[mingw-libgcrypt] Update to 1.6.1
Erik van Pienbroek
epienbro at fedoraproject.org
Thu May 29 18:46:02 UTC 2014
commit 188e3769ece2dfb305f592b39a89b854501b7dcf
Author: Erik van Pienbroek <epienbro at fedoraproject.org>
Date: Thu May 29 20:46:01 2014 +0200
Update to 1.6.1
.gitignore | 1 +
curves.c | 166 +++++++++
ecc-curves.c | 1007 ++++++++++++++++++++++++++++++++++++++++++++++++++
hobble-libgcrypt | 4 +-
mingw-libgcrypt.spec | 29 ++-
sources | 2 +-
t-mpi-point.c | 970 ++++++++++++++++++++++++++++++++++++++++++++++++
7 files changed, 2170 insertions(+), 9 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 01743fb..f1e8efa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ libgcrypt-1.4.4.tar.bz2
/libgcrypt-1.5.0-hobbled.tar.bz2
/libgcrypt-1.5.2-hobbled.tar.xz
/libgcrypt-1.5.3-hobbled.tar.xz
+/libgcrypt-1.6.1-hobbled.tar.xz
diff --git a/curves.c b/curves.c
new file mode 100644
index 0000000..fccd1d4
--- /dev/null
+++ b/curves.c
@@ -0,0 +1,166 @@
+/* curves.c - ECC curves regression tests
+ * Copyright (C) 2011 Free Software Foundation, Inc.
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+#include "../src/gcrypt-int.h"
+
+/* Number of curves defined in ../cipger/ecc.c */
+#define N_CURVES 4
+
+/* A real world sample public key. */
+static char const sample_key_1[] =
+"(public-key\n"
+" (ecdsa\n"
+" (p #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF#)\n"
+" (a #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC#)\n"
+" (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)\n"
+" (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
+ "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)\n"
+" (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)\n"
+" (q #0442B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146EE"
+ "86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E#)\n"
+" ))";
+static char const sample_key_1_curve[] = "NIST P-256";
+static unsigned int sample_key_1_nbits = 256;
+
+/* Program option flags. */
+static int verbose;
+static int error_count;
+
+static void
+fail (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ error_count++;
+}
+
+static void
+die (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ exit (1);
+}
+
+
+static void
+list_curves (void)
+{
+ int idx;
+ const char *name;
+ unsigned int nbits;
+
+ for (idx=0; (name = gcry_pk_get_curve (NULL, idx, &nbits)); idx++)
+ {
+ if (verbose)
+ printf ("%s - %u bits\n", name, nbits);
+ }
+ if (idx != N_CURVES)
+ fail ("expected %d curves but got %d\n", N_CURVES, idx);
+ if (gcry_pk_get_curve (NULL, -1, NULL))
+ fail ("curve iteration failed\n");
+}
+
+
+static void
+check_matching (void)
+{
+ gpg_error_t err;
+ gcry_sexp_t key;
+ const char *name;
+ unsigned int nbits;
+
+ err = gcry_sexp_new (&key, sample_key_1, 0, 1);
+ if (err)
+ die ("parsing s-expression string failed: %s\n", gpg_strerror (err));
+ name = gcry_pk_get_curve (key, 0, &nbits);
+ if (!name)
+ fail ("curve name not found for sample_key_1\n");
+ else if (strcmp (name, sample_key_1_curve))
+ fail ("expected curve name %s but got %s for sample_key_1\n",
+ sample_key_1_curve, name);
+ else if (nbits != sample_key_1_nbits)
+ fail ("expected curve size %u but got %u for sample_key_1\n",
+ sample_key_1_nbits, nbits);
+
+ gcry_sexp_release (key);
+
+}
+
+
+static void
+check_get_params (void)
+{
+ gcry_sexp_t param;
+ const char *name;
+
+ param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_1_curve);
+ if (!param)
+ fail ("error gerring parameters for `%s'\n", sample_key_1_curve);
+
+ name = gcry_pk_get_curve (param, 0, NULL);
+ if (!name)
+ fail ("get_param: curve name not found for sample_key_1\n");
+ else if (strcmp (name, sample_key_1_curve))
+ fail ("get_param: expected curve name %s but got %s for sample_key_1\n",
+ sample_key_1_curve, name);
+
+ gcry_sexp_release (param);
+
+}
+
+
+int
+main (int argc, char **argv)
+{
+ int debug = 0;
+
+ if (argc > 1 && !strcmp (argv[1], "--verbose"))
+ verbose = 1;
+ else if (argc > 1 && !strcmp (argv[1], "--debug"))
+ verbose = debug = 1;
+
+ if (!gcry_check_version (GCRYPT_VERSION))
+ die ("version mismatch\n");
+
+ gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ if (debug)
+ gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
+ list_curves ();
+ check_matching ();
+ check_get_params ();
+
+ return error_count ? 1 : 0;
+}
diff --git a/ecc-curves.c b/ecc-curves.c
new file mode 100644
index 0000000..b8679da
--- /dev/null
+++ b/ecc-curves.c
@@ -0,0 +1,1007 @@
+/* ecc-curves.c - Elliptic Curve parameter mangement
+ * Copyright (C) 2007, 2008, 2010, 2011 Free Software Foundation, Inc.
+ * Copyright (C) 2013 g10 Code GmbH
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "g10lib.h"
+#include "mpi.h"
+#include "cipher.h"
+#include "context.h"
+#include "ec-context.h"
+#include "pubkey-internal.h"
+#include "ecc-common.h"
+
+
+/* This tables defines aliases for curve names. */
+static const struct
+{
+ const char *name; /* Our name. */
+ const char *other; /* Other name. */
+} curve_aliases[] =
+ {
+ /*{ "Curve25519", "1.3.6.1.4.1.3029.1.5.1" },*/
+ { "Ed25519", "1.3.6.1.4.1.11591.15.1" },
+
+ { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1. */
+ { "NIST P-256", "prime256v1" },
+ { "NIST P-256", "secp256r1" },
+ { "NIST P-256", "nistp256" }, /* rfc5656. */
+
+ { "NIST P-384", "secp384r1" },
+ { "NIST P-384", "1.3.132.0.34" },
+ { "NIST P-384", "nistp384" }, /* rfc5656. */
+
+ { "NIST P-521", "secp521r1" },
+ { "NIST P-521", "1.3.132.0.35" },
+ { "NIST P-521", "nistp521" }, /* rfc5656. */
+
+ { NULL, NULL}
+ };
+
+
+typedef struct
+{
+ const char *desc; /* Description of the curve. */
+ unsigned int nbits; /* Number of bits. */
+ unsigned int fips:1; /* True if this is a FIPS140-2 approved curve. */
+
+ /* The model describing this curve. This is mainly used to select
+ the group equation. */
+ enum gcry_mpi_ec_models model;
+
+ /* The actual ECC dialect used. This is used for curve specific
+ optimizations and to select encodings etc. */
+ enum ecc_dialects dialect;
+
+ const char *p; /* The prime defining the field. */
+ const char *a, *b; /* The coefficients. For Twisted Edwards
+ Curves b is used for d. */
+ const char *n; /* The order of the base point. */
+ const char *g_x, *g_y; /* Base point. */
+} ecc_domain_parms_t;
+
+
+/* This static table defines all available curves. */
+static const ecc_domain_parms_t domain_parms[] =
+ {
+ {
+ /* (-x^2 + y^2 = 1 + dx^2y^2) */
+ "Ed25519", 256, 0,
+ MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519,
+ "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+ "-0x01",
+ "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
+ "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED",
+ "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
+ "0x6666666666666666666666666666666666666666666666666666666666666658"
+ },
+ {
+ "NIST P-256", 256, 1,
+ MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+ "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
+ "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
+ "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
+ "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+
+ "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
+ "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
+ },
+ {
+ "NIST P-384", 384, 1,
+ MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+ "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000ffffffff",
+ "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000fffffffc",
+ "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a"
+ "c656398d8a2ed19d2a85c8edd3ec2aef",
+ "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf"
+ "581a0db248b0a77aecec196accc52973",
+
+ "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38"
+ "5502f25dbf55296c3a545e3872760ab7",
+ "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0"
+ "0a60b1ce1d7e819d7a431d7c90ea0e5f"
+ },
+ {
+ "NIST P-521", 521, 1,
+ MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+ "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
+ "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10"
+ "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
+ "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
+
+ "0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d"
+ "3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
+ "0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e"
+ "662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650"
+ },
+
+ { NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL }
+ };
+
+
+
+�
+/* Return a copy of POINT. */
+static gcry_mpi_point_t
+point_copy (gcry_mpi_point_t point)
+{
+ gcry_mpi_point_t newpoint;
+
+ if (point)
+ {
+ newpoint = mpi_point_new (0);
+ point_set (newpoint, point);
+ }
+ else
+ newpoint = NULL;
+ return newpoint;
+}
+
+
+/* Helper to scan a hex string. */
+static gcry_mpi_t
+scanval (const char *string)
+{
+ gpg_err_code_t rc;
+ gcry_mpi_t val;
+
+ rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL);
+ if (rc)
+ log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc));
+ return val;
+}
+
+
+/* Return the index of the domain_parms table for a curve with NAME.
