diff --git a/curves.c b/curves.c index aa51a3a..fccd1d4 100644 --- a/curves.c +++ b/curves.c @@ -26,10 +26,10 @@ #include #include -#include "../src/gcrypt.h" +#include "../src/gcrypt-int.h" /* Number of curves defined in ../cipger/ecc.c */ -#define N_CURVES 3 +#define N_CURVES 4 /* A real world sample public key. */ static char const sample_key_1[] = diff --git a/ecc-curves.c b/ecc-curves.c new file mode 100644 index 0000000..b8679da --- /dev/null +++ b/ecc-curves.c @@ -0,0 +1,1007 @@ +/* ecc-curves.c - Elliptic Curve parameter mangement + * Copyright (C) 2007, 2008, 2010, 2011 Free Software Foundation, Inc. + * Copyright (C) 2013 g10 Code GmbH + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +#include +#include +#include +#include +#include + +#include "g10lib.h" +#include "mpi.h" +#include "cipher.h" +#include "context.h" +#include "ec-context.h" +#include "pubkey-internal.h" +#include "ecc-common.h" + + +/* This tables defines aliases for curve names. */ +static const struct +{ + const char *name; /* Our name. */ + const char *other; /* Other name. */ +} curve_aliases[] = + { + /*{ "Curve25519", "1.3.6.1.4.1.3029.1.5.1" },*/ + { "Ed25519", "1.3.6.1.4.1.11591.15.1" }, + + { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1. */ + { "NIST P-256", "prime256v1" }, + { "NIST P-256", "secp256r1" }, + { "NIST P-256", "nistp256" }, /* rfc5656. */ + + { "NIST P-384", "secp384r1" }, + { "NIST P-384", "1.3.132.0.34" }, + { "NIST P-384", "nistp384" }, /* rfc5656. */ + + { "NIST P-521", "secp521r1" }, + { "NIST P-521", "1.3.132.0.35" }, + { "NIST P-521", "nistp521" }, /* rfc5656. */ + + { NULL, NULL} + }; + + +typedef struct +{ + const char *desc; /* Description of the curve. */ + unsigned int nbits; /* Number of bits. */ + unsigned int fips:1; /* True if this is a FIPS140-2 approved curve. */ + + /* The model describing this curve. This is mainly used to select + the group equation. */ + enum gcry_mpi_ec_models model; + + /* The actual ECC dialect used. This is used for curve specific + optimizations and to select encodings etc. */ + enum ecc_dialects dialect; + + const char *p; /* The prime defining the field. */ + const char *a, *b; /* The coefficients. For Twisted Edwards + Curves b is used for d. */ + const char *n; /* The order of the base point. */ + const char *g_x, *g_y; /* Base point. */ +} ecc_domain_parms_t; + + +/* This static table defines all available curves. */ +static const ecc_domain_parms_t domain_parms[] = + { + { + /* (-x^2 + y^2 = 1 + dx^2y^2) */ + "Ed25519", 256, 0, + MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519, + "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", + "-0x01", + "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A", + "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", + "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", + "0x6666666666666666666666666666666666666666666666666666666666666658" + }, + { + "NIST P-256", 256, 1, + MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, + "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc", + "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", + "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + + "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" + }, + { + "NIST P-384", 384, 1, + MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, + "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" + "ffffffff0000000000000000ffffffff", + "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" + "ffffffff0000000000000000fffffffc", + "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a" + "c656398d8a2ed19d2a85c8edd3ec2aef", + "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf" + "581a0db248b0a77aecec196accc52973", + + "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" + "5502f25dbf55296c3a545e3872760ab7", + "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" + "0a60b1ce1d7e819d7a431d7c90ea0e5f" + }, + { + "NIST P-521", 521, 1, + MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, + "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", + "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10" + "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", + "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", + + "0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d" + "3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", + "0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e" + "662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650" + }, + + { NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL } + }; + + + + +/* Return a copy of POINT. */ +static gcry_mpi_point_t +point_copy (gcry_mpi_point_t point) +{ + gcry_mpi_point_t newpoint; + + if (point) + { + newpoint = mpi_point_new (0); + point_set (newpoint, point); + } + else + newpoint = NULL; + return newpoint; +} + + +/* Helper to scan a hex string. */ +static gcry_mpi_t +scanval (const char *string) +{ + gpg_err_code_t rc; + gcry_mpi_t val; + + rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL); + if (rc) + log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc)); + return val; +} + + +/* Return the index of the domain_parms table for a curve with NAME. + Return -1 if not found. */ +static int +find_domain_parms_idx (const char *name) +{ + int idx, aliasno; + + /* First check our native curves. */ + for (idx = 0; domain_parms[idx].desc; idx++) + if (!strcmp (name, domain_parms[idx].desc)) + return idx; + + /* If not found consult the alias table. */ + if (!domain_parms[idx].desc) + { + for (aliasno = 0; curve_aliases[aliasno].name; aliasno++) + if (!strcmp (name, curve_aliases[aliasno].other)) + break; + if (curve_aliases[aliasno].name) + { + for (idx = 0; domain_parms[idx].desc; idx++) + if (!strcmp (curve_aliases[aliasno].name, domain_parms[idx].desc)) + return idx; + } + } + + return -1; +} + + +/* Generate the crypto system setup. This function takes the NAME of + a curve or the desired number of bits and stores at R_CURVE the + parameters of the named curve or those of a suitable curve. If + R_NBITS is not NULL, the chosen number of bits is stored there. + NULL may be given for R_CURVE, if the value is not required and for + example only a quick test for availability is desired. Note that + the curve fields should be initialized to zero because fields which + are not NULL are skipped. */ +gpg_err_code_t +_gcry_ecc_fill_in_curve (unsigned int nbits, const char *name, + elliptic_curve_t *curve, unsigned int *r_nbits) +{ + int idx; + const char *resname = NULL; /* Set to a found curve name. */ + + if (name) + idx = find_domain_parms_idx (name); + else + { + for (idx = 0; domain_parms[idx].desc; idx++) + if (nbits == domain_parms[idx].nbits + && domain_parms[idx].model == MPI_EC_WEIERSTRASS) + break; + if (!domain_parms[idx].desc) + idx = -1; + } + if (idx < 0) + return GPG_ERR_UNKNOWN_CURVE; + + resname = domain_parms[idx].desc; + + /* In fips mode we only support NIST curves. Note that it is + possible to bypass this check by specifying the curve parameters + directly. */ + if (fips_mode () && !domain_parms[idx].fips ) + return GPG_ERR_NOT_SUPPORTED; + + switch (domain_parms[idx].model) + { + case MPI_EC_WEIERSTRASS: + case MPI_EC_TWISTEDEDWARDS: + break; + case MPI_EC_MONTGOMERY: + return GPG_ERR_NOT_SUPPORTED; + default: + return GPG_ERR_BUG; + } + + + if (r_nbits) + *r_nbits = domain_parms[idx].nbits; + + if (curve) + { + curve->model = domain_parms[idx].model; + curve->dialect = domain_parms[idx].dialect; + if (!curve->p) + curve->p = scanval (domain_parms[idx].p); + if (!curve->a) + curve->a = scanval (domain_parms[idx].a); + if (!curve->b) + curve->b = scanval (domain_parms[idx].b); + if (!curve->n) + curve->n = scanval (domain_parms[idx].n); + if (!curve->G.x) + curve->G.x = scanval (domain_parms[idx].g_x); + if (!curve->G.y) + curve->G.y = scanval (domain_parms[idx].g_y); + if (!curve->G.z) + curve->G.z = mpi_alloc_set_ui (1); + if (!curve->name) + curve->name = resname; + } + + return 0; +} + + +/* Give the name of the curve NAME, store the curve parameters into P, + A, B, G, and N if they point to NULL value. Note that G is returned + in standard uncompressed format. Also update MODEL and DIALECT if + they are not NULL. */ +gpg_err_code_t +_gcry_ecc_update_curve_param (const char *name, + enum gcry_mpi_ec_models *model, + enum ecc_dialects *dialect, + gcry_mpi_t *p, gcry_mpi_t *a, gcry_mpi_t *b, + gcry_mpi_t *g, gcry_mpi_t *n) +{ + int idx; + + idx = find_domain_parms_idx (name); + if (idx < 0) + return GPG_ERR_UNKNOWN_CURVE; + + if (g) + { + char *buf; + size_t len; + + len = 4; + len += strlen (domain_parms[idx].g_x+2); + len += strlen (domain_parms[idx].g_y+2); + len++; + buf = xtrymalloc (len); + if (!buf) + return gpg_err_code_from_syserror (); + strcpy (stpcpy (stpcpy (buf, "0x04"), domain_parms[idx].g_x+2), + domain_parms[idx].g_y+2); + _gcry_mpi_release (*g); + *g = scanval (buf); + xfree (buf); + } + if (model) + *model = domain_parms[idx].model; + if (dialect) + *dialect = domain_parms[idx].dialect; + if (p) + { + _gcry_mpi_release (*p); + *p = scanval (domain_parms[idx].p); + } + if (a) + { + _gcry_mpi_release (*a); + *a = scanval (domain_parms[idx].a); + } + if (b) + { + _gcry_mpi_release (*b); + *b = scanval (domain_parms[idx].b); + } + if (n) + { + _gcry_mpi_release (*n); + *n = scanval (domain_parms[idx].n); + } + return 0; +} + + +/* Return the name matching the parameters in PKEY. This works only + with curves described by the Weierstrass equation. */ +const char * +_gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits) +{ + gpg_err_code_t rc; + const char *result = NULL; + elliptic_curve_t E; + gcry_mpi_t mpi_g = NULL; + gcry_mpi_t tmp = NULL; + int idx; + + memset (&E, 0, sizeof E); + + if (r_nbits) + *r_nbits = 0; + + if (!keyparms) + { + idx = iterator; + if (idx >= 0 && idx < DIM (domain_parms)) + { + result = domain_parms[idx].desc; + if (r_nbits) + *r_nbits = domain_parms[idx].nbits; + } + return result; + } + + + /* + * Extract the curve parameters.. + */ + rc = gpg_err_code (sexp_extract_param (keyparms, NULL, "-pabgn", + &E.p, &E.a, &E.b, &mpi_g, &E.n, + NULL)); + if (rc == GPG_ERR_NO_OBJ) + { + /* This might be the second use case of checking whether a + specific curve given by name is supported. */ + gcry_sexp_t l1; + char *name; + + l1 = sexp_find_token (keyparms, "curve", 5); + if (!l1) + goto leave; /* No curve name parameter. */ + + name = sexp_nth_string (l1, 1); + sexp_release (l1); + if (!name) + goto leave; /* Name missing or out of core. */ + + idx = find_domain_parms_idx (name); + xfree (name); + if (idx >= 0) /* Curve found. */ + { + result = domain_parms[idx].desc; + if (r_nbits) + *r_nbits = domain_parms[idx].nbits; + } + return result; + } + + if (rc) + goto leave; + + if (mpi_g) + { + _gcry_mpi_point_init (&E.G); + if (_gcry_ecc_os2ec (&E.G, mpi_g)) + goto leave; + } + + for (idx = 0; domain_parms[idx].desc; idx++) + { + mpi_free (tmp); + tmp = scanval (domain_parms[idx].p); + if (!mpi_cmp (tmp, E.p)) + { + mpi_free (tmp); + tmp = scanval (domain_parms[idx].a); + if (!mpi_cmp (tmp, E.a)) + { + mpi_free (tmp); + tmp = scanval (domain_parms[idx].b); + if (!mpi_cmp (tmp, E.b)) + { + mpi_free (tmp); + tmp = scanval (domain_parms[idx].n); + if (!mpi_cmp (tmp, E.n)) + { + mpi_free (tmp); + tmp = scanval (domain_parms[idx].g_x); + if (!mpi_cmp (tmp, E.G.x)) + { + mpi_free (tmp); + tmp = scanval (domain_parms[idx].g_y); + if (!mpi_cmp (tmp, E.G.y)) + { + result = domain_parms[idx].desc; + if (r_nbits) + *r_nbits = domain_parms[idx].nbits; + goto leave; + } + } + } + } + } + } + } + + leave: + _gcry_mpi_release (tmp); + _gcry_mpi_release (E.p); + _gcry_mpi_release (E.a); + _gcry_mpi_release (E.b); + _gcry_mpi_release (mpi_g); + _gcry_mpi_point_free_parts (&E.G); + _gcry_mpi_release (E.n); + return result; +} + + +/* Helper to extract an MPI from key parameters. */ +static gpg_err_code_t +mpi_from_keyparam (gcry_mpi_t *r_a, gcry_sexp_t keyparam, const char *name) +{ + gcry_err_code_t ec = 0; + gcry_sexp_t l1; + + l1 = sexp_find_token (keyparam, name, 0); + if (l1) + { + *r_a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG); + sexp_release (l1); + if (!*r_a) + ec = GPG_ERR_INV_OBJ; + } + return ec; +} + +/* Helper to extract a point from key parameters. If no parameter + with NAME is found, the functions tries to find a non-encoded point + by appending ".x", ".y" and ".z" to NAME. ".z" is in this case + optional and defaults to 1. EC is the context which at this point + may not be fully initialized. */ +static gpg_err_code_t +point_from_keyparam (gcry_mpi_point_t *r_a, + gcry_sexp_t keyparam, const char *name, mpi_ec_t ec) +{ + gcry_err_code_t rc; + gcry_sexp_t l1; + gcry_mpi_point_t point; + + l1 = sexp_find_token (keyparam, name, 0); + if (l1) + { + gcry_mpi_t a; + + a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_OPAQUE); + sexp_release (l1); + if (!a) + return GPG_ERR_INV_OBJ; + + point = mpi_point_new (0); + if (ec && ec->dialect == ECC_DIALECT_ED25519) + rc = _gcry_ecc_eddsa_decodepoint (a, ec, point, NULL, NULL); + else + rc = _gcry_ecc_os2ec (point, a); + mpi_free (a); + if (rc) + { + mpi_point_release (point); + return rc; + } + } + else + { + char *tmpname; + gcry_mpi_t x = NULL; + gcry_mpi_t y = NULL; + gcry_mpi_t z = NULL; + + tmpname = xtrymalloc (strlen (name) + 2 + 1); + if (!tmpname) + return gpg_err_code_from_syserror (); + strcpy (stpcpy (tmpname, name), ".x"); + rc = mpi_from_keyparam (&x, keyparam, tmpname); + if (rc) + { + xfree (tmpname); + return rc; + } + strcpy (stpcpy (tmpname, name), ".y"); + rc = mpi_from_keyparam (&y, keyparam, tmpname); + if (rc) + { + mpi_free (x); + xfree (tmpname); + return rc; + } + strcpy (stpcpy (tmpname, name), ".z"); + rc = mpi_from_keyparam (&z, keyparam, tmpname); + if (rc) + { + mpi_free (y); + mpi_free (x); + xfree (tmpname); + return rc; + } + if (!z) + z = mpi_set_ui (NULL, 1); + if (x && y) + point = mpi_point_snatch_set (NULL, x, y, z); + else + { + mpi_free (x); + mpi_free (y); + mpi_free (z); + point = NULL; + } + xfree (tmpname); + } + + if (point) + *r_a = point; + return 0; +} + + +/* This function creates a new context for elliptic curve operations. + Either KEYPARAM or CURVENAME must be given. If both are given and + KEYPARAM has no curve parameter, CURVENAME is used to add missing + parameters. On success 0 is returned and the new context stored at + R_CTX. On error NULL is stored at R_CTX and an error code is + returned. The context needs to be released using + gcry_ctx_release. */ +gpg_err_code_t +_gcry_mpi_ec_new (gcry_ctx_t *r_ctx, + gcry_sexp_t keyparam, const char *curvename) +{ + gpg_err_code_t errc; + gcry_ctx_t ctx = NULL; + enum gcry_mpi_ec_models model = MPI_EC_WEIERSTRASS; + enum ecc_dialects dialect = ECC_DIALECT_STANDARD; + gcry_mpi_t p = NULL; + gcry_mpi_t a = NULL; + gcry_mpi_t b = NULL; + gcry_mpi_point_t G = NULL; + gcry_mpi_t n = NULL; + gcry_mpi_point_t Q = NULL; + gcry_mpi_t d = NULL; + int flags = 0; + gcry_sexp_t l1; + + *r_ctx = NULL; + + if (keyparam) + { + /* Parse an optional flags list. */ + l1 = sexp_find_token (keyparam, "flags", 0); + if (l1) + { + errc = _gcry_pk_util_parse_flaglist (l1, &flags, NULL); + sexp_release (l1); + l1 = NULL; + if (errc) + goto leave; + } + + /* Check whether a curve name was given. */ + l1 = sexp_find_token (keyparam, "curve", 5); + + /* If we don't have a curve name or if override parameters have + explicitly been requested, parse them. */ + if (!l1 || (flags & PUBKEY_FLAG_PARAM)) + { + errc = mpi_from_keyparam (&p, keyparam, "p"); + if (errc) + goto leave; + errc = mpi_from_keyparam (&a, keyparam, "a"); + if (errc) + goto leave; + errc = mpi_from_keyparam (&b, keyparam, "b"); + if (errc) + goto leave; + errc = point_from_keyparam (&G, keyparam, "g", NULL); + if (errc) + goto leave; + errc = mpi_from_keyparam (&n, keyparam, "n"); + if (errc) + goto leave; + } + } + else + l1 = NULL; /* No curvename. */ + + /* Check whether a curve parameter is available and use that to fill + in missing values. If no curve parameter is available try an + optional provided curvename. If only the curvename has been + given use that one. */ + if (l1 || curvename) + { + char *name; + elliptic_curve_t *E; + + if (l1) + { + name = sexp_nth_string (l1, 1); + sexp_release (l1); + if (!name) + { + errc = GPG_ERR_INV_OBJ; /* Name missing or out of core. */ + goto leave; + } + } + else + name = NULL; + + E = xtrycalloc (1, sizeof *E); + if (!E) + { + errc = gpg_err_code_from_syserror (); + xfree (name); + goto leave; + } + + errc = _gcry_ecc_fill_in_curve (0, name? name : curvename, E, NULL); + xfree (name); + if (errc) + { + xfree (E); + goto leave; + } + + model = E->model; + dialect = E->dialect; + + if (!p) + { + p = E->p; + E->p = NULL; + } + if (!a) + { + a = E->a; + E->a = NULL; + } + if (!b) + { + b = E->b; + E->b = NULL; + } + if (!G) + { + G = mpi_point_snatch_set (NULL, E->G.x, E->G.y, E->G.z); + E->G.x = NULL; + E->G.y = NULL; + E->G.z = NULL; + } + if (!n) + { + n = E->n; + E->n = NULL; + } + _gcry_ecc_curve_free (E); + xfree (E); + } + + + errc = _gcry_mpi_ec_p_new (&ctx, model, dialect, flags, p, a, b); + if (!errc) + { + mpi_ec_t ec = _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC); + + if (b) + { + mpi_free (ec->b); + ec->b = b; + b = NULL; + } + if (G) + { + ec->G = G; + G = NULL; + } + if (n) + { + ec->n = n; + n = NULL; + } + + /* Now that we know the curve name we can look for the public key + Q. point_from_keyparam needs to know the curve parameters so + that it is able to use the correct decompression. Parsing + the private key D could have been done earlier but it is less + surprising if we do it here as well. */ + if (keyparam) + { + errc = point_from_keyparam (&Q, keyparam, "q", ec); + if (errc) + goto leave; + errc = mpi_from_keyparam (&d, keyparam, "d"); + if (errc) + goto leave; + } + + if (Q) + { + ec->Q = Q; + Q = NULL; + } + if (d) + { + ec->d = d; + d = NULL; + } + + *r_ctx = ctx; + ctx = NULL; + } + + leave: + _gcry_ctx_release (ctx); + mpi_free (p); + mpi_free (a); + mpi_free (b); + _gcry_mpi_point_release (G); + mpi_free (n); + _gcry_mpi_point_release (Q); + mpi_free (d); + return errc; +} + + +/* Return the parameters of the curve NAME as an S-expression. */ +gcry_sexp_t +_gcry_ecc_get_param_sexp (const char *name) +{ + unsigned int nbits; + elliptic_curve_t E; + mpi_ec_t ctx; + gcry_mpi_t g_x, g_y; + gcry_mpi_t pkey[6]; + gcry_sexp_t result; + int i; + + memset (&E, 0, sizeof E); + if (_gcry_ecc_fill_in_curve (0, name, &E, &nbits)) + return NULL; + + g_x = mpi_new (0); + g_y = mpi_new (0); + ctx = _gcry_mpi_ec_p_internal_new (MPI_EC_WEIERSTRASS, + ECC_DIALECT_STANDARD, + 0, + E.p, E.a, NULL); + if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx)) + log_fatal ("ecc get param: Failed to get affine coordinates\n"); + _gcry_mpi_ec_free (ctx); + _gcry_mpi_point_free_parts (&E.G); + + pkey[0] = E.p; + pkey[1] = E.a; + pkey[2] = E.b; + pkey[3] = _gcry_ecc_ec2os (g_x, g_y, E.p); + pkey[4] = E.n; + pkey[5] = NULL; + + mpi_free (g_x); + mpi_free (g_y); + + if (sexp_build (&result, NULL, + "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)))", + pkey[0], pkey[1], pkey[2], pkey[3], pkey[4])) + result = NULL; + + for (i=0; pkey[i]; i++) + _gcry_mpi_release (pkey[i]); + + return result; +} + + +/* Return an MPI (or opaque MPI) described by NAME and the context EC. + If COPY is true a copy is returned, if not a const MPI may be + returned. In any case mpi_free must be used. */ +gcry_mpi_t +_gcry_ecc_get_mpi (const char *name, mpi_ec_t ec, int copy) +{ + if (!*name) + return NULL; + + if (!strcmp (name, "p") && ec->p) + return mpi_is_const (ec->p) && !copy? ec->p : mpi_copy (ec->p); + if (!strcmp (name, "a") && ec->a) + return mpi_is_const (ec->a) && !copy? ec->a : mpi_copy (ec->a); + if (!strcmp (name, "b") && ec->b) + return mpi_is_const (ec->b) && !copy? ec->b : mpi_copy (ec->b); + if (!strcmp (name, "n") && ec->n) + return mpi_is_const (ec->n) && !copy? ec->n : mpi_copy (ec->n); + if (!strcmp (name, "d") && ec->d) + return mpi_is_const (ec->d) && !copy? ec->d : mpi_copy (ec->d); + + /* Return a requested point coordinate. */ + if (!strcmp (name, "g.x") && ec->G && ec->G->x) + return mpi_is_const (ec->G->x) && !copy? ec->G->x : mpi_copy (ec->G->x); + if (!strcmp (name, "g.y") && ec->G && ec->G->y) + return mpi_is_const (ec->G->y) && !copy? ec->G->y : mpi_copy (ec->G->y); + if (!strcmp (name, "q.x") && ec->Q && ec->Q->x) + return mpi_is_const (ec->Q->x) && !copy? ec->Q->x : mpi_copy (ec->Q->x); + if (!strcmp (name, "q.y") && ec->Q && ec->Q->y) + return mpi_is_const (ec->G->y) && !copy? ec->Q->y : mpi_copy (ec->Q->y); + + /* If the base point has been requested, return it in standard + encoding. */ + if (!strcmp (name, "g") && ec->G) + return _gcry_mpi_ec_ec2os (ec->G, ec); + + /* If the public key has been requested, return it by default in + standard uncompressed encoding or if requested in other + encodings. */ + if (*name == 'q' && (!name[1] || name[1] == '@')) + { + /* If only the private key is given, compute the public key. */ + if (!ec->Q) + ec->Q = _gcry_ecc_compute_public (NULL, ec, NULL, NULL); + + if (!ec->Q) + return NULL; + + if (name[1] != '@') + return _gcry_mpi_ec_ec2os (ec->Q, ec); + + if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS) + { + unsigned char *encpk; + unsigned int encpklen; + + if (!_gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, + &encpk, &encpklen)) + return mpi_set_opaque (NULL, encpk, encpklen*8); + } + } + + return NULL; +} + + +/* Return a point described by NAME and the context EC. */ +gcry_mpi_point_t +_gcry_ecc_get_point (const char *name, mpi_ec_t ec) +{ + if (!strcmp (name, "g") && ec->G) + return point_copy (ec->G); + if (!strcmp (name, "q")) + { + /* If only the private key is given, compute the public key. */ + if (!ec->Q) + ec->Q = _gcry_ecc_compute_public (NULL, ec, NULL, NULL); + + if (ec->Q) + return point_copy (ec->Q); + } + + return NULL; +} + + +/* Store the MPI NEWVALUE into the context EC under NAME. */ +gpg_err_code_t +_gcry_ecc_set_mpi (const char *name, gcry_mpi_t newvalue, mpi_ec_t ec) +{ + gpg_err_code_t rc = 0; + + if (!*name) + ; + else if (!strcmp (name, "p")) + { + mpi_free (ec->p); + ec->p = mpi_copy (newvalue); + _gcry_mpi_ec_get_reset (ec); + } + else if (!strcmp (name, "a")) + { + mpi_free (ec->a); + ec->a = mpi_copy (newvalue); + _gcry_mpi_ec_get_reset (ec); + } + else if (!strcmp (name, "b")) + { + mpi_free (ec->b); + ec->b = mpi_copy (newvalue); + } + else if (!strcmp (name, "n")) + { + mpi_free (ec->n); + ec->n = mpi_copy (newvalue); + } + else if (*name == 'q' && (!name[1] || name[1] == '@')) + { + if (newvalue) + { + if (!ec->Q) + ec->Q = mpi_point_new (0); + if (ec->dialect == ECC_DIALECT_ED25519) + rc = _gcry_ecc_eddsa_decodepoint (newvalue, ec, ec->Q, NULL, NULL); + else + rc = _gcry_ecc_os2ec (ec->Q, newvalue); + } + if (rc || !newvalue) + { + _gcry_mpi_point_release (ec->Q); + ec->Q = NULL; + } + /* Note: We assume that Q matches d and thus do not reset d. */ + } + else if (!strcmp (name, "d")) + { + mpi_free (ec->d); + ec->d = mpi_copy (newvalue); + if (ec->d) + { + /* We need to reset the public key because it may not + anymore match. */ + _gcry_mpi_point_release (ec->Q); + ec->Q = NULL; + } + } + else + rc = GPG_ERR_UNKNOWN_NAME; + + return rc; +} + + +/* Store the point NEWVALUE into the context EC under NAME. */ +gpg_err_code_t +_gcry_ecc_set_point (const char *name, gcry_mpi_point_t newvalue, mpi_ec_t ec) +{ + if (!strcmp (name, "g")) + { + _gcry_mpi_point_release (ec->G); + ec->G = point_copy (newvalue); + } + else if (!strcmp (name, "q")) + { + _gcry_mpi_point_release (ec->Q); + ec->Q = point_copy (newvalue); + } + else + return GPG_ERR_UNKNOWN_NAME; + + return 0; +} diff --git a/ecc.c b/ecc.c deleted file mode 100644 index 5e4717e..0000000 --- a/ecc.c +++ /dev/null @@ -1,1677 +0,0 @@ -/* ecc.c - Elliptic Curve Cryptography - Copyright (C) 2007, 2008, 2010, 2011 Free Software Foundation, Inc. - - This file is part of Libgcrypt. - - Libgcrypt is free software; you can redistribute it and/or modify - it under the terms of the GNU Lesser General Public License as - published by the Free Software Foundation; either version 2.1 of - the License, or (at your option) any later version. - - Libgcrypt is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, - USA. */ - -/* This code is originally based on the Patch 0.1.6 for the gnupg - 1.4.x branch as retrieved on 2007-03-21 from - http://www.calcurco.cat/eccGnuPG/src/gnupg-1.4.6-ecc0.2.0beta1.diff.bz2 - The original authors are: - Written by - Sergi Blanch i Torne , - Ramiro Moreno Chiral - Maintainers - Sergi Blanch i Torne - Ramiro Moreno Chiral - Mikael Mylnikov (mmr) - For use in Libgcrypt the code has been heavily modified and cleaned - up. In fact there is not much left of the orginally code except for - some variable names and the text book implementaion of the sign and - verification algorithms. The arithmetic functions have entirely - been rewritten and moved to mpi/ec.c. - - ECDH encrypt and decrypt code written by Andrey Jivsov, -*/ - - -/* TODO: - - - If we support point compression we need to uncompress before - computing the keygrip - - - In mpi/ec.c we use mpi_powm for x^2 mod p: Either implement a - special case in mpi_powm or check whether mpi_mulm is faster. - - - Decide whether we should hide the mpi_point_t definition. -*/ - - -#include -#include -#include -#include - -#include "g10lib.h" -#include "mpi.h" -#include "cipher.h" - -/* Definition of a curve. */ -typedef struct -{ - gcry_mpi_t p; /* Prime specifying the field GF(p). */ - gcry_mpi_t a; /* First coefficient of the Weierstrass equation. */ - gcry_mpi_t b; /* Second coefficient of the Weierstrass equation. */ - mpi_point_t G; /* Base point (generator). */ - gcry_mpi_t n; /* Order of G. */ - const char *name; /* Name of curve or NULL. */ -} elliptic_curve_t; - - -typedef struct -{ - elliptic_curve_t E; - mpi_point_t Q; /* Q = [d]G */ -} ECC_public_key; - -typedef struct -{ - elliptic_curve_t E; - mpi_point_t Q; - gcry_mpi_t d; -} ECC_secret_key; - - -/* This tables defines aliases for curve names. */ -static const struct -{ - const char *name; /* Our name. */ - const char *other; /* Other name. */ -} curve_aliases[] = - { - { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1. */ - { "NIST P-256", "prime256v1" }, - { "NIST P-256", "secp256r1" }, - - { "NIST P-384", "secp384r1" }, - { "NIST P-384", "1.3.132.0.34" }, - - { "NIST P-521", "secp521r1" }, - { "NIST P-521", "1.3.132.0.35" }, - - { NULL, NULL} - }; - -typedef struct { - const char *desc; /* Description of the curve. */ - unsigned int nbits; /* Number of bits. */ - unsigned int fips:1; /* True if this is a FIPS140-2 approved curve. */ - const char *p; /* Order of the prime field. */ - const char *a, *b; /* The coefficients. */ - const char *n; /* The order of the base point. */ - const char *g_x, *g_y; /* Base point. */ -} ecc_domain_parms_t; - -/* This static table defines all available curves. */ -static const ecc_domain_parms_t domain_parms[] = - { - { - "NIST P-256", 256, 1, - "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff", - "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc", - "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", - "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", - - "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" - }, - { - "NIST P-384", 384, 1, - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" - "ffffffff0000000000000000ffffffff", - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" - "ffffffff0000000000000000fffffffc", - "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a" - "c656398d8a2ed19d2a85c8edd3ec2aef", - "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf" - "581a0db248b0a77aecec196accc52973", - - "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" - "5502f25dbf55296c3a545e3872760ab7", - "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" - "0a60b1ce1d7e819d7a431d7c90ea0e5f" - }, - { - "NIST P-521", 521, 1, - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", - "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10" - "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", - "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", - - "0xc6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3d" - "baa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - "0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e6" - "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650" - }, - - { NULL, 0, 0, NULL, NULL, NULL, NULL } - }; - - -/* Registered progress function and its callback value. */ -static void (*progress_cb) (void *, const char*, int, int, int); -static void *progress_cb_data; - - -#define point_init(a) _gcry_mpi_ec_point_init ((a)) -#define point_free(a) _gcry_mpi_ec_point_free ((a)) - - - -/* Local prototypes. */ -static gcry_mpi_t gen_k (gcry_mpi_t p, int security_level); -static void test_keys (ECC_secret_key * sk, unsigned int nbits); -static int check_secret_key (ECC_secret_key * sk); -static gpg_err_code_t sign (gcry_mpi_t input, ECC_secret_key *skey, - gcry_mpi_t r, gcry_mpi_t s); -static gpg_err_code_t verify (gcry_mpi_t input, ECC_public_key *pkey, - gcry_mpi_t r, gcry_mpi_t s); - - -static gcry_mpi_t gen_y_2 (gcry_mpi_t x, elliptic_curve_t * base); - - - - -void -_gcry_register_pk_ecc_progress (void (*cb) (void *, const char *, - int, int, int), - void *cb_data) -{ - progress_cb = cb; - progress_cb_data = cb_data; -} - -/* static void */ -/* progress (int c) */ -/* { */ -/* if (progress_cb) */ -/* progress_cb (progress_cb_data, "pk_ecc", c, 0, 0); */ -/* } */ - - - - -/* Set the value from S into D. */ -static void -point_set (mpi_point_t *d, mpi_point_t *s) -{ - mpi_set (d->x, s->x); - mpi_set (d->y, s->y); - mpi_set (d->z, s->z); -} - - -/* - * Release a curve object. - */ -static void -curve_free (elliptic_curve_t *E) -{ - mpi_free (E->p); E->p = NULL; - mpi_free (E->a); E->a = NULL; - mpi_free (E->b); E->b = NULL; - point_free (&E->G); - mpi_free (E->n); E->n = NULL; -} - - -/* - * Return a copy of a curve object. - */ -static elliptic_curve_t -curve_copy (elliptic_curve_t E) -{ - elliptic_curve_t R; - - R.p = mpi_copy (E.p); - R.a = mpi_copy (E.a); - R.b = mpi_copy (E.b); - point_init (&R.G); - point_set (&R.G, &E.G); - R.n = mpi_copy (E.n); - - return R; -} - - -/* Helper to scan a hex string. */ -static gcry_mpi_t -scanval (const char *string) -{ - gpg_error_t err; - gcry_mpi_t val; - - err = gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL); - if (err) - log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (err)); - return val; -} - - - - - -/**************** - * Solve the right side of the equation that defines a curve. - */ -static gcry_mpi_t -gen_y_2 (gcry_mpi_t x, elliptic_curve_t *base) -{ - gcry_mpi_t three, x_3, axb, y; - - three = mpi_alloc_set_ui (3); - x_3 = mpi_new (0); - axb = mpi_new (0); - y = mpi_new (0); - - mpi_powm (x_3, x, three, base->p); - mpi_mulm (axb, base->a, x, base->p); - mpi_addm (axb, axb, base->b, base->p); - mpi_addm (y, x_3, axb, base->p); - - mpi_free (x_3); - mpi_free (axb); - mpi_free (three); - return y; /* The quadratic value of the coordinate if it exist. */ -} - - -/* Generate a random secret scalar k with an order of p - - At the beginning this was identical to the code is in elgamal.c. - Later imporved by mmr. Further simplified by wk. */ -static gcry_mpi_t -gen_k (gcry_mpi_t p, int security_level) -{ - gcry_mpi_t k; - unsigned int nbits; - - nbits = mpi_get_nbits (p); - k = mpi_snew (nbits); - if (DBG_CIPHER) - log_debug ("choosing a random k of %u bits at seclevel %d\n", - nbits, security_level); - - gcry_mpi_randomize (k, nbits, security_level); - - mpi_mod (k, k, p); /* k = k mod p */ - - return k; -} - - -/* Generate the crypto system setup. This function takes the NAME of - a curve or the desired number of bits and stores at R_CURVE the - parameters of the named curve or those of a suitable curve. The - chosen number of bits is stored on R_NBITS. */ -static gpg_err_code_t -fill_in_curve (unsigned int nbits, const char *name, - elliptic_curve_t *curve, unsigned int *r_nbits) -{ - int idx, aliasno; - const char *resname = NULL; /* Set to a found curve name. */ - - if (name) - { - /* First check our native curves. */ - for (idx = 0; domain_parms[idx].desc; idx++) - if (!strcmp (name, domain_parms[idx].desc)) - { - resname = domain_parms[idx].desc; - break; - } - /* If not found consult the alias table. */ - if (!domain_parms[idx].desc) - { - for (aliasno = 0; curve_aliases[aliasno].name; aliasno++) - if (!strcmp (name, curve_aliases[aliasno].other)) - break; - if (curve_aliases[aliasno].name) - { - for (idx = 0; domain_parms[idx].desc; idx++) - if (!strcmp (curve_aliases[aliasno].name, - domain_parms[idx].desc)) - { - resname = domain_parms[idx].desc; - break; - } - } - } - } - else - { - for (idx = 0; domain_parms[idx].desc; idx++) - if (nbits == domain_parms[idx].nbits) - break; - } - if (!domain_parms[idx].desc) - return GPG_ERR_INV_VALUE; - - /* In fips mode we only support NIST curves. Note that it is - possible to bypass this check by specifying the curve parameters - directly. */ - if (fips_mode () && !domain_parms[idx].fips ) - return GPG_ERR_NOT_SUPPORTED; - - *r_nbits = domain_parms[idx].nbits; - curve->p = scanval (domain_parms[idx].p); - curve->a = scanval (domain_parms[idx].a); - curve->b = scanval (domain_parms[idx].b); - curve->n = scanval (domain_parms[idx].n); - curve->G.x = scanval (domain_parms[idx].g_x); - curve->G.y = scanval (domain_parms[idx].g_y); - curve->G.z = mpi_alloc_set_ui (1); - curve->name = resname; - - return 0; -} - - -/* - * First obtain the setup. Over the finite field randomize an scalar - * secret value, and calculate the public point. - */ -static gpg_err_code_t -generate_key (ECC_secret_key *sk, unsigned int nbits, const char *name, - int transient_key, - gcry_mpi_t g_x, gcry_mpi_t g_y, - gcry_mpi_t q_x, gcry_mpi_t q_y, - const char **r_usedcurve) -{ - gpg_err_code_t err; - elliptic_curve_t E; - gcry_mpi_t d; - mpi_point_t Q; - mpi_ec_t ctx; - gcry_random_level_t random_level; - - *r_usedcurve = NULL; - - err = fill_in_curve (nbits, name, &E, &nbits); - if (err) - return err; - - if (DBG_CIPHER) - { - log_mpidump ("ecgen curve p", E.p); - log_mpidump ("ecgen curve a", E.a); - log_mpidump ("ecgen curve b", E.b); - log_mpidump ("ecgen curve n", E.n); - log_mpidump ("ecgen curve Gx", E.G.x); - log_mpidump ("ecgen curve Gy", E.G.y); - log_mpidump ("ecgen curve Gz", E.G.z); - if (E.name) - log_debug ("ecgen curve used: %s\n", E.name); - } - - random_level = transient_key ? GCRY_STRONG_RANDOM : GCRY_VERY_STRONG_RANDOM; - d = gen_k (E.n, random_level); - - /* Compute Q. */ - point_init (&Q); - ctx = _gcry_mpi_ec_init (E.p, E.a); - _gcry_mpi_ec_mul_point (&Q, d, &E.G, ctx); - - /* Copy the stuff to the key structures. */ - sk->E.p = mpi_copy (E.p); - sk->E.a = mpi_copy (E.a); - sk->E.b = mpi_copy (E.b); - point_init (&sk->E.G); - point_set (&sk->E.G, &E.G); - sk->E.n = mpi_copy (E.n); - point_init (&sk->Q); - point_set (&sk->Q, &Q); - sk->d = mpi_copy (d); - /* We also return copies of G and Q in affine coordinates if - requested. */ - if (g_x && g_y) - { - if (_gcry_mpi_ec_get_affine (g_x, g_y, &sk->E.G, ctx)) - log_fatal ("ecgen: Failed to get affine coordinates\n"); - } - if (q_x && q_y) - { - if (_gcry_mpi_ec_get_affine (q_x, q_y, &sk->Q, ctx)) - log_fatal ("ecgen: Failed to get affine coordinates\n"); - } - _gcry_mpi_ec_free (ctx); - - point_free (&Q); - mpi_free (d); - - *r_usedcurve = E.name; - curve_free (&E); - - /* Now we can test our keys (this should never fail!). */ - test_keys (sk, nbits - 64); - - return 0; -} - - -/* - * To verify correct skey it use a random information. - * First, encrypt and decrypt this dummy value, - * test if the information is recuperated. - * Second, test with the sign and verify functions. - */ -static void -test_keys (ECC_secret_key *sk, unsigned int nbits) -{ - ECC_public_key pk; - gcry_mpi_t test = mpi_new (nbits); - mpi_point_t R_; - gcry_mpi_t c = mpi_new (nbits); - gcry_mpi_t out = mpi_new (nbits); - gcry_mpi_t r = mpi_new (nbits); - gcry_mpi_t s = mpi_new (nbits); - - if (DBG_CIPHER) - log_debug ("Testing key.\n"); - - point_init (&R_); - - pk.E = curve_copy (sk->E); - point_init (&pk.Q); - point_set (&pk.Q, &sk->Q); - - gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM); - - if (sign (test, sk, r, s) ) - log_fatal ("ECDSA operation: sign failed\n"); - - if (verify (test, &pk, r, s)) - { - log_fatal ("ECDSA operation: sign, verify failed\n"); - } - - if (DBG_CIPHER) - log_debug ("ECDSA operation: sign, verify ok.\n"); - - point_free (&pk.Q); - curve_free (&pk.E); - - point_free (&R_); - mpi_free (s); - mpi_free (r); - mpi_free (out); - mpi_free (c); - mpi_free (test); -} - - -/* - * To check the validity of the value, recalculate the correspondence - * between the public value and the secret one. - */ -static int -check_secret_key (ECC_secret_key * sk) -{ - int rc = 1; - mpi_point_t Q; - gcry_mpi_t y_2, y2; - mpi_ec_t ctx = NULL; - - point_init (&Q); - - /* ?primarity test of 'p' */ - /* (...) //!! */ - /* G in E(F_p) */ - y_2 = gen_y_2 (sk->E.G.x, &sk->E); /* y^2=x^3+a*x+b */ - y2 = mpi_alloc (0); - mpi_mulm (y2, sk->E.G.y, sk->E.G.y, sk->E.p); /* y^2=y*y */ - if (mpi_cmp (y_2, y2)) - { - if (DBG_CIPHER) - log_debug ("Bad check: Point 'G' does not belong to curve 'E'!\n"); - goto leave; - } - /* G != PaI */ - if (!mpi_cmp_ui (sk->E.G.z, 0)) - { - if (DBG_CIPHER) - log_debug ("Bad check: 'G' cannot be Point at Infinity!\n"); - goto leave; - } - - ctx = _gcry_mpi_ec_init (sk->E.p, sk->E.a); - - _gcry_mpi_ec_mul_point (&Q, sk->E.n, &sk->E.G, ctx); - if (mpi_cmp_ui (Q.z, 0)) - { - if (DBG_CIPHER) - log_debug ("check_secret_key: E is not a curve of order n\n"); - goto leave; - } - /* pubkey cannot be PaI */ - if (!mpi_cmp_ui (sk->Q.z, 0)) - { - if (DBG_CIPHER) - log_debug ("Bad check: Q can not be a Point at Infinity!\n"); - goto leave; - } - /* pubkey = [d]G over E */ - _gcry_mpi_ec_mul_point (&Q, sk->d, &sk->E.G, ctx); - if ((Q.x == sk->Q.x) && (Q.y == sk->Q.y) && (Q.z == sk->Q.z)) - { - if (DBG_CIPHER) - log_debug - ("Bad check: There is NO correspondence between 'd' and 'Q'!\n"); - goto leave; - } - rc = 0; /* Okay. */ - - leave: - _gcry_mpi_ec_free (ctx); - mpi_free (y2); - mpi_free (y_2); - point_free (&Q); - return rc; -} - - -/* - * Return the signature struct (r,s) from the message hash. The caller - * must have allocated R and S. - */ -static gpg_err_code_t -sign (gcry_mpi_t input, ECC_secret_key *skey, gcry_mpi_t r, gcry_mpi_t s) -{ - gpg_err_code_t err = 0; - gcry_mpi_t k, dr, sum, k_1, x; - mpi_point_t I; - mpi_ec_t ctx; - - if (DBG_CIPHER) - log_mpidump ("ecdsa sign hash ", input ); - - k = NULL; - dr = mpi_alloc (0); - sum = mpi_alloc (0); - k_1 = mpi_alloc (0); - x = mpi_alloc (0); - point_init (&I); - - mpi_set_ui (s, 0); - mpi_set_ui (r, 0); - - ctx = _gcry_mpi_ec_init (skey->E.p, skey->E.a); - - while (!mpi_cmp_ui (s, 0)) /* s == 0 */ - { - while (!mpi_cmp_ui (r, 0)) /* r == 0 */ - { - /* Note, that we are guaranteed to enter this loop at least - once because r has been intialized to 0. We can't use a - do_while because we want to keep the value of R even if S - has to be recomputed. */ - mpi_free (k); - k = gen_k (skey->E.n, GCRY_STRONG_RANDOM); - _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); - if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) - { - if (DBG_CIPHER) - log_debug ("ecc sign: Failed to get affine coordinates\n"); - err = GPG_ERR_BAD_SIGNATURE; - goto leave; - } - mpi_mod (r, x, skey->E.n); /* r = x mod n */ - } - mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n */ - mpi_addm (sum, input, dr, skey->E.n); /* sum = hash + (d*r) mod n */ - mpi_invm (k_1, k, skey->E.n); /* k_1 = k^(-1) mod n */ - mpi_mulm (s, k_1, sum, skey->E.n); /* s = k^(-1)*(hash+(d*r)) mod n */ - } - - if (DBG_CIPHER) - { - log_mpidump ("ecdsa sign result r ", r); - log_mpidump ("ecdsa sign result s ", s); - } - - leave: - _gcry_mpi_ec_free (ctx); - point_free (&I); - mpi_free (x); - mpi_free (k_1); - mpi_free (sum); - mpi_free (dr); - mpi_free (k); - - return err; -} - - -/* - * Check if R and S verifies INPUT. - */ -static gpg_err_code_t -verify (gcry_mpi_t input, ECC_public_key *pkey, gcry_mpi_t r, gcry_mpi_t s) -{ - gpg_err_code_t err = 0; - gcry_mpi_t h, h1, h2, x, y; - mpi_point_t Q, Q1, Q2; - mpi_ec_t ctx; - - if( !(mpi_cmp_ui (r, 0) > 0 && mpi_cmp (r, pkey->E.n) < 0) ) - return GPG_ERR_BAD_SIGNATURE; /* Assertion 0 < r < n failed. */ - if( !(mpi_cmp_ui (s, 0) > 0 && mpi_cmp (s, pkey->E.n) < 0) ) - return GPG_ERR_BAD_SIGNATURE; /* Assertion 0 < s < n failed. */ - - h = mpi_alloc (0); - h1 = mpi_alloc (0); - h2 = mpi_alloc (0); - x = mpi_alloc (0); - y = mpi_alloc (0); - point_init (&Q); - point_init (&Q1); - point_init (&Q2); - - ctx = _gcry_mpi_ec_init (pkey->E.p, pkey->E.a); - - /* h = s^(-1) (mod n) */ - mpi_invm (h, s, pkey->E.n); -/* log_mpidump (" h", h); */ - /* h1 = hash * s^(-1) (mod n) */ - mpi_mulm (h1, input, h, pkey->E.n); -/* log_mpidump (" h1", h1); */ - /* Q1 = [ hash * s^(-1) ]G */ - _gcry_mpi_ec_mul_point (&Q1, h1, &pkey->E.G, ctx); -/* log_mpidump ("Q1.x", Q1.x); */ -/* log_mpidump ("Q1.y", Q1.y); */ -/* log_mpidump ("Q1.z", Q1.z); */ - /* h2 = r * s^(-1) (mod n) */ - mpi_mulm (h2, r, h, pkey->E.n); -/* log_mpidump (" h2", h2); */ - /* Q2 = [ r * s^(-1) ]Q */ - _gcry_mpi_ec_mul_point (&Q2, h2, &pkey->Q, ctx); -/* log_mpidump ("Q2.x", Q2.x); */ -/* log_mpidump ("Q2.y", Q2.y); */ -/* log_mpidump ("Q2.z", Q2.z); */ - /* Q = ([hash * s^(-1)]G) + ([r * s^(-1)]Q) */ - _gcry_mpi_ec_add_points (&Q, &Q1, &Q2, ctx); -/* log_mpidump (" Q.x", Q.x); */ -/* log_mpidump (" Q.y", Q.y); */ -/* log_mpidump (" Q.z", Q.z); */ - - if (!mpi_cmp_ui (Q.z, 0)) - { - if (DBG_CIPHER) - log_debug ("ecc verify: Rejected\n"); - err = GPG_ERR_BAD_SIGNATURE; - goto leave; - } - if (_gcry_mpi_ec_get_affine (x, y, &Q, ctx)) - { - if (DBG_CIPHER) - log_debug ("ecc verify: Failed to get affine coordinates\n"); - err = GPG_ERR_BAD_SIGNATURE; - goto leave; - } - mpi_mod (x, x, pkey->E.n); /* x = x mod E_n */ - if (mpi_cmp (x, r)) /* x != r */ - { - if (DBG_CIPHER) - { - log_mpidump (" x", x); - log_mpidump (" y", y); - log_mpidump (" r", r); - log_mpidump (" s", s); - log_debug ("ecc verify: Not verified\n"); - } - err = GPG_ERR_BAD_SIGNATURE; - goto leave; - } - if (DBG_CIPHER) - log_debug ("ecc verify: Accepted\n"); - - leave: - _gcry_mpi_ec_free (ctx); - point_free (&Q2); - point_free (&Q1); - point_free (&Q); - mpi_free (y); - mpi_free (x); - mpi_free (h2); - mpi_free (h1); - mpi_free (h); - return err; -} - - - -/********************************************* - ************** interface ****************** - *********************************************/ -static gcry_mpi_t -ec2os (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t p) -{ - gpg_error_t err; - int pbytes = (mpi_get_nbits (p)+7)/8; - size_t n; - unsigned char *buf, *ptr; - gcry_mpi_t result; - - buf = gcry_xmalloc ( 1 + 2*pbytes ); - *buf = 04; /* Uncompressed point. */ - ptr = buf+1; - err = gcry_mpi_print (GCRYMPI_FMT_USG, ptr, pbytes, &n, x); - if (err) - log_fatal ("mpi_print failed: %s\n", gpg_strerror (err)); - if (n < pbytes) - { - memmove (ptr+(pbytes-n), ptr, n); - memset (ptr, 0, (pbytes-n)); - } - ptr += pbytes; - err = gcry_mpi_print (GCRYMPI_FMT_USG, ptr, pbytes, &n, y); - if (err) - log_fatal ("mpi_print failed: %s\n", gpg_strerror (err)); - if (n < pbytes) - { - memmove (ptr+(pbytes-n), ptr, n); - memset (ptr, 0, (pbytes-n)); - } - - err = gcry_mpi_scan (&result, GCRYMPI_FMT_USG, buf, 1+2*pbytes, NULL); - if (err) - log_fatal ("mpi_scan failed: %s\n", gpg_strerror (err)); - gcry_free (buf); - - return result; -} - - -/* RESULT must have been initialized and is set on success to the - point given by VALUE. */ -static gcry_error_t -os2ec (mpi_point_t *result, gcry_mpi_t value) -{ - gcry_error_t err; - size_t n; - unsigned char *buf; - gcry_mpi_t x, y; - - n = (mpi_get_nbits (value)+7)/8; - buf = gcry_xmalloc (n); - err = gcry_mpi_print (GCRYMPI_FMT_USG, buf, n, &n, value); - if (err) - { - gcry_free (buf); - return err; - } - if (n < 1) - { - gcry_free (buf); - return GPG_ERR_INV_OBJ; - } - if (*buf != 4) - { - gcry_free (buf); - return GPG_ERR_NOT_IMPLEMENTED; /* No support for point compression. */ - } - if ( ((n-1)%2) ) - { - gcry_free (buf); - return GPG_ERR_INV_OBJ; - } - n = (n-1)/2; - err = gcry_mpi_scan (&x, GCRYMPI_FMT_USG, buf+1, n, NULL); - if (err) - { - gcry_free (buf); - return err; - } - err = gcry_mpi_scan (&y, GCRYMPI_FMT_USG, buf+1+n, n, NULL); - gcry_free (buf); - if (err) - { - mpi_free (x); - return err; - } - - mpi_set (result->x, x); - mpi_set (result->y, y); - mpi_set_ui (result->z, 1); - - mpi_free (x); - mpi_free (y); - - return 0; -} - - -/* Extended version of ecc_generate. */ -static gcry_err_code_t -ecc_generate_ext (int algo, unsigned int nbits, unsigned long evalue, - const gcry_sexp_t genparms, - gcry_mpi_t *skey, gcry_mpi_t **retfactors, - gcry_sexp_t *r_extrainfo) -{ - gpg_err_code_t ec; - ECC_secret_key sk; - gcry_mpi_t g_x, g_y, q_x, q_y; - char *curve_name = NULL; - gcry_sexp_t l1; - int transient_key = 0; - const char *usedcurve = NULL; - - (void)algo; - (void)evalue; - - if (genparms) - { - /* Parse the optional "curve" parameter. */ - l1 = gcry_sexp_find_token (genparms, "curve", 0); - if (l1) - { - curve_name = _gcry_sexp_nth_string (l1, 1); - gcry_sexp_release (l1); - if (!curve_name) - return GPG_ERR_INV_OBJ; /* No curve name or value too large. */ - } - - /* Parse the optional transient-key flag. */ - l1 = gcry_sexp_find_token (genparms, "transient-key", 0); - if (l1) - { - transient_key = 1; - gcry_sexp_release (l1); - } - } - - /* NBITS is required if no curve name has been given. */ - if (!nbits && !curve_name) - return GPG_ERR_NO_OBJ; /* No NBITS parameter. */ - - g_x = mpi_new (0); - g_y = mpi_new (0); - q_x = mpi_new (0); - q_y = mpi_new (0); - ec = generate_key (&sk, nbits, curve_name, transient_key, g_x, g_y, q_x, q_y, - &usedcurve); - gcry_free (curve_name); - if (ec) - return ec; - if (usedcurve) /* Fixme: No error return checking. */ - gcry_sexp_build (r_extrainfo, NULL, "(curve %s)", usedcurve); - - skey[0] = sk.E.p; - skey[1] = sk.E.a; - skey[2] = sk.E.b; - skey[3] = ec2os (g_x, g_y, sk.E.p); - skey[4] = sk.E.n; - skey[5] = ec2os (q_x, q_y, sk.E.p); - skey[6] = sk.d; - - mpi_free (g_x); - mpi_free (g_y); - mpi_free (q_x); - mpi_free (q_y); - - point_free (&sk.E.G); - point_free (&sk.Q); - - /* Make an empty list of factors. */ - *retfactors = gcry_calloc ( 1, sizeof **retfactors ); - if (!*retfactors) - return gpg_err_code_from_syserror (); /* Fixme: relase mem? */ - - if (DBG_CIPHER) - { - log_mpidump ("ecgen result p", skey[0]); - log_mpidump ("ecgen result a", skey[1]); - log_mpidump ("ecgen result b", skey[2]); - log_mpidump ("ecgen result G", skey[3]); - log_mpidump ("ecgen result n", skey[4]); - log_mpidump ("ecgen result Q", skey[5]); - log_mpidump ("ecgen result d", skey[6]); - } - - return 0; -} - - -static gcry_err_code_t -ecc_generate (int algo, unsigned int nbits, unsigned long evalue, - gcry_mpi_t *skey, gcry_mpi_t **retfactors) -{ - (void)evalue; - return ecc_generate_ext (algo, nbits, 0, NULL, skey, retfactors, NULL); -} - - -/* Return the parameters of the curve NAME in an MPI array. */ -static gcry_err_code_t -ecc_get_param (const char *name, gcry_mpi_t *pkey) -{ - gpg_err_code_t err; - unsigned int nbits; - elliptic_curve_t E; - mpi_ec_t ctx; - gcry_mpi_t g_x, g_y; - - err = fill_in_curve (0, name, &E, &nbits); - if (err) - return err; - - g_x = mpi_new (0); - g_y = mpi_new (0); - ctx = _gcry_mpi_ec_init (E.p, E.a); - if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx)) - log_fatal ("ecc get param: Failed to get affine coordinates\n"); - _gcry_mpi_ec_free (ctx); - point_free (&E.G); - - pkey[0] = E.p; - pkey[1] = E.a; - pkey[2] = E.b; - pkey[3] = ec2os (g_x, g_y, E.p); - pkey[4] = E.n; - pkey[5] = NULL; - - mpi_free (g_x); - mpi_free (g_y); - - return 0; -} - - -/* Return the parameters of the curve NAME as an S-expression. */ -static gcry_sexp_t -ecc_get_param_sexp (const char *name) -{ - gcry_mpi_t pkey[6]; - gcry_sexp_t result; - int i; - - if (ecc_get_param (name, pkey)) - return NULL; - - if (gcry_sexp_build (&result, NULL, - "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)))", - pkey[0], pkey[1], pkey[2], pkey[3], pkey[4])) - result = NULL; - - for (i=0; pkey[i]; i++) - gcry_mpi_release (pkey[i]); - - return result; -} - - -/* Return the name matching the parameters in PKEY. */ -static const char * -ecc_get_curve (gcry_mpi_t *pkey, int iterator, unsigned int *r_nbits) -{ - gpg_err_code_t err; - elliptic_curve_t E; - int idx; - gcry_mpi_t tmp; - const char *result = NULL; - - if (r_nbits) - *r_nbits = 0; - - if (!pkey) - { - idx = iterator; - if (idx >= 0 && idx < DIM (domain_parms)) - { - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - } - return result; - } - - if (!pkey[0] || !pkey[1] || !pkey[2] || !pkey[3] || !pkey[4]) - return NULL; - - E.p = pkey[0]; - E.a = pkey[1]; - E.b = pkey[2]; - point_init (&E.G); - err = os2ec (&E.G, pkey[3]); - if (err) - { - point_free (&E.G); - return NULL; - } - E.n = pkey[4]; - - for (idx = 0; domain_parms[idx].desc; idx++) - { - tmp = scanval (domain_parms[idx].p); - if (!mpi_cmp (tmp, E.p)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].a); - if (!mpi_cmp (tmp, E.a)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].b); - if (!mpi_cmp (tmp, E.b)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].n); - if (!mpi_cmp (tmp, E.n)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].g_x); - if (!mpi_cmp (tmp, E.G.x)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].g_y); - if (!mpi_cmp (tmp, E.G.y)) - { - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - break; - } - } - } - } - } - } - mpi_free (tmp); - } - - point_free (&E.G); - - return result; -} - - -static gcry_err_code_t -ecc_check_secret_key (int algo, gcry_mpi_t *skey) -{ - gpg_err_code_t err; - ECC_secret_key sk; - - (void)algo; - - /* FIXME: This check looks a bit fishy: Now long is the array? */ - if (!skey[0] || !skey[1] || !skey[2] || !skey[3] || !skey[4] || !skey[5] - || !skey[6]) - return GPG_ERR_BAD_MPI; - - sk.E.p = skey[0]; - sk.E.a = skey[1]; - sk.E.b = skey[2]; - point_init (&sk.E.G); - err = os2ec (&sk.E.G, skey[3]); - if (err) - { - point_free (&sk.E.G); - return err; - } - sk.E.n = skey[4]; - point_init (&sk.Q); - err = os2ec (&sk.Q, skey[5]); - if (err) - { - point_free (&sk.E.G); - point_free (&sk.Q); - return err; - } - - sk.d = skey[6]; - - if (check_secret_key (&sk)) - { - point_free (&sk.E.G); - point_free (&sk.Q); - return GPG_ERR_BAD_SECKEY; - } - point_free (&sk.E.G); - point_free (&sk.Q); - return 0; -} - - -static gcry_err_code_t -ecc_sign (int algo, gcry_mpi_t *resarr, gcry_mpi_t data, gcry_mpi_t *skey) -{ - gpg_err_code_t err; - ECC_secret_key sk; - - (void)algo; - - if (!data || !skey[0] || !skey[1] || !skey[2] || !skey[3] || !skey[4] - || !skey[5] || !skey[6] ) - return GPG_ERR_BAD_MPI; - - sk.E.p = skey[0]; - sk.E.a = skey[1]; - sk.E.b = skey[2]; - point_init (&sk.E.G); - err = os2ec (&sk.E.G, skey[3]); - if (err) - { - point_free (&sk.E.G); - return err; - } - sk.E.n = skey[4]; - point_init (&sk.Q); - err = os2ec (&sk.Q, skey[5]); - if (err) - { - point_free (&sk.E.G); - point_free (&sk.Q); - return err; - } - sk.d = skey[6]; - - resarr[0] = mpi_alloc (mpi_get_nlimbs (sk.E.p)); - resarr[1] = mpi_alloc (mpi_get_nlimbs (sk.E.p)); - err = sign (data, &sk, resarr[0], resarr[1]); - if (err) - { - mpi_free (resarr[0]); - mpi_free (resarr[1]); - resarr[0] = NULL; /* Mark array as released. */ - } - point_free (&sk.E.G); - point_free (&sk.Q); - return err; -} - - -static gcry_err_code_t -ecc_verify (int algo, gcry_mpi_t hash, gcry_mpi_t *data, gcry_mpi_t *pkey, - int (*cmp)(void *, gcry_mpi_t), void *opaquev) -{ - gpg_err_code_t err; - ECC_public_key pk; - - (void)algo; - (void)cmp; - (void)opaquev; - - if (!data[0] || !data[1] || !hash || !pkey[0] || !pkey[1] || !pkey[2] - || !pkey[3] || !pkey[4] || !pkey[5] ) - return GPG_ERR_BAD_MPI; - - pk.E.p = pkey[0]; - pk.E.a = pkey[1]; - pk.E.b = pkey[2]; - point_init (&pk.E.G); - err = os2ec (&pk.E.G, pkey[3]); - if (err) - { - point_free (&pk.E.G); - return err; - } - pk.E.n = pkey[4]; - point_init (&pk.Q); - err = os2ec (&pk.Q, pkey[5]); - if (err) - { - point_free (&pk.E.G); - point_free (&pk.Q); - return err; - } - - err = verify (hash, &pk, data[0], data[1]); - - point_free (&pk.E.G); - point_free (&pk.Q); - return err; -} - - -/* ecdh raw is classic 2-round DH protocol published in 1976. - * - * Overview of ecc_encrypt_raw and ecc_decrypt_raw. - * - * As with any PK operation, encrypt version uses a public key and - * decrypt -- private. - * - * Symbols used below: - * G - field generator point - * d - private long-term scalar - * dG - public long-term key - * k - ephemeral scalar - * kG - ephemeral public key - * dkG - shared secret - * - * ecc_encrypt_raw description: - * input: - * data[0] : private scalar (k) - * output: - * result[0] : shared point (kdG) - * result[1] : generated ephemeral public key (kG) - * - * ecc_decrypt_raw description: - * input: - * data[0] : a point kG (ephemeral public key) - * output: - * result[0] : shared point (kdG) - */ -static gcry_err_code_t -ecc_encrypt_raw (int algo, gcry_mpi_t *resarr, gcry_mpi_t k, - gcry_mpi_t *pkey, int flags) -{ - ECC_public_key pk; - mpi_ec_t ctx; - gcry_mpi_t result[2]; - int err; - - (void)algo; - (void)flags; - - if (!k - || !pkey[0] || !pkey[1] || !pkey[2] || !pkey[3] || !pkey[4] || !pkey[5]) - return GPG_ERR_BAD_MPI; - - pk.E.p = pkey[0]; - pk.E.a = pkey[1]; - pk.E.b = pkey[2]; - point_init (&pk.E.G); - err = os2ec (&pk.E.G, pkey[3]); - if (err) - { - point_free (&pk.E.G); - return err; - } - pk.E.n = pkey[4]; - point_init (&pk.Q); - err = os2ec (&pk.Q, pkey[5]); - if (err) - { - point_free (&pk.E.G); - point_free (&pk.Q); - return err; - } - - ctx = _gcry_mpi_ec_init (pk.E.p, pk.E.a); - - /* The following is false: assert( mpi_cmp_ui( R.x, 1 )==0 );, so */ - { - mpi_point_t R; /* Result that we return. */ - gcry_mpi_t x, y; - - x = mpi_new (0); - y = mpi_new (0); - - point_init (&R); - - /* R = kQ <=> R = kdG */ - _gcry_mpi_ec_mul_point (&R, k, &pk.Q, ctx); - - if (_gcry_mpi_ec_get_affine (x, y, &R, ctx)) - log_fatal ("ecdh: Failed to get affine coordinates for kdG\n"); - - result[0] = ec2os (x, y, pk.E.p); - - /* R = kG */ - _gcry_mpi_ec_mul_point (&R, k, &pk.E.G, ctx); - - if (_gcry_mpi_ec_get_affine (x, y, &R, ctx)) - log_fatal ("ecdh: Failed to get affine coordinates for kG\n"); - - result[1] = ec2os (x, y, pk.E.p); - - mpi_free (x); - mpi_free (y); - - point_free (&R); - } - - _gcry_mpi_ec_free (ctx); - point_free (&pk.E.G); - point_free (&pk.Q); - - if (!result[0] || !result[1]) - { - mpi_free (result[0]); - mpi_free (result[1]); - return GPG_ERR_ENOMEM; - } - - /* Success. */ - resarr[0] = result[0]; - resarr[1] = result[1]; - - return 0; -} - -/* input: - * data[0] : a point kG (ephemeral public key) - * output: - * resaddr[0] : shared point kdG - * - * see ecc_encrypt_raw for details. - */ -static gcry_err_code_t -ecc_decrypt_raw (int algo, gcry_mpi_t *result, gcry_mpi_t *data, - gcry_mpi_t *skey, int flags) -{ - ECC_secret_key sk; - mpi_point_t R; /* Result that we return. */ - mpi_point_t kG; - mpi_ec_t ctx; - gcry_mpi_t r; - int err; - - (void)algo; - (void)flags; - - *result = NULL; - - if (!data || !data[0] - || !skey[0] || !skey[1] || !skey[2] || !skey[3] || !skey[4] - || !skey[5] || !skey[6] ) - return GPG_ERR_BAD_MPI; - - point_init (&kG); - err = os2ec (&kG, data[0]); - if (err) - { - point_free (&kG); - return err; - } - - - sk.E.p = skey[0]; - sk.E.a = skey[1]; - sk.E.b = skey[2]; - point_init (&sk.E.G); - err = os2ec (&sk.E.G, skey[3]); - if (err) - { - point_free (&kG); - point_free (&sk.E.G); - return err; - } - sk.E.n = skey[4]; - point_init (&sk.Q); - err = os2ec (&sk.Q, skey[5]); - if (err) - { - point_free (&kG); - point_free (&sk.E.G); - point_free (&sk.Q); - return err; - } - sk.d = skey[6]; - - ctx = _gcry_mpi_ec_init (sk.E.p, sk.E.a); - - /* R = dkG */ - point_init (&R); - _gcry_mpi_ec_mul_point (&R, sk.d, &kG, ctx); - - point_free (&kG); - - /* The following is false: assert( mpi_cmp_ui( R.x, 1 )==0 );, so: */ - { - gcry_mpi_t x, y; - - x = mpi_new (0); - y = mpi_new (0); - - if (_gcry_mpi_ec_get_affine (x, y, &R, ctx)) - log_fatal ("ecdh: Failed to get affine coordinates\n"); - - r = ec2os (x, y, sk.E.p); - mpi_free (x); - mpi_free (y); - } - - point_free (&R); - _gcry_mpi_ec_free (ctx); - point_free (&kG); - point_free (&sk.E.G); - point_free (&sk.Q); - - if (!r) - return GPG_ERR_ENOMEM; - - /* Success. */ - - *result = r; - - return 0; -} - - -static unsigned int -ecc_get_nbits (int algo, gcry_mpi_t *pkey) -{ - (void)algo; - - return mpi_get_nbits (pkey[0]); -} - - -/* See rsa.c for a description of this function. */ -static gpg_err_code_t -compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparam) -{ -#define N_COMPONENTS 6 - static const char names[N_COMPONENTS+1] = "pabgnq"; - gpg_err_code_t ec = 0; - gcry_sexp_t l1; - gcry_mpi_t values[N_COMPONENTS]; - int idx; - - /* Clear the values for easier error cleanup. */ - for (idx=0; idx < N_COMPONENTS; idx++) - values[idx] = NULL; - - /* Fill values with all provided parameters. */ - for (idx=0; idx < N_COMPONENTS; idx++) - { - l1 = gcry_sexp_find_token (keyparam, names+idx, 1); - if (l1) - { - values[idx] = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG); - gcry_sexp_release (l1); - if (!values[idx]) - { - ec = GPG_ERR_INV_OBJ; - goto leave; - } - } - } - - /* Check whether a curve parameter is available and use that to fill - in missing values. */ - l1 = gcry_sexp_find_token (keyparam, "curve", 5); - if (l1) - { - char *curve; - gcry_mpi_t tmpvalues[N_COMPONENTS]; - - for (idx = 0; idx < N_COMPONENTS; idx++) - tmpvalues[idx] = NULL; - - curve = _gcry_sexp_nth_string (l1, 1); - gcry_sexp_release (l1); - if (!curve) - { - ec = GPG_ERR_INV_OBJ; /* Name missing or out of core. */ - goto leave; - } - ec = ecc_get_param (curve, tmpvalues); - gcry_free (curve); - if (ec) - goto leave; - - for (idx = 0; idx < N_COMPONENTS; idx++) - { - if (!values[idx]) - values[idx] = tmpvalues[idx]; - else - mpi_free (tmpvalues[idx]); - } - } - - /* Check that all parameters are known and normalize all MPIs (that - should not be required but we use an internal function later and - thus we better make 100% sure that they are normalized). */ - for (idx = 0; idx < N_COMPONENTS; idx++) - if (!values[idx]) - { - ec = GPG_ERR_NO_OBJ; - goto leave; - } - else - _gcry_mpi_normalize (values[idx]); - - /* Hash them all. */ - for (idx = 0; idx < N_COMPONENTS; idx++) - { - char buf[30]; - unsigned char *rawmpi; - unsigned int rawmpilen; - - rawmpi = _gcry_mpi_get_buffer (values[idx], &rawmpilen, NULL); - if (!rawmpi) - { - ec = gpg_err_code_from_syserror (); - goto leave; - } - snprintf (buf, sizeof buf, "(1:%c%u:", names[idx], rawmpilen); - gcry_md_write (md, buf, strlen (buf)); - gcry_md_write (md, rawmpi, rawmpilen); - gcry_md_write (md, ")", 1); - gcry_free (rawmpi); - } - - leave: - for (idx = 0; idx < N_COMPONENTS; idx++) - _gcry_mpi_release (values[idx]); - - return ec; -#undef N_COMPONENTS -} - - - - - -/* - Self-test section. - */ - - -static gpg_err_code_t -selftests_ecdsa (selftest_report_func_t report) -{ - const char *what; - const char *errtxt; - - what = "low-level"; - errtxt = NULL; /*selftest ();*/ - if (errtxt) - goto failed; - - /* FIXME: need more tests. */ - - return 0; /* Succeeded. */ - - failed: - if (report) - report ("pubkey", GCRY_PK_ECDSA, what, errtxt); - return GPG_ERR_SELFTEST_FAILED; -} - - -/* Run a full self-test for ALGO and return 0 on success. */ -static gpg_err_code_t -run_selftests (int algo, int extended, selftest_report_func_t report) -{ - gpg_err_code_t ec; - - (void)extended; - - switch (algo) - { - case GCRY_PK_ECDSA: - ec = selftests_ecdsa (report); - break; - default: - ec = GPG_ERR_PUBKEY_ALGO; - break; - - } - return ec; -} - - - - -static const char *ecdsa_names[] = - { - "ecdsa", - "ecc", - NULL, - }; -static const char *ecdh_names[] = - { - "ecdh", - "ecc", - NULL, - }; - -gcry_pk_spec_t _gcry_pubkey_spec_ecdsa = - { - "ECDSA", ecdsa_names, - "pabgnq", "pabgnqd", "", "rs", "pabgnq", - GCRY_PK_USAGE_SIGN, - ecc_generate, - ecc_check_secret_key, - NULL, - NULL, - ecc_sign, - ecc_verify, - ecc_get_nbits - }; - -gcry_pk_spec_t _gcry_pubkey_spec_ecdh = - { - "ECDH", ecdh_names, - "pabgnq", "pabgnqd", "se", "", "pabgnq", - GCRY_PK_USAGE_ENCR, - ecc_generate, - ecc_check_secret_key, - ecc_encrypt_raw, - ecc_decrypt_raw, - NULL, - NULL, - ecc_get_nbits - }; - - -pk_extra_spec_t _gcry_pubkey_extraspec_ecdsa = - { - run_selftests, - ecc_generate_ext, - compute_keygrip, - ecc_get_param, - ecc_get_curve, - ecc_get_param_sexp - }; diff --git a/hobble-libgcrypt b/hobble-libgcrypt index 1062d6e..5eade9d 100755 --- a/hobble-libgcrypt +++ b/hobble-libgcrypt @@ -6,4 +6,6 @@ set -e -x # Clean out patent-or-otherwise-encumbered code. # EC: ????????? ??/??/2015 -rm -f cipher/ecc.c +rm -f cipher/ecc-curves.c +rm -f tests/curves.c +rm -f tests/t_mpi_point.c diff --git a/libgcrypt-1.5.0-fips-cavs.patch b/libgcrypt-1.5.0-fips-cavs.patch deleted file mode 100644 index ac999f9..0000000 --- a/libgcrypt-1.5.0-fips-cavs.patch +++ /dev/null @@ -1,1174 +0,0 @@ -diff -up libgcrypt-1.5.0/cipher/dsa.c.cavs libgcrypt-1.5.0/cipher/dsa.c ---- libgcrypt-1.5.0/cipher/dsa.c.cavs 2011-07-21 14:56:35.000000000 +0200 -+++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-21 14:58:06.000000000 +0200 -@@ -479,7 +479,6 @@ generate_fips186 (DSA_secret_key *sk, un - initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1, - &initial_seed.seedlen); - } -- - if (use_fips186_2) - ec = _gcry_generate_fips186_2_prime (nbits, qbits, - initial_seed.seed, -@@ -487,13 +486,22 @@ generate_fips186 (DSA_secret_key *sk, un - &prime_q, &prime_p, - r_counter, - r_seed, r_seedlen); -- else -+ else if (!domain->p || !domain->q) - ec = _gcry_generate_fips186_3_prime (nbits, qbits, - initial_seed.seed, - initial_seed.seedlen, - &prime_q, &prime_p, - r_counter, - r_seed, r_seedlen, NULL); -+ else -+ { -+ /* Domain parameters p and q are given; use them. */ -+ prime_p = mpi_copy (domain->p); -+ prime_q = mpi_copy (domain->q); -+ gcry_assert (mpi_get_nbits (prime_p) == nbits); -+ gcry_assert (mpi_get_nbits (prime_q) == qbits); -+ ec = 0; -+ } - gcry_sexp_release (initial_seed.sexp); - if (ec) - goto leave; -@@ -784,13 +792,12 @@ dsa_generate_ext (int algo, unsigned int - gcry_sexp_release (l1); - gcry_sexp_release (domainsexp); - -- /* Check that all domain parameters are available. */ -- if (!domain.p || !domain.q || !domain.g) -+ /* Check that p and q domain parameters are available. */ -+ if (!domain.p || !domain.q || (!domain.g && !use_fips186)) - { - gcry_mpi_release (domain.p); - gcry_mpi_release (domain.q); - gcry_mpi_release (domain.g); -- gcry_sexp_release (deriveparms); - return GPG_ERR_MISSING_VALUE; - } - -diff -up libgcrypt-1.5.0/tests/cavs_driver.pl.cavs libgcrypt-1.5.0/tests/cavs_driver.pl ---- libgcrypt-1.5.0/tests/cavs_driver.pl.cavs 2011-02-04 20:18:20.000000000 +0100 -+++ libgcrypt-1.5.0/tests/cavs_driver.pl 2011-07-21 15:01:47.000000000 +0200 -@@ -1,9 +1,11 @@ - #!/usr/bin/env perl - # --# $Id: cavs_driver.pl 1497 2009-01-22 14:01:29Z smueller $ -+# $Id: cavs_driver.pl 2124 2010-12-20 07:56:30Z smueller $ - # - # CAVS test driver (based on the OpenSSL driver) - # Written by: Stephan Müller -+# Werner Koch (libgcrypt interface) -+# Tomas Mraz (addition of DSA2) - # Copyright (c) atsec information security corporation - # - # Permission is hereby granted, free of charge, to any person obtaining a copy -@@ -85,13 +87,16 @@ - # T[CBC|CFB??|ECB|OFB]varkey - # T[CBC|CFB??|ECB|OFB]invperm - # T[CBC|CFB??|ECB|OFB]vartext -+# WARNING: TDES in CFB and OFB mode problems see below - # - # ANSI X9.31 RNG - # ANSI931_AES128MCT - # ANSI931_AES128VST - # --# DSA -+# DSA2 - # PQGGen -+# PQGVer -+# KeyPair - # SigGen - # SigVer - # -@@ -101,6 +106,36 @@ - # RC4PltBD - # RC4REGT - # -+# -+# TDES MCT for CFB and OFB: -+# ------------------------- -+# The inner loop cannot be handled by this script. If you want to have tests -+# for these cipher types, implement your own inner loop and add it to -+# crypto_mct. -+# -+# the value $next_source in crypto_mct is NOT set by the standard implementation -+# of this script. It would need to be set as follows for these two (code take -+# from fipsdrv.c from libgcrypt - the value input at the end will contain the -+# the value for $next_source: -+# -+# ... inner loop ... -+# ... -+# get_current_iv (hd, last_iv, blocklen); -+# ... encrypt / decrypt (input is the data to be en/decrypted and output is the -+# result of operation) ... -+# if (encrypt_mode && (cipher_mode == GCRY_CIPHER_MODE_CFB)) -+# memcpy (input, last_iv, blocklen); -+# else if (cipher_mode == GCRY_CIPHER_MODE_OFB) -+# memcpy (input, last_iv, blocklen); -+# else if (!encrypt_mode && cipher_mode == GCRY_CIPHER_MODE_CFB) -+# { -+# /* Reconstruct the output vector. */ -+# int i; -+# for (i=0; i < blocklen; i++) -+# input[i] ^= output[i]; -+# } -+# ... inner loop ends ... -+# ==> now, the value of input is to be put into $next_source - - use strict; - use warnings; -@@ -226,6 +261,8 @@ my $hmac; - # Generate the P, Q, G, Seed, counter, h (value used to generate g) values - # for DSA - # $1: modulus size -+# $2: q size -+# $3: seed (might be empty string) - # return: string with the calculated values in hex format, where each value - # is separated from the previous with a \n in the following order: - # P\n -@@ -236,6 +273,19 @@ my $hmac; - # h - my $dsa_pqggen; - -+# Generate the G value from P and Q -+# for DSA -+# $1: modulus size -+# $2: q size -+# $3: P in hex form -+# $4: Q in hex form -+# return: string with the calculated values in hex format, where each value -+# is separated from the previous with a \n in the following order: -+# P\n -+# Q\n -+# G\n -+my $dsa_ggen; -+ - # - # Generate an DSA public key from the provided parameters: - # $1: Name of file to create -@@ -255,10 +305,20 @@ my $dsa_verify; - - # generate a new DSA key with the following properties: - # PEM format --# $1 keyfile name --# return: file created, hash with keys of P, Q, G in hex format -+# $1: modulus size -+# $2: q size -+# $3 keyfile name -+# return: file created with key, string with values of P, Q, G in hex format - my $gen_dsakey; - -+# generate a new DSA private key XY parameters in domain: -+# PEM format -+# $1: P in hex form -+# $2: Q in hex form -+# $3: G in hex form -+# return: string with values of X, Y in hex format -+my $gen_dsakey_domain; -+ - # Sign a message with DSA - # $1: data to be signed in hex form - # $2: Key file in PEM format with the private key -@@ -500,17 +560,32 @@ sub libgcrypt_hmac($$$$) { - return pipe_through_program($msg, $program); - } - --sub libgcrypt_dsa_pqggen($) { -+sub libgcrypt_dsa_pqggen($$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $seed = shift; -+ -+ my $program = "fipsdrv --keysize $mod --qsize $qsize dsa-pqg-gen"; -+ return pipe_through_program($seed, $program); -+} -+ -+sub libgcrypt_dsa_ggen($$$$) { - my $mod = shift; -+ my $qsize = shift; -+ my $p = shift; -+ my $q = shift; -+ my $domain = "(domain (p #$p#)(q #$q#))"; - -- my $program = "fipsdrv --keysize $mod dsa-pqg-gen"; -+ my $program = "fipsdrv --keysize $mod --qsize $qsize --key \'$domain\' dsa-g-gen"; - return pipe_through_program("", $program); - } - --sub libgcrypt_gen_dsakey($) { -+sub libgcrypt_gen_dsakey($$$) { -+ my $mod = shift; -+ my $qsize = shift; - my $file = shift; - -- my $program = "fipsdrv --keysize 1024 --key $file dsa-gen"; -+ my $program = "fipsdrv --keysize $mod --qsize $qsize --key $file dsa-gen"; - my $tmp; - my %ret; - -@@ -519,10 +594,21 @@ sub libgcrypt_gen_dsakey($) { - $tmp = pipe_through_program("", $program); - die "dsa key gen failed: file $file not created" if (! -f $file); - -- @ret{'P', 'Q', 'G', 'Seed', 'c', 'H'} = split(/\n/, $tmp); -+ @ret{'P', 'Q', 'G'} = split(/\n/, $tmp); - return %ret; - } - -+sub libgcrypt_gen_dsakey_domain($$$) { -+ my $p = shift; -+ my $q = shift; -+ my $g = shift; -+ my $domain = "(domain (p #$p#)(q #$q#)(g #$g#))"; -+ -+ my $program = "fipsdrv --key '$domain' dsa-gen-key"; -+ -+ return pipe_through_program("", $program); -+} -+ - sub libgcrypt_dsa_genpubkey($$$$$) { - my $filename = shift; - my $p = shift; -@@ -1139,7 +1225,7 @@ sub hmac_kat($$$$) { - $out .= "Tlen = $tlen\n"; - $out .= "Key = $key\n"; - $out .= "Msg = $msg\n"; -- $out .= "Mac = " . &$hmac($key, $tlen, $msg, $hashtype{$tlen}) . "\n"; -+ $out .= "Mac = " . lc(&$hmac($key, $tlen, $msg, $hashtype{$tlen})) . "\n"; - - return $out; - } -@@ -1205,7 +1291,7 @@ sub crypto_mct($$$$$$$$) { - } - my ($CO, $CI); - my $cipher_imp = &$state_cipher($cipher, $enc, $bufsize, $key1, $iv); -- $cipher_imp = &$state_cipher_des($cipher, $enc, $bufsize, $key1, $iv) if($cipher =~ /des/); -+ $cipher_imp = &$state_cipher_des($cipher, $enc, $bufsize, $key1, $iv) if($cipher =~ /des/ && defined($state_cipher_des)); - my $pid = open2($CO, $CI, $cipher_imp); - - my $calc_data = $iv; # CT[j] -@@ -1213,8 +1299,8 @@ sub crypto_mct($$$$$$$$) { - my $old_old_calc_data; # CT[j-2] - my $next_source; - -- # TDES inner loop implements logic within driver -- if ($cipher =~ /des/) { -+ # TDES inner loop implements logic within driver of libgcrypt -+ if ($cipher =~ /des/ && $opt{'I'} && $opt{'I'} eq 'libgcrypt' ) { - # Need to provide a dummy IV in case of ECB mode. - my $iv_arg = (defined($iv) && $iv ne "") - ? bin2hex($iv) -@@ -1238,6 +1324,10 @@ sub crypto_mct($$$$$$$$) { - $line = <$CO>; - } else { - for (my $j = 0; $j < $iloop; ++$j) { -+ if ($cipher =~ /des-ede3-ofb/ || -+ (!$enc && $cipher =~ /des-ede3-cfb/)) { -+ die "Implementation lacks support for TDES OFB and TDES CFB in encryption mode - the problem is that we would need to extract the IV of the last round of encryption which would be the input for the next round - see comments in this script for implementation requirements"; -+ } - $old_old_calc_data = $old_calc_data; - $old_calc_data = $calc_data; - -@@ -1503,21 +1593,23 @@ sub rngx931($$$$) { - return $out; - } - --# DSA PQGGen test -+# DSA PQGen test - # $1 modulus size --# $2 number of rounds to perform the test -+# $2 q size -+# $3 number of rounds to perform the test - # return: string formatted as expected by CAVS --sub dsa_pqggen_driver($$) { -+sub dsa_pqgen_driver($$$) { - my $mod = shift; -+ my $qsize = shift; - my $rounds = shift; - - my $out = ""; - for(my $i=0; $i<$rounds; $i++) { -- my $ret = &$dsa_pqggen($mod); -+ my $ret = &$dsa_pqggen($mod, $qsize, ""); - my ($P, $Q, $G, $Seed, $c, $H) = split(/\n/, $ret); -- die "Return value does not contain all expected values of P, Q, G, Seed, c, H for dsa_pqggen" -- if (!defined($P) || !defined($Q) || !defined($G) || -- !defined($Seed) || !defined($c) || !defined($H)); -+ die "Return value does not contain all expected values of P, Q, Seed, c for dsa_pqggen" -+ if (!defined($P) || !defined($Q) || -+ !defined($Seed) || !defined($c)); - - # now change the counter to decimal as CAVS wants decimal - # counter value although all other is HEX -@@ -1525,15 +1617,166 @@ sub dsa_pqggen_driver($$) { - - $out .= "P = $P\n"; - $out .= "Q = $Q\n"; -- $out .= "G = $G\n"; -- $out .= "Seed = $Seed\n"; -- $out .= "c = $c\n"; -- $out .= "H = $H\n\n"; -+ $out .= "domain_parameter_seed = $Seed\n"; -+ $out .= "counter = $c\n\n"; - } - - return $out; - } - -+# DSA GGen test -+# $1 modulus size -+# $2 q size -+# $3 p in hex form -+# $4 q in hex form -+# return: string formatted as expected by CAVS -+sub dsa_ggen_driver($$$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $p = shift; -+ my $q = shift; -+ -+ my $out = ""; -+ my $ret = &$dsa_ggen($mod, $qsize, $p, $q); -+ my ($P, $Q, $G) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of P, Q, G for dsa_ggen" -+ if (!defined($P) || !defined($Q) || !defined($G)); -+ -+ $out .= "G = $G\n\n"; -+ -+ return $out; -+} -+ -+sub hexcomp($$) { -+ my $a = lc shift; -+ my $b = lc shift; -+ -+ if (length $a < length $b) { -+ my $c = $a; -+ $a = $b; -+ $b = $a; -+ } -+ -+ while (length $b < length $a) { -+ $b = "00$b"; -+ } -+ -+ return $a eq $b; -+} -+ -+# DSA PQVer test -+# $1 modulus size -+# $2 q size -+# $3 p in hex form -+# $4 q in hex form -+# $5 seed in hex form -+# $6 c decimal counter -+# return: string formatted as expected by CAVS -+sub dsa_pqver_driver($$$$$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $p = shift; -+ my $q = shift; -+ my $seed = shift; -+ my $c = shift; -+ -+ my $out = ""; -+ my $ret = &$dsa_pqggen($mod, $qsize, $seed); -+ my ($P, $Q, $G, $seed2, $c2, $h2) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of P, Q, G, seed, c for dsa_pqggen" -+ if (!defined($P) || !defined($Q) || !defined($G) || -+ !defined($seed2) || !defined($c2)); -+ -+ $c2 = hex($c2); -+ -+ $out .= "Seed = $seed\n"; -+ $out .= "c = $c\n"; -+ -+ if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($seed, $seed2) && $c == $c2) { -+ $out .= "Result = P\n\n"; -+ } -+ else { -+ $out .= "Result = F\n\n"; -+ } -+ return $out; -+} -+ -+# DSA PQGVer test -+# $1 modulus size -+# $2 q size -+# $3 p in hex form -+# $4 q in hex form -+# $5 g in hex form -+# $6 seed in hex form -+# $7 c decimal counter -+# $8 h in hex form -+# return: string formatted as expected by CAVS -+sub dsa_pqgver_driver($$$$$$$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $p = shift; -+ my $q = shift; -+ my $g = shift; -+ my $seed = shift; -+ my $c = shift; -+ my $h = shift; -+ -+ my $out = ""; -+ my $ret = &$dsa_pqggen($mod, $qsize, $seed); -+ my ($P, $Q, $G, $seed2, $c2, $h2) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of P, Q, G, seed, c, H for dsa_pqggen" -+ if (!defined($P) || !defined($Q) || !defined($G) || -+ !defined($seed2) || !defined($c2) || !defined($h2)); -+ -+ -+ -+ $out .= "Seed = $seed\n"; -+ $out .= "c = $c\n"; -+ $out .= "H = $h\n"; -+ -+ $c2 = hex($c2); -+ -+ if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($G, $g) && hexcomp($seed, $seed2) && -+ $c == $c2 && hex($h) == hex($h2)) { -+ $out .= "Result = P\n\n"; -+ } -+ else { -+ $out .= "Result = F\n\n"; -+ } -+ -+ return $out; -+} -+ -+# DSA Keypair test -+# $1 modulus size -+# $2 q size -+# $3 number of rounds to perform the test -+# return: string formatted as expected by CAVS -+sub dsa_keypair_driver($$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $rounds = shift; -+ -+ my $out = ""; -+ my $tmpkeyfile = "dsa_siggen.tmp.$$"; -+ my %pqg = &$gen_dsakey($mod, $qsize, $tmpkeyfile); -+ $out .= "P = " . $pqg{'P'} . "\n"; -+ $out .= "Q = " . $pqg{'Q'} . "\n"; -+ $out .= "G = " . $pqg{'G'} . "\n\n"; -+ unlink($tmpkeyfile); -+ -+ for(my $i=0; $i<$rounds; $i++) { -+ my $ret = &$gen_dsakey_domain($pqg{'P'}, $pqg{'Q'}, $pqg{'G'}); -+ my ($X, $Y) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of X, Y for gen_dsakey_domain" -+ if (!defined($X) || !defined($Y)); -+ -+ $out .= "X = $X\n"; -+ $out .= "Y = $Y\n\n"; -+ } -+ -+ return $out; -+} - - # DSA SigGen test - # $1: Message to be signed in hex form -@@ -1658,12 +1901,16 @@ sub parse($$) { - my $klen = ""; - my $tlen = ""; - my $modulus = ""; -+ my $qsize = ""; - my $capital_n = 0; -+ my $num = 0; - my $capital_p = ""; - my $capital_q = ""; - my $capital_g = ""; - my $capital_y = ""; - my $capital_r = ""; -+ my $capital_h = ""; -+ my $c = ""; - my $xp1 = ""; - my $xp2 = ""; - my $Xp = ""; -@@ -1700,7 +1947,7 @@ sub parse($$) { - - ##### Extract cipher - # XXX there may be more - to be added -- if ($tmpline =~ /^#.*(CBC|ECB|OFB|CFB|SHA-|SigGen|SigVer|RC4VS|ANSI X9\.31|Hash sizes tested|PQGGen|KeyGen RSA)/) { -+ if ($tmpline =~ /^#.*(CBC|ECB|OFB|CFB|SHA-|SigGen|SigVer|RC4VS|ANSI X9\.31|Hash sizes tested|PQGGen|KeyGen RSA|KeyPair|PQGVer)/) { - if ($tmpline =~ /CBC/) { $mode="cbc"; } - elsif ($tmpline =~ /ECB/) { $mode="ecb"; } - elsif ($tmpline =~ /OFB/) { $mode="ofb"; } -@@ -1749,7 +1996,15 @@ sub parse($$) { - - if ($tt == 0) { - ##### Identify the test type -- if ($tmpline =~ /KeyGen RSA \(X9\.31\)/) { -+ if ($tmpline =~ /PQGVer/) { -+ $tt = 16; -+ die "Interface function for DSA PQGVer testing not defined for tested library" -+ if (!defined($dsa_pqggen)); -+ } elsif ($tmpline =~ /KeyPair/) { -+ $tt = 14; -+ die "Interface function dsa_keygen for DSA key generation not defined for tested library" -+ if (!defined($gen_dsakey_domain)); -+ } elsif ($tmpline =~ /KeyGen RSA \(X9\.31\)/) { - $tt = 13; - die "Interface function rsa_derive for RSA key generation not defined for tested library" - if (!defined($rsa_derive)); -@@ -1760,11 +2015,11 @@ sub parse($$) { - } elsif ($tmpline =~ /SigGen/ && $opt{'D'}) { - $tt = 11; - die "Interface function dsa_sign or gen_dsakey for DSA sign not defined for tested library" -- if (!defined($dsa_sign) || !defined($gen_rsakey)); -+ if (!defined($dsa_sign) || !defined($gen_dsakey)); - } elsif ($tmpline =~ /PQGGen/) { - $tt = 10; - die "Interface function for DSA PQGGen testing not defined for tested library" -- if (!defined($dsa_pqggen)); -+ if (!defined($dsa_pqggen) || !defined($dsa_ggen)); - } elsif ($tmpline =~ /Hash sizes tested/) { - $tt = 9; - die "Interface function hmac for HMAC testing not defined for tested library" -@@ -1792,7 +2047,7 @@ sub parse($$) { - } elsif ($tmpline =~ /Monte|MCT|Carlo/) { - $tt = 2; - die "Interface function state_cipher for Stateful Cipher operation defined for tested library" -- if (!defined($state_cipher) || !defined($state_cipher_des)); -+ if (!defined($state_cipher) && !defined($state_cipher_des)); - } elsif ($cipher =~ /^sha/) { - $tt = 3; - die "Interface function hash for Hashing not defined for tested library" -@@ -1875,18 +2130,44 @@ sub parse($$) { - die "Msg/Seed seen twice - input file crap" if ($pt ne ""); - $pt=$2; - } -- elsif ($line =~ /^\[mod\s*=\s*(.*)\]$/) { # found in RSA requests -+ elsif ($line =~ /^\[A.2.1\s.*\]$/) { # found in DSA2 PQGGen request -+ $out .= $line . "\n"; # print it -+ if ($tt == 10) { -+ # now generate G from PQ -+ $tt = 15; -+ } -+ } -+ elsif ($line =~ /^\[A.2.2\s.*\]$/) { # found in DSA2 PQGVer request -+ $out .= $line . "\n"; # print it -+ if ($tt == 16) { -+ # now verify PQG -+ $tt = 17; -+ } -+ } -+ elsif ($line =~ /^\[mod\s*=\s*L=([0-9]*),\s*N=([0-9]*).*\]$/) { # found in DSA2 requests - $modulus = $1; -+ $qsize = $2; - $out .= $line . "\n\n"; # print it -+ # clear eventual PQG -+ $capital_p = ""; -+ $capital_q = ""; -+ $capital_g = ""; - # generate the private key with given bit length now - # as we have the required key length in bit - if ($tt == 11) { - $dsa_keyfile = "dsa_siggen.tmp.