diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c index 8b32545a..2025cbca 100644 --- a/cipher/ecc-eddsa.c +++ b/cipher/ecc-eddsa.c @@ -1,1185 +1,1083 @@ /* ecc-eddsa.c - Elliptic Curve EdDSA signatures * Copyright (C) 2013, 2014 g10 Code GmbH * * This file is part of Libgcrypt. * * Libgcrypt is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * Libgcrypt is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this program; if not, see . */ #include #include #include #include #include #include "g10lib.h" #include "mpi.h" #include "cipher.h" #include "context.h" #include "ec-context.h" #include "ecc-common.h" void reverse_buffer (unsigned char *buffer, unsigned int length) { unsigned int tmp, i; for (i=0; i < length/2; i++) { tmp = buffer[i]; buffer[i] = buffer[length-1-i]; buffer[length-1-i] = tmp; } } /* Helper to scan a hex string. */ static gcry_mpi_t scanval (const char *string) { gpg_err_code_t rc; gcry_mpi_t val; rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL); if (rc) log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc)); return val; } /* Encode MPI using the EdDSA scheme. MINLEN specifies the required length of the buffer in bytes. On success 0 is returned an a malloced buffer with the encoded point is stored at R_BUFFER; the length of this buffer is stored at R_BUFLEN. */ static gpg_err_code_t eddsa_encodempi (gcry_mpi_t mpi, unsigned int nbits, unsigned char **r_buffer, unsigned int *r_buflen) { unsigned char *rawmpi; unsigned int rawmpilen; unsigned int minlen = (nbits%8) == 0 ? (nbits/8 + 1): (nbits+7)/8; rawmpi = _gcry_mpi_get_buffer (mpi, minlen, &rawmpilen, NULL); if (!rawmpi) return gpg_err_code_from_syserror (); *r_buffer = rawmpi; *r_buflen = rawmpilen; return 0; } /* Encode (X,Y) using the EdDSA scheme. NBITS is the number of bits of the field of the curve. If WITH_PREFIX is set the returned buffer is prefixed with a 0x40 byte. On success 0 is returned and a malloced buffer with the encoded point is stored at R_BUFFER; the length of this buffer is stored at R_BUFLEN. */ static gpg_err_code_t eddsa_encode_x_y (gcry_mpi_t x, gcry_mpi_t y, unsigned int nbits, int with_prefix, unsigned char **r_buffer, unsigned int *r_buflen) { unsigned char *rawmpi; unsigned int rawmpilen; int off = with_prefix? 1:0; unsigned int minlen = (nbits%8) == 0 ? (nbits/8 + 1): (nbits+7)/8; rawmpi = _gcry_mpi_get_buffer_extra (y, minlen, off?-1:0, &rawmpilen, NULL); if (!rawmpi) return gpg_err_code_from_syserror (); if (mpi_test_bit (x, 0) && rawmpilen) rawmpi[off + rawmpilen - 1] |= 0x80; /* Set sign bit. */ if (off) rawmpi[0] = 0x40; *r_buffer = rawmpi; *r_buflen = rawmpilen + off; return 0; } /* Encode POINT using the EdDSA scheme. X and Y are either scratch variables supplied by the caller or NULL. CTX is the usual context. If WITH_PREFIX is set the returned buffer is prefixed with a 0x40 byte. On success 0 is returned and a malloced buffer with the encoded point is stored at R_BUFFER; the length of this buffer is stored at R_BUFLEN. */ gpg_err_code_t _gcry_ecc_eddsa_encodepoint (mpi_point_t point, mpi_ec_t ec, gcry_mpi_t x_in, gcry_mpi_t y_in, int with_prefix, unsigned char **r_buffer, unsigned int *r_buflen) { gpg_err_code_t rc; gcry_mpi_t x, y; x = x_in? x_in : mpi_new (0); y = y_in? y_in : mpi_new (0); if (_gcry_mpi_ec_get_affine (x, y, point, ec)) { log_error ("eddsa_encodepoint: Failed to get affine coordinates\n"); rc = GPG_ERR_INTERNAL; } else rc = eddsa_encode_x_y (x, y, ec->nbits, with_prefix, r_buffer, r_buflen); if (!x_in) mpi_free (x); if (!y_in) mpi_free (y); return rc; } /* Make sure that the opaque MPI VALUE is in compact EdDSA format. This function updates MPI if needed. */ gpg_err_code_t _gcry_ecc_eddsa_ensure_compact (gcry_mpi_t value, unsigned int nbits) { gpg_err_code_t rc; const unsigned char *buf; unsigned int rawmpilen; gcry_mpi_t x, y; unsigned char *enc; unsigned int enclen; if (!mpi_is_opaque (value)) return GPG_ERR_INV_OBJ; buf = mpi_get_opaque (value, &rawmpilen); if (!buf) return GPG_ERR_INV_OBJ; rawmpilen = (rawmpilen + 7)/8; if (rawmpilen > 1 && (rawmpilen%2)) { if (buf[0] == 0x04) { /* Buffer is in SEC1 uncompressed format. Extract y and compress. */ rc = _gcry_mpi_scan (&x, GCRYMPI_FMT_USG, buf+1, (rawmpilen-1)/2, NULL); if (rc) return rc; rc = _gcry_mpi_scan (&y, GCRYMPI_FMT_USG, buf+1+(rawmpilen-1)/2, (rawmpilen-1)/2, NULL); if (rc) { mpi_free (x); return rc; } rc = eddsa_encode_x_y (x, y, nbits, 0, &enc, &enclen); mpi_free (x); mpi_free (y); if (rc) return rc; mpi_set_opaque (value, enc, 8*enclen); } else if (buf[0] == 0x40) { /* Buffer is compressed but with our SEC1 alike compression indicator. Remove that byte. FIXME: We should write and use a function to manipulate an opaque MPI in place. */ if (!_gcry_mpi_set_opaque_copy (value, buf + 1, (rawmpilen - 1)*8)) return gpg_err_code_from_syserror (); } } return 0; } static gpg_err_code_t ecc_ed448_recover_x (gcry_mpi_t x, gcry_mpi_t y, int x_0, mpi_ec_t ec) { gpg_err_code_t rc = 0; gcry_mpi_t u, v, u3, v3, t; static gcry_mpi_t p34; /* Hard coded (P-3)/4 */ if (mpi_cmp (y, ec->p) >= 0) rc = GPG_ERR_INV_OBJ; if (!p34) p34 = scanval ("3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"); u = mpi_new (0); v = mpi_new (0); u3 = mpi_new (0); v3 = mpi_new (0); t = mpi_new (0); /* Compute u and v */ /* u = y^2 */ mpi_mulm (u, y, y, ec->p); /* v = b*y^2 */ mpi_mulm (v, ec->b, u, ec->p); /* u = y^2-1 */ mpi_sub_ui (u, u, 1); /* v = b*y^2-1 */ mpi_sub_ui (v, v, 1); /* Compute sqrt(u/v) */ /* u3 = u^3 */ mpi_powm (u3, u, mpi_const (MPI_C_THREE), ec->p); mpi_powm (v3, v, mpi_const (MPI_C_THREE), ec->p); /* t = u^4 * u * v3 = u^5 * v^3 */ mpi_powm (t, u, mpi_const (MPI_C_FOUR), ec->p); mpi_mulm (t, t, u, ec->p); mpi_mulm (t, t, v3, ec->p); /* t = t^((p-3)/4) = (u^5 * v^3)^((p-3)/4) */ mpi_powm (t, t, p34, ec->p); /* x = t * u^3 * v = (u^3 * v) * (u^5 * v^3)^((p-3)/4) */ mpi_mulm (t, t, u3, ec->p); mpi_mulm (x, t, v, ec->p); /* t = v * x^2 */ mpi_mulm (t, x, x, ec->p); mpi_mulm (t, t, v, ec->p); if (mpi_cmp (t, u) != 0) rc = GPG_ERR_INV_OBJ; else { if (!mpi_cmp_ui (x, 0) && x_0) rc = GPG_ERR_INV_OBJ; /* Choose the desired square root according to parity */ if (mpi_test_bit (x, 0) != !!x_0) mpi_sub (x, ec->p, x); } mpi_free (t); mpi_free (u3); mpi_free (v3); mpi_free (v); mpi_free (u); return rc; } /* Recover X from Y and SIGN (which actually is a parity bit). */ gpg_err_code_t _gcry_ecc_eddsa_recover_x (gcry_mpi_t x, gcry_mpi_t y, int sign, mpi_ec_t ec) { gpg_err_code_t rc = 0; gcry_mpi_t u, v, v3, t; static gcry_mpi_t p58, seven; /* * This routine is actually curve specific. Now, only supports * Ed25519 and Ed448. */ if (ec->dialect != ECC_DIALECT_ED25519) /* For now, it's only Ed448. */ return ecc_ed448_recover_x (x, y, sign, ec); /* It's Ed25519. */ if (!p58) p58 = scanval ("0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD"); if (!seven) seven = mpi_set_ui (NULL, 7); u = mpi_new (0); v = mpi_new (0); v3 = mpi_new (0); t = mpi_new (0); /* Compute u and v */ /* u = y^2 */ mpi_mulm (u, y, y, ec->p); /* v = b*y^2 */ mpi_mulm (v, ec->b, u, ec->p); /* u = y^2-1 */ mpi_sub_ui (u, u, 1); /* v = b*y^2+1 */ mpi_add_ui (v, v, 1); /* Compute sqrt(u/v) */ /* v3 = v^3 */ mpi_powm (v3, v, mpi_const (MPI_C_THREE), ec->p); /* t = v3 * v3 * u * v = u * v^7 */ mpi_powm (t, v, seven, ec->p); mpi_mulm (t, t, u, ec->p); /* t = t^((p-5)/8) = (u * v^7)^((p-5)/8) */ mpi_powm (t, t, p58, ec->p); /* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */ mpi_mulm (t, t, u, ec->p); mpi_mulm (x, t, v3, ec->p); /* Adjust if needed. */ /* t = v * x^2 */ mpi_mulm (t, x, x, ec->p); mpi_mulm (t, t, v, ec->p); /* -t == u ? x = x * sqrt(-1) */ mpi_sub (t, ec->p, t); if (!mpi_cmp (t, u)) { static gcry_mpi_t m1; /* Fixme: this is not thread-safe. */ if (!m1) m1 = scanval ("2B8324804FC1DF0B2B4D00993DFBD7A7" "2F431806AD2FE478C4EE1B274A0EA0B0"); mpi_mulm (x, x, m1, ec->p); /* t = v * x^2 */ mpi_mulm (t, x, x, ec->p); mpi_mulm (t, t, v, ec->p); /* -t == u ? x = x * sqrt(-1) */ mpi_sub (t, ec->p, t); if (!mpi_cmp (t, u)) rc = GPG_ERR_INV_OBJ; } /* Choose the desired square root according to parity */ if (mpi_test_bit (x, 0) != !!sign) mpi_sub (x, ec->p, x); mpi_free (t); mpi_free (v3); mpi_free (v); mpi_free (u); return rc; } /* Decode the EdDSA style encoded PK and set it into RESULT. CTX is the usual curve context. If R_ENCPK is not NULL, the encoded PK is stored at that address; this is a new copy to be released by the caller. In contrast to the supplied PK, this is not an MPI and thus guaranteed to be properly padded. R_ENCPKLEN receives the length of that encoded key. */ gpg_err_code_t _gcry_ecc_eddsa_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result, unsigned char **r_encpk, unsigned int *r_encpklen) { gpg_err_code_t rc; unsigned char *rawmpi; unsigned int rawmpilen; int sign; if (mpi_is_opaque (pk)) { const unsigned char *buf; unsigned int len; len = (ctx->nbits%8) == 0 ? (ctx->nbits/8 + 1): (ctx->nbits+7)/8; buf = mpi_get_opaque (pk, &rawmpilen); if (!buf) return GPG_ERR_INV_OBJ; rawmpilen = (rawmpilen + 7)/8; if (!(rawmpilen == len || rawmpilen == len + 1 || rawmpilen == len * 2 + 1)) return GPG_ERR_INV_OBJ; /* Handle compression prefixes. The size of the buffer will be odd in this case. */ if (rawmpilen > 1 && (rawmpilen == len + 1 || rawmpilen == len * 2 + 1)) { /* First check whether the public key has been given in standard uncompressed format (SEC1). No need to recover x in this case. */ if (buf[0] == 0x04) { gcry_mpi_t x, y; rc = _gcry_mpi_scan (&x, GCRYMPI_FMT_USG, buf+1, (rawmpilen-1)/2, NULL); if (rc) return rc; rc = _gcry_mpi_scan (&y, GCRYMPI_FMT_USG, buf+1+(rawmpilen-1)/2, (rawmpilen-1)/2,NULL); if (rc) { mpi_free (x); return rc; } if (r_encpk) { rc = eddsa_encode_x_y (x, y, ctx->nbits, 0, r_encpk, r_encpklen); if (rc) { mpi_free (x); mpi_free (y); return rc; } } mpi_snatch (result->x, x); mpi_snatch (result->y, y); mpi_set_ui (result->z, 1); return 0; } /* Check whether the public key has been prefixed with a 0x40 byte to explicitly indicate compressed format using a SEC1 alike prefix byte. This is a Libgcrypt extension. */ if (buf[0] == 0x40) { rawmpilen--; buf++; } } /* EdDSA compressed point. */ rawmpi = xtrymalloc (rawmpilen); if (!rawmpi) return gpg_err_code_from_syserror (); memcpy (rawmpi, buf, rawmpilen); reverse_buffer (rawmpi, rawmpilen); } else { /* Note: Without using an opaque MPI it is not reliable possible to find out whether the public key has been given in uncompressed format. Thus we expect native EdDSA format. */ rawmpi = _gcry_mpi_get_buffer (pk, (ctx->nbits+7)/8, &rawmpilen, NULL); if (!rawmpi) return gpg_err_code_from_syserror (); } if (rawmpilen) { sign = !!