+ Return -1 if not found. */
+static int
+find_domain_parms_idx (const char *name)
+{
+ int idx, aliasno;
+
+ /* First check our native curves. */
+ for (idx = 0; domain_parms[idx].desc; idx++)
+ if (!strcmp (name, domain_parms[idx].desc))
+ return idx;
+
+ /* If not found consult the alias table. */
+ if (!domain_parms[idx].desc)
+ {
+ for (aliasno = 0; curve_aliases[aliasno].name; aliasno++)
+ if (!strcmp (name, curve_aliases[aliasno].other))
+ break;
+ if (curve_aliases[aliasno].name)
+ {
+ for (idx = 0; domain_parms[idx].desc; idx++)
+ if (!strcmp (curve_aliases[aliasno].name, domain_parms[idx].desc))
+ return idx;
+ }
+ }
+
+ return -1;
+}
+
+
+/* Generate the crypto system setup. This function takes the NAME of
+ a curve or the desired number of bits and stores at R_CURVE the
+ parameters of the named curve or those of a suitable curve. If
+ R_NBITS is not NULL, the chosen number of bits is stored there.
+ NULL may be given for R_CURVE, if the value is not required and for
+ example only a quick test for availability is desired. Note that
+ the curve fields should be initialized to zero because fields which
+ are not NULL are skipped. */
+gpg_err_code_t
+_gcry_ecc_fill_in_curve (unsigned int nbits, const char *name,
+ elliptic_curve_t *curve, unsigned int *r_nbits)
+{
+ int idx;
+ const char *resname = NULL; /* Set to a found curve name. */
+
+ if (name)
+ idx = find_domain_parms_idx (name);
+ else
+ {
+ for (idx = 0; domain_parms[idx].desc; idx++)
+ if (nbits == domain_parms[idx].nbits
+ && domain_parms[idx].model == MPI_EC_WEIERSTRASS)
+ break;
+ if (!domain_parms[idx].desc)
+ idx = -1;
+ }
+ if (idx < 0)
+ return GPG_ERR_UNKNOWN_CURVE;
+
+ resname = domain_parms[idx].desc;
+
+ /* In fips mode we only support NIST curves. Note that it is
+ possible to bypass this check by specifying the curve parameters
+ directly. */
+ if (fips_mode () && !domain_parms[idx].fips )
+ return GPG_ERR_NOT_SUPPORTED;
+
+ switch (domain_parms[idx].model)
+ {
+ case MPI_EC_WEIERSTRASS:
+ case MPI_EC_TWISTEDEDWARDS:
+ break;
+ case MPI_EC_MONTGOMERY:
+ return GPG_ERR_NOT_SUPPORTED;
+ default:
+ return GPG_ERR_BUG;
+ }
+
+
+ if (r_nbits)
+ *r_nbits = domain_parms[idx].nbits;
+
+ if (curve)
+ {
+ curve->model = domain_parms[idx].model;
+ curve->dialect = domain_parms[idx].dialect;
+ if (!curve->p)
+ curve->p = scanval (domain_parms[idx].p);
+ if (!curve->a)
+ curve->a = scanval (domain_parms[idx].a);
+ if (!curve->b)
+ curve->b = scanval (domain_parms[idx].b);
+ if (!curve->n)
+ curve->n = scanval (domain_parms[idx].n);
+ if (!curve->G.x)
+ curve->G.x = scanval (domain_parms[idx].g_x);
+ if (!curve->G.y)
+ curve->G.y = scanval (domain_parms[idx].g_y);
+ if (!curve->G.z)
+ curve->G.z = mpi_alloc_set_ui (1);
+ if (!curve->name)
+ curve->name = resname;
+ }
+
+ return 0;
+}
+
+
+/* Give the name of the curve NAME, store the curve parameters into P,
+ A, B, G, and N if they point to NULL value. Note that G is returned
+ in standard uncompressed format. Also update MODEL and DIALECT if
+ they are not NULL. */
+gpg_err_code_t
+_gcry_ecc_update_curve_param (const char *name,
+ enum gcry_mpi_ec_models *model,
+ enum ecc_dialects *dialect,
+ gcry_mpi_t *p, gcry_mpi_t *a, gcry_mpi_t *b,
+ gcry_mpi_t *g, gcry_mpi_t *n)
+{
+ int idx;
+
+ idx = find_domain_parms_idx (name);
+ if (idx < 0)
+ return GPG_ERR_UNKNOWN_CURVE;
+
+ if (g)
+ {
+ char *buf;
+ size_t len;
+
+ len = 4;
+ len += strlen (domain_parms[idx].g_x+2);
+ len += strlen (domain_parms[idx].g_y+2);
+ len++;
+ buf = xtrymalloc (len);
+ if (!buf)
+ return gpg_err_code_from_syserror ();
+ strcpy (stpcpy (stpcpy (buf, "0x04"), domain_parms[idx].g_x+2),
+ domain_parms[idx].g_y+2);
+ _gcry_mpi_release (*g);
+ *g = scanval (buf);
+ xfree (buf);
+ }
+ if (model)
+ *model = domain_parms[idx].model;
+ if (dialect)
+ *dialect = domain_parms[idx].dialect;
+ if (p)
+ {
+ _gcry_mpi_release (*p);
+ *p = scanval (domain_parms[idx].p);
+ }
+ if (a)
+ {
+ _gcry_mpi_release (*a);
+ *a = scanval (domain_parms[idx].a);
+ }
+ if (b)
+ {
+ _gcry_mpi_release (*b);
+ *b = scanval (domain_parms[idx].b);
+ }
+ if (n)
+ {
+ _gcry_mpi_release (*n);
+ *n = scanval (domain_parms[idx].n);
+ }
+ return 0;
+}
+
+
+/* Return the name matching the parameters in PKEY. This works only
+ with curves described by the Weierstrass equation. */
+const char *
+_gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits)
+{
+ gpg_err_code_t rc;
+ const char *result = NULL;
+ elliptic_curve_t E;
+ gcry_mpi_t mpi_g = NULL;
+ gcry_mpi_t tmp = NULL;
+ int idx;
+
+ memset (&E, 0, sizeof E);
+
+ if (r_nbits)
+ *r_nbits = 0;
+
+ if (!keyparms)
+ {
+ idx = iterator;
+ if (idx >= 0 && idx < DIM (domain_parms))
+ {
+ result = domain_parms[idx].desc;
+ if (r_nbits)
+ *r_nbits = domain_parms[idx].nbits;
+ }
+ return result;
+ }
+
+
+ /*
+ * Extract the curve parameters..
