Page MenuHome GnuPG

libgcryptProject
ActivePublic

Recent Activity

Fri, Mar 21

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

I applied some to master (generic improvement parts).

Fri, Mar 21, 7:31 AM · libgcrypt, Bug Report

Thu, Mar 20

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

I think that this may be the last update.
Don't use mpi_powm to avoid normalizing (and to be faster).

Thu, Mar 20, 1:08 AM · libgcrypt, Bug Report

Tue, Mar 18

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

Here is another update (replacing ecc-no-normalize-2025-03-13.patch).
Further, ec_addm is modified to be less leaky.

Tue, Mar 18, 6:30 AM · libgcrypt, Bug Report

Mon, Mar 17

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

There are three (or more) remaining things:
(1) ec_addm can be improved by adding U and V with mpih_add_lli , subtracting P with mpih_sub_n, and adding back P with mpih_add_n_cond
(2) Places with mpi_const for the argument when calling ec_mulm, ec_add or ec_subm should be fixed (it may modify the const MPI)
(3) make sure mpi_resize within ec_addm, ec_mulm, or ec_subm if needed

Mon, Mar 17, 3:24 AM · libgcrypt, Bug Report

Thu, Mar 13

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

Here is update (replacing ecc-no-normalize-2025-03-07.patch).

Thu, Mar 13, 7:18 AM · libgcrypt, Bug Report
gniibe changed the status of T7338: Revamp the FIPS service indicator from Open to Testing.
Thu, Mar 13, 7:05 AM · libgcrypt, FIPS, Feature Request

Fri, Mar 7

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

I think that major signal sources for K have been killed so far.

Fri, Mar 7, 5:35 AM · libgcrypt, Bug Report

Thu, Mar 6

gniibe added a comment to T7490: libgcrypt: constant-time modular exponentiation.

We should only enable least leak implementation for 64-bit, as it's not as fast on 32-bit architecture.

Thu, Mar 6, 2:47 AM · libgcrypt
gniibe added a comment to T7490: libgcrypt: constant-time modular exponentiation.

We should only enable least leak implementation for 64-bit, as it's not as fast on 32-bit architecture.

Thu, Mar 6, 2:42 AM · libgcrypt

Feb 25 2025

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

One more change for _gcry_dsa_gen_k in rC54caef02afa9: cipher:(EC)DSA: Simply use mpi_clear_highbit in _gcry_dsa_gen_k.

Feb 25 2025, 3:47 AM · libgcrypt, Bug Report
gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

One more change for mpi_invm in rCc1da86e45a6e: mpi: Avoid normalizing MPI in _gcry_mpi_invm.

Feb 25 2025, 3:25 AM · libgcrypt, Bug Report

Feb 19 2025

gniibe changed the status of T7519: libgcrypt: (EC)DSA signature generation should be constant-time from Open to Testing.

All changes are pushed to master.

Feb 19 2025, 5:36 AM · libgcrypt, Bug Report
gniibe changed the status of T7490: libgcrypt: constant-time modular exponentiation, a subtask of T3264: Possible RSA improvement, from Open to Testing.
Feb 19 2025, 5:35 AM · libgcrypt
gniibe changed the status of T7490: libgcrypt: constant-time modular exponentiation from Open to Testing.

Pushed the changes by the commit rC2039d93289db: mpi: Add MPI helper modular exponentiation, Least Leak Intended.

Feb 19 2025, 5:35 AM · libgcrypt

Feb 14 2025

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

Use of mpi_cmp is now being fixed, by providing _gcry_mpih_cmp_lli function.
Along with that, we need to fix use of mpi_cmp_ui, since it's skips earlier depending its limbs.

diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
index 170dce12..e010e182 100644
--- a/cipher/dsa-common.c
+++ b/cipher/dsa-common.c
@@ -25,6 +25,7 @@
Feb 14 2025, 1:32 AM · libgcrypt, Bug Report

Feb 10 2025

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

And then, we need to use less leaky version of mpi_cmp (because mpi_cmp calls mpi_normalize, it's not good).

