[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-229-g2bddd94
by Werner Koch
cvs at cvs.gnupg.org
Thu May 21 16:58:43 CEST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, master has been updated
via 2bddd947fd1c11b4ec461576db65a5e34fea1b07 (commit)
via 102d68b3bd77813a3ff989526855bb1e283bf9d7 (commit)
via 8124e357b732a719696bfd5271def4e528f2a1e1 (commit)
from 9b0c6c8141ae9bd056392a3f6b5704b505fc8501 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2bddd947fd1c11b4ec461576db65a5e34fea1b07
Author: Werner Koch <wk at gnupg.org>
Date: Thu May 21 16:24:36 2015 +0200
ecc: Add key generation flag "no-keytest".
* src/cipher.h (PUBKEY_FLAG_NO_KEYTEST): New.
* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag
"no-keytest". Return an error for invalid flags of length 10.
* cipher/ecc.c (nist_generate_key): Replace arg random_level by flags
set random level depending on flags.
* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto.
* cipher/ecc.c (ecc_generate): Pass flags to generate fucntion and
remove var random_level.
(nist_generate_key): Implement "no-keytest" flag.
* tests/keygen.c (check_ecc_keys): Add tests for transient-key and
no-keytest.
--
After key creation we usually run a test to check whether the keys
really work. However for transient keys this might be too time
consuming and given that a failed test would anyway abort the process
the optional use of a flag to skip the test is appropriate.
Using Ed25519 for EdDSA and the "no-keytest" flags halves the time to
create such a key. This was measured by looping the last test from
check_ecc_keys() 1000 times with and without the flag.
Due to a bug in the flags parser unknown flags with a length of 10
characters were not detected. Thus the "no-keytest" flag can be
employed by all software even for libraries before this. That bug is
however solved with this version.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/NEWS b/NEWS
index 4c74533..d90ee6d 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,10 @@ Noteworthy changes in version 1.7.0 (unreleased)
* Added OCB mode.
+ * New flag "no-keytest" for ECC key generation. Due to a bug in the
+ parser that flag will also be accepted but ignored by older version
+ of Libgcrypt.
+
* Interface changes relative to the 1.6.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcry_mac_get_algo NEW.
diff --git a/cipher/ecc-common.h b/cipher/ecc-common.h
index 83bf20d..f0d97ea 100644
--- a/cipher/ecc-common.h
+++ b/cipher/ecc-common.h
@@ -123,7 +123,7 @@ gpg_err_code_t _gcry_ecc_eddsa_compute_h_d (unsigned char **r_digest,
gpg_err_code_t _gcry_ecc_eddsa_genkey (ECC_secret_key *sk,
elliptic_curve_t *E,
mpi_ec_t ctx,
- gcry_random_level_t random_level);
+ int flags);
gpg_err_code_t _gcry_ecc_eddsa_sign (gcry_mpi_t input,
ECC_secret_key *sk,
gcry_mpi_t r_r, gcry_mpi_t s,
diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c
index a12ebab..4323d8e 100644
--- a/cipher/ecc-eddsa.c
+++ b/cipher/ecc-eddsa.c
@@ -465,15 +465,28 @@ _gcry_ecc_eddsa_compute_h_d (unsigned char **r_digest,
}
-/* Ed25519 version of the key generation. */
+/**
+ * _gcry_ecc_eddsa_genkey - EdDSA version of the key generation.
+ *
+ * @sk: A struct to receive the secret key.
+ * @E: Parameters of the curve.
+ * @ctx: Elliptic curve computation context.
+ * @flags: Flags controlling aspects of the creation.
+ *
+ * Return: An error code.
+ *
+ * The only @flags bit used by this function is %PUBKEY_FLAG_TRANSIENT
+ * to use a faster RNG.