+ */
+ rc = gpg_err_code (sexp_extract_param (keyparms, NULL, "-pabgn",
+ &E.p, &E.a, &E.b, &mpi_g, &E.n,
+ NULL));
+ if (rc == GPG_ERR_NO_OBJ)
+ {
+ /* This might be the second use case of checking whether a
+ specific curve given by name is supported. */
+ gcry_sexp_t l1;
+ char *name;
+
+ l1 = sexp_find_token (keyparms, "curve", 5);
+ if (!l1)
+ goto leave; /* No curve name parameter. */
+
+ name = sexp_nth_string (l1, 1);
+ sexp_release (l1);
+ if (!name)
+ goto leave; /* Name missing or out of core. */
+
+ idx = find_domain_parms_idx (name);
+ xfree (name);
+ if (idx >= 0) /* Curve found. */
+ {
+ result = domain_parms[idx].desc;
+ if (r_nbits)
+ *r_nbits = domain_parms[idx].nbits;
+ }
+ return result;
+ }
+
+ if (rc)
+ goto leave;
+
+ if (mpi_g)
+ {
+ _gcry_mpi_point_init (&E.G);
+ if (_gcry_ecc_os2ec (&E.G, mpi_g))
+ goto leave;
+ }
+
+ for (idx = 0; domain_parms[idx].desc; idx++)
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].p);
+ if (!mpi_cmp (tmp, E.p))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].a);
+ if (!mpi_cmp (tmp, E.a))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].b);
+ if (!mpi_cmp (tmp, E.b))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].n);
+ if (!mpi_cmp (tmp, E.n))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].g_x);
+ if (!mpi_cmp (tmp, E.G.x))
+ {
+ mpi_free (tmp);
+ tmp = scanval (domain_parms[idx].g_y);
+ if (!mpi_cmp (tmp, E.G.y))
+ {
+ result = domain_parms[idx].desc;
+ if (r_nbits)
+ *r_nbits = domain_parms[idx].nbits;
+ goto leave;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ leave:
+ _gcry_mpi_release (tmp);
+ _gcry_mpi_release (E.p);
+ _gcry_mpi_release (E.a);
+ _gcry_mpi_release (E.b);
+ _gcry_mpi_release (mpi_g);
+ _gcry_mpi_point_free_parts (&E.G);
+ _gcry_mpi_release (E.n);
+ return result;
+}
+
+
+/* Helper to extract an MPI from key parameters. */
+static gpg_err_code_t
+mpi_from_keyparam (gcry_mpi_t *r_a, gcry_sexp_t keyparam, const char *name)
+{
+ gcry_err_code_t ec = 0;
+ gcry_sexp_t l1;
+
+ l1 = sexp_find_token (keyparam, name, 0);
+ if (l1)
+ {
+ *r_a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
+ sexp_release (l1);
+ if (!*r_a)
+ ec = GPG_ERR_INV_OBJ;
+ }
+ return ec;
+}
+
+/* Helper to extract a point from key parameters. If no parameter
+ with NAME is found, the functions tries to find a non-encoded point
+ by appending ".x", ".y" and ".z" to NAME. ".z" is in this case
+ optional and defaults to 1. EC is the context which at this point
+ may not be fully initialized. */
+static gpg_err_code_t
+point_from_keyparam (gcry_mpi_point_t *r_a,
+ gcry_sexp_t keyparam, const char *name, mpi_ec_t ec)
+{
+ gcry_err_code_t rc;
+ gcry_sexp_t l1;
+ gcry_mpi_point_t point;
+
+ l1 = sexp_find_token (keyparam, name, 0);
+ if (l1)
+ {
+ gcry_mpi_t a;
+
+ a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_OPAQUE);
+ sexp_release (l1);
+ if (!a)
+ return GPG_ERR_INV_OBJ;
+
+ point = mpi_point_new (0);
+ if (ec && ec->dialect == ECC_DIALECT_ED25519)
+ rc = _gcry_ecc_eddsa_decodepoint (a, ec, point, NULL, NULL);
+ else
+ rc = _gcry_ecc_os2ec (point, a);
+ mpi_free (a);
+ if (rc)
+ {
+ mpi_point_release (point);
+ return rc;
+ }
+ }
+ else
+ {
+ char *tmpname;
+ gcry_mpi_t x = NULL;
+ gcry_mpi_t y = NULL;
+ gcry_mpi_t z = NULL;
+
+ tmpname = xtrymalloc (strlen (name) + 2 + 1);
+ if (!tmpname)
+ return gpg_err_code_from_syserror ();
+ strcpy (stpcpy (tmpname, name), ".x");
+ rc = mpi_from_keyparam (&x, keyparam, tmpname);
+ if (rc)
+ {
+ xfree (tmpname);
+ return rc;
+ }
+ strcpy (stpcpy (tmpname, name), ".y");
+ rc = mpi_from_keyparam (&y, keyparam, tmpname);
+ if (rc)
+ {
+ mpi_free (x);
+ xfree (tmpname);
+ return rc;
+ }
+ strcpy (stpcpy (tmpname, name), ".z");
+ rc = mpi_from_keyparam (&z, keyparam, tmpname);
+ if (rc)
+ {
+ mpi_free (y);
+ mpi_free (x);
+ xfree (tmpname);
+ return rc;
+ }
+ if (!z)
+ z = mpi_set_ui (NULL, 1);
+ if (x && y)
+ point = mpi_point_snatch_set (NULL, x, y, z);
+ else
+ {
+ mpi_free (x);
+ mpi_free (y);
+ mpi_free (z);
+ point = NULL;
+ }
+ xfree (tmpname);
+ }
+
+ if (point)
+ *r_a = point;
+ return 0;
+}
+
+
+/* This function creates a new context for elliptic curve operations.
+ Either KEYPARAM or CURVENAME must be given. If both are given and
+ KEYPARAM has no curve parameter, CURVENAME is used to add missing
+ parameters. On success 0 is returned and the new context stored at
+ R_CTX. On error NULL is stored at R_CTX and an error code is
+ returned. The context needs to be released using
+ gcry_ctx_release. */
+gpg_err_code_t
+_gcry_mpi_ec_new (gcry_ctx_t *r_ctx,
+ gcry_sexp_t keyparam, const char *curvename)
+{
+ gpg_err_code_t errc;
+ gcry_ctx_t ctx = NULL;
+ enum gcry_mpi_ec_models model = MPI_EC_WEIERSTRASS;
+ enum ecc_dialects dialect = ECC_DIALECT_STANDARD;
+ gcry_mpi_t p = NULL;
+ gcry_mpi_t a = NULL;
+ gcry_mpi_t b = NULL;
+ gcry_mpi_point_t G = NULL;
+ gcry_mpi_t n = NULL;
+ gcry_mpi_point_t Q = NULL;
+ gcry_mpi_t d = NULL;
+ int flags = 0;
+ gcry_sexp_t l1;
+
+ *r_ctx = NULL;
+
+ if (keyparam)
+ {
+ /* Parse an optional flags list. */
+ l1 = sexp_find_token (keyparam, "flags", 0);
+ if (l1)
+ {
+ errc = _gcry_pk_util_parse_flaglist (l1, &flags, NULL);
+ sexp_release (l1);
+ l1 = NULL;
+ if (errc)
+ goto leave;
+ }
+
+ /* Check whether a curve name was given. */
+ l1 = sexp_find_token (keyparam, "curve", 5);
+
+ /* If we don't have a curve name or if override parameters have
+ explicitly been requested, parse them. */
+ if (!l1 || (flags & PUBKEY_FLAG_PARAM))
+ {
+ errc = mpi_from_keyparam (&p, keyparam, "p");
+ if (errc)
+ goto leave;
+ errc = mpi_from_keyparam (&a, keyparam, "a");
+ if (errc)
+ goto leave;
+ errc = mpi_from_keyparam (&b, keyparam, "b");
+ if (errc)
+ goto leave;
+ errc = point_from_keyparam (&G, keyparam, "g", NULL);
+ if (errc)
+ goto leave;
+ errc = mpi_from_keyparam (&n, keyparam, "n");
+ if (errc)
+ goto leave;
+ }
+ }
+ else
+ l1 = NULL; /* No curvename. */
+
+ /* Check whether a curve parameter is available and use that to fill
+ in missing values. If no curve parameter is available try an
+ optional provided curvename. If only the curvename has been
+ given use that one. */
+ if (l1 || curvename)
+ {
+ char *name;
+ elliptic_curve_t *E;
+
+ if (l1)
+ {
+ name = sexp_nth_string (l1, 1);
+ sexp_release (l1);
+ if (!name)
+ {
+ errc = GPG_ERR_INV_OBJ; /* Name missing or out of core. */
+ goto leave;
+ }
+ }
+ else
+ name = NULL;
+
+ E = xtrycalloc (1, sizeof *E);
+ if (!E)
+ {
+ errc = gpg_err_code_from_syserror ();
+ xfree (name);
+ goto leave;
+ }
+
+ errc = _gcry_ecc_fill_in_curve (0, name? name : curvename, E, NULL);
+ xfree (name);
+ if (errc)
+ {
+ xfree (E);
+ goto leave;
+ }
+
+ model = E->model;
+ dialect = E->dialect;
+
+ if (!p)
+ {
+ p = E->p;
+ E->p = NULL;
+ }
+ if (!a)
+ {
+ a = E->a;
+ E->a = NULL;
+ }
+ if (!b)
+ {
+ b = E->b;
+ E->b = NULL;
+ }
+ if (!G)
+ {
+ G = mpi_point_snatch_set (NULL, E->G.x, E->G.y, E->G.z);
+ E->G.x = NULL;
+ E->G.y = NULL;
+ E->G.z = NULL;
+ }
+ if (!n)
+ {
+ n = E->n;
+ E->n = NULL;
+ }
+ _gcry_ecc_curve_free (E);
+ xfree (E);
+ }
+
+
+ errc = _gcry_mpi_ec_p_new (&ctx, model, dialect, flags, p, a, b);
+ if (!errc)
+ {
+ mpi_ec_t ec = _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC);
+
+ if (b)
+ {
+ mpi_free (ec->b);
+ ec->b = b;
+ b = NULL;
+ }
+ if (G)
+ {
+ ec->G = G;
+ G = NULL;
+ }
+ if (n)
+ {
+ ec->n = n;
+ n = NULL;
+ }
+
+ /* Now that we know the curve name we can look for the public key
+ Q. point_from_keyparam needs to know the curve parameters so
+ that it is able to use the correct decompression. Parsing
+ the private key D could have been done earlier but it is less
+ surprising if we do it here as well. */
+ if (keyparam)
+ {
+ errc = point_from_keyparam (&Q, keyparam, "q", ec);
+ if (errc)
+ goto leave;
+ errc = mpi_from_keyparam (&d, keyparam, "d");
+ if (errc)
+ goto leave;
+ }
+
+ if (Q)
+ {
+ ec->Q = Q;
+ Q = NULL;
+ }
+ if (d)
+ {
+ ec->d = d;
+ d = NULL;
+ }
+
+ *r_ctx = ctx;
+ ctx = NULL;
+ }
+
+ leave:
+ _gcry_ctx_release (ctx);
+ mpi_free (p);
+ mpi_free (a);
+ mpi_free (b);
+ _gcry_mpi_point_release (G);
+ mpi_free (n);
+ _gcry_mpi_point_release (Q);
+ mpi_free (d);
+ return errc;
+}
+
+
+/* Return the parameters of the curve NAME as an S-expression. */
+gcry_sexp_t
+_gcry_ecc_get_param_sexp (const char *name)
+{
+ unsigned int nbits;
+ elliptic_curve_t E;
+ mpi_ec_t ctx;
+ gcry_mpi_t g_x, g_y;
+ gcry_mpi_t pkey[6];
+ gcry_sexp_t result;
+ int i;
+
+ memset (&E, 0, sizeof E);
+ if (_gcry_ecc_fill_in_curve (0, name, &E, &nbits))
+ return NULL;
+
+ g_x = mpi_new (0);
+ g_y = mpi_new (0);
+ ctx = _gcry_mpi_ec_p_internal_new (MPI_EC_WEIERSTRASS,
+ ECC_DIALECT_STANDARD,
+ 0,
+ E.p, E.a, NULL);
+ if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx))
+ log_fatal ("ecc get param: Failed to get affine coordinates\n");
+ _gcry_mpi_ec_free (ctx);
+ _gcry_mpi_point_free_parts (&E.G);
+
+ pkey[0] = E.p;
+ pkey[1] = E.a;
+ pkey[2] = E.b;
+ pkey[3] = _gcry_ecc_ec2os (g_x, g_y, E.p);
+ pkey[4] = E.n;
+ pkey[5] = NULL;
+
+ mpi_free (g_x);
+ mpi_free (g_y);
+
+ if (sexp_build (&result, NULL,
+ "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)))",
+ pkey[0], pkey[1], pkey[2], pkey[3], pkey[4]))
+ result = NULL;
+
+ for (i=0; pkey[i]; i++)
+ _gcry_mpi_release (pkey[i]);
+
+ return result;
+}
+
+
+/* Return an MPI (or opaque MPI) described by NAME and the context EC.