$$"; -- my %pqg = &$gen_dsakey($dsa_keyfile); -+ my %pqg = &$gen_dsakey($modulus, $qsize, $dsa_keyfile); - $out .= "P = " . $pqg{'P'} . "\n"; - $out .= "Q = " . $pqg{'Q'} . "\n"; -- $out .= "G = " . $pqg{'G'} . "\n"; -- } elsif ( $tt == 5 ) { -+ $out .= "G = " . $pqg{'G'} . "\n\n"; -+ } -+ } -+ elsif ($line =~ /^\[mod\s*=\s*(.*)\]$/) { # found in RSA requests -+ $modulus = $1; -+ $out .= $line . "\n\n"; # print it -+ # generate the private key with given bit length now -+ # as we have the required key length in bit -+ if ( $tt == 5 ) { - # XXX maybe a secure temp file name is better here - # but since it is not run on a security sensitive - # system, I hope that this is fine -@@ -1932,11 +2213,16 @@ sub parse($$) { - if ($tlen ne ""); - $tlen=$1; - } -- elsif ($line =~ /^N\s*=\s*(.*)/) { #DSA PQGGen -+ elsif ($line =~ /^N\s*=\s*(.*)/) { #DSA KeyPair - die "N seen twice - check input file" - if ($capital_n); - $capital_n = $1; - } -+ elsif ($line =~ /^Num\s*=\s*(.*)/) { #DSA PQGGen -+ die "Num seen twice - check input file" -+ if ($num); -+ $num = $1; -+ } - elsif ($line =~ /^P\s*=\s*(.*)/) { #DSA SigVer - die "P seen twice - check input file" - if ($capital_p); -@@ -1965,6 +2251,16 @@ sub parse($$) { - if ($capital_r); - $capital_r = $1; - } -+ elsif ($line =~ /^H\s*=\s*(.*)/) { #DSA PQGVer -+ die "H seen twice - check input file" -+ if ($capital_h); -+ $capital_h = $1; -+ } -+ elsif ($line =~ /^c\s*=\s*(.*)/) { #DSA PQGVer -+ die "c seen twice - check input file" -+ if ($c); -+ $c = $1; -+ } - elsif ($line =~ /^xp1\s*=\s*(.*)/) { #RSA key gen - die "xp1 seen twice - check input file" - if ($xp1); -@@ -2074,11 +2370,10 @@ sub parse($$) { - } - } - elsif ($tt == 10) { -- if ($modulus ne "" && $capital_n > 0) { -- $out .= dsa_pqggen_driver($modulus, $capital_n); -- #$mod is not resetted -- $capital_n = 0; -- } -+ if ($modulus ne "" && $qsize ne "" && $num > 0) { -+ $out .= dsa_pqgen_driver($modulus, $qsize, $num); -+ $num = 0; -+ } - } - elsif ($tt == 11) { - if ($pt ne "" && $dsa_keyfile ne "") { -@@ -2141,6 +2436,74 @@ sub parse($$) { - $Xq = ""; - } - } -+ elsif ($tt == 14) { -+ if ($modulus ne "" && -+ $qsize ne "" && -+ $capital_n > 0) { -+ $out .= dsa_keypair_driver($modulus, -+ $qsize, -+ $capital_n); -+ $capital_n = 0; -+ } -+ } -+ elsif ($tt == 15) { -+ if ($modulus ne "" && -+ $qsize ne "" && -+ $capital_p ne "" && -+ $capital_q ne "") { -+ $out .= dsa_ggen_driver($modulus, -+ $qsize, -+ $capital_p, -+ $capital_q); -+ $capital_p = ""; -+ $capital_q = ""; -+ $num--; -+ } -+ } -+ elsif ($tt == 16) { -+ if ($modulus ne "" && -+ $qsize ne "" && -+ $capital_p ne "" && -+ $capital_q ne "" && -+ $pt ne "" && -+ $c ne "") { -+ $out .= dsa_pqver_driver($modulus, -+ $qsize, -+ $capital_p, -+ $capital_q, -+ $pt, -+ $c); -+ $capital_p = ""; -+ $capital_q = ""; -+ $pt = ""; -+ $c = ""; -+ } -+ } -+ elsif ($tt == 17) { -+ if ($modulus ne "" && -+ $qsize ne "" && -+ $capital_p ne "" && -+ $capital_q ne "" && -+ $capital_g ne "" && -+ $pt ne "" && -+ $c ne "" && -+ $capital_h ne "") { -+ $out .= dsa_pqgver_driver($modulus, -+ $qsize, -+ $capital_p, -+ $capital_q, -+ $capital_g, -+ $pt, -+ $c, -+ $capital_h); -+ $capital_p = ""; -+ $capital_q = ""; -+ $capital_g = ""; -+ $pt = ""; -+ $c = ""; -+ $capital_h = ""; -+ } -+ } - elsif ($tt > 0) { - die "Test case $tt not defined"; - } -@@ -2199,7 +2562,9 @@ sub main() { - $state_rng = \&libgcrypt_state_rng; - $hmac = \&libgcrypt_hmac; - $dsa_pqggen = \&libgcrypt_dsa_pqggen; -+ $dsa_ggen = \&libgcrypt_dsa_ggen; - $gen_dsakey = \&libgcrypt_gen_dsakey; -+ $gen_dsakey_domain = \&libgcrypt_gen_dsakey_domain; - $dsa_sign = \&libgcrypt_dsa_sign; - $dsa_verify = \&libgcrypt_dsa_verify; - $dsa_genpubkey = \&libgcrypt_dsa_genpubkey; -diff -up libgcrypt-1.5.0/tests/cavs_tests.sh.cavs libgcrypt-1.5.0/tests/cavs_tests.sh ---- libgcrypt-1.5.0/tests/cavs_tests.sh.cavs 2011-02-04 20:18:20.000000000 +0100 -+++ libgcrypt-1.5.0/tests/cavs_tests.sh 2011-07-21 15:02:16.000000000 +0200 -@@ -55,7 +55,7 @@ function run_one_test () { - [ -d "$respdir" ] || mkdir "$respdir" - [ -f "$rspfile" ] && rm "$rspfile" - -- if echo "$reqfile" | grep '/DSA/req/' >/dev/null 2>/dev/null; then -+ if echo "$reqfile" | grep '/DSA.\?/req/' >/dev/null 2>/dev/null; then - dflag="-D" - fi - -diff -up libgcrypt-1.5.0/tests/fipsdrv.c.cavs libgcrypt-1.5.0/tests/fipsdrv.c ---- libgcrypt-1.5.0/tests/fipsdrv.c.cavs 2011-02-04 20:18:20.000000000 +0100 -+++ libgcrypt-1.5.0/tests/fipsdrv.c 2011-07-21 15:06:44.000000000 +0200 -@@ -893,6 +893,9 @@ print_mpi_line (gcry_mpi_t a, int no_lz) - die ("gcry_mpi_aprint failed: %s\n", gpg_strerror (err)); - - p = buf; -+ while (*p) -+ *p++ = tolower(*p); -+ p = buf; - if (no_lz && p[0] == '0' && p[1] == '0' && p[2]) - p += 2; - -@@ -1675,14 +1678,14 @@ run_rsa_verify (const void *data, size_t - /* Generate a DSA key of size KEYSIZE and return the complete - S-expression. */ - static gcry_sexp_t --dsa_gen (int keysize) -+dsa_gen (int keysize, int qsize) - { - gpg_error_t err; - gcry_sexp_t keyspec, key; - - err = gcry_sexp_build (&keyspec, NULL, -- "(genkey (dsa (nbits %d)(use-fips186-2)))", -- keysize); -+ "(genkey (dsa (nbits %d)(qbits %d)(use-fips186)))", -+ keysize, qsize); - if (err) - die ("gcry_sexp_build failed for DSA key generation: %s\n", - gpg_strerror (err)); -@@ -1700,7 +1703,7 @@ dsa_gen (int keysize) - /* Generate a DSA key of size KEYSIZE and return the complete - S-expression. */ - static gcry_sexp_t --dsa_gen_with_seed (int keysize, const void *seed, size_t seedlen) -+dsa_gen_with_seed (int keysize, int qsize, const void *seed, size_t seedlen) - { - gpg_error_t err; - gcry_sexp_t keyspec, key; -@@ -1709,10 +1712,11 @@ dsa_gen_with_seed (int keysize, const vo - "(genkey" - " (dsa" - " (nbits %d)" -- " (use-fips186-2)" -+ " (qbits %d)" -+ " (use-fips186)" - " (derive-parms" - " (seed %b))))", -- keysize, (int)seedlen, seed); -+ keysize, qsize, (int)seedlen, seed); - if (err) - die ("gcry_sexp_build failed for DSA key generation: %s\n", - gpg_strerror (err)); -@@ -1720,6 +1724,37 @@ dsa_gen_with_seed (int keysize, const vo - err = gcry_pk_genkey (&key, keyspec); - if (err) - die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); -+ -+ gcry_sexp_release (keyspec); -+ -+ return key; -+} -+ -+/* Generate a DSA key with specified domain parameters and return the complete -+ S-expression. */ -+static gcry_sexp_t -+dsa_gen_key (const char *domain) -+{ -+ gpg_error_t err; -+ gcry_sexp_t keyspec, key, domspec; -+ -+ err = gcry_sexp_new (&domspec, domain, strlen(domain), 0); -+ if (err) -+ die ("gcry_sexp_build failed for domain spec: %s\n", -+ gpg_strerror (err)); -+ -+ err = gcry_sexp_build (&keyspec, NULL, -+ "(genkey" -+ " (dsa" -+ " (use-fips186)" -+ " %S))", -+ domspec); -+ if (err) -+ die ("gcry_sexp_build failed for DSA key generation: %s\n", -+ gpg_strerror (err)); -+ err = gcry_pk_genkey (&key, keyspec); -+ if (err) -+ die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); - - gcry_sexp_release (keyspec); - -@@ -1732,7 +1767,7 @@ dsa_gen_with_seed (int keysize, const vo - with one parameter per line in hex format using this order: p, q, - g, seed, counter, h. */ - static void --print_dsa_domain_parameters (gcry_sexp_t key) -+print_dsa_domain_parameters (gcry_sexp_t key, int print_misc) - { - gcry_sexp_t l1, l2; - gcry_mpi_t mpi; -@@ -1768,6 +1803,9 @@ print_dsa_domain_parameters (gcry_sexp_t - } - gcry_sexp_release (l1); - -+ if (!print_misc) -+ return; -+ - /* Extract the seed values. */ - l1 = gcry_sexp_find_token (key, "misc-key-info", 0); - if (!l1) -@@ -1819,38 +1857,106 @@ print_dsa_domain_parameters (gcry_sexp_t - } - - --/* Generate DSA domain parameters for a modulus size of KEYSIZE. The -+/* Print just the XY private key parameters. KEY -+ is the complete key as returned by dsa_gen. We print to stdout -+ with one parameter per line in hex format using this order: x, y. */ -+static void -+print_dsa_xy (gcry_sexp_t key) -+{ -+ gcry_sexp_t l1, l2; -+ gcry_mpi_t mpi; -+ int idx; -+ -+ l1 = gcry_sexp_find_token (key, "private-key", 0); -+ if (!l1) -+ die ("private key not found in genkey result\n"); -+ -+ l2 = gcry_sexp_find_token (l1, "dsa", 0); -+ if (!l2) -+ die ("returned private key not formed as expected\n"); -+ gcry_sexp_release (l1); -+ l1 = l2; -+ -+ /* Extract the parameters from the S-expression and print them to stdout. */ -+ for (idx=0; "xy"[idx]; idx++) -+ { -+ l2 = gcry_sexp_find_token (l1, "xy"+idx, 1); -+ if (!l2) -+ die ("no %c parameter in returned public key\n", "xy"[idx]); -+ mpi = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG); -+ if (!mpi) -+ die ("no value for %c parameter in returned private key\n","xy"[idx]); -+ gcry_sexp_release (l2); -+ if (standalone_mode) -+ printf ("%c = ", "XY"[idx]); -+ print_mpi_line (mpi, 1); -+ gcry_mpi_release (mpi); -+ } -+ -+ gcry_sexp_release (l1); -+} -+ -+ -+/* Generate DSA pq domain parameters for a modulus size of KEYSIZE. The - result is printed to stdout with one parameter per line in hex -- format and in this order: p, q, g, seed, counter, h. If SEED is -+ format and in this order: p, q, seed, counter. If SEED is - not NULL this seed value will be used for the generation. */ - static void --run_dsa_pqg_gen (int keysize, const void *seed, size_t seedlen) -+run_dsa_pqg_gen (int keysize, int qsize, const void *seed, size_t seedlen) - { - gcry_sexp_t key; - - if (seed) -- key = dsa_gen_with_seed (keysize, seed, seedlen); -+ key = dsa_gen_with_seed (keysize, qsize, seed, seedlen); - else -- key = dsa_gen (keysize); -- print_dsa_domain_parameters (key); -+ key = dsa_gen (keysize, qsize); -+ print_dsa_domain_parameters (key, 1); -+ gcry_sexp_release (key); -+} -+ -+ -+/* Generate DSA domain parameters for a modulus size of KEYSIZE. The -+ result is printed to stdout with one parameter per line in hex -+ format and in this order: p, q, g, seed, counter, h. If SEED is -+ not NULL this seed value will be used for the generation. */ -+static void -+run_dsa_g_gen (int keysize, int qsize, const char *domain) -+{ -+ gcry_sexp_t key; -+ -+ key = dsa_gen_key (domain); -+ print_dsa_domain_parameters (key, 0); -+ gcry_sexp_release (key); -+} -+ -+/* Generate a DSA key with specified domain parameters -+ and print the XY values. */ -+static void -+run_dsa_gen_key (const char *domain) -+{ -+ gcry_sexp_t key; -+ -+ key = dsa_gen_key (domain); -+ print_dsa_xy (key); -+ - gcry_sexp_release (key); - } - - - /* Generate a DSA key of size of KEYSIZE and write the private key to - FILENAME. Also write the parameters to stdout in the same way as -- run_dsa_pqg_gen. */ -+ run_dsa_g_gen. */ - static void --run_dsa_gen (int keysize, const char *filename) -+run_dsa_gen (int keysize, int qsize, const char *filename) - { - gcry_sexp_t key, private_key; - FILE *fp; - -- key = dsa_gen (keysize); -+ key = dsa_gen (keysize, qsize); - private_key = gcry_sexp_find_token (key, "private-key", 0); - if (!private_key) - die ("private key not found in genkey result\n"); -- print_dsa_domain_parameters (key); -+ print_dsa_domain_parameters (key, 1); - - fp = fopen (filename, "wb"); - if (!fp) -@@ -1863,6 +1969,53 @@ run_dsa_gen (int keysize, const char *fi - } - - -+static int -+dsa_hash_from_key(gcry_sexp_t s_key) -+{ -+ gcry_sexp_t l1, l2; -+ gcry_mpi_t q; -+ unsigned int qbits; -+ -+ l1 = gcry_sexp_find_token (s_key, "public-key", 0); -+ if (!l1) -+ { -+ l1 = gcry_sexp_find_token (s_key, "private-key", 0); -+ if (!l1) -+ die ("neither private nor public key found in the loaded key\n"); -+ } -+ -+ l2 = gcry_sexp_find_token (l1, "dsa", 0); -+ if (!l2) -+ die ("public key not formed as expected - no dsa\n"); -+ gcry_sexp_release (l1); -+ l1 = l2; -+ -+ l2 = gcry_sexp_find_token (l1, "q", 0); -+ if (!l2) -+ die ("public key not formed as expected - no q\n"); -+ gcry_sexp_release (l1); -+ l1 = l2; -+ -+ q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG); -+ if (!q) -+ die ("public key not formed as expected - no mpi in q\n"); -+ qbits = gcry_mpi_get_nbits(q); -+ gcry_sexp_release(l1); -+ gcry_mpi_release(q); -+ switch(qbits) -+ { -+ case 160: -+ return GCRY_MD_SHA1; -+ case 224: -+ return GCRY_MD_SHA224; -+ case 256: -+ return GCRY_MD_SHA256; -+ default: -+ die("bad number bits (%d) of q in key\n", qbits); -+ } -+ return GCRY_MD_NONE; -+} -+ - - /* Sign DATA of length DATALEN using the key taken from the S-expression - encoded KEYFILE. */ -@@ -1872,11 +2025,16 @@ run_dsa_sign (const void *data, size_t d - { - gpg_error_t err; - gcry_sexp_t s_data, s_key, s_sig, s_tmp, s_tmp2; -- char hash[20]; -+ char hash[128]; - gcry_mpi_t tmpmpi; -+ int algo; -+ -+ s_key = read_sexp_from_file (keyfile); -+ algo = dsa_hash_from_key(s_key); - -- gcry_md_hash_buffer (GCRY_MD_SHA1, hash, data, datalen); -- err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, 20, NULL); -+ gcry_md_hash_buffer (algo, hash, data, datalen); -+ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, -+ gcry_md_get_algo_dlen(algo), NULL); - if (!err) - { - err = gcry_sexp_build (&s_data, NULL, -@@ -1887,8 +2045,6 @@ run_dsa_sign (const void *data, size_t d - die ("gcry_sexp_build failed for DSA data input: %s\n", - gpg_strerror (err)); - -- s_key = read_sexp_from_file (keyfile); -- - err = gcry_pk_sign (&s_sig, s_data, s_key); - if (err) - { -@@ -1964,13 +2120,18 @@ run_dsa_verify (const void *data, size_t - { - gpg_error_t err; - gcry_sexp_t s_data, s_key, s_sig; -- char hash[20]; -+ char hash[128]; - gcry_mpi_t tmpmpi; -+ int algo; -+ -+ s_key = read_sexp_from_file (keyfile); -+ algo = dsa_hash_from_key(s_key); - -- gcry_md_hash_buffer (GCRY_MD_SHA1, hash, data, datalen); -+ gcry_md_hash_buffer (algo, hash, data, datalen); - /* Note that we can't simply use %b with HASH to build the - S-expression, because that might yield a negative value. */ -- err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, 20, NULL); -+ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, -+ gcry_md_get_algo_dlen(algo), NULL); - if (!err) - { - err = gcry_sexp_build (&s_data, NULL, -@@ -1981,7 +2142,6 @@ run_dsa_verify (const void *data, size_t - die ("gcry_sexp_build failed for DSA data input: %s\n", - gpg_strerror (err)); - -- s_key = read_sexp_from_file (keyfile); - s_sig = read_sexp_from_file (sigfile); - - err = gcry_pk_verify (s_sig, s_data, s_key); -@@ -2014,7 +2174,7 @@ usage (int show_help) - "Run a crypto operation using hex encoded input and output.\n" - "MODE:\n" - " encrypt, decrypt, digest, random, hmac-sha,\n" -- " rsa-{derive,gen,sign,verify}, dsa-{pqg-gen,gen,sign,verify}\n" -+ " rsa-{derive,gen,sign,verify}, dsa-{pq-gen,g-gen,gen,sign,verify}\n" - "OPTIONS:\n" - " --verbose Print additional information\n" - " --binary Input and output is in binary form\n" -@@ -2024,6 +2184,7 @@ usage (int show_help) - " --dt DT Use the hex encoded DT for the RNG\n" - " --algo NAME Use algorithm NAME\n" - " --keysize N Use a keysize of N bits\n" -+ " --qize N Use a DSA q parameter size of N bits\n" - " --signature NAME Take signature from file NAME\n" - " --chunk N Read in chunks of N bytes (implies --binary)\n" - " --pkcs1 Use PKCS#1 encoding\n" -@@ -2050,6 +2211,7 @@ main (int argc, char **argv) - const char *dt_string = NULL; - const char *algo_string = NULL; - const char *keysize_string = NULL; -+ const char *qsize_string = NULL; - const char *signature_string = NULL; - FILE *input; - void *data; -@@ -2143,6 +2305,14 @@ main (int argc, char **argv) - keysize_string = *argv; - argc--; argv++; - } -+ else if (!strcmp (*argv, "--qsize")) -+ { -+ argc--; argv++; -+ if (!argc) -+ usage (0); -+ qsize_string = *argv; -+ argc--; argv++; -+ } - else if (!strcmp (*argv, "--signature")) - { - argc--; argv++; -@@ -2463,23 +2633,49 @@ main (int argc, char **argv) - } - else if (!strcmp (mode_string, "dsa-pqg-gen")) - { -- int keysize; -+ int keysize, qsize; - - keysize = keysize_string? atoi (keysize_string) : 0; - if (keysize < 1024 || keysize > 3072) - die ("invalid keysize specified; needs to be 1024 .. 3072\n"); -- run_dsa_pqg_gen (keysize, datalen? data:NULL, datalen); -+ qsize = qsize_string? atoi (qsize_string) : 0; -+ if (qsize < 160 || qsize > 256) -+ die ("invalid qsize specified; needs to be 160 .. 256\n"); -+ run_dsa_pqg_gen (keysize, qsize, datalen? data:NULL, datalen); -+ } -+ else if (!strcmp (mode_string, "dsa-g-gen")) -+ { -+ int keysize, qsize; -+ -+ keysize = keysize_string? atoi (keysize_string) : 0; -+ if (keysize < 1024 || keysize > 3072) -+ die ("invalid keysize specified; needs to be 1024 .. 3072\n"); -+ qsize = qsize_string? atoi (qsize_string) : 0; -+ if (qsize < 160 || qsize > 256) -+ die ("invalid qsize specified; needs to be 160 .. 256\n"); -+ if (!key_string) -+ die ("option --key containing pq domain parameters is required in this mode\n"); -+ run_dsa_g_gen (keysize, qsize, key_string); -+ } -+ else if (!strcmp (mode_string, "dsa-gen-key")) -+ { -+ if (!key_string) -+ die ("option --key containing pqg domain parameters is required in this mode\n"); -+ run_dsa_gen_key (key_string); - } - else if (!strcmp (mode_string, "dsa-gen")) - { -- int keysize; -+ int keysize, qsize; - - keysize = keysize_string? atoi (keysize_string) : 0; - if (keysize < 1024 || keysize > 3072) - die ("invalid keysize specified; needs to be 1024 .. 3072\n"); -+ qsize = qsize_string? atoi (qsize_string) : 0; -+ if (qsize < 160 || qsize > 256) -+ die ("invalid qsize specified; needs to be 160 .. 256\n"); - if (!key_string) - die ("option --key is required in this mode\n"); -- run_dsa_gen (keysize, key_string); -+ run_dsa_gen (keysize, qsize, key_string); - } - else if (!strcmp (mode_string, "dsa-sign")) - { diff --git a/libgcrypt-1.5.0-fips-cfgrandom.patch b/libgcrypt-1.5.0-fips-cfgrandom.patch deleted file mode 100644 index 1384c25..0000000 --- a/libgcrypt-1.5.0-fips-cfgrandom.patch +++ /dev/null @@ -1,126 +0,0 @@ -diff -up libgcrypt-1.5.0/random/random-fips.c.cfgrandom libgcrypt-1.5.0/random/random-fips.c ---- libgcrypt-1.5.0/random/random-fips.c.cfgrandom 2011-07-21 14:50:34.000000000 +0200 -+++ libgcrypt-1.5.0/random/random-fips.c 2011-07-21 14:50:34.000000000 +0200 -@@ -27,10 +27,10 @@ - There are 3 random context which map to the different levels of - random quality: - -- Generator Seed and Key Kernel entropy (init/reseed) -- ------------------------------------------------------------ -- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits -- GCRY_STRONG_RANDOM /dev/random 256/128 bits -+ Generator Seed and Key Kernel entropy (init/reseed) -+ --------------------------------------------------------------------------------------- -+ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits -+ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits - gcry_create_nonce GCRY_STRONG_RANDOM n/a - - All random generators return their data in 128 bit blocks. If the -@@ -40,8 +40,10 @@ - (SEED_TTL) output blocks; the re-seeding is disabled in test mode. - - The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are -- keyed and seeded from the /dev/random device. Thus these -- generators may block until the kernel has collected enough entropy. -+ keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed -+ if the device or symlink to device exists xored with the data -+ from the /dev/urandom device. This allows the system administrator -+ to always seed the RNGs from /dev/random if it is required. - - The gcry_create_nonce generator is keyed and seeded from the - GCRY_STRONG_RANDOM generator. It may also block if the -@@ -560,9 +562,13 @@ get_entropy (size_t nbytes) - entropy_collect_buffer_len = 0; - - #if USE_RNDLINUX -+ _gcry_rndlinux_gather_random (entropy_collect_cb, 0, -+ X931_AES_KEYLEN, -+ -1); -+ entropy_collect_buffer_len = 0; - rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0, - X931_AES_KEYLEN, -- GCRY_VERY_STRONG_RANDOM); -+ GCRY_STRONG_RANDOM); - #elif USE_RNDW32 - do - { -diff -up libgcrypt-1.5.0/random/rndlinux.c.cfgrandom libgcrypt-1.5.0/random/rndlinux.c ---- libgcrypt-1.5.0/random/rndlinux.c.cfgrandom 2011-02-04 20:16:03.000000000 +0100 -+++ libgcrypt-1.5.0/random/rndlinux.c 2011-07-21 14:50:34.000000000 +0200 -@@ -36,7 +36,9 @@ - #include "g10lib.h" - #include "rand-internal.h" - --static int open_device ( const char *name ); -+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed" -+ -+static int open_device ( const char *name, int fatal ); - - - static int -@@ -57,13 +59,17 @@ set_cloexec_flag (int fd) - * Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)). - */ - static int --open_device ( const char *name ) -+open_device ( const char *name, int fatal ) - { - int fd; - - fd = open ( name, O_RDONLY ); - if ( fd == -1 ) -- log_fatal ("can't open %s: %s\n", name, strerror(errno) ); -+ { -+ if (! fatal) -+ return fd; -+ log_fatal ("can't open %s: %s\n", name, strerror(errno) ); -+ } - - if (set_cloexec_flag (fd)) - log_error ("error setting FD_CLOEXEC on fd %d: %s\n", -@@ -92,6 +98,7 @@ _gcry_rndlinux_gather_random (void (*add - { - static int fd_urandom = -1; - static int fd_random = -1; -+ static int fd_configured = -1; - int fd; - int n; - byte buffer[768]; -@@ -100,6 +107,7 @@ _gcry_rndlinux_gather_random (void (*add - size_t last_so_far = 0; - int any_need_entropy = 0; - int delay; -+ size_t orig_length = length; - - /* First read from a hardware source. However let it account only - for up to 50% of the requested bytes. */ -@@ -110,16 +118,26 @@ _gcry_rndlinux_gather_random (void (*add - length -= n_hw; - - /* Open the requested device. */ -+ -+ if (level == -1) -+ { -+ if (fd_configured == -1) -+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0 ); -+ fd = fd_configured; -+ if (fd == -1) -+ return -1; -+ } -+ - if (level >= 2) - { - if( fd_random == -1 ) -- fd_random = open_device ( NAME_OF_DEV_RANDOM ); -+ fd_random = open_device ( NAME_OF_DEV_RANDOM, 1 ); - fd = fd_random; - } -- else -+ else if (level != -1) - { - if( fd_urandom == -1 ) -- fd_urandom = open_device ( NAME_OF_DEV_URANDOM ); -+ fd_urandom = open_device ( NAME_OF_DEV_URANDOM, 1 ); - fd = fd_urandom; - } - diff --git a/libgcrypt-1.5.0-leak.patch b/libgcrypt-1.5.0-leak.patch deleted file mode 100644 index 5f0d191..0000000 --- a/libgcrypt-1.5.0-leak.patch +++ /dev/null @@ -1,73 +0,0 @@ -diff -up libgcrypt-1.5.0/cipher/elgamal.c.leak libgcrypt-1.5.0/cipher/elgamal.c ---- libgcrypt-1.5.0/cipher/elgamal.c.leak 2011-02-04 20:09:38.000000000 +0100 -+++ libgcrypt-1.5.0/cipher/elgamal.c 2012-12-03 14:51:10.743067964 +0100 -@@ -641,7 +641,10 @@ elg_generate_ext (int algo, unsigned int - } - - if (xvalue) -- ec = generate_using_x (&sk, nbits, xvalue, retfactors); -+ { -+ ec = generate_using_x (&sk, nbits, xvalue, retfactors); -+ gcry_mpi_release(xvalue); -+ } - else - { - generate (&sk, nbits, retfactors); -diff -up libgcrypt-1.5.0/cipher/primegen.c.leak libgcrypt-1.5.0/cipher/primegen.c ---- libgcrypt-1.5.0/cipher/primegen.c.leak 2012-04-05 15:37:52.000000000 +0200 -+++ libgcrypt-1.5.0/cipher/primegen.c 2012-12-03 14:44:14.610010867 +0100 -@@ -1198,10 +1198,7 @@ gcry_prime_group_generator (gcry_mpi_t * - gcry_mpi_t prime, gcry_mpi_t *factors, - gcry_mpi_t start_g) - { -- gcry_mpi_t tmp = gcry_mpi_new (0); -- gcry_mpi_t b = gcry_mpi_new (0); -- gcry_mpi_t pmin1 = gcry_mpi_new (0); -- gcry_mpi_t g = start_g? gcry_mpi_copy (start_g) : gcry_mpi_set_ui (NULL, 3); -+ gcry_mpi_t tmp, b, pmin1, g; - int first = 1; - int i, n; - -@@ -1214,6 +1211,11 @@ gcry_prime_group_generator (gcry_mpi_t * - if (n < 2) - return gpg_error (GPG_ERR_INV_ARG); - -+ tmp = gcry_mpi_new (0); -+ b = gcry_mpi_new (0); -+ pmin1 = gcry_mpi_new (0); -+ g = start_g? gcry_mpi_copy (start_g) : gcry_mpi_set_ui (NULL, 3); -+ - /* Extra sanity check - usually disabled. */ - /* mpi_set (tmp, factors[0]); */ - /* for(i = 1; i < n; i++) */ -diff -up libgcrypt-1.5.0/cipher/pubkey.c.leak libgcrypt-1.5.0/cipher/pubkey.c ---- libgcrypt-1.5.0/cipher/pubkey.c.leak 2011-06-13 12:23:50.000000000 +0200 -+++ libgcrypt-1.5.0/cipher/pubkey.c 2012-12-03 15:23:42.377183489 +0100 -@@ -2853,6 +2853,8 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gc - - REGISTER_DEFAULT_PUBKEYS; - -+ init_encoding_ctx (&ctx, PUBKEY_OP_ENCRYPT, gcry_pk_get_nbits (s_pkey)); -+ - /* Get the key. */ - rc = sexp_to_key (s_pkey, 0, NULL, &pkey, &module); - if (rc) -@@ -2873,7 +2875,6 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gc - algo_elems = pubkey->elements_enc; - - /* Get the stuff we want to encrypt. */ -- init_encoding_ctx (&ctx, PUBKEY_OP_ENCRYPT, gcry_pk_get_nbits (s_pkey)); - rc = sexp_data_to_mpi (s_data, &data, &ctx); - if (rc) - goto leave; -diff -up libgcrypt-1.5.0/src/hmac256.c.leak libgcrypt-1.5.0/src/hmac256.c ---- libgcrypt-1.5.0/src/hmac256.c.leak 2011-02-04 20:17:33.000000000 +0100 -+++ libgcrypt-1.5.0/src/hmac256.c 2012-12-03 15:37:36.504955809 +0100 -@@ -435,7 +435,6 @@ _gcry_hmac256_finalize (hmac256_context_ - tmphd = _gcry_hmac256_new (NULL, 0); - if (!tmphd) - { -- free (hd); - return NULL; - } - _gcry_hmac256_update (tmphd, hd->opad, 64); diff --git a/libgcrypt-1.5.0-noecc.patch b/libgcrypt-1.5.0-noecc.patch deleted file mode 100644 index 7905c71..0000000 --- a/libgcrypt-1.5.0-noecc.