[libgcrypt] new upstream version breaking ABI compatibility
Tomáš Mráz
tmraz at fedoraproject.org
Fri Feb 28 15:31:53 UTC 2014
commit 247b2115d1358ccc7022ddefa593eb2e35aadce5
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri Feb 28 16:32:41 2014 +0100
new upstream version breaking ABI compatibility
- this release temporarily includes old compatibility .so
curves.c | 4 +-
ecc-curves.c | 1007 ++++++++++++
ecc.c | 1677 --------------------
hobble-libgcrypt | 4 +-
libgcrypt-1.5.0-leak.patch | 73 -
libgcrypt-1.5.0-noecc.patch | 12 -
libgcrypt-1.5.0-tests.patch | 214 ---
libgcrypt-1.5.0-use-fipscheck.patch | 2 +-
libgcrypt-1.5.2-mpicoder-gccopt.patch | 102 --
libgcrypt-1.5.3-ecc-test-fix.patch | 12 -
libgcrypt-1.5.3-pbkdf-speedup.patch | 32 -
libgcrypt-1.5.3-whirlpool-bug.patch | 28 -
libgcrypt-1.6.1-ecc-test-fix.patch | 214 +++
...s-cavs.patch => libgcrypt-1.6.1-fips-cavs.patch | 69 +-
...m.patch => libgcrypt-1.6.1-fips-cfgrandom.patch | 105 +-
libgcrypt-1.6.1-leak.patch | 38 +
libgcrypt-1.6.1-mpicoder-gccopt.patch | 104 ++
libgcrypt-1.6.1-tests.patch | 198 +++
...se-poll.patch => libgcrypt-1.6.1-use-poll.patch | 61 +-
libgcrypt.spec | 46 +-
t-mpi-point.c | 970 +++++++++++
21 files changed, 2655 insertions(+), 2317 deletions(-)
---
diff --git a/curves.c b/curves.c
index aa51a3a..fccd1d4 100644
--- a/curves.c
+++ b/curves.c
@@ -26,10 +26,10 @@
#include <string.h>
#include <stdarg.h>
-#include "../src/gcrypt.h"
+#include "../src/gcrypt-int.h"
/* Number of curves defined in ../cipger/ecc.c */
-#define N_CURVES 3
+#define N_CURVES 4
/* A real world sample public key. */
static char const sample_key_1[] =
diff --git a/ecc-curves.c b/ecc-curves.c
new file mode 100644
index 0000000..b8679da
--- /dev/null
+++ b/ecc-curves.c
@@ -0,0 +1,1007 @@
+/* ecc-curves.c - Elliptic Curve parameter mangement
+ * Copyright (C) 2007, 2008, 2010, 2011 Free Software Foundation, Inc.
+ * Copyright (C) 2013 g10 Code GmbH
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "g10lib.h"
+#include "mpi.h"
+#include "cipher.h"
+#include "context.h"
+#include "ec-context.h"
+#include "pubkey-internal.h"
+#include "ecc-common.h"
+
+
+/* This tables defines aliases for curve names. */
+static const struct
+{
+ const char *name; /* Our name. */
+ const char *other; /* Other name. */
+} curve_aliases[] =
+ {
+ /*{ "Curve25519", "1.3.6.1.4.1.3029.1.5.1" },*/
+ { "Ed25519", "1.3.6.1.4.1.11591.15.1" },
+
+ { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1. */
+ { "NIST P-256", "prime256v1" },
+ { "NIST P-256", "secp256r1" },
+ { "NIST P-256", "nistp256" }, /* rfc5656. */
+
+ { "NIST P-384", "secp384r1" },
+ { "NIST P-384", "1.3.132.0.34" },
+ { "NIST P-384", "nistp384" }, /* rfc5656. */
+
+ { "NIST P-521", "secp521r1" },
+ { "NIST P-521", "1.3.132.0.35" },
+ { "NIST P-521", "nistp521" }, /* rfc5656. */
+
+ { NULL, NULL}
+ };
+
+
+typedef struct
+{
+ const char *desc; /* Description of the curve. */
+ unsigned int nbits; /* Number of bits. */
+ unsigned int fips:1; /* True if this is a FIPS140-2 approved curve. */
+
+ /* The model describing this curve. This is mainly used to select
+ the group equation. */
+ enum gcry_mpi_ec_models model;
+
+ /* The actual ECC dialect used. This is used for curve specific
+ optimizations and to select encodings etc. */
+ enum ecc_dialects dialect;
+
+ const char *p; /* The prime defining the field. */
+ const char *a, *b; /* The coefficients. For Twisted Edwards
+ Curves b is used for d. */
+ const char *n; /* The order of the base point. */
+ const char *g_x, *g_y; /* Base point. */
+} ecc_domain_parms_t;
+
+
+/* This static table defines all available curves. */
+static const ecc_domain_parms_t domain_parms[] =
+ {
+ {
+ /* (-x^2 + y^2 = 1 + dx^2y^2) */
+ "Ed25519", 256, 0,
+ MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519,
+ "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+ "-0x01",
+ "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
+ "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED",
+ "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
+ "0x6666666666666666666666666666666666666666666666666666666666666658"
+ },
+ {
+ "NIST P-256", 256, 1,
+ MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+ "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
+ "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
+ "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
+ "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+
+ "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
+ "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
+ },
+ {
+ "NIST P-384", 384, 1,
+ MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+ "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000ffffffff",
+ "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000fffffffc",
+ "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a"
+ "c656398d8a2ed19d2a85c8edd3ec2aef",
+ "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf"
+ "581a0db248b0a77aecec196accc52973",
+
+ "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38"
+ "5502f25dbf55296c3a545e3872760ab7",
+ "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0"
+ "0a60b1ce1d7e819d7a431d7c90ea0e5f"
+ },
+ {
+ "NIST P-521", 521, 1,
+ MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+ "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
+ "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10"
+ "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
+ "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
+
+ "0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d"
+ "3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
+ "0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e"
+ "662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650"
+ },
+
+ { NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL }
+ };
+
+
+
+
+/* Return a copy of POINT. */
+static gcry_mpi_point_t
+point_copy (gcry_mpi_point_t point)
+{
+ gcry_mpi_point_t newpoint;
+
+ if (point)
+ {
+ newpoint = mpi_point_new (0);
+ point_set (newpoint, point);
+ }
+ else
+ newpoint = NULL;
+ return newpoint;
+}
+
+
+/* Helper to scan a hex string. */
+static gcry_mpi_t
+scanval (const char *string)
+{
+ gpg_err_code_t rc;
+ gcry_mpi_t val;
+
+ rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL);
+ if (rc)
+ log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc));
+ return val;
+}
+
+
+/* Return the index of the domain_parms table for a curve with NAME.
+ Return -1 if not found. */
+static int
+find_domain_parms_idx (const char *name)
+{
+ int idx, aliasno;
+
+ /* First check our native curves. */
+ for (idx = 0; domain_parms[idx].desc; idx++)
+ if (!strcmp (name, domain_parms[idx].desc))
+ return idx;
+
+ /* If not found consult the alias table. */
+ if (!domain_parms[idx].desc)
+ {
+ for (aliasno = 0; curve_aliases[aliasno].name; aliasno++)
+ if (!strcmp (name, curve_aliases[aliasno].other))
+ break;
+ if (curve_aliases[aliasno].name)
+ {
+ for (idx = 0; domain_parms[idx].desc; idx++)
+ if (!strcmp (curve_aliases[aliasno].name, domain_parms[idx].desc))
+ return idx;
+ }
+ }
+
+ return -1;
+}
+
+
+/* Generate the crypto system setup. This function takes the NAME of
+ a curve or the desired number of bits and stores at R_CURVE the
+ parameters of the named curve or those of a suitable curve. If
+ R_NBITS is not NULL, the chosen number of bits is stored there.
+ NULL may be given for R_CURVE, if the value is not required and for
+ example only a quick test for availability is desired. Note that
+ the curve fields should be initialized to zero because fields which
+ are not NULL are skipped. */
+gpg_err_code_t
+_gcry_ecc_fill_in_curve (unsigned int nbits, const char *name,
+ elliptic_curve_t *curve, unsigned int *r_nbits)
+{
+ int idx;
+ const char *resname = NULL; /* Set to a found curve name. */
+
+ if (name)
+ idx = find_domain_parms_idx (name);
+ else
+ {
+ for (idx = 0; domain_parms[idx].desc; idx++)
+ if (nbits == domain_parms[idx].nbits
+ && domain_parms[idx].model == MPI_EC_WEIERSTRASS)
+ break;
+ if (!domain_parms[idx].desc)
+ idx = -1;
+ }
+ if (idx < 0)
+ return GPG_ERR_UNKNOWN_CURVE;
+
+ resname = domain_parms[idx].desc;
+
+ /* In fips mode we only support NIST curves. Note that it is
+ possible to bypass this check by specifying the curve parameters
+ directly. */
+ if (fips_mode () && !domain_parms[idx].fips )
+ return GPG_ERR_NOT_SUPPORTED;
+
+ switch (domain_parms[idx].model)
+ {
+ case MPI_EC_WEIERSTRASS:
+ case MPI_EC_TWISTEDEDWARDS:
+ break;
+ case MPI_EC_MONTGOMERY:
+ return GPG_ERR_NOT_SUPPORTED;
+ default:
+ return GPG_ERR_BUG;
+ }
+
+
+ if (r_nbits)
+ *r_nbits = domain_parms[idx].nbits;
+
+ if (curve)
+ {
+ curve->model = domain_parms[idx].model;
+ curve->dialect = domain_parms[idx].dialect;
+ if (!curve->p)
+ curve->p = scanval (domain_parms[idx].p);
+ if (!curve->a)
+ curve->a = scanval (domain_parms[idx].a);
+ if (!curve->b)
+ curve->b = scanval (domain_parms[idx].b);
+ if (!curve->n)
+ curve->n = scanval (domain_parms[idx].n);
+ if (!curve->G.x)
+ curve->G.x = scanval (domain_parms[idx].g_x);
+ if (!curve->G.y)
+ curve->G.y = scanval (domain_parms[idx].g_y);
+ if (!curve->G.z)
+ curve->G.z = mpi_alloc_set_ui (1);
+ if (!curve->name)
+ curve->name = resname;
+ }
+
+ return 0;
+}
+
+
+/* Give the name of the curve NAME, store the curve parameters into P,
+ A, B, G, and N if they point to NULL value. Note that G is returned
+ in standard uncompressed format. Also update MODEL and DIALECT if
+ they are not NULL. */
+gpg_err_code_t
+_gcry_ecc_update_curve_param (const char *name,
+ enum gcry_mpi_ec_models *model,
+ enum ecc_dialects *dialect,
+ gcry_mpi_t *p, gcry_mpi_t *a, gcry_mpi_t *b,
+ gcry_mpi_t *g, gcry_mpi_t *n)
+{
+ int idx;
+
+ idx = find_domain_parms_idx (name);
+ if (idx < 0)
+ return GPG_ERR_UNKNOWN_CURVE;
+
+ if (g)
+ {
+ char *buf;
+ size_t len;
+
+ len = 4;
+ len += strlen (domain_parms[idx].g_x+2);
+ len += strlen (domain_parms[idx].g_y+2);
+ len++;
+ buf = xtrymalloc (len);
+ if (!buf)
+ return gpg_err_code_from_syserror ();
+ strcpy (stpcpy (stpcpy (buf, "0x04"), domain_parms[idx].g_x+2),
+ domain_parms[idx].g_y+2);
+ _gcry_mpi_release (*g);
+ *g = scanval (buf);
+ xfree (buf);
+ }
+ if (model)
+ *model = domain_parms[idx].model;
+ if (dialect)
+ *dialect = domain_parms[idx].dialect;
+ if (p)
+ {
+ _gcry_mpi_release (*p);
+ *p = scanval (domain_parms[idx].p);
+ }
+ if (a)
+ {
+ _gcry_mpi_release (*a);
+ *a = scanval (domain_parms[idx].a);
+ }
+ if (b)
+ {
+ _gcry_mpi_release (*b);
+ *b = scanval (domain_parms[idx].b);
+ }
+ if (n)
+ {
+ _gcry_mpi_release (*n);
+ *n = scanval (domain_parms[idx].n);
+ }
+ return 0;
+}
+
+
+/* Return the name matching the parameters in PKEY. This works only
+ with curves described by the Weierstrass equation. */
+const char *
+_gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits)
+{
+ gpg_err_code_t rc;
+ const char *result = NULL;
+ elliptic_curve_t E;
+ gcry_mpi_t mpi_g = NULL;
+ gcry_mpi_t tmp = NULL;
+ int idx;
+
+ memset (&E, 0, sizeof E);
+
+ if (r_nbits)
+ *r_nbits = 0;
+
+ if (!keyparms)
+ {
+ idx = iterator;
+ if (idx >= 0 && idx < DIM (domain_parms))
+ {
+ result = domain_parms[idx].desc;
+ if (r_nbits)
+ *r_nbits = domain_parms[idx].nbits;
+ }
+ return result;
+ }
+
+
+ /*
+ * Extract the curve parameters..