+ If COPY is true a copy is returned, if not a const MPI may be
+ returned. In any case mpi_free must be used. */
+gcry_mpi_t
+_gcry_ecc_get_mpi (const char *name, mpi_ec_t ec, int copy)
+{
+ if (!*name)
+ return NULL;
+
+ if (!strcmp (name, "p") && ec->p)
+ return mpi_is_const (ec->p) && !copy? ec->p : mpi_copy (ec->p);
+ if (!strcmp (name, "a") && ec->a)
+ return mpi_is_const (ec->a) && !copy? ec->a : mpi_copy (ec->a);
+ if (!strcmp (name, "b") && ec->b)
+ return mpi_is_const (ec->b) && !copy? ec->b : mpi_copy (ec->b);
+ if (!strcmp (name, "n") && ec->n)
+ return mpi_is_const (ec->n) && !copy? ec->n : mpi_copy (ec->n);
+ if (!strcmp (name, "d") && ec->d)
+ return mpi_is_const (ec->d) && !copy? ec->d : mpi_copy (ec->d);
+
+ /* Return a requested point coordinate. */
+ if (!strcmp (name, "g.x") && ec->G && ec->G->x)
+ return mpi_is_const (ec->G->x) && !copy? ec->G->x : mpi_copy (ec->G->x);
+ if (!strcmp (name, "g.y") && ec->G && ec->G->y)
+ return mpi_is_const (ec->G->y) && !copy? ec->G->y : mpi_copy (ec->G->y);
+ if (!strcmp (name, "q.x") && ec->Q && ec->Q->x)
+ return mpi_is_const (ec->Q->x) && !copy? ec->Q->x : mpi_copy (ec->Q->x);
+ if (!strcmp (name, "q.y") && ec->Q && ec->Q->y)
+ return mpi_is_const (ec->G->y) && !copy? ec->Q->y : mpi_copy (ec->Q->y);
+
+ /* If the base point has been requested, return it in standard
+ encoding. */
+ if (!strcmp (name, "g") && ec->G)
+ return _gcry_mpi_ec_ec2os (ec->G, ec);
+
+ /* If the public key has been requested, return it by default in
+ standard uncompressed encoding or if requested in other
+ encodings. */
+ if (*name == 'q' && (!name[1] || name[1] == '@'))
+ {
+ /* If only the private key is given, compute the public key. */
+ if (!ec->Q)
+ ec->Q = _gcry_ecc_compute_public (NULL, ec, NULL, NULL);
+
+ if (!ec->Q)
+ return NULL;
+
+ if (name[1] != '@')
+ return _gcry_mpi_ec_ec2os (ec->Q, ec);
+
+ if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS)
+ {
+ unsigned char *encpk;
+ unsigned int encpklen;
+
+ if (!_gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL,
+ &encpk, &encpklen))
+ return mpi_set_opaque (NULL, encpk, encpklen*8);
+ }
+ }
+
+ return NULL;
+}
+
+
+/* Return a point described by NAME and the context EC. */
+gcry_mpi_point_t
+_gcry_ecc_get_point (const char *name, mpi_ec_t ec)
+{
+ if (!strcmp (name, "g") && ec->G)
+ return point_copy (ec->G);
+ if (!strcmp (name, "q"))
+ {
+ /* If only the private key is given, compute the public key. */
+ if (!ec->Q)
+ ec->Q = _gcry_ecc_compute_public (NULL, ec, NULL, NULL);
+
+ if (ec->Q)
+ return point_copy (ec->Q);
+ }
+
+ return NULL;
+}
+
+
+/* Store the MPI NEWVALUE into the context EC under NAME. */
+gpg_err_code_t
+_gcry_ecc_set_mpi (const char *name, gcry_mpi_t newvalue, mpi_ec_t ec)
+{
+ gpg_err_code_t rc = 0;
+
+ if (!*name)
+ ;
+ else if (!strcmp (name, "p"))
+ {
+ mpi_free (ec->p);
+ ec->p = mpi_copy (newvalue);
+ _gcry_mpi_ec_get_reset (ec);
+ }
+ else if (!strcmp (name, "a"))
+ {
+ mpi_free (ec->a);
+ ec->a = mpi_copy (newvalue);
+ _gcry_mpi_ec_get_reset (ec);
+ }
+ else if (!strcmp (name, "b"))
+ {
+ mpi_free (ec->b);
+ ec->b = mpi_copy (newvalue);
+ }
+ else if (!strcmp (name, "n"))
+ {
+ mpi_free (ec->n);
+ ec->n = mpi_copy (newvalue);
+ }
+ else if (*name == 'q' && (!name[1] || name[1] == '@'))
+ {
+ if (newvalue)
+ {
+ if (!ec->Q)
+ ec->Q = mpi_point_new (0);
+ if (ec->dialect == ECC_DIALECT_ED25519)
+ rc = _gcry_ecc_eddsa_decodepoint (newvalue, ec, ec->Q, NULL, NULL);
+ else
+ rc = _gcry_ecc_os2ec (ec->Q, newvalue);
+ }
+ if (rc || !newvalue)
+ {
+ _gcry_mpi_point_release (ec->Q);
+ ec->Q = NULL;
+ }
+ /* Note: We assume that Q matches d and thus do not reset d. */
+ }
+ else if (!strcmp (name, "d"))
+ {
+ mpi_free (ec->d);
+ ec->d = mpi_copy (newvalue);
+ if (ec->d)
+ {
+ /* We need to reset the public key because it may not
+ anymore match. */
+ _gcry_mpi_point_release (ec->Q);
+ ec->Q = NULL;
+ }
+ }
+ else
+ rc = GPG_ERR_UNKNOWN_NAME;
+
+ return rc;
+}
+
+
+/* Store the point NEWVALUE into the context EC under NAME. */
+gpg_err_code_t
+_gcry_ecc_set_point (const char *name, gcry_mpi_point_t newvalue, mpi_ec_t ec)
+{
+ if (!strcmp (name, "g"))
+ {
+ _gcry_mpi_point_release (ec->G);
+ ec->G = point_copy (newvalue);
+ }
+ else if (!strcmp (name, "q"))
+ {
+ _gcry_mpi_point_release (ec->Q);
+ ec->Q = point_copy (newvalue);
+ }
+ else
+ return GPG_ERR_UNKNOWN_NAME;
+
+ return 0;
+}
diff --git a/hobble-libgcrypt b/hobble-libgcrypt
index 1062d6e..5eade9d 100755
--- a/hobble-libgcrypt
+++ b/hobble-libgcrypt
@@ -6,4 +6,6 @@ set -e -x
# Clean out patent-or-otherwise-encumbered code.
# EC: ????????? ??/??/2015
-rm -f cipher/ecc.c
+rm -f cipher/ecc-curves.c
+rm -f tests/curves.c
+rm -f tests/t_mpi_point.c
diff --git a/mingw-libgcrypt.spec b/mingw-libgcrypt.spec
index 42a215a..f3dbb93 100644
--- a/mingw-libgcrypt.spec
+++ b/mingw-libgcrypt.spec
@@ -3,7 +3,7 @@
%define run_tests 0
Name: mingw-libgcrypt
-Version: 1.5.3
+Version: 1.6.1
Release: 1%{?dist}
Summary: MinGW Windows gcrypt encryption library
@@ -15,10 +15,15 @@ Source0: libgcrypt-%{version}-hobbled.tar.xz
# The original libgcrypt sources now contain potentially patented ECC
# cipher support. We have to remove it in the tarball we ship with
# the hobble-libgcrypt script.
+# (We replace it with RH approved ECC in Source4-5)
#Source0: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
#Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
Source2: wk at g10code.com
Source3: hobble-libgcrypt
+# Approved ECC support (from 1.6.1)
+Source4: ecc-curves.c
+Source5: curves.c
+Source6: t-mpi-point.c
# Upstream is unwilling to accept this patch...
# https://bugs.g10code.com/gnupg/issue1360
@@ -102,11 +107,13 @@ Static library for mingw64-libgcrypt development.