(rawmpi[0] & 0x80); rawmpi[0] &= 0x7f; } else sign = 0; _gcry_mpi_set_buffer (result->y, rawmpi, rawmpilen, 0); if (r_encpk) { /* Revert to little endian. */ if (sign && rawmpilen) rawmpi[0] |= 0x80; reverse_buffer (rawmpi, rawmpilen); *r_encpk = rawmpi; if (r_encpklen) *r_encpklen = rawmpilen; } else xfree (rawmpi); rc = _gcry_ecc_eddsa_recover_x (result->x, result->y, sign, ctx); mpi_set_ui (result->z, 1); return rc; } /* Compute the A value as used by EdDSA. The caller needs to provide the context EC and the actual secret D as an MPI. The function returns a newly allocated 64 byte buffer at r_digest; the first 32 bytes represent the A value. NULL is returned on error and NULL stored at R_DIGEST. */ gpg_err_code_t _gcry_ecc_eddsa_compute_h_d (unsigned char **r_digest, mpi_ec_t ec) { gpg_err_code_t rc; unsigned char *rawmpi = NULL; unsigned int rawmpilen; unsigned char *digest; - int hashalgo, b; + int hashalgo, b, digestlen; + gcry_buffer_t hvec[2]; *r_digest = NULL; b = (ec->nbits+7)/8; /* * Choice of hashalgo is curve specific. * For now, it's determine by the bit size of the field. */ if (ec->nbits == 255) - hashalgo = GCRY_MD_SHA512; + { + hashalgo = GCRY_MD_SHA512; + digestlen = 64; + } else if (ec->nbits == 448) { b++; hashalgo = GCRY_MD_SHAKE256; + digestlen = 2 * b; } else return GPG_ERR_NOT_IMPLEMENTED; /* Note that we clear DIGEST so we can use it as input to left pad the key with zeroes for hashing. */ digest = xtrycalloc_secure (2, b); if (!digest) return gpg_err_code_from_syserror (); rawmpi = _gcry_mpi_get_buffer (ec->d, 0, &rawmpilen, NULL); if (!rawmpi) { xfree (digest); return gpg_err_code_from_syserror (); } - if (hashalgo == GCRY_MD_SHAKE256) - { - gcry_error_t err; - gcry_md_hd_t hd; + memset (hvec, 0, sizeof hvec); - err = _gcry_md_open (&hd, hashalgo, 0); - if (err) - rc = gcry_err_code (err); - else - { - _gcry_md_write (hd, rawmpi, rawmpilen); - _gcry_md_ctl (hd, GCRYCTL_FINALIZE, NULL, 0); - _gcry_md_extract (hd, GCRY_MD_SHAKE256, digest, 2*b); - _gcry_md_close (hd); - rc = 0; - } - } - else - { - gcry_buffer_t hvec[2]; - - memset (hvec, 0, sizeof hvec); - - hvec[0].data = digest; - hvec[0].len = b > rawmpilen? b - rawmpilen : 0; - hvec[1].data = rawmpi; - hvec[1].len = rawmpilen; - rc = _gcry_md_hash_buffers (hashalgo, 0, digest, hvec, 2); - } + hvec[0].data = digest; + hvec[0].len = (hashalgo == GCRY_MD_SHA512 && b > rawmpilen) + ? b - rawmpilen : 0; + hvec[1].data = rawmpi; + hvec[1].len = rawmpilen; + rc = _gcry_md_hash_buffers_extract (hashalgo, 0, digest, digestlen, hvec, 2); xfree (rawmpi); if (rc) { xfree (digest); return rc; } /* Compute the A value. */ reverse_buffer (digest, b); /* Only the first half of the hash. */ /* Field specific handling of clearing/setting bits. */ if (ec->nbits == 255) { digest[0] = (digest[0] & 0x7f) | 0x40; digest[31] &= 0xf8; } else { digest[0] = 0; digest[1] |= 0x80; digest[56] &= 0xfc; } *r_digest = digest; return 0; } /** * _gcry_ecc_eddsa_genkey - EdDSA version of the key generation. * * @ec: Elliptic curve computation context. * @flags: Flags controlling aspects of the creation. * * Return: An error code. * * The only @flags bit used by this function is %PUBKEY_FLAG_TRANSIENT * to use a faster RNG. */ gpg_err_code_t _gcry_ecc_eddsa_genkey (mpi_ec_t ec, int flags) { gpg_err_code_t rc; int b; gcry_mpi_t a, x, y; mpi_point_struct Q; gcry_random_level_t random_level; char *dbuf; size_t dlen; unsigned char *hash_d = NULL; point_init (&Q); if ((flags & PUBKEY_FLAG_TRANSIENT_KEY)) random_level = GCRY_STRONG_RANDOM; else random_level = GCRY_VERY_STRONG_RANDOM; b = (ec->nbits+7)/8; if (ec->nbits == 255) ; else if (ec->nbits == 448) b++; else return GPG_ERR_NOT_IMPLEMENTED; dlen = b; a = mpi_snew (0); x = mpi_new (0); y = mpi_new (0); /* Generate a secret. */ dbuf = _gcry_random_bytes_secure (dlen, random_level); ec->d = _gcry_mpi_set_opaque (NULL, dbuf, dlen*8); rc = _gcry_ecc_eddsa_compute_h_d (&hash_d, ec); if (rc) { point_free (&Q); goto leave; } _gcry_mpi_set_buffer (a, hash_d, b, 0); xfree (hash_d); /* log_printmpi ("ecgen a", a); */ /* Compute Q. */ _gcry_mpi_ec_mul_point (&Q, a, ec->G, ec); if (DBG_CIPHER) log_printpnt ("ecgen pk", &Q, ec); ec->Q = mpi_point_snatch_set (NULL, Q.x, Q.y, Q.z); Q.x = NULL; Q.y = NULL; Q.x = NULL; leave: _gcry_mpi_release (a); _gcry_mpi_release (x); _gcry_mpi_release (y); return rc; } /* Compute an EdDSA signature. See: * [ed25519] 23pp. (PDF) Daniel J. Bernstein, Niels Duif, Tanja * Lange, Peter Schwabe, Bo-Yin Yang. High-speed high-security * signatures. Journal of Cryptographic Engineering 2 (2012), 77-89. * Document ID: a1a62a2f76d23f65d622484ddd09caf8. * URL: http://cr.yp.to/papers.html#ed25519. Date: 2011.09.26. * * Despite that this function requires the specification of a hash * algorithm, we only support what has been specified by the paper. * This may change in the future. * * Return the signature struct (r,s) from the message hash. The caller * must have allocated R_R and S. */ /* String to be used with Ed448 */ #define DOM25519 "SigEd25519 no Ed25519 collisions" #define DOM25519_LEN 32 #define DOM448 "SigEd448" #define DOM448_LEN 8 gpg_err_code_t _gcry_ecc_eddsa_sign (gcry_mpi_t input, mpi_ec_t ec, gcry_mpi_t r_r, gcry_mpi_t s, struct pk_encoding_ctx *ctx) { int rc; unsigned int tmp; unsigned char *digest = NULL; const void *mbuf; size_t mlen; unsigned char *rawmpi = NULL; unsigned int rawmpilen; unsigned char *encpk = NULL; /* Encoded public key. */ unsigned int encpklen; mpi_point_struct I; /* Intermediate value. */ gcry_mpi_t a, x, y, r; - int b; + const char *dom; + int domlen, digestlen; + int b, i; unsigned char x_olen[2]; unsigned char prehashed_msg[64]; + gcry_buffer_t hvec[6]; + gcry_buffer_t hvec2[1]; b = (ec->nbits+7)/8; if (ec->nbits == 255) - ; + { + dom = DOM25519; + domlen = DOM25519_LEN; + digestlen = 64; + } else if (ec->nbits == 448) - b++; + { + b++; + dom = DOM448; + domlen = DOM448_LEN; + digestlen = 2 * b; + } else return GPG_ERR_NOT_IMPLEMENTED; if (!mpi_is_opaque (input)) return GPG_ERR_INV_DATA; /* Initialize some helpers. */ point_init (&I); a = mpi_snew (0); x = mpi_new (0); y = mpi_new (0); r = mpi_snew (0); rc = _gcry_ecc_eddsa_compute_h_d (&digest, ec); if (rc) goto leave; _gcry_mpi_set_buffer (a, digest, b, 0); /* Compute the public key if it's not available (only secret part). */ if (ec->Q == NULL) { mpi_point_struct Q; point_init (&Q); _gcry_mpi_ec_mul_point (&Q, a, ec->G, ec); ec->Q = mpi_point_snatch_set (NULL, Q.x, Q.y, Q.z); } rc = _gcry_ecc_eddsa_encodepoint (ec->Q, ec, x, y, 0, &encpk, &encpklen); if (rc) goto leave; if (DBG_CIPHER) log_printhex (" e_pk", encpk, encpklen); /* Compute R. */ mbuf = mpi_get_opaque (input, &tmp); mlen = (tmp +7)/8; if (DBG_CIPHER) log_printhex (" m", mbuf, mlen); - if (ctx->hash_algo == GCRY_MD_SHAKE256) + memset (hvec, 0, sizeof hvec); + i = 0; + + if ((ctx->flags & PUBKEY_FLAG_PREHASH) || ctx->labellen || ec->nbits == 448) { - gcry_error_t err; - gcry_md_hd_t hd; + hvec[i].data = (void *)dom; + hvec[i].len = domlen; + i++; + x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); + x_olen[1] = ctx->labellen; + hvec[i].data = x_olen; + hvec[i].len = 2; + i++; + if (ctx->labellen) + { + hvec[i].data = ctx->label; + hvec[i].len = ctx->labellen; + i++; + } + } - err = _gcry_md_open (&hd, ctx->hash_algo, 0); - if (err) - rc = gcry_err_code (err); - else - { - _gcry_md_write (hd, DOM448, DOM448_LEN); - x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); - x_olen[1] = ctx->labellen; - _gcry_md_write (hd, x_olen, 2); - if (ctx->labellen) - _gcry_md_write (hd, ctx->label, ctx->labellen); - _gcry_md_write (hd, digest+b, b); - if ((ctx->flags & PUBKEY_FLAG_PREHASH)) - { - gcry_md_hd_t hd2; + hvec[i].data = digest; + hvec[i].off = b; + hvec[i].len = b; + i++; + if ((ctx->flags & PUBKEY_FLAG_PREHASH)) + { + memset (hvec2, 0, sizeof hvec2); - err = _gcry_md_open (&hd2, ctx->hash_algo, 0); - if (err) - { - rc = gcry_err_code (err); - _gcry_md_close (hd); - goto leave; - } - _gcry_md_write (hd2, mbuf, mlen); - _gcry_md_ctl (hd2, GCRYCTL_FINALIZE, NULL, 0); - _gcry_md_extract (hd2, GCRY_MD_SHAKE256, prehashed_msg, 64); - _gcry_md_close (hd2); - _gcry_md_write (hd, prehashed_msg, 64); - } - else - _gcry_md_write (hd, mbuf, mlen); - _gcry_md_ctl (hd, GCRYCTL_FINALIZE, NULL, 0); - _gcry_md_extract (hd, GCRY_MD_SHAKE256, digest, 2*b); - _gcry_md_close (hd); - rc = 0; - } + hvec2[0].data = (char*)mbuf; + hvec2[0].len = mlen; + + _gcry_md_hash_buffers_extract (ctx->hash_algo, 0, prehashed_msg, 64, + hvec2, 1); + hvec[i].data = (char*)prehashed_msg; + hvec[i].len = 64; } else { - gcry_buffer_t hvec[6]; - int i = 0; - - memset (hvec, 0, sizeof hvec); - - if ((ctx->flags & PUBKEY_FLAG_PREHASH) || ctx->labellen) - { - hvec[i].data = (void *)DOM25519; - hvec[i].len = DOM25519_LEN; - i++; - x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); - x_olen[1] = ctx->labellen; - hvec[i].data = x_olen; - hvec[i].len = 2; - i++; - if (ctx->labellen) - { - hvec[i].data = ctx->label; - hvec[i].len = ctx->labellen; - i++; - } - } - - hvec[i].data = digest; - hvec[i].off = b; - hvec[i].len = b; - i++; - if ((ctx->flags & PUBKEY_FLAG_PREHASH)) - { - _gcry_md_hash_buffer (ctx->hash_algo, prehashed_msg, mbuf, mlen); - hvec[i].data = (char*)prehashed_msg; - hvec[i].len = 64; - } - else - { - hvec[i].data = (char*)mbuf; - hvec[i].len = mlen; - } - i++; - rc = _gcry_md_hash_buffers (ctx->hash_algo, 0, digest, hvec, i); + hvec[i].data = (char*)mbuf; + hvec[i].len = mlen; } + i++; + rc = _gcry_md_hash_buffers_extract (ctx->hash_algo, 0, digest, digestlen, + hvec, i); if (rc) goto leave; - reverse_buffer (digest, 2*b); + reverse_buffer (digest, digestlen); if (DBG_CIPHER) - log_printhex (" r", digest, 2*b); - _gcry_mpi_set_buffer (r, digest, 2*b, 0); + log_printhex (" r", digest, digestlen); + _gcry_mpi_set_buffer (r, digest, digestlen, 0); mpi_mod (r, r, ec->n); _gcry_mpi_ec_mul_point (&I, r, ec->G, ec); if (DBG_CIPHER) log_printpnt (" r", &I, ec); /* Convert R into affine coordinates and apply encoding. */ rc = _gcry_ecc_eddsa_encodepoint (&I, ec, x, y, 0, &rawmpi, &rawmpilen); if (rc) goto leave; if (DBG_CIPHER) log_printhex (" e_r", rawmpi, rawmpilen); - if (ctx->hash_algo == GCRY_MD_SHAKE256) + memset (hvec, 0, sizeof hvec); + i = 0; + + if ((ctx->flags & PUBKEY_FLAG_PREHASH) || ctx->labellen || ec->nbits == 448) { - gcry_error_t err; - gcry_md_hd_t hd; + hvec[i].data = (void *)dom; + hvec[i].len = domlen; + i++; + x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); + x_olen[1] = ctx->labellen; + hvec[i].data = x_olen; + hvec[i].len = 2; + i++; + if (ctx->labellen) + { + hvec[i].data = ctx->label; + hvec[i].len = ctx->labellen; + i++; + } + } - err = _gcry_md_open (&hd, ctx->hash_algo, 0); - if (err) - rc = gcry_err_code (err); - else - { - _gcry_md_write (hd, DOM448, DOM448_LEN); - x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); - x_olen[1] = ctx->labellen; - _gcry_md_write (hd, x_olen, 2); - if (ctx->labellen) - _gcry_md_write (hd, ctx->label, ctx->labellen); - _gcry_md_write (hd, rawmpi, rawmpilen); - _gcry_md_write (hd, encpk, encpklen); - if ((ctx->flags & PUBKEY_FLAG_PREHASH)) - _gcry_md_write (hd, prehashed_msg, 64); - else - _gcry_md_write (hd, mbuf, mlen); - _gcry_md_ctl (hd, GCRYCTL_FINALIZE, NULL, 0); - _gcry_md_extract (hd, GCRY_MD_SHAKE256, digest, 2*b); - _gcry_md_close (hd); - rc = 0; - } + /* S = r + a * H(dom2(F,C)+encodepoint(R)+encodepoint(pk)+m) mod n */ + hvec[i].data = rawmpi; /* (this is R) */ + hvec[i].len = rawmpilen; + i++; + hvec[i].data = encpk; + hvec[i].len = encpklen; + i++; + if ((ctx->flags & PUBKEY_FLAG_PREHASH)) + { + hvec[i].data = (char*)prehashed_msg; + hvec[i].len = 64; } else { - gcry_buffer_t hvec[6]; - int i = 0; - - memset (hvec, 0, sizeof hvec); - - if ((ctx->flags & PUBKEY_FLAG_PREHASH) || ctx->labellen) - { - hvec[i].data = (void *)DOM25519; - hvec[i].len = DOM25519_LEN; - i++; - x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); - x_olen[1] = ctx->labellen; - hvec[i].data = x_olen; - hvec[i].len = 2; - i++; - if (ctx->labellen) - { - hvec[i].data = ctx->label; - hvec[i].len = ctx->labellen; - i++; - } - } - - /* S = r + a * H(dom2(F,C)+encodepoint(R)+encodepoint(pk)+m) mod n */ - hvec[i].data = rawmpi; /* (this is R) */ - hvec[i].len = rawmpilen; - i++; - hvec[i].data = encpk; - hvec[i].len = encpklen; - i++; - if ((ctx->flags & PUBKEY_FLAG_PREHASH)) - { - hvec[i].data = (char*)prehashed_msg; - hvec[i].len = 64; - } - else - { - hvec[i].data = (char*)mbuf; - hvec[i].len = mlen; - } - i++; - rc = _gcry_md_hash_buffers (ctx->hash_algo, 0, digest, hvec, i); + hvec[i].data = (char*)mbuf; + hvec[i].len = mlen; } + i++; + rc = _gcry_md_hash_buffers_extract (ctx->hash_algo, 0, digest, digestlen, + hvec, i); if (rc) goto leave; /* No more need for RAWMPI thus we now transfer it to R_R. */ mpi_set_opaque (r_r, rawmpi, rawmpilen*8); rawmpi = NULL; - reverse_buffer (digest, 2*b); + reverse_buffer (digest, digestlen); if (DBG_CIPHER) - log_printhex (" H(R+)", digest, 2*b); - _gcry_mpi_set_buffer (s, digest, 2*b, 0); + log_printhex (" H(R+)", digest, digestlen); + _gcry_mpi_set_buffer (s, digest, digestlen, 0); mpi_mulm (s, s, a, ec->n); mpi_addm (s, s, r, ec->n); rc = eddsa_encodempi (s, ec->nbits, &rawmpi, &rawmpilen); if (rc) goto leave; if (DBG_CIPHER) log_printhex (" e_s", rawmpi, rawmpilen); mpi_set_opaque (s, rawmpi, rawmpilen*8); rawmpi = NULL; rc = 0; leave: _gcry_mpi_release (a); _gcry_mpi_release (x); _gcry_mpi_release (y); _gcry_mpi_release (r); xfree (digest); point_free (&I); xfree (encpk); xfree (rawmpi); return rc; } /* Verify an EdDSA signature. See sign_eddsa for the reference. * Check if R_IN and S_IN verifies INPUT. */ gpg_err_code_t _gcry_ecc_eddsa_verify (gcry_mpi_t input, mpi_ec_t ec, gcry_mpi_t r_in, gcry_mpi_t s_in, struct pk_encoding_ctx *ctx) { int rc; int b; unsigned int tmp; unsigned char *encpk = NULL; /* Encoded public key. */ unsigned int encpklen; const void *mbuf, *rbuf; unsigned char *tbuf = NULL; size_t mlen, rlen; unsigned int tlen; unsigned char digest[114]; gcry_mpi_t h, s; mpi_point_struct Ia, Ib; + const char *dom; + int domlen, digestlen; + int i; unsigned char x_olen[2]; unsigned char prehashed_msg[64]; + gcry_buffer_t hvec[6]; + gcry_buffer_t hvec2[1]; if (!mpi_is_opaque (input) || !mpi_is_opaque (r_in) || !mpi_is_opaque (s_in)) return GPG_ERR_INV_DATA; b = (ec->nbits+7)/8; if (ec->nbits == 255) - ; + { + dom = DOM25519; + domlen = DOM25519_LEN; + digestlen = 64; + } else if (ec->nbits == 448) - b++; + { + b++; + dom = DOM448; + domlen = DOM448_LEN; + digestlen = 2 * b; + } else return GPG_ERR_NOT_IMPLEMENTED; point_init (&Ia); point_init (&Ib); h = mpi_new (0); s = mpi_new (0); /* Encode and check the public key. */ rc = _gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, 0, &encpk, &encpklen); if (rc) goto leave; if (!_gcry_mpi_ec_curve_point (ec->Q, ec)) { rc = GPG_ERR_BROKEN_PUBKEY; goto leave; } if (DBG_CIPHER) log_printhex (" e_pk", encpk, encpklen); if (encpklen != b) { rc = GPG_ERR_INV_LENGTH; goto leave; } /* Convert the other input parameters. */ mbuf = mpi_get_opaque (input, &tmp); mlen = (tmp +7)/8; if (DBG_CIPHER) log_printhex (" m", mbuf, mlen); rbuf = mpi_get_opaque (r_in, &tmp); rlen = (tmp +7)/8; if (DBG_CIPHER) log_printhex (" r", rbuf, rlen); if (rlen != b) { rc = GPG_ERR_INV_LENGTH; goto leave; } - if (ctx->hash_algo == GCRY_MD_SHAKE256) + memset (hvec, 0, sizeof hvec); + i = 0; + + /* h = H(dom2(F,C)+encodepoint(R)+encodepoint(pk)+m) */ + if ((ctx->flags & PUBKEY_FLAG_PREHASH) || ctx->labellen || ec->nbits == 448) { - gcry_error_t err; - gcry_md_hd_t hd; + hvec[i].data = (void *)dom; + hvec[i].len = domlen; + i++; + x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); + x_olen[1] = ctx->labellen; + hvec[i].data = x_olen; + hvec[i].len = 2; + i++; + if (ctx->labellen) + { + hvec[i].data = ctx->label; + hvec[i].len = ctx->labellen; + i++; + } + } - err = _gcry_md_open (&hd, ctx->hash_algo, 0); - if (err) - rc = gcry_err_code (err); - else - { - _gcry_md_write (hd, DOM448, DOM448_LEN); - x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); - x_olen[1] = ctx->labellen; - _gcry_md_write (hd, x_olen, 2); - if (ctx->labellen) - _gcry_md_write (hd, ctx->label, ctx->labellen); - _gcry_md_write (hd, rbuf, rlen); - _gcry_md_write (hd, encpk, encpklen); - if ((ctx->flags & PUBKEY_FLAG_PREHASH)) - { - gcry_md_hd_t hd2; + hvec[i].data = (char*)rbuf; + hvec[i].len = rlen; + i++; + hvec[i].data = encpk; + hvec[i].len = encpklen; + i++; + if ((ctx->flags & PUBKEY_FLAG_PREHASH)) + { + memset (hvec2, 0, sizeof hvec2); - err = _gcry_md_open (&hd2, ctx->hash_algo, 0); - if (err) - { - rc = gcry_err_code (err); - _gcry_md_close (hd); - goto leave; - } - _gcry_md_write (hd2, mbuf, mlen); - _gcry_md_ctl (hd2, GCRYCTL_FINALIZE, NULL, 0); - _gcry_md_extract (hd2, GCRY_MD_SHAKE256, prehashed_msg, 64); - _gcry_md_close (hd2); - _gcry_md_write (hd, prehashed_msg, 64); - } - else - _gcry_md_write (hd, mbuf, mlen); - _gcry_md_ctl (hd, GCRYCTL_FINALIZE, NULL, 0); - _gcry_md_extract (hd, GCRY_MD_SHAKE256, digest, 2*b); - _gcry_md_close (hd); - rc = 0; - } + hvec2[0].data = (char*)mbuf; + hvec2[0].len = mlen; + + _gcry_md_hash_buffers_extract (ctx->hash_algo, 0, prehashed_msg, 64, + hvec2, 1); + hvec[i].data = (char*)prehashed_msg; + hvec[i].len = 64; } else { - gcry_buffer_t hvec[6]; - int i = 0; - - memset (hvec, 0, sizeof hvec); - - /* h = H(dom2(F,C)+encodepoint(R)+encodepoint(pk)+m) */ - if ((ctx->flags & PUBKEY_FLAG_PREHASH) || ctx->labellen) - { - hvec[i].data = (void *)DOM25519; - hvec[i].len = DOM25519_LEN; - i++; - x_olen[0] = !!(ctx->flags & PUBKEY_FLAG_PREHASH); - x_olen[1] = ctx->labellen; - hvec[i].data = x_olen; - hvec[i].len = 2; - i++; - if (ctx->labellen) - { - hvec[i].data = ctx->label; - hvec[i].len = ctx->labellen; - i++; - } - } - - hvec[i].data = (char*)rbuf; - hvec[i].len = rlen; - i++; - hvec[i].data = encpk; - hvec[i].len = encpklen; - i++; - if ((ctx->flags & PUBKEY_FLAG_PREHASH)) - { - _gcry_md_hash_buffer (ctx->hash_algo, prehashed_msg, mbuf, mlen); - hvec[i].data = (char*)prehashed_msg; - hvec[i].len = 64; - } - else - { - hvec[i].data = (char*)mbuf; - hvec[i].len = mlen; - } - i++; - rc = _gcry_md_hash_buffers (ctx->hash_algo, 0, digest, hvec, i); + hvec[i].data = (char*)mbuf; + hvec[i].len = mlen; } + i++; + rc = _gcry_md_hash_buffers_extract (ctx->hash_algo, 0, digest, digestlen, + hvec, i); if (rc) goto leave; - reverse_buffer (digest, 2*b); + reverse_buffer (digest, digestlen); if (DBG_CIPHER) - log_printhex (" H(R+)", digest, 2*b); - _gcry_mpi_set_buffer (h, digest, 2*b, 0); + log_printhex (" H(R+)", digest, digestlen); + _gcry_mpi_set_buffer (h, digest, digestlen, 0); /* According to the paper the best way for verification is: encodepoint(sG - h·Q) = encodepoint(r) because we don't need to decode R. */ { void *sbuf; unsigned int slen; sbuf = _gcry_mpi_get_opaque_copy (s_in, &tmp); slen = (tmp +7)/8; reverse_buffer (sbuf, slen); if (DBG_CIPHER) log_printhex (" s", sbuf, slen); _gcry_mpi_set_buffer (s, sbuf, slen, 0); xfree (sbuf); if (slen != b) { rc = GPG_ERR_INV_LENGTH; goto leave; } } _gcry_mpi_ec_mul_point (&Ia, s, ec->G, ec); _gcry_mpi_ec_mul_point (&Ib, h, ec->Q, ec); _gcry_mpi_sub (Ib.x, ec->p, Ib.x); _gcry_mpi_ec_add_points (&Ia, &Ia, &Ib, ec); rc = _gcry_ecc_eddsa_encodepoint (&Ia, ec, s, h, 0, &tbuf, &tlen); if (rc) goto leave; if (tlen != rlen || memcmp (tbuf, rbuf, tlen)) { rc = GPG_ERR_BAD_SIGNATURE; goto leave; } rc = 0; leave: xfree (encpk); xfree (tbuf); _gcry_mpi_release (s); _gcry_mpi_release (h); point_free (&Ia); point_free (&Ib); return rc; } diff --git a/cipher/md.c b/cipher/md.c index efb7376a..87979059 100644 --- a/cipher/md.c +++ b/cipher/md.c @@ -1,1639 +1,1666 @@ /* md.c - message digest dispatcher * Copyright (C) 1998, 1999, 2002, 2003, 2006, * 2008 Free Software Foundation, Inc. * Copyright (C) 2013, 2014 g10 Code GmbH * * This file is part of Libgcrypt. * * Libgcrypt is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser general Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * Libgcrypt is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this program; if not, see . */ #include #include #include #include #include #include "g10lib.h" #include "cipher.h" /* This is the list of the digest implementations included in libgcrypt. */ static gcry_md_spec_t * const digest_list[] = { #if USE_CRC &_gcry_digest_spec_crc32, &_gcry_digest_spec_crc32_rfc1510, &_gcry_digest_spec_crc24_rfc2440, #endif #if USE_SHA1 &_gcry_digest_spec_sha1, #endif #if USE_SHA256 &_gcry_digest_spec_sha256, &_gcry_digest_spec_sha224, #endif #if USE_SHA512 &_gcry_digest_spec_sha512, &_gcry_digest_spec_sha384, &_gcry_digest_spec_sha512_256, &_gcry_digest_spec_sha512_224, #endif #if USE_SHA3 &_gcry_digest_spec_sha3_224, &_gcry_digest_spec_sha3_256, &_gcry_digest_spec_sha3_384, &_gcry_digest_spec_sha3_512, &_gcry_digest_spec_shake128, &_gcry_digest_spec_shake256, #endif #if USE_GOST_R_3411_94 &_gcry_digest_spec_gost3411_94, &_gcry_digest_spec_gost3411_cp, #endif #if USE_GOST_R_3411_12 &_gcry_digest_spec_stribog_256, &_gcry_digest_spec_stribog_512, #endif #if USE_WHIRLPOOL &_gcry_digest_spec_whirlpool, #endif #if USE_RMD160 &_gcry_digest_spec_rmd160, #endif #if USE_TIGER &_gcry_digest_spec_tiger, &_gcry_digest_spec_tiger1, &_gcry_digest_spec_tiger2, #endif #if