diff --git a/CVE-2019-12904-1.patch b/CVE-2019-12904-1.patch deleted file mode 100644 index 444afbf..0000000 --- a/CVE-2019-12904-1.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001 -From: Jussi Kivilinna -Date: Sat, 27 Apr 2019 19:33:28 +0300 -Subject: [PATCH 193/222] Prefetch GCM look-up tables - -* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables) -(prefetch_tables): New. -(ghash_internal): Call prefetch_tables. --- - -Signed-off-by: Jussi Kivilinna ---- - cipher/cipher-gcm.c | 33 +++++++++++++++++++++++++++++++++ - 1 file changed, 33 insertions(+) - -diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c -index c19f09f2..11f119aa 100644 ---- a/cipher/cipher-gcm.c -+++ b/cipher/cipher-gcm.c -@@ -118,6 +118,34 @@ static const u16 gcmR[256] = { - 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, - }; - -+static inline -+void prefetch_table(const void *tab, size_t len) -+{ -+ const volatile byte *vtab = tab; -+ size_t i; -+ -+ for (i = 0; i < len; i += 8 * 32) -+ { -+ (void)vtab[i + 0 * 32]; -+ (void)vtab[i + 1 * 32]; -+ (void)vtab[i + 2 * 32]; -+ (void)vtab[i + 3 * 32]; -+ (void)vtab[i + 4 * 32]; -+ (void)vtab[i + 5 * 32]; -+ (void)vtab[i + 6 * 32]; -+ (void)vtab[i + 7 * 32]; -+ } -+ -+ (void)vtab[len - 1]; -+} -+ -+static inline void -+do_prefetch_tables (const void *gcmM, size_t gcmM_size) -+{ -+ prefetch_table(gcmM, gcmM_size); -+ prefetch_table(gcmR, sizeof(gcmR)); -+} -+ - #ifdef GCM_TABLES_USE_U64 - static void - bshift (u64 * b0, u64 * b1) -@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM) - #define fillM(c) \ - do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table) - #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table) -+#define prefetch_tables(c) \ -+ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table)) - - #else - -@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf) - - #define fillM(c) do { } while (0) - #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf) -+#define prefetch_tables(c) do {} while (0) - - #endif /* !GCM_USE_TABLES */ - -@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf, - const unsigned int blocksize = GCRY_GCM_BLOCK_LEN; - unsigned int burn = 0; - -+ prefetch_tables (c); -+ - while (nblocks) - { - burn = GHASH (c, result, buf); --- -2.12.3 diff --git a/CVE-2019-12904-2.patch b/CVE-2019-12904-2.patch deleted file mode 100644 index ef31149..0000000 --- a/CVE-2019-12904-2.patch +++ /dev/null @@ -1,168 +0,0 @@ -From a4c561aab1014c3630bc88faf6f5246fee16b020 Mon Sep 17 00:00:00 2001 -From: Jussi Kivilinna -Date: Fri, 31 May 2019 17:27:25 +0300 -Subject: [PATCH] GCM: move look-up table to .data section and unshare between - processes - -* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New. -(gcmR): Move to 'gcm_table' structure. -(gcm_table): New structure for look-up table with counters before and -after. -(gcmR): New macro. -(prefetch_table): Handle input with length not multiple of 256. -(do_prefetch_tables): Modify pre- and post-table counters to unshare -look-up table pages between processes. --- - -GnuPG-bug-id: 4541 -Signed-off-by: Jussi Kivilinna ---- - cipher/cipher-gcm.c | 106 +++++++++++++++++++++++++++++--------------- - 1 file changed, 70 insertions(+), 36 deletions(-) - -diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c -index 11f119aa..194e2ec9 100644 ---- a/cipher/cipher-gcm.c -+++ b/cipher/cipher-gcm.c -@@ -30,6 +30,14 @@ - #include "./cipher-internal.h" - - -+/* Helper macro to force alignment to 16 or 64 bytes. */ -+#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED -+# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) -+#else -+# define ATTR_ALIGNED_64 -+#endif -+ -+ - #ifdef GCM_USE_INTEL_PCLMUL - extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c); - -@@ -83,40 +91,54 @@ ghash_armv7_neon (gcry_cipher_hd_t c, byte *result, const byte *buf, - - - #ifdef GCM_USE_TABLES --static const u16 gcmR[256] = { -- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, -- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, -- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, -- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, -- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, -- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, -- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, -- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, -- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, -- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, -- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, -- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, -- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, -- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, -- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, -- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, -- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, -- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, -- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, -- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, -- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, -- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, -- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, -- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, -- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, -- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, -- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, -- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, -- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, -- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, -- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, -- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, --}; -+static struct -+{ -+ volatile u32 counter_head; -+ u32 cacheline_align[64 / 4 - 1]; -+ u16 R[256]; -+ volatile u32 counter_tail; -+} gcm_table ATTR_ALIGNED_64 = -+ { -+ 0, -+ { 0, }, -+ { -+ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, -+ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, -+ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, -+ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, -+ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, -+ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, -+ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, -+ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, -+ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, -+ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, -+ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, -+ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, -+ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, -+ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, -+ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, -+ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, -+ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, -+ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, -+ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, -+ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, -+ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, -+ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, -+ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, -+ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, -+ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, -+ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, -+ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, -+ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, -+ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, -+ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, -+ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, -+ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, -+ }, -+ 0 -+ }; -+ -+#define gcmR gcm_table.R - - static inline - void prefetch_table(const void *tab, size_t len) -@@ -124,7 +146,7 @@ void prefetch_table(const void *tab, size_t len) - const volatile byte *vtab = tab; - size_t i; - -- for (i = 0; i < len; i += 8 * 32) -+ for (i = 0; len - i >= 8 * 32; i += 8 * 32) - { - (void)vtab[i + 0 * 32]; - (void)vtab[i + 1 * 32]; -@@ -135,6 +157,10 @@ void prefetch_table(const void *tab, size_t len) - (void)vtab[i + 6 * 32]; - (void)vtab[i + 7 * 32]; - } -+ for (; i < len; i += 32) -+ { -+ (void)vtab[i]; -+ } - - (void)vtab[len - 1]; - } -@@ -142,8 +168,16 @@ void prefetch_table(const void *tab, size_t len) - static inline void - do_prefetch_tables (const void *gcmM, size_t gcmM_size) - { -+ /* Modify counters to trigger copy-on-write and unsharing if physical pages -+ * of look-up table are shared between processes. Modifying counters also -+ * causes checksums for pages to change and hint same-page merging algorithm -+ * that these pages are frequently changing. */ -+ gcm_table.counter_head++; -+ gcm_table.counter_tail++; -+ -+ /* Prefetch look-up tables to cache. */ - prefetch_table(gcmM, gcmM_size); -- prefetch_table(gcmR, sizeof(gcmR)); -+ prefetch_table(&gcm_table, sizeof(gcm_table)); - } - - #ifdef GCM_TABLES_USE_U64 diff --git a/CVE-2019-12904-3.patch b/CVE-2019-12904-3.patch deleted file mode 100644 index 10233f3..0000000 --- a/CVE-2019-12904-3.patch +++ /dev/null @@ -1,323 +0,0 @@ -From daedbbb5541cd8ecda1459d3b843ea4d92788762 Mon Sep 17 00:00:00 2001 -From: Jussi Kivilinna -Date: Fri, 31 May 2019 17:18:09 +0300 -Subject: [PATCH] AES: move look-up tables to .data section and unshare between - processes - -* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New. -* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure. -(enc_tables): New structure for encryption table with counters before -and after. -(encT): New macro. -(dec_tables): Add counters before and after encryption table; Move -from .rodata to .data section. -(do_encrypt): Change 'encT' to 'enc_tables.T'. -(do_decrypt): Change '&dec_tables' to 'dec_tables.T'. -* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input -with length not multiple of 256. -(prefetch_enc, prefetch_dec): Modify pre- and post-table counters -to unshare look-up table pages between processes. --- - -GnuPG-bug-id: 4541 -Signed-off-by: Jussi Kivilinna ---- - cipher/rijndael-internal.h | 4 +- - cipher/rijndael-tables.h | 155 +++++++++++++++++++++---------------- - cipher/rijndael.c | 35 +++++++-- - 3 files changed, 118 insertions(+), 76 deletions(-) - -diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h -index 160fb8c..a62d4b7 100644 ---- a/cipher/rijndael-internal.h -+++ b/cipher/rijndael-internal.h -@@ -29,11 +29,13 @@ - #define BLOCKSIZE (128/8) - - --/* Helper macro to force alignment to 16 bytes. */ -+/* Helper macro to force alignment to 16 or 64 bytes. */ - #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED - # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) -+# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) - #else - # define ATTR_ALIGNED_16 -+# define ATTR_ALIGNED_64 - #endif - - -diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h -index 8359470..b54d959 100644 ---- a/cipher/rijndael-tables.h -+++ b/cipher/rijndael-tables.h -@@ -21,80 +21,98 @@ - /* To keep the actual implementation at a readable size we use this - include file to define the tables. */ - --static const u32 encT[256] = -+static struct -+{ -+ volatile u32 counter_head; -+ u32 cacheline_align[64 / 4 - 1]; -+ u32 T[256]; -+ volatile u32 counter_tail; -+} enc_tables ATTR_ALIGNED_64 = - { -- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, -- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, -- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, -- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, -- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, -- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, -- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, -- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, -- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, -- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, -- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, -- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, -- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, -- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, -- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, -- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, -- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, -- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, -- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, -- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, -- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, -- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, -- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, -- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, -- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, -- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, -- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, -- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, -- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, -- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, -- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, -- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, -- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, -- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, -- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, -- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, -- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, -- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, -- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, -- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, -- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, -- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, -- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, -- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, -- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, -- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, -- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, -- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, -- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, -- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, -- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, -- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, -- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, -- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, -- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, -- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, -- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, -- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, -- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, -- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, -- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, -- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, -- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, -- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c -+ 0, -+ { 0, }, -+ { -+ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, -+ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, -+ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, -+ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, -+ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, -+ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, -+ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, -+ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, -+ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, -+ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, -+ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, -+ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, -+ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, -+ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, -+ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, -+ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, -+ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, -+ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, -+ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, -+ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, -+ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, -+ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, -+ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, -+ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, -+ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, -+ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, -+ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, -+ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, -+ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, -+ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, -+ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, -+ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, -+ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, -+ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, -+ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, -+ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, -+ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, -+ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, -+ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, -+ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, -+ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, -+ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, -+ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, -+ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, -+ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, -+ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, -+ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, -+ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, -+ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, -+ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, -+ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, -+ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, -+ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, -+ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, -+ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, -+ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, -+ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, -+ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, -+ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, -+ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, -+ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, -+ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, -+ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, -+ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c -+ }, -+ 0 - }; - --static const struct -+#define encT enc_tables.T -+ -+static struct - { -+ volatile u32 counter_head; -+ u32 cacheline_align[64 / 4 - 1]; - u32 T[256]; - byte inv_sbox[256]; --} dec_tables = -+ volatile u32 counter_tail; -+} dec_tables ATTR_ALIGNED_64 = - { -+ 0, -+ { 0, }, - { - 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, - 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, -@@ -194,7 +212,8 @@ static const struct - 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, - 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, - 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d -- } -+ }, -+ 0 - }; - - #define decT dec_tables.T -diff --git a/cipher/rijndael.c b/cipher/rijndael.c -index 8637195..d0edab2 100644 ---- a/cipher/rijndael.c -+++ b/cipher/rijndael.c -@@ -227,11 +227,11 @@ static const char *selftest(void); - - - /* Prefetching for encryption/decryption tables. */ --static void prefetch_table(const volatile byte *tab, size_t len) -+static inline void prefetch_table(const volatile byte *tab, size_t len) - { - size_t i; - -- for (i = 0; i < len; i += 8 * 32) -+ for (i = 0; len - i >= 8 * 32; i += 8 * 32) - { - (void)tab[i + 0 * 32]; - (void)tab[i + 1 * 32]; -@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len) - (void)tab[i + 6 * 32]; - (void)tab[i + 7 * 32]; - } -+ for (; i < len; i += 32) -+ { -+ (void)tab[i]; -+ } - - (void)tab[len - 1]; - } - - static void prefetch_enc(void) - { -- prefetch_table((const void *)encT, sizeof(encT)); -+ /* Modify counters to trigger copy-on-write and unsharing if physical pages -+ * of look-up table are shared between processes. Modifying counters also -+ * causes checksums for pages to change and hint same-page merging algorithm -+ * that these pages are frequently changing. */ -+ enc_tables.counter_head++; -+ enc_tables.counter_tail++; -+ -+ /* Prefetch look-up tables to cache. */ -+ prefetch_table((const void *)&enc_tables, sizeof(enc_tables)); - } - - static void prefetch_dec(void) - { -+ /* Modify counters to trigger copy-on-write and unsharing if physical pages -+ * of look-up table are shared between processes. Modifying counters also -+ * causes checksums for pages to change and hint same-page merging algorithm -+ * that these pages are frequently changing. */ -+ dec_tables.counter_head++; -+ dec_tables.counter_tail++; -+ -+ /* Prefetch look-up tables to cache. */ - prefetch_table((const void *)&dec_tables, sizeof(dec_tables)); - } - -@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx, - #ifdef USE_AMD64_ASM - # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS - return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, -- encT); -+ enc_tables.T); - # else - /* Call SystemV ABI function without storing non-volatile XMM registers, - * as target function does not use vector instruction sets. */ -@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx, - return ret; - # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ - #elif defined(USE_ARM_ASM) -- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT); -+ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, -+ enc_tables.T); - #else - return do_encrypt_fn (ctx, bx, ax); - #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/ -@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, - #ifdef USE_AMD64_ASM - # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS - return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, -- &dec_tables); -+ dec_tables.T); - # else - /* Call SystemV ABI function without storing non-volatile XMM registers, - * as target function does not use vector instruction sets. */ -@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, - # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ - #elif defined(USE_ARM_ASM) - return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, -- &dec_tables); -+ dec_tables.T); - #else - return do_decrypt_fn (ctx, bx, ax); - #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/ - diff --git a/CVE-2021-33560.patch b/CVE-2021-33560.patch deleted file mode 100644 index f0085ef..0000000 --- a/CVE-2021-33560.patch +++ /dev/null @@ -1,73 +0,0 @@ -From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka -Date: Tue, 13 Apr 2021 10:00:00 +0900 -Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding - too. - -* cipher/elgamal.c (do_encrypt): Also do exponent blinding. - --- - -Base blinding had been introduced with USE_BLINDING. This patch add -exponent blinding as well to mitigate side-channel attack on mpi_powm. - -GnuPG-bug-id: 5328 -Signed-off-by: NIIBE Yutaka ---- - cipher/elgamal.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - -diff --git a/cipher/elgamal.c b/cipher/elgamal.c -index 4eb52d6..9835122 100644 ---- a/cipher/elgamal.c -+++ b/cipher/elgamal.c -@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) - static void - decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) - { -- gcry_mpi_t t1, t2, r; -+ gcry_mpi_t t1, t2, r, r1, h; - unsigned int nbits = mpi_get_nbits (skey->p); -+ gcry_mpi_t x_blind; - - mpi_normalize (a); - mpi_normalize (b); -@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) - - t2 = mpi_snew (nbits); - r = mpi_new (nbits); -+ r1 = mpi_new (nbits); -+ h = mpi_new (nbits); -+ x_blind = mpi_snew (nbits); - - /* We need a random number of about the prime size. The random - number merely needs to be unpredictable; thus we use level 0. */ - _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM); - -+ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */ -+ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM); -+ mpi_set_highbit (r1, nbits - 1); -+ mpi_sub_ui (h, skey->p, 1); -+ mpi_mul (x_blind, h, r1); -+ mpi_add (x_blind, skey->x, x_blind); -+ - /* t1 = r^x mod p */ -- mpi_powm (t1, r, skey->x, skey->p); -+ mpi_powm (t1, r, x_blind, skey->p); - /* t2 = (a * r)^-x mod p */ - mpi_mulm (t2, a, r, skey->p); -- mpi_powm (t2, t2, skey->x, skey->p); -+ mpi_powm (t2, t2, x_blind, skey->p); - mpi_invm (t2, t2, skey->p); - /* t1 = (t1 * t2) mod p*/ - mpi_mulm (t1, t1, t2, skey->p); - -+ mpi_free (x_blind); -+ mpi_free (h); -+ mpi_free (r1); - mpi_free (r); - mpi_free (t2); - --- -1.8.3.1 - diff --git a/CVE-2021-40528.patch b/CVE-2021-40528.patch deleted file mode 100644 index 7e1ac44..0000000 --- a/CVE-2021-40528.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka -Date: Fri, 21 May 2021 11:15:07 +0900 -Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. - -* cipher/elgamal.c (gen_k): Remove support of smaller K. -(do_encrypt): Never use smaller K. -(sign): Folllow the change of gen_k. - --- - -Cherry-pick master commit of: - 632d80ef30e13de6926d503aa697f92b5dbfbc5e - -This change basically reverts encryption changes in two commits: - - 74386120dad6b3da62db37f7044267c8ef34689b - 78531373a342aeb847950f404343a05e36022065 - -Use of smaller K for ephemeral key in ElGamal encryption is only good, -when we can guarantee that recipient's key is generated by our -implementation (or compatible). - -For detail, please see: - - Luca De Feo, Bertram Poettering, Alessandro Sorniotti, - "On the (in)security of ElGamal in OpenPGP"; - in the proceedings of CCS'2021. - -CVE-id: CVE-2021-33560(This patch actually modifies CVE-2021-40528,see:https://dev.gnupg.org/T5328#149606) -GnuPG-bug-id: 5328 -Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti -Signed-off-by: NIIBE Yutaka ---- - cipher/elgamal.c | 24 ++++++------------------ - 1 file changed, 6 insertions(+), 18 deletions(-) - -diff --git a/cipher/elgamal.c b/cipher/elgamal.c -index 9835122..eead450 100644 ---- a/cipher/elgamal.c -+++ b/cipher/elgamal.c -@@ -66,7 +66,7 @@ static const char *elg_names[] = - - - static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); --static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); -+static gcry_mpi_t gen_k (gcry_mpi_t p); - static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, - gcry_mpi_t **factors); - static int check_secret_key (ELG_secret_key *sk); -@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) - - /**************** - * Generate a random secret exponent k from prime p, so that k is -- * relatively prime to p-1. With SMALL_K set, k will be selected for -- * better encryption performance - this must never be used signing! -+ * relatively prime to p-1. - */ - static gcry_mpi_t --gen_k( gcry_mpi_t p, int small_k ) -+gen_k( gcry_mpi_t p ) - { - gcry_mpi_t k = mpi_alloc_secure( 0 ); - gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); -@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) - unsigned int nbits, nbytes; - char *rndbuf = NULL; - -- if (small_k) -- { -- /* Using a k much lesser than p is sufficient for encryption and -- * it greatly improves the encryption performance. We use -- * Wiener's table and add a large safety margin. */ -- nbits = wiener_map( orig_nbits ) * 3 / 2; -- if( nbits >= orig_nbits ) -- BUG(); -- } -- else -- nbits = orig_nbits; -- -+ nbits = orig_nbits; - - nbytes = (nbits+7)/8; - if( DBG_CIPHER ) -@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) - * error code. - */ - -- k = gen_k( pkey->p, 1 ); -+ k = gen_k( pkey->p ); - mpi_powm (a, pkey->g, k, pkey->p); - - /* b = (y^k * input) mod p -@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) - * - */ - mpi_sub_ui(p_1, p_1, 1); -- k = gen_k( skey->p, 0 /* no small K ! */ ); -+ k = gen_k( skey->p ); - mpi_powm( a, skey->g, k, skey->p ); - mpi_mul(t, skey->x, a ); - mpi_subm(t, input, t, p_1 ); --- -1.8.3.1 - diff --git a/backport-add-crypto-hash-sm3.patch b/backport-add-crypto-hash-sm3.patch deleted file mode 100644 index 94476be..0000000 --- a/backport-add-crypto-hash-sm3.patch +++ /dev/null @@ -1,730 +0,0 @@ -From 78cb95d8fbd76159c1162c4ff72643f2c9984bf6 Mon Sep 17 00:00:00 2001 -From: zhujianwei001 -Date: Fri, 13 Aug 2021 08:51:20 +0800 -Subject: [PATCH] add support sm3 md -Reference: https://github.com/gpg/libgcrypt/commit/4423bf3cc4432b9bfe801ff74cb05e6f0dd3eccd#diff-4cfeaaa70bbeb65cd0cbb0bec58738e97bd585f3acb1f6ddc63cfa3a9abeb5dd -Conflict: fetch sm3.c from 1.9.3 tag, but remove _gcry_sm3_hash_buffer, _gcry_sm3_hash_buffers in struct _gcry_digest_spec_sm3, adjust hd->bctx.blocksize init in sm3_init; add some build support - -Add crypto hash SM3. -* configure.ac (available_digests): Add sm3. -* src/cipher.h: Add declarations for SM3. -* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm3.c. -* cipher/md.c [USE_SM3] (digest_list): Add _gcry_digest_spec_sm3. -* cipher/pubkey-util.c (hashnames): Add "sm3". -* cipher/sm3.c: New. -* tests/basic.c (check_digests): Add test vectors for SM3. -* tests/hashtest-256g.in (algos): Add SM3. -* tests/hashtest.c (testvectors): Add for SM3. --- -GnuPG-bug-id: 3454 -Signed-off-by: Jia Zhang ---- - cipher/Makefile.am | 1 + - cipher/md.c | 11 + - cipher/pubkey-util.c | 1 + - cipher/sm3.c | 472 +++++++++++++++++++++++++++++++++++++++++ - configure.ac | 7 + - doc/gcrypt.texi | 4 + - src/cipher.h | 7 + - src/gcrypt.h.in | 3 +- - tests/basic.c | 25 +++ - tests/hashtest-256g.in | 2 +- - tests/hashtest.c | 11 + - 11 files changed, 542 insertions(+), 2 deletions(-) - create mode 100644 cipher/sm3.c -diff --git a/cipher/Makefile.am b/cipher/Makefile.am -index 85a5b5f..d44dfea 100644 ---- a/cipher/Makefile.am -+++ b/cipher/Makefile.am -@@ -97,6 +97,7 @@ sha256.c sha256-ssse3-amd64.S sha256-avx-amd64.S sha256-avx2-bmi2-amd64.S \ - sha256-armv8-aarch32-ce.S sha256-armv8-aarch64-ce.S \ - sha512.c sha512-ssse3-amd64.S sha512-avx-amd64.S sha512-avx2-bmi2-amd64.S \ - sha512-armv7-neon.S sha512-arm.S \ -+sm3.c \ - keccak.c keccak_permute_32.h keccak_permute_64.h keccak-armv7-neon.S \ - stribog.c \ - tiger.c \ -diff --git a/cipher/md.c b/cipher/md.c -index 0d07854..13e3b3e 100644 ---- a/cipher/md.c -+++ b/cipher/md.c -@@ -94,6 +94,9 @@ static gcry_md_spec_t *digest_list[] = - &_gcry_digest_spec_blake2s_224, - &_gcry_digest_spec_blake2s_160, - &_gcry_digest_spec_blake2s_128, -+#endif -+#if USE_SM3 -+ &_gcry_digest_spec_sm3, - #endif - NULL - }; -@@ -1042,6 +1045,10 @@ _gcry_md_hash_buffer (int algo, void *digest, - #if USE_RMD160 - else if (algo == GCRY_MD_RMD160 && !fips_mode () ) - _gcry_rmd160_hash_buffer (digest, buffer, length); -+#endif -+#if USE_SM3 -+ else if (algo == GCRY_MD_SM3) -+ _gcry_sm3_hash_buffer (digest, buffer, length); - #endif - else - { -@@ -1115,6 +1122,10 @@ _gcry_md_hash_buffers (int algo, unsigned int flags, void *digest, - #if USE_SHA1 - else if (algo == GCRY_MD_SHA1 && !hmac) - _gcry_sha1_hash_buffers (digest, iov, iovcnt); -+#endif -+#if USE_SM3 -+ else if (algo == GCRY_MD_SM3 && !hmac) -+ _gcry_sm3_hash_buffers (digest, iov, iovcnt); - #endif - else - { -diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c -index c40ef97..ae0e1c4 100644 ---- a/cipher/pubkey-util.c -+++ b/cipher/pubkey-util.c -@@ -221,6 +221,7 @@ get_hash_algo (const char *s, size_t n) - { "sha3-256", GCRY_MD_SHA3_256 }, - { "sha3-384", GCRY_MD_SHA3_384 }, - { "sha3-512", GCRY_MD_SHA3_512 }, -+ { "sm3", GCRY_MD_SM3 }, - { NULL, 0 } - }; - int algo; -diff --git a/cipher/sm3.c b/cipher/sm3.c -new file mode 100644 -index 0000000..274b14e ---- /dev/null -+++ b/cipher/sm3.c -@@ -0,0 +1,472 @@ -+/* sm3.c - SM3 hash function -+ * Copyright (C) 2017 Jia Zhang -+ * -+ * This file is part of Libgcrypt. -+ * -+ * Libgcrypt is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU Lesser General Public License as -+ * published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * Libgcrypt is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this program; if not, see . -+ */ -+ -+ -+/* Test vectors: -+ * -+ * "abc" -+ * SM3: 66c7f0f4 62eeedd9 d1f2d46b dc10e4e2 4167c487 5cf2f7a2 297da02b 8f4ba8e0 -+ * -+ * "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd" -+ * SM3: debe9ff9 2275b8a1 38604889 c18e5a4d 6fdb70e5 387e5765 293dcba3 9c0c5732 -+ * -+ * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -+ * SM3: 639b6cc5 e64d9e37 a390b192 df4fa1ea 0720ab74 7ff692b9 f38c4e66 ad7b8c05 -+ * -+ * "a" one million times -+ * SM3: c8aaf894 29554029 e231941a 2acc0ad6 1ff2a5ac d8fadd25 847a3a73 2b3b02c3 -+ * -+ */ -+ -+ -+#include -+#include -+#include -+#include -+ -+#include "g10lib.h" -+#include "bithelp.h" -+#include "bufhelp.h" -+#include "cipher.h" -+#include "hash-common.h" -+ -+ -+typedef struct { -+ gcry_md_block_ctx_t bctx; -+ u32 h0,h1,h2,h3,h4,h5,h6,h7; -+} SM3_CONTEXT; -+ -+ -+static unsigned int -+transform (void *c, const unsigned char *data, size_t nblks); -+ -+ -+static void -+sm3_init (void *context, unsigned int flags) -+{ -+ SM3_CONTEXT *hd = context; -+ unsigned int features = _gcry_get_hw_features (); -+ -+ (void)flags; -+ -+ hd->h0 = 0x7380166f; -+ hd->h1 = 0x4914b2b9; -+ hd->h2 = 0x172442d7; -+ hd->h3 = 0xda8a0600; -+ hd->h4 = 0xa96f30bc; -+ hd->h5 = 0x163138aa; -+ hd->h6 = 0xe38dee4d; -+ hd->h7 = 0xb0fb0e4e; -+ -+ hd->bctx.nblocks = 0; -+ hd->bctx.nblocks_high = 0; -+ hd->bctx.count = 0; -+ hd->bctx.blocksize = 64; -+ hd->bctx.bwrite = transform; -+ -+ (void)features; -+} -+ -+ -+/* -+ * Transform the message X which consists of 16 32-bit-words. See -+ * GM/T 004-2012 for details. */ -+#define R(i,a,b,c,d,e,f,g,h,t,w1,w2) do \ -+ { \ -+ ss1 = rol ((rol ((a), 12) + (e) + (t)), 7); \ -+ ss2 = ss1 ^ rol ((a), 12); \ -+ d += FF##i(a,b,c) + ss2 + ((w1) ^ (w2)); \ -+ h += GG##i(e,f,g) + ss1 + (w1); \ -+ b = rol ((b), 9); \ -+ f = rol ((f), 19); \ -+ h = P0 ((h)); \ -+ } while (0) -+ -+#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2) -+#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2) -+ -+#define FF1(x, y, z) (x ^ y ^ z) -+ -+#define FF2(x, y, z) ((x & y) | (x & z) | (y & z)) -+ -+#define GG1(x, y, z) (x ^ y ^ z) -+ -+#define GG2(x, y, z) ((x & y) | ( ~x & z)) -+ -+/* Message expansion */ -+#define P0(x) ((x) ^ rol ((x), 9) ^ rol ((x), 17)) -+#define P1(x) ((x) ^ rol ((x), 15) ^ rol ((x), 23)) -+#define I(i) ( w[i] = buf_get_be32(data + i * 4) ) -+#define W1(i) ( w[i&0x0f] ) -+#define W2(i) ( w[i&0x0f] = P1(w[i &0x0f] \ -+ ^ w[(i-9)&0x0f] \ -+ ^ rol (w[(i-3)&0x0f], 15)) \ -+ ^ rol (w[(i-13)&0x0f], 7) \ -+ ^ w[(i-6)&0x0f] ) -+ -+static unsigned int -+transform_blk (void *ctx, const unsigned char *data) -+{ -+ SM3_CONTEXT *hd = ctx; -+ static const u32 K[64] = { -+ 0x79cc4519, 0xf3988a32, 0xe7311465, 0xce6228cb, -+ 0x9cc45197, 0x3988a32f, 0x7311465e, 0xe6228cbc, -+ 0xcc451979, 0x988a32f3, 0x311465e7, 0x6228cbce, -+ 0xc451979c, 0x88a32f39, 0x11465e73, 0x228cbce6, -+ 0x9d8a7a87, 0x3b14f50f, 0x7629ea1e, 0xec53d43c, -+ 0xd8a7a879, 0xb14f50f3, 0x629ea1e7, 0xc53d43ce, -+ 0x8a7a879d, 0x14f50f3b, 0x29ea1e76, 0x53d43cec, -+ 0xa7a879d8, 0x4f50f3b1, 0x9ea1e762, 0x3d43cec5, -+ 0x7a879d8a, 0xf50f3b14, 0xea1e7629, 0xd43cec53, -+ 0xa879d8a7, 0x50f3b14f, 0xa1e7629e, 0x43cec53d, -+ 0x879d8a7a, 0x0f3b14f5, 0x1e7629ea, 0x3cec53d4, -+ 0x79d8a7a8, 0xf3b14f50, 0xe7629ea1, 0xcec53d43, -+ 0x9d8a7a87, 0x3b14f50f, 0x7629ea1e, 0xec53d43c, -+ 0xd8a7a879, 0xb14f50f3, 0x629ea1e7, 0xc53d43ce, -+ 0x8a7a879d, 0x14f50f3b, 0x29ea1e76, 0x53d43cec, -+ 0xa7a879d8, 0x4f50f3b1, 0x9ea1e762, 0x3d43cec5 -+ }; -+ -+ u32 a,b,c,d,e,f,g,h,ss1,ss2; -+ u32 w[16]; -+ -+ a = hd->h0; -+ b = hd->h1; -+ c = hd->h2; -+ d = hd->h3; -+ e = hd->h4; -+ f = hd->h5; -+ g = hd->h6; -+ h = hd->h7; -+ -+ R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4)); -+ R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5)); -+ R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6)); -+ R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7)); -+ R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8)); -+ R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9)); -+ R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10)); -+ R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11)); -+ R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12)); -+ R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13)); -+ R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14)); -+ R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15)); -+ R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16)); -+ R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17)); -+ R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18)); -+ R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19)); -+ -+ R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20)); -+ R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21)); -+ R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22)); -+ R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23)); -+ R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24)); -+ R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25)); -+ R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26)); -+ R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27)); -+ R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28)); -+ R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29)); -+ R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30)); -+ R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31)); -+ R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32)); -+ R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33)); -+ R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34)); -+ R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35)); -+ -+ R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36)); -+ R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37)); -+ R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38)); -+ R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39)); -+ R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40)); -+ R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41)); -+ R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42)); -+ R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43)); -+ R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44)); -+ R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45)); -+ R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46)); -+ R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47)); -+ R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48)); -+ R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49)); -+ R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50)); -+ R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51)); -+ -+ R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52)); -+ R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53)); -+ R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54)); -+ R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55)); -+ R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56)); -+ R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57)); -+ R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58)); -+ R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59)); -+ R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60)); -+ R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61)); -+ R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62)); -+ R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63)); -+ R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64)); -+ R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65)); -+ R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66)); -+ R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67)); -+ -+ hd->h0 ^= a; -+ hd->h1 ^= b; -+ hd->h2 ^= c; -+ hd->h3 ^= d; -+ hd->h4 ^= e; -+ hd->h5 ^= f; -+ hd->h6 ^= g; -+ hd->h7 ^= h; -+ -+ return /*burn_stack*/ 26*4+32; -+} -+#undef P0 -+#undef P1 -+#undef R -+#undef R1 -+#undef R2 -+ -+static unsigned int -+transform (void *ctx, const unsigned char *data, size_t nblks) -+{ -+ SM3_CONTEXT *hd = ctx; -+ unsigned int burn; -+ -+ do -+ { -+ burn = transform_blk (hd, data); -+ data += 64; -+ } -+ while (--nblks); -+ -+ return burn; -+} -+ -+ -+/* -+ * The routine finally terminates the computation and returns the -+ * digest. The handle is prepared for a new cycle, but adding bytes -+ * to the handle will the destroy the returned buffer. Returns: 32 -+ * bytes with the message the digest. */ -+static