Page Menu
Home
GnuPG
Search
Configure Global Search
Log In
Files
F20065057
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Size
120 KB
Subscribers
None
View Options
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 783e249d..1e80200e 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -1,2086 +1,2052 @@
/* ecc.c - Elliptic Curve Cryptography
* Copyright (C) 2007, 2008, 2010, 2011 Free Software Foundation, Inc.
* Copyright (C) 2013, 2015 g10 Code GmbH
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/* This code is originally based on the Patch 0.1.6 for the gnupg
1.4.x branch as retrieved on 2007-03-21 from
http://www.calcurco.cat/eccGnuPG/src/gnupg-1.4.6-ecc0.2.0beta1.diff.bz2
The original authors are:
Written by
Sergi Blanch i Torne <d4372211 at alumnes.eup.udl.es>,
Ramiro Moreno Chiral <ramiro at eup.udl.es>
Maintainers
Sergi Blanch i Torne
Ramiro Moreno Chiral
Mikael Mylnikov (mmr)
For use in Libgcrypt the code has been heavily modified and cleaned
up. In fact there is not much left of the originally code except for
some variable names and the text book implementaion of the sign and
verification algorithms. The arithmetic functions have entirely
been rewritten and moved to mpi/ec.c.
ECDH encrypt and decrypt code written by Andrey Jivsov.
*/
/* TODO:
- In mpi/ec.c we use mpi_powm for x^2 mod p: Either implement a
special case in mpi_powm or check whether mpi_mulm is faster.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "g10lib.h"
#include "mpi.h"
#include "cipher.h"
#include "context.h"
#include "ec-context.h"
#include "pubkey-internal.h"
#include "ecc-common.h"
static const char *ecc_names[] =
{
"ecc",
"ecdsa",
"ecdh",
"eddsa",
"gost",
"sm2",
NULL,
};
/* Sample NIST P-256 key from RFC 6979 A.2.5 */
static const char sample_public_key_secp256[] =
"(public-key"
" (ecc"
" (curve secp256r1)"
" (q #04"
/**/ "60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6"
/**/ "7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299#)))";
static const char sample_secret_key_secp256[] =
"(private-key"
" (ecc"
" (curve secp256r1)"
" (d #C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721#)"
" (q #04"
/**/ "60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6"
/**/ "7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299#)))";
/* Registered progress function and its callback value. */
static void (*progress_cb) (void *, const char*, int, int, int);
static void *progress_cb_data;
/* Local prototypes. */
static void test_keys (mpi_ec_t ec, unsigned int nbits);
-static void test_keys_fips (mpi_ec_t ec, gcry_mpi_t x, gcry_mpi_t y);
+static void test_keys_fips (gcry_sexp_t skey);
static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
static unsigned int ecc_get_nbits (gcry_sexp_t parms);
void
_gcry_register_pk_ecc_progress (void (*cb) (void *, const char *,
int, int, int),
void *cb_data)
{
progress_cb = cb;
progress_cb_data = cb_data;
}
/* static void */
/* progress (int c) */
/* { */
/* if (progress_cb) */
/* progress_cb (progress_cb_data, "pk_ecc", c, 0, 0); */
/* } */
/**
* nist_generate_key - Standard version of the ECC key generation.
* @ec: Elliptic curve computation context.
* @flags: Flags controlling aspects of the creation.
* @r_x: On success this receives an allocated MPI with the affine
* x-coordinate of the poblic key. On error NULL is stored.
* @r_y: Ditto for the y-coordinate.
*
* Return: An error code.
*
* The @flags bits used by this function are %PUBKEY_FLAG_TRANSIENT to
* use a faster RNG, and %PUBKEY_FLAG_NO_KEYTEST to skip the assertion
* that the key works as expected.
*
* FIXME: Check whether N is needed.
*/
static gpg_err_code_t
nist_generate_key (mpi_ec_t ec, int flags,
gcry_mpi_t *r_x, gcry_mpi_t *r_y)
{
mpi_point_struct Q;
gcry_random_level_t random_level;
gcry_mpi_t x, y;
const unsigned int pbits = ec->nbits;
point_init (&Q);
if ((flags & PUBKEY_FLAG_TRANSIENT_KEY))
random_level = GCRY_STRONG_RANDOM;
else
random_level = GCRY_VERY_STRONG_RANDOM;
/* Generate a secret. */
if (ec->dialect == ECC_DIALECT_ED25519
|| ec->dialect == ECC_DIALECT_SAFECURVE
|| (flags & PUBKEY_FLAG_DJB_TWEAK))
{
char *rndbuf;
int len = (pbits+7)/8;
rndbuf = _gcry_random_bytes_secure (len, random_level);
if (ec->dialect == ECC_DIALECT_SAFECURVE)
ec->d = mpi_set_opaque (NULL, rndbuf, len*8);
else
{
ec->d = mpi_snew (pbits);
if ((pbits % 8))
rndbuf[0] &= (1 << (pbits % 8)) - 1;
rndbuf[0] |= (1 << ((pbits + 7) % 8));
rndbuf[len-1] &= (256 - ec->h);
_gcry_mpi_set_buffer (ec->d, rndbuf, len, 0);
xfree (rndbuf);
}
}
else
ec->d = _gcry_dsa_gen_k (ec->n, random_level);
/* Compute Q. */
_gcry_mpi_ec_mul_point (&Q, ec->d, ec->G, ec);
x = mpi_new (pbits);
if (r_y == NULL)
y = NULL;
else
y = mpi_new (pbits);
if (_gcry_mpi_ec_get_affine (x, y, &Q, ec))
log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "Q");
/* We want the Q=(x,y) be a "compliant key" in terms of the
* http://tools.ietf.org/html/draft-jivsov-ecc-compact, which simply
* means that we choose either Q=(x,y) or -Q=(x,p-y) such that we
* end up with the min(y,p-y) as the y coordinate. Such a public
* key allows the most efficient compression: y can simply be
* dropped because we know that it's a minimum of the two
* possibilities without any loss of security. Note that we don't
* do that for Ed25519 so that we do not violate the special
* construction of the secret key. */
if (r_y == NULL || ec->dialect == ECC_DIALECT_ED25519)
ec->Q = mpi_point_set (NULL, Q.x, Q.y, Q.z);
else
{
gcry_mpi_t negative;
negative = mpi_new (pbits);
if (ec->model == MPI_EC_WEIERSTRASS)
mpi_sub (negative, ec->p, y); /* negative = p - y */
else
mpi_sub (negative, ec->p, x); /* negative = p - x */
if (mpi_cmp (negative, y) < 0) /* p - y < p */
{
/* We need to end up with -Q; this assures that new Q's y is
the smallest one */
if (ec->model == MPI_EC_WEIERSTRASS)
{
mpi_free (y);
y = negative;
}
else
{
mpi_free (x);
x = negative;
}
mpi_sub (ec->d, ec->n, ec->d); /* d = order - d */
ec->Q = mpi_point_set (NULL, x, y, mpi_const (MPI_C_ONE));
if (DBG_CIPHER)
log_debug ("ecgen converted Q to a compliant point\n");
}
else /* p - y >= p */
{
/* No change is needed exactly 50% of the time: just copy. */
mpi_free (negative);
ec->Q = mpi_point_set (NULL, Q.x, Q.y, Q.z);
if (DBG_CIPHER)
log_debug ("ecgen didn't need to convert Q to a compliant point\n");
}
}
*r_x = x;
if (r_y)
*r_y = y;
point_free (&Q);
/* Now we can test our keys (this should never fail!). */
if ((flags & PUBKEY_FLAG_NO_KEYTEST))
; /* User requested to skip the test. */
else if (ec->model == MPI_EC_MONTGOMERY)
test_ecdh_only_keys (ec, ec->nbits - 63, flags);
- else if (fips_mode ())
- test_keys_fips (ec, x, y);
- else
+ else if (!fips_mode ())
test_keys (ec, ec->nbits - 64);
return 0;
}
/*
* To verify correct skey it use a random information.
* First, encrypt and decrypt this dummy value,
* test if the information is recuperated.
* Second, test with the sign and verify functions.
*/
static void
test_keys (mpi_ec_t ec, unsigned int nbits)
{
gcry_mpi_t test = mpi_new (nbits);
mpi_point_struct R_;
gcry_mpi_t c = mpi_new (nbits);
gcry_mpi_t out = mpi_new (nbits);
gcry_mpi_t r = mpi_new (nbits);
gcry_mpi_t s = mpi_new (nbits);
if (DBG_CIPHER)
log_debug ("Testing key.\n");
point_init (&R_);
_gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
if (_gcry_ecc_ecdsa_sign (test, NULL, ec, r, s, 0, 0) )
log_fatal ("ECDSA operation: sign failed\n");
if (_gcry_ecc_ecdsa_verify (test, ec, r, s, 0, 0))
{
log_fatal ("ECDSA operation: sign, verify failed\n");
}
if (DBG_CIPHER)
log_debug ("ECDSA operation: sign, verify ok.\n");
point_free (&R_);
mpi_free (s);
mpi_free (r);
mpi_free (out);
mpi_free (c);
mpi_free (test);
}
/* We should get here only with the NIST curves as they are the only ones
* having the fips bit set in ecc_domain_parms_t struct so this is slightly
* simpler than the whole ecc_generate function */
static void
-test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
+test_keys_fips (gcry_sexp_t skey)
{
gcry_md_hd_t hd = NULL;
const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
- gcry_sexp_t skey = NULL, pkey = NULL;
- gcry_sexp_t curve_info = NULL;
gcry_sexp_t sig = NULL;
- gcry_mpi_t public = NULL;
char plaintext[128];
int rc;
- /* Build keys structures */
- if (ec->name)
- {
- rc = sexp_build (&curve_info, NULL, "(curve %s)", ec->name);
- if (rc)
- log_fatal ("ECDSA operation: failed to build curve_info\n");
- }
-
- public = _gcry_ecc_ec2os (Qx, Qy, ec->p);
- rc = sexp_build (&pkey, NULL,
- "(key-data"
- " (public-key"
- " (ecc%S(q%m)))"
- " )",
- curve_info,
- public);
- if (rc)
- log_fatal ("ECDSA operation: failed to build public key: %s\n", gpg_strerror (rc));
- rc = sexp_build (&skey, NULL,
- "(key-data"
- " (private-key"
- " (ecc%S(q%m)(d%m)))"
- " )",
- curve_info,
- public, ec->d);
- if (rc)
- log_fatal ("ECDSA operation: failed to build private key: %s\n", gpg_strerror (rc));
-
/* Create a random plaintext. */
_gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
/* Open MD context and feed the random data in */
rc = _gcry_md_open (&hd, GCRY_MD_SHA256, 0);
if (rc)
log_fatal ("ECDSA operation: failed to initialize MD context: %s\n", gpg_strerror (rc));
_gcry_md_write (hd, plaintext, sizeof(plaintext));
/* Sign the data */
rc = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
if (rc)
log_fatal ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
/* Verify this signature. */
- rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (rc)
log_fatal ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
/* Modify the data and check that the signing fails. */
_gcry_md_reset(hd);
plaintext[sizeof plaintext / 2] ^= 1;
_gcry_md_write (hd, plaintext, sizeof(plaintext));
- rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (rc != GPG_ERR_BAD_SIGNATURE)
log_fatal ("ECDSA operation: signature verification worked on modified data\n");
- mpi_free (public);
- sexp_release (curve_info);
_gcry_md_close (hd);
- sexp_release (pkey);
- sexp_release (skey);
sexp_release (sig);
}
static void
test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags)
{
gcry_mpi_t test;
mpi_point_struct R_;
gcry_mpi_t x0, x1;
if (DBG_CIPHER)
log_debug ("Testing ECDH only key.\n");
point_init (&R_);
if (ec->dialect == ECC_DIALECT_SAFECURVE || (flags & PUBKEY_FLAG_DJB_TWEAK))
{
char *rndbuf;
const unsigned int pbits = ec->nbits;
int len = (pbits+7)/8;
rndbuf = _gcry_random_bytes (len, GCRY_WEAK_RANDOM);
if (ec->dialect == ECC_DIALECT_SAFECURVE)
test = mpi_set_opaque (NULL, rndbuf, len*8);
else
{
test = mpi_new (pbits);
if ((pbits % 8))
rndbuf[0] &= (1 << (pbits % 8)) - 1;
rndbuf[0] |= (1 << ((pbits + 7) % 8));
rndbuf[len-1] &= (256 - ec->h);
_gcry_mpi_set_buffer (test, rndbuf, len, 0);
xfree (rndbuf);
}
}
else
{
test = mpi_new (nbits);
_gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
}
x0 = mpi_new (0);
x1 = mpi_new (0);
/* R_ = hkQ <=> R_ = hkdG */
_gcry_mpi_ec_mul_point (&R_, test, ec->Q, ec);
if (ec->dialect == ECC_DIALECT_STANDARD && !(flags & PUBKEY_FLAG_DJB_TWEAK))
_gcry_mpi_ec_mul_point (&R_, _gcry_mpi_get_const (ec->h), &R_, ec);
if (_gcry_mpi_ec_get_affine (x0, NULL, &R_, ec))
log_fatal ("ecdh: Failed to get affine coordinates for hkQ\n");
_gcry_mpi_ec_mul_point (&R_, test, ec->G, ec);
_gcry_mpi_ec_mul_point (&R_, ec->d, &R_, ec);
/* R_ = hdkG */
if (ec->dialect == ECC_DIALECT_STANDARD && !(flags & PUBKEY_FLAG_DJB_TWEAK))
_gcry_mpi_ec_mul_point (&R_, _gcry_mpi_get_const (ec->h), &R_, ec);
if (_gcry_mpi_ec_get_affine (x1, NULL, &R_, ec))
log_fatal ("ecdh: Failed to get affine coordinates for hdkG\n");
if (mpi_cmp (x0, x1))
{
log_fatal ("ECDH test failed.\n");
}
mpi_free (x0);
mpi_free (x1);
point_free (&R_);
mpi_free (test);
}
/*
* To check the validity of the value, recalculate the correspondence
* between the public value and the secret one.
