From dbaryshkov at gmail.com Sat May 4 23:37:03 2019 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Sun, 5 May 2019 00:37:03 +0300 Subject: [PATCH] Fix carry overflow in Stribog in 512-bit addition Message-ID: <20190504213703.12153-1-dbaryshkov@gmail.com> * cipher/stribog.c (transform_bits): properly calculate carry flag * tests/basic.c (check_digests): add two more test cases Signed-off-by: Dmitry Eremin-Solenikov --- cipher/stribog.c | 12 +++++++----- tests/basic.c | 27 +++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/cipher/stribog.c b/cipher/stribog.c index 3eb0773564ef..267872474fb1 100644 --- a/cipher/stribog.c +++ b/cipher/stribog.c @@ -1223,7 +1223,7 @@ static void transform_bits (STRIBOG_CONTEXT *hd, const unsigned char *data, unsigned count) { u64 M[8]; - u64 l; + u64 l, cf; int i; for (i = 0; i < 8; i++) @@ -1243,11 +1243,13 @@ transform_bits (STRIBOG_CONTEXT *hd, const unsigned char *data, unsigned count) } hd->Sigma[0] += M[0]; + cf = 0; for (i = 1; i < 8; i++) - if (hd->Sigma[i-1] < M[i-1]) - hd->Sigma[i] += M[i] + 1; - else - hd->Sigma[i] += M[i]; + { + if (hd->Sigma[i-1] != M[i-1]) + cf = (hd->Sigma[i-1] < M[i-1]); + hd->Sigma[i] += M[i] + cf; + } } static unsigned int diff --git a/tests/basic.c b/tests/basic.c index 3efd3744a34a..55a8b72f2731 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -9168,6 +9168,33 @@ check_digests (void) "\x20\xc8\xe3\xee\xf0\xe5\xe2\xfb", "\x9d\xd2\xfe\x4e\x90\x40\x9e\x5d\xa8\x7f\x53\x97\x6d\x74\x05\xb0" "\xc0\xca\xc6\x28\xfc\x66\x9a\x74\x1d\x50\x06\x3c\x55\x7e\x8f\x50" }, + /* Special tests for carry flag in addition */ + { GCRY_MD_STRIBOG512, + "\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE" + "\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE" + "\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE" + "\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE" + "\x16\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" + "\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" + "\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" + "\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x16", + "\x8b\x06\xf4\x1e\x59\x90\x7d\x96\x36\xe8\x92\xca\xf5\x94\x2f\xcd" + "\xfb\x71\xfa\x31\x16\x9a\x5e\x70\xf0\xed\xb8\x73\x66\x4d\xf4\x1c" + "\x2c\xce\x6e\x06\xdc\x67\x55\xd1\x5a\x61\xcd\xeb\x92\xbd\x60\x7c" + "\xc4\xaa\xca\x67\x32\xbf\x35\x68\xa2\x3a\x21\x0d\xd5\x20\xfd\x41" }, + { GCRY_MD_STRIBOG512, + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", + "\x90\xa1\x61\xd1\x2a\xd3\x09\x49\x8d\x3f\xe5\xd4\x82\x02\xd8\xa4" + "\xe9\xc4\x06\xd6\xa2\x64\xae\xab\x25\x8a\xc5\xec\xc3\x7a\x79\x62" + "\xaa\xf9\x58\x7a\x5a\xbb\x09\xb6\xbb\x81\xec\x4b\x37\x52\xa3\xff" + "\x5a\x83\x8e\xf1\x75\xbe\x57\x72\x05\x6b\xc5\xfe\x54\xfc\xfc\x7e" }, #include "./sha3-224.h" #include "./sha3-256.h" #include "./sha3-384.h" -- 2.20.1 From jussi.kivilinna at iki.fi Mon May 6 20:18:08 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Mon, 6 May 2019 21:18:08 +0300 Subject: [PATCH] Fix carry overflow in Stribog in 512-bit addition In-Reply-To: <20190504213703.12153-1-dbaryshkov@gmail.com> References: <20190504213703.12153-1-dbaryshkov@gmail.com> Message-ID: On 5.5.2019 0.37, Dmitry Eremin-Solenikov wrote: > * cipher/stribog.c (transform_bits): properly calculate carry flag > * tests/basic.c (check_digests): add two more test cases > Applied to master. Thanks. -Jussi From guidovranken at gmail.com Wed May 8 15:31:45 2019 From: guidovranken at gmail.com (Guido Vranken) Date: Wed, 8 May 2019 15:31:45 +0200 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer Message-ID: Hi, I've been building a differential cryptography fuzzer that has been finding some nice bugs in major cryptographic libraries: https://github.com/guidovranken/cryptofuzz#hall-of-fame It's very effective as it can find the Whirlpool bug (before 1.60.0) and the recent Stribog bug instantly. It finds errors in message digests like RipeMD160 in the current master branch that are not present in 1.8.4. I still have to research the cause.. I can post demonstration code later. It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers interested in participating in the OSS-Fuzz project? This entails that results for message digests, HMACs, CMACs and symmetric ciphers are compared to other libraries, and if there is a mismatch, everyone gets an e-mail. At that point we have to find out which library is emitting the wrong result, and the bug has to be fixed. For this I need one or more e-mail addresses linked to a Google account. Read more about OSS-Fuzz here: https://github.com/google/oss-fuzz Guido -------------- next part -------------- An HTML attachment was scrubbed... URL: From jussi.kivilinna at iki.fi Wed May 8 21:48:56 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Wed, 8 May 2019 22:48:56 +0300 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: References: Message-ID: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> Hello, On 8.5.2019 16.31, Guido Vranken wrote: > Hi, > > I've been building a differential cryptography fuzzer that has been finding some nice bugs in major cryptographic libraries: https://github.com/guidovranken/cryptofuzz#hall-of-fame > It's very effective as it can find the Whirlpool bug (before 1.60.0) and the recent Stribog bug instantly. > > It finds errors in message digests like RipeMD160 in the current master branch that are not present in 1.8.4. I still have to research the cause.. I can post demonstration code later. Thanks! It looks like culprit commit is 46d7dbbc293fdc1e04656798b3e6f58873fee110 which breaks md4, md5 and rmd160. Quickly looking at code, this happens when input size is '64*nblks + 56..63'. Bug is at md4.c/md5.c/rmd160.c new code path "/* need one extra block */" and when writing bit count to buffer. Buffer offsets there should be "hd->bctx.buf + 56 + 64" and "hd->bctx.buf + 60 + 64". Other message digests modified in that commit appear to get this right. Bigger issue here is that there is quite big cap in testing coverage for digest finalization functions.. fuzzing against different libraries would definitely help. > > It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers interested in participating in the OSS-Fuzz project? This entails that results for message digests, HMACs, CMACs and symmetric ciphers are compared to other libraries, and if there is a mismatch, everyone gets an e-mail. At that point we have to find out which library is emitting the wrong result, and the bug has to be fixed. > I'd be interested getting emails of such mismatches. What do others think? Werner? Niibe? -Jussi From guidovranken at gmail.com Wed May 8 21:58:49 2019 From: guidovranken at gmail.com (Guido Vranken) Date: Wed, 8 May 2019 21:58:49 +0200 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> Message-ID: While we're on the subject, can you comment on which ciphers/cipher modes allow for "chunked updating"? Eg. if you have a cleartext of 16 bytes, when is it allowed to call gcry_cipher_encrypt with the first 10 bytes, then another 3 bytes, then the final 3 bytes (for example)? I've been noticing a host of wrong outputs if I allow "chunked updating" with libgcrypt. The documentation states "Depending on the selected algorithms and encryption mode, the length of the buffers must be a multiple of the block size." but this doesn't make it clear when it is allowed exactly. And should the function not just fail if chunked input is attempted when full blocks are expected? Also, I consistently get the error message "selftest for CFB failed - see syslog for details" both from git master and 1.8.4. Is this expected? Thanks Guido On Wed, May 8, 2019 at 9:48 PM Jussi Kivilinna wrote: > Hello, > > On 8.5.2019 16.31, Guido Vranken wrote: > > Hi, > > > > I've been building a differential cryptography fuzzer that has been > finding some nice bugs in major cryptographic libraries: > https://github.com/guidovranken/cryptofuzz#hall-of-fame > > It's very effective as it can find the Whirlpool bug (before 1.60.0) and > the recent Stribog bug instantly. > > > > It finds errors in message digests like RipeMD160 in the current master > branch that are not present in 1.8.4. I still have to research the cause.. > I can post demonstration code later. > > Thanks! It looks like culprit commit is > 46d7dbbc293fdc1e04656798b3e6f58873fee110 which breaks md4, md5 and rmd160. > Quickly looking at code, this happens when input size is '64*nblks + > 56..63'. Bug is at md4.c/md5.c/rmd160.c new code path "/* need one extra > block */" and when writing bit count to buffer. Buffer offsets there should > be "hd->bctx.buf + 56 + 64" and "hd->bctx.buf + 60 + 64". Other message > digests modified in that commit appear to get this right. > > Bigger issue here is that there is quite big cap in testing coverage for > digest finalization functions.. fuzzing against different libraries would > definitely help. > > > > > It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers > interested in participating in the OSS-Fuzz project? This entails that > results for message digests, HMACs, CMACs and symmetric ciphers are > compared to other libraries, and if there is a mismatch, everyone gets an > e-mail. At that point we have to find out which library is emitting the > wrong result, and the bug has to be fixed. > > > > I'd be interested getting emails of such mismatches. > > What do others think? Werner? Niibe? > > > -Jussi > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jussi.kivilinna at iki.fi Wed May 8 22:53:48 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Wed, 8 May 2019 23:53:48 +0300 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> Message-ID: <5f7d14f9-a3d1-895c-5247-708d38d69be1@iki.fi> On 8.5.2019 22.58, Guido Vranken wrote: > While we're on the subject, can you comment on which ciphers/cipher modes allow for "chunked updating"? Eg. if you have a cleartext of 16 bytes, when is it allowed to call gcry_cipher_encrypt with the first 10 bytes, then another 3 bytes, then the final 3 bytes (for example)? I've been noticing a host of wrong outputs if I allow "chunked updating" with libgcrypt. Following modes should work with "chunked updating": GCRY_CIPHER_MODE_STREAM GCRY_CIPHER_MODE_OFB GCRY_CIPHER_MODE_CTR GCRY_CIPHER_MODE_CFB GCRY_CIPHER_MODE_CCM GCRY_CIPHER_MODE_GCM GCRY_CIPHER_MODE_EAX GCRY_CIPHER_MODE_POLY1305 ECB and CBC require input length in multiples of cipher blocksize. For XTS input length can be from 16 to 16*2^20 bytes. OCB requires first N-1 input buffer lengths to be multiples of cipher blocksize. Before last input buffer 'gcry_cipher_final()' needs to be called and last Nth input buffer does not have restriction on input size. > The documentation states "Depending on the selected algorithms and encryption mode, the length of the buffers must be a multiple of the block size." but this doesn't make it clear when it is allowed exactly. And should the function not just fail if chunked input is attempted when full blocks are expected? Modes that do not accept chunked input return error. > > Also, I consistently get the error message "selftest for CFB failed - see syslog for details" both from git master and 1.8.4. Is this expected? That is not expected. Which compiler and what kind of configuration are you using? Do you get these errors when running libgcrypt build tests, "make check"? -Jussi > > Thanks > > Guido > > On Wed, May 8, 2019 at 9:48 PM Jussi Kivilinna > wrote: > > Hello, > > On 8.5.2019 16.31, Guido Vranken wrote: > > Hi, > > > > I've been building a differential cryptography fuzzer that has been finding some nice bugs in major cryptographic libraries: https://github.com/guidovranken/cryptofuzz#hall-of-fame > > It's very effective as it can find the Whirlpool bug (before 1.60.0) and the recent Stribog bug instantly. > > > > It finds errors in message digests like RipeMD160 in the current master branch that are not present in 1.8.4. I still have to research the cause.. I can post demonstration code later. > > Thanks! It looks like culprit commit is 46d7dbbc293fdc1e04656798b3e6f58873fee110 which breaks md4, md5 and rmd160. Quickly looking at code, this happens when input size is '64*nblks + 56..63'. Bug is at md4.c/md5.c/rmd160.c new code path "/* need one extra block */" and when writing bit count to buffer. Buffer offsets there should be "hd->bctx.buf + 56 + 64" and "hd->bctx.buf + 60 + 64". Other message digests modified in that commit appear to get this right. > > Bigger issue here is that there is quite big cap in testing coverage for digest finalization functions.. fuzzing against different libraries would definitely help. > > > > > It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers interested in participating in the OSS-Fuzz project? This entails that results for message digests, HMACs, CMACs and symmetric ciphers are compared to other libraries, and if there is a mismatch, everyone gets an e-mail. At that point we have to find out which library is emitting the wrong result, and the bug has to be fixed. > > > > I'd be interested getting emails of such mismatches. > > What do others think? Werner? Niibe? > > > -Jussi > From guidovranken at gmail.com Thu May 9 02:35:19 2019 From: guidovranken at gmail.com (Guido Vranken) Date: Thu, 9 May 2019 02:35:19 +0200 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: <5f7d14f9-a3d1-895c-5247-708d38d69be1@iki.fi> References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> <5f7d14f9-a3d1-895c-5247-708d38d69be1@iki.fi> Message-ID: Here's an example of different outputs with chunked input: #include #include #include #define CF_CHECK_EQ(expr, res) if ( (expr) != (res) ) { goto end; } int main(void) { uint8_t out[1024]; const uint8_t cleartext[16] = {0}; const uint8_t iv[16] = {0}; const uint8_t key[32] = {0}; size_t idx = 0; gcry_cipher_hd_t h; bool hOpen = false; CF_CHECK_EQ(gcry_cipher_open(&h, GCRY_CIPHER_CHACHA20, GCRY_CIPHER_MODE_STREAM, 0), GPG_ERR_NO_ERROR); hOpen = true; CF_CHECK_EQ(gcry_cipher_setkey(h, key, sizeof(key)), GPG_ERR_NO_ERROR); CF_CHECK_EQ(gcry_cipher_setiv(h, iv, sizeof(iv)), GPG_ERR_NO_ERROR); #if defined(CHUNKED) const int lengths[] = {1, 15}; #else const int lengths[] = {16}; #endif for (size_t i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) { CF_CHECK_EQ(gcry_cipher_encrypt(h, out, sizeof(out) - idx, cleartext + idx, lengths[i]), GPG_ERR_NO_ERROR); idx += lengths[i]; } for (size_t i = 0; i < idx; i++) { printf("%02X ", out[i]); } printf("\n"); end: if ( hOpen == true ) { gcry_cipher_close(h); } } Compile with and without -DCHUNKED. Am I doing something wrong? 'make check' did not report any errors but I'll look into it further. Guido On Wed, May 8, 2019 at 10:53 PM Jussi Kivilinna wrote: > On 8.5.2019 22.58, Guido Vranken wrote: > > While we're on the subject, can you comment on which ciphers/cipher > modes allow for "chunked updating"? Eg. if you have a cleartext of 16 > bytes, when is it allowed to call gcry_cipher_encrypt with the first 10 > bytes, then another 3 bytes, then the final 3 bytes (for example)? I've > been noticing a host of wrong outputs if I allow "chunked updating" with > libgcrypt. > > Following modes should work with "chunked updating": > GCRY_CIPHER_MODE_STREAM > GCRY_CIPHER_MODE_OFB > GCRY_CIPHER_MODE_CTR > GCRY_CIPHER_MODE_CFB > GCRY_CIPHER_MODE_CCM > GCRY_CIPHER_MODE_GCM > GCRY_CIPHER_MODE_EAX > GCRY_CIPHER_MODE_POLY1305 > > ECB and CBC require input length in multiples of cipher blocksize. > > For XTS input length can be from 16 to 16*2^20 bytes. > > OCB requires first N-1 input buffer lengths to be multiples of cipher > blocksize. Before last input buffer 'gcry_cipher_final()' needs to be > called and last Nth input buffer does not have restriction on input size. > > > The documentation states "Depending on the selected algorithms and > encryption mode, the length of the buffers must be a multiple of the block > size." but this doesn't make it clear when it is allowed exactly. And > should the function not just fail if chunked input is attempted when full > blocks are expected? > > Modes that do not accept chunked input return error. > > > > > Also, I consistently get the error message "selftest for CFB failed - > see syslog for details" both from git master and 1.8.4. Is this expected? > > That is not expected. Which compiler and what kind of configuration are > you using? Do you get these errors when running libgcrypt build tests, > "make check"? > > -Jussi > > > > > Thanks > > > > Guido > > > > On Wed, May 8, 2019 at 9:48 PM Jussi Kivilinna > wrote: > > > > Hello, > > > > On 8.5.2019 16.31, Guido Vranken wrote: > > > Hi, > > > > > > I've been building a differential cryptography fuzzer that has > been finding some nice bugs in major cryptographic libraries: > https://github.com/guidovranken/cryptofuzz#hall-of-fame > > > It's very effective as it can find the Whirlpool bug (before > 1.60.0) and the recent Stribog bug instantly. > > > > > > It finds errors in message digests like RipeMD160 in the current > master branch that are not present in 1.8.4. I still have to research the > cause.. I can post demonstration code later. > > > > Thanks! It looks like culprit commit is > 46d7dbbc293fdc1e04656798b3e6f58873fee110 which breaks md4, md5 and rmd160. > Quickly looking at code, this happens when input size is '64*nblks + > 56..63'. Bug is at md4.c/md5.c/rmd160.c new code path "/* need one extra > block */" and when writing bit count to buffer. Buffer offsets there should > be "hd->bctx.buf + 56 + 64" and "hd->bctx.buf + 60 + 64". Other message > digests modified in that commit appear to get this right. > > > > Bigger issue here is that there is quite big cap in testing coverage > for digest finalization functions.. fuzzing against different libraries > would definitely help. > > > > > > > > It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt > maintainers interested in participating in the OSS-Fuzz project? This > entails that results for message digests, HMACs, CMACs and symmetric > ciphers are compared to other libraries, and if there is a mismatch, > everyone gets an e-mail. At that point we have to find out which library is > emitting the wrong result, and the bug has to be fixed. > > > > > > > I'd be interested getting emails of such mismatches. > > > > What do others think? Werner? Niibe? > > > > > > -Jussi > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From guidovranken at gmail.com Thu May 9 03:08:07 2019 From: guidovranken at gmail.com (Guido Vranken) Date: Thu, 9 May 2019 03:08:07 +0200 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> <5f7d14f9-a3d1-895c-5247-708d38d69be1@iki.fi> Message-ID: Never mind, I've noticed my bug, please ignore :). On Thu, May 9, 2019 at 2:35 AM Guido Vranken wrote: > Here's an example of different outputs with chunked input: > > #include > #include > #include > > #define CF_CHECK_EQ(expr, res) if ( (expr) != (res) ) { goto end; } > > int main(void) > { > uint8_t out[1024]; > const uint8_t cleartext[16] = {0}; > const uint8_t iv[16] = {0}; > const uint8_t key[32] = {0}; > size_t idx = 0; > > gcry_cipher_hd_t h; > bool hOpen = false; > CF_CHECK_EQ(gcry_cipher_open(&h, GCRY_CIPHER_CHACHA20, > GCRY_CIPHER_MODE_STREAM, 0), GPG_ERR_NO_ERROR); > hOpen = true; > CF_CHECK_EQ(gcry_cipher_setkey(h, key, sizeof(key)), GPG_ERR_NO_ERROR); > CF_CHECK_EQ(gcry_cipher_setiv(h, iv, sizeof(iv)), GPG_ERR_NO_ERROR); > > #if defined(CHUNKED) > const int lengths[] = {1, 15}; > #else > const int lengths[] = {16}; > #endif > > for (size_t i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) { > CF_CHECK_EQ(gcry_cipher_encrypt(h, out, sizeof(out) - idx, > cleartext + idx, lengths[i]), GPG_ERR_NO_ERROR); > idx += lengths[i]; > } > > for (size_t i = 0; i < idx; i++) { > printf("%02X ", out[i]); > } > printf("\n"); > > end: > if ( hOpen == true ) { > gcry_cipher_close(h); > } > } > > Compile with and without -DCHUNKED. Am I doing something wrong? > > 'make check' did not report any errors but I'll look into it further. > > Guido > > On Wed, May 8, 2019 at 10:53 PM Jussi Kivilinna > wrote: > >> On 8.5.2019 22.58, Guido Vranken wrote: >> > While we're on the subject, can you comment on which ciphers/cipher >> modes allow for "chunked updating"? Eg. if you have a cleartext of 16 >> bytes, when is it allowed to call gcry_cipher_encrypt with the first 10 >> bytes, then another 3 bytes, then the final 3 bytes (for example)? I've >> been noticing a host of wrong outputs if I allow "chunked updating" with >> libgcrypt. >> >> Following modes should work with "chunked updating": >> GCRY_CIPHER_MODE_STREAM >> GCRY_CIPHER_MODE_OFB >> GCRY_CIPHER_MODE_CTR >> GCRY_CIPHER_MODE_CFB >> GCRY_CIPHER_MODE_CCM >> GCRY_CIPHER_MODE_GCM >> GCRY_CIPHER_MODE_EAX >> GCRY_CIPHER_MODE_POLY1305 >> >> ECB and CBC require input length in multiples of cipher blocksize. >> >> For XTS input length can be from 16 to 16*2^20 bytes. >> >> OCB requires first N-1 input buffer lengths to be multiples of cipher >> blocksize. Before last input buffer 'gcry_cipher_final()' needs to be >> called and last Nth input buffer does not have restriction on input size. >> >> > The documentation states "Depending on the selected algorithms and >> encryption mode, the length of the buffers must be a multiple of the block >> size." but this doesn't make it clear when it is allowed exactly. And >> should the function not just fail if chunked input is attempted when full >> blocks are expected? >> >> Modes that do not accept chunked input return error. >> >> > >> > Also, I consistently get the error message "selftest for CFB failed - >> see syslog for details" both from git master and 1.8.4. Is this expected? >> >> That is not expected. Which compiler and what kind of configuration are >> you using? Do you get these errors when running libgcrypt build tests, >> "make check"? >> >> -Jussi >> >> > >> > Thanks >> > >> > Guido >> > >> > On Wed, May 8, 2019 at 9:48 PM Jussi Kivilinna > > wrote: >> > >> > Hello, >> > >> > On 8.5.2019 16.31, Guido Vranken wrote: >> > > Hi, >> > > >> > > I've been building a differential cryptography fuzzer that has >> been finding some nice bugs in major cryptographic libraries: >> https://github.com/guidovranken/cryptofuzz#hall-of-fame >> > > It's very effective as it can find the Whirlpool bug (before >> 1.60.0) and the recent Stribog bug instantly. >> > > >> > > It finds errors in message digests like RipeMD160 in the current >> master branch that are not present in 1.8.4. I still have to research the >> cause.. I can post demonstration code later. >> > >> > Thanks! It looks like culprit commit is >> 46d7dbbc293fdc1e04656798b3e6f58873fee110 which breaks md4, md5 and rmd160. >> Quickly looking at code, this happens when input size is '64*nblks + >> 56..63'. Bug is at md4.c/md5.c/rmd160.c new code path "/* need one extra >> block */" and when writing bit count to buffer. Buffer offsets there should >> be "hd->bctx.buf + 56 + 64" and "hd->bctx.buf + 60 + 64". Other message >> digests modified in that commit appear to get this right. >> > >> > Bigger issue here is that there is quite big cap in testing >> coverage for digest finalization functions.. fuzzing against different >> libraries would definitely help. >> > >> > > >> > > It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt >> maintainers interested in participating in the OSS-Fuzz project? This >> entails that results for message digests, HMACs, CMACs and symmetric >> ciphers are compared to other libraries, and if there is a mismatch, >> everyone gets an e-mail. At that point we have to find out which library is >> emitting the wrong result, and the bug has to be fixed. >> > > >> > >> > I'd be interested getting emails of such mismatches. >> > >> > What do others think? Werner? Niibe? >> > >> > >> > -Jussi >> > >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From guidovranken at gmail.com Thu May 9 13:52:35 2019 From: guidovranken at gmail.com (Guido Vranken) Date: Thu, 9 May 2019 13:52:35 +0200 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> <5f7d14f9-a3d1-895c-5247-708d38d69be1@iki.fi>