%patch0 -p0 -b .win64
%patch2 -p0 -b .def
%patch3 -p0 -b .asm64
+cp %{SOURCE4} cipher/
+cp %{SOURCE5} %{SOURCE6} tests/
%build
-MINGW64_CONFIGURE_ARGS="ac_cv_sys_symbol_underscore=no"
-%mingw_configure --enable-shared --enable-static --enable-pubkey-ciphers='dsa elgamal rsa'
+MINGW64_CONFIGURE_ARGS="ac_cv_sys_symbol_underscore=no --disable-padlock-support"
+%mingw_configure --enable-shared --enable-static --enable-pubkey-ciphers='dsa elgamal rsa ecc'
%mingw_make %{?_smp_mflags}
@@ -131,6 +138,9 @@ popd
rm -rf $RPM_BUILD_ROOT%{mingw32_infodir}
rm -rf $RPM_BUILD_ROOT%{mingw64_infodir}
+rm -rf $RPM_BUILD_ROOT%{mingw32_mandir}
+rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
+
rm $RPM_BUILD_ROOT%{mingw32_libdir}/libgcrypt.def
rm $RPM_BUILD_ROOT%{mingw64_libdir}/libgcrypt.def
@@ -142,10 +152,10 @@ rm $RPM_BUILD_ROOT%{mingw64_libdir}/libgcrypt.la
%doc COPYING COPYING.LIB
%{mingw32_bindir}/dumpsexp.exe
%{mingw32_bindir}/hmac256.exe
-%{mingw32_bindir}/libgcrypt-11.dll
+%{mingw32_bindir}/mpicalc.exe
+%{mingw32_bindir}/libgcrypt-20.dll
%{mingw32_bindir}/libgcrypt-config
%{mingw32_libdir}/libgcrypt.dll.a
-%{mingw32_includedir}/gcrypt-module.h
%{mingw32_includedir}/gcrypt.h
%{mingw32_datadir}/aclocal/libgcrypt.m4
@@ -156,10 +166,10 @@ rm $RPM_BUILD_ROOT%{mingw64_libdir}/libgcrypt.la
%doc COPYING COPYING.LIB
%{mingw64_bindir}/dumpsexp.exe
%{mingw64_bindir}/hmac256.exe
-%{mingw64_bindir}/libgcrypt-11.dll
+%{mingw64_bindir}/mpicalc.exe
+%{mingw64_bindir}/libgcrypt-20.dll
%{mingw64_bindir}/libgcrypt-config
%{mingw64_libdir}/libgcrypt.dll.a
-%{mingw64_includedir}/gcrypt-module.h
%{mingw64_includedir}/gcrypt.h
%{mingw64_datadir}/aclocal/libgcrypt.m4
@@ -168,6 +178,11 @@ rm $RPM_BUILD_ROOT%{mingw64_libdir}/libgcrypt.la
%changelog
+* Thu May 29 2014 Erik van Pienbroek <epienbro at fedoraproject.org> - 1.6.1-1
+- Update to 1.6.1
+- Add cleared ECC support
+- Disable padlock support in Win64 for now (breaks compilation)
+
* Wed Nov 20 2013 Erik van Pienbroek <epienbro at fedoraproject.org> - 1.5.3-1
- Update to 1.5.3
diff --git a/sources b/sources
index 4838fbc..c971c98 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-99e0f2dc94dac6eceab709d03d613328 libgcrypt-1.5.3-hobbled.tar.xz
+3f1076b38a407f4775adcf6e9bf43893 libgcrypt-1.6.1-hobbled.tar.xz
diff --git a/t-mpi-point.c b/t-mpi-point.c
new file mode 100644
index 0000000..2c977c5
--- /dev/null
+++ b/t-mpi-point.c
@@ -0,0 +1,970 @@
+/* t-mpi-point.c - Tests for mpi point functions
+ * Copyright (C) 2013 g10 Code GmbH
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <stdarg.h>
+
+#include "../src/gcrypt-int.h"
+
+#define PGM "t-mpi-point"
+
+static const char *wherestr;
+static int verbose;
+static int debug;
+static int error_count;
+
+
+#define my_isascii(c) (!((c) & 0x80))
+#define digitp(p) (*(p) >= '0' && *(p) <= '9')
+#define hexdigitp(a) (digitp (a) \
+ || (*(a) >= 'A' && *(a) <= 'F') \
+ || (*(a) >= 'a' && *(a) <= 'f'))
+#define xtoi_1(p) (*(p) <= '9'? (*(p)- '0'): \
+ *(p) <= 'F'? (*(p)-'A'+10):(*(p)-'a'+10))
+#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1))
+#define xmalloc(a) gcry_xmalloc ((a))
+#define xcalloc(a,b) gcry_xcalloc ((a),(b))
+#define xfree(a) gcry_free ((a))
+#define pass() do { ; } while (0)
+
+
+static struct
+{
+ const char *desc; /* Description of the curve. */
+ const char *p; /* Order of the prime field. */
+ const char *a, *b; /* The coefficients. */
+ const char *n; /* The order of the base point. */
+ const char *g_x, *g_y; /* Base point. */
+} test_curve[] =
+ {
+ {
+ "NIST P-256",
+ "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
+ "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
+ "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
+ "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+
+ "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
+ "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
+ },
+ {
+ "NIST P-384",
+ "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000ffffffff",
+ "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
+ "ffffffff0000000000000000fffffffc",
+ "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a"
+ "c656398d8a2ed19d2a85c8edd3ec2aef",
+ "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf"
+ "581a0db248b0a77aecec196accc52973",
+
+ "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38"
+ "5502f25dbf55296c3a545e3872760ab7",
+ "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0"
+ "0a60b1ce1d7e819d7a431d7c90ea0e5f"
+ },
+ {
+ "NIST P-521",
+ "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
+ "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10"
+ "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
+ "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
+
+ "0xc6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3d"
+ "baa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
+ "0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e6"
+ "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650"
+ },
+ {
+ "Ed25519",
+ "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+ "-0x01",
+ "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
+ "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED",
+ "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
+ "0x6666666666666666666666666666666666666666666666666666666666666658"
+ },
+ { NULL, NULL, NULL, NULL, NULL }
+ };
+
+/* A sample public key for NIST P-256. */
+static const char sample_p256_q[] =
+ "04"
+ "42B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146E"
+ "E86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E";
+static const char sample_p256_q_x[] =
+ "42B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146E";
+static const char sample_p256_q_y[] =
+ "00E86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E";
+
+
+/* A sample public key for Ed25519. */
+static const char sample_ed25519_q[] =
+ "04"
+ "55d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce"
+ "1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7";
+static const char sample_ed25519_q_x[] =
+ "55d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce";
+static const char sample_ed25519_q_y[] =
+ "1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7";
+static const char sample_ed25519_q_eddsa[] =
+ "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a";
+static const char sample_ed25519_d[] =
+ "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60";
+
+
+static void
+show (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ if (!verbose)
+ return;
+ fprintf (stderr, "%s: ", PGM);
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+}
+
+static void
+fail (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ fflush (stdout);
+ fprintf (stderr, "%s: ", PGM);
+ if (wherestr)
+ fprintf (stderr, "%s: ", wherestr);
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ error_count++;
+}
+
+static void
+die (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ fflush (stdout);
+ fprintf (stderr, "%s: ", PGM);
+ if (wherestr)
+ fprintf (stderr, "%s: ", wherestr);
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ exit (1);
+}
+
+
+static void
+print_mpi_2 (const char *text, const char *text2, gcry_mpi_t a)
+{