*/
static int
check_secret_key (mpi_ec_t ec, int flags)
{
int rc = 1;
mpi_point_struct Q;
gcry_mpi_t x1, y1;
gcry_mpi_t x2 = NULL;
gcry_mpi_t y2 = NULL;
point_init (&Q);
x1 = mpi_new (0);
if (ec->model == MPI_EC_MONTGOMERY)
y1 = NULL;
else
y1 = mpi_new (0);
/* G in E(F_p) */
if (!_gcry_mpi_ec_curve_point (ec->G, ec))
{
if (DBG_CIPHER)
log_debug ("Bad check: Point 'G' does not belong to curve 'E'!\n");
goto leave;
}
/* G != PaI */
if (!mpi_cmp_ui (ec->G->z, 0))
{
if (DBG_CIPHER)
log_debug ("Bad check: 'G' cannot be Point at Infinity!\n");
goto leave;
}
/* Check order of curve. */
if (ec->dialect == ECC_DIALECT_STANDARD && !(flags & PUBKEY_FLAG_DJB_TWEAK))
{
_gcry_mpi_ec_mul_point (&Q, ec->n, ec->G, ec);
if (mpi_cmp_ui (Q.z, 0))
{
if (DBG_CIPHER)
log_debug ("check_secret_key: E is not a curve of order n\n");
goto leave;
}
}
/* Pubkey cannot be PaI */
if (!mpi_cmp_ui (ec->Q->z, 0))
{
if (DBG_CIPHER)
log_debug ("Bad check: Q can not be a Point at Infinity!\n");
goto leave;
}
/* pubkey = [d]G over E */
if (!_gcry_ecc_compute_public (&Q, ec))
{
if (DBG_CIPHER)
log_debug ("Bad check: computation of dG failed\n");
goto leave;
}
if (_gcry_mpi_ec_get_affine (x1, y1, &Q, ec))
{
if (DBG_CIPHER)
log_debug ("Bad check: Q can not be a Point at Infinity!\n");
goto leave;
}
if ((flags & PUBKEY_FLAG_EDDSA)
|| (ec->model == MPI_EC_EDWARDS && ec->dialect == ECC_DIALECT_SAFECURVE))
; /* Fixme: EdDSA is special. */
else if (!mpi_cmp_ui (ec->Q->z, 1))
{
/* Fast path if Q is already in affine coordinates. */
if (mpi_cmp (x1, ec->Q->x) || (y1 && mpi_cmp (y1, ec->Q->y)))
{
if (DBG_CIPHER)
log_debug
("Bad check: There is NO correspondence between 'd' and 'Q'!\n");
goto leave;
}
}
else
{
x2 = mpi_new (0);
y2 = mpi_new (0);
if (_gcry_mpi_ec_get_affine (x2, y2, ec->Q, ec))
{
if (DBG_CIPHER)
log_debug ("Bad check: Q can not be a Point at Infinity!\n");
goto leave;
}
if (mpi_cmp (x1, x2) || mpi_cmp (y1, y2))
{
if (DBG_CIPHER)
log_debug
("Bad check: There is NO correspondence between 'd' and 'Q'!\n");
goto leave;
}
}
rc = 0; /* Okay. */
leave:
mpi_free (x2);
mpi_free (x1);
mpi_free (y1);
mpi_free (y2);
point_free (&Q);
return rc;
}
/*********************************************
************** interface ******************
*********************************************/
static gcry_err_code_t
ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
{
gpg_err_code_t rc;
gcry_mpi_t Gx = NULL;
gcry_mpi_t Gy = NULL;
gcry_mpi_t Qx = NULL;
gcry_mpi_t Qy = NULL;
mpi_ec_t ec = NULL;
gcry_sexp_t curve_info = NULL;
gcry_sexp_t curve_flags = NULL;
gcry_mpi_t base = NULL;
gcry_mpi_t public = NULL;
int flags = 0;
rc = _gcry_mpi_ec_internal_new (&ec, &flags, "ecgen curve", genparms, NULL);
if (rc)
goto leave;
if ((flags & PUBKEY_FLAG_EDDSA)
|| (ec->model == MPI_EC_EDWARDS && ec->dialect == ECC_DIALECT_SAFECURVE))
rc = _gcry_ecc_eddsa_genkey (ec, flags);
else if (ec->model == MPI_EC_MONTGOMERY)
rc = nist_generate_key (ec, flags, &Qx, NULL);
else
rc = nist_generate_key (ec, flags, &Qx, &Qy);
if (rc)
goto leave;
/* Copy data to the result. */
Gx = mpi_new (0);
Gy = mpi_new (0);
if (ec->model != MPI_EC_MONTGOMERY)
{
if (_gcry_mpi_ec_get_affine (Gx, Gy, ec->G, ec))
log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "G");
base = _gcry_ecc_ec2os (Gx, Gy, ec->p);
}
if (((ec->dialect == ECC_DIALECT_SAFECURVE && ec->model == MPI_EC_EDWARDS)
|| ec->dialect == ECC_DIALECT_ED25519 || ec->model == MPI_EC_MONTGOMERY)
&& !(flags & PUBKEY_FLAG_NOCOMP))
{
unsigned char *encpk;
unsigned int encpklen;
if (ec->model == MPI_EC_MONTGOMERY)
rc = _gcry_ecc_mont_encodepoint (Qx, ec->nbits,
ec->dialect != ECC_DIALECT_SAFECURVE,
&encpk, &encpklen);
else
/* (Gx and Gy are used as scratch variables) */
rc = _gcry_ecc_eddsa_encodepoint (ec->Q, ec, Gx, Gy,
(ec->dialect != ECC_DIALECT_SAFECURVE
&& !!(flags & PUBKEY_FLAG_COMP)),
&encpk, &encpklen);
if (rc)
goto leave;
public = mpi_new (0);
mpi_set_opaque (public, encpk, encpklen*8);
}
else
{
if (!Qx)
{
/* This is the case for a key from _gcry_ecc_eddsa_generate
with no compression. */
Qx = mpi_new (0);
Qy = mpi_new (0);
if (_gcry_mpi_ec_get_affine (Qx, Qy, ec->Q, ec))
log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "Q");
}
public = _gcry_ecc_ec2os (Qx, Qy, ec->p);
}
if (ec->name)
{
rc = sexp_build (&curve_info, NULL, "(curve %s)", ec->name);
if (rc)
goto leave;
}
if ((flags & PUBKEY_FLAG_PARAM) || (flags & PUBKEY_FLAG_EDDSA)
|| (flags & PUBKEY_FLAG_DJB_TWEAK))
{
rc = sexp_build
(&curve_flags, NULL,
((flags & PUBKEY_FLAG_PARAM) && (flags & PUBKEY_FLAG_EDDSA))?
"(flags param eddsa)" :
((flags & PUBKEY_FLAG_PARAM) && (flags & PUBKEY_FLAG_DJB_TWEAK))?
"(flags param djb-tweak)" :
((flags & PUBKEY_FLAG_PARAM))?
"(flags param)" : ((flags & PUBKEY_FLAG_EDDSA))?
"(flags eddsa)" : "(flags djb-tweak)" );
if (rc)
goto leave;
}
if ((flags & PUBKEY_FLAG_PARAM) && ec->name)
rc = sexp_build (r_skey, NULL,
"(key-data"
" (public-key"
" (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(h%u)(q%m)))"
" (private-key"
" (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(h%u)(q%m)(d%m)))"
" )",
curve_info, curve_flags,
ec->p, ec->a, ec->b, base, ec->n, ec->h, public,
curve_info, curve_flags,
ec->p, ec->a, ec->b, base, ec->n, ec->h, public,
ec->d);
else
rc = sexp_build (r_skey, NULL,
"(key-data"
" (public-key"
" (ecc%S%S(q%m)))"
" (private-key"
" (ecc%S%S(q%m)(d%m)))"
" )",
curve_info, curve_flags,
public,
curve_info, curve_flags,
public, ec->d);
if (rc)
goto leave;
if (DBG_CIPHER)
{
log_printmpi ("ecgen result p", ec->p);
log_printmpi ("ecgen result a", ec->a);
log_printmpi ("ecgen result b", ec->b);
log_printmpi ("ecgen result G", base);
log_printmpi ("ecgen result n", ec->n);
log_debug ("ecgen result h:+%02x\n", ec->h);
log_printmpi ("ecgen result Q", public);
log_printmpi ("ecgen result d", ec->d);
if ((flags & PUBKEY_FLAG_EDDSA))
log_debug ("ecgen result using Ed25519+EdDSA\n");
}
+ if (!(flags & PUBKEY_FLAG_NO_KEYTEST) && fips_mode ())
+ test_keys_fips (*r_skey);
+
leave:
mpi_free (public);
mpi_free (base);
mpi_free (Gx);
mpi_free (Gy);
mpi_free (Qx);
mpi_free (Qy);
_gcry_mpi_ec_free (ec);
sexp_release (curve_flags);
sexp_release (curve_info);
return rc;
}
static gcry_err_code_t
ecc_check_secret_key (gcry_sexp_t keyparms)
{
gcry_err_code_t rc;
int flags = 0;
mpi_ec_t ec = NULL;
/*
* Extract the key.
*/
rc = _gcry_mpi_ec_internal_new (&ec, &flags, "ecc_testkey", keyparms, NULL);
if (rc)
goto leave;
if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n || !ec->Q || !ec->d)
{
rc = GPG_ERR_NO_OBJ;
goto leave;
}
if (check_secret_key (ec, flags))
rc = GPG_ERR_BAD_SECKEY;
leave:
_gcry_mpi_ec_free (ec);
if (DBG_CIPHER)
log_debug ("ecc_testkey => %s\n", gpg_strerror (rc));
return rc;
}
static gcry_err_code_t
ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
{
gcry_err_code_t rc;
struct pk_encoding_ctx ctx;
gcry_mpi_t data = NULL;
gcry_mpi_t k = NULL;
gcry_mpi_t sig_r = NULL;
gcry_mpi_t sig_s = NULL;
mpi_ec_t ec = NULL;
int flags = 0;
_gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN, 0);
/*
* Extract the key.
*/
rc = _gcry_mpi_ec_internal_new (&ec, &flags, "ecc_sign", keyparms, NULL);
if (rc)
goto leave;
if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n || !ec->d)
{
rc = GPG_ERR_NO_OBJ;
goto leave;
}
ctx.flags |= flags;
if (ec->model == MPI_EC_EDWARDS && ec->dialect == ECC_DIALECT_SAFECURVE)
ctx.flags |= PUBKEY_FLAG_EDDSA;
/* Clear hash algo for EdDSA. */
if ((ctx.flags & PUBKEY_FLAG_EDDSA))
ctx.hash_algo = GCRY_MD_NONE;
/* Extract the data. */
rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx);
if (rc)
goto leave;
if (DBG_CIPHER)
log_mpidump ("ecc_sign data", data);
if (ctx.label)
rc = _gcry_mpi_scan (&k, GCRYMPI_FMT_USG, ctx.label, ctx.labellen, NULL);
if (rc)
goto leave;
/* Hash algo is determined by curve in EdDSA. Fill it if not specified. */
if ((ctx.flags & PUBKEY_FLAG_EDDSA) && !ctx.hash_algo)
{
if (ec->dialect == ECC_DIALECT_ED25519)
ctx.hash_algo = GCRY_MD_SHA512;
else if (ec->dialect == ECC_DIALECT_SAFECURVE)
ctx.hash_algo = GCRY_MD_SHAKE256;
}
sig_r = mpi_new (0);
sig_s = mpi_new (0);
if ((ctx.flags & PUBKEY_FLAG_EDDSA))
{
/* EdDSA requires the public key. */
rc = _gcry_ecc_eddsa_sign (data, ec, sig_r, sig_s, &ctx);
if (!rc)
rc = sexp_build (r_sig, NULL,
"(sig-val(eddsa(r%M)(s%M)))", sig_r, sig_s);
}
else if ((ctx.flags & PUBKEY_FLAG_GOST))
{
rc = _gcry_ecc_gost_sign (data, ec, sig_r, sig_s);
if (!rc)
rc = sexp_build (r_sig, NULL,
"(sig-val(gost(r%M)(s%M)))", sig_r, sig_s);
}
else if ((ctx.flags & PUBKEY_FLAG_SM2))
{
rc = _gcry_ecc_sm2_sign (data, ec, sig_r, sig_s,
ctx.flags, ctx.hash_algo);
if (!rc)
rc = sexp_build (r_sig, NULL,
"(sig-val(sm2(r%M)(s%M)))", sig_r, sig_s);
}
else
{
rc = _gcry_ecc_ecdsa_sign (data, k, ec, sig_r, sig_s,
ctx.flags, ctx.hash_algo);
if (!rc)
rc = sexp_build (r_sig, NULL,
"(sig-val(ecdsa(r%M)(s%M)))", sig_r, sig_s);
}
leave:
_gcry_mpi_release (sig_r);
_gcry_mpi_release (sig_s);
_gcry_mpi_release (data);
_gcry_mpi_release (k);
_gcry_mpi_ec_free (ec);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
log_debug ("ecc_sign => %s\n", gpg_strerror (rc));
return rc;
}
static gcry_err_code_t
ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms)
{
gcry_err_code_t rc;
struct pk_encoding_ctx ctx;
gcry_sexp_t l1 = NULL;
gcry_mpi_t sig_r = NULL;
gcry_mpi_t sig_s = NULL;
gcry_mpi_t data = NULL;
int sigflags;
mpi_ec_t ec = NULL;
int flags = 0;
_gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_VERIFY,
ecc_get_nbits (s_keyparms));
/*
* Extract the key.
*/
rc = _gcry_mpi_ec_internal_new (&ec, &flags, "ecc_verify",
s_keyparms, NULL);
if (rc)
goto leave;
if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n || !ec->Q)
{
rc = GPG_ERR_NO_OBJ;
goto leave;
}
if (ec->model == MPI_EC_MONTGOMERY)
{
if (DBG_CIPHER)
log_debug ("ecc_verify: Can't use a Montgomery curve\n");
rc = GPG_ERR_INTERNAL;
goto leave;
}
ctx.flags |= flags;
if (ec->model == MPI_EC_EDWARDS && ec->dialect == ECC_DIALECT_SAFECURVE)
ctx.flags |= PUBKEY_FLAG_EDDSA;
/* Clear hash algo for EdDSA. */
if ((ctx.flags & PUBKEY_FLAG_EDDSA))
ctx.hash_algo = GCRY_MD_NONE;
/* Extract the data. */
rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx);
if (rc)
goto leave;
if (DBG_CIPHER)
log_mpidump ("ecc_verify data", data);
/* Hash algo is determined by curve in EdDSA. Fill it if not specified. */
if ((ctx.flags & PUBKEY_FLAG_EDDSA) && !ctx.hash_algo)
{
if (ec->dialect == ECC_DIALECT_ED25519)
ctx.hash_algo = GCRY_MD_SHA512;
else if (ec->dialect == ECC_DIALECT_SAFECURVE)
ctx.hash_algo = GCRY_MD_SHAKE256;
}
/*
* Extract the signature value.
*/
rc = _gcry_pk_util_preparse_sigval (s_sig, ecc_names, &l1, &sigflags);
if (rc)
goto leave;
rc = sexp_extract_param (l1, NULL, (sigflags & PUBKEY_FLAG_EDDSA)? "/rs":"rs",
&sig_r, &sig_s, NULL);
if (rc)
goto leave;
if (DBG_CIPHER)
{
log_mpidump ("ecc_verify s_r", sig_r);
log_mpidump ("ecc_verify s_s", sig_s);
}
if ((ctx.flags & PUBKEY_FLAG_EDDSA) ^ (sigflags & PUBKEY_FLAG_EDDSA))
{
rc = GPG_ERR_CONFLICT; /* Inconsistent use of flag/algoname. */
goto leave;
}
/*
* Verify the signature.
*/
if ((sigflags & PUBKEY_FLAG_EDDSA))
{
rc = _gcry_ecc_eddsa_verify (data, ec, sig_r, sig_s, &ctx);
}
else if ((sigflags & PUBKEY_FLAG_GOST))
{
rc = _gcry_ecc_gost_verify (data, ec, sig_r, sig_s);
}
else if ((sigflags & PUBKEY_FLAG_SM2))
{
rc = _gcry_ecc_sm2_verify (data, ec, sig_r, sig_s);
}
else
{
rc = _gcry_ecc_ecdsa_verify (data, ec, sig_r, sig_s,
ctx.flags, ctx.hash_algo);
}
leave:
_gcry_mpi_release (data);
_gcry_mpi_release (sig_r);
_gcry_mpi_release (sig_s);
_gcry_mpi_ec_free (ec);
sexp_release (l1);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
log_debug ("ecc_verify => %s\n", rc?gpg_strerror (rc):"Good");
return rc;
}
/* ecdh raw is classic 2-round DH protocol published in 1976.
*
* Overview of ecc_encrypt_raw and ecc_decrypt_raw.
*
* As with any PK operation, encrypt version uses a public key and
* decrypt -- private.
*
* Symbols used below:
* G - field generator point
* d - private long-term scalar
* dG - public long-term key
* k - ephemeral scalar
* kG - ephemeral public key
* dkG - shared secret
*
* ecc_encrypt_raw description:
* input:
* data[0] : private scalar (k)
* output: A new S-expression with the parameters:
* s : shared point (kdG)
* e : generated ephemeral public key (kG)
*
* ecc_decrypt_raw description:
* input:
* data[0] : a point kG (ephemeral public key)
* output:
* result[0] : shared point (kdG)
*/
static gcry_err_code_t
ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms)
{
unsigned int nbits;
gcry_err_code_t rc;
struct pk_encoding_ctx ctx;
gcry_mpi_t mpi_s = NULL;
gcry_mpi_t mpi_e = NULL;
gcry_mpi_t data = NULL;
mpi_ec_t ec = NULL;
int flags = 0;
int no_error_on_infinity;
_gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_ENCRYPT,
(nbits = ecc_get_nbits (keyparms)));
/*
* Extract the key.
