From e1ven at e1ven.com Tue Jul 8 07:45:21 2014 From: e1ven at e1ven.com (Colin Davis) Date: Tue, 8 Jul 2014 01:45:21 -0400 Subject: Make fig2dev optional? Message-ID: <2C2AC47D-8B62-4181-BBFC-C260A7DC782A@e1ven.com> Installing fig2dev is unfortunately rather difficult on OSX, since it has a lot of prerequisites, and is not bundled with homebrew. Unfortunately, I didn't see an easy way to bypass creating these figures, other than manually editing the Makefile every time.. I added a check, which will look to see if fig2dev is installed. If not, it doesn't add the images to BUILT_SOURCES There may be a cleaner way to do this, but this lets me build lib There may well be a cleaner way to do this, but lets me build without fig2dev, while still running it if fig2dev is installed. -CPD https://gist.githubusercontent.com/e1ven/01244536540ae08c7dc1/raw/14b91133ddf0f616856afbab49d3251291606b5f/fig2dev.patch From a038af5b9d747161f79ef0f28dfb848aa50fe81f Mon Sep 17 00:00:00 2001 From: Colin Davis Date: Tue, 8 Jul 2014 01:23:29 -0400 Subject: [PATCH] Make fig2dev optional --- configure.ac | 2 ++ doc/Makefile.am | 18 ++++++++++-------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index c5952c7..58c276f 100644 --- a/configure.ac +++ b/configure.ac @@ -1334,6 +1334,8 @@ if test "$gcry_cv_cc_arm_arch_is_v6" = "yes" ; then [Defined if ARM architecture is v6 or newer]) fi +AC_CHECK_PROG([fig2dev], fig2dev, yes, no) +AM_CONDITIONAL([FOUND_FIG2DEV], [test "x$fig2dev" = xyes]) # # Check whether GCC inline assembler supports NEON instructions diff --git a/doc/Makefile.am b/doc/Makefile.am index 30330bb..782ec6a 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am 
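Review bot: in the configure.ac hunk, the result variable and the conditional are named after the program (`fig2dev`, FOUND_FIG2DEV), where Autoconf/Automake projects use a HAVE_ prefix for "tool is present" conditionals; `AC_CHECK_PROG([HAVE_FIG2DEV], [fig2dev], [yes], [no])` with `AM_CONDITIONAL([HAVE_FIG2DEV], [test "x$HAVE_FIG2DEV" = xyes])` keeps the same logic and avoids a lower-case shell variable that reads like the command itself. A one-line comment above the check saying that fig2dev is only needed to regenerate the documentation figures would tell the next reader why a missing tool is not fatal here.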
@@ -17,18 +17,20 @@ # License along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA -EXTRA_DIST = README.apichanges HACKING DCO \ - libgcrypt-modules.eps fips-fsm.eps \ - libgcrypt-modules.png fips-fsm.png \ - libgcrypt-modules.pdf fips-fsm.pdf \ - yat2m.c - -DISTCLEANFILES = gcrypt.cps yat2m-stamp.tmp yat2m-stamp $(myman_pages) -CLEANFILES = yat2m +if FOUND_FIG2DEV BUILT_SOURCES = libgcrypt-modules.eps fips-fsm.eps \ libgcrypt-modules.png fips-fsm.png \ libgcrypt-modules.pdf fips-fsm.pdf +else + BUILT_SOURCES = "" +endif + +EXTRA_DIST = README.apichanges HACKING DCO \ + yat2m.c $(BUILT_SOURCES) + +DISTCLEANFILES = gcrypt.cps yat2m-stamp.tmp yat2m-stamp $(myman_pages) +CLEANFILES = yat2m info_TEXINFOS = gcrypt.texi gcrypt_TEXINFOS = lgpl.texi gpl.texi libgcrypt-modules.fig fips-fsm.fig -- 2.0.1 From cmouse at cmouse.fi Tue Jul 8 09:32:25 2014 
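Review bot: in the doc/Makefile.am hunk, `BUILT_SOURCES = ""` in the else branch is not an empty list: make receives the two characters `""` as a file name and `all` then fails with no rule to make target `""`; write `BUILT_SOURCES =` or drop the else branch entirely, since a variable only assigned inside the true branch is empty otherwise. The larger problem is `EXTRA_DIST = ... $(BUILT_SOURCES)`: the contents of the release tarball now depend on whether fig2dev happened to be installed on the machine running `make dist`, and a tarball produced without it ships no .eps/.png/.pdf figures, so every downstream builder then needs fig2dev, the opposite of what the patch sets out to do. Keep the figure files in EXTRA_DIST unconditionally as before and make only BUILT_SOURCES conditional.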
From: cmouse at cmouse.fi (Aki Tuomi)
Date: Tue, 8 Jul 2014 10:32:25 +0300
Subject: Make fig2dev optional?
In-Reply-To: <2C2AC47D-8B62-4181-BBFC-C260A7DC782A@e1ven.com>
References: <2C2AC47D-8B62-4181-BBFC-C260A7DC782A@e1ven.com>
Message-ID: <20140708073225.GA13767@pi.ip.fi>

Usually conditionals like these are named HAVE_FIG2DEV. Can you perhaps consider renaming your conditional?

Kind regards,
Aki Tuomi

On Tue, Jul 08, 2014 at 01:45:21AM -0400, Colin Davis wrote:
> Installing fig2dev is unfortunately rather difficult on OSX, since it has a lot of prerequisites, and is not bundled with homebrew.
> Unfortunately, I didn't see an easy way to bypass creating these figures, other than manually editing the Makefile every time..
>
> I added a check, which will look to see if fig2dev is installed. If not, it doesn't add the images to BUILT_SOURCES
> There may be a cleaner way to do this, but this lets me build lib
>
> There may well be a cleaner way to do this, but lets me build without fig2dev, while still running it if fig2dev is installed.
>
> -CPD
>
>
> https://gist.githubusercontent.com/e1ven/01244536540ae08c7dc1/raw/14b91133ddf0f616856afbab49d3251291606b5f/fig2dev.patch
> From a038af5b9d747161f79ef0f28dfb848aa50fe81f Mon Sep 17 00:00:00 2001
> From: Colin Davis
> Date: Tue, 8 Jul 2014 01:23:29 -0400
> Subject: [PATCH] Make fig2dev optional
>
> ---
> configure.ac | 2 ++
> doc/Makefile.am | 18 ++++++++++--------
> 2 files changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index c5952c7..58c276f 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -1334,6 +1334,8 @@ if test "$gcry_cv_cc_arm_arch_is_v6" = "yes" ; then
> [Defined if ARM architecture is v6 or newer])
> fi
>
> +AC_CHECK_PROG([fig2dev], fig2dev, yes, no)
> +AM_CONDITIONAL([FOUND_FIG2DEV], [test "x$fig2dev" = xyes])
>
> #
> # Check whether GCC inline assembler supports NEON instructions
> diff --git a/doc/Makefile.am b/doc/Makefile.am
> index 30330bb..782ec6a 100644
> --- a/doc/Makefile.am
> +++ b/doc/Makefile.am
> @@ -17,18 +17,20 @@
> # License along with this program; if not, write to the Free Software
> # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
>
> -EXTRA_DIST = README.apichanges HACKING DCO \
> - libgcrypt-modules.eps fips-fsm.eps \
> - libgcrypt-modules.png fips-fsm.png \
> - libgcrypt-modules.pdf fips-fsm.pdf \
> - yat2m.c
> -
> -DISTCLEANFILES = gcrypt.cps yat2m-stamp.tmp yat2m-stamp $(myman_pages)
> -CLEANFILES = yat2m
>
> +if FOUND_FIG2DEV
> BUILT_SOURCES = libgcrypt-modules.eps fips-fsm.eps \
> libgcrypt-modules.png fips-fsm.png \
> libgcrypt-modules.pdf fips-fsm.pdf
> +else
> + BUILT_SOURCES = ""
> +endif
> +
> +EXTRA_DIST = README.apichanges HACKING DCO \
> + yat2m.c $(BUILT_SOURCES)
> +
> +DISTCLEANFILES = gcrypt.cps yat2m-stamp.tmp yat2m-stamp $(myman_pages)
> +CLEANFILES = yat2m
>
> info_TEXINFOS = gcrypt.texi
> gcrypt_TEXINFOS = lgpl.texi gpl.texi libgcrypt-modules.fig fips-fsm.fig
> --
> 2.0.1
>
> _______________________________________________
> Gcrypt-devel mailing list
> Gcrypt-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gcrypt-devel

From eriknyquistdev at gmail.com Tue Jul 8 12:35:36 2014
From: eriknyquistdev at gmail.com (Erik Nyquist)
Date: Tue, 8 Jul 2014 11:35:36 +0100
Subject: AES-NI support detection: possible bug?
Message-ID:

I tried compiling libgcrypt-1.5.0 on a platform with a Quark SoC (intel low-power SoC, which does not support AES instructions):

root at clanton:/media/mmcblk0p1# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 5
model : 9
model name : 05/09
stepping : 0
cpu MHz : 399.076
cache size : 0 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : yes
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 7
wp : yes
flags : fpu vme pse tsc msr pae cx8 apic pbe nx smep
bogomips : 798.15
clflush size : 32
cache_alignment : 32
address sizes : 32 bits physical, 32 bits virtual
power management:

During configure, the feature detection for AES-NI appears to return with the result that yes, AES instructions are supported (incorrectly so):

Try using AES-NI crypto: yes

So at run time, I get an 'illegal instruction' error. This was initially noticed while trying to connect to a wifi access point using wpa_supplicant - it can also be seen when running the tests included with libgcrypt:

root at clanton:/media/mmcblk0p1/libgcrypt-1.5.0-beta1# make check
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:md4:md5:rmd160:sha1:sha256:sha512:tiger:whirlpool:
rnd-mod:linux:
mpi-asm:i586/mpih-add1.S:i586/mpih-sub1.S:i586/mpih-mul1.S:i586/mpih-mul2.S:i586/mpih-mul3.S:i586/mpih-lshift.S:i586/mpih-rshift.S:
hwflist:
fips-mode:n:n:
PASS: version
PASS: t-mpi-bit
PASS: prime
PASS: register
PASS: ac
PASS: ac-schemes
PASS: ac-data
/bin/sh: line 4: 7998 Illegal instruction ${dir}$tst
FAIL: basic
PASS: mpitests
PASS: tsexp
PASS: keygen
PASS: pubkey
PASS: hmac
PASS: keygrip
PASS: fips186-dsa
PASS: aeswrap
PASS: curves
PASS: random
MD5 50ms 120ms 750ms 90ms 50ms
SHA1 130ms 190ms 830ms 170ms 130ms
RIPEMD160 140ms 200ms 850ms 190ms 140ms
TIGER192 250ms 360ms 1150ms 320ms 250ms
SHA256 290ms 430ms 1140ms 330ms 290ms
SHA384 500ms 720ms 1330ms 540ms 480ms
SHA512 490ms 730ms 1320ms 540ms 480ms
SHA224 290ms 440ms 1130ms 330ms 290ms
MD4 40ms 100ms 750ms 80ms 40ms
CRC32 30ms 40ms 570ms 80ms 40ms
CRC32RFC1510 30ms 30ms 570ms 80ms 40ms
CRC24RFC2440 260ms 260ms 770ms 300ms 270ms
WHIRLPOOL 1740ms 1950ms 2530ms 1820ms 1740ms
TIGER 260ms 350ms 1150ms 320ms 250ms
TIGER2 260ms 350ms 1150ms 320ms 250ms

 ECB/Stream CBC CFB OFB CTR
 --------------- --------------- --------------- --------------- ---------------
3DES 1160ms 1160ms 1220ms 1260ms 1200ms 1220ms 1220ms 1210ms 1310ms 1330ms
CAST5 400ms 410ms 460ms 470ms 440ms 460ms 460ms 460ms 550ms 530ms
BLOWFISH 380ms 410ms 430ms 490ms 410ms 430ms 430ms 430ms 530ms 520ms
AES 340ms 350ms/bin/sh: line 4: 8244 Illegal instruction ${dir}$tst
FAIL: benchmark
========================================
2 of 19 tests failed
Please report to bug-libgcrypt at gnupg.org
========================================
make[2]: *** [check-TESTS] Error 1
make[2]: Leaving directory `/media/mmcblk0p1/libgcrypt-1.5.0-beta1/tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/media/mmcblk0p1/libgcrypt-1.5.0-beta1/tests'
make: *** [check-recursive] Error 1

Has anyone seen any similar issues with configure failing to detect AES support accurately?

Erik.

From e1ven at e1ven.com Tue Jul 8 14:08:47 2014
From: e1ven at e1ven.com (Colin Davis) Date: Tue, 8 Jul 2014 08:08:47 -0400 Subject: Make fig2dev optional? In-Reply-To: <20140708073225.GA13767@pi.ip.fi> References: <2C2AC47D-8B62-4181-BBFC-C260A7DC782A@e1ven.com> <20140708073225.GA13767@pi.ip.fi> Message-ID: <53C082D1-E737-40BD-BE99-78CA3CCD4ED4@e1ven.com> Sorry about that! I went back to revise as you suggested, and ended up rewriting multiple time ;( Building the docs on OSX are still more difficult than it should be, since the default apps Apple ships are very old. After playing with it, it seems like it's probably best to just add a flag to skip building the documentation. I'm not sure if something along this line could be added, but it'd make it simpler, rather than trying to patch xfig, makeinfo, etc. https://gist.githubusercontent.com/e1ven/e971b3dd56452e15ac49/raw/598fdce8a14f1bafba5f462d12459b8079d7a1f9/disable-docs.patch From b34dd80872f833a3955a2a4fcf322e3a93a963c7 Mon Sep 17 00:00:00 2001 From: Colin Davis Date: Tue, 8 Jul 2014 07:54:34 -0400 Subject: [PATCH] Allow the --disable-docs config option to bypass building documentation --- Makefile.am | 10 ++++++++-- configure.ac | 8 ++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index 937bdaf..0f9a45e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -25,8 +25,14 @@ DISTCHECK_CONFIGURE_FLAGS = --disable-random-daemon \ # (A suitable gitlog-to-changelog script can be found in GnuPG master.) GITLOG_TO_CHANGELOG=gitlog-to-changelog -DIST_SUBDIRS = m4 compat mpi cipher random src doc tests -SUBDIRS = compat mpi cipher random src doc tests +DIST_SUBDIRS = m4 compat mpi cipher random src tests +SUBDIRS = compat mpi cipher random src tests + +if BUILD_DOCS +then +DIST_SUBDIRS += doc +SUBDIRS += doc +endif EXTRA_DIST = autogen.sh autogen.rc README.GIT LICENSES \ ChangeLog-2011 build-aux/ChangeLog-2011 doc/ChangeLog-2011 \ diff --git a/configure.ac b/configure.ac index c5952c7..1a41460 100644 --- a/configure.ac 
+++ b/configure.ac @@ -646,6 +646,14 @@ AC_ARG_ENABLE(amd64-as-feature-detection, amd64_as_feature_detection=yes) AC_MSG_RESULT($amd64_as_feature_detection) +# Implementation of the --disable-docs switch. +AC_MSG_CHECKING([whether to build documentation]) +AC_ARG_ENABLE(docs, + AC_HELP_STRING([--disable-docs], + [Disable the building of documentation]), + [:],enable_docs=yes) +AC_MSG_RESULT($enable_docs) +AM_CONDITIONAL([BUILD_DOCS], [test x"${enable_docs}" == xyes]) AC_DEFINE_UNQUOTED(PRINTABLE_OS_NAME, "$PRINTABLE_OS_NAME", [A human readable text with the name of the OS]) -- 2.0.1 On Jul 8, 2014, at 3:32 AM, Aki Tuomi wrote: > Usually conditionals like these are named HAVE_FIG2DEV. Can you perhaps consider > renaming your conditional? > > Kind regards, > Aki Tuomi From jussi.kivilinna at iki.fi Tue Jul 8 17:14:45 2014 
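Review bot: in the Makefile.am hunk, the `then` line after `if BUILD_DOCS` is not Automake syntax (conditionals are `if COND` / `else` / `endif` only) and will either be rejected by automake or land in a Makefile that make cannot parse; remove it. Also keep `doc` in DIST_SUBDIRS unconditionally: Automake uses DIST_SUBDIRS to decide which directories `make dist` and `make distclean` descend into, so making it conditional means a tarball rolled with --disable-docs lacks the doc directory altogether. Only SUBDIRS needs the conditional `+= doc`.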
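Review bot: in the configure.ac hunk, `test x"${enable_docs}" == xyes` uses `==`, which POSIX `test` does not define; when /bin/sh is dash the test reports an unexpected operator, evaluates false, and BUILD_DOCS is silently never set even without --disable-docs. Use a single `=`, the form the rest of configure.ac already uses (`test "x$fig2dev" = xyes` and `test "$gcry_cv_cc_arm_arch_is_v6" = "yes"` earlier in this thread). AC_HELP_STRING is also the deprecated spelling; AS_HELP_STRING is the current one.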
From: jussi.kivilinna at iki.fi (Jussi Kivilinna)
Date: Tue, 08 Jul 2014 18:14:45 +0300
Subject: AES-NI support detection: possible bug?
In-Reply-To:
References:
Message-ID: <53BC0AE5.5060501@iki.fi>

On 08.07.2014 13:35, Erik Nyquist wrote:
> I tried compiling libgcrypt-1.5.0 on a platform with a Quark SoC (intel low-power SoC, which does not support AES instructions):
>
> root at clanton:/media/mmcblk0p1# cat /proc/cpuinfo
> processor : 0
> vendor_id : GenuineIntel
> cpu family : 5
> model : 9
> model name : 05/09
> stepping : 0
> cpu MHz : 399.076
> cache size : 0 KB
> fdiv_bug : no
> hlt_bug : no
> f00f_bug : yes
> coma_bug : no
> fpu : yes
> fpu_exception : yes
> cpuid level : 7
> wp : yes
> flags : fpu vme pse tsc msr pae cx8 apic pbe nx smep
> bogomips : 798.15
> clflush size : 32
> cache_alignment : 32
> address sizes : 32 bits physical, 32 bits virtual
> power management:
>
> During configure, the feature detection for AES-NI appears to return with the result that yes, AES instructions are supported (incorrectly so):
>
> Try using AES-NI crypto: yes
>
> So at run time, I get an 'illegal instruction' error. This was initially noticed while trying to connect to a wifi access point using wpa_supplicant - it can also be seen when running the tests included with libgcrypt:
>
> root at clanton:/media/mmcblk0p1/libgcrypt-1.5.0-beta1# make check
>
> ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:
> pubkeys:dsa:elgamal:rsa:ecc:
> digests:crc:md4:md5:rmd160:sha1:sha256:sha512:tiger:whirlpool:
> rnd-mod:linux:
> mpi-asm:i586/mpih-add1.S:i586/mpih-sub1.S:i586/mpih-mul1.S:i586/mpih-mul2.S:i586/mpih-mul3.S:i586/mpih-lshift.S:i586/mpih-rshift.S:
> hwflist:
> fips-mode:n:n:
> PASS: version
> PASS: t-mpi-bit
> PASS: prime
> PASS: register
> PASS: ac
> PASS: ac-schemes
> PASS: ac-data
> /bin/sh: line 4: 7998 Illegal instruction ${dir}$tst
> FAIL: basic
> PASS: mpitests
> PASS: tsexp
> PASS: keygen
> PASS: pubkey
> PASS: hmac
> PASS: keygrip
> PASS: fips186-dsa
> PASS: aeswrap
> PASS: curves
> PASS: random
> MD5 50ms 120ms 750ms 90ms 50ms
> SHA1 130ms 190ms 830ms 170ms 130ms
> RIPEMD160 140ms 200ms 850ms 190ms 140ms
> TIGER192 250ms 360ms 1150ms 320ms 250ms
> SHA256 290ms 430ms 1140ms 330ms 290ms
> SHA384 500ms 720ms 1330ms 540ms 480ms
> SHA512 490ms 730ms 1320ms 540ms 480ms
> SHA224 290ms 440ms 1130ms 330ms 290ms
> MD4 40ms 100ms 750ms 80ms 40ms
> CRC32 30ms 40ms 570ms 80ms 40ms
> CRC32RFC1510 30ms 30ms 570ms 80ms 40ms
> CRC24RFC2440 260ms 260ms 770ms 300ms 270ms
> WHIRLPOOL 1740ms 1950ms 2530ms 1820ms 1740ms
> TIGER 260ms 350ms 1150ms 320ms 250ms
> TIGER2 260ms 350ms 1150ms 320ms 250ms
>
> ECB/Stream CBC CFB OFB CTR
> --------------- --------------- --------------- --------------- ---------------
> 3DES 1160ms 1160ms 1220ms 1260ms 1200ms 1220ms 1220ms 1210ms 1310ms 1330ms
> CAST5 400ms 410ms 460ms 470ms 440ms 460ms 460ms 460ms 550ms 530ms
> BLOWFISH 380ms 410ms 430ms 490ms 410ms 430ms 430ms 430ms 530ms 520ms
> AES 340ms 350ms/bin/sh: line 4: 8244 Illegal instruction ${dir}$tst
> FAIL: benchmark
> ========================================
> 2 of 19 tests failed
> Please report to bug-libgcrypt at gnupg.org
> ========================================
> make[2]: *** [check-TESTS] Error 1
> make[2]: Leaving directory `/media/mmcblk0p1/libgcrypt-1.5.0-beta1/tests'
> make[1]: *** [check-am] Error 2
> make[1]: Leaving directory `/media/mmcblk0p1/libgcrypt-1.5.0-beta1/tests'
> make: *** [check-recursive] Error 1
>
>
> Has anyone seen any similar issues with configure failing to detect AES support accurately?
>
> Erik.
>

Configure just checks that compiler supports AES-NI instructions and then libgcrypt attempts to use AES-NI if supported by CPU. 'make check' shows line "hwflist:" which means that libgcrypt did not detect any hardware acceleration feature (AES-NI, PCMUL, AVX, etc) for this CPU and such code should not be running.

However, 1.5.0 did have a bug where XMM registers were used outside AES-NI checks and this was fixed for 1.5.1 by commit:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=e0139f73600ed584f23d57a2baf768e32ea900ec

So, please try libgcrypt 1.5.1... or 1.5.3 instead.

-Jussi

From grothoff at in.tum.de Thu Jul 10 19:35:24 2014
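The distinction Jussi draws above, that configure only proves the compiler can emit AES-NI while the CPU has to be asked at run time (which is what the hwflist: line reports), as an added example that is not libgcrypt's own detection code: on x86 builds it reads CPUID leaf 1 and gates an AES-NI fast path on the result, and a pure helper turns ECX/EDX values into a hwflist-style list so the decision logic can be exercised with constructed register values and no special hardware. A Quark-class CPU with none of these bits yields an empty list and takes the software path; the Illegal instruction above is what happens when code skips that check. The bit positions are the documented CPUID.(EAX=1) ones; the function and macro names are this example's own.

```c
/* Added example, not libgcrypt code: decide at run time, from CPUID, whether
 * AES-NI (and a few related x86 extensions) may be used.  A configure-time
 * "compiler accepts these instructions" check says nothing about the CPU the
 * binary ends up on; a Quark has none of these bits and traps on AES-NI. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>                 /* GCC/Clang: __get_cpuid() */
#endif

/* Feature bits in CPUID.(EAX=1):ECX / :EDX, as documented by Intel and AMD. */
#define CPUID1_ECX_PCLMUL  (1u << 1)
#define CPUID1_ECX_SSSE3   (1u << 9)
#define CPUID1_ECX_SSE41   (1u << 19)
#define CPUID1_ECX_AESNI   (1u << 25)
#define CPUID1_ECX_OSXSAVE (1u << 27)
#define CPUID1_ECX_AVX     (1u << 28)
#define CPUID1_EDX_SSE2    (1u << 26)

/* 1 if the AES-NI bit is set in a CPUID.1:ECX value, else 0. */
int aesni_bit_set(unsigned ecx)
{
  return (ecx & CPUID1_ECX_AESNI) ? 1 : 0;
}

/* Writes the accelerations implied by a CPUID.1 ECX/EDX pair into out as a
 * colon-terminated list in the style of libgcrypt's "hwflist:" line and
 * returns how many were listed.  AVX is listed only if OSXSAVE is also set:
 * without OS support for the extended register state, AVX instructions fault
 * even on a CPU that implements them (a complete check also reads XCR0 with
 * xgetbv, which this example leaves out). */
int hwfeatures_list(unsigned ecx, unsigned edx, char *out, size_t outlen)
{
  static const struct {
    int use_edx;            /* which register the bit lives in */
    unsigned bit;
    int needs_osxsave;
    const char *name;
  } tab[] = {
    { 1, CPUID1_EDX_SSE2,   0, "sse2"   },
    { 0, CPUID1_ECX_SSSE3,  0, "ssse3"  },
    { 0, CPUID1_ECX_SSE41,  0, "sse4.1" },
    { 0, CPUID1_ECX_PCLMUL, 0, "pclmul" },
    { 0, CPUID1_ECX_AESNI,  0, "aesni"  },
    { 0, CPUID1_ECX_AVX,    1, "avx"    },
  };
  size_t i, used = 0;
  int count = 0;

  if (outlen == 0)
    return 0;
  out[0] = '\0';
  for (i = 0; i < sizeof tab / sizeof tab[0]; i++)
    {
      unsigned reg = tab[i].use_edx ? edx : ecx;
      size_t len = strlen(tab[i].name) + 1;     /* name plus ':' */

      if (!(reg & tab[i].bit))
        continue;
      if (tab[i].needs_osxsave && !(ecx & CPUID1_ECX_OSXSAVE))
        continue;
      if (used + len + 1 > outlen)              /* keep room for the NUL */
        break;
      memcpy(out + used, tab[i].name, len - 1);
      out[used + len - 1] = ':';
      used += len;
      out[used] = '\0';
      count++;
    }
  return count;
}

/* Asks the running CPU.  1 means the AES-NI path may be taken, 0 means the
 * portable software AES must be used (also on non-x86 builds). */
int cpu_has_aesni(void)
{
#if defined(__i386__) || defined(__x86_64__)
  unsigned eax, ebx, ecx, edx;
  if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
    return aesni_bit_set(ecx);
#endif
  return 0;
}

int main(void)
{
  char list[128];
  unsigned ecx = 0, edx = 0;
#if defined(__i386__) || defined(__x86_64__)
  unsigned eax, ebx;
  __get_cpuid(1, &eax, &ebx, &ecx, &edx);
#endif
  hwfeatures_list(ecx, edx, list, sizeof list);
  printf("hwflist:%s\n", list);
  printf("aes: %s\n", cpu_has_aesni() ? "aesni" : "software fallback");
  return 0;
}
```

The dispatch rule is the important part: the accelerated routine is selected by `cpu_has_aesni()` at run time, never by the compiler flags that configure tested, so the same binary runs on a Quark and on a CPU with AES-NI.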
From: grothoff at in.tum.de (Christian Grothoff)
Date: Thu, 10 Jul 2014 19:35:24 +0200
Subject: ec subtract
In-Reply-To: <20140710171426.GE32268@trolle>
References: <20140710171426.GE32268@trolle>
Message-ID: <53BECEDC.106@in.tum.de>

Hohey!

Sounds like a question for libgcrypt hackers. Extending the API to make it trivial to invert a point would make sense IMO.

Happy hacking!

Christian

On 07/10/2014 07:14 PM, Markus Teich wrote:
> Heyho,
>
> for the ECBD I need to subtract two points on the curve (Z_{i+1} - Z_{i-1}). I
> found out[0], that I have to invert the y value of the second point to achieve
> this. However in libgcrypt (1.6.1) there seems to be no function, which achieves
> that easily[1]. Do I really have to use gcry_mpi_point_get, gcry_mpi_sub and
> gcry_mpi_point_set to invert the point?
>
> A gcry_mpi_ec_sub should definitely be supplied by the libgcrypt API.
>
> --Markus
>
>
> [0] http://crypto.stackexchange.com/questions/11316/subtracting-a-point-in-elliptic-curve-cryptography
> [1] https://www.gnupg.org/documentation/manuals/gcrypt/EC-functions.html

From sreeharsha at totakura.in Thu Jul 10 21:12:05 2014
From: sreeharsha at totakura.in (Sree Harsha Totakura)
Date: Thu, 10 Jul 2014 21:12:05 +0200
Subject: ec subtract
In-Reply-To: <53BECEDC.106@in.tum.de>
References: <20140710171426.GE32268@trolle> <53BECEDC.106@in.tum.de>
Message-ID: <53BEE585.3000409@totakura.in>

On 07/10/2014 07:35 PM, Christian Grothoff wrote:
>> for the ECBD I need to subtract two points on the curve (Z_{i+1} - Z_{i-1}). I
>> found out[0], that I have to invert the y value of the second point to achieve
>> this. However in libgcrypt (1.6.1) there seems to be no function, which achieves
>> that easily[1]. Do I really have to use gcry_mpi_point_get, gcry_mpi_sub and
>> gcry_mpi_point_set to invert the point?

Or, you can add point B to point at infinity, (0, 1, 0) in jacobian coordinates, and then add the result to A to get A - B.

So, this could be done as: A + B + INFINITY.

Note that simply inverting the affine y value won't be correct for some curves.

Sree

From j.breier at gmx.de Thu Jul 10 23:46:54 2014
From: j.breier at gmx.de (Jakob Breier)
Date: Thu, 10 Jul 2014 23:46:54 +0200
Subject: ec subtract
In-Reply-To: <53BEE585.3000409@totakura.in>
References: <20140710171426.GE32268@trolle> <53BECEDC.106@in.tum.de> <53BEE585.3000409@totakura.in>
Message-ID: <53BF09CE.6090000@gmx.de>

On 10.07.2014 21:12, Sree Harsha Totakura wrote:
> Or, you can add point B to point at infinity, (0, 1, 0) in jacobian
> coordinates, and then add the result to A to get A - B.
>
> So, this could be done as: A + B + INFINITY.

I don't usually follow this list, so there might be something really strange with the implementation I don't know of, but the point at infinity normally is the neutral element of the group. So A+B+Infinity = A+B.

Regards,
Jakob

From sreeharsha at totakura.in Fri Jul 11 00:35:47 2014
From: sreeharsha at totakura.in (Sree Harsha Totakura)
Date: Fri, 11 Jul 2014 00:35:47 +0200
Subject: ec subtract
In-Reply-To: <53BF09CE.6090000@gmx.de>
References: <20140710171426.GE32268@trolle> <53BECEDC.106@in.tum.de> <53BEE585.3000409@totakura.in> <53BF09CE.6090000@gmx.de>
Message-ID: <53BF1543.4010403@totakura.in>

On 07/10/2014 11:46 PM, Jakob Breier wrote:
> On 10.07.2014 21:12, Sree Harsha Totakura wrote:
>> Or, you can add point B to point at infinity, (0, 1, 0) in jacobian
>> coordinates, and then add the result to A to get A - B.
>>
>> So, this could be done as: A + B + INFINITY.
>
> I don't usually follow this list, so there might be something really
> strange with the implementation I don't know of, but the point at
> infinity normally is the neutral element of the group. So A+B+Infinity =
> A+B.

Ah, I was wrong. It has nothing to do with the implementation, what I suggested wouldn't work.

Sree

From gniibe at fsij.org Fri Jul 11 04:14:16 2014
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 11 Jul 2014 11:14:16 +0900
Subject: ec subtract
In-Reply-To: <53BECEDC.106@in.tum.de>
References: <20140710171426.GE32268@trolle> <53BECEDC.106@in.tum.de>
Message-ID: <1405044856.4772.1.camel@cfw2.gniibe.org>

Hello,

On 2014-07-10 at 19:35 +0200, Christian Grothoff wrote:
> Sounds like a question for libgcrypt hackers. Extending the API to
> make it trivial to invert a point would make sense IMO.

As I only have experience of GnuPG, I'm not sure what kind of API is better for libgcrypt, but, I'm just considering making gcry_mpi_ec_add_points to private function (i.e., opposite direction).

So, I'm interested in your situation.

On 07/10/2014 07:14 PM, Markus Teich wrote:
> for the ECBD I need to subtract two points on the curve (Z_{i+1} - Z_{i-1}). I
> found out[0], that I have to invert the y value of the second point to achieve
> this.

I wonder if you can explain ECBD. If it's some crypto protocol, isn't it better to be implemented within libgcrypt?

My background is supporting Curve25519, ECDH on Montgomery curve. In its computation, we don't care Y-coordinate, and gcry_mpi_ec_add_points has to return an error as "not supported by the curve".
--

From teichm at in.tum.de Fri Jul 11 11:12:41 2014
From: teichm at in.tum.de (Markus Teich)
Date: Fri, 11 Jul 2014 11:12:41 +0200
Subject: ec subtract
In-Reply-To: <1405044856.4772.1.camel@cfw2.gniibe.org>
References: <20140710171426.GE32268@trolle> <53BECEDC.106@in.tum.de> <1405044856.4772.1.camel@cfw2.gniibe.org>
Message-ID: <20140711091241.GA2521@trolle>

Heyho,

NIIBE Yutaka wrote:
> As I only have experience of GnuPG, I'm not sure what kind of API is better
> for libgcrypt, but, I'm just considering making gcry_mpi_ec_add_points to
> private function (i.e., opposite direction).
>
> So, I'm interested in your situation.

Wouldn't that imply that you don't want the user to implement crypto algorithms at all? Then you would probably have to make the mpi API private as well.

> I wonder if you can explain ECBD. If its some crypto protocol, isn't it
> better to be implemented within libgcrypt?

I mean the Burmester-Desmedt Group Key Exchange adapted to elliptic curves[0].

> My background is supporting Curve25519, ECDH on Montgomery curve. In its
> computation, we don't care Y-coordinate, and gcry_mpi_ec_add_points has to
> return an error as "not supported by the curve".

I am kind of new to EC, so which functions from libgcrypt (1.6.1) would you recommend to implement the ECBD? My code is published under LGPL, so if it's not too bad, you could later adopt it into libgcrypt if you like.

--Markus

[0] http://crypo.cased.de/assets/Publications/MaMASS05.pdf

From gniibe at fsij.org Fri Jul 11 15:00:34 2014
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 11 Jul 2014 22:00:34 +0900
Subject: ec subtract
In-Reply-To: <20140711091241.GA2521@trolle>
References: <20140710171426.GE32268@trolle> <53BECEDC.106@in.tum.de> <1405044856.4772.1.camel@cfw2.gniibe.org> <20140711091241.GA2521@trolle>
Message-ID: <1405083634.3861.1.camel@latx1.gniibe.org>

On 2014-07-11 at 11:12 +0200, Markus Teich wrote:
> Wouldn't that imply that you don't want the user to implement crypto
> algorithms at all?

I don't say so. With my limited experience, I don't have much knowledge how good crypto library should be organized/structured. I just know that we should not build crypto routines on top of general purpose MPI, and we need to care about possible attacks. I'm afraid if current API or implementation of libgcrypt is good enough for such users who want to implement crypto routines on top of it.

> I mean the Burmester-Desmedt Group Key Exchange adapted to elliptic curves[0].

Thank you. I read the paper briefly, and I understand you want to use subtraction, in the Figure 1. "uBD Setup".

> I am kind of new to EC, so which functions from libgcrypt (1.6.1) would you
> recommend to implement the ECBD?

Please don't take my comment as definitive. It's my personal opinion.

I think that ECC in libgcrypt is relatively new and there is much room to improve. It is unfortunate now, subtraction of EC point is not exported function.

If I were you and I had to stand with such a constraint, I'd use negative scalar for n in [n]P. I mean, I would have to modify the expression:

    Xi = [ri](Zi+1 - Zi-1)

one point subtraction and one scalar multiplication of point into:

    Xi = [ri]Zi+1 + [-ri]Zi-1

two scalar multiplications of point and one point addition
--

From gniibe at fsij.org Wed Jul 16 10:11:58 2014
From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 16 Jul 2014 17:11:58 +0900 Subject: [PATCH] Curve25519 patch revised In-Reply-To: <1403270939.3855.0.camel@latx1.gniibe.org> References: <1403157515.2821.8.camel@cfw2.gniibe.org> <1403168653.2821.9.camel@cfw2.gniibe.org> <1403231035.2376.2.camel@cfw2.gniibe.org> <87a998ne2n.fsf@vigenere.g10code.de> <1403270939.3855.0.camel@latx1.gniibe.org> Message-ID: <1405498318.20960.1.camel@cfw2.gniibe.org> Hello, I'm back. On 2014-06-20 at 11:08 +0200, Werner Koch wrote: > Can you change the name to mpi_swap_cond ? I would also prefer to keep > it an internal function for now and add it to the public API only > later. This allows to backport it to 1.6. Here it is. I'm going to commit&push this. No build issue. mpi: Add mpi_swap_cond. * mpi/mpiutil.c (_gcry_mpi_swap_cond): New. * src/mpi.h (mpi_swap_cond): New. -- This is an internal function for now. diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c index fdce578..f74dd91 100644 --- a/mpi/mpiutil.c +++ b/mpi/mpiutil.c @@ -542,6 +542,34 @@ _gcry_mpi_swap (gcry_mpi_t a, gcry_mpi_t b) } +void +_gcry_mpi_swap_cond (gcry_mpi_t a, gcry_mpi_t b, unsigned long swap) +{ + size_t i; + size_t nlimbs = a->alloced; + unsigned long mask = 0UL - !!swap; + unsigned long x; + + if (a->alloced != b->alloced) + log_bug ("mpi_swap_cond: different sizes\n"); + + for (i = 0; i < nlimbs; i++) + { + x = mask & (a->d[i] ^ b->d[i]); + a->d[i] = a->d[i] ^ x; + b->d[i] = b->d[i] ^ x; + } + + x = mask & (a->nlimbs ^ b->nlimbs); + a->nlimbs = a->nlimbs ^ x; + b->nlimbs = b->nlimbs ^ x; + + x = mask & (a->sign ^ b->sign); + a->sign = a->sign ^ x; + b->sign = b->sign ^ x; +} + + gcry_mpi_t _gcry_mpi_new (unsigned int nbits) { diff --git a/src/mpi.h b/src/mpi.h index eb0730e..2479560 100644 --- a/src/mpi.h +++ b/src/mpi.h 
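Review bot: in the mpi/mpiutil.c hunk, the new function has no header comment, and its contract is exactly the kind that gets misused later: when `swap` is non-zero it exchanges the limb contents, `nlimbs` and `sign` of `a` and `b` in place, it walks all `alloced` limbs rather than `nlimbs` so the work done does not depend on the operand values, and after `mask = 0UL - !!swap` it never branches on `swap` (the whole point for the Montgomery ladder). Two things the comment should state for callers: `a->alloced != b->alloced` goes to log_bug, which aborts the process rather than returning an error, so both operands must be resized to the same allocation before the call; and the `d` pointers are deliberately not exchanged, only their contents, so each buffer keeps its own allocation. One more line noting that `!!swap` relies on the compiler not turning the boolean conversion into a data-dependent branch would help whoever audits this later.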
@@ -119,12 +119,14 @@ void _gcry_mpi_immutable_failed (void); #define mpi_alloc_set_ui(a) _gcry_mpi_alloc_set_ui ((a)) #define mpi_m_check(a) _gcry_mpi_m_check ((a)) #define mpi_const(n) _gcry_mpi_const ((n)) +#define mpi_swap_cond(a,b,sw) _gcry_mpi_swap_cond ((a),(b),(sw)) void _gcry_mpi_clear( gcry_mpi_t a ); gcry_mpi_t _gcry_mpi_alloc_like( gcry_mpi_t a ); gcry_mpi_t _gcry_mpi_alloc_set_ui( unsigned long u); void _gcry_mpi_m_check( gcry_mpi_t a ); void _gcry_mpi_swap( gcry_mpi_t a, gcry_mpi_t b); +void _gcry_mpi_swap_cond (gcry_mpi_t a, gcry_mpi_t b, unsigned long swap); gcry_mpi_t _gcry_mpi_new (unsigned int nbits); gcry_mpi_t _gcry_mpi_snew (unsigned int nbits); gcry_mpi_t _gcry_mpi_set_opaque_copy (gcry_mpi_t a, -- From cvs at cvs.gnupg.org Wed Jul 16 10:14:46 2014 From: cvs at cvs.gnupg.org (by NIIBE Yutaka) Date: Wed, 16 Jul 2014 10:14:46 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-95-g4846e52 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 4846e52728970e3117f3a046ef9010be089a3ae4 (commit) from 1b9b00bbe41bbed32563f1102049521e703e72bd (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 4846e52728970e3117f3a046ef9010be089a3ae4 Author: NIIBE Yutaka Date: Wed Jul 16 17:05:55 2014 +0900 mpi: Add mpi_swap_cond. * mpi/mpiutil.c (_gcry_mpi_swap_cond): New. * src/mpi.h (mpi_swap_cond): New. -- This is an internal function for now. diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c index fdce578..f74dd91 100644 --- a/mpi/mpiutil.c +++ b/mpi/mpiutil.c 
@@ -542,6 +542,34 @@ _gcry_mpi_swap (gcry_mpi_t a, gcry_mpi_t b) } +void +_gcry_mpi_swap_cond (gcry_mpi_t a, gcry_mpi_t b, unsigned long swap) +{ + size_t i; + size_t nlimbs = a->alloced; + unsigned long mask = 0UL - !!swap; + unsigned long x; + + if (a->alloced != b->alloced) + log_bug ("mpi_swap_cond: different sizes\n"); + + for (i = 0; i < nlimbs; i++) + { + x = mask & (a->d[i] ^ b->d[i]); + a->d[i] = a->d[i] ^ x; + b->d[i] = b->d[i] ^ x; + } + + x = mask & (a->nlimbs ^ b->nlimbs); + a->nlimbs = a->nlimbs ^ x; + b->nlimbs = b->nlimbs ^ x; + + x = mask & (a->sign ^ b->sign); + a->sign = a->sign ^ x; + b->sign = b->sign ^ x; +} + + gcry_mpi_t _gcry_mpi_new (unsigned int nbits) { diff --git a/src/mpi.h b/src/mpi.h index eb0730e..2479560 100644 --- a/src/mpi.h +++ b/src/mpi.h @@ -119,12 +119,14 @@ void _gcry_mpi_immutable_failed (void); #define mpi_alloc_set_ui(a) _gcry_mpi_alloc_set_ui ((a)) #define mpi_m_check(a) _gcry_mpi_m_check ((a)) #define mpi_const(n) _gcry_mpi_const ((n)) +#define mpi_swap_cond(a,b,sw) _gcry_mpi_swap_cond ((a),(b),(sw)) void _gcry_mpi_clear( gcry_mpi_t a ); gcry_mpi_t _gcry_mpi_alloc_like( gcry_mpi_t a ); gcry_mpi_t _gcry_mpi_alloc_set_ui( unsigned long u); void _gcry_mpi_m_check( gcry_mpi_t a ); void _gcry_mpi_swap( gcry_mpi_t a, gcry_mpi_t b); +void _gcry_mpi_swap_cond (gcry_mpi_t a, gcry_mpi_t b, unsigned long swap); gcry_mpi_t _gcry_mpi_new (unsigned int nbits); gcry_mpi_t _gcry_mpi_snew (unsigned int nbits); gcry_mpi_t _gcry_mpi_set_opaque_copy (gcry_mpi_t a, ----------------------------------------------------------------------- Summary of changes: mpi/mpiutil.c | 28 ++++++++++++++++++++++++++++ src/mpi.h | 2 ++ 2 files changed, 30 insertions(+) hooks/post-receive -- The GNU crypto library http://git.gnupg.org _______________________________________________ Gnupg-commits mailing list Gnupg-commits at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-commits From gniibe at fsij.org Wed Jul 16 16:02:10 2014 
From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 16 Jul 2014 23:02:10 +0900 Subject: [PATCH] Curve25519 patch revised In-Reply-To: <1405498318.20960.1.camel@cfw2.gniibe.org> References: <1403157515.2821.8.camel@cfw2.gniibe.org> <1403168653.2821.9.camel@cfw2.gniibe.org> <1403231035.2376.2.camel@cfw2.gniibe.org> <87a998ne2n.fsf@vigenere.g10code.de> <1403270939.3855.0.camel@latx1.gniibe.org> <1405498318.20960.1.camel@cfw2.gniibe.org> Message-ID: <1405519330.3778.0.camel@latx1.gniibe.org> Here is a patch adding cofactor to the domain parameters of ECC. Note that this introduce KEYGRIP value change. diff --git a/cipher/ecc-common.h b/cipher/ecc-common.h index c407c74..779a297 100644 --- a/cipher/ecc-common.h +++ b/cipher/ecc-common.h @@ -32,6 +32,7 @@ typedef struct or d as used by Twisted Edwards curves. */ mpi_point_struct G; /* Base point (generator). */ gcry_mpi_t n; /* Order of G. */ + gcry_mpi_t h; /* Cofactor. */ const char *name; /* Name of the curve or NULL. */ } elliptic_curve_t; @@ -75,7 +76,7 @@ gpg_err_code_t _gcry_ecc_update_curve_param (const char *name, enum ecc_dialects *dialect, gcry_mpi_t *p, gcry_mpi_t *a, gcry_mpi_t *b, gcry_mpi_t *g, - gcry_mpi_t *n); + gcry_mpi_t *n, gcry_mpi_t *h); const char *_gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c index 0f622f7..a6a1171 100644 --- a/cipher/ecc-curves.c +++ b/cipher/ecc-curves.c @@ -110,6 +110,7 @@ typedef struct Curves b is used for d. */ const char *n; /* The order of the base point. */ const char *g_x, *g_y; /* Base point. */ + const char *h; /* Cofactor. */ } ecc_domain_parms_t; 
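Review bot: in the cipher/ecc-common.h hunks, adding `gcry_mpi_t h` to elliptic_curve_t and a `gcry_mpi_t *h` output to _gcry_ecc_update_curve_param means every place that fills, copies or frees an elliptic_curve_t, and every caller of _gcry_ecc_update_curve_param, now has to allocate and release `h` too; none of that is in this patch, so please either include those call sites or say in the commit message which follow-up covers them, otherwise `h` is uninitialised or leaked. The keygrip change mentioned in the cover text also deserves its own sentence in the commit message: existing ECC keys get a different keygrip after this, which affects anything that indexes keys by keygrip, so consider leaving `h` out of the keygrip computation unless there is a specific reason it must change.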
@@ -125,7 +126,8 @@ static const ecc_domain_parms_t domain_parms[] = "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A", "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", - "0x6666666666666666666666666666666666666666666666666666666666666658" + "0x6666666666666666666666666666666666666666666666666666666666666658", + "0x08" }, #if 0 /* No real specs yet found. */ { @@ -140,7 +142,8 @@ static const ecc_domain_parms_t domain_parms[] = "706022B36F1C0338AD63CF181B0E71A5E106AF79", "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D" "6D6BA111301A73FAA8537C64C4FD3812F3CBC595", - "0x22" + "0x22", + "0x08" }, #endif /*0*/ { @@ -152,7 +155,8 @@ static const ecc_domain_parms_t domain_parms[] = "0xffffffffffffffffffffffff99def836146bc9b1b4d22831", "0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012", - "0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811" + "0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811", + "0x01" }, { "NIST P-224", 224, 1, @@ -163,7 +167,8 @@ static const ecc_domain_parms_t domain_parms[] = "0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d" , "0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", - "0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34" + "0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34", + "0x01" }, { "NIST P-256", 256, 1, @@ -174,7 +179,8 @@ static const ecc_domain_parms_t domain_parms[] = "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" + "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", + "0x01" }, { "NIST P-384", 384, 1, 
@@ -191,7 +197,8 @@ static const ecc_domain_parms_t domain_parms[] = "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" "5502f25dbf55296c3a545e3872760ab7", "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" - "0a60b1ce1d7e819d7a431d7c90ea0e5f" + "0a60b1ce1d7e819d7a431d7c90ea0e5f", + "0x01" }, { "NIST P-521", 521, 1, @@ -208,7 +215,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d" "3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", "0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e" - "662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650" + "662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", + "0x01" }, { "brainpoolP160r1", 160, 0, @@ -218,7 +226,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x1e589a8595423412134faa2dbdec95c8d8675e58", "0xe95e4a5f737059dc60df5991d45029409e60fc09", "0xbed5af16ea3f6a4f62938c4631eb5af7bdbcdbc3", - "0x1667cb477a1a8ec338f94741669c976316da6321" + "0x1667cb477a1a8ec338f94741669c976316da6321", + "0x01" }, { "brainpoolP192r1", 192, 0, @@ -228,7 +237,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x469a28ef7c28cca3dc721d044f4496bcca7ef4146fbf25c9", "0xc302f41d932a36cda7a3462f9e9e916b5be8f1029ac4acc1", "0xc0a0647eaab6a48753b033c56cb0f0900a2f5c4853375fd6", - "0x14b690866abd5bb88b5f4828c1490002e6773fa2fa299b8f" + "0x14b690866abd5bb88b5f4828c1490002e6773fa2fa299b8f", + "0x01" }, { "brainpoolP224r1", 224, 0, @@ -238,7 +248,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x2580f63ccfe44138870713b1a92369e33e2135d266dbb372386c400b", "0xd7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939f", "0x0d9029ad2c7e5cf4340823b2a87dc68c9e4ce3174c1e6efdee12c07d", - "0x58aa56f772c0726f24c6b89e4ecdac24354b9e99caa3f6d3761402cd" + "0x58aa56f772c0726f24c6b89e4ecdac24354b9e99caa3f6d3761402cd", + "0x01" }, { "brainpoolP256r1", 256, 0, 
@@ -248,7 +259,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6", "0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7", "0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262", - "0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997" + "0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997", + "0x01" }, { "brainpoolP320r1", 320, 0, @@ -264,7 +276,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x43bd7e9afb53d8b85289bcc48ee5bfe6f20137d10a087eb6e7871e2a10a599c7" "10af8d0d39e20611", "0x14fdd05545ec1cc8ab4093247f77275e0743ffed117182eaa9c77877aaac6ac7" - "d35245d1692e8ee1" + "d35245d1692e8ee1", + "0x01" }, { "brainpoolP384r1", 384, 0, @@ -280,7 +293,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8" "e826e03436d646aaef87b2e247d4af1e", "0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff9912928" - "0e4646217791811142820341263c5315" + "0e4646217791811142820341263c5315", + "0x01" }, { "brainpoolP512r1", 512, 0, @@ -296,7 +310,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098e" "ff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822", "0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111" - "b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892" + "b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892", + "0x01" }, { "GOST2001-test", 256, 0, @@ -308,6 +323,7 @@ static const ecc_domain_parms_t domain_parms[] = "0x0000000000000000000000000000000000000000000000000000000000000002", "0x08e2a8a0e65147d4bd6316030e16d19c85c97f0a9ca267122b96abbcea7e8fc8", + "0x01" }, { "GOST2001-CryptoPro-A", 256, 0, 
@@ -317,7 +333,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x00000000000000000000000000000000000000000000000000000000000000a6", "0xffffffffffffffffffffffffffffffff6c611070995ad10045841b09b761b893", "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x8d91e471e0989cda27df505a453f2b7635294f2ddf23e3b122acc99c9e9f1e14" + "0x8d91e471e0989cda27df505a453f2b7635294f2ddf23e3b122acc99c9e9f1e14", + "0x01" }, { "GOST2001-CryptoPro-B", 256, 0, @@ -327,7 +344,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x3e1af419a269a5f866a7d3c25c3df80ae979259373ff2b182f49d4ce7e1bbc8b", "0x800000000000000000000000000000015f700cfff1a624e5e497161bcc8a198f", "0x0000000000000000000000000000000000000000000000000000000000000001", - "0x3fa8124359f96680b83d1c3eb2c070e5c545c9858d03ecfb744bf8d717717efc" + "0x3fa8124359f96680b83d1c3eb2c070e5c545c9858d03ecfb744bf8d717717efc", + "0x01" }, { "GOST2001-CryptoPro-C", 256, 0, @@ -337,7 +355,8 @@ static const ecc_domain_parms_t domain_parms[] = "0x000000000000000000000000000000000000000000000000000000000000805a", "0x9b9f605f5a858107ab1ec85e6b41c8aa582ca3511eddfb74f02f3a6598980bb9", "0x0000000000000000000000000000000000000000000000000000000000000000", - "0x41ece55743711a8c3cbf3783cd08c0ee4d4dc440d4641a8f366e550dfdb3bb67" + "0x41ece55743711a8c3cbf3783cd08c0ee4d4dc440d4641a8f366e550dfdb3bb67", + "0x01" }, { "GOST2012-test", 511, 0, @@ -354,6 +373,7 @@ static const ecc_domain_parms_t domain_parms[] = "fd60611262cd838dc6b60aa7eee804e28bc849977fac33b4b530f1b120248a9a", "0x2bb312a43bd2ce6e0d020613c857acddcfbf061e91e5f2c3f32447c259f39b2" "c83ab156d77f1496bf7eb3351e1ee4e43dc1a18b91b24640b6dbb92cb1add371e", + "0x01" }, { "GOST2012-tc26-A", 512, 0, 
@@ -370,6 +390,7 @@ static const ecc_domain_parms_t domain_parms[] = "0000000000000000000000000000000000000000000000000000000000000003", "0x7503cfe87a836ae3a61b8816e25450e6ce5e1c93acf1abc1778064fdcbefa921" "df1626be4fd036e93d75e6a50e3a41e98028fe5fc235f5b889a589cb5215f2a4", + "0x01" }, { "GOST2012-tc26-B", 512, 0, @@ -386,6 +407,7 @@ static const ecc_domain_parms_t domain_parms[] = "0000000000000000000000000000000000000000000000000000000000000002", "0x1a8f7eda389b094c2c071e3647a8940f3c123b697578c213be6dd9e6c8ec7335" "dcb228fd1edf4a39152cbcaaf8c0398828041055f94ceeec7e21340780fe41bd", + "0x01" }, { @@ -396,10 +418,11 @@ static const ecc_domain_parms_t domain_parms[] = "0x0000000000000000000000000000000000000000000000000000000000000007", "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", "0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", - "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8" + "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", + "0x01" }, - { NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL } + { NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL, NULL } }; @@ -530,6 +553,8 @@ _gcry_ecc_fill_in_curve (unsigned int nbits, const char *name, curve->b = scanval (domain_parms[idx].b); if (!curve->n) curve->n = scanval (domain_parms[idx].n); + if (!curve->h) + curve->h = scanval (domain_parms[idx].h); if (!curve->G.x) curve->G.x = scanval (domain_parms[idx].g_x); if (!curve->G.y) @@ -545,7 +570,7 @@ _gcry_ecc_fill_in_curve (unsigned int nbits, const char *name, /* Give the name of the curve NAME, store the curve parameters into P, - A, B, G, and N if they point to NULL value. Note that G is returned + A, B, G, N, and H if they point to NULL value. Note that G is returned in standard uncompressed format. Also update MODEL and DIALECT if they are not NULL. */ gpg_err_code_t 
@@ -553,7 +578,7 @@ _gcry_ecc_update_curve_param (const char *name, enum gcry_mpi_ec_models *model, enum ecc_dialects *dialect, gcry_mpi_t *p, gcry_mpi_t *a, gcry_mpi_t *b, - gcry_mpi_t *g, gcry_mpi_t *n) + gcry_mpi_t *g, gcry_mpi_t *n, gcry_mpi_t *h) { int idx; @@ -603,6 +628,11 @@ _gcry_ecc_update_curve_param (const char *name, _gcry_mpi_release (*n); *n = scanval (domain_parms[idx].n); } + if (h) + { + _gcry_mpi_release (*h); + *h = scanval (domain_parms[idx].h); + } return 0; } @@ -640,8 +670,8 @@ _gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits) /* * Extract the curve parameters.. */ - rc = gpg_err_code (sexp_extract_param (keyparms, NULL, "-pabgn", - &E.p, &E.a, &E.b, &mpi_g, &E.n, + rc = gpg_err_code (sexp_extract_param (keyparms, NULL, "-pabgnh", + &E.p, &E.a, &E.b, &mpi_g, &E.n, &E.h, NULL)); if (rc == GPG_ERR_NO_OBJ) { @@ -699,17 +729,22 @@ _gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits) if (!mpi_cmp (tmp, E.n)) { mpi_free (tmp); - tmp = scanval (domain_parms[idx].g_x); - if (!mpi_cmp (tmp, E.G.x)) + tmp = scanval (domain_parms[idx].h); + if (!mpi_cmp (tmp, E.h)) { mpi_free (tmp); - tmp = scanval (domain_parms[idx].g_y); - if (!mpi_cmp (tmp, E.G.y)) + tmp = scanval (domain_parms[idx].g_x); + if (!mpi_cmp (tmp, E.G.x)) { - result = domain_parms[idx].desc; - if (r_nbits) - *r_nbits = domain_parms[idx].nbits; - goto leave; + mpi_free (tmp); + tmp = scanval (domain_parms[idx].g_y); + if (!mpi_cmp (tmp, E.G.y)) + { + result = domain_parms[idx].desc; + if (r_nbits) + *r_nbits = domain_parms[idx].nbits; + goto leave; + } } } } @@ -726,6 +761,7 @@ _gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits) _gcry_mpi_release (mpi_g); _gcry_mpi_point_free_parts (&E.G); _gcry_mpi_release (E.n); + _gcry_mpi_release (E.h); return result; } 
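Review bot: in the _gcry_ecc_get_curve hunk at @@ -640,8 +670,8 @@ the format string "-pabgnh" makes h a required parameter, so a key given by explicit parameters but without an (h ...) entry now takes the GPG_ERR_NO_OBJ path and is no longer matched against the curve table by its parameters; since every key written before this change lacks h, consider "-pabgnh?" and skipping the h comparison in the @@ -699,17 +729,22 @@ hunk when E.h is NULL, or state the incompatibility explicitly next to the keygrip change.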
@@ -857,6 +893,7 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx, gcry_mpi_t b = NULL; gcry_mpi_point_t G = NULL; gcry_mpi_t n = NULL; + gcry_mpi_t h = NULL; gcry_mpi_point_t Q = NULL; gcry_mpi_t d = NULL; int flags = 0; @@ -899,6 +936,9 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx, errc = mpi_from_keyparam (&n, keyparam, "n"); if (errc) goto leave; + errc = mpi_from_keyparam (&h, keyparam, "h"); + if (errc) + goto leave; } } else @@ -972,6 +1012,11 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx, n = E->n; E->n = NULL; } + if (!h) + { + h = E->h; + E->h = NULL; + } _gcry_ecc_curve_free (E); xfree (E); } @@ -998,6 +1043,11 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx, ec->n = n; n = NULL; } + if (h) + { + ec->h = h; + h = NULL; + } /* Now that we know the curve name we can look for the public key Q. point_from_keyparam needs to know the curve parameters so @@ -1036,6 +1086,7 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx, mpi_free (b); _gcry_mpi_point_release (G); mpi_free (n); + mpi_free (h); _gcry_mpi_point_release (Q); mpi_free (d); return errc; @@ -1050,7 +1101,7 @@ _gcry_ecc_get_param_sexp (const char *name) elliptic_curve_t E; mpi_ec_t ctx; gcry_mpi_t g_x, g_y; - gcry_mpi_t pkey[6]; + gcry_mpi_t pkey[7]; gcry_sexp_t result; int i; @@ -1074,14 +1125,15 @@ _gcry_ecc_get_param_sexp (const char *name) pkey[2] = E.b; pkey[3] = _gcry_ecc_ec2os (g_x, g_y, E.p); pkey[4] = E.n; - pkey[5] = NULL; + pkey[5] = E.h; + pkey[6] = NULL; mpi_free (g_x); mpi_free (g_y); if (sexp_build (&result, NULL, - "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)))", - pkey[0], pkey[1], pkey[2], pkey[3], pkey[4])) + "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%m)))", + pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], pkey[5])) result = NULL; for (i=0; pkey[i]; i++) 
@@ -1108,6 +1160,8 @@ _gcry_ecc_get_mpi (const char *name, mpi_ec_t ec, int copy) return mpi_is_const (ec->b) && !copy? ec->b : mpi_copy (ec->b); if (!strcmp (name, "n") && ec->n) return mpi_is_const (ec->n) && !copy? ec->n : mpi_copy (ec->n); + if (!strcmp (name, "h") && ec->h) + return mpi_is_const (ec->h) && !copy? ec->h : mpi_copy (ec->h); if (!strcmp (name, "d") && ec->d) return mpi_is_const (ec->d) && !copy? ec->d : mpi_copy (ec->d); @@ -1206,6 +1260,11 @@ _gcry_ecc_set_mpi (const char *name, gcry_mpi_t newvalue, mpi_ec_t ec) mpi_free (ec->n); ec->n = mpi_copy (newvalue); } + else if (!strcmp (name, "h")) + { + mpi_free (ec->h); + ec->h = mpi_copy (newvalue); + } else if (*name == 'q' && (!name[1] || name[1] == '@')) { if (newvalue) diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c index d08a84f..6652b98 100644 --- a/cipher/ecc-eddsa.c +++ b/cipher/ecc-eddsa.c @@ -493,6 +493,7 @@ _gcry_ecc_eddsa_genkey (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx, point_init (&sk->E.G); point_set (&sk->E.G, &E->G); sk->E.n = mpi_copy (E->n); + sk->E.h = mpi_copy (E->h); point_init (&sk->Q); point_set (&sk->Q, &Q); diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c index 3f284fe..88266b5 100644 --- a/cipher/ecc-misc.c +++ b/cipher/ecc-misc.c @@ -43,6 +43,7 @@ _gcry_ecc_curve_free (elliptic_curve_t *E) mpi_free (E->b); E->b = NULL; _gcry_mpi_point_free_parts (&E->G); mpi_free (E->n); E->n = NULL; + mpi_free (E->h); E->h = NULL; } @@ -63,6 +64,7 @@ _gcry_ecc_curve_copy (elliptic_curve_t E) _gcry_mpi_point_init (&R.G); point_set (&R.G, &E.G); R.n = mpi_copy (E.n); + R.h = mpi_copy (E.h); return R; } diff --git a/cipher/ecc.c b/cipher/ecc.c index e0be2d4..eb5b3a8 100644 --- a/cipher/ecc.c +++ b/cipher/ecc.c 
@@ -145,6 +145,7 @@ nist_generate_key (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx, point_init (&sk->E.G); point_set (&sk->E.G, &E->G); sk->E.n = mpi_copy (E->n); + sk->E.h = mpi_copy (E->h); point_init (&sk->Q); /* We want the Q=(x,y) be a "compliant key" in terms of the @@ -459,6 +460,7 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) log_printmpi ("ecgen curve a", E.a); log_printmpi ("ecgen curve b", E.b); log_printmpi ("ecgen curve n", E.n); + log_printmpi ("ecgen curve h", E.h); log_printpnt ("ecgen curve G", &E.G, NULL); } @@ -525,14 +527,14 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) rc = sexp_build (r_skey, NULL, "(key-data" " (public-key" - " (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)))" + " (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(h%m)(q%m)))" " (private-key" - " (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)(d%m)))" + " (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(h%m)(q%m)(d%m)))" " )", curve_info, curve_flags, - sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, public, + sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, sk.E.h, public, curve_info, curve_flags, - sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, public, secret); + sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, sk.E.h, public, secret); else rc = sexp_build (r_skey, NULL, "(key-data" @@ -555,6 +557,7 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) log_printmpi ("ecgen result b", sk.E.b); log_printmpi ("ecgen result G", base); log_printmpi ("ecgen result n", sk.E.n); + log_printmpi ("ecgen result h", sk.E.h); log_printmpi ("ecgen result Q", public); log_printmpi ("ecgen result d", secret); if ((flags & PUBKEY_FLAG_EDDSA)) 
@@ -605,9 +608,9 @@ ecc_check_secret_key (gcry_sexp_t keyparms) /* Extract the parameters. */ if ((flags & PUBKEY_FLAG_PARAM)) - rc = sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?/q?+d", + rc = sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?h?/q?+d", &sk.E.p, &sk.E.a, &sk.E.b, &mpi_g, &sk.E.n, - &mpi_q, &sk.d, NULL); + &sk.E.h, &mpi_q, &sk.d, NULL); else rc = sexp_extract_param (keyparms, NULL, "/q?+d", &mpi_q, &sk.d, NULL); @@ -625,7 +628,7 @@ ecc_check_secret_key (gcry_sexp_t keyparms) rc = _gcry_ecc_update_curve_param (curvename, &sk.E.model, &sk.E.dialect, &sk.E.p, &sk.E.a, &sk.E.b, - &mpi_g, &sk.E.n); + &mpi_g, &sk.E.n, &sk.E.h); if (rc) return rc; } @@ -661,11 +664,12 @@ ecc_check_secret_key (gcry_sexp_t keyparms) log_printmpi ("ecc_testkey b", sk.E.b); log_printpnt ("ecc_testkey g", &sk.E.G, NULL); log_printmpi ("ecc_testkey n", sk.E.n); + log_printmpi ("ecc_testkey h", sk.E.h); log_printmpi ("ecc_testkey q", mpi_q); if (!fips_mode ()) log_printmpi ("ecc_testkey d", sk.d); } - if (!sk.E.p || !sk.E.a || !sk.E.b || !sk.E.G.x || !sk.E.n || !sk.d) + if (!sk.E.p || !sk.E.a || !sk.E.b || !sk.E.G.x || !sk.E.n || !sk.E.h || !sk.d) { rc = GPG_ERR_NO_OBJ; goto leave; @@ -702,6 +706,7 @@ ecc_check_secret_key (gcry_sexp_t keyparms) _gcry_mpi_release (mpi_g); point_free (&sk.E.G); _gcry_mpi_release (sk.E.n); + _gcry_mpi_release (sk.E.h); _gcry_mpi_release (mpi_q); point_free (&sk.Q); _gcry_mpi_release (sk.d); @@ -742,9 +747,9 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) * Extract the key. */ if ((ctx.flags & PUBKEY_FLAG_PARAM)) - rc = sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?/q?+d", + rc = sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?h?/q?+d", &sk.E.p, &sk.E.a, &sk.E.b, &mpi_g, &sk.E.n, - &mpi_q, &sk.d, NULL); + &sk.E.h, &mpi_q, &sk.d, NULL); else rc = sexp_extract_param (keyparms, NULL, "/q?+d", &mpi_q, &sk.d, NULL); 
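Review bot: the new `!sk.E.h` test in the ecc_check_secret_key hunk at @@ -661,11 +664,12 @@ (repeated for ecc_sign, ecc_verify, ecc_encrypt_raw and ecc_decrypt_raw, and as `!ec->h` in _gcry_pk_ecc_get_sexp) turns a missing cofactor into GPG_ERR_NO_OBJ, so a key stored with explicit parameters by an older libgcrypt, which cannot contain h, stops working. The extraction format already marks it optional with "h?", and nothing in this patch computes with h (it is only stored, copied, logged and freed), so either drop h from these mandatory checks or fill it from the curve table when the curve is identified, before the check.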
@@ -794,11 +799,12 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) log_printmpi ("ecc_sign b", sk.E.b); log_printpnt ("ecc_sign g", &sk.E.G, NULL); log_printmpi ("ecc_sign n", sk.E.n); + log_printmpi ("ecc_sign h", sk.E.h); log_printmpi ("ecc_sign q", mpi_q); if (!fips_mode ()) log_printmpi ("ecc_sign d", sk.d); } - if (!sk.E.p || !sk.E.a || !sk.E.b || !sk.E.G.x || !sk.E.n || !sk.d) + if (!sk.E.p || !sk.E.a || !sk.E.b || !sk.E.G.x || !sk.E.n || !sk.E.h || !sk.d) { rc = GPG_ERR_NO_OBJ; goto leave; @@ -839,6 +845,7 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) _gcry_mpi_release (mpi_g); point_free (&sk.E.G); _gcry_mpi_release (sk.E.n); + _gcry_mpi_release (sk.E.h); _gcry_mpi_release (mpi_q); point_free (&sk.Q); _gcry_mpi_release (sk.d); @@ -906,9 +913,9 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms) * Extract the key. */ if ((ctx.flags & PUBKEY_FLAG_PARAM)) - rc = sexp_extract_param (s_keyparms, NULL, "-p?a?b?g?n?/q", + rc = sexp_extract_param (s_keyparms, NULL, "-p?a?b?g?n?h?/q", &pk.E.p, &pk.E.a, &pk.E.b, &mpi_g, &pk.E.n, - &mpi_q, NULL); + &pk.E.n, &mpi_q, NULL); else rc = sexp_extract_param (s_keyparms, NULL, "/q", &mpi_q, NULL); @@ -959,9 +966,10 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms) log_printmpi ("ecc_verify b", pk.E.b); log_printpnt ("ecc_verify g", &pk.E.G, NULL); log_printmpi ("ecc_verify n", pk.E.n); + log_printmpi ("ecc_verify h", pk.E.h); log_printmpi ("ecc_verify q", mpi_q); } - if (!pk.E.p || !pk.E.a || !pk.E.b || !pk.E.G.x || !pk.E.n || !mpi_q) + if (!pk.E.p || !pk.E.a || !pk.E.b || !pk.E.G.x || !pk.E.n || !pk.E.h || !mpi_q) { rc = GPG_ERR_NO_OBJ; goto leave; 
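Review bot: in the ecc_verify hunk at @@ -906,9 +913,9 @@ the argument list passes &pk.E.n twice (`&pk.E.p, &pk.E.a, &pk.E.b, &mpi_g, &pk.E.n,` followed by `&pk.E.n, &mpi_q, NULL`) where the sixth argument should be &pk.E.h: the cofactor overwrites the just-extracted order, leaking that MPI, and pk.E.h stays NULL, so the `!pk.E.h` check added in the following hunk rejects every parameter-form key with GPG_ERR_NO_OBJ. A verify test over a key with explicit parameters would have caught this.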
@@ -1037,6 +1045,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms) _gcry_mpi_release (mpi_g); point_free (&pk.E.G); _gcry_mpi_release (pk.E.n); + _gcry_mpi_release (pk.E.h); _gcry_mpi_release (mpi_q); point_free (&pk.Q); _gcry_mpi_release (data); @@ -1116,8 +1125,8 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms) /* * Extract the key. */ - rc = sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?+q", - &pk.E.p, &pk.E.a, &pk.E.b, &mpi_g, &pk.E.n, + rc = sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?h?+q", + &pk.E.p, &pk.E.a, &pk.E.b, &mpi_g, &pk.E.n, &pk.E.h, &mpi_q, NULL); if (rc) goto leave; @@ -1160,9 +1169,10 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms) log_printmpi ("ecc_encrypt b", pk.E.b); log_printpnt ("ecc_encrypt g", &pk.E.G, NULL); log_printmpi ("ecc_encrypt n", pk.E.n); + log_printmpi ("ecc_encrypt n", pk.E.h); log_printmpi ("ecc_encrypt q", mpi_q); } - if (!pk.E.p || !pk.E.a || !pk.E.b || !pk.E.G.x || !pk.E.n || !mpi_q) + if (!pk.E.p || !pk.E.a || !pk.E.b || !pk.E.G.x || !pk.E.n || !pk.E.h || !mpi_q) { rc = GPG_ERR_NO_OBJ; goto leave; @@ -1220,6 +1230,7 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms) _gcry_mpi_release (mpi_g); point_free (&pk.E.G); _gcry_mpi_release (pk.E.n); + _gcry_mpi_release (pk.E.h); _gcry_mpi_release (mpi_q); point_free (&pk.Q); _gcry_mpi_release (data); @@ -1283,9 +1294,9 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms) /* * Extract the key. */ - rc = sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?+d", + rc = sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?h?+d", &sk.E.p, &sk.E.a, &sk.E.b, &mpi_g, &sk.E.n, - &sk.d, NULL); + &sk.E.h, &sk.d, NULL); if (rc) goto leave; if (mpi_g) 
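Review bot: in the ecc_encrypt_raw hunk at @@ -1160,9 +1169,10 @@ the new debug line `log_printmpi ("ecc_encrypt n", pk.E.h);` should be labelled "ecc_encrypt h"; as written the debug output shows two values named n, matching none of the other functions, which label the cofactor h.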
@@ -1326,10 +1337,11 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms) log_printmpi ("ecc_decrypt b", sk.E.b); log_printpnt ("ecc_decrypt g", &sk.E.G, NULL); log_printmpi ("ecc_decrypt n", sk.E.n); + log_printmpi ("ecc_decrypt h", sk.E.h); if (!fips_mode ()) log_printmpi ("ecc_decrypt d", sk.d); } - if (!sk.E.p || !sk.E.a || !sk.E.b || !sk.E.G.x || !sk.E.n || !sk.d) + if (!sk.E.p || !sk.E.a || !sk.E.b || !sk.E.G.x || !sk.E.n || !sk.E.h || !sk.d) { rc = GPG_ERR_NO_OBJ; goto leave; @@ -1386,6 +1398,7 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms) _gcry_mpi_release (mpi_g); point_free (&sk.E.G); _gcry_mpi_release (sk.E.n); + _gcry_mpi_release (sk.E.h); _gcry_mpi_release (sk.d); _gcry_mpi_release (data_e); xfree (curvename); @@ -1455,8 +1468,8 @@ ecc_get_nbits (gcry_sexp_t parms) static gpg_err_code_t compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparms) { -#define N_COMPONENTS 6 - static const char names[N_COMPONENTS+1] = "pabgnq"; +#define N_COMPONENTS 7 + static const char names[N_COMPONENTS+1] = "pabgnhq"; gpg_err_code_t rc; gcry_sexp_t l1; gcry_mpi_t values[N_COMPONENTS]; 
@@ -1484,24 +1497,24 @@ compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparms) if ((flags & PUBKEY_FLAG_PARAM)) { if ((flags & PUBKEY_FLAG_EDDSA)) - rc = sexp_extract_param (keyparms, NULL, "p?a?b?g?n?/q", + rc = sexp_extract_param (keyparms, NULL, "p?a?b?g?n?h?/q", &values[0], &values[1], &values[2], &values[3], &values[4], &values[5], - NULL); + &values[6], NULL); else - rc = sexp_extract_param (keyparms, NULL, "p?a?b?g?n?q", + rc = sexp_extract_param (keyparms, NULL, "p?a?b?g?n?h?q", &values[0], &values[1], &values[2], &values[3], &values[4], &values[5], - NULL); + &values[6], NULL); } else { if ((flags & PUBKEY_FLAG_EDDSA)) rc = sexp_extract_param (keyparms, NULL, "/q", - &values[5], NULL); + &values[6], NULL); else rc = sexp_extract_param (keyparms, NULL, "q", - &values[5], NULL); + &values[6], NULL); } if (rc) goto leave; @@ -1518,7 +1531,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparms) rc = _gcry_ecc_update_curve_param (curvename, &model, &dialect, &values[0], &values[1], &values[2], - &values[3], &values[4]); + &values[3], &values[4], &values[5]); if (rc) goto leave; } @@ -1556,7 +1569,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparms) if ((flags & PUBKEY_FLAG_EDDSA)) { if (dialect == ECC_DIALECT_ED25519) - rc = _gcry_ecc_eddsa_ensure_compact (values[5], 256); + rc = _gcry_ecc_eddsa_ensure_compact (values[6], 256); else rc = GPG_ERR_NOT_IMPLEMENTED; if (rc) @@ -1625,7 +1638,7 @@ _gcry_pk_ecc_get_sexp (gcry_sexp_t *r_sexp, int mode, mpi_ec_t ec) gcry_mpi_t mpi_G = NULL; gcry_mpi_t mpi_Q = NULL; - if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n) + if (!ec->p || !ec->a || !ec->b || !ec->G || !ec->n || !ec->h) return GPG_ERR_BAD_CRYPT_CTX; if (mode == GCRY_PK_GET_SECKEY && !ec->d) 
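Review bot: the compute_keygrip change (N_COMPONENTS 7 and names "pabgnhq" at @@ -1455,8 +1468,8 @@, with the values[] shifts at @@ -1484,24 +1497,24 @@) hashes the cofactor into the keygrip, and because the curve-name path fills values[5] from the table, the grip changes for keys given only by curve name as well, as the rewritten expected values for `(curve secp256r1)` and `(curve Ed25519)` in tests/keygrip.c show. The commit message should say that every existing ECC keygrip changes and that anything indexing keys by keygrip must be migrated; alternatively, leave h out of the hashed elements (elements_grip stays "pabgnq"), since the cofactor is fully determined by p, a, b and n and adds no identifying information.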
@@ -1677,15 +1690,15 @@ _gcry_pk_ecc_get_sexp (gcry_sexp_t *r_sexp, int mode, mpi_ec_t ec) { /* Let's return a private key. */ rc = sexp_build (r_sexp, NULL, - "(private-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)(d%m)))", - ec->p, ec->a, ec->b, mpi_G, ec->n, mpi_Q, ec->d); + "(private-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%m)(q%m)(d%m)))", + ec->p, ec->a, ec->b, mpi_G, ec->n, ec->h, mpi_Q, ec->d); } else if (ec->Q) { /* Let's return a public key. */ rc = sexp_build (r_sexp, NULL, - "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)))", - ec->p, ec->a, ec->b, mpi_G, ec->n, mpi_Q); + "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%m)(q%m)))", + ec->p, ec->a, ec->b, mpi_G, ec->n, ec->h, mpi_Q); } else rc = GPG_ERR_BAD_CRYPT_CTX; @@ -1745,7 +1758,7 @@ gcry_pk_spec_t _gcry_pubkey_spec_ecc = GCRY_PK_ECC, { 0, 0 }, (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR), "ECC", ecc_names, - "pabgnq", "pabgnqd", "sw", "rs", "pabgnq", + "pabgnhq", "pabgnhqd", "sw", "rs", "pabgnhq", ecc_generate, ecc_check_secret_key, ecc_encrypt_raw, diff --git a/mpi/ec.c b/mpi/ec.c index 4f35de0..737f12c 100644 --- a/mpi/ec.c +++ b/mpi/ec.c @@ -429,6 +429,7 @@ ec_deinit (void *opaque) mpi_free (ctx->b); _gcry_mpi_point_release (ctx->G); mpi_free (ctx->n); + mpi_free (ctx->h); /* The key. */ _gcry_mpi_point_release (ctx->Q); diff --git a/src/ec-context.h b/src/ec-context.h index 60ca759..c8f2ad0 100644 --- a/src/ec-context.h +++ b/src/ec-context.h @@ -38,6 +38,7 @@ struct mpi_ec_ctx_s gcry_mpi_t b; /* Second coefficient of the Weierstrass equation. */ gcry_mpi_point_t G; /* Base point (generator). */ gcry_mpi_t n; /* Order of G. */ + gcry_mpi_t h; /* Cofactor. */ /* The actual key. May not be set. */ gcry_mpi_point_t Q; /* Public key. */ diff --git a/tests/curves.c b/tests/curves.c index 0581452..178a192 100644 --- a/tests/curves.c +++ b/tests/curves.c 
@@ -41,6 +41,7 @@ static char const sample_key_1[] = " (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296" "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)\n" " (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)\n" +" (h #000000000000000000000000000000000000000000000000000000000000000001#)\n" " (q #0442B927242237639A36CE9221B340DB1A9AB76DF2FE3E171277F6A4023DED146EE" "86525E38CCECFF3FB8D152CC6334F70D23A525175C1BCBDDE6E023B2228770E#)\n" " ))"; @@ -57,6 +58,7 @@ static char const sample_key_2[] = " (g #04bed5af16ea3f6a4f62938c4631eb5af7bdbcdbc3" "1667cb477a1a8ec338f94741669c976316da6321#)\n" " (n #00e95e4a5f737059dc60df5991d45029409e60fc09#)\n" +" (h #000000000000000000000000000000000000000000000000000000000000000001#)\n" " (q #041111111111111111111111111111111111111111" "2222222222222222222222222222222222222222#)\n" " ))"; diff --git a/tests/keygrip.c b/tests/keygrip.c index 330935d..d50e59a 100644 --- a/tests/keygrip.c +++ b/tests/keygrip.c @@ -110,8 +110,9 @@ static struct " (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)" " (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)" " (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)" + " (h #000000000000000000000000000000000000000000000000000000000000000001#)" " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" + "\xE6\xBA\x0B\x38\xFC\xD0\x5C\x74\x47\x4C\x8E\x92\xD5\xCA\xE4\x69\xED\xEB\xC9\x1F" }, { GCRY_PK_ECDSA, 
@@ -122,8 +123,9 @@ static struct " (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)" " (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)" " (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)" + " (h #000000000000000000000000000000000000000000000000000000000000000001#)" " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" + "\xE6\xBA\x0B\x38\xFC\xD0\x5C\x74\x47\x4C\x8E\x92\xD5\xCA\xE4\x69\xED\xEB\xC9\x1F" }, { GCRY_PK_ECDSA, @@ -134,8 +136,9 @@ static struct " (b #5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B#)" " (g #046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5#)" " (n #00FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551#)" + " (h #000000000000000000000000000000000000000000000000000000000000000001#)" " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" + "\xE6\xBA\x0B\x38\xFC\xD0\x5C\x74\x47\x4C\x8E\x92\xD5\xCA\xE4\x69\xED\xEB\xC9\x1F" }, { GCRY_PK_ECDSA, @@ -143,7 +146,7 @@ static struct " (ecdsa" " (curve secp256r1)" " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" + "\xE6\xBA\x0B\x38\xFC\xD0\x5C\x74\x47\x4C\x8E\x92\xD5\xCA\xE4\x69\xED\xEB\xC9\x1F" }, { GCRY_PK_ECC, 
@@ -151,7 +154,7 @@ static struct " (ecc" " (curve secp256r1)" " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))", - "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6" + "\xE6\xBA\x0B\x38\xFC\xD0\x5C\x74\x47\x4C\x8E\x92\xD5\xCA\xE4\x69\xED\xEB\xC9\x1F" }, { /* Ed25519 standard */ GCRY_PK_ECC, @@ -162,8 +165,8 @@ static struct " 1CC662926E7EFF4982B7FB8B928E61CD74CCDD85277CC57196C3AD20B611085F" " 47BD24842905C049257673B3F5249524E0A41FAA17B25B818D0F97E625F1A1D0#)" " ))", - "\x0C\xCA\xB2\xFD\x48\x9A\x33\x40\x2C\xE8" - "\xE0\x4A\x1F\xB2\x45\xEA\x80\x3D\x0A\xF1" + "\x9F\x7F\xED\x00\x5C\x18\x7C\x07\x01\x7D" + "\xFC\xF2\xA2\xD4\xD1\xCE\x11\x59\x4F\x72" }, { /* Ed25519+EdDSA */ GCRY_PK_ECC, @@ -172,8 +175,8 @@ static struct " (curve Ed25519)(flags eddsa)" " (q #773E72848C1FD5F9652B29E2E7AF79571A04990E96F2016BF4E0EC1890C2B7DB#)" " ))", - "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70" - "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47" + "\x06\xCC\xA3\x1F\x4D\x23\x08\xF7\x91\xA2" + "\x48\xF7\x0E\x41\x4A\x70\x76\xC2\xA4\x95" }, { /* Ed25519+EdDSA (same but uncompressed)*/ GCRY_PK_ECC, @@ -184,8 +187,8 @@ static struct " 629ad237d1ed04dcd4abe1711dd699a1cf51b1584c4de7a4ef8b8a640180b26f" " 5bb7c29018ece0f46b01f2960e99041a5779afe7e2292b65f9d51f8c84723e77#)" " ))", - "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70" - "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47" + "\x06\xCC\xA3\x1F\x4D\x23\x08\xF7\x91\xA2" + "\x48\xF7\x0E\x41\x4A\x70\x76\xC2\xA4\x95" } }; diff --git a/tests/t-mpi-point.c b/tests/t-mpi-point.c index 88bb5bd..d72cd27 100644 --- a/tests/t-mpi-point.c +++ b/tests/t-mpi-point.c @@ -57,6 +57,7 @@ static struct const char *a, *b; /* The coefficients. */ const char *n; /* The order of the base point. */ const char *g_x, *g_y; /* Base point. */ + const char *h; /* Cofactor. */ } test_curve[] = { { 
@@ -67,7 +68,8 @@ static struct "0xffffffffffffffffffffffff99def836146bc9b1b4d22831", "0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012", - "0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811" + "0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811", + "0x01" }, { "NIST P-224", @@ -77,7 +79,8 @@ static struct "0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d" , "0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", - "0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34" + "0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34", + "0x01" }, { "NIST P-256", @@ -87,7 +90,8 @@ static struct "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", "0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" + "0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", + "0x01" }, { "NIST P-384", @@ -103,7 +107,8 @@ static struct "0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" "5502f25dbf55296c3a545e3872760ab7", "0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" - "0a60b1ce1d7e819d7a431d7c90ea0e5f" + "0a60b1ce1d7e819d7a431d7c90ea0e5f", + "0x01" }, { "NIST P-521", @@ -119,7 +124,8 @@ static struct "0xc6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3d" "baa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", "0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e6" - "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650" + "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", + "0x01" }, { "Ed25519", 
@@ -128,9 +134,10 @@ static struct "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A", "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", - "0x6666666666666666666666666666666666666666666666666666666666666658" + "0x6666666666666666666666666666666666666666666666666666666666666658", + "0x08" }, - { NULL, NULL, NULL, NULL, NULL } + { NULL, NULL, NULL, NULL, NULL, NULL } }; /* A sample public key for NIST P-256. */ @@ -556,6 +563,8 @@ context_param (void) if (get_and_cmp_point ("g", test_curve[idx].g_x, test_curve[idx].g_y, test_curve[idx].desc, ctx)) continue; + if (get_and_cmp_mpi ("h", test_curve[idx].h, test_curve[idx].desc, ctx)) + continue; } -- From teichm at in.tum.de Thu Jul 17 15:01:39 2014 
From: teichm at in.tum.de (Markus Teich)
Date: Thu, 17 Jul 2014 15:01:39 +0200
Subject: ec subtract
In-Reply-To: <1405083634.3861.1.camel@latx1.gniibe.org>
References: <20140710171426.GE32268@trolle> <53BECEDC.106@in.tum.de> <1405044856.4772.1.camel@cfw2.gniibe.org> <20140711091241.GA2521@trolle> <1405083634.3861.1.camel@latx1.gniibe.org>
Message-ID: <20140717130139.GD3110@trolle>

NIIBE Yutaka wrote:
> Xi = [ri](Zi+1 - Zi-1)
> one point subtraction and one scalar multiplication of point
>
> into:
>
> Xi = [ri]Zi+1 + [-ri]Zi-1
> two scalar multiplications of point and one point addition

Heyho,

this seems pretty straightforward, here is what I came up with:

void gotr_ecbd_gen_X_value(gcry_mpi_point_t* ret, const gcry_mpi_point_t succ,
                           const gcry_mpi_point_t pred, const gcry_mpi_t priv)
{
	gcry_mpi_t tmp = gcry_mpi_new(0);              /* starts out as 0 */
	gcry_mpi_point_t tmpoint = gcry_mpi_point_new(0);

	gotr_assert(succ && pred && priv);

	*ret = gcry_mpi_point_new(0);
	gcry_mpi_ec_mul(*ret, priv, succ, ctx);        /* ret = [priv]succ */
	gcry_mpi_sub(tmp, tmp, priv);                  /* tmp = 0 - priv = -priv */
	gcry_mpi_ec_mul(tmpoint, tmp, pred, ctx);      /* tmpoint = [-priv]pred */
	gcry_mpi_ec_add(*ret, *ret, tmpoint, ctx);     /* ret = [priv]succ + [-priv]pred */

	gcry_mpi_point_release(tmpoint);
	gcry_mpi_release(tmp);
}

with ctx being a file-static gcry_ctx_t:

gcry_mpi_ec_new(&ctx, NULL, "Ed25519");

Any further suggestions?

--Markus

From wk at gnupg.org Mon Jul 21 17:35:46 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 21 Jul 2014 17:35:46 +0200
Subject: [PATCH] Curve25519 patch revised
In-Reply-To: <1405519330.3778.0.camel@latx1.gniibe.org> (NIIBE Yutaka's message of "Wed, 16 Jul 2014 23:02:10 +0900")
References: <1403157515.2821.8.camel@cfw2.gniibe.org> <1403168653.2821.9.camel@cfw2.gniibe.org> <1403231035.2376.2.camel@cfw2.gniibe.org> <87a998ne2n.fsf@vigenere.g10code.de> <1403270939.3855.0.camel@latx1.gniibe.org> <1405498318.20960.1.camel@cfw2.gniibe.org> <1405519330.3778.0.camel@latx1.gniibe.org>
Message-ID: <87iomq3est.fsf@vigenere.g10code.de>

On Wed, 16 Jul 2014 16:02, gniibe at fsij.org said:

> Here is a patch adding cofactor to the domain parameters of ECC.
>
> Note that this introduces a KEYGRIP value change.

That is bad. Why not exclude it from the keygrip computation?

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

From markus.teich at stusta.mhn.de Mon Jul 21 19:52:27 2014
From: markus.teich at stusta.mhn.de (Markus Teich)
Date: Mon, 21 Jul 2014 19:52:27 +0200
Subject: [PATCH] Add gcry_mpi_ec_sub.
In-Reply-To: <20140717130139.GD3110@trolle>
References: <20140717130139.GD3110@trolle>
Message-ID: <1405965147-6182-1-git-send-email-markus.teich@stusta.mhn.de>

This function subtracts two points on the curve. Only Twisted Edwards curves are
supported with this change.
---

Heyho,

I tried to implement it correctly. Beware, this is my first libgcrypt patch.
Please review carefully for any bugs.

--Markus

 mpi/ec.c         | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/gcrypt.h.in  |  4 ++++
 src/visibility.c |  8 +++++++
 src/visibility.h |  1 +
 4 files changed, 78 insertions(+)

diff --git a/mpi/ec.c b/mpi/ec.c
index 4f35de0..5cfc208 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1094,6 +1094,71 @@ _gcry_mpi_ec_add_points (mpi_point_t result, } +/* RESULT = P1 - P2 (Weierstrass version).*/ +static void +sub_points_weierstrass (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + (void)result; + (void)p1; + (void)p2; + (void)ctx; + log_fatal ("%s: %s not yet supported\n", + "_gcry_mpi_ec_sub_points", "Weierstrass"); +} + + +/* RESULT = P1 - P2 (Montgomery version).*/ +static void +sub_points_montgomery (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + (void)result; + (void)p1; + (void)p2; + (void)ctx; + log_fatal ("%s: %s not yet supported\n", + "_gcry_mpi_ec_sub_points", "Montgomery"); +} + + +/* RESULT = P1 - P2 (Twisted Edwards version).*/ +static void +sub_points_edwards (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + mpi_point_t p2i = _gcry_mpi_point_new (0); + point_set (p2i, p2); + _gcry_mpi_neg (p2i->y, p2i->y); + add_points_edwards (result, p1, p2i, ctx); + _gcry_mpi_point_release (p2i); +} + + +/* RESULT = P1 - P2 */ +void +_gcry_mpi_ec_sub_points (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + switch (ctx->model) + { + case MPI_EC_WEIERSTRASS: + sub_points_weierstrass (result, p1, p2, ctx); + break; + case MPI_EC_MONTGOMERY: + sub_points_montgomery (result, p1, p2, ctx); + break; + case MPI_EC_EDWARDS: + sub_points_edwards (result, p1, p2, ctx); + break; + } +} + + /* Scalar point multiplication - the main function for ECC. If takes an integer SCALAR and a POINT as well as the usual context CTX. RESULT will be set to the resulting point. */ diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index a5f8350..7dbad07 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in 
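Review bot: sub_points_edwards negates the wrong coordinate. The inverse of (x, y) on a twisted Edwards curve is (-x, y), so `_gcry_mpi_neg (p2i->y, p2i->y);` should be `_gcry_mpi_neg (p2i->x, p2i->x);`. As written the function computes P1 + (-P2 + T) with T = (0, -1), the point of order 2, so P - P yields T rather than the neutral element; a test that subtracts a point from itself and checks for (0, 1) would catch this. Separately, sub_points_weierstrass and sub_points_montgomery call log_fatal, which aborts the whole process: a library caller that picks a Weierstrass context and calls the new public gcry_mpi_ec_sub is terminated instead of being told the operation is unsupported. Since Weierstrass negation is simply (x, -y), that case is as cheap to implement as the Edwards one, and the Montgomery case could return an error instead; the switch in _gcry_mpi_ec_sub_points should also get a default: branch so an unknown ctx->model does not silently leave RESULT untouched.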
@@ -703,6 +703,10 @@ void gcry_mpi_ec_dup (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_ctx_t ctx); void gcry_mpi_ec_add (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx); +/* W = U - V. */ +void gcry_mpi_ec_sub (gcry_mpi_point_t w, + gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx); + /* W = N * U. */ void gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u, gcry_ctx_t ctx); diff --git a/src/visibility.c b/src/visibility.c index 6ed57ca..fa23e53 100644 --- a/src/visibility.c +++ b/src/visibility.c @@ -567,6 +567,14 @@ gcry_mpi_ec_add (gcry_mpi_point_t w, } void +gcry_mpi_ec_sub (gcry_mpi_point_t w, + gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx) +{ + _gcry_mpi_ec_sub_points (w, u, v, + _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC)); +} + +void gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u, gcry_ctx_t ctx) { diff --git a/src/visibility.h b/src/visibility.h index 96b5235..f7b5ace 100644 --- a/src/visibility.h +++ b/src/visibility.h @@ -486,6 +486,7 @@ MARK_VISIBLEX (_gcry_mpi_get_const) #define gcry_mpi_abs _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_add _gcry_USE_THE_UNDERSCORED_FUNCTION +#define gcry_mpi_ec_sub _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_curve_point _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_dup _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_get_affine _gcry_USE_THE_UNDERSCORED_FUNCTION -- 1.8.5.5 From teichm at in.tum.de Mon Jul 21 22:50:27 2014 From: teichm at in.tum.de (Markus Teich) Date: Mon, 21 Jul 2014 22:50:27 +0200 Subject: [PATCH] typo Message-ID: <1405975827-21372-1-git-send-email-teichm@in.tum.de> --- mpi/ec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mpi/ec.c b/mpi/ec.c index 4f35de0..2dd1397 100644 --- a/mpi/ec.c +++ b/mpi/ec.c 
@@ -999,7 +999,7 @@ add_points_edwards (mpi_point_t result, #define G (ctx->t.scratch[6]) #define tmp (ctx->t.scratch[7]) - /* Compute: (X_3 : Y_3 : Z_3) = (X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_3) */ + /* Compute: (X_3 : Y_3 : Z_3) = (X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_2) */ /* A = Z1 ? Z2 */ ec_mulm (A, Z1, Z2, ctx); -- 1.8.5.5 From ian at cypherpunks.ca Tue Jul 22 02:07:21 2014 From: ian at cypherpunks.ca (Ian Goldberg) Date: Mon, 21 Jul 2014 20:07:21 -0400 Subject: [PATCH] Add gcry_mpi_ec_sub. In-Reply-To: <1405965147-6182-1-git-send-email-markus.teich@stusta.mhn.de> References: <20140717130139.GD3110@trolle> <1405965147-6182-1-git-send-email-markus.teich@stusta.mhn.de> Message-ID: <20140722000721.GB4246@yoink.cs.uwaterloo.ca> On Mon, Jul 21, 2014 at 07:52:27PM +0200, Markus Teich wrote: > This function subtracts two points on the curve. Only Twisted Edwards curves are > supported with this change. > --- > > > Heyho, > > I tried to implement it correctly. Beware, this is my first libgcrypt patch. > Please review carefully for any bugs. > > --Markus > > +/* RESULT = P1 - P2 (Twisted Edwards version).*/ > +static void > +sub_points_edwards (mpi_point_t result, > + mpi_point_t p1, mpi_point_t p2, > + mpi_ec_t ctx) > +{ > + mpi_point_t p2i = _gcry_mpi_point_new (0); > + point_set (p2i, p2); > + _gcry_mpi_neg (p2i->y, p2i->y); > + add_points_edwards (result, p1, p2i, ctx); > + _gcry_mpi_point_release (p2i); > +} Wait: isn't the negation of a point (x,y) on a twisted Edwards curve the point (-x,y)? You're calculating (x,-y) above, it seems to me. - Ian From teichm at in.tum.de Tue Jul 22 10:50:43 2014 
From: teichm at in.tum.de (Markus Teich)
Date: Tue, 22 Jul 2014 10:50:43 +0200
Subject: [PATCH] Add gcry_mpi_ec_sub.
In-Reply-To: <20140722000721.GB4246@yoink.cs.uwaterloo.ca>
References: <20140717130139.GD3110@trolle> <1405965147-6182-1-git-send-email-markus.teich@stusta.mhn.de> <20140722000721.GB4246@yoink.cs.uwaterloo.ca>
Message-ID: <20140722085043.GN2776@trolle>

Ian Goldberg wrote:
> Wait: isn't the negation of a point (x,y) on a twisted Edwards curve
> the point (-x,y)?  You're calculating (x,-y) above, it seems to me.

Heyho,

indeed I am calculating (x,-y). I took Appendix A from the Curve25519 paper[0]
as reference. If that is indeed wrong, I will of course amend the patch.

--Markus

[0] http://cr.yp.to/ecdh/curve25519-20060209.pdf

From ian at cypherpunks.ca Tue Jul 22 14:24:11 2014
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 22 Jul 2014 08:24:11 -0400
Subject: [PATCH] Add gcry_mpi_ec_sub.
In-Reply-To: <20140722085043.GN2776@trolle>
References: <20140717130139.GD3110@trolle> <1405965147-6182-1-git-send-email-markus.teich@stusta.mhn.de> <20140722000721.GB4246@yoink.cs.uwaterloo.ca> <20140722085043.GN2776@trolle>
Message-ID: <20140722122411.GG4246@yoink.cs.uwaterloo.ca>

On Tue, Jul 22, 2014 at 10:50:43AM +0200, Markus Teich wrote:
> Ian Goldberg wrote:
> > Wait: isn't the negation of a point (x,y) on a twisted Edwards curve
> > the point (-x,y)?  You're calculating (x,-y) above, it seems to me.
>
> Heyho,
>
> indeed I am calculating (x,-y). I took Appendix A from the Curve25519 paper[0]
> as reference. If that is indeed wrong, I will of course amend the patch.

To be sure, give it a try: use your code to subtract a random point from
itself, and see what you get?

   - Ian

From cvs at cvs.gnupg.org Fri Jul 25 08:21:37 2014
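The self-check Ian proposes (subtract a point from itself and see whether the neutral element comes out) can be run without libgcrypt using affine Ed25519 arithmetic in pure Python. The block below is an added example for this thread, not code from any of the participants or from libgcrypt: it implements the Edwards group law, both the correct negation (-x, y) and the (x, -y) map used in the first version of the patch, and the ECBD X-value computation from the earlier gotr_ecbd_gen_X_value snippet in both forms (one subtraction plus one scalar multiplication, versus two scalar multiplications plus one addition). Curve constants are the standard Ed25519 ones; the g and g+g coordinates are the values libgcrypt printed in the revised-patch message later in the thread; the ECBD scalars are constructed for this example.

```python
# Affine Ed25519 (twisted Edwards, a = -1) group law in pure Python.
# Added example for this thread; not libgcrypt code.  Needs Python >= 3.8
# for pow(x, -1, p).

P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P               # d = -121665/121666 mod p
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
G = (0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a,
     0x6666666666666666666666666666666666666666666666666666666666666658)
IDENTITY = (0, 1)   # neutral element of the Edwards addition law
T = (0, P - 1)      # (0, -1): the point of order 2

# g+g as printed by libgcrypt in the revised-patch message of this thread.
TWO_G_FROM_THREAD = (
    0x36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e,
    0x2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9)


def on_curve(pt):
    """Curve equation -x^2 + y^2 = 1 + d x^2 y^2 (mod p)."""
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(p1, p2):
    """Unified affine addition (a = -1); also valid for doubling and P + (-P)."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P
    return x3, y3


def neg(pt):
    """Correct Edwards negation: -(x, y) = (-x, y)."""
    x, y = pt
    return (-x) % P, y


def wrong_neg(pt):
    """The (x, -y) map from the first version of the patch.  It is not the
    inverse: (x, -y) = -(x, y) + T, i.e. it is off by the order-2 point."""
    x, y = pt
    return x, (-y) % P


def sub(p1, p2):
    """P1 - P2 = P1 + (-P2)."""
    return add(p1, neg(p2))


def mul(k, pt):
    """Plain double-and-add (not constant time; for illustration only).
    A negative scalar multiplies the negated point, since [-r]P = [r](-P)."""
    if k < 0:
        k, pt = -k, neg(pt)
    acc, result = pt, IDENTITY
    while k:
        if k & 1:
            result = add(result, acc)
        acc = add(acc, acc)
        k >>= 1
    return result


def markus_sequence(negate):
    """g+g, g+g-g, g+g-g-g with the given negation map (Ian's self-check)."""
    two_g = add(G, G)
    step3 = add(two_g, negate(G))
    step4 = add(step3, negate(G))
    return two_g, step3, step4


def ecbd_x_value(priv, succ, pred):
    """X_i = [r_i](Z_{i+1} - Z_{i-1}) computed the two ways discussed:
    one subtraction plus one scalar multiplication, versus two scalar
    multiplications (one by -r_i) plus one addition.  Both must agree."""
    via_sub = mul(priv, sub(succ, pred))
    via_two_muls = add(mul(priv, succ), mul(-priv, pred))
    return via_sub, via_two_muls


if __name__ == "__main__":
    for name, negate in (("(-x, y)", neg), ("(x, -y)", wrong_neg)):
        two_g, s3, s4 = markus_sequence(negate)
        print(f"negation {name}: g+g-g == g? {s3 == G}; "
              f"g+g-g-g == identity? {s4 == IDENTITY}")
    # Constructed scalars for the ECBD check (not from the thread).
    r_i = 0x1234567890abcdef
    a, b = ecbd_x_value(r_i, mul(3, G), mul(7, G))
    print("ECBD X value agrees both ways:", a == b)
```

Running it also explains the puzzling output in the revised-patch message, where the (x, -y) variant looked wrong after one subtraction and right after two: (x, -y) equals -(x, y) + T with T = (0, -1) of order 2, so g+g + (x, -y) is g + T, i.e. (-g.x, -g.y), which is exactly the 0x5e96... / 0x1999... pair printed there, and adding (x, -y) once more gives g + T - g + T = 2T = (0, 1).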
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 25 Jul 2014 08:21:37 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-98-g4556f9b Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 4556f9b19c024f16bdf542da7173395c0741b91d (commit) via 0e10902ad7584277ac966367efc712b183784532 (commit) via 4e0bf1b9190ce08fb23eb3ae0c3be58954ff36ab (commit) from 4846e52728970e3117f3a046ef9010be089a3ae4 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 4556f9b19c024f16bdf542da7173395c0741b91d Author: Werner Koch Date: Thu Jul 24 12:30:32 2014 +0200 ecc: Support the non-standard 0x40 compression flag for EdDSA. * cipher/ecc.c (ecc_generate): Check the "comp" flag for EdDSA. * cipher/ecc-eddsa.c (eddsa_encode_x_y): Add arg WITH_PREFIX. (_gcry_ecc_eddsa_encodepoint): Ditto. (_gcry_ecc_eddsa_ensure_compact): Handle the 0x40 compression prefix. (_gcry_ecc_eddsa_decodepoint): Ditto. * tests/keygrip.c: Check an compresssed with prefix Ed25519 key. * tests/t-ed25519.inp: Ditto. diff --git a/cipher/ecc-common.h b/cipher/ecc-common.h index c407c74..f066b4b 100644 --- a/cipher/ecc-common.h +++ b/cipher/ecc-common.h @@ -107,6 +107,7 @@ gpg_err_code_t _gcry_ecc_eddsa_recover_x (gcry_mpi_t x, gcry_mpi_t y, int sign, mpi_ec_t ec); gpg_err_code_t _gcry_ecc_eddsa_encodepoint (mpi_point_t point, mpi_ec_t ctx, gcry_mpi_t x, gcry_mpi_t y, + int with_prefix, unsigned char **r_buffer, unsigned int *r_buflen); gpg_err_code_t _gcry_ecc_eddsa_ensure_compact (gcry_mpi_t value, diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c index 0f622f7..cd85361 100644 --- a/cipher/ecc-curves.c +++ b/cipher/ecc-curves.c 
@@ -1146,7 +1146,7 @@ _gcry_ecc_get_mpi (const char *name, mpi_ec_t ec, int copy) unsigned char *encpk; unsigned int encpklen; - if (!_gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, + if (!_gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, 0, &encpk, &encpklen)) return mpi_set_opaque (NULL, encpk, encpklen*8); } diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c index d08a84f..65024a3 100644 --- a/cipher/ecc-eddsa.c +++ b/cipher/ecc-eddsa.c @@ -1,5 +1,5 @@ /* ecc-eddsa.c - Elliptic Curve EdDSA signatures - * Copyright (C) 2013 g10 Code GmbH + * Copyright (C) 2013, 2014 g10 Code GmbH * * This file is part of Libgcrypt. * 
@@ -83,35 +83,42 @@ eddsa_encodempi (gcry_mpi_t mpi, unsigned int minlen, /* Encode (X,Y) using the EdDSA scheme. MINLEN is the required length - in bytes for the result. On success 0 is returned and a malloced - buffer with the encoded point is stored at R_BUFFER; the length of - this buffer is stored at R_BUFLEN. */ + in bytes for the result. If WITH_PREFIX is set the returned buffer + is prefixed with a 0x40 byte. On success 0 is returned and a + malloced buffer with the encoded point is stored at R_BUFFER; the + length of this buffer is stored at R_BUFLEN. */ static gpg_err_code_t eddsa_encode_x_y (gcry_mpi_t x, gcry_mpi_t y, unsigned int minlen, + int with_prefix, unsigned char **r_buffer, unsigned int *r_buflen) { unsigned char *rawmpi; unsigned int rawmpilen; + int off = with_prefix? 1:0; - rawmpi = _gcry_mpi_get_buffer (y, minlen, &rawmpilen, NULL); + rawmpi = _gcry_mpi_get_buffer_extra (y, minlen, off?-1:0, &rawmpilen, NULL); if (!rawmpi) return gpg_err_code_from_syserror (); if (mpi_test_bit (x, 0) && rawmpilen) - rawmpi[rawmpilen - 1] |= 0x80; /* Set sign bit. */ + rawmpi[off + rawmpilen - 1] |= 0x80; /* Set sign bit. */ + if (off) + rawmpi[0] = 0x40; *r_buffer = rawmpi; - *r_buflen = rawmpilen; + *r_buflen = rawmpilen + off; return 0; } /* Encode POINT using the EdDSA scheme. X and Y are either scratch variables supplied by the caller or NULL. CTX is the usual - context. On success 0 is returned and a malloced buffer with the - encoded point is stored at R_BUFFER; the length of this buffer is - stored at R_BUFLEN. */ + context. If WITH_PREFIX is set the returned buffer is prefixed + with a 0x40 byte. On success 0 is returned and a malloced buffer + with the encoded point is stored at R_BUFFER; the length of this + buffer is stored at R_BUFLEN. */ gpg_err_code_t _gcry_ecc_eddsa_encodepoint (mpi_point_t point, mpi_ec_t ec, gcry_mpi_t x_in, gcry_mpi_t y_in, + int with_prefix, unsigned char **r_buffer, unsigned int *r_buflen) { gpg_err_code_t rc; 
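Review bot: in eddsa_encode_x_y the prefix decision is encoded twice, first as `int off = with_prefix? 1:0;` and then again as `off?-1:0` in the call to _gcry_mpi_get_buffer_extra; passing `-off` ties the reserved byte count to the index used in `rawmpi[off + rawmpilen - 1] |= 0x80` and `rawmpi[0] = 0x40`, so the two cannot drift apart. The function comment should also state that `*r_buflen` includes the prefix byte (the code sets `*r_buflen = rawmpilen + off;`), because callers that compare the length against nbits/8 will otherwise be off by one; the same sentence belongs on _gcry_ecc_eddsa_encodepoint, whose comment only says the buffer is prefixed.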
@@ -126,7 +133,7 @@ _gcry_ecc_eddsa_encodepoint (mpi_point_t point, mpi_ec_t ec, rc = GPG_ERR_INTERNAL; } else - rc = eddsa_encode_x_y (x, y, ec->nbits/8, r_buffer, r_buflen); + rc = eddsa_encode_x_y (x, y, ec->nbits/8, with_prefix, r_buffer, r_buflen); if (!x_in) mpi_free (x); @@ -155,29 +162,40 @@ _gcry_ecc_eddsa_ensure_compact (gcry_mpi_t value, unsigned int nbits) return GPG_ERR_INV_OBJ; rawmpilen = (rawmpilen + 7)/8; - /* Check whether the public key has been given in standard - uncompressed format. In this case extract y and compress. */ - if (rawmpilen > 1 && buf[0] == 0x04 && (rawmpilen%2)) + if (rawmpilen > 1 && (rawmpilen%2)) { - rc = _gcry_mpi_scan (&x, GCRYMPI_FMT_STD, - buf+1, (rawmpilen-1)/2, NULL); - if (rc) - return rc; - rc = _gcry_mpi_scan (&y, GCRYMPI_FMT_STD, - buf+1+(rawmpilen-1)/2, (rawmpilen-1)/2, NULL); - if (rc) + if (buf[0] == 0x04) { - mpi_free (x); - return rc; - } + /* Buffer is in SEC1 uncompressed format. Extract y and + compress. */ + rc = _gcry_mpi_scan (&x, GCRYMPI_FMT_STD, + buf+1, (rawmpilen-1)/2, NULL); + if (rc) + return rc; + rc = _gcry_mpi_scan (&y, GCRYMPI_FMT_STD, + buf+1+(rawmpilen-1)/2, (rawmpilen-1)/2, NULL); + if (rc) + { + mpi_free (x); + return rc; + } - rc = eddsa_encode_x_y (x, y, nbits/8, &enc, &enclen); - mpi_free (x); - mpi_free (y); - if (rc) - return rc; + rc = eddsa_encode_x_y (x, y, nbits/8, 0, &enc, &enclen); + mpi_free (x); + mpi_free (y); + if (rc) + return rc; - mpi_set_opaque (value, enc, 8*enclen); + mpi_set_opaque (value, enc, 8*enclen); + } + else if (buf[0] == 0x40) + { + /* Buffer is compressed but with our SEC1 alike compression + indicator. Remove that byte. FIXME: We should write and + use a function to manipulate an opaque MPI in place. */ + if (!_gcry_mpi_set_opaque_copy (value, buf + 1, (rawmpilen - 1)*8)) + return gpg_err_code_from_syserror (); + } } return 0; 
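Review bot: the new `buf[0] == 0x40` branch in _gcry_ecc_eddsa_ensure_compact strips the prefix without checking that the remainder has the expected length, whereas the 0x04 branch at least requires an odd length that splits into two equal halves; any odd-length opaque MPI starting with 0x40 is accepted and shortened by one byte. A `rawmpilen - 1 != nbits/8` check returning GPG_ERR_INV_OBJ (the error already used at the top of this function for a bad opaque MPI) would reject malformed keys here instead of letting them reach the decoder. Also, `buf + 1` points into the storage of `value` itself, so the call relies on _gcry_mpi_set_opaque_copy copying its input before it releases the old buffer; a sentence in the FIXME comment saying that this ordering is why the copying variant is used would make the requirement explicit.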
@@ -267,7 +285,7 @@ _gcry_ecc_eddsa_recover_x (gcry_mpi_t x, gcry_mpi_t y, int sign, mpi_ec_t ec) the usual curve context. If R_ENCPK is not NULL, the encoded PK is stored at that address; this is a new copy to be released by the caller. In contrast to the supplied PK, this is not an MPI and - thus guarnateed to be properly padded. R_ENCPKLEN receives the + thus guaranteed to be properly padded. R_ENCPKLEN receives the length of that encoded key. */ gpg_err_code_t _gcry_ecc_eddsa_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result, 
@@ -287,40 +305,54 @@ _gcry_ecc_eddsa_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result, return GPG_ERR_INV_OBJ; rawmpilen = (rawmpilen + 7)/8; - /* First check whether the public key has been given in standard - uncompressed format. No need to recover x in this case. - Detection is easy: The size of the buffer will be odd and the - first byte be 0x04. */ - if (rawmpilen > 1 && buf[0] == 0x04 && (rawmpilen%2)) + /* Handle compression prefixes. The size of the buffer will be + odd in this case. */ + if (rawmpilen > 1 && (rawmpilen%2)) { - gcry_mpi_t x, y; - - rc = _gcry_mpi_scan (&x, GCRYMPI_FMT_STD, - buf+1, (rawmpilen-1)/2, NULL); - if (rc) - return rc; - rc = _gcry_mpi_scan (&y, GCRYMPI_FMT_STD, - buf+1+(rawmpilen-1)/2, (rawmpilen-1)/2, NULL); - if (rc) + /* First check whether the public key has been given in + standard uncompressed format (SEC1). No need to recover + x in this case. */ + if (buf[0] == 0x04) { - mpi_free (x); - return rc; - } + gcry_mpi_t x, y; - if (r_encpk) - { - rc = eddsa_encode_x_y (x, y, ctx->nbits/8, r_encpk, r_encpklen); + rc = _gcry_mpi_scan (&x, GCRYMPI_FMT_STD, + buf+1, (rawmpilen-1)/2, NULL); + if (rc) + return rc; + rc = _gcry_mpi_scan (&y, GCRYMPI_FMT_STD, + buf+1+(rawmpilen-1)/2, (rawmpilen-1)/2,NULL); if (rc) { mpi_free (x); - mpi_free (y); return rc; } + + if (r_encpk) + { + rc = eddsa_encode_x_y (x, y, ctx->nbits/8, 0, + r_encpk, r_encpklen); + if (rc) + { + mpi_free (x); + mpi_free (y); + return rc; + } + } + mpi_snatch (result->x, x); + mpi_snatch (result->y, y); + mpi_set_ui (result->z, 1); + return 0; + } + + /* Check whether the public key has been prefixed with a 0x40 + byte to explicitly indicate compressed format using a SEC1 + alike prefix byte. This is a Libgcrypt extension. */ + if (buf[0] == 0x40) + { + rawmpilen--; + buf++; } - mpi_snatch (result->x, x); - mpi_snatch (result->y, y); - mpi_set_ui (result->z, 1); - return 0; } /* EdDSA compressed point. */ 
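Review bot: after the 0x40 prefix is removed (`rawmpilen--; buf++;`) _gcry_ecc_eddsa_decodepoint falls through to the compressed-point code with no check that rawmpilen now equals ctx->nbits/8; together with the outer `rawmpilen > 1 && (rawmpilen%2)` condition this means any odd-length input whose first byte is 0x40 is treated as a prefixed compressed point. Adding the length check here, returning GPG_ERR_INV_OBJ as the top of this function already does for a bad opaque MPI, keeps the two encodings unambiguous. The 0x04 branch's error handling (free x only after the y scan fails, free both after eddsa_encode_x_y fails) is consistent; a comment on the new `if (buf[0] == 0x40)` block noting that the shortened buffer continues into the compressed-point code below would help the next reader, since the early `return 0` of the 0x04 branch makes the fall-through easy to miss.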
@@ -334,7 +366,7 @@ _gcry_ecc_eddsa_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result, { /* Note: Without using an opaque MPI it is not reliable possible to find out whether the public key has been given in - uncompressed format. Thus we expect EdDSA format here. */ + uncompressed format. Thus we expect native EdDSA format. */ rawmpi = _gcry_mpi_get_buffer (pk, ctx->nbits/8, &rawmpilen, NULL); if (!rawmpi) return gpg_err_code_from_syserror (); @@ -582,7 +614,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey, else { _gcry_mpi_ec_mul_point (&Q, a, &skey->E.G, ctx); - rc = _gcry_ecc_eddsa_encodepoint (&Q, ctx, x, y, &encpk, &encpklen); + rc = _gcry_ecc_eddsa_encodepoint (&Q, ctx, x, y, 0, &encpk, &encpklen); if (rc) goto leave; if (DBG_CIPHER) @@ -612,7 +644,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey, log_printpnt (" r", &I, ctx); /* Convert R into affine coordinates and apply encoding. */ - rc = _gcry_ecc_eddsa_encodepoint (&I, ctx, x, y, &rawmpi, &rawmpilen); + rc = _gcry_ecc_eddsa_encodepoint (&I, ctx, x, y, 0, &rawmpi, &rawmpilen); if (rc) goto leave; if (DBG_CIPHER) @@ -784,7 +816,7 @@ _gcry_ecc_eddsa_verify (gcry_mpi_t input, ECC_public_key *pkey, _gcry_mpi_ec_mul_point (&Ib, h, &Q, ctx); _gcry_mpi_neg (Ib.x, Ib.x); _gcry_mpi_ec_add_points (&Ia, &Ia, &Ib, ctx); - rc = _gcry_ecc_eddsa_encodepoint (&Ia, ctx, s, h, &tbuf, &tlen); + rc = _gcry_ecc_eddsa_encodepoint (&Ia, ctx, s, h, 0, &tbuf, &tlen); if (rc) goto leave; if (tlen != rlen || memcmp (tbuf, rbuf, tlen)) diff --git a/cipher/ecc.c b/cipher/ecc.c index e0be2d4..a27d2c6 100644 --- a/cipher/ecc.c +++ b/cipher/ecc.c 
@@ -35,15 +35,12 @@ verification algorithms. The arithmetic functions have entirely been rewritten and moved to mpi/ec.c. - ECDH encrypt and decrypt code written by Andrey Jivsov, + ECDH encrypt and decrypt code written by Andrey Jivsov. */ /* TODO: - - If we support point compression we need to uncompress before - computing the keygrip - - In mpi/ec.c we use mpi_powm for x^2 mod p: Either implement a special case in mpi_powm or check whether mpi_mulm is faster. @@ -487,7 +484,9 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) unsigned char *encpk; unsigned int encpklen; - rc = _gcry_ecc_eddsa_encodepoint (&sk.Q, ctx, x, y, &encpk, &encpklen); + rc = _gcry_ecc_eddsa_encodepoint (&sk.Q, ctx, x, y, + !!(flags & PUBKEY_FLAG_COMP), + &encpk, &encpklen); if (rc) return rc; public = mpi_new (0); @@ -1653,7 +1652,7 @@ _gcry_pk_ecc_get_sexp (gcry_sexp_t *r_sexp, int mode, mpi_ec_t ec) unsigned char *encpk; unsigned int encpklen; - rc = _gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, + rc = _gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, 0, &encpk, &encpklen); if (rc) goto leave; diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index d59c095..23efc52 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -2162,7 +2162,9 @@ The private key @math{d} All point values are encoded in standard format; Libgcrypt does in general only support uncompressed points, thus the first byte needs to be @code{0x04}. However ``EdDSA'' describes its own compression -scheme which is used by default. +scheme which is used by default; the non-standard first byte + at code{0x40} may optionally be used to explicit flag the use of the +algorithm?s native compression method. The public key is similar with "private-key" replaced by "public-key" and no @var{d-mpi}. 
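Review bot: in ecc_generate the new `!!(flags & PUBKEY_FLAG_COMP)` argument means a caller who asks for `comp` gets a 0x40-prefixed public key that the commit message itself calls non-standard; the ChangeLog entry for ecc.c should say that `comp` changes the public-key encoding, not merely that the flag is checked. The gcrypt.texi hunk has wording slips: "explicit flag" should be "explicitly flag", and the apostrophe in "algorithm?s" did not survive as ASCII, so the Texinfo source should carry a plain ' there. Dropping the TODO item about uncompressing before computing the keygrip is only safe because the keygrip.c test added in this commit pins the prefixed and native encodings to the same keygrip; that dependency is worth a sentence in the commit message.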
@@ -2232,9 +2234,11 @@ are known: If supported by the algorithm and curve the @code{comp} flag requests that points are returned in compact (compressed) representation. The @code{nocomp} flag requests that points are returned with full -coordinates. The default depends on the the algorithm and curve. -The compact representation requires a small overhead before a point -can be used but halves the size of a to be conveyed public key. +coordinates. The default depends on the the algorithm and curve. The +compact representation requires a small overhead before a point can be +used but halves the size of a to be conveyed public key. If + at code{comp} is used with the ``EdDSA'' algorithm the key generation +prefix the public key with a @code{0x40} byte. @item pkcs1 @cindex PKCS1 diff --git a/tests/keygrip.c b/tests/keygrip.c index 330935d..72960ea 100644 --- a/tests/keygrip.c +++ b/tests/keygrip.c @@ -175,6 +175,17 @@ static struct "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70" "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47" }, + { /* Ed25519+EdDSA (with compression prefix) */ + GCRY_PK_ECC, + "(public-key" + " (ecc" + " (curve Ed25519)(flags eddsa)" + " (q #40" + " 773E72848C1FD5F9652B29E2E7AF79571A04990E96F2016BF4E0EC1890C2B7DB#)" + " ))", + "\x9D\xB6\xC6\x4A\x38\x83\x0F\x49\x60\x70" + "\x17\x89\x47\x55\x20\xBE\x8C\x82\x1F\x47" + }, { /* Ed25519+EdDSA (same but uncompressed)*/ GCRY_PK_ECC, "(public-key" diff --git a/tests/t-ed25519.c b/tests/t-ed25519.c index 465a217..b7f3307 100644 --- a/tests/t-ed25519.c +++ b/tests/t-ed25519.c @@ -32,7 +32,7 @@ #include "stopwatch.h" #define PGM "t-ed25519" -#define N_TESTS 1025 +#define N_TESTS 1026 #define my_isascii(c) (!((c) & 0x80)) #define digitp(p) (*(p) >= '0' && *(p) <= '9') diff --git a/tests/t-ed25519.inp b/tests/t-ed25519.inp index 61387c4..e13566f 100644 --- a/tests/t-ed25519.inp +++ b/tests/t-ed25519.inp 
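Review bot: the gcrypt.texi hunk keeps "the the algorithm and curve" (pre-existing, but the line is rewritten here, so fix it now) and says "the key generation prefix the public key", which should read "prefixes". The new tests/keygrip.c entry expects the same keygrip for the 0x40-prefixed key as for the native encoding in the entry directly above it; that is the property that keeps existing keygrips stable, so a short comment on the test stating that the prefix must not change the keygrip would record the intent. Bumping N_TESTS to 1026 in t-ed25519.c matches the single vector appended to t-ed25519.inp.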
@@ -6162,3 +6162,11 @@ SK: 9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60 PK: 0455d0e09a2b9d34292297e08d60d0f620c513d47253187c24b12786bd777645ce1a5107f7681a02af2523a6daf372e10e3a0764c9d3fe4bd5b70ab18201985ad7 MSG: SIG: e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b + +# Now an additional test with the data from test 1 but using an +# compressed prefix. +TST: 1 +SK: 9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60 +PK: 40d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a +MSG: +SIG: e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b commit 0e10902ad7584277ac966367efc712b183784532 Author: Werner Koch Date: Thu Jul 24 16:16:53 2014 +0200 mpi: Extend the internal mpi_get_buffer. * mpi/mpicoder.c (do_get_buffer): Add arg EXTRAALLOC. (_gcry_mpi_get_buffer_extra): New. diff --git a/mpi/mpicoder.c b/mpi/mpicoder.c index 58a4240..896dda1 100644 --- a/mpi/mpicoder.c +++ b/mpi/mpicoder.c @@ -1,7 +1,7 @@ /* mpicoder.c - Coder for the external representation of MPIs * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 * 2008 Free Software Foundation, Inc. - * Copyright (C) 2013 g10 Code GmbH + * Copyright (C) 2013, 2014 g10 Code GmbH * * This file is part of Libgcrypt. * 
@@ -181,19 +181,27 @@ mpi_fromstr (gcry_mpi_t val, const char *str) returned value is stored as little endian and right padded with zeroes so that the returned buffer has at least FILL_LE bytes. + If EXTRAALLOC > 0 the returned buffer has these number of bytes + extra allocated at the end; if EXTRAALLOC < 0 the returned buffer + has the absolute value of EXTRAALLOC allocated at the begin of the + buffer (the are not initialized) and the MPI is stored right after + this. This feature is useful to allow the caller to prefix the + returned value. EXTRAALLOC is _not_ included in the value stored + at NBYTES. + Caller must free the return string. This function returns an allocated buffer with NBYTES set to zero if the value of A is zero. If sign is not NULL, it will be set to the sign of the A. On error NULL is returned and ERRNO set appropriately. */ static unsigned char * -do_get_buffer (gcry_mpi_t a, unsigned int fill_le, +do_get_buffer (gcry_mpi_t a, unsigned int fill_le, int extraalloc, unsigned int *nbytes, int *sign, int force_secure) { - unsigned char *p, *buffer; + unsigned char *p, *buffer, *retbuffer; unsigned int length, tmp; mpi_limb_t alimb; int i; - size_t n; + size_t n, n2; if (sign) *sign = a->sign; @@ -202,10 +210,20 @@ do_get_buffer (gcry_mpi_t a, unsigned int fill_le, n = *nbytes? *nbytes:1; /* Allocate at least one byte. */ if (n < fill_le) n = fill_le; - p = buffer = (force_secure || mpi_is_secure(a))? xtrymalloc_secure (n) - : xtrymalloc (n); - if (!buffer) + if (extraalloc < 0) + n2 = n + -extraalloc; + else + n2 = n + extraalloc; + + retbuffer = (force_secure || mpi_is_secure(a))? xtrymalloc_secure (n2) + : xtrymalloc (n2); + if (!retbuffer) return NULL; + if (extraalloc < 0) + buffer = retbuffer + -extraalloc; + else + buffer = retbuffer; + p = buffer; for (i=a->nlimbs-1; i >= 0; i--) { 
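Review bot: with extraalloc < 0 the first -extraalloc bytes of retbuffer are left uninitialized, as the comment admits ("the are not initialized"); any caller that forgets to fill the prefix hands uninitialized heap memory to the user, and for secure-memory MPIs that is precisely the kind of byte leak the secure allocator exists to prevent. A `memset (retbuffer, 0, -extraalloc);` right after the allocation succeeds costs nothing and removes the hazard. The comment also needs "these number of bytes" changed to "this number of bytes" and "the are not" to "they are not". Finally, `n2 = n + -extraalloc` negates an int, which is undefined for INT_MIN; either bound-check extraalloc or document that callers pass small values.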
@@ -244,7 +262,7 @@ do_get_buffer (gcry_mpi_t a, unsigned int fill_le, *p++ = 0; *nbytes = length; - return buffer; + return retbuffer; } /* This is sub-optimal but we need to do the shift operation because @@ -252,8 +270,8 @@ do_get_buffer (gcry_mpi_t a, unsigned int fill_le, for (p=buffer; *nbytes && !*p; p++, --*nbytes) ; if (p != buffer) - memmove (buffer,p, *nbytes); - return buffer; + memmove (buffer, p, *nbytes); + return retbuffer; } @@ -261,14 +279,21 @@ byte * _gcry_mpi_get_buffer (gcry_mpi_t a, unsigned int fill_le, unsigned int *r_nbytes, int *sign) { - return do_get_buffer (a, fill_le, r_nbytes, sign, 0); + return do_get_buffer (a, fill_le, 0, r_nbytes, sign, 0); +} + +byte * +_gcry_mpi_get_buffer_extra (gcry_mpi_t a, unsigned int fill_le, int extraalloc, + unsigned int *r_nbytes, int *sign) +{ + return do_get_buffer (a, fill_le, extraalloc, r_nbytes, sign, 0); } byte * _gcry_mpi_get_secure_buffer (gcry_mpi_t a, unsigned int fill_le, unsigned int *r_nbytes, int *sign) { - return do_get_buffer (a, fill_le, r_nbytes, sign, 1); + return do_get_buffer (a, fill_le, 0, r_nbytes, sign, 1); } diff --git a/src/mpi.h b/src/mpi.h index 2479560..7407b7f 100644 --- a/src/mpi.h +++ b/src/mpi.h @@ -158,6 +158,9 @@ void _gcry_log_mpidump( const char *text, gcry_mpi_t a ); u32 _gcry_mpi_get_keyid( gcry_mpi_t a, u32 *keyid ); byte *_gcry_mpi_get_buffer (gcry_mpi_t a, unsigned int fill_le, unsigned int *r_nbytes, int *sign); +byte *_gcry_mpi_get_buffer_extra (gcry_mpi_t a, unsigned int fill_le, + int extraalloc, + unsigned int *r_nbytes, int *sign); byte *_gcry_mpi_get_secure_buffer (gcry_mpi_t a, unsigned int fill_le, unsigned *r_nbytes, int *sign); void _gcry_mpi_set_buffer ( gcry_mpi_t a, const void *buffer, commit 4e0bf1b9190ce08fb23eb3ae0c3be58954ff36ab Author: Werner Koch Date: Thu Jul 24 11:12:37 2014 +0200 cipher: Fix compiler warning for chacha20. * cipher/chacha20.c (chacha20_blocks) [!USE_SSE2]: Do not build. 
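Review bot: both `return retbuffer;` sites now hand back the enlarged allocation while the leading-zero strip (`memmove (buffer, p, *nbytes)`) operates inside `buffer`, so the prefix region is never overwritten, which is correct. However only _gcry_mpi_get_buffer gained an `_extra` variant: _gcry_mpi_get_secure_buffer still calls do_get_buffer with extraalloc 0, so a caller that needs a prefixed buffer for a secret value has no secure-memory equivalent. Either add _gcry_mpi_get_secure_buffer_extra now or note in the mpi.h declaration that the extra variant is intended for public data only.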
diff --git a/cipher/chacha20.c b/cipher/chacha20.c index 03416d4..ebba2fc 100644 --- a/cipher/chacha20.c +++ b/cipher/chacha20.c @@ -121,6 +121,8 @@ static const char *selftest (void); #define QOUT(ai, bi, ci, di) \ DO_OUT(ai); DO_OUT(bi); DO_OUT(ci); DO_OUT(di) + +#ifndef USE_SSE2 static unsigned int chacha20_blocks (u32 *state, const byte *src, byte *dst, size_t bytes) { @@ -240,6 +242,7 @@ chacha20_blocks (u32 *state, const byte *src, byte *dst, size_t bytes) /* burn_stack */ return (2 * CHACHA20_INPUT_LENGTH * sizeof(u32) + 6 * sizeof(void *)); } +#endif /*!USE_SSE2*/ #undef QROUND #undef QOUT ----------------------------------------------------------------------- Summary of changes: cipher/chacha20.c | 3 + cipher/ecc-common.h | 1 + cipher/ecc-curves.c | 2 +- cipher/ecc-eddsa.c | 152 +++++++++++++++++++++++++++++++-------------------- cipher/ecc.c | 11 ++-- doc/gcrypt.texi | 12 ++-- mpi/mpicoder.c | 49 +++++++++++++---- src/mpi.h | 3 + tests/keygrip.c | 11 ++++ tests/t-ed25519.c | 2 +- tests/t-ed25519.inp | 8 +++ 11 files changed, 170 insertions(+), 84 deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org _______________________________________________ Gnupg-commits mailing list Gnupg-commits at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-commits From kristian.fiskerstrand at sumptuouscapital.com Tue Jul 29 19:37:32 2014 
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Tue, 29 Jul 2014 19:37:32 +0200
Subject: [PATCH] Fix a segfault for x32 ABIs resulting in erroneous detection of size for BYTES_PER_MPI_LIMB
Message-ID: <53D7DBDC.9010206@sumptuouscapital.com>

Please find enclosed a patch for libgcrypt versus current git master that
fixes a gnupg segfault for x32 ABIs, reported at
https://bugs.gentoo.org/show_bug.cgi?id=512762

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Ne nuntium necare
Don't kill the messenger

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-a-segfault-for-x32-ABIs-resulting-in-erronuous-d.patch
Type: text/x-patch
Size: 1107 bytes
Desc: not available

From teichm at in.tum.de Wed Jul 30 18:39:35 2014
From: teichm at in.tum.de (Markus Teich)
Date: Wed, 30 Jul 2014 18:39:35 +0200
Subject: [PATCH revised] Add gcry_mpi_ec_sub.
In-Reply-To: <20140722122411.GG4246@yoink.cs.uwaterloo.ca>
References: <20140722122411.GG4246@yoink.cs.uwaterloo.ca>
Message-ID: <1406738375-14267-1-git-send-email-teichm@in.tum.de>

This function subtracts two points on the curve. Only Twisted Edwards curves are supported with this change.
---
Heyho Ian,

of course you were correct, the x value has to be negated. Attached is the fixed patch.

Since I could not build the current master of libgcrypt (configure fails with: error: cannot find input file: `tests/Makefile.in') I tested it with this snippet:

#include <gcrypt.h>

int
main (void)
{
  gcry_ctx_t ctx;
  gcry_mpi_t vx = gcry_mpi_new (0);
  gcry_mpi_t vy = gcry_mpi_new (0);
  gcry_mpi_t vz = gcry_mpi_new (0);
  gcry_mpi_point_t p;
  gcry_mpi_point_t tmp;

  /* Context setup, added so the snippet builds stand-alone.  The
     coordinates printed below are those of the Ed25519 base point,
     so that is the curve the context was created for.  */
  if (gcry_mpi_ec_new (&ctx, NULL, "Ed25519"))
    return 1;

  p = gcry_mpi_ec_get_point ("g", ctx, 0);
  tmp = gcry_mpi_ec_get_point ("g", ctx, 0);
  gcry_log_debugpnt ("g ", p, ctx);
  gcry_mpi_ec_add (p, p, tmp, ctx);
  gcry_log_debugpnt ("g+g ", p, ctx);
  /* Build -g by hand: negate x, keep y and z.  */
  gcry_mpi_point_get (vx, vy, vz, tmp);
  gcry_mpi_neg (vx, vx);
  gcry_mpi_point_set (tmp, vx, vy, vz);
  gcry_mpi_ec_add (p, p, tmp, ctx);
  gcry_log_debugpnt ("g+g-g ", p, ctx);
  gcry_mpi_ec_add (p, p, tmp, ctx);
  gcry_log_debugpnt ("g+g-g-g ", p, ctx);

  gcry_mpi_release (vx);
  gcry_mpi_release (vy);
  gcry_mpi_release (vz);
  gcry_ctx_release (ctx);
  return 0;
}

leading to the output:

g .x:+216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a
g .y:+6666666666666666666666666666666666666666666666666666666666666658
g+g .x:+36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e
g+g .y:+2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9
g+g-g .x:+216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a
g+g-g .y:+6666666666666666666666666666666666666666666666666666666666666658
g+g-g-g .x:-00
g+g-g-g .y:+01

Negating the y value leads to something where the first subtraction fails, but after another one the result is correct again?
g .x:+216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a
g .y:+6666666666666666666666666666666666666666666666666666666666666658
g+g .x:+36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e
g+g .y:+2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9
g+g-g .x:+5e96c92c3291ac013f5b1dce022923a396d3389f6ada584d36a9d29f70da2ad3
g+g-g .y:+1999999999999999999999999999999999999999999999999999999999999995
g+g-g-g .x:-00
g+g-g-g .y:+01

--Markus

 mpi/ec.c         | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/gcrypt.h.in  |  4 ++++
 src/visibility.c |  8 +++++++
 src/visibility.h |  1 +
 4 files changed, 78 insertions(+)

diff --git a/mpi/ec.c b/mpi/ec.c
index 4f35de0..f535ac0 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1094,6 +1094,71 @@ _gcry_mpi_ec_add_points (mpi_point_t result, } +/* RESULT = P1 - P2 (Weierstrass version).*/ +static void +sub_points_weierstrass (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + (void)result; + (void)p1; + (void)p2; + (void)ctx; + log_fatal ("%s: %s not yet supported\n", + "_gcry_mpi_ec_sub_points", "Weierstrass"); +} + + +/* RESULT = P1 - P2 (Montgomery version).*/ +static void +sub_points_montgomery (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + (void)result; + (void)p1; + (void)p2; + (void)ctx; + log_fatal ("%s: %s not yet supported\n", + "_gcry_mpi_ec_sub_points", "Montgomery"); +} + + +/* RESULT = P1 - P2 (Twisted Edwards version).*/ +static void +sub_points_edwards (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + mpi_point_t p2i = _gcry_mpi_point_new (0); + point_set (p2i, p2); + _gcry_mpi_neg (p2i->x, p2i->x); + add_points_edwards (result, p1, p2i, ctx); + _gcry_mpi_point_release (p2i); +} + + +/* RESULT = P1 - P2 */ +void +_gcry_mpi_ec_sub_points (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + switch (ctx->model) + { + case MPI_EC_WEIERSTRASS: + sub_points_weierstrass (result, p1, p2, ctx); + break; + case MPI_EC_MONTGOMERY: + sub_points_montgomery (result, p1, p2, ctx); + break; + case MPI_EC_EDWARDS: + sub_points_edwards (result, p1, p2, ctx); + break; + } +} + + /* Scalar point multiplication - the main function for ECC. If takes an integer SCALAR and a POINT as well as the usual context CTX. RESULT will be set to the resulting point. */ diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index a5f8350..7dbad07 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in 
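Review bot: sub_points_weierstrass and sub_points_montgomery end in log_fatal, so calling the new public gcry_mpi_ec_sub on a Weierstrass or Montgomery context terminates the calling process instead of returning an error; if that is intended for now, the restriction belongs in the gcrypt.h.in comment, which currently reads only `/* W = U - V. */`. In sub_points_edwards, `_gcry_mpi_neg (p2i->x, p2i->x)` flips the MPI sign rather than reducing the coordinate modulo the field prime; the Edwards formulas absorb that here (the test output in the message gets g back for g+g-g), but the `g+g-g-g .x:-00` line in that same output suggests the sign can leak into a result, so computing p - x with the context's modulus would keep the point in canonical form. Also, `switch (ctx->model)` has no default arm, so an unexpected model leaves RESULT untouched without any diagnostic.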
@@ -703,6 +703,10 @@ void gcry_mpi_ec_dup (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_ctx_t ctx); void gcry_mpi_ec_add (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx); +/* W = U - V. */ +void gcry_mpi_ec_sub (gcry_mpi_point_t w, + gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx); + /* W = N * U. */ void gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u, gcry_ctx_t ctx); diff --git a/src/visibility.c b/src/visibility.c index 6ed57ca..fa23e53 100644 --- a/src/visibility.c +++ b/src/visibility.c @@ -567,6 +567,14 @@ gcry_mpi_ec_add (gcry_mpi_point_t w, } void +gcry_mpi_ec_sub (gcry_mpi_point_t w, + gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx) +{ + _gcry_mpi_ec_sub_points (w, u, v, + _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC)); +} + +void gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u, gcry_ctx_t ctx) { diff --git a/src/visibility.h b/src/visibility.h index 96b5235..f7b5ace 100644 --- a/src/visibility.h +++ b/src/visibility.h @@ -486,6 +486,7 @@ MARK_VISIBLEX (_gcry_mpi_get_const) #define gcry_mpi_abs _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_add _gcry_USE_THE_UNDERSCORED_FUNCTION +#define gcry_mpi_ec_sub _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_curve_point _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_dup _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_get_affine _gcry_USE_THE_UNDERSCORED_FUNCTION -- 1.8.5.5 From dgoulet at ev0ke.net Wed Jul 30 18:01:15 2014 
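The test sequence from the gcry_mpi_ec_sub message above, replayed in plain affine arithmetic as an added example (not libgcrypt code and not Markus's snippet); it assumes the context is Ed25519, which the printed base point coordinates confirm, and shows why negating y instead of x "fails" after one subtraction yet yields the identity after two: (x, -y) is -P plus the order-2 point (0, -1).

```python
# Added example, not libgcrypt code and not the snippet from the message: affine
# twisted Edwards arithmetic on Ed25519 that reproduces the coordinates printed
# above and explains the "negate y" puzzle.  Assumption: the ctx in the message
# is Ed25519, which the printed base point (x = 0x2169..., y = 0x6666...58) confirms.
p = 2**255 - 19
a = -1
d = (-121665 * pow(121666, -1, p)) % p   # Ed25519: -x^2 + y^2 = 1 + d x^2 y^2

G = (0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a,
     0x6666666666666666666666666666666666666666666666666666666666666658)
O = (0, 1)       # neutral element, printed by libgcrypt above as x:-00 y:+01
T = (0, p - 1)   # the point (0, -1), which has order 2

def add(P, Q):
    """Twisted Edwards addition; complete for a = -1 (a square) and d a non-square."""
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1 * y2 + x2 * y1) * pow(1 + d * x1 * x2 * y1 * y2, -1, p) % p
    y3 = (y1 * y2 - a * x1 * x2) * pow(1 - d * x1 * x2 * y1 * y2, -1, p) % p
    return (x3, y3)

def neg(P):
    """-P: negate x, keep y.  This is what sub_points_edwards in the patch does."""
    x, y = P
    return ((-x) % p, y)

def neg_y(P):
    """Negating y instead does not give -P: (x, -y) == -P + T, see explain_neg_y."""
    x, y = P
    return (x, (-y) % p)

def walk(negate):
    """Replay the message's sequence g, g+g, g+g-g, g+g-g-g with a chosen negation."""
    g2 = add(G, G)
    g2_minus_g = add(g2, negate(G))
    return [G, g2, g2_minus_g, add(g2_minus_g, negate(G))]

def explain_neg_y():
    """Why negating y fails once and then 'works': (x, -y) = -P + T and T + T = O."""
    return neg_y(G) == add(neg(G), T) and add(T, T) == O

if __name__ == "__main__":
    for negate in (neg, neg_y):
        print(negate.__name__)
        for label, (x, y) in zip(("g", "g+g", "g+g-g", "g+g-g-g"), walk(negate)):
            print(f"  {label:8} x:{x:064x} y:{y:064x}")
```

With neg the third point is g again and the fourth is (0, 1); with neg_y the third point is (p - x_g, p - y_g), exactly the 0x5e96c92c.../0x1999...95 pair in the message, and the fourth is (0, 1) because the two stray T terms cancel.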
From: dgoulet at ev0ke.net (David Goulet)
Date: Wed, 30 Jul 2014 12:01:15 -0400
Subject: _gcry_ath_mutex_lock: Assertion
Message-ID: <20140730160115.GC6050@thessa>

Hello!

We are currently working on a test suite for libotr[1] which heavily uses libgcrypt (version 1.5.3 in Debian). We use a small client that exchanges OTR messages between two threads using libotr for stress, regression and fuzzing tests.

While receiving messages at the same time, we can end up with this from the gcry_md_read() call:

lt-client: ath.c:193: _gcry_ath_mutex_lock: Assertion `*lock == ((ath_mutex_t) 0)' failed.

You can find a full gdb backtrace here --> http://pastebin.com/cqJDe7dR
Parts are optimized out but let me know, I can provide you a -O0 version.

I did a small investigation and it seems that there is contention on this lock which for some reason asserts when it's locked.

ath_mutex_lock (&digests_registered_lock);

I see that in libgcrypt 1.6 it has been removed, so is there a way to avoid the issue for < 1.6 without defining NDEBUG?

Thanks!
David

[1] https://bugs.otr.im/projects/libotr

From chris at chatsecure.org Thu Jul 31 02:10:21 2014
From: chris at chatsecure.org (Chris Ballinger)
Date: Wed, 30 Jul 2014 17:10:21 -0700
Subject: _gcry_ath_mutex_lock: Assertion
In-Reply-To: <20140730160115.GC6050@thessa>
References: <20140730160115.GC6050@thessa>
Message-ID: 

For what it's worth, I discovered this as well when trying to write tests for OTRKit (which uses libotr internally).

On Wed, Jul 30, 2014 at 9:01 AM, David Goulet wrote:
> Hello!
>
> We are currently working on a test suite for libotr[1] which heavily
> uses libgcrypt (version 1.5.3 in Debian). We use a small client that
> exchanges OTR messages between two threads using libotr for stress,
> regression and fuzzing tests.
>
> While receiving messages at the same time, we can end up with this from
> the gcry_md_read() call.
>
> lt-client: ath.c:193: _gcry_ath_mutex_lock: Assertion `*lock ==
> ((ath_mutex_t) 0)' failed.
>
> You can find a full gdb backtrace here --> http://pastebin.com/cqJDe7dR
> Parts are optimized out but let me know, I can provide you a -O0 version.
>
> I did a small investigation and it seems that there is contention on
> this lock which for some reason asserts when it's locked.
>
> ath_mutex_lock (&digests_registered_lock);
>
> I see that in libgcrypt 1.6, it has been removed so is there a way to
> avoid the issue for < 1.6 without defining NDEBUG?
>
> Thanks!
> David
>
> [1] https://bugs.otr.im/projects/libotr
>
> _______________________________________________
> Gcrypt-devel mailing list
> Gcrypt-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gcrypt-devel