+ */
+ rc = gpg_err_code (sexp_extract_param (keyparms, NULL, "-pabgn",
+ &E.p, &E.a, &E.b, &mpi_g, &E.n,
+ NULL));
+ if (rc == GPG_ERR_NO_OBJ)
+ {
+ /* This might be the second use case of checking whether a
+ specific curve given by name is supported. */
+ gcry_sexp_t l1;
+ char *name;
+
+ l1 = sexp_find_token (keyparms, "curve", 5);
+ if (!l1)
+ goto leave; /* No curve name parameter. */
+
+ name = sexp_nth_string (l1, 1);
+ sexp_release (l1);
+ if (!name)
+ goto leave; /* Name missing or out of core. */
+
+ idx = find_domain_parms_idx (name);
+ xfree (name);
+ if (idx >= 0) /* Curve found. */
+ {
+ result = domain_parms[idx].desc;
+ if (r_nbits)
+ *r_nbits = domain_parms[idx].nbits;
+ }
+ return result;
+ }
+
+ if (rc)
+ goto leave;
+
+ if (mpi_g)
+ {
+ _gcry_mpi_point_init (&E.G);
+ if (_gcry_ecc_os2ec (&E.G, mpi_g))
+ goto leave;
+ }
+
+ for (idx = 0; domain_parms[idx].desc; idx++)
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].p);
+ if (!mpi_cmp (tmp, E.p))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].a);
+ if (!mpi_cmp (tmp, E.a))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].b);
+ if (!mpi_cmp (tmp, E.b))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].n);
+ if (!mpi_cmp (tmp, E.n))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].g_x);
+ if (!mpi_cmp (tmp, E.G.x))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].g_y);
+ if (!mpi_cmp (tmp, E.G.y))
+ {
+ result = domain_parms[idx].desc;
+ if (r_nbits)
+ *r_nbits = domain_parms[idx].nbits;
+ goto leave;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ leave:
+ _gcry_mpi_release (tmp);
+ _gcry_mpi_release (E.p);
+ _gcry_mpi_release (E.a);
+ _gcry_mpi_release (E.b);
+ _gcry_mpi_release (mpi_g);
+ _gcry_mpi_point_free_parts (&E.G);
+ _gcry_mpi_release (E.n);
+ return result;
+}
+
+
+/* Helper to extract an MPI from key parameters. */
+static gpg_err_code_t
+mpi_from_keyparam (gcry_mpi_t *r_a, gcry_sexp_t keyparam, const char *name)
+{
+ gcry_err_code_t ec = 0;
+ gcry_sexp_t l1;
+
+ l1 = sexp_find_token (keyparam, name, 0);
+ if (l1)
+ {
+ *r_a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
+ sexp_release (l1);
+ if (!*r_a)
+ ec = GPG_ERR_INV_OBJ;
+ }
+ return ec;
+}
+
+/* Helper to extract a point from key parameters. If no parameter
+ with NAME is found, the functions tries to find a non-encoded point
+ by appending ".x", ".y" and ".z" to NAME. ".z" is in this case
+ optional and defaults to 1. EC is the context which at this point
+ may not be fully initialized. */
+static gpg_err_code_t
+point_from_keyparam (gcry_mpi_point_t *r_a,
+ gcry_sexp_t keyparam, const char *name, mpi_ec_t ec)
+{
+ gcry_err_code_t rc;
+ gcry_sexp_t l1;
+ gcry_mpi_point_t point;
+
+ l1 = sexp_find_token (keyparam, name, 0);
+ if (l1)
+ {
+ gcry_mpi_t a;
+
+ a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_OPAQUE);
+ sexp_release (l1);
+ if (!a)
+ return GPG_ERR_INV_OBJ;
+
+ point = mpi_point_new (0);
+ if (ec && ec->dialect == ECC_DIALECT_ED25519)
+ rc = _gcry_ecc_eddsa_decodepoint (a, ec, point, NULL, NULL);
+ else
+ rc = _gcry_ecc_os2ec (point, a);
+ mpi_free (a);
+ if (rc)
+ {
+ mpi_point_release (point);
+ return rc;
+ }
+ }
+ else
+ {
+ char *tmpname;
+ gcry_mpi_t x = NULL;
+ gcry_mpi_t y = NULL;
+ gcry_mpi_t z = NULL;
+
+ tmpname = xtrymalloc (strlen (name) + 2 + 1);
+ if (!tmpname)
+ return gpg_err_code_from_syserror ();
+ strcpy (stpcpy (tmpname, name), ".x");
+ rc = mpi_from_keyparam (&x, keyparam, tmpname);
+ if (rc)
+ {
+ xfree (tmpname);
+ return rc;
+ }
+ strcpy (stpcpy (tmpname, name), ".y");
+ rc = mpi_from_keyparam (&y, keyparam, tmpname);
+ if (rc)
+ {
+ mpi_free (x);
+ xfree (tmpname);
+ return rc;
+ }
+ strcpy (stpcpy (tmpname, name), ".z");
+ rc = mpi_from_keyparam (&z, keyparam, tmpname);
+ if (rc)
+ {
+ mpi_free (y);
+ mpi_free (x);
+ xfree (tmpname);
+ return rc;
+ }
+ if (!z)
+ z = mpi_set_ui (NULL, 1);
+ if (x && y)
+ point = mpi_point_snatch_set (NULL, x, y, z);
+ else
+ {
+ mpi_free (x);
+ mpi_free (y);
+ mpi_free (z);
+ point = NULL;
+ }
+ xfree (tmpname);
+ }
+
+ if (point)
+ *r_a = point;
+ return 0;
+}
+
+
+/* This function creates a new context for elliptic curve operations.
+ Either KEYPARAM or CURVENAME must be given. If both are given and
+ KEYPARAM has no curve parameter, CURVENAME is used to add missing
+ parameters. On success 0 is returned and the new context stored at
+ R_CTX. On error NULL is stored at R_CTX and an error code is
+ returned. The context needs to be released using
+ gcry_ctx_release. */
+gpg_err_code_t
+_gcry_mpi_ec_new (gcry_ctx_t *r_ctx,
+ gcry_sexp_t keyparam, const char *curvename)
+{
+ gpg_err_code_t errc;
+ gcry_ctx_t ctx = NULL;
+ enum gcry_mpi_ec_models model = MPI_EC_WEIERSTRASS;
+ enum ecc_dialects dialect = ECC_DIALECT_STANDARD;
+ gcry_mpi_t p = NULL;
+ gcry_mpi_t a = NULL;
+ gcry_mpi_t b = NULL;
+ gcry_mpi_point_t G = NULL;
+ gcry_mpi_t n = NULL;
+ gcry_mpi_point_t Q = NULL;
+ gcry_mpi_t d = NULL;
+ int flags = 0;
+ gcry_sexp_t l1;
+
+ *r_ctx = NULL;
+
+ if (keyparam)
+ {
+ /* Parse an optional flags list. */
+ l1 = sexp_find_token (keyparam, "flags", 0);
+ if (l1)
+ {
+ errc = _gcry_pk_util_parse_flaglist (l1, &flags, NULL);
+ sexp_release (l1);
+ l1 = NULL;
+ if (errc)
+ goto leave;
+ }
+
+ /* Check whether a curve name was given. */
+ l1 = sexp_find_token (keyparam, "curve", 5);
+
+ /* If we don't have a curve name or if override parameters have
+ explicitly been requested, parse them. */
+ if (!l1 || (flags & PUBKEY_FLAG_PARAM))
+ {
+ errc = mpi_from_keyparam (&p, keyparam, "p");
+ if (errc)
+ goto leave;
+ errc = mpi_from_keyparam (&a, keyparam, "a");
+ if (errc)
+ goto leave;
+ errc = mpi_from_keyparam (&b, keyparam, "b");
+ if (errc)
+ goto leave;
+ errc = point_from_keyparam (&G, keyparam, "g", NULL);
+ if (errc)
+ goto leave;
+ errc = mpi_from_keyparam (&n, keyparam, "n");
+ if (errc)
+ goto leave;
+ }
+ }
+ else
+ l1 = NULL; /* No curvename. */
+
+ /* Check whether a curve parameter is available and use that to fill
+ in missing values. If no curve parameter is available try an
+ optional provided curvename. If only the curvename has been
+ given use that one. */
+ if (l1 || curvename)
+ {
+ char *name;
+ elliptic_curve_t *E;
+
+ if (l1)
+ {
+ name = sexp_nth_string (l1, 1);
+ sexp_release (l1);
+ if (!name)
+ {
+ errc = GPG_ERR_INV_OBJ; /* Name missing or out of core. */
+ goto leave;
+ }
+ }
+ else
+ name = NULL;
+
+ E = xtrycalloc (1, sizeof *E);
+ if (!E)
+ {
+ errc = gpg_err_code_from_syserror ();
+ xfree (name);
+ goto leave;
+ }
+
+ errc = _gcry_ecc_fill_in_curve (0, name? name : curvename, E, NULL);
+ xfree (name);
+ if (errc)
+ {
+ xfree (E);
+ goto leave;
+ }
+
+ model = E->model;
+ dialect = E->dialect;
+
+ if (!p)
+ {
+ p = E->p;
+ E->p = NULL;
+ }
+ if (!a)
+ {
+ a = E->a;
+ E->a = NULL;
+ }
+ if (!b)
+ {
+ b = E->b;
+ E->b = NULL;
+ }
+ if (!G)
+ {
+ G = mpi_point_snatch_set (NULL, E->G.x, E->G.y, E->G.z);
+ E->G.x = NULL;
+ E->G.y = NULL;
+ E->G.z = NULL;
+ }
+ if (!n)
+ {
+ n = E->n;
+ E->n = NULL;
+ }
+ _gcry_ecc_curve_free (E);
+ xfree (E);
+ }
+
+
+ errc = _gcry_mpi_ec_p_new (&ctx, model, dialect, flags, p, a, b);
+ if (!errc)
+ {
+ mpi_ec_t ec = _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC);
+
+ if (b)
+ {
+ mpi_free (ec->b);
+ ec->b = b;
+ b = NULL;
+ }
+ if (G)
+ {
+ ec->G = G;
+ G = NULL;
+ }
+ if (n)
+ {
+ ec->n = n;
+ n = NULL;
+ }
+
+ /* Now that we know the curve name we can look for the public key
+ Q. point_from_keyparam needs to know the curve parameters so
+ that it is able to use the correct decompression. Parsing
+ the private key D could have been done earlier but it is less
+ surprising if we do it here as well. */
+ if (keyparam)
+ {
+ errc = point_from_keyparam (&Q, keyparam, "q", ec);
+ if (errc)
+ goto leave;
+ errc = mpi_from_keyparam (&d, keyparam, "d");
+ if (errc)
+ goto leave;
+ }
+
+ if (Q)
+ {
+ ec->Q = Q;
+ Q = NULL;
+ }
+ if (d)
+ {
+ ec->d = d;
+ d = NULL;
+ }
+
+ *r_ctx = ctx;
+ ctx = NULL;
+ }
+
+ leave:
+ _gcry_ctx_release (ctx);
+ mpi_free (p);
+ mpi_free (a);
+ mpi_free (b);
+ _gcry_mpi_point_release (G);
+ mpi_free (n);
+ _gcry_mpi_point_release (Q);
+ mpi_free (d);
+ return errc;
+}
+
+
+/* Return the parameters of the curve NAME as an S-expression. */
+gcry_sexp_t
+_gcry_ecc_get_param_sexp (const char *name)
+{
+ unsigned int nbits;
+ elliptic_curve_t E;
+ mpi_ec_t ctx;
+ gcry_mpi_t g_x, g_y;
+ gcry_mpi_t pkey[6];
+ gcry_sexp_t result;
+ int i;
+
+ memset (&E, 0, sizeof E);
+ if (_gcry_ecc_fill_in_curve (0, name, &E, &nbits))
+ return NULL;
+
+ g_x = mpi_new (0);
+ g_y = mpi_new (0);
+ ctx = _gcry_mpi_ec_p_internal_new (MPI_EC_WEIERSTRASS,
+ ECC_DIALECT_STANDARD,
+ 0,
+ E.p, E.a, NULL);
+ if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx))
+ log_fatal ("ecc get param: Failed to get affine coordinates\n");
+ _gcry_mpi_ec_free (ctx);
+ _gcry_mpi_point_free_parts (&E.G);
+
+ pkey[0] = E.p;
+ pkey[1] = E.a;
+ pkey[2] = E.b;
+ pkey[3] = _gcry_ecc_ec2os (g_x, g_y, E.p);
+ pkey[4] = E.n;
+ pkey[5] = NULL;
+
+ mpi_free (g_x);
+ mpi_free (g_y);
+
+ if (sexp_build (&result, NULL,
+ "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)))",
+ pkey[0], pkey[1], pkey[2], pkey[3], pkey[4]))
+ result = NULL;
+
+ for (i=0; pkey[i]; i++)
+ _gcry_mpi_release (pkey[i]);
+
+ return result;
+}
+
+
+/* Return an MPI (or opaque MPI) described by NAME and the context EC.
