From 29374bc3eda2f8cccf6e461f40859840e59d2c62 Mon Sep 17 00:00:00 2001 From: Richard W.M. Jones Date: Mar 08 2024 15:40:05 +0000 Subject: Rebase to libgcrypt 1.10.3 to match Fedora (RHBZ#2268272) - Add *.pc (pkgconf) files --- diff --git a/.gitignore b/.gitignore index 6f22957..3359399 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,38 @@ -libgcrypt-1.4.4.tar.bz2 +libgcrypt-1.4.5-hobbled.tar.bz2 +/libgcrypt-1.4.6-hobbled.tar.bz2 /libgcrypt-1.5.0-hobbled.tar.bz2 -/libgcrypt-*-hobbled.tar.xz +/libgcrypt-1.5.1-hobbled.tar.xz +/libgcrypt-1.5.2-hobbled.tar.xz +/libgcrypt-1.5.3-hobbled.tar.xz +/libgcrypt-1.6.1-hobbled.tar.xz +/libgcrypt-1.6.2-hobbled.tar.xz +/libgcrypt-1.6.3-hobbled.tar.xz +/libgcrypt-1.6.4-hobbled.tar.xz +/libgcrypt-1.6.5-hobbled.tar.xz +/libgcrypt-1.6.6-hobbled.tar.xz +/libgcrypt-1.7.3-hobbled.tar.xz +/libgcrypt-1.7.5-hobbled.tar.xz +/libgcrypt-1.7.6-hobbled.tar.xz +/libgcrypt-1.7.7-hobbled.tar.xz +/libgcrypt-1.7.8-hobbled.tar.xz +/libgcrypt-1.8.0-hobbled.tar.xz +/libgcrypt-1.8.1-hobbled.tar.xz +/libgcrypt-1.8.2-hobbled.tar.xz +/libgcrypt-1.8.3-hobbled.tar.xz +/libgcrypt-1.8.4-hobbled.tar.xz +/libgcrypt-1.8.5-hobbled.tar.xz +/libgcrypt-1.8.6-hobbled.tar.xz +/libgcrypt-1.8.7-hobbled.tar.xz +/libgcrypt-1.9.0-hobbled.tar.xz +/libgcrypt-1.9.1-hobbled.tar.xz +/libgcrypt-1.9.2-hobbled.tar.xz +/libgcrypt-1.9.3-hobbled.tar.xz +/libgcrypt-1.9.4-hobbled.tar.xz +/libgcrypt-1.10.0.tar.bz2 +/libgcrypt-1.10.0.tar.bz2.sig +/libgcrypt-1.10.1.tar.bz2 +/libgcrypt-1.10.1.tar.bz2.sig +/libgcrypt-1.10.2.tar.bz2 +/libgcrypt-1.10.2.tar.bz2.sig +/libgcrypt-1.10.3.tar.bz2 +/libgcrypt-1.10.3.tar.bz2.sig diff --git a/curves.c b/curves.c deleted file mode 100644 index b68e0e2..0000000 --- a/curves.c +++ /dev/null @@ -1,144 +0,0 @@ -/* curves.c - ECC curves regression tests - * Copyright (C) 2011 Free Software Foundation, Inc. - * - * This file is part of Libgcrypt. - * - * Libgcrypt is free software; you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * Libgcrypt is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA - */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include - -#include "../src/gcrypt-int.h" - - -#define PGM "curves" -#include "t-common.h" - -/* Number of curves defined in ../cipger/ecc.c */ -#define N_CURVES 14 - -/* A real world sample public key. */ -static char const sample_key_1[] = -"(public-key\n" -" (ecdsa\n" -" (p #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF#)\n" -" (a #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC#)\n" -" (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)\n" -" (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296" - "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)\n" -" (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)\n" -" (h #000000000000000000000000000000000000000000000000000000000000000001#)\n" -" (q #0442B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146EE" - "86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E#)\n" -" ))"; -static char const sample_key_1_curve[] = "NIST P-256"; -static unsigned int sample_key_1_nbits = 256; - - - -static void -list_curves (void) -{ - int idx; - const char *name; - unsigned int nbits; - - for (idx=0; (name = gcry_pk_get_curve (NULL, idx, &nbits)); idx++) - { - if (verbose) - printf ("%s - %u bits\n", name, nbits); - } - if (idx != N_CURVES) - fail ("expected %d curves but got %d\n", N_CURVES, idx); - if (gcry_pk_get_curve (NULL, -1, NULL)) - fail ("curve iteration failed\n"); -} - - -static void -check_matching (void) -{ - gpg_error_t err; - gcry_sexp_t key; - const char *name; - unsigned int nbits; - - err = gcry_sexp_new (&key, sample_key_1, 0, 1); - if (err) - die ("parsing s-expression string failed: %s\n", gpg_strerror (err)); - name = gcry_pk_get_curve (key, 0, &nbits); - if (!name) - fail ("curve name not found for sample_key_1\n"); - else if (strcmp (name, sample_key_1_curve)) - fail ("expected curve name %s but got %s for sample_key_1\n", - sample_key_1_curve, name); - else if (nbits != sample_key_1_nbits) - fail ("expected curve size %u but got %u for sample_key_1\n", - sample_key_1_nbits, nbits); - - gcry_sexp_release (key); - -} - - -static void -check_get_params (void) -{ - gcry_sexp_t param; - const char *name; - - param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_1_curve); - if (!param) - fail ("error gerring parameters for `%s'\n", sample_key_1_curve); - - name = gcry_pk_get_curve (param, 0, NULL); - if (!name) - fail ("get_param: curve name not found for sample_key_1\n"); - else if (strcmp (name, sample_key_1_curve)) - fail ("get_param: expected curve name %s but got %s for sample_key_1\n", - sample_key_1_curve, name); - - gcry_sexp_release (param); - -} - - -int -main (int argc, char **argv) -{ - if (argc > 1 && !strcmp (argv[1], "--verbose")) - verbose = 1; - else if (argc > 1 && !strcmp (argv[1], "--debug")) - verbose = debug = 1; - - if (!gcry_check_version (GCRYPT_VERSION)) - die ("version mismatch\n"); - - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); - if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - list_curves (); - check_matching (); - check_get_params (); - - return error_count ? 1 : 0; -} diff --git a/ecc-curves.c b/ecc-curves.c deleted file mode 100644 index 1720778..0000000 --- a/ecc-curves.c +++ /dev/null @@ -1,1207 +0,0 @@ -/* ecc-curves.c - Elliptic Curve parameter mangement - * Copyright (C) 2007, 2008, 2010, 2011 Free Software Foundation, Inc. - * Copyright (C) 2013 g10 Code GmbH - * - * This file is part of Libgcrypt. - * - * Libgcrypt is free software; you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * Libgcrypt is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this program; if not, see . - */ - -#include -#include -#include -#include -#include - -#include "g10lib.h" -#include "mpi.h" -#include "cipher.h" -#include "context.h" -#include "ec-context.h" -#include "pubkey-internal.h" -#include "ecc-common.h" - - -/* This tables defines aliases for curve names. */ -static const struct -{ - const char *name; /* Our name. */ - const char *other; /* Other name. */ -} curve_aliases[] = - { - { "Curve25519", "1.3.6.1.4.1.3029.1.5.1" }, - { "Ed25519", "1.3.6.1.4.1.11591.15.1" }, - - { "NIST P-224", "secp224r1" }, - { "NIST P-224", "1.3.132.0.33" }, /* SECP OID. */ - { "NIST P-224", "nistp224" }, /* rfc5656. */ - - { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1. */ - { "NIST P-256", "prime256v1" }, - { "NIST P-256", "secp256r1" }, - { "NIST P-256", "nistp256" }, /* rfc5656. */ - - { "NIST P-384", "secp384r1" }, - { "NIST P-384", "1.3.132.0.34" }, - { "NIST P-384", "nistp384" }, /* rfc5656. */ - - { "NIST P-521", "secp521r1" }, - { "NIST P-521", "1.3.132.0.35" }, - { "NIST P-521", "nistp521" }, /* rfc5656. */ - - { "GOST2001-test", "1.2.643.2.2.35.0" }, - { "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" }, - { "GOST2001-CryptoPro-B", "1.2.643.2.2.35.2" }, - { "GOST2001-CryptoPro-C", "1.2.643.2.2.35.3" }, - { "GOST2001-CryptoPro-A", "GOST2001-CryptoPro-XchA" }, - { "GOST2001-CryptoPro-C", "GOST2001-CryptoPro-XchB" }, - { "GOST2001-CryptoPro-A", "1.2.643.2.2.36.0" }, - { "GOST2001-CryptoPro-C", "1.2.643.2.2.36.1" }, - - { "GOST2012-tc26-A", "1.2.643.7.1.2.1.2.1" }, - { "GOST2012-tc26-B", "1.2.643.7.1.2.1.2.2" }, - - { "secp256k1", "1.3.132.0.10" }, - - { NULL, NULL} - }; - - -typedef struct -{ - const char *desc; /* Description of the curve. */ - unsigned int nbits; /* Number of bits. */ - unsigned int fips:1; /* True if this is a FIPS140-2 approved curve. */ - - /* The model describing this curve. This is mainly used to select - the group equation. */ - enum gcry_mpi_ec_models model; - - /* The actual ECC dialect used. This is used for curve specific - optimizations and to select encodings etc. */ - enum ecc_dialects dialect; - - const char *p; /* The prime defining the field. */ - const char *a, *b; /* The coefficients. For Twisted Edwards - Curves b is used for d. For Montgomery - Curves (a,b) has ((A-2)/4,B^-1). */ - const char *n; /* The order of the base point. */ - const char *g_x, *g_y; /* Base point. */ - const char *h; /* Cofactor. */ -} ecc_domain_parms_t; - - -/* This static table defines all available curves. */ -static const ecc_domain_parms_t domain_parms[] = - { - { - /* (-x^2 + y^2 = 1 + dx^2y^2) */ - "Ed25519", 256, 0, - MPI_EC_EDWARDS, ECC_DIALECT_ED25519, - "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", - "-0x01", - "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A", - "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", - "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", - "0x6666666666666666666666666666666666666666666666666666666666666658", - "0x08" - }, - { - /* (y^2 = x^3 + 486662*x^2 + x) */ - "Curve25519", 256, 0, - MPI_EC_MONTGOMERY, ECC_DIALECT_STANDARD, - "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", - "0x01DB41", - "0x01", - "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", - "0x0000000000000000000000000000000000000000000000000000000000000009", - "0x20AE19A1B8A086B4E01EDD2C7748D14C923D4D7E6D7C61B229E9C5A27ECED3D9", - "0x08" - }, - { - "NIST P-224", 224, 1, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xffffffffffffffffffffffffffffffff000000000000000000000001", - "0xfffffffffffffffffffffffffffffffefffffffffffffffffffffffe", - "0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4", - "0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d" , - - "0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", - "0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34", - "0x01" - }, - { - "NIST P-256", 256, 1, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff", - "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc", - "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", - "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", - - "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", - "0x01" - }, - { - "NIST P-384", 384, 1, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" - "ffffffff0000000000000000ffffffff", - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" - "ffffffff0000000000000000fffffffc", - "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a" - "c656398d8a2ed19d2a85c8edd3ec2aef", - "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf" - "581a0db248b0a77aecec196accc52973", - - "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" - "5502f25dbf55296c3a545e3872760ab7", - "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" - "0a60b1ce1d7e819d7a431d7c90ea0e5f", - "0x01" - }, - { - "NIST P-521", 521, 1, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", - "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10" - "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", - "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", - - "0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d" - "3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - "0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e" - "662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", - "0x01" - }, - - { - "GOST2001-test", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x8000000000000000000000000000000000000000000000000000000000000431", - "0x0000000000000000000000000000000000000000000000000000000000000007", - "0x5fbff498aa938ce739b8e022fbafef40563f6e6a3472fc2a514c0ce9dae23b7e", - "0x8000000000000000000000000000000150fe8a1892976154c59cfc193accf5b3", - - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x08e2a8a0e65147d4bd6316030e16d19c85c97f0a9ca267122b96abbcea7e8fc8", - "0x01" - }, - { - "GOST2001-CryptoPro-A", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd97", - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd94", - "0x00000000000000000000000000000000000000000000000000000000000000a6", - "0xffffffffffffffffffffffffffffffff6c611070995ad10045841b09b761b893", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x8d91e471e0989cda27df505a453f2b7635294f2ddf23e3b122acc99c9e9f1e14", - "0x01" - }, - { - "GOST2001-CryptoPro-B", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x8000000000000000000000000000000000000000000000000000000000000c99", - "0x8000000000000000000000000000000000000000000000000000000000000c96", - "0x3e1af419a269a5f866a7d3c25c3df80ae979259373ff2b182f49d4ce7e1bbc8b", - "0x800000000000000000000000000000015f700cfff1a624e5e497161bcc8a198f", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x3fa8124359f96680b83d1c3eb2c070e5c545c9858d03ecfb744bf8d717717efc", - "0x01" - }, - { - "GOST2001-CryptoPro-C", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x9b9f605f5a858107ab1ec85e6b41c8aacf846e86789051d37998f7b9022d759b", - "0x9b9f605f5a858107ab1ec85e6b41c8aacf846e86789051d37998f7b9022d7598", - "0x000000000000000000000000000000000000000000000000000000000000805a", - "0x9b9f605f5a858107ab1ec85e6b41c8aa582ca3511eddfb74f02f3a6598980bb9", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x41ece55743711a8c3cbf3783cd08c0ee4d4dc440d4641a8f366e550dfdb3bb67", - "0x01" - }, - { - "GOST2012-test", 511, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x4531acd1fe0023c7550d267b6b2fee80922b14b2ffb90f04d4eb7c09b5d2d15d" - "f1d852741af4704a0458047e80e4546d35b8336fac224dd81664bbf528be6373", - "0x0000000000000000000000000000000000000000000000000000000000000007", - "0x1cff0806a31116da29d8cfa54e57eb748bc5f377e49400fdd788b649eca1ac4" - "361834013b2ad7322480a89ca58e0cf74bc9e540c2add6897fad0a3084f302adc", - "0x4531acd1fe0023c7550d267b6b2fee80922b14b2ffb90f04d4eb7c09b5d2d15d" - "a82f2d7ecb1dbac719905c5eecc423f1d86e25edbe23c595d644aaf187e6e6df", - - "0x24d19cc64572ee30f396bf6ebbfd7a6c5213b3b3d7057cc825f91093a68cd762" - "fd60611262cd838dc6b60aa7eee804e28bc849977fac33b4b530f1b120248a9a", - "0x2bb312a43bd2ce6e0d020613c857acddcfbf061e91e5f2c3f32447c259f39b2" - "c83ab156d77f1496bf7eb3351e1ee4e43dc1a18b91b24640b6dbb92cb1add371e", - "0x01" - }, - { - "GOST2012-tc26-A", 512, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc7", - "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc4", - "0xe8c2505dedfc86ddc1bd0b2b6667f1da34b82574761cb0e879bd081cfd0b6265" - "ee3cb090f30d27614cb4574010da90dd862ef9d4ebee4761503190785a71c760", - "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "27e69532f48d89116ff22b8d4e0560609b4b38abfad2b85dcacdb1411f10b275", - "0x0000000000000000000000000000000000000000000000000000000000000000" - "0000000000000000000000000000000000000000000000000000000000000003", - "0x7503cfe87a836ae3a61b8816e25450e6ce5e1c93acf1abc1778064fdcbefa921" - "df1626be4fd036e93d75e6a50e3a41e98028fe5fc235f5b889a589cb5215f2a4", - "0x01" - }, - { - "GOST2012-tc26-B", 512, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x8000000000000000000000000000000000000000000000000000000000000000" - "000000000000000000000000000000000000000000000000000000000000006f", - "0x8000000000000000000000000000000000000000000000000000000000000000" - "000000000000000000000000000000000000000000000000000000000000006c", - "0x687d1b459dc841457e3e06cf6f5e2517b97c7d614af138bcbf85dc806c4b289f" - "3e965d2db1416d217f8b276fad1ab69c50f78bee1fa3106efb8ccbc7c5140116", - "0x8000000000000000000000000000000000000000000000000000000000000001" - "49a1ec142565a545acfdb77bd9d40cfa8b996712101bea0ec6346c54374f25bd", - "0x0000000000000000000000000000000000000000000000000000000000000000" - "0000000000000000000000000000000000000000000000000000000000000002", - "0x1a8f7eda389b094c2c071e3647a8940f3c123b697578c213be6dd9e6c8ec7335" - "dcb228fd1edf4a39152cbcaaf8c0398828041055f94ceeec7e21340780fe41bd", - "0x01" - }, - - { - "secp256k1", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000007", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", - "0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", - "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", - "0x01" - }, - - { NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL, NULL } - }; - - - - -/* Return a copy of POINT. */ -static gcry_mpi_point_t -point_copy (gcry_mpi_point_t point) -{ - gcry_mpi_point_t newpoint; - - if (point) - { - newpoint = mpi_point_new (0); - point_set (newpoint, point); - } - else - newpoint = NULL; - return newpoint; -} - - -/* Helper to scan a hex string. */ -static gcry_mpi_t -scanval (const char *string) -{ - gpg_err_code_t rc; - gcry_mpi_t val; - - rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL); - if (rc) - log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc)); - return val; -} - - -/* Return the index of the domain_parms table for a curve with NAME. - Return -1 if not found. */ -static int -find_domain_parms_idx (const char *name) -{ - int idx, aliasno; - - /* First check our native curves. */ - for (idx = 0; domain_parms[idx].desc; idx++) - if (!strcmp (name, domain_parms[idx].desc)) - return idx; - - /* If not found consult the alias table. */ - if (!domain_parms[idx].desc) - { - for (aliasno = 0; curve_aliases[aliasno].name; aliasno++) - if (!strcmp (name, curve_aliases[aliasno].other)) - break; - if (curve_aliases[aliasno].name) - { - for (idx = 0; domain_parms[idx].desc; idx++) - if (!strcmp (curve_aliases[aliasno].name, domain_parms[idx].desc)) - return idx; - } - } - - return -1; -} - - -/* Generate the crypto system setup. This function takes the NAME of - a curve or the desired number of bits and stores at R_CURVE the - parameters of the named curve or those of a suitable curve. If - R_NBITS is not NULL, the chosen number of bits is stored there. - NULL may be given for R_CURVE, if the value is not required and for - example only a quick test for availability is desired. Note that - the curve fields should be initialized to zero because fields which - are not NULL are skipped. */ -gpg_err_code_t -_gcry_ecc_fill_in_curve (unsigned int nbits, const char *name, - elliptic_curve_t *curve, unsigned int *r_nbits) -{ - int idx; - const char *resname = NULL; /* Set to a found curve name. */ - - if (name) - idx = find_domain_parms_idx (name); - else - { - for (idx = 0; domain_parms[idx].desc; idx++) - if (nbits == domain_parms[idx].nbits - && domain_parms[idx].model == MPI_EC_WEIERSTRASS) - break; - if (!domain_parms[idx].desc) - idx = -1; - } - if (idx < 0) - return GPG_ERR_UNKNOWN_CURVE; - - resname = domain_parms[idx].desc; - - /* In fips mode we only support NIST curves. Note that it is - possible to bypass this check by specifying the curve parameters - directly. */ - if (fips_mode () && !domain_parms[idx].fips ) - return GPG_ERR_NOT_SUPPORTED; - - switch (domain_parms[idx].model) - { - case MPI_EC_WEIERSTRASS: - case MPI_EC_EDWARDS: - case MPI_EC_MONTGOMERY: - break; - default: - return GPG_ERR_BUG; - } - - - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - - if (curve) - { - curve->model = domain_parms[idx].model; - curve->dialect = domain_parms[idx].dialect; - if (!curve->p) - curve->p = scanval (domain_parms[idx].p); - if (!curve->a) - { - curve->a = scanval (domain_parms[idx].a); - if (curve->a->sign) - mpi_add (curve->a, curve->p, curve->a); - } - if (!curve->b) - { - curve->b = scanval (domain_parms[idx].b); - if (curve->b->sign) - mpi_add (curve->b, curve->p, curve->b); - } - if (!curve->n) - curve->n = scanval (domain_parms[idx].n); - if (!curve->h) - curve->h = scanval (domain_parms[idx].h); - if (!curve->G.x) - curve->G.x = scanval (domain_parms[idx].g_x); - if (!curve->G.y) - curve->G.y = scanval (domain_parms[idx].g_y); - if (!curve->G.z) - curve->G.z = mpi_alloc_set_ui (1); - if (!curve->name) - curve->name = resname; - } - - return 0; -} - - -/* Give the name of the curve NAME, store the curve parameters into P, - A, B, G, N, and H if they point to NULL value. Note that G is returned - in standard uncompressed format. Also update MODEL and DIALECT if - they are not NULL. */ -gpg_err_code_t -_gcry_ecc_update_curve_param (const char *name, - enum gcry_mpi_ec_models *model, - enum ecc_dialects *dialect, - gcry_mpi_t *p, gcry_mpi_t *a, gcry_mpi_t *b, - gcry_mpi_t *g, gcry_mpi_t *n, gcry_mpi_t *h) -{ - int idx; - - idx = find_domain_parms_idx (name); - if (idx < 0) - return GPG_ERR_UNKNOWN_CURVE; - - if (g) - { - char *buf; - size_t len; - - len = 4; - len += strlen (domain_parms[idx].g_x+2); - len += strlen (domain_parms[idx].g_y+2); - len++; - buf = xtrymalloc (len); - if (!buf) - return gpg_err_code_from_syserror (); - strcpy (stpcpy (stpcpy (buf, "0x04"), domain_parms[idx].g_x+2), - domain_parms[idx].g_y+2); - _gcry_mpi_release (*g); - *g = scanval (buf); - xfree (buf); - } - if (model) - *model = domain_parms[idx].model; - if (dialect) - *dialect = domain_parms[idx].dialect; - if (p) - { - _gcry_mpi_release (*p); - *p = scanval (domain_parms[idx].p); - } - if (a) - { - _gcry_mpi_release (*a); - *a = scanval (domain_parms[idx].a); - } - if (b) - { - _gcry_mpi_release (*b); - *b = scanval (domain_parms[idx].b); - } - if (n) - { - _gcry_mpi_release (*n); - *n = scanval (domain_parms[idx].n); - } - if (h) - { - _gcry_mpi_release (*h); - *h = scanval (domain_parms[idx].h); - } - return 0; -} - - -/* Return the name matching the parameters in PKEY. This works only - with curves described by the Weierstrass equation. */ -const char * -_gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits) -{ - gpg_err_code_t rc; - const char *result = NULL; - elliptic_curve_t E; - gcry_mpi_t mpi_g = NULL; - gcry_mpi_t tmp = NULL; - int idx; - - memset (&E, 0, sizeof E); - - if (r_nbits) - *r_nbits = 0; - - if (!keyparms) - { - idx = iterator; - if (idx >= 0 && idx < DIM (domain_parms)) - { - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - } - return result; - } - - - /* - * Extract the curve parameters.. - */ - rc = gpg_err_code (sexp_extract_param (keyparms, NULL, "-pabgnh", - &E.p, &E.a, &E.b, &mpi_g, &E.n, &E.h, - NULL)); - if (rc == GPG_ERR_NO_OBJ) - { - /* This might be the second use case of checking whether a - specific curve given by name is supported. */ - gcry_sexp_t l1; - char *name; - - l1 = sexp_find_token (keyparms, "curve", 5); - if (!l1) - goto leave; /* No curve name parameter. */ - - name = sexp_nth_string (l1, 1); - sexp_release (l1); - if (!name) - goto leave; /* Name missing or out of core. */ - - idx = find_domain_parms_idx (name); - xfree (name); - if (idx >= 0) /* Curve found. */ - { - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - } - return result; - } - - if (rc) - goto leave; - - if (mpi_g) - { - _gcry_mpi_point_init (&E.G); - if (_gcry_ecc_os2ec (&E.G, mpi_g)) - goto leave; - } - - for (idx = 0; domain_parms[idx].desc; idx++) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].p); - if (!mpi_cmp (tmp, E.p)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].a); - if (!mpi_cmp (tmp, E.a)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].b); - if (!mpi_cmp (tmp, E.b)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].n); - if (!mpi_cmp (tmp, E.n)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].h); - if (!mpi_cmp (tmp, E.h)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].g_x); - if (!mpi_cmp (tmp, E.G.x)) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].g_y); - if (!mpi_cmp (tmp, E.G.y)) - { - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - goto leave; - } - } - } - } - } - } - } - } - - leave: - _gcry_mpi_release (tmp); - _gcry_mpi_release (E.p); - _gcry_mpi_release (E.a); - _gcry_mpi_release (E.b); - _gcry_mpi_release (mpi_g); - _gcry_mpi_point_free_parts (&E.G); - _gcry_mpi_release (E.n); - _gcry_mpi_release (E.h); - return result; -} - - -/* Helper to extract an MPI from key parameters. */ -static gpg_err_code_t -mpi_from_keyparam (gcry_mpi_t *r_a, gcry_sexp_t keyparam, const char *name) -{ - gcry_err_code_t ec = 0; - gcry_sexp_t l1; - - l1 = sexp_find_token (keyparam, name, 0); - if (l1) - { - *r_a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG); - sexp_release (l1); - if (!*r_a) - ec = GPG_ERR_INV_OBJ; - } - return ec; -} - -/* Helper to extract a point from key parameters. If no parameter - with NAME is found, the functions tries to find a non-encoded point - by appending ".x", ".y" and ".z" to NAME. ".z" is in this case - optional and defaults to 1. EC is the context which at this point - may not be fully initialized. */ -static gpg_err_code_t -point_from_keyparam (gcry_mpi_point_t *r_a, - gcry_sexp_t keyparam, const char *name, mpi_ec_t ec) -{ - gcry_err_code_t rc; - gcry_sexp_t l1; - gcry_mpi_point_t point; - - l1 = sexp_find_token (keyparam, name, 0); - if (l1) - { - gcry_mpi_t a; - - a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_OPAQUE); - sexp_release (l1); - if (!a) - return GPG_ERR_INV_OBJ; - - point = mpi_point_new (0); - if (ec && ec->dialect == ECC_DIALECT_ED25519) - rc = _gcry_ecc_eddsa_decodepoint (a, ec, point, NULL, NULL); - else - rc = _gcry_ecc_os2ec (point, a); - mpi_free (a); - if (rc) - { - mpi_point_release (point); - return rc; - } - } - else - { - char *tmpname; - gcry_mpi_t x = NULL; - gcry_mpi_t y = NULL; - gcry_mpi_t z = NULL; - - tmpname = xtrymalloc (strlen (name) + 2 + 1); - if (!tmpname) - return gpg_err_code_from_syserror (); - strcpy (stpcpy (tmpname, name), ".x"); - rc = mpi_from_keyparam (&x, keyparam, tmpname); - if (rc) - { - xfree (tmpname); - return rc; - } - strcpy (stpcpy (tmpname, name), ".y"); - rc = mpi_from_keyparam (&y, keyparam, tmpname); - if (rc) - { - mpi_free (x); - xfree (tmpname); - return rc; - } - strcpy (stpcpy (tmpname, name), ".z"); - rc = mpi_from_keyparam (&z, keyparam, tmpname); - if (rc) - { - mpi_free (y); - mpi_free (x); - xfree (tmpname); - return rc; - } - if (!z) - z = mpi_set_ui (NULL, 1); - if (x && y) - point = mpi_point_snatch_set (NULL, x, y, z); - else - { - mpi_free (x); - mpi_free (y); - mpi_free (z); - point = NULL; - } - xfree (tmpname); - } - - if (point) - *r_a = point; - return 0; -} - - -/* This function creates a new context for elliptic curve operations. - Either KEYPARAM or CURVENAME must be given. If both are given and - KEYPARAM has no curve parameter, CURVENAME is used to add missing - parameters. On success 0 is returned and the new context stored at - R_CTX. On error NULL is stored at R_CTX and an error code is - returned. The context needs to be released using - gcry_ctx_release. */ -gpg_err_code_t -_gcry_mpi_ec_new (gcry_ctx_t *r_ctx, - gcry_sexp_t keyparam, const char *curvename) -{ - gpg_err_code_t errc; - gcry_ctx_t ctx = NULL; - enum gcry_mpi_ec_models model = MPI_EC_WEIERSTRASS; - enum ecc_dialects dialect = ECC_DIALECT_STANDARD; - gcry_mpi_t p = NULL; - gcry_mpi_t a = NULL; - gcry_mpi_t b = NULL; - gcry_mpi_point_t G = NULL; - gcry_mpi_t n = NULL; - gcry_mpi_t h = NULL; - gcry_mpi_point_t Q = NULL; - gcry_mpi_t d = NULL; - int flags = 0; - gcry_sexp_t l1; - - *r_ctx = NULL; - - if (keyparam) - { - /* Parse an optional flags list. */ - l1 = sexp_find_token (keyparam, "flags", 0); - if (l1) - { - errc = _gcry_pk_util_parse_flaglist (l1, &flags, NULL); - sexp_release (l1); - l1 = NULL; - if (errc) - goto leave; - } - - /* Check whether a curve name was given. */ - l1 = sexp_find_token (keyparam, "curve", 5); - - /* If we don't have a curve name or if override parameters have - explicitly been requested, parse them. */ - if (!l1 || (flags & PUBKEY_FLAG_PARAM)) - { - errc = mpi_from_keyparam (&p, keyparam, "p"); - if (errc) - goto leave; - errc = mpi_from_keyparam (&a, keyparam, "a"); - if (errc) - goto leave; - errc = mpi_from_keyparam (&b, keyparam, "b"); - if (errc) - goto leave; - errc = point_from_keyparam (&G, keyparam, "g", NULL); - if (errc) - goto leave; - errc = mpi_from_keyparam (&n, keyparam, "n"); - if (errc) - goto leave; - errc = mpi_from_keyparam (&h, keyparam, "h"); - if (errc) - goto leave; - } - } - else - l1 = NULL; /* No curvename. */ - - /* Check whether a curve parameter is available and use that to fill - in missing values. If no curve parameter is available try an - optional provided curvename. If only the curvename has been - given use that one. */ - if (l1 || curvename) - { - char *name; - elliptic_curve_t *E; - - if (l1) - { - name = sexp_nth_string (l1, 1); - sexp_release (l1); - if (!name) - { - errc = GPG_ERR_INV_OBJ; /* Name missing or out of core. */ - goto leave; - } - } - else - name = NULL; - - E = xtrycalloc (1, sizeof *E); - if (!E) - { - errc = gpg_err_code_from_syserror (); - xfree (name); - goto leave; - } - - errc = _gcry_ecc_fill_in_curve (0, name? name : curvename, E, NULL); - xfree (name); - if (errc) - { - xfree (E); - goto leave; - } - - model = E->model; - dialect = E->dialect; - - if (!p) - { - p = E->p; - E->p = NULL; - } - if (!a) - { - a = E->a; - E->a = NULL; - } - if (!b) - { - b = E->b; - E->b = NULL; - } - if (!G) - { - G = mpi_point_snatch_set (NULL, E->G.x, E->G.y, E->G.z); - E->G.x = NULL; - E->G.y = NULL; - E->G.z = NULL; - } - if (!n) - { - n = E->n; - E->n = NULL; - } - if (!h) - { - h = E->h; - E->h = NULL; - } - _gcry_ecc_curve_free (E); - xfree (E); - } - - - errc = _gcry_mpi_ec_p_new (&ctx, model, dialect, flags, p, a, b); - if (!errc) - { - mpi_ec_t ec = _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC); - - if (b) - { - mpi_free (ec->b); - ec->b = b; - b = NULL; - } - if (G) - { - ec->G = G; - G = NULL; - } - if (n) - { - ec->n = n; - n = NULL; - } - if (h) - { - ec->h = h; - h = NULL; - } - - /* Now that we know the curve name we can look for the public key - Q. point_from_keyparam needs to know the curve parameters so - that it is able to use the correct decompression. Parsing - the private key D could have been done earlier but it is less - surprising if we do it here as well. */ - if (keyparam) - { - errc = point_from_keyparam (&Q, keyparam, "q", ec); - if (errc) - goto leave; - errc = mpi_from_keyparam (&d, keyparam, "d"); - if (errc) - goto leave; - } - - if (Q) - { - ec->Q = Q; - Q = NULL; - } - if (d) - { - ec->d = d; - d = NULL; - } - - *r_ctx = ctx; - ctx = NULL; - } - - leave: - _gcry_ctx_release (ctx); - mpi_free (p); - mpi_free (a); - mpi_free (b); - _gcry_mpi_point_release (G); - mpi_free (n); - mpi_free (h); - _gcry_mpi_point_release (Q); - mpi_free (d); - return errc; -} - - -/* Return the parameters of the curve NAME as an S-expression. */ -gcry_sexp_t -_gcry_ecc_get_param_sexp (const char *name) -{ - unsigned int nbits; - elliptic_curve_t E; - mpi_ec_t ctx; - gcry_mpi_t g_x, g_y; - gcry_mpi_t pkey[7]; - gcry_sexp_t result; - int i; - - memset (&E, 0, sizeof E); - if (_gcry_ecc_fill_in_curve (0, name, &E, &nbits)) - return NULL; - - g_x = mpi_new (0); - g_y = mpi_new (0); - ctx = _gcry_mpi_ec_p_internal_new (MPI_EC_WEIERSTRASS, - ECC_DIALECT_STANDARD, - 0, - E.p, E.a, NULL); - if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx)) - log_fatal ("ecc get param: Failed to get affine coordinates\n"); - _gcry_mpi_ec_free (ctx); - _gcry_mpi_point_free_parts (&E.G); - - pkey[0] = E.p; - pkey[1] = E.a; - pkey[2] = E.b; - pkey[3] = _gcry_ecc_ec2os (g_x, g_y, E.p); - pkey[4] = E.n; - pkey[5] = E.h; - pkey[6] = NULL; - - mpi_free (g_x); - mpi_free (g_y); - - if (sexp_build (&result, NULL, - "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%m)))", - pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], pkey[5])) - result = NULL; - - for (i=0; pkey[i]; i++) - _gcry_mpi_release (pkey[i]); - - return result; -} - - -/* Return an MPI (or opaque MPI) described by NAME and the context EC. - If COPY is true a copy is returned, if not a const MPI may be - returned. In any case mpi_free must be used. */ -gcry_mpi_t -_gcry_ecc_get_mpi (const char *name, mpi_ec_t ec, int copy) -{ - if (!*name) - return NULL; - - if (!strcmp (name, "p") && ec->p) - return mpi_is_const (ec->p) && !copy? ec->p : mpi_copy (ec->p); - if (!strcmp (name, "a") && ec->a) - return mpi_is_const (ec->a) && !copy? ec->a : mpi_copy (ec->a); - if (!strcmp (name, "b") && ec->b) - return mpi_is_const (ec->b) && !copy? ec->b : mpi_copy (ec->b); - if (!strcmp (name, "n") && ec->n) - return mpi_is_const (ec->n) && !copy? ec->n : mpi_copy (ec->n); - if (!strcmp (name, "h") && ec->h) - return mpi_is_const (ec->h) && !copy? ec->h : mpi_copy (ec->h); - if (!strcmp (name, "d") && ec->d) - return mpi_is_const (ec->d) && !copy? ec->d : mpi_copy (ec->d); - - /* Return a requested point coordinate. */ - if (!strcmp (name, "g.x") && ec->G && ec->G->x) - return mpi_is_const (ec->G->x) && !copy? ec->G->x : mpi_copy (ec->G->x); - if (!strcmp (name, "g.y") && ec->G && ec->G->y) - return mpi_is_const (ec->G->y) && !copy? ec->G->y : mpi_copy (ec->G->y); - if (!strcmp (name, "q.x") && ec->Q && ec->Q->x) - return mpi_is_const (ec->Q->x) && !copy? ec->Q->x : mpi_copy (ec->Q->x); - if (!strcmp (name, "q.y") && ec->Q && ec->Q->y) - return mpi_is_const (ec->G->y) && !copy? ec->Q->y : mpi_copy (ec->Q->y); - - /* If the base point has been requested, return it in standard - encoding. */ - if (!strcmp (name, "g") && ec->G) - return _gcry_mpi_ec_ec2os (ec->G, ec); - - /* If the public key has been requested, return it by default in - standard uncompressed encoding or if requested in other - encodings. */ - if (*name == 'q' && (!name[1] || name[1] == '@')) - { - /* If only the private key is given, compute the public key. */ - if (!ec->Q) - ec->Q = _gcry_ecc_compute_public (NULL, ec, NULL, NULL); - - if (!ec->Q) - return NULL; - - if (name[1] != '@') - return _gcry_mpi_ec_ec2os (ec->Q, ec); - - if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS) - { - unsigned char *encpk; - unsigned int encpklen; - - if (!_gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, 0, - &encpk, &encpklen)) - return mpi_set_opaque (NULL, encpk, encpklen*8); - } - } - - return NULL; -} - - -/* Return a point described by NAME and the context EC. */ -gcry_mpi_point_t -_gcry_ecc_get_point (const char *name, mpi_ec_t ec) -{ - if (!strcmp (name, "g") && ec->G) - return point_copy (ec->G); - if (!strcmp (name, "q")) - { - /* If only the private key is given, compute the public key. */ - if (!ec->Q) - ec->Q = _gcry_ecc_compute_public (NULL, ec, NULL, NULL); - - if (ec->Q) - return point_copy (ec->Q); - } - - return NULL; -} - - -/* Store the MPI NEWVALUE into the context EC under NAME. */ -gpg_err_code_t -_gcry_ecc_set_mpi (const char *name, gcry_mpi_t newvalue, mpi_ec_t ec) -{ - gpg_err_code_t rc = 0; - - if (!*name) - ; - else if (!strcmp (name, "p")) - { - mpi_free (ec->p); - ec->p = mpi_copy (newvalue); - _gcry_mpi_ec_get_reset (ec); - } - else if (!strcmp (name, "a")) - { - mpi_free (ec->a); - ec->a = mpi_copy (newvalue); - _gcry_mpi_ec_get_reset (ec); - } - else if (!strcmp (name, "b")) - { - mpi_free (ec->b); - ec->b = mpi_copy (newvalue); - } - else if (!strcmp (name, "n")) - { - mpi_free (ec->n); - ec->n = mpi_copy (newvalue); - } - else if (!strcmp (name, "h")) - { - mpi_free (ec->h); - ec->h = mpi_copy (newvalue); - } - else if (*name == 'q' && (!name[1] || name[1] == '@')) - { - if (newvalue) - { - if (!ec->Q) - ec->Q = mpi_point_new (0); - if (ec->dialect == ECC_DIALECT_ED25519) - rc = _gcry_ecc_eddsa_decodepoint (newvalue, ec, ec->Q, NULL, NULL); - else - rc = _gcry_ecc_os2ec (ec->Q, newvalue); - } - if (rc || !newvalue) - { - _gcry_mpi_point_release (ec->Q); - ec->Q = NULL; - } - /* Note: We assume that Q matches d and thus do not reset d. */ - } - else if (!strcmp (name, "d")) - { - mpi_free (ec->d); - ec->d = mpi_copy (newvalue); - if (ec->d) - { - /* We need to reset the public key because it may not - anymore match. */ - _gcry_mpi_point_release (ec->Q); - ec->Q = NULL; - } - } - else - rc = GPG_ERR_UNKNOWN_NAME; - - return rc; -} - - -/* Store the point NEWVALUE into the context EC under NAME. */ -gpg_err_code_t -_gcry_ecc_set_point (const char *name, gcry_mpi_point_t newvalue, mpi_ec_t ec) -{ - if (!strcmp (name, "g")) - { - _gcry_mpi_point_release (ec->G); - ec->G = point_copy (newvalue); - } - else if (!strcmp (name, "q")) - { - _gcry_mpi_point_release (ec->Q); - ec->Q = point_copy (newvalue); - } - else - return GPG_ERR_UNKNOWN_NAME; - - return 0; -} diff --git a/hobble-libgcrypt b/hobble-libgcrypt deleted file mode 100755 index cc53cc1..0000000 --- a/hobble-libgcrypt +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -# Quit out if anything fails. -set -e -x - -# Clean out patent-or-otherwise-encumbered code. -# EC: ????????? ??/??