[git] GCRYPT - branch, LIBGCRYPT-1-7-BRANCH, updated. libgcrypt-1.7.0-8-g1f769e3
by Werner Koch
cvs at cvs.gnupg.org
Wed Jun 8 18:20:16 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, LIBGCRYPT-1-7-BRANCH has been updated
via 1f769e3e8442bae2f1f73c656920bb2df70153c0 (commit)
via 52cdfb1960808aaad48b5a501bbce0e3141c3961 (commit)
via b766ea14ad1c27d6160531b200cc70aaa479c6dc (commit)
via dc76313308c184c92eb78452b503405b90fc7ebd (commit)
via bd39eb9fba47dc8500c83769a679cc8b683d6c6e (commit)
via c05837211e5221d3f56146865e823bc20b4ff1ab (commit)
from caa9d14c914bf6116ec3f773a322a94e2be0c0fb (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1f769e3e8442bae2f1f73c656920bb2df70153c0
Author: Werner Koch <wk at gnupg.org>
Date: Fri Jun 3 15:42:53 2016 +0200
rsa: Implement blinding also for signing.
* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
(secret_blinded): new.
(rsa_sign): Use blinding by default.
--
Although blinding of the RSA sign operation has a noticable speed
loss, we better be on the safe site by using it by default.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/cipher/rsa.c b/cipher/rsa.c
index cb3c464..ce8e215 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1045,7 +1045,48 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
}
}
+static void
+secret_blinded (gcry_mpi_t output, gcry_mpi_t input,
+ RSA_secret_key *sk, unsigned int nbits)
+{
+ gcry_mpi_t r; /* Random number needed for blinding. */
+ gcry_mpi_t ri; /* Modular multiplicative inverse of r. */
+ gcry_mpi_t bldata; /* Blinded data to decrypt. */
+
+ /* First, we need a random number r between 0 and n - 1, which is
+ * relatively prime to n (i.e. it is neither p nor q). The random
+ * number needs to be only unpredictable, thus we employ the
+ * gcry_create_nonce function by using GCRY_WEAK_RANDOM with
+ * gcry_mpi_randomize. */
+ r = mpi_snew (nbits);
+ ri = mpi_snew (nbits);
+ bldata = mpi_snew (nbits);
+
+ do
+ {
+ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+ mpi_mod (r, r, sk->n);
+ }
+ while (!mpi_invm (ri, r, sk->n));
+
+ /* Do blinding. We calculate: y = (x * r^e) mod n, where r is the
+ * random number, e is the public exponent, x is the non-blinded
+ * input data and n is the RSA modulus. */
+ mpi_powm (bldata, r, sk->e, sk->n);
+ mpi_mulm (bldata, bldata, input, sk->n);
+ /* Perform decryption. */
+ secret (output, bldata, sk);
+ _gcry_mpi_release (bldata);
+
+ /* Undo blinding. Here we calculate: y = (x * r^-1) mod n, where x
+ * is the blinded decrypted data, ri is the modular multiplicative
+ * inverse of r and n is the RSA modulus. */
+ mpi_mulm (output, output, ri, sk->n);
+
+ _gcry_mpi_release (r);
+ _gcry_mpi_release (ri);
+}
/*********************************************
************** interface ******************
@@ -1266,9 +1307,6 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
gcry_mpi_t data = NULL;
RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL};
gcry_mpi_t plain = NULL;
- gcry_mpi_t r = NULL; /* Random number needed for blinding. */
- gcry_mpi_t ri = NULL; /* Modular multiplicative inverse of r. */
- gcry_mpi_t bldata = NULL;/* Blinded data to decrypt. */
unsigned char *unpad = NULL;
size_t unpadlen = 0;
@@ -1321,44 +1359,10 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
