From guidovranken at gmail.com Fri Jun 17 20:14:24 2022 From: guidovranken at gmail.com (Guido Vranken) Date: Fri, 17 Jun 2022 20:14:24 +0200 Subject: Reject invalid HKDF key sizes Message-ID: HKDF prohibits output sizes which exceed digest size * 255. See section 2.3 of RFC 5869. In the following code, the abort() should not be reached: #include #define CF_CHECK_EQ(expr, res) if ( (expr) != (res) ) { goto end; } #define OUTSIZE ((32 * 255) + 1) int main(void) { const unsigned char password[] = {0x00}; const unsigned char salt[] = {0x00}; const unsigned char info[] = {0x00}; gcry_kdf_hd_t hd = {0}; uint8_t out[OUTSIZE]; unsigned long param[1] = {OUTSIZE}; CF_CHECK_EQ(gcry_kdf_open( &hd, GCRY_KDF_HKDF, GCRY_MAC_HMAC_SHA256, param, 1, password, sizeof(password), NULL, 0, salt, sizeof(salt), info, sizeof(info)), GPG_ERR_NO_ERROR); CF_CHECK_EQ(gcry_kdf_compute(hd, NULL), GPG_ERR_NO_ERROR); CF_CHECK_EQ(gcry_kdf_final(hd, OUTSIZE, out), GPG_ERR_NO_ERROR); /* Should not be reached */ abort(); end: gcry_kdf_close(hd); return 0; } -------------- next part -------------- An HTML attachment was scrubbed... URL: From gniibe at fsij.org Tue Jun 21 07:01:48 2022 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 21 Jun 2022 14:01:48 +0900 Subject: Reject invalid HKDF key sizes In-Reply-To: References: Message-ID: <87v8su7goz.fsf@akagi.fsij.org> Guido Vranken wrote: > HKDF prohibits output sizes which exceed digest size * 255. See section 2.3 > of RFC 5869. Thank you. Fixed in the commit: e0f0c788dc0f268965c0f63eb33d9f98c0575d58 -- From cllang at redhat.com Tue Jun 21 19:00:48 2022 
From: cllang at redhat.com (Clemens Lang) Date: Tue, 21 Jun 2022 19:00:48 +0200 Subject: [PATCH 7/7] fips: Skip selftests of unsupported PK algos In-Reply-To: <20220621170048.146023-1-cllang@redhat.com> References: <20220621170048.146023-1-cllang@redhat.com> Message-ID: <20220621170048.146023-8-cllang@redhat.com> * src/fips.c (run_pubkey_selftests): Do not run selftests for disabled public key algorithms. -- Skip running FIPS selftests that are specific for a public key algorithm if that algorithm was disabled using the --enable-pubkey-ciphers configure option. Signed-off-by: Clemens Lang --- src/fips.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/fips.c b/src/fips.c index 89f8204b..a1958b14 100644 --- a/src/fips.c +++ b/src/fips.c @@ -554,8 +554,12 @@ run_pubkey_selftests (int extended) { static int algos[] = { +#if USE_RSA GCRY_PK_RSA, +#endif /* USE_RSA */ +#if USE_ECC GCRY_PK_ECC, +#endif /* USE_ECC */ 0 }; int idx; -- 2.35.3 From cllang at redhat.com Tue Jun 21 19:00:43 2022 From: cllang at redhat.com (Clemens Lang) Date: Tue, 21 Jun 2022 19:00:43 +0200 Subject: [PATCH 2/7] tests/pubkey: Skip tests if PK algo is unavailable In-Reply-To: <20220621170048.146023-1-cllang@redhat.com> References: <20220621170048.146023-1-cllang@redhat.com> Message-ID: <20220621170048.146023-3-cllang@redhat.com> * tests/pubkey.c (check_run, main): Skip tests for unavailable algorithms. -- When libgcrypt is configured with a non-default --enable-pubkey-ciphers option, some of the tests cannot be run because the algorithms are not supported. Skip unsupported tests using preprocessor macros in this case. Signed-off-by: Clemens Lang --- tests/pubkey.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/tests/pubkey.c b/tests/pubkey.c index b352490b..bc44f3a5 100644 --- a/tests/pubkey.c +++ b/tests/pubkey.c 
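Review bot: With both USE_RSA and USE_ECC undefined the table collapses to `{ 0 }`, so the loop that walks it (outside the hunk) runs no public-key self-test at all and, as far as this hunk shows, the FIPS self-test phase still reports success. That is harmless for a non-FIPS build but questionable for a FIPS build that ships no approved public-key algorithm; consider failing or at least logging when `algos[0] == 0` in FIPS mode, and document the degenerate case right at the table, e.g. `/* Empty when no PK algorithm is compiled in: the loop below is then a no-op.  */`. The rest of run_pubkey_selftests, including the loop and its return value, is not visible here.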
@@ -31,6 +31,7 @@ static int in_fips_mode; +#if USE_RSA /* Sample RSA keys, taken from basic.c. */ static const char sample_private_key_1[] = @@ -151,6 +152,7 @@ static const char sample_public_key_1[] = " (e #010001#)\n" " )\n" ")\n"; +#endif /* USE_RSA */ static void @@ -169,6 +171,7 @@ show_sexp (const char *prefix, gcry_sexp_t a) gcry_free (buf); } +#if USE_RSA /* from ../cipher/pubkey-util.c */ static gpg_err_code_t _gcry_pk_util_get_nbits (gcry_sexp_t list, unsigned int *r_nbits) @@ -196,6 +199,7 @@ _gcry_pk_util_get_nbits (gcry_sexp_t list, unsigned int *r_nbits) gcry_sexp_release (list); return 0; } +#endif /* USE_RSA */ /* Convert STRING consisting of hex characters into its binary representation and return it as an allocated buffer. The valid @@ -250,6 +254,7 @@ extract_cmp_data (gcry_sexp_t sexp, const char *name, const char *expected) } +#if USE_RSA || USE_ELGAMAL static void check_keys_crypt (gcry_sexp_t pkey, gcry_sexp_t skey, gcry_sexp_t plain0, gpg_err_code_t decrypt_fail_code) @@ -350,7 +355,9 @@ check_keys (gcry_sexp_t pkey, gcry_sexp_t skey, unsigned int nbits_data, check_keys_crypt (pkey, skey, plain, decrypt_fail_code); gcry_sexp_release (plain); } +#endif /* USE_RSA || USE_ELGAMAL */ +#if USE_RSA static void get_keys_sample (gcry_sexp_t *pkey, gcry_sexp_t *skey, int secret_variant) { @@ -440,8 +447,10 @@ get_keys_x931_new (gcry_sexp_t *pkey, gcry_sexp_t *skey) *pkey = pub_key; *skey = sec_key; } +#endif /* USE_RSA */ +#if USE_ELGAMAL static void get_elg_key_new (gcry_sexp_t *pkey, gcry_sexp_t *skey, int fixed_x) { @@ -485,8 +494,10 @@ get_elg_key_new (gcry_sexp_t *pkey, gcry_sexp_t *skey, int fixed_x) *pkey = pub_key; *skey = sec_key; } +#endif /* USE_ELGAMAL */ +#if USE_DSA static void get_dsa_key_new (gcry_sexp_t *pkey, gcry_sexp_t *skey, int transient_key) { @@ -719,6 +730,7 @@ get_dsa_key_fips186_with_seed_new (gcry_sexp_t *pkey, gcry_sexp_t *skey) *pkey = pub_key; *skey = sec_key; } +#endif /* USE_ELGAMAL */ static void 
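Review bot: The `+#endif /* USE_ELGAMAL */` that closes get_dsa_key_fips186_with_seed_new (hunk @@ -719) actually terminates the `#if USE_DSA` opened before get_dsa_key_new (hunk @@ -485), so its trailing comment is wrong and will mislead anyone matching up the conditionals; it should read `#endif /* USE_DSA */`. Separately, check_keys_crypt and check_keys are now guarded by `#if USE_RSA || USE_ELGAMAL`, while the DSA section of check_run lives in later hunks with most of its body elided; if that section still calls check_keys, a `--enable-pubkey-ciphers=dsa` build will fail to link, which is worth checking. The guarded definitions span several hunks here and their bodies are mostly not visible.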
@@ -728,6 +740,12 @@ check_run (void) gcry_sexp_t pkey, skey; int variant; + (void) err; + (void) pkey; + (void) skey; + (void) variant; + +#if USE_RSA pkey = skey = NULL; for (variant=0; variant < 3; variant++) { @@ -745,7 +763,9 @@ check_run (void) gcry_sexp_release (skey); pkey = skey = NULL; } +#endif /* USE_RSA */ +#if USE_RSA if (verbose) fprintf (stderr, "Checking generated RSA key.\n"); get_keys_new (&pkey, &skey); @@ -761,7 +781,9 @@ check_run (void) gcry_sexp_release (pkey); gcry_sexp_release (skey); pkey = skey = NULL; +#endif /* USE_RSA */ +#if USE_ELGAMAL if (verbose) fprintf (stderr, "Checking generated Elgamal key.\n"); get_elg_key_new (&pkey, &skey, 0); @@ -779,7 +801,9 @@ check_run (void) gcry_sexp_release (pkey); gcry_sexp_release (skey); pkey = skey = NULL; +#endif /* USE_ELGAMAL */ +#if USE_DSA if (verbose) fprintf (stderr, "Generating DSA key.\n"); get_dsa_key_new (&pkey, &skey, 0); @@ -849,10 +873,12 @@ check_run (void) gcry_sexp_release (pkey); gcry_sexp_release (skey); pkey = skey = NULL; +#endif /* USE_DSA */ } +#ifdef USE_RSA static gcry_mpi_t key_param_from_sexp (gcry_sexp_t sexp, const char *topname, const char *name) { @@ -1080,9 +1106,11 @@ leave: gcry_sexp_release (pub_key); gcry_sexp_release (sec_key); } +#endif /* USE_RSA */ +#if USE_ECC static void check_ecc_sample_key (void) { @@ -1296,6 +1324,7 @@ check_ed25519ecdsa_sample_key (void) gcry_sexp_release (key); gcry_sexp_release (hash); } +#endif /* USE_ECC */ int @@ -1326,12 +1355,16 @@ main (int argc, char **argv) for (i=0; i < 2; i++) check_run (); +#ifdef USE_RSA for (i=0; i < 4; i++) check_x931_derived_key (i); +#endif /* USE_RSA */ +#ifdef USE_ECC check_ecc_sample_key (); if (!in_fips_mode) check_ed25519ecdsa_sample_key (); +#endif /* USE_ECC */ return !!error_count; } -- 2.35.3 From cllang at redhat.com Tue Jun 21 19:00:41 2022 
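Review bot: The new guards mix `#if USE_RSA` / `#if USE_ECC` (check_run, check_ecc_sample_key) with `#ifdef USE_RSA` / `#ifdef USE_ECC` (key_param_from_sexp and main), which only agree because configure defines the macros to 1; a `-DUSE_RSA=0` build would disable one set of tests but not the other. Use the `#if` form throughout this file, as the other hunks and fips.c already do, e.g. replace `#ifdef USE_RSA` with `#if USE_RSA` before key_param_from_sexp and in main, and `#ifdef USE_ECC` with `#if USE_ECC` in main. The two adjacent `#if USE_RSA` blocks in check_run (separated only by `#endif` / `#if USE_RSA`) could also be merged. Since `(void) err; (void) pkey; (void) skey; (void) variant;` show that check_run becomes empty in an ECC-only build, a verbose-mode note that the RSA/Elgamal/DSA checks were skipped would keep the reduced coverage visible in the test log.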
From: cllang at redhat.com (Clemens Lang) Date: Tue, 21 Jun 2022 19:00:41 +0200 Subject: Test suite fixes with --enable-pubkey-ciphers=ecc Message-ID: <20220621170048.146023-1-cllang@redhat.com> Hello, I'm currently working on extending the GitLab CI system at [1] with a reduced configuration to catch issues where code does not use the appropriate pre-processor defines for one of the --enable-{ciphers,pubkey-ciphers,digests,kdfs,random} configure options. I compiled what one might call a very modern configuration (see below) and was pleasntly surprised that most of the tests seems to work just fine. The only issues I noticed were that the tests really expect to be compiled with support for RSA (that's reasonable, I'd say) and ElGamal and DSA (where I'd say it's more likely for users to actually do that). I tested: --enable-ciphers="aes salsa20 chacha20" \ --enable-pubkey-ciphers="ecc" \ --enable-digests="sha256 sha512 sha3 blake2" \ --enable-kdfs="pkdf2 scrypt" \ --enable-random="getentropy" \ --enable-static \ --disable-shared \ --enable-maintainer-mode \ --disable-asm This patch series fixes the issues caused by --enable-pubkey-ciphers=ecc (and hopefully also fixes the use of ECC without a proper #if or runtime check). [1] https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror HTH, Clemens -- Clemens Lang RHEL Crypto Team Red Hat From cllang at redhat.com Tue Jun 21 19:00:42 2022 From: cllang at redhat.com (Clemens Lang) Date: Tue, 21 Jun 2022 19:00:42 +0200 Subject: [PATCH 1/7] kdf: Skip tests if hash algo is not available In-Reply-To: <20220621170048.146023-1-cllang@redhat.com> References: <20220621170048.146023-1-cllang@redhat.com> Message-ID: <20220621170048.146023-2-cllang@redhat.com> * tests/t-kdf.c (check_openpgp, check_pbkdf2): Test digest availability. -- Skip tests that would fail if libgcrypt is compiled with an --enable-digests option that does not include the required digest algorithms for the test vectors. 
Signed-off-by: Clemens Lang --- tests/t-kdf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/t-kdf.c b/tests/t-kdf.c index 4596c5c7..18c0602d 100644 --- a/tests/t-kdf.c +++ b/tests/t-kdf.c @@ -862,6 +862,8 @@ check_openpgp (void) /* MD5 isn't supported in fips mode */ if (in_fips_mode && tv[tvidx].hashalgo == GCRY_MD_MD5) continue; + if (gcry_md_test_algo (tv[tvidx].hashalgo) != 0) + continue; if (verbose) fprintf (stderr, "checking S2K test vector %d\n", tvidx); assert (tv[tvidx].dklen <= sizeof outbuf); @@ -1097,6 +1099,8 @@ check_pbkdf2 (void) { if (tv[tvidx].disabled) continue; + if (gcry_md_test_algo (tv[tvidx].hashalgo) != 0) + continue; if (verbose) fprintf (stderr, "checking PBKDF2 test vector %d algo %d\n", tvidx, tv[tvidx].hashalgo); -- 2.35.3 From cllang at redhat.com Tue Jun 21 19:00:44 2022 From: cllang at redhat.com (Clemens Lang) Date: Tue, 21 Jun 2022 19:00:44 +0200 Subject: [PATCH 3/7] tests/basic: Skip tests if PK algo is unavailable In-Reply-To: <20220621170048.146023-1-cllang@redhat.com> References: <20220621170048.146023-1-cllang@redhat.com> Message-ID: <20220621170048.146023-4-cllang@redhat.com> * tests/basic.c (check_pubkey): Skip tests if the required public key algorithm is not available. -- When libgcrypt is configured with a non-default --enable-pubkey-ciphers option (e.g., without RSA), some of the tests cannot be run because the algorithms are not supported. Check for unsupported algorithms using gcry_pk_test_algo and print a message if they are not available. Signed-off-by: Clemens Lang --- tests/basic.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/tests/basic.c b/tests/basic.c index ab00667e..ecbe58c2 100644 --- a/tests/basic.c +++ b/tests/basic.c 
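Review bot: The two new `gcry_md_test_algo (tv[tvidx].hashalgo) != 0` checks skip a vector silently, so a build that unexpectedly loses a digest still reports t-kdf as passing with no trace of the reduced coverage. Print the reason at least under `verbose`, e.g. `if (verbose) fprintf (stderr, "skipping S2K test vector %d: digest %d not available\n", tvidx, tv[tvidx].hashalgo);` before the `continue`, and the same for the PBKDF2 loop. Note also that gcry_md_test_algo presumably fails for non-approved digests in FIPS mode, which would make the explicit MD5 check just above redundant — worth confirming rather than assuming. Both loops start and end outside the hunks.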
@@ -206,6 +206,22 @@ show_mac_not_available (int algo) } +static void +show_pk_not_available (int algo) +{ + static int list[100]; + static int listlen; + int i; + + for (i = 0; i < listlen; i++) + if (algo == list[i]) + return; /* Note already printed. */ + if (listlen < DIM (list)) + list[listlen++] = algo; + show_note ("PK algorithm %d not available - skipping tests", algo); +} + + static void progress_handler (void *cb_data, const char *what, int printchar, @@ -9428,6 +9444,8 @@ check_gost28147_cipher_basic (enum gcry_cipher_algos algo) gcry_cipher_close (hdd); } +#else + (void) algo; #endif } @@ -17079,7 +17097,7 @@ check_pubkey (void) } else { - fail ("gcry_pk_test_algo failed: %s\n", gpg_strerror (err)); + show_pk_not_available (pubkeys[i].id); continue; } } @@ -17090,7 +17108,10 @@ check_pubkey (void) if (verbose) fprintf (stderr, "Starting additional public key check.\n"); - check_one_pubkey_new (i); + if (gcry_pk_test_algo (GCRY_PK_RSA) == 0) + check_one_pubkey_new (i); + else + show_pk_not_available (GCRY_PK_RSA); if (verbose) fprintf (stderr, "Completed additional public key check.\n"); -- 2.35.3 From cllang at redhat.com Tue Jun 21 19:00:46 2022 From: cllang at redhat.com (Clemens Lang) Date: Tue, 21 Jun 2022 19:00:46 +0200 Subject: [PATCH 5/7] tests/keygen.c: Skip unavailable PK algorithms In-Reply-To: <20220621170048.146023-1-cllang@redhat.com> References: <20220621170048.146023-1-cllang@redhat.com> Message-ID: <20220621170048.146023-6-cllang@redhat.com> * tests/keygen.c (show_mpi, check_rsa_keys, check_elg_keys, check_dsa_keys, check_generated_ecc_key, check_ecc_keys): Skip tests if the required public key algorithm is not available. -- When libgcrypt is configured with a non-default --enable-pubkey-ciphers option, some of the keygen tests cannot be run because the algorithms are not supported. Disable those using preprocessor macros. Signed-off-by: Clemens Lang --- tests/keygen.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
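Review bot: Replacing `fail ("gcry_pk_test_algo failed: %s\n", gpg_strerror (err))` with `show_pk_not_available (pubkeys[i].id)` in hunk @@ -17079 turns every non-zero return of gcry_pk_test_algo into a skip, not only the "algorithm not compiled in" case, so a genuine failure from that path would now pass as a note. Keep the hard failure for unexpected codes, e.g. `if (gpg_err_code (err) == GPG_ERR_PUBKEY_ALGO) show_pk_not_available (pubkeys[i].id); else fail ("gcry_pk_test_algo failed: %s\n", gpg_strerror (err));`. The enclosing if/else and the loop over `pubkeys` start outside the hunk, so the FIPS-mode branch handled above is not visible here; the same consideration applies to the `gcry_pk_test_algo (GCRY_PK_RSA) == 0` check in hunk @@ -17090.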
diff --git a/tests/keygen.c b/tests/keygen.c index 5b154c94..45cd0dcc 100644 --- a/tests/keygen.c +++ b/tests/keygen.c @@ -69,6 +69,7 @@ show_sexp (const char *prefix, gcry_sexp_t a) } +#if USE_RSA static void show_mpi (const char *prefix, gcry_mpi_t a) { @@ -131,11 +132,13 @@ check_generated_rsa_key (gcry_sexp_t key, unsigned long expected_e) gcry_sexp_release (skey); } } +#endif /* USE_RSA */ static void check_rsa_keys (void) { +#if USE_RSA gcry_sexp_t keyparm, key; int rc; @@ -249,12 +252,14 @@ check_rsa_keys (void) if (!rc) check_generated_rsa_key (key, 0); /* We don't expect a constant exponent. */ gcry_sexp_release (key); +#endif /* USE_RSA */ } static void check_elg_keys (void) { +#if USE_ELGAMAL gcry_sexp_t keyparm, key; int rc; @@ -276,12 +281,14 @@ check_elg_keys (void) if (verbose > 1) show_sexp ("1024 bit Elgamal key:\n", key); gcry_sexp_release (key); +#endif /* USE_ELGAMAL */ } static void check_dsa_keys (void) { +#if USE_DSA gcry_sexp_t keyparm, key; int rc; int i; @@ -389,9 +396,11 @@ check_dsa_keys (void) if (verbose > 1) show_sexp ("2048 bit DSA key:\n", key); gcry_sexp_release (key); +#endif /* USE_DSA */ } +#if USE_ECC static void check_generated_ecc_key (gcry_sexp_t key) { @@ -425,11 +434,13 @@ check_generated_ecc_key (gcry_sexp_t key) fail ("gcry_pk_testkey failed on key pair: %s\n", gpg_strerror (rc)); } } +#endif /* USE_ECC */ static void check_ecc_keys (void) { +#if USE_ECC const char *curves[] = { "NIST P-521", "NIST P-384", "NIST P-256", "Ed25519", NULL }; int testno; @@ -611,6 +622,7 @@ check_ecc_keys (void) check_generated_ecc_key (key); } gcry_sexp_release (key); +#endif /* USE_ECC */ } -- 2.35.3 From cllang at redhat.com Tue Jun 21 19:00:47 2022 
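Review bot: check_rsa_keys, check_elg_keys, check_dsa_keys and check_ecc_keys now compile to empty functions when their algorithm is disabled, so keygen prints nothing and exits 0 without indicating which key families it did not exercise. Add an `#else` branch that records the skip, e.g. `#else /* !USE_RSA */ if (verbose) fprintf (stderr, "RSA not compiled in - skipping\n");`, in the spirit of the show_pk_not_available note this series adds to basic.c. Also, show_mpi is now inside `#if USE_RSA` together with check_generated_rsa_key; if any other function in the file (not visible here) still calls show_mpi, an ECC-only build will fail to compile, so a quick grep is worthwhile. The function bodies are elided between the hunks.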
From: cllang at redhat.com (Clemens Lang) Date: Tue, 21 Jun 2022 19:00:47 +0200 Subject: [PATCH 6/7] build: Skip PK-specific tests if algo is disabled In-Reply-To: <20220621170048.146023-1-cllang@redhat.com> References: <20220621170048.146023-1-cllang@redhat.com> Message-ID: <20220621170048.146023-7-cllang@redhat.com> * configure.ac: Define AM_CONDITIONALs for USE_DSA, USE_RSA, USE_ELGAMAL, USE_ECC so Makefiles can depend on them. * tests/Makefile.am: Skip tests that test only one public key algorithm if that algorithm is disabled. -- Skip building and running tests that are specific for a public key algorithm if that algorithm was disabled using the --enable-pubkey-ciphers configure option. Signed-off-by: Clemens Lang --- configure.ac | 4 ++++ tests/Makefile.am | 19 +++++++++++++++---- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 52741db2..946659c5 100644 --- a/configure.ac +++ b/configure.ac @@ -2860,24 +2860,28 @@ if test "$found" = "1" ; then fi LIST_MEMBER(dsa, $enabled_pubkey_ciphers) +AM_CONDITIONAL(USE_DSA, [test "$found" = "1"]) if test "$found" = "1" ; then GCRYPT_PUBKEY_CIPHERS="$GCRYPT_PUBKEY_CIPHERS dsa.lo" AC_DEFINE(USE_DSA, 1, [Defined if this module should be included]) fi LIST_MEMBER(rsa, $enabled_pubkey_ciphers) +AM_CONDITIONAL(USE_RSA, [test "$found" = "1"]) if test "$found" = "1" ; then GCRYPT_PUBKEY_CIPHERS="$GCRYPT_PUBKEY_CIPHERS rsa.lo" AC_DEFINE(USE_RSA, 1, [Defined if this module should be included]) fi LIST_MEMBER(elgamal, $enabled_pubkey_ciphers) +AM_CONDITIONAL(USE_ELGAMAL, [test "$found" = "1"]) if test "$found" = "1" ; then GCRYPT_PUBKEY_CIPHERS="$GCRYPT_PUBKEY_CIPHERS elgamal.lo" AC_DEFINE(USE_ELGAMAL, 1, [Defined if this module should be included]) fi LIST_MEMBER(ecc, $enabled_pubkey_ciphers) +AM_CONDITIONAL(USE_ECC, [test "$found" = "1"]) if test "$found" = "1" ; then GCRYPT_PUBKEY_CIPHERS="$GCRYPT_PUBKEY_CIPHERS \ ecc.lo ecc-curves.lo ecc-misc.lo \ 
diff --git a/tests/Makefile.am b/tests/Makefile.am index e6953fd3..f65725bc 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -23,11 +23,22 @@ # the driver is only used for cross-compiling. tests_bin = \ version t-secmem mpitests t-sexp t-convert \ - t-mpi-bit t-mpi-point curves t-lock \ + t-mpi-bit t-mpi-point t-lock \ prime basic keygen pubkey hmac hashtest t-kdf keygrip \ - fips186-dsa aeswrap pkcs1v2 random dsa-rfc6979 \ - t-dsa t-ecdsa t-rsa-pss t-rsa-15 \ - t-ed25519 t-cv25519 t-x448 t-ed448 + aeswrap random + +if USE_RSA +tests_bin += pkcs1v2 t-rsa-pss t-rsa-15 +endif + +if USE_DSA +tests_bin += fips186-dsa dsa-rfc6979 t-dsa +endif + +if USE_ECC +tests_bin += curves t-ecdsa t-ed25519 t-cv25519 t-x448 t-ed448 +endif + tests_bin_last = benchmark bench-slope -- 2.35.3 From cllang at redhat.com Tue Jun 21 19:00:45 2022 From: cllang at redhat.com (Clemens Lang) Date: Tue, 21 Jun 2022 19:00:45 +0200 Subject: [PATCH 4/7] tests/benchmark: Skip unavailable PK algorithms In-Reply-To: <20220621170048.146023-1-cllang@redhat.com> References: <20220621170048.146023-1-cllang@redhat.com> Message-ID: <20220621170048.146023-5-cllang@redhat.com> * tests/benchmark.c (cipher_bench, rsa_bench, elg_bench, dsa_bench, ecc_bench): Do not run benchmarks for PK algorithms that are not supported in the current build. -- When libgcrypt is configured with a non-default --enable-pubkey-ciphers option, some of the benchmarks cannot be run because the algorithms are not supported. Disable those using preprocessor macros, but add explicit uses of the function parameters to avoid compiler warnings. Signed-off-by: Clemens Lang --- tests/benchmark.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/benchmark.c b/tests/benchmark.c index a45fc5ff..a23cf74b 100644 --- a/tests/benchmark.c +++ b/tests/benchmark.c 
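Review bot: `keygrip` stays in the unconditional `tests_bin` list, yet a keygrip test normally exercises RSA, DSA and ECC key material; since the series does not touch tests/keygrip.c (the cover letter lists only pubkey, basic, benchmark, keygen and t-kdf), an ECC-only build may still fail at `make check` on the RSA/DSA vectors — I cannot see keygrip.c here, so this is worth checking. The same question applies to gating `pkcs1v2` on USE_RSA only, which is correct if that test contains solely RSA vectors. A short comment above the new conditionals, e.g. `# Algorithm-specific tests: built only when the algorithm is enabled.`, would make the intent clear to the next maintainer.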
@@ -71,6 +71,7 @@ static int with_progress; static int single_char_progress; +#if USE_DSA static const char sample_private_dsa_key_1024[] = "(private-key\n" " (dsa\n" @@ -256,8 +257,10 @@ static const char sample_public_dsa_key_3072[] = "3DB98C4297CB678046ED55C0DBE60BF7142C594603E4D705DC3D17270F9F086EC561" "2703D518D8D49FF0EBE6#)\n" "))\n"; +#endif /* USE_DSA */ +#if USE_ELGAMAL static const char sample_public_elg_key_1024[] = "(public-key" " (elg" @@ -392,6 +395,7 @@ static const char sample_private_elg_key_3072[] = " (x #03A73F0389E470AAC831B039F8AA0C4EBD3A47DD083E32EEA08E4911236CD597C272" "9823D47A51C8535DA52FE6DAB3E8D1C20D#)" " ))"; +#endif /* USE_ELGAMAL */ #define BUG() do {fprintf ( stderr, "Ooops at %s:%d\n", __FILE__ , __LINE__ );\ @@ -1136,6 +1140,7 @@ cipher_bench ( const char *algoname ) static void rsa_bench (int iterations, int print_header, int no_blinding) { +#if USE_RSA gpg_error_t err; int p_sizes[] = { 1024, 2048, 3072, 4096 }; int testno; @@ -1257,12 +1262,18 @@ rsa_bench (int iterations, int print_header, int no_blinding) gcry_sexp_release (sec_key); gcry_sexp_release (pub_key); } +#else /* USE_RSA */ + (void) iterations; + (void) print_header; + (void) no_blinding; +#endif /* USE_RSA */ } static void elg_bench (int iterations, int print_header) { +#ifdef USE_ELGAMAL gpg_error_t err; gcry_sexp_t pub_key[3], sec_key[3]; int p_sizes[3] = { 1024, 2048, 3072 }; @@ -1374,12 +1385,17 @@ elg_bench (int iterations, int print_header) gcry_sexp_release (sec_key[i]); gcry_sexp_release (pub_key[i]); } +#else /* USE_ELGAMAL */ + (void) iterations; + (void) print_header; +#endif /* USE_ELGAMAL */ } static void dsa_bench (int iterations, int print_header) { +#ifdef USE_DSA gpg_error_t err; gcry_sexp_t pub_key[3], sec_key[3]; int p_sizes[3] = { 1024, 2048, 3072 }; 
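Review bot: The guards are inconsistent within the same file: the sample keys use `#if USE_DSA` / `#if USE_ELGAMAL` and rsa_bench uses `#if USE_RSA`, but elg_bench and dsa_bench use `#ifdef USE_ELGAMAL` / `#ifdef USE_DSA`; both forms work today only because configure defines the macros to 1. Use `#if USE_ELGAMAL` in elg_bench and `#if USE_DSA` in dsa_bench so that a zero definition behaves the same everywhere. The ChangeLog entry also names cipher_bench, but the `@@ -1136` hunk only shows cipher_bench as the function-name context — the change there is to rsa_bench — so the entry should list rsa_bench, elg_bench, dsa_bench and ecc_bench only. The benchmark function bodies are elided between hunks.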
@@ -1485,6 +1501,10 @@ dsa_bench (int iterations, int print_header) gcry_sexp_release (sec_key[i]); gcry_sexp_release (pub_key[i]); } +#else + (void) iterations; + (void) print_header; +#endif /* USE_DSA */ } @@ -1648,6 +1668,9 @@ ecc_bench (int iterations, int print_header) gcry_sexp_release (sec_key); gcry_sexp_release (pub_key); } +#else + (void) iterations; + (void) print_header; #endif /*USE_ECC*/ } -- 2.35.3 From jussi.kivilinna at iki.fi Tue Jun 28 11:20:15 2022 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Tue, 28 Jun 2022 12:20:15 +0300 Subject: [PATCH 2/2] camellia/gfni/avx512: add missing register clearing on function exits In-Reply-To: <20220628092015.406945-1-jussi.kivilinna@iki.fi> References: <20220628092015.406945-1-jussi.kivilinna@iki.fi> Message-ID: <20220628092015.406945-2-jussi.kivilinna@iki.fi> * cipher/camellia-gfni-avx512-amd64.S: Add clear_regs() at externally visible function epilogues. --- Signed-off-by: Jussi Kivilinna --- cipher/camellia-gfni-avx512-amd64.S | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/cipher/camellia-gfni-avx512-amd64.S b/cipher/camellia-gfni-avx512-amd64.S index 70e10460..eb9c01f2 100644 --- a/cipher/camellia-gfni-avx512-amd64.S +++ b/cipher/camellia-gfni-avx512-amd64.S @@ -972,6 +972,8 @@ _gcry_camellia_gfni_avx512_ctr_enc: %zmm15, %zmm14, %zmm13, %zmm12, %zmm11, %zmm10, %zmm9, %zmm8, %rsi); + clear_regs(); + ret_spec_stop; CFI_ENDPROC(); ELF(.size _gcry_camellia_gfni_avx512_ctr_enc,.-_gcry_camellia_gfni_avx512_ctr_enc;) @@ -1032,6 +1034,8 @@ _gcry_camellia_gfni_avx512_cbc_dec: /* store new IV */ vmovdqu64 %xmm16, (0)(%r9); + clear_regs(); + ret_spec_stop; CFI_ENDPROC(); ELF(.size _gcry_camellia_gfni_avx512_cbc_dec,.-_gcry_camellia_gfni_avx512_cbc_dec;) 
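Review bot: cbc_dec visibly keeps the new IV in `%xmm16` immediately before the added `clear_regs()`, and AVX-512 code can hold key or plaintext state in `%zmm16`–`%zmm31` and in the `k` mask registers; the hunks do not show what clear_regs() expands to, so please confirm the macro covers those registers and not only `%zmm0`–`%zmm15`, otherwise the clearing added here still leaves sensitive state behind on exit. A one-line comment at each call, e.g. `/* Wipe all vector/mask state before returning to C.  */`, would record why this is required at every externally visible epilogue. The function bodies lie between the hunks and are not visible here.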
@@ -1103,6 +1107,8 @@ _gcry_camellia_gfni_avx512_cfb_dec: %zmm15, %zmm14, %zmm13, %zmm12, %zmm11, %zmm10, %zmm9, %zmm8, %rsi); + clear_regs(); + ret_spec_stop; CFI_ENDPROC(); ELF(.size _gcry_camellia_gfni_avx512_cfb_dec,.-_gcry_camellia_gfni_avx512_cfb_dec;) @@ -1254,6 +1260,8 @@ _gcry_camellia_gfni_avx512_ocb_enc: %zmm15, %zmm14, %zmm13, %zmm12, %zmm11, %zmm10, %zmm9, %zmm8, %rsi); + clear_regs(); + popq %rbx; CFI_RESTORE(%rbx); popq %r15; @@ -1264,6 +1272,7 @@ _gcry_camellia_gfni_avx512_ocb_enc: CFI_RESTORE(%r12); popq %r12; CFI_RESTORE(%r13); + ret_spec_stop; CFI_ENDPROC(); ELF(.size _gcry_camellia_gfni_avx512_ocb_enc,.-_gcry_camellia_gfni_avx512_ocb_enc;) @@ -1420,6 +1429,8 @@ _gcry_camellia_gfni_avx512_ocb_dec: vpternlogq $0x96, (%r8), %xmm0, %xmm8; vmovdqu64 %xmm8, (%r8); + clear_regs(); + popq %rbx; CFI_RESTORE(%rbx); popq %r15; @@ -1430,6 +1441,7 @@ _gcry_camellia_gfni_avx512_ocb_dec: CFI_RESTORE(%r12); popq %r12; CFI_RESTORE(%r13); + ret_spec_stop; CFI_ENDPROC(); ELF(.size _gcry_camellia_gfni_avx512_ocb_dec,.-_gcry_camellia_gfni_avx512_ocb_dec;) -- 2.34.1 From jussi.kivilinna at iki.fi Tue Jun 28 11:20:14 2022 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Tue, 28 Jun 2022 12:20:14 +0300 Subject: [PATCH 1/2] tests/basic: enable IV checks for CBC/CFB/CTR bulk tests Message-ID: <20220628092015.406945-1-jussi.kivilinna@iki.fi> * cipher/cipher.c (_gcry_cipher_ctl): Add handling for 'PRIV_CIPHERCTL_GET_COUNTER'. * src/gcrypt-testapi.h (PRIV_CIPHERCTL_GET_COUNTER): New. * tests/basic.c (cipher_cbc_bulk_test, cipher_cfb_bulk_test): Restore IV checks by reading current IV from CBC/CFB cipher handle using PRIV_CIPHERCTL_GET_INPUT_VECTOR. (cipher_ctr_bulk_test): Restore counter checks by reading current counter from CTR cipher handle using PRIV_CIPHERCTL_GET_COUNTER. --- 
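Review bot: In both OCB epilogues the context lines read `CFI_RESTORE(%r12); popq %r12; CFI_RESTORE(%r13);`, i.e. the CFI restore annotations appear shifted by one register relative to the pops; this is pre-existing rather than introduced here, but since the patch touches exactly these epilogues it is a good moment to pair each `popq %rN` with its own `CFI_RESTORE(%rN)`, as an unwinder otherwise reports wrong callee-saved values inside the epilogue. Placing `clear_regs()` before the pops is presumably fine because the macro should not touch general-purpose registers; a comment such as `/* Clear vector registers before restoring callee-saved GPRs.  */` would make that ordering constraint explicit. Whether any early-exit path in these functions bypasses the new clearing cannot be seen from the hunks.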
Signed-off-by: Jussi Kivilinna --- cipher/cipher.c | 24 ++++ src/gcrypt-testapi.h | 1 + tests/basic.c | 263 +++++++++++++++++++++++++++---------------- 3 files changed, 192 insertions(+), 96 deletions(-) diff --git a/cipher/cipher.c b/cipher/cipher.c index d1443a62..9e850470 100644 --- a/cipher/cipher.c +++ b/cipher/cipher.c @@ -1651,6 +1651,30 @@ _gcry_cipher_ctl (gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen) } break; + case PRIV_CIPHERCTL_GET_COUNTER: /* (private) */ + /* This is the input block as used in CTR mode which has + initially been set as IV. The returned format is: + 1 byte Actual length of the block in bytes. + n byte The block. + If the provided buffer is too short, an error is returned. */ + if (buflen < (1 + h->spec->blocksize)) + rc = GPG_ERR_TOO_SHORT; + else + { + unsigned char *ctrp; + unsigned char *dst = buffer; + int n = h->unused; + + if (!n) + n = h->spec->blocksize; + gcry_assert (n <= h->spec->blocksize); + *dst++ = n; + ctrp = h->u_ctr.ctr + h->spec->blocksize - n; + while (n--) + *dst++ = *ctrp++; + } + break; + case GCRYCTL_SET_SBOX: if (h->spec->set_extra_info) rc = h->spec->set_extra_info diff --git a/src/gcrypt-testapi.h b/src/gcrypt-testapi.h index 0417754f..f5608084 100644 --- a/src/gcrypt-testapi.h +++ b/src/gcrypt-testapi.h @@ -41,6 +41,7 @@ /* For use with gcry_cipher_ctl: */ #define PRIV_CIPHERCTL_DISABLE_WEAK_KEY 61 #define PRIV_CIPHERCTL_GET_INPUT_VECTOR 62 +#define PRIV_CIPHERCTL_GET_COUNTER 63 /* Private interfaces for testing of random-drbg.c. */ diff --git a/tests/basic.c b/tests/basic.c index ab00667e..05934891 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -36,6 +36,7 @@ #endif #include "../src/gcrypt-int.h" +#include "../src/gcrypt-testapi.h" #define PGM "basic" #include "t-common.h" 
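Review bot: The new `PRIV_CIPHERCTL_GET_COUNTER` handler does not verify that the handle is in CTR mode before reading `h->u_ctr.ctr` and `h->unused`; on a CBC/CFB/OFB handle it returns whatever the union holds, and `h->unused` carries a different meaning in those modes, so `n` may not describe a counter at all. Reject other modes first, e.g. `if (h->mode != GCRY_CIPHER_MODE_CTR) rc = GPG_ERR_INV_CIPHER_MODE; else if (buflen < (1 + h->spec->blocksize)) rc = GPG_ERR_TOO_SHORT;` (assuming the mode field is `h->mode` as elsewhere in cipher.c; it is not visible in this hunk). Although the id lives in gcrypt-testapi.h, it is reachable through the public gcry_cipher_ctl dispatcher, so the case should be as defensive as a public one; the same question applies to the existing GET_INPUT_VECTOR case above it, which is outside the hunk.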
@@ -11717,6 +11718,7 @@ cipher_cbc_bulk_test (int cipher_algo) gcry_cipher_hd_t hd_cbc; gcry_error_t err = 0; unsigned char *plaintext, *plaintext2, *ciphertext, *iv, *iv2, *mem; + unsigned char *getivbuf; unsigned int memsize; unsigned int keylen; @@ -11740,7 +11742,7 @@ cipher_cbc_bulk_test (int cipher_algo) return -1; } - memsize = (blocksize * 2) + (blocksize * nblocks * 3) + 16; + memsize = (blocksize * 2) + (blocksize * nblocks * 3) + 16 + (blocksize + 1); mem = xcalloc (1, memsize); if (!mem) @@ -11752,6 +11754,7 @@ cipher_cbc_bulk_test (int cipher_algo) plaintext = iv2 + blocksize; plaintext2 = plaintext + nblocks * blocksize; ciphertext = plaintext2 + nblocks * blocksize; + getivbuf = ciphertext + nblocks * blocksize; err = gcry_cipher_open (&hd_one, cipher_algo, GCRY_CIPHER_MODE_ECB, 0); if (err) @@ -11830,8 +11833,17 @@ cipher_cbc_bulk_test (int cipher_algo) return -1; } -#if 0 /* missing interface for reading IV */ - if (memcmp (iv2, iv, blocksize)) + err = gcry_cipher_ctl (hd_cbc, PRIV_CIPHERCTL_GET_INPUT_VECTOR, getivbuf, + blocksize + 1); + if (err || getivbuf[0] != blocksize) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_cbc); + xfree(mem); + fail ("%s-CBC-%d test failed (CBC getiv fail)", cipher, blocksize * 8); + return -1; + } + if (memcmp (getivbuf + 1, iv, blocksize)) { gcry_cipher_close (hd_one); gcry_cipher_close (hd_cbc); @@ -11839,7 +11851,6 @@ cipher_cbc_bulk_test (int cipher_algo) fail ("%s-CBC-%d test failed (IV mismatch)", cipher, blocksize * 8); return -1; } -#endif /* Test parallelized code paths */ memset (iv, 0x5f, blocksize); 
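Review bot: The `(CBC getiv fail)` message in hunk @@ -11830 drops the error code and the returned length, so a failing gcry_cipher_ctl and a wrong length byte are indistinguishable in the log; report both, e.g. `fail ("%s-CBC-%d test failed (CBC getiv fail: %s, len %d)", cipher, blocksize * 8, gpg_strerror (err), getivbuf[0]);`. The new block also spells `xfree(mem)` without the space that every other call on these lines (`gcry_cipher_close (hd_one)`) uses in GNU style. cipher_cbc_bulk_test starts before hunk @@ -11717 and continues past the last hunk here.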
@@ -11895,8 +11906,18 @@ cipher_cbc_bulk_test (int cipher_algo) cipher, blocksize * 8); return -1; } -#if 0 /* missing interface for reading IV */ - if (memcmp (iv2, iv, blocksize)) + err = gcry_cipher_ctl (hd_cbc, PRIV_CIPHERCTL_GET_INPUT_VECTOR, getivbuf, + blocksize + 1); + if (err || getivbuf[0] != blocksize) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_cbc); + xfree(mem); + fail ("%s-CBC-%d test failed (CBC getiv fail, parallel path)", + cipher, blocksize * 8); + return -1; + } + if (memcmp (getivbuf + 1, iv, blocksize)) { gcry_cipher_close (hd_one); gcry_cipher_close (hd_cbc); @@ -11905,7 +11926,6 @@ cipher_cbc_bulk_test (int cipher_algo) cipher, blocksize * 8); return -1; } -#endif gcry_cipher_close (hd_one); gcry_cipher_close (hd_cbc); @@ -11938,6 +11958,7 @@ cipher_cfb_bulk_test (int cipher_algo) gcry_error_t err = 0; int i, offs; unsigned char *plaintext, *plaintext2, *ciphertext, *iv, *iv2, *mem; + unsigned char *getivbuf; unsigned int memsize; unsigned int keylen; @@ -11961,7 +11982,7 @@ cipher_cfb_bulk_test (int cipher_algo) return -1; } - memsize = (blocksize * 2) + (blocksize * nblocks * 3) + 16; + memsize = (blocksize * 2) + (blocksize * nblocks * 3) + 16 + (blocksize + 1); mem = xcalloc (1, memsize); if (!mem) @@ -11973,6 +11994,7 @@ cipher_cfb_bulk_test (int cipher_algo) plaintext = iv2 + blocksize; plaintext2 = plaintext + nblocks * blocksize; ciphertext = plaintext2 + nblocks * blocksize; + getivbuf = ciphertext + nblocks * blocksize; err = gcry_cipher_open (&hd_one, cipher_algo, GCRY_CIPHER_MODE_ECB, 0); if (err) 
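Review bot: The same close/close/xfree/fail/return sequence is now repeated for every check in this function, and the hunk adds two more verbatim copies for the parallel path; this is the pattern a single `goto leave;` cleanup label exists to avoid, and it makes a forgotten `xfree(mem)` impossible. The shape below shows the two new checks rewritten that way; `int rc = -1;` would be declared at the top of the function (outside the hunk) and every other check, which starts before hunk @@ -11717 and ends after hunk @@ -11905, would follow suit. The CFB changes in hunks @@ -11938 and @@ -11973 only carve out `getivbuf` and need nothing further.
```c
  err = gcry_cipher_ctl (hd_cbc, PRIV_CIPHERCTL_GET_INPUT_VECTOR, getivbuf,
                         blocksize + 1);
  if (err || getivbuf[0] != blocksize)
    {
      fail ("%s-CBC-%d test failed (CBC getiv fail, parallel path)",
            cipher, blocksize * 8);
      goto leave;
    }
  if (memcmp (getivbuf + 1, iv, blocksize))
    {
      fail ("%s-CBC-%d test failed (IV mismatch, parallel path)",
            cipher, blocksize * 8);
      goto leave;
    }
  /* … unchanged: remaining checks, each ending in `goto leave;` … */
  rc = 0;                       /* every check passed */

 leave:
  gcry_cipher_close (hd_one);
  gcry_cipher_close (hd_cbc);
  xfree (mem);
  return rc;
```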
@@ -12049,8 +12071,17 @@ cipher_cfb_bulk_test (int cipher_algo) return -1; } -#if 0 - if (memcmp(iv2, iv, blocksize)) + err = gcry_cipher_ctl (hd_cfb, PRIV_CIPHERCTL_GET_INPUT_VECTOR, getivbuf, + blocksize + 1); + if (err || getivbuf[0] != blocksize) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_cfb); + xfree(mem); + fail ("%s-CFB-%d test failed (CFB getiv fail)", cipher, blocksize * 8); + return -1; + } + if (memcmp(getivbuf + 1, iv, blocksize)) { gcry_cipher_close (hd_one); gcry_cipher_close (hd_cfb); @@ -12059,7 +12090,6 @@ cipher_cfb_bulk_test (int cipher_algo) cipher, blocksize * 8); return -1; } -#endif /* Test parallelized code paths */ memset(iv, 0xe6, blocksize); @@ -12114,8 +12144,19 @@ cipher_cfb_bulk_test (int cipher_algo) cipher, blocksize * 8); return -1; } -#if 0 - if (memcmp(iv2, iv, blocksize)) + + err = gcry_cipher_ctl (hd_cfb, PRIV_CIPHERCTL_GET_INPUT_VECTOR, getivbuf, + blocksize + 1); + if (err || getivbuf[0] != blocksize) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_cfb); + xfree(mem); + fail ("%s-CFB-%d test failed (CFB getiv fail, parallel path)", + cipher, blocksize * 8); + return -1; + } + if (memcmp(getivbuf + 1, iv, blocksize)) { gcry_cipher_close (hd_one); gcry_cipher_close (hd_cfb); @@ -12124,7 +12165,6 @@ cipher_cfb_bulk_test (int cipher_algo) cipher, blocksize * 8); return -1; } -#endif gcry_cipher_close (hd_one); gcry_cipher_close (hd_cfb); @@ -12147,6 +12187,7 @@ cipher_ctr_bulk_test (int cipher_algo) int i, j, offs, diff; unsigned char *plaintext, *plaintext2, *ciphertext, *ciphertext2, *iv, *iv2, *mem; + unsigned char *getctrbuf; unsigned int memsize; unsigned int keylen; @@ -12170,7 +12211,7 @@ cipher_ctr_bulk_test (int cipher_algo) return -1; } - memsize = (blocksize * 2) + (blocksize * nblocks * 4) + 16; + memsize = (blocksize * 2) + (blocksize * nblocks * 4) + 16 + (blocksize + 1); mem = xcalloc (1, memsize); if (!mem) 
@@ -12183,6 +12224,7 @@ cipher_ctr_bulk_test (int cipher_algo) plaintext2 = plaintext + nblocks * blocksize; ciphertext = plaintext2 + nblocks * blocksize; ciphertext2 = ciphertext + nblocks * blocksize; + getctrbuf = ciphertext2 + nblocks * blocksize; err = gcry_cipher_open (&hd_one, cipher_algo, GCRY_CIPHER_MODE_ECB, 0); if (err) @@ -12266,8 +12308,17 @@ cipher_ctr_bulk_test (int cipher_algo) return -1; } -#if 0 - if (memcmp (iv2, iv, blocksize)) + err = gcry_cipher_ctl (hd_ctr, PRIV_CIPHERCTL_GET_COUNTER, getctrbuf, + blocksize + 1); + if (err || getctrbuf[0] != blocksize) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_ctr); + xfree(mem); + fail ("%s-CTR-%d test failed (CTR getctr fail)", cipher, blocksize * 8); + return -1; + } + if (memcmp(getctrbuf + 1, iv, blocksize)) { gcry_cipher_close (hd_one); gcry_cipher_close (hd_ctr); @@ -12275,7 +12326,6 @@ cipher_ctr_bulk_test (int cipher_algo) fail ("%s-CTR-%d test failed (IV mismatch)", cipher, blocksize * 8); return -1; } -#endif /* Test bulk encryption with typical IV. */ memset(iv, 0x57, blocksize-4); @@ -12345,8 +12395,19 @@ cipher_ctr_bulk_test (int cipher_algo) cipher, blocksize * 8); return -1; } -#if 0 - if (memcmp (iv2, iv, blocksize)) + + err = gcry_cipher_ctl (hd_ctr, PRIV_CIPHERCTL_GET_COUNTER, getctrbuf, + blocksize + 1); + if (err || getctrbuf[0] != blocksize) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_ctr); + xfree(mem); + fail ("%s-CTR-%d test failed (CTR getctr fail, bulk)", + cipher, blocksize * 8); + return -1; + } + if (memcmp(getctrbuf + 1, iv, blocksize)) { gcry_cipher_close (hd_one); gcry_cipher_close (hd_ctr); 
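Review bot: The `getctrbuf[0] != blocksize` checks in hunks @@ -12266 and @@ -12345 rely on every request in this test being a whole number of blocks: per the cipher.c hunk earlier in this series, GET_COUNTER reports only the `h->unused` unconsumed tail bytes when a partial block is pending, so a future test that processes a trailing partial block would trip the length check instead of comparing counters. Record that assumption above the first check, e.g. `/* All requests here are full blocks, so GET_COUNTER returns the whole counter.  */`, or compare only the reported tail: `memcmp (getctrbuf + 1, iv + blocksize - getctrbuf[0], getctrbuf[0])`. cipher_ctr_bulk_test starts before hunk @@ -12147 and continues past this hunk.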
@@ -12354,89 +12415,99 @@ cipher_ctr_bulk_test (int cipher_algo) fail ("%s-CTR-%d test failed (IV mismatch, bulk)", cipher, blocksize * 8); return -1; } -#endif /* Test parallelized code paths (check counter overflow handling) */ - for (diff = 0; diff < nblocks; diff++) { - memset(iv, 0xff, blocksize); - iv[blocksize-1] -= diff; - iv[0] = iv[1] = 0; - iv[2] = 0x07; + for (diff = 0; diff < nblocks; diff++) + { + memset(iv, 0xff, blocksize); + iv[blocksize-1] -= diff; + iv[0] = iv[1] = 0; + iv[2] = 0x07; - for (i = 0; i < blocksize * nblocks; i++) - plaintext[i] = i; + for (i = 0; i < blocksize * nblocks; i++) + plaintext[i] = i; - /* Create CTR ciphertext manually. */ - for (i = 0; i < blocksize * nblocks; i+=blocksize) - { - err = gcry_cipher_encrypt (hd_one, &ciphertext[i], blocksize, - iv, blocksize); - if (err) - { - gcry_cipher_close (hd_one); - gcry_cipher_close (hd_ctr); - xfree(mem); - fail ("%s-CTR-%d test failed (ECB encrypt fail)", - cipher, blocksize * 8); - return -1; - } - for (j = 0; j < blocksize; j++) - ciphertext[i+j] ^= plaintext[i+j]; - for (j = blocksize; j > 0; j--) - { - iv[j-1]++; - if (iv[j-1]) - break; - } - } + /* Create CTR ciphertext manually. */ + for (i = 0; i < blocksize * nblocks; i+=blocksize) + { + err = gcry_cipher_encrypt (hd_one, &ciphertext[i], blocksize, + iv, blocksize); + if (err) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_ctr); + xfree(mem); + fail ("%s-CTR-%d test failed (ECB encrypt fail)", + cipher, blocksize * 8); + return -1; + } + for (j = 0; j < blocksize; j++) + ciphertext[i+j] ^= plaintext[i+j]; + for (j = blocksize; j > 0; j--) + { + iv[j-1]++; + if (iv[j-1]) + break; + } + } - /* Decrypt using bulk CTR and compare result. */ - memset(iv2, 0xff, blocksize); - iv2[blocksize-1] -= diff; - iv2[0] = iv2[1] = 0; - iv2[2] = 0x07; + /* Decrypt using bulk CTR and compare result. 
*/ + memset(iv2, 0xff, blocksize); + iv2[blocksize-1] -= diff; + iv2[0] = iv2[1] = 0; + iv2[2] = 0x07; - err = gcry_cipher_setctr (hd_ctr, iv2, blocksize); - if (err) - { - gcry_cipher_close (hd_one); - gcry_cipher_close (hd_ctr); - xfree(mem); - fail ("%s-CTR-%d test failed (setiv fail)", cipher, blocksize * 8); - return -1; - } - err = gcry_cipher_decrypt (hd_ctr, plaintext2, blocksize * nblocks, - ciphertext, blocksize * nblocks); - if (err) - { - gcry_cipher_close (hd_one); - gcry_cipher_close (hd_ctr); - xfree(mem); - fail ("%s-CTR-%d test failed (CTR decrypt fail)", cipher, blocksize * 8); - return -1; - } + err = gcry_cipher_setctr (hd_ctr, iv2, blocksize); + if (err) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_ctr); + xfree(mem); + fail ("%s-CTR-%d test failed (setiv fail)", cipher, blocksize * 8); + return -1; + } + err = gcry_cipher_decrypt (hd_ctr, plaintext2, blocksize * nblocks, + ciphertext, blocksize * nblocks); + if (err) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_ctr); + xfree(mem); + fail ("%s-CTR-%d test failed (CTR decrypt fail)", cipher, blocksize * 8); + return -1; + } - if (memcmp (plaintext2, plaintext, blocksize * nblocks)) - { - gcry_cipher_close (hd_one); - gcry_cipher_close (hd_ctr); - xfree(mem); - fail ("%s-CTR-%d test failed (plaintext mismatch, diff: %d)", - cipher, blocksize * 8, diff); - return -1; - } -#if 0 - if (memcmp(iv2, iv, blocksize)) - { - gcry_cipher_close (hd_one); - gcry_cipher_close (hd_ctr); - xfree(mem); - fail ("%s-CTR-%d test failed (IV mismatch, diff: %d)", - cipher, blocksize * 8, diff); - return -1; - } -#endif - } + if (memcmp (plaintext2, plaintext, blocksize * nblocks)) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_ctr); + xfree(mem); + fail ("%s-CTR-%d test failed (plaintext mismatch, diff: %d)", + cipher, blocksize * 8, diff); + return -1; + } + + err = gcry_cipher_ctl (hd_ctr, PRIV_CIPHERCTL_GET_COUNTER, getctrbuf, + blocksize + 1); + if (err || getctrbuf[0] != 
blocksize) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_ctr); + xfree(mem); + fail ("%s-CTR-%d test failed (CTR getctr fail, diff: %d)", + cipher, blocksize * 8, diff); + return -1; + } + if (memcmp(getctrbuf + 1, iv, blocksize)) + { + gcry_cipher_close (hd_one); + gcry_cipher_close (hd_ctr); + xfree(mem); + fail ("%s-CTR-%d test failed (IV mismatch, diff: %d)", + cipher, blocksize * 8, diff); + return -1; + } + } gcry_cipher_close (hd_one); gcry_cipher_close (hd_ctr); -- 2.34.1 From jussi.kivilinna at iki.fi Thu Jun 30 09:14:03 2022 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 30 Jun 2022 10:14:03 +0300 Subject: [PATCH 3/3] sm4: fix wrong macro used for GFNI/AVX2 code-path In-Reply-To: <20220630071403.913631-1-jussi.kivilinna@iki.fi> References: <20220630071403.913631-1-jussi.kivilinna@iki.fi> Message-ID: <20220630071403.913631-3-jussi.kivilinna@iki.fi> * cipher/sm4.c (sm4_get_crypt_blk1_16_fn): Use USE_GFNI_AVX2 for GFNI/AVX2 block. -- Signed-off-by: Jussi Kivilinna --- cipher/sm4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cipher/sm4.c b/cipher/sm4.c index d4711603..1c54b339 100644 --- a/cipher/sm4.c +++ b/cipher/sm4.c @@ -784,7 +784,7 @@ sm4_get_crypt_blk1_16_fn(SM4_context *ctx) { if (0) ; -#ifdef USE_AESNI_AVX +#ifdef USE_GFNI_AVX2 else if (ctx->use_gfni_avx2) { return &sm4_gfni_avx2_crypt_blk1_16; -- 2.34.1 From jussi.kivilinna at iki.fi Thu Jun 30 09:14:02 2022 
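Review bot: Most of the 99 new lines in the `@@ -12354` hunk are a re-indentation of the existing `for (diff = 0; diff < nblocks; diff++)` loop body, which buries the only functional addition — the `PRIV_CIPHERCTL_GET_COUNTER` check inserted after the plaintext comparison — and makes it hard to confirm that the manual counter loop and the `setctr`/`decrypt` sequence are otherwise untouched. Either land the whitespace change as a separate commit or state in the commit message that the loop body was only re-indented so reviewers know to compare with whitespace ignored. Inside the loop the new check repeats the same five-line close/free/fail/return sequence a further two times; a single cleanup label reached by `goto` would let the `fail` text carry `diff` without the duplication. cipher_ctr_bulk_test continues past the end of this hunk.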
From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 30 Jun 2022 10:14:02 +0300 Subject: [PATCH 2/3] sm4: fix use of GFNI/AVX2 accelerated key expansion In-Reply-To: <20220630071403.913631-1-jussi.kivilinna@iki.fi> References: <20220630071403.913631-1-jussi.kivilinna@iki.fi> Message-ID: <20220630071403.913631-2-jussi.kivilinna@iki.fi> * cipher/sm4.c [USE_GFNI_AVX2] (_gcry_sm4_gfni_avx_expand_key): Remove. [USE_GFNI_AVX2] (_gcry_sm4_gfni_avx2_expand_key): New. (sm4_expand_key): Change '_gcry_sm4_gfni_avx_expand_key' to '_gcry_sm4_gfni_avx2_expand_key'. -- Signed-off-by: Jussi Kivilinna --- cipher/sm4.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/cipher/sm4.c b/cipher/sm4.c index 5f8bf224..d4711603 100644 --- a/cipher/sm4.c +++ b/cipher/sm4.c @@ -311,9 +311,9 @@ sm4_aesni_avx2_crypt_blk1_16(const void *rk, byte *out, const byte *in, #endif /* USE_AESNI_AVX2 */ #ifdef USE_GFNI_AVX2 -extern void _gcry_sm4_gfni_avx_expand_key(const byte *key, u32 *rk_enc, - u32 *rk_dec, const u32 *fk, - const u32 *ck) ASM_FUNC_ABI; +extern void _gcry_sm4_gfni_avx2_expand_key(const byte *key, u32 *rk_enc, + u32 *rk_dec, const u32 *fk, + const u32 *ck) ASM_FUNC_ABI; extern void _gcry_sm4_gfni_avx2_ctr_enc(const u32 *rk_enc, byte *out, const byte *in, @@ -516,11 +516,11 @@ sm4_expand_key (SM4_context *ctx, const byte *key) u32 rk[4]; int i; -#ifdef USE_GFNI_AVX - if (ctx->use_gfni_avx) +#ifdef USE_GFNI_AVX2 + if (ctx->use_gfni_avx2) { - _gcry_sm4_gfni_avx_expand_key (key, ctx->rkey_enc, ctx->rkey_dec, - fk, ck); + _gcry_sm4_gfni_avx2_expand_key (key, ctx->rkey_enc, ctx->rkey_dec, + fk, ck); return; } #endif -- 2.34.1 From jussi.kivilinna at iki.fi Thu Jun 30 09:14:01 2022 
From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 30 Jun 2022 10:14:01 +0300 Subject: [PATCH 1/3] camellia-gfni-avx512: remove copy-paste / leftover extra instructions Message-ID: <20220630071403.913631-1-jussi.kivilinna@iki.fi> * cipher/camellia-gfni-avx512-amd64.S: Remove extranous copy-pasted instructions after `.Lbswap128_mask` constant; Remove left-over plaintext xorring in OCB encryption input loading macro. -- Signed-off-by: Jussi Kivilinna --- cipher/camellia-gfni-avx512-amd64.S | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/cipher/camellia-gfni-avx512-amd64.S b/cipher/camellia-gfni-avx512-amd64.S index eb9c01f2..15b2dc90 100644 --- a/cipher/camellia-gfni-avx512-amd64.S +++ b/cipher/camellia-gfni-avx512-amd64.S @@ -1,4 +1,4 @@ -/* camellia-gfni-avx512-amd64.h - GFNI/AVX512 implementation of Camellia +/* camellia-gfni-avx512-amd64.S - GFNI/AVX512 implementation of Camellia * * Copyright (C) 2022 Jussi Kivilinna * @@ -622,11 +622,6 @@ ELF(.type _gcry_camellia_gfni_avx512__constants, at object;) .Lbswap128_mask: .byte 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 - vbroadcasti64x2 .Lcounter4444_lo rRIP, %zmm22; - vbroadcasti64x2 .Lcounter8888_lo rRIP, %zmm23; - vbroadcasti64x2 .Lcounter16161616_lo rRIP, %zmm24; - vbroadcasti64x2 .Lcounter1111_hi rRIP, %zmm25; - .Lbyte_ones: .byte 1, 1, 1, 1, 1, 1, 1, 1 @@ -1155,7 +1150,6 @@ _gcry_camellia_gfni_avx512_ocb_enc: vinserti64x2 $2, %xmm30, %zmm16, %zmm16; \ vpxorq (l3reg), %xmm30, %xmm30; \ vinserti64x2 $3, %xmm30, %zmm16, %zmm16; \ - vpxorq zplain, %zmm31, %zmm31; \ vpxorq zplain, %zmm16, zreg; \ vmovdqu64 %zmm16, (n * 64)(%rsi); -- 2.34.1