+ gcry_error_t err;
+ char *buf;
+ void *bufaddr = &buf;
+
+ err = gcry_mpi_aprint (GCRYMPI_FMT_HEX, bufaddr, NULL, a);
+ if (err)
+ fprintf (stderr, "%s%s: [error printing number: %s]\n",
+ text, text2? text2:"", gpg_strerror (err));
+ else
+ {
+ fprintf (stderr, "%s%s: %s\n", text, text2? text2:"", buf);
+ gcry_free (buf);
+ }
+}
+
+
+static void
+print_mpi (const char *text, gcry_mpi_t a)
+{
+ print_mpi_2 (text, NULL, a);
+}
+
+
+static void
+print_point (const char *text, gcry_mpi_point_t a)
+{
+ gcry_mpi_t x, y, z;
+
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+ gcry_mpi_point_get (x, y, z, a);
+ print_mpi_2 (text, ".x", x);
+ print_mpi_2 (text, ".y", y);
+ print_mpi_2 (text, ".z", z);
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+}
+
+
+static void
+print_sexp (const char *prefix, gcry_sexp_t a)
+{
+ char *buf;
+ size_t size;
+
+ if (prefix)
+ fputs (prefix, stderr);
+ size = gcry_sexp_sprint (a, GCRYSEXP_FMT_ADVANCED, NULL, 0);
+ buf = gcry_xmalloc (size);
+
+ gcry_sexp_sprint (a, GCRYSEXP_FMT_ADVANCED, buf, size);
+ fprintf (stderr, "%.*s", (int)size, buf);
+ gcry_free (buf);
+}
+
+
+static gcry_mpi_t
+hex2mpi (const char *string)
+{
+ gpg_error_t err;
+ gcry_mpi_t val;
+
+ err = gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL);
+ if (err)
+ die ("hex2mpi '%s' failed: %s\n", string, gpg_strerror (err));
+ return val;
+}
+
+
+/* Convert STRING consisting of hex characters into its binary
+ representation and return it as an allocated buffer. The valid
+ length of the buffer is returned at R_LENGTH. The string is
+ delimited by end of string. The function returns NULL on
+ error. */
+static void *
+hex2buffer (const char *string, size_t *r_length)
+{
+ const char *s;
+ unsigned char *buffer;
+ size_t length;
+
+ buffer = xmalloc (strlen(string)/2+1);
+ length = 0;
+ for (s=string; *s; s +=2 )
+ {
+ if (!hexdigitp (s) || !hexdigitp (s+1))
+ return NULL; /* Invalid hex digits. */
+ ((unsigned char*)buffer)[length++] = xtoi_2 (s);
+ }
+ *r_length = length;
+ return buffer;
+}
+
+
+static gcry_mpi_t
+hex2mpiopa (const char *string)
+{
+ char *buffer;
+ size_t buflen;
+ gcry_mpi_t val;
+
+ buffer = hex2buffer (string, &buflen);
+ if (!buffer)
+ die ("hex2mpiopa '%s' failed: parser error\n", string);
+ val = gcry_mpi_set_opaque (NULL, buffer, buflen*8);
+ if (!buffer)
+ die ("hex2mpiopa '%s' failed: set_opaque error%s\n", string);
+ return val;
+}
+
+
+/* Compare A to B, where B is given as a hex string. */
+static int
+cmp_mpihex (gcry_mpi_t a, const char *b)
+{
+ gcry_mpi_t bval;
+ int res;
+
+ if (gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE))
+ bval = hex2mpiopa (b);
+ else
+ bval = hex2mpi (b);
+ res = gcry_mpi_cmp (a, bval);
+ gcry_mpi_release (bval);
+ return res;
+}
+
+
+/* Wrapper to emulate the libgcrypt internal EC context allocation
+ function. */
+static gpg_error_t
+ec_p_new (gcry_ctx_t *r_ctx, gcry_mpi_t p, gcry_mpi_t a)
+{
+ gpg_error_t err;
+ gcry_sexp_t sexp;
+
+ if (p && a)
+ err = gcry_sexp_build (&sexp, NULL, "(ecdsa (p %m)(a %m))", p, a);
+ else if (p)
+ err = gcry_sexp_build (&sexp, NULL, "(ecdsa (p %m))", p);
+ else if (a)
+ err = gcry_sexp_build (&sexp, NULL, "(ecdsa (a %m))", a);
+ else
+ err = gcry_sexp_build (&sexp, NULL, "(ecdsa)");
+ if (err)
+ return err;
+ err = gcry_mpi_ec_new (r_ctx, sexp, NULL);
+ gcry_sexp_release (sexp);
+ return err;
+}
+
+
+�
+static void
+set_get_point (void)
+{
+ gcry_mpi_point_t point;
+ gcry_mpi_t x, y, z;
+
+ wherestr = "set_get_point";
+ show ("checking point setting functions\n");
+
+ point = gcry_mpi_point_new (0);
+ x = gcry_mpi_set_ui (NULL, 17);
+ y = gcry_mpi_set_ui (NULL, 42);
+ z = gcry_mpi_set_ui (NULL, 11371);
+ gcry_mpi_point_get (x, y, z, point);
+ if (gcry_mpi_cmp_ui (x, 0)
+ || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0))
+ fail ("new point not initialized to (0,0,0)\n");
+ gcry_mpi_point_snatch_get (x, y, z, point);
+ point = NULL;
+ if (gcry_mpi_cmp_ui (x, 0)
+ || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0))
+ fail ("snatch_get failed\n");
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+
+ point = gcry_mpi_point_new (0);
+ x = gcry_mpi_set_ui (NULL, 17);
+ y = gcry_mpi_set_ui (NULL, 42);
+ z = gcry_mpi_set_ui (NULL, 11371);
+ gcry_mpi_point_set (point, x, y, z);
+ gcry_mpi_set_ui (x, 23);
+ gcry_mpi_set_ui (y, 24);
+ gcry_mpi_set_ui (z, 25);
+ gcry_mpi_point_get (x, y, z, point);
+ if (gcry_mpi_cmp_ui (x, 17)
+ || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371))
+ fail ("point_set/point_get failed\n");
+ gcry_mpi_point_snatch_set (point, x, y, z);
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+ gcry_mpi_point_get (x, y, z, point);
+ if (gcry_mpi_cmp_ui (x, 17)
+ || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371))
+ fail ("point_snatch_set/point_get failed\n");
+
+ gcry_mpi_point_release (point);
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+}
+
+
+static void
+context_alloc (void)
+{
+ gpg_error_t err;
+ gcry_ctx_t ctx;
+ gcry_mpi_t p, a;
+
+ wherestr = "context_alloc";
+ show ("checking context functions\n");
+
+ p = gcry_mpi_set_ui (NULL, 1);
+ a = gcry_mpi_set_ui (NULL, 1);
+ err = ec_p_new (&ctx, p, a);
+ if (err)
+ die ("ec_p_new returned an error: %s\n", gpg_strerror (err));
+ gcry_mpi_release (p);
+ gcry_mpi_release (a);
+ gcry_ctx_release (ctx);
+
+ p = gcry_mpi_set_ui (NULL, 0);
+ a = gcry_mpi_set_ui (NULL, 0);
+ err = ec_p_new (&ctx, p, a);
+ if (!err || gpg_err_code (err) != GPG_ERR_EINVAL)
+ fail ("ec_p_new: bad parameter detection failed (1)\n");
+
+ gcry_mpi_set_ui (p, 1);
+ err = ec_p_new (&ctx, p, a);
+ if (!err || gpg_err_code (err) != GPG_ERR_EINVAL)
+ fail ("ec_p_new: bad parameter detection failed (2)\n");
+
+ gcry_mpi_release (p);
+ p = NULL;
+ err = ec_p_new (&ctx, p, a);
+ if (!err || gpg_err_code (err) != GPG_ERR_EINVAL)
+ fail ("ec_p_new: bad parameter detection failed (3)\n");
+
+ gcry_mpi_release (a);
+ a = NULL;
+ err = ec_p_new (&ctx, p, a);
+ if (!err || gpg_err_code (err) != GPG_ERR_EINVAL)
+ fail ("ec_p_new: bad parameter detection failed (4)\n");
+
+}
+
+
+static int
+get_and_cmp_mpi (const char *name, const char *mpistring, const char *desc,
+ gcry_ctx_t ctx)
+{
+ gcry_mpi_t mpi;
+
+ mpi = gcry_mpi_ec_get_mpi (name, ctx, 1);
+ if (!mpi)
+ {
+ fail ("error getting parameter '%s' of curve '%s'\n", name, desc);
+ return 1;
+ }
+ if (debug)
+ print_mpi (name, mpi);
+ if (cmp_mpihex (mpi, mpistring))
+ {
+ fail ("parameter '%s' of curve '%s' does not match\n", name, desc);
+ gcry_mpi_release (mpi);
+ return 1;
+ }
+ gcry_mpi_release (mpi);
+ return 0;
+}
+
+
+static int
+get_and_cmp_point (const char *name,
+ const char *mpi_x_string, const char *mpi_y_string,
+ const char *desc, gcry_ctx_t ctx)
+{
+ gcry_mpi_point_t point;
+ gcry_mpi_t x, y, z;
+ int result = 0;
+
+ point = gcry_mpi_ec_get_point (name, ctx, 1);
+ if (!point)
+ {
+ fail ("error getting point parameter '%s' of curve '%s'\n", name, desc);
+ return 1;
+ }
+ if (debug)
+ print_point (name, point);
+
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+ gcry_mpi_point_snatch_get (x, y, z, point);
+ if (cmp_mpihex (x, mpi_x_string))
+ {
+ fail ("x coordinate of '%s' of curve '%s' does not match\n", name, desc);