+ If COPY is true a copy is returned, if not a const MPI may be
+ returned. In any case mpi_free must be used. */
+gcry_mpi_t
+_gcry_ecc_get_mpi (const char *name, mpi_ec_t ec, int copy)
+{
+ if (!*name)
+ return NULL;
+
+ if (!strcmp (name, "p") && ec->p)
+ return mpi_is_const (ec->p) && !copy? ec->p : mpi_copy (ec->p);
+ if (!strcmp (name, "a") && ec->a)
+ return mpi_is_const (ec->a) && !copy? ec->a : mpi_copy (ec->a);
+ if (!strcmp (name, "b") && ec->b)
+ return mpi_is_const (ec->b) && !copy? ec->b : mpi_copy (ec->b);
+ if (!strcmp (name, "n") && ec->n)
+ return mpi_is_const (ec->n) && !copy? ec->n : mpi_copy (ec->n);
+ if (!strcmp (name, "d") && ec->d)
+ return mpi_is_const (ec->d) && !copy? ec->d : mpi_copy (ec->d);
+
+ /* Return a requested point coordinate. */
+ if (!strcmp (name, "g.x") && ec->G && ec->G->x)
+ return mpi_is_const (ec->G->x) && !copy? ec->G->x : mpi_copy (ec->G->x);
+ if (!strcmp (name, "g.y") && ec->G && ec->G->y)
+ return mpi_is_const (ec->G->y) && !copy? ec->G->y : mpi_copy (ec->G->y);
+ if (!strcmp (name, "q.x") && ec->Q && ec->Q->x)
+ return mpi_is_const (ec->Q->x) && !copy? ec->Q->x : mpi_copy (ec->Q->x);
+ if (!strcmp (name, "q.y") && ec->Q && ec->Q->y)
+ return mpi_is_const (ec->G->y) && !copy? ec->Q->y : mpi_copy (ec->Q->y);
+
+ /* If the base point has been requested, return it in standard
+ encoding. */
+ if (!strcmp (name, "g") && ec->G)
+ return _gcry_mpi_ec_ec2os (ec->G, ec);
+
+ /* If the public key has been requested, return it by default in
+ standard uncompressed encoding or if requested in other
+ encodings. */
+ if (*name == 'q' && (!name[1] || name[1] == '@'))
+ {
+ /* If only the private key is given, compute the public key. */
+ if (!ec->Q)
+ ec->Q = _gcry_ecc_compute_public (NULL, ec, NULL, NULL);
+
+ if (!ec->Q)
+ return NULL;
+
+ if (name[1] != '@')
+ return _gcry_mpi_ec_ec2os (ec->Q, ec);
+
+ if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS)
+ {
+ unsigned char *encpk;
+ unsigned int encpklen;
+
+ if (!_gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL,
+ &encpk, &encpklen))
+ return mpi_set_opaque (NULL, encpk, encpklen*8);
+ }
+ }
+
+ return NULL;
+}
+
+
+/* Return a point described by NAME and the context EC. */
+gcry_mpi_point_t
+_gcry_ecc_get_point (const char *name, mpi_ec_t ec)
+{
+ if (!strcmp (name, "g") && ec->G)
+ return point_copy (ec->G);
+ if (!strcmp (name, "q"))
+ {
+ /* If only the private key is given, compute the public key. */
+ if (!ec->Q)
+ ec->Q = _gcry_ecc_compute_public (NULL, ec, NULL, NULL);
+
+ if (ec->Q)
+ return point_copy (ec->Q);
+ }
+
+ return NULL;
+}
+
+
+/* Store the MPI NEWVALUE into the context EC under NAME. */
+gpg_err_code_t
+_gcry_ecc_set_mpi (const char *name, gcry_mpi_t newvalue, mpi_ec_t ec)
+{
+ gpg_err_code_t rc = 0;
+
+ if (!*name)
+ ;
+ else if (!strcmp (name, "p"))
+ {
+ mpi_free (ec->p);
+ ec->p = mpi_copy (newvalue);
+ _gcry_mpi_ec_get_reset (ec);
+ }
+ else if (!strcmp (name, "a"))
+ {
+ mpi_free (ec->a);
+ ec->a = mpi_copy (newvalue);
+ _gcry_mpi_ec_get_reset (ec);
+ }
+ else if (!strcmp (name, "b"))
+ {
+ mpi_free (ec->b);
+ ec->b = mpi_copy (newvalue);
+ }
+ else if (!strcmp (name, "n"))
+ {
+ mpi_free (ec->n);
+ ec->n = mpi_copy (newvalue);
+ }
+ else if (*name == 'q' && (!name[1] || name[1] == '@'))
+ {
+ if (newvalue)
+ {
+ if (!ec->Q)
+ ec->Q = mpi_point_new (0);
+ if (ec->dialect == ECC_DIALECT_ED25519)
+ rc = _gcry_ecc_eddsa_decodepoint (newvalue, ec, ec->Q, NULL, NULL);
+ else
+ rc = _gcry_ecc_os2ec (ec->Q, newvalue);
+ }
+ if (rc || !newvalue)
+ {
+ _gcry_mpi_point_release (ec->Q);
+ ec->Q = NULL;
+ }
+ /* Note: We assume that Q matches d and thus do not reset d. */
+ }
+ else if (!strcmp (name, "d"))
+ {
+ mpi_free (ec->d);
+ ec->d = mpi_copy (newvalue);
+ if (ec->d)
+ {
+ /* We need to reset the public key because it may not
+ anymore match. */
+ _gcry_mpi_point_release (ec->Q);
+ ec->Q = NULL;
+ }
+ }
+ else
+ rc = GPG_ERR_UNKNOWN_NAME;
+
+ return rc;
+}
+
+
+/* Store the point NEWVALUE into the context EC under NAME. */
+gpg_err_code_t
+_gcry_ecc_set_point (const char *name, gcry_mpi_point_t newvalue, mpi_ec_t ec)
+{
+ if (!strcmp (name, "g"))
+ {
+ _gcry_mpi_point_release (ec->G);
+ ec->G = point_copy (newvalue);
+ }
+ else if (!strcmp (name, "q"))
+ {
+ _gcry_mpi_point_release (ec->Q);
+ ec->Q = point_copy (newvalue);
+ }
+ else
+ return GPG_ERR_UNKNOWN_NAME;
+
+ return 0;
+}
diff --git a/hobble-libgcrypt b/hobble-libgcrypt
index 1062d6e..5eade9d 100755
--- a/hobble-libgcrypt
+++ b/hobble-libgcrypt
@@ -6,4 +6,6 @@ set -e -x
# Clean out patent-or-otherwise-encumbered code.
# EC: ????????? ??/??/2015
-rm -f cipher/ecc.c
+rm -f cipher/ecc-curves.c
+rm -f tests/curves.c
+rm -f tests/t_mpi_point.c
diff --git a/libgcrypt-1.5.0-use-fipscheck.patch b/libgcrypt-1.5.0-use-fipscheck.patch
index 1cef010..704bb52 100644
--- a/libgcrypt-1.5.0-use-fipscheck.patch
+++ b/libgcrypt-1.5.0-use-fipscheck.patch
@@ -60,7 +60,7 @@ diff -up libgcrypt-1.5.0/src/fips.c.use-fipscheck libgcrypt-1.5.0/src/fips.c
else
{
- fname = gcry_malloc (strlen (info.dli_fname) + 1 + 5 + 1 );
-+ fname = gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
++ fname = _gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
if (!fname)
err = gpg_error_from_syserror ();
else
diff --git a/libgcrypt-1.6.1-ecc-test-fix.patch b/libgcrypt-1.6.1-ecc-test-fix.patch
new file mode 100644
index 0000000..7e12c1b
--- /dev/null
+++ b/libgcrypt-1.6.1-ecc-test-fix.patch
@@ -0,0 +1,214 @@
+diff -up libgcrypt-1.6.1/tests/benchmark.c.eccfix libgcrypt-1.6.1/tests/benchmark.c
+--- libgcrypt-1.6.1/tests/benchmark.c.eccfix 2014-01-27 14:36:43.000000000 +0100
++++ libgcrypt-1.6.1/tests/benchmark.c 2014-02-28 16:14:13.042505538 +0100
+@@ -1087,8 +1087,7 @@ ecc_bench (int iterations, int print_hea
+ {
+ #if USE_ECC
+ gpg_error_t err;
+- const char *p_sizes[] = { "192", "224", "256", "384", "521", "Ed25519",
+- "gost256", "gost512" };
++ const char *p_sizes[] = { "256", "384", "521", "Ed25519" };
+ int testno;
+
+ if (print_header)
+diff -up libgcrypt-1.6.1/tests/dsa-rfc6979.c.eccfix libgcrypt-1.6.1/tests/dsa-rfc6979.c
+--- libgcrypt-1.6.1/tests/dsa-rfc6979.c.eccfix 2013-12-16 18:44:32.000000000 +0100
++++ libgcrypt-1.6.1/tests/dsa-rfc6979.c 2014-02-28 16:18:44.138771523 +0100
+@@ -210,27 +210,6 @@ check_dsa_rfc6979 (void)
+ " ))"
+ },
+ {
+- "ECDSA, 192 bits (prime field)",
+- "(private-key"
+- " (ecdsa"
+- " (curve \"NIST P-192\")"
+- " (q #04AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56"
+- " 3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43#)"
+- " (d #6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4#)"
+- " ))"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "(private-key"
+- " (ecdsa"
+- " (curve \"NIST P-224\")"
+- " (q #04"
+- " 00CF08DA5AD719E42707FA431292DEA11244D64FC51610D94B130D6C"
+- " EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A#)"
+- " (d #F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1#)"
+- " ))"
+- },
+- {
+ "ECDSA, 256 bits (prime field)",
+ "(private-key"
+ " (ecdsa"
+@@ -443,169 +422,6 @@ check_dsa_rfc6979 (void)
+ "C9F0BDABCC0D880BB137A994CC7F3980CE91CC10FAF529FC46565B15CEA854E1"
+ },
+ {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-1, message = \"sample\"",
+- "sha1", "sample",
+- "37D7CA00D2C7B0E5E412AC03BD44BA837FDD5B28CD3B0021",
+- "98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF",
+- "57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-224, message = \"sample\"",
+- "sha224", "sample",
+- "4381526B3FC1E7128F202E194505592F01D5FF4C5AF015D8",
+- "A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5",
+- "E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-256, message = \"sample\"",
+- "sha256", "sample",
+- "32B1B6D7D42A05CB449065727A84804FB1A3E34D8F261496",
+- "4B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55",
+- "CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-384, message = \"sample\"",
+- "sha384", "sample",
+- "4730005C4FCB01834C063A7B6760096DBE284B8252EF4311",
+- "DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5",
+- "C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-512, message = \"sample\"",
+- "sha512", "sample",
+- "A2AC7AB055E4F20692D49209544C203A7D1F2C0BFBC75DB1",
+- "4D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B8",
+- "3F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-1, message = \"test\"",
+- "sha1", "test",
+- "D9CF9C3D3297D3260773A1DA7418DB5537AB8DD93DE7FA25",
+- "0F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D",
+- "EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-224, message = \"test\"",
+- "sha224", "test",
+- "F5DC805F76EF851800700CCE82E7B98D8911B7D510059FBE",
+- "6945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34",
+- "B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-256, message = \"test\"",
+- "sha256", "test",
+- "5C4CE89CF56D9E7C77C8585339B006B97B5F0680B4306C6C",
+- "3A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE",
+- "5662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-384, message = \"test\"",
+- "sha384", "test",
+- "5AFEFB5D3393261B828DB6C91FBC68C230727B030C975693",
+- "B234B60B4DB75A733E19280A7A6034BD6B1EE88AF5332367",
+- "7994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A"
+- },
+- {
+- "ECDSA, 192 bits (prime field)",
+- "With SHA-512, message = \"test\"",
+- "sha512", "test",
+- "0758753A5254759C7CFBAD2E2D9B0792EEE44136C9480527",
+- "FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739",
+- "74CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290"
+- },
+-
+-
+-
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-1, message = \"sample\"",
+- "sha1", "sample",
+- "7EEFADD91110D8DE6C2C470831387C50D3357F7F4D477054B8B426BC",
+- "22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC",
+- "66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-224, message = \"sample\"",
+- "sha224", "sample",
+- "C1D1F2F10881088301880506805FEB4825FE09ACB6816C36991AA06D",
+- "1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E",
+- "A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-256, message = \"sample\"",
+- "sha256", "sample",
+- "AD3029E0278F80643DE33917CE6908C70A8FF50A411F06E41DEDFCDC",
+- "61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA",
+- "BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-384, message = \"sample\"",
+- "sha384", "sample",
+- "52B40F5A9D3D13040F494E83D3906C6079F29981035C7BD51E5CAC40",
+- "0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953",
+- "830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-512, message = \"sample\"",
+- "sha512", "sample",
+- "9DB103FFEDEDF9CFDBA05184F925400C1653B8501BAB89CEA0FBEC14",
+- "074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397",
+- "A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-1, message = \"test\"",
+- "sha1", "test",
+- "2519178F82C3F0E4F87ED5883A4E114E5B7A6E374043D8EFD329C253",
+- "DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C",
+- "95987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-224, message = \"test\"",
+- "sha224", "test",