Feb 10 2025, 5:37 AM · libgcrypt, Bug Report
gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

And this is for less leak for _gcry_dsa_modify_k:

Feb 10 2025, 5:36 AM · libgcrypt, Bug Report
gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

This is needed before we remove leaks by mpi_add in _gcry_dsa_modify_k :

Feb 10 2025, 3:34 AM · libgcrypt, Bug Report
gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

Commit rC35a6a6feb9dc: Fix _gcry_dsa_modify_k. is related, but it doesn't matter for usual compilers (it's an issue for MSVC).

Feb 10 2025, 3:24 AM · libgcrypt, Bug Report

Feb 7 2025

gniibe added a comment to T7519: libgcrypt: (EC)DSA signature generation should be constant-time.

This is needed for RFC6979 flag support.

Feb 7 2025, 6:42 AM · libgcrypt, Bug Report
gniibe claimed T7519: libgcrypt: (EC)DSA signature generation should be constant-time.
Feb 7 2025, 6:37 AM · libgcrypt, Bug Report
gniibe created T7519: libgcrypt: (EC)DSA signature generation should be constant-time.
Feb 7 2025, 6:37 AM · libgcrypt, Bug Report

Jan 31 2025

gniibe added a comment to T7490: libgcrypt: constant-time modular exponentiation.

The commit rC58c11aa8 is the improved version by k-ary exponentiation (while rC6dffd105e2e2 is 1-bit at a time) and using heap.

Jan 31 2025, 2:43 AM · libgcrypt

Jan 25 2025

gniibe added a comment to T7490: libgcrypt: constant-time modular exponentiation.

I created https://dev.gnupg.org/source/libgcrypt/history/gniibe%252Ft7490/
The commit rC6dffd105e2e2 works for me.
It is a bit of exponent at time Montgomery exponentiation.
I don't put an optimization for the reduction as I don't know if it's OK for patent-wise (looks like expired, though).

Jan 25 2025, 3:04 AM · libgcrypt

Jan 22 2025

gniibe changed the status of T7486: libgcrypt: Remove WindowsCE support from Open to Testing.
Jan 22 2025, 3:06 AM · libgcrypt

Jan 21 2025

gniibe triaged T7490: libgcrypt: constant-time modular exponentiation as Wishlist priority.
Jan 21 2025, 1:44 AM · libgcrypt

Jan 17 2025

gniibe reopened T3269: (Constant-time) modular reduction, a subtask of T3264: Possible RSA improvement, as Open.
Jan 17 2025, 7:01 AM · libgcrypt
gniibe reopened T3269: (Constant-time) modular reduction as "Open".

Re-open, so that I can pursue constant-time modular exponentiation.

Jan 17 2025, 7:01 AM · libgcrypt

Jan 15 2025

gniibe renamed T7486: libgcrypt: Remove WindowsCE support from libksba, libgcrypt: Remove WindowsCE support to libgcrypt: Remove WindowsCE support.
Jan 15 2025, 7:53 AM · libgcrypt
gniibe removed a project from T7486: libgcrypt: Remove WindowsCE support: libksba.
Jan 15 2025, 7:53 AM · libgcrypt
gniibe triaged T7486: libgcrypt: Remove WindowsCE support as Wishlist priority.
Jan 15 2025, 7:44 AM · libgcrypt

Dec 12 2024

gniibe added a comment to T7338: Revamp the FIPS service indicator.

Here are changes for gcry_md_open and its friends.

Dec 12 2024, 6:43 AM · libgcrypt, FIPS, Feature Request
gniibe added a comment to T7338: Revamp the FIPS service indicator.

My idea in https://dev.gnupg.org/T7338#195529 doesn't work well when a function call is done multiple times.
Assuming SUCCESS, and marking all non-compliant places in the code works, and it would be good because libgcrypt so far maintains non-compliant path with rejection.

Dec 12 2024, 3:09 AM · libgcrypt, FIPS, Feature Request

Dec 9 2024

gniibe added a comment to T7338: Revamp the FIPS service indicator.

Pushed the change for adding hash tests in rC7faf542f1573: fips,tests: Add t-digest.

Dec 9 2024, 6:34 AM · libgcrypt, FIPS, Feature Request

Dec 6 2024

gniibe added a comment to T7338: Revamp the FIPS service indicator.

