916e" + }, + /* From https://github.com/heisencoder/XTS-AES/blob/master/testvals/ */ + { GCRY_CIPHER_AES, + "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0", + "9a785634120000000000000000000000", + "000102030405060708090a0b0c0d0e0f10", + "7fb2e8beccbb5c118aa52ddca31220bb1b" + }, + { GCRY_CIPHER_AES, + "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0", + "9a785634120000000000000000000000", + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e", + "d05bc090a8e04f1b3d3ecdd5baec0fd4edbf9dace45d6f6a7306e64be5dd82" + }, + { GCRY_CIPHER_AES, + "2718281828459045235360287471352631415926535897932384626433832795", + "00000000000000000000000000000000", + "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F" + "20212223", + "27A7479BEFA1D476489F308CD4CFA6E288F548E5C4239F91712A587E2B05AC3D" + "A96E4BBE" + }, + { GCRY_CIPHER_AES256, + "2718281828459045235360287471352662497757247093699959574966967627" + "3141592653589793238462643383279502884197169399375105820974944592", + "11000000000000000000000000000000", + "3A060A8CAD115A6F44572E3759E43C8F8832FEDC28A8E35B357B5CF3EDBEF788" + "CAD8BFCB23", + "6D1C78A8BAD91DB2924C507CCEDE835F5BADD157DA0AF55C98BBC28CF676F9FA" + "61618FA696" + }, + { GCRY_CIPHER_AES256, + "2718281828459045235360287471352662497757247093699959574966967627" + "3141592653589793238462643383279502884197169399375105820974944592", + "11000000000000000000000000000000", + "3A060A8CAD115A6F44572E3759E43C8F8832FEDC28A8E35B357B5CF3EDBEF788" + "CAD8BFCB23", + "6D1C78A8BAD91DB2924C507CCEDE835F5BADD157DA0AF55C98BBC28CF676F9FA" + "61618FA696" + }, + { GCRY_CIPHER_AES, + "e0e1e2e3e4e5e6e7e8e9eaebecedeeefc0c1c2c3c4c5c6c7c8c9cacbcccdcecf", + "21436587a90000000000000000000000", + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" + "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" + "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" + "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff" + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" + "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" + "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" + "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff" + "0001020304050607", + "38b45812ef43a05bd957e545907e223b954ab4aaf088303ad910eadf14b42be6" + "8b2461149d8c8ba85f992be970bc621f1b06573f63e867bf5875acafa04e42cc" + "bd7bd3c2a0fb1fff791ec5ec36c66ae4ac1e806d81fbf709dbe29e471fad3854" + "9c8e66f5345d7c1eb94f405d1ec785cc6f6a68f6254dd8339f9d84057e01a177" + "41990482999516b5611a38f41bb6478e6f173f320805dd71b1932fc333cb9ee3" + "9936beea9ad96fa10fb4112b901734ddad40bc1878995f8e11aee7d141a2f5d4" + "8b7a4e1e7f0b2c04830e69a4fd1378411c2f287edf48c6c4e5c247a19680f7fe" + "41cefbd49b582106e3616cbbe4dfb2344b2ae9519391f3e0fb4922254b1d6d2d" + "19c6d4d537b3a26f3bcc51588b32f3eca0829b6a5ac72578fb814fb43cf80d64" + "a233e3f997a3f02683342f2b33d25b492536b93becb2f5e1a8b82f5b88334272" + "9e8ae09d16938841a21a97fb543eea3bbff59f13c1a18449e398701c1ad51648" + "346cbc04c27bb2da3b93a1372ccae548fb53bee476f9e9c91773b1bb19828394" + "d55d3e1a20ed69113a860b6829ffa847224604435070221b257e8dff783615d2" + "cae4803a93aa4334ab482a0afac9c0aeda70b45a481df5dec5df8cc0f423c77a" + "5fd46cd312021d4b438862419a791be03bb4d97c0e59578542531ba466a83baf" + "92cefc151b5cc1611a167893819b63fb37ec662bc0fc907db74a94468a55a7bc" + "8a6b18e86de60290" + }, + { GCRY_CIPHER_AES256, + "2718281828459045235360287471352662497757247093699959574966967627" + "3141592653589793238462643383279502884197169399375105820974944592", + "ffffffff000000000000000000000000", + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" + "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" + "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" + "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff" + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" + "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" + "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" + "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", + "bf53d2dade78e822a4d949a9bc6766b01b06a8ef70d26748c6a7fc36d80ae4c5" + "520f7c4ab0ac8544424fa405162fef5a6b7f229498063618d39f0003cb5fb8d1" + "c86b643497da1ff945c8d3bedeca4f479702a7a735f043ddb1d6aaade3c4a0ac" + "7ca7f3fa5279bef56f82cd7a2f38672e824814e10700300a055e1630b8f1cb0e" + "919f5e942010a416e2bf48cb46993d3cb6a51c19bacf864785a00bc2ecff15d3" + "50875b246ed53e68be6f55bd7e05cfc2b2ed6432198a6444b6d8c247fab941f5" + "69768b5c429366f1d3f00f0345b96123d56204c01c63b22ce78baf116e525ed9" + "0fdea39fa469494d3866c31e05f295ff21fea8d4e6e13d67e47ce722e9698a1c" + "1048d68ebcde76b86fcf976eab8aa9790268b7068e017a8b9b749409514f1053" + "027fd16c3786ea1bac5f15cb79711ee2abe82f5cf8b13ae73030ef5b9e4457e7" + "5d1304f988d62dd6fc4b94ed38ba831da4b7634971b6cd8ec325d9c61c00f1df" + "73627ed3745a5e8489f3a95c69639c32cd6e1d537a85f75cc844726e8a72fc00" + "77ad22000f1d5078f6b866318c668f1ad03d5a5fced5219f2eabbd0aa5c0f460" + "d183f04404a0d6f469558e81fab24a167905ab4c7878502ad3e38fdbe62a4155" + "6cec37325759533ce8f25f367c87bb5578d667ae93f9e2fd99bcbc5f2fbba88c" + "f6516139420fcff3b7361d86322c4bd84c82f335abb152c4a93411373aaa8220" + } + }; + gpg_error_t err = 0; + gcry_cipher_hd_t hde, hdd; + int tidx; + int got_err = 0; + + if (verbose) + fprintf (stderr, " Starting XTS checks.\n"); + + for (tidx = 0; !got_err && tidx < DIM (tv); tidx++) + { + const char *hexkey = tv[tidx].key; + char *key, *iv, *ciph, *plain, *out; + size_t keylen, ivlen, ciphlen, plainlen, outlen; + + if (verbose) + fprintf (stderr, " checking XTS mode for %s [%i] (tv %d)\n", + gcry_cipher_algo_name (tv[tidx].algo), tv[tidx].algo, tidx); + + if (!hexkey) + hexkey = "000102030405060708090A0B0C0D0E0F" + "101112131415161718191A1B1C1D1E1F"; + + /* Convert to hex strings to binary. */ + key = hex2buffer (hexkey, &keylen); + iv = hex2buffer (tv[tidx].iv, &ivlen); + plain = hex2buffer (tv[tidx].plain, &plainlen); + ciph = hex2buffer (tv[tidx].ciph, &ciphlen); + outlen = plainlen + 5; + out = xmalloc (outlen); + + assert (plainlen == ciphlen); + assert (plainlen <= outlen); + assert (out); + + err = gcry_cipher_open (&hde, tv[tidx].algo, GCRY_CIPHER_MODE_XTS, 0); + if (!err) + err = gcry_cipher_open (&hdd, tv[tidx].algo, GCRY_CIPHER_MODE_XTS, 0); + if (err) + { + fail ("cipher-xts, gcry_cipher_open failed (tv %d): %s\n", + tidx, gpg_strerror (err)); + return; + } + + err = gcry_cipher_setkey (hde, key, keylen); + if (err && in_fips_mode && memcmp(key, key + keylen/2, keylen/2) == 0) + { + /* Since both halves of key are the same, fail to set key in FIPS + mode is expected. */ + goto next_tv; + } + if (!err) + err = gcry_cipher_setkey (hdd, key, keylen); + if (err) + { + fail ("cipher-xts, gcry_cipher_setkey failed (tv %d): %s\n", + tidx, gpg_strerror (err)); + goto err_out; + } + + err = gcry_cipher_setiv (hde, iv, ivlen); + if (!err) + err = gcry_cipher_setiv (hdd, iv, ivlen); + if (err) + { + fail ("cipher-xts, gcry_cipher_setiv failed (tv %d): %s\n", + tidx, gpg_strerror (err)); + goto err_out; + } + + if (inplace) + { + memcpy(out, plain, plainlen); + err = gcry_cipher_encrypt (hde, out, plainlen, NULL, 0); + } + else + { + err = gcry_cipher_encrypt (hde, out, outlen, plain, plainlen); + } + if (err) + { + fail ("cipher-xts, gcry_cipher_encrypt failed (tv %d): %s\n", + tidx, gpg_strerror (err)); + goto err_out; + } + + /* Check that the encrypt output matches the expected cipher text. */ + if (memcmp (ciph, out, plainlen)) + { + mismatch (ciph, plainlen, out, plainlen); + fail ("cipher-xts, encrypt data mismatch (tv %d)\n", tidx); + } + + /* Now for the decryption. */ + if (inplace) + { + err = gcry_cipher_decrypt (hdd, out, plainlen, NULL, 0); + } + else + { + memcpy(ciph, out, ciphlen); + err = gcry_cipher_decrypt (hdd, out, plainlen, ciph, ciphlen); + } + if (err) + { + fail ("cipher-xts, gcry_cipher_decrypt (tv %d) failed: %s\n", + tidx, gpg_strerror (err)); + goto err_out; + } + + /* Check that the decrypt output matches the expected plain text. */ + if (memcmp (plain, out, plainlen)) + { + mismatch (plain, plainlen, out, plainlen); + fail ("cipher-xts, decrypt data mismatch (tv %d)\n", tidx); + } + + if (0) + { +err_out: + got_err = 1; + } + +next_tv: + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + + xfree (iv); + xfree (ciph); + xfree (plain); + xfree (key); + xfree (out); + } + + if (verbose) + fprintf (stderr, " Completed XTS checks.\n"); +} + + +static void +check_xts_cipher (void) +{ + /* Check XTS cipher with separate destination and source buffers for + * encryption/decryption. */ + do_check_xts_cipher(0); + + /* Check XTS cipher with inplace encrypt/decrypt. */ + do_check_xts_cipher(1); +} + + static void check_gost28147_cipher (void) { @@ -5158,7 +5549,7 @@ check_stream_cipher_large_block (void) -/* Check that our bulk encryption fucntions work properly. */ +/* Check that our bulk encryption functions work properly. */ static void check_bulk_cipher_modes (void) { @@ -5276,6 +5667,20 @@ check_bulk_cipher_modes (void) /*[14]*/ { 0x2d, 0x71, 0x54, 0xb9, 0xc5, 0x28, 0x76, 0xff, 0x76, 0xb5, 0x99, 0x37, 0x99, 0x9d, 0xf7, 0x10, 0x6d, 0x86, 0x4f, 0x3f } + }, + { GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_XTS, + "abcdefghijklmnopABCDEFGHIJKLMNOP", 32, + "1234567890123456", 16, +/*[15]*/ + { 0x71, 0x46, 0x40, 0xb0, 0xed, 0x6f, 0xc4, 0x82, 0x2b, 0x3f, + 0xb6, 0xf7, 0x81, 0x08, 0x4c, 0x8b, 0xc1, 0x66, 0x4c, 0x1b } + }, + { GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_XTS, + "abcdefghijklmnopABCDEFGHIJKLMNOP_abcdefghijklmnopABCDEFGHIJKLMNO", 64, + "1234567890123456", 16, +/*[16]*/ + { 0x8e, 0xbc, 0xa5, 0x21, 0x0a, 0x4b, 0x53, 0x14, 0x79, 0x81, + 0x25, 0xad, 0x24, 0x45, 0x98, 0xbd, 0x9f, 0x27, 0x5f, 0x01 } } }; gcry_cipher_hd_t hde = NULL; @@ -5480,15 +5885,16 @@ check_one_cipher_core (int algo, int mode, int flags, blklen = get_algo_mode_blklen(algo, mode); - assert (nkey == 32); + assert (nkey == 64); assert (nplain == 1040); assert (sizeof(in_buffer) == nplain + 1); assert (sizeof(out_buffer) == sizeof(in_buffer)); assert (blklen > 0); - if (mode == GCRY_CIPHER_MODE_CBC && (flags & GCRY_CIPHER_CBC_CTS)) + if ((mode == GCRY_CIPHER_MODE_CBC && (flags & GCRY_CIPHER_CBC_CTS)) || + mode == GCRY_CIPHER_MODE_XTS) { - /* TODO: examine why CBC with CTS fails. */ + /* Input cannot be split in to multiple operations with CTS . */ blklen = nplain; } @@ -5527,6 +5933,11 @@ check_one_cipher_core (int algo, int mode, int flags, return -1; } + if (mode == GCRY_CIPHER_MODE_XTS) + { + keylen *= 2; + } + err = gcry_cipher_open (&hd, algo, mode, flags); if (err) { @@ -5738,14 +6149,15 @@ check_one_cipher_core (int algo, int mode, int flags, static void check_one_cipher (int algo, int mode, int flags) { - char key[32+1]; + char key[64+1]; unsigned char plain[1040+1]; int bufshift, i; for (bufshift=0; bufshift < 4; bufshift++) { /* Pass 0: Standard test. */ - memcpy (key, "0123456789abcdef.,;/[]{}-=ABCDEF", 32); + memcpy (key, "0123456789abcdef.,;/[]{}-=ABCDEF_" + "0123456789abcdef.,;/[]{}-=ABCDEF", 64); memcpy (plain, "foobar42FOOBAR17", 16); for (i = 16; i < 1040; i += 16) { @@ -5756,25 +6168,25 @@ check_one_cipher (int algo, int mode, int flags) plain[i+14]++; } - if (check_one_cipher_core (algo, mode, flags, key, 32, plain, 1040, + if (check_one_cipher_core (algo, mode, flags, key, 64, plain, 1040, bufshift, 0+10*bufshift)) return; /* Pass 1: Key not aligned. */ - memmove (key+1, key, 32); - if (check_one_cipher_core (algo, mode, flags, key+1, 32, plain, 1040, + memmove (key+1, key, 64); + if (check_one_cipher_core (algo, mode, flags, key+1, 64, plain, 1040, bufshift, 1+10*bufshift)) return; /* Pass 2: Key not aligned and data not aligned. */ memmove (plain+1, plain, 1040); - if (check_one_cipher_core (algo, mode, flags, key+1, 32, plain+1, 1040, + if (check_one_cipher_core (algo, mode, flags, key+1, 64, plain+1, 1040, bufshift, 2+10*bufshift)) return; /* Pass 3: Key aligned and data not aligned. */ - memmove (key, key+1, 32); - if (check_one_cipher_core (algo, mode, flags, key, 32, plain+1, 1040, + memmove (key, key+1, 64); + if (check_one_cipher_core (algo, mode, flags, key, 64, plain+1, 1040, bufshift, 3+10*bufshift)) return; } @@ -5864,6 +6276,7 @@ check_ciphers (void) check_one_cipher (algos[i], GCRY_CIPHER_MODE_ECB, 0); check_one_cipher (algos[i], GCRY_CIPHER_MODE_CFB, 0); + check_one_cipher (algos[i], GCRY_CIPHER_MODE_CFB8, 0); check_one_cipher (algos[i], GCRY_CIPHER_MODE_OFB, 0); check_one_cipher (algos[i], GCRY_CIPHER_MODE_CBC, 0); check_one_cipher (algos[i], GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_CBC_CTS); @@ -5874,6 +6287,8 @@ check_ciphers (void) check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0); if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_OCB_BLOCK_LEN) check_one_cipher (algos[i], GCRY_CIPHER_MODE_OCB, 0); + if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_XTS_BLOCK_LEN) + check_one_cipher (algos[i], GCRY_CIPHER_MODE_XTS, 0); } for (i = 0; algos2[i]; i++) @@ -5917,6 +6332,7 @@ check_cipher_modes(void) check_gcm_cipher (); check_poly1305_cipher (); check_ocb_cipher (); + check_xts_cipher (); check_gost28147_cipher (); check_stream_cipher (); check_stream_cipher_large_block (); @@ -5935,7 +6351,8 @@ fillbuf_count (char *buf, size_t buflen, unsigned char pos) static void -check_one_md (int algo, const char *data, int len, const char *expect, int elen) +check_one_md (int algo, const char *data, int len, const char *expect, int elen, + const char *key, int klen) { gcry_md_hd_t hd, hd2; unsigned char *p; @@ -5960,11 +6377,23 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen) } else { + gcry_md_close (hd); fail ("algo %d, gcry_md_get_algo_dlen failed: %d\n", algo, mdlen); return; } } + if (key && klen) + { + err = gcry_md_setkey (hd, key, klen); + if (err) + { + gcry_md_close (hd); + fail ("algo %d, gcry_md_setkey failed: %s\n", algo, gpg_strerror (err)); + return; + } + } + if ((*data == '!' && !data[1]) || /* hash one million times a "a" */ (*data == '?' && !data[1])) /* hash million byte data-set with byte pattern 0x00,0x01,0x02,... */ { @@ -6041,7 +6470,6 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen) fail ("algo %d, digest mismatch\n", algo); } - } else { @@ -6267,6 +6695,23 @@ check_one_md_multi (int algo, const char *data, int len, const char *expect) static void check_digests (void) { + static const char blake2_data_vector[] = + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f" + "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f" + "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f" + "\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" + "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f" + "\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" + "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f" + "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" + "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf" + "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" + "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf" + "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" + "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef" + "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"; static const struct algos { int md; @@ -6274,6 +6719,8 @@ check_digests (void) const char *expect; int datalen; int expectlen; + const char *key; + int keylen; } algos[] = { { GCRY_MD_MD2, "", @@ -7044,6 +7491,285 @@ check_digests (void) "\x1b\xeb\x65\x53\xf2\x81\xfa\x75\x69\x48\xc4\x38\x49\x4b\x19\xb4" "\xee\x69\xa5\x43\x6b\x22\x2b\xc9\x88\xed\xa4\xac\x60\x00\x24\xc9", 0, 512, }, + { GCRY_MD_BLAKE2B_512, "abc", + "\xBA\x80\xA5\x3F\x98\x1C\x4D\x0D\x6A\x27\x97\xB6\x9F\x12\xF6\xE9" + "\x4C\x21\x2F\x14\x68\x5A\xC4\xB7\x4B\x12\xBB\x6F\xDB\xFF\xA2\xD1" + "\x7D\x87\xC5\x39\x2A\xAB\x79\x2D\xC2\x52\xD5\xDE\x45\x33\xCC\x95" + "\x18\xD3\x8A\xA8\xDB\xF1\x92\x5A\xB9\x23\x86\xED\xD4\x00\x99\x23" }, + { GCRY_MD_BLAKE2B_512, "\x00", + "\x96\x1f\x6d\xd1\xe4\xdd\x30\xf6\x39\x01\x69\x0c\x51\x2e\x78\xe4" + "\xb4\x5e\x47\x42\xed\x19\x7c\x3c\x5e\x45\xc5\x49\xfd\x25\xf2\xe4" + "\x18\x7b\x0b\xc9\xfe\x30\x49\x2b\x16\xb0\xd0\xbc\x4e\xf9\xb0\xf3" + "\x4c\x70\x03\xfa\xc0\x9a\x5e\xf1\x53\x2e\x69\x43\x02\x34\xce\xbd", + 1, 64, + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f" + "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f", + 64 }, +#include "./blake2b.h" + { GCRY_MD_BLAKE2B_160, + "", + "\xad\x75\xea\xd7\x9f\x71\x21\xd1\xf0\x8a\xfe\x59\x99\x27\xa5\xa3" + "\x8b\xe1\xb1\x79", + 0, 20, + "\x65\x65\xcb\x30\xfb\x2c\x28\x54\x7c\xd0\x4c\x1d\x6a\x88\xf2\x7a" + "\x6d\xe8\x55\x3d", + 20 }, + { GCRY_MD_BLAKE2B_160, + "\x9c\x9c\x38", + "\x82\x79\x9d\x7b\xe8\xf4\xd1\x69\xfb\x85\xe6\x63\x6a\x7b\x6c\x50" + "\xa0\x1f\x70\xa2", + 3, 20, + "\x65\x65\xcb\x30\xfb\x2c\x28\x54\x7c\xd0\x4c\x1d\x6a\x88\xf2\x7a" + "\x6d\xe8\x55\x3d", + 20 }, + { GCRY_MD_BLAKE2B_256, + "", + "\x89\x36\x29\x47\x52\x79\xdf\xd8\x2a\x84\x1a\x8f\x21\xa3\x72\xed" + "\x30\xcc\xb8\xae\x34\x62\xe1\x90\x7f\x50\x66\x3f\x3c\x03\x66\x83", + 0, 32, + "\xd5\xd5\xab\x80\x2c\xad\xd9\x86\x60\xe7\x47\x2f\x77\xa6\x1d\xc4" + "\xe2\xa6\x88\x2f\xb7\xe6\x9e\x85\x23\xa9\xcd\x76\x43\xb9\xfd\xb7", + 32 }, + { GCRY_MD_BLAKE2B_256, + "\x9c\x9c\x38", + "\x01\x6a\x18\xbb\x10\xe0\xc3\xa5\xe5\x9f\xce\xfd\x1a\x40\x7a\xb7" + "\xf1\xc0\x36\x1b\x3f\x98\x34\x77\x42\x54\xd3\xf0\x4c\xda\x38\x98", + 3, 32, + "\xd5\xd5\xab\x80\x2c\xad\xd9\x86\x60\xe7\x47\x2f\x77\xa6\x1d\xc4" + "\xe2\xa6\x88\x2f\xb7\xe6\x9e\x85\x23\xa9\xcd\x76\x43\xb9\xfd\xb7", + 32 }, + { GCRY_MD_BLAKE2B_384, + "", + "\xd7\x2c\x9b\x4a\x73\x4e\xb2\x07\xe9\xdd\xbf\xf0\x0b\x10\xc3\x70" + "\xc8\x9d\x67\xd7\x96\xc3\xa7\xb9\x68\x15\xa9\x53\x92\x1b\xb2\x97" + "\x59\xd2\x9d\x25\x63\xf3\xda\x4d\x7f\x3e\xa4\xa6\xe3\x4c\x32\x6b", + 0, 48, + "\xc0\xc0\x80\x41\xc2\x03\xc6\xca\x90\x5b\xeb\x46\x32\x79\xac\x26" + "\xd3\xf9\xcc\xc6\x93\x5a\xed\x48\x35\x7d\xb3\x31\xe5\x16\xfb\x12" + "\x0e\x21\x2f\x51\x80\xd1\x52\x24\x77\x9c\x13\xaf\xc3\x73\x37\xaa", + 48 }, + { GCRY_MD_BLAKE2B_384, + "\x9c\x9c\x38", + "\xef\x46\xfa\x54\xa2\xc2\x20\xda\x06\xa8\x4c\x77\x6e\x87\xdd\x0a" + "\x21\xee\xb5\xe9\x40\x1a\x0a\x78\x11\x19\x74\x18\xfe\x92\x70\x15" + "\x77\xd0\xa8\x53\x24\x48\xe8\xb8\x53\x6a\xa6\xc7\x42\xcd\x2c\x62", + 3, 48, + "\xc0\xc0\x80\x41\xc2\x03\xc6\xca\x90\x5b\xeb\x46\x32\x79\xac\x26" + "\xd3\xf9\xcc\xc6\x93\x5a\xed\x48\x35\x7d\xb3\x31\xe5\x16\xfb\x12" + "\x0e\x21\x2f\x51\x80\xd1\x52\x24\x77\x9c\x13\xaf\xc3\x73\x37\xaa", + 48 }, + { GCRY_MD_BLAKE2B_512, + "", + "\xd7\x4b\xf3\x1e\x5c\xe5\xd8\xa2\x5d\x09\x21\x52\x53\xca\xd2\xf8" + "\xd2\xfd\xa9\x10\x09\x30\x16\x05\xa6\x8c\xc3\x86\x5b\xb7\x93\x5b" + "\xca\xff\x6f\x2a\xf6\x43\xa7\x76\x99\xe8\x02\x61\xa1\xfd\x2c\x80" + "\xe8\x37\xb5\x62\x32\xf7\xb1\x46\x43\x4a\xa7\x4d\x71\x18\xbb\x16", + 0, 64, + "\xab\xab\x56\x01\x58\x5a\xb3\x0d\xc1\xce\x8f\x5e\xee\x4d\x3b\x88" + "\xc4\x4c\x11\x5e\x6f\xcd\x3d\x0a\x47\x52\x9a\xec\x86\x73\xfa\x6e" + "\x68\xd6\x3f\x16\x55\x6b\xc1\x2d\xef\x1d\x0c\x29\x35\x5f\x94\xf3" + "\x88\x7c\x04\x81\x86\x07\x8e\x95\x23\xb9\xdd\x97\x74\x0c\x80\x8c", + 64 }, + { GCRY_MD_BLAKE2B_512, + "\x9c\x9c\x38", + "\x70\xfc\x57\xe1\x49\x5f\xe4\x39\x0d\x38\xa1\xd3\x97\x05\xee\xf6" + "\xaa\xbb\xd2\x64\xc7\xce\x66\x11\x8d\x0a\x87\xd4\x25\x94\xb3\x87" + "\xdc\x50\x18\x8b\xba\x61\xf0\x91\xd6\xb3\x4f\xf5\x4e\x09\x1e\x70" + "\x24\x01\x83\xcd\xb9\x21\x1f\x14\x39\x77\x5c\xc6\xe6\xe9\x35\x73", + 3, 64, + "\xab\xab\x56\x01\x58\x5a\xb3\x0d\xc1\xce\x8f\x5e\xee\x4d\x3b\x88" + "\xc4\x4c\x11\x5e\x6f\xcd\x3d\x0a\x47\x52\x9a\xec\x86\x73\xfa\x6e" + "\x68\xd6\x3f\x16\x55\x6b\xc1\x2d\xef\x1d\x0c\x29\x35\x5f\x94\xf3" + "\x88\x7c\x04\x81\x86\x07\x8e\x95\x23\xb9\xdd\x97\x74\x0c\x80\x8c", + 64 }, + { GCRY_MD_BLAKE2B_512, "!", + "\x98\xfb\x3e\xfb\x72\x06\xfd\x19\xeb\xf6\x9b\x6f\x31\x2c\xf7\xb6" + "\x4e\x3b\x94\xdb\xe1\xa1\x71\x07\x91\x39\x75\xa7\x93\xf1\x77\xe1" + "\xd0\x77\x60\x9d\x7f\xba\x36\x3c\xbb\xa0\x0d\x05\xf7\xaa\x4e\x4f" + "\xa8\x71\x5d\x64\x28\x10\x4c\x0a\x75\x64\x3b\x0f\xf3\xfd\x3e\xaf" }, + { GCRY_MD_BLAKE2B_512, "?", + "\xae\x9c\xf5\x7a\xc2\xff\x7b\x37\x7a\x5b\xb5\xcc\x2e\x62\x92\x20" + "\xa9\xba\x0a\x09\xc2\x2a\x0f\xdb\xd9\xa3\xae\xd6\x32\xc1\x72\x0e" + "\x6d\x82\x9f\x74\x7f\xba\x12\xe8\x31\xa2\x45\x8d\xf0\x73\x4e\xe0" + "\x12\x27\x52\xd3\xe2\x2c\x36\xc4\x42\x89\x3b\xcd\xd1\xbd\xd9\x08" }, + { GCRY_MD_BLAKE2B_384, "?", + "\x22\x66\x8e\x05\x81\x44\x52\xa5\x23\x84\xce\x67\xd4\xad\x0e\x03" + "\xdf\xe7\x1a\xc1\x56\x9d\x95\x4a\xd2\x22\x7a\x70\x2a\xfe\x6c\x68" + "\x5c\x7d\x65\x30\x2b\xc0\xde\xc6\xea\x72\x1e\xdd\x46\xdf\xb2\x08" }, + { GCRY_MD_BLAKE2B_256, "?", + "\xfa\x11\x30\xd8\xba\x8a\x4c\x5a\x0e\x6f\x4f\x4c\xd2\xd1\x38\x0c" + "\xb9\x22\x2a\xbd\xf6\x20\x70\xf8\x02\x1b\x34\xdd\xd7\x24\x92\x1b" }, + { GCRY_MD_BLAKE2B_160, "?", + "\xe7\x86\x08\x31\xf8\x96\x8d\x64\x9b\xe0\x15\x68\x33\xf3\xbd\x2a" + "\x5f\x0b\xdb\x40" }, + { GCRY_MD_BLAKE2S_256, "abc", + "\x50\x8C\x5E\x8C\x32\x7C\x14\xE2\xE1\xA7\x2B\xA3\x4E\xEB\x45\x2F" + "\x37\x45\x8B\x20\x9E\xD6\x3A\x29\x4D\x99\x9B\x4C\x86\x67\x59\x82" }, +#include "./blake2s.h" + { GCRY_MD_BLAKE2S_128, + "", + "\x84\x89\x68\xb3\x59\x01\xe9\x57\x9a\x4d\xbf\x28\xdf\x99\xec\x23", + 0, 16, + "\xea\xea\xd5\xc0\x96\x56\xec\x43\x30\x73\xa3\x17\xbb\xd3\x8e\x62", + 16 }, + { GCRY_MD_BLAKE2S_128, + "\x9c\x9c\x38", + "\x2e\xbb\x18\x78\xda\x34\x05\xad\x98\x1a\x33\x06\x50\x35\xd3\x75", + 3, 16, + "\xea\xea\xd5\xc0\x96\x56\xec\x43\x30\x73\xa3\x17\xbb\xd3\x8e\x62", + 16 }, + { GCRY_MD_BLAKE2S_128, + "\xab\xab\x56\x01\x58\x5a\xb3\x0d\xc1\xce\x8f\x5e\xee\x4d\x3b\x88" + "\xc4\x4c\x11\x5e\x6f\xcd\x3d\x0a\x47\x52\x9a\xec\x86\x73\xfa\x6e" + "\x68\xd6\x3f\x16\x55\x6b\xc1\x2d\xef\x1d\x0c\x29\x35\x5f\x94\xf3" + "\x88\x7c\x04\x81\x86\x07\x8e\x95\x23\xb9\xdd\x97\x74\x0c\x80\x8c", + "\x3c\xd4\xea\xd7\x88\x0b\x8e\x82\xde\x07\x9c\x1f\xad\x34\x17\xd4", + 64, 16, + "\xea\xea\xd5\xc0\x96\x56\xec\x43\x30\x73\xa3\x17\xbb\xd3\x8e\x62", + 16 }, + { GCRY_MD_BLAKE2S_128, + "\x8a\x8a\x14\x9e\xb2\x50\x02\x52\x54\xa6\xfa\xa0\x9a\x3a\xd4\x0e" + "\xe3\xf2\xd5\xc7\x9d\x64\x02\x66\x68\xcf\x38\x08\x41\x49\x8a\xd3" + "\x5e\x32\x90\xc2\x53\x15\x68\x7e\xe6\x65\x4b\xb0\xfc\xad\xaa\x58" + "\x02\x5b\x5e\xb9\x18\xd1\xe9\xbb\xa5\x61\x07\x68\x70\xd9\x49\x22" + "\x6b", + "\xee\x92\xc5\x25\x4c\x29\x7a\x88\xe6\x9a\x23\x69\x56\xb6\x7c\xee", + 65, 16, + "\xea\xea\xd5\xc0\x96\x56\xec\x43\x30\x73\xa3\x17\xbb\xd3\x8e\x62", + 16 }, + { GCRY_MD_BLAKE2S_160, + "", + "\x68\x64\x48\x80\x0c\x80\xc6\xd0\x4f\xb7\x3f\xc1\x7f\xa0\x8c\xa2" + "\x39\x03\xe1\xe9", + 0, 20, + "\x65\x65\xcb\x30\xfb\x2c\x28\x54\x7c\xd0\x4c\x1d\x6a\x88\xf2\x7a" + "\x6d\xe8\x55\x3d", + 20 }, + { GCRY_MD_BLAKE2S_160, + "\x9c\x9c\x38", + "\xba\xb3\x5b\x8c\x87\x04\x1a\x00\x24\x44\xa5\xca\x45\x13\x2d\x75" + "\xef\xd3\x4c\xb9", + 3, 20, + "\x65\x65\xcb\x30\xfb\x2c\x28\x54\x7c\xd0\x4c\x1d\x6a\x88\xf2\x7a" + "\x6d\xe8\x55\x3d", + 20 }, + { GCRY_MD_BLAKE2S_160, + "\xab\xab\x56\x01\x58\x5a\xb3\x0d\xc1\xce\x8f\x5e\xee\x4d\x3b\x88" + "\xc4\x4c\x11\x5e\x6f\xcd\x3d\x0a\x47\x52\x9a\xec\x86\x73\xfa\x6e" + "\x68\xd6\x3f\x16\x55\x6b\xc1\x2d\xef\x1d\x0c\x29\x35\x5f\x94\xf3" + "\x88\x7c\x04\x81\x86\x07\x8e\x95\x23\xb9\xdd\x97\x74\x0c\x80\x8c", + "\xe8\xc3\xf1\xdb\x1c\xf8\xe9\xd1\xb5\x4a\x54\x0a\xdc\xe7\x18\x13" + "\x0f\xf4\x12\x98", + 64, 20, + "\x65\x65\xcb\x30\xfb\x2c\x28\x54\x7c\xd0\x4c\x1d\x6a\x88\xf2\x7a" + "\x6d\xe8\x55\x3d", + 20 }, + { GCRY_MD_BLAKE2S_160, + "\x8a\x8a\x14\x9e\xb2\x50\x02\x52\x54\xa6\xfa\xa0\x9a\x3a\xd4\x0e" + "\xe3\xf2\xd5\xc7\x9d\x64\x02\x66\x68\xcf\x38\x08\x41\x49\x8a\xd3" + "\x5e\x32\x90\xc2\x53\x15\x68\x7e\xe6\x65\x4b\xb0\xfc\xad\xaa\x58" + "\x02\x5b\x5e\xb9\x18\xd1\xe9\xbb\xa5\x61\x07\x68\x70\xd9\x49\x22" + "\x6b", + "\x59\x02\xf8\x38\x18\x77\x9c\xd8\x13\x40\x0f\xd6\xbb\x23\x04\x1b" + "\x64\x9a\x57\xa7", + 65, 20, + "\x65\x65\xcb\x30\xfb\x2c\x28\x54\x7c\xd0\x4c\x1d\x6a\x88\xf2\x7a" + "\x6d\xe8\x55\x3d", + 20 }, + { GCRY_MD_BLAKE2S_224, + "", + "\xa8\x66\x86\x63\x35\x3a\xe0\x8f\x4e\x4b\x6b\x1e\xcb\x43\x19\xc8" + "\x2b\x41\x3f\x5e\xe5\x43\x95\x9c\xa5\x9a\x73\x1b", + 0, 28, + "\x5a\x5a\xb5\x10\xc6\xd7\x9e\x76\x14\x8a\x9e\x29\xc8\xf1\xba\xab" + "\x65\x11\x77\x89\x00\x89\x8a\x14\x9f\xb4\x53\x07", + 28 }, + { GCRY_MD_BLAKE2S_224, + "\x9c\x9c\x38", + "\x1a\x34\x9d\xc1\x51\xbd\x8b\xa2\xa7\xa6\x6b\xe4\x93\x98\x51\x88" + "\x33\x49\x71\x02\x09\xb1\x20\x85\x8c\x4c\x67\xb8", + 3, 28, + "\x5a\x5a\xb5\x10\xc6\xd7\x9e\x76\x14\x8a\x9e\x29\xc8\xf1\xba\xab" + "\x65\x11\x77\x89\x00\x89\x8a\x14\x9f\xb4\x53\x07", + 28 }, + { GCRY_MD_BLAKE2S_224, + "\xab\xab\x56\x01\x58\x5a\xb3\x0d\xc1\xce\x8f\x5e\xee\x4d\x3b\x88" + "\xc4\x4c\x11\x5e\x6f\xcd\x3d\x0a\x47\x52\x9a\xec\x86\x73\xfa\x6e" + "\x68\xd6\x3f\x16\x55\x6b\xc1\x2d\xef\x1d\x0c\x29\x35\x5f\x94\xf3" + "\x88\x7c\x04\x81\x86\x07\x8e\x95\x23\xb9\xdd\x97\x74\x0c\x80\x8c", + "\x3a\x0e\xd5\x46\x95\x8c\xd6\xf9\x7c\x38\xd0\xe7\x1c\xfd\xd4\xc5" + "\x67\x6d\x5c\xcc\x35\x06\xec\x87\x87\x09\x26\x39", + 64, 28, + "\x5a\x5a\xb5\x10\xc6\xd7\x9e\x76\x14\x8a\x9e\x29\xc8\xf1\xba\xab" + "\x65\x11\x77\x89\x00\x89\x8a\x14\x9f\xb4\x53\x07", + 28 }, + { GCRY_MD_BLAKE2S_224, + "\x8a\x8a\x14\x9e\xb2\x50\x02\x52\x54\xa6\xfa\xa0\x9a\x3a\xd4\x0e" + "\xe3\xf2\xd5\xc7\x9d\x64\x02\x66\x68\xcf\x38\x08\x41\x49\x8a\xd3" + "\x5e\x32\x90\xc2\x53\x15\x68\x7e\xe6\x65\x4b\xb0\xfc\xad\xaa\x58" + "\x02\x5b\x5e\xb9\x18\xd1\xe9\xbb\xa5\x61\x07\x68\x70\xd9\x49\x22" + "\x6b", + "\x63\xd7\x98\xcc\x8e\xe3\x00\x45\x2f\xd8\x19\x83\x02\x94\x7f\xf1" + "\xb3\x82\x73\xaa\x19\xae\x72\x8b\x1f\x64\xbe\x88", + 65, 28, + "\x5a\x5a\xb5\x10\xc6\xd7\x9e\x76\x14\x8a\x9e\x29\xc8\xf1\xba\xab" + "\x65\x11\x77\x89\x00\x89\x8a\x14\x9f\xb4\x53\x07", + 28 }, + { GCRY_MD_BLAKE2S_256, + "", + "\x98\xf3\x21\xe5\x43\xb8\x07\x35\x27\x9c\x86\x1c\x36\x33\x9b\x43" + "\x45\x50\xc6\x9d\x23\xc6\xc8\xff\x96\xbf\x4e\x03\x86\x10\x24\xfd", + 0, 32, + "\xd5\xd5\xab\x80\x2c\xad\xd9\x86\x60\xe7\x47\x2f\x77\xa6\x1d\xc4" + "\xe2\xa6\x88\x2f\xb7\xe6\x9e\x85\x23\xa9\xcd\x76\x43\xb9\xfd\xb7", + 32 }, + { GCRY_MD_BLAKE2S_256, + "\x9c\x9c\x38", + "\x7b\x10\xa3\x67\xb8\x5d\x29\x9a\x91\x27\x37\x05\x9d\x05\x9d\x3d" + "\xe6\x42\xa3\x19\x04\x57\x01\xb6\x25\x0b\xfd\x3c\x6c\xb9\x4f\x87", + 3, 32, + "\xd5\xd5\xab\x80\x2c\xad\xd9\x86\x60\xe7\x47\x2f\x77\xa6\x1d\xc4" + "\xe2\xa6\x88\x2f\xb7\xe6\x9e\x85\x23\xa9\xcd\x76\x43\xb9\xfd\xb7", + 32 }, + { GCRY_MD_BLAKE2S_256, + "\xab\xab\x56\x01\x58\x5a\xb3\x0d\xc1\xce\x8f\x5e\xee\x4d\x3b\x88" + "\xc4\x4c\x11\x5e\x6f\xcd\x3d\x0a\x47\x52\x9a\xec\x86\x73\xfa\x6e" + "\x68\xd6\x3f\x16\x55\x6b\xc1\x2d\xef\x1d\x0c\x29\x35\x5f\x94\xf3" + "\x88\x7c\x04\x81\x86\x07\x8e\x95\x23\xb9\xdd\x97\x74\x0c\x80\x8c", + "\xd7\x8b\x98\x28\x54\x4c\xc1\x62\x9e\xab\x7d\xfe\xb1\xfa\xdd\x2b" + "\xed\x98\x1c\xe6\x5f\xef\xd8\x08\x42\x9a\x11\x1e\x97\x44\x92\xa3", + 64, 32, + "\xd5\xd5\xab\x80\x2c\xad\xd9\x86\x60\xe7\x47\x2f\x77\xa6\x1d\xc4" + "\xe2\xa6\x88\x2f\xb7\xe6\x9e\x85\x23\xa9\xcd\x76\x43\xb9\xfd\xb7", + 32 }, + { GCRY_MD_BLAKE2S_256, + "\x8a\x8a\x14\x9e\xb2\x50\x02\x52\x54\xa6\xfa\xa0\x9a\x3a\xd4\x0e" + "\xe3\xf2\xd5\xc7\x9d\x64\x02\x66\x68\xcf\x38\x08\x41\x49\x8a\xd3" + "\x5e\x32\x90\xc2\x53\x15\x68\x7e\xe6\x65\x4b\xb0\xfc\xad\xaa\x58" + "\x02\x5b\x5e\xb9\x18\xd1\xe9\xbb\xa5\x61\x07\x68\x70\xd9\x49\x22" + "\x6b", + "\x1b\x9e\x26\x9a\x90\xf8\x73\x51\x73\xbc\x4f\x65\xce\x29\x2c\x61" + "\x16\x65\xc7\xb0\x72\x07\xa8\x0b\xfb\x2e\xea\x12\x7d\x97\xcd\x06", + 65, 32, + "\xd5\xd5\xab\x80\x2c\xad\xd9\x86\x60\xe7\x47\x2f\x77\xa6\x1d\xc4" + "\xe2\xa6\x88\x2f\xb7\xe6\x9e\x85\x23\xa9\xcd\x76\x43\xb9\xfd\xb7", + 32 }, + { GCRY_MD_BLAKE2S_256, "!", + "\xbe\xc0\xc0\xe6\xcd\xe5\xb6\x7a\xcb\x73\xb8\x1f\x79\xa6\x7a\x40" + "\x79\xae\x1c\x60\xda\xc9\xd2\x66\x1a\xf1\x8e\x9f\x8b\x50\xdf\xa5" }, + { GCRY_MD_BLAKE2S_256, "?", + "\xdc\x5a\xe7\x1b\xd4\x63\xa1\xf8\x4d\x73\x33\x44\x63\x6b\xa6\x87" + "\xe6\xbd\xf4\xba\xed\xc3\xef\xc8\xb3\x86\x55\xbb\x08\x56\x3e\xdb" }, + { GCRY_MD_BLAKE2S_224, "?", + "\x2e\x34\x7d\x6b\xcc\x80\xbe\xc3\xf8\x61\x35\x6a\x88\x27\xcd\x84" + "\x32\xd4\xd4\x05\xe0\x43\x20\x58\xc7\xb6\xda\xa3" }, + { GCRY_MD_BLAKE2S_160, "?", + "\xaa\x83\xe1\xcd\x8d\x4e\x9c\xb7\xf4\x6b\x43\xe1\xbc\x6f\x73\x3b" + "\x0e\xfc\x29\xde" }, + { GCRY_MD_BLAKE2S_128, "?", + "\x70\x0b\x8a\x71\x1d\x34\x0a\xf0\x13\x93\x19\x93\x5e\xd7\x54\x9c" }, { 0 } }; gcry_error_t err; @@ -7076,11 +7802,16 @@ check_digests (void) check_one_md (algos[i].md, algos[i].data, algos[i].datalen > 0 ? algos[i].datalen : strlen (algos[i].data), - algos[i].expect, algos[i].expectlen); + algos[i].expect, algos[i].expectlen, + algos[i].key, algos[i].keylen); + + if (algos[i].key && algos[i].keylen) + continue; + check_one_md_multi (algos[i].md, algos[i].data, algos[i].datalen > 0 ? algos[i].datalen : strlen (algos[i].data), - algos[i].expect); + algos[i].expect); } /* Check the Whirlpool bug emulation. */ @@ -9544,7 +10275,6 @@ main (int argc, char **argv) { gpg_error_t err; int last_argc = -1; - int debug = 0; int use_fips = 0; int selftest_only = 0; int pubkey_only = 0; @@ -9625,10 +10355,10 @@ main (int argc, char **argv) } } - gcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); if (use_fips) - gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); /* Check that we test exactly our version - including the patchlevel. */ if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL))) @@ -9639,16 +10369,16 @@ main (int argc, char **argv) in_fips_mode = 1; if (!in_fips_mode) - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (verbose) gcry_set_progress_handler (progress_handler, NULL); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); /* No valuable keys are create, so we can speed up our RNG. */ - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); do { @@ -9685,7 +10415,7 @@ main (int argc, char **argv) gcry_md_hd_t md; /* First trigger a self-test. */ - gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) fail ("not in operational state after self-test\n"); @@ -9714,7 +10444,7 @@ main (int argc, char **argv) { /* Now run a self-test and to get back into operational state. */ - gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) fail ("did not reach operational after error " "and self-test\n"); diff --git a/tests/basic_all_hwfeature_combinations.sh b/tests/basic_all_hwfeature_combinations.sh new file mode 100755 index 0000000..8ec97bf --- /dev/null +++ b/tests/basic_all_hwfeature_combinations.sh @@ -0,0 +1,111 @@ +#!