+ */
gpg_err_code_t
_gcry_ecc_eddsa_genkey (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
- gcry_random_level_t random_level)
+ int flags)
{
gpg_err_code_t rc;
int b = 256/8; /* The only size we currently support. */
gcry_mpi_t a, x, y;
mpi_point_struct Q;
+ gcry_random_level_t random_level;
char *dbuf;
size_t dlen;
gcry_buffer_t hvec[1];
@@ -482,6 +495,11 @@ _gcry_ecc_eddsa_genkey (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
point_init (&Q);
memset (hvec, 0, sizeof hvec);
+ if ((flags & PUBKEY_FLAG_TRANSIENT_KEY))
+ random_level = GCRY_STRONG_RANDOM;
+ else
+ random_level = GCRY_VERY_STRONG_RANDOM;
+
a = mpi_snew (0);
x = mpi_new (0);
y = mpi_new (0);
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 262fcd8..5ffe84b 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -1,6 +1,6 @@
/* ecc.c - Elliptic Curve Cryptography
* Copyright (C) 2007, 2008, 2010, 2011 Free Software Foundation, Inc.
- * Copyright (C) 2013 g10 Code GmbH
+ * Copyright (C) 2013, 2015 g10 Code GmbH
*
* This file is part of Libgcrypt.
*
@@ -106,12 +106,11 @@ _gcry_register_pk_ecc_progress (void (*cb) (void *, const char *,
�
/**
- * nist_generate_key - Standard version of the key generation.
- *
+ * nist_generate_key - Standard version of the ECC key generation.
* @sk: A struct to receive the secret key.
* @E: Parameters of the curve.
* @ctx: Elliptic curve computation context.
- * @random_level: The quality of the random.
+ * @flags: Flags controlling aspects of the creation.
* @nbits: Only for testing
* @r_x: On success this receives an allocated MPI with the affine
* x-coordinate of the poblic key. On error NULL is stored.
@@ -119,19 +118,29 @@ _gcry_register_pk_ecc_progress (void (*cb) (void *, const char *,
*
* Return: An error code.
*
+ * The @flags bits used by this function are %PUBKEY_FLAG_TRANSIENT to
+ * use a faster RNG, and %PUBKEY_FLAG_NO_KEYTEST to skip the assertion
+ * that the key works as expected.
+ *
* FIXME: Check whether N is needed.
*/
static gpg_err_code_t
nist_generate_key (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
- gcry_random_level_t random_level, unsigned int nbits,
+ int flags, unsigned int nbits,
gcry_mpi_t *r_x, gcry_mpi_t *r_y)
{
mpi_point_struct Q;
+ gcry_random_level_t random_level;
gcry_mpi_t x, y;
const unsigned int pbits = mpi_get_nbits (E->p);
point_init (&Q);
+ if ((flags & PUBKEY_FLAG_TRANSIENT_KEY))
+ random_level = GCRY_STRONG_RANDOM;
+ else
+ random_level = GCRY_VERY_STRONG_RANDOM;
+
/* Generate a secret. */
if (ctx->dialect == ECC_DIALECT_ED25519)
{
@@ -226,7 +235,9 @@ nist_generate_key (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
point_free (&Q);
/* Now we can test our keys (this should never fail!). */
- if (sk->E.model != MPI_EC_MONTGOMERY)
+ if ((flags & PUBKEY_FLAG_NO_KEYTEST))
+ ; /* User requested to skip the test. */
+ else if (sk->E.model != MPI_EC_MONTGOMERY)
test_keys (sk, nbits - 64);
else
test_ecdh_only_keys (sk, nbits - 64);
@@ -492,7 +503,6 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
gcry_mpi_t Qy = NULL;
char *curve_name = NULL;
gcry_sexp_t l1;
- gcry_random_level_t random_level;
mpi_ec_t ctx = NULL;
gcry_sexp_t curve_info = NULL;
gcry_sexp_t curve_flags = NULL;
@@ -560,17 +570,12 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
log_printpnt ("ecgen curve G", &E.G, NULL);
}
- if ((flags & PUBKEY_FLAG_TRANSIENT_KEY))
- random_level = GCRY_STRONG_RANDOM;
- else
- random_level = GCRY_VERY_STRONG_RANDOM;
-
ctx = _gcry_mpi_ec_p_internal_new (E.model, E.dialect, 0, E.p, E.a, E.b);
if ((flags & PUBKEY_FLAG_EDDSA))
- rc = _gcry_ecc_eddsa_genkey (&sk, &E, ctx, random_level);
+ rc = _gcry_ecc_eddsa_genkey (&sk, &E, ctx, flags);
else
- rc = nist_generate_key (&sk, &E, ctx, random_level, nbits, &Qx, &Qy);
+ rc = nist_generate_key (&sk, &E, ctx, flags, nbits, &Qx, &Qy);
if (rc)
goto leave;
diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
index 514f1eb..afa3454 100644
--- a/cipher/pubkey-util.c
+++ b/cipher/pubkey-util.c
@@ -1,7 +1,7 @@
/* pubkey-util.c - Supporting functions for all pubkey modules.