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up libgcrypt-1.5.0/tests/Makefile.noecc libgcrypt-1.5.0/tests/Makefile ---- libgcrypt-1.5.0/tests/Makefile.in.noecc 2011-07-21 15:34:33.000000000 +0200 -+++ libgcrypt-1.5.0/tests/Makefile.in 2011-07-21 15:39:35.000000000 +0200 -@@ -57,7 +57,7 @@ TESTS = version$(EXEEXT) t-mpi-bit$(EXEE - ac-data$(EXEEXT) basic$(EXEEXT) mpitests$(EXEEXT) \ - tsexp$(EXEEXT) keygen$(EXEEXT) pubkey$(EXEEXT) hmac$(EXEEXT) \ - keygrip$(EXEEXT) fips186-dsa$(EXEEXT) aeswrap$(EXEEXT) \ -- curves$(EXEEXT) t-kdf$(EXEEXT) pkcs1v2$(EXEEXT) \ -+ t-kdf$(EXEEXT) pkcs1v2$(EXEEXT) \ - $(am__EXEEXT_1) benchmark$(EXEEXT) - - # random.c uses fork() thus a test for W32 does not make any sense. diff --git a/libgcrypt-1.5.0-tests.patch b/libgcrypt-1.5.0-tests.patch deleted file mode 100644 index 277438f..0000000 --- a/libgcrypt-1.5.0-tests.patch +++ /dev/null @@ -1,214 +0,0 @@ -diff -up libgcrypt-1.5.0/cipher/dsa.c.tests libgcrypt-1.5.0/cipher/dsa.c ---- libgcrypt-1.5.0/cipher/dsa.c.tests 2011-06-13 12:24:46.000000000 +0200 -+++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-20 16:44:51.000000000 +0200 -@@ -479,22 +479,21 @@ generate_fips186 (DSA_secret_key *sk, un - initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1, - &initial_seed.seedlen); - } -- -- /* Fixme: Enable 186-3 after it has been approved and after fixing -- the generation function. */ -- /* if (use_fips186_2) */ -- (void)use_fips186_2; -- ec = _gcry_generate_fips186_2_prime (nbits, qbits, -- initial_seed.seed, -+ -+ if (use_fips186_2) -+ ec = _gcry_generate_fips186_2_prime (nbits, qbits, -+ initial_seed.seed, - initial_seed.seedlen, - &prime_q, &prime_p, - r_counter, - r_seed, r_seedlen); -- /* else */ -- /* ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, */ -- /* &prime_q, &prime_p, */ -- /* r_counter, */ -- /* r_seed, r_seedlen, NULL); */ -+ else -+ ec = _gcry_generate_fips186_3_prime (nbits, qbits, -+ initial_seed.seed, -+ initial_seed.seedlen, -+ &prime_q, &prime_p, -+ r_counter, -+ r_seed, r_seedlen, NULL); - gcry_sexp_release (initial_seed.sexp); - if (ec) - goto leave; -diff -up libgcrypt-1.5.0/cipher/primegen.c.tests libgcrypt-1.5.0/cipher/primegen.c ---- libgcrypt-1.5.0/cipher/primegen.c.tests 2011-03-28 14:19:52.000000000 +0200 -+++ libgcrypt-1.5.0/cipher/primegen.c 2011-07-21 14:36:03.000000000 +0200 -@@ -1647,7 +1647,7 @@ _gcry_generate_fips186_3_prime (unsigned - gpg_err_code_t ec; - unsigned char seed_help_buffer[256/8]; /* Used to hold a generated SEED. */ - unsigned char *seed_plus; /* Malloced buffer to hold SEED+x. */ -- unsigned char digest[256/8]; /* Helper buffer for SHA-1 digest. */ -+ unsigned char digest[256/8]; /* Helper buffer for SHA-x digest. */ - gcry_mpi_t val_2 = NULL; /* Helper for the prime test. */ - gcry_mpi_t tmpval = NULL; /* Helper variable. */ - int hashalgo; /* The id of the Approved Hash Function. */ -@@ -1737,7 +1737,7 @@ _gcry_generate_fips186_3_prime (unsigned - } - gcry_mpi_release (prime_q); prime_q = NULL; - ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG, -- value_u, sizeof value_u, NULL)); -+ value_u, qbits/8, NULL)); - if (ec) - goto leave; - mpi_set_highbit (prime_q, qbits-1 ); -@@ -1782,11 +1782,11 @@ _gcry_generate_fips186_3_prime (unsigned - if (seed_plus[i]) - break; - } -- gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen); -+ gcry_md_hash_buffer (hashalgo, digest, seed_plus, seedlen); - - gcry_mpi_release (tmpval); tmpval = NULL; - ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG, -- digest, sizeof digest, NULL)); -+ digest, qbits/8, NULL)); - if (ec) - goto leave; - if (value_j == value_n) -@@ -1822,11 +1822,11 @@ _gcry_generate_fips186_3_prime (unsigned - } - - /* Step 12: Save p, q, counter and seed. */ -- log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n", -+/* log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n", - mpi_get_nbits (prime_p), mpi_get_nbits (prime_q), counter); - log_printhex("fips186-3 seed:", seed, seedlen); - log_mpidump ("fips186-3 prime p", prime_p); -- log_mpidump ("fips186-3 prime q", prime_q); -+ log_mpidump ("fips186-3 prime q", prime_q); */ - if (r_q) - { - *r_q = prime_q; -diff -up libgcrypt-1.5.0/cipher/rsa.c.tests libgcrypt-1.5.0/cipher/rsa.c ---- libgcrypt-1.5.0/cipher/rsa.c.tests 2011-06-10 10:53:41.000000000 +0200 -+++ libgcrypt-1.5.0/cipher/rsa.c 2011-07-21 14:36:59.000000000 +0200 -@@ -388,7 +388,7 @@ generate_x931 (RSA_secret_key *sk, unsig - - *swapped = 0; - -- if (e_value == 1) /* Alias for a secure value. */ -+ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */ - e_value = 65537; - - /* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */ -diff -up libgcrypt-1.5.0/random/random-fips.c.tests libgcrypt-1.5.0/random/random-fips.c ---- libgcrypt-1.5.0/random/random-fips.c.tests 2011-07-20 16:40:59.000000000 +0200 -+++ libgcrypt-1.5.0/random/random-fips.c 2011-07-20 16:40:59.000000000 +0200 -@@ -691,6 +691,7 @@ get_random (void *buffer, size_t length, - - check_guards (rng_ctx); - -+ reinitialize: - /* Initialize the cipher handle and thus setup the key if needed. */ - if (!rng_ctx->cipher_hd) - { -@@ -710,13 +711,11 @@ get_random (void *buffer, size_t length, - if (rng_ctx->key_init_pid != getpid () - || rng_ctx->seed_init_pid != getpid ()) - { -- /* We are in a child of us. Because we have no way yet to do -- proper re-initialization (including self-checks etc), the -- only chance we have is to bail out. Obviusly a fork/exec -- won't harm because the exec overwrites the old image. */ -- fips_signal_error ("fork without proper re-initialization " -- "detected in RNG"); -- goto bailout; -+ /* Just reinitialize the key & seed. */ -+ gcry_cipher_close(rng_ctx->cipher_hd); -+ rng_ctx->cipher_hd = NULL; -+ rng_ctx->is_seeded = 0; -+ goto reinitialize; - } - - if (x931_aes_driver (buffer, length, rng_ctx)) -diff -up libgcrypt-1.5.0/tests/ac.c.tests libgcrypt-1.5.0/tests/ac.c ---- libgcrypt-1.5.0/tests/ac.c.tests 2011-02-04 20:18:20.000000000 +0100 -+++ libgcrypt-1.5.0/tests/ac.c 2011-07-20 16:40:59.000000000 +0200 -@@ -150,6 +150,9 @@ main (int argc, char **argv) - if (!gcry_check_version (GCRYPT_VERSION)) - die ("version mismatch\n"); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); -+ if (gcry_fips_mode_active()) -+ /* ac not functional in the fips mode, skip it */ -+ return 77; - if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - /* No valuable keys are create, so we can speed up our RNG. */ -diff -up libgcrypt-1.5.0/tests/ac-data.c.tests libgcrypt-1.5.0/tests/ac-data.c ---- libgcrypt-1.5.0/tests/ac-data.c.tests 2011-02-04 20:18:20.000000000 +0100 -+++ libgcrypt-1.5.0/tests/ac-data.c 2011-07-20 16:40:59.000000000 +0200 -@@ -198,6 +198,9 @@ main (int argc, char **argv) - if (!gcry_check_version (GCRYPT_VERSION)) - die ("version mismatch\n"); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); -+ if (gcry_fips_mode_active()) -+ /* ac not functional in the fips mode, skip it */ -+ return 77; - if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - -diff -up libgcrypt-1.5.0/tests/ac-schemes.c.tests libgcrypt-1.5.0/tests/ac-schemes.c ---- libgcrypt-1.5.0/tests/ac-schemes.c.tests 2011-02-04 20:18:20.000000000 +0100 -+++ libgcrypt-1.5.0/tests/ac-schemes.c 2011-07-20 16:40:59.000000000 +0200 -@@ -338,6 +338,9 @@ main (int argc, char **argv) - if (! gcry_check_version (GCRYPT_VERSION)) - die ("version mismatch\n"); - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); -+ if (gcry_fips_mode_active()) -+ /* ac not functional in the fips mode, skip it */ -+ return 77; - if (debug) - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - -diff -up libgcrypt-1.5.0/tests/keygen.c.tests libgcrypt-1.5.0/tests/keygen.c ---- libgcrypt-1.5.0/tests/keygen.c.tests 2011-02-04 20:18:20.000000000 +0100 -+++ libgcrypt-1.5.0/tests/keygen.c 2011-07-21 14:39:03.000000000 +0200 -@@ -148,12 +148,12 @@ check_rsa_keys (void) - } - - if (verbose) -- fprintf (stderr, "creating 1536 bit DSA key\n"); -+ fprintf (stderr, "creating 2048 bit DSA key\n"); - rc = gcry_sexp_new (&keyparm, - "(genkey\n" - " (dsa\n" -- " (nbits 4:1536)\n" -- " (qbits 3:224)\n" -+ " (nbits 4:2048)\n" -+ " (qbits 3:256)\n" - " ))", 0, 1); - if (rc) - die ("error creating S-expression: %s\n", gpg_strerror (rc)); -@@ -190,11 +190,11 @@ check_rsa_keys (void) - - - if (verbose) -- fprintf (stderr, "creating 512 bit RSA key with e=257\n"); -+ fprintf (stderr, "creating 1024 bit RSA key with e=257\n"); - rc = gcry_sexp_new (&keyparm, - "(genkey\n" - " (rsa\n" -- " (nbits 3:512)\n" -+ " (nbits 4:1024)\n" - " (rsa-use-e 3:257)\n" - " ))", 0, 1); - if (rc) -@@ -208,11 +208,11 @@ check_rsa_keys (void) - gcry_sexp_release (key); - - if (verbose) -- fprintf (stderr, "creating 512 bit RSA key with default e\n"); -+ fprintf (stderr, "creating 1024 bit RSA key with default secure e\n"); - rc = gcry_sexp_new (&keyparm, - "(genkey\n" - " (rsa\n" -- " (nbits 3:512)\n" -+ " (nbits 4:1024)\n" - " (rsa-use-e 1:0)\n" - " ))", 0, 1); - if (rc) diff --git a/libgcrypt-1.5.0-use-fipscheck.patch b/libgcrypt-1.5.0-use-fipscheck.patch index 1cef010..704bb52 100644 --- a/libgcrypt-1.5.0-use-fipscheck.patch +++ b/libgcrypt-1.5.0-use-fipscheck.patch @@ -60,7 +60,7 @@ diff -up libgcrypt-1.5.0/src/fips.c.use-fipscheck libgcrypt-1.5.0/src/fips.c else { - fname = gcry_malloc (strlen (info.dli_fname) + 1 + 5 + 1 ); -+ fname = gcry_malloc (strlen (libpath) + 1 + 5 + 1 ); ++ fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 ); if (!fname) err = gpg_error_from_syserror (); else diff --git a/libgcrypt-1.5.1-use-poll.patch b/libgcrypt-1.5.1-use-poll.patch deleted file mode 100644 index f6ed0b7..0000000 --- a/libgcrypt-1.5.1-use-poll.patch +++ /dev/null @@ -1,82 +0,0 @@ -diff -up libgcrypt-1.5.1/random/rndlinux.c.use-poll libgcrypt-1.5.1/random/rndlinux.c ---- libgcrypt-1.5.1/random/rndlinux.c.use-poll 2013-03-20 15:33:26.504867356 +0100 -+++ libgcrypt-1.5.1/random/rndlinux.c 2013-03-20 15:37:24.999944048 +0100 -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - #include "types.h" - #include "g10lib.h" - #include "rand-internal.h" -@@ -142,49 +143,37 @@ _gcry_rndlinux_gather_random (void (*add - } - - /* Enter the read loop. */ -- delay = 0; /* Start with 0 seconds so that we do no block on the -+ delay = 100; /* Start with 0 seconds so that we do no block on the - first iteration and in turn call the progress function - before blocking. To give the OS a better chance to - return with something we will actually use 100ms. */ - while (length) - { -- fd_set rfds; -- struct timeval tv; - int rc; -+ struct pollfd pfd; - -- /* If the system has no limit on the number of file descriptors -- and we encounter an fd which is larger than the fd_set size, -- we don't use the select at all. The select code is only used -- to emit progress messages. A better solution would be to -- fall back to poll() if available. */ --#ifdef FD_SETSIZE -- if (fd < FD_SETSIZE) --#endif -+ pfd.fd = fd; -+ pfd.events = POLLIN; -+ -+ if ( !(rc=poll(&pfd, 1, delay)) ) - { -- FD_ZERO(&rfds); -- FD_SET(fd, &rfds); -- tv.tv_sec = delay; -- tv.tv_usec = delay? 0 : 100000; -- if ( !(rc=select(fd+1, &rfds, NULL, NULL, &tv)) ) -- { -- if (!any_need_entropy || last_so_far != (want - length) ) -- { -- last_so_far = want - length; -- _gcry_random_progress ("need_entropy", 'X', -- (int)last_so_far, (int)want); -- any_need_entropy = 1; -- } -- delay = 3; /* Use 3 seconds henceforth. */ -- continue; -- } -- else if( rc == -1 ) -+ if (!any_need_entropy || last_so_far != (want - length) ) - { -- log_error ("select() error: %s\n", strerror(errno)); -- if (!delay) -- delay = 1; /* Use 1 second if we encounter an error before -+ last_so_far = want - length; -+ _gcry_random_progress ("need_entropy", 'X', -+ (int)last_so_far, (int)want); -+ any_need_entropy = 1; -+ } -+ delay = 3000; /* Use 3 seconds henceforth. */ -+ continue; -+ } -+ else if( rc == -1 ) -+ { -+ log_error ("poll() error: %s\n", strerror(errno)); -+ if (!delay) -+ delay = 1000; /* Use 1 second if we encounter an error before - we have ever blocked. */ -- continue; -- } -+ continue; - } - - do diff --git a/libgcrypt-1.5.2-mpicoder-gccopt.patch b/libgcrypt-1.5.2-mpicoder-gccopt.patch deleted file mode 100644 index c374709..0000000 --- a/libgcrypt-1.5.2-mpicoder-gccopt.patch +++ /dev/null @@ -1,102 +0,0 @@ -diff -up libgcrypt-1.5.2/mpi/mpicoder.c.gccopt libgcrypt-1.5.2/mpi/mpicoder.c ---- libgcrypt-1.5.2/mpi/mpicoder.c.gccopt 2013-04-18 16:48:42.000000000 +0200 -+++ libgcrypt-1.5.2/mpi/mpicoder.c 2013-06-20 10:24:57.241510589 +0200 -@@ -555,16 +555,16 @@ gcry_mpi_print (enum gcry_mpi_format for - extra=1; - } - -- if (buffer && n > len) -- { -- /* The provided buffer is too short. */ -- gcry_free (tmp); -- return gcry_error (GPG_ERR_TOO_SHORT); -- } - if (buffer) - { - unsigned char *s = buffer; - -+ if (n > len) -+ { -+ /* The provided buffer is too short. */ -+ gcry_free (tmp); -+ return gcry_error (GPG_ERR_TOO_SHORT); -+ } - if (extra) - *s++ = 0; - memcpy (s, tmp, n-extra); -@@ -580,12 +580,12 @@ gcry_mpi_print (enum gcry_mpi_format for - /* Note: We ignore the sign for this format. */ - /* FIXME: for performance reasons we should put this into - mpi_aprint because we can then use the buffer directly. */ -- if (buffer && n > len) -- return gcry_error (GPG_ERR_TOO_SHORT); - if (buffer) - { - unsigned char *tmp; - -+ if (n > len) -+ return gcry_error (GPG_ERR_TOO_SHORT); - tmp = _gcry_mpi_get_buffer (a, &n, NULL); - if (!tmp) - return gpg_error_from_syserror (); -@@ -603,14 +603,13 @@ gcry_mpi_print (enum gcry_mpi_format for - if( a->sign ) - return gcry_error (GPG_ERR_INV_ARG); - -- if (buffer && n+2 > len) -- return gcry_error (GPG_ERR_TOO_SHORT); -- - if (buffer) - { - unsigned char *tmp; - unsigned char *s = buffer; - -+ if (n+2 > len) -+ return gcry_error (GPG_ERR_TOO_SHORT); - s[0] = nbits >> 8; - s[1] = nbits; - -@@ -641,16 +640,16 @@ gcry_mpi_print (enum gcry_mpi_format for - extra=1; - } - -- if (buffer && n+4 > len) -- { -- gcry_free(tmp); -- return gcry_error (GPG_ERR_TOO_SHORT); -- } -- - if (buffer) - { - unsigned char *s = buffer; - -+ if (n+4 > len) -+ { -+ gcry_free(tmp); -+ return gcry_error (GPG_ERR_TOO_SHORT); -+ } -+ - *s++ = n >> 24; - *s++ = n >> 16; - *s++ = n >> 8; -@@ -677,15 +676,15 @@ gcry_mpi_print (enum gcry_mpi_format for - if (!n || (*tmp & 0x80)) - extra = 2; - -- if (buffer && 2*n + extra + !!a->sign + 1 > len) -- { -- gcry_free(tmp); -- return gcry_error (GPG_ERR_TOO_SHORT); -- } - if (buffer) - { - unsigned char *s = buffer; - -+ if (2*n + extra + !!a->sign + 1 > len) -+ { -+ gcry_free(tmp); -+ return gcry_error (GPG_ERR_TOO_SHORT); -+ } - if (a->sign) - *s++ = '-'; - if (extra) diff --git a/libgcrypt-1.5.3-ecc-test-fix.patch b/libgcrypt-1.5.3-ecc-test-fix.patch deleted file mode 100644 index a5cca64..0000000 --- a/libgcrypt-1.5.3-ecc-test-fix.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up libgcrypt-1.5.3/tests/benchmark.c.eccfix libgcrypt-1.5.3/tests/benchmark.c ---- libgcrypt-1.5.3/tests/benchmark.c.eccfix 2013-10-20 23:45:32.157297611 +0100 -+++ libgcrypt-1.5.3/tests/benchmark.c 2013-10-20 23:45:42.683275072 +0100 -@@ -962,7 +962,7 @@ ecc_bench (int iterations, int print_hea - { - #if USE_ECC - gpg_error_t err; -- int p_sizes[] = { 192, 224, 256, 384, 521 }; -+ int p_sizes[] = { 256, 384 }; - int testno; - - if (print_header) diff --git a/libgcrypt-1.5.3-pbkdf-speedup.patch b/libgcrypt-1.5.3-pbkdf-speedup.patch deleted file mode 100644 index 7017367..0000000 --- a/libgcrypt-1.5.3-pbkdf-speedup.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff -up libgcrypt-1.5.3/cipher/kdf.c.pbkdf-speedup libgcrypt-1.5.3/cipher/kdf.c ---- libgcrypt-1.5.3/cipher/kdf.c.pbkdf-speedup 2014-01-21 15:49:22.676638703 +0100 -+++ libgcrypt-1.5.3/cipher/kdf.c 2014-01-21 15:52:40.115047218 +0100 -@@ -172,19 +172,21 @@ pkdf2 (const void *passphrase, size_t pa - return ec; - } - -+ ec = gpg_err_code (gcry_md_setkey (md, passphrase, passphraselen)); -+ if (ec) -+ { -+ gcry_md_close (md); -+ gcry_free (sbuf); -+ return ec; -+ } -+ - /* Step 3 and 4. */ - memcpy (sbuf, salt, saltlen); - for (lidx = 1; lidx <= l; lidx++) - { - for (iter = 0; iter < iterations; iter++) - { -- ec = gpg_err_code (gcry_md_setkey (md, passphrase, passphraselen)); -- if (ec) -- { -- gcry_md_close (md); -- gcry_free (sbuf); -- return ec; -- } -+ gcry_md_reset (md); - if (!iter) /* Compute U_1: */ - { - sbuf[saltlen] = (lidx >> 24); diff --git a/libgcrypt-1.5.3-whirlpool-bug.patch b/libgcrypt-1.5.3-whirlpool-bug.patch deleted file mode 100644 index f64c94f..0000000 --- a/libgcrypt-1.5.3-whirlpool-bug.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -up libgcrypt-1.5.3/cipher/whirlpool.c.whirlpool-bug libgcrypt-1.5.3/cipher/whirlpool.c ---- libgcrypt-1.5.3/cipher/whirlpool.c.whirlpool-bug 2013-05-22 18:02:54.000000000 +0200 -+++ libgcrypt-1.5.3/cipher/whirlpool.c 2014-01-21 15:45:51.308919415 +0100 -@@ -56,6 +56,7 @@ typedef struct { - unsigned char buffer[BLOCK_SIZE]; - size_t count; - unsigned char length[32]; -+ int bug; - } whirlpool_context_t; - - -@@ -1185,6 +1186,7 @@ whirlpool_init (void *ctx) - whirlpool_context_t *context = ctx; - - memset (context, 0, sizeof (*context)); -+ context->bug = secure_getenv("GCRYPT_WHIRLPOOL_BUG") != NULL; - } - - -@@ -1316,7 +1318,7 @@ whirlpool_add (whirlpool_context_t *cont - buffer_n--; - } - whirlpool_add (context, NULL, 0); -- if (!buffer_n) -+ if (context->bug && !buffer_n) - /* Done. */ - return; - } diff --git a/libgcrypt-1.6.1-ecc-test-fix.patch b/libgcrypt-1.6.1-ecc-test-fix.patch new file mode 100644 index 0000000..7e12c1b --- /dev/null +++ b/libgcrypt-1.6.1-ecc-test-fix.patch @@ -0,0 +1,214 @@ +diff -up libgcrypt-1.6.1/tests/benchmark.c.eccfix libgcrypt-1.6.1/tests/benchmark.c +--- libgcrypt-1.6.1/tests/benchmark.c.eccfix 2014-01-27 14:36:43.000000000 +0100 ++++ libgcrypt-1.6.1/tests/benchmark.c 2014-02-28 16:14:13.042505538 +0100 +@@ -1087,8 +1087,7 @@ ecc_bench (int iterations, int print_hea + { + #if USE_ECC + gpg_error_t err; +- const char *p_sizes[] = { "192", "224", "256", "384", "521", "Ed25519", +- "gost256", "gost512" }; ++ const char *p_sizes[] = { "256", "384", "521", "Ed25519" }; + int testno; + + if (print_header) +diff -up libgcrypt-1.6.1/tests/dsa-rfc6979.c.eccfix libgcrypt-1.6.1/tests/dsa-rfc6979.c +--- libgcrypt-1.6.1/tests/dsa-rfc6979.c.eccfix 2013-12-16 18:44:32.000000000 +0100 ++++ libgcrypt-1.6.1/tests/dsa-rfc6979.c 2014-02-28 16:18:44.138771523 +0100 +@@ -210,27 +210,6 @@ check_dsa_rfc6979 (void) + " ))" + }, + { +- "ECDSA, 192 bits (prime field)", +- "(private-key" +- " (ecdsa" +- " (curve \"NIST P-192\")" +- " (q #04AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56" +- " 3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43#)" +- " (d #6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4#)" +- " ))" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "(private-key" +- " (ecdsa" +- " (curve \"NIST P-224\")" +- " (q #04" +- " 00CF08DA5AD719E42707FA431292DEA11244D64FC51610D94B130D6C" +- " EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A#)" +- " (d #F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1#)" +- " ))" +- }, +- { + "ECDSA, 256 bits (prime field)", + "(private-key" + " (ecdsa" +@@ -443,169 +422,6 @@ check_dsa_rfc6979 (void) + "C9F0BDABCC0D880BB137A994CC7F3980CE91CC10FAF529FC46565B15CEA854E1" + }, + { +- "ECDSA, 192 bits (prime field)", +- "With SHA-1, message = \"sample\"", +- "sha1", "sample", +- "37D7CA00D2C7B0E5E412AC03BD44BA837FDD5B28CD3B0021", +- "98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF", +- "57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-224, message = \"sample\"", +- "sha224", "sample", +- "4381526B3FC1E7128F202E194505592F01D5FF4C5AF015D8", +- "A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5", +- "E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-256, message = \"sample\"", +- "sha256", "sample", +- "32B1B6D7D42A05CB449065727A84804FB1A3E34D8F261496", +- "4B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55", +- "CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-384, message = \"sample\"", +- "sha384", "sample", +- "4730005C4FCB01834C063A7B6760096DBE284B8252EF4311", +- "DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5", +- "C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-512, message = \"sample\"", +- "sha512", "sample", +- "A2AC7AB055E4F20692D49209544C203A7D1F2C0BFBC75DB1", +- "4D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B8", +- "3F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-1, message = \"test\"", +- "sha1", "test", +- "D9CF9C3D3297D3260773A1DA7418DB5537AB8DD93DE7FA25", +- "0F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D", +- "EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-224, message = \"test\"", +- "sha224", "test", +- "F5DC805F76EF851800700CCE82E7B98D8911B7D510059FBE", +- "6945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34", +- "B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-256, message = \"test\"", +- "sha256", "test", +- "5C4CE89CF56D9E7C77C8585339B006B97B5F0680B4306C6C", +- "3A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE", +- "5662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-384, message = \"test\"", +- "sha384", "test", +- "5AFEFB5D3393261B828DB6C91FBC68C230727B030C975693", +- "B234B60B4DB75A733E19280A7A6034BD6B1EE88AF5332367", +- "7994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A" +- }, +- { +- "ECDSA, 192 bits (prime field)", +- "With SHA-512, message = \"test\"", +- "sha512", "test", +- "0758753A5254759C7CFBAD2E2D9B0792EEE44136C9480527", +- "FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739", +- "74CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290" +- }, +- +- +- +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-1, message = \"sample\"", +- "sha1", "sample", +- "7EEFADD91110D8DE6C2C470831387C50D3357F7F4D477054B8B426BC", +- "22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC", +- "66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-224, message = \"sample\"", +- "sha224", "sample", +- "C1D1F2F10881088301880506805FEB4825FE09ACB6816C36991AA06D", +- "1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E", +- "A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-256, message = \"sample\"", +- "sha256", "sample", +- "AD3029E0278F80643DE33917CE6908C70A8FF50A411F06E41DEDFCDC", +- "61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA", +- "BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-384, message = \"sample\"", +- "sha384", "sample", +- "52B40F5A9D3D13040F494E83D3906C6079F29981035C7BD51E5CAC40", +- "0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953", +- "830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-512, message = \"sample\"", +- "sha512", "sample", +- "9DB103FFEDEDF9CFDBA05184F925400C1653B8501BAB89CEA0FBEC14", +- "074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397", +- "A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-1, message = \"test\"", +- "sha1", "test", +- "2519178F82C3F0E4F87ED5883A4E114E5B7A6E374043D8EFD329C253", +- "DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C", +- "95987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-224, message = \"test\"", +- "sha224", "test", +- "DF8B38D40DCA3E077D0AC520BF56B6D565134D9B5F2EAE0D34900524", +- "C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019", +- "902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-256, message = \"test\"", +- "sha256", "test", +- "FF86F57924DA248D6E44E8154EB69F0AE2AEBAEE9931D0B5A969F904", +- "AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6", +- "178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-384, message = \"test\"", +- "sha384", "test", +- "7046742B839478C1B5BD31DB2E862AD868E1A45C863585B5F22BDC2D", +- "389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4", +- "414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB" +- }, +- { +- "ECDSA, 224 bits (prime field)", +- "With SHA-512, message = \"test\"", +- "sha512", "test", +- "E39C2AA4EA6BE2306C72126D40ED77BF9739BB4D6EF2BBB1DCB6169D", +- "049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C", +- "077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFF" +- }, +- { + "ECDSA, 256 bits (prime field)", + "With SHA-1, message = \"sample\"", + "sha1", "sample", diff --git a/libgcrypt-1.6.1-fips-cavs.patch b/libgcrypt-1.6.1-fips-cavs.patch new file mode 100644 index 0000000..55aa66a --- /dev/null +++ b/libgcrypt-1.6.1-fips-cavs.patch @@ -0,0 +1,1123 @@ +diff -up libgcrypt-1.6.1/tests/cavs_driver.pl.cavs libgcrypt-1.6.1/tests/cavs_driver.pl +--- libgcrypt-1.6.1/tests/cavs_driver.pl.cavs 2013-03-15 20:25:38.000000000 +0100 ++++ libgcrypt-1.6.1/tests/cavs_driver.pl 2014-02-28 14:46:16.436544639 +0100 +@@ -1,9 +1,11 @@ + #!/usr/bin/env perl + # +-# $Id: cavs_driver.pl 1497 2009-01-22 14:01:29Z smueller $ ++# $Id: cavs_driver.pl 2124 2010-12-20 07:56:30Z smueller $ + # + # CAVS test driver (based on the OpenSSL driver) + # Written by: Stephan Müller ++# Werner Koch (libgcrypt interface) ++# Tomas Mraz (addition of DSA2) + # Copyright (c) atsec information security corporation + # + # Permission is hereby granted, free of charge, to any person obtaining a copy +@@ -85,13 +87,16 @@ + # T[CBC|CFB??|ECB|OFB]varkey + # T[CBC|CFB??|ECB|OFB]invperm + # T[CBC|CFB??