/2015 - -rm -f cipher/ecc-curves.c -rm -f tests/curves.c -rm -f tests/t-mpi-point.c diff --git a/libgcrypt-1.10.1-annobin.patch b/libgcrypt-1.10.1-annobin.patch new file mode 100644 index 0000000..c333c4e --- /dev/null +++ b/libgcrypt-1.10.1-annobin.patch @@ -0,0 +1,22 @@ +diff -rup libgcrypt.orig/src/Makefile.am libgcrypt-1.8.3/src/Makefile.am +--- libgcrypt.orig/src/Makefile.am 2021-10-18 16:36:20.914025497 +0100 ++++ libgcrypt-1.8.3/src/Makefile.am 2021-10-19 12:23:08.652960618 +0100 +@@ -108,6 +108,7 @@ endif !HAVE_W32_SYSTEM + + + libgcrypt_la_LDFLAGS = $(no_undefined) $(export_symbols) $(extra_ltoptions) \ ++ -Wc,-fplugin=annobin \ + $(libgcrypt_version_script_cmd) -version-info \ + @LIBGCRYPT_LT_CURRENT@:@LIBGCRYPT_LT_REVISION@:@LIBGCRYPT_LT_AGE@ + libgcrypt_la_DEPENDENCIES = \ +Only in libgcrypt-1.8.3/src: Makefile.am.annobin +diff -rup libgcrypt.orig/src/Makefile.in libgcrypt-1.8.3/src/Makefile.in +--- libgcrypt.orig/src/Makefile.in 2021-10-18 16:36:20.914025497 +0100 ++++ libgcrypt-1.8.3/src/Makefile.in 2021-10-19 12:23:37.791875325 +0100 +@@ -483,6 +483,7 @@ gcrypt_hwf_modules = @GCRYPT_HWF_MODULES + @HAVE_W32_SYSTEM_TRUE@gcrypt_deps = $(gcrypt_res) libgcrypt.def + @HAVE_W32_SYSTEM_FALSE@gcrypt_res_ldflag = + libgcrypt_la_LDFLAGS = $(no_undefined) $(export_symbols) $(extra_ltoptions) \ ++ -Wc,-fplugin=annobin \ + $(libgcrypt_version_script_cmd) -version-info \ + @LIBGCRYPT_LT_CURRENT@:@LIBGCRYPT_LT_REVISION@:@LIBGCRYPT_LT_AGE@ diff --git a/libgcrypt-1.4.4.tar.bz2.sig b/libgcrypt-1.4.4.tar.bz2.sig deleted file mode 100644 index b5d5e72..0000000 Binary files a/libgcrypt-1.4.4.tar.bz2.sig and /dev/null differ diff --git a/libgcrypt-1.6.1-mpicoder-gccopt.patch b/libgcrypt-1.6.1-mpicoder-gccopt.patch deleted file mode 100644 index 12555d3..0000000 --- a/libgcrypt-1.6.1-mpicoder-gccopt.patch +++ /dev/null @@ -1,104 +0,0 @@ -diff -up libgcrypt-1.6.1/mpi/mpicoder.c.gccopt libgcrypt-1.6.1/mpi/mpicoder.c ---- libgcrypt-1.6.1/mpi/mpicoder.c.gccopt 2014-02-28 15:37:53.983139821 +0100 -+++ libgcrypt-1.6.1/mpi/mpicoder.c 2014-02-28 15:47:35.312576387 +0100 -@@ -627,16 +627,16 @@ _gcry_mpi_print (enum gcry_mpi_format fo - extra = 1; - } - -- if (buffer && n > len) -- { -- /* The provided buffer is too short. */ -- xfree (tmp); -- return GPG_ERR_TOO_SHORT; -- } - if (buffer) - { - unsigned char *s = buffer; - -+ if (n > len) -+ { -+ /* The provided buffer is too short. */ -+ xfree (tmp); -+ return GPG_ERR_TOO_SHORT; -+ } - if (extra == 1) - *s++ = 0; - else if (extra) -@@ -654,13 +654,12 @@ _gcry_mpi_print (enum gcry_mpi_format fo - /* Note: We ignore the sign for this format. */ - /* FIXME: for performance reasons we should put this into - mpi_aprint because we can then use the buffer directly. */ -- -- if (buffer && n > len) -- return GPG_ERR_TOO_SHORT; - if (buffer) - { - unsigned char *tmp; - -+ if (n > len) -+ return GPG_ERR_TOO_SHORT; - tmp = _gcry_mpi_get_buffer (a, 0, &n, NULL); - if (!tmp) - return gpg_err_code_from_syserror (); -@@ -678,14 +677,14 @@ _gcry_mpi_print (enum gcry_mpi_format fo - if (negative) - return GPG_ERR_INV_ARG; - -- if (buffer && n+2 > len) -- return GPG_ERR_TOO_SHORT; -- - if (buffer) - { - unsigned char *tmp; - unsigned char *s = buffer; - -+ if (n+2 > len) -+ return GPG_ERR_TOO_SHORT; -+ - s[0] = nbits >> 8; - s[1] = nbits; - -@@ -724,16 +723,16 @@ _gcry_mpi_print (enum gcry_mpi_format fo - extra=1; - } - -- if (buffer && n+4 > len) -- { -- xfree(tmp); -- return GPG_ERR_TOO_SHORT; -- } -- - if (buffer) - { - unsigned char *s = buffer; - -+ if (n+4 > len) -+ { -+ xfree(tmp); -+ return GPG_ERR_TOO_SHORT; -+ } -+ - *s++ = n >> 24; - *s++ = n >> 16; - *s++ = n >> 8; -@@ -761,15 +760,15 @@ _gcry_mpi_print (enum gcry_mpi_format fo - if (!n || (*tmp & 0x80)) - extra = 2; - -- if (buffer && 2*n + extra + negative + 1 > len) -- { -- xfree(tmp); -- return GPG_ERR_TOO_SHORT; -- } - if (buffer) - { - unsigned char *s = buffer; - -+ if (2*n + extra + negative + 1 > len) -+ { -+ xfree(tmp); -+ return GPG_ERR_TOO_SHORT; -+ } - if (negative) - *s++ = '-'; - if (extra) diff --git a/libgcrypt-1.6.2-use-fipscheck.patch b/libgcrypt-1.6.2-use-fipscheck.patch deleted file mode 100644 index 26af6bf..0000000 --- a/libgcrypt-1.6.2-use-fipscheck.patch +++ /dev/null @@ -1,89 +0,0 @@ -diff -up libgcrypt-1.6.2/src/fips.c.use-fipscheck libgcrypt-1.6.2/src/fips.c ---- libgcrypt-1.6.2/src/fips.c.use-fipscheck 2014-08-21 14:50:39.000000000 +0200 -+++ libgcrypt-1.6.2/src/fips.c 2014-09-26 11:42:20.999588282 +0200 -@@ -578,23 +578,50 @@ run_random_selftests (void) - return !!err; - } - -+#ifdef ENABLE_HMAC_BINARY_CHECK -+static int -+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) -+{ -+ Dl_info info; -+ void *dl, *sym; -+ int rv = -1; -+ -+ dl = dlopen(libname, RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } -+ -+ sym = dlsym(dl, symbolname); -+ -+ if (sym != NULL && dladdr(sym, &info)) { -+ strncpy(path, info.dli_fname, pathlen-1); -+ path[pathlen-1] = '\0'; -+ rv = 0; -+ } -+ -+ dlclose(dl); -+ -+ return rv; -+} -+#endif -+ - /* Run an integrity check on the binary. Returns 0 on success. */ - static int - check_binary_integrity (void) - { - #ifdef ENABLE_HMAC_BINARY_CHECK - gpg_error_t err; -- Dl_info info; -+ char libpath[4096]; - unsigned char digest[32]; - int dlen; - char *fname = NULL; -- const char key[] = "What am I, a doctor or a moonshuttle conductor?"; -- -- if (!dladdr ("gcry_check_version", &info)) -+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP"; -+ -+ if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath))) - err = gpg_error_from_syserror (); - else - { -- dlen = _gcry_hmac256_file (digest, sizeof digest, info.dli_fname, -+ dlen = _gcry_hmac256_file (digest, sizeof digest, libpath, - key, strlen (key)); - if (dlen < 0) - err = gpg_error_from_syserror (); -@@ -602,7 +629,7 @@ check_binary_integrity (void) - err = gpg_error (GPG_ERR_INTERNAL); - else - { -- fname = xtrymalloc (strlen (info.dli_fname) + 1 + 5 + 1 ); -+ fname = xtrymalloc (strlen (libpath) + 1 + 5 + 1 ); - if (!fname) - err = gpg_error_from_syserror (); - else -@@ -611,7 +638,7 @@ check_binary_integrity (void) - char *p; - - /* Prefix the basename with a dot. */ -- strcpy (fname, info.dli_fname); -+ strcpy (fname, libpath); - p = strrchr (fname, '/'); - if (p) - p++; -diff -up libgcrypt-1.6.2/src/Makefile.in.use-fipscheck libgcrypt-1.6.2/src/Makefile.in ---- libgcrypt-1.6.2/src/Makefile.in.use-fipscheck 2014-08-21 15:14:08.000000000 +0200 -+++ libgcrypt-1.6.2/src/Makefile.in 2014-09-26 11:41:13.271059281 +0200 -@@ -449,7 +449,7 @@ libgcrypt_la_LIBADD = $(gcrypt_res) \ - ../cipher/libcipher.la \ - ../random/librandom.la \ - ../mpi/libmpi.la \ -- ../compat/libcompat.la $(GPG_ERROR_LIBS) -+ ../compat/libcompat.la $(GPG_ERROR_LIBS) -ldl - - dumpsexp_SOURCES = dumpsexp.c - dumpsexp_CFLAGS = $(arch_gpg_error_cflags) diff --git a/libgcrypt-1.7.3-ecc-test-fix.patch b/libgcrypt-1.7.3-ecc-test-fix.patch deleted file mode 100644 index 8ce7aa9..0000000 --- a/libgcrypt-1.7.3-ecc-test-fix.patch +++ /dev/null @@ -1,122 +0,0 @@ -diff -up libgcrypt-1.7.3/tests/benchmark.c.eccfix libgcrypt-1.7.3/tests/benchmark.c ---- libgcrypt-1.7.3/tests/benchmark.c.eccfix 2016-07-14 11:19:17.000000000 +0200 -+++ libgcrypt-1.7.3/tests/benchmark.c 2016-11-22 16:21:00.109004197 +0100 -@@ -1412,7 +1412,7 @@ ecc_bench (int iterations, int print_hea - { - #if USE_ECC - gpg_error_t err; -- const char *p_sizes[] = { "192", "224", "256", "384", "521", "Ed25519", -+ const char *p_sizes[] = { "224", "256", "384", "521", "Ed25519", - "gost256", "gost512" }; - int testno; - -diff -up libgcrypt-1.7.3/tests/dsa-rfc6979.c.eccfix libgcrypt-1.7.3/tests/dsa-rfc6979.c ---- libgcrypt-1.7.3/tests/dsa-rfc6979.c.eccfix 2016-02-18 09:38:03.000000000 +0100 -+++ libgcrypt-1.7.3/tests/dsa-rfc6979.c 2016-11-22 16:22:11.804674008 +0100 -@@ -210,16 +210,6 @@ check_dsa_rfc6979 (void) - " ))" - }, - { -- "ECDSA, 192 bits (prime field)", -- "(private-key" -- " (ecdsa" -- " (curve \"NIST P-192\")" -- " (q #04AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56" -- " 3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43#)" -- " (d #6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4#)" -- " ))" -- }, -- { - "ECDSA, 224 bits (prime field)", - "(private-key" - " (ecdsa" -@@ -443,89 +433,6 @@ check_dsa_rfc6979 (void) - "C9F0BDABCC0D880BB137A994CC7F3980CE91CC10FAF529FC46565B15CEA854E1" - }, - { -- "ECDSA, 192 bits (prime field)", -- "With SHA-1, message = \"sample\"", -- "sha1", "sample", -- "37D7CA00D2C7B0E5E412AC03BD44BA837FDD5B28CD3B0021", -- "98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF", -- "57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-224, message = \"sample\"", -- "sha224", "sample", -- "4381526B3FC1E7128F202E194505592F01D5FF4C5AF015D8", -- "A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5", -- "E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-256, message = \"sample\"", -- "sha256", "sample", -- "32B1B6D7D42A05CB449065727A84804FB1A3E34D8F261496", -- "4B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55", -- "CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-384, message = \"sample\"", -- "sha384", "sample", -- "4730005C4FCB01834C063A7B6760096DBE284B8252EF4311", -- "DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5", -- "C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-512, message = \"sample\"", -- "sha512", "sample", -- "A2AC7AB055E4F20692D49209544C203A7D1F2C0BFBC75DB1", -- "4D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B8", -- "3F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-1, message = \"test\"", -- "sha1", "test", -- "D9CF9C3D3297D3260773A1DA7418DB5537AB8DD93DE7FA25", -- "0F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D", -- "EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-224, message = \"test\"", -- "sha224", "test", -- "F5DC805F76EF851800700CCE82E7B98D8911B7D510059FBE", -- "6945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34", -- "B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-256, message = \"test\"", -- "sha256", "test", -- "5C4CE89CF56D9E7C77C8585339B006B97B5F0680B4306C6C", -- "3A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE", -- "5662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-384, message = \"test\"", -- "sha384", "test", -- "5AFEFB5D3393261B828DB6C91FBC68C230727B030C975693", -- "B234B60B4DB75A733E19280A7A6034BD6B1EE88AF5332367", -- "7994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A" -- }, -- { -- "ECDSA, 192 bits (prime field)", -- "With SHA-512, message = \"test\"", -- "sha512", "test", -- "0758753A5254759C7CFBAD2E2D9B0792EEE44136C9480527", -- "FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739", -- "74CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290" -- }, -- -- -- -- { - "ECDSA, 224 bits (prime field)", - "With SHA-1, message = \"sample\"", - "sha1", "sample", diff --git a/libgcrypt-1.7.3-fips-cavs.patch b/libgcrypt-1.7.3-fips-cavs.patch deleted file mode 100644 index 42d028e..0000000 --- a/libgcrypt-1.7.3-fips-cavs.patch +++ /dev/null @@ -1,1311 +0,0 @@ -diff -up libgcrypt-1.7.3/tests/cavs_driver.pl.cavs libgcrypt-1.7.3/tests/cavs_driver.pl ---- libgcrypt-1.7.3/tests/cavs_driver.pl.cavs 2013-03-15 20:25:38.000000000 +0100 -+++ libgcrypt-1.7.3/tests/cavs_driver.pl 2016-11-22 17:29:06.067553077 +0100 -@@ -1,9 +1,11 @@ - #!/usr/bin/env perl - # --# $Id: cavs_driver.pl 1497 2009-01-22 14:01:29Z smueller $ -+# $Id: cavs_driver.pl 2124 2010-12-20 07:56:30Z smueller $ - # - # CAVS test driver (based on the OpenSSL driver) - # Written by: Stephan Müller -+# Werner Koch (libgcrypt interface) -+# Tomas Mraz (addition of DSA2) - # Copyright (c) atsec information security corporation - # - # Permission is hereby granted, free of charge, to any person obtaining a copy -@@ -85,13 +87,16 @@ - # T[CBC|CFB??|ECB|OFB]varkey - # T[CBC|CFB??|ECB|OFB]invperm - # T[CBC|CFB??|ECB|OFB]vartext -+# WARNING: TDES in CFB and OFB mode problems see below - # - # ANSI X9.31 RNG - # ANSI931_AES128MCT - # ANSI931_AES128VST - # --# DSA -+# DSA2 - # PQGGen -+# PQGVer -+# KeyPair - # SigGen - # SigVer - # -@@ -101,6 +106,36 @@ - # RC4PltBD - # RC4REGT - # -+# -+# TDES MCT for CFB and OFB: -+# ------------------------- -+# The inner loop cannot be handled by this script. If you want to have tests -+# for these cipher types, implement your own inner loop and add it to -+# crypto_mct. -+# -+# the value $next_source in crypto_mct is NOT set by the standard implementation -+# of this script. It would need to be set as follows for these two (code take -+# from fipsdrv.c from libgcrypt - the value input at the end will contain the -+# the value for $next_source: -+# -+# ... inner loop ... -+# ... -+# get_current_iv (hd, last_iv, blocklen); -+# ... encrypt / decrypt (input is the data to be en/decrypted and output is the -+# result of operation) ... -+# if (encrypt_mode && (cipher_mode == GCRY_CIPHER_MODE_CFB)) -+# memcpy (input, last_iv, blocklen); -+# else if (cipher_mode == GCRY_CIPHER_MODE_OFB) -+# memcpy (input, last_iv, blocklen); -+# else if (!encrypt_mode && cipher_mode == GCRY_CIPHER_MODE_CFB) -+# { -+# /* Reconstruct the output vector. */ -+# int i; -+# for (i=0; i < blocklen; i++) -+# input[i] ^= output[i]; -+# } -+# ... inner loop ends ... -+# ==> now, the value of input is to be put into $next_source - - use strict; - use warnings; -@@ -226,6 +261,8 @@ my $hmac; - # Generate the P, Q, G, Seed, counter, h (value used to generate g) values - # for DSA - # $1: modulus size -+# $2: q size -+# $3: seed (might be empty string) - # return: string with the calculated values in hex format, where each value - # is separated from the previous with a \n in the following order: - # P\n -@@ -236,6 +273,19 @@ my $hmac; - # h - my $dsa_pqggen; - -+# Generate the G value from P and Q -+# for DSA -+# $1: modulus size -+# $2: q size -+# $3: P in hex form -+# $4: Q in hex form -+# return: string with the calculated values in hex format, where each value -+# is separated from the previous with a \n in the following order: -+# P\n -+# Q\n -+# G\n -+my $dsa_ggen; -+ - # - # Generate an DSA public key from the provided parameters: - # $1: Name of file to create -@@ -255,16 +305,30 @@ my $dsa_verify; - - # generate a new DSA key with the following properties: - # PEM format --# $1 keyfile name --# return: file created, hash with keys of P, Q, G in hex format -+# $1: modulus size -+# $2: q size -+# $3 keyfile name -+# return: file created with key, string with values of P, Q, G in hex format - my $gen_dsakey; - -+# generate a new DSA private key XY parameters in domain: -+# PEM format -+# $1: P in hex form -+# $2: Q in hex form -+# $3: G in hex form -+# return: string with values of X, Y in hex format -+my $gen_dsakey_domain; -+ - # Sign a message with DSA - # $1: data to be signed in hex form - # $2: Key file in PEM format with the private key - # return: hash of digest information in hex format with Y, R, S as keys - my $dsa_sign; - -+my $rsa_keygen; -+ -+my $rsa_keygen_kat; -+ - ################################################################ - ##### OpenSSL interface functions - ################################################################ -@@ -404,6 +468,35 @@ sub libgcrypt_rsa_derive($$$$$$$$) { - } - - -+sub libgcrypt_rsa_keygen($) { -+ my $n = shift; -+ my $sexp; -+ -+ $n = sprintf ("%u", $n); -+ $sexp = "(genkey(rsa(nbits " . sprintf ("%u:%s", length($n), $n) . ")))\n"; -+ -+ return pipe_through_program($sexp, "fipsdrv rsa-keygen"); -+} -+ -+ -+sub libgcrypt_rsa_keygen_kat($$$$) { -+ my $n = shift; -+ my $e = shift; -+ my $p = shift; -+ my $q = shift; -+ my $sexp; -+ -+ $n = sprintf ("%u", $n); -+ $sexp = "(genkey(rsa(nbits " . sprintf ("%u:%s", length($n), $n) . ")" -+ . "(test-parms" -+ . "(e #$e#)" -+ . "(p #$p#)" -+ . "(q #$q#))))\n"; -+ -+ return pipe_through_program($sexp, "fipsdrv rsa-keygen-kat"); -+} -+ -+ - sub libgcrypt_rsa_sign($$$) { - my $data = shift; - my $hashalgo = shift; -@@ -500,17 +593,32 @@ sub libgcrypt_hmac($$$$) { - return pipe_through_program($msg, $program); - } - --sub libgcrypt_dsa_pqggen($) { -+sub libgcrypt_dsa_pqggen($$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $seed = shift; -+ -+ my $program = "fipsdrv --keysize $mod --qsize $qsize dsa-pqg-gen"; -+ return pipe_through_program($seed, $program); -+} -+ -+sub libgcrypt_dsa_ggen($$$$) { - my $mod = shift; -+ my $qsize = shift; -+ my $p = shift; -+ my $q = shift; -+ my $domain = "(domain (p #$p#)(q #$q#))"; - -- my $program = "fipsdrv --keysize $mod dsa-pqg-gen"; -+ my $program = "fipsdrv --keysize $mod --qsize $qsize --key \'$domain\' dsa-g-gen"; - return pipe_through_program("", $program); - } - --sub libgcrypt_gen_dsakey($) { -+sub libgcrypt_gen_dsakey($$$) { -+ my $mod = shift; -+ my $qsize = shift; - my $file = shift; - -- my $program = "fipsdrv --keysize 1024 --key $file dsa-gen"; -+ my $program = "fipsdrv --keysize $mod --qsize $qsize --key $file dsa-gen"; - my $tmp; - my %ret; - -@@ -519,10 +627,21 @@ sub libgcrypt_gen_dsakey($) { - $tmp = pipe_through_program("", $program); - die "dsa key gen failed: file $file not created" if (! -f $file); - -- @ret{'P', 'Q', 'G', 'Seed', 'c', 'H'} = split(/\n/, $tmp); -+ @ret{'P', 'Q', 'G'} = split(/\n/, $tmp); - return %ret; - } - -+sub libgcrypt_gen_dsakey_domain($$$) { -+ my $p = shift; -+ my $q = shift; -+ my $g = shift; -+ my $domain = "(domain (p #$p#)(q #$q#)(g #$g#))"; -+ -+ my $program = "fipsdrv --key '$domain' dsa-gen-key"; -+ -+ return pipe_through_program("", $program); -+} -+ - sub libgcrypt_dsa_genpubkey($$$$$) { - my $filename = shift; - my $p = shift; -@@ -1139,7 +1258,7 @@ sub hmac_kat($$$$) { - $out .= "Tlen = $tlen\n"; - $out .= "Key = $key\n"; - $out .= "Msg = $msg\n"; -- $out .= "Mac = " . &$hmac($key, $tlen, $msg, $hashtype{$tlen}) . "\n"; -+ $out .= "Mac = " . lc(&$hmac($key, $tlen, $msg, $hashtype{$tlen})) . "\n"; - - return $out; - } -@@ -1205,7 +1324,7 @@ sub crypto_mct($$$$$$$$) { - } - my ($CO, $CI); - my $cipher_imp = &$state_cipher($cipher, $enc, $bufsize, $key1, $iv); -- $cipher_imp = &$state_cipher_des($cipher, $enc, $bufsize, $key1, $iv) if($cipher =~ /des/); -+ $cipher_imp = &$state_cipher_des($cipher, $enc, $bufsize, $key1, $iv) if($cipher =~ /des/ && defined($state_cipher_des)); - my $pid = open2($CO, $CI, $cipher_imp); - - my $calc_data = $iv; # CT[j] -@@ -1213,8 +1332,8 @@ sub crypto_mct($$$$$$$$) { - my $old_old_calc_data; # CT[j-2] - my $next_source; - -- # TDES inner loop implements logic within driver -- if ($cipher =~ /des/) { -+ # TDES inner loop implements logic within driver of libgcrypt -+ if ($cipher =~ /des/ && $opt{'I'} && $opt{'I'} eq 'libgcrypt' ) { - # Need to provide a dummy IV in case of ECB mode. - my $iv_arg = (defined($iv) && $iv ne "") - ? bin2hex($iv) -@@ -1238,6 +1357,10 @@ sub crypto_mct($$$$$$$$) { - $line = <$CO>; - } else { - for (my $j = 0; $j < $iloop; ++$j) { -+ if ($cipher =~ /des-ede3-ofb/ || -+ (!$enc && $cipher =~ /des-ede3-cfb/)) { -+ die "Implementation lacks support for TDES OFB and TDES CFB in encryption mode - the problem is that we would need to extract the IV of the last round of encryption which would be the input for the next round - see comments in this script for implementation requirements"; -+ } - $old_old_calc_data = $old_calc_data; - $old_calc_data = $calc_data; - -@@ -1429,7 +1552,7 @@ sub rsa_sigver($$$$$) { - # $7 xq2 - # $8 Xq - # return: string formatted as expected by CAVS --sub rsa_keygen($$$$$$$$) { -+sub rsa_keygen_x931($$$$$$$$) { - my $modulus = shift; - my $e = shift; - my $xp1 = shift; -@@ -1503,21 +1626,23 @@ sub rngx931($$$$) { - return $out; - } - --# DSA PQGGen test -+# DSA PQGen test - # $1 modulus size --# $2 number of rounds to perform the test -+# $2 q size -+# $3 number of rounds to perform the test - # return: string formatted as expected by CAVS --sub dsa_pqggen_driver($$) { -+sub dsa_pqgen_driver($$$) { - my $mod = shift; -+ my $qsize = shift; - my $rounds = shift; - - my $out = ""; - for(my $i=0; $i<$rounds; $i++) { -- my $ret = &$dsa_pqggen($mod); -+ my $ret = &$dsa_pqggen($mod, $qsize, ""); - my ($P, $Q, $G, $Seed, $c, $H) = split(/\n/, $ret); -- die "Return value does not contain all expected values of P, Q, G, Seed, c, H for dsa_pqggen" -- if (!defined($P) || !defined($Q) || !defined($G) || -- !defined($Seed) || !defined($c) || !defined($H)); -+ die "Return value does not contain all expected values of P, Q, Seed, c for dsa_pqggen" -+ if (!defined($P) || !defined($Q) || -+ !defined($Seed) || !defined($c)); - - # now change the counter to decimal as CAVS wants decimal - # counter value although all other is HEX -@@ -1525,15 +1650,166 @@ sub dsa_pqggen_driver($$) { - - $out .= "P = $P\n"; - $out .= "Q = $Q\n"; -- $out .= "G = $G\n"; -- $out .= "Seed = $Seed\n"; -- $out .= "c = $c\n"; -- $out .= "H = $H\n\n"; -+ $out .= "domain_parameter_seed = $Seed\n"; -+ $out .= "counter = $c\n\n"; - } - - return $out; - } - -+# DSA GGen test -+# $1 modulus size -+# $2 q size -+# $3 p in hex form -+# $4 q in hex form -+# return: string formatted as expected by CAVS -+sub dsa_ggen_driver($$$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $p = shift; -+ my $q = shift; -+ -+ my $out = ""; -+ my $ret = &$dsa_ggen($mod, $qsize, $p, $q); -+ my ($P, $Q, $G) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of P, Q, G for dsa_ggen" -+ if (!defined($P) || !defined($Q) || !defined($G)); -+ -+ $out .