+- "DF8B38D40DCA3E077D0AC520BF56B6D565134D9B5F2EAE0D34900524",
+- "C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019",
+- "902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-256, message = \"test\"",
+- "sha256", "test",
+- "FF86F57924DA248D6E44E8154EB69F0AE2AEBAEE9931D0B5A969F904",
+- "AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6",
+- "178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-384, message = \"test\"",
+- "sha384", "test",
+- "7046742B839478C1B5BD31DB2E862AD868E1A45C863585B5F22BDC2D",
+- "389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4",
+- "414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB"
+- },
+- {
+- "ECDSA, 224 bits (prime field)",
+- "With SHA-512, message = \"test\"",
+- "sha512", "test",
+- "E39C2AA4EA6BE2306C72126D40ED77BF9739BB4D6EF2BBB1DCB6169D",
+- "049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C",
+- "077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFF"
+- },
+- {
+ "ECDSA, 256 bits (prime field)",
+ "With SHA-1, message = \"sample\"",
+ "sha1", "sample",
diff --git a/libgcrypt-1.5.0-fips-cavs.patch b/libgcrypt-1.6.1-fips-cavs.patch
similarity index 91%
rename from libgcrypt-1.5.0-fips-cavs.patch
rename to libgcrypt-1.6.1-fips-cavs.patch
index ac999f9..55aa66a 100644
--- a/libgcrypt-1.5.0-fips-cavs.patch
+++ b/libgcrypt-1.6.1-fips-cavs.patch
@@ -1,57 +1,6 @@
-diff -up libgcrypt-1.5.0/cipher/dsa.c.cavs libgcrypt-1.5.0/cipher/dsa.c
---- libgcrypt-1.5.0/cipher/dsa.c.cavs 2011-07-21 14:56:35.000000000 +0200
-+++ libgcrypt-1.5.0/cipher/dsa.c 2011-07-21 14:58:06.000000000 +0200
-@@ -479,7 +479,6 @@ generate_fips186 (DSA_secret_key *sk, un
- initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1,
- &initial_seed.seedlen);
- }
--
- if (use_fips186_2)
- ec = _gcry_generate_fips186_2_prime (nbits, qbits,
- initial_seed.seed,
-@@ -487,13 +486,22 @@ generate_fips186 (DSA_secret_key *sk, un
- &prime_q, &prime_p,
- r_counter,
- r_seed, r_seedlen);
-- else
-+ else if (!domain->p || !domain->q)
- ec = _gcry_generate_fips186_3_prime (nbits, qbits,
- initial_seed.seed,
- initial_seed.seedlen,
- &prime_q, &prime_p,
- r_counter,
- r_seed, r_seedlen, NULL);
-+ else
-+ {
-+ /* Domain parameters p and q are given; use them. */
-+ prime_p = mpi_copy (domain->p);
-+ prime_q = mpi_copy (domain->q);
-+ gcry_assert (mpi_get_nbits (prime_p) == nbits);
-+ gcry_assert (mpi_get_nbits (prime_q) == qbits);
-+ ec = 0;
-+ }
- gcry_sexp_release (initial_seed.sexp);
- if (ec)
- goto leave;
-@@ -784,13 +792,12 @@ dsa_generate_ext (int algo, unsigned int
- gcry_sexp_release (l1);
- gcry_sexp_release (domainsexp);
-
-- /* Check that all domain parameters are available. */
-- if (!domain.p || !domain.q || !domain.g)
-+ /* Check that p and q domain parameters are available. */
-+ if (!domain.p || !domain.q || (!domain.g && !use_fips186))
- {
- gcry_mpi_release (domain.p);
- gcry_mpi_release (domain.q);
- gcry_mpi_release (domain.g);
-- gcry_sexp_release (deriveparms);
- return GPG_ERR_MISSING_VALUE;
- }
-
-diff -up libgcrypt-1.5.0/tests/cavs_driver.pl.cavs libgcrypt-1.5.0/tests/cavs_driver.pl
---- libgcrypt-1.5.0/tests/cavs_driver.pl.cavs 2011-02-04 20:18:20.000000000 +0100
-+++ libgcrypt-1.5.0/tests/cavs_driver.pl 2011-07-21 15:01:47.000000000 +0200
+diff -up libgcrypt-1.6.1/tests/cavs_driver.pl.cavs libgcrypt-1.6.1/tests/cavs_driver.pl
+--- libgcrypt-1.6.1/tests/cavs_driver.pl.cavs 2013-03-15 20:25:38.000000000 +0100
++++ libgcrypt-1.6.1/tests/cavs_driver.pl 2014-02-28 14:46:16.436544639 +0100
@@ -1,9 +1,11 @@
#!/usr/bin/env perl
#
@@ -725,9 +674,9 @@ diff -up libgcrypt-1.5.0/tests/cavs_driver.pl.cavs libgcrypt-1.5.0/tests/cavs_dr
$dsa_sign = \&libgcrypt_dsa_sign;
$dsa_verify = \&libgcrypt_dsa_verify;
$dsa_genpubkey = \&libgcrypt_dsa_genpubkey;
-diff -up libgcrypt-1.5.0/tests/cavs_tests.sh.cavs libgcrypt-1.5.0/tests/cavs_tests.sh
---- libgcrypt-1.5.0/tests/cavs_tests.sh.cavs 2011-02-04 20:18:20.000000000 +0100
-+++ libgcrypt-1.5.0/tests/cavs_tests.sh 2011-07-21 15:02:16.000000000 +0200
+diff -up libgcrypt-1.6.1/tests/cavs_tests.sh.cavs libgcrypt-1.6.1/tests/cavs_tests.sh
+--- libgcrypt-1.6.1/tests/cavs_tests.sh.cavs 2013-03-15 20:25:38.000000000 +0100
++++ libgcrypt-1.6.1/tests/cavs_tests.sh 2014-02-28 14:46:16.437544662 +0100
@@ -55,7 +55,7 @@ function run_one_test () {
[ -d "$respdir" ] || mkdir "$respdir"
[ -f "$rspfile" ] && rm "$rspfile"
@@ -737,9 +686,9 @@ diff -up libgcrypt-1.5.0/tests/cavs_tests.sh.cavs libgcrypt-1.5.0/tests/cavs_tes
dflag="-D"
fi
-diff -up libgcrypt-1.5.0/tests/fipsdrv.c.cavs libgcrypt-1.5.0/tests/fipsdrv.c
---- libgcrypt-1.5.0/tests/fipsdrv.c.cavs 2011-02-04 20:18:20.000000000 +0100
-+++ libgcrypt-1.5.0/tests/fipsdrv.c 2011-07-21 15:06:44.000000000 +0200
+diff -up libgcrypt-1.6.1/tests/fipsdrv.c.cavs libgcrypt-1.6.1/tests/fipsdrv.c
+--- libgcrypt-1.6.1/tests/fipsdrv.c.cavs 2013-12-16 18:44:32.000000000 +0100
++++ libgcrypt-1.6.1/tests/fipsdrv.c 2014-02-28 14:46:16.437544662 +0100
@@ -893,6 +893,9 @@ print_mpi_line (gcry_mpi_t a, int no_lz)
die ("gcry_mpi_aprint failed: %s\n", gpg_strerror (err));
diff --git a/libgcrypt-1.5.0-fips-cfgrandom.patch b/libgcrypt-1.6.1-fips-cfgrandom.patch
similarity index 50%
rename from libgcrypt-1.5.0-fips-cfgrandom.patch
rename to libgcrypt-1.6.1-fips-cfgrandom.patch
index 1384c25..8aae15f 100644
--- a/libgcrypt-1.5.0-fips-cfgrandom.patch
+++ b/libgcrypt-1.6.1-fips-cfgrandom.patch
@@ -1,6 +1,6 @@
-diff -up libgcrypt-1.5.0/random/random-fips.c.cfgrandom libgcrypt-1.5.0/random/random-fips.c
---- libgcrypt-1.5.0/random/random-fips.c.cfgrandom 2011-07-21 14:50:34.000000000 +0200
-+++ libgcrypt-1.5.0/random/random-fips.c 2011-07-21 14:50:34.000000000 +0200
+diff -up libgcrypt-1.6.1/random/random-fips.c.cfgrandom libgcrypt-1.6.1/random/random-fips.c
+--- libgcrypt-1.6.1/random/random-fips.c.cfgrandom 2014-02-28 16:06:20.026572478 +0100
++++ libgcrypt-1.6.1/random/random-fips.c 2014-02-28 16:06:34.851915121 +0100
@@ -27,10 +27,10 @@
There are 3 random context which map to the different levels of
random quality:
@@ -44,65 +44,76 @@ diff -up libgcrypt-1.5.0/random/random-fips.c.cfgrandom libgcrypt-1.5.0/random/r
#elif USE_RNDW32
do
{
-diff -up libgcrypt-1.5.0/random/rndlinux.c.cfgrandom libgcrypt-1.5.0/random/rndlinux.c
---- libgcrypt-1.5.0/random/rndlinux.c.cfgrandom 2011-02-04 20:16:03.000000000 +0100
-+++ libgcrypt-1.5.0/random/rndlinux.c 2011-07-21 14:50:34.000000000 +0200
+@@ -713,7 +719,7 @@ get_random (void *buffer, size_t length,
+ || rng_ctx->seed_init_pid != getpid ())
+ {
+ /* Just reinitialize the key & seed. */
+- gcry_cipher_close(rng_ctx->cipher_hd);
++ _gcry_cipher_close(rng_ctx->cipher_hd);
+ rng_ctx->cipher_hd = NULL;
+ rng_ctx->is_seeded = 0;
+ goto reinitialize;
+diff -up libgcrypt-1.6.1/random/rndlinux.c.cfgrandom libgcrypt-1.6.1/random/rndlinux.c
+--- libgcrypt-1.6.1/random/rndlinux.c.cfgrandom 2013-12-16 18:44:32.000000000 +0100
++++ libgcrypt-1.6.1/random/rndlinux.c 2014-02-28 16:06:20.027572501 +0100
@@ -36,7 +36,9 @@
#include "g10lib.h"
#include "rand-internal.h"
--static int open_device ( const char *name );
+-static int open_device (const char *name, int retry);
+#define NAME_OF_CFG_RNGSEED "/etc/gcrypt/rngseed"
+
-+static int open_device ( const char *name, int fatal );
++static int open_device (const char *name, int retry, int fatal);
static int
-@@ -57,13 +59,17 @@ set_cloexec_flag (int fd)
- * Used to open the /dev/random devices (Linux, xBSD, Solaris (if it exists)).
+@@ -59,7 +61,7 @@ set_cloexec_flag (int fd)
+ * a fatal error but retries until it is able to reopen the device.
*/
static int
--open_device ( const char *name )
-+open_device ( const char *name, int fatal )
+-open_device (const char *name, int retry)
++open_device (const char *name, int retry, int fatal)
{
int fd;
- fd = open ( name, O_RDONLY );
- if ( fd == -1 )
-- log_fatal ("can't open %s: %s\n", name, strerror(errno) );
-+ {
-+ if (! fatal)
-+ return fd;
-+ log_fatal ("can't open %s: %s\n", name, strerror(errno) );
-+ }
-
- if (set_cloexec_flag (fd))
- log_error ("error setting FD_CLOEXEC on fd %d: %s\n",
-@@ -92,6 +98,7 @@ _gcry_rndlinux_gather_random (void (*add
+@@ -67,6 +69,8 @@ open_device (const char *name, int retry
+ _gcry_random_progress ("open_dev_random", 'X', 1, 0);
+ again:
+ fd = open (name, O_RDONLY);
++ if (fd == -1 && !fatal)
++ return fd;
+ if (fd == -1 && retry)
+ {
+ struct timeval tv;
+@@ -111,6 +115,7 @@ _gcry_rndlinux_gather_random (void (*add
{
static int fd_urandom = -1;
static int fd_random = -1;
+ static int fd_configured = -1;
+ static unsigned char ever_opened;
int fd;
int n;
- byte buffer[768];
-@@ -100,6 +107,7 @@ _gcry_rndlinux_gather_random (void (*add
- size_t last_so_far = 0;
- int any_need_entropy = 0;
- int delay;
-+ size_t orig_length = length;
-
- /* First read from a hardware source. However let it account only
- for up to 50% of the requested bytes. */
-@@ -110,16 +118,26 @@ _gcry_rndlinux_gather_random (void (*add
- length -= n_hw;
+@@ -134,6 +139,11 @@ _gcry_rndlinux_gather_random (void (*add
+ close (fd_urandom);
+ fd_urandom = -1;
+ }
++ if (fd_configured != -1)
++ {
++ close (fd_configured);
++ fd_configured = -1;
++ }
+ return 0;
+ }
- /* Open the requested device. */
+@@ -153,20 +163,30 @@ _gcry_rndlinux_gather_random (void (*add
+ that we always require the device to be existent but want a more
+ graceful behaviour if the rarely needed close operation has been
+ used and the device needs to be re-opened later. */
+
+ if (level == -1)
+ {
+ if (fd_configured == -1)
-+ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0 );
++ fd_configured = open_device ( NAME_OF_CFG_RNGSEED, 0, 0 );
+ fd = fd_configured;
+ if (fd == -1)
+ return -1;
@@ -110,17 +121,21 @@ diff -up libgcrypt-1.5.0/random/rndlinux.c.cfgrandom libgcrypt-1.5.0/random/rndl
+
if (level >= 2)
{
- if( fd_random == -1 )
-- fd_random = open_device ( NAME_OF_DEV_RANDOM );
-+ fd_random = open_device ( NAME_OF_DEV_RANDOM, 1 );
+ if (fd_random == -1)
+ {
+- fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1));
++ fd_random = open_device (NAME_OF_DEV_RANDOM, (ever_opened & 1), 1);
+ ever_opened |= 1;
+ }
fd = fd_random;
}
- else
+ else if (level != -1)
{
- if( fd_urandom == -1 )
-- fd_urandom = open_device ( NAME_OF_DEV_URANDOM );
-+ fd_urandom = open_device ( NAME_OF_DEV_URANDOM, 1 );
+ if (fd_urandom == -1)
+ {
+- fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2));
++ fd_urandom = open_device (NAME_OF_DEV_URANDOM, (ever_opened & 2), 1);
+ ever_opened |= 2;
+ }
fd = fd_urandom;
- }
-
diff --git a/libgcrypt-1.6.1-leak.patch b/libgcrypt-1.6.1-leak.patch
new file mode 100644
index 0000000..df3cc08
--- /dev/null
+++ b/libgcrypt-1.6.1-leak.patch
@@ -0,0 +1,38 @@
+diff -up libgcrypt-1.6.1/cipher/primegen.c.leak libgcrypt-1.6.1/cipher/primegen.c
+--- libgcrypt-1.6.1/cipher/primegen.c.leak 2014-02-28 15:06:24.394464790 +0100
++++ libgcrypt-1.6.1/cipher/primegen.c 2014-02-28 15:09:22.938591664 +0100
+@@ -1204,10 +1204,7 @@ _gcry_prime_group_generator (gcry_mpi_t
+ gcry_mpi_t prime, gcry_mpi_t *factors,
+ gcry_mpi_t start_g)
+ {