/bin/bash +# Run basic tests with all HW feature combinations +# Copyright 2017 Jussi Kivilinna +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# + +# Use BINEXT to set executable extension +# For example for Windows executables: BINEXT=.exe +if [ "x$BINEXT" != "x" ] && [ -e "tests/version$BINEXT" ]; then + binext="$BINEXT" +else + binext="" +fi + +# Use BINPRE to set executable prefix +# For example to run Windows executable with WINE: BINPRE="wine " +if [ "x$BINPRE" != "x" ]; then + binpre="$BINPRE" +else + binpre="" +fi + +# Use NJOBS to define number of parallel tasks +if [ "x$NJOBS" != "x" ]; then + njobs="$NJOBS" +else + # default to cpu count + ncpus=$(nproc --all) + if [ "x@cpus" != "x" ]; then + njobs=$ncpus + else + # could not get cpu count, use 4 parallel tasks instead + njobs=4 + fi +fi + +get_supported_hwfeatures() { + $binpre "tests/version$binext" 2>&1 | \ + grep "hwflist" | \ + sed -e 's/hwflist://' -e 's/:/ /g' -e 's/\x0d/\x0a/g' +} + +hwfs=($(get_supported_hwfeatures)) +retcodes=() +optslist=() +echo "Total HW-feature combinations: $((1<<${#hwfs[@]}))" +for ((cbits=0; cbits < (1<<${#hwfs[@]}); cbits++)); do + for ((mask=0; mask < ${#hwfs[@]}; mask++)); do + match=$(((1<priv; + gcry_cipher_hd_t hd; + int err, keylen; + + /* For XTS, benchmark with typical data-unit size (512 byte sectors). */ + obj->min_bufsize = 512; + obj->max_bufsize = 16 * obj->min_bufsize; + obj->step_size = obj->min_bufsize; + obj->num_measure_repetitions = num_measurement_repetitions; + + err = gcry_cipher_open (&hd, mode->algo, mode->mode, 0); + if (err) + { + fprintf (stderr, PGM ": error opening cipher `%s'\n", + gcry_cipher_algo_name (mode->algo)); + exit (1); + } + + /* Double key-length for XTS. */ + keylen = gcry_cipher_get_algo_keylen (mode->algo) * 2; + if (keylen) + { + char key[keylen]; + int i; + + for (i = 0; i < keylen; i++) + key[i] = 0x33 ^ (11 - i); + + err = gcry_cipher_setkey (hd, key, keylen); + if (err) + { + fprintf (stderr, PGM ": gcry_cipher_setkey failed: %s\n", + gpg_strerror (err)); + gcry_cipher_close (hd); + exit (1); + } + } + else + { + fprintf (stderr, PGM ": failed to get key length for algorithm `%s'\n", + gcry_cipher_algo_name (mode->algo)); + gcry_cipher_close (hd); + exit (1); + } + + obj->priv = hd; + + return 0; +} + +static void +bench_xts_encrypt_do_bench (struct bench_obj *obj, void *buf, size_t buflen) +{ + gcry_cipher_hd_t hd = obj->priv; + unsigned int pos; + static const char tweak[16] = { 0xff, 0xff, 0xfe, }; + size_t sectorlen = obj->step_size; + char *cbuf = buf; + int err; + + gcry_cipher_setiv (hd, tweak, sizeof (tweak)); + + /* Process each sector separately. */ + + for (pos = 0; pos < buflen; pos += sectorlen, cbuf += sectorlen) + { + err = gcry_cipher_encrypt (hd, cbuf, sectorlen, cbuf, sectorlen); + if (err) + { + fprintf (stderr, PGM ": gcry_cipher_encrypt failed: %s\n", + gpg_strerror (err)); + gcry_cipher_close (hd); + exit (1); + } + } +} + +static void +bench_xts_decrypt_do_bench (struct bench_obj *obj, void *buf, size_t buflen) +{ + gcry_cipher_hd_t hd = obj->priv; + unsigned int pos; + static const char tweak[16] = { 0xff, 0xff, 0xfe, }; + size_t sectorlen = obj->step_size; + char *cbuf = buf; + int err; + + gcry_cipher_setiv (hd, tweak, sizeof (tweak)); + + /* Process each sector separately. */ + + for (pos = 0; pos < buflen; pos += sectorlen, cbuf += sectorlen) + { + err = gcry_cipher_decrypt (hd, cbuf, sectorlen, cbuf, sectorlen); + if (err) + { + fprintf (stderr, PGM ": gcry_cipher_encrypt failed: %s\n", + gpg_strerror (err)); + gcry_cipher_close (hd); + exit (1); + } + } +} + +static struct bench_ops xts_encrypt_ops = { + &bench_xts_encrypt_init, + &bench_encrypt_free, + &bench_xts_encrypt_do_bench +}; + +static struct bench_ops xts_decrypt_ops = { + &bench_xts_encrypt_init, + &bench_encrypt_free, + &bench_xts_decrypt_do_bench +}; + + static void bench_ccm_encrypt_do_bench (struct bench_obj *obj, void *buf, size_t buflen) { @@ -1165,6 +1286,8 @@ static struct bench_cipher_mode cipher_modes[] = { {GCRY_CIPHER_MODE_OFB, "OFB dec", &decrypt_ops}, {GCRY_CIPHER_MODE_CTR, "CTR enc", &encrypt_ops}, {GCRY_CIPHER_MODE_CTR, "CTR dec", &decrypt_ops}, + {GCRY_CIPHER_MODE_XTS, "XTS enc", &xts_encrypt_ops}, + {GCRY_CIPHER_MODE_XTS, "XTS dec", &xts_decrypt_ops}, {GCRY_CIPHER_MODE_CCM, "CCM enc", &ccm_encrypt_ops}, {GCRY_CIPHER_MODE_CCM, "CCM dec", &ccm_decrypt_ops}, {GCRY_CIPHER_MODE_CCM, "CCM auth", &ccm_authenticate_ops}, @@ -1218,8 +1341,12 @@ cipher_bench_one (int algo, struct bench_cipher_mode *pmode) if (mode.mode == GCRY_CIPHER_MODE_GCM && blklen != GCRY_GCM_BLOCK_LEN) return; - /* Our OCB implementaion has restrictions for block-size. */ - if (mode.mode == GCRY_CIPHER_MODE_OCB && blklen != 16) + /* XTS has restrictions for block-size */ + if (mode.mode == GCRY_CIPHER_MODE_XTS && blklen != GCRY_XTS_BLOCK_LEN) + return; + + /* Our OCB implementation has restrictions for block-size. */ + if (mode.mode == GCRY_CIPHER_MODE_OCB && blklen != GCRY_OCB_BLOCK_LEN) return; bench_print_mode (14, mode.name); @@ -1781,7 +1908,6 @@ int main (int argc, char **argv) { int last_argc = -1; - int debug = 0; if (argc) { @@ -1891,7 +2017,7 @@ main (int argc, char **argv) } } - gcry_control (GCRYCTL_SET_VERBOSITY, (int) verbose); + xgcry_control (GCRYCTL_SET_VERBOSITY, (int) verbose); if (!gcry_check_version (GCRYPT_VERSION)) { @@ -1901,11 +2027,11 @@ main (int argc, char **argv) } if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); if (in_regression_test) fputs ("Note: " PGM " running in quick regression test mode.\n", stdout); diff --git a/tests/benchmark.c b/tests/benchmark.c index d387c56..44a8711 100644 --- a/tests/benchmark.c +++ b/tests/benchmark.c @@ -35,8 +35,7 @@ #define PGM "benchmark" - -static int verbose; +#include "t-common.h" /* Do encryption tests with large buffers. */ static int large_buffers; @@ -392,26 +391,10 @@ static const char sample_private_elg_key_3072[] = " ))"; -#define DIM(v) (sizeof(v)/sizeof((v)[0])) -#define DIMof(type,member) DIM(((type *)0)->member) #define BUG() do {fprintf ( stderr, "Ooops at %s:%d\n", __FILE__ , __LINE__ );\ exit(2);} while(0) -static void -die (const char *format, ...) -{ - va_list arg_ptr ; - - va_start( arg_ptr, format ) ; - putchar ('\n'); - fputs ( PGM ": ", stderr); - vfprintf (stderr, format, arg_ptr ); - va_end(arg_ptr); - exit (1); -} - - static void show_sexp (const char *prefix, gcry_sexp_t a) { @@ -475,7 +458,7 @@ random_bench (int very_strong) putchar ('\n'); if (verbose) - gcry_control (GCRYCTL_DUMP_RANDOM_STATS); + xgcry_control (GCRYCTL_DUMP_RANDOM_STATS); } @@ -781,12 +764,15 @@ cipher_bench ( const char *algoname ) int req_blocksize; int authlen; int noncelen; + int doublekey; } modes[] = { { GCRY_CIPHER_MODE_ECB, " ECB/Stream", 1 }, { GCRY_CIPHER_MODE_CBC, " CBC", 1 }, { GCRY_CIPHER_MODE_CFB, " CFB", 0 }, { GCRY_CIPHER_MODE_OFB, " OFB", 0 }, { GCRY_CIPHER_MODE_CTR, " CTR", 0 }, + { GCRY_CIPHER_MODE_XTS, " XTS", 0, + NULL, GCRY_XTS_BLOCK_LEN, 0, 0, 1 }, { GCRY_CIPHER_MODE_CCM, " CCM", 0, ccm_aead_init, GCRY_CCM_BLOCK_LEN, 8 }, { GCRY_CIPHER_MODE_GCM, " GCM", 0, @@ -858,13 +844,13 @@ cipher_bench ( const char *algoname ) algoname); exit (1); } - if ( keylen > sizeof key ) + if ( keylen * 2 > sizeof key ) { fprintf (stderr, PGM ": algo %d, keylength problem (%d)\n", algo, keylen ); exit (1); } - for (i=0; i < keylen; i++) + for (i=0; i < keylen * 2; i++) key[i] = i + (clock () & 0xff); blklen = gcry_cipher_get_algo_blklen (algo); @@ -880,6 +866,8 @@ cipher_bench ( const char *algoname ) for (modeidx=0; modes[modeidx].mode; modeidx++) { + size_t modekeylen = keylen * (!!modes[modeidx].doublekey + 1); + if ((blklen > 1 && modes[modeidx].mode == GCRY_CIPHER_MODE_STREAM) || (blklen == 1 && modes[modeidx].mode != GCRY_CIPHER_MODE_STREAM)) continue; @@ -903,7 +891,7 @@ cipher_bench ( const char *algoname ) if (!cipher_with_keysetup) { - err = gcry_cipher_setkey (hd, key, keylen); + err = gcry_cipher_setkey (hd, key, modekeylen); if (err) { fprintf (stderr, "gcry_cipher_setkey failed: %s\n", @@ -922,7 +910,7 @@ cipher_bench ( const char *algoname ) { if (cipher_with_keysetup) { - err = gcry_cipher_setkey (hd, key, keylen); + err = gcry_cipher_setkey (hd, key, modekeylen); if (err) { fprintf (stderr, "gcry_cipher_setkey failed: %s\n", @@ -986,7 +974,7 @@ cipher_bench ( const char *algoname ) if (!cipher_with_keysetup) { - err = gcry_cipher_setkey (hd, key, keylen); + err = gcry_cipher_setkey (hd, key, modekeylen); if (err) { fprintf (stderr, "gcry_cipher_setkey failed: %s\n", @@ -1001,7 +989,7 @@ cipher_bench ( const char *algoname ) { if (cipher_with_keysetup) { - err = gcry_cipher_setkey (hd, key, keylen); + err = gcry_cipher_setkey (hd, key, modekeylen); if (err) { fprintf (stderr, "gcry_cipher_setkey failed: %s\n", @@ -1670,7 +1658,6 @@ main( int argc, char **argv ) int no_blinding = 0; int use_random_daemon = 0; int use_secmem = 0; - int debug = 0; int pk_count = 100; buffer_alignment = 1; @@ -1729,17 +1716,17 @@ main( int argc, char **argv ) { /* This is anyway the default, but we may want to use it for debugging. */ - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); argc--; argv++; } else if (!strcmp (*argv, "--prefer-fips-rng")) { - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); argc--; argv++; } else if (!strcmp (*argv, "--prefer-system-rng")) { - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); argc--; argv++; } else if (!strcmp (*argv, "--no-blinding")) @@ -1817,7 +1804,7 @@ main( int argc, char **argv ) { argc--; argv++; /* This command needs to be called before gcry_check_version. */ - gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); } else if (!strcmp (*argv, "--progress")) { @@ -1829,7 +1816,7 @@ main( int argc, char **argv ) if (buffer_alignment < 1 || buffer_alignment > 16) die ("value for --alignment must be in the range 1 to 16\n"); - gcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); if (!gcry_check_version (GCRYPT_VERSION)) { @@ -1839,20 +1826,20 @@ main( int argc, char **argv ) } if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); if (gcry_fips_mode_active ()) in_fips_mode = 1; else if (!use_secmem) - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (use_random_daemon) - gcry_control (GCRYCTL_USE_RANDOM_DAEMON, 1); + xgcry_control (GCRYCTL_USE_RANDOM_DAEMON, 1); if (with_progress) gcry_set_progress_handler (progress_cb, NULL); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (cipher_repetitions < 1) cipher_repetitions = 1; @@ -1866,7 +1853,7 @@ main( int argc, char **argv ) if ( !argc ) { - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); md_bench (NULL); putchar ('\n'); mac_bench (NULL); @@ -1888,9 +1875,9 @@ main( int argc, char **argv ) random_bench ((**argv == 's')); else if (argc == 2) { - gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, argv[1]); + xgcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, argv[1]); random_bench ((**argv == 's')); - gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE); + xgcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE); } else fputs ("usage: benchmark [strong]random [seedfile]\n", stdout); @@ -1925,7 +1912,7 @@ main( int argc, char **argv ) } else if ( !strcmp (*argv, "pubkey")) { - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); rsa_bench (pk_count, 1, no_blinding); elg_bench (pk_count, 0); dsa_bench (pk_count, 0); @@ -1933,27 +1920,27 @@ main( int argc, char **argv ) } else if ( !strcmp (*argv, "rsa")) { - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); rsa_bench (pk_count, 1, no_blinding); } else if ( !strcmp (*argv, "elg")) { - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); elg_bench (pk_count, 1); } else if ( !strcmp (*argv, "dsa")) { - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); dsa_bench (pk_count, 1); } else if ( !strcmp (*argv, "ecc")) { - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); ecc_bench (pk_count, 1); } else if ( !strcmp (*argv, "prime")) { - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); prime_bench (); } else diff --git a/tests/blake2b.h b/tests/blake2b.h new file mode 100644 index 0000000..1bec43b --- /dev/null +++ b/tests/blake2b.h @@ -0,0 +1,1539 @@ +/* Generated from https://raw.githubusercontent.com/BLAKE2/BLAKE2/master/testvectors/blake2-kat.h */ + + /* blake2b_kat[]: */ + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x78\x6a\x02\xf7\x42\x01\x59\x03\xc6\xc6\xfd\x85\x25\x52\xd2\x72" + "\x91\x2f\x47\x40\xe1\x58\x47\x61\x8a\x86\xe2\x17\xf7\x1f\x54\x19" + "\xd2\x5e\x10\x31\xaf\xee\x58\x53\x13\x89\x64\x44\x93\x4e\xb0\x4b" + "\x90\x3a\x68\x5b\x14\x48\xb7\x55\xd5\x6f\x70\x1a\xfe\x9b\xe2\xce", + 0 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x2f\xa3\xf6\x86\xdf\x87\x69\x95\x16\x7e\x7c\x2e\x5d\x74\xc4\xc7" + "\xb6\xe4\x8f\x80\x68\xfe\x0e\x44\x20\x83\x44\xd4\x80\xf7\x90\x4c" + "\x36\x96\x3e\x44\x11\x5f\xe3\xeb\x2a\x3a\xc8\x69\x4c\x28\xbc\xb4" + "\xf5\xa0\xf3\x27\x6f\x2e\x79\x48\x7d\x82\x19\x05\x7a\x50\x6e\x4b", + 1 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x1c\x08\x79\x8d\xc6\x41\xab\xa9\xde\xe4\x35\xe2\x25\x19\xa4\x72" + "\x9a\x09\xb2\xbf\xe0\xff\x00\xef\x2d\xcd\x8e\xd6\xf8\xa0\x7d\x15" + "\xea\xf4\xae\xe5\x2b\xbf\x18\xab\x56\x08\xa6\x19\x0f\x70\xb9\x04" + "\x86\xc8\xa7\xd4\x87\x37\x10\xb1\x11\x5d\x3d\xeb\xbb\x43\x27\xb5", + 2 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x40\xa3\x74\x72\x73\x02\xd9\xa4\x76\x9c\x17\xb5\xf4\x09\xff\x32" + "\xf5\x8a\xa2\x4f\xf1\x22\xd7\x60\x3e\x4f\xda\x15\x09\xe9\x19\xd4" + "\x10\x7a\x52\xc5\x75\x70\xa6\xd9\x4e\x50\x96\x7a\xea\x57\x3b\x11" + "\xf8\x6f\x47\x3f\x53\x75\x65\xc6\x6f\x70\x39\x83\x0a\x85\xd1\x86", + 3 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x77\xdd\xf4\xb1\x44\x25\xeb\x3d\x05\x3c\x1e\x84\xe3\x46\x9d\x92" + "\xc4\xcd\x91\x0e\xd2\x0f\x92\x03\x5e\x0c\x99\xd8\xa7\xa8\x6c\xec" + "\xaf\x69\xf9\x66\x3c\x20\xa7\xaa\x23\x0b\xc8\x2f\x60\xd2\x2f\xb4" + "\xa0\x0b\x09\xd3\xeb\x8f\xc6\x5e\xf5\x47\xfe\x63\xc8\xd3\xdd\xce", + 4 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xcb\xaa\x0b\xa7\xd4\x82\xb1\xf3\x01\x10\x9a\xe4\x10\x51\x99\x1a" + "\x32\x89\xbc\x11\x98\x00\x5a\xf2\x26\xc5\xe4\xf1\x03\xb6\x65\x79" + "\xf4\x61\x36\x10\x44\xc8\xba\x34\x39\xff\x12\xc5\x15\xfb\x29\xc5" + "\x21\x61\xb7\xeb\x9c\x28\x37\xb7\x6a\x5d\xc3\x3f\x7c\xb2\xe2\xe8", + 5 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xf9\x5d\x45\xcf\x69\xaf\x5c\x20\x23\xbd\xb5\x05\x82\x1e\x62\xe8" + "\x5d\x7c\xae\xdf\x7b\xed\xa1\x2c\x02\x48\x77\x5b\x0c\x88\x20\x5e" + "\xeb\x35\xaf\x3a\x90\x81\x6f\x66\x08\xce\x7d\xd4\x4e\xc2\x8d\xb1" + "\x14\x06\x14\xe1\xdd\xeb\xf3\xaa\x9c\xd1\x84\x3e\x0f\xad\x2c\x36", + 6 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x8f\x94\x5b\xa7\x00\xf2\x53\x0e\x5c\x2a\x7d\xf7\xd5\xdc\xe0\xf8" + "\x3f\x9e\xfc\x78\xc0\x73\xfe\x71\xae\x1f\x88\x20\x4a\x4f\xd1\xcf" + "\x70\xa0\x73\xf5\xd1\xf9\x42\xed\x62\x3a\xa1\x6e\x90\xa8\x71\x24" + "\x6c\x90\xc4\x5b\x62\x1b\x34\x01\xa5\xdd\xbd\x9d\xf6\x26\x41\x65", + 7 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xe9\x98\xe0\xdc\x03\xec\x30\xeb\x99\xbb\x6b\xfa\xaf\x66\x18\xac" + "\xc6\x20\x32\x0d\x72\x20\xb3\xaf\x2b\x23\xd1\x12\xd8\xe9\xcb\x12" + "\x62\xf3\xc0\xd6\x0d\x18\x3b\x1e\xe7\xf0\x96\xd1\x2d\xae\x42\xc9" + "\x58\x41\x86\x00\x21\x4d\x04\xf5\xed\x6f\x5e\x71\x8b\xe3\x55\x66", + 8 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6a\x9a\x09\x0c\x61\xb3\x41\x0a\xed\xe7\xec\x91\x38\x14\x6c\xeb" + "\x2c\x69\x66\x2f\x46\x0c\x3d\xa5\x3c\x65\x15\xc1\xeb\x31\xf4\x1c" + "\xa3\xd2\x80\xe5\x67\x88\x2f\x95\xcf\x66\x4a\x94\x14\x7d\x78\xf4" + "\x2c\xfc\x71\x4a\x40\xd2\x2e\xf1\x94\x70\xe0\x53\x49\x35\x08\xa2", + 9 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x29\x10\x25\x11\xd7\x49\xdb\x3c\xc9\xb4\xe3\x35\xfa\x1f\x5e\x8f" + "\xac\xa8\x42\x1d\x55\x8f\x6a\x3f\x33\x21\xd5\x0d\x04\x4a\x24\x8b" + "\xa5\x95\xcf\xc3\xef\xd3\xd2\xad\xc9\x73\x34\xda\x73\x24\x13\xf5" + "\xcb\xf4\x75\x1c\x36\x2b\xa1\xd5\x38\x62\xac\x1e\x8d\xab\xee\xe8", + 10 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc9\x7a\x47\x79\xd4\x7e\x6f\x77\x72\x9b\x59\x17\xd0\x13\x8a\xbb" + "\x35\x98\x0a\xb6\x41\xbd\x73\xa8\x85\x9e\xb1\xac\x98\xc0\x53\x62" + "\xed\x7d\x60\x8f\x2e\x95\x87\xd6\xba\x9e\x27\x1d\x34\x31\x25\xd4" + "\x0d\x93\x3a\x8e\xd0\x4e\xc1\xfe\x75\xec\x40\x7c\x7a\x53\xc3\x4e", + 11 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x10\xf0\xdc\x91\xb9\xf8\x45\xfb\x95\xfa\xd6\x86\x0e\x6c\xe1\xad" + "\xfa\x00\x2c\x7f\xc3\x27\x11\x6d\x44\xd0\x47\xcd\x7d\x58\x70\xd7" + "\x72\xbb\x12\xb5\xfa\xc0\x0e\x02\xb0\x8a\xc2\xa0\x17\x4d\x04\x46" + "\xc3\x6a\xb3\x5f\x14\xca\x31\x89\x4c\xd6\x1c\x78\xc8\x49\xb4\x8a", + 12 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xde\xa9\x10\x1c\xac\x62\xb8\xf6\xa3\xc6\x50\xf9\x0e\xea\x5b\xfa" + "\xe2\x65\x3a\x4e\xaf\xd6\x3a\x6d\x1f\x0f\x13\x2d\xb9\xe4\xf2\xb1" + "\xb6\x62\x43\x2e\xc8\x5b\x17\xbc\xac\x41\xe7\x75\x63\x78\x81\xf6" + "\xaa\xb3\x8d\xd6\x6d\xcb\xd0\x80\xf0\x99\x0a\x7a\x6e\x98\x54\xfe", + 13 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x44\x1f\xfa\xa0\x8c\xd7\x9d\xff\x4a\xfc\x9b\x9e\x5b\x56\x20\xee" + "\xc0\x86\x73\x0c\x25\xf6\x61\xb1\xd6\xfb\xfb\xd1\xce\xc3\x14\x8d" + "\xd7\x22\x58\xc6\x56\x41\xf2\xfc\xa5\xeb\x15\x5f\xad\xbc\xab\xb1" + "\x3c\x6e\x21\xdc\x11\xfa\xf7\x2c\x2a\x28\x1b\x7d\x56\x14\x5f\x19", + 14 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x44\x4b\x24\x0f\xe3\xed\x86\xd0\xe2\xef\x4c\xe7\xd8\x51\xed\xde" + "\x22\x15\x55\x82\xaa\x09\x14\x79\x7b\x72\x6c\xd0\x58\xb6\xf4\x59" + "\x32\xe0\xe1\x29\x51\x68\x76\x52\x7b\x1d\xd8\x8f\xc6\x6d\x71\x19" + "\xf4\xab\x3b\xed\x93\xa6\x1a\x0e\x2d\x2d\x2a\xea\xc3\x36\xd9\x58", + 15 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xbf\xba\xbb\xef\x45\x55\x4c\xcf\xa0\xdc\x83\x75\x2a\x19\xcc\x35" + "\xd5\x92\x09\x56\xb3\x01\xd5\x58\xd7\x72\x28\x2b\xc8\x67\x00\x91" + "\x68\xe9\xe9\x86\x06\xbb\x5b\xa7\x3a\x38\x5d\xe5\x74\x92\x28\xc9" + "\x25\xa8\x50\x19\xb7\x1f\x72\xfe\x29\xb3\xcd\x37\xca\x52\xef\xe6", + 16 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x9c\x4d\x0c\x3e\x1c\xdb\xbf\x48\x5b\xec\x86\xf4\x1c\xec\x7c\x98" + "\x37\x3f\x0e\x09\xf3\x92\x84\x9a\xaa\x22\x9e\xbf\xbf\x39\x7b\x22" + "\x08\x55\x29\xcb\x7e\xf3\x9f\x9c\x7c\x22\x22\xa5\x14\x18\x2b\x1e" + "\xff\xaa\x17\x8c\xc3\x68\x7b\x1b\x2b\x6c\xbc\xb6\xfd\xeb\x96\xf8", + 17 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x47\x71\x76\xb3\xbf\xcb\xad\xd7\x65\x7c\x23\xc2\x46\x25\xe4\xd0" + "\xd6\x74\xd1\x86\x8f\x00\x60\x06\x39\x8a\xf9\x7a\xa4\x18\x77\xc8" + "\xe7\x0d\x3d\x14\xc3\xbb\xc9\xbb\xcd\xce\xa8\x01\xbd\x0e\x15\x99" + "\xaf\x1f\x3e\xec\x67\x40\x51\x70\xf4\xe2\x6c\x96\x4a\x57\xa8\xb7", + 18 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa7\x8c\x49\x0e\xda\x31\x73\xbb\x3f\x10\xde\xe5\x2f\x11\x0f\xb1" + "\xc0\x8e\x03\x02\x23\x0b\x85\xdd\xd7\xc1\x12\x57\xd9\x2d\xe1\x48" + "\x78\x5e\xf0\x0c\x03\x9c\x0b\xb8\xeb\x98\x08\xa3\x5b\x2d\x8c\x08" + "\x0f\x57\x28\x59\x71\x4c\x9d\x40\x69\xc5\xbc\xaf\x09\x0e\x89\x8e", + 19 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x58\xd0\x23\x39\x7b\xeb\x5b\x41\x45\xcb\x22\x55\xb0\x7d\x74\x29" + "\x0b\x36\xd9\xfd\x1e\x59\x4a\xfb\xd8\xee\xa4\x7c\x20\x5b\x2e\xfb" + "\xfe\x6f\x46\x19\x0f\xaf\x95\xaf\x50\x4a\xb0\x72\xe3\x6f\x6c\x85" + "\xd7\x67\xa3\x21\xbf\xd7\xf2\x26\x87\xa4\xab\xbf\x49\x4a\x68\x9c", + 20 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x40\x01\xec\x74\xd5\xa4\x6f\xd2\x9c\x2c\x3c\xdb\xe5\xd1\xb9\xf2" + "\x0e\x51\xa9\x41\xbe\x98\xd2\xa4\xe1\xe2\xfb\xf8\x66\xa6\x72\x12" + "\x1d\xb6\xf8\x1a\x51\x4c\xfd\x10\xe7\x35\x8d\x57\x1b\xdb\xa4\x8e" + "\x4c\xe7\x08\xb9\xd1\x24\x89\x4b\xc0\xb5\xed\x55\x49\x35\xf7\x3a", + 21 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xcc\xd1\xb2\x2d\xab\x65\x11\x22\x5d\x24\x01\xea\x2d\x86\x25\xd2" + "\x06\xa1\x24\x73\xcc\x73\x2b\x61\x5e\x56\x40\xce\xff\xf0\xa4\xad" + "\xf9\x71\xb0\xe8\x27\xa6\x19\xe0\xa8\x0f\x5d\xb9\xcc\xd0\x96\x23" + "\x29\x01\x0d\x07\xe3\x4a\x20\x64\xe7\x31\xc5\x20\x81\x7b\x21\x83", + 22 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb4\xa0\xa9\xe3\x57\x4e\xdb\x9e\x1e\x72\xaa\x31\xe3\x9c\xc5\xf3" + "\x0d\xbf\x94\x3f\x8c\xab\xc4\x08\x44\x96\x54\xa3\x91\x31\xe6\x6d" + "\x71\x8a\x18\x81\x91\x43\xe3\xea\x96\xb4\xa1\x89\x59\x88\xa1\xc0" + "\x05\x6c\xf2\xb6\xe0\x4f\x9a\xc1\x9d\x65\x73\x83\xc2\x91\x0c\x44", + 23 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x44\x7b\xec\xab\x16\x63\x06\x08\xd3\x9f\x4f\x05\x8b\x16\xf7\xaf" + "\x95\xb8\x5a\x76\xaa\x0f\xa7\xce\xa2\xb8\x07\x55\xfb\x76\xe9\xc8" + "\x04\xf2\xca\x78\xf0\x26\x43\xc9\x15\xfb\xf2\xfc\xe5\xe1\x9d\xe8" + "\x60\x00\xde\x03\xb1\x88\x61\x81\x5a\x83\x12\x60\x71\xf8\xa3\x7b", + 24 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x54\xe6\xda\xb9\x97\x73\x80\xa5\x66\x58\x22\xdb\x93\x37\x4e\xda" + "\x52\x8d\x9b\xeb\x62\x6f\x9b\x94\x02\x70\x71\xcb\x26\x67\x5e\x11" + "\x2b\x4a\x7f\xec\x94\x1e\xe6\x0a\x81\xe4\xd2\xea\x3f\xf7\xbc\x52" + "\xcf\xc4\x5d\xfb\xfe\x73\x5a\x1c\x64\x6b\x2c\xf6\xd6\xa4\x9b\x62", + 25 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x3e\xa6\x26\x25\x94\x9e\x36\x46\x70\x4d\x7e\x3c\x90\x6f\x82\xf6" + "\xc0\x28\xf5\x40\xf5\xf7\x2a\x79\x4b\x0c\x57\xbf\x97\xb7\x64\x9b" + "\xfe\xb9\x0b\x01\xd3\xca\x3e\x82\x9d\xe2\x1b\x38\x26\xe6\xf8\x70" + "\x14\xd3\xc7\x73\x50\xcb\x5a\x15\xff\x5d\x46\x8a\x81\xbe\xc1\x60", + 26 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x21\x3c\xfe\x14\x5c\x54\xa3\x36\x91\x56\x99\x80\xe5\x93\x8c\x88" + "\x83\xa4\x6d\x84\xd1\x49\xc8\xff\x1a\x67\xcd\x28\x7b\x4d\x49\xc6" + "\xda\x69\xd3\xa0\x35\x44\x3d\xb0\x85\x98\x3d\x0e\xfe\x63\x70\x6b" + "\xd5\xb6\xf1\x5a\x7d\xa4\x59\xe8\xd5\x0a\x19\x09\x3d\xb5\x5e\x80", + 27 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x57\x16\xc4\xa3\x8f\x38\xdb\x10\x4e\x49\x4a\x0a\x27\xcb\xe8\x9a" + "\x26\xa6\xbb\x6f\x49\x9e\xc0\x1c\x8c\x01\xaa\x7c\xb8\x84\x97\xe7" + "\x51\x48\xcd\x6e\xee\x12\xa7\x16\x8b\x6f\x78\xab\x74\xe4\xbe\x74" + "\x92\x51\xa1\xa7\x4c\x38\xc8\x6d\x61\x29\x17\x7e\x28\x89\xe0\xb6", + 28 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x03\x04\x60\xa9\x8b\xdf\x9f\xf1\x7c\xd9\x64\x04\xf2\x8f\xc3\x04" + "\xf2\xb7\xc0\x4e\xaa\xde\x53\x67\x7f\xd2\x8f\x78\x8c\xa2\x21\x86" + "\xb8\xbc\x80\xdd\x21\xd1\x7f\x85\x49\xc7\x11\xaf\xf0\xe5\x14\xe1" + "\x9d\x4e\x15\xf5\x99\x02\x52\xa0\x3e\x08\x2f\x28\xdc\x20\x52\xf6", + 29 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x19\xe7\xf1\xcc\xee\x88\xa1\x06\x72\x33\x3e\x39\x0c\xf2\x20\x13" + "\xa8\xc7\x34\xc6\xcb\x9e\xab\x41\xf1\x7c\x3c\x80\x32\xa2\xe4\xac" + "\xa0\x56\x9e\xa3\x6f\x08\x60\xc7\xa1\xaf\x28\xfa\x47\x68\x40\xd6" + "\x60\x11\x16\x88\x59\x33\x4a\x9e\x4e\xf9\xcc\x2e\x61\xa0\xe2\x9e", + 30 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x29\xf8\xb8\xc7\x8c\x80\xf2\xfc\xb4\xbd\xf7\x82\x5e\xd9\x0a\x70" + "\xd6\x25\xff\x78\x5d\x26\x26\x77\xe2\x50\xc0\x4f\x37\x20\xc8\x88" + "\xd0\x3f\x80\x45\xe4\xed\xf3\xf5\x28\x5b\xd3\x9d\x92\x8a\x10\xa7" + "\xd0\xa5\xdf\x00\xb8\x48\x4a\xc2\x86\x81\x42\xa1\xe8\xbe\xa3\x51", + 31 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5c\x52\x92\x0a\x72\x63\xe3\x9d\x57\x92\x0c\xa0\xcb\x75\x2a\xc6" + "\xd7\x9a\x04\xfe\xf8\xa7\xa2\x16\xa1\xec\xb7\x11\x5c\xe0\x6d\x89" + "\xfd\x7d\x73\x5b\xd6\xf4\x27\x25\x55\xdb\xa2\x2c\x2d\x1c\x96\xe6" + "\x35\x23\x22\xc6\x2c\x56\x30\xfd\xe0\xf4\x77\x7a\x76\xc3\xde\x2c", + 32 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x83\xb0\x98\xf2\x62\x25\x1b\xf6\x60\x06\x4a\x9d\x35\x11\xce\x76" + "\x87\xa0\x9e\x6d\xfb\xb8\x78\x29\x9c\x30\xe9\x3d\xfb\x43\xa9\x31" + "\x4d\xb9\xa6\x00\x33\x7d\xb2\x6e\xbe\xed\xaf\x22\x56\xa9\x6d\xab" + "\xe9\xb2\x9e\x75\x73\xad\x11\xc3\x52\x3d\x87\x4d\xde\x5b\xe7\xed", + 33 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x94\x47\xd9\x8a\xa5\xc9\x33\x13\x52\xf4\x3d\x3e\x56\xd0\xa9\xa9" + "\xf9\x58\x18\x65\x99\x8e\x28\x85\xcc\x56\xdd\x0a\x0b\xd5\xa7\xb5" + "\x05\x95\xbd\x10\xf7\x52\x9b\xcd\x31\xf3\x7d\xc1\x6a\x14\x65\xd5" + "\x94\x07\x96\x67\xda\x2a\x3f\xcb\x70\x40\x14\x98\x83\x7c\xed\xeb", + 34 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x86\x77\x32\xf2\xfe\xeb\x23\x89\x30\x97\x56\x1a\xc7\x10\xa4\xbf" + "\xf4\x53\xbe\x9c\xfb\xed\xba\x8b\xa3\x24\xf9\xd3\x12\xa8\x2d\x73" + "\x2e\x1b\x83\xb8\x29\xfd\xcd\x17\x7b\x88\x2c\xa0\xc1\xbf\x54\x4b" + "\x22\x3b\xe5\x29\x92\x4a\x24\x6a\x63\xcf\x05\x9b\xfd\xc5\x0a\x1b", + 35 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xf1\x5a\xb2\x6d\x4c\xdf\xcf\x56\xe1\x96\xbb\x6b\xa1\x70\xa8\xfc" + "\xcc\x41\x4d\xe9\x28\x5a\xfd\x98\xa3\xd3\xcf\x2f\xb8\x8f\xcb\xc0" + "\xf1\x98\x32\xac\x43\x3a\x5b\x2c\xc2\x39\x2a\x4c\xe3\x43\x32\x98" + "\x7d\x8d\x2c\x2b\xef\x6c\x34\x66\x13\x8d\xb0\xc6\xe4\x2f\xa4\x7b", + 36 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x28\x13\x51\x6d\x68\xed\x4a\x08\xb3\x9d\x64\x8a\xa6\xaa\xcd\x81" + "\xe9\xd6\x55\xec\xd5\xf0\xc1\x35\x56\xc6\x0f\xdf\x0d\x33\x3e\xa3" + "\x84\x64\xb3\x6c\x02\xba\xcc\xd7\x46\xe9\x57\x5e\x96\xc6\x30\x14" + "\xf0\x74\xae\x34\xa0\xa2\x5b\x32\x0f\x0f\xbe\xdd\x6a\xcf\x76\x65", + 37 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd3\x25\x9a\xfc\xa8\xa4\x89\x62\xfa\x89\x2e\x14\x5a\xcf\x54\x7f" + "\x26\x92\x3a\xe8\xd4\x92\x4c\x8a\x53\x15\x81\x52\x6b\x04\xb4\x4c" + "\x7a\xf8\x3c\x64\x3e\xf5\xa0\xbc\x28\x2d\x36\xf3\xfb\x04\xc8\x4e" + "\x28\xb3\x51\xf4\x0c\x74\xb6\x9d\xc7\x84\x0b\xc7\x17\xb6\xf1\x5f", + 38 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xf1\x4b\x06\x1a\xe3\x59\xfa\x31\xb9\x89\xe3\x03\x32\xbf\xe8\xde" + "\x8c\xc8\xcd\xb5\x68\xe1\x4b\xe2\x14\xa2\x22\x3b\x84\xca\xab\x74" + "\x19\x54\x9e\xcf\xcc\x96\xce\x2a\xce\xc1\x19\x48\x5d\x87\xd1\x57" + "\xd3\xa8\x73\x4f\xc4\x26\x59\x7d\x64\xf3\x65\x70\xce\xaf\x22\x4d", + 39 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x55\xe7\x0b\x01\xd1\xfb\xf8\xb2\x3b\x57\xfb\x62\xe2\x6c\x2c\xe5" + "\x4f\x13\xf8\xfa\x24\x64\xe6\xeb\x98\xd1\x6a\x61\x17\x02\x6d\x8b" + "\x90\x81\x90\x12\x49\x6d\x40\x71\xeb\xe2\xe5\x95\x57\xec\xe3\x51" + "\x9a\x7a\xa4\x58\x02\xf9\x61\x53\x74\x87\x73\x32\xb7\x34\x90\xb3", + 40 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x25\x26\x1e\xb2\x96\x97\x1d\x6e\x4a\x71\xb2\x92\x8e\x64\x83\x9c" + "\x67\xd4\x22\x87\x2b\xf9\xf3\xc3\x19\x93\x61\x52\x22\xde\x9f\x8f" + "\x0b\x2c\x4b\xe8\x54\x85\x59\xb4\xb3\x54\xe7\x36\x41\x6e\x32\x18" + "\xd4\xe8\xa1\xe2\x19\xa4\xa6\xd4\x3e\x1a\x9a\x52\x1d\x0e\x75\xfc", + 41 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x08\x30\x7f\x34\x7c\x41\x29\x4e\x34\xbb\x54\xcb\x42\xb1\x52\x2d" + "\x22\xf8\x24\xf7\xb6\xe5\xdb\x50\xfd\xa0\x96\x79\x8e\x18\x1a\x8f" + "\x02\x6f\xa2\x7b\x4a\xe4\x5d\x52\xa6\x2c\xaf\x9d\x51\x98\xe2\x4a" + "\x49\x13\xc6\x67\x17\x75\xb2\xd7\x23\xc1\x23\x9b\xfb\xf0\x16\xd7", + 42 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x1e\x5c\x62\xe7\xe9\xbf\xa1\xb1\x18\x74\x7a\x2d\xe0\x8b\x3c\xa1" + "\x01\x12\xaf\x96\xa4\x6e\x4b\x22\xc3\xfc\x06\xf9\xbf\xee\x4e\xb5" + "\xc4\x9e\x05\x7a\x4a\x48\x86\x23\x43\x24\x57\x25\x76\xbb\x9b\x5e" + "\xcf\xde\x0d\x99\xb0\xde\x4f\x98\xec\x16\xe4\xd1\xb8\x5f\xa9\x47", + 43 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc7\x4a\x77\x39\x5f\xb8\xbc\x12\x64\x47\x45\x48\x38\xe5\x61\xe9" + "\x62\x85\x3d\xc7\xeb\x49\xa1\xe3\xcb\x67\xc3\xd0\x85\x1f\x3e\x39" + "\x51\x7b\xe8\xc3\x50\xac\x91\x09\x03\xd4\x9c\xd2\xbf\xdf\x54\x5c" + "\x99\x31\x6d\x03\x46\x17\x0b\x73\x9f\x0a\xdd\x5d\x53\x3c\x2c\xfc", + 44 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x0d\xd5\x7b\x42\x3c\xc0\x1e\xb2\x86\x13\x91\xeb\x88\x6a\x0d\x17" + "\x07\x9b\x93\x3f\xc7\x6e\xb3\xfc\x08\xa1\x9f\x8a\x74\x95\x2c\xb6" + "\x8f\x6b\xcd\xc6\x44\xf7\x73\x70\x96\x6e\x4d\x13\xe8\x05\x60\xbc" + "\xf0\x82\xef\x04\x79\xd4\x8f\xbb\xab\x4d\xf0\x3b\x53\xa4\xe1\x78", + 45 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x4d\x8d\xc3\x92\x3e\xdc\xcd\xfc\xe7\x00\x72\x39\x8b\x8a\x3d\xa5" + "\xc3\x1f\xcb\x3e\xe3\xb6\x45\xc8\x5f\x71\x7c\xba\xeb\x4b\x67\x3a" + "\x19\x39\x44\x25\xa5\x85\xbf\xb4\x64\xd9\x2f\x15\x97\xd0\xb7\x54" + "\xd1\x63\xf9\x7c\xed\x34\x3b\x25\xdb\x5a\x70\xef\x48\xeb\xb3\x4f", + 46 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xf0\xa5\x05\x53\xe4\xdf\xb0\xc4\xe3\xe3\xd3\xba\x82\x03\x48\x57" + "\xe3\xb1\xe5\x09\x18\xf5\xb8\xa7\xd6\x98\xe1\x0d\x24\x2b\x0f\xb5" + "\x44\xaf\x6c\x92\xd0\xc3\xaa\xf9\x93\x22\x20\x41\x61\x17\xb4\xe7" + "\x8e\xcb\x8a\x8f\x43\x0e\x13\xb8\x2a\x59\x15\x29\x0a\x58\x19\xc5", + 47 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb1\x55\x43\xf3\xf7\x36\x08\x66\x27\xcc\x53\x65\xe7\xe8\x98\x8c" + "\x2e\xf1\x55\xc0\xfd\x4f\x42\x89\x61\xb0\x0d\x15\x26\xf0\x4d\x6d" + "\x6a\x65\x8b\x4b\x8e\xd3\x2c\x5d\x86\x21\xe7\xf4\xf8\xe8\xa9\x33" + "\xd9\xec\xc9\xdd\x1b\x83\x33\xcb\xe2\x8c\xfc\x37\xd9\x71\x9e\x1c", + 48 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x7b\x4f\xa1\x58\xe4\x15\xfe\xf0\x23\x24\x72\x64\xcb\xbe\x15\xd1" + "\x6d\x91\xa4\x44\x24\xa8\xdb\x70\x7e\xb1\xe2\x03\x3c\x30\xe9\xe1" + "\xe7\xc8\xc0\x86\x45\x95\xd2\xcb\x8c\x58\x0e\xb4\x7e\x9d\x16\xab" + "\xbd\x7e\x44\xe8\x24\xf7\xce\xdb\x7d\xef\x57\x13\x0e\x52\xcf\xe9", + 49 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x60\x42\x4f\xf2\x32\x34\xc3\x4d\xc9\x68\x7a\xd5\x02\x86\x93\x72" + "\xcc\x31\xa5\x93\x80\x18\x6b\xc2\x36\x1c\x83\x5d\x97\x2f\x49\x66" + "\x6e\xb1\xac\x69\x62\x9d\xe6\x46\xf0\x3f\x9b\x4d\xb9\xe2\xac\xe0" + "\x93\xfb\xfd\xf8\xf2\x0a\xb5\xf9\x85\x41\x97\x8b\xe8\xef\x54\x9f", + 50 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x74\x06\x01\x8c\xe7\x04\xd8\x4f\x5e\xb9\xc7\x9f\xea\x97\xda\x34" + "\x56\x99\x46\x8a\x35\x0e\xe0\xb2\xd0\xf3\xa4\xbf\x20\x70\x30\x4e" + "\xa8\x62\xd7\x2a\x51\xc5\x7d\x30\x64\x94\x72\x86\xf5\x31\xe0\xea" + "\xf7\x56\x37\x02\x26\x2e\x6c\x72\x4a\xbf\x5e\xd8\xc8\x39\x8d\x17", + 51 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x14\xef\x5c\x6d\x64\x7b\x3b\xd1\xe6\xe3\x20\x06\xc2\x31\x19\x98" + "\x10\xde\x5c\x4d\xc8\x8e\x70\x24\x02\x73\xb0\xea\x18\xe6\x51\xa3" + "\xeb\x4f\x5c\xa3\x11\x4b\x8a\x56\x71\x69\x69\xc7\xcd\xa2\x7e\x0c" + "\x8d\xb8\x32\xad\x5e\x89\xa2\xdc\x6c\xb0\xad\xbe\x7d\x93\xab\xd1", + 52 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x38\xcf\x6c\x24\xe3\xe0\x8b\xcf\x1f\x6c\xf3\xd1\xb1\xf6\x5b\x90" + "\x52\x39\xa3\x11\x80\x33\x24\x9e\x44\x81\x13\xec\x63\x2e\xa6\xdc" + "\x34\x6f\xee\xb2\x57\x1c\x38\xbd\x9a\x73\x98\xb2\x22\x12\x80\x32" + "\x80\x02\xb2\x3e\x1a\x45\xad\xaf\xfe\x66\xd9\x3f\x65\x64\xea\xa2", + 53 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6c\xd7\x20\x8a\x4b\xc7\xe7\xe5\x62\x01\xbb\xba\x02\xa0\xf4\x89" + "\xcd\x38\x4a\xbe\x40\xaf\xd4\x22\x2f\x15\x8b\x3d\x98\x6e\xe7\x2a" + "\x54\xc5\x0f\xb6\x4f\xd4\xed\x25\x30\xed\xa2\xc8\xaf\x29\x28\xa0" + "\xda\x6d\x4f\x83\x0a\xe1\xc9\xdb\x46\x9d\xfd\x97\x0f\x12\xa5\x6f", + 54 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x65\x98\x58\xf0\xb5\xc9\xed\xab\x5b\x94\xfd\x73\x2f\x6e\x6b\x17" + "\xc5\x1c\xc0\x96\x10\x4f\x09\xbe\xb3\xaf\xc3\xaa\x46\x7c\x2e\xcf" + "\x88\x5c\x4c\x65\x41\xef\xfa\x90\x23\xd3\xb5\x73\x8a\xe5\xa1\x4d" + "\x86\x7e\x15\xdb\x06\xfe\x1f\x9d\x11\x27\xb7\x7e\x1a\xab\xb5\x16", + 55 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x26\xcc\xa0\x12\x6f\x5d\x1a\x81\x3c\x62\xe5\xc7\x10\x01\xc0\x46" + "\xf9\xc9\x20\x95\x70\x45\x50\xbe\x58\x73\xa4\x95\xa9\x99\xad\x01" + "\x0a\x4f\x79\x49\x1f\x24\xf2\x86\x50\x0a\xdc\xe1\xa1\x37\xbc\x20" + "\x84\xe4\x94\x9f\x5b\x72\x94\xce\xfe\x51\xec\xaf\xf8\xe9\x5c\xba", + 56 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x41\x47\xc1\xf5\x51\x72\x78\x8c\x55\x67\xc5\x61\xfe\xef\x87\x6f" + "\x62\x1f\xff\x1c\xe8\x77\x86\xb8\x46\x76\x37\xe7\x0d\xfb\xcd\x0d" + "\xbd\xb6\x41\x5c\xb6\x00\x95\x4a\xb9\xc0\x4c\x0e\x45\x7e\x62\x5b" + "\x40\x72\x22\xc0\xfe\x1a\xe2\x1b\x21\x43\x68\x8a\xda\x94\xdc\x58", + 57 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5b\x1b\xf1\x54\xc6\x2a\x8a\xf6\xe9\x3d\x35\xf1\x8f\x7f\x90\xab" + "\xb1\x6a\x6e\xf0\xe8\xd1\xae\xcd\x11\x8b\xf7\x01\x67\xba\xb2\xaf" + "\x08\x93\x5c\x6f\xdc\x06\x63\xce\x74\x48\x2d\x17\xa8\xe5\x4b\x54" + "\x6d\x1c\x29\x66\x31\xc6\x5f\x3b\x52\x2a\x51\x58\x39\xd4\x3d\x71", + 58 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x9f\x60\x04\x19\xa4\xe8\xf4\xfb\x83\x4c\x24\xb0\xf7\xfc\x13\xbf" + "\x4e\x27\x9d\x98\xe8\xa3\xc7\x65\xee\x93\x49\x17\x40\x3e\x3a\x66" + "\x09\x71\x82\xea\x21\x45\x3c\xb6\x3e\xbb\xe8\xb7\x3a\x9c\x21\x67" + "\x59\x64\x46\x43\x8c\x57\x62\x7f\x33\x0b\xad\xd4\xf5\x69\xf7\xd6", + 59 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x45\x7e\xf6\x46\x6a\x89\x24\xfd\x80\x11\xa3\x44\x71\xa5\xa1\xac" + "\x8c\xcd\x9b\xd0\xd0\x7a\x97\x41\x4a\xc9\x43\x02\x1c\xe4\xb9\xe4" + "\xb9\xc8\xdb\x0a\x28\xf0\x16\xed\x43\xb1\x54\x24\x81\x99\x00\x22" + "\x14\x7b\x31\x3e\x19\x46\x71\x13\x1e\x70\x8d\xd4\x3a\x3e\xd7\xdc", + 60 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x99\x97\xb2\x19\x4d\x9a\xf6\xdf\xcb\x91\x43\xf4\x1c\x0e\xd8\x3d" + "\x3a\x3f\x43\x88\x36\x11\x03\xd3\x8c\x2a\x49\xb2\x80\xa5\x81\x21" + "\x27\x15\xfd\x90\x8d\x41\xc6\x51\xf5\xc7\x15\xca\x38\xc0\xce\x28" + "\x30\xa3\x7e\x00\xe5\x08\xce\xd1\xbc\xdc\x32\x0e\x5e\x4d\x1e\x2e", + 