USE_MD5 &_gcry_digest_spec_md5, #endif #if USE_MD4 &_gcry_digest_spec_md4, #endif #if USE_MD2 &_gcry_digest_spec_md2, #endif #if USE_BLAKE2 &_gcry_digest_spec_blake2b_512, &_gcry_digest_spec_blake2b_384, &_gcry_digest_spec_blake2b_256, &_gcry_digest_spec_blake2b_160, &_gcry_digest_spec_blake2s_256, &_gcry_digest_spec_blake2s_224, &_gcry_digest_spec_blake2s_160, &_gcry_digest_spec_blake2s_128, #endif #if USE_SM3 &_gcry_digest_spec_sm3, #endif NULL }; /* Digest implementations starting with index 0 (enum gcry_md_algos) */ static gcry_md_spec_t * const digest_list_algo0[] = { NULL, /* GCRY_MD_NONE */ #if USE_MD5 &_gcry_digest_spec_md5, #else NULL, #endif #if USE_SHA1 &_gcry_digest_spec_sha1, #else NULL, #endif #if USE_RMD160 &_gcry_digest_spec_rmd160, #else NULL, #endif NULL, /* Unused index 4 */ #if USE_MD2 &_gcry_digest_spec_md2, #else NULL, #endif #if USE_TIGER &_gcry_digest_spec_tiger, #else NULL, #endif NULL, /* GCRY_MD_HAVAL */ #if USE_SHA256 &_gcry_digest_spec_sha256, #else NULL, #endif #if USE_SHA512 &_gcry_digest_spec_sha384, &_gcry_digest_spec_sha512, #else NULL, NULL, #endif #if USE_SHA256 &_gcry_digest_spec_sha224 #else NULL #endif }; /* Digest implementations starting with index 301 (enum gcry_md_algos) */ static gcry_md_spec_t * const digest_list_algo301[] = { #if USE_MD4 &_gcry_digest_spec_md4, #else NULL, #endif #if USE_CRC &_gcry_digest_spec_crc32, &_gcry_digest_spec_crc32_rfc1510, &_gcry_digest_spec_crc24_rfc2440, #else NULL, NULL, NULL, #endif #if USE_WHIRLPOOL &_gcry_digest_spec_whirlpool, #else NULL, #endif #if USE_TIGER &_gcry_digest_spec_tiger1, &_gcry_digest_spec_tiger2, #else NULL, NULL, #endif #if USE_GOST_R_3411_94 &_gcry_digest_spec_gost3411_94, #else NULL, #endif #if USE_GOST_R_3411_12 &_gcry_digest_spec_stribog_256, &_gcry_digest_spec_stribog_512, #else NULL, NULL, #endif #if USE_GOST_R_3411_94 &_gcry_digest_spec_gost3411_cp, #else NULL, #endif #if USE_SHA3 &_gcry_digest_spec_sha3_224, &_gcry_digest_spec_sha3_256, &_gcry_digest_spec_sha3_384, &_gcry_digest_spec_sha3_512, &_gcry_digest_spec_shake128, &_gcry_digest_spec_shake256, #else NULL, NULL, NULL, NULL, NULL, NULL, #endif #if USE_BLAKE2 &_gcry_digest_spec_blake2b_512, &_gcry_digest_spec_blake2b_384, &_gcry_digest_spec_blake2b_256, &_gcry_digest_spec_blake2b_160, &_gcry_digest_spec_blake2s_256, &_gcry_digest_spec_blake2s_224, &_gcry_digest_spec_blake2s_160, &_gcry_digest_spec_blake2s_128, #else NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, #endif #if USE_SM3 &_gcry_digest_spec_sm3, #else NULL, #endif #if USE_SHA512 &_gcry_digest_spec_sha512_256, &_gcry_digest_spec_sha512_224, #else NULL, NULL, #endif }; typedef struct gcry_md_list { gcry_md_spec_t *spec; struct gcry_md_list *next; size_t actual_struct_size; /* Allocated size of this structure. */ PROPERLY_ALIGNED_TYPE context[1]; } GcryDigestEntry; /* This structure is put right after the gcry_md_hd_t buffer, so that * only one memory block is needed. */ struct gcry_md_context { int magic; size_t actual_handle_size; /* Allocated size of this handle. */ FILE *debug; struct { unsigned int secure:1; unsigned int finalized:1; unsigned int bugemu1:1; unsigned int hmac:1; } flags; GcryDigestEntry *list; }; #define CTX_MAGIC_NORMAL 0x11071961 #define CTX_MAGIC_SECURE 0x16917011 static gcry_err_code_t md_enable (gcry_md_hd_t hd, int algo); static void md_close (gcry_md_hd_t a); static void md_write (gcry_md_hd_t a, const void *inbuf, size_t inlen); static byte *md_read( gcry_md_hd_t a, int algo ); static int md_get_algo( gcry_md_hd_t a ); static int md_digest_length( int algo ); static void md_start_debug ( gcry_md_hd_t a, const char *suffix ); static void md_stop_debug ( gcry_md_hd_t a ); static int map_algo (int algo) { return algo; } /* Return the spec structure for the hash algorithm ALGO. For an unknown algorithm NULL is returned. */ static gcry_md_spec_t * spec_from_algo (int algo) { gcry_md_spec_t *spec = NULL; algo = map_algo (algo); if (algo >= 0 && algo < DIM(digest_list_algo0)) spec = digest_list_algo0[algo]; else if (algo >= 301 && algo < 301 + DIM(digest_list_algo301)) spec = digest_list_algo301[algo - 301]; if (spec) gcry_assert (spec->algo == algo); return spec; } /* Lookup a hash's spec by its name. */ static gcry_md_spec_t * spec_from_name (const char *name) { gcry_md_spec_t *spec; int idx; for (idx=0; (spec = digest_list[idx]); idx++) { if (!stricmp (name, spec->name)) return spec; } return NULL; } /* Lookup a hash's spec by its OID. */ static gcry_md_spec_t * spec_from_oid (const char *oid) { gcry_md_spec_t *spec; gcry_md_oid_spec_t *oid_specs; int idx, j; for (idx=0; (spec = digest_list[idx]); idx++) { oid_specs = spec->oids; if (oid_specs) { for (j = 0; oid_specs[j].oidstring; j++) if (!stricmp (oid, oid_specs[j].oidstring)) return spec; } } return NULL; } static gcry_md_spec_t * search_oid (const char *oid, gcry_md_oid_spec_t *oid_spec) { gcry_md_spec_t *spec; int i; if (!oid) return NULL; if (!strncmp (oid, "oid.", 4) || !strncmp (oid, "OID.", 4)) oid += 4; spec = spec_from_oid (oid); if (spec && spec->oids) { for (i = 0; spec->oids[i].oidstring; i++) if (!stricmp (oid, spec->oids[i].oidstring)) { if (oid_spec) *oid_spec = spec->oids[i]; return spec; } } return NULL; } /**************** * Map a string to the digest algo */ int _gcry_md_map_name (const char *string) { gcry_md_spec_t *spec; if (!string) return 0; /* If the string starts with a digit (optionally prefixed with either "OID." or "oid."), we first look into our table of ASN.1 object identifiers to figure out the algorithm */ spec = search_oid (string, NULL); if (spec) return spec->algo; /* Not found, search a matching digest name. */ spec = spec_from_name (string); if (spec) return spec->algo; return 0; } /**************** * This function simply returns the name of the algorithm or some constant * string when there is no algo. It will never return NULL. * Use the macro gcry_md_test_algo() to check whether the algorithm * is valid. */ const char * _gcry_md_algo_name (int algorithm) { gcry_md_spec_t *spec; spec = spec_from_algo (algorithm); return spec ? spec->name : "?"; } static gcry_err_code_t check_digest_algo (int algorithm) { gcry_md_spec_t *spec; spec = spec_from_algo (algorithm); if (spec && !spec->flags.disabled) return 0; return GPG_ERR_DIGEST_ALGO; } /**************** * Open a message digest handle for use with algorithm ALGO. * More algorithms may be added by md_enable(). The initial algorithm * may be 0. */ static gcry_err_code_t md_open (gcry_md_hd_t *h, int algo, unsigned int flags) { gcry_err_code_t err = 0; int secure = !!(flags & GCRY_MD_FLAG_SECURE); int hmac = !!(flags & GCRY_MD_FLAG_HMAC); int bufsize = secure ? 512 : 1024; struct gcry_md_context *ctx; gcry_md_hd_t hd; size_t n; /* Allocate a memory area to hold the caller visible buffer with it's * control information and the data required by this module. Set the * context pointer at the beginning to this area. * We have to use this strange scheme because we want to hide the * internal data but have a variable sized buffer. * * +---+------+---........------+-------------+ * !ctx! bctl ! buffer ! private ! * +---+------+---........------+-------------+ * ! ^ * !---------------------------! * * We have to make sure that private is well aligned. */ n = sizeof (struct gcry_md_handle) + bufsize; n = ((n + sizeof (PROPERLY_ALIGNED_TYPE) - 1) / sizeof (PROPERLY_ALIGNED_TYPE)) * sizeof (PROPERLY_ALIGNED_TYPE); /* Allocate and set the Context pointer to the private data */ if (secure) hd = xtrymalloc_secure (n + sizeof (struct gcry_md_context)); else hd = xtrymalloc (n + sizeof (struct gcry_md_context)); if (! hd) err = gpg_err_code_from_errno (errno); if (! err) { hd->ctx = ctx = (void *) ((char *) hd + n); /* Setup the globally visible data (bctl in the diagram).*/ hd->bufsize = n - sizeof (struct gcry_md_handle) + 1; hd->bufpos = 0; /* Initialize the private data. */ memset (hd->ctx, 0, sizeof *hd->ctx); ctx->magic = secure ? CTX_MAGIC_SECURE : CTX_MAGIC_NORMAL; ctx->actual_handle_size = n + sizeof (struct gcry_md_context); ctx->flags.secure = secure; ctx->flags.hmac = hmac; ctx->flags.bugemu1 = !!(flags & GCRY_MD_FLAG_BUGEMU1); } if (! err) { /* Hmmm, should we really do that? - yes [-wk] */ _gcry_fast_random_poll (); if (algo) { err = md_enable (hd, algo); if (err) md_close (hd); } } if (! err) *h = hd; return err; } /* Create a message digest object for algorithm ALGO. FLAGS may be given as an bitwise OR of the gcry_md_flags values. ALGO may be given as 0 if the algorithms to be used are later set using gcry_md_enable. H is guaranteed to be a valid handle or NULL on error. */ gcry_err_code_t _gcry_md_open (gcry_md_hd_t *h, int algo, unsigned int flags) { gcry_err_code_t rc; gcry_md_hd_t hd; if ((flags & ~(GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC | GCRY_MD_FLAG_BUGEMU1))) rc = GPG_ERR_INV_ARG; else rc = md_open (&hd, algo, flags); *h = rc? NULL : hd; return rc; } static gcry_err_code_t md_enable (gcry_md_hd_t hd, int algorithm) { struct gcry_md_context *h = hd->ctx; gcry_md_spec_t *spec; GcryDigestEntry *entry; gcry_err_code_t err = 0; for (entry = h->list; entry; entry = entry->next) if (entry->spec->algo == algorithm) return 0; /* Already enabled */ spec = spec_from_algo (algorithm); if (!spec) { log_debug ("md_enable: algorithm %d not available\n", algorithm); err = GPG_ERR_DIGEST_ALGO; } if (!err && algorithm == GCRY_MD_MD5 && fips_mode ()) { _gcry_inactivate_fips_mode ("MD5 used"); if (_gcry_enforced_fips_mode () ) { /* We should never get to here because we do not register MD5 in enforced fips mode. But better throw an error. */ err = GPG_ERR_DIGEST_ALGO; } } if (!err && h->flags.hmac && spec->read == NULL) { /* Expandable output function cannot act as part of HMAC. */ err = GPG_ERR_DIGEST_ALGO; } if (!err) { size_t size = (sizeof (*entry) + spec->contextsize * (h->flags.hmac? 3 : 1) - sizeof (entry->context)); /* And allocate a new list entry. */ if (h->flags.secure) entry = xtrymalloc_secure (size); else entry = xtrymalloc (size); if (! entry) err = gpg_err_code_from_errno (errno); else { entry->spec = spec; entry->next = h->list; entry->actual_struct_size = size; h->list = entry; /* And init this instance. */ entry->spec->init (entry->context, h->flags.bugemu1? GCRY_MD_FLAG_BUGEMU1:0); } } return err; } gcry_err_code_t _gcry_md_enable (gcry_md_hd_t hd, int algorithm) { return md_enable (hd, algorithm); } static gcry_err_code_t md_copy (gcry_md_hd_t ahd, gcry_md_hd_t *b_hd) { gcry_err_code_t err = 0; struct gcry_md_context *a = ahd->ctx; struct gcry_md_context *b; GcryDigestEntry *ar, *br; gcry_md_hd_t bhd; size_t n; if (ahd->bufpos) md_write (ahd, NULL, 0); n = (char *) ahd->ctx - (char *) ahd; if (a->flags.secure) bhd = xtrymalloc_secure (n + sizeof (struct gcry_md_context)); else bhd = xtrymalloc (n + sizeof (struct gcry_md_context)); if (!bhd) { err = gpg_err_code_from_syserror (); goto leave; } bhd->ctx = b = (void *) ((char *) bhd + n); /* No need to copy the buffer due to the write above. */ gcry_assert (ahd->bufsize == (n - sizeof (struct gcry_md_handle) + 1)); bhd->bufsize = ahd->bufsize; bhd->bufpos = 0; gcry_assert (! ahd->bufpos); memcpy (b, a, sizeof *a); b->list = NULL; b->debug = NULL; /* Copy the complete list of algorithms. The copied list is reversed, but that doesn't matter. */ for (ar = a->list; ar; ar = ar->next) { if (a->flags.secure) br = xtrymalloc_secure (ar->actual_struct_size); else br = xtrymalloc (ar->actual_struct_size); if (!br) { err = gpg_err_code_from_syserror (); md_close (bhd); goto leave; } memcpy (br, ar, ar->actual_struct_size); br->next = b->list; b->list = br; } if (a->debug) md_start_debug (bhd, "unknown"); *b_hd = bhd; leave: return err; } gcry_err_code_t _gcry_md_copy (gcry_md_hd_t *handle, gcry_md_hd_t hd) { gcry_err_code_t rc; rc = md_copy (hd, handle); if (rc) *handle = NULL; return rc; } /* * Reset all contexts and discard any buffered stuff. This may be used * instead of a md_close(); md_open(). */ void _gcry_md_reset (gcry_md_hd_t a) { GcryDigestEntry *r; /* Note: We allow this even in fips non operational mode. */ a->bufpos = a->ctx->flags.finalized = 0; if (a->ctx->flags.hmac) for (r = a->ctx->list; r; r = r->next) { memcpy (r->context, (char *)r->context + r->spec->contextsize, r->spec->contextsize); } else for (r = a->ctx->list; r; r = r->next) { memset (r->context, 0, r->spec->contextsize); (*r->spec->init) (r->context, a->ctx->flags.bugemu1? GCRY_MD_FLAG_BUGEMU1:0); } } static void md_close (gcry_md_hd_t a) { GcryDigestEntry *r, *r2; if (! a) return; if (a->ctx->debug) md_stop_debug (a); for (r = a->ctx->list; r; r = r2) { r2 = r->next; wipememory (r, r->actual_struct_size); xfree (r); } wipememory (a, a->ctx->actual_handle_size); xfree(a); } void _gcry_md_close (gcry_md_hd_t hd) { /* Note: We allow this even in fips non operational mode. */ md_close (hd); } static void md_write (gcry_md_hd_t a, const void *inbuf, size_t inlen) { GcryDigestEntry *r; if (a->ctx->debug) { if (a->bufpos && fwrite (a->buf, a->bufpos, 1, a->ctx->debug) != 1) BUG(); if (inlen && fwrite (inbuf, inlen, 1, a->ctx->debug) != 1) BUG(); } for (r = a->ctx->list; r; r = r->next) { if (a->bufpos) (*r->spec->write) (r->context, a->buf, a->bufpos); (*r->spec->write) (r->context, inbuf, inlen); } a->bufpos = 0; } /* Note that this function may be used after finalize and read to keep on writing to the transform function so to mitigate timing attacks. */ void _gcry_md_write (gcry_md_hd_t hd, const void *inbuf, size_t inlen) { md_write (hd, inbuf, inlen); } static void md_final (gcry_md_hd_t a) { GcryDigestEntry *r; if (a->ctx->flags.finalized) return; if (a->bufpos) md_write (a, NULL, 0); for (r = a->ctx->list; r; r = r->next) (*r->spec->final) (r->context); a->ctx->flags.finalized = 1; if (!a->ctx->flags.hmac) return; for (r = a->ctx->list; r; r = r->next) { byte *p; size_t dlen = r->spec->mdlen; byte *hash; gcry_err_code_t err; if (r->spec->read == NULL) continue; p = r->spec->read (r->context); if (a->ctx->flags.secure) hash = xtrymalloc_secure (dlen); else hash = xtrymalloc (dlen); if (!hash) { err = gpg_err_code_from_errno (errno); _gcry_fatal_error (err, NULL); } memcpy (hash, p, dlen); memcpy (r->context, (char *)r->context + r->spec->contextsize * 2, r->spec->contextsize); (*r->spec->write) (r->context, hash, dlen); (*r->spec->final) (r->context); xfree (hash); } } static gcry_err_code_t md_setkey (gcry_md_hd_t h, const unsigned char *key, size_t keylen) { gcry_err_code_t rc = 0; GcryDigestEntry *r; int algo_had_setkey = 0; if (!h->ctx->list) return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */ if (h->ctx->flags.hmac) return GPG_ERR_DIGEST_ALGO; /* Tried md_setkey for HMAC md. */ for (r = h->ctx->list; r; r = r->next) { switch (r->spec->algo) { #if USE_BLAKE2 /* TODO? add spec->init_with_key? */ case GCRY_MD_BLAKE2B_512: case GCRY_MD_BLAKE2B_384: case GCRY_MD_BLAKE2B_256: case GCRY_MD_BLAKE2B_160: case GCRY_MD_BLAKE2S_256: case GCRY_MD_BLAKE2S_224: case GCRY_MD_BLAKE2S_160: case GCRY_MD_BLAKE2S_128: algo_had_setkey = 1; memset (r->context, 0, r->spec->contextsize); rc = _gcry_blake2_init_with_key (r->context, h->ctx->flags.bugemu1 ? GCRY_MD_FLAG_BUGEMU1:0, key, keylen, r->spec->algo); break; #endif default: rc = GPG_ERR_DIGEST_ALGO; break; } if (rc) break; } if (rc && !algo_had_setkey) { /* None of algorithms had setkey implementation, so contexts were not * modified. Just return error. */ return rc; } else if (rc && algo_had_setkey) { /* Some of the contexts have been modified, but got error. Reset * all contexts. */ _gcry_md_reset (h); return rc; } /* Successful md_setkey implies reset. */ h->bufpos = h->ctx->flags.finalized = 0; return 0; } static gcry_err_code_t prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) { GcryDigestEntry *r; if (!a->ctx->list) return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled. */ if (!a->ctx->flags.hmac) return GPG_ERR_DIGEST_ALGO; /* Tried prepare_macpads for non-HMAC md. */ for (r = a->ctx->list; r; r = r->next) { const unsigned char *k; size_t k_len; unsigned char *key_allocated = NULL; int macpad_Bsize; int i; switch (r->spec->algo) { /* TODO: add spec->blocksize */ case GCRY_MD_SHA3_224: macpad_Bsize = 1152 / 8; break; case GCRY_MD_SHA3_256: macpad_Bsize = 1088 / 8; break; case GCRY_MD_SHA3_384: macpad_Bsize = 832 / 8; break; case GCRY_MD_SHA3_512: macpad_Bsize = 576 / 8; break; case GCRY_MD_SHA384: case GCRY_MD_SHA512: case GCRY_MD_SHA512_256: case GCRY_MD_SHA512_224: case GCRY_MD_BLAKE2B_512: case GCRY_MD_BLAKE2B_384: case GCRY_MD_BLAKE2B_256: case GCRY_MD_BLAKE2B_160: macpad_Bsize = 128; break; case GCRY_MD_GOSTR3411_94: case GCRY_MD_GOSTR3411_CP: macpad_Bsize = 32; break; default: macpad_Bsize = 64; break; } if ( keylen > macpad_Bsize ) { k = key_allocated = xtrymalloc_secure (r->spec->mdlen); if (!k) return gpg_err_code_from_errno (errno); _gcry_md_hash_buffer (r->spec->algo, key_allocated, key, keylen); k_len = r->spec->mdlen; gcry_assert ( k_len <= macpad_Bsize ); } else { k = key; k_len = keylen; } (*r->spec->init) (r->context, a->ctx->flags.bugemu1? GCRY_MD_FLAG_BUGEMU1:0); a->bufpos = 0; for (i=0; i < k_len; i++ ) _gcry_md_putc (a, k[i] ^ 0x36); for (; i < macpad_Bsize; i++ ) _gcry_md_putc (a, 0x36); (*r->spec->write) (r->context, a->buf, a->bufpos); memcpy ((char *)r->context + r->spec->contextsize, r->context, r->spec->contextsize); (*r->spec->init) (r->context, a->ctx->flags.bugemu1? GCRY_MD_FLAG_BUGEMU1:0); a->bufpos = 0; for (i=0; i < k_len; i++ ) _gcry_md_putc (a, k[i] ^ 0x5c); for (; i < macpad_Bsize; i++ ) _gcry_md_putc (a, 0x5c); (*r->spec->write) (r->context, a->buf, a->bufpos); memcpy ((char *)r->context + r->spec->contextsize*2, r->context, r->spec->contextsize); xfree (key_allocated); } a->bufpos = 0; return 0; } gcry_err_code_t _gcry_md_ctl (gcry_md_hd_t hd, int cmd, void *buffer, size_t buflen) { gcry_err_code_t rc = 0; (void)buflen; /* Currently not used. */ switch (cmd) { case GCRYCTL_FINALIZE: md_final (hd); break; case GCRYCTL_START_DUMP: md_start_debug (hd, buffer); break; case GCRYCTL_STOP_DUMP: md_stop_debug ( hd ); break; default: rc = GPG_ERR_INV_OP; } return rc; } gcry_err_code_t _gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen) { gcry_err_code_t rc; if (hd->ctx->flags.hmac) { rc = prepare_macpads (hd, key, keylen); if (!rc) _gcry_md_reset (hd); } else { rc = md_setkey (hd, key, keylen); } return rc; } /* The new debug interface. If SUFFIX is a string it creates an debug file for the context HD. IF suffix is NULL, the file is closed and debugging is stopped. */ void _gcry_md_debug (gcry_md_hd_t hd, const char *suffix) { if (suffix) md_start_debug (hd, suffix); else md_stop_debug (hd); } /**************** * If ALGO is null get the digest for the used algo (which should be * only one) */ static byte * md_read( gcry_md_hd_t a, int algo ) { GcryDigestEntry *r = a->ctx->list; if (! algo) { /* Return the first algorithm */ if (r) { if (r->next) log_debug ("more than one algorithm in md_read(0)\n"); if (r->spec->read) return r->spec->read (r->context); } } else { for (r = a->ctx->list; r; r = r->next) if (r->spec->algo == algo) { if (r->spec->read) return r->spec->read (r->context); break; } } if (r && !r->spec->read) _gcry_fatal_error (GPG_ERR_DIGEST_ALGO, "requested algo has no fixed digest length"); else _gcry_fatal_error (GPG_ERR_DIGEST_ALGO, "requested algo not in md context"); return NULL; } /* * Read out the complete digest, this function implictly finalizes * the hash. */ byte * _gcry_md_read (gcry_md_hd_t hd, int algo) { /* This function is expected to always return a digest, thus we can't return an error which we actually should do in non-operational state. */ _gcry_md_ctl (hd, GCRYCTL_FINALIZE, NULL, 0); return md_read (hd, algo); } /**************** * If ALGO is null get the digest for the used algo (which should be * only one) */ static gcry_err_code_t md_extract(gcry_md_hd_t a, int algo, void *out, size_t outlen) { GcryDigestEntry *r = a->ctx->list; if (!algo) { /* Return the first algorithm */ if (r && r->spec->extract) { if (r->next) log_debug ("more than one algorithm in md_extract(0)\n"); r->spec->extract (r->context, out, outlen); return 0; } } else { for (r = a->ctx->list; r; r = r->next) if (r->spec->algo == algo && r->spec->extract) { r->spec->extract (r->context, out, outlen); return 0; } } return GPG_ERR_DIGEST_ALGO; } /* * Expand the output from XOF class digest, this function implictly finalizes * the hash. */ gcry_err_code_t _gcry_md_extract (gcry_md_hd_t hd, int algo, void *out, size_t outlen) { _gcry_md_ctl (hd, GCRYCTL_FINALIZE, NULL, 0); return md_extract (hd, algo, out, outlen); } /* * Read out an intermediate digest. Not yet functional. */ gcry_err_code_t _gcry_md_get (gcry_md_hd_t hd, int algo, byte *buffer, int buflen) { (void)hd; (void)algo; (void)buffer; (void)buflen; /*md_digest ... */ fips_signal_error ("unimplemented function called"); return GPG_ERR_INTERNAL; } /* * Shortcut function to hash a buffer with a given algo. The only * guaranteed supported algorithms are RIPE-MD160 and SHA-1. The * supplied digest buffer must be large enough to store the resulting * hash. No error is returned, the function will abort on an invalid * algo. DISABLED_ALGOS are ignored here. */ void _gcry_md_hash_buffer (int algo, void *digest, const void *buffer, size_t length) { gcry_md_spec_t *spec; spec = spec_from_algo (algo); if (!spec) { log_debug ("md_hash_buffer: algorithm %d not available\n", algo); return; } if (algo == GCRY_MD_MD5 && fips_mode ()) { _gcry_inactivate_fips_mode ("MD5 used"); if (_gcry_enforced_fips_mode () ) { /* We should never get to here because we do not register MD5 in enforced fips mode. */ _gcry_fips_noreturn (); } } if (spec->hash_buffer != NULL) { spec->hash_buffer (digest, buffer, length); } else if (spec->hash_buffers != NULL) { gcry_buffer_t iov; iov.size = 0; iov.data = (void *)buffer; iov.off = 0; iov.len = length; spec->hash_buffers (digest, &iov, 1); } else { /* For the others we do not have a fast function, so we use the normal functions. */ gcry_md_hd_t h; gpg_err_code_t err; err = md_open (&h, algo, 0); if (err) log_bug ("gcry_md_open failed for algo %d: %s", algo, gpg_strerror (gcry_error(err))); md_write (h, (byte *) buffer, length); md_final (h); memcpy (digest, md_read (h, algo), md_digest_length (algo)); md_close (h); } } /* Shortcut function to hash multiple buffers with a given algo. In contrast to gcry_md_hash_buffer, this function returns an error on invalid arguments or on other problems; disabled algorithms are _not_ ignored but flagged as an error. The data to sign is taken from the array IOV which has IOVCNT items. The only supported flag in FLAGS is GCRY_MD_FLAG_HMAC which turns this function into a HMAC function; the first item in IOV is then used as the key. On success 0 is returned and resulting hash or HMAC is stored at - DIGEST which must have been provided by the caller with an - appropriate length. */ + DIGEST. DIGESTLEN may be given as -1, in which case DIGEST must + have been provided by the caller with an appropriate length. + DIGESTLEN may also be the appropriate length or, in case of XOF + algorithms, DIGESTLEN indicates number bytes to extract from XOF + to DIGEST. */ gpg_err_code_t -_gcry_md_hash_buffers (int algo, unsigned int flags, void *digest, - const gcry_buffer_t *iov, int iovcnt) +_gcry_md_hash_buffers_extract (int algo, unsigned int flags, void *digest, + int digestlen, const gcry_buffer_t *iov, + int iovcnt) { gcry_md_spec_t *spec; int hmac; if (!iov || iovcnt < 0) return GPG_ERR_INV_ARG; if (flags & ~(GCRY_MD_FLAG_HMAC)) return GPG_ERR_INV_ARG; hmac = !!(flags & GCRY_MD_FLAG_HMAC); if (hmac && iovcnt < 1) return GPG_ERR_INV_ARG; spec = spec_from_algo (algo); if (!spec) { log_debug ("md_hash_buffers: algorithm %d not available\n", algo); return GPG_ERR_DIGEST_ALGO; } if (algo == GCRY_MD_MD5 && fips_mode ()) { _gcry_inactivate_fips_mode ("MD5 used"); if (_gcry_enforced_fips_mode () ) { /* We should never get to here because we do not register MD5 in enforced fips mode. */ _gcry_fips_noreturn (); } } + if (spec->mdlen > 0 && digestlen != -1 && digestlen != spec->mdlen) + return GPG_ERR_DIGEST_ALGO; + if (spec->mdlen == 0 && digestlen == -1) + return GPG_ERR_DIGEST_ALGO; + if (!hmac && spec->hash_buffers) { spec->hash_buffers (digest, iov, iovcnt); } else { /* For the others we do not have a fast function, so we use the normal functions. */ gcry_md_hd_t h; gpg_err_code_t rc; - int dlen; - - /* Detect SHAKE128 like algorithms which we can't use because - * our API does not allow for a variable length digest. */ - dlen = md_digest_length (algo); - if (!dlen) - return GPG_ERR_DIGEST_ALGO; rc = md_open (&h, algo, (hmac? GCRY_MD_FLAG_HMAC:0)); if (rc) return rc; if (hmac) { rc = _gcry_md_setkey (h, (const char*)iov[0].data + iov[0].off, iov[0].len); if (rc) { md_close (h); return rc; } iov++; iovcnt--; } for (;iovcnt; iov++, iovcnt--) md_write (h, (const char*)iov[0].data + iov[0].off, iov[0].len); md_final (h); - memcpy (digest, md_read (h, algo), dlen); + if (spec->mdlen > 0) + memcpy (digest, md_read (h, algo), spec->mdlen); + else if (digestlen > 0) + md_extract (h, algo, digest, digestlen); md_close (h); } return 0; } +/* Shortcut function to hash multiple buffers with a given algo. In + contrast to gcry_md_hash_buffer, this function returns an error on + invalid arguments or on other problems; disabled algorithms are + _not_ ignored but flagged as an error. + + The data to sign is taken from the array IOV which has IOVCNT items. + + The only supported flag in FLAGS is GCRY_MD_FLAG_HMAC which turns + this function into a HMAC function; the first item in IOV is then + used as the key. + + On success 0 is returned and resulting hash or HMAC is stored at + DIGEST which must have been provided by the caller with an + appropriate length. */ +gpg_err_code_t +_gcry_md_hash_buffers (int algo, unsigned int flags, void *digest, + const gcry_buffer_t *iov, int iovcnt) +{ + return _gcry_md_hash_buffers_extract(algo, flags, digest, -1, iov, iovcnt); +} + + static int md_get_algo (gcry_md_hd_t a) { GcryDigestEntry *r = a->ctx->list; if (r && r->next) { fips_signal_error ("possible usage error"); log_error ("WARNING: more than one algorithm in md_get_algo()\n"); } return r ? r->spec->algo : 0; } int _gcry_md_get_algo (gcry_md_hd_t hd) { return md_get_algo (hd); } /**************** * Return the length of the digest */ static int md_digest_length (int algorithm) { gcry_md_spec_t *spec; spec = spec_from_algo (algorithm); return spec? spec->mdlen : 0; } /**************** * Return the length of the digest in bytes. * This function will return 0 in case of errors. */ unsigned int _gcry_md_get_algo_dlen (int algorithm) { return md_digest_length (algorithm); } /* Hmmm: add a mode to enumerate the OIDs * to make g10/sig-check.c more portable */ static const byte * md_asn_oid (int algorithm, size_t *asnlen, size_t *mdlen) { gcry_md_spec_t *spec; const byte *asnoid = NULL; spec = spec_from_algo (algorithm); if (spec) { if (asnlen) *asnlen = spec->asnlen; if (mdlen) *mdlen = spec->mdlen; asnoid = spec->asnoid; } else log_bug ("no ASN.1 OID for md algo %d\n", algorithm); return asnoid; } /**************** * Return information about the given cipher algorithm * WHAT select the kind of information returned: * GCRYCTL_TEST_ALGO: * Returns 0 when the specified algorithm is available for use. * buffer and nbytes must be zero. * GCRYCTL_GET_ASNOID: * Return the ASNOID of the algorithm in buffer. if buffer is NULL, only * the required length is returned. * GCRYCTL_SELFTEST * Helper for the regression tests - shall not be used by applications. * * Note: Because this function is in most cases used to return an * integer value, we can make it easier for the caller to just look at * the return value. The caller will in all cases consult the value * and thereby detecting whether a error occurred or not (i.e. while checking * the block size) */ gcry_err_code_t _gcry_md_algo_info (int algo, int what, void *buffer, size_t *nbytes) { gcry_err_code_t rc; switch (what) { case GCRYCTL_TEST_ALGO: if (buffer || nbytes) rc = GPG_ERR_INV_ARG; else rc = check_digest_algo (algo); break; case GCRYCTL_GET_ASNOID: /* We need to check that the algo is available because md_asn_oid would otherwise raise an assertion. */ rc = check_digest_algo (algo); if (!rc) { const char unsigned *asn; size_t asnlen; asn = md_asn_oid (algo, &asnlen, NULL); if (buffer && (*nbytes >= asnlen)) { memcpy (buffer, asn, asnlen); *nbytes = asnlen; } else if (!buffer && nbytes) *nbytes = asnlen; else { if (buffer) rc = GPG_ERR_TOO_SHORT; else rc = GPG_ERR_INV_ARG; } } break; case GCRYCTL_SELFTEST: /* Helper function for the regression tests. */ rc = gpg_err_code (_gcry_md_selftest (algo, nbytes? (int)*nbytes : 0, NULL)); break; default: rc = GPG_ERR_INV_OP; break; } return rc; } static void md_start_debug ( gcry_md_hd_t md, const char *suffix ) { static int idx=0; char buf[50]; if (fips_mode ()) return; if ( md->ctx->debug ) { log_debug("Oops: md debug already started\n"); return; } idx++; snprintf (buf, DIM(buf)-1, "dbgmd-%05d.%.10s", idx, suffix ); md->ctx->debug = fopen(buf, "w"); if ( !md->ctx->debug ) log_debug("md debug: can't open %s\n", buf ); } static void md_stop_debug( gcry_md_hd_t md ) { if ( md->ctx->debug ) { if ( md->bufpos ) md_write ( md, NULL, 0 ); fclose (md->ctx->debug); md->ctx->debug = NULL; } { /* a kludge to pull in the __muldi3 for Solaris */ volatile u32 a = (u32)(uintptr_t)md; volatile u64 b = 42; volatile u64 c; c = a * b; (void)c; } } /* * Return information about the digest handle. * GCRYCTL_IS_SECURE: * Returns 1 when the handle works on secured memory * otherwise 0 is returned. There is no error return. * GCRYCTL_IS_ALGO_ENABLED: * Returns 1 if the algo is enabled for that handle. * The algo must be passed as the address of an int. */ gcry_err_code_t _gcry_md_info (gcry_md_hd_t h, int cmd, void *buffer, size_t *nbytes) { gcry_err_code_t rc = 0; switch (cmd) { case GCRYCTL_IS_SECURE: *nbytes = h->ctx->flags.secure; break; case GCRYCTL_IS_ALGO_ENABLED: { GcryDigestEntry *r; int algo; if ( !buffer || !nbytes || *nbytes != sizeof (int)) rc = GPG_ERR_INV_ARG; else { algo = *(int*)buffer; *nbytes = 0; for(r=h->ctx->list; r; r = r->next ) { if (r->spec->algo == algo) { *nbytes = 1; break; } } } break; } default: rc = GPG_ERR_INV_OP; } return rc; } /* Explicitly initialize this module. */ gcry_err_code_t _gcry_md_init (void) { if (fips_mode()) { /* disable algorithms that are disallowed in fips */ int idx; gcry_md_spec_t *spec; for (idx = 0; (spec = digest_list[idx]); idx++) if (!spec->flags.fips) spec->flags.disabled = 1; } return 0; } int _gcry_md_is_secure (gcry_md_hd_t a) { size_t value; if (_gcry_md_info (a, GCRYCTL_IS_SECURE, NULL, &value)) value = 1; /* It seems to be better to assume secure memory on error. */ return value; } int _gcry_md_is_enabled (gcry_md_hd_t a, int algo) { size_t value; value = sizeof algo; if (_gcry_md_info (a, GCRYCTL_IS_ALGO_ENABLED, &algo, &value)) value = 0; return value; } /* Run the selftests for digest algorithm ALGO with optional reporting function REPORT. */ gpg_error_t _gcry_md_selftest (int algo, int extended, selftest_report_func_t report) { gcry_err_code_t ec = 0; gcry_md_spec_t *spec; spec = spec_from_algo (algo); if (spec && !spec->flags.disabled && spec->selftest) ec = spec->selftest (algo, extended, report); else { ec = (spec && spec->selftest) ? GPG_ERR_DIGEST_ALGO /* */ : GPG_ERR_NOT_IMPLEMENTED; if (report) report ("digest", algo, "module", (spec && !spec->flags.disabled)? "no selftest available" : spec? "algorithm disabled" : "algorithm not found"); } return gpg_error (ec); } diff --git a/src/gcrypt-int.h b/src/gcrypt-int.h index 858b92ce..9193ebcd 100644 --- a/src/gcrypt-int.h +++ b/src/gcrypt-int.h @@ -1,536 +1,540 @@ /* gcrypt-int.h - Internal version of gcrypt.h * Copyright (C) 2013 g10 Code GmbH * * This file is part of Libgcrypt. * * Libgcrypt is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * Libgcrypt