+- gcry_mpi_t tmp = mpi_new (0);
+- gcry_mpi_t b = mpi_new (0);
+- gcry_mpi_t pmin1 = mpi_new (0);
+- gcry_mpi_t g = start_g? mpi_copy (start_g) : mpi_set_ui (NULL, 3);
++ gcry_mpi_t tmp, b, pmin1, g;
+ int first = 1;
+ int i, n;
+
+@@ -1220,6 +1217,11 @@ _gcry_prime_group_generator (gcry_mpi_t
+ if (n < 2)
+ return GPG_ERR_INV_ARG;
+
++ tmp = mpi_new (0);
++ b = mpi_new (0);
++ pmin1 = mpi_new (0);
++ g = start_g? mpi_copy (start_g) : mpi_set_ui (NULL, 3);
++
+ /* Extra sanity check - usually disabled. */
+ /* mpi_set (tmp, factors[0]); */
+ /* for(i = 1; i < n; i++) */
+diff -up libgcrypt-1.6.1/src/hmac256.c.leak libgcrypt-1.6.1/src/hmac256.c
+--- libgcrypt-1.6.1/src/hmac256.c.leak 2013-12-16 18:44:32.000000000 +0100
++++ libgcrypt-1.6.1/src/hmac256.c 2014-02-28 15:06:24.394464790 +0100
+@@ -427,7 +427,6 @@ _gcry_hmac256_finalize (hmac256_context_
+ tmphd = _gcry_hmac256_new (NULL, 0);
+ if (!tmphd)
+ {
+- free (hd);
+ return NULL;
+ }
+ _gcry_hmac256_update (tmphd, hd->opad, 64);
diff --git a/libgcrypt-1.6.1-mpicoder-gccopt.patch b/libgcrypt-1.6.1-mpicoder-gccopt.patch
new file mode 100644
index 0000000..12555d3
--- /dev/null
+++ b/libgcrypt-1.6.1-mpicoder-gccopt.patch
@@ -0,0 +1,104 @@
+diff -up libgcrypt-1.6.1/mpi/mpicoder.c.gccopt libgcrypt-1.6.1/mpi/mpicoder.c
+--- libgcrypt-1.6.1/mpi/mpicoder.c.gccopt 2014-02-28 15:37:53.983139821 +0100
++++ libgcrypt-1.6.1/mpi/mpicoder.c 2014-02-28 15:47:35.312576387 +0100
+@@ -627,16 +627,16 @@ _gcry_mpi_print (enum gcry_mpi_format fo
+ extra = 1;
+ }
+
+- if (buffer && n > len)
+- {
+- /* The provided buffer is too short. */
+- xfree (tmp);
+- return GPG_ERR_TOO_SHORT;
+- }
+ if (buffer)
+ {
+ unsigned char *s = buffer;
+
++ if (n > len)
++ {
++ /* The provided buffer is too short. */
++ xfree (tmp);
++ return GPG_ERR_TOO_SHORT;
++ }
+ if (extra == 1)
+ *s++ = 0;
+ else if (extra)
+@@ -654,13 +654,12 @@ _gcry_mpi_print (enum gcry_mpi_format fo
+ /* Note: We ignore the sign for this format. */
+ /* FIXME: for performance reasons we should put this into
+ mpi_aprint because we can then use the buffer directly. */
+-
+- if (buffer && n > len)
+- return GPG_ERR_TOO_SHORT;
+ if (buffer)
+ {
+ unsigned char *tmp;
+
++ if (n > len)
++ return GPG_ERR_TOO_SHORT;
+ tmp = _gcry_mpi_get_buffer (a, 0, &n, NULL);
+ if (!tmp)
+ return gpg_err_code_from_syserror ();
+@@ -678,14 +677,14 @@ _gcry_mpi_print (enum gcry_mpi_format fo
+ if (negative)
+ return GPG_ERR_INV_ARG;
+
+- if (buffer && n+2 > len)
+- return GPG_ERR_TOO_SHORT;
+-
+ if (buffer)
+ {
+ unsigned char *tmp;
+ unsigned char *s = buffer;
+
++ if (n+2 > len)
++ return GPG_ERR_TOO_SHORT;
++
+ s[0] = nbits >> 8;
+ s[1] = nbits;
+
+@@ -724,16 +723,16 @@ _gcry_mpi_print (enum gcry_mpi_format fo
+ extra=1;
+ }
+
+- if (buffer && n+4 > len)
+- {
+- xfree(tmp);
+- return GPG_ERR_TOO_SHORT;
+- }
+-
+ if (buffer)
+ {
+ unsigned char *s = buffer;
+
++ if (n+4 > len)
++ {
++ xfree(tmp);
++ return GPG_ERR_TOO_SHORT;
++ }
++
+ *s++ = n >> 24;
+ *s++ = n >> 16;
+ *s++ = n >> 8;
+@@ -761,15 +760,15 @@ _gcry_mpi_print (enum gcry_mpi_format fo
+ if (!n || (*tmp & 0x80))
+ extra = 2;
+
+- if (buffer && 2*n + extra + negative + 1 > len)
+- {
+- xfree(tmp);
+- return GPG_ERR_TOO_SHORT;
+- }
+ if (buffer)
+ {
+ unsigned char *s = buffer;
+
++ if (2*n + extra + negative + 1 > len)
++ {
++ xfree(tmp);
++ return GPG_ERR_TOO_SHORT;
++ }
+ if (negative)
+ *s++ = '-';
+ if (extra)
diff --git a/libgcrypt-1.6.1-tests.patch b/libgcrypt-1.6.1-tests.patch
new file mode 100644
index 0000000..0c00458
--- /dev/null
+++ b/libgcrypt-1.6.1-tests.patch
@@ -0,0 +1,198 @@
+diff -up libgcrypt-1.6.1/cipher/dsa.c.tests libgcrypt-1.6.1/cipher/dsa.c
+--- libgcrypt-1.6.1/cipher/dsa.c.tests 2014-02-28 13:39:01.727288335 +0100
++++ libgcrypt-1.6.1/cipher/dsa.c 2014-02-28 13:46:21.727458285 +0100
+@@ -423,22 +423,29 @@ generate_fips186 (DSA_secret_key *sk, un
+ initial_seed.seed = sexp_nth_data (initial_seed.sexp, 1,
+ &initial_seed.seedlen);
+ }
+-
+- /* Fixme: Enable 186-3 after it has been approved and after fixing
+- the generation function. */
+- /* if (use_fips186_2) */
+- (void)use_fips186_2;
+- ec = _gcry_generate_fips186_2_prime (nbits, qbits,
++ if (use_fips186_2)
++ ec = _gcry_generate_fips186_2_prime (nbits, qbits,
+ initial_seed.seed,
+ initial_seed.seedlen,
+ &prime_q, &prime_p,
+ r_counter,
+ r_seed, r_seedlen);
+- /* else */
+- /* ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, */
+- /* &prime_q, &prime_p, */
+- /* r_counter, */
+- /* r_seed, r_seedlen, NULL); */
++ else if (!domain->p || !domain->q)
++ ec = _gcry_generate_fips186_3_prime (nbits, qbits,
++ initial_seed.seed,
++ initial_seed.seedlen,
++ &prime_q, &prime_p,
++ r_counter,
++ r_seed, r_seedlen, NULL);
++ else
++ {
++ /* Domain parameters p and q are given; use them. */
++ prime_p = mpi_copy (domain->p);
++ prime_q = mpi_copy (domain->q);
++ gcry_assert (mpi_get_nbits (prime_p) == nbits);
++ gcry_assert (mpi_get_nbits (prime_q) == qbits);
++ ec = 0;
++ }
+ sexp_release (initial_seed.sexp);
+ if (ec)
+ goto leave;
+@@ -829,13 +829,12 @@ dsa_generate (const gcry_sexp_t genparms
+ sexp_release (l1);
+ sexp_release (domainsexp);
+
+- /* Check that all domain parameters are available. */
+- if (!domain.p || !domain.q || !domain.g)
++ /* Check that p and q domain parameters are available. */
++ if (!domain.p || !domain.q || (!domain.g && !(flags & PUBKEY_FLAG_USE_FIPS186)))
+ {
+ _gcry_mpi_release (domain.p);
+ _gcry_mpi_release (domain.q);
+ _gcry_mpi_release (domain.g);
+- sexp_release (deriveparms);
+ return GPG_ERR_MISSING_VALUE;
+ }
+
+diff -up libgcrypt-1.6.1/cipher/primegen.c.tests libgcrypt-1.6.1/cipher/primegen.c
+--- libgcrypt-1.6.1/cipher/primegen.c.tests 2014-01-29 10:48:38.000000000 +0100
++++ libgcrypt-1.6.1/cipher/primegen.c 2014-02-28 13:49:52.291325147 +0100
+@@ -1649,7 +1649,7 @@ _gcry_generate_fips186_3_prime (unsigned
+ gpg_err_code_t ec;
+ unsigned char seed_help_buffer[256/8]; /* Used to hold a generated SEED. */
+ unsigned char *seed_plus; /* Malloced buffer to hold SEED+x. */
+- unsigned char digest[256/8]; /* Helper buffer for SHA-1 digest. */
++ unsigned char digest[256/8]; /* Helper buffer for SHA-x digest. */
+ gcry_mpi_t val_2 = NULL; /* Helper for the prime test. */
+ gcry_mpi_t tmpval = NULL; /* Helper variable. */
+ int hashalgo; /* The id of the Approved Hash Function. */
+@@ -1739,7 +1739,7 @@ _gcry_generate_fips186_3_prime (unsigned
+ }
+ _gcry_mpi_release (prime_q); prime_q = NULL;
+ ec = _gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG,
+- value_u, sizeof value_u, NULL);
++ value_u, qbits/8, NULL);
+ if (ec)
+ goto leave;
+ mpi_set_highbit (prime_q, qbits-1 );
+@@ -1784,11 +1784,11 @@ _gcry_generate_fips186_3_prime (unsigned
+ if (seed_plus[i])
+ break;
+ }
+- _gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen);
++ _gcry_md_hash_buffer (hashalgo, digest, seed_plus, seedlen);
+
+ _gcry_mpi_release (tmpval); tmpval = NULL;
+ ec = _gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG,
+- digest, sizeof digest, NULL);
++ digest, qbits/8, NULL);
+ if (ec)
+ goto leave;
+ if (value_j == value_n)
+@@ -1824,11 +1824,11 @@ _gcry_generate_fips186_3_prime (unsigned
+ }
+
+ /* Step 12: Save p, q, counter and seed. */
+- log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n",
++ /* log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n",
+ mpi_get_nbits (prime_p), mpi_get_nbits (prime_q), counter);
+ log_printhex ("fips186-3 seed", seed, seedlen);
+ log_printmpi ("fips186-3 p", prime_p);
+- log_printmpi ("fips186-3 q", prime_q);
++ log_printmpi ("fips186-3 q", prime_q); */
+ if (r_q)
+ {
+ *r_q = prime_q;
+diff -up libgcrypt-1.6.1/cipher/rsa.c.tests libgcrypt-1.6.1/cipher/rsa.c
+--- libgcrypt-1.6.1/cipher/rsa.c.tests 2014-01-29 08:49:49.000000000 +0100
++++ libgcrypt-1.6.1/cipher/rsa.c 2014-02-28 13:39:01.727288335 +0100
+@@ -399,7 +399,7 @@ generate_x931 (RSA_secret_key *sk, unsig
+
+ *swapped = 0;
+
+- if (e_value == 1) /* Alias for a secure value. */
++ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */
+ e_value = 65537;
+
+ /* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */
+diff -up libgcrypt-1.6.1/random/random-fips.c.tests libgcrypt-1.6.1/random/random-fips.c
+--- libgcrypt-1.6.1/random/random-fips.c.tests 2014-01-29 10:48:38.000000000 +0100
++++ libgcrypt-1.6.1/random/random-fips.c 2014-02-28 13:39:01.727288335 +0100
+@@ -692,6 +692,7 @@ get_random (void *buffer, size_t length,
+
+ check_guards (rng_ctx);
+
++ reinitialize:
+ /* Initialize the cipher handle and thus setup the key if needed. */
+ if (!rng_ctx->cipher_hd)
+ {
+@@ -711,13 +712,11 @@ get_random (void *buffer, size_t length,
+ if (rng_ctx->key_init_pid != getpid ()
+ || rng_ctx->seed_init_pid != getpid ())
+ {
+- /* We are in a child of us. Because we have no way yet to do
+- proper re-initialization (including self-checks etc), the
+- only chance we have is to bail out. Obviusly a fork/exec
+- won't harm because the exec overwrites the old image. */
+- fips_signal_error ("fork without proper re-initialization "
+- "detected in RNG");
+- goto bailout;
++ /* Just reinitialize the key & seed. */
++ gcry_cipher_close(rng_ctx->cipher_hd);
++ rng_ctx->cipher_hd = NULL;
++ rng_ctx->is_seeded = 0;
++ goto reinitialize;
+ }
+
+ if (x931_aes_driver (buffer, length, rng_ctx))
+diff -up libgcrypt-1.6.1/tests/keygen.c.tests libgcrypt-1.6.1/tests/keygen.c
+--- libgcrypt-1.6.1/tests/keygen.c.tests 2014-02-28 13:39:01.728288358 +0100
++++ libgcrypt-1.6.1/tests/keygen.c 2014-02-28 13:42:18.288831563 +0100
+@@ -215,11 +215,11 @@ check_rsa_keys (void)
+
+
+ if (verbose)
+- show ("creating 512 bit RSA key with e=257\n");
++ show ("creating 1024 bit RSA key with e=257\n");
+ rc = gcry_sexp_new (&keyparm,
+ "(genkey\n"
+ " (rsa\n"
+- " (nbits 3:512)\n"
++ " (nbits 4:1024)\n"
+ " (rsa-use-e 3:257)\n"
+ " ))", 0, 1);
+ if (rc)
+@@ -233,11 +233,11 @@ check_rsa_keys (void)
+ gcry_sexp_release (key);
+
+ if (verbose)
+- show ("creating 512 bit RSA key with default e\n");
++ show ("creating 1024 bit RSA key with default e\n");
+ rc = gcry_sexp_new (&keyparm,
+ "(genkey\n"
+ " (rsa\n"
+- " (nbits 3:512)\n"
++ " (nbits 4:1024)\n"
+ " (rsa-use-e 1:0)\n"
+ " ))", 0, 1);
+ if (rc)
+@@ -307,12 +307,12 @@ check_dsa_keys (void)
+ }
+
+ if (verbose)
+- show ("creating 1536 bit DSA key\n");
++ show ("creating 2048 bit DSA key\n");
+ rc = gcry_sexp_new (&keyparm,
+ "(genkey\n"
+ " (dsa\n"
+- " (nbits 4:1536)\n"
+- " (qbits 3:224)\n"
++ " (nbits 4:2048)\n"
++ " (qbits 3:256)\n"
+ " ))", 0, 1);
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
diff --git a/libgcrypt-1.5.1-use-poll.patch b/libgcrypt-1.6.1-use-poll.patch
similarity index 54%
rename from libgcrypt-1.5.1-use-poll.patch
rename to libgcrypt-1.6.1-use-poll.patch
index f6ed0b7..2fcaebf 100644
--- a/libgcrypt-1.5.1-use-poll.patch
+++ b/libgcrypt-1.6.1-use-poll.patch
@@ -1,6 +1,6 @@
-diff -up libgcrypt-1.5.1/random/rndlinux.c.use-poll libgcrypt-1.5.1/random/rndlinux.c
---- libgcrypt-1.5.1/random/rndlinux.c.use-poll 2013-03-20 15:33:26.504867356 +0100
-+++ libgcrypt-1.5.1/random/rndlinux.c 2013-03-20 15:37:24.999944048 +0100