61 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5c\x6b\xbf\x16\xba\xa1\x80\xf9\x86\xbd\x40\xa1\x28\x7e\xd4\xc5" + "\x49\x77\x0e\x72\x84\x85\x8f\xc4\x7b\xc2\x1a\xb9\x5e\xbb\xf3\x37" + "\x4b\x4e\xe3\xfd\x9f\x2a\xf6\x0f\x33\x95\x22\x1b\x2a\xcc\x76\xf2" + "\xd3\x4c\x13\x29\x54\x04\x9f\x8a\x3a\x99\x6f\x1e\x32\xec\x84\xe5", + 62 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd1\x0b\xf9\xa1\x5b\x1c\x9f\xc8\xd4\x1f\x89\xbb\x14\x0b\xf0\xbe" + "\x08\xd2\xf3\x66\x61\x76\xd1\x3b\xaa\xc4\xd3\x81\x35\x8a\xd0\x74" + "\xc9\xd4\x74\x8c\x30\x05\x20\xeb\x02\x6d\xae\xae\xa7\xc5\xb1\x58" + "\x89\x2f\xde\x4e\x8e\xc1\x7d\xc9\x98\xdc\xd5\x07\xdf\x26\xeb\x63", + 63 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x2f\xc6\xe6\x9f\xa2\x6a\x89\xa5\xed\x26\x90\x92\xcb\x9b\x2a\x44" + "\x9a\x44\x09\xa7\xa4\x40\x11\xee\xca\xd1\x3d\x7c\x4b\x04\x56\x60" + "\x2d\x40\x2f\xa5\x84\x4f\x1a\x7a\x75\x81\x36\xce\x3d\x5d\x8d\x0e" + "\x8b\x86\x92\x1f\xff\xf4\xf6\x92\xdd\x95\xbd\xc8\xe5\xff\x00\x52", + 64 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xfc\xbe\x8b\xe7\xdc\xb4\x9a\x32\xdb\xdf\x23\x94\x59\xe2\x63\x08" + "\xb8\x4d\xff\x1e\xa4\x80\xdf\x8d\x10\x4e\xef\xf3\x4b\x46\xfa\xe9" + "\x86\x27\xb4\x50\xc2\x26\x7d\x48\xc0\x94\x6a\x69\x7c\x5b\x59\x53" + "\x14\x52\xac\x04\x84\xf1\xc8\x4e\x3a\x33\xd0\xc3\x39\xbb\x2e\x28", + 65 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa1\x90\x93\xa6\xe3\xbc\xf5\x95\x2f\x85\x0f\x20\x30\xf6\x9b\x96" + "\x06\xf1\x47\xf9\x0b\x8b\xae\xe3\x36\x2d\xa7\x1d\x9f\x35\xb4\x4e" + "\xf9\xd8\xf0\xa7\x71\x2b\xa1\x87\x7f\xdd\xcd\x2d\x8e\xa8\xf1\xe5" + "\xa7\x73\xd0\xb7\x45\xd4\x72\x56\x05\x98\x3a\x2d\xe9\x01\xf8\x03", + 66 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x3c\x20\x06\x42\x3f\x73\xe2\x68\xfa\x59\xd2\x92\x03\x77\xeb\x29" + "\xa4\xf9\xa8\xb4\x62\xbe\x15\x98\x3e\xe3\xb8\x5a\xe8\xa7\x8e\x99" + "\x26\x33\x58\x1a\x90\x99\x89\x3b\x63\xdb\x30\x24\x1c\x34\xf6\x43" + "\x02\x7d\xc8\x78\x27\x9a\xf5\x85\x0d\x7e\x2d\x4a\x26\x53\x07\x3a", + 67 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd0\xf2\xf2\xe3\x78\x76\x53\xf7\x7c\xce\x2f\xa2\x48\x35\x78\x5b" + "\xbd\x0c\x43\x3f\xc7\x79\x46\x5a\x11\x51\x49\x90\x5a\x9d\xd1\xcb" + "\x82\x7a\x62\x85\x06\xd4\x57\xfc\xf1\x24\xa0\xc2\xae\xf9\xce\x2d" + "\x2a\x0a\x0f\x63\x54\x55\x70\xd8\x66\x7f\xf9\xe2\xeb\xa0\x73\x34", + 68 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x78\xa9\xfc\x04\x8e\x25\xc6\xdc\xb5\xde\x45\x66\x7d\xe8\xff\xdd" + "\x3a\x93\x71\x11\x41\xd5\x94\xe9\xfa\x62\xa9\x59\x47\x5d\xa6\x07" + "\x5e\xa8\xf0\x91\x6e\x84\xe4\x5a\xd9\x11\xb7\x54\x67\x07\x7e\xe5" + "\x2d\x2c\x9a\xeb\xf4\xd5\x8f\x20\xce\x4a\x3a\x00\x45\x8b\x05\xd4", + 69 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x45\x81\x3f\x44\x17\x69\xab\x6e\xd3\x7d\x34\x9f\xf6\xe7\x22\x67" + "\xd7\x6a\xe6\xbb\x3e\x3c\x61\x2e\xc0\x5c\x6e\x02\xa1\x2a\xf5\xa3" + "\x7c\x91\x8b\x52\xbf\x74\x26\x7c\x3f\x6a\x3f\x18\x3a\x80\x64\xff" + "\x84\xc0\x7b\x19\x3d\x08\x06\x67\x89\xa0\x1a\xcc\xdb\x6f\x93\x40", + 70 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x95\x6d\xa1\xc6\x8d\x83\xa7\xb8\x81\xe0\x1b\x9a\x96\x6c\x3c\x0b" + "\xf2\x7f\x68\x60\x6a\x8b\x71\xd4\x57\xbd\x01\x6d\x4c\x41\xdd\x8a" + "\x38\x0c\x70\x9a\x29\x6c\xb4\xc6\x54\x47\x92\x92\x0f\xd7\x88\x83" + "\x57\x71\xa0\x7d\x4a\x16\xfb\x52\xed\x48\x05\x03\x31\xdc\x4c\x8b", + 71 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xdf\x18\x6c\x2d\xc0\x9c\xaa\x48\xe1\x4e\x94\x2f\x75\xde\x5a\xc1" + "\xb7\xa2\x1e\x4f\x9f\x07\x2a\x5b\x37\x1e\x09\xe0\x73\x45\xb0\x74" + "\x0c\x76\x17\x7b\x01\x27\x88\x08\xfe\xc0\x25\xed\xed\x98\x22\xc1" + "\x22\xaf\xd1\xc6\x3e\x6f\x0c\xe2\xe3\x26\x31\x04\x10\x63\x14\x5c", + 72 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x87\x47\x56\x40\x96\x6a\x9f\xdc\xd6\xd3\xa3\xb5\xa2\xcc\xa5\xc0" + "\x8f\x0d\x88\x2b\x10\x24\x3c\x0e\xc1\xbf\x3c\x6b\x1c\x37\xf2\xcd" + "\x32\x12\xf1\x9a\x05\x78\x64\x47\x7d\x5e\xaf\x8f\xae\xd7\x3f\x29" + "\x37\xc7\x68\xa0\xaf\x41\x5e\x84\xbb\xce\x6b\xd7\xde\x23\xb6\x60", + 73 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc3\xb5\x73\xbb\xe1\x09\x49\xa0\xfb\xd4\xff\x88\x4c\x44\x6f\x22" + "\x29\xb7\x69\x02\xf9\xdf\xdb\xb8\xa0\x35\x3d\xa5\xc8\x3c\xa1\x4e" + "\x81\x51\xbb\xaa\xc8\x2f\xd1\x57\x6a\x00\x9a\xdc\x6f\x19\x35\xcf" + "\x26\xed\xd4\xf1\xfb\x8d\xa4\x83\xe6\xc5\xcd\x9d\x89\x23\xad\xc3", + 74 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb0\x9d\x8d\x0b\xba\x8a\x72\x86\xe4\x35\x68\xf7\x90\x75\x50\xe4" + "\x20\x36\xd6\x74\xe3\xc8\xfc\x34\xd8\xca\x46\xf7\x71\xd6\x46\x6b" + "\x70\xfb\x60\x58\x75\xf6\xa8\x63\xc8\x77\xd1\x2f\x07\x06\x3f\xdc" + "\x2e\x90\xcc\xd4\x59\xb1\x91\x0d\xcd\x52\xd8\xf1\x0b\x2b\x0a\x15", + 75 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xaf\x3a\x22\xbf\x75\xb2\x1a\xbf\xb0\xac\xd5\x44\x22\xba\x1b\x73" + "\x00\xa9\x52\xef\xf0\x2e\xbe\xb6\x5b\x5c\x23\x44\x71\xa9\x8d\xf3" + "\x2f\x4f\x96\x43\xce\x19\x04\x10\x8a\x16\x87\x67\x92\x42\x80\xbd" + "\x76\xc8\x3f\x8c\x82\xd9\xa7\x9d\x92\x59\xb1\x95\x36\x2a\x2a\x04", + 76 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xbf\x4f\xf2\x22\x1b\x7e\x69\x57\xa7\x24\xcd\x96\x4a\xa3\xd5\xd0" + "\xd9\x94\x1f\x54\x04\x13\x75\x2f\x46\x99\xd8\x10\x1b\x3e\x53\x75" + "\x08\xbf\x09\xf8\x50\x8b\x31\x77\x36\xff\xd2\x65\xf2\x84\x7a\xa7" + "\xd8\x4b\xd2\xd9\x75\x69\xc4\x9d\x63\x2a\xed\x99\x45\xe5\xfa\x5e", + 77 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x9c\x6b\x6b\x78\x19\x9b\x1b\xda\xcb\x43\x00\xe3\x14\x79\xfa\x62" + "\x2a\x6b\x5b\xc8\x0d\x46\x78\xa6\x07\x8f\x88\xa8\x26\x8c\xd7\x20" + "\x6a\x27\x99\xe8\xd4\x62\x1a\x46\x4e\xf6\xb4\x3d\xd8\xad\xff\xe9" + "\x7c\xaf\x22\x1b\x22\xb6\xb8\x77\x8b\x14\x9a\x82\x2a\xef\xbb\x09", + 78 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x89\x06\x56\xf0\x9c\x99\xd2\x80\xb5\xec\xb3\x81\xf5\x64\x27\xb8" + "\x13\x75\x1b\xc6\x52\xc7\x82\x80\x78\xb2\x3a\x4a\xf8\x3b\x4e\x3a" + "\x61\xfd\xba\xc6\x1f\x89\xbe\xe8\x4e\xa6\xbe\xe7\x60\xc0\x47\xf2" + "\x5c\x6b\x0a\x20\x1c\x69\xa3\x8f\xd6\xfd\x97\x1a\xf1\x85\x88\xbb", + 79 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x31\xa0\x46\xf7\x88\x2f\xfe\x6f\x83\xce\x47\x2e\x9a\x07\x01\x83" + "\x2e\xc7\xb3\xf7\x6f\xbc\xfd\x1d\xf6\x0f\xe3\xea\x48\xfd\xe1\x65" + "\x12\x54\x24\x7c\x3f\xd9\x5e\x10\x0f\x91\x72\x73\x1e\x17\xfd\x52" + "\x97\xc1\x1f\x4b\xb3\x28\x36\x3c\xa3\x61\x62\x4a\x81\xaf\x79\x7c", + 80 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x27\xa6\x0b\x2d\x00\xe7\xa6\x71\xd4\x7d\x0a\xec\x2a\x68\x6a\x0a" + "\xc0\x4b\x52\xf4\x0a\xb6\x62\x90\x28\xeb\x7d\x13\xf4\xba\xa9\x9a" + "\xc0\xfe\x46\xee\x6c\x81\x49\x44\xf2\xf4\xb4\xd2\x0e\x93\x78\xe4" + "\x84\x7e\xa4\x4c\x13\x17\x80\x91\xe2\x77\xb8\x7e\xa7\xa5\x57\x11", + 81 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x8b\x5c\xce\xf1\x94\x16\x2c\x1f\x19\xd6\x8f\x91\xe0\xb0\x92\x8f" + "\x28\x9e\xc5\x28\x37\x20\x84\x0c\x2f\x73\xd2\x53\x11\x12\x38\xdc" + "\xfe\x94\xaf\x2b\x59\xc2\xc1\xca\x25\x91\x90\x1a\x7b\xc0\x60\xe7" + "\x45\x9b\x6c\x47\xdf\x0f\x71\x70\x1a\x35\xcc\x0a\xa8\x31\xb5\xb6", + 82 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x57\xab\x6c\x4b\x22\x29\xae\xb3\xb7\x04\x76\xd8\x03\xcd\x63\x81" + "\x2f\x10\x7c\xe6\xda\x17\xfe\xd9\xb1\x78\x75\xe8\xf8\x6c\x72\x4f" + "\x49\xe0\x24\xcb\xf3\xa1\xb8\xb1\x19\xc5\x03\x57\x65\x2b\x81\x87" + "\x9d\x2a\xde\x2d\x58\x8b\x9e\x4f\x7c\xed\xba\x0e\x46\x44\xc9\xee", + 83 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x01\x90\xa8\xda\xc3\x20\xa7\x39\xf3\x22\xe1\x57\x31\xaa\x14\x0d" + "\xda\xf5\xbe\xd2\x94\xd5\xc8\x2e\x54\xfe\xf2\x9f\x21\x4e\x18\xaa" + "\xfa\xa8\x4f\x8b\xe9\x9a\xf6\x29\x50\x26\x6b\x8f\x90\x1f\x15\xdd" + "\x4c\x5d\x35\x51\x6f\xc3\x5b\x4c\xab\x2e\x96\xe4\x69\x5b\xbe\x1c", + 84 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd1\x4d\x7c\x4c\x41\x5e\xeb\x0e\x10\xb1\x59\x22\x4b\xea\x12\x7e" + "\xbd\x84\xf9\x59\x1c\x70\x2a\x33\x0f\x5b\xb7\xbb\x7a\xa4\x4e\xa3" + "\x9d\xe6\xed\x01\xf1\x8d\xa7\xad\xf4\x0c\xfb\x97\xc5\xd1\x52\xc2" + "\x75\x28\x82\x4b\x21\xe2\x39\x52\x6a\xf8\xf3\x6b\x21\x4e\x0c\xfb", + 85 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xbe\x28\xc4\xbe\x70\x69\x70\x48\x8f\xac\x7d\x29\xc3\xbd\x5c\x4e" + "\x98\x60\x85\xc4\xc3\x33\x2f\x1f\x3f\xd3\x09\x73\xdb\x61\x41\x64" + "\xba\x2f\x31\xa7\x88\x75\xff\xdc\x15\x03\x25\xc8\x83\x27\xa9\x44" + "\x3e\xd0\x4f\xdf\xe5\xbe\x93\x87\x6d\x16\x28\x56\x0c\x76\x4a\x80", + 86 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x03\x1d\xa1\x06\x9e\x3a\x2e\x9c\x33\x82\xe4\x36\xff\xd7\x9d\xf7" + "\x4b\x1c\xa6\xa8\xad\xb2\xde\xab\xe6\x76\xab\x45\x99\x4c\xbc\x05" + "\x4f\x03\x7d\x2f\x0e\xac\xe8\x58\xd3\x2c\x14\xe2\xd1\xc8\xb4\x60" + "\x77\x30\x8e\x3b\xdc\x2c\x1b\x53\x17\x2e\xcf\x7a\x8c\x14\xe3\x49", + 87 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x46\x65\xce\xf8\xba\x4d\xb4\xd0\xac\xb1\x18\xf2\x98\x7f\x0b\xb0" + "\x9f\x8f\x86\xaa\x44\x5a\xa3\xd5\xfc\x9a\x8b\x34\x68\x64\x78\x74" + "\x89\xe8\xfc\xec\xc1\x25\xd1\x7e\x9b\x56\xe1\x29\x88\xea\xc5\xec" + "\xc7\x28\x68\x83\xdb\x06\x61\xb8\xff\x05\xda\x2a\xff\xf3\x0f\xe4", + 88 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x63\xb7\x03\x2e\x5f\x93\x0c\xc9\x93\x95\x17\xf9\xe9\x86\x81\x6c" + "\xfb\xec\x2b\xe5\x9b\x95\x68\xb1\x3f\x2e\xad\x05\xba\xe7\x77\x7c" + "\xab\x62\x0c\x66\x59\x40\x4f\x74\x09\xe4\x19\x9a\x3b\xe5\xf7\x86" + "\x5a\xa7\xcb\xdf\x8c\x42\x53\xf7\xe8\x21\x9b\x1b\xd5\xf4\x6f\xea", + 89 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x9f\x09\xbf\x09\x3a\x2b\x0f\xf8\xc2\x63\x4b\x49\xe3\x7f\x1b\x21" + "\x35\xb4\x47\xaa\x91\x44\xc9\x78\x7d\xbf\xd9\x21\x29\x31\x6c\x99" + "\xe8\x8a\xab\x8a\x21\xfd\xef\x23\x72\xd1\x18\x9a\xec\x50\x0f\x95" + "\x77\x5f\x1f\x92\xbf\xb4\x55\x45\xe4\x25\x9f\xb9\xb7\xb0\x2d\x14", + 90 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xf9\xf8\x49\x3c\x68\x08\x88\x07\xdf\x7f\x6a\x26\x93\xd6\x4e\xa5" + "\x9f\x03\xe9\xe0\x5a\x22\x3e\x68\x52\x4c\xa3\x21\x95\xa4\x73\x4b" + "\x65\x4f\xce\xa4\xd2\x73\x4c\x86\x6c\xf9\x5c\x88\x9f\xb1\x0c\x49" + "\x15\x9b\xe2\xf5\x04\x3d\xc9\x8b\xb5\x5e\x02\xef\x7b\xdc\xb0\x82", + 91 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x3c\x9a\x73\x59\xab\x4f\xeb\xce\x07\xb2\x0a\xc4\x47\xb0\x6a\x24" + "\x0b\x7f\xe1\xda\xe5\x43\x9c\x49\xb6\x0b\x58\x19\xf7\x81\x2e\x4c" + "\x17\x24\x06\xc1\xaa\xc3\x16\x71\x3c\xf0\xdd\xed\x10\x38\x07\x72" + "\x58\xe2\xef\xf5\xb3\x39\x13\xd9\xd9\x5c\xae\xb4\xe6\xc6\xb9\x70", + 92 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xad\x6a\xab\x80\x84\x51\x0e\x82\x2c\xfc\xe8\x62\x5d\x62\xcf\x4d" + "\xe6\x55\xf4\x76\x38\x84\xc7\x1e\x80\xba\xb9\xac\x9d\x53\x18\xdb" + "\xa4\xa6\x03\x3e\xd2\x90\x84\xe6\x52\x16\xc0\x31\x60\x6c\xa1\x76" + "\x15\xdc\xfe\x3b\xa1\x1d\x26\x85\x1a\xe0\x99\x9c\xa6\xe2\x32\xcf", + 93 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x15\x6e\x9e\x62\x61\x37\x4c\x9d\xc8\x84\xf3\x6e\x70\xf0\xfe\x1a" + "\xb9\x29\x79\x97\xb8\x36\xfa\x7d\x17\x0a\x9c\x9e\xbf\x57\x5b\x88" + "\x1e\x7b\xce\xa4\x4d\x6c\x02\x48\xd3\x55\x97\x90\x71\x54\x82\x89" + "\x55\xbe\x19\x13\x58\x52\xf9\x22\x88\x15\xec\xa0\x24\xa8\xad\xfb", + 94 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x42\x15\x40\x76\x33\xf4\xcc\xa9\xb6\x78\x8b\xe9\x3e\x6a\xa3\xd9" + "\x63\xc7\xd6\xce\x4b\x14\x72\x47\x09\x9f\x46\xa3\xac\xb5\x00\xa3" + "\x00\x38\xcb\x3e\x78\x8c\x3d\x29\xf1\x32\xad\x84\x4e\x80\xe9\xe9" + "\x92\x51\xf6\xdb\x96\xac\xd8\xa0\x91\xcf\xc7\x70\xaf\x53\x84\x7b", + 95 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x1c\x07\x7e\x27\x9d\xe6\x54\x85\x23\x50\x2b\x6d\xf8\x00\xff\xda" + "\xb5\xe2\xc3\xe9\x44\x2e\xb8\x38\xf5\x8c\x29\x5f\x3b\x14\x7c\xef" + "\x9d\x70\x1c\x41\xc3\x21\x28\x3f\x00\xc7\x1a\xff\xa0\x61\x93\x10" + "\x39\x91\x26\x29\x5b\x78\xdd\x4d\x1a\x74\x57\x2e\xf9\xed\x51\x35", + 96 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xf0\x7a\x55\x5f\x49\xfe\x48\x1c\xf4\xcd\x0a\x87\xb7\x1b\x82\xe4" + "\xa9\x50\x64\xd0\x66\x77\xfd\xd9\x0a\x0e\xb5\x98\x87\x7b\xa1\xc8" + "\x3d\x46\x77\xb3\x93\xc3\xa3\xb6\x66\x1c\x42\x1f\x5b\x12\xcb\x99" + "\xd2\x03\x76\xba\x72\x75\xc2\xf3\xa8\xf5\xa9\xb7\x82\x17\x20\xda", + 97 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb5\x91\x1b\x38\x0d\x20\xc7\xb0\x43\x23\xe4\x02\x6b\x38\xe2\x00" + "\xf5\x34\x25\x92\x33\xb5\x81\xe0\x2c\x1e\x3e\x2d\x84\x38\xd6\xc6" + "\x6d\x5a\x4e\xb2\x01\xd5\xa8\xb7\x50\x72\xc4\xec\x29\x10\x63\x34" + "\xda\x70\xbc\x79\x52\x1b\x0c\xed\x2c\xfd\x53\x3f\x5f\xf8\x4f\x95", + 98 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x01\xf0\x70\xa0\x9b\xae\x91\x12\x96\x36\x1f\x91\xaa\x0e\x8e\x0d" + "\x09\xa7\x72\x54\x78\x53\x6d\x9d\x48\xc5\xfe\x1e\x5e\x7c\x3c\x5b" + "\x9b\x9d\x6e\xb0\x77\x96\xf6\xda\x57\xae\x56\x2a\x7d\x70\xe8\x82" + "\xe3\x7a\xdf\xde\x83\xf0\xc4\x33\xc2\xcd\x36\x35\x36\xbb\x22\xc8", + 99 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6f\x79\x3e\xb4\x37\x4a\x48\xb0\x77\x5a\xca\xf9\xad\xcf\x8e\x45" + "\xe5\x42\x70\xc9\x47\x5f\x00\x4a\xd8\xd5\x97\x3e\x2a\xca\x52\x74" + "\x7f\xf4\xed\x04\xae\x96\x72\x75\xb9\xf9\xeb\x0e\x1f\xf7\x5f\xb4" + "\xf7\x94\xfa\x8b\xe9\xad\xd7\xa4\x13\x04\x86\x8d\x10\x3f\xab\x10", + 100 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x96\x5f\x20\xf1\x39\x76\x5f\xcc\x4c\xe4\xba\x37\x94\x67\x58\x63" + "\xca\xc2\x4d\xb4\x72\xcd\x2b\x79\x9d\x03\x5b\xce\x3d\xbe\xa5\x02" + "\xda\x7b\x52\x48\x65\xf6\xb8\x11\xd8\xc5\x82\x8d\x3a\x88\x96\x46" + "\xfe\x64\xa3\x80\xda\x1a\xa7\xc7\x04\x4e\x9f\x24\x5d\xce\xd1\x28", + 101 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xec\x29\x5b\x57\x83\x60\x12\x44\xc3\x0e\x46\x41\xe3\xb4\x5b\xe2" + "\x22\xc4\xdc\xe7\x7a\x58\x70\x0f\x53\xbc\x8e\xc5\x2a\x94\x16\x90" + "\xb4\xd0\xb0\x87\xfb\x6f\xcb\x3f\x39\x83\x2b\x9d\xe8\xf7\x5e\xc2" + "\x0b\xd4\x30\x79\x81\x17\x49\xcd\xc9\x07\xed\xb9\x41\x57\xd1\x80", + 102 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x61\xc7\x2f\x8c\xcc\x91\xdb\xb5\x4c\xa6\x75\x0b\xc4\x89\x67\x2d" + "\xe0\x9f\xae\xdb\x8f\xdd\x4f\x94\xff\x23\x20\x90\x9a\x30\x3f\x5d" + "\x5a\x98\x48\x1c\x0b\xc1\xa6\x25\x41\x9f\xb4\xde\xbf\xbf\x7f\x8a" + "\x53\xbb\x07\xec\x3d\x98\x5e\x8e\xa1\x1e\x72\xd5\x59\x94\x07\x80", + 103 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xaf\xd8\x14\x5b\x25\x9e\xef\xc8\xd1\x26\x20\xc3\xc5\xb0\x3e\x1e" + "\xd8\xfd\x2c\xce\xfe\x03\x65\x07\x8c\x80\xfd\x42\xc1\x77\x0e\x28" + "\xb4\x49\x48\xf2\x7e\x65\xa1\x88\x66\x90\x11\x0d\xb8\x14\x39\x7b" + "\x68\xe4\x3d\x80\xd1\xba\x16\xdf\xa3\x58\xe7\x39\xc8\x98\xcf\xa3", + 104 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x55\x2f\xc7\x89\x3c\xf1\xce\x93\x3a\xda\x35\xc0\xda\x98\x84\x4e" + "\x41\x54\x5e\x24\x4c\x31\x57\xa1\x42\x8d\x7b\x4c\x21\xf9\xcd\x7e" + "\x40\x71\xae\xd7\x7b\x7c\xa9\xf1\xc3\x8f\xba\x32\x23\x74\x12\xef" + "\x21\xa3\x42\x74\x2e\xc8\x32\x43\x78\xf2\x1e\x50\x7f\xaf\xdd\x88", + 105 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x46\x7a\x33\xfb\xad\xf5\xeb\xc5\x25\x96\xef\x86\xaa\xae\xfc\x6f" + "\xab\xa8\xee\x65\x1b\x1c\xe0\x4d\xe3\x68\xa0\x3a\x5a\x90\x40\xef" + "\x28\x35\xe0\x0a\xdb\x09\xab\xb3\xfb\xd2\xbc\xe8\x18\xa2\x41\x3d" + "\x0b\x02\x53\xb5\xbd\xa4\xfc\x5b\x2f\x6f\x85\xf3\xfd\x5b\x55\xf2", + 106 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x22\xef\xf8\xe6\xdd\x52\x36\xf5\xf5\x7d\x94\xed\xe8\x74\xd6\xc9" + "\x42\x8e\x8f\x5d\x56\x6f\x17\xcd\x6d\x18\x48\xcd\x75\x2f\xe1\x3c" + "\x65\x5c\xb1\x0f\xba\xaf\xf7\x68\x72\xf2\xbf\x2d\xa9\x9e\x15\xdc" + "\x62\x40\x75\xe1\xec\x2f\x58\xa3\xf6\x40\x72\x12\x18\x38\x56\x9e", + 107 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x9c\xec\x6b\xbf\x62\xc4\xbc\xe4\x13\x8a\xba\xe1\xcb\xec\x8d\xad" + "\x31\x95\x04\x44\xe9\x03\x21\xb1\x34\x71\x96\x83\x4c\x11\x4b\x86" + "\x4a\xf3\xf3\xcc\x35\x08\xf8\x37\x51\xff\xb4\xed\xa7\xc8\x4d\x14" + "\x07\x34\xbb\x42\x63\xc3\x62\x5c\x00\xf0\x4f\x4c\x80\x68\x98\x1b", + 108 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa8\xb6\x0f\xa4\xfc\x24\x42\xf6\xf1\x51\x4a\xd7\x40\x26\x26\x92" + "\x0c\xc7\xc2\xc9\xf7\x21\x24\xb8\xcb\xa8\xee\x2c\xb7\xc4\x58\x6f" + "\x65\x8a\x44\x10\xcf\xfc\xc0\xab\x88\x34\x39\x55\xe0\x94\xc6\xaf" + "\x0d\x20\xd0\xc7\x14\xfb\x0a\x98\x8f\x54\x3f\x30\x0f\x58\xd3\x89", + 109 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x82\x71\xcc\x45\xdf\xa5\xe4\x17\x0e\x84\x7e\x86\x30\xb9\x52\xcf" + "\x9c\x2a\xa7\x77\xd0\x6f\x26\xa7\x58\x5b\x83\x81\xf1\x88\xda\xcc" + "\x73\x37\x39\x1c\xfc\xc9\x4b\x05\x3d\xc4\xec\x29\xcc\x17\xf0\x77" + "\x87\x04\x28\xf1\xac\x23\xfd\xdd\xa1\x65\xef\x5a\x3f\x15\x5f\x39", + 110 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xbf\x23\xc0\xc2\x5c\x80\x60\xe4\xf6\x99\x5f\x16\x23\xa3\xbe\xbe" + "\xca\xa9\x6e\x30\x86\x80\x00\x0a\x8a\xa3\xcd\x56\xbb\x1a\x6d\xa0" + "\x99\xe1\x0d\x92\x31\xb3\x7f\x45\x19\xb2\xef\xd2\xc2\x4d\xe7\x2f" + "\x31\xa5\xf1\x95\x35\x24\x1b\x4a\x59\xfa\x3c\x03\xce\xb7\x90\xe7", + 111 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x87\x7f\xd6\x52\xc0\x52\x81\x00\x9c\x0a\x52\x50\xe7\xa3\xa6\x71" + "\xf8\xb1\x8c\x10\x88\x17\xfe\x4a\x87\x4d\xe2\x2d\xa8\xe4\x5d\xb1" + "\x19\x58\xa6\x00\xc5\xf6\x2e\x67\xd3\x6c\xbf\x84\x47\x4c\xf2\x44" + "\xa9\xc2\xb0\x3a\x9f\xb9\xdc\x71\x1c\xd1\xa2\xca\xb6\xf3\xfa\xe0", + 112 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x29\xdf\x4d\x87\xea\x44\x4b\xaf\x5b\xcd\xf5\xf4\xe4\x15\x79\xe2" + "\x8a\x67\xde\x84\x14\x9f\x06\xc0\x3f\x11\x0e\xa8\x4f\x57\x2a\x9f" + "\x67\x6a\xdd\xd0\x4c\x48\x78\xf4\x9c\x5c\x00\xac\xcd\xa4\x41\xb1" + "\xa3\x87\xca\xce\xb2\xe9\x93\xbb\x7a\x10\xcd\x8c\x2d\x67\x17\xe1", + 113 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x71\x0d\xac\xb1\x66\x84\x46\x39\xcd\x7b\x63\x7c\x27\x42\x09\x42" + "\x4e\x24\x49\xdc\x35\xd7\x90\xbb\xfa\x4f\x76\x17\x70\x54\xa3\x6b" + "\x3b\x76\xfa\xc0\xca\x6e\x61\xdf\x1e\x68\x70\x00\x67\x8a\xc0\x74" + "\x6d\xf7\x5d\x0a\x39\x54\x89\x76\x81\xfd\x39\x3a\x15\x5a\x1b\xb4", + 114 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc1\xd5\xf9\x3b\x8d\xea\x1f\x25\x71\xba\xbc\xcb\xc0\x17\x64\x54" + "\x1a\x0c\xda\x87\xe4\x44\xd6\x73\xc5\x09\x66\xca\x55\x9c\x33\x35" + "\x4b\x3a\xcb\x26\xe5\xd5\x78\x1f\xfb\x28\x84\x7a\x4b\x47\x54\xd7" + "\x70\x08\xc6\x2a\x83\x58\x35\xf5\x00\xde\xa7\xc3\xb5\x8b\xda\xe2", + 115 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa4\x1e\x41\x27\x1c\xda\xb8\xaf\x4d\x72\xb1\x04\xbf\xb2\xad\x04" + "\x1a\xc4\xdf\x14\x67\x7d\xa6\x71\xd8\x56\x40\xc4\xb1\x87\xf5\x0c" + "\x2b\x66\x51\x3c\x46\x19\xfb\xd5\xd5\xdc\x4f\xe6\x5d\xd3\x7b\x90" + "\x42\xe9\x84\x8d\xda\x55\x6a\x50\x4c\xaa\x2b\x1c\x6a\xfe\x47\x30", + 116 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xe7\xbc\xba\xcd\xc3\x79\xc4\x3d\x81\xeb\xad\xcb\x37\x78\x15\x52" + "\xfc\x1d\x75\x3e\x8c\xf3\x10\xd9\x68\x39\x2d\x06\xc9\x1f\x1d\x64" + "\xcc\x9e\x90\xce\x1d\x22\xc3\x2d\x27\x7f\xc6\xcd\xa4\x33\xa4\xd4" + "\x42\xc7\x62\xe9\xea\xcf\x2c\x25\x9f\x32\xd6\x4c\xf9\xda\x3a\x22", + 117 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x51\x75\x5b\x4a\xc5\x45\x6b\x13\x21\x8a\x19\xc5\xb9\x24\x2f\x57" + "\xc4\xa9\x81\xe4\xd4\xec\xdc\xe0\x9a\x31\x93\x36\x2b\x80\x8a\x57" + "\x93\x45\xd4\x88\x1c\x26\x07\xa5\x65\x34\xdd\x7f\x21\x95\x6a\xff" + "\x72\xc2\xf4\x17\x3a\x6e\x7b\x6c\xc2\x21\x2b\xa0\xe3\xda\xee\x1f", + 118 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xdc\xc2\xc4\xbe\xb9\xc1\xf2\x60\x7b\x78\x6c\x20\xc6\x31\x97\x23" + "\x47\x03\x4c\x1c\xc0\x2f\xcc\x7d\x02\xff\x01\x09\x9c\xfe\x1c\x69" + "\x89\x84\x0a\xc2\x13\x92\x36\x29\x11\x3a\xa8\xba\xd7\x13\xcc\xf0" + "\xfe\x4c\xe1\x32\x64\xfb\x32\xb8\xb0\xfe\x37\x2d\xa3\x82\x54\x4a", + 119 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x3d\x55\x17\x6a\xce\xa4\xa7\xe3\xa6\x5f\xfa\x9f\xb1\x0a\x7a\x17" + "\x67\x19\x9c\xf0\x77\xce\xe9\xf7\x15\x32\xd6\x7c\xd7\xc7\x3c\x9f" + "\x93\xcf\xc3\x7c\xcd\xcc\x1f\xde\xf5\x0a\xad\x46\xa5\x04\xa6\x50" + "\xd2\x98\xd5\x97\xa3\xa9\xfa\x95\xc6\xc4\x0c\xb7\x1f\xa5\xe7\x25", + 120 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd0\x77\x13\xc0\x05\xde\x96\xdd\x21\xd2\xeb\x8b\xbe\xca\x66\x74" + "\x6e\xa5\x1a\x31\xae\x92\x2a\x3e\x74\x86\x48\x89\x54\x0a\x48\xdb" + "\x27\xd7\xe4\xc9\x03\x11\x63\x8b\x22\x4b\xf0\x20\x1b\x50\x18\x91" + "\x75\x48\x48\x11\x3c\x26\x61\x08\xd0\xad\xb1\x3d\xb7\x19\x09\xc7", + 121 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x58\x98\x3c\x21\x43\x3d\x95\x0c\xaa\x23\xe4\xbc\x18\x54\x3b\x8e" + "\x60\x1c\x20\x43\x18\x53\x21\x52\xda\xf5\xe1\x59\xa0\xcd\x14\x80" + "\x18\x3d\x29\x28\x5c\x05\xf1\x29\xcb\x0c\xc3\x16\x46\x87\x92\x80" + "\x86\xff\xe3\x80\x15\x8d\xf1\xd3\x94\xc6\xac\x0d\x42\x88\xbc\xa8", + 122 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x81\x00\xa8\xdc\x52\x8d\x2b\x68\x2a\xb4\x25\x08\x01\xba\x33\xf0" + "\x2a\x3e\x94\xc5\x4d\xac\x0a\xe1\x48\x2a\xa2\x1f\x51\xef\x3a\x82" + "\xf3\x80\x7e\x6f\xac\xb0\xae\xb0\x59\x47\xbf\x7a\xa2\xad\xcb\x03" + "\x43\x56\xf9\x0f\xa4\x56\x0e\xde\x02\x20\x1a\x37\xe4\x11\xec\x1a", + 123 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x07\x02\x5f\x1b\xb6\xc7\x84\xf3\xfe\x49\xde\x5c\x14\xb9\x36\xa5" + "\xac\xac\xac\xaa\xb3\x3f\x6a\xc4\xd0\xe0\x0a\xb6\xa1\x24\x83\xd6" + "\xbe\xc0\x0b\x4f\xe6\x7c\x7c\xa5\xcc\x50\x8c\x2a\x53\xef\xb5\xbf" + "\xa5\x39\x87\x69\xd8\x43\xff\x0d\x9e\x8b\x14\xd3\x6a\x01\xa7\x7f", + 124 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xba\x6a\xef\xd9\x72\xb6\x18\x6e\x02\x7a\x76\x27\x3a\x4a\x72\x33" + "\x21\xa3\xf5\x80\xcf\xa8\x94\xda\x5a\x9c\xe8\xe7\x21\xc8\x28\x55" + "\x2c\x64\xda\xce\xe3\xa7\xfd\x2d\x74\x3b\x5c\x35\xad\x0c\x8e\xfa" + "\x71\xf8\xce\x99\xbf\x96\x33\x47\x10\xe2\xc2\x34\x6e\x8f\x3c\x52", + 125 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xe0\x72\x1e\x02\x51\x7a\xed\xfa\x4e\x7e\x9b\xa5\x03\xe0\x25\xfd" + "\x46\xe7\x14\x56\x6d\xc8\x89\xa8\x4c\xbf\xe5\x6a\x55\xdf\xbe\x2f" + "\xc4\x93\x8a\xc4\x12\x05\x88\x33\x5d\xea\xc8\xef\x3f\xa2\x29\xad" + "\xc9\x64\x7f\x54\xad\x2e\x34\x72\x23\x4f\x9b\x34\xef\xc4\x65\x43", + 126 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb6\x29\x26\x69\xcc\xd3\x8d\x5f\x01\xca\xae\x96\xba\x27\x2c\x76" + "\xa8\x79\xa4\x57\x43\xaf\xa0\x72\x5d\x83\xb9\xeb\xb2\x66\x65\xb7" + "\x31\xf1\x84\x8c\x52\xf1\x19\x72\xb6\x64\x4f\x55\x4c\x06\x4f\xa9" + "\x07\x80\xdb\xbb\xf3\xa8\x9d\x4f\xc3\x1f\x67\xdf\x3e\x58\x57\xef", + 127 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x23\x19\xe3\x78\x9c\x47\xe2\xda\xa5\xfe\x80\x7f\x61\xbe\xc2\xa1" + "\xa6\x53\x7f\xa0\x3f\x19\xff\x32\xe8\x7e\xec\xbf\xd6\x4b\x7e\x0e" + "\x8c\xcf\xf4\x39\xac\x33\x3b\x04\x0f\x19\xb0\xc4\xdd\xd1\x1a\x61" + "\xe2\x4a\xc1\xfe\x0f\x10\xa0\x39\x80\x6c\x5d\xcc\x0d\xa3\xd1\x15", + 128 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xf5\x97\x11\xd4\x4a\x03\x1d\x5f\x97\xa9\x41\x3c\x06\x5d\x1e\x61" + "\x4c\x41\x7e\xde\x99\x85\x90\x32\x5f\x49\xba\xd2\xfd\x44\x4d\x3e" + "\x44\x18\xbe\x19\xae\xc4\xe1\x14\x49\xac\x1a\x57\x20\x78\x98\xbc" + "\x57\xd7\x6a\x1b\xcf\x35\x66\x29\x2c\x20\xc6\x83\xa5\xc4\x64\x8f", + 129 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xdf\x0a\x9d\x0c\x21\x28\x43\xa6\xa9\x34\xe3\x90\x2b\x2d\xd3\x0d" + "\x17\xfb\xa5\xf9\x69\xd2\x03\x0b\x12\xa5\x46\xd8\xa6\xa4\x5e\x80" + "\xcf\x56\x35\xf0\x71\xf0\x45\x2e\x9c\x91\x92\x75\xda\x99\xbe\xd5" + "\x1e\xb1\x17\x3c\x1a\xf0\x51\x87\x26\xb7\x5b\x0e\xc3\xba\xe2\xb5", + 130 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa3\xeb\x6e\x6c\x7b\xf2\xfb\x8b\x28\xbf\xe8\xb1\x5e\x15\xbb\x50" + "\x0f\x78\x1e\xcc\x86\xf7\x78\xc3\xa4\xe6\x55\xfc\x58\x69\xbf\x28" + "\x46\xa2\x45\xd4\xe3\x3b\x7b\x14\x43\x6a\x17\xe6\x3b\xe7\x9b\x36" + "\x65\x5c\x22\x6a\x50\xff\xbc\x71\x24\x20\x7b\x02\x02\x34\x2d\xb5", + 131 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x56\xd4\xcb\xcd\x07\x05\x63\x42\x6a\x01\x70\x69\x42\x5c\x2c\xd2" + "\xae\x54\x06\x68\x28\x7a\x5f\xb9\xda\xc4\x32\xeb\x8a\xb1\xa3\x53" + "\xa3\x0f\x2f\xe1\xf4\x0d\x83\x33\x3a\xfe\x69\x6a\x26\x77\x95\x40" + "\x8a\x92\xfe\x7d\xa0\x7a\x0c\x18\x14\xcf\x77\xf3\x6e\x10\x5e\xe8", + 132 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xe5\x9b\x99\x87\xd4\x28\xb3\xed\xa3\x7d\x80\xab\xdb\x16\xcd\x2b" + "\x0a\xef\x67\x4c\x2b\x1d\xda\x44\x32\xea\x91\xee\x6c\x93\x5c\x68" + "\x4b\x48\xb4\x42\x8a\x8c\xc7\x40\xe5\x79\xa3\x0d\xef\xf3\x5a\x80" + "\x30\x13\x82\x0d\xd2\x3f\x14\xae\x1d\x84\x13\xb5\xc8\x67\x2a\xec", + 133 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xcd\x9f\xcc\x99\xf9\x9d\x4c\xc1\x6d\x03\x19\x00\xb2\xa7\x36\xe1" + "\x50\x8d\xb4\xb5\x86\x81\x4e\x63\x45\x85\x7f\x35\x4a\x70\xcc\xec" + "\xb1\xdf\x3b\x50\xa1\x9a\xda\xf4\x3c\x27\x8e\xfa\x42\x3f\xf4\xbb" + "\x6c\x52\x3e\xc7\xfd\x78\x59\xb9\x7b\x16\x8a\x7e\xbf\xf8\x46\x7c", + 134 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x06\x02\x18\x5d\x8c\x3a\x78\x73\x8b\x99\x16\x4b\x8b\xc6\xff\xb2" + "\x1c\x7d\xeb\xeb\xbf\x80\x63\x72\xe0\xda\x44\xd1\x21\x54\x55\x97" + "\xb9\xc6\x62\xa2\x55\xdc\x31\x54\x2c\xf9\x95\xec\xbe\x6a\x50\xfb" + "\x5e\x6e\x0e\xe4\xef\x24\x0f\xe5\x57\xed\xed\x11\x88\x08\x7e\x86", + 135 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc0\x8a\xfa\x5b\x92\x7b\xf0\x80\x97\xaf\xc5\xff\xf9\xca\x4e\x78" + "\x00\x12\x5c\x1f\x52\xf2\xaf\x35\x53\xfa\x2b\x89\xe1\xe3\x01\x5c" + "\x4f\x87\xd5\xe0\xa4\x89\x56\xad\x31\x45\x0b\x08\x3d\xad\x14\x7f" + "\xfb\x5e\xc0\x34\x34\xa2\x68\x30\xcf\x37\xd1\x03\xab\x50\xc5\xda", + 136 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x36\xf1\xe1\xc1\x1d\x6e\xf6\xbc\x3b\x53\x6d\x50\x5d\x54\x4a\x87" + "\x15\x22\xc5\xc2\xa2\x53\x06\x7e\xc9\x93\x3b\x6e\xc2\x54\x64\xda" + "\xf9\x85\x52\x5f\x5b\x95\x60\xa1\x6d\x89\x02\x59\xac\x1b\xb5\xcc" + "\x67\xc0\xc4\x69\xcd\xe1\x33\xde\xf0\x00\xea\x1d\x68\x6f\x4f\x5d", + 137 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xbf\x2a\xb2\xe2\x47\x0f\x54\x38\xc3\xb6\x89\xe6\x6e\x76\x86\xff" + "\xfa\x0c\xb1\xe1\x79\x8a\xd3\xa8\x6f\xf9\x90\x75\xbf\x61\x38\xe3" + "\x3d\x9c\x0c\xe5\x9a\xfb\x24\xac\x67\xa0\x2a\xf3\x44\x28\x19\x1a" + "\x9a\x0a\x60\x41\xc0\x74\x71\xb7\xc3\xb1\xa7\x52\xd6\xfc\x0b\x8b", + 138 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd4\x00\x60\x1f\x97\x28\xcc\xc4\xc9\x23\x42\xd9\x78\x7d\x8d\x28" + "\xab\x32\x3a\xf3\x75\xca\x56\x24\xb4\xbb\x91\xd1\x72\x71\xfb\xae" + "\x86\x2e\x41\x3b\xe7\x3f\x1f\x68\xe6\x15\xb8\xc5\xc3\x91\xbe\x0d" + "\xbd\x91\x44\x74\x6e\xb3\x39\xad\x54\x15\x47\xba\x9c\x46\x8a\x17", + 139 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x79\xfe\x2f\xe1\x57\xeb\x85\xa0\x38\xab\xb8\xeb\xbc\x64\x77\x31" + "\xd2\xc8\x3f\x51\xb0\xac\x6e\xe1\x4a\xa2\x84\xcb\x6a\x35\x49\xa4" + "\xdc\xce\xb3\x00\x74\x0a\x82\x5f\x52\xf5\xfb\x30\xb0\x3b\x8c\x4d" + "\x8b\x0f\x4a\xa6\x7a\x63\xf4\xa9\x4e\x33\x03\xc4\xed\xa4\xc0\x2b", + 140 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x75\x35\x13\x13\xb5\x2a\x85\x29\x29\x8d\x8c\x18\x6b\x17\x68\x66" + "\x6d\xcc\xa8\x59\x53\x17\xd7\xa4\x81\x6e\xb8\x8c\x06\x20\x20\xc0" + "\xc8\xef\xc5\x54\xbb\x34\x1b\x64\x68\x8d\xb5\xcc\xaf\xc3\x5f\x3c" + "\x3c\xd0\x9d\x65\x64\xb3\x6d\x7b\x04\xa2\x48\xe1\x46\x98\x0d\x4b", + 141 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xe3\x12\x8b\x1d\x31\x1d\x02\x17\x9d\x7f\x25\xf9\x7a\x5a\x8b\xee" + "\x2c\xc8\xc8\x63\x03\x64\x4f\xcd\x66\x4e\x15\x7d\x1f\xef\x00\xf2" + "\x3e\x46\xf9\xa5\xe8\xe5\xc8\x90\xce\x56\x5b\xb6\xab\xd4\x30\x2c" + "\xe0\x64\x69\xd5\x2a\x5b\xd5\x3e\x1c\x5a\x54\xd0\x46\x49\xdc\x03", + 142 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc2\x38\x2a\x72\xd2\xd3\xac\xe9\xd5\x93\x3d\x00\xb6\x08\x27\xed" + "\x38\x0c\xda\x08\xd0\xba\x5f\x6d\xd4\x1e\x29\xee\x6d\xbe\x8e\xcb" + "\x92\x35\xf0\x6b\xe9\x5d\x83\xb6\x81\x6a\x2f\xb7\xa5\xad\x47\x03" + "\x5e\x8a\x4b\x69\xa4\x88\x4b\x99\xe4\xbe\xce\x58\xca\xb2\x5d\x44", + 143 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6b\x1c\x69\x46\x0b\xbd\x50\xac\x2e\xd6\xf3\x2e\x6e\x88\x7c\xfe" + "\xd4\x07\xd4\x7d\xcf\x0a\xaa\x60\x38\x7f\xe3\x20\xd7\x80\xbd\x03" + "\xea\xb6\xd7\xba\xeb\x2a\x07\xd1\x0c\xd5\x52\xa3\x00\x34\x13\x54" + "\xea\x9a\x5f\x03\x18\x3a\x62\x3f\x92\xa2\xd4\xd9\xf0\x09\x26\xaf", + 144 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6c\xda\x20\x6c\x80\xcd\xc9\xc4\x4b\xa9\x90\xe0\x32\x8c\x31\x4f" + "\x81\x9b\x14\x2d\x00\x63\x04\x04\xc4\x8c\x05\xdc\x76\xd1\xb0\x0c" + "\xe4\xd7\x2f\xc6\xa4\x8e\x14\x69\xdd\xef\x60\x94\x12\xc3\x64\x82" + "\x08\x54\x21\x4b\x48\x69\xaf\x09\x0f\x00\xd3\xc1\xba\x44\x3e\x1b", + 145 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x7f\xfc\x8c\x26\xfb\xd6\xa0\xf7\xa6\x09\xe6\xe1\x93\x9f\x6a\x9e" + "\xdf\x1b\x0b\x06\x66\x41\xfb\x76\xc4\xf9\x60\x2e\xd7\x48\xd1\x16" + "\x02\x49\x6b\x35\x35\x5b\x1a\xa2\x55\x85\x0a\x50\x9d\x2f\x8e\xe1" + "\x8c\x8f\x3e\x1d\x7d\xcb\xc3\x7a\x13\x65\x98\xf5\x6a\x59\xed\x17", + 146 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x70\xde\x1f\x08\xdd\x4e\x09\xd5\xfc\x15\x1f\x17\xfc\x99\x1a\x23" + "\xab\xfc\x05\x10\x42\x90\xd5\x04\x68\x88\x2e\xfa\xf5\x82\xb6\xec" + "\x2f\x14\xf5\x77\xc0\xd6\x8c\x3a\xd0\x66\x26\x91\x6e\x3c\x86\xe6" + "\xda\xab\x6c\x53\xe5\x16\x3e\x82\xb6\xbd\x0c\xe4\x9f\xc0\xd8\xdf", + 147 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x4f\x81\x93\x57\x56\xed\x35\xee\x20\x58\xee\x0c\x6a\x61\x10\xd6" + "\xfa\xc5\xcb\x6a\x4f\x46\xaa\x94\x11\x60\x3f\x99\x96\x58\x23\xb6" + "\xda\x48\x38\x27\x6c\x5c\x06\xbc\x78\x80\xe3\x76\xd9\x27\x58\x36" + "\x9e\xe7\x30\x5b\xce\xc8\xd3\xcf\xd2\x8c\xca\xbb\x7b\x4f\x05\x79", + 148 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xab\xcb\x61\xcb\x36\x83\xd1\x8f\x27\xad\x52\x79\x08\xed\x2d\x32" + "\xa0\x42\x6c\xb7\xbb\x4b\xf1\x80\x61\x90\x3a\x7d\xc4\x2e\x7e\x76" + "\xf9\x82\x38\x23\x04\xd1\x8a\xf8\xc8\x0d\x91\xdd\x58\xdd\x47\xaf" + "\x76\xf8\xe2\xc3\x6e\x28\xaf\x24\x76\xb4\xbc\xcf\x82\xe8\x9f\xdf", + 149 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x02\xd2\x61\xad\x56\xa5\x26\x33\x1b\x64\x3d\xd2\x18\x6d\xe9\xa8" + "\x2e\x72\xa5\x82\x23\xcd\x1e\x72\x36\x86\xc5\x3d\x86\x9b\x83\xb9" + "\x46\x32\xb7\xb6\x47\xab\x2a\xfc\x0d\x52\x2e\x29\xda\x3a\x56\x15" + "\xb7\x41\xd8\x28\x52\xe0\xdf\x41\xb6\x60\x07\xdb\xcb\xa9\x05\x43", + 150 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc5\x83\x27\x41\xfa\x30\xc5\x43\x68\x23\x01\x53\x83\xd2\x97\xff" + "\x4c\x4a\x5d\x72\x76\xc3\xf9\x02\x12\x20\x66\xe0\x4b\xe5\x43\x1b" + "\x1a\x85\xfa\xf7\x3b\x91\x84\x34\xf9\x30\x09\x63\xd1\xde\xa9\xe8" + "\xac\x39\x24\xef\x49\x02\x26\xed\xee\xa5\xf7\x43\xe4\x10\x66\x9f", + 151 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xcf\xae\xab\x26\x8c\xd0\x75\xa5\xa6\xae\xd5\x15\x02\x3a\x03\x2d" + "\x54\xf2\xf2\xff\x73\x3c\xe0\xcb\xc7\x8d\xb5\x1d\xb4\x50\x4d\x67" + "\x59\x23\xf8\x27\x46\xd6\x59\x46\x06\xad\x5d\x67\x73\x4b\x11\xa6" + "\x7c\xc6\xa4\x68\xc2\x03\x2e\x43\xca\x1a\x94\xc6\x27\x3a\x98\x5e", + 152 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x86\x08\x50\xf9\x2e\xb2\x68\x27\x2b\x67\xd1\x33\x60\x9b\xd6\x4e" + "\x34\xf6\x1b\xf0\x3f\x4c\x17\x38\x64\x5c\x17\xfe\xc8\x18\x46\x5d" + "\x7e\xcd\x2b\xe2\x90\x76\x41\x13\x00\x25\xfd\xa7\x94\x70\xab\x73" + "\x16\x46\xe7\xf6\x94\x40\xe8\x36\x7e\xa7\x6a\xc4\xce\xe8\xa1\xdf", + 153 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x84\xb1\x54\xed\x29\xbb\xed\xef\xa6\x48\x28\x68\x39\x04\x6f\x4b" + "\x5a\xa3\x44\x30\xe2\xd6\x7f\x74\x96\xe4\xc3\x9f\x2c\x7e\xa7\x89" + "\x95\xf6\x9e\x12\x92\x20\x00\x16\xf1\x6a\xc3\xb3\x77\x00\xe6\xc7" + "\xe7\x86\x1a\xfc\x39\x6b\x64\xa5\x9a\x1d\xbf\x47\xa5\x5c\x4b\xbc", + 154 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xae\xee\xc2\x60\xa5\xd8\xef\xf5\xcc\xab\x8b\x95\xda\x43\x5a\x63" + "\xed\x7a\x21\xea\x7f\xc7\x55\x94\x13\xfd\x61\x7e\x33\x60\x9f\x8c" + "\x29\x0e\x64\xbb\xac\xc5\x28\xf6\xc0\x80\x26\x22\x88\xb0\xf0\xa3" + "\x21\x9b\xe2\x23\xc9\x91\xbe\xe9\x2e\x72\x34\x95\x93\xe6\x76\x38", + 155 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x8a\xd7\x8a\x9f\x26\x60\x1d\x12\x7e\x8d\x2f\x2f\x97\x6e\x63\xd1" + "\x9a\x05\x4a\x17\xdc\xf5\x9e\x0f\x01\x3a\xb5\x4a\x68\x87\xbb\xdf" + "\xfd\xe7\xaa\xae\x11\x7e\x0f\xbf\x32\x71\x01\x65\x95\xb9\xd9\xc7" + "\x12\xc0\x1b\x2c\x53\xe9\x65\x5a\x38\x2b\xc4\x52\x2e\x61\x66\x45", + 