*/
rc = _gcry_mpi_ec_internal_new (&ec, &flags, "ecc_encrypt", keyparms, NULL);
if (rc)
goto leave;
if (ec->dialect == ECC_DIALECT_SAFECURVE)
{
ctx.flags |= PUBKEY_FLAG_RAW_FLAG;
no_error_on_infinity = 1;
}
else if ((flags & PUBKEY_FLAG_DJB_TWEAK))
no_error_on_infinity = 1;
else
no_error_on_infinity = 0;
/*
* Extract the data.
*/
rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx);
if (rc)
goto leave;
/*
* Tweak the scalar bits by cofactor and number of bits of the field.
* It assumes the cofactor is a power of 2.
*/
if ((flags & PUBKEY_FLAG_DJB_TWEAK))
{
int i;
for (i = 0; (ec->h & (1 << i)) == 0; i++)
mpi_clear_bit (data, i);
mpi_set_highbit (data, ec->nbits - 1);
}
if (DBG_CIPHER)
log_mpidump ("ecc_encrypt data", data);
if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n || !ec->Q)
{
rc = GPG_ERR_NO_OBJ;
goto leave;
}
if ((ctx.flags & PUBKEY_FLAG_SM2))
{
/* All encryption will be done, return it. */
rc = _gcry_ecc_sm2_encrypt (r_ciph, data, ec);
goto leave;
}
/* The following is false: assert( mpi_cmp_ui( R.x, 1 )==0 );, so */
{
mpi_point_struct R; /* Result that we return. */
gcry_mpi_t x, y;
unsigned char *rawmpi;
unsigned int rawmpilen;
rc = 0;
x = mpi_new (0);
if (ec->model == MPI_EC_MONTGOMERY)
y = NULL;
else
y = mpi_new (0);
point_init (&R);
/* R = kQ <=> R = kdG */
_gcry_mpi_ec_mul_point (&R, data, ec->Q, ec);
if (_gcry_mpi_ec_get_affine (x, y, &R, ec))
{
/*
* Here, X is 0. In the X25519 computation on Curve25519, X0
* function maps infinity to zero. So, when PUBKEY_FLAG_DJB_TWEAK
* is enabled, return the result of 0 not raising an error.
*
* This is a corner case. It never occurs with properly
* generated public keys, but it might happen with blindly
* imported public key which might not follow the key
* generation procedure.
*/
if (!no_error_on_infinity)
{ /* It's not for X25519, then, the input data was simply wrong. */
rc = GPG_ERR_INV_DATA;
goto leave_main;
}
}
if (y)
mpi_s = _gcry_ecc_ec2os (x, y, ec->p);
else
{
rc = _gcry_ecc_mont_encodepoint (x, nbits,
ec->dialect != ECC_DIALECT_SAFECURVE,
&rawmpi, &rawmpilen);
if (rc)
goto leave_main;
mpi_s = mpi_new (0);
mpi_set_opaque (mpi_s, rawmpi, rawmpilen*8);
}
/* R = kG */
_gcry_mpi_ec_mul_point (&R, data, ec->G, ec);
if (_gcry_mpi_ec_get_affine (x, y, &R, ec))
{
rc = GPG_ERR_INV_DATA;
goto leave_main;
}
if (y)
mpi_e = _gcry_ecc_ec2os (x, y, ec->p);
else
{
rc = _gcry_ecc_mont_encodepoint (x, nbits,
ec->dialect != ECC_DIALECT_SAFECURVE,
&rawmpi, &rawmpilen);
if (!rc)
{
mpi_e = mpi_new (0);
mpi_set_opaque (mpi_e, rawmpi, rawmpilen*8);
}
}
leave_main:
mpi_free (x);
mpi_free (y);
point_free (&R);
if (rc)
goto leave;
}
if (!rc)
rc = sexp_build (r_ciph, NULL, "(enc-val(ecdh(s%m)(e%m)))", mpi_s, mpi_e);
leave:
_gcry_mpi_release (data);
_gcry_mpi_release (mpi_s);
_gcry_mpi_release (mpi_e);
_gcry_mpi_ec_free (ec);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
log_debug ("ecc_encrypt => %s\n", gpg_strerror (rc));
return rc;
}
/* input:
* data[0] : a point kG (ephemeral public key)
* output:
* resaddr[0] : shared point kdG
*
* see ecc_encrypt_raw for details.
*/
static gcry_err_code_t
ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
{
unsigned int nbits;
gpg_err_code_t rc;
struct pk_encoding_ctx ctx;
gcry_sexp_t l1 = NULL;
gcry_mpi_t data_e = NULL;
mpi_ec_t ec = NULL;
mpi_point_struct kG;
mpi_point_struct R;
gcry_mpi_t r = NULL;
int flags = 0;
int enable_specific_point_validation;
point_init (&kG);
point_init (&R);
_gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_DECRYPT,
(nbits = ecc_get_nbits (keyparms)));
/*
* Extract the key.
*/
rc = _gcry_mpi_ec_internal_new (&ec, &flags, "ecc_decrypt", keyparms, NULL);
if (rc)
goto leave;
if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n || !ec->d)
{
rc = GPG_ERR_NO_OBJ;
goto leave;
}
/*
* Extract the data.
*/
rc = _gcry_pk_util_preparse_encval (s_data, ecc_names, &l1, &ctx);
if (rc)
goto leave;
if ((ctx.flags & PUBKEY_FLAG_SM2))
{
/* All decryption will be done, return it. */
rc = _gcry_ecc_sm2_decrypt (r_plain, l1, ec);
goto leave;
}
else
{
rc = sexp_extract_param (l1, NULL, "/e", &data_e, NULL);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printmpi ("ecc_decrypt d_e", data_e);
}
if (ec->dialect == ECC_DIALECT_SAFECURVE || (flags & PUBKEY_FLAG_DJB_TWEAK))
enable_specific_point_validation = 1;
else
enable_specific_point_validation = 0;
/*
* Compute the plaintext.
*/
if (ec->model == MPI_EC_MONTGOMERY)
rc = _gcry_ecc_mont_decodepoint (data_e, ec, &kG);
else
rc = _gcry_ecc_sec_decodepoint (data_e, ec, &kG);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printpnt ("ecc_decrypt kG", &kG, NULL);
if (enable_specific_point_validation)
{
/* For X25519, by its definition, validation should not be done. */
/* (Instead, we do output check.)
*
* However, to mitigate secret key leak from our implementation,
* we also do input validation here. For constant-time
* implementation, we can remove this input validation.
*/
if (_gcry_mpi_ec_bad_point (&kG, ec))
{
rc = GPG_ERR_INV_DATA;
goto leave;
}
}
else if (!_gcry_mpi_ec_curve_point (&kG, ec))
{
rc = GPG_ERR_INV_DATA;
goto leave;
}
/* R = dkG */
_gcry_mpi_ec_mul_point (&R, ec->d, &kG, ec);
/* The following is false: assert( mpi_cmp_ui( R.x, 1 )==0 );, so: */
{
gcry_mpi_t x, y;
x = mpi_new (0);
if (ec->model == MPI_EC_MONTGOMERY)
y = NULL;
else
y = mpi_new (0);
if (_gcry_mpi_ec_get_affine (x, y, &R, ec))
{
rc = GPG_ERR_INV_DATA;
goto leave;
/*
* Note for X25519.
*
* By the definition of X25519, this is the case where X25519
* returns 0, mapping infinity to zero. However, we
* deliberately let it return an error.
*
* For X25519 ECDH, comming here means that it might be
* decrypted by anyone with the shared secret of 0 (the result
* of this function could be always 0 by other scalar values,
* other than the private key of D).
*
* So, it looks like an encrypted message but it can be
* decrypted by anyone, or at least something wrong
* happens. Recipient should not proceed as if it were
* properly encrypted message.
*
* This handling is needed for our major usage of GnuPG,
* where it does the One-Pass Diffie-Hellman method,
* C(1, 1, ECC CDH), with an ephemeral key.
*/
}
if (y)
r = _gcry_ecc_ec2os (x, y, ec->p);
else
{
unsigned char *rawmpi;
unsigned int rawmpilen;
rc = _gcry_ecc_mont_encodepoint (x, nbits,
ec->dialect != ECC_DIALECT_SAFECURVE,
&rawmpi, &rawmpilen);
if (rc)
goto leave;
r = mpi_new (0);
mpi_set_opaque (r, rawmpi, rawmpilen*8);
}
if (!r)
rc = gpg_err_code_from_syserror ();
else
rc = 0;
mpi_free (x);
mpi_free (y);
}
if (DBG_CIPHER)
log_printmpi ("ecc_decrypt res", r);
if (!rc)
rc = sexp_build (r_plain, NULL, "(value %m)", r);
leave:
point_free (&R);
point_free (&kG);
_gcry_mpi_release (r);
_gcry_mpi_release (data_e);
sexp_release (l1);
_gcry_mpi_ec_free (ec);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
log_debug ("ecc_decrypt => %s\n", gpg_strerror (rc));
return rc;
}
/* Return the number of bits for the key described by PARMS. On error
* 0 is returned. The format of PARMS starts with the algorithm name;
* for example:
*
* (ecc
* (curve <name>)
* (p <mpi>)
* (a <mpi>)
* (b <mpi>)
* (g <mpi>)
* (n <mpi>)
* (q <mpi>))
*
* More parameters may be given. Either P or CURVE is needed.
*/
static unsigned int
ecc_get_nbits (gcry_sexp_t parms)
{
gcry_sexp_t l1;
gcry_mpi_t p;
unsigned int nbits = 0;
char *curve;
l1 = sexp_find_token (parms, "p", 1);
if (!l1)
{ /* Parameter P not found - check whether we have "curve". */
l1 = sexp_find_token (parms, "curve", 5);
if (!l1)
return 0; /* Neither P nor CURVE found. */
curve = sexp_nth_string (l1, 1);
sexp_release (l1);
if (!curve)
return 0; /* No curve name given (or out of core). */
if (_gcry_ecc_fill_in_curve (0, curve, NULL, &nbits))
nbits = 0;
xfree (curve);
}
else
{
p = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
sexp_release (l1);
if (p)
{
nbits = mpi_get_nbits (p);
_gcry_mpi_release (p);
}
}
return nbits;
}
/* See rsa.c for a description of this function. */
static gpg_err_code_t
compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparms)
{
#define N_COMPONENTS 6
static const char names[N_COMPONENTS] = "pabgnq";
gpg_err_code_t rc;
gcry_sexp_t l1;
gcry_mpi_t values[N_COMPONENTS];
int idx;
char *curvename = NULL;
int flags = 0;
enum gcry_mpi_ec_models model = 0;
enum ecc_dialects dialect = 0;
const unsigned char *raw;
unsigned int n;
int maybe_uncompress;
/* Clear the values first. */
for (idx=0; idx < N_COMPONENTS; idx++)
values[idx] = NULL;
/* Look for flags. */
l1 = sexp_find_token (keyparms, "flags", 0);
if (l1)
{
rc = _gcry_pk_util_parse_flaglist (l1, &flags, NULL);
if (rc)
goto leave;
}
/* Extract the parameters. */
if ((flags & PUBKEY_FLAG_PARAM))
rc = sexp_extract_param (keyparms, NULL, "p?a?b?g?n?/q",
&values[0], &values[1], &values[2],
&values[3], &values[4], &values[5],
NULL);
else
rc = sexp_extract_param (keyparms, NULL, "/q", &values[5], NULL);
if (rc)
goto leave;
/* Check whether a curve parameter is available and use that to fill
in missing values. */
sexp_release (l1);
l1 = sexp_find_token (keyparms, "curve", 5);
if (l1)
{
curvename = sexp_nth_string (l1, 1);
if (curvename)
{
rc = _gcry_ecc_update_curve_param (curvename,
&model, &dialect,
&values[0], &values[1], &values[2],
&values[3], &values[4]);
if (rc)
goto leave;
}
}
/* Guess required fields if a curve parameter has not been given.
FIXME: This is a crude hacks. We need to fix that. */
if (!curvename)
{
model = ((flags & PUBKEY_FLAG_EDDSA)
? MPI_EC_EDWARDS
: MPI_EC_WEIERSTRASS);
dialect = ((flags & PUBKEY_FLAG_EDDSA)
? ECC_DIALECT_ED25519
: ECC_DIALECT_STANDARD);
}
/* Check that all parameters are known and normalize all MPIs (that
should not be required but we use an internal function later and
thus we better make 100% sure that they are normalized). */
for (idx = 0; idx < N_COMPONENTS; idx++)
if (!values[idx])
{
rc = GPG_ERR_NO_OBJ;
goto leave;
}
else
_gcry_mpi_normalize (values[idx]);
/* Uncompress the public key with the exception of EdDSA where
compression is the default and we thus compute the keygrip using
the compressed version. Because we don't support any non-eddsa
compression, the only thing we need to do is to compress
EdDSA. */
if ((flags & PUBKEY_FLAG_EDDSA) && dialect == ECC_DIALECT_ED25519)
{
const unsigned int pbits = mpi_get_nbits (values[0]);
rc = _gcry_ecc_eddsa_ensure_compact (values[5], pbits);
if (rc)
goto leave;
maybe_uncompress = 0;
}
else if ((flags & PUBKEY_FLAG_DJB_TWEAK))
{
/* Remove the prefix 0x40 for keygrip computation. */
raw = mpi_get_opaque (values[5], &n);
if (raw)
{
n = (n + 7)/8;
if (n > 1 && (n%2) && raw[0] == 0x40)
if (!_gcry_mpi_set_opaque_copy (values[5], raw + 1, (n - 1)*8))
rc = gpg_err_code_from_syserror ();
}
else
{
rc = GPG_ERR_INV_OBJ;
goto leave;
}
maybe_uncompress = 0;
}
else
maybe_uncompress = 1;
/* Hash them all. */
for (idx = 0; idx < N_COMPONENTS; idx++)
{
char buf[30];
unsigned char *rawbuffer;
unsigned int rawlen;
if (mpi_is_opaque (values[idx]))
{
rawbuffer = NULL;
raw = mpi_get_opaque (values[idx], &rawlen);
rawlen = (rawlen + 7)/8;
}
else
{
rawbuffer = _gcry_mpi_get_buffer (values[idx], 0, &rawlen, NULL);
if (!rawbuffer)
{
rc = gpg_err_code_from_syserror ();
goto leave;
}
raw = rawbuffer;
}
if (maybe_uncompress && idx == 5 && rawlen > 1
&& (*raw == 0x02 || *raw == 0x03))
{
/* This is a compressed Q - uncompress. */
mpi_ec_t ec = NULL;
gcry_mpi_t x, y;
gcry_mpi_t x3;
gcry_mpi_t t;
gcry_mpi_t p1_4;
int y_bit = (*raw == 0x03);
/* We need to get the curve parameters as MPIs so that we
* can do computations. We have them in VALUES but it is
* possible that the caller provided them as opaque MPIs. */
rc = _gcry_mpi_ec_internal_new (&ec, &flags, "ecc_keygrip",
keyparms, NULL);
if (rc)
goto leave;
if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n)
{
rc = GPG_ERR_NO_OBJ;
_gcry_mpi_ec_free (ec);
goto leave;
}
if (!mpi_test_bit (ec->p, 1))
{
/* No support for point compression for this curve. */
rc = GPG_ERR_NOT_IMPLEMENTED;
_gcry_mpi_ec_free (ec);
xfree (rawbuffer);
goto leave;
}
raw++;
rawlen--;
rc = _gcry_mpi_scan (&x, GCRYMPI_FMT_USG, raw, rawlen, NULL);
if (rc)
{
_gcry_mpi_ec_free (ec);
xfree (rawbuffer);
goto leave;
}
/*
* Recover Y. The Weierstrass curve: y^2 = x^3 + a*x + b
*/
x3 = mpi_new (0);
t = mpi_new (0);
p1_4 = mpi_new (0);
y = mpi_new (0);
/* Compute right hand side. */
mpi_powm (x3, x, mpi_const (MPI_C_THREE), ec->p);
mpi_mul (t, ec->a, x);
mpi_mod (t, t, ec->p);
mpi_add (t, t, ec->b);
mpi_mod (t, t, ec->p);
mpi_add (t, t, x3);
mpi_mod (t, t, ec->p);
/*
* When p mod 4 = 3, modular square root of A can be computed by
* A^((p+1)/4) mod p
*/
/* Compute (p+1)/4 into p1_4 */
mpi_rshift (p1_4, ec->p, 2);
_gcry_mpi_add_ui (p1_4, p1_4, 1);
mpi_powm (y, t, p1_4, ec->p);
if (y_bit != mpi_test_bit (y, 0))
mpi_sub (y, ec->p, y);
mpi_free (p1_4);
mpi_free (t);
mpi_free (x3);
xfree (rawbuffer);
rawbuffer = _gcry_ecc_ec2os_buf (x, y, ec->p, &rawlen);
raw = rawbuffer;
mpi_free (x);
mpi_free (y);
_gcry_mpi_ec_free (ec);
}
snprintf (buf, sizeof buf, "(1:%c%u:", names[idx], rawlen);
_gcry_md_write (md, buf, strlen (buf));
_gcry_md_write (md, raw, rawlen);
_gcry_md_write (md, ")", 1);
xfree (rawbuffer);
}
leave:
xfree (curvename);
sexp_release (l1);
for (idx = 0; idx < N_COMPONENTS; idx++)
_gcry_mpi_release (values[idx]);
return rc;
#undef N_COMPONENTS
}
/*
Low-level API helper functions.