+diff -up libgcrypt-1.6.1/random/rndlinux.c.use-poll libgcrypt-1.6.1/random/rndlinux.c
+--- libgcrypt-1.6.1/random/rndlinux.c.use-poll 2014-02-28 15:17:55.294433915 +0100
++++ libgcrypt-1.6.1/random/rndlinux.c 2014-02-28 15:34:52.505945274 +0100
@@ -32,6 +32,7 @@
#include <string.h>
#include <unistd.h>
@@ -9,14 +9,7 @@ diff -up libgcrypt-1.5.1/random/rndlinux.c.use-poll libgcrypt-1.5.1/random/rndli
#include "types.h"
#include "g10lib.h"
#include "rand-internal.h"
-@@ -142,49 +143,37 @@ _gcry_rndlinux_gather_random (void (*add
- }
-
- /* Enter the read loop. */
-- delay = 0; /* Start with 0 seconds so that we do no block on the
-+ delay = 100; /* Start with 0 seconds so that we do no block on the
- first iteration and in turn call the progress function
- before blocking. To give the OS a better chance to
+@@ -199,9 +200,11 @@ _gcry_rndlinux_gather_random (void (*add
return with something we will actually use 100ms. */
while (length)
{
@@ -24,6 +17,15 @@ diff -up libgcrypt-1.5.1/random/rndlinux.c.use-poll libgcrypt-1.5.1/random/rndli
- struct timeval tv;
int rc;
+ struct pollfd pfd;
++
++ pfd.fd = fd;
++ pfd.events = POLLIN;
+
+ /* If we collected some bytes update the progress indicator. We
+ do this always and not just if the select timed out because
+@@ -215,33 +218,18 @@ _gcry_rndlinux_gather_random (void (*add
+ any_need_entropy = 1;
+ }
- /* If the system has no limit on the number of file descriptors
- and we encounter an fd which is larger than the fd_set size,
@@ -33,49 +35,36 @@ diff -up libgcrypt-1.5.1/random/rndlinux.c.use-poll libgcrypt-1.5.1/random/rndli
-#ifdef FD_SETSIZE
- if (fd < FD_SETSIZE)
-#endif
-+ pfd.fd = fd;
-+ pfd.events = POLLIN;
-+
-+ if ( !(rc=poll(&pfd, 1, delay)) )
- {
+- {
- FD_ZERO(&rfds);
- FD_SET(fd, &rfds);
- tv.tv_sec = delay;
- tv.tv_usec = delay? 0 : 100000;
- if ( !(rc=select(fd+1, &rfds, NULL, NULL, &tv)) )
- {
-- if (!any_need_entropy || last_so_far != (want - length) )
-- {
-- last_so_far = want - length;
-- _gcry_random_progress ("need_entropy", 'X',
-- (int)last_so_far, (int)want);
-- any_need_entropy = 1;
-- }
+- any_need_entropy = 1;
- delay = 3; /* Use 3 seconds henceforth. */
- continue;
- }
- else if( rc == -1 )
-+ if (!any_need_entropy || last_so_far != (want - length) )
- {
+- {
- log_error ("select() error: %s\n", strerror(errno));
- if (!delay)
- delay = 1; /* Use 1 second if we encounter an error before
-+ last_so_far = want - length;
-+ _gcry_random_progress ("need_entropy", 'X',
-+ (int)last_so_far, (int)want);
-+ any_need_entropy = 1;
-+ }
+- we have ever blocked. */
+- continue;
+- }
++ if ( !(rc=poll(&pfd, 1, delay)) )
++ {
+ delay = 3000; /* Use 3 seconds henceforth. */
-+ continue;
-+ }
-+ else if( rc == -1 )
++ continue;
++ }
++ else if( rc == -1 )
+ {
+ log_error ("poll() error: %s\n", strerror(errno));
+ if (!delay)
+ delay = 1000; /* Use 1 second if we encounter an error before
- we have ever blocked. */
-- continue;
-- }
++ we have ever blocked. */
+ continue;
}
diff --git a/libgcrypt.spec b/libgcrypt.spec
index cd41803..f2f1916 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -1,6 +1,6 @@
Name: libgcrypt
-Version: 1.5.3
-Release: 3%{?dist}
+Version: 1.6.1
+Release: 1%{?dist}
URL: http://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.xz
# The original libgcrypt sources now contain potentially patented ECC
@@ -11,34 +11,29 @@ Source0: libgcrypt-%{version}-hobbled.tar.xz
#Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
Source2: wk at g10code.com
Source3: hobble-libgcrypt
-# Approved ECC support (from 1.5.3)
-Source4: ecc.c
+# Approved ECC support (from 1.6.1)
+Source4: ecc-curves.c
Source5: curves.c
+Source6: t-mpi-point.c
# make FIPS hmac compatible with fipscheck - non upstreamable
Patch2: libgcrypt-1.5.0-use-fipscheck.patch
# fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen
-Patch5: libgcrypt-1.5.0-tests.patch
+Patch5: libgcrypt-1.6.1-tests.patch
# add configurable source of RNG seed and seed by default
# from /dev/urandom in the FIPS mode
-Patch6: libgcrypt-1.5.0-fips-cfgrandom.patch
+Patch6: libgcrypt-1.6.1-fips-cfgrandom.patch
# make the FIPS-186-3 DSA CAVS testable
-Patch7: libgcrypt-1.5.0-fips-cavs.patch
+Patch7: libgcrypt-1.6.1-fips-cavs.patch
# fix for memory leaks an other errors found by Coverity scan
-Patch9: libgcrypt-1.5.0-leak.patch
+Patch9: libgcrypt-1.6.1-leak.patch
# use poll instead of select when gathering randomness
-Patch11: libgcrypt-1.5.1-use-poll.patch
+Patch11: libgcrypt-1.6.1-use-poll.patch
# compile rijndael with -fno-strict-aliasing
Patch12: libgcrypt-1.5.2-aliasing.patch
# slight optimalization of mpicoder.c to silence Valgrind (#968288)
-Patch13: libgcrypt-1.5.2-mpicoder-gccopt.patch
+Patch13: libgcrypt-1.6.1-mpicoder-gccopt.patch
# fix tests to work with approved ECC
-Patch14: libgcrypt-1.5.3-ecc-test-fix.patch
-# pbkdf2 speedup - upstream
-Patch15: libgcrypt-1.5.3-pbkdf-speedup.patch
-# fix bug in whirlpool implementation (for backwards compatibility
-# with files generated with buggy version set environment
-# varible GCRYPT_WHIRLPOOL_BUG
-Patch16: libgcrypt-1.5.3-whirlpool-bug.patch
+Patch14: libgcrypt-1.6.1-ecc-test-fix.patch
%define gcrylibdir %{_libdir}
@@ -80,14 +75,11 @@ applications using libgcrypt.
%patch7 -p1 -b .cavs
%patch9 -p1 -b .leak
%patch11 -p1 -b .use-poll
-%patch12 -p1 -b .aliasing
+#%patch12 -p1 -b .aliasing
%patch13 -p1 -b .gccopt
%patch14 -p1 -b .eccfix
-%patch15 -p1 -b .pbkdf-speedup
-%patch16 -p1 -b .whirlpool-bug
cp %{SOURCE4} cipher/
-rm -rf tests/curves.c
-cp %{SOURCE5} tests/curves.c
+cp %{SOURCE5} %{SOURCE6} tests/
%build
%configure --disable-static \
@@ -98,6 +90,7 @@ cp %{SOURCE5} tests/curves.c
--enable-hmac-binary-check \
--enable-pubkey-ciphers='dsa elgamal rsa ecc' \
--disable-O-flag-munging
+sed -i -e '/^sys_lib_dlsearch_path_spec/s,/lib /usr/lib,/usr/lib /lib64 /usr/lib64 /lib,g' libtool
make %{?_smp_mflags}
%check
@@ -147,8 +140,11 @@ popd
# Add soname symlink.
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}/
+
%endif
+# temporary compat library for buildroots
+install %{gcrylibdir}/libgcrypt.so.11.*.* $RPM_BUILD_ROOT/%{_libdir}
# Create /etc/gcrypt (hardwired, not dependent on the configure invocation) so
# that _someone_ owns it.
@@ -181,14 +177,20 @@ exit 0
%{_bindir}/%{name}-config
%{_bindir}/dumpsexp
%{_bindir}/hmac256
+%{_bindir}/mpicalc
%{_includedir}/*
%{_libdir}/*.so
%{_datadir}/aclocal/*
+%{_mandir}/man1/*
%{_infodir}/gcrypt.info*
%doc COPYING
%changelog
+* Fri Feb 28 2014 Tomáš Mráz <tmraz at redhat.com> 1.6.1-1
+- new upstream version breaking ABI compatibility
+- this release temporarily includes old compatibility .so
+
* Tue Jan 21 2014 Tomáš Mráz <tmraz at redhat.com> 1.5.3-3
- add back the nistp521r1 EC curve
- fix a bug in the Whirlpool hash implementation
diff --git a/t-mpi-point.c b/t-mpi-point.c
new file mode 100644
index 0000000..2c977c5
--- /dev/null
+++ b/t-mpi-point.c
@@ -0,0 +1,970 @@
+/* t-mpi-point.c - Tests for mpi point functions
+ * Copyright (C) 2013 g10 Code GmbH
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <stdarg.h>
+
+#include "../src/gcrypt-int.h"
+
+#define PGM "t-mpi-point"
+
+static const char *wherestr;
+static int verbose;
+static int debug;
+static int error_count;
+
+
+#define my_isascii(c) (!((c) & 0x80))
+#define digitp(p) (*(p) >= '0' && *(p) <= '9')
+#define hexdigitp(a) (digitp (a) \
+ || (*(a) >= 'A' && *(a) <= 'F') \
+ || (*(a) >= 'a' && *(a) <= 'f'))
+#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \
+ *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10))
+#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1))
+#define xmalloc(a) gcry_xmalloc ((a))
+#define xcalloc(a,b) gcry_xcalloc ((a),(b))
+#define xfree(a) gcry_free ((a))
+#define pass() do { ; } while (0)
+
+
+static struct
+{
+ const char *desc; /* Description of the curve. */
+ const char *p; /* Order of the prime field. */
+ const char *a, *b; /* The coefficients. */
+ const char *n; /* The order of the base point. */
+ const char *g_x, *g_y; /* Base point. */
+} test_curve[] =
+ {
+ {
+ "NIST P-256",
+ "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
+ "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
+ "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
+ "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+
+ "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
+ "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
+ },
+ {
+ "NIST P-384",
+ "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000ffffffff",
+ "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000fffffffc",
+ "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a"
+ "c656398d8a2ed19d2a85c8edd3ec2aef",
+ "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf"
+ "581a0db248b0a77aecec196accc52973",
+
+ "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38"
+ "5502f25dbf55296c3a545e3872760ab7",
+ "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0"
+ "0a60b1ce1d7e819d7a431d7c90ea0e5f"
+ },
+ {
+ "NIST P-521",
+ "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
+ "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10"
+ "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
+ "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
+
+ "0xc6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3d"
+ "baa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
+ "0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e6"
+ "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650"
+ },
+ {
+ "Ed25519",
+ "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+ "-0x01",
+ "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
+ "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED",
+ "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
+ "0x6666666666666666666666666666666666666666666666666666666666666658"
+ },
+ { NULL, NULL, NULL, NULL, NULL }
+ };
+
+/* A sample public key for NIST P-256. */
+static const char sample_p256_q[] =
+ "04"
+ "42B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146E"
+ "E86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E";
+static const char sample_p256_q_x[] =
+ "42B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146E";
+static const char sample_p256_q_y[] =
+ "00E86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E";
+
+
+/* A sample public key for Ed25519. */
+static const char sample_ed25519_q[] =
+ "04"
+ "55d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce"
+ "1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7";
+static const char sample_ed25519_q_x[] =
+ "55d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce";
+static const char sample_ed25519_q_y[] =
+ "1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7";
+static const char sample_ed25519_q_eddsa[] =
+ "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a";
+static const char sample_ed25519_d[] =
+ "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60";
+
+
+static void
+show (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ if (!verbose)
+ return;
+ fprintf (stderr, "%s: ", PGM);