It seems that the internal API (as of 2024-12-06) is not enough.
Now, we have _gcry_md_hash_buffer function with the new FIPS service indicator.
It's used for public key crypto, too.
The compliance for hash function is a part of public key crypto, but not all.

Dec 6 2024, 6:54 AM · libgcrypt, FIPS, Feature Request
gniibe added a comment to T7338: Revamp the FIPS service indicator.

A change for gcry_md_hash_* functions are pushed by rC3478caac62c7: fips,md: Implement new FIPS service indicator for gcry_md_hash_*..
It doesn't have tests with FIPS service indicator yet.

Dec 6 2024, 6:40 AM · libgcrypt, FIPS, Feature Request

Dec 5 2024

gniibe added a comment to T7338: Revamp the FIPS service indicator.

New external API is by GCRYCTL_FIPS_SERVICE_INDICATOR and/or the new macro gcry_get_fips_service_indicator.
This change is pushed by rCf51f4e98930e: fips: Introduce GCRYCTL_FIPS_SERVICE_INDICATOR and the macro.

Dec 5 2024, 3:37 AM · libgcrypt, FIPS, Feature Request
gniibe added a comment to T7338: Revamp the FIPS service indicator.

New internal API is introduced with T7340 by the commit rCe1cf31232825: fips: Introduce an internal API for FIPS service indicator.

Dec 5 2024, 3:30 AM · libgcrypt, FIPS, Feature Request
gniibe changed the status of T7340: Introduced a context with thread local storage, a subtask of T7338: Revamp the FIPS service indicator, from Open to Testing.
Dec 5 2024, 3:28 AM · libgcrypt, FIPS, Feature Request
gniibe changed the status of T7340: Introduced a context with thread local storage from Open to Testing.

Change is pushed by rCe1cf31232825: fips: Introduce an internal API for FIPS service indicator.

Dec 5 2024, 3:28 AM · libgcrypt, FIPS, Feature Request

Dec 4 2024

werner closed T7397: Kleopatra: Support Kyber generation, a subtask of T6636: PQC Implementation, as Resolved.
Dec 4 2024, 2:46 PM · PQC, gnupg, libgcrypt

Nov 14 2024

ikloecker changed the status of T7397: Kleopatra: Support Kyber generation, a subtask of T6636: PQC Implementation, from Open to Testing.
Nov 14 2024, 4:39 PM · PQC, gnupg, libgcrypt

Nov 4 2024

werner triaged T7338: Revamp the FIPS service indicator as High priority.
Nov 4 2024, 12:54 PM · libgcrypt, FIPS, Feature Request

Oct 24 2024

gniibe added a comment to T7340: Introduced a context with thread local storage.

I created a branch: https://dev.gnupg.org/source/libgcrypt/history/gniibe%252Ft7340/

Oct 24 2024, 3:27 AM · libgcrypt, FIPS, Feature Request

Oct 16 2024

gniibe added a comment to T7340: Introduced a context with thread local storage.

Autoconf archive has AX_TLS: https://www.gnu.org/software/autoconf-archive/ax_tls.html
Also, AX_GCC_VAR_ATTRIBUTE(tls_model) could be used: https://www.gnu.org/software/autoconf-archive/ax_gcc_var_attribute.html

Oct 16 2024, 7:31 AM · libgcrypt, FIPS, Feature Request
gniibe updated the task description for T7340: Introduced a context with thread local storage.
Oct 16 2024, 7:28 AM · libgcrypt, FIPS, Feature Request
gniibe updated the task description for T7340: Introduced a context with thread local storage.
Oct 16 2024, 7:22 AM · libgcrypt, FIPS, Feature Request
gniibe triaged T7340: Introduced a context with thread local storage as Normal priority.
Oct 16 2024, 7:21 AM · libgcrypt, FIPS, Feature Request

Oct 15 2024

gniibe claimed T7338: Revamp the FIPS service indicator.
Oct 15 2024, 11:25 AM · libgcrypt, FIPS, Feature Request
werner created T7338: Revamp the FIPS service indicator.
Oct 15 2024, 11:24 AM · libgcrypt, FIPS, Feature Request