= "G = $G\n\n"; -+ -+ return $out; -+} -+ -+sub hexcomp($$) { -+ my $a = lc shift; -+ my $b = lc shift; -+ -+ if (length $a < length $b) { -+ my $c = $a; -+ $a = $b; -+ $b = $a; -+ } -+ -+ while (length $b < length $a) { -+ $b = "00$b"; -+ } -+ -+ return $a eq $b; -+} -+ -+# DSA PQVer test -+# $1 modulus size -+# $2 q size -+# $3 p in hex form -+# $4 q in hex form -+# $5 seed in hex form -+# $6 c decimal counter -+# return: string formatted as expected by CAVS -+sub dsa_pqver_driver($$$$$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $p = shift; -+ my $q = shift; -+ my $seed = shift; -+ my $c = shift; -+ -+ my $out = ""; -+ my $ret = &$dsa_pqggen($mod, $qsize, $seed); -+ my ($P, $Q, $G, $seed2, $c2, $h2) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of P, Q, G, seed, c for dsa_pqggen" -+ if (!defined($P) || !defined($Q) || !defined($G) || -+ !defined($seed2) || !defined($c2)); -+ -+ $c2 = hex($c2); -+ -+ $out .= "Seed = $seed\n"; -+ $out .= "c = $c\n"; -+ -+ if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($seed, $seed2) && $c == $c2) { -+ $out .= "Result = P\n\n"; -+ } -+ else { -+ $out .= "Result = F\n\n"; -+ } -+ return $out; -+} -+ -+# DSA PQGVer test -+# $1 modulus size -+# $2 q size -+# $3 p in hex form -+# $4 q in hex form -+# $5 g in hex form -+# $6 seed in hex form -+# $7 c decimal counter -+# $8 h in hex form -+# return: string formatted as expected by CAVS -+sub dsa_pqgver_driver($$$$$$$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $p = shift; -+ my $q = shift; -+ my $g = shift; -+ my $seed = shift; -+ my $c = shift; -+ my $h = shift; -+ -+ my $out = ""; -+ my $ret = &$dsa_pqggen($mod, $qsize, $seed); -+ my ($P, $Q, $G, $seed2, $c2, $h2) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of P, Q, G, seed, c, H for dsa_pqggen" -+ if (!defined($P) || !defined($Q) || !defined($G) || -+ !defined($seed2) || !defined($c2) || !defined($h2)); -+ -+ -+ -+ $out .= "Seed = $seed\n"; -+ $out .= "c = $c\n"; -+ $out .= "H = $h\n"; -+ -+ $c2 = hex($c2); -+ -+ if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($G, $g) && hexcomp($seed, $seed2) && -+ $c == $c2 && hex($h) == hex($h2)) { -+ $out .= "Result = P\n\n"; -+ } -+ else { -+ $out .= "Result = F\n\n"; -+ } -+ -+ return $out; -+} -+ -+# DSA Keypair test -+# $1 modulus size -+# $2 q size -+# $3 number of rounds to perform the test -+# return: string formatted as expected by CAVS -+sub dsa_keypair_driver($$$) { -+ my $mod = shift; -+ my $qsize = shift; -+ my $rounds = shift; -+ -+ my $out = ""; -+ my $tmpkeyfile = "dsa_siggen.tmp.$$"; -+ my %pqg = &$gen_dsakey($mod, $qsize, $tmpkeyfile); -+ $out .= "P = " . $pqg{'P'} . "\n"; -+ $out .= "Q = " . $pqg{'Q'} . "\n"; -+ $out .= "G = " . $pqg{'G'} . "\n\n"; -+ unlink($tmpkeyfile); -+ -+ for(my $i=0; $i<$rounds; $i++) { -+ my $ret = &$gen_dsakey_domain($pqg{'P'}, $pqg{'Q'}, $pqg{'G'}); -+ my ($X, $Y) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of X, Y for gen_dsakey_domain" -+ if (!defined($X) || !defined($Y)); -+ -+ $out .= "X = $X\n"; -+ $out .= "Y = $Y\n\n"; -+ } -+ -+ return $out; -+} - - # DSA SigGen test - # $1: Message to be signed in hex form -@@ -1598,6 +1874,53 @@ sub dsa_sigver($$$$$$$$) { - return $out; - } - -+# RSA Keygen RPP test -+# $1 modulus size -+# $2 number of rounds to perform the test -+# return: string formatted as expected by CAVS -+sub rsa_keygen_driver($$) { -+ my $mod = shift; -+ my $rounds = shift; -+ -+ my $out = ""; -+ -+ for(my $i=0; $i<$rounds; $i++) { -+ my $ret = &$rsa_keygen($mod); -+ my ($e, $p, $q, $n, $d) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of e, p, q, n, d for rsa_keygen" -+ if (!defined($e) || !defined($p) || !defined($q) || !defined($n) || !defined($d)); -+ -+ $out .= "e = $e\n"; -+ $out .= "p = $p\n"; -+ $out .= "q = $q\n"; -+ $out .= "n = $n\n"; -+ $out .= "d = $d\n\n"; -+ } -+ -+ return $out; -+} -+ -+# RSA RPP Keygen KAT test -+# $1 modulus size -+# $2 p in hex form -+# $3 q in hex form -+# return: string formatted as expected by CAVS -+sub rsa_keygen_kat_driver($$$) { -+ my $mod = shift; -+ my $p = shift; -+ my $q = shift; -+ -+ my $out = ""; -+ my $ret = &$rsa_keygen_kat($mod, $p, $q); -+ my ($Result) = split(/\n/, $ret); -+ die "Return value does not contain all expected values of Result for rsa_keygen_kat" -+ if (!defined($Result)); -+ -+ $out .= "Result = $Result\n\n"; -+ return $out; -+} -+ -+ - ############################################################## - # Parser of input file and generator of result file - # -@@ -1658,12 +1981,18 @@ sub parse($$) { - my $klen = ""; - my $tlen = ""; - my $modulus = ""; -+ my $qsize = ""; - my $capital_n = 0; -+ my $num = 0; - my $capital_p = ""; - my $capital_q = ""; - my $capital_g = ""; - my $capital_y = ""; - my $capital_r = ""; -+ my $capital_h = ""; -+ my $c = ""; -+ my $prandom = ""; -+ my $qrandom = ""; - my $xp1 = ""; - my $xp2 = ""; - my $Xp = ""; -@@ -1700,7 +2029,7 @@ sub parse($$) { - - ##### Extract cipher - # XXX there may be more - to be added -- if ($tmpline =~ /^#.*(CBC|ECB|OFB|CFB|SHA-|SigGen|SigVer|RC4VS|ANSI X9\.31|Hash sizes tested|PQGGen|KeyGen RSA)/) { -+ if ($tmpline =~ /^#.*(CBC|ECB|OFB|CFB|SHA-|SigGen|SigVer|RC4VS|ANSI X9\.31|Hash sizes tested|PQGGen|KeyGen RSA|KeyGen - Random Probably Prime|KeyPair|PQGVer)/) { - if ($tmpline =~ /CBC/) { $mode="cbc"; } - elsif ($tmpline =~ /ECB/) { $mode="ecb"; } - elsif ($tmpline =~ /OFB/) { $mode="ofb"; } -@@ -1749,7 +2078,23 @@ sub parse($$) { - - if ($tt == 0) { - ##### Identify the test type -- if ($tmpline =~ /KeyGen RSA \(X9\.31\)/) { -+ if ($tmpline =~ /KeyGen - Random Probably Prime Known Answer Test/) { -+ $tt = 19; -+ die "Interface function rsa_keygen_kat for RSA key generation KAT not defined for tested library" -+ if (!defined($rsa_keygen_kat)); -+ } elsif ($tmpline =~ /KeyGen - Random Probably Prime Test/) { -+ $tt = 18; -+ die "Interface function rsa_keygen for RSA key generation not defined for tested library" -+ if (!defined($rsa_keygen)); -+ } elsif ($tmpline =~ /PQGVer/) { -+ $tt = 16; -+ die "Interface function for DSA PQGVer testing not defined for tested library" -+ if (!defined($dsa_pqggen)); -+ } elsif ($tmpline =~ /KeyPair/) { -+ $tt = 14; -+ die "Interface function dsa_keygen for DSA key generation not defined for tested library" -+ if (!defined($gen_dsakey_domain)); -+ } elsif ($tmpline =~ /KeyGen RSA \(X9\.31\)/) { - $tt = 13; - die "Interface function rsa_derive for RSA key generation not defined for tested library" - if (!defined($rsa_derive)); -@@ -1760,11 +2105,11 @@ sub parse($$) { - } elsif ($tmpline =~ /SigGen/ && $opt{'D'}) { - $tt = 11; - die "Interface function dsa_sign or gen_dsakey for DSA sign not defined for tested library" -- if (!defined($dsa_sign) || !defined($gen_rsakey)); -+ if (!defined($dsa_sign) || !defined($gen_dsakey)); - } elsif ($tmpline =~ /PQGGen/) { - $tt = 10; - die "Interface function for DSA PQGGen testing not defined for tested library" -- if (!defined($dsa_pqggen)); -+ if (!defined($dsa_pqggen) || !defined($dsa_ggen)); - } elsif ($tmpline =~ /Hash sizes tested/) { - $tt = 9; - die "Interface function hmac for HMAC testing not defined for tested library" -@@ -1792,7 +2137,7 @@ sub parse($$) { - } elsif ($tmpline =~ /Monte|MCT|Carlo/) { - $tt = 2; - die "Interface function state_cipher for Stateful Cipher operation defined for tested library" -- if (!defined($state_cipher) || !defined($state_cipher_des)); -+ if (!defined($state_cipher) && !defined($state_cipher_des)); - } elsif ($cipher =~ /^sha/) { - $tt = 3; - die "Interface function hash for Hashing not defined for tested library" -@@ -1875,18 +2220,44 @@ sub parse($$) { - die "Msg/Seed seen twice - input file crap" if ($pt ne ""); - $pt=$2; - } -- elsif ($line =~ /^\[mod\s*=\s*(.*)\]$/) { # found in RSA requests -+ elsif ($line =~ /^\[A.2.1\s.*\]$/) { # found in DSA2 PQGGen request -+ $out .= $line . "\n"; # print it -+ if ($tt == 10) { -+ # now generate G from PQ -+ $tt = 15; -+ } -+ } -+ elsif ($line =~ /^\[A.2.2\s.*\]$/) { # found in DSA2 PQGVer request -+ $out .= $line . "\n"; # print it -+ if ($tt == 16) { -+ # now verify PQG -+ $tt = 17; -+ } -+ } -+ elsif ($line =~ /^\[mod\s*=\s*L=([0-9]*),\s*N=([0-9]*).*\]$/) { # found in DSA2 requests - $modulus = $1; -+ $qsize = $2; - $out .= $line . "\n\n"; # print it -+ # clear eventual PQG -+ $capital_p = ""; -+ $capital_q = ""; -+ $capital_g = ""; - # generate the private key with given bit length now - # as we have the required key length in bit - if ($tt == 11) { - $dsa_keyfile = "dsa_siggen.tmp.$$"; -- my %pqg = &$gen_dsakey($dsa_keyfile); -+ my %pqg = &$gen_dsakey($modulus, $qsize, $dsa_keyfile); - $out .= "P = " . $pqg{'P'} . "\n"; - $out .= "Q = " . $pqg{'Q'} . "\n"; -- $out .= "G = " . $pqg{'G'} . "\n"; -- } elsif ( $tt == 5 ) { -+ $out .= "G = " . $pqg{'G'} . "\n\n"; -+ } -+ } -+ elsif ($line =~ /^\[mod\s*=\s*(.*)\]$/) { # found in RSA requests -+ $modulus = $1; -+ $out .= $line . "\n\n"; # print it -+ # generate the private key with given bit length now -+ # as we have the required key length in bit -+ if ( $tt == 5 ) { - # XXX maybe a secure temp file name is better here - # but since it is not run on a security sensitive - # system, I hope that this is fine -@@ -1907,6 +2278,9 @@ sub parse($$) { - } - elsif ($line =~ /^e\s*=\s*(.*)/) { # found in RSA requests - $e=$1; -+ if ($tt == 19) { -+ $out .= $line . "\n"; # print it -+ } - } - elsif ($line =~ /^S\s*=\s*(.*)/) { # found in RSA requests - die "S seen twice - input file crap" if ($signature ne ""); -@@ -1932,11 +2306,16 @@ sub parse($$) { - if ($tlen ne ""); - $tlen=$1; - } -- elsif ($line =~ /^N\s*=\s*(.*)/) { #DSA PQGGen -+ elsif ($line =~ /^N\s*=\s*(.*)/) { #DSA KeyPair - die "N seen twice - check input file" - if ($capital_n); - $capital_n = $1; - } -+ elsif ($line =~ /^Num\s*=\s*(.*)/) { #DSA PQGGen -+ die "Num seen twice - check input file" -+ if ($num); -+ $num = $1; -+ } - elsif ($line =~ /^P\s*=\s*(.*)/) { #DSA SigVer - die "P seen twice - check input file" - if ($capital_p); -@@ -1965,6 +2344,16 @@ sub parse($$) { - if ($capital_r); - $capital_r = $1; - } -+ elsif ($line =~ /^H\s*=\s*(.*)/) { #DSA PQGVer -+ die "H seen twice - check input file" -+ if ($capital_h); -+ $capital_h = $1; -+ } -+ elsif ($line =~ /^c\s*=\s*(.*)/) { #DSA PQGVer -+ die "c seen twice - check input file" -+ if ($c); -+ $c = $1; -+ } - elsif ($line =~ /^xp1\s*=\s*(.*)/) { #RSA key gen - die "xp1 seen twice - check input file" - if ($xp1); -@@ -1995,6 +2384,22 @@ sub parse($$) { - if ($Xq); - $Xq = $1; - } -+ elsif ($line =~ /^prandom\s*=\s*(.*)/) { #RSA key gen KAT -+ die "prandom seen twice - check input file" -+ if ($prandom); -+ $prandom = $1; -+ $out .= $line . "\n"; # print it -+ } -+ elsif ($line =~ /^qrandom\s*=\s*(.*)/) { #RSA key gen KAT -+ die "qrandom seen twice - check input file" -+ if ($qrandom); -+ $qrandom = $1; -+ $out .= $line . "\n"; # print it -+ } -+ elsif ($tt == 19 && $line =~ /^ / && $qrandom eq "") { #RSA key gen KAT -+ $qrandom = "00"; -+ $out .= $line . "\n"; # print it -+ } - else { - $out .= $line . "\n"; - } -@@ -2074,11 +2479,10 @@ sub parse($$) { - } - } - elsif ($tt == 10) { -- if ($modulus ne "" && $capital_n > 0) { -- $out .= dsa_pqggen_driver($modulus, $capital_n); -- #$mod is not resetted -- $capital_n = 0; -- } -+ if ($modulus ne "" && $qsize ne "" && $num > 0) { -+ $out .= dsa_pqgen_driver($modulus, $qsize, $num); -+ $num = 0; -+ } - } - elsif ($tt == 11) { - if ($pt ne "" && $dsa_keyfile ne "") { -@@ -2124,7 +2528,7 @@ sub parse($$) { - $xq1 ne "" && - $xq2 ne "" && - $Xq ne "") { -- $out .= rsa_keygen($modulus, -+ $out .= rsa_keygen_x931($modulus, - $e, - $xp1, - $xp2, -@@ -2141,6 +2545,96 @@ sub parse($$) { - $Xq = ""; - } - } -+ elsif ($tt == 14) { -+ if ($modulus ne "" && -+ $qsize ne "" && -+ $capital_n > 0) { -+ $out .= dsa_keypair_driver($modulus, -+ $qsize, -+ $capital_n); -+ $capital_n = 0; -+ } -+ } -+ elsif ($tt == 15) { -+ if ($modulus ne "" && -+ $qsize ne "" && -+ $capital_p ne "" && -+ $capital_q ne "") { -+ $out .= dsa_ggen_driver($modulus, -+ $qsize, -+ $capital_p, -+ $capital_q); -+ $capital_p = ""; -+ $capital_q = ""; -+ $num--; -+ } -+ } -+ elsif ($tt == 16) { -+ if ($modulus ne "" && -+ $qsize ne "" && -+ $capital_p ne "" && -+ $capital_q ne "" && -+ $pt ne "" && -+ $c ne "") { -+ $out .= dsa_pqver_driver($modulus, -+ $qsize, -+ $capital_p, -+ $capital_q, -+ $pt, -+ $c); -+ $capital_p = ""; -+ $capital_q = ""; -+ $pt = ""; -+ $c = ""; -+ } -+ } -+ elsif ($tt == 17) { -+ if ($modulus ne "" && -+ $qsize ne "" && -+ $capital_p ne "" && -+ $capital_q ne "" && -+ $capital_g ne "" && -+ $pt ne "" && -+ $c ne "" && -+ $capital_h ne "") { -+ $out .= dsa_pqgver_driver($modulus, -+ $qsize, -+ $capital_p, -+ $capital_q, -+ $capital_g, -+ $pt, -+ $c, -+ $capital_h); -+ $capital_p = ""; -+ $capital_q = ""; -+ $capital_g = ""; -+ $pt = ""; -+ $c = ""; -+ $capital_h = ""; -+ } -+ } -+ elsif ($tt == 18) { -+ if ($modulus ne "" && -+ $capital_n > 0) { -+ $out .= rsa_keygen_driver($modulus, -+ $capital_n); -+ $capital_n = 0; -+ } -+ } -+ elsif ($tt == 19) { -+ if ($modulus ne "" && -+ $e ne "" && -+ $prandom ne "" && -+ $qrandom ne "") { -+ $out .= rsa_keygen_kat_driver($modulus, -+ $e, -+ $prandom, -+ $qrandom); -+ $prandom = ""; -+ $qrandom = ""; -+ $e = ""; -+ } -+ } - elsif ($tt > 0) { - die "Test case $tt not defined"; - } -@@ -2199,10 +2693,14 @@ sub main() { - $state_rng = \&libgcrypt_state_rng; - $hmac = \&libgcrypt_hmac; - $dsa_pqggen = \&libgcrypt_dsa_pqggen; -+ $dsa_ggen = \&libgcrypt_dsa_ggen; - $gen_dsakey = \&libgcrypt_gen_dsakey; -+ $gen_dsakey_domain = \&libgcrypt_gen_dsakey_domain; - $dsa_sign = \&libgcrypt_dsa_sign; - $dsa_verify = \&libgcrypt_dsa_verify; - $dsa_genpubkey = \&libgcrypt_dsa_genpubkey; -+ $rsa_keygen = \&libgcrypt_rsa_keygen; -+ $rsa_keygen_kat = \&libgcrypt_rsa_keygen_kat; - } else { - die "Invalid interface option given"; - } -diff -up libgcrypt-1.7.3/tests/cavs_tests.sh.cavs libgcrypt-1.7.3/tests/cavs_tests.sh ---- libgcrypt-1.7.3/tests/cavs_tests.sh.cavs 2013-03-15 20:25:38.000000000 +0100 -+++ libgcrypt-1.7.3/tests/cavs_tests.sh 2016-11-22 17:29:06.067553077 +0100 -@@ -55,7 +55,7 @@ function run_one_test () { - [ -d "$respdir" ] || mkdir "$respdir" - [ -f "$rspfile" ] && rm "$rspfile" - -- if echo "$reqfile" | grep '/DSA/req/' >/dev/null 2>/dev/null; then -+ if echo "$reqfile" | grep '/DSA.\?/req/' >/dev/null 2>/dev/null; then - dflag="-D" - fi - -diff -up libgcrypt-1.7.3/tests/fipsdrv.c.cavs libgcrypt-1.7.3/tests/fipsdrv.c ---- libgcrypt-1.7.3/tests/fipsdrv.c.cavs 2016-07-14 11:19:17.000000000 +0200 -+++ libgcrypt-1.7.3/tests/fipsdrv.c 2016-11-22 17:33:15.468330859 +0100 -@@ -892,6 +892,9 @@ print_mpi_line (gcry_mpi_t a, int no_lz) - die ("gcry_mpi_aprint failed: %s\n", gpg_strerror (err)); - - p = buf; -+ while (*p) -+ *p++ = tolower(*p); -+ p = buf; - if (no_lz && p[0] == '0' && p[1] == '0' && p[2]) - p += 2; - -@@ -1765,14 +1768,14 @@ run_rsa_verify (const void *data, size_t - /* Generate a DSA key of size KEYSIZE and return the complete - S-expression. */ - static gcry_sexp_t --dsa_gen (int keysize) -+dsa_gen (int keysize, int qsize) - { - gpg_error_t err; - gcry_sexp_t keyspec, key; - - err = gcry_sexp_build (&keyspec, NULL, -- "(genkey (dsa (nbits %d)(use-fips186-2)))", -- keysize); -+ "(genkey (dsa (nbits %d)(qbits %d)(use-fips186)))", -+ keysize, qsize); - if (err) - die ("gcry_sexp_build failed for DSA key generation: %s\n", - gpg_strerror (err)); -@@ -1790,7 +1793,7 @@ dsa_gen (int keysize) - /* Generate a DSA key of size KEYSIZE and return the complete - S-expression. */ - static gcry_sexp_t --dsa_gen_with_seed (int keysize, const void *seed, size_t seedlen) -+dsa_gen_with_seed (int keysize, int qsize, const void *seed, size_t seedlen) - { - gpg_error_t err; - gcry_sexp_t keyspec, key; -@@ -1799,10 +1802,11 @@ dsa_gen_with_seed (int keysize, const vo - "(genkey" - " (dsa" - " (nbits %d)" -- " (use-fips186-2)" -+ " (qbits %d)" -+ " (use-fips186)" - " (derive-parms" - " (seed %b))))", -- keysize, (int)seedlen, seed); -+ keysize, qsize, (int)seedlen, seed); - if (err) - die ("gcry_sexp_build failed for DSA key generation: %s\n", - gpg_strerror (err)); -@@ -1810,6 +1814,37 @@ dsa_gen_with_seed (int keysize, const vo - err = gcry_pk_genkey (&key, keyspec); - if (err) - die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); -+ -+ gcry_sexp_release (keyspec); -+ -+ return key; -+} -+ -+/* Generate a DSA key with specified domain parameters and return the complete -+ S-expression. */ -+static gcry_sexp_t -+dsa_gen_key (const char *domain) -+{ -+ gpg_error_t err; -+ gcry_sexp_t keyspec, key, domspec; -+ -+ err = gcry_sexp_new (&domspec, domain, strlen(domain), 0); -+ if (err) -+ die ("gcry_sexp_build failed for domain spec: %s\n", -+ gpg_strerror (err)); -+ -+ err = gcry_sexp_build (&keyspec, NULL, -+ "(genkey" -+ " (dsa" -+ " (use-fips186)" -+ " %S))", -+ domspec); -+ if (err) -+ die ("gcry_sexp_build failed for DSA key generation: %s\n", -+ gpg_strerror (err)); -+ err = gcry_pk_genkey (&key, keyspec); -+ if (err) -+ die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); - - gcry_sexp_release (keyspec); - -@@ -1849,7 +1884,7 @@ ecdsa_gen_key (const char *curve) - with one parameter per line in hex format using this order: p, q, - g, seed, counter, h. */ - static void --print_dsa_domain_parameters (gcry_sexp_t key) -+print_dsa_domain_parameters (gcry_sexp_t key, int print_misc) - { - gcry_sexp_t l1, l2; - gcry_mpi_t mpi; -@@ -1885,6 +1920,9 @@ print_dsa_domain_parameters (gcry_sexp_t - } - gcry_sexp_release (l1); - -+ if (!print_misc) -+ return; -+ - /* Extract the seed values. */ - l1 = gcry_sexp_find_token (key, "misc-key-info", 0); - if (!l1) -@@ -1976,38 +2014,106 @@ print_ecdsa_dq (gcry_sexp_t key) - } - - --/* Generate DSA domain parameters for a modulus size of KEYSIZE. The -+/* Print just the XY private key parameters. KEY -+ is the complete key as returned by dsa_gen. We print to stdout -+ with one parameter per line in hex format using this order: x, y. */ -+static void -+print_dsa_xy (gcry_sexp_t key) -+{ -+ gcry_sexp_t l1, l2; -+ gcry_mpi_t mpi; -+ int idx; -+ -+ l1 = gcry_sexp_find_token (key, "private-key", 0); -+ if (!l1) -+ die ("private key not found in genkey result\n"); -+ -+ l2 = gcry_sexp_find_token (l1, "dsa", 0); -+ if (!l2) -+ die ("returned private key not formed as expected\n"); -+ gcry_sexp_release (l1); -+ l1 = l2; -+ -+ /* Extract the parameters from the S-expression and print them to stdout. */ -+ for (idx=0; "xy"[idx]; idx++) -+ { -+ l2 = gcry_sexp_find_token (l1, "xy"+idx, 1); -+ if (!l2) -+ die ("no %c parameter in returned public key\n", "xy"[idx]); -+ mpi = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG); -+ if (!mpi) -+ die ("no value for %c parameter in returned private key\n","xy"[idx]); -+ gcry_sexp_release (l2); -+ if (standalone_mode) -+ printf ("%c = ", "XY"[idx]); -+ print_mpi_line (mpi, 1); -+ gcry_mpi_release (mpi); -+ } -+ -+ gcry_sexp_release (l1); -+} -+ -+ -+/* Generate DSA pq domain parameters for a modulus size of KEYSIZE. The - result is printed to stdout with one parameter per line in hex -- format and in this order: p, q, g, seed, counter, h. If SEED is -+ format and in this order: p, q, seed, counter. If SEED is - not NULL this seed value will be used for the generation. */ - static void --run_dsa_pqg_gen (int keysize, const void *seed, size_t seedlen) -+run_dsa_pqg_gen (int keysize, int qsize, const void *seed, size_t seedlen) - { - gcry_sexp_t key; - - if (seed) -- key = dsa_gen_with_seed (keysize, seed, seedlen); -+ key = dsa_gen_with_seed (keysize, qsize, seed, seedlen); - else -- key = dsa_gen (keysize); -- print_dsa_domain_parameters (key); -+ key = dsa_gen (keysize, qsize); -+ print_dsa_domain_parameters (key, 1); -+ gcry_sexp_release (key); -+} -+ -+ -+/* Generate DSA domain parameters for a modulus size of KEYSIZE. The -+ result is printed to stdout with one parameter per line in hex -+ format and in this order: p, q, g, seed, counter, h. If SEED is -+ not NULL this seed value will be used for the generation. */ -+static void -+run_dsa_g_gen (int keysize, int qsize, const char *domain) -+{ -+ gcry_sexp_t key; -+ -+ key = dsa_gen_key (domain); -+ print_dsa_domain_parameters (key, 0); -+ gcry_sexp_release (key); -+} -+ -+/* Generate a DSA key with specified domain parameters -+ and print the XY values. */ -+static void -+run_dsa_gen_key (const char *domain) -+{ -+ gcry_sexp_t key; -+ -+ key = dsa_gen_key (domain); -+ print_dsa_xy (key); -+ - gcry_sexp_release (key); - } - - - /* Generate a DSA key of size of KEYSIZE and write the private key to - FILENAME. Also write the parameters to stdout in the same way as -- run_dsa_pqg_gen. */ -+ run_dsa_g_gen. */ - static void --run_dsa_gen (int keysize, const char *filename) -+run_dsa_gen (int keysize, int qsize, const char *filename) - { - gcry_sexp_t key, private_key; - FILE *fp; - -- key = dsa_gen (keysize); -+ key = dsa_gen (keysize, qsize); - private_key = gcry_sexp_find_token (key, "private-key", 0); - if (!private_key) - die ("private key not found in genkey result\n"); -- print_dsa_domain_parameters (key); -+ print_dsa_domain_parameters (key, 1); - - fp = fopen (filename, "wb"); - if (!fp) -@@ -2020,6 +2126,53 @@ run_dsa_gen (int keysize, const char *fi - } - - -+static int -+dsa_hash_from_key(gcry_sexp_t s_key) -+{ -+ gcry_sexp_t l1, l2; -+ gcry_mpi_t q; -+ unsigned int qbits; -+ -+ l1 = gcry_sexp_find_token (s_key, "public-key", 0); -+ if (!l1) -+ { -+ l1 = gcry_sexp_find_token (s_key, "private-key", 0); -+ if (!l1) -+ die ("neither private nor public key found in the loaded key\n"); -+ } -+ -+ l2 = gcry_sexp_find_token (l1, "dsa", 0); -+ if (!l2) -+ die ("public key not formed as expected - no dsa\n"); -+ gcry_sexp_release (l1); -+ l1 = l2; -+ -+ l2 = gcry_sexp_find_token (l1, "q", 0); -+ if (!l2) -+ die ("public key not formed as expected - no q\n"); -+ gcry_sexp_release (l1); -+ l1 = l2; -+ -+ q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG); -+ if (!q) -+ die ("public key not formed as expected - no mpi in q\n"); -+ qbits = gcry_mpi_get_nbits(q); -+ gcry_sexp_release(l1); -+ gcry_mpi_release(q); -+ switch(qbits) -+ { -+ case 160: -+ return GCRY_MD_SHA1; -+ case 224: -+ return GCRY_MD_SHA224; -+ case 256: -+ return GCRY_MD_SHA256; -+ default: -+ die("bad number bits (%d) of q in key\n", qbits); -+ } -+ return GCRY_MD_NONE; -+} -+ - - /* Sign DATA of length DATALEN using the key taken from the S-expression - encoded KEYFILE. */ -@@ -2029,11 +2182,16 @@ run_dsa_sign (const void *data, size_t d - { - gpg_error_t err; - gcry_sexp_t s_data, s_key, s_sig, s_tmp, s_tmp2; -- char hash[20]; -+ char hash[128]; - gcry_mpi_t tmpmpi; -+ int algo; -+ -+ s_key = read_sexp_from_file (keyfile); -+ algo = dsa_hash_from_key(s_key); - -- gcry_md_hash_buffer (GCRY_MD_SHA1, hash, data, datalen); -- err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, 20, NULL); -+ gcry_md_hash_buffer (algo, hash, data, datalen); -+ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, -+ gcry_md_get_algo_dlen(algo), NULL); - if (!err) - { - err = gcry_sexp_build (&s_data, NULL, -@@ -2044,8 +2202,6 @@ run_dsa_sign (const void *data, size_t d - die ("gcry_sexp_build failed for DSA data input: %s\n", - gpg_strerror (err)); - -- s_key = read_sexp_from_file (keyfile); -- - err = gcry_pk_sign (&s_sig, s_data, s_key); - if (err) - { -@@ -2121,13 +2277,18 @@ run_dsa_verify (const void *data, size_t - { - gpg_error_t err; - gcry_sexp_t s_data, s_key, s_sig; -- char hash[20]; -+ char hash[128]; - gcry_mpi_t tmpmpi; -+ int algo; - -- gcry_md_hash_buffer (GCRY_MD_SHA1, hash, data, datalen); -+ s_key = read_sexp_from_file (keyfile); -+ algo = dsa_hash_from_key(s_key); -+ -+ gcry_md_hash_buffer (algo, hash, data, datalen); - /* Note that we can't simply use %b with HASH to build the - S-expression, because that might yield a negative value. */ -- err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, 20, NULL); -+ err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, -+ gcry_md_get_algo_dlen(algo), NULL); - if (!err) - { - err = gcry_sexp_build (&s_data, NULL, -@@ -2138,7 +2299,6 @@ run_dsa_verify (const void *data, size_t - die ("gcry_sexp_build failed for DSA data input: %s\n", - gpg_strerror (err)); - -- s_key = read_sexp_from_file (keyfile); - s_sig = read_sexp_from_file (sigfile); - - err = gcry_pk_verify (s_sig, s_data, s_key); -@@ -2304,7 +2464,7 @@ usage (int show_help) - "MODE:\n" - " encrypt, decrypt, digest, random, hmac-sha,\n" - " rsa-{derive,gen,sign,verify},\n" -- " dsa-{pqg-gen,gen,sign,verify}, ecdsa-{gen-key,sign,verify}\n" -+ " dsa-{pq-gen,g-gen,gen,sign,verify}, ecdsa-{gen-key,sign,verify}\n" - "OPTIONS:\n" - " --verbose Print additional information\n" - " --binary Input and output is in binary form\n" -@@ -2315,6 +2475,7 @@ usage (int show_help) - " --algo NAME Use algorithm NAME\n" - " --curve NAME Select ECC curve spec NAME\n" - " --keysize N Use a keysize of N bits\n" -+ " --qize N Use a DSA q parameter size of N bits\n" - " --signature NAME Take signature from file NAME\n" - " --chunk N Read in chunks of N bytes (implies --binary)\n" - " --pkcs1 Use PKCS#1 encoding\n" -@@ -2344,6 +2505,7 @@ main (int argc, char **argv) - const char *dt_string = NULL; - const char *algo_string = NULL; - const char *keysize_string = NULL; -+ const char *qsize_string = NULL; - const char *signature_string = NULL; - FILE *input; - void *data; -@@ -2437,6 +2599,14 @@ main (int argc, char **argv) - keysize_string = *argv; - argc--; argv++; - } -+ else if (!strcmp (*argv, "--qsize")) -+ { -+ argc--; argv++; -+ if (!argc) -+ usage (0); -+ qsize_string = *argv; -+ argc--; argv++; -+ } - else if (!strcmp (*argv, "--signature")) - { - argc--; argv++; -@@ -2792,23 +2962,49 @@ main (int argc, char **argv) - } - else if (!strcmp (mode_string, "dsa-pqg-gen")) - { -- int keysize; -+ int keysize, qsize; -+ -+ keysize = keysize_string? atoi (keysize_string) : 0; -+ if (keysize < 1024 || keysize > 3072) -+ die ("invalid keysize specified; needs to be 1024 .. 3072\n"); -+ qsize = qsize_string? atoi (qsize_string) : 0; -+ if (qsize < 160 || qsize > 256) -+ die ("invalid qsize specified; needs to be 160 .. 256\n"); -+ run_dsa_pqg_gen (keysize, qsize, datalen? data:NULL, datalen); -+ } -+ else if (!strcmp (mode_string, "dsa-g-gen")) -+ { -+ int keysize, qsize; - - keysize = keysize_string? atoi (keysize_string) : 0; - if (keysize < 1024 || keysize > 3072) - die ("invalid keysize specified; needs to be 1024 .. 3072\n"); -- run_dsa_pqg_gen (keysize, datalen? data:NULL, datalen); -+ qsize = qsize_string? atoi (qsize_string) : 0; -+ if (qsize < 160 || qsize > 256) -+ die ("invalid qsize specified; needs to be 160 .. 256\n"); -+ if (!key_string) -+ die ("option --key containing pq domain parameters is required in this mode\n"); -+ run_dsa_g_gen (keysize, qsize, key_string); -+ } -+ else if (!strcmp (mode_string, "dsa-gen-key")) -+ { -+ if (!key_string) -+ die ("option --key containing pqg domain parameters is required in this mode\n"); -+ run_dsa_gen_key (key_string); - } - else if (!strcmp (mode_string, "dsa-gen")) - { -- int keysize; -+ int keysize, qsize; - - keysize = keysize_string? atoi (keysize_string) : 0; - if (keysize < 1024 || keysize > 3072) - die ("invalid keysize specified; needs to be 1024 .. 3072\n"); -+ qsize = qsize_string? atoi (qsize_string) : 0; -+ if (qsize < 160 || qsize > 256) -+ die ("invalid qsize specified; needs to be 160 .. 256\n"); - if (!key_string) - die ("option --key is required in this mode\n"); -- run_dsa_gen (keysize, key_string); -+ run_dsa_gen (keysize, qsize, key_string); - } - else if (!strcmp (mode_string, "dsa-sign")) - { diff --git a/libgcrypt-1.7.3-fips-reqs.patch b/libgcrypt-1.7.3-fips-reqs.patch deleted file mode 100644 index ef7f765..0000000 --- a/libgcrypt-1.7.3-fips-reqs.patch +++ /dev/null @@ -1,35 +0,0 @@ -diff -up libgcrypt-1.7.3/src/visibility.c.fips-reqs libgcrypt-1.7.3/src/visibility.c ---- libgcrypt-1.7.3/src/visibility.c.fips-reqs 2016-03-23 12:59:34.000000000 +0100 -+++ libgcrypt-1.7.3/src/visibility.c 2016-11-22 16:29:36.992042480 +0100 -@@ -1288,6 +1288,8 @@ gcry_kdf_derive (const void *passphrase, - unsigned long iterations, - size_t keysize, void *keybuffer) - { -+ if (!fips_is_operational ()) -+ return gpg_error (fips_not_operational ()); - return gpg_error (_gcry_kdf_derive (passphrase, passphraselen, algo, hashalgo, - salt, saltlen, iterations, - keysize, keybuffer)); -@@ -1343,6 +1345,13 @@ void - gcry_mpi_randomize (gcry_mpi_t w, - unsigned int nbits, enum gcry_random_level level) - { -+ if (!fips_is_operational ()) -+ { -+ (void)fips_not_operational (); -+ fips_signal_fatal_error ("called in non-operational state"); -+ fips_noreturn (); -+ } -+ - _gcry_mpi_randomize (w, nbits, level); - } - -@@ -1368,6 +1377,8 @@ gcry_prime_generate (gcry_mpi_t *prime, - gcry_random_level_t random_level, - unsigned int flags) - { -+ if (!fips_is_operational ()) -+ return gpg_error (fips_not_operational ()); - return gpg_error (_gcry_prime_generate (prime, prime_bits, factor_bits, - factors, cb_func, cb_arg, - random_level, flags)); diff --git a/libgcrypt-1.8.3-fips-ctor.patch b/libgcrypt-1.8.3-fips-ctor.patch deleted file mode 100644 index e04201f..0000000 --- a/libgcrypt-1.8.3-fips-ctor.patch +++ /dev/null @@ -1,256 +0,0 @@ -diff -up libgcrypt-1.8.3/cipher/md.c.fips-ctor libgcrypt-1.8.3/cipher/md.c ---- libgcrypt-1.8.3/cipher/md.c.fips-ctor 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/cipher/md.c 2018-07-12 13:24:54.088403006 +0200 -@@ -411,11 +411,8 @@ md_enable (gcry_md_hd_t hd, int algorith - - if (!err && algorithm == GCRY_MD_MD5 && fips_mode ()) - { -- _gcry_inactivate_fips_mode ("MD5 used"); - if (_gcry_enforced_fips_mode () ) - { -- /* We should never get to here because we do not register -- MD5 in enforced fips mode. But better throw an error. */ - err = GPG_ERR_DIGEST_ALGO; - } - } -diff -up libgcrypt-1.8.3/src/fips.c.fips-ctor libgcrypt-1.8.3/src/fips.c ---- libgcrypt-1.8.3/src/fips.c.fips-ctor 2018-07-12 13:24:54.075402698 +0200 -+++ libgcrypt-1.8.3/src/fips.c 2018-07-12 13:24:54.088403006 +0200 -@@ -91,6 +91,31 @@ static void fips_new_state (enum module_ - - - -+/* Initialize the FSM lock - this function may only -+ be called once and is intended to be run from the library -+ constructor */ -+void -+_gcry_initialize_fsm_lock (void) -+{ -+ gpg_error_t err; -+ /* Intitialize the lock to protect the FSM. */ -+ err = gpgrt_lock_init (&fsm_lock); -+ if (err) -+ { -+ /* If that fails we can't do anything but abort the -+ process. We need to use log_info so that the FSM won't -+ get involved. */ -+ log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n", -+ gpg_strerror (err)); -+#ifdef HAVE_SYSLOG -+ syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " -+ "creating FSM lock failed: %s - abort", -+ gpg_strerror (err)); -+#endif /*HAVE_SYSLOG*/ -+ abort (); -+ } -+} -+ - /* Check whether the OS is in FIPS mode and record that in a module - local variable. If FORCE is passed as true, fips mode will be - enabled anyway. Note: This function is not thread-safe and should -@@ -100,7 +125,6 @@ void - _gcry_initialize_fips_mode (int force) - { - static int done; -- gpg_error_t err; - - /* Make sure we are not accidentally called twice. */ - if (done) -@@ -179,24 +203,6 @@ _gcry_initialize_fips_mode (int force) - /* Yes, we are in FIPS mode. */ - FILE *fp; - -- /* Intitialize the lock to protect the FSM. */ -- err = gpgrt_lock_init (&fsm_lock); -- if (err) -- { -- /* If that fails we can't do anything but abort the -- process. We need to use log_info so that the FSM won't -- get involved. */ -- log_info ("FATAL: failed to create the FSM lock in libgcrypt: %s\n", -- gpg_strerror (err)); --#ifdef HAVE_SYSLOG -- syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " -- "creating FSM lock failed: %s - abort", -- gpg_strerror (err)); --#endif /*HAVE_SYSLOG*/ -- abort (); -- } -- -- - /* If the FIPS force files exists, is readable and has a number - != 0 on its first line, we enable the enforced fips mode. */ - fp = fopen (FIPS_FORCE_FILE, "r"); -@@ -359,16 +365,20 @@ _gcry_fips_is_operational (void) - { - int result; - -- if (!fips_mode ()) -+ lock_fsm (); -+ if (current_state == STATE_POWERON && !fips_mode ()) -+ /* If we are at this point in POWERON state it means the FIPS -+ module installation was not completed. (/etc/system-fips -+ is not present.) */ - result = 1; - else - { -- lock_fsm (); -- if (current_state == STATE_INIT) -+ if (current_state == STATE_INIT || current_state == STATE_SELFTEST) - { -- /* If we are still in the INIT state, we need to run the -- selftests so that the FSM can eventually get into -- operational state. Given that we would need a 2-phase -+ /* If we are still in the INIT (or SELFTEST) state, -+ we need to run (or finish) the selftests so -+ that the FSM can eventually get into operational -+ state. Given that we would need a 2-phase - initialization of libgcrypt, but that has traditionally - not been enforced, we use this on demand self-test - checking. Note that Proper applications would do the -@@ -384,9 +394,11 @@ _gcry_fips_is_operational (void) - lock_fsm (); - } - -- result = (current_state == STATE_OPERATIONAL); -- unlock_fsm (); -+ result = (current_state == STATE_OPERATIONAL) || !fips_mode (); -+ /* We always run the selftests but ignore the result -+ in non-FIPS mode. */ - } -+ unlock_fsm (); - return result; - } - -@@ -709,9 +721,25 @@ _gcry_fips_run_selftests (int extended) - { - enum module_states result = STATE_ERROR; - gcry_err_code_t ec = GPG_ERR_SELFTEST_FAILED; -+ int in_poweron; - -- if (fips_mode ()) -- fips_new_state (STATE_SELFTEST); -+ lock_fsm (); -+ in_poweron = (current_state == STATE_POWERON); -+ unlock_fsm (); -+ -+ fips_new_state (STATE_SELFTEST); -+ -+ /* We first check the integrity of the binary. -+ If run from the constructor we are in POWERON state, -+ we return and finish the remaining selftests before -+ real use of the library. It will be in the POWERON -+ state meanwhile. */ -+ if (in_poweron) -+ if (check_binary_integrity ()) -+ goto leave; -+ -+ if (in_poweron) -+ return 0; - - if (run_cipher_selftests (extended)) - goto leave; -@@ -730,18 +758,12 @@ _gcry_fips_run_selftests (int extended) - if (run_pubkey_selftests (extended)) - goto leave; - -- /* Now check the integrity of the binary. We do this this after -- having checked the HMAC code. */ -- if (check_binary_integrity ()) -- goto leave; -- - /* All selftests passed. */ - result = STATE_OPERATIONAL; - ec = 0; - - leave: -- if (fips_mode ()) -- fips_new_state (result); -+ fips_new_state (result); - - return ec; - } -@@ -797,6 +819,7 @@ fips_new_state (enum module_states new_s - { - case STATE_POWERON: - if (new_state == STATE_INIT -+ || new_state == STATE_SELFTEST - || new_state == STATE_ERROR - || new_state == STATE_FATALERROR) - ok = 1; -@@ -811,6 +834,8 @@ fips_new_state (enum module_states new_s - - case STATE_SELFTEST: - if (new_state == STATE_OPERATIONAL -+ || new_state == STATE_INIT -+ || new_state == STATE_SELFTEST - || new_state == STATE_ERROR - || new_state == STATE_FATALERROR) - ok = 1; -diff -up libgcrypt-1.8.3/src/global.c.fips-ctor libgcrypt-1.8.3/src/global.c ---- libgcrypt-1.8.3/src/global.c.fips-ctor 2017-11-23 19:25:58.000000000 +0100 -+++ libgcrypt-1.8.3/src/global.c 2018-07-17 19:15:43.933827112 +0200 -@@ -141,6 +141,29 @@ global_init (void) - } - - -+#ifndef FIPS_MODULE_PATH -+#define FIPS_MODULE_PATH "/etc/system-fips" -+#endif -+ -+void __attribute__ ((constructor)) _gcry_global_constructor (void) -+{ -+ int rv; -+ -+ /* We always need the FSM lock to be functional. */ -+ _gcry_initialize_fsm_lock (); -+ -+ rv = access (FIPS_MODULE_PATH, F_OK); -+ if (rv < 0 && errno != ENOENT) -+ rv = 0; -+ -+ if (!rv) -+ { -+ /* We run the integrity check at this point. The remaining -+ selftests are run before use of the library by application. */ -+ _gcry_fips_run_selftests (0); -+ } -+} -+ - /* This function is called by the macro fips_is_operational and makes - sure that the minimal initialization has been done. This is far - from a perfect solution and hides problems with an improper -@@ -671,8 +694,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, - - case GCRYCTL_FIPS_MODE_P: - if (fips_mode () -- && !_gcry_is_fips_mode_inactive () -- && !no_secure_memory) -+ && !_gcry_is_fips_mode_inactive ()) - rc = GPG_ERR_GENERAL; /* Used as TRUE value */ - break; - -@@ -749,9 +771,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, - break; - - case GCRYCTL_SET_ENFORCED_FIPS_FLAG: -- if (!any_init_done) -+ if (fips_mode ()) - { -- /* Not yet initialized at all. Set the enforced fips mode flag */ -+ /* We are in FIPS mode, we can set the enforced fips mode flag. */ - _gcry_set_preferred_rng_type (0); - _gcry_set_enforced_fips_mode (); - } -diff -up libgcrypt-1.8.3/src/g10lib.h.fips-ctor libgcrypt-1.8.3/src/g10lib.h ---- libgcrypt-1.8.3/src/g10lib.h.fips-ctor 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/src/g10lib.h 2018-07-12 13:24:54.089403030 +0200 -@@ -422,6 +422,8 @@ gpg_err_code_t _gcry_sexp_vextract_param - - /*-- fips.c --*/ - -+void _gcry_initialize_fsm_lock (void); -+ - void _gcry_initialize_fips_mode (int force); - - int _gcry_fips_mode (void); diff --git a/libgcrypt-1.8.4-fips-keygen.patch b/libgcrypt-1.8.4-fips-keygen.patch deleted file mode 100644 index 9d3a647..0000000 --- a/libgcrypt-1.8.4-fips-keygen.patch +++ /dev/null @@ -1,65 +0,0 @@ -diff -up libgcrypt-1.8.4/cipher/dsa.c.fips-keygen libgcrypt-1.8.4/cipher/dsa.c ---- libgcrypt-1.8.4/cipher/dsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/cipher/dsa.c 2019-02-12 14:29:25.629513989 +0100 -@@ -457,11 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un - &prime_q, &prime_p, - r_counter, - r_seed, r_seedlen); -- else -- ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, -+ else if (!domain->p || !domain->q) -+ ec = _gcry_generate_fips186_3_prime (nbits, qbits, -+ initial_seed.seed, -+ initial_seed.seedlen, - &prime_q, &prime_p, - r_counter, - r_seed, r_seedlen, NULL); -+ else -+ { -+ /* Domain parameters p and q are given; use them. */ -+ prime_p = mpi_copy (domain->p); -+ prime_q = mpi_copy (domain->q); -+ gcry_assert (mpi_get_nbits (prime_p) == nbits); -+ gcry_assert (mpi_get_nbits (prime_q) == qbits); -+ ec = 0; -+ } - sexp_release (initial_seed.sexp); - if (ec) - goto leave; -@@ -855,13 +866,12 @@ dsa_generate (const gcry_sexp_t genparms - sexp_release (l1); - sexp_release (domainsexp); - -- /* Check that all domain parameters are available. */ -- if (!domain.p || !domain.q || !domain.g) -+ /* Check that p and q domain parameters are available. */ -+ if (!domain.p || !domain.q || (!domain.g && !