+ result = 1;
+ }
+ if (cmp_mpihex (y, mpi_y_string))
+ {
+ fail ("y coordinate of '%s' of curve '%s' does not match\n", name, desc);
+ result = 1;
+ }
+ if (cmp_mpihex (z, "01"))
+ {
+ fail ("z coordinate of '%s' of curve '%s' is not 1\n", name, desc);
+ result = 1;
+ }
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+ return result;
+}
+
+
+static void
+context_param (void)
+{
+ gpg_error_t err;
+ int idx;
+ gcry_ctx_t ctx = NULL;
+ gcry_mpi_t q, d;
+ gcry_sexp_t keyparam;
+
+ wherestr = "context_param";
+
+ show ("checking standard curves\n");
+ for (idx=0; test_curve[idx].desc; idx++)
+ {
+ gcry_ctx_release (ctx);
+ err = gcry_mpi_ec_new (&ctx, NULL, test_curve[idx].desc);
+ if (err)
+ {
+ fail ("can't create context for curve '%s': %s\n",
+ test_curve[idx].desc, gpg_strerror (err));
+ continue;
+ }
+ if (get_and_cmp_mpi ("p", test_curve[idx].p, test_curve[idx].desc, ctx))
+ continue;
+ if (get_and_cmp_mpi ("a", test_curve[idx].a, test_curve[idx].desc, ctx))
+ continue;
+ if (get_and_cmp_mpi ("b", test_curve[idx].b, test_curve[idx].desc, ctx))
+ continue;
+ if (get_and_cmp_mpi ("g.x",test_curve[idx].g_x, test_curve[idx].desc,ctx))
+ continue;
+ if (get_and_cmp_mpi ("g.y",test_curve[idx].g_y, test_curve[idx].desc,ctx))
+ continue;
+ if (get_and_cmp_mpi ("n", test_curve[idx].n, test_curve[idx].desc, ctx))
+ continue;
+ if (get_and_cmp_point ("g", test_curve[idx].g_x, test_curve[idx].g_y,
+ test_curve[idx].desc, ctx))
+ continue;
+
+ }
+
+ show ("checking sample public key (nistp256)\n");
+ q = hex2mpi (sample_p256_q);
+ err = gcry_sexp_build (&keyparam, NULL,
+ "(public-key(ecc(curve %s)(q %m)))",
+ "NIST P-256", q);
+ if (err)
+ die ("gcry_sexp_build failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (q);
+
+ /* We can't call gcry_pk_testkey because it is only implemented for
+ private keys. */
+ /* err = gcry_pk_testkey (keyparam); */
+ /* if (err) */
+ /* fail ("gcry_pk_testkey failed for sample public key: %s\n", */
+ /* gpg_strerror (err)); */
+
+ gcry_ctx_release (ctx);
+ err = gcry_mpi_ec_new (&ctx, keyparam, NULL);
+ if (err)
+ fail ("gcry_mpi_ec_new failed for sample public key (nistp256): %s\n",
+ gpg_strerror (err));
+ else
+ {
+ gcry_sexp_t sexp;
+
+ get_and_cmp_mpi ("q", sample_p256_q, "nistp256", ctx);
+ get_and_cmp_point ("q", sample_p256_q_x, sample_p256_q_y, "nistp256",
+ ctx);
+
+ /* Delete Q. */
+ err = gcry_mpi_ec_set_mpi ("q", NULL, ctx);
+ if (err)
+ fail ("clearing Q for nistp256 failed: %s\n", gpg_strerror (err));
+ if (gcry_mpi_ec_get_mpi ("q", ctx, 0))
+ fail ("clearing Q for nistp256 did not work\n");
+
+ /* Set Q again. */
+ q = hex2mpi (sample_p256_q);
+ err = gcry_mpi_ec_set_mpi ("q", q, ctx);
+ if (err)
+ fail ("setting Q for nistp256 failed: %s\n", gpg_strerror (err));
+ get_and_cmp_mpi ("q", sample_p256_q, "nistp256(2)", ctx);
+ gcry_mpi_release (q);
+
+ /* Get as s-expression. */
+ err = gcry_pubkey_get_sexp (&sexp, 0, ctx);
+ if (err)
+ fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err));
+ else if (debug)
+ print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp);
+ gcry_sexp_release (sexp);
+
+ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx);
+ if (err)
+ fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n",
+ gpg_strerror (err));
+ else if (debug)
+ print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp);
+ gcry_sexp_release (sexp);
+
+ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx);
+ if (gpg_err_code (err) != GPG_ERR_NO_SECKEY)
+ fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n",
+ gpg_strerror (err));
+ gcry_sexp_release (sexp);
+ }
+
+ show ("checking sample public key (Ed25519)\n");
+ q = hex2mpi (sample_ed25519_q);
+ gcry_sexp_release (keyparam);
+ err = gcry_sexp_build (&keyparam, NULL,
+ "(public-key(ecc(curve %s)(flags eddsa)(q %m)))",
+ "Ed25519", q);
+ if (err)
+ die ("gcry_sexp_build failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (q);
+
+ /* We can't call gcry_pk_testkey because it is only implemented for
+ private keys. */
+ /* err = gcry_pk_testkey (keyparam); */
+ /* if (err) */
+ /* fail ("gcry_pk_testkey failed for sample public key: %s\n", */
+ /* gpg_strerror (err)); */
+
+ gcry_ctx_release (ctx);
+ err = gcry_mpi_ec_new (&ctx, keyparam, NULL);
+ if (err)
+ fail ("gcry_mpi_ec_new failed for sample public key: %s\n",
+ gpg_strerror (err));
+ else
+ {
+ gcry_sexp_t sexp;
+
+ get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519", ctx);
+ get_and_cmp_point ("q", sample_ed25519_q_x, sample_ed25519_q_y,
+ "Ed25519", ctx);
+ get_and_cmp_mpi ("q at eddsa", sample_ed25519_q_eddsa, "Ed25519", ctx);
+
+ /* Set d to see whether Q is correctly re-computed. */
+ d = hex2mpi (sample_ed25519_d);
+ err = gcry_mpi_ec_set_mpi ("d", d, ctx);
+ if (err)
+ fail ("setting d for Ed25519 failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (d);
+ get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519(recompute Q)", ctx);
+
+ /* Delete Q by setting d and then clearing d. The clearing is
+ required so that we can check whether Q has been cleared and
+ because further tests only expect a public key. */
+ d = hex2mpi (sample_ed25519_d);
+ err = gcry_mpi_ec_set_mpi ("d", d, ctx);
+ if (err)
+ fail ("setting d for Ed25519 failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (d);
+ err = gcry_mpi_ec_set_mpi ("d", NULL, ctx);
+ if (err)
+ fail ("setting d for Ed25519 failed(2): %s\n", gpg_strerror (err));
+ if (gcry_mpi_ec_get_mpi ("q", ctx, 0))
+ fail ("setting d for Ed25519 did not reset Q\n");
+
+ /* Set Q again. We need to use an opaque MPI here because
+ sample_ed25519_q is in uncompressed format which can only be
+ auto-detected if passed opaque. */
+ q = hex2mpiopa (sample_ed25519_q);
+ err = gcry_mpi_ec_set_mpi ("q", q, ctx);
+ if (err)
+ fail ("setting Q for Ed25519 failed: %s\n", gpg_strerror (err));
+ gcry_mpi_release (q);
+ get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519(2)", ctx);
+
+ /* Get as s-expression. */
+ err = gcry_pubkey_get_sexp (&sexp, 0, ctx);
+ if (err)
+ fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err));
+ else if (debug)
+ print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp);
+ gcry_sexp_release (sexp);
+
+ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx);
+ if (err)
+ fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n",
+ gpg_strerror (err));
+ else if (debug)
+ print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp);
+ gcry_sexp_release (sexp);
+
+ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx);
+ if (gpg_err_code (err) != GPG_ERR_NO_SECKEY)
+ fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n",
+ gpg_strerror (err));
+ gcry_sexp_release (sexp);
+
+ }
+
+ gcry_ctx_release (ctx);
+ gcry_sexp_release (keyparam);
+}
+
+
+
+
+/* Create a new point from (X,Y,Z) given as hex strings. */
+gcry_mpi_point_t
+make_point (const char *x, const char *y, const char *z)
+{
+ gcry_mpi_point_t point;
+
+ point = gcry_mpi_point_new (0);
+ gcry_mpi_point_snatch_set (point, hex2mpi (x), hex2mpi (y), hex2mpi (z));
+
+ return point;
+}
+
+
+/* This tests checks that the low-level EC API yields the same result