* Copyright (C) 1998, 1999, 2000, 2002, 2003, 2005,
* 2007, 2008, 2011 Free Software Foundation, Inc.
- * Copyright (C) 2013 g10 Code GmbH
+ * Copyright (C) 2013, 2015 g10 Code GmbH
*
* This file is part of Libgcrypt.
*
@@ -155,6 +155,10 @@ _gcry_pk_util_parse_flaglist (gcry_sexp_t list,
case 10:
if (!memcmp (s, "igninvflag", 10))
igninvflag = 1;
+ else if (!memcmp (s, "no-keytest", 10))
+ flags |= PUBKEY_FLAG_NO_KEYTEST;
+ else if (!igninvflag)
+ rc = GPG_ERR_INV_FLAG;
break;
case 11:
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index ab4f685..f13695a 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -2327,6 +2327,13 @@ random number generator. This flag may be used for keys which are
only used for a short time or per-message and do not require full
cryptographic strength.
+ at item no-keytest
+ at cindex no-keytest
+This flag skips internal failsafe tests to assert that a generated key
+is properly working. It currently has an effect only for standard ECC
+key generation. It is mostly useful along with transient-key to
+achieve fastest ECC key generation.
+
@item use-x931
@cindex X9.31
Force the use of the ANSI X9.31 key generation algorithm instead of
diff --git a/src/cipher.h b/src/cipher.h
index 7ad0b2c..ef183fd 100644
--- a/src/cipher.h
+++ b/src/cipher.h
@@ -40,6 +40,7 @@
#define PUBKEY_FLAG_NOCOMP (1 << 11)
#define PUBKEY_FLAG_EDDSA (1 << 12)
#define PUBKEY_FLAG_GOST (1 << 13)
+#define PUBKEY_FLAG_NO_KEYTEST (1 << 14)
enum pk_operation
diff --git a/tests/keygen.c b/tests/keygen.c
index 4aff9c9..8b9a1d5 100644
--- a/tests/keygen.c
+++ b/tests/keygen.c
@@ -1,5 +1,6 @@
/* keygen.c - key generation regression tests
* Copyright (C) 2003, 2005, 2012 Free Software Foundation, Inc.
+ * Copyright (C) 2013, 2015 g10 Code GmbH
*
* This file is part of Libgcrypt.
*
@@ -14,8 +15,7 @@
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
- * License along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#ifdef HAVE_CONFIG_H
@@ -432,7 +432,43 @@ check_ecc_keys (void)
show_sexp ("ECC key:\n", key);
check_generated_ecc_key (key);
+ gcry_sexp_release (key);
+
+
+ if (verbose)
+ show ("creating ECC key using curve Ed25519 for ECDSA (transient-key)\n");
+ rc = gcry_sexp_build (&keyparm, NULL,
+ "(genkey(ecc(curve Ed25519)(flags transient-key)))");
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
+ rc = gcry_pk_genkey (&key, keyparm);
+ gcry_sexp_release (keyparm);
+ if (rc)
+ die ("error generating ECC key using curve Ed25519 for ECDSA"
+ " (transient-key): %s\n",
+ gpg_strerror (rc));
+ if (verbose > 1)
+ show_sexp ("ECC key:\n", key);
+ check_generated_ecc_key (key);
+ gcry_sexp_release (key);
+ if (verbose)
+ show ("creating ECC key using curve Ed25519 for ECDSA "
+ "(transient-key no-keytest)\n");
+ rc = gcry_sexp_build (&keyparm, NULL,
+ "(genkey(ecc(curve Ed25519)"
+ "(flags transient-key no-keytest)))");
+ if (rc)
+ die ("error creating S-expression: %s\n", gpg_strerror (rc));
+ rc = gcry_pk_genkey (&key, keyparm);
+ gcry_sexp_release (keyparm);
+ if (rc)
+ die ("error generating ECC key using curve Ed25519 for ECDSA"
+ " (transient-key no-keytest): %s\n",
+ gpg_strerror (rc));
+ if (verbose > 1)
+ show_sexp ("ECC key:\n", key);
+ check_generated_ecc_key (key);
gcry_sexp_release (key);
}
commit 102d68b3bd77813a3ff989526855bb1e283bf9d7
Author: Werner Koch <wk at gnupg.org>
Date: Thu May 21 11:12:42 2015 +0200
ecc: Avoid double conversion to affine coordinates in keygen.