/* We use blinding by default to mitigate timing attacks which can
be practically mounted over the network as shown by Brumley and
Boney in 2003. */
- if (!(ctx.flags & PUBKEY_FLAG_NO_BLINDING))
- {
- /* First, we need a random number r between 0 and n - 1, which
- is relatively prime to n (i.e. it is neither p nor q). The
- random number needs to be only unpredictable, thus we employ
- the gcry_create_nonce function by using GCRY_WEAK_RANDOM with
- gcry_mpi_randomize. */
- r = mpi_snew (ctx.nbits);
- ri = mpi_snew (ctx.nbits);
- bldata = mpi_snew (ctx.nbits);
-
- do
- {
- _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
- mpi_mod (r, r, sk.n);
- }
- while (!mpi_invm (ri, r, sk.n));
-
- /* Do blinding. We calculate: y = (x * r^e) mod n, where r is
- the random number, e is the public exponent, x is the
- non-blinded data and n is the RSA modulus. */
- mpi_powm (bldata, r, sk.e, sk.n);
- mpi_mulm (bldata, bldata, data, sk.n);
-
- /* Perform decryption. */
- secret (plain, bldata, &sk);
- _gcry_mpi_release (bldata); bldata = NULL;
-
- /* Undo blinding. Here we calculate: y = (x * r^-1) mod n,
- where x is the blinded decrypted data, ri is the modular
- multiplicative inverse of r and n is the RSA modulus. */
- mpi_mulm (plain, plain, ri, sk.n);
-
- _gcry_mpi_release (r); r = NULL;
- _gcry_mpi_release (ri); ri = NULL;
- }
- else
+ if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
secret (plain, data, &sk);
+ else
+ secret_blinded (plain, data, &sk, ctx.nbits);
if (DBG_CIPHER)
log_printmpi ("rsa_decrypt res", plain);
@@ -1403,9 +1407,6 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
_gcry_mpi_release (sk.q);
_gcry_mpi_release (sk.u);
_gcry_mpi_release (data);
- _gcry_mpi_release (r);
- _gcry_mpi_release (ri);
- _gcry_mpi_release (bldata);
sexp_release (l1);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
@@ -1461,7 +1462,10 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
/* Do RSA computation. */
sig = mpi_new (0);
- secret (sig, data, &sk);
+ if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
+ secret (sig, data, &sk);
+ else
+ secret_blinded (sig, data, &sk, ctx.nbits);
if (DBG_CIPHER)
log_printmpi ("rsa_sign res", sig);
commit 52cdfb1960808aaad48b5a501bbce0e3141c3961
Author: Werner Koch <wk at gnupg.org>
Date: Fri Jun 3 15:15:36 2016 +0200
random: Remove debug output for getrandom(2) output.
* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
output.
--
Fixes-commit: ee5a32226a7ca4ab067864e06623fc11a1768900
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/random/rndlinux.c b/random/rndlinux.c
index 592b9ac..f08c9f9 100644
--- a/random/rndlinux.c
+++ b/random/rndlinux.c
@@ -271,7 +271,6 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
log_fatal ("getrandom returned only"
" %ld of %zu requested bytes\n", ret, nbytes);
- log_debug ("getrandom returned %zu requested bytes\n", nbytes);
(*add)(buffer, nbytes, origin);
length -= nbytes;
continue; /* until LENGTH is zero. */
commit b766ea14ad1c27d6160531b200cc70aaa479c6dc
Author: Werner Koch <wk at gnupg.org>
Date: Mon Sep 7 15:38:04 2015 +0200
Fix gcc portability on Solaris 9 SPARC boxes.
* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.
--
This patch has been in use by pkgsrc for
SunOS mentok 5.9 Generic_117171-02 sun4u sparc SUNW,Sun-Fire-V240
since 2004.