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+}
+
+static void
+fail (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ fflush (stdout);
+ fprintf (stderr, "%s: ", PGM);
+ if (wherestr)
+ fprintf (stderr, "%s: ", wherestr);
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ error_count++;
+}
+
+static void
+die (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ fflush (stdout);
+ fprintf (stderr, "%s: ", PGM);
+ if (wherestr)
+ fprintf (stderr, "%s: ", wherestr);
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ exit (1);
+}
+
+
+static void
+print_mpi_2 (const char *text, const char *text2, gcry_mpi_t a)
+{
+ gcry_error_t err;
+ char *buf;
+ void *bufaddr = &buf;
+
+ err = gcry_mpi_aprint (GCRYMPI_FMT_HEX, bufaddr, NULL, a);
+ if (err)
+ fprintf (stderr, "%s%s: [error printing number: %s]\n",
+ text, text2? text2:"", gpg_strerror (err));
+ else
+ {
+ fprintf (stderr, "%s%s: %s\n", text, text2? text2:"", buf);
+ gcry_free (buf);
+ }
+}
+
+
+static void
+print_mpi (const char *text, gcry_mpi_t a)
+{
+ print_mpi_2 (text, NULL, a);
+}
+
+
+static void
+print_point (const char *text, gcry_mpi_point_t a)
+{
+ gcry_mpi_t x, y, z;
+
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+ gcry_mpi_point_get (x, y, z, a);
+ print_mpi_2 (text, ".x", x);
+ print_mpi_2 (text, ".y", y);
+ print_mpi_2 (text, ".z", z);
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+}
+
+
+static void
+print_sexp (const char *prefix, gcry_sexp_t a)
+{
+ char *buf;
+ size_t size;
+
+ if (prefix)
+ fputs (prefix, stderr);
+ size = gcry_sexp_sprint (a, GCRYSEXP_FMT_ADVANCED, NULL, 0);
+ buf = gcry_xmalloc (size);
+
+ gcry_sexp_sprint (a, GCRYSEXP_FMT_ADVANCED, buf, size);
+ fprintf (stderr, "%.*s", (int)size, buf);
+ gcry_free (buf);
+}
+
+
+static gcry_mpi_t
+hex2mpi (const char *string)
+{
+ gpg_error_t err;
+ gcry_mpi_t val;
+
+ err = gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL);
+ if (err)
+ die ("hex2mpi '%s' failed: %s\n", string, gpg_strerror (err));
+ return val;
+}
+
+
+/* Convert STRING consisting of hex characters into its binary
+ representation and return it as an allocated buffer. The valid
+ length of the buffer is returned at R_LENGTH. The string is
+ delimited by end of string. The function returns NULL on
+ error. */
+static void *
+hex2buffer (const char *string, size_t *r_length)
+{
+ const char *s;
+ unsigned char *buffer;
+ size_t length;
+
+ buffer = xmalloc (strlen(string)/2+1);
+ length = 0;
+ for (s=string; *s; s +=2 )
+ {
+ if (!hexdigitp (s) || !hexdigitp (s+1))
+ return NULL; /* Invalid hex digits. */
+ ((unsigned char*)buffer)[length++] = xtoi_2 (s);
+ }
+ *r_length = length;
+ return buffer;
+}
+
+
+static gcry_mpi_t
+hex2mpiopa (const char *string)
+{
+ char *buffer;
+ size_t buflen;
+ gcry_mpi_t val;
+
+ buffer = hex2buffer (string, &buflen);
+ if (!buffer)
+ die ("hex2mpiopa '%s' failed: parser error\n", string);
+ val = gcry_mpi_set_opaque (NULL, buffer, buflen*8);
+ if (!buffer)
+ die ("hex2mpiopa '%s' failed: set_opaque error%s\n", string);
+ return val;
+}
+
+
+/* Compare A to B, where B is given as a hex string. */
+static int
+cmp_mpihex (gcry_mpi_t a, const char *b)
+{
+ gcry_mpi_t bval;
+ int res;
+
+ if (gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE))
+ bval = hex2mpiopa (b);
+ else
+ bval = hex2mpi (b);
+ res = gcry_mpi_cmp (a, bval);
+ gcry_mpi_release (bval);
+ return res;
+}
+
+
+/* Wrapper to emulate the libgcrypt internal EC context allocation
+ function. */
+static gpg_error_t
+ec_p_new (gcry_ctx_t *r_ctx, gcry_mpi_t p, gcry_mpi_t a)
+{
+ gpg_error_t err;
+ gcry_sexp_t sexp;
+
+ if (p && a)
+ err = gcry_sexp_build (&sexp, NULL, "(ecdsa (p %m)(a %m))", p, a);
+ else if (p)
+ err = gcry_sexp_build (&sexp, NULL, "(ecdsa (p %m))", p);
+ else if (a)
+ err = gcry_sexp_build (&sexp, NULL, "(ecdsa (a %m))", a);
+ else
+ err = gcry_sexp_build (&sexp, NULL, "(ecdsa)");
+ if (err)
+ return err;
+ err = gcry_mpi_ec_new (r_ctx, sexp, NULL);
+ gcry_sexp_release (sexp);
+ return err;
+}
+
+
+
+static void
+set_get_point (void)
+{
+ gcry_mpi_point_t point;
+ gcry_mpi_t x, y, z;
+
+ wherestr = "set_get_point";
+ show ("checking point setting functions\n");
+
+ point = gcry_mpi_point_new (0);
+ x = gcry_mpi_set_ui (NULL, 17);
+ y = gcry_mpi_set_ui (NULL, 42);
+ z = gcry_mpi_set_ui (NULL, 11371);
+ gcry_mpi_point_get (x, y, z, point);
+ if (gcry_mpi_cmp_ui (x, 0)
+ || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0))
+ fail ("new point not initialized to (0,0,0)\n");
+ gcry_mpi_point_snatch_get (x, y, z, point);
+ point = NULL;
+ if (gcry_mpi_cmp_ui (x, 0)
+ || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0))
+ fail ("snatch_get failed\n");
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+
+ point = gcry_mpi_point_new (0);
+ x = gcry_mpi_set_ui (NULL, 17);
+ y = gcry_mpi_set_ui (NULL, 42);
+ z = gcry_mpi_set_ui (NULL, 11371);
+ gcry_mpi_point_set (point, x, y, z);
+ gcry_mpi_set_ui (x, 23);
+ gcry_mpi_set_ui (y, 24);
+ gcry_mpi_set_ui (z, 25);
+ gcry_mpi_point_get (x, y, z, point);
+ if (gcry_mpi_cmp_ui (x, 17)
+ || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371))
+ fail ("point_set/point_get failed\n");
+ gcry_mpi_point_snatch_set (point, x, y, z);
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+ gcry_mpi_point_get (x, y, z, point);
+ if (gcry_mpi_cmp_ui (x, 17)
+ || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371))
+ fail ("point_snatch_set/point_get failed\n");
+
+ gcry_mpi_point_release (point);
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+}
+
+
+static void
+context_alloc (void)
+{
+ gpg_error_t err;
+ gcry_ctx_t ctx;
+ gcry_mpi_t p, a;
+
+ wherestr = "context_alloc";
+ show ("checking context functions\n");
+
+ p = gcry_mpi_set_ui (NULL, 1);
+ a = gcry_mpi_set_ui (NULL, 1);
+ err = ec_p_new (&ctx, p, a);
+ if (err)
+ die ("ec_p_new returned an error: %s\n", gpg_strerror (err));
+ gcry_mpi_release (p);
+ gcry_mpi_release (a);
+ gcry_ctx_release (ctx);
+
+ p = gcry_mpi_set_ui (NULL, 0);
+ a = gcry_mpi_set_ui (NULL, 0);
+ err = ec_p_new (&ctx, p, a);
+ if (!err || gpg_err_code (err) != GPG_ERR_EINVAL)
+ fail ("ec_p_new: bad parameter detection failed (1)\n");
+
+ gcry_mpi_set_ui (p, 1);
+ err = ec_p_new (&ctx, p, a);
+ if (!err || gpg_err_code (err) != GPG_ERR_EINVAL)
+ fail ("ec_p_new: bad parameter detection failed (2)\n");
+
+ gcry_mpi_release (p);
+ p = NULL;
+ err = ec_p_new (&ctx, p, a);
+ if (!err || gpg_err_code (err) != GPG_ERR_EINVAL)
+ fail ("ec_p_new: bad parameter detection failed (3)\n");
+
+ gcry_mpi_release (a);
+ a = NULL;
+ err = ec_p_new (&ctx, p, a);
+ if (!err || gpg_err_code (err) != GPG_ERR_EINVAL)
+ fail ("ec_p_new: bad parameter detection failed (4)\n");
+
+}
+
+
+static int
+get_and_cmp_mpi (const char *name, const char *mpistring, const char *desc,
+ gcry_ctx_t ctx)
+{
+ gcry_mpi_t mpi;
+
+ mpi = gcry_mpi_ec_get_mpi (name, ctx, 1);
+ if (!mpi)
+ {
+ fail ("error getting parameter '%s' of curve '%s'\n", name, desc);
+ return 1;
+ }
+ if (debug)
+ print_mpi (name, mpi);
+ if (cmp_mpihex (mpi, mpistring))
+ {
+ fail ("parameter '%s' of curve '%s' does not match\n", name, desc);
+ gcry_mpi_release (mpi);
+ return 1;
+ }
+ gcry_mpi_release (mpi);
+ return 0;
+}
+
+
+static int
+get_and_cmp_point (const char *name,
+ const char *mpi_x_string, const char *mpi_y_string,
+ const char *desc, gcry_ctx_t ctx)
+{
+ gcry_mpi_point_t point;
+ gcry_mpi_t x, y, z;
+ int result = 0;
+
+ point = gcry_mpi_ec_get_point (name, ctx, 1);
+ if (!point)
+ {
+ fail ("error getting point parameter '%s' of curve '%s'\n", name, desc);
+ return 1;
+ }
+ if (debug)
+ print_point (name, point);
+
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+ gcry_mpi_point_snatch_get (x, y, z, point);
+ if (cmp_mpihex (x, mpi_x_string))
+ {
+ fail ("x coordinate of '%s' of curve '%s' does not match\n", name, desc);
+ result = 1;
+ }
+ if (cmp_mpihex (y, mpi_y_string))
+ {
+ fail ("y coordinate of '%s' of curve '%s' does not match\n", name, desc);
+ result = 1;
+ }
+ if (cmp_mpihex (z, "01"))
+ {
+ fail ("z coordinate of '%s' of curve '%s' is not 1\n", name, desc);
+ result = 1;
+ }
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+ return result;
+}
+
+
+static void
+context_param (void)
+{
+ gpg_error_t err;
+ int idx;
+ gcry_ctx_t ctx = NULL;
+ gcry_mpi_t q, d;
+ gcry_sexp_t keyparam;
+
+ wherestr = "context_param";
+
+ show ("checking standard curves\n");
+ for (idx=0; test_curve[idx].desc; idx++)
+ {
+ gcry_ctx_release (ctx);
+ err = gcry_mpi_ec_new (&ctx, NULL, test_curve[idx].desc);
+ if (err)
+ {
+ fail ("can't create context for curve '%s': %s\n",
+ test_curve[idx].desc, gpg_strerror (err));
+ continue;
+ }
+ if (get_and_cmp_mpi ("p", test_curve[idx].p, test_curve[idx].desc, ctx))
+ continue;
+ if (get_and_cmp_mpi ("a", test_curve[idx].a, test_curve[idx].desc, ctx))
+ continue;
+ if (get_and_cmp_mpi ("b", test_curve[idx].b, test_curve[idx].desc, ctx))
+ continue;
+ if (get_and_cmp_mpi ("g.x",test_curve[idx].g_x, test_curve[idx].desc,ctx))
+ continue;
+ if (get_and_cmp_mpi ("g.y",test_curve[idx].g_y, test_curve[idx].desc,ctx))
+ continue;
+ if (get_and_cmp_mpi ("n", test_curve[idx].n, test_curve[idx].desc, ctx))
+ continue;
+ if (get_and_cmp_point ("g", test_curve[idx].g_x, test_curve[idx].g_y,
+ test_curve[idx].desc, ctx))
+ continue;
+
+ }
+
+ show ("checking sample public key (nistp256)\n");
+ q = hex2mpi (sample_p256_q);
+ err = gcry_sexp_build (&keyparam, NULL,
+ "(public-key(ecc(curve %s)(q %m)))",
+ "NIST P-256", q);
+ if (err)
+ die ("gcry_sexp_build failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (q);
+
+ /* We can't call gcry_pk_testkey because it is only implemented for
+ private keys. */
+ /* err = gcry_pk_testkey (keyparam); */
+ /* if (err) */
+ /* fail ("gcry_pk_testkey failed for sample public key: %s\n", */
+ /* gpg_strerror (err)); */
+
+ gcry_ctx_release (ctx);
+ err = gcry_mpi_ec_new (&ctx, keyparam, NULL);
+ if (err)
+ fail ("gcry_mpi_ec_new failed for sample public key (nistp256): %s\n",
+ gpg_strerror (err));
+ else
+ {
+ gcry_sexp_t sexp;
+
+ get_and_cmp_mpi ("q", sample_p256_q, "nistp256", ctx);
+ get_and_cmp_point ("q", sample_p256_q_x, sample_p256_q_y, "nistp256",
+ ctx);
+
+ /* Delete Q. */
+ err = gcry_mpi_ec_set_mpi ("q", NULL, ctx);
+ if (err)
+ fail ("clearing Q for nistp256 failed: %s\n", gpg_strerror (err));
+ if (gcry_mpi_ec_get_mpi ("q", ctx, 0))
+ fail ("clearing Q for nistp256 did not work\n");
+
+ /* Set Q again. */
+ q = hex2mpi (sample_p256_q);
+ err = gcry_mpi_ec_set_mpi ("q", q, ctx);
+ if (err)
+ fail ("setting Q for nistp256 failed: %s\n", gpg_strerror (err));
+ get_and_cmp_mpi ("q", sample_p256_q, "nistp256(2)", ctx);
+ gcry_mpi_release (q);
+
+ /* Get as s-expression. */
+ err = gcry_pubkey_get_sexp (&sexp, 0, ctx);
+ if (err)
+ fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err));
+ else if (debug)
+ print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp);
+ gcry_sexp_release (sexp);
+
+ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx);
+ if (err)
+ fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n",
