diff --git a/.gitignore b/.gitignore index 870812f..1bb23eb 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,5 @@ libgcrypt-1.4.5-hobbled.tar.bz2 /libgcrypt-1.9.2-hobbled.tar.xz /libgcrypt-1.9.3-hobbled.tar.xz /libgcrypt-1.9.4-hobbled.tar.xz +/libgcrypt-1.10.0.tar.bz2 +/libgcrypt-1.10.0.tar.bz2.sig diff --git a/curves.c b/curves.c deleted file mode 100644 index 1b190d1..0000000 --- a/curves.c +++ /dev/null @@ -1,271 +0,0 @@ -/* curves.c - ECC curves regression tests - * Copyright (C) 2011 Free Software Foundation, Inc. - * - * This file is part of Libgcrypt. - * - * Libgcrypt is free software; you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * Libgcrypt is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA - */ - -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include - -#include "../src/gcrypt-int.h" - - -#define PGM "curves" -#include "t-common.h" - -/* Number of curves defined in ../cipger/ecc-curves.c */ -#define N_CURVES 20 - -/* A real world sample public key. */ -static char const sample_key_1[] = -"(public-key\n" -" (ecdsa\n" -" (p #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF#)\n" -" (a #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC#)\n" -" (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)\n" -" (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296" - "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)\n" -" (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)\n" -" (h #000000000000000000000000000000000000000000000000000000000000000001#)\n" -" (q #0442B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146EE" - "86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E#)\n" -" ))"; -static char const sample_key_1_curve[] = "NIST P-256"; -static unsigned int sample_key_1_nbits = 256; - -static void -list_curves (void) -{ - int idx; - const char *name; - unsigned int nbits; - - for (idx=0; (name = gcry_pk_get_curve (NULL, idx, &nbits)); idx++) - { - if (verbose) - printf ("%s - %u bits\n", name, nbits); - } - if (idx != N_CURVES) - fail ("expected %d curves but got %d\n", N_CURVES, idx); - if (gcry_pk_get_curve (NULL, -1, NULL)) - fail ("curve iteration failed\n"); -} - - -static void -check_matching (void) -{ - gpg_error_t err; - gcry_sexp_t key; - const char *name; - unsigned int nbits; - - err = gcry_sexp_new (&key, sample_key_1, 0, 1); - if (err) - die ("parsing s-expression string failed: %s\n", gpg_strerror (err)); - name = gcry_pk_get_curve (key, 0, &nbits); - if (!name) - fail ("curve name not found for sample_key_1\n"); - else if (strcmp (name, sample_key_1_curve)) - fail ("expected curve name %s but got %s for sample_key_1\n", - sample_key_1_curve, name); - else if (nbits != sample_key_1_nbits) - fail ("expected curve size %u but got %u for sample_key_1\n", - sample_key_1_nbits, nbits); - - gcry_sexp_release (key); -} - - -static void -check_get_params (void) -{ - static struct { - int algo; - const char *name; - int error_expected; - } tv[] = - { - { GCRY_PK_ECC, "Ed25519" }, - { GCRY_PK_ECC, "1.3.6.1.4.1.11591.15.1" }, - { GCRY_PK_ECC, "1.3.101.112" }, - - { GCRY_PK_ECC, "Curve25519" }, - { GCRY_PK_ECC, "1.3.6.1.4.1.3029.1.5.1" }, - { GCRY_PK_ECC, "1.3.101.110" }, - { GCRY_PK_ECC, "X25519" }, - - { GCRY_PK_ECC, "Ed448" }, - { GCRY_PK_ECC, "X448" }, - { GCRY_PK_ECC, "1.3.101.113" }, - { GCRY_PK_ECC, "1.3.101.111" }, - - { GCRY_PK_ECC, "NIST P-192" }, - { GCRY_PK_ECC, "1.2.840.10045.3.1.1" }, - { GCRY_PK_ECC, "prime192v1" }, - { GCRY_PK_ECC, "secp192r1" }, - { GCRY_PK_ECC, "nistp192" }, - - { GCRY_PK_ECC, "NIST P-224" }, - { GCRY_PK_ECC, "secp224r1" }, - { GCRY_PK_ECC, "1.3.132.0.33" }, - { GCRY_PK_ECC, "nistp224" }, - - { GCRY_PK_ECC, "NIST P-256" }, - { GCRY_PK_ECC, "1.2.840.10045.3.1.7" }, - { GCRY_PK_ECC, "prime256v1" }, - { GCRY_PK_ECC, "secp256r1" }, - { GCRY_PK_ECC, "nistp256" }, - - { GCRY_PK_ECC, "NIST P-384" }, - { GCRY_PK_ECC, "secp384r1" }, - { GCRY_PK_ECC, "1.3.132.0.34" }, - { GCRY_PK_ECC, "nistp384" }, - - { GCRY_PK_ECC, "NIST P-521" }, - { GCRY_PK_ECC, "secp521r1" }, - { GCRY_PK_ECC, "1.3.132.0.35" }, - { GCRY_PK_ECC, "nistp521" }, - - { GCRY_PK_ECC, "GOST2001-test" }, - { GCRY_PK_ECC, "1.2.643.2.2.35.0" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "1.2.643.2.2.35.1" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-B" }, - { GCRY_PK_ECC, "1.2.643.2.2.35.2" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "1.2.643.2.2.35.3" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-XchA" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-XchB" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "1.2.643.2.2.36.0" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "1.2.643.2.2.36.1" }, - - /* Noet that GOST2012-256-tc26-A" is only in the curve alias - * list but has no parameter entry. */ - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.2" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-A" }, - { GCRY_PK_ECC, "GOST2012-256-tc26-B" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-B" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.3" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-B" }, - { GCRY_PK_ECC, "GOST2012-256-tc26-C" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.4" }, - { GCRY_PK_ECC, "GOST2001-CryptoPro-C" }, - { GCRY_PK_ECC, "GOST2012-256-tc26-D" }, - - { GCRY_PK_ECC, "GOST2012-512-test" }, - { GCRY_PK_ECC, "GOST2012-test" }, - { GCRY_PK_ECC, "GOST2012-512-test" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.0" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-A" }, - { GCRY_PK_ECC, "GOST2012-tc26-A" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-B" }, - { GCRY_PK_ECC, "GOST2012-tc26-B" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-A" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.1" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-B" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.2" }, - { GCRY_PK_ECC, "GOST2012-512-tc26-C" }, - { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.3" }, - - { GCRY_PK_ECC, "secp256k1" }, - { GCRY_PK_ECC, "1.3.132.0.10" }, - - { GCRY_PK_ECC, "sm2p256v1" }, - { GCRY_PK_ECC, "1.2.156.10197.1.301" }, - - /* Check also the ECC algo mapping. */ - { GCRY_PK_ECDSA, "Ed25519" }, - { GCRY_PK_EDDSA, "Ed25519" }, - { GCRY_PK_ECDH, "Ed25519" }, - { GCRY_PK_ECDSA, "Curve25519" }, - { GCRY_PK_EDDSA, "Curve25519" }, - { GCRY_PK_ECDH, "Curve25519" }, - { GCRY_PK_ECC, "NoSuchCurve", 1 }, - { GCRY_PK_RSA, "rsa", 1 }, - { GCRY_PK_ELG, "elg", 1 }, - { GCRY_PK_DSA, "dsa", 1 } - }; - int idx; - gcry_sexp_t param; - const char *name; - - param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_1_curve); - if (!param) - fail ("error gerring parameters for `%s'\n", sample_key_1_curve); - - name = gcry_pk_get_curve (param, 0, NULL); - if (!name) - fail ("get_param: curve name not found for sample_key_1\n"); - else if (strcmp (name, sample_key_1_curve)) - fail ("get_param: expected curve name %s but got %s for sample_key_1\n", - sample_key_1_curve, name); - - gcry_sexp_release (param); - - /* Some simple tests */ - for (idx=0; idx < DIM (tv); idx++) - { - param = gcry_pk_get_param (tv[idx].algo, tv[idx].name); - if (!param) - { - if (!tv[idx].error_expected) - fail ("get_param: test %d (%s) failed\n", idx, tv[idx].name); - } - else - { - if (tv[idx].error_expected) - fail ("get_param: test %d (%s) failed (error expected)\n", - idx, tv[idx].name); - } - gcry_sexp_release (param); - } -} - - -int -main (int argc, char **argv) -{ - if (argc > 1 && !strcmp (argv[1], "--verbose")) - verbose = 1; - else if (argc > 1 && !strcmp (argv[1], "--debug")) - verbose = debug = 1; - - if (!gcry_check_version (GCRYPT_VERSION)) - die ("version mismatch\n"); - - xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); - if (debug) - xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); - list_curves (); - check_matching (); - check_get_params (); - - return error_count ? 1 : 0; -} diff --git a/ecc-curves.c b/ecc-curves.c deleted file mode 100644 index 5236b19..0000000 --- a/ecc-curves.c +++ /dev/null @@ -1,1483 +0,0 @@ -/* ecc-curves.c - Elliptic Curve parameter mangement - * Copyright (C) 2007, 2008, 2010, 2011 Free Software Foundation, Inc. - * Copyright (C) 2013 g10 Code GmbH - * - * This file is part of Libgcrypt. - * - * Libgcrypt is free software; you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * Libgcrypt is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this program; if not, see . - */ - -#include -#include -#include -#include -#include - -#include "g10lib.h" -#include "mpi.h" -#include "mpi-internal.h" -#include "cipher.h" -#include "context.h" -#include "ec-context.h" -#include "pubkey-internal.h" -#include "ecc-common.h" - - -static gpg_err_code_t -point_from_keyparam (gcry_mpi_point_t *r_a, - gcry_sexp_t keyparam, const char *name, mpi_ec_t ec); - -/* This tables defines aliases for curve names. */ -static const struct -{ - const char *name; /* Our name. */ - const char *other; /* Other name. */ -} curve_aliases[] = - { - { "Ed25519", "1.3.6.1.4.1.11591.15.1" }, /* OpenPGP */ - { "Ed25519", "1.3.101.112" }, /* rfc8410 */ - - { "Curve25519", "1.3.6.1.4.1.3029.1.5.1" }, /* OpenPGP */ - { "Curve25519", "1.3.101.110" }, /* rfc8410 */ - { "Curve25519", "X25519" }, /* rfc8410 */ - - { "Ed448", "1.3.101.113" }, /* rfc8410 */ - { "X448", "1.3.101.111" }, /* rfc8410 */ - - { "NIST P-192", "1.2.840.10045.3.1.1" }, /* X9.62 OID */ - { "NIST P-192", "prime192v1" }, /* X9.62 name. */ - { "NIST P-192", "secp192r1" }, /* SECP name. */ - { "NIST P-192", "nistp192" }, /* rfc5656. */ - - { "NIST P-224", "secp224r1" }, - { "NIST P-224", "1.3.132.0.33" }, /* SECP OID. */ - { "NIST P-224", "nistp224" }, /* rfc5656. */ - - { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1. */ - { "NIST P-256", "prime256v1" }, - { "NIST P-256", "secp256r1" }, - { "NIST P-256", "nistp256" }, /* rfc5656. */ - - { "NIST P-384", "secp384r1" }, - { "NIST P-384", "1.3.132.0.34" }, - { "NIST P-384", "nistp384" }, /* rfc5656. */ - - { "NIST P-521", "secp521r1" }, - { "NIST P-521", "1.3.132.0.35" }, - { "NIST P-521", "nistp521" }, /* rfc5656. */ - - { "GOST2001-test", "1.2.643.2.2.35.0" }, - { "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" }, - { "GOST2001-CryptoPro-B", "1.2.643.2.2.35.2" }, - { "GOST2001-CryptoPro-C", "1.2.643.2.2.35.3" }, - { "GOST2001-CryptoPro-A", "GOST2001-CryptoPro-XchA" }, - { "GOST2001-CryptoPro-C", "GOST2001-CryptoPro-XchB" }, - { "GOST2001-CryptoPro-A", "1.2.643.2.2.36.0" }, - { "GOST2001-CryptoPro-C", "1.2.643.2.2.36.1" }, - - { "GOST2012-256-tc26-A", "1.2.643.7.1.2.1.1.1" }, - { "GOST2001-CryptoPro-A", "1.2.643.7.1.2.1.1.2" }, - { "GOST2001-CryptoPro-A", "GOST2012-256-tc26-B" }, - { "GOST2001-CryptoPro-B", "1.2.643.7.1.2.1.1.3" }, - { "GOST2001-CryptoPro-B", "GOST2012-256-tc26-C" }, - { "GOST2001-CryptoPro-C", "1.2.643.7.1.2.1.1.4" }, - { "GOST2001-CryptoPro-C", "GOST2012-256-tc26-D" }, - - { "GOST2012-512-test", "GOST2012-test" }, - { "GOST2012-512-test", "1.2.643.7.1.2.1.2.0" }, - { "GOST2012-512-tc26-A", "GOST2012-tc26-A" }, - { "GOST2012-512-tc26-B", "GOST2012-tc26-B" }, - { "GOST2012-512-tc26-A", "1.2.643.7.1.2.1.2.1" }, - { "GOST2012-512-tc26-B", "1.2.643.7.1.2.1.2.2" }, - { "GOST2012-512-tc26-C", "1.2.643.7.1.2.1.2.3" }, - - { "secp256k1", "1.3.132.0.10" }, - - { "sm2p256v1", "1.2.156.10197.1.301" }, - - { NULL, NULL} - }; - - -typedef struct -{ - const char *desc; /* Description of the curve. */ - unsigned int nbits; /* Number of bits. */ - unsigned int fips:1; /* True if this is a FIPS140-2 approved curve. */ - - /* The model describing this curve. This is mainly used to select - the group equation. */ - enum gcry_mpi_ec_models model; - - /* The actual ECC dialect used. This is used for curve specific - optimizations and to select encodings etc. */ - enum ecc_dialects dialect; - - const char *p; /* The prime defining the field. */ - const char *a, *b; /* The coefficients. For Twisted Edwards - Curves b is used for d. For Montgomery - Curves (a,b) has ((A-2)/4,B^-1). */ - const char *n; /* The order of the base point. */ - const char *g_x, *g_y; /* Base point. */ - unsigned int h; /* Cofactor. */ -} ecc_domain_parms_t; - - -/* This static table defines all available curves. */ -static const ecc_domain_parms_t domain_parms[] = - { - { - /* (-x^2 + y^2 = 1 + dx^2y^2) */ - "Ed25519", 255, 0, - MPI_EC_EDWARDS, ECC_DIALECT_ED25519, - "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", - "-0x01", - "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A", - "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", - "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", - "0x6666666666666666666666666666666666666666666666666666666666666658", - 8 - }, - { - /* (y^2 = x^3 + 486662*x^2 + x) */ - "Curve25519", 255, 0, - MPI_EC_MONTGOMERY, ECC_DIALECT_STANDARD, - "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", - "0x01DB41", - "0x01", - "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", - "0x0000000000000000000000000000000000000000000000000000000000000009", - "0x20AE19A1B8A086B4E01EDD2C7748D14C923D4D7E6D7C61B229E9C5A27ECED3D9", - 8 - /* Note: As per RFC-7748 errata eid4730 the g_y value should be - * "0x5F51E65E475F794B1FE122D388B72EB36DC2B28192839E4DD6163A5D81312C14" - * but that breaks the keygrip. The new value is recovered in - * the function _gcry_ecc_fill_in_curve. See bug #4712. - */ - }, - { - /* (x^2 + y^2 = 1 + dx^2y^2) */ - "Ed448", 448, 0, - MPI_EC_EDWARDS, ECC_DIALECT_SAFECURVE, - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", - "0x01", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6756", - "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "7CCA23E9C44EDB49AED63690216CC2728DC58F552378C292AB5844F3", - "0x4F1970C66BED0DED221D15A622BF36DA9E146570470F1767EA6DE324" - "A3D3A46412AE1AF72AB66511433B80E18B00938E2626A82BC70CC05E", - "0x693F46716EB6BC248876203756C9C7624BEA73736CA3984087789C1E" - "05A0C2D73AD3FF1CE67C39C4FDBD132C4ED7C8AD9808795BF230FA14", - 4, - }, - { - /* (y^2 = x^3 + 156326*x^2 + x) */ - "X448", 448, 0, - MPI_EC_MONTGOMERY, ECC_DIALECT_SAFECURVE, - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", - "0x98A9", - "0x01", - "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "7CCA23E9C44EDB49AED63690216CC2728DC58F552378C292AB5844F3", - "0x00000000000000000000000000000000000000000000000000000000" - "00000000000000000000000000000000000000000000000000000005", - "0x7D235D1295F5B1F66C98AB6E58326FCECBAE5D34F55545D060F75DC2" - "8DF3F6EDB8027E2346430D211312C4B150677AF76FD7223D457B5B1A", - 4, - }, -#if 0 /* No real specs yet found. */ - { - /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */ - "Curve3617", - "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF", - MPI_EC_EDWARDS, 0, - "0x01", - "0x0e21", - "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF" - "706022B36F1C0338AD63CF181B0E71A5E106AF79", - "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D" - "6D6BA111301A73FAA8537C64C4FD3812F3CBC595", - "0x22", - 8 - }, -#endif /*0*/ - { - "NIST P-192", 192, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xfffffffffffffffffffffffffffffffeffffffffffffffff", - "0xfffffffffffffffffffffffffffffffefffffffffffffffc", - "0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1", - "0xffffffffffffffffffffffff99def836146bc9b1b4d22831", - - "0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012", - "0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811", - 1 - }, - { - "NIST P-224", 224, 1, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xffffffffffffffffffffffffffffffff000000000000000000000001", - "0xfffffffffffffffffffffffffffffffefffffffffffffffffffffffe", - "0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4", - "0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d" , - - "0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", - "0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34", - 1 - }, - { - "NIST P-256", 256, 1, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff", - "0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc", - "0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", - "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", - - "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", - 1 - }, - { - "NIST P-384", 384, 1, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" - "ffffffff0000000000000000ffffffff", - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe" - "ffffffff0000000000000000fffffffc", - "0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a" - "c656398d8a2ed19d2a85c8edd3ec2aef", - "0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf" - "581a0db248b0a77aecec196accc52973", - - "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" - "5502f25dbf55296c3a545e3872760ab7", - "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" - "0a60b1ce1d7e819d7a431d7c90ea0e5f", - 1 - }, - { - "NIST P-521", 521, 1, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", - "0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef10" - "9e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", - "0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", - - "0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d" - "3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - "0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e" - "662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", - 1 - }, - - { - "GOST2001-test", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x8000000000000000000000000000000000000000000000000000000000000431", - "0x0000000000000000000000000000000000000000000000000000000000000007", - "0x5fbff498aa938ce739b8e022fbafef40563f6e6a3472fc2a514c0ce9dae23b7e", - "0x8000000000000000000000000000000150fe8a1892976154c59cfc193accf5b3", - - "0x0000000000000000000000000000000000000000000000000000000000000002", - "0x08e2a8a0e65147d4bd6316030e16d19c85c97f0a9ca267122b96abbcea7e8fc8", - 1 - }, - { - "GOST2001-CryptoPro-A", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd97", - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd94", - "0x00000000000000000000000000000000000000000000000000000000000000a6", - "0xffffffffffffffffffffffffffffffff6c611070995ad10045841b09b761b893", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x8d91e471e0989cda27df505a453f2b7635294f2ddf23e3b122acc99c9e9f1e14", - 1 - }, - { - "GOST2001-CryptoPro-B", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x8000000000000000000000000000000000000000000000000000000000000c99", - "0x8000000000000000000000000000000000000000000000000000000000000c96", - "0x3e1af419a269a5f866a7d3c25c3df80ae979259373ff2b182f49d4ce7e1bbc8b", - "0x800000000000000000000000000000015f700cfff1a624e5e497161bcc8a198f", - "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x3fa8124359f96680b83d1c3eb2c070e5c545c9858d03ecfb744bf8d717717efc", - 