void -+sm3_final(void *context) -+{ -+ SM3_CONTEXT *hd = context; -+ u32 t, th, msb, lsb; -+ byte *p; -+ unsigned int burn; -+ -+ t = hd->bctx.nblocks; -+ if (sizeof t == sizeof hd->bctx.nblocks) -+ th = hd->bctx.nblocks_high; -+ else -+ th = hd->bctx.nblocks >> 32; -+ -+ /* multiply by 64 to make a byte count */ -+ lsb = t << 6; -+ msb = (th << 6) | (t >> 26); -+ /* add the count */ -+ t = lsb; -+ if ((lsb += hd->bctx.count) < t) -+ msb++; -+ /* multiply by 8 to make a bit count */ -+ t = lsb; -+ lsb <<= 3; -+ msb <<= 3; -+ msb |= t >> 29; -+ -+ if (hd->bctx.count < 56) /* enough room */ -+ { -+ hd->bctx.buf[hd->bctx.count++] = 0x80; /* pad */ -+ if (hd->bctx.count < 56) -+ memset (&hd->bctx.buf[hd->bctx.count], 0, 56 - hd->bctx.count); -+ -+ /* append the 64 bit count */ -+ buf_put_be32(hd->bctx.buf + 56, msb); -+ buf_put_be32(hd->bctx.buf + 60, lsb); -+ burn = (*hd->bctx.bwrite) ( hd, hd->bctx.buf, 1 ); -+ } -+ else /* need one extra block */ -+ { -+ hd->bctx.buf[hd->bctx.count++] = 0x80; /* pad character */ -+ /* fill pad and next block with zeroes */ -+ memset (&hd->bctx.buf[hd->bctx.count], 0, 64 - hd->bctx.count + 56); -+ -+ /* append the 64 bit count */ -+ buf_put_be32(hd->bctx.buf + 64 + 56, msb); -+ buf_put_be32(hd->bctx.buf + 64 + 60, lsb); -+ burn = (*hd->bctx.bwrite) ( hd, hd->bctx.buf, 2 ); -+ } -+ -+ p = hd->bctx.buf; -+#define X(a) do { buf_put_be32(p, hd->h##a); p += 4; } while(0) -+ X(0); -+ X(1); -+ X(2); -+ X(3); -+ X(4); -+ X(5); -+ X(6); -+ X(7); -+#undef X -+ -+ hd->bctx.count = 0; -+ -+ _gcry_burn_stack (burn); -+} -+ -+static byte * -+sm3_read (void *context) -+{ -+ SM3_CONTEXT *hd = context; -+ -+ return hd->bctx.buf; -+} -+ -+ -+/* Shortcut functions which puts the hash value of the supplied buffer -+ * into outbuf which must have a size of 32 bytes. */ -+void -+_gcry_sm3_hash_buffer (void *outbuf, const void *buffer, size_t length) -+{ -+ SM3_CONTEXT hd; -+ -+ sm3_init (&hd, 0); -+ _gcry_md_block_write (&hd, buffer, length); -+ sm3_final (&hd); -+ memcpy (outbuf, hd.bctx.buf, 32); -+} -+ -+ -+/* Variant of the above shortcut function using multiple buffers. */ -+void -+_gcry_sm3_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt) -+{ -+ SM3_CONTEXT hd; -+ -+ sm3_init (&hd, 0); -+ for (;iovcnt > 0; iov++, iovcnt--) -+ _gcry_md_block_write (&hd, -+ (const char*)iov[0].data + iov[0].off, iov[0].len); -+ sm3_final (&hd); -+ memcpy (outbuf, hd.bctx.buf, 32); -+} -+ -+ -+ -+/* -+ * Self-test section. -+ */ -+ -+ -+static gpg_err_code_t -+selftests_sm3 (int extended, selftest_report_func_t report) -+{ -+ const char *what; -+ const char *errtxt; -+ -+ what = "short string (spec example 1)"; -+ errtxt = _gcry_hash_selftest_check_one -+ (GCRY_MD_SM3, 0, -+ "abc", 3, -+ "\x66\xc7\xf0\xf4\x62\xee\xed\xd9\xd1\xf2\xd4\x6b\xdc\x10\xe4\xe2" -+ "\x41\x67\xc4\x87\x5c\xf2\xf7\xa2\x29\x7d\xa0\x2b\x8f\x4b\xa8\xe0", 32); -+ if (errtxt) -+ goto failed; -+ -+ if (extended) -+ { -+ what = "long string (spec example 2)"; -+ errtxt = _gcry_hash_selftest_check_one -+ (GCRY_MD_SM3, 0, -+ "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd", 64, -+ "\xde\xbe\x9f\xf9\x22\x75\xb8\xa1\x38\x60\x48\x89\xc1\x8e\x5a\x4d" -+ "\x6f\xdb\x70\xe5\x38\x7e\x57\x65\x29\x3d\xcb\xa3\x9c\x0c\x57\x32", -+ 32); -+ if (errtxt) -+ goto failed; -+ -+ what = "long string"; -+ errtxt = _gcry_hash_selftest_check_one -+ (GCRY_MD_SM3, 0, -+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56, -+ "\x63\x9b\x6c\xc5\xe6\x4d\x9e\x37\xa3\x90\xb1\x92\xdf\x4f\xa1\xea" -+ "\x07\x20\xab\x74\x7f\xf6\x92\xb9\xf3\x8c\x4e\x66\xad\x7b\x8c\x05", -+ 32); -+ if (errtxt) -+ goto failed; -+ -+ what = "one million \"a\""; -+ errtxt = _gcry_hash_selftest_check_one -+ (GCRY_MD_SM3, 1, -+ NULL, 0, -+ "\xc8\xaa\xf8\x94\x29\x55\x40\x29\xe2\x31\x94\x1a\x2a\xcc\x0a\xd6" -+ "\x1f\xf2\xa5\xac\xd8\xfa\xdd\x25\x84\x7a\x3a\x73\x2b\x3b\x02\xc3", -+ 32); -+ if (errtxt) -+ goto failed; -+ } -+ -+ return 0; /* Succeeded. */ -+ -+ failed: -+ if (report) -+ report ("digest", GCRY_MD_SM3, what, errtxt); -+ return GPG_ERR_SELFTEST_FAILED; -+} -+ -+ -+/* Run a full self-test for ALGO and return 0 on success. */ -+static gpg_err_code_t -+run_selftests (int algo, int extended, selftest_report_func_t report) -+{ -+ gpg_err_code_t ec; -+ -+ switch (algo) -+ { -+ case GCRY_MD_SM3: -+ ec = selftests_sm3 (extended, report); -+ break; -+ default: -+ ec = GPG_ERR_DIGEST_ALGO; -+ break; -+ -+ } -+ return ec; -+} -+ -+static byte asn_sm3[] = /* Object ID is 1.2.156.10197.401 */ -+ { 0x30, 0x2F, 0x30, 0x0B, 0x06, 0x07, 0x2A, 0x81, -+ 0x1C, 0xCF, 0x55, 0x83, 0x11, 0x05, 0x00, 0x04, -+ 0x20 }; -+ -+static gcry_md_oid_spec_t oid_spec_sm3[] = -+ { -+ /* China Electronics Standardization Instutute, -+ OID White paper (2015), Table 6 */ -+ { "1.2.156.10197.401" }, -+ { NULL }, -+ }; -+ -+gcry_md_spec_t _gcry_digest_spec_sm3 = -+ { -+ GCRY_MD_SM3, {0, 0}, -+ "SM3", asn_sm3, DIM (asn_sm3), oid_spec_sm3, 32, -+ sm3_init, _gcry_md_block_write, sm3_final, sm3_read, NULL, -+ sizeof (SM3_CONTEXT), -+ run_selftests -+ }; -diff --git a/configure.ac b/configure.ac -index c588af4..d52b61f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -204,6 +204,7 @@ enabled_pubkey_ciphers="" - # Definitions for message digests. - available_digests="crc gostr3411-94 md2 md4 md5 rmd160 sha1 sha256 sha512" - available_digests="$available_digests sha3 tiger whirlpool stribog blake2" -+available_digests="$available_digests sm3" - enabled_digests="" - - # Definitions for kdfs (optional ones) -@@ -2603,6 +2604,12 @@ case "${host}" in - ;; - esac - -+LIST_MEMBER(sm3, $enabled_digests) -+if test "$found" = "1" ; then -+ GCRYPT_DIGESTS="$GCRYPT_DIGESTS sm3.lo" -+ AC_DEFINE(USE_SM3, 1, [Defined if this module should be included]) -+fi -+ - LIST_MEMBER(scrypt, $enabled_kdfs) - if test "$found" = "1" ; then - GCRYPT_KDFS="$GCRYPT_KDFS scrypt.lo" -diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi -index 7cd1b0f..8119e89 100644 ---- a/doc/gcrypt.texi -+++ b/doc/gcrypt.texi -@@ -3122,6 +3122,7 @@ are also supported. - @cindex MD2, MD4, MD5 - @cindex TIGER, TIGER1, TIGER2 - @cindex HAVAL -+@cindex SM3 - @cindex Whirlpool - @cindex BLAKE2b-512, BLAKE2b-384, BLAKE2b-256, BLAKE2b-160 - @cindex BLAKE2s-256, BLAKE2s-224, BLAKE2s-160, BLAKE2s-128 -@@ -3281,6 +3282,9 @@ See RFC 7693 for the specification. - This is the BLAKE2s-128 algorithm which yields a message digest of 16 bytes. - See RFC 7693 for the specification. - -+@item GCRY_MD_SM3 -+This is the SM3 algorithm which yields a message digest of 32 bytes. -+ - @end table - @c end table of hash algorithms - -diff --git a/src/cipher.h b/src/cipher.h -index d9e0ac6..7c2e5d9 100644 ---- a/src/cipher.h -+++ b/src/cipher.h -@@ -133,6 +133,12 @@ void _gcry_sha512_hash_buffer (void *outbuf, - void _gcry_sha512_hash_buffers (void *outbuf, - const gcry_buffer_t *iov, int iovcnt); - -+/*-- sm3.c --*/ -+void _gcry_sm3_hash_buffer (void *outbuf, -+ const void *buffer, size_t length); -+void _gcry_sm3_hash_buffers (void *outbuf, -+ const gcry_buffer_t *iov, int iovcnt); -+ - /*-- blake2.c --*/ - gcry_err_code_t _gcry_blake2_init_with_key(void *ctx, unsigned int flags, - const unsigned char *key, -@@ -329,6 +335,7 @@ extern gcry_md_spec_t _gcry_digest_spec_blake2s_256; - extern gcry_md_spec_t _gcry_digest_spec_blake2s_224; - extern gcry_md_spec_t _gcry_digest_spec_blake2s_160; - extern gcry_md_spec_t _gcry_digest_spec_blake2s_128; -+extern gcry_md_spec_t _gcry_digest_spec_sm3; - - /* Declarations for the pubkey cipher specifications. */ - extern gcry_pk_spec_t _gcry_pubkey_spec_rsa; -diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in -index 75c49a0..72b09a9 100644 ---- a/src/gcrypt.h.in -+++ b/src/gcrypt.h.in -@@ -1240,7 +1240,8 @@ enum gcry_md_algos - GCRY_MD_BLAKE2S_256 = 322, - GCRY_MD_BLAKE2S_224 = 323, - GCRY_MD_BLAKE2S_160 = 324, -- GCRY_MD_BLAKE2S_128 = 325 -+ GCRY_MD_BLAKE2S_128 = 325, -+ GCRY_MD_SM3 = 326, - }; - - /* Flags used with the open function. */ -diff --git a/tests/basic.c b/tests/basic.c -index 0bd8020..f932b2b 100644 ---- a/tests/basic.c -+++ b/tests/basic.c -@@ -8457,6 +8457,31 @@ check_digests (void) - "\x0e\xfc\x29\xde" }, - { GCRY_MD_BLAKE2S_128, "?", - "\x70\x0b\x8a\x71\x1d\x34\x0a\xf0\x13\x93\x19\x93\x5e\xd7\x54\x9c" }, -+ -+ { GCRY_MD_SM3, "abc", -+ "\x66\xc7\xf0\xf4\x62\xee\xed\xd9\xd1\xf2\xd4\x6b\xdc\x10\xe4\xe2" -+ "\x41\x67\xc4\x87\x5c\xf2\xf7\xa2\x29\x7d\xa0\x2b\x8f\x4b\xa8\xe0" }, -+ { GCRY_MD_SM3, -+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", -+ "\x63\x9b\x6c\xc5\xe6\x4d\x9e\x37\xa3\x90\xb1\x92\xdf\x4f\xa1\xea" -+ "\x07\x20\xab\x74\x7f\xf6\x92\xb9\xf3\x8c\x4e\x66\xad\x7b\x8c\x05" }, -+ { GCRY_MD_SM3, "!", -+ "\xc8\xaa\xf8\x94\x29\x55\x40\x29\xe2\x31\x94\x1a\x2a\xcc\x0a\xd6" -+ "\x1f\xf2\xa5\xac\xd8\xfa\xdd\x25\x84\x7a\x3a\x73\x2b\x3b\x02\xc3" }, -+ { GCRY_MD_SM3, "?", -+ "\x3a\x3f\x53\xfc\x96\xc2\xde\xb2\xd9\x12\x3a\x1b\xd8\x47\x71\x28" -+ "\xbc\x5d\x5e\x94\xea\x08\x86\x3d\xfb\xe4\x00\x5a\xd9\xed\x79\x26" }, -+ { GCRY_MD_SM3, -+ "Libgcrypt is free software; you can redistribute it and/or modif" -+ "y it under the terms of the GNU Lesser general Public License as" -+ " published by the Free Software Foundation; either version 2.1 o" -+ "f the License, or (at your option) any later version.\nLibgcrypt" -+ " is distributed in the hope that it will be useful, but WITHOUT " -+ "ANY WARRANTY; without even the implied warranty of MERCHANTABILI" -+ "TY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser Gene" -+ "ral Public License for more details.", -+ "\x8b\x91\x3f\x0e\x85\xae\x43\x25\x6d\x28\x38\x6c\x09\x5c\xc7\x72" -+ "\xcc\x2e\x78\x89\x7e\x2e\x4e\x5a\x3d\xf6\x55\xfe\x87\xbe\xa6\xbc" }, - { 0 } - }; - gcry_error_t err; -diff --git a/tests/hashtest-256g.in b/tests/hashtest-256g.in -index 92b1c1b..a52b869 100755 ---- a/tests/hashtest-256g.in -+++ b/tests/hashtest-256g.in -@@ -1,6 +1,6 @@ - #!/bin/sh - --algos="SHA1 SHA256 SHA512" -+algos="SHA1 SHA256 SHA512 SM3" - - test "@RUN_LARGE_DATA_TESTS@" = yes || exit 77 - echo " now running 256 GiB tests for $algos - this takes looong" -diff --git a/tests/hashtest.c b/tests/hashtest.c -index 2ecbc1f..3394594 100644 ---- a/tests/hashtest.c -+++ b/tests/hashtest.c -@@ -102,6 +102,17 @@ static struct { - "0c91b91665ceaf7af5102e0ed31aa4f050668ab3c57b1f4763946d567efe66b3" - "ab9a2016cf238dee5b44eae9f0cdfbf7b7a6eb1e759986273243dc35894706b6" }, - -+ { GCRY_MD_SM3, 256, -64, -+ "4ceb893abeb43965d4cac7626da9a4be895585b5b2f16f302626801308b1c02a" }, -+ { GCRY_MD_SM3, 256, -1, -+ "825f01e4f2b6084136abc356fa1b343a9411d844a4dc1474293aad817cd2a48f" }, -+ { GCRY_MD_SM3, 256, +0, -+ "d948a4025ac3ea0aa8989f43203411bd22ad17eaa5fd92ebdf9cabf869f1ba1b" }, -+ { GCRY_MD_SM3, 256, +1, -+ "4f6d0e260299c1f286ef1dbb4638a0770979f266b6c007c55410ee6849cba2a8" }, -+ { GCRY_MD_SM3, 256, +64, -+ "ed34869dbadd62e3bec1f511004d7bbfc9cafa965477cc48843b248293bbe867" }, -+ - { 0 } - }; - --- -2.19.1 \ No newline at end of file diff --git a/libgcrypt-1.6.1-mpicoder-gccopt.patch b/backport-libgcrypt-1.6.1-mpicoder-gccopt.patch similarity index 100% rename from libgcrypt-1.6.1-mpicoder-gccopt.patch rename to backport-libgcrypt-1.6.1-mpicoder-gccopt.patch diff --git a/libgcrypt-1.7.3-ecc-test-fix.patch b/backport-libgcrypt-1.7.3-ecc-test-fix.patch similarity index 100% rename from libgcrypt-1.7.3-ecc-test-fix.patch rename to backport-libgcrypt-1.7.3-ecc-test-fix.patch diff --git a/libgcrypt-1.7.3-fips-cavs.patch b/backport-libgcrypt-1.7.3-fips-cavs.patch similarity index 99% rename from libgcrypt-1.7.3-fips-cavs.patch rename to backport-libgcrypt-1.7.3-fips-cavs.patch index 42d028e..1056218 100644 --- a/libgcrypt-1.7.3-fips-cavs.patch +++ b/backport-libgcrypt-1.7.3-fips-cavs.patch @@ -262,7 +262,7 @@ diff -up libgcrypt-1.7.3/tests/cavs_driver.pl.cavs libgcrypt-1.7.3/tests/cavs_dr for (my $j = 0; $j < $iloop; ++$j) { + if ($cipher =~ /des-ede3-ofb/ || + (!$enc && $cipher =~ /des-ede3-cfb/)) { -+ die "Implementation lacks support for TDES OFB and TDES CFB in encryption mode - the problem is that we would need to extract the IV of the last round of encryption which would be the input for the next round - see comments in this script for implementation requirements"; ++ die "Implementation lacks support for TDES OFB and TDES CFB in encryption mode - the problem is that we would need to extract the IV of the last round of encryption which would be the input for the next round - see comments in this script for implementation requirements"; + } $old_old_calc_data = $old_calc_data; $old_calc_data = $calc_data; @@ -426,7 +426,7 @@ diff -up libgcrypt-1.7.3/tests/cavs_driver.pl.cavs libgcrypt-1.7.3/tests/cavs_dr + if (!defined($P) || !defined($Q) || !defined($G) || + !defined($seed2) || !defined($c2) || !defined($h2)); + -+ ++ + + $out .= "Seed = $seed\n"; + $out .= "c = $c\n"; @@ -434,7 +434,7 @@ diff -up libgcrypt-1.7.3/tests/cavs_driver.pl.cavs libgcrypt-1.7.3/tests/cavs_dr + + $c2 = hex($c2); + -+ if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($G, $g) && hexcomp($seed, $seed2) && ++ if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($G, $g) && hexcomp($seed, $seed2) && + $c == $c2 && hex($h) == hex($h2)) { + $out .= "Result = P\n\n"; + } @@ -932,7 +932,7 @@ diff -up libgcrypt-1.7.3/tests/fipsdrv.c.cavs libgcrypt-1.7.3/tests/fipsdrv.c err = gcry_pk_genkey (&key, keyspec); if (err) die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); -+ ++ + gcry_sexp_release (keyspec); + + return key; @@ -993,7 +993,7 @@ diff -up libgcrypt-1.7.3/tests/fipsdrv.c.cavs libgcrypt-1.7.3/tests/fipsdrv.c +/* Print just the XY private key parameters. KEY + is the complete key as returned by dsa_gen. We print to stdout + with one parameter per line in hex format using this order: x, y. */ -+static void ++static void +print_dsa_xy (gcry_sexp_t key) +{ + gcry_sexp_t l1, l2; @@ -1011,7 +1011,7 @@ diff -up libgcrypt-1.7.3/tests/fipsdrv.c.cavs libgcrypt-1.7.3/tests/fipsdrv.c + l1 = l2; + + /* Extract the parameters from the S-expression and print them to stdout. */ -+ for (idx=0; "xy"[idx]; idx++) ++ for (idx=0; "xy"[idx]; idx++) + { + l2 = gcry_sexp_find_token (l1, "xy"+idx, 1); + if (!l2) diff --git a/libgcrypt-1.8.3-fips-ctor.patch b/backport-libgcrypt-1.8.3-fips-ctor.patch similarity index 80% rename from libgcrypt-1.8.3-fips-ctor.patch rename to backport-libgcrypt-1.8.3-fips-ctor.patch index 66abd59..a5d3467 100644 --- a/libgcrypt-1.8.3-fips-ctor.patch +++ b/backport-libgcrypt-1.8.3-fips-ctor.patch @@ -50,7 +50,7 @@ diff -up libgcrypt-1.8.3/src/global.c.fips-ctor libgcrypt-1.8.3/src/global.c break; case GCRYCTL_SET_ENFORCED_FIPS_FLAG: -- if (!any_init_done) +- if (!_gcry_global_any_init_done) + if (fips_mode ()) { - /* Not yet initialized at all. Set the enforced fips mode flag */ @@ -58,3 +58,16 @@ diff -up libgcrypt-1.8.3/src/global.c.fips-ctor libgcrypt-1.8.3/src/global.c _gcry_set_preferred_rng_type (0); _gcry_set_enforced_fips_mode (); } +diff --git a/tests/t-secmem.c b/tests/t-secmem.c +index 2b769134..1d33bbfd 100644 +--- a/tests/t-secmem.c ++++ b/tests/t-secmem.c +@@ -54,7 +54,7 @@ test_secmem (void) + + /* Allocating another 2k should fail for the default 16k pool. */ + b = gcry_malloc_secure (chunk_size*4); +- if (b) ++ if (b && !gcry_fips_mode_active ()) + fail ("allocation did not fail as expected\n"); + + for (i=0; i < DIM(a); i++) diff --git a/libgcrypt-1.8.3-fips-enttest.patch b/backport-libgcrypt-1.8.3-fips-enttest.patch similarity index 98% rename from libgcrypt-1.8.3-fips-enttest.patch rename to backport-libgcrypt-1.8.3-fips-enttest.patch index b6b09ba..34e54bf 100644 --- a/libgcrypt-1.8.3-fips-enttest.patch +++ b/backport-libgcrypt-1.8.3-fips-enttest.patch @@ -2,7 +2,7 @@ diff -up libgcrypt-1.8.3/random/random-drbg.c.fips-enttest libgcrypt-1.8.3/rando --- libgcrypt-1.8.3/random/random-drbg.c.fips-enttest 2017-11-23 19:16:58.000000000 +0100 +++ libgcrypt-1.8.3/random/random-drbg.c 2019-06-24 10:04:23.219547141 +0200 @@ -317,6 +317,7 @@ struct drbg_state_s - unsigned char *ctr_null; /* CTR mode zero buffer */ + gcry_cipher_hd_t ctr_handle; /* CTR mode cipher handle */ int seeded:1; /* DRBG fully seeded? */ int pr:1; /* Prediction resistance enabled? */ + int ent_primed:1; /* Previous entropy data primed? */ diff --git a/backport-libgcrypt-1.8.3-md-fips-enforce.patch b/backport-libgcrypt-1.8.3-md-fips-enforce.patch new file mode 100644 index 0000000..3b730a1 --- /dev/null +++ b/backport-libgcrypt-1.8.3-md-fips-enforce.patch @@ -0,0 +1,37 @@ +diff -up libgcrypt-1.8.3/cipher/md.c.fips-enforce libgcrypt-1.8.3/cipher/md.c +--- libgcrypt-1.8.3/cipher/md.c.fips-enforce 2017-11-23 19:16:58.000000000 +0100 ++++ libgcrypt-1.8.3/cipher/md.c 2020-04-17 15:07:31.364945130 +0200 +@@ -409,13 +409,10 @@ md_enable (gcry_md_hd_t hd, int algorith + } + + +- if (!err && algorithm == GCRY_MD_MD5 && fips_mode ()) ++ if (!err && !spec->flags.fips && fips_mode ()) + { +- _gcry_inactivate_fips_mode ("MD5 used"); + if (_gcry_enforced_fips_mode () ) + { +- /* We should never get to here because we do not register +- MD5 in enforced fips mode. But better throw an error. */ + err = GPG_ERR_DIGEST_ALGO; + } + } +diff --git a/tests/t-kdf.c b/tests/t-kdf.c +index 7a48e98a..48309b9a 100644 +--- a/tests/t-kdf.c ++++ b/tests/t-kdf.c +@@ -1104,6 +1104,13 @@ check_pbkdf2 (void) + GCRY_KDF_PBKDF2, tv[tvidx].hashalgo, + tv[tvidx].salt, tv[tvidx].saltlen, + tv[tvidx].c, tv[tvidx].dklen, outbuf); ++ if (gcry_fips_mode_active() && tvidx > 6) ++ { ++ if (!err) ++ fail ("pbkdf2 test %d unexpectedly passed in FIPS mode: %s\n", ++ tvidx, gpg_strerror (err)); ++ continue; ++ } + if (err) + fail ("pbkdf2 test %d failed: %s\n", tvidx, gpg_strerror (err)); + else if (memcmp (outbuf, tv[tvidx].dk, tv[tvidx].dklen)) + diff --git a/libgcrypt-1.8.4-fips-keygen.patch b/backport-libgcrypt-1.8.4-fips-keygen.patch similarity index 88% rename from libgcrypt-1.8.4-fips-keygen.patch rename to backport-libgcrypt-1.8.4-fips-keygen.patch index 9d3a647..a3e241f 100644 --- a/libgcrypt-1.8.4-fips-keygen.patch +++ b/backport-libgcrypt-1.8.4-fips-keygen.patch @@ -1,16 +1,15 @@ diff -up libgcrypt-1.8.4/cipher/dsa.c.fips-keygen libgcrypt-1.8.4/cipher/dsa.c --- libgcrypt-1.8.4/cipher/dsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100 +++ libgcrypt-1.8.4/cipher/dsa.c 2019-02-12 14:29:25.629513989 +0100 -@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un +@@ -457,13 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un &prime_q, &prime_p, r_counter, r_seed, r_seedlen); - else -- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, + else if (!domain->p || !domain->q) -+ ec = _gcry_generate_fips186_3_prime (nbits, qbits, -+ initial_seed.seed, -+ initial_seed.seedlen, + ec = _gcry_generate_fips186_3_prime (nbits, qbits, + initial_seed.seed, + initial_seed.seedlen, &prime_q, &prime_p, r_counter, r_seed, r_seedlen, NULL); diff --git a/libgcrypt-1.8.4-tests-fipsmode.patch b/backport-libgcrypt-1.8.4-tests-fipsmode.patch similarity index 90% rename from libgcrypt-1.8.4-tests-fipsmode.patch rename to backport-libgcrypt-1.8.4-tests-fipsmode.patch index 1442a0b..80addd2 100644 --- a/libgcrypt-1.8.4-tests-fipsmode.patch +++ b/backport-libgcrypt-1.8.4-tests-fipsmode.patch @@ -2,7 +2,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi --- libgcrypt-1.8.4/tests/basic.c.tests-fipsmode 2018-04-17 17:29:40.000000000 +0200 +++ libgcrypt-1.8.4/tests/basic.c 2019-02-12 13:30:48.935791024 +0100 @@ -6964,7 +6964,7 @@ check_ciphers (void) - check_one_cipher (algos[i], GCRY_CIPHER_MODE_CTR, 0); + check_one_cipher (algos[i], GCRY_CIPHER_MODE_EAX, 0); if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_CCM_BLOCK_LEN) check_one_cipher (algos[i], GCRY_CIPHER_MODE_CCM, 0); - if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN) @@ -10,7 +10,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0); if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_OCB_BLOCK_LEN) check_one_cipher (algos[i], GCRY_CIPHER_MODE_OCB, 0); -@@ -7010,11 +7010,17 @@ check_cipher_modes(void) +@@ -7010,12 +7010,18 @@ check_cipher_modes(void) check_cfb_cipher (); check_ofb_cipher (); check_ccm_cipher (); @@ -24,6 +24,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi + check_ocb_cipher (); + } check_xts_cipher (); + check_eax_cipher (); - check_gost28147_cipher (); + if (!in_fips_mode) + { @@ -46,7 +47,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi gcry_md_hd_t md; - /* First trigger a self-test. */ -- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); +- xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) fail ("not in operational state after self-test\n"); @@ -58,7 +59,7 @@ diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basi - { - /* Now run a self-test and to get back into - operational state. */ -- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); +- xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); - if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) - fail ("did not reach operational after error " - "and self-test\n"); @@ -70,14 +71,14 @@ diff -up libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode libgcrypt-1.8.4/tests/ --- libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode 2019-02-12 11:31:44.859603883 +0100 +++ libgcrypt-1.8.4/tests/benchmark.c 2019-02-12 14:10:40.271999352 +0100 @@ -872,8 +872,10 @@ cipher_bench ( const char *algoname ) - || (blklen == 1 && modes[modeidx].mode != GCRY_CIPHER_MODE_STREAM)) + && algo != GCRY_CIPHER_CHACHA20) continue; - if (modes[modeidx].req_blocksize > 0 - && blklen != modes[modeidx].req_blocksize) + if ((modes[modeidx].req_blocksize > 0 + && blklen != modes[modeidx].req_blocksize) -+ || (in_fips_mode ++ || (in_fips_mode + && modes[modeidx].mode == GCRY_CIPHER_MODE_GCM)) { printf (" %7s %7s", "-", "-" ); @@ -141,7 +142,7 @@ diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pub " (use-fips186)" " (transient-key)" " (derive-parms" -- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))", +- " (seed #f770a4598ff756931fc529764513b103ce57d85f4ad8c5cf297c9b4d48241c5b#))))", + " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))", 0, 1); if (rc) @@ -150,9 +151,9 @@ diff -up libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode libgcrypt-1.8.4/tests/ --- libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 +++ libgcrypt-1.8.4/tests/t-cv25519.c 2019-02-12 14:02:35.935705390 +0100 @@ -560,6 +560,9 @@ main (int argc, char **argv) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); + /* Curve25519 isn't supported in fips mode */ + if (gcry_fips_mode_active()) + return 77; @@ -163,13 +164,13 @@ diff -up libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode libgcrypt-1.8.4/tests/t --- libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode 2017-11-23 19:19:54.000000000 +0100 +++ libgcrypt-1.8.4/tests/t-secmem.c 2019-02-12 11:51:02.462190538 +0100 @@ -174,7 +174,8 @@ main (int argc, char **argv) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INIT_SECMEM, pool_size, 0); + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); + xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); + xgcry_control ((GCRYCTL_INIT_SECMEM, pool_size, 0)); - gcry_set_outofcore_handler (outofcore_handler, NULL); + if (!gcry_fips_mode_active ()) + gcry_set_outofcore_handler (outofcore_handler, NULL); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); /* Libgcrypt prints a warning when the first overflow is allocated; @@ -184,7 +185,8 @@ main (int argc, char **argv) diff --git a/libgcrypt-1.8.4-use-poll.patch b/backport-libgcrypt-1.8.4-use-poll.patch similarity index 90% rename from libgcrypt-1.8.4-use-poll.patch rename to backport-libgcrypt-1.8.4-use-poll.patch index b96c6ce..8032992 100644 --- a/libgcrypt-1.8.4-use-poll.patch +++ b/backport-libgcrypt-1.8.4-use-poll.patch @@ -6,9 +6,9 @@ diff -up libgcrypt-1.8.4/random/rndlinux.c.use-poll libgcrypt-1.8.4/random/rndli #include #include +#include - #if defined(__linux__) && defined(HAVE_SYSCALL) - # include - #endif + #if defined(__APPLE__) && defined(__MACH__) + #include + #ifdef __MAC_10_11 @@ -241,9 +242,8 @@ _gcry_rndlinux_gather_random (void (*add return with something we will actually use 100ms. */ while (length) @@ -18,8 +18,8 @@ diff -up libgcrypt-1.8.4/random/rndlinux.c.use-poll libgcrypt-1.8.4/random/rndli int rc; + struct pollfd pfd; - /* If we have a modern Linux kernel, we first try to use the new - * getrandom syscall. That call guarantees that the kernel's + /* If we have a modern operating system, we first try to use the new + * getentropy function. That call guarantees that the kernel's @@ -300,36 +300,25 @@ _gcry_rndlinux_gather_random (void (*add any_need_entropy = 1; } diff --git a/libgcrypt-1.8.5-fips-module.patch b/backport-libgcrypt-1.8.5-fips-module.patch similarity index 96% rename from libgcrypt-1.8.5-fips-module.patch rename to backport-libgcrypt-1.8.5-fips-module.patch index 60b9ce2..8ffe465 100644 --- a/libgcrypt-1.8.5-fips-module.patch +++ b/backport-libgcrypt-1.8.5-fips-module.patch @@ -23,7 +23,7 @@ diff -up libgcrypt-1.8.5/src/fips.c.fips-module libgcrypt-1.8.5/src/fips.c - actually used. The file itself may be empty. */ - if ( !access (FIPS_FORCE_FILE, F_OK) ) - { -- gcry_assert (!no_fips_mode_required); +- gcry_assert (!_gcry_no_fips_mode_required); - goto leave; - } - @@ -42,7 +42,7 @@ diff -up libgcrypt-1.8.5/src/fips.c.fips-module libgcrypt-1.8.5/src/fips.c - { - /* System is in fips mode. */ - fclose (fp); -- gcry_assert (!no_fips_mode_required); +- gcry_assert (!_gcry_no_fips_mode_required); - goto leave; - } - fclose (fp); @@ -65,7 +65,7 @@ diff -up libgcrypt-1.8.5/src/fips.c.fips-module libgcrypt-1.8.5/src/fips.c - } - /* Fips not not requested, set flag. */ - no_fips_mode_required = 1; + _gcry_no_fips_mode_required = 1; diff -up libgcrypt-1.8.5/src/g10lib.h.fips-module libgcrypt-1.8.5/src/g10lib.h --- libgcrypt-1.8.5/src/g10lib.h.fips-module 2020-04-20 19:07:45.918919759 +0200 @@ -77,9 +77,9 @@ diff -up libgcrypt-1.8.5/src/g10lib.h.fips-module libgcrypt-1.8.5/src/g10lib.h +/* The name of the file used to force libgcrypt into fips mode. */ +#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled" + - void _gcry_initialize_fips_mode (int force); + extern int _gcry_no_fips_mode_required; - int _gcry_fips_mode (void); + void _gcry_initialize_fips_mode (int force); diff -up libgcrypt-1.8.5/src/global.c.fips-module libgcrypt-1.8.5/src/global.c --- libgcrypt-1.8.5/src/global.c.fips-module 2020-04-20 19:07:45.919919741 +0200 +++ libgcrypt-1.8.5/src/global.c 2020-04-20 19:07:45.950919149 +0200 diff --git a/libgcrypt-1.8.5-getrandom.patch b/backport-libgcrypt-1.8.5-getrandom.patch similarity index 92% rename from libgcrypt-1.8.5-getrandom.patch rename to backport-libgcrypt-1.8.5-getrandom.patch index ff2ef3b..1779dc1 100644 --- a/libgcrypt-1.8.5-getrandom.patch +++ b/backport-libgcrypt-1.8.5-getrandom.patch @@ -154,13 +154,13 @@ diff -up libgcrypt-1.8.5/random/rndlinux.c.getrandom libgcrypt-1.8.5/random/rndl --- libgcrypt-1.8.5/random/rndlinux.c.getrandom 2020-04-20 15:01:50.159848963 +0200 +++ libgcrypt-1.8.5/random/rndlinux.c 2020-04-20 16:14:21.901610921 +0200 @@ -35,6 +35,7 @@ - #include - #if defined(__linux__) && defined(HAVE_SYSCALL) + #if defined(__linux__) || !defined(HAVE_GETENTROPY) + #ifdef HAVE_SYSCALL # include +# include - #endif - - #include "types.h" + # ifdef __NR_getrandom + # define getentropy(buf,buflen) syscall (__NR_getrandom, buf, buflen, 0) + # endif @@ -147,12 +148,12 @@ _gcry_rndlinux_gather_random (void (*add if (!add) { @@ -216,25 +216,17 @@ diff -up libgcrypt-1.8.5/random/rndlinux.c.getrandom libgcrypt-1.8.5/random/rndl { if (fd_random == -1) { -@@ -255,6 +272,7 @@ _gcry_rndlinux_gather_random (void (*add - * syscall and not a new device and thus we are not able to use - * select(2) to have a timeout. */ - #if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) -+ if (fd == -2) - { - long ret; - size_t nbytes; @@ -270,9 +288,7 @@ _gcry_rndlinux_gather_random (void (*add _gcry_post_syscall (); } while (ret == -1 && errno == EINTR); - if (ret == -1 && errno == ENOSYS) -- ; /* The syscall is not supported - fallback to pulling from fd. */ +- ; /* getentropy is not supported - fallback to pulling from fd. */ - else + if (1) - { /* The syscall is supported. Some sanity checks. */ + { /* getentropy is supported. Some sanity checks. */ if (ret == -1) - log_fatal ("unexpected error from getrandom: %s\n", + log_fatal ("unexpected error from getentropy: %s\n", diff -up libgcrypt-1.8.5/src/g10lib.h.getrandom libgcrypt-1.8.5/src/g10lib.h --- libgcrypt-1.8.5/src/g10lib.h.getrandom 2020-04-20 15:08:16.528538580 +0200 +++ libgcrypt-1.8.5/src/g10lib.h 2020-04-20 15:08:28.641309399 +0200 diff --git a/backport-libgcrypt-1.8.5-intel-cet.patch b/backport-libgcrypt-1.8.5-intel-cet.patch new file mode 100644 index 0000000..a19d2f1 --- /dev/null +++ b/backport-libgcrypt-1.8.5-intel-cet.patch @@ -0,0 +1,34 @@ +From b04c0a86b19856071c29d2a6285f3240c606ee7a Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Tue, 27 Apr 2021 09:08:41 -0700 +Subject: [PATCH] Always include in cipher assembly codes + +* cipher/poly1305-s390x.S: Always include . + +When Intel CET is enabled, we need to include in assembly codes +to mark Intel CET support even if it is empty. We should always include + in cipher assembly codes so that they will be marked for +Intel CET support when compiling for x86-64 and i686. + +Signed-off-by: H.J. Lu +--- + cipher/poly1305-s390x.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cipher/poly1305-s390x.S b/cipher/poly1305-s390x.S +index 844245f6..28bed560 100644 +--- a/cipher/poly1305-s390x.S ++++ b/cipher/poly1305-s390x.S +@@ -18,8 +18,8 @@ + * License along with this program; if not, see . + */ + +-#if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9 + #include ++#if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9 + #if defined(HAVE_GCC_INLINE_ASM_S390X) + + #include "asm-poly1305-s390x.h" +-- +GitLab + diff --git a/libgcrypt-1.8.5-use-fipscheck.patch b/backport-libgcrypt-1.8.5-use-fipscheck.patch similarity index 82% rename from libgcrypt-1.8.5-use-fipscheck.patch rename to backport-libgcrypt-1.8.5-use-fipscheck.patch index 298ec4c..46145d8 100644 --- a/libgcrypt-1.8.5-use-fipscheck.patch +++ b/backport-libgcrypt-1.8.5-use-fipscheck.patch @@ -75,15 +75,3 @@ diff -up libgcrypt-1.8.5/src/fips.c.use-fipscheck libgcrypt-1.8.5/src/fips.c p = strrchr (fname, '/'); if (p) p++; -diff -up libgcrypt-1.8.5/src/Makefile.am.use-fipscheck libgcrypt-1.8.5/src/Makefile.am ---- libgcrypt-1.8.5/src/Makefile.am.use-fipscheck 2020-04-23 10:18:36.237764702 +0200 -+++ libgcrypt-1.8.5/src/Makefile.am 2020-04-23 10:19:03.186247455 +0200 -@@ -125,7 +125,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \ - ../cipher/libcipher.la \ - ../random/librandom.la \ - ../mpi/libmpi.la \ -- ../compat/libcompat.la $(GPG_ERROR_LIBS) -+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl - - - dumpsexp_SOURCES = dumpsexp.c diff --git a/libgcrypt-1.7.3-fips-reqs.patch b/libgcrypt-1.7.3-fips-reqs.patch deleted file mode 100644 index ef7f765..0000000 --- a/libgcrypt-1.7.3-fips-reqs.patch +++ /dev/null @@ -1,35 +0,0 @@ -diff -up libgcrypt-1.7.3/src/visibility.c.fips-reqs libgcrypt-1.7.3/src/visibility.c ---- libgcrypt-1.7.3/src/visibility.c.fips-reqs 2016-03-23 12:59:34.000000000 +0100 -+++ libgcrypt-1.7.3/src/visibility.c 2016-11-22 16:29:36.992042480 +0100 -@@ -1288,6 +1288,8 @@ gcry_kdf_derive (const void *passphrase, - unsigned long iterations, - size_t keysize, void *keybuffer) - { -+ if (!fips_is_operational ()) -+ return gpg_error (fips_not_operational ()); - return gpg_error (_gcry_kdf_derive (passphrase, passphraselen, algo, hashalgo, - salt, saltlen, iterations, - keysize, keybuffer)); -@@ -1343,6 +1345,13 @@ void - gcry_mpi_randomize (gcry_mpi_t w, - unsigned int nbits, enum gcry_random_level level) - { -+ if (!fips_is_operational ()) -+ { -+ (void)fips_not_operational (); -+ fips_signal_fatal_error ("called in non-operational state"); -+ fips_noreturn (); -+ } -+ - _gcry_mpi_randomize (w, nbits, level); - } - -@@ -1368,6 +1377,8 @@ gcry_prime_generate (gcry_mpi_t *prime, - gcry_random_level_t random_level, - unsigned int flags) - { -+ if (!fips_is_operational ()) -+ return gpg_error (fips_not_operational ()); - return gpg_error (_gcry_prime_generate (prime, prime_bits, factor_bits, - factors, cb_func, cb_arg, - random_level, flags)); diff --git a/libgcrypt-1.8.3-cmac-selftest.patch b/libgcrypt-1.8.3-cmac-selftest.patch deleted file mode 100644 index d480092..0000000 --- a/libgcrypt-1.8.3-cmac-selftest.patch +++ /dev/null @@ -1,322 +0,0 @@ -diff -up libgcrypt-1.8.3/cipher/cipher-cmac.c.cmac-selftest libgcrypt-1.8.3/cipher/cipher-cmac.c ---- libgcrypt-1.8.3/cipher/cipher-cmac.c.cmac-selftest 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/cipher/cipher-cmac.c 2019-05-31 17:33:35.594407152 +0200 -@@ -251,3 +251,246 @@ _gcry_cipher_cmac_set_subkeys (gcry_ciph - - return GPG_ERR_NO_ERROR; - } -+ -+/* CMAC selftests. -+ * Copyright (C) 2008 Free Software Foundation, Inc. -+ * Copyright (C) 2019 Red Hat, Inc. -+ */ -+ -+ -+ -+/* Check one MAC with MAC ALGO using the regular MAC -+ * API. (DATA,DATALEN) is the data to be MACed, (KEY,KEYLEN) the key -+ * and (EXPECT,EXPECTLEN) the expected result. If TRUNC is set, the -+ * EXPECTLEN may be less than the digest length. Returns NULL on -+ * success or a string describing the failure. */ -+static const char * -+check_one (int algo, -+ const void *data, size_t datalen, -+ const void *key, size_t keylen, -+ const void *expect, size_t expectlen) -+{ -+ gcry_mac_hd_t hd; -+ unsigned char mac[512]; /* hardcoded to avoid allocation */ -+ size_t macoutlen = expectlen; -+ -+/* printf ("MAC algo %d\n", algo); */ -+ if (_gcry_mac_get_algo_maclen (algo) != expectlen || -+ expectlen > sizeof (mac)) -+ return "invalid tests data"; -+ if (_gcry_mac_open (&hd, algo, 0, NULL)) -+ return "gcry_mac_open failed"; -+ if (_gcry_mac_setkey (hd, key, keylen)) -+ { -+ _gcry_mac_close (hd); -+ return "gcry_md_setkey failed"; -+ } -+ if (_gcry_mac_write (hd, data, datalen)) -+ { -+ _gcry_mac_close (hd); -+ return "gcry_mac_write failed"; -+ } -+ if (_gcry_mac_read (hd, mac, &macoutlen)) -+ { -+ _gcry_mac_close (hd); -+ return "gcry_mac_read failed"; -+ } -+ _gcry_mac_close (hd); -+ if (macoutlen != expectlen || memcmp (mac, expect, expectlen)) -+ { -+/* int i; */ -+ -+/* fputs (" {", stdout); */ -+/* for (i=0; i < expectlen-1; i++) */ -+/* { */ -+/* if (i && !(i % 8)) */ -+/* fputs ("\n ", stdout); */ -+/* printf (" 0x%02x,", mac[i]); */ -+/* } */ -+/* printf (" 0x%02x } },\n", mac[i]); */ -+ -+ return "does not match"; -+ } -+ return NULL; -+} -+ -+ -+static gpg_err_code_t -+selftests_cmac_tdes (int extended, selftest_report_func_t report) -+{ -+ const char *what; -+ const char *errtxt; -+ -+ what = "Basic TDES"; -+ errtxt = check_one (GCRY_MAC_CMAC_3DES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57", 20, -+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58" -+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24, -+ "\x74\x3d\xdb\xe0\xce\x2d\xc2\xed", 8); -+ if (errtxt) -+ goto failed; -+ -+ if (extended) -+ { -+ what = "Extended TDES #1"; -+ errtxt = check_one (GCRY_MAC_CMAC_3DES, -+ "", 0, -+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58" -+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24, -+ "\xb7\xa6\x88\xe1\x22\xff\xaf\x95", 8); -+ if (errtxt) -+ goto failed; -+ -+ what = "Extended TDES #2"; -+ errtxt = check_one (GCRY_MAC_CMAC_3DES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96", 8, -+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58" -+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24, -+ "\x8e\x8f\x29\x31\x36\x28\x37\x97", 8); -+ if (errtxt) -+ goto failed; -+ -+ what = "Extended TDES #3"; -+ errtxt = check_one (GCRY_MAC_CMAC_3DES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51", 32, -+ "\x8a\xa8\x3b\xf8\xcb\xda\x10\x62\x0b\xc1\xbf\x19\xfb\xb6\xcd\x58" -+ "\xbc\x31\x3d\x4a\x37\x1c\xa8\xb5", 24, -+ "\x33\xe6\xb1\x09\x24\x00\xea\xe5", 8); -+ if (errtxt) -+ goto failed; -+ } -+ -+ return 0; /* Succeeded. */ -+ -+ failed: -+ if (report) -+ report ("cmac", GCRY_MAC_CMAC_3DES, what, errtxt); -+ return GPG_ERR_SELFTEST_FAILED; -+} -+ -+ -+ -+static gpg_err_code_t -+selftests_cmac_aes (int extended, selftest_report_func_t report) -+{ -+ const char *what; -+ const char *errtxt; -+ -+ what = "Basic AES128"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" -+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40, -+ "\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 16, -+ "\xdf\xa6\x67\x47\xde\x9a\xe6\x30\x30\xca\x32\x61\x14\x97\xc8\x27", 16); -+ if (errtxt) -+ goto failed; -+ -+ what = "Basic AES192"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" -+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40, -+ "\x8e\x73\xb0\xf7\xda\x0e\x64\x52\xc8\x10\xf3\x2b\x80\x90\x79\xe5" -+ "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", 24, -+ "\x8a\x1d\xe5\xbe\x2e\xb3\x1a\xad\x08\x9a\x82\xe6\xee\x90\x8b\x0e", 16); -+ if (errtxt) -+ goto failed; -+ -+ what = "Basic AES256"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" -+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11", 40, -+ "\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81" -+ "\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4", 32, -+ "\xaa\xf3\xd8\xf1\xde\x56\x40\xc2\x32\xf5\xb1\x69\xb9\xc9\x11\xe6", 16); -+ if (errtxt) -+ goto failed; -+ if (extended) -+ { -+ what = "Extended AES #1"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "", 0, -+ "\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 16, -+ "\xbb\x1d\x69\x29\xe9\x59\x37\x28\x7f\xa3\x7d\x12\x9b\x75\x67\x46", 16); -+ if (errtxt) -+ goto failed; -+ -+ what = "Extended AES #2"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a", 16, -+ "\x8e\x73\xb0\xf7\xda\x0e\x64\x52\xc8\x10\xf3\x2b\x80\x90\x79\xe5" -+ "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", 24, -+ "\x9e\x99\xa7\xbf\x31\xe7\x10\x90\x06\x62\xf6\x5e\x61\x7c\x51\x84", 16); -+ if (errtxt) -+ goto failed; -+ -+ what = "Extended AES #3"; -+ errtxt = check_one (GCRY_MAC_CMAC_AES, -+ "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a" -+ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" -+ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" -+ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 64, -+ "\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81" -+ "\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4", 32, -+ "\xe1\x99\x21\x90\x54\x9f\x6e\xd5\x69\x6a\x2c\x05\x6c\x31\x54\x10", 16 ); -+ if (errtxt) -+ goto failed; -+ } -+ -+ return 0; /* Succeeded. */ -+ -+ failed: -+ if (report) -+ report ("cmac", GCRY_MAC_CMAC_AES, what, errtxt); -+ return GPG_ERR_SELFTEST_FAILED; -+} -+ -+ -+/* Run a full self-test for ALGO and return 0 on success. */ -+static gpg_err_code_t -+run_cmac_selftests (int algo, int extended, selftest_report_func_t report) -+{ -+ gpg_err_code_t ec; -+ -+ switch (algo) -+ { -+ case GCRY_MAC_CMAC_3DES: -+ ec = selftests_cmac_tdes (extended, report); -+ break; -+ case GCRY_MAC_CMAC_AES: -+ ec = selftests_cmac_aes (extended, report); -+ break; -+ -+ default: -+ ec = GPG_ERR_MAC_ALGO; -+ break; -+ } -+ return ec; -+} -+ -+ -+ -+ -+/* Run the selftests for CMAC with CMAC algorithm ALGO with optional -+ reporting function REPORT. */ -+gpg_error_t -+_gcry_cmac_selftest (int algo, int extended, selftest_report_func_t report) -+{ -+ gcry_err_code_t ec = 0; -+ -+ if (!