GnuPG-bug-id: 1703
Signed-off-by: Werner Koch <wk at gnupg.org>
[cherry-pick of commit d281624]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna at iki.fi>
diff --git a/mpi/longlong.h b/mpi/longlong.h
index db98e47..0a5acb6 100644
--- a/mpi/longlong.h
+++ b/mpi/longlong.h
@@ -1293,7 +1293,7 @@ typedef unsigned int UTItype __attribute__ ((mode (TI)));
"rJ" ((USItype)(al)), \
"rI" ((USItype)(bl)) \
__CLOBBER_CC)
-# if defined (__sparc_v8__)
+# if defined (__sparc_v8__) || defined(__sparcv8)
/* Don't match immediate range because, 1) it is not often useful,
2) the 'I' flag thinks of the range as a 13 bit signed interval,
while we want to match a 13 bit interval, sign extended to 32 bits,
commit dc76313308c184c92eb78452b503405b90fc7ebd
Author: Jérémie Courrèges-Anglas <jca at wxcvbn.org>
Date: Mon May 9 04:04:59 2016 +0200
Check for compiler SSE4.1 support in PCLMUL CRC code.
* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
compiler supports PCLMUL *and* SSE4.1
* cipher/crc.c: Ditto
* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.
--
Fixes build with the native gcc on OpenBSD/amd64, which supports PCLMUL
but not SSE4.1.
Signed-off-by: Jérémie Courrèges-Anglas <jca at wxcvbn.org>
diff --git a/cipher/crc-intel-pclmul.c b/cipher/crc-intel-pclmul.c
index c034e2e..2972fb4 100644
--- a/cipher/crc-intel-pclmul.c
+++ b/cipher/crc-intel-pclmul.c
@@ -30,7 +30,8 @@
#include "bufhelp.h"
-#if defined(ENABLE_PCLMUL_SUPPORT) && __GNUC__ >= 4 && \
+#if defined(ENABLE_PCLMUL_SUPPORT) && defined(ENABLE_SSE41_SUPPORT) && \
+ __GNUC__ >= 4 && \
((defined(__i386__) && SIZEOF_UNSIGNED_LONG == 4) || defined(__x86_64__))
diff --git a/cipher/crc.c b/cipher/crc.c
index ee0e4e2..a1ce50b 100644
--- a/cipher/crc.c
+++ b/cipher/crc.c
@@ -31,10 +31,10 @@
#include "bufhelp.h"
-/* USE_INTEL_PCLMUL indicates whether to compile CRC with Intel PCLMUL
+/* USE_INTEL_PCLMUL indicates whether to compile CRC with Intel PCLMUL/SSE4.1
* code. */
#undef USE_INTEL_PCLMUL
-#ifdef ENABLE_PCLMUL_SUPPORT
+#if defined(ENABLE_PCLMUL_SUPPORT) && defined(ENABLE_SSE41_SUPPORT)
# if ((defined(__i386__) && SIZEOF_UNSIGNED_LONG == 4) || defined(__x86_64__))
# if __GNUC__ >= 4
# define USE_INTEL_PCLMUL 1
diff --git a/configure.ac b/configure.ac
index ad06dfd..ad0f64d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -597,6 +597,14 @@ AC_ARG_ENABLE(pclmul-support,
pclmulsupport=$enableval,pclmulsupport=yes)
AC_MSG_RESULT($pclmulsupport)
+# Implementation of the --disable-sse41-support switch.
+AC_MSG_CHECKING([whether SSE4.1 support is requested])
+AC_ARG_ENABLE(sse41-support,
+ AC_HELP_STRING([--disable-sse41-support],
+ [Disable support for the Intel SSE4.1 instructions]),
+ sse41support=$enableval,sse41support=yes)
+AC_MSG_RESULT($sse41support)
+
# Implementation of the --disable-drng-support switch.
AC_MSG_CHECKING([whether DRNG support is requested])
AC_ARG_ENABLE(drng-support,
@@ -1109,6 +1117,7 @@ AM_CONDITIONAL(MPI_MOD_C_UDIV_QRNND, test "$mpi_mod_c_udiv_qrnnd" = yes)
if test "$mpi_cpu_arch" != "x86" ; then
aesnisupport="n/a"
pclmulsupport="n/a"
+ sse41support="n/a"
avxsupport="n/a"
avx2support="n/a"
padlocksupport="n/a"
@@ -1257,6 +1266,27 @@ if test "$gcry_cv_gcc_inline_asm_pclmul" = "yes" ; then
[Defined if inline assembler supports PCLMUL instructions])
fi
+#
+# Check whether GCC inline assembler supports SSE4.1 instructions.