1 - }, - { - "GOST2001-CryptoPro-C", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x9b9f605f5a858107ab1ec85e6b41c8aacf846e86789051d37998f7b9022d759b", - "0x9b9f605f5a858107ab1ec85e6b41c8aacf846e86789051d37998f7b9022d7598", - "0x000000000000000000000000000000000000000000000000000000000000805a", - "0x9b9f605f5a858107ab1ec85e6b41c8aa582ca3511eddfb74f02f3a6598980bb9", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x41ece55743711a8c3cbf3783cd08c0ee4d4dc440d4641a8f366e550dfdb3bb67", - 1 - }, - { - "GOST2012-256-A", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd97", - "0xc2173f1513981673af4892c23035a27ce25e2013bf95aa33b22c656f277e7335", - "0x295f9bae7428ed9ccc20e7c359a9d41a22fccd9108e17bf7ba9337a6f8ae9513", - "0x400000000000000000000000000000000fd8cddfc87b6635c115af556c360c67", - "0x91e38443a5e82c0d880923425712b2bb658b9196932e02c78b2582fe742daa28", - "0x32879423ab1a0375895786c4bb46e9565fde0b5344766740af268adb32322e5c", - 4 - }, - { - "GOST2012-512-test", 511, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x4531acd1fe0023c7550d267b6b2fee80922b14b2ffb90f04d4eb7c09b5d2d15d" - "f1d852741af4704a0458047e80e4546d35b8336fac224dd81664bbf528be6373", - "0x0000000000000000000000000000000000000000000000000000000000000007", - "0x1cff0806a31116da29d8cfa54e57eb748bc5f377e49400fdd788b649eca1ac4" - "361834013b2ad7322480a89ca58e0cf74bc9e540c2add6897fad0a3084f302adc", - "0x4531acd1fe0023c7550d267b6b2fee80922b14b2ffb90f04d4eb7c09b5d2d15d" - "a82f2d7ecb1dbac719905c5eecc423f1d86e25edbe23c595d644aaf187e6e6df", - - "0x24d19cc64572ee30f396bf6ebbfd7a6c5213b3b3d7057cc825f91093a68cd762" - "fd60611262cd838dc6b60aa7eee804e28bc849977fac33b4b530f1b120248a9a", - "0x2bb312a43bd2ce6e0d020613c857acddcfbf061e91e5f2c3f32447c259f39b2" - "c83ab156d77f1496bf7eb3351e1ee4e43dc1a18b91b24640b6dbb92cb1add371e", - 1 - }, - { - "GOST2012-512-tc26-A", 512, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc7", - "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc4", - "0xe8c2505dedfc86ddc1bd0b2b6667f1da34b82574761cb0e879bd081cfd0b6265" - "ee3cb090f30d27614cb4574010da90dd862ef9d4ebee4761503190785a71c760", - "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "27e69532f48d89116ff22b8d4e0560609b4b38abfad2b85dcacdb1411f10b275", - "0x0000000000000000000000000000000000000000000000000000000000000000" - "0000000000000000000000000000000000000000000000000000000000000003", - "0x7503cfe87a836ae3a61b8816e25450e6ce5e1c93acf1abc1778064fdcbefa921" - "df1626be4fd036e93d75e6a50e3a41e98028fe5fc235f5b889a589cb5215f2a4", - 1 - }, - { - "GOST2012-512-tc26-B", 512, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0x8000000000000000000000000000000000000000000000000000000000000000" - "000000000000000000000000000000000000000000000000000000000000006f", - "0x8000000000000000000000000000000000000000000000000000000000000000" - "000000000000000000000000000000000000000000000000000000000000006c", - "0x687d1b459dc841457e3e06cf6f5e2517b97c7d614af138bcbf85dc806c4b289f" - "3e965d2db1416d217f8b276fad1ab69c50f78bee1fa3106efb8ccbc7c5140116", - "0x8000000000000000000000000000000000000000000000000000000000000001" - "49a1ec142565a545acfdb77bd9d40cfa8b996712101bea0ec6346c54374f25bd", - "0x0000000000000000000000000000000000000000000000000000000000000000" - "0000000000000000000000000000000000000000000000000000000000000002", - "0x1a8f7eda389b094c2c071e3647a8940f3c123b697578c213be6dd9e6c8ec7335" - "dcb228fd1edf4a39152cbcaaf8c0398828041055f94ceeec7e21340780fe41bd", - 1 - }, - { - "GOST2012-512-tc26-C", 512, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc7", - "0xdc9203e514a721875485a529d2c722fb187bc8980eb866644de41c68e1430645" - "46e861c0e2c9edd92ade71f46fcf50ff2ad97f951fda9f2a2eb6546f39689bd3", - "0xb4c4ee28cebc6c2c8ac12952cf37f16ac7efb6a9f69f4b57ffda2e4f0de5ade0" - "38cbc2fff719d2c18de0284b8bfef3b52b8cc7a5f5bf0a3c8d2319a5312557e1", - "0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "c98cdba46506ab004c33a9ff5147502cc8eda9e7a769a12694623cef47f023ed", - "0xe2e31edfc23de7bdebe241ce593ef5de2295b7a9cbaef021d385f7074cea043a" - "a27272a7ae602bf2a7b9033db9ed3610c6fb85487eae97aac5bc7928c1950148", - "0xf5ce40d95b5eb899abbccff5911cb8577939804d6527378b8c108c3d2090ff9be" - "18e2d33e3021ed2ef32d85822423b6304f726aa854bae07d0396e9a9addc40f", - 4 - }, - - { - "secp256k1", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", - "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x0000000000000000000000000000000000000000000000000000000000000007", - "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", - "0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", - "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", - 1 - }, - - { - "sm2p256v1", 256, 0, - MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, - "0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff", - "0xfffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc", - "0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93", - "0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123", - "0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", - "0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", - 1 - }, - - { NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL, NULL } - }; - - - - -/* Return a copy of POINT. */ -static gcry_mpi_point_t -point_copy (gcry_mpi_point_t point) -{ - gcry_mpi_point_t newpoint; - - if (point) - { - newpoint = mpi_point_new (0); - point_set (newpoint, point); - } - else - newpoint = NULL; - return newpoint; -} - - -/* Helper to scan a hex string. */ -static gcry_mpi_t -scanval (const char *string) -{ - gpg_err_code_t rc; - gcry_mpi_t val; - - rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL); - if (rc) - log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc)); - return val; -} - - -/* Return the index of the domain_parms table for a curve with NAME. - Return -1 if not found. */ -static int -find_domain_parms_idx (const char *name) -{ - int idx, aliasno; - - /* First check our native curves. */ - for (idx = 0; domain_parms[idx].desc; idx++) - if (!strcmp (name, domain_parms[idx].desc)) - return idx; - - /* If not found consult the alias table. */ - if (!domain_parms[idx].desc) - { - for (aliasno = 0; curve_aliases[aliasno].name; aliasno++) - if (!strcmp (name, curve_aliases[aliasno].other)) - break; - if (curve_aliases[aliasno].name) - { - for (idx = 0; domain_parms[idx].desc; idx++) - if (!strcmp (curve_aliases[aliasno].name, domain_parms[idx].desc)) - return idx; - } - } - - return -1; -} - - -/* Generate the crypto system setup. This function takes the NAME of - a curve or the desired number of bits and stores at R_CURVE the - parameters of the named curve or those of a suitable curve. If - R_NBITS is not NULL, the chosen number of bits is stored there. - NULL may be given for R_CURVE, if the value is not required and for - example only a quick test for availability is desired. Note that - the curve fields should be initialized to zero because fields which - are not NULL are skipped. */ -gpg_err_code_t -_gcry_ecc_fill_in_curve (unsigned int nbits, const char *name, - elliptic_curve_t *curve, unsigned int *r_nbits) -{ - int idx; - const char *resname = NULL; /* Set to a found curve name. */ - - if (name) - idx = find_domain_parms_idx (name); - else - { - for (idx = 0; domain_parms[idx].desc; idx++) - if (nbits == domain_parms[idx].nbits - && domain_parms[idx].model == MPI_EC_WEIERSTRASS) - break; - if (!domain_parms[idx].desc) - idx = -1; - } - if (idx < 0) - return GPG_ERR_UNKNOWN_CURVE; - - resname = domain_parms[idx].desc; - - /* In fips mode we only support NIST curves. Note that it is - possible to bypass this check by specifying the curve parameters - directly. */ - if (fips_mode () && !domain_parms[idx].fips ) - return GPG_ERR_NOT_SUPPORTED; - - switch (domain_parms[idx].model) - { - case MPI_EC_WEIERSTRASS: - case MPI_EC_EDWARDS: - case MPI_EC_MONTGOMERY: - break; - default: - return GPG_ERR_BUG; - } - - - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - - if (curve) - { - curve->model = domain_parms[idx].model; - curve->dialect = domain_parms[idx].dialect; - if (!curve->p) - curve->p = scanval (domain_parms[idx].p); - if (!curve->a) - { - curve->a = scanval (domain_parms[idx].a); - if (curve->a->sign) - { - mpi_resize (curve->a, curve->p->nlimbs); - _gcry_mpih_sub_n (curve->a->d, curve->p->d, - curve->a->d, curve->p->nlimbs); - curve->a->nlimbs = curve->p->nlimbs; - curve->a->sign = 0; - } - } - if (!curve->b) - { - curve->b = scanval (domain_parms[idx].b); - if (curve->b->sign) - { - mpi_resize (curve->b, curve->p->nlimbs); - _gcry_mpih_sub_n (curve->b->d, curve->p->d, - curve->b->d, curve->p->nlimbs); - curve->b->nlimbs = curve->p->nlimbs; - curve->b->sign = 0; - } - } - if (!curve->n) - curve->n = scanval (domain_parms[idx].n); - if (!curve->G.x) - curve->G.x = scanval (domain_parms[idx].g_x); - if (!curve->G.y) - curve->G.y = scanval (domain_parms[idx].g_y); - curve->h = domain_parms[idx].h; - - /* - * In the constants of domain_parms, we defined Curve25519 - * domain parameters as the ones in RFC-7748 before the errata - * (eid4730). To keep the computation having exact same values, - * we recover the new value of g_y, here. - */ - if (!strcmp (resname, "Curve25519")) - mpi_sub (curve->G.y, curve->p, curve->G.y); - - if (!curve->G.z) - curve->G.z = mpi_alloc_set_ui (1); - if (!curve->name) - curve->name = resname; - } - - return 0; -} - - -/* Give the name of the curve NAME, store the curve parameters into P, - A, B, G, and N if they point to NULL value. Note that G is - returned in standard uncompressed format. Also update MODEL and - DIALECT if they are not NULL. */ -gpg_err_code_t -_gcry_ecc_update_curve_param (const char *name, - enum gcry_mpi_ec_models *model, - enum ecc_dialects *dialect, - gcry_mpi_t *p, gcry_mpi_t *a, gcry_mpi_t *b, - gcry_mpi_t *g, gcry_mpi_t *n) -{ - int idx; - - idx = find_domain_parms_idx (name); - if (idx < 0) - return GPG_ERR_UNKNOWN_CURVE; - - if (g) - { - char *buf; - size_t len; - - len = 4; - len += strlen (domain_parms[idx].g_x+2); - len += strlen (domain_parms[idx].g_y+2); - len++; - buf = xtrymalloc (len); - if (!buf) - return gpg_err_code_from_syserror (); - strcpy (stpcpy (stpcpy (buf, "0x04"), domain_parms[idx].g_x+2), - domain_parms[idx].g_y+2); - _gcry_mpi_release (*g); - *g = scanval (buf); - xfree (buf); - } - if (model) - *model = domain_parms[idx].model; - if (dialect) - *dialect = domain_parms[idx].dialect; - if (p) - { - _gcry_mpi_release (*p); - *p = scanval (domain_parms[idx].p); - } - if (a) - { - _gcry_mpi_release (*a); - *a = scanval (domain_parms[idx].a); - } - if (b) - { - _gcry_mpi_release (*b); - *b = scanval (domain_parms[idx].b); - } - if (n) - { - _gcry_mpi_release (*n); - *n = scanval (domain_parms[idx].n); - } - return 0; -} - - -/* Return the name matching the parameters in PKEY. This works only - with curves described by the Weierstrass equation. */ -const char * -_gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits) -{ - gpg_err_code_t rc; - const char *result = NULL; - elliptic_curve_t E; - gcry_mpi_point_t G = NULL; - gcry_mpi_t tmp = NULL; - int idx; - - memset (&E, 0, sizeof E); - - if (r_nbits) - *r_nbits = 0; - - if (!keyparms) - { - idx = iterator; - if (idx >= 0 && idx < DIM (domain_parms)) - { - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - } - return result; - } - - - /* - * Extract the curve parameters.. - */ - rc = gpg_err_code (sexp_extract_param (keyparms, NULL, "pabn", - &E.p, &E.a, &E.b, &E.n, NULL)); - if (rc == GPG_ERR_NO_OBJ) - { - /* This might be the second use case of checking whether a - specific curve given by name is supported. */ - gcry_sexp_t l1; - char *name; - - l1 = sexp_find_token (keyparms, "curve", 5); - if (!l1) - goto leave; /* No curve name parameter. */ - - name = sexp_nth_string (l1, 1); - sexp_release (l1); - if (!name) - goto leave; /* Name missing or out of core. */ - - idx = find_domain_parms_idx (name); - xfree (name); - if (idx >= 0) /* Curve found. */ - { - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - } - return result; - } - - if (rc) - goto leave; - - rc = point_from_keyparam (&G, keyparms, "g", NULL); - if (rc) - goto leave; - - _gcry_mpi_point_init (&E.G); - _gcry_mpi_point_set (&E.G, G->x, G->y, G->z); - - for (idx = 0; domain_parms[idx].desc; idx++) - { - mpi_free (tmp); - tmp = scanval (domain_parms[idx].p); - if (mpi_cmp (tmp, E.p)) - continue; - - mpi_free (tmp); - tmp = scanval (domain_parms[idx].a); - if (tmp->sign) - { - if (!mpi_cmpabs (tmp, E.a)) - /* For backward compatibility to <= libgcrypt 1.8, we - allow this match to support existing keys in SEXP. */ - ; - else - { - mpi_resize (tmp, E.p->nlimbs); - _gcry_mpih_sub_n (tmp->d, E.p->d, - tmp->d, E.p->nlimbs); - tmp->nlimbs = E.p->nlimbs; - tmp->sign = 0; - if (mpi_cmp (tmp, E.a)) - continue; - } - } - else if (mpi_cmp (tmp, E.a)) - continue; - - mpi_free (tmp); - tmp = scanval (domain_parms[idx].b); - if (tmp->sign) - { - if (!mpi_cmpabs (tmp, E.b)) - /* Same for backward compatibility, see above. */ - ; - else - { - mpi_resize (tmp, E.p->nlimbs); - _gcry_mpih_sub_n (tmp->d, E.p->d, - tmp->d, E.p->nlimbs); - tmp->nlimbs = E.p->nlimbs; - tmp->sign = 0; - if (mpi_cmp (tmp, E.b)) - continue; - } - } - else if (mpi_cmp (tmp, E.b)) - continue; - - mpi_free (tmp); - tmp = scanval (domain_parms[idx].n); - if (mpi_cmp (tmp, E.n)) - continue; - - mpi_free (tmp); - tmp = scanval (domain_parms[idx].g_x); - if (mpi_cmp (tmp, E.G.x)) - continue; - - mpi_free (tmp); - tmp = scanval (domain_parms[idx].g_y); - if (mpi_cmp (tmp, E.G.y)) - continue; - - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - break; - } - - leave: - _gcry_mpi_point_release (G); - _gcry_mpi_release (tmp); - _gcry_mpi_release (E.p); - _gcry_mpi_release (E.a); - _gcry_mpi_release (E.b); - _gcry_mpi_point_free_parts (&E.G); - _gcry_mpi_release (E.n); - return result; -} - - -/* Helper to extract an MPI from key parameters. */ -static gpg_err_code_t -mpi_from_keyparam (gcry_mpi_t *r_a, gcry_sexp_t keyparam, const char *name, - int opaque) -{ - gcry_err_code_t ec = 0; - gcry_sexp_t l1; - - l1 = sexp_find_token (keyparam, name, 0); - if (l1) - { - *r_a = sexp_nth_mpi (l1, 1, opaque? GCRYMPI_FMT_OPAQUE : GCRYMPI_FMT_USG); - sexp_release (l1); - if (!*r_a) - ec = GPG_ERR_INV_OBJ; - } - return ec; -} - -/* Helper to extract a point from key parameters. If no parameter - with NAME is found, the functions tries to find a non-encoded point - by appending ".x", ".y" and ".z" to NAME. ".z" is in this case - optional and defaults to 1. EC is the context which at this point - may not be fully initialized. */ -static gpg_err_code_t -point_from_keyparam (gcry_mpi_point_t *r_a, - gcry_sexp_t keyparam, const char *name, mpi_ec_t ec) -{ - gcry_err_code_t rc; - gcry_sexp_t l1; - gcry_mpi_point_t point; - - l1 = sexp_find_token (keyparam, name, 0); - if (l1) - { - gcry_mpi_t a; - - a = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_OPAQUE); - sexp_release (l1); - if (!a) - return GPG_ERR_INV_OBJ; - - point = mpi_point_new (0); - rc = _gcry_mpi_ec_decode_point (point, a, ec); - mpi_free (a); - if (rc) - { - mpi_point_release (point); - return rc; - } - } - else - { - char *tmpname; - gcry_mpi_t x = NULL; - gcry_mpi_t y = NULL; - gcry_mpi_t z = NULL; - - tmpname = xtrymalloc (strlen (name) + 2 + 1); - if (!tmpname) - return gpg_err_code_from_syserror (); - strcpy (stpcpy (tmpname, name), ".x"); - rc = mpi_from_keyparam (&x, keyparam, tmpname, 0); - if (rc) - { - xfree (tmpname); - return rc; - } - strcpy (stpcpy (tmpname, name), ".y"); - rc = mpi_from_keyparam (&y, keyparam, tmpname, 0); - if (rc) - { - mpi_free (x); - xfree (tmpname); - return rc; - } - strcpy (stpcpy (tmpname, name), ".z"); - rc = mpi_from_keyparam (&z, keyparam, tmpname, 0); - if (rc) - { - mpi_free (y); - mpi_free (x); - xfree (tmpname); - return rc; - } - if (!z) - z = mpi_set_ui (NULL, 1); - if (x && y) - point = mpi_point_snatch_set (NULL, x, y, z); - else - { - mpi_free (x); - mpi_free (y); - mpi_free (z); - point = NULL; - } - xfree (tmpname); - } - - if (point) - *r_a = point; - return 0; -} - - - -static gpg_err_code_t -mpi_ec_get_elliptic_curve (elliptic_curve_t *E, int *r_flags, - gcry_sexp_t keyparam, const char *curvename) -{ - gpg_err_code_t errc; - unsigned int nbits; - gcry_sexp_t l1; - - errc = _gcry_pk_util_get_nbits (keyparam, &nbits); - if (errc) - return errc; - - E->model = MPI_EC_WEIERSTRASS; - E->dialect = ECC_DIALECT_STANDARD; - E->h = 1; - - if (keyparam) - { - /* Parse an optional flags list. */ - l1 = sexp_find_token (keyparam, "flags", 0); - if (l1) - { - int flags = 0; - - errc = _gcry_pk_util_parse_flaglist (l1, &flags, NULL); - sexp_release (l1); - l1 = NULL; - if (errc) - goto leave; - - *r_flags |= flags; - } - - /* Parse the deprecated optional transient-key flag. */ - l1 = sexp_find_token (keyparam, "transient-key", 0); - if (l1) - { - *r_flags |= PUBKEY_FLAG_TRANSIENT_KEY; - sexp_release (l1); - } - - /* Check whether a curve name was given. */ - l1 = sexp_find_token (keyparam, "curve", 5); - - /* If we don't have a curve name or if override parameters have - explicitly been requested, parse them. */ - if (!l1 || (*r_flags & PUBKEY_FLAG_PARAM)) - { - gcry_mpi_point_t G = NULL; - gcry_mpi_t cofactor = NULL; - - errc = mpi_from_keyparam (&E->p, keyparam, "p", 0); - if (errc) - goto leave; - errc = mpi_from_keyparam (&E->a, keyparam, "a", 0); - if (errc) - goto leave; - errc = mpi_from_keyparam (&E->b, keyparam, "b", 0); - if (errc) - goto leave; - errc = point_from_keyparam (&G, keyparam, "g", NULL); - if (errc) - goto leave; - if (G) - { - _gcry_mpi_point_init (&E->G); - mpi_point_set (&E->G, G->x, G->y, G->z); - mpi_point_set (G, NULL, NULL, NULL); - mpi_point_release (G); - } - errc = mpi_from_keyparam (&E->n, keyparam, "n", 0); - if (errc) - goto leave; - errc = mpi_from_keyparam (&cofactor, keyparam, "h", 0); - if (errc) - goto leave; - if (cofactor) - { - mpi_get_ui (&E->h, cofactor); - mpi_free (cofactor); - } - } - } - else - l1 = NULL; /* No curvename. */ - - /* Check whether a curve parameter is available and use that to fill - in missing values. If no curve parameter is available try an - optional provided curvename. If only the curvename has been - given use that one. */ - if (l1 || curvename || nbits) - { - char *name; - - if (l1) - { - name = sexp_nth_string (l1, 1); - sexp_release (l1); - if (!name) - { - errc = GPG_ERR_INV_OBJ; /* Name missing or out of core. */ - goto leave; - } - } - else - name = NULL; - - errc = _gcry_ecc_fill_in_curve (nbits, name? name : curvename, E, NULL); - xfree (name); - if (errc) - goto leave; - } - - leave: - return errc; -} - -static gpg_err_code_t -mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags, - elliptic_curve_t *E, gcry_sexp_t keyparam) -{ - gpg_err_code_t errc = 0; - - ec->G = mpi_point_snatch_set (NULL, E->G.x, E->G.y, E->G.z); - E->G.x = NULL; - E->G.y = NULL; - E->G.z = NULL; - ec->n = E->n; - E->n = NULL; - ec->h = E->h; - ec->name = E->name; - - /* Now that we know the curve name we can look for the public key - Q. point_from_keyparam needs to know the curve parameters so - that it is able to use the correct decompression. Parsing - the private key D could have been done earlier but it is less - surprising if we do it here as well. */ - if (keyparam) - { - int is_opaque_bytes = ((ec->dialect == ECC_DIALECT_ED25519 - && (flags & PUBKEY_FLAG_EDDSA)) - || (ec->dialect == ECC_DIALECT_SAFECURVE)); - - errc = point_from_keyparam (&ec->Q, keyparam, "q", ec); - if (errc) - return errc; - errc = mpi_from_keyparam (&ec->d, keyparam, "d", is_opaque_bytes); - - /* Size of opaque bytes should match size of P. */ - if (!errc && ec->d && is_opaque_bytes) - { - unsigned int n = mpi_get_nbits (ec->d); - unsigned int len; - - len = (ec->nbits+7)/8; - /* EdDSA requires additional bit for sign. */ - if ((ec->nbits%8) == 0 && ec->model == MPI_EC_EDWARDS) - len++; - - if ((n+7)/8 != len) - { - if (ec->dialect == ECC_DIALECT_ED25519) - { - /* - * GnuPG (<= 2.2) or OpenPGP implementations with no - * SOS support may remove zeros at the beginning. - * Recover those zeros. - */ - /* - * Also, GnuPG (<= 2.2) may add additional zero at - * the beginning, when private key is moved from - * OpenPGP to gpg-agent. Remove such a zero-prefix. - */ - const unsigned char *buf; - unsigned char *value; - - buf = mpi_get_opaque (ec->d, &n); - if (!buf) - return GPG_ERR_INV_OBJ; - - value = xtrymalloc_secure (len); - if (!value) - return gpg_err_code_from_syserror (); - - if ((n+7)/8 < len) - /* Recover zeros. */ - { - memset (value, 0, len - (n+7)/8); - memcpy (value + len - (n+7)/8, buf, (n+7)/8); - } - else if ((n+7)/8 == len + 1) - /* Remove a zero. */ - memcpy (value, buf+1, len); - else - { - xfree (value); - return GPG_ERR_INV_OBJ; - } - - mpi_set_opaque (ec->d, value, len*8); - } - else - { - if (DBG_CIPHER) - log_debug ("scalar size (%d) != prime size (%d)", - (n+7)/8, len); - - errc = GPG_ERR_INV_OBJ; - } - } - } - } - - return errc; -} - -gpg_err_code_t -_gcry_mpi_ec_internal_new (mpi_ec_t *r_ec, int *r_flags, const char *name_op, - gcry_sexp_t keyparam, const char *curvename) -{ - gpg_err_code_t errc; - elliptic_curve_t E; - mpi_ec_t ec; - - *r_ec = NULL; - - memset (&E, 0, sizeof E); - errc = mpi_ec_get_elliptic_curve (&E, r_flags, keyparam, curvename); - if (errc) - goto leave; - - ec = _gcry_mpi_ec_p_internal_new (E.model, E.dialect, *r_flags, - E.p, E.a, E.b); - if (!ec) - goto leave; - - errc = mpi_ec_setup_elliptic_curve (ec, *r_flags, &E, keyparam); - if (errc) - { - _gcry_mpi_ec_free (ec); - goto leave; - } - else - *r_ec = ec; - - if (!errc && DBG_CIPHER) - { - gcry_mpi_t mpi_q = NULL; - gcry_sexp_t l1; - char msg[80]; - - l1 = sexp_find_token (keyparam, "q", 0); - if (l1) - { - mpi_q = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_OPAQUE); - sexp_release (l1); - } - - log_debug ("%s info: %s/%s%s\n", name_op, - _gcry_ecc_model2str (ec->model), - _gcry_ecc_dialect2str (ec->dialect), - (*r_flags & PUBKEY_FLAG_EDDSA)? "+EdDSA" : ""); - if (ec->name) - log_debug ("%s name: %s\n", name_op, ec->name); - snprintf (msg, sizeof msg, "%s p", name_op); - log_printmpi (msg, ec->p); - snprintf (msg, sizeof msg, "%s a", name_op); - log_printmpi (msg, ec->a); - snprintf (msg, sizeof msg, "%s b", name_op); - log_printmpi (msg, ec->b); - snprintf (msg, sizeof msg, "%s g", name_op); - log_printpnt (msg, ec->G, NULL); - snprintf (msg, sizeof msg, "%s n", name_op); - log_printmpi (msg, ec->n); - log_debug ("%s h:+%02x\n", name_op, ec->h); - if (mpi_q) - { - snprintf (msg, sizeof msg, "%s q", name_op); - log_printmpi (msg, mpi_q); - mpi_free (mpi_q); - } - if (!fips_mode () && ec->d) - { - snprintf (msg, sizeof msg, "%s d", name_op); - log_printmpi (msg, ec->d); - } - } - - leave: - _gcry_ecc_curve_free (&E); - return errc; -} - -/* This function creates a new context for elliptic curve operations. - Either KEYPARAM or CURVENAME must be given. If both are given and - KEYPARAM has no curve parameter, CURVENAME is used to add missing - parameters. On success 0 is returned and the new context stored at - R_CTX. On error NULL is stored at R_CTX and an error code is - returned. The context needs to be released using - gcry_ctx_release. */ -gpg_err_code_t -_gcry_mpi_ec_new (gcry_ctx_t *r_ctx, - gcry_sexp_t keyparam, const char *curvename) -{ - gpg_err_code_t errc; - elliptic_curve_t E; - gcry_ctx_t ctx = NULL; - int flags = 0; - mpi_ec_t ec; - - *r_ctx = NULL; - - memset (&E, 0, sizeof E); - errc = mpi_ec_get_elliptic_curve (&E, &flags, keyparam, curvename); - if (errc) - goto leave; - - errc = _gcry_mpi_ec_p_new (&ctx, E.model, E.dialect, flags, E.p, E.a, E.b); - if (errc) - goto leave; - - ec = _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC); - errc = mpi_ec_setup_elliptic_curve (ec, flags, &E, keyparam); - if (errc) - goto leave; - - *r_ctx = ctx; - ctx = NULL; - - leave: - _gcry_ecc_curve_free (&E); - _gcry_ctx_release (ctx); - return errc; -} - - -/* Return the parameters of the curve NAME as an S-expression. */ -gcry_sexp_t -_gcry_ecc_get_param_sexp (const char *name) -{ - elliptic_curve_t E; - gcry_mpi_t pkey[5]; - gcry_sexp_t result; - - memset (&E, 0, sizeof E); - if (_gcry_ecc_fill_in_curve (0, name, &E, NULL)) - return NULL; - - pkey[0] = E.p; - pkey[1] = E.a; - pkey[2] = E.b; - pkey[3] = _gcry_ecc_ec2os (E.G.x, E.G.y, E.p); - pkey[4] = E.n; - - if (sexp_build (&result, NULL, - "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%u)))", - pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], E.h)) - result = NULL; - - _gcry_ecc_curve_free (&E); - _gcry_mpi_release (pkey[3]); - - return result; -} - - -/* Return an MPI (or opaque MPI) described by NAME and the context EC. - If COPY is true a copy is returned, if not a const MPI may be - returned. In any case mpi_free must be used. */ -gcry_mpi_t -_gcry_ecc_get_mpi (const char *name, mpi_ec_t ec, int copy) -{ - if (!*name) - return NULL; - - if (!strcmp (name, "p") && ec->p) - return mpi_is_const (ec->p) && !copy? ec->p : mpi_copy (ec->p); - if (!strcmp (name, "a") && ec->a) - return mpi_is_const (ec->a) && !copy? ec->a : mpi_copy (ec->a); - if (!strcmp (name, "b") && ec->b) - return mpi_is_const (ec->b) && !copy? ec->b : mpi_copy (ec->b); - if (!strcmp (name, "n") && ec->n) - return mpi_is_const (ec->n) && !copy? ec->n : mpi_copy (ec->n); - if (!strcmp (name, "h")) - { - gcry_mpi_t h = _gcry_mpi_get_const (ec->h); - - return !copy? h : mpi_set (NULL, h); - } - if (!strcmp (name, "d") && ec->d) - return mpi_is_const (ec->d) && !copy? ec->d : mpi_copy (ec->d); - - /* Return a requested point coordinate. */ - if (!strcmp (name, "g.x") && ec->G && ec->G->x) - return mpi_is_const (ec->G->x) && !copy? ec->G->x : mpi_copy (ec->G->x); - if (!strcmp (name, "g.y") && ec->G && ec->G->y) - return mpi_is_const (ec->G->y) && !copy? ec->G->y : mpi_copy (ec->G->y); - if (!strcmp (name, "q.x") && ec->Q && ec->Q->x) - return mpi_is_const (ec->Q->x) && !copy? ec->Q->x : mpi_copy (ec->Q->x); - if (!strcmp (name, "q.y") && ec->Q && ec->Q->y) - return mpi_is_const (ec->Q->y) && !copy? ec->Q->y : mpi_copy (ec->Q->y); - - /* If the base point has been requested, return it in standard - encoding. */ - if (!strcmp (name, "g") && ec->G) - return _gcry_mpi_ec_ec2os (ec->G, ec); - - /* If the public key has been requested, return it by default in - standard uncompressed encoding or if requested in other - encodings. */ - if (*name == 'q' && (!name[1] || name[1] == '@')) - { - /* If only the private key is given, compute the public key. */ - if (!ec->Q) - ec->Q = _gcry_ecc_compute_public (NULL, ec); - - if (!ec->Q) - return NULL; - - if (name[1] != '@') - return _gcry_mpi_ec_ec2os (ec->Q, ec); - - if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS) - { - unsigned char *encpk; - unsigned int encpklen; - - if (!_gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, 0, - &encpk, &encpklen)) - return mpi_set_opaque (NULL, encpk, encpklen*8); - } - } - - return NULL; -} - - -/* Return a point described by NAME and the context EC. */ -gcry_mpi_point_t -_gcry_ecc_get_point (const char *name, mpi_ec_t ec) -{ - if (!strcmp (name, "g") && ec->G) - return point_copy (ec->G); - if (!strcmp (name, "q")) - { - /* If only the private key is given, compute the public key. */ - if (!ec->Q) - ec->Q = _gcry_ecc_compute_public (NULL, ec); - - if (ec->Q) - return point_copy (ec->Q); - } - - return NULL; -} - - -/* Store the MPI NEWVALUE into the context EC under NAME. */ -gpg_err_code_t -_gcry_ecc_set_mpi (const char *name, gcry_mpi_t newvalue, mpi_ec_t ec) -{ - gpg_err_code_t rc = 0; - - if (!*name) - ; - else if (!strcmp (name, "p")) - { - mpi_free (ec->p); - ec->p = mpi_copy (newvalue); - _gcry_mpi_ec_get_reset (ec); - } - else if (!strcmp (name, "a")) - { - mpi_free (ec->a); - ec->a = mpi_copy (newvalue); - _gcry_mpi_ec_get_reset (ec); - } - else if (!strcmp (name, "b")) - { - mpi_free (ec->b); - ec->b = mpi_copy (newvalue); - } - else if (!strcmp (name, "n")) - { - mpi_free (ec->n); - ec->n = mpi_copy (newvalue); - } - else if (!strcmp (name, "h")) - { - mpi_get_ui (&ec->h, newvalue); - } - else if (*name == 'q' && (!name[1] || name[1] == '@')) - { - if (newvalue) - { - if (!ec->Q) - ec->Q = mpi_point_new (0); - rc = _gcry_mpi_ec_decode_point (ec->Q, newvalue, ec); - } - if (rc || !newvalue) - { - _gcry_mpi_point_release (ec->Q); - ec->Q = NULL; - } - /* Note: We assume that Q matches d and thus do not reset d. */ - } - else if (!strcmp (name, "d")) - { - mpi_free (ec->d); - ec->d = mpi_copy (newvalue); - if (ec->d) - { - /* We need to reset the public key because it may not - anymore match. */ - _gcry_mpi_point_release (ec->Q); - ec->Q = NULL; - } - } - else - rc = GPG_ERR_UNKNOWN_NAME; - - return rc; -} - - -/* Store the point NEWVALUE into the context EC under NAME. */ -gpg_err_code_t -_gcry_ecc_set_point (const char *name, gcry_mpi_point_t newvalue, mpi_ec_t ec) -{ - if (!strcmp (name, "g")) - { - _gcry_mpi_point_release (ec->G); - ec->G = point_copy (newvalue); - } - else if (!strcmp (name, "q")) - { - _gcry_mpi_point_release (ec->Q); - ec->Q = point_copy (newvalue); - } - else - return GPG_ERR_UNKNOWN_NAME; - - return 0; -} diff --git a/hobble-libgcrypt b/hobble-libgcrypt deleted file mode 100755 index 1aa88dc..0000000 --- a/hobble-libgcrypt +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -# Quit out if anything fails. -set -e -x - -# Clean out patent-or-otherwise-encumbered code. -# EC: ????????? ??/??/2015 - -rm -f cipher/ecc-curves.c -rm -f tests/curves.c -rm -f tests/keygrip.c diff --git a/keygrip.c b/keygrip.c deleted file mode 100644 index 56fbba8..0000000 --- a/keygrip.c +++ /dev/null @@ -1,341 +0,0 @@ -/* keygrip.c - verifies that keygrips are calculated as expected - * Copyright (C) 2005 Free Software Foundation, Inc. - * - * This file is part of Libgcrypt. - * - * Libgcrypt is free software; you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * Libgcrypt is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA - */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include - -#define PGM "keygrip" -#include "t-common.h" - -static int repetitions; - - - -static void -print_hex (const char *text, const void *buf, size_t n) -{ - const unsigned char *p = buf; - - fputs (text, stdout); - for (; n; n--, p++) - printf ("%02X", *p); - putchar ('\n'); -} - - - - -static struct -{ - int algo; - const char *key; - const unsigned char grip[20]; -} key_grips[] = - { - { - GCRY_PK_RSA, - "(private-key" - " (rsa" - " (n #00B6B509596A9ECABC939212F891E656A626BA07DA8521A9CAD4C08E640C04052FBB87F424EF1A0275A48A9299AC9DB69ABE3D0124E6C756B1F7DFB9B842D6251AEA6EE85390495CADA73D671537FCE5850A932F32BAB60AB1AC1F852C1F83C625E7A7D70CDA9EF16D5C8E47739D77DF59261ABE8454807FF441E143FBD37F8545#)" - " (e #010001#)" - " (d #077AD3DE284245F4806A1B82B79E616FBDE821C82D691A65665E57B5FAD3F34E67F401E7BD2E28699E89D9C496CF821945AE83AC7A1231176A196BA6027E77D85789055D50404A7A2A95B1512F91F190BBAEF730ED550D227D512F89C0CDB31AC06FA9A19503DDF6B66D0B42B9691BFD6140EC1720FFC48AE00C34796DC899E5#)" - " (p #00D586C78E5F1B4BF2E7CD7A04CA091911706F19788B93E44EE20AAF462E8363E98A72253ED845CCBF2481BB351E8557C85BCFFF0DABDBFF8E26A79A0938096F27#)" - " (q #00DB0CDF60F26F2A296C88D6BF9F8E5BE45C0DDD713C96CC73EBCB48B061740943F21D2A93D6E42A7211E7F02A95DCED6C390A67AD21ECF739AE8A0CA46FF2EBB3#)" - " (u #33149195F16912DB20A48D020DBC3B9E3881B39D722BF79378F6340F43148A6E9FC5F53E2853B7387BA4443BA53A52FCA8173DE6E85B42F9783D4A7817D0680B#)))", - "\x32\xCF\xFA\x85\xB1\x79\x1F\xBB\x26\x14\xE9\x1A\xFD\xF3\xAF\xE3\x32\x08\x2E\x25" - }, - { - GCRY_PK_DSA, - " (public-key" - " (dsa" - " (p #0084E4C626E16005770BD9509ABF7354492E85B8C0060EFAAAEC617F725B592FAA59DF5460575F41022776A9718CE62EDD542AB73C7720869EBDBC834D174ADCD7136827DF51E2613545A25CA573BC502A61B809000B6E35F5EB7FD6F18C35678C23EA1C3638FB9CFDBA2800EE1B62F41A4479DE824F2834666FBF8DC5B53C2617#)" - " (q #00B0E6F710051002A9F425D98A677B18E0E5B038AB#)" - " (g #44370CEE0FE8609994183DBFEBA7EEA97D466838BCF65EFF506E35616DA93FA4E572A2F08886B74977BC00CA8CD3DBEA7AEB7DB8CBB180E6975E0D2CA76E023E6DE9F8CCD8826EBA2F72B8516532F6001DEFFAE76AA5E59E0FA33DBA3999B4E92D1703098CDEDCC416CF008801964084CDE1980132B2B78CB4CE9C15A559528B#)" - " (y #3D5DD14AFA2BF24A791E285B90232213D0E3BA74AB1109E768AED19639A322F84BB7D959E2BA92EF73DE4C7F381AA9F4053CFA3CD4527EF9043E304E5B95ED0A3A5A9D590AA641C13DB2B6E32B9B964A6A2C730DD3EA7C8E13F7A140AFF1A91CE375E9B9B960384779DC4EA180FA1F827C52288F366C0770A220F50D6D8FD6F6#)))", - "\x04\xA3\x4F\xA0\x2B\x03\x94\xD7\x32\xAD\xD5\x9B\x50\xAF\xDB\x5D\x57\x22\xA6\x10" - - }, - { - GCRY_PK_DSA, - "(private-key" - " (dsa" - " (p #0084E4C626E16005770BD9509ABF7354492E85B8C0060EFAAAEC617F725B592FAA59DF5460575F41022776A9718CE62EDD542AB73C7720869EBDBC834D174ADCD7136827DF51E2613545A25CA573BC502A61B809000B6E35F5EB7FD6F18C35678C23EA1C3638FB9CFDBA2800EE1B62F41A4479DE824F2834666FBF8DC5B53C2617#)" - " (q #00B0E6F710051002A9F425D98A677B18E0E5B038AB#)" - " (g #44370CEE0FE8609994183DBFEBA7EEA97D466838BCF65EFF506E35616DA93FA4E572A2F08886B74977BC00CA8CD3DBEA7AEB7DB8CBB180E6975E0D2CA76E023E6DE9F8CCD8826EBA2F72B8516532F6001DEFFAE76AA5E59E0FA33DBA3999B4E92D1703098CDEDCC416CF008801964084CDE1980132B2B78CB4CE9C15A559528B#)" - " (y #3D5DD14AFA2BF24A791E285B90232213D0E3BA74AB1109E768AED19639A322F84BB7D959E2BA92EF73DE4C7F381AA9F4053CFA3CD4527EF9043E304E5B95ED0A3A5A9D590AA641C13DB2B6E32B9B964A6A2C730DD3EA7C8E13F7A140AFF1A91CE375E9B9B960384779DC4EA180FA1F827C52288F366C0770A220F50D6D8FD6F6#)" - " (x #0087F9E91BFBCC1163DE71ED86D557708E32F8ADDE#)))", - "\x04\xA3\x4F\xA0\x2B\x03\x94\xD7\x32\xAD\xD5\x9B\x50\xAF\xDB\x5D\x57\x22\xA6\x10" - }, - { - GCRY_PK_ECDSA, - "(public-key" - " (ecdsa(flags param)" - " (p #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF#)" - " (a #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC#)" - " (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)" - " (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)" - " (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)" - " (h #000000000000000000000000000000000000000000000000000000000000000001#)" - " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" - }, - { - GCRY_PK_ECDSA, - "(public-key" - " (ecdsa(flags param)" - " (p #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF#)" - " (curve \"NIST P-256\")" - " (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)" - " (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)" - " (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)" - " (h #000000000000000000000000000000000000000000000000000000000000000001#)" - " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" - }, - { - GCRY_PK_ECDSA, - "(public-key" - " (ecdsa" - " (p #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF#)" - " (curve \"NIST P-256\")" - " (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)" - " (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)" - " (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)" - " (h #000000000000000000000000000000000000000000000000000000000000000001#)" - " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" - }, - { - GCRY_PK_ECDSA, - "(public-key" - " (ecdsa" - " (curve secp256r1)" - " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" - }, - { - GCRY_PK_ECC, - "(public-key" - " (ecc" - " (curve secp256r1)" - " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" - }, - { /* Ed25519 standard */ - GCRY_PK_ECC, - "(public-key" - " (ecc" - " (curve Ed25519)" - " (q #04" - " 1CC662926E7EFF4982B7FB8B928E61CD74CCDD85277CC57196C3AD20B611085F" - " 47BD24842905C049257673B3F5249524E0A41FAA17B25B818D0F97E625F1A1D0#)" - " ))", - "\x0C\xCA\xB2\xFD\x48\x9A\x33\x40\x2C\xE8" - "\xE0\x4A\x1F\xB2\x45\xEA\x80\x3D\x0A\xF1" - }, - { /* Ed25519+EdDSA */ - GCRY_PK_ECC, - "(public-key" - " (ecc" - " (curve Ed25519)(flags eddsa)" - " (q #773E72848C1FD5F9652B29E2E7AF79571A04990E96F2016BF4E0EC1890C2B7DB#)" - " ))", - "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70" - "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47" - }, - { /* Ed25519+EdDSA (with compression prefix) */ - GCRY_PK_ECC, - "(public-key" - " (ecc" - " (curve Ed25519)(flags eddsa)" - " (q #40" - " 773E72848C1FD5F9652B29E2E7AF79571A04990E96F2016BF4E0EC1890C2B7DB#)" - " ))", - "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70" - "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47" - }, - { /* Ed25519+EdDSA (same but uncompressed)*/ - GCRY_PK_ECC, - "(public-key" - " (ecc" - " (curve Ed25519)(flags eddsa)" - " (q #04" - " 629ad237d1ed04dcd4abe1711dd699a1cf51b1584c4de7a4ef8b8a640180b26f" - " 5bb7c29018ece0f46b01f2960e99041a5779afe7e2292b65f9d51f8c84723e77#)" - " ))", - "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70" - "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47" - }, - { /* Cv25519 */ - GCRY_PK_ECC, - "(public-key" - " (ecc" - " (curve Curve25519)(flags djb-tweak)" - " (q #40" - " 