Message-ID: It found a difference with Veracrypt's Stribog. This is libgcrypt with the carry overflow bug fix incorporated (commit da6cd4fea30f79cf9d8f9b2f1c6daf3aea39fa9c) Operation: operation name: Digest digest: STREEBOG-256 cleartext: {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0xbc, 0x6b, 0xa8, 0xb3, 0x68, 0xb9, 0x68, 0xbb, 0x53, 0x80, 0xe1, 0x06, 0x90} (65 bytes) Module libgcrypt result: {0x0f, 0xbe, 0x0b, 0x3f, 0x89, 0x8d, 0x49, 0x22, 0xe8, 0x77, 0xc5, 0x1f, 0xfd, 0x4b, 0xef, 0x76, 0xc6, 0x34, 0x03, 0x04, 0x00, 0xd0, 0x0c, 0x43, 0x06, 0x5a, 0xed, 0xc5, 0x74, 0x72, 0x34, 0x7b} (32 bytes) Module Veracrypt result: {0xbf, 0x49, 0x33, 0x72, 0x84, 0x00, 0x45, 0xa6, 0x9f, 0x21, 0xff, 0xc7, 0xa2, 0x07, 0x02, 0x99, 0x8d, 0x76, 0x62, 0xf0, 0xb7, 0x2c, 0x02, 0x19, 0x9e, 0xf6, 0x72, 0xf8, 0x4b, 0x14, 0xc8, 0xb3} (32 bytes) ---------------------- On Thu, May 9, 2019 at 3:08 AM Guido Vranken wrote: > Never mind, I've noticed my bug, please ignore :). > > On Thu, May 9, 2019 at 2:35 AM Guido Vranken > wrote: > >> Here's an example of different outputs with chunked input: >> >> #include >> #include >> #include >> >> #define CF_CHECK_EQ(expr, res) if ( (expr) != (res) ) { goto end; } >> >> int main(void) >> { >> uint8_t out[1024]; >> const uint8_t cleartext[16] = {0}; >> const uint8_t iv[16] = {0}; >> const uint8_t key[32] = {0}; >> size_t idx = 0; >> >> gcry_cipher_hd_t h; >> bool hOpen = false; >> CF_CHECK_EQ(gcry_cipher_open(&h, GCRY_CIPHER_CHACHA20, >> GCRY_CIPHER_MODE_STREAM, 0), GPG_ERR_NO_ERROR); >> hOpen = true; >> CF_CHECK_EQ(gcry_cipher_setkey(h, key, sizeof(key)), >> GPG_ERR_NO_ERROR); >> CF_CHECK_EQ(gcry_cipher_setiv(h, iv, sizeof(iv)), GPG_ERR_NO_ERROR); >> >> #if defined(CHUNKED) >> const int lengths[] = {1, 15}; >> #else >> const int lengths[] = {16}; >> #endif >> >> for (size_t i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) { >> CF_CHECK_EQ(gcry_cipher_encrypt(h, out, sizeof(out) - idx, >> cleartext + idx, lengths[i]), GPG_ERR_NO_ERROR); >> idx += lengths[i]; >> } >> >> for (size_t i = 0; i < idx; i++) { >> printf("%02X ", out[i]); >> } >> printf("\n"); >> >> end: >> if ( hOpen == true ) { >> gcry_cipher_close(h); >> } >> } >> >> Compile with and without -DCHUNKED. Am I doing something wrong? >> >> 'make check' did not report any errors but I'll look into it further. >> >> Guido >> >> On Wed, May 8, 2019 at 10:53 PM Jussi Kivilinna >> wrote: >> >>> On 8.5.2019 22.58, Guido Vranken wrote: >>> > While we're on the subject, can you comment on which ciphers/cipher >>> modes allow for "chunked updating"? Eg. if you have a cleartext of 16 >>> bytes, when is it allowed to call gcry_cipher_encrypt with the first 10 >>> bytes, then another 3 bytes, then the final 3 bytes (for example)? I've >>> been noticing a host of wrong outputs if I allow "chunked updating" with >>> libgcrypt. >>> >>> Following modes should work with "chunked updating": >>> GCRY_CIPHER_MODE_STREAM >>> GCRY_CIPHER_MODE_OFB >>> GCRY_CIPHER_MODE_CTR >>> GCRY_CIPHER_MODE_CFB >>> GCRY_CIPHER_MODE_CCM >>> GCRY_CIPHER_MODE_GCM >>> GCRY_CIPHER_MODE_EAX >>> GCRY_CIPHER_MODE_POLY1305 >>> >>> ECB and CBC require input length in multiples of cipher blocksize. >>> >>> For XTS input length can be from 16 to 16*2^20 bytes. >>> >>> OCB requires first N-1 input buffer lengths to be multiples of cipher >>> blocksize. Before last input buffer 'gcry_cipher_final()' needs to be >>> called and last Nth input buffer does not have restriction on input size. >>> >>> > The documentation states "Depending on the selected algorithms and >>> encryption mode, the length of the buffers must be a multiple of the block >>> size." but this doesn't make it clear when it is allowed exactly. And >>> should the function not just fail if chunked input is attempted when full >>> blocks are expected? >>> >>> Modes that do not accept chunked input return error. >>> >>> > >>> > Also, I consistently get the error message "selftest for CFB failed - >>> see syslog for details" both from git master and 1.8.4. Is this expected? >>> >>> That is not expected. Which compiler and what kind of configuration are >>> you using? Do you get these errors when running libgcrypt build tests, >>> "make check"? >>> >>> -Jussi >>> >>> > >>> > Thanks >>> > >>> > Guido >>> > >>> > On Wed, May 8, 2019 at 9:48 PM Jussi Kivilinna >> > wrote: >>> > >>> > Hello, >>> > >>> > On 8.5.2019 16.31, Guido Vranken wrote: >>> > > Hi, >>> > > >>> > > I've been building a differential cryptography fuzzer that has >>> been finding some nice bugs in major cryptographic libraries: >>> https://github.com/guidovranken/cryptofuzz#hall-of-fame >>> > > It's very effective as it can find the Whirlpool bug (before >>> 1.60.0) and the recent Stribog bug instantly. >>> > > >>> > > It finds errors in message digests like RipeMD160 in the current >>> master branch that are not present in 1.8.4. I still have to research the >>> cause.. I can post demonstration code later. >>> > >>> > Thanks! It looks like culprit commit is >>> 46d7dbbc293fdc1e04656798b3e6f58873fee110 which breaks md4, md5 and rmd160. >>> Quickly looking at code, this happens when input size is '64*nblks + >>> 56..63'. Bug is at md4.c/md5.c/rmd160.c new code path "/* need one extra >>> block */" and when writing bit count to buffer. Buffer offsets there should >>> be "hd->bctx.buf + 56 + 64" and "hd->bctx.buf + 60 + 64". Other message >>> digests modified in that commit appear to get this right. >>> > >>> > Bigger issue here is that there is quite big cap in testing >>> coverage for digest finalization functions.. fuzzing against different >>> libraries would definitely help. >>> > >>> > > >>> > > It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt >>> maintainers interested in participating in the OSS-Fuzz project? This >>> entails that results for message digests, HMACs, CMACs and symmetric >>> ciphers are compared to other libraries, and if there is a mismatch, >>> everyone gets an e-mail. At that point we have to find out which library is >>> emitting the wrong result, and the bug has to be fixed. >>> > > >>> > >>> > I'd be interested getting emails of such mismatches. >>> > >>> > What do others think? Werner? Niibe? >>> > >>> > >>> > -Jussi >>> > >>> >>> -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Thu May 9 17:48:36 2019 From: wk at gnupg.org (Werner Koch) Date: Thu, 09 May 2019 17:48:36 +0200 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> (Jussi Kivilinna's message of "Wed, 8 May 2019 22:48:56 +0300") References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> Message-ID: <87pnory6gb.fsf@wheatstone.g10code.de> On Wed, 8 May 2019 22:48, jussi.kivilinna at iki.fi said: > What do others think? Werner? Niibe? I am not interested in that for the simple reason that you can see the details of a report only when using a Google account. I closed my Google account a decade or even longer ago and won't open one again. Feel free to use or forward the reports, though. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From jussi.kivilinna at iki.fi Thu May 9 18:17:54 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 9 May 2019 19:17:54 +0300 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> <5f7d14f9-a3d1-895c-5247-708d38d69be1@iki.fi>

Message-ID: Hello, On 9.5.2019 14.52, Guido Vranken wrote: > It found a difference with Veracrypt's Stribog. This is libgcrypt with the carry overflow bug fix incorporated (commit da6cd4fea30f79cf9d8f9b2f1c6daf3aea39fa9c) > > Operation: > operation name: Digest > digest: STREEBOG-256 > cleartext: {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, > ?0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, > ?0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, > ?0xff, 0xff, 0xff, 0x80, 0xbc, 0x6b, 0xa8, 0xb3, 0x68, 0xb9, 0x68, 0xbb, 0x53, 0x80, 0xe1, 0x06, > ?0x90} (65 bytes) > > Module libgcrypt result: > > {0x0f, 0xbe, 0x0b, 0x3f, 0x89, 0x8d, 0x49, 0x22, 0xe8, 0x77, 0xc5, 0x1f, 0xfd, 0x4b, 0xef, 0x76, > ?0xc6, 0x34, 0x03, 0x04, 0x00, 0xd0, 0x0c, 0x43, 0x06, 0x5a, 0xed, 0xc5, 0x74, 0x72, 0x34, 0x7b} (32 bytes) > > Module Veracrypt result: > > {0xbf, 0x49, 0x33, 0x72, 0x84, 0x00, 0x45, 0xa6, 0x9f, 0x21, 0xff, 0xc7, 0xa2, 0x07, 0x02, 0x99, > ?0x8d, 0x76, 0x62, 0xf0, 0xb7, 0x2c, 0x02, 0x19, 0x9e, 0xf6, 0x72, 0xf8, 0x4b, 0x14, 0xc8, 0xb3} (32 bytes) Maybe it is carry-bit overflow handling difference in Veracrypt's Streebog.c:add512: https://www.veracrypt.fr/code/VeraCrypt/tree/src/Crypto/Streebog.c#n1868 It also looks like that function handles carry overflow differently for big-endian vs little-endian. -Jussi From dbaryshkov at gmail.com Thu May 9 18:24:18 2019 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Thu, 9 May 2019 19:24:18 +0300 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> <5f7d14f9-a3d1-895c-5247-708d38d69be1@iki.fi>

Message-ID: Hello, ??, 9 ??? 2019 ?. ? 14:53, Guido Vranken : > > It found a difference with Veracrypt's Stribog. This is libgcrypt with the carry overflow bug fix incorporated (commit da6cd4fea30f79cf9d8f9b2f1c6daf3aea39fa9c) > > Operation: > operation name: Digest > digest: STREEBOG-256 > cleartext: {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, > 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, > 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, > 0xff, 0xff, 0xff, 0x80, 0xbc, 0x6b, 0xa8, 0xb3, 0x68, 0xb9, 0x68, 0xbb, 0x53, 0x80, 0xe1, 0x06, > 0x90} (65 bytes) > > Module libgcrypt result: > > {0x0f, 0xbe, 0x0b, 0x3f, 0x89, 0x8d, 0x49, 0x22, 0xe8, 0x77, 0xc5, 0x1f, 0xfd, 0x4b, 0xef, 0x76, > 0xc6, 0x34, 0x03, 0x04, 0x00, 0xd0, 0x0c, 0x43, 0x06, 0x5a, 0xed, 0xc5, 0x74, 0x72, 0x34, 0x7b} (32 bytes) > > Module Veracrypt result: > > {0xbf, 0x49, 0x33, 0x72, 0x84, 0x00, 0x45, 0xa6, 0x9f, 0x21, 0xff, 0xc7, 0xa2, 0x07, 0x02, 0x99, > 0x8d, 0x76, 0x62, 0xf0, 0xb7, 0x2c, 0x02, 0x19, 0x9e, 0xf6, 0x72, 0xf8, 0x4b, 0x14, 0xc8, 0xb3} (32 bytes) OpenSSL's gost engine results in 0x0f, 0xbe, 0x0b, ... result: echo -ne '\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x80\xbc\x6b\xa8\xb3\x68\xb9\x68\xbb\x53\x80\xe1\x06\x90' | openssl dgst -md_gost12_256 (stdin)= 0fbe0b3f898d4922e877c51ffd4bef76c634030400d00c43065aedc57472347b -- With best wishes Dmitry From jussi.kivilinna at iki.fi Thu May 9 20:57:36 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 9 May 2019 21:57:36 +0300 Subject: [PATCH] Fix message digest final function for MD4, MD5 and RMD160 Message-ID: <155742825603.27188.12860918675711744600.stgit@localhost.localdomain> * cipher/md4.c (md4_final): Use buffer offset '64 + 56' for bit count on 'need one extra block' path. * cipher/md5.c (md5_final): Ditto. * cipher/rmd160.c (rmd160_final): Ditto. * tests/basic.c (check_one_md_final): New. (check_digest): Add new '*' test vectors and handle them with check_one_md_final. -- This commit fixes bug introduced with commit 46d7dbbc293fdc to MD4, MD5 and RMD160 where digest ended up being wrong for input message sizes 64*x+56..64. Patch also adds new test case that runs message digest algorithms with different message lengths from 0 to 289. Reported-by: Guido Vranken Signed-off-by: Jussi Kivilinna --- 0 files changed diff --git a/cipher/md4.c b/cipher/md4.c index f6258893e..b75bc5e69 100644 --- a/cipher/md4.c +++ b/cipher/md4.c @@ -252,8 +252,8 @@ md4_final( void *context ) hd->bctx.count = 64 + 56; /* append the 64 bit count */ - buf_put_le32(hd->bctx.buf + 56, lsb); - buf_put_le32(hd->bctx.buf + 60, msb); + buf_put_le32(hd->bctx.buf + 64 + 56, lsb); + buf_put_le32(hd->bctx.buf + 64 + 60, msb); burn = transform (hd, hd->bctx.buf, 2); } diff --git a/cipher/md5.c b/cipher/md5.c index 67511ba01..94fcdf033 100644 --- a/cipher/md5.c +++ b/cipher/md5.c @@ -276,8 +276,8 @@ md5_final( void *context) hd->bctx.count = 64 + 56; /* append the 64 bit count */ - buf_put_le32(hd->bctx.buf + 56, lsb); - buf_put_le32(hd->bctx.buf + 60, msb); + buf_put_le32(hd->bctx.buf + 64 + 56, lsb); + buf_put_le32(hd->bctx.buf + 64 + 60, msb); burn = transform (hd, hd->bctx.buf, 2); } diff --git a/cipher/rmd160.c b/cipher/rmd160.c index f15eec225..24210a077 100644 --- a/cipher/rmd160.c +++ b/cipher/rmd160.c @@ -449,8 +449,8 @@ rmd160_final( void *context ) hd->bctx.count = 64 + 56; /* append the 64 bit count */ - buf_put_le32(hd->bctx.buf + 56, lsb); - buf_put_le32(hd->bctx.buf + 60, msb); + buf_put_le32(hd->bctx.buf + 64 + 56, lsb); + buf_put_le32(hd->bctx.buf + 64 + 60, msb); burn = transform (hd, hd->bctx.buf, 2); } diff --git a/tests/basic.c b/tests/basic.c index 55a8b72f2..31595d0bb 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -8592,6 +8592,56 @@ check_one_md_multi (int algo, const char *data, int len, const char *expect) } +static void +check_one_md_final(int algo, const char *expect, unsigned int expectlen) +{ + char inbuf[288 + 1]; + char xorbuf[64]; + char digest[64]; + unsigned int mdlen; + int i, j; + + mdlen = gcry_md_get_algo_dlen (algo); + if (mdlen < 1 || mdlen > 64) + { + return; + } + + if (expectlen == 0) + expectlen = mdlen; + + if (expectlen != mdlen) + { + fail ("check_one_md_final: algo %d, digest length mismatch\n", algo); + return; + } + + for (i = 0; i < sizeof(inbuf); i++) + inbuf[i] = i; + + gcry_md_hash_buffer (algo, xorbuf, NULL, 0); + for (i = 1; i < sizeof(inbuf); i++) + { + gcry_md_hash_buffer (algo, digest, inbuf, i); + for (j = 0; j < expectlen; j++) + xorbuf[j] ^= digest[j]; + } + + if (memcmp(expect, xorbuf, expectlen) != 0) + { + printf ("computed: "); + for (i = 0; i < expectlen; i++) + printf ("%02x ", xorbuf[i] & 0xFF); + printf ("\nexpected: "); + for (i = 0; i < expectlen; i++) + printf ("%02x ", expect[i] & 0xFF); + printf ("\n"); + + fail ("check_one_md_final: algo %d, digest mismatch\n", algo); + } +} + + static void check_digests (void) { @@ -9734,6 +9784,142 @@ check_digests (void) "ral Public License for more details.", "\x8b\x91\x3f\x0e\x85\xae\x43\x25\x6d\x28\x38\x6c\x09\x5c\xc7\x72" "\xcc\x2e\x78\x89\x7e\x2e\x4e\x5a\x3d\xf6\x55\xfe\x87\xbe\xa6\xbc" }, + + { GCRY_MD_GOSTR3411_CP, + "*", + "\x72\xd7\xe3\xbf\xa0\x08\xc9\x62\xae\xa9\xc5\xd8\x93\x5f\x17\xd7" + "\x3f\xf2\x52\xb4\xc1\x16\xcf\x63\xa4\xcc\x4a\x8c\x7f\xe5\x60\x2c" }, + { GCRY_MD_MD4, + "*", + "\xe8\xb9\xe4\x59\x61\x08\xc0\xfe\x54\xef\xc5\x8e\x20\x7c\x9b\x37" }, + { GCRY_MD_MD5, + "*", + "\x0b\x1e\xab\xa2\x5e\x48\x76\x92\xae\x16\x12\xde\x5f\xb3\x29\x41" }, + { GCRY_MD_RMD160, + "*", + "\x28\xfd\xd6\xa8\x95\x29\x43\x6b\x5e\xd9\xa0\x06\x82\xbb\xe6\x10" + "\xd3\xcc\x79\x33" }, + { GCRY_MD_SHA1, + "*", + "\xd8\x37\x46\x1a\x46\xfe\x42\x11\x7d\x50\xca\xf7\x3d\x7e\x0c\x36" + "\x42\x0c\x15\xb6" }, + { GCRY_MD_SHA224, + "*", + "\x2e\xba\x51\x6c\x71\x5a\x1d\xb8\x6b\x57\xfb\xf1\x46\xa0\xa7\x1d" + "\x72\x66\xaf\x90\xb8\x01\x18\xc8\x58\x57\xa5\x63" }, + { GCRY_MD_SHA256, + "*", + "\x30\xed\xe4\x69\xf3\x1c\x70\x8a\x6d\x92\x00\xac\xd8\x08\x89\xea" + "\x7e\x92\xff\x02\x0b\x72\x4a\xdf\xa9\x2b\x9f\x80\xba\xd0\x25\xd0" }, + { GCRY_MD_SHA384, + "*", + "\x21\xd7\x40\xdf\x34\x13\xcf\x56\xf7\x61\x0a\x1b\x11\xb7\x1e\x01" + "\x87\xad\xbb\x3e\x9a\xe8\xaa\xaa\xbc\x3a\x89\x39\x0a\xa9\xcb\x4f" + "\x09\x75\x4c\x44\x59\x42\xf5\x13\x5f\xe5\xa6\x2b\x16\xbe\xfc\xdf" }, + { GCRY_MD_SHA512, + "*", + "\x5c\xbe\x01\x03\xbd\x8d\xa1\x38\x5e\x87\x00\x94\x8d\x14\xd0\xb3" + "\x2c\x88\xeb\xb8\xf6\xcc\x06\x44\x54\xb1\x58\x88\xa9\x67\xa0\xe3" + "\x0d\x28\x8b\xf4\x2c\xc6\x7a\xdc\x1a\x35\xbf\x0c\xc8\x35\xf0\x24" + "\x69\xb5\xfe\x15\x6f\x71\xbd\x87\x07\x52\x27\xcc\xdc\x21\x84\x21" }, + { GCRY_MD_SHA3_224, + "*", + "\x1a\xa6\x6f\x1a\x3c\x62\x14\x75\xea\x9d\x49\x4d\x39\x01\x2b\xbd" + "\x4d\xe1\x58\xbc\x32\xac\x48\xcf\x6a\x1a\x54\x34" }, + { GCRY_MD_SHA3_256, + "*", + "\x87\xf8\x0e\x78\xc1\x7b\x0c\x36\x4c\xbb\x8d\xca\x5e\x77\xc3\xfd" + "\x95\xbd\xaf\x94\x85\xc6\x0c\xe6\x22\x52\xeb\x22\x50\x32\x48\x57" }, + { GCRY_MD_SHA3_384, + "*", + "\x89\x5a\xd6\xc8\x60\x20\x66\xe7\x9e\xb3\x6d\x5c\x07\xd7\x5e\xd0" + "\x48\x84\x9d\x51\x75\x14\x77\xdb\xcd\xbf\x70\x18\xdc\x64\x53\x85" + "\x94\x95\xa5\xd3\x26\x9c\xf1\x63\x14\x8d\x11\xa0\xfc\xd8\x05\x9e" }, + { GCRY_MD_SHA3_512, + "*", + "\x53\x0b\x1c\xb7\xff\x2c\xaa\x7e\x62\x15\xa7\x57\x9a\xd0\xcf\x4f" + "\xa5\xae\xe0\x05\x1c\x77\x0f\x29\x5b\x3f\xba\xab\x88\x0c\x0b\x8e" + "\x10\xcf\x3d\xa9\x0d\x1e\x97\x98\x96\xeb\x24\x2e\x70\x30\xd0\x78" + "\x2b\x9e\x30\xad\x5d\xcf\x56\xcf\xd0\xc1\x58\x95\x53\x09\x78\xd6" }, + { GCRY_MD_SM3, + "*", + "\xb6\xfc\x1e\xc4\xad\x9b\x88\xbd\x08\xaa\xf3\xb3\xfa\x4f\x1b\x9c" + "\xd6\x9a\x32\x09\x28\x9e\xda\x3a\x99\xb6\x09\x8f\x35\x99\xa6\x11" }, + { GCRY_MD_STRIBOG256, + "*", + "\x35\x0b\xec\x46\x1f\x98\x19\xe7\x33\x12\xda\x9f\xaf\x3d\x32\xa6" + "\xe4\xa5\x80\x38\x1b\x56\x68\x13\x2d\x0d\xa6\xfd\xfa\xe5\x3d\xf2" }, + { GCRY_MD_STRIBOG512, + "*", + "\x01\x4c\xbd\xd4\x3a\x1a\x51\x9e\xa8\x7c\x1f\xd2\xc3\x2e\x71\x78" + "\x03\x46\xd0\x1b\x30\xdd\x07\xf6\x82\x2b\xa4\x43\x8f\x95\x44\x9d" + "\x92\x3a\x17\x70\x1b\xdd\xfc\x8f\x71\x20\xc6\xa0\xd8\x6f\xb2\x06" + "\xb6\x61\x27\x48\x45\x94\x96\xe7\xdc\xf5\x7a\x2f\x83\x82\x03\x08" }, + { GCRY_MD_TIGER1, + "*", + "\x95\xe1\x25\x8f\xc5\x4b\x82\x12\x69\x83\xfa\xfd\x79\x7d\x87\x38" + "\x01\x4f\xf9\x24\xa2\xf0\x8f\x85" }, + { GCRY_MD_WHIRLPOOL, + "*", + "\x8e\x02\x8e\x8d\xeb\x03\xcc\x37\xf2\x67\x61\x4e\x16\x27\x06\x13" + "\x26\x8c\x35\x17\x0c\xab\x3c\x8b\x25\xc3\x3a\x2b\x7d\x54\xbf\xcf" + "\x7e\xa2\xe4\x4f\x8d\x67\xb7\x85\xfa\x54\x76\x7c\xb0\x24\x87\xd5" + "\x0e\x7d\x3b\x02\x8f\x30\x9e\x91\x78\xea\xc6\xdc\x0e\xee\x71\xca" }, + { GCRY_MD_CRC24_RFC2440, + "*", + "\x44\x53\xd8" }, + { GCRY_MD_CRC32, + "*", + "\x96\x11\x46\x4d" }, + { GCRY_MD_TIGER, + "*", + "\x12\x82\x4b\xc5\x8f\x25\xe1\x95\x38\x87\x7d\x79\xfd\xfa\x83\x69" + "\x85\x8f\xf0\xa2\x24\xf9\x4f\x01" }, + { GCRY_MD_TIGER2, + "*", + "\xc6\x8f\x98\x71\xee\xb3\x1a\xf6\x77\x50\x8e\x74\x98\x08\x6c\x42" + "\xc0\x37\x43\xc2\x17\x89\x5f\x98" }, + { GCRY_MD_CRC32_RFC1510, + "*", + "\xf4\x45\xfd\x43" }, + { GCRY_MD_BLAKE2B_512, + "*", + "\xe0\xf7\x38\x87\x07\xf9\xfd\xeb\x58\x8d\xb9\xb8\xa4\x85\x21\x8e" + "\x56\xa9\xe6\x8d\x64\x4d\xfb\xe8\x8a\x84\xa4\x45\xc7\x80\x4b\x1f" + "\x63\x0b\x27\x84\x96\xd4\xeb\x99\x19\xcb\xc6\x37\x01\x42\xb9\x03" + "\x50\x63\xdf\xb9\x5e\xc5\xb1\xda\x2d\x19\xeb\x65\x73\xd2\xfa\xfa" }, + { GCRY_MD_BLAKE2B_384, + "*", + "\x44\xde\xb8\x2b\x46\x22\xe5\xc6\xa5\x66\x8a\x88\x2b\xc3\x2c\x27" + "\xc1\x4e\x4f\x6b\x70\x96\xcb\x1a\x99\x04\x67\x54\x8a\x0a\x55\xb4" + "\xdb\x8b\xf6\x36\xfc\x2e\xf6\x2a\x6b\xe2\x1d\x09\x0e\x2f\x65\x33" }, + { GCRY_MD_BLAKE2B_256, + "*", + "\x75\xd1\x62\xad\x02\xf1\x3f\xa3\x95\x2f\x5f\x89\x13\x2c\xf4\x2f" + "\xc3\x84\xd2\x46\xbc\x35\x2b\x13\x01\xe0\x9e\x46\x55\x92\x40\x5a" }, + { GCRY_MD_BLAKE2B_160, + "*", + "\x8c\x67\x38\x0e\xf8\xc7\xb6\x3e\x7f\x8e\x32\x73\x8a\xba\xa4\x71" + "\x87\x9a\xb0\x4c" }, + { GCRY_MD_BLAKE2S_256, + "*", + "\x71\x4a\x6d\xe4\xbb\x6c\x9f\x22\xff\x50\x02\xba\x5f\x54\xa6\x39" + "\x9d\x07\x95\x82\x38\x98\xac\x62\xab\xc6\x13\x12\x65\x64\x9e\x69" }, + { GCRY_MD_BLAKE2S_224, + "*", + "\x4c\x01\xe6\x67\xa2\x02\xd1\x62\x9b\xc3\x3b\xb5\x93\xc4\x3c\xa9" + "\x90\x7b\x96\x70\xfd\xdf\xd1\xc3\xad\x09\xa9\xe7" }, + { GCRY_MD_BLAKE2S_160, + "*", + "\x21\xca\x18\x74\x76\x3c\x6b\xe4\x92\x01\xd6\xd5\x91\xd1\x53\xfb" + "\x37\x73\x99\xb9" }, + { GCRY_MD_BLAKE2S_128, + "*", + "\x1d\x87\xfa\x69\xe0\x93\xd9\xcd\xb0\x3c\x52\x00\x35\xe1\xa3\xee" }, + { GCRY_MD_GOSTR3411_94, + "*", + "\x6e\xa9\x9e\x23\xde\x5f\x7a\xb7\x7f\xa7\xdc\xe1\xc8\x05\x46\xae" + "\x1e\x7c\x76\xbb\x52\x0f\x52\x07\x78\x59\xd3\xc1\x64\xdb\x51\xac" }, { 