_gcry_mac_algo_info( algo, GCRYCTL_TEST_ALGO, NULL, NULL )) -+ { -+ ec = run_cmac_selftests (algo, extended, report); -+ } -+ else -+ { -+ ec = GPG_ERR_MAC_ALGO; -+ if (report) -+ report ("mac", algo, "module", "algorithm not available"); -+ } -+ return gpg_error (ec); -+} -diff -up libgcrypt-1.8.3/src/cipher-proto.h.cmac-selftest libgcrypt-1.8.3/src/cipher-proto.h ---- libgcrypt-1.8.3/src/cipher-proto.h.cmac-selftest 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/src/cipher-proto.h 2019-05-31 17:29:34.574588234 +0200 -@@ -256,6 +256,8 @@ gcry_error_t _gcry_pk_selftest (int algo - selftest_report_func_t report); - gcry_error_t _gcry_hmac_selftest (int algo, int extended, - selftest_report_func_t report); -+gcry_error_t _gcry_cmac_selftest (int algo, int extended, -+ selftest_report_func_t report); - - gcry_error_t _gcry_random_selftest (selftest_report_func_t report); - -diff -up libgcrypt-1.8.3/src/fips.c.cmac-selftest libgcrypt-1.8.3/src/fips.c ---- libgcrypt-1.8.3/src/fips.c.cmac-selftest 2018-11-01 15:40:36.051865535 +0100 -+++ libgcrypt-1.8.3/src/fips.c 2019-05-31 17:31:20.157756640 +0200 -@@ -521,29 +521,32 @@ run_digest_selftests (int extended) - - /* Run self-tests for all HMAC algorithms. Return 0 on success. */ - static int --run_hmac_selftests (int extended) -+run_mac_selftests (int extended) - { -- static int algos[] = -+ static int algos[][2] = - { -- GCRY_MD_SHA1, -- GCRY_MD_SHA224, -- GCRY_MD_SHA256, -- GCRY_MD_SHA384, -- GCRY_MD_SHA512, -- GCRY_MD_SHA3_224, -- GCRY_MD_SHA3_256, -- GCRY_MD_SHA3_384, -- GCRY_MD_SHA3_512, -- 0 -+ { GCRY_MD_SHA1, 0 }, -+ { GCRY_MD_SHA224, 0 }, -+ { GCRY_MD_SHA256, 0 }, -+ { GCRY_MD_SHA384, 0 }, -+ { GCRY_MD_SHA512, 0 }, -+ { GCRY_MD_SHA3_224, 0 }, -+ { GCRY_MD_SHA3_256, 0 }, -+ { GCRY_MD_SHA3_384, 0 }, -+ { GCRY_MD_SHA3_512, 0 }, -+ { GCRY_MAC_CMAC_3DES, 1 }, -+ { GCRY_MAC_CMAC_AES, 1 }, -+ { 0, 0 } - }; - int idx; - gpg_error_t err; - int anyerr = 0; - -- for (idx=0; algos[idx]; idx++) -+ for (idx=0; algos[idx][0]; idx++) - { -- err = _gcry_hmac_selftest (algos[idx], extended, reporter); -- reporter ("hmac", algos[idx], NULL, -+ err = algos[idx][1] ? _gcry_cmac_selftest (algos[idx][0], extended, reporter) : -+ _gcry_hmac_selftest (algos[idx][0], extended, reporter); -+ reporter (algos[idx][1] ? "cmac" : "hmac", algos[idx][0], NULL, - err? gpg_strerror (err):NULL); - if (err) - anyerr = 1; -@@ -747,7 +750,7 @@ _gcry_fips_run_selftests (int extended) - if (run_digest_selftests (extended)) - goto leave; - -- if (run_hmac_selftests (extended)) -+ if (run_mac_selftests (extended)) - goto leave; - - /* Run random tests before the pubkey tests because the latter diff --git a/libgcrypt-1.8.3-md-fips-enforce.patch b/libgcrypt-1.8.3-md-fips-enforce.patch deleted file mode 100644 index eed7fa5..0000000 --- a/libgcrypt-1.8.3-md-fips-enforce.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -up libgcrypt-1.8.3/cipher/md.c.fips-enforce libgcrypt-1.8.3/cipher/md.c ---- libgcrypt-1.8.3/cipher/md.c.fips-enforce 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/cipher/md.c 2020-04-17 15:07:31.364945130 +0200 -@@ -409,13 +409,10 @@ md_enable (gcry_md_hd_t hd, int algorith - } - - -- if (!err && algorithm == GCRY_MD_MD5 && fips_mode ()) -+ if (!err && !spec->flags.fips && fips_mode ()) - { -- _gcry_inactivate_fips_mode ("MD5 used"); - if (_gcry_enforced_fips_mode () ) - { -- /* We should never get to here because we do not register -- MD5 in enforced fips mode. But better throw an error. */ - err = GPG_ERR_DIGEST_ALGO; - } - } diff --git a/libgcrypt-1.8.5-aes-perf.patch b/libgcrypt-1.8.5-aes-perf.patch deleted file mode 100644 index 268ce70..0000000 --- a/libgcrypt-1.8.5-aes-perf.patch +++ /dev/null @@ -1,8156 +0,0 @@ -diff -up libgcrypt-1.8.5/cipher/arcfour.c.aes-perf libgcrypt-1.8.5/cipher/arcfour.c ---- libgcrypt-1.8.5/cipher/arcfour.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/arcfour.c 2020-04-22 18:29:41.662862382 +0200 -@@ -184,10 +184,12 @@ do_arcfour_setkey (void *context, const - } - - static gcry_err_code_t --arcfour_setkey ( void *context, const byte *key, unsigned int keylen ) -+arcfour_setkey ( void *context, const byte *key, unsigned int keylen, -+ gcry_cipher_hd_t hd ) - { - ARCFOUR_context *ctx = (ARCFOUR_context *) context; - gcry_err_code_t rc = do_arcfour_setkey (ctx, key, keylen ); -+ (void)hd; - return rc; - } - -@@ -207,11 +209,11 @@ selftest(void) - static const byte ciphertext_1[] = - { 0xF1, 0x38, 0x29, 0xC9, 0xDE }; - -- arcfour_setkey( &ctx, key_1, sizeof(key_1)); -+ arcfour_setkey( &ctx, key_1, sizeof(key_1), NULL); - encrypt_stream( &ctx, scratch, plaintext_1, sizeof(plaintext_1)); - if ( memcmp (scratch, ciphertext_1, sizeof (ciphertext_1))) - return "Arcfour encryption test 1 failed."; -- arcfour_setkey( &ctx, key_1, sizeof(key_1)); -+ arcfour_setkey( &ctx, key_1, sizeof(key_1), NULL); - encrypt_stream(&ctx, scratch, scratch, sizeof(plaintext_1)); /* decrypt */ - if ( memcmp (scratch, plaintext_1, sizeof (plaintext_1))) - return "Arcfour decryption test 1 failed."; -diff -up libgcrypt-1.8.5/cipher/blowfish.c.aes-perf libgcrypt-1.8.5/cipher/blowfish.c ---- libgcrypt-1.8.5/cipher/blowfish.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/blowfish.c 2020-04-22 18:29:41.663862363 +0200 -@@ -37,6 +37,7 @@ - #include "g10lib.h" - #include "cipher.h" - #include "bufhelp.h" -+#include "cipher-internal.h" - #include "cipher-selftest.h" - - #define BLOWFISH_BLOCKSIZE 8 -@@ -67,7 +68,8 @@ typedef struct { - u32 p[BLOWFISH_ROUNDS+2]; - } BLOWFISH_context; - --static gcry_err_code_t bf_setkey (void *c, const byte *key, unsigned keylen); -+static gcry_err_code_t bf_setkey (void *c, const byte *key, unsigned keylen, -+ gcry_cipher_hd_t hd); - static unsigned int encrypt_block (void *bc, byte *outbuf, const byte *inbuf); - static unsigned int decrypt_block (void *bc, byte *outbuf, const byte *inbuf); - -@@ -703,7 +705,7 @@ _gcry_blowfish_ctr_enc(void *context, un - /* Encrypt the counter. */ - do_encrypt_block(ctx, tmpbuf, ctr); - /* XOR the input with the encrypted counter and store in output. */ -- buf_xor(outbuf, tmpbuf, inbuf, BLOWFISH_BLOCKSIZE); -+ cipher_block_xor(outbuf, tmpbuf, inbuf, BLOWFISH_BLOCKSIZE); - outbuf += BLOWFISH_BLOCKSIZE; - inbuf += BLOWFISH_BLOCKSIZE; - /* Increment the counter. */ -@@ -771,7 +773,7 @@ _gcry_blowfish_cbc_dec(void *context, un - the intermediate result to SAVEBUF. */ - do_decrypt_block (ctx, savebuf, inbuf); - -- buf_xor_n_copy_2(outbuf, savebuf, iv, inbuf, BLOWFISH_BLOCKSIZE); -+ cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, BLOWFISH_BLOCKSIZE); - inbuf += BLOWFISH_BLOCKSIZE; - outbuf += BLOWFISH_BLOCKSIZE; - } -@@ -828,7 +830,7 @@ _gcry_blowfish_cfb_dec(void *context, un - for ( ;nblocks; nblocks-- ) - { - do_encrypt_block(ctx, iv, iv); -- buf_xor_n_copy(outbuf, iv, inbuf, BLOWFISH_BLOCKSIZE); -+ cipher_block_xor_n_copy(outbuf, iv, inbuf, BLOWFISH_BLOCKSIZE); - outbuf += BLOWFISH_BLOCKSIZE; - inbuf += BLOWFISH_BLOCKSIZE; - } -@@ -897,7 +899,7 @@ selftest(void) - const char *r; - - bf_setkey( (void *) &c, -- (const unsigned char*)"abcdefghijklmnopqrstuvwxyz", 26 ); -+ (const unsigned char*)"abcdefghijklmnopqrstuvwxyz", 26, NULL ); - encrypt_block( (void *) &c, buffer, plain ); - if( memcmp( buffer, "\x32\x4E\xD0\xFE\xF4\x13\xA2\x03", 8 ) ) - return "Blowfish selftest failed (1)."; -@@ -905,7 +907,7 @@ selftest(void) - if( memcmp( buffer, plain, 8 ) ) - return "Blowfish selftest failed (2)."; - -- bf_setkey( (void *) &c, key3, 8 ); -+ bf_setkey( (void *) &c, key3, 8, NULL ); - encrypt_block( (void *) &c, buffer, plain3 ); - if( memcmp( buffer, cipher3, 8 ) ) - return "Blowfish selftest failed (3)."; -@@ -1095,10 +1097,12 @@ do_bf_setkey (BLOWFISH_context *c, const - - - static gcry_err_code_t --bf_setkey (void *context, const byte *key, unsigned keylen) -+bf_setkey (void *context, const byte *key, unsigned keylen, -+ gcry_cipher_hd_t hd) - { - BLOWFISH_context *c = (BLOWFISH_context *) context; - gcry_err_code_t rc = do_bf_setkey (c, key, keylen); -+ (void)hd; - return rc; - } - -diff -up libgcrypt-1.8.5/cipher/bufhelp.h.aes-perf libgcrypt-1.8.5/cipher/bufhelp.h ---- libgcrypt-1.8.5/cipher/bufhelp.h.aes-perf 2018-04-17 17:35:28.000000000 +0200 -+++ libgcrypt-1.8.5/cipher/bufhelp.h 2020-04-22 18:29:41.663862363 +0200 -@@ -450,7 +450,21 @@ static inline void buf_put_le64(void *_b - out->a = le_bswap64(val); - } - -- - #endif /*BUFHELP_UNALIGNED_ACCESS*/ - -+ -+/* Host-endian get/put macros */ -+#ifdef WORDS_BIGENDIAN -+# define buf_get_he32 buf_get_be32 -+# define buf_put_he32 buf_put_be32 -+# define buf_get_he64 buf_get_be64 -+# define buf_put_he64 buf_put_be64 -+#else -+# define buf_get_he32 buf_get_le32 -+# define buf_put_he32 buf_put_le32 -+# define buf_get_he64 buf_get_le64 -+# define buf_put_he64 buf_put_le64 -+#endif -+ -+ - #endif /*GCRYPT_BUFHELP_H*/ -diff -up libgcrypt-1.8.5/cipher/camellia-glue.c.aes-perf libgcrypt-1.8.5/cipher/camellia-glue.c ---- libgcrypt-1.8.5/cipher/camellia-glue.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/camellia-glue.c 2020-04-22 18:29:41.664862344 +0200 -@@ -204,7 +204,8 @@ extern void _gcry_camellia_aesni_avx2_oc - static const char *selftest(void); - - static gcry_err_code_t --camellia_setkey(void *c, const byte *key, unsigned keylen) -+camellia_setkey(void *c, const byte *key, unsigned keylen, -+ gcry_cipher_hd_t hd) - { - CAMELLIA_context *ctx=c; - static int initialized=0; -@@ -213,6 +214,8 @@ camellia_setkey(void *c, const byte *key - unsigned int hwf = _gcry_get_hw_features (); - #endif - -+ (void)hd; -+ - if(keylen!=16 && keylen!=24 && keylen!=32) - return GPG_ERR_INV_KEYLEN; - -@@ -427,7 +430,7 @@ _gcry_camellia_ctr_enc(void *context, un - /* Encrypt the counter. */ - Camellia_EncryptBlock(ctx->keybitlength, ctr, ctx->keytable, tmpbuf); - /* XOR the input with the encrypted counter and store in output. */ -- buf_xor(outbuf, tmpbuf, inbuf, CAMELLIA_BLOCK_SIZE); -+ cipher_block_xor(outbuf, tmpbuf, inbuf, CAMELLIA_BLOCK_SIZE); - outbuf += CAMELLIA_BLOCK_SIZE; - inbuf += CAMELLIA_BLOCK_SIZE; - /* Increment the counter. */ -@@ -520,7 +523,8 @@ _gcry_camellia_cbc_dec(void *context, un - the intermediate result to SAVEBUF. */ - Camellia_DecryptBlock(ctx->keybitlength, inbuf, ctx->keytable, savebuf); - -- buf_xor_n_copy_2(outbuf, savebuf, iv, inbuf, CAMELLIA_BLOCK_SIZE); -+ cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, -+ CAMELLIA_BLOCK_SIZE); - inbuf += CAMELLIA_BLOCK_SIZE; - outbuf += CAMELLIA_BLOCK_SIZE; - } -@@ -602,7 +606,7 @@ _gcry_camellia_cfb_dec(void *context, un - for ( ;nblocks; nblocks-- ) - { - Camellia_EncryptBlock(ctx->keybitlength, iv, ctx->keytable, iv); -- buf_xor_n_copy(outbuf, iv, inbuf, CAMELLIA_BLOCK_SIZE); -+ cipher_block_xor_n_copy(outbuf, iv, inbuf, CAMELLIA_BLOCK_SIZE); - outbuf += CAMELLIA_BLOCK_SIZE; - inbuf += CAMELLIA_BLOCK_SIZE; - } -@@ -991,7 +995,7 @@ selftest(void) - 0x20,0xef,0x7c,0x91,0x9e,0x3a,0x75,0x09 - }; - -- camellia_setkey(&ctx,key_128,sizeof(key_128)); -+ camellia_setkey(&ctx,key_128,sizeof(key_128),NULL); - camellia_encrypt(&ctx,scratch,plaintext); - if(memcmp(scratch,ciphertext_128,sizeof(ciphertext_128))!=0) - return "CAMELLIA-128 test encryption failed."; -@@ -999,7 +1003,7 @@ selftest(void) - if(memcmp(scratch,plaintext,sizeof(plaintext))!=0) - return "CAMELLIA-128 test decryption failed."; - -- camellia_setkey(&ctx,key_192,sizeof(key_192)); -+ camellia_setkey(&ctx,key_192,sizeof(key_192),NULL); - camellia_encrypt(&ctx,scratch,plaintext); - if(memcmp(scratch,ciphertext_192,sizeof(ciphertext_192))!=0) - return "CAMELLIA-192 test encryption failed."; -@@ -1007,7 +1011,7 @@ selftest(void) - if(memcmp(scratch,plaintext,sizeof(plaintext))!=0) - return "CAMELLIA-192 test decryption failed."; - -- camellia_setkey(&ctx,key_256,sizeof(key_256)); -+ camellia_setkey(&ctx,key_256,sizeof(key_256),NULL); - camellia_encrypt(&ctx,scratch,plaintext); - if(memcmp(scratch,ciphertext_256,sizeof(ciphertext_256))!=0) - return "CAMELLIA-256 test encryption failed."; -diff -up libgcrypt-1.8.5/cipher/cast5.c.aes-perf libgcrypt-1.8.5/cipher/cast5.c ---- libgcrypt-1.8.5/cipher/cast5.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cast5.c 2020-04-22 18:29:41.665862325 +0200 -@@ -44,6 +44,7 @@ - #include "cipher.h" - #include "bithelp.h" - #include "bufhelp.h" -+#include "cipher-internal.h" - #include "cipher-selftest.h" - - /* USE_AMD64_ASM indicates whether to use AMD64 assembly code. */ -@@ -72,7 +73,8 @@ typedef struct { - #endif - } CAST5_context; - --static gcry_err_code_t cast_setkey (void *c, const byte *key, unsigned keylen); -+static gcry_err_code_t cast_setkey (void *c, const byte *key, unsigned keylen, -+ gcry_cipher_hd_t hd); - static unsigned int encrypt_block (void *c, byte *outbuf, const byte *inbuf); - static unsigned int decrypt_block (void *c, byte *outbuf, const byte *inbuf); - -@@ -671,7 +673,7 @@ _gcry_cast5_ctr_enc(void *context, unsig - /* Encrypt the counter. */ - do_encrypt_block(ctx, tmpbuf, ctr); - /* XOR the input with the encrypted counter and store in output. */ -- buf_xor(outbuf, tmpbuf, inbuf, CAST5_BLOCKSIZE); -+ cipher_block_xor(outbuf, tmpbuf, inbuf, CAST5_BLOCKSIZE); - outbuf += CAST5_BLOCKSIZE; - inbuf += CAST5_BLOCKSIZE; - /* Increment the counter. */ -@@ -739,7 +741,7 @@ _gcry_cast5_cbc_dec(void *context, unsig - the intermediate result to SAVEBUF. */ - do_decrypt_block (ctx, savebuf, inbuf); - -- buf_xor_n_copy_2(outbuf, savebuf, iv, inbuf, CAST5_BLOCKSIZE); -+ cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, CAST5_BLOCKSIZE); - inbuf += CAST5_BLOCKSIZE; - outbuf += CAST5_BLOCKSIZE; - } -@@ -795,7 +797,7 @@ _gcry_cast5_cfb_dec(void *context, unsig - for ( ;nblocks; nblocks-- ) - { - do_encrypt_block(ctx, iv, iv); -- buf_xor_n_copy(outbuf, iv, inbuf, CAST5_BLOCKSIZE); -+ cipher_block_xor_n_copy(outbuf, iv, inbuf, CAST5_BLOCKSIZE); - outbuf += CAST5_BLOCKSIZE; - inbuf += CAST5_BLOCKSIZE; - } -@@ -863,7 +865,7 @@ selftest(void) - byte buffer[8]; - const char *r; - -- cast_setkey( &c, key, 16 ); -+ cast_setkey( &c, key, 16, NULL ); - encrypt_block( &c, buffer, plain ); - if( memcmp( buffer, cipher, 8 ) ) - return "1"; -@@ -884,10 +886,10 @@ selftest(void) - 0x80,0xAC,0x05,0xB8,0xE8,0x3D,0x69,0x6E }; - - for(i=0; i < 1000000; i++ ) { -- cast_setkey( &c, b0, 16 ); -+ cast_setkey( &c, b0, 16, NULL ); - encrypt_block( &c, a0, a0 ); - encrypt_block( &c, a0+8, a0+8 ); -- cast_setkey( &c, a0, 16 ); -+ cast_setkey( &c, a0, 16, NULL ); - encrypt_block( &c, b0, b0 ); - encrypt_block( &c, b0+8, b0+8 ); - } -@@ -1029,10 +1031,12 @@ do_cast_setkey( CAST5_context *c, const - } - - static gcry_err_code_t --cast_setkey (void *context, const byte *key, unsigned keylen ) -+cast_setkey (void *context, const byte *key, unsigned keylen, -+ gcry_cipher_hd_t hd ) - { - CAST5_context *c = (CAST5_context *) context; - gcry_err_code_t rc = do_cast_setkey (c, key, keylen); -+ (void)hd; - return rc; - } - -diff -up libgcrypt-1.8.5/cipher/chacha20.c.aes-perf libgcrypt-1.8.5/cipher/chacha20.c ---- libgcrypt-1.8.5/cipher/chacha20.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/chacha20.c 2020-04-22 18:29:41.665862325 +0200 -@@ -419,10 +419,12 @@ chacha20_do_setkey (CHACHA20_context_t * - - - static gcry_err_code_t --chacha20_setkey (void *context, const byte * key, unsigned int keylen) -+chacha20_setkey (void *context, const byte *key, unsigned int keylen, -+ gcry_cipher_hd_t hd) - { - CHACHA20_context_t *ctx = (CHACHA20_context_t *) context; - gcry_err_code_t rc = chacha20_do_setkey (ctx, key, keylen); -+ (void)hd; - _gcry_burn_stack (4 + sizeof (void *) + 4 * sizeof (void *)); - return rc; - } -@@ -569,7 +571,7 @@ selftest (void) - /* 16-byte alignment required for amd64 implementation. */ - ctx = (CHACHA20_context_t *)((uintptr_t)(ctxbuf + 15) & ~(uintptr_t)15); - -- chacha20_setkey (ctx, key_1, sizeof key_1); -+ chacha20_setkey (ctx, key_1, sizeof key_1, NULL); - chacha20_setiv (ctx, nonce_1, sizeof nonce_1); - scratch[sizeof (scratch) - 1] = 0; - chacha20_encrypt_stream (ctx, scratch, plaintext_1, sizeof plaintext_1); -@@ -577,7 +579,7 @@ selftest (void) - return "ChaCha20 encryption test 1 failed."; - if (scratch[sizeof (scratch) - 1]) - return "ChaCha20 wrote too much."; -- chacha20_setkey (ctx, key_1, sizeof (key_1)); -+ chacha20_setkey (ctx, key_1, sizeof (key_1), NULL); - chacha20_setiv (ctx, nonce_1, sizeof nonce_1); - chacha20_encrypt_stream (ctx, scratch, scratch, sizeof plaintext_1); - if (memcmp (scratch, plaintext_1, sizeof plaintext_1)) -@@ -585,12 +587,12 @@ selftest (void) - - for (i = 0; i < sizeof buf; i++) - buf[i] = i; -- chacha20_setkey (ctx, key_1, sizeof key_1); -+ chacha20_setkey (ctx, key_1, sizeof key_1, NULL); - chacha20_setiv (ctx, nonce_1, sizeof nonce_1); - /*encrypt */ - chacha20_encrypt_stream (ctx, buf, buf, sizeof buf); - /*decrypt */ -- chacha20_setkey (ctx, key_1, sizeof key_1); -+ chacha20_setkey (ctx, key_1, sizeof key_1, NULL); - chacha20_setiv (ctx, nonce_1, sizeof nonce_1); - chacha20_encrypt_stream (ctx, buf, buf, 1); - chacha20_encrypt_stream (ctx, buf + 1, buf + 1, (sizeof buf) - 1 - 1); -@@ -600,13 +602,13 @@ selftest (void) - if (buf[i] != (byte) i) - return "ChaCha20 encryption test 2 failed."; - -- chacha20_setkey (ctx, key_1, sizeof key_1); -+ chacha20_setkey (ctx, key_1, sizeof key_1, NULL); - chacha20_setiv (ctx, nonce_1, sizeof nonce_1); - /* encrypt */ - for (i = 0; i < sizeof buf; i++) - chacha20_encrypt_stream (ctx, &buf[i], &buf[i], 1); - /* decrypt */ -- chacha20_setkey (ctx, key_1, sizeof key_1); -+ chacha20_setkey (ctx, key_1, sizeof key_1, NULL); - chacha20_setiv (ctx, nonce_1, sizeof nonce_1); - chacha20_encrypt_stream (ctx, buf, buf, sizeof buf); - for (i = 0; i < sizeof buf; i++) -diff -up libgcrypt-1.8.5/cipher/cipher-aeswrap.c.aes-perf libgcrypt-1.8.5/cipher/cipher-aeswrap.c ---- libgcrypt-1.8.5/cipher/cipher-aeswrap.c.aes-perf 2018-04-17 17:49:00.000000000 +0200 -+++ libgcrypt-1.8.5/cipher/cipher-aeswrap.c 2020-04-22 18:29:41.665862325 +0200 -@@ -99,7 +99,7 @@ _gcry_cipher_aeswrap_encrypt (gcry_ciphe - break; - } - /* A := MSB_64(B) ^ t */ -- buf_xor(a, b, t, 8); -+ cipher_block_xor(a, b, t, 8); - /* R[i] := LSB_64(B) */ - memcpy (r+i*8, b+8, 8); - } -@@ -170,7 +170,7 @@ _gcry_cipher_aeswrap_decrypt (gcry_ciphe - for (i = n; i >= 1; i--) - { - /* B := AES_k^1( (A ^ t)| R[i] ) */ -- buf_xor(b, a, t, 8); -+ cipher_block_xor(b, a, t, 8); - memcpy (b+8, r+(i-1)*8, 8); - nburn = c->spec->decrypt (&c->context.c, b, b); - burn = nburn > burn ? nburn : burn; -diff -up libgcrypt-1.8.5/cipher/cipher.c.aes-perf libgcrypt-1.8.5/cipher/cipher.c ---- libgcrypt-1.8.5/cipher/cipher.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher.c 2020-04-22 18:29:41.666862306 +0200 -@@ -92,6 +92,8 @@ static gcry_cipher_spec_t *cipher_list[] - - - -+static void _gcry_cipher_setup_mode_ops(gcry_cipher_hd_t c, int mode); -+ - - static int - map_algo (int algo) -@@ -532,6 +534,7 @@ _gcry_cipher_open_internal (gcry_cipher_ - h->bulk.ctr_enc = _gcry_aes_ctr_enc; - h->bulk.ocb_crypt = _gcry_aes_ocb_crypt; - h->bulk.ocb_auth = _gcry_aes_ocb_auth; -+ h->bulk.xts_crypt = _gcry_aes_xts_crypt; - break; - #endif /*USE_AES*/ - #ifdef USE_BLOWFISH -@@ -592,6 +595,9 @@ _gcry_cipher_open_internal (gcry_cipher_ - break; - } - -+ /* Setup mode routines. */ -+ _gcry_cipher_setup_mode_ops(h, mode); -+ - /* Setup defaults depending on the mode. */ - switch (mode) - { -@@ -609,8 +615,7 @@ _gcry_cipher_open_internal (gcry_cipher_ - default: - break; - } -- -- } -+ } - } - - /* Done. */ -@@ -675,7 +680,7 @@ cipher_setkey (gcry_cipher_hd_t c, byte - } - } - -- rc = c->spec->setkey (&c->context.c, key, keylen); -+ rc = c->spec->setkey (&c->context.c, key, keylen, c); - if (!rc) - { - /* Duplicate initial context. */ -@@ -701,7 +706,7 @@ cipher_setkey (gcry_cipher_hd_t c, byte - case GCRY_CIPHER_MODE_XTS: - /* Setup tweak cipher with second part of XTS key. */ - rc = c->spec->setkey (c->u_mode.xts.tweak_context, key + keylen, -- keylen); -+ keylen, c); - if (!rc) - { - /* Duplicate initial tweak context. */ -@@ -872,85 +877,78 @@ do_ecb_decrypt (gcry_cipher_hd_t c, - } - - --/**************** -- * Encrypt INBUF to OUTBUF with the mode selected at open. -- * inbuf and outbuf may overlap or be the same. -- * Depending on the mode some constraints apply to INBUFLEN. -- */ - static gcry_err_code_t --cipher_encrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, -- const byte *inbuf, size_t inbuflen) -+do_stream_encrypt (gcry_cipher_hd_t c, -+ unsigned char *outbuf, size_t outbuflen, -+ const unsigned char *inbuf, size_t inbuflen) -+{ -+ (void)outbuflen; -+ c->spec->stencrypt (&c->context.c, outbuf, (void *)inbuf, inbuflen); -+ return 0; -+} -+ -+static gcry_err_code_t -+do_stream_decrypt (gcry_cipher_hd_t c, -+ unsigned char *outbuf, size_t outbuflen, -+ const unsigned char *inbuf, size_t inbuflen) -+{ -+ (void)outbuflen; -+ c->spec->stdecrypt (&c->context.c, outbuf, (void *)inbuf, inbuflen); -+ return 0; -+} -+ -+ -+static gcry_err_code_t -+do_encrypt_none_unknown (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, -+ const byte *inbuf, size_t inbuflen) - { - gcry_err_code_t rc; - -- if (c->mode != GCRY_CIPHER_MODE_NONE && !c->marks.key) -- { -- log_error ("cipher_encrypt: key not set\n"); -- return GPG_ERR_MISSING_KEY; -- } -+ (void)outbuflen; - - switch (c->mode) - { -- case GCRY_CIPHER_MODE_ECB: -- rc = do_ecb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_CBC: -- rc = _gcry_cipher_cbc_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_CFB: -- rc = _gcry_cipher_cfb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -+ case GCRY_CIPHER_MODE_CMAC: -+ rc = GPG_ERR_INV_CIPHER_MODE; - break; - -- case GCRY_CIPHER_MODE_CFB8: -- rc = _gcry_cipher_cfb8_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -+ case GCRY_CIPHER_MODE_NONE: -+ if (fips_mode () || !_gcry_get_debug_flag (0)) -+ { -+ fips_signal_error ("cipher mode NONE used"); -+ rc = GPG_ERR_INV_CIPHER_MODE; -+ } -+ else -+ { -+ if (inbuf != outbuf) -+ memmove (outbuf, inbuf, inbuflen); -+ rc = 0; -+ } - break; - -- case GCRY_CIPHER_MODE_OFB: -- rc = _gcry_cipher_ofb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -+ default: -+ log_fatal ("cipher_encrypt: invalid mode %d\n", c->mode ); -+ rc = GPG_ERR_INV_CIPHER_MODE; - break; -+ } - -- case GCRY_CIPHER_MODE_CTR: -- rc = _gcry_cipher_ctr_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -+ return rc; -+} - -- case GCRY_CIPHER_MODE_AESWRAP: -- rc = _gcry_cipher_aeswrap_encrypt (c, outbuf, outbuflen, -- inbuf, inbuflen); -- break; -+static gcry_err_code_t -+do_decrypt_none_unknown (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, -+ const byte *inbuf, size_t inbuflen) -+{ -+ gcry_err_code_t rc; - -- case GCRY_CIPHER_MODE_CCM: -- rc = _gcry_cipher_ccm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -+ (void)outbuflen; - -+ switch (c->mode) -+ { - case GCRY_CIPHER_MODE_CMAC: - rc = GPG_ERR_INV_CIPHER_MODE; - break; - -- case GCRY_CIPHER_MODE_GCM: -- rc = _gcry_cipher_gcm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_POLY1305: -- rc = _gcry_cipher_poly1305_encrypt (c, outbuf, outbuflen, -- inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_OCB: -- rc = _gcry_cipher_ocb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_XTS: -- rc = _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 1); -- break; -- -- case GCRY_CIPHER_MODE_STREAM: -- c->spec->stencrypt (&c->context.c, -- outbuf, (byte*)/*arggg*/inbuf, inbuflen); -- rc = 0; -- break; -- - case GCRY_CIPHER_MODE_NONE: - if (fips_mode () || !_gcry_get_debug_flag (0)) - { -@@ -966,7 +964,7 @@ cipher_encrypt (gcry_cipher_hd_t c, byte - break; - - default: -- log_fatal ("cipher_encrypt: invalid mode %d\n", c->mode ); -+ log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode ); - rc = GPG_ERR_INV_CIPHER_MODE; - break; - } -@@ -991,7 +989,13 @@ _gcry_cipher_encrypt (gcry_cipher_hd_t h - inlen = outsize; - } - -- rc = cipher_encrypt (h, out, outsize, in, inlen); -+ if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key) -+ { -+ log_error ("cipher_decrypt: key not set\n"); -+ return GPG_ERR_MISSING_KEY; -+ } -+ -+ rc = h->mode_ops.encrypt (h, out, outsize, in, inlen); - - /* Failsafe: Make sure that the plaintext will never make it into - OUT if the encryption returned an error. */ -@@ -1002,110 +1006,10 @@ _gcry_cipher_encrypt (gcry_cipher_hd_t h - } - - -- - /**************** -- * Decrypt INBUF to OUTBUF with the mode selected at open. -- * inbuf and outbuf may overlap or be the same. -- * Depending on the mode some some constraints apply to INBUFLEN. -+ * Decrypt IN and write it to OUT. If IN is NULL, in-place encryption has -+ * been requested. - */ --static gcry_err_code_t --cipher_decrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen, -- const byte *inbuf, size_t inbuflen) --{ -- gcry_err_code_t rc; -- -- if (c->mode != GCRY_CIPHER_MODE_NONE && !c->marks.key) -- { -- log_error ("cipher_decrypt: key not set\n"); -- return GPG_ERR_MISSING_KEY; -- } -- -- switch (c->mode) -- { -- case GCRY_CIPHER_MODE_ECB: -- rc = do_ecb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_CBC: -- rc = _gcry_cipher_cbc_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_CFB: -- rc = _gcry_cipher_cfb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_CFB8: -- rc = _gcry_cipher_cfb8_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_OFB: -- rc = _gcry_cipher_ofb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_CTR: -- rc = _gcry_cipher_ctr_encrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_AESWRAP: -- rc = _gcry_cipher_aeswrap_decrypt (c, outbuf, outbuflen, -- inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_CCM: -- rc = _gcry_cipher_ccm_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_CMAC: -- rc = GPG_ERR_INV_CIPHER_MODE; -- break; -- -- case GCRY_CIPHER_MODE_GCM: -- rc = _gcry_cipher_gcm_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_POLY1305: -- rc = _gcry_cipher_poly1305_decrypt (c, outbuf, outbuflen, -- inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_OCB: -- rc = _gcry_cipher_ocb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen); -- break; -- -- case GCRY_CIPHER_MODE_XTS: -- rc = _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 0); -- break; -- -- case GCRY_CIPHER_MODE_STREAM: -- c->spec->stdecrypt (&c->context.c, -- outbuf, (byte*)/*arggg*/inbuf, inbuflen); -- rc = 0; -- break; -- -- case GCRY_CIPHER_MODE_NONE: -- if (fips_mode () || !_gcry_get_debug_flag (0)) -- { -- fips_signal_error ("cipher mode NONE used"); -- rc = GPG_ERR_INV_CIPHER_MODE; -- } -- else -- { -- if (inbuf != outbuf) -- memmove (outbuf, inbuf, inbuflen); -- rc = 0; -- } -- break; -- -- default: -- log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode ); -- rc = GPG_ERR_INV_CIPHER_MODE; -- break; -- } -- -- return rc; --} -- -- - gcry_err_code_t - _gcry_cipher_decrypt (gcry_cipher_hd_t h, void *out, size_t outsize, - const void *in, size_t inlen) -@@ -1116,9 +1020,14 @@ _gcry_cipher_decrypt (gcry_cipher_hd_t h - inlen = outsize; - } - -- return cipher_decrypt (h, out, outsize, in, inlen); --} -+ if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key) -+ { -+ log_error ("cipher_decrypt: key not set\n"); -+ return GPG_ERR_MISSING_KEY; -+ } - -+ return h->mode_ops.decrypt (h, out, outsize, in, inlen); -+} - - - /**************** -@@ -1149,33 +1058,10 @@ _gcry_cipher_setkey (gcry_cipher_hd_t hd - gcry_err_code_t - _gcry_cipher_setiv (gcry_cipher_hd_t hd, const void *iv, size_t ivlen) - { -- gcry_err_code_t rc = 0; -- -- switch (hd->mode) -- { -- case GCRY_CIPHER_MODE_CCM: -- rc = _gcry_cipher_ccm_set_nonce (hd, iv, ivlen); -- break; -- -- case GCRY_CIPHER_MODE_GCM: -- rc = _gcry_cipher_gcm_setiv (hd, iv, ivlen); -- break; -- -- case GCRY_CIPHER_MODE_POLY1305: -- rc = _gcry_cipher_poly1305_setiv (hd, iv, ivlen); -- break; -- -- case GCRY_CIPHER_MODE_OCB: -- rc = _gcry_cipher_ocb_set_nonce (hd, iv, ivlen); -- break; -- -- default: -- rc = cipher_setiv (hd, iv, ivlen); -- break; -- } -- return rc; -+ return hd->mode_ops.setiv (hd, iv, ivlen); - } - -+ - /* Set counter for CTR mode. (CTR,CTRLEN) must denote a buffer of - block size length, or (NULL,0) to set the CTR to the all-zero - block. */ -@@ -1209,38 +1095,40 @@ _gcry_cipher_getctr (gcry_cipher_hd_t hd - return 0; - } - -+ - gcry_err_code_t - _gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf, - size_t abuflen) - { - gcry_err_code_t rc; - -- switch (hd->mode) -+ if (hd->mode_ops.authenticate) - { -- case GCRY_CIPHER_MODE_CCM: -- rc = _gcry_cipher_ccm_authenticate (hd, abuf, abuflen); -- break; -- -- case GCRY_CIPHER_MODE_CMAC: -- rc = _gcry_cipher_cmac_authenticate (hd, abuf, abuflen); -- break; -+ rc = hd->mode_ops.authenticate (hd, abuf, abuflen); -+ } -+ else -+ { -+ log_error ("gcry_cipher_authenticate: invalid mode %d\n", hd->mode); -+ rc = GPG_ERR_INV_CIPHER_MODE; -+ } - -- case GCRY_CIPHER_MODE_GCM: -- rc = _gcry_cipher_gcm_authenticate (hd, abuf, abuflen); -- break; -+ return rc; -+} - -- case GCRY_CIPHER_MODE_POLY1305: -- rc = _gcry_cipher_poly1305_authenticate (hd, abuf, abuflen); -- break; - -- case GCRY_CIPHER_MODE_OCB: -- rc = _gcry_cipher_ocb_authenticate (hd, abuf, abuflen); -- break; -+gcry_err_code_t -+_gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag, size_t taglen) -+{ -+ gcry_err_code_t rc; - -- default: -- log_error ("gcry_cipher_authenticate: invalid mode %d\n", hd->mode); -+ if (hd->mode_ops.get_tag) -+ { -+ rc = hd->mode_ops.get_tag (hd, outtag, taglen); -+ } -+ else -+ { -+ log_error ("gcry_cipher_gettag: invalid mode %d\n", hd->mode); - rc = GPG_ERR_INV_CIPHER_MODE; -- break; - } - - return rc; -@@ -1248,76 +1136,166 @@ _gcry_cipher_authenticate (gcry_cipher_h - - - gcry_err_code_t --_gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag, size_t taglen) -+_gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, size_t taglen) - { - gcry_err_code_t rc; - -- switch (hd->mode) -+ if (hd->mode_ops.check_tag) - { -- case GCRY_CIPHER_MODE_CCM: -- rc = _gcry_cipher_ccm_get_tag (hd, outtag, taglen); -+ rc = hd->mode_ops.check_tag (hd, intag, taglen); -+ } -+ else -+ { -+ log_error ("gcry_cipher_checktag: invalid mode %d\n", hd->mode); -+ rc = GPG_ERR_INV_CIPHER_MODE; -+ } -+ -+ return rc; -+} -+ -+ -+ -+static void -+_gcry_cipher_setup_mode_ops(gcry_cipher_hd_t c, int mode) -+{ -+ /* Setup encryption and decryption routines. */ -+ switch (mode) -+ { -+ case GCRY_CIPHER_MODE_STREAM: -+ c->mode_ops.encrypt = do_stream_encrypt; -+ c->mode_ops.decrypt = do_stream_decrypt; - break; - -- case GCRY_CIPHER_MODE_CMAC: -- rc = _gcry_cipher_cmac_get_tag (hd, outtag, taglen); -+ case GCRY_CIPHER_MODE_ECB: -+ c->mode_ops.encrypt = do_ecb_encrypt; -+ c->mode_ops.decrypt = do_ecb_decrypt; -+ break; -+ -+ case GCRY_CIPHER_MODE_CBC: -+ c->mode_ops.encrypt = _gcry_cipher_cbc_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_cbc_decrypt; -+ break; -+ -+ case GCRY_CIPHER_MODE_CFB: -+ c->mode_ops.encrypt = _gcry_cipher_cfb_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_cfb_decrypt; -+ break; -+ -+ case GCRY_CIPHER_MODE_CFB8: -+ c->mode_ops.encrypt = _gcry_cipher_cfb8_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_cfb8_decrypt; -+ break; -+ -+ case GCRY_CIPHER_MODE_OFB: -+ c->mode_ops.encrypt = _gcry_cipher_ofb_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_ofb_encrypt; -+ break; -+ -+ case GCRY_CIPHER_MODE_CTR: -+ c->mode_ops.encrypt = _gcry_cipher_ctr_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_ctr_encrypt; -+ break; -+ -+ case GCRY_CIPHER_MODE_AESWRAP: -+ c->mode_ops.encrypt = _gcry_cipher_aeswrap_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_aeswrap_decrypt; -+ break; -+ -+ case GCRY_CIPHER_MODE_CCM: -+ c->mode_ops.encrypt = _gcry_cipher_ccm_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_ccm_decrypt; - break; - - case GCRY_CIPHER_MODE_GCM: -- rc = _gcry_cipher_gcm_get_tag (hd, outtag, taglen); -+ c->mode_ops.encrypt = _gcry_cipher_gcm_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_gcm_decrypt; - break; - - case GCRY_CIPHER_MODE_POLY1305: -- rc = _gcry_cipher_poly1305_get_tag (hd, outtag, taglen); -+ c->mode_ops.encrypt = _gcry_cipher_poly1305_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_poly1305_decrypt; - break; - - case GCRY_CIPHER_MODE_OCB: -- rc = _gcry_cipher_ocb_get_tag (hd, outtag, taglen); -+ c->mode_ops.encrypt = _gcry_cipher_ocb_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_ocb_decrypt; -+ break; -+ -+ case GCRY_CIPHER_MODE_XTS: -+ c->mode_ops.encrypt = _gcry_cipher_xts_encrypt; -+ c->mode_ops.decrypt = _gcry_cipher_xts_decrypt; - break; - - default: -- log_error ("gcry_cipher_gettag: invalid mode %d\n", hd->mode); -- rc = GPG_ERR_INV_CIPHER_MODE; -+ c->mode_ops.encrypt = do_encrypt_none_unknown; -+ c->mode_ops.decrypt = do_decrypt_none_unknown; - break; - } - -- return rc; --} -+ /* Setup IV setting routine. */ -+ switch (mode) -+ { -+ case GCRY_CIPHER_MODE_CCM: -+ c->mode_ops.setiv = _gcry_cipher_ccm_set_nonce; -+ break; -+ -+ case GCRY_CIPHER_MODE_GCM: -+ c->mode_ops.setiv = _gcry_cipher_gcm_setiv; -+ break; - -+ case GCRY_CIPHER_MODE_POLY1305: -+ c->mode_ops.setiv = _gcry_cipher_poly1305_setiv; -+ break; - --gcry_err_code_t --_gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, size_t taglen) --{ -- gcry_err_code_t rc; -+ case GCRY_CIPHER_MODE_OCB: -+ c->mode_ops.setiv = _gcry_cipher_ocb_set_nonce; -+ break; - -- switch (hd->mode) -+ default: -+ c->mode_ops.setiv = cipher_setiv; -+ break; -+ } -+ -+ -+ /* Setup authentication routines for AEAD modes. */ -+ switch (mode) - { - case GCRY_CIPHER_MODE_CCM: -- rc = _gcry_cipher_ccm_check_tag (hd, intag, taglen); -+ c->mode_ops.authenticate = _gcry_cipher_ccm_authenticate; -+ c->mode_ops.get_tag = _gcry_cipher_ccm_get_tag; -+ c->mode_ops.check_tag = _gcry_cipher_ccm_check_tag; - break; - - case GCRY_CIPHER_MODE_CMAC: -- rc = _gcry_cipher_cmac_check_tag (hd, intag, taglen); -+ c->mode_ops.authenticate = _gcry_cipher_cmac_authenticate; -+ c->mode_ops.get_tag = _gcry_cipher_cmac_get_tag; -+ c->mode_ops.check_tag = _gcry_cipher_cmac_check_tag; - break; - - case GCRY_CIPHER_MODE_GCM: -- rc = _gcry_cipher_gcm_check_tag (hd, intag, taglen); -+ c->mode_ops.authenticate = _gcry_cipher_gcm_authenticate; -+ c->mode_ops.get_tag = _gcry_cipher_gcm_get_tag; -+ c->mode_ops.check_tag = _gcry_cipher_gcm_check_tag; - break; - - case GCRY_CIPHER_MODE_POLY1305: -- rc = _gcry_cipher_poly1305_check_tag (hd, intag, taglen); -+ c->mode_ops.authenticate = _gcry_cipher_poly1305_authenticate; -+ c->mode_ops.get_tag = _gcry_cipher_poly1305_get_tag; -+ c->mode_ops.check_tag = _gcry_cipher_poly1305_check_tag; - break; - - case GCRY_CIPHER_MODE_OCB: -- rc = _gcry_cipher_ocb_check_tag (hd, intag, taglen); -+ c->mode_ops.authenticate = _gcry_cipher_ocb_authenticate; -+ c->mode_ops.get_tag = _gcry_cipher_ocb_get_tag; -+ c->mode_ops.check_tag = _gcry_cipher_ocb_check_tag; - break; - - default: -- log_error ("gcry_cipher_checktag: invalid mode %d\n", hd->mode); -- rc = GPG_ERR_INV_CIPHER_MODE; -+ c->mode_ops.authenticate = NULL; -+ c->mode_ops.get_tag = NULL; -+ c->mode_ops.check_tag = NULL; - break; - } -- -- return rc; - } - - -diff -up libgcrypt-1.8.5/cipher/cipher-cbc.c.aes-perf libgcrypt-1.8.5/cipher/cipher-cbc.c ---- libgcrypt-1.8.5/cipher/cipher-cbc.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-cbc.c 2020-04-22 18:29:41.666862306 +0200 -@@ -79,7 +79,7 @@ _gcry_cipher_cbc_encrypt (gcry_cipher_hd - - for (n=0; n < nblocks; n++ ) - { -- buf_xor (outbuf, inbuf, ivp, blocksize); -+ cipher_block_xor (outbuf, inbuf, ivp, blocksize); - nburn = enc_fn ( &c->context.c, outbuf, outbuf ); - burn = nburn > burn ? nburn : burn; - ivp = outbuf; -@@ -116,7 +116,7 @@ _gcry_cipher_cbc_encrypt (gcry_cipher_hd - - nburn = enc_fn (&c->context.c, outbuf, outbuf); - burn = nburn > burn ? nburn : burn; -- buf_cpy (c->u_iv.iv, outbuf, blocksize); -+ cipher_block_cpy (c->u_iv.iv, outbuf, blocksize); - } - - if (burn > 0) -@@ -158,7 +158,7 @@ _gcry_cipher_cbc_decrypt (gcry_cipher_hd - nblocks--; - if ((inbuflen % blocksize) == 0) - nblocks--; -- buf_cpy (c->lastiv, c->u_iv.iv, blocksize); -+ cipher_block_cpy (c->lastiv, c->u_iv.iv, blocksize); - } - - if (c->bulk.cbc_dec) -@@ -176,7 +176,8 @@ _gcry_cipher_cbc_decrypt (gcry_cipher_hd - storage here because it is not used otherwise. */ - nburn = dec_fn ( &c->context.c, c->lastiv, inbuf ); - burn = nburn > burn ? nburn : burn; -- buf_xor_n_copy_2(outbuf, c->lastiv, c->u_iv.iv, inbuf, blocksize); -+ cipher_block_xor_n_copy_2 (outbuf, c->lastiv, c->u_iv.iv, inbuf, -+ blocksize); - inbuf += blocksize; - outbuf += blocksize; - } -@@ -191,7 +192,7 @@ _gcry_cipher_cbc_decrypt (gcry_cipher_hd - else - restbytes = inbuflen % blocksize; - -- buf_cpy (c->lastiv, c->u_iv.iv, blocksize ); /* Save Cn-2. */ -+ cipher_block_cpy (c->lastiv, c->u_iv.iv, blocksize ); /* Save Cn-2. */ - buf_cpy (c->u_iv.iv, inbuf + blocksize, restbytes ); /* Save Cn. */ - - nburn = dec_fn ( &c->context.c, outbuf, inbuf ); -@@ -203,7 +204,7 @@ _gcry_cipher_cbc_decrypt (gcry_cipher_hd - c->u_iv.iv[i] = outbuf[i]; - nburn = dec_fn (&c->context.c, outbuf, c->u_iv.iv); - burn = nburn > burn ? nburn : burn; -- buf_xor(outbuf, outbuf, c->lastiv, blocksize); -+ cipher_block_xor(outbuf, outbuf, c->lastiv, blocksize); - /* c->lastiv is now really lastlastiv, does this matter? */ - } - -diff -up libgcrypt-1.8.5/cipher/cipher-ccm.c.aes-perf libgcrypt-1.8.5/cipher/cipher-ccm.c ---- libgcrypt-1.8.5/cipher/cipher-ccm.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-ccm.c 2020-04-22 18:29:41.666862306 +0200 -@@ -67,7 +67,8 @@ do_cbc_mac (gcry_cipher_hd_t c, const un - if (unused > 0) - { - /* Process one block from macbuf. */ -- buf_xor(c->u_iv.iv, c->u_iv.iv, c->u_mode.ccm.macbuf, blocksize); -+ cipher_block_xor(c->u_iv.iv, c->u_iv.iv, c->u_mode.ccm.macbuf, -+ blocksize); - set_burn (burn, enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv )); - - unused = 0; -@@ -86,7 +87,7 @@ do_cbc_mac (gcry_cipher_hd_t c, const un - { - while (inlen >= blocksize) - { -- buf_xor(c->u_iv.iv, c->u_iv.iv, inbuf, blocksize); -+ cipher_block_xor(c->u_iv.iv, c->u_iv.iv, inbuf, blocksize); - - set_burn (burn, enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv )); - -@@ -272,7 +273,7 @@ _gcry_cipher_ccm_tag (gcry_cipher_hd_t c - burn = do_cbc_mac (c, NULL, 0, 1); /* Perform final padding. */ - - /* Add S_0 */ -- buf_xor (c->u_iv.iv, c->u_iv.iv, c->u_mode.ccm.s0, 16); -+ cipher_block_xor (c->u_iv.iv, c->u_iv.iv, c->u_mode.ccm.s0, 16); - - wipememory (c->u_ctr.ctr, 16); - wipememory (c->u_mode.ccm.s0, 16); -diff -up libgcrypt-1.8.5/cipher/cipher-cfb.c.aes-perf libgcrypt-1.8.5/cipher/cipher-cfb.c ---- libgcrypt-1.8.5/cipher/cipher-cfb.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-cfb.c 2020-04-22 18:29:41.667862287 +0200 -@@ -91,7 +91,7 @@ _gcry_cipher_cfb_encrypt (gcry_cipher_hd - nburn = enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv ); - burn = nburn > burn ? nburn : burn; - /* XOR the input with the IV and store input into IV. */ -- buf_xor_2dst(outbuf, c->u_iv.iv, inbuf, blocksize); -+ cipher_block_xor_2dst(outbuf, c->u_iv.iv, inbuf, blocksize); - outbuf += blocksize; - inbuf += blocksize; - inbuflen -= blocksize; -@@ -101,11 +101,11 @@ _gcry_cipher_cfb_encrypt (gcry_cipher_hd - if ( inbuflen >= blocksize ) - { - /* Save the current IV and then encrypt the IV. */ -- buf_cpy( c->lastiv, c->u_iv.iv, blocksize ); -+ cipher_block_cpy( c->lastiv, c->u_iv.iv, blocksize ); - nburn = enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv ); - burn = nburn > burn ? nburn : burn; - /* XOR the input with the IV and store input into IV */ -- buf_xor_2dst(outbuf, c->u_iv.iv, inbuf, blocksize); -+ cipher_block_xor_2dst(outbuf, c->u_iv.iv, inbuf, blocksize); - outbuf += blocksize; - inbuf += blocksize; - inbuflen -= blocksize; -@@ -113,7 +113,7 @@ _gcry_cipher_cfb_encrypt (gcry_cipher_hd - if ( inbuflen ) - { - /* Save the current IV and then encrypt the IV. */ -- buf_cpy( c->lastiv, c->u_iv.iv, blocksize ); -+ cipher_block_cpy( c->lastiv, c->u_iv.iv, blocksize ); - nburn = enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv ); - burn = nburn > burn ? nburn : burn; - c->unused = blocksize; -@@ -193,7 +193,7 @@ _gcry_cipher_cfb_decrypt (gcry_cipher_hd - nburn = enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv ); - burn = nburn > burn ? nburn : burn; - /* XOR the input with the IV and store input into IV. */ -- buf_xor_n_copy(outbuf, c->u_iv.iv, inbuf, blocksize); -+ cipher_block_xor_n_copy(outbuf, c->u_iv.iv, inbuf, blocksize); - outbuf += blocksize; - inbuf += blocksize; - inbuflen -= blocksize; -@@ -203,11 +203,11 @@ _gcry_cipher_cfb_decrypt (gcry_cipher_hd - if (inbuflen >= blocksize ) - { - /* Save the current IV and then encrypt the IV. */ -- buf_cpy ( c->lastiv, c->u_iv.iv, blocksize); -+ cipher_block_cpy ( c->lastiv, c->u_iv.iv, blocksize); - nburn = enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv ); - burn = nburn > burn ? nburn : burn; - /* XOR the input with the IV and store input into IV */ -- buf_xor_n_copy(outbuf, c->u_iv.iv, inbuf, blocksize); -+ cipher_block_xor_n_copy(outbuf, c->u_iv.iv, inbuf, blocksize); - outbuf += blocksize; - inbuf += blocksize; - inbuflen -= blocksize; -@@ -216,7 +216,7 @@ _gcry_cipher_cfb_decrypt (gcry_cipher_hd - if (inbuflen) - { - /* Save the current IV and then encrypt the IV. */ -- buf_cpy ( c->lastiv, c->u_iv.iv, blocksize ); -+ cipher_block_cpy ( c->lastiv, c->u_iv.iv, blocksize ); - nburn = enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv ); - burn = nburn > burn ? nburn : burn; - c->unused = blocksize; -diff -up libgcrypt-1.8.5/cipher/cipher-cmac.c.aes-perf libgcrypt-1.8.5/cipher/cipher-cmac.c ---- libgcrypt-1.8.5/cipher/cipher-cmac.c.aes-perf 2020-04-22 18:29:41.643862745 +0200 -+++ libgcrypt-1.8.5/cipher/cipher-cmac.c 2020-04-22 18:29:41.667862287 +0200 -@@ -63,7 +63,7 @@ cmac_write (gcry_cipher_hd_t c, const by - for (; inlen && c->unused < blocksize; inlen--) - c->lastiv[c->unused++] = *inbuf++; - -- buf_xor (c->u_iv.iv, c->u_iv.iv, c->lastiv, blocksize); -+ cipher_block_xor (c->u_iv.iv, c->u_iv.iv, c->lastiv, blocksize); - set_burn (burn, enc_fn (&c->context.c, c->u_iv.iv, c->u_iv.iv)); - - c->unused = 0; -@@ -83,7 +83,7 @@ cmac_write (gcry_cipher_hd_t c, const by - else - while (inlen > blocksize) - { -- buf_xor (c->u_iv.iv, c->u_iv.iv, inbuf, blocksize); -+ cipher_block_xor (c->u_iv.iv, c->u_iv.iv, inbuf, blocksize); - set_burn (burn, enc_fn (&c->context.c, c->u_iv.iv, c->u_iv.iv)); - inlen -= blocksize; - inbuf += blocksize; -@@ -174,9 +174,9 @@ cmac_final (gcry_cipher_hd_t c) - c->lastiv[count++] = 0; - } - -- buf_xor (c->lastiv, c->lastiv, subkey, blocksize); -+ cipher_block_xor (c->lastiv, c->lastiv, subkey, blocksize); - -- buf_xor (c->u_iv.iv, c->u_iv.iv, c->lastiv, blocksize); -+ cipher_block_xor (c->u_iv.iv, c->u_iv.iv, c->lastiv, blocksize); - burn = c->spec->encrypt (&c->context.c, c->u_iv.iv, c->u_iv.iv); - if (burn) - _gcry_burn_stack (burn + 4 * sizeof (void *)); -diff -up libgcrypt-1.8.5/cipher/cipher-ctr.c.aes-perf libgcrypt-1.8.5/cipher/cipher-ctr.c ---- libgcrypt-1.8.5/cipher/cipher-ctr.