918C1733127F6BF2646FAE3D081A18AE77111C903B906310B077505EFFF12740#)" - " ))", - "\x0F\x89\xA5\x65\xD3\xEA\x18\x7C\xE8\x39" - "\x33\x23\x98\xF5\xD4\x80\x67\x7D\xF4\x9C" - }, - { /* Random key */ - GCRY_PK_RSA, - "(shadowed-private-key" - " (rsa" - " (n #00B493C79928398DA9D99AC0E949FE6EB62F683CB974FFFBFBC01066F5C9A89B" - " D3DC48EAD7C65F36EA943C2B2C865C26C4884FF9EDFDA8C99C855B737D77EEF6" - " B85DBC0CCEC0E900C1F89A6893A2A93E8B31028469B6927CEB2F08687E547C68" - " 6B0A2F7E50A194FF7AB7637E03DE0912EF7F6E5F1EC37625BD1620CCC2E7A564" - " 31E168CDAFBD1D9E61AE47A69A6FA03EF22F844528A710B2392F262B95A3078C" - " F321DC8325F92A5691EF69F34FD0DE0B22C79D29DC87723FCADE463829E8E5F7" - " D196D73D6C9C180F6A6A0DDBF7B9D8F7FA293C36163B12199EF6A1A95CAE4051" - " E3069C522CC6C4A7110F663A5DAD20F66C13A1674D050088208FAE4F33B3AB51" - " 03#)" - " (e #00010001#)" - " (shadowed t1-v1" - " (#D2760001240102000005000123350000# OPENPGP.1)" - ")))", - "\xE5\x6E\xE6\xEE\x5A\x2F\xDC\x3E\x98\x9D" - "\xFE\x49\xDA\xF5\x67\x43\xE3\x27\x28\x33" - } - }; - - -static void -check (void) -{ - unsigned char buf[20]; - unsigned char *ret; - gcry_error_t err; - gcry_sexp_t sexp; - unsigned int i; - int repn; - - for (i = 0; i < (sizeof (key_grips) / sizeof (*key_grips)); i++) - { - if (gcry_pk_test_algo (key_grips[i].algo)) - { - if (verbose) - fprintf (stderr, "algo %d not available; test skipped\n", - key_grips[i].algo); - continue; - } - err = gcry_sexp_sscan (&sexp, NULL, key_grips[i].key, - strlen (key_grips[i].key)); - if (err) - die ("scanning data %d failed: %s\n", i, gpg_strerror (err)); - - if (debug) - info ("check(%d): s-exp='%s'\n", i, key_grips[i].key); - - for (repn=0; repn < repetitions; repn++) - { - ret = gcry_pk_get_keygrip (sexp, buf); - if (!ret) - die ("gcry_pk_get_keygrip failed for %d\n", i); - - if ( memcmp (key_grips[i].grip, buf, sizeof (buf)) ) - { - print_hex ("keygrip: ", buf, sizeof buf); - die ("keygrip for %d does not match\n", i); - } - else if (debug && !repn) - print_hex ("keygrip: ", buf, sizeof buf); - } - - gcry_sexp_release (sexp); - } -} - - - -static void -progress_handler (void *cb_data, const char *what, int printchar, - int current, int total) -{ - (void)cb_data; - (void)what; - (void)current; - (void)total; - - putchar (printchar); -} - -int -main (int argc, char **argv) -{ - int last_argc = -1; - - if (argc) - { argc--; argv++; } - - while (argc && last_argc != argc ) - { - last_argc = argc; - if (!strcmp (*argv, "--")) - { - argc--; argv++; - break; - } - else if (!strcmp (*argv, "--verbose")) - { - verbose = 1; - argc--; argv++; - } - else if (!strcmp (*argv, "--debug")) - { - verbose = 1; - debug = 1; - argc--; argv++; - } - else if (!strcmp (*argv, "--repetitions")) - { - argc--; argv++; - if (argc) - { - repetitions = atoi(*argv); - argc--; argv++; - } - } - } - - if (repetitions < 1) - repetitions = 1; - - if (!gcry_check_version (GCRYPT_VERSION)) - die ("version mismatch\n"); - - gcry_set_progress_handler (progress_handler, NULL); - - xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); - if (debug) - xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); - - check (); - - return 0; -} diff --git a/libgcrypt-1.10.0-disable-brainpool.patch b/libgcrypt-1.10.0-disable-brainpool.patch new file mode 100644 index 0000000..f0c5a72 --- /dev/null +++ b/libgcrypt-1.10.0-disable-brainpool.patch @@ -0,0 +1,239 @@ +From d651e25be0bc0c11f4d3d7c72be8cfbbe82b3874 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 10 Sep 2021 18:39:00 +0200 +Subject: [PATCH] Allow building libgcrypt without Brainpool curves + +* README: Document possibility to build without brainpool curves +* cipher/ecc-curves.c: Conditionalize brainpool curves definitions +* configure.ac: Implement possibility to build without brainpool curves +* tests/curves.c: Skip brainpool curves if they are not built-in +* tests/keygrip.c: Skip brainpool curves if they are not built-in + +-- + +Signed-off-by: Jakub Jelen +--- + README | 3 +++ + cipher/ecc-curves.c | 4 ++++ + configure.ac | 13 +++++++++++++ + tests/curves.c | 46 ++++++++++++++++++++++++++++++--------------- + tests/keygrip.c | 2 ++ + 5 files changed, 53 insertions(+), 15 deletions(-) + +diff --git a/README b/README +index 436b6cd4..1044109c 100644 +--- a/README ++++ b/README +@@ -127,6 +127,9 @@ + the list used with the current build the program + tests/version may be used. + ++ --disable-brainpool ++ Do not build in support for Brainpool curves. ++ + --disable-endian-check + Don't let configure test for the endianness but + try to use the OS provided macros at compile +diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c +index 7c86e12c..8fd95a9c 100644 +--- a/cipher/ecc-curves.c ++++ b/cipher/ecc-curves.c +@@ -77,6 +77,7 @@ static const struct + { "NIST P-521", "1.3.132.0.35" }, + { "NIST P-521", "nistp521" }, /* rfc5656. */ + ++#ifdef ENABLE_BRAINPOOL + { "brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1" }, + { "brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3" }, + { "brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5" }, +@@ -84,6 +85,7 @@ static const struct + { "brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9" }, + { "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11"}, + { "brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13"}, ++#endif /* ENABLE_BRAINPOOL */ + + { "GOST2001-test", "1.2.643.2.2.35.0" }, + { "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" }, +@@ -297,6 +299,7 @@ static const ecc_domain_parms_t domain_parms[] = + 1 + }, + ++#ifdef ENABLE_BRAINPOOL + { "brainpoolP160r1", 160, 0, + MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, + "0xe95e4a5f737059dc60dfc7ad95b3d8139515620f", +@@ -391,6 +394,7 @@ static const ecc_domain_parms_t domain_parms[] = + "b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892", + 1 + }, ++#endif /* ENABLE_BRAINPOOL */ + { + "GOST2001-test", 256, 0, + MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, +diff --git a/configure.ac b/configure.ac +index 6efbf139..f4ac1887 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -614,6 +614,14 @@ AC_ARG_WITH(fips-module-version, + AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version", + [Define FIPS module version for certification]) + ++# Implementation of the --disable-brainpool switch. ++AC_MSG_CHECKING([whether we want to disable the use of brainpool curves]) ++AC_ARG_ENABLE(brainpool, ++ AS_HELP_STRING([--disable-brainpool], ++ [Disable the brainpool curves]), ++ use_brainpool="$enableval",use_brainpool=yes) ++AC_MSG_RESULT($use_brainpool) ++ + # Implementation of the --disable-jent-support switch. + AC_MSG_CHECKING([whether jitter entropy support is requested]) + AC_ARG_ENABLE(jent-support, +@@ -2466,6 +2474,10 @@ if test x"$ppccryptosupport" = xyes ; then + AC_DEFINE(ENABLE_PPC_CRYPTO_SUPPORT,1, + [Enable support for POWER 8 (PowerISA 2.07) crypto extension.]) + fi ++if test x"$use_brainpool" = xyes ; then ++ AC_DEFINE(ENABLE_BRAINPOOL, 1, ++ [Enable support for the brainpool curves.]) ++fi + if test x"$jentsupport" = xyes ; then + AC_DEFINE(ENABLE_JENT_SUPPORT, 1, + [Enable support for the jitter entropy collector.]) +@@ -3296,6 +3308,7 @@ GCRY_MSG_WRAP([Enabled digest algorithms:],[$enabled_digests]) + GCRY_MSG_WRAP([Enabled kdf algorithms: ],[$enabled_kdfs]) + GCRY_MSG_WRAP([Enabled pubkey algorithms:],[$enabled_pubkey_ciphers]) + GCRY_MSG_SHOW([Random number generator: ],[$random]) ++GCRY_MSG_SHOW([Enabled Brainpool curves: ],[$use_brainpool]) + GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport]) + GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities]) + GCRY_MSG_SHOW([FIPS module version: ],[$fips_module_version]) +diff --git a/tests/curves.c b/tests/curves.c +index 3c738171..8eb79565 100644 +--- a/tests/curves.c ++++ b/tests/curves.c +@@ -33,7 +33,11 @@ + #include "t-common.h" + + /* Number of curves defined in ../cipher/ecc-curves.c */ +-#define N_CURVES 27 ++#ifdef ENABLE_BRAINPOOL ++# define N_CURVES 27 ++#else ++# define N_CURVES 20 ++#endif + + /* A real world sample public key. */ + static char const sample_key_1[] = +@@ -52,6 +56,7 @@ static char const sample_key_1[] = + static char const sample_key_1_curve[] = "NIST P-256"; + static unsigned int sample_key_1_nbits = 256; + ++#ifdef ENABLE_BRAINPOOL + /* A made up sample public key. */ + static char const sample_key_2[] = + "(public-key\n" +@@ -68,6 +73,7 @@ static char const sample_key_2[] = + " ))"; + static char const sample_key_2_curve[] = "brainpoolP160r1"; + static unsigned int sample_key_2_nbits = 160; ++#endif /* ENABLE_BRAINPOOL */ + + static int in_fips_mode; + +@@ -113,6 +119,7 @@ check_matching (void) + + gcry_sexp_release (key); + ++#ifdef ENABLE_BRAINPOOL + if (!in_fips_mode) + { + err = gcry_sexp_new (&key, sample_key_2, 0, 1); +@@ -130,6 +137,7 @@ check_matching (void) + + gcry_sexp_release (key); + } ++#endif /* ENABLE_BRAINPOOL */ + } + + #define TEST_ERROR_EXPECTED (1 << 0) +@@ -185,20 +193,26 @@ check_get_params (void) + { GCRY_PK_ECC, "1.3.132.0.35" }, + { GCRY_PK_ECC, "nistp521" }, + +- { GCRY_PK_ECC, "brainpoolP160r1", TEST_NOFIPS }, +- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", TEST_NOFIPS }, +- { GCRY_PK_ECC, "brainpoolP192r1", TEST_NOFIPS }, +- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", TEST_NOFIPS }, +- { GCRY_PK_ECC, "brainpoolP224r1", TEST_NOFIPS }, +- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", TEST_NOFIPS }, +- { GCRY_PK_ECC, "brainpoolP256r1", TEST_NOFIPS }, +- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", TEST_NOFIPS }, +- { GCRY_PK_ECC, "brainpoolP320r1", TEST_NOFIPS }, +- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", TEST_NOFIPS }, +- { GCRY_PK_ECC, "brainpoolP384r1", TEST_NOFIPS }, +- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", TEST_NOFIPS }, +- { GCRY_PK_ECC, "brainpoolP512r1", TEST_NOFIPS }, +- { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", TEST_NOFIPS }, ++#ifdef ENABLE_BRAINPOOL ++# define BRAINPOOL_FLAGS TEST_NOFIPS ++#else ++# define BRAINPOOL_FLAGS TEST_ERROR_EXPECTED ++#endif /* ENABLE_BRAINPOOL */ ++ { GCRY_PK_ECC, "brainpoolP160r1", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "brainpoolP192r1", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "brainpoolP224r1", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "brainpoolP256r1", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "brainpoolP320r1", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "brainpoolP384r1", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "brainpoolP512r1", BRAINPOOL_FLAGS }, ++ { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", BRAINPOOL_FLAGS }, ++#undef BRAINPOOL_ERROR_EXPECTED + + { GCRY_PK_ECC, "GOST2001-test", TEST_NOFIPS }, + { GCRY_PK_ECC, "1.2.643.2.2.35.0", TEST_NOFIPS }, +@@ -282,6 +296,7 @@ check_get_params (void) + + gcry_sexp_release (param); + ++#ifdef ENABLE_BRAINPOOL + if (!in_fips_mode) + { + param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve); +@@ -297,6 +312,7 @@ check_get_params (void) + + gcry_sexp_release (param); + } ++#endif /* ENABLE_BRAINPOOL */ + + /* Some simple tests */ + for (idx=0; idx < DIM (tv); idx++) +diff --git a/tests/keygrip.c b/tests/keygrip.c +index 49bd71bc..fc4c17be 100644 +--- a/tests/keygrip.c ++++ b/tests/keygrip.c +@@ -149,6 +149,7 @@ static struct + " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", + "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" + }, ++#ifdef ENABLE_BRAINPOOL + { + GCRY_PK_ECC, + "(public-key" +@@ -197,6 +198,7 @@ static struct + "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F", + 1 + }, ++#endif /*ENABLE_BRAINPOOL */ + { /* Ed25519 standard */ + GCRY_PK_ECC, + "(public-key" +-- +2.34.1 + diff --git a/libgcrypt-1.6.1-mpicoder-gccopt.patch b/libgcrypt-1.6.1-mpicoder-gccopt.patch deleted file mode 100644 index 12555d3..0000000 --- a/libgcrypt-1.6.1-mpicoder-gccopt.patch +++ /dev/null @@ -1,104 +0,0 @@ -diff -up libgcrypt-1.6.1/mpi/mpicoder.c.gccopt libgcrypt-1.6.1/mpi/mpicoder.c ---- libgcrypt-1.6.1/mpi/mpicoder.c.gccopt 2014-02-28 15:37:53.983139821 +0100 -+++ libgcrypt-1.6.1/mpi/mpicoder.c 2014-02-28 15:47:35.312576387 +0100 -@@ -627,16 +627,16 @@ _gcry_mpi_print (enum gcry_mpi_format fo - extra = 1; - } - -- if (buffer && n > len) -- { -- /* The provided buffer is too short. */ -- xfree (tmp); -- return GPG_ERR_TOO_SHORT; -- } - if (buffer) - { - unsigned char *s = buffer; - -+ if (n > len) -+ { -+ /* The provided buffer is too short. */ -+ xfree (tmp); -+ return GPG_ERR_TOO_SHORT; -+ } - if (extra == 1) - *s++ = 0; - else if (extra) -@@ -654,13 +654,12 @@ _gcry_mpi_print (enum gcry_mpi_format fo - /* Note: We ignore the sign for this format. */ - /* FIXME: for performance reasons we should put this into - mpi_aprint because we can then use the buffer directly. */ -- -- if (buffer && n > len) -- return GPG_ERR_TOO_SHORT; - if (buffer) - { - unsigned char *tmp; - -+ if (n > len) -+ return GPG_ERR_TOO_SHORT; - tmp = _gcry_mpi_get_buffer (a, 0, &n, NULL); - if (!tmp) - return gpg_err_code_from_syserror (); -@@ -678,14 +677,14 @@ _gcry_mpi_print (enum gcry_mpi_format fo - if (negative) - return GPG_ERR_INV_ARG; - -- if (buffer && n+2 > len) -- return GPG_ERR_TOO_SHORT; -- - if (buffer) - { - unsigned char *tmp; - unsigned char *s = buffer; - -+ if (n+2 > len) -+ return GPG_ERR_TOO_SHORT; -+ - s[0] = nbits >> 8; - s[1] = nbits; - -@@ -724,16 +723,16 @@ _gcry_mpi_print (enum gcry_mpi_format fo - extra=1; - } - -- if (buffer && n+4 > len) -- { -- xfree(tmp); -- return GPG_ERR_TOO_SHORT; -- } -- - if (buffer) - { - unsigned char *s = buffer; - -+ if (n+4 > len) -+ { -+ xfree(tmp); -+ return GPG_ERR_TOO_SHORT; -+ } -+ - *s++ = n >> 24; - *s++ = n >> 16; - *s++ = n >> 8; -@@ -761,15 +760,15 @@ _gcry_mpi_print (enum gcry_mpi_format fo - if (!n || (*tmp & 0x80)) - extra = 2; - -- if (buffer && 2*n + extra + negative + 1 > len) -- { -- xfree(tmp); -- return GPG_ERR_TOO_SHORT; -- } - if (buffer) - { - unsigned char *s = buffer; - -+ if (2*n + extra + negative + 1 > len) -+ { -+ xfree(tmp); -+ return GPG_ERR_TOO_SHORT; -+ } - if (negative) - *s++ = '-'; - if (extra) diff --git a/libgcrypt-1.8.3-fips-ctor.patch b/libgcrypt-1.8.3-fips-ctor.patch deleted file mode 100644 index a5d3467..0000000 --- a/libgcrypt-1.8.3-fips-ctor.patch +++ /dev/null @@ -1,73 +0,0 @@ -diff -up libgcrypt-1.8.3/src/global.c.fips-ctor libgcrypt-1.8.3/src/global.c ---- libgcrypt-1.8.3/src/global.c.fips-ctor 2017-11-23 19:25:58.000000000 +0100 -+++ libgcrypt-1.8.3/src/global.c 2020-04-17 16:29:59.258218015 +0200 -@@ -141,6 +141,34 @@ global_init (void) - } - - -+#ifndef FIPS_MODULE_PATH -+#define FIPS_MODULE_PATH "/etc/system-fips" -+#endif -+ -+void __attribute__ ((constructor)) _gcry_global_constructor (void) -+{ -+ int rv; -+ -+ rv = access (FIPS_MODULE_PATH, F_OK); -+ if (rv < 0 && errno != ENOENT) -+ rv = 0; -+ -+ if (!rv) -+ { -+ int no_secmem_save; -+ -+ /* it should be always 0 at this point but let's keep on the safe side */ -+ no_secmem_save = no_secure_memory; -+ no_secure_memory = 1; -+ /* force selftests */ -+ global_init(); -+ _gcry_fips_run_selftests (0); -+ if (!fips_mode()) -+ _gcry_random_close_fds (); -+ no_secure_memory = no_secmem_save; -+ } -+} -+ - /* This function is called by the macro fips_is_operational and makes - sure that the minimal initialization has been done. This is far - from a perfect solution and hides problems with an improper -@@ -671,8 +699,7 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, - - case GCRYCTL_FIPS_MODE_P: - if (fips_mode () -- && !_gcry_is_fips_mode_inactive () -- && !no_secure_memory) -+ && !_gcry_is_fips_mode_inactive ()) - rc = GPG_ERR_GENERAL; /* Used as TRUE value */ - break; - -@@ -749,9 +776,9 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, - break; - - case GCRYCTL_SET_ENFORCED_FIPS_FLAG: -- if (!_gcry_global_any_init_done) -+ if (fips_mode ()) - { -- /* Not yet initialized at all. Set the enforced fips mode flag */ -+ /* We are in FIPS mode, we can set the enforced fips mode flag. */ - _gcry_set_preferred_rng_type (0); - _gcry_set_enforced_fips_mode (); - } -diff --git a/tests/t-secmem.c b/tests/t-secmem.c -index 2b769134..1d33bbfd 100644 ---- a/tests/t-secmem.c -+++ b/tests/t-secmem.c -@@ -54,7 +54,7 @@ test_secmem (void) - - /* Allocating another 2k should fail for the default 16k pool. */ - b = gcry_malloc_secure (chunk_size*4); -- if (b) -+ if (b && !gcry_fips_mode_active ()) - fail ("allocation did not fail as expected\n"); - - for (i=0; i < DIM(a); i++) diff --git a/libgcrypt-1.8.3-md-fips-enforce.patch b/libgcrypt-1.8.3-md-fips-enforce.patch deleted file mode 100644 index 3b730a1..0000000 --- a/libgcrypt-1.8.3-md-fips-enforce.patch +++ /dev/null @@ -1,37 +0,0 @@ -diff -up libgcrypt-1.8.3/cipher/md.c.fips-enforce libgcrypt-1.8.3/cipher/md.c ---- libgcrypt-1.8.3/cipher/md.c.fips-enforce 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.3/cipher/md.c 2020-04-17 15:07:31.364945130 +0200 -@@ -409,13 +409,10 @@ md_enable (gcry_md_hd_t hd, int algorith - } - - -- if (!err && algorithm == GCRY_MD_MD5 && fips_mode ()) -+ if (!err && !spec->flags.fips && fips_mode ()) - { -- _gcry_inactivate_fips_mode ("MD5 used"); - if (_gcry_enforced_fips_mode () ) - { -- /* We should never get to here because we do not register -- MD5 in enforced fips mode. But better throw an error. */ - err = GPG_ERR_DIGEST_ALGO; - } - } -diff --git a/tests/t-kdf.c b/tests/t-kdf.c -index 7a48e98a..48309b9a 100644 ---- a/tests/t-kdf.c -+++ b/tests/t-kdf.c -@@ -1104,6 +1104,13 @@ check_pbkdf2 (void) - GCRY_KDF_PBKDF2, tv[tvidx].hashalgo, - tv[tvidx].salt, tv[tvidx].saltlen, - tv[tvidx].c, tv[tvidx].dklen, outbuf); -+ if (gcry_fips_mode_active() && tvidx > 6) -+ { -+ if (!err) -+ fail ("pbkdf2 test %d unexpectedly passed in FIPS mode: %s\n", -+ tvidx, gpg_strerror (err)); -+ continue; -+ } - if (err) - fail ("pbkdf2 test %d failed: %s\n", tvidx, gpg_strerror (err)); - else if (memcmp (outbuf, tv[tvidx].dk, tv[tvidx].dklen)) - diff --git a/libgcrypt-1.8.4-fips-keygen.patch b/libgcrypt-1.8.4-fips-keygen.patch deleted file mode 100644 index a3e241f..0000000 --- a/libgcrypt-1.8.4-fips-keygen.patch +++ /dev/null @@ -1,64 +0,0 @@ -diff -up libgcrypt-1.8.4/cipher/dsa.c.fips-keygen libgcrypt-1.8.4/cipher/dsa.c ---- libgcrypt-1.8.4/cipher/dsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/cipher/dsa.c 2019-02-12 14:29:25.629513989 +0100 -@@ -457,13 +457,22 @@ generate_fips186 (DSA_secret_key *sk, un - &prime_q, &prime_p, - r_counter, - r_seed, r_seedlen); -- else -+ else if (!domain->p || !domain->q) - ec = _gcry_generate_fips186_3_prime (nbits, qbits, - initial_seed.seed, - initial_seed.seedlen, - &prime_q, &prime_p, - r_counter, - r_seed, r_seedlen, NULL); -+ else -+ { -+ /* Domain parameters p and q are given; use them. */ -+ prime_p = mpi_copy (domain->p); -+ prime_q = mpi_copy (domain->q); -+ gcry_assert (mpi_get_nbits (prime_p) == nbits); -+ gcry_assert (mpi_get_nbits (prime_q) == qbits); -+ ec = 0; -+ } - sexp_release (initial_seed.sexp); - if (ec) - goto leave; -@@ -855,13 +866,12 @@ dsa_generate (const gcry_sexp_t genparms - sexp_release (l1); - sexp_release (domainsexp); - -- /* Check that all domain parameters are available. */ -- if (!domain.p || !domain.q || !domain.g) -+ /* Check that p and q domain parameters are available. */ -+ if (!domain.p || !domain.q || (!domain.g && !