* cipher/ecc.c (nist_generate_key): Add args r_x and r_y.
(ecc_generate): Rename vars. Convert to affine coordinates only if
not returned by the lower level generation function.
--
nist_generate_key already needs to convert to affine coordinates to
implement Jivsov's trick. Thus we can return them and avoid calling
it in ecc_generate again.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 2f5e401..262fcd8 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -105,12 +105,30 @@ _gcry_register_pk_ecc_progress (void (*cb) (void *, const char *,
�
-/* Standard version of the key generation. */
+/**
+ * nist_generate_key - Standard version of the key generation.
+ *
+ * @sk: A struct to receive the secret key.
+ * @E: Parameters of the curve.
+ * @ctx: Elliptic curve computation context.
+ * @random_level: The quality of the random.
+ * @nbits: Only for testing
+ * @r_x: On success this receives an allocated MPI with the affine
+ * x-coordinate of the poblic key. On error NULL is stored.
+ * @r_y: Ditto for the y-coordinate.
+ *
+ * Return: An error code.
+ *
+ * FIXME: Check whether N is needed.
+ */
static gpg_err_code_t
nist_generate_key (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
- gcry_random_level_t random_level, unsigned int nbits)
+ gcry_random_level_t random_level, unsigned int nbits,
+ gcry_mpi_t *r_x, gcry_mpi_t *r_y)
{
mpi_point_struct Q;
+ gcry_mpi_t x, y;
+ const unsigned int pbits = mpi_get_nbits (E->p);
point_init (&Q);
@@ -146,6 +164,11 @@ nist_generate_key (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
sk->E.h = mpi_copy (E->h);
point_init (&sk->Q);
+ x = mpi_new (pbits);
+ y = mpi_new (pbits);
+ if (_gcry_mpi_ec_get_affine (x, y, &Q, ctx))
+ log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "Q");
+
/* We want the Q=(x,y) be a "compliant key" in terms of the
* http://tools.ietf.org/html/draft-jivsov-ecc-compact, which simply
* means that we choose either Q=(x,y) or -Q=(x,p-y) such that we
@@ -159,16 +182,10 @@ nist_generate_key (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
point_set (&sk->Q, &Q);
else
{
- gcry_mpi_t x, y, negative;
- const unsigned int pbits = mpi_get_nbits (E->p);
+ gcry_mpi_t negative;
- x = mpi_new (pbits);
- y = mpi_new (pbits);
negative = mpi_new (pbits);
- if (_gcry_mpi_ec_get_affine (x, y, &Q, ctx))
- log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "Q");
-
if (E->model == MPI_EC_WEIERSTRASS)
mpi_sub (negative, E->p, y); /* negative = p - y */
else
@@ -178,12 +195,18 @@ nist_generate_key (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
{
/* We need to end up with -Q; this assures that new Q's y is
the smallest one */
- mpi_sub (sk->d, E->n, sk->d); /* d = order - d */
if (E->model == MPI_EC_WEIERSTRASS)
- mpi_point_snatch_set (&sk->Q, x, negative,
- mpi_alloc_set_ui (1));
+ {
+ mpi_free (y);
+ y = negative;
+ }
else
- mpi_point_snatch_set (&sk->Q, negative, y, mpi_alloc_set_ui (1));
+ {
+ mpi_free (x);
+ x = negative;
+ }
+ mpi_sub (sk->d, E->n, sk->d); /* d = order - d */
+ mpi_point_set (&sk->Q, x, y, mpi_const (MPI_C_ONE));
if (DBG_CIPHER)