|ECB|OFB]vartext ++# WARNING: TDES in CFB and OFB mode problems see below + # + # ANSI X9.31 RNG + # ANSI931_AES128MCT + # ANSI931_AES128VST + # +-# DSA ++# DSA2 + # PQGGen ++# PQGVer ++# KeyPair + # SigGen + # SigVer + # +@@ -101,6 +106,36 @@ + # RC4PltBD + # RC4REGT + # ++# ++# TDES MCT for CFB and OFB: ++# ------------------------- ++# The inner loop cannot be handled by this script. If you want to have tests ++# for these cipher types, implement your own inner loop and add it to ++# crypto_mct. ++# ++# the value $next_source in crypto_mct is NOT set by the standard implementation ++# of this script. It would need to be set as follows for these two (code take ++# from fipsdrv.c from libgcrypt - the value input at the end will contain the ++# the value for $next_source: ++# ++# ... inner loop ... ++# ... ++# get_current_iv (hd, last_iv, blocklen); ++# ... encrypt / decrypt (input is the data to be en/decrypted and output is the ++# result of operation) ... ++# if (encrypt_mode && (cipher_mode == GCRY_CIPHER_MODE_CFB)) ++# memcpy (input, last_iv, blocklen); ++# else if (cipher_mode == GCRY_CIPHER_MODE_OFB) ++# memcpy (input, last_iv, blocklen); ++# else if (!encrypt_mode && cipher_mode == GCRY_CIPHER_MODE_CFB) ++# { ++# /* Reconstruct the output vector. */ ++# int i; ++# for (i=0; i < blocklen; i++) ++# input[i] ^= output[i]; ++# } ++# ... inner loop ends ... ++# ==> now, the value of input is to be put into $next_source + + use strict; + use warnings; +@@ -226,6 +261,8 @@ my $hmac; + # Generate the P, Q, G, Seed, counter, h (value used to generate g) values + # for DSA + # $1: modulus size ++# $2: q size ++# $3: seed (might be empty string) + # return: string with the calculated values in hex format, where each value + # is separated from the previous with a \n in the following order: + # P\n +@@ -236,6 +273,19 @@ my $hmac; + # h + my $dsa_pqggen; + ++# Generate the G value from P and Q ++# for DSA ++# $1: modulus size ++# $2: q size ++# $3: P in hex form ++# $4: Q in hex form ++# return: string with the calculated values in hex format, where each value ++# is separated from the previous with a \n in the following order: ++# P\n ++# Q\n ++# G\n ++my $dsa_ggen; ++ + # + # Generate an DSA public key from the provided parameters: + # $1: Name of file to create +@@ -255,10 +305,20 @@ my $dsa_verify; + + # generate a new DSA key with the following properties: + # PEM format +-# $1 keyfile name +-# return: file created, hash with keys of P, Q, G in hex format ++# $1: modulus size ++# $2: q size ++# $3 keyfile name ++# return: file created with key, string with values of P, Q, G in hex format + my $gen_dsakey; + ++# generate a new DSA private key XY parameters in domain: ++# PEM format ++# $1: P in hex form ++# $2: Q in hex form ++# $3: G in hex form ++# return: string with values of X, Y in hex format ++my $gen_dsakey_domain; ++ + # Sign a message with DSA + # $1: data to be signed in hex form + # $2: Key file in PEM format with the private key +@@ -500,17 +560,32 @@ sub libgcrypt_hmac($$$$) { + return pipe_through_program($msg, $program); + } + +-sub libgcrypt_dsa_pqggen($) { ++sub libgcrypt_dsa_pqggen($$$) { ++ my $mod = shift; ++ my $qsize = shift; ++ my $seed = shift; ++ ++ my $program = "fipsdrv --keysize $mod --qsize $qsize dsa-pqg-gen"; ++ return pipe_through_program($seed, $program); ++} ++ ++sub libgcrypt_dsa_ggen($$$$) { + my $mod = shift; ++ my $qsize = shift; ++ my $p = shift; ++ my $q = shift; ++ my $domain = "(domain (p #$p#)(q #$q#))"; + +- my $program = "fipsdrv --keysize $mod dsa-pqg-gen"; ++ my $program = "fipsdrv --keysize $mod --qsize $qsize --key \'$domain\' dsa-g-gen"; + return pipe_through_program("", $program); + } + +-sub libgcrypt_gen_dsakey($) { ++sub libgcrypt_gen_dsakey($$$) { ++ my $mod = shift; ++ my $qsize = shift; + my $file = shift; + +- my $program = "fipsdrv --keysize 1024 --key $file dsa-gen"; ++ my $program = "fipsdrv --keysize $mod --qsize $qsize --key $file dsa-gen"; + my $tmp; + my %ret; + +@@ -519,10 +594,21 @@ sub libgcrypt_gen_dsakey($) { + $tmp = pipe_through_program("", $program); + die "dsa key gen failed: file $file not created" if (! -f $file); + +- @ret{'P', 'Q', 'G', 'Seed', 'c', 'H'} = split(/\n/, $tmp); ++ @ret{'P', 'Q', 'G'} = split(/\n/, $tmp); + return %ret; + } + ++sub libgcrypt_gen_dsakey_domain($$$) { ++ my $p = shift; ++ my $q = shift; ++ my $g = shift; ++ my $domain = "(domain (p #$p#)(q #$q#)(g #$g#))"; ++ ++ my $program = "fipsdrv --key '$domain' dsa-gen-key"; ++ ++ return pipe_through_program("", $program); ++} ++ + sub libgcrypt_dsa_genpubkey($$$$$) { + my $filename = shift; + my $p = shift; +@@ -1139,7 +1225,7 @@ sub hmac_kat($$$$) { + $out .= "Tlen = $tlen\n"; + $out .= "Key = $key\n"; + $out .= "Msg = $msg\n"; +- $out .= "Mac = " . &$hmac($key, $tlen, $msg, $hashtype{$tlen}) . "\n"; ++ $out .= "Mac = " . lc(&$hmac($key, $tlen, $msg, $hashtype{$tlen})) . "\n"; + + return $out; + } +@@ -1205,7 +1291,7 @@ sub crypto_mct($$$$$$$$) { + } + my ($CO, $CI); + my $cipher_imp = &$state_cipher($cipher, $enc, $bufsize, $key1, $iv); +- $cipher_imp = &$state_cipher_des($cipher, $enc, $bufsize, $key1, $iv) if($cipher =~ /des/); ++ $cipher_imp = &$state_cipher_des($cipher, $enc, $bufsize, $key1, $iv) if($cipher =~ /des/ && defined($state_cipher_des)); + my $pid = open2($CO, $CI, $cipher_imp); + + my $calc_data = $iv; # CT[j] +@@ -1213,8 +1299,8 @@ sub crypto_mct($$$$$$$$) { + my $old_old_calc_data; # CT[j-2] + my $next_source; + +- # TDES inner loop implements logic within driver +- if ($cipher =~ /des/) { ++ # TDES inner loop implements logic within driver of libgcrypt ++ if ($cipher =~ /des/ && $opt{'I'} && $opt{'I'} eq 'libgcrypt' ) { + # Need to provide a dummy IV in case of ECB mode. + my $iv_arg = (defined($iv) && $iv ne "") + ? bin2hex($iv) +@@ -1238,6 +1324,10 @@ sub crypto_mct($$$$$$$$) { + $line = <$CO>; + } else { + for (my $j = 0; $j < $iloop; ++$j) { ++ if ($cipher =~ /des-ede3-ofb/ || ++ (!$enc && $cipher =~ /des-ede3-cfb/)) { ++ die "Implementation lacks support for TDES OFB and TDES CFB in encryption mode - the problem is that we would need to extract the IV of the last round of encryption which would be the input for the next round - see comments in this script for implementation requirements"; ++ } + $old_old_calc_data = $old_calc_data; + $old_calc_data = $calc_data; + +@@ -1503,21 +1593,23 @@ sub rngx931($$$$) { + return $out; + } + +-# DSA PQGGen test ++# DSA PQGen test + # $1 modulus size +-# $2 number of rounds to perform the test ++# $2 q size ++# $3 number of rounds to perform the test + # return: string formatted as expected by CAVS +-sub dsa_pqggen_driver($$) { ++sub dsa_pqgen_driver($$$) { + my $mod = shift; ++ my $qsize = shift; + my $rounds = shift; + + my $out = ""; + for(my $i=0; $i<$rounds; $i++) { +- my $ret = &$dsa_pqggen($mod); ++ my $ret = &$dsa_pqggen($mod, $qsize, ""); + my ($P, $Q, $G, $Seed, $c, $H) = split(/\n/, $ret); +- die "Return value does not contain all expected values of P, Q, G, Seed, c, H for dsa_pqggen" +- if (!defined($P) || !defined($Q) || !defined($G) || +- !defined($Seed) || !defined($c) || !defined($H)); ++ die "Return value does not contain all expected values of P, Q, Seed, c for dsa_pqggen" ++ if (!defined($P) || !defined($Q) || ++ !defined($Seed) || !defined($c)); + + # now change the counter to decimal as CAVS wants decimal + # counter value although all other is HEX +@@ -1525,15 +1617,166 @@ sub dsa_pqggen_driver($$) { + + $out .= "P = $P\n"; + $out .= "Q = $Q\n"; +- $out .= "G = $G\n"; +- $out .= "Seed = $Seed\n"; +- $out .= "c = $c\n"; +- $out .= "H = $H\n\n"; ++ $out .= "domain_parameter_seed = $Seed\n"; ++ $out .= "counter = $c\n\n"; + } + + return $out; + } + ++# DSA GGen test ++# $1 modulus size ++# $2 q size ++# $3 p in hex form ++# $4 q in hex form ++# return: string formatted as expected by CAVS ++sub dsa_ggen_driver($$$$) { ++ my $mod = shift; ++ my $qsize = shift; ++ my $p = shift; ++ my $q = shift; ++ ++ my $out = ""; ++ my $ret = &$dsa_ggen($mod, $qsize, $p, $q); ++ my ($P, $Q, $G) = split(/\n/, $ret); ++ die "Return value does not contain all expected values of P, Q, G for dsa_ggen" ++ if (!defined($P) || !defined($Q) || !defined($G)); ++ ++ $out .= "G = $G\n\n"; ++ ++ return $out; ++} ++ ++sub hexcomp($$) { ++ my $a = lc shift; ++ my $b = lc shift; ++ ++ if (length $a < length $b) { ++ my $c = $a; ++ $a = $b; ++ $b = $a; ++ } ++ ++ while (length $b < length $a) { ++ $b = "00$b"; ++ } ++ ++ return $a eq $b; ++} ++ ++# DSA PQVer test ++# $1 modulus size ++# $2 q size ++# $3 p in hex form ++# $4 q in hex form ++# $5 seed in hex form ++# $6 c decimal counter ++# return: string formatted as expected by CAVS ++sub dsa_pqver_driver($$$$$$) { ++ my $mod = shift; ++ my $qsize = shift; ++ my $p = shift; ++ my $q = shift; ++ my $seed = shift; ++ my $c = shift; ++ ++ my $out = ""; ++ my $ret = &$dsa_pqggen($mod, $qsize, $seed); ++ my ($P, $Q, $G, $seed2, $c2, $h2) = split(/\n/, $ret); ++ die "Return value does not contain all expected values of P, Q, G, seed, c for dsa_pqggen" ++ if (!defined($P) || !defined($Q) || !defined($G) || ++ !defined($seed2) || !defined($c2)); ++ ++ $c2 = hex($c2); ++ ++ $out .= "Seed = $seed\n"; ++ $out .= "c = $c\n"; ++ ++ if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($seed, $seed2) && $c == $c2) { ++ $out .= "Result = P\n\n"; ++ } ++ else { ++ $out .= "Result = F\n\n"; ++ } ++ return $out; ++} ++ ++# DSA PQGVer test ++# $1 modulus size ++# $2 q size ++# $3 p in hex form ++# $4 q in hex form ++# $5 g in hex form ++# $6 seed in hex form ++# $7 c decimal counter ++# $8 h in hex form ++# return: string formatted as expected by CAVS ++sub dsa_pqgver_driver($$$$$$$$) { ++ my $mod = shift; ++ my $qsize = shift; ++ my $p = shift; ++ my $q = shift; ++ my $g = shift; ++ my $seed = shift; ++ my $c = shift; ++ my $h = shift; ++ ++ my $out = ""; ++ my $ret = &$dsa_pqggen($mod, $qsize, $seed); ++ my ($P, $Q, $G, $seed2, $c2, $h2) = split(/\n/, $ret); ++ die "Return value does not contain all expected values of P, Q, G, seed, c, H for dsa_pqggen" ++ if (!defined($P) || !defined($Q) || !defined($G) || ++ !defined($seed2) || !defined($c2) || !defined($h2)); ++ ++ ++ ++ $out .= "Seed = $seed\n"; ++ $out .= "c = $c\n"; ++ $out .= "H = $h\n"; ++ ++ $c2 = hex($c2); ++ ++ if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($G, $g) && hexcomp($seed, $seed2) && ++ $c == $c2 && hex($h) == hex($h2)) { ++ $out .= "Result = P\n\n"; ++ } ++ else { ++ $out .= "Result = F\n\n"; ++ } ++ ++ return $out; ++} ++ ++# DSA Keypair test ++# $1 modulus size ++# $2 q size ++# $3 number of rounds to perform the test ++# return: string formatted as expected by CAVS ++sub dsa_keypair_driver($$$) { ++ my $mod = shift; ++ my $qsize = shift; ++ my $rounds = shift; ++ ++ my $out = ""; ++ my $tmpkeyfile = "dsa_siggen.tmp.$$"; ++ my %pqg = &$gen_dsakey($mod, $qsize, $tmpkeyfile); ++ $out .= "P = " . $pqg{'P'} . "\n"; ++ $out .= "Q = " . $pqg{'Q'} . "\n"; ++ $out .= "G = " . $pqg{'G'} . "\n\n"; ++ unlink($tmpkeyfile); ++ ++ for(my $i=0; $i<$rounds; $i++) { ++ my $ret = &$gen_dsakey_domain($pqg{'P'}, $pqg{'Q'}, $pqg{'G'}); ++ my ($X, $Y) = split(/\n/, $ret); ++ die "Return value does not contain all expected values of X, Y for gen_dsakey_domain" ++ if (!defined($X) || !defined($Y)); ++ ++ $out .= "X = $X\n"; ++ $out .= "Y = $Y\n\n"; ++ } ++ ++ return $out; ++} + + # DSA SigGen test + # $1: Message to be signed in hex form +@@ -1658,12 +1901,16 @@ sub parse($$) { + my $klen = ""; + my $tlen = ""; + my $modulus = ""; ++ my $qsize = ""; + my $capital_n = 0; ++ my $num = 0; + my $capital_p = ""; + my $capital_q = ""; + my $capital_g = ""; + my $capital_y = ""; + my $capital_r = ""; ++ my $capital_h = ""; ++ my $c = ""; + my $xp1 = ""; + my $xp2 = ""; + my $Xp = ""; +@@ -1700,7 +1947,7 @@ sub parse($$) { + + ##### Extract cipher + # XXX there may be more - to be added +- if ($tmpline =~ /^#.*(CBC|ECB|OFB|CFB|SHA-|SigGen|SigVer|RC4VS|ANSI X9\.31|Hash sizes tested|PQGGen|KeyGen RSA)/) { ++ if ($tmpline =~ /^#.*(CBC|ECB|OFB|CFB|SHA-|SigGen|SigVer|RC4VS|ANSI X9\.31|Hash sizes tested|PQGGen|KeyGen RSA|KeyPair|PQGVer)/) { + if ($tmpline =~ /CBC/) { $mode="cbc"; } + elsif ($tmpline =~ /ECB/) { $mode="ecb"; } + elsif ($tmpline =~ /OFB/) { $mode="ofb"; } +@@ -1749,7 +1996,15 @@ sub parse($$) { + + if ($tt == 0) { + ##### Identify the test type +- if ($tmpline =~ /KeyGen RSA \(X9\.31\)/) { ++ if ($tmpline =~ /PQGVer/) { ++ $tt = 16; ++ die "Interface function for DSA PQGVer testing not defined for tested library" ++ if (!defined($dsa_pqggen)); ++ } elsif ($tmpline =~ /KeyPair/) { ++ $tt = 14; ++ die "Interface function dsa_keygen for DSA key generation not defined for tested library" ++ if (!defined($gen_dsakey_domain)); ++ } elsif ($tmpline =~ /KeyGen RSA \(X9\.31\)/) { + $tt = 13; + die "Interface function rsa_derive for RSA key generation not defined for tested library" + if (!defined($rsa_derive)); +@@ -1760,11 +2015,11 @@ sub parse($$) { + } elsif ($tmpline =~ /SigGen/ && $opt{'D'}) { + $tt = 11; + die "Interface function dsa_sign or gen_dsakey for DSA sign not defined for tested library" +- if (!defined($dsa_sign) || !defined($gen_rsakey)); ++ if (!defined($dsa_sign) || !defined($gen_dsakey)); + } elsif ($tmpline =~ /PQGGen/) { + $tt = 10; + die "Interface function for DSA PQGGen testing not defined for tested library" +- if (!defined($dsa_pqggen)); ++ if (!defined($dsa_pqggen) || !defined($dsa_ggen)); + } elsif ($tmpline =~ /Hash sizes tested/) { + $tt = 9; + die "Interface function hmac for HMAC testing not defined for tested library" +@@ -1792,7 +2047,7 @@ sub parse($$) { + } elsif ($tmpline =~ /Monte|MCT|Carlo/) { + $tt = 2; + die "Interface function state_cipher for Stateful Cipher operation defined for tested library" +- if (!defined($state_cipher) || !defined($state_cipher_des)); ++ if (!defined($state_cipher) && !defined($state_cipher_des)); + } elsif ($cipher =~ /^sha/) { + $tt = 3; + die "Interface function hash for Hashing not defined for tested library" +@@ -1875,18 +2130,44 @@ sub parse($$) { + die "Msg/Seed seen twice - input file crap" if ($pt ne ""); + $pt=$2; + } +- elsif ($line =~ /^\[mod\s*=\s*(.*)\]$/) { # found in RSA requests ++ elsif ($line =~ /^\[A.2.1\s.*\]$/) { # found in DSA2 PQGGen request ++ $out .= $line . "\n"; # print it ++ if ($tt == 10) { ++ # now generate G from PQ ++ $tt = 15; ++ } ++ } ++ elsif ($line =~ /^\[A.2.2\s.*\]$/) { # found in DSA2 PQGVer request ++ $out .= $line . "\n"; # print it ++ if ($tt == 16) { ++ # now verify PQG ++ $tt = 17; ++ } ++ } ++ elsif ($line =~ /^\[mod\s*=\s*L=([0-9]*),\s*N=([0-9]*).*\]$/) { # found in DSA2 requests + $modulus = $1; ++ $qsize = $2; + $out .= $line . "\n\n"; # print it ++ # clear eventual PQG ++ $capital_p = ""; ++ $capital_q = ""; ++ $capital_g = ""; + # generate the private key with given bit length now + # as we have the required key length in bit + if ($tt == 11) { + $dsa_keyfile = "dsa_siggen.tmp.$$"; +- my %pqg = &$gen_dsakey($dsa_keyfile); ++ my %pqg = &$gen_dsakey($modulus, $qsize, $dsa_keyfile); + $out .= "P = " . $pqg{'P'} . "\n"; + $out .= "Q = " . $pqg{'Q'} . "\n"; +- $out .= "G = " . $pqg{'G'} . "\n"; +- } elsif ( $tt == 5 ) { ++ $out .= "G = " . $pqg{'G'} . "\n\n"; ++ } ++ } ++ elsif ($line =~ /^\[mod\s*=\s*(.*)\]$/) { # found in RSA requests ++ $modulus = $1; ++ $out .= $line . "\n\n"; # print it ++ # generate the private key with given bit length now ++ # as we have the required key length in bit ++ if ( $tt == 5 ) { + # XXX maybe a secure temp file name is better here + # but since it is not run on a security sensitive + # system, I hope that this is fine +@@ -1932,11 +2213,16 @@ sub parse($$) { + if ($tlen ne ""); + $tlen=$1; + } +- elsif ($line =~ /^N\s*=\s*(.*)/) { #DSA PQGGen ++ elsif ($line =~ /^N\s*=\s*(.*)/) { #DSA KeyPair + die "N seen twice - check input file" + if ($capital_n); + $capital_n = $1; + } ++ elsif ($line =~ /^Num\s*=\s*(.*)/) { #DSA PQGGen ++ die "Num seen twice - check input file" ++ if ($num); ++ $num = $1; ++ } + elsif ($line =~ /^P\s*=\s*(.*)/) { #DSA SigVer + die "P seen twice - check input file" + if ($capital_p); +@@ -1965,6 +2251,16 @@ sub parse($$) { + if ($capital_r); + $capital_r = $1; + } ++ elsif ($line =~ /^H\s*=\s*(.*)/) { #DSA PQGVer ++ die "H seen twice - check input file" ++ if ($capital_h); ++ $capital_h = $1; ++ } ++ elsif ($line =~ /^c\s*=\s*(.*)/) { #DSA PQGVer ++ die "c seen twice - check input file" ++ if ($c); ++ $c = $1; ++ } + elsif ($line =~ /^xp1\s*=\s*(.*)/) { #RSA key gen + die "xp1 seen twice - check input file" + if ($xp1); +@@ -2074,11 +2370,10 @@ sub parse($$) { + } + } + elsif ($tt == 10) { +- if ($modulus ne "" && $capital_n > 0) { +- $out .= dsa_pqggen_driver($modulus, $capital_n); +- #$mod is not resetted +- $capital_n = 0; +- } ++ if ($modulus ne "" && $qsize ne "" && $num > 0) { ++ $out .= dsa_pqgen_driver($modulus, $qsize, $num); ++ $num = 0; ++ } + } + elsif ($tt == 11) { + if ($pt ne "" && $dsa_keyfile ne "") { +@@ -2141,6 +2436,74 @@ sub parse($$) { + $Xq = ""; + } + } ++ elsif ($tt == 14) { ++ if ($modulus ne "" && ++ $qsize ne "" && ++ $capital_n > 0) { ++ $out .= dsa_keypair_driver($modulus, ++ $qsize, ++ $capital_n); ++ $capital_n = 0; ++ } ++ } ++ elsif ($tt == 15) { ++ if ($modulus ne "" && ++ $qsize ne "" && ++ $capital_p ne "" && ++ $capital_q ne "") { ++ $out .= dsa_ggen_driver($modulus, ++ $qsize, ++ $capital_p, ++ $capital_q); ++ $capital_p = ""; ++ $capital_q = ""; ++ $num--; ++ } ++ } ++ elsif ($tt == 16) { ++ if ($modulus ne "" && ++ $qsize ne "" && ++ $capital_p ne "" && ++ $capital_q ne "" && ++ $pt ne "" && ++ $c ne "") { ++ $out .= dsa_pqver_driver($modulus, ++ $qsize, ++ $capital_p, ++ $capital_q, ++ $pt, ++ $c); ++ $capital_p = ""; ++ $capital_q = ""; ++ $pt = ""; ++ $c = ""; ++ } ++ } ++ elsif ($tt == 17) { ++ if ($modulus ne "" && ++ $qsize ne "" && ++ $capital_p ne "" && ++ $capital_q ne "" && ++ $capital_g ne "" && ++ $pt ne "" && ++ $c ne "" && ++ $capital_h ne "") { ++ $out .= dsa_pqgver_driver($modulus, ++ $qsize, ++ $capital_p, ++ $capital_q, ++ $capital_g, ++ $pt, ++ $c, ++ $capital_h); ++ $capital_p = ""; ++ $capital_q = ""; ++ $capital_g = ""; ++ $pt = ""; ++ $c = ""; ++ $capital_h = ""; ++ } ++ } + elsif ($tt > 0) { + die "Test case $tt not defined"; + } +@@ -2199,7 +2562,9 @@ sub main() { + $state_rng = \&libgcrypt_state_rng; + $hmac = \&libgcrypt_hmac; + $dsa_pqggen = \&libgcrypt_dsa_pqggen; ++ $dsa_ggen = \&libgcrypt_dsa_ggen; + $gen_dsakey = \&libgcrypt_gen_dsakey; ++ $gen_dsakey_domain = \&libgcrypt_gen_dsakey_domain; + $dsa_sign = \&libgcrypt_dsa_sign; + $dsa_verify = \&libgcrypt_dsa_verify; + $dsa_genpubkey = \&libgcrypt_dsa_genpubkey; +diff -up libgcrypt-1.6.1/tests/cavs_tests.sh.cavs libgcrypt-1.6.1/tests/cavs_tests.sh +--- libgcrypt-1.6.1/tests/cavs_tests.sh.cavs 2013-03-15 20:25:38.000000000 +0100 ++++ libgcrypt-1.6.1/tests/cavs_tests.sh 2014-02-28 14:46:16.437544662 +0100 +@@ -55,7 +55,7 @@ function run_one_test () { + [ -d "$respdir" ] || mkdir "$respdir" + [ -f "$rspfile" ] && rm "$rspfile" + +- if echo "$reqfile" | grep '/DSA/req/' >/dev/null 2>/dev/null; then ++ if echo "$reqfile" | grep '/DSA.\?/req/' >/dev/null 2>/dev/null; then + dflag="-D" + fi + +diff -up libgcrypt-1.6.1/tests/fipsdrv.c.cavs libgcrypt-1.6.1/tests/fipsdrv.c +--- libgcrypt-1.6.1/tests/fipsdrv.c.cavs 2013-12-16 18:44:32.000000000 +0100 ++++ libgcrypt-1.6.1/tests/fipsdrv.c 2014-02-28 14:46:16.437544662 +0100 +@@ -893,6 +893,9 @@ print_mpi_line (gcry_mpi_t a, int no_lz) + die ("gcry_mpi_aprint failed: %s\n", gpg_strerror (err)); + + p = buf; ++ while (*p) ++ *p++ = tolower(*p); ++ p = buf; + if (no_lz && p[0] == '0' && p[1] == '0' && p[2]) + p += 2; + +@@ -1675,14 +1678,14 @@ run_rsa_verify (const void *data, size_t + /* Generate a DSA key of size KEYSIZE and return the complete + S-expression. */ + static gcry_sexp_t +-dsa_gen (int keysize) ++dsa_gen (int keysize, int qsize) + { + gpg_error_t err; + gcry_sexp_t keyspec, key; + + err = gcry_sexp_build (&keyspec, NULL, +- "(genkey (dsa (nbits %d)(use-fips186-2)))", +- keysize); ++ "(genkey (dsa (nbits %d)(qbits %d)(use-fips186)))", ++ keysize, qsize); + if (err) + die ("gcry_sexp_build failed for DSA key generation: %s\n", + gpg_strerror (err)); +@@ -1700,7 +1703,7 @@ dsa_gen (int keysize) + /* Generate a DSA key of size KEYSIZE and return the complete + S-expression. */ + static gcry_sexp_t +-dsa_gen_with_seed (int keysize, const void *seed, size_t seedlen) ++dsa_gen_with_seed (int keysize, int qsize, const void *seed, size_t seedlen) + { + gpg_error_t err; + gcry_sexp_t keyspec, key; +@@ -1709,10 +1712,11 @@ dsa_gen_with_seed (int keysize, const vo + "(genkey" + " (dsa" + " (nbits %d)" +- " (use-fips186-2)" ++ " (qbits %d)" ++ " (use-fips186)" + " (derive-parms" + " (seed %b))))", +- keysize, (int)seedlen, seed); ++ keysize, qsize, (int)seedlen, seed); + if (err) + die ("gcry_sexp_build failed for DSA key generation: %s\n", + gpg_strerror (err)); +@@ -1720,6 +1724,37 @@ dsa_gen_with_seed (int keysize, const vo + err = gcry_pk_genkey (&key, keyspec); + if (err) + die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); ++ ++ gcry_sexp_release (keyspec); ++ ++ return key; ++} ++ ++/* Generate a DSA key with specified domain parameters and return the complete ++ S-expression. */ ++static gcry_sexp_t ++dsa_gen_key (const char *domain) ++{ ++ gpg_error_t err; ++ gcry_sexp_t keyspec, key, domspec; ++ ++ err = gcry_sexp_new (&domspec, domain, strlen(domain), 0); ++ if (err) ++ die ("gcry_sexp_build failed for domain spec: %s\n", ++ gpg_strerror (err)); ++ ++ err = gcry_sexp_build (&keyspec, NULL, ++ "(genkey" ++ " (dsa" ++ " (use-fips186)" ++ " %S))", ++ domspec); ++ if (err) ++ die ("gcry_sexp_build failed for DSA key generation: %s\n", ++ gpg_strerror (err)); ++ err = gcry_pk_genkey (&key, keyspec); ++ if (err) ++ die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); + + gcry_sexp_release (keyspec); + +@@ -1732,7 +1767,7 @@ dsa_gen_with_seed (int keysize, const vo + with one parameter per line in hex format using this order: p, q, + g, seed, counter, h. */ + static void +-print_dsa_domain_parameters (gcry_sexp_t key) ++print_dsa_domain_parameters (gcry_sexp_t key, int print_misc) + { + gcry_sexp_t l1, l2; + gcry_mpi_t mpi; +@@ -1768,6 +1803,9 @@ print_dsa_domain_parameters (gcry_sexp_t + } + gcry_sexp_release (l1); + ++ if (!print_misc) ++ return; ++ + /* Extract the seed values. */ + l1 = gcry_sexp_find_token (key, "misc-key-info", 0); + if (!l1) +@@ -1819,38 +1857,106 @@ print_dsa_domain_parameters (gcry_sexp_t + } + + +-/* Generate DSA domain parameters for a modulus size of KEYSIZE. The ++/* Print just the XY private key parameters. KEY ++ is the complete key as returned by dsa_gen. We print to stdout ++ with one parameter per line in hex format using this order: x, y. */ ++static void ++print_dsa_xy (gcry_sexp_t key) ++{ ++ gcry_sexp_t l1, l2; ++ gcry_mpi_t mpi; ++ int idx; ++ ++ l1 = gcry_sexp_find_token (key, "private-key", 0); ++ if (!l1) ++ die ("private key not found in genkey result\n"); ++ ++ l2 = gcry_sexp_find_token (l1, "dsa", 0); ++ if (!l2) ++ die ("returned private key not formed as expected\n"); ++ gcry_sexp_release (l1); ++ l1 = l2; ++ ++ /* Extract the parameters from the S-expression and print them to stdout. */ ++ for (idx=0; "xy"[idx]; idx++) ++ { ++ l2 = gcry_sexp_find_token (l1, "xy"+idx, 1); ++ if (!l2) ++ die ("no %c parameter in returned public key\n", "xy"[idx]); ++ mpi = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG); ++ if (!mpi) ++ die ("no value for %c parameter in returned private key\n","xy"[idx]); ++ gcry_sexp_release (l2); ++ if (standalone_mode) ++ printf ("%c = ", "XY"[idx]); ++ print_mpi_line (mpi, 1); ++ gcry_mpi_release (mpi); ++ } ++ ++ gcry_sexp_release (l1); ++} ++ ++ ++/* Generate DSA pq domain parameters for a modulus size of KEYSIZE. The + result is printed to stdout with one parameter per line in hex +- format and in this order: p, q, g, seed, counter, h. If SEED is ++ format and in this order: p, q, seed, counter. If SEED is + not NULL this seed value will be used for the generation. */ + static void +-run_dsa_pqg_gen (int keysize, const void *seed, size_t seedlen) ++run_dsa_pqg_gen (int keysize, int qsize, const void *seed, size_t seedlen) + { + gcry_sexp_t key; + + if (seed) +- key = dsa_gen_with_seed (keysize, seed, seedlen); ++ key = dsa_gen_with_seed (keysize, qsize, seed, seedlen); + else +- key = dsa_gen (keysize); +- print_dsa_domain_parameters (key); ++ key = dsa_gen (keysize, qsize); ++ print_dsa_domain_parameters (key, 1); ++ gcry_sexp_release (key); ++} ++ ++ ++/* Generate DSA domain parameters for a modulus size of KEYSIZE. The ++ result is printed to stdout with one parameter per line in hex ++ format and in this order: p, q, g, seed, counter, h. If SEED is ++ not NULL this seed value will be used for the generation. */ ++static void ++run_dsa_g_gen (int keysize, int qsize, const char *domain) ++{ ++ gcry_sexp_t key; ++ ++ key = dsa_gen_key (domain); ++ print_dsa_domain_parameters (key, 0); ++ gcry_sexp_release (key); ++} ++ ++/* Generate a DSA key with specified domain parameters ++ and print the XY values. */ ++static void ++run_dsa_gen_key (const char *domain) ++{ ++ gcry_sexp_t key; ++ ++ key = dsa_gen_key (domain); ++ print_dsa_xy (key); ++ + gcry_sexp_release (key); + } + + + /* Generate a DSA key of size of KEYSIZE and write the private key to + FILENAME. Also write the parameters to stdout in the same way as +- run_dsa_pqg_gen. */ ++ run_dsa_g_gen. */ + static void +-run_dsa_gen (int keysize, const char *filename) ++run_dsa_gen (int keysize, int qsize, const char *filename) + { + gcry_sexp_t key, private_key; + FILE *fp; + +- key = dsa_gen (keysize); ++ key = dsa_gen (keysize, qsize); + private_key = gcry_sexp_find_token (key, "private-key", 0); + if (!private_key) + die ("private key not found in genkey result\n"); +- print_dsa_domain_parameters (key); ++ print_dsa_domain_parameters (key, 1); + + fp = fopen (filename, "wb"); + if (!fp) +@@ -1863,6 +1969,53 @@ run_dsa_gen (int keysize, const char *fi + } + + ++static int ++dsa_hash_from_key(gcry_sexp_t s_key) ++{ ++ gcry_sexp_t l1, l2; ++ gcry_mpi_t q; ++ unsigned int qbits; ++ ++ l1 = gcry_sexp_find_token (s_key, "public-key", 0); ++ if (!l1) ++ { ++ l1 = gcry_sexp_find_token (s_key, "private-key", 0); ++ if (!l1) ++ die ("neither private nor public key found in the loaded key\n"); ++ } ++ ++ l2 = gcry_sexp_find_token (l1, "dsa", 0); ++ if (!l2) ++ die ("public key not formed as expected - no dsa\n"); ++ gcry_sexp_release (l1); ++ l1 = l2; ++ ++ l2 = gcry_sexp_find_token (l1, "q", 0); ++ if (!l2) ++ die ("public key not formed as expected - no q\n"); ++ gcry_sexp_release (l1); ++ l1 = l2; ++ ++ q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG); ++ if (!q) ++ die ("public key not formed as expected - no mpi in q\n"); ++ qbits = gcry_mpi_get_nbits(q); ++ gcry_sexp_release(l1); ++ gcry_mpi_release(q); ++ switch(qbits) ++ { ++ case 160: ++ return GCRY_MD_SHA1; ++ case 224: ++ return GCRY_MD_SHA224; ++ case 256: ++ return GCRY_MD_SHA256; ++ default: ++ die("bad number bits (%d) of q in key\n", qbits); ++ } ++ return GCRY_MD_NONE; ++} ++ + + /* Sign DATA of length DATALEN using the key taken from the S-expression + encoded KEYFILE. */ +@@ -1872,11 +2025,16 @@ run_dsa_sign (const void *data, size_t d + { + gpg_error_t err; + gcry_sexp_t s_data, s_key, s_sig, s_tmp, s_tmp2; +- char hash[20]; ++ char hash[128]; + gcry_mpi_t tmpmpi; ++ int algo; ++ ++ s_key = read_sexp_from_file (keyfile); ++ algo = dsa_hash_from_key(s_key); + +- gcry_md_hash_buffer (GCRY_MD_SHA1, hash, data, datalen); +- err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, 20, NULL); ++ gcry_md_hash_buffer (algo, hash, data, datalen); ++ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, ++ gcry_md_get_algo_dlen(algo), NULL); + if (!err) + { + err = gcry_sexp_build (&s_data, NULL, +@@ -1887,8 +2045,6 @@ run_dsa_sign (const void *data, size_t d + die ("gcry_sexp_build failed for DSA data input: %s\n", + gpg_strerror (err)); + +- s_key = read_sexp_from_file (keyfile); +- + err = gcry_pk_sign (&s_sig, s_data, s_key); + if (err) + { +@@ -1964,13 +2120,18 @@ run_dsa_verify (const void *data, size_t + { + gpg_error_t err; + gcry_sexp_t s_data, s_key, s_sig; +- char hash[20]; ++ char hash[128]; + gcry_mpi_t tmpmpi; ++ int algo; ++ ++ s_key = read_sexp_from_file (keyfile); ++ algo = dsa_hash_from_key(s_key); + +- gcry_md_hash_buffer (GCRY_MD_SHA1, hash, data, datalen); ++ gcry_md_hash_buffer (algo, hash, data, datalen); + /* Note that we can't simply use %b with HASH to build the + S-expression, because that might yield a negative value. */ +- err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, 20, NULL); ++ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, ++ gcry_md_get_algo_dlen(algo), NULL); + if (!err) + { + err = gcry_sexp_build (&s_data, NULL, +@@ -1981,7 +2142,6 @@ run_dsa_verify (const void *data, size_t + die ("gcry_sexp_build failed for DSA data input: %s\n", + gpg_strerror (err)); + +- s_key = read_sexp_from_file (keyfile); + s_sig = read_sexp_from_file (sigfile); + + err = gcry_pk_verify (s_sig, s_data, s_key); +@@ -2014,7 +2174,7 @@ usage (int show_help) + "Run a crypto operation using hex encoded input and output.