(flags & PUBKEY_FLAG_USE_FIPS186))) - { - _gcry_mpi_release (domain.p); - _gcry_mpi_release (domain.q); - _gcry_mpi_release (domain.g); -- sexp_release (deriveparms); - return GPG_ERR_MISSING_VALUE; - } - -diff -up libgcrypt-1.8.4/cipher/rsa.c.fips-keygen libgcrypt-1.8.4/cipher/rsa.c ---- libgcrypt-1.8.4/cipher/rsa.c.fips-keygen 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.4/cipher/rsa.c 2019-02-12 14:29:25.630513971 +0100 -@@ -389,7 +389,7 @@ generate_fips (RSA_secret_key *sk, unsig - - if (nbits < 1024 || (nbits & 0x1FF)) - return GPG_ERR_INV_VALUE; -- if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072) -+ if (fips_mode() && nbits < 2048) - return GPG_ERR_INV_VALUE; - - /* The random quality depends on the transient_key flag. */ -@@ -696,7 +696,7 @@ generate_x931 (RSA_secret_key *sk, unsig - - *swapped = 0; - -- if (e_value == 1) /* Alias for a secure value. */ -+ if (e_value == 1 || e_value == 0) /* Alias for a secure value. */ - e_value = 65537; - - /* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */ diff --git a/libgcrypt-1.8.4-use-poll.patch b/libgcrypt-1.8.4-use-poll.patch deleted file mode 100644 index 8032992..0000000 --- a/libgcrypt-1.8.4-use-poll.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff -up libgcrypt-1.8.4/random/rndlinux.c.use-poll libgcrypt-1.8.4/random/rndlinux.c ---- libgcrypt-1.8.4/random/rndlinux.c.use-poll 2018-10-26 13:50:20.000000000 +0200 -+++ libgcrypt-1.8.4/random/rndlinux.c 2018-11-20 15:51:56.760669058 +0100 -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - #if defined(__APPLE__) && defined(__MACH__) - #include - #ifdef __MAC_10_11 -@@ -241,9 +242,8 @@ _gcry_rndlinux_gather_random (void (*add - return with something we will actually use 100ms. */ - while (length) - { -- fd_set rfds; -- struct timeval tv; - int rc; -+ struct pollfd pfd; - - /* If we have a modern operating system, we first try to use the new - * getentropy function. That call guarantees that the kernel's -@@ -300,36 +300,25 @@ _gcry_rndlinux_gather_random (void (*add - any_need_entropy = 1; - } - -- /* If the system has no limit on the number of file descriptors -- and we encounter an fd which is larger than the fd_set size, -- we don't use the select at all. The select code is only used -- to emit progress messages. A better solution would be to -- fall back to poll() if available. */ --#ifdef FD_SETSIZE -- if (fd < FD_SETSIZE) --#endif -+ pfd.fd = fd; -+ pfd.events = POLLIN; -+ -+ _gcry_pre_syscall (); -+ rc = poll(&pfd, 1, delay); -+ _gcry_post_syscall (); -+ if (!rc) - { -- FD_ZERO(&rfds); -- FD_SET(fd, &rfds); -- tv.tv_sec = delay; -- tv.tv_usec = delay? 0 : 100000; -- _gcry_pre_syscall (); -- rc = select (fd+1, &rfds, NULL, NULL, &tv); -- _gcry_post_syscall (); -- if (!rc) -- { -- any_need_entropy = 1; -- delay = 3; /* Use 3 seconds henceforth. */ -- continue; -- } -- else if( rc == -1 ) -- { -- log_error ("select() error: %s\n", strerror(errno)); -- if (!delay) -- delay = 1; /* Use 1 second if we encounter an error before -- we have ever blocked. */ -- continue; -- } -+ any_need_entropy = 1; -+ delay = 3000; /* Use 3 seconds henceforth. */ -+ continue; -+ } -+ else if( rc == -1 ) -+ { -+ log_error ("poll() error: %s\n", strerror(errno)); -+ if (!delay) -+ delay = 1000; /* Use 1 second if we encounter an error before -+ we have ever blocked. */ -+ continue; - } - - do diff --git a/libgcrypt-1.8.5-fips-module.patch b/libgcrypt-1.8.5-fips-module.patch deleted file mode 100644 index 8ffe465..0000000 --- a/libgcrypt-1.8.5-fips-module.patch +++ /dev/null @@ -1,139 +0,0 @@ -diff -up libgcrypt-1.8.5/src/fips.c.fips-module libgcrypt-1.8.5/src/fips.c ---- libgcrypt-1.8.5/src/fips.c.fips-module 2020-04-20 19:07:45.924919645 +0200 -+++ libgcrypt-1.8.5/src/fips.c 2020-04-20 19:10:33.690722470 +0200 -@@ -35,10 +35,6 @@ - #include "hmac256.h" - - --/* The name of the file used to force libgcrypt into fips mode. */ --#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled" -- -- - /* The states of the finite state machine used in fips mode. */ - enum module_states - { -@@ -122,54 +118,6 @@ _gcry_initialize_fips_mode (int force) - goto leave; - } - -- /* For testing the system it is useful to override the system -- provided detection of the FIPS mode and force FIPS mode using a -- file. The filename is hardwired so that there won't be any -- confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is -- actually used. The file itself may be empty. */ -- if ( !access (FIPS_FORCE_FILE, F_OK) ) -- { -- gcry_assert (!_gcry_no_fips_mode_required); -- goto leave; -- } -- -- /* Checking based on /proc file properties. */ -- { -- static const char procfname[] = "/proc/sys/crypto/fips_enabled"; -- FILE *fp; -- int saved_errno; -- -- fp = fopen (procfname, "r"); -- if (fp) -- { -- char line[256]; -- -- if (fgets (line, sizeof line, fp) && atoi (line)) -- { -- /* System is in fips mode. */ -- fclose (fp); -- gcry_assert (!_gcry_no_fips_mode_required); -- goto leave; -- } -- fclose (fp); -- } -- else if ((saved_errno = errno) != ENOENT -- && saved_errno != EACCES -- && !access ("/proc/version", F_OK) ) -- { -- /* Problem reading the fips file despite that we have the proc -- file system. We better stop right away. */ -- log_info ("FATAL: error reading `%s' in libgcrypt: %s\n", -- procfname, strerror (saved_errno)); --#ifdef HAVE_SYSLOG -- syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " -- "reading `%s' failed: %s - abort", -- procfname, strerror (saved_errno)); --#endif /*HAVE_SYSLOG*/ -- abort (); -- } -- } -- - /* Fips not not requested, set flag. */ - _gcry_no_fips_mode_required = 1; - -diff -up libgcrypt-1.8.5/src/g10lib.h.fips-module libgcrypt-1.8.5/src/g10lib.h ---- libgcrypt-1.8.5/src/g10lib.h.fips-module 2020-04-20 19:07:45.918919759 +0200 -+++ libgcrypt-1.8.5/src/g10lib.h 2020-04-20 19:11:05.003125740 +0200 -@@ -422,6 +422,9 @@ gpg_err_code_t _gcry_sexp_vextract_param - - /*-- fips.c --*/ - -+/* The name of the file used to force libgcrypt into fips mode. */ -+#define FIPS_FORCE_FILE "/etc/gcrypt/fips_enabled" -+ - extern int _gcry_no_fips_mode_required; - - void _gcry_initialize_fips_mode (int force); -diff -up libgcrypt-1.8.5/src/global.c.fips-module libgcrypt-1.8.5/src/global.c ---- libgcrypt-1.8.5/src/global.c.fips-module 2020-04-20 19:07:45.919919741 +0200 -+++ libgcrypt-1.8.5/src/global.c 2020-04-20 19:07:45.950919149 +0200 -@@ -160,6 +160,53 @@ void __attribute__ ((constructor)) _gcry - rv = access (FIPS_MODULE_PATH, F_OK); - if (rv < 0 && errno != ENOENT) - rv = 0; -+ -+ /* For testing the system it is useful to override the system -+ provided detection of the FIPS mode and force FIPS mode using a -+ file. The filename is hardwired so that there won't be any -+ confusion on whether /etc/gcrypt/ or /usr/local/etc/gcrypt/ is -+ actually used. The file itself may be empty. */ -+ if ( !access (FIPS_FORCE_FILE, F_OK) ) -+ { -+ rv = 0; -+ force_fips_mode = 1; -+ } -+ -+ /* Checking based on /proc file properties. */ -+ { -+ static const char procfname[] = "/proc/sys/crypto/fips_enabled"; -+ FILE *fp; -+ int saved_errno; -+ -+ fp = fopen (procfname, "r"); -+ if (fp) -+ { -+ char line[256]; -+ -+ if (fgets (line, sizeof line, fp) && atoi (line)) -+ { -+ /* System is in fips mode. */ -+ rv = 0; -+ force_fips_mode = 1; -+ } -+ fclose (fp); -+ } -+ else if ((saved_errno = errno) != ENOENT -+ && saved_errno != EACCES -+ && !access ("/proc/version", F_OK) ) -+ { -+ /* Problem reading the fips file despite that we have the proc -+ file system. We better stop right away. */ -+ log_info ("FATAL: error reading `%s' in libgcrypt: %s\n", -+ procfname, strerror (saved_errno)); -+#ifdef HAVE_SYSLOG -+ syslog (LOG_USER|LOG_ERR, "Libgcrypt error: " -+ "reading `%s' failed: %s - abort", -+ procfname, strerror (saved_errno)); -+#endif /*HAVE_SYSLOG*/ -+ abort (); -+ } -+ } - - if (!rv) - { diff --git a/libgcrypt-1.8.5-getrandom.patch b/libgcrypt-1.8.5-getrandom.patch deleted file mode 100644 index 1779dc1..0000000 --- a/libgcrypt-1.8.5-getrandom.patch +++ /dev/null @@ -1,277 +0,0 @@ -diff -up libgcrypt-1.8.5/random/rand-internal.h.getrandom libgcrypt-1.8.5/random/rand-internal.h ---- libgcrypt-1.8.5/random/rand-internal.h.getrandom 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/random/rand-internal.h 2020-04-20 14:55:34.875949624 +0200 -@@ -47,6 +47,7 @@ void _gcry_random_progress (const char * - - /*-- random-csprng.c --*/ - void _gcry_rngcsprng_initialize (int full); -+void _gcry_rngcsprng_deinit (void); - void _gcry_rngcsprng_close_fds (void); - void _gcry_rngcsprng_dump_stats (void); - void _gcry_rngcsprng_secure_alloc (void); -@@ -68,6 +69,7 @@ void _gcry_rngcsprng_fast_poll (void); - - /*-- random-drbg.c --*/ - void _gcry_rngdrbg_inititialize (int full); -+void _gcry_rngdrbg_deinit (void); - void _gcry_rngdrbg_close_fds (void); - void _gcry_rngdrbg_dump_stats (void); - int _gcry_rngdrbg_is_faked (void); -diff -up libgcrypt-1.8.5/random/random.c.getrandom libgcrypt-1.8.5/random/random.c ---- libgcrypt-1.8.5/random/random.c.getrandom 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/random/random.c 2020-04-20 14:55:34.876949605 +0200 -@@ -110,8 +110,8 @@ _gcry_random_read_conf (void) - unsigned int result = 0; - - fp = fopen (fname, "r"); -- if (!fp) -- return result; -+ if (!fp) /* We make only_urandom the default. */ -+ return RANDOM_CONF_ONLY_URANDOM; - - for (;;) - { -@@ -228,6 +228,22 @@ _gcry_random_initialize (int full) - } - - -+/* Deinitialize this random subsystem. */ -+void -+_gcry_random_deinit (void) -+{ -+ if (fips_mode ()) -+ _gcry_rngdrbg_deinit (); -+ else if (rng_types.standard) -+ _gcry_rngcsprng_deinit (); -+ else if (rng_types.fips) -+ _gcry_rngdrbg_deinit (); -+ else -+ _gcry_rngcsprng_deinit (); -+ /* not needed for system */ -+} -+ -+ - /* If possible close file descriptors used by the RNG. */ - void - _gcry_random_close_fds (void) -diff -up libgcrypt-1.8.5/random/random-csprng.c.getrandom libgcrypt-1.8.5/random/random-csprng.c ---- libgcrypt-1.8.5/random/random-csprng.c.getrandom 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/random/random-csprng.c 2020-04-20 15:04:27.182877975 +0200 -@@ -55,6 +55,10 @@ - #ifdef __MINGW32__ - #include - #endif -+#if defined(__linux__) && defined(HAVE_SYSCALL) -+# include -+# include -+#endif - #include "g10lib.h" - #include "random.h" - #include "rand-internal.h" -@@ -343,6 +347,21 @@ _gcry_rngcsprng_initialize (int full) - } - - -+void -+_gcry_rngcsprng_deinit (void) -+{ -+ lock_pool(); -+ pool_writepos = 0; -+ pool_readpos = 0; -+ pool_filled = 0; -+ pool_filled_counter = 0; -+ did_initial_extra_seeding = 0; -+ pool_balance = 0; -+ just_mixed = 0; -+ unlock_pool(); -+} -+ -+ - /* Try to close the FDs of the random gather module. This is - currently only implemented for rndlinux. */ - void -@@ -1116,6 +1135,22 @@ getfnc_gather_random (void))(void (*)(co - enum random_origins, size_t, int); - - #if USE_RNDLINUX -+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) -+ long ret; -+ char buffer[1]; -+ -+ _gcry_pre_syscall (); -+ ret = syscall (__NR_getrandom, -+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK); -+ _gcry_post_syscall (); -+ if (ret != -1 || errno != ENOSYS) -+ { -+ fnc = _gcry_rndlinux_gather_random; -+ return fnc; -+ } -+ else -+ /* The syscall is not supported - fallback to /dev/urandom. */ -+#endif - if ( !access (NAME_OF_DEV_RANDOM, R_OK) - && !access (NAME_OF_DEV_URANDOM, R_OK)) - { -diff -up libgcrypt-1.8.5/random/random-drbg.c.getrandom libgcrypt-1.8.5/random/random-drbg.c ---- libgcrypt-1.8.5/random/random-drbg.c.getrandom 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/random/random-drbg.c 2020-04-20 15:02:37.782947902 +0200 -@@ -1811,6 +1811,22 @@ _gcry_rngdrbg_inititialize (int full) - } - - /* -+ * Deinitialize the DRBG invoked by the libgcrypt API -+ * It will be automatically re-initialized on next call -+ */ -+void -+_gcry_rngdrbg_deinit (void) -+{ -+ drbg_lock (); -+ if (drbg_state) -+ { -+ drbg_uninstantiate (drbg_state); -+ drbg_state = NULL; -+ } -+ drbg_unlock (); -+} -+ -+/* - * Backend handler function for GCRYCTL_DRBG_REINIT - * - * Select a different DRBG type and initialize it. -diff -up libgcrypt-1.8.5/random/random.h.getrandom libgcrypt-1.8.5/random/random.h ---- libgcrypt-1.8.5/random/random.h.getrandom 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/random/random.h 2020-04-20 14:55:34.877949586 +0200 -@@ -29,6 +29,7 @@ void _gcry_register_random_progress (voi - - void _gcry_set_preferred_rng_type (int type); - void _gcry_random_initialize (int full); -+void _gcry_random_deinit (void); - void _gcry_random_close_fds (void); - int _gcry_get_rng_type (int ignore_fips_mode); - void _gcry_random_dump_stats(void); -diff -up libgcrypt-1.8.5/random/rndlinux.c.getrandom libgcrypt-1.8.5/random/rndlinux.c ---- libgcrypt-1.8.5/random/rndlinux.c.getrandom 2020-04-20 15:01:50.159848963 +0200 -+++ libgcrypt-1.8.5/random/rndlinux.c 2020-04-20 16:14:21.901610921 +0200 -@@ -35,6 +35,7 @@ - #if defined(__linux__) || !defined(HAVE_GETENTROPY) - #ifdef HAVE_SYSCALL - # include -+# include - # ifdef __NR_getrandom - # define getentropy(buf,buflen) syscall (__NR_getrandom, buf, buflen, 0) - # endif -@@ -147,12 +148,12 @@ _gcry_rndlinux_gather_random (void (*add - if (!add) - { - /* Special mode to close the descriptors. */ -- if (fd_random != -1) -+ if (fd_random >= 0) - { - close (fd_random); - fd_random = -1; - } -- if (fd_urandom != -1) -+ if (fd_urandom >= 0) - { - close (fd_urandom); - fd_urandom = -1; -@@ -166,12 +167,12 @@ _gcry_rndlinux_gather_random (void (*add - apid = getpid (); - if (my_pid != apid) - { -- if (fd_random != -1) -+ if (fd_random >= 0) - { - close (fd_random); - fd_random = -1; - } -- if (fd_urandom != -1) -+ if (fd_urandom >= 0) - { - close (fd_urandom); - fd_urandom = -1; -@@ -216,7 +217,23 @@ _gcry_rndlinux_gather_random (void (*add - that we always require the device to be existent but want a more - graceful behaviour if the rarely needed close operation has been - used and the device needs to be re-opened later. */ -- if (level >= GCRY_VERY_STRONG_RANDOM && !only_urandom) -+#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom) -+ if (fd_urandom != -2 && !_gcry_in_constructor ()) -+ { -+ long ret; -+ -+ _gcry_pre_syscall (); -+ ret = syscall (__NR_getrandom, -+ (void*)buffer, (size_t)1, (unsigned int)GRND_NONBLOCK); -+ _gcry_post_syscall (); -+ if (ret > -1 || errno == EAGAIN || errno == EINTR) -+ { -+ fd_urandom = -2; -+ fd_random = -2; -+ } -+ } -+#endif -+ if (level >= GCRY_VERY_STRONG_RANDOM && !only_urandom && !_gcry_in_constructor ()) - { - if (fd_random == -1) - { -@@ -270,9 +288,7 @@ _gcry_rndlinux_gather_random (void (*add - _gcry_post_syscall (); - } - while (ret == -1 && errno == EINTR); -- if (ret == -1 && errno == ENOSYS) -- ; /* getentropy is not supported - fallback to pulling from fd. */ -- else -+ if (1) - { /* getentropy is supported. Some sanity checks. */ - if (ret == -1) - log_fatal ("unexpected error from getentropy: %s\n", -diff -up libgcrypt-1.8.5/src/g10lib.h.getrandom libgcrypt-1.8.5/src/g10lib.h ---- libgcrypt-1.8.5/src/g10lib.h.getrandom 2020-04-20 15:08:16.528538580 +0200 -+++ libgcrypt-1.8.5/src/g10lib.h 2020-04-20 15:08:28.641309399 +0200 -@@ -464,6 +464,6 @@ gpg_err_code_t _gcry_fips_run_selftests - void _gcry_fips_noreturn (void); - #define fips_noreturn() (_gcry_fips_noreturn ()) - -- -+int _gcry_in_constructor (void); - - #endif /* G10LIB_H */ -diff -up libgcrypt-1.8.5/src/global.c.getrandom libgcrypt-1.8.5/src/global.c ---- libgcrypt-1.8.5/src/global.c.getrandom 2020-04-20 15:06:21.891707597 +0200 -+++ libgcrypt-1.8.5/src/global.c 2020-04-20 15:07:29.018437509 +0200 -@@ -145,10 +145,18 @@ global_init (void) - #define FIPS_MODULE_PATH "/etc/system-fips" - #endif - -+static int in_constructor = 0; -+ -+int _gcry_in_constructor(void) -+{ -+ return in_constructor; -+} -+ - void __attribute__ ((constructor)) _gcry_global_constructor (void) - { - int rv; - -+ in_constructor = 1; - rv = access (FIPS_MODULE_PATH, F_OK); - if (rv < 0 && errno != ENOENT) - rv = 0; -@@ -163,10 +171,12 @@ void __attribute__ ((constructor)) _gcry - /* force selftests */ - global_init(); - _gcry_fips_run_selftests (0); -- if (!fips_mode()) -- _gcry_random_close_fds (); -+ _gcry_random_close_fds (); -+ _gcry_random_deinit (); - no_secure_memory = no_secmem_save; - } -+ -+ in_constructor = 0; - } - - /* This function is called by the macro fips_is_operational and makes diff --git a/libgcrypt-1.8.5-intel-cet.patch b/libgcrypt-1.8.5-intel-cet.patch deleted file mode 100644 index a19d2f1..0000000 --- a/libgcrypt-1.8.5-intel-cet.patch +++ /dev/null @@ -1,34 +0,0 @@ -From b04c0a86b19856071c29d2a6285f3240c606ee7a Mon Sep 17 00:00:00 2001 -From: "H.J. Lu" -Date: Tue, 27 Apr 2021 09:08:41 -0700 -Subject: [PATCH] Always include in cipher assembly codes - -* cipher/poly1305-s390x.S: Always include . - -When Intel CET is enabled, we need to include in assembly codes -to mark Intel CET support even if it is empty. We should always include - in cipher assembly codes so that they will be marked for -Intel CET support when compiling for x86-64 and i686. - -Signed-off-by: H.J. Lu ---- - cipher/poly1305-s390x.S | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/cipher/poly1305-s390x.S b/cipher/poly1305-s390x.S -index 844245f6..28bed560 100644 ---- a/cipher/poly1305-s390x.S -+++ b/cipher/poly1305-s390x.S -@@ -18,8 +18,8 @@ - * License along with this program; if not, see . - */ - --#if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9 - #include -+#if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9 - #if defined(HAVE_GCC_INLINE_ASM_S390X) - - #include "asm-poly1305-s390x.h" --- -GitLab - diff --git a/libgcrypt-1.8.5-use-fipscheck.patch b/libgcrypt-1.8.5-use-fipscheck.patch deleted file mode 100644 index 46145d8..0000000 --- a/libgcrypt-1.8.5-use-fipscheck.