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-ctr.c 2020-04-22 18:29:41.667862287 +0200 -@@ -81,24 +81,34 @@ _gcry_cipher_ctr_encrypt (gcry_cipher_hd - { - unsigned char tmp[MAX_BLOCKSIZE]; - -- do { -- nburn = enc_fn (&c->context.c, tmp, c->u_ctr.ctr); -- burn = nburn > burn ? nburn : burn; -- -- for (i = blocksize; i > 0; i--) -- { -- c->u_ctr.ctr[i-1]++; -- if (c->u_ctr.ctr[i-1] != 0) -- break; -- } -- -- n = blocksize < inbuflen ? blocksize : inbuflen; -- buf_xor(outbuf, inbuf, tmp, n); -- -- inbuflen -= n; -- outbuf += n; -- inbuf += n; -- } while (inbuflen); -+ do -+ { -+ nburn = enc_fn (&c->context.c, tmp, c->u_ctr.ctr); -+ burn = nburn > burn ? nburn : burn; -+ -+ for (i = blocksize; i > 0; i--) -+ { -+ c->u_ctr.ctr[i-1]++; -+ if (c->u_ctr.ctr[i-1] != 0) -+ break; -+ } -+ -+ if (inbuflen < blocksize) -+ break; -+ n = blocksize; -+ cipher_block_xor(outbuf, inbuf, tmp, blocksize); -+ -+ inbuflen -= n; -+ outbuf += n; -+ inbuf += n; -+ } -+ while (inbuflen); -+ -+ if (inbuflen) -+ { -+ n = inbuflen; -+ buf_xor(outbuf, inbuf, tmp, inbuflen); -+ } - - /* Save the unused bytes of the counter. */ - c->unused = blocksize - n; -diff -up libgcrypt-1.8.5/cipher/cipher-gcm.c.aes-perf libgcrypt-1.8.5/cipher/cipher-gcm.c ---- libgcrypt-1.8.5/cipher/cipher-gcm.c.aes-perf 2018-04-17 17:27:25.000000000 +0200 -+++ libgcrypt-1.8.5/cipher/cipher-gcm.c 2020-04-22 18:29:41.667862287 +0200 -@@ -150,7 +150,7 @@ do_ghash (unsigned char *result, const u - u32 A; - int i; - -- buf_xor (V, result, buf, 16); -+ cipher_block_xor (V, result, buf, 16); - V[0] = be_bswap64 (V[0]); - V[1] = be_bswap64 (V[1]); - -@@ -259,7 +259,7 @@ do_ghash (unsigned char *result, const u - u32 T[3]; - int i; - -- buf_xor (V, result, buf, 16); /* V is big-endian */ -+ cipher_block_xor (V, result, buf, 16); /* V is big-endian */ - - /* First round can be manually tweaked based on fact that 'tmp' is zero. */ - i = 15; -@@ -342,7 +342,7 @@ do_ghash (unsigned char *hsub, unsigned - #else - unsigned long T[4]; - -- buf_xor (V, result, buf, 16); -+ cipher_block_xor (V, result, buf, 16); - for (i = 0; i < 4; i++) - { - V[i] = (V[i] & 0x00ff00ff) << 8 | (V[i] & 0xff00ff00) >> 8; -@@ -358,7 +358,7 @@ do_ghash (unsigned char *hsub, unsigned - for (j = 0x80; j; j >>= 1) - { - if (hsub[i] & j) -- buf_xor (p, p, V, 16); -+ cipher_block_xor (p, p, V, 16); - if (bshift (V)) - V[0] ^= 0xe1000000; - } -@@ -598,7 +598,7 @@ gcm_ctr_encrypt (gcry_cipher_hd_t c, byt - } - - fix_ctr = 1; -- buf_cpy(ctr_copy, c->u_ctr.ctr, GCRY_GCM_BLOCK_LEN); -+ cipher_block_cpy(ctr_copy, c->u_ctr.ctr, GCRY_GCM_BLOCK_LEN); - } - } - -@@ -928,8 +928,8 @@ _gcry_cipher_gcm_tag (gcry_cipher_hd_t c - /* Add bitlengths to tag. */ - do_ghash_buf(c, c->u_mode.gcm.u_tag.tag, (byte*)bitlengths, - GCRY_GCM_BLOCK_LEN, 1); -- buf_xor (c->u_mode.gcm.u_tag.tag, c->u_mode.gcm.tagiv, -- c->u_mode.gcm.u_tag.tag, GCRY_GCM_BLOCK_LEN); -+ cipher_block_xor (c->u_mode.gcm.u_tag.tag, c->u_mode.gcm.tagiv, -+ c->u_mode.gcm.u_tag.tag, GCRY_GCM_BLOCK_LEN); - c->marks.tag = 1; - - wipememory (bitlengths, sizeof (bitlengths)); -diff -up libgcrypt-1.8.5/cipher/cipher-gcm-intel-pclmul.c.aes-perf libgcrypt-1.8.5/cipher/cipher-gcm-intel-pclmul.c ---- libgcrypt-1.8.5/cipher/cipher-gcm-intel-pclmul.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-gcm-intel-pclmul.c 2020-04-22 18:29:41.668862268 +0200 -@@ -248,7 +248,8 @@ static inline void gfmul_pclmul_aggr4(vo - void - _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c) - { -- u64 tmp[2]; -+ static const unsigned char be_mask[16] __attribute__ ((aligned (16))) = -+ { 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 }; - #if defined(__x86_64__) && defined(__WIN64__) - char win64tmp[3 * 16]; - -@@ -262,15 +263,19 @@ _gcry_ghash_setup_intel_pclmul (gcry_cip - #endif - - /* Swap endianness of hsub. */ -- tmp[0] = buf_get_be64(c->u_mode.gcm.u_ghash_key.key + 8); -- tmp[1] = buf_get_be64(c->u_mode.gcm.u_ghash_key.key + 0); -- buf_cpy (c->u_mode.gcm.u_ghash_key.key, tmp, GCRY_GCM_BLOCK_LEN); -+ asm volatile ("movdqu (%[key]), %%xmm0\n\t" -+ "pshufb %[be_mask], %%xmm0\n\t" -+ "movdqu %%xmm0, (%[key])\n\t" -+ : -+ : [key] "r" (c->u_mode.gcm.u_ghash_key.key), -+ [be_mask] "m" (*be_mask) -+ : "memory"); - - #ifdef __x86_64__ -- asm volatile ("movdqu %[h_1], %%xmm0\n\t" -- "movdqa %%xmm0, %%xmm1\n\t" -+ asm volatile ("movdqa %%xmm0, %%xmm1\n\t" -+ : - : -- : [h_1] "m" (*tmp)); -+ : "memory"); - - gfmul_pclmul (); /* H•H => H² */ - -@@ -324,8 +329,6 @@ _gcry_ghash_setup_intel_pclmul (gcry_cip - ::: "cc" ); - #endif - #endif -- -- wipememory (tmp, sizeof(tmp)); - } - - -diff -up libgcrypt-1.8.5/cipher/cipher-internal.h.aes-perf libgcrypt-1.8.5/cipher/cipher-internal.h ---- libgcrypt-1.8.5/cipher/cipher-internal.h.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-internal.h 2020-04-22 18:29:41.668862268 +0200 -@@ -121,6 +121,25 @@ struct gcry_cipher_handle - interface does not easily allow to retrieve this value. */ - int algo; - -+ /* A structure with function pointers for mode operations. */ -+ struct { -+ gcry_err_code_t (*encrypt)(gcry_cipher_hd_t c, -+ unsigned char *outbuf, size_t outbuflen, -+ const unsigned char *inbuf, size_t inbuflen); -+ gcry_err_code_t (*decrypt)(gcry_cipher_hd_t c, -+ unsigned char *outbuf, size_t outbuflen, -+ const unsigned char *inbuf, size_t inbuflen); -+ gcry_err_code_t (*setiv)(gcry_cipher_hd_t c, const unsigned char *iv, -+ size_t ivlen); -+ -+ gcry_err_code_t (*authenticate)(gcry_cipher_hd_t c, -+ const unsigned char *abuf, size_t abuflen); -+ gcry_err_code_t (*get_tag)(gcry_cipher_hd_t c, unsigned char *outtag, -+ size_t taglen); -+ gcry_err_code_t (*check_tag)(gcry_cipher_hd_t c, const unsigned char *intag, -+ size_t taglen); -+ } mode_ops; -+ - /* A structure with function pointers for bulk operations. Due to - limitations of the module system (we don't want to change the - API) we need to keep these function pointers here. The cipher -@@ -146,7 +165,7 @@ struct gcry_cipher_handle - const void *inbuf_arg, size_t nblocks, int encrypt); - size_t (*ocb_auth)(gcry_cipher_hd_t c, const void *abuf_arg, - size_t nblocks); -- void (*xts_crypt)(gcry_cipher_hd_t c, unsigned char *tweak, -+ void (*xts_crypt)(void *context, unsigned char *tweak, - void *outbuf_arg, const void *inbuf_arg, - size_t nblocks, int encrypt); - } bulk; -@@ -479,9 +498,12 @@ gcry_err_code_t _gcry_cipher_ocb_check_t - - - /*-- cipher-xts.c --*/ --gcry_err_code_t _gcry_cipher_xts_crypt -+gcry_err_code_t _gcry_cipher_xts_encrypt - /* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen, -- const unsigned char *inbuf, size_t inbuflen, int encrypt); -+ const unsigned char *inbuf, size_t inbuflen); -+gcry_err_code_t _gcry_cipher_xts_decrypt -+/* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen, -+ const unsigned char *inbuf, size_t inbuflen); - - - /* Return the L-value for block N. Note: 'cipher_ocb.c' ensures that N -@@ -506,4 +528,145 @@ ocb_get_l (gcry_cipher_hd_t c, u64 n) - return c->u_mode.ocb.L[ntz]; - } - -+/* Optimized function for cipher block copying */ -+static inline void -+cipher_block_cpy(void *_dst, const void *_src, size_t blocksize) -+{ -+ byte *dst = _dst; -+ const byte *src = _src; -+ u64 s[2]; -+ -+ if (blocksize == 8) -+ { -+ buf_put_he64(dst + 0, buf_get_he64(src + 0)); -+ } -+ else /* blocksize == 16 */ -+ { -+ s[0] = buf_get_he64(src + 0); -+ s[1] = buf_get_he64(src + 8); -+ buf_put_he64(dst + 0, s[0]); -+ buf_put_he64(dst + 8, s[1]); -+ } -+} -+ -+ -+/* Optimized function for cipher block xoring */ -+static inline void -+cipher_block_xor(void *_dst, const void *_src1, const void *_src2, -+ size_t blocksize) -+{ -+ byte *dst = _dst; -+ const byte *src1 = _src1; -+ const byte *src2 = _src2; -+ u64 s1[2]; -+ u64 s2[2]; -+ -+ if (blocksize == 8) -+ { -+ buf_put_he64(dst + 0, buf_get_he64(src1 + 0) ^ buf_get_he64(src2 + 0)); -+ } -+ else /* blocksize == 16 */ -+ { -+ s1[0] = buf_get_he64(src1 + 0); -+ s1[1] = buf_get_he64(src1 + 8); -+ s2[0] = buf_get_he64(src2 + 0); -+ s2[1] = buf_get_he64(src2 + 8); -+ buf_put_he64(dst + 0, s1[0] ^ s2[0]); -+ buf_put_he64(dst + 8, s1[1] ^ s2[1]); -+ } -+} -+ -+ -+/* Optimized function for in-place cipher block xoring */ -+static inline void -+cipher_block_xor_1(void *_dst, const void *_src, size_t blocksize) -+{ -+ cipher_block_xor (_dst, _dst, _src, blocksize); -+} -+ -+ -+/* Optimized function for cipher block xoring with two destination cipher -+ blocks. Used mainly by CFB mode encryption. */ -+static inline void -+cipher_block_xor_2dst(void *_dst1, void *_dst2, const void *_src, -+ size_t blocksize) -+{ -+ byte *dst1 = _dst1; -+ byte *dst2 = _dst2; -+ const byte *src = _src; -+ u64 d2[2]; -+ u64 s[2]; -+ -+ if (blocksize == 8) -+ { -+ d2[0] = buf_get_he64(dst2 + 0) ^ buf_get_he64(src + 0); -+ buf_put_he64(dst2 + 0, d2[0]); -+ buf_put_he64(dst1 + 0, d2[0]); -+ } -+ else /* blocksize == 16 */ -+ { -+ s[0] = buf_get_he64(src + 0); -+ s[1] = buf_get_he64(src + 8); -+ d2[0] = buf_get_he64(dst2 + 0); -+ d2[1] = buf_get_he64(dst2 + 8); -+ d2[0] = d2[0] ^ s[0]; -+ d2[1] = d2[1] ^ s[1]; -+ buf_put_he64(dst2 + 0, d2[0]); -+ buf_put_he64(dst2 + 8, d2[1]); -+ buf_put_he64(dst1 + 0, d2[0]); -+ buf_put_he64(dst1 + 8, d2[1]); -+ } -+} -+ -+ -+/* Optimized function for combined cipher block xoring and copying. -+ Used by mainly CBC mode decryption. */ -+static inline void -+cipher_block_xor_n_copy_2(void *_dst_xor, const void *_src_xor, -+ void *_srcdst_cpy, const void *_src_cpy, -+ size_t blocksize) -+{ -+ byte *dst_xor = _dst_xor; -+ byte *srcdst_cpy = _srcdst_cpy; -+ const byte *src_xor = _src_xor; -+ const byte *src_cpy = _src_cpy; -+ u64 sc[2]; -+ u64 sx[2]; -+ u64 sdc[2]; -+ -+ if (blocksize == 8) -+ { -+ sc[0] = buf_get_he64(src_cpy + 0); -+ buf_put_he64(dst_xor + 0, -+ buf_get_he64(srcdst_cpy + 0) ^ buf_get_he64(src_xor + 0)); -+ buf_put_he64(srcdst_cpy + 0, sc[0]); -+ } -+ else /* blocksize == 16 */ -+ { -+ sc[0] = buf_get_he64(src_cpy + 0); -+ sc[1] = buf_get_he64(src_cpy + 8); -+ sx[0] = buf_get_he64(src_xor + 0); -+ sx[1] = buf_get_he64(src_xor + 8); -+ sdc[0] = buf_get_he64(srcdst_cpy + 0); -+ sdc[1] = buf_get_he64(srcdst_cpy + 8); -+ sx[0] ^= sdc[0]; -+ sx[1] ^= sdc[1]; -+ buf_put_he64(dst_xor + 0, sx[0]); -+ buf_put_he64(dst_xor + 8, sx[1]); -+ buf_put_he64(srcdst_cpy + 0, sc[0]); -+ buf_put_he64(srcdst_cpy + 8, sc[1]); -+ } -+} -+ -+ -+/* Optimized function for combined cipher block xoring and copying. -+ Used by mainly CFB mode decryption. */ -+static inline void -+cipher_block_xor_n_copy(void *_dst_xor, void *_srcdst_cpy, const void *_src, -+ size_t blocksize) -+{ -+ cipher_block_xor_n_copy_2(_dst_xor, _src, _srcdst_cpy, _src, blocksize); -+} -+ -+ - #endif /*G10_CIPHER_INTERNAL_H*/ -diff -up libgcrypt-1.8.5/cipher/cipher-ocb.c.aes-perf libgcrypt-1.8.5/cipher/cipher-ocb.c ---- libgcrypt-1.8.5/cipher/cipher-ocb.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-ocb.c 2020-04-22 18:29:41.668862268 +0200 -@@ -82,7 +82,7 @@ static void - double_block_cpy (unsigned char *d, const unsigned char *s) - { - if (d != s) -- buf_cpy (d, s, OCB_BLOCK_LEN); -+ cipher_block_cpy (d, s, OCB_BLOCK_LEN); - double_block (d); - } - -@@ -181,8 +181,8 @@ _gcry_cipher_ocb_set_nonce (gcry_cipher_ - nburn = c->spec->encrypt (&c->context.c, ktop, ktop); - burn = nburn > burn ? nburn : burn; - /* Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72]) */ -- buf_cpy (stretch, ktop, OCB_BLOCK_LEN); -- buf_xor (stretch + OCB_BLOCK_LEN, ktop, ktop + 1, 8); -+ cipher_block_cpy (stretch, ktop, OCB_BLOCK_LEN); -+ cipher_block_xor (stretch + OCB_BLOCK_LEN, ktop, ktop + 1, 8); - /* Offset_0 = Stretch[1+bottom..128+bottom] - (We use the IV field to store the offset) */ - bit_copy (c->u_iv.iv, stretch, bottom, OCB_BLOCK_LEN); -@@ -267,18 +267,18 @@ _gcry_cipher_ocb_authenticate (gcry_ciph - } - else - { -- buf_cpy (l_tmp, ocb_get_l (c, c->u_mode.ocb.aad_nblocks), -- OCB_BLOCK_LEN); -+ cipher_block_cpy (l_tmp, ocb_get_l (c, c->u_mode.ocb.aad_nblocks), -+ OCB_BLOCK_LEN); - } - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -- buf_xor_1 (c->u_mode.ocb.aad_offset, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_offset, l_tmp, OCB_BLOCK_LEN); - /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ -- buf_xor (l_tmp, c->u_mode.ocb.aad_offset, -- c->u_mode.ocb.aad_leftover, OCB_BLOCK_LEN); -+ cipher_block_xor (l_tmp, c->u_mode.ocb.aad_offset, -+ c->u_mode.ocb.aad_leftover, OCB_BLOCK_LEN); - nburn = c->spec->encrypt (&c->context.c, l_tmp, l_tmp); - burn = nburn > burn ? nburn : burn; -- buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); - - c->u_mode.ocb.aad_nleftover = 0; - } -@@ -309,12 +309,13 @@ _gcry_cipher_ocb_authenticate (gcry_ciph - ocb_get_L_big(c, c->u_mode.ocb.aad_nblocks, l_tmp); - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -- buf_xor_1 (c->u_mode.ocb.aad_offset, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_offset, l_tmp, OCB_BLOCK_LEN); - /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ -- buf_xor (l_tmp, c->u_mode.ocb.aad_offset, abuf, OCB_BLOCK_LEN); -+ cipher_block_xor (l_tmp, c->u_mode.ocb.aad_offset, abuf, -+ OCB_BLOCK_LEN); - nburn = c->spec->encrypt (&c->context.c, l_tmp, l_tmp); - burn = nburn > burn ? nburn : burn; -- buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); - - abuf += OCB_BLOCK_LEN; - abuflen -= OCB_BLOCK_LEN; -@@ -349,14 +350,15 @@ _gcry_cipher_ocb_authenticate (gcry_ciph - gcry_assert(c->u_mode.ocb.aad_nblocks & table_size_mask); - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -- buf_xor_1 (c->u_mode.ocb.aad_offset, -- ocb_get_l (c, c->u_mode.ocb.aad_nblocks), -- OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_offset, -+ ocb_get_l (c, c->u_mode.ocb.aad_nblocks), -+ OCB_BLOCK_LEN); - /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ -- buf_xor (l_tmp, c->u_mode.ocb.aad_offset, abuf, OCB_BLOCK_LEN); -+ cipher_block_xor (l_tmp, c->u_mode.ocb.aad_offset, abuf, -+ OCB_BLOCK_LEN); - nburn = c->spec->encrypt (&c->context.c, l_tmp, l_tmp); - burn = nburn > burn ? nburn : burn; -- buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); - - abuf += OCB_BLOCK_LEN; - abuflen -= OCB_BLOCK_LEN; -@@ -397,18 +399,18 @@ ocb_aad_finalize (gcry_cipher_hd_t c) - if (c->u_mode.ocb.aad_nleftover) - { - /* Offset_* = Offset_m xor L_* */ -- buf_xor_1 (c->u_mode.ocb.aad_offset, -- c->u_mode.ocb.L_star, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_offset, -+ c->u_mode.ocb.L_star, OCB_BLOCK_LEN); - /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */ - buf_cpy (l_tmp, c->u_mode.ocb.aad_leftover, c->u_mode.ocb.aad_nleftover); - memset (l_tmp + c->u_mode.ocb.aad_nleftover, 0, - OCB_BLOCK_LEN - c->u_mode.ocb.aad_nleftover); - l_tmp[c->u_mode.ocb.aad_nleftover] = 0x80; -- buf_xor_1 (l_tmp, c->u_mode.ocb.aad_offset, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (l_tmp, c->u_mode.ocb.aad_offset, OCB_BLOCK_LEN); - /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */ - nburn = c->spec->encrypt (&c->context.c, l_tmp, l_tmp); - burn = nburn > burn ? nburn : burn; -- buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_sum, l_tmp, OCB_BLOCK_LEN); - - c->u_mode.ocb.aad_nleftover = 0; - } -@@ -431,7 +433,7 @@ ocb_checksum (unsigned char *chksum, con - while (nblks > 0) - { - /* Checksum_i = Checksum_{i-1} xor P_i */ -- buf_xor_1(chksum, plainbuf, OCB_BLOCK_LEN); -+ cipher_block_xor_1(chksum, plainbuf, OCB_BLOCK_LEN); - - plainbuf += OCB_BLOCK_LEN; - nblks--; -@@ -491,12 +493,12 @@ ocb_crypt (gcry_cipher_hd_t c, int encry - } - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -- buf_xor_1 (c->u_iv.iv, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_iv.iv, l_tmp, OCB_BLOCK_LEN); - /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ -- buf_xor (outbuf, c->u_iv.iv, inbuf, OCB_BLOCK_LEN); -+ cipher_block_xor (outbuf, c->u_iv.iv, inbuf, OCB_BLOCK_LEN); - nburn = crypt_fn (&c->context.c, outbuf, outbuf); - burn = nburn > burn ? nburn : burn; -- buf_xor_1 (outbuf, c->u_iv.iv, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (outbuf, c->u_iv.iv, OCB_BLOCK_LEN); - - if (!encrypt) - { -@@ -551,14 +553,14 @@ ocb_crypt (gcry_cipher_hd_t c, int encry - gcry_assert(c->u_mode.ocb.data_nblocks & table_size_mask); - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -- buf_xor_1 (c->u_iv.iv, -- ocb_get_l (c, c->u_mode.ocb.data_nblocks), -- OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_iv.iv, -+ ocb_get_l (c, c->u_mode.ocb.data_nblocks), -+ OCB_BLOCK_LEN); - /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ -- buf_xor (outbuf, c->u_iv.iv, inbuf, OCB_BLOCK_LEN); -+ cipher_block_xor (outbuf, c->u_iv.iv, inbuf, OCB_BLOCK_LEN); - nburn = crypt_fn (&c->context.c, outbuf, outbuf); - burn = nburn > burn ? nburn : burn; -- buf_xor_1 (outbuf, c->u_iv.iv, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (outbuf, c->u_iv.iv, OCB_BLOCK_LEN); - - inbuf += OCB_BLOCK_LEN; - inbuflen -= OCB_BLOCK_LEN; -@@ -584,7 +586,7 @@ ocb_crypt (gcry_cipher_hd_t c, int encry - unsigned char pad[OCB_BLOCK_LEN]; - - /* Offset_* = Offset_m xor L_* */ -- buf_xor_1 (c->u_iv.iv, c->u_mode.ocb.L_star, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_iv.iv, c->u_mode.ocb.L_star, OCB_BLOCK_LEN); - /* Pad = ENCIPHER(K, Offset_*) */ - nburn = c->spec->encrypt (&c->context.c, pad, c->u_iv.iv); - burn = nburn > burn ? nburn : burn; -@@ -596,7 +598,7 @@ ocb_crypt (gcry_cipher_hd_t c, int encry - buf_cpy (l_tmp, inbuf, inbuflen); - memset (l_tmp + inbuflen, 0, OCB_BLOCK_LEN - inbuflen); - l_tmp[inbuflen] = 0x80; -- buf_xor_1 (c->u_ctr.ctr, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_ctr.ctr, l_tmp, OCB_BLOCK_LEN); - /* C_* = P_* xor Pad[1..bitlen(P_*)] */ - buf_xor (outbuf, inbuf, pad, inbuflen); - } -@@ -604,13 +606,13 @@ ocb_crypt (gcry_cipher_hd_t c, int encry - { - /* P_* = C_* xor Pad[1..bitlen(C_*)] */ - /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */ -- buf_cpy (l_tmp, pad, OCB_BLOCK_LEN); -+ cipher_block_cpy (l_tmp, pad, OCB_BLOCK_LEN); - buf_cpy (l_tmp, inbuf, inbuflen); -- buf_xor_1 (l_tmp, pad, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (l_tmp, pad, OCB_BLOCK_LEN); - l_tmp[inbuflen] = 0x80; - buf_cpy (outbuf, l_tmp, inbuflen); - -- buf_xor_1 (c->u_ctr.ctr, l_tmp, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_ctr.ctr, l_tmp, OCB_BLOCK_LEN); - } - } - -@@ -618,8 +620,10 @@ ocb_crypt (gcry_cipher_hd_t c, int encry - if (c->marks.finalize) - { - /* Tag = ENCIPHER(K, Checksum xor Offset xor L_$) xor HASH(K,A) */ -- buf_xor (c->u_mode.ocb.tag, c->u_ctr.ctr, c->u_iv.iv, OCB_BLOCK_LEN); -- buf_xor_1 (c->u_mode.ocb.tag, c->u_mode.ocb.L_dollar, OCB_BLOCK_LEN); -+ cipher_block_xor (c->u_mode.ocb.tag, c->u_ctr.ctr, c->u_iv.iv, -+ OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.tag, c->u_mode.ocb.L_dollar, -+ OCB_BLOCK_LEN); - nburn = c->spec->encrypt (&c->context.c, - c->u_mode.ocb.tag, c->u_mode.ocb.tag); - burn = nburn > burn ? nburn : burn; -@@ -672,7 +676,8 @@ compute_tag_if_needed (gcry_cipher_hd_t - if (!c->marks.tag) - { - ocb_aad_finalize (c); -- buf_xor_1 (c->u_mode.ocb.tag, c->u_mode.ocb.aad_sum, OCB_BLOCK_LEN); -+ cipher_block_xor_1 (c->u_mode.ocb.tag, c->u_mode.ocb.aad_sum, -+ OCB_BLOCK_LEN); - c->marks.tag = 1; - } - } -diff -up libgcrypt-1.8.5/cipher/cipher-ofb.c.aes-perf libgcrypt-1.8.5/cipher/cipher-ofb.c ---- libgcrypt-1.8.5/cipher/cipher-ofb.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-ofb.c 2020-04-22 18:29:41.668862268 +0200 -@@ -76,7 +76,7 @@ _gcry_cipher_ofb_encrypt (gcry_cipher_hd - /* Encrypt the IV (and save the current one). */ - nburn = enc_fn ( &c->context.c, c->u_iv.iv, c->u_iv.iv ); - burn = nburn > burn ? nburn : burn; -- buf_xor(outbuf, c->u_iv.iv, inbuf, blocksize); -+ cipher_block_xor(outbuf, c->u_iv.iv, inbuf, blocksize); - outbuf += blocksize; - inbuf += blocksize; - inbuflen -= blocksize; -diff -up libgcrypt-1.8.5/cipher/cipher-selftest.c.aes-perf libgcrypt-1.8.5/cipher/cipher-selftest.c ---- libgcrypt-1.8.5/cipher/cipher-selftest.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-selftest.c 2020-04-22 18:29:41.669862248 +0200 -@@ -105,7 +105,7 @@ _gcry_selftest_helper_cbc (const char *c - ciphertext = plaintext2 + nblocks * blocksize; - - /* Initialize ctx */ -- if (setkey_func (ctx, key, sizeof(key)) != GPG_ERR_NO_ERROR) -+ if (setkey_func (ctx, key, sizeof(key), NULL) != GPG_ERR_NO_ERROR) - { - xfree(mem); - return "setkey failed"; -@@ -228,7 +228,7 @@ _gcry_selftest_helper_cfb (const char *c - ciphertext = plaintext2 + nblocks * blocksize; - - /* Initialize ctx */ -- if (setkey_func (ctx, key, sizeof(key)) != GPG_ERR_NO_ERROR) -+ if (setkey_func (ctx, key, sizeof(key), NULL) != GPG_ERR_NO_ERROR) - { - xfree(mem); - return "setkey failed"; -@@ -351,7 +351,7 @@ _gcry_selftest_helper_ctr (const char *c - ciphertext2 = ciphertext + nblocks * blocksize; - - /* Initialize ctx */ -- if (setkey_func (ctx, key, sizeof(key)) != GPG_ERR_NO_ERROR) -+ if (setkey_func (ctx, key, sizeof(key), NULL) != GPG_ERR_NO_ERROR) - { - xfree(mem); - return "setkey failed"; -diff -up libgcrypt-1.8.5/cipher/cipher-xts.c.aes-perf libgcrypt-1.8.5/cipher/cipher-xts.c ---- libgcrypt-1.8.5/cipher/cipher-xts.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/cipher-xts.c 2020-04-22 18:29:41.669862248 +0200 -@@ -93,7 +93,8 @@ _gcry_cipher_xts_crypt (gcry_cipher_hd_t - /* Use a bulk method if available. */ - if (nblocks && c->bulk.xts_crypt) - { -- c->bulk.xts_crypt (c, c->u_ctr.ctr, outbuf, inbuf, nblocks, encrypt); -+ c->bulk.xts_crypt (&c->context.c, c->u_ctr.ctr, outbuf, inbuf, nblocks, -+ encrypt); - inbuf += nblocks * GCRY_XTS_BLOCK_LEN; - outbuf += nblocks * GCRY_XTS_BLOCK_LEN; - inbuflen -= nblocks * GCRY_XTS_BLOCK_LEN; -@@ -106,10 +107,10 @@ _gcry_cipher_xts_crypt (gcry_cipher_hd_t - while (nblocks) - { - /* Xor-Encrypt/Decrypt-Xor block. */ -- buf_xor (tmp.x64, inbuf, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); -+ cipher_block_xor (tmp.x64, inbuf, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); - nburn = crypt_fn (&c->context.c, tmp.x1, tmp.x1); - burn = nburn > burn ? nburn : burn; -- buf_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); -+ cipher_block_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); - - outbuf += GCRY_XTS_BLOCK_LEN; - inbuf += GCRY_XTS_BLOCK_LEN; -@@ -132,10 +133,10 @@ _gcry_cipher_xts_crypt (gcry_cipher_hd_t - xts_gfmul_byA (tmp.x1, c->u_ctr.ctr); - - /* Decrypt last block first. */ -- buf_xor (outbuf, inbuf, tmp.x64, GCRY_XTS_BLOCK_LEN); -+ cipher_block_xor (outbuf, inbuf, tmp.x64, GCRY_XTS_BLOCK_LEN); - nburn = crypt_fn (&c->context.c, outbuf, outbuf); - burn = nburn > burn ? nburn : burn; -- buf_xor (outbuf, outbuf, tmp.x64, GCRY_XTS_BLOCK_LEN); -+ cipher_block_xor (outbuf, outbuf, tmp.x64, GCRY_XTS_BLOCK_LEN); - - inbuflen -= GCRY_XTS_BLOCK_LEN; - inbuf += GCRY_XTS_BLOCK_LEN; -@@ -146,15 +147,15 @@ _gcry_cipher_xts_crypt (gcry_cipher_hd_t - outbuf -= GCRY_XTS_BLOCK_LEN; - - /* Steal ciphertext from previous block. */ -- buf_cpy (tmp.x64, outbuf, GCRY_XTS_BLOCK_LEN); -+ cipher_block_cpy (tmp.x64, outbuf, GCRY_XTS_BLOCK_LEN); - buf_cpy (tmp.x64, inbuf, inbuflen); - buf_cpy (outbuf + GCRY_XTS_BLOCK_LEN, outbuf, inbuflen); - - /* Decrypt/Encrypt last block. */ -- buf_xor (tmp.x64, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); -+ cipher_block_xor (tmp.x64, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); - nburn = crypt_fn (&c->context.c, tmp.x1, tmp.x1); - burn = nburn > burn ? nburn : burn; -- buf_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); -+ cipher_block_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN); - } - - /* Auto-increment data-unit sequence number */ -@@ -168,3 +169,21 @@ _gcry_cipher_xts_crypt (gcry_cipher_hd_t - - return 0; - } -+ -+ -+gcry_err_code_t -+_gcry_cipher_xts_encrypt (gcry_cipher_hd_t c, -+ unsigned char *outbuf, size_t outbuflen, -+ const unsigned char *inbuf, size_t inbuflen) -+{ -+ return _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 1); -+} -+ -+ -+gcry_err_code_t -+_gcry_cipher_xts_decrypt (gcry_cipher_hd_t c, -+ unsigned char *outbuf, size_t outbuflen, -+ const unsigned char *inbuf, size_t inbuflen) -+{ -+ return _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 0); -+} -diff -up libgcrypt-1.8.5/cipher/des.c.aes-perf libgcrypt-1.8.5/cipher/des.c ---- libgcrypt-1.8.5/cipher/des.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/des.c 2020-04-22 18:29:41.669862248 +0200 -@@ -119,6 +119,7 @@ - #include "g10lib.h" - #include "cipher.h" - #include "bufhelp.h" -+#include "cipher-internal.h" - #include "cipher-selftest.h" - - -@@ -197,7 +198,8 @@ static unsigned int do_tripledes_encrypt - static unsigned int do_tripledes_decrypt(void *context, byte *outbuf, - const byte *inbuf ); - static gcry_err_code_t do_tripledes_setkey(void *context, const byte *key, -- unsigned keylen); -+ unsigned keylen, -+ gcry_cipher_hd_t hd); - - static int initialized; - -@@ -940,7 +942,7 @@ _gcry_3des_ctr_enc(void *context, unsign - /* Encrypt the counter. */ - tripledes_ecb_encrypt (ctx, ctr, tmpbuf); - /* XOR the input with the encrypted counter and store in output. */ -- buf_xor(outbuf, tmpbuf, inbuf, DES_BLOCKSIZE); -+ cipher_block_xor(outbuf, tmpbuf, inbuf, DES_BLOCKSIZE); - outbuf += DES_BLOCKSIZE; - inbuf += DES_BLOCKSIZE; - /* Increment the counter. */ -@@ -996,7 +998,7 @@ _gcry_3des_cbc_dec(void *context, unsign - the intermediate result to SAVEBUF. */ - tripledes_ecb_decrypt (ctx, inbuf, savebuf); - -- buf_xor_n_copy_2(outbuf, savebuf, iv, inbuf, DES_BLOCKSIZE); -+ cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, DES_BLOCKSIZE); - inbuf += DES_BLOCKSIZE; - outbuf += DES_BLOCKSIZE; - } -@@ -1041,7 +1043,7 @@ _gcry_3des_cfb_dec(void *context, unsign - for ( ;nblocks; nblocks-- ) - { - tripledes_ecb_encrypt (ctx, iv, iv); -- buf_xor_n_copy(outbuf, iv, inbuf, DES_BLOCKSIZE); -+ cipher_block_xor_n_copy(outbuf, iv, inbuf, DES_BLOCKSIZE); - outbuf += DES_BLOCKSIZE; - inbuf += DES_BLOCKSIZE; - } -@@ -1086,7 +1088,8 @@ is_weak_key ( const byte *key ) - - /* Alternative setkey for selftests; need larger key than default. */ - static gcry_err_code_t --bulk_selftest_setkey (void *context, const byte *__key, unsigned __keylen) -+bulk_selftest_setkey (void *context, const byte *__key, unsigned __keylen, -+ gcry_cipher_hd_t hd) - { - static const unsigned char key[24] ATTR_ALIGNED_16 = { - 0x66,0x9A,0x00,0x7F,0xC7,0x6A,0x45,0x9F, -@@ -1094,10 +1097,11 @@ bulk_selftest_setkey (void *context, con - 0x18,0x2A,0x39,0x47,0x5E,0x6F,0x75,0x82 - }; - -+ (void)hd; - (void)__key; - (void)__keylen; - -- return do_tripledes_setkey(context, key, sizeof(key)); -+ return do_tripledes_setkey(context, key, sizeof(key), NULL); - } - - -@@ -1349,10 +1353,13 @@ selftest (void) - - - static gcry_err_code_t --do_tripledes_setkey ( void *context, const byte *key, unsigned keylen ) -+do_tripledes_setkey ( void *context, const byte *key, unsigned keylen, -+ gcry_cipher_hd_t hd ) - { - struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; - -+ (void)hd; -+ - if( keylen != 24 ) - return GPG_ERR_INV_KEYLEN; - -@@ -1413,10 +1420,13 @@ do_tripledes_decrypt( void *context, byt - } - - static gcry_err_code_t --do_des_setkey (void *context, const byte *key, unsigned keylen) -+do_des_setkey (void *context, const byte *key, unsigned keylen, -+ gcry_cipher_hd_t hd) - { - struct _des_ctx *ctx = (struct _des_ctx *) context; - -+ (void)hd; -+ - if (keylen != 8) - return GPG_ERR_INV_KEYLEN; - -diff -up libgcrypt-1.8.5/cipher/gost28147.c.aes-perf libgcrypt-1.8.5/cipher/gost28147.c ---- libgcrypt-1.8.5/cipher/gost28147.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/gost28147.c 2020-04-22 18:29:41.669862248 +0200 -@@ -39,11 +39,14 @@ - #include "gost-sb.h" - - static gcry_err_code_t --gost_setkey (void *c, const byte *key, unsigned keylen) -+gost_setkey (void *c, const byte *key, unsigned keylen, -+ gcry_cipher_hd_t hd) - { - int i; - GOST28147_context *ctx = c; - -+ (void)hd; -+ - if (keylen != 256 / 8) - return GPG_ERR_INV_KEYLEN; - -diff -up libgcrypt-1.8.5/cipher/idea.c.aes-perf libgcrypt-1.8.5/cipher/idea.c ---- libgcrypt-1.8.5/cipher/idea.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/idea.c 2020-04-22 18:29:41.670862229 +0200 -@@ -258,10 +258,12 @@ do_setkey( IDEA_context *c, const byte * - } - - static gcry_err_code_t --idea_setkey (void *context, const byte *key, unsigned int keylen) -+idea_setkey (void *context, const byte *key, unsigned int keylen, -+ gcry_cipher_hd_t hd) - { - IDEA_context *ctx = context; - int rc = do_setkey (ctx, key, keylen); -+ (void)hd; - _gcry_burn_stack (23+6*sizeof(void*)); - return rc; - } -diff -up libgcrypt-1.8.5/cipher/Makefile.am.aes-perf libgcrypt-1.8.5/cipher/Makefile.am ---- libgcrypt-1.8.5/cipher/Makefile.am.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/Makefile.am 2020-04-22 18:29:41.670862229 +0200 -@@ -83,7 +83,8 @@ rijndael.c rijndael-internal.h rijndael- - rijndael-padlock.c rijndael-amd64.S rijndael-arm.S \ - rijndael-ssse3-amd64.c rijndael-ssse3-amd64-asm.S \ - rijndael-armv8-ce.c rijndael-armv8-aarch32-ce.S rijndael-armv8-aarch64-ce.S \ -- rijndael-aarch64.S \ -+ rijndael-aarch64.S rijndael-ppc.c rijndael-ppc9le.c \ -+ rijndael-ppc-common.h rijndael-ppc-functions.h \ - rmd160.c \ - rsa.c \ - salsa20.c salsa20-amd64.S salsa20-armv7-neon.S \ -@@ -128,3 +129,23 @@ tiger.o: $(srcdir)/tiger.c - - tiger.lo: $(srcdir)/tiger.c - `echo $(LTCOMPILE) -c $(srcdir)/tiger.c | $(o_flag_munging) ` -+ -+if ENABLE_PPC_VCRYPTO_EXTRA_CFLAGS -+ppc_vcrypto_cflags = -maltivec -mvsx -mcrypto -+else -+ppc_vcrypto_cflags = -+endif -+ -+rijndael-ppc.o: $(srcdir)/rijndael-ppc.c Makefile -+ `echo $(COMPILE) $(ppc_vcrypto_cflags) -c $< ` -+ -+rijndael-ppc.lo: $(srcdir)/rijndael-ppc.c Makefile -+ `echo $(LTCOMPILE) $(ppc_vcrypto_cflags) -c $< ` -+ -+rijndael-ppc9le.o: $(srcdir)/rijndael-ppc9le.c Makefile -+ `echo $(COMPILE) $(ppc_vcrypto_cflags) -c $< ` -+ -+rijndael-ppc9le.lo: $(srcdir)/rijndael-ppc9le.c Makefile -+ `echo $(LTCOMPILE) $(ppc_vcrypto_cflags) -c $< ` -+ -+ -diff -up libgcrypt-1.8.5/cipher/rfc2268.c.aes-perf libgcrypt-1.8.5/cipher/rfc2268.c ---- libgcrypt-1.8.5/cipher/rfc2268.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/rfc2268.c 2020-04-22 18:29:41.670862229 +0200 -@@ -262,8 +262,10 @@ setkey_core (void *context, const unsign - } - - static gpg_err_code_t --do_setkey (void *context, const unsigned char *key, unsigned int keylen) -+do_setkey (void *context, const unsigned char *key, unsigned int keylen, -+ gcry_cipher_hd_t hd) - { -+ (void)hd; - return setkey_core (context, key, keylen, 1); - } - -diff -up libgcrypt-1.8.5/cipher/rijndael-aesni.c.aes-perf libgcrypt-1.8.5/cipher/rijndael-aesni.c ---- libgcrypt-1.8.5/cipher/rijndael-aesni.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/rijndael-aesni.c 2020-04-28 11:22:26.025519954 +0200 -@@ -327,8 +327,8 @@ _gcry_aes_aesni_do_setkey (RIJNDAEL_cont - - - /* Make a decryption key from an encryption key. */ --void --_gcry_aes_aesni_prepare_decryption (RIJNDAEL_context *ctx) -+static inline void -+do_aesni_prepare_decryption (RIJNDAEL_context *ctx) - { - /* The AES-NI decrypt instructions use the Equivalent Inverse - Cipher, thus we can't use the the standard decrypt key -@@ -338,8 +338,6 @@ _gcry_aes_aesni_prepare_decryption (RIJN - int rr; - int r; - -- aesni_prepare(); -- - #define DO_AESNI_AESIMC() \ - asm volatile ("movdqa %[ekey], %%xmm1\n\t" \ - /*"aesimc %%xmm1, %%xmm1\n\t"*/ \ -@@ -375,7 +373,13 @@ _gcry_aes_aesni_prepare_decryption (RIJN - dkey[r] = ekey[0]; - - #undef DO_AESNI_AESIMC -+} - -+void -+_gcry_aes_aesni_prepare_decryption (RIJNDAEL_context *ctx) -+{ -+ aesni_prepare(); -+ do_aesni_prepare_decryption (ctx); - aesni_cleanup(); - } - -@@ -1023,8 +1027,8 @@ _gcry_aes_aesni_encrypt (const RIJNDAEL_ - - - void --_gcry_aes_aesni_cfb_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -+_gcry_aes_aesni_cfb_enc (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks) - { - aesni_prepare (); -@@ -1059,8 +1063,8 @@ _gcry_aes_aesni_cfb_enc (RIJNDAEL_contex - - - void --_gcry_aes_aesni_cbc_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -+_gcry_aes_aesni_cbc_enc (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks, int cbc_mac) - { - aesni_prepare_2_6_variable; -@@ -1105,8 +1109,8 @@ _gcry_aes_aesni_cbc_enc (RIJNDAEL_contex - - - void --_gcry_aes_aesni_ctr_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *ctr, -+_gcry_aes_aesni_ctr_enc (RIJNDAEL_context *ctx, unsigned char *ctr, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks) - { - static const unsigned char be_mask[16] __attribute__ ((aligned (16))) = -@@ -1160,8 +1164,8 @@ _gcry_aes_aesni_decrypt (const RIJNDAEL_ - - - void --_gcry_aes_aesni_cfb_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -+_gcry_aes_aesni_cfb_dec (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks) - { - aesni_prepare_2_6_variable; -@@ -1245,15 +1249,21 @@ _gcry_aes_aesni_cfb_dec (RIJNDAEL_contex - - - void --_gcry_aes_aesni_cbc_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -- size_t nblocks) -+_gcry_aes_aesni_cbc_dec (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks) - { - aesni_prepare_2_6_variable; - - aesni_prepare (); - aesni_prepare_2_6(); - -+ if ( !ctx->decryption_prepared ) -+ { -+ do_aesni_prepare_decryption ( ctx ); -+ ctx->decryption_prepared = 1; -+ } -+ - asm volatile - ("movdqu %[iv], %%xmm5\n\t" /* use xmm5 as fast IV storage */ - : /* No output */ -@@ -1514,6 +1524,12 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void - aesni_prepare (); - aesni_prepare_2_6 (); - -+ if ( !ctx->decryption_prepared ) -+ { -+ do_aesni_prepare_decryption ( ctx ); -+ ctx->decryption_prepared = 1; -+ } -+ - /* Preload Offset and Checksum */ - asm volatile ("movdqu %[iv], %%xmm5\n\t" - "movdqu %[ctr], %%xmm6\n\t" -@@ -1665,7 +1681,7 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void - } - - --void -+size_t - _gcry_aes_aesni_ocb_crypt(gcry_cipher_hd_t c, void *outbuf_arg, - const void *inbuf_arg, size_t nblocks, int encrypt) - { -@@ -1673,10 +1689,12 @@ _gcry_aes_aesni_ocb_crypt(gcry_cipher_hd - aesni_ocb_enc(c, outbuf_arg, inbuf_arg, nblocks); - else - aesni_ocb_dec(c, outbuf_arg, inbuf_arg, nblocks); -+ -+ return 0; - } - - --void -+size_t - _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, - size_t nblocks) - { -@@ -1810,7 +1828,306 @@ _gcry_aes_aesni_ocb_auth (gcry_cipher_hd - - aesni_cleanup (); - aesni_cleanup_2_6 (); -+ -+ return 0; - } - - -+static const u64 xts_gfmul_const[16] __attribute__ ((aligned (16))) = -+ { 0x87, 0x01 }; -+ -+ -+static void -+_gcry_aes_aesni_xts_enc (RIJNDAEL_context *ctx, unsigned char *tweak, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks) -+{ -+ aesni_prepare_2_6_variable; -+ -+ aesni_prepare (); -+ aesni_prepare_2_6 (); -+ -+ /* Preload Tweak */ -+ asm volatile ("movdqu %[tweak], %%xmm5\n\t" -+ "movdqa %[gfmul], %%xmm6\n\t" -+ : -+ : [tweak] "m" (*tweak), -+ [gfmul] "m" (*xts_gfmul_const) -+ : "memory" ); -+ -+ for ( ;nblocks >= 4; nblocks -= 4 ) -+ { -+ asm volatile ("pshufd $0x13, %%xmm5, %%xmm4\n\t" -+ "movdqu %[inbuf0], %%xmm1\n\t" -+ "pxor %%xmm5, %%xmm1\n\t" -+ "movdqu %%xmm5, %[outbuf0]\n\t" -+ -+ "movdqa %%xmm4, %%xmm0\n\t" -+ "paddd %%xmm4, %%xmm4\n\t" -+ "psrad $31, %%xmm0\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm5\n\t" -+ : [outbuf0] "=m" (*(outbuf + 0 * 16)) -+ : [inbuf0] "m" (*(inbuf + 0 * 16)) -+ : "memory" ); -+ -+ asm volatile ("movdqu %[inbuf1], %%xmm2\n\t" -+ "pxor %%xmm5, %%xmm2\n\t" -+ "movdqu %%xmm5, %[outbuf1]\n\t" -+ -+ "movdqa %%xmm4, %%xmm0\n\t" -+ "paddd %%xmm4, %%xmm4\n\t" -+ "psrad $31, %%xmm0\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm5\n\t" -+ : [outbuf1] "=m" (*(outbuf + 1 * 16)) -+ : [inbuf1] "m" (*(inbuf + 1 * 16)) -+ : "memory" ); -+ -+ asm volatile ("movdqu %[inbuf2], %%xmm3\n\t" -+ "pxor %%xmm5, %%xmm3\n\t" -+ "movdqu %%xmm5, %[outbuf2]\n\t" -+ -+ "movdqa %%xmm4, %%xmm0\n\t" -+ "paddd %%xmm4, %%xmm4\n\t" -+ "psrad $31, %%xmm0\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm5\n\t" -+ : [outbuf2] "=m" (*(outbuf + 2 * 16)) -+ : [inbuf2] "m" (*(inbuf + 2 * 16)) -+ : "memory" ); -+ -+ asm volatile ("movdqa %%xmm4, %%xmm0\n\t" -+ "movdqu %[inbuf3], %%xmm4\n\t" -+ "pxor %%xmm5, %%xmm4\n\t" -+ "movdqu %%xmm5, %[outbuf3]\n\t" -+ -+ "psrad $31, %%xmm0\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm5\n\t" -+ : [outbuf3] "=m" (*(outbuf + 3 * 16)) -+ : [inbuf3] "m" (*(inbuf + 3 * 16)) -+ : "memory" ); -+ -+ do_aesni_enc_vec4 (ctx); -+ -+ asm volatile ("movdqu %[outbuf0], %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm1\n\t" -+ "movdqu %[outbuf1], %%xmm0\n\t" -+ "movdqu %%xmm1, %[outbuf0]\n\t" -+ "movdqu %[outbuf2], %%xmm1\n\t" -+ "pxor %%xmm0, %%xmm2\n\t" -+ "movdqu %[outbuf3], %%xmm0\n\t" -+ "pxor %%xmm1, %%xmm3\n\t" -+ "pxor %%xmm0, %%xmm4\n\t" -+ "movdqu %%xmm2, %[outbuf1]\n\t" -+ "movdqu %%xmm3, %[outbuf2]\n\t" -+ "movdqu %%xmm4, %[outbuf3]\n\t" -+ : [outbuf0] "+m" (*(outbuf + 0 * 16)), -+ [outbuf1] "+m" (*(outbuf + 1 * 16)), -+ [outbuf2] "+m" (*(outbuf + 2 * 16)), -+ [outbuf3] "+m" (*(outbuf + 3 * 16)) -+ : -+ : "memory" ); -+ -+ outbuf += BLOCKSIZE * 4; -+ inbuf += BLOCKSIZE * 4; -+ } -+ -+ for ( ;nblocks; nblocks-- ) -+ { -+ asm volatile ("movdqu %[inbuf], %%xmm0\n\t" -+ "pxor %%xmm5, %%xmm0\n\t" -+ "movdqa %%xmm5, %%xmm4\n\t" -+ -+ "pshufd $0x13, %%xmm5, %%xmm1\n\t" -+ "psrad $31, %%xmm1\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm1\n\t" -+ "pxor %%xmm1, %%xmm5\n\t" -+ : -+ : [inbuf] "m" (*inbuf) -+ : "memory" ); -+ -+ do_aesni_enc (ctx); -+ -+ asm volatile ("pxor %%xmm4, %%xmm0\n\t" -+ "movdqu %%xmm0, %[outbuf]\n\t" -+ : [outbuf] "=m" (*outbuf) -+ : -+ : "memory" ); -+ -+ outbuf += BLOCKSIZE; -+ inbuf += BLOCKSIZE; -+ } -+ -+ asm volatile ("movdqu %%xmm5, %[tweak]\n\t" -+ : [tweak] "=m" (*tweak) -+ : -+ : "memory" ); -+ -+ aesni_cleanup (); -+ aesni_cleanup_2_6 (); -+} -+ -+ -+static void -+_gcry_aes_aesni_xts_dec (RIJNDAEL_context *ctx, unsigned char *tweak, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks) -+{ -+ aesni_prepare_2_6_variable; -+ -+ aesni_prepare (); -+ aesni_prepare_2_6 (); -+ -+ if ( !ctx->decryption_prepared ) -+ { -+ do_aesni_prepare_decryption ( ctx ); -+ ctx->decryption_prepared = 1; -+ } -+ -+ /* Preload Tweak */ -+ asm volatile ("movdqu %[tweak], %%xmm5\n\t" -+ "movdqa %[gfmul], %%xmm6\n\t" -+ : -+ : [tweak] "m" (*tweak), -+ [gfmul] "m" (*xts_gfmul_const) -+ : "memory" ); -+ -+ for ( ;nblocks >= 4; nblocks -= 4 ) -+ { -+ asm volatile ("pshufd $0x13, %%xmm5, %%xmm4\n\t" -+ "movdqu %[inbuf0], %%xmm1\n\t" -+ "pxor %%xmm5, %%xmm1\n\t" -+ "movdqu %%xmm5, %[outbuf0]\n\t" -+ -+ "movdqa %%xmm4, %%xmm0\n\t" -+ "paddd %%xmm4, %%xmm4\n\t" -+ "psrad $31, %%xmm0\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm5\n\t" -+ : [outbuf0] "=m" (*(outbuf + 0 * 16)) -+ : [inbuf0] "m" (*(inbuf + 0 * 16)) -+ : "memory" ); -+ -+ asm volatile ("movdqu %[inbuf1], %%xmm2\n\t" -+ "pxor %%xmm5, %%xmm2\n\t" -+ "movdqu %%xmm5, %[outbuf1]\n\t" -+ -+ "movdqa %%xmm4, %%xmm0\n\t" -+ "paddd %%xmm4, %%xmm4\n\t" -+ "psrad $31, %%xmm0\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm5\n\t" -+ : [outbuf1] "=m" (*(outbuf + 1 * 16)) -+ : [inbuf1] "m" (*(inbuf + 1 * 16)) -+ : "memory" ); -+ -+ asm volatile ("movdqu %[inbuf2], %%xmm3\n\t" -+ "pxor %%xmm5, %%xmm3\n\t" -+ "movdqu %%xmm5, %[outbuf2]\n\t" -+ -+ "movdqa %%xmm4, %%xmm0\n\t" -+ "paddd %%xmm4, %%xmm4\n\t" -+ "psrad $31, %%xmm0\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm5\n\t" -+ : [outbuf2] "=m" (*(outbuf + 2 * 16)) -+ : [inbuf2] "m" (*(inbuf + 2 * 16)) -+ : "memory" ); -+ -+ asm volatile ("movdqa %%xmm4, %%xmm0\n\t" -+ "movdqu %[inbuf3], %%xmm4\n\t" -+ "pxor %%xmm5, %%xmm4\n\t" -+ "movdqu %%xmm5, %[outbuf3]\n\t" -+ -+ "psrad $31, %%xmm0\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm5\n\t" -+ : [outbuf3] "=m" (*(outbuf + 3 * 16)) -+ : [inbuf3] "m" (*(inbuf + 3 * 16)) -+ : "memory" ); -+ -+ do_aesni_dec_vec4 (ctx); -+ -+ asm volatile ("movdqu %[outbuf0], %%xmm0\n\t" -+ "pxor %%xmm0, %%xmm1\n\t" -+ "movdqu %[outbuf1], %%xmm0\n\t" -+ "movdqu %%xmm1, %[outbuf0]\n\t" -+ "movdqu %[outbuf2], %%xmm1\n\t" -+ "pxor %%xmm0, %%xmm2\n\t" -+ "movdqu %[outbuf3], %%xmm0\n\t" -+ "pxor %%xmm1, %%xmm3\n\t" -+ "pxor %%xmm0, %%xmm4\n\t" -+ "movdqu %%xmm2, %[outbuf1]\n\t" -+ "movdqu %%xmm3, %[outbuf2]\n\t" -+ "movdqu %%xmm4, %[outbuf3]\n\t" -+ : [outbuf0] "+m" (*(outbuf + 0 * 16)), -+ [outbuf1] "+m" (*(outbuf + 1 * 16)), -+ [outbuf2] "+m" (*(outbuf + 2 * 16)), -+ [outbuf3] "+m" (*(outbuf + 3 * 16)) -+ : -+ : "memory" ); -+ -+ outbuf += BLOCKSIZE * 4; -+ inbuf += BLOCKSIZE * 4; -+ } -+ -+ for ( ;nblocks; nblocks-- ) -+ { -+ asm volatile ("movdqu %[inbuf], %%xmm0\n\t" -+ "pxor %%xmm5, %%xmm0\n\t" -+ "movdqa %%xmm5, %%xmm4\n\t" -+ -+ "pshufd $0x13, %%xmm5, %%xmm1\n\t" -+ "psrad $31, %%xmm1\n\t" -+ "paddq %%xmm5, %%xmm5\n\t" -+ "pand %%xmm6, %%xmm1\n\t" -+ "pxor %%xmm1, %%xmm5\n\t" -+ : -+ : [inbuf] "m" (*inbuf) -+ : "memory" ); -+ -+ do_aesni_dec (ctx); -+ -+ asm volatile ("pxor %%xmm4, %%xmm0\n\t" -+ "movdqu %%xmm0, %[outbuf]\n\t" -+ : [outbuf] "=m" (*outbuf) -+ : -+ : "memory" ); -+ -+ outbuf += BLOCKSIZE; -+ inbuf += BLOCKSIZE; -+ } -+ -+ asm volatile ("movdqu %%xmm5, %[tweak]\n\t" -+ : [tweak] "=m" (*tweak) -+ : -+ : "memory" ); -+ -+ aesni_cleanup (); -+ aesni_cleanup_2_6 (); -+} -+ -+ -+void -+_gcry_aes_aesni_xts_crypt (RIJNDAEL_context *ctx, unsigned char *tweak, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks, int encrypt) -+{ -+ if (encrypt) -+ _gcry_aes_aesni_xts_enc(ctx, tweak, outbuf, inbuf, nblocks); -+ else -+ _gcry_aes_aesni_xts_dec(ctx, tweak, outbuf, inbuf, nblocks); -+} -+ - #endif /* USE_AESNI */ -diff -up libgcrypt-1.8.5/cipher/rijndael-armv8-aarch32-ce.S.aes-perf libgcrypt-1.8.5/cipher/rijndael-armv8-aarch32-ce.S ---- libgcrypt-1.8.5/cipher/rijndael-armv8-aarch32-ce.S.