Fri, Apr 12
API which does not require allocation internally would be better. In this case, it is allocated on stack by the caller.
I mean, something like this (for GNU/Linux):
diff --git a/src/misc.c b/src/misc.c index 4db2d9a4..74864334 100644 --- a/src/misc.c +++ b/src/misc.c @@ -577,3 +577,80 @@ _gcry_divide_by_zero (void) gpg_err_set_errno (EDOM); _gcry_fatal_error (gpg_err_code_from_errno (errno), "divide by zero"); } + +#ifdef HAVE_CLOCK_GETTIME +#include <time.h> +# if defined(CLOCK_THREAD_CPUTIME_ID) && defined(CLOCK_TAI) +struct gcry_timedwait +{ + struct timespec ts; +}; + +typedef struct gcry_timedwait *gcry_timedwait_t; + +gcry_err_code_t +_gcry_timedwait_new (gcry_timedwait_t *r_tw, unsigned int flags) +{ + gcry_err_code_t err; + gcry_timedwait_t tw; + + *r_tw = NULL; + + /* Possibly, it would be good to be able to select the wall clock. + * For now, it's CPU time by the thread. */ + if (flags != 0) + return GPG_ERR_INV_ARG; + + tw = xtrymalloc (sizeof (gcry_timedwait_t)); + if (!tw) + return gpg_err_code_from_syserror (); + + if (clock_gettime (CLOCK_THREAD_CPUTIME_ID, &tw->ts) < 0) + { + err = gpg_err_code_from_syserror (); + xfree (tw); + return err; + } + + *r_tw = tw; + return 0; +} + +gcry_err_code_t +_gcry_timedwait_release (gcry_timedwait_t tw, struct timespec ts_r) +{ + gcry_err_code_t err; + struct timespec ts; + u32 negative; + + if (clock_gettime (CLOCK_THREAD_CPUTIME_ID, &ts) < 0) + { + err = gpg_err_code_from_syserror (); + xfree (tw); + return err; + } + + ts.tv_sec -= tw->ts.tv_sec; + ts.tv_nsec -= tw->ts.tv_nsec; + negative = ((u32)ts.tv_nsec) >> 31; + ts.tv_sec -= negative; + ts.tv_nsec += (1000000000 * negative); + + xfree (tw); + + ts_r.tv_sec -= ts.tv_sec; + ts_r.tv_nsec -= ts.tv_nsec; + negative = ((u32)ts_r.tv_nsec) >> 31; + ts_r.tv_sec -= negative; + ts_r.tv_nsec += (1000000000 * negative); + + if (ts_r.tv_sec < 0) + return GPG_ERR_TIME_CONFLICT; + + if (clock_nanosleep (CLOCK_TAI, 0, &ts_r, &ts_r)) + return gpg_err_code_from_syserror (); + + return 0; +} +# endif +#endif
Mar 11 2024
Mar 4 2024
Thank you!
Applied to both (master and 1.10 branch).
Mar 1 2024
Looks good to me. __CLOBBER_CC is needed as PA-RISC has carry/borrow bits in status register for add/sub instructions.
Since I don't like to introduce hppa specific workaround in a way like pragma (and I have no time to fix compiler itself), I tried to improve the ec-nist.c for hppa so that register pressure can be lower.
Here is my solution.
Feb 29 2024
Alternatively (more narrow workaround), when I add a line:
#pragma GCC optimize("O1")
before the function _gcry_mpi_ec_nist256_mod in mpi/ec-nist.c, it works for me on panama.debian.net (Debian porterbox for hppa).
Feb 28 2024
No, hardware barrier is not needed here. Compiler barrier is used here to prevent optimization removing mask generation and usage in following constant-time code.
Clarification from Dave:
Thanks, I can confirm that this patch fixes the issue. I'll let Sam decide if this is how we want to handle it downstream or wait for confirmation from gcc.
Feb 22 2024
A way to generated keys in the usual s-expression way has been added. This allows us to get the keygrip for the key.
Feb 21 2024
FWIW, I posted some ideas at https://lists.gnupg.org/pipermail/librepgp-discuss/2024/000043.html . For official use in Germany we will very likely also add Brainpool curves as a replacement for the IETF curves.
Feb 15 2024
Although, we don't use our usual s-expressions we need to add a way to derive a keygrip from Kyber et al and also to wrap the key into an s-expression to that it can be stored by gpg-agent in its usual files. An exported new API to get the keygrip of a KEM key would be good to avoid encapsulation but for other purposes an encapsulation is still required.
Feb 9 2024
Applied the change. I write the ChangeLog entry by commit message.
Feb 7 2024
Jan 30 2024
Fixed in master.
Thanks for your report. It seems the linker for Android is more strict.
Jan 29 2024
Thank you. I recently fixed for use of egrep rC656ca459e3d8: m4: Update acinclude.m4 to use $GREP., but overlooked this one.
Jan 27 2024
Jan 17 2024
Regading Kyber in GnuPG, there are a couple of open questions. For example whether the implicit lengths used for the key parameters match well with the overall protocol structure. Thus, as soon as we have finished the Libgcrypt part we will address this and implement it in some way. Before we do this we have to do a couple of changes to GnuPG required for FIPS compliance.
I just saw that Niibe is already working on the integration of the ML-KEM code into the master branch of libgcrypt. Apparently, this is an entirely new code base. Currently we are working on the integration of our ML-KEM implementation in libgcrypt into GnuPG. But based on what I see now it seems that apparently another approach is planned and already underway for libgcrypt and probably later also for GnuPG. It would be helpful if you could give us a pointer what your exact plans are, this makes it easier for us to direct our efforts in the optimal way.
Dec 21 2023
Fix for i386 assembly pushed to master and 1.10 branch.
Dec 19 2023
It looks that this is a bit more problematic case than I thought. Now building i386 with "-O2 -fsanitize=undefined" flags fails. I need to think little bit more how to handle this.
Dec 18 2023
@jukivili Thanks a lot. Please push the change to 1.10 branch and master.
Dec 16 2023
Dec 13 2023
Sorry for the fallout and thank you for taking care of it.
Dec 12 2023
Ah... it fails by make check because it does change the text in tests/basic.c which requires update of hash value.
I'm going to take care of this regressions.
Thank you. All applied and pushed to master.
Dec 4 2023
You may better ask on gcrypt-devel at gnupg.org for help.
Dec 1 2023
Nov 30 2023
Nov 28 2023
And another question: in the GnuPG code on the master branch I saw that algorithm identifiers for ML-KEM with Ed25519 and Ed448 are already defined in the code base. Do I understand correctly that the maintainers prefer the inclusion of these two algorithms and not necessarily the inclusion of the ones based on ML-KEM with ECDH using NIST or Brainpool curves?
Nov 27 2023
We have addressed all comments regarding ML-KEM (Kyber) and KMAC. Currently I am working on the GnuPG integration of the the ML-KEM composites. For that purpose I will need a branch of libgcrypt with both ML-KEM and KMAC. I am not sure if you are considering to integrate the ML-KEM version already now before the final NIST standards are release. Some libraries do it, for instance Botan. Appropriate naming of the algorithms can ensure that there arises no confusion which version of the algorithm one is using.
Nov 16 2023
Nov 15 2023
RSA improvement is not that worth now.
OK. When we will need and do, I will open new one.
The fix is in 1.10.3.
Fix is in 1.10.3.
Nov 14 2023
@gniibe: This is a pretty old bug; given all the changes of the last year, should we close it now?