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff -up libgcrypt-1.8.5/src/fips.c.use-fipscheck libgcrypt-1.8.5/src/fips.c ---- libgcrypt-1.8.5/src/fips.c.use-fipscheck 2017-11-23 19:16:58.000000000 +0100 -+++ libgcrypt-1.8.5/src/fips.c 2020-04-23 10:18:36.235764741 +0200 -@@ -581,23 +581,50 @@ run_random_selftests (void) - return !!err; - } - -+#ifdef ENABLE_HMAC_BINARY_CHECK -+static int -+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) -+{ -+ Dl_info info; -+ void *dl, *sym; -+ int rv = -1; -+ -+ dl = dlopen(libname, RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } -+ -+ sym = dlsym(dl, symbolname); -+ -+ if (sym != NULL && dladdr(sym, &info)) { -+ strncpy(path, info.dli_fname, pathlen-1); -+ path[pathlen-1] = '\0'; -+ rv = 0; -+ } -+ -+ dlclose(dl); -+ -+ return rv; -+} -+#endif -+ - /* Run an integrity check on the binary. Returns 0 on success. */ - static int - check_binary_integrity (void) - { - #ifdef ENABLE_HMAC_BINARY_CHECK - gpg_error_t err; -- Dl_info info; -+ char libpath[4096]; - unsigned char digest[32]; - int dlen; - char *fname = NULL; -- const char key[] = "What am I, a doctor or a moonshuttle conductor?"; -- -- if (!dladdr ("gcry_check_version", &info)) -+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP"; -+ -+ if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath))) - err = gpg_error_from_syserror (); - else - { -- dlen = _gcry_hmac256_file (digest, sizeof digest, info.dli_fname, -+ dlen = _gcry_hmac256_file (digest, sizeof digest, libpath, - key, strlen (key)); - if (dlen < 0) - err = gpg_error_from_syserror (); -@@ -605,7 +632,7 @@ check_binary_integrity (void) - err = gpg_error (GPG_ERR_INTERNAL); - else - { -- fname = xtrymalloc (strlen (info.dli_fname) + 1 + 5 + 1 ); -+ fname = xtrymalloc (strlen (libpath) + 1 + 5 + 1 ); - if (!fname) - err = gpg_error_from_syserror (); - else -@@ -614,7 +641,7 @@ check_binary_integrity (void) - char *p; - - /* Prefix the basename with a dot. */ -- strcpy (fname, info.dli_fname); -+ strcpy (fname, libpath); - p = strrchr (fname, '/'); - if (p) - p++; diff --git a/libgcrypt-1.9.3-fips-tests.patch b/libgcrypt-1.9.3-fips-tests.patch deleted file mode 100644 index 1ddc64f..0000000 --- a/libgcrypt-1.9.3-fips-tests.patch +++ /dev/null @@ -1,1804 +0,0 @@ -commit 57cf83834bc00a7431378aabda692bf700e4876c -Author: Jussi Kivilinna -Date: Sat Apr 17 17:06:40 2021 +0300 - - tests/bench-slope: add ECC benchmarking - - * tests/bench-slope.c (bench_print_result_nsec_per_iteration): New. - (bench_print_header_nsec_per_iteration): New. - (kdf_bench_one, kdf_bench): Use new print helper functions. - [USE_ECC]: New ECC benchmarks. - (ecc_bench): New. - (print_help): Add 'ecc' option. - (main): Add ECC benchmarks. - -- - - Signed-off-by: Jussi Kivilinna - -diff --git a/tests/bench-slope.c b/tests/bench-slope.c -index c8647b6b..9b4a139a 100644 ---- a/tests/bench-slope.c -+++ b/tests/bench-slope.c -@@ -783,6 +783,54 @@ bench_print_result (double nsecs_per_byte) - bench_print_result_std (nsecs_per_byte); - } - -+static void -+bench_print_result_nsec_per_iteration (double nsecs_per_iteration) -+{ -+ double cycles_per_iteration; -+ char nsecpiter_buf[16]; -+ char cpiter_buf[16]; -+ char mhz_buf[16]; -+ -+ strcpy(cpiter_buf, csv_mode ? "" : "-"); -+ strcpy(mhz_buf, csv_mode ? "" : "-"); -+ -+ double_to_str (nsecpiter_buf, sizeof (nsecpiter_buf), nsecs_per_iteration); -+ -+ /* If user didn't provide CPU speed, we cannot show cycles/iter results. */ -+ if (bench_ghz > 0.0) -+ { -+ cycles_per_iteration = nsecs_per_iteration * bench_ghz; -+ double_to_str (cpiter_buf, sizeof (cpiter_buf), cycles_per_iteration); -+ double_to_str (mhz_buf, sizeof (mhz_buf), bench_ghz * 1000); -+ } -+ -+ if (csv_mode) -+ { -+ if (auto_ghz) -+ printf ("%s,%s,%s,,,,,,,,,%s,ns/iter,%s,c/iter,%s,Mhz\n", -+ current_section_name, -+ current_algo_name ? current_algo_name : "", -+ current_mode_name ? current_mode_name : "", -+ nsecpiter_buf, -+ cpiter_buf, -+ mhz_buf); -+ else -+ printf ("%s,%s,%s,,,,,,,,,%s,ns/iter,%s,c/iter\n", -+ current_section_name, -+ current_algo_name ? current_algo_name : "", -+ current_mode_name ? current_mode_name : "", -+ nsecpiter_buf, -+ cpiter_buf); -+ } -+ else -+ { -+ if (auto_ghz) -+ printf ("%14s %13s %9s\n", nsecpiter_buf, cpiter_buf, mhz_buf); -+ else -+ printf ("%14s %13s\n", nsecpiter_buf, cpiter_buf); -+ } -+} -+ - static void - bench_print_section (const char *section_name, const char *print_name) - { -@@ -819,6 +867,28 @@ bench_print_header (int algo_width, const char *algo_name) - } - } - -+static void -+bench_print_header_nsec_per_iteration (int algo_width, const char *algo_name) -+{ -+ if (csv_mode) -+ { -+ gcry_free (current_algo_name); -+ current_algo_name = gcry_xstrdup (algo_name); -+ } -+ else -+ { -+ if (algo_width < 0) -+ printf (" %-*s | ", -algo_width, algo_name); -+ else -+ printf (" %-*s | ", algo_width, algo_name); -+ -+ if (auto_ghz) -+ printf ("%14s %13s %9s\n", "nanosecs/iter", "cycles/iter", "auto Mhz"); -+ else -+ printf ("%14s %13s\n", "nanosecs/iter", "cycles/iter"); -+ } -+} -+ - static void - bench_print_algo (int algo_width, const char *algo_name) - { -@@ -1991,11 +2061,7 @@ kdf_bench_one (int algo, int subalgo) - struct bench_kdf_mode mode = { &kdf_ops }; - struct bench_obj obj = { 0 }; - double nsecs_per_iteration; -- double cycles_per_iteration; - char algo_name[32]; -- char nsecpiter_buf[16]; -- char cpiter_buf[16]; -- char mhz_buf[16]; - - mode.algo = algo; - mode.subalgo = subalgo; -@@ -2030,45 +2096,7 @@ kdf_bench_one (int algo, int subalgo) - obj.priv = &mode; - - nsecs_per_iteration = do_slope_benchmark (&obj); -- -- strcpy(cpiter_buf, csv_mode ? "" : "-"); -- strcpy(mhz_buf, csv_mode ? "" : "-"); -- -- double_to_str (nsecpiter_buf, sizeof (nsecpiter_buf), nsecs_per_iteration); -- -- /* If user didn't provide CPU speed, we cannot show cycles/iter results. */ -- if (bench_ghz > 0.0) -- { -- cycles_per_iteration = nsecs_per_iteration * bench_ghz; -- double_to_str (cpiter_buf, sizeof (cpiter_buf), cycles_per_iteration); -- double_to_str (mhz_buf, sizeof (mhz_buf), bench_ghz * 1000); -- } -- -- if (csv_mode) -- { -- if (auto_ghz) -- printf ("%s,%s,%s,,,,,,,,,%s,ns/iter,%s,c/iter,%s,Mhz\n", -- current_section_name, -- current_algo_name ? current_algo_name : "", -- current_mode_name ? current_mode_name : "", -- nsecpiter_buf, -- cpiter_buf, -- mhz_buf); -- else -- printf ("%s,%s,%s,,,,,,,,,%s,ns/iter,%s,c/iter\n", -- current_section_name, -- current_algo_name ? current_algo_name : "", -- current_mode_name ? current_mode_name : "", -- nsecpiter_buf, -- cpiter_buf); -- } -- else -- { -- if (auto_ghz) -- printf ("%14s %13s %9s\n", nsecpiter_buf, cpiter_buf, mhz_buf); -- else -- printf ("%14s %13s\n", nsecpiter_buf, cpiter_buf); -- } -+ bench_print_result_nsec_per_iteration (nsecs_per_iteration); - } - - void -@@ -2079,14 +2107,7 @@ kdf_bench (char **argv, int argc) - - bench_print_section ("kdf", "KDF"); - -- if (!csv_mode) -- { -- printf (" %-*s | ", 24, ""); -- if (auto_ghz) -- printf ("%14s %13s %9s\n", "nanosecs/iter", "cycles/iter", "auto Mhz"); -- else -- printf ("%14s %13s\n", "nanosecs/iter", "cycles/iter"); -- } -+ bench_print_header_nsec_per_iteration (24, ""); - - if (argv && argc) - { -@@ -2116,13 +2137,571 @@ kdf_bench (char **argv, int argc) - } - - -+/************************************************************ ECC benchmarks. */ -+ -+#if USE_ECC -+enum bench_ecc_algo -+{ -+ ECC_ALGO_ED25519 = 0, -+ ECC_ALGO_ED448, -+ ECC_ALGO_NIST_P192, -+ ECC_ALGO_NIST_P224, -+ ECC_ALGO_NIST_P256, -+ ECC_ALGO_NIST_P384, -+ ECC_ALGO_NIST_P521, -+ ECC_ALGO_SECP256K1, -+ __MAX_ECC_ALGO -+}; -+ -+enum bench_ecc_operation -+{ -+ ECC_OPER_MULT = 0, -+ ECC_OPER_KEYGEN, -+ ECC_OPER_SIGN, -+ ECC_OPER_VERIFY, -+ __MAX_ECC_OPER -+}; -+ -+struct bench_ecc_oper -+{ -+ enum bench_ecc_operation oper; -+ const char *name; -+ struct bench_ops *ops; -+ -+ enum bench_ecc_algo algo; -+}; -+ -+struct bench_ecc_mult_hd -+{ -+ gcry_ctx_t ec; -+ gcry_mpi_t k, x, y; -+ gcry_mpi_point_t G, Q; -+}; -+ -+struct bench_ecc_hd -+{ -+ gcry_sexp_t key_spec; -+ gcry_sexp_t data; -+ gcry_sexp_t pub_key; -+ gcry_sexp_t sec_key; -+ gcry_sexp_t sig; -+}; -+ -+ -+static const char * -+ecc_algo_name (int algo) -+{ -+ switch (algo) -+ { -+ case ECC_ALGO_ED25519: -+ return "Ed25519"; -+ case ECC_ALGO_ED448: -+ return "Ed448"; -+ case ECC_ALGO_NIST_P192: -+ return "NIST-P192"; -+ case ECC_ALGO_NIST_P224: -+ return "NIST-P224"; -+ case ECC_ALGO_NIST_P256: -+ return "NIST-P256"; -+ case ECC_ALGO_NIST_P384: -+ return "NIST-P384"; -+ case ECC_ALGO_NIST_P521: -+ return "NIST-P521"; -+ case ECC_ALGO_SECP256K1: -+ return "secp256k1"; -+ default: -+ return NULL; -+ } -+} -+ -+static const char * -+ecc_algo_curve (int algo) -+{ -+ switch (algo) -+ { -+ case ECC_ALGO_ED25519: -+ return "Ed25519"; -+ case ECC_ALGO_ED448: -+ return "Ed448"; -+ case ECC_ALGO_NIST_P192: -+ return "NIST P-192"; -+ case ECC_ALGO_NIST_P224: -+ return "NIST P-224"; -+ case ECC_ALGO_NIST_P256: -+ return "NIST P-256"; -+ case ECC_ALGO_NIST_P384: -+ return "NIST P-384"; -+ case ECC_ALGO_NIST_P521: -+ return "NIST P-521"; -+ case ECC_ALGO_SECP256K1: -+ return "secp256k1"; -+ default: -+ return NULL; -+ } -+} -+ -+static int -+ecc_nbits (int algo) -+{ -+ switch (algo) -+ { -+ case ECC_ALGO_ED25519: -+ return 255; -+ case ECC_ALGO_ED448: -+ return 448; -+ case ECC_ALGO_NIST_P192: -+ return 192; -+ case ECC_ALGO_NIST_P224: -+ return 224; -+ case ECC_ALGO_NIST_P256: -+ return 256; -+ case ECC_ALGO_NIST_P384: -+ return 384; -+ case ECC_ALGO_NIST_P521: -+ return 521; -+ case ECC_ALGO_SECP256K1: -+ return 256; -+ default: -+ return 0; -+ } -+} -+ -+static int -+ecc_map_name (const char *name) -+{ -+ int i; -+ -+ for (i = 0; i < __MAX_ECC_ALGO; i++) -+ { -+ if (strcmp(ecc_algo_name(i), name) == 0) -+ { -+ return i; -+ } -+ } -+ -+ return -1; -+} -+ -+ -+static int -+bench_ecc_mult_init (struct bench_obj *obj) -+{ -+ struct bench_ecc_oper *oper = obj->priv; -+ struct bench_ecc_mult_hd *hd; -+ int p_size = ecc_nbits (oper->algo); -+ gpg_error_t err; -+ gcry_mpi_t p; -+ -+ obj->min_bufsize = 1; -+ obj->max_bufsize = 4; -+ obj->step_size = 1; -+ obj->num_measure_repetitions = -+ num_measurement_repetitions / obj->max_bufsize; -+ -+ while (obj->num_measure_repetitions == 0) -+ { -+ if (obj->max_bufsize == 2) -+ { -+ obj->num_measure_repetitions = 2; -+ } -+ else -+ { -+ obj->max_bufsize--; -+ obj->num_measure_repetitions = -+ num_measurement_repetitions / obj->max_bufsize; -+ } -+ } -+ -+ hd = calloc (1, sizeof(*hd)); -+ if (!hd) -+ return -1; -+ -+ err = gcry_mpi_ec_new (&hd->ec, NULL, ecc_algo_curve(oper->algo)); -+ if (err) -+ { -+ fprintf (stderr, PGM ": gcry_mpi_ec_new failed: %s\n", -+ gpg_strerror (err)); -+ exit (1); -+ } -+ hd->G = gcry_mpi_ec_get_point ("g", hd->ec, 1); -+ hd->Q = gcry_mpi_point_new (0); -+ hd->x = gcry_mpi_new (0); -+ hd->y = gcry_mpi_new (0); -+ hd->k = gcry_mpi_new (p_size); -+ gcry_mpi_randomize (hd->k, p_size, GCRY_WEAK_RANDOM); -+ p = gcry_mpi_ec_get_mpi ("p", hd->ec, 1); -+ gcry_mpi_mod (hd->k, hd->k, p); -+ gcry_mpi_release (p); -+ -+ obj->hd = hd; -+ return 0; -+} -+ -+static void -+bench_ecc_mult_free (struct bench_obj *obj) -+{ -+ struct bench_ecc_mult_hd *hd = obj->hd; -+ -+ gcry_mpi_release (hd->k); -+ gcry_mpi_release (hd->y); -+ gcry_mpi_release (hd->x); -+ gcry_mpi_point_release (hd->Q); -+ gcry_mpi_point_release (hd->G); -+ gcry_ctx_release (hd->ec); -+ free (hd); -+ obj->hd = NULL; -+} -+ -+static void -+bench_ecc_mult_do_bench (struct bench_obj *obj, void *buf, size_t num_iter) -+{ -+ struct bench_ecc_mult_hd *hd = obj->hd; -+ size_t i; -+ -+ (void)buf; -+ -+ for (i = 0; i < num_iter; i++) -+ { -+ gcry_mpi_ec_mul (hd->Q, hd->k, hd->G, hd->ec); -+ if (gcry_mpi_ec_get_affine (hd->x, hd->y, hd->Q, hd->ec)) -+ { -+ fprintf (stderr, PGM ": gcry_mpi_ec_get_affine failed\n"); -+ exit (1); -+ } -+ } -+} -+ -+ -+static int -+bench_ecc_init (struct bench_obj *obj) -+{ -+ struct bench_ecc_oper *oper = obj->priv; -+ struct bench_ecc_hd *hd; -+ int p_size = ecc_nbits (oper->algo); -+ gpg_error_t err; -+ gcry_mpi_t x; -+ -+ obj->min_bufsize = 1; -+ obj->max_bufsize = 4; -+ obj->step_size = 1; -+ obj->num_measure_repetitions = -+ num_measurement_repetitions / obj->max_bufsize; -+ -+ while (obj->num_measure_repetitions == 0) -+ { -+ if (obj->max_bufsize == 2) -+ { -+ obj->num_measure_repetitions = 2; -+ } -+ else -+ { -+ obj->max_bufsize--; -+ obj->num_measure_repetitions = -+ num_measurement_repetitions / obj->max_bufsize; -+ } -+ } -+ -+ hd = calloc (1, sizeof(*hd)); -+ if (!hd) -+ return -1; -+ -+ x = gcry_mpi_new (p_size); -+ gcry_mpi_randomize (x, p_size, GCRY_WEAK_RANDOM); -+ -+ switch (oper->algo) -+ { -+ default: -+ return -1; -+ -+ case ECC_ALGO_ED25519: -+ err = gcry_sexp_build (&hd->key_spec, NULL, -+ "(genkey (ecdsa (curve \"Ed25519\")" -+ "(flags eddsa)))"); -+ if (err) -+ break; -+ err = gcry_sexp_build (&hd->data, NULL, -+ "(data (flags eddsa)(hash-algo sha512)" -+ " (value %m))", x); -+ break; -+ -+ case ECC_ALGO_ED448: -+ err = gcry_sexp_build (&hd->key_spec, NULL, -+ "(genkey (ecdsa (curve \"Ed448\")" -+ "(flags eddsa)))"); -+ if (err) -+ break; -+ err = gcry_sexp_build (&hd->data, NULL, -+ "(data (flags eddsa)(hash-algo shake256)" -+ " (value %m))", x); -+ break; -+ -+ case ECC_ALGO_NIST_P192: -+ case ECC_ALGO_NIST_P224: -+ case ECC_ALGO_NIST_P256: -+ case ECC_ALGO_NIST_P384: -+ case ECC_ALGO_NIST_P521: -+ err = gcry_sexp_build (&hd->key_spec, NULL, -+ "(genkey (ECDSA (nbits %d)))", p_size); -+ if (err) -+ break; -+ err = gcry_sexp_build (&hd->data, NULL, -+ "(data (flags raw) (value %m))", x); -+ break; -+ } -+ -+ gcry_mpi_release (x); -+ -+ if (err) -+ { -+ fprintf (stderr, PGM ": gcry_sexp_build failed: %s\n", -+ gpg_strerror (err)); -+ exit (1); -+ } -+ -+ obj->hd = hd; -+ return 0; -+} -+ -+static void -+bench_ecc_free (struct bench_obj *obj) -+{ -+ struct bench_ecc_hd *hd = obj->hd; -+ -+ gcry_sexp_release (hd->sig); -+ gcry_sexp_release (hd->pub_key); -+ gcry_sexp_release (hd->sec_key); -+ gcry_sexp_release (hd->data); -+ gcry_sexp_release (hd->key_spec); -+ free (hd); -+ obj->hd = NULL; -+} -+ -+static void -+bench_ecc_keygen (struct bench_ecc_hd *hd) -+{ -+ gcry_sexp_t key_pair; -+ gpg_error_t err; -+ -+ err = gcry_pk_genkey (&key_pair, hd->key_spec); -+ if (err) -+ { -+ fprintf (stderr, PGM ": gcry_pk_genkey failed: %s\n", -+ gpg_strerror (err)); -+ exit (1); -+ } -+ -+ hd->pub_key = gcry_sexp_find_token (key_pair, "public-key", 0); -+ if (!hd->pub_key) -+ { -+ fprintf (stderr, PGM ": public part missing in key\n"); -+ exit (1); -+ } -+ hd->sec_key = gcry_sexp_find_token (key_pair, "private-key", 0); -+ if (!hd->sec_key) -+ { -+ fprintf (stderr, PGM ": private part missing in key\n"); -+ exit (1); -+ } -+ -+ gcry_sexp_release (key_pair); -+} -+ -+static void -+bench_ecc_keygen_do_bench (struct bench_obj *obj, void *buf, size_t num_iter) -+{ -+ struct bench_ecc_hd *hd = obj->hd; -+ size_t i; -+ -+ (void)buf; -+ -+ for (i = 0; i < num_iter; i++) -+ { -+ bench_ecc_keygen (hd); -+ gcry_sexp_release (hd->pub_key); -+ gcry_sexp_release (hd->sec_key); -+ } -+ -+ hd->pub_key = NULL; -+ hd->sec_key = NULL; -+} -+ -+static void -+bench_ecc_sign_do_bench (struct bench_obj *obj, void *buf, size_t num_iter) -+{ -+ struct bench_ecc_hd *hd = obj->hd; -+ gpg_error_t err; -+ size_t i; -+ -+ (void)buf; -+ -+ bench_ecc_keygen (hd); -+ -+ for (i = 0; i < num_iter; i++) -+ { -+ err = gcry_pk_sign (&hd->sig, hd->data, hd->sec_key); -+ if (err) -+ { -+ fprintf (stderr, PGM ": gcry_pk_sign failed: %s\n", -+ gpg_strerror (err)); -+ exit (1); -+ } -+ gcry_sexp_release (hd->sig); -+ } -+ -+ gcry_sexp_release (hd->pub_key); -+ gcry_sexp_release (hd->sec_key); -+ hd->sig = NULL; -+ hd->pub_key = NULL; -+ hd->sec_key = NULL; -+} -+ -+static void -+bench_ecc_verify_do_bench (struct bench_obj *obj, void *buf, size_t num_iter) -+{ -+ struct bench_ecc_hd *hd = obj->hd; -+ gpg_error_t err; -+ int i; -+ -+ (void)buf; -+ -+ bench_ecc_keygen (hd); -+ err = gcry_pk_sign (&hd->sig, hd->data, hd->sec_key); -+ if (err) -+ { -+ fprintf (stderr, PGM ": gcry_pk_sign failed: %s\n", -+ gpg_strerror (err)); -+ exit (1); -+ } -+ -+ for (i = 0; i < num_iter; i++) -+ { -+ err = gcry_pk_verify (hd->sig, hd->data, hd->pub_key); -+ if (err) -+ { -+ fprintf (stderr, PGM ": gcry_pk_verify failed: %s\n", -+ gpg_strerror (err)); -+ exit (1); -+ } -+ } -+ -+ gcry_sexp_release (hd->sig); -+ gcry_sexp_release (hd->pub_key); -+ gcry_sexp_release (hd->sec_key); -+ hd->sig = NULL; -+ hd->pub_key = NULL; -+ hd->sec_key = NULL; -+} -+ -+ -+static struct bench_ops ecc_mult_ops = { -+ &bench_ecc_mult_init, -+ &bench_ecc_mult_free, -+ &bench_ecc_mult_do_bench -+}; -+ -+static struct bench_ops ecc_keygen_ops = { -+ &bench_ecc_init, -+ &bench_ecc_free, -+ &bench_ecc_keygen_do_bench -+}; -+ -+static struct bench_ops ecc_sign_ops = { -+ &bench_ecc_init, -+ &bench_ecc_free, -+ &bench_ecc_sign_do_bench -+}; -+ -+static struct bench_ops ecc_verify_ops = { -+ &bench_ecc_init, -+ &bench_ecc_free, -+ &bench_ecc_verify_do_bench -+}; -+ -+ -+static struct bench_ecc_oper ecc_operations[] = { -+ { ECC_OPER_MULT, "mult", &ecc_mult_ops }, -+ { ECC_OPER_KEYGEN, "keygen", &ecc_keygen_ops }, -+ { ECC_OPER_SIGN, "sign", &ecc_sign_ops }, -+ { ECC_OPER_VERIFY, "verify", &ecc_verify_ops }, -+ { 0, NULL, NULL } -+}; -+ -+ -+static void -+cipher_ecc_one (enum bench_ecc_algo algo, struct bench_ecc_oper *poper) -+{ -+ struct bench_ecc_oper oper = *poper; -+ struct bench_obj obj = { 0 }; -+ double result; -+ -+ if (algo == ECC_ALGO_SECP256K1 && oper.oper != ECC_OPER_MULT) -+ return; -+ -+ oper.algo = algo; -+ -+ bench_print_mode (14, oper.name); -+ -+ obj.ops = oper.ops; -+ obj.priv = &oper; -+ -+ result = do_slope_benchmark (&obj); -+ bench_print_result_nsec_per_iteration (result); -+} -+ -+ -+static void -+_ecc_bench (int algo) -+{ -+ const char *algo_name; -+ int i; -+ -+ algo_name = ecc_algo_name (algo); -+ -+ bench_print_header_nsec_per_iteration (14, algo_name); -+ -+ for (i = 0; ecc_operations[i].name; i++) -+ cipher_ecc_one (algo, &ecc_operations[i]); -+ -+ bench_print_footer (14); -+} -+#endif -+ -+ -+void -+ecc_bench (char **argv, int argc) -+{ -+#if USE_ECC -+ int i, algo; -+ -+ bench_print_section ("ecc", "ECC"); -+ -+ if (argv && argc) -+ { -+ for (i = 0; i < argc; i++) -+ { -+ algo = ecc_map_name (argv[i]); -+ if (algo >= 0) -+ _ecc_bench (algo); -+ } -+ } -+ else -+ { -+ for (i = 0; i < __MAX_ECC_ALGO; i++) -+ _ecc_bench (i); -+ } -+#else -+ (void)argv; -+ (void)argc; -+#endif -+} -+ - /************************************************************** Main program. */ - - void - print_help (void) - { - static const char *help_lines[] = { -- "usage: bench-slope [options] [hash|mac|cipher|kdf [algonames]]", -+ "usage: bench-slope [options] [hash|mac|cipher|kdf|ecc [algonames]]", - "", - " options:", - " --cpu-mhz Set CPU speed for calculating cycles", -@@ -2304,6 +2883,7 @@ main (int argc, char **argv) - mac_bench (NULL, 0); - cipher_bench (NULL, 0); - kdf_bench (NULL, 0); -+ ecc_bench (NULL, 0); - } - else if (!strcmp (*argv, "hash")) - { -@@ -2337,6 +2917,14 @@ main (int argc, char **argv) - warm_up_cpu (); - kdf_bench ((argc == 0) ? NULL : argv, argc); - } -+ else if (!strcmp (*argv, "ecc")) -+ { -+ argc--; -+ argv++; -+ -+ warm_up_cpu (); -+ ecc_bench ((argc == 0) ? NULL : argv, argc); -+ } - else - { - fprintf (stderr, PGM ": unknown argument: %s\n", *argv); - -commit 9911069388e762d2a85bc2a11ca6cfcc4c895e4f -Author: Jussi Kivilinna -Date: Wed Jun 16 20:27:01 2021 +0300 - - bench-slope: add X25519 and X448 scalar multiplication - - * tests/bench-slope.c (ECC_ALGO_X25519, ECC_ALGO_X448): New. - (ecc_algo_name, ecc_algo_curve, ecc_nbits): Add X25519 and X448. - (bench_ecc_mult_do_bench): Pass Y as NULL to ec_get_affine with - X25519 and X448. - (cipher_ecc_one): Run only multiplication bench for X25519 and X448. - -- - - Signed-off-by: Jussi Kivilinna - -diff --git a/tests/bench-slope.c b/tests/bench-slope.c -index 9b4a139a..35272094 100644 ---- a/tests/bench-slope.c -+++ b/tests/bench-slope.c -@@ -2144,6 +2144,8 @@ enum bench_ecc_algo - { - ECC_ALGO_ED25519 = 0, - ECC_ALGO_ED448, -+ ECC_ALGO_X25519, -+ ECC_ALGO_X448, - ECC_ALGO_NIST_P192, - ECC_ALGO_NIST_P224, - ECC_ALGO_NIST_P256, -@@ -2197,6 +2199,10 @@ ecc_algo_name (int algo) - return "Ed25519"; - case ECC_ALGO_ED448: - return "Ed448"; -+ case ECC_ALGO_X25519: -+ return "X25519"; -+ case ECC_ALGO_X448: -+ return "X448"; - case ECC_ALGO_NIST_P192: - return "NIST-P192"; - case ECC_ALGO_NIST_P224: -@@ -2223,6 +2229,10 @@ ecc_algo_curve (int algo) - return "Ed25519"; - case ECC_ALGO_ED448: - return "Ed448"; -+ case ECC_ALGO_X25519: -+ return "Curve25519"; -+ case ECC_ALGO_X448: -+ return "X448"; - case ECC_ALGO_NIST_P192: - return "NIST P-192"; - case ECC_ALGO_NIST_P224: -@@ -2249,6 +2259,10 @@ ecc_nbits (int algo) - return 255; - case ECC_ALGO_ED448: - return 448; -+ case ECC_ALGO_X25519: -+ return 255; -+ case ECC_ALGO_X448: -+ return 448; - case ECC_ALGO_NIST_P192: - return 192; - case ECC_ALGO_NIST_P224: -@@ -2355,15 +2369,26 @@ bench_ecc_mult_free (struct bench_obj *obj) - static void - bench_ecc_mult_do_bench (struct bench_obj *obj, void *buf, size_t num_iter) - { -+ struct bench_ecc_oper *oper = obj->priv; - struct bench_ecc_mult_hd *hd = obj->hd; -+ gcry_mpi_t y; - size_t i; - - (void)buf; - -+ if (oper->algo == ECC_ALGO_X25519 || oper->algo == ECC_ALGO_X448) -+ { -+ y = NULL; -+ } -+ else -+ { -+ y = hd->y; -+ } -+ - for (i = 0; i < num_iter; i++) - { - gcry_mpi_ec_mul (hd->Q, hd->k, hd->G, hd->ec); -- if (gcry_mpi_ec_get_affine (hd->x, hd->y, hd->Q, hd->ec)) -+ if (gcry_mpi_ec_get_affine (hd->x, y, hd->Q, hd->ec)) - { - fprintf (stderr, PGM ": gcry_mpi_ec_get_affine failed\n"); - exit (1); -@@ -2634,7 +2659,8 @@ cipher_ecc_one (enum bench_ecc_algo algo, struct bench_ecc_oper *poper) - struct bench_obj obj = { 0 }; - double result; - -- if (algo == ECC_ALGO_SECP256K1 && oper.oper != ECC_OPER_MULT) -+ if ((algo == ECC_ALGO_X25519 || algo == ECC_ALGO_X448 || -+ algo == ECC_ALGO_SECP256K1) && oper.oper != ECC_OPER_MULT) - return; - - oper.algo = algo; - - -From bd49a4fa915b8a078c341b35f5a51fcb2a004c35 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Mon, 12 Jul 2021 21:35:18 +0200 -Subject: [PATCH 1/8] mac: Disable AES GMAC in FIPS mode - -* cipher/mac-gmac.c (_gcry_mac_type_spec_gmac_aes): Remove FIPS flag --- -The GMAC does not work in FIPS mode until libgcrypt will have internal -IV generator. - -Signed-off-by: Jakub Jelen ---- - cipher/mac-gmac.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/cipher/mac-gmac.c b/cipher/mac-gmac.c -index e04c6d1e..1d59d085 100644 ---- a/cipher/mac-gmac.c -+++ b/cipher/mac-gmac.c -@@ -157,7 +157,7 @@ static gcry_mac_spec_ops_t gmac_ops = { - - #if USE_AES - gcry_mac_spec_t _gcry_mac_type_spec_gmac_aes = { -- GCRY_MAC_GMAC_AES, {0, 1}, "GMAC_AES", -+ GCRY_MAC_GMAC_AES, {0, 0}, "GMAC_AES", - &gmac_ops - }; - #endif --- -2.31.1 - - -From fd0e1c3e7f6062579869d345875d6ef823706e56 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Mon, 12 Jul 2021 21:36:34 +0200 -Subject: [PATCH 2/8] tests: Do not expect GCM work in FIPS - -* tests/basic.c (check_one_cipher_core): Expect GCM ciphers to fail in - FIPS mode - (check_cipher_modes): Skip GCM ciphers tests as they fail quite late - in gcry_cipher_gettag(). --- - -Signed-off-by: Jakub Jelen ---- - tests/basic.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/tests/basic.c b/tests/basic.c -index 0572c46e..d7b7f496 100644 ---- a/tests/basic.c -+++ b/tests/basic.c -@@ -9510,6 +9510,13 @@ check_one_cipher_core (int algo, int mode, int flags, - - clutter_vector_registers(); - err = gcry_cipher_encrypt (hd, out, nplain, plain, nplain); -+ if (in_fips_mode && mode == GCRY_CIPHER_MODE_GCM) -+ { -+ if (!err) -+ fail ("pass %d, algo %d, mode %d, gcry_cipher_encrypt is expected to " -+ "fail in FIPS mode: %s\n", pass, algo, mode, gpg_strerror (err)); -+ goto err_out_free; -+ } - if (err) - { - fail ("pass %d, algo %d, mode %d, gcry_cipher_encrypt failed: %s\n", -@@ -10257,7 +10264,12 @@ check_cipher_modes(void) - check_cfb_cipher (); - check_ofb_cipher (); - check_ccm_cipher (); -- check_gcm_cipher (); -+ if (!in_fips_mode) -+ { -+ /* This will have to go through modifications as the GCM fails in fips -+ * as late as in gcry_cipher_gettag, but we want to allow it in the end */ -+ check_gcm_cipher (); -+ } - check_poly1305_cipher (); - check_ocb_cipher (); - check_xts_cipher (); --- -2.31.1 - - -From ccbb1694693080822858e2065cf88ab43ec03fbc Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Tue, 13 Jul 2021 09:18:52 +0200 -Subject: [PATCH 3/8] tests: Skip unsupported mechanisms in FIPS mode - -* tests/bench-slope.c (cipher_bench_one): Skip GCM mode in FIPS mode - (ecc_algo_fips_allowed): New function - (_ecc_bench): Skip algorithms disabled in FIPS mode - (main): Check for FIPS mode -* tests/benchmark.c (cipher_bench): Skip GCM in FIPS mode --- -In FIPS mode, not all the curves are allowed. This is already checked in -other parts of the code base, but not in the benchmark test. - -Signed-off-by: Jakub Jelen ---- - tests/bench-slope.c | 33 +++++++++++++++++++++++++++++++-- - tests/benchmark.c | 4 ++++ - 2 files changed, 35 insertions(+), 2 deletions(-) - -diff --git a/tests/bench-slope.c b/tests/bench-slope.c -index 35272094..5bdb391e 100644 ---- a/tests/bench-slope.c -+++ b/tests/bench-slope.c -@@ -70,6 +70,7 @@ static double bench_ghz; - /* Current accuracy of auto-detected CPU Ghz. */ - static double bench_ghz_diff; - -+static int in_fips_mode = 0; - - /*************************************** Default parameters for measurements. */ - -@@ -1642,8 +1643,8 @@ cipher_bench_one (int algo, struct bench_cipher_mode *pmode) - if (mode.mode == GCRY_CIPHER_MODE_CCM && blklen != GCRY_CCM_BLOCK_LEN) - return; - -- /* GCM has restrictions for block-size */ -- if (mode.mode == GCRY_CIPHER_MODE_GCM && blklen != GCRY_GCM_BLOCK_LEN) -+ /* GCM has restrictions for block-size; not allowed in FIPS mode */ -+ if (mode.mode == GCRY_CIPHER_MODE_GCM && (in_fips_mode || blklen != GCRY_GCM_BLOCK_LEN)) - return; - - /* XTS has restrictions for block-size */ -@@ -2190,6 +2191,27 @@ struct bench_ecc_hd - }; - - -+static int -+ecc_algo_fips_allowed (int algo) -+{ -+ switch (algo) -+ { -+ case ECC_ALGO_NIST_P224: -+ case ECC_ALGO_NIST_P256: -+ case ECC_ALGO_NIST_P384: -+ case ECC_ALGO_NIST_P521: -+ return 1; -+ case ECC_ALGO_SECP256K1: -+ case ECC_ALGO_ED25519: -+ case ECC_ALGO_ED448: -+ case ECC_ALGO_X25519: -+ case ECC_ALGO_X448: -+ case ECC_ALGO_NIST_P192: -+ default: -+ return 0; -+ } -+} -+ - static const char * - ecc_algo_name (int algo) - { -@@ -2681,6 +2703,10 @@ _ecc_bench (int algo) - const char *algo_name; - int i; - -+ /* Skip not allowed mechanisms */ -+ if (!ecc_algo_fips_allowed(algo)) -+ return; -+ - algo_name = ecc_algo_name (algo); - - bench_print_header_nsec_per_iteration (14, algo_name); -@@ -2899,6 +2925,9 @@ main (int argc, char **argv) - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); - xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); - -+ if (gcry_fips_mode_active ()) -+ in_fips_mode = 1; -+ - if (in_regression_test) - fputs ("Note: " PGM " running in quick regression test mode.\n", stdout); - -diff --git a/tests/benchmark.c b/tests/benchmark.c -index 605b50c6..24141371 100644 ---- a/tests/benchmark.c -+++ b/tests/benchmark.c -@@ -943,6 +943,10 @@ cipher_bench ( const char *algoname ) - && algo != GCRY_CIPHER_CHACHA20) - continue; - -+ /* GCM is not available in FIPS mode */ -+ if (in_fips_mode && modes[modeidx].mode == GCRY_CIPHER_MODE_GCM) -+ continue; -+ - if (modes[modeidx].req_blocksize > 0 - && blklen != modes[modeidx].req_blocksize) - { --- -2.31.1 - - -From 744baa85722da10d7374c6eca6b08b8197819ab6 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Tue, 13 Jul 2021 09:20:18 +0200 -Subject: [PATCH 4/8] tests: Expect curves 25519/448 to fail in FIPS mode - -* tests/t-cv25519.c (test_cv_hl): Expect the operation to fail in FIPS - mode. - (test_cv_x25519, test_it): Ditto. - (main) Detect FIPS mode. -* tests/t-ed25519.c (one_test): Expect the operation to fail in FIPS - mode. - (main) Detect FIPS mode. -* tests/t-ed448.c (one_test): Expect the operation to fail in FIPS - mode. - (main) Detect FIPS mode. -* tests/t-x448.c (test_cv_hl): Expect the operation to fail in FIPS - mode. - (test_cv_x448, test_cv): Ditto. - (main) Detect FIPS mode. --- -The ed25519, ed448, cv25519 and cv448 curves are not available in FIPS -mode. Some of the tests already skipped these, but it is always better -to make sure thy are failing, rather than just skipping these. - -Signed-off-by: Jakub Jelen ---- - tests/t-cv25519.c | 37 +++++++++++++++++++++++++++++++++++-- - tests/t-ed25519.c | 18 ++++++++++++++---- - tests/t-ed448.c | 18 ++++++++++++++---- - tests/t-x448.c | 41 +++++++++++++++++++++++++++++++++++++---- - 4 files changed, 100 insertions(+), 14 deletions(-) - -diff --git a/tests/t-cv25519.c b/tests/t-cv25519.c -index 0de50a02..b4126f4c 100644 ---- a/tests/t-cv25519.c -+++ b/tests/t-cv25519.c -@@ -33,6 +33,7 @@ - #include "t-common.h" - #define N_TESTS 18 - -+static int in_fips_mode = 0; - - static void - print_mpi (const char *text, gcry_mpi_t a) -@@ -188,7 +189,17 @@ test_cv_hl (int testno, const char *k_str, const char *u_str, - xfree (buffer); - buffer = NULL; - -- if ((err = gcry_pk_encrypt (&s_result, s_data, s_pk))) -+ err = gcry_pk_encrypt (&s_result, s_data, s_pk); -+ if (in_fips_mode) -+ { -+ if (!err) -+ fail ("gcry_pk_encrypt is not expected to work in FIPS mode for test %d", -+ testno); -+ if (verbose > 1) -+ info ("not executed in FIPS mode\n"); -+ goto leave; -+ } -+ if (err) - fail ("gcry_pk_encrypt failed for test %d: %s", testno, - gpg_strerror (err)); - -@@ -281,7 +292,17 @@ test_cv_x25519 (int testno, const char *k_str, const char *u_str, - goto leave; - } - -- if ((err = gcry_ecc_mul_point (algo, result, scalar, point))) -+ err = gcry_ecc_mul_point (algo, result, scalar, point); -+ if (in_fips_mode) -+ { -+ if (!err) -+ fail ("gcry_ecc_mul_point is not expected to work in FIPS mode for test %d", -+ testno); -+ if (verbose > 1) -+ info ("not executed in FIPS mode\n"); -+ goto leave; -+ } -+ if (err) - fail ("gcry_ecc_mul_point failed for test %d: %s", testno, - gpg_strerror (err)); - -@@ -335,6 +356,15 @@ test_it (int testno, const char *k_str, int iter, const char *result_str) - info ("Running test %d: iteration=%d\n", testno, iter); - - gcry_mpi_ec_new (&ctx, NULL, "Curve25519"); -+ if (in_fips_mode) -+ { -+ if (ctx) -+ fail ("gcry_mpi_ec_new should fail in FIPS mode for test %d", -+ testno); -+ if (verbose > 1) -+ info ("not executed in FIPS mode\n"); -+ return; -+ } - Q = gcry_mpi_point_new (0); - - if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 32) -@@ -640,6 +670,9 @@ main (int argc, char **argv) - xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); - -+ if (gcry_fips_mode_active ()) -+ in_fips_mode = 1; -+ - start_timer (); - check_cv25519 (); - stop_timer (); -diff --git a/tests/t-ed25519.c b/tests/t-ed25519.c -index a5271c25..567bc797 100644 ---- a/tests/t-ed25519.c -+++ b/tests/t-ed25519.c -@@ -36,6 +36,7 @@ - static int sign_with_pk; - static int no_verify; - static int custom_data_file; -+static int in_fips_mode = 0; - - - static void -@@ -271,7 +272,17 @@ one_test (int testno, const char *sk, const char *pk, - goto leave; - } - -- if ((err = gcry_pk_sign (&s_sig, s_msg, s_sk))) -+ err = gcry_pk_sign (&s_sig, s_msg, s_sk); -+ if (in_fips_mode) -+ { -+ if (!err) -+ fail ("gcry_pk_sign is not expected to work in FIPS mode for test %d", -+ testno); -+ if (verbose > 1) -+ info ("not executed in FIPS mode\n"); -+ goto leave; -+ } -+ if (err) - fail ("gcry_pk_sign failed for test %d: %s", testno, gpg_strerror (err)); - if (debug) - show_sexp ("sig=", s_sig); -@@ -481,9 +492,8 @@ main (int argc, char **argv) - xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); - -- /* Ed25519 isn't supported in fips mode */ -- if (gcry_fips_mode_active()) -- return 77; -+ if (gcry_fips_mode_active ()) -+ in_fips_mode = 1; - - start_timer (); - check_ed25519 (fname); -diff --git a/tests/t-ed448.c b/tests/t-ed448.c -index 1f445ffc..f38cd10c 100644 ---- a/tests/t-ed448.c -+++ b/tests/t-ed448.c -@@ -36,6 +36,7 @@ - static int sign_with_pk; - static int no_verify; - static int custom_data_file; -+static int in_fips_mode = 0; - - - static void -@@ -302,7 +303,17 @@ one_test (int testno, int ph, const char *sk, const char *pk, - } - } - -- if ((err = gcry_pk_sign (&s_sig, s_msg, s_sk))) -+ err = gcry_pk_sign (&s_sig, s_msg, s_sk); -+ if (in_fips_mode) -+ { -+ if (!err) -+ fail ("gcry_pk_sign is not expected to work in FIPS mode for test %d", -+ testno); -+ if (verbose > 1) -+ info ("not executed in FIPS mode\n"); -+ goto leave; -+ } -+ if (err) - fail ("gcry_pk_sign failed for test %d: %s", testno, gpg_strerror (err)); - if (debug) - show_sexp ("sig=", s_sig); -@@ -521,9 +532,8 @@ main (int argc, char **argv) - xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); - -- /* Ed448 isn't supported in fips mode */ -- if (gcry_fips_mode_active()) -- return 77; -+ if (gcry_fips_mode_active ()) -+ in_fips_mode = 1; - - start_timer (); - check_ed448 (fname); -diff --git a/tests/t-x448.c b/tests/t-x448.c -index 5c3cbeb9..cc4b10fc 100644 ---- a/tests/t-x448.c -+++ b/tests/t-x448.c -@@ -34,6 +34,7 @@ - #include "t-common.h" - #define N_TESTS 9 - -+static int in_fips_mode = 0; - - static void - print_mpi (const char *text, gcry_mpi_t a) -@@ -179,8 +180,18 @@ test_cv_hl (int testno, const char *k_str, const char *u_str, - xfree (buffer); - buffer = NULL; - -- if ((err = gcry_pk_encrypt (&s_result, s_data, s_pk))) -- fail ("gcry_pk_encrypt failed for test %d: %s", testno, -+ err = gcry_pk_encrypt (&s_result, s_data, s_pk); -+ if (in_fips_mode) -+ { -+ if (!err) -+ fail ("gcry_pk_encrypt is not expected to work in FIPS mode for test %d", -+ testno); -+ if (verbose > 1) -+ info ("not executed in FIPS mode\n"); -+ goto leave; -+ } -+ if (err) -+ fail ("gcry_pk_encrypt goto leavefailed for test %d: %s", testno, - gpg_strerror (err)); - - s_tmp = gcry_sexp_find_token (s_result, "s", 0); -@@ -257,7 +268,17 @@ test_cv_x448 (int testno, const char *k_str, const char *u_str, - goto leave; - } - -- if ((err = gcry_ecc_mul_point (GCRY_ECC_CURVE448, result, scalar, point))) -+ err = gcry_ecc_mul_point (GCRY_ECC_CURVE448, result, scalar, point); -+ if (in_fips_mode) -+ { -+ if (err != GPG_ERR_NOT_SUPPORTED) -+ fail ("gcry_ecc_mul_point is not expected to work in FIPS mode for test %d: %s", -+ testno, gpg_strerror (err)); -+ if (verbose > 1) -+ info ("not executed in FIPS mode\n"); -+ goto leave; -+ } -+ if (err) - fail ("gcry_ecc_mul_point failed for test %d: %s", testno, - gpg_strerror (err)); - -@@ -296,7 +317,7 @@ test_cv (int testno, const char *k_str, const char *u_str, - static void - test_it (int testno, const char *k_str, int iter, const char *result_str) - { -- gcry_ctx_t ctx; -+ gcry_ctx_t ctx = NULL; - gpg_error_t err; - void *buffer = NULL; - size_t buflen; -@@ -311,6 +332,15 @@ test_it (int testno, const char *k_str, int iter, const char *result_str) - info ("Running test %d: iteration=%d\n", testno, iter); - - gcry_mpi_ec_new (&ctx, NULL, "X448"); -+ if (in_fips_mode) -+ { -+ if (ctx) -+ fail ("gcry_mpi_ec_new should fail in FIPS mode for test %d", -+ testno); -+ if (verbose > 1) -+ info ("not executed in FIPS mode\n"); -+ return; -+ } - Q = gcry_mpi_point_new (0); - - if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 56) -@@ -583,6 +613,9 @@ main (int argc, char **argv) - xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); - -+ if (gcry_fips_mode_active ()) -+ in_fips_mode = 1; -+ - start_timer (); - check_x448 (); - stop_timer (); --- -2.31.1 - - -From d3a603cd4a0ff2a8df35f5bb39efd64c52b2b2c5 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Tue, 13 Jul 2021 10:11:42 +0200 -Subject: [PATCH 5/8] tests: Expect the 192b ECDSA tests to fail in fips mode - -* tests/dsa-rfc6979.c (check_dsa_rfc6979): Expect ECDSA 192b keys to - fail in FIPS mode. - (main): Detect FIPS mode. --- -The 192b ECDSA curve is not FIPS approved so it does not work. This adds -a flag to the list of the keys to mark if it is expected to work in FIPS -mode. - -Signed-off-by: Jakub Jelen ---- - tests/dsa-rfc6979.c | 24 +++++++++++++++++------- - 1 file changed, 17 insertions(+), 7 deletions(-) - -diff --git a/tests/dsa-rfc6979.c b/tests/dsa-rfc6979.c -index 7d3d2080..0f124575 100644 ---- a/tests/dsa-rfc6979.c -+++ b/tests/dsa-rfc6979.c -@@ -33,6 +33,7 @@ - #define PGM "dsa-rfc6979" - #include "t-common.h" - -+static int in_fips_mode = 0; - - static void - show_sexp (const char *prefix, gcry_sexp_t a) -@@ -111,6 +112,7 @@ check_dsa_rfc6979 (void) - static struct { - const char *name; - const char *key; -+ int fips; - } keys[] = { - { - "DSA, 1024 bits", -@@ -130,7 +132,7 @@ check_dsa_rfc6979 (void) - " 92195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D" - " 