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/rijndael-armv8-aarch32-ce.S 2020-04-22 18:29:41.673862172 +0200 -@@ -1517,6 +1517,317 @@ _gcry_aes_ocb_auth_armv8_ce: - .size _gcry_aes_ocb_auth_armv8_ce,.-_gcry_aes_ocb_auth_armv8_ce; - - -+ -+/* -+ * void _gcry_aes_xts_enc_armv8_ce (const void *keysched, -+ * unsigned char *outbuf, -+ * const unsigned char *inbuf, -+ * unsigned char *iv, unsigned int nrounds); -+ */ -+ -+.align 3 -+.globl _gcry_aes_xts_enc_armv8_ce -+.type _gcry_aes_xts_enc_armv8_ce,%function; -+_gcry_aes_xts_enc_armv8_ce: -+ /* input: -+ * r0: keysched -+ * r1: outbuf -+ * r2: inbuf -+ * r3: iv -+ * %st+0: nblocks => r4 -+ * %st+4: nrounds => r5 -+ */ -+ -+ vpush {q4-q7} -+ push {r4-r12,lr} /* 4*16 + 4*10 = 104b */ -+ ldr r4, [sp, #(104+0)] -+ ldr r5, [sp, #(104+4)] -+ cmp r4, #0 -+ beq .Lxts_enc_skip -+ -+ cmp r5, #12 -+ -+ vld1.8 {q0}, [r3] /* load tweak */ -+ mov r7, #0x87; -+ -+ aes_preload_keys(r0, r6); -+ -+ beq .Lxts_enc_entry_192 -+ bhi .Lxts_enc_entry_256 -+ -+#define CTR_XTS(bits, ...) \ -+ .Lxts_enc_entry_##bits: \ -+ cmp r4, #4; \ -+ blo .Lxts_enc_loop_##bits; \ -+ \ -+ .Lxts_enc_loop4_##bits: \ -+ sub r4, r4, #4; \ -+ veor q9, q9, q9; \ -+ \ -+ vld1.8 {q1-q2}, [r2]!; /* load plaintext */ \ -+ veor q1, q1, q0; \ -+ cmp r4, #4; \ -+ vmov.u32 d18[0], r7; \ -+ vst1.8 {q0}, [r1]!; /* store tweak0 to temp */ \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ \ -+ vld1.8 {q3-q4}, [r2]!; /* load plaintext */ \ -+ veor q2, q2, q0; \ -+ vst1.8 {q0}, [r1]!; /* store tweak1 to temp */ \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ \ -+ veor q3, q3, q0; \ -+ vst1.8 {q0}, [r1]!; /* store tweak2 to temp */ \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ \ -+ veor q4, q4, q0; \ -+ vst1.8 {q0}, [r1]; /* store tweak3 to temp */ \ -+ sub r1, r1, #48; \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ \ -+ do_aes_4_##bits(e, mc, q1, q2, q3, q4, ##__VA_ARGS__); \ -+ \ -+ vld1.8 {q8-q9}, [r1]!; /* load tweak from temp */ \ -+ veor q1, q1, q8; \ -+ veor q2, q2, q9; \ -+ vld1.8 {q8-q9}, [r1]; /* load tweak from temp */ \ -+ sub r1, r1, #32; \ -+ veor q3, q3, q8; \ -+ veor q4, q4, q9; \ -+ vst1.8 {q1-q2}, [r1]!; /* store plaintext */ \ -+ vst1.8 {q3-q4}, [r1]!; /* store plaintext */ \ -+ \ -+ bhs .Lxts_enc_loop4_##bits; \ -+ cmp r4, #0; \ -+ beq .Lxts_enc_done; \ -+ \ -+ .Lxts_enc_loop_##bits: \ -+ \ -+ vld1.8 {q1}, [r2]!; /* load ciphertext */ \ -+ \ -+ veor q9, q9, q9; \ -+ veor q1, q1, q0; \ -+ vmov.u32 d18[0], r7; \ -+ vmov q2, q0; \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ subs r4, r4, #1; \ -+ \ -+ do_aes_one##bits(e, mc, q1, q1, ##__VA_ARGS__); \ -+ \ -+ veor q1, q1, q2; \ -+ vst1.8 {q1}, [r1]!; /* store plaintext */ \ -+ \ -+ bne .Lxts_enc_loop_##bits; \ -+ b .Lxts_enc_done; -+ -+ CTR_XTS(128re, r0, r6) -+ CTR_XTS(192, r0, r6) -+ CTR_XTS(256, r0, r6) -+ -+#undef CTR_XTS -+ -+.Lxts_enc_done: -+ vst1.8 {q0}, [r3] /* store tweak */ -+ -+ CLEAR_REG(q0) -+ CLEAR_REG(q1) -+ CLEAR_REG(q2) -+ CLEAR_REG(q3) -+ CLEAR_REG(q8) -+ CLEAR_REG(q9) -+ CLEAR_REG(q10) -+ CLEAR_REG(q11) -+ CLEAR_REG(q12) -+ CLEAR_REG(q13) -+ CLEAR_REG(q14) -+ -+.Lxts_enc_skip: -+ pop {r4-r12,lr} -+ vpop {q4-q7} -+ bx lr -+.size _gcry_aes_xts_enc_armv8_ce,.-_gcry_aes_xts_enc_armv8_ce; -+ -+ -+/* -+ * void _gcry_aes_xts_dec_armv8_ce (const void *keysched, -+ * unsigned char *outbuf, -+ * const unsigned char *inbuf, -+ * unsigned char *iv, unsigned int nrounds); -+ */ -+ -+.align 3 -+.globl _gcry_aes_xts_dec_armv8_ce -+.type _gcry_aes_xts_dec_armv8_ce,%function; -+_gcry_aes_xts_dec_armv8_ce: -+ /* input: -+ * r0: keysched -+ * r1: outbuf -+ * r2: inbuf -+ * r3: iv -+ * %st+0: nblocks => r4 -+ * %st+4: nrounds => r5 -+ */ -+ -+ vpush {q4-q7} -+ push {r4-r12,lr} /* 4*16 + 4*10 = 104b */ -+ ldr r4, [sp, #(104+0)] -+ ldr r5, [sp, #(104+4)] -+ cmp r4, #0 -+ beq .Lxts_dec_skip -+ -+ cmp r5, #12 -+ -+ vld1.8 {q0}, [r3] /* load tweak */ -+ mov r7, #0x87; -+ -+ aes_preload_keys(r0, r6); -+ -+ beq .Lxts_dec_entry_192 -+ bhi .Lxts_dec_entry_256 -+ -+#define CTR_XTS(bits, ...) \ -+ .Lxts_dec_entry_##bits: \ -+ cmp r4, #4; \ -+ blo .Lxts_dec_loop_##bits; \ -+ \ -+ .Lxts_dec_loop4_##bits: \ -+ sub r4, r4, #4; \ -+ veor q9, q9, q9; \ -+ \ -+ vld1.8 {q1-q2}, [r2]!; /* load plaintext */ \ -+ veor q1, q1, q0; \ -+ cmp r4, #4; \ -+ vmov.u32 d18[0], r7; \ -+ vst1.8 {q0}, [r1]!; /* store tweak0 to temp */ \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ \ -+ vld1.8 {q3-q4}, [r2]!; /* load plaintext */ \ -+ veor q2, q2, q0; \ -+ vst1.8 {q0}, [r1]!; /* store tweak1 to temp */ \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ \ -+ veor q3, q3, q0; \ -+ vst1.8 {q0}, [r1]!; /* store tweak2 to temp */ \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ \ -+ veor q4, q4, q0; \ -+ vst1.8 {q0}, [r1]; /* store tweak3 to temp */ \ -+ sub r1, r1, #48; \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ \ -+ do_aes_4_##bits(d, imc, q1, q2, q3, q4, ##__VA_ARGS__); \ -+ \ -+ vld1.8 {q8-q9}, [r1]!; /* load tweak from temp */ \ -+ veor q1, q1, q8; \ -+ veor q2, q2, q9; \ -+ vld1.8 {q8-q9}, [r1]; /* load tweak from temp */ \ -+ sub r1, r1, #32; \ -+ veor q3, q3, q8; \ -+ veor q4, q4, q9; \ -+ vst1.8 {q1-q2}, [r1]!; /* store plaintext */ \ -+ vst1.8 {q3-q4}, [r1]!; /* store plaintext */ \ -+ \ -+ bhs .Lxts_dec_loop4_##bits; \ -+ cmp r4, #0; \ -+ beq .Lxts_dec_done; \ -+ \ -+ .Lxts_dec_loop_##bits: \ -+ \ -+ vld1.8 {q1}, [r2]!; /* load ciphertext */ \ -+ \ -+ veor q9, q9, q9; \ -+ veor q1, q1, q0; \ -+ vmov.u32 d18[0], r7; \ -+ vmov q2, q0; \ -+ \ -+ vshr.s64 d16, d1, #63; \ -+ vshr.u64 d17, d0, #63; \ -+ vadd.u64 q0, q0, q0; \ -+ vand d16, d16, d18; \ -+ veor q0, q0, q8; \ -+ subs r4, r4, #1; \ -+ \ -+ do_aes_one##bits(d, imc, q1, q1, ##__VA_ARGS__); \ -+ \ -+ veor q1, q1, q2; \ -+ vst1.8 {q1}, [r1]!; /* store plaintext */ \ -+ \ -+ bne .Lxts_dec_loop_##bits; \ -+ b .Lxts_dec_done; -+ -+ CTR_XTS(128re, r0, r6) -+ CTR_XTS(192, r0, r6) -+ CTR_XTS(256, r0, r6) -+ -+#undef CTR_XTS -+ -+.Lxts_dec_done: -+ vst1.8 {q0}, [r3] /* store tweak */ -+ -+ CLEAR_REG(q0) -+ CLEAR_REG(q1) -+ CLEAR_REG(q2) -+ CLEAR_REG(q3) -+ CLEAR_REG(q8) -+ CLEAR_REG(q9) -+ CLEAR_REG(q10) -+ CLEAR_REG(q11) -+ CLEAR_REG(q12) -+ CLEAR_REG(q13) -+ CLEAR_REG(q14) -+ -+.Lxts_dec_skip: -+ pop {r4-r12,lr} -+ vpop {q4-q7} -+ bx lr -+.size _gcry_aes_xts_dec_armv8_ce,.-_gcry_aes_xts_dec_armv8_ce; -+ -+ - /* - * u32 _gcry_aes_sbox4_armv8_ce(u32 in4b); - */ -diff -up libgcrypt-1.8.5/cipher/rijndael-armv8-aarch64-ce.S.aes-perf libgcrypt-1.8.5/cipher/rijndael-armv8-aarch64-ce.S ---- libgcrypt-1.8.5/cipher/rijndael-armv8-aarch64-ce.S.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/rijndael-armv8-aarch64-ce.S 2020-04-22 18:29:41.674862153 +0200 -@@ -1157,8 +1157,8 @@ _gcry_aes_ocb_auth_armv8_ce: - * w6: nrounds => w7 - * w7: blkn => w12 - */ -- mov x12, x7 -- mov x7, x6 -+ mov w12, w7 -+ mov w7, w6 - mov x6, x5 - mov x5, x4 - mov x4, x3 -@@ -1277,6 +1277,284 @@ _gcry_aes_ocb_auth_armv8_ce: - - - /* -+ * void _gcry_aes_xts_enc_armv8_ce (const void *keysched, -+ * unsigned char *outbuf, -+ * const unsigned char *inbuf, -+ * unsigned char *tweak, -+ * size_t nblocks, -+ * unsigned int nrounds); -+ */ -+ -+.align 3 -+.globl _gcry_aes_xts_enc_armv8_ce -+.type _gcry_aes_xts_enc_armv8_ce,%function; -+_gcry_aes_xts_enc_armv8_ce: -+ /* input: -+ * r0: keysched -+ * r1: outbuf -+ * r2: inbuf -+ * r3: tweak -+ * x4: nblocks -+ * w5: nrounds -+ */ -+ -+ cbz x4, .Lxts_enc_skip -+ -+ /* load tweak */ -+ ld1 {v0.16b}, [x3] -+ -+ /* load gfmul mask */ -+ mov x6, #0x87 -+ mov x7, #0x01 -+ mov v16.D[0], x6 -+ mov v16.D[1], x7 -+ -+ aes_preload_keys(x0, w5); -+ -+ b.eq .Lxts_enc_entry_192 -+ b.hi .Lxts_enc_entry_256 -+ -+#define XTS_ENC(bits) \ -+ .Lxts_enc_entry_##bits: \ -+ cmp x4, #4; \ -+ b.lo .Lxts_enc_loop_##bits; \ -+ \ -+ .Lxts_enc_loop4_##bits: \ -+ \ -+ ext v4.16b, v0.16b, v0.16b, #8; \ -+ \ -+ sshr v2.2d, v4.2d, #63; \ -+ add v5.2d, v0.2d, v0.2d; \ -+ and v2.16b, v2.16b, v16.16b; \ -+ add v4.2d, v4.2d, v4.2d; \ -+ eor v5.16b, v5.16b, v2.16b; \ -+ \ -+ sshr v2.2d, v4.2d, #63; \ -+ add v6.2d, v5.2d, v5.2d; \ -+ and v2.16b, v2.16b, v16.16b; \ -+ add v4.2d, v4.2d, v4.2d; \ -+ eor v6.16b, v6.16b, v2.16b; \ -+ \ -+ sshr v2.2d, v4.2d, #63; \ -+ add v7.2d, v6.2d, v6.2d; \ -+ and v2.16b, v2.16b, v16.16b; \ -+ add v4.2d, v4.2d, v4.2d; \ -+ eor v7.16b, v7.16b, v2.16b; \ -+ \ -+ sshr v2.2d, v4.2d, #63; \ -+ add v3.2d, v7.2d, v7.2d; \ -+ and v2.16b, v2.16b, v16.16b; \ -+ add v4.2d, v4.2d, v4.2d; \ -+ eor v3.16b, v3.16b, v2.16b; \ -+ ld1 {v1.16b-v2.16b}, [x2], #32; /* load plaintext */ \ -+ st1 {v3.16b}, [x3]; \ -+ sub x4, x4, #4; \ -+ eor v1.16b, v1.16b, v0.16b; \ -+ \ -+ ld1 {v3.16b-v4.16b}, [x2], #32; /* load plaintext */ \ -+ cmp x4, #4; \ -+ eor v2.16b, v2.16b, v5.16b; \ -+ eor v3.16b, v3.16b, v6.16b; \ -+ eor v4.16b, v4.16b, v7.16b; \ -+ \ -+ do_aes_4_##bits(e, mc, v1, v2, v3, v4); \ -+ \ -+ eor v1.16b, v1.16b, v0.16b; \ -+ ld1 {v0.16b}, [x3]; \ -+ eor v2.16b, v2.16b, v5.16b; \ -+ eor v3.16b, v3.16b, v6.16b; \ -+ eor v4.16b, v4.16b, v7.16b; \ -+ st1 {v1.16b-v4.16b}, [x1], #64; /* store plaintext */ \ -+ \ -+ b.hs .Lxts_enc_loop4_##bits; \ -+ CLEAR_REG(v3); \ -+ CLEAR_REG(v4); \ -+ CLEAR_REG(v5); \ -+ CLEAR_REG(v6); \ -+ CLEAR_REG(v7); \ -+ cbz x4, .Lxts_enc_done; \ -+ \ -+ .Lxts_enc_loop_##bits: \ -+ \ -+ ld1 {v1.16b}, [x2], #16; /* load plaintext */ \ -+ ext v3.16b, v0.16b, v0.16b, #8; \ -+ mov v2.16b, v0.16b; \ -+ sshr v3.2d, v3.2d, #63; \ -+ add v0.2d, v0.2d, v0.2d; \ -+ and v3.16b, v3.16b, v16.16b; \ -+ eor v1.16b, v1.16b, v2.16b; \ -+ eor v0.16b, v0.16b, v3.16b; \ -+ sub x4, x4, #1; \ -+ \ -+ do_aes_one##bits(e, mc, v1, v1); \ -+ \ -+ eor v1.16b, v1.16b, v2.16b; \ -+ st1 {v1.16b}, [x1], #16; /* store ciphertext */ \ -+ \ -+ cbnz x4, .Lxts_enc_loop_##bits; \ -+ b .Lxts_enc_done; -+ -+ XTS_ENC(128) -+ XTS_ENC(192) -+ XTS_ENC(256) -+ -+#undef XTS_ENC -+ -+.Lxts_enc_done: -+ aes_clear_keys(w5) -+ -+ st1 {v0.16b}, [x3] /* store tweak */ -+ -+ CLEAR_REG(v0) -+ CLEAR_REG(v1) -+ CLEAR_REG(v2) -+ -+.Lxts_enc_skip: -+ ret -+ -+.size _gcry_aes_xts_enc_armv8_ce,.-_gcry_aes_xts_enc_armv8_ce; -+ -+ -+/* -+ * void _gcry_aes_xts_dec_armv8_ce (const void *keysched, -+ * unsigned char *outbuf, -+ * const unsigned char *inbuf, -+ * unsigned char *tweak, -+ * size_t nblocks, -+ * unsigned int nrounds); -+ */ -+ -+.align 3 -+.globl _gcry_aes_xts_dec_armv8_ce -+.type _gcry_aes_xts_dec_armv8_ce,%function; -+_gcry_aes_xts_dec_armv8_ce: -+ /* input: -+ * r0: keysched -+ * r1: outbuf -+ * r2: inbuf -+ * r3: tweak -+ * x4: nblocks -+ * w5: nrounds -+ */ -+ -+ cbz x4, .Lxts_dec_skip -+ -+ /* load tweak */ -+ ld1 {v0.16b}, [x3] -+ -+ /* load gfmul mask */ -+ mov x6, #0x87 -+ mov x7, #0x01 -+ mov v16.D[0], x6 -+ mov v16.D[1], x7 -+ -+ aes_preload_keys(x0, w5); -+ -+ b.eq .Lxts_dec_entry_192 -+ b.hi .Lxts_dec_entry_256 -+ -+#define XTS_DEC(bits) \ -+ .Lxts_dec_entry_##bits: \ -+ cmp x4, #4; \ -+ b.lo .Lxts_dec_loop_##bits; \ -+ \ -+ .Lxts_dec_loop4_##bits: \ -+ \ -+ ext v4.16b, v0.16b, v0.16b, #8; \ -+ \ -+ sshr v2.2d, v4.2d, #63; \ -+ add v5.2d, v0.2d, v0.2d; \ -+ and v2.16b, v2.16b, v16.16b; \ -+ add v4.2d, v4.2d, v4.2d; \ -+ eor v5.16b, v5.16b, v2.16b; \ -+ \ -+ sshr v2.2d, v4.2d, #63; \ -+ add v6.2d, v5.2d, v5.2d; \ -+ and v2.16b, v2.16b, v16.16b; \ -+ add v4.2d, v4.2d, v4.2d; \ -+ eor v6.16b, v6.16b, v2.16b; \ -+ \ -+ sshr v2.2d, v4.2d, #63; \ -+ add v7.2d, v6.2d, v6.2d; \ -+ and v2.16b, v2.16b, v16.16b; \ -+ add v4.2d, v4.2d, v4.2d; \ -+ eor v7.16b, v7.16b, v2.16b; \ -+ \ -+ sshr v2.2d, v4.2d, #63; \ -+ add v3.2d, v7.2d, v7.2d; \ -+ and v2.16b, v2.16b, v16.16b; \ -+ add v4.2d, v4.2d, v4.2d; \ -+ eor v3.16b, v3.16b, v2.16b; \ -+ ld1 {v1.16b-v2.16b}, [x2], #32; /* load plaintext */ \ -+ st1 {v3.16b}, [x3]; \ -+ sub x4, x4, #4; \ -+ eor v1.16b, v1.16b, v0.16b; \ -+ \ -+ ld1 {v3.16b-v4.16b}, [x2], #32; /* load plaintext */ \ -+ cmp x4, #4; \ -+ eor v2.16b, v2.16b, v5.16b; \ -+ eor v3.16b, v3.16b, v6.16b; \ -+ eor v4.16b, v4.16b, v7.16b; \ -+ \ -+ do_aes_4_##bits(d, imc, v1, v2, v3, v4); \ -+ \ -+ eor v1.16b, v1.16b, v0.16b; \ -+ ld1 {v0.16b}, [x3]; \ -+ eor v2.16b, v2.16b, v5.16b; \ -+ eor v3.16b, v3.16b, v6.16b; \ -+ eor v4.16b, v4.16b, v7.16b; \ -+ st1 {v1.16b-v4.16b}, [x1], #64; /* store plaintext */ \ -+ \ -+ b.hs .Lxts_dec_loop4_##bits; \ -+ CLEAR_REG(v3); \ -+ CLEAR_REG(v4); \ -+ CLEAR_REG(v5); \ -+ CLEAR_REG(v6); \ -+ CLEAR_REG(v7); \ -+ cbz x4, .Lxts_dec_done; \ -+ \ -+ .Lxts_dec_loop_##bits: \ -+ \ -+ ld1 {v1.16b}, [x2], #16; /* load plaintext */ \ -+ ext v3.16b, v0.16b, v0.16b, #8; \ -+ mov v2.16b, v0.16b; \ -+ sshr v3.2d, v3.2d, #63; \ -+ add v0.2d, v0.2d, v0.2d; \ -+ and v3.16b, v3.16b, v16.16b; \ -+ eor v1.16b, v1.16b, v2.16b; \ -+ eor v0.16b, v0.16b, v3.16b; \ -+ sub x4, x4, #1; \ -+ \ -+ do_aes_one##bits(d, imc, v1, v1); \ -+ \ -+ eor v1.16b, v1.16b, v2.16b; \ -+ st1 {v1.16b}, [x1], #16; /* store ciphertext */ \ -+ \ -+ cbnz x4, .Lxts_dec_loop_##bits; \ -+ b .Lxts_dec_done; -+ -+ XTS_DEC(128) -+ XTS_DEC(192) -+ XTS_DEC(256) -+ -+#undef XTS_DEC -+ -+.Lxts_dec_done: -+ aes_clear_keys(w5) -+ -+ st1 {v0.16b}, [x3] /* store tweak */ -+ -+ CLEAR_REG(v0) -+ CLEAR_REG(v1) -+ CLEAR_REG(v2) -+ -+.Lxts_dec_skip: -+ ret -+ -+.size _gcry_aes_xts_dec_armv8_ce,.-_gcry_aes_xts_dec_armv8_ce; -+ -+ -+/* - * u32 _gcry_aes_sbox4_armv8_ce(u32 in4b); - */ - .align 3 -diff -up libgcrypt-1.8.5/cipher/rijndael-armv8-ce.c.aes-perf libgcrypt-1.8.5/cipher/rijndael-armv8-ce.c ---- libgcrypt-1.8.5/cipher/rijndael-armv8-ce.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/rijndael-armv8-ce.c 2020-04-22 18:29:41.675862134 +0200 -@@ -101,6 +101,16 @@ extern void _gcry_aes_ocb_auth_armv8_ce - size_t nblocks, - unsigned int nrounds, - unsigned int blkn); -+extern void _gcry_aes_xts_enc_armv8_ce (const void *keysched, -+ unsigned char *outbuf, -+ const unsigned char *inbuf, -+ unsigned char *tweak, -+ size_t nblocks, unsigned int nrounds); -+extern void _gcry_aes_xts_dec_armv8_ce (const void *keysched, -+ unsigned char *outbuf, -+ const unsigned char *inbuf, -+ unsigned char *tweak, -+ size_t nblocks, unsigned int nrounds); - - typedef void (*ocb_crypt_fn_t) (const void *keysched, unsigned char *outbuf, - const unsigned char *inbuf, -@@ -108,6 +118,11 @@ typedef void (*ocb_crypt_fn_t) (const vo - unsigned char *L_table, size_t nblocks, - unsigned int nrounds, unsigned int blkn); - -+typedef void (*xts_crypt_fn_t) (const void *keysched, unsigned char *outbuf, -+ const unsigned char *inbuf, -+ unsigned char *tweak, size_t nblocks, -+ unsigned int nrounds); -+ - void - _gcry_aes_armv8_ce_setkey (RIJNDAEL_context *ctx, const byte *key) - { -@@ -269,8 +284,8 @@ _gcry_aes_armv8_ce_decrypt (const RIJNDA - } - - void --_gcry_aes_armv8_ce_cbc_enc (const RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -+_gcry_aes_armv8_ce_cbc_enc (const RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks, int cbc_mac) - { - const void *keysched = ctx->keyschenc32; -@@ -281,19 +296,25 @@ _gcry_aes_armv8_ce_cbc_enc (const RIJNDA - } - - void --_gcry_aes_armv8_ce_cbc_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -+_gcry_aes_armv8_ce_cbc_dec (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks) - { - const void *keysched = ctx->keyschdec32; - unsigned int nrounds = ctx->rounds; - -+ if ( !ctx->decryption_prepared ) -+ { -+ _gcry_aes_armv8_ce_prepare_decryption ( ctx ); -+ ctx->decryption_prepared = 1; -+ } -+ - _gcry_aes_cbc_dec_armv8_ce(keysched, outbuf, inbuf, iv, nblocks, nrounds); - } - - void --_gcry_aes_armv8_ce_cfb_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -+_gcry_aes_armv8_ce_cfb_enc (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks) - { - const void *keysched = ctx->keyschenc32; -@@ -303,8 +324,8 @@ _gcry_aes_armv8_ce_cfb_enc (RIJNDAEL_con - } - - void --_gcry_aes_armv8_ce_cfb_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -+_gcry_aes_armv8_ce_cfb_dec (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks) - { - const void *keysched = ctx->keyschenc32; -@@ -314,8 +335,8 @@ _gcry_aes_armv8_ce_cfb_dec (RIJNDAEL_con - } - - void --_gcry_aes_armv8_ce_ctr_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -+_gcry_aes_armv8_ce_ctr_enc (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, - size_t nblocks) - { - const void *keysched = ctx->keyschenc32; -@@ -324,7 +345,7 @@ _gcry_aes_armv8_ce_ctr_enc (RIJNDAEL_con - _gcry_aes_ctr_enc_armv8_ce(keysched, outbuf, inbuf, iv, nblocks, nrounds); - } - --void -+size_t - _gcry_aes_armv8_ce_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, - const void *inbuf_arg, size_t nblocks, - int encrypt) -@@ -338,13 +359,21 @@ _gcry_aes_armv8_ce_ocb_crypt (gcry_ciphe - unsigned int nrounds = ctx->rounds; - u64 blkn = c->u_mode.ocb.data_nblocks; - -+ if ( !encrypt && !ctx->decryption_prepared ) -+ { -+ _gcry_aes_armv8_ce_prepare_decryption ( ctx ); -+ ctx->decryption_prepared = 1; -+ } -+ - c->u_mode.ocb.data_nblocks = blkn + nblocks; - - crypt_fn(keysched, outbuf, inbuf, c->u_iv.iv, c->u_ctr.ctr, - c->u_mode.ocb.L[0], nblocks, nrounds, (unsigned int)blkn); -+ -+ return 0; - } - --void -+size_t - _gcry_aes_armv8_ce_ocb_auth (gcry_cipher_hd_t c, void *abuf_arg, - size_t nblocks) - { -@@ -359,6 +388,27 @@ _gcry_aes_armv8_ce_ocb_auth (gcry_cipher - _gcry_aes_ocb_auth_armv8_ce(keysched, abuf, c->u_mode.ocb.aad_offset, - c->u_mode.ocb.aad_sum, c->u_mode.ocb.L[0], - nblocks, nrounds, (unsigned int)blkn); -+ -+ return 0; -+} -+ -+void -+_gcry_aes_armv8_ce_xts_crypt (RIJNDAEL_context *ctx, unsigned char *tweak, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks, int encrypt) -+{ -+ const void *keysched = encrypt ? ctx->keyschenc32 : ctx->keyschdec32; -+ xts_crypt_fn_t crypt_fn = encrypt ? _gcry_aes_xts_enc_armv8_ce -+ : _gcry_aes_xts_dec_armv8_ce; -+ unsigned int nrounds = ctx->rounds; -+ -+ if ( !encrypt && !ctx->decryption_prepared ) -+ { -+ _gcry_aes_armv8_ce_prepare_decryption ( ctx ); -+ ctx->decryption_prepared = 1; -+ } -+ -+ crypt_fn(keysched, outbuf, inbuf, tweak, nblocks, nrounds); - } - - #endif /* USE_ARM_CE */ -diff -up libgcrypt-1.8.5/cipher/rijndael.c.aes-perf libgcrypt-1.8.5/cipher/rijndael.c ---- libgcrypt-1.8.5/cipher/rijndael.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/rijndael.c 2020-04-22 18:29:41.676862114 +0200 -@@ -77,32 +77,29 @@ extern unsigned int _gcry_aes_aesni_encr - extern unsigned int _gcry_aes_aesni_decrypt (const RIJNDAEL_context *ctx, - unsigned char *dst, - const unsigned char *src); --extern void _gcry_aes_aesni_cfb_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_aesni_cbc_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks, -- int cbc_mac); --extern void _gcry_aes_aesni_ctr_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *ctr, size_t nblocks); --extern void _gcry_aes_aesni_cfb_dec (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_aesni_cbc_dec (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_aesni_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, -- const void *inbuf_arg, size_t nblocks, -- int encrypt); --extern void _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, -- size_t nblocks); -+extern void _gcry_aes_aesni_cfb_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_aesni_cbc_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, int cbc_mac); -+extern void _gcry_aes_aesni_ctr_enc (void *context, unsigned char *ctr, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_aesni_cfb_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_aesni_cbc_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern size_t _gcry_aes_aesni_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, -+ const void *inbuf_arg, size_t nblocks, -+ int encrypt); -+extern size_t _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_aesni_xts_crypt (void *context, unsigned char *tweak, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, int encrypt); - #endif - - #ifdef USE_SSSE3 -@@ -116,32 +113,27 @@ extern unsigned int _gcry_aes_ssse3_encr - extern unsigned int _gcry_aes_ssse3_decrypt (const RIJNDAEL_context *ctx, - unsigned char *dst, - const unsigned char *src); --extern void _gcry_aes_ssse3_cfb_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_ssse3_cbc_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks, -+extern void _gcry_aes_ssse3_cfb_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ssse3_cbc_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, - int cbc_mac); --extern void _gcry_aes_ssse3_ctr_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *ctr, size_t nblocks); --extern void _gcry_aes_ssse3_cfb_dec (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_ssse3_cbc_dec (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_ssse3_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, -- const void *inbuf_arg, size_t nblocks, -- int encrypt); --extern void _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, -- size_t nblocks); -+extern void _gcry_aes_ssse3_ctr_enc (void *context, unsigned char *ctr, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ssse3_cfb_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ssse3_cbc_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern size_t _gcry_aes_ssse3_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, -+ const void *inbuf_arg, size_t nblocks, -+ int encrypt); -+extern size_t _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, -+ size_t nblocks); - #endif - - #ifdef USE_PADLOCK -@@ -180,34 +172,110 @@ extern unsigned int _gcry_aes_armv8_ce_d - unsigned char *dst, - const unsigned char *src); - --extern void _gcry_aes_armv8_ce_cfb_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_armv8_ce_cbc_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks, -+extern void _gcry_aes_armv8_ce_cfb_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_armv8_ce_cbc_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, - int cbc_mac); --extern void _gcry_aes_armv8_ce_ctr_enc (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *ctr, size_t nblocks); --extern void _gcry_aes_armv8_ce_cfb_dec (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_armv8_ce_cbc_dec (RIJNDAEL_context *ctx, -- unsigned char *outbuf, -- const unsigned char *inbuf, -- unsigned char *iv, size_t nblocks); --extern void _gcry_aes_armv8_ce_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, -- const void *inbuf_arg, size_t nblocks, -- int encrypt); --extern void _gcry_aes_armv8_ce_ocb_auth (gcry_cipher_hd_t c, -- const void *abuf_arg, size_t nblocks); -+extern void _gcry_aes_armv8_ce_ctr_enc (void *context, unsigned char *ctr, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_armv8_ce_cfb_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_armv8_ce_cbc_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern size_t _gcry_aes_armv8_ce_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, -+ const void *inbuf_arg, size_t nblocks, -+ int encrypt); -+extern size_t _gcry_aes_armv8_ce_ocb_auth (gcry_cipher_hd_t c, -+ const void *abuf_arg, size_t nblocks); -+extern void _gcry_aes_armv8_ce_xts_crypt (void *context, unsigned char *tweak, -+ void *outbuf_arg, -+ const void *inbuf_arg, -+ size_t nblocks, int encrypt); - #endif /*USE_ARM_ASM*/ - -+#ifdef USE_PPC_CRYPTO -+/* PowerPC Crypto implementations of AES */ -+extern void _gcry_aes_ppc8_setkey(RIJNDAEL_context *ctx, const byte *key); -+extern void _gcry_aes_ppc8_prepare_decryption(RIJNDAEL_context *ctx); -+ -+extern unsigned int _gcry_aes_ppc8_encrypt(const RIJNDAEL_context *ctx, -+ unsigned char *dst, -+ const unsigned char *src); -+extern unsigned int _gcry_aes_ppc8_decrypt(const RIJNDAEL_context *ctx, -+ unsigned char *dst, -+ const unsigned char *src); -+ -+extern void _gcry_aes_ppc8_cfb_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ppc8_cbc_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, int cbc_mac); -+extern void _gcry_aes_ppc8_ctr_enc (void *context, unsigned char *ctr, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ppc8_cfb_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ppc8_cbc_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+ -+extern size_t _gcry_aes_ppc8_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, -+ const void *inbuf_arg, size_t nblocks, -+ int encrypt); -+extern size_t _gcry_aes_ppc8_ocb_auth (gcry_cipher_hd_t c, -+ const void *abuf_arg, size_t nblocks); -+ -+extern void _gcry_aes_ppc8_xts_crypt (void *context, unsigned char *tweak, -+ void *outbuf_arg, -+ const void *inbuf_arg, -+ size_t nblocks, int encrypt); -+#endif /*USE_PPC_CRYPTO*/ -+ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+/* Power9 little-endian crypto implementations of AES */ -+extern unsigned int _gcry_aes_ppc9le_encrypt(const RIJNDAEL_context *ctx, -+ unsigned char *dst, -+ const unsigned char *src); -+extern unsigned int _gcry_aes_ppc9le_decrypt(const RIJNDAEL_context *ctx, -+ unsigned char *dst, -+ const unsigned char *src); -+ -+extern void _gcry_aes_ppc9le_cfb_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ppc9le_cbc_enc (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, int cbc_mac); -+extern void _gcry_aes_ppc9le_ctr_enc (void *context, unsigned char *ctr, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ppc9le_cfb_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+extern void _gcry_aes_ppc9le_cbc_dec (void *context, unsigned char *iv, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks); -+ -+extern size_t _gcry_aes_ppc9le_ocb_crypt (gcry_cipher_hd_t c, void *outbuf_arg, -+ const void *inbuf_arg, size_t nblocks, -+ int encrypt); -+extern size_t _gcry_aes_ppc9le_ocb_auth (gcry_cipher_hd_t c, -+ const void *abuf_arg, size_t nblocks); -+ -+extern void _gcry_aes_ppc9le_xts_crypt (void *context, unsigned char *tweak, -+ void *outbuf_arg, -+ const void *inbuf_arg, -+ size_t nblocks, int encrypt); -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+ - static unsigned int do_encrypt (const RIJNDAEL_context *ctx, unsigned char *bx, - const unsigned char *ax); - static unsigned int do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, -@@ -260,7 +328,8 @@ static void prefetch_dec(void) - - /* Perform the key setup. */ - static gcry_err_code_t --do_setkey (RIJNDAEL_context *ctx, const byte *key, const unsigned keylen) -+do_setkey (RIJNDAEL_context *ctx, const byte *key, const unsigned keylen, -+ gcry_cipher_hd_t hd) - { - static int initialized = 0; - static const char *selftest_failed = 0; -@@ -268,7 +337,7 @@ do_setkey (RIJNDAEL_context *ctx, const - int i,j, r, t, rconpointer = 0; - int KC; - #if defined(USE_AESNI) || defined(USE_PADLOCK) || defined(USE_SSSE3) \ -- || defined(USE_ARM_CE) -+ || defined(USE_ARM_CE) || defined(USE_PPC_CRYPTO) - unsigned int hwfeatures; - #endif - -@@ -310,7 +379,7 @@ do_setkey (RIJNDAEL_context *ctx, const - ctx->rounds = rounds; - - #if defined(USE_AESNI) || defined(USE_PADLOCK) || defined(USE_SSSE3) \ -- || defined(USE_ARM_CE) -+ || defined(USE_ARM_CE) || defined(USE_PPC_CRYPTO) - hwfeatures = _gcry_get_hw_features (); - #endif - -@@ -327,6 +396,12 @@ do_setkey (RIJNDAEL_context *ctx, const - #ifdef USE_ARM_CE - ctx->use_arm_ce = 0; - #endif -+#ifdef USE_PPC_CRYPTO -+ ctx->use_ppc_crypto = 0; -+#endif -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ ctx->use_ppc9le_crypto = 0; -+#endif - - if (0) - { -@@ -340,6 +415,17 @@ do_setkey (RIJNDAEL_context *ctx, const - ctx->prefetch_enc_fn = NULL; - ctx->prefetch_dec_fn = NULL; - ctx->use_aesni = 1; -+ if (hd) -+ { -+ hd->bulk.cfb_enc = _gcry_aes_aesni_cfb_enc; -+ hd->bulk.cfb_dec = _gcry_aes_aesni_cfb_dec; -+ hd->bulk.cbc_enc = _gcry_aes_aesni_cbc_enc; -+ hd->bulk.cbc_dec = _gcry_aes_aesni_cbc_dec; -+ hd->bulk.ctr_enc = _gcry_aes_aesni_ctr_enc; -+ hd->bulk.ocb_crypt = _gcry_aes_aesni_ocb_crypt; -+ hd->bulk.ocb_auth = _gcry_aes_aesni_ocb_auth; -+ hd->bulk.xts_crypt = _gcry_aes_aesni_xts_crypt; -+ } - } - #endif - #ifdef USE_PADLOCK -@@ -361,6 +447,16 @@ do_setkey (RIJNDAEL_context *ctx, const - ctx->prefetch_enc_fn = NULL; - ctx->prefetch_dec_fn = NULL; - ctx->use_ssse3 = 1; -+ if (hd) -+ { -+ hd->bulk.cfb_enc = _gcry_aes_ssse3_cfb_enc; -+ hd->bulk.cfb_dec = _gcry_aes_ssse3_cfb_dec; -+ hd->bulk.cbc_enc = _gcry_aes_ssse3_cbc_enc; -+ hd->bulk.cbc_dec = _gcry_aes_ssse3_cbc_dec; -+ hd->bulk.ctr_enc = _gcry_aes_ssse3_ctr_enc; -+ hd->bulk.ocb_crypt = _gcry_aes_ssse3_ocb_crypt; -+ hd->bulk.ocb_auth = _gcry_aes_ssse3_ocb_auth; -+ } - } - #endif - #ifdef USE_ARM_CE -@@ -371,6 +467,60 @@ do_setkey (RIJNDAEL_context *ctx, const - ctx->prefetch_enc_fn = NULL; - ctx->prefetch_dec_fn = NULL; - ctx->use_arm_ce = 1; -+ if (hd) -+ { -+ hd->bulk.cfb_enc = _gcry_aes_armv8_ce_cfb_enc; -+ hd->bulk.cfb_dec = _gcry_aes_armv8_ce_cfb_dec; -+ hd->bulk.cbc_enc = _gcry_aes_armv8_ce_cbc_enc; -+ hd->bulk.cbc_dec = _gcry_aes_armv8_ce_cbc_dec; -+ hd->bulk.ctr_enc = _gcry_aes_armv8_ce_ctr_enc; -+ hd->bulk.ocb_crypt = _gcry_aes_armv8_ce_ocb_crypt; -+ hd->bulk.ocb_auth = _gcry_aes_armv8_ce_ocb_auth; -+ hd->bulk.xts_crypt = _gcry_aes_armv8_ce_xts_crypt; -+ } -+ } -+#endif -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if ((hwfeatures & HWF_PPC_VCRYPTO) && (hwfeatures & HWF_PPC_ARCH_3_00)) -+ { -+ ctx->encrypt_fn = _gcry_aes_ppc9le_encrypt; -+ ctx->decrypt_fn = _gcry_aes_ppc9le_decrypt; -+ ctx->prefetch_enc_fn = NULL; -+ ctx->prefetch_dec_fn = NULL; -+ ctx->use_ppc_crypto = 1; /* same key-setup as USE_PPC_CRYPTO */ -+ ctx->use_ppc9le_crypto = 1; -+ if (hd) -+ { -+ hd->bulk.cfb_enc = _gcry_aes_ppc9le_cfb_enc; -+ hd->bulk.cfb_dec = _gcry_aes_ppc9le_cfb_dec; -+ hd->bulk.cbc_enc = _gcry_aes_ppc9le_cbc_enc; -+ hd->bulk.cbc_dec = _gcry_aes_ppc9le_cbc_dec; -+ hd->bulk.ctr_enc = _gcry_aes_ppc9le_ctr_enc; -+ hd->bulk.ocb_crypt = _gcry_aes_ppc9le_ocb_crypt; -+ hd->bulk.ocb_auth = _gcry_aes_ppc9le_ocb_auth; -+ hd->bulk.xts_crypt = _gcry_aes_ppc9le_xts_crypt; -+ } -+ } -+#endif -+#ifdef USE_PPC_CRYPTO -+ else if (hwfeatures & HWF_PPC_VCRYPTO) -+ { -+ ctx->encrypt_fn = _gcry_aes_ppc8_encrypt; -+ ctx->decrypt_fn = _gcry_aes_ppc8_decrypt; -+ ctx->prefetch_enc_fn = NULL; -+ ctx->prefetch_dec_fn = NULL; -+ ctx->use_ppc_crypto = 1; -+ if (hd) -+ { -+ hd->bulk.cfb_enc = _gcry_aes_ppc8_cfb_enc; -+ hd->bulk.cfb_dec = _gcry_aes_ppc8_cfb_dec; -+ hd->bulk.cbc_enc = _gcry_aes_ppc8_cbc_enc; -+ hd->bulk.cbc_dec = _gcry_aes_ppc8_cbc_dec; -+ hd->bulk.ctr_enc = _gcry_aes_ppc8_ctr_enc; -+ hd->bulk.ocb_crypt = _gcry_aes_ppc8_ocb_crypt; -+ hd->bulk.ocb_auth = _gcry_aes_ppc8_ocb_auth; -+ hd->bulk.xts_crypt = _gcry_aes_ppc8_xts_crypt; -+ } - } - #endif - else -@@ -399,6 +549,10 @@ do_setkey (RIJNDAEL_context *ctx, const - else if (ctx->use_arm_ce) - _gcry_aes_armv8_ce_setkey (ctx, key); - #endif -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ _gcry_aes_ppc8_setkey (ctx, key); -+#endif - else - { - const byte *sbox = ((const byte *)encT) + 1; -@@ -503,10 +657,11 @@ do_setkey (RIJNDAEL_context *ctx, const - - - static gcry_err_code_t --rijndael_setkey (void *context, const byte *key, const unsigned keylen) -+rijndael_setkey (void *context, const byte *key, const unsigned keylen, -+ gcry_cipher_hd_t hd) - { - RIJNDAEL_context *ctx = context; -- return do_setkey (ctx, key, keylen); -+ return do_setkey (ctx, key, keylen, hd); - } - - -@@ -535,7 +690,19 @@ prepare_decryption( RIJNDAEL_context *ct - { - _gcry_aes_armv8_ce_prepare_decryption (ctx); - } --#endif /*USE_SSSE3*/ -+#endif /*USE_ARM_CE*/ -+#ifdef USE_ARM_CE -+ else if (ctx->use_arm_ce) -+ { -+ _gcry_aes_armv8_ce_prepare_decryption (ctx); -+ } -+#endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ _gcry_aes_ppc8_prepare_decryption (ctx); -+ } -+#endif - #ifdef USE_PADLOCK - else if (ctx->use_padlock) - { -@@ -790,42 +957,56 @@ _gcry_aes_cfb_enc (void *context, unsign - const unsigned char *inbuf = inbuf_arg; - unsigned int burn_depth = 0; - -- if (ctx->prefetch_enc_fn) -- ctx->prefetch_enc_fn(); -- - if (0) - ; - #ifdef USE_AESNI - else if (ctx->use_aesni) - { -- _gcry_aes_aesni_cfb_enc (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_aesni_cfb_enc (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_AESNI*/ - #ifdef USE_SSSE3 - else if (ctx->use_ssse3) - { -- _gcry_aes_ssse3_cfb_enc (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_ssse3_cfb_enc (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_SSSE3*/ - #ifdef USE_ARM_CE - else if (ctx->use_arm_ce) - { -- _gcry_aes_armv8_ce_cfb_enc (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_armv8_ce_cfb_enc (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if (ctx->use_ppc9le_crypto) -+ { -+ _gcry_aes_ppc9le_cfb_enc (ctx, iv, outbuf, inbuf, nblocks); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ _gcry_aes_ppc8_cfb_enc (ctx, iv, outbuf, inbuf, nblocks); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO*/ - else - { - rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn; - -+ if (ctx->prefetch_enc_fn) -+ ctx->prefetch_enc_fn(); -+ - for ( ;nblocks; nblocks-- ) - { - /* Encrypt the IV. */ - burn_depth = encrypt_fn (ctx, iv, iv); - /* XOR the input with the IV and store input into IV. */ -- buf_xor_2dst(outbuf, iv, inbuf, BLOCKSIZE); -+ cipher_block_xor_2dst(outbuf, iv, inbuf, BLOCKSIZE); - outbuf += BLOCKSIZE; - inbuf += BLOCKSIZE; - } -@@ -851,41 +1032,55 @@ _gcry_aes_cbc_enc (void *context, unsign - unsigned char *last_iv; - unsigned int burn_depth = 0; - -- if (ctx->prefetch_enc_fn) -- ctx->prefetch_enc_fn(); -- - if (0) - ; - #ifdef USE_AESNI - else if (ctx->use_aesni) - { -- _gcry_aes_aesni_cbc_enc (ctx, outbuf, inbuf, iv, nblocks, cbc_mac); -- burn_depth = 0; -+ _gcry_aes_aesni_cbc_enc (ctx, iv, outbuf, inbuf, nblocks, cbc_mac); -+ return; - } - #endif /*USE_AESNI*/ - #ifdef USE_SSSE3 - else if (ctx->use_ssse3) - { -- _gcry_aes_ssse3_cbc_enc (ctx, outbuf, inbuf, iv, nblocks, cbc_mac); -- burn_depth = 0; -+ _gcry_aes_ssse3_cbc_enc (ctx, iv, outbuf, inbuf, nblocks, cbc_mac); -+ return; - } - #endif /*USE_SSSE3*/ - #ifdef USE_ARM_CE - else if (ctx->use_arm_ce) - { -- _gcry_aes_armv8_ce_cbc_enc (ctx, outbuf, inbuf, iv, nblocks, cbc_mac); -- burn_depth = 0; -+ _gcry_aes_armv8_ce_cbc_enc (ctx, iv, outbuf, inbuf, nblocks, cbc_mac); -+ return; - } - #endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if (ctx->use_ppc9le_crypto) -+ { -+ _gcry_aes_ppc9le_cbc_enc (ctx, iv, outbuf, inbuf, nblocks, cbc_mac); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ _gcry_aes_ppc8_cbc_enc (ctx, iv, outbuf, inbuf, nblocks, cbc_mac); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO*/ - else - { - rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn; - -+ if (ctx->prefetch_enc_fn) -+ ctx->prefetch_enc_fn(); -+ - last_iv = iv; - - for ( ;nblocks; nblocks-- ) - { -- buf_xor(outbuf, inbuf, last_iv, BLOCKSIZE); -+ cipher_block_xor(outbuf, inbuf, last_iv, BLOCKSIZE); - - burn_depth = encrypt_fn (ctx, outbuf, outbuf); - -@@ -896,7 +1091,7 @@ _gcry_aes_cbc_enc (void *context, unsign - } - - if (last_iv != iv) -- buf_cpy (iv, last_iv, BLOCKSIZE); -+ cipher_block_cpy (iv, last_iv, BLOCKSIZE); - } - - if (burn_depth) -@@ -920,43 +1115,57 @@ _gcry_aes_ctr_enc (void *context, unsign - unsigned int burn_depth = 0; - int i; - -- if (ctx->prefetch_enc_fn) -- ctx->prefetch_enc_fn(); -- - if (0) - ; - #ifdef USE_AESNI - else if (ctx->use_aesni) - { -- _gcry_aes_aesni_ctr_enc (ctx, outbuf, inbuf, ctr, nblocks); -- burn_depth = 0; -+ _gcry_aes_aesni_ctr_enc (ctx, ctr, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_AESNI*/ - #ifdef USE_SSSE3 - else if (ctx->use_ssse3) - { -- _gcry_aes_ssse3_ctr_enc (ctx, outbuf, inbuf, ctr, nblocks); -- burn_depth = 0; -+ _gcry_aes_ssse3_ctr_enc (ctx, ctr, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_SSSE3*/ - #ifdef USE_ARM_CE - else if (ctx->use_arm_ce) - { -- _gcry_aes_armv8_ce_ctr_enc (ctx, outbuf, inbuf, ctr, nblocks); -- burn_depth = 0; -+ _gcry_aes_armv8_ce_ctr_enc (ctx, ctr, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if (ctx->use_ppc9le_crypto) -+ { -+ _gcry_aes_ppc9le_ctr_enc (ctx, ctr, outbuf, inbuf, nblocks); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ _gcry_aes_ppc8_ctr_enc (ctx, ctr, outbuf, inbuf, nblocks); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO*/ - else - { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } tmp; - rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn; - -+ if (ctx->prefetch_enc_fn) -+ ctx->prefetch_enc_fn(); -+ - for ( ;nblocks; nblocks-- ) - { - /* Encrypt the counter. */ - burn_depth = encrypt_fn (ctx, tmp.x1, ctr); - /* XOR the input with the encrypted counter and store in output. */ -- buf_xor(outbuf, tmp.x1, inbuf, BLOCKSIZE); -+ cipher_block_xor(outbuf, tmp.x1, inbuf, BLOCKSIZE); - outbuf += BLOCKSIZE; - inbuf += BLOCKSIZE; - /* Increment the counter. */ -@@ -1187,40 +1396,54 @@ _gcry_aes_cfb_dec (void *context, unsign - const unsigned char *inbuf = inbuf_arg; - unsigned int burn_depth = 0; - -- if (ctx->prefetch_enc_fn) -- ctx->prefetch_enc_fn(); -- - if (0) - ; - #ifdef USE_AESNI - else if (ctx->use_aesni) - { -- _gcry_aes_aesni_cfb_dec (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_aesni_cfb_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_AESNI*/ - #ifdef USE_SSSE3 - else if (ctx->use_ssse3) - { -- _gcry_aes_ssse3_cfb_dec (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_ssse3_cfb_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_SSSE3*/ - #ifdef USE_ARM_CE - else if (ctx->use_arm_ce) - { -- _gcry_aes_armv8_ce_cfb_dec (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_armv8_ce_cfb_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if (ctx->use_ppc9le_crypto) -+ { -+ _gcry_aes_ppc9le_cfb_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ _gcry_aes_ppc8_cfb_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO*/ - else - { - rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn; - -+ if (ctx->prefetch_enc_fn) -+ ctx->prefetch_enc_fn(); -+ - for ( ;nblocks; nblocks-- ) - { - burn_depth = encrypt_fn (ctx, iv, iv); -- buf_xor_n_copy(outbuf, iv, inbuf, BLOCKSIZE); -+ cipher_block_xor_n_copy(outbuf, iv, inbuf, BLOCKSIZE); - outbuf += BLOCKSIZE; - inbuf += BLOCKSIZE; - } -@@ -1245,39 +1468,53 @@ _gcry_aes_cbc_dec (void *context, unsign - const unsigned char *inbuf = inbuf_arg; - unsigned int burn_depth = 0; - -- check_decryption_preparation (ctx); -- -- if (ctx->prefetch_dec_fn) -- ctx->prefetch_dec_fn(); -- - if (0) - ; - #ifdef USE_AESNI - else if (ctx->use_aesni) - { -- _gcry_aes_aesni_cbc_dec (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_aesni_cbc_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_AESNI*/ - #ifdef USE_SSSE3 - else if (ctx->use_ssse3) - { -- _gcry_aes_ssse3_cbc_dec (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_ssse3_cbc_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_SSSE3*/ - #ifdef USE_ARM_CE - else if (ctx->use_arm_ce) - { -- _gcry_aes_armv8_ce_cbc_dec (ctx, outbuf, inbuf, iv, nblocks); -- burn_depth = 0; -+ _gcry_aes_armv8_ce_cbc_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; - } - #endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if (ctx->use_ppc9le_crypto) -+ { -+ _gcry_aes_ppc9le_cbc_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ _gcry_aes_ppc8_cbc_dec (ctx, iv, outbuf, inbuf, nblocks); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO*/ - else - { - unsigned char savebuf[BLOCKSIZE] ATTR_ALIGNED_16; - rijndael_cryptfn_t decrypt_fn = ctx->decrypt_fn; - -+ check_decryption_preparation (ctx); -+ -+ if (ctx->prefetch_dec_fn) -+ ctx->prefetch_dec_fn(); -+ - for ( ;nblocks; nblocks-- ) - { - /* INBUF is needed later and it may be identical to OUTBUF, so store -@@ -1285,7 +1522,7 @@ _gcry_aes_cbc_dec (void *context, unsign - - burn_depth = decrypt_fn (ctx, savebuf, inbuf); - -- buf_xor_n_copy_2(outbuf, savebuf, iv, inbuf, BLOCKSIZE); -+ cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, BLOCKSIZE); - inbuf += BLOCKSIZE; - outbuf += BLOCKSIZE; - } -@@ -1309,62 +1546,61 @@ _gcry_aes_ocb_crypt (gcry_cipher_hd_t c, - const unsigned char *inbuf = inbuf_arg; - unsigned int burn_depth = 0; - -- if (encrypt) -- { -- if (ctx->prefetch_enc_fn) -- ctx->prefetch_enc_fn(); -- } -- else -- { -- check_decryption_preparation (ctx); -- -- if (ctx->prefetch_dec_fn) -- ctx->prefetch_dec_fn(); -- } -- - if (0) - ; - #ifdef USE_AESNI - else if (ctx->use_aesni) - { -- _gcry_aes_aesni_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt); -- burn_depth = 0; -+ return _gcry_aes_aesni_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt); - } - #endif /*USE_AESNI*/ - #ifdef USE_SSSE3 - else if (ctx->use_ssse3) - { -- _gcry_aes_ssse3_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt); -- burn_depth = 0; -+ return _gcry_aes_ssse3_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt); - } - #endif /*USE_SSSE3*/ - #ifdef USE_ARM_CE - else if (ctx->use_arm_ce) - { -- _gcry_aes_armv8_ce_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt); -- burn_depth = 0; -+ return _gcry_aes_armv8_ce_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt); - } - #endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if (ctx->use_ppc9le_crypto) -+ { -+ return _gcry_aes_ppc9le_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt); -+ } -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ return _gcry_aes_ppc8_ocb_crypt (c, outbuf, inbuf, nblocks, encrypt); -+ } -+#endif /*USE_PPC_CRYPTO*/ - else if (encrypt) - { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; - rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn; - -+ if (ctx->prefetch_enc_fn) -+ ctx->prefetch_enc_fn(); -+ - for ( ;nblocks; nblocks-- ) - { - u64 i = ++c->u_mode.ocb.data_nblocks; - const unsigned char *l = ocb_get_l(c, i); - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -- buf_xor_1 (c->u_iv.iv, l, BLOCKSIZE); -- buf_cpy (l_tmp.x1, inbuf, BLOCKSIZE); -+ cipher_block_xor_1 (c->u_iv.iv, l, BLOCKSIZE); -+ cipher_block_cpy (l_tmp.x1, inbuf, BLOCKSIZE); - /* Checksum_i = Checksum_{i-1} xor P_i */ -- buf_xor_1 (c->u_ctr.ctr, l_tmp.x1, BLOCKSIZE); -+ cipher_block_xor_1 (c->u_ctr.ctr, l_tmp.x1, BLOCKSIZE); - /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ -- buf_xor_1 (l_tmp.x1, c->u_iv.iv, BLOCKSIZE); -+ cipher_block_xor_1 (l_tmp.x1, c->u_iv.iv, BLOCKSIZE); - burn_depth = encrypt_fn (ctx, l_tmp.x1, l_tmp.x1); -- buf_xor_1 (l_tmp.x1, c->u_iv.iv, BLOCKSIZE); -- buf_cpy (outbuf, l_tmp.x1, BLOCKSIZE); -+ cipher_block_xor_1 (l_tmp.x1, c->u_iv.iv, BLOCKSIZE); -+ cipher_block_cpy (outbuf, l_tmp.x1, BLOCKSIZE); - - inbuf += BLOCKSIZE; - outbuf += BLOCKSIZE; -@@ -1375,21 +1611,26 @@ _gcry_aes_ocb_crypt (gcry_cipher_hd_t c, - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; - rijndael_cryptfn_t decrypt_fn = ctx->decrypt_fn; - -+ check_decryption_preparation (ctx); -+ -+ if (ctx->prefetch_dec_fn) -+ ctx->prefetch_dec_fn(); -+ - for ( ;nblocks; nblocks-- ) - { - u64 i = ++c->u_mode.ocb.data_nblocks; - const unsigned char *l = ocb_get_l(c, i); - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -- buf_xor_1 (c->u_iv.iv, l, BLOCKSIZE); -- buf_cpy (l_tmp.x1, inbuf, BLOCKSIZE); -+ cipher_block_xor_1 (c->u_iv.iv, l, BLOCKSIZE); -+ cipher_block_cpy (l_tmp.x1, inbuf, BLOCKSIZE); - /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ -- buf_xor_1 (l_tmp.x1, c->u_iv.iv, BLOCKSIZE); -+ cipher_block_xor_1 (l_tmp.x1, c->u_iv.iv, BLOCKSIZE); - burn_depth = decrypt_fn (ctx, l_tmp.x1, l_tmp.x1); -- buf_xor_1 (l_tmp.x1, c->u_iv.iv, BLOCKSIZE); -+ cipher_block_xor_1 (l_tmp.x1, c->u_iv.iv, BLOCKSIZE); - /* Checksum_i = Checksum_{i-1} xor P_i */ -- buf_xor_1 (c->u_ctr.ctr, l_tmp.x1, BLOCKSIZE); -- buf_cpy (outbuf, l_tmp.x1, BLOCKSIZE); -+ cipher_block_xor_1 (c->u_ctr.ctr, l_tmp.x1, BLOCKSIZE); -+ cipher_block_cpy (outbuf, l_tmp.x1, BLOCKSIZE); - - inbuf += BLOCKSIZE; - outbuf += BLOCKSIZE; -@@ -1411,48 +1652,58 @@ _gcry_aes_ocb_auth (gcry_cipher_hd_t c, - const unsigned char *abuf = abuf_arg; - unsigned int burn_depth = 0; - -- if (ctx->prefetch_enc_fn) -- ctx->prefetch_enc_fn(); -- - if (0) - ; - #ifdef USE_AESNI - else if (ctx->use_aesni) - { -- _gcry_aes_aesni_ocb_auth (c, abuf, nblocks); -- burn_depth = 0; -+ return _gcry_aes_aesni_ocb_auth (c, abuf, nblocks); - } - #endif /*USE_AESNI*/ - #ifdef USE_SSSE3 - else if (ctx->use_ssse3) - { -- _gcry_aes_ssse3_ocb_auth (c, abuf, nblocks); -- burn_depth = 0; -+ return _gcry_aes_ssse3_ocb_auth (c, abuf, nblocks); - } - #endif /*USE_SSSE3*/ - #ifdef USE_ARM_CE - else if (ctx->use_arm_ce) - { -- _gcry_aes_armv8_ce_ocb_auth (c, abuf, nblocks); -- burn_depth = 0; -+ return _gcry_aes_armv8_ce_ocb_auth (c, abuf, nblocks); - } - #endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if (ctx->use_ppc9le_crypto) -+ { -+ return _gcry_aes_ppc9le_ocb_auth (c, abuf, nblocks); -+ } -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ return _gcry_aes_ppc8_ocb_auth (c, abuf, nblocks); -+ } -+#endif /*USE_PPC_CRYPTO*/ - else - { - union { unsigned char x1[16] ATTR_ALIGNED_16; u32 x32[4]; } l_tmp; - rijndael_cryptfn_t encrypt_fn = ctx->encrypt_fn; - -+ if (ctx->prefetch_enc_fn) -+ ctx->prefetch_enc_fn(); -+ - for ( ;nblocks; nblocks-- ) - { - u64 i = ++c->u_mode.ocb.aad_nblocks; - const unsigned char *l = ocb_get_l(c, i); - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -- buf_xor_1 (c->u_mode.ocb.aad_offset, l, BLOCKSIZE); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_offset, l, BLOCKSIZE); - /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ -- buf_xor (l_tmp.x1, c->u_mode.ocb.aad_offset, abuf, BLOCKSIZE); -+ cipher_block_xor (l_tmp.x1, c->u_mode.ocb.aad_offset, abuf, -+ BLOCKSIZE); - burn_depth = encrypt_fn (ctx, l_tmp.x1, l_tmp.x1); -- buf_xor_1 (c->u_mode.ocb.aad_sum, l_tmp.x1, BLOCKSIZE); -+ cipher_block_xor_1 (c->u_mode.ocb.aad_sum, l_tmp.x1, BLOCKSIZE); - - abuf += BLOCKSIZE; - } -@@ -1467,6 +1718,106 @@ _gcry_aes_ocb_auth (gcry_cipher_hd_t c, - } - - -+/* Bulk encryption/decryption of complete blocks in XTS mode. */ -+void -+_gcry_aes_xts_crypt (void *context, unsigned char *tweak, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, int encrypt) -+{ -+ RIJNDAEL_context *ctx = context; -+ unsigned char *outbuf = outbuf_arg; -+ const unsigned char *inbuf = inbuf_arg; -+ unsigned int burn_depth = 0; -+ rijndael_cryptfn_t crypt_fn; -+ u64 tweak_lo, tweak_hi, tweak_next_lo, tweak_next_hi, tmp_lo, tmp_hi, carry; -+ -+ if (0) -+ ; -+#ifdef USE_AESNI -+ else if (ctx->use_aesni) -+ { -+ _gcry_aes_aesni_xts_crypt (ctx, tweak, outbuf, inbuf, nblocks, encrypt); -+ return; -+ } -+#endif /*USE_AESNI*/ -+#ifdef USE_ARM_CE -+ else if (ctx->use_arm_ce) -+ { -+ _gcry_aes_armv8_ce_xts_crypt (ctx, tweak, outbuf, inbuf, nblocks, encrypt); -+ return; -+ } -+#endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ else if (ctx->use_ppc9le_crypto) -+ { -+ _gcry_aes_ppc9le_xts_crypt (ctx, tweak, outbuf, inbuf, nblocks, encrypt); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO_WITH_PPC9LE*/ -+#ifdef USE_PPC_CRYPTO -+ else if (ctx->use_ppc_crypto) -+ { -+ _gcry_aes_ppc8_xts_crypt (ctx, tweak, outbuf, inbuf, nblocks, encrypt); -+ return; -+ } -+#endif /*USE_PPC_CRYPTO*/ -+ else -+ { -+ if (encrypt) -+ { -+ if (ctx->prefetch_enc_fn) -+ ctx->prefetch_enc_fn(); -+ -+ crypt_fn = ctx->encrypt_fn; -+ } -+ else -+ { -+ check_decryption_preparation (ctx); -+ -+ if (ctx->prefetch_dec_fn) -+ ctx->prefetch_dec_fn(); -+ -+ crypt_fn = ctx->decrypt_fn; -+ } -+ -+ tweak_next_lo = buf_get_le64 (tweak + 0); -+ tweak_next_hi = buf_get_le64 (tweak + 8); -+ -+ while (nblocks) -+ { -+ tweak_lo = tweak_next_lo; -+ tweak_hi = tweak_next_hi; -+ -+ /* Xor-Encrypt/Decrypt-Xor block. */ -+ tmp_lo = buf_get_le64 (inbuf + 0) ^ tweak_lo; -+ tmp_hi = buf_get_le64 (inbuf + 8) ^ tweak_hi; -+ -+ buf_put_le64 (outbuf + 0, tmp_lo); -+ buf_put_le64 (outbuf + 8, tmp_hi); -+ -+ /* Generate next tweak. */ -+ carry = -(tweak_next_hi >> 63) & 0x87; -+ tweak_next_hi = (tweak_next_hi << 1) + (tweak_next_lo >> 63); -+ tweak_next_lo = (tweak_next_lo << 1) ^ carry; -+ -+ burn_depth = crypt_fn (ctx, outbuf, outbuf); -+ -+ buf_put_le64 (outbuf + 0, buf_get_le64 (outbuf + 0) ^ tweak_lo); -+ buf_put_le64 (outbuf + 8, buf_get_le64 (outbuf + 8) ^ tweak_hi); -+ -+ outbuf += GCRY_XTS_BLOCK_LEN; -+ inbuf += GCRY_XTS_BLOCK_LEN; -+ nblocks--; -+ } -+ -+ buf_put_le64 (tweak + 0, tweak_next_lo); -+ buf_put_le64 (tweak + 8, tweak_next_hi); -+ } -+ -+ if (burn_depth) -+ _gcry_burn_stack (burn_depth + 5 * sizeof(void *)); -+} -+ - - /* Run the self-tests for AES 128. Returns NULL on success. */ - static const char* -@@ -1522,7 +1873,7 @@ selftest_basic_128 (void) - if (!ctx) - return "failed to allocate memory"; - -- rijndael_setkey (ctx, key_128, sizeof (key_128)); -+ rijndael_setkey (ctx, key_128, sizeof (key_128), NULL); - rijndael_encrypt (ctx, scratch, plaintext_128); - if (memcmp (scratch, ciphertext_128, sizeof (ciphertext_128))) - { -@@ -1565,7 +1916,7 @@ selftest_basic_192 (void) - ctx = _gcry_cipher_selftest_alloc_ctx (sizeof *ctx, &ctxmem); - if (!ctx) - return "failed to allocate memory"; -- rijndael_setkey (ctx, key_192, sizeof(key_192)); -+ rijndael_setkey (ctx, key_192, sizeof(key_192), NULL); - rijndael_encrypt (ctx, scratch, plaintext_192); - if (memcmp (scratch, ciphertext_192, sizeof (ciphertext_192))) - { -@@ -1610,7 +1961,7 @@ selftest_basic_256 (void) - ctx = _gcry_cipher_selftest_alloc_ctx (sizeof *ctx, &ctxmem); - if (!ctx) - return "failed to allocate memory"; -- rijndael_setkey (ctx, key_256, sizeof(key_256)); -+ rijndael_setkey (ctx, key_256, sizeof(key_256), NULL); - rijndael_encrypt (ctx, scratch, plaintext_256); - if (memcmp (scratch, ciphertext_256, sizeof (ciphertext_256))) - { -diff -up libgcrypt-1.8.5/cipher/rijndael-internal.h.aes-perf libgcrypt-1.8.5/cipher/rijndael-internal.h ---- libgcrypt-1.8.5/cipher/rijndael-internal.h.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/rijndael-internal.h 2020-04-22 18:29:41.676862114 +0200 -@@ -73,7 +73,7 @@ - # define USE_PADLOCK 1 - # endif - # endif --#endif /*ENABLE_PADLOCK_SUPPORT*/ -+#endif /* ENABLE_PADLOCK_SUPPORT */ - - /* USE_AESNI inidicates whether to compile with Intel AES-NI code. We - need the vector-size attribute which seems to be available since -@@ -102,6 +102,23 @@ - # endif - #endif /* ENABLE_ARM_CRYPTO_SUPPORT */ - -+/* USE_PPC_CRYPTO indicates whether to enable PowerPC vector crypto -+ * accelerated code. USE_PPC_CRYPTO_WITH_PPC9LE indicates whether to -+ * enable POWER9 optimized variant. */ -+#undef USE_PPC_CRYPTO -+#undef USE_PPC_CRYPTO_WITH_PPC9LE -+#ifdef ENABLE_PPC_CRYPTO_SUPPORT -+# if defined(HAVE_COMPATIBLE_CC_PPC_ALTIVEC) && \ -+ defined(HAVE_GCC_INLINE_ASM_PPC_ALTIVEC) -+# if __GNUC__ >= 4 -+# define USE_PPC_CRYPTO 1 -+# if !defined(WORDS_BIGENDIAN) && defined(HAVE_GCC_INLINE_ASM_PPC_ARCH_3_00) -+# define USE_PPC_CRYPTO_WITH_PPC9LE 1 -+# endif -+# endif -+# endif -+#endif /* ENABLE_PPC_CRYPTO_SUPPORT */ -+ - struct RIJNDAEL_context_s; - - typedef unsigned int (*rijndael_cryptfn_t)(const struct RIJNDAEL_context_s *ctx, -@@ -150,6 +167,12 @@ typedef struct RIJNDAEL_context_s - #ifdef USE_ARM_CE - unsigned int use_arm_ce:1; /* ARMv8 CE shall be used. */ - #endif /*USE_ARM_CE*/ -+#ifdef USE_PPC_CRYPTO -+ unsigned int use_ppc_crypto:1; /* PowerPC crypto shall be used. */ -+#endif /*USE_PPC_CRYPTO*/ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ unsigned int use_ppc9le_crypto:1; /* POWER9 LE crypto shall be used. */ -+#endif - rijndael_cryptfn_t encrypt_fn; - rijndael_cryptfn_t decrypt_fn; - rijndael_prefetchfn_t prefetch_enc_fn; -diff -up libgcrypt-1.8.5/cipher/rijndael-ppc9le.c.aes-perf libgcrypt-1.8.5/cipher/rijndael-ppc9le.c ---- libgcrypt-1.8.5/cipher/rijndael-ppc9le.c.aes-perf 2020-04-22 18:29:41.677862096 +0200 -+++ libgcrypt-1.8.5/cipher/rijndael-ppc9le.c 2020-04-22 18:29:41.677862096 +0200 -@@ -0,0 +1,102 @@ -+/* Rijndael (AES) for GnuPG - PowerPC Vector Crypto AES implementation -+ * Copyright (C) 2019 Shawn Landden -+ * Copyright (C) 2019-2020 Jussi Kivilinna -+ * -+ * This file is part of Libgcrypt. -+ * -+ * Libgcrypt is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU Lesser General Public License as -+ * published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * Libgcrypt is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this program; if not, see . -+ * -+ * Alternatively, this code may be used in OpenSSL from The OpenSSL Project, -+ * and Cryptogams by Andy Polyakov, and if made part of a release of either -+ * or both projects, is thereafter dual-licensed under the license said project -+ * is released under. -+ */ -+ -+#include -+ -+#include "rijndael-internal.h" -+#include "cipher-internal.h" -+#include "bufhelp.h" -+ -+#ifdef USE_PPC_CRYPTO_WITH_PPC9LE -+ -+#include "rijndael-ppc-common.h" -+ -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_load_be_const(void) -+{ -+ static const block vec_dummy = { 0 }; -+ return vec_dummy; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_be_swap(block vec, block be_bswap_const) -+{ -+ (void)be_bswap_const; -+ return vec; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_load_be_noswap(unsigned long offset, const void *ptr) -+{ -+ block vec; -+#if __GNUC__ >= 4 -+ if (__builtin_constant_p (offset) && offset == 0) -+ __asm__ volatile ("lxvb16x %x0,0,%1\n\t" -+ : "=wa" (vec) -+ : "r" ((uintptr_t)ptr) -+ : "memory"); -+ else -+#endif -+ __asm__ volatile ("lxvb16x %x0,%1,%2\n\t" -+ : "=wa" (vec) -+ : "r" (offset), "r" ((uintptr_t)ptr) -+ : "memory", "r0"); -+ return vec; -+} -+ -+static ASM_FUNC_ATTR_INLINE void -+asm_store_be_noswap(block vec, unsigned long offset, void *ptr) -+{ -+#if __GNUC__ >= 4 -+ if (__builtin_constant_p (offset) && offset == 0) -+ __asm__ volatile ("stxvb16x %x0,0,%1\n\t" -+ : -+ : "wa" (vec), "r" ((uintptr_t)ptr) -+ : "memory"); -+ else -+#endif -+ __asm__ volatile ("stxvb16x %x0,%1,%2\n\t" -+ : -+ : "wa" (vec), "r" (offset), "r" ((uintptr_t)ptr) -+ : "memory", "r0"); -+} -+ -+ -+#define GCRY_AES_PPC9LE 1 -+#define ENCRYPT_BLOCK_FUNC _gcry_aes_ppc9le_encrypt -+#define DECRYPT_BLOCK_FUNC _gcry_aes_ppc9le_decrypt -+#define CFB_ENC_FUNC _gcry_aes_ppc9le_cfb_enc -+#define CFB_DEC_FUNC _gcry_aes_ppc9le_cfb_dec -+#define CBC_ENC_FUNC _gcry_aes_ppc9le_cbc_enc -+#define CBC_DEC_FUNC _gcry_aes_ppc9le_cbc_dec -+#define CTR_ENC_FUNC _gcry_aes_ppc9le_ctr_enc -+#define OCB_CRYPT_FUNC _gcry_aes_ppc9le_ocb_crypt -+#define OCB_AUTH_FUNC _gcry_aes_ppc9le_ocb_auth -+#define XTS_CRYPT_FUNC _gcry_aes_ppc9le_xts_crypt -+ -+#include -+ -+#endif /* USE_PPC_CRYPTO */ -diff -up libgcrypt-1.8.5/cipher/rijndael-ppc.c.aes-perf libgcrypt-1.8.5/cipher/rijndael-ppc.c ---- libgcrypt-1.8.5/cipher/rijndael-ppc.c.aes-perf 2020-04-22 18:29:41.677862096 +0200 -+++ libgcrypt-1.8.5/cipher/rijndael-ppc.c 2020-04-22 18:29:41.677862096 +0200 -@@ -0,0 +1,259 @@ -+/* Rijndael (AES) for GnuPG - PowerPC Vector Crypto AES implementation -+ * Copyright (C) 2019 Shawn Landden -+ * Copyright (C) 2019-2020 Jussi Kivilinna -+ * -+ * This file is part of Libgcrypt. -+ * -+ * Libgcrypt is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU Lesser General Public License as -+ * published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * Libgcrypt is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this program; if not, see . -+ * -+ * Alternatively, this code may be used in OpenSSL from The OpenSSL Project, -+ * and Cryptogams by Andy Polyakov, and if made part of a release of either -+ * or both projects, is thereafter dual-licensed under the license said project -+ * is released under. -+ */ -+ -+#include -+ -+#include "rijndael-internal.h" -+#include "cipher-internal.h" -+#include "bufhelp.h" -+ -+#ifdef USE_PPC_CRYPTO -+ -+#include "rijndael-ppc-common.h" -+ -+ -+#ifdef WORDS_BIGENDIAN -+static const block vec_bswap32_const = -+ { 3, 2, 1, 0, 7, 6, 5, 4, 11, 10, 9, 8, 15, 14, 13, 12 }; -+#else -+static const block vec_bswap32_const_neg = -+ { ~3, ~2, ~1, ~0, ~7, ~6, ~5, ~4, ~11, ~10, ~9, ~8, ~15, ~14, ~13, ~12 }; -+#endif -+ -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_load_be_const(void) -+{ -+#ifndef WORDS_BIGENDIAN -+ return ALIGNED_LOAD (&vec_bswap32_const_neg, 0); -+#else -+ static const block vec_dummy = { 0 }; -+ return vec_dummy; -+#endif -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_be_swap(block vec, block be_bswap_const) -+{ -+ (void)be_bswap_const; -+#ifndef WORDS_BIGENDIAN -+ return asm_vperm1 (vec, be_bswap_const); -+#else -+ return vec; -+#endif -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_load_be_noswap(unsigned long offset, const void *ptr) -+{ -+ block vec; -+#if __GNUC__ >= 4 -+ if (__builtin_constant_p (offset) && offset == 0) -+ __asm__ volatile ("lxvw4x %x0,0,%1\n\t" -+ : "=wa" (vec) -+ : "r" ((uintptr_t)ptr) -+ : "memory"); -+ else -+#endif -+ __asm__ volatile ("lxvw4x %x0,%1,%2\n\t" -+ : "=wa" (vec) -+ : "r" (offset), "r" ((uintptr_t)ptr) -+ : "memory", "r0"); -+ /* NOTE: vec needs to be be-swapped using 'asm_be_swap' by caller */ -+ return vec; -+} -+ -+static ASM_FUNC_ATTR_INLINE void -+asm_store_be_noswap(block vec, unsigned long offset, void *ptr) -+{ -+ /* NOTE: vec be-swapped using 'asm_be_swap' by caller */ -+#if __GNUC__ >= 4 -+ if (__builtin_constant_p (offset) && offset == 0) -+ __asm__ volatile ("stxvw4x %x0,0,%1\n\t" -+ : -+ : "wa" (vec), "r" ((uintptr_t)ptr) -+ : "memory"); -+ else -+#endif -+ __asm__ volatile ("stxvw4x %x0,%1,%2\n\t" -+ : -+ : "wa" (vec), "r" (offset), "r" ((uintptr_t)ptr) -+ : "memory", "r0"); -+} -+ -+ -+static ASM_FUNC_ATTR_INLINE u32 -+_gcry_aes_sbox4_ppc8(u32 fourbytes) -+{ -+ union -+ { -+ PROPERLY_ALIGNED_TYPE dummy; -+ block data_vec; -+ u32 data32[4]; -+ } u; -+ -+ u.data32[0] = fourbytes; -+ u.data_vec = vec_sbox_be(u.data_vec); -+ return u.data32[0]; -+} -+ -+void -+_gcry_aes_ppc8_setkey (RIJNDAEL_context *ctx, const byte *key) -+{ -+ const block bige_const = asm_load_be_const(); -+ union -+ { -+ PROPERLY_ALIGNED_TYPE dummy; -+ byte data[MAXKC][4]; -+ u32 data32[MAXKC]; -+ } tkk[2]; -+ unsigned int rounds = ctx->rounds; -+ int KC = rounds - 6; -+ unsigned int keylen = KC * 4; -+ u128_t *ekey = (u128_t *)(void *)ctx->keyschenc; -+ unsigned int i, r, t; -+ byte rcon = 1; -+ int j; -+#define k tkk[0].data -+#define k_u32 tkk[0].data32 -+#define tk tkk[1].data -+#define tk_u32 tkk[1].data32 -+#define W (ctx->keyschenc) -+#define W_u32 (ctx->keyschenc32) -+ -+ for (i = 0; i < keylen; i++) -+ { -+ k[i >> 2][i & 3] = key[i]; -+ } -+ -+ for (j = KC-1; j >= 0; j--) -+ { -+ tk_u32[j] = k_u32[j]; -+ } -+ r = 0; -+ t = 0; -+ /* Copy values into round key array. */ -+ for (j = 0; (j < KC) && (r < rounds + 1); ) -+ { -+ for (; (j < KC) && (t < 4); j++, t++) -+ { -+ W_u32[r][t] = le_bswap32(tk_u32[j]); -+ } -+ if (t == 4) -+ { -+ r++; -+ t = 0; -+ } -+ } -+ while (r < rounds + 1) -+ { -+ tk_u32[0] ^= -+ le_bswap32( -+ _gcry_aes_sbox4_ppc8(rol(le_bswap32(tk_u32[KC - 1]), 24)) ^ rcon); -+ -+ if (KC != 8) -+ { -+ for (j = 1; j < KC; j++) -+ { -+ tk_u32[j] ^= tk_u32[j-1]; -+ } -+ } -+ else -+ { -+ for (j = 1; j < KC/2; j++) -+ { -+ tk_u32[j] ^= tk_u32[j-1]; -+ } -+ -+ tk_u32[KC/2] ^= -+ le_bswap32(_gcry_aes_sbox4_ppc8(le_bswap32(tk_u32[KC/2 - 1]))); -+ -+ for (j = KC/2 + 1; j < KC; j++) -+ { -+ tk_u32[j] ^= tk_u32[j-1]; -+ } -+ } -+ -+ /* Copy values into round key array. */ -+ for (j = 0; (j < KC) && (r < rounds + 1); ) -+ { -+ for (; (j < KC) && (t < 4); j++, t++) -+ { -+ W_u32[r][t] = le_bswap32(tk_u32[j]); -+ } -+ if (t == 4) -+ { -+ r++; -+ t = 0; -+ } -+ } -+ -+ rcon = (rcon << 1) ^ (-(rcon >> 7) & 0x1b); -+ } -+ -+ /* Store in big-endian order. */ -+ for (r = 0; r <= rounds; r++) -+ { -+#ifndef WORDS_BIGENDIAN -+ VEC_STORE_BE(ekey, r, ALIGNED_LOAD (ekey, r), bige_const); -+#else -+ block rvec = ALIGNED_LOAD (ekey, r); -+ ALIGNED_STORE (ekey, r, -+ vec_perm(rvec, rvec, vec_bswap32_const)); -+ (void)bige_const; -+#endif -+ } -+ -+#undef W -+#undef tk -+#undef k -+#undef W_u32 -+#undef tk_u32 -+#undef k_u32 -+ wipememory(&tkk, sizeof(tkk)); -+} -+ -+void -+_gcry_aes_ppc8_prepare_decryption (RIJNDAEL_context *ctx) -+{ -+ internal_aes_ppc_prepare_decryption (ctx); -+} -+ -+ -+#define GCRY_AES_PPC8 1 -+#define ENCRYPT_BLOCK_FUNC _gcry_aes_ppc8_encrypt -+#define DECRYPT_BLOCK_FUNC _gcry_aes_ppc8_decrypt -+#define CFB_ENC_FUNC _gcry_aes_ppc8_cfb_enc -+#define CFB_DEC_FUNC _gcry_aes_ppc8_cfb_dec -+#define CBC_ENC_FUNC _gcry_aes_ppc8_cbc_enc -+#define CBC_DEC_FUNC _gcry_aes_ppc8_cbc_dec -+#define CTR_ENC_FUNC _gcry_aes_ppc8_ctr_enc -+#define OCB_CRYPT_FUNC _gcry_aes_ppc8_ocb_crypt -+#define OCB_AUTH_FUNC _gcry_aes_ppc8_ocb_auth -+#define XTS_CRYPT_FUNC _gcry_aes_ppc8_xts_crypt -+ -+#include -+ -+#endif /* USE_PPC_CRYPTO */ -diff -up libgcrypt-1.8.5/cipher/rijndael-ppc-common.h.aes-perf libgcrypt-1.8.5/cipher/rijndael-ppc-common.h ---- libgcrypt-1.8.5/cipher/rijndael-ppc-common.h.aes-perf 2020-04-22 18:29:41.678862076 +0200 -+++ libgcrypt-1.8.5/cipher/rijndael-ppc-common.h 2020-04-22 18:29:41.678862076 +0200 -@@ -0,0 +1,342 @@ -+/* Rijndael (AES) for GnuPG - PowerPC Vector Crypto AES implementation -+ * Copyright (C) 2019 Shawn Landden -+ * Copyright (C) 2019-2020 Jussi Kivilinna -+ * -+ * This file is part of Libgcrypt. -+ * -+ * Libgcrypt is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU Lesser General Public License as -+ * published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * Libgcrypt is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this program; if not, see . -+ * -+ * Alternatively, this code may be used in OpenSSL from The OpenSSL Project, -+ * and Cryptogams by Andy Polyakov, and if made part of a release of either -+ * or both projects, is thereafter dual-licensed under the license said project -+ * is released under. -+ */ -+ -+#ifndef G10_RIJNDAEL_PPC_COMMON_H -+#define G10_RIJNDAEL_PPC_COMMON_H -+ -+#include -+ -+ -+typedef vector unsigned char block; -+ -+typedef union -+{ -+ u32 data32[4]; -+} __attribute__((packed, aligned(1), may_alias)) u128_t; -+ -+ -+#define ALWAYS_INLINE inline __attribute__((always_inline)) -+#define NO_INLINE __attribute__((noinline)) -+#define NO_INSTRUMENT_FUNCTION __attribute__((no_instrument_function)) -+ -+#define ASM_FUNC_ATTR NO_INSTRUMENT_FUNCTION -+#define ASM_FUNC_ATTR_INLINE ASM_FUNC_ATTR ALWAYS_INLINE -+#define ASM_FUNC_ATTR_NOINLINE ASM_FUNC_ATTR NO_INLINE -+ -+ -+#define ALIGNED_LOAD(in_ptr, offs) \ -+ (asm_aligned_ld ((offs) * 16, (const void *)(in_ptr))) -+ -+#define ALIGNED_STORE(out_ptr, offs, vec) \ -+ (asm_aligned_st ((vec), (offs) * 16, (void *)(out_ptr))) -+ -+#define VEC_BE_SWAP(vec, bige_const) (asm_be_swap ((vec), (bige_const))) -+ -+#define VEC_LOAD_BE(in_ptr, offs, bige_const) \ -+ (asm_be_swap (asm_load_be_noswap ((offs) * 16, (const void *)(in_ptr)), \ -+ bige_const)) -+ -+#define VEC_LOAD_BE_NOSWAP(in_ptr, offs) \ -+ (asm_load_be_noswap ((offs) * 16, (const unsigned char *)(in_ptr))) -+ -+#define VEC_STORE_BE(out_ptr, offs, vec, bige_const) \ -+ (asm_store_be_noswap (asm_be_swap ((vec), (bige_const)), (offs) * 16, \ -+ (void *)(out_ptr))) -+ -+#define VEC_STORE_BE_NOSWAP(out_ptr, offs, vec) \ -+ (asm_store_be_noswap ((vec), (offs) * 16, (void *)(out_ptr))) -+ -+ -+#define ROUND_KEY_VARIABLES \ -+ block rkey0, rkeylast -+ -+#define PRELOAD_ROUND_KEYS(nrounds) \ -+ do { \ -+ rkey0 = ALIGNED_LOAD (rk, 0); \ -+ rkeylast = ALIGNED_LOAD (rk, nrounds); \ -+ } while (0) -+ -+#define AES_ENCRYPT(blk, nrounds) \ -+ do { \ -+ blk ^= rkey0; \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 1)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 2)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 3)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 4)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 5)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 6)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 7)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 8)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 9)); \ -+ if (nrounds >= 12) \ -+ { \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 10)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 11)); \ -+ if (rounds > 12) \ -+ { \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 12)); \ -+ blk = asm_cipher_be (blk, ALIGNED_LOAD (rk, 13)); \ -+ } \ -+ } \ -+ blk = asm_cipherlast_be (blk, rkeylast); \ -+ } while (0) -+ -+#define AES_DECRYPT(blk, nrounds) \ -+ do { \ -+ blk ^= rkey0; \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 1)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 2)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 3)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 4)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 5)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 6)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 7)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 8)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 9)); \ -+ if (nrounds >= 12) \ -+ { \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 10)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 11)); \ -+ if (rounds > 12) \ -+ { \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 12)); \ -+ blk = asm_ncipher_be (blk, ALIGNED_LOAD (rk, 13)); \ -+ } \ -+ } \ -+ blk = asm_ncipherlast_be (blk, rkeylast); \ -+ } while (0) -+ -+ -+#define ROUND_KEY_VARIABLES_ALL \ -+ block rkey0, rkey1, rkey2, rkey3, rkey4, rkey5, rkey6, rkey7, rkey8, \ -+ rkey9, rkey10, rkey11, rkey12, rkey13, rkeylast -+ -+#define PRELOAD_ROUND_KEYS_ALL(nrounds) \ -+ do { \ -+ rkey0 = ALIGNED_LOAD (rk, 0); \ -+ rkey1 = ALIGNED_LOAD (rk, 1); \ -+ rkey2 = ALIGNED_LOAD (rk, 2); \ -+ rkey3 = ALIGNED_LOAD (rk, 3); \ -+ rkey4 = ALIGNED_LOAD (rk, 4); \ -+ rkey5 = ALIGNED_LOAD (rk, 5); \ -+ rkey6 = ALIGNED_LOAD (rk, 6); \ -+ rkey7 = ALIGNED_LOAD (rk, 7); \ -+ rkey8 = ALIGNED_LOAD (rk, 8); \ -+ rkey9 = ALIGNED_LOAD (rk, 9); \ -+ if (nrounds >= 12) \ -+ { \ -+ rkey10 = ALIGNED_LOAD (rk, 10); \ -+ rkey11 = ALIGNED_LOAD (rk, 11); \ -+ if (rounds > 12) \ -+ { \ -+ rkey12 = ALIGNED_LOAD (rk, 12); \ -+ rkey13 = ALIGNED_LOAD (rk, 13); \ -+ } \ -+ } \ -+ rkeylast = ALIGNED_LOAD (rk, nrounds); \ -+ } while (0) -+ -+#define AES_ENCRYPT_ALL(blk, nrounds) \ -+ do { \ -+ blk ^= rkey0; \ -+ blk = asm_cipher_be (blk, rkey1); \ -+ blk = asm_cipher_be (blk, rkey2); \ -+ blk = asm_cipher_be (blk, rkey3); \ -+ blk = asm_cipher_be (blk, rkey4); \ -+ blk = asm_cipher_be (blk, rkey5); \ -+ blk = asm_cipher_be (blk, rkey6); \ -+ blk = asm_cipher_be (blk, rkey7); \ -+ blk = asm_cipher_be (blk, rkey8); \ -+ blk = asm_cipher_be (blk, rkey9); \ -+ if (nrounds >= 12) \ -+ { \ -+ blk = asm_cipher_be (blk, rkey10); \ -+ blk = asm_cipher_be (blk, rkey11); \ -+ if (rounds > 12) \ -+ { \ -+ blk = asm_cipher_be (blk, rkey12); \ -+ blk = asm_cipher_be (blk, rkey13); \ -+ } \ -+ } \ -+ blk = asm_cipherlast_be (blk, rkeylast); \ -+ } while (0) -+ -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_aligned_ld(unsigned long offset, const void *ptr) -+{ -+ block vec; -+#if __GNUC__ >= 4 -+ if (__builtin_constant_p (offset) && offset == 0) -+ __asm__ volatile ("lvx %0,0,%1\n\t" -+ : "=v" (vec) -+ : "r" ((uintptr_t)ptr) -+ : "memory"); -+ else -+#endif -+ __asm__ volatile ("lvx %0,%1,%2\n\t" -+ : "=v" (vec) -+ : "r" (offset), "r" ((uintptr_t)ptr) -+ : "memory", "r0"); -+ return vec; -+} -+ -+static ASM_FUNC_ATTR_INLINE void -+asm_aligned_st(block vec, unsigned long offset, void *ptr) -+{ -+#if __GNUC__ >= 4 -+ if (__builtin_constant_p (offset) && offset == 0) -+ __asm__ volatile ("stvx %0,0,%1\n\t" -+ : -+ : "v" (vec), "r" ((uintptr_t)ptr) -+ : "memory"); -+ else -+#endif -+ __asm__ volatile ("stvx %0,%1,%2\n\t" -+ : -+ : "v" (vec), "r" (offset), "r" ((uintptr_t)ptr) -+ : "memory", "r0"); -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_vperm1(block vec, block mask) -+{ -+ block o; -+ __asm__ volatile ("vperm %0,%1,%1,%2\n\t" -+ : "=v" (o) -+ : "v" (vec), "v" (mask)); -+ return o; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_add_uint128(block a, block b) -+{ -+ block res; -+ __asm__ volatile ("vadduqm %0,%1,%2\n\t" -+ : "=v" (res) -+ : "v" (a), "v" (b)); -+ return res; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_add_uint64(block a, block b) -+{ -+ block res; -+ __asm__ volatile ("vaddudm %0,%1,%2\n\t" -+ : "=v" (res) -+ : "v" (a), "v" (b)); -+ return res; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_sra_int64(block a, block b) -+{ -+ block res; -+ __asm__ volatile ("vsrad %0,%1,%2\n\t" -+ : "=v" (res) -+ : "v" (a), "v" (b)); -+ return res; -+} -+ -+static block -+asm_swap_uint64_halfs(block a) -+{ -+ block res; -+ __asm__ volatile ("xxswapd %x0, %x1" -+ : "=wa" (res) -+ : "wa" (a)); -+ return res; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_xor(block a, block b) -+{ -+ block res; -+ __asm__ volatile ("vxor %0,%1,%2\n\t" -+ : "=v" (res) -+ : "v" (a), "v" (b)); -+ return res; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_cipher_be(block b, block rk) -+{ -+ block o; -+ __asm__ volatile ("vcipher %0, %1, %2\n\t" -+ : "=v" (o) -+ : "v" (b), "v" (rk)); -+ return o; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_cipherlast_be(block b, block rk) -+{ -+ block o; -+ __asm__ volatile ("vcipherlast %0, %1, %2\n\t" -+ : "=v" (o) -+ : "v" (b), "v" (rk)); -+ return o; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_ncipher_be(block b, block rk) -+{ -+ block o; -+ __asm__ volatile ("vncipher %0, %1, %2\n\t" -+ : "=v" (o) -+ : "v" (b), "v" (rk)); -+ return o; -+} -+ -+static ASM_FUNC_ATTR_INLINE block -+asm_ncipherlast_be(block b, block rk) -+{ -+ block o; -+ __asm__ volatile ("vncipherlast %0, %1, %2\n\t" -+ : "=v" (o) -+ : "v" (b), "v" (rk)); -+ return o; -+} -+ -+ -+/* Make a decryption key from an encryption key. */ -+static ASM_FUNC_ATTR_INLINE void -+internal_aes_ppc_prepare_decryption (RIJNDAEL_context *ctx) -+{ -+ u128_t *ekey = (u128_t *)(void *)ctx->keyschenc; -+ u128_t *dkey = (u128_t *)(void *)ctx->keyschdec; -+ int rounds = ctx->rounds; -+ int rr; -+ int r; -+ -+ r = 0; -+ rr = rounds; -+ for (r = 0, rr = rounds; r <= rounds; r++, rr--) -+ { -+ ALIGNED_STORE (dkey, r, ALIGNED_LOAD (ekey, rr)); -+ } -+} -+ -+#endif /* G10_RIJNDAEL_PPC_COMMON_H */ -diff -up libgcrypt-1.8.5/cipher/rijndael-ppc-functions.h.aes-perf libgcrypt-1.8.5/cipher/rijndael-ppc-functions.h ---- libgcrypt-1.8.5/cipher/rijndael-ppc-functions.h.aes-perf 2020-04-22 18:29:41.679862057 +0200 -+++ libgcrypt-1.8.5/cipher/rijndael-ppc-functions.h 2020-04-22 18:29:41.679862057 +0200 -@@ -0,0 +1,2020 @@ -+/* Rijndael (AES) for GnuPG - PowerPC Vector Crypto AES implementation -+ * Copyright (C) 2019 Shawn Landden -+ * Copyright (C) 2019-2020 Jussi Kivilinna -+ * -+ * This file is part of Libgcrypt. -+ * -+ * Libgcrypt is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU Lesser General Public License as -+ * published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * Libgcrypt is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this program; if not, see . -+ * -+ * Alternatively, this code may be used in OpenSSL from The OpenSSL Project, -+ * and Cryptogams by Andy Polyakov, and if made part of a release of either -+ * or both projects, is thereafter dual-licensed under the license said project -+ * is released under. -+ */ -+ -+unsigned int ENCRYPT_BLOCK_FUNC (const RIJNDAEL_context *ctx, -+ unsigned char *out, -+ const unsigned char *in) -+{ -+ const block bige_const = asm_load_be_const(); -+ const u128_t *rk = (u128_t *)&ctx->keyschenc; -+ int rounds = ctx->rounds; -+ ROUND_KEY_VARIABLES; -+ block b; -+ -+ b = VEC_LOAD_BE (in, 0, bige_const); -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ -+ AES_ENCRYPT (b, rounds); -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ return 0; /* does not use stack */ -+} -+ -+ -+unsigned int DECRYPT_BLOCK_FUNC (const RIJNDAEL_context *ctx, -+ unsigned char *out, -+ const unsigned char *in) -+{ -+ const block bige_const = asm_load_be_const(); -+ const u128_t *rk = (u128_t *)&ctx->keyschdec; -+ int rounds = ctx->rounds; -+ ROUND_KEY_VARIABLES; -+ block b; -+ -+ b = VEC_LOAD_BE (in, 0, bige_const); -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ -+ AES_DECRYPT (b, rounds); -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ return 0; /* does not use stack */ -+} -+ -+ -+void CFB_ENC_FUNC (void *context, unsigned char *iv_arg, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks) -+{ -+ const block bige_const = asm_load_be_const(); -+ RIJNDAEL_context *ctx = context; -+ const u128_t *rk = (u128_t *)&ctx->keyschenc; -+ const u128_t *in = (const u128_t *)inbuf_arg; -+ u128_t *out = (u128_t *)outbuf_arg; -+ int rounds = ctx->rounds; -+ ROUND_KEY_VARIABLES_ALL; -+ block rkeylast_orig; -+ block iv; -+ -+ iv = VEC_LOAD_BE (iv_arg, 0, bige_const); -+ -+ PRELOAD_ROUND_KEYS_ALL (rounds); -+ rkeylast_orig = rkeylast; -+ -+ for (; nblocks >= 2; nblocks -= 2) -+ { -+ block in2, iv1; -+ -+ rkeylast = rkeylast_orig ^ VEC_LOAD_BE (in, 0, bige_const); -+ in2 = VEC_LOAD_BE (in + 1, 0, bige_const); -+ in += 2; -+ -+ AES_ENCRYPT_ALL (iv, rounds); -+ -+ iv1 = iv; -+ rkeylast = rkeylast_orig ^ in2; -+ -+ AES_ENCRYPT_ALL (iv, rounds); -+ -+ VEC_STORE_BE (out++, 0, iv1, bige_const); -+ VEC_STORE_BE (out++, 0, iv, bige_const); -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ rkeylast = rkeylast_orig ^ VEC_LOAD_BE (in++, 0, bige_const); -+ -+ AES_ENCRYPT_ALL (iv, rounds); -+ -+ VEC_STORE_BE (out++, 0, iv, bige_const); -+ } -+ -+ VEC_STORE_BE (iv_arg, 0, iv, bige_const); -+} -+ -+void CFB_DEC_FUNC (void *context, unsigned char *iv_arg, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks) -+{ -+ const block bige_const = asm_load_be_const(); -+ RIJNDAEL_context *ctx = context; -+ const u128_t *rk = (u128_t *)&ctx->keyschenc; -+ const u128_t *in = (const u128_t *)inbuf_arg; -+ u128_t *out = (u128_t *)outbuf_arg; -+ int rounds = ctx->rounds; -+ ROUND_KEY_VARIABLES; -+ block rkeylast_orig; -+ block iv, b, bin; -+ block in0, in1, in2, in3, in4, in5, in6, in7; -+ block b0, b1, b2, b3, b4, b5, b6, b7; -+ block rkey; -+ -+ iv = VEC_LOAD_BE (iv_arg, 0, bige_const); -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ rkeylast_orig = rkeylast; -+ -+ for (; nblocks >= 8; nblocks -= 8) -+ { -+ in0 = iv; -+ in1 = VEC_LOAD_BE_NOSWAP (in, 0); -+ in2 = VEC_LOAD_BE_NOSWAP (in, 1); -+ in3 = VEC_LOAD_BE_NOSWAP (in, 2); -+ in4 = VEC_LOAD_BE_NOSWAP (in, 3); -+ in1 = VEC_BE_SWAP (in1, bige_const); -+ in2 = VEC_BE_SWAP (in2, bige_const); -+ in5 = VEC_LOAD_BE_NOSWAP (in, 4); -+ in6 = VEC_LOAD_BE_NOSWAP (in, 5); -+ in3 = VEC_BE_SWAP (in3, bige_const); -+ in4 = VEC_BE_SWAP (in4, bige_const); -+ in7 = VEC_LOAD_BE_NOSWAP (in, 6); -+ iv = VEC_LOAD_BE_NOSWAP (in, 7); -+ in += 8; -+ in5 = VEC_BE_SWAP (in5, bige_const); -+ in6 = VEC_BE_SWAP (in6, bige_const); -+ b0 = asm_xor (rkey0, in0); -+ b1 = asm_xor (rkey0, in1); -+ in7 = VEC_BE_SWAP (in7, bige_const); -+ iv = VEC_BE_SWAP (iv, bige_const); -+ b2 = asm_xor (rkey0, in2); -+ b3 = asm_xor (rkey0, in3); -+ b4 = asm_xor (rkey0, in4); -+ b5 = asm_xor (rkey0, in5); -+ b6 = asm_xor (rkey0, in6); -+ b7 = asm_xor (rkey0, in7); -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); \ -+ b4 = asm_cipher_be (b4, rkey); \ -+ b5 = asm_cipher_be (b5, rkey); \ -+ b6 = asm_cipher_be (b6, rkey); \ -+ b7 = asm_cipher_be (b7, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ in1 = asm_xor (rkeylast, in1); -+ in2 = asm_xor (rkeylast, in2); -+ in3 = asm_xor (rkeylast, in3); -+ in4 = asm_xor (rkeylast, in4); -+ b0 = asm_cipherlast_be (b0, in1); -+ b1 = asm_cipherlast_be (b1, in2); -+ in5 = asm_xor (rkeylast, in5); -+ in6 = asm_xor (rkeylast, in6); -+ b2 = asm_cipherlast_be (b2, in3); -+ b3 = asm_cipherlast_be (b3, in4); -+ in7 = asm_xor (rkeylast, in7); -+ in0 = asm_xor (rkeylast, iv); -+ b0 = VEC_BE_SWAP (b0, bige_const); -+ b1 = VEC_BE_SWAP (b1, bige_const); -+ b4 = asm_cipherlast_be (b4, in5); -+ b5 = asm_cipherlast_be (b5, in6); -+ b2 = VEC_BE_SWAP (b2, bige_const); -+ b3 = VEC_BE_SWAP (b3, bige_const); -+ b6 = asm_cipherlast_be (b6, in7); -+ b7 = asm_cipherlast_be (b7, in0); -+ b4 = VEC_BE_SWAP (b4, bige_const); -+ b5 = VEC_BE_SWAP (b5, bige_const); -+ b6 = VEC_BE_SWAP (b6, bige_const); -+ b7 = VEC_BE_SWAP (b7, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 0, b0); -+ VEC_STORE_BE_NOSWAP (out, 1, b1); -+ VEC_STORE_BE_NOSWAP (out, 2, b2); -+ VEC_STORE_BE_NOSWAP (out, 3, b3); -+ VEC_STORE_BE_NOSWAP (out, 4, b4); -+ VEC_STORE_BE_NOSWAP (out, 5, b5); -+ VEC_STORE_BE_NOSWAP (out, 6, b6); -+ VEC_STORE_BE_NOSWAP (out, 7, b7); -+ out += 8; -+ } -+ -+ if (nblocks >= 4) -+ { -+ in0 = iv; -+ in1 = VEC_LOAD_BE (in, 0, bige_const); -+ in2 = VEC_LOAD_BE (in, 1, bige_const); -+ in3 = VEC_LOAD_BE (in, 2, bige_const); -+ iv = VEC_LOAD_BE (in, 3, bige_const); -+ -+ b0 = asm_xor (rkey0, in0); -+ b1 = asm_xor (rkey0, in1); -+ b2 = asm_xor (rkey0, in2); -+ b3 = asm_xor (rkey0, in3); -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ in1 = asm_xor (rkeylast, in1); -+ in2 = asm_xor (rkeylast, in2); -+ in3 = asm_xor (rkeylast, in3); -+ in0 = asm_xor (rkeylast, iv); -+ b0 = asm_cipherlast_be (b0, in1); -+ b1 = asm_cipherlast_be (b1, in2); -+ b2 = asm_cipherlast_be (b2, in3); -+ b3 = asm_cipherlast_be (b3, in0); -+ VEC_STORE_BE (out, 0, b0, bige_const); -+ VEC_STORE_BE (out, 1, b1, bige_const); -+ VEC_STORE_BE (out, 2, b2, bige_const); -+ VEC_STORE_BE (out, 3, b3, bige_const); -+ -+ in += 4; -+ out += 4; -+ nblocks -= 4; -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ bin = VEC_LOAD_BE (in, 0, bige_const); -+ rkeylast = rkeylast_orig ^ bin; -+ b = iv; -+ iv = bin; -+ -+ AES_ENCRYPT (b, rounds); -+ -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ out++; -+ in++; -+ } -+ -+ VEC_STORE_BE (iv_arg, 0, iv, bige_const); -+} -+ -+ -+void CBC_ENC_FUNC (void *context, unsigned char *iv_arg, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, int cbc_mac) -+{ -+ const block bige_const = asm_load_be_const(); -+ RIJNDAEL_context *ctx = context; -+ const u128_t *rk = (u128_t *)&ctx->keyschenc; -+ const u128_t *in = (const u128_t *)inbuf_arg; -+ byte *out = (byte *)outbuf_arg; -+ int rounds = ctx->rounds; -+ ROUND_KEY_VARIABLES_ALL; -+ block lastiv, b; -+ unsigned int outadd = -(!cbc_mac) & 16; -+ -+ lastiv = VEC_LOAD_BE (iv_arg, 0, bige_const); -+ -+ PRELOAD_ROUND_KEYS_ALL (rounds); -+ -+ for (; nblocks >= 2; nblocks -= 2) -+ { -+ block in2, lastiv1; -+ -+ b = lastiv ^ VEC_LOAD_BE (in, 0, bige_const); -+ in2 = VEC_LOAD_BE (in + 1, 0, bige_const); -+ in += 2; -+ -+ AES_ENCRYPT_ALL (b, rounds); -+ -+ lastiv1 = b; -+ b = lastiv1 ^ in2; -+ -+ AES_ENCRYPT_ALL (b, rounds); -+ -+ lastiv = b; -+ VEC_STORE_BE ((u128_t *)out, 0, lastiv1, bige_const); -+ out += outadd; -+ VEC_STORE_BE ((u128_t *)out, 0, lastiv, bige_const); -+ out += outadd; -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ b = lastiv ^ VEC_LOAD_BE (in++, 0, bige_const); -+ -+ AES_ENCRYPT_ALL (b, rounds); -+ -+ lastiv = b; -+ VEC_STORE_BE ((u128_t *)out, 0, b, bige_const); -+ out += outadd; -+ } -+ -+ VEC_STORE_BE (iv_arg, 0, lastiv, bige_const); -+} -+ -+void CBC_DEC_FUNC (void *context, unsigned char *iv_arg, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks) -+{ -+ const block bige_const = asm_load_be_const(); -+ RIJNDAEL_context *ctx = context; -+ const u128_t *rk = (u128_t *)&ctx->keyschdec; -+ const u128_t *in = (const u128_t *)inbuf_arg; -+ u128_t *out = (u128_t *)outbuf_arg; -+ int rounds = ctx->rounds; -+ ROUND_KEY_VARIABLES; -+ block rkeylast_orig; -+ block in0, in1, in2, in3, in4, in5, in6, in7; -+ block b0, b1, b2, b3, b4, b5, b6, b7; -+ block rkey; -+ block iv, b; -+ -+ if (!ctx->decryption_prepared) -+ { -+ internal_aes_ppc_prepare_decryption (ctx); -+ ctx->decryption_prepared = 1; -+ } -+ -+ iv = VEC_LOAD_BE (iv_arg, 0, bige_const); -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ rkeylast_orig = rkeylast; -+ -+ for (; nblocks >= 8; nblocks -= 8) -+ { -+ in0 = VEC_LOAD_BE_NOSWAP (in, 0); -+ in1 = VEC_LOAD_BE_NOSWAP (in, 1); -+ in2 = VEC_LOAD_BE_NOSWAP (in, 2); -+ in3 = VEC_LOAD_BE_NOSWAP (in, 3); -+ in0 = VEC_BE_SWAP (in0, bige_const); -+ in1 = VEC_BE_SWAP (in1, bige_const); -+ in4 = VEC_LOAD_BE_NOSWAP (in, 4); -+ in5 = VEC_LOAD_BE_NOSWAP (in, 5); -+ in2 = VEC_BE_SWAP (in2, bige_const); -+ in3 = VEC_BE_SWAP (in3, bige_const); -+ in6 = VEC_LOAD_BE_NOSWAP (in, 6); -+ in7 = VEC_LOAD_BE_NOSWAP (in, 7); -+ in += 8; -+ b0 = asm_xor (rkey0, in0); -+ b1 = asm_xor (rkey0, in1); -+ in4 = VEC_BE_SWAP (in4, bige_const); -+ in5 = VEC_BE_SWAP (in5, bige_const); -+ b2 = asm_xor (rkey0, in2); -+ b3 = asm_xor (rkey0, in3); -+ in6 = VEC_BE_SWAP (in6, bige_const); -+ in7 = VEC_BE_SWAP (in7, bige_const); -+ b4 = asm_xor (rkey0, in4); -+ b5 = asm_xor (rkey0, in5); -+ b6 = asm_xor (rkey0, in6); -+ b7 = asm_xor (rkey0, in7); -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_ncipher_be (b0, rkey); \ -+ b1 = asm_ncipher_be (b1, rkey); \ -+ b2 = asm_ncipher_be (b2, rkey); \ -+ b3 = asm_ncipher_be (b3, rkey); \ -+ b4 = asm_ncipher_be (b4, rkey); \ -+ b5 = asm_ncipher_be (b5, rkey); \ -+ b6 = asm_ncipher_be (b6, rkey); \ -+ b7 = asm_ncipher_be (b7, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ iv = asm_xor (rkeylast, iv); -+ in0 = asm_xor (rkeylast, in0); -+ in1 = asm_xor (rkeylast, in1); -+ in2 = asm_xor (rkeylast, in2); -+ b0 = asm_ncipherlast_be (b0, iv); -+ iv = in7; -+ b1 = asm_ncipherlast_be (b1, in0); -+ in3 = asm_xor (rkeylast, in3); -+ in4 = asm_xor (rkeylast, in4); -+ b2 = asm_ncipherlast_be (b2, in1); -+ b3 = asm_ncipherlast_be (b3, in2); -+ in5 = asm_xor (rkeylast, in5); -+ in6 = asm_xor (rkeylast, in6); -+ b0 = VEC_BE_SWAP (b0, bige_const); -+ b1 = VEC_BE_SWAP (b1, bige_const); -+ b4 = asm_ncipherlast_be (b4, in3); -+ b5 = asm_ncipherlast_be (b5, in4); -+ b2 = VEC_BE_SWAP (b2, bige_const); -+ b3 = VEC_BE_SWAP (b3, bige_const); -+ b6 = asm_ncipherlast_be (b6, in5); -+ b7 = asm_ncipherlast_be (b7, in6); -+ b4 = VEC_BE_SWAP (b4, bige_const); -+ b5 = VEC_BE_SWAP (b5, bige_const); -+ b6 = VEC_BE_SWAP (b6, bige_const); -+ b7 = VEC_BE_SWAP (b7, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 0, b0); -+ VEC_STORE_BE_NOSWAP (out, 1, b1); -+ VEC_STORE_BE_NOSWAP (out, 2, b2); -+ VEC_STORE_BE_NOSWAP (out, 3, b3); -+ VEC_STORE_BE_NOSWAP (out, 4, b4); -+ VEC_STORE_BE_NOSWAP (out, 5, b5); -+ VEC_STORE_BE_NOSWAP (out, 6, b6); -+ VEC_STORE_BE_NOSWAP (out, 7, b7); -+ out += 8; -+ } -+ -+ if (nblocks >= 4) -+ { -+ in0 = VEC_LOAD_BE (in, 0, bige_const); -+ in1 = VEC_LOAD_BE (in, 1, bige_const); -+ in2 = VEC_LOAD_BE (in, 2, bige_const); -+ in3 = VEC_LOAD_BE (in, 3, bige_const); -+ -+ b0 = asm_xor (rkey0, in0); -+ b1 = asm_xor (rkey0, in1); -+ b2 = asm_xor (rkey0, in2); -+ b3 = asm_xor (rkey0, in3); -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_ncipher_be (b0, rkey); \ -+ b1 = asm_ncipher_be (b1, rkey); \ -+ b2 = asm_ncipher_be (b2, rkey); \ -+ b3 = asm_ncipher_be (b3, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ iv = asm_xor (rkeylast, iv); -+ in0 = asm_xor (rkeylast, in0); -+ in1 = asm_xor (rkeylast, in1); -+ in2 = asm_xor (rkeylast, in2); -+ -+ b0 = asm_ncipherlast_be (b0, iv); -+ iv = in3; -+ b1 = asm_ncipherlast_be (b1, in0); -+ b2 = asm_ncipherlast_be (b2, in1); -+ b3 = asm_ncipherlast_be (b3, in2); -+ -+ VEC_STORE_BE (out, 0, b0, bige_const); -+ VEC_STORE_BE (out, 1, b1, bige_const); -+ VEC_STORE_BE (out, 2, b2, bige_const); -+ VEC_STORE_BE (out, 3, b3, bige_const); -+ -+ in += 4; -+ out += 4; -+ nblocks -= 4; -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ rkeylast = rkeylast_orig ^ iv; -+ -+ iv = VEC_LOAD_BE (in, 0, bige_const); -+ b = iv; -+ AES_DECRYPT (b, rounds); -+ -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ in++; -+ out++; -+ } -+ -+ VEC_STORE_BE (iv_arg, 0, iv, bige_const); -+} -+ -+ -+void CTR_ENC_FUNC (void *context, unsigned char *ctr_arg, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks) -+{ -+ static const unsigned char vec_one_const[16] = -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 }; -+ const block bige_const = asm_load_be_const(); -+ RIJNDAEL_context *ctx = context; -+ const u128_t *rk = (u128_t *)&ctx->keyschenc; -+ const u128_t *in = (const u128_t *)inbuf_arg; -+ u128_t *out = (u128_t *)outbuf_arg; -+ int rounds = ctx->rounds; -+ ROUND_KEY_VARIABLES; -+ block rkeylast_orig; -+ block ctr, b, one; -+ -+ ctr = VEC_LOAD_BE (ctr_arg, 0, bige_const); -+ one = VEC_LOAD_BE (&vec_one_const, 0, bige_const); -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ rkeylast_orig = rkeylast; -+ -+ if (nblocks >= 4) -+ { -+ block in0, in1, in2, in3, in4, in5, in6, in7; -+ block b0, b1, b2, b3, b4, b5, b6, b7; -+ block two, three, four; -+ block rkey; -+ -+ two = asm_add_uint128 (one, one); -+ three = asm_add_uint128 (two, one); -+ four = asm_add_uint128 (two, two); -+ -+ for (; nblocks >= 8; nblocks -= 8) -+ { -+ b1 = asm_add_uint128 (ctr, one); -+ b2 = asm_add_uint128 (ctr, two); -+ b3 = asm_add_uint128 (ctr, three); -+ b4 = asm_add_uint128 (ctr, four); -+ b5 = asm_add_uint128 (b1, four); -+ b6 = asm_add_uint128 (b2, four); -+ b7 = asm_add_uint128 (b3, four); -+ b0 = asm_xor (rkey0, ctr); -+ rkey = ALIGNED_LOAD (rk, 1); -+ ctr = asm_add_uint128 (b4, four); -+ b1 = asm_xor (rkey0, b1); -+ b2 = asm_xor (rkey0, b2); -+ b3 = asm_xor (rkey0, b3); -+ b0 = asm_cipher_be (b0, rkey); -+ b1 = asm_cipher_be (b1, rkey); -+ b2 = asm_cipher_be (b2, rkey); -+ b3 = asm_cipher_be (b3, rkey); -+ b4 = asm_xor (rkey0, b4); -+ b5 = asm_xor (rkey0, b5); -+ b6 = asm_xor (rkey0, b6); -+ b7 = asm_xor (rkey0, b7); -+ b4 = asm_cipher_be (b4, rkey); -+ b5 = asm_cipher_be (b5, rkey); -+ b6 = asm_cipher_be (b6, rkey); -+ b7 = asm_cipher_be (b7, rkey); -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); \ -+ b4 = asm_cipher_be (b4, rkey); \ -+ b5 = asm_cipher_be (b5, rkey); \ -+ b6 = asm_cipher_be (b6, rkey); \ -+ b7 = asm_cipher_be (b7, rkey); -+ -+ in0 = VEC_LOAD_BE_NOSWAP (in, 0); -+ DO_ROUND(2); -+ in1 = VEC_LOAD_BE_NOSWAP (in, 1); -+ DO_ROUND(3); -+ in2 = VEC_LOAD_BE_NOSWAP (in, 2); -+ DO_ROUND(4); -+ in3 = VEC_LOAD_BE_NOSWAP (in, 3); -+ DO_ROUND(5); -+ in4 = VEC_LOAD_BE_NOSWAP (in, 4); -+ DO_ROUND(6); -+ in5 = VEC_LOAD_BE_NOSWAP (in, 5); -+ DO_ROUND(7); -+ in6 = VEC_LOAD_BE_NOSWAP (in, 6); -+ DO_ROUND(8); -+ in7 = VEC_LOAD_BE_NOSWAP (in, 7); -+ in += 8; -+ DO_ROUND(9); -+ -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ in0 = VEC_BE_SWAP (in0, bige_const); -+ in1 = VEC_BE_SWAP (in1, bige_const); -+ in2 = VEC_BE_SWAP (in2, bige_const); -+ in3 = VEC_BE_SWAP (in3, bige_const); -+ in4 = VEC_BE_SWAP (in4, bige_const); -+ in5 = VEC_BE_SWAP (in5, bige_const); -+ in6 = VEC_BE_SWAP (in6, bige_const); -+ in7 = VEC_BE_SWAP (in7, bige_const); -+ -+ in0 = asm_xor (rkeylast, in0); -+ in1 = asm_xor (rkeylast, in1); -+ in2 = asm_xor (rkeylast, in2); -+ in3 = asm_xor (rkeylast, in3); -+ b0 = asm_cipherlast_be (b0, in0); -+ b1 = asm_cipherlast_be (b1, in1); -+ in4 = asm_xor (rkeylast, in4); -+ in5 = asm_xor (rkeylast, in5); -+ b2 = asm_cipherlast_be (b2, in2); -+ b3 = asm_cipherlast_be (b3, in3); -+ in6 = asm_xor (rkeylast, in6); -+ in7 = asm_xor (rkeylast, in7); -+ b4 = asm_cipherlast_be (b4, in4); -+ b5 = asm_cipherlast_be (b5, in5); -+ b6 = asm_cipherlast_be (b6, in6); -+ b7 = asm_cipherlast_be (b7, in7); -+ -+ b0 = VEC_BE_SWAP (b0, bige_const); -+ b1 = VEC_BE_SWAP (b1, bige_const); -+ b2 = VEC_BE_SWAP (b2, bige_const); -+ b3 = VEC_BE_SWAP (b3, bige_const); -+ b4 = VEC_BE_SWAP (b4, bige_const); -+ b5 = VEC_BE_SWAP (b5, bige_const); -+ b6 = VEC_BE_SWAP (b6, bige_const); -+ b7 = VEC_BE_SWAP (b7, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 0, b0); -+ VEC_STORE_BE_NOSWAP (out, 1, b1); -+ VEC_STORE_BE_NOSWAP (out, 2, b2); -+ VEC_STORE_BE_NOSWAP (out, 3, b3); -+ VEC_STORE_BE_NOSWAP (out, 4, b4); -+ VEC_STORE_BE_NOSWAP (out, 5, b5); -+ VEC_STORE_BE_NOSWAP (out, 6, b6); -+ VEC_STORE_BE_NOSWAP (out, 7, b7); -+ out += 8; -+ } -+ -+ if (nblocks >= 4) -+ { -+ b1 = asm_add_uint128 (ctr, one); -+ b2 = asm_add_uint128 (ctr, two); -+ b3 = asm_add_uint128 (ctr, three); -+ b0 = asm_xor (rkey0, ctr); -+ ctr = asm_add_uint128 (ctr, four); -+ b1 = asm_xor (rkey0, b1); -+ b2 = asm_xor (rkey0, b2); -+ b3 = asm_xor (rkey0, b3); -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ -+ in0 = VEC_LOAD_BE (in, 0, bige_const); -+ in1 = VEC_LOAD_BE (in, 1, bige_const); -+ in2 = VEC_LOAD_BE (in, 2, bige_const); -+ in3 = VEC_LOAD_BE (in, 3, bige_const); -+ -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ in0 = asm_xor (rkeylast, in0); -+ in1 = asm_xor (rkeylast, in1); -+ in2 = asm_xor (rkeylast, in2); -+ in3 = asm_xor (rkeylast, in3); -+ -+ b0 = asm_cipherlast_be (b0, in0); -+ b1 = asm_cipherlast_be (b1, in1); -+ b2 = asm_cipherlast_be (b2, in2); -+ b3 = asm_cipherlast_be (b3, in3); -+ -+ VEC_STORE_BE (out, 0, b0, bige_const); -+ VEC_STORE_BE (out, 1, b1, bige_const); -+ VEC_STORE_BE (out, 2, b2, bige_const); -+ VEC_STORE_BE (out, 3, b3, bige_const); -+ -+ in += 4; -+ out += 4; -+ nblocks -= 4; -+ } -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ b = ctr; -+ ctr = asm_add_uint128 (ctr, one); -+ rkeylast = rkeylast_orig ^ VEC_LOAD_BE (in, 0, bige_const); -+ -+ AES_ENCRYPT (b, rounds); -+ -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ out++; -+ in++; -+ } -+ -+ VEC_STORE_BE (ctr_arg, 0, ctr, bige_const); -+} -+ -+ -+size_t OCB_CRYPT_FUNC (gcry_cipher_hd_t c, void *outbuf_arg, -+ const void *inbuf_arg, size_t nblocks, -+ int encrypt) -+{ -+ const block bige_const = asm_load_be_const(); -+ RIJNDAEL_context *ctx = (void *)&c->context.c; -+ const u128_t *in = (const u128_t *)inbuf_arg; -+ u128_t *out = (u128_t *)outbuf_arg; -+ int rounds = ctx->rounds; -+ u64 data_nblocks = c->u_mode.ocb.data_nblocks; -+ block l0, l1, l2, l; -+ block b0, b1, b2, b3, b4, b5, b6, b7, b; -+ block iv0, iv1, iv2, iv3, iv4, iv5, iv6, iv7; -+ block rkey, rkeylf; -+ block ctr, iv; -+ ROUND_KEY_VARIABLES; -+ -+ iv = VEC_LOAD_BE (c->u_iv.iv, 0, bige_const); -+ ctr = VEC_LOAD_BE (c->u_ctr.ctr, 0, bige_const); -+ -+ l0 = VEC_LOAD_BE (c->u_mode.ocb.L[0], 0, bige_const); -+ l1 = VEC_LOAD_BE (c->u_mode.ocb.L[1], 0, bige_const); -+ l2 = VEC_LOAD_BE (c->u_mode.ocb.L[2], 0, bige_const); -+ -+ if (encrypt) -+ { -+ const u128_t *rk = (u128_t *)&ctx->keyschenc; -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ -+ for (; nblocks >= 8 && data_nblocks % 8; nblocks--) -+ { -+ l = VEC_LOAD_BE (ocb_get_l (c, ++data_nblocks), 0, bige_const); -+ b = VEC_LOAD_BE (in, 0, bige_const); -+ -+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -+ iv ^= l; -+ /* Checksum_i = Checksum_{i-1} xor P_i */ -+ ctr ^= b; -+ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ -+ b ^= iv; -+ AES_ENCRYPT (b, rounds); -+ b ^= iv; -+ -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ in += 1; -+ out += 1; -+ } -+ -+ for (; nblocks >= 8; nblocks -= 8) -+ { -+ b0 = VEC_LOAD_BE_NOSWAP (in, 0); -+ b1 = VEC_LOAD_BE_NOSWAP (in, 1); -+ b2 = VEC_LOAD_BE_NOSWAP (in, 2); -+ b3 = VEC_LOAD_BE_NOSWAP (in, 3); -+ b4 = VEC_LOAD_BE_NOSWAP (in, 4); -+ b5 = VEC_LOAD_BE_NOSWAP (in, 5); -+ b6 = VEC_LOAD_BE_NOSWAP (in, 6); -+ b7 = VEC_LOAD_BE_NOSWAP (in, 7); -+ in += 8; -+ l = VEC_LOAD_BE_NOSWAP (ocb_get_l (c, data_nblocks += 8), 0); -+ b0 = VEC_BE_SWAP(b0, bige_const); -+ b1 = VEC_BE_SWAP(b1, bige_const); -+ b2 = VEC_BE_SWAP(b2, bige_const); -+ b3 = VEC_BE_SWAP(b3, bige_const); -+ b4 = VEC_BE_SWAP(b4, bige_const); -+ b5 = VEC_BE_SWAP(b5, bige_const); -+ b6 = VEC_BE_SWAP(b6, bige_const); -+ b7 = VEC_BE_SWAP(b7, bige_const); -+ l = VEC_BE_SWAP(l, bige_const); -+ -+ ctr ^= b0 ^ b1 ^ b2 ^ b3 ^ b4 ^ b5 ^ b6 ^ b7; -+ -+ iv ^= rkey0; -+ -+ iv0 = iv ^ l0; -+ iv1 = iv ^ l0 ^ l1; -+ iv2 = iv ^ l1; -+ iv3 = iv ^ l1 ^ l2; -+ iv4 = iv ^ l1 ^ l2 ^ l0; -+ iv5 = iv ^ l2 ^ l0; -+ iv6 = iv ^ l2; -+ iv7 = iv ^ l2 ^ l; -+ -+ b0 ^= iv0; -+ b1 ^= iv1; -+ b2 ^= iv2; -+ b3 ^= iv3; -+ b4 ^= iv4; -+ b5 ^= iv5; -+ b6 ^= iv6; -+ b7 ^= iv7; -+ iv = iv7 ^ rkey0; -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); \ -+ b4 = asm_cipher_be (b4, rkey); \ -+ b5 = asm_cipher_be (b5, rkey); \ -+ b6 = asm_cipher_be (b6, rkey); \ -+ b7 = asm_cipher_be (b7, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ -+ rkeylf = asm_xor (rkeylast, rkey0); -+ -+ DO_ROUND(8); -+ -+ iv0 = asm_xor (rkeylf, iv0); -+ iv1 = asm_xor (rkeylf, iv1); -+ iv2 = asm_xor (rkeylf, iv2); -+ iv3 = asm_xor (rkeylf, iv3); -+ iv4 = asm_xor (rkeylf, iv4); -+ iv5 = asm_xor (rkeylf, iv5); -+ iv6 = asm_xor (rkeylf, iv6); -+ iv7 = asm_xor (rkeylf, iv7); -+ -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ b0 = asm_cipherlast_be (b0, iv0); -+ b1 = asm_cipherlast_be (b1, iv1); -+ b2 = asm_cipherlast_be (b2, iv2); -+ b3 = asm_cipherlast_be (b3, iv3); -+ b4 = asm_cipherlast_be (b4, iv4); -+ b5 = asm_cipherlast_be (b5, iv5); -+ b6 = asm_cipherlast_be (b6, iv6); -+ b7 = asm_cipherlast_be (b7, iv7); -+ -+ b0 = VEC_BE_SWAP (b0, bige_const); -+ b1 = VEC_BE_SWAP (b1, bige_const); -+ b2 = VEC_BE_SWAP (b2, bige_const); -+ b3 = VEC_BE_SWAP (b3, bige_const); -+ b4 = VEC_BE_SWAP (b4, bige_const); -+ b5 = VEC_BE_SWAP (b5, bige_const); -+ b6 = VEC_BE_SWAP (b6, bige_const); -+ b7 = VEC_BE_SWAP (b7, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 0, b0); -+ VEC_STORE_BE_NOSWAP (out, 1, b1); -+ VEC_STORE_BE_NOSWAP (out, 2, b2); -+ VEC_STORE_BE_NOSWAP (out, 3, b3); -+ VEC_STORE_BE_NOSWAP (out, 4, b4); -+ VEC_STORE_BE_NOSWAP (out, 5, b5); -+ VEC_STORE_BE_NOSWAP (out, 6, b6); -+ VEC_STORE_BE_NOSWAP (out, 7, b7); -+ out += 8; -+ } -+ -+ if (nblocks >= 4 && (data_nblocks % 4) == 0) -+ { -+ b0 = VEC_LOAD_BE (in, 0, bige_const); -+ b1 = VEC_LOAD_BE (in, 1, bige_const); -+ b2 = VEC_LOAD_BE (in, 2, bige_const); -+ b3 = VEC_LOAD_BE (in, 3, bige_const); -+ -+ l = VEC_LOAD_BE (ocb_get_l (c, data_nblocks += 4), 0, bige_const); -+ -+ ctr ^= b0 ^ b1 ^ b2 ^ b3; -+ -+ iv ^= rkey0; -+ -+ iv0 = iv ^ l0; -+ iv1 = iv ^ l0 ^ l1; -+ iv2 = iv ^ l1; -+ iv3 = iv ^ l1 ^ l; -+ -+ b0 ^= iv0; -+ b1 ^= iv1; -+ b2 ^= iv2; -+ b3 ^= iv3; -+ iv = iv3 ^ rkey0; -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ rkey = rkeylast ^ rkey0; -+ b0 = asm_cipherlast_be (b0, rkey ^ iv0); -+ b1 = asm_cipherlast_be (b1, rkey ^ iv1); -+ b2 = asm_cipherlast_be (b2, rkey ^ iv2); -+ b3 = asm_cipherlast_be (b3, rkey ^ iv3); -+ -+ VEC_STORE_BE (out, 0, b0, bige_const); -+ VEC_STORE_BE (out, 1, b1, bige_const); -+ VEC_STORE_BE (out, 2, b2, bige_const); -+ VEC_STORE_BE (out, 3, b3, bige_const); -+ -+ in += 4; -+ out += 4; -+ nblocks -= 4; -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ l = VEC_LOAD_BE (ocb_get_l (c, ++data_nblocks), 0, bige_const); -+ b = VEC_LOAD_BE (in, 0, bige_const); -+ -+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -+ iv ^= l; -+ /* Checksum_i = Checksum_{i-1} xor P_i */ -+ ctr ^= b; -+ /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ -+ b ^= iv; -+ AES_ENCRYPT (b, rounds); -+ b ^= iv; -+ -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ in += 1; -+ out += 1; -+ } -+ } -+ else -+ { -+ const u128_t *rk = (u128_t *)&ctx->keyschdec; -+ -+ if (!ctx->decryption_prepared) -+ { -+ internal_aes_ppc_prepare_decryption (ctx); -+ ctx->decryption_prepared = 1; -+ } -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ -+ for (; nblocks >= 8 && data_nblocks % 8; nblocks--) -+ { -+ l = VEC_LOAD_BE (ocb_get_l (c, ++data_nblocks), 0, bige_const); -+ b = VEC_LOAD_BE (in, 0, bige_const); -+ -+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -+ iv ^= l; -+ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ -+ b ^= iv; -+ AES_DECRYPT (b, rounds); -+ b ^= iv; -+ /* Checksum_i = Checksum_{i-1} xor P_i */ -+ ctr ^= b; -+ -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ in += 1; -+ out += 1; -+ } -+ -+ for (; nblocks >= 8; nblocks -= 8) -+ { -+ b0 = VEC_LOAD_BE_NOSWAP (in, 0); -+ b1 = VEC_LOAD_BE_NOSWAP (in, 1); -+ b2 = VEC_LOAD_BE_NOSWAP (in, 2); -+ b3 = VEC_LOAD_BE_NOSWAP (in, 3); -+ b4 = VEC_LOAD_BE_NOSWAP (in, 4); -+ b5 = VEC_LOAD_BE_NOSWAP (in, 5); -+ b6 = VEC_LOAD_BE_NOSWAP (in, 6); -+ b7 = VEC_LOAD_BE_NOSWAP (in, 7); -+ in += 8; -+ l = VEC_LOAD_BE_NOSWAP (ocb_get_l (c, data_nblocks += 8), 0); -+ b0 = VEC_BE_SWAP(b0, bige_const); -+ b1 = VEC_BE_SWAP(b1, bige_const); -+ b2 = VEC_BE_SWAP(b2, bige_const); -+ b3 = VEC_BE_SWAP(b3, bige_const); -+ b4 = VEC_BE_SWAP(b4, bige_const); -+ b5 = VEC_BE_SWAP(b5, bige_const); -+ b6 = VEC_BE_SWAP(b6, bige_const); -+ b7 = VEC_BE_SWAP(b7, bige_const); -+ l = VEC_BE_SWAP(l, bige_const); -+ -+ iv ^= rkey0; -+ -+ iv0 = iv ^ l0; -+ iv1 = iv ^ l0 ^ l1; -+ iv2 = iv ^ l1; -+ iv3 = iv ^ l1 ^ l2; -+ iv4 = iv ^ l1 ^ l2 ^ l0; -+ iv5 = iv ^ l2 ^ l0; -+ iv6 = iv ^ l2; -+ iv7 = iv ^ l2 ^ l; -+ -+ b0 ^= iv0; -+ b1 ^= iv1; -+ b2 ^= iv2; -+ b3 ^= iv3; -+ b4 ^= iv4; -+ b5 ^= iv5; -+ b6 ^= iv6; -+ b7 ^= iv7; -+ iv = iv7 ^ rkey0; -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_ncipher_be (b0, rkey); \ -+ b1 = asm_ncipher_be (b1, rkey); \ -+ b2 = asm_ncipher_be (b2, rkey); \ -+ b3 = asm_ncipher_be (b3, rkey); \ -+ b4 = asm_ncipher_be (b4, rkey); \ -+ b5 = asm_ncipher_be (b5, rkey); \ -+ b6 = asm_ncipher_be (b6, rkey); \ -+ b7 = asm_ncipher_be (b7, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ -+ rkeylf = asm_xor (rkeylast, rkey0); -+ -+ DO_ROUND(8); -+ -+ iv0 = asm_xor (rkeylf, iv0); -+ iv1 = asm_xor (rkeylf, iv1); -+ iv2 = asm_xor (rkeylf, iv2); -+ iv3 = asm_xor (rkeylf, iv3); -+ iv4 = asm_xor (rkeylf, iv4); -+ iv5 = asm_xor (rkeylf, iv5); -+ iv6 = asm_xor (rkeylf, iv6); -+ iv7 = asm_xor (rkeylf, iv7); -+ -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ b0 = asm_ncipherlast_be (b0, iv0); -+ b1 = asm_ncipherlast_be (b1, iv1); -+ b2 = asm_ncipherlast_be (b2, iv2); -+ b3 = asm_ncipherlast_be (b3, iv3); -+ b4 = asm_ncipherlast_be (b4, iv4); -+ b5 = asm_ncipherlast_be (b5, iv5); -+ b6 = asm_ncipherlast_be (b6, iv6); -+ b7 = asm_ncipherlast_be (b7, iv7); -+ -+ ctr ^= b0 ^ b1 ^ b2 ^ b3 ^ b4 ^ b5 ^ b6 ^ b7; -+ -+ b0 = VEC_BE_SWAP (b0, bige_const); -+ b1 = VEC_BE_SWAP (b1, bige_const); -+ b2 = VEC_BE_SWAP (b2, bige_const); -+ b3 = VEC_BE_SWAP (b3, bige_const); -+ b4 = VEC_BE_SWAP (b4, bige_const); -+ b5 = VEC_BE_SWAP (b5, bige_const); -+ b6 = VEC_BE_SWAP (b6, bige_const); -+ b7 = VEC_BE_SWAP (b7, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 0, b0); -+ VEC_STORE_BE_NOSWAP (out, 1, b1); -+ VEC_STORE_BE_NOSWAP (out, 2, b2); -+ VEC_STORE_BE_NOSWAP (out, 3, b3); -+ VEC_STORE_BE_NOSWAP (out, 4, b4); -+ VEC_STORE_BE_NOSWAP (out, 5, b5); -+ VEC_STORE_BE_NOSWAP (out, 6, b6); -+ VEC_STORE_BE_NOSWAP (out, 7, b7); -+ out += 8; -+ } -+ -+ if (nblocks >= 4 && (data_nblocks % 4) == 0) -+ { -+ b0 = VEC_LOAD_BE (in, 0, bige_const); -+ b1 = VEC_LOAD_BE (in, 1, bige_const); -+ b2 = VEC_LOAD_BE (in, 2, bige_const); -+ b3 = VEC_LOAD_BE (in, 3, bige_const); -+ -+ l = VEC_LOAD_BE (ocb_get_l (c, data_nblocks += 4), 0, bige_const); -+ -+ iv ^= rkey0; -+ -+ iv0 = iv ^ l0; -+ iv1 = iv ^ l0 ^ l1; -+ iv2 = iv ^ l1; -+ iv3 = iv ^ l1 ^ l; -+ -+ b0 ^= iv0; -+ b1 ^= iv1; -+ b2 ^= iv2; -+ b3 ^= iv3; -+ iv = iv3 ^ rkey0; -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_ncipher_be (b0, rkey); \ -+ b1 = asm_ncipher_be (b1, rkey); \ -+ b2 = asm_ncipher_be (b2, rkey); \ -+ b3 = asm_ncipher_be (b3, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ rkey = rkeylast ^ rkey0; -+ b0 = asm_ncipherlast_be (b0, rkey ^ iv0); -+ b1 = asm_ncipherlast_be (b1, rkey ^ iv1); -+ b2 = asm_ncipherlast_be (b2, rkey ^ iv2); -+ b3 = asm_ncipherlast_be (b3, rkey ^ iv3); -+ -+ VEC_STORE_BE (out, 0, b0, bige_const); -+ VEC_STORE_BE (out, 1, b1, bige_const); -+ VEC_STORE_BE (out, 2, b2, bige_const); -+ VEC_STORE_BE (out, 3, b3, bige_const); -+ -+ ctr ^= b0 ^ b1 ^ b2 ^ b3; -+ -+ in += 4; -+ out += 4; -+ nblocks -= 4; -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ l = VEC_LOAD_BE (ocb_get_l (c, ++data_nblocks), 0, bige_const); -+ b = VEC_LOAD_BE (in, 0, bige_const); -+ -+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -+ iv ^= l; -+ /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ -+ b ^= iv; -+ AES_DECRYPT (b, rounds); -+ b ^= iv; -+ /* Checksum_i = Checksum_{i-1} xor P_i */ -+ ctr ^= b; -+ -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ in += 1; -+ out += 1; -+ } -+ } -+ -+ VEC_STORE_BE (c->u_iv.iv, 0, iv, bige_const); -+ VEC_STORE_BE (c->u_ctr.ctr, 0, ctr, bige_const); -+ c->u_mode.ocb.data_nblocks = data_nblocks; -+ -+ return 0; -+} -+ -+size_t OCB_AUTH_FUNC (gcry_cipher_hd_t c, void *abuf_arg, size_t nblocks) -+{ -+ const block bige_const = asm_load_be_const(); -+ RIJNDAEL_context *ctx = (void *)&c->context.c; -+ const u128_t *rk = (u128_t *)&ctx->keyschenc; -+ const u128_t *abuf = (const u128_t *)abuf_arg; -+ int rounds = ctx->rounds; -+ u64 data_nblocks = c->u_mode.ocb.aad_nblocks; -+ block l0, l1, l2, l; -+ block b0, b1, b2, b3, b4, b5, b6, b7, b; -+ block iv0, iv1, iv2, iv3, iv4, iv5, iv6, iv7; -+ block rkey, frkey; -+ block ctr, iv; -+ ROUND_KEY_VARIABLES; -+ -+ iv = VEC_LOAD_BE (c->u_mode.ocb.aad_offset, 0, bige_const); -+ ctr = VEC_LOAD_BE (c->u_mode.ocb.aad_sum, 0, bige_const); -+ -+ l0 = VEC_LOAD_BE (c->u_mode.ocb.L[0], 0, bige_const); -+ l1 = VEC_LOAD_BE (c->u_mode.ocb.L[1], 0, bige_const); -+ l2 = VEC_LOAD_BE (c->u_mode.ocb.L[2], 0, bige_const); -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ -+ for (; nblocks >= 8 && data_nblocks % 8; nblocks--) -+ { -+ l = VEC_LOAD_BE (ocb_get_l (c, ++data_nblocks), 0, bige_const); -+ b = VEC_LOAD_BE (abuf, 0, bige_const); -+ -+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -+ iv ^= l; -+ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ -+ b ^= iv; -+ AES_ENCRYPT (b, rounds); -+ ctr ^= b; -+ -+ abuf += 1; -+ } -+ -+ for (; nblocks >= 8; nblocks -= 8) -+ { -+ b0 = VEC_LOAD_BE (abuf, 0, bige_const); -+ b1 = VEC_LOAD_BE (abuf, 1, bige_const); -+ b2 = VEC_LOAD_BE (abuf, 2, bige_const); -+ b3 = VEC_LOAD_BE (abuf, 3, bige_const); -+ b4 = VEC_LOAD_BE (abuf, 4, bige_const); -+ b5 = VEC_LOAD_BE (abuf, 5, bige_const); -+ b6 = VEC_LOAD_BE (abuf, 6, bige_const); -+ b7 = VEC_LOAD_BE (abuf, 7, bige_const); -+ -+ l = VEC_LOAD_BE (ocb_get_l (c, data_nblocks += 8), 0, bige_const); -+ -+ frkey = rkey0; -+ iv ^= frkey; -+ -+ iv0 = iv ^ l0; -+ iv1 = iv ^ l0 ^ l1; -+ iv2 = iv ^ l1; -+ iv3 = iv ^ l1 ^ l2; -+ iv4 = iv ^ l1 ^ l2 ^ l0; -+ iv5 = iv ^ l2 ^ l0; -+ iv6 = iv ^ l2; -+ iv7 = iv ^ l2 ^ l; -+ -+ b0 ^= iv0; -+ b1 ^= iv1; -+ b2 ^= iv2; -+ b3 ^= iv3; -+ b4 ^= iv4; -+ b5 ^= iv5; -+ b6 ^= iv6; -+ b7 ^= iv7; -+ iv = iv7 ^ frkey; -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); \ -+ b4 = asm_cipher_be (b4, rkey); \ -+ b5 = asm_cipher_be (b5, rkey); \ -+ b6 = asm_cipher_be (b6, rkey); \ -+ b7 = asm_cipher_be (b7, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ rkey = rkeylast; -+ b0 = asm_cipherlast_be (b0, rkey); -+ b1 = asm_cipherlast_be (b1, rkey); -+ b2 = asm_cipherlast_be (b2, rkey); -+ b3 = asm_cipherlast_be (b3, rkey); -+ b4 = asm_cipherlast_be (b4, rkey); -+ b5 = asm_cipherlast_be (b5, rkey); -+ b6 = asm_cipherlast_be (b6, rkey); -+ b7 = asm_cipherlast_be (b7, rkey); -+ -+ ctr ^= b0 ^ b1 ^ b2 ^ b3 ^ b4 ^ b5 ^ b6 ^ b7; -+ -+ abuf += 8; -+ } -+ -+ if (nblocks >= 4 && (data_nblocks % 4) == 0) -+ { -+ b0 = VEC_LOAD_BE (abuf, 0, bige_const); -+ b1 = VEC_LOAD_BE (abuf, 1, bige_const); -+ b2 = VEC_LOAD_BE (abuf, 2, bige_const); -+ b3 = VEC_LOAD_BE (abuf, 3, bige_const); -+ -+ l = VEC_LOAD_BE (ocb_get_l (c, data_nblocks += 4), 0, bige_const); -+ -+ frkey = rkey0; -+ iv ^= frkey; -+ -+ iv0 = iv ^ l0; -+ iv1 = iv ^ l0 ^ l1; -+ iv2 = iv ^ l1; -+ iv3 = iv ^ l1 ^ l; -+ -+ b0 ^= iv0; -+ b1 ^= iv1; -+ b2 ^= iv2; -+ b3 ^= iv3; -+ iv = iv3 ^ frkey; -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ rkey = rkeylast; -+ b0 = asm_cipherlast_be (b0, rkey); -+ b1 = asm_cipherlast_be (b1, rkey); -+ b2 = asm_cipherlast_be (b2, rkey); -+ b3 = asm_cipherlast_be (b3, rkey); -+ -+ ctr ^= b0 ^ b1 ^ b2 ^ b3; -+ -+ abuf += 4; -+ nblocks -= 4; -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ l = VEC_LOAD_BE (ocb_get_l (c, ++data_nblocks), 0, bige_const); -+ b = VEC_LOAD_BE (abuf, 0, bige_const); -+ -+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ -+ iv ^= l; -+ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ -+ b ^= iv; -+ AES_ENCRYPT (b, rounds); -+ ctr ^= b; -+ -+ abuf += 1; -+ } -+ -+ VEC_STORE_BE (c->u_mode.ocb.aad_offset, 0, iv, bige_const); -+ VEC_STORE_BE (c->u_mode.ocb.aad_sum, 0, ctr, bige_const); -+ c->u_mode.ocb.aad_nblocks = data_nblocks; -+ -+ return 0; -+} -+ -+ -+void XTS_CRYPT_FUNC (void *context, unsigned char *tweak_arg, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, int encrypt) -+{ -+#ifdef WORDS_BIGENDIAN -+ static const block vec_bswap128_const = -+ { 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 }; -+#else -+ static const block vec_bswap128_const = -+ { ~15, ~14, ~13, ~12, ~11, ~10, ~9, ~8, ~7, ~6, ~5, ~4, ~3, ~2, ~1, ~0 }; -+#endif -+ static const unsigned char vec_tweak_const[16] = -+ { 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0x87 }; -+ static const vector unsigned long long vec_shift63_const = -+ { 63, 63 }; -+ const block bige_const = asm_load_be_const(); -+ RIJNDAEL_context *ctx = context; -+ const u128_t *in = (const u128_t *)inbuf_arg; -+ u128_t *out = (u128_t *)outbuf_arg; -+ int rounds = ctx->rounds; -+ block tweak; -+ block b0, b1, b2, b3, b4, b5, b6, b7, b, rkey, rkeylf; -+ block tweak0, tweak1, tweak2, tweak3, tweak4, tweak5, tweak6, tweak7; -+ block tweak_const, bswap128_const, shift63_const; -+ ROUND_KEY_VARIABLES; -+ -+ tweak_const = VEC_LOAD_BE (&vec_tweak_const, 0, bige_const); -+ bswap128_const = ALIGNED_LOAD (&vec_bswap128_const, 0); -+ shift63_const = ALIGNED_LOAD (&vec_shift63_const, 0); -+ -+ tweak = VEC_LOAD_BE (tweak_arg, 0, bige_const); -+ tweak = asm_vperm1 (tweak, bswap128_const); -+ -+#define GEN_TWEAK(tout, tin) /* Generate next tweak. */ \ -+ do { \ -+ block tmp1, tmp2; \ -+ tmp1 = asm_swap_uint64_halfs(tin); \ -+ tmp2 = asm_add_uint64(tin, tin); \ -+ tmp1 = asm_sra_int64(tmp1, shift63_const) & tweak_const; \ -+ tout = asm_xor(tmp1, tmp2); \ -+ } while (0) -+ -+ if (encrypt) -+ { -+ const u128_t *rk = (u128_t *)&ctx->keyschenc; -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ -+ for (; nblocks >= 8; nblocks -= 8) -+ { -+ b0 = VEC_LOAD_BE_NOSWAP (in, 0); -+ b1 = VEC_LOAD_BE_NOSWAP (in, 1); -+ b2 = VEC_LOAD_BE_NOSWAP (in, 2); -+ b3 = VEC_LOAD_BE_NOSWAP (in, 3); -+ tweak0 = tweak; -+ GEN_TWEAK (tweak1, tweak0); -+ tweak0 = asm_vperm1 (tweak0, bswap128_const); -+ b4 = VEC_LOAD_BE_NOSWAP (in, 4); -+ b5 = VEC_LOAD_BE_NOSWAP (in, 5); -+ GEN_TWEAK (tweak2, tweak1); -+ tweak1 = asm_vperm1 (tweak1, bswap128_const); -+ b6 = VEC_LOAD_BE_NOSWAP (in, 6); -+ b7 = VEC_LOAD_BE_NOSWAP (in, 7); -+ in += 8; -+ -+ b0 = VEC_BE_SWAP(b0, bige_const); -+ b1 = VEC_BE_SWAP(b1, bige_const); -+ GEN_TWEAK (tweak3, tweak2); -+ tweak2 = asm_vperm1 (tweak2, bswap128_const); -+ GEN_TWEAK (tweak4, tweak3); -+ tweak3 = asm_vperm1 (tweak3, bswap128_const); -+ b2 = VEC_BE_SWAP(b2, bige_const); -+ b3 = VEC_BE_SWAP(b3, bige_const); -+ GEN_TWEAK (tweak5, tweak4); -+ tweak4 = asm_vperm1 (tweak4, bswap128_const); -+ GEN_TWEAK (tweak6, tweak5); -+ tweak5 = asm_vperm1 (tweak5, bswap128_const); -+ b4 = VEC_BE_SWAP(b4, bige_const); -+ b5 = VEC_BE_SWAP(b5, bige_const); -+ GEN_TWEAK (tweak7, tweak6); -+ tweak6 = asm_vperm1 (tweak6, bswap128_const); -+ GEN_TWEAK (tweak, tweak7); -+ tweak7 = asm_vperm1 (tweak7, bswap128_const); -+ b6 = VEC_BE_SWAP(b6, bige_const); -+ b7 = VEC_BE_SWAP(b7, bige_const); -+ -+ tweak0 = asm_xor (tweak0, rkey0); -+ tweak1 = asm_xor (tweak1, rkey0); -+ tweak2 = asm_xor (tweak2, rkey0); -+ tweak3 = asm_xor (tweak3, rkey0); -+ tweak4 = asm_xor (tweak4, rkey0); -+ tweak5 = asm_xor (tweak5, rkey0); -+ tweak6 = asm_xor (tweak6, rkey0); -+ tweak7 = asm_xor (tweak7, rkey0); -+ -+ b0 = asm_xor (b0, tweak0); -+ b1 = asm_xor (b1, tweak1); -+ b2 = asm_xor (b2, tweak2); -+ b3 = asm_xor (b3, tweak3); -+ b4 = asm_xor (b4, tweak4); -+ b5 = asm_xor (b5, tweak5); -+ b6 = asm_xor (b6, tweak6); -+ b7 = asm_xor (b7, tweak7); -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); \ -+ b4 = asm_cipher_be (b4, rkey); \ -+ b5 = asm_cipher_be (b5, rkey); \ -+ b6 = asm_cipher_be (b6, rkey); \ -+ b7 = asm_cipher_be (b7, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ -+ rkeylf = asm_xor (rkeylast, rkey0); -+ -+ DO_ROUND(8); -+ -+ tweak0 = asm_xor (tweak0, rkeylf); -+ tweak1 = asm_xor (tweak1, rkeylf); -+ tweak2 = asm_xor (tweak2, rkeylf); -+ tweak3 = asm_xor (tweak3, rkeylf); -+ tweak4 = asm_xor (tweak4, rkeylf); -+ tweak5 = asm_xor (tweak5, rkeylf); -+ tweak6 = asm_xor (tweak6, rkeylf); -+ tweak7 = asm_xor (tweak7, rkeylf); -+ -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ b0 = asm_cipherlast_be (b0, tweak0); -+ b1 = asm_cipherlast_be (b1, tweak1); -+ b2 = asm_cipherlast_be (b2, tweak2); -+ b3 = asm_cipherlast_be (b3, tweak3); -+ b0 = VEC_BE_SWAP (b0, bige_const); -+ b1 = VEC_BE_SWAP (b1, bige_const); -+ b4 = asm_cipherlast_be (b4, tweak4); -+ b5 = asm_cipherlast_be (b5, tweak5); -+ b2 = VEC_BE_SWAP (b2, bige_const); -+ b3 = VEC_BE_SWAP (b3, bige_const); -+ b6 = asm_cipherlast_be (b6, tweak6); -+ b7 = asm_cipherlast_be (b7, tweak7); -+ VEC_STORE_BE_NOSWAP (out, 0, b0); -+ VEC_STORE_BE_NOSWAP (out, 1, b1); -+ b4 = VEC_BE_SWAP (b4, bige_const); -+ b5 = VEC_BE_SWAP (b5, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 2, b2); -+ VEC_STORE_BE_NOSWAP (out, 3, b3); -+ b6 = VEC_BE_SWAP (b6, bige_const); -+ b7 = VEC_BE_SWAP (b7, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 4, b4); -+ VEC_STORE_BE_NOSWAP (out, 5, b5); -+ VEC_STORE_BE_NOSWAP (out, 6, b6); -+ VEC_STORE_BE_NOSWAP (out, 7, b7); -+ out += 8; -+ } -+ -+ if (nblocks >= 4) -+ { -+ tweak0 = tweak; -+ GEN_TWEAK (tweak1, tweak0); -+ GEN_TWEAK (tweak2, tweak1); -+ GEN_TWEAK (tweak3, tweak2); -+ GEN_TWEAK (tweak, tweak3); -+ -+ b0 = VEC_LOAD_BE (in, 0, bige_const); -+ b1 = VEC_LOAD_BE (in, 1, bige_const); -+ b2 = VEC_LOAD_BE (in, 2, bige_const); -+ b3 = VEC_LOAD_BE (in, 3, bige_const); -+ -+ tweak0 = asm_vperm1 (tweak0, bswap128_const); -+ tweak1 = asm_vperm1 (tweak1, bswap128_const); -+ tweak2 = asm_vperm1 (tweak2, bswap128_const); -+ tweak3 = asm_vperm1 (tweak3, bswap128_const); -+ -+ b0 ^= tweak0 ^ rkey0; -+ b1 ^= tweak1 ^ rkey0; -+ b2 ^= tweak2 ^ rkey0; -+ b3 ^= tweak3 ^ rkey0; -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_cipher_be (b0, rkey); \ -+ b1 = asm_cipher_be (b1, rkey); \ -+ b2 = asm_cipher_be (b2, rkey); \ -+ b3 = asm_cipher_be (b3, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ rkey = rkeylast; -+ b0 = asm_cipherlast_be (b0, rkey ^ tweak0); -+ b1 = asm_cipherlast_be (b1, rkey ^ tweak1); -+ b2 = asm_cipherlast_be (b2, rkey ^ tweak2); -+ b3 = asm_cipherlast_be (b3, rkey ^ tweak3); -+ -+ VEC_STORE_BE (out, 0, b0, bige_const); -+ VEC_STORE_BE (out, 1, b1, bige_const); -+ VEC_STORE_BE (out, 2, b2, bige_const); -+ VEC_STORE_BE (out, 3, b3, bige_const); -+ -+ in += 4; -+ out += 4; -+ nblocks -= 4; -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ tweak0 = asm_vperm1 (tweak, bswap128_const); -+ -+ /* Xor-Encrypt/Decrypt-Xor block. */ -+ b = VEC_LOAD_BE (in, 0, bige_const) ^ tweak0; -+ -+ /* Generate next tweak. */ -+ GEN_TWEAK (tweak, tweak); -+ -+ AES_ENCRYPT (b, rounds); -+ -+ b ^= tweak0; -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ in++; -+ out++; -+ } -+ } -+ else -+ { -+ const u128_t *rk = (u128_t *)&ctx->keyschdec; -+ -+ if (!ctx->decryption_prepared) -+ { -+ internal_aes_ppc_prepare_decryption (ctx); -+ ctx->decryption_prepared = 1; -+ } -+ -+ PRELOAD_ROUND_KEYS (rounds); -+ -+ for (; nblocks >= 8; nblocks -= 8) -+ { -+ b0 = VEC_LOAD_BE_NOSWAP (in, 0); -+ b1 = VEC_LOAD_BE_NOSWAP (in, 1); -+ b2 = VEC_LOAD_BE_NOSWAP (in, 2); -+ b3 = VEC_LOAD_BE_NOSWAP (in, 3); -+ tweak0 = tweak; -+ GEN_TWEAK (tweak1, tweak0); -+ tweak0 = asm_vperm1 (tweak0, bswap128_const); -+ b4 = VEC_LOAD_BE_NOSWAP (in, 4); -+ b5 = VEC_LOAD_BE_NOSWAP (in, 5); -+ GEN_TWEAK (tweak2, tweak1); -+ tweak1 = asm_vperm1 (tweak1, bswap128_const); -+ b6 = VEC_LOAD_BE_NOSWAP (in, 6); -+ b7 = VEC_LOAD_BE_NOSWAP (in, 7); -+ in += 8; -+ -+ b0 = VEC_BE_SWAP(b0, bige_const); -+ b1 = VEC_BE_SWAP(b1, bige_const); -+ GEN_TWEAK (tweak3, tweak2); -+ tweak2 = asm_vperm1 (tweak2, bswap128_const); -+ GEN_TWEAK (tweak4, tweak3); -+ tweak3 = asm_vperm1 (tweak3, bswap128_const); -+ b2 = VEC_BE_SWAP(b2, bige_const); -+ b3 = VEC_BE_SWAP(b3, bige_const); -+ GEN_TWEAK (tweak5, tweak4); -+ tweak4 = asm_vperm1 (tweak4, bswap128_const); -+ GEN_TWEAK (tweak6, tweak5); -+ tweak5 = asm_vperm1 (tweak5, bswap128_const); -+ b4 = VEC_BE_SWAP(b4, bige_const); -+ b5 = VEC_BE_SWAP(b5, bige_const); -+ GEN_TWEAK (tweak7, tweak6); -+ tweak6 = asm_vperm1 (tweak6, bswap128_const); -+ GEN_TWEAK (tweak, tweak7); -+ tweak7 = asm_vperm1 (tweak7, bswap128_const); -+ b6 = VEC_BE_SWAP(b6, bige_const); -+ b7 = VEC_BE_SWAP(b7, bige_const); -+ -+ tweak0 = asm_xor (tweak0, rkey0); -+ tweak1 = asm_xor (tweak1, rkey0); -+ tweak2 = asm_xor (tweak2, rkey0); -+ tweak3 = asm_xor (tweak3, rkey0); -+ tweak4 = asm_xor (tweak4, rkey0); -+ tweak5 = asm_xor (tweak5, rkey0); -+ tweak6 = asm_xor (tweak6, rkey0); -+ tweak7 = asm_xor (tweak7, rkey0); -+ -+ b0 = asm_xor (b0, tweak0); -+ b1 = asm_xor (b1, tweak1); -+ b2 = asm_xor (b2, tweak2); -+ b3 = asm_xor (b3, tweak3); -+ b4 = asm_xor (b4, tweak4); -+ b5 = asm_xor (b5, tweak5); -+ b6 = asm_xor (b6, tweak6); -+ b7 = asm_xor (b7, tweak7); -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_ncipher_be (b0, rkey); \ -+ b1 = asm_ncipher_be (b1, rkey); \ -+ b2 = asm_ncipher_be (b2, rkey); \ -+ b3 = asm_ncipher_be (b3, rkey); \ -+ b4 = asm_ncipher_be (b4, rkey); \ -+ b5 = asm_ncipher_be (b5, rkey); \ -+ b6 = asm_ncipher_be (b6, rkey); \ -+ b7 = asm_ncipher_be (b7, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ -+ rkeylf = asm_xor (rkeylast, rkey0); -+ -+ DO_ROUND(8); -+ -+ tweak0 = asm_xor (tweak0, rkeylf); -+ tweak1 = asm_xor (tweak1, rkeylf); -+ tweak2 = asm_xor (tweak2, rkeylf); -+ tweak3 = asm_xor (tweak3, rkeylf); -+ tweak4 = asm_xor (tweak4, rkeylf); -+ tweak5 = asm_xor (tweak5, rkeylf); -+ tweak6 = asm_xor (tweak6, rkeylf); -+ tweak7 = asm_xor (tweak7, rkeylf); -+ -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ b0 = asm_ncipherlast_be (b0, tweak0); -+ b1 = asm_ncipherlast_be (b1, tweak1); -+ b2 = asm_ncipherlast_be (b2, tweak2); -+ b3 = asm_ncipherlast_be (b3, tweak3); -+ b0 = VEC_BE_SWAP (b0, bige_const); -+ b1 = VEC_BE_SWAP (b1, bige_const); -+ b4 = asm_ncipherlast_be (b4, tweak4); -+ b5 = asm_ncipherlast_be (b5, tweak5); -+ b2 = VEC_BE_SWAP (b2, bige_const); -+ b3 = VEC_BE_SWAP (b3, bige_const); -+ b6 = asm_ncipherlast_be (b6, tweak6); -+ b7 = asm_ncipherlast_be (b7, tweak7); -+ VEC_STORE_BE_NOSWAP (out, 0, b0); -+ VEC_STORE_BE_NOSWAP (out, 1, b1); -+ b4 = VEC_BE_SWAP (b4, bige_const); -+ b5 = VEC_BE_SWAP (b5, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 2, b2); -+ VEC_STORE_BE_NOSWAP (out, 3, b3); -+ b6 = VEC_BE_SWAP (b6, bige_const); -+ b7 = VEC_BE_SWAP (b7, bige_const); -+ VEC_STORE_BE_NOSWAP (out, 4, b4); -+ VEC_STORE_BE_NOSWAP (out, 5, b5); -+ VEC_STORE_BE_NOSWAP (out, 6, b6); -+ VEC_STORE_BE_NOSWAP (out, 7, b7); -+ out += 8; -+ } -+ -+ if (nblocks >= 4) -+ { -+ tweak0 = tweak; -+ GEN_TWEAK (tweak1, tweak0); -+ GEN_TWEAK (tweak2, tweak1); -+ GEN_TWEAK (tweak3, tweak2); -+ GEN_TWEAK (tweak, tweak3); -+ -+ b0 = VEC_LOAD_BE (in, 0, bige_const); -+ b1 = VEC_LOAD_BE (in, 1, bige_const); -+ b2 = VEC_LOAD_BE (in, 2, bige_const); -+ b3 = VEC_LOAD_BE (in, 3, bige_const); -+ -+ tweak0 = asm_vperm1 (tweak0, bswap128_const); -+ tweak1 = asm_vperm1 (tweak1, bswap128_const); -+ tweak2 = asm_vperm1 (tweak2, bswap128_const); -+ tweak3 = asm_vperm1 (tweak3, bswap128_const); -+ -+ b0 ^= tweak0 ^ rkey0; -+ b1 ^= tweak1 ^ rkey0; -+ b2 ^= tweak2 ^ rkey0; -+ b3 ^= tweak3 ^ rkey0; -+ -+#define DO_ROUND(r) \ -+ rkey = ALIGNED_LOAD (rk, r); \ -+ b0 = asm_ncipher_be (b0, rkey); \ -+ b1 = asm_ncipher_be (b1, rkey); \ -+ b2 = asm_ncipher_be (b2, rkey); \ -+ b3 = asm_ncipher_be (b3, rkey); -+ -+ DO_ROUND(1); -+ DO_ROUND(2); -+ DO_ROUND(3); -+ DO_ROUND(4); -+ DO_ROUND(5); -+ DO_ROUND(6); -+ DO_ROUND(7); -+ DO_ROUND(8); -+ DO_ROUND(9); -+ if (rounds >= 12) -+ { -+ DO_ROUND(10); -+ DO_ROUND(11); -+ if (rounds > 12) -+ { -+ DO_ROUND(12); -+ DO_ROUND(13); -+ } -+ } -+ -+#undef DO_ROUND -+ -+ rkey = rkeylast; -+ b0 = asm_ncipherlast_be (b0, rkey ^ tweak0); -+ b1 = asm_ncipherlast_be (b1, rkey ^ tweak1); -+ b2 = asm_ncipherlast_be (b2, rkey ^ tweak2); -+ b3 = asm_ncipherlast_be (b3, rkey ^ tweak3); -+ -+ VEC_STORE_BE (out, 0, b0, bige_const); -+ VEC_STORE_BE (out, 1, b1, bige_const); -+ VEC_STORE_BE (out, 2, b2, bige_const); -+ VEC_STORE_BE (out, 3, b3, bige_const); -+ -+ in += 4; -+ out += 4; -+ nblocks -= 4; -+ } -+ -+ for (; nblocks; nblocks--) -+ { -+ tweak0 = asm_vperm1 (tweak, bswap128_const); -+ -+ /* Xor-Encrypt/Decrypt-Xor block. */ -+ b = VEC_LOAD_BE (in, 0, bige_const) ^ tweak0; -+ -+ /* Generate next tweak. */ -+ GEN_TWEAK (tweak, tweak); -+ -+ AES_DECRYPT (b, rounds); -+ -+ b ^= tweak0; -+ VEC_STORE_BE (out, 0, b, bige_const); -+ -+ in++; -+ out++; -+ } -+ } -+ -+ tweak = asm_vperm1 (tweak, bswap128_const); -+ VEC_STORE_BE (tweak_arg, 0, tweak, bige_const); -+ -+#undef GEN_TWEAK -+} -diff -up libgcrypt-1.8.5/cipher/rijndael-ssse3-amd64.c.aes-perf libgcrypt-1.8.5/cipher/rijndael-ssse3-amd64.c ---- libgcrypt-1.8.5/cipher/rijndael-ssse3-amd64.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/rijndael-ssse3-amd64.c 2020-04-22 18:29:41.679862057 +0200 -@@ -208,11 +208,11 @@ _gcry_aes_ssse3_do_setkey (RIJNDAEL_cont - - - /* Make a decryption key from an encryption key. */ --void --_gcry_aes_ssse3_prepare_decryption (RIJNDAEL_context *ctx) -+static inline void -+do_ssse3_prepare_decryption (RIJNDAEL_context *ctx, -+ byte ssse3_state[SSSE3_STATE_SIZE]) - { - unsigned int keybits = (ctx->rounds - 10) * 32 + 128; -- byte ssse3_state[SSSE3_STATE_SIZE]; - - vpaes_ssse3_prepare(); - -@@ -237,6 +237,14 @@ _gcry_aes_ssse3_prepare_decryption (RIJN - vpaes_ssse3_cleanup(); - } - -+void -+_gcry_aes_ssse3_prepare_decryption (RIJNDAEL_context *ctx) -+{ -+ byte ssse3_state[SSSE3_STATE_SIZE]; -+ -+ do_ssse3_prepare_decryption(ctx, ssse3_state); -+} -+ - - /* Encrypt one block using the Intel SSSE3 instructions. Block is input - * and output through SSE register xmm0. */ -@@ -295,9 +303,9 @@ _gcry_aes_ssse3_encrypt (const RIJNDAEL_ - - - void --_gcry_aes_ssse3_cfb_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -- size_t nblocks) -+_gcry_aes_ssse3_cfb_enc (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks) - { - unsigned int nrounds = ctx->rounds; - byte ssse3_state[SSSE3_STATE_SIZE]; -@@ -334,9 +342,9 @@ _gcry_aes_ssse3_cfb_enc (RIJNDAEL_contex - - - void --_gcry_aes_ssse3_cbc_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -- size_t nblocks, int cbc_mac) -+_gcry_aes_ssse3_cbc_enc (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks, int cbc_mac) - { - unsigned int nrounds = ctx->rounds; - byte ssse3_state[SSSE3_STATE_SIZE]; -@@ -379,9 +387,9 @@ _gcry_aes_ssse3_cbc_enc (RIJNDAEL_contex - - - void --_gcry_aes_ssse3_ctr_enc (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *ctr, -- size_t nblocks) -+_gcry_aes_ssse3_ctr_enc (RIJNDAEL_context *ctx, unsigned char *ctr, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks) - { - static const unsigned char be_mask[16] __attribute__ ((aligned (16))) = - { 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 }; -@@ -447,7 +455,7 @@ _gcry_aes_ssse3_ctr_enc (RIJNDAEL_contex - - unsigned int - _gcry_aes_ssse3_decrypt (const RIJNDAEL_context *ctx, unsigned char *dst, -- const unsigned char *src) -+ const unsigned char *src) - { - unsigned int nrounds = ctx->rounds; - byte ssse3_state[SSSE3_STATE_SIZE]; -@@ -468,9 +476,9 @@ _gcry_aes_ssse3_decrypt (const RIJNDAEL_ - - - void --_gcry_aes_ssse3_cfb_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -- size_t nblocks) -+_gcry_aes_ssse3_cfb_dec (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks) - { - unsigned int nrounds = ctx->rounds; - byte ssse3_state[SSSE3_STATE_SIZE]; -@@ -508,13 +516,19 @@ _gcry_aes_ssse3_cfb_dec (RIJNDAEL_contex - - - void --_gcry_aes_ssse3_cbc_dec (RIJNDAEL_context *ctx, unsigned char *outbuf, -- const unsigned char *inbuf, unsigned char *iv, -- size_t nblocks) -+_gcry_aes_ssse3_cbc_dec (RIJNDAEL_context *ctx, unsigned char *iv, -+ unsigned char *outbuf, const unsigned char *inbuf, -+ size_t nblocks) - { - unsigned int nrounds = ctx->rounds; - byte ssse3_state[SSSE3_STATE_SIZE]; - -+ if ( !ctx->decryption_prepared ) -+ { -+ do_ssse3_prepare_decryption ( ctx, ssse3_state ); -+ ctx->decryption_prepared = 1; -+ } -+ - vpaes_ssse3_prepare_dec (); - - asm volatile ("movdqu %[iv], %%xmm7\n\t" /* use xmm7 as fast IV storage */ -@@ -626,6 +640,12 @@ ssse3_ocb_dec (gcry_cipher_hd_t c, void - unsigned int nrounds = ctx->rounds; - byte ssse3_state[SSSE3_STATE_SIZE]; - -+ if ( !ctx->decryption_prepared ) -+ { -+ do_ssse3_prepare_decryption ( ctx, ssse3_state ); -+ ctx->decryption_prepared = 1; -+ } -+ - vpaes_ssse3_prepare_dec (); - - /* Preload Offset and Checksum */ -@@ -679,7 +699,7 @@ ssse3_ocb_dec (gcry_cipher_hd_t c, void - } - - --void -+size_t - _gcry_aes_ssse3_ocb_crypt(gcry_cipher_hd_t c, void *outbuf_arg, - const void *inbuf_arg, size_t nblocks, int encrypt) - { -@@ -687,10 +707,12 @@ _gcry_aes_ssse3_ocb_crypt(gcry_cipher_hd - ssse3_ocb_enc(c, outbuf_arg, inbuf_arg, nblocks); - else - ssse3_ocb_dec(c, outbuf_arg, inbuf_arg, nblocks); -+ -+ return 0; - } - - --void -+size_t - _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, - size_t nblocks) - { -@@ -746,6 +768,8 @@ _gcry_aes_ssse3_ocb_auth (gcry_cipher_hd - : "memory" ); - - vpaes_ssse3_cleanup (); -+ -+ return 0; - } - - #endif /* USE_SSSE3 */ -diff -up libgcrypt-1.8.5/cipher/salsa20.c.aes-perf libgcrypt-1.8.5/cipher/salsa20.c ---- libgcrypt-1.8.5/cipher/salsa20.