From cvs at cvs.gnupg.org Tue Nov 1 06:38:50 2016 From: cvs at cvs.gnupg.org (by NIIBE Yutaka) Date: Tue, 01 Nov 2016 06:38:50 +0100 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.7.3-11-gbf6d5b1 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via bf6d5b10cb4173826f47ac080506b68bb001acb2 (commit) from bfd732f53a9b5dfe14217a68a0fa289bf6913ec0 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit bf6d5b10cb4173826f47ac080506b68bb001acb2 Author: NIIBE Yutaka Date: Tue Nov 1 14:34:16 2016 +0900 cipher: Fix IDEA cipher for clearing memory. * cipher/idea.c (invert_key): Use wipememory, since this kind of memset may be removed by compiler optimization. -- Reported-by: Zhaomo Yang and Brian Johannesmeyer Signed-off-by: NIIBE Yutaka diff --git a/cipher/idea.c b/cipher/idea.c index 14234cf..ffe821d 100644 --- a/cipher/idea.c +++ b/cipher/idea.c @@ -152,7 +152,7 @@ invert_key( u16 *ek, u16 dk[IDEA_KEYLEN] ) *--p = t2; *--p = t1; memcpy(dk, temp, sizeof(temp) ); - memset(temp, 0, sizeof(temp) ); /* burn temp */ + wipememory(temp, sizeof(temp)); } ----------------------------------------------------------------------- Summary of changes: cipher/idea.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org _______________________________________________ Gnupg-commits mailing list Gnupg-commits at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-commits From jussi.kivilinna at iki.fi Tue Nov 1 09:51:22 2016 
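Review bot: the wipememory in invert_key covers temp but not the scalar temporaries that the context lines show feeding it (`*--p = t2;` and `*--p = t1;`); those hold inverted subkey words too and are left to the compiler, so if the intent is that no copy of the decryption schedule survives on the stack after the memcpy into dk, they should be cleared as well, or the commit message should say they are deliberately left alone. It would also help future readers to name the actual problem in the message: a memset on a buffer that is never read again is a dead store the optimizer may delete, which is why the original `/* burn temp */` line may have done nothing.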
From: jussi.kivilinna at iki.fi (Jussi Kivilinna)
Date: Tue, 1 Nov 2016 10:51:22 +0200
Subject: Certificate for https://git.gnupg.org has expired?
Message-ID: <7b6713ee-045d-ad9b-f5f2-93fa4ee7a49b@iki.fi>

Hello,

I could not access gitweb for gcrypt since the certificate for https://git.gnupg.org has expired.

-Jussi

From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Nov 2016 08:39:48 +0100
Subject: Certificate for https://git.gnupg.org has expired?
In-Reply-To: <7b6713ee-045d-ad9b-f5f2-93fa4ee7a49b@iki.fi> (Jussi Kivilinna's message of "Tue, 1 Nov 2016 10:51:22 +0200")
References: <7b6713ee-045d-ad9b-f5f2-93fa4ee7a49b@iki.fi>
Message-ID: <87wpgm5nzv.fsf@wheatstone.g10code.de>

On Tue, 1 Nov 2016 09:51, jussi.kivilinna at iki.fi said:

> I could not access gitweb for gcrypt since certificate for https://git.gnupg.org has expired.

I fixed it. Sorry for the trouble.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
From: scott at paragonie.com (Scott Arciszewski) Date: Thu, 3 Nov 2016 13:39:40 -0400 Subject: Patch: Stop using /dev/random Message-ID: I'd like to propose this patch (or something similar) be applied to libgcrypt. What libgcrypt does currently: - Reads from /dev/random which blocks on Linux. What the patch does instead: - Polls /dev/random until it's available, then - Reads from /dev/urandom (the non-blocking interface) instead. Because the Linux kernel (which has the offending /dev/random interface) will make sure /dev/urandom is seeded first, we can rely on the availability of /dev/random signaling that /dev/urandom has been seeded. This means we don't have to worry about racing against the init process and generating insecure random numbers. This gives us usability and performance (no more waiting for "entropy" to gather) without sacrificing security. Most of the code in this patch was lifted from libsodium, which already does this. Libsodium is ISC Licensed (by Frank Denis). Thank you for your time, Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises The patch follows: diff --git a/random/rndlinux.c b/random/rndlinux.c index 2b563bf..59e7fc9 100644 --- a/random/rndlinux.c +++ b/random/rndlinux.c @@ -36,6 +36,7 @@ # include #endif +#include #include "types.h" #include "g10lib.h" #include "rand-internal.h" @@ -66,6 +67,7 @@ static int open_device (const char *name, int retry) { int fd; + _gcry_block_on_dev_random(); if (retry) _gcry_random_progress ("open_dev_random", 'X', 1, 0); 
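Review bot: _gcry_block_on_dev_random() is called here in open_device, but its static definition is only added further down the file (the @@ -102 hunk) and there is no forward declaration, so this will not compile as C99 (implicit declaration of a later static function); add a prototype above open_device. Its -1 return is also discarded, so a failed poll still falls through to opening the device exactly as if the seeding check had passed; propagate it, e.g. `if (_gcry_block_on_dev_random ()) return -1;`, and have the caller report it through the existing _gcry_random_progress hook rather than silently continuing.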
@@ -102,6 +104,32 @@ open_device (const char *name, int retry) return fd; } +/* Block until /dev/random is available. This means that /dev/urandom + has already been seeded. */ +static int +_gcry_block_on_dev_random(void) +{ + struct pollfd pfd; + int fd; + int pret; + + fd = open("/dev/random", O_RDONLY); + if (fd == -1) { + return 0; + } + pfd.fd = fd; + pfd.events = POLLIN; + pfd.revents = 0; + do { + pret = poll(&pfd, 1, -1); + } while (pret < 0 && (errno == EINTR || errno == EAGAIN)); + if (pret != 1) { + (void) close(fd); + errno = EIO; + return -1; + } + return close(fd); +} /* Note that the caller needs to make sure that this function is only called by one thread at a time. The function returns 0 on success @@ -114,7 +142,6 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, size_t length, int level ) { static int fd_urandom = -1; - static int fd_random = -1; static unsigned char ever_opened; int fd; int n; @@ -128,11 +155,6 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, if (!add) { /* Special mode to close the descriptors. */ - if (fd_random != -1) - { - close (fd_random); - fd_random = -1; - } if (fd_urandom != -1) { close (fd_urandom); @@ -165,24 +187,12 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, that we always require the device to be existent but want a more graceful behaviour if the rarely needed close operation has been used and the device needs to be re-opened later. */ - if (level >= 2) - { - if (fd_random == -1) - { - fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1)); - ever_opened |= 1; - } - fd = fd_random; - } - else - { if (fd_urandom == -1) { fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2)); ever_opened |= 2; } fd = fd_urandom; - } /* Enter the read loop. */ delay = 0; /* Start with 0 seconds so that we do no block on the From crypto at brainhub.org Thu Nov 3 21:33:47 2016 
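Review bot: in _gcry_block_on_dev_random the open failure path `if (fd == -1) { return 0; }` reports success, so a system without /dev/random (or a sandbox that denies it) skips the seeding check and reads /dev/urandom unconditionally; this should return -1 and fail closed, which is also the position taken later in the thread. poll(2) never sets EAGAIN, so the `errno == EAGAIN` retry is dead code, and with a -1 timeout a /dev/urandom hog at boot (Stephan's remark below) keeps this blocked forever with no diagnostic; at minimum the retry loop should check `pfd.revents & POLLIN` rather than only `pret != 1`, since POLLERR or POLLNVAL also return 1.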
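Review bot: removing the `level >= 2` branch leaves `ever_opened & 1` and the comment immediately above this hunk (which still talks about re-opening both devices) stale; clean those up with the fd_random removal. More importantly, after this hunk a level-2 (strongest quality) request is served from /dev/urandom like every other request, which is a visible behaviour change for callers; the commit message should state that explicitly rather than only describing the polling trick.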
From: crypto at brainhub.org (Andrey Jivsov) Date: Thu, 03 Nov 2016 13:33:47 -0700 Subject: Patch: Stop using /dev/random In-Reply-To: References: Message-ID: <581B9F2B.8030202@brainhub.org> Can you please provide references to the statement that Linux makes sure that its pool is seeded before the first read from /dev/urandom? Thank you. On 11/03/2016 10:39 AM, Scott Arciszewski wrote: > I'd like to propose this patch (or something similar) be applied to libgcrypt. > > What libgcrypt does currently: > > - Reads from /dev/random which blocks on Linux. > > What the patch does instead: > > - Polls /dev/random until it's available, then > - Reads from /dev/urandom (the non-blocking interface) instead. > > Because the Linux kernel (which has the offending /dev/random > interface) will make sure /dev/urandom is seeded first, we can rely on > the availability of /dev/random signaling that /dev/urandom has been > seeded. This means we don't have to worry about racing against the > init process and generating insecure random numbers. > > This gives us usability and performance (no more waiting for "entropy" > to gather) without sacrificing security. > > Most of the code in this patch was lifted from libsodium, which > already does this. Libsodium is ISC Licensed (by Frank Denis). > > Thank you for your time, > > Scott Arciszewski > Chief Development Officer > Paragon Initiative Enterprises > > The patch follows: > > diff --git a/random/rndlinux.c b/random/rndlinux.c > index 2b563bf..59e7fc9 100644 > --- a/random/rndlinux.c > +++ b/random/rndlinux.c > @@ -36,6 +36,7 @@ > # include > #endif > > +#include > #include "types.h" > #include "g10lib.h" > #include "rand-internal.h" > @@ -66,6 +67,7 @@ static int > open_device (const char *name, int retry) > { > int fd; > + _gcry_block_on_dev_random(); > > if (retry) > _gcry_random_progress ("open_dev_random", 'X', 1, 0); 
> @@ -102,6 +104,32 @@ open_device (const char *name, int retry) > return fd; > } > > +/* Block until /dev/random is available. This means that /dev/urandom > + has already been seeded. */ > +static int > +_gcry_block_on_dev_random(void) > +{ > + struct pollfd pfd; > + int fd; > + int pret; > + > + fd = open("/dev/random", O_RDONLY); > + if (fd == -1) { > + return 0; > + } > + pfd.fd = fd; > + pfd.events = POLLIN; > + pfd.revents = 0; > + do { > + pret = poll(&pfd, 1, -1); > + } while (pret < 0 && (errno == EINTR || errno == EAGAIN)); > + if (pret != 1) { > + (void) close(fd); > + errno = EIO; > + return -1; > + } > + return close(fd); > +} > > /* Note that the caller needs to make sure that this function is only > called by one thread at a time. The function returns 0 on success > @@ -114,7 +142,6 @@ _gcry_rndlinux_gather_random (void (*add)(const > void*, size_t, > size_t length, int level ) > { > static int fd_urandom = -1; > - static int fd_random = -1; > static unsigned char ever_opened; > int fd; > int n; > @@ -128,11 +155,6 @@ _gcry_rndlinux_gather_random (void (*add)(const > void*, size_t, > if (!add) > { > /* Special mode to close the descriptors. */ > - if (fd_random != -1) > - { > - close (fd_random); > - fd_random = -1; > - } > if (fd_urandom != -1) > { > close (fd_urandom); 
> @@ -165,24 +187,12 @@ _gcry_rndlinux_gather_random (void (*add)(const > void*, size_t, > that we always require the device to be existent but want a more > graceful behaviour if the rarely needed close operation has been > used and the device needs to be re-opened later. */ > - if (level >= 2) > - { > - if (fd_random == -1) > - { > - fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1)); > - ever_opened |= 1; > - } > - fd = fd_random; > - } > - else > - { > if (fd_urandom == -1) > { > fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2)); > ever_opened |= 2; > } > fd = fd_urandom; > - } > > /* Enter the read loop. */ > delay = 0; /* Start with 0 seconds so that we do no block on the > > _______________________________________________ > Gcrypt-devel mailing list > Gcrypt-devel at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gcrypt-devel > From smueller at chronox.de Thu Nov 3 22:47:41 2016 From: smueller at chronox.de (Stephan Mueller) Date: Thu, 03 Nov 2016 22:47:41 +0100 Subject: Patch: Stop using /dev/random In-Reply-To: <581B9F2B.8030202@brainhub.org> References: <581B9F2B.8030202@brainhub.org> Message-ID: <2982552.1RimR5rhF3@myon.chronox.de> Am Donnerstag, 3. November 2016, 13:33:47 CET schrieb Andrey Jivsov: Hi Andrey, > Can you please provide references to the statement that Linux makes sure > that its pool is seeded before the first read from /dev/urandom? Thank you. This statement is not correct. Only getrandom(2) guarantees that. -- Ciao Stephan From fweimer at redhat.com Mon Nov 7 15:39:23 2016 
From: fweimer at redhat.com (Florian Weimer)
Date: Mon, 7 Nov 2016 15:39:23 +0100
Subject: Fault attacks on RSA in libgcrypt
In-Reply-To: <1471887762.11550.159.camel@gnunet.org>
References: <1471887762.11550.159.camel@gnunet.org>
Message-ID: <5922d300-71bf-5ccb-8ea2-6ab3e57dc6d7@redhat.com>

On 08/22/2016 07:42 PM, Jeff Burdges wrote:
>
> Dear gcrypt-devel,
>
> I implemented the protection against fault attacks recommended in
> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
> https://eprint.iacr.org/2014/252
> It worries me that a targeted fault attack could subvert the conditional
> currently used to protect against fault attacks.

Their fault model seems to assume a Harvard architecture, where it is conceivable that powerful attacks targeting data are available, but no such attacks exist for code. Most current systems have a unified memory subsystem which provides pages for both code and data, so this assumption does not seem very realistic. This means that their security proof does not apply to current systems.

Thanks,
Florian
From: andre at amorim.me (Andre Amorim)
Date: Mon, 7 Nov 2016 16:17:20 +0000
Subject: Fault attacks on RSA in libgcrypt
In-Reply-To: <5922d300-71bf-5ccb-8ea2-6ab3e57dc6d7@redhat.com>
References: <1471887762.11550.159.camel@gnunet.org> <5922d300-71bf-5ccb-8ea2-6ab3e57dc6d7@redhat.com>
Message-ID:

Thanks Jeff

On 7 November 2016 at 14:39, Florian Weimer wrote:
> On 08/22/2016 07:42 PM, Jeff Burdges wrote:
>
>> Dear gcrypt-devel,
>>
>> I implemented the protection against fault attacks recommended in
>> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
>> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
>> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
>> https://eprint.iacr.org/2014/252
>> It worries that a targeted fault attack could subvert the conditional
>> currently used to protect against fault attacks.
>
> Their fault model seems to assume a Harvard architecture, where it is
> conceivable that powerful attacks targeting data are available, but no such
> attacks exist for code. Most current systems have a unified memory
> subsystem which provides pages for both code and data, so this assumption
> does not seem very realistic. This means that their security proof does
> not apply to current systems.
>
> Thanks,
> Florian
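To make concrete what "the conditional currently used to protect against fault attacks" buys, here is an added example written for this page; it is not libgcrypt's RSA code and not the Barthe et al. countermeasure. It is a toy RSA-CRT signer in which the mod-p half can be corrupted to simulate a glitch, the verify-before-release check that catches the bad signature, and the classic step an attacker performs if an unchecked faulty signature leaks: gcd(s_bad^e - m, n) gives a prime factor. The primes, exponent and message are constructed for illustration (a 40-bit modulus, so it runs instantly). It models a fault in data only; Florian's point above is that a fault aimed at the code, skipping the branch around the check itself, is exactly what this pattern cannot defend against.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* GCC/Clang extension: 64x64 -> 128-bit product */

struct rsa_key {
    uint64_t n, e, p, q, dp, dq, qinv;
};

/* (a * b) mod m without overflow for 64-bit operands */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((u128)a * b) % m);
}

/* square-and-multiply; constant time is not a concern for this toy */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1)
            r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) {
        uint64_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* a^-1 mod m by extended Euclid; assumes gcd(a, m) == 1 and m < 2^62 */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Constructed toy key (assumption for the example): two 7-digit primes,
 * e = 65537, with CRT exponents and q^-1 mod p precomputed as real code does. */
struct rsa_key make_key(void)
{
    struct rsa_key k;
    uint64_t phi, d;
    k.p = 1000003; k.q = 1000033; k.e = 65537;
    k.n = k.p * k.q;
    phi = (k.p - 1) * (k.q - 1);
    d = invmod(k.e, phi);
    k.dp = d % (k.p - 1);
    k.dq = d % (k.q - 1);
    k.qinv = invmod(k.q, k.p);
    return k;
}

/* RSA-CRT signing with Garner recombination.  fault_mask is XORed into the
 * mod-p half to simulate a glitch in that exponentiation; 0 means no fault. */
uint64_t sign_crt(const struct rsa_key *k, uint64_t m, uint64_t fault_mask)
{
    uint64_t sp = (powmod(m, k->dp, k->p) ^ fault_mask) % k->p;
    uint64_t sq = powmod(m, k->dq, k->q);
    uint64_t h = mulmod(k->qinv, (sp + k->p - sq % k->p) % k->p, k->p);
    return sq + h * k->q;             /* < n because h <= p - 1 */
}

/* The conditional under discussion: check the signature before releasing it. */
int verify(const struct rsa_key *k, uint64_t m, uint64_t s)
{
    return powmod(s, k->e, k->n) == m;
}

/* Attacker's step with a faulty signature that escaped the check: s_bad^e - m
 * is 0 mod q (the intact half) but not mod p, so gcd with n yields a factor.
 * No correct signature of m is needed. */
uint64_t factor_from_fault(const struct rsa_key *k, uint64_t m, uint64_t s_bad)
{
    uint64_t v = powmod(s_bad, k->e, k->n);
    return gcd64((v + k->n - m) % k->n, k->n);
}

/* End-to-end scenario: returns 1 when the good signature verifies, the faulty
 * one is rejected, and the faulty one alone reveals q. */
int fault_demo(void)
{
    struct rsa_key k = make_key();
    uint64_t m = 123456789;                 /* constructed message representative */
    uint64_t s_good = sign_crt(&k, m, 0);
    uint64_t s_bad = sign_crt(&k, m, 0x40); /* one flipped bit in s mod p */
    return verify(&k, m, s_good) && !verify(&k, m, s_bad)
        && factor_from_fault(&k, m, s_bad) == k.q;
}

int main(void)
{
    struct rsa_key k = make_key();
    uint64_t m = 123456789, s_bad = sign_crt(&k, m, 0x40);
    printf("faulty signature verifies: %d\n", verify(&k, m, s_bad));
    printf("factor recovered from it:  %llu (q = %llu)\n",
           (unsigned long long)factor_from_fault(&k, m, s_bad),
           (unsigned long long)k.q);
    return fault_demo() ? 0 : 1;
}
```

The recombination step is where a single wrong CRT half turns into a signature that is correct modulo one prime and wrong modulo the other, which is all the gcd needs; that is why the check has to run on the final signature and not on the halves.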
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 09 Nov 2016 23:37:48 -0600
Subject: Certificate for https://git.gnupg.org has expired?
In-Reply-To: <87wpgm5nzv.fsf@wheatstone.g10code.de>
References: <7b6713ee-045d-ad9b-f5f2-93fa4ee7a49b@iki.fi> <87wpgm5nzv.fsf@wheatstone.g10code.de>
Message-ID: <874m3fdheb.fsf@alice.fifthhorseman.net>

On Wed 2016-11-02 01:39:48 -0600, Werner Koch wrote:
> On Tue, 1 Nov 2016 09:51, jussi.kivilinna at iki.fi said:
>
>> I could not access gitweb for gcrypt since certificate for https://git.gnupg.org has expired.
>
> I fixed it. Sorry, for the trouble.

https://git.gnupg.org/ says i should be able to do:

    git clone https://git.gnupg.org/foo.git

(for some values of foo, presumably)

But if i try, i get a series of failures:

0 dkg at alice:/tmp/cdtemp.LJcWid$ git clone https://git.gnupg.org/gnupg.git
Cloning into 'gnupg'...
fatal: unable to access 'https://git.gnupg.org/gnupg.git/': GnuTLS recv error (-110): The TLS connection was non-properly terminated.
128 dkg at alice:/tmp/cdtemp.LJcWid$ git clone https://git.gnupg.org/gpg.git
Cloning into 'gpg'...
fatal: unable to access 'https://git.gnupg.org/gpg.git/': GnuTLS recv error (-110): The TLS connection was non-properly terminated.
128 dkg at alice:/tmp/cdtemp.LJcWid$ git clone https://git.gnupg.org/libgpg-error.git
Cloning into 'libgpg-error'...
fatal: unable to access 'https://git.gnupg.org/libgpg-error.git/': GnuTLS recv error (-110): The TLS connection was non-properly terminated.
128 dkg at alice:/tmp/cdtemp.LJcWid$ git clone https://git.gnupg.org/gpg-error.git
Cloning into 'gpg-error'...
fatal: unable to access 'https://git.gnupg.org/gpg-error.git/': GnuTLS recv error (-110): The TLS connection was non-properly terminated.
128 dkg at alice:/tmp/cdtemp.LJcWid$

Am i trying the wrong URLs?
I'd prefer to use the https:// URLs over the git:// URLs -- for message integrity, for (some minor) confidentiality, and also for easier bypass of silly restrictive firewalls on some unpleasant networks i occasionally have to attach to.

Any suggestions?

        --dkg

From: wk at gnupg.org (Werner Koch)
Date: Fri, 11 Nov 2016 12:20:05 +0100
Subject: Certificate for https://git.gnupg.org has expired?
In-Reply-To: <874m3fdheb.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Wed, 09 Nov 2016 23:37:48 -0600")
References: <7b6713ee-045d-ad9b-f5f2-93fa4ee7a49b@iki.fi> <87wpgm5nzv.fsf@wheatstone.g10code.de> <874m3fdheb.fsf@alice.fifthhorseman.net>
Message-ID: <87bmxmclga.fsf@wheatstone.g10code.de>

On Thu, 10 Nov 2016 06:37, dkg at fifthhorseman.net said:

> https://git.gnupg.org/ says i should be able to do:
>
>     git clone https://git.gnupg.org/foo.git

The http backend is not even installed - so it never worked :-(
Until I have installed this you get a better error message, though.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 11 Nov 2016 21:53:56 +0900
Subject: Certificate for https://git.gnupg.org has expired?
In-Reply-To: <87bmxmclga.fsf@wheatstone.g10code.de>
References: <7b6713ee-045d-ad9b-f5f2-93fa4ee7a49b@iki.fi> <87wpgm5nzv.fsf@wheatstone.g10code.de> <874m3fdheb.fsf@alice.fifthhorseman.net> <87bmxmclga.fsf@wheatstone.g10code.de>
Message-ID: <87k2cafa8r.fsf@alice.fifthhorseman.net>

On Fri 2016-11-11 20:20:05 +0900, Werner Koch wrote:
> On Thu, 10 Nov 2016 06:37, dkg at fifthhorseman.net said:
>
>> https://git.gnupg.org/ says i should be able to do:
>>
>>     git clone https://git.gnupg.org/foo.git
>
> The http backend is not even installed - so it never worked :-(
> Until I have installed this you get a better error message, though.

Ah, ok. Please let the list know when you do enable the http backend.

Thanks for your work maintaining these systems!

        --dkg
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Sat, 12 Nov 2016 11:38:00 +0100 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.7.3-12-gb829dfe Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via b829dfe9f0eeff08c956ba3f3a6b559b9d2199dd (commit) from bf6d5b10cb4173826f47ac080506b68bb001acb2 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit b829dfe9f0eeff08c956ba3f3a6b559b9d2199dd Author: Werner Koch Date: Sat Nov 12 11:34:49 2016 +0100 Put blocking calls into Libgpg-error's system call clamp. * src/gcrypt.h.in (GCRYCTL_REINIT_SYSCALL_CLAMP): New. * configure.ac: Require Libgpg-error 1.25. Set version number to 1.8.0. * src/gcrypt-int.h: Remove error code emulation. * src/global.c (pre_syscall_func, post_syscall_func): New. (global_init): Call gpgrt_get_syscall_clamp. (_gcry_vcontrol) : Ditto. (_gcry_pre_syscall, _gcry_post_syscall): New. * random/rndlinux.c (_gcry_rndlinux_gather_random): Use the new functions. Signed-off-by: Werner Koch diff --git a/NEWS b/NEWS index cdf1ef4..0aaf863 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,24 @@ -Noteworthy changes in version 1.7.4 (unreleased) [C21/A1/R_] +Noteworthy changes in version 1.8.0 (unreleased) [C21/A1/R_] ------------------------------------------------ + * New interfaces: + + - GCRYCTL_REINIT_SYSCALL_CLAMP allows to init nPth after Libgcrypt. + + * Internal changes: + + - Libgpg-error 1.25 is now required. This avoids stalling of nPth + threads due to contention on internal Libgcrypt locks (e.g. the + random pool lock). + + - The system call clamp of libgpg-error is now used to wrap the + blocking read of /dev/random. This allows other nPth threads to + run while Libgcrypt is gathering entropy. + + + * Interface changes relative to the 1.6.0 release: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + GCRYCTL_REINIT_SYSCALL_CLAMP NEW macro. Noteworthy changes in version 1.7.3 (2016-08-17) [C21/A1/R3] ------------------------------------------------ diff --git a/configure.ac b/configure.ac index 7bbf4bd..17ff407 100644 --- a/configure.ac +++ b/configure.ac @@ -29,8 +29,8 @@ min_automake_version="1.14" # commit and push so that the git magic is able to work. See below # for the LT versions. m4_define(mym4_version_major, [1]) -m4_define(mym4_version_minor, [7]) -m4_define(mym4_version_micro, [4]) +m4_define(mym4_version_minor, [8]) +m4_define(mym4_version_micro, [0]) # Below is m4 magic to extract and compute the revision number, the # decimalized short revision number, a beta version string, and a flag @@ -67,7 +67,7 @@ LIBGCRYPT_CONFIG_API_VERSION=1 # If you change the required gpg-error version, please remove # unnecessary error code defines in src/gcrypt-int.h. -NEED_GPG_ERROR_VERSION=1.13 +NEED_GPG_ERROR_VERSION=1.25 PACKAGE=$PACKAGE_NAME VERSION=$PACKAGE_VERSION diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index c2c39ad..933d22d 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi 
@@ -905,6 +905,21 @@ detection code might be run if the feature has been disabled. This command must be used at initialization time; i.e. before calling @code{gcry_check_version}. + at item GCRYCTL_REINIT_SYSCALL_CLAMP; Arguments: none + +Libgcrypt wraps blocking system calls with two functions calls +(``system call clamp'') to give user land threading libraries a hook +for re-scheduling. This works by reading the system call clamp from +Libgpg-error at initialization time. However sometimes Libgcrypt +needs to be initialized before the user land threading systems and at +that point the system call clamp has not been registered with +Libgpg-error and in turn Libgcrypt would not use them. The control +code can be used to tell Libgcrypt that a system call clamp has now +been registered with Libgpg-error and advised it to read the clamp +again. Obviously this control code may only be used before a second +thread is started in a process. + + @end table @end deftypefun diff --git a/random/rndlinux.c b/random/rndlinux.c index 2b563bf..562149a 100644 --- a/random/rndlinux.c +++ b/random/rndlinux.c @@ -220,7 +220,10 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, FD_SET(fd, &rfds); tv.tv_sec = delay; tv.tv_usec = delay? 0 : 100000; - if ( !(rc=select(fd+1, &rfds, NULL, NULL, &tv)) ) + _gcry_pre_syscall (); + rc = select (fd+1, &rfds, NULL, NULL, &tv); + _gcry_post_syscall (); + if (!rc) { any_need_entropy = 1; delay = 3; /* Use 3 seconds henceforth. */ @@ -256,8 +259,10 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t, nbytes = length < sizeof(buffer)? length : sizeof(buffer); if (nbytes > 256) nbytes = 256; + _gcry_pre_syscall (); ret = syscall (__NR_getrandom, (void*)buffer, (size_t)nbytes, (unsigned int)0); + _gcry_post_syscall (); } while (ret == -1 && errno == EINTR); if (ret == -1 && errno == ENOSYS) diff --git a/src/g10lib.h b/src/g10lib.h index 444c868..d4e3fef 100644 --- a/src/g10lib.h +++ b/src/g10lib.h 
@@ -93,7 +93,9 @@ /*-- src/global.c -*/ int _gcry_global_is_operational (void); gcry_err_code_t _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr); -void _gcry_check_heap (const void *a); +void _gcry_check_heap (const void *a); +void _gcry_pre_syscall (void); +void _gcry_post_syscall (void); int _gcry_get_debug_flag (unsigned int mask); /* Malloc functions and common wrapper macros. */ diff --git a/src/gcrypt-int.h b/src/gcrypt-int.h index d367307..729f54a 100644 --- a/src/gcrypt-int.h +++ b/src/gcrypt-int.h @@ -28,19 +28,8 @@ #include "types.h" /* These error codes are used but not defined in the required - libgpg-error 1.11. Define them here. */ -#if GPG_ERROR_VERSION_NUMBER < 0x010c00 /* 1.12 */ -# define GPG_ERR_NO_CRYPT_CTX 191 -# define GPG_ERR_WRONG_CRYPT_CTX 192 -# define GPG_ERR_BAD_CRYPT_CTX 193 -# define GPG_ERR_CRYPT_CTX_CONFLICT 194 -# define GPG_ERR_BROKEN_PUBKEY 195 -# define GPG_ERR_BROKEN_SECKEY 196 -#endif + * libgpg-error N.MM. Define them here. [None right now.] */ -#if GPG_ERROR_VERSION_NUMBER < 0x010d00 /* 1.13 */ -# define GPG_ERR_MAC_ALGO 197 -#endif /* Context used with elliptic curve functions. */ diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index 02b8772..f896a78 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in @@ -331,7 +331,8 @@ enum gcry_ctl_cmds GCRYCTL_SET_SBOX = 73, GCRYCTL_DRBG_REINIT = 74, GCRYCTL_SET_TAGLEN = 75, - GCRYCTL_GET_TAGLEN = 76 + GCRYCTL_GET_TAGLEN = 76, + GCRYCTL_REINIT_SYSCALL_CLAMP = 77 }; /* Perform various operations defined by CMD. */ diff --git a/src/global.c b/src/global.c index 8669a46..8e54efe 100644 --- a/src/global.c +++ b/src/global.c 
@@ -56,6 +56,15 @@ static int force_fips_mode; /* Controlled by global_init(). */ static int any_init_done; +/* + * Functions called before and after blocking syscalls. + * Initialized by global_init and used via + * _gcry_pre_syscall and _gcry_post_syscall. + */ +static void (*pre_syscall_func)(void); +static void (*post_syscall_func)(void); + + /* Memory management. */ static gcry_handler_alloc_t alloc_func; @@ -89,6 +98,10 @@ global_init (void) /* Tell the random module that we have seen an init call. */ _gcry_set_preferred_rng_type (0); + /* Get the system call clamp functions. */ + if (!pre_syscall_func) + gpgrt_get_syscall_clamp (&pre_syscall_func, &post_syscall_func); + /* See whether the system is in FIPS mode. This needs to come as early as possible but after ATH has been initialized. */ _gcry_initialize_fips_mode (force_fips_mode); @@ -673,6 +686,11 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr) } break; + case GCRYCTL_REINIT_SYSCALL_CLAMP: + if (!pre_syscall_func) + gpgrt_get_syscall_clamp (&pre_syscall_func, &post_syscall_func); + break; + default: _gcry_set_preferred_rng_type (0); rc = GPG_ERR_INV_OP; 
@@ -1059,6 +1077,24 @@ _gcry_xstrdup (const char *string) } +/* Used before blocking system calls. */ +void +_gcry_pre_syscall (void) +{ + if (pre_syscall_func) + pre_syscall_func (); +} + + +/* Used after blocking system calls. */ +void +_gcry_post_syscall (void) +{ + if (post_syscall_func) + post_syscall_func (); +} + + int _gcry_get_debug_flag (unsigned int mask) { ----------------------------------------------------------------------- Summary of changes: NEWS | 20 +++++++++++++++++++- configure.ac | 6 +++--- doc/gcrypt.texi | 15 +++++++++++++++ random/rndlinux.c | 7 ++++++- src/g10lib.h | 4 +++- src/gcrypt-int.h | 13 +------------ src/gcrypt.h.in | 3 ++- src/global.c | 36 ++++++++++++++++++++++++++++++++++++ 8 files changed, 85 insertions(+), 19 deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org _______________________________________________ Gnupg-commits mailing list Gnupg-commits at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-commits From scott at paragonie.com Wed Nov 16 17:45:52 2016 
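Review bot: the NEWS hunk says the clamp now wraps "the blocking read of /dev/random", but the only rndlinux.c changes are around select() and the getrandom syscall, and the diffstat (`random/rndlinux.c | 7 ++++++-`) accounts for exactly those six inserted lines and one removed line; the read() from the device inside the loop is not touched. Either the read() also needs `_gcry_pre_syscall ()` / `_gcry_post_syscall ()` around it, or NEWS should say that select() and getrandom() are wrapped rather than the read.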
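Review bot: in _gcry_vcontrol the GCRYCTL_REINIT_SYSCALL_CLAMP case uses the same `if (!pre_syscall_func)` guard as global_init, so the control code is a no-op once any clamp has been fetched; that matches the gcrypt.texi text (it exists for the case where no clamp was registered yet), but the name says "reinit", so either drop the guard or document that it is one-shot. Also, pre_syscall_func and post_syscall_func are plain statics written here and read unlocked in _gcry_pre_syscall; that is only safe because the doc restricts the call to before a second thread starts, and a comment at the definition saying so would save the next reader a trip to the manual.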
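Review bot: two wording errors in the new gcrypt.texi paragraph: "two functions calls" should read "two function calls", and "advised it to read the clamp again" should read "advise it". The paragraph would also be clearer if it stated the ordering requirement directly: the application must issue GCRYCTL_REINIT_SYSCALL_CLAMP after the threading library has registered its clamp with Libgpg-error, since that is the only order in which the call has any effect.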
From: scott at paragonie.com (Scott Arciszewski)
Date: Wed, 16 Nov 2016 11:45:52 -0500
Subject: Patch: Stop using /dev/random
In-Reply-To:
References:
Message-ID:

> Hi Andrey,
>
> > Can you please provide references to the statement that Linux makes sure
> > that its pool is seeded before the first read from /dev/urandom? Thank you.
>
> This statement is not correct.
>
> Only getrandom(2) guarantees that.
>
> --
> Ciao
> Stephan

Hi, I didn't receive the responses to my email so I'm just now following up.

> This statement is not correct.
>
> Only getrandom(2) guarantees that.

Wrong. The guarantees here are very different.

getrandom(2) behaves correctly: If the entropy pool hasn't been seeded, it will block until it has been seeded.

What I described is a different phenomenon: The Linux kernel seeds the unblocking pool first, so once /dev/random has at least 1 byte available in its entropy count, you'll know that /dev/urandom has already been seeded and therefore you can just use /dev/urandom.

https://github.com/torvalds/linux/blob/523d939ef98fd712632d93a5a2b588e477a7565e/drivers/char/random.c#L805

There's really no reason to rely on /dev/random for anything else but discovering if /dev/urandom has already been seeded. Then, you can safely read from /dev/urandom forever. (Entropy doesn't "run out".)

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
From: smueller at chronox.de (Stephan Mueller)
Date: Wed, 16 Nov 2016 18:50:59 +0100
Subject: Patch: Stop using /dev/random
In-Reply-To:
References:
Message-ID: <1612252.0TGJZfMCqC@tauon.atsec.com>

On Wednesday, 16 November 2016, 11:45:52 CET, Scott Arciszewski wrote:

Hi Scott,

> Hi, I didn't receive the responses to my email so I'm just now following up.
>
> > This statement is not correct.
> >
> > Only getrandom(2) guarantees that.
>
> Wrong. The guarantees here are very different.
>
> getrandom(2) behaves correctly: If the entropy pool hasn't been
> seeded, it will block until it has been seeded.
>
> What I described is a different phenomenon: The Linux kernel seeds the
> unblocking pool first, so once /dev/random has at least 1 byte
> available in its entropy count, you'll know that /dev/urandom has
> already been seeded and therefore you can just use /dev/urandom.
>
> https://github.com/torvalds/linux/blob/523d939ef98fd712632d93a5a2b588e477a7565e/drivers/char/random.c#L805

I am aware of that mechanism, but I did not read that you were referring to this functionality from the initial statement.

> There's really no reason to rely on /dev/random for anything else but
> discovering if /dev/urandom has already been seeded. Then, you can
> safely read from /dev/urandom forever. (Entropy doesn't "run out".)

This is a very hacky check. What happens if there is a /dev/urandom hog during boot time? For this, it is likely that /dev/random will not return one byte until that hog is finished. This in turn means your check will wait that long.

Ciao
Stephan
From: scott at paragonie.com (Scott Arciszewski)
Date: Wed, 16 Nov 2016 13:16:54 -0500
Subject: Patch: Stop using /dev/random
In-Reply-To: <3019736.DfsuuJ4qHt@tauon.atsec.com>
References: <1612252.0TGJZfMCqC@tauon.atsec.com> <3019736.DfsuuJ4qHt@tauon.atsec.com>
Message-ID:

On Wed, Nov 16, 2016 at 1:09 PM, Stephan Mueller wrote:
> On Wednesday, 16 November 2016, 12:51:40 CET, Scott Arciszewski wrote:
>
> Hi Scott,
>
>> Better to fail closed than fail open.
>
> If you want to re-implement a getrandom(2) like blocking style rather than
> wait for /dev/random to return data, it is probably easier to observe
> /proc/sys/kernel/random/entropy_avail with a poll/select operation. Once
> that file increases above 0 for the first time, the nonblocking_pool is
> seeded. This test is not prone to /dev/urandom hogs.
>
> Ciao
> Stephan

This is a better Linux-specific solution, but this behavior is only needed on older Linux kernels (libgcrypt is already moving to getrandom(2) anyway).

Of course, none of this would have ever been necessary if GNU/Linux's implementations of /dev/random and /dev/urandom only blocked until seeded, and then never again, in the first place.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
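The thread has by now named three ways to establish that the kernel CSPRNG is seeded: block in getrandom(2), poll /dev/random and then read /dev/urandom (the patch), or watch entropy_avail (Stephan's suggestion). Here is an added example, written for this page and not taken from libgcrypt or libsodium, that combines the first two the way a practitioner would on a mixed fleet: getrandom(2) with GRND_NONBLOCK asks whether the pool is seeded and blocks once if it is not, and only where getrandom(2) is missing does it fall back to the poll-on-/dev/random check, failing closed if /dev/random cannot be opened. The function names are my own; the syscall number and the GRND_NONBLOCK value are Linux's.

```c
#ifndef _GNU_SOURCE
# define _GNU_SOURCE 1            /* for syscall(2) and O_CLOEXEC on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef GRND_NONBLOCK
# define GRND_NONBLOCK 0x0001     /* value from linux/random.h */
#endif

/* Ask getrandom(2) whether the kernel CSPRNG is seeded, without blocking.
 * 1 = seeded, 0 = not yet seeded, -1 = getrandom(2) unavailable (kernel
 * older than 3.17, or no syscall number known to this libc). */
static int getrandom_seeded(void)
{
#ifdef SYS_getrandom
    unsigned char b;
    long r;
    do {
        r = syscall(SYS_getrandom, &b, (size_t)1, (unsigned int)GRND_NONBLOCK);
    } while (r < 0 && errno == EINTR);
    if (r == 1)
        return 1;
    if (r < 0 && errno == EAGAIN)
        return 0;
#endif
    return -1;
}

/* Fallback: the check from the patch.  /dev/random becoming readable on
 * Linux implies the nonblocking pool was seeded first.  Unlike the patch,
 * a missing /dev/random fails closed.  Stephan's caveat applies: a
 * /dev/urandom hog at boot delays this indefinitely. */
static int wait_dev_random_readable(void)
{
    struct pollfd pfd;
    int fd, rc;

    fd = open("/dev/random", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    pfd.fd = fd;
    pfd.events = POLLIN;
    do {
        pfd.revents = 0;
        rc = poll(&pfd, 1, -1);
    } while (rc < 0 && errno == EINTR);
    close(fd);
    return (rc == 1 && (pfd.revents & POLLIN)) ? 0 : -1;
}

/* Block until the kernel CSPRNG is seeded.  0 = seeded, -1 = cannot tell. */
int wait_until_seeded(void)
{
    int s = getrandom_seeded();
    if (s == 1)
        return 0;
#ifdef SYS_getrandom
    if (s == 0) {                 /* getrandom works; let it block exactly once */
        unsigned char b;
        long r;
        do {
            r = syscall(SYS_getrandom, &b, (size_t)1, 0u);
        } while (r < 0 && errno == EINTR);
        return r == 1 ? 0 : -1;
    }
#endif
    return wait_dev_random_readable();
}

/* Fill buf with n bytes from /dev/urandom after the seeding check, handling
 * EINTR and short reads.  0 on success, -1 on failure. */
int fill_random(unsigned char *buf, size_t n)
{
    int fd;
    size_t got = 0;

    if (wait_until_seeded() != 0)
        return -1;
    fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;
        got += (size_t)r;
    }
    close(fd);
    return got == n ? 0 : -1;
}

/* Self-check: 1 if 32 bytes were obtained and are not all zero. */
int self_check(void)
{
    unsigned char k[32], acc = 0;
    size_t i;
    if (fill_random(k, sizeof k) != 0)
        return 0;
    for (i = 0; i < sizeof k; i++)
        acc |= k[i];
    return acc != 0;
}

int main(void)
{
    if (!self_check()) {
        perror("random source");
        return 1;
    }
    puts("kernel CSPRNG seeded; /dev/urandom output obtained");
    return 0;
}
```

The one-byte GRND_NONBLOCK probe is the cheap part; everything after it reads only the non-blocking interface, which is the point Scott makes about never needing /dev/random once the pool is known to be seeded. The poll fallback exists purely for kernels that predate getrandom(2) and inherits that trick's boot-time weakness, which is why it is the last resort rather than the first.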
From: smueller at chronox.de (Stephan Mueller)
Date: Wed, 16 Nov 2016 19:31:50 +0100
Subject: Patch: Stop using /dev/random
In-Reply-To:
References: <3019736.DfsuuJ4qHt@tauon.atsec.com>
Message-ID: <4709246.fd6PjsLVZp@tauon.atsec.com>

On Wednesday, 16 November 2016, 13:16:54 CET, Scott Arciszewski wrote:

Hi Scott,

> Of course, none of this would have ever been necessary if GNU/Linux's
> implementations of /dev/random and /dev/urandom only blocked until
> seeded, and then never again, in the first place.

This will not be implemented. During the course of my re-implementation of /dev/random I played with exactly that idea. This will break user space big time, because systemd will be blocked from initializing before /dev/urandom is fully seeded. The block happens before any device is set up or a driver loaded because these days systemd is used in the initramfs too.

Thus, either you always sit on the console and hack on the keyboard until /dev/urandom unblocks and systemd continues or you will wait for (almost) an eternity to have the system booted.

Ciao
Stephan
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Wed, 16 Nov 2016 14:43:29 -0500
Subject: Patch: Stop using /dev/random
In-Reply-To: <4709246.fd6PjsLVZp@tauon.atsec.com>
References: <3019736.DfsuuJ4qHt@tauon.atsec.com> <4709246.fd6PjsLVZp@tauon.atsec.com>
Message-ID: <20161116194329.GW5170@thunk.cs.uwaterloo.ca>

On Wed, Nov 16, 2016 at 07:31:50PM +0100, Stephan Mueller wrote:
> On Wednesday, 16 November 2016, 13:16:54 CET, Scott Arciszewski wrote:
>
> Hi Scott,
>
> >
> > Of course, none of this would have ever been necessary if GNU/Linux's
> > implementations of /dev/random and /dev/urandom only blocked until
> > seeded, and then never again, in the first place.
>
> This will not be implemented. During the course of my re-implementation of
> /dev/random I played with exactly that idea. This will break user space big
> time, because systemd will be blocked from initializing before /dev/urandom is
> fully seeded. The block happens before any device is set up or a driver loaded
> because these days systemd is used in the initramfs too.
>
> Thus, either you always sit on the console and hack on the keyboard until
> /dev/urandom unblocks and systemd continues or you will wait for (almost) an
> eternity to have the system booted.

I'm curious what systemd is using the data read from /dev/urandom at boot
time for, if it doesn't care whether there's any actual entropy in that
data? Nothing security relevant, hopefully?

From dbaryshkov at gmail.com Wed Nov 16 21:36:01 2016
From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov)
Date: Wed, 16 Nov 2016 23:36:01 +0300
Subject: [PATCH] cipher/gost28147: fix CryptoPro-B S-BOX
Message-ID: <20161116203601.26214-1-dbaryshkov@gmail.com>

* cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in
  incorrect encryption/decryption using that s-box. Add missing data.

Signed-off-by: Dmitry Eremin-Solenikov
---
 cipher/gost-s-box.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cipher/gost-s-box.c b/cipher/gost-s-box.c index 0094f65..7bf6041 100644 --- a/cipher/gost-s-box.c +++ b/cipher/gost-s-box.c @@ -132,6 +132,7 @@ struct gost_sbox 0xA, 0x3, 0x8, 0xC, 0x0, 0x7, 0xD, 0x9, 0xC, 0xF, 0xF, 0xF, 0xD, 0xF, 0x0, 0x6, + 0xD, 0xB, 0x3, 0x4, 0x6, 0xA, 0x6, 0xF, 0x6, 0x8, 0x6, 0xE, 0x8, 0x0, 0xF, 0xD, 0x7, 0x6, 0x1, 0x9, 0xE, 0x9, 0x8, 0x5, 0xF, 0xE, 0x4, 0x8, 0x3, 0x5, 0xE, 0xC, -- 2.10.2 From cvs at cvs.gnupg.org Thu Nov 17 04:50:50 2016 From: cvs at cvs.gnupg.org (by Dmitry Eremin-Solenikov) Date: Thu, 17 Nov 2016 04:50:50 +0100 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.7.3-13-g5ca63c9 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 5ca63c92825453fdb369a97bbc19cb95b49b4296 (commit) from b829dfe9f0eeff08c956ba3f3a6b559b9d2199dd (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 5ca63c92825453fdb369a97bbc19cb95b49b4296 Author: Dmitry Eremin-Solenikov Date: Wed Nov 16 23:36:01 2016 +0300 cipher/gost28147: Fix CryptoPro-B S-BOX. * cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in incorrect encryption/decryption using that s-box. Add missing data. Signed-off-by: Dmitry Eremin-Solenikov diff --git a/cipher/gost-s-box.c b/cipher/gost-s-box.c index 0094f65..7bf6041 100644 --- a/cipher/gost-s-box.c +++ b/cipher/gost-s-box.c 
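Review bot: the missing row in the CryptoPro_B initializer went unnoticed because C zero-fills an aggregate initializer that is shorter than the array it initializes, so the short table compiled without a diagnostic and simply used a row of zeros in place of the real S-box data; the added line `0xD, 0xB, 0x3, 0x4, 0x6, 0xA, 0x6, 0xF,` restores the row, but nothing in the patch would catch the same slip again. The practical guard is a known-answer test per s-box OID, so please add a test vector for the CryptoPro-B s-box alongside the data fix rather than relying on someone noticing wrong ciphertext.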
@@ -132,6 +132,7 @@ struct gost_sbox 0xA, 0x3, 0x8, 0xC, 0x0, 0x7, 0xD, 0x9, 0xC, 0xF, 0xF, 0xF, 0xD, 0xF, 0x0, 0x6, + 0xD, 0xB, 0x3, 0x4, 0x6, 0xA, 0x6, 0xF, 0x6, 0x8, 0x6, 0xE, 0x8, 0x0, 0xF, 0xD, 0x7, 0x6, 0x1, 0x9, 0xE, 0x9, 0x8, 0x5, 0xF, 0xE, 0x4, 0x8, 0x3, 0x5, 0xE, 0xC, ----------------------------------------------------------------------- Summary of changes: cipher/gost-s-box.c | 1 + 1 file changed, 1 insertion(+) hooks/post-receive -- The GNU crypto library http://git.gnupg.org _______________________________________________ Gnupg-commits mailing list Gnupg-commits at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-commits From gniibe at fsij.org Thu Nov 17 04:53:45 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Thu, 17 Nov 2016 12:53:45 +0900 Subject: [PATCH] cipher/gost28147: fix CryptoPro-B S-BOX In-Reply-To: <20161116203601.26214-1-dbaryshkov@gmail.com> References: <20161116203601.26214-1-dbaryshkov@gmail.com> Message-ID: On 11/17/2016 05:36 AM, Dmitry Eremin-Solenikov wrote: > * cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in > incorrect encryption/decryption using that s-box. Add missing data. Applied and pushed. Also applied to 1.7 branch. If you have test vectors, I think that it's best to include a program for test cases. -- From smueller at chronox.de Thu Nov 17 07:13:47 2016 
From: smueller at chronox.de (Stephan Mueller)
Date: Thu, 17 Nov 2016 07:13:47 +0100
Subject: Patch: Stop using /dev/random
In-Reply-To: <20161116194329.GW5170@thunk.cs.uwaterloo.ca>
References: <4709246.fd6PjsLVZp@tauon.atsec.com> <20161116194329.GW5170@thunk.cs.uwaterloo.ca>
Message-ID: <3711397.1ISDevscJa@tauon.atsec.com>

On Wednesday, 16 November 2016, 14:43:29 CET, Ian Goldberg wrote:

Hi Ian,

>
> I'm curious what systemd is using the data read from /dev/urandom at
> boot time for, if it doesn't care whether there's any actual entropy in
> that data? Nothing security relevant, hopefully?

Please see [1] for the discussion and a complete listing. None of it is
cryptographically relevant.

[1] http://www.gossamer-threads.com/lists/linux/kernel/2549702

Ciao
Stephan

From dbaryshkov at gmail.com Wed Nov 23 06:38:31 2016
From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov)
Date: Wed, 23 Nov 2016 08:38:31 +0300
Subject: [PATCH 1/3] tests: add test to verify GOST 28147-89 agains known results
Message-ID: <20161123053833.21413-1-dbaryshkov@gmail.com>

* tests/basic.c (check_gost28147_cipher): new test function.

--
Currently the only test executed against GOST 28147-89 cipher is a basic
cipher test: it checks that decoding of encoded text returns the original
plaintext. Add a function to verify the cipher against test vectors.

Signed-off-by: Dmitry Eremin-Solenikov
---
 tests/basic.c | 163 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 163 insertions(+)

diff --git a/tests/basic.c b/tests/basic.c
index e5a325b..aa56355 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -3874,6 +3874,168 @@ check_ocb_cipher (void) check_ocb_cipher_splitaad (); } +static void +check_gost28147_cipher (void) +{ +#if USE_GOST28147 + static const struct { + char key[MAX_DATA_LEN]; + const char *oid; + unsigned char plaintext[MAX_DATA_LEN]; + int inlen; + char out[MAX_DATA_LEN]; + } tv[] = + { + { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.7.1.2.5.1.1", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xce\x5a\x5e\xd7\xe0\x57\x7a\x5f", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.0", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\x98\x56\xcf\x8b\xfc\xc2\x82\xf4", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.1", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\x66\x81\x84\xae\xdc\x48\xc9\x17", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.2", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xdb\xee\x81\x14\x7b\x74\xb0\xf2", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.3", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\x31\xa3\x85\x9d\x0a\xee\xb8\x0e", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.4", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xb1\x32\x3e\x0b\x21\x73\xcb\xd1", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.30.0", + 
"\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xce\xd5\x2a\x7f\xf7\xf2\x60\xd5", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.30.1", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xe4\x21\x75\xe1\x69\x22\xd0\xa8", + } + }; + + gcry_cipher_hd_t hde, hdd; + unsigned char out[MAX_DATA_LEN]; + int i, keylen; + gcry_error_t err = 0; + + if (verbose) + fprintf (stderr, " Starting GOST28147 cipher checks.\n"); + keylen = gcry_cipher_get_algo_keylen(GCRY_CIPHER_GOST28147); + if (!keylen) + { + fail ("gost28147, gcry_cipher_get_algo_keylen failed\n"); + return; + } + + for (i = 0; i < sizeof (tv) / sizeof (tv[0]); i++) + { + err = gcry_cipher_open (&hde, GCRY_CIPHER_GOST28147, GCRY_CIPHER_MODE_ECB, 0); + if (!err) + err = gcry_cipher_open (&hdd, GCRY_CIPHER_GOST28147, GCRY_CIPHER_MODE_ECB, 0); + if (err) + { + fail ("gost28147, gcry_cipher_open failed: %s\n", gpg_strerror (err)); + return; + } + + err = gcry_cipher_setkey (hde, tv[i].key, keylen); + if (!err) + err = gcry_cipher_setkey (hdd, tv[i].key, keylen); + if (err) + { + fail ("gost28147, gcry_cipher_setkey failed: %s\n", + gpg_strerror (err)); + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + return; + } + + err = gcry_cipher_set_sbox (hde, tv[i].oid); + if (!err) + err = gcry_cipher_set_sbox (hdd, tv[i].oid); + if (err) + { + fail ("gost28147, gcry_cipher_set_sbox failed: %s\n", + gpg_strerror (err)); + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + return; + } + + err = gcry_cipher_encrypt (hde, out, MAX_DATA_LEN, + tv[i].plaintext, + tv[i].inlen == -1 ? 
+ strlen ((char*)tv[i].plaintext) : + tv[i].inlen); + if (err) + { + fail ("gost28147, gcry_cipher_encrypt (%d) failed: %s\n", + i, gpg_strerror (err)); + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + return; + } + + if (memcmp (tv[i].out, out, tv[i].inlen)) + { + fail ("gost28147, encrypt mismatch entry %d\n", i); + mismatch (tv[i].out, tv[i].inlen, + out, tv[i].inlen); + } + + err = gcry_cipher_decrypt (hdd, out, tv[i].inlen, NULL, 0); + if (err) + { + fail ("gost28147, gcry_cipher_decrypt (%d) failed: %s\n", + i, gpg_strerror (err)); + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + return; + } + + if (memcmp (tv[i].plaintext, out, tv[i].inlen)) + { + fail ("gost28147, decrypt mismatch entry %d\n", i); + mismatch (tv[i].plaintext, tv[i].inlen, + out, tv[i].inlen); + } + } + +#endif +} + static void check_stream_cipher (void) @@ -5750,6 +5912,7 @@ check_cipher_modes(void) check_gcm_cipher (); check_poly1305_cipher (); check_ocb_cipher (); + check_gost28147_cipher (); check_stream_cipher (); check_stream_cipher_large_block (); -- 2.10.2 From dbaryshkov at gmail.com Wed Nov 23 06:38:33 2016 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Wed, 23 Nov 2016 08:38:33 +0300 Subject: [PATCH 3/3] Cast oid argument of gcry_cipher_set_sbox to disable compiler warning In-Reply-To: <20161123053833.21413-1-dbaryshkov@gmail.com> References: <20161123053833.21413-1-dbaryshkov@gmail.com> Message-ID: <20161123053833.21413-3-dbaryshkov@gmail.com> * src/gcrypt.h.in (gcry_cipher_set_sbox): cast oid to (void *). Signed-off-by: Dmitry Eremin-Solenikov --- src/gcrypt.h.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index f896a78..77ff947 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in 
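Review bot: in the check_gost28147_cipher hunk, hde and hdd are opened at the top of every loop iteration but closed only on the error paths, so each successful test vector leaks two cipher handles; add `gcry_cipher_close (hde); gcry_cipher_close (hdd);` at the end of the loop body. The open sequence leaks on its own as well: when the first gcry_cipher_open succeeds and the second fails, the `if (err) { fail (...); return; }` branch returns without closing hde. Two smaller points in the same hunk: every tv[] entry sets inlen to 8, and the later memcmp and gcry_cipher_decrypt calls use tv[i].inlen unconditionally, so the `tv[i].inlen == -1 ? strlen (...) : tv[i].inlen` branch is dead and misleading (either drop the -1 convention or honour it everywhere); and `int i` compared against `sizeof (tv) / sizeof (tv[0])` will draw a signed/unsigned comparison warning, so make i a size_t or use a DIM() macro as tests/t-kdf.c does.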
@@ -1062,7 +1062,7 @@ gcry_error_t gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, NULL, on ) #define gcry_cipher_set_sbox(h,oid) gcry_cipher_ctl( (h), GCRYCTL_SET_SBOX, \ - (oid), 0); + (void *) oid, 0); /* Indicate to the encrypt and decrypt functions that the next call provides the final data. Only used with some modes. */ -- 2.10.2 From dbaryshkov at gmail.com Wed Nov 23 06:38:32 2016 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Wed, 23 Nov 2016 08:38:32 +0300 Subject: [PATCH 2/3] gost: rename tc26 s-box from A to Z In-Reply-To: <20161123053833.21413-1-dbaryshkov@gmail.com> References: <20161123053833.21413-1-dbaryshkov@gmail.com> Message-ID: <20161123053833.21413-2-dbaryshkov@gmail.com> * cipher/gost-s-box.c (gost_sboxes): rename TC26_A to TC26_Z as it is the name that ended up in all standards. Signed-off-by: Dmitry Eremin-Solenikov --- cipher/gost-s-box.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cipher/gost-s-box.c b/cipher/gost-s-box.c index 7bf6041..7aa5444 100644 --- a/cipher/gost-s-box.c +++ b/cipher/gost-s-box.c @@ -182,7 +182,7 @@ struct gost_sbox 0x3, 0x1, 0x2, 0x8, 0x1, 0x6, 0x7, 0xE, } }, - { "TC26_A", "1.2.643.7.1.2.5.1.1", { + { "TC26_Z", "1.2.643.7.1.2.5.1.1", { 0xc, 0x6, 0xb, 0xc, 0x7, 0x5, 0x8, 0x1, 0x4, 0x8, 0x3, 0x8, 0xf, 0xd, 0xe, 0x7, 0x6, 0x2, 0x5, 0x2, 0x5, 0xf, 0x2, 0xe, -- 2.10.2 From el11151 at mail.ntua.gr Fri Nov 25 00:54:42 2016 
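Review bot: in the gcry_cipher_set_sbox hunk the macro argument loses its parentheses: `(oid), 0)` becomes `(void *) oid, 0)`, so an argument such as `cond ? a : b` would be cast as `((void *) cond) ? a : b`; write `(void *)(oid)`. The cast also discards the const qualifier rather than resolving the warning at its source, since callers pass a `const char *` OID string and gcry_cipher_ctl takes a non-const buffer; that is acceptable for a control operation that only reads the buffer, but a comment saying so would stop a later reader from assuming the OID may be written through. Pre-existing, and visible in both the old and new lines: the expansion ends in `0);`, a semicolon inside the macro, which makes `if (x) gcry_cipher_set_sbox (h, oid); else ...` a syntax error; dropping it from the definition is the usual fix.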
From: el11151 at mail.ntua.gr (Kostis Andrikopoulos)
Date: Fri, 25 Nov 2016 01:54:42 +0200
Subject: mpi_swap_cond: different sizes error on eddsa key generation
Message-ID:

Hello,

We are using gcrypt in our library and, at some point, we would like to
create some eddsa keys on the curve Ed25519. This is how we do it:

//...
//...
gcry_sexp_t key, params;
static const char *parmstr = "(genkey (ecc (curve Ed25519 (flags eddsa))))";

/* Create the sexp using the parameter string */
err = gcry_sexp_new(&params, parmstr, strlen(parmstr), 0);
if(err) {
    goto error;
}

/* Generate the keypair */
err = gcry_pk_genkey(&key, params);
gcry_sexp_release(params);
if(err) {
    goto error;
}
// ...
// ...

We were developing on lubuntu, which provides the 1.6.5 version of libgcrypt
and everything is working as expected. Then we tried to compile in archlinux
and manjaro, which provide version 1.7.3. Under this version of gcrypt we got
a runtime error message stating:

Ohhhh jeeee: mpi_swap_cond: different sizes

We tried to isolate the seemingly wrong code from the rest of the library and
compiled it. The error message did not appear this time.

We tried looking at the ChangeLogs but as far as we can tell this is the
"correct" way of generating an eddsa keypair over curve Ed25519 both in 1.6.5
and in 1.7.3. Also by going over the gcrypt source code we believe that this
error message is internal and shouldn't be generated by the user's actions.
On the other hand we are first-time users of the grcypt library so it is very
possible that we are doing something wrong.

Does this error message in this context seem at all familiar? Could you point
us to a set of possible causes of this error?

Thanks!

From cvs at cvs.gnupg.org Fri Nov 25 04:39:32 2016
From: cvs at cvs.gnupg.org (by Dmitry Eremin-Solenikov) Date: Fri, 25 Nov 2016 04:39:32 +0100 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.7.3-16-g1a67e31 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 1a67e3195896704f8b3ba09e3db1214bab834491 (commit) via dc8ceb8d2dfef949f3afa14fc75f9de8cd07c7ad (commit) via 4f5c26c73c66daf2e4aff966e43c22b2db7e0138 (commit) from 5ca63c92825453fdb369a97bbc19cb95b49b4296 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 1a67e3195896704f8b3ba09e3db1214bab834491 Author: Dmitry Eremin-Solenikov Date: Wed Nov 23 08:38:33 2016 +0300 Cast oid argument of gcry_cipher_set_sbox to disable compiler warning. * src/gcrypt.h.in (gcry_cipher_set_sbox): Cast oid to (void *). Signed-off-by: Dmitry Eremin-Solenikov diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index f896a78..77ff947 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in @@ -1062,7 +1062,7 @@ gcry_error_t gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, NULL, on ) #define gcry_cipher_set_sbox(h,oid) gcry_cipher_ctl( (h), GCRYCTL_SET_SBOX, \ - (oid), 0); + (void *) oid, 0); /* Indicate to the encrypt and decrypt functions that the next call provides the final data. Only used with some modes. */ commit dc8ceb8d2dfef949f3afa14fc75f9de8cd07c7ad Author: Dmitry Eremin-Solenikov Date: Wed Nov 23 08:38:32 2016 +0300 gost: Rename tc26 s-box from A to Z. * cipher/gost-s-box.c (gost_sboxes): Rename TC26_A to TC26_Z as it is the name that ended up in all standards. Signed-off-by: Dmitry Eremin-Solenikov diff --git a/cipher/gost-s-box.c b/cipher/gost-s-box.c index 7bf6041..7aa5444 100644 
--- a/cipher/gost-s-box.c +++ b/cipher/gost-s-box.c @@ -182,7 +182,7 @@ struct gost_sbox 0x3, 0x1, 0x2, 0x8, 0x1, 0x6, 0x7, 0xE, } }, - { "TC26_A", "1.2.643.7.1.2.5.1.1", { + { "TC26_Z", "1.2.643.7.1.2.5.1.1", { 0xc, 0x6, 0xb, 0xc, 0x7, 0x5, 0x8, 0x1, 0x4, 0x8, 0x3, 0x8, 0xf, 0xd, 0xe, 0x7, 0x6, 0x2, 0x5, 0x2, 0x5, 0xf, 0x2, 0xe, commit 4f5c26c73c66daf2e4aff966e43c22b2db7e0138 Author: Dmitry Eremin-Solenikov Date: Wed Nov 23 08:38:31 2016 +0300 tests: Add test to verify GOST 28147-89 against known results. * tests/basic.c (check_gost28147_cipher): new test function. -- Currently the only test executed against GOST 28147-89 cipher is a basic cipher test: it checks that decoding of encoded text returns the original plaintext. Add a function to verify the cipher against test vectors. Signed-off-by: Dmitry Eremin-Solenikov diff --git a/tests/basic.c b/tests/basic.c index e5a325b..7f7bce3 100644 --- a/tests/basic.c +++ b/tests/basic.c 
@@ -3874,6 +3874,170 @@ check_ocb_cipher (void) check_ocb_cipher_splitaad (); } +static void +check_gost28147_cipher (void) +{ +#if USE_GOST28147 + static const struct { + char key[MAX_DATA_LEN]; + const char *oid; + unsigned char plaintext[MAX_DATA_LEN]; + int inlen; + char out[MAX_DATA_LEN]; + } tv[] = + { + { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.7.1.2.5.1.1", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xce\x5a\x5e\xd7\xe0\x57\x7a\x5f", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.0", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\x98\x56\xcf\x8b\xfc\xc2\x82\xf4", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.1", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\x66\x81\x84\xae\xdc\x48\xc9\x17", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.2", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xdb\xee\x81\x14\x7b\x74\xb0\xf2", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.3", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\x31\xa3\x85\x9d\x0a\xee\xb8\x0e", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.31.4", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xb1\x32\x3e\x0b\x21\x73\xcb\xd1", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.30.0", + 
"\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xce\xd5\x2a\x7f\xf7\xf2\x60\xd5", + }, { + "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80" + "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0", + "1.2.643.2.2.30.1", + "\x01\x02\x03\x04\x05\x06\x07\x08", + 8, + "\xe4\x21\x75\xe1\x69\x22\xd0\xa8", + } + }; + + gcry_cipher_hd_t hde, hdd; + unsigned char out[MAX_DATA_LEN]; + int i, keylen; + gcry_error_t err = 0; + + if (verbose) + fprintf (stderr, " Starting GOST28147 cipher checks.\n"); + keylen = gcry_cipher_get_algo_keylen(GCRY_CIPHER_GOST28147); + if (!keylen) + { + fail ("gost28147, gcry_cipher_get_algo_keylen failed\n"); + return; + } + + for (i = 0; i < sizeof (tv) / sizeof (tv[0]); i++) + { + err = gcry_cipher_open (&hde, GCRY_CIPHER_GOST28147, + GCRY_CIPHER_MODE_ECB, 0); + if (!err) + err = gcry_cipher_open (&hdd, GCRY_CIPHER_GOST28147, + GCRY_CIPHER_MODE_ECB, 0); + if (err) + { + fail ("gost28147, gcry_cipher_open failed: %s\n", gpg_strerror (err)); + return; + } + + err = gcry_cipher_setkey (hde, tv[i].key, keylen); + if (!err) + err = gcry_cipher_setkey (hdd, tv[i].key, keylen); + if (err) + { + fail ("gost28147, gcry_cipher_setkey failed: %s\n", + gpg_strerror (err)); + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + return; + } + + err = gcry_cipher_set_sbox (hde, tv[i].oid); + if (!err) + err = gcry_cipher_set_sbox (hdd, tv[i].oid); + if (err) + { + fail ("gost28147, gcry_cipher_set_sbox failed: %s\n", + gpg_strerror (err)); + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + return; + } + + err = gcry_cipher_encrypt (hde, out, MAX_DATA_LEN, + tv[i].plaintext, + tv[i].inlen == -1 ? 
+ strlen ((char*)tv[i].plaintext) : + tv[i].inlen); + if (err) + { + fail ("gost28147, gcry_cipher_encrypt (%d) failed: %s\n", + i, gpg_strerror (err)); + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + return; + } + + if (memcmp (tv[i].out, out, tv[i].inlen)) + { + fail ("gost28147, encrypt mismatch entry %d\n", i); + mismatch (tv[i].out, tv[i].inlen, + out, tv[i].inlen); + } + + err = gcry_cipher_decrypt (hdd, out, tv[i].inlen, NULL, 0); + if (err) + { + fail ("gost28147, gcry_cipher_decrypt (%d) failed: %s\n", + i, gpg_strerror (err)); + gcry_cipher_close (hde); + gcry_cipher_close (hdd); + return; + } + + if (memcmp (tv[i].plaintext, out, tv[i].inlen)) + { + fail ("gost28147, decrypt mismatch entry %d\n", i); + mismatch (tv[i].plaintext, tv[i].inlen, + out, tv[i].inlen); + } + } + +#endif +} + static void check_stream_cipher (void) @@ -5750,6 +5914,7 @@ check_cipher_modes(void) check_gcm_cipher (); check_poly1305_cipher (); check_ocb_cipher (); + check_gost28147_cipher (); check_stream_cipher (); check_stream_cipher_large_block (); ----------------------------------------------------------------------- Summary of changes: cipher/gost-s-box.c | 2 +- src/gcrypt.h.in | 2 +- tests/basic.c | 165 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 167 insertions(+), 2 deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org _______________________________________________ Gnupg-commits mailing list Gnupg-commits at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-commits From gniibe at fsij.org Fri Nov 25 04:45:07 2016 
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 25 Nov 2016 12:45:07 +0900
Subject: [PATCH 1/3] tests: add test to verify GOST 28147-89 agains known results
In-Reply-To: <20161123053833.21413-1-dbaryshkov@gmail.com>
References: <20161123053833.21413-1-dbaryshkov@gmail.com>
Message-ID: <751a779f-1faf-4db9-4fc9-5919e5395854@fsij.org>

On 11/23/2016 02:38 PM, Dmitry Eremin-Solenikov wrote:
> * tests/basic.c (check_gost28147_cipher): new test function.

Thanks a lot.

All 3 patches are applied and pushed (both for master and 1.7 branch).
--

From gniibe at fsij.org Fri Nov 25 06:43:40 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 25 Nov 2016 14:43:40 +0900
Subject: mpi_swap_cond: different sizes error on eddsa key generation
In-Reply-To:
References:
Message-ID: <06c25709-dfa9-a965-bd6f-50da51cd2d59@fsij.org>

On 11/25/2016 08:54 AM, Kostis Andrikopoulos wrote:
> static const char *parmstr = "(genkey (ecc (curve Ed25519 (flags
> eddsa))))";

To me, this does not look correct.

Before:
  "(genkey (ecc (curve Ed25519 (flags eddsa))))"

I think the correct expression is:
  "(genkey (ecc (curve Ed25519) (flags eddsa)))"

Please note the paren difference.
--

From cvs at cvs.gnupg.org Fri Nov 25 09:41:33 2016
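To make the parenthesisation point concrete, here is an added example (not code from the thread or from libgcrypt): a minimal S-expression parser, written for this page, that parses both strings from the exchange and reports where the (flags eddsa) list ends up. It handles only parentheses and whitespace-separated atoms, which is all these two strings use, so it says nothing about how libgcrypt itself interprets them.

```python
"""Show the structural difference between the two key-generation S-expressions
from the mpi_swap_cond thread.  Added example, not libgcrypt code."""


def parse_sexp(text):
    """Parse an advanced-format S-expression made of parentheses and
    whitespace-separated atoms into nested Python lists of strings."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise ValueError("missing ')'")
            pos += 1  # consume the closing paren
            return items
        if tok == ")":
            raise ValueError("unbalanced ')'")
        return tok

    tree = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after the S-expression")
    return tree


def find_path(tree, token, path=()):
    """Return the tuple of list heads leading to the first list whose head is
    `token` (depth first), or None when no such list exists."""
    if not isinstance(tree, list) or not tree:
        return None
    head = tree[0]
    if head == token:
        return path + (head,)
    for child in tree[1:]:
        found = find_path(child, token, path + (head,))
        if found is not None:
            return found
    return None


# The two strings exactly as they appear in the thread.
ORIGINAL = "(genkey (ecc (curve Ed25519 (flags eddsa))))"   # from the question
SUGGESTED = "(genkey (ecc (curve Ed25519) (flags eddsa)))"  # NIIBE's correction


def flags_path(sexp_text):
    """Path of list heads from the root down to the (flags ...) list."""
    return find_path(parse_sexp(sexp_text), "flags")


def flags_is_sibling_of_curve(sexp_text):
    """True when (flags ...) sits directly under (ecc ...), beside (curve ...),
    rather than nested inside the (curve ...) list."""
    return flags_path(sexp_text) == ("genkey", "ecc", "flags")


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(f"{label:9s} {text}")
        print(f"          flags found under: {' > '.join(flags_path(text))}")
```

In the original string the flags list is reached via genkey > ecc > curve > flags, i.e. it is an element of the curve list; in the suggested string it is reached via genkey > ecc > flags, a sibling of curve.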
From: cvs at cvs.gnupg.org (by Justus Winter) Date: Fri, 25 Nov 2016 09:41:33 +0100 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.7.3-17-g5530a82 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 5530a8234d703ce9b685f78fb6e951136eb0aeb2 (commit) from 1a67e3195896704f8b3ba09e3db1214bab834491 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 5530a8234d703ce9b685f78fb6e951136eb0aeb2 Author: Justus Winter Date: Fri Nov 25 09:38:51 2016 +0100 tests: Fix memory leak. * tests/basic.c (check_gost28147_cipher): Free cipher handles. Fixes-commit: 4f5c26c73c66daf2e4aff966e43c22b2db7e0138 Signed-off-by: Justus Winter diff --git a/tests/basic.c b/tests/basic.c index 7f7bce3..b6f4f4b 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -4033,6 +4033,9 @@ check_gost28147_cipher (void) mismatch (tv[i].plaintext, tv[i].inlen, out, tv[i].inlen); } + + gcry_cipher_close (hde); + gcry_cipher_close (hdd); } #endif ----------------------------------------------------------------------- Summary of changes: tests/basic.c | 3 +++ 1 file changed, 3 insertions(+) hooks/post-receive -- The GNU crypto library http://git.gnupg.org _______________________________________________ Gnupg-commits mailing list Gnupg-commits at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-commits From dbaryshkov at gmail.com Fri Nov 25 13:52:45 2016 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Fri, 25 Nov 2016 15:52:45 +0300 Subject: [PATCH 1/3] Add Stribog OIDs from TC26 space Message-ID: <20161125125247.25885-1-dbaryshkov@gmail.com> * cipher/stribog.c (oid_spec_stribog256, oid_spec_stribog512): New. 
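Review bot: the added gcry_cipher_close pair at the end of the loop body fixes the leak on the success path, but the open sequence earlier in check_gost28147_cipher (visible in the original patch above) still leaks: when gcry_cipher_open succeeds for hde and then fails for hdd, the `if (err) { fail (...); return; }` branch returns without closing hde. Closing hde in that branch, or routing every failure through one cleanup path that closes whichever handles were opened, would close the remaining gap.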
Signed-off-by: Dmitry Eremin-Solenikov --- cipher/stribog.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/cipher/stribog.c b/cipher/stribog.c index 7f38e6f..7b6e330 100644 --- a/cipher/stribog.c +++ b/cipher/stribog.c @@ -1321,10 +1321,28 @@ stribog_read_256 (void *context) return hd->result + 32; } +static gcry_md_oid_spec_t oid_spec_stribog256[] = + { + /* id-tc26-signwithdigest-gost3410-12-256 */ + { "1.2.643.7.1.1.3.2" }, + /* id-tc26-gost3411-12-256 */ + { "1.2.643.7.1.1.2.2" }, + { NULL }, + }; + +static gcry_md_oid_spec_t oid_spec_stribog512[] = + { + /* id-tc26-signwithdigest-gost3410-12-512 */ + { "1.2.643.7.1.1.3.3" }, + /* id-tc26-gost3411-12-512 */ + { "1.2.643.7.1.1.2.3" }, + { NULL }, + }; + gcry_md_spec_t _gcry_digest_spec_stribog_256 = { GCRY_MD_STRIBOG256, {0, 0}, - "STRIBOG256", NULL, 0, NULL, 32, + "STRIBOG256", NULL, 0, oid_spec_stribog256, 32, stribog_init_256, _gcry_md_block_write, stribog_final, stribog_read_256, NULL, sizeof (STRIBOG_CONTEXT) @@ -1333,7 +1351,7 @@ gcry_md_spec_t _gcry_digest_spec_stribog_256 = gcry_md_spec_t _gcry_digest_spec_stribog_512 = { GCRY_MD_STRIBOG512, {0, 0}, - "STRIBOG512", NULL, 0, NULL, 64, + "STRIBOG512", NULL, 0, oid_spec_stribog512, 64, stribog_init_512, _gcry_md_block_write, stribog_final, stribog_read_512, NULL, sizeof (STRIBOG_CONTEXT) -- 2.10.2 From dbaryshkov at gmail.com Fri Nov 25 13:52:46 2016 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Fri, 25 Nov 2016 15:52:46 +0300 Subject: [PATCH 2/3] Add Stribog HMAC tests from TC26ALG In-Reply-To: <20161125125247.25885-1-dbaryshkov@gmail.com> References: <20161125125247.25885-1-dbaryshkov@gmail.com> Message-ID: <20161125125247.25885-2-dbaryshkov@gmail.com> * tests/basic.c (check_mac): add HMAC test vectors from TC26ALG document for Stribog. Signed-off-by: Dmitry Eremin-Solenikov --- tests/basic.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
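Review bot: the commit message names the two new arrays but does not say why each contains both the plain digest OID (id-tc26-gost3411-12-*) and the signature-algorithm OID (id-tc26-signwithdigest-gost3410-12-*); the rationale, presumably that gcry_md_map_name should resolve a signature OID to its underlying digest, belongs in the message so that a later reader does not take the signwithdigest entries for a mistake. There is also no test exercising the new mappings; a lookup of each of the four OID strings in tests/basic.c would be cheap and would pin the OID-to-algorithm mapping against the comment text.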
diff --git a/tests/basic.c b/tests/basic.c index e5a325b..1b5a1c8 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -7996,6 +7996,22 @@ check_mac (void) "\x5e\xad\x03\xb7\x43\x4f\x87\xa1\x14\x8e\x17\x8f\x2a\x97\x7d\xe8" "\xbd\xb0\x37\x3b\x67\xb9\x97\x36\xa5\x82\x9b\xdc\x0d\xe4\x5a\x8c" "\x5e\xda\xb5\xca\xea\xa9\xb4\x6e\xba\xca\x25\xc8\xbf\xa1\x0e\xb0" }, + { GCRY_MAC_HMAC_STRIBOG256, + "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00", + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + "\xa1\xaa\x5f\x7d\xe4\x02\xd7\xb3\xd3\x23\xf2\x99\x1c\x8d\x45\x34" + "\x01\x31\x37\x01\x0a\x83\x75\x4f\xd0\xaf\x6d\x7c\xd4\x92\x2e\xd9", + NULL, 16, 32 }, + { GCRY_MAC_HMAC_STRIBOG512, + "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00", + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + "\xa5\x9b\xab\x22\xec\xae\x19\xc6\x5f\xbd\xe6\xe5\xf4\xe9\xf5\xd8" + "\x54\x9d\x31\xf0\x37\xf9\xdf\x9b\x90\x55\x00\xe1\x71\x92\x3a\x77" + "\x3d\x5f\x15\x30\xf2\xed\x7e\x96\x4c\xb2\xee\xdc\x29\xe9\xad\x2f" + "\x3a\xfe\x93\xb2\x81\x4f\x79\xf5\x00\x0f\xfc\x03\x66\xc2\x51\xe6", + NULL, 16, 32 }, /* CMAC AES and DES test vectors from http://web.archive.org/web/20130930212819/http://csrc.nist.gov/publica\ tions/nistpubs/800-38B/Updated_CMAC_Examples.pdf */ -- 2.10.2 From dbaryshkov at gmail.com Fri Nov 25 13:52:47 2016 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Fri, 25 Nov 2016 15:52:47 +0300 Subject: [PATCH 3/3] Add PBKDF2 tests for Stribog512 In-Reply-To: <20161125125247.25885-1-dbaryshkov@gmail.com> References: <20161125125247.25885-1-dbaryshkov@gmail.com> Message-ID: <20161125125247.25885-3-dbaryshkov@gmail.com> * tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's additions to PKCS#5. 
Signed-off-by: Dmitry Eremin-Solenikov --- tests/t-kdf.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/tests/t-kdf.c b/tests/t-kdf.c index bf31c83..4299141 100644 --- a/tests/t-kdf.c +++ b/tests/t-kdf.c 
@@ -1047,11 +1047,80 @@ check_pbkdf2 (void) 20, "\x43\xe0\x6c\x55\x90\xb0\x8c\x02\x25\x24" "\x23\x73\x12\x7e\xdf\x9c\x8e\x9c\x32\x91" + }, + { + "password", 8, + "salt", 4, + GCRY_MD_STRIBOG512, + 1, + 64, + "\x64\x77\x0a\xf7\xf7\x48\xc3\xb1\xc9\xac\x83\x1d\xbc\xfd\x85\xc2" + "\x61\x11\xb3\x0a\x8a\x65\x7d\xdc\x30\x56\xb8\x0c\xa7\x3e\x04\x0d" + "\x28\x54\xfd\x36\x81\x1f\x6d\x82\x5c\xc4\xab\x66\xec\x0a\x68\xa4" + "\x90\xa9\xe5\xcf\x51\x56\xb3\xa2\xb7\xee\xcd\xdb\xf9\xa1\x6b\x47" + }, + { + "password", 8, + "salt", 4, + GCRY_MD_STRIBOG512, + 2, + 64, + "\x5a\x58\x5b\xaf\xdf\xbb\x6e\x88\x30\xd6\xd6\x8a\xa3\xb4\x3a\xc0" + "\x0d\x2e\x4a\xeb\xce\x01\xc9\xb3\x1c\x2c\xae\xd5\x6f\x02\x36\xd4" + "\xd3\x4b\x2b\x8f\xbd\x2c\x4e\x89\xd5\x4d\x46\xf5\x0e\x47\xd4\x5b" + "\xba\xc3\x01\x57\x17\x43\x11\x9e\x8d\x3c\x42\xba\x66\xd3\x48\xde" + }, + { + "password", 8, + "salt", 4, + GCRY_MD_STRIBOG512, + 4096, + 64, + "\xe5\x2d\xeb\x9a\x2d\x2a\xaf\xf4\xe2\xac\x9d\x47\xa4\x1f\x34\xc2" + "\x03\x76\x59\x1c\x67\x80\x7f\x04\x77\xe3\x25\x49\xdc\x34\x1b\xc7" + "\x86\x7c\x09\x84\x1b\x6d\x58\xe2\x9d\x03\x47\xc9\x96\x30\x1d\x55" + "\xdf\x0d\x34\xe4\x7c\xf6\x8f\x4e\x3c\x2c\xda\xf1\xd9\xab\x86\xc3" + }, + /* { -- takes toooo long + "password", 8, + "salt", 4, + GCRY_MD_STRIBOG512, + 16777216, + 64, + "\x49\xe4\x84\x3b\xba\x76\xe3\x00\xaf\xe2\x4c\x4d\x23\xdc\x73\x92" + "\xde\xf1\x2f\x2c\x0e\x24\x41\x72\x36\x7c\xd7\x0a\x89\x82\xac\x36" + "\x1a\xdb\x60\x1c\x7e\x2a\x31\x4e\x8c\xb7\xb1\xe9\xdf\x84\x0e\x36" + "\xab\x56\x15\xbe\x5d\x74\x2b\x6c\xf2\x03\xfb\x55\xfd\xc4\x80\x71" + }, */ + { + "passwordPASSWORDpassword", 24, + "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, + GCRY_MD_STRIBOG512, + 4096, + 100, + "\xb2\xd8\xf1\x24\x5f\xc4\xd2\x92\x74\x80\x20\x57\xe4\xb5\x4e\x0a" + "\x07\x53\xaa\x22\xfc\x53\x76\x0b\x30\x1c\xf0\x08\x67\x9e\x58\xfe" + "\x4b\xee\x9a\xdd\xca\xe9\x9b\xa2\xb0\xb2\x0f\x43\x1a\x9c\x5e\x50" + "\xf3\x95\xc8\x93\x87\xd0\x94\x5a\xed\xec\xa6\xeb\x40\x15\xdf\xc2" + 
"\xbd\x24\x21\xee\x9b\xb7\x11\x83\xba\x88\x2c\xee\xbf\xef\x25\x9f" + "\x33\xf9\xe2\x7d\xc6\x17\x8c\xb8\x9d\xc3\x74\x28\xcf\x9c\xc5\x2a" + "\x2b\xaa\x2d\x3a" + }, + { + "pass\0word", 9, + "sa\0lt", 5, + GCRY_MD_STRIBOG512, + 4096, + 64, + "\x50\xdf\x06\x28\x85\xb6\x98\x01\xa3\xc1\x02\x48\xeb\x0a\x27\xab" + "\x6e\x52\x2f\xfe\xb2\x0c\x99\x1c\x66\x0f\x00\x14\x75\xd7\x3a\x4e" + "\x16\x7f\x78\x2c\x18\xe9\x7e\x92\x97\x6d\x9c\x1d\x97\x08\x31\xea" + "\x78\xcc\xb8\x79\xf6\x70\x68\xcd\xac\x19\x10\x74\x08\x44\xe8\x30" } }; int tvidx; gpg_error_t err; - unsigned char outbuf[40]; + unsigned char outbuf[100]; int i; for (tvidx=0; tvidx < DIM(tv); tvidx++) -- 2.10.2 From el11151 at mail.ntua.gr Fri Nov 25 15:15:16 2016 
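Review bot: the enlarged stack buffer `unsigned char outbuf[100];` at the end of the hunk is sized by hand to the largest new vector's output length (the 100-byte passwordPASSWORDpassword case), and nothing ties the two together: a vector with an output length above 100 added to the table later would overflow the buffer without any warning. Suggest checking the vector's output length against `sizeof outbuf` inside the loop and failing the test on a mismatch, or deriving the buffer size from the table. The 16777216-iteration vector carried as a comment (`/* { -- takes toooo long`) would also be better kept compiled behind a run-time opt-in for slow tests, so the compiler keeps checking it and it is not lost the next time the table is edited.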
From: el11151 at mail.ntua.gr (Kostis Andrikopoulos)
Date: Fri, 25 Nov 2016 16:15:16 +0200
Subject: mpi_swap_cond: different sizes error on eddsa key generation
In-Reply-To: <06c25709-dfa9-a965-bd6f-50da51cd2d59@fsij.org>
References: <06c25709-dfa9-a965-bd6f-50da51cd2d59@fsij.org>
Message-ID: <23536e43-7bf9-d801-2e26-26b8dd9c49ee@mail.ntua.gr>

On 11/25/2016 07:43 AM, NIIBE Yutaka wrote:
> On 11/25/2016 08:54 AM, Kostis Andrikopoulos wrote:
>> static const char *parmstr = "(genkey (ecc (curve Ed25519 (flags
>> eddsa))))";
>
> For me, this looks not correct.
>
> Before:
> "(genkey (ecc (curve Ed25519 (flags eddsa))))"
>
> I think correct expression is:
>
> "(genkey (ecc (curve Ed25519) (flags eddsa)))"
>
> Please note the paren difference.
>

Hello,

Thanks for the quick reply! I just compiled our library with the fix you suggested. Unfortunately it made no difference. We still get the same error message at the same function call.

I should note again that what we did (before the fix) was working in version 1.6.5. It also worked in version 1.7.3 when we isolated the code from the rest of the library. The fix you suggested unfortunately made no difference.

Should the version before the fix even work in the first place?

Is the code portion we provided enough or should we send more information?

Thanks!

From gniibe at fsij.org Sat Nov 26 00:11:04 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Sat, 26 Nov 2016 08:11:04 +0900
Subject: mpi_swap_cond: different sizes error on eddsa key generation
In-Reply-To: <23536e43-7bf9-d801-2e26-26b8dd9c49ee@mail.ntua.gr>
References: <06c25709-dfa9-a965-bd6f-50da51cd2d59@fsij.org> <23536e43-7bf9-d801-2e26-26b8dd9c49ee@mail.ntua.gr>

Hello,

Since mpi_swap_cond was introduced by me, it is highly likely that it's my bug. Please note that it has been used by GnuPG 2.1.

On 11/25/2016 11:15 PM, Kostis Andrikopoulos wrote:
> Thanks for the quick reply! I just compiled our library with the fix you
> suggested. Unfortunately it made no difference. We still get the same
> error message at the same function call.
>
> I should note again that what we did (before the fix) was working in
> version 1.6.5. It also worked in version 1.7.3 when we isolated the code
> from the rest of the library. The fix you suggested unfortunately made
> no difference.

I see. I checked the code again. The point I suggested does not matter, because the flag parsing done by the function ecc_generate in ecc.c is tolerant enough.

> Should the version before the fix even work in the first place?

Yes.

> Is the code portion we provided enough or should we send more
> information?

We need a reproducible test case. The smaller, the better, but it is OK for it to be large if it is reproducible.

If that's difficult, please run your application in a debugger and show the stack trace at the error (e.g., the bt command in GDB).

Or..., could you give me information on the following: is the call sequence this one?

... -> ecc_generate -> _gcry_ecc_eddsa_genkey -> _gcry_mpi_ec_mul_point -> point_swap_cond -> mpi_swap_cond -> log_bug

--
From cvs at cvs.gnupg.org Mon Nov 28 01:46:41 2016
From: cvs at cvs.gnupg.org (by Dmitry Eremin-Solenikov)
Date: Mon, 28 Nov 2016 01:46:41 +0100
Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.7.3-20-ga0580d4

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  a0580d446fef648a177ca4ab060d0e449780db84 (commit)
       via  fe6077e6ee8565bfcc91bad14a73e68f45b3c32b (commit)
       via  ccffacaf6c3abe6120a0898db922981d28ab7af2 (commit)
      from  5530a8234d703ce9b685f78fb6e951136eb0aeb2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a0580d446fef648a177ca4ab060d0e449780db84
Author: Dmitry Eremin-Solenikov
Date:   Fri Nov 25 15:52:47 2016 +0300

    tests: Add PBKDF2 tests for Stribog512.

    * tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's
    additions to PKCS#5.

    Signed-off-by: Dmitry Eremin-Solenikov

diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index bf31c83..4299141 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -1047,11 +1047,80 @@ check_pbkdf2 (void) 20, "\x43\xe0\x6c\x55\x90\xb0\x8c\x02\x25\x24" "\x23\x73\x12\x7e\xdf\x9c\x8e\x9c\x32\x91" + }, + { + "password", 8, + "salt", 4, + GCRY_MD_STRIBOG512, + 1, + 64, + "\x64\x77\x0a\xf7\xf7\x48\xc3\xb1\xc9\xac\x83\x1d\xbc\xfd\x85\xc2" + "\x61\x11\xb3\x0a\x8a\x65\x7d\xdc\x30\x56\xb8\x0c\xa7\x3e\x04\x0d" + "\x28\x54\xfd\x36\x81\x1f\x6d\x82\x5c\xc4\xab\x66\xec\x0a\x68\xa4" + "\x90\xa9\xe5\xcf\x51\x56\xb3\xa2\xb7\xee\xcd\xdb\xf9\xa1\x6b\x47" + }, + { + "password", 8, + "salt", 4, + GCRY_MD_STRIBOG512, + 2, + 64, + "\x5a\x58\x5b\xaf\xdf\xbb\x6e\x88\x30\xd6\xd6\x8a\xa3\xb4\x3a\xc0" + "\x0d\x2e\x4a\xeb\xce\x01\xc9\xb3\x1c\x2c\xae\xd5\x6f\x02\x36\xd4" + "\xd3\x4b\x2b\x8f\xbd\x2c\x4e\x89\xd5\x4d\x46\xf5\x0e\x47\xd4\x5b" + "\xba\xc3\x01\x57\x17\x43\x11\x9e\x8d\x3c\x42\xba\x66\xd3\x48\xde" + }, + { + "password", 8, + "salt", 4, + GCRY_MD_STRIBOG512, + 4096, + 64, + "\xe5\x2d\xeb\x9a\x2d\x2a\xaf\xf4\xe2\xac\x9d\x47\xa4\x1f\x34\xc2" + "\x03\x76\x59\x1c\x67\x80\x7f\x04\x77\xe3\x25\x49\xdc\x34\x1b\xc7" + "\x86\x7c\x09\x84\x1b\x6d\x58\xe2\x9d\x03\x47\xc9\x96\x30\x1d\x55" + "\xdf\x0d\x34\xe4\x7c\xf6\x8f\x4e\x3c\x2c\xda\xf1\xd9\xab\x86\xc3" + }, + /* { -- takes toooo long + "password", 8, + "salt", 4, + GCRY_MD_STRIBOG512, + 16777216, + 64, + "\x49\xe4\x84\x3b\xba\x76\xe3\x00\xaf\xe2\x4c\x4d\x23\xdc\x73\x92" + "\xde\xf1\x2f\x2c\x0e\x24\x41\x72\x36\x7c\xd7\x0a\x89\x82\xac\x36" + "\x1a\xdb\x60\x1c\x7e\x2a\x31\x4e\x8c\xb7\xb1\xe9\xdf\x84\x0e\x36" + "\xab\x56\x15\xbe\x5d\x74\x2b\x6c\xf2\x03\xfb\x55\xfd\xc4\x80\x71" + }, */ + { + "passwordPASSWORDpassword", 24, + "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, + GCRY_MD_STRIBOG512, + 4096, + 100, + "\xb2\xd8\xf1\x24\x5f\xc4\xd2\x92\x74\x80\x20\x57\xe4\xb5\x4e\x0a" + "\x07\x53\xaa\x22\xfc\x53\x76\x0b\x30\x1c\xf0\x08\x67\x9e\x58\xfe" + "\x4b\xee\x9a\xdd\xca\xe9\x9b\xa2\xb0\xb2\x0f\x43\x1a\x9c\x5e\x50" + "\xf3\x95\xc8\x93\x87\xd0\x94\x5a\xed\xec\xa6\xeb\x40\x15\xdf\xc2" + 
"\xbd\x24\x21\xee\x9b\xb7\x11\x83\xba\x88\x2c\xee\xbf\xef\x25\x9f" + "\x33\xf9\xe2\x7d\xc6\x17\x8c\xb8\x9d\xc3\x74\x28\xcf\x9c\xc5\x2a" + "\x2b\xaa\x2d\x3a" + }, + { + "pass\0word", 9, + "sa\0lt", 5, + GCRY_MD_STRIBOG512, + 4096, + 64, + "\x50\xdf\x06\x28\x85\xb6\x98\x01\xa3\xc1\x02\x48\xeb\x0a\x27\xab" + "\x6e\x52\x2f\xfe\xb2\x0c\x99\x1c\x66\x0f\x00\x14\x75\xd7\x3a\x4e" + "\x16\x7f\x78\x2c\x18\xe9\x7e\x92\x97\x6d\x9c\x1d\x97\x08\x31\xea" + "\x78\xcc\xb8\x79\xf6\x70\x68\xcd\xac\x19\x10\x74\x08\x44\xe8\x30" } }; int tvidx; gpg_error_t err; - unsigned char outbuf[40]; + unsigned char outbuf[100]; int i; for (tvidx=0; tvidx < DIM(tv); tvidx++) commit fe6077e6ee8565bfcc91bad14a73e68f45b3c32b Author: Dmitry Eremin-Solenikov Date: Fri Nov 25 15:52:46 2016 +0300 tests: Add Stribog HMAC tests from TC26ALG. * tests/basic.c (check_mac): add HMAC test vectors from TC26ALG document for Stribog. Signed-off-by: Dmitry Eremin-Solenikov diff --git a/tests/basic.c b/tests/basic.c index b6f4f4b..ffb4397 100644 --- a/tests/basic.c +++ b/tests/basic.c 
@@ -8164,6 +8164,22 @@ check_mac (void) "\x5e\xad\x03\xb7\x43\x4f\x87\xa1\x14\x8e\x17\x8f\x2a\x97\x7d\xe8" "\xbd\xb0\x37\x3b\x67\xb9\x97\x36\xa5\x82\x9b\xdc\x0d\xe4\x5a\x8c" "\x5e\xda\xb5\xca\xea\xa9\xb4\x6e\xba\xca\x25\xc8\xbf\xa1\x0e\xb0" }, + { GCRY_MAC_HMAC_STRIBOG256, + "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00", + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + "\xa1\xaa\x5f\x7d\xe4\x02\xd7\xb3\xd3\x23\xf2\x99\x1c\x8d\x45\x34" + "\x01\x31\x37\x01\x0a\x83\x75\x4f\xd0\xaf\x6d\x7c\xd4\x92\x2e\xd9", + NULL, 16, 32 }, + { GCRY_MAC_HMAC_STRIBOG512, + "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00", + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f", + "\xa5\x9b\xab\x22\xec\xae\x19\xc6\x5f\xbd\xe6\xe5\xf4\xe9\xf5\xd8" + "\x54\x9d\x31\xf0\x37\xf9\xdf\x9b\x90\x55\x00\xe1\x71\x92\x3a\x77" + "\x3d\x5f\x15\x30\xf2\xed\x7e\x96\x4c\xb2\xee\xdc\x29\xe9\xad\x2f" + "\x3a\xfe\x93\xb2\x81\x4f\x79\xf5\x00\x0f\xfc\x03\x66\xc2\x51\xe6", + NULL, 16, 32 }, /* CMAC AES and DES test vectors from http://web.archive.org/web/20130930212819/http://csrc.nist.gov/publica\ tions/nistpubs/800-38B/Updated_CMAC_Examples.pdf */ commit ccffacaf6c3abe6120a0898db922981d28ab7af2 Author: Dmitry Eremin-Solenikov Date: Fri Nov 25 15:52:45 2016 +0300 cipher: Add Stribog OIDs from TC26 space. * cipher/stribog.c (oid_spec_stribog256, oid_spec_stribog512): New. Signed-off-by: Dmitry Eremin-Solenikov diff --git a/cipher/stribog.c b/cipher/stribog.c index 7f38e6f..7b6e330 100644 --- a/cipher/stribog.c +++ b/cipher/stribog.c 
@@ -1321,10 +1321,28 @@ stribog_read_256 (void *context) return hd->result + 32; } +static gcry_md_oid_spec_t oid_spec_stribog256[] = + { + /* id-tc26-signwithdigest-gost3410-12-256 */ + { "1.2.643.7.1.1.3.2" }, + /* id-tc26-gost3411-12-256 */ + { "1.2.643.7.1.1.2.2" }, + { NULL }, + }; + +static gcry_md_oid_spec_t oid_spec_stribog512[] = + { + /* id-tc26-signwithdigest-gost3410-12-512 */ + { "1.2.643.7.1.1.3.3" }, + /* id-tc26-gost3411-12-512 */ + { "1.2.643.7.1.1.2.3" }, + { NULL }, + }; + gcry_md_spec_t _gcry_digest_spec_stribog_256 = { GCRY_MD_STRIBOG256, {0, 0}, - "STRIBOG256", NULL, 0, NULL, 32, + "STRIBOG256", NULL, 0, oid_spec_stribog256, 32, stribog_init_256, _gcry_md_block_write, stribog_final, stribog_read_256, NULL, sizeof (STRIBOG_CONTEXT) @@ -1333,7 +1351,7 @@ gcry_md_spec_t _gcry_digest_spec_stribog_256 = gcry_md_spec_t _gcry_digest_spec_stribog_512 = { GCRY_MD_STRIBOG512, {0, 0}, - "STRIBOG512", NULL, 0, NULL, 64, + "STRIBOG512", NULL, 0, oid_spec_stribog512, 64, stribog_init_512, _gcry_md_block_write, stribog_final, stribog_read_512, NULL, sizeof (STRIBOG_CONTEXT) ----------------------------------------------------------------------- Summary of changes: cipher/stribog.c | 22 ++++++++++++++++-- tests/basic.c | 16 +++++++++++++ tests/t-kdf.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 106 insertions(+), 3 deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org _______________________________________________ Gnupg-commits mailing list Gnupg-commits at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-commits From gniibe at fsij.org Mon Nov 28 01:58:52 2016 
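Review bot: in the tests/basic.c hunk (commit fe6077e6), the two new GCRY_MAC_HMAC_STRIBOG256/GCRY_MAC_HMAC_STRIBOG512 entries carry no comment on where the vectors come from, while the entries right after them do (`/* CMAC AES and DES test vectors from ... */`); add a one-line comment naming the TC26ALG document the commit message refers to. The explicit trailing lengths `NULL, 16, 32` are what keep the 0x00 bytes inside the 16-byte message and the 32-byte key (the key starts with `\x00`) from truncating the inputs, so a short comment saying the lengths are deliberate would stop someone "simplifying" them away.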
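Review bot: the new oid_spec_stribog256 and oid_spec_stribog512 tables in the cipher/stribog.c hunk (commit ccffacaf) wire four dotted OIDs into the digest specs, but no test exercises the mapping; a typo in one of the strings would only surface when a certificate or signature using that OID fails to verify. Suggest adding a check alongside the other tests that resolving each dotted string with gcry_md_map_name gives the expected algorithm, e.g. "1.2.643.7.1.1.2.2" -> GCRY_MD_STRIBOG256 and "1.2.643.7.1.1.2.3" -> GCRY_MD_STRIBOG512. A comment above each table explaining why the signwithdigest OIDs are registered next to the plain digest OIDs would also save the next reader a question.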
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Mon, 28 Nov 2016 09:58:52 +0900
Subject: [PATCH 3/3] Add PBKDF2 tests for Stribog512
In-Reply-To: <20161125125247.25885-3-dbaryshkov@gmail.com>
References: <20161125125247.25885-1-dbaryshkov@gmail.com> <20161125125247.25885-3-dbaryshkov@gmail.com>

On 11/25/2016 09:52 PM, Dmitry Eremin-Solenikov wrote:
> * tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's
> additions to PKCS#5.

Thank you. Applied and pushed to master. Since it's no ABI change, also applied and pushed to the 1.7 branch.

--

From stefbon at gmail.com Mon Nov 28 15:32:06 2016
From: stefbon at gmail.com (Stef Bon)
Date: Mon, 28 Nov 2016 15:32:06 +0100
Subject: Howto implement chacha20-poly1305?

Hi,

I'm writing a fuse sftp client, and not making use of openssh (like sshfs does). I'm writing all required procedures and functions to do the negotiation and encryption myself, using libgcrypt. This already works very well.

It basically uses simple encryption like 3des and blowfish and aes, and macs like hmac-sha1 and hmac-sha256.

Now I also want support for newer algos like chacha20-poly1305 and poly1305-AES.

I'm asking because I cannot find any documentation, and the named algos are encryption and hmac combined, and this requires extra attention.

Thanks in advance,

Stef Bon
the Netherlands

From stefbon at gmail.com Mon Nov 28 22:01:50 2016
From: stefbon at gmail.com (Stef Bon)
Date: Mon, 28 Nov 2016 22:01:50 +0100
Subject: Howto implement chacha20-poly1305?

2016-11-28 21:19 GMT+01:00 Dmitry Eremin-Solenikov :
> Hello,
>
> 2016-11-28 17:32 GMT+03:00 Stef Bon :
>> I'm writing a fuse sftp client, and not making use of openssh (like
>
> Would gcry_cipher_open(&hd, GCRY_CIPHER_CHACHA20,
> GCRY_CIPHER_MODE_POLY1305, 0) work for you?
>
> Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
> the tag.
>
> It is an AEAD cipher mode, so there is no separate encryption and separate
> MAC.

Ah. Thanks a lot!

Stef

From dbaryshkov at gmail.com Mon Nov 28 21:19:32 2016
From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov)
Date: Mon, 28 Nov 2016 23:19:32 +0300
Subject: Howto implement chacha20-poly1305?

Hello,

2016-11-28 17:32 GMT+03:00 Stef Bon :
> I'm writing a fuse sftp client, and not making use of openssh (like
> sshfs does). I'm writing all required procedures and functions to do
> the negotiation and encryption myself, using libgcrypt.
> This already works very well.
> It basically uses simple encryption like 3des and blowfish and aes,
> and macs like hmac-sha1 and hmac-sha256.
>
> Now I also want support for newer algos like chacha20-poly1305 and
> poly1305-AES.

Would gcry_cipher_open(&hd, GCRY_CIPHER_CHACHA20, GCRY_CIPHER_MODE_POLY1305, 0) work for you?

Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking the tag.

It is an AEAD cipher mode, so there is no separate encryption and separate MAC.

--
With best wishes
Dmitry

From stefbon at gmail.com Mon Nov 28 23:23:47 2016
From: stefbon at gmail.com (Stef Bon)
Date: Mon, 28 Nov 2016 23:23:47 +0100
Subject: Howto implement chacha20-poly1305?

2016-11-28 22:01 GMT+01:00 Stef Bon :
>> Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
>> the tag.
>>
>> It is an AEAD cipher mode, so there is no separate encryption and separate
>> MAC.
>
> Ah. Thanks a lot!

Do I have to decrypt and encrypt in a special way, as described here:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD

Stef

From jussi.kivilinna at iki.fi Tue Nov 29 17:56:31 2016
From: jussi.kivilinna at iki.fi (Jussi Kivilinna)
Date: Tue, 29 Nov 2016 18:56:31 +0200
Subject: Howto implement chacha20-poly1305?

Hello,

On 29.11.2016 00:23, Stef Bon wrote:
> 2016-11-28 22:01 GMT+01:00 Stef Bon :
>
>>> Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
>>> the tag.
>>>
>>> It is an AEAD cipher mode, so there is no separate encryption and separate
>>> MAC.
>>
>> Ah. Thanks a lot!
>
> Do I have to decrypt and encrypt in a special way, as described here:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD

Unfortunately the AEAD cipher mode for "chacha20poly1305 at openssh.com" is slightly different from the chacha20-poly1305 AEAD described in RFC7539, which libgcrypt implements. The problem is that OpenSSH added chacha20-poly1305 support based on an early draft RFC, and there was a change to the data padding later in the draft series.

So, to get the "chacha20poly1305 at openssh.com" AEAD, you'd need to use separate Chacha20 cipher and Poly1305 mac instances and implement the AEAD mode manually.

gcry_mac_open(... GCRY_MAC_POLY1305 ...)
gcry_cipher_open(... GCRY_CIPHER_CHACHA20 ...)

-Jussi

> Stef

From stefbon at gmail.com Wed Nov 30 11:32:47 2016
From: stefbon at gmail.com (Stef Bon)
Date: Wed, 30 Nov 2016 11:32:47 +0100
Subject: Howto implement chacha20-poly1305?

2016-11-29 17:56 GMT+01:00 Jussi Kivilinna :
> Hello,
>
> Unfortunately the AEAD cipher mode for "chacha20poly1305 at openssh.com" is slightly different from the chacha20-poly1305 AEAD described in RFC7539, which libgcrypt implements. The problem is that OpenSSH added chacha20-poly1305 support based on an early draft RFC, and there was a change to the data padding later in the draft series.
>
> So, to get the "chacha20poly1305 at openssh.com" AEAD, you'd need to use separate Chacha20 cipher and Poly1305 mac instances and implement the AEAD mode manually.
> gcry_mac_open(... GCRY_MAC_POLY1305 ...)
> gcry_cipher_open(... GCRY_CIPHER_CHACHA20 ...)

Sigh and another sigh. Thanks for the answer though; how do I implement the AEAD mode manually?

I know I have to open the cipher using GCRY_CIPHER_CHACHA20, and open the mac using GCRY_HMAC_POLY1305 (you write GCRY_MAC_... but you mean GCRY_HMAC_... ?), but what then? I've read about the function gcry_cipher_authenticate (and gcry_cipher_gettag and gcry_cipher_checktag). Do I have to set the cipher in a special mode?

Maybe good to know: I'm using the documentation which is based on 1.6.4, and chacha20 and poly1305 were added later.

Stef

From wk at gnupg.org Wed Nov 30 16:25:57 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 30 Nov 2016 16:25:57 +0100
Subject: Howto implement chacha20-poly1305?
In-Reply-To: (Jussi Kivilinna's message of "Tue, 29 Nov 2016 18:56:31 +0200")
Message-ID: <87mvgh56re.fsf@wheatstone.g10code.de>

On Tue, 29 Nov 2016 17:56, jussi.kivilinna at iki.fi said:

> which libgcrypt implements. Problem is that OpenSSH add
> chacha20-poly1305 support based on early draft-RFC and there was
> change to data padding later in the draft series.

Given that OpenSSH is a cornerstone of all our infrastructure, what about also adding the draft mode to libgcrypt 1.8? Do we have someone who could do that?

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From jussi.kivilinna at iki.fi Wed Nov 30 20:53:57 2016
From: jussi.kivilinna at iki.fi (Jussi Kivilinna)
Date: Wed, 30 Nov 2016 21:53:57 +0200
Subject: Howto implement chacha20-poly1305?
In-Reply-To: <87mvgh56re.fsf@wheatstone.g10code.de>
References: <87mvgh56re.fsf@wheatstone.g10code.de>

On 30.11.2016 17:25, Werner Koch wrote:
> On Tue, 29 Nov 2016 17:56, jussi.kivilinna at iki.fi said:
>
>> which libgcrypt implements. Problem is that OpenSSH add
>> chacha20-poly1305 support based on early draft-RFC and there was
>> change to data padding later in the draft series.
>
> Given that OpenSSH is a cornerstone of all our infrastructure, what
> about also adding the draft mode to libgcrypt 1.8? Do we have someone
> who could do that?

I was thinking of the same too. I can do it. Draft mode selection would happen with a new gcry_cipher_open flag, maybe GCRY_CIPHER_POLY1305_DRAFT or GCRY_CIPHER_POLY1305_OPENSSH.

-Jussi

From stefbon at gmail.com Wed Nov 30 21:16:38 2016
From: stefbon at gmail.com (Stef Bon)
Date: Wed, 30 Nov 2016 21:16:38 +0100
Subject: Howto implement chacha20-poly1305?
References: <87mvgh56re.fsf@wheatstone.g10code.de>

2016-11-30 20:53 GMT+01:00 Jussi Kivilinna :
>>
>> Given that OpenSSH is a cornerstone of all our infrastructure, what
>> about also adding the draft mode to libgcrypt 1.8? Do we have someone
>> who could do that?
>
> I was thinking of the same too. I can do it. Draft mode selection would
> happen with a new gcry_cipher_open flag, maybe GCRY_CIPHER_POLY1305_DRAFT
> or GCRY_CIPHER_POLY1305_OPENSSH.

If you can do that, that would be great!

Stef