156 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x89\x34\x15\x9d\xad\xe1\xac\x74\x14\x7d\xfa\x28\x2c\x75\x95\x4f" + "\xce\xf4\x43\xef\x25\xf8\x0d\xfe\x9f\xb6\xea\x63\x3b\x85\x45\x11" + "\x1d\x08\xb3\x4e\xf4\x3f\xff\x17\x02\x6c\x79\x64\xf5\xde\xac\x6d" + "\x2b\x3c\x29\xda\xcf\x27\x47\xf0\x22\xdf\x59\x67\xdf\xdc\x1a\x0a", + 157 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xcd\x36\xdd\x0b\x24\x06\x14\xcf\x2f\xa2\xb9\xe9\x59\x67\x9d\xcd" + "\xd7\x2e\xc0\xcd\x58\xa4\x3d\xa3\x79\x0a\x92\xf6\xcd\xeb\x9e\x1e" + "\x79\x5e\x47\x8a\x0a\x47\xd3\x71\x10\x0d\x34\x0c\x5c\xed\xcd\xbb" + "\xc9\xe6\x8b\x3f\x46\x08\x18\xe5\xbd\xff\x7b\x4c\xda\x4c\x27\x44", + 158 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x00\xdf\x4e\x09\x9b\x80\x71\x37\xa8\x59\x90\xf4\x9d\x3a\x94\x31" + "\x5e\x5a\x5f\x7f\x7a\x60\x76\xb3\x03\xe9\x6b\x05\x6f\xb9\x38\x00" + "\x11\x1f\x47\x96\x28\xe2\xf8\xdb\x59\xae\xb6\xac\x70\xc3\xb6\x1f" + "\x51\xf9\xb4\x6e\x80\xff\xde\xae\x25\xeb\xdd\xb4\xaf\x6c\xb4\xee", + 159 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x2b\x9c\x95\x5e\x6c\xae\xd4\xb7\xc9\xe2\x46\xb8\x6f\x9a\x17\x26" + "\xe8\x10\xc5\x9d\x12\x6c\xee\x66\xed\x71\xbf\x01\x5b\x83\x55\x8a" + "\x4b\x6d\x84\xd1\x8d\xc3\xff\x46\x20\xc2\xff\xb7\x22\x35\x9f\xde" + "\xf8\x5b\xa0\xd4\xe2\xd2\x2e\xcb\xe0\xed\x78\x4f\x99\xaf\xe5\x87", + 160 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x18\x1d\xf0\xa2\x61\xa2\xf7\xd2\x9e\xa5\xa1\x57\x72\x71\x51\x05" + "\xd4\x50\xa4\xb6\xc2\x36\xf6\x99\xf4\x62\xd6\x0c\xa7\x64\x87\xfe" + "\xed\xfc\x9f\x5e\xb9\x2d\xf8\x38\xe8\xfb\x5d\xc3\x69\x4e\x84\xc5" + "\xe0\xf4\xa1\x0b\x76\x1f\x50\x67\x62\xbe\x05\x2c\x74\x5a\x6e\xe8", + 161 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x21\xfb\x20\x34\x58\xbf\x3a\x7e\x9a\x80\x43\x9f\x9a\x90\x28\x99" + "\xcd\x5d\xe0\x13\x9d\xfd\x56\xf7\x11\x0c\x9d\xec\x84\x37\xb2\x6b" + "\xda\x63\xde\x2f\x56\x59\x26\xd8\x5e\xdb\x1d\x6c\x68\x25\x66\x97" + "\x43\xdd\x99\x92\x65\x3d\x13\x97\x95\x44\xd5\xdc\x82\x28\xbf\xaa", + 162 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xef\x02\x1f\x29\xc5\xff\xb8\x30\xe6\x4b\x9a\xa9\x05\x8d\xd6\x60" + "\xfd\x2f\xcb\x81\xc4\x97\xa7\xe6\x98\xbc\xfb\xf5\x9d\xe5\xad\x4a" + "\x86\xff\x93\xc1\x0a\x4b\x9d\x1a\xe5\x77\x47\x25\xf9\x07\x2d\xcd" + "\xe9\xe1\xf1\x99\xba\xb9\x1f\x8b\xff\x92\x18\x64\xaa\x50\x2e\xee", + 163 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb3\xcf\xda\x40\x52\x6b\x7f\x1d\x37\x56\x9b\xdf\xcd\xf9\x11\xe5" + "\xa6\xef\xe6\xb2\xec\x90\xa0\x45\x4c\x47\xb2\xc0\x46\xbf\x13\x0f" + "\xc3\xb3\x52\xb3\x4d\xf4\x81\x3d\x48\xd3\x3a\xb8\xe2\x69\xb6\x9b" + "\x07\x56\x76\xcb\x6d\x00\xa8\xdc\xf9\xe1\xf9\x67\xec\x19\x1b\x2c", + 164 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb4\xc6\xc3\xb2\x67\x07\x1e\xef\xb9\xc8\xc7\x2e\x0e\x2b\x94\x12" + "\x93\x64\x1f\x86\x73\xcb\x70\xc1\xcc\x26\xad\x1e\x73\xcf\x14\x17" + "\x55\x86\x0a\xd1\x9b\x34\xc2\xf3\x4e\xd3\x5b\xb5\x2e\xc4\x50\x7c" + "\xc1\xfe\x59\x04\x77\x43\xa5\xf0\xc6\xfe\xbd\xe6\x25\xe2\x60\x91", + 165 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x57\xa3\x4f\x2b\xcc\xa6\x0d\x4b\x85\x10\x3b\x83\x0c\x9d\x79\x52" + "\xa4\x16\xbe\x52\x63\xae\x42\x9c\x9e\x5e\x53\xfe\x85\x90\xa8\xf7" + "\x8e\xc6\x5a\x51\x10\x9e\xa8\x5d\xcd\xf7\xb6\x22\x3f\x9f\x2b\x34" + "\x05\x39\xfa\xd8\x19\x23\xdb\xf8\xed\xab\xf9\x51\x29\xe4\xdf\xf6", + 166 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x9c\xf4\x66\x62\xfc\xd6\x1a\x23\x22\x77\xb6\x85\x66\x3b\x8b\x5d" + "\xa8\x32\xdf\xd9\xa3\xb8\xcc\xfe\xec\x99\x3e\xc6\xac\x41\x5a\xd0" + "\x7e\x04\x8a\xdf\xe4\x14\xdf\x27\x27\x70\xdb\xa8\x67\xda\x5c\x12" + "\x24\xc6\xfd\x0a\xa0\xc2\x18\x7d\x42\x6a\xc6\x47\xe9\x88\x73\x61", + 167 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5c\xe1\x04\x2a\xb4\xd5\x42\xc2\xf9\xee\x9d\x17\x26\x2a\xf8\x16" + "\x40\x98\x93\x5b\xef\x17\x3d\x0e\x18\x48\x9b\x04\x84\x17\x46\xcd" + "\x2f\x2d\xf8\x66\xbd\x7d\xa6\xe5\xef\x90\x24\xc6\x48\x02\x3e\xc7" + "\x23\xab\x9c\x62\xfd\x80\x28\x57\x39\xd8\x4f\x15\xd2\xab\x51\x5a", + 168 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x84\x88\x39\x6b\xd4\xa8\x72\x9b\x7a\x47\x31\x78\xf2\x32\xda\xdf" + "\x3f\x0f\x8e\x22\x67\x8b\xa5\xa4\x3e\x04\x1e\x72\xda\x1e\x2c\xf8" + "\x21\x94\xc3\x07\x20\x7a\x54\xcb\x81\x56\x29\x33\x39\xea\xec\x69" + "\x3f\xf6\x6b\xfc\xd5\xef\xc6\x5e\x95\xe4\xec\xaf\x54\x53\x0a\xbd", + 169 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xf5\x98\xda\x90\x1c\x38\x35\xbc\xa5\x60\x77\x90\x37\xdf\xde\x9f" + "\x0c\x51\xdc\x61\xc0\xb7\x60\xfc\x15\x22\xd7\xb4\x70\xee\x63\xf5" + "\xbd\xc6\x49\x84\x76\xe8\x60\x49\xad\x86\xe4\xe2\x1a\xf2\x85\x4a" + "\x98\x4c\xc9\x05\x42\x7d\x2f\x17\xf6\x6b\x1f\x41\xc3\xda\x6f\x61", + 170 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5f\x93\x26\x97\x98\xcf\x02\x13\x21\x07\x33\x76\x60\xa8\xd7\xa1" + "\x77\x35\x4c\x02\x12\xeb\x93\xe5\x55\xe7\xc3\x7a\x08\xae\xf3\xd8" + "\xdc\xe0\x12\x17\x01\x1c\xd9\x65\xc0\x4d\xd2\xc1\x05\xf2\xe2\xb6" + "\xca\xe5\xe4\xe6\xbc\xaf\x09\xdf\xbe\xe3\xe0\xa6\xa6\x35\x7c\x37", + 171 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x0e\xcf\x58\x1d\x47\xba\xc9\x23\x09\x86\xfa\xab\xd7\x0c\x2f\x5b" + "\x80\xe9\x10\x66\xf0\xec\x55\xa8\x42\x93\x78\x82\x28\x6d\x2c\xa0" + "\x07\xbb\x4e\x97\x3b\x0b\x09\x1d\x52\x16\x7f\xf7\xc4\x00\x9c\x7a" + "\xb4\xad\x38\xff\xf1\xdc\xea\xcd\xb7\xbe\x81\xef\x4a\x45\x29\x52", + 172 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5a\xec\xa8\xab\xe1\x52\x85\x82\xb2\xa3\x07\xb4\x00\x95\x85\x49" + "\x8a\x3d\x46\x7c\xa6\x10\x1c\xb0\xc5\x12\x6f\x99\x76\x05\x6e\x9f" + "\xfc\x12\x3c\xc2\x0c\x30\x2b\x2a\x73\x7f\x49\x2c\x75\xd2\x1f\x01" + "\x51\x2c\x90\xca\x05\x41\xdf\xa5\x6e\x95\x0a\x32\x1d\xcb\x28\xd8", + 173 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x73\x2f\xbf\x8f\x1c\xb2\xb8\x32\x92\x63\xed\xe2\x78\x58\xfe\x46" + "\xf8\xd3\x35\x4d\x37\x6b\xcd\xa0\x54\x8e\x7c\xe1\xfa\x9d\xd1\x1f" + "\x85\xeb\x66\x1f\xe9\x50\xb5\x43\xaa\x63\x5c\xa4\xd3\xf0\x4e\xde" + "\x5b\x32\xd6\xb6\x56\xe5\xce\x1c\x44\xd3\x5c\x4a\x6c\x56\xcf\xf8", + 174 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd5\xe9\x38\x73\x5d\x63\x78\x8c\x80\x10\x0a\xef\xd1\x86\x48\xd1" + "\x8c\xf2\x72\xf6\x9f\x20\xff\x24\xcf\xe2\x89\x5c\x08\x8a\xd0\x8b" + "\x01\x04\xda\x16\x72\xa4\xeb\x26\xfc\x52\x54\x5c\xc7\xd7\xa0\x1b" + "\x26\x6c\xf5\x46\xc4\x03\xc4\x5b\xd1\x29\xeb\x41\xbd\xd9\x20\x0b", + 175 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x65\xa2\x45\xb4\x93\x52\xee\x29\x7d\x91\xaf\x8c\x8b\xe0\x05\x28" + "\xac\x6e\x04\x6d\xd8\x3a\xc7\xbd\x46\x5a\x98\x81\x6d\xd6\x8f\x3e" + "\x00\xe1\xae\x8f\x89\x53\x27\xa7\xe9\xa8\xc9\x32\x65\x98\x37\x9a" + "\x29\xc9\xfc\x91\xec\x0c\x6e\xef\x08\xf3\xe2\xb2\x16\xc1\x10\x08", + 176 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc9\x56\x54\xb6\x30\x19\x13\x0a\xb4\x5d\xd0\xfb\x49\x41\xb9\x8a" + "\xeb\x3a\xf2\xa1\x23\x91\x3e\xca\x2c\xe9\x9b\x3e\x97\x41\x0a\x7b" + "\xf8\x66\x1c\xc7\xfb\xaa\x2b\xc1\xcf\x2b\x13\x11\x3b\x1e\xd4\x0a" + "\x01\x18\xb8\x8e\x5f\xff\xc3\x54\x27\x59\xea\x00\x7e\xd4\xc5\x8d", + 177 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x1e\xb2\x62\xf3\x8f\xa4\x94\x43\x1f\x01\x7d\xad\x44\xc0\xdf\xb6" + "\x93\x24\xac\x03\x2f\x04\xb6\x57\xfc\x91\xa8\x86\x47\xbb\x74\x76" + "\x0f\x24\xe7\xc9\x56\x51\x4f\x0c\xf0\x02\x99\x0b\x18\x2c\x16\x42" + "\xb9\xb2\x42\x6e\x96\xa6\x11\x87\xe4\xe0\x12\xf0\x0e\x21\x7d\x84", + 178 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x3b\x95\x5a\xee\xbf\xa5\x15\x1a\xc1\xab\x8e\x3f\x5c\xc1\xe3\x76" + "\x70\x84\xc8\x42\xa5\x75\xd3\x62\x69\x83\x6e\x97\x35\x3d\x41\x62" + "\x2b\x73\x1d\xdd\xcd\x5f\x26\x95\x50\xa3\xa5\xb8\x7b\xe1\xe9\x03" + "\x26\x34\x0b\x6e\x0e\x62\x55\x58\x15\xd9\x60\x05\x97\xac\x6e\xf9", + 179 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x68\x28\x9f\x66\x05\x47\x3b\xa0\xe4\xf2\x41\xba\xf7\x47\x7a\x98" + "\x85\x42\x6a\x85\x8f\x19\xef\x2a\x18\xb0\xd4\x0e\xf8\xe4\x12\x82" + "\xed\x55\x26\xb5\x19\x79\x9e\x27\x0f\x13\x88\x13\x27\x91\x82\x78" + "\x75\x57\x11\x07\x1d\x85\x11\xfe\x96\x3e\x3b\x56\x06\xaa\x37\x16", + 180 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x80\xa3\x37\x87\x54\x26\x12\xc3\x8f\x6b\xcd\x7c\xd8\x6c\xab\x46" + "\x02\x27\x50\x9b\x1c\xba\xd5\xec\x40\x8a\x91\x41\x3d\x51\x15\x5a" + "\x04\x76\xda\xdb\xf3\xa2\x51\x8e\x4a\x6e\x77\xcc\x34\x66\x22\xe3" + "\x47\xa4\x69\xbf\x8b\xaa\x5f\x04\xeb\x2d\x98\x70\x53\x55\xd0\x63", + 181 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x34\x62\x9b\xc6\xd8\x31\x39\x1c\x4c\xdf\x8a\xf1\xb4\xb7\xb6\xb8" + "\xe8\xee\x17\xcf\x98\xc7\x0e\x5d\xd5\x86\xcd\x99\xf1\x4b\x11\xdf" + "\x94\x51\x66\x23\x6a\x95\x71\xe6\xd5\x91\xbb\x83\xee\x4d\x16\x4d" + "\x46\xf6\xb9\xd8\xef\x86\xff\x86\x5a\x81\xbf\xb9\x1b\x00\x42\x4b", + 182 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x8b\x7c\xc3\x39\x16\x38\x63\xbb\x43\x83\xe5\x42\xb0\xef\x0e\x7c" + "\xf3\x6b\x84\xad\x93\x2c\xdf\x5a\x80\x41\x9e\xc9\xad\x69\x2e\x7a" + "\x7e\x78\x4d\x2c\x7c\xb3\x79\x6a\x18\xb8\xf8\x00\x03\x5f\x3a\xa0" + "\x6c\x82\x41\x00\x61\x11\x20\xa7\xbd\xeb\x35\x61\x8c\xcb\x81\xb7", + 183 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x4f\x08\x4e\x49\x39\xdd\x5a\x7f\x5a\x65\x8f\xad\x58\xa1\x8a\x15" + "\xc2\x5c\x32\xec\x1c\x7f\xd5\xc5\xc6\xc3\xe8\x92\xb3\x97\x1a\xea" + "\xac\x30\x83\x04\xef\x17\xb1\xc4\x72\x39\xea\x4b\xb3\x98\xb3\xfd" + "\x6d\x45\x28\xd8\xde\x8e\x76\x8a\xe0\xf1\xa5\xa5\xc6\xb5\xc2\x97", + 184 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x48\xf4\x07\xa1\xaf\x5b\x80\x09\xb2\x05\x17\x42\xe8\xcf\x5c\xd5" + "\x65\x66\x69\xe7\xd7\x22\xee\x8e\x7b\xd2\x02\x06\x08\x49\x44\x21" + "\x68\xd8\xfa\xcc\x11\x7c\x01\x2b\xfb\x7b\xf4\x49\xd9\x9b\xef\xff" + "\x6a\x34\xae\xa2\x03\xf1\xd8\xd3\x52\x72\x2b\xe5\x01\x4e\xc8\x18", + 185 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa6\xaa\x82\xcd\x1e\x42\x6f\x9a\x73\xbf\xa3\x9a\x29\x03\x78\x76" + "\x11\x46\x55\xb8\xc2\x2d\x6d\x3f\xf8\xb6\x38\xae\x7d\xea\x6b\x17" + "\x84\x3e\x09\xe5\x2e\xb6\x6f\xa1\xe4\x75\xe4\xa8\xa3\xde\x42\x9b" + "\x7d\x0f\x4a\x77\x6f\xcb\x8b\xdc\x9b\x9f\xed\xe7\xd5\x2e\x81\x5f", + 186 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x58\x17\x02\x7d\x6b\xdd\x00\xc5\xdd\x10\xac\x59\x3c\xd5\x60\x37" + "\x22\x70\x77\x5a\x18\x52\x6d\x7e\x6f\x13\x87\x2a\x2e\x20\xea\xb6" + "\x64\x62\x5b\xe7\x16\x8a\xc4\xbd\x7c\x9e\x0c\xe7\xfc\x40\x99\xe0" + "\xf4\x84\x42\xe2\xc7\x67\x19\x1c\x6e\x12\x84\xe9\xb2\xcc\xea\x8c", + 187 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x08\xe4\x10\x28\x34\x0a\x45\xc7\x4e\x40\x52\xb3\xa8\xd6\x38\x9e" + "\x22\xe0\x43\xa1\xad\xab\x5e\x28\xd9\x76\x19\x45\x0d\x72\x34\x69" + "\xb6\x20\xca\xa5\x19\xb8\x1c\x14\x52\x38\x54\xf6\x19\xfd\x30\x27" + "\xe3\x84\x7b\xd0\x32\x76\xe6\x06\x04\xa8\x0d\xdb\x4d\xe8\x76\xd6", + 188 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x13\x0b\x84\x20\x53\x7e\xb0\x7d\x72\xab\xda\x07\xc8\x5a\xcb\xd8" + "\xb9\xa4\x4f\x16\x32\x1d\xd0\x42\x21\x45\xf8\x09\x67\x3d\x30\xf2" + "\xb5\x32\x13\x26\xe2\xbf\xf3\x17\xef\x3f\xef\x98\x3c\x51\xc4\xf8" + "\xab\x24\xa3\x25\xd2\x98\xe3\x4a\xfc\xe5\x69\xa8\x25\x55\x77\x4c", + 189 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xac\x49\xb8\x44\xaf\xaa\x01\x2e\x31\xc4\x74\xca\x26\x36\x48\x84" + "\x4f\xd2\xf6\x30\x79\x92\xc2\xf7\x52\xac\xa0\x2c\x38\x28\x96\x51" + "\x75\x79\x4d\xee\xe2\xd2\xee\x95\xc6\x1c\xd2\x84\xf6\xb5\xa2\xd7" + "\x5e\x2e\xf2\xb2\x9e\xe8\x14\x9e\x77\xfb\x81\x44\x7b\x2f\xd0\x4b", + 190 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb9\xd7\xca\x81\xcc\x60\xbb\x95\x78\xe4\x40\x24\xe5\xa0\xa0\xbe" + "\x80\xf2\x73\x36\xa6\xa9\xf4\xe5\x3d\xf3\x99\x9c\xb1\x91\x28\x0b" + "\x09\x0e\x2a\xc2\xd2\x9c\x5b\xaa\xd9\xd7\x14\x15\xbd\xc1\x29\xe6" + "\x9a\xa2\x66\x7a\xf6\xa7\xfd\x5e\x18\x9f\xcc\xdc\xee\x81\x73\x40", + 191 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa7\x55\xe1\x13\x38\x65\x72\xc7\x5c\xed\x61\xd7\x19\x70\x60\x70" + "\xb9\x14\x60\x48\xe4\x2a\x9f\x8c\xd3\x56\x67\xa0\x88\xb4\x2f\x08" + "\x80\x8a\xbd\xf7\x7e\x61\x8a\xbd\x95\x9a\xfc\x75\x73\x79\xca\x2c" + "\x00\xbc\xc1\xa4\x83\x90\xfa\x2b\xff\x61\x8b\x1e\x00\x78\xa6\x13", + 192 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa7\x3c\x7d\xeb\xed\x32\x6f\x1c\x0d\xb0\x79\x5e\xe7\xd6\xe3\x94" + "\x68\x94\xb8\x26\xb1\xf8\x10\x1c\x56\xc8\x23\xba\x17\x16\x83\x12" + "\xe7\xf5\x3f\xc7\xdb\xe5\x2c\x3e\x11\xe6\x98\x52\xc4\x04\x85\xe2" + "\xef\x18\x24\x77\x86\x2e\xa6\xa3\x4e\xc1\x36\xe2\xdf\xee\xa6\xf4", + 193 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6c\xb8\xf9\xd5\x2c\x56\xd8\x2c\xac\x28\xf3\x9e\xa1\x59\x3e\x8b" + "\xb2\x50\x62\x93\xac\x0d\x68\x37\x6a\x17\x09\xb6\x2a\x46\xdf\x14" + "\xa4\xae\x64\xb2\xd8\xfa\xb7\x67\x33\xa1\xce\xd2\xd5\x48\xe3\xf3" + "\xc6\xfc\xb4\x9d\x40\xc3\xd5\x80\x8e\x44\x9c\xd8\x3d\x1c\x2a\xa2", + 194 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x68\x3f\xa2\xb2\x36\x9a\x10\x16\x2c\x1c\x1c\x7b\x24\xbc\x97\x0e" + "\xe6\x7d\xa2\x20\x56\x4f\x32\x20\x3f\x62\x56\x96\xc0\x35\x2a\x0b" + "\x9a\xd9\x66\x24\x36\x2d\x95\x2d\x84\x46\x3c\x11\x06\xa2\xdb\xa7" + "\xa0\x92\x59\x98\x84\xb3\x5a\x0b\x89\xc8\xf1\xb6\xa9\xb5\xa6\x1e", + 195 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xaa\xd9\xad\x44\x61\x01\x18\xb7\x7d\x50\x8a\xeb\x1b\xbc\xd1\xc1" + "\xb7\xd0\x17\x13\x97\xfb\x51\x0a\x40\x1b\xbc\x0e\xc3\x46\x23\x67" + "\x0d\x86\xa2\xdc\x3c\x8f\x3a\xb5\xa2\x04\x4d\xf7\x30\x25\x67\x27" + "\x54\x5f\x08\x60\xce\x21\xa1\xea\xc7\x17\xdf\xc4\x8f\x5d\x22\x8e", + 196 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc4\x25\x78\xde\x23\xb4\xc9\x87\xd5\xe1\xac\x4d\x68\x9e\xd5\xde" + "\x4b\x04\x17\xf9\x70\x4b\xc6\xbc\xe9\x69\xfa\x13\x47\x15\x85\xd6" + "\x2c\x2c\xb1\x21\x2a\x94\x4f\x39\x7f\xc9\xca\x2c\x37\x47\xc3\xbe" + "\xb6\x94\xec\x4c\x5b\xe6\x88\x28\xdd\xa5\x3e\xf4\x3f\xae\xc6\xc0", + 197 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x47\x0f\x00\x84\x1e\xe8\x24\x4e\x63\xed\x2c\x7e\xa3\x0e\x2e\x41" + "\x98\x97\xc1\x97\x46\x2e\xcc\xce\xcf\x71\x3b\x42\xa5\x06\x5f\xff" + "\x59\x14\xbc\x9b\x79\xaf\xfe\x8f\x6b\x65\x78\x75\xe7\x89\xae\x21" + "\x3b\xd9\x14\xcd\x35\xbd\x17\x4d\x46\xe9\xd1\x8b\xd8\x43\x77\x3d", + 198 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x34\xfc\x42\x13\x73\x0f\x47\xa5\xe9\xa3\x58\x0f\x64\x3e\x12\x94" + "\x5c\xfc\xb3\x1b\xf2\x06\xf6\xad\x45\x0c\xe5\x28\xda\x3f\xa4\x32" + "\xe0\x05\xd6\xb0\xec\xce\x10\xdc\xa7\xc5\x99\x5f\x6a\xac\xc5\x15" + "\x0e\x1b\x00\x9e\x19\x75\x1e\x83\x09\xf8\x85\x95\x31\x84\x43\x74", + 199 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xfb\x3c\x1f\x0f\x56\xa5\x6f\x8e\x31\x6f\xdf\x5d\x85\x3c\x8c\x87" + "\x2c\x39\x63\x5d\x08\x36\x34\xc3\x90\x4f\xc3\xac\x07\xd1\xb5\x78" + "\xe8\x5f\xf0\xe4\x80\xe9\x2d\x44\xad\xe3\x3b\x62\xe8\x93\xee\x32" + "\x34\x3e\x79\xdd\xf6\xef\x29\x2e\x89\xb5\x82\xd3\x12\x50\x23\x14", + 200 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc7\xc9\x7f\xc6\x5d\xd2\xb9\xe3\xd3\xd6\x07\xd3\x15\x98\xd3\xf8" + "\x42\x61\xe9\x91\x92\x51\xe9\xc8\xe5\x7b\xb5\xf8\x29\x37\x7d\x5f" + "\x73\xea\xbb\xed\x55\xc6\xc3\x81\x18\x0f\x29\xad\x02\xe5\xbe\x79" + "\x7f\xfe\xc7\xe5\x7b\xde\xcb\xc5\x0a\xd3\xd0\x62\xf0\x99\x3a\xb0", + 201 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa5\x7a\x49\xcd\xbe\x67\xae\x7d\x9f\x79\x7b\xb5\xcc\x7e\xfc\x2d" + "\xf0\x7f\x4e\x1b\x15\x95\x5f\x85\xda\xe7\x4b\x76\xe2\xec\xb8\x5a" + "\xfb\x6c\xd9\xee\xed\x88\x88\xd5\xca\x3e\xc5\xab\x65\xd2\x7a\x7b" + "\x19\xe5\x78\x47\x57\x60\xa0\x45\xac\x3c\x92\xe1\x3a\x93\x8e\x77", + 202 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc7\x14\x3f\xce\x96\x14\xa1\x7f\xd6\x53\xae\xb1\x40\x72\x6d\xc9" + "\xc3\xdb\xb1\xde\x6c\xc5\x81\xb2\x72\x68\x97\xec\x24\xb7\xa5\x03" + "\x59\xad\x49\x22\x43\xbe\x66\xd9\xed\xd8\xc9\x33\xb5\xb8\x0e\x0b" + "\x91\xbb\x61\xea\x98\x05\x60\x06\x51\x69\x76\xfa\xe8\xd9\x9a\x35", + 203 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x65\xbb\x58\xd0\x7f\x93\x7e\x2d\x3c\x7e\x65\x38\x5f\x9c\x54\x73" + "\x0b\x70\x41\x05\xcc\xdb\x69\x1f\x6e\x14\x6d\x4e\xe8\xf6\xc0\x86" + "\xf4\x95\x11\x03\x51\x10\xa9\xad\x60\x31\xfd\xce\xb9\x43\xe0\xf9" + "\x61\x3b\xcb\x27\x6d\xd4\x0f\x06\x24\xef\x0f\x92\x4f\x80\x97\x83", + 204 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xe5\x40\x27\x7f\x68\x3b\x11\x86\xdd\x3b\x5b\x3f\x61\x43\x33\x96" + "\x58\x1a\x35\xfe\xb1\x20\x02\xbe\x8c\x6a\x62\x31\xfc\x40\xff\xa7" + "\x0f\x08\x08\x1b\xc5\x8b\x2d\x94\xf7\x64\x95\x43\x61\x4a\x43\x5f" + "\xaa\x2d\x62\x11\x0e\x13\xda\xbc\x7b\x86\x62\x9b\x63\xaf\x9c\x24", + 205 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x41\x85\x00\x87\x8c\x5f\xbc\xb5\x84\xc4\x32\xf4\x28\x5e\x05\xe4" + "\x9f\x2e\x3e\x07\x53\x99\xa0\xdb\xfc\xf8\x74\xeb\xf8\xc0\x3d\x02" + "\xbf\x16\xbc\x69\x89\xd1\x61\xc7\x7c\xa0\x78\x6b\x05\x05\x3c\x6c" + "\x70\x94\x33\x71\x23\x19\x19\x21\x28\x83\x5c\xf0\xb6\x60\x59\x5b", + 206 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x88\x90\x90\xdb\xb1\x94\x4b\xdc\x94\x33\xee\x5e\xf1\x01\x0c\x7a" + "\x4a\x24\xa8\xe7\x1e\xce\xa8\xe1\x2a\x31\x31\x8c\xe4\x9d\xca\xb0" + "\xac\xa5\xc3\x80\x23\x34\xaa\xb2\xcc\x84\xb1\x4c\x6b\x93\x21\xfe" + "\x58\x6b\xf3\xf8\x76\xf1\x9c\xd4\x06\xeb\x11\x27\xfb\x94\x48\x01", + 207 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x53\xb6\xa2\x89\x10\xaa\x92\xe2\x7e\x53\x6f\xb5\x49\xcf\x9b\x99" + "\x18\x79\x10\x60\x89\x8e\x0b\x9f\xe1\x83\x57\x7f\xf4\x3b\x5e\x9c" + "\x76\x89\xc7\x45\xb3\x2e\x41\x22\x69\x83\x7c\x31\xb8\x9e\x6c\xc1" + "\x2b\xf7\x6e\x13\xca\xd3\x66\xb7\x4e\xce\x48\xbb\x85\xfd\x09\xe9", + 208 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x7c\x09\x20\x80\xc6\xa8\x0d\x67\x24\x09\xd0\x81\xd3\xd1\x77\x10" + "\x6b\xcd\x63\x56\x77\x85\x14\x07\x19\x49\x09\x50\xae\x07\xae\x8f" + "\xca\xab\xba\xaa\xb3\x30\xcf\xbc\xf7\x37\x44\x82\xc2\x20\xaf\x2e" + "\xad\xee\xb7\x3d\xcb\xb3\x5e\xd8\x23\x34\x4e\x14\x4e\x7d\x48\x99", + 209 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x9c\xcd\xe5\x66\xd2\x40\x05\x09\x18\x11\x11\xf3\x2d\xde\x4c\xd6" + "\x32\x09\xfe\x59\xa3\x0c\x11\x45\x46\xad\x27\x76\xd8\x89\xa4\x1b" + "\xad\x8f\xa1\xbb\x46\x8c\xb2\xf9\xd4\x2c\xa9\x92\x8a\x77\x70\xfe" + "\xf8\xe8\xba\x4d\x0c\x81\x2d\x9a\x1e\x75\xc3\xd8\xd2\xcc\xd7\x5a", + 210 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6e\x29\x3b\xf5\xd0\x3f\xe4\x39\x77\xcf\xe3\xf5\x7c\xcd\xb3\xae" + "\x28\x2a\x85\x45\x5d\xca\x33\xf3\x7f\x4b\x74\xf8\x39\x8c\xc6\x12" + "\x43\x3d\x75\x5c\xbe\xc4\x12\xf8\xf8\x2a\x3b\xd3\xbc\x4a\x27\x8f" + "\x7e\xcd\x0d\xfa\x9b\xbd\xc4\x0b\xe7\xa7\x87\xc8\xf1\x59\xb2\xdf", + 211 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc5\x65\x46\xfb\x21\x78\x45\x6f\x33\x61\x64\xc1\x8b\x90\xde\xff" + "\xc8\x3a\xe2\xb5\xa3\xac\xa7\x7b\x68\x84\xd3\x6d\x2c\x1d\xb3\x95" + "\x01\xb3\xe6\x5e\x36\xc7\x58\xc6\x6e\x31\x88\x45\x1f\xdb\x35\x15" + "\xee\x16\x2c\x00\x1f\x06\xc3\xe8\xcb\x57\x3a\xdf\x30\xf7\xa1\x01", + 212 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6f\x82\xf8\x9f\x29\x9e\xbc\xa2\xfe\x01\x4b\x59\xbf\xfe\x1a\xa8" + "\x4e\x88\xb1\x91\x5f\xe2\x56\xaf\xb6\x46\xfd\x84\x48\xaf\x2b\x88" + "\x91\xa7\xfa\xb3\x7a\x4e\xa6\xf9\xa5\x0e\x6c\x31\x70\x39\xd8\xcf" + "\x87\x8f\x4c\x8e\x1a\x0d\xd4\x64\xf0\xb4\xd6\xff\x1c\x7e\xa8\x53", + 213 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x2b\x85\x99\xff\x9c\x3d\x61\x98\x63\x7a\xd5\x1e\x57\xd1\x99\x8b" + "\x0d\x75\x31\x3f\xe2\xdd\x61\xa5\x33\xc9\x64\xa6\xdd\x96\x07\xc6" + "\xf7\x23\xe9\x45\x2c\xe4\x6e\x01\x4b\x1c\x1d\x6d\xe7\x7b\xa5\xb8" + "\x8c\x91\x4d\x1c\x59\x7b\xf1\xea\xe1\x34\x74\xb4\x29\x0e\x89\xb2", + 214 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x08\xbf\x34\x6d\x38\xe1\xdf\x06\xc8\x26\x0e\xdb\x1d\xa7\x55\x79" + "\x27\x59\x48\xd5\xc0\xa0\xaa\x9e\xd2\x88\x6f\x88\x56\xde\x54\x17" + "\xa1\x56\x99\x87\x58\xf5\xb1\x7e\x52\xf1\x01\xca\x95\x7a\x71\x13" + "\x74\x73\xdf\xd1\x8d\x7d\x20\x9c\x4c\x10\xd9\x23\x3c\x93\x69\x1d", + 215 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6d\xf2\x15\x6d\x77\x31\x14\xd3\x10\xb6\x3d\xb9\xee\x53\x50\xd7" + "\x7e\x6b\xcf\x25\xb0\x5f\xcd\x91\x0f\x9b\x31\xbc\x42\xbb\x13\xfe" + "\x82\x25\xeb\xcb\x2a\x23\xa6\x22\x80\x77\x7b\x6b\xf7\x4e\x2c\xd0" + "\x91\x7c\x76\x40\xb4\x3d\xef\xe4\x68\xcd\x1e\x18\xc9\x43\xc6\x6a", + 216 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x7c\x70\x38\xbc\x13\xa9\x11\x51\x82\x8a\x5b\xa8\x2b\x4a\x96\x04" + "\x0f\x25\x8a\x4d\xfb\x1b\x13\x73\xf0\xd3\x59\x16\x8a\xfb\x05\x17" + "\xa2\x0b\x28\xa1\x2d\x36\x44\x04\x6b\xe6\x6b\x8d\x08\xd8\xae\x7f" + "\x6a\x92\x3e\xa1\xc0\x01\x87\xc6\xd1\x1d\xc5\x02\xba\xc7\x13\x05", + 217 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xbc\xd1\xb3\x0d\x80\x8f\xb7\x39\xb9\x87\xcb\xf1\x54\xbe\xa0\x0d" + "\xa9\xd4\x03\x80\xb8\x61\xd4\xc1\xd6\x37\x71\x22\xda\xdd\x61\xc0" + "\xe5\x90\x18\xb7\x19\x41\xcf\xb6\x2e\x00\xdc\xd7\x0a\xeb\x9a\xbf" + "\x04\x73\xe8\x0f\x0a\x7e\xca\x6b\x6d\xea\x24\x6a\xb2\x29\xdd\x2b", + 218 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x7e\xd4\x46\x8d\x96\x85\x30\xfe\x7a\xb2\xc3\x35\x40\xb2\x6d\x8c" + "\x3b\xd3\xed\x44\xb3\x4f\xbe\x8c\x2a\x9d\x7f\x80\x5b\x5a\xda\x0e" + "\xa2\x52\xee\xad\xe4\xfc\xe9\x7f\x89\x72\x8a\xd8\x5b\xc8\xbb\x24" + "\x30\xb1\xbe\xf2\xcd\xdd\x32\xc8\x44\x6e\x59\xb8\xe8\xba\x3c\x67", + 219 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x6d\x30\xb7\xc6\xce\x8a\x32\x36\xc0\xca\x2f\x8d\x72\x8b\x10\x88" + "\xca\x06\x98\x3a\x80\x43\xe6\x21\xd5\xdc\xf0\xc5\x37\xd1\x3b\x08" + "\x79\x1e\xde\xb0\x1a\x3c\xf0\x94\x3e\xc1\xc8\x90\xab\x6e\x29\xb1" + "\x46\xa2\x36\xcd\x46\xbc\xb9\xd9\x3b\xf5\x16\xfb\x67\xc6\x3f\xe5", + 220 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x97\xfe\x03\xce\xf3\x14\x38\x50\x89\x11\xbd\xed\x97\x59\x80\xa6" + "\x60\x29\x30\x5d\xc5\xe3\xfa\x8a\xd1\xb4\xfb\x22\xfc\xdf\x5a\x19" + "\xa7\x33\x32\x03\x27\xd8\xf7\x1c\xcf\x49\x6c\xb3\xa4\x4a\x77\xaf" + "\x56\xe3\xdd\xe7\x3d\x3a\x5f\x17\x68\x96\xcc\x57\xc9\xa5\xad\x99", + 221 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x78\x5a\x9d\x0f\xbd\x21\x13\x6d\xbc\xe8\xfa\x7e\xaf\xd6\x3c\x9d" + "\xad\x22\x00\x52\x97\x84\x16\xb3\x1d\x97\x53\xea\xa1\x49\x09\x78" + "\x47\xed\x9b\x30\xa6\x5c\x70\x50\x7e\xff\x01\x87\x91\x49\xed\x5c" + "\xf0\x47\x1d\x37\x79\x8e\xdc\x05\xab\xd5\x6a\xd4\xa2\xcc\xcb\x1d", + 222 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xad\x40\x8d\x2a\xbd\xdf\xd3\x7b\x3b\xf3\x47\x94\xc1\xa3\x37\x1d" + "\x92\x8e\xd7\xfc\x8d\x96\x62\x25\x33\x35\x84\xc5\x66\x58\x17\x83" + "\x2a\x37\xc0\x7f\x0d\xc7\xcb\x5a\xa8\x74\xcd\x7d\x20\xfe\x8f\xab" + "\x8e\xab\xcb\x9b\x33\xd2\xe0\x84\x1f\x6e\x20\x09\x60\x89\x9d\x95", + 223 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x97\x66\x8f\x74\x5b\x60\x32\xfc\x81\x5d\x95\x79\x32\x27\x69\xdc" + "\xcd\x95\x01\xa5\x08\x00\x29\xb8\xae\x82\x6b\xef\xb6\x74\x23\x31" + "\xbd\x9f\x76\xef\xeb\x3e\x2b\x8e\x81\xa9\x78\x6b\x28\x2f\x50\x68" + "\xa3\xa2\x42\x46\x97\xa7\x7c\x41\x87\x6b\x7e\x75\x3f\x4c\x77\x67", + 224 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x26\xbb\x98\x5f\x47\xe7\xfe\xe0\xcf\xd2\x52\xd4\xef\x96\xbe\xd4" + "\x2b\x9c\x37\x0c\x1c\x6a\x3e\x8c\x9e\xb0\x4e\xf7\xf7\x81\x8b\x83" + "\x3a\x0d\x1f\x04\x3e\xba\xfb\x91\x1d\xc7\x79\xe0\x27\x40\xa0\x2a" + "\x44\xd3\xa1\xea\x45\xed\x4a\xd5\x5e\x68\x6c\x92\x7c\xaf\xe9\x7e", + 225 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5b\xfe\x2b\x1d\xcf\x7f\xe9\xb9\x50\x88\xac\xed\xb5\x75\xc1\x90" + "\x16\xc7\x43\xb2\xe7\x63\xbf\x58\x51\xac\x40\x7c\x9e\xda\x43\x71" + "\x5e\xdf\xa4\x8b\x48\x25\x49\x2c\x51\x79\x59\x3f\xff\x21\x35\x1b" + "\x76\xe8\xb7\xe0\x34\xe4\xc5\x3c\x79\xf6\x1f\x29\xc4\x79\xbd\x08", + 226 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xc7\x65\x09\xef\x72\xf4\xa6\xf9\xc9\xc4\x06\x18\xed\x52\xb2\x08" + "\x4f\x83\x50\x22\x32\xe0\xac\x8b\xda\xf3\x26\x43\x68\xe4\xd0\x18" + "\x0f\x68\x54\xc4\xab\xf4\xf6\x50\x9c\x79\xca\xaf\xc4\x4c\xf3\x19" + "\x4a\xfc\x57\xbd\x07\x7b\xd7\xb3\xc9\xbd\xa3\xd4\xb8\x77\x58\x16", + 227 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd6\x6f\x2b\xea\xb9\x90\xe3\x54\xcc\xb9\x10\xe4\xe9\xc7\xac\x61" + "\x8c\x7b\x63\xef\x29\x2a\x96\xb5\x52\x34\x1d\xe7\x8d\xc4\x6d\x3e" + "\xc8\xcf\xab\xc6\x99\xb5\x0a\xf4\x1f\xda\x39\xcf\x1b\x01\x73\x66" + "\x09\x23\x51\x0a\xd6\x7f\xae\xde\xf5\x20\x7c\xff\xe8\x64\x1d\x20", + 228 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x7d\x8f\x06\x72\x99\x2b\x79\xbe\x3a\x36\x4d\x8e\x59\x04\xf4\xab" + "\x71\x3b\xbc\x8a\xb0\x1b\x4f\x30\x9a\xd8\xcc\xf2\x23\xce\x10\x34" + "\xa8\x60\xdc\xb0\xb0\x05\x50\x61\x2c\xc2\xfa\x17\xf2\x96\x9e\x18" + "\xf2\x2e\x14\x27\xd2\x54\xb4\xa8\x2b\x3a\x03\xa3\xeb\x39\x4a\xdf", + 229 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa5\x6d\x67\x25\xbf\xb3\xde\x47\xc1\x41\x4a\xdf\x25\xfc\x8f\x0f" + "\xc9\x84\x6f\x69\x87\x72\x2b\xc0\x63\x66\xd5\xca\x4e\x89\x72\x29" + "\x25\xeb\xbc\x88\x14\x18\x84\x40\x75\x39\x7a\x0c\xa8\x98\x42\xc7" + "\xb9\xe9\xe0\x7e\x1d\x9d\x18\x3e\xbe\xb3\x9e\x12\x0b\x48\x3b\xf7", + 230 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xaf\x5e\x03\xd7\xfe\x60\xc6\x7e\x10\x31\x33\x44\x43\x4e\x79\x48" + "\x5a\x03\xa7\x58\xd6\xdc\xe9\x85\x57\x47\x45\x76\x3c\x1c\x5c\x77" + "\xd4\xfb\x3e\x6f\xb1\x22\x30\x36\x83\x70\x99\x3b\xf9\x0f\xee\xd0" + "\xc5\xd1\x60\x75\x24\x56\x2d\x7c\x09\xc0\xc2\x10\xed\x39\x3d\x7c", + 231 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x7a\x20\x54\x0c\xc0\x7b\xf7\x2b\x58\x24\x21\xfc\x34\x2e\x82\xf5" + "\x21\x34\xb6\x98\x41\xec\x28\xed\x18\x9e\x2e\xa6\xa2\x9d\xd2\xf8" + "\x2a\x64\x03\x52\xd2\x22\xb5\x2f\x29\x11\xdc\x72\xa7\xda\xb3\x1c" + "\xaa\xdd\x80\xc6\x11\x8f\x13\xc5\x6b\x2a\x1e\x43\x73\xbe\x0e\xa3", + 232 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x48\x6f\x02\xc6\x3e\x54\x67\xea\x1f\xdd\xe7\xe8\x2b\xfa\xcc\x2c" + "\x1b\xa5\xd6\x36\xd9\xf3\xd0\x8b\x21\x0d\xa3\xf3\x72\xf7\x06\xec" + "\x21\x8c\xc1\x7f\xf6\x0a\xef\x70\x3b\xbe\x0c\x15\xc3\x8a\xe5\x5d" + "\x28\x6a\x68\x4f\x86\x4c\x78\x21\x1c\xca\xb4\x17\x8c\x92\xad\xba", + 233 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x1c\x7a\x5c\x1d\xed\xcd\x04\xa9\x21\x78\x8f\x7e\xb2\x33\x61\xca" + "\x19\x53\xb0\x4b\x9c\x7a\xec\x35\xd6\x5e\xa3\xe4\x99\x6d\xb2\x6f" + "\x28\x12\x78\xea\x4a\xe6\x66\xad\x81\x02\x7d\x98\xaf\x57\x26\x2c" + "\xdb\xfa\x4c\x08\x5f\x42\x10\x56\x8c\x7e\x15\xee\xc7\x80\x51\x14", + 234 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x9c\xe3\xfa\x9a\x86\x0b\xdb\xd5\x37\x8f\xd6\xd7\xb8\xb6\x71\xc6" + "\xcb\x76\x92\x91\x0c\xe8\xf9\xb6\xcb\x41\x22\xcb\xcb\xe6\xac\x06" + "\xca\x04\x22\xce\xf1\x22\x59\x35\x05\x3b\x7d\x19\x3a\x81\xb9\xe9" + "\x72\xeb\x85\xa1\xd3\x07\x4f\x14\xcb\xb5\xec\x9f\x05\x73\x89\x2d", + 235 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xa9\x11\x87\xbe\x5c\x37\x1c\x42\x65\xc1\x74\xfd\x46\x53\xb8\xab" + "\x70\x85\x51\xf8\x3d\x1f\xee\x1c\xc1\x47\x95\x81\xbc\x00\x6d\x6f" + "\xb7\x8f\xcc\x9a\x5d\xee\x1d\xb3\x66\x6f\x50\x8f\x97\x80\xa3\x75" + "\x93\xeb\xcc\xcf\x5f\xbe\xd3\x96\x67\xdc\x63\x61\xe9\x21\xf7\x79", + 236 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x46\x25\x76\x7d\x7b\x1d\x3d\x3e\xd2\xfb\xc6\x74\xaf\x14\xe0\x24" + "\x41\x52\xf2\xa4\x02\x1f\xcf\x33\x11\x50\x5d\x89\xbd\x81\xe2\xf9" + "\xf9\xa5\x00\xc3\xb1\x99\x91\x4d\xb4\x95\x00\xb3\xc9\x8d\x03\xea" + "\x93\x28\x67\x51\xa6\x86\xa3\xb8\x75\xda\xab\x0c\xcd\x63\xb4\x4f", + 237 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x43\xdf\xdf\xe1\xb0\x14\xfe\xd3\xa2\xac\xab\xb7\xf3\xe9\xa1\x82" + "\xf2\xaa\x18\x01\x9d\x27\xe3\xe6\xcd\xcf\x31\xa1\x5b\x42\x8e\x91" + "\xe7\xb0\x8c\xf5\xe5\xc3\x76\xfc\xe2\xd8\xa2\x8f\xf8\x5a\xb0\xa0" + "\xa1\x65\x6e\xdb\x4a\x0a\x91\x53\x26\x20\x09\x6d\x9a\x5a\x65\x2d", + 238 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x27\x9e\x32\x02\xbe\x39\x89\xba\x31\x12\x77\x25\x85\x17\x74\x87" + "\xe4\xfe\x3e\xe3\xea\xb4\x9c\x2f\x7f\xa7\xfe\x87\xcf\xe7\xb8\x0d" + "\x3e\x03\x55\xed\xff\x6d\x03\x1e\x6c\x96\xc7\x95\xdb\x1c\x6f\x04" + "\x18\x80\xec\x38\x24\xde\xfa\xcf\x92\x63\x82\x0a\x8e\x73\x27\xde", + 239 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xea\x2d\x06\x6a\xc2\x29\xd4\xd4\xb6\x16\xa8\xbe\xde\xc7\x34\x32" + "\x52\x24\xe4\xb4\xe5\x8f\x1a\xe6\xda\xd7\xe4\x0c\x2d\xa2\x91\x96" + "\xc3\xb1\xea\x95\x71\xda\xcc\x81\xe8\x73\x28\xca\xa0\x21\x1e\x09" + "\x02\x7b\x05\x24\xaa\x3f\x4a\x84\x99\x17\xb3\x58\x67\x47\xeb\xbb", + 240 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x49\xf0\x14\xf5\xc6\x18\x22\xc8\x99\xab\x5c\xae\x51\xbe\x40\x44" + "\xa4\x49\x5e\x77\x7d\xeb\x7d\xa9\xb6\xd8\x49\x0e\xfb\xb8\x75\x30" + "\xad\xf2\x93\xda\xf0\x79\xf9\x4c\x33\xb7\x04\x4e\xf6\x2e\x2e\x5b" + "\xb3\xeb\x11\xe1\x73\x04\xf8\x45\x3e\xe6\xce\x24\xf0\x33\xdd\xb0", + 241 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x92\x33\x49\x03\x44\xe5\xb0\xdc\x59\x12\x67\x1b\x7a\xe5\x4c\xee" + "\x77\x30\xdb\xe1\xf4\xc7\xd9\x2a\x4d\x3e\x3a\xab\x50\x57\x17\x08" + "\xdb\x51\xdc\xf9\xc2\x94\x45\x91\xdb\x65\x1d\xb3\x2d\x22\x93\x5b" + "\x86\x94\x49\x69\xbe\x77\xd5\xb5\xfe\xae\x6c\x38\x40\xa8\xdb\x26", + 242 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb6\xe7\x5e\x6f\x4c\x7f\x45\x3b\x74\x65\xd2\x5b\x5a\xc8\xc7\x19" + "\x69\x02\xea\xa9\x53\x87\x52\x28\xc8\x63\x4e\x16\xe2\xae\x1f\x38" + "\xbc\x32\x75\x30\x43\x35\xf5\x98\x9e\xcc\xc1\xe3\x41\x67\xd4\xe6" + "\x8d\x77\x19\x96\x8f\xba\x8e\x2f\xe6\x79\x47\xc3\x5c\x48\xe8\x06", + 243 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xcc\x14\xca\x66\x5a\xf1\x48\x3e\xfb\xc3\xaf\x80\x08\x0e\x65\x0d" + "\x50\x46\xa3\x93\x2f\x4f\x51\xf3\xfe\x90\xa0\x70\x5e\xc2\x51\x04" + "\xad\xf0\x78\x39\x26\x5d\xc5\x1d\x43\x40\x14\x11\x24\x6e\x47\x4f" + "\x0d\x5e\x56\x37\xaf\x94\x76\x72\x83\xd5\x3e\x06\x17\xe9\x81\xf4", + 244 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x23\x0a\x1c\x85\x7c\xb2\xe7\x85\x2e\x41\xb6\x47\xe9\x0e\x45\x85" + "\xd2\xd8\x81\xe1\x73\x4d\xc3\x89\x55\x35\x6e\x8d\xd7\xbf\xf3\x90" + "\x53\x09\x2c\x6b\x38\xe2\x36\xe1\x89\x95\x25\x64\x70\x73\xdd\xdf" + "\x68\x95\xd6\x42\x06\x32\x5e\x76\x47\xf2\x75\x56\x7b\x25\x59\x09", + 245 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xcb\xb6\x53\x21\xac\x43\x6e\x2f\xfd\xab\x29\x36\x35\x9c\xe4\x90" + "\x23\xf7\xde\xe7\x61\x4e\xf2\x8d\x17\x3c\x3d\x27\xc5\xd1\xbf\xfa" + "\x51\x55\x3d\x43\x3f\x8e\xe3\xc9\xe4\x9c\x05\xa2\xb8\x83\xcc\xe9" + "\x54\xc9\xa8\x09\x3b\x80\x61\x2a\x0c\xdd\x47\x32\xe0\x41\xf9\x95", + 246 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x3e\x7e\x57\x00\x74\x33\x72\x75\xef\xb5\x13\x15\x58\x80\x34\xc3" + "\xcf\x0d\xdd\xca\x20\xb4\x61\x2e\x0b\xd5\xb8\x81\xe7\xe5\x47\x6d" + "\x31\x9c\xe4\xfe\x9f\x19\x18\x6e\x4c\x08\x26\xf4\x4f\x13\x1e\xb0" + "\x48\xe6\x5b\xe2\x42\xb1\x17\x2c\x63\xba\xdb\x12\x3a\xb0\xcb\xe8", + 247 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xd3\x2e\x9e\xc0\x2d\x38\xd4\xe1\xb8\x24\x9d\xf8\xdc\xb0\x0c\x5b" + "\x9c\x68\xeb\x89\x22\x67\x2e\x35\x05\x39\x3b\x6a\x21\x0b\xa5\x6f" + "\x94\x96\xe5\xee\x04\x90\xef\x38\x7c\x3c\xde\xc0\x61\xf0\x6b\xc0" + "\x38\x2d\x93\x04\xca\xfb\xb8\xe0\xcd\x33\xd5\x70\x29\xe6\x2d\xf2", + 248 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x8c\x15\x12\x46\x60\x89\xf0\x5b\x37\x75\xc2\x62\xb6\x2d\x22\xb8" + "\x38\x54\xa8\x32\x18\x13\x0b\x4e\xc9\x1b\x3c\xcb\xd2\x93\xd2\xa5" + "\x43\x02\xce\xca\xab\x9b\x10\x0c\x68\xd1\xe6\xdd\xc8\xf0\x7c\xdd" + "\xbd\xfe\x6f\xda\xaa\xf0\x99\xcc\x09\xd6\xb7\x25\x87\x9c\x63\x69", + 249 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x91\xa7\xf6\x1c\x97\xc2\x91\x1e\x4c\x81\x2e\xf7\x1d\x78\x0a\xd8" + "\xfa\x78\x87\x94\x56\x1d\x08\x30\x3f\xd1\xc1\xcb\x60\x8a\x46\xa1" + "\x25\x63\x08\x6e\xc5\xb3\x9d\x47\x1a\xed\x94\xfb\x0f\x6c\x67\x8a" + "\x43\xb8\x79\x29\x32\xf9\x02\x8d\x77\x2a\x22\x76\x8e\xa2\x3a\x9b", + 250 