\n" + "MODE:\n" + " encrypt, decrypt, digest, random, hmac-sha,\n" +- " rsa-{derive,gen,sign,verify}, dsa-{pqg-gen,gen,sign,verify}\n" ++ " rsa-{derive,gen,sign,verify}, dsa-{pq-gen,g-gen,gen,sign,verify}\n" + "OPTIONS:\n" + " --verbose Print additional information\n" + " --binary Input and output is in binary form\n" +@@ -2024,6 +2184,7 @@ usage (int show_help) + " --dt DT Use the hex encoded DT for the RNG\n" + " --algo NAME Use algorithm NAME\n" + " --keysize N Use a keysize of N bits\n" ++ " --qize N Use a DSA q parameter size of N bits\n" + " --signature NAME Take signature from file NAME\n" + " --chunk N Read in chunks of N bytes (implies --binary)\n" + " --pkcs1 Use PKCS#1 encoding\n" +@@ -2050,6 +2211,7 @@ main (int argc, char **argv) + const char *dt_string = NULL; + const char *algo_string = NULL; + const char *keysize_string = NULL; ++ const char *qsize_string = NULL; + const char *signature_string = NULL; + FILE *input; + void *data; +@@ -2143,6 +2305,14 @@ main (int argc, char **argv) + keysize_string = *argv; + argc--; argv++; + } ++ else if (!strcmp (*argv, "--qsize")) ++ { ++ argc--; argv++; ++ if (!argc) ++ usage (0); ++ qsize_string = *argv; ++ argc--; argv++; ++ } + else if (!strcmp (*argv, "--signature")) + { + argc--; argv++; +@@ -2463,23 +2633,49 @@ main (int argc, char **argv) + } + else if (!strcmp (mode_string, "dsa-pqg-gen")) + { +- int keysize; ++ int keysize, qsize; + + keysize = keysize_string? atoi (keysize_string) : 0; + if (keysize < 1024 || keysize > 3072) + die ("invalid keysize specified; needs to be 1024 .. 3072\n"); +- run_dsa_pqg_gen (keysize, datalen? data:NULL, datalen); ++ qsize = qsize_string? atoi (qsize_string) : 0; ++ if (qsize < 160 || qsize > 256) ++ die ("invalid qsize specified; needs to be 160 .. 256\n"); ++ run_dsa_pqg_gen (keysize, qsize, datalen? data:NULL, datalen); ++ } ++ else if (!strcmp (mode_string, "dsa-g-gen")) ++ { ++ int keysize, qsize; ++ ++ keysize = keysize_string? atoi (keysize_string) : 0; ++ if (keysize < 1024 || keysize > 3072) ++ die ("invalid keysize specified; needs to be 1024 .. 3072\n"); ++ qsize = qsize_string? atoi (qsize_string) : 0; ++ if (qsize < 160 || qsize > 256) ++ die ("invalid qsize specified; needs to be 160 .. 256\n"); ++ if (!key_string) ++ die ("option --key containing pq domain parameters is required in this mode\n"); ++ run_dsa_g_gen (keysize, qsize, key_string); ++ } ++ else if (!strcmp (mode_string, "dsa-gen-key")) ++ { ++ if (!key_string) ++ die ("option --key containing pqg domain parameters is required in this mode\n"); ++ run_dsa_gen_key (key_string); + } + else if (!strcmp (mode_string, "dsa-gen")) + { +- int keysize; ++ int keysize, qsize; + + keysize = keysize_string? atoi (keysize_string) : 0; + if (keysize < 1024 || keysize > 3072) + die ("invalid keysize specified; needs to be 1024 .. 3072\n"); ++ qsize = qsize_string? atoi (qsize_string) : 0; ++ if (qsize < 160 || qsize > 256) ++ die ("invalid qsize specified; needs to be 160 .. 256\n"); + if (!key_string) + die ("option --key is required in this mode\n"); +- run_dsa_gen (keysize, key_string); ++ run_dsa_gen (keysize, qsize, key_string); + } + else if (!strcmp (mode_string, "dsa-sign")) + { diff --git a/libgcrypt-1.6.1-fips-cfgrandom.patch b/libgcrypt-1.6.1-fips-cfgrandom.patch new file mode 100644 index 0000000..8aae15f --- /dev/null +++ b/libgcrypt-1.6.1-fips-cfgrandom.patch @@ -0,0 +1,141 @@ +diff -up libgcrypt-1.6.1/random/random-fips.c.cfgrandom libgcrypt-1.6.1/random/random-fips.c +--- libgcrypt-1.6.1/random/random-fips.c.cfgrandom 2014-02-28 16:06:20.026572478 +0100 ++++ libgcrypt-1.6.1/random/random-fips.c 2014-02-28 16:06:34.851915121 +0100 +@@ -27,10 +27,10 @@ + There are 3 random context which map to the different levels of + random quality: + +- Generator Seed and Key Kernel entropy (init/reseed) +- ------------------------------------------------------------ +- GCRY_VERY_STRONG_RANDOM /dev/random 256/128 bits +- GCRY_STRONG_RANDOM /dev/random 256/128 bits ++ Generator Seed and Key Kernel entropy (init/reseed) ++ --------------------------------------------------------------------------------------- ++ GCRY_VERY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits ++ GCRY_STRONG_RANDOM /etc/gcrypt/rngseed+/dev/urandom 256/128 bits + gcry_create_nonce GCRY_STRONG_RANDOM n/a + + All random generators return their data in 128 bit blocks. If the +@@ -40,8 +40,10 @@ + (SEED_TTL) output blocks; the re-seeding is disabled in test mode. + + The GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are +- keyed and seeded from the /dev/random device. Thus these +- generators may block until the kernel has collected enough entropy. ++ keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed ++ if the device or symlink to device exists xored with the data ++ from the /dev/urandom device. This allows the system administrator ++ to always seed the RNGs from /dev/random if it is required. + + The gcry_create_nonce generator is keyed and seeded from the + GCRY_STRONG_RANDOM generator. It may also block if the +@@ -560,9 +562,13 @@ get_entropy (size_t nbytes) + entropy_collect_buffer_len = 0; + + #if USE_RNDLINUX ++ _gcry_rndlinux_gather_random (entropy_collect_cb, 0, ++ X931_AES_KEYLEN, ++ -1); ++ entropy_collect_buffer_len = 0; + rc = _gcry_rndlinux_gather_random (entropy_collect_cb, 0, + X931_AES_KEYLEN, +- GCRY_VERY_STRONG_RANDOM); ++ GCRY_STRONG_RANDOM); + #elif USE_RNDW32 + do + { +@@ -713,7 +719,7 @@ get_random (void *buffer, size_t length, + || rng_ctx->seed_init_pid != getpid ()) + { + /* Just reinitialize the key & seed. */ +- gcry_cipher_close(rng_ctx->cipher_hd); ++ _gcry_cipher_close(rng_ctx->cipher_hd); + rng_ctx->cipher_hd = NULL; + rng_ctx->is_seeded = 0; + goto reinitialize; +diff -up libgcrypt-1.6.1/random/rndlinux.c.cfgrandom libgcrypt-1.6.1/random/rndlinux.c +--- libgcrypt-1.6.1/random/rndlinux.c.cfgrandom 2013-12-16 18:44:32.000000000 +0100 ++++ libgcrypt-1.6.1/random/rndlinux.c 2014-02-28 16:06:20.027572501 +0100 +@@ -36,7 +36,9 @@ + #include "g10lib.h" + #include "rand-internal.h" + +-static int open_device (const char *name, int retry); ++#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed" ++ ++static int open_device (const char *name, int retry, int fatal); + + + static int +@@ -59,7 +61,7 @@ set_cloexec_flag (int fd) + * a fatal error but retries until it is able to reopen the device. + */ + static int +-open_device (const char *name, int retry) ++open_device (const char *name, int retry, int fatal) + { + int fd; + +@@ -67,6 +69,8 @@ open_device (const char *name, int retry + _gcry_random_progress ("open_dev_random", 'X', 1, 0); + again: + fd = open (name, O_RDONLY); ++ if (fd == -1 && !fatal) ++ return fd; + if (fd == -1 && retry) + { + struct timeval tv; +@@ -111,6 +115,7 @@ _gcry_rndlinux_gather_random (void (*add + { + static int fd_urandom = -1; + static int fd_random = -1; ++ static int fd_configured = -1; + static unsigned char ever_opened; + int fd; + int n; +@@ -134,6 +139,11 @@ _gcry_rndlinux_gather_random (void (*add + close (fd_urandom); + fd_urandom = -1; + } ++ if (fd_configured != -1) ++ { ++ close (fd_configured); ++ fd_configured = -1; ++ } + return 0; + } + +@@ -153,20 +163,30 @@ _gcry_rndlinux_gather_random (void (*add + that we always require the device to be existent but want a more + graceful behaviour if the rarely needed close operation has been + used and the device needs to be re-opened later. */ ++ ++ if (level == -1) ++ { ++ if (fd_configured == -1) ++ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0 ); ++ fd = fd_configured; ++ if (fd == -1) ++ return -1; ++ } ++ + if (level >= 2) + { + if (fd_random == -1) + { +- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1)); ++ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1); + ever_opened |= 1; + } + fd = fd_random; + } +- else ++ else if (level != -1) + { + if (fd_urandom == -1) + { +- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2)); ++ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1); + ever_opened |= 2; + } + fd = fd_urandom; diff --git a/libgcrypt-1.6.1-leak.patch b/libgcrypt-1.6.1-leak.patch new file mode 100644 index 0000000..df3cc08 --- /dev/null +++ b/libgcrypt-1.6.1-leak.patch @@ -0,0 +1,38 @@ +diff -up libgcrypt-1.6.1/cipher/primegen.c.leak libgcrypt-1.6.1/cipher/primegen.c +--- libgcrypt-1.6.1/cipher/primegen.c.leak 2014-02-28 15:06:24.394464790 +0100 ++++ libgcrypt-1.6.1/cipher/primegen.c 2014-02-28 15:09:22.938591664 +0100 +@@ -1204,10 +1204,7 @@ _gcry_prime_group_generator (gcry_mpi_t + gcry_mpi_t prime, gcry_mpi_t *factors, + gcry_mpi_t start_g) + { +- gcry_mpi_t tmp = mpi_new (0); +- gcry_mpi_t b = mpi_new (0); +- gcry_mpi_t pmin1 = mpi_new (0); +- gcry_mpi_t g = start_g? mpi_copy (start_g) : mpi_set_ui (NULL, 3); ++ gcry_mpi_t tmp, b, pmin1, g; + int first = 1; + int i, n; + +@@ -1220,6 +1217,11 @@ _gcry_prime_group_generator (gcry_mpi_t + if (n < 2) + return GPG_ERR_INV_ARG; + ++ tmp = mpi_new (0); ++ b = mpi_new (0); ++ pmin1 = mpi_new (0); ++ g = start_g? mpi_copy (start_g) : mpi_set_ui (NULL, 3); ++ + /* Extra sanity check - usually disabled. */ + /* mpi_set (tmp, factors[0]); */ + /* for(i = 1; i < n; i++) */ +diff -up libgcrypt-1.6.1/src/hmac256.c.leak libgcrypt-1.6.1/src/hmac256.c +--- libgcrypt-1.6.1/src/hmac256.c.leak 2013-12-16 18:44:32.000000000 +0100 ++++ libgcrypt-1.6.1/src/hmac256.c 2014-02-28 15:06:24.394464790 +0100 +@@ -427,7 +427,6 @@ _gcry_hmac256_finalize (hmac256_context_ + tmphd = _gcry_hmac256_new (NULL, 0); + if (!tmphd) + { +- free (hd); + return NULL; + } + _gcry_hmac256_update (tmphd, hd->opad, 64); diff --git a/libgcrypt-1.6.1-mpicoder-gccopt.patch b/libgcrypt-1.6.1-mpicoder-gccopt.patch new file mode 100644 index 0000000..12555d3 --- /dev/null +++ b/libgcrypt-1.6.1-mpicoder-gccopt.patch @@ -0,0 +1,104 @@ +diff -up libgcrypt-1.6.1/mpi/mpicoder.c.gccopt libgcrypt-1.6.1/mpi/mpicoder.c +--- libgcrypt-1.6.1/mpi/mpicoder.c.gccopt 2014-02-28 15:37:53.983139821 +0100 ++++ libgcrypt-1.6.1/mpi/mpicoder.c 2014-02-28 15:47:35.312576387 +0100 +@@ -627,16 +627,16 @@ _gcry_mpi_print (enum gcry_mpi_format fo + extra = 1; + } + +- if (buffer && n > len) +- { +- /* The provided buffer is too short. */ +- xfree (tmp); +- return GPG_ERR_TOO_SHORT; +- } + if (buffer) + { + unsigned char *s = buffer; + ++ if (n > len) ++ { ++ /* The provided buffer is too short. */ ++ xfree (tmp); ++ return GPG_ERR_TOO_SHORT; ++ } + if (extra == 1) + *s++ = 0; + else if (extra) +@@ -654,13 +654,12 @@ _gcry_mpi_print (enum gcry_mpi_format fo + /* Note: We ignore the sign for this format. */ + /* FIXME: for performance reasons we should put this into + mpi_aprint because we can then use the buffer directly. */ +- +- if (buffer && n > len) +- return GPG_ERR_TOO_SHORT; + if (buffer) + { + unsigned char *tmp; + ++ if (n > len) ++ return GPG_ERR_TOO_SHORT; + tmp = _gcry_mpi_get_buffer (a, 0, &n, NULL); + if (!tmp) + return gpg_err_code_from_syserror (); +@@ -678,14 +677,14 @@ _gcry_mpi_print (enum gcry_mpi_format fo + if (negative) + return GPG_ERR_INV_ARG; + +- if (buffer && n+2 > len) +- return GPG_ERR_TOO_SHORT; +- + if (buffer) + { + unsigned char *tmp; + unsigned char *s = buffer; + ++ if (n+2 > len) ++ return GPG_ERR_TOO_SHORT; ++ + s[0] = nbits >> 8; + s[1] = nbits; + +@@ -724,16 +723,16 @@ _gcry_mpi_print (enum gcry_mpi_format fo + extra=1; + } + +- if (buffer && n+4 > len) +- { +- xfree(tmp); +- return GPG_ERR_TOO_SHORT; +- } +- + if (buffer) + { + unsigned char *s = buffer; + ++ if (n+4 > len) ++ { ++ xfree(tmp); ++ return GPG_ERR_TOO_SHORT; ++ } ++ + *s++ = n >> 24; + *s++ = n >> 16; + *s++ = n >> 8; +@@ -761,15 +760,15 @@ _gcry_mpi_print (enum gcry_mpi_format fo + if (!n || (*tmp & 0x80)) + extra = 2; + +- if (buffer && 2*n + extra + negative + 1 > len) +- { +- xfree(tmp); +- return GPG_ERR_TOO_SHORT; +- } + if (buffer) + { + unsigned char *s = buffer; + ++ if (2*n + extra + negative + 1 > len) ++ { ++ xfree(tmp); ++ return GPG_ERR_TOO_SHORT; ++ } + if (negative) + *s++ = '-'; + if (extra) diff --git a/libgcrypt-1.6.1-tests.patch b/libgcrypt-1.6.1-tests.patch new file mode 100644 index 0000000..0c00458 --- /dev/null +++ b/libgcrypt-1.6.1-tests.patch @@ -0,0 +1,198 @@ +diff -up libgcrypt-1.6.1/cipher/dsa.c.tests libgcrypt-1.6.1/cipher/dsa.c +--- libgcrypt-1.6.1/cipher/dsa.c.tests 2014-02-28 13:39:01.727288335 +0100 ++++ libgcrypt-1.6.1/cipher/dsa.c 2014-02-28 13:46:21.727458285 +0100 +@@ -423,22 +423,29 @@ generate_fips186 (DSA_secret_key *sk, un + initial_seed.seed = sexp_nth_data (initial_seed.sexp, 1, + &initial_seed.seedlen); + } +- +- /* Fixme: Enable 186-3 after it has been approved and after fixing +- the generation function. */ +- /* if (use_fips186_2) */ +- (void)use_fips186_2; +- ec = _gcry_generate_fips186_2_prime (nbits, qbits, ++ if (use_fips186_2) ++ ec = _gcry_generate_fips186_2_prime (nbits, qbits, + initial_seed.seed, + initial_seed.seedlen, + &prime_q, &prime_p, + r_counter, + r_seed, r_seedlen); +- /* else */ +- /* ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, */ +- /* &prime_q, &prime_p, */ +- /* r_counter, */ +- /* r_seed, r_seedlen, NULL); */ ++ else if (!domain->p || !domain->q) ++ ec = _gcry_generate_fips186_3_prime (nbits, qbits, ++ initial_seed.seed, ++ initial_seed.seedlen, ++ &prime_q, &prime_p, ++ r_counter, ++ r_seed, r_seedlen, NULL); ++ else ++ { ++ /* Domain parameters p and q are given; use them. */ ++ prime_p = mpi_copy (domain->p); ++ prime_q = mpi_copy (domain->q); ++ gcry_assert (mpi_get_nbits (prime_p) == nbits); ++ gcry_assert (mpi_get_nbits (prime_q) == qbits); ++ ec = 0; ++ } + sexp_release (initial_seed.sexp); + if (ec) + goto leave; +@@ -829,13 +829,12 @@ dsa_generate (const gcry_sexp_t genparms + sexp_release (l1); + sexp_release (domainsexp); + +- /* Check that all domain parameters are available. */ +- if (!domain.p || !domain.q || !domain.g) ++ /* Check that p and q domain parameters are available. */ ++ if (!domain.p || !domain.q || (!domain.g && !(flags & PUBKEY_FLAG_USE_FIPS186))) + { + _gcry_mpi_release (domain.p); + _gcry_mpi_release (domain.q); + _gcry_mpi_release (domain.g); +- sexp_release (deriveparms); + return GPG_ERR_MISSING_VALUE; + } + +diff -up libgcrypt-1.6.1/cipher/primegen.c.tests libgcrypt-1.6.1/cipher/primegen.c +--- libgcrypt-1.6.1/cipher/primegen.c.tests 2014-01-29 10:48:38.000000000 +0100 ++++ libgcrypt-1.6.1/cipher/primegen.c 2014-02-28 13:49:52.291325147 +0100 +@@ -1649,7 +1649,7 @@ _gcry_generate_fips186_3_prime (unsigned + gpg_err_code_t ec; + unsigned char seed_help_buffer[256/8]; /* Used to hold a generated SEED. */ + unsigned char *seed_plus; /* Malloced buffer to hold SEED+x. */ +- unsigned char digest[256/8]; /* Helper buffer for SHA-1 digest. */ ++ unsigned char digest[256/8]; /* Helper buffer for SHA-x digest. */ + gcry_mpi_t val_2 = NULL; /* Helper for the prime test. */ + gcry_mpi_t tmpval = NULL; /* Helper variable. */ + int hashalgo; /* The id of the Approved Hash Function. */ +@@ -1739,7 +1739,7 @@ _gcry_generate_fips186_3_prime (unsigned + } + _gcry_mpi_release (prime_q); prime_q = NULL; + ec = _gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG, +- value_u, sizeof value_u, NULL); ++ value_u, qbits/8, NULL); + if (ec) + goto leave; + mpi_set_highbit (prime_q, qbits-1 ); +@@ -1784,11 +1784,11 @@ _gcry_generate_fips186_3_prime (unsigned + if (seed_plus[i]) + break; + } +- _gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen); ++ _gcry_md_hash_buffer (hashalgo, digest, seed_plus, seedlen); + + _gcry_mpi_release (tmpval); tmpval = NULL; + ec = _gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG, +- digest, sizeof digest, NULL); ++ digest, qbits/8, NULL); + if (ec) + goto leave; + if (value_j == value_n) +@@ -1824,11 +1824,11 @@ _gcry_generate_fips186_3_prime (unsigned + } + + /* Step 12: Save p, q, counter and seed. */ +- log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n", ++ /* log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n", + mpi_get_nbits (prime_p), mpi_get_nbits (prime_q), counter); + log_printhex ("fips186-3 seed", seed, seedlen); + log_printmpi ("fips186-3 p", prime_p); +- log_printmpi ("fips186-3 q", prime_q); ++ log_printmpi ("fips186-3 q", prime_q); */ + if (r_q) + { + *r_q = prime_q; +diff -up libgcrypt-1.6.1/cipher/rsa.c.tests libgcrypt-1.6.1/cipher/rsa.c +--- libgcrypt-1.6.1/cipher/rsa.c.tests 2014-01-29 08:49:49.000000000 +0100 ++++ libgcrypt-1.6.1/cipher/rsa.c 2014-02-28 13:39:01.727288335 +0100 +@@ -399,7 +399,7 @@ generate_x931 (RSA_secret_key *sk, unsig + + *swapped = 0; + +- if (e_value == 1) /* Alias for a secure value. */ ++ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */ + e_value = 65537; + + /* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */ +diff -up libgcrypt-1.6.1/random/random-fips.c.tests libgcrypt-1.6.1/random/random-fips.c +--- libgcrypt-1.6.1/random/random-fips.c.tests 2014-01-29 10:48:38.000000000 +0100 ++++ libgcrypt-1.6.1/random/random-fips.c 2014-02-28 13:39:01.727288335 +0100 +@@ -692,6 +692,7 @@ get_random (void *buffer, size_t length, + + check_guards (rng_ctx); + ++ reinitialize: + /* Initialize the cipher handle and thus setup the key if needed. */ + if (!rng_ctx->cipher_hd) + { +@@ -711,13 +712,11 @@ get_random (void *buffer, size_t length, + if (rng_ctx->key_init_pid != getpid () + || rng_ctx->seed_init_pid != getpid ()) + { +- /* We are in a child of us. Because we have no way yet to do +- proper re-initialization (including self-checks etc), the +- only chance we have is to bail out. Obviusly a fork/exec +- won't harm because the exec overwrites the old image. */ +- fips_signal_error ("fork without proper re-initialization " +- "detected in RNG"); +- goto bailout; ++ /* Just reinitialize the key & seed. */ ++ gcry_cipher_close(rng_ctx->cipher_hd); ++ rng_ctx->cipher_hd = NULL; ++ rng_ctx->is_seeded = 0; ++ goto reinitialize; + } + + if (x931_aes_driver (buffer, length, rng_ctx)) +diff -up libgcrypt-1.6.1/tests/keygen.c.tests libgcrypt-1.6.1/tests/keygen.c +--- libgcrypt-1.6.1/tests/keygen.c.tests 2014-02-28 13:39:01.728288358 +0100 ++++ libgcrypt-1.6.1/tests/keygen.c 2014-02-28 13:42:18.288831563 +0100 +@@ -215,11 +215,11 @@ check_rsa_keys (void) + + + if (verbose) +- show ("creating 512 bit RSA key with e=257\n"); ++ show ("creating 1024 bit RSA key with e=257\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (rsa\n" +- " (nbits 3:512)\n" ++ " (nbits 4:1024)\n" + " (rsa-use-e 3:257)\n" + " ))", 0, 1); + if (rc) +@@ -233,11 +233,11 @@ check_rsa_keys (void) + gcry_sexp_release (key); + + if (verbose) +- show ("creating 512 bit RSA key with default e\n"); ++ show ("creating 1024 bit RSA key with default e\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (rsa\n" +- " (nbits 3:512)\n" ++ " (nbits 4:1024)\n" + " (rsa-use-e 1:0)\n" + " ))", 0, 1); + if (rc) +@@ -307,12 +307,12 @@ check_dsa_keys (void) + } + + if (verbose) +- show ("creating 1536 bit DSA key\n"); ++ show ("creating 2048 bit DSA key\n"); + rc = gcry_sexp_new (&keyparm, + "(genkey\n" + " (dsa\n" +- " (nbits 4:1536)\n" +- " (qbits 3:224)\n" ++ " (nbits 4:2048)\n" ++ " (qbits 3:256)\n" + " ))", 0, 1); + if (rc) + die ("error creating S-expression: %s\n", gpg_strerror (rc)); diff --git a/libgcrypt-1.6.1-use-poll.patch b/libgcrypt-1.6.1-use-poll.patch new file mode 100644 index 0000000..2fcaebf --- /dev/null +++ b/libgcrypt-1.6.1-use-poll.patch @@ -0,0 +1,71 @@ +diff -up libgcrypt-1.6.1/random/rndlinux.c.use-poll libgcrypt-1.6.1/random/rndlinux.c +--- libgcrypt-1.6.1/random/rndlinux.c.use-poll 2014-02-28 15:17:55.294433915 +0100 ++++ libgcrypt-1.6.1/random/rndlinux.c 2014-02-28 15:34:52.505945274 +0100 +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + #include "types.h" + #include "g10lib.h" + #include "rand-internal.h" +@@ -199,9 +200,11 @@ _gcry_rndlinux_gather_random (void (*add + return with something we will actually use 100ms. */ + while (length) + { +- fd_set rfds; +- struct timeval tv; + int rc; ++ struct pollfd pfd; ++ ++ pfd.fd = fd; ++ pfd.events = POLLIN; + + /* If we collected some bytes update the progress indicator. We + do this always and not just if the select timed out because +@@ -215,33 +218,18 @@ _gcry_rndlinux_gather_random (void (*add + any_need_entropy = 1; + } + +- /* If the system has no limit on the number of file descriptors +- and we encounter an fd which is larger than the fd_set size, +- we don't use the select at all. The select code is only used +- to emit progress messages. A better solution would be to +- fall back to poll() if available. */ +-#ifdef FD_SETSIZE +- if (fd < FD_SETSIZE) +-#endif +- { +- FD_ZERO(&rfds); +- FD_SET(fd, &rfds); +- tv.tv_sec = delay; +- tv.tv_usec = delay? 0 : 100000; +- if ( !(rc=select(fd+1, &rfds, NULL, NULL, &tv)) ) +- { +- any_need_entropy = 1; +- delay = 3; /* Use 3 seconds henceforth. */ +- continue; +- } +- else if( rc == -1 ) +- { +- log_error ("select() error: %s\n", strerror(errno)); +- if (!delay) +- delay = 1; /* Use 1 second if we encounter an error before +- we have ever blocked. */ +- continue; +- } ++ if ( !(rc=poll(&pfd, 1, delay)) ) ++ { ++ delay = 3000; /* Use 3 seconds henceforth. */ ++ continue; ++ } ++ else if( rc == -1 ) ++ { ++ log_error ("poll() error: %s\n", strerror(errno)); ++ if (!delay) ++ delay = 1000; /* Use 1 second if we encounter an error before ++ we have ever blocked. */ ++ continue; + } + + do diff --git a/libgcrypt.spec b/libgcrypt.spec index cd41803..f2f1916 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt -Version: 1.5.3 -Release: 3%{?dist} +Version: 1.6.1 +Release: 1%{?dist} URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.xz # The original libgcrypt sources now contain potentially patented ECC @@ -11,34 +11,29 @@ Source0: libgcrypt-%{version}-hobbled.tar.xz #Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig Source2: wk@g10code.com Source3: hobble-libgcrypt -# Approved ECC support (from 1.5.3) -Source4: ecc.c +# Approved ECC support (from 1.6.1) +Source4: ecc-curves.c Source5: curves.c +Source6: t-mpi-point.c # make FIPS hmac compatible with fipscheck - non upstreamable Patch2: libgcrypt-1.5.0-use-fipscheck.patch # fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen -Patch5: libgcrypt-1.5.0-tests.patch +Patch5: libgcrypt-1.6.1-tests.patch # add configurable source of RNG seed and seed by default # from /dev/urandom in the FIPS mode -Patch6: libgcrypt-1.5.0-fips-cfgrandom.patch +Patch6: libgcrypt-1.6.1-fips-cfgrandom.patch # make the FIPS-186-3 DSA CAVS testable -Patch7: libgcrypt-1.5.0-fips-cavs.patch +Patch7: libgcrypt-1.6.1-fips-cavs.patch # fix for memory leaks an other errors found by Coverity scan -Patch9: libgcrypt-1.5.0-leak.patch +Patch9: libgcrypt-1.6.1-leak.patch # use poll instead of select when gathering randomness -Patch11: libgcrypt-1.5.1-use-poll.patch +Patch11: libgcrypt-1.6.1-use-poll.patch # compile rijndael with -fno-strict-aliasing Patch12: libgcrypt-1.5.2-aliasing.patch # slight optimalization of mpicoder.c to silence Valgrind (#968288) -Patch13: libgcrypt-1.5.2-mpicoder-gccopt.patch +Patch13: libgcrypt-1.6.1-mpicoder-gccopt.patch # fix tests to work with approved ECC -Patch14: libgcrypt-1.5.3-ecc-test-fix.patch -# pbkdf2 speedup - upstream -Patch15: libgcrypt-1.5.3-pbkdf-speedup.patch -# fix bug in whirlpool implementation (for backwards compatibility -# with files generated with buggy version set environment -# varible GCRYPT_WHIRLPOOL_BUG -Patch16: libgcrypt-1.5.3-whirlpool-bug.patch +Patch14: libgcrypt-1.6.1-ecc-test-fix.patch %define gcrylibdir %{_libdir} @@ -80,14 +75,11 @@ applications using libgcrypt. %patch7 -p1 -b .cavs %patch9 -p1 -b .leak %patch11 -p1 -b .use-poll -%patch12 -p1 -b .aliasing +#%patch12 -p1 -b .aliasing %patch13 -p1 -b .gccopt %patch14 -p1 -b .eccfix -%patch15 -p1 -b .pbkdf-speedup -%patch16 -p1 -b .whirlpool-bug cp %{SOURCE4} cipher/ -rm -rf tests/curves.c -cp %{SOURCE5} tests/curves.c +cp %{SOURCE5} %{SOURCE6} tests/ %build %configure --disable-static \ @@ -98,6 +90,7 @@ cp %{SOURCE5} tests/curves.c --enable-hmac-binary-check \ --enable-pubkey-ciphers='dsa elgamal rsa ecc' \ --disable-O-flag-munging +sed -i -e '/^sys_lib_dlsearch_path_spec/s,/lib /usr/lib,/usr/lib /lib64 /usr/lib64 /lib,g' libtool make %{?_smp_mflags} %check @@ -147,8 +140,11 @@ popd # Add soname symlink. /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}/ + %endif +# temporary compat library for buildroots +install %{gcrylibdir}/libgcrypt.so.11.*.* $RPM_BUILD_ROOT/%{_libdir} # Create /etc/gcrypt (hardwired, not dependent on the configure invocation) so # that _someone_ owns it. @@ -181,14 +177,20 @@ exit 0 %{_bindir}/%{name}-config %{_bindir}/dumpsexp %{_bindir}/hmac256 +%{_bindir}/mpicalc %{_includedir}/* %{_libdir}/*.so %{_datadir}/aclocal/* +%{_mandir}/man1/* %{_infodir}/gcrypt.info* %doc COPYING %changelog +* Fri Feb 28 2014 Tomáš Mráz 1.6.1-1 +- new upstream version breaking ABI compatibility +- this release temporarily includes old compatibility .so + * Tue Jan 21 2014 Tomáš Mráz 1.5.3-3 - add back the nistp521r1 EC curve - fix a bug in the Whirlpool hash implementation diff --git a/t-mpi-point.c b/t-mpi-point.c new file mode 100644 index 0000000..2c977c5 --- /dev/null +++ b/t-mpi-point.c @@ -0,0 +1,970 @@ +/* t-mpi-point.c - Tests for mpi point functions + * Copyright (C) 2013 g10 Code GmbH + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +#ifdef HAVE_CONFIG_H +# include +#endif +#include +#include +#include +#include +#include + +#include "../src/gcrypt-int.h" + +#define PGM "t-mpi-point" + +static const char *wherestr; +static int verbose; +static int debug; +static int error_count; + + +#define my_isascii(c) (!