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/salsa20.c 2020-04-22 18:29:41.679862057 +0200 -@@ -366,10 +366,12 @@ salsa20_do_setkey (SALSA20_context_t *ct - - - static gcry_err_code_t --salsa20_setkey (void *context, const byte *key, unsigned int keylen) -+salsa20_setkey (void *context, const byte *key, unsigned int keylen, -+ gcry_cipher_hd_t hd) - { - SALSA20_context_t *ctx = (SALSA20_context_t *)context; - gcry_err_code_t rc = salsa20_do_setkey (ctx, key, keylen); -+ (void)hd; - _gcry_burn_stack (4 + sizeof (void *) + 4 * sizeof (void *)); - return rc; - } -@@ -522,7 +524,7 @@ selftest (void) - /* 16-byte alignment required for amd64 implementation. */ - ctx = (SALSA20_context_t *)((uintptr_t)(ctxbuf + 15) & ~(uintptr_t)15); - -- salsa20_setkey (ctx, key_1, sizeof key_1); -+ salsa20_setkey (ctx, key_1, sizeof key_1, NULL); - salsa20_setiv (ctx, nonce_1, sizeof nonce_1); - scratch[8] = 0; - salsa20_encrypt_stream (ctx, scratch, plaintext_1, sizeof plaintext_1); -@@ -530,7 +532,7 @@ selftest (void) - return "Salsa20 encryption test 1 failed."; - if (scratch[8]) - return "Salsa20 wrote too much."; -- salsa20_setkey( ctx, key_1, sizeof(key_1)); -+ salsa20_setkey( ctx, key_1, sizeof(key_1), NULL); - salsa20_setiv (ctx, nonce_1, sizeof nonce_1); - salsa20_encrypt_stream (ctx, scratch, scratch, sizeof plaintext_1); - if (memcmp (scratch, plaintext_1, sizeof plaintext_1)) -@@ -538,12 +540,12 @@ selftest (void) - - for (i = 0; i < sizeof buf; i++) - buf[i] = i; -- salsa20_setkey (ctx, key_1, sizeof key_1); -+ salsa20_setkey (ctx, key_1, sizeof key_1, NULL); - salsa20_setiv (ctx, nonce_1, sizeof nonce_1); - /*encrypt*/ - salsa20_encrypt_stream (ctx, buf, buf, sizeof buf); - /*decrypt*/ -- salsa20_setkey (ctx, key_1, sizeof key_1); -+ salsa20_setkey (ctx, key_1, sizeof key_1, NULL); - salsa20_setiv (ctx, nonce_1, sizeof nonce_1); - salsa20_encrypt_stream (ctx, buf, buf, 1); - salsa20_encrypt_stream (ctx, buf+1, buf+1, (sizeof buf)-1-1); -diff -up libgcrypt-1.8.5/cipher/seed.c.aes-perf libgcrypt-1.8.5/cipher/seed.c ---- libgcrypt-1.8.5/cipher/seed.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/seed.c 2020-04-22 18:29:41.680862038 +0200 -@@ -309,11 +309,12 @@ do_setkey (SEED_context *ctx, const byte - } - - static gcry_err_code_t --seed_setkey (void *context, const byte *key, const unsigned keylen) -+seed_setkey (void *context, const byte *key, const unsigned keylen, -+ gcry_cipher_hd_t hd) - { - SEED_context *ctx = context; -- - int rc = do_setkey (ctx, key, keylen); -+ (void)hd; - _gcry_burn_stack (4*6 + sizeof(void*)*2 + sizeof(int)*2); - return rc; - } -@@ -446,7 +447,7 @@ selftest (void) - 0x22, 0x6B, 0xC3, 0x14, 0x2C, 0xD4, 0x0D, 0x4A, - }; - -- seed_setkey (&ctx, key, sizeof(key)); -+ seed_setkey (&ctx, key, sizeof(key), NULL); - seed_encrypt (&ctx, scratch, plaintext); - if (memcmp (scratch, ciphertext, sizeof (ciphertext))) - return "SEED test encryption failed."; -diff -up libgcrypt-1.8.5/cipher/serpent.c.aes-perf libgcrypt-1.8.5/cipher/serpent.c ---- libgcrypt-1.8.5/cipher/serpent.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/serpent.c 2020-04-22 18:29:41.680862038 +0200 -@@ -748,13 +748,16 @@ serpent_setkey_internal (serpent_context - /* Initialize CTX with the key KEY of KEY_LENGTH bytes. */ - static gcry_err_code_t - serpent_setkey (void *ctx, -- const byte *key, unsigned int key_length) -+ const byte *key, unsigned int key_length, -+ gcry_cipher_hd_t hd) - { - serpent_context_t *context = ctx; - static const char *serpent_test_ret; - static int serpent_init_done; - gcry_err_code_t ret = GPG_ERR_NO_ERROR; - -+ (void)hd; -+ - if (! serpent_init_done) - { - /* Execute a self-test the first time, Serpent is used. */ -@@ -999,7 +1002,7 @@ _gcry_serpent_ctr_enc(void *context, uns - /* Encrypt the counter. */ - serpent_encrypt_internal(ctx, ctr, tmpbuf); - /* XOR the input with the encrypted counter and store in output. */ -- buf_xor(outbuf, tmpbuf, inbuf, sizeof(serpent_block_t)); -+ cipher_block_xor(outbuf, tmpbuf, inbuf, sizeof(serpent_block_t)); - outbuf += sizeof(serpent_block_t); - inbuf += sizeof(serpent_block_t); - /* Increment the counter. */ -@@ -1114,7 +1117,8 @@ _gcry_serpent_cbc_dec(void *context, uns - the intermediate result to SAVEBUF. */ - serpent_decrypt_internal (ctx, inbuf, savebuf); - -- buf_xor_n_copy_2(outbuf, savebuf, iv, inbuf, sizeof(serpent_block_t)); -+ cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, -+ sizeof(serpent_block_t)); - inbuf += sizeof(serpent_block_t); - outbuf += sizeof(serpent_block_t); - } -@@ -1218,7 +1222,7 @@ _gcry_serpent_cfb_dec(void *context, uns - for ( ;nblocks; nblocks-- ) - { - serpent_encrypt_internal(ctx, iv, iv); -- buf_xor_n_copy(outbuf, iv, inbuf, sizeof(serpent_block_t)); -+ cipher_block_xor_n_copy(outbuf, iv, inbuf, sizeof(serpent_block_t)); - outbuf += sizeof(serpent_block_t); - inbuf += sizeof(serpent_block_t); - } -diff -up libgcrypt-1.8.5/cipher/twofish.c.aes-perf libgcrypt-1.8.5/cipher/twofish.c ---- libgcrypt-1.8.5/cipher/twofish.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/twofish.c 2020-04-22 18:29:41.680862038 +0200 -@@ -734,12 +734,15 @@ do_twofish_setkey (TWOFISH_context *ctx, - } - - static gcry_err_code_t --twofish_setkey (void *context, const byte *key, unsigned int keylen) -+twofish_setkey (void *context, const byte *key, unsigned int keylen, -+ gcry_cipher_hd_t hd) - { - TWOFISH_context *ctx = context; - unsigned int hwfeatures = _gcry_get_hw_features (); - int rc; - -+ (void)hd; -+ - rc = do_twofish_setkey (ctx, key, keylen); - - #ifdef USE_AVX2 -@@ -1245,7 +1248,7 @@ _gcry_twofish_ctr_enc(void *context, uns - burn_stack_depth = burn; - - /* XOR the input with the encrypted counter and store in output. */ -- buf_xor(outbuf, tmpbuf, inbuf, TWOFISH_BLOCKSIZE); -+ cipher_block_xor(outbuf, tmpbuf, inbuf, TWOFISH_BLOCKSIZE); - outbuf += TWOFISH_BLOCKSIZE; - inbuf += TWOFISH_BLOCKSIZE; - /* Increment the counter. */ -@@ -1327,7 +1330,7 @@ _gcry_twofish_cbc_dec(void *context, uns - if (burn > burn_stack_depth) - burn_stack_depth = burn; - -- buf_xor_n_copy_2(outbuf, savebuf, iv, inbuf, TWOFISH_BLOCKSIZE); -+ cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, TWOFISH_BLOCKSIZE); - inbuf += TWOFISH_BLOCKSIZE; - outbuf += TWOFISH_BLOCKSIZE; - } -@@ -1399,7 +1402,7 @@ _gcry_twofish_cfb_dec(void *context, uns - if (burn > burn_stack_depth) - burn_stack_depth = burn; - -- buf_xor_n_copy(outbuf, iv, inbuf, TWOFISH_BLOCKSIZE); -+ cipher_block_xor_n_copy(outbuf, iv, inbuf, TWOFISH_BLOCKSIZE); - outbuf += TWOFISH_BLOCKSIZE; - inbuf += TWOFISH_BLOCKSIZE; - } -@@ -1710,7 +1713,7 @@ selftest (void) - 0x05, 0x93, 0x1C, 0xB6, 0xD4, 0x08, 0xE7, 0xFA - }; - -- twofish_setkey (&ctx, key, sizeof(key)); -+ twofish_setkey (&ctx, key, sizeof(key), NULL); - twofish_encrypt (&ctx, scratch, plaintext); - if (memcmp (scratch, ciphertext, sizeof (ciphertext))) - return "Twofish-128 test encryption failed."; -@@ -1718,7 +1721,7 @@ selftest (void) - if (memcmp (scratch, plaintext, sizeof (plaintext))) - return "Twofish-128 test decryption failed."; - -- twofish_setkey (&ctx, key_256, sizeof(key_256)); -+ twofish_setkey (&ctx, key_256, sizeof(key_256), NULL); - twofish_encrypt (&ctx, scratch, plaintext_256); - if (memcmp (scratch, ciphertext_256, sizeof (ciphertext_256))) - return "Twofish-256 test encryption failed."; -@@ -1800,13 +1803,13 @@ main() - /* Encryption test. */ - for (i = 0; i < 125; i++) - { -- twofish_setkey (&ctx, buffer[0], sizeof (buffer[0])); -+ twofish_setkey (&ctx, buffer[0], sizeof (buffer[0]), NULL); - for (j = 0; j < 1000; j++) - twofish_encrypt (&ctx, buffer[2], buffer[2]); -- twofish_setkey (&ctx, buffer[1], sizeof (buffer[1])); -+ twofish_setkey (&ctx, buffer[1], sizeof (buffer[1]), NULL); - for (j = 0; j < 1000; j++) - twofish_encrypt (&ctx, buffer[3], buffer[3]); -- twofish_setkey (&ctx, buffer[2], sizeof (buffer[2])*2); -+ twofish_setkey (&ctx, buffer[2], sizeof (buffer[2])*2, NULL); - for (j = 0; j < 1000; j++) { - twofish_encrypt (&ctx, buffer[0], buffer[0]); - twofish_encrypt (&ctx, buffer[1], buffer[1]); -@@ -1818,15 +1821,15 @@ main() - /* Decryption test. */ - for (i = 0; i < 125; i++) - { -- twofish_setkey (&ctx, buffer[2], sizeof (buffer[2])*2); -+ twofish_setkey (&ctx, buffer[2], sizeof (buffer[2])*2, NULL); - for (j = 0; j < 1000; j++) { - twofish_decrypt (&ctx, buffer[0], buffer[0]); - twofish_decrypt (&ctx, buffer[1], buffer[1]); - } -- twofish_setkey (&ctx, buffer[1], sizeof (buffer[1])); -+ twofish_setkey (&ctx, buffer[1], sizeof (buffer[1]), NULL); - for (j = 0; j < 1000; j++) - twofish_decrypt (&ctx, buffer[3], buffer[3]); -- twofish_setkey (&ctx, buffer[0], sizeof (buffer[0])); -+ twofish_setkey (&ctx, buffer[0], sizeof (buffer[0]), NULL); - for (j = 0; j < 1000; j++) - twofish_decrypt (&ctx, buffer[2], buffer[2]); - } -diff -up libgcrypt-1.8.5/configure.ac.aes-perf libgcrypt-1.8.5/configure.ac ---- libgcrypt-1.8.5/configure.ac.aes-perf 2020-04-22 18:29:41.655862516 +0200 -+++ libgcrypt-1.8.5/configure.ac 2020-04-22 18:29:41.681862019 +0200 -@@ -649,6 +649,14 @@ AC_ARG_ENABLE(arm-crypto-support, - armcryptosupport=$enableval,armcryptosupport=yes) - AC_MSG_RESULT($armcryptosupport) - -+# Implementation of the --disable-ppc-crypto-support switch. -+AC_MSG_CHECKING([whether PPC crypto support is requested]) -+AC_ARG_ENABLE(ppc-crypto-support, -+ AC_HELP_STRING([--disable-ppc-crypto-support], -+ [Disable support for the PPC crypto instructions introduced in POWER 8 (PowerISA 2.07)]), -+ ppccryptosupport=$enableval,ppccryptosupport=yes) -+AC_MSG_RESULT($ppccryptosupport) -+ - # Implementation of the --disable-O-flag-munging switch. - AC_MSG_CHECKING([whether a -O flag munging is requested]) - AC_ARG_ENABLE([O-flag-munging], -@@ -1196,6 +1204,9 @@ if test "$mpi_cpu_arch" != "arm" ; then - fi - fi - -+if test "$mpi_cpu_arch" != "ppc"; then -+ ppccryptosupport="n/a" -+fi - - ############################################# - #### #### -@@ -1722,6 +1733,113 @@ if test "$gcry_cv_gcc_inline_asm_aarch64 - fi - - -+# -+# Check whether PowerPC AltiVec/VSX intrinsics -+# -+AC_CACHE_CHECK([whether compiler supports PowerPC AltiVec/VSX intrinsics], -+ [gcry_cv_cc_ppc_altivec], -+ [if test "$mpi_cpu_arch" != "ppc" ; then -+ gcry_cv_cc_ppc_altivec="n/a" -+ else -+ gcry_cv_cc_ppc_altivec=no -+ AC_COMPILE_IFELSE([AC_LANG_SOURCE( -+ [[#include -+ typedef vector unsigned char block; -+ block fn(block in) -+ { -+ block t = vec_perm (in, in, vec_vsx_ld (0, (unsigned char*)0)); -+ return vec_cipher_be (t, in); -+ } -+ ]])], -+ [gcry_cv_cc_ppc_altivec=yes]) -+ fi]) -+if test "$gcry_cv_cc_ppc_altivec" = "yes" ; then -+ AC_DEFINE(HAVE_COMPATIBLE_CC_PPC_ALTIVEC,1, -+ [Defined if underlying compiler supports PowerPC AltiVec/VSX/crypto intrinsics]) -+fi -+ -+_gcc_cflags_save=$CFLAGS -+CFLAGS="$CFLAGS -maltivec -mvsx -mcrypto" -+ -+if test "$gcry_cv_cc_ppc_altivec" = "no" && -+ test "$mpi_cpu_arch" = "ppc" ; then -+ AC_CACHE_CHECK([whether compiler supports PowerPC AltiVec/VSX/crypto intrinsics with extra GCC flags], -+ [gcry_cv_cc_ppc_altivec_cflags], -+ [gcry_cv_cc_ppc_altivec_cflags=no -+ AC_COMPILE_IFELSE([AC_LANG_SOURCE( -+ [[#include -+ typedef vector unsigned char block; -+ block fn(block in) -+ { -+ block t = vec_perm (in, in, vec_vsx_ld (0, (unsigned char*)0)); -+ return vec_cipher_be (t, in); -+ }]])], -+ [gcry_cv_cc_ppc_altivec_cflags=yes])]) -+ if test "$gcry_cv_cc_ppc_altivec_cflags" = "yes" ; then -+ AC_DEFINE(HAVE_COMPATIBLE_CC_PPC_ALTIVEC,1, -+ [Defined if underlying compiler supports PowerPC AltiVec/VSX/crypto intrinsics]) -+ AC_DEFINE(HAVE_COMPATIBLE_CC_PPC_ALTIVEC_WITH_CFLAGS,1, -+ [Defined if underlying compiler supports PowerPC AltiVec/VSX/crypto intrinsics with extra GCC flags]) -+ fi -+fi -+ -+AM_CONDITIONAL(ENABLE_PPC_VCRYPTO_EXTRA_CFLAGS, -+ test "$gcry_cv_cc_ppc_altivec_cflags" = "yes") -+ -+# Restore flags. -+CFLAGS=$_gcc_cflags_save; -+ -+ -+# -+# Check whether GCC inline assembler supports PowerPC AltiVec/VSX/crypto instructions -+# -+AC_CACHE_CHECK([whether GCC inline assembler supports PowerPC AltiVec/VSX/crypto instructions], -+ [gcry_cv_gcc_inline_asm_ppc_altivec], -+ [if test "$mpi_cpu_arch" != "ppc" ; then -+ gcry_cv_gcc_inline_asm_ppc_altivec="n/a" -+ else -+ gcry_cv_gcc_inline_asm_ppc_altivec=no -+ AC_COMPILE_IFELSE([AC_LANG_SOURCE( -+ [[__asm__(".globl testfn;\n" -+ "testfn:\n" -+ "stvx %v31,%r12,%r0;\n" -+ "lvx %v20,%r12,%r0;\n" -+ "vcipher %v0, %v1, %v22;\n" -+ "lxvw4x %vs32, %r0, %r1;\n" -+ "vadduwm %v0, %v1, %v22;\n" -+ ); -+ ]])], -+ [gcry_cv_gcc_inline_asm_ppc_altivec=yes]) -+ fi]) -+if test "$gcry_cv_gcc_inline_asm_ppc_altivec" = "yes" ; then -+ AC_DEFINE(HAVE_GCC_INLINE_ASM_PPC_ALTIVEC,1, -+ [Defined if inline assembler supports PowerPC AltiVec/VSX/crypto instructions]) -+fi -+ -+ -+# -+# Check whether GCC inline assembler supports PowerISA 3.00 instructions -+# -+AC_CACHE_CHECK([whether GCC inline assembler supports PowerISA 3.00 instructions], -+ [gcry_cv_gcc_inline_asm_ppc_arch_3_00], -+ [if test "$mpi_cpu_arch" != "ppc" ; then -+ gcry_cv_gcc_inline_asm_ppc_arch_3_00="n/a" -+ else -+ gcry_cv_gcc_inline_asm_ppc_arch_3_00=no -+ AC_COMPILE_IFELSE([AC_LANG_SOURCE( -+ [[__asm__(".globl testfn;\n" -+ "testfn:\n" -+ "stxvb16x %r1,%v12,%v30;\n" -+ ); -+ ]])], -+ [gcry_cv_gcc_inline_asm_ppc_arch_3_00=yes]) -+ fi]) -+if test "$gcry_cv_gcc_inline_asm_ppc_arch_3_00" = "yes" ; then -+ AC_DEFINE(HAVE_GCC_INLINE_ASM_PPC_ARCH_3_00,1, -+ [Defined if inline assembler supports PowerISA 3.00 instructions]) -+fi -+ -+ - ####################################### - #### Checks for library functions. #### - ####################################### -@@ -1999,6 +2117,10 @@ if test x"$armcryptosupport" = xyes ; th - AC_DEFINE(ENABLE_ARM_CRYPTO_SUPPORT,1, - [Enable support for ARMv8 Crypto Extension instructions.]) - fi -+if test x"$ppccryptosupport" = xyes ; then -+ AC_DEFINE(ENABLE_PPC_CRYPTO_SUPPORT,1, -+ [Enable support for POWER 8 (PowerISA 2.07) crypto extension.]) -+fi - if test x"$jentsupport" = xyes ; then - AC_DEFINE(ENABLE_JENT_SUPPORT, 1, - [Enable support for the jitter entropy collector.]) -@@ -2106,6 +2228,21 @@ if test "$found" = "1" ; then - GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-ce.lo" - GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-armv8-aarch64-ce.lo" - ;; -+ powerpc64le-*-*) -+ # Build with the crypto extension implementation -+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-ppc.lo" -+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-ppc9le.lo" -+ ;; -+ powerpc64-*-*) -+ # Big-Endian. -+ # Build with the crypto extension implementation -+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-ppc.lo" -+ ;; -+ powerpc-*-*) -+ # Big-Endian. -+ # Build with the crypto extension implementation -+ GCRYPT_CIPHERS="$GCRYPT_CIPHERS rijndael-ppc.lo" -+ ;; - esac - - case "$mpi_cpu_arch" in -@@ -2555,6 +2692,7 @@ case "$mpi_cpu_arch" in - ;; - ppc) - AC_DEFINE(HAVE_CPU_ARCH_PPC, 1, [Defined for PPC platforms]) -+ GCRYPT_HWF_MODULES="hwf-ppc.lo" - ;; - arm) - AC_DEFINE(HAVE_CPU_ARCH_ARM, 1, [Defined for ARM platforms]) -@@ -2653,6 +2791,7 @@ GCRY_MSG_SHOW([Try using Intel AVX: - GCRY_MSG_SHOW([Try using Intel AVX2: ],[$avx2support]) - GCRY_MSG_SHOW([Try using ARM NEON: ],[$neonsupport]) - GCRY_MSG_SHOW([Try using ARMv8 crypto: ],[$armcryptosupport]) -+GCRY_MSG_SHOW([Try using PPC crypto: ],[$ppccryptosupport]) - GCRY_MSG_SHOW([],[]) - - if test "x${gpg_config_script_warn}" != x; then -diff -up libgcrypt-1.8.5/src/cipher.h.aes-perf libgcrypt-1.8.5/src/cipher.h ---- libgcrypt-1.8.5/src/cipher.h.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/src/cipher.h 2020-04-22 18:29:41.681862019 +0200 -@@ -158,6 +158,9 @@ size_t _gcry_aes_ocb_crypt (gcry_cipher_ - const void *inbuf_arg, size_t nblocks, int encrypt); - size_t _gcry_aes_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg, - size_t nblocks); -+void _gcry_aes_xts_crypt (void *context, unsigned char *tweak, -+ void *outbuf_arg, const void *inbuf_arg, -+ size_t nblocks, int encrypt); - - /*-- blowfish.c --*/ - void _gcry_blowfish_cfb_dec (void *context, unsigned char *iv, -diff -up libgcrypt-1.8.5/src/cipher-proto.h.aes-perf libgcrypt-1.8.5/src/cipher-proto.h ---- libgcrypt-1.8.5/src/cipher-proto.h.aes-perf 2020-04-22 18:29:41.643862745 +0200 -+++ libgcrypt-1.8.5/src/cipher-proto.h 2020-04-22 18:29:41.681862019 +0200 -@@ -132,7 +132,8 @@ typedef struct gcry_pk_spec - /* Type for the cipher_setkey function. */ - typedef gcry_err_code_t (*gcry_cipher_setkey_t) (void *c, - const unsigned char *key, -- unsigned keylen); -+ unsigned keylen, -+ gcry_cipher_hd_t hd); - - /* Type for the cipher_encrypt function. */ - typedef unsigned int (*gcry_cipher_encrypt_t) (void *c, -diff -up libgcrypt-1.8.5/src/g10lib.h.aes-perf libgcrypt-1.8.5/src/g10lib.h ---- libgcrypt-1.8.5/src/g10lib.h.aes-perf 2020-04-22 18:29:41.660862420 +0200 -+++ libgcrypt-1.8.5/src/g10lib.h 2020-04-22 18:50:46.990661309 +0200 -@@ -233,7 +233,9 @@ char **_gcry_strtokenize (const char *st - - #define HWF_INTEL_RDTSC (1 << 20) - -- -+#define HWF_PPC_VCRYPTO (1 << 22) -+#define HWF_PPC_ARCH_3_00 (1 << 23) -+#define HWF_PPC_ARCH_2_07 (1 << 24) - - gpg_err_code_t _gcry_disable_hw_feature (const char *name); - void _gcry_detect_hw_features (void); -diff -up libgcrypt-1.8.5/src/hwf-common.h.aes-perf libgcrypt-1.8.5/src/hwf-common.h ---- libgcrypt-1.8.5/src/hwf-common.h.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/src/hwf-common.h 2020-04-22 18:29:41.682862000 +0200 -@@ -22,6 +22,6 @@ - - unsigned int _gcry_hwf_detect_x86 (void); - unsigned int _gcry_hwf_detect_arm (void); -- -+unsigned int _gcry_hwf_detect_ppc (void); - - #endif /*HWF_COMMON_H*/ -diff -up libgcrypt-1.8.5/src/hwfeatures.c.aes-perf libgcrypt-1.8.5/src/hwfeatures.c ---- libgcrypt-1.8.5/src/hwfeatures.c.aes-perf 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/src/hwfeatures.c 2020-04-22 18:51:48.326487879 +0200 -@@ -42,6 +42,7 @@ static struct - const char *desc; - } hwflist[] = - { -+#if defined(HAVE_CPU_ARCH_X86) - { HWF_PADLOCK_RNG, "padlock-rng" }, - { HWF_PADLOCK_AES, "padlock-aes" }, - { HWF_PADLOCK_SHA, "padlock-sha" }, -@@ -58,11 +59,17 @@ static struct - { HWF_INTEL_AVX2, "intel-avx2" }, - { HWF_INTEL_FAST_VPGATHER, "intel-fast-vpgather" }, - { HWF_INTEL_RDTSC, "intel-rdtsc" }, -+#elif defined(HAVE_CPU_ARCH_ARM) - { HWF_ARM_NEON, "arm-neon" }, - { HWF_ARM_AES, "arm-aes" }, - { HWF_ARM_SHA1, "arm-sha1" }, - { HWF_ARM_SHA2, "arm-sha2" }, -- { HWF_ARM_PMULL, "arm-pmull" } -+ { HWF_ARM_PMULL, "arm-pmull" }, -+#elif defined(HAVE_CPU_ARCH_PPC) -+ { HWF_PPC_VCRYPTO, "ppc-vcrypto" }, -+ { HWF_PPC_ARCH_3_00, "ppc-arch_3_00" }, -+ { HWF_PPC_ARCH_2_07, "ppc-arch_2_07" }, -+#endif - }; - - /* A bit vector with the hardware features which shall not be used. -@@ -207,12 +214,14 @@ _gcry_detect_hw_features (void) - { - hw_features = _gcry_hwf_detect_x86 (); - } --#endif /* HAVE_CPU_ARCH_X86 */ --#if defined (HAVE_CPU_ARCH_ARM) -+#elif defined (HAVE_CPU_ARCH_ARM) - { - hw_features = _gcry_hwf_detect_arm (); - } --#endif /* HAVE_CPU_ARCH_ARM */ -- -+#elif defined (HAVE_CPU_ARCH_PPC) -+ { -+ hw_features = _gcry_hwf_detect_ppc (); -+ } -+#endif - hw_features &= ~disabled_hw_features; - } -diff -up libgcrypt-1.8.5/src/hwf-ppc.c.aes-perf libgcrypt-1.8.5/src/hwf-ppc.c ---- libgcrypt-1.8.5/src/hwf-ppc.c.aes-perf 2020-04-22 18:29:41.682862000 +0200 -+++ libgcrypt-1.8.5/src/hwf-ppc.c 2020-04-22 18:50:21.396150974 +0200 -@@ -0,0 +1,243 @@ -+/* hwf-ppc.c - Detect hardware features - PPC part -+ * Copyright (C) 2013,2019 Jussi Kivilinna -+ * Copyright (C) 2019 Shawn Landden -+ * -+ * This file is part of Libgcrypt. -+ * -+ * Libgcrypt is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU Lesser General Public License as -+ * published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * Libgcrypt is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this program; if not, see . -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#if defined(HAVE_SYS_AUXV_H) && (defined(HAVE_GETAUXVAL) || \ -+ defined(HAVE_ELF_AUX_INFO)) -+#include -+#endif -+ -+#include "g10lib.h" -+#include "hwf-common.h" -+ -+#if !defined (__powerpc__) && !defined (__powerpc64__) -+# error Module build for wrong CPU. -+#endif -+ -+ -+#if defined(HAVE_SYS_AUXV_H) && defined(HAVE_ELF_AUX_INFO) && \ -+ !defined(HAVE_GETAUXVAL) && defined(AT_HWCAP) -+#define HAVE_GETAUXVAL -+static unsigned long getauxval(unsigned long type) -+{ -+ unsigned long auxval = 0; -+ int err; -+ -+ /* FreeBSD provides 'elf_aux_info' function that does the same as -+ * 'getauxval' on Linux. */ -+ -+ err = elf_aux_info (type, &auxval, sizeof(auxval)); -+ if (err) -+ { -+ errno = err; -+ auxval = 0; -+ } -+ -+ return auxval; -+} -+#endif -+ -+ -+#undef HAS_SYS_AT_HWCAP -+#if defined(__linux__) || \ -+ (defined(HAVE_SYS_AUXV_H) && defined(HAVE_GETAUXVAL)) -+#define HAS_SYS_AT_HWCAP 1 -+ -+struct feature_map_s -+ { -+ unsigned int hwcap_flag; -+ unsigned int hwcap2_flag; -+ unsigned int hwf_flag; -+ }; -+ -+#if defined(__powerpc__) || defined(__powerpc64__) -+ -+/* Note: These macros have same values on Linux and FreeBSD. */ -+#ifndef AT_HWCAP -+# define AT_HWCAP 16 -+#endif -+#ifndef AT_HWCAP2 -+# define AT_HWCAP2 26 -+#endif -+ -+#ifndef PPC_FEATURE2_ARCH_2_07 -+# define PPC_FEATURE2_ARCH_2_07 0x80000000 -+#endif -+#ifndef PPC_FEATURE2_VEC_CRYPTO -+# define PPC_FEATURE2_VEC_CRYPTO 0x02000000 -+#endif -+#ifndef PPC_FEATURE2_ARCH_3_00 -+# define PPC_FEATURE2_ARCH_3_00 0x00800000 -+#endif -+ -+static const struct feature_map_s ppc_features[] = -+ { -+ { 0, PPC_FEATURE2_ARCH_2_07, HWF_PPC_ARCH_2_07 }, -+#ifdef ENABLE_PPC_CRYPTO_SUPPORT -+ { 0, PPC_FEATURE2_VEC_CRYPTO, HWF_PPC_VCRYPTO }, -+#endif -+ { 0, PPC_FEATURE2_ARCH_3_00, HWF_PPC_ARCH_3_00 }, -+ }; -+#endif -+ -+static int -+get_hwcap(unsigned int *hwcap, unsigned int *hwcap2) -+{ -+ struct { unsigned long a_type; unsigned long a_val; } auxv; -+ FILE *f; -+ int err = -1; -+ static int hwcap_initialized = 0; -+ static unsigned int stored_hwcap = 0; -+ static unsigned int stored_hwcap2 = 0; -+ -+ if (hwcap_initialized) -+ { -+ *hwcap = stored_hwcap; -+ *hwcap2 = stored_hwcap2; -+ return 0; -+ } -+ -+#if 0 // TODO: configure.ac detection for __builtin_cpu_supports -+ // TODO: move to 'detect_ppc_builtin_cpu_supports' -+#if defined(__GLIBC__) && defined(__GNUC__) && __GNUC__ >= 6 -+ /* __builtin_cpu_supports returns 0 if glibc support doesn't exist, so -+ * we can only trust positive results. */ -+#ifdef ENABLE_PPC_CRYPTO_SUPPORT -+ if (__builtin_cpu_supports("vcrypto")) /* TODO: Configure.ac */ -+ { -+ stored_hwcap2 |= PPC_FEATURE2_VEC_CRYPTO; -+ hwcap_initialized = 1; -+ } -+#endif -+ -+ if (__builtin_cpu_supports("arch_3_00")) /* TODO: Configure.ac */ -+ { -+ stored_hwcap2 |= PPC_FEATURE2_ARCH_3_00; -+ hwcap_initialized = 1; -+ } -+#endif -+#endif -+ -+#if defined(HAVE_SYS_AUXV_H) && defined(HAVE_GETAUXVAL) -+ errno = 0; -+ auxv.a_val = getauxval (AT_HWCAP); -+ if (errno == 0) -+ { -+ stored_hwcap |= auxv.a_val; -+ hwcap_initialized = 1; -+ } -+ -+ if (AT_HWCAP2 >= 0) -+ { -+ errno = 0; -+ auxv.a_val = getauxval (AT_HWCAP2); -+ if (errno == 0) -+ { -+ stored_hwcap2 |= auxv.a_val; -+ hwcap_initialized = 1; -+ } -+ } -+ -+ if (hwcap_initialized && (stored_hwcap || stored_hwcap2)) -+ { -+ *hwcap = stored_hwcap; -+ *hwcap2 = stored_hwcap2; -+ return 0; -+ } -+#endif -+ -+ f = fopen("/proc/self/auxv", "r"); -+ if (!f) -+ { -+ *hwcap = stored_hwcap; -+ *hwcap2 = stored_hwcap2; -+ return -1; -+ } -+ -+ while (fread(&auxv, sizeof(auxv), 1, f) > 0) -+ { -+ if (auxv.a_type == AT_HWCAP) -+ { -+ stored_hwcap |= auxv.a_val; -+ hwcap_initialized = 1; -+ } -+ -+ if (auxv.a_type == AT_HWCAP2) -+ { -+ stored_hwcap2 |= auxv.a_val; -+ hwcap_initialized = 1; -+ } -+ } -+ -+ if (hwcap_initialized) -+ err = 0; -+ -+ fclose(f); -+ -+ *hwcap = stored_hwcap; -+ *hwcap2 = stored_hwcap2; -+ return err; -+} -+ -+static unsigned int -+detect_ppc_at_hwcap(void) -+{ -+ unsigned int hwcap; -+ unsigned int hwcap2; -+ unsigned int features = 0; -+ unsigned int i; -+ -+ if (get_hwcap(&hwcap, &hwcap2) < 0) -+ return features; -+ -+ for (i = 0; i < DIM(ppc_features); i++) -+ { -+ if (hwcap & ppc_features[i].hwcap_flag) -+ features |= ppc_features[i].hwf_flag; -+ -+ if (hwcap2 & ppc_features[i].hwcap2_flag) -+ features |= ppc_features[i].hwf_flag; -+ } -+ -+ return features; -+} -+ -+#endif -+ -+unsigned int -+_gcry_hwf_detect_ppc (void) -+{ -+ unsigned int ret = 0; -+ unsigned int broken_hwfs = 0; -+ -+#if defined (HAS_SYS_AT_HWCAP) -+ ret |= detect_ppc_at_hwcap (); -+#endif -+ -+ ret &= ~broken_hwfs; -+ -+ return ret; -+} -diff -up libgcrypt-1.8.5/src/Makefile.am.aes-perf libgcrypt-1.8.5/src/Makefile.am ---- libgcrypt-1.8.5/src/Makefile.am.aes-perf 2018-11-14 14:16:40.000000000 +0100 -+++ libgcrypt-1.8.5/src/Makefile.am 2020-04-22 18:29:41.683861981 +0200 -@@ -66,7 +66,7 @@ libgcrypt_la_SOURCES = \ - hmac256.c hmac256.h context.c context.h \ - ec-context.h - --EXTRA_libgcrypt_la_SOURCES = hwf-x86.c hwf-arm.c -+EXTRA_libgcrypt_la_SOURCES = hwf-x86.c hwf-arm.c hwf-ppc.c - gcrypt_hwf_modules = @GCRYPT_HWF_MODULES@ - - diff --git a/libgcrypt-1.8.5-intel-cet.patch b/libgcrypt-1.8.5-intel-cet.patch deleted file mode 100644 index f58084e..0000000 --- a/libgcrypt-1.8.5-intel-cet.patch +++ /dev/null @@ -1,348 +0,0 @@ -diff -up libgcrypt-1.8.5/cipher/camellia-aesni-avx2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/camellia-aesni-avx2-amd64.S ---- libgcrypt-1.8.5/cipher/camellia-aesni-avx2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/camellia-aesni-avx2-amd64.S 2020-01-23 15:36:44.148972045 +0100 -@@ -18,8 +18,9 @@ - * License along with this program; if not, see . - */ - --#ifdef __x86_64 - #include -+ -+#ifdef __x86_64 - #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ - defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \ - defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX2_SUPPORT) -diff -up libgcrypt-1.8.5/cipher/camellia-aesni-avx-amd64.S.intel-cet libgcrypt-1.8.5/cipher/camellia-aesni-avx-amd64.S ---- libgcrypt-1.8.5/cipher/camellia-aesni-avx-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/camellia-aesni-avx-amd64.S 2020-01-23 15:36:44.145972088 +0100 -@@ -18,8 +18,9 @@ - * License along with this program; if not, see . - */ - --#ifdef __x86_64 - #include -+ -+#ifdef __x86_64 - #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ - defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \ - defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX_SUPPORT) -diff -up libgcrypt-1.8.5/cipher/chacha20-avx2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/chacha20-avx2-amd64.S ---- libgcrypt-1.8.5/cipher/chacha20-avx2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/chacha20-avx2-amd64.S 2020-01-23 15:36:16.780250066 +0100 -@@ -48,6 +48,9 @@ - .globl _gcry_chacha20_amd64_avx2_blocks - ELF(.type _gcry_chacha20_amd64_avx2_blocks,@function;) - _gcry_chacha20_amd64_avx2_blocks: -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - .Lchacha_blocks_avx2_local: - vzeroupper - pushq %rbx -diff -up libgcrypt-1.8.5/cipher/chacha20-sse2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/chacha20-sse2-amd64.S ---- libgcrypt-1.8.5/cipher/chacha20-sse2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/chacha20-sse2-amd64.S 2020-01-23 15:36:16.783250095 +0100 -@@ -41,6 +41,9 @@ - .globl _gcry_chacha20_amd64_sse2_blocks - ELF(.type _gcry_chacha20_amd64_sse2_blocks,@function;) - _gcry_chacha20_amd64_sse2_blocks: -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - .Lchacha_blocks_sse2_local: - pushq %rbx - pushq %rbp -diff -up libgcrypt-1.8.5/cipher/poly1305-avx2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/poly1305-avx2-amd64.S ---- libgcrypt-1.8.5/cipher/poly1305-avx2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/poly1305-avx2-amd64.S 2020-01-23 15:36:16.784250105 +0100 -@@ -43,6 +43,9 @@ - .globl _gcry_poly1305_amd64_avx2_init_ext - ELF(.type _gcry_poly1305_amd64_avx2_init_ext,@function;) - _gcry_poly1305_amd64_avx2_init_ext: -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - .Lpoly1305_init_ext_avx2_local: - xor %edx, %edx - vzeroupper -@@ -406,6 +409,9 @@ ELF(.size _gcry_poly1305_amd64_avx2_init - .globl _gcry_poly1305_amd64_avx2_blocks - ELF(.type _gcry_poly1305_amd64_avx2_blocks,@function;) - _gcry_poly1305_amd64_avx2_blocks: -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - .Lpoly1305_blocks_avx2_local: - vzeroupper - pushq %rbp -@@ -732,6 +738,9 @@ ELF(.size _gcry_poly1305_amd64_avx2_bloc - .globl _gcry_poly1305_amd64_avx2_finish_ext - ELF(.type _gcry_poly1305_amd64_avx2_finish_ext,@function;) - _gcry_poly1305_amd64_avx2_finish_ext: -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - .Lpoly1305_finish_ext_avx2_local: - vzeroupper - pushq %rbp -diff -up libgcrypt-1.8.5/cipher/poly1305-sse2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/poly1305-sse2-amd64.S ---- libgcrypt-1.8.5/cipher/poly1305-sse2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/poly1305-sse2-amd64.S 2020-01-23 15:36:16.787250134 +0100 -@@ -42,6 +42,9 @@ - .globl _gcry_poly1305_amd64_sse2_init_ext - ELF(.type _gcry_poly1305_amd64_sse2_init_ext,@function;) - _gcry_poly1305_amd64_sse2_init_ext: -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - .Lpoly1305_init_ext_x86_local: - xor %edx, %edx - pushq %r12 -@@ -288,6 +291,9 @@ ELF(.size _gcry_poly1305_amd64_sse2_init - .globl _gcry_poly1305_amd64_sse2_finish_ext - ELF(.type _gcry_poly1305_amd64_sse2_finish_ext,@function;) - _gcry_poly1305_amd64_sse2_finish_ext: -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - .Lpoly1305_finish_ext_x86_local: - pushq %rbp - movq %rsp, %rbp -@@ -439,6 +445,9 @@ ELF(.size _gcry_poly1305_amd64_sse2_fini - .globl _gcry_poly1305_amd64_sse2_blocks - ELF(.type _gcry_poly1305_amd64_sse2_blocks,@function;) - _gcry_poly1305_amd64_sse2_blocks: -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - .Lpoly1305_blocks_x86_local: - pushq %rbp - movq %rsp, %rbp -diff -up libgcrypt-1.8.5/cipher/serpent-avx2-amd64.S.intel-cet libgcrypt-1.8.5/cipher/serpent-avx2-amd64.S ---- libgcrypt-1.8.5/cipher/serpent-avx2-amd64.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/cipher/serpent-avx2-amd64.S 2020-01-23 15:36:44.151972003 +0100 -@@ -18,8 +18,9 @@ - * License along with this program; if not, see . - */ - --#ifdef __x86_64 - #include -+ -+#ifdef __x86_64 - #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ - defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && defined(USE_SERPENT) && \ - defined(ENABLE_AVX2_SUPPORT) -diff -up libgcrypt-1.8.5/configure.ac.intel-cet libgcrypt-1.8.5/configure.ac ---- libgcrypt-1.8.5/configure.ac.intel-cet 2019-08-29 15:00:08.000000000 +0200 -+++ libgcrypt-1.8.5/configure.ac 2020-01-23 15:35:28.147774463 +0100 -@@ -95,6 +95,12 @@ AH_TOP([ - AH_BOTTOM([ - #define _GCRYPT_IN_LIBGCRYPT 1 - -+/* Add .note.gnu.property section for Intel CET in assembler sources -+ when CET is enabled. */ -+#if defined(__ASSEMBLER__) && defined(__CET__) -+# include -+#endif -+ - /* If the configure check for endianness has been disabled, get it from - OS macros. This is intended for making fat binary builds on OS X. */ - #ifdef DISABLED_ENDIAN_CHECK -diff -up libgcrypt-1.8.5/mpi/config.links.intel-cet libgcrypt-1.8.5/mpi/config.links ---- libgcrypt-1.8.5/mpi/config.links.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/mpi/config.links 2020-01-23 15:35:46.398952954 +0100 -@@ -382,6 +382,16 @@ if test x"$mpi_cpu_arch" = x ; then - mpi_cpu_arch="unknown" - fi - -+# Add .note.gnu.property section for Intel CET in assembler sources -+# when CET is enabled. */ -+if test x"$mpi_cpu_arch" = xx86 ; then -+ cat <> ./mpi/asm-syntax.h -+ -+#if defined(__ASSEMBLER__) && defined(__CET__) -+# include -+#endif -+EOF -+fi - - # Make sysdep.h - echo '/* created by config.links - do not edit */' >./mpi/sysdep.h -diff -up libgcrypt-1.8.5/mpi/i386/mpih-add1.S.intel-cet libgcrypt-1.8.5/mpi/i386/mpih-add1.S ---- libgcrypt-1.8.5/mpi/i386/mpih-add1.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/mpi/i386/mpih-add1.S 2020-01-23 15:37:40.470175379 +0100 -@@ -52,6 +52,10 @@ C_SYMBOL_NAME(_gcry_mpih_add_n:) - movl 20(%esp),%edx /* s2_ptr */ - movl 24(%esp),%ecx /* size */ - -+#if defined __CET__ && (__CET__ & 1) != 0 -+ pushl %ebx -+#endif -+ - movl %ecx,%eax - shrl $3,%ecx /* compute count for unrolled loop */ - negl %eax -@@ -63,6 +67,9 @@ C_SYMBOL_NAME(_gcry_mpih_add_n:) - subl %eax,%esi /* ... by a constant when we ... */ - subl %eax,%edx /* ... enter the loop */ - shrl $2,%eax /* restore previous value */ -+#if defined __CET__ && (__CET__ & 1) != 0 -+ leal -4(,%eax,4),%ebx /* Count for 4-byte endbr32 */ -+#endif - #ifdef PIC - /* Calculate start address in loop for PIC. Due to limitations in some - assemblers, Loop-L0-3 cannot be put into the leal */ -@@ -75,29 +82,53 @@ L0: leal (%eax,%eax,8),%eax - /* Calculate start address in loop for non-PIC. */ - leal (Loop - 3)(%eax,%eax,8),%eax - #endif -+#if defined __CET__ && (__CET__ & 1) != 0 -+ addl %ebx,%eax /* Adjust for endbr32 */ -+#endif - jmp *%eax /* jump into loop */ - ALIGN (3) - Loop: movl (%esi),%eax - adcl (%edx),%eax - movl %eax,(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 4(%esi),%eax - adcl 4(%edx),%eax - movl %eax,4(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 8(%esi),%eax - adcl 8(%edx),%eax - movl %eax,8(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 12(%esi),%eax - adcl 12(%edx),%eax - movl %eax,12(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 16(%esi),%eax - adcl 16(%edx),%eax - movl %eax,16(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 20(%esi),%eax - adcl 20(%edx),%eax - movl %eax,20(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 24(%esi),%eax - adcl 24(%edx),%eax - movl %eax,24(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 28(%esi),%eax - adcl 28(%edx),%eax - movl %eax,28(%edi) -@@ -110,6 +141,10 @@ Loop: movl (%esi),%eax - sbbl %eax,%eax - negl %eax - -+#if defined __CET__ && (__CET__ & 1) != 0 -+ popl %ebx -+#endif -+ - popl %esi - popl %edi - ret -diff -up libgcrypt-1.8.5/mpi/i386/mpih-sub1.S.intel-cet libgcrypt-1.8.5/mpi/i386/mpih-sub1.S ---- libgcrypt-1.8.5/mpi/i386/mpih-sub1.S.intel-cet 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/mpi/i386/mpih-sub1.S 2020-01-23 15:37:40.472175351 +0100 -@@ -53,6 +53,10 @@ C_SYMBOL_NAME(_gcry_mpih_sub_n:) - movl 20(%esp),%edx /* s2_ptr */ - movl 24(%esp),%ecx /* size */ - -+#if defined __CET__ && (__CET__ & 1) != 0 -+ pushl %ebx -+#endif -+ - movl %ecx,%eax - shrl $3,%ecx /* compute count for unrolled loop */ - negl %eax -@@ -64,6 +68,9 @@ C_SYMBOL_NAME(_gcry_mpih_sub_n:) - subl %eax,%esi /* ... by a constant when we ... */ - subl %eax,%edx /* ... enter the loop */ - shrl $2,%eax /* restore previous value */ -+#if defined __CET__ && (__CET__ & 1) != 0 -+ leal -4(,%eax,4),%ebx /* Count for 4-byte endbr32 */ -+#endif - #ifdef PIC - /* Calculate start address in loop for PIC. Due to limitations in some - assemblers, Loop-L0-3 cannot be put into the leal */ -@@ -76,29 +83,53 @@ L0: leal (%eax,%eax,8),%eax - /* Calculate start address in loop for non-PIC. */ - leal (Loop - 3)(%eax,%eax,8),%eax - #endif -+#if defined __CET__ && (__CET__ & 1) != 0 -+ addl %ebx,%eax /* Adjust for endbr32 */ -+#endif - jmp *%eax /* jump into loop */ - ALIGN (3) - Loop: movl (%esi),%eax - sbbl (%edx),%eax - movl %eax,(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 4(%esi),%eax - sbbl 4(%edx),%eax - movl %eax,4(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 8(%esi),%eax - sbbl 8(%edx),%eax - movl %eax,8(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 12(%esi),%eax - sbbl 12(%edx),%eax - movl %eax,12(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 16(%esi),%eax - sbbl 16(%edx),%eax - movl %eax,16(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 20(%esi),%eax - sbbl 20(%edx),%eax - movl %eax,20(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 24(%esi),%eax - sbbl 24(%edx),%eax - movl %eax,24(%edi) -+#ifdef _CET_ENDBR -+ _CET_ENDBR -+#endif - movl 28(%esi),%eax - sbbl 28(%edx),%eax - movl %eax,28(%edi) -@@ -111,6 +142,10 @@ Loop: movl (%esi),%eax - sbbl %eax,%eax - negl %eax - -+#if defined __CET__ && (__CET__ & 1) != 0 -+ popl %ebx -+#endif -+ - popl %esi - popl %edi - ret diff --git a/libgcrypt-1.8.7.tar.bz2 b/libgcrypt-1.8.7.tar.bz2 deleted file mode 100644 index 895685a..0000000 Binary files a/libgcrypt-1.8.7.tar.bz2 and /dev/null differ diff --git a/libgcrypt-1.9.4.tar.bz2 b/libgcrypt-1.9.4.tar.bz2 new file mode 100644 index 0000000..0eb0863 Binary files /dev/null and b/libgcrypt-1.9.4.tar.bz2 differ diff --git a/libgcrypt.spec b/libgcrypt.spec index d2f518d..37f041c 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -3,36 +3,27 @@ %global hmackey orboDeJITITejsirpADONivirpUkvarP Name: libgcrypt -Version: 1.8.7 -Release: 5 +Version: 1.9.4 +Release: 1 Summary: A general-purpose cryptography library License: LGPLv2+ URL: https://www.gnupg.org/ Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 Source7: random.conf -Patch0: libgcrypt-1.8.5-use-fipscheck.patch -Patch1: libgcrypt-1.8.4-fips-keygen.patch -Patch2: libgcrypt-1.8.4-tests-fipsmode.patch -Patch3: libgcrypt-1.7.3-fips-cavs.patch -Patch4: libgcrypt-1.8.4-use-poll.patch -Patch5: libgcrypt-1.6.1-mpicoder-gccopt.patch -Patch6: libgcrypt-1.7.3-ecc-test-fix.patch -Patch7: libgcrypt-1.8.3-fips-ctor.patch -Patch8: libgcrypt-1.7.3-fips-reqs.patch -Patch9: libgcrypt-1.8.5-getrandom.patch -Patch10: libgcrypt-1.8.3-cmac-selftest.patch -Patch11: libgcrypt-1.8.3-fips-enttest.patch -Patch12: libgcrypt-1.8.3-md-fips-enforce.patch -Patch13: libgcrypt-1.8.5-intel-cet.patch -Patch14: libgcrypt-1.8.5-fips-module.patch -Patch15: libgcrypt-1.8.5-aes-perf.patch -Patch16: CVE-2019-12904-1.patch -Patch17: CVE-2019-12904-2.patch -Patch18: CVE-2019-12904-3.patch -Patch19: CVE-2021-33560.patch -Patch20: CVE-2021-40528.patch -Patch21: backport-add-crypto-hash-sm3.patch +Patch0: backport-libgcrypt-1.8.5-use-fipscheck.patch +Patch1: backport-libgcrypt-1.8.4-fips-keygen.patch +Patch2: backport-libgcrypt-1.8.4-tests-fipsmode.patch +Patch3: backport-libgcrypt-1.7.3-fips-cavs.patch +Patch4: backport-libgcrypt-1.8.4-use-poll.patch +Patch5: backport-libgcrypt-1.6.1-mpicoder-gccopt.patch +Patch6: backport-libgcrypt-1.7.3-ecc-test-fix.patch +Patch7: backport-libgcrypt-1.8.3-fips-ctor.patch +Patch8: backport-libgcrypt-1.8.5-getrandom.patch +Patch9: backport-libgcrypt-1.8.3-fips-enttest.patch +Patch10: backport-libgcrypt-1.8.3-md-fips-enforce.patch +Patch11: backport-libgcrypt-1.8.5-intel-cet.patch +Patch12: backport-libgcrypt-1.8.5-fips-module.patch BuildRequires: gcc texinfo autoconf automake libtool BuildRequires: gawk libgpg-error-devel >= 1.11 pkgconfig @@ -140,6 +131,12 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf %{_infodir}/gcrypt.info* %changelog +* Thu Dec 30 2021 zoulin - 1.9.4-1 +- Type:requirements +- ID:NA +- SUG:NA +- DESC:Update version to 1.9.4 + * Wed Oct 27 2021 zhujianwei001 - 1.8.7-5 - Type:requirements - ID:NA