+#
+AC_CACHE_CHECK([whether GCC inline assembler supports SSE4.1 instructions],
+ [gcry_cv_gcc_inline_asm_sse41],
+ [if test "$mpi_cpu_arch" != "x86" ; then
+ gcry_cv_gcc_inline_asm_sse41="n/a"
+ else
+ gcry_cv_gcc_inline_asm_sse41=no
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE(
+ [[void a(void) {
+ int i;
+ __asm__("pextrd \$2, %%xmm0, %[out]\n\t" : [out] "=m" (i));
+ }]])],
+ [gcry_cv_gcc_inline_asm_sse41=yes])
+ fi])
+if test "$gcry_cv_gcc_inline_asm_sse41" = "yes" ; then
+ AC_DEFINE(HAVE_GCC_INLINE_ASM_SSE41,1,
+ [Defined if inline assembler supports SSE4.1 instructions])
+fi
+
#
# Check whether GCC inline assembler supports AVX instructions
@@ -1711,6 +1741,11 @@ if test x"$pclmulsupport" = xyes ; then
pclmulsupport="no (unsupported by compiler)"
fi
fi
+if test x"$sse41support" = xyes ; then
+ if test "$gcry_cv_gcc_inline_asm_sse41" != "yes" ; then
+ sse41support="no (unsupported by compiler)"
+ fi
+fi
if test x"$avxsupport" = xyes ; then
if test "$gcry_cv_gcc_inline_asm_avx" != "yes" ; then
avxsupport="no (unsupported by compiler)"
@@ -1735,6 +1770,10 @@ if test x"$pclmulsupport" = xyes ; then
AC_DEFINE(ENABLE_PCLMUL_SUPPORT, 1,
[Enable support for Intel PCLMUL instructions.])
fi
+if test x"$sse41support" = xyes ; then
+ AC_DEFINE(ENABLE_SSE41_SUPPORT, 1,
+ [Enable support for Intel SSE4.1 instructions.])
+fi
if test x"$avxsupport" = xyes ; then
AC_DEFINE(ENABLE_AVX_SUPPORT,1,
[Enable support for Intel AVX instructions.])
@@ -2340,6 +2379,7 @@ GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
GCRY_MSG_SHOW([Try using Padlock crypto: ],[$padlocksupport])
GCRY_MSG_SHOW([Try using AES-NI crypto: ],[$aesnisupport])
GCRY_MSG_SHOW([Try using Intel PCLMUL: ],[$pclmulsupport])
+GCRY_MSG_SHOW([Try using Intel SSE4.1: ],[$sse41support])
GCRY_MSG_SHOW([Try using DRNG (RDRAND): ],[$drngsupport])
GCRY_MSG_SHOW([Try using Intel AVX: ],[$avxsupport])
GCRY_MSG_SHOW([Try using Intel AVX2: ],[$avx2support])
commit bd39eb9fba47dc8500c83769a679cc8b683d6c6e
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Fri May 6 13:21:17 2016 +0900
ecc: Fix ecc_verify for cofactor support.
* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".
--
Thanks to onitake.
GnuPG-bug-id: 2347
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/cipher/ecc.c b/cipher/ecc.c
index a437a1f..b09902e 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -1071,7 +1071,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms)
if ((ctx.flags & PUBKEY_FLAG_PARAM))
rc = sexp_extract_param (s_keyparms, NULL, "-p?a?b?g?n?h?/q",
&pk.E.p, &pk.E.a, &pk.E.b, &mpi_g, &pk.E.n,
- &pk.E.n, &mpi_q, NULL);
+ &pk.E.h, &mpi_q, NULL);
else
rc = sexp_extract_param (s_keyparms, NULL, "/q",
&mpi_q, NULL);
commit c05837211e5221d3f56146865e823bc20b4ff1ab
Author: Werner Koch <wk at gnupg.org>
Date: Tue Apr 26 15:46:30 2016 +0200
random: Try to use getrandom() instead of /dev/urandom (Linux only).