*/
/* This is the worker function for gcry_pubkey_get_sexp for ECC
algorithms. Note that the caller has already stored NULL at
R_SEXP. */
gpg_err_code_t
_gcry_pk_ecc_get_sexp (gcry_sexp_t *r_sexp, int mode, mpi_ec_t ec)
{
gpg_err_code_t rc;
gcry_mpi_t mpi_G = NULL;
gcry_mpi_t mpi_Q = NULL;
if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n)
return GPG_ERR_BAD_CRYPT_CTX;
if (mode == GCRY_PK_GET_SECKEY && !ec->d)
return GPG_ERR_NO_SECKEY;
/* Compute the public point if it is missing. */
if (!ec->Q && ec->d)
ec->Q = _gcry_ecc_compute_public (NULL, ec);
/* Encode G and Q. */
mpi_G = _gcry_mpi_ec_ec2os (ec->G, ec);
if (!mpi_G)
{
rc = GPG_ERR_BROKEN_PUBKEY;
goto leave;
}
if (!ec->Q)
{
rc = GPG_ERR_BAD_CRYPT_CTX;
goto leave;
}
if (ec->dialect == ECC_DIALECT_ED25519)
{
unsigned char *encpk;
unsigned int encpklen;
rc = _gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, 0,
&encpk, &encpklen);
if (rc)
goto leave;
mpi_Q = mpi_set_opaque (NULL, encpk, encpklen*8);
encpk = NULL;
}
else if (ec->model == MPI_EC_MONTGOMERY)
{
unsigned char *encpk;
unsigned int encpklen;
rc = _gcry_ecc_mont_encodepoint (ec->Q->x, ec->nbits,
ec->dialect != ECC_DIALECT_SAFECURVE,
&encpk, &encpklen);
if (rc)
goto leave;
mpi_Q = mpi_set_opaque (NULL, encpk, encpklen*8);
}
else
{
mpi_Q = _gcry_mpi_ec_ec2os (ec->Q, ec);
}
if (!mpi_Q)
{
rc = GPG_ERR_BROKEN_PUBKEY;
goto leave;
}
/* Fixme: We should return a curve name instead of the parameters if
if know that they match a curve. */
if (ec->d && (!mode || mode == GCRY_PK_GET_SECKEY))
{
/* Let's return a private key. */
rc = sexp_build (r_sexp, NULL,
"(private-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%u)(q%m)(d%m)))",
ec->p, ec->a, ec->b, mpi_G, ec->n, ec->h, mpi_Q, ec->d);
}
else if (ec->Q)
{
/* Let's return a public key. */
rc = sexp_build (r_sexp, NULL,
"(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%u)(q%m)))",
ec->p, ec->a, ec->b, mpi_G, ec->n, ec->h, mpi_Q);
}
else
rc = GPG_ERR_BAD_CRYPT_CTX;
leave:
mpi_free (mpi_Q);
mpi_free (mpi_G);
return rc;
}
/*
Self-test section.
*/
static const char *
selftest_hash_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
{
int md_algo = GCRY_MD_SHA256;
gcry_md_hd_t hd = NULL;
const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
/* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
static const char sample_data[] = "sample";
static const char sample_data_bad[] = "sbmple";
static const char signature_r[] =
"efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716";
static const char signature_s[] =
"f7cb1c942d657c41d436c7a1b6e29f65f3e900dbb9aff4064dc4ab2f843acda8";
const char *errtxt = NULL;
gcry_error_t err;
gcry_sexp_t sig = NULL;
gcry_sexp_t l1 = NULL;
gcry_sexp_t l2 = NULL;
gcry_mpi_t r = NULL;
gcry_mpi_t s = NULL;
gcry_mpi_t calculated_r = NULL;
gcry_mpi_t calculated_s = NULL;
int cmp;
err = _gcry_md_open (&hd, md_algo, 0);
if (err)
{
errtxt = "gcry_md_open failed";
goto leave;
}
_gcry_md_write (hd, sample_data, strlen(sample_data));
err = _gcry_mpi_scan (&r, GCRYMPI_FMT_HEX, signature_r, 0, NULL);
if (!err)
err = _gcry_mpi_scan (&s, GCRYMPI_FMT_HEX, signature_s, 0, NULL);
if (err)
{
errtxt = "converting data failed";
goto leave;
}
err = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
if (err)
{
errtxt = "signing failed";
goto leave;
}
/* check against known signature */
errtxt = "signature validity failed";
l1 = _gcry_sexp_find_token (sig, "sig-val", 0);
if (!l1)
goto leave;
l2 = _gcry_sexp_find_token (l1, "ecdsa", 0);
if (!l2)
goto leave;
sexp_release (l1);
l1 = l2;
l2 = _gcry_sexp_find_token (l1, "r", 0);
if (!l2)
goto leave;
calculated_r = _gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
if (!calculated_r)
goto leave;
sexp_release (l2);
l2 = _gcry_sexp_find_token (l1, "s", 0);
if (!l2)
goto leave;
calculated_s = _gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
if (!calculated_s)
goto leave;
errtxt = "known sig check failed";
cmp = _gcry_mpi_cmp (r, calculated_r);
if (cmp)
goto leave;
cmp = _gcry_mpi_cmp (s, calculated_s);
if (cmp)
goto leave;
errtxt = NULL;
/* verify generated signature */
err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
if (err)
{
errtxt = "verify failed";
goto leave;
}
_gcry_md_reset(hd);
_gcry_md_write (hd, sample_data_bad, strlen(sample_data_bad));
err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
{
errtxt = "bad signature not detected";
goto leave;
}
leave:
_gcry_md_close (hd);
sexp_release (sig);
sexp_release (l1);
sexp_release (l2);
mpi_release (r);
mpi_release (s);
mpi_release (calculated_r);
mpi_release (calculated_s);
return errtxt;
}
static const char *
selftest_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
{
/* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
static const char sample_data[] =
"(data (flags rfc6979 prehash)"
" (hash-algo sha256)"
" (value 6:sample))";
static const char sample_data_bad[] =
"(data (flags rfc6979)"
" (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
/**/ "62113d8a62add1bf#))";
static const char signature_r[] =
"efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716";
static const char signature_s[] =
"f7cb1c942d657c41d436c7a1b6e29f65f3e900dbb9aff4064dc4ab2f843acda8";
const char *errtxt = NULL;
gcry_error_t err;
gcry_sexp_t data = NULL;
gcry_sexp_t data_bad = NULL;
gcry_sexp_t sig = NULL;
gcry_sexp_t l1 = NULL;
gcry_sexp_t l2 = NULL;
gcry_mpi_t r = NULL;
gcry_mpi_t s = NULL;
gcry_mpi_t calculated_r = NULL;
gcry_mpi_t calculated_s = NULL;
int cmp;
err = sexp_sscan (&data, NULL, sample_data, strlen (sample_data));
if (!err)
err = sexp_sscan (&data_bad, NULL,
sample_data_bad, strlen (sample_data_bad));
if (!err)
err = _gcry_mpi_scan (&r, GCRYMPI_FMT_HEX, signature_r, 0, NULL);
if (!err)
err = _gcry_mpi_scan (&s, GCRYMPI_FMT_HEX, signature_s, 0, NULL);
if (err)
{
errtxt = "converting data failed";
goto leave;
}
err = _gcry_pk_sign (&sig, data, skey);
if (err)
{
errtxt = "signing failed";
goto leave;
}
/* check against known signature */
errtxt = "signature validity failed";
l1 = _gcry_sexp_find_token (sig, "sig-val", 0);
if (!l1)
goto leave;
l2 = _gcry_sexp_find_token (l1, "ecdsa", 0);
if (!l2)
goto leave;
sexp_release (l1);
l1 = l2;
l2 = _gcry_sexp_find_token (l1, "r", 0);
if (!l2)
goto leave;
calculated_r = _gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
if (!calculated_r)
goto leave;
sexp_release (l2);
l2 = _gcry_sexp_find_token (l1, "s", 0);
if (!l2)
goto leave;
calculated_s = _gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
if (!calculated_s)
goto leave;
errtxt = "known sig check failed";
cmp = _gcry_mpi_cmp (r, calculated_r);
if (cmp)
goto leave;
cmp = _gcry_mpi_cmp (s, calculated_s);
if (cmp)
goto leave;
errtxt = NULL;
/* verify generated signature */
err = _gcry_pk_verify (sig, data, pkey);
if (err)
{
errtxt = "verify failed";
goto leave;
}
err = _gcry_pk_verify (sig, data_bad, pkey);
if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
{
errtxt = "bad signature not detected";
goto leave;
}
leave:
sexp_release (sig);
sexp_release (data_bad);
sexp_release (data);
sexp_release (l1);
sexp_release (l2);
mpi_release (r);
mpi_release (s);
mpi_release (calculated_r);
mpi_release (calculated_s);
return errtxt;
}
static gpg_err_code_t
selftests_ecdsa (selftest_report_func_t report, int extended)
{
const char *what;
const char *errtxt;
gcry_error_t err;
gcry_sexp_t skey = NULL;
gcry_sexp_t pkey = NULL;
what = "convert";
err = sexp_sscan (&skey, NULL, sample_secret_key_secp256,
strlen (sample_secret_key_secp256));
if (!err)
err = sexp_sscan (&pkey, NULL, sample_public_key_secp256,
strlen (sample_public_key_secp256));
if (err)
{
errtxt = _gcry_strerror (err);
goto failed;
}
what = "key consistency";
err = ecc_check_secret_key(skey);
if (err)
{
errtxt = _gcry_strerror (err);
goto failed;
}
if (extended)
{
what = "sign";
errtxt = selftest_sign (pkey, skey);
if (errtxt)
goto failed;
}
what = "digest sign";
errtxt = selftest_hash_sign (pkey, skey);
if (errtxt)
goto failed;
sexp_release(pkey);
sexp_release(skey);
return 0; /* Succeeded. */
failed:
sexp_release(pkey);
sexp_release(skey);
if (report)
report ("pubkey", GCRY_PK_ECC, what, errtxt);
return GPG_ERR_SELFTEST_FAILED;
}
/* Run a full self-test for ALGO and return 0 on success. */
static gpg_err_code_t
run_selftests (int algo, int extended, selftest_report_func_t report)
{
if (algo != GCRY_PK_ECC)
return GPG_ERR_PUBKEY_ALGO;
return selftests_ecdsa (report, extended);
}
gcry_pk_spec_t _gcry_pubkey_spec_ecc =
{
GCRY_PK_ECC, { 0, 1 },
(GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR),
"ECC", ecc_names,
"pabgnhq", "pabgnhqd", "se", "rs", "pabgnhq",
ecc_generate,
ecc_check_secret_key,
ecc_encrypt_raw,
ecc_decrypt_raw,
ecc_sign,
ecc_verify,
ecc_get_nbits,
run_selftests,
compute_keygrip,
_gcry_ecc_get_curve,
_gcry_ecc_get_param_sexp
};
diff --git a/cipher/rsa.c b/cipher/rsa.c
index 73650ef1..96dba090 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1,2252 +1,2229 @@
/* rsa.c - RSA implementation
* Copyright (C) 1997, 1998, 1999 by Werner Koch (dd9jn)
* Copyright (C) 2000, 2001, 2002, 2003, 2008 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/* This code uses an algorithm protected by U.S. Patent #4,405,829
which expired on September 20, 2000. The patent holder placed that
patent into the public domain on Sep 6th, 2000.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "g10lib.h"
#include "mpi.h"
#include "cipher.h"
#include "pubkey-internal.h"
typedef struct
{
gcry_mpi_t n; /* modulus */
gcry_mpi_t e; /* exponent */
} RSA_public_key;
typedef struct
{
gcry_mpi_t n; /* public modulus */
gcry_mpi_t e; /* public exponent */
gcry_mpi_t d; /* exponent */
gcry_mpi_t p; /* prime p. */
gcry_mpi_t q; /* prime q. */
gcry_mpi_t u; /* inverse of p mod q. */
} RSA_secret_key;
static const char *rsa_names[] =
{
"rsa",
"openpgp-rsa",
"oid.1.2.840.113549.1.1.1",
NULL,
};
/* A sample 2048 bit RSA key used for the selftests. */
static const char sample_secret_key[] =
" (private-key"
" (rsa"
" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6CB#)"
" (e #010001#)"
" (d #07EF82500C403899934FE993AC5A36F14FF2DF38CF1EF315F205EE4C83EDAA19"
" 8890FC23DE9AA933CAFB37B6A8A8DBA675411958337287310D3FF2F1DDC0CB93"
" 7E70F57F75F833C021852B631D2B9A520E4431A03C5C3FCB5742DCD841D9FB12"
" 771AA1620DCEC3F1583426066ED9DC3F7028C5B59202C88FDF20396E2FA0EC4F"
" 5A22D9008F3043673931BC14A5046D6327398327900867E39CC61B2D1AFE2F48"
" EC8E1E3861C68D257D7425F4E6F99ABD77D61F10CA100EFC14389071831B33DD"
" 69CC8EABEF860D1DC2AAA84ABEAE5DFC91BC124DAF0F4C8EF5BBEA436751DE84"
" 3A8063E827A024466F44C28614F93B0732A100D4A0D86D532FE1E22C7725E401#)"
" (p #00C29D438F115825779631CD665A5739367F3E128ADC29766483A46CA80897E0"
" 79B32881860B8F9A6A04C2614A904F6F2578DAE13EA67CD60AE3D0AA00A1FF9B"
" 441485E44B2DC3D0B60260FBFE073B5AC72FAF67964DE15C8212C389D20DB9CF"
" 54AF6AEF5C4196EAA56495DD30CF709F499D5AB30CA35E086C2A1589D6283F1783#)"
" (q #00D1984135231CB243FE959C0CBEF551EDD986AD7BEDF71EDF447BE3DA27AF46"
" 79C974A6FA69E4D52FE796650623DE70622862713932AA2FD9F2EC856EAEAA77"
" 88B4EA6084DC81C902F014829B18EA8B2666EC41586818E0589E18876065F97E"
" 8D22CE2DA53A05951EC132DCEF41E70A9C35F4ACC268FFAC2ADF54FA1DA110B919#)"
" (u #67CF0FD7635205DD80FA814EE9E9C267C17376BF3209FB5D1BC42890D2822A04"
" 479DAF4D5B6ED69D0F8D1AF94164D07F8CD52ECEFE880641FA0F41DDAB1785E4"
" A37A32F997A516480B4CD4F6482B9466A1765093ED95023CA32D5EDC1E34CEE9"
" AF595BC51FE43C4BF810FA225AF697FB473B83815966188A4312C048B885E3F7#)))";
/* A sample 2048 bit RSA key used for the selftests (public only). */
static const char sample_public_key[] =
" (public-key"
" (rsa"
" (n #009F56231A3D82E3E7D613D59D53E9AB921BEF9F08A782AED0B6E46ADBC853EC"
" 7C71C422435A3CD8FA0DB9EFD55CD3295BADC4E8E2E2B94E15AE82866AB8ADE8"
" 7E469FAE76DC3577DE87F1F419C4EB41123DFAF8D16922D5EDBAD6E9076D5A1C"
" 958106F0AE5E2E9193C6B49124C64C2A241C4075D4AF16299EB87A6585BAE917"
" DEF27FCDD165764D069BC18D16527B29DAAB549F7BBED4A7C6A842D203ED6613"
" 6E2411744E432CD26D940132F25874483DCAEECDFD95744819CBCF1EA810681C"
" 42907EBCB1C7EAFBE75C87EC32C5413EA10476545D3FC7B2ADB1B66B7F200918"
" 664B0E5261C2895AA28B0DE321E921B3F877172CCCAB81F43EF98002916156F6CB#)"
" (e #010001#)))";
static int test_keys (RSA_secret_key *sk, unsigned nbits);
static int check_secret_key (RSA_secret_key *sk);
static void public (gcry_mpi_t output, gcry_mpi_t input, RSA_public_key *skey);
static void secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey);
static unsigned int rsa_get_nbits (gcry_sexp_t parms);
/* Check that a freshly generated key actually works. Returns 0 on success. */
static int
test_keys (RSA_secret_key *sk, unsigned int nbits)
{
int result = -1; /* Default to failure. */
RSA_public_key pk;
gcry_mpi_t plaintext = mpi_new (nbits);
gcry_mpi_t ciphertext = mpi_new (nbits);
gcry_mpi_t decr_plaintext = mpi_new (nbits);
gcry_mpi_t signature = mpi_new (nbits);
/* Put the relevant parameters into a public key structure. */
pk.n = sk->n;
pk.e = sk->e;
/* Create a random plaintext. */
_gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
/* Encrypt using the public key. */
public (ciphertext, plaintext, &pk);
/* Check that the cipher text does not match the plaintext. */
if (!mpi_cmp (ciphertext, plaintext))
goto leave; /* Ciphertext is identical to the plaintext. */
/* Decrypt using the secret key. */
secret (decr_plaintext, ciphertext, sk);
/* Check that the decrypted plaintext matches the original plaintext. */
if (mpi_cmp (decr_plaintext, plaintext))
goto leave; /* Plaintext does not match. */
/* Create another random plaintext as data for signature checking. */
_gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
/* Use the RSA secret function to create a signature of the plaintext. */
secret (signature, plaintext, sk);
/* Use the RSA public function to verify this signature. */
public (decr_plaintext, signature, &pk);
if (mpi_cmp (decr_plaintext, plaintext))
goto leave; /* Signature does not match. */
/* Modify the signature and check that the signing fails. */
mpi_add_ui (signature, signature, 1);
public (decr_plaintext, signature, &pk);
if (!mpi_cmp (decr_plaintext, plaintext))
goto leave; /* Signature matches but should not. */
result = 0; /* All tests succeeded. */
leave:
_gcry_mpi_release (signature);
_gcry_mpi_release (decr_plaintext);
_gcry_mpi_release (ciphertext);
_gcry_mpi_release (plaintext);
return result;
}
static int
-test_keys_fips (RSA_secret_key *sk)
+test_keys_fips (gcry_sexp_t skey)
{
int result = -1; /* Default to failure. */
char plaintext[128];
gcry_sexp_t sig = NULL;
- gcry_sexp_t skey = NULL, pkey = NULL;
const char *data_tmpl = "(data (flags pkcs1) (hash %s %b))";
gcry_md_hd_t hd = NULL;
int ec;
- /* Put the relevant parameters into a public key structure. */
- ec = sexp_build (&pkey, NULL,
- "(key-data"
- " (public-key"
- " (rsa(n%m)(e%m))))",
- sk->n, sk->e);
- if (ec)
- goto leave;
-
- /* Put the relevant parameters into a secret key structure. */
- ec = sexp_build (&skey, NULL,
- "(key-data"
- " (public-key"
- " (rsa(n%m)(e%m)))"
- " (private-key"
- " (rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
- sk->n, sk->e,
- sk->n, sk->e, sk->d, sk->p, sk->q, sk->u);
- if (ec)
- goto leave;
-
/* Create a random plaintext. */
_gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
/* Open MD context and feed the random data in */
ec = _gcry_md_open (&hd, GCRY_MD_SHA256, 0);
if (ec)
goto leave;
_gcry_md_write (hd, plaintext, sizeof(plaintext));
/* Use the RSA secret function to create a signature of the plaintext. */
ec = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
if (ec)
goto leave;
/* Use the RSA public function to verify this signature. */
- ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ ec = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (ec)
goto leave;
/* Modify the data and check that the signing fails. */
_gcry_md_reset(hd);
plaintext[sizeof plaintext / 2] ^= 1;
_gcry_md_write (hd, plaintext, sizeof(plaintext));
- ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
+ ec = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
if (ec != GPG_ERR_BAD_SIGNATURE)
goto leave; /* Signature verification worked on modified data */
result = 0; /* All tests succeeded. */
leave:
sexp_release (sig);
_gcry_md_close (hd);
- sexp_release (pkey);
- sexp_release (skey);
return result;
}
/* Callback used by the prime generation to test whether the exponent
is suitable. Returns 0 if the test has been passed. */
static int
check_exponent (void *arg, gcry_mpi_t a)
{
gcry_mpi_t e = arg;
gcry_mpi_t tmp;
int result;
mpi_sub_ui (a, a, 1);
tmp = _gcry_mpi_alloc_like (a);
result = !mpi_gcd(tmp, e, a); /* GCD is not 1. */
_gcry_mpi_release (tmp);
mpi_add_ui (a, a, 1);
return result;
}
/****************
* Generate a key pair with a key of size NBITS.
* USE_E = 0 let Libcgrypt decide what exponent to use.
* = 1 request the use of a "secure" exponent; this is required by some
* specification to be 65537.
* > 2 Use this public exponent. If the given exponent
* is not odd one is internally added to it.
* TRANSIENT_KEY: If true, generate the primes using the standard RNG.
* Returns: 2 structures filled with all needed values
*/
static gpg_err_code_t
generate_std (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
int transient_key)
{
gcry_mpi_t p, q; /* the two primes */
gcry_mpi_t d; /* the private key */
gcry_mpi_t u;
gcry_mpi_t t1, t2;
gcry_mpi_t n; /* the public key */
gcry_mpi_t e; /* the exponent */
gcry_mpi_t phi; /* helper: (p-1)(q-1) */
gcry_mpi_t g;
gcry_mpi_t f;
gcry_random_level_t random_level;
/* The random quality depends on the transient_key flag. */
random_level = transient_key ? GCRY_STRONG_RANDOM : GCRY_VERY_STRONG_RANDOM;
/* Make sure that nbits is even so that we generate p, q of equal size. */
if ( (nbits&1) )
nbits++;
if (use_e == 1) /* Alias for a secure value */
use_e = 65537; /* as demanded by Sphinx. */
/* Public exponent:
In general we use 41 as this is quite fast and more secure than the
commonly used 17. Benchmarking the RSA verify function
with a 1024 bit key yields (2001-11-08):
e=17 0.54 ms
e=41 0.75 ms
e=257 0.95 ms
e=65537 1.80 ms
*/
e = mpi_alloc( (32+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
if (!use_e)
mpi_set_ui (e, 41); /* This is a reasonable secure and fast value */
else
{
use_e |= 1; /* make sure this is odd */
mpi_set_ui (e, use_e);
}
n = mpi_new (nbits);
p = q = NULL;
do
{
/* select two (very secret) primes */
if (p)
_gcry_mpi_release (p);
if (q)
_gcry_mpi_release (q);
if (use_e)
{ /* Do an extra test to ensure that the given exponent is
suitable. */
p = _gcry_generate_secret_prime (nbits/2, random_level,
check_exponent, e);
q = _gcry_generate_secret_prime (nbits/2, random_level,
check_exponent, e);
}
else
{ /* We check the exponent later. */
p = _gcry_generate_secret_prime (nbits/2, random_level, NULL, NULL);
q = _gcry_generate_secret_prime (nbits/2, random_level, NULL, NULL);
}
if (mpi_cmp (p, q) > 0 ) /* p shall be smaller than q (for calc of u)*/
mpi_swap(p,q);
/* calculate the modulus */
mpi_mul( n, p, q );
}
while ( mpi_get_nbits(n) != nbits );
/* calculate Euler totient: phi = (p-1)(q-1) */
t1 = mpi_alloc_secure( mpi_get_nlimbs(p) );
t2 = mpi_alloc_secure( mpi_get_nlimbs(p) );
phi = mpi_snew ( nbits );
g = mpi_snew ( nbits );
f = mpi_snew ( nbits );
mpi_sub_ui( t1, p, 1 );
mpi_sub_ui( t2, q, 1 );
mpi_mul( phi, t1, t2 );
mpi_gcd (g, t1, t2);
mpi_fdiv_q(f, phi, g);
while (!mpi_gcd(t1, e, phi)) /* (while gcd is not 1) */
{
if (use_e)
BUG (); /* The prime generator already made sure that we
never can get to here. */
mpi_add_ui (e, e, 2);
}
/* calculate the secret key d = e^-1 mod phi */
d = mpi_snew ( nbits );
mpi_invm (d, e, f );
/* calculate the inverse of p and q (used for chinese remainder theorem)*/
u = mpi_snew ( nbits );
mpi_invm(u, p, q );
if( DBG_CIPHER )
{
log_mpidump(" p= ", p );
log_mpidump(" q= ", q );
log_mpidump("phi= ", phi );
log_mpidump(" g= ", g );
log_mpidump(" f= ", f );
log_mpidump(" n= ", n );
log_mpidump(" e= ", e );
log_mpidump(" d= ", d );
log_mpidump(" u= ", u );
}
_gcry_mpi_release (t1);
_gcry_mpi_release (t2);
_gcry_mpi_release (phi);
_gcry_mpi_release (f);
_gcry_mpi_release (g);
sk->n = n;
sk->e = e;
sk->p = p;
sk->q = q;
sk->d = d;
sk->u = u;
/* Now we can test our keys. */
if (test_keys (sk, nbits - 64))
{
_gcry_mpi_release (sk->n); sk->n = NULL;
_gcry_mpi_release (sk->e); sk->e = NULL;
_gcry_mpi_release (sk->p); sk->p = NULL;
_gcry_mpi_release (sk->q); sk->q = NULL;
_gcry_mpi_release (sk->d); sk->d = NULL;
_gcry_mpi_release (sk->u); sk->u = NULL;
fips_signal_error ("self-test after key generation failed");
return GPG_ERR_SELFTEST_FAILED;
}
return 0;
}
/* Check the RSA key length is acceptable for key generation or usage */
static gpg_err_code_t
rsa_check_keysize (unsigned int nbits)
{
if (fips_mode () && nbits < 2048)
return GPG_ERR_INV_VALUE;
return GPG_ERR_NO_ERROR;
}
/* Check the RSA key length is acceptable for signature verification
*
* FIPS allows signature verification with RSA keys of size
* 1024, 1280, 1536 and 1792 in legacy mode, but this is up to the
* calling application to decide if the signature is legacy and
* should be accepted.
*/
static gpg_err_code_t
rsa_check_verify_keysize (unsigned int nbits)
{
if (fips_mode ())
{
if ((nbits >= 1024 && (nbits % 256) == 0) || nbits >= 2048)
return GPG_ERR_NO_ERROR;
return GPG_ERR_INV_VALUE;
}
return GPG_ERR_NO_ERROR;
}
/****************
* Generate a key pair with a key of size NBITS.
* USE_E = 0 let Libcgrypt decide what exponent to use.
* = 1 request the use of a "secure" exponent; this is required by some
* specification to be 65537.
* > 2 Use this public exponent. If the given exponent
* is not odd one is internally added to it.
* TESTPARMS: If set, do not generate but test whether the p,q is probably prime
* Returns key with zeroes to not break code calling this function.
* TRANSIENT_KEY: If true, generate the primes using the standard RNG.
* Returns: 2 structures filled with all needed values
*/
static gpg_err_code_t
generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
gcry_sexp_t testparms, int transient_key)
{
gcry_mpi_t p, q; /* the two primes */
gcry_mpi_t d; /* the private key */
gcry_mpi_t u;
gcry_mpi_t p1, q1;
gcry_mpi_t n; /* the public key */
gcry_mpi_t e; /* the exponent */
gcry_mpi_t g;
gcry_mpi_t minp;
gcry_mpi_t diff, mindiff;
gcry_random_level_t random_level;
unsigned int pbits = nbits/2;
unsigned int i;
int pqswitch;
gpg_err_code_t ec;
if (nbits <= 1024 || (nbits & 0x1FF))
return GPG_ERR_INV_VALUE;
ec = rsa_check_keysize (nbits);
if (ec)
return ec;
/* Set default error code. */
ec = GPG_ERR_NO_PRIME;
/* The random quality depends on the transient_key flag. */
random_level = transient_key ? GCRY_STRONG_RANDOM : GCRY_VERY_STRONG_RANDOM;
if (testparms)
{
/* Parameters to derive the key are given. */
/* Note that we explicitly need to setup the values of tbl
because some compilers (e.g. OpenWatcom, IRIX) don't allow to
initialize a structure with automatic variables. */
struct { const char *name; gcry_mpi_t *value; } tbl[] = {
{ "e" },
{ "p" },
{ "q" },
{ NULL }
};
int idx;
gcry_sexp_t oneparm;
tbl[0].value = &e;
tbl[1].value = &p;
tbl[2].value = &q;
for (idx=0; tbl[idx].name; idx++)
{
oneparm = sexp_find_token (testparms, tbl[idx].name, 0);
if (oneparm)
{
*tbl[idx].value = sexp_nth_mpi (oneparm, 1, GCRYMPI_FMT_USG);
sexp_release (oneparm);
}
}
for (idx=0; tbl[idx].name; idx++)
if (!*tbl[idx].value)
break;
if (tbl[idx].name)
{
/* At least one parameter is missing. */
for (idx=0; tbl[idx].name; idx++)
_gcry_mpi_release (*tbl[idx].value);
return GPG_ERR_MISSING_VALUE;
}
}
else
{
if (use_e < 65537)
use_e = 65537; /* This is the smallest value allowed by FIPS */
e = mpi_alloc ((32+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB);
use_e |= 1; /* make sure this is odd */
mpi_set_ui (e, use_e);
p = mpi_snew (pbits);
q = mpi_snew (pbits);
}
n = mpi_new (nbits);
d = mpi_snew (nbits);
u = mpi_snew (nbits);
/* prepare approximate minimum p and q */
minp = mpi_new (pbits);
mpi_set_ui (minp, 0xB504F334);
mpi_lshift (minp, minp, pbits - 32);
/* prepare minimum p and q difference */
diff = mpi_new (pbits);
mindiff = mpi_new (pbits - 99);
mpi_set_ui (mindiff, 1);
mpi_lshift (mindiff, mindiff, pbits - 100);
p1 = mpi_snew (pbits);
q1 = mpi_snew (pbits);
g = mpi_snew (pbits);
retry:
/* generate p and q */
for (i = 0; i < 10 * pbits; i++)
{
ploop:
if (!testparms)
{
_gcry_mpi_randomize (p, pbits, random_level);
mpi_set_bit (p, 0);
}
if (mpi_cmp (p, minp) < 0)
{
if (testparms)
goto err;
goto ploop;
}
mpi_sub_ui (p1, p, 1);
if (mpi_gcd (g, p1, e))
{
if (_gcry_fips186_4_prime_check (p, pbits) != GPG_ERR_NO_ERROR)
{
/* not a prime */
if (testparms)
goto err;
}
else
break;
}
else if (testparms)
goto err;
}
if (i >= 10 * pbits)
goto err;
for (i = 0; i < 20 * pbits; i++)
{
qloop:
if (!testparms)
{
_gcry_mpi_randomize (q, pbits, random_level);
mpi_set_bit (q, 0);
}
if (mpi_cmp (q, minp) < 0)
{
if (testparms)
goto err;
goto qloop;
}
if (mpi_cmp (p, q) > 0)
{
pqswitch = 1;
mpi_sub (diff, p, q);
}
else
{
pqswitch = 0;
mpi_sub (diff, q, p);
}
if (mpi_cmp (diff, mindiff) < 0)
{
if (testparms)
goto err;
goto qloop;
}
mpi_sub_ui (q1, q, 1);
if (mpi_gcd (g, q1, e))
{
if (_gcry_fips186_4_prime_check (q, pbits) != GPG_ERR_NO_ERROR)
{
/* not a prime */
if (testparms)
goto err;
}
else
break;
}
else if (testparms)
goto err;
}
if (i >= 20 * pbits)
goto err;
if (testparms)
{
mpi_clear (p);
mpi_clear (q);
}
else
{
gcry_mpi_t f;
if (pqswitch)
{
gcry_mpi_t tmp;
tmp = p;
p = q;
q = tmp;
}
f = mpi_snew (nbits);
/* calculate the modulus */
mpi_mul (n, p, q);
/* calculate the secret key d = e^1 mod phi */
mpi_gcd (g, p1, q1);
mpi_fdiv_q (f, p1, g);
mpi_mul (f, f, q1);
mpi_invm (d, e, f);
_gcry_mpi_release (f);
if (mpi_get_nbits (d) < pbits)
goto retry;
/* calculate the inverse of p and q (used for chinese remainder theorem)*/
mpi_invm (u, p, q );
}
ec = 0; /* Success. */
if (DBG_CIPHER)
{
log_mpidump(" p= ", p );
log_mpidump(" q= ", q );
log_mpidump(" n= ", n );
log_mpidump(" e= ", e );
log_mpidump(" d= ", d );
log_mpidump(" u= ", u );
}
err:
_gcry_mpi_release (p1);
_gcry_mpi_release (q1);
_gcry_mpi_release (g);
_gcry_mpi_release (minp);
_gcry_mpi_release (mindiff);
_gcry_mpi_release (diff);
sk->n = n;
sk->e = e;
sk->p = p;
sk->q = q;
sk->d = d;
sk->u = u;
- /* Now we can test our keys. */
- if (ec || (!testparms && test_keys_fips (sk)))
+ if (ec)
{
_gcry_mpi_release (sk->n); sk->n = NULL;
_gcry_mpi_release (sk->e); sk->e = NULL;
_gcry_mpi_release (sk->p); sk->p = NULL;
_gcry_mpi_release (sk->q); sk->q = NULL;
_gcry_mpi_release (sk->d); sk->d = NULL;
_gcry_mpi_release (sk->u); sk->u = NULL;
- if (!ec)
- {
- fips_signal_error ("self-test after key generation failed");
- return GPG_ERR_SELFTEST_FAILED;
- }
}
return ec;
}
/* Helper for generate_x931. */
static gcry_mpi_t
gen_x931_parm_xp (unsigned int nbits)
{
gcry_mpi_t xp;
xp = mpi_snew (nbits);
_gcry_mpi_randomize (xp, nbits, GCRY_VERY_STRONG_RANDOM);
/* The requirement for Xp is:
sqrt{2}*2^{nbits-1} <= xp <= 2^{nbits} - 1
We set the two high order bits to 1 to satisfy the lower bound.