0 } }; gcry_error_t err; @@ -9756,6 +9942,19 @@ check_digests (void) algos[i].md); continue; } + + if (!strcmp (algos[i].data, "*")) + { + if (verbose) + fprintf (stderr, " checking %s [%i] for final handling\n", + gcry_md_algo_name (algos[i].md), + algos[i].md); + + check_one_md_final (algos[i].md, algos[i].expect, algos[i].expectlen); + + continue; + } + if (verbose) fprintf (stderr, " checking %s [%i] for length %d\n", gcry_md_algo_name (algos[i].md), From jussi.kivilinna at iki.fi Thu May 9 21:07:46 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 9 May 2019 22:07:46 +0300 Subject: [PATCH] Fix message digest final function for MD4, MD5 and RMD160 In-Reply-To: <155742825603.27188.12860918675711744600.stgit@localhost.localdomain> References: <155742825603.27188.12860918675711744600.stgit@localhost.localdomain> Message-ID: On 9.5.2019 21.57, Jussi Kivilinna wrote: > * cipher/md4.c (md4_final): Use buffer offset '64 + 56' for bit count > on 'need one extra block' path. > * cipher/md5.c (md5_final): Ditto. > * cipher/rmd160.c (rmd160_final): Ditto. > * tests/basic.c (check_one_md_final): New. > (check_digest): Add new '*' test vectors and handle them with > check_one_md_final. > -- > > This commit fixes bug introduced with commit 46d7dbbc293fdc to MD4, Actually that's wrong commit id (revert commit on my workarea). Actual broken commit is e76cd0e2b1f6025c1319576a5848815d1d231aeb, "Optimizations for digest final functions". -Jussi From gniibe at fsij.org Fri May 10 08:45:17 2019 From: gniibe at fsij.org (NIIBE Yutaka) Date: Fri, 10 May 2019 15:45:17 +0900 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> Message-ID: <878sveolj6.fsf@iwagami.gniibe.org> Hello, Jussi Kivilinna wrote: >> It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers interested in participating in the OSS-Fuzz project? This entails that results for message digests, HMACs, CMACs and symmetric ciphers are compared to other libraries, and if there is a mismatch, everyone gets an e-mail. At that point we have to find out which library is emitting the wrong result, and the bug has to be fixed. >> > > I'd be interested getting emails of such mismatches. > > What do others think? Werner? Niibe? Getting email report is fine for me. If Google account is required, I have old one (not in use currently). (It was created when I joined Google SoC as a mentor org admin in 2005. And it was used until 2009.) -- From guidovranken at gmail.com Fri May 10 20:23:22 2019 From: guidovranken at gmail.com (Guido Vranken) Date: Fri, 10 May 2019 20:23:22 +0200 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: <878sveolj6.fsf@iwagami.gniibe.org> References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> <878sveolj6.fsf@iwagami.gniibe.org> Message-ID: I hadn't noticed Veracrypt deliberately disabled the carry overflow check. Thanks for the suggestion; I've modified the Veracrypt code and there are no differences anymore. Can people who are interested in receiving messages from OSS-Fuzz send their Google account-linked address to guidovranken at gmail.com ? Thanks Dimitry/others: was the carry overflow bug in Stribog in libgcrypt found because I notified LibreSSL about the same bug ( https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/gost/streebog.c?rev=1.6&content-type=text/x-cvsweb-markup). Would it be fair to say, then, that my fuzzer found the libgcrypt Stribog bug? If so I'll add it to my HoF. Thanks On Fri, May 10, 2019 at 8:45 AM NIIBE Yutaka wrote: > Hello, > > Jussi Kivilinna wrote: > >> It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers > interested in participating in the OSS-Fuzz project? This entails that > results for message digests, HMACs, CMACs and symmetric ciphers are > compared to other libraries, and if there is a mismatch, everyone gets an > e-mail. At that point we have to find out which library is emitting the > wrong result, and the bug has to be fixed. > >> > > > > I'd be interested getting emails of such mismatches. > > > > What do others think? Werner? Niibe? > > Getting email report is fine for me. > > If Google account is required, I have old one (not in use currently). > (It was created when I joined Google SoC as a mentor org admin in 2005. > And it was used until 2009.) > -- > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jussi.kivilinna at iki.fi Fri May 10 21:38:07 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Fri, 10 May 2019 22:38:07 +0300 Subject: [PATCH] tests/basic: mark CFB and CFB8 as stream block cipher modes Message-ID: <155751708698.632.7793885505353651938.stgit@localhost.localdomain> * tests/basic.c (get_algo_mode_blklen): Return '1' for CFB and CFB8. -- This commit marks CFB and CFB8 modes as stream ciphers so that they get run through tests/basic.c's split input buffer testing (input split&feed to cipher in variating sized parts). Signed-off-by: Jussi Kivilinna --- tests/basic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/basic.c b/tests/basic.c index 31595d0bb..b0c292a0e 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -7490,6 +7490,8 @@ get_algo_mode_blklen (int algo, int mode) case GCRY_CIPHER_MODE_STREAM: case GCRY_CIPHER_MODE_OFB: case GCRY_CIPHER_MODE_CTR: + case GCRY_CIPHER_MODE_CFB: + case GCRY_CIPHER_MODE_CFB8: case GCRY_CIPHER_MODE_CCM: case GCRY_CIPHER_MODE_GCM: case GCRY_CIPHER_MODE_EAX: From HeikoStamer at gmx.net Fri May 10 21:00:25 2019 From: HeikoStamer at gmx.net (Heiko Stamer) Date: Fri, 10 May 2019 21:00:25 +0200 Subject: Possible flaw in MPI code w.r.t. sign flag Message-ID: Hey developers, during my tests I discovered IMHO a small flaw in libgcrypt's MPI code. It seems that for zero the handling of the sign flag leads to some trouble with comparison functions. Consider the following example: gcry_mpi_t a = gcry_mpi_new(1), b = gcry_mpi_new(1); gcry_mpi_set_ui(a, 42UL), gcry_mpi_set_ui(b, 42UL); // a = +42, b = +42 gcry_mpi_neg(a, a), gcry_mpi_neg(b, b); // a = -42, b = -42 gcry_mpi_sub(a, a, b); // a = -0, b = -42 gcry_mpi_set_ui(b, 0UL); // a = -0, b = +0 assert(gcry_mpi_cmp(a, b)); // SHOULD be 0, but returns -1 gcry_mpi_release(a), gcry_mpi_release(b); Any suggestions? -- Heiko From dbaryshkov at gmail.com Fri May 10 23:48:50 2019 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Sat, 11 May 2019 00:48:50 +0300 Subject: libgcrypt integration into OSS-Fuzz differential cryptography fuzzer In-Reply-To: References: <0fb39b8a-eb44-c0a5-8e73-c1ea0a9ce731@iki.fi> <878sveolj6.fsf@iwagami.gniibe.org> Message-ID: Hello, ??, 10 ??? 2019 ?. ? 21:23, Guido Vranken : > > I hadn't noticed Veracrypt deliberately disabled the carry overflow check. Thanks for the suggestion; I've modified the Veracrypt code and there are no differences anymore. > > Can people who are interested in receiving messages from OSS-Fuzz send their Google account-linked address to guidovranken at gmail.com ? Thanks > > Dimitry/others: was the carry overflow bug in Stribog in libgcrypt found because I notified LibreSSL about the same bug (https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/gost/streebog.c?rev=1.6&content-type=text/x-cvsweb-markup). Would it be fair to say, then, that my fuzzer found the libgcrypt Stribog bug? If so I'll add it to my HoF. I've received a report from another Russian developer (https://habr.com/ru/post/450024/). He was using Kleopatra, thus he stumbled upon an issue in libgcrypt. -- With best wishes Dmitry From wk at gnupg.org Mon May 13 16:31:00 2019 From: wk at gnupg.org (Werner Koch) Date: Mon, 13 May 2019 16:31:00 +0200 Subject: Possible flaw in MPI code w.r.t. sign flag In-Reply-To: (Heiko Stamer's message of "Fri, 10 May 2019 21:00:25 +0200") References: Message-ID: <874l5ywhnf.fsf@wheatstone.g10code.de> On Fri, 10 May 2019 21:00, HeikoStamer at gmx.net said: > gcry_mpi_set_ui(b, 0UL); // a = -0, b = +0 > assert(gcry_mpi_cmp(a, b)); // SHOULD be 0, but returns -1 > gcry_mpi_release(a), gcry_mpi_release(b); > > Any suggestions? We need to handle the +-0 case first. What about this: --8<---------------cut here---------------start------------->8--- diff --git a/mpi/mpi-cmp.c b/mpi/mpi-cmp.c index 66e09612..0c349b96 100644 --- a/mpi/mpi-cmp.c +++ b/mpi/mpi-cmp.c @@ -89,6 +89,10 @@ do_mpi_cmp (gcry_mpi_t u, gcry_mpi_t v, int absmode) usign = absmode? 0 : u->sign; vsign = absmode? 0 : v->sign; + /* Special treatment for +0 == -0 */ + if (!usize && !vsize) + return 0; + /* Compare sign bits. */ if (!usign && vsign) --8<---------------cut here---------------end--------------->8--- Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From jussi.kivilinna at iki.fi Tue May 14 18:45:55 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Tue, 14 May 2019 19:45:55 +0300 Subject: [PATCH 1/3] tests: do not use GCC variadic macro extension for xgcry_control Message-ID: <155785235507.17567.1835236794730028877.stgit@localhost.localdomain> * tests/t-common.h (xgcry_control): Use doubly nested parenthesis for passing arguments for gcry_control instead of GCC specific variadic macro extension. * tests/aeswrap.c: Change xgcry_control to use doubly nested parenthesis. * tests/basic.c: Ditto. * tests/bench-slope.c: Ditto. * tests/benchmark.c: Ditto. * tests/curves.c: Ditto. * tests/dsa-rfc6979.c: Ditto. * tests/fips186-dsa: Ditto. * tests/fipsdrv.c: Ditto. * tests/fipsrngdrv.c: Ditto. * tests/gchash.c: Ditto. * tests/hashtest.c: Ditto. * tests/hmac.c: Ditto. * tests/keygen.c: Ditto. * tests/keygrip.c: Ditto. * tests/mpitests.c: Ditto. * tests/pkbench.c: Ditto. * tests/pkcs1v2.c: Ditto. * tests/prime.c: Ditto. * tests/pubkey.c: Ditto. * tests/random.c: Ditto. * tests/rsacvt.c: Ditto. * tests/t-convert.c: Ditto. * tests/t-cv25519.c: Ditto. * tests/t-ed25519.c: Ditto. * tests/t-kdf.c: Ditto. * tests/t-lock.c: Ditto. * tests/t-mpi-bit.c: Ditto. * tests/t-mpi-point.c: Ditto. * tests/t-secmem.c: Ditto. * tests/t-sexp.c: Ditto. * tests/version.c: Ditto. -- GnuPG-bug-id: 4499 Signed-off-by: Jussi Kivilinna --- 0 files changed diff --git a/tests/aeswrap.c b/tests/aeswrap.c index dbbd7dd9a..7c7e60bf1 100644 --- a/tests/aeswrap.c +++ b/tests/aeswrap.c @@ -274,10 +274,10 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); check_all (); return error_count ? 1 : 0; diff --git a/tests/basic.c b/tests/basic.c index b0c292a0e..fd074cba7 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -12520,10 +12520,10 @@ main (int argc, char **argv) } } - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); if (use_fips) - xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); /* Check that we test exactly our version - including the patchlevel. */ if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL))) @@ -12534,16 +12534,16 @@ main (int argc, char **argv) in_fips_mode = 1; if (!in_fips_mode) - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (verbose) gcry_set_progress_handler (progress_handler, NULL); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); /* No valuable keys are create, so we can speed up our RNG. */ - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); do { @@ -12580,7 +12580,7 @@ main (int argc, char **argv) gcry_md_hd_t md; /* First trigger a self-test. */ - xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) fail ("not in operational state after self-test\n"); @@ -12609,7 +12609,7 @@ main (int argc, char **argv) { /* Now run a self-test and to get back into operational state. */ - xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) fail ("did not reach operational after error " "and self-test\n"); diff --git a/tests/bench-slope.c b/tests/bench-slope.c index 2ead3c9e2..63f8f7ae5 100644 --- a/tests/bench-slope.c +++ b/tests/bench-slope.c @@ -2292,7 +2292,7 @@ main (int argc, char **argv) } } - xgcry_control (GCRYCTL_SET_VERBOSITY, (int) verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int) verbose)); if (!gcry_check_version (GCRYPT_VERSION)) { @@ -2302,11 +2302,11 @@ main (int argc, char **argv) } if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); if (in_regression_test) fputs ("Note: " PGM " running in quick regression test mode.\n", stdout); diff --git a/tests/benchmark.c b/tests/benchmark.c index 418f92913..0f15c0d89 100644 --- a/tests/benchmark.c +++ b/tests/benchmark.c @@ -461,7 +461,7 @@ random_bench (int very_strong) putchar ('\n'); if (verbose) - xgcry_control (GCRYCTL_DUMP_RANDOM_STATS); + xgcry_control ((GCRYCTL_DUMP_RANDOM_STATS)); } @@ -1791,17 +1791,17 @@ main( int argc, char **argv ) { /* This is anyway the default, but we may want to use it for debugging. */ - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD)); argc--; argv++; } else if (!strcmp (*argv, "--prefer-fips-rng")) { - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS)); argc--; argv++; } else if (!strcmp (*argv, "--prefer-system-rng")) { - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM)); argc--; argv++; } else if (!strcmp (*argv, "--no-blinding")) @@ -1884,7 +1884,7 @@ main( int argc, char **argv ) { argc--; argv++; /* This command needs to be called before gcry_check_version. */ - xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); } else if (!strcmp (*argv, "--progress")) { @@ -1896,7 +1896,7 @@ main( int argc, char **argv ) if (buffer_alignment < 1 || buffer_alignment > 16) die ("value for --alignment must be in the range 1 to 16\n"); - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); if (!gcry_check_version (GCRYPT_VERSION)) { @@ -1906,20 +1906,20 @@ main( int argc, char **argv ) } if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); if (gcry_fips_mode_active ()) in_fips_mode = 1; else if (!use_secmem) - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (use_random_daemon) - xgcry_control (GCRYCTL_USE_RANDOM_DAEMON, 1); + xgcry_control ((GCRYCTL_USE_RANDOM_DAEMON, 1)); if (with_progress) gcry_set_progress_handler (progress_cb, NULL); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (cipher_repetitions < 1) cipher_repetitions = 1; @@ -1933,7 +1933,7 @@ main( int argc, char **argv ) if ( !argc ) { - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); md_bench (NULL); putchar ('\n'); mac_bench (NULL); @@ -1955,9 +1955,9 @@ main( int argc, char **argv ) random_bench ((**argv == 's')); else if (argc == 2) { - xgcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, argv[1]); + xgcry_control ((GCRYCTL_SET_RANDOM_SEED_FILE, argv[1])); random_bench ((**argv == 's')); - xgcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE); + xgcry_control ((GCRYCTL_UPDATE_RANDOM_SEED_FILE)); } else fputs ("usage: benchmark [strong]random [seedfile]\n", stdout); @@ -1992,7 +1992,7 @@ main( int argc, char **argv ) } else if ( !strcmp (*argv, "pubkey")) { - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); rsa_bench (pk_count, 1, no_blinding); elg_bench (pk_count, 0); dsa_bench (pk_count, 0); @@ -2000,27 +2000,27 @@ main( int argc, char **argv ) } else if ( !strcmp (*argv, "rsa")) { - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); rsa_bench (pk_count, 1, no_blinding); } else if ( !strcmp (*argv, "elg")) { - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); elg_bench (pk_count, 1); } else if ( !strcmp (*argv, "dsa")) { - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); dsa_bench (pk_count, 1); } else if ( !strcmp (*argv, "ecc")) { - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); ecc_bench (pk_count, 1); } else if ( !strcmp (*argv, "prime")) { - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); prime_bench (); } else diff --git a/tests/curves.c b/tests/curves.c index 9e75fd554..dc5ebe77f 100644 --- a/tests/curves.c +++ b/tests/curves.c @@ -178,10 +178,10 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); list_curves (); check_matching (); check_get_params (); diff --git a/tests/dsa-rfc6979.c b/tests/dsa-rfc6979.c index 2cfa94a83..7d3d20803 100644 --- a/tests/dsa-rfc6979.c +++ b/tests/dsa-rfc6979.c @@ -966,16 +966,16 @@ main (int argc, char **argv) debug = 1; } - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); /* Check that we test exactly our version - including the patchlevel. */ if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL))) die ("version mismatch; pgm=%s, library=%s\n", GCRYPT_VERSION,gcry_check_version (NULL)); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); /* No valuable keys are create, so we can speed up our RNG. */ - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); check_dsa_rfc6979 (); diff --git a/tests/fips186-dsa.c b/tests/fips186-dsa.c index b5f0cf0b5..5ed5653b6 100644 --- a/tests/fips186-dsa.c +++ b/tests/fips186-dsa.c @@ -411,14 +411,14 @@ main (int argc, char **argv) debug = 1; } - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); /* No valuable keys are create, so we can speed up our RNG. */ - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); check_dsa_gen_186_2 (); diff --git a/tests/fipsdrv.c b/tests/fipsdrv.c index 71554e236..f6268e2ac 100644 --- a/tests/fipsdrv.c +++ b/tests/fipsdrv.c @@ -929,7 +929,7 @@ run_external_rng_test (void *context, void *buffer, size_t buflen) static void deinit_external_rng_test (void *context) { - xgcry_control (PRIV_CTL_DEINIT_EXTRNG_TEST, context); + xgcry_control ((PRIV_CTL_DEINIT_EXTRNG_TEST, context)); } @@ -2476,16 +2476,16 @@ main (int argc, char **argv) if (verbose) fprintf (stderr, PGM ": started (mode=%s)\n", mode_string); - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); if (!no_fips) - xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); if (!gcry_check_version ("1.4.3")) die ("Libgcrypt is not sufficient enough\n"); if (verbose) fprintf (stderr, PGM ": using Libgcrypt %s\n", gcry_check_version (NULL)); if (no_fips) - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); /* Most operations need some input data. */ if (!chunksize diff --git a/tests/fipsrngdrv.c b/tests/fipsrngdrv.c index d6023c7f8..17cc92041 100644 --- a/tests/fipsrngdrv.c +++ b/tests/fipsrngdrv.c @@ -111,7 +111,7 @@ run_external_test (void *context, void *buffer, size_t buflen) static void deinit_external_test (void *context) { - xgcry_control (60, context); + xgcry_control ((60, context)); } @@ -208,13 +208,13 @@ main (int argc, char **argv) if (verbose) fputs (PGM ": started\n", stderr); - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); if (!no_fips) - xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); if (!gcry_check_version ("1.4.3")) die ("version mismatch\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); /* The flag value 1 disables the dup check, so that the RNG returns all generated data. */ diff --git a/tests/gchash.c b/tests/gchash.c index 83dc7b559..43ce53ba3 100644 --- a/tests/gchash.c +++ b/tests/gchash.c @@ -43,15 +43,15 @@ init_gcrypt (void) exit (2); } - xgcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); + xgcry_control ((GCRYCTL_SUSPEND_SECMEM_WARN)); /* Allocate a pool of 16k secure memory. This make the secure memory * available and also drops privileges where needed. */ - xgcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); + xgcry_control ((GCRYCTL_INIT_SECMEM, 16384, 0)); - xgcry_control (GCRYCTL_RESUME_SECMEM_WARN); + xgcry_control ((GCRYCTL_RESUME_SECMEM_WARN)); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); } int diff --git a/tests/hashtest.c b/tests/hashtest.c index 339459494..4c9704f3f 100644 --- a/tests/hashtest.c +++ b/tests/hashtest.c @@ -394,13 +394,13 @@ main (int argc, char **argv) if (gigs < 0 || gigs > 1024*1024) die ("value for --gigs must be in the range 0 to %d", 1024*1024); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); /* A quick check that all given algorithms are valid. */ for (idx=0; idx < argc; idx++) diff --git a/tests/hmac.c b/tests/hmac.c index 5852ee4a5..2b4c0f9f9 100644 --- a/tests/hmac.c +++ b/tests/hmac.c @@ -192,10 +192,10 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); check_hmac (); check_hmac_multi (); diff --git a/tests/keygen.c b/tests/keygen.c index 6b6a60a4e..4e7dfd35d 100644 --- a/tests/keygen.c +++ b/tests/keygen.c @@ -733,22 +733,22 @@ main (int argc, char **argv) break; } - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); if (opt_fips) - xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (!opt_fips) - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); /* No valuable keys are create, so we can speed up our RNG. */ if (!no_quick) - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); if (with_progress) gcry_set_progress_handler (progress_cb, NULL); diff --git a/tests/keygrip.c b/tests/keygrip.c index 73a6f812a..63171502c 100644 --- a/tests/keygrip.c +++ b/tests/keygrip.c @@ -319,10 +319,10 @@ main (int argc, char **argv) gcry_set_progress_handler (progress_handler, NULL); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); check (); diff --git a/tests/mpitests.c b/tests/mpitests.c index 9b4a66c29..96e015516 100644 --- a/tests/mpitests.c +++ b/tests/mpitests.c @@ -595,7 +595,7 @@ main (int argc, char* argv[]) fputs ("version mismatch\n", stderr); exit (1); } - xgcry_control(GCRYCTL_DISABLE_SECMEM); + xgcry_control ((GCRYCTL_DISABLE_SECMEM)); test_const_and_immutable (); test_opaque (); diff --git a/tests/pkbench.c b/tests/pkbench.c index e458b4295..a7665f461 100644 --- a/tests/pkbench.c +++ b/tests/pkbench.c @@ -441,12 +441,12 @@ main (int argc, char **argv) } } - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); if (fips_mode) - xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); + xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); - xgcry_control (GCRYCTL_DISABLE_SECMEM); + xgcry_control ((GCRYCTL_DISABLE_SECMEM)); if (!gcry_check_version (GCRYPT_VERSION)) { fprintf (stderr, PGM ": version mismatch\n"); @@ -456,11 +456,11 @@ main (int argc, char **argv) if (genkey_mode) { /* No valuable keys are create, so we can speed up our RNG. */ - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); } if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (genkey_mode && argc == 2) diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c index b52bff810..968d3fea2 100644 --- a/tests/pkcs1v2.c +++ b/tests/pkcs1v2.c @@ -650,15 +650,15 @@ main (int argc, char **argv) if (!run_oaep && !run_pss && !run_v15c && !run_v15s) run_oaep = run_pss = run_v15c = run_v15s = 1; - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (!gcry_check_version ("1.5.0")) die ("version mismatch\n"); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); /* No valuable keys are create, so we can speed up our RNG. */ - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); if (run_oaep) check_oaep (); diff --git a/tests/prime.c b/tests/prime.c index 5e90ce063..422649806 100644 --- a/tests/prime.c +++ b/tests/prime.c @@ -224,13 +224,13 @@ main (int argc, char **argv) else if ((argc > 1) && (! strcmp (argv[1], "--42"))) verbose = debug = mode42 = 1; - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (! gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); if (mode42) create_42prime (); diff --git a/tests/pubkey.c b/tests/pubkey.c index fbb7bbb5b..748d051ea 100644 --- a/tests/pubkey.c +++ b/tests/pubkey.c @@ -1179,14 +1179,14 @@ main (int argc, char **argv) debug = 1; } - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); /* No valuable keys are create, so we can speed up our RNG. */ - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); for (i=0; i < 2; i++) check_run (); diff --git a/tests/random.c b/tests/random.c index 2f48323f3..22927a613 100644 --- a/tests/random.c +++ b/tests/random.c @@ -292,7 +292,7 @@ check_close_random_device (void) die ("fork failed: %s\n", strerror (errno)); if (!pid) { - xgcry_control (GCRYCTL_CLOSE_RANDOM_DEVICE, 0); + xgcry_control ((GCRYCTL_CLOSE_RANDOM_DEVICE, 0)); /* The next call will re-open the device. */ gcry_randomize (buf, sizeof buf, GCRY_STRONG_RANDOM); @@ -345,7 +345,7 @@ check_rng_type_switching (void) if (rngtype != rng_type ()) die ("RNG type unexpectedly changed\n"); - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM)); rngtype = rng_type (); if (debug) @@ -358,7 +358,7 @@ check_rng_type_switching (void) if (rngtype != rng_type ()) die ("RNG type unexpectedly changed\n"); - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS)); rngtype = rng_type (); if (debug) @@ -371,7 +371,7 @@ check_rng_type_switching (void) if (rngtype != rng_type ()) die ("RNG type unexpectedly changed\n"); - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD)); rngtype = rng_type (); if (debug) @@ -399,7 +399,7 @@ check_early_rng_type_switching (void) info ("rng type: %d\n", rngtype); initial = rngtype; - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM)); rngtype = rng_type (); if (debug) @@ -407,7 +407,7 @@ check_early_rng_type_switching (void) if (initial >= GCRY_RNG_TYPE_SYSTEM && rngtype != GCRY_RNG_TYPE_SYSTEM) die ("switching to System RNG failed\n"); - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS)); rngtype = rng_type (); if (debug) @@ -415,7 +415,7 @@ check_early_rng_type_switching (void) if (initial >= GCRY_RNG_TYPE_FIPS && rngtype != GCRY_RNG_TYPE_FIPS) die ("switching to FIPS RNG failed\n"); - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_STANDARD)); rngtype = rng_type (); if (debug) @@ -659,18 +659,18 @@ main (int argc, char **argv) { /* This is anyway the default, but we may want to use it for debugging. */ - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, - GCRY_RNG_TYPE_STANDARD); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, + GCRY_RNG_TYPE_STANDARD)); argc--; argv++; } else if (!strcmp (*argv, "--prefer-fips-rng")) { - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_FIPS)); argc--; argv++; } else if (!strcmp (*argv, "--prefer-system-rng")) { - xgcry_control (GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); + xgcry_control ((GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM)); argc--; argv++; } else if (!strcmp (*argv, "--disable-hwf")) @@ -701,7 +701,7 @@ main (int argc, char **argv) check_early_rng_type_switching (); } - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); @@ -718,9 +718,9 @@ main (int argc, char **argv) xfree (fname); } - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); if (benchmark) { @@ -760,7 +760,7 @@ main (int argc, char **argv) } if (debug) - xgcry_control (GCRYCTL_DUMP_RANDOM_STATS); + xgcry_control ((GCRYCTL_DUMP_RANDOM_STATS)); return 0; } diff --git a/tests/rsacvt.c b/tests/rsacvt.c index 3d832640f..3cc50d799 100644 --- a/tests/rsacvt.c +++ b/tests/rsacvt.c @@ -361,11 +361,11 @@ main (int argc, char **argv) else input = stdin; - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); if (!gcry_check_version ("1.4.0")) die ("Libgcrypt is not sufficient enough\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); do { diff --git a/tests/t-common.h b/tests/t-common.h index 2040f099e..e356c39ab 100644 --- a/tests/t-common.h +++ b/tests/t-common.h @@ -151,9 +151,9 @@ info (const char *format, ...) /* Convenience macro for initializing gcrypt with error checking. */ -#define xgcry_control(cmd...) \ +#define xgcry_control(cmd) \ do { \ - gcry_error_t err__ = gcry_control (cmd); \ + gcry_error_t err__ = gcry_control cmd; \ if (err__) \ die ("line %d: gcry_control (%s) failed: %s", \ __LINE__, #cmd, gcry_strerror (err__)); \ diff --git a/tests/t-convert.c b/tests/t-convert.c index 121039c73..4450a9e3f 100644 --- a/tests/t-convert.c +++ b/tests/t-convert.c @@ -520,11 +520,11 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); negative_zero (); check_formats (); diff --git a/tests/t-cv25519.c b/tests/t-cv25519.c index 8c4a53eb4..5634312d3 100644 --- a/tests/t-cv25519.c +++ b/tests/t-cv25519.c @@ -553,13 +553,13 @@ main (int argc, char **argv) die ("unknown option '%s'", *argv); } - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); start_timer (); check_cv25519 (); diff --git a/tests/t-ed25519.c b/tests/t-ed25519.c index 73628a815..a5271c25d 100644 --- a/tests/t-ed25519.c +++ b/tests/t-ed25519.c @@ -473,13 +473,13 @@ main (int argc, char **argv) else custom_data_file = 1; - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); /* Ed25519 isn't supported in fips mode */ if (gcry_fips_mode_active()) diff --git a/tests/t-kdf.c b/tests/t-kdf.c index e011ef4f1..7a48e98ac 100644 --- a/tests/t-kdf.c +++ b/tests/t-kdf.c @@ -1274,10 +1274,10 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); if (s2kcount) bench_s2k (s2kcount); diff --git a/tests/t-lock.c b/tests/t-lock.c index 7e5732e09..9f30ec56d 100644 --- a/tests/t-lock.c +++ b/tests/t-lock.c @@ -429,15 +429,15 @@ main (int argc, char **argv) srand (time(NULL)*getpid()); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch"); /* We are using non-public interfaces - check the exact version. */ if (strcmp (gcry_check_version (NULL), GCRYPT_VERSION)) die ("exact version match failed"); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); check_nonce_lock (); diff --git a/tests/t-mpi-bit.c b/tests/t-mpi-bit.c index 91116ca98..b66809f01 100644 --- a/tests/t-mpi-bit.c +++ b/tests/t-mpi-bit.c @@ -340,12 +340,12 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); one_bit_only (0); one_bit_only (1); diff --git a/tests/t-mpi-point.c b/tests/t-mpi-point.c index f2378bffc..1ee1caf2c 100644 --- a/tests/t-mpi-point.c +++ b/tests/t-mpi-point.c @@ -1322,11 +1322,11 @@ main (int argc, char **argv) if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); set_get_point (); context_alloc (); diff --git a/tests/t-secmem.c b/tests/t-secmem.c index baf013d3b..c4d8c66df 100644 --- a/tests/t-secmem.c +++ b/tests/t-secmem.c @@ -76,13 +76,13 @@ test_secmem_overflow (void) { a[i] = gcry_xmalloc_secure (chunk_size); if (verbose && !(i %40)) - xgcry_control (GCRYCTL_DUMP_SECMEM_STATS, 0 , 0); + xgcry_control ((GCRYCTL_DUMP_SECMEM_STATS, 0 , 0)); } if (debug) - xgcry_control (PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0); + xgcry_control ((PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0)); if (verbose) - xgcry_control (GCRYCTL_DUMP_SECMEM_STATS, 0 , 0); + xgcry_control ((GCRYCTL_DUMP_SECMEM_STATS, 0 , 0)); for (i=0; i < DIM(a); i++) xfree (a[i]); } @@ -103,7 +103,7 @@ outofcore_handler (void *opaque, size_t req_n, unsigned int flags) been_here = 1; info ("outofcore handler invoked"); - xgcry_control (PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0); + xgcry_control ((PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0)); fail ("out of core%s while allocating %lu bytes", (flags & 1)?" in secure memory":"", (unsigned long)req_n); @@ -171,16 +171,16 @@ main (int argc, char **argv) die ("version mismatch; pgm=%s, library=%s\n", GCRYPT_VERSION, gcry_check_version (NULL)); if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INIT_SECMEM, pool_size, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INIT_SECMEM, pool_size, 0)); gcry_set_outofcore_handler (outofcore_handler, NULL); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); /* Libgcrypt prints a warning when the first overflow is allocated; * we do not want to see that. */ if (!verbose) - xgcry_control (GCRYCTL_DISABLE_SECMEM_WARN, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM_WARN, 0)); test_secmem (); @@ -191,11 +191,11 @@ main (int argc, char **argv) if (verbose) { - xgcry_control (PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0); - xgcry_control (GCRYCTL_DUMP_SECMEM_STATS, 0 , 0); + xgcry_control ((PRIV_CTL_DUMP_SECMEM_STATS, 0 , 0)); + xgcry_control ((GCRYCTL_DUMP_SECMEM_STATS, 0 , 0)); } info ("All tests completed. Errors: %d\n", error_count); - xgcry_control (GCRYCTL_TERM_SECMEM, 0 , 0); + xgcry_control ((GCRYCTL_TERM_SECMEM, 0 , 0)); return !!error_count; } diff --git a/tests/t-sexp.c b/tests/t-sexp.c index 2b33520f0..d45f44ae8 100644 --- a/tests/t-sexp.c +++ b/tests/t-sexp.c @@ -1169,17 +1169,17 @@ main (int argc, char **argv) } if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - xgcry_control (GCRYCTL_DISABLE_SECMEM_WARN); - xgcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); + xgcry_control ((GCRYCTL_DISABLE_SECMEM_WARN)); + xgcry_control ((GCRYCTL_INIT_SECMEM, 16384, 0)); if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch"); /* #include "../src/gcrypt-int.h" indicates that internal interfaces may be used; thus better do an exact version check. */ if (strcmp (gcry_check_version (NULL), GCRYPT_VERSION)) die ("exact version match failed"); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); basic (); canon_len (); diff --git a/tests/version.c b/tests/version.c index 7e68cd605..1d540ba49 100644 --- a/tests/version.c +++ b/tests/version.c @@ -145,9 +145,9 @@ main (int argc, char **argv) } } - xgcry_control (GCRYCTL_SET_VERBOSITY, (int)verbose); + xgcry_control ((GCRYCTL_SET_VERBOSITY, (int)verbose)); - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); if (strcmp (GCRYPT_VERSION, gcry_check_version (NULL))) { int oops = !gcry_check_version (GCRYPT_VERSION); @@ -157,7 +157,7 @@ main (int argc, char **argv) exit (1); } - xgcry_control (GCRYCTL_PRINT_CONFIG, NULL); + xgcry_control ((GCRYCTL_PRINT_CONFIG, NULL)); test_get_config (); From jussi.kivilinna at iki.fi Tue May 14 18:46:05 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Tue, 14 May 2019 19:46:05 +0300 Subject: [PATCH 3/3] tests/basic: fix signed interger overflow In-Reply-To: <155785235507.17567.1835236794730028877.stgit@localhost.localdomain> References: <155785235507.17567.1835236794730028877.stgit@localhost.localdomain> Message-ID: <155785236543.17567.11148978562364118509.stgit@localhost.localdomain> * tests/basic.c (check_ocb_cipher_largebuf_split): Cast to unsigned when generating buffer values. -- Signed-off-by: Jussi Kivilinna --- 0 files changed diff --git a/tests/basic.c b/tests/basic.c index fd074cba7..0ce88e291 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -5044,7 +5044,7 @@ check_ocb_cipher_largebuf_split (int algo, int keylen, const char *tagexpect, } for (i = 0; i < buflen; i++) - inbuf[i] = (i + 181081) * 5039; + inbuf[i] = (unsigned int)(i + 181081) * 5039U; err = gcry_cipher_open (&hde, algo, GCRY_CIPHER_MODE_OCB, 0); if (!err) From jussi.kivilinna at iki.fi Tue May 14 18:46:00 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Tue, 14 May 2019 19:46:00 +0300 Subject: [PATCH 2/3] mpi/mpiutil: define constant number structures statically In-Reply-To: <155785235507.17567.1835236794730028877.stgit@localhost.localdomain> References: <155785235507.17567.1835236794730028877.stgit@localhost.localdomain> Message-ID: <155785236028.17567.10989619737967194100.stgit@localhost.localdomain> * mpi/mpiutil.c (constant_limbs): New. (constants): Change from array of pointers to array of mpi strucutres, and initialize constant structures. (_gcry_mpi_init): Remove constant initialization. (_gcry_mpi_count): Adjust to structure change. -- GnuPG-bug-id: 4499 Signed-off-by: Jussi Kivilinna --- 0 files changed diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c index 9dde37fb4..fabb55a57 100644 --- a/mpi/mpiutil.c +++ b/mpi/mpiutil.c @@ -43,8 +43,21 @@ #endif -/* Constants allocated right away at startup. */ -static gcry_mpi_t constants[MPI_NUMBER_OF_CONSTANTS]; +/* Fixed constants allocated staticly. */ +static mpi_limb_t constant_limbs[MPI_NUMBER_OF_CONSTANTS] = +{ + 0, 1, 2, 3, 4, 8 +}; + +static struct gcry_mpi constants[MPI_NUMBER_OF_CONSTANTS] = +{ + /* [MPI_C_ZERO] = */ { 1, 0, 0, (16 | 32), &constant_limbs[0] }, + /* [MPI_C_ONE] = */ { 1, 1, 0, (16 | 32), &constant_limbs[1] }, + /* [MPI_C_TWO] = */ { 1, 1, 0, (16 | 32), &constant_limbs[2] }, + /* [MPI_C_THREE] = */ { 1, 1, 0, (16 | 32), &constant_limbs[3] }, + /* [MPI_C_FOUR] = */ { 1, 1, 0, (16 | 32), &constant_limbs[4] }, + /* [MPI_C_EIGHT] = */ { 1, 1, 0, (16 | 32), &constant_limbs[5] }, +}; @@ -60,25 +73,6 @@ _gcry_mpi_get_hw_config (void) gcry_err_code_t _gcry_mpi_init (void) { - int idx; - unsigned long value; - - for (idx=0; idx < MPI_NUMBER_OF_CONSTANTS; idx++) - { - switch (idx) - { - case MPI_C_ZERO: value = 0; break; - case MPI_C_ONE: value = 1; break; - case MPI_C_TWO: value = 2; break; - case MPI_C_THREE: value = 3; break; - case MPI_C_FOUR: value = 4; break; - case MPI_C_EIGHT: value = 8; break; - default: log_bug ("invalid mpi_const selector %d\n", idx); - } - constants[idx] = mpi_alloc_set_ui (value); - constants[idx]->flags = (16|32); - } - return 0; } @@ -756,7 +750,5 @@ _gcry_mpi_const (enum gcry_mpi_constants no) { if ((int)no < 0 || no > MPI_NUMBER_OF_CONSTANTS) log_bug("invalid mpi_const selector %d\n", no); - if (!constants[no]) - log_bug("MPI subsystem not initialized\n"); - return constants[no]; + return &constants[no]; } From HeikoStamer at gmx.net Tue May 14 20:58:52 2019 From: HeikoStamer at gmx.net (Heiko Stamer) Date: Tue, 14 May 2019 20:58:52 +0200 Subject: Possible flaw in MPI code w.r.t. sign flag In-Reply-To: <874l5ywhnf.fsf@wheatstone.g10code.de> References: <874l5ywhnf.fsf@wheatstone.g10code.de> Message-ID: Hi Werner, On 13 May 2019 16:31, Werner Koch wrote: > We need to handle the +-0 case first. What about this: I am not sure whether the fix in do_mpi_cmp() is enough. Perhaps other comparison operators or output functions of the MPI code have to be changed too. However, I have not looked at this yet. Another solution to the underlying issue: avoid setting the sign flag for that special case in all arithmetic operators (add, ...). -- Heiko From jussi.kivilinna at iki.fi Tue May 14 22:49:27 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Tue, 14 May 2019 23:49:27 +0300 Subject: [PATCH] Disable instrumentation on mixed Intel SSE C/assembly implementions Message-ID: <155786696771.27770.17702048339789441031.stgit@localhost.localdomain> * cipher/Makefile.am: Make 'tiger.o' and 'tiger.lo' depend on Makefile; Add instrumentation option munging. * cipher/cipher-gcm-intel-pcmul.c (ALWAYS_INLINE) (NO_INSTRUMENT_FUNCTION, ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New. (reduction, gfmul_pclmul, gfmul_pclmul_aggr4, gfmul_pclmul_aggr8) (gcm_lsh): Define with 'ASM_FUNC_ATTR_INLINE' instead of 'inline'. (_gcry_ghash_setup_intel_pclmul, _gcry_ghash_intel_pclmul): Define with 'ASM_FUNC_ATTR'. * cipher/crc-intel-pcmul.c (ALWAYS_INLINE, NO_INSTRUMENT_FUNCTION) (ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New. (crc32_reflected_bulk, crc32_reflected_less_than_16, crc32_bulk) (crc32_less_than_16): Define with 'ASM_FUNC_ATTR_INLINE' instead of 'inline'. (_gcry_crc32_intel_pclmul, _gcry_crc24rfc2440_intel_pclmul): Define with 'ASM_FUNC_ATTR'. * cipher/rijndael-aesni.c (NO_INSTRUMENT_FUNCTION, ASM_FUNC_ATTR) (ASM_FUNC_ATTR_INLINE, ASM_FUNC_ATTR_NOINLINE): New. (aes_ocb_get_l, do_aesni_prepare_decryption, do_aesni_enc) (do_aesni_dec, do_aesni_enc_vec4, do_aesni_dec_vec4, do_aesni_enc_vec8) (do_aesni_dec_vec8, aesni_ocb_checksum): Define with 'ASM_FUNC_ATTR_INLINE' instead of 'inline'. (do_aesni_ctr, do_aesni_ctr_4, do_aesni_ctr_8): Define wtih 'ASM_FUNC_ATTR_INLINE'. (aesni_ocb_enc, aesni_ocb_dec): Define with 'ASM_FUNC_ATTR_NOINLINE' instead of 'NO_INLINE'. (_gcry_aes_aesni_do_setkey, _gcry_aes_aesni_prepare_decryption) (_gcry_aes_aesni_encrypt, _gcry_aes_aesni_cfg_enc) (_gcry_aes_aesni_cbc_enc, _gcry_aes_aesni_ctr_enc) (_gcry_aes_aesni_decrypt, _gcry_aes_aesni_cfb_dec) (_gcry_aes_aesni_cbc_dec, _gcry_aes_aesni_ocb_crypt) (_gcry_aes_aesni_ocb_auth, _gcry_aes_aesni_xts_enc) (_gcry_aes_aesni_xts_dec, _gcry_aes_aesni_xts_crypt): Define with 'ASM_FUNC_ATTR'. * cipher/rijndael-ssse3-amd64.c (ALWAYS_INLINE, NO_INSTRUMENT_FUNCTION) (ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New. (aes_ocb_get_l, do_ssse3_prepare_decryption, do_vpaes_ssse3_enc) (do_vpaes_ssse3_dec): Define with 'ASM_FUNC_ATTR_INLINE' instead of 'inline'. (_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption) (_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_cfb_enc) (_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc) (_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_dec) (_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec) (_gcry_aes_ssse3_ocb_crypt, _gcry_aes_ssse3_ocb_auth): Define with 'ASM_FUNC_ATTR'. * cipher/sha1-intel-shaext.c (NO_INSTRUMENT_FUNCTION) (ASM_FUNC_ATTR): New. (_gcry_sha1_transform_intel_shaext): Define with 'ASM_FUNC_ATTR'. * cipher/sha256-intel-shaext.c (NO_INSTRUMENT_FUNCTION) (ASM_FUNC_ATTR): New. (_gcry_sha256_transform_intel_shaext): Define with 'ASM_FUNC_ATTR'. * configure.ac (ENABLE_INSTRUMENTATION_MUNGING): New. -- This commit disables instrumentation for mixed C/assembly implementations for i386 and amd64 that make use of XMM registers. These implementations use cc as thin assembly front-end and do not tolerate instrumentation function calls inserted by compiler as those functions may clobber the XMM registers. Signed-off-by: Jussi Kivilinna --- cipher/Makefile.am | 56 ++++++++++++++++++++++++++++++++--- cipher/cipher-gcm-intel-pclmul.c | 26 +++++++++++----- cipher/crc-intel-pclmul.c | 19 ++++++++---- cipher/rijndael-aesni.c | 61 +++++++++++++++++++++----------------- cipher/rijndael-ssse3-amd64.c | 41 +++++++++++++++----------- cipher/sha1-intel-shaext.c | 6 +++- cipher/sha256-intel-shaext.c | 6 +++- configure.ac | 11 +++++++ 8 files changed, 160 insertions(+), 66 deletions(-) diff --git a/cipher/Makefile.am b/cipher/Makefile.am index 2acd7cb38..19420bf4e 100644 --- a/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -142,8 +142,56 @@ endif # We need to lower the optimization for this module. -tiger.o: $(srcdir)/tiger.c - `echo $(COMPILE) -c $(srcdir)/tiger.c | $(o_flag_munging) ` +tiger.o: $(srcdir)/tiger.c Makefile + `echo $(COMPILE) -c $< | $(o_flag_munging) ` -tiger.lo: $(srcdir)/tiger.c - `echo $(LTCOMPILE) -c $(srcdir)/tiger.c | $(o_flag_munging) ` +tiger.lo: $(srcdir)/tiger.c Makefile + `echo $(LTCOMPILE) -c $< | $(o_flag_munging) ` + + +# We need to disable instrumentation for these modules as they use cc as +# thin assembly front-end and do not tolerate in-between function calls +# inserted by compiler as those functions may clobber the XMM registers. +if ENABLE_INSTRUMENTATION_MUNGING +instrumentation_munging = sed \ + -e 's/-fsanitize[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' \ + -e 's/-fprofile[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' +else +instrumentation_munging = cat +endif + +rijndael-aesni.o: $(srcdir)/rijndael-aesni.c Makefile + `echo $(COMPILE) -c $< | $(instrumentation_munging) ` + +rijndael-aesni.lo: $(srcdir)/rijndael-aesni.c Makefile + `echo $(LTCOMPILE) -c $< | $(instrumentation_munging) ` + +rijndael-ssse3-amd64.o: $(srcdir)/rijndael-ssse3-amd64.c Makefile + `echo $(COMPILE) -c $< | $(instrumentation_munging) ` + +rijndael-ssse3-amd64.lo: $(srcdir)/rijndael-ssse3-amd64.c