add cleared ECC support

2013-10-21 17:50:29 +01:00 · 2013-10-21 17:50:29 +01:00 · 5eab7fdca5
commit 5eab7fdca5
parent 0551bce381
4 changed files with 1852 additions and 6 deletions
--- a/curves.c
+++ b/curves.c
@ -0,0 +1,166 @@
+/* curves.c -  ECC curves regression tests
+ *	Copyright (C) 2011 Free Software Foundation, Inc.
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+#include "../src/gcrypt.h"
+
+/* Number of curves defined in ../cipger/ecc.c */
+#define N_CURVES 2
+
+/* A real world sample public key.  */
+static char const sample_key_1[] =
+"(public-key\n"
+" (ecdsa\n"
+"  (p #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF#)\n"
+"  (a #00FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC#)\n"
+"  (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)\n"
+"  (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
+        "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)\n"
+"  (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)\n"
+"  (q #0442B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146EE"
+      "86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E#)\n"
+"  ))";
+static char const sample_key_1_curve[] = "NIST P-256";
+static unsigned int sample_key_1_nbits = 256;
+
+/* Program option flags.  */
+static int verbose;
+static int error_count;
+
+static void
+fail (const char *format, ...)
+{
+  va_list arg_ptr;
+
+  va_start (arg_ptr, format);
+  vfprintf (stderr, format, arg_ptr);
+  va_end (arg_ptr);
+  error_count++;
+}
+
+static void
+die (const char *format, ...)
+{
+  va_list arg_ptr;
+
+  va_start (arg_ptr, format);
+  vfprintf (stderr, format, arg_ptr);
+  va_end (arg_ptr);
+  exit (1);
+}
+
+
+static void
+list_curves (void)
+{
+  int idx;
+  const char *name;
+  unsigned int nbits;
+
+  for (idx=0; (name = gcry_pk_get_curve (NULL, idx, &nbits)); idx++)
+    {
+      if (verbose)
+        printf ("%s - %u bits\n", name, nbits);
+    }
+  if (idx != N_CURVES)
+    fail ("expected %d curves but got %d\n", N_CURVES, idx);
+  if (gcry_pk_get_curve (NULL, -1, NULL))
+    fail ("curve iteration failed\n");
+}
+
+
+static void
+check_matching (void)
+{
+  gpg_error_t err;
+  gcry_sexp_t key;
+  const char *name;
+  unsigned int nbits;
+
+  err = gcry_sexp_new (&key, sample_key_1, 0, 1);
+  if (err)
+    die ("parsing s-expression string failed: %s\n", gpg_strerror (err));
+  name = gcry_pk_get_curve (key, 0, &nbits);
+  if (!name)
+    fail ("curve name not found for sample_key_1\n");
+  else if (strcmp (name, sample_key_1_curve))
+    fail ("expected curve name %s but got %s for sample_key_1\n",
+          sample_key_1_curve, name);
+  else if (nbits != sample_key_1_nbits)
+    fail ("expected curve size %u but got %u for sample_key_1\n",
+          sample_key_1_nbits, nbits);
+
+  gcry_sexp_release (key);
+
+}
+
+
+static void
+check_get_params (void)
+{
+  gcry_sexp_t param;
+  const char *name;
+
+  param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_1_curve);
+  if (!param)
+    fail ("error gerring parameters for `%s'\n", sample_key_1_curve);
+
+  name = gcry_pk_get_curve (param, 0, NULL);
+  if (!name)
+    fail ("get_param: curve name not found for sample_key_1\n");
+  else if (strcmp (name, sample_key_1_curve))
+    fail ("get_param: expected curve name %s but got %s for sample_key_1\n",
+          sample_key_1_curve, name);
+
+  gcry_sexp_release (param);
+
+}
+
+
+int
+main (int argc, char **argv)
+{
+  int debug = 0;
+
+  if (argc > 1 && !strcmp (argv[1], "--verbose"))
+    verbose = 1;
+  else if (argc > 1 && !strcmp (argv[1], "--debug"))
+    verbose = debug = 1;
+
+  if (!gcry_check_version (GCRYPT_VERSION))
+    die ("version mismatch\n");
+
+  gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+  if (debug)
+    gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
+  list_curves ();
+  check_matching ();
+  check_get_params ();
+
+  return error_count ? 1 : 0;
+}
--- a/ecc.c
+++ b/ecc.c
--- a/libgcrypt-1.5.3-ecc-test-fix.patch
+++ b/libgcrypt-1.5.3-ecc-test-fix.patch
@ -0,0 +1,12 @@
+diff -up libgcrypt-1.5.3/tests/benchmark.c.eccfix libgcrypt-1.5.3/tests/benchmark.c
+--- libgcrypt-1.5.3/tests/benchmark.c.eccfix	2013-10-20 23:45:32.157297611 +0100
+++ libgcrypt-1.5.3/tests/benchmark.c	2013-10-20 23:45:42.683275072 +0100
+@@ -962,7 +962,7 @@ ecc_bench (int iterations, int print_hea
+ {
+ #if USE_ECC
+   gpg_error_t err;
+-  int p_sizes[] = { 192, 224, 256, 384, 521 };
+  int p_sizes[] = { 256, 384 };
+   int testno;
+ 
+   if (print_header)
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -1,17 +1,19 @@
 Name: libgcrypt
 Version: 1.5.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: http://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
 # The original libgcrypt sources now contain potentially patented ECC
 # cipher support. We have to remove it in the tarball we ship with
 # the hobble-libgcrypt script. 
+# (We replace it with RH approved ECC in Source4-5)
 #Source0: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
 #Source1: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
 Source2: wk@g10code.com
 Source3: hobble-libgcrypt
-# do not run the ecc curves test
-Patch1: libgcrypt-1.5.0-noecc.patch
+# Approved ECC support (from 1.5.3)
+Source4: ecc.c
+Source5: curves.c
 # make FIPS hmac compatible with fipscheck - non upstreamable
 Patch2: libgcrypt-1.5.0-use-fipscheck.patch
 # fix tests in the FIPS mode, fix the FIPS-186-3 DSA keygen
@ -29,6 +31,8 @@ Patch11: libgcrypt-1.5.1-use-poll.patch
 Patch12: libgcrypt-1.5.2-aliasing.patch
 # slight optimalization of mpicoder.c to silence Valgrind (#968288)
 Patch13: libgcrypt-1.5.2-mpicoder-gccopt.patch
+# fix tests to work with approved ECC
+Patch14: libgcrypt-1.5.3-ecc-test-fix.patch