4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E6" - " 82F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B#)" -- " ))" -+ " ))", 1 - }, - { - "DSA, 2048 bits", -@@ -162,7 +164,7 @@ check_dsa_rfc6979 (void) - " 687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D1" - " 23AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA" - " 74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF#)" -- " ))" -+ " ))", 1 - }, - { - "ECDSA, 192 bits (prime field)", -@@ -172,7 +174,7 @@ check_dsa_rfc6979 (void) - " (q #04AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56" - " 3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43#)" - " (d #6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4#)" -- " ))" -+ " ))", 0 - }, - { - "ECDSA, 224 bits (prime field)", -@@ -183,7 +185,7 @@ check_dsa_rfc6979 (void) - " 00CF08DA5AD719E42707FA431292DEA11244D64FC51610D94B130D6C" - " EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A#)" - " (d #F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1#)" -- " ))" -+ " ))", 1 - }, - { - "ECDSA, 256 bits (prime field)", -@@ -194,7 +196,7 @@ check_dsa_rfc6979 (void) - " 60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6" - " 7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299#)" - " (d #C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721#)" -- " ))" -+ " ))", 1 - }, - { - "ECDSA, 384 bits (prime field)", -@@ -208,7 +210,7 @@ check_dsa_rfc6979 (void) - " 288B231C3AE0D4FE7344FD2533264720#)" - " (d #6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D8" - " 96D5724E4C70A825F872C9EA60D2EDF5#)" -- " ))" -+ " ))", 1 - }, - { - "ECDSA, 521 bits (prime field)", -@@ -225,7 +227,7 @@ check_dsa_rfc6979 (void) - " (d #FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75" - " CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B8" - " 3538#)" -- " ))" -+ " ))", 1 - }, - { NULL } - }; -@@ -937,6 +939,12 @@ check_dsa_rfc6979 (void) - die ("building data sexp failed: %s\n", gpg_strerror (err)); - - err = gcry_pk_sign (&sig, data, seckey); -+ if (in_fips_mode && !keys[i].fips) -+ { -+ if (!err) -+ fail ("signing should not work in FIPS mode: %s\n", gpg_strerror (err)); -+ continue; -+ } - if (err) - fail ("signing failed: %s\n", gpg_strerror (err)); - -@@ -972,6 +980,8 @@ main (int argc, char **argv) - die ("version mismatch; pgm=%s, library=%s\n", - GCRYPT_VERSION,gcry_check_version (NULL)); - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); -+ if (gcry_fips_mode_active ()) -+ in_fips_mode = 1; - if (debug) - xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0)); - /* No valuable keys are create, so we can speed up our RNG. */ --- -2.31.1 - - -From d4a52861e7d0d1871f4c1d32bc0815f0824eb9ab Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Tue, 13 Jul 2021 10:32:33 +0200 -Subject: [PATCH 6/8] tests: Skip secmem overflow test in FIPS mode - -* tests/t-secmem.c (main): Skip overflow tests in FIPS mode because they - are fatal and there is no way to override the outofcore handler. --- - -Signed-off-by: Jakub Jelen ---- - tests/t-secmem.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/tests/t-secmem.c b/tests/t-secmem.c -index 2b769134..692c0f1a 100644 ---- a/tests/t-secmem.c -+++ b/tests/t-secmem.c -@@ -37,6 +37,7 @@ - #define MINIMUM_POOL_SIZE 16384 - static size_t pool_size; - static size_t chunk_size; -+static int in_fips_mode = 0; - - static void - test_secmem (void) -@@ -182,8 +183,11 @@ main (int argc, char **argv) - xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u , 0)); - xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); - xgcry_control ((GCRYCTL_INIT_SECMEM, pool_size, 0)); -+ /* This is ignored in FIPS Mode */ - gcry_set_outofcore_handler (outofcore_handler, NULL); - xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0)); -+ if (gcry_fips_mode_active ()) -+ in_fips_mode = 1; - - /* Libgcrypt prints a warning when the first overflow is allocated; - * we do not want to see that. */ -@@ -192,7 +196,8 @@ main (int argc, char **argv) - - - test_secmem (); -- test_secmem_overflow (); -+ if (!in_fips_mode) -+ test_secmem_overflow (); - /* FIXME: We need to improve the tests, for example by registering - * our own log handler and comparing the output of - * PRIV_CTL_DUMP_SECMEM_STATS to expected pattern. */ --- -2.31.1 - - -From fc6de9c7b48ab45deb8ea84d1c768e4f056edb08 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Tue, 13 Jul 2021 10:52:00 +0200 -Subject: [PATCH 7/8] tests: Transient DSA keys work in FIPS mode - -* tests/pubkey.c (check_run): Enable tests with DSA transient keys which - work in FIPS. --- - -Signed-off-by: Jakub Jelen ---- - tests/pubkey.c | 15 ++++++--------- - 1 file changed, 6 insertions(+), 9 deletions(-) - -diff --git a/tests/pubkey.c b/tests/pubkey.c -index 754952ee..cd51e0a2 100644 ---- a/tests/pubkey.c -+++ b/tests/pubkey.c -@@ -680,15 +680,12 @@ check_run (void) - gcry_sexp_release (pkey); - gcry_sexp_release (skey); - -- if (!gcry_fips_mode_active ()) -- { -- if (verbose) -- fprintf (stderr, "Generating transient DSA key.\n"); -- get_dsa_key_new (&pkey, &skey, 1); -- /* Fixme: Add a check function for DSA keys. */ -- gcry_sexp_release (pkey); -- gcry_sexp_release (skey); -- } -+ if (verbose) -+ fprintf (stderr, "Generating transient DSA key.\n"); -+ get_dsa_key_new (&pkey, &skey, 1); -+ /* Fixme: Add a check function for DSA keys. */ -+ gcry_sexp_release (pkey); -+ gcry_sexp_release (skey); - - if (verbose) - fprintf (stderr, "Generating DSA key (FIPS 186).\n"); --- -2.31.1 - - -From e68b538008063938b9b054f18e56e9f27bb3a720 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Tue, 13 Jul 2021 10:53:13 +0200 -Subject: [PATCH 8/8] tests: Generating DSA from domain should fail in FIPS - mode - -* tests/pubkey.c (get_dsa_key_with_domain_new): Expect failure in FIPS - mode - (check_x931_derived_key): Simplify testing for FIPS mode. - (main): Check for fips mode. --- - -Signed-off-by: Jakub Jelen ---- - tests/pubkey.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/tests/pubkey.c b/tests/pubkey.c -index cd51e0a2..7209f44e 100644 ---- a/tests/pubkey.c -+++ b/tests/pubkey.c -@@ -29,6 +29,7 @@ - #define PGM "pubkey" - #include "t-common.h" - -+static int in_fips_mode; - - /* Sample RSA keys, taken from basic.c. */ - -@@ -518,6 +519,14 @@ get_dsa_key_with_domain_new (gcry_sexp_t *pkey, gcry_sexp_t *skey) - die ("error creating S-expression: %s\n", gcry_strerror (rc)); - rc = gcry_pk_genkey (&key, key_spec); - gcry_sexp_release (key_spec); -+ if (in_fips_mode) -+ { -+ if (!rc) -+ die ("generating DSA key should fail in FIPS mode: %s\n", gcry_strerror (rc)); -+ *pkey = NULL; -+ *skey = NULL; -+ return; -+ } - if (rc) - die ("error generating DSA key: %s\n", gcry_strerror (rc)); - -@@ -899,7 +908,7 @@ check_x931_derived_key (int what) - err = _gcry_pk_util_get_nbits(key_spec, &nbits); - if (err) - die ("nbits not found\n"); -- if (gcry_fips_mode_active() && nbits < 2048) -+ if (in_fips_mode && nbits < 2048) - { - info("RSA key test with %d bits skipped in fips mode\n", nbits); - goto leave; -@@ -1186,6 +1195,9 @@ main (int argc, char **argv) - /* No valuable keys are create, so we can speed up our RNG. */ - xgcry_control ((GCRYCTL_ENABLE_QUICK_RANDOM, 0)); - -+ if (gcry_fips_mode_active ()) -+ in_fips_mode = 1; -+ - for (i=0; i < 2; i++) - check_run (); - -@@ -1193,7 +1205,7 @@ main (int argc, char **argv) - check_x931_derived_key (i); - - check_ecc_sample_key (); -- if (!gcry_fips_mode_active ()) -+ if (!in_fips_mode) - check_ed25519ecdsa_sample_key (); - - return !!error_count; --- -2.31.1 - -commit 61c87070abc4baeb9d847db015e6a3031f349483 -Author: NIIBE Yutaka -Date: Wed Jul 7 15:52:06 2021 +0900 - - tests: Skip unavailable ciphers in FIPS mode. - - * tests/basic.c (_check_poly1305_cipher): - (check_ocb_cipher_largebuf_split): Skip unavailable ciphers when - IN_FIPS_MODE. - (check_ocb_cipher_checksum, check_gost28147_cipher_basic): Likewise. - - -- - - GnuPG-bug-id: 5520 - Signed-off-by: NIIBE Yutaka - -diff --git a/tests/basic.c b/tests/basic.c -index 0a1e8293..43ef122e 100644 ---- a/tests/basic.c -+++ b/tests/basic.c -@@ -5026,6 +5026,14 @@ _check_poly1305_cipher (unsigned int step) - - for (i = 0; i < sizeof (tv) / sizeof (tv[0]); i++) - { -+ if (gcry_cipher_test_algo (tv[i].algo) && in_fips_mode) -+ { -+ if (verbose) -+ fprintf (stderr, " algorithm %d not available in fips mode\n", -+ tv[i].algo); -+ continue; -+ } -+ - if (verbose) - fprintf (stderr, " checking POLY1305 mode for %s [%i]\n", - gcry_cipher_algo_name (tv[i].algo), -@@ -6643,6 +6651,14 @@ check_ocb_cipher_largebuf_split (int algo, int keylen, const char *tagexpect, - memcpy(inbuf + i, hash, 16); - } - -+ if (gcry_cipher_test_algo (algo) && in_fips_mode) -+ { -+ if (verbose) -+ fprintf (stderr, " algorithm %d not available in fips mode\n", -+ algo); -+ goto out_free; -+ } -+ - err = gcry_cipher_open (&hde, algo, GCRY_CIPHER_MODE_OCB, 0); - if (!err) - err = gcry_cipher_open (&hdd, algo, GCRY_CIPHER_MODE_OCB, 0); -@@ -6841,6 +6857,14 @@ check_ocb_cipher_checksum (int algo, int keylen) - blk[byteidx] |= 1 << bitpos; - } - -+ if (gcry_cipher_test_algo (algo) && in_fips_mode) -+ { -+ if (verbose) -+ fprintf (stderr, " algorithm %d not available in fips mode\n", -+ algo); -+ goto out_free; -+ } -+ - err = gcry_cipher_open (&hde, algo, GCRY_CIPHER_MODE_OCB, 0); - if (!err) - err = gcry_cipher_open (&hde2, algo, GCRY_CIPHER_MODE_OCB, 0); -@@ -7651,6 +7675,15 @@ check_gost28147_cipher_basic (enum gcry_cipher_algos algo) - - if (verbose) - fprintf (stderr, " Starting GOST28147 cipher checks.\n"); -+ -+ if (gcry_cipher_test_algo (algo) && in_fips_mode) -+ { -+ if (verbose) -+ fprintf (stderr, " algorithm %d not available in fips mode\n", -+ algo); -+ return; -+ } -+ - keylen = gcry_cipher_get_algo_keylen(algo); - if (!keylen) - { -commit b98ca3f798abd17696f52163665204c4e83d9092 -Author: Jussi Kivilinna -Date: Wed Jul 7 18:21:27 2021 +0300 - - tests/basic: use SHA256 instead of RMD160 for SHAKE extract testing - - * tests/basic.c (check_one_md): Use GCRY_MD_SHA256 as 'crcalgo' for - SHAKE128/SHAKE256 testing. - -- - - RMD160 was used to calculate output checksum from two SHAKE extract - streams, which are run with different extract buffer size but for - same total length and with same input. Patch switches to use SHA256 - for checksumming for FIPS support. - - GnuPG-bug-id: 5520 - Signed-off-by: Jussi Kivilinna - -diff --git a/tests/basic.c b/tests/basic.c -index bc34bb99..eb6d1514 100644 ---- a/tests/basic.c -+++ b/tests/basic.c -@@ -10395,7 +10395,7 @@ check_one_md (int algo, const char *data, int len, const char *expect, int elen, - - if (*data == '!' && !data[1]) - { -- int crcalgo = GCRY_MD_RMD160; -+ int crcalgo = GCRY_MD_SHA256; - gcry_md_hd_t crc1, crc2; - size_t startlen; - size_t piecelen; -commit ccb076e8aabb9c49e7026258b3a36a8422f6bbe4 -Author: NIIBE Yutaka -Date: Wed Jul 7 16:29:48 2021 +0900 - - tests: Fix tests/basic.c for FIPS mode. - - * tests/basic.c (main): Use bare gcry_control for - GCRYCTL_FORCE_FIPS_MODE. - - -- - - GnuPG-bug-id: 5520 - Signed-off-by: NIIBE Yutaka - -diff --git a/tests/basic.c b/tests/basic.c -index 43ef122e..bc34bb99 100644 ---- a/tests/basic.c -+++ b/tests/basic.c -@@ -14610,7 +14610,7 @@ main (int argc, char **argv) - gcry_md_hd_t md; - - /* First trigger a self-test. */ -- xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); -+ gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); - if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) - fail ("not in operational state after self-test\n"); - -@@ -14639,7 +14639,7 @@ main (int argc, char **argv) - { - /* Now run a self-test and to get back into - operational state. */ -- xgcry_control ((GCRYCTL_FORCE_FIPS_MODE, 0)); -+ gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0); - if (!gcry_control (GCRYCTL_OPERATIONAL_P, 0)) - fail ("did not reach operational after error " - "and self-test\n"); diff --git a/libgcrypt.spec b/libgcrypt.spec index 9880c7f..d657930 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,46 +1,11 @@ Name: libgcrypt -Version: 1.9.4 -Release: 2%{?dist} +Version: 1.10.0 +Release: 1%{?dist} URL: https://www.gnupg.org/ -Source0: libgcrypt-%{version}-hobbled.tar.xz -# The original libgcrypt sources now contain potentially patented ECC -# cipher support. We have to remove it in the tarball we ship with -# the hobble-libgcrypt script. -# (We replace it with RH approved ECC in Source4-5) -# rm -rf libgcrypt-x.y.z # make sure there are no leftover files -# tar -xf libgcrypt-x.y.z.tar.bz2 -# pushd libgcrypt-x.y.z && ../hobble-libgcrypt && popd -# tar -cvJf libgcrypt-x.y.z-hobbled.tar.xz libgcrypt-x.y.z -#Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-{version}.tar.bz2 -#Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-{version}.tar.bz2.sig +Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2 +Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig Source2: wk@g10code.com -Source3: hobble-libgcrypt -# Approved ECC support -Source4: ecc-curves.c -Source5: curves.c -Source7: random.conf -Source8: keygrip.c -# make FIPS hmac compatible with fipscheck - non upstreamable -# update on soname bump -Patch2: libgcrypt-1.8.5-use-fipscheck.patch -# modify FIPS RSA and DSA keygen to comply with requirements -Patch5: libgcrypt-1.8.4-fips-keygen.patch -# fix the tests to work correctly in the FIPS mode -Patch6: libgcrypt-1.9.3-fips-tests.patch -# use poll instead of select when gathering randomness -Patch11: libgcrypt-1.8.4-use-poll.patch -# slight optimalization of mpicoder.c to silence Valgrind (#968288) -Patch13: libgcrypt-1.6.1-mpicoder-gccopt.patch -# Run the FIPS mode initialization in the shared library constructor -Patch18: libgcrypt-1.8.3-fips-ctor.patch -# Do not try to open /dev/urandom if getrandom() works -Patch24: libgcrypt-1.8.5-getrandom.patch -# Disable non-approved FIPS hashes in the enforced FIPS mode -Patch27: libgcrypt-1.8.3-md-fips-enforce.patch -# Missing Intel CET support in the library (#1954049) -Patch28: libgcrypt-1.8.5-intel-cet.patch -# FIPS module is redefined a little bit (implicit by kernel FIPS mode) -Patch30: libgcrypt-1.8.5-fips-module.patch +Patch1: libgcrypt-1.10.0-disable-brainpool.patch %global gcrylibdir %{_libdir} %global gcrysoname libgcrypt.so.20 @@ -76,20 +41,7 @@ applications using libgcrypt. %prep %setup -q -%{SOURCE3} -%patch2 -p1 -b .use-fipscheck -%patch5 -p1 -b .fips-keygen -%patch6 -p1 -b .tests-fipsmode -%patch11 -p1 -b .use-poll -%patch13 -p1 -b .gccopt -%patch18 -p1 -b .fips-ctor -%patch24 -p1 -b .getrandom -%patch27 -p1 -b .fips-enforce -%patch28 -p1 -b .intel-cet -%patch30 -p1 -b .fips-module - -cp %{SOURCE4} cipher/ -cp %{SOURCE5} %{SOURCE8} tests/ +%patch1 -p1 %build # This package has a configure test which uses ASMs, but does not link the @@ -101,29 +53,48 @@ cp %{SOURCE5} %{SOURCE8} tests/ # F34, so we use it here explicitly %define _lto_cflags -flto=auto -ffat-lto-objects +grep "Red Hat" /etc/system-release && \ +export FIPS_SWITCH="--with-fips-module-version=RHEL%{?rhel}-%{name}-%{version}-$(date +%Y%m%d)" +grep "Fedora" /etc/system-release && \ +export FIPS_SWITCH="--with-fips-module-version=Fedora%{?fedora}-%{name}-%{version}-$(date +%Y%m%d)" +grep "CentOS" /etc/system-release && \ +export FIPS_SWITCH="--with-fips-module-version=CentOS%{?centos}-%{name}-%{version}-$(date +%Y%m%d)" + +# should be all algorithms except SM3 and SM4 +export DIGESTS='crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2' +export CIPHERS='arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20' + autoreconf -f %configure --disable-static \ %ifarch sparc64 --disable-asm \ %endif --enable-noexecstack \ - --enable-hmac-binary-check \ - --enable-pubkey-ciphers='dsa elgamal rsa ecc' \ - --disable-O-flag-munging + --enable-hmac-binary-check=%{hmackey} \ + --disable-brainpool \ + --enable-digests="$DIGESTS" \ + --enable-ciphers="$CIPHERS" \ + $FIPS_SWITCH sed -i -e '/^sys_lib_dlsearch_path_spec/s,/lib /usr/lib,/usr/lib /lib64 /usr/lib64 /lib,g' libtool %make_build %check -src/hmac256 %{hmackey} src/.libs/%{gcrysoname} | cut -f1 -d ' ' >src/.libs/.%{gcrysoname}.hmac - make check +# try in faked FIPS mode too +LIBGCRYPT_FORCE_FIPS_MODE=1 make check # Add generation of HMAC checksums of the final stripped binaries +%define libpath $RPM_BUILD_ROOT%{gcrylibdir}/%{gcrysoname}.?.? %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - src/hmac256 %{hmackey} $RPM_BUILD_ROOT%{gcrylibdir}/%{gcrysoname} | cut -f1 -d ' ' >$RPM_BUILD_ROOT%{gcrylibdir}/.%{gcrysoname}.hmac \ + dd if=/dev/zero of=%{libpath}.hmac bs=32 count=1 \ + objcopy --update-section .rodata1=%{libpath}.hmac %{libpath} %{libpath}.empty \ + src/hmac256 --binary %{hmackey} %{libpath}.empty > %{libpath}.hmac \ + objcopy --update-section .rodata1=%{libpath}.hmac %{libpath}.empty %{libpath}.new \ + mv -f %{libpath}.new %{libpath} \ + rm -f %{libpath}.hmac %{libpath}.empty %{nil} %install @@ -168,16 +139,13 @@ popd # Create /etc/gcrypt (hardwired, not dependent on the configure invocation) so # that _someone_ owns it. mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt -install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf %ldconfig_scriptlets %files %dir /etc/gcrypt -%config(noreplace) /etc/gcrypt/random.conf %{gcrylibdir}/libgcrypt.so.*.* %{gcrylibdir}/%{gcrysoname} -%{gcrylibdir}/.%{gcrysoname}.hmac %license COPYING.LIB %doc AUTHORS NEWS THANKS @@ -196,6 +164,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf %license COPYING %changelog +* Wed Feb 02 2022 Jakub Jelen - 1.10.0-1 +- New upstream release (#2049322) + * Thu Jan 20 2022 Fedora Release Engineering - 1.9.4-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild diff --git a/random.conf b/random.conf deleted file mode 100644 index 6041bcd..0000000 --- a/random.conf +++ /dev/null @@ -1,4 +0,0 @@ -# use only /dev/urandom - see https://www.2uo.de/myths-about-urandom/ -only-urandom -# Keep jitter entropy generator enabled (should do no harm) -#disable-jent diff --git a/sources b/sources index 8d0f1cb..745f52b 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (libgcrypt-1.9.4-hobbled.tar.xz) = 80b1b2159ec3c7795450037d76d81b737f2734f1cff72c8aa6ac8c1a5654ece4fce0aabfbed0cce99d123747831db135df0d040f67081052cb2363bf52f5d4e6 +SHA512 (libgcrypt-1.10.0.tar.bz2) = 785c2e14272308956bb6adcea9567c4097edf103122e18cd3907fb42a110a48a5d59c0057f05a438acd7f221c70c7f7ff87e176bd6d7ed99d16e847f9d7be087 +SHA512 (libgcrypt-1.10.0.tar.bz2.sig) = 75201612225b206faaae284297e92d1b25dcaf0665bcf1f4c5cc9a3a750a803063d0f7bd0af556dbe419f1276c953ce047554fd18a144a90085a42a7ec885168