* configure.ac: Check for syscall.
* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
(_gcry_rndlinux_gather_random): Use getrandom is available.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/configure.ac b/configure.ac
index 5f9f711..ad06dfd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1514,7 +1514,7 @@ AC_CHECK_FUNCS(strtoul memmove stricmp atexit raise)
# Other checks
AC_CHECK_FUNCS(strerror rand mmap getpagesize sysconf waitpid wait4)
AC_CHECK_FUNCS(gettimeofday getrusage gethrtime clock_gettime syslog)
-AC_CHECK_FUNCS(fcntl ftruncate flockfile)
+AC_CHECK_FUNCS(syscall fcntl ftruncate flockfile)
GNUPG_CHECK_MLOCK
diff --git a/random/rndlinux.c b/random/rndlinux.c
index 0cb65df..592b9ac 100644
--- a/random/rndlinux.c
+++ b/random/rndlinux.c
@@ -32,6 +32,10 @@
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
+#if defined(__linux__) && defined(HAVE_SYSCALL)
+# include <sys/syscall.h>
+#endif
+
#include "types.h"
#include "g10lib.h"
#include "rand-internal.h"
@@ -232,6 +236,50 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
}
}
+ /* If we have a modern Linux kernel and we want to read from the
+ * the non-blocking /dev/urandom, we first try to use the new
+ * getrandom syscall. That call guarantees that the kernel's
+ * RNG has been properly seeded before returning any data. This
+ * is different from /dev/urandom which may, due to its
+ * non-blocking semantics, return data even if the kernel has
+ * not been properly seeded. Unfortunately we need to use a
+ * syscall and not a new device and thus we are not able to use
+ * select(2) to have a timeout. */
+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
+ if (fd == fd_urandom)
+ {
+ long ret;
+ size_t nbytes;
+
+ do
+ {
+ nbytes = length < sizeof(buffer)? length : sizeof(buffer);
+ if (nbytes > 256)
+ nbytes = 256;
+ ret = syscall (__NR_getrandom,
+ (void*)buffer, (size_t)nbytes, (unsigned int)0);
+ }
+ while (ret == -1 && errno == EINTR);
+ if (ret == -1 && errno == ENOSYS)
+ ; /* The syscall is not supported - fallback to /dev/urandom. */
+ else
+ { /* The syscall is supported. Some sanity checks. */
+ if (ret == -1)
+ log_fatal ("unexpected error from getrandom: %s\n",
+ strerror (errno));
+ else if (ret != nbytes)
+ log_fatal ("getrandom returned only"
+ " %ld of %zu requested bytes\n", ret, nbytes);
+
+ log_debug ("getrandom returned %zu requested bytes\n", nbytes);
+ (*add)(buffer, nbytes, origin);
+ length -= nbytes;
+ continue; /* until LENGTH is zero. */
+ }
+ log_debug ("syscall(getrandom) not supported; errno = %d\n", errno);
+ }
+#endif
+
do
{
size_t nbytes;
-----------------------------------------------------------------------
Summary of changes:
cipher/crc-intel-pclmul.c | 3 +-
cipher/crc.c | 4 +--
cipher/ecc.c | 2 +-
cipher/rsa.c | 92 ++++++++++++++++++++++++-----------------------
configure.ac | 42 +++++++++++++++++++++-
mpi/longlong.h | 2 +-
random/rndlinux.c | 47 ++++++++++++++++++++++++
7 files changed, 142 insertions(+), 50 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
More information about the Gnupg-commits
mailing list