By using mpi_set_highbit we make sure that the upper bound is
satisfied as well. */
mpi_set_highbit (xp, nbits-1);
mpi_set_bit (xp, nbits-2);
gcry_assert ( mpi_get_nbits (xp) == nbits );
return xp;
}
/* Helper for generate_x931. */
static gcry_mpi_t
gen_x931_parm_xi (void)
{
gcry_mpi_t xi;
xi = mpi_snew (101);
_gcry_mpi_randomize (xi, 101, GCRY_VERY_STRONG_RANDOM);
mpi_set_highbit (xi, 100);
gcry_assert ( mpi_get_nbits (xi) == 101 );
return xi;
}
/* Variant of the standard key generation code using the algorithm
from X9.31. Using this algorithm has the advantage that the
generation can be made deterministic which is required for CAVS
testing. */
static gpg_err_code_t
generate_x931 (RSA_secret_key *sk, unsigned int nbits, unsigned long e_value,
gcry_sexp_t deriveparms, int *swapped)
{
gcry_mpi_t p, q; /* The two primes. */
gcry_mpi_t e; /* The public exponent. */
gcry_mpi_t n; /* The public key. */
gcry_mpi_t d; /* The private key */
gcry_mpi_t u; /* The inverse of p and q. */
gcry_mpi_t pm1; /* p - 1 */
gcry_mpi_t qm1; /* q - 1 */
gcry_mpi_t phi; /* Euler totient. */
gcry_mpi_t f, g; /* Helper. */
*swapped = 0;
if (e_value == 0) /* 65537 is the libgcrypt's selection. */
e_value = 65537;
else if (e_value == 1) /* Alias for a secure value. */
e_value = 65537;
/* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */
if (nbits < 1024 || (nbits % 256))
return GPG_ERR_INV_VALUE;
/* Point 2: 2 <= bitlength(e) < 2^{k-2}
Note that we do not need to check the upper bound because we use
an unsigned long for E and thus there is no way for E to reach
that limit. */
if (e_value < 3)
return GPG_ERR_INV_VALUE;
/* Our implementation requires E to be odd. */
if (!(e_value & 1))
return GPG_ERR_INV_VALUE;
/* Point 3: e > 0 or e 0 if it is to be randomly generated.
We support only a fixed E and thus there is no need for an extra test. */
/* Compute or extract the derive parameters. */
{
gcry_mpi_t xp1 = NULL;
gcry_mpi_t xp2 = NULL;
gcry_mpi_t xp = NULL;
gcry_mpi_t xq1 = NULL;
gcry_mpi_t xq2 = NULL;
gcry_mpi_t xq = NULL;
gcry_mpi_t tmpval;
if (!deriveparms)
{
/* Not given: Generate them. */
xp = gen_x931_parm_xp (nbits/2);
/* Make sure that |xp - xq| > 2^{nbits - 100} holds. */
tmpval = mpi_snew (nbits/2);
do
{
_gcry_mpi_release (xq);
xq = gen_x931_parm_xp (nbits/2);
mpi_sub (tmpval, xp, xq);
}
while (mpi_get_nbits (tmpval) <= (nbits/2 - 100));
_gcry_mpi_release (tmpval);
xp1 = gen_x931_parm_xi ();
xp2 = gen_x931_parm_xi ();
xq1 = gen_x931_parm_xi ();
xq2 = gen_x931_parm_xi ();
}
else
{
/* Parameters to derive the key are given. */
/* Note that we explicitly need to setup the values of tbl
because some compilers (e.g. OpenWatcom, IRIX) don't allow
to initialize a structure with automatic variables. */
struct { const char *name; gcry_mpi_t *value; } tbl[] = {
{ "Xp1" },
{ "Xp2" },
{ "Xp" },
{ "Xq1" },
{ "Xq2" },
{ "Xq" },
{ NULL }
};
int idx;
gcry_sexp_t oneparm;
tbl[0].value = &xp1;
tbl[1].value = &xp2;
tbl[2].value = &xp;
tbl[3].value = &xq1;
tbl[4].value = &xq2;
tbl[5].value = &xq;
for (idx=0; tbl[idx].name; idx++)
{
oneparm = sexp_find_token (deriveparms, tbl[idx].name, 0);
if (oneparm)
{
*tbl[idx].value = sexp_nth_mpi (oneparm, 1, GCRYMPI_FMT_USG);
sexp_release (oneparm);
}
}
for (idx=0; tbl[idx].name; idx++)
if (!*tbl[idx].value)
break;
if (tbl[idx].name)
{
/* At least one parameter is missing. */
for (idx=0; tbl[idx].name; idx++)
_gcry_mpi_release (*tbl[idx].value);
return GPG_ERR_MISSING_VALUE;
}
}
e = mpi_alloc_set_ui (e_value);
/* Find two prime numbers. */
p = _gcry_derive_x931_prime (xp, xp1, xp2, e, NULL, NULL);
q = _gcry_derive_x931_prime (xq, xq1, xq2, e, NULL, NULL);
_gcry_mpi_release (xp); xp = NULL;
_gcry_mpi_release (xp1); xp1 = NULL;
_gcry_mpi_release (xp2); xp2 = NULL;
_gcry_mpi_release (xq); xq = NULL;
_gcry_mpi_release (xq1); xq1 = NULL;
_gcry_mpi_release (xq2); xq2 = NULL;
if (!p || !q)
{
_gcry_mpi_release (p);
_gcry_mpi_release (q);
_gcry_mpi_release (e);
return GPG_ERR_NO_PRIME;
}
}
/* Compute the public modulus. We make sure that p is smaller than
q to allow the use of the CRT. */
if (mpi_cmp (p, q) > 0 )
{
mpi_swap (p, q);
*swapped = 1;
}
n = mpi_new (nbits);
mpi_mul (n, p, q);
/* Compute the Euler totient: phi = (p-1)(q-1) */
pm1 = mpi_snew (nbits/2);
qm1 = mpi_snew (nbits/2);
phi = mpi_snew (nbits);
mpi_sub_ui (pm1, p, 1);
mpi_sub_ui (qm1, q, 1);
mpi_mul (phi, pm1, qm1);
g = mpi_snew (nbits);
gcry_assert (mpi_gcd (g, e, phi));
/* Compute: f = lcm(p-1,q-1) = phi / gcd(p-1,q-1) */
mpi_gcd (g, pm1, qm1);
f = pm1; pm1 = NULL;
_gcry_mpi_release (qm1); qm1 = NULL;
mpi_fdiv_q (f, phi, g);
_gcry_mpi_release (phi); phi = NULL;
d = g; g = NULL;
/* Compute the secret key: d = e^{-1} mod lcm(p-1,q-1) */
mpi_invm (d, e, f);
/* Compute the inverse of p and q. */
u = f; f = NULL;
mpi_invm (u, p, q );
if( DBG_CIPHER )
{
if (*swapped)
log_debug ("p and q are swapped\n");
log_mpidump(" p", p );
log_mpidump(" q", q );
log_mpidump(" n", n );
log_mpidump(" e", e );
log_mpidump(" d", d );
log_mpidump(" u", u );
}
sk->n = n;
sk->e = e;
sk->p = p;
sk->q = q;
sk->d = d;
sk->u = u;
/* Now we can test our keys. */
if (test_keys (sk, nbits - 64))
{
_gcry_mpi_release (sk->n); sk->n = NULL;
_gcry_mpi_release (sk->e); sk->e = NULL;
_gcry_mpi_release (sk->p); sk->p = NULL;
_gcry_mpi_release (sk->q); sk->q = NULL;
_gcry_mpi_release (sk->d); sk->d = NULL;
_gcry_mpi_release (sk->u); sk->u = NULL;
fips_signal_error ("self-test after key generation failed");
return GPG_ERR_SELFTEST_FAILED;
}
return 0;
}
/****************
* Test whether the secret key is valid.
* Returns: true if this is a valid key.
*/
static int
check_secret_key( RSA_secret_key *sk )
{
int rc;
gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(sk->p)*2 );
mpi_mul(temp, sk->p, sk->q );
rc = mpi_cmp( temp, sk->n );
mpi_free(temp);
return !rc;
}
/****************
* Public key operation. Encrypt INPUT with PKEY and put result into OUTPUT.
*
* c = m^e mod n
*
* Where c is OUTPUT, m is INPUT and e,n are elements of PKEY.
*/
static void
public(gcry_mpi_t output, gcry_mpi_t input, RSA_public_key *pkey )
{
if( output == input ) /* powm doesn't like output and input the same */
{
gcry_mpi_t x = mpi_alloc( mpi_get_nlimbs(input)*2 );
mpi_powm( x, input, pkey->e, pkey->n );
mpi_set(output, x);
mpi_free(x);
}
else
mpi_powm( output, input, pkey->e, pkey->n );
}
#if 0
static void
stronger_key_check ( RSA_secret_key *skey )
{
gcry_mpi_t t = mpi_alloc_secure ( 0 );
gcry_mpi_t t1 = mpi_alloc_secure ( 0 );
gcry_mpi_t t2 = mpi_alloc_secure ( 0 );
gcry_mpi_t phi = mpi_alloc_secure ( 0 );
/* check that n == p * q */
mpi_mul( t, skey->p, skey->q);
if (mpi_cmp( t, skey->n) )
log_info ( "RSA Oops: n != p * q\n" );
/* check that p is less than q */
if( mpi_cmp( skey->p, skey->q ) > 0 )
{
log_info ("RSA Oops: p >= q - fixed\n");
_gcry_mpi_swap ( skey->p, skey->q);
}
/* check that e divides neither p-1 nor q-1 */
mpi_sub_ui(t, skey->p, 1 );
mpi_fdiv_r(t, t, skey->e );
if ( !mpi_cmp_ui( t, 0) )
log_info ( "RSA Oops: e divides p-1\n" );
mpi_sub_ui(t, skey->q, 1 );
mpi_fdiv_r(t, t, skey->e );
if ( !mpi_cmp_ui( t, 0) )
log_info ( "RSA Oops: e divides q-1\n" );
/* check that d is correct */
mpi_sub_ui( t1, skey->p, 1 );
mpi_sub_ui( t2, skey->q, 1 );
mpi_mul( phi, t1, t2 );
gcry_mpi_gcd(t, t1, t2);
mpi_fdiv_q(t, phi, t);
mpi_invm(t, skey->e, t );
if ( mpi_cmp(t, skey->d ) )
{
log_info ( "RSA Oops: d is wrong - fixed\n");
mpi_set (skey->d, t);
log_printmpi (" fixed d", skey->d);
}
/* check for correctness of u */
mpi_invm(t, skey->p, skey->q );
if ( mpi_cmp(t, skey->u ) )
{
log_info ( "RSA Oops: u is wrong - fixed\n");
mpi_set (skey->u, t);
log_printmpi (" fixed u", skey->u);
}
log_info ( "RSA secret key check finished\n");
mpi_free (t);
mpi_free (t1);
mpi_free (t2);
mpi_free (phi);
}
#endif
/* Secret key operation - standard version.
*
* m = c^d mod n
*/
static void
secret_core_std (gcry_mpi_t M, gcry_mpi_t C,
gcry_mpi_t D, gcry_mpi_t N)
{
mpi_powm (M, C, D, N);
}
/* Secret key operation - using the CRT.
*
* m1 = c ^ (d mod (p-1)) mod p
* m2 = c ^ (d mod (q-1)) mod q
* h = u * (m2 - m1) mod q
* m = m1 + h * p
*/
static void
secret_core_crt (gcry_mpi_t M, gcry_mpi_t C,
gcry_mpi_t D, unsigned int Nlimbs,
gcry_mpi_t P, gcry_mpi_t Q, gcry_mpi_t U)
{
gcry_mpi_t m1 = mpi_alloc_secure ( Nlimbs + 1 );
gcry_mpi_t m2 = mpi_alloc_secure ( Nlimbs + 1 );
gcry_mpi_t h = mpi_alloc_secure ( Nlimbs + 1 );
gcry_mpi_t D_blind = mpi_alloc_secure ( Nlimbs + 1 );
gcry_mpi_t r;
unsigned int r_nbits;
r_nbits = mpi_get_nbits (P) / 4;
if (r_nbits < 96)
r_nbits = 96;
r = mpi_secure_new (r_nbits);
/* d_blind = (d mod (p-1)) + (p-1) * r */
/* m1 = c ^ d_blind mod p */
_gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
mpi_set_highbit (r, r_nbits - 1);
mpi_sub_ui ( h, P, 1 );
mpi_mul ( D_blind, h, r );
mpi_fdiv_r ( h, D, h );
mpi_add ( D_blind, D_blind, h );
mpi_powm ( m1, C, D_blind, P );
/* d_blind = (d mod (q-1)) + (q-1) * r */
/* m2 = c ^ d_blind mod q */
_gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
mpi_set_highbit (r, r_nbits - 1);
mpi_sub_ui ( h, Q, 1 );
mpi_mul ( D_blind, h, r );
mpi_fdiv_r ( h, D, h );
mpi_add ( D_blind, D_blind, h );
mpi_powm ( m2, C, D_blind, Q );
mpi_free ( r );
mpi_free ( D_blind );
/* h = u * ( m2 - m1 ) mod q */
mpi_sub ( h, m2, m1 );
if ( mpi_has_sign ( h ) )
mpi_add ( h, h, Q );
mpi_mulm ( h, U, h, Q );
/* m = m1 + h * p */
mpi_mul ( h, h, P );
mpi_add ( M, m1, h );
mpi_free ( h );
mpi_free ( m1 );
mpi_free ( m2 );
}
/* Secret key operation.