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x4f\x6b\xb2\x22\xa3\x95\xe8\xb1\x8f\x6b\xa1\x55\x47\x7a\xed\x3f" + "\x07\x29\xac\x9e\x83\xe1\x6d\x31\xa2\xa8\xbc\x65\x54\x22\xb8\x37" + "\xc8\x91\xc6\x19\x9e\x6f\x0d\x75\x79\x9e\x3b\x69\x15\x25\xc5\x81" + "\x95\x35\x17\xf2\x52\xc4\xb9\xe3\xa2\x7a\x28\xfb\xaf\x49\x64\x4c", + 251 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5d\x06\xc0\x7e\x7a\x64\x6c\x41\x3a\x50\x1c\x3f\x4b\xb2\xfc\x38" + "\x12\x7d\xe7\x50\x9b\x70\x77\xc4\xd9\xb5\x61\x32\x01\xc1\xaa\x02" + "\xfd\x5f\x79\xd2\x74\x59\x15\xdd\x57\xfb\xcb\x4c\xe0\x86\x95\xf6" + "\xef\xc0\xcb\x3d\x2d\x33\x0e\x19\xb4\xb0\xe6\x00\x4e\xa6\x47\x1e", + 252 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xb9\x67\x56\xe5\x79\x09\x96\x8f\x14\xb7\x96\xa5\xd3\x0f\x4c\x9d" + "\x67\x14\x72\xcf\x82\xc8\xcf\xb2\xca\xca\x7a\xc7\xa4\x4c\xa0\xa1" + "\x4c\x98\x42\xd0\x0c\x82\xe3\x37\x50\x2c\x94\xd5\x96\x0a\xca\x4c" + "\x49\x2e\xa7\xb0\xdf\x91\x9d\xdf\x1a\xad\xa2\xa2\x75\xbb\x10\xd4", + 253 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\xff\x0a\x01\x5e\x98\xdb\x9c\x99\xf0\x39\x77\x71\x0a\xac\x3e\x65" + "\x8c\x0d\x89\x6f\x6d\x71\xd6\x18\xba\x79\xdc\x6c\xf7\x2a\xc7\x5b" + "\x7c\x03\x8e\xb6\x86\x2d\xed\xe4\x54\x3e\x14\x54\x13\xa6\x36\x8d" + "\x69\xf5\x72\x2c\x82\x7b\xa3\xef\x25\xb6\xae\x64\x40\xd3\x92\x76", + 254 }, + { GCRY_MD_BLAKE2B_512, blake2_data_vector, + "\x5b\x21\xc5\xfd\x88\x68\x36\x76\x12\x47\x4f\xa2\xe7\x0e\x9c\xfa" + "\x22\x01\xff\xee\xe8\xfa\xfa\xb5\x79\x7a\xd5\x8f\xef\xa1\x7c\x9b" + "\x5b\x10\x7d\xa4\xa3\xdb\x63\x20\xba\xaf\x2c\x86\x17\xd5\xa5\x1d" + "\xf9\x14\xae\x88\xda\x38\x67\xc2\xd4\x1f\x0c\xc1\x4f\xa6\x79\x28", + 255 }, diff --git a/tests/blake2s.h b/tests/blake2s.h new file mode 100644 index 0000000..82e3237 --- /dev/null +++ b/tests/blake2s.h @@ -0,0 +1,1027 @@ +/* Generated from https://raw.githubusercontent.com/BLAKE2/BLAKE2/master/testvectors/blake2-kat.h */ + + /* blake2s_kat[]: */ + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x69\x21\x7a\x30\x79\x90\x80\x94\xe1\x11\x21\xd0\x42\x35\x4a\x7c" + "\x1f\x55\xb6\x48\x2c\xa1\xa5\x1e\x1b\x25\x0d\xfd\x1e\xd0\xee\xf9", + 0 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe3\x4d\x74\xdb\xaf\x4f\xf4\xc6\xab\xd8\x71\xcc\x22\x04\x51\xd2" + "\xea\x26\x48\x84\x6c\x77\x57\xfb\xaa\xc8\x2f\xe5\x1a\xd6\x4b\xea", + 1 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xdd\xad\x9a\xb1\x5d\xac\x45\x49\xba\x42\xf4\x9d\x26\x24\x96\xbe" + "\xf6\xc0\xba\xe1\xdd\x34\x2a\x88\x08\xf8\xea\x26\x7c\x6e\x21\x0c", + 2 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe8\xf9\x1c\x6e\xf2\x32\xa0\x41\x45\x2a\xb0\xe1\x49\x07\x0c\xdd" + "\x7d\xd1\x76\x9e\x75\xb3\xa5\x92\x1b\xe3\x78\x76\xc4\x5c\x99\x00", + 3 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x0c\xc7\x0e\x00\x34\x8b\x86\xba\x29\x44\xd0\xc3\x20\x38\xb2\x5c" + "\x55\x58\x4f\x90\xdf\x23\x04\xf5\x5f\xa3\x32\xaf\x5f\xb0\x1e\x20", + 4 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xec\x19\x64\x19\x10\x87\xa4\xfe\x9d\xf1\xc7\x95\x34\x2a\x02\xff" + "\xc1\x91\xa5\xb2\x51\x76\x48\x56\xae\x5b\x8b\x57\x69\xf0\xc6\xcd", + 5 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe1\xfa\x51\x61\x8d\x7d\xf4\xeb\x70\xcf\x0d\x5a\x9e\x90\x6f\x80" + "\x6e\x9d\x19\xf7\xf4\xf0\x1e\x3b\x62\x12\x88\xe4\x12\x04\x05\xd6", + 6 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x59\x80\x01\xfa\xfb\xe8\xf9\x4e\xc6\x6d\xc8\x27\xd0\x12\xcf\xcb" + "\xba\x22\x28\x56\x9f\x44\x8e\x89\xea\x22\x08\xc8\xbf\x76\x92\x93", + 7 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc7\xe8\x87\xb5\x46\x62\x36\x35\xe9\x3e\x04\x95\x59\x8f\x17\x26" + "\x82\x19\x96\xc2\x37\x77\x05\xb9\x3a\x1f\x63\x6f\x87\x2b\xfa\x2d", + 8 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc3\x15\xa4\x37\xdd\x28\x06\x2a\x77\x0d\x48\x19\x67\x13\x6b\x1b" + "\x5e\xb8\x8b\x21\xee\x53\xd0\x32\x9c\x58\x97\x12\x6e\x9d\xb0\x2c", + 9 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xbb\x47\x3d\xed\xdc\x05\x5f\xea\x62\x28\xf2\x07\xda\x57\x53\x47" + "\xbb\x00\x40\x4c\xd3\x49\xd3\x8c\x18\x02\x63\x07\xa2\x24\xcb\xff", + 10 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x68\x7e\x18\x73\xa8\x27\x75\x91\xbb\x33\xd9\xad\xf9\xa1\x39\x12" + "\xef\xef\xe5\x57\xca\xfc\x39\xa7\x95\x26\x23\xe4\x72\x55\xf1\x6d", + 11 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x1a\xc7\xba\x75\x4d\x6e\x2f\x94\xe0\xe8\x6c\x46\xbf\xb2\x62\xab" + "\xbb\x74\xf4\x50\xef\x45\x6d\x6b\x4d\x97\xaa\x80\xce\x6d\xa7\x67", + 12 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x01\x2c\x97\x80\x96\x14\x81\x6b\x5d\x94\x94\x47\x7d\x4b\x68\x7d" + "\x15\xb9\x6e\xb6\x9c\x0e\x80\x74\xa8\x51\x6f\x31\x22\x4b\x5c\x98", + 13 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x91\xff\xd2\x6c\xfa\x4d\xa5\x13\x4c\x7e\xa2\x62\xf7\x88\x9c\x32" + "\x9f\x61\xf6\xa6\x57\x22\x5c\xc2\x12\xf4\x00\x56\xd9\x86\xb3\xf4", + 14 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xd9\x7c\x82\x8d\x81\x82\xa7\x21\x80\xa0\x6a\x78\x26\x83\x30\x67" + "\x3f\x7c\x4e\x06\x35\x94\x7c\x04\xc0\x23\x23\xfd\x45\xc0\xa5\x2d", + 15 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xef\xc0\x4c\xdc\x39\x1c\x7e\x91\x19\xbd\x38\x66\x8a\x53\x4e\x65" + "\xfe\x31\x03\x6d\x6a\x62\x11\x2e\x44\xeb\xeb\x11\xf9\xc5\x70\x80", + 16 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x99\x2c\xf5\xc0\x53\x44\x2a\x5f\xbc\x4f\xaf\x58\x3e\x04\xe5\x0b" + "\xb7\x0d\x2f\x39\xfb\xb6\xa5\x03\xf8\x9e\x56\xa6\x3e\x18\x57\x8a", + 17 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x38\x64\x0e\x9f\x21\x98\x3e\x67\xb5\x39\xca\xcc\xae\x5e\xcf\x61" + "\x5a\xe2\x76\x4f\x75\xa0\x9c\x9c\x59\xb7\x64\x83\xc1\xfb\xc7\x35", + 18 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x21\x3d\xd3\x4c\x7e\xfe\x4f\xb2\x7a\x6b\x35\xf6\xb4\x00\x0d\x1f" + "\xe0\x32\x81\xaf\x3c\x72\x3e\x5c\x9f\x94\x74\x7a\x5f\x31\xcd\x3b", + 19 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xec\x24\x6e\xee\xb9\xce\xd3\xf7\xad\x33\xed\x28\x66\x0d\xd9\xbb" + "\x07\x32\x51\x3d\xb4\xe2\xfa\x27\x8b\x60\xcd\xe3\x68\x2a\x4c\xcd", + 20 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xac\x9b\x61\xd4\x46\x64\x8c\x30\x05\xd7\x89\x2b\xf3\xa8\x71\x9f" + "\x4c\x81\x81\xcf\xdc\xbc\x2b\x79\xfe\xf1\x0a\x27\x9b\x91\x10\x95", + 21 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x7b\xf8\xb2\x29\x59\xe3\x4e\x3a\x43\xf7\x07\x92\x23\xe8\x3a\x97" + "\x54\x61\x7d\x39\x1e\x21\x3d\xfd\x80\x8e\x41\xb9\xbe\xad\x4c\xe7", + 22 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x68\xd4\xb5\xd4\xfa\x0e\x30\x2b\x64\xcc\xc5\xaf\x79\x29\x13\xac" + "\x4c\x88\xec\x95\xc0\x7d\xdf\x40\x69\x42\x56\xeb\x88\xce\x9f\x3d", + 23 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb2\xc2\x42\x0f\x05\xf9\xab\xe3\x63\x15\x91\x93\x36\xb3\x7e\x4e" + "\x0f\xa3\x3f\xf7\xe7\x6a\x49\x27\x67\x00\x6f\xdb\x5d\x93\x54\x62", + 24 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x13\x4f\x61\xbb\xd0\xbb\xb6\x9a\xed\x53\x43\x90\x45\x51\xa3\xe6" + "\xc1\xaa\x7d\xcd\xd7\x7e\x90\x3e\x70\x23\xeb\x7c\x60\x32\x0a\xa7", + 25 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x46\x93\xf9\xbf\xf7\xd4\xf3\x98\x6a\x7d\x17\x6e\x6e\x06\xf7\x2a" + "\xd1\x49\x0d\x80\x5c\x99\xe2\x53\x47\xb8\xde\x77\xb4\xdb\x6d\x9b", + 26 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x85\x3e\x26\xf7\x41\x95\x3b\x0f\xd5\xbd\xb4\x24\xe8\xab\x9e\x8b" + "\x37\x50\xea\xa8\xef\x61\xe4\x79\x02\xc9\x1e\x55\x4e\x9c\x73\xb9", + 27 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf7\xde\x53\x63\x61\xab\xaa\x0e\x15\x81\x56\xcf\x0e\xa4\xf6\x3a" + "\x99\xb5\xe4\x05\x4f\x8f\xa4\xc9\xd4\x5f\x62\x85\xca\xd5\x56\x94", + 28 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x4c\x23\x06\x08\x86\x0a\x99\xae\x8d\x7b\xd5\xc2\xcc\x17\xfa\x52" + "\x09\x6b\x9a\x61\xbe\xdb\x17\xcb\x76\x17\x86\x4a\xd2\x9c\xa7\xa6", + 29 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xae\xb9\x20\xea\x87\x95\x2d\xad\xb1\xfb\x75\x92\x91\xe3\x38\x81" + "\x39\xa8\x72\x86\x50\x01\x88\x6e\xd8\x47\x52\xe9\x3c\x25\x0c\x2a", + 30 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xab\xa4\xad\x9b\x48\x0b\x9d\xf3\xd0\x8c\xa5\xe8\x7b\x0c\x24\x40" + "\xd4\xe4\xea\x21\x22\x4c\x2e\xb4\x2c\xba\xe4\x69\xd0\x89\xb9\x31", + 31 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x05\x82\x56\x07\xd7\xfd\xf2\xd8\x2e\xf4\xc3\xc8\xc2\xae\xa9\x61" + "\xad\x98\xd6\x0e\xdf\xf7\xd0\x18\x98\x3e\x21\x20\x4c\x0d\x93\xd1", + 32 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa7\x42\xf8\xb6\xaf\x82\xd8\xa6\xca\x23\x57\xc5\xf1\xcf\x91\xde" + "\xfb\xd0\x66\x26\x7d\x75\xc0\x48\xb3\x52\x36\x65\x85\x02\x59\x62", + 33 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2b\xca\xc8\x95\x99\x00\x0b\x42\xc9\x5a\xe2\x38\x35\xa7\x13\x70" + "\x4e\xd7\x97\x89\xc8\x4f\xef\x14\x9a\x87\x4f\xf7\x33\xf0\x17\xa2", + 34 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xac\x1e\xd0\x7d\x04\x8f\x10\x5a\x9e\x5b\x7a\xb8\x5b\x09\xa4\x92" + "\xd5\xba\xff\x14\xb8\xbf\xb0\xe9\xfd\x78\x94\x86\xee\xa2\xb9\x74", + 35 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe4\x8d\x0e\xcf\xaf\x49\x7d\x5b\x27\xc2\x5d\x99\xe1\x56\xcb\x05" + "\x79\xd4\x40\xd6\xe3\x1f\xb6\x24\x73\x69\x6d\xbf\x95\xe0\x10\xe4", + 36 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x12\xa9\x1f\xad\xf8\xb2\x16\x44\xfd\x0f\x93\x4f\x3c\x4a\x8f\x62" + "\xba\x86\x2f\xfd\x20\xe8\xe9\x61\x15\x4c\x15\xc1\x38\x84\xed\x3d", + 37 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x7c\xbe\xe9\x6e\x13\x98\x97\xdc\x98\xfb\xef\x3b\xe8\x1a\xd4\xd9" + "\x64\xd2\x35\xcb\x12\x14\x1f\xb6\x67\x27\xe6\xe5\xdf\x73\xa8\x78", + 38 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xeb\xf6\x6a\xbb\x59\x7a\xe5\x72\xa7\x29\x7c\xb0\x87\x1e\x35\x5a" + "\xcc\xaf\xad\x83\x77\xb8\xe7\x8b\xf1\x64\xce\x2a\x18\xde\x4b\xaf", + 39 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x71\xb9\x33\xb0\x7e\x4f\xf7\x81\x8c\xe0\x59\xd0\x08\x82\x9e\x45" + "\x3c\x6f\xf0\x2e\xc0\xa7\xdb\x39\x3f\xc2\xd8\x70\xf3\x7a\x72\x86", + 40 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x7c\xf7\xc5\x13\x31\x22\x0b\x8d\x3e\xba\xed\x9c\x29\x39\x8a\x16" + "\xd9\x81\x56\xe2\x61\x3c\xb0\x88\xf2\xb0\xe0\x8a\x1b\xe4\xcf\x4f", + 41 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x3e\x41\xa1\x08\xe0\xf6\x4a\xd2\x76\xb9\x79\xe1\xce\x06\x82\x79" + "\xe1\x6f\x7b\xc7\xe4\xaa\x1d\x21\x1e\x17\xb8\x11\x61\xdf\x16\x02", + 42 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x88\x65\x02\xa8\x2a\xb4\x7b\xa8\xd8\x67\x10\xaa\x9d\xe3\xd4\x6e" + "\xa6\x5c\x47\xaf\x6e\xe8\xde\x45\x0c\xce\xb8\xb1\x1b\x04\x5f\x50", + 43 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc0\x21\xbc\x5f\x09\x54\xfe\xe9\x4f\x46\xea\x09\x48\x7e\x10\xa8" + "\x48\x40\xd0\x2f\x64\x81\x0b\xc0\x8d\x9e\x55\x1f\x7d\x41\x68\x14", + 44 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x20\x30\x51\x6e\x8a\x5f\xe1\x9a\xe7\x9c\x33\x6f\xce\x26\x38\x2a" + "\x74\x9d\x3f\xd0\xec\x91\xe5\x37\xd4\xbd\x23\x58\xc1\x2d\xfb\x22", + 45 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x55\x66\x98\xda\xc8\x31\x7f\xd3\x6d\xfb\xdf\x25\xa7\x9c\xb1\x12" + "\xd5\x42\x58\x60\x60\x5c\xba\xf5\x07\xf2\x3b\xf7\xe9\xf4\x2a\xfe", + 46 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2f\x86\x7b\xa6\x77\x73\xfd\xc3\xe9\x2f\xce\xd9\x9a\x64\x09\xad" + "\x39\xd0\xb8\x80\xfd\xe8\xf1\x09\xa8\x17\x30\xc4\x45\x1d\x01\x78", + 47 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x17\x2e\xc2\x18\xf1\x19\xdf\xae\x98\x89\x6d\xff\x29\xdd\x98\x76" + "\xc9\x4a\xf8\x74\x17\xf9\xae\x4c\x70\x14\xbb\x4e\x4b\x96\xaf\xc7", + 48 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x3f\x85\x81\x4a\x18\x19\x5f\x87\x9a\xa9\x62\xf9\x5d\x26\xbd\x82" + "\xa2\x78\xf2\xb8\x23\x20\x21\x8f\x6b\x3b\xd6\xf7\xf6\x67\xa6\xd9", + 49 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x1b\x61\x8f\xba\xa5\x66\xb3\xd4\x98\xc1\x2e\x98\x2c\x9e\xc5\x2e" + "\x4d\xa8\x5a\x8c\x54\xf3\x8f\x34\xc0\x90\x39\x4f\x23\xc1\x84\xc1", + 50 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x0c\x75\x8f\xb5\x69\x2f\xfd\x41\xa3\x57\x5d\x0a\xf0\x0c\xc7\xfb" + "\xf2\xcb\xe5\x90\x5a\x58\x32\x3a\x88\xae\x42\x44\xf6\xe4\xc9\x93", + 51 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa9\x31\x36\x0c\xad\x62\x8c\x7f\x12\xa6\xc1\xc4\xb7\x53\xb0\xf4" + "\x06\x2a\xef\x3c\xe6\x5a\x1a\xe3\xf1\x93\x69\xda\xdf\x3a\xe2\x3d", + 52 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xcb\xac\x7d\x77\x3b\x1e\x3b\x3c\x66\x91\xd7\xab\xb7\xe9\xdf\x04" + "\x5c\x8b\xa1\x92\x68\xde\xd1\x53\x20\x7f\x5e\x80\x43\x52\xec\x5d", + 53 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x23\xa1\x96\xd3\x80\x2e\xd3\xc1\xb3\x84\x01\x9a\x82\x32\x58\x40" + "\xd3\x2f\x71\x95\x0c\x45\x80\xb0\x34\x45\xe0\x89\x8e\x14\x05\x3c", + 54 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf4\x49\x54\x70\xf2\x26\xc8\xc2\x14\xbe\x08\xfd\xfa\xd4\xbc\x4a" + "\x2a\x9d\xbe\xa9\x13\x6a\x21\x0d\xf0\xd4\xb6\x49\x29\xe6\xfc\x14", + 55 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe2\x90\xdd\x27\x0b\x46\x7f\x34\xab\x1c\x00\x2d\x34\x0f\xa0\x16" + "\x25\x7f\xf1\x9e\x58\x33\xfd\xbb\xf2\xcb\x40\x1c\x3b\x28\x17\xde", + 56 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9f\xc7\xb5\xde\xd3\xc1\x50\x42\xb2\xa6\x58\x2d\xc3\x9b\xe0\x16" + "\xd2\x4a\x68\x2d\x5e\x61\xad\x1e\xff\x9c\x63\x30\x98\x48\xf7\x06", + 57 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x8c\xca\x67\xa3\x6d\x17\xd5\xe6\x34\x1c\xb5\x92\xfd\x7b\xef\x99" + "\x26\xc9\xe3\xaa\x10\x27\xea\x11\xa7\xd8\xbd\x26\x0b\x57\x6e\x04", + 58 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x40\x93\x92\xf5\x60\xf8\x68\x31\xda\x43\x73\xee\x5e\x00\x74\x26" + "\x05\x95\xd7\xbc\x24\x18\x3b\x60\xed\x70\x0d\x45\x83\xd3\xf6\xf0", + 59 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x28\x02\x16\x5d\xe0\x90\x91\x55\x46\xf3\x39\x8c\xd8\x49\x16\x4a" + "\x19\xf9\x2a\xdb\xc3\x61\xad\xc9\x9b\x0f\x20\xc8\xea\x07\x10\x54", + 60 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xad\x83\x91\x68\xd9\xf8\xa4\xbe\x95\xba\x9e\xf9\xa6\x92\xf0\x72" + "\x56\xae\x43\xfe\x6f\x98\x64\xe2\x90\x69\x1b\x02\x56\xce\x50\xa9", + 61 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x75\xfd\xaa\x50\x38\xc2\x84\xb8\x6d\x6e\x8a\xff\xe8\xb2\x80\x7e" + "\x46\x7b\x86\x60\x0e\x79\xaf\x36\x89\xfb\xc0\x63\x28\xcb\xf8\x94", + 62 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe5\x7c\xb7\x94\x87\xdd\x57\x90\x24\x32\xb2\x50\x73\x38\x13\xbd" + "\x96\xa8\x4e\xfc\xe5\x9f\x65\x0f\xac\x26\xe6\x69\x6a\xef\xaf\xc3", + 63 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x56\xf3\x4e\x8b\x96\x55\x7e\x90\xc1\xf2\x4b\x52\xd0\xc8\x9d\x51" + "\x08\x6a\xcf\x1b\x00\xf6\x34\xcf\x1d\xde\x92\x33\xb8\xea\xaa\x3e", + 64 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x1b\x53\xee\x94\xaa\xf3\x4e\x4b\x15\x9d\x48\xde\x35\x2c\x7f\x06" + "\x61\xd0\xa4\x0e\xdf\xf9\x5a\x0b\x16\x39\xb4\x09\x0e\x97\x44\x72", + 65 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x05\x70\x5e\x2a\x81\x75\x7c\x14\xbd\x38\x3e\xa9\x8d\xda\x54\x4e" + "\xb1\x0e\x6b\xc0\x7b\xae\x43\x5e\x25\x18\xdb\xe1\x33\x52\x53\x75", + 66 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xd8\xb2\x86\x6e\x8a\x30\x9d\xb5\x3e\x52\x9e\xc3\x29\x11\xd8\x2f" + "\x5c\xa1\x6c\xff\x76\x21\x68\x91\xa9\x67\x6a\xa3\x1a\xaa\x6c\x42", + 67 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf5\x04\x1c\x24\x12\x70\xeb\x04\xc7\x1e\xc2\xc9\x5d\x4c\x38\xd8" + "\x03\xb1\x23\x7b\x0f\x29\xfd\x4d\xb3\xeb\x39\x76\x69\xe8\x86\x99", + 68 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9a\x4c\xe0\x77\xc3\x49\x32\x2f\x59\x5e\x0e\xe7\x9e\xd0\xda\x5f" + "\xab\x66\x75\x2c\xbf\xef\x8f\x87\xd0\xe9\xd0\x72\x3c\x75\x30\xdd", + 69 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x65\x7b\x09\xf3\xd0\xf5\x2b\x5b\x8f\x2f\x97\x16\x3a\x0e\xdf\x0c" + "\x04\xf0\x75\x40\x8a\x07\xbb\xeb\x3a\x41\x01\xa8\x91\x99\x0d\x62", + 70 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x1e\x3f\x7b\xd5\xa5\x8f\xa5\x33\x34\x4a\xa8\xed\x3a\xc1\x22\xbb" + "\x9e\x70\xd4\xef\x50\xd0\x04\x53\x08\x21\x94\x8f\x5f\xe6\x31\x5a", + 71 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x80\xdc\xcf\x3f\xd8\x3d\xfd\x0d\x35\xaa\x28\x58\x59\x22\xab\x89" + "\xd5\x31\x39\x97\x67\x3e\xaf\x90\x5c\xea\x9c\x0b\x22\x5c\x7b\x5f", + 72 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x8a\x0d\x0f\xbf\x63\x77\xd8\x3b\xb0\x8b\x51\x4b\x4b\x1c\x43\xac" + "\xc9\x5d\x75\x17\x14\xf8\x92\x56\x45\xcb\x6b\xc8\x56\xca\x15\x0a", + 73 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9f\xa5\xb4\x87\x73\x8a\xd2\x84\x4c\xc6\x34\x8a\x90\x19\x18\xf6" + "\x59\xa3\xb8\x9e\x9c\x0d\xfe\xea\xd3\x0d\xd9\x4b\xcf\x42\xef\x8e", + 74 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x80\x83\x2c\x4a\x16\x77\xf5\xea\x25\x60\xf6\x68\xe9\x35\x4d\xd3" + "\x69\x97\xf0\x37\x28\xcf\xa5\x5e\x1b\x38\x33\x7c\x0c\x9e\xf8\x18", + 75 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xab\x37\xdd\xb6\x83\x13\x7e\x74\x08\x0d\x02\x6b\x59\x0b\x96\xae" + "\x9b\xb4\x47\x72\x2f\x30\x5a\x5a\xc5\x70\xec\x1d\xf9\xb1\x74\x3c", + 76 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x3e\xe7\x35\xa6\x94\xc2\x55\x9b\x69\x3a\xa6\x86\x29\x36\x1e\x15" + "\xd1\x22\x65\xad\x6a\x3d\xed\xf4\x88\xb0\xb0\x0f\xac\x97\x54\xba", + 77 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xd6\xfc\xd2\x32\x19\xb6\x47\xe4\xcb\xd5\xeb\x2d\x0a\xd0\x1e\xc8" + "\x83\x8a\x4b\x29\x01\xfc\x32\x5c\xc3\x70\x19\x81\xca\x6c\x88\x8b", + 78 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x05\x20\xec\x2f\x5b\xf7\xa7\x55\xda\xcb\x50\xc6\xbf\x23\x3e\x35" + "\x15\x43\x47\x63\xdb\x01\x39\xcc\xd9\xfa\xef\xbb\x82\x07\x61\x2d", + 79 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xaf\xf3\xb7\x5f\x3f\x58\x12\x64\xd7\x66\x16\x62\xb9\x2f\x5a\xd3" + "\x7c\x1d\x32\xbd\x45\xff\x81\xa4\xed\x8a\xdc\x9e\xf3\x0d\xd9\x89", + 80 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xd0\xdd\x65\x0b\xef\xd3\xba\x63\xdc\x25\x10\x2c\x62\x7c\x92\x1b" + "\x9c\xbe\xb0\xb1\x30\x68\x69\x35\xb5\xc9\x27\xcb\x7c\xcd\x5e\x3b", + 81 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe1\x14\x98\x16\xb1\x0a\x85\x14\xfb\x3e\x2c\xab\x2c\x08\xbe\xe9" + "\xf7\x3c\xe7\x62\x21\x70\x12\x46\xa5\x89\xbb\xb6\x73\x02\xd8\xa9", + 82 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x7d\xa3\xf4\x41\xde\x90\x54\x31\x7e\x72\xb5\xdb\xf9\x79\xda\x01" + "\xe6\xbc\xee\xbb\x84\x78\xea\xe6\xa2\x28\x49\xd9\x02\x92\x63\x5c", + 83 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x12\x30\xb1\xfc\x8a\x7d\x92\x15\xed\xc2\xd4\xa2\xde\xcb\xdd\x0a" + "\x6e\x21\x6c\x92\x42\x78\xc9\x1f\xc5\xd1\x0e\x7d\x60\x19\x2d\x94", + 84 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x57\x50\xd7\x16\xb4\x80\x8f\x75\x1f\xeb\xc3\x88\x06\xba\x17\x0b" + "\xf6\xd5\x19\x9a\x78\x16\xbe\x51\x4e\x3f\x93\x2f\xbe\x0c\xb8\x71", + 85 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x6f\xc5\x9b\x2f\x10\xfe\xba\x95\x4a\xa6\x82\x0b\x3c\xa9\x87\xee" + "\x81\xd5\xcc\x1d\xa3\xc6\x3c\xe8\x27\x30\x1c\x56\x9d\xfb\x39\xce", + 86 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc7\xc3\xfe\x1e\xeb\xdc\x7b\x5a\x93\x93\x26\xe8\xdd\xb8\x3e\x8b" + "\xf2\xb7\x80\xb6\x56\x78\xcb\x62\xf2\x08\xb0\x40\xab\xdd\x35\xe2", + 87 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x0c\x75\xc1\xa1\x5c\xf3\x4a\x31\x4e\xe4\x78\xf4\xa5\xce\x0b\x8a" + "\x6b\x36\x52\x8e\xf7\xa8\x20\x69\x6c\x3e\x42\x46\xc5\xa1\x58\x64", + 88 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x21\x6d\xc1\x2a\x10\x85\x69\xa3\xc7\xcd\xde\x4a\xed\x43\xa6\xc3" + "\x30\x13\x9d\xda\x3c\xcc\x4a\x10\x89\x05\xdb\x38\x61\x89\x90\x50", + 89 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa5\x7b\xe6\xae\x67\x56\xf2\x8b\x02\xf5\x9d\xad\xf7\xe0\xd7\xd8" + "\x80\x7f\x10\xfa\x15\xce\xd1\xad\x35\x85\x52\x1a\x1d\x99\x5a\x89", + 90 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x81\x6a\xef\x87\x59\x53\x71\x6c\xd7\xa5\x81\xf7\x32\xf5\x3d\xd4" + "\x35\xda\xb6\x6d\x09\xc3\x61\xd2\xd6\x59\x2d\xe1\x77\x55\xd8\xa8", + 91 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9a\x76\x89\x32\x26\x69\x3b\x6e\xa9\x7e\x6a\x73\x8f\x9d\x10\xfb" + "\x3d\x0b\x43\xae\x0e\x8b\x7d\x81\x23\xea\x76\xce\x97\x98\x9c\x7e", + 92 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x8d\xae\xdb\x9a\x27\x15\x29\xdb\xb7\xdc\x3b\x60\x7f\xe5\xeb\x2d" + "\x32\x11\x77\x07\x58\xdd\x3b\x0a\x35\x93\xd2\xd7\x95\x4e\x2d\x5b", + 93 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x16\xdb\xc0\xaa\x5d\xd2\xc7\x74\xf5\x05\x10\x0f\x73\x37\x86\xd8" + "\xa1\x75\xfc\xbb\xb5\x9c\x43\xe1\xfb\xff\x3e\x1e\xaf\x31\xcb\x4a", + 94 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x86\x06\xcb\x89\x9c\x6a\xea\xf5\x1b\x9d\xb0\xfe\x49\x24\xa9\xfd" + "\x5d\xab\xc1\x9f\x88\x26\xf2\xbc\x1c\x1d\x7d\xa1\x4d\x2c\x2c\x99", + 95 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x84\x79\x73\x1a\xed\xa5\x7b\xd3\x7e\xad\xb5\x1a\x50\x7e\x30\x7f" + "\x3b\xd9\x5e\x69\xdb\xca\x94\xf3\xbc\x21\x72\x60\x66\xad\x6d\xfd", + 96 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x58\x47\x3a\x9e\xa8\x2e\xfa\x3f\x3b\x3d\x8f\xc8\x3e\xd8\x86\x31" + "\x27\xb3\x3a\xe8\xde\xae\x63\x07\x20\x1e\xdb\x6d\xde\x61\xde\x29", + 97 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9a\x92\x55\xd5\x3a\xf1\x16\xde\x8b\xa2\x7c\xe3\x5b\x4c\x7e\x15" + "\x64\x06\x57\xa0\xfc\xb8\x88\xc7\x0d\x95\x43\x1d\xac\xd8\xf8\x30", + 98 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9e\xb0\x5f\xfb\xa3\x9f\xd8\x59\x6a\x45\x49\x3e\x18\xd2\x51\x0b" + "\xf3\xef\x06\x5c\x51\xd6\xe1\x3a\xbe\x66\xaa\x57\xe0\x5c\xfd\xb7", + 99 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x81\xdc\xc3\xa5\x05\xea\xce\x3f\x87\x9d\x8f\x70\x27\x76\x77\x0f" + "\x9d\xf5\x0e\x52\x1d\x14\x28\xa8\x5d\xaf\x04\xf9\xad\x21\x50\xe0", + 100 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe3\xe3\xc4\xaa\x3a\xcb\xbc\x85\x33\x2a\xf9\xd5\x64\xbc\x24\x16" + "\x5e\x16\x87\xf6\xb1\xad\xcb\xfa\xe7\x7a\x8f\x03\xc7\x2a\xc2\x8c", + 101 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x67\x46\xc8\x0b\x4e\xb5\x6a\xea\x45\xe6\x4e\x72\x89\xbb\xa3\xed" + "\xbf\x45\xec\xf8\x20\x64\x81\xff\x63\x02\x12\x29\x84\xcd\x52\x6a", + 102 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2b\x62\x8e\x52\x76\x4d\x7d\x62\xc0\x86\x8b\x21\x23\x57\xcd\xd1" + "\x2d\x91\x49\x82\x2f\x4e\x98\x45\xd9\x18\xa0\x8d\x1a\xe9\x90\xc0", + 103 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe4\xbf\xe8\x0d\x58\xc9\x19\x94\x61\x39\x09\xdc\x4b\x1a\x12\x49" + "\x68\x96\xc0\x04\xaf\x7b\x57\x01\x48\x3d\xe4\x5d\x28\x23\xd7\x8e", + 104 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xeb\xb4\xba\x15\x0c\xef\x27\x34\x34\x5b\x5d\x64\x1b\xbe\xd0\x3a" + "\x21\xea\xfa\xe9\x33\xc9\x9e\x00\x92\x12\xef\x04\x57\x4a\x85\x30", + 105 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x39\x66\xec\x73\xb1\x54\xac\xc6\x97\xac\x5c\xf5\xb2\x4b\x40\xbd" + "\xb0\xdb\x9e\x39\x88\x36\xd7\x6d\x4b\x88\x0e\x3b\x2a\xf1\xaa\x27", + 106 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xef\x7e\x48\x31\xb3\xa8\x46\x36\x51\x8d\x6e\x4b\xfc\xe6\x4a\x43" + "\xdb\x2a\x5d\xda\x9c\xca\x2b\x44\xf3\x90\x33\xbd\xc4\x0d\x62\x43", + 107 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x7a\xbf\x6a\xcf\x5c\x8e\x54\x9d\xdb\xb1\x5a\xe8\xd8\xb3\x88\xc1" + "\xc1\x97\xe6\x98\x73\x7c\x97\x85\x50\x1e\xd1\xf9\x49\x30\xb7\xd9", + 108 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x88\x01\x8d\xed\x66\x81\x3f\x0c\xa9\x5d\xef\x47\x4c\x63\x06\x92" + "\x01\x99\x67\xb9\xe3\x68\x88\xda\xdd\x94\x12\x47\x19\xb6\x82\xf6", + 109 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x39\x30\x87\x6b\x9f\xc7\x52\x90\x36\xb0\x08\xb1\xb8\xbb\x99\x75" + "\x22\xa4\x41\x63\x5a\x0c\x25\xec\x02\xfb\x6d\x90\x26\xe5\x5a\x97", + 110 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x0a\x40\x49\xd5\x7e\x83\x3b\x56\x95\xfa\xc9\x3d\xd1\xfb\xef\x31" + "\x66\xb4\x4b\x12\xad\x11\x24\x86\x62\x38\x3a\xe0\x51\xe1\x58\x27", + 111 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x81\xdc\xc0\x67\x8b\xb6\xa7\x65\xe4\x8c\x32\x09\x65\x4f\xe9\x00" + "\x89\xce\x44\xff\x56\x18\x47\x7e\x39\xab\x28\x64\x76\xdf\x05\x2b", + 112 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe6\x9b\x3a\x36\xa4\x46\x19\x12\xdc\x08\x34\x6b\x11\xdd\xcb\x9d" + "\xb7\x96\xf8\x85\xfd\x01\x93\x6e\x66\x2f\xe2\x92\x97\xb0\x99\xa4", + 113 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x5a\xc6\x50\x3b\x0d\x8d\xa6\x91\x76\x46\xe6\xdc\xc8\x7e\xdc\x58" + "\xe9\x42\x45\x32\x4c\xc2\x04\xf4\xdd\x4a\xf0\x15\x63\xac\xd4\x27", + 114 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xdf\x6d\xda\x21\x35\x9a\x30\xbc\x27\x17\x80\x97\x1c\x1a\xbd\x56" + "\xa6\xef\x16\x7e\x48\x08\x87\x88\x8e\x73\xa8\x6d\x3b\xf6\x05\xe9", + 115 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe8\xe6\xe4\x70\x71\xe7\xb7\xdf\x25\x80\xf2\x25\xcf\xbb\xed\xf8" + "\x4c\xe6\x77\x46\x62\x66\x28\xd3\x30\x97\xe4\xb7\xdc\x57\x11\x07", + 116 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x53\xe4\x0e\xad\x62\x05\x1e\x19\xcb\x9b\xa8\x13\x3e\x3e\x5c\x1c" + "\xe0\x0d\xdc\xad\x8a\xcf\x34\x2a\x22\x43\x60\xb0\xac\xc1\x47\x77", + 117 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9c\xcd\x53\xfe\x80\xbe\x78\x6a\xa9\x84\x63\x84\x62\xfb\x28\xaf" + "\xdf\x12\x2b\x34\xd7\x8f\x46\x87\xec\x63\x2b\xb1\x9d\xe2\x37\x1a", + 118 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xcb\xd4\x80\x52\xc4\x8d\x78\x84\x66\xa3\xe8\x11\x8c\x56\xc9\x7f" + "\xe1\x46\xe5\x54\x6f\xaa\xf9\x3e\x2b\xc3\xc4\x7e\x45\x93\x97\x53", + 119 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x25\x68\x83\xb1\x4e\x2a\xf4\x4d\xad\xb2\x8e\x1b\x34\xb2\xac\x0f" + "\x0f\x4c\x91\xc3\x4e\xc9\x16\x9e\x29\x03\x61\x58\xac\xaa\x95\xb9", + 120 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x44\x71\xb9\x1a\xb4\x2d\xb7\xc4\xdd\x84\x90\xab\x95\xa2\xee\x8d" + "\x04\xe3\xef\x5c\x3d\x6f\xc7\x1a\xc7\x4b\x2b\x26\x91\x4d\x16\x41", + 121 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa5\xeb\x08\x03\x8f\x8f\x11\x55\xed\x86\xe6\x31\x90\x6f\xc1\x30" + "\x95\xf6\xbb\xa4\x1d\xe5\xd4\xe7\x95\x75\x8e\xc8\xc8\xdf\x8a\xf1", + 122 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xdc\x1d\xb6\x4e\xd8\xb4\x8a\x91\x0e\x06\x0a\x6b\x86\x63\x74\xc5" + "\x78\x78\x4e\x9a\xc4\x9a\xb2\x77\x40\x92\xac\x71\x50\x19\x34\xac", + 123 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x28\x54\x13\xb2\xf2\xee\x87\x3d\x34\x31\x9e\xe0\xbb\xfb\xb9\x0f" + "\x32\xda\x43\x4c\xc8\x7e\x3d\xb5\xed\x12\x1b\xb3\x98\xed\x96\x4b", + 124 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x02\x16\xe0\xf8\x1f\x75\x0f\x26\xf1\x99\x8b\xc3\x93\x4e\x3e\x12" + "\x4c\x99\x45\xe6\x85\xa6\x0b\x25\xe8\xfb\xd9\x62\x5a\xb6\xb5\x99", + 125 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x38\xc4\x10\xf5\xb9\xd4\x07\x20\x50\x75\x5b\x31\xdc\xa8\x9f\xd5" + "\x39\x5c\x67\x85\xee\xb3\xd7\x90\xf3\x20\xff\x94\x1c\x5a\x93\xbf", + 126 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf1\x84\x17\xb3\x9d\x61\x7a\xb1\xc1\x8f\xdf\x91\xeb\xd0\xfc\x6d" + "\x55\x16\xbb\x34\xcf\x39\x36\x40\x37\xbc\xe8\x1f\xa0\x4c\xec\xb1", + 127 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x1f\xa8\x77\xde\x67\x25\x9d\x19\x86\x3a\x2a\x34\xbc\xc6\x96\x2a" + "\x2b\x25\xfc\xbf\x5c\xbe\xcd\x7e\xde\x8f\x1f\xa3\x66\x88\xa7\x96", + 128 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x5b\xd1\x69\xe6\x7c\x82\xc2\xc2\xe9\x8e\xf7\x00\x8b\xdf\x26\x1f" + "\x2d\xdf\x30\xb1\xc0\x0f\x9e\x7f\x27\x5b\xb3\xe8\xa2\x8d\xc9\xa2", + 129 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc8\x0a\xbe\xeb\xb6\x69\xad\x5d\xee\xb5\xf5\xec\x8e\xa6\xb7\xa0" + "\x5d\xdf\x7d\x31\xec\x4c\x0a\x2e\xe2\x0b\x0b\x98\xca\xec\x67\x46", + 130 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe7\x6d\x3f\xbd\xa5\xba\x37\x4e\x6b\xf8\xe5\x0f\xad\xc3\xbb\xb9" + "\xba\x5c\x20\x6e\xbd\xec\x89\xa3\xa5\x4c\xf3\xdd\x84\xa0\x70\x16", + 131 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x7b\xba\x9d\xc5\xb5\xdb\x20\x71\xd1\x77\x52\xb1\x04\x4c\x1e\xce" + "\xd9\x6a\xaf\x2d\xd4\x6e\x9b\x43\x37\x50\xe8\xea\x0d\xcc\x18\x70", + 132 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf2\x9b\x1b\x1a\xb9\xba\xb1\x63\x01\x8e\xe3\xda\x15\x23\x2c\xca" + "\x78\xec\x52\xdb\xc3\x4e\xda\x5b\x82\x2e\xc1\xd8\x0f\xc2\x1b\xd0", + 133 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9e\xe3\xe3\xe7\xe9\x00\xf1\xe1\x1d\x30\x8c\x4b\x2b\x30\x76\xd2" + "\x72\xcf\x70\x12\x4f\x9f\x51\xe1\xda\x60\xf3\x78\x46\xcd\xd2\xf4", + 134 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x70\xea\x3b\x01\x76\x92\x7d\x90\x96\xa1\x85\x08\xcd\x12\x3a\x29" + "\x03\x25\x92\x0a\x9d\x00\xa8\x9b\x5d\xe0\x42\x73\xfb\xc7\x6b\x85", + 135 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x67\xde\x25\xc0\x2a\x4a\xab\xa2\x3b\xdc\x97\x3c\x8b\xb0\xb5\x79" + "\x6d\x47\xcc\x06\x59\xd4\x3d\xff\x1f\x97\xde\x17\x49\x63\xb6\x8e", + 136 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb2\x16\x8e\x4e\x0f\x18\xb0\xe6\x41\x00\xb5\x17\xed\x95\x25\x7d" + "\x73\xf0\x62\x0d\xf8\x85\xc1\x3d\x2e\xcf\x79\x36\x7b\x38\x4c\xee", + 137 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2e\x7d\xec\x24\x28\x85\x3b\x2c\x71\x76\x07\x45\x54\x1f\x7a\xfe" + "\x98\x25\xb5\xdd\x77\xdf\x06\x51\x1d\x84\x41\xa9\x4b\xac\xc9\x27", + 138 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xca\x9f\xfa\xc4\xc4\x3f\x0b\x48\x46\x1d\xc5\xc2\x63\xbe\xa3\xf6" + "\xf0\x06\x11\xce\xac\xab\xf6\xf8\x95\xba\x2b\x01\x01\xdb\xb6\x8d", + 139 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x74\x10\xd4\x2d\x8f\xd1\xd5\xe9\xd2\xf5\x81\x5c\xb9\x34\x17\x99" + "\x88\x28\xef\x3c\x42\x30\xbf\xbd\x41\x2d\xf0\xa4\xa7\xa2\x50\x7a", + 140 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x50\x10\xf6\x84\x51\x6d\xcc\xd0\xb6\xee\x08\x52\xc2\x51\x2b\x4d" + "\xc0\x06\x6c\xf0\xd5\x6f\x35\x30\x29\x78\xdb\x8a\xe3\x2c\x6a\x81", + 141 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xac\xaa\xb5\x85\xf7\xb7\x9b\x71\x99\x35\xce\xb8\x95\x23\xdd\xc5" + "\x48\x27\xf7\x5c\x56\x88\x38\x56\x15\x4a\x56\xcd\xcd\x5e\xe9\x88", + 142 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x66\x6d\xe5\xd1\x44\x0f\xee\x73\x31\xaa\xf0\x12\x3a\x62\xef\x2d" + "\x8b\xa5\x74\x53\xa0\x76\x96\x35\xac\x6c\xd0\x1e\x63\x3f\x77\x12", + 143 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa6\xf9\x86\x58\xf6\xea\xba\xf9\x02\xd8\xb3\x87\x1a\x4b\x10\x1d" + "\x16\x19\x6e\x8a\x4b\x24\x1e\x15\x58\xfe\x29\x96\x6e\x10\x3e\x8d", + 144 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x89\x15\x46\xa8\xb2\x9f\x30\x47\xdd\xcf\xe5\xb0\x0e\x45\xfd\x55" + "\x75\x63\x73\x10\x5e\xa8\x63\x7d\xfc\xff\x54\x7b\x6e\xa9\x53\x5f", + 145 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x18\xdf\xbc\x1a\xc5\xd2\x5b\x07\x61\x13\x7d\xbd\x22\xc1\x7c\x82" + "\x9d\x0f\x0e\xf1\xd8\x23\x44\xe9\xc8\x9c\x28\x66\x94\xda\x24\xe8", + 146 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb5\x4b\x9b\x67\xf8\xfe\xd5\x4b\xbf\x5a\x26\x66\xdb\xdf\x4b\x23" + "\xcf\xf1\xd1\xb6\xf4\xaf\xc9\x85\xb2\xe6\xd3\x30\x5a\x9f\xf8\x0f", + 147 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x7d\xb4\x42\xe1\x32\xba\x59\xbc\x12\x89\xaa\x98\xb0\xd3\xe8\x06" + "\x00\x4f\x8e\xc1\x28\x11\xaf\x1e\x2e\x33\xc6\x9b\xfd\xe7\x29\xe1", + 148 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x25\x0f\x37\xcd\xc1\x5e\x81\x7d\x2f\x16\x0d\x99\x56\xc7\x1f\xe3" + "\xeb\x5d\xb7\x45\x56\xe4\xad\xf9\xa4\xff\xaf\xba\x74\x01\x03\x96", + 149 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x4a\xb8\xa3\xdd\x1d\xdf\x8a\xd4\x3d\xab\x13\xa2\x7f\x66\xa6\x54" + "\x4f\x29\x05\x97\xfa\x96\x04\x0e\x0e\x1d\xb9\x26\x3a\xa4\x79\xf8", + 150 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xee\x61\x72\x7a\x07\x66\xdf\x93\x9c\xcd\xc8\x60\x33\x40\x44\xc7" + "\x9a\x3c\x9b\x15\x62\x00\xbc\x3a\xa3\x29\x73\x48\x3d\x83\x41\xae", + 151 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x3f\x68\xc7\xec\x63\xac\x11\xeb\xb9\x8f\x94\xb3\x39\xb0\x5c\x10" + "\x49\x84\xfd\xa5\x01\x03\x06\x01\x44\xe5\xa2\xbf\xcc\xc9\xda\x95", + 152 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x05\x6f\x29\x81\x6b\x8a\xf8\xf5\x66\x82\xbc\x4d\x7c\xf0\x94\x11" + "\x1d\xa7\x73\x3e\x72\x6c\xd1\x3d\x6b\x3e\x8e\xa0\x3e\x92\xa0\xd5", + 