+ gpg_strerror (err));
+ else if (debug)
+ print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp);
+ gcry_sexp_release (sexp);
+
+ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx);
+ if (gpg_err_code (err) != GPG_ERR_NO_SECKEY)
+ fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n",
+ gpg_strerror (err));
+ gcry_sexp_release (sexp);
+ }
+
+ show ("checking sample public key (Ed25519)\n");
+ q = hex2mpi (sample_ed25519_q);
+ gcry_sexp_release (keyparam);
+ err = gcry_sexp_build (&keyparam, NULL,
+ "(public-key(ecc(curve %s)(flags eddsa)(q %m)))",
+ "Ed25519", q);
+ if (err)
+ die ("gcry_sexp_build failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (q);
+
+ /* We can't call gcry_pk_testkey because it is only implemented for
+ private keys. */
+ /* err = gcry_pk_testkey (keyparam); */
+ /* if (err) */
+ /* fail ("gcry_pk_testkey failed for sample public key: %s\n", */
+ /* gpg_strerror (err)); */
+
+ gcry_ctx_release (ctx);
+ err = gcry_mpi_ec_new (&ctx, keyparam, NULL);
+ if (err)
+ fail ("gcry_mpi_ec_new failed for sample public key: %s\n",
+ gpg_strerror (err));
+ else
+ {
+ gcry_sexp_t sexp;
+
+ get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519", ctx);
+ get_and_cmp_point ("q", sample_ed25519_q_x, sample_ed25519_q_y,
+ "Ed25519", ctx);
+ get_and_cmp_mpi ("q at eddsa", sample_ed25519_q_eddsa, "Ed25519", ctx);
+
+ /* Set d to see whether Q is correctly re-computed. */
+ d = hex2mpi (sample_ed25519_d);
+ err = gcry_mpi_ec_set_mpi ("d", d, ctx);
+ if (err)
+ fail ("setting d for Ed25519 failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (d);
+ get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519(recompute Q)", ctx);
+
+ /* Delete Q by setting d and then clearing d. The clearing is
+ required so that we can check whether Q has been cleared and
+ because further tests only expect a public key. */
+ d = hex2mpi (sample_ed25519_d);
+ err = gcry_mpi_ec_set_mpi ("d", d, ctx);
+ if (err)
+ fail ("setting d for Ed25519 failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (d);
+ err = gcry_mpi_ec_set_mpi ("d", NULL, ctx);
+ if (err)
+ fail ("setting d for Ed25519 failed(2): %s\n", gpg_strerror (err));
+ if (gcry_mpi_ec_get_mpi ("q", ctx, 0))
+ fail ("setting d for Ed25519 did not reset Q\n");
+
+ /* Set Q again. We need to use an opaque MPI here because
+ sample_ed25519_q is in uncompressed format which can only be
+ auto-detected if passed opaque. */
+ q = hex2mpiopa (sample_ed25519_q);
+ err = gcry_mpi_ec_set_mpi ("q", q, ctx);
+ if (err)
+ fail ("setting Q for Ed25519 failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (q);
+ get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519(2)", ctx);
+
+ /* Get as s-expression. */
+ err = gcry_pubkey_get_sexp (&sexp, 0, ctx);
+ if (err)
+ fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err));
+ else if (debug)
+ print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp);
+ gcry_sexp_release (sexp);
+
+ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx);
+ if (err)
+ fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n",
+ gpg_strerror (err));
+ else if (debug)
+ print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp);
+ gcry_sexp_release (sexp);
+
+ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx);
+ if (gpg_err_code (err) != GPG_ERR_NO_SECKEY)
+ fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n",
+ gpg_strerror (err));
+ gcry_sexp_release (sexp);
+
+ }
+
+ gcry_ctx_release (ctx);
+ gcry_sexp_release (keyparam);
+}
+
+
+
+
+/* Create a new point from (X,Y,Z) given as hex strings. */
+gcry_mpi_point_t
+make_point (const char *x, const char *y, const char *z)
+{
+ gcry_mpi_point_t point;
+
+ point = gcry_mpi_point_new (0);
+ gcry_mpi_point_snatch_set (point, hex2mpi (x), hex2mpi (y), hex2mpi (z));
+
+ return point;
+}
+
+
+/* This tests checks that the low-level EC API yields the same result
+ as using the high level API. The values have been taken from a
+ test run using the high level API. */
+static void
+basic_ec_math (void)
+{
+ gpg_error_t err;
+ gcry_ctx_t ctx;
+ gcry_mpi_t P, A;
+ gcry_mpi_point_t G, Q;
+ gcry_mpi_t d;
+ gcry_mpi_t x, y, z;
+
+ wherestr = "basic_ec_math";
+ show ("checking basic math functions for EC\n");
+
+ P = hex2mpi ("0xfffffffffffffffffffffffffffffffeffffffffffffffff");
+ A = hex2mpi ("0xfffffffffffffffffffffffffffffffefffffffffffffffc");
+ G = make_point ("188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
+ "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
+ "1");
+ d = hex2mpi ("D4EF27E32F8AD8E2A1C6DDEBB1D235A69E3CEF9BCE90273D");
+ Q = gcry_mpi_point_new (0);
+
+ err = ec_p_new (&ctx, P, A);
+ if (err)
+ die ("ec_p_new failed: %s\n", gpg_strerror (err));
+
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+
+ {
+ /* A quick check that multiply by zero works. */
+ gcry_mpi_t tmp;
+
+ tmp = gcry_mpi_new (0);
+ gcry_mpi_ec_mul (Q, tmp, G, ctx);
+ gcry_mpi_release (tmp);
+ gcry_mpi_point_get (x, y, z, Q);
+ if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 0)
+ || gcry_mpi_cmp_ui (z, 0))
+ fail ("multiply a point by zero failed\n");
+ }
+
+ gcry_mpi_ec_mul (Q, d, G, ctx);
+ gcry_mpi_point_get (x, y, z, Q);
+ if (cmp_mpihex (x, "222D9EC717C89D047E0898C9185B033CD11C0A981EE6DC66")
+ || cmp_mpihex (y, "605DE0A82D70D3E0F84A127D0739ED33D657DF0D054BFDE8")
+ || cmp_mpihex (z, "00B06B519071BC536999AC8F2D3934B3C1FC9EACCD0A31F88F"))
+ fail ("computed public key does not match\n");
+ if (debug)
+ {
+ print_mpi ("Q.x", x);
+ print_mpi ("Q.y", y);
+ print_mpi ("Q.z", z);
+ }
+
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ fail ("failed to get affine coordinates\n");
+ if (cmp_mpihex (x, "008532093BA023F4D55C0424FA3AF9367E05F309DC34CDC3FE")
+ || cmp_mpihex (y, "00C13CA9E617C6C8487BFF6A726E3C4F277913D97117939966"))
+ fail ("computed affine coordinates of public key do not match\n");
+ if (debug)
+ {
+ print_mpi ("q.x", x);
+ print_mpi ("q.y", y);
+ }
+
+ gcry_mpi_release (z);
+ gcry_mpi_release (y);
+ gcry_mpi_release (x);
+ gcry_mpi_point_release (Q);
+ gcry_mpi_release (d);
+ gcry_mpi_point_release (G);
+ gcry_mpi_release (A);
+ gcry_mpi_release (P);
+ gcry_ctx_release (ctx);
+}
+
+
+/* Check the math used with Twisted Edwards curves. */
+static void
+twistededwards_math (void)
+{
+ gpg_error_t err;
+ gcry_ctx_t ctx;
+ gcry_mpi_point_t G, Q;
+ gcry_mpi_t k;
+ gcry_mpi_t w, a, x, y, z, p, n, b, I;
+
+ wherestr = "twistededwards_math";
+ show ("checking basic Twisted Edwards math\n");
+
+ err = gcry_mpi_ec_new (&ctx, NULL, "Ed25519");
+ if (err)
+ die ("gcry_mpi_ec_new failed: %s\n", gpg_strerror (err));
+
+ k = hex2mpi
+ ("2D3501E723239632802454EE5DDC406EFB0BDF18486A5BDE9C0390A9C2984004"
+ "F47252B628C953625B8DEB5DBCB8DA97AA43A1892D11FA83596F42E0D89CB1B6");
+ G = gcry_mpi_ec_get_point ("g", ctx, 1);
+ if (!G)
+ die ("gcry_mpi_ec_get_point(G) failed\n");
+ Q = gcry_mpi_point_new (0);
+
+
+ w = gcry_mpi_new (0);
+ a = gcry_mpi_new (0);
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+ I = gcry_mpi_new (0);
+ p = gcry_mpi_ec_get_mpi ("p", ctx, 1);
+ n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+ b = gcry_mpi_ec_get_mpi ("b", ctx, 1);
+
+ /* Check: 2^{p-1} mod p == 1 */
+ gcry_mpi_sub_ui (a, p, 1);
+ gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, p);
+ if (gcry_mpi_cmp_ui (w, 1))
+ fail ("failed assertion: 2^{p-1} mod p == 1\n");
+
+ /* Check: p % 4 == 1 */
+ gcry_mpi_mod (w, p, GCRYMPI_CONST_FOUR);
+ if (gcry_mpi_cmp_ui (w, 1))
+ fail ("failed assertion: p % 4 == 1\n");
+
+ /* Check: 2^{n-1} mod n == 1 */
+ gcry_mpi_sub_ui (a, n, 1);
+ gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, n);
+ if (gcry_mpi_cmp_ui (w, 1))
+ fail ("failed assertion: 2^{n-1} mod n == 1\n");
+
+ /* Check: b^{(p-1)/2} mod p == p-1 */
+ gcry_mpi_sub_ui (a, p, 1);
+ gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_TWO, -1);
+ gcry_mpi_powm (w, b, x, p);
+ gcry_mpi_abs (w);
+ if (gcry_mpi_cmp (w, a))
+ fail ("failed assertion: b^{(p-1)/2} mod p == p-1\n");
+
+ /* I := 2^{(p-1)/4} mod p */
+ gcry_mpi_sub_ui (a, p, 1);
+ gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_FOUR, -1);
+ gcry_mpi_powm (I, GCRYMPI_CONST_TWO, x, p);
+
+ /* Check: I^2 mod p == p-1 */
+ gcry_mpi_powm (w, I, GCRYMPI_CONST_TWO, p);
+ if (gcry_mpi_cmp (w, a))
+ fail ("failed assertion: I^2 mod p == p-1\n");
+
+ /* Check: G is on the curve */
+ if (!gcry_mpi_ec_curve_point (G, ctx))
+ fail ("failed assertion: G is on the curve\n");
+
+ /* Check: nG == (0,1) */
+ gcry_mpi_ec_mul (Q, n, G, ctx);
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ fail ("failed to get affine coordinates\n");
+ if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 1))
+ fail ("failed assertion: nG == (0,1)\n");
+
+ /* Now two arbitrary point operations taken from the ed25519.py
+ sample data. */
+ gcry_mpi_release (a);
+ a = hex2mpi
+ ("4f71d012df3c371af3ea4dc38385ca5bb7272f90cb1b008b3ed601c76de1d496"
+ "e30cbf625f0a756a678d8f256d5325595cccc83466f36db18f0178eb9925edd3");
+ gcry_mpi_ec_mul (Q, a, G, ctx);
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ fail ("failed to get affine coordinates\n");
+ if (cmp_mpihex (x, ("157f7361c577aad36f67ed33e38dc7be"
+ "00014fecc2165ca5cee9eee19fe4d2c1"))
+ || cmp_mpihex (y, ("5a69dbeb232276b38f3f5016547bb2a2"
+ "4025645f0b820e72b8cad4f0a909a092")))
+ {
+ fail ("sample point multiply failed:\n");
+ print_mpi ("r", a);
+ print_mpi ("Rx", x);
+ print_mpi ("Ry", y);
+ }
+
+ gcry_mpi_release (a);
+ a = hex2mpi
+ ("2d3501e723239632802454ee5ddc406efb0bdf18486a5bde9c0390a9c2984004"
+ "f47252b628c953625b8deb5dbcb8da97aa43a1892d11fa83596f42e0d89cb1b6");
+ gcry_mpi_ec_mul (Q, a, G, ctx);
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ fail ("failed to get affine coordinates\n");
+ if (cmp_mpihex (x, ("6218e309d40065fcc338b3127f468371"
+ "82324bd01ce6f3cf81ab44e62959c82a"))
+ || cmp_mpihex (y, ("5501492265e073d874d9e5b81e7f8784"
+ "8a826e80cce2869072ac60c3004356e5")))
+ {
+ fail ("sample point multiply failed:\n");
+ print_mpi ("r", a);
+ print_mpi ("Rx", x);
+ print_mpi ("Ry", y);
+ }
+
+
+ gcry_mpi_release (I);
+ gcry_mpi_release (b);
+ gcry_mpi_release (n);
+ gcry_mpi_release (p);
+ gcry_mpi_release (w);
+ gcry_mpi_release (a);
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+ gcry_mpi_point_release (Q);
+ gcry_mpi_point_release (G);
+ gcry_mpi_release (k);
+ gcry_ctx_release (ctx);
+}
+
+
+int
+main (int argc, char **argv)
+{
+
+ if (argc > 1 && !strcmp (argv[1], "--verbose"))
+ verbose = 1;
+ else if (argc > 1 && !strcmp (argv[1], "--debug"))
+ verbose = debug = 1;
+
+ if (!gcry_check_version (GCRYPT_VERSION))
+ die ("version mismatch\n");
+
+ gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+ gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+ if (debug)
+ gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+
+ set_get_point ();
+ context_alloc ();
+ context_param ();
+ basic_ec_math ();
+ twistededwards_math ();
+
+ show ("All tests completed. Errors: %d\n", error_count);
+ return error_count ? 1 : 0;
+}
More information about the scm-commits
mailing list