Makefile + `echo $(LTCOMPILE) -c $< | $(instrumentation_munging) ` + +cipher-gcm-intel-pclmul.o: $(srcdir)/cipher-gcm-intel-pclmul.c Makefile + `echo $(COMPILE) -c $< | $(instrumentation_munging) ` + +cipher-gcm-intel-pclmul.lo: $(srcdir)/cipher-gcm-intel-pclmul.c Makefile + `echo $(LTCOMPILE) -c $< | $(instrumentation_munging) ` + +sha1-intel-shaext.o: $(srcdir)/sha1-intel-shaext.c Makefile + `echo $(COMPILE) -c $< | $(instrumentation_munging) ` + +sha1-intel-shaext.lo: $(srcdir)/sha1-intel-shaext.c Makefile + `echo $(LTCOMPILE) -c $< | $(instrumentation_munging) ` + +sha256-intel-shaext.o: $(srcdir)/sha256-intel-shaext.c Makefile + `echo $(COMPILE) -c $< | $(instrumentation_munging) ` + +sha256-intel-shaext.lo: $(srcdir)/sha256-intel-shaext.c Makefile + `echo $(LTCOMPILE) -c $< | $(instrumentation_munging) ` + +crc-intel-pclmul.o: $(srcdir)/crc-intel-pclmul.c Makefile + `echo $(COMPILE) -c $< | $(instrumentation_munging) ` + +crc-intel-pclmul.lo: $(srcdir)/crc-intel-pclmul.c Makefile + `echo $(LTCOMPILE) -c $< | $(instrumentation_munging) ` diff --git a/cipher/cipher-gcm-intel-pclmul.c b/cipher/cipher-gcm-intel-pclmul.c index 8e109ba3c..28165c653 100644 --- a/cipher/cipher-gcm-intel-pclmul.c +++ b/cipher/cipher-gcm-intel-pclmul.c @@ -42,12 +42,19 @@ #endif +#define ALWAYS_INLINE inline __attribute__((always_inline)) +#define NO_INSTRUMENT_FUNCTION __attribute__((no_instrument_function)) + +#define ASM_FUNC_ATTR NO_INSTRUMENT_FUNCTION +#define ASM_FUNC_ATTR_INLINE ASM_FUNC_ATTR ALWAYS_INLINE + + /* Intel PCLMUL ghash based on white paper: "Intel? Carry-Less Multiplication Instruction and its Usage for Computing the GCM Mode - Rev 2.01"; Shay Gueron, Michael E. Kounavis. */ -static inline void reduction(void) +static ASM_FUNC_ATTR_INLINE void reduction(void) { /* input: */ @@ -76,7 +83,7 @@ static inline void reduction(void) ::: "memory" ); } -static inline void gfmul_pclmul(void) +static ASM_FUNC_ATTR_INLINE void gfmul_pclmul(void) { /* Input: XMM0 and XMM1, Output: XMM1. Input XMM0 stays unmodified. Input must be converted to little-endian. @@ -107,9 +114,9 @@ static inline void gfmul_pclmul(void) reduction(); } -static inline void gfmul_pclmul_aggr4(const void *buf, const void *h_1, - const void *h_table, - const unsigned char *be_mask) +static ASM_FUNC_ATTR_INLINE void +gfmul_pclmul_aggr4(const void *buf, const void *h_1, const void *h_table, + const unsigned char *be_mask) { /* Input: Hash: XMM1 @@ -208,7 +215,8 @@ static inline void gfmul_pclmul_aggr4(const void *buf, const void *h_1, } #ifdef __x86_64__ -static inline void gfmul_pclmul_aggr8(const void *buf, const void *h_table) +static ASM_FUNC_ATTR_INLINE void +gfmul_pclmul_aggr8(const void *buf, const void *h_table) { /* Input: H?: XMM0 @@ -372,7 +380,7 @@ static inline void gfmul_pclmul_aggr8(const void *buf, const void *h_table) } #endif -static inline void gcm_lsh(void *h, unsigned int hoffs) +static ASM_FUNC_ATTR_INLINE void gcm_lsh(void *h, unsigned int hoffs) { static const u64 pconst[2] __attribute__ ((aligned (16))) = { U64_C(0x0000000000000001), U64_C(0xc200000000000000) }; @@ -394,7 +402,7 @@ static inline void gcm_lsh(void *h, unsigned int hoffs) : "memory" ); } -void +void ASM_FUNC_ATTR _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c) { static const unsigned char be_mask[16] __attribute__ ((aligned (16))) = @@ -548,7 +556,7 @@ _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c) } -unsigned int +unsigned int ASM_FUNC_ATTR _gcry_ghash_intel_pclmul (gcry_cipher_hd_t c, byte *result, const byte *buf, size_t nblocks) { diff --git a/cipher/crc-intel-pclmul.c b/cipher/crc-intel-pclmul.c index 482b260bf..8c8b1915a 100644 --- a/cipher/crc-intel-pclmul.c +++ b/cipher/crc-intel-pclmul.c @@ -44,6 +44,13 @@ #endif +#define ALWAYS_INLINE inline __attribute__((always_inline)) +#define NO_INSTRUMENT_FUNCTION __attribute__((no_instrument_function)) + +#define ASM_FUNC_ATTR NO_INSTRUMENT_FUNCTION +#define ASM_FUNC_ATTR_INLINE ASM_FUNC_ATTR ALWAYS_INLINE + + #define ALIGNED_16 __attribute__ ((aligned (16))) @@ -135,7 +142,7 @@ static const u64 crc32_merge5to7_shuf[7 - 5 + 1][2] ALIGNED_16 = }; /* PCLMUL functions for reflected CRC32. */ -static inline void +static ASM_FUNC_ATTR_INLINE void crc32_reflected_bulk (u32 *pcrc, const byte *inbuf, size_t inlen, const struct crc32_consts_s *consts) { @@ -331,7 +338,7 @@ crc32_reflected_bulk (u32 *pcrc, const byte *inbuf, size_t inlen, ); } -static inline void +static ASM_FUNC_ATTR_INLINE void crc32_reflected_less_than_16 (u32 *pcrc, const byte *inbuf, size_t inlen, const struct crc32_consts_s *consts) { @@ -480,7 +487,7 @@ crc32_reflected_less_than_16 (u32 *pcrc, const byte *inbuf, size_t inlen, } /* PCLMUL functions for non-reflected CRC32. */ -static inline void +static ASM_FUNC_ATTR_INLINE void crc32_bulk (u32 *pcrc, const byte *inbuf, size_t inlen, const struct crc32_consts_s *consts) { @@ -695,7 +702,7 @@ crc32_bulk (u32 *pcrc, const byte *inbuf, size_t inlen, : "eax" ); } -static inline void +static ASM_FUNC_ATTR_INLINE void crc32_less_than_16 (u32 *pcrc, const byte *inbuf, size_t inlen, const struct crc32_consts_s *consts) { @@ -857,7 +864,7 @@ crc32_less_than_16 (u32 *pcrc, const byte *inbuf, size_t inlen, } } -void +void ASM_FUNC_ATTR _gcry_crc32_intel_pclmul (u32 *pcrc, const byte *inbuf, size_t inlen) { const struct crc32_consts_s *consts = &crc32_consts; @@ -890,7 +897,7 @@ _gcry_crc32_intel_pclmul (u32 *pcrc, const byte *inbuf, size_t inlen) #endif } -void +void ASM_FUNC_ATTR _gcry_crc24rfc2440_intel_pclmul (u32 *pcrc, const byte *inbuf, size_t inlen) { const struct crc32_consts_s *consts = &crc24rfc2440_consts; diff --git a/cipher/rijndael-aesni.c b/cipher/rijndael-aesni.c index a2a62abd8..b26449a77 100644 --- a/cipher/rijndael-aesni.c +++ b/cipher/rijndael-aesni.c @@ -46,6 +46,11 @@ #define ALWAYS_INLINE inline __attribute__((always_inline)) #define NO_INLINE __attribute__((noinline)) +#define NO_INSTRUMENT_FUNCTION __attribute__((no_instrument_function)) + +#define ASM_FUNC_ATTR NO_INSTRUMENT_FUNCTION +#define ASM_FUNC_ATTR_INLINE ASM_FUNC_ATTR ALWAYS_INLINE +#define ASM_FUNC_ATTR_NOINLINE ASM_FUNC_ATTR NO_INLINE typedef struct u128_s @@ -56,7 +61,7 @@ typedef struct u128_s /* Copy of ocb_get_l needed here as GCC is unable to inline ocb_get_l because of 'pragma target'. */ -static ALWAYS_INLINE const unsigned char * +static ASM_FUNC_ATTR_INLINE const unsigned char * aes_ocb_get_l (gcry_cipher_hd_t c, u64 n) { unsigned long ntz; @@ -161,7 +166,7 @@ aes_ocb_get_l (gcry_cipher_hd_t c, u64 n) # endif #endif -void +void ASM_FUNC_ATTR _gcry_aes_aesni_do_setkey (RIJNDAEL_context *ctx, const byte *key) { aesni_prepare_2_7_variable; @@ -395,7 +400,7 @@ _gcry_aes_aesni_do_setkey (RIJNDAEL_context *ctx, const byte *key) /* Make a decryption key from an encryption key. */ -static ALWAYS_INLINE void +static ASM_FUNC_ATTR_INLINE void do_aesni_prepare_decryption (RIJNDAEL_context *ctx) { /* The AES-NI decrypt instructions use the Equivalent Inverse @@ -443,7 +448,7 @@ do_aesni_prepare_decryption (RIJNDAEL_context *ctx) #undef DO_AESNI_AESIMC } -void +void ASM_FUNC_ATTR _gcry_aes_aesni_prepare_decryption (RIJNDAEL_context *ctx) { aesni_prepare(); @@ -454,7 +459,7 @@ _gcry_aes_aesni_prepare_decryption (RIJNDAEL_context *ctx) /* Encrypt one block using the Intel AES-NI instructions. Block is input * and output through SSE register xmm0. */ -static ALWAYS_INLINE void +static ASM_FUNC_ATTR_INLINE void do_aesni_enc (const RIJNDAEL_context *ctx) { #define aesenc_xmm1_xmm0 ".byte 0x66, 0x0f, 0x38, 0xdc, 0xc1\n\t" @@ -507,7 +512,7 @@ do_aesni_enc (const RIJNDAEL_context *ctx) /* Decrypt one block using the Intel AES-NI instructions. Block is input * and output through SSE register xmm0. */ -static ALWAYS_INLINE void +static ASM_FUNC_ATTR_INLINE void do_aesni_dec (const RIJNDAEL_context *ctx) { #define aesdec_xmm1_xmm0 ".byte 0x66, 0x0f, 0x38, 0xde, 0xc1\n\t" @@ -560,7 +565,7 @@ do_aesni_dec (const RIJNDAEL_context *ctx) /* Encrypt four blocks using the Intel AES-NI instructions. Blocks are input * and output through SSE registers xmm1 to xmm4. */ -static ALWAYS_INLINE void +static ASM_FUNC_ATTR_INLINE void do_aesni_enc_vec4 (const RIJNDAEL_context *ctx) { #define aesenc_xmm0_xmm1 ".byte 0x66, 0x0f, 0x38, 0xdc, 0xc8\n\t" @@ -669,7 +674,7 @@ do_aesni_enc_vec4 (const RIJNDAEL_context *ctx) /* Decrypt four blocks using the Intel AES-NI instructions. Blocks are input * and output through SSE registers xmm1 to xmm4. */ -static ALWAYS_INLINE void +static ASM_FUNC_ATTR_INLINE void do_aesni_dec_vec4 (const RIJNDAEL_context *ctx) { #define aesdec_xmm0_xmm1 ".byte 0x66, 0x0f, 0x38, 0xde, 0xc8\n\t" @@ -780,7 +785,7 @@ do_aesni_dec_vec4 (const RIJNDAEL_context *ctx) /* Encrypt eight blocks using the Intel AES-NI instructions. Blocks are input * and output through SSE registers xmm1 to xmm4 and xmm8 to xmm11. */ -static ALWAYS_INLINE void +static ASM_FUNC_ATTR_INLINE void do_aesni_enc_vec8 (const RIJNDAEL_context *ctx) { asm volatile ("movdqa (%[key]), %%xmm0\n\t" @@ -932,7 +937,7 @@ do_aesni_enc_vec8 (const RIJNDAEL_context *ctx) /* Decrypt eight blocks using the Intel AES-NI instructions. Blocks are input * and output through SSE registers xmm1 to xmm4 and xmm8 to xmm11. */ -static ALWAYS_INLINE void +static ASM_FUNC_ATTR_INLINE void do_aesni_dec_vec8 (const RIJNDAEL_context *ctx) { asm volatile ("movdqa (%[key]), %%xmm0\n\t" @@ -1087,7 +1092,7 @@ do_aesni_dec_vec8 (const RIJNDAEL_context *ctx) /* Perform a CTR encryption round using the counter CTR and the input block A. Write the result to the output block B and update CTR. CTR needs to be a 16 byte aligned little-endian value. */ -static void +static ASM_FUNC_ATTR_INLINE void do_aesni_ctr (const RIJNDAEL_context *ctx, unsigned char *ctr, unsigned char *b, const unsigned char *a) { @@ -1166,7 +1171,7 @@ do_aesni_ctr (const RIJNDAEL_context *ctx, /* Four blocks at a time variant of do_aesni_ctr. */ -static void +static ASM_FUNC_ATTR_INLINE void do_aesni_ctr_4 (const RIJNDAEL_context *ctx, unsigned char *ctr, unsigned char *b, const unsigned char *a) { @@ -1386,7 +1391,7 @@ do_aesni_ctr_4 (const RIJNDAEL_context *ctx, #ifdef __x86_64__ /* Eight blocks at a time variant of do_aesni_ctr. */ -static void +static ASM_FUNC_ATTR_INLINE void do_aesni_ctr_8 (const RIJNDAEL_context *ctx, unsigned char *ctr, unsigned char *b, const unsigned char *a) { @@ -1704,7 +1709,7 @@ do_aesni_ctr_8 (const RIJNDAEL_context *ctx, #endif /* __x86_64__ */ -unsigned int +unsigned int ASM_FUNC_ATTR _gcry_aes_aesni_encrypt (const RIJNDAEL_context *ctx, unsigned char *dst, const unsigned char *src) { @@ -1723,7 +1728,7 @@ _gcry_aes_aesni_encrypt (const RIJNDAEL_context *ctx, unsigned char *dst, } -void +void ASM_FUNC_ATTR _gcry_aes_aesni_cfb_enc (RIJNDAEL_context *ctx, unsigned char *iv, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -1759,7 +1764,7 @@ _gcry_aes_aesni_cfb_enc (RIJNDAEL_context *ctx, unsigned char *iv, } -void +void ASM_FUNC_ATTR _gcry_aes_aesni_cbc_enc (RIJNDAEL_context *ctx, unsigned char *iv, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks, int cbc_mac) @@ -1805,7 +1810,7 @@ _gcry_aes_aesni_cbc_enc (RIJNDAEL_context *ctx, unsigned char *iv, } -void +void ASM_FUNC_ATTR _gcry_aes_aesni_ctr_enc (RIJNDAEL_context *ctx, unsigned char *ctr, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -1859,7 +1864,7 @@ _gcry_aes_aesni_ctr_enc (RIJNDAEL_context *ctx, unsigned char *ctr, } -unsigned int +unsigned int ASM_FUNC_ATTR _gcry_aes_aesni_decrypt (const RIJNDAEL_context *ctx, unsigned char *dst, const unsigned char *src) { @@ -1878,7 +1883,7 @@ _gcry_aes_aesni_decrypt (const RIJNDAEL_context *ctx, unsigned char *dst, } -void +void ASM_FUNC_ATTR _gcry_aes_aesni_cfb_dec (RIJNDAEL_context *ctx, unsigned char *iv, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -2033,7 +2038,7 @@ _gcry_aes_aesni_cfb_dec (RIJNDAEL_context *ctx, unsigned char *iv, } -void +void ASM_FUNC_ATTR _gcry_aes_aesni_cbc_dec (RIJNDAEL_context *ctx, unsigned char *iv, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -2198,7 +2203,7 @@ _gcry_aes_aesni_cbc_dec (RIJNDAEL_context *ctx, unsigned char *iv, } -static ALWAYS_INLINE void +static ASM_FUNC_ATTR_INLINE void aesni_ocb_checksum (gcry_cipher_hd_t c, const unsigned char *plaintext, size_t nblocks) { @@ -2362,7 +2367,7 @@ aesni_ocb_checksum (gcry_cipher_hd_t c, const unsigned char *plaintext, } -static unsigned int NO_INLINE +static unsigned int ASM_FUNC_ATTR_NOINLINE aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks) { @@ -2849,7 +2854,7 @@ aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, } -static unsigned int NO_INLINE +static unsigned int ASM_FUNC_ATTR_NOINLINE aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks_arg) { @@ -3324,7 +3329,7 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, } -size_t +size_t ASM_FUNC_ATTR _gcry_aes_aesni_ocb_crypt(gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks, int encrypt) { @@ -3335,7 +3340,7 @@ _gcry_aes_aesni_ocb_crypt(gcry_cipher_hd_t c, void *outbuf_arg, } -size_t +size_t ASM_FUNC_ATTR _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, size_t nblocks) { @@ -3586,7 +3591,7 @@ static const u64 xts_gfmul_const[16] __attribute__ ((aligned (16))) = { 0x87, 0x01 }; -static void +static void ASM_FUNC_ATTR _gcry_aes_aesni_xts_enc (RIJNDAEL_context *ctx, unsigned char *tweak, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -3724,7 +3729,7 @@ _gcry_aes_aesni_xts_enc (RIJNDAEL_context *ctx, unsigned char *tweak, } -static void +static void ASM_FUNC_ATTR _gcry_aes_aesni_xts_dec (RIJNDAEL_context *ctx, unsigned char *tweak, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -3868,7 +3873,7 @@ _gcry_aes_aesni_xts_dec (RIJNDAEL_context *ctx, unsigned char *tweak, } -void +void ASM_FUNC_ATTR _gcry_aes_aesni_xts_crypt (RIJNDAEL_context *ctx, unsigned char *tweak, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks, int encrypt) diff --git a/cipher/rijndael-ssse3-amd64.c b/cipher/rijndael-ssse3-amd64.c index 0c1ae6e6e..b07238531 100644 --- a/cipher/rijndael-ssse3-amd64.c +++ b/cipher/rijndael-ssse3-amd64.c @@ -60,9 +60,16 @@ #endif +#define ALWAYS_INLINE inline __attribute__((always_inline)) +#define NO_INSTRUMENT_FUNCTION __attribute__((no_instrument_function)) + +#define ASM_FUNC_ATTR NO_INSTRUMENT_FUNCTION +#define ASM_FUNC_ATTR_INLINE ASM_FUNC_ATTR ALWAYS_INLINE + + /* Copy of ocb_get_l needed here as GCC is unable to inline ocb_get_l because of 'pragma target'. */ -static inline const unsigned char * +static ASM_FUNC_ATTR_INLINE const unsigned char * aes_ocb_get_l (gcry_cipher_hd_t c, u64 n) { unsigned long ntz; @@ -156,7 +163,7 @@ extern void _gcry_aes_ssse3_decrypt_core(const void *key, u64 nrounds); _gcry_aes_ssse3_dec_preload(); -void +void ASM_FUNC_ATTR _gcry_aes_ssse3_do_setkey (RIJNDAEL_context *ctx, const byte *key) { unsigned int keybits = (ctx->rounds - 10) * 32 + 128; @@ -195,7 +202,7 @@ _gcry_aes_ssse3_do_setkey (RIJNDAEL_context *ctx, const byte *key) /* Make a decryption key from an encryption key. */ -static inline void +static ASM_FUNC_ATTR_INLINE void do_ssse3_prepare_decryption (RIJNDAEL_context *ctx, byte ssse3_state[SSSE3_STATE_SIZE]) { @@ -210,7 +217,7 @@ do_ssse3_prepare_decryption (RIJNDAEL_context *ctx, vpaes_ssse3_cleanup(); } -void +void ASM_FUNC_ATTR _gcry_aes_ssse3_prepare_decryption (RIJNDAEL_context *ctx) { byte ssse3_state[SSSE3_STATE_SIZE]; @@ -221,7 +228,7 @@ _gcry_aes_ssse3_prepare_decryption (RIJNDAEL_context *ctx) /* Encrypt one block using the Intel SSSE3 instructions. Block is input * and output through SSE register xmm0. */ -static inline void +static ASM_FUNC_ATTR_INLINE void do_vpaes_ssse3_enc (const RIJNDAEL_context *ctx, unsigned int nrounds) { _gcry_aes_ssse3_encrypt_core(ctx->keyschenc32, nrounds); @@ -230,14 +237,14 @@ do_vpaes_ssse3_enc (const RIJNDAEL_context *ctx, unsigned int nrounds) /* Decrypt one block using the Intel SSSE3 instructions. Block is input * and output through SSE register xmm0. */ -static inline void +static ASM_FUNC_ATTR_INLINE void do_vpaes_ssse3_dec (const RIJNDAEL_context *ctx, unsigned int nrounds) { _gcry_aes_ssse3_decrypt_core(ctx->keyschdec32, nrounds); } -unsigned int +unsigned int ASM_FUNC_ATTR _gcry_aes_ssse3_encrypt (const RIJNDAEL_context *ctx, unsigned char *dst, const unsigned char *src) { @@ -259,7 +266,7 @@ _gcry_aes_ssse3_encrypt (const RIJNDAEL_context *ctx, unsigned char *dst, } -void +void ASM_FUNC_ATTR _gcry_aes_ssse3_cfb_enc (RIJNDAEL_context *ctx, unsigned char *iv, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -298,7 +305,7 @@ _gcry_aes_ssse3_cfb_enc (RIJNDAEL_context *ctx, unsigned char *iv, } -void +void ASM_FUNC_ATTR _gcry_aes_ssse3_cbc_enc (RIJNDAEL_context *ctx, unsigned char *iv, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks, int cbc_mac) @@ -343,7 +350,7 @@ _gcry_aes_ssse3_cbc_enc (RIJNDAEL_context *ctx, unsigned char *iv, } -void +void ASM_FUNC_ATTR _gcry_aes_ssse3_ctr_enc (RIJNDAEL_context *ctx, unsigned char *ctr, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -410,7 +417,7 @@ _gcry_aes_ssse3_ctr_enc (RIJNDAEL_context *ctx, unsigned char *ctr, } -unsigned int +unsigned int ASM_FUNC_ATTR _gcry_aes_ssse3_decrypt (const RIJNDAEL_context *ctx, unsigned char *dst, const unsigned char *src) { @@ -432,7 +439,7 @@ _gcry_aes_ssse3_decrypt (const RIJNDAEL_context *ctx, unsigned char *dst, } -void +void ASM_FUNC_ATTR _gcry_aes_ssse3_cfb_dec (RIJNDAEL_context *ctx, unsigned char *iv, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -472,7 +479,7 @@ _gcry_aes_ssse3_cfb_dec (RIJNDAEL_context *ctx, unsigned char *iv, } -void +void ASM_FUNC_ATTR _gcry_aes_ssse3_cbc_dec (RIJNDAEL_context *ctx, unsigned char *iv, unsigned char *outbuf, const unsigned char *inbuf, size_t nblocks) @@ -523,7 +530,7 @@ _gcry_aes_ssse3_cbc_dec (RIJNDAEL_context *ctx, unsigned char *iv, } -static void +static void ASM_FUNC_ATTR ssse3_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks) { @@ -586,7 +593,7 @@ ssse3_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg, vpaes_ssse3_cleanup (); } -static void +static void ASM_FUNC_ATTR ssse3_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks) { @@ -656,7 +663,7 @@ ssse3_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg, } -size_t +size_t ASM_FUNC_ATTR _gcry_aes_ssse3_ocb_crypt(gcry_cipher_hd_t c, void *outbuf_arg, const void *inbuf_arg, size_t nblocks, int encrypt) { @@ -669,7 +676,7 @@ _gcry_aes_ssse3_ocb_crypt(gcry_cipher_hd_t c, void *outbuf_arg, } -size_t +size_t ASM_FUNC_ATTR _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, size_t nblocks) { diff --git a/cipher/sha1-intel-shaext.c b/cipher/sha1-intel-shaext.c index d7e3d4f8e..ddf2be2aa 100644 --- a/cipher/sha1-intel-shaext.c +++ b/cipher/sha1-intel-shaext.c @@ -33,6 +33,10 @@ # pragma clang attribute push (__attribute__((target("no-sse"))), apply_to = function) #endif +#define NO_INSTRUMENT_FUNCTION __attribute__((no_instrument_function)) + +#define ASM_FUNC_ATTR NO_INSTRUMENT_FUNCTION + /* Two macros to be called prior and after the use of SHA-EXT instructions. There should be no external function calls between the use of these macros. There purpose is to make sure that the @@ -89,7 +93,7 @@ /* * Transform nblks*64 bytes (nblks*16 32-bit words) at DATA. */ -unsigned int +unsigned int ASM_FUNC_ATTR _gcry_sha1_transform_intel_shaext(void *state, const unsigned char *data, size_t nblks) { diff --git a/cipher/sha256-intel-shaext.c b/cipher/sha256-intel-shaext.c index 2eda42d8d..48c09eefe 100644 --- a/cipher/sha256-intel-shaext.c +++ b/cipher/sha256-intel-shaext.c @@ -33,6 +33,10 @@ # pragma clang attribute push (__attribute__((target("no-sse"))), apply_to = function) #endif +#define NO_INSTRUMENT_FUNCTION __attribute__((no_instrument_function)) + +#define ASM_FUNC_ATTR NO_INSTRUMENT_FUNCTION + /* Two macros to be called prior and after the use of SHA-EXT instructions. There should be no external function calls between the use of these macros. There purpose is to make sure that the @@ -94,7 +98,7 @@ typedef struct u128_s /* * Transform nblks*64 bytes (nblks*16 32-bit words) at DATA. */ -unsigned int +unsigned int ASM_FUNC_ATTR _gcry_sha256_transform_intel_shaext(u32 state[8], const unsigned char *data, size_t nblks) { diff --git a/configure.ac b/configure.ac index c9cbdefc3..af68e61bb 100644 --- a/configure.ac +++ b/configure.ac @@ -691,6 +691,17 @@ AC_ARG_ENABLE([O-flag-munging], AC_MSG_RESULT($enable_o_flag_munging) AM_CONDITIONAL(ENABLE_O_FLAG_MUNGING, test "$enable_o_flag_munging" = "yes") +# Implementation of the --disable-instrumentation-munging switch. +AC_MSG_CHECKING([whether a instrumentation (-fprofile, -fsanitize) munging is requested]) +AC_ARG_ENABLE([instrumentation-munging], + AC_HELP_STRING([--disable-instrumentation-munging], + [Disable modification of the cc instrumentation options]), + [enable_instrumentation_munging=$enableval], + [enable_instrumentation_munging=yes]) +AC_MSG_RESULT($enable_instrumentation_munging) +AM_CONDITIONAL(ENABLE_INSTRUMENTATION_MUNGING, + test "$enable_instrumentation_munging" = "yes") + # Implementation of the --disable-amd64-as-feature-detection switch. AC_MSG_CHECKING([whether to enable AMD64 as(1) feature detection]) AC_ARG_ENABLE(amd64-as-feature-detection, From dkg at fifthhorseman.net Tue May 14 22:56:17 2019 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 14 May 2019 16:56:17 -0400 Subject: why is GPG_ERR_SEXP_ZERO_PREFIX an error for gcry_sexp_canon_len()? Message-ID: <87v9ycu55a.fsf@fifthhorseman.net> Over in https://dev.gnupg.org/T4501 i discovered that gcry_sexp_canon_len() can fail and report an error if the S-expression contains a zero-length string. In particular, it will fail with errcode returning GPG_ERR_SEXP_ZERO_PREFIX. Why is it an error to have a string of zero-length in an s-expression in canonical form? i tried to do some testing with higher-level S-expression tools, including dumpsexp (from gcrypt) and sexp-conv (from nettle). nettle doesn't seem to have a problem with it, and dumpsexp also doesn't have a problem with it in non-canonical form, but it reports an error in "canonical" form. Here is a simple test that shows the weirdness: ---------------------- 0 dkg at alice:~$ echo '(foo: (bar: ""))' > sexp 0 dkg at alice:~$ sexp-conv -s canonical < sexp | hd 00000000 28 34 3a 66 6f 6f 3a 28 34 3a 62 61 72 3a 30 3a |(4:foo:(4:bar:0:| 00000010 29 29 |))| 00000012 0 dkg at alice:~$ dumpsexp < sexp foo:bar:00000000 28 66 6f 6f 3a 20 28 62 61 72 3a 20 22 22 29 29 |(foo: (bar: ""))| 00000010 0a |.