diff --git a/libgcrypt-1.10.3.tar.bz2 b/libgcrypt-1.10.3.tar.bz2 deleted file mode 100644 index 653803f..0000000 --- a/libgcrypt-1.10.3.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8b0870897ac5ac67ded568dcfadf45969cfa8a6beb0fd60af2a9eadc2a3272aa -size 3783827 diff --git a/libgcrypt-1.10.3.tar.bz2.sig b/libgcrypt-1.10.3.tar.bz2.sig deleted file mode 100644 index 4172518..0000000 Binary files a/libgcrypt-1.10.3.tar.bz2.sig and /dev/null differ diff --git a/libgcrypt-1.11.0.tar.bz2 b/libgcrypt-1.11.0.tar.bz2 new file mode 100644 index 0000000..28d1068 --- /dev/null +++ b/libgcrypt-1.11.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:09120c9867ce7f2081d6aaa1775386b98c2f2f246135761aae47d81f58685b9c +size 4180345 diff --git a/libgcrypt-1.11.0.tar.bz2.sig b/libgcrypt-1.11.0.tar.bz2.sig new file mode 100644 index 0000000..2debe94 Binary files /dev/null and b/libgcrypt-1.11.0.tar.bz2.sig differ diff --git a/libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch b/libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch deleted file mode 100644 index 5877fee..0000000 --- a/libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch +++ /dev/null @@ -1,1993 +0,0 @@ -commit 88fe7ac33eb4cb4dff76a5cc7fca50da5fb0ee3a -Author: Danny Tsen -Date: Sun Jun 12 21:30:19 2022 +0300 - - Chacha20 poly1305 Optimized chacha20 poly1305 for P10 operation - - * configure.ac: Added chacha20 and poly1305 assembly implementations. - * cipher/chacha20-p10le-8x.s: (New) - support 8 blocks (512 bytes) - unrolling. - * cipher/poly1305-p10le.s: (New) - support 4 blocks (128 bytes) - unrolling. - * cipher/Makefile.am: Added new chacha20 and poly1305 files. - * cipher/chacha20.c: Added PPC p10 le support for 8x chacha20. - * cipher/poly1305.c: Added PPC p10 le support for 4x poly1305. - * cipher/poly1305-internal.h: Added PPC p10 le support for poly1305. - --- - - GnuPG-bug-id: 6006 - 
Signed-off-by: Danny Tsen
- [jk: cosmetic changes to C code]
- [jk: fix building on ppc64be]
- Signed-off-by: Jussi Kivilinna
-
-Index: libgcrypt-1.10.2/cipher/Makefile.am
-===================================================================
---- libgcrypt-1.10.2.orig/cipher/Makefile.am
-+++ libgcrypt-1.10.2/cipher/Makefile.am
-@@ -83,6 +83,7 @@ EXTRA_libcipher_la_SOURCES = \
- chacha20.c chacha20-amd64-ssse3.S chacha20-amd64-avx2.S \
- chacha20-armv7-neon.S chacha20-aarch64.S \
- chacha20-ppc.c chacha20-s390x.S \
-+ chacha20-p10le-8x.s \
- cipher-gcm-ppc.c cipher-gcm-intel-pclmul.c cipher-gcm-armv7-neon.S \
- cipher-gcm-armv8-aarch32-ce.S cipher-gcm-armv8-aarch64-ce.S \
- crc.c crc-intel-pclmul.c crc-armv8-ce.c \
-@@ -99,6 +100,7 @@ EXTRA_libcipher_la_SOURCES = \
- md4.c \
- md5.c \
- poly1305-s390x.S \
-+ poly1305-p10le.s \
- rijndael.c rijndael-internal.h rijndael-tables.h \
- rijndael-aesni.c rijndael-padlock.c \
- rijndael-amd64.S rijndael-arm.S \
-Index: libgcrypt-1.10.2/cipher/chacha20-p10le-8x.s
-===================================================================
---- /dev/null
-+++ libgcrypt-1.10.2/cipher/chacha20-p10le-8x.s
-@@ -0,0 +1,864 @@
-+# Copyright 2021- IBM Inc. All rights reserved
-+#
-+# This file is part of Libgcrypt.
-+#
-+# Libgcrypt is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU Lesser General Public License as
-+# published by the Free Software Foundation; either version 2.1 of
-+# the License, or (at your option) any later version.
-+#
-+# Libgcrypt is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU Lesser General Public License for more details.
-+#
-+# You should have received a copy of the GNU Lesser General Public
-+# License along with this program; if not, see .
-+# -+#=================================================================================== -+# Written by Danny Tsen -+# -+# This function handles multiple 64-byte block data length -+# and the length should be more than 512 bytes. -+# -+# unsigned int _gcry_chacha20_p10le_8x(u32 *state, byte *dst, const byte *src, size_t len); -+# -+# r1 - top of the stack -+# r3 to r10 input parameters -+# r3 - out -+# r4 - inp -+# r5 - len -+# r6 - key[8] -+# r7 - counter[4] -+# -+# do rounds, 8 quarter rounds -+# 1. a += b; d ^= a; d <<<= 16; -+# 2. c += d; b ^= c; b <<<= 12; -+# 3. a += b; d ^= a; d <<<= 8; -+# 4. c += d; b ^= c; b <<<= 7 -+# -+# row1 = (row1 + row2), row4 = row1 xor row4, row4 rotate each word by 16 -+# row3 = (row3 + row4), row2 = row3 xor row2, row2 rotate each word by 12 -+# row1 = (row1 + row2), row4 = row1 xor row4, row4 rotate each word by 8 -+# row3 = (row3 + row4), row2 = row3 xor row2, row2 rotate each word by 7 -+# -+# 4 blocks (a b c d) -+# -+# a0 b0 c0 d0 -+# a1 b1 c1 d1 -+# ... -+# a4 b4 c4 d4 -+# ... -+# a8 b8 c8 d8 -+# ... -+# a12 b12 c12 d12 -+# a13 ... -+# a14 ... 
-+# a15 b15 c15 d15 -+# -+# Column round (v0, v4, v8, v12, v1, v5, v9, v13, v2, v6, v10, v14, v3, v7, v11, v15) -+# Diagnal round (v0, v5, v10, v15, v1, v6, v11, v12, v2, v7, v8, v13, v3, v4, v9, v14) -+# -+.text -+ -+.macro QT_loop_8x -+ # QR(v0, v4, v8, v12, v1, v5, v9, v13, v2, v6, v10, v14, v3, v7, v11, v15) -+ xxlor 0, 32+25, 32+25 -+ xxlor 32+25, 20, 20 -+ vadduwm 0, 0, 4 -+ vadduwm 1, 1, 5 -+ vadduwm 2, 2, 6 -+ vadduwm 3, 3, 7 -+ vadduwm 16, 16, 20 -+ vadduwm 17, 17, 21 -+ vadduwm 18, 18, 22 -+ vadduwm 19, 19, 23 -+ -+ vpermxor 12, 12, 0, 25 -+ vpermxor 13, 13, 1, 25 -+ vpermxor 14, 14, 2, 25 -+ vpermxor 15, 15, 3, 25 -+ vpermxor 28, 28, 16, 25 -+ vpermxor 29, 29, 17, 25 -+ vpermxor 30, 30, 18, 25 -+ vpermxor 31, 31, 19, 25 -+ xxlor 32+25, 0, 0 -+ vadduwm 8, 8, 12 -+ vadduwm 9, 9, 13 -+ vadduwm 10, 10, 14 -+ vadduwm 11, 11, 15 -+ vadduwm 24, 24, 28 -+ vadduwm 25, 25, 29 -+ vadduwm 26, 26, 30 -+ vadduwm 27, 27, 31 -+ vxor 4, 4, 8 -+ vxor 5, 5, 9 -+ vxor 6, 6, 10 -+ vxor 7, 7, 11 -+ vxor 20, 20, 24 -+ vxor 21, 21, 25 -+ vxor 22, 22, 26 -+ vxor 23, 23, 27 -+ -+ xxlor 0, 32+25, 32+25 -+ xxlor 32+25, 21, 21 -+ vrlw 4, 4, 25 # -+ vrlw 5, 5, 25 -+ vrlw 6, 6, 25 -+ vrlw 7, 7, 25 -+ vrlw 20, 20, 25 # -+ vrlw 21, 21, 25 -+ vrlw 22, 22, 25 -+ vrlw 23, 23, 25 -+ xxlor 32+25, 0, 0 -+ vadduwm 0, 0, 4 -+ vadduwm 1, 1, 5 -+ vadduwm 2, 2, 6 -+ vadduwm 3, 3, 7 -+ vadduwm 16, 16, 20 -+ vadduwm 17, 17, 21 -+ vadduwm 18, 18, 22 -+ vadduwm 19, 19, 23 -+ -+ xxlor 0, 32+25, 32+25 -+ xxlor 32+25, 22, 22 -+ vpermxor 12, 12, 0, 25 -+ vpermxor 13, 13, 1, 25 -+ vpermxor 14, 14, 2, 25 -+ vpermxor 15, 15, 3, 25 -+ vpermxor 28, 28, 16, 25 -+ vpermxor 29, 29, 17, 25 -+ vpermxor 30, 30, 18, 25 -+ vpermxor 31, 31, 19, 25 -+ xxlor 32+25, 0, 0 -+ vadduwm 8, 8, 12 -+ vadduwm 9, 9, 13 -+ vadduwm 10, 10, 14 -+ vadduwm 11, 11, 15 -+ vadduwm 24, 24, 28 -+ vadduwm 25, 25, 29 -+ vadduwm 26, 26, 30 -+ vadduwm 27, 27, 31 -+ xxlor 0, 32+28, 32+28 -+ xxlor 32+28, 23, 23 -+ vxor 4, 4, 8 -+ vxor 5, 5, 9 -+ 
vxor 6, 6, 10 -+ vxor 7, 7, 11 -+ vxor 20, 20, 24 -+ vxor 21, 21, 25 -+ vxor 22, 22, 26 -+ vxor 23, 23, 27 -+ vrlw 4, 4, 28 # -+ vrlw 5, 5, 28 -+ vrlw 6, 6, 28 -+ vrlw 7, 7, 28 -+ vrlw 20, 20, 28 # -+ vrlw 21, 21, 28 -+ vrlw 22, 22, 28 -+ vrlw 23, 23, 28 -+ xxlor 32+28, 0, 0 -+ -+ # QR(v0, v5, v10, v15, v1, v6, v11, v12, v2, v7, v8, v13, v3, v4, v9, v14) -+ xxlor 0, 32+25, 32+25 -+ xxlor 32+25, 20, 20 -+ vadduwm 0, 0, 5 -+ vadduwm 1, 1, 6 -+ vadduwm 2, 2, 7 -+ vadduwm 3, 3, 4 -+ vadduwm 16, 16, 21 -+ vadduwm 17, 17, 22 -+ vadduwm 18, 18, 23 -+ vadduwm 19, 19, 20 -+ -+ vpermxor 15, 15, 0, 25 -+ vpermxor 12, 12, 1, 25 -+ vpermxor 13, 13, 2, 25 -+ vpermxor 14, 14, 3, 25 -+ vpermxor 31, 31, 16, 25 -+ vpermxor 28, 28, 17, 25 -+ vpermxor 29, 29, 18, 25 -+ vpermxor 30, 30, 19, 25 -+ -+ xxlor 32+25, 0, 0 -+ vadduwm 10, 10, 15 -+ vadduwm 11, 11, 12 -+ vadduwm 8, 8, 13 -+ vadduwm 9, 9, 14 -+ vadduwm 26, 26, 31 -+ vadduwm 27, 27, 28 -+ vadduwm 24, 24, 29 -+ vadduwm 25, 25, 30 -+ vxor 5, 5, 10 -+ vxor 6, 6, 11 -+ vxor 7, 7, 8 -+ vxor 4, 4, 9 -+ vxor 21, 21, 26 -+ vxor 22, 22, 27 -+ vxor 23, 23, 24 -+ vxor 20, 20, 25 -+ -+ xxlor 0, 32+25, 32+25 -+ xxlor 32+25, 21, 21 -+ vrlw 5, 5, 25 -+ vrlw 6, 6, 25 -+ vrlw 7, 7, 25 -+ vrlw 4, 4, 25 -+ vrlw 21, 21, 25 -+ vrlw 22, 22, 25 -+ vrlw 23, 23, 25 -+ vrlw 20, 20, 25 -+ xxlor 32+25, 0, 0 -+ -+ vadduwm 0, 0, 5 -+ vadduwm 1, 1, 6 -+ vadduwm 2, 2, 7 -+ vadduwm 3, 3, 4 -+ vadduwm 16, 16, 21 -+ vadduwm 17, 17, 22 -+ vadduwm 18, 18, 23 -+ vadduwm 19, 19, 20 -+ -+ xxlor 0, 32+25, 32+25 -+ xxlor 32+25, 22, 22 -+ vpermxor 15, 15, 0, 25 -+ vpermxor 12, 12, 1, 25 -+ vpermxor 13, 13, 2, 25 -+ vpermxor 14, 14, 3, 25 -+ vpermxor 31, 31, 16, 25 -+ vpermxor 28, 28, 17, 25 -+ vpermxor 29, 29, 18, 25 -+ vpermxor 30, 30, 19, 25 -+ xxlor 32+25, 0, 0 -+ -+ vadduwm 10, 10, 15 -+ vadduwm 11, 11, 12 -+ vadduwm 8, 8, 13 -+ vadduwm 9, 9, 14 -+ vadduwm 26, 26, 31 -+ vadduwm 27, 27, 28 -+ vadduwm 24, 24, 29 -+ vadduwm 25, 25, 30 -+ -+ xxlor 0, 32+28, 32+28 -+ 
xxlor 32+28, 23, 23 -+ vxor 5, 5, 10 -+ vxor 6, 6, 11 -+ vxor 7, 7, 8 -+ vxor 4, 4, 9 -+ vxor 21, 21, 26 -+ vxor 22, 22, 27 -+ vxor 23, 23, 24 -+ vxor 20, 20, 25 -+ vrlw 5, 5, 28 -+ vrlw 6, 6, 28 -+ vrlw 7, 7, 28 -+ vrlw 4, 4, 28 -+ vrlw 21, 21, 28 -+ vrlw 22, 22, 28 -+ vrlw 23, 23, 28 -+ vrlw 20, 20, 28 -+ xxlor 32+28, 0, 0 -+.endm -+ -+.macro QT_loop_4x -+ # QR(v0, v4, v8, v12, v1, v5, v9, v13, v2, v6, v10, v14, v3, v7, v11, v15) -+ vadduwm 0, 0, 4 -+ vadduwm 1, 1, 5 -+ vadduwm 2, 2, 6 -+ vadduwm 3, 3, 7 -+ vpermxor 12, 12, 0, 20 -+ vpermxor 13, 13, 1, 20 -+ vpermxor 14, 14, 2, 20 -+ vpermxor 15, 15, 3, 20 -+ vadduwm 8, 8, 12 -+ vadduwm 9, 9, 13 -+ vadduwm 10, 10, 14 -+ vadduwm 11, 11, 15 -+ vxor 4, 4, 8 -+ vxor 5, 5, 9 -+ vxor 6, 6, 10 -+ vxor 7, 7, 11 -+ vrlw 4, 4, 21 -+ vrlw 5, 5, 21 -+ vrlw 6, 6, 21 -+ vrlw 7, 7, 21 -+ vadduwm 0, 0, 4 -+ vadduwm 1, 1, 5 -+ vadduwm 2, 2, 6 -+ vadduwm 3, 3, 7 -+ vpermxor 12, 12, 0, 22 -+ vpermxor 13, 13, 1, 22 -+ vpermxor 14, 14, 2, 22 -+ vpermxor 15, 15, 3, 22 -+ vadduwm 8, 8, 12 -+ vadduwm 9, 9, 13 -+ vadduwm 10, 10, 14 -+ vadduwm 11, 11, 15 -+ vxor 4, 4, 8 -+ vxor 5, 5, 9 -+ vxor 6, 6, 10 -+ vxor 7, 7, 11 -+ vrlw 4, 4, 23 -+ vrlw 5, 5, 23 -+ vrlw 6, 6, 23 -+ vrlw 7, 7, 23 -+ -+ # QR(v0, v5, v10, v15, v1, v6, v11, v12, v2, v7, v8, v13, v3, v4, v9, v14) -+ vadduwm 0, 0, 5 -+ vadduwm 1, 1, 6 -+ vadduwm 2, 2, 7 -+ vadduwm 3, 3, 4 -+ vpermxor 15, 15, 0, 20 -+ vpermxor 12, 12, 1, 20 -+ vpermxor 13, 13, 2, 20 -+ vpermxor 14, 14, 3, 20 -+ vadduwm 10, 10, 15 -+ vadduwm 11, 11, 12 -+ vadduwm 8, 8, 13 -+ vadduwm 9, 9, 14 -+ vxor 5, 5, 10 -+ vxor 6, 6, 11 -+ vxor 7, 7, 8 -+ vxor 4, 4, 9 -+ vrlw 5, 5, 21 -+ vrlw 6, 6, 21 -+ vrlw 7, 7, 21 -+ vrlw 4, 4, 21 -+ vadduwm 0, 0, 5 -+ vadduwm 1, 1, 6 -+ vadduwm 2, 2, 7 -+ vadduwm 3, 3, 4 -+ vpermxor 15, 15, 0, 22 -+ vpermxor 12, 12, 1, 22 -+ vpermxor 13, 13, 2, 22 -+ vpermxor 14, 14, 3, 22 -+ vadduwm 10, 10, 15 -+ vadduwm 11, 11, 12 -+ vadduwm 8, 8, 13 -+ vadduwm 9, 9, 14 -+ vxor 5, 5, 10 -+ vxor 
6, 6, 11 -+ vxor 7, 7, 8 -+ vxor 4, 4, 9 -+ vrlw 5, 5, 23 -+ vrlw 6, 6, 23 -+ vrlw 7, 7, 23 -+ vrlw 4, 4, 23 -+.endm -+ -+# Transpose -+.macro TP_4x a0 a1 a2 a3 -+ xxmrghw 10, 32+\a0, 32+\a1 # a0, a1, b0, b1 -+ xxmrghw 11, 32+\a2, 32+\a3 # a2, a3, b2, b3 -+ xxmrglw 12, 32+\a0, 32+\a1 # c0, c1, d0, d1 -+ xxmrglw 13, 32+\a2, 32+\a3 # c2, c3, d2, d3 -+ xxpermdi 32+\a0, 10, 11, 0 # a0, a1, a2, a3 -+ xxpermdi 32+\a1, 10, 11, 3 # b0, b1, b2, b3 -+ xxpermdi 32+\a2, 12, 13, 0 # c0, c1, c2, c3 -+ xxpermdi 32+\a3, 12, 13, 3 # d0, d1, d2, d3 -+.endm -+ -+# key stream = working state + state -+.macro Add_state S -+ vadduwm \S+0, \S+0, 16-\S -+ vadduwm \S+4, \S+4, 17-\S -+ vadduwm \S+8, \S+8, 18-\S -+ vadduwm \S+12, \S+12, 19-\S -+ -+ vadduwm \S+1, \S+1, 16-\S -+ vadduwm \S+5, \S+5, 17-\S -+ vadduwm \S+9, \S+9, 18-\S -+ vadduwm \S+13, \S+13, 19-\S -+ -+ vadduwm \S+2, \S+2, 16-\S -+ vadduwm \S+6, \S+6, 17-\S -+ vadduwm \S+10, \S+10, 18-\S -+ vadduwm \S+14, \S+14, 19-\S -+ -+ vadduwm \S+3, \S+3, 16-\S -+ vadduwm \S+7, \S+7, 17-\S -+ vadduwm \S+11, \S+11, 18-\S -+ vadduwm \S+15, \S+15, 19-\S -+.endm -+ -+# -+# write 256 bytes -+# -+.macro Write_256 S -+ add 9, 14, 5 -+ add 16, 14, 4 -+ lxvw4x 0, 0, 9 -+ lxvw4x 1, 17, 9 -+ lxvw4x 2, 18, 9 -+ lxvw4x 3, 19, 9 -+ lxvw4x 4, 20, 9 -+ lxvw4x 5, 21, 9 -+ lxvw4x 6, 22, 9 -+ lxvw4x 7, 23, 9 -+ lxvw4x 8, 24, 9 -+ lxvw4x 9, 25, 9 -+ lxvw4x 10, 26, 9 -+ lxvw4x 11, 27, 9 -+ lxvw4x 12, 28, 9 -+ lxvw4x 13, 29, 9 -+ lxvw4x 14, 30, 9 -+ lxvw4x 15, 31, 9 -+ -+ xxlxor \S+32, \S+32, 0 -+ xxlxor \S+36, \S+36, 1 -+ xxlxor \S+40, \S+40, 2 -+ xxlxor \S+44, \S+44, 3 -+ xxlxor \S+33, \S+33, 4 -+ xxlxor \S+37, \S+37, 5 -+ xxlxor \S+41, \S+41, 6 -+ xxlxor \S+45, \S+45, 7 -+ xxlxor \S+34, \S+34, 8 -+ xxlxor \S+38, \S+38, 9 -+ xxlxor \S+42, \S+42, 10 -+ xxlxor \S+46, \S+46, 11 -+ xxlxor \S+35, \S+35, 12 -+ xxlxor \S+39, \S+39, 13 -+ xxlxor \S+43, \S+43, 14 -+ xxlxor \S+47, \S+47, 15 -+ -+ stxvw4x \S+32, 0, 16 -+ stxvw4x \S+36, 17, 16 -+ stxvw4x \S+40, 18, 16 -+ 
stxvw4x \S+44, 19, 16 -+ -+ stxvw4x \S+33, 20, 16 -+ stxvw4x \S+37, 21, 16 -+ stxvw4x \S+41, 22, 16 -+ stxvw4x \S+45, 23, 16 -+ -+ stxvw4x \S+34, 24, 16 -+ stxvw4x \S+38, 25, 16 -+ stxvw4x \S+42, 26, 16 -+ stxvw4x \S+46, 27, 16 -+ -+ stxvw4x \S+35, 28, 16 -+ stxvw4x \S+39, 29, 16 -+ stxvw4x \S+43, 30, 16 -+ stxvw4x \S+47, 31, 16 -+ -+.endm -+ -+# -+# unsigned int _gcry_chacha20_p10le_8x(u32 *state, byte *dst, const byte *src, size_t len); -+# -+.global _gcry_chacha20_p10le_8x -+.align 5 -+_gcry_chacha20_p10le_8x: -+ cmpdi 6, 512 -+ blt Out_no_chacha -+ -+ stdu 1,-1024(1) -+ mflr 0 -+ -+ std 14,112(1) -+ std 15,120(1) -+ std 16,128(1) -+ std 17,136(1) -+ std 18,144(1) -+ std 19,152(1) -+ std 20,160(1) -+ std 21,168(1) -+ std 22,176(1) -+ std 23,184(1) -+ std 24,192(1) -+ std 25,200(1) -+ std 26,208(1) -+ std 27,216(1) -+ std 28,224(1) -+ std 29,232(1) -+ std 30,240(1) -+ std 31,248(1) -+ std 0, 1040(1) -+ -+ li 17, 16 -+ li 18, 32 -+ li 19, 48 -+ li 20, 64 -+ li 21, 80 -+ li 22, 96 -+ li 23, 112 -+ li 24, 128 -+ li 25, 144 -+ li 26, 160 -+ li 27, 176 -+ li 28, 192 -+ li 29, 208 -+ li 30, 224 -+ li 31, 240 -+ addi 9, 1, 256 -+ stvx 20, 0, 9 -+ stvx 21, 17, 9 -+ stvx 22, 18, 9 -+ stvx 23, 19, 9 -+ stvx 24, 20, 9 -+ stvx 25, 21, 9 -+ stvx 26, 22, 9 -+ stvx 27, 23, 9 -+ stvx 28, 24, 9 -+ stvx 29, 25, 9 -+ stvx 30, 26, 9 -+ stvx 31, 27, 9 -+ -+ add 9, 9, 27 -+ addi 14, 17, 16 -+ stxvx 14, 14, 9 -+ addi 14, 14, 16 -+ stxvx 15, 14, 9 -+ addi 14, 14, 16 -+ stxvx 16, 14, 9 -+ addi 14, 14, 16 -+ stxvx 17, 14, 9 -+ addi 14, 14, 16 -+ stxvx 18, 14, 9 -+ addi 14, 14, 16 -+ stxvx 19, 14, 9 -+ addi 14, 14, 16 -+ stxvx 20, 14, 9 -+ addi 14, 14, 16 -+ stxvx 21, 14, 9 -+ addi 14, 14, 16 -+ stxvx 22, 14, 9 -+ addi 14, 14, 16 -+ stxvx 23, 14, 9 -+ addi 14, 14, 16 -+ stxvx 24, 14, 9 -+ addi 14, 14, 16 -+ stxvx 25, 14, 9 -+ addi 14, 14, 16 -+ stxvx 26, 14, 9 -+ addi 14, 14, 16 -+ stxvx 27, 14, 9 -+ addi 14, 14, 16 -+ stxvx 28, 14, 9 -+ addi 14, 14, 16 -+ stxvx 29, 14, 9 -+ addi 14, 14, 
16 -+ stxvx 30, 14, 9 -+ addi 14, 14, 16 -+ stxvx 31, 14, 9 -+ -+ mr 15, 6 # len -+ li 14, 0 # offset to inp and outp -+ -+ ld 10, sigma@got(2) -+ -+ lxvw4x 48, 0, 3 # vr16, constants -+ lxvw4x 49, 17, 3 # vr17, key 1 -+ lxvw4x 50, 18, 3 # vr18, key 2 -+ lxvw4x 51, 19, 3 # vr19, counter, nonce -+ -+ lxvw4x 62, 19, 10 # vr30, 4 -+ -+ vspltisw 21, 12 -+ vspltisw 23, 7 -+ -+ ld 11, permx@got(2) -+ lxvw4x 32+20, 0, 11 -+ lxvw4x 32+22, 17, 11 -+ -+ li 8, 10 -+ mtctr 8 -+ -+ xxlor 16, 48, 48 -+ xxlor 17, 49, 49 -+ xxlor 18, 50, 50 -+ xxlor 19, 51, 51 -+ -+ vspltisw 25, 4 -+ vspltisw 26, 8 -+ -+ xxlor 16, 48, 48 -+ xxlor 17, 49, 49 -+ xxlor 18, 50, 50 -+ xxlor 19, 51, 51 -+ -+ xxlor 25, 32+26, 32+26 -+ xxlor 24, 32+25, 32+25 -+ -+ vadduwm 31, 30, 25 # (0, 1, 2, 3) + (4, 4, 4, 4) -+ xxlor 30, 32+30, 32+30 -+ xxlor 31, 32+31, 32+31 -+ -+ xxlor 20, 32+20, 32+20 -+ xxlor 21, 32+21, 32+21 -+ xxlor 22, 32+22, 32+22 -+ xxlor 23, 32+23, 32+23 -+ -+Loop_8x: -+ lvx 0, 20, 10 -+ lvx 1, 21, 10 -+ lvx 2, 22, 10 -+ lvx 3, 23, 10 -+ xxspltw 32+4, 17, 0 -+ xxspltw 32+5, 17, 1 -+ xxspltw 32+6, 17, 2 -+ xxspltw 32+7, 17, 3 -+ xxspltw 32+8, 18, 0 -+ xxspltw 32+9, 18, 1 -+ xxspltw 32+10, 18, 2 -+ xxspltw 32+11, 18, 3 -+ xxspltw 32+12, 19, 0 -+ xxspltw 32+13, 19, 1 -+ xxspltw 32+14, 19, 2 -+ xxspltw 32+15, 19, 3 -+ vadduwm 12, 12, 30 # increase counter -+ -+ lvx 16, 20, 10 -+ lvx 17, 21, 10 -+ lvx 18, 22, 10 -+ lvx 19, 23, 10 -+ xxspltw 32+20, 17, 0 -+ xxspltw 32+21, 17, 1 -+ xxspltw 32+22, 17, 2 -+ xxspltw 32+23, 17, 3 -+ xxspltw 32+24, 18, 0 -+ xxspltw 32+25, 18, 1 -+ xxspltw 32+26, 18, 2 -+ xxspltw 32+27, 18, 3 -+ xxspltw 32+28, 19, 0 -+ xxspltw 32+29, 19, 1 -+ vadduwm 28, 28, 31 # increase counter -+ xxspltw 32+30, 19, 2 -+ xxspltw 32+31, 19, 3 -+ -+.align 5 -+quarter_loop_8x: -+ QT_loop_8x -+ -+ bdnz quarter_loop_8x -+ -+ xxlor 0, 32+30, 32+30 -+ xxlor 32+30, 30, 30 -+ vadduwm 12, 12, 30 -+ xxlor 32+30, 0, 0 -+ TP_4x 0, 1, 2, 3 -+ TP_4x 4, 5, 6, 7 -+ TP_4x 8, 9, 10, 11 -+ TP_4x 12, 13, 
14, 15 -+ -+ xxlor 0, 48, 48 -+ xxlor 1, 49, 49 -+ xxlor 2, 50, 50 -+ xxlor 3, 51, 51 -+ xxlor 48, 16, 16 -+ xxlor 49, 17, 17 -+ xxlor 50, 18, 18 -+ xxlor 51, 19, 19 -+ Add_state 0 -+ xxlor 48, 0, 0 -+ xxlor 49, 1, 1 -+ xxlor 50, 2, 2 -+ xxlor 51, 3, 3 -+ Write_256 0 -+ addi 14, 14, 256 -+ addi 15, 15, -256 -+ -+ xxlor 5, 32+31, 32+31 -+ xxlor 32+31, 31, 31 -+ vadduwm 28, 28, 31 -+ xxlor 32+31, 5, 5 -+ TP_4x 16+0, 16+1, 16+2, 16+3 -+ TP_4x 16+4, 16+5, 16+6, 16+7 -+ TP_4x 16+8, 16+9, 16+10, 16+11 -+ TP_4x 16+12, 16+13, 16+14, 16+15 -+ -+ xxlor 32, 16, 16 -+ xxlor 33, 17, 17 -+ xxlor 34, 18, 18 -+ xxlor 35, 19, 19 -+ Add_state 16 -+ Write_256 16 -+ addi 14, 14, 256 -+ addi 15, 15, -256 -+ -+ # should update counter before out? -+ xxlor 32+24, 24, 24 -+ xxlor 32+25, 25, 25 -+ xxlor 32+30, 30, 30 -+ vadduwm 30, 30, 25 -+ vadduwm 31, 30, 24 -+ xxlor 30, 32+30, 32+30 -+ xxlor 31, 32+31, 32+31 -+ -+ cmpdi 15, 0 -+ beq Out_loop -+ -+ cmpdi 15, 512 -+ blt Loop_last -+ -+ mtctr 8 -+ b Loop_8x -+ -+Loop_last: -+ lxvw4x 48, 0, 3 # vr16, constants -+ lxvw4x 49, 17, 3 # vr17, key 1 -+ lxvw4x 50, 18, 3 # vr18, key 2 -+ lxvw4x 51, 19, 3 # vr19, counter, nonce -+ -+ vspltisw 21, 12 -+ vspltisw 23, 7 -+ lxvw4x 32+20, 0, 11 -+ lxvw4x 32+22, 17, 11 -+ -+ li 8, 10 -+ mtctr 8 -+ -+Loop_4x: -+ lvx 0, 20, 10 -+ lvx 1, 21, 10 -+ lvx 2, 22, 10 -+ lvx 3, 23, 10 -+ vspltw 4, 17, 0 -+ vspltw 5, 17, 1 -+ vspltw 6, 17, 2 -+ vspltw 7, 17, 3 -+ vspltw 8, 18, 0 -+ vspltw 9, 18, 1 -+ vspltw 10, 18, 2 -+ vspltw 11, 18, 3 -+ vspltw 12, 19, 0 -+ vadduwm 12, 12, 30 # increase counter -+ vspltw 13, 19, 1 -+ vspltw 14, 19, 2 -+ vspltw 15, 19, 3 -+ -+.align 5 -+quarter_loop: -+ QT_loop_4x -+ -+ bdnz quarter_loop -+ -+ vadduwm 12, 12, 30 -+ TP_4x 0, 1, 2, 3 -+ TP_4x 4, 5, 6, 7 -+ TP_4x 8, 9, 10, 11 -+ TP_4x 12, 13, 14, 15 -+ -+ Add_state 0 -+ Write_256 0 -+ addi 14, 14, 256 -+ addi 15, 15, -256 -+ -+ # Update state counter -+ vspltisw 25, 4 -+ vadduwm 30, 30, 25 -+ -+ cmpdi 15, 0 -+ beq Out_loop -+ -+ mtctr 
8 -+ b Loop_4x -+ -+Out_loop: -+ # -+ # Update state counter -+ # -+ vspltisb 16, -1 # first 16 bytes - 0xffff...ff -+ vspltisb 17, 0 # second 16 bytes - 0x0000...00 -+ vsldoi 18, 16, 17, 12 -+ vand 18, 18, 30 -+ xxlor 32+19, 19, 19 -+ vadduwm 18, 19, 18 -+ stxvw4x 32+18, 19, 3 -+ li 3, 0 -+ -+ addi 9, 1, 256 -+ lvx 20, 0, 9 -+ lvx 21, 17, 9 -+ lvx 22, 18, 9 -+ lvx 23, 19, 9 -+ lvx 24, 20, 9 -+ lvx 25, 21, 9 -+ lvx 26, 22, 9 -+ lvx 27, 23, 9 -+ lvx 28, 24, 9 -+ lvx 29, 25, 9 -+ lvx 30, 26, 9 -+ lvx 31, 27, 9 -+ -+ add 9, 9, 27 -+ addi 14, 17, 16 -+ lxvx 14, 14, 9 -+ addi 14, 14, 16 -+ lxvx 15, 14, 9 -+ addi 14, 14, 16 -+ lxvx 16, 14, 9 -+ addi 14, 14, 16 -+ lxvx 17, 14, 9 -+ addi 14, 14, 16 -+ lxvx 18, 14, 9 -+ addi 14, 14, 16 -+ lxvx 19, 14, 9 -+ addi 14, 14, 16 -+ lxvx 20, 14, 9 -+ addi 14, 14, 16 -+ lxvx 21, 14, 9 -+ addi 14, 14, 16 -+ lxvx 22, 14, 9 -+ addi 14, 14, 16 -+ lxvx 23, 14, 9 -+ addi 14, 14, 16 -+ lxvx 24, 14, 9 -+ addi 14, 14, 16 -+ lxvx 25, 14, 9 -+ addi 14, 14, 16 -+ lxvx 26, 14, 9 -+ addi 14, 14, 16 -+ lxvx 27, 14, 9 -+ addi 14, 14, 16 -+ lxvx 28, 14, 9 -+ addi 14, 14, 16 -+ lxvx 29, 14, 9 -+ addi 14, 14, 16 -+ lxvx 30, 14, 9 -+ addi 14, 14, 16 -+ lxvx 31, 14, 9 -+ -+ ld 0, 1040(1) -+ ld 14,112(1) -+ ld 15,120(1) -+ ld 16,128(1) -+ ld 17,136(1) -+ ld 18,144(1) -+ ld 19,152(1) -+ ld 20,160(1) -+ ld 21,168(1) -+ ld 22,176(1) -+ ld 23,184(1) -+ ld 24,192(1) -+ ld 25,200(1) -+ ld 26,208(1) -+ ld 27,216(1) -+ ld 28,224(1) -+ ld 29,232(1) -+ ld 30,240(1) -+ ld 31,248(1) -+ -+ mtlr 0 -+ addi 1, 1, 1024 -+ blr -+ -+Out_no_chacha: -+ li 3, 0 -+ blr -+ -+.data -+.align 4 -+sigma: -+.long 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 -+.long 0x0c0d0e0f, 0x08090a0b, 0x04050607, 0x00010203 -+.long 1, 0, 0, 0 -+.long 0, 1, 2, 3 -+.long 0x61707865, 0x61707865, 0x61707865, 0x61707865 -+.long 0x3320646e, 0x3320646e, 0x3320646e, 0x3320646e -+.long 0x79622d32, 0x79622d32, 0x79622d32, 0x79622d32 -+.long 0x6b206574, 0x6b206574, 0x6b206574, 0x6b206574 -+permx: -+.long 
0x22330011, 0x66774455, 0xaabb8899, 0xeeffccdd
-+.long 0x11223300, 0x55667744, 0x99aabb88, 0xddeeffcc
-Index: libgcrypt-1.10.2/cipher/chacha20.c
-===================================================================
---- libgcrypt-1.10.2.orig/cipher/chacha20.c
-+++ libgcrypt-1.10.2/cipher/chacha20.c
-@@ -125,6 +125,7 @@ typedef struct CHACHA20_context_s
- unsigned int use_avx2:1;
- unsigned int use_neon:1;
- unsigned int use_ppc:1;
-+ unsigned int use_p10:1;
- unsigned int use_s390x:1;
- } CHACHA20_context_t;
-
-@@ -163,6 +164,12 @@ unsigned int _gcry_chacha20_poly1305_amd
-
- #ifdef USE_PPC_VEC
-
-+#ifndef WORDS_BIGENDIAN
-+unsigned int _gcry_chacha20_p10le_8x(u32 *state, byte *dst,
-+ const byte *src,
-+ size_t len);
-+#endif
-+
- unsigned int _gcry_chacha20_ppc8_blocks4(u32 *state, byte *dst,
- const byte *src,
- size_t nblks);
-@@ -475,6 +482,9 @@ chacha20_do_setkey (CHACHA20_context_t *
- #endif
- #ifdef USE_PPC_VEC
- ctx->use_ppc = (features & HWF_PPC_ARCH_2_07) != 0;
-+# ifndef WORDS_BIGENDIAN
-+ ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0;
-+# endif
- #endif
- #ifdef USE_S390X_VX
- ctx->use_s390x = (features & HWF_S390X_VX) != 0;
-@@ -571,7 +581,22 @@ do_chacha20_encrypt_stream_tail (CHACHA2
- {
- size_t nblocks = length / CHACHA20_BLOCK_SIZE;
- nblocks -= nblocks % 4;
-- nburn = _gcry_chacha20_ppc8_blocks4(ctx->input, outbuf, inbuf, nblocks);
-+#ifndef WORDS_BIGENDIAN
-+ /*
-+ * A workaround to skip counter overflow. This is rare.
-+ */
-+ if (ctx->use_p10 && nblocks >= 8
-+ && ((u64)ctx->input[12] + nblocks) <= 0xffffffffU)
-+ {
-+ size_t len = nblocks * CHACHA20_BLOCK_SIZE;
-+ nburn = _gcry_chacha20_p10le_8x(ctx->input, outbuf, inbuf, len);
-+ }
-+ else
-+#endif
-+ {
-+ nburn = _gcry_chacha20_ppc8_blocks4(ctx->input, outbuf, inbuf,
-+ nblocks);
-+ }
- burn = nburn > burn ? nburn : burn;
- length -= nblocks * CHACHA20_BLOCK_SIZE;
- outbuf += nblocks * CHACHA20_BLOCK_SIZE;
-@@ -760,6 +785,11 @@ _gcry_chacha20_poly1305_encrypt(gcry_cip
- }
- #endif
- #ifdef USE_PPC_VEC_POLY1305
-+ else if (ctx->use_ppc && ctx->use_p10)
-+ {
-+ /* Skip stitched chacha20-poly1305 for P10. */
-+ authptr = NULL;
-+ }
- else if (ctx->use_ppc && length >= CHACHA20_BLOCK_SIZE * 4)
- {
- nburn = _gcry_chacha20_ppc8_blocks4(ctx->input, outbuf, inbuf, 4);
-@@ -998,6 +1028,7 @@ _gcry_chacha20_poly1305_decrypt(gcry_cip
- {
- CHACHA20_context_t *ctx = (void *) &c->context.c;
- unsigned int nburn, burn = 0;
-+ int skip_stitched = 0;
-
- if (!length)
- return 0;
-@@ -1049,6 +1080,13 @@ _gcry_chacha20_poly1305_decrypt(gcry_cip
- inbuf += nblocks * CHACHA20_BLOCK_SIZE;
- }
- #endif
-+#ifdef USE_PPC_VEC_POLY1305
-+ if (ctx->use_ppc && ctx->use_p10)
-+ {
-+ /* Skip stitched chacha20-poly1305 for P10. */
-+ skip_stitched = 1;
-+ }
-+#endif
-
- #ifdef USE_SSSE3
- if (ctx->use_ssse3)
-@@ -1102,7 +1140,8 @@ _gcry_chacha20_poly1305_decrypt(gcry_cip
- #endif
-
- #ifdef USE_PPC_VEC_POLY1305
-- if (ctx->use_ppc && length >= 4 * CHACHA20_BLOCK_SIZE)
-+ /* skip stitch for p10 */
-+ if (!skip_stitched && ctx->use_ppc && length >= 4 * CHACHA20_BLOCK_SIZE)
- {
- size_t nblocks = length / CHACHA20_BLOCK_SIZE;
- nblocks -= nblocks % 4;
-Index: libgcrypt-1.10.2/cipher/poly1305-internal.h
-===================================================================
---- libgcrypt-1.10.2.orig/cipher/poly1305-internal.h
-+++ libgcrypt-1.10.2/cipher/poly1305-internal.h
-@@ -33,6 +33,17 @@
- #define POLY1305_KEYLEN 32
- #define POLY1305_BLOCKSIZE 16
-
-+/* POLY1305_USE_PPC_VEC indicates whether to enable PowerPC vector code. */
-+#undef POLY1305_USE_PPC_VEC
-+#ifdef ENABLE_PPC_CRYPTO_SUPPORT
-+# if defined(HAVE_COMPATIBLE_CC_PPC_ALTIVEC) && \
-+ defined(HAVE_GCC_INLINE_ASM_PPC_ALTIVEC) && \
-+ !defined(WORDS_BIGENDIAN)
-+# if __GNUC__ >= 4
-+# define POLY1305_USE_PPC_VEC 1
-+# endif
-+# endif
-+#endif
-
- typedef struct
- {
-@@ -46,6 +57,9 @@ typedef struct poly1305_context_s
- POLY1305_STATE state;
- byte buffer[POLY1305_BLOCKSIZE];
- unsigned int leftover;
-+#ifdef POLY1305_USE_PPC_VEC
-+ unsigned int use_p10:1;
-+#endif
- } poly1305_context_t;
-
-
-Index: libgcrypt-1.10.2/cipher/poly1305-p10le.s
-===================================================================
---- /dev/null
-+++ libgcrypt-1.10.2/cipher/poly1305-p10le.s
-@@ -0,0 +1,841 @@
-+# Copyright 2021- IBM Inc. All rights reserved
-+#
-+# This file is part of Libgcrypt.
-+#
-+# Libgcrypt is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU Lesser General Public License as
-+# published by the Free Software Foundation; either version 2.1 of
-+# the License, or (at your option) any later version.
-+#
-+# Libgcrypt is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU Lesser General Public License for more details.
-+#
-+# You should have received a copy of the GNU Lesser General Public
-+# License along with this program; if not, see .
-+#
-+#===================================================================================
-+# Written by Danny Tsen
-+#
-+# Poly1305 - this version mainly using vector/VSX/Scalar
-+# - 26 bits limbs
-+# - Handle multiple 64 byte blcoks but need at least 2 64 bytes block
-+#
-+# Improve performance by breaking down polynominal to the sum of products with
-+# h4 = m1 * r⁴ + m2 * r³ + m3 * r² + m4 * r
-+#
-+# 07/22/21 - this revison based on the above sum of products.
Setup r^4, r^3, r^2, r and s3, s2, s1, s0 -+# to 9 vectors for multiplications. -+# -+# setup r^4, r^3, r^2, r vectors -+# vs [r^1, r^3, r^2, r^4] -+# vs0 = [r0,.....] -+# vs1 = [r1,.....] -+# vs2 = [r2,.....] -+# vs3 = [r3,.....] -+# vs4 = [r4,.....] -+# vs5 = [r1*5,...] -+# vs6 = [r2*5,...] -+# vs7 = [r2*5,...] -+# vs8 = [r4*5,...] -+# -+# Each word in a vector consists a member of a "r/s" in [a * r/s]. -+# -+# r0, r4*5, r3*5, r2*5, r1*5; -+# r1, r0, r4*5, r3*5, r2*5; -+# r2, r1, r0, r4*5, r3*5; -+# r3, r2, r1, r0, r4*5; -+# r4, r3, r2, r1, r0 ; -+# -+# -+# gcry_poly1305_p10le_4blocks( uint8_t *k, uint32_t mlen, uint8_t *m) -+# k = 32 bytes key -+# r3 = k (r, s) -+# r4 = mlen -+# r5 = m -+# -+.text -+ -+# Block size 16 bytes -+# key = (r, s) -+# clamp r &= 0x0FFFFFFC0FFFFFFC 0x0FFFFFFC0FFFFFFF -+# p = 2^130 - 5 -+# a += m -+# a = (r + a) % p -+# a += s -+# 16 bytes (a) -+# -+# p[0] = a0*r0 + a1*r4*5 + a2*r3*5 + a3*r2*5 + a4*r1*5; -+# p[1] = a0*r1 + a1*r0 + a2*r4*5 + a3*r3*5 + a4*r2*5; -+# p[2] = a0*r2 + a1*r1 + a2*r0 + a3*r4*5 + a4*r3*5; -+# p[3] = a0*r3 + a1*r2 + a2*r1 + a3*r0 + a4*r4*5; -+# p[4] = a0*r4 + a1*r3 + a2*r2 + a3*r1 + a4*r0 ; -+# -+# [r^2, r^3, r^1, r^4] -+# [m3, m2, m4, m1] -+# -+# multiply odd and even words -+.macro mul_odd -+ vmulouw 14, 4, 26 -+ vmulouw 10, 5, 3 -+ vmulouw 11, 6, 2 -+ vmulouw 12, 7, 1 -+ vmulouw 13, 8, 0 -+ vmulouw 15, 4, 27 -+ vaddudm 14, 14, 10 -+ vaddudm 14, 14, 11 -+ vmulouw 10, 5, 26 -+ vmulouw 11, 6, 3 -+ vaddudm 14, 14, 12 -+ vaddudm 14, 14, 13 # x0 -+ vaddudm 15, 15, 10 -+ vaddudm 15, 15, 11 -+ vmulouw 12, 7, 2 -+ vmulouw 13, 8, 1 -+ vaddudm 15, 15, 12 -+ vaddudm 15, 15, 13 # x1 -+ vmulouw 16, 4, 28 -+ vmulouw 10, 5, 27 -+ vmulouw 11, 6, 26 -+ vaddudm 16, 16, 10 -+ vaddudm 16, 16, 11 -+ vmulouw 12, 7, 3 -+ vmulouw 13, 8, 2 -+ vaddudm 16, 16, 12 -+ vaddudm 16, 16, 13 # x2 -+ vmulouw 17, 4, 29 -+ vmulouw 10, 5, 28 -+ vmulouw 11, 6, 27 -+ vaddudm 17, 17, 10 -+ vaddudm 17, 17, 11 -+ vmulouw 12, 7, 26 -+ vmulouw 13, 8, 3 -+ 
vaddudm 17, 17, 12 -+ vaddudm 17, 17, 13 # x3 -+ vmulouw 18, 4, 30 -+ vmulouw 10, 5, 29 -+ vmulouw 11, 6, 28 -+ vaddudm 18, 18, 10 -+ vaddudm 18, 18, 11 -+ vmulouw 12, 7, 27 -+ vmulouw 13, 8, 26 -+ vaddudm 18, 18, 12 -+ vaddudm 18, 18, 13 # x4 -+.endm -+ -+.macro mul_even -+ vmuleuw 9, 4, 26 -+ vmuleuw 10, 5, 3 -+ vmuleuw 11, 6, 2 -+ vmuleuw 12, 7, 1 -+ vmuleuw 13, 8, 0 -+ vaddudm 14, 14, 9 -+ vaddudm 14, 14, 10 -+ vaddudm 14, 14, 11 -+ vaddudm 14, 14, 12 -+ vaddudm 14, 14, 13 # x0 -+ -+ vmuleuw 9, 4, 27 -+ vmuleuw 10, 5, 26 -+ vmuleuw 11, 6, 3 -+ vmuleuw 12, 7, 2 -+ vmuleuw 13, 8, 1 -+ vaddudm 15, 15, 9 -+ vaddudm 15, 15, 10 -+ vaddudm 15, 15, 11 -+ vaddudm 15, 15, 12 -+ vaddudm 15, 15, 13 # x1 -+ -+ vmuleuw 9, 4, 28 -+ vmuleuw 10, 5, 27 -+ vmuleuw 11, 6, 26 -+ vmuleuw 12, 7, 3 -+ vmuleuw 13, 8, 2 -+ vaddudm 16, 16, 9 -+ vaddudm 16, 16, 10 -+ vaddudm 16, 16, 11 -+ vaddudm 16, 16, 12 -+ vaddudm 16, 16, 13 # x2 -+ -+ vmuleuw 9, 4, 29 -+ vmuleuw 10, 5, 28 -+ vmuleuw 11, 6, 27 -+ vmuleuw 12, 7, 26 -+ vmuleuw 13, 8, 3 -+ vaddudm 17, 17, 9 -+ vaddudm 17, 17, 10 -+ vaddudm 17, 17, 11 -+ vaddudm 17, 17, 12 -+ vaddudm 17, 17, 13 # x3 -+ -+ vmuleuw 9, 4, 30 -+ vmuleuw 10, 5, 29 -+ vmuleuw 11, 6, 28 -+ vmuleuw 12, 7, 27 -+ vmuleuw 13, 8, 26 -+ vaddudm 18, 18, 9 -+ vaddudm 18, 18, 10 -+ vaddudm 18, 18, 11 -+ vaddudm 18, 18, 12 -+ vaddudm 18, 18, 13 # x4 -+.endm -+ -+# setup r^4, r^3, r^2, r vectors -+# [r, r^3, r^2, r^4] -+# vs0 = [r0,...] -+# vs1 = [r1,...] -+# vs2 = [r2,...] -+# vs3 = [r3,...] -+# vs4 = [r4,...] -+# vs5 = [r4*5,...] -+# vs6 = [r3*5,...] -+# vs7 = [r2*5,...] -+# vs8 = [r1*5,...] 
-+# -+# r0, r4*5, r3*5, r2*5, r1*5; -+# r1, r0, r4*5, r3*5, r2*5; -+# r2, r1, r0, r4*5, r3*5; -+# r3, r2, r1, r0, r4*5; -+# r4, r3, r2, r1, r0 ; -+# -+.macro poly1305_setup_r -+ -+ # save r -+ xxlor 26, 58, 58 -+ xxlor 27, 59, 59 -+ xxlor 28, 60, 60 -+ xxlor 29, 61, 61 -+ xxlor 30, 62, 62 -+ -+ xxlxor 31, 31, 31 -+ -+# [r, r^3, r^2, r^4] -+ # compute r^2 -+ vmr 4, 26 -+ vmr 5, 27 -+ vmr 6, 28 -+ vmr 7, 29 -+ vmr 8, 30 -+ bl do_mul # r^2 r^1 -+ xxpermdi 58, 58, 36, 0x3 # r0 -+ xxpermdi 59, 59, 37, 0x3 # r1 -+ xxpermdi 60, 60, 38, 0x3 # r2 -+ xxpermdi 61, 61, 39, 0x3 # r3 -+ xxpermdi 62, 62, 40, 0x3 # r4 -+ xxpermdi 36, 36, 36, 0x3 -+ xxpermdi 37, 37, 37, 0x3 -+ xxpermdi 38, 38, 38, 0x3 -+ xxpermdi 39, 39, 39, 0x3 -+ xxpermdi 40, 40, 40, 0x3 -+ vspltisb 13, 2 -+ vsld 9, 27, 13 -+ vsld 10, 28, 13 -+ vsld 11, 29, 13 -+ vsld 12, 30, 13 -+ vaddudm 0, 9, 27 -+ vaddudm 1, 10, 28 -+ vaddudm 2, 11, 29 -+ vaddudm 3, 12, 30 -+ -+ bl do_mul # r^4 r^3 -+ vmrgow 26, 26, 4 -+ vmrgow 27, 27, 5 -+ vmrgow 28, 28, 6 -+ vmrgow 29, 29, 7 -+ vmrgow 30, 30, 8 -+ vspltisb 13, 2 -+ vsld 9, 27, 13 -+ vsld 10, 28, 13 -+ vsld 11, 29, 13 -+ vsld 12, 30, 13 -+ vaddudm 0, 9, 27 -+ vaddudm 1, 10, 28 -+ vaddudm 2, 11, 29 -+ vaddudm 3, 12, 30 -+ -+ # r^2 r^4 -+ xxlor 0, 58, 58 -+ xxlor 1, 59, 59 -+ xxlor 2, 60, 60 -+ xxlor 3, 61, 61 -+ xxlor 4, 62, 62 -+ xxlor 5, 32, 32 -+ xxlor 6, 33, 33 -+ xxlor 7, 34, 34 -+ xxlor 8, 35, 35 -+ -+ vspltw 9, 26, 3 -+ vspltw 10, 26, 2 -+ vmrgow 26, 10, 9 -+ vspltw 9, 27, 3 -+ vspltw 10, 27, 2 -+ vmrgow 27, 10, 9 -+ vspltw 9, 28, 3 -+ vspltw 10, 28, 2 -+ vmrgow 28, 10, 9 -+ vspltw 9, 29, 3 -+ vspltw 10, 29, 2 -+ vmrgow 29, 10, 9 -+ vspltw 9, 30, 3 -+ vspltw 10, 30, 2 -+ vmrgow 30, 10, 9 -+ -+ vsld 9, 27, 13 -+ vsld 10, 28, 13 -+ vsld 11, 29, 13 -+ vsld 12, 30, 13 -+ vaddudm 0, 9, 27 -+ vaddudm 1, 10, 28 -+ vaddudm 2, 11, 29 -+ vaddudm 3, 12, 30 -+.endm -+ -+do_mul: -+ mul_odd -+ -+ # do reduction ( h %= p ) -+ # carry reduction -+ vspltisb 9, 2 -+ vsrd 10, 14, 31 -+ 
vsrd 11, 17, 31 -+ vand 7, 17, 25 -+ vand 4, 14, 25 -+ vaddudm 18, 18, 11 -+ vsrd 12, 18, 31 -+ vaddudm 15, 15, 10 -+ -+ vsrd 11, 15, 31 -+ vand 8, 18, 25 -+ vand 5, 15, 25 -+ vaddudm 4, 4, 12 -+ vsld 10, 12, 9 -+ vaddudm 6, 16, 11 -+ -+ vsrd 13, 6, 31 -+ vand 6, 6, 25 -+ vaddudm 4, 4, 10 -+ vsrd 10, 4, 31 -+ vaddudm 7, 7, 13 -+ -+ vsrd 11, 7, 31 -+ vand 7, 7, 25 -+ vand 4, 4, 25 -+ vaddudm 5, 5, 10 -+ vaddudm 8, 8, 11 -+ blr -+ -+# -+# init key -+# -+do_poly1305_init: -+ ld 10, rmask@got(2) -+ ld 11, 0(10) -+ ld 12, 8(10) -+ -+ li 14, 16 -+ li 15, 32 -+ ld 10, cnum@got(2) -+ lvx 25, 0, 10 # v25 - mask -+ lvx 31, 14, 10 # v31 = 1a -+ lvx 19, 15, 10 # v19 = 1 << 24 -+ lxv 24, 48(10) # vs24 -+ lxv 25, 64(10) # vs25 -+ -+ # initialize -+ # load key from r3 to vectors -+ ld 9, 16(3) -+ ld 10, 24(3) -+ ld 11, 0(3) -+ ld 12, 8(3) -+ -+ # break 26 bits -+ extrdi 14, 9, 26, 38 -+ extrdi 15, 9, 26, 12 -+ extrdi 16, 9, 12, 0 -+ mtvsrdd 58, 0, 14 -+ insrdi 16, 10, 14, 38 -+ mtvsrdd 59, 0, 15 -+ extrdi 17, 10, 26, 24 -+ mtvsrdd 60, 0, 16 -+ extrdi 18, 10, 24, 0 -+ mtvsrdd 61, 0, 17 -+ mtvsrdd 62, 0, 18 -+ -+ # r1 = r1 * 5, r2 = r2 * 5, r3 = r3 * 5, r4 = r4 * 5 -+ li 9, 5 -+ mtvsrdd 36, 0, 9 -+ vmulouw 0, 27, 4 # v0 = rr0 -+ vmulouw 1, 28, 4 # v1 = rr1 -+ vmulouw 2, 29, 4 # v2 = rr2 -+ vmulouw 3, 30, 4 # v3 = rr3 -+ blr -+ -+# -+# gcry_poly1305_p10le_4blocks( uint8_t *k, uint32_t mlen, uint8_t *m) -+# k = 32 bytes key -+# r3 = k (r, s) -+# r4 = mlen -+# r5 = m -+# -+.global gcry_poly1305_p10le_4blocks -+.align 5 -+gcry_poly1305_p10le_4blocks: -+_gcry_poly1305_p10le_4blocks: -+ cmpdi 5, 128 -+ blt Out_no_poly1305 -+ -+ stdu 1,-1024(1) -+ mflr 0 -+ -+ std 14,112(1) -+ std 15,120(1) -+ std 16,128(1) -+ std 17,136(1) -+ std 18,144(1) -+ std 19,152(1) -+ std 20,160(1) -+ std 21,168(1) -+ std 31,248(1) -+ li 14, 256 -+ stvx 20, 14, 1 -+ addi 14, 14, 16 -+ stvx 21, 14, 1 -+ addi 14, 14, 16 -+ stvx 22, 14, 1 -+ addi 14, 14, 16 -+ stvx 23, 14, 1 -+ addi 14, 14, 16 -+ stvx 24, 14, 1 -+ 
addi 14, 14, 16 -+ stvx 25, 14, 1 -+ addi 14, 14, 16 -+ stvx 26, 14, 1 -+ addi 14, 14, 16 -+ stvx 27, 14, 1 -+ addi 14, 14, 16 -+ stvx 28, 14, 1 -+ addi 14, 14, 16 -+ stvx 29, 14, 1 -+ addi 14, 14, 16 -+ stvx 30, 14, 1 -+ addi 14, 14, 16 -+ stvx 31, 14, 1 -+ -+ addi 14, 14, 16 -+ stxvx 14, 14, 1 -+ addi 14, 14, 16 -+ stxvx 15, 14, 1 -+ addi 14, 14, 16 -+ stxvx 16, 14, 1 -+ addi 14, 14, 16 -+ stxvx 17, 14, 1 -+ addi 14, 14, 16 -+ stxvx 18, 14, 1 -+ addi 14, 14, 16 -+ stxvx 19, 14, 1 -+ addi 14, 14, 16 -+ stxvx 20, 14, 1 -+ addi 14, 14, 16 -+ stxvx 21, 14, 1 -+ addi 14, 14, 16 -+ stxvx 22, 14, 1 -+ addi 14, 14, 16 -+ stxvx 23, 14, 1 -+ addi 14, 14, 16 -+ stxvx 24, 14, 1 -+ addi 14, 14, 16 -+ stxvx 25, 14, 1 -+ addi 14, 14, 16 -+ stxvx 26, 14, 1 -+ addi 14, 14, 16 -+ stxvx 27, 14, 1 -+ addi 14, 14, 16 -+ stxvx 28, 14, 1 -+ addi 14, 14, 16 -+ stxvx 29, 14, 1 -+ addi 14, 14, 16 -+ stxvx 30, 14, 1 -+ addi 14, 14, 16 -+ stxvx 31, 14, 1 -+ std 0, 1040(1) -+ -+ bl do_poly1305_init -+ -+ li 21, 0 # counter to message -+ -+ poly1305_setup_r -+ -+ # load previous state -+ # break/convert r6 to 26 bits -+ ld 9, 32(3) -+ ld 10, 40(3) -+ lwz 19, 48(3) -+ sldi 19, 19, 24 -+ mtvsrdd 41, 0, 19 -+ extrdi 14, 9, 26, 38 -+ extrdi 15, 9, 26, 12 -+ extrdi 16, 9, 12, 0 -+ mtvsrdd 36, 0, 14 -+ insrdi 16, 10, 14, 38 -+ mtvsrdd 37, 0, 15 -+ extrdi 17, 10, 26, 24 -+ mtvsrdd 38, 0, 16 -+ extrdi 18, 10, 24, 0 -+ mtvsrdd 39, 0, 17 -+ mtvsrdd 40, 0, 18 -+ vor 8, 8, 9 -+ -+ # input m1 m2 -+ add 20, 4, 21 -+ xxlor 49, 24, 24 -+ xxlor 50, 25, 25 -+ lxvw4x 43, 0, 20 -+ addi 17, 20, 16 -+ lxvw4x 44, 0, 17 -+ vperm 14, 11, 12, 17 -+ vperm 15, 11, 12, 18 -+ vand 9, 14, 25 # a0 -+ vsrd 10, 14, 31 # >> 26 -+ vsrd 11, 10, 31 # 12 bits left -+ vand 10, 10, 25 # a1 -+ vspltisb 13, 12 -+ vand 16, 15, 25 -+ vsld 12, 16, 13 -+ vor 11, 11, 12 -+ vand 11, 11, 25 # a2 -+ vspltisb 13, 14 -+ vsrd 12, 15, 13 # >> 14 -+ vsrd 13, 12, 31 # >> 26, a4 -+ vand 12, 12, 25 # a3 -+ -+ vaddudm 20, 4, 9 -+ vaddudm 21, 5, 10 -+ 
vaddudm 22, 6, 11 -+ vaddudm 23, 7, 12 -+ vaddudm 24, 8, 13 -+ -+ # m3 m4 -+ addi 17, 17, 16 -+ lxvw4x 43, 0, 17 -+ addi 17, 17, 16 -+ lxvw4x 44, 0, 17 -+ vperm 14, 11, 12, 17 -+ vperm 15, 11, 12, 18 -+ vand 9, 14, 25 # a0 -+ vsrd 10, 14, 31 # >> 26 -+ vsrd 11, 10, 31 # 12 bits left -+ vand 10, 10, 25 # a1 -+ vspltisb 13, 12 -+ vand 16, 15, 25 -+ vsld 12, 16, 13 -+ vspltisb 13, 14 -+ vor 11, 11, 12 -+ vand 11, 11, 25 # a2 -+ vsrd 12, 15, 13 # >> 14 -+ vsrd 13, 12, 31 # >> 26, a4 -+ vand 12, 12, 25 # a3 -+ -+ # Smash 4 message blocks into 5 vectors of [m4, m2, m3, m1] -+ vmrgow 4, 9, 20 -+ vmrgow 5, 10, 21 -+ vmrgow 6, 11, 22 -+ vmrgow 7, 12, 23 -+ vmrgow 8, 13, 24 -+ vaddudm 8, 8, 19 -+ -+ addi 5, 5, -64 -+ addi 21, 21, 64 -+ -+ li 9, 64 -+ divdu 31, 5, 9 -+ -+ mtctr 31 -+ -+# h4 = m1 * r⁴ + m2 * r³ + m3 * r² + m4 * r -+# Rewrite the polynominal sum of product as follows, -+# h1 = (h0 + m1) * r^2, h2 = (h0 + m2) * r^2 -+# h3 = (h1 + m3) * r^2, h4 = (h2 + m4) * r^2 --> (h0 + m1) r*4 + (h3 + m3) r^2, (h0 + m2) r^4 + (h0 + m4) r^2 -+# .... 
Repeat -+# h5 = (h3 + m5) * r^2, h6 = (h4 + m6) * r^2 --> -+# h7 = (h5 + m7) * r^2, h8 = (h6 + m8) * r^1 --> m5 * r^4 + m6 * r^3 + m7 * r^2 + m8 * r -+# -+loop_4blocks: -+ -+ # Multiply odd words and even words -+ mul_odd -+ mul_even -+ # carry reduction -+ vspltisb 9, 2 -+ vsrd 10, 14, 31 -+ vsrd 11, 17, 31 -+ vand 7, 17, 25 -+ vand 4, 14, 25 -+ vaddudm 18, 18, 11 -+ vsrd 12, 18, 31 -+ vaddudm 15, 15, 10 -+ -+ vsrd 11, 15, 31 -+ vand 8, 18, 25 -+ vand 5, 15, 25 -+ vaddudm 4, 4, 12 -+ vsld 10, 12, 9 -+ vaddudm 6, 16, 11 -+ -+ vsrd 13, 6, 31 -+ vand 6, 6, 25 -+ vaddudm 4, 4, 10 -+ vsrd 10, 4, 31 -+ vaddudm 7, 7, 13 -+ -+ vsrd 11, 7, 31 -+ vand 7, 7, 25 -+ vand 4, 4, 25 -+ vaddudm 5, 5, 10 -+ vaddudm 8, 8, 11 -+ -+ # input m1 m2 m3 m4 -+ add 20, 4, 21 -+ xxlor 49, 24, 24 -+ xxlor 50, 25, 25 -+ lxvw4x 43, 0, 20 -+ addi 17, 20, 16 -+ lxvw4x 44, 0, 17 -+ vperm 14, 11, 12, 17 -+ vperm 15, 11, 12, 18 -+ addi 17, 17, 16 -+ lxvw4x 43, 0, 17 -+ addi 17, 17, 16 -+ lxvw4x 44, 0, 17 -+ vperm 17, 11, 12, 17 -+ vperm 18, 11, 12, 18 -+ -+ vand 20, 14, 25 # a0 -+ vand 9, 17, 25 # a0 -+ vsrd 21, 14, 31 # >> 26 -+ vsrd 22, 21, 31 # 12 bits left -+ vsrd 10, 17, 31 # >> 26 -+ vsrd 11, 10, 31 # 12 bits left -+ -+ vand 21, 21, 25 # a1 -+ vand 10, 10, 25 # a1 -+ -+ vspltisb 13, 12 -+ vand 16, 15, 25 -+ vsld 23, 16, 13 -+ vor 22, 22, 23 -+ vand 22, 22, 25 # a2 -+ vand 16, 18, 25 -+ vsld 12, 16, 13 -+ vor 11, 11, 12 -+ vand 11, 11, 25 # a2 -+ vspltisb 13, 14 -+ vsrd 23, 15, 13 # >> 14 -+ vsrd 24, 23, 31 # >> 26, a4 -+ vand 23, 23, 25 # a3 -+ vsrd 12, 18, 13 # >> 14 -+ vsrd 13, 12, 31 # >> 26, a4 -+ vand 12, 12, 25 # a3 -+ -+ vaddudm 4, 4, 20 -+ vaddudm 5, 5, 21 -+ vaddudm 6, 6, 22 -+ vaddudm 7, 7, 23 -+ vaddudm 8, 8, 24 -+ -+ # Smash 4 message blocks into 5 vectors of [m4, m2, m3, m1] -+ vmrgow 4, 9, 4 -+ vmrgow 5, 10, 5 -+ vmrgow 6, 11, 6 -+ vmrgow 7, 12, 7 -+ vmrgow 8, 13, 8 -+ vaddudm 8, 8, 19 -+ -+ addi 5, 5, -64 -+ addi 21, 21, 64 -+ -+ bdnz loop_4blocks -+ -+ xxlor 58, 0, 0 -+ xxlor 
59, 1, 1 -+ xxlor 60, 2, 2 -+ xxlor 61, 3, 3 -+ xxlor 62, 4, 4 -+ xxlor 32, 5, 5 -+ xxlor 33, 6, 6 -+ xxlor 34, 7, 7 -+ xxlor 35, 8, 8 -+ -+ # Multiply odd words and even words -+ mul_odd -+ mul_even -+ -+ # Sum the products. -+ xxpermdi 41, 31, 46, 0 -+ xxpermdi 42, 31, 47, 0 -+ vaddudm 4, 14, 9 -+ xxpermdi 36, 31, 36, 3 -+ vaddudm 5, 15, 10 -+ xxpermdi 37, 31, 37, 3 -+ xxpermdi 43, 31, 48, 0 -+ vaddudm 6, 16, 11 -+ xxpermdi 38, 31, 38, 3 -+ xxpermdi 44, 31, 49, 0 -+ vaddudm 7, 17, 12 -+ xxpermdi 39, 31, 39, 3 -+ xxpermdi 45, 31, 50, 0 -+ vaddudm 8, 18, 13 -+ xxpermdi 40, 31, 40, 3 -+ -+ # carry reduction -+ vspltisb 9, 2 -+ vsrd 10, 4, 31 -+ vsrd 11, 7, 31 -+ vand 7, 7, 25 -+ vand 4, 4, 25 -+ vaddudm 8, 8, 11 -+ vsrd 12, 8, 31 -+ vaddudm 5, 5, 10 -+ -+ vsrd 11, 5, 31 -+ vand 8, 8, 25 -+ vand 5, 5, 25 -+ vaddudm 4, 4, 12 -+ vsld 10, 12, 9 -+ vaddudm 6, 6, 11 -+ -+ vsrd 13, 6, 31 -+ vand 6, 6, 25 -+ vaddudm 4, 4, 10 -+ vsrd 10, 4, 31 -+ vaddudm 7, 7, 13 -+ -+ vsrd 11, 7, 31 -+ vand 7, 7, 25 -+ vand 4, 4, 25 -+ vaddudm 5, 5, 10 -+ vaddudm 8, 8, 11 -+ -+ b do_final_update -+ -+do_final_update: -+ # v4, v5, v6, v7 and v8 are 26 bit vectors -+ vsld 5, 5, 31 -+ vor 20, 4, 5 -+ vspltisb 11, 12 -+ vsrd 12, 6, 11 -+ vsld 6, 6, 31 -+ vsld 6, 6, 31 -+ vor 20, 20, 6 -+ vspltisb 11, 14 -+ vsld 7, 7, 11 -+ vor 21, 7, 12 -+ mfvsrld 16, 40 # save last 2 bytes -+ vsld 8, 8, 11 -+ vsld 8, 8, 31 -+ vor 21, 21, 8 -+ mfvsrld 17, 52 -+ mfvsrld 19, 53 -+ srdi 16, 16, 24 -+ -+ std 17, 32(3) -+ std 19, 40(3) -+ stw 16, 48(3) -+ -+Out_loop: -+ li 3, 0 -+ -+ li 14, 256 -+ lvx 20, 14, 1 -+ addi 14, 14, 16 -+ lvx 21, 14, 1 -+ addi 14, 14, 16 -+ lvx 22, 14, 1 -+ addi 14, 14, 16 -+ lvx 23, 14, 1 -+ addi 14, 14, 16 -+ lvx 24, 14, 1 -+ addi 14, 14, 16 -+ lvx 25, 14, 1 -+ addi 14, 14, 16 -+ lvx 26, 14, 1 -+ addi 14, 14, 16 -+ lvx 27, 14, 1 -+ addi 14, 14, 16 -+ lvx 28, 14, 1 -+ addi 14, 14, 16 -+ lvx 29, 14, 1 -+ addi 14, 14, 16 -+ lvx 30, 14, 1 -+ addi 14, 14, 16 -+ lvx 31, 14, 1 -+ -+ addi 14, 
14, 16 -+ lxvx 14, 14, 1 -+ addi 14, 14, 16 -+ lxvx 15, 14, 1 -+ addi 14, 14, 16 -+ lxvx 16, 14, 1 -+ addi 14, 14, 16 -+ lxvx 17, 14, 1 -+ addi 14, 14, 16 -+ lxvx 18, 14, 1 -+ addi 14, 14, 16 -+ lxvx 19, 14, 1 -+ addi 14, 14, 16 -+ lxvx 20, 14, 1 -+ addi 14, 14, 16 -+ lxvx 21, 14, 1 -+ addi 14, 14, 16 -+ lxvx 22, 14, 1 -+ addi 14, 14, 16 -+ lxvx 23, 14, 1 -+ addi 14, 14, 16 -+ lxvx 24, 14, 1 -+ addi 14, 14, 16 -+ lxvx 25, 14, 1 -+ addi 14, 14, 16 -+ lxvx 26, 14, 1 -+ addi 14, 14, 16 -+ lxvx 27, 14, 1 -+ addi 14, 14, 16 -+ lxvx 28, 14, 1 -+ addi 14, 14, 16 -+ lxvx 29, 14, 1 -+ addi 14, 14, 16 -+ lxvx 30, 14, 1 -+ addi 14, 14, 16 -+ lxvx 31, 14, 1 -+ -+ ld 0, 1040(1) -+ ld 14,112(1) -+ ld 15,120(1) -+ ld 16,128(1) -+ ld 17,136(1) -+ ld 18,144(1) -+ ld 19,152(1) -+ ld 20,160(1) -+ ld 21,168(1) -+ ld 31,248(1) -+ -+ mtlr 0 -+ addi 1, 1, 1024 -+ blr -+ -+Out_no_poly1305: -+ li 3, 0 -+ blr -+ -+.data -+.align 5 -+rmask: -+.byte 0xff, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f -+cnum: -+.long 0x03ffffff, 0x00000000, 0x03ffffff, 0x00000000 -+.long 0x1a, 0x00, 0x1a, 0x00 -+.long 0x01000000, 0x01000000, 0x01000000, 0x01000000 -+.long 0x00010203, 0x04050607, 0x10111213, 0x14151617 -+.long 0x08090a0b, 0x0c0d0e0f, 0x18191a1b, 0x1c1d1e1f -+.long 0x05, 0x00, 0x00, 0x00 -+.long 0x02020202, 0x02020202, 0x02020202, 0x02020202 -+.long 0xffffffff, 0xffffffff, 0x00000000, 0x00000000 -Index: libgcrypt-1.10.2/cipher/poly1305.c -=================================================================== ---- libgcrypt-1.10.2.orig/cipher/poly1305.c -+++ libgcrypt-1.10.2/cipher/poly1305.c -@@ -78,11 +78,23 @@ poly1305_blocks (poly1305_context_t *ctx - #endif /* USE_S390X_ASM */ - - -+#ifdef POLY1305_USE_PPC_VEC -+ -+extern unsigned int -+gcry_poly1305_p10le_4blocks(unsigned char *key, const byte *m, size_t len); -+ -+#endif /* POLY1305_USE_PPC_VEC */ -+ -+ - static void poly1305_init (poly1305_context_t *ctx, - const byte key[POLY1305_KEYLEN]) - { - 
POLY1305_STATE *st = &ctx->state; - -+#ifdef POLY1305_USE_PPC_VEC -+ ctx->use_p10 = (_gcry_get_hw_features () & HWF_PPC_ARCH_3_10) != 0; -+#endif -+ - ctx->leftover = 0; - - st->h[0] = 0; -@@ -533,6 +545,7 @@ _gcry_poly1305_update_burn (poly1305_con - size_t bytes) - { - unsigned int burn = 0; -+ unsigned int nburn; - - /* handle leftover */ - if (ctx->leftover) -@@ -546,15 +559,31 @@ _gcry_poly1305_update_burn (poly1305_con - ctx->leftover += want; - if (ctx->leftover < POLY1305_BLOCKSIZE) - return 0; -- burn = poly1305_blocks (ctx, ctx->buffer, POLY1305_BLOCKSIZE, 1); -+ nburn = poly1305_blocks (ctx, ctx->buffer, POLY1305_BLOCKSIZE, 1); -+ burn = nburn > burn ? nburn : burn; - ctx->leftover = 0; - } - -+#ifdef POLY1305_USE_PPC_VEC -+ /* PPC-P10/little-endian: bulk process multiples of eight blocks */ -+ if (ctx->use_p10 && bytes >= POLY1305_BLOCKSIZE * 8) -+ { -+ size_t nblks = bytes / (POLY1305_BLOCKSIZE * 8); -+ size_t len = nblks * (POLY1305_BLOCKSIZE * 8); -+ POLY1305_STATE *st = &ctx->state; -+ nburn = gcry_poly1305_p10le_4blocks ((unsigned char *) st, m, len); -+ burn = nburn > burn ? nburn : burn; -+ m += len; -+ bytes -= len; -+ } -+#endif /* POLY1305_USE_PPC_VEC */ -+ - /* process full blocks */ - if (bytes >= POLY1305_BLOCKSIZE) - { - size_t nblks = bytes / POLY1305_BLOCKSIZE; -- burn = poly1305_blocks (ctx, m, nblks * POLY1305_BLOCKSIZE, 1); -+ nburn = poly1305_blocks (ctx, m, nblks * POLY1305_BLOCKSIZE, 1); -+ burn = nburn > burn ? 
nburn : burn; - m += nblks * POLY1305_BLOCKSIZE; - bytes -= nblks * POLY1305_BLOCKSIZE; - } -Index: libgcrypt-1.10.2/configure.ac -=================================================================== ---- libgcrypt-1.10.2.orig/configure.ac -+++ libgcrypt-1.10.2/configure.ac -@@ -2779,6 +2779,11 @@ if test "$found" = "1" ; then - powerpc64le-*-*) - # Build with the ppc8 vector implementation - GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-ppc.lo" -+ # Build with the assembly implementation -+ if test "$gcry_cv_gcc_inline_asm_ppc_altivec" = "yes" && -+ test "$gcry_cv_gcc_inline_asm_ppc_arch_3_00" = "yes" ; then -+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-p10le-8x.lo" -+ fi - ;; - powerpc64-*-*) - # Build with the ppc8 vector implementation -@@ -3117,6 +3122,13 @@ case "${host}" in - s390x-*-*) - GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS poly1305-s390x.lo" - ;; -+ powerpc64le-*-*) -+ # Build with the assembly implementation -+ if test "$gcry_cv_gcc_inline_asm_ppc_altivec" = "yes" && -+ test "$gcry_cv_gcc_inline_asm_ppc_arch_3_00" = "yes" ; then -+ GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS poly1305-p10le.lo" -+ fi -+ ;; - esac - - LIST_MEMBER(scrypt, $enabled_kdfs) diff --git a/libgcrypt-FIPS-SLI-hash-mac.patch b/libgcrypt-FIPS-SLI-hash-mac.patch index b3fa94d..f0f56f2 100644 --- a/libgcrypt-FIPS-SLI-hash-mac.patch +++ b/libgcrypt-FIPS-SLI-hash-mac.patch @@ -1,8 +1,8 @@ -Index: libgcrypt-1.10.2/doc/gcrypt.texi +Index: libgcrypt-1.11.0/doc/gcrypt.texi =================================================================== ---- libgcrypt-1.10.2.orig/doc/gcrypt.texi -+++ libgcrypt-1.10.2/doc/gcrypt.texi -@@ -985,13 +985,21 @@ certification. If the function is approv +--- libgcrypt-1.11.0.orig/doc/gcrypt.texi ++++ libgcrypt-1.11.0/doc/gcrypt.texi +@@ -998,13 +998,21 @@ certification. If the function is approv @code{GPG_ERR_NO_ERROR} (other restrictions might still apply). Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. 
@@ -28,11 +28,11 @@ Index: libgcrypt-1.10.2/doc/gcrypt.texi @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos Check if the given message digest algorithm is approved under the current -Index: libgcrypt-1.10.2/src/fips.c +Index: libgcrypt-1.11.0/src/fips.c =================================================================== ---- libgcrypt-1.10.2.orig/src/fips.c -+++ libgcrypt-1.10.2/src/fips.c -@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg +--- libgcrypt-1.11.0.orig/src/fips.c ++++ libgcrypt-1.11.0/src/fips.c +@@ -378,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg } } @@ -64,7 +64,7 @@ Index: libgcrypt-1.10.2/src/fips.c /* FIPS approved curves, extracted from: * cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */ static const struct -@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a +@@ -602,6 +577,62 @@ _gcry_fips_indicator_pk_flags (va_list a return GPG_ERR_NOT_SUPPORTED; } @@ -127,11 +127,11 @@ Index: libgcrypt-1.10.2/src/fips.c /* This is a test on whether the library is in the error or operational state. */ -Index: libgcrypt-1.10.2/src/g10lib.h +Index: libgcrypt-1.11.0/src/g10lib.h =================================================================== ---- libgcrypt-1.10.2.orig/src/g10lib.h -+++ libgcrypt-1.10.2/src/g10lib.h -@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char +--- libgcrypt-1.11.0.orig/src/g10lib.h ++++ libgcrypt-1.11.0/src/g10lib.h +@@ -469,6 +469,7 @@ void _gcry_fips_signal_error (const char #endif int _gcry_fips_indicator_cipher (va_list arg_ptr); 
@@ -139,25 +139,25 @@ Index: libgcrypt-1.10.2/src/g10lib.h int _gcry_fips_indicator_mac (va_list arg_ptr); int _gcry_fips_indicator_md (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr); -Index: libgcrypt-1.10.2/src/gcrypt.h.in +Index: libgcrypt-1.11.0/src/gcrypt.h.in =================================================================== ---- libgcrypt-1.10.2.orig/src/gcrypt.h.in -+++ libgcrypt-1.10.2/src/gcrypt.h.in -@@ -335,7 +335,8 @@ enum gcry_ctl_cmds - GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, +--- libgcrypt-1.11.0.orig/src/gcrypt.h.in ++++ libgcrypt-1.11.0/src/gcrypt.h.in +@@ -336,7 +336,8 @@ enum gcry_ctl_cmds GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86, GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87, -- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88 -+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88, -+ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89 + GCRYCTL_MD_CUSTOMIZE = 88, +- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89 ++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89, ++ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 90 }; /* Perform various operations defined by CMD. */ -Index: libgcrypt-1.10.2/src/global.c +Index: libgcrypt-1.11.0/src/global.c =================================================================== ---- libgcrypt-1.10.2.orig/src/global.c -+++ libgcrypt-1.10.2/src/global.c -@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, +--- libgcrypt-1.11.0.orig/src/global.c ++++ libgcrypt-1.11.0/src/global.c +@@ -794,6 +794,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, rc = _gcry_fips_indicator_cipher (arg_ptr); break; diff --git a/libgcrypt-FIPS-SLI-pk.patch b/libgcrypt-FIPS-SLI-pk.patch index 541c08b..304fd37 100644 --- a/libgcrypt-FIPS-SLI-pk.patch +++ b/libgcrypt-FIPS-SLI-pk.patch @@ -1,7 +1,7 @@ -Index: libgcrypt-1.10.2/src/fips.c +Index: libgcrypt-1.11.0/src/fips.c =================================================================== ---- libgcrypt-1.10.2.orig/src/fips.c -+++ libgcrypt-1.10.2/src/fips.c +--- libgcrypt-1.11.0.orig/src/fips.c ++++ libgcrypt-1.11.0/src/fips.c 
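Review bot: The `@@ -139,25 +139,25 @@` hunk renumbers two distro-private control commands, `GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88` becoming `89` and `GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89` becoming `90`, because upstream 1.11.0 now occupies 88 with `GCRYCTL_MD_CUSTOMIZE`; the same renumbering of `_PK` appears in the libgcrypt-FIPS-SLI-pk.patch section below. These values are part of the installed gcrypt.h, so a consumer built against the 1.10.x package header and calling gcry_control with the old number would presumably now reach `GCRYCTL_MD_CUSTOMIZE` instead of the PK indicator, with no way for the library to tell the two intents apart. Worth recording the shift next to the enum, e.g. `GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89, /* distro extension; was 88 in the 1.10.x package */`, and in the package changelog, so the ABI change is deliberate rather than silent.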
@@ -38,6 +38,7 @@ #include "g10lib.h" @@ -10,7 +10,7 @@ Index: libgcrypt-1.10.2/src/fips.c #include "../random/random.h" /* The states of the finite state machine used in fips mode. */ -@@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt +@@ -400,6 +401,94 @@ _gcry_fips_indicator_mac (va_list arg_pt default: return GPG_ERR_NOT_SUPPORTED; } @@ -105,25 +105,25 @@ Index: libgcrypt-1.10.2/src/fips.c } int -Index: libgcrypt-1.10.2/src/gcrypt.h.in +Index: libgcrypt-1.11.0/src/gcrypt.h.in =================================================================== ---- libgcrypt-1.10.2.orig/src/gcrypt.h.in -+++ libgcrypt-1.10.2/src/gcrypt.h.in -@@ -334,7 +334,8 @@ enum gcry_ctl_cmds - GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84, +--- libgcrypt-1.11.0.orig/src/gcrypt.h.in ++++ libgcrypt-1.11.0/src/gcrypt.h.in +@@ -335,7 +335,8 @@ enum gcry_ctl_cmds GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86, -- GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87 -+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87, -+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88 + GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87, +- GCRYCTL_MD_CUSTOMIZE = 88 ++ GCRYCTL_MD_CUSTOMIZE = 88, ++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89 }; /* Perform various operations defined by CMD. */ -Index: libgcrypt-1.10.2/doc/gcrypt.texi +Index: libgcrypt-1.11.0/doc/gcrypt.texi =================================================================== ---- libgcrypt-1.10.2.orig/doc/gcrypt.texi -+++ libgcrypt-1.10.2/doc/gcrypt.texi -@@ -997,6 +997,19 @@ Check if the given message digest algori +--- libgcrypt-1.11.0.orig/doc/gcrypt.texi ++++ libgcrypt-1.11.0/doc/gcrypt.texi +@@ -1010,6 +1010,19 @@ Check if the given message digest algori FIPS 140-3 certification. If the algorithm is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. 
@@ -143,11 +143,11 @@ Index: libgcrypt-1.10.2/doc/gcrypt.texi @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char * Check if the given public key operation flag or s-expression object name is -Index: libgcrypt-1.10.2/src/g10lib.h +Index: libgcrypt-1.11.0/src/g10lib.h =================================================================== ---- libgcrypt-1.10.2.orig/src/g10lib.h -+++ libgcrypt-1.10.2/src/g10lib.h -@@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar +--- libgcrypt-1.11.0.orig/src/g10lib.h ++++ libgcrypt-1.11.0/src/g10lib.h +@@ -473,6 +473,7 @@ int _gcry_fips_indicator_mac (va_list ar int _gcry_fips_indicator_md (va_list arg_ptr); int _gcry_fips_indicator_kdf (va_list arg_ptr); int _gcry_fips_indicator_function (va_list arg_ptr); @@ -155,11 +155,11 @@ Index: libgcrypt-1.10.2/src/g10lib.h int _gcry_fips_indicator_pk_flags (va_list arg_ptr); int _gcry_fips_is_operational (void); -Index: libgcrypt-1.10.2/src/global.c +Index: libgcrypt-1.11.0/src/global.c =================================================================== ---- libgcrypt-1.10.2.orig/src/global.c -+++ libgcrypt-1.10.2/src/global.c -@@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, +--- libgcrypt-1.11.0.orig/src/global.c ++++ libgcrypt-1.11.0/src/global.c +@@ -828,6 +828,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, rc = _gcry_fips_indicator_pk_flags (arg_ptr); break; diff --git a/libgcrypt-FIPS-jitter-errorcodes.patch b/libgcrypt-FIPS-jitter-errorcodes.patch new file mode 100644 index 0000000..d6d314e --- /dev/null +++ b/libgcrypt-FIPS-jitter-errorcodes.patch 
@@ -0,0 +1,16 @@
+Index: libgcrypt-1.10.3/random/rndjent.c
+===================================================================
+--- libgcrypt-1.10.3.orig/random/rndjent.c
++++ libgcrypt-1.10.3/random/rndjent.c
+@@ -319,7 +319,10 @@ _gcry_rndjent_poll (void (*add)(const vo
+ jent_rng_totalcalls++;
+ rc = jent_read_entropy_safe (&jent_rng_collector, buffer, n);
+ if (rc < 0)
+- break;
++ {
++ fips_signal_error ("jitter entropy failed");
++ break;
++ }
+ /* We need to hash the output to conform to the BSI
+ * NTG.1 specs. */
+ _gcry_md_hash_buffer (GCRY_MD_SHA256, buffer, buffer, rc);
diff --git a/libgcrypt-FIPS-jitter-standalone.patch b/libgcrypt-FIPS-jitter-standalone.patch
new file mode 100644
index 0000000..4f931c3
--- /dev/null
+++ b/libgcrypt-FIPS-jitter-standalone.patch
@@ -0,0 +1,183 @@
+Index: libgcrypt-1.10.3/random/Makefile.am
+===================================================================
+--- libgcrypt-1.10.3.orig/random/Makefile.am
++++ libgcrypt-1.10.3/random/Makefile.am
+@@ -21,7 +21,7 @@
+ # Need to include ../src in addition to top_srcdir because gcrypt.h is
+ # a built header.
+ AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
+-AM_CFLAGS = $(GPG_ERROR_CFLAGS)
++AM_CFLAGS = $(GPG_ERROR_CFLAGS) -ljitterentropy
+
+ noinst_LTLIBRARIES = librandom.la
+
+@@ -45,14 +45,7 @@ rndoldlinux.c \
+ rndegd.c \
+ rndunix.c \
+ rndw32.c \
+-rndw32ce.c \
+-jitterentropy-gcd.c jitterentropy-gcd.h \
+-jitterentropy-health.c jitterentropy-health.h \
+-jitterentropy-noise.c jitterentropy-noise.h \
+-jitterentropy-sha3.c jitterentropy-sha3.h \
+-jitterentropy-timer.c jitterentropy-timer.h \
+-jitterentropy-base.h \
+-jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
++rndw32ce.c
+
+ # The rndjent module needs to be compiled without optimization. */
+ if ENABLE_O_FLAG_MUNGING
+@@ -61,20 +54,8 @@ else
+ o_flag_munging = cat
+ endif
+
+-rndjent.o: $(srcdir)/rndjent.c jitterentropy-base-user.h \
+- $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
+- $(srcdir)/jitterentropy-health.c $(srcdir)/jitterentropy-health.h \
+- $(srcdir)/jitterentropy-noise.c $(srcdir)/jitterentropy-noise.h \
+- $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
+- $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
+- $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
++rndjent.o: $(srcdir)/rndjent.c
+ `echo $(COMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
+
+-rndjent.lo: $(srcdir)/rndjent.c jitterentropy-base-user.h \
+- $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
+- $(srcdir)/jitterentropy-health.c $(srcdir)/jitterentropy-health.h \
+- $(srcdir)/jitterentropy-noise.c $(srcdir)/jitterentropy-noise.h \
+- $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
+- $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
+- $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
++rndjent.lo: $(srcdir)/rndjent.c
+ `echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
+Index: libgcrypt-1.10.3/random/rndjent.c
+===================================================================
+--- libgcrypt-1.10.3.orig/random/rndjent.c
++++ libgcrypt-1.10.3/random/rndjent.c
+@@ -94,17 +94,12 @@
+ * jitterentropy-user-base.h file. */
+
+ /* Tell jitterentropy* that all functions shall be static. */
+-#define JENT_PRIVATE_COMPILE 1
++#undef JENT_PRIVATE_COMPILE
+
+-#include "jitterentropy-base.c"
+ #ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
+ #include
+ #endif /* JENT_CONF_ENABLE_INTERNAL_TIMER */
+-#include "jitterentropy-gcd.c"
+-#include "jitterentropy-health.c"
+-#include "jitterentropy-noise.c"
+-#include "jitterentropy-sha3.c"
+-#include "jitterentropy-timer.c"
++#include
+
+ /* This is the lock we use to serialize access to this RNG. The extra
+ * integer variable is only used to check the locking state; that is,
+Index: libgcrypt-1.10.3/random/Makefile.in
+===================================================================
+--- libgcrypt-1.10.3.orig/random/Makefile.in
++++ libgcrypt-1.10.3/random/Makefile.in
+@@ -147,12 +147,7 @@ am__v_at_1 =
+ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+ depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
+ am__maybe_remake_depfiles = depfiles
+-am__depfiles_remade = ./$(DEPDIR)/jitterentropy-base.Plo \
+- ./$(DEPDIR)/jitterentropy-gcd.Plo \
+- ./$(DEPDIR)/jitterentropy-health.Plo \
+- ./$(DEPDIR)/jitterentropy-noise.Plo \
+- ./$(DEPDIR)/jitterentropy-sha3.Plo \
+- ./$(DEPDIR)/jitterentropy-timer.Plo \
++am__depfiles_remade = \
+ ./$(DEPDIR)/random-csprng.Plo ./$(DEPDIR)/random-drbg.Plo \
+ ./$(DEPDIR)/random-system.Plo ./$(DEPDIR)/random.Plo \
+ ./$(DEPDIR)/rndegd.Plo ./$(DEPDIR)/rndgetentropy.Plo \
+@@ -378,7 +373,7 @@ top_srcdir = @top_srcdir@
+ # Need to include ../src in addition to top_srcdir because gcrypt.h is
+ # a built header.
+ AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
+-AM_CFLAGS = $(GPG_ERROR_CFLAGS)
++AM_CFLAGS = $(GPG_ERROR_CFLAGS) -ljitterentropy
+ noinst_LTLIBRARIES = librandom.la
+ GCRYPT_MODULES = @GCRYPT_RANDOM@
+ librandom_la_DEPENDENCIES = $(GCRYPT_MODULES)
+@@ -398,14 +393,7 @@ rndoldlinux.c \
+ rndegd.c \
+ rndunix.c \
+ rndw32.c \
+-rndw32ce.c \
+-jitterentropy-gcd.c jitterentropy-gcd.h \
+-jitterentropy-health.c jitterentropy-health.h \
+-jitterentropy-noise.c jitterentropy-noise.h \
+-jitterentropy-sha3.c jitterentropy-sha3.h \
+-jitterentropy-timer.c jitterentropy-timer.h \
+-jitterentropy-base.h \
+-jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
++rndw32ce.c
+
+ @ENABLE_O_FLAG_MUNGING_FALSE@o_flag_munging = cat
+
+@@ -465,12 +453,6 @@ mostlyclean-compile:
+ distclean-compile:
+ -rm -f *.tab.c
+
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/jitterentropy-base.Plo@am__quote@ # am--include-marker
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/jitterentropy-gcd.Plo@am__quote@ # am--include-marker
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/jitterentropy-health.Plo@am__quote@ # am--include-marker
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/jitterentropy-noise.Plo@am__quote@ # am--include-marker
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/jitterentropy-sha3.Plo@am__quote@ # am--include-marker
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/jitterentropy-timer.Plo@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-csprng.Plo@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-drbg.Plo@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-system.Plo@am__quote@ # am--include-marker
+@@ -641,12 +623,6 @@ clean-am: clean-generic clean-libtool cl
+ mostlyclean-am
+
+ distclean: distclean-am
+- -rm -f ./$(DEPDIR)/jitterentropy-base.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-gcd.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-health.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-noise.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-sha3.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-timer.Plo
+ -rm -f ./$(DEPDIR)/random-csprng.Plo
+ -rm -f ./$(DEPDIR)/random-drbg.Plo
+ -rm -f ./$(DEPDIR)/random-system.Plo
+@@ -704,12 +680,6 @@ install-ps-am:
+ installcheck-am:
+
+ maintainer-clean: maintainer-clean-am
+- -rm -f ./$(DEPDIR)/jitterentropy-base.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-gcd.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-health.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-noise.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-sha3.Plo
+- -rm -f ./$(DEPDIR)/jitterentropy-timer.Plo
+ -rm -f ./$(DEPDIR)/random-csprng.Plo
+ -rm -f ./$(DEPDIR)/random-drbg.Plo
+ -rm -f ./$(DEPDIR)/random-system.Plo
+@@ -759,22 +729,10 @@ uninstall-am:
+ .PRECIOUS: Makefile
+
+
+-rndjent.o: $(srcdir)/rndjent.c jitterentropy-base-user.h \
+- $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
+- $(srcdir)/jitterentropy-health.c $(srcdir)/jitterentropy-health.h \
+- $(srcdir)/jitterentropy-noise.c $(srcdir)/jitterentropy-noise.h \
+- $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
+- $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
+- $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
++rndjent.o: $(srcdir)/rndjent.c
+ `echo $(COMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
+
+-rndjent.lo: $(srcdir)/rndjent.c jitterentropy-base-user.h \
+- $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
+- $(srcdir)/jitterentropy-health.c $(srcdir)/jitterentropy-health.h \
+- $(srcdir)/jitterentropy-noise.c $(srcdir)/jitterentropy-noise.h \
+- $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
+- $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
+- $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
++rndjent.lo: $(srcdir)/rndjent.c
+ `echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
+
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/libgcrypt-FIPS-jitter-whole-entropy.patch b/libgcrypt-FIPS-jitter-whole-entropy.patch
new file mode 100644
index 0000000..6c16472
--- /dev/null
+++ b/libgcrypt-FIPS-jitter-whole-entropy.patch
@@ -0,0 +1,41 @@
+Index: libgcrypt-1.10.3/random/rndgetentropy.c
+===================================================================
+--- libgcrypt-1.10.3.orig/random/rndgetentropy.c
++++ libgcrypt-1.10.3/random/rndgetentropy.c
+@@ -53,16 +53,30 @@ _gcry_rndgetentropy_gather_random (void
+
+ /* When using a blocking random generator try to get some entropy
+ * from the jitter based RNG. In this case we take up to 50% of the
+- * remaining requested bytes. */
++ * remaining requested bytes. In FIPS mode, we get all the entropy
++ * from the jitter RNG. */
+ if (level >= GCRY_VERY_STRONG_RANDOM)
+ {
+ size_t n;
+
+- n = _gcry_rndjent_poll (add, origin, length/2);
+- if (n > length/2)
+- n = length/2;
+- if (length > 1)
+- length -= n;
++ /* In FIPS mode, use the whole length of the entropy buffer from
++ * Jitter RNG */
++ if (fips_mode ())
++ {
++ n = _gcry_rndjent_poll (add, origin, length);
++ if (n != length)
++ fips_signal_error ("jitter entropy failed");
++ else
++ length = 0;
++ }
++ else
++ {
++ n = _gcry_rndjent_poll (add, origin, length/2);
++ if (n > length/2)
++ n = length/2;
++ if (length > 1)
++ length -= n;
++ }
+ }
+
+ /* Enter the loop. */
diff --git a/libgcrypt-jitterentropy-3.4.0.patch b/libgcrypt-jitterentropy-3.4.0.patch
deleted file mode 100644
index dbb77ba..0000000
--- a/libgcrypt-jitterentropy-3.4.0.patch
+++ /dev/null
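Review bot: `fips_signal_error ("jitter entropy failed")` discards `rc`, although `jent_read_entropy_safe` is documented to return distinct negative codes for different failure causes (health-test failure versus other conditions), so once the library is in the error state nothing records which condition tripped it; logging the code before the `break`, e.g. `log_info ("jitter entropy failed: rc=%d\n", rc);`, keeps that available for triage. The call is also made on every negative return irrespective of whether FIPS mode is active; unless `fips_signal_error` is itself a no-op outside FIPS mode (worth confirming against its definition in src/fips.c), non-FIPS callers would now see a library error state where previously the poll just stopped early. The `Index:` and `---`/`+++` lines still name libgcrypt-1.10.3 while this commit moves the tarball to 1.11.0, which is harmless under `-p1` but inconsistent with the other patches rebased here. The enclosing loop in `_gcry_rndjent_poll` begins outside the hunk.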
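Review bot: `-ljitterentropy` is appended to `AM_CFLAGS` in both the Makefile.am and Makefile.in hunks (`@@ -21,7 +21,7 @@` and `@@ -378,7 +373,7 @@`); that is a link flag in a compile-flag variable, so it is emitted on every compile-only command, where it does nothing, and reaches the final libgcrypt link only if CFLAGS happen to be carried into libtool's link step. The conventional automake form is a libtool LIBADD, e.g. `librandom_la_LIBADD = -ljitterentropy`, which should propagate from the convenience library to the shared library; a configure check (or a spec-level build dependency) pinning a minimum library version would also be needed, since the RNG's health tests and entropy estimation now come from whatever libjitterentropy the build host provides instead of the bundled sources that the deleted libgcrypt-jitterentropy-3.4.0.patch used to update. The comment left above `#undef JENT_PRIVATE_COMPILE`, `/* Tell jitterentropy* that all functions shall be static. */`, describes the removed in-tree build and should become something like `/* Use the system jitterentropy library instead of the bundled sources. */`. The header names in the two `#include` lines of the rndjent.c hunk are not visible in this rendering, so which system header is pulled in could not be checked here.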
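Review bot: In the FIPS branch, when `n != length` the new code only signals the error and leaves `length` untouched, so control falls through to the system-entropy loop below (outside the hunk) with the full `length`, on top of the `n` bytes the jitter poll has presumably already delivered through `add`; the non-FIPS branch reduces `length` by `n` instead. If the intent is fail-closed, return right after `fips_signal_error` so nothing further is gathered; if the intent is to top up from the system source, `length -= n;` keeps the total delivered equal to the request. With libgcrypt-FIPS-jitter-errorcodes.patch applied, `_gcry_rndjent_poll` already signals the same error internally on a failed read, so this path would raise it a second time (harmless but noisy). Whether `fips_signal_error` alone prevents the bytes gathered afterwards from being used depends on the library's error-state handling, which is not visible here.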
@@ -1,618 +0,0 @@ -Index: libgcrypt-1.10.0/random/jitterentropy-base.c -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-base.c -+++ libgcrypt-1.10.0/random/jitterentropy-base.c -@@ -42,7 +42,7 @@ - * require consumer to be updated (as long as this number - * is zero, the API is not considered stable and can - * change without a bump of the major version) */ --#define MINVERSION 3 /* API compatible, ABI may change, functional -+#define MINVERSION 4 /* API compatible, ABI may change, functional - * enhancements only, consumer can be left unchanged if - * enhancements are not considered */ - #define PATCHLEVEL 0 /* API / ABI compatible, no functional changes, no -@@ -200,29 +200,38 @@ ssize_t jent_read_entropy(struct rand_da - tocopy = (DATA_SIZE_BITS / 8); - else - tocopy = len; -- memcpy(p, &ec->data, tocopy); -+ -+ jent_read_random_block(ec, p, tocopy); - - len -= tocopy; - p += tocopy; - } - - /* -- * To be on the safe side, we generate one more round of entropy -- * which we do not give out to the caller. That round shall ensure -- * that in case the calling application crashes, memory dumps, pages -- * out, or due to the CPU Jitter RNG lingering in memory for long -- * time without being moved and an attacker cracks the application, -- * all he reads in the entropy pool is a value that is NEVER EVER -- * being used for anything. Thus, he does NOT see the previous value -- * that was returned to the caller for cryptographic purposes. -+ * Enhanced backtracking support: At this point, the hash state -+ * contains the digest of the previous Jitter RNG collection round -+ * which is inserted there by jent_read_random_block with the SHA -+ * update operation. At the current code location we completed -+ * one request for a caller and we do not know how long it will -+ * take until a new request is sent to us. To guarantee enhanced -+ * backtracking resistance at this point (i.e. 
ensure that an attacker -+ * cannot obtain information about prior random numbers we generated), -+ * but still stirring the hash state with old data the Jitter RNG -+ * obtains a new message digest from its state and re-inserts it. -+ * After this operation, the Jitter RNG state is still stirred with -+ * the old data, but an attacker who gets access to the memory after -+ * this point cannot deduce the random numbers produced by the -+ * Jitter RNG prior to this point. - */ - /* -- * If we use secured memory, do not use that precaution as the secure -- * memory protects the entropy pool. Moreover, note that using this -- * call reduces the speed of the RNG by up to half -+ * If we use secured memory, where backtracking support may not be -+ * needed because the state is protected in a different method, -+ * it is permissible to drop this support. But strongly weigh the -+ * pros and cons considering that the SHA3 operation is not that -+ * expensive. - */ - #ifndef JENT_CPU_JITTERENTROPY_SECURE_MEMORY -- jent_random_data(ec); -+ jent_read_random_block(ec, NULL, 0); - #endif - - err: -@@ -379,6 +388,7 @@ static struct rand_data - *jent_entropy_collector_alloc_internal(unsigned int osr, unsigned int flags) - { - struct rand_data *entropy_collector; -+ uint32_t memsize = 0; - - /* - * Requesting disabling and forcing of internal timer -@@ -405,7 +415,7 @@ static struct rand_data - return NULL; - - if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { -- uint32_t memsize = jent_memsize(flags); -+ memsize = jent_memsize(flags); - - entropy_collector->mem = _gcry_calloc (1, memsize); - -@@ -431,13 +441,19 @@ static struct rand_data - entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; - } - -+ if (sha3_alloc(&entropy_collector->hash_state)) -+ goto err; -+ -+ /* Initialize the hash state */ -+ sha3_256_init(entropy_collector->hash_state); -+ - /* verify and set the oversampling rate */ - if (osr < JENT_MIN_OSR) - osr = JENT_MIN_OSR; - entropy_collector->osr = osr; - 
entropy_collector->flags = flags; - -- if (jent_fips_enabled() || (flags & JENT_FORCE_FIPS)) -+ if ((flags & JENT_FORCE_FIPS) || jent_fips_enabled()) - entropy_collector->fips_enabled = 1; - - /* Initialize the APT */ -@@ -469,7 +485,7 @@ static struct rand_data - - err: - if (entropy_collector->mem != NULL) -- jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE); -+ jent_zfree(entropy_collector->mem, memsize); - jent_zfree(entropy_collector, sizeof(struct rand_data)); - return NULL; - } -@@ -511,6 +527,7 @@ JENT_PRIVATE_STATIC - void jent_entropy_collector_free(struct rand_data *entropy_collector) - { - if (entropy_collector != NULL) { -+ sha3_dealloc(entropy_collector->hash_state); - jent_notime_disable(entropy_collector); - if (entropy_collector->mem != NULL) { - jent_zfree(entropy_collector->mem, -@@ -664,6 +681,7 @@ static inline int jent_entropy_init_comm - int ret; - - jent_notime_block_switch(); -+ jent_health_cb_block_switch(); - - if (sha3_tester()) - return EHASH; -@@ -710,6 +728,8 @@ int jent_entropy_init_ex(unsigned int os - if (ret) - return ret; - -+ ret = ENOTIME; -+ - /* Test without internal timer unless caller does not want it */ - if (!(flags & JENT_FORCE_INTERNAL_TIMER)) - ret = jent_time_entropy_init(osr, -@@ -732,3 +752,9 @@ int jent_entropy_switch_notime_impl(stru - return jent_notime_switch(new_thread); - } - #endif -+ -+JENT_PRIVATE_STATIC -+int jent_set_fips_failure_callback(jent_fips_failure_cb cb) -+{ -+ return jent_set_fips_failure_callback_internal(cb); -+} -Index: libgcrypt-1.10.0/random/jitterentropy-gcd.c -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-gcd.c -+++ libgcrypt-1.10.0/random/jitterentropy-gcd.c -@@ -113,12 +113,8 @@ int jent_gcd_analyze(uint64_t *delta_his - goto out; - } - -- /* -- * Ensure that we have variations in the time stamp below 100 for at -- * least 10% of all checks -- on some platforms, the counter increments -- * in multiples of 100, but 
not always -- */ -- if (running_gcd >= 100) { -+ /* Set a sensible maximum value. */ -+ if (running_gcd >= UINT32_MAX / 2) { - ret = ECOARSETIME; - goto out; - } -Index: libgcrypt-1.10.0/random/jitterentropy-health.c -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-health.c -+++ libgcrypt-1.10.0/random/jitterentropy-health.c -@@ -19,9 +19,24 @@ - * DAMAGE. - */ - --#include "jitterentropy.h" - #include "jitterentropy-health.h" - -+static jent_fips_failure_cb fips_cb = NULL; -+static int jent_health_cb_switch_blocked = 0; -+ -+void jent_health_cb_block_switch(void) -+{ -+ jent_health_cb_switch_blocked = 1; -+} -+ -+int jent_set_fips_failure_callback_internal(jent_fips_failure_cb cb) -+{ -+ if (jent_health_cb_switch_blocked) -+ return -EAGAIN; -+ fips_cb = cb; -+ return 0; -+} -+ - /*************************************************************************** - * Lag Predictor Test - * -@@ -434,5 +449,9 @@ unsigned int jent_health_failure(struct - if (!ec->fips_enabled) - return 0; - -+ if (fips_cb && ec->health_failure) { -+ fips_cb(ec, ec->health_failure); -+ } -+ - return ec->health_failure; - } -Index: libgcrypt-1.10.0/random/jitterentropy-health.h -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-health.h -+++ libgcrypt-1.10.0/random/jitterentropy-health.h -@@ -20,11 +20,16 @@ - #ifndef JITTERENTROPY_HEALTH_H - #define JITTERENTROPY_HEALTH_H - -+#include "jitterentropy.h" -+ - #ifdef __cplusplus - extern "C" - { - #endif - -+void jent_health_cb_block_switch(void); -+int jent_set_fips_failure_callback_internal(jent_fips_failure_cb cb); -+ - static inline uint64_t jent_delta(uint64_t prev, uint64_t next) - { - return (next - prev); -Index: libgcrypt-1.10.0/random/jitterentropy-noise.c -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-noise.c -+++ 
libgcrypt-1.10.0/random/jitterentropy-noise.c -@@ -33,7 +33,7 @@ - * Update of the loop count used for the next round of - * an entropy collection. - * -- * @ec [in] entropy collector struct -- may be NULL -+ * @ec [in] entropy collector struct - * @bits [in] is the number of low bits of the timer to consider - * @min [in] is the number of bits we shift the timer value to the right at - * the end to make sure we have a guaranteed minimum value -@@ -61,16 +61,13 @@ static uint64_t jent_loop_shuffle(struct - * Mix the current state of the random number into the shuffle - * calculation to balance that shuffle a bit more. - */ -- if (ec) { -- jent_get_nstime_internal(ec, &time); -- time ^= ec->data[0]; -- } -+ jent_get_nstime_internal(ec, &time); - - /* - * We fold the time value as much as possible to ensure that as many - * bits of the time stamp are included as possible. - */ -- for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) { -+ for (i = 0; (((sizeof(time) << 3) + bits - 1) / bits) > i; i++) { - shuffle ^= time & mask; - time = time >> bits; - } -@@ -91,11 +88,11 @@ static uint64_t jent_loop_shuffle(struct - * This function injects the individual bits of the time value into the - * entropy pool using a hash. - * -- * @ec [in] entropy collector struct -- may be NULL -- * @time [in] time stamp to be injected -+ * @ec [in] entropy collector struct -+ * @time [in] time delta to be injected - * @loop_cnt [in] if a value not equal to 0 is set, use the given value as - * number of loops to perform the hash operation -- * @stuck [in] Is the time stamp identified as stuck? -+ * @stuck [in] Is the time delta identified as stuck? 
- * - * Output: - * updated hash context -@@ -104,17 +101,19 @@ static void jent_hash_time(struct rand_d - uint64_t loop_cnt, unsigned int stuck) - { - HASH_CTX_ON_STACK(ctx); -- uint8_t itermediary[SHA3_256_SIZE_DIGEST]; -+ uint8_t intermediary[SHA3_256_SIZE_DIGEST]; - uint64_t j = 0; -- uint64_t hash_loop_cnt; - #define MAX_HASH_LOOP 3 - #define MIN_HASH_LOOP 0 - - /* Ensure that macros cannot overflow jent_loop_shuffle() */ - BUILD_BUG_ON((MAX_HASH_LOOP + MIN_HASH_LOOP) > 63); -- hash_loop_cnt = -+ uint64_t hash_loop_cnt = - jent_loop_shuffle(ec, MAX_HASH_LOOP, MIN_HASH_LOOP); - -+ /* Use the memset to shut up valgrind */ -+ memset(intermediary, 0, sizeof(intermediary)); -+ - sha3_256_init(&ctx); - - /* -@@ -125,35 +124,54 @@ static void jent_hash_time(struct rand_d - hash_loop_cnt = loop_cnt; - - /* -- * This loop basically slows down the SHA-3 operation depending -- * on the hash_loop_cnt. Each iteration of the loop generates the -- * same result. -+ * This loop fills a buffer which is injected into the entropy pool. -+ * The main reason for this loop is to execute something over which we -+ * can perform a timing measurement. The injection of the resulting -+ * data into the pool is performed to ensure the result is used and -+ * the compiler cannot optimize the loop away in case the result is not -+ * used at all. Yet that data is considered "additional information" -+ * considering the terminology from SP800-90A without any entropy. -+ * -+ * Note, it does not matter which or how much data you inject, we are -+ * interested in one Keccack1600 compression operation performed with -+ * the sha3_final. 
- */ - for (j = 0; j < hash_loop_cnt; j++) { -- sha3_update(&ctx, ec->data, SHA3_256_SIZE_DIGEST); -- sha3_update(&ctx, (uint8_t *)&time, sizeof(uint64_t)); -+ sha3_update(&ctx, intermediary, sizeof(intermediary)); -+ sha3_update(&ctx, (uint8_t *)&ec->rct_count, -+ sizeof(ec->rct_count)); -+ sha3_update(&ctx, (uint8_t *)&ec->apt_cutoff, -+ sizeof(ec->apt_cutoff)); -+ sha3_update(&ctx, (uint8_t *)&ec->apt_observations, -+ sizeof(ec->apt_observations)); -+ sha3_update(&ctx, (uint8_t *)&ec->apt_count, -+ sizeof(ec->apt_count)); -+ sha3_update(&ctx,(uint8_t *) &ec->apt_base, -+ sizeof(ec->apt_base)); - sha3_update(&ctx, (uint8_t *)&j, sizeof(uint64_t)); -+ sha3_final(&ctx, intermediary); -+ } - -- /* -- * If the time stamp is stuck, do not finally insert the value -- * into the entropy pool. Although this operation should not do -- * any harm even when the time stamp has no entropy, SP800-90B -- * requires that any conditioning operation to have an identical -- * amount of input data according to section 3.1.5. -- */ -+ /* -+ * Inject the data from the previous loop into the pool. This data is -+ * not considered to contain any entropy, but it stirs the pool a bit. -+ */ -+ sha3_update(ec->hash_state, intermediary, sizeof(intermediary)); - -- /* -- * The sha3_final operations re-initialize the context for the -- * next loop iteration. -- */ -- if (stuck || (j < hash_loop_cnt - 1)) -- sha3_final(&ctx, itermediary); -- else -- sha3_final(&ctx, ec->data); -- } -+ /* -+ * Insert the time stamp into the hash context representing the pool. -+ * -+ * If the time stamp is stuck, do not finally insert the value into the -+ * entropy pool. Although this operation should not do any harm even -+ * when the time stamp has no entropy, SP800-90B requires that any -+ * conditioning operation to have an identical amount of input data -+ * according to section 3.1.5. 
-+ */ -+ if (!stuck) -+ sha3_update(ec->hash_state, (uint8_t *)&time, sizeof(uint64_t)); - - jent_memset_secure(&ctx, SHA_MAX_CTX_SIZE); -- jent_memset_secure(itermediary, sizeof(itermediary)); -+ jent_memset_secure(intermediary, sizeof(intermediary)); - } - - #define MAX_ACC_LOOP_BIT 7 -@@ -184,13 +202,12 @@ static inline uint32_t xoshiro128starsta - - static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt) - { -- uint64_t i = 0; -+ uint64_t i = 0, time = 0; - union { - uint32_t u[4]; - uint8_t b[sizeof(uint32_t) * 4]; - } prngState = { .u = {0x8e93eec0, 0xce65608a, 0xa8d46b46, 0xe83cef69} }; - uint32_t addressMask; -- uint64_t acc_loop_cnt; - - if (NULL == ec || NULL == ec->mem) - return; -@@ -199,7 +216,7 @@ static void jent_memaccess(struct rand_d - - /* Ensure that macros cannot overflow jent_loop_shuffle() */ - BUILD_BUG_ON((MAX_ACC_LOOP_BIT + MIN_ACC_LOOP_BIT) > 63); -- acc_loop_cnt = -+ uint64_t acc_loop_cnt = - jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); - - /* -@@ -213,8 +230,10 @@ static void jent_memaccess(struct rand_d - * "per-update: timing, it gets you mostly independent "per-update" - * timing, so we can now benefit from the Central Limit Theorem! 
- */ -- for (i = 0; i < sizeof(prngState); i++) -- prngState.b[i] ^= ec->data[i]; -+ for (i = 0; i < sizeof(prngState); i++) { -+ jent_get_nstime_internal(ec, &time); -+ prngState.b[i] ^= (uint8_t)(time & 0xff); -+ } - - /* - * testing purposes -- allow test app to set the counter, not -@@ -358,21 +377,21 @@ unsigned int jent_measure_jitter(struct - - /** - * Generator of one 256 bit random number -- * Function fills rand_data->data -+ * Function fills rand_data->hash_state - * - * @ec [in] Reference to entropy collector - */ - void jent_random_data(struct rand_data *ec) - { -- unsigned int k = 0, safety_factor = ENTROPY_SAFETY_FACTOR; -+ unsigned int k = 0, safety_factor = 0; - -- if (!ec->fips_enabled) -- safety_factor = 0; -+ if (ec->fips_enabled) -+ safety_factor = ENTROPY_SAFETY_FACTOR; - - /* priming of the ->prev_time value */ - jent_measure_jitter(ec, 0, NULL); - -- while (1) { -+ while (!jent_health_failure(ec)) { - /* If a stuck measurement is received, repeat measurement */ - if (jent_measure_jitter(ec, 0, NULL)) - continue; -@@ -385,3 +404,22 @@ void jent_random_data(struct rand_data * - break; - } - } -+ -+void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len) -+{ -+ uint8_t jent_block[SHA3_256_SIZE_DIGEST]; -+ -+ BUILD_BUG_ON(SHA3_256_SIZE_DIGEST != (DATA_SIZE_BITS / 8)); -+ -+ /* The final operation automatically re-initializes the ->hash_state */ -+ sha3_final(ec->hash_state, jent_block); -+ if (dst_len) -+ memcpy(dst, jent_block, dst_len); -+ -+ /* -+ * Stir the new state with the data from the old state - the digest -+ * of the old data is not considered to have entropy. 
-+ */ -+ sha3_update(ec->hash_state, jent_block, sizeof(jent_block)); -+ jent_memset_secure(jent_block, sizeof(jent_block)); -+} -Index: libgcrypt-1.10.0/random/jitterentropy-noise.h -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-noise.h -+++ libgcrypt-1.10.0/random/jitterentropy-noise.h -@@ -31,6 +31,7 @@ unsigned int jent_measure_jitter(struct - uint64_t loop_cnt, - uint64_t *ret_current_delta); - void jent_random_data(struct rand_data *ec); -+void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len); - - #ifdef __cplusplus - } -Index: libgcrypt-1.10.0/random/jitterentropy-sha3.c -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-sha3.c -+++ libgcrypt-1.10.0/random/jitterentropy-sha3.c -@@ -19,6 +19,7 @@ - */ - - #include "jitterentropy-sha3.h" -+#include "jitterentropy.h" - - /*************************************************************************** - * Message Digest Implementation -@@ -380,3 +381,23 @@ int sha3_tester(void) - - return 0; - } -+ -+int sha3_alloc(void **hash_state) -+{ -+ struct sha_ctx *tmp; -+ -+ tmp = jent_zalloc(SHA_MAX_CTX_SIZE); -+ if (!tmp) -+ return 1; -+ -+ *hash_state = tmp; -+ -+ return 0; -+} -+ -+void sha3_dealloc(void *hash_state) -+{ -+ struct sha_ctx *ctx = (struct sha_ctx *)hash_state; -+ -+ jent_zfree(ctx, SHA_MAX_CTX_SIZE); -+} -Index: libgcrypt-1.10.0/random/jitterentropy-sha3.h -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-sha3.h -+++ libgcrypt-1.10.0/random/jitterentropy-sha3.h -@@ -47,6 +47,8 @@ struct sha_ctx { - void sha3_256_init(struct sha_ctx *ctx); - void sha3_update(struct sha_ctx *ctx, const uint8_t *in, size_t inlen); - void sha3_final(struct sha_ctx *ctx, uint8_t *digest); -+int sha3_alloc(void **hash_state); -+void sha3_dealloc(void *hash_state); - int sha3_tester(void); - - #ifdef 
__cplusplus -Index: libgcrypt-1.10.0/random/jitterentropy-timer.c -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-timer.c -+++ libgcrypt-1.10.0/random/jitterentropy-timer.c -@@ -202,8 +202,8 @@ int jent_notime_enable(struct rand_data - if (jent_force_internal_timer || (flags & JENT_FORCE_INTERNAL_TIMER)) { - /* Self test not run yet */ - if (!jent_force_internal_timer && -- jent_time_entropy_init(flags | JENT_FORCE_INTERNAL_TIMER, -- ec->osr)) -+ jent_time_entropy_init(ec->osr, -+ flags | JENT_FORCE_INTERNAL_TIMER)) - return EHEALTH; - - ec->enable_notime = 1; -Index: libgcrypt-1.10.0/random/jitterentropy.h -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy.h -+++ libgcrypt-1.10.0/random/jitterentropy.h -@@ -49,7 +49,7 @@ - ***************************************************************************/ - - /* -- * Enable timer-less timer support -+ * Enable timer-less timer support with JENT_CONF_ENABLE_INTERNAL_TIMER - * - * In case the hardware is identified to not provide a high-resolution time - * stamp, this option enables a built-in high-resolution time stamp mechanism. -@@ -166,7 +166,7 @@ struct rand_data - * of the RNG are marked as SENSITIVE. A user must not - * access that information while the RNG executes its loops to - * calculate the next random value. */ -- uint8_t data[SHA3_256_SIZE_DIGEST]; /* SENSITIVE Actual random number */ -+ void *hash_state; /* SENSITIVE hash state entropy pool */ - uint64_t prev_time; /* SENSITIVE Previous time stamp */ - #define DATA_SIZE_BITS (SHA3_256_SIZE_DIGEST_BITS) - -@@ -378,28 +378,34 @@ int jent_entropy_init(void); - JENT_PRIVATE_STATIC - int jent_entropy_init_ex(unsigned int osr, unsigned int flags); - -+/* -+ * Set a callback to run on health failure in FIPS mode. -+ * This function will take an action determined by the caller. 
-+ */ -+typedef void (*jent_fips_failure_cb)(struct rand_data *ec, -+ unsigned int health_failure); -+JENT_PRIVATE_STATIC -+int jent_set_fips_failure_callback(jent_fips_failure_cb cb); -+ - /* return version number of core library */ - JENT_PRIVATE_STATIC - unsigned int jent_version(void); - --#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER - /* Set a different thread handling logic for the notimer support */ - JENT_PRIVATE_STATIC - int jent_entropy_switch_notime_impl(struct jent_notime_thread *new_thread); --#endif - - /* -- END of Main interface functions -- */ - - /* -- BEGIN timer-less threading support functions to prevent code dupes -- */ - --struct jent_notime_ctx { - #ifdef JENT_CONF_ENABLE_INTERNAL_TIMER -+ -+struct jent_notime_ctx { - pthread_attr_t notime_pthread_attr; /* pthreads library */ - pthread_t notime_thread_id; /* pthreads thread ID */ --#endif - }; - --#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER - - JENT_PRIVATE_STATIC - int jent_notime_init(void **ctx); -Index: libgcrypt-1.10.0/random/jitterentropy-base-user.h -=================================================================== ---- libgcrypt-1.10.0.orig/random/jitterentropy-base-user.h -+++ libgcrypt-1.10.0/random/jitterentropy-base-user.h -@@ -213,12 +213,12 @@ static inline void jent_get_cachesize(lo - ext = strstr(buf, "K"); - if (ext) { - shift = 10; -- ext = '\0'; -+ *ext = '\0'; - } else { - ext = strstr(buf, "M"); - if (ext) { - shift = 20; -- ext = '\0'; -+ *ext = '\0'; - } - } - diff --git a/libgcrypt-no-deprecated-grep-alias.patch b/libgcrypt-no-deprecated-grep-alias.patch deleted file mode 100644 index ba0dde8..0000000 --- a/libgcrypt-no-deprecated-grep-alias.patch +++ /dev/null 
@@ -1,35 +0,0 @@ ---- libgcrypt-1.10.3.orig/acinclude.m4 -+++ libgcrypt-1.10.3/acinclude.m4 -@@ -130,10 +130,10 @@ EOF - ac_nlist=conftest.nm - if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \| cut -d \' \' -f 2 \> $ac_nlist) && test -s "$ac_nlist"; then - # See whether the symbols have a leading underscore. -- if egrep '^_nm_test_func' "$ac_nlist" >/dev/null; then -+ if grep -E '^_nm_test_func' "$ac_nlist" >/dev/null; then - ac_cv_sys_symbol_underscore=yes - else -- if egrep '^nm_test_func ' "$ac_nlist" >/dev/null; then -+ if grep -E '^nm_test_func ' "$ac_nlist" >/dev/null; then - : - else - echo "configure: cannot find nm_test_func in $ac_nlist" >&AS_MESSAGE_LOG_FD ---- libgcrypt-1.10.3.orig/src/libgcrypt-config.in -+++ libgcrypt-1.10.3/src/libgcrypt-config.in -@@ -154,7 +154,7 @@ if test "$echo_cflags" = "yes"; then - - tmp="" - for i in $includes $cflags_final; do -- if echo "$tmp" | fgrep -v -- "$i" >/dev/null; then -+ if echo "$tmp" | @GREP@ -F -v -- "$i" >/dev/null; then - tmp="$tmp $i" - fi - done -@@ -175,7 +175,7 @@ if test "$echo_libs" = "yes"; then - - tmp="" - for i in $libdirs $libs_final; do -- if echo "$tmp" | fgrep -v -- "$i" >/dev/null; then -+ if echo "$tmp" | @GREP@ -F -v -- "$i" >/dev/null; then - tmp="$tmp $i" - fi - done diff --git a/libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch b/libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch deleted file mode 100644 index 8ef3197..0000000 --- a/libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -commit 2c5e5ab6843d747c4b877d2c6f47226f61e9ff14 -Author: Jussi Kivilinna -Date: Sun Jun 12 21:51:34 2022 +0300 - - ppc enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES on arch 3.00 - - * cipher/chacha20.c (chacha20_do_setkey) [USE_PPC_VEC]: Enable - P10 assembly for HWF_PPC_ARCH_3_00 if ENABLE_FORCE_SOFT_HWFEATURES is - defined. - * cipher/poly1305.c (poly1305_init) [POLY1305_USE_PPC_VEC]: Likewise. - * cipher/rijndael.c (do_setkey) [USE_PPC_CRYPTO_WITH_PPC9LE]: Likewise. - --- - - This change allows testing P10 implementations with P9 and with QEMU-PPC. - - GnuPG-bug-id: 6006 - 
Signed-off-by: Jussi Kivilinna - -Index: libgcrypt-1.10.2/cipher/chacha20.c -=================================================================== ---- libgcrypt-1.10.2.orig/cipher/chacha20.c -+++ libgcrypt-1.10.2/cipher/chacha20.c -@@ -484,6 +484,11 @@ chacha20_do_setkey (CHACHA20_context_t * - ctx->use_ppc = (features & HWF_PPC_ARCH_2_07) != 0; - # ifndef WORDS_BIGENDIAN - ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0; -+# ifdef ENABLE_FORCE_SOFT_HWFEATURES -+ /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. -+ * Actual implementation works with HWF_PPC_ARCH_3_00 also. */ -+ ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0; -+# endif - # endif - #endif - #ifdef USE_S390X_VX -Index: libgcrypt-1.10.2/cipher/poly1305.c -=================================================================== ---- libgcrypt-1.10.2.orig/cipher/poly1305.c -+++ libgcrypt-1.10.2/cipher/poly1305.c -@@ -90,11 +90,19 @@ static void poly1305_init (poly1305_cont - const byte key[POLY1305_KEYLEN]) - { - POLY1305_STATE *st = &ctx->state; -+ unsigned int features = _gcry_get_hw_features (); - - #ifdef POLY1305_USE_PPC_VEC -- ctx->use_p10 = (_gcry_get_hw_features () & HWF_PPC_ARCH_3_10) != 0; -+ ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0; -+# ifdef ENABLE_FORCE_SOFT_HWFEATURES -+ /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. -+ * Actual implementation works with HWF_PPC_ARCH_3_00 also. 
*/ -+ ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0; -+# endif - #endif - -+ (void)features; -+ - ctx->leftover = 0; - - st->h[0] = 0; -Index: libgcrypt-1.10.2/cipher/rijndael.c -=================================================================== ---- libgcrypt-1.10.2.orig/cipher/rijndael.c -+++ libgcrypt-1.10.2/cipher/rijndael.c -@@ -605,6 +605,12 @@ do_setkey (RIJNDAEL_context *ctx, const - bulk_ops->xts_crypt = _gcry_aes_ppc9le_xts_crypt; - if (hwfeatures & HWF_PPC_ARCH_3_10) /* for P10 */ - bulk_ops->gcm_crypt = _gcry_aes_p10le_gcm_crypt; -+# ifdef ENABLE_FORCE_SOFT_HWFEATURES -+ /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. -+ * Actual implementation works with HWF_PPC_ARCH_3_00 also. */ -+ if (hwfeatures & HWF_PPC_ARCH_3_00) -+ bulk_ops->gcm_crypt = _gcry_aes_p10le_gcm_crypt; -+# endif - } - #endif - #ifdef USE_PPC_CRYPTO diff --git a/libgcrypt.changes b/libgcrypt.changes index 08131b2..a1b3614 100644 --- a/libgcrypt.changes +++ b/libgcrypt.changes 
@@ -1,3 +1,97 @@ +------------------------------------------------------------------- +Thu Jun 20 08:11:07 UTC 2024 - Pedro Monreal + +- Update to 1.11.0: + * New and extended interfaces: + - Add an API for Key Encapsulation Mechanism (KEM). [T6755] + - Add Streamlined NTRU Prime sntrup761 algorithm. [rCcf9923e1a5] + - Add Kyber algorithm according to FIPS 203 ipd 2023-08-24. [rC18e5c0d268] + - Add Classic McEliece algorithm. [rC003367b912] + - Add One-Step KDF with hash and MAC. [T5964] + - Add KDF algorithm HKDF of RFC-5869. [T5964] + - Add KDF algorithm X963KDF for use in CMS. [rC3abac420b3] + - Add GMAC-SM4 and Poly1305-SM4. [rCd1ccc409d4] + - Add ARIA block cipher algorithm. [rC316c6d7715] + - Add explicit FIPS indicators for MD and MAC algorithms. [T6376] + - Add support for SHAKE as MGF in RSA. [T6557] + - Add gcry_md_read support for SHAKE algorithms. [T6539] + - Add gcry_md_hash_buffers_ext function. [T7035] + - Add cSHAKE hash algorithm. [rC065b3f4e02] + - Support internal generation of IV for AEAD cipher mode. [T4873] + * Performance: + - Add SM3 ARMv8/AArch64/CE assembly implementation. [rCfe891ff4a3] + - Add SM4 ARMv8/AArch64 assembly implementation. [rCd8825601f1] + - Add SM4 GFNI/AVX2 and GFI/AVX512 implementation. [rC5095d60af4,rCeaed633c16] + - Add SM4 ARMv9 SVE CE assembly implementation. [rC2dc2654006] + - Add PowerPC vector implementation of SM4. [rC0b2da804ee] + - Optimize ChaCha20 and Poly1305 for PPC P10 LE. [T6006] + - Add CTR32LE bulk acceleration for AES on PPC. [rC84f2e2d0b5] + - Add generic bulk acceleration for CTR32LE mode (GCM-SIV) for SM4 + and Camellia. [rCcf956793af] + - Add GFNI/AVX2 implementation of Camellia. [rC4e6896eb9f] + - Add AVX2 and AVX512 accelerated implementations for GHASH (GCM) + and POLYVAL (GCM-SIV). [rCd857e85cb4, rCe6f3600193] + - Add AVX512 implementation for SHA512. [rC089223aa3b] + - Add AVX512 implementation for Serpent. [rCce95b6ec35] + - Add AVX512 implementation for Poly1305 and ChaCha20. 
[rCcd3ed49770, rC9a63cfd617] + - Add AVX512 accelerated implementation for SHA3 and Blake2. [rCbeaad75f46,rC909daa700e] + - Add VAES/AVX2 accelerated i386 implementation for AES. [rC4a42a042bc] + - Add bulk processing for XTS mode of Camellia and SM4. [rC32b18cdb87, rCaad3381e93] + - Accelerate XTS and ECB modes for Twofish and Serpent. [rCd078a928f5,rC8a1fe5f78f] + - Add AArch64 crypto/SHA512 extension implementation for SHA512. [rCe51d3b8330] + - Add AArch64 crypto-extension implementation for Camellia. [rC898c857206] + - Accelerate OCB authentication on AMD with AVX2. [rC6b47e85d65] + * Bug fixes: + - For PowerPC check for missing optimization level for vector register usage. [T5785] + - Fix EdDSA secret key check. [T6511] + - Fix decoding of PKCS#1-v1.5 and OAEP padding. [rC34c2042792] + - Allow use of PKCS#1-v1.5 with SHA3 algorithms. [T6976] + - Fix AESWRAP padding length check. [T7130] + * Other: + - Allow empty password for Argon2 KDF. [rCa20700c55f] + - Various constant time operation imporvements. + - Add "bp256", "bp384", "bp512" aliases for Brainpool curves. + - Support for the random server has been removed. [T5811] + - The control code GCRYCTL_ENABLE_M_GUARD is deprecated and not + supported any more. Please use valgrind or other tools. [T5822] + - Logging is now done via the libgpg-error logging functions. [rCab0bdc72c7] + * Remove patches fixed upstream: + - libgcrypt-no-deprecated-grep-alias.patch + - libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch + - libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch + * Rebase patches: + - libgcrypt-FIPS-jitter-errorcodes.patch + - libgcrypt-FIPS-jitter-whole-entropy.patch + +------------------------------------------------------------------- +Wed Mar 20 20:31:40 UTC 2024 - Pedro Monreal + +- FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG + for the whole length entropy buffer in FIPS mode. 
[bsc#1220893] + * Add libgcrypt-FIPS-jitter-whole-entropy.patch + +------------------------------------------------------------------- +Wed Mar 20 15:13:04 UTC 2024 - Pedro Monreal + +- FIPS: Set the FSM into error state if Jitter RNG is returning an + error code to the caller when an health test error occurs when + random bytes are requested through the jent_read_entropy_safe() + function. [bsc#1220895] + * Add libgcrypt-FIPS-jitter-errorcodes.patch + +------------------------------------------------------------------- +Mon Mar 11 16:02:55 UTC 2024 - Pedro Monreal + +- FIPS: Replace the built-in jitter rng with standalone version + * Remove the internal jitterentropy copy [bsc#1220896] + * Add libgcrypt-FIPS-jitter-standalone.patch + * Remove not needed libgcrypt-jitterentropy-3.4.0.patch + +------------------------------------------------------------------- +Mon Feb 26 12:13:56 UTC 2024 - Pedro Monreal + +- Update upstream libgcrypt.keyring + ------------------------------------------------------------------- Sat Jan 27 13:37:34 UTC 2024 - Dirk Müller diff --git a/libgcrypt.spec b/libgcrypt.spec index 637be48..07d0dbb 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -20,7 +20,7 @@ %define libsoname %{name}%{libsover} %define hmac_key orboDeJITITejsirpADONivirpUkvarP Name: libgcrypt -Version: 1.10.3 +Version: 1.11.0 Release: 0 Summary: The GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later 
@@ -31,14 +31,12 @@ Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz Source2: baselibs.conf Source3: random.conf Source4: hwf.deny -# https://gnupg.org/signature_key.asc -Source5: libgcrypt.keyring +# https://www.gnupg.org/signature_key.html +Source5: https://gnupg.org/signature_key.asc#/%{name}.keyring Source99: libgcrypt.changes Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch #PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run Patch2: libgcrypt-nobetasuffix.patch -# https://dev.gnupg.org/T6964 -Patch3: libgcrypt-no-deprecated-grep-alias.patch # FIPS patches: #PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK Patch100: libgcrypt-FIPS-SLI-pk.patch 
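Review bot: `Source5` now fetches the verification keyring from `https://gnupg.org/signature_key.asc`, the same origin that serves `Source1` and its `.sig`, so the keyring and the artefact it authenticates share one trust path, whereas the previously vendored `libgcrypt.keyring` acted as an independently reviewed pin. The `#/%{name}.keyring` fragment keeps a copy checked in, but every refresh of that file should be compared against the fingerprints of the keyring it replaces (out of band, not from the same download) before it is committed, because a substituted keyring would let a mismatched signature validate silently. A one-line reminder next to the source would make that expectation visible to the next updater, e.g. `# On refresh, diff the key fingerprints against the previous %{name}.keyring before committing`.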
@@ -46,15 +44,16 @@ Patch100: libgcrypt-FIPS-SLI-pk.patch
 Patch101: libgcrypt-FIPS-SLI-kdf-leylength.patch
 #PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
 Patch102: libgcrypt-FIPS-SLI-hash-mac.patch
-#PATCH-FIX-SUSE bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy
-Patch103: libgcrypt-jitterentropy-3.4.0.patch
 #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
 Patch104: libgcrypt-FIPS-rndjent_poll.patch
-# POWER patches [jsc#PED-5088] POWER performance enhancements for cryptography
-Patch200: libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
-Patch201: libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
+#PATCH-FIX-SUSE bsc#1220896 FIPS: Replace the built-in jitter rng with standalone version
+Patch105: libgcrypt-FIPS-jitter-standalone.patch
+#PATCH-FIX-SUSE bsc#1220895 FIPS: Enforce the interpretation and use of jitter rng
+Patch106: libgcrypt-FIPS-jitter-errorcodes.patch
+#PATCH-FIX-SUSE bsc#1220893 FIPS: Use Jitter RNG for the whole length entropy buffer
+Patch107: libgcrypt-FIPS-jitter-whole-entropy.patch
 BuildRequires: automake >= 1.14
-BuildRequires: libgpg-error-devel >= 1.27
+BuildRequires: libgpg-error-devel >= 1.49
 BuildRequires: libtool
 BuildRequires: makeinfo
 BuildRequires: pkgconfig
@@ -70,6 +69,8 @@ understanding of applied cryptography is required to use Libgcrypt.
 Summary: The GNU Crypto Library
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 Group: System/Libraries
+BuildRequires: jitterentropy-devel >= 3.4.0
+Requires: libjitterentropy3 >= 3.4.0
 Provides: %{libsoname}-hmac = %{version}-%{release}
 Obsoletes: %{libsoname}-hmac < %{version}-%{release}
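Review bot: Patch105–Patch107 are only declared here; whether they are actually applied depends on the %prep section, which is outside this hunk — if %prep uses explicit `%patch` lines rather than `%autosetup`, matching entries for 105–107 are needed, and the now-removed Patch103/Patch200/Patch201 must lose theirs. The POWER patches Patch200/Patch201 are dropped with no explanation in the visible hunks; if they went away because 1.11.0 ships that work upstream, a comment such as `# jsc#PED-5088 POWER P10 patches dropped: carried upstream in 1.11.0 (verify on rebase)` at the spot where they used to sit would record the reason for the next maintainer.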
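Review bot: The new `Requires: libjitterentropy3 >= 3.4.0` moves the FIPS entropy source into a library that the `.libgcrypt.so.%{libsover}.hmac` integrity check set up elsewhere in this spec does not cover, and nothing in the hunk says so; a comment on that line, e.g. `# FIPS: the Jitter RNG now lives in libjitterentropy3, outside the libgcrypt.so HMAC integrity check [bsc#1220896]`, documents the changed module boundary for auditors. `BuildRequires: jitterentropy-devel >= 3.4.0` is placed inside the `%{libsoname}` subpackage block (Summary/License/Group/Provides) although every other BuildRequires sits in the main preamble in the previous hunk; BuildRequires is global in rpm so it works, but it belongs with the others. The explicit versioned Requires is presumably redundant with rpm's automatic soname dependency if libgcrypt.so links libjitterentropy.so.3 dynamically; if it is kept to enforce the 3.4.0 floor, say that in the same comment.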
@@ -83,7 +84,8 @@ License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
 Group: Development/Libraries/C and C++
 Requires: %{libsoname} = %{version}
 Requires: glibc-devel
-Requires: libgpg-error-devel >= 1.27
+Requires: jitterentropy-devel >= 3.4.0
+Requires: libgpg-error-devel >= 1.49
 %description devel
 Libgcrypt is a general purpose library of cryptographic building
@@ -100,9 +102,12 @@ library.
 # Rename the internal .hmac file to include the so library version
 sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in
+# Replace the built-in jitter rng with the standalone version [bsc#1220896]
+find . -type f -name "jitterentropy*" -print -delete
+
 %build
 export PUBKEYS="dsa elgamal rsa ecc"
-export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4"
+export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4 aria"
 export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3"
 export KDFS="s2k pkdf2 scrypt"
@@ -124,6 +129,7 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
 --disable-asm \
 %endif
 --enable-random=getentropy \
+ --enable-jent-support \
 %{nil}
 %make_build
@@ -140,7 +146,6 @@ LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
 # for a simple reason: the macro strips the binaries and thereby
 # invalidates a HMAC that may have been created earlier.
 # solution: create the hashes _after_ the macro runs.
-
 %define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
 %define __spec_install_post \
 %{?__debug_package:%{__debug_install_post}} \
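Review bot: The `find . -type f -name "jitterentropy*" -print -delete` in the `@@ -100,9 +102,12 @@` hunk is what guarantees the bundled jitterentropy copy cannot be compiled in, but it is silently coupled to two things the hunk does not show: Patch105 must rewire configure/Makefile to the system library, and the `--enable-jent-support` added in the `@@ -124,6 +129,7 @@` hunk would otherwise ask the build to compile the files just deleted. Whether this `find` runs before or after patch application is not visible here; if patches are applied first and Patch105 touches any `jitterentropy*` file, the deletion would throw those edits away, so a comment pinning the ordering is warranted, e.g. `# must run after patches are applied; Patch105 switches the build to the system libjitterentropy`. The glob is also tree-wide — any file whose name starts with `jitterentropy` anywhere under the unpacked source, not just the bundled copy, is removed; once the directory that holds the bundled copy is confirmed, anchoring the search there (`find <bundled-jent-dir> -type f -name "jitterentropy*" -print -delete`, placeholder path) narrows the blast radius. The `-print` output is useful evidence in the build log that the bundled copy was removed; keep it.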