153 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf5\xec\x43\xa2\x8a\xcb\xef\xf1\xf3\x31\x8a\x5b\xca\xc7\xc6\x6d" + "\xdb\x52\x30\xb7\x9d\xb2\xd1\x05\xbc\xbe\x15\xf3\xc1\x14\x8d\x69", + 154 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2a\x69\x60\xad\x1d\x8d\xd5\x47\x55\x5c\xfb\xd5\xe4\x60\x0f\x1e" + "\xaa\x1c\x8e\xda\x34\xde\x03\x74\xec\x4a\x26\xea\xaa\xa3\x3b\x4e", + 155 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xdc\xc1\xea\x7b\xaa\xb9\x33\x84\xf7\x6b\x79\x68\x66\x19\x97\x54" + "\x74\x2f\x7b\x96\xd6\xb4\xc1\x20\x16\x5c\x04\xa6\xc4\xf5\xce\x10", + 156 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x13\xd5\xdf\x17\x92\x21\x37\x9c\x6a\x78\xc0\x7c\x79\x3f\xf5\x34" + "\x87\xca\xe6\xbf\x9f\xe8\x82\x54\x1a\xb0\xe7\x35\xe3\xea\xda\x3b", + 157 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x8c\x59\xe4\x40\x76\x41\xa0\x1e\x8f\xf9\x1f\x99\x80\xdc\x23\x6f" + "\x4e\xcd\x6f\xcf\x52\x58\x9a\x09\x9a\x96\x16\x33\x96\x77\x14\xe1", + 158 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x83\x3b\x1a\xc6\xa2\x51\xfd\x08\xfd\x6d\x90\x8f\xea\x2a\x4e\xe1" + "\xe0\x40\xbc\xa9\x3f\xc1\xa3\x8e\xc3\x82\x0e\x0c\x10\xbd\x82\xea", + 159 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa2\x44\xf9\x27\xf3\xb4\x0b\x8f\x6c\x39\x15\x70\xc7\x65\x41\x8f" + "\x2f\x6e\x70\x8e\xac\x90\x06\xc5\x1a\x7f\xef\xf4\xaf\x3b\x2b\x9e", + 160 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x3d\x99\xed\x95\x50\xcf\x11\x96\xe6\xc4\xd2\x0c\x25\x96\x20\xf8" + "\x58\xc3\xd7\x03\x37\x4c\x12\x8c\xe7\xb5\x90\x31\x0c\x83\x04\x6d", + 161 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2b\x35\xc4\x7d\x7b\x87\x76\x1f\x0a\xe4\x3a\xc5\x6a\xc2\x7b\x9f" + "\x25\x83\x03\x67\xb5\x95\xbe\x8c\x24\x0e\x94\x60\x0c\x6e\x33\x12", + 162 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x5d\x11\xed\x37\xd2\x4d\xc7\x67\x30\x5c\xb7\xe1\x46\x7d\x87\xc0" + "\x65\xac\x4b\xc8\xa4\x26\xde\x38\x99\x1f\xf5\x9a\xa8\x73\x5d\x02", + 163 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb8\x36\x47\x8e\x1c\xa0\x64\x0d\xce\x6f\xd9\x10\xa5\x09\x62\x72" + "\xc8\x33\x09\x90\xcd\x97\x86\x4a\xc2\xbf\x14\xef\x6b\x23\x91\x4a", + 164 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x91\x00\xf9\x46\xd6\xcc\xde\x3a\x59\x7f\x90\xd3\x9f\xc1\x21\x5b" + "\xad\xdc\x74\x13\x64\x3d\x85\xc2\x1c\x3e\xee\x5d\x2d\xd3\x28\x94", + 165 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xda\x70\xee\xdd\x23\xe6\x63\xaa\x1a\x74\xb9\x76\x69\x35\xb4\x79" + "\x22\x2a\x72\xaf\xba\x5c\x79\x51\x58\xda\xd4\x1a\x3b\xd7\x7e\x40", + 166 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf0\x67\xed\x6a\x0d\xbd\x43\xaa\x0a\x92\x54\xe6\x9f\xd6\x6b\xdd" + "\x8a\xcb\x87\xde\x93\x6c\x25\x8c\xfb\x02\x28\x5f\x2c\x11\xfa\x79", + 167 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x71\x5c\x99\xc7\xd5\x75\x80\xcf\x97\x53\xb4\xc1\xd7\x95\xe4\x5a" + "\x83\xfb\xb2\x28\xc0\xd3\x6f\xbe\x20\xfa\xf3\x9b\xdd\x6d\x4e\x85", + 168 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe4\x57\xd6\xad\x1e\x67\xcb\x9b\xbd\x17\xcb\xd6\x98\xfa\x6d\x7d" + "\xae\x0c\x9b\x7a\xd6\xcb\xd6\x53\x96\x34\xe3\x2a\x71\x9c\x84\x92", + 169 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xec\xe3\xea\x81\x03\xe0\x24\x83\xc6\x4a\x70\xa4\xbd\xce\xe8\xce" + "\xb6\x27\x8f\x25\x33\xf3\xf4\x8d\xbe\xed\xfb\xa9\x45\x31\xd4\xae", + 170 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x38\x8a\xa5\xd3\x66\x7a\x97\xc6\x8d\x3d\x56\xf8\xf3\xee\x8d\x3d" + "\x36\x09\x1f\x17\xfe\x5d\x1b\x0d\x5d\x84\xc9\x3b\x2f\xfe\x40\xbd", + 171 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x8b\x6b\x31\xb9\xad\x7c\x3d\x5c\xd8\x4b\xf9\x89\x47\xb9\xcd\xb5" + "\x9d\xf8\xa2\x5f\xf7\x38\x10\x10\x13\xbe\x4f\xd6\x5e\x1d\xd1\xa3", + 172 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x06\x62\x91\xf6\xbb\xd2\x5f\x3c\x85\x3d\xb7\xd8\xb9\x5c\x9a\x1c" + "\xfb\x9b\xf1\xc1\xc9\x9f\xb9\x5a\x9b\x78\x69\xd9\x0f\x1c\x29\x03", + 173 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa7\x07\xef\xbc\xcd\xce\xed\x42\x96\x7a\x66\xf5\x53\x9b\x93\xed" + "\x75\x60\xd4\x67\x30\x40\x16\xc4\x78\x0d\x77\x55\xa5\x65\xd4\xc4", + 174 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x38\xc5\x3d\xfb\x70\xbe\x7e\x79\x2b\x07\xa6\xa3\x5b\x8a\x6a\x0a" + "\xba\x02\xc5\xc5\xf3\x8b\xaf\x5c\x82\x3f\xdf\xd9\xe4\x2d\x65\x7e", + 175 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf2\x91\x13\x86\x50\x1d\x9a\xb9\xd7\x20\xcf\x8a\xd1\x05\x03\xd5" + "\x63\x4b\xf4\xb7\xd1\x2b\x56\xdf\xb7\x4f\xec\xc6\xe4\x09\x3f\x68", + 176 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc6\xf2\xbd\xd5\x2b\x81\xe6\xe4\xf6\x59\x5a\xbd\x4d\x7f\xb3\x1f" + "\x65\x11\x69\xd0\x0f\xf3\x26\x92\x6b\x34\x94\x7b\x28\xa8\x39\x59", + 177 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x29\x3d\x94\xb1\x8c\x98\xbb\x32\x23\x36\x6b\x8c\xe7\x4c\x28\xfb" + "\xdf\x28\xe1\xf8\x4a\x33\x50\xb0\xeb\x2d\x18\x04\xa5\x77\x57\x9b", + 178 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2c\x2f\xa5\xc0\xb5\x15\x33\x16\x5b\xc3\x75\xc2\x2e\x27\x81\x76" + "\x82\x70\xa3\x83\x98\x5d\x13\xbd\x6b\x67\xb6\xfd\x67\xf8\x89\xeb", + 179 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xca\xa0\x9b\x82\xb7\x25\x62\xe4\x3f\x4b\x22\x75\xc0\x91\x91\x8e" + "\x62\x4d\x91\x16\x61\xcc\x81\x1b\xb5\xfa\xec\x51\xf6\x08\x8e\xf7", + 180 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x24\x76\x1e\x45\xe6\x74\x39\x53\x79\xfb\x17\x72\x9c\x78\xcb\x93" + "\x9e\x6f\x74\xc5\xdf\xfb\x9c\x96\x1f\x49\x59\x82\xc3\xed\x1f\xe3", + 181 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x55\xb7\x0a\x82\x13\x1e\xc9\x48\x88\xd7\xab\x54\xa7\xc5\x15\x25" + "\x5c\x39\x38\xbb\x10\xbc\x78\x4d\xc9\xb6\x7f\x07\x6e\x34\x1a\x73", + 182 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x6a\xb9\x05\x7b\x97\x7e\xbc\x3c\xa4\xd4\xce\x74\x50\x6c\x25\xcc" + "\xcd\xc5\x66\x49\x7c\x45\x0b\x54\x15\xa3\x94\x86\xf8\x65\x7a\x03", + 183 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x24\x06\x6d\xee\xe0\xec\xee\x15\xa4\x5f\x0a\x32\x6d\x0f\x8d\xbc" + "\x79\x76\x1e\xbb\x93\xcf\x8c\x03\x77\xaf\x44\x09\x78\xfc\xf9\x94", + 184 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x20\x00\x0d\x3f\x66\xba\x76\x86\x0d\x5a\x95\x06\x88\xb9\xaa\x0d" + "\x76\xcf\xea\x59\xb0\x05\xd8\x59\x91\x4b\x1a\x46\x65\x3a\x93\x9b", + 185 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb9\x2d\xaa\x79\x60\x3e\x3b\xdb\xc3\xbf\xe0\xf4\x19\xe4\x09\xb2" + "\xea\x10\xdc\x43\x5b\xee\xfe\x29\x59\xda\x16\x89\x5d\x5d\xca\x1c", + 186 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe9\x47\x94\x87\x05\xb2\x06\xd5\x72\xb0\xe8\xf6\x2f\x66\xa6\x55" + "\x1c\xbd\x6b\xc3\x05\xd2\x6c\xe7\x53\x9a\x12\xf9\xaa\xdf\x75\x71", + 187 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x3d\x67\xc1\xb3\xf9\xb2\x39\x10\xe3\xd3\x5e\x6b\x0f\x2c\xcf\x44" + "\xa0\xb5\x40\xa4\x5c\x18\xba\x3c\x36\x26\x4d\xd4\x8e\x96\xaf\x6a", + 188 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc7\x55\x8b\xab\xda\x04\xbc\xcb\x76\x4d\x0b\xbf\x33\x58\x42\x51" + "\x41\x90\x2d\x22\x39\x1d\x9f\x8c\x59\x15\x9f\xec\x9e\x49\xb1\x51", + 189 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x0b\x73\x2b\xb0\x35\x67\x5a\x50\xff\x58\xf2\xc2\x42\xe4\x71\x0a" + "\xec\xe6\x46\x70\x07\x9c\x13\x04\x4c\x79\xc9\xb7\x49\x1f\x70\x00", + 190 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xd1\x20\xb5\xef\x6d\x57\xeb\xf0\x6e\xaf\x96\xbc\x93\x3c\x96\x7b" + "\x16\xcb\xe6\xe2\xbf\x00\x74\x1c\x30\xaa\x1c\x54\xba\x64\x80\x1f", + 191 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x58\xd2\x12\xad\x6f\x58\xae\xf0\xf8\x01\x16\xb4\x41\xe5\x7f\x61" + "\x95\xbf\xef\x26\xb6\x14\x63\xed\xec\x11\x83\xcd\xb0\x4f\xe7\x6d", + 192 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb8\x83\x6f\x51\xd1\xe2\x9b\xdf\xdb\xa3\x25\x56\x53\x60\x26\x8b" + "\x8f\xad\x62\x74\x73\xed\xec\xef\x7e\xae\xfe\xe8\x37\xc7\x40\x03", + 193 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc5\x47\xa3\xc1\x24\xae\x56\x85\xff\xa7\xb8\xed\xaf\x96\xec\x86" + "\xf8\xb2\xd0\xd5\x0c\xee\x8b\xe3\xb1\xf0\xc7\x67\x63\x06\x9d\x9c", + 194 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x5d\x16\x8b\x76\x9a\x2f\x67\x85\x3d\x62\x95\xf7\x56\x8b\xe4\x0b" + "\xb7\xa1\x6b\x8d\x65\xba\x87\x63\x5d\x19\x78\xd2\xab\x11\xba\x2a", + 195 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa2\xf6\x75\xdc\x73\x02\x63\x8c\xb6\x02\x01\x06\x4c\xa5\x50\x77" + "\x71\x4d\x71\xfe\x09\x6a\x31\x5f\x2f\xe7\x40\x12\x77\xca\xa5\xaf", + 196 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc8\xaa\xb5\xcd\x01\x60\xae\x78\xcd\x2e\x8a\xc5\xfb\x0e\x09\x3c" + "\xdb\x5c\x4b\x60\x52\xa0\xa9\x7b\xb0\x42\x16\x82\x6f\xa7\xa4\x37", + 197 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xff\x68\xca\x40\x35\xbf\xeb\x43\xfb\xf1\x45\xfd\xdd\x5e\x43\xf1" + "\xce\xa5\x4f\x11\xf7\xbe\xe1\x30\x58\xf0\x27\x32\x9a\x4a\x5f\xa4", + 198 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x1d\x4e\x54\x87\xae\x3c\x74\x0f\x2b\xa6\xe5\x41\xac\x91\xbc\x2b" + "\xfc\xd2\x99\x9c\x51\x8d\x80\x7b\x42\x67\x48\x80\x3a\x35\x0f\xd4", + 199 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x6d\x24\x4e\x1a\x06\xce\x4e\xf5\x78\xdd\x0f\x63\xaf\xf0\x93\x67" + "\x06\x73\x51\x19\xca\x9c\x8d\x22\xd8\x6c\x80\x14\x14\xab\x97\x41", + 200 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xde\xcf\x73\x29\xdb\xcc\x82\x7b\x8f\xc5\x24\xc9\x43\x1e\x89\x98" + "\x02\x9e\xce\x12\xce\x93\xb7\xb2\xf3\xe7\x69\xa9\x41\xfb\x8c\xea", + 201 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2f\xaf\xcc\x0f\x2e\x63\xcb\xd0\x77\x55\xbe\x7b\x75\xec\xea\x0a" + "\xdf\xf9\xaa\x5e\xde\x2a\x52\xfd\xab\x4d\xfd\x03\x74\xcd\x48\x3f", + 202 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xaa\x85\x01\x0d\xd4\x6a\x54\x6b\x53\x5e\xf4\xcf\x5f\x07\xd6\x51" + "\x61\xe8\x98\x28\xf3\xa7\x7d\xb7\xb9\xb5\x6f\x0d\xf5\x9a\xae\x45", + 203 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x07\xe8\xe1\xee\x73\x2c\xb0\xd3\x56\xc9\xc0\xd1\x06\x9c\x89\xd1" + "\x7a\xdf\x6a\x9a\x33\x4f\x74\x5e\xc7\x86\x73\x32\x54\x8c\xa8\xe9", + 204 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x0e\x01\xe8\x1c\xad\xa8\x16\x2b\xfd\x5f\x8a\x8c\x81\x8a\x6c\x69" + "\xfe\xdf\x02\xce\xb5\x20\x85\x23\xcb\xe5\x31\x3b\x89\xca\x10\x53", + 205 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x6b\xb6\xc6\x47\x26\x55\x08\x43\x99\x85\x2e\x00\x24\x9f\x8c\xb2" + "\x47\x89\x6d\x39\x2b\x02\xd7\x3b\x7f\x0d\xd8\x18\xe1\xe2\x9b\x07", + 206 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x42\xd4\x63\x6e\x20\x60\xf0\x8f\x41\xc8\x82\xe7\x6b\x39\x6b\x11" + "\x2e\xf6\x27\xcc\x24\xc4\x3d\xd5\xf8\x3a\x1d\x1a\x7e\xad\x71\x1a", + 207 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x48\x58\xc9\xa1\x88\xb0\x23\x4f\xb9\xa8\xd4\x7d\x0b\x41\x33\x65" + "\x0a\x03\x0b\xd0\x61\x1b\x87\xc3\x89\x2e\x94\x95\x1f\x8d\xf8\x52", + 208 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x3f\xab\x3e\x36\x98\x8d\x44\x5a\x51\xc8\x78\x3e\x53\x1b\xe3\xa0" + "\x2b\xe4\x0c\xd0\x47\x96\xcf\xb6\x1d\x40\x34\x74\x42\xd3\xf7\x94", + 209 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xeb\xab\xc4\x96\x36\xbd\x43\x3d\x2e\xc8\xf0\xe5\x18\x73\x2e\xf8" + "\xfa\x21\xd4\xd0\x71\xcc\x3b\xc4\x6c\xd7\x9f\xa3\x8a\x28\xb8\x10", + 210 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xa1\xd0\x34\x35\x23\xb8\x93\xfc\xa8\x4f\x47\xfe\xb4\xa6\x4d\x35" + "\x0a\x17\xd8\xee\xf5\x49\x7e\xce\x69\x7d\x02\xd7\x91\x78\xb5\x91", + 211 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x26\x2e\xbf\xd9\x13\x0b\x7d\x28\x76\x0d\x08\xef\x8b\xfd\x3b\x86" + "\xcd\xd3\xb2\x11\x3d\x2c\xae\xf7\xea\x95\x1a\x30\x3d\xfa\x38\x46", + 212 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf7\x61\x58\xed\xd5\x0a\x15\x4f\xa7\x82\x03\xed\x23\x62\x93\x2f" + "\xcb\x82\x53\xaa\xe3\x78\x90\x3e\xde\xd1\xe0\x3f\x70\x21\xa2\x57", + 213 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x26\x17\x8e\x95\x0a\xc7\x22\xf6\x7a\xe5\x6e\x57\x1b\x28\x4c\x02" + "\x07\x68\x4a\x63\x34\xa1\x77\x48\xa9\x4d\x26\x0b\xc5\xf5\x52\x74", + 214 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc3\x78\xd1\xe4\x93\xb4\x0e\xf1\x1f\xe6\xa1\x5d\x9c\x27\x37\xa3" + "\x78\x09\x63\x4c\x5a\xba\xd5\xb3\x3d\x7e\x39\x3b\x4a\xe0\x5d\x03", + 215 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x98\x4b\xd8\x37\x91\x01\xbe\x8f\xd8\x06\x12\xd8\xea\x29\x59\xa7" + "\x86\x5e\xc9\x71\x85\x23\x55\x01\x07\xae\x39\x38\xdf\x32\x01\x1b", + 216 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc6\xf2\x5a\x81\x2a\x14\x48\x58\xac\x5c\xed\x37\xa9\x3a\x9f\x47" + "\x59\xba\x0b\x1c\x0f\xdc\x43\x1d\xce\x35\xf9\xec\x1f\x1f\x4a\x99", + 217 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x92\x4c\x75\xc9\x44\x24\xff\x75\xe7\x4b\x8b\x4e\x94\x35\x89\x58" + "\xb0\x27\xb1\x71\xdf\x5e\x57\x89\x9a\xd0\xd4\xda\xc3\x73\x53\xb6", + 218 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x0a\xf3\x58\x92\xa6\x3f\x45\x93\x1f\x68\x46\xed\x19\x03\x61\xcd" + "\x07\x30\x89\xe0\x77\x16\x57\x14\xb5\x0b\x81\xa2\xe3\xdd\x9b\xa1", + 219 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xcc\x80\xce\xfb\x26\xc3\xb2\xb0\xda\xef\x23\x3e\x60\x6d\x5f\xfc" + "\x80\xfa\x17\x42\x7d\x18\xe3\x04\x89\x67\x3e\x06\xef\x4b\x87\xf7", + 220 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc2\xf8\xc8\x11\x74\x47\xf3\x97\x8b\x08\x18\xdc\xf6\xf7\x01\x16" + "\xac\x56\xfd\x18\x4d\xd1\x27\x84\x94\xe1\x03\xfc\x6d\x74\xa8\x87", + 221 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xbd\xec\xf6\xbf\xc1\xba\x0d\xf6\xe8\x62\xc8\x31\x99\x22\x07\x79" + "\x6a\xcc\x79\x79\x68\x35\x88\x28\xc0\x6e\x7a\x51\xe0\x90\x09\x8f", + 222 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x24\xd1\xa2\x6e\x3d\xab\x02\xfe\x45\x72\xd2\xaa\x7d\xbd\x3e\xc3" + "\x0f\x06\x93\xdb\x26\xf2\x73\xd0\xab\x2c\xb0\xc1\x3b\x5e\x64\x51", + 223 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xec\x56\xf5\x8b\x09\x29\x9a\x30\x0b\x14\x05\x65\xd7\xd3\xe6\x87" + "\x82\xb6\xe2\xfb\xeb\x4b\x7e\xa9\x7a\xc0\x57\x98\x90\x61\xdd\x3f", + 224 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x11\xa4\x37\xc1\xab\xa3\xc1\x19\xdd\xfa\xb3\x1b\x3e\x8c\x84\x1d" + "\xee\xeb\x91\x3e\xf5\x7f\x7e\x48\xf2\xc9\xcf\x5a\x28\xfa\x42\xbc", + 225 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x53\xc7\xe6\x11\x4b\x85\x0a\x2c\xb4\x96\xc9\xb3\xc6\x9a\x62\x3e" + "\xae\xa2\xcb\x1d\x33\xdd\x81\x7e\x47\x65\xed\xaa\x68\x23\xc2\x28", + 226 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x15\x4c\x3e\x96\xfe\xe5\xdb\x14\xf8\x77\x3e\x18\xaf\x14\x85\x79" + "\x13\x50\x9d\xa9\x99\xb4\x6c\xdd\x3d\x4c\x16\x97\x60\xc8\x3a\xd2", + 227 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x40\xb9\x91\x6f\x09\x3e\x02\x7a\x87\x86\x64\x18\x18\x92\x06\x20" + "\x47\x2f\xbc\xf6\x8f\x70\x1d\x1b\x68\x06\x32\xe6\x99\x6b\xde\xd3", + 228 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x24\xc4\xcb\xba\x07\x11\x98\x31\xa7\x26\xb0\x53\x05\xd9\x6d\xa0" + "\x2f\xf8\xb1\x48\xf0\xda\x44\x0f\xe2\x33\xbc\xaa\x32\xc7\x2f\x6f", + 229 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x5d\x20\x15\x10\x25\x00\x20\xb7\x83\x68\x96\x88\xab\xbf\x8e\xcf" + "\x25\x94\xa9\x6a\x08\xf2\xbf\xec\x6c\xe0\x57\x44\x65\xdd\xed\x71", + 230 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x04\x3b\x97\xe3\x36\xee\x6f\xdb\xbe\x2b\x50\xf2\x2a\xf8\x32\x75" + "\xa4\x08\x48\x05\xd2\xd5\x64\x59\x62\x45\x4b\x6c\x9b\x80\x53\xa0", + 231 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x56\x48\x35\xcb\xae\xa7\x74\x94\x85\x68\xbe\x36\xcf\x52\xfc\xdd" + "\x83\x93\x4e\xb0\xa2\x75\x12\xdb\xe3\xe2\xdb\x47\xb9\xe6\x63\x5a", + 232 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf2\x1c\x33\xf4\x7b\xde\x40\xa2\xa1\x01\xc9\xcd\xe8\x02\x7a\xaf" + "\x61\xa3\x13\x7d\xe2\x42\x2b\x30\x03\x5a\x04\xc2\x70\x89\x41\x83", + 233 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x9d\xb0\xef\x74\xe6\x6c\xbb\x84\x2e\xb0\xe0\x73\x43\xa0\x3c\x5c" + "\x56\x7e\x37\x2b\x3f\x23\xb9\x43\xc7\x88\xa4\xf2\x50\xf6\x78\x91", + 234 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xab\x8d\x08\x65\x5f\xf1\xd3\xfe\x87\x58\xd5\x62\x23\x5f\xd2\x3e" + "\x7c\xf9\xdc\xaa\xd6\x58\x87\x2a\x49\xe5\xd3\x18\x3b\x6c\xce\xbd", + 235 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x6f\x27\xf7\x7e\x7b\xcf\x46\xa1\xe9\x63\xad\xe0\x30\x97\x33\x54" + "\x30\x31\xdc\xcd\xd4\x7c\xaa\xc1\x74\xd7\xd2\x7c\xe8\x07\x7e\x8b", + 236 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xe3\xcd\x54\xda\x7e\x44\x4c\xaa\x62\x07\x56\x95\x25\xa6\x70\xeb" + "\xae\x12\x78\xde\x4e\x3f\xe2\x68\x4b\x3e\x33\xf5\xef\x90\xcc\x1b", + 237 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb2\xc3\xe3\x3a\x51\xd2\x2c\x4c\x08\xfc\x09\x89\xc8\x73\xc9\xcc" + "\x41\x50\x57\x9b\x1e\x61\x63\xfa\x69\x4a\xd5\x1d\x53\xd7\x12\xdc", + 238 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xbe\x7f\xda\x98\x3e\x13\x18\x9b\x4c\x77\xe0\xa8\x09\x20\xb6\xe0" + "\xe0\xea\x80\xc3\xb8\x4d\xbe\x7e\x71\x17\xd2\x53\xf4\x81\x12\xf4", + 239 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb6\x00\x8c\x28\xfa\xe0\x8a\xa4\x27\xe5\xbd\x3a\xad\x36\xf1\x00" + "\x21\xf1\x6c\x77\xcf\xea\xbe\xd0\x7f\x97\xcc\x7d\xc1\xf1\x28\x4a", + 240 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x6e\x4e\x67\x60\xc5\x38\xf2\xe9\x7b\x3a\xdb\xfb\xbc\xde\x57\xf8" + "\x96\x6b\x7e\xa8\xfc\xb5\xbf\x7e\xfe\xc9\x13\xfd\x2a\x2b\x0c\x55", + 241 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x4a\xe5\x1f\xd1\x83\x4a\xa5\xbd\x9a\x6f\x7e\xc3\x9f\xc6\x63\x33" + "\x8d\xc5\xd2\xe2\x07\x61\x56\x6d\x90\xcc\x68\xb1\xcb\x87\x5e\xd8", + 242 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb6\x73\xaa\xd7\x5a\xb1\xfd\xb5\x40\x1a\xbf\xa1\xbf\x89\xf3\xad" + "\xd2\xeb\xc4\x68\xdf\x36\x24\xa4\x78\xf4\xfe\x85\x9d\x8d\x55\xe2", + 243 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x13\xc9\x47\x1a\x98\x55\x91\x35\x39\x83\x66\x60\x39\x8d\xa0\xf3" + "\xf9\x9a\xda\x08\x47\x9c\x69\xd1\xb7\xfc\xaa\x34\x61\xdd\x7e\x59", + 244 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x2c\x11\xf4\xa7\xf9\x9a\x1d\x23\xa5\x8b\xb6\x36\x35\x0f\xe8\x49" + "\xf2\x9c\xba\xc1\xb2\xa1\x11\x2d\x9f\x1e\xd5\xbc\x5b\x31\x3c\xcd", + 245 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc7\xd3\xc0\x70\x6b\x11\xae\x74\x1c\x05\xa1\xef\x15\x0d\xd6\x5b" + "\x54\x94\xd6\xd5\x4c\x9a\x86\xe2\x61\x78\x54\xe6\xae\xee\xbb\xd9", + 246 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x19\x4e\x10\xc9\x38\x93\xaf\xa0\x64\xc3\xac\x04\xc0\xdd\x80\x8d" + "\x79\x1c\x3d\x4b\x75\x56\xe8\x9d\x8d\x9c\xb2\x25\xc4\xb3\x33\x39", + 247 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x6f\xc4\x98\x8b\x8f\x78\x54\x6b\x16\x88\x99\x18\x45\x90\x8f\x13" + "\x4b\x6a\x48\x2e\x69\x94\xb3\xd4\x83\x17\xbf\x08\xdb\x29\x21\x85", + 248 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x56\x65\xbe\xb8\xb0\x95\x55\x25\x81\x3b\x59\x81\xcd\x14\x2e\xd4" + "\xd0\x3f\xba\x38\xa6\xf3\xe5\xad\x26\x8e\x0c\xc2\x70\xd1\xcd\x11", + 249 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xb8\x83\xd6\x8f\x5f\xe5\x19\x36\x43\x1b\xa4\x25\x67\x38\x05\x3b" + "\x1d\x04\x26\xd4\xcb\x64\xb1\x6e\x83\xba\xdc\x5e\x9f\xbe\x3b\x81", + 250 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x53\xe7\xb2\x7e\xa5\x9c\x2f\x6d\xbb\x50\x76\x9e\x43\x55\x4d\xf3" + "\x5a\xf8\x9f\x48\x22\xd0\x46\x6b\x00\x7d\xd6\xf6\xde\xaf\xff\x02", + 251 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\x1f\x1a\x02\x29\xd4\x64\x0f\x01\x90\x15\x88\xd9\xde\xc2\x2d\x13" + "\xfc\x3e\xb3\x4a\x61\xb3\x29\x38\xef\xbf\x53\x34\xb2\x80\x0a\xfa", + 252 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc2\xb4\x05\xaf\xa0\xfa\x66\x68\x85\x2a\xee\x4d\x88\x04\x08\x53" + "\xfa\xb8\x00\xe7\x2b\x57\x58\x14\x18\xe5\x50\x6f\x21\x4c\x7d\x1f", + 253 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xc0\x8a\xa1\xc2\x86\xd7\x09\xfd\xc7\x47\x37\x44\x97\x71\x88\xc8" + "\x95\xba\x01\x10\x14\x24\x7e\x4e\xfa\x8d\x07\xe7\x8f\xec\x69\x5c", + 254 }, + { GCRY_MD_BLAKE2S_256, blake2_data_vector, + "\xf0\x3f\x57\x89\xd3\x33\x6b\x80\xd0\x02\xd5\x9f\xdf\x91\x8b\xdb" + "\x77\x5b\x00\x95\x6e\xd5\x52\x8e\x86\xaa\x99\x4a\xcb\x38\xfe\x2d", + 255 }, diff --git a/tests/cavs_driver.pl b/tests/cavs_driver.pl index b95e9b1..bc93feb 100755 --- a/tests/cavs_driver.pl +++ b/tests/cavs_driver.pl @@ -1381,7 +1381,7 @@ sub rsa_siggen($$$) { # RSA SigVer test # $1: Message to be verified in hex form -# $2: Hash algoritm +# $2: Hash algorithm # $3: Signature of message in hex form # $4: n of the RSA key in hex in hex form # $5: e of the RSA key in hex in hex form diff --git a/tests/curves.c b/tests/curves.c index 2732bbd..9e75fd5 100644 --- a/tests/curves.c +++ b/tests/curves.c @@ -28,6 +28,10 @@ #include "../src/gcrypt-int.h" + +#define PGM "curves" +#include "t-common.h" + /* Number of curves defined in ../cipger/ecc.c */ #define N_CURVES 22 @@ -66,33 +70,6 @@ static char const sample_key_2_curve[] = "brainpoolP160r1"; static unsigned int sample_key_2_nbits = 160; -/* Program option flags. */ -static int verbose; -static int error_count; - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - - static void list_curves (void) { @@ -193,8 +170,6 @@ check_get_params (void) int main (int argc, char **argv) { - int debug = 0; - if (argc > 1 && !strcmp (argv[1], "--verbose")) verbose = 1; else if (argc > 1 && !strcmp (argv[1], "--debug")) @@ -203,10 +178,10 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); list_curves (); check_matching (); check_get_params (); diff --git a/tests/dsa-rfc6979.c b/tests/dsa-rfc6979.c index 4ecdef9..2cfa94a 100644 --- a/tests/dsa-rfc6979.c +++ b/tests/dsa-rfc6979.c @@ -26,58 +26,13 @@ #include #include -#ifdef _GCRYPT_IN_LIBGCRYPT -# include "../src/gcrypt-int.h" -#else +#ifndef _GCRYPT_IN_LIBGCRYPT # include #endif +#define PGM "dsa-rfc6979" +#include "t-common.h" -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define DIM(v) (sizeof(v)/sizeof((v)[0])) -#define DIMof(type,member) DIM(((type *)0)->member) - -static int verbose; -static int error_count; - -static void -info (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} static void show_sexp (const char *prefix, gcry_sexp_t a) @@ -1003,8 +958,6 @@ check_dsa_rfc6979 (void) int main (int argc, char **argv) { - int debug = 0; - if (argc > 1 && !strcmp (argv[1], "--verbose")) verbose = 1; else if (argc > 1 && !strcmp (argv[1], "--debug")) @@ -1013,16 +966,16 @@ main (int argc, char **argv) debug = 1; } - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); /* Check that we test exactly our version - including the patchlevel. */ if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL))) die ("version mismatch; pgm=%s, library=%s\n", GCRYPT_VERSION,gcry_check_version (NULL)); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); /* No valuable keys are create, so we can speed up our RNG. */ - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); check_dsa_rfc6979 (); diff --git a/tests/fips186-dsa.c b/tests/fips186-dsa.c index 5ee829e..b5f0cf0 100644 --- a/tests/fips186-dsa.c +++ b/tests/fips186-dsa.c @@ -31,52 +31,9 @@ # include #endif +#define PGM "fips186-dsa" +#include "t-common.h" -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define DIM(v) (sizeof(v)/sizeof((v)[0])) -#define DIMof(type,member) DIM(((type *)0)->member) - -static int verbose; -static int error_count; - -static void -info (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} static void show_sexp (const char *prefix, gcry_sexp_t a) @@ -446,8 +403,6 @@ check_dsa_gen_186_3 (void) int main (int argc, char **argv) { - int debug = 0; - if (argc > 1 && !strcmp (argv[1], "--verbose")) verbose = 1; else if (argc > 1 && !strcmp (argv[1], "--debug")) @@ -456,14 +411,14 @@ main (int argc, char **argv) debug = 1; } - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); /* No valuable keys are create, so we can speed up our RNG. */ - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); check_dsa_gen_186_2 (); diff --git a/tests/fipsdrv.c b/tests/fipsdrv.c index 63c5176..f9d9c45 100644 --- a/tests/fipsdrv.c +++ b/tests/fipsdrv.c @@ -34,9 +34,7 @@ #include #include -#ifdef _GCRYPT_IN_LIBGCRYPT -# include "../src/gcrypt-int.h" -#else +#ifndef _GCRYPT_IN_LIBGCRYPT # include # define PACKAGE_BUGREPORT "devnull@example.org" # define PACKAGE_VERSION "[build on " __DATE__ " " __TIME__ "]" @@ -44,23 +42,9 @@ #include "../src/gcrypt-testapi.h" #define PGM "fipsdrv" - -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define DIM(v) (sizeof(v)/sizeof((v)[0])) -#define DIMof(type,member) DIM(((type *)0)->member) - +#include "t-common.h" -/* Verbose mode flag. */ -static int verbose; - /* Binary input flag. */ static int binary_input; @@ -134,26 +118,6 @@ struct tag_info }; -/* If we have a decent libgpg-error we can use some gcc attributes. */ -#ifdef GPGRT_ATTR_NORETURN -static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2); -#endif /*GPGRT_ATTR_NORETURN*/ - - -/* Print a error message and exit the process with an error code. */ -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - fputs (PGM ": ", stderr); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - - static void showhex (const char *prefix, const void *buffer, size_t length) { @@ -965,7 +929,7 @@ run_external_rng_test (void *context, void *buffer, size_t buflen) static void deinit_external_rng_test (void *context) { - gcry_control (PRIV_CTL_DEINIT_EXTRNG_TEST, context); + xgcry_control (PRIV_CTL_DEINIT_EXTRNG_TEST, context); } @@ -2512,16 +2476,16 @@ main (int argc, char **argv) if (verbose) fprintf (stderr, PGM ": started (mode=%s)\n", mode_string); - gcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); if (!no_fips) - gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); if (!gcry_check_version ("1.4.3")) die ("Libgcrypt is not sufficient enough\n"); if (verbose) fprintf (stderr, PGM ": using Libgcrypt %s\n", gcry_check_version (NULL)); if (no_fips) - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); /* Most operations need some input data. */ if (!chunksize diff --git a/tests/gchash.c b/tests/gchash.c index 7ff99e0..83dc7b5 100644 --- a/tests/gchash.c +++ b/tests/gchash.c @@ -31,6 +31,9 @@ # include #endif +#define PGM "gchash" +#include "t-common.h" + void init_gcrypt (void) @@ -40,15 +43,15 @@ init_gcrypt (void) exit (2); } - gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); + xgcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); /* Allocate a pool of 16k secure memory. This make the secure memory * available and also drops privileges where needed. */ - gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); + xgcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); - gcry_control (GCRYCTL_RESUME_SECMEM_WARN); + xgcry_control (GCRYCTL_RESUME_SECMEM_WARN); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); } int diff --git a/tests/genhashdata.c b/tests/genhashdata.c index e16c49b..138a534 100644 --- a/tests/genhashdata.c +++ b/tests/genhashdata.c @@ -55,6 +55,9 @@ de40eedef66cb1afd94c61e285fa9327e01336e804903740a9145ab1f065c2d5 - */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include @@ -62,21 +65,7 @@ de40eedef66cb1afd94c61e285fa9327e01336e804903740a9145ab1f065c2d5 - #include #define PGM "genhashdata" - -static void -die (const char *format, ...) -{ - va_list arg_ptr ; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format ) ; - vfprintf (stderr, format, arg_ptr ); - va_end(arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - exit (1); -} +#include "t-common.h" int main (int argc, char **argv) diff --git a/tests/hashtest-256g.in b/tests/hashtest-256g.in index e897c54..92b1c1b 100755 --- a/tests/hashtest-256g.in +++ b/tests/hashtest-256g.in @@ -4,4 +4,4 @@ algos="SHA1 SHA256 SHA512" test "@RUN_LARGE_DATA_TESTS@" = yes || exit 77 echo " now running 256 GiB tests for $algos - this takes looong" -exec ./hashtest --gigs 256 $algos +exec ./hashtest@EXEEXT@ --gigs 256 $algos diff --git a/tests/hashtest.c b/tests/hashtest.c index 33907fb..2ecbc1f 100644 --- a/tests/hashtest.c +++ b/tests/hashtest.c @@ -1,4 +1,4 @@ -/* hashtest.c - Check the hash fucntions +/* hashtest.c - Check the hash functions * Copyright (C) 2013 g10 Code GmbH * * This file is part of Libgcrypt. @@ -32,24 +32,8 @@ #include "stopwatch.h" #define PGM "hashtest" +#include "t-common.h" -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define xmalloc(a) gcry_xmalloc ((a)) -#define xcalloc(a,b) gcry_xcalloc ((a),(b)) -#define xstrdup(a) gcry_xstrdup ((a)) -#define xfree(a) gcry_free ((a)) -#define pass() do { ; } while (0) - -static int verbose; -static int debug; -static int error_count; static int missing_test_vectors; static struct { @@ -122,55 +106,6 @@ static struct { }; - -static void -die (const char *format, ...) -{ - va_list arg_ptr ; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - va_start( arg_ptr, format ) ; - vfprintf (stderr, format, arg_ptr ); - va_end(arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - exit (1); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - /* if (wherestr) */ - /* fprintf (stderr, "%s: ", wherestr); */ - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - error_count++; - if (error_count >= 50) - die ("stopped after 50 errors."); -} - -static void -show (const char *format, ...) -{ - va_list arg_ptr; - - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - va_end (arg_ptr); -} - - static void showhex (const void *buffer, size_t buflen, const char *format, ...) { @@ -241,10 +176,10 @@ run_selftest (int algo) fail ("extended selftest for %s (%d) failed: %s", gcry_md_algo_name (algo), algo, gpg_strerror (err)); else if (err && verbose) - show ("extended selftest for %s (%d) not implemented", + info ("extended selftest for %s (%d) not implemented", gcry_md_algo_name (algo), algo); else if (verbose) - show ("extended selftest for %s (%d) passed", + info ("extended selftest for %s (%d) passed", gcry_md_algo_name (algo), algo); } @@ -268,7 +203,7 @@ cmp_digest (const unsigned char *digest, size_t digestlen, } if (!testvectors[idx].algo) { - show ("%d GiB %+3d %-10s warning: %s", + info ("%d GiB %+3d %-10s warning: %s", gigs, bytes, gcry_md_algo_name (algo), "no test vector"); missing_test_vectors++; return 1; @@ -448,13 +383,13 @@ main (int argc, char **argv) if (gigs < 0 || gigs > 1024*1024) die ("value for --gigs must be in the range 0 to %d", 1024*1024); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); /* A quick check that all given algorithms are valid. */ for (idx=0; idx < argc; idx++) @@ -499,7 +434,7 @@ main (int argc, char **argv) fail ("Some test vectors are missing"); if (verbose) - show ("All tests completed in %s. Errors: %d\n", + info ("All tests completed in %s. Errors: %d\n", elapsed_time (1), error_count); return !!error_count; } diff --git a/tests/hmac.c b/tests/hmac.c index f4dc945..5852ee4 100644 --- a/tests/hmac.c +++ b/tests/hmac.c @@ -26,33 +26,8 @@ #include #include -#include "../src/gcrypt-int.h" - -static int verbose; -static int error_count; - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - +#define PGM "hmac" +#include "t-common.h" static void @@ -186,7 +161,8 @@ check_hmac_multi (void) err = gcry_md_hash_buffers (algo, GCRY_MD_FLAG_HMAC, digest, iov, 4); if (err) { - fail ("gcry_md_hash_buffers failed: %s\n", algo, gpg_strerror (err)); + fail ("gcry_md_hash_buffers failed for algo %d: %s\n", + algo, gpg_strerror (err)); return; } @@ -208,8 +184,6 @@ check_hmac_multi (void) int main (int argc, char **argv) { - int debug = 0; - if (argc > 1 && !strcmp (argv[1], "--verbose")) verbose = 1; else if (argc > 1 && !strcmp (argv[1], "--debug")) @@ -218,10 +192,10 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); check_hmac (); check_hmac_multi (); diff --git a/tests/keygen.c b/tests/keygen.c index c4520e9..6b6a60a 100644 --- a/tests/keygen.c +++ b/tests/keygen.c @@ -29,68 +29,11 @@ #define PGM "keygen" +#include "t-common.h" -#define xmalloc(a) gcry_xmalloc ((a)) -#define xcalloc(a,b) gcry_xcalloc ((a),(b)) -#define xstrdup(a) gcry_xstrdup ((a)) -#define xfree(a) gcry_free ((a)) -#define pass() do { ; } while (0) - - -static int verbose; -static int debug; -static int error_count; static int in_fips_mode; -static void -die (const char *format, ...) -{ - va_list arg_ptr ; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - va_start( arg_ptr, format ) ; - vfprintf (stderr, format, arg_ptr ); - va_end(arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - exit (1); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - /* if (wherestr) */ - /* fprintf (stderr, "%s: ", wherestr); */ - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - error_count++; - if (error_count >= 50) - die ("stopped after 50 errors."); -} - -static void -show (const char *format, ...) -{ - va_list arg_ptr; - - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - va_end (arg_ptr); -} - - /* static void */ /* show_note (const char *format, ...) */ /* { */ @@ -197,7 +140,7 @@ check_rsa_keys (void) int rc; if (verbose) - show ("creating 2048 bit RSA key\n"); + info ("creating 2048 bit RSA key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" @@ -211,7 +154,7 @@ check_rsa_keys (void) die ("error generating RSA key: %s\n", gpg_strerror (rc)); if (verbose) - show ("creating 1024 bit RSA key\n"); + info ("creating 1024 bit RSA key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" @@ -237,7 +180,7 @@ check_rsa_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating 2048 bit RSA key with e=65539\n"); + info ("creating 2048 bit RSA key with e=65539\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" @@ -257,7 +200,7 @@ check_rsa_keys (void) if (verbose) - show ("creating 512 bit RSA key with e=257\n"); + info ("creating 512 bit RSA key with e=257\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" @@ -274,7 +217,7 @@ check_rsa_keys (void) fail ("generating 512 bit RSA key must not work!"); if (verbose && rc && in_fips_mode) - show ("... correctly rejected key creation in FIPS mode (%s)\n", + info ("... correctly rejected key creation in FIPS mode (%s)\n", gpg_strerror (rc)); if (!rc) @@ -282,7 +225,7 @@ check_rsa_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating 512 bit RSA key with default e\n"); + info ("creating 512 bit RSA key with default e\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (rsa\n" @@ -299,7 +242,7 @@ check_rsa_keys (void) fail ("generating 512 bit RSA key must not work!"); if (verbose && rc && in_fips_mode) - show ("... correctly rejected key creation in FIPS mode (%s)\n", + info ("... correctly rejected key creation in FIPS mode (%s)\n", gpg_strerror (rc)); @@ -316,7 +259,7 @@ check_elg_keys (void) int rc; if (verbose) - show ("creating 1024 bit Elgamal key\n"); + info ("creating 1024 bit Elgamal key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (elg\n" @@ -344,7 +287,7 @@ check_dsa_keys (void) /* Check that DSA generation works and that it can grok the qbits argument. */ if (verbose) - show ("creating 5 1024 bit DSA keys\n"); + info ("creating 5 1024 bit DSA keys\n"); for (i=0; i < 5; i++) { rc = gcry_sexp_new (&keyparm, @@ -366,7 +309,7 @@ check_dsa_keys (void) } if (verbose) - show ("creating 1536 bit DSA key\n"); + info ("creating 1536 bit DSA key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (dsa\n" @@ -386,7 +329,7 @@ check_dsa_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating 3072 bit DSA key\n"); + info ("creating 3072 bit DSA key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (dsa\n" @@ -404,7 +347,7 @@ check_dsa_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating 2048/256 bit DSA key\n"); + info ("creating 2048/256 bit DSA key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (dsa\n" @@ -422,7 +365,7 @@ check_dsa_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating 2048/224 bit DSA key\n"); + info ("creating 2048/224 bit DSA key\n"); rc = gcry_sexp_new (&keyparm, "(genkey\n" " (dsa\n" @@ -488,7 +431,7 @@ check_ecc_keys (void) for (testno=0; curves[testno]; testno++) { if (verbose) - show ("creating ECC key using curve %s\n", curves[testno]); + info ("creating ECC key using curve %s\n", curves[testno]); if (!strcmp (curves[testno], "Ed25519")) { /* Ed25519 isn't allowed in fips mode */ @@ -519,7 +462,7 @@ check_ecc_keys (void) } if (verbose) - show ("creating ECC key using curve Ed25519 for ECDSA\n"); + info ("creating ECC key using curve Ed25519 for ECDSA\n"); rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve Ed25519)))"); if (rc) die ("error creating S-expression: %s\n", gpg_strerror (rc)); @@ -532,7 +475,7 @@ check_ecc_keys (void) fail ("generating Ed25519 key must not work!"); if (verbose && rc && in_fips_mode) - show ("... correctly rejected key creation in FIPS mode (%s)\n", + info ("... correctly rejected key creation in FIPS mode (%s)\n", gpg_strerror (rc)); if (!rc) @@ -545,7 +488,7 @@ check_ecc_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating ECC key using curve Ed25519 for ECDSA (nocomp)\n"); + info ("creating ECC key using curve Ed25519 for ECDSA (nocomp)\n"); rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve Ed25519)(flags nocomp)))"); if (rc) @@ -560,12 +503,12 @@ check_ecc_keys (void) fail ("generating Ed25519 key must not work in FIPS mode!"); if (verbose && rc && in_fips_mode) - show ("... correctly rejected key creation in FIPS mode (%s)\n", + info ("... correctly rejected key creation in FIPS mode (%s)\n", gpg_strerror (rc)); gcry_sexp_release (key); if (verbose) - show ("creating ECC key using curve NIST P-384 for ECDSA\n"); + info ("creating ECC key using curve NIST P-384 for ECDSA\n"); /* Must be specified as nistp384 (one word), because ecc_generate * uses _gcry_sexp_nth_string which takes the first word of the name @@ -586,7 +529,7 @@ check_ecc_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating ECC key using curve NIST P-384 for ECDSA (nocomp)\n"); + info ("creating ECC key using curve NIST P-384 for ECDSA (nocomp)\n"); rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve nistp384)(flags nocomp)))"); if (rc) @@ -606,7 +549,7 @@ check_ecc_keys (void) if (verbose) - show ("creating ECC key using curve Ed25519 for ECDSA (transient-key)\n"); + info ("creating ECC key using curve Ed25519 for ECDSA (transient-key)\n"); rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve Ed25519)(flags transient-key)))"); if (rc) @@ -621,7 +564,7 @@ check_ecc_keys (void) fail ("generating Ed25519 key must not work in FIPS mode!"); if (verbose && rc && in_fips_mode) - show ("... correctly rejected key creation in FIPS mode (%s)\n", + info ("... correctly rejected key creation in FIPS mode (%s)\n", gpg_strerror (rc)); if (!rc) @@ -633,7 +576,7 @@ check_ecc_keys (void) gcry_sexp_release (key); if (verbose) - show ("creating ECC key using curve Ed25519 for ECDSA " + info ("creating ECC key using curve Ed25519 for ECDSA " "(transient-key no-keytest)\n"); rc = gcry_sexp_build (&keyparm, NULL, "(genkey(ecc(curve Ed25519)" @@ -650,7 +593,7 @@ check_ecc_keys (void) fail ("generating Ed25519 key must not work in FIPS mode!"); if (verbose && rc && in_fips_mode) - show ("... correctly rejected key creation in FIPS mode (%s)\n", + info ("... correctly rejected key creation in FIPS mode (%s)\n", gpg_strerror (rc)); if (!rc) @@ -671,7 +614,7 @@ check_nonce (void) int oops=0; if (verbose) - show ("checking gcry_create_nonce\n"); + info ("checking gcry_create_nonce\n"); gcry_create_nonce (a, sizeof a); for (i=0; i < 10; i++) @@ -727,6 +670,7 @@ usage (int mode) " --verbose be verbose\n" " --debug flyswatter\n" " --fips run in FIPS mode\n" + " --no-quick To not use the quick RNG hack\n" " --progress print progress indicators\n", mode? stderr : stdout); if (mode) @@ -739,6 +683,7 @@ main (int argc, char **argv) int last_argc = -1; int opt_fips = 0; int with_progress = 0; + int no_quick = 0; if (argc) { argc--; argv++; } @@ -777,27 +722,33 @@ main (int argc, char **argv) argc--; argv++; with_progress = 1; } + else if (!strcmp (*argv, "--no-quick")) + { + argc--; argv++; + no_quick = 1; + } else if (!strncmp (*argv, "--", 2)) die ("unknown option '%s'", *argv); else break; } - gcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); if (opt_fips) - gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (!opt_fips) - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); /* No valuable keys are create, so we can speed up our RNG. */ - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + if (!no_quick) + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); if (with_progress) gcry_set_progress_handler (progress_cb, NULL); diff --git a/tests/keygrip.c b/tests/keygrip.c index 3ef1de1..f775f7a 100644 --- a/tests/keygrip.c +++ b/tests/keygrip.c @@ -28,24 +28,13 @@ #include #include -#include "../src/gcrypt-int.h" +#define PGM "keygrip" +#include "t-common.h" -static int verbose; static int repetitions; -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - static void print_hex (const char *text, const void *buf, size_t n) { @@ -263,7 +252,6 @@ int main (int argc, char **argv) { int last_argc = -1; - int debug = 0; if (argc) { argc--; argv++; } @@ -306,10 +294,10 @@ main (int argc, char **argv) gcry_set_progress_handler (progress_handler, NULL); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); check (); diff --git a/tests/mpitests.c b/tests/mpitests.c index b663029..18156d1 100644 --- a/tests/mpitests.c +++ b/tests/mpitests.c @@ -33,43 +33,7 @@ #endif #define PGM "mpitests" - -static int verbose; -static int debug; -static int error_count; - - -static void -die (const char *format, ...) -{ - va_list arg_ptr ; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format) ; - vfprintf (stderr, format, arg_ptr ); - va_end(arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - exit (1); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - error_count++; - if (error_count >= 50) - die ("stopped after 50 errors."); -} +#include "t-common.h" /* Set up some test patterns */ @@ -601,7 +565,7 @@ main (int argc, char* argv[]) fputs ("version mismatch\n", stderr); exit (1); } - gcry_control(GCRYCTL_DISABLE_SECMEM); + xgcry_control(GCRYCTL_DISABLE_SECMEM); test_const_and_immutable (); test_opaque (); diff --git a/tests/pkbench.c b/tests/pkbench.c index 15192f0..e458b42 100644 --- a/tests/pkbench.c +++ b/tests/pkbench.c @@ -35,11 +35,7 @@ #include #define PGM "pkbench" - - -static int verbose; -static int debug; -static int error_count; +#include "t-common.h" typedef struct context @@ -54,31 +50,6 @@ typedef struct context typedef int (*work_t) (context_t context, unsigned int final); -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fputs ( PGM ": ", stderr); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - putchar ('\n'); - fputs ( PGM ": ", stderr); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - static void show_sexp (const char *prefix, gcry_sexp_t a) { @@ -470,12 +441,12 @@ main (int argc, char **argv) } } - gcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); if (fips_mode) - gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); - gcry_control (GCRYCTL_DISABLE_SECMEM); + xgcry_control (GCRYCTL_DISABLE_SECMEM); if (!gcry_check_version (GCRYPT_VERSION)) { fprintf (stderr, PGM ": version mismatch\n"); @@ -485,11 +456,11 @@ main (int argc, char **argv) if (genkey_mode) { /* No valuable keys are create, so we can speed up our RNG. */ - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); } if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (genkey_mode && argc == 2) diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c index 20f1b64..b52bff8 100644 --- a/tests/pkcs1v2.c +++ b/tests/pkcs1v2.c @@ -32,56 +32,10 @@ #endif -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define DIM(v) (sizeof(v)/sizeof((v)[0])) -#define DIMof(type,member) DIM(((type *)0)->member) - -static int verbose; -static int die_on_error; -static int error_count; +#define PGM "pkcs1v2" +#include "t-common.h" -static void -info (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; - if (die_on_error) - exit (1); -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - static void show_sexp (const char *prefix, gcry_sexp_t a) { @@ -639,7 +593,6 @@ int main (int argc, char **argv) { int last_argc = -1; - int debug = 0; int run_oaep = 0; int run_pss = 0; int run_v15c = 0; @@ -697,15 +650,15 @@ main (int argc, char **argv) if (!run_oaep && !run_pss && !run_v15c && !run_v15s) run_oaep = run_pss = run_v15c = run_v15s = 1; - gcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version ("1.5.0")) die ("version mismatch\n"); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); /* No valuable keys are create, so we can speed up our RNG. */ - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); if (run_oaep) check_oaep (); diff --git a/tests/prime.c b/tests/prime.c index 89800e8..5e90ce0 100644 --- a/tests/prime.c +++ b/tests/prime.c @@ -24,20 +24,8 @@ #include #include -#include "../src/gcrypt-int.h" - -static int verbose; - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} +#define PGM "prime" +#include "t-common.h" static void check_primes (void) @@ -227,7 +215,6 @@ create_42prime (void) int main (int argc, char **argv) { - int debug = 0; int mode42 = 0; if ((argc > 1) && (! strcmp (argv[1], "--verbose"))) @@ -237,13 +224,13 @@ main (int argc, char **argv) else if ((argc > 1) && (! strcmp (argv[1], "--42"))) verbose = debug = mode42 = 1; - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (! gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); if (mode42) create_42prime (); diff --git a/tests/pubkey.c b/tests/pubkey.c index 1271e43..fbb7bbb 100644 --- a/tests/pubkey.c +++ b/tests/pubkey.c @@ -26,18 +26,8 @@ #include -#include "../src/gcrypt-int.h" - -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define DIM(v) (sizeof(v)/sizeof((v)[0])) -#define DIMof(type,member) DIM(((type *)0)->member) +#define PGM "pubkey" +#include "t-common.h" /* Sample RSA keys, taken from basic.c. */ @@ -112,52 +102,6 @@ static const char sample_public_key_1[] = ")\n"; -static int verbose; -static int error_count; - - -/* If we have a decent libgpg-error we can use some gcc attributes. */ -#ifdef GPGRT_ATTR_NORETURN -static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2); -static void fail (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); -static void info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); -#endif /*GPGRT_ATTR_NORETURN*/ - - -static void -die (const char *format, ...) -{ - va_list arg_ptr ; - - va_start( arg_ptr, format ) ; - vfprintf (stderr, format, arg_ptr ); - va_end(arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - exit (1); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -info (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); -} - static void show_sexp (const char *prefix, gcry_sexp_t a) { @@ -1225,7 +1169,6 @@ check_ed25519ecdsa_sample_key (void) int main (int argc, char **argv) { - int debug = 0; int i; if (argc > 1 && !strcmp (argv[1], "--verbose")) @@ -1236,14 +1179,14 @@ main (int argc, char **argv) debug = 1; } - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); /* No valuable keys are create, so we can speed up our RNG. */ - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); for (i=0; i < 2; i++) check_run (); diff --git a/tests/random.c b/tests/random.c index 65e5670..2f48323 100644 --- a/tests/random.c +++ b/tests/random.c @@ -24,54 +24,38 @@ #include #include #include +#include #ifndef HAVE_W32_SYSTEM # include -# include # include #endif -#include "../src/gcrypt-int.h" +#include "stopwatch.h" -#define PGM "random" - -#ifndef DIM -# define DIM(v) (sizeof(v)/sizeof((v)[0])) -#endif +#define PGM "random" +#define NEED_EXTRA_TEST_SUPPORT 1 +#include "t-common.h" -static int verbose; -static int debug; static int with_progress; -/* If we have a decent libgpg-error we can use some gcc attributes. */ -#ifdef GPGRT_ATTR_NORETURN -static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2); -static void inf (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); -#endif /*GPGRT_ATTR_NORETURN*/ - -static void -die (const char *format, ...) +/* Prepend FNAME with the srcdir environment variable's value and + * return an allocated filename. */ +static char * +prepend_srcdir (const char *fname) { - va_list arg_ptr; + static const char *srcdir; + char *result; - va_start (arg_ptr, format); - fputs ( PGM ": ", stderr); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - - -static void -inf (const char *format, ...) -{ - va_list arg_ptr; + if (!srcdir && !(srcdir = getenv ("srcdir"))) + srcdir = "."; - va_start (arg_ptr, format); - fputs ( PGM ": ", stderr); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); + result = xmalloc (strlen (srcdir) + 1 + strlen (fname) + 1); + strcpy (result, srcdir); + strcat (result, "/"); + strcat (result, fname); + return result; } @@ -80,7 +64,7 @@ print_hex (const char *text, const void *buf, size_t n) { const unsigned char *p = buf; - inf ("%s", text); + info ("%s", text); for (; n; n--, p++) fprintf (stderr, "%02X", *p); putc ('\n', stderr); @@ -93,7 +77,7 @@ progress_cb (void *cb_data, const char *what, int printchar, { (void)cb_data; - inf ("progress (%s %c %d %d)\n", what, printchar, current, total); + info ("progress (%s %c %d %d)\n", what, printchar, current, total); fflush (stderr); } @@ -159,7 +143,7 @@ check_forking (void) { #ifdef HAVE_W32_SYSTEM if (verbose) - inf ("check_forking skipped: not applicable on Windows\n"); + info ("check_forking skipped: not applicable on Windows\n"); #else /*!HAVE_W32_SYSTEM*/ pid_t pid; int rp[2]; @@ -168,7 +152,7 @@ check_forking (void) char tmp1[16], tmp1c[16], tmp1p[16]; if (verbose) - inf ("checking that a fork won't cause the same random output\n"); + info ("checking that a fork won't cause the same random output\n"); /* We better make sure that the RNG has been initialzied. */ gcry_randomize (tmp1, sizeof tmp1, GCRY_STRONG_RANDOM); @@ -224,7 +208,7 @@ check_nonce_forking (void) { #ifdef HAVE_W32_SYSTEM if (verbose) - inf ("check_nonce_forking skipped: not applicable on Windows\n"); + info ("check_nonce_forking skipped: not applicable on Windows\n"); #else /*!HAVE_W32_SYSTEM*/ pid_t pid; int rp[2]; @@ -233,7 +217,7 @@ check_nonce_forking (void) char nonce1[10], nonce1c[10], nonce1p[10]; if (verbose) - inf ("checking that a fork won't cause the same nonce output\n"); + info ("checking that a fork won't cause the same nonce output\n"); /* We won't get the same nonce back if we never initialized the nonce subsystem, thus we get one nonce here and forget about @@ -290,14 +274,14 @@ check_close_random_device (void) { #ifdef HAVE_W32_SYSTEM if (verbose) - inf ("check_close_random_device skipped: not applicable on Windows\n"); + info ("check_close_random_device skipped: not applicable on Windows\n"); #else /*!HAVE_W32_SYSTEM*/ pid_t pid; int i, status; char buf[4]; if (verbose) - inf ("checking that close_random_device works\n"); + info ("checking that close_random_device works\n"); gcry_randomize (buf, sizeof buf, GCRY_STRONG_RANDOM); if (verbose) @@ -308,7 +292,7 @@ check_close_random_device (void) die ("fork failed: %s\n", strerror (errno)); if (!pid) { - gcry_control (GCRYCTL_CLOSE_RANDOM_DEVICE, 0); + xgcry_control (GCRYCTL_CLOSE_RANDOM_DEVICE, 0); /* The next call will re-open the device. */ gcry_randomize (buf, sizeof buf, GCRY_STRONG_RANDOM); @@ -349,11 +333,11 @@ check_rng_type_switching (void) char tmp1[4]; if (verbose) - inf ("checking whether RNG type switching works\n"); + info ("checking whether RNG type switching works\n"); rngtype = rng_type (); if (debug) - inf ("rng type: %d\n", rngtype); + info ("rng type: %d\n", rngtype); initial = rngtype; gcry_randomize (tmp1, sizeof tmp1, GCRY_STRONG_RANDOM); if (debug) @@ -361,11 +345,11 @@ check_rng_type_switching (void) if (rngtype != rng_type ()) die ("RNG type unexpectedly changed\n"); - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); rngtype = rng_type (); if (debug) - inf ("rng type: %d\n", rngtype); + info ("rng type: %d\n", rngtype); if (rngtype != initial) die ("switching to System RNG unexpectedly succeeded\n"); gcry_randomize (tmp1, sizeof tmp1, GCRY_STRONG_RANDOM); @@ -374,11 +358,11 @@ check_rng_type_switching (void) if (rngtype != rng_type ()) die ("RNG type unexpectedly changed\n"); - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); rngtype = rng_type (); if (debug) - inf ("rng type: %d\n", rngtype); + info ("rng type: %d\n", rngtype); if (rngtype != initial) die ("switching to FIPS RNG unexpectedly succeeded\n"); gcry_randomize (tmp1, sizeof tmp1, GCRY_STRONG_RANDOM); @@ -387,11 +371,11 @@ check_rng_type_switching (void) if (rngtype != rng_type ()) die ("RNG type unexpectedly changed\n"); - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); rngtype = rng_type (); if (debug) - inf ("rng type: %d\n", rngtype); + info ("rng type: %d\n", rngtype); if (rngtype != GCRY_RNG_TYPE_STANDARD) die ("switching to standard RNG failed\n"); gcry_randomize (tmp1, sizeof tmp1, GCRY_STRONG_RANDOM); @@ -408,34 +392,34 @@ check_early_rng_type_switching (void) int rngtype, initial; if (verbose) - inf ("checking whether RNG type switching works in the early stage\n"); + info ("checking whether RNG type switching works in the early stage\n"); rngtype = rng_type (); if (debug) - inf ("rng type: %d\n", rngtype); + info ("rng type: %d\n", rngtype); initial = rngtype; - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); rngtype = rng_type (); if (debug) - inf ("rng type: %d\n", rngtype); + info ("rng type: %d\n", rngtype); if (initial >= GCRY_RNG_TYPE_SYSTEM && rngtype != GCRY_RNG_TYPE_SYSTEM) die ("switching to System RNG failed\n"); - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); rngtype = rng_type (); if (debug) - inf ("rng type: %d\n", rngtype); + info ("rng type: %d\n", rngtype); if (initial >= GCRY_RNG_TYPE_FIPS && rngtype != GCRY_RNG_TYPE_FIPS) die ("switching to FIPS RNG failed\n"); - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); rngtype = rng_type (); if (debug) - inf ("rng type: %d\n", rngtype); + info ("rng type: %d\n", rngtype); if (rngtype != GCRY_RNG_TYPE_STANDARD) die ("switching to standard RNG failed\n"); } @@ -472,7 +456,7 @@ check_drbg_reinit (void) gcry_buffer_t pers[1]; if (verbose) - inf ("checking DRBG_REINIT\n"); + info ("checking DRBG_REINIT\n"); memset (pers, 0, sizeof pers); pers[0].data = pers_string; @@ -558,7 +542,7 @@ run_all_rng_tests (const char *program) for (idx=0; options[idx]; idx++) { if (verbose) - inf ("now running with options '%s'\n", options[idx]); + info ("now running with options '%s'\n", options[idx]); strcpy (cmdline, program); strcat (cmdline, " --in-recursion"); if (verbose) @@ -576,12 +560,43 @@ run_all_rng_tests (const char *program) free (cmdline); } + +static void +run_benchmark (void) +{ + char rndbuf[32]; + int i, j; + + if (verbose) + info ("benchmarking GCRY_STRONG_RANDOM (/dev/urandom)\n"); + + start_timer (); + gcry_randomize (rndbuf, sizeof rndbuf, GCRY_STRONG_RANDOM); + stop_timer (); + + info ("getting first 256 bits: %s", elapsed_time (1)); + + for (j=0; j < 5; j++) + { + start_timer (); + for (i=0; i < 100; i++) + gcry_randomize (rndbuf, sizeof rndbuf, GCRY_STRONG_RANDOM); + stop_timer (); + + info ("100 calls of 256 bits each: %s", elapsed_time (100)); + } + +} + + int main (int argc, char **argv) { int last_argc = -1; int early_rng = 0; int in_recursion = 0; + int benchmark = 0; + int with_seed_file = 0; const char *program = NULL; if (argc) @@ -625,34 +640,60 @@ main (int argc, char **argv) in_recursion = 1; argc--; argv++; } + else if (!strcmp (*argv, "--benchmark")) + { + benchmark = 1; + argc--; argv++; + } else if (!strcmp (*argv, "--early-rng-check")) { early_rng = 1; argc--; argv++; } + else if (!strcmp (*argv, "--with-seed-file")) + { + with_seed_file = 1; + argc--; argv++; + } else if (!strcmp (*argv, "--prefer-standard-rng")) { /* This is anyway the default, but we may want to use it for debugging. */ - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, + GCRY_RNG_TYPE_STANDARD); argc--; argv++; } else if (!strcmp (*argv, "--prefer-fips-rng")) { - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); argc--; argv++; } else if (!strcmp (*argv, "--prefer-system-rng")) { - gcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); + xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); argc--; argv++; } + else if (!strcmp (*argv, "--disable-hwf")) + { + argc--; + argv++; + if (argc) + { + if (gcry_control (GCRYCTL_DISABLE_HWF, *argv, NULL)) + die ("unknown hardware feature `%s'\n", *argv); + argc--; + argv++; + } + } } #ifndef HAVE_W32_SYSTEM signal (SIGPIPE, SIG_IGN); #endif + if (benchmark && !verbose) + verbose = 1; + if (early_rng) { /* Don't switch RNG in fips mode. */ @@ -660,18 +701,32 @@ main (int argc, char **argv) check_early_rng_type_switching (); } - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (with_progress) gcry_set_progress_handler (progress_cb, NULL); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + if (with_seed_file) + { + char *fname = prepend_srcdir ("random.seed"); + + if (access (fname, F_OK)) + info ("random seed file '%s' not found\n", fname); + gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, fname); + xfree (fname); + } + + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - if (!in_recursion) + if (benchmark) + { + run_benchmark (); + } + else if (!in_recursion) { check_forking (); check_nonce_forking (); @@ -679,15 +734,33 @@ main (int argc, char **argv) } /* For now we do not run the drgb_reinit check from "make check" due to its high requirement for entropy. */ - if (!getenv ("GCRYPT_IN_REGRESSION_TEST")) + if (!benchmark && !getenv ("GCRYPT_IN_REGRESSION_TEST")) check_drbg_reinit (); /* Don't switch RNG in fips mode. */ - if (!gcry_fips_mode_active()) + if (!benchmark && !gcry_fips_mode_active()) check_rng_type_switching (); - if (!in_recursion) + if (!in_recursion && !benchmark) run_all_rng_tests (program); + /* Print this info last so that it does not influence the + * initialization and thus the benchmarking. */ + if (!in_recursion && verbose) + { + char *buf; + char *fields[5]; + + buf = gcry_get_config (0, "rng-type"); + if (buf + && split_fields_colon (buf, fields, DIM (fields)) >= 5 + && atoi (fields[4]) > 0) + info ("The JENT RNG was active\n"); + gcry_free (buf); + } + + if (debug) + xgcry_control (GCRYCTL_DUMP_RANDOM_STATS); + return 0; } diff --git a/tests/rsacvt.c b/tests/rsacvt.c index 6fb5c76..3d83264 100644 --- a/tests/rsacvt.c +++ b/tests/rsacvt.c @@ -61,21 +61,8 @@ e7a7ca5367c661f8e6[...]71 #define PGM "rsacvt" +#include "t-common.h" -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define DIM(v) (sizeof(v)/sizeof((v)[0])) -#define DIMof(type,member) DIM(((type *)0)->member) - - -/* Verbose mode flag. */ -static int verbose; /* Prefix output with labels. */ static int with_labels; @@ -88,20 +75,6 @@ static int keep_lz; static int openpgp_mode; -/* Print a error message and exit the process with an error code. */ -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - fputs (PGM ": ", stderr); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - - static char * read_textline (FILE *fp) { @@ -388,11 +361,11 @@ main (int argc, char **argv) else input = stdin; - gcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); if (!gcry_check_version ("1.4.0")) die ("Libgcrypt is not sufficient enough\n"); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); do { diff --git a/tests/t-common.h b/tests/t-common.h index 68a7804..2040f09 100644 --- a/tests/t-common.h +++ b/tests/t-common.h @@ -21,8 +21,8 @@ #include "../src/gcrypt.h" -#ifndef PGMNAME -# error Macro PGMNAME not defined. +#ifndef PGM +# error Macro PGM not defined. #endif #ifndef _GCRYPT_CONFIG_H_INCLUDED # error config.h not included @@ -32,6 +32,11 @@ #ifndef DIM # define DIM(v) (sizeof(v)/sizeof((v)[0])) #endif +#define DIMof(type,member) DIM(((type *)0)->member) +#define xmalloc(a) gcry_xmalloc ((a)) +#define xcalloc(a,b) gcry_xcalloc ((a),(b)) +#define xstrdup(a) gcry_xstrdup ((a)) +#define xfree(a) gcry_free ((a)) #define my_isascii(c) (!