+ as using the high level API. The values have been taken from a
+ test run using the high level API. */
+static void
+basic_ec_math (void)
+{
+ gpg_error_t err;
+ gcry_ctx_t ctx;
+ gcry_mpi_t P, A;
+ gcry_mpi_point_t G, Q;
+ gcry_mpi_t d;
+ gcry_mpi_t x, y, z;
+
+ wherestr = "basic_ec_math";
+ show ("checking basic math functions for EC\n");
+
+ P = hex2mpi ("0xfffffffffffffffffffffffffffffffeffffffffffffffff");
+ A = hex2mpi ("0xfffffffffffffffffffffffffffffffefffffffffffffffc");
+ G = make_point ("188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
+ "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
+ "1");
+ d = hex2mpi ("D4EF27E32F8AD8E2A1C6DDEBB1D235A69E3CEF9BCE90273D");
+ Q = gcry_mpi_point_new (0);
+
+ err = ec_p_new (&ctx, P, A);
+ if (err)
+ die ("ec_p_new failed: %s\n", gpg_strerror (err));
+
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+
+ {
+ /* A quick check that multiply by zero works. */
+ gcry_mpi_t tmp;
+
+ tmp = gcry_mpi_new (0);
+ gcry_mpi_ec_mul (Q, tmp, G, ctx);
+ gcry_mpi_release (tmp);
+ gcry_mpi_point_get (x, y, z, Q);
+ if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 0)
+ || gcry_mpi_cmp_ui (z, 0))
+ fail ("multiply a point by zero failed\n");
+ }
+
+ gcry_mpi_ec_mul (Q, d, G, ctx);
+ gcry_mpi_point_get (x, y, z, Q);
+ if (cmp_mpihex (x, "222D9EC717C89D047E0898C9185B033CD11C0A981EE6DC66")
+ || cmp_mpihex (y, "605DE0A82D70D3E0F84A127D0739ED33D657DF0D054BFDE8")
+ || cmp_mpihex (z, "00B06B519071BC536999AC8F2D3934B3C1FC9EACCD0A31F88F"))
+ fail ("computed public key does not match\n");
+ if (debug)
+ {
+ print_mpi ("Q.x", x);
+ print_mpi ("Q.y", y);
+ print_mpi ("Q.z", z);
+ }
+
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ fail ("failed to get affine coordinates\n");
+ if (cmp_mpihex (x, "008532093BA023F4D55C0424FA3AF9367E05F309DC34CDC3FE")
+ || cmp_mpihex (y, "00C13CA9E617C6C8487BFF6A726E3C4F277913D97117939966"))
+ fail ("computed affine coordinates of public key do not match\n");
+ if (debug)
+ {
+ print_mpi ("q.x", x);
+ print_mpi ("q.y", y);
+ }
+
+ gcry_mpi_release (z);
+ gcry_mpi_release (y);
+ gcry_mpi_release (x);
+ gcry_mpi_point_release (Q);
+ gcry_mpi_release (d);
+ gcry_mpi_point_release (G);
+ gcry_mpi_release (A);
+ gcry_mpi_release (P);
+ gcry_ctx_release (ctx);
+}
+
+
+/* Check the math used with Twisted Edwards curves. */
+static void
+twistededwards_math (void)
+{
+ gpg_error_t err;
+ gcry_ctx_t ctx;
+ gcry_mpi_point_t G, Q;
+ gcry_mpi_t k;
+ gcry_mpi_t w, a, x, y, z, p, n, b, I;
+
+ wherestr = "twistededwards_math";
+ show ("checking basic Twisted Edwards math\n");
+
+ err = gcry_mpi_ec_new (&ctx, NULL, "Ed25519");
+ if (err)
+ die ("gcry_mpi_ec_new failed: %s\n", gpg_strerror (err));
+
+ k = hex2mpi
+ ("2D3501E723239632802454EE5DDC406EFB0BDF18486A5BDE9C0390A9C2984004"
+ "F47252B628C953625B8DEB5DBCB8DA97AA43A1892D11FA83596F42E0D89CB1B6");
+ G = gcry_mpi_ec_get_point ("g", ctx, 1);
+ if (!G)
+ die ("gcry_mpi_ec_get_point(G) failed\n");
+ Q = gcry_mpi_point_new (0);
+
+
+ w = gcry_mpi_new (0);
+ a = gcry_mpi_new (0);
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+ z = gcry_mpi_new (0);
+ I = gcry_mpi_new (0);
+ p = gcry_mpi_ec_get_mpi ("p", ctx, 1);
+ n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+ b = gcry_mpi_ec_get_mpi ("b", ctx, 1);
+
+ /* Check: 2^{p-1} mod p == 1 */
+ gcry_mpi_sub_ui (a, p, 1);
+ gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, p);
+ if (gcry_mpi_cmp_ui (w, 1))
+ fail ("failed assertion: 2^{p-1} mod p == 1\n");
+
+ /* Check: p % 4 == 1 */
+ gcry_mpi_mod (w, p, GCRYMPI_CONST_FOUR);
+ if (gcry_mpi_cmp_ui (w, 1))
+ fail ("failed assertion: p % 4 == 1\n");
+
+ /* Check: 2^{n-1} mod n == 1 */
+ gcry_mpi_sub_ui (a, n, 1);
+ gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, n);
+ if (gcry_mpi_cmp_ui (w, 1))
+ fail ("failed assertion: 2^{n-1} mod n == 1\n");
+
+ /* Check: b^{(p-1)/2} mod p == p-1 */
+ gcry_mpi_sub_ui (a, p, 1);
+ gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_TWO, -1);
+ gcry_mpi_powm (w, b, x, p);
+ gcry_mpi_abs (w);
+ if (gcry_mpi_cmp (w, a))
+ fail ("failed assertion: b^{(p-1)/2} mod p == p-1\n");
+
+ /* I := 2^{(p-1)/4} mod p */
+ gcry_mpi_sub_ui (a, p, 1);
+ gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_FOUR, -1);
+ gcry_mpi_powm (I, GCRYMPI_CONST_TWO, x, p);
+
+ /* Check: I^2 mod p == p-1 */
+ gcry_mpi_powm (w, I, GCRYMPI_CONST_TWO, p);
+ if (gcry_mpi_cmp (w, a))
+ fail ("failed assertion: I^2 mod p == p-1\n");
+
+ /* Check: G is on the curve */
+ if (!gcry_mpi_ec_curve_point (G, ctx))
+ fail ("failed assertion: G is on the curve\n");
+
+ /* Check: nG == (0,1) */
+ gcry_mpi_ec_mul (Q, n, G, ctx);
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ fail ("failed to get affine coordinates\n");
+ if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 1))
+ fail ("failed assertion: nG == (0,1)\n");
+
+ /* Now two arbitrary point operations taken from the ed25519.py
+ sample data. */
+ gcry_mpi_release (a);
+ a = hex2mpi
+ ("4f71d012df3c371af3ea4dc38385ca5bb7272f90cb1b008b3ed601c76de1d496"
+ "e30cbf625f0a756a678d8f256d5325595cccc83466f36db18f0178eb9925edd3");
+ gcry_mpi_ec_mul (Q, a, G, ctx);
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ fail ("failed to get affine coordinates\n");
+ if (cmp_mpihex (x, ("157f7361c577aad36f67ed33e38dc7be"
+ "00014fecc2165ca5cee9eee19fe4d2c1"))
+ || cmp_mpihex (y, ("5a69dbeb232276b38f3f5016547bb2a2"
+ "4025645f0b820e72b8cad4f0a909a092")))
+ {
+ fail ("sample point multiply failed:\n");
+ print_mpi ("r", a);
+ print_mpi ("Rx", x);
+ print_mpi ("Ry", y);
+ }
+
+ gcry_mpi_release (a);
+ a = hex2mpi
+ ("2d3501e723239632802454ee5ddc406efb0bdf18486a5bde9c0390a9c2984004"
+ "f47252b628c953625b8deb5dbcb8da97aa43a1892d11fa83596f42e0d89cb1b6");
+ gcry_mpi_ec_mul (Q, a, G, ctx);
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ fail ("failed to get affine coordinates\n");
+ if (cmp_mpihex (x, ("6218e309d40065fcc338b3127f468371"
+ "82324bd01ce6f3cf81ab44e62959c82a"))
+ || cmp_mpihex (y, ("5501492265e073d874d9e5b81e7f8784"
+ "8a826e80cce2869072ac60c3004356e5")))
+ {
+ fail ("sample point multiply failed:\n");
+ print_mpi ("r", a);
+ print_mpi ("Rx", x);
+ print_mpi ("Ry", y);
+ }
+
+
+ gcry_mpi_release (I);
+ gcry_mpi_release (b);
+ gcry_mpi_release (n);
+ gcry_mpi_release (p);
+ gcry_mpi_release (w);
+ gcry_mpi_release (a);
+ gcry_mpi_release (x);
+ gcry_mpi_release (y);
+ gcry_mpi_release (z);
+ gcry_mpi_point_release (Q);
+ gcry_mpi_point_release (G);
+ gcry_mpi_release (k);
+ gcry_ctx_release (ctx);
+}
+
+
+int
+main (int argc, char **argv)
+{
+
+ if (argc > 1 && !strcmp (argv[1], "--verbose"))
+ verbose = 1;
+ else if (argc > 1 && !strcmp (argv[1], "--debug"))
+ verbose = debug = 1;
+
+ if (!gcry_check_version (GCRYPT_VERSION))
+ die ("version mismatch\n");
+
+ gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+ gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+ if (debug)
+ gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+
+ set_get_point ();
+ context_alloc ();
+ context_param ();
+ basic_ec_math ();
+ twistededwards_math ();
+
+ show ("All tests completed. Errors: %d\n", error_count);
+ return error_count ? 1 : 0;
+}
More information about the scm-commits
mailing list