* Encrypt INPUT with SKEY and put result into
* OUTPUT. SKEY has the secret key parameters.
*/
static void
secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
{
/* Remove superfluous leading zeroes from INPUT. */
mpi_normalize (input);
if (!skey->p || !skey->q || !skey->u)
{
secret_core_std (output, input, skey->d, skey->n);
}
else
{
secret_core_crt (output, input, skey->d, mpi_get_nlimbs (skey->n),
skey->p, skey->q, skey->u);
}
}
static void
secret_blinded (gcry_mpi_t output, gcry_mpi_t input,
RSA_secret_key *sk, unsigned int nbits)
{
gcry_mpi_t r; /* Random number needed for blinding. */
gcry_mpi_t ri; /* Modular multiplicative inverse of r. */
gcry_mpi_t bldata; /* Blinded data to decrypt. */
/* First, we need a random number r between 0 and n - 1, which is
* relatively prime to n (i.e. it is neither p nor q). The random
* number needs to be only unpredictable, thus we employ the
* gcry_create_nonce function by using GCRY_WEAK_RANDOM with
* gcry_mpi_randomize. */
r = mpi_snew (nbits);
ri = mpi_snew (nbits);
bldata = mpi_snew (nbits);
do
{
_gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
mpi_mod (r, r, sk->n);
}
while (!mpi_invm (ri, r, sk->n));
/* Do blinding. We calculate: y = (x * r^e) mod n, where r is the
* random number, e is the public exponent, x is the non-blinded
* input data and n is the RSA modulus. */
mpi_powm (bldata, r, sk->e, sk->n);
mpi_mulm (bldata, bldata, input, sk->n);
/* Perform decryption. */
secret (output, bldata, sk);
_gcry_mpi_release (bldata);
/* Undo blinding. Here we calculate: y = (x * r^-1) mod n, where x
* is the blinded decrypted data, ri is the modular multiplicative
* inverse of r and n is the RSA modulus. */
mpi_mulm (output, output, ri, sk->n);
_gcry_mpi_release (r);
_gcry_mpi_release (ri);
}
/*********************************************
************** interface ******************
*********************************************/
static gcry_err_code_t
rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
{
gpg_err_code_t ec;
unsigned int nbits;
unsigned long evalue;
RSA_secret_key sk;
gcry_sexp_t deriveparms;
int flags = 0;
gcry_sexp_t l1;
gcry_sexp_t swap_info = NULL;
memset (&sk, 0, sizeof sk);
ec = _gcry_pk_util_get_nbits (genparms, &nbits);
if (ec)
return ec;
ec = _gcry_pk_util_get_rsa_use_e (genparms, &evalue);
if (ec)
return ec;
/* Parse the optional flags list. */
l1 = sexp_find_token (genparms, "flags", 0);
if (l1)
{
ec = _gcry_pk_util_parse_flaglist (l1, &flags, NULL);
sexp_release (l1);
if (ec)
return ec;
}
deriveparms = (genparms?
sexp_find_token (genparms, "derive-parms", 0) : NULL);
if (!deriveparms)
{
/* Parse the optional "use-x931" flag. */
l1 = sexp_find_token (genparms, "use-x931", 0);
if (l1)
{
flags |= PUBKEY_FLAG_USE_X931;
sexp_release (l1);
}
}
if (deriveparms || (flags & PUBKEY_FLAG_USE_X931))
{
int swapped;
ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped);
sexp_release (deriveparms);
if (!ec && swapped)
ec = sexp_new (&swap_info, "(misc-key-info(p-q-swapped))", 0, 1);
}
else
{
/* Parse the optional "transient-key" flag. */
if (!(flags & PUBKEY_FLAG_TRANSIENT_KEY))
{
l1 = sexp_find_token (genparms, "transient-key", 0);
if (l1)
{
flags |= PUBKEY_FLAG_TRANSIENT_KEY;
sexp_release (l1);
}
}
deriveparms = (genparms? sexp_find_token (genparms, "test-parms", 0)
/**/ : NULL);
/* Generate. */
- if (deriveparms || fips_mode())
+ if (deriveparms || fips_mode ())
{
ec = generate_fips (&sk, nbits, evalue, deriveparms,
!!(flags & PUBKEY_FLAG_TRANSIENT_KEY));
}
else
{
ec = generate_std (&sk, nbits, evalue,
!!(flags & PUBKEY_FLAG_TRANSIENT_KEY));
}
sexp_release (deriveparms);
}
if (!ec)
{
ec = sexp_build (r_skey, NULL,
"(key-data"
" (public-key"
" (rsa(n%m)(e%m)))"
" (private-key"
" (rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m)))"
" %S)",
sk.n, sk.e,
sk.n, sk.e, sk.d, sk.p, sk.q, sk.u,
swap_info);
}
mpi_free (sk.n);
mpi_free (sk.e);
mpi_free (sk.p);
mpi_free (sk.q);
mpi_free (sk.d);
mpi_free (sk.u);
sexp_release (swap_info);
+ if (!ec && fips_mode () && test_keys_fips (*r_skey))
+ {
+ sexp_release (*r_skey); *r_skey = NULL;
+ fips_signal_error ("self-test after key generation failed");
+ return GPG_ERR_SELFTEST_FAILED;
+ }
+
return ec;
}
static gcry_err_code_t
rsa_check_secret_key (gcry_sexp_t keyparms)
{
gcry_err_code_t rc;
RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL};
/* To check the key we need the optional parameters. */
rc = sexp_extract_param (keyparms, NULL, "nedpqu",
&sk.n, &sk.e, &sk.d, &sk.p, &sk.q, &sk.u,
NULL);
if (rc)
goto leave;
if (!check_secret_key (&sk))
rc = GPG_ERR_BAD_SECKEY;
leave:
_gcry_mpi_release (sk.n);
_gcry_mpi_release (sk.e);
_gcry_mpi_release (sk.d);
_gcry_mpi_release (sk.p);
_gcry_mpi_release (sk.q);
_gcry_mpi_release (sk.u);
if (DBG_CIPHER)
log_debug ("rsa_testkey => %s\n", gpg_strerror (rc));
return rc;
}
static gcry_err_code_t
rsa_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms)
{
gcry_err_code_t rc;
struct pk_encoding_ctx ctx;
gcry_mpi_t data = NULL;
RSA_public_key pk = {NULL, NULL};
gcry_mpi_t ciph = NULL;
unsigned int nbits = rsa_get_nbits (keyparms);
rc = rsa_check_keysize (nbits);
if (rc)
return rc;
_gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_ENCRYPT, nbits);
/* Extract the data. */
rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx);
if (rc)
goto leave;
if (DBG_CIPHER)
log_mpidump ("rsa_encrypt data", data);
if (!data || mpi_is_opaque (data))
{
rc = GPG_ERR_INV_DATA;
goto leave;
}
/* Extract the key. */
rc = sexp_extract_param (keyparms, NULL, "ne", &pk.n, &pk.e, NULL);
if (rc)
goto leave;
if (DBG_CIPHER)
{
log_mpidump ("rsa_encrypt n", pk.n);
log_mpidump ("rsa_encrypt e", pk.e);
}
/* Do RSA computation and build result. */
ciph = mpi_new (0);
public (ciph, data, &pk);
if (DBG_CIPHER)
log_mpidump ("rsa_encrypt res", ciph);
if ((ctx.flags & PUBKEY_FLAG_FIXEDLEN))
{
/* We need to make sure to return the correct length to avoid
problems with missing leading zeroes. */
unsigned char *em;
size_t emlen = (mpi_get_nbits (pk.n)+7)/8;
rc = _gcry_mpi_to_octet_string (&em, NULL, ciph, emlen);
if (!rc)
{
rc = sexp_build (r_ciph, NULL, "(enc-val(rsa(a%b)))", (int)emlen, em);
xfree (em);
}
}
else
rc = sexp_build (r_ciph, NULL, "(enc-val(rsa(a%m)))", ciph);
leave:
_gcry_mpi_release (ciph);
_gcry_mpi_release (pk.n);
_gcry_mpi_release (pk.e);
_gcry_mpi_release (data);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
log_debug ("rsa_encrypt => %s\n", gpg_strerror (rc));
return rc;
}
static gcry_err_code_t
rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
{
gpg_err_code_t rc;
struct pk_encoding_ctx ctx;
gcry_sexp_t l1 = NULL;
gcry_mpi_t data = NULL;
RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL};
gcry_mpi_t plain = NULL;
unsigned char *unpad = NULL;
size_t unpadlen = 0;
unsigned int nbits = rsa_get_nbits (keyparms);
rc = rsa_check_keysize (nbits);
if (rc)
return rc;
_gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_DECRYPT, nbits);
/* Extract the data. */
rc = _gcry_pk_util_preparse_encval (s_data, rsa_names, &l1, &ctx);
if (rc)
goto leave;
rc = sexp_extract_param (l1, NULL, "a", &data, NULL);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printmpi ("rsa_decrypt data", data);
if (mpi_is_opaque (data))
{
rc = GPG_ERR_INV_DATA;
goto leave;
}
if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1))
{
rc = GPG_ERR_INV_FLAG;
goto leave;
}
/* Extract the key. */
rc = sexp_extract_param (keyparms, NULL, "nedp?q?u?",
&sk.n, &sk.e, &sk.d, &sk.p, &sk.q, &sk.u,
NULL);
if (rc)
goto leave;
if (DBG_CIPHER)
{
log_printmpi ("rsa_decrypt n", sk.n);
log_printmpi ("rsa_decrypt e", sk.e);
if (!fips_mode ())
{
log_printmpi ("rsa_decrypt d", sk.d);
log_printmpi ("rsa_decrypt p", sk.p);
log_printmpi ("rsa_decrypt q", sk.q);
log_printmpi ("rsa_decrypt u", sk.u);
}
}
/* Better make sure that there are no superfluous leading zeroes in
the input and it has not been "padded" using multiples of N.
This mitigates side-channel attacks (CVE-2013-4576). */
mpi_normalize (data);
mpi_fdiv_r (data, data, sk.n);
/* Allocate MPI for the plaintext. */
plain = mpi_snew (nbits);
/* We use blinding by default to mitigate timing attacks which can
be practically mounted over the network as shown by Brumley and
Boney in 2003. */
if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
secret (plain, data, &sk);
else
secret_blinded (plain, data, &sk, nbits);
if (DBG_CIPHER)
log_printmpi ("rsa_decrypt res", plain);
/* Reverse the encoding and build the s-expression. */
switch (ctx.encoding)
{
case PUBKEY_ENC_PKCS1:
rc = _gcry_rsa_pkcs1_decode_for_enc (&unpad, &unpadlen, nbits, plain);
mpi_free (plain);
plain = NULL;
if (!rc)
rc = sexp_build (r_plain, NULL, "(value %b)", (int)unpadlen, unpad);
break;
case PUBKEY_ENC_OAEP:
rc = _gcry_rsa_oaep_decode (&unpad, &unpadlen,
nbits, ctx.hash_algo,
plain, ctx.label, ctx.labellen);
mpi_free (plain);
plain = NULL;
if (!rc)
rc = sexp_build (r_plain, NULL, "(value %b)", (int)unpadlen, unpad);
break;
default:
/* Raw format. For backward compatibility we need to assume a
signed mpi by using the sexp format string "%m". */
rc = sexp_build (r_plain, NULL,
(ctx.flags & PUBKEY_FLAG_LEGACYRESULT)
? "%m":"(value %m)", plain);
break;
}
leave:
xfree (unpad);
_gcry_mpi_release (plain);
_gcry_mpi_release (sk.n);
_gcry_mpi_release (sk.e);
_gcry_mpi_release (sk.d);
_gcry_mpi_release (sk.p);
_gcry_mpi_release (sk.q);
_gcry_mpi_release (sk.u);
_gcry_mpi_release (data);
sexp_release (l1);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
log_debug ("rsa_decrypt => %s\n", gpg_strerror (rc));
return rc;
}
static gcry_err_code_t
rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
{
gpg_err_code_t rc;
struct pk_encoding_ctx ctx;
gcry_mpi_t data = NULL;
RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL};
RSA_public_key pk;
gcry_mpi_t sig = NULL;
gcry_mpi_t result = NULL;
unsigned int nbits = rsa_get_nbits (keyparms);
rc = rsa_check_keysize (nbits);
if (rc)
return rc;
_gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN, nbits);
/* Extract the data. */
rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printmpi ("rsa_sign data", data);
if (mpi_is_opaque (data))
{
rc = GPG_ERR_INV_DATA;
goto leave;
}
/* Extract the key. */
rc = sexp_extract_param (keyparms, NULL, "nedp?q?u?",
&sk.n, &sk.e, &sk.d, &sk.p, &sk.q, &sk.u,
NULL);
if (rc)
goto leave;
if (DBG_CIPHER)
{
log_printmpi ("rsa_sign n", sk.n);
log_printmpi ("rsa_sign e", sk.e);
if (!fips_mode ())
{
log_printmpi ("rsa_sign d", sk.d);
log_printmpi ("rsa_sign p", sk.p);
log_printmpi ("rsa_sign q", sk.q);
log_printmpi ("rsa_sign u", sk.u);
}
}
/* Do RSA computation. */
sig = mpi_new (0);
if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
secret (sig, data, &sk);
else
secret_blinded (sig, data, &sk, nbits);
if (DBG_CIPHER)
log_printmpi ("rsa_sign res", sig);
/* Check that the created signature is good. This detects a failure
of the CRT algorithm (Lenstra's attack on RSA's use of the CRT). */
result = mpi_new (0);
pk.n = sk.n;
pk.e = sk.e;
public (result, sig, &pk);
if (mpi_cmp (result, data))
{
rc = GPG_ERR_BAD_SIGNATURE;
goto leave;
}
/* Convert the result. */
if ((ctx.flags & PUBKEY_FLAG_FIXEDLEN))
{
/* We need to make sure to return the correct length to avoid
problems with missing leading zeroes. */
unsigned char *em;
size_t emlen = (mpi_get_nbits (sk.n)+7)/8;
rc = _gcry_mpi_to_octet_string (&em, NULL, sig, emlen);
if (!rc)
{
rc = sexp_build (r_sig, NULL, "(sig-val(rsa(s%b)))", (int)emlen, em);
xfree (em);
}
}
else
rc = sexp_build (r_sig, NULL, "(sig-val(rsa(s%M)))", sig);
leave:
_gcry_mpi_release (result);
_gcry_mpi_release (sig);
_gcry_mpi_release (sk.n);
_gcry_mpi_release (sk.e);
_gcry_mpi_release (sk.d);
_gcry_mpi_release (sk.p);
_gcry_mpi_release (sk.q);
_gcry_mpi_release (sk.u);
_gcry_mpi_release (data);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
log_debug ("rsa_sign => %s\n", gpg_strerror (rc));
return rc;
}
static gcry_err_code_t
rsa_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
{
gcry_err_code_t rc;
struct pk_encoding_ctx ctx;
gcry_sexp_t l1 = NULL;
gcry_mpi_t sig = NULL;
gcry_mpi_t data = NULL;
RSA_public_key pk = { NULL, NULL };
gcry_mpi_t result = NULL;
unsigned int nbits = rsa_get_nbits (keyparms);
rc = rsa_check_verify_keysize (nbits);
if (rc)
return rc;
_gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_VERIFY, nbits);
/* Extract the data. */
rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printmpi ("rsa_verify data", data);
if (ctx.encoding != PUBKEY_ENC_PSS && mpi_is_opaque (data))
{
rc = GPG_ERR_INV_DATA;
goto leave;
}
/* Extract the signature value. */
rc = _gcry_pk_util_preparse_sigval (s_sig, rsa_names, &l1, NULL);
if (rc)
goto leave;
rc = sexp_extract_param (l1, NULL, "s", &sig, NULL);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printmpi ("rsa_verify sig", sig);
/* Extract the key. */
rc = sexp_extract_param (keyparms, NULL, "ne", &pk.n, &pk.e, NULL);
if (rc)
goto leave;
if (DBG_CIPHER)
{
log_printmpi ("rsa_verify n", pk.n);
log_printmpi ("rsa_verify e", pk.e);
}
/* Do RSA computation and compare. */
result = mpi_new (0);
public (result, sig, &pk);
if (DBG_CIPHER)
log_printmpi ("rsa_verify cmp", result);
if (ctx.verify_cmp)
rc = ctx.verify_cmp (&ctx, result);
else
rc = mpi_cmp (result, data) ? GPG_ERR_BAD_SIGNATURE : 0;
leave:
_gcry_mpi_release (result);
_gcry_mpi_release (pk.n);
_gcry_mpi_release (pk.e);
_gcry_mpi_release (data);
_gcry_mpi_release (sig);
sexp_release (l1);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
log_debug ("rsa_verify => %s\n", rc?gpg_strerror (rc):"Good");
return rc;
}
/* Return the number of bits for the key described by PARMS. On error
* 0 is returned. The format of PARMS starts with the algorithm name;
* for example:
*
* (rsa
* (n <mpi>)
* (e <mpi>))
*
* More parameters may be given but we only need N here.