((c) & 0x80)) +#define digitp(p) (*(p) >= '0' && *(p) <= '9') +#define hexdigitp(a) (digitp (a) \ + || (*(a) >= 'A' && *(a) <= 'F') \ + || (*(a) >= 'a' && *(a) <= 'f')) +#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \ + *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10)) +#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1)) +#define xmalloc(a) gcry_xmalloc ((a)) +#define xcalloc(a,b) gcry_xcalloc ((a),(b)) +#define xfree(a) gcry_free ((a)) +#define pass() do { ; } while (0) + + +static struct +{ + const char *desc; /* Description of the curve. */ + const char *p; /* Order of the prime field. */ + const char *a, *b; /* The coefficients. */ + const char *n; /* The order of the base point. */ + const char *g_x, *g_y; /* Base point. */ +} test_curve[] = + { + { + "NIST P-256", + "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc", + "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", + "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + + "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" + }, + { + "NIST P-384", + "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" + "ffffffff0000000000000000ffffffff", + "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" + "ffffffff0000000000000000fffffffc", + "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a" + "c656398d8a2ed19d2a85c8edd3ec2aef", + "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf" + "581a0db248b0a77aecec196accc52973", + + "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" + "5502f25dbf55296c3a545e3872760ab7", + "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" + "0a60b1ce1d7e819d7a431d7c90ea0e5f" + }, + { + "NIST P-521", + "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", + "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10" + "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", + "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", + + "0xc6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3d" + "baa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", + "0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e6" + "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650" + }, + { + "Ed25519", + "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", + "-0x01", + "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A", + "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", + "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", + "0x6666666666666666666666666666666666666666666666666666666666666658" + }, + { NULL, NULL, NULL, NULL, NULL } + }; + +/* A sample public key for NIST P-256. */ +static const char sample_p256_q[] = + "04" + "42B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146E" + "E86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E"; +static const char sample_p256_q_x[] = + "42B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146E"; +static const char sample_p256_q_y[] = + "00E86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E"; + + +/* A sample public key for Ed25519. */ +static const char sample_ed25519_q[] = + "04" + "55d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce" + "1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7"; +static const char sample_ed25519_q_x[] = + "55d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce"; +static const char sample_ed25519_q_y[] = + "1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7"; +static const char sample_ed25519_q_eddsa[] = + "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"; +static const char sample_ed25519_d[] = + "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"; + + +static void +show (const char *format, ...) +{ + va_list arg_ptr; + + if (!verbose) + return; + fprintf (stderr, "%s: ", PGM); + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); +} + +static void +fail (const char *format, ...) +{ + va_list arg_ptr; + + fflush (stdout); + fprintf (stderr, "%s: ", PGM); + if (wherestr) + fprintf (stderr, "%s: ", wherestr); + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); + error_count++; +} + +static void +die (const char *format, ...) +{ + va_list arg_ptr; + + fflush (stdout); + fprintf (stderr, "%s: ", PGM); + if (wherestr) + fprintf (stderr, "%s: ", wherestr); + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); + exit (1); +} + + +static void +print_mpi_2 (const char *text, const char *text2, gcry_mpi_t a) +{ + gcry_error_t err; + char *buf; + void *bufaddr = &buf; + + err = gcry_mpi_aprint (GCRYMPI_FMT_HEX, bufaddr, NULL, a); + if (err) + fprintf (stderr, "%s%s: [error printing number: %s]\n", + text, text2? text2:"", gpg_strerror (err)); + else + { + fprintf (stderr, "%s%s: %s\n", text, text2? text2:"", buf); + gcry_free (buf); + } +} + + +static void +print_mpi (const char *text, gcry_mpi_t a) +{ + print_mpi_2 (text, NULL, a); +} + + +static void +print_point (const char *text, gcry_mpi_point_t a) +{ + gcry_mpi_t x, y, z; + + x = gcry_mpi_new (0); + y = gcry_mpi_new (0); + z = gcry_mpi_new (0); + gcry_mpi_point_get (x, y, z, a); + print_mpi_2 (text, ".x", x); + print_mpi_2 (text, ".y", y); + print_mpi_2 (text, ".z", z); + gcry_mpi_release (x); + gcry_mpi_release (y); + gcry_mpi_release (z); +} + + +static void +print_sexp (const char *prefix, gcry_sexp_t a) +{ + char *buf; + size_t size; + + if (prefix) + fputs (prefix, stderr); + size = gcry_sexp_sprint (a, GCRYSEXP_FMT_ADVANCED, NULL, 0); + buf = gcry_xmalloc (size); + + gcry_sexp_sprint (a, GCRYSEXP_FMT_ADVANCED, buf, size); + fprintf (stderr, "%.*s", (int)size, buf); + gcry_free (buf); +} + + +static gcry_mpi_t +hex2mpi (const char *string) +{ + gpg_error_t err; + gcry_mpi_t val; + + err = gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL); + if (err) + die ("hex2mpi '%s' failed: %s\n", string, gpg_strerror (err)); + return val; +} + + +/* Convert STRING consisting of hex characters into its binary + representation and return it as an allocated buffer. The valid + length of the buffer is returned at R_LENGTH. The string is + delimited by end of string. The function returns NULL on + error. */ +static void * +hex2buffer (const char *string, size_t *r_length) +{ + const char *s; + unsigned char *buffer; + size_t length; + + buffer = xmalloc (strlen(string)/2+1); + length = 0; + for (s=string; *s; s +=2 ) + { + if (!hexdigitp (s) || !hexdigitp (s+1)) + return NULL; /* Invalid hex digits. */ + ((unsigned char*)buffer)[length++] = xtoi_2 (s); + } + *r_length = length; + return buffer; +} + + +static gcry_mpi_t +hex2mpiopa (const char *string) +{ + char *buffer; + size_t buflen; + gcry_mpi_t val; + + buffer = hex2buffer (string, &buflen); + if (!buffer) + die ("hex2mpiopa '%s' failed: parser error\n", string); + val = gcry_mpi_set_opaque (NULL, buffer, buflen*8); + if (!buffer) + die ("hex2mpiopa '%s' failed: set_opaque error%s\n", string); + return val; +} + + +/* Compare A to B, where B is given as a hex string. */ +static int +cmp_mpihex (gcry_mpi_t a, const char *b) +{ + gcry_mpi_t bval; + int res; + + if (gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE)) + bval = hex2mpiopa (b); + else + bval = hex2mpi (b); + res = gcry_mpi_cmp (a, bval); + gcry_mpi_release (bval); + return res; +} + + +/* Wrapper to emulate the libgcrypt internal EC context allocation + function. */ +static gpg_error_t +ec_p_new (gcry_ctx_t *r_ctx, gcry_mpi_t p, gcry_mpi_t a) +{ + gpg_error_t err; + gcry_sexp_t sexp; + + if (p && a) + err = gcry_sexp_build (&sexp, NULL, "(ecdsa (p %m)(a %m))", p, a); + else if (p) + err = gcry_sexp_build (&sexp, NULL, "(ecdsa (p %m))", p); + else if (a) + err = gcry_sexp_build (&sexp, NULL, "(ecdsa (a %m))", a); + else + err = gcry_sexp_build (&sexp, NULL, "(ecdsa)"); + if (err) + return err; + err = gcry_mpi_ec_new (r_ctx, sexp, NULL); + gcry_sexp_release (sexp); + return err; +} + + + +static void +set_get_point (void) +{ + gcry_mpi_point_t point; + gcry_mpi_t x, y, z; + + wherestr = "set_get_point"; + show ("checking point setting functions\n"); + + point = gcry_mpi_point_new (0); + x = gcry_mpi_set_ui (NULL, 17); + y = gcry_mpi_set_ui (NULL, 42); + z = gcry_mpi_set_ui (NULL, 11371); + gcry_mpi_point_get (x, y, z, point); + if (gcry_mpi_cmp_ui (x, 0) + || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0)) + fail ("new point not initialized to (0,0,0)\n"); + gcry_mpi_point_snatch_get (x, y, z, point); + point = NULL; + if (gcry_mpi_cmp_ui (x, 0) + || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0)) + fail ("snatch_get failed\n"); + gcry_mpi_release (x); + gcry_mpi_release (y); + gcry_mpi_release (z); + + point = gcry_mpi_point_new (0); + x = gcry_mpi_set_ui (NULL, 17); + y = gcry_mpi_set_ui (NULL, 42); + z = gcry_mpi_set_ui (NULL, 11371); + gcry_mpi_point_set (point, x, y, z); + gcry_mpi_set_ui (x, 23); + gcry_mpi_set_ui (y, 24); + gcry_mpi_set_ui (z, 25); + gcry_mpi_point_get (x, y, z, point); + if (gcry_mpi_cmp_ui (x, 17) + || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) + fail ("point_set/point_get failed\n"); + gcry_mpi_point_snatch_set (point, x, y, z); + x = gcry_mpi_new (0); + y = gcry_mpi_new (0); + z = gcry_mpi_new (0); + gcry_mpi_point_get (x, y, z, point); + if (gcry_mpi_cmp_ui (x, 17) + || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) + fail ("point_snatch_set/point_get failed\n"); + + gcry_mpi_point_release (point); + gcry_mpi_release (x); + gcry_mpi_release (y); + gcry_mpi_release (z); +} + + +static void +context_alloc (void) +{ + gpg_error_t err; + gcry_ctx_t ctx; + gcry_mpi_t p, a; + + wherestr = "context_alloc"; + show ("checking context functions\n"); + + p = gcry_mpi_set_ui (NULL, 1); + a = gcry_mpi_set_ui (NULL, 1); + err = ec_p_new (&ctx, p, a); + if (err) + die ("ec_p_new returned an error: %s\n", gpg_strerror (err)); + gcry_mpi_release (p); + gcry_mpi_release (a); + gcry_ctx_release (ctx); + + p = gcry_mpi_set_ui (NULL, 0); + a = gcry_mpi_set_ui (NULL, 0); + err = ec_p_new (&ctx, p, a); + if (!err || gpg_err_code (err) != GPG_ERR_EINVAL) + fail ("ec_p_new: bad parameter detection failed (1)\n"); + + gcry_mpi_set_ui (p, 1); + err = ec_p_new (&ctx, p, a); + if (!err || gpg_err_code (err) != GPG_ERR_EINVAL) + fail ("ec_p_new: bad parameter detection failed (2)\n"); + + gcry_mpi_release (p); + p = NULL; + err = ec_p_new (&ctx, p, a); + if (!err || gpg_err_code (err) != GPG_ERR_EINVAL) + fail ("ec_p_new: bad parameter detection failed (3)\n"); + + gcry_mpi_release (a); + a = NULL; + err = ec_p_new (&ctx, p, a); + if (!err || gpg_err_code (err) != GPG_ERR_EINVAL) + fail ("ec_p_new: bad parameter detection failed (4)\n"); + +} + + +static int +get_and_cmp_mpi (const char *name, const char *mpistring, const char *desc, + gcry_ctx_t ctx) +{ + gcry_mpi_t mpi; + + mpi = gcry_mpi_ec_get_mpi (name, ctx, 1); + if (!mpi) + { + fail ("error getting parameter '%s' of curve '%s'\n", name, desc); + return 1; + } + if (debug) + print_mpi (name, mpi); + if (cmp_mpihex (mpi, mpistring)) + { + fail ("parameter '%s' of curve '%s' does not match\n", name, desc); + gcry_mpi_release (mpi); + return 1; + } + gcry_mpi_release (mpi); + return 0; +} + + +static int +get_and_cmp_point (const char *name, + const char *mpi_x_string, const char *mpi_y_string, + const char *desc, gcry_ctx_t ctx) +{ + gcry_mpi_point_t point; + gcry_mpi_t x, y, z; + int result = 0; + + point = gcry_mpi_ec_get_point (name, ctx, 1); + if (!point) + { + fail ("error getting point parameter '%s' of curve '%s'\n", name, desc); + return 1; + } + if (debug) + print_point (name, point); + + x = gcry_mpi_new (0); + y = gcry_mpi_new (0); + z = gcry_mpi_new (0); + gcry_mpi_point_snatch_get (x, y, z, point); + if (cmp_mpihex (x, mpi_x_string)) + { + fail ("x coordinate of '%s' of curve '%s' does not match\n", name, desc); + result = 1; + } + if (cmp_mpihex (y, mpi_y_string)) + { + fail ("y coordinate of '%s' of curve '%s' does not match\n", name, desc); + result = 1; + } + if (cmp_mpihex (z, "01")) + { + fail ("z coordinate of '%s' of curve '%s' is not 1\n", name, desc); + result = 1; + } + gcry_mpi_release (x); + gcry_mpi_release (y); + gcry_mpi_release (z); + return result; +} + + +static void +context_param (void) +{ + gpg_error_t err; + int idx; + gcry_ctx_t ctx = NULL; + gcry_mpi_t q, d; + gcry_sexp_t keyparam; + + wherestr = "context_param"; + + show ("checking standard curves\n"); + for (idx=0; test_curve[idx].desc; idx++) + { + gcry_ctx_release (ctx); + err = gcry_mpi_ec_new (&ctx, NULL, test_curve[idx].desc); + if (err) + { + fail ("can't create context for curve '%s': %s\n", + test_curve[idx].desc, gpg_strerror (err)); + continue; + } + if (get_and_cmp_mpi ("p", test_curve[idx].p, test_curve[idx].desc, ctx)) + continue; + if (get_and_cmp_mpi ("a", test_curve[idx].a, test_curve[idx].desc, ctx)) + continue; + if (get_and_cmp_mpi ("b", test_curve[idx].b, test_curve[idx].desc, ctx)) + continue; + if (get_and_cmp_mpi ("g.x",test_curve[idx].g_x, test_curve[idx].desc,ctx)) + continue; + if (get_and_cmp_mpi ("g.y",test_curve[idx].g_y, test_curve[idx].desc,ctx)) + continue; + if (get_and_cmp_mpi ("n", test_curve[idx].n, test_curve[idx].desc, ctx)) + continue; + if (get_and_cmp_point ("g", test_curve[idx].g_x, test_curve[idx].g_y, + test_curve[idx].desc, ctx)) + continue; + + } + + show ("checking sample public key (nistp256)\n"); + q = hex2mpi (sample_p256_q); + err = gcry_sexp_build (&keyparam, NULL, + "(public-key(ecc(curve %s)(q %m)))", + "NIST P-256", q); + if (err) + die ("gcry_sexp_build failed: %s\n", gpg_strerror (err)); + gcry_mpi_release (q); + + /* We can't call gcry_pk_testkey because it is only implemented for + private keys. */ + /* err = gcry_pk_testkey (keyparam); */ + /* if (err) */ + /* fail ("gcry_pk_testkey failed for sample public key: %s\n", */ + /* gpg_strerror (err)); */ + + gcry_ctx_release (ctx); + err = gcry_mpi_ec_new (&ctx, keyparam, NULL); + if (err) + fail ("gcry_mpi_ec_new failed for sample public key (nistp256): %s\n", + gpg_strerror (err)); + else + { + gcry_sexp_t sexp; + + get_and_cmp_mpi ("q", sample_p256_q, "nistp256", ctx); + get_and_cmp_point ("q", sample_p256_q_x, sample_p256_q_y, "nistp256", + ctx); + + /* Delete Q. */ + err = gcry_mpi_ec_set_mpi ("q", NULL, ctx); + if (err) + fail ("clearing Q for nistp256 failed: %s\n", gpg_strerror (err)); + if (gcry_mpi_ec_get_mpi ("q", ctx, 0)) + fail ("clearing Q for nistp256 did not work\n"); + + /* Set Q again. */ + q = hex2mpi (sample_p256_q); + err = gcry_mpi_ec_set_mpi ("q", q, ctx); + if (err) + fail ("setting Q for nistp256 failed: %s\n", gpg_strerror (err)); + get_and_cmp_mpi ("q", sample_p256_q, "nistp256(2)", ctx); + gcry_mpi_release (q); + + /* Get as s-expression. */ + err = gcry_pubkey_get_sexp (&sexp, 0, ctx); + if (err) + fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err)); + else if (debug) + print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp); + gcry_sexp_release (sexp); + + err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx); + if (err) + fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n", + gpg_strerror (err)); + else if (debug) + print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp); + gcry_sexp_release (sexp); + + err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx); + if (gpg_err_code (err) != GPG_ERR_NO_SECKEY) + fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n", + gpg_strerror (err)); + gcry_sexp_release (sexp); + } + + show ("checking sample public key (Ed25519)\n"); + q = hex2mpi (sample_ed25519_q); + gcry_sexp_release (keyparam); + err = gcry_sexp_build (&keyparam, NULL, + "(public-key(ecc(curve %s)(flags eddsa)(q %m)))", + "Ed25519", q); + if (err) + die ("gcry_sexp_build failed: %s\n", gpg_strerror (err)); + gcry_mpi_release (q); + + /* We can't call gcry_pk_testkey because it is only implemented for + private keys. */ + /* err = gcry_pk_testkey (keyparam); */ + /* if (err) */ + /* fail ("gcry_pk_testkey failed for sample public key: %s\n", */ + /* gpg_strerror (err)); */ + + gcry_ctx_release (ctx); + err = gcry_mpi_ec_new (&ctx, keyparam, NULL); + if (err) + fail ("gcry_mpi_ec_new failed for sample public key: %s\n", + gpg_strerror (err)); + else + { + gcry_sexp_t sexp; + + get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519", ctx); + get_and_cmp_point ("q", sample_ed25519_q_x, sample_ed25519_q_y, + "Ed25519", ctx); + get_and_cmp_mpi ("q@eddsa", sample_ed25519_q_eddsa, "Ed25519", ctx); + + /* Set d to see whether Q is correctly re-computed. */ + d = hex2mpi (sample_ed25519_d); + err = gcry_mpi_ec_set_mpi ("d", d, ctx); + if (err) + fail ("setting d for Ed25519 failed: %s\n", gpg_strerror (err)); + gcry_mpi_release (d); + get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519(recompute Q)", ctx); + + /* Delete Q by setting d and then clearing d. The clearing is + required so that we can check whether Q has been cleared and + because further tests only expect a public key. */ + d = hex2mpi (sample_ed25519_d); + err = gcry_mpi_ec_set_mpi ("d", d, ctx); + if (err) + fail ("setting d for Ed25519 failed: %s\n", gpg_strerror (err)); + gcry_mpi_release (d); + err = gcry_mpi_ec_set_mpi ("d", NULL, ctx); + if (err) + fail ("setting d for Ed25519 failed(2): %s\n", gpg_strerror (err)); + if (gcry_mpi_ec_get_mpi ("q", ctx, 0)) + fail ("setting d for Ed25519 did not reset Q\n"); + + /* Set Q again. We need to use an opaque MPI here because + sample_ed25519_q is in uncompressed format which can only be + auto-detected if passed opaque. */ + q = hex2mpiopa (sample_ed25519_q); + err = gcry_mpi_ec_set_mpi ("q", q, ctx); + if (err) + fail ("setting Q for Ed25519 failed: %s\n", gpg_strerror (err)); + gcry_mpi_release (q); + get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519(2)", ctx); + + /* Get as s-expression. */ + err = gcry_pubkey_get_sexp (&sexp, 0, ctx); + if (err) + fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err)); + else if (debug) + print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp); + gcry_sexp_release (sexp); + + err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx); + if (err) + fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n", + gpg_strerror (err)); + else if (debug) + print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp); + gcry_sexp_release (sexp); + + err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx); + if (gpg_err_code (err) != GPG_ERR_NO_SECKEY) + fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n", + gpg_strerror (err)); + gcry_sexp_release (sexp); + + } + + gcry_ctx_release (ctx); + gcry_sexp_release (keyparam); +} + + + + +/* Create a new point from (X,Y,Z) given as hex strings. */ +gcry_mpi_point_t +make_point (const char *x, const char *y, const char *z) +{ + gcry_mpi_point_t point; + + point = gcry_mpi_point_new (0); + gcry_mpi_point_snatch_set (point, hex2mpi (x), hex2mpi (y), hex2mpi (z)); + + return point; +} + + +/* This tests checks that the low-level EC API yields the same result + as using the high level API. The values have been taken from a + test run using the high level API. */ +static void +basic_ec_math (void) +{ + gpg_error_t err; + gcry_ctx_t ctx; + gcry_mpi_t P, A; + gcry_mpi_point_t G, Q; + gcry_mpi_t d; + gcry_mpi_t x, y, z; + + wherestr = "basic_ec_math"; + show ("checking basic math functions for EC\n"); + + P = hex2mpi ("0xfffffffffffffffffffffffffffffffeffffffffffffffff"); + A = hex2mpi ("0xfffffffffffffffffffffffffffffffefffffffffffffffc"); + G = make_point ("188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", + "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811", + "1"); + d = hex2mpi ("D4EF27E32F8AD8E2A1C6DDEBB1D235A69E3CEF9BCE90273D"); + Q = gcry_mpi_point_new (0); + + err = ec_p_new (&ctx, P, A); + if (err) + die ("ec_p_new failed: %s\n", gpg_strerror (err)); + + x = gcry_mpi_new (0); + y = gcry_mpi_new (0); + z = gcry_mpi_new (0); + + { + /* A quick check that multiply by zero works. */ + gcry_mpi_t tmp; + + tmp = gcry_mpi_new (0); + gcry_mpi_ec_mul (Q, tmp, G, ctx); + gcry_mpi_release (tmp); + gcry_mpi_point_get (x, y, z, Q); + if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 0) + || gcry_mpi_cmp_ui (z, 0)) + fail ("multiply a point by zero failed\n"); + } + + gcry_mpi_ec_mul (Q, d, G, ctx); + gcry_mpi_point_get (x, y, z, Q); + if (cmp_mpihex (x, "222D9EC717C89D047E0898C9185B033CD11C0A981EE6DC66") + || cmp_mpihex (y, "605DE0A82D70D3E0F84A127D0739ED33D657DF0D054BFDE8") + || cmp_mpihex (z, "00B06B519071BC536999AC8F2D3934B3C1FC9EACCD0A31F88F")) + fail ("computed public key does not match\n"); + if (debug) + { + print_mpi ("Q.x", x); + print_mpi ("Q.y", y); + print_mpi ("Q.z", z); + } + + if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) + fail ("failed to get affine coordinates\n"); + if (cmp_mpihex (x, "008532093BA023F4D55C0424FA3AF9367E05F309DC34CDC3FE") + || cmp_mpihex (y, "00C13CA9E617C6C8487BFF6A726E3C4F277913D97117939966")) + fail ("computed affine coordinates of public key do not match\n"); + if (debug) + { + print_mpi ("q.x", x); + print_mpi ("q.y", y); + } + + gcry_mpi_release (z); + gcry_mpi_release (y); + gcry_mpi_release (x); + gcry_mpi_point_release (Q); + gcry_mpi_release (d); + gcry_mpi_point_release (G); + gcry_mpi_release (A); + gcry_mpi_release (P); + gcry_ctx_release (ctx); +} + + +/* Check the math used with Twisted Edwards curves. */ +static void +twistededwards_math (void) +{ + gpg_error_t err; + gcry_ctx_t ctx; + gcry_mpi_point_t G, Q; + gcry_mpi_t k; + gcry_mpi_t w, a, x, y, z, p, n, b, I; + + wherestr = "twistededwards_math"; + show ("checking basic Twisted Edwards math\n"); + + err = gcry_mpi_ec_new (&ctx, NULL, "Ed25519"); + if (err) + die ("gcry_mpi_ec_new failed: %s\n", gpg_strerror (err)); + + k = hex2mpi + ("2D3501E723239632802454EE5DDC406EFB0BDF18486A5BDE9C0390A9C2984004" + "F47252B628C953625B8DEB5DBCB8DA97AA43A1892D11FA83596F42E0D89CB1B6"); + G = gcry_mpi_ec_get_point ("g", ctx, 1); + if (!G) + die ("gcry_mpi_ec_get_point(G) failed\n"); + Q = gcry_mpi_point_new (0); + + + w = gcry_mpi_new (0); + a = gcry_mpi_new (0); + x = gcry_mpi_new (0); + y = gcry_mpi_new (0); + z = gcry_mpi_new (0); + I = gcry_mpi_new (0); + p = gcry_mpi_ec_get_mpi ("p", ctx, 1); + n = gcry_mpi_ec_get_mpi ("n", ctx, 1); + b = gcry_mpi_ec_get_mpi ("b", ctx, 1); + + /* Check: 2^{p-1} mod p == 1 */ + gcry_mpi_sub_ui (a, p, 1); + gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, p); + if (gcry_mpi_cmp_ui (w, 1)) + fail ("failed assertion: 2^{p-1} mod p == 1\n"); + + /* Check: p % 4 == 1 */ + gcry_mpi_mod (w, p, GCRYMPI_CONST_FOUR); + if (gcry_mpi_cmp_ui (w, 1)) + fail ("failed assertion: p % 4 == 1\n"); + + /* Check: 2^{n-1} mod n == 1 */ + gcry_mpi_sub_ui (a, n, 1); + gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, n); + if (gcry_mpi_cmp_ui (w, 1)) + fail ("failed assertion: 2^{n-1} mod n == 1\n"); + + /* Check: b^{(p-1)/2} mod p == p-1 */ + gcry_mpi_sub_ui (a, p, 1); + gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_TWO, -1); + gcry_mpi_powm (w, b, x, p); + gcry_mpi_abs (w); + if (gcry_mpi_cmp (w, a)) + fail ("failed assertion: b^{(p-1)/2} mod p == p-1\n"); + + /* I := 2^{(p-1)/4} mod p */ + gcry_mpi_sub_ui (a, p, 1); + gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_FOUR, -1); + gcry_mpi_powm (I, GCRYMPI_CONST_TWO, x, p); + + /* Check: I^2 mod p == p-1 */ + gcry_mpi_powm (w, I, GCRYMPI_CONST_TWO, p); + if (gcry_mpi_cmp (w, a)) + fail ("failed assertion: I^2 mod p == p-1\n"); + + /* Check: G is on the curve */ + if (!gcry_mpi_ec_curve_point (G, ctx)) + fail ("failed assertion: G is on the curve\n"); + + /* Check: nG == (0,1) */ + gcry_mpi_ec_mul (Q, n, G, ctx); + if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) + fail ("failed to get affine coordinates\n"); + if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 1)) + fail ("failed assertion: nG == (0,1)\n"); + + /* Now two arbitrary point operations taken from the ed25519.py + sample data. */ + gcry_mpi_release (a); + a = hex2mpi + ("4f71d012df3c371af3ea4dc38385ca5bb7272f90cb1b008b3ed601c76de1d496" + "e30cbf625f0a756a678d8f256d5325595cccc83466f36db18f0178eb9925edd3"); + gcry_mpi_ec_mul (Q, a, G, ctx); + if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) + fail ("failed to get affine coordinates\n"); + if (cmp_mpihex (x, ("157f7361c577aad36f67ed33e38dc7be" + "00014fecc2165ca5cee9eee19fe4d2c1")) + || cmp_mpihex (y, ("5a69dbeb232276b38f3f5016547bb2a2" + "4025645f0b820e72b8cad4f0a909a092"))) + { + fail ("sample point multiply failed:\n"); + print_mpi ("r", a); + print_mpi ("Rx", x); + print_mpi ("Ry", y); + } + + gcry_mpi_release (a); + a = hex2mpi + ("2d3501e723239632802454ee5ddc406efb0bdf18486a5bde9c0390a9c2984004" + "f47252b628c953625b8deb5dbcb8da97aa43a1892d11fa83596f42e0d89cb1b6"); + gcry_mpi_ec_mul (Q, a, G, ctx); + if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) + fail ("failed to get affine coordinates\n"); + if (cmp_mpihex (x, ("6218e309d40065fcc338b3127f468371" + "82324bd01ce6f3cf81ab44e62959c82a")) + || cmp_mpihex (y, ("5501492265e073d874d9e5b81e7f8784" + "8a826e80cce2869072ac60c3004356e5"))) + { + fail ("sample point multiply failed:\n"); + print_mpi ("r", a); + print_mpi ("Rx", x); + print_mpi ("Ry", y); + } + + + gcry_mpi_release (I); + gcry_mpi_release (b); + gcry_mpi_release (n); + gcry_mpi_release (p); + gcry_mpi_release (w); + gcry_mpi_release (a); + gcry_mpi_release (x); + gcry_mpi_release (y); + gcry_mpi_release (z); + gcry_mpi_point_release (Q); + gcry_mpi_point_release (G); + gcry_mpi_release (k); + gcry_ctx_release (ctx); +} + + +int +main (int argc, char **argv) +{ + + if (argc > 1 && !strcmp (argv[1], "--verbose")) + verbose = 1; + else if (argc > 1 && !strcmp (argv[1], "--debug")) + verbose = debug = 1; + + if (!gcry_check_version (GCRYPT_VERSION)) + die ("version mismatch\n"); + + gcry_control (GCRYCTL_DISABLE_SECMEM, 0); + gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + if (debug) + gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + + set_get_point (); + context_alloc (); + context_param (); + basic_ec_math (); + twistededwards_math (); + + show ("All tests completed. Errors: %d\n", error_count); + return error_count ? 1 : 0; +}