 %define gcrylibdir %{_libdir}

@ -64,7 +68,6 @@ applications using libgcrypt.
 %prep
 %setup -q
 %{SOURCE3}
-%patch1 -p1 -b .noecc
 %patch2 -p1 -b .use-fipscheck
 %patch5 -p1 -b .tests
 %patch6 -p1 -b .cfgrandom
@ -73,6 +76,10 @@ applications using libgcrypt.
 %patch11 -p1 -b .use-poll
 %patch12 -p1 -b .aliasing
 %patch13 -p1 -b .gccopt
+%patch14 -p1 -b .eccfix
+cp %{SOURCE4} cipher/
+rm -rf tests/curves.c
+cp %{SOURCE5} tests/curves.c

 %build
 %configure --disable-static \
@ -81,7 +88,7 @@ applications using libgcrypt.
 %endif
     --enable-noexecstack \
     --enable-hmac-binary-check \
-     --enable-pubkey-ciphers='dsa elgamal rsa' \
+     --enable-pubkey-ciphers='dsa elgamal rsa ecc' \
     --disable-O-flag-munging
 make %{?_smp_mflags}

@ -174,6 +181,9 @@ exit 0
 %doc COPYING

 %changelog
+* Sun Oct 20 2013 Tom Callaway <spot@fedoraproject.org> - 1.5.3-2
+- add cleared ECC support
+
 * Fri Jul 26 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.3-1
 - new upstream version fixing cache side-channel attack on RSA private keys