*/
static unsigned int
rsa_get_nbits (gcry_sexp_t parms)
{
gcry_sexp_t l1;
gcry_mpi_t n;
unsigned int nbits;
l1 = sexp_find_token (parms, "n", 1);
if (!l1)
return 0; /* Parameter N not found. */
n = sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
sexp_release (l1);
nbits = n? mpi_get_nbits (n) : 0;
_gcry_mpi_release (n);
return nbits;
}
/* Compute a keygrip. MD is the hash context which we are going to
update. KEYPARAM is an S-expression with the key parameters, this
is usually a public key but may also be a secret key. An example
of such an S-expression is:
(rsa
(n #00B...#)
(e #010001#))
PKCS-15 says that for RSA only the modulus should be hashed -
however, it is not clear whether this is meant to use the raw bytes
(assuming this is an unsigned integer) or whether the DER required
0 should be prefixed. We hash the raw bytes. */
static gpg_err_code_t
compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparam)
{
gcry_sexp_t l1;
const char *data;
size_t datalen;
l1 = sexp_find_token (keyparam, "n", 1);
if (!l1)
return GPG_ERR_NO_OBJ;
data = sexp_nth_data (l1, 1, &datalen);
if (!data)
{
sexp_release (l1);
return GPG_ERR_NO_OBJ;
}
_gcry_md_write (md, data, datalen);
sexp_release (l1);
return 0;
}
/*
Self-test section.
*/
static const char *
selftest_hash_sign_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
{
int md_algo = GCRY_MD_SHA256;
gcry_md_hd_t hd = NULL;
const char *data_tmpl = "(data (flags pkcs1) (hash %s %b))";
static const char sample_data[] =
"11223344556677889900aabbccddeeff"
"102030405060708090a0b0c0d0f01121";
static const char sample_data_bad[] =
"11223344556677889900aabbccddeeff"
"802030405060708090a0b0c0d0f01121";
const char *errtxt = NULL;
gcry_error_t err;
gcry_sexp_t sig = NULL;
/* raw signature data reference */
const char ref_data[] =
"518f41dea3ad884e93eefff8d7ca68a6f4c30d923632e35673651d675cebd652"
"a44ed66f6879b18f3d48b2d235b1dd78f6189be1440352cc94231a55c1f93109"
"84616b2841c42fe9a6e37be34cd188207209bd028e2fa93e721fbac40c31a068"
"1253b312d4e07addb9c7f3d508fa89f218ea7c7f7b9f6a9b1e522c19fa1cd839"
"93f9d4ca2f16c3d0b9abafe5e63e848152afc72ce7ee19ea45353116f85209ea"
"b9de42129dbccdac8faa461e8e8cc2ae801101cc6add4ba76ccb752030b0e827"
"7352b11cdecebae9cdc9a626c4701cd9c85cd287618888c5fae8b4d0ba48915d"
"e5cc64e3aee2ba2862d04348ea71f65454f74f9fd1e3108005cc367ca41585a4";
gcry_mpi_t ref_mpi = NULL;
gcry_mpi_t sig_mpi = NULL;
err = _gcry_md_open (&hd, md_algo, 0);
if (err)
{
errtxt = "gcry_md_open failed";
goto leave;
}
_gcry_md_write (hd, sample_data, sizeof(sample_data));
err = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
if (err)
{
errtxt = "signing failed";
goto leave;
}
err = _gcry_mpi_scan(&ref_mpi, GCRYMPI_FMT_HEX, ref_data, 0, NULL);
if (err)
{
errtxt = "converting ref_data to mpi failed";
goto leave;
}
err = _gcry_sexp_extract_param(sig, "sig-val!rsa", "s", &sig_mpi, NULL);
if (err)
{
errtxt = "extracting signature data failed";
goto leave;
}
if (mpi_cmp (sig_mpi, ref_mpi))
{
errtxt = "signature does not match reference data";
goto leave;
}
err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
if (err)
{
errtxt = "verify failed";
goto leave;
}
_gcry_md_reset(hd);
_gcry_md_write (hd, sample_data_bad, sizeof(sample_data_bad));
err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
{
errtxt = "bad signature not detected";
goto leave;
}
leave:
sexp_release (sig);
_gcry_md_close (hd);
_gcry_mpi_release (ref_mpi);
_gcry_mpi_release (sig_mpi);
return errtxt;
}
static const char *
selftest_sign_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
{
static const char sample_data[] =
"(data (flags pkcs1)"
" (hash sha256 #11223344556677889900aabbccddeeff"
/**/ "102030405060708090a0b0c0d0f01121#))";
static const char sample_data_bad[] =
"(data (flags pkcs1)"
" (hash sha256 #11223344556677889900aabbccddeeff"
/**/ "802030405060708090a0b0c0d0f01121#))";
const char *errtxt = NULL;
gcry_error_t err;
gcry_sexp_t data = NULL;
gcry_sexp_t data_bad = NULL;
gcry_sexp_t sig = NULL;
/* raw signature data reference */
const char ref_data[] =
"6252a19a11e1d5155ed9376036277193d644fa239397fff03e9b92d6f86415d6"
"d30da9273775f290e580d038295ff8ff89522becccfa6ae870bf76b76df402a8"
"54f69347e3db3de8e1e7d4dada281ec556810c7a8ecd0b5f51f9b1c0e7aa7557"
"61aa2b8ba5f811304acc6af0eca41fe49baf33bf34eddaf44e21e036ac7f0b68"
"03cdef1c60021fb7b5b97ebacdd88ab755ce29af568dbc5728cc6e6eff42618d"
"62a0386ca8beed46402bdeeef29b6a3feded906bace411a06a39192bf516ae10"
"67e4320fa8ea113968525f4574d022a3ceeaafdc41079efe1f22cc94bf59d8d3"
"328085da9674857db56de5978a62394aab48aa3b72e23a1b16260cfd9daafe65";
gcry_mpi_t ref_mpi = NULL;
gcry_mpi_t sig_mpi = NULL;
err = sexp_sscan (&data, NULL, sample_data, strlen (sample_data));
if (!err)
err = sexp_sscan (&data_bad, NULL,
sample_data_bad, strlen (sample_data_bad));
if (err)
{
errtxt = "converting data failed";
goto leave;
}
err = _gcry_pk_sign (&sig, data, skey);
if (err)
{
errtxt = "signing failed";
goto leave;
}
err = _gcry_mpi_scan(&ref_mpi, GCRYMPI_FMT_HEX, ref_data, 0, NULL);
if (err)
{
errtxt = "converting ref_data to mpi failed";
goto leave;
}
err = _gcry_sexp_extract_param(sig, "sig-val!rsa", "s", &sig_mpi, NULL);
if (err)
{
errtxt = "extracting signature data failed";
goto leave;
}
if (mpi_cmp (sig_mpi, ref_mpi))
{
errtxt = "signature does not match reference data";
goto leave;
}
err = _gcry_pk_verify (sig, data, pkey);
if (err)
{
errtxt = "verify failed";
goto leave;
}
err = _gcry_pk_verify (sig, data_bad, pkey);
if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
{
errtxt = "bad signature not detected";
goto leave;
}
leave:
sexp_release (sig);
sexp_release (data_bad);
sexp_release (data);
_gcry_mpi_release (ref_mpi);
_gcry_mpi_release (sig_mpi);
return errtxt;
}
/* Given an S-expression ENCR_DATA of the form:
(enc-val
(rsa
(a a-value)))
as returned by gcry_pk_decrypt, return the the A-VALUE. On error,
return NULL. */
static gcry_mpi_t
extract_a_from_sexp (gcry_sexp_t encr_data)
{
gcry_sexp_t l1, l2, l3;
gcry_mpi_t a_value;
l1 = sexp_find_token (encr_data, "enc-val", 0);
if (!l1)
return NULL;
l2 = sexp_find_token (l1, "rsa", 0);
sexp_release (l1);
if (!l2)
return NULL;
l3 = sexp_find_token (l2, "a", 0);
sexp_release (l2);
if (!l3)
return NULL;
a_value = sexp_nth_mpi (l3, 1, 0);
sexp_release (l3);
return a_value;
}
static const char *
selftest_encr_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
{
const char *errtxt = NULL;
gcry_error_t err;
static const char plaintext[] =
"Jim quickly realized that the beautiful gowns are expensive.";
gcry_sexp_t plain = NULL;
gcry_sexp_t encr = NULL;
gcry_mpi_t ciphertext = NULL;
gcry_sexp_t decr = NULL;
char *decr_plaintext = NULL;
gcry_sexp_t tmplist = NULL;
/* expected result of encrypting the plaintext with sample_secret_key */
static const char ref_data[] =
"18022e2593a402a737caaa93b4c7e750e20ca265452980e1d6b7710fbd3e"
"7dce72be5c2110fb47691cb38f42170ee3b4a37f2498d4a51567d762585e"
"4cb81d04fbc7df4144f8e5eac2d4b8688521b64011f11d7ad53f4c874004"
"819856f2e2a6f83d1c9c4e73ac26089789c14482b0b8d44139133c88c4a5"
"2dba9dd6d6ffc622666b7d129168333d999706af30a2d7d272db7734e5ed"
"fb8c64ea3018af3ad20f4a013a5060cb0f5e72753967bebe294280a6ed0d"
"dbd3c4f11d0a8696e9d32a0dc03deb0b5e49b2cbd1503392642d4e1211f3"
"e8e2ee38abaa3671ccd57fcde8ca76e85fd2cb77c35706a970a213a27352"
"cec92a9604d543ddb5fc478ff50e0622";
gcry_mpi_t ref_mpi = NULL;
/* Put the plaintext into an S-expression. */
err = sexp_build (&plain, NULL, "(data (flags raw) (value %s))", plaintext);
if (err)
{
errtxt = "converting data failed";
goto leave;
}
/* Encrypt. */
err = _gcry_pk_encrypt (&encr, plain, pkey);
if (err)
{
errtxt = "encrypt failed";
goto leave;
}
err = _gcry_mpi_scan(&ref_mpi, GCRYMPI_FMT_HEX, ref_data, 0, NULL);
if (err)
{
errtxt = "converting encrydata to mpi failed";
goto leave;
}
/* Extraxt the ciphertext from the returned S-expression. */
/*sexp_dump (encr);*/
ciphertext = extract_a_from_sexp (encr);
if (!ciphertext)
{
errtxt = "gcry_pk_encrypt returned garbage";
goto leave;
}
/* Check that the ciphertext does no match the plaintext. */
/* _gcry_log_printmpi ("plaintext", plaintext); */
/* _gcry_log_printmpi ("ciphertxt", ciphertext); */
if (mpi_cmp (ref_mpi, ciphertext))
{
errtxt = "ciphertext doesn't match reference data";
goto leave;
}
/* Decrypt. */
err = _gcry_pk_decrypt (&decr, encr, skey);
if (err)
{
errtxt = "decrypt failed";
goto leave;
}
/* Extract the decrypted data from the S-expression. Note that the
output of gcry_pk_decrypt depends on whether a flags lists occurs
in its input data. Because we passed the output of
gcry_pk_encrypt directly to gcry_pk_decrypt, such a flag value
won't be there as of today. To be prepared for future changes we
take care of it anyway. */
tmplist = sexp_find_token (decr, "value", 0);
if (tmplist)
decr_plaintext = sexp_nth_string (tmplist, 1);
else
decr_plaintext = sexp_nth_string (decr, 0);
if (!decr_plaintext)
{
errtxt = "decrypt returned no plaintext";
goto leave;
}
/* Check that the decrypted plaintext matches the original plaintext. */
if (strcmp (plaintext, decr_plaintext))
{
errtxt = "mismatch";
goto leave;
}
leave:
sexp_release (tmplist);
xfree (decr_plaintext);
sexp_release (decr);
_gcry_mpi_release (ciphertext);
_gcry_mpi_release (ref_mpi);
sexp_release (encr);
sexp_release (plain);
return errtxt;
}
static gpg_err_code_t
selftests_rsa (selftest_report_func_t report, int extended)
{
const char *what;
const char *errtxt;
gcry_error_t err;
gcry_sexp_t skey = NULL;
gcry_sexp_t pkey = NULL;
/* Convert the S-expressions into the internal representation. */
what = "convert";
err = sexp_sscan (&skey, NULL, sample_secret_key, strlen (sample_secret_key));
if (!err)
err = sexp_sscan (&pkey, NULL,
sample_public_key, strlen (sample_public_key));
if (err)
{
errtxt = _gcry_strerror (err);
goto failed;
}
what = "key consistency";
err = _gcry_pk_testkey (skey);
if (err)
{
errtxt = _gcry_strerror (err);
goto failed;
}
if (extended)
{
what = "sign";
errtxt = selftest_sign_2048 (pkey, skey);
if (errtxt)
goto failed;
}
what = "digest sign";
errtxt = selftest_hash_sign_2048 (pkey, skey);
if (errtxt)
goto failed;
what = "encrypt";
errtxt = selftest_encr_2048 (pkey, skey);
if (errtxt)
goto failed;
sexp_release (pkey);
sexp_release (skey);
return 0; /* Succeeded. */
failed:
sexp_release (pkey);
sexp_release (skey);
if (report)
report ("pubkey", GCRY_PK_RSA, what, errtxt);
return GPG_ERR_SELFTEST_FAILED;
}
/* Run a full self-test for ALGO and return 0 on success. */
static gpg_err_code_t
run_selftests (int algo, int extended, selftest_report_func_t report)
{
gpg_err_code_t ec;
switch (algo)
{
case GCRY_PK_RSA:
ec = selftests_rsa (report, extended);
break;
default:
ec = GPG_ERR_PUBKEY_ALGO;
break;
}
return ec;
}
gcry_pk_spec_t _gcry_pubkey_spec_rsa =
{
GCRY_PK_RSA, { 0, 1 },
(GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR),
"RSA", rsa_names,
"ne", "nedpqu", "a", "s", "n",
rsa_generate,
rsa_check_secret_key,
rsa_encrypt,
rsa_decrypt,
rsa_sign,
rsa_verify,
rsa_get_nbits,
run_selftests,
compute_keygrip
};
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Sun, Feb 23, 7:59 PM (5 h, 24 m)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
fe/20/026261470ab281bbff572bbc8767
Attached To
rC libgcrypt
Event Timeline
Log In to Comment