| 0 dkg at alice:~$ sexp-conv -s canonical < sexp | dumpsexp 00000000 28 34 3a 66 6f 6f 3a 28 34 3a 62 61 72 3a 30 |(4:foo:(4:bar:0| ^ ^ Error: zero prefixed length 0000000f 3a | :| ^ ^ Error: no data length 00000010 | | 00000010 29 29 |))| 0 dkg at alice:~$ ---------------------- Can someone who understands S-Expressions better than me point me to documentation that will help me understand why gcry_sexp_canon_len() should treat this as an error? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Wed May 15 08:27:22 2019 From: wk at gnupg.org (Werner Koch) Date: Wed, 15 May 2019 08:27:22 +0200 Subject: why is GPG_ERR_SEXP_ZERO_PREFIX an error for gcry_sexp_canon_len()? In-Reply-To: <87v9ycu55a.fsf@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 14 May 2019 16:56:17 -0400") References: <87v9ycu55a.fsf@fifthhorseman.net> Message-ID: <87v9ycs051.fsf@wheatstone.g10code.de> On Tue, 14 May 2019 16:56, dkg at fifthhorseman.net said: > Can someone who understands S-Expressions better than me point me to > documentation that will help me understand why gcry_sexp_canon_len() > should treat this as an error? From the specs: http://theory.lcs.mit.edu/~rivest/sexp.html | 10. Utilization of S-expressions | | This note has described S-expressions in general form. Application writers | may wish to restrict their use of S-expressions in various ways. Here are | some possible restrictions that might be considered: | | -- no display-hints | -- no lengths on hexadecimal, quoted-strings, or base-64 encodings | -- no empty lists | -- no empty octet-strings Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From jussi.kivilinna at iki.fi Wed May 15 19:45:17 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Wed, 15 May 2019 20:45:17 +0300 Subject: [PATCH] md: fix UBSAN warning Message-ID: <155794231762.26732.18141573731593705446.stgit@localhost.localdomain> * cipher/md.c (gcry_md_list): Define 'context' as array of PROPERLY_ALIGNED_TYPE. (md_enable, _gcry_md_reset, _gcry_md_close, md_final, md_set_key) (prepare_macpads, md_read, md_extract): Access md context through 'gcry_md_list->context' pointer instead of 'gcry_md_list->context.c'. -- This commit fixes error output seen with undefined behavior sanitizer: md.c:980:28: runtime error: index 184 out of bounds for type 'char [1]' md.c:991:28: runtime error: index 368 out of bounds for type 'char [1]' md.c:713:44: runtime error: index 184 out of bounds for type 'char [1]' md.c:830:42: runtime error: index 368 out of bounds for type 'char [1]' Issue was reported in dev.gnupg.org task T3247 and Cryptofuzz. GnuPG-bug-id: 3247 Signed-off-by: Jussi Kivilinna --- 0 files changed diff --git a/cipher/md.c b/cipher/md.c index 6ca390ff6..efb7376a1 100644 --- a/cipher/md.c +++ b/cipher/md.c @@ -253,7 +253,7 @@ typedef struct gcry_md_list gcry_md_spec_t *spec; struct gcry_md_list *next; size_t actual_struct_size; /* Allocated size of this structure. */ - PROPERLY_ALIGNED_TYPE context; + PROPERLY_ALIGNED_TYPE context[1]; } GcryDigestEntry; /* This structure is put right after the gcry_md_hd_t buffer, so that @@ -601,7 +601,7 @@ md_enable (gcry_md_hd_t hd, int algorithm) h->list = entry; /* And init this instance. */ - entry->spec->init (&entry->context.c, + entry->spec->init (entry->context, h->flags.bugemu1? GCRY_MD_FLAG_BUGEMU1:0); } } @@ -710,14 +710,14 @@ _gcry_md_reset (gcry_md_hd_t a) if (a->ctx->flags.hmac) for (r = a->ctx->list; r; r = r->next) { - memcpy (r->context.c, r->context.c + r->spec->contextsize, + memcpy (r->context, (char *)r->context + r->spec->contextsize, r->spec->contextsize); } else for (r = a->ctx->list; r; r = r->next) { - memset (r->context.c, 0, r->spec->contextsize); - (*r->spec->init) (&r->context.c, + memset (r->context, 0, r->spec->contextsize); + (*r->spec->init) (r->context, a->ctx->flags.bugemu1? GCRY_MD_FLAG_BUGEMU1:0); } } @@ -768,8 +768,8 @@ md_write (gcry_md_hd_t a, const void *inbuf, size_t inlen) for (r = a->ctx->list; r; r = r->next) { if (a->bufpos) - (*r->spec->write) (&r->context.c, a->buf, a->bufpos); - (*r->spec->write) (&r->context.c, inbuf, inlen); + (*r->spec->write) (r->context, a->buf, a->bufpos); + (*r->spec->write) (r->context, inbuf, inlen); } a->bufpos = 0; } @@ -797,7 +797,7 @@ md_final (gcry_md_hd_t a) md_write (a, NULL, 0); for (r = a->ctx->list; r; r = r->next) - (*r->spec->final) (&r->context.c); + (*r->spec->final) (r->context); a->ctx->flags.finalized = 1; @@ -814,7 +814,7 @@ md_final (gcry_md_hd_t a) if (r->spec->read == NULL) continue; - p = r->spec->read (&r->context.c); + p = r->spec->read (r->context); if (a->ctx->flags.secure) hash = xtrymalloc_secure (dlen); @@ -827,10 +827,10 @@ md_final (gcry_md_hd_t a) } memcpy (hash, p, dlen); - memcpy (r->context.c, r->context.c + r->spec->contextsize * 2, + memcpy (r->context, (char *)r->context + r->spec->contextsize * 2, r->spec->contextsize); - (*r->spec->write) (&r->context.c, hash, dlen); - (*r->spec->final) (&r->context.c); + (*r->spec->write) (r->context, hash, dlen); + (*r->spec->final) (r->context); xfree (hash); } } @@ -864,8 +864,8 @@ md_setkey (gcry_md_hd_t h, const unsigned char *key, size_t keylen) case GCRY_MD_BLAKE2S_160: case GCRY_MD_BLAKE2S_128: algo_had_setkey = 1; - memset (r->context.c, 0, r->spec->contextsize); - rc = _gcry_blake2_init_with_key (r->context.c, + memset (r->context, 0, r->spec->contextsize); + rc = _gcry_blake2_init_with_key (r->context, h->ctx->flags.bugemu1 ? GCRY_MD_FLAG_BUGEMU1:0, key, keylen, r->spec->algo); @@ -969,26 +969,26 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) k_len = keylen; } - (*r->spec->init) (&r->context.c, + (*r->spec->init) (r->context, a->ctx->flags.bugemu1? GCRY_MD_FLAG_BUGEMU1:0); a->bufpos = 0; for (i=0; i < k_len; i++ ) _gcry_md_putc (a, k[i] ^ 0x36); for (; i < macpad_Bsize; i++ ) _gcry_md_putc (a, 0x36); - (*r->spec->write) (&r->context.c, a->buf, a->bufpos); - memcpy (r->context.c + r->spec->contextsize, r->context.c, + (*r->spec->write) (r->context, a->buf, a->bufpos); + memcpy ((char *)r->context + r->spec->contextsize, r->context, r->spec->contextsize); - (*r->spec->init) (&r->context.c, + (*r->spec->init) (r->context, a->ctx->flags.bugemu1? GCRY_MD_FLAG_BUGEMU1:0); a->bufpos = 0; for (i=0; i < k_len; i++ ) _gcry_md_putc (a, k[i] ^ 0x5c); for (; i < macpad_Bsize; i++ ) _gcry_md_putc (a, 0x5c); - (*r->spec->write) (&r->context.c, a->buf, a->bufpos); - memcpy (r->context.c + r->spec->contextsize*2, r->context.c, + (*r->spec->write) (r->context, a->buf, a->bufpos); + memcpy ((char *)r->context + r->spec->contextsize*2, r->context, r->spec->contextsize); xfree (key_allocated); @@ -1074,7 +1074,7 @@ md_read( gcry_md_hd_t a, int algo ) if (r->next) log_debug ("more than one algorithm in md_read(0)\n"); if (r->spec->read) - return r->spec->read (&r->context.c); + return r->spec->read (r->context); } } else @@ -1083,7 +1083,7 @@ md_read( gcry_md_hd_t a, int algo ) if (r->spec->algo == algo) { if (r->spec->read) - return r->spec->read (&r->context.c); + return r->spec->read (r->context); break; } } @@ -1128,7 +1128,7 @@ md_extract(gcry_md_hd_t a, int algo, void *out, size_t outlen) { if (r->next) log_debug ("more than one algorithm in md_extract(0)\n"); - r->spec->extract (&r->context.c, out, outlen); + r->spec->extract (r->context, out, outlen); return 0; } } @@ -1137,7 +1137,7 @@ md_extract(gcry_md_hd_t a, int algo, void *out, size_t outlen) for (r = a->ctx->list; r; r = r->next) if (r->spec->algo == algo && r->spec->extract) { - r->spec->extract (&r->context.c, out, outlen); + r->spec->extract (r->context, out, outlen); return 0; } } From dkg at fifthhorseman.net Fri May 17 07:59:15 2019 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 17 May 2019 01:59:15 -0400 Subject: why is GPG_ERR_SEXP_ZERO_PREFIX an error for gcry_sexp_canon_len()? In-Reply-To: <87v9ycs051.fsf@wheatstone.g10code.de> References: <87v9ycu55a.fsf@fifthhorseman.net> <87v9ycs051.fsf@wheatstone.g10code.de> Message-ID: <87bm01tydo.fsf@fifthhorseman.net> Thanks for the response Werner-- On Wed 2019-05-15 08:27:22 +0200, Werner Koch wrote: > On Tue, 14 May 2019 16:56, dkg at fifthhorseman.net said: > >> Can someone who understands S-Expressions better than me point me to >> documentation that will help me understand why gcry_sexp_canon_len() >> should treat this as an error? > > From the specs: http://theory.lcs.mit.edu/~rivest/sexp.html > > | 10. Utilization of S-expressions > | > | This note has described S-expressions in general form. Application writers > | may wish to restrict their use of S-expressions in various ways. Here are > | some possible restrictions that might be considered: > | > | -- no display-hints > | -- no lengths on hexadecimal, quoted-strings, or base-64 encodings > | -- no empty lists > | -- no empty octet-strings Hm, i don't see this text on that webpage at all. Can you tell me where you're getting it from? Wherever it came from, this doesn't read like an actual justification to me, though: there is no explanation of why that might be a good or useful restriction, or what contexts it might be appropriate to do so or not. It's just a statement (presumably from an authority) that says it's ok to constrain in some contexts. But the choice gcrypt makes is also inconsistent with this list -- why say "no empty octet-strings" but not "no empty lists", for example? 0 dkg at alice:~$ printf '()' | dumpsexp 00000000 28 29 |()| 0 dkg at alice:~$ Moreover, on: https://people.csail.mit.edu/rivest/Sexp.txt it says: >>> 4. Octet string representations >>> >>> This section describes in detail the ways in which an octet-string may >>> be represented. >>> >>> We recall that an octet-string is any finite sequence of octets, and >>> that the octet-string may have length zero. So i still don't understand the rationale, and would appreciate a clearer justification. what is the benefit here? what risks would we see if gcry_sexp_canon_len() *didn't* treat that as an error? What are the implications for interoperability with other tools that use S-expressions that may or may not have chosen the same representations? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From jussi.kivilinna at iki.fi Sat May 18 05:46:01 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Sat, 18 May 2019 06:46:01 +0300 Subject: GOST-R-34.11-94 output difference between LibreSSL and libgcrypt In-Reply-To: References: Message-ID: Hello, On 17.5.2019 19.00, Guido Vranken wrote: > OSS-Fuzz recently found a new bug. Cryptofuzz always abort()s at the same place if it detects mismatching results, and this confuses OSS-Fuzz, thinking that multiple distinct bugs are the same bug. This is why nobody got an e-mail about it. > > But about the bug: > > https://oss-fuzz.com/testcase-detail/5651343798173696 > > > ??? Operation: > ??? operation name: Digest > ??? digest: GOST-R-34.11-94 > ??? cleartext: {} > ??? > ??? Module OpenSSL result: > ??? > ??? {0x98, 0x1e, 0x5f, 0x3c, 0xa3, 0x0c, 0x84, 0x14, 0x87, 0x83, 0x0f, 0x84, 0xfb, 0x43, 0x3e, 0x13, > ??? ?0xac, 0x11, 0x01, 0x56, 0x9b, 0x9c, 0x13, 0x58, 0x4a, 0xc4, 0x83, 0x23, 0x4c, 0xd6, 0x56, 0xc0} (32 bytes) > ??? > ??? Module libgcrypt result: > ??? > ??? {0xce, 0x85, 0xb9, 0x9c, 0xc4, 0x67, 0x52, 0xff, 0xfe, 0xe3, 0x5c, 0xab, 0x9a, 0x7b, 0x02, 0x78, > ??? ?0xab, 0xb4, 0xc2, 0xd2, 0x05, 0x5c, 0xff, 0x68, 0x5a, 0xf4, 0x91, 0x2c, 0x49, 0x49, 0x0f, 0x8d} (32 bytes) > > > In LibreSSL I use EVP_gostr341194(), and in libgcrypt I use GCRY_MD_GOSTR3411_94. > Libgcrypt digest GCRY_MD_GOSTR3411_CP gives same output as EVP_gostr341194(). Output from gchash: $ tests/gchash GOSTR3411_CP /dev/null 981e5f3ca30c841487830f84fb433e13ac1101569b9c13584ac483234cd656c0 /dev/null CP in the digest name means CryptoPro parameters and appears those parameters are used by EVP_gostr341194(). -Jussi From guidovranken at gmail.com Sat May 18 20:18:45 2019 From: guidovranken at gmail.com (Guido Vranken) Date: Sat, 18 May 2019 20:18:45 +0200 Subject: GOST-R-34.11-94 output difference between LibreSSL and libgcrypt In-Reply-To: References:

Message-ID: Ah, thanks! Sorry for the false positive everyone. On Sat, May 18, 2019 at 5:46 AM Jussi Kivilinna wrote: > Hello, > > On 17.5.2019 19.00, Guido Vranken wrote: > > OSS-Fuzz recently found a new bug. Cryptofuzz always abort()s at the > same place if it detects mismatching results, and this confuses OSS-Fuzz, > thinking that multiple distinct bugs are the same bug. This is why nobody > got an e-mail about it. > > > > But about the bug: > > > > https://oss-fuzz.com/testcase-detail/5651343798173696 > > > > > > Operation: > > operation name: Digest > > digest: GOST-R-34.11-94 > > cleartext: {} > > > > Module OpenSSL result: > > > > {0x98, 0x1e, 0x5f, 0x3c, 0xa3, 0x0c, 0x84, 0x14, 0x87, 0x83, 0x0f, > 0x84, 0xfb, 0x43, 0x3e, 0x13, > > 0xac, 0x11, 0x01, 0x56, 0x9b, 0x9c, 0x13, 0x58, 0x4a, 0xc4, 0x83, > 0x23, 0x4c, 0xd6, 0x56, 0xc0} (32 bytes) > > > > Module libgcrypt result: > > > > {0xce, 0x85, 0xb9, 0x9c, 0xc4, 0x67, 0x52, 0xff, 0xfe, 0xe3, 0x5c, > 0xab, 0x9a, 0x7b, 0x02, 0x78, > > 0xab, 0xb4, 0xc2, 0xd2, 0x05, 0x5c, 0xff, 0x68, 0x5a, 0xf4, 0x91, > 0x2c, 0x49, 0x49, 0x0f, 0x8d} (32 bytes) > > > > > > In LibreSSL I use EVP_gostr341194(), and in libgcrypt I use > GCRY_MD_GOSTR3411_94. > > > > Libgcrypt digest GCRY_MD_GOSTR3411_CP gives same output as > EVP_gostr341194(). Output from gchash: > > $ tests/gchash GOSTR3411_CP /dev/null > 981e5f3ca30c841487830f84fb433e13ac1101569b9c13584ac483234cd656c0 > /dev/null > > CP in the digest name means CryptoPro parameters and appears those > parameters are used by EVP_gostr341194(). > > -Jussi > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jussi.kivilinna at iki.fi Sun May 19 13:38:49 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Sun, 19 May 2019 14:38:49 +0300 Subject: [PATCH] cipher/Makefile.am: add '-fcoverage-*' to instrumentation munging Message-ID: <155826592919.12293.17650985431175228066.stgit@localhost.localdomain> * cipher/Makefile.am: Remove '-fcoverage-*' flag for mixed asm/C i386+amd64 implementations. -- Combination '-fprofile-instr-generate -fcoverage-mapping' was causing build error as former was removed by munging and latter requires thay. Signed-off-by: Jussi Kivilinna --- 0 files changed diff --git a/cipher/Makefile.am b/cipher/Makefile.am index 19420bf4e..690d9d98b 100644 --- a/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -155,7 +155,8 @@ tiger.lo: $(srcdir)/tiger.c Makefile if ENABLE_INSTRUMENTATION_MUNGING instrumentation_munging = sed \ -e 's/-fsanitize[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' \ - -e 's/-fprofile[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' + -e 's/-fprofile[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' \ + -e 's/-fcoverage[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' else instrumentation_munging = cat endif From guidovranken at gmail.com Sun May 19 13:50:12 2019 From: guidovranken at gmail.com (Guido Vranken) Date: Sun, 19 May 2019 13:50:12 +0200 Subject: [PATCH] cipher/Makefile.am: add '-fcoverage-*' to instrumentation munging In-Reply-To: <155826592919.12293.17650985431175228066.stgit@localhost.localdomain> References: <155826592919.12293.17650985431175228066.stgit@localhost.localdomain> Message-ID: I was working on resolving it by adding --disable-instrumentation-munging to the configure command. Is this patch a better way? On Sun, May 19, 2019 at 1:39 PM Jussi Kivilinna wrote: > * cipher/Makefile.am: Remove '-fcoverage-*' flag for mixed asm/C > i386+amd64 implementations. > -- > > Combination '-fprofile-instr-generate -fcoverage-mapping' was causing > build error as former was removed by munging and latter requires thay. > > Signed-off-by: Jussi Kivilinna > --- > 0 files changed > > diff --git a/cipher/Makefile.am b/cipher/Makefile.am > index 19420bf4e..690d9d98b 100644 > --- a/cipher/Makefile.am > +++ b/cipher/Makefile.am > @@ -155,7 +155,8 @@ tiger.lo: $(srcdir)/tiger.c Makefile > if ENABLE_INSTRUMENTATION_MUNGING > instrumentation_munging = sed \ > -e 's/-fsanitize[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' \ > - -e 's/-fprofile[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' > + -e 's/-fprofile[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' \ > + -e 's/-fcoverage[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' > else > instrumentation_munging = cat > endif > > > _______________________________________________ > Gcrypt-devel mailing list > Gcrypt-devel at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gcrypt-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jussi.kivilinna at iki.fi Sun May 19 16:01:18 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Sun, 19 May 2019 17:01:18 +0300 Subject: [PATCH] cipher/Makefile.am: add '-fcoverage-*' to instrumentation munging In-Reply-To: References: <155826592919.12293.17650985431175228066.stgit@localhost.localdomain> Message-ID: <7296e0cd-90fc-e5f5-2f36-69df90d24ede@iki.fi> Hello, On 19.5.2019 14.50, Guido Vranken wrote: > I was working on resolving it by adding --disable-instrumentation-munging to the configure command. Is this patch a better way? > Probably. If you use --disable-instrumentation-munging you need to make sure some other way that following files are compiled without instrumentation so that compiler does not inject function calls that may modify XMM registers: - cipher/cipher-gcm-intel-pclmul.c - cipher/crc-intel-pclmul.c - cipher/rijndael-aesni.c - cipher/rijndael-ssse3-amd64.c - cipher/sha1-intel-shaext.c - cipher/sha256-intel-shaext.c Otherwise there is not guarantees that these implementations give correct results. -Jussi > On Sun, May 19, 2019 at 1:39 PM Jussi Kivilinna > wrote: > > * cipher/Makefile.am: Remove '-fcoverage-*' flag for mixed asm/C > i386+amd64 implementations. > -- > > Combination '-fprofile-instr-generate -fcoverage-mapping' was causing > build error as former was removed by munging and latter requires thay. > > Signed-off-by: Jussi Kivilinna > > --- > ?0 files changed > > diff --git a/cipher/Makefile.am b/cipher/Makefile.am > index 19420bf4e..690d9d98b 100644 > --- a/cipher/Makefile.am > +++ b/cipher/Makefile.am > @@ -155,7 +155,8 @@ tiger.lo: $(srcdir)/tiger.c Makefile > ?if ENABLE_INSTRUMENTATION_MUNGING > ?instrumentation_munging = sed \ > ? ? ? ? -e 's/-fsanitize[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' \ > -? ? ? ?-e 's/-fprofile[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' > +? ? ? ?-e 's/-fprofile[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' \ > +? ? ? ?-e 's/-fcoverage[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' > ?else > ?instrumentation_munging = cat > ?endif > > From wk at gnupg.org Tue May 21 10:32:21 2019 From: wk at gnupg.org (Werner Koch) Date: Tue, 21 May 2019 10:32:21 +0200 Subject: why is GPG_ERR_SEXP_ZERO_PREFIX an error for gcry_sexp_canon_len()? In-Reply-To: <87bm01tydo.fsf@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Fri, 17 May 2019 01:59:15 -0400") References: <87v9ycu55a.fsf@fifthhorseman.net> <87v9ycs051.fsf@wheatstone.g10code.de> <87bm01tydo.fsf@fifthhorseman.net> Message-ID: <87lfz0nr6y.fsf@wheatstone.g10code.de> On Fri, 17 May 2019 01:59, dkg at fifthhorseman.net said: > Hm, i don't see this text on that webpage at all. Can you tell me where > you're getting it from? Second heading ("References and Documentarion"), first line: SEXP 1.0 guide (text) --> http://people.csail.mit.edu/rivest/Sexp.txt > But the choice gcrypt makes is also inconsistent with this list -- why > say "no empty octet-strings" but not "no empty lists", for example? Because it has been implemented in this way 17 years ago and any changes now may result in broken applications. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From dkg at fifthhorseman.net Tue May 21 16:28:50 2019 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 21 May 2019 10:28:50 -0400 Subject: why is GPG_ERR_SEXP_ZERO_PREFIX an error for gcry_sexp_canon_len()? In-Reply-To: <87lfz0nr6y.fsf@wheatstone.g10code.de> References: <87v9ycu55a.fsf@fifthhorseman.net> <87v9ycs051.fsf@wheatstone.g10code.de> <87bm01tydo.fsf@fifthhorseman.net> <87lfz0nr6y.fsf@wheatstone.g10code.de> Message-ID: <87k1ejankt.fsf@fifthhorseman.net> On Tue 2019-05-21 10:32:21 +0200, Werner Koch wrote: > On Fri, 17 May 2019 01:59, dkg at fifthhorseman.net said: >> Hm, i don't see this text on that webpage at all. Can you tell me where >> you're getting it from? > > Second heading ("References and Documentarion"), first line: > > SEXP 1.0 guide (text) --> http://people.csail.mit.edu/rivest/Sexp.txt > >> But the choice gcrypt makes is also inconsistent with this list -- why >> say "no empty octet-strings" but not "no empty lists", for example? > > Because it has been implemented in this way 17 years ago and any changes > now may result in broken applications. Do you have an example of an application that might be broken by dropping this constraint? Nothing in the documentation of libgcrypt guarantees that gcry_sexp_canon_len() will continue to enforce this constraint. Rather, it says "for a valid S-expression, it should never return 0", but it does in fact return zero for the valid S-expression (x: ""). I've opened https://dev.gnupg.org/T4534, which identifies the inconsistency between the documentation and the behavior of the function. If gcrypt intends to rigidly enforce arbitrary limits like this, it needs to declare it explicitly, so that applications that need to deal with S-expressions from the outside world (which may actually contain zero-length octet strings) can select a more suitable library for S-expression parsing. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From dbaryshkov at gmail.com Thu May 23 17:20:58 2019 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Thu, 23 May 2019 18:20:58 +0300 Subject: Backporting Stribog fix to 1.8.x Message-ID: Hello, Since Stribog fix corrects calculations of hashes, would it be possible to push this fix to 1.8 branch and create a bugfix release? The patch da6cd4fea30f79cf9d8f9b2f1c6daf3aea39fa9c applies to 1.8/1.7 without any issues. -- With best wishes Dmitry From wk at gnupg.org Thu May 23 18:42:07 2019 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 May 2019 18:42:07 +0200 Subject: Backporting Stribog fix to 1.8.x In-Reply-To: (Dmitry Eremin-Solenikov's message of "Thu, 23 May 2019 18:20:58 +0300") References: Message-ID: <87imu15di8.fsf@wheatstone.g10code.de> On Thu, 23 May 2019 18:20, dbaryshkov at gmail.com said: > Since Stribog fix corrects calculations of hashes, would it be > possible to push this fix to 1.8 branch and create a bugfix release? > The patch da6cd4fea30f79cf9d8f9b2f1c6daf3aea39fa9c applies to 1.8/1.7 Do you know applications which use that Stribog version in Libgcrypt and which would have a regression if this is fixed? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From dbaryshkov at gmail.com Thu May 23 20:12:43 2019 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Thu, 23 May 2019 21:12:43 +0300 Subject: Backporting Stribog fix to 1.8.x In-Reply-To: <87imu15di8.fsf@wheatstone.g10code.de> References: <87imu15di8.fsf@wheatstone.g10code.de> Message-ID: ??, 23 ??? 2019 ?. ? 19:45, Werner Koch : > > On Thu, 23 May 2019 18:20, dbaryshkov at gmail.com said: > > > Since Stribog fix corrects calculations of hashes, would it be > > possible to push this fix to 1.8 branch and create a bugfix release? > > The patch da6cd4fea30f79cf9d8f9b2f1c6daf3aea39fa9c applies to 1.8/1.7 > > Do you know applications which use that Stribog version in Libgcrypt > and which would have a regression if this is fixed? Not the public ones. AltLinux developers are working on GnuPG fork which supports GOST S/MIME and GOST OpenPGP support. Other developers are supporting Kleopatra patches for GOST support. -- With best wishes Dmitry From wk at gnupg.org Fri May 24 15:09:13 2019 From: wk at gnupg.org (Werner Koch) Date: Fri, 24 May 2019 15:09:13 +0200 Subject: Backporting Stribog fix to 1.8.x In-Reply-To: (Dmitry Eremin-Solenikov's message of "Thu, 23 May 2019 21:12:43 +0300") References: <87imu15di8.fsf@wheatstone.g10code.de> Message-ID: <87d0k8ngna.fsf@wheatstone.g10code.de> On Thu, 23 May 2019 21:12, dbaryshkov at gmail.com said: > Not the public ones. AltLinux developers are working on GnuPG fork > which supports GOST S/MIME and GOST OpenPGP support. Other > developers are supporting Kleopatra patches for GOST support. Does that mean they would anyway patch Libgcrypt? Jussi: Do you think it is okay to backport tghe fix? Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From jussi.kivilinna at iki.fi Sat May 25 14:57:10 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Sat, 25 May 2019 15:57:10 +0300 Subject: Backporting Stribog fix to 1.8.x In-Reply-To: <87d0k8ngna.fsf@wheatstone.g10code.de> References: <87imu15di8.fsf@wheatstone.g10code.de> <87d0k8ngna.fsf@wheatstone.g10code.de> Message-ID: On 24.5.2019 16.09, Werner Koch wrote: > On Thu, 23 May 2019 21:12, dbaryshkov at gmail.com said: > >> Not the public ones. AltLinux developers are working on GnuPG fork >> which supports GOST S/MIME and GOST OpenPGP support. Other >> developers are supporting Kleopatra patches for GOST support. > > Does that mean they would anyway patch Libgcrypt? > > Jussi: Do you think it is okay to backport tghe fix? Yes, it would be ok to backport the fix. I'm a bit concerned about potential breakage for users but that is going to happen with 1.9 anyway and if needed we can add bug-emu flag for Stribog to support the broken algorithm variant. -Jussi From wk at gnupg.org Mon May 27 08:51:11 2019 From: wk at gnupg.org (Werner Koch) Date: Mon, 27 May 2019 08:51:11 +0200 Subject: Backporting Stribog fix to 1.8.x In-Reply-To: (Jussi Kivilinna's message of "Sat, 25 May 2019 15:57:10 +0300") References: <87imu15di8.fsf@wheatstone.g10code.de> <87d0k8ngna.fsf@wheatstone.g10code.de> Message-ID: <87imtwmluo.fsf@wheatstone.g10code.de> On Sat, 25 May 2019 15:57, jussi.kivilinna at iki.fi said: > Yes, it would be ok to backport the fix. I'm a bit concerned about > potential breakage for users but that is going to happen with 1.9 > anyway and if needed we can add bug-emu flag for Stribog to support > the broken algorithm variant. Well, we already did this for Whirlpool and it even states that this very flag may be reused for other algorithms: @item GCRY_MD_FLAG_BUGEMU1 @cindex bug emulation Versions of Libgcrypt before 1.6.0 had a bug in the Whirlpool code which led to a wrong result for certain input sizes and write [...] Note that this flag works for the entire hash context. If needed arises it may be used to enable bug emulation for other hash algorithms. Thus you should not use this flag for a multi-algorithm hash context. I would propose to do this now for Stribog. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From jussi.kivilinna at iki.fi Thu May 30 19:17:37 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 30 May 2019 20:17:37 +0300 Subject: [PATCH] AES & GCM: copy look-up tables from .rodata section to .data Message-ID: <155923665689.2676.9573632659566173610.stgit@localhost.localdomain> * cipher/cipher-gcm.c (gcmR): Rename to ... (gcmR_const): ... this. (gcmR): New. (do_prefetch_tables): Copy gcmR_const to gcmR. * cipher/rijndael-tables.h (encT): Rename to ... (encT_const): ... this. (encT): New. (dec_tables): Rename to ... (dec_tables_const): ... this. (dec_tables): New. * cipher/rijndael.c (prepare_enc_tables, prepare_dec_tables): New. (do_setkey): Prepare encryption tables instead of prefetching. (prepare_decryption): Prepare decryption tables instead of prefetching. -- GnuPG-bug-id: 4541 Signed-off-by: Jussi Kivilinna --- cipher/cipher-gcm.c | 21 +++++++++++++++++---- cipher/rijndael-tables.h | 17 +++++++++++++---- cipher/rijndael.c | 33 +++++++++++++++++++++++++++++++-- 3 files changed, 61 insertions(+), 10 deletions(-) diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c index 11f119aa7..f237906bb 100644 --- a/cipher/cipher-gcm.c +++ b/cipher/cipher-gcm.c @@ -83,7 +83,10 @@ ghash_armv7_neon (gcry_cipher_hd_t c, byte *result, const byte *buf, #ifdef GCM_USE_TABLES -static const u16 gcmR[256] = { + +static u16 gcmR[256]; + +static const u16 gcmR_const[256] = { 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, @@ -119,7 +122,7 @@ static const u16 gcmR[256] = { }; static inline -void prefetch_table(const void *tab, size_t len) +void prefetch_table (const void *tab, size_t len) { const volatile byte *vtab = tab; size_t i; @@ -142,8 +145,18 @@ void prefetch_table(const void *tab, size_t len) static inline void do_prefetch_tables (const void *gcmM, size_t gcmM_size) { - prefetch_table(gcmM, gcmM_size); - prefetch_table(gcmR, sizeof(gcmR)); + prefetch_table (gcmM, gcmM_size); + + if (gcmR[1] != gcmR_const[1] || gcmR[255] != gcmR_const[255]) + { + /* Copy look-up tables from .rodata section to .data to avoid + * sharing physical memory between processes. */ + buf_cpy (gcmR, gcmR_const, sizeof(gcmR_const)); + } + else + { + prefetch_table (gcmR, sizeof(gcmR)); + } } #ifdef GCM_TABLES_USE_U64 diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h index 835947001..0940006cc 100644 --- a/cipher/rijndael-tables.h +++ b/cipher/rijndael-tables.h @@ -21,7 +21,16 @@ /* To keep the actual implementation at a readable size we use this include file to define the tables. */ -static const u32 encT[256] = + +static u32 encT[256]; + +static struct +{ + u32 T[256]; + byte inv_sbox[256]; +} dec_tables; + +static const u32 encT_const[256] = { 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, @@ -91,9 +100,9 @@ static const u32 encT[256] = static const struct { - u32 T[256]; - byte inv_sbox[256]; -} dec_tables = + u32 T_const[256]; + byte inv_sbox_const[256]; +} dec_tables_const = { { 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, diff --git a/cipher/rijndael.c b/cipher/rijndael.c index 1001b1d52..4843e9770 100644 --- a/cipher/rijndael.c +++ b/cipher/rijndael.c @@ -247,6 +247,35 @@ static void prefetch_dec(void) prefetch_table((const void *)&dec_tables, sizeof(dec_tables)); } +static void prepare_enc_tables(void) +{ + if (encT[0] != encT_const[0] || encT[255] != encT_const[255]) + { + /* Copy look-up tables from .rodata section to .data to avoid + * sharing physical memory between processes. */ + buf_cpy(encT, encT_const, sizeof(encT_const)); + } + else + { + prefetch_enc(); + } +} + +static void prepare_dec_tables(void) +{ + if (decT[0] != dec_tables_const.T_const[0] || + inv_sbox[255] != dec_tables_const.inv_sbox_const[255]) + { + /* Copy look-up tables from .rodata section to .data to avoid + * sharing physical memory between processes. */ + buf_cpy(&dec_tables, &dec_tables_const, sizeof(dec_tables_const)); + } + else + { + prefetch_dec(); + } +} + /* Perform the key setup. */ @@ -443,7 +472,7 @@ do_setkey (RIJNDAEL_context *ctx, const byte *key, const unsigned keylen, #define W (ctx->keyschenc) #define W_u32 (ctx->keyschenc32) - prefetch_enc(); + prepare_enc_tables(); for (i = 0; i < keylen; i++) { @@ -575,8 +604,8 @@ prepare_decryption( RIJNDAEL_context *ctx ) { const byte *sbox = ((const byte *)encT) + 1; + prepare_dec_tables(); prefetch_enc(); - prefetch_dec(); ctx->keyschdec32[0][0] = ctx->keyschenc32[0][0]; ctx->keyschdec32[0][1] = ctx->keyschenc32[0][1]; From jussi.kivilinna at iki.fi Thu May 30 19:18:12 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 30 May 2019 20:18:12 +0300 Subject: [PATCH] stribog: add carry bug emulation Message-ID: <155923669236.2916.9033839866791839363.stgit@localhost.localdomain> * cipher/stribog.c (STRIBOG_CONTEXT): Add 'use_carry_bugemu'. (stribog_init_512): Set 'use_carry_bugemu' if GCRY_MD_FLAG_BUGEMU1 flag is set. (transform_bits): Add 'use_carry_bugemu' path. * tests/basic.c (check_one_md): Add 'flags' parameter. (check_digests): Add Stribug bog emulation check. -- Signed-off-by: Jussi Kivilinna --- cipher/stribog.c | 29 +++++++++++++++++++++++------ tests/basic.c | 36 +++++++++++++++++++++++++++++------- 2 files changed, 52 insertions(+), 13 deletions(-) diff --git a/cipher/stribog.c b/cipher/stribog.c index 267872474..9d45047d8 100644 --- a/cipher/stribog.c +++ b/cipher/stribog.c @@ -39,6 +39,7 @@ typedef struct }; u64 N[8]; u64 Sigma[8]; + int use_carry_bugemu; } STRIBOG_CONTEXT; @@ -1208,6 +1209,9 @@ stribog_init_512 (void *context, unsigned int flags) hd->bctx.blocksize = 64; hd->bctx.bwrite = transform; + + if ((flags & GCRY_MD_FLAG_BUGEMU1)) + hd->use_carry_bugemu = 1; } static void @@ -1242,13 +1246,26 @@ transform_bits (STRIBOG_CONTEXT *hd, const unsigned char *data, unsigned count) } } - hd->Sigma[0] += M[0]; - cf = 0; - for (i = 1; i < 8; i++) + if (hd->use_carry_bugemu) { - if (hd->Sigma[i-1] != M[i-1]) - cf = (hd->Sigma[i-1] < M[i-1]); - hd->Sigma[i] += M[i] + cf; + /* Bug compatibility Stribog version. */ + hd->Sigma[0] += M[0]; + for (i = 1; i < 8; i++) + if (hd->Sigma[i-1] < M[i-1]) + hd->Sigma[i] += M[i] + 1; + else + hd->Sigma[i] += M[i]; + } + else + { + hd->Sigma[0] += M[0]; + cf = 0; + for (i = 1; i < 8; i++) + { + if (hd->Sigma[i-1] != M[i-1]) + cf = (hd->Sigma[i-1] < M[i-1]); + hd->Sigma[i] += M[i] + cf; + } } } diff --git a/tests/basic.c b/tests/basic.c index 0ce88e291..3273c9e7a 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -8193,8 +8193,8 @@ fillbuf_count (char *buf, size_t buflen, unsigned char pos) static void -check_one_md (int algo, const char *data, int len, const char *expect, int elen, - const char *key, int klen) +check_one_md (int algo, int flags, const char *data, int len, + const char *expect, int elen, const char *key, int klen) { gcry_md_hd_t hd, hd2; unsigned char *p; @@ -8203,7 +8203,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, int xof = 0; gcry_error_t err = 0; - err = gcry_md_open (&hd, algo, 0); + err = gcry_md_open (&hd, algo, flags); if (err) { fail ("algo %d, gcry_md_open failed: %s\n", algo, gpg_strerror (err)); @@ -8244,7 +8244,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, /* Test hashing small input sizes first as full block, then byte-by-byte * and check that resulting digests are the same. */ - err = gcry_md_open (&hd2, algo, 0); + err = gcry_md_open (&hd2, algo, flags); if (err) { gcry_md_close (hd); @@ -8438,7 +8438,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, crclen = gcry_md_get_algo_dlen (crcalgo); - err = gcry_md_open (&crc1, crcalgo, 0); + err = gcry_md_open (&crc1, crcalgo, flags); if (err) { fail ("algo %d, crcalgo: %d, gcry_md_open failed: %s\n", algo, @@ -8446,7 +8446,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, return; } - err = gcry_md_open (&crc2, crcalgo, 0); + err = gcry_md_open (&crc2, crcalgo, flags); if (err) { fail ("algo %d, crcalgo: %d, gcry_md_open failed: %s\n", algo, @@ -9964,7 +9964,7 @@ check_digests (void) (!strcmp (algos[i].data, "!") || !strcmp (algos[i].data, "?"))? 1000000 : (int)strlen(algos[i].data)); - check_one_md (algos[i].md, algos[i].data, + check_one_md (algos[i].md, 0, algos[i].data, algos[i].datalen > 0 ? algos[i].datalen : strlen (algos[i].data), algos[i].expect, algos[i].expectlen, @@ -10030,6 +10030,28 @@ check_digests (void) gcry_md_close (hd); } + /* Check the Stribog bug emulation. */ + if (!gcry_md_test_algo (GCRY_MD_STRIBOG512) && !in_fips_mode) + { + const char *data = + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"; + const char *expect = + "\xc5\xe8\xac\x15\x6e\x3c\xd7\xf3\x95\xfa\x9c\x8b\xf8\xfb\x39\x95" + "\xdc\xfa\xdc\x0e\xe5\x39\xd5\x6e\x51\x38\x80\x4b\x48\x8e\x17\xb8" + "\x46\xfc\x7b\xcc\xf8\x83\xb2\x19\x14\xac\xfd\x0a\xdd\x48\xe5\x5a" + "\xc3\x59\xa7\x56\x4f\x39\x61\x9c\xd6\xad\x9d\x93\xa3\x5b\xf9\xa9"; + + check_one_md (GCRY_MD_STRIBOG512, GCRY_MD_FLAG_BUGEMU1, data, + strlen (data), expect, 0, NULL, 0); + } + leave: if (verbose) fprintf (stderr, "Completed hash checks.\n"); From ian at cypherpunks.ca Fri May 31 01:42:26 2019 From: ian at cypherpunks.ca (Ian Goldberg) Date: Thu, 30 May 2019 19:42:26 -0400 Subject: [PATCH] AES & GCM: copy look-up tables from .rodata section to .data In-Reply-To: <155923665689.2676.9573632659566173610.stgit@localhost.localdomain> References: <155923665689.2676.9573632659566173610.stgit@localhost.localdomain> Message-ID: <20190530234226.GV4932@yoink.cs.uwaterloo.ca> On Thu, May 30, 2019 at 08:17:37PM +0300, Jussi Kivilinna wrote: > + /* Copy look-up tables from .rodata section to .data to avoid > + * sharing physical memory between processes. */ Are you keeping some unique data on the same page to avoid kernel same-page merging? From stanermetin at gmail.com Fri May 31 10:01:55 2019 From: stanermetin at gmail.com (Tan) Date: Fri, 31 May 2019 10:01:55 +0200 Subject: Android compat Message-ID: Hello all, I am newbie to Android native development and want to benefit Gcrypt in application. Has anyone recently compiled libgcrypt for Android recently. I saw few commands and flags on regarding the toolchain but was not really clear to me. Could anyone point me a right direction or share his/her experience? BW, Taner -------------- next part -------------- An HTML attachment was scrubbed... URL: From jussi.kivilinna at iki.fi Fri May 31 16:35:53 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Fri, 31 May 2019 17:35:53 +0300 Subject: [PATCH] AES & GCM: copy look-up tables from .rodata section to .data In-Reply-To: <20190530234226.GV4932@yoink.cs.uwaterloo.ca> References: <155923665689.2676.9573632659566173610.stgit@localhost.localdomain> <20190530234226.GV4932@yoink.cs.uwaterloo.ca> Message-ID: <3db55918-c64f-6f46-08e6-af2957f46404@iki.fi> On 31.5.2019 2.42, Ian Goldberg wrote: > On Thu, May 30, 2019 at 08:17:37PM +0300, Jussi Kivilinna wrote: >> + /* Copy look-up tables from .rodata section to .data to avoid >> + * sharing physical memory between processes. */ > > Are you keeping some unique data on the same page to avoid kernel > same-page merging? > Thanks for pointing about same-page merging. I'll take different approach to handle page merging. -Jussi From jussi.kivilinna at iki.fi Fri May 31 17:15:06 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Fri, 31 May 2019 18:15:06 +0300 Subject: [PATCH 1/2] AES: move look-up tables to .data section and unshare between processes Message-ID: <155931570592.9029.2489299146721383328.stgit@localhost.localdomain> * cipher/rijndael-internal.h (ATTR_ALIGNED_64): New. * cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure. (enc_tables): New structure for encryption table with counters before and after. (encT): New macro. (dec_tables): Add counters before and after encryption table; Move from .rodata to .data section. (do_encrypt): Change 'encT' to 'enc_tables.T'. (do_decrypt): Change '&dec_tables' to 'dec_tables.T'. * cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input with length not multiple of 256. (prefetch_enc, prefetch_dec): Modify pre- and post-table counters to unshare look-up table pages between processes. -- GnuPG-bug-id: 4541 Signed-off-by: Jussi Kivilinna --- cipher/rijndael-internal.h | 4 + cipher/rijndael-tables.h | 155 +++++++++++++++++++++++++------------------- cipher/rijndael.c | 35 ++++++++-- 3 files changed, 118 insertions(+), 76 deletions(-) diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h index 876d55fe3..78b08e8f8 100644 --- a/cipher/rijndael-internal.h +++ b/cipher/rijndael-internal.h @@ -29,11 +29,13 @@ #define BLOCKSIZE (128/8) -/* Helper macro to force alignment to 16 bytes. */ +/* Helper macro to force alignment to 16 or 64 bytes. */ #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) +# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) #else # define ATTR_ALIGNED_16 +# define ATTR_ALIGNED_64 #endif diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h index 835947001..b54d95939 100644 --- a/cipher/rijndael-tables.h +++ b/cipher/rijndael-tables.h @@ -21,80 +21,98 @@ /* To keep the actual implementation at a readable size we use this include file to define the tables. */ -static const u32 encT[256] = +static struct +{ + volatile u32 counter_head; + u32 cacheline_align[64 / 4 - 1]; + u32 T[256]; + volatile u32 counter_tail; +} enc_tables ATTR_ALIGNED_64 = { - 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, - 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, - 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, - 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, - 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, - 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, - 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, - 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, - 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, - 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, - 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, - 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, - 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, - 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, - 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, - 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, - 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, - 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, - 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, - 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, - 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, - 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, - 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, - 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, - 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, - 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, - 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, - 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, - 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, - 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, - 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, - 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, - 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, - 