((c) & 0x80)) #define digitp(p) (*(p) >= '0' && *(p) <= '9') #define hexdigitp(a) (digitp (a) \ @@ -48,15 +53,20 @@ /* Standard global variables. */ +static const char *wherestr; static int verbose; static int debug; -static int errorcount; +static int error_count; +static int die_on_error; /* If we have a decent libgpg-error we can use some gcc attributes. */ #ifdef GPGRT_ATTR_NORETURN -static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2); -static void fail (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); -static void info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); +static void die (const char *format, ...) + GPGRT_ATTR_UNUSED GPGRT_ATTR_NR_PRINTF(1,2); +static void fail (const char *format, ...) + GPGRT_ATTR_UNUSED GPGRT_ATTR_PRINTF(1,2); +static void info (const char *format, ...) \ + GPGRT_ATTR_UNUSED GPGRT_ATTR_PRINTF(1,2); #endif /*GPGRT_ATTR_NORETURN*/ @@ -66,11 +76,16 @@ die (const char *format, ...) { va_list arg_ptr ; + /* Avoid warning. */ + (void) debug; + fflush (stdout); #ifdef HAVE_FLOCKFILE flockfile (stderr); #endif - fprintf (stderr, "%s: ", PGMNAME); + fprintf (stderr, "%s: ", PGM); + if (wherestr) + fprintf (stderr, "%s: ", wherestr); va_start (arg_ptr, format) ; vfprintf (stderr, format, arg_ptr); va_end (arg_ptr); @@ -92,7 +107,9 @@ fail (const char *format, ...) #ifdef HAVE_FLOCKFILE flockfile (stderr); #endif - fprintf (stderr, "%s: ", PGMNAME); + fprintf (stderr, "%s: ", PGM); + if (wherestr) + fprintf (stderr, "%s: ", wherestr); va_start (arg_ptr, format); vfprintf (stderr, format, arg_ptr); va_end (arg_ptr); @@ -101,8 +118,10 @@ fail (const char *format, ...) #ifdef HAVE_FLOCKFILE funlockfile (stderr); #endif - errorcount++; - if (errorcount >= 50) + if (die_on_error) + exit (1); + error_count++; + if (error_count >= 50) die ("stopped after 50 errors."); } @@ -117,7 +136,9 @@ info (const char *format, ...) #ifdef HAVE_FLOCKFILE flockfile (stderr); #endif - fprintf (stderr, "%s: ", PGMNAME); + fprintf (stderr, "%s: ", PGM); + if (wherestr) + fprintf (stderr, "%s: ", wherestr); va_start (arg_ptr, format); vfprintf (stderr, format, arg_ptr); if (*format && format[strlen(format)-1] != '\n') @@ -127,3 +148,51 @@ info (const char *format, ...) funlockfile (stderr); #endif } + + +/* Convenience macro for initializing gcrypt with error checking. */ +#define xgcry_control(cmd...) \ + do { \ + gcry_error_t err__ = gcry_control (cmd); \ + if (err__) \ + die ("line %d: gcry_control (%s) failed: %s", \ + __LINE__, #cmd, gcry_strerror (err__)); \ + } while (0) + + +/* Split a string into colon delimited fields A pointer to each field + * is stored in ARRAY. Stop splitting at ARRAYSIZE fields. The + * function modifies STRING. The number of parsed fields is returned. + * Note that leading and trailing spaces are not removed from the fields. + * Example: + * + * char *fields[2]; + * if (split_fields (string, fields, DIM (fields)) < 2) + * return // Not enough args. + * foo (fields[0]); + * foo (fields[1]); + */ +#ifdef NEED_EXTRA_TEST_SUPPORT +static int +split_fields_colon (char *string, char **array, int arraysize) +{ + int n = 0; + char *p, *pend; + + p = string; + do + { + if (n == arraysize) + break; + array[n++] = p; + pend = strchr (p, ':'); + if (!pend) + break; + *pend++ = 0; + p = pend; + } + while (*p); + + return n; +} +#endif /*NEED_EXTRA_TEST_SUPPORT*/ diff --git a/tests/t-convert.c b/tests/t-convert.c index 072bf32..121039c 100644 --- a/tests/t-convert.c +++ b/tests/t-convert.c @@ -26,36 +26,9 @@ #include #include -#include "../src/gcrypt-int.h" - #define PGM "t-convert" +#include "t-common.h" -#define DIM(v) (sizeof(v)/sizeof((v)[0])) -#define DIMof(type,member) DIM(((type *)0)->member) - -static const char *wherestr; -static int verbose; -static int debug; -static int error_count; - - -#define xmalloc(a) gcry_xmalloc ((a)) -#define xcalloc(a,b) gcry_xcalloc ((a),(b)) -#define xfree(a) gcry_free ((a)) -#define pass() do { ; } while (0) - -static void -show (const char *format, ...) -{ - va_list arg_ptr; - - if (!verbose) - return; - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); -} static void showhex (const char *prefix, const void *buffer, size_t buflen) @@ -112,37 +85,6 @@ showmpi (const char *prefix, gcry_mpi_t a) } -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - if (wherestr) - fprintf (stderr, "%s: ", wherestr); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - if (wherestr) - fprintf (stderr, "%s: ", wherestr); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - - /* Check that mpi_print does not return a negative zero. */ static void negative_zero (void) @@ -163,7 +105,7 @@ negative_zero (void) int i; if (debug) - show ("negative zero printing\n"); + info ("negative zero printing\n"); a = gcry_mpi_new (0); for (i=0; fmts[i].name; i++) @@ -351,7 +293,7 @@ check_formats (void) for (idx=0; idx < DIM(data); idx++) { if (debug) - show ("print test %d\n", data[idx].value); + info ("print test %d\n", data[idx].value); if (data[idx].value < 0) { @@ -371,8 +313,8 @@ check_formats (void) { fail ("error printing value %d as %s: %s\n", data[idx].value, "HEX", "wrong result"); - show ("expected: '%s'\n", data[idx].a.hex); - show (" got: '%s'\n", buf); + info ("expected: '%s'\n", data[idx].a.hex); + info (" got: '%s'\n", buf); } gcry_free (buf); } @@ -457,7 +399,7 @@ check_formats (void) for (idx=0; idx < DIM(data); idx++) { if (debug) - show ("scan test %d\n", data[idx].value); + info ("scan test %d\n", data[idx].value); if (data[idx].value < 0) { @@ -492,8 +434,9 @@ check_formats (void) { if (gcry_mpi_cmp (a, b) || data[idx].a.stdlen != buflen) { - fail ("error scanning value %d from %s: %s (%u)\n", - data[idx].value, "STD", "wrong result", buflen); + fail ("error scanning value %d from %s: %s (%lu)\n", + data[idx].value, "STD", "wrong result", + (long unsigned int)buflen); showmpi ("expected:", a); showmpi (" got:", b); } @@ -509,8 +452,9 @@ check_formats (void) { if (gcry_mpi_cmp (a, b) || data[idx].a.sshlen != buflen) { - fail ("error scanning value %d from %s: %s (%u)\n", - data[idx].value, "SSH", "wrong result", buflen); + fail ("error scanning value %d from %s: %s (%lu)\n", + data[idx].value, "SSH", "wrong result", + (long unsigned int)buflen); showmpi ("expected:", a); showmpi (" got:", b); } @@ -528,8 +472,9 @@ check_formats (void) gcry_mpi_neg (b, b); if (gcry_mpi_cmp (a, b) || data[idx].a.usglen != buflen) { - fail ("error scanning value %d from %s: %s (%u)\n", - data[idx].value, "USG", "wrong result", buflen); + fail ("error scanning value %d from %s: %s (%lu)\n", + data[idx].value, "USG", "wrong result", + (long unsigned int)buflen); showmpi ("expected:", a); showmpi (" got:", b); } @@ -549,8 +494,9 @@ check_formats (void) { if (gcry_mpi_cmp (a, b) || data[idx].a.pgplen != buflen) { - fail ("error scanning value %d from %s: %s (%u)\n", - data[idx].value, "PGP", "wrong result", buflen); + fail ("error scanning value %d from %s: %s (%lu)\n", + data[idx].value, "PGP", "wrong result", + (long unsigned int)buflen); showmpi ("expected:", a); showmpi (" got:", b); } @@ -574,15 +520,15 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); negative_zero (); check_formats (); - show ("All tests completed. Errors: %d\n", error_count); + info ("All tests completed. Errors: %d\n", error_count); return error_count ? 1 : 0; } diff --git a/tests/t-cv25519.c b/tests/t-cv25519.c index 098c66a..8c4a53e 100644 --- a/tests/t-cv25519.c +++ b/tests/t-cv25519.c @@ -27,30 +27,12 @@ #include #include -#include "../src/gcrypt-int.h" - #include "stopwatch.h" #define PGM "t-cv25519" +#include "t-common.h" #define N_TESTS 18 -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define xmalloc(a) gcry_xmalloc ((a)) -#define xcalloc(a,b) gcry_xcalloc ((a),(b)) -#define xstrdup(a) gcry_xstrdup ((a)) -#define xfree(a) gcry_free ((a)) -#define pass() do { ; } while (0) - -static int verbose; -static int debug; -static int error_count; static void print_mpi (const char *text, gcry_mpi_t a) @@ -70,55 +52,6 @@ print_mpi (const char *text, gcry_mpi_t a) } } -static void -die (const char *format, ...) -{ - va_list arg_ptr ; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - va_start( arg_ptr, format ) ; - vfprintf (stderr, format, arg_ptr ); - va_end(arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - exit (1); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - /* if (wherestr) */ - /* fprintf (stderr, "%s: ", wherestr); */ - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - error_count++; - if (error_count >= 50) - die ("stopped after 50 errors."); -} - -static void -show (const char *format, ...) -{ - va_list arg_ptr; - - if (!verbose) - return; - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - va_end (arg_ptr); -} - static void show_note (const char *format, ...) @@ -201,7 +134,7 @@ test_cv (int testno, const char *k_str, const char *u_str, size_t res_len; if (verbose > 1) - show ("Running test %d\n", testno); + info ("Running test %d\n", testno); if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 32) { @@ -271,7 +204,7 @@ test_cv (int testno, const char *k_str, const char *u_str, r0 = r = xmalloc (2*(res_len)+1); if (!r0) { - fail ("memory allocation", testno); + fail ("memory allocation for test %d", testno); goto leave; } @@ -281,8 +214,8 @@ test_cv (int testno, const char *k_str, const char *u_str, { fail ("gcry_pk_encrypt failed for test %d: %s", testno, "wrong value returned"); - show (" expected: '%s'", result_str); - show (" got: '%s'", r0); + info (" expected: '%s'", result_str); + info (" got: '%s'", r0); } xfree (r0); } @@ -320,7 +253,7 @@ test_it (int testno, const char *k_str, int iter, const char *result_str) gcry_mpi_t mpi_kk = NULL; if (verbose > 1) - show ("Running test %d: iteration=%d\n", testno, iter); + info ("Running test %d: iteration=%d\n", testno, iter); gcry_mpi_ec_new (&ctx, NULL, "Curve25519"); Q = gcry_mpi_point_new (0); @@ -379,7 +312,7 @@ test_it (int testno, const char *k_str, int iter, const char *result_str) r0 = r = xmalloc (65); if (!r0) { - fail ("memory allocation", testno); + fail ("memory allocation for test %d", testno); goto leave; } @@ -390,8 +323,8 @@ test_it (int testno, const char *k_str, int iter, const char *result_str) { fail ("curv25519 failed for test %d: %s", testno, "wrong value returned"); - show (" expected: '%s'", result_str); - show (" got: '%s'", r0); + info (" expected: '%s'", result_str); + info (" got: '%s'", r0); } xfree (r0); } @@ -438,7 +371,7 @@ check_cv25519 (void) { int ntests; - show ("Checking Curve25519.\n"); + info ("Checking Curve25519.\n"); ntests = 0; @@ -620,19 +553,19 @@ main (int argc, char **argv) die ("unknown option '%s'", *argv); } - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); start_timer (); check_cv25519 (); stop_timer (); - show ("All tests completed in %s. Errors: %d\n", + info ("All tests completed in %s. Errors: %d\n", elapsed_time (1), error_count); return !!error_count; } diff --git a/tests/t-ed25519.c b/tests/t-ed25519.c index d63c145..73628a8 100644 --- a/tests/t-ed25519.c +++ b/tests/t-ed25519.c @@ -27,83 +27,16 @@ #include #include -#include "../src/gcrypt-int.h" - #include "stopwatch.h" #define PGM "t-ed25519" +#include "t-common.h" #define N_TESTS 1026 -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define xmalloc(a) gcry_xmalloc ((a)) -#define xcalloc(a,b) gcry_xcalloc ((a),(b)) -#define xstrdup(a) gcry_xstrdup ((a)) -#define xfree(a) gcry_free ((a)) -#define pass() do { ; } while (0) - -static int verbose; -static int debug; -static int error_count; static int sign_with_pk; static int no_verify; static int custom_data_file; -static void -die (const char *format, ...) -{ - va_list arg_ptr ; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - va_start( arg_ptr, format ) ; - vfprintf (stderr, format, arg_ptr ); - va_end(arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - exit (1); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - /* if (wherestr) */ - /* fprintf (stderr, "%s: ", wherestr); */ - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - error_count++; - if (error_count >= 50) - die ("stopped after 50 errors."); -} - -static void -show (const char *format, ...) -{ - va_list arg_ptr; - - if (!verbose) - return; - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - if (*format && format[strlen(format)-1] != '\n') - putc ('\n', stderr); - va_end (arg_ptr); -} - static void show_note (const char *format, ...) @@ -141,7 +74,7 @@ show_sexp (const char *prefix, gcry_sexp_t a) /* Prepend FNAME with the srcdir environment variable's value and - retrun an allocated filename. */ + * return an allocated filename. */ char * prepend_srcdir (const char *fname) { @@ -185,7 +118,7 @@ read_textline (FILE *fp, int *lineno) } while (!*line || *line == '#'); /* if (debug) */ - /* show ("read line: '%s'\n", line); */ + /* info ("read line: '%s'\n", line); */ return xstrdup (line); } @@ -269,7 +202,7 @@ one_test (int testno, const char *sk, const char *pk, size_t sig_r_len, sig_s_len; if (verbose > 1) - show ("Running test %d\n", testno); + info ("Running test %d\n", testno); if (!(buffer = hex2buffer (sk, &buflen))) { @@ -384,8 +317,8 @@ one_test (int testno, const char *sk, const char *pk, { fail ("gcry_pk_sign failed for test %d: %s", testno, "wrong value returned"); - show (" expected: '%s'", sig); - show (" got: '%s'", sig_rs_string); + info (" expected: '%s'", sig); + info (" got: '%s'", sig_rs_string); } } @@ -417,7 +350,7 @@ check_ed25519 (const char *fname) int testno; char *sk, *pk, *msg, *sig; - show ("Checking Ed25519.\n"); + info ("Checking Ed25519.\n"); fp = fopen (fname, "r"); if (!fp) @@ -540,13 +473,13 @@ main (int argc, char **argv) else custom_data_file = 1; - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); /* Ed25519 isn't supported in fips mode */ if (gcry_fips_mode_active()) @@ -558,7 +491,7 @@ main (int argc, char **argv) xfree (fname); - show ("All tests completed in %s. Errors: %d\n", + info ("All tests completed in %s. Errors: %d\n", elapsed_time (1), error_count); return !!error_count; } diff --git a/tests/t-kdf.c b/tests/t-kdf.c index 4299141..e011ef4 100644 --- a/tests/t-kdf.c +++ b/tests/t-kdf.c @@ -27,40 +27,9 @@ #include #include -#include "../src/gcrypt-int.h" #include "stopwatch.h" - - -#ifndef DIM -# define DIM(v) (sizeof(v)/sizeof((v)[0])) -#endif - -/* Program option flags. */ -static int verbose; -static int debug; -static int error_count; - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} +#define PGM "t-kdf" +#include "t-common.h" static void @@ -1296,19 +1265,19 @@ main (int argc, char **argv) if (s2kcount) { if (argc != 1) - die ("usage: t-kdf --s2k S2KCOUNT\n", stderr ); + die ("usage: t-kdf --s2k S2KCOUNT\n"); s2kcount = strtoul (*argv, NULL, 10); if (!s2kcount) - die ("t-kdf: S2KCOUNT must be positive\n", stderr ); + die ("t-kdf: S2KCOUNT must be positive\n"); } if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); if (s2kcount) bench_s2k (s2kcount); diff --git a/tests/t-lock.c b/tests/t-lock.c index 2c1997d..7e5732e 100644 --- a/tests/t-lock.c +++ b/tests/t-lock.c @@ -31,7 +31,7 @@ # include #endif -#define PGMNAME "t-lock" +#define PGM "t-lock" #include "t-common.h" #include "../src/gcrypt-testapi.h" @@ -213,7 +213,7 @@ check_nonce_lock (void) } -/* Initialze all accounts. */ +/* Initialize all accounts. */ static void init_accounts (void) { @@ -429,15 +429,15 @@ main (int argc, char **argv) srand (time(NULL)*getpid()); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch"); /* We are using non-public interfaces - check the exact version. */ if (strcmp (gcry_check_version (NULL), GCRYPT_VERSION)) die ("exact version match failed"); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); check_nonce_lock (); @@ -454,5 +454,5 @@ main (int argc, char **argv) if (verbose) print_accounts (); - return errorcount ? 1 : 0; + return error_count ? 1 : 0; } diff --git a/tests/t-mpi-bit.c b/tests/t-mpi-bit.c index 3d7b793..91116ca 100644 --- a/tests/t-mpi-bit.c +++ b/tests/t-mpi-bit.c @@ -28,61 +28,9 @@ #include #include -#include "../src/gcrypt-int.h" - #define PGM "t-mpi-bit" +#include "t-common.h" -static const char *wherestr; -static int verbose; -static int error_count; - -#define xmalloc(a) gcry_xmalloc ((a)) -#define xcalloc(a,b) gcry_xcalloc ((a),(b)) -#define xfree(a) gcry_free ((a)) -#define pass() do { ; } while (0) - -static void -show (const char *format, ...) -{ - va_list arg_ptr; - - if (!verbose) - return; - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - if (wherestr) - fprintf (stderr, "%s: ", wherestr); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - if (wherestr) - fprintf (stderr, "%s: ", wherestr); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} /* Allocate a bit string consisting of '0' and '1' from the MPI A. Return the LENGTH least significant bits. Caller needs to xfree @@ -171,7 +119,7 @@ one_bit_only (int highbit) int i; wherestr = "one_bit_only"; - show ("checking that set_%sbit does only set one bit\n", highbit?"high":""); + info ("checking that set_%sbit does only set one bit\n", highbit?"high":""); a = gcry_mpi_new (0); gcry_mpi_randomize (a, 70, GCRY_WEAK_RANDOM); @@ -207,7 +155,7 @@ test_rshift (int pass) int i; wherestr = "test_rshift"; - show ("checking that rshift works as expected (pass %d)\n", pass); + info ("checking that rshift works as expected (pass %d)\n", pass); a = gcry_mpi_new (0); b = gcry_mpi_new (0); @@ -222,8 +170,8 @@ test_rshift (int pass) rshiftbitstring (result2, i); if (strcmp (result, result2)) { - show ("got =%s\n", result); - show ("want=%s\n", result2); + info ("got =%s\n", result); + info ("want=%s\n", result2); fail ("rshift by %d failed\n", i); } xfree (result); @@ -244,8 +192,8 @@ test_rshift (int pass) rshiftbitstring (result2, i); if (strcmp (result, result2)) { - show ("got =%s\n", result); - show ("want=%s\n", result2); + info ("got =%s\n", result); + info ("want=%s\n", result2); fail ("in-place rshift by %d failed\n", i); } xfree (result2); @@ -267,7 +215,7 @@ test_lshift (int pass) int i; wherestr = "test_lshift"; - show ("checking that lshift works as expected (pass %d)\n", pass); + info ("checking that lshift works as expected (pass %d)\n", pass); for (size_idx=0; size_list[size_idx]; size_idx++) { @@ -289,8 +237,8 @@ test_lshift (int pass) xfree (tmpstr); if (strcmp (result, result2)) { - show ("got =%s\n", result); - show ("want=%s\n", result2); + info ("got =%s\n", result); + info ("want=%s\n", result2); fail ("lshift by %d failed\n", i); } xfree (result); @@ -313,8 +261,8 @@ test_lshift (int pass) xfree (tmpstr); if (strcmp (result, result2)) { - show ("got =%s\n", result); - show ("want=%s\n", result2); + info ("got =%s\n", result); + info ("want=%s\n", result2); fail ("in-place lshift by %d failed\n", i); } xfree (result2); @@ -338,7 +286,7 @@ set_bit_with_resize (void) int i; wherestr = "set_bit_with_resize"; - show ("checking that set_bit initializes all limbs\n"); + info ("checking that set_bit initializes all limbs\n"); a = gcry_mpi_new (1536); gcry_mpi_set_bit (a, 1536); @@ -358,7 +306,7 @@ set_bit_with_resize (void) gcry_mpi_release (a); wherestr = "set_highbit_with_resize"; - show ("checking that set_highbit initializes all limbs\n"); + info ("checking that set_highbit initializes all limbs\n"); a = gcry_mpi_new (1536); gcry_mpi_set_highbit (a, 1536); @@ -382,7 +330,6 @@ set_bit_with_resize (void) int main (int argc, char **argv) { - int debug = 0; int i; if (argc > 1 && !strcmp (argv[1], "--verbose")) @@ -393,12 +340,12 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); one_bit_only (0); one_bit_only (1); @@ -410,6 +357,6 @@ main (int argc, char **argv) set_bit_with_resize (); - show ("All tests completed. Errors: %d\n", error_count); + info ("All tests completed. Errors: %d\n", error_count); return error_count ? 1 : 0; } diff --git a/tests/t-mpi-point.c b/tests/t-mpi-point.c index 84da7cc..1eaa08a 100644 --- a/tests/t-mpi-point.c +++ b/tests/t-mpi-point.c @@ -26,29 +26,8 @@ #include #include -#include "../src/gcrypt-int.h" - #define PGM "t-mpi-point" - -static const char *wherestr; -static int verbose; -static int debug; -static int error_count; - - -#define my_isascii(c) (!((c) & 0x80)) -#define digitp(p) (*(p) >= '0' && *(p) <= '9') -#define hexdigitp(a) (digitp (a) \ - || (*(a) >= 'A' && *(a) <= 'F') \ - || (*(a) >= 'a' && *(a) <= 'f')) -#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ - *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) -#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) -#define xmalloc(a) gcry_xmalloc ((a)) -#define xcalloc(a,b) gcry_xcalloc ((a),(b)) -#define xfree(a) gcry_free ((a)) -#define pass() do { ; } while (0) - +#include "t-common.h" static struct { @@ -166,50 +145,6 @@ static const char sample_ed25519_d[] = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"; -static void -show (const char *format, ...) -{ - va_list arg_ptr; - - if (!verbose) - return; - fprintf (stderr, "%s: ", PGM); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); -} - -static void -fail (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - if (wherestr) - fprintf (stderr, "%s: ", wherestr); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - error_count++; -} - -static void -die (const char *format, ...) -{ - va_list arg_ptr; - - fflush (stdout); - fprintf (stderr, "%s: ", PGM); - if (wherestr) - fprintf (stderr, "%s: ", wherestr); - va_start (arg_ptr, format); - vfprintf (stderr, format, arg_ptr); - va_end (arg_ptr); - exit (1); -} - - static void print_mpi_2 (const char *text, const char *text2, gcry_mpi_t a) { @@ -321,7 +256,7 @@ hex2mpiopa (const char *string) die ("hex2mpiopa '%s' failed: parser error\n", string); val = gcry_mpi_set_opaque (NULL, buffer, buflen*8); if (!buffer) - die ("hex2mpiopa '%s' failed: set_opaque error%s\n", string); + die ("hex2mpiopa '%s' failed: set_opaque error\n", string); return val; } @@ -371,11 +306,11 @@ ec_p_new (gcry_ctx_t *r_ctx, gcry_mpi_t p, gcry_mpi_t a) static void set_get_point (void) { - gcry_mpi_point_t point; + gcry_mpi_point_t point, point2; gcry_mpi_t x, y, z; wherestr = "set_get_point"; - show ("checking point setting functions\n"); + info ("checking point setting functions\n"); point = gcry_mpi_point_new (0); x = gcry_mpi_set_ui (NULL, 17); @@ -415,7 +350,22 @@ set_get_point (void) || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) fail ("point_snatch_set/point_get failed\n"); + point2 = gcry_mpi_point_copy (point); + + gcry_mpi_point_get (x, y, z, point2); + if (gcry_mpi_cmp_ui (x, 17) + || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) + fail ("point_copy failed (1)\n"); + gcry_mpi_point_release (point); + + gcry_mpi_point_get (x, y, z, point2); + if (gcry_mpi_cmp_ui (x, 17) + || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) + fail ("point_copy failed (2)\n"); + + gcry_mpi_point_release (point2); + gcry_mpi_release (x); gcry_mpi_release (y); gcry_mpi_release (z); @@ -430,7 +380,7 @@ context_alloc (void) gcry_mpi_t p, a; wherestr = "context_alloc"; - show ("checking context functions\n"); + info ("checking context functions\n"); p = gcry_mpi_set_ui (NULL, 1); a = gcry_mpi_set_ui (NULL, 1); @@ -537,7 +487,7 @@ context_param (void) wherestr = "context_param"; - show ("checking standard curves\n"); + info ("checking standard curves\n"); for (idx=0; test_curve[idx].desc; idx++) { /* P-192 and Ed25519 are not supported in fips mode */ @@ -546,7 +496,7 @@ context_param (void) if (!strcmp(test_curve[idx].desc, "NIST P-192") || !strcmp(test_curve[idx].desc, "Ed25519")) { - show("skipping %s in fips mode\n", test_curve[idx].desc ); + info ("skipping %s in fips mode\n", test_curve[idx].desc ); continue; } } @@ -579,7 +529,7 @@ context_param (void) } - show ("checking sample public key (nistp256)\n"); + info ("checking sample public key (nistp256)\n"); q = hex2mpi (sample_p256_q); err = gcry_sexp_build (&keyparam, NULL, "(public-key(ecc(curve %s)(q %m)))", @@ -650,7 +600,7 @@ context_param (void) if (gcry_fips_mode_active()) goto cleanup; - show ("checking sample public key (Ed25519)\n"); + info ("checking sample public key (Ed25519)\n"); q = hex2mpi (sample_ed25519_q); gcry_sexp_release (keyparam); err = gcry_sexp_build (&keyparam, NULL, @@ -772,7 +722,7 @@ basic_ec_math (void) gcry_mpi_t x, y, z; wherestr = "basic_ec_math"; - show ("checking basic math functions for EC\n"); + info ("checking basic math functions for EC\n"); P = hex2mpi ("0xfffffffffffffffffffffffffffffffeffffffffffffffff"); A = hex2mpi ("0xfffffffffffffffffffffffffffffffefffffffffffffffc"); @@ -852,7 +802,7 @@ basic_ec_math_simplified (void) gcry_sexp_t sexp; wherestr = "basic_ec_math_simplified"; - show ("checking basic math functions for EC (variant)\n"); + info ("checking basic math functions for EC (variant)\n"); d = hex2mpi ("D4EF27E32F8AD8E2A1C6DDEBB1D235A69E3CEF9BCE90273D"); Q = gcry_mpi_point_new (0); @@ -969,7 +919,7 @@ twistededwards_math (void) gcry_mpi_t w, a, x, y, z, p, n, b, I; wherestr = "twistededwards_math"; - show ("checking basic Twisted Edwards math\n"); + info ("checking basic Twisted Edwards math\n"); err = gcry_mpi_ec_new (&ctx, NULL, "Ed25519"); if (err) @@ -1003,7 +953,7 @@ twistededwards_math (void) /* Check: p % 4 == 1 */ gcry_mpi_mod (w, p, GCRYMPI_CONST_FOUR); if (gcry_mpi_cmp_ui (w, 1)) - fail ("failed assertion: p % 4 == 1\n"); + fail ("failed assertion: p %% 4 == 1\n"); /* Check: 2^{n-1} mod n == 1 */ gcry_mpi_sub_ui (a, n, 1); @@ -1107,11 +1057,11 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); set_get_point (); context_alloc (); @@ -1126,6 +1076,6 @@ main (int argc, char **argv) twistededwards_math (); } - show ("All tests completed. Errors: %d\n", error_count); + info ("All tests completed. Errors: %d\n", error_count); return error_count ? 1 : 0; } diff --git a/tests/t-secmem.c b/tests/t-secmem.c new file mode 100644 index 0000000..8f4cce1 --- /dev/null +++ b/tests/t-secmem.c @@ -0,0 +1,181 @@ +/* t-secmem.c - Test the secmem memory allocator + * Copyright (C) 2016 g10 Code GmbH + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +#ifdef HAVE_CONFIG_H +# include +#endif +#include +#include +#include +#include +#include + +#define PGM "t-secmem" + +#include "t-common.h" +#include "../src/gcrypt-testapi.h" + + +static void +test_secmem (void) +{ + void *a[28]; + void *b; + int i; + + memset (a, 0, sizeof a); + + /* Allocating 28*512=14k should work in the default 16k pool even + * with extrem alignment requirements. */ + for (i=0; i < DIM(a); i++) + a[i] = gcry_xmalloc_secure (512); + + /* Allocating another 2k should fail for the default 16k pool. */ + b = gcry_malloc_secure (2048); + if (b) + fail ("allocation did not fail as expected\n"); + + for (i=0; i < DIM(a); i++) + xfree (a[i]); + xfree (b); +} + + +static void +test_secmem_overflow (void) +{ + void *a[150]; + int i; + + memset (a, 0, sizeof a); + + /* Allocating 150*512=75k should require more than one overflow buffer. */ + for (i=0; i < DIM(a); i++) + { + a[i] = gcry_xmalloc_secure (512); + if (verbose && !(i %40)) + xgcry_control (GCRYCTL_DUMP_SECMEM_STATS, 0 , 0); + } + + if (debug) + xgcry_control (PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0); + if (verbose) + xgcry_control (GCRYCTL_DUMP_SECMEM_STATS, 0 , 0); + for (i=0; i < DIM(a); i++) + xfree (a[i]); +} + + +/* This function is called when we ran out of core and there is no way + * to return that error to the caller (xmalloc or mpi allocation). */ +static int +outofcore_handler (void *opaque, size_t req_n, unsigned int flags) +{ + static int been_here; /* Used to protect against recursive calls. */ + + (void)opaque; + + /* Protect against a second call. */ + if (been_here) + return 0; /* Let libgcrypt call its own fatal error handler. */ + been_here = 1; + + info ("outofcore handler invoked"); + xgcry_control (PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0); + fail ("out of core%s while allocating %lu bytes", + (flags & 1)?" in secure memory":"", (unsigned long)req_n); + + die ("stopped"); + /*NOTREACHED*/ + return 0; +} + + +int +main (int argc, char **argv) +{ + int last_argc = -1; + + if (argc) + { argc--; argv++; } + + while (argc && last_argc != argc ) + { + last_argc = argc; + if (!strcmp (*argv, "--")) + { + argc--; argv++; + break; + } + else if (!strcmp (*argv, "--help")) + { + fputs ("usage: " PGM " [options]\n" + "Options:\n" + " --verbose print timings etc.\n" + " --debug flyswatter\n" + , stdout); + exit (0); + } + else if (!strcmp (*argv, "--verbose")) + { + verbose++; + argc--; argv++; + } + else if (!strcmp (*argv, "--debug")) + { + verbose += 2; + debug++; + argc--; argv++; + } + else if (!strncmp (*argv, "--", 2)) + die ("unknown option '%s'", *argv); + } + + if (!gcry_check_version (GCRYPT_VERSION)) + die ("version mismatch; pgm=%s, library=%s\n", + GCRYPT_VERSION, gcry_check_version (NULL)); + if (debug) + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); + gcry_set_outofcore_handler (outofcore_handler, NULL); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + + /* Libgcrypt prints a warning when the first overflow is allocated; + * we do not want to see that. */ + if (!verbose) + xgcry_control (GCRYCTL_DISABLE_SECMEM_WARN, 0); + + + test_secmem (); + test_secmem_overflow (); + /* FIXME: We need to improve the tests, for example by registering + * our own log handler and comparing the output of + * PRIV_CTL_DUMP_SECMEM_STATS to expected pattern. */ + + if (verbose) + { + xgcry_control (PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0); + xgcry_control (GCRYCTL_DUMP_SECMEM_STATS, 0 , 0); + } + + info ("All tests completed. Errors: %d\n", error_count); + xgcry_control (GCRYCTL_TERM_SECMEM, 0 , 0); + return !!error_count; +} diff --git a/tests/t-sexp.c b/tests/t-sexp.c index edb37a2..2b33520 100644 --- a/tests/t-sexp.c +++ b/tests/t-sexp.c @@ -28,7 +28,7 @@ #include #include "../src/gcrypt-int.h" -#define PGMNAME "t-sexp" +#define PGM "t-sexp" #include "t-common.h" @@ -1146,7 +1146,7 @@ main (int argc, char **argv) else if (!strcmp (*argv, "--help")) { puts ( -"usage: " PGMNAME " [options]\n" +"usage: " PGM " [options]\n" "\n" "Options:\n" " --verbose Show what is going on\n" @@ -1169,17 +1169,17 @@ main (int argc, char **argv) } if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - gcry_control (GCRYCTL_DISABLE_SECMEM_WARN); - gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); + xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control (GCRYCTL_DISABLE_SECMEM_WARN); + xgcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch"); /* #include "../src/gcrypt-int.h" indicates that internal interfaces may be used; thus better do an exact version check. */ if (strcmp (gcry_check_version (NULL), GCRYPT_VERSION)) die ("exact version match failed"); - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); basic (); canon_len (); @@ -1188,5 +1188,5 @@ main (int argc, char **argv) check_extract_param (); bug_1594 (); - return errorcount? 1:0; + return error_count? 1:0; } diff --git a/tests/testapi.c b/tests/testapi.c index 0dc9092..38b18b9 100644 --- a/tests/testapi.c +++ b/tests/testapi.c @@ -86,7 +86,7 @@ test_genkey ( int argc, char **argv ) (void)argc; (void)argv; - gcry_control( GCRYCTL_INIT_SECMEM, 16384, 0 ); + xgcry_control( GCRYCTL_INIT_SECMEM, 16384, 0 ); rc = gcry_sexp_build ( &s_parms, NULL, "(genkey(dsa(nbits %d)))", nbits ); rc = gcry_pk_genkey( &s_key, s_parms ); if ( rc ) { diff --git a/tests/version.c b/tests/version.c index 1332c7c..7e68cd6 100644 --- a/tests/version.c +++ b/tests/version.c @@ -32,19 +32,122 @@ #include #include #include +#include #include "../src/gcrypt-int.h" #define PGM "version" +#include "t-common.h" + +static void +test_get_config (void) +{ + char *string; + const char *s; + int i; + + string = gcry_get_config (0, NULL); + if (!string) + fail ("gcry_get_config does not return anything: %s\n", + gpg_strerror (gpg_error_from_syserror ())); + else if ( !strchr (string, '\n') ) + fail ("gcry_get_config(0, NULL) did not return multiple lines\n"); + + xfree (string); + string = gcry_get_config (0, "version"); + if (!string) + fail ("gcry_get_config(\"version\") returned NULL: %s\n", + gpg_strerror (gpg_error_from_syserror ())); + else if ( strchr (string, '\n') ) + fail ("gcry_get_config(\"version\") returned more than one line\n"); + else if ( strncmp (string, "version:", 8) ) + fail ("gcry_get_config(\"version\") returned wrong line\n"); + + /* Test an item which is not the first. */ + xfree (string); + string = gcry_get_config (0, "cpu-arch"); + if (!string) + fail ("gcry_get_config(\"cpu-arch\") returned NULL: %s\n", + gpg_strerror (gpg_error_from_syserror ())); + else if ( strchr (string, '\n') ) + fail ("gcry_get_config(\"cpu-arch\") returned more than one line\n"); + else if ( strncmp (string, "cpu-arch:", 9) ) + fail ("gcry_get_config(\"cpu-arch\") returned wrong line\n"); + + /* Test that an unknown item return sthe correct error. */ + xfree (string); + string = gcry_get_config (0, "no-such-item"); + if (string) + fail ("gcry_get_config(\"no-such-item\") returned something\n"); + else if (errno) + fail ("gcry_get_config(\"no-such-item\") returned wrong error: %s\n", + gpg_strerror (gpg_error_from_syserror ())); + + /* Check the rng-type. */ + xfree (string); + string = gcry_get_config (0, "rng-type"); + if (!string) + fail ("gcry_get_config(\"rng-type\") not returned\n"); + else + { + for (i=0, s = string; *s; s++) + if (*s == ':') + i++; + if (i < 5) + fail ("gcry_get_config(\"rng-type\") has not enough fields\n"); + } + + + xfree (string); +} int main (int argc, char **argv) { - (void)argc; - (void)argv; + int last_argc = -1; + + if (argc) + { argc--; argv++; } - gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + while (argc && last_argc != argc ) + { + last_argc = argc; + if (!strcmp (*argv, "--")) + { + argc--; argv++; + break; + } + else if (!strcmp (*argv, "--verbose")) + { + verbose++; + argc--; argv++; + } + else if (!strcmp (*argv, "--debug")) + { + /* Dummy option */ + argc--; argv++; + } + else if (!strcmp (*argv, "--disable-hwf")) + { + argc--; + argv++; + if (argc) + { + if (gcry_control (GCRYCTL_DISABLE_HWF, *argv, NULL)) + fprintf (stderr, + PGM + ": unknown hardware feature '%s' - option ignored\n", + *argv); + argc--; + argv++; + } + } + } + + xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + + xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL))) { int oops = !gcry_check_version (GCRYPT_VERSION); @@ -54,7 +157,10 @@ main (int argc, char **argv) exit (1); } - gcry_control (GCRYCTL_PRINT_CONFIG, NULL); + xgcry_control (GCRYCTL_PRINT_CONFIG, NULL); + + test_get_config (); + return 0; }