is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this program; if not, see . */ #ifndef GCRY_GCRYPT_INT_H #define GCRY_GCRYPT_INT_H #ifdef _GCRYPT_H #error gcrypt.h already included #endif #include "gcrypt.h" #include "types.h" /* These error codes are used but not defined in the required * libgpg-error N.MM. Define them here. [None right now.] */ /* Context used with elliptic curve functions. */ struct mpi_ec_ctx_s; typedef struct mpi_ec_ctx_s *mpi_ec_t; /* Underscore prefixed internal versions of the public functions. They return gpg_err_code_t and not gpg_error_t. Some macros also need an underscore prefixed internal version. Note that the memory allocation functions and macros (xmalloc etc.) are not defined here but in g10lib.h because this file here is included by some test programs which define theie own xmalloc macros. */ gpg_err_code_t _gcry_cipher_open (gcry_cipher_hd_t *handle, int algo, int mode, unsigned int flags); void _gcry_cipher_close (gcry_cipher_hd_t h); gpg_err_code_t _gcry_cipher_ctl (gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen); gpg_err_code_t _gcry_cipher_info (gcry_cipher_hd_t h, int what, void *buffer, size_t *nbytes); gpg_err_code_t _gcry_cipher_algo_info (int algo, int what, void *buffer, size_t *nbytes); const char *_gcry_cipher_algo_name (int algorithm) _GCRY_GCC_ATTR_PURE; int _gcry_cipher_map_name (const char *name) _GCRY_GCC_ATTR_PURE; int _gcry_cipher_mode_from_oid (const char *string) _GCRY_GCC_ATTR_PURE; gpg_err_code_t _gcry_cipher_encrypt (gcry_cipher_hd_t h, void *out, size_t outsize, const void *in, size_t inlen); gpg_err_code_t _gcry_cipher_decrypt (gcry_cipher_hd_t h, void *out, size_t outsize, const void *in, size_t inlen); gcry_err_code_t _gcry_cipher_setkey (gcry_cipher_hd_t hd, const void *key, size_t keylen); gcry_err_code_t _gcry_cipher_setiv (gcry_cipher_hd_t hd, const void *iv, size_t ivlen); gpg_err_code_t _gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf, size_t abuflen); gpg_err_code_t _gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag, size_t taglen); gpg_err_code_t _gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, size_t taglen); gpg_err_code_t _gcry_cipher_setctr (gcry_cipher_hd_t hd, const void *ctr, size_t ctrlen); gpg_err_code_t _gcry_cipher_getctr (gcry_cipher_hd_t hd, void *ctr, size_t ctrlen); size_t _gcry_cipher_get_algo_keylen (int algo); size_t _gcry_cipher_get_algo_blklen (int algo); #define _gcry_cipher_reset(h) _gcry_cipher_ctl ((h), GCRYCTL_RESET, NULL, 0) gpg_err_code_t _gcry_pk_encrypt (gcry_sexp_t *result, gcry_sexp_t data, gcry_sexp_t pkey); gpg_err_code_t _gcry_pk_decrypt (gcry_sexp_t *result, gcry_sexp_t data, gcry_sexp_t skey); gpg_err_code_t _gcry_pk_sign (gcry_sexp_t *result, gcry_sexp_t data, gcry_sexp_t skey); gpg_err_code_t _gcry_pk_verify (gcry_sexp_t sigval, gcry_sexp_t data, gcry_sexp_t pkey); gpg_err_code_t _gcry_pk_testkey (gcry_sexp_t key); gpg_err_code_t _gcry_pk_genkey (gcry_sexp_t *r_key, gcry_sexp_t s_parms); gpg_err_code_t _gcry_pk_ctl (int cmd, void *buffer, size_t buflen); gpg_err_code_t _gcry_pk_algo_info (int algo, int what, void *buffer, size_t *nbytes); const char *_gcry_pk_algo_name (int algorithm) _GCRY_GCC_ATTR_PURE; int _gcry_pk_map_name (const char* name) _GCRY_GCC_ATTR_PURE; unsigned int _gcry_pk_get_nbits (gcry_sexp_t key) _GCRY_GCC_ATTR_PURE; unsigned char *_gcry_pk_get_keygrip (gcry_sexp_t key, unsigned char *array); const char *_gcry_pk_get_curve (gcry_sexp_t key, int iterator, unsigned int *r_nbits); gcry_sexp_t _gcry_pk_get_param (int algo, const char *name); gpg_err_code_t _gcry_pubkey_get_sexp (gcry_sexp_t *r_sexp, int mode, gcry_ctx_t ctx); unsigned int _gcry_ecc_get_algo_keylen (int algo); gpg_error_t _gcry_ecc_mul_point (int algo, unsigned char *result, const unsigned char *scalar, const unsigned char *point); gpg_err_code_t _gcry_md_open (gcry_md_hd_t *h, int algo, unsigned int flags); void _gcry_md_close (gcry_md_hd_t hd); gpg_err_code_t _gcry_md_enable (gcry_md_hd_t hd, int algo); gpg_err_code_t _gcry_md_copy (gcry_md_hd_t *bhd, gcry_md_hd_t ahd); void _gcry_md_reset (gcry_md_hd_t hd); gpg_err_code_t _gcry_md_ctl (gcry_md_hd_t hd, int cmd, void *buffer, size_t buflen); void _gcry_md_write (gcry_md_hd_t hd, const void *buffer, size_t length); unsigned char *_gcry_md_read (gcry_md_hd_t hd, int algo); gpg_err_code_t _gcry_md_extract (gcry_md_hd_t hd, int algo, void *buffer, size_t length); void _gcry_md_hash_buffer (int algo, void *digest, const void *buffer, size_t length); +gpg_err_code_t _gcry_md_hash_buffers_extract (int algo, unsigned int flags, + void *digest, int digestlen, + const gcry_buffer_t *iov, + int iovcnt); gpg_err_code_t _gcry_md_hash_buffers (int algo, unsigned int flags, void *digest, const gcry_buffer_t *iov, int iovcnt); int _gcry_md_get_algo (gcry_md_hd_t hd); unsigned int _gcry_md_get_algo_dlen (int algo); int _gcry_md_is_enabled (gcry_md_hd_t a, int algo); int _gcry_md_is_secure (gcry_md_hd_t a); gpg_err_code_t _gcry_md_info (gcry_md_hd_t h, int what, void *buffer, size_t *nbytes); gpg_err_code_t _gcry_md_algo_info (int algo, int what, void *buffer, size_t *nbytes); const char *_gcry_md_algo_name (int algo) _GCRY_GCC_ATTR_PURE; int _gcry_md_map_name (const char* name) _GCRY_GCC_ATTR_PURE; gpg_err_code_t _gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen); void _gcry_md_debug (gcry_md_hd_t hd, const char *suffix); #define _gcry_md_test_algo(a) \ _gcry_md_algo_info ((a), GCRYCTL_TEST_ALGO, NULL, NULL) #define _gcry_md_final(a) \ _gcry_md_ctl ((a), GCRYCTL_FINALIZE, NULL, 0) #define _gcry_md_putc(h,c) \ do { \ gcry_md_hd_t h__ = (h); \ if( (h__)->bufpos == (h__)->bufsize ) \ _gcry_md_write( (h__), NULL, 0 ); \ (h__)->buf[(h__)->bufpos++] = (c) & 0xff; \ } while(0) gpg_err_code_t _gcry_mac_open (gcry_mac_hd_t *handle, int algo, unsigned int flags, gcry_ctx_t ctx); void _gcry_mac_close (gcry_mac_hd_t h); gpg_err_code_t _gcry_mac_ctl (gcry_mac_hd_t h, int cmd, void *buffer, size_t buflen); gpg_err_code_t _gcry_mac_algo_info (int algo, int what, void *buffer, size_t *nbytes); gpg_err_code_t _gcry_mac_setkey (gcry_mac_hd_t hd, const void *key, size_t keylen); gpg_err_code_t _gcry_mac_setiv (gcry_mac_hd_t hd, const void *iv, size_t ivlen); gpg_err_code_t _gcry_mac_write (gcry_mac_hd_t hd, const void *buffer, size_t length); gpg_err_code_t _gcry_mac_read (gcry_mac_hd_t hd, void *buffer, size_t *buflen); gpg_err_code_t _gcry_mac_verify (gcry_mac_hd_t hd, const void *buffer, size_t buflen); int _gcry_mac_get_algo (gcry_mac_hd_t hd); unsigned int _gcry_mac_get_algo_maclen (int algo); unsigned int _gcry_mac_get_algo_keylen (int algo); const char *_gcry_mac_algo_name (int algorithm) _GCRY_GCC_ATTR_PURE; int _gcry_mac_map_name (const char *name) _GCRY_GCC_ATTR_PURE; #define _gcry_mac_reset(h) _gcry_mac_ctl ((h), GCRYCTL_RESET, NULL, 0) gpg_err_code_t _gcry_kdf_derive (const void *passphrase, size_t passphraselen, int algo, int subalgo, const void *salt, size_t saltlen, unsigned long iterations, size_t keysize, void *keybuffer); gpg_err_code_t _gcry_prime_generate (gcry_mpi_t *prime, unsigned int prime_bits, unsigned int factor_bits, gcry_mpi_t **factors, gcry_prime_check_func_t cb_func, void *cb_arg, gcry_random_level_t random_level, unsigned int flags); gpg_err_code_t _gcry_prime_group_generator (gcry_mpi_t *r_g, gcry_mpi_t prime, gcry_mpi_t *factors, gcry_mpi_t start_g); void _gcry_prime_release_factors (gcry_mpi_t *factors); gpg_err_code_t _gcry_prime_check (gcry_mpi_t x, unsigned int flags); void _gcry_randomize (void *buffer, size_t length, enum gcry_random_level level); gpg_err_code_t _gcry_random_add_bytes (const void *buffer, size_t length, int quality); void *_gcry_random_bytes (size_t nbytes, enum gcry_random_level level) _GCRY_GCC_ATTR_MALLOC; void *_gcry_random_bytes_secure (size_t nbytes, enum gcry_random_level level) _GCRY_GCC_ATTR_MALLOC; void _gcry_mpi_randomize (gcry_mpi_t w, unsigned int nbits, enum gcry_random_level level); void _gcry_create_nonce (void *buffer, size_t length); void _gcry_ctx_release (gcry_ctx_t ctx); const char *_gcry_check_version (const char *req_version); void _gcry_set_allocation_handler (gcry_handler_alloc_t func_alloc, gcry_handler_alloc_t func_alloc_secure, gcry_handler_secure_check_t func_secure_check, gcry_handler_realloc_t func_realloc, gcry_handler_free_t func_free); void _gcry_set_outofcore_handler (gcry_handler_no_mem_t h, void *opaque); void _gcry_set_fatalerror_handler (gcry_handler_error_t fnc, void *opaque); void _gcry_set_log_handler (gcry_handler_log_t f, void *opaque); void _gcry_set_gettext_handler (const char *(*f)(const char*)); void _gcry_set_progress_handler (gcry_handler_progress_t cb, void *cb_data); /* Return a pointer to a string containing a description of the error code in the error value ERR. */ static inline const char * _gcry_strerror (gcry_error_t err) { return gpg_strerror (err); } /* Return a pointer to a string containing a description of the error source in the error value ERR. */ static inline const char * _gcry_strsource (gcry_error_t err) { return gpg_strsource (err); } /* Retrieve the error code for the system error ERR. This returns GPG_ERR_UNKNOWN_ERRNO if the system error is not mapped (report this). */ static inline gcry_err_code_t _gcry_err_code_from_errno (int err) { return gpg_err_code_from_errno (err); } /* Retrieve the system error for the error code CODE. This returns 0 if CODE is not a system error code. */ static inline int _gcry_err_code_to_errno (gcry_err_code_t code) { return gpg_err_code_from_errno (code); } /* Return an error value with the error source SOURCE and the system error ERR. */ static inline gcry_error_t _gcry_err_make_from_errno (gpg_err_source_t source, int err) { return gpg_err_make_from_errno (source, err); } /* Return an error value with the system error ERR. */ static inline gcry_error_t _gcry_error_from_errno (int err) { return gpg_error (gpg_err_code_from_errno (err)); } gpg_err_code_t _gcry_sexp_new (gcry_sexp_t *retsexp, const void *buffer, size_t length, int autodetect); gpg_err_code_t _gcry_sexp_create (gcry_sexp_t *retsexp, void *buffer, size_t length, int autodetect, void (*freefnc) (void *)); gpg_err_code_t _gcry_sexp_sscan (gcry_sexp_t *retsexp, size_t *erroff, const char *buffer, size_t length); gpg_err_code_t _gcry_sexp_build (gcry_sexp_t *retsexp, size_t *erroff, const char *format, ...); gpg_err_code_t _gcry_sexp_build_array (gcry_sexp_t *retsexp, size_t *erroff, const char *format, void **arg_list); void _gcry_sexp_release (gcry_sexp_t sexp); size_t _gcry_sexp_canon_len (const unsigned char *buffer, size_t length, size_t *erroff, gcry_err_code_t *errcode); size_t _gcry_sexp_sprint (gcry_sexp_t sexp, int mode, void *buffer, size_t maxlength); void _gcry_sexp_dump (const gcry_sexp_t a); gcry_sexp_t _gcry_sexp_cons (const gcry_sexp_t a, const gcry_sexp_t b); gcry_sexp_t _gcry_sexp_alist (const gcry_sexp_t *array); gcry_sexp_t _gcry_sexp_vlist (const gcry_sexp_t a, ...); gcry_sexp_t _gcry_sexp_append (const gcry_sexp_t a, const gcry_sexp_t n); gcry_sexp_t _gcry_sexp_prepend (const gcry_sexp_t a, const gcry_sexp_t n); gcry_sexp_t _gcry_sexp_find_token (gcry_sexp_t list, const char *tok, size_t toklen); int _gcry_sexp_length (const gcry_sexp_t list); gcry_sexp_t _gcry_sexp_nth (const gcry_sexp_t list, int number); gcry_sexp_t _gcry_sexp_car (const gcry_sexp_t list); gcry_sexp_t _gcry_sexp_cdr (const gcry_sexp_t list); gcry_sexp_t _gcry_sexp_cadr (const gcry_sexp_t list); const char *_gcry_sexp_nth_data (const gcry_sexp_t list, int number, size_t *datalen); void *_gcry_sexp_nth_buffer (const gcry_sexp_t list, int number, size_t *rlength); char *_gcry_sexp_nth_string (gcry_sexp_t list, int number); gcry_mpi_t _gcry_sexp_nth_mpi (gcry_sexp_t list, int number, int mpifmt); gpg_err_code_t _gcry_sexp_extract_param (gcry_sexp_t sexp, const char *path, const char *list, ...) _GCRY_GCC_ATTR_SENTINEL(0); #define sexp_new(a, b, c, d) _gcry_sexp_new ((a), (b), (c), (d)) #define sexp_create(a, b, c, d, e) _gcry_sexp_create ((a), (b), (c), (d), (e)) #define sexp_sscan(a, b, c, d) _gcry_sexp_sscan ((a), (b), (c), (d)) #define sexp_build _gcry_sexp_build #define sexp_build_array(a, b, c, d) _gcry_sexp_build_array ((a), (b), (c), (d)) #define sexp_release(a) _gcry_sexp_release ((a)) #define sexp_canon_len(a, b, c, d) _gcry_sexp_canon_len ((a), (b), (c), (d)) #define sexp_sprint(a, b, c, d) _gcry_sexp_sprint ((a), (b), (c), (d)) #define sexp_dump(a) _gcry_sexp_dump ((a)) #define sexp_cons(a, b) _gcry_sexp_cons ((a), (b)) #define sexp_alist(a) _gcry_sexp_alist ((a)) #define sexp_vlist _gcry_sexp_vlist #define sexp_append(a, b) _gcry_sexp_append ((a), (b)) #define sexp_prepend(a, b) _gcry_sexp_prepend ((a), (b)) #define sexp_find_token(a, b, c) _gcry_sexp_find_token ((a), (b), (c)) #define sexp_length(a) _gcry_sexp_length ((a)) #define sexp_nth(a, b) _gcry_sexp_nth ((a), (b)) #define sexp_car(a) _gcry_sexp_car ((a)) #define sexp_cdr(a) _gcry_sexp_cdr ((a)) #define sexp_cadr(a) _gcry_sexp_cadr ((a)) #define sexp_nth_data(a, b, c) _gcry_sexp_nth_data ((a), (b), (c)) #define sexp_nth_buffer(a, b, c) _gcry_sexp_nth_buffer ((a), (b), (c)) #define sexp_nth_string(a, b) _gcry_sexp_nth_string ((a), (b)) #define sexp_nth_mpi(a, b, c) _gcry_sexp_nth_mpi ((a), (b), (c)) #define sexp_extract_param _gcry_sexp_extract_param gcry_mpi_t _gcry_mpi_new (unsigned int nbits); gcry_mpi_t _gcry_mpi_snew (unsigned int nbits); void _gcry_mpi_release (gcry_mpi_t a); gcry_mpi_t _gcry_mpi_copy (const gcry_mpi_t a); void _gcry_mpi_snatch (gcry_mpi_t w, gcry_mpi_t u); gcry_mpi_t _gcry_mpi_set (gcry_mpi_t w, const gcry_mpi_t u); gcry_mpi_t _gcry_mpi_set_ui (gcry_mpi_t w, unsigned long u); gcry_err_code_t _gcry_mpi_get_ui (unsigned int *w, gcry_mpi_t u); void _gcry_mpi_swap (gcry_mpi_t a, gcry_mpi_t b); int _gcry_mpi_is_neg (gcry_mpi_t a); void _gcry_mpi_neg (gcry_mpi_t w, gcry_mpi_t u); void _gcry_mpi_abs (gcry_mpi_t w); int _gcry_mpi_cmp (const gcry_mpi_t u, const gcry_mpi_t v); int _gcry_mpi_cmpabs (const gcry_mpi_t u, const gcry_mpi_t v); int _gcry_mpi_cmp_ui (const gcry_mpi_t u, unsigned long v); gpg_err_code_t _gcry_mpi_scan (gcry_mpi_t *ret_mpi, enum gcry_mpi_format format, const void *buffer, size_t buflen, size_t *nscanned); gpg_err_code_t _gcry_mpi_print (enum gcry_mpi_format format, unsigned char *buffer, size_t buflen, size_t *nwritten, const gcry_mpi_t a); gpg_err_code_t _gcry_mpi_aprint (enum gcry_mpi_format format, unsigned char **buffer, size_t *nwritten, const gcry_mpi_t a); void _gcry_mpi_dump (const gcry_mpi_t a); void _gcry_mpi_add (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v); void _gcry_mpi_add_ui (gcry_mpi_t w, gcry_mpi_t u, unsigned long v); void _gcry_mpi_addm (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m); void _gcry_mpi_sub (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v); void _gcry_mpi_sub_ui (gcry_mpi_t w, gcry_mpi_t u, unsigned long v ); void _gcry_mpi_subm (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m); void _gcry_mpi_mul (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v); void _gcry_mpi_mul_ui (gcry_mpi_t w, gcry_mpi_t u, unsigned long v ); void _gcry_mpi_mulm (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m); void _gcry_mpi_mul_2exp (gcry_mpi_t w, gcry_mpi_t u, unsigned long cnt); void _gcry_mpi_div (gcry_mpi_t q, gcry_mpi_t r, gcry_mpi_t dividend, gcry_mpi_t divisor, int round); void _gcry_mpi_mod (gcry_mpi_t r, gcry_mpi_t dividend, gcry_mpi_t divisor); void _gcry_mpi_powm (gcry_mpi_t w, const gcry_mpi_t b, const gcry_mpi_t e, const gcry_mpi_t m); int _gcry_mpi_gcd (gcry_mpi_t g, gcry_mpi_t a, gcry_mpi_t b); int _gcry_mpi_invm (gcry_mpi_t x, gcry_mpi_t a, gcry_mpi_t m); gcry_mpi_point_t _gcry_mpi_point_new (unsigned int nbits); void _gcry_mpi_point_release (gcry_mpi_point_t point); gcry_mpi_point_t _gcry_mpi_point_copy (gcry_mpi_point_t point); void _gcry_mpi_point_get (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z, gcry_mpi_point_t point); void _gcry_mpi_point_snatch_get (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z, gcry_mpi_point_t point); gcry_mpi_point_t _gcry_mpi_point_set (gcry_mpi_point_t point, gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z); gcry_mpi_point_t _gcry_mpi_point_snatch_set (gcry_mpi_point_t point, gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z); gcry_mpi_t _gcry_mpi_ec_get_mpi (const char *name, gcry_ctx_t ctx, int copy); gcry_mpi_point_t _gcry_mpi_ec_get_point (const char *name, gcry_ctx_t ctx, int copy); int _gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_point_t point, mpi_ec_t ctx); void _gcry_mpi_ec_point_resize (gcry_mpi_point_t p, mpi_ec_t ctx); void _gcry_mpi_ec_dup (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_ctx_t ctx); void _gcry_mpi_ec_add (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_mpi_point_t v, mpi_ec_t ctx); void _gcry_mpi_ec_sub (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_mpi_point_t v, mpi_ec_t ctx); void _gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u, mpi_ec_t ctx); int _gcry_mpi_ec_curve_point (gcry_mpi_point_t w, mpi_ec_t ctx); unsigned int _gcry_mpi_get_nbits (gcry_mpi_t a); int _gcry_mpi_test_bit (gcry_mpi_t a, unsigned int n); void _gcry_mpi_set_bit (gcry_mpi_t a, unsigned int n); void _gcry_mpi_clear_bit (gcry_mpi_t a, unsigned int n); void _gcry_mpi_set_highbit (gcry_mpi_t a, unsigned int n); void _gcry_mpi_clear_highbit (gcry_mpi_t a, unsigned int n); void _gcry_mpi_rshift (gcry_mpi_t x, gcry_mpi_t a, unsigned int n); void _gcry_mpi_lshift (gcry_mpi_t x, gcry_mpi_t a, unsigned int n); gcry_mpi_t _gcry_mpi_set_opaque (gcry_mpi_t a, void *p, unsigned int nbits); gcry_mpi_t _gcry_mpi_set_opaque_copy (gcry_mpi_t a, const void *p, unsigned int nbits); void *_gcry_mpi_get_opaque (gcry_mpi_t a, unsigned int *nbits); void _gcry_mpi_set_flag (gcry_mpi_t a, enum gcry_mpi_flag flag); void _gcry_mpi_clear_flag (gcry_mpi_t a, enum gcry_mpi_flag flag); int _gcry_mpi_get_flag (gcry_mpi_t a, enum gcry_mpi_flag flag); /* Private function - do not use. */ /* gcry_mpi_t _gcry_mpi_get_const (int no); */ /* We need our internal versions of the macros. */ #ifndef GCRYPT_NO_MPI_MACROS # error GCRYPT_NO_MPI_MACROS is not defined #endif #define mpi_new(n) _gcry_mpi_new ((n)) #define mpi_secure_new( n ) _gcry_mpi_snew ((n)) #define mpi_snew(n) _gcry_mpi_snew ((n)) #define mpi_release(a) \ do \ { \ _gcry_mpi_release ((a));\ (a) = NULL; \ } \ while (0) #define mpi_snatch( w, u) _gcry_mpi_snatch( (w), (u) ) #define mpi_set( w, u) _gcry_mpi_set( (w), (u) ) #define mpi_set_ui( w, u) _gcry_mpi_set_ui( (w), (u) ) #define mpi_get_ui(w,u) _gcry_mpi_get_ui( (w), (u) ) #define mpi_swap(a,b) _gcry_mpi_swap ((a),(b)) #define mpi_abs( w ) _gcry_mpi_abs( (w) ) #define mpi_neg( w, u) _gcry_mpi_neg( (w), (u) ) #define mpi_cmp( u, v ) _gcry_mpi_cmp( (u), (v) ) #define mpi_cmpabs( u, v ) _gcry_mpi_cmpabs( (u), (v) ) #define mpi_cmp_ui( u, v ) _gcry_mpi_cmp_ui( (u), (v) ) #define mpi_is_neg( a ) _gcry_mpi_is_neg ((a)) #define mpi_add_ui(w,u,v) _gcry_mpi_add_ui((w),(u),(v)) #define mpi_add(w,u,v) _gcry_mpi_add ((w),(u),(v)) #define mpi_addm(w,u,v,m) _gcry_mpi_addm ((w),(u),(v),(m)) #define mpi_sub_ui(w,u,v) _gcry_mpi_sub_ui ((w),(u),(v)) #define mpi_sub(w,u,v) _gcry_mpi_sub ((w),(u),(v)) #define mpi_subm(w,u,v,m) _gcry_mpi_subm ((w),(u),(v),(m)) #define mpi_mul_ui(w,u,v) _gcry_mpi_mul_ui ((w),(u),(v)) #define mpi_mul_2exp(w,u,v) _gcry_mpi_mul_2exp ((w),(u),(v)) #define mpi_mul(w,u,v) _gcry_mpi_mul ((w),(u),(v)) #define mpi_mulm(w,u,v,m) _gcry_mpi_mulm ((w),(u),(v),(m)) #define mpi_powm(w,b,e,m) _gcry_mpi_powm ( (w), (b), (e), (m) ) #define mpi_tdiv(q,r,a,m) _gcry_mpi_div ( (q), (r), (a), (m), 0) #define mpi_fdiv(q,r,a,m) _gcry_mpi_div ( (q), (r), (a), (m), -1) #define mpi_mod(r,a,m) _gcry_mpi_mod ((r), (a), (m)) #define mpi_gcd(g,a,b) _gcry_mpi_gcd ( (g), (a), (b) ) #define mpi_invm(g,a,b) _gcry_mpi_invm ( (g), (a), (b) ) #define mpi_point_new(n) _gcry_mpi_point_new((n)) #define mpi_point_release(p) \ do \ { \ _gcry_mpi_point_release ((p)); \ (p) = NULL; \ } \ while (0) #define mpi_point_copy(p) _gcry_mpi_point_copy((p)) #define mpi_point_get(x,y,z,p) _gcry_mpi_point_get((x),(y),(z),(p)) #define mpi_point_snatch_get(x,y,z,p) _gcry_mpi_point_snatch_get((x),(y), \ (z),(p)) #define mpi_point_set(p,x,y,z) _gcry_mpi_point_set((p),(x),(y),(z)) #define mpi_point_snatch_set(p,x,y,z) _gcry_mpi_point_snatch_set((p),(x), \ (y),(z)) #define mpi_point_resize(p,ctx) _gcry_mpi_ec_point_resize (p, ctx) #define mpi_get_nbits(a) _gcry_mpi_get_nbits ((a)) #define mpi_test_bit(a,b) _gcry_mpi_test_bit ((a),(b)) #define mpi_set_bit(a,b) _gcry_mpi_set_bit ((a),(b)) #define mpi_set_highbit(a,b) _gcry_mpi_set_highbit ((a),(b)) #define mpi_clear_bit(a,b) _gcry_mpi_clear_bit ((a),(b)) #define mpi_clear_highbit(a,b) _gcry_mpi_clear_highbit ((a),(b)) #define mpi_rshift(a,b,c) _gcry_mpi_rshift ((a),(b),(c)) #define mpi_lshift(a,b,c) _gcry_mpi_lshift ((a),(b),(c)) #define mpi_set_opaque(a,b,c) _gcry_mpi_set_opaque ((a), (b), (c)) #define mpi_get_opaque(a,b) _gcry_mpi_get_opaque ((a), (b)) #define mpi_set_flag(a,f) _gcry_mpi_set_flag ((a), (f)) #define mpi_set_flag(a,f) _gcry_mpi_set_flag ((a), (f)) #define mpi_clear_flag(a,f) _gcry_mpi_clear_flag ((a), (f)) #define mpi_get_flag(a,f) _gcry_mpi_get_flag ((a), (f)) #endif /*GCRY_GCRYPT_INT_H*/