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, - 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, - 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, - 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, - 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, - 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, - 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, - 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, - 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, - 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, - 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, - 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, - 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, - 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, - 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, - 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, - 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, - 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, - 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, - 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, - 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, - 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, - 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, - 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, - 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, - 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, - 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, - 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, - 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, - 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, - 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c + 0, + { 0, }, + { + 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, + 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, + 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, + 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, + 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, + 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, + 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, + 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, + 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, + 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, + 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, + 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, + 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, + 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, + 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, + 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, + 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, + 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, + 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, + 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, + 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, + 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, + 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, + 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, + 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, + 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, + 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, + 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, + 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, + 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, + 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, + 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, + 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, + 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, + 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, + 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, + 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, + 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, + 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, + 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, + 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, + 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, + 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, + 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, + 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, + 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, + 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, + 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, + 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, + 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, + 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, + 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, + 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, + 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, + 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, + 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, + 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, + 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, + 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, + 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, + 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, + 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, + 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, + 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c + }, + 0 }; -static const struct +#define encT enc_tables.T + +static struct { + volatile u32 counter_head; + u32 cacheline_align[64 / 4 - 1]; u32 T[256]; byte inv_sbox[256]; -} dec_tables = + volatile u32 counter_tail; +} dec_tables ATTR_ALIGNED_64 = { + 0, + { 0, }, { 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, @@ -194,7 +212,8 @@ static const struct 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d - } + }, + 0 }; #define decT dec_tables.T diff --git a/cipher/rijndael.c b/cipher/rijndael.c index 1001b1d52..2c9aa6733 100644 --- a/cipher/rijndael.c +++ b/cipher/rijndael.c @@ -218,11 +218,11 @@ static const char *selftest(void); /* Prefetching for encryption/decryption tables. */ -static void prefetch_table(const volatile byte *tab, size_t len) +static inline void prefetch_table(const volatile byte *tab, size_t len) { size_t i; - for (i = 0; i < len; i += 8 * 32) + for (i = 0; len - i >= 8 * 32; i += 8 * 32) { (void)tab[i + 0 * 32]; (void)tab[i + 1 * 32]; @@ -233,17 +233,37 @@ static void prefetch_table(const volatile byte *tab, size_t len) (void)tab[i + 6 * 32]; (void)tab[i + 7 * 32]; } + for (; i < len; i += 32) + { + (void)tab[i]; + } (void)tab[len - 1]; } static void prefetch_enc(void) { - prefetch_table((const void *)encT, sizeof(encT)); + /* Modify counters to trigger copy-on-write and unsharing if physical pages + * of look-up table are shared between processes. Modifying counters also + * causes checksums for pages to change and hint same-page merging algorithm + * that these pages are frequently changing. */ + enc_tables.counter_head++; + enc_tables.counter_tail++; + + /* Prefetch look-up tables to cache. */ + prefetch_table((const void *)&enc_tables, sizeof(enc_tables)); } static void prefetch_dec(void) { + /* Modify counters to trigger copy-on-write and unsharing if physical pages + * of look-up table are shared between processes. Modifying counters also + * causes checksums for pages to change and hint same-page merging algorithm + * that these pages are frequently changing. */ + dec_tables.counter_head++; + dec_tables.counter_tail++; + + /* Prefetch look-up tables to cache. */ prefetch_table((const void *)&dec_tables, sizeof(dec_tables)); } @@ -765,9 +785,10 @@ do_encrypt (const RIJNDAEL_context *ctx, { #ifdef USE_AMD64_ASM return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, - encT); + enc_tables.T); #elif defined(USE_ARM_ASM) - return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT); + return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, + enc_tables.T); #else return do_encrypt_fn (ctx, bx, ax); #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/ @@ -1123,10 +1144,10 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, { #ifdef USE_AMD64_ASM return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, - &dec_tables); + dec_tables.T); #elif defined(USE_ARM_ASM) return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, - &dec_tables); + dec_tables.T); #else return do_decrypt_fn (ctx, bx, ax); #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/ From jussi.kivilinna at iki.fi Fri May 31 17:15:11 2019 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Fri, 31 May 2019 18:15:11 +0300 Subject: [PATCH 2/2] GCM: move look-up table to .data section and unshare between processes In-Reply-To: <155931570592.9029.2489299146721383328.stgit@localhost.localdomain> References: <155931570592.9029.2489299146721383328.stgit@localhost.localdomain> Message-ID: <155931571111.9029.3501850777788846318.stgit@localhost.localdomain> * cipher/cipher-gcm.c (ATTR_ALIGNED_64): New. (gcmR): Move to 'gcm_table' structure. (gcm_table): New structure for look-up table with counters before and after. (gcmR): New macro. (prefetch_table): Handle input with length not multiple of 256. (do_prefetch_tables): Modify pre- and post-table counters to unshare look-up table pages between processes. -- GnuPG-bug-id: 4541 Signed-off-by: Jussi Kivilinna --- cipher/cipher-gcm.c | 106 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 70 insertions(+), 36 deletions(-) diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c index 11f119aa7..194e2ec9d 100644 --- a/cipher/cipher-gcm.c +++ b/cipher/cipher-gcm.c @@ -30,6 +30,14 @@ #include "./cipher-internal.h" +/* Helper macro to force alignment to 16 or 64 bytes. */ +#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED +# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) +#else +# define ATTR_ALIGNED_64 +#endif + + #ifdef GCM_USE_INTEL_PCLMUL extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c); @@ -83,40 +91,54 @@ ghash_armv7_neon (gcry_cipher_hd_t c, byte *result, const byte *buf, #ifdef GCM_USE_TABLES -static const u16 gcmR[256] = { - 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, - 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, - 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, - 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, - 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, - 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, - 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, - 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, - 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, - 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, - 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, - 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, - 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, - 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, - 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, - 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, - 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, - 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, - 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, - 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, - 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, - 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, - 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, - 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, - 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, - 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, - 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, - 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, - 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, - 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, - 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, - 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, -}; +static struct +{ + volatile u32 counter_head; + u32 cacheline_align[64 / 4 - 1]; + u16 R[256]; + volatile u32 counter_tail; +} gcm_table ATTR_ALIGNED_64 = + { + 0, + { 0, }, + { + 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, + 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, + 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, + 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, + 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, + 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, + 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, + 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, + 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, + 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, + 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, + 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, + 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, + 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, + 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, + 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, + 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, + 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, + 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, + 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, + 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, + 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, + 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, + 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, + 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, + 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, + 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, + 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, + 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, + 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, + 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, + 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, + }, + 0 + }; + +#define gcmR gcm_table.R static inline void prefetch_table(const void *tab, size_t len) @@ -124,7 +146,7 @@ void prefetch_table(const void *tab, size_t len) const volatile byte *vtab = tab; size_t i; - for (i = 0; i < len; i += 8 * 32) + for (i = 0; len - i >= 8 * 32; i += 8 * 32) { (void)vtab[i + 0 * 32]; (void)vtab[i + 1 * 32]; @@ -135,6 +157,10 @@ void prefetch_table(const void *tab, size_t len) (void)vtab[i + 6 * 32]; (void)vtab[i + 7 * 32]; } + for (; i < len; i += 32) + { + (void)vtab[i]; + } (void)vtab[len - 1]; } @@ -142,8 +168,16 @@ void prefetch_table(const void *tab, size_t len) static inline void do_prefetch_tables (const void *gcmM, size_t gcmM_size) { + /* Modify counters to trigger copy-on-write and unsharing if physical pages + * of look-up table are shared between processes. Modifying counters also + * causes checksums for pages to change and hint same-page merging algorithm + * that these pages are frequently changing. */ + gcm_table.counter_head++; + gcm_table.counter_tail++; + + /* Prefetch look-up tables to cache. */ prefetch_table(gcmM, gcmM_size); - prefetch_table(gcmR, sizeof(gcmR)); + prefetch_table(&gcm_table, sizeof(gcm_table)); } #ifdef GCM_TABLES_USE_U64 From stanermetin at gmail.com Fri May 31 18:06:06 2019 From: stanermetin at gmail.com (Tan) Date: Fri, 31 May 2019 18:06:06 +0200 Subject: Libgcrypt for Android development Message-ID: Hello all, I am newbie to Android native development and want to benefit Gcrypt in application. Has anyone recently compiled libgcrypt for Android recently. I saw few commands and flags on regarding the toolchain but was not really clear to me. Could anyone point me a right direction or share his/her experience? BW, Taner -------------- next part -------------- An HTML attachment was scrubbed... URL: From dbaryshkov at gmail.com Fri May 31 19:47:01 2019 From: dbaryshkov at gmail.com (Dmitry Eremin-Solenikov) Date: Fri, 31 May 2019 20:47:01 +0300 Subject: [PATCH] stribog: add carry bug emulation In-Reply-To: <155923669236.2916.9033839866791839363.stgit@localhost.localdomain> References: <155923669236.2916.9033839866791839363.stgit@localhost.localdomain> Message-ID: Hello, ??, 30 ??? 2019 ?. ? 20:21, Jussi Kivilinna : > > * cipher/stribog.c (STRIBOG_CONTEXT): Add 'use_carry_bugemu'. > (stribog_init_512): Set 'use_carry_bugemu' if GCRY_MD_FLAG_BUGEMU1 flag > is set. > (transform_bits): Add 'use_carry_bugemu' path. > * tests/basic.c (check_one_md): Add 'flags' parameter. > (check_digests): Add Stribug bog emulation check. Thank you for your effort. However after small discussion with other developers, it doesn't look like there is a need for such compatibility flag. > -- > > Signed-off-by: Jussi Kivilinna > --- > cipher/stribog.c | 29 +++++++++++++++++++++++------ > tests/basic.c | 36 +++++++++++++++++++++++++++++------- > 2 files changed, 52 insertions(+), 13 deletions(-) > > diff --git a/cipher/stribog.c b/cipher/stribog.c > index 267872474..9d45047d8 100644 > --- a/cipher/stribog.c > +++ b/cipher/stribog.c > @@ -39,6 +39,7 @@ typedef struct > }; > u64 N[8]; > u64 Sigma[8]; > + int use_carry_bugemu; > } STRIBOG_CONTEXT; > > > @@ -1208,6 +1209,9 @@ stribog_init_512 (void *context, unsigned int flags) > > hd->bctx.blocksize = 64; > hd->bctx.bwrite = transform; > + > + if ((flags & GCRY_MD_FLAG_BUGEMU1)) > + hd->use_carry_bugemu = 1; > } > > static void > @@ -1242,13 +1246,26 @@ transform_bits (STRIBOG_CONTEXT *hd, const unsigned char *data, unsigned count) > } > } > > - hd->Sigma[0] += M[0]; > - cf = 0; > - for (i = 1; i < 8; i++) > + if (hd->use_carry_bugemu) > { > - if (hd->Sigma[i-1] != M[i-1]) > - cf = (hd->Sigma[i-1] < M[i-1]); > - hd->Sigma[i] += M[i] + cf; > + /* Bug compatibility Stribog version. */ > + hd->Sigma[0] += M[0]; > + for (i = 1; i < 8; i++) > + if (hd->Sigma[i-1] < M[i-1]) > + hd->Sigma[i] += M[i] + 1; > + else > + hd->Sigma[i] += M[i]; > + } > + else > + { > + hd->Sigma[0] += M[0]; > + cf = 0; > + for (i = 1; i < 8; i++) > + { > + if (hd->Sigma[i-1] != M[i-1]) > + cf = (hd->Sigma[i-1] < M[i-1]); > + hd->Sigma[i] += M[i] + cf; > + } > } > } > > diff --git a/tests/basic.c b/tests/basic.c > index 0ce88e291..3273c9e7a 100644 > --- a/tests/basic.c > +++ b/tests/basic.c > @@ -8193,8 +8193,8 @@ fillbuf_count (char *buf, size_t buflen, unsigned char pos) > > > static void > -check_one_md (int algo, const char *data, int len, const char *expect, int elen, > - const char *key, int klen) > +check_one_md (int algo, int flags, const char *data, int len, > + const char *expect, int elen, const char *key, int klen) > { > gcry_md_hd_t hd, hd2; > unsigned char *p; > @@ -8203,7 +8203,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, > int xof = 0; > gcry_error_t err = 0; > > - err = gcry_md_open (&hd, algo, 0); > + err = gcry_md_open (&hd, algo, flags); > if (err) > { > fail ("algo %d, gcry_md_open failed: %s\n", algo, gpg_strerror (err)); > @@ -8244,7 +8244,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, > /* Test hashing small input sizes first as full block, then byte-by-byte > * and check that resulting digests are the same. */ > > - err = gcry_md_open (&hd2, algo, 0); > + err = gcry_md_open (&hd2, algo, flags); > if (err) > { > gcry_md_close (hd); > @@ -8438,7 +8438,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, > > crclen = gcry_md_get_algo_dlen (crcalgo); > > - err = gcry_md_open (&crc1, crcalgo, 0); > + err = gcry_md_open (&crc1, crcalgo, flags); > if (err) > { > fail ("algo %d, crcalgo: %d, gcry_md_open failed: %s\n", algo, > @@ -8446,7 +8446,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, > return; > } > > - err = gcry_md_open (&crc2, crcalgo, 0); > + err = gcry_md_open (&crc2, crcalgo, flags); > if (err) > { > fail ("algo %d, crcalgo: %d, gcry_md_open failed: %s\n", algo, > @@ -9964,7 +9964,7 @@ check_digests (void) > (!strcmp (algos[i].data, "!") || !strcmp (algos[i].data, "?"))? > 1000000 : (int)strlen(algos[i].data)); > > - check_one_md (algos[i].md, algos[i].data, > + check_one_md (algos[i].md, 0, algos[i].data, > algos[i].datalen > 0 ? algos[i].datalen > : strlen (algos[i].data), > algos[i].expect, algos[i].expectlen, > @@ -10030,6 +10030,28 @@ check_digests (void) > gcry_md_close (hd); > } > > + /* Check the Stribog bug emulation. */ > + if (!gcry_md_test_algo (GCRY_MD_STRIBOG512) && !in_fips_mode) > + { > + const char *data = > + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" > + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" > + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" > + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" > + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" > + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" > + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" > + "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"; > + const char *expect = > + "\xc5\xe8\xac\x15\x6e\x3c\xd7\xf3\x95\xfa\x9c\x8b\xf8\xfb\x39\x95" > + "\xdc\xfa\xdc\x0e\xe5\x39\xd5\x6e\x51\x38\x80\x4b\x48\x8e\x17\xb8" > + "\x46\xfc\x7b\xcc\xf8\x83\xb2\x19\x14\xac\xfd\x0a\xdd\x48\xe5\x5a" > + "\xc3\x59\xa7\x56\x4f\x39\x61\x9c\xd6\xad\x9d\x93\xa3\x5b\xf9\xa9"; > + > + check_one_md (GCRY_MD_STRIBOG512, GCRY_MD_FLAG_BUGEMU1, data, > + strlen (data), expect, 0, NULL, 0); > + } > + > leave: > if (verbose) > fprintf (stderr, "Completed hash checks.\n"); > > > _______________________________________________ > Gcrypt-devel mailing list > Gcrypt-devel at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gcrypt-devel -- With best wishes Dmitry