(flags & PUBKEY_FLAG_USE_FIPS186))) - { - _gcry_mpi_release (domain.p); - _gcry_mpi_release (domain.q); - _gcry_mpi_release (domain.g); -- sexp_release (deriveparms); - return GPG_ERR_MISSING_VALUE; - } - -diff -up libgcrypt-1.8.4/cipher/rsa.c.fips-keygen libgcrypt-1.8.4/cipher/rsa.c ---- libgcrypt-1.8.4/cipher/rsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/cipher/rsa.c 2019-02-12 14:29:25.630513971 +0100 -@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig - - if (nbits < 1024 || (nbits & 0x1FF)) - return GPG_ERR_INV_VALUE; -- if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072) -+ if (fips_mode() && nbits < 2048) - return GPG_ERR_INV_VALUE; - - /* The random quality depends on the transient_key flag. */ -@@ -696,7 +696,7 @@ generate_x931 (RSA_secret_key *sk, unsig - - *swapped = 0; - -- if (e_value == 1) /* Alias for a secure value. */ -+ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */ - e_value = 65537; - - /* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */ diff --git a/libgcrypt-1.8.4-getrandom.patch b/libgcrypt-1.8.4-getrandom.patch deleted file mode 100644 index a2fb7b9..0000000 --- a/libgcrypt-1.8.4-getrandom.patch +++ /dev/null @@ -1,134 +0,0 @@ -diff -up libgcrypt-1.8.4/random/random.c.getrandom libgcrypt-1.8.4/random/random.c ---- libgcrypt-1.8.4/random/random.c.getrandom 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/random/random.c 2018-11-20 15:52:41.738708554 +0100 -@@ -110,8 +110,8 @@ _gcry_random_read_conf (void) - unsigned int result = 0; - - fp = fopen (fname, "r"); -- if (!fp) -- return result; -+ if (!fp) /* We make only_urandom the default. */ -+ return RANDOM_CONF_ONLY_URANDOM; - - for (;;) - { -diff -up libgcrypt-1.8.4/random/random-csprng.c.getrandom libgcrypt-1.8.4/random/random-csprng.c ---- libgcrypt-1.8.4/random/random-csprng.c.getrandom 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/random/random-csprng.c 2018-11-20 15:52:41.738708554 +0100 -@@ -55,6 +55,10 @@ - #ifdef __MINGW32__ - #include - #endif -+#if defined(__linux__) && defined(HAVE_SYSCALL) -+# include -+# include -+#endif - #include "g10lib.h" - #include "random.h" - #include "rand-internal.h" -@@ -1116,6 +1120,22 @@ getfnc_gather_random (void))(void (*)(co - enum random_origins, size_t, int); - - #if USE_RNDLINUX -+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) -+ long ret; -+ char buffer[1]; -+ -+ _gcry_pre_syscall (); -+ ret = syscall (__NR_getrandom, -+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK); -+ _gcry_post_syscall (); -+ if (ret != -1 || errno != ENOSYS) -+ { -+ fnc = _gcry_rndlinux_gather_random; -+ return fnc; -+ } -+ else -+ /* The syscall is not supported - fallback to /dev/urandom. */ -+#endif - if ( !access (NAME_OF_DEV_RANDOM, R_OK) - && !access (NAME_OF_DEV_URANDOM, R_OK)) - { -diff -up libgcrypt-1.8.4/random/rndlinux.c.getrandom libgcrypt-1.8.4/random/rndlinux.c ---- libgcrypt-1.8.4/random/rndlinux.c.getrandom 2018-11-20 15:52:41.731708393 +0100 -+++ libgcrypt-1.8.4/random/rndlinux.c 2018-11-20 16:06:45.431207374 +0100 -@@ -35,6 +35,7 @@ - #include - #if defined(__linux__) && defined(HAVE_SYSCALL) - # include -+# include - #endif - - #include "types.h" -@@ -147,12 +148,12 @@ _gcry_rndlinux_gather_random (void (*add - if (!add) - { - /* Special mode to close the descriptors. */ -- if (fd_random != -1) -+ if (fd_random >= 0) - { - close (fd_random); - fd_random = -1; - } -- if (fd_urandom != -1) -+ if (fd_urandom >= 0) - { - close (fd_urandom); - fd_urandom = -1; -@@ -166,12 +167,12 @@ _gcry_rndlinux_gather_random (void (*add - apid = getpid (); - if (my_pid != apid) - { -- if (fd_random != -1) -+ if (fd_random >= 0) - { - close (fd_random); - fd_random = -1; - } -- if (fd_urandom != -1) -+ if (fd_urandom >= 0) - { - close (fd_urandom); - fd_urandom = -1; -@@ -216,6 +217,22 @@ _gcry_rndlinux_gather_random (void (*add - that we always require the device to be existent but want a more - graceful behaviour if the rarely needed close operation has been - used and the device needs to be re-opened later. */ -+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) -+ if (fd_urandom != -2) -+ { -+ long ret; -+ -+ _gcry_pre_syscall (); -+ ret = syscall (__NR_getrandom, -+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK); -+ _gcry_post_syscall (); -+ if (ret > -1 || errno == EAGAIN || errno == EINTR) -+ { -+ fd_urandom = -2; -+ fd_random = -2; -+ } -+ } -+#endif - if (level >= GCRY_VERY_STRONG_RANDOM && !only_urandom) - { - if (fd_random == -1) -@@ -255,6 +272,7 @@ _gcry_rndlinux_gather_random (void (*add - * syscall and not a new device and thus we are not able to use - * select(2) to have a timeout. */ - #if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) -+ if (fd == -2) - { - long ret; - size_t nbytes; -@@ -270,9 +288,7 @@ _gcry_rndlinux_gather_random (void (*add - _gcry_post_syscall (); - } - while (ret == -1 && errno == EINTR); -- if (ret == -1 && errno == ENOSYS) -- ; /* The syscall is not supported - fallback to pulling from fd. */ -- else -+ if (1) - { /* The syscall is supported. Some sanity checks. */ - if (ret == -1) - log_fatal ("unexpected error from getrandom: %s\n", diff --git a/libgcrypt-1.8.4-tests-fipsmode.patch b/libgcrypt-1.8.4-tests-fipsmode.patch deleted file mode 100644 index 1442a0b..0000000 --- a/libgcrypt-1.8.4-tests-fipsmode.patch +++ /dev/null @@ -1,184 +0,0 @@ -diff -up libgcrypt-1.8.4/tests/basic.c.tests-fipsmode libgcrypt-1.8.4/tests/basic.c ---- libgcrypt-1.8.4/tests/basic.c.tests-fipsmode 2018-04-17 17:29:40.000000000 +0200 -+++ libgcrypt-1.8.4/tests/basic.c 2019-02-12 13:30:48.935791024 +0100 -@@ -6964,7 +6964,7 @@ check_ciphers (void) - check_one_cipher (algos[i], GCRY_CIPHER_MODE_CTR, 0); - if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_CCM_BLOCK_LEN) - check_one_cipher (algos[i], GCRY_CIPHER_MODE_CCM, 0); -- if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN) -+ if (!in_fips_mode && gcry_cipher_get_algo_blklen (algos[i]) == GCRY_GCM_BLOCK_LEN) - check_one_cipher (algos[i], GCRY_CIPHER_MODE_GCM, 0); - if (gcry_cipher_get_algo_blklen (algos[i]) == GCRY_OCB_BLOCK_LEN) - check_one_cipher (algos[i], GCRY_CIPHER_MODE_OCB, 0); -@@ -7010,11 +7010,17 @@ check_cipher_modes(void) - check_cfb_cipher (); - check_ofb_cipher (); - check_ccm_cipher (); -- check_gcm_cipher (); -- check_poly1305_cipher (); -- check_ocb_cipher (); -+ if (!in_fips_mode) -+ { -+ check_gcm_cipher (); -+ check_poly1305_cipher (); -+ check_ocb_cipher (); -+ } - check_xts_cipher (); -- check_gost28147_cipher (); -+ if (!in_fips_mode) -+ { -+ check_gost28147_cipher (); -+ } - check_stream_cipher (); - check_stream_cipher_large_block (); - -@@ -10001,7 +10007,7 @@ check_mac (void) - show_mac_not_available (algos[i].algo); - continue; - } -- if (gcry_mac_test_algo (algos[i].algo) && in_fips_mode) -+ if ((algos[i].algo == GCRY_MAC_GMAC_AES || gcry_mac_test_algo (algos[i].algo)) && in_fips_mode) - { - if (verbose) - fprintf (stderr, " algorithm %d not available in fips mode\n", -@@ -11095,8 +11101,6 @@ main (int argc, char **argv) - /* If we are in fips mode do some more tests. */ - gcry_md_hd_t md; - -- /* First trigger a self-test. */ -- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); - if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) - fail ("not in operational state after self-test\n"); - -@@ -11121,15 +11125,6 @@ main (int argc, char **argv) - gcry_md_close (md); - if (gcry_control (GCRYCTL_OPERATIONAL_P, 0)) - fail ("expected error state but still in operational state\n"); -- else -- { -- /* Now run a self-test and to get back into -- operational state. */ -- xgcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); -- if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) -- fail ("did not reach operational after error " -- "and self-test\n"); -- } - } - } - -diff -up libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode libgcrypt-1.8.4/tests/benchmark.c ---- libgcrypt-1.8.4/tests/benchmark.c.tests-fipsmode 2019-02-12 11:31:44.859603883 +0100 -+++ libgcrypt-1.8.4/tests/benchmark.c 2019-02-12 14:10:40.271999352 +0100 -@@ -872,8 +872,10 @@ cipher_bench ( const char *algoname ) - || (blklen == 1 && modes[modeidx].mode != GCRY_CIPHER_MODE_STREAM)) - continue; - -- if (modes[modeidx].req_blocksize > 0 -- && blklen != modes[modeidx].req_blocksize) -+ if ((modes[modeidx].req_blocksize > 0 -+ && blklen != modes[modeidx].req_blocksize) -+ || (in_fips_mode -+ && modes[modeidx].mode == GCRY_CIPHER_MODE_GCM)) - { - printf (" %7s %7s", "-", "-" ); - continue; -diff -up libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode libgcrypt-1.8.4/tests/bench-slope.c ---- libgcrypt-1.8.4/tests/bench-slope.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/tests/bench-slope.c 2019-02-12 14:14:33.618763325 +0100 -@@ -1338,7 +1338,7 @@ cipher_bench_one (int algo, struct bench - return; - - /* GCM has restrictions for block-size */ -- if (mode.mode == GCRY_CIPHER_MODE_GCM && blklen != GCRY_GCM_BLOCK_LEN) -+ if (mode.mode == GCRY_CIPHER_MODE_GCM && (gcry_fips_mode_active () || blklen != GCRY_GCM_BLOCK_LEN)) - return; - - /* XTS has restrictions for block-size */ -diff -up libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode libgcrypt-1.8.4/tests/pubkey.c ---- libgcrypt-1.8.4/tests/pubkey.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/tests/pubkey.c 2019-02-12 13:52:25.658746415 +0100 -@@ -504,15 +504,30 @@ get_dsa_key_with_domain_new (gcry_sexp_t - rc = gcry_sexp_new - (&key_spec, - "(genkey (dsa (transient-key)(domain" -- "(p #d3aed1876054db831d0c1348fbb1ada72507e5fbf9a62cbd47a63aeb7859d6921" -- "4adeb9146a6ec3f43520f0fd8e3125dd8bbc5d87405d1ac5f82073cd762a3f8d7" -- "74322657c9da88a7d2f0e1a9ceb84a39cb40876179e6a76e400498de4bb9379b0" -- "5f5feb7b91eb8fea97ee17a955a0a8a37587a272c4719d6feb6b54ba4ab69#)" -- "(q #9c916d121de9a03f71fb21bc2e1c0d116f065a4f#)" -- "(g #8157c5f68ca40b3ded11c353327ab9b8af3e186dd2e8dade98761a0996dda99ab" -- "0250d3409063ad99efae48b10c6ab2bba3ea9a67b12b911a372a2bba260176fad" -- "b4b93247d9712aad13aa70216c55da9858f7a298deb670a403eb1e7c91b847f1e" -- "ccfbd14bd806fd42cf45dbb69cd6d6b43add2a78f7d16928eaa04458dea44#)" -+ " (p #a85378d8fd3f8d72ec7418080da21317e43ec4b62ba8c862" -+ " 3b7e4d04441dd1a0658662596493ca8e9e8fbb7e34aaddb6" -+ " 2e5d67b6d09a6e61b769e7c352aa2b10e20ca0636963b552" -+ " 3e86470decbbeda027e797e7b67635d4d49c30700e74af8a" -+ " 0ff156a801af57a26e7078f1d82f74908ecb6d07e70b3503" -+ " eed94fa32cf17a7fc3d6cf40dc7b00830e6a2566dc073e34" -+ " 3312517c6aa5152b4bfecd2e551fee346318a153423c996b" -+ " 0d5dcb9102aedd38798616f1f1e0d6c403525b1f9b3d4dc7" -+ " 66de2dfc4a56d7b8ba5963d60f3e16318870ad436952e557" -+ " 65374eab85e8ec17d6b9a4547b9b5f2752f3105be809b23a" -+ " 2c8d7469db02e24d592394a7dba069e9#)" -+ " (q #d277044e50f5a4e3f510a50a0b84fdffbca047ed27602056" -+ " 7441a0a5#)" -+ " (g #13d754e21fd241655da891c522a65a72a89bdc64ec9b54a8" -+ " 21ed4a898b490e0c4fcb72192a4a20f541f3f2925399f0ba" -+ " ecf929aafbf79dfe4332393b32cd2e2fcf272f32a627434a" -+ " 0df242b75b414df372121e53a553f222f836b000f016485b" -+ " 6bd0898451801dcd8de64cd5365696ffc532d528c506620a" -+ " 942a0305046d8f1876341f1e570bc3974ba6b9a438e97023" -+ " 02a2e6e67bfd06d32bc679962271d7b40cd72f386e64e0d7" -+ " ef86ca8ca5d14228dc2a4f16e3189886b5990674f4200f3a" -+ " 4cf65a3f0ddba1fa672dff2f5e143d10e4e97ae84f6da095" -+ " 35d5b9df259181a79b63b069e949972b02ba36b3586aab7e" -+ " 45f322f82e4e85ca3ab85591b3c2a966#)" - ")))", 0, 1); - if (rc) - die ("error creating S-expression: %s\n", gcry_strerror (rc)); -@@ -595,7 +610,7 @@ get_dsa_key_fips186_with_seed_new (gcry_ - " (use-fips186)" - " (transient-key)" - " (derive-parms" -- " (seed #0cb1990c1fd3626055d7a0096f8fa99807399871#))))", -+ " (seed #8b4c4d671fff82e8ed932260206d0571e3a1c2cee8cd94cb73fe58f9b67488fa#))))", - 0, 1); - if (rc) - die ("error creating S-expression: %s\n", gcry_strerror (rc)); -diff -up libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode libgcrypt-1.8.4/tests/t-cv25519.c ---- libgcrypt-1.8.4/tests/t-cv25519.c.tests-fipsmode 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/tests/t-cv25519.c 2019-02-12 14:02:35.935705390 +0100 -@@ -560,6 +560,9 @@ main (int argc, char **argv) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); -+ /* Curve25519 isn't supported in fips mode */ -+ if (gcry_fips_mode_active()) -+ return 77; - - start_timer (); - check_cv25519 (); -diff -up libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode libgcrypt-1.8.4/tests/t-secmem.c ---- libgcrypt-1.8.4/tests/t-secmem.c.tests-fipsmode 2017-11-23 19:19:54.000000000 +0100 -+++ libgcrypt-1.8.4/tests/t-secmem.c 2019-02-12 11:51:02.462190538 +0100 -@@ -174,7 +174,8 @@ main (int argc, char **argv) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - xgcry_control (GCRYCTL_INIT_SECMEM, pool_size, 0); -- gcry_set_outofcore_handler (outofcore_handler, NULL); -+ if (!gcry_fips_mode_active ()) -+ gcry_set_outofcore_handler (outofcore_handler, NULL); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); - - /* Libgcrypt prints a warning when the first overflow is allocated; -@@ -184,7 +185,8 @@ main (int argc, char **argv) - - - test_secmem (); -- test_secmem_overflow (); -+ if (!gcry_fips_mode_active ()) -+ test_secmem_overflow (); - /* FIXME: We need to improve the tests, for example by registering - * our own log handler and comparing the output of - * PRIV_CTL_DUMP_SECMEM_STATS to expected pattern. */ diff --git a/libgcrypt-1.8.4-use-poll.patch b/libgcrypt-1.8.4-use-poll.patch deleted file mode 100644 index b96c6ce..0000000 --- a/libgcrypt-1.8.4-use-poll.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff -up libgcrypt-1.8.4/random/rndlinux.c.use-poll libgcrypt-1.8.4/random/rndlinux.c ---- libgcrypt-1.8.4/random/rndlinux.c.use-poll 2018-10-26 13:50:20.000000000 +0200 -+++ libgcrypt-1.8.4/random/rndlinux.c 2018-11-20 15:51:56.760669058 +0100 -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - #if defined(__linux__) && defined(HAVE_SYSCALL) - # include - #endif -@@ -241,9 +242,8 @@ _gcry_rndlinux_gather_random (void (*add - return with something we will actually use 100ms. */ - while (length) - { -- fd_set rfds; -- struct timeval tv; - int rc; -+ struct pollfd pfd; - - /* If we have a modern Linux kernel, we first try to use the new - * getrandom syscall. That call guarantees that the kernel's -@@ -300,36 +300,25 @@ _gcry_rndlinux_gather_random (void (*add - any_need_entropy = 1; - } - -- /* If the system has no limit on the number of file descriptors -- and we encounter an fd which is larger than the fd_set size, -- we don't use the select at all. The select code is only used -- to emit progress messages. A better solution would be to -- fall back to poll() if available. */ --#ifdef FD_SETSIZE -- if (fd < FD_SETSIZE) --#endif -+ pfd.fd = fd; -+ pfd.events = POLLIN; -+ -+ _gcry_pre_syscall (); -+ rc = poll(&pfd, 1, delay); -+ _gcry_post_syscall (); -+ if (!rc) - { -- FD_ZERO(&rfds); -- FD_SET(fd, &rfds); -- tv.tv_sec = delay; -- tv.tv_usec = delay? 0 : 100000; -- _gcry_pre_syscall (); -- rc = select (fd+1, &rfds, NULL, NULL, &tv); -- _gcry_post_syscall (); -- if (!rc) -- { -- any_need_entropy = 1; -- delay = 3; /* Use 3 seconds henceforth. */ -- continue; -- } -- else if( rc == -1 ) -- { -- log_error ("select() error: %s\n", strerror(errno)); -- if (!delay) -- delay = 1; /* Use 1 second if we encounter an error before -- we have ever blocked. */ -- continue; -- } -+ any_need_entropy = 1; -+ delay = 3000; /* Use 3 seconds henceforth. */ -+ continue; -+ } -+ else if( rc == -1 ) -+ { -+ log_error ("poll() error: %s\n", strerror(errno)); -+ if (!delay) -+ delay = 1000; /* Use 1 second if we encounter an error before -+ we have ever blocked. */ -+ continue; - } - - do diff --git a/mingw-libgcrypt.spec b/mingw-libgcrypt.spec index 7afd0bb..1454c00 100644 --- a/mingw-libgcrypt.spec +++ b/mingw-libgcrypt.spec @@ -3,49 +3,19 @@ %global run_tests 0 Name: mingw-libgcrypt -Version: 1.8.4 -Release: 12%{?dist} +Version: 1.10.3 +Release: 1%{?dist} Summary: MinGW Windows gcrypt encryption library License: LGPLv2+ and GPLv2+ URL: ftp://ftp.gnupg.org/gcrypt/libgcrypt/ -Source0: libgcrypt-%{version}-hobbled.tar.xz -# The original libgcrypt sources now contain potentially patented ECC -# cipher support. We have to remove it in the tarball we ship with -# the hobble-libgcrypt script. -# (We replace it with RH approved ECC in Source4-5) -#Source0: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 -#Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig -Source2: wk@g10code.com -Source3: hobble-libgcrypt -# Approved ECC support (from 1.6.1) -Source4: ecc-curves.c -Source5: curves.c -Source6: t-mpi-point.c -Source7: random.conf - -# make FIPS hmac compatible with fipscheck - non upstreamable -# update on soname bump -Patch2: libgcrypt-1.6.2-use-fipscheck.patch -# modify FIPS RSA and DSA keygen to comply with requirements -Patch5: libgcrypt-1.8.4-fips-keygen.patch -# fix the tests to work correctly in the FIPS mode -Patch6: libgcrypt-1.8.4-tests-fipsmode.patch -# update the CAVS tests -Patch7: libgcrypt-1.7.3-fips-cavs.patch -# use poll instead of select when gathering randomness -Patch11: libgcrypt-1.8.4-use-poll.patch -# slight optimalization of mpicoder.c to silence Valgrind (#968288) -Patch13: libgcrypt-1.6.1-mpicoder-gccopt.patch -# fix tests to work with approved ECC -Patch14: libgcrypt-1.7.3-ecc-test-fix.patch -# Run the FIPS mode initialization in the shared library constructor -Patch18: libgcrypt-1.8.3-fips-ctor.patch -# Block some operations if in FIPS non-operational state -Patch22: libgcrypt-1.7.3-fips-reqs.patch -# Do not try to open /dev/urandom if getrandom() works -Patch24: libgcrypt-1.8.4-getrandom.patch +Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 +Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig +Source2: wk@g10code.com + +# Pass the annobin flags to the libgcrypt.so (#2016349) +Patch1: libgcrypt-1.10.1-annobin.patch # MinGW-specific patches @@ -55,7 +25,8 @@ Patch1000: libgcrypt-use-correct-def-file.patch BuildArch: noarch -BuildRequires: make +BuildRequires: autoconf, automake, libtool +BuildRequires: make BuildRequires: mingw32-filesystem >= 95 BuildRequires: mingw32-gcc BuildRequires: mingw32-binutils @@ -125,25 +96,11 @@ Static library for mingw64-libgcrypt development. %prep %setup -q -n libgcrypt-%{version} -%{SOURCE3} -%patch2 -p1 -b .use-fipscheck -%patch5 -p1 -b .fips-keygen -%patch6 -p1 -b .tests-fipsmode -%patch7 -p1 -b .cavs -%patch11 -p1 -b .use-poll -%patch13 -p1 -b .gccopt -%patch14 -p1 -b .eccfix -%patch18 -p1 -b .fips-ctor -%patch22 -p1 -b .fips-reqs -%patch24 -p1 -b .getrandom - -%patch1000 -p0 -b .def +%patch -P1 -p1 -cp %{SOURCE4} cipher/ -cp %{SOURCE5} %{SOURCE6} tests/ +%patch -P1000 -p0 -b .def -# Needed for the asm64 patch -#autoreconf -i --force +autoreconf -i --force %build @@ -191,6 +148,7 @@ rm $RPM_BUILD_ROOT%{mingw64_libdir}/libgcrypt.la %{mingw32_bindir}/libgcrypt-20.dll %{mingw32_bindir}/libgcrypt-config %{mingw32_libdir}/libgcrypt.dll.a +%{mingw32_libdir}/pkgconfig/libgcrypt.pc %{mingw32_includedir}/gcrypt.h %{mingw32_datadir}/aclocal/libgcrypt.m4 @@ -205,14 +163,20 @@ rm $RPM_BUILD_ROOT%{mingw64_libdir}/libgcrypt.la %{mingw64_bindir}/libgcrypt-20.dll %{mingw64_bindir}/libgcrypt-config %{mingw64_libdir}/libgcrypt.dll.a +%{mingw64_libdir}/pkgconfig/libgcrypt.pc %{mingw64_includedir}/gcrypt.h %{mingw64_datadir}/aclocal/libgcrypt.m4 + %files -n mingw64-libgcrypt-static %{mingw64_libdir}/libgcrypt.a %changelog +* Fri Mar 08 2024 Richard W.M. Jones - 1.10.3-1 +- Rebase to libgcrypt 1.10.3 to match Fedora (RHBZ#2268272) +- Add *.pc (pkgconf) files + * Thu Jan 25 2024 Fedora Release Engineering - 1.8.4-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild diff --git a/random.conf b/random.conf deleted file mode 100644 index 6041bcd..0000000 --- a/random.conf +++ /dev/null @@ -1,4 +0,0 @@ -# use only /dev/urandom - see https://www.2uo.de/myths-about-urandom/ -only-urandom -# Keep jitter entropy generator enabled (should do no harm) -#disable-jent diff --git a/sources b/sources index 465ff20..09e5e42 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (libgcrypt-1.8.4-hobbled.tar.xz) = 9f124d84a401f6b63faabe46b983e157573a20064e9652fe47b4d18b58d580eab9458a47eb24694b26e8e8e7e8c82002f354f075a0fc7037e61fb4ab0eafdf19 +SHA512 (libgcrypt-1.10.3.tar.bz2) = 8a8d4c61a6622d8481ceb9edc88ec43f58da32e316f79f8d4775325a48f8936aaa9eb355923b39e2c267b784e9c390600daeb62e0c94f00e30bbadb0d8c0865d +SHA512 (libgcrypt-1.10.3.tar.bz2.sig) = 7b240b40992bbfd117ba6453377c3c8734aa70a43bc4e7d24b412b5f2446b85cd41e70950d2e973cc7e2da1f7669e267e276fd5f603e991b9a04919cb9bedab2 diff --git a/t-mpi-point.c b/t-mpi-point.c deleted file mode 100644 index b12a8ba..0000000 --- a/t-mpi-point.c +++ /dev/null @@ -1,1225 +0,0 @@ -/* t-mpi-point.c - Tests for mpi point functions - * Copyright (C) 2013 g10 Code GmbH - * - * This file is part of Libgcrypt. - * - * Libgcrypt is free software; you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * Libgcrypt is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this program; if not, see . - */ - -#ifdef HAVE_CONFIG_H -# include -#endif -#include -#include -#include -#include -#include - -#define PGM "t-mpi-point" -#include "t-common.h" - -static struct -{ - const char *desc; /* Description of the curve. */ - const char *p; /* Order of the prime field. */ - const char *a, *b; /* The coefficients. */ - const char *n; /* The order of the base point. */ - const char *g_x, *g_y; /* Base point. */ - const char *h; /* Cofactor. */ -} test_curve[] = - { - { - "NIST P-224", - "0xffffffffffffffffffffffffffffffff000000000000000000000001", - "0xfffffffffffffffffffffffffffffffefffffffffffffffffffffffe", - "0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4", - "0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d" , - - "0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", - "0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34", - "0x01" - }, - { - "NIST P-256", - "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff", - "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc", - "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", - "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", - - "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", - "0x01" - }, - { - "NIST P-384", - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" - "ffffffff0000000000000000ffffffff", - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" - "ffffffff0000000000000000fffffffc", - "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a" - "c656398d8a2ed19d2a85c8edd3ec2aef", - "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf" - "581a0db248b0a77aecec196accc52973", - - "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" - "5502f25dbf55296c3a545e3872760ab7", - "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" - "0a60b1ce1d7e819d7a431d7c90ea0e5f", - "0x01" - }, - { - "NIST P-521", - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", - "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10" - "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", - "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", - - "0xc6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3d" - "baa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - "0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e6" - "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", - "0x01" - }, - { - "Ed25519", - "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", - "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC", - "0x52036CEE2B6FFE738CC740797779E89800700A4D4141D8AB75EB4DCA135978A3", - "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", - "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", - "0x6666666666666666666666666666666666666666666666666666666666666658", - "0x08" - }, - { NULL, NULL, NULL, NULL, NULL, NULL } - }; - -/* A sample public key for NIST P-256. */ -static const char sample_p256_q[] = - "04" - "42B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146E" - "E86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E"; -static const char sample_p256_q_x[] = - "42B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146E"; -static const char sample_p256_q_y[] = - "00E86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E"; - - -/* A sample public key for Ed25519. */ -static const char sample_ed25519_q[] = - "04" - "55d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce" - "1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7"; -static const char sample_ed25519_q_x[] = - "55d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce"; -static const char sample_ed25519_q_y[] = - "1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7"; -static const char sample_ed25519_q_eddsa[] = - "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"; -static const char sample_ed25519_d[] = - "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"; - - -static void -print_mpi_2 (const char *text, const char *text2, gcry_mpi_t a) -{ - gcry_error_t err; - char *buf; - void *bufaddr = &buf; - - err = gcry_mpi_aprint (GCRYMPI_FMT_HEX, bufaddr, NULL, a); - if (err) - fprintf (stderr, "%s%s: [error printing number: %s]\n", - text, text2? text2:"", gpg_strerror (err)); - else - { - fprintf (stderr, "%s%s: %s\n", text, text2? text2:"", buf); - gcry_free (buf); - } -} - - -static void -print_mpi (const char *text, gcry_mpi_t a) -{ - print_mpi_2 (text, NULL, a); -} - - -static void -print_point (const char *text, gcry_mpi_point_t a) -{ - gcry_mpi_t x, y, z; - - x = gcry_mpi_new (0); - y = gcry_mpi_new (0); - z = gcry_mpi_new (0); - gcry_mpi_point_get (x, y, z, a); - print_mpi_2 (text, ".x", x); - print_mpi_2 (text, ".y", y); - print_mpi_2 (text, ".z", z); - gcry_mpi_release (x); - gcry_mpi_release (y); - gcry_mpi_release (z); -} - - -static void -print_sexp (const char *prefix, gcry_sexp_t a) -{ - char *buf; - size_t size; - - if (prefix) - fputs (prefix, stderr); - size = gcry_sexp_sprint (a, GCRYSEXP_FMT_ADVANCED, NULL, 0); - buf = gcry_xmalloc (size); - - gcry_sexp_sprint (a, GCRYSEXP_FMT_ADVANCED, buf, size); - fprintf (stderr, "%.*s", (int)size, buf); - gcry_free (buf); -} - - -static gcry_mpi_t -hex2mpi (const char *string) -{ - gpg_error_t err; - gcry_mpi_t val; - - err = gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL); - if (err) - die ("hex2mpi '%s' failed: %s\n", string, gpg_strerror (err)); - return val; -} - - -/* Convert STRING consisting of hex characters into its binary - representation and return it as an allocated buffer. The valid - length of the buffer is returned at R_LENGTH. The string is - delimited by end of string. The function returns NULL on - error. */ -static void * -hex2buffer (const char *string, size_t *r_length) -{ - const char *s; - unsigned char *buffer; - size_t length; - - buffer = xmalloc (strlen(string)/2+1); - length = 0; - for (s=string; *s; s +=2 ) - { - if (!hexdigitp (s) || !hexdigitp (s+1)) - return NULL; /* Invalid hex digits. */ - ((unsigned char*)buffer)[length++] = xtoi_2 (s); - } - *r_length = length; - return buffer; -} - - -static gcry_mpi_t -hex2mpiopa (const char *string) -{ - char *buffer; - size_t buflen; - gcry_mpi_t val; - - buffer = hex2buffer (string, &buflen); - if (!buffer) - die ("hex2mpiopa '%s' failed: parser error\n", string); - val = gcry_mpi_set_opaque (NULL, buffer, buflen*8); - if (!buffer) - die ("hex2mpiopa '%s' failed: set_opaque error\n", string); - return val; -} - - -/* Compare A to B, where B is given as a hex string. */ -static int -cmp_mpihex (gcry_mpi_t a, const char *b) -{ - gcry_mpi_t bval; - int res; - - if (gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE)) - bval = hex2mpiopa (b); - else - bval = hex2mpi (b); - res = gcry_mpi_cmp (a, bval); - gcry_mpi_release (bval); - return res; -} - - -/* Wrapper to emulate the libgcrypt internal EC context allocation - function. */ -static gpg_error_t -ec_p_new (gcry_ctx_t *r_ctx, gcry_mpi_t p, gcry_mpi_t a) -{ - gpg_error_t err; - gcry_sexp_t sexp; - - if (p && a) - err = gcry_sexp_build (&sexp, NULL, "(ecdsa (p %m)(a %m))", p, a); - else if (p) - err = gcry_sexp_build (&sexp, NULL, "(ecdsa (p %m))", p); - else if (a) - err = gcry_sexp_build (&sexp, NULL, "(ecdsa (a %m))", a); - else - err = gcry_sexp_build (&sexp, NULL, "(ecdsa)"); - if (err) - return err; - err = gcry_mpi_ec_new (r_ctx, sexp, NULL); - gcry_sexp_release (sexp); - return err; -} - - - -static void -set_get_point (void) -{ - gcry_mpi_point_t point, point2; - gcry_mpi_t x, y, z; - - wherestr = "set_get_point"; - info ("checking point setting functions\n"); - - point = gcry_mpi_point_new (0); - x = gcry_mpi_set_ui (NULL, 17); - y = gcry_mpi_set_ui (NULL, 42); - z = gcry_mpi_set_ui (NULL, 11371); - gcry_mpi_point_get (x, y, z, point); - if (gcry_mpi_cmp_ui (x, 0) - || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0)) - fail ("new point not initialized to (0,0,0)\n"); - gcry_mpi_point_snatch_get (x, y, z, point); - point = NULL; - if (gcry_mpi_cmp_ui (x, 0) - || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0)) - fail ("snatch_get failed\n"); - gcry_mpi_release (x); - gcry_mpi_release (y); - gcry_mpi_release (z); - - point = gcry_mpi_point_new (0); - x = gcry_mpi_set_ui (NULL, 17); - y = gcry_mpi_set_ui (NULL, 42); - z = gcry_mpi_set_ui (NULL, 11371); - gcry_mpi_point_set (point, x, y, z); - gcry_mpi_set_ui (x, 23); - gcry_mpi_set_ui (y, 24); - gcry_mpi_set_ui (z, 25); - gcry_mpi_point_get (x, y, z, point); - if (gcry_mpi_cmp_ui (x, 17) - || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) - fail ("point_set/point_get failed\n"); - gcry_mpi_point_snatch_set (point, x, y, z); - x = gcry_mpi_new (0); - y = gcry_mpi_new (0); - z = gcry_mpi_new (0); - gcry_mpi_point_get (x, y, z, point); - if (gcry_mpi_cmp_ui (x, 17) - || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) - fail ("point_snatch_set/point_get failed\n"); - - point2 = gcry_mpi_point_copy (point); - - gcry_mpi_point_get (x, y, z, point2); - if (gcry_mpi_cmp_ui (x, 17) - || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) - fail ("point_copy failed (1)\n"); - - gcry_mpi_point_release (point); - - gcry_mpi_point_get (x, y, z, point2); - if (gcry_mpi_cmp_ui (x, 17) - || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) - fail ("point_copy failed (2)\n"); - - gcry_mpi_point_release (point2); - - gcry_mpi_release (x); - gcry_mpi_release (y); - gcry_mpi_release (z); -} - - -static void -context_alloc (void) -{ - gpg_error_t err; - gcry_ctx_t ctx; - gcry_mpi_t p, a; - - wherestr = "context_alloc"; - info ("checking context functions\n"); - - p = gcry_mpi_set_ui (NULL, 1); - a = gcry_mpi_set_ui (NULL, 1); - err = ec_p_new (&ctx, p, a); - if (err) - die ("ec_p_new returned an error: %s\n", gpg_strerror (err)); - gcry_mpi_release (p); - gcry_mpi_release (a); - gcry_ctx_release (ctx); - - p = NULL; - a = gcry_mpi_set_ui (NULL, 0); - - err = ec_p_new (&ctx, p, a); - if (!err || gpg_err_code (err) != GPG_ERR_EINVAL) - fail ("ec_p_new: bad parameter detection failed (1)\n"); - - gcry_mpi_release (a); - a = NULL; - err = ec_p_new (&ctx, p, a); - if (!err || gpg_err_code (err) != GPG_ERR_EINVAL) - fail ("ec_p_new: bad parameter detection failed (2)\n"); - -} - - -static int -get_and_cmp_mpi (const char *name, const char *mpistring, const char *desc, - gcry_ctx_t ctx) -{ - gcry_mpi_t mpi; - - mpi = gcry_mpi_ec_get_mpi (name, ctx, 1); - if (!mpi) - { - fail ("error getting parameter '%s' of curve '%s'\n", name, desc); - return 1; - } - if (debug) - print_mpi (name, mpi); - if (cmp_mpihex (mpi, mpistring)) - { - fail ("parameter '%s' of curve '%s' does not match\n", name, desc); - gcry_mpi_release (mpi); - return 1; - } - gcry_mpi_release (mpi); - return 0; -} - - -static int -get_and_cmp_point (const char *name, - const char *mpi_x_string, const char *mpi_y_string, - const char *desc, gcry_ctx_t ctx) -{ - gcry_mpi_point_t point; - gcry_mpi_t x, y, z; - int result = 0; - - point = gcry_mpi_ec_get_point (name, ctx, 1); - if (!point) - { - fail ("error getting point parameter '%s' of curve '%s'\n", name, desc); - return 1; - } - if (debug) - print_point (name, point); - - x = gcry_mpi_new (0); - y = gcry_mpi_new (0); - z = gcry_mpi_new (0); - gcry_mpi_point_snatch_get (x, y, z, point); - if (cmp_mpihex (x, mpi_x_string)) - { - fail ("x coordinate of '%s' of curve '%s' does not match\n", name, desc); - result = 1; - } - if (cmp_mpihex (y, mpi_y_string)) - { - fail ("y coordinate of '%s' of curve '%s' does not match\n", name, desc); - result = 1; - } - if (cmp_mpihex (z, "01")) - { - fail ("z coordinate of '%s' of curve '%s' is not 1\n", name, desc); - result = 1; - } - gcry_mpi_release (x); - gcry_mpi_release (y); - gcry_mpi_release (z); - return result; -} - - -static void -context_param (void) -{ - gpg_error_t err; - int idx; - gcry_ctx_t ctx = NULL; - gcry_mpi_t q, d; - gcry_sexp_t keyparam; - - wherestr = "context_param"; - - info ("checking standard curves\n"); - for (idx=0; test_curve[idx].desc; idx++) - { - /* P-192 and Ed25519 are not supported in fips mode */ - if (gcry_fips_mode_active()) - { - if (!strcmp(test_curve[idx].desc, "NIST P-192") - || !strcmp(test_curve[idx].desc, "Ed25519")) - { - info ("skipping %s in fips mode\n", test_curve[idx].desc ); - continue; - } - } - - gcry_ctx_release (ctx); - err = gcry_mpi_ec_new (&ctx, NULL, test_curve[idx].desc); - if (err) - { - fail ("can't create context for curve '%s': %s\n", - test_curve[idx].desc, gpg_strerror (err)); - continue; - } - if (get_and_cmp_mpi ("p", test_curve[idx].p, test_curve[idx].desc, ctx)) - continue; - if (get_and_cmp_mpi ("a", test_curve[idx].a, test_curve[idx].desc, ctx)) - continue; - if (get_and_cmp_mpi ("b", test_curve[idx].b, test_curve[idx].desc, ctx)) - continue; - if (get_and_cmp_mpi ("g.x",test_curve[idx].g_x, test_curve[idx].desc,ctx)) - continue; - if (get_and_cmp_mpi ("g.y",test_curve[idx].g_y, test_curve[idx].desc,ctx)) - continue; - if (get_and_cmp_mpi ("n", test_curve[idx].n, test_curve[idx].desc, ctx)) - continue; - if (get_and_cmp_point ("g", test_curve[idx].g_x, test_curve[idx].g_y, - test_curve[idx].desc, ctx)) - continue; - if (get_and_cmp_mpi ("h", test_curve[idx].h, test_curve[idx].desc, ctx)) - continue; - - } - - info ("checking sample public key (nistp256)\n"); - q = hex2mpi (sample_p256_q); - err = gcry_sexp_build (&keyparam, NULL, - "(public-key(ecc(curve %s)(q %m)))", - "NIST P-256", q); - if (err) - die ("gcry_sexp_build failed: %s\n", gpg_strerror (err)); - gcry_mpi_release (q); - - /* We can't call gcry_pk_testkey because it is only implemented for - private keys. */ - /* err = gcry_pk_testkey (keyparam); */ - /* if (err) */ - /* fail ("gcry_pk_testkey failed for sample public key: %s\n", */ - /* gpg_strerror (err)); */ - - gcry_ctx_release (ctx); - err = gcry_mpi_ec_new (&ctx, keyparam, NULL); - if (err) - fail ("gcry_mpi_ec_new failed for sample public key (nistp256): %s\n", - gpg_strerror (err)); - else - { - gcry_sexp_t sexp; - - get_and_cmp_mpi ("q", sample_p256_q, "nistp256", ctx); - get_and_cmp_point ("q", sample_p256_q_x, sample_p256_q_y, "nistp256", - ctx); - - /* Delete Q. */ - err = gcry_mpi_ec_set_mpi ("q", NULL, ctx); - if (err) - fail ("clearing Q for nistp256 failed: %s\n", gpg_strerror (err)); - if (gcry_mpi_ec_get_mpi ("q", ctx, 0)) - fail ("clearing Q for nistp256 did not work\n"); - - /* Set Q again. */ - q = hex2mpi (sample_p256_q); - err = gcry_mpi_ec_set_mpi ("q", q, ctx); - if (err) - fail ("setting Q for nistp256 failed: %s\n", gpg_strerror (err)); - get_and_cmp_mpi ("q", sample_p256_q, "nistp256(2)", ctx); - gcry_mpi_release (q); - - /* Get as s-expression. */ - err = gcry_pubkey_get_sexp (&sexp, 0, ctx); - if (err) - fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err)); - else if (debug) - print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp); - gcry_sexp_release (sexp); - - err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx); - if (err) - fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n", - gpg_strerror (err)); - else if (debug) - print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp); - gcry_sexp_release (sexp); - - err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx); - if (gpg_err_code (err) != GPG_ERR_NO_SECKEY) - fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n", - gpg_strerror (err)); - gcry_sexp_release (sexp); - } - - /* Skipping Ed25519 if in FIPS mode (it isn't supported) */ - if (gcry_fips_mode_active()) - goto cleanup; - - info ("checking sample public key (Ed25519)\n"); - q = hex2mpi (sample_ed25519_q); - gcry_sexp_release (keyparam); - err = gcry_sexp_build (&keyparam, NULL, - "(public-key(ecc(curve %s)(flags eddsa)(q %m)))", - "Ed25519", q); - if (err) - die ("gcry_sexp_build failed: %s\n", gpg_strerror (err)); - gcry_mpi_release (q); - - /* We can't call gcry_pk_testkey because it is only implemented for - private keys. */ - /* err = gcry_pk_testkey (keyparam); */ - /* if (err) */ - /* fail ("gcry_pk_testkey failed for sample public key: %s\n", */ - /* gpg_strerror (err)); */ - - gcry_ctx_release (ctx); - err = gcry_mpi_ec_new (&ctx, keyparam, NULL); - if (err) - fail ("gcry_mpi_ec_new failed for sample public key: %s\n", - gpg_strerror (err)); - else - { - gcry_sexp_t sexp; - - get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519", ctx); - get_and_cmp_point ("q", sample_ed25519_q_x, sample_ed25519_q_y, - "Ed25519", ctx); - get_and_cmp_mpi ("q@eddsa", sample_ed25519_q_eddsa, "Ed25519", ctx); - - /* Set d to see whether Q is correctly re-computed. */ - d = hex2mpi (sample_ed25519_d); - err = gcry_mpi_ec_set_mpi ("d", d, ctx); - if (err) - fail ("setting d for Ed25519 failed: %s\n", gpg_strerror (err)); - gcry_mpi_release (d); - get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519(recompute Q)", ctx); - - /* Delete Q by setting d and then clearing d. The clearing is - required so that we can check whether Q has been cleared and - because further tests only expect a public key. */ - d = hex2mpi (sample_ed25519_d); - err = gcry_mpi_ec_set_mpi ("d", d, ctx); - if (err) - fail ("setting d for Ed25519 failed: %s\n", gpg_strerror (err)); - gcry_mpi_release (d); - err = gcry_mpi_ec_set_mpi ("d", NULL, ctx); - if (err) - fail ("setting d for Ed25519 failed(2): %s\n", gpg_strerror (err)); - if (gcry_mpi_ec_get_mpi ("q", ctx, 0)) - fail ("setting d for Ed25519 did not reset Q\n"); - - /* Set Q again. We need to use an opaque MPI here because - sample_ed25519_q is in uncompressed format which can only be - auto-detected if passed opaque. */ - q = hex2mpiopa (sample_ed25519_q); - err = gcry_mpi_ec_set_mpi ("q", q, ctx); - if (err) - fail ("setting Q for Ed25519 failed: %s\n", gpg_strerror (err)); - gcry_mpi_release (q); - get_and_cmp_mpi ("q", sample_ed25519_q, "Ed25519(2)", ctx); - - /* Get as s-expression. */ - err = gcry_pubkey_get_sexp (&sexp, 0, ctx); - if (err) - fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err)); - else if (debug) - print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp); - gcry_sexp_release (sexp); - - err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx); - if (err) - fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n", - gpg_strerror (err)); - else if (debug) - print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp); - gcry_sexp_release (sexp); - - err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx); - if (gpg_err_code (err) != GPG_ERR_NO_SECKEY) - fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n", - gpg_strerror (err)); - gcry_sexp_release (sexp); - - } - - cleanup: - gcry_ctx_release (ctx); - gcry_sexp_release (keyparam); -} - - - - -/* Create a new point from (X,Y,Z) given as hex strings. */ -gcry_mpi_point_t -make_point (const char *x, const char *y, const char *z) -{ - gcry_mpi_point_t point; - - point = gcry_mpi_point_new (0); - gcry_mpi_point_snatch_set (point, hex2mpi (x), hex2mpi (y), hex2mpi (z)); - - return point; -} - - -/* This tests checks that the low-level EC API yields the same result - as using the high level API. The values have been taken from a - test run using the high level API. */ -static void -basic_ec_math (void) -{ - gpg_error_t err; - gcry_ctx_t ctx; - gcry_mpi_t P, A; - gcry_mpi_point_t G, Q; - gcry_mpi_t d; - gcry_mpi_t x, y, z; - - wherestr = "basic_ec_math"; - info ("checking basic math functions for EC\n"); - - P = hex2mpi ("0xfffffffffffffffffffffffffffffffeffffffffffffffff"); - A = hex2mpi ("0xfffffffffffffffffffffffffffffffefffffffffffffffc"); - G = make_point ("188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", - "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811", - "1"); - d = hex2mpi ("D4EF27E32F8AD8E2A1C6DDEBB1D235A69E3CEF9BCE90273D"); - Q = gcry_mpi_point_new (0); - - err = ec_p_new (&ctx, P, A); - if (err) - die ("ec_p_new failed: %s\n", gpg_strerror (err)); - - x = gcry_mpi_new (0); - y = gcry_mpi_new (0); - z = gcry_mpi_new (0); - - { - /* A quick check that multiply by zero works. */ - gcry_mpi_t tmp; - - tmp = gcry_mpi_new (0); - gcry_mpi_ec_mul (Q, tmp, G, ctx); - gcry_mpi_release (tmp); - gcry_mpi_point_get (x, y, z, Q); - if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 0) - || gcry_mpi_cmp_ui (z, 0)) - fail ("multiply a point by zero failed\n"); - } - - gcry_mpi_ec_mul (Q, d, G, ctx); - gcry_mpi_point_get (x, y, z, Q); - if (cmp_mpihex (x, "222D9EC717C89D047E0898C9185B033CD11C0A981EE6DC66") - || cmp_mpihex (y, "605DE0A82D70D3E0F84A127D0739ED33D657DF0D054BFDE8") - || cmp_mpihex (z, "00B06B519071BC536999AC8F2D3934B3C1FC9EACCD0A31F88F")) - fail ("computed public key does not match\n"); - if (debug) - { - print_mpi ("Q.x", x); - print_mpi ("Q.y", y); - print_mpi ("Q.z", z); - } - - if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) - fail ("failed to get affine coordinates\n"); - if (cmp_mpihex (x, "008532093BA023F4D55C0424FA3AF9367E05F309DC34CDC3FE") - || cmp_mpihex (y, "00C13CA9E617C6C8487BFF6A726E3C4F277913D97117939966")) - fail ("computed affine coordinates of public key do not match\n"); - if (debug) - { - print_mpi ("q.x", x); - print_mpi ("q.y", y); - } - - gcry_mpi_release (z); - gcry_mpi_release (y); - gcry_mpi_release (x); - gcry_mpi_point_release (Q); - gcry_mpi_release (d); - gcry_mpi_point_release (G); - gcry_mpi_release (A); - gcry_mpi_release (P); - gcry_ctx_release (ctx); -} - - -/* This is the same as basic_ec_math but uses more advanced - features. */ -static void -basic_ec_math_simplified (void) -{ -} - - -/* Check the math used with Twisted Edwards curves. */ -static void -twistededwards_math (void) -{ - gpg_error_t err; - gcry_ctx_t ctx; - gcry_mpi_point_t G, Q; - gcry_mpi_t k; - gcry_mpi_t w, a, x, y, z, p, n, b, I; - - wherestr = "twistededwards_math"; - info ("checking basic Twisted Edwards math\n"); - - err = gcry_mpi_ec_new (&ctx, NULL, "Ed25519"); - if (err) - die ("gcry_mpi_ec_new failed: %s\n", gpg_strerror (err)); - - k = hex2mpi - ("2D3501E723239632802454EE5DDC406EFB0BDF18486A5BDE9C0390A9C2984004" - "F47252B628C953625B8DEB5DBCB8DA97AA43A1892D11FA83596F42E0D89CB1B6"); - G = gcry_mpi_ec_get_point ("g", ctx, 1); - if (!G) - die ("gcry_mpi_ec_get_point(G) failed\n"); - Q = gcry_mpi_point_new (0); - - - w = gcry_mpi_new (0); - a = gcry_mpi_new (0); - x = gcry_mpi_new (0); - y = gcry_mpi_new (0); - z = gcry_mpi_new (0); - I = gcry_mpi_new (0); - p = gcry_mpi_ec_get_mpi ("p", ctx, 1); - n = gcry_mpi_ec_get_mpi ("n", ctx, 1); - b = gcry_mpi_ec_get_mpi ("b", ctx, 1); - - /* Check: 2^{p-1} mod p == 1 */ - gcry_mpi_sub_ui (a, p, 1); - gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, p); - if (gcry_mpi_cmp_ui (w, 1)) - fail ("failed assertion: 2^{p-1} mod p == 1\n"); - - /* Check: p % 4 == 1 */ - gcry_mpi_mod (w, p, GCRYMPI_CONST_FOUR); - if (gcry_mpi_cmp_ui (w, 1)) - fail ("failed assertion: p %% 4 == 1\n"); - - /* Check: 2^{n-1} mod n == 1 */ - gcry_mpi_sub_ui (a, n, 1); - gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, n); - if (gcry_mpi_cmp_ui (w, 1)) - fail ("failed assertion: 2^{n-1} mod n == 1\n"); - - /* Check: b^{(p-1)/2} mod p == p-1 */ - gcry_mpi_sub_ui (a, p, 1); - gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_TWO, -1); - gcry_mpi_powm (w, b, x, p); - gcry_mpi_abs (w); - if (gcry_mpi_cmp (w, a)) - fail ("failed assertion: b^{(p-1)/2} mod p == p-1\n"); - - /* I := 2^{(p-1)/4} mod p */ - gcry_mpi_sub_ui (a, p, 1); - gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_FOUR, -1); - gcry_mpi_powm (I, GCRYMPI_CONST_TWO, x, p); - - /* Check: I^2 mod p == p-1 */ - gcry_mpi_powm (w, I, GCRYMPI_CONST_TWO, p); - if (gcry_mpi_cmp (w, a)) - fail ("failed assertion: I^2 mod p == p-1\n"); - - /* Check: G is on the curve */ - if (!gcry_mpi_ec_curve_point (G, ctx)) - fail ("failed assertion: G is on the curve\n"); - - /* Check: nG == (0,1) */ - gcry_mpi_ec_mul (Q, n, G, ctx); - if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) - fail ("failed to get affine coordinates\n"); - if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 1)) - fail ("failed assertion: nG == (0,1)\n"); - - /* Now two arbitrary point operations taken from the ed25519.py - sample data. */ - gcry_mpi_release (a); - a = hex2mpi - ("4f71d012df3c371af3ea4dc38385ca5bb7272f90cb1b008b3ed601c76de1d496" - "e30cbf625f0a756a678d8f256d5325595cccc83466f36db18f0178eb9925edd3"); - gcry_mpi_ec_mul (Q, a, G, ctx); - if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) - fail ("failed to get affine coordinates\n"); - if (cmp_mpihex (x, ("157f7361c577aad36f67ed33e38dc7be" - "00014fecc2165ca5cee9eee19fe4d2c1")) - || cmp_mpihex (y, ("5a69dbeb232276b38f3f5016547bb2a2" - "4025645f0b820e72b8cad4f0a909a092"))) - { - fail ("sample point multiply failed:\n"); - print_mpi ("r", a); - print_mpi ("Rx", x); - print_mpi ("Ry", y); - } - - gcry_mpi_release (a); - a = hex2mpi - ("2d3501e723239632802454ee5ddc406efb0bdf18486a5bde9c0390a9c2984004" - "f47252b628c953625b8deb5dbcb8da97aa43a1892d11fa83596f42e0d89cb1b6"); - gcry_mpi_ec_mul (Q, a, G, ctx); - if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) - fail ("failed to get affine coordinates\n"); - if (cmp_mpihex (x, ("6218e309d40065fcc338b3127f468371" - "82324bd01ce6f3cf81ab44e62959c82a")) - || cmp_mpihex (y, ("5501492265e073d874d9e5b81e7f8784" - "8a826e80cce2869072ac60c3004356e5"))) - { - fail ("sample point multiply failed:\n"); - print_mpi ("r", a); - print_mpi ("Rx", x); - print_mpi ("Ry", y); - } - - - gcry_mpi_release (I); - gcry_mpi_release (b); - gcry_mpi_release (n); - gcry_mpi_release (p); - gcry_mpi_release (w); - gcry_mpi_release (a); - gcry_mpi_release (x); - gcry_mpi_release (y); - gcry_mpi_release (z); - gcry_mpi_point_release (Q); - gcry_mpi_point_release (G); - gcry_mpi_release (k); - gcry_ctx_release (ctx); -} - - -/* Check the point on curve function. */ -static void -point_on_curve (void) -{ - static struct { - const char *curve; - int oncurve; /* Point below is on the curve. */ - const char *qx; - const char *qy; - } t[] = { - { - "NIST P-256", 0, - "015B4F6775D68D4D2E2192C6B8027FC5A3D49957E453CB251155AA3FF5D3EC9974", - "4BC4C87B57A25E1056831208AB5B8F091142F891E9FF19F1E090B030DF1087B3" - }, { - "NIST P-256", 0, - "D22C316E7EBE7B293BD66808E000806F0754398A5D72A4F9BBC21C26EAC0A651", - "3C8DB80CC3CDE5E530D040536E6A58AAB41C33FA70B30896943513FF3690132D" - }, { - "NIST P-256", 0, - "0130F7E7BC52854CA493A0DE87DC4AB3B4343758F2B634F15B10D70DBC0A5A5291", - "86F9CA73C25CE86D54CB21C181AECBB52A5971334FF5040F76CAE9845ED46023" - }, { - "NIST P-256", 1, - "14957B602C7849F28858C7407696F014BC091D6D68C449560B7A38147D6E6A9B", - "A8E09EFEECFE00C797A0848F38B61992D30C61FAB13021E88C8BD3545B3A6C63" - }, { - "NIST P-256", 0, - "923DE4957241DD97780841C76294DB0D4F5DC04C3045081174764D2D32AD2D53", - "01B4B1A2027C02F0F520A3B01E4CE3C668BF481346A74499C5D1044A53E210B600" - }, { - "NIST P-256", 1, - "9021DFAB8B4DAEAADA634AAA26D6E5FFDF8C0476FF5CA31606C870A1B933FB36", - "9AFC65EEB24E46C7B75712EF29A981CB09FAC56E2B81D3ED024748CCAB1CB77E" - }, { - "NIST P-256", 0, - "011529F0B26DE5E0EB2DA4BFB6C149C802CB52EE479DD666553286928A4005E990", - "0EBC63DB2104884456DC0AA81A3F4E99D93B7AE2CD4B1489655EA9BE6289CF9E" - }, { - "NIST P-256", 1, - "216EC5DE8CA989199D31F0DFCD381DCC9270A0785365EC3E34CA347C070A87BE", - "87A88897BA763509ECC1DBE28D9D37F6F4E70E3B99B1CD3C0B934D4190968A6D" - }, { - "NIST P-256", 1, - "7ABAA44ACBC6016FDB52A6F45F6178E65CBFC35F9920D99149CA9999612CE945", - "88F7684BDCDA31EAFB6CAD859F8AB29B5D921D7DB2B34DF7E40CE36235F45B63" - }, { - "NIST P-256", 0, - "E765B4272D211DD0064189B55421FB76BB3A7756364A6CB1627FAED848157A84", - "C13171CFFB243E06B203F0996BBDD16F52292AD11F2DA81106E9C2FD87F4FA0F" - }, { - "NIST P-256", 0, - "EE4999DFC3A1871EE7A592BE26A09BEC9D9B561613EE9EFB6ED42F17985C9CDC", - "8399E967338A7A618336AF70DA67D9CAC1C19267809652F5C5183C8B129E0902" - }, { - "NIST P-256", 0, - "F755D0CF2642A2C7FBACCC8E9E442B8B047A99C6E052B2FA5AB0544B36B4D51C", - "AA080F17657B6565D9A4D94BD260B54D92FEE8DC4A78C4FC9C19209933AF39B0" - } , { - "NIST P-384", 0, - "CBFC7DBEBF15BEAD682549757F9BBA0E3F67669DF13FCE0EBE8024B725B38B00" - "83EC46A8F2FF3203C5C7F8C7E722A5EF", - "0548FE281BEAB18FD1AB86F59B0CA524479A4A81373C83B78AFFD801FAC75922" - "96470753DCF46173C9AA4A8A4C2FBE51" - }, { - "NIST P-384", 0, - "1DC8E054A883DB81EAEDE6C487B26816C927B8196780525A6CA8F675D2557752" - "02CE06CCBE705EA8A38AA2894D4BEEE6", - "010191050E867AFAA96A199FE9C591CF8B853D81486786DA889124881FB39D2F" - "8E0875F4C4BB1E3D0F8535C7A52306FB82" - }, { - "NIST P-384", 1, - "2539FC368CE1D5E464B6C0FBB12D557B712327DB086975255AD7D17F7E7E4F23" - "D719ED4116E2CC907AEB92CF22331A60", - "8843FDBA742CB64323E49CEBE8DD74908CFC9C3AA0015662DFBB7219E92CF32E" - "9FC63F61EF19DE9B3CEA98D163ABF254" - }, { - "NIST P-384", 0, - "0B786DACF400D43575394349EDD9F9CD145FC7EF737A3C5F69B253BE7639DB24" - "EC2F0CA62FF1F90B6515DE356EC2A404", - "225D6B2939CC7F7133F43353946A682C68DAC6BB75EE9CF6BD9A1609FA915692" - "72F4D3A87E88529754E109BB9B61B03B" - }, { - "NIST P-384", 0, - "76C660C9F58CF2051F9F8B06049694AB6FE418009DE6F0A0833BC690CEC06CC2" - "9A440AD51C94CF5BC28817C8C6E2D302", - "012974E5D9E55304ED294AB6C7A3C65B663E67ABC5E6F6C0F6498B519F2F6CA1" - "8306976291F3ADC0B5ABA42DED376EA9A5" - }, { - "NIST P-384", 0, - "23D758B1EDB8E12E9E707C53C131A19D9464B20EE05C99766F5ABDF9F906AD03" - "B958BF28B022E54E320672C4BAD4EEC0", - "01E9E72870C88F4C82A5AB3CC8A3398E8F006BF3EC05FFBB1EFF8AEE88020FEA" - "9E558E9F58ED1D324C9DCBCB4E8F2A5970" - }, { - "NIST P-384", 0, - "D062B96D5A10F715ACF361F99262ABF0F7693A8BB60ECB1DF459CF95750E4293" - "18BCB9FC60499D009F949298F3F9F47B", - "9089C6328E4B39A73D7EE6FAE1A77E48CE354B83BBCE432082C32C8FD6784B86" - "CFE9C552E2E720F5DA5806503D3784CD" - }, { - "NIST P-384", 0, - "2A951D4D6EB35C43D94866280D37365B82441BC84D62CBFF3365CAB1FD0A3E20" - "823CA8F84D2BBF4EA687885437DE7839", - "01CC7D762AFE613F7B5568BC516568A421159C40599E8D52DE10E8F9488931E1" - "69F3656C322DE45C4A70DC6DB9A661E599" - }, { - "NIST P-384", 1, - "A4BAEE6CDAF3AEB69032B3FBA811707C54F5753670DA5173D891547E8CBAEEF3" - "89B92C9A55573A596123415FBFA26991", - "3241EA716583C11C71BB30AF6C5E3A6637956F17ADBBE641BAB52E8539F9FC7B" - "F3B04F46DBFFE08151E0F0950CC70081" - }, { - "NIST P-384", 0, - "5C0E18B0DE3261BCBCFC7B702C2D75CF481336BFBADF420BADC616235C1966AB" - "4C0F876575DDEC1BDB3F3F04061C9AE4", - "E90C78550D1C922F1D8161D8C9C0576E29BD09CA665376FA887D13FA8DF48352" - "D7BBEEFB803F6CC8FC7895E47F348D33" - }, { - "NIST P-384", 1, - "2015864CD50F0A1A50E6401F44191665C19E4AD4B4903EA9EB464E95D1070E36" - "F1D8325E45734D5A0FDD103F4DF6F83E", - "5FB3E9A5C59DD5C5262A8176CB7032A00AE33AED08485884A3E5D68D9EEB990B" - "F26E8D87EC175577E782AD51A6A12C02" - }, { - "NIST P-384", 1, - "56EBF5310EEF5A5D8D001F570A18625383ECD4882B3FC738A69874E7C9D8F89C" - "187BECA23369DFD6C15CC0DA0629958F", - "C1230B349FB662CB762563DB8F9FCB32D5CCA16120681C474D67D279CCA6F6DB" - "73DE6AA96140B5C457B7486E06D318CE" - }, { - "NIST P-521", 0, - "01E4D82EE5CD6DA37080252295EFA273BBBA6952012D0120EAF131E73F1E5024" - "36E3324624471040030E1C345D65490ECEE9B64E03B15B6C7EB69A39C618BAFEED70", - "03EE3A3C88A6933B7B16016BE4CC4E3BF5EA0625CB3DB2604CDCBBD02CABBC90" - "8904D9DB42998F6C5101D4D4318ACFC9643C9CD641F636D1810ED86F1840EA74F3C0" - }, { - "NIST P-521", 0, - "01F3DFCB5433387B6B2E3F74177F4F3D7300F05E1AD49DE112630E27B1C8A437" - "1E742CB020E0039B5477FC897D17332034F9660B3066764EFF5FB440EB8856E782E3", - "02D337616C9D202DC5E290C486F5855CBD6A8470AE62CA96245834CF49257D8D" - "96D4041B15007650DEE668C00DDBF749054256C571F60980AC74D0DBCA7FB96C2F48" - }, { - "NIST P-521", 1, - "822A846606DC9E96452CAC373567A8B57D9ACA15B177F75DD7EF10C635F52CE4" - "EF6ABEEDB90D3F48F50A0C9015A95C955A25C45DE8413DE3BF899B6B1E62CF7CB8", - "0102771B5F3EC8C36838CEC04DCBC28AD1E38C37DAB0EA89B5EE92D21F7A35CE" - "ABC8B155EDC70154D6DFA2E77EC1D8C4A3406A6BD0ECF8F1EE2AC33A02464CB70C97" - }, { - "NIST P-521", 0, - "F733D48467912D1FFE46CF442F27FDD218D190E7B8A829D822DA3B6BAF9B987E" - "5B4BCCE34499248F59EEAF74F63ED15FF73F243C6FC3FD5E5842F6A3BA34C2022D", - "0281AAAD1B7EEBABEB6EC67932CB7E95717AFA3B4CF7A2DB151CD537C419C3A5" - "156ED9160758190B47696CDC15E81BBAD12975283907A571604DB23F702AEA4B38FF" - }, { - "NIST P-521", 0, - "03B1B274175AAEB5907152E5114CCAEADA28A7ADD4A2B1831C3D8302E8596489" - "E2C98B9B8D0CAE98C03BB11E28CE66D4736449758AF58BAFE40EF5A5FA22C9A43117", - "94C5951F81D544E959EDFC5DC1D5F42FE427871D4FB91A43A0B4A6BEA6B35B9E" - "BC5FB444C70BE4FD47B4ED16704F8C86EF019FC47C7FF2271F8B0DDEA9E2D3BCDD" - }, { - "NIST P-521", 1, - "F2248C318055DE37CD706D4FCAF7E7D96737A4A7B6B8067A66DCD58B6B8DFC55" - "90ECE67F6AA67F9C51B57E7B023075F2F42909BF47361CB6881C10F55FB7215B56", - "0162F735CE6A2ADA54CAF96A12D6888C02DE0A74638CF34CE39DABBACA4D651B" - "7E6ED1A65B551B36BAE7BE474BB6E6905ED0E33C7BA2021885027C7C6E40C5613004" - }, { - "NIST P-521", 0, - "9F08E97FEADCF0A391CA1EA4D97B5FE62D3B164593E12027EB967BD6E1FA841A" - "9831158DF164BCAD0BF3ADA96127745E25F349BDDD52EEA1654892B35960C9C023", - "AE2A25F5440F258AFACA6925C4C9F7AEAD3CB67153C4FACB31AC33F58B43A78C" - "B14F682FF726CEE2A6B6F6B481AEEB29A9B3150F02D1CFB764672BA8294C477291" - }, { - "NIST P-521", 0, - "01047B52014748C904980716953206A93F0D01B34CA94A997407FA93FE304F86" - "17BB6E402B2BB8B434C2671ECE953ABE7BADB75713CD9DF950943A33A9A19ACCDABE", - "7433533F098037DEA616337986887D01C5CC8DEC3DC1FDB9CDF7287EF27CC125" - "54FCF3A5E212DF9DAD9F8A3A7173B23FC6E15930704F3AEE1B074BDDB0ED6823E4" - }, { - "NIST P-521", 0, - "01C2A9EBF51592FE6589F618EAADA1697D9B2EC7CE5D48C9E80FC597642B23F1" - "F0EBE953449762BD3F094F57791D9850AFE98BBDA9872BE399B7BDD617860076BB03", - "0B822E27692F63DB8E12C59BB3CCA172B9BBF613CAE5F9D1474186E45E8B26FF" - "962084E1C6BE74821EDBB60941A3B75516F603719563433383812BFEA89EC14B89" - }, { - "NIST P-521", 0, - "99390F342C3F0D46E80C5B65C61E8AA8ACA0B6D4E1352404586364A05D8398E9" - "2BC71A644E8663F0A9B87D0B3ACAEE32F2AB9B321317AD23059D045EBAB91C5D93", - "82FCF93AE4467EB57766F2B150E736636727E7282500CD482DA70D153D195F2B" - "DF9B96D689A0DC1BB9137B41557A33F202F1B71840544CBEFF03072E77E4BB6F0B" - }, { - "NIST P-521", 1, - "018E48E80594FF5496D8CC7DF8A19D6AA18805A4EF4490038AED6A1E9AA18056" - "D0244A97DCF6D132C6804E3F4F369922119544B4C057D783C848FB798B48730A382C", - "01AF510B4F5E1C40BC9C110216D35E7C6D7A2BEE52914FC98258676288449901" - "F27A07EE91DF2D5D79259712906C3E18A990CBF35BCAC41A952820CE2BA8D0220080" - }, { - "NIST P-521", 1, - "ADCEF3539B4BC831DC0AFD173137A4426152058AFBAE06A17FCB89F4DB6E48B5" - "335CB88F8E4DB475A1E390E5656072F06605BFB84CBF9795B7992ECA04A8E10CA1", - "01BCB985AFD6404B9EDA49B6190AAA346BF7D5909CA440C0F7E505C62FAC8635" - "31D3EB7B2AC4DD4F4404E4B12E9D6D3C596179587F3724B1EFFF684CFDB4B21826B9" - } - }; - gpg_error_t err; - int tidx; - const char *lastcurve = NULL; - gcry_ctx_t ctx = NULL; - gcry_mpi_t qx = NULL; - gcry_mpi_t qy = NULL; - gcry_mpi_point_t Q; - int oncurve; - - wherestr = "point_on_curve"; - for (tidx=0; tidx < DIM (t); tidx++) - { - if (!t[tidx].curve) - { - if (!lastcurve || !ctx) - die ("invalid test vectors at idx %d\n", tidx); - } - else if (!ctx || !lastcurve || strcmp (t[tidx].curve, lastcurve)) - { - lastcurve = t[tidx].curve; - gcry_ctx_release (ctx); - err = gcry_mpi_ec_new (&ctx, NULL, lastcurve); - if (err) - die ("error creating context for curve %s at idx %d: %s\n", - lastcurve, tidx, gpg_strerror (err)); - - info ("checking points on curve %s\n", lastcurve); - } - - gcry_mpi_release (qx); - gcry_mpi_release (qy); - qx = hex2mpi (t[tidx].qx); - qy = hex2mpi (t[tidx].qy); - - Q = gcry_mpi_point_set (NULL, qx, qy, GCRYMPI_CONST_ONE); - if (!Q) - die ("gcry_mpi_point_set(Q) failed at idx %d\n", tidx); - - oncurve = gcry_mpi_ec_curve_point (Q, ctx); - - if (t[tidx].oncurve && !oncurve) - { - fail ("point expected on curve but not identified as such (i=%d):\n", - tidx); - print_point (" Q", Q); - } - else if (!t[tidx].oncurve && oncurve) - { - fail ("point not expected on curve but identified as such (i=%d):\n", - tidx); - print_point (" Q", Q); - } - gcry_mpi_point_release (Q); - } - - gcry_mpi_release (qx); - gcry_mpi_release (qy); - gcry_ctx_release (ctx); -} - - -int -main (int argc, char **argv) -{ - - if (argc > 1 && !strcmp (argv[1], "--verbose")) - verbose = 1; - else if (argc > 1 && !strcmp (argv[1], "--debug")) - verbose = debug = 1; - - if (!gcry_check_version (GCRYPT_VERSION)) - die ("version mismatch\n"); - - xgcry_control (GCRYCTL_DISABLE_SECMEM, 0); - xgcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); - if (debug) - xgcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0); - xgcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); - - set_get_point (); - context_alloc (); - context_param (); - basic_ec_math (); - point_on_curve (); - - /* The tests are for P-192 and ed25519 which are not supported in - FIPS mode. */ - if (!gcry_fips_mode_active()) - { - basic_ec_math_simplified (); - twistededwards_math (); - } - - info ("All tests completed. Errors: %d\n", error_count); - return error_count ? 1 : 0; -}