log_debug ("ecgen converted Q to a compliant point\n");
@@ -191,23 +214,16 @@ nist_generate_key (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
else /* p - y >= p */
{
/* No change is needed exactly 50% of the time: just copy. */
+ mpi_free (negative);
point_set (&sk->Q, &Q);
if (DBG_CIPHER)
log_debug ("ecgen didn't need to convert Q to a compliant point\n");
-
- mpi_free (negative);
- if (E->model == MPI_EC_WEIERSTRASS)
- mpi_free (x);
- else
- mpi_free (y);
}
-
- if (E->model == MPI_EC_WEIERSTRASS)
- mpi_free (y);
- else
- mpi_free (x);
}
+ *r_x = x;
+ *r_y = y;
+
point_free (&Q);
/* Now we can test our keys (this should never fail!). */
if (sk->E.model != MPI_EC_MONTGOMERY)
@@ -470,8 +486,10 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
unsigned int nbits;
elliptic_curve_t E;
ECC_secret_key sk;
- gcry_mpi_t x = NULL;
- gcry_mpi_t y = NULL;
+ gcry_mpi_t Gx = NULL;
+ gcry_mpi_t Gy = NULL;
+ gcry_mpi_t Qx = NULL;
+ gcry_mpi_t Qy = NULL;
char *curve_name = NULL;
gcry_sexp_t l1;
gcry_random_level_t random_level;
@@ -548,26 +566,27 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
random_level = GCRY_VERY_STRONG_RANDOM;
ctx = _gcry_mpi_ec_p_internal_new (E.model, E.dialect, 0, E.p, E.a, E.b);
- x = mpi_new (0);
- y = mpi_new (0);
if ((flags & PUBKEY_FLAG_EDDSA))
rc = _gcry_ecc_eddsa_genkey (&sk, &E, ctx, random_level);
else
- rc = nist_generate_key (&sk, &E, ctx, random_level, nbits);
+ rc = nist_generate_key (&sk, &E, ctx, random_level, nbits, &Qx, &Qy);
if (rc)
goto leave;
/* Copy data to the result. */
- if (_gcry_mpi_ec_get_affine (x, y, &sk.E.G, ctx))
+ Gx = mpi_new (0);
+ Gy = mpi_new (0);
+ if (_gcry_mpi_ec_get_affine (Gx, Gy, &sk.E.G, ctx))
log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "G");
- base = _gcry_ecc_ec2os (x, y, sk.E.p);
+ base = _gcry_ecc_ec2os (Gx, Gy, sk.E.p);
if (sk.E.dialect == ECC_DIALECT_ED25519 && !(flags & PUBKEY_FLAG_NOCOMP))
{
unsigned char *encpk;
unsigned int encpklen;
- rc = _gcry_ecc_eddsa_encodepoint (&sk.Q, ctx, x, y,
+ /* (Gx and Gy are used as scratch variables) */
+ rc = _gcry_ecc_eddsa_encodepoint (&sk.Q, ctx, Gx, Gy,
!!(flags & PUBKEY_FLAG_COMP),
&encpk, &encpklen);
if (rc)
@@ -578,9 +597,16 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
}
else
{
- if (_gcry_mpi_ec_get_affine (x, y, &sk.Q, ctx))
- log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "Q");
- public = _gcry_ecc_ec2os (x, y, sk.E.p);
+ if (!Qx)
+ {
+ /* This is the case for a key from _gcry_ecc_eddsa_generate
+ with no compression. */
+ Qx = mpi_new (0);
+ Qy = mpi_new (0);
+ if (_gcry_mpi_ec_get_affine (Qx, Qy, &sk.Q, ctx))
+ log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "Q");
+ }
+ public = _gcry_ecc_ec2os (Qx, Qy, sk.E.p);
}
secret = sk.d; sk.d = NULL;
if (E.name)
@@ -614,7 +640,8 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
curve_info, curve_flags,
sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, sk.E.h, public,
curve_info, curve_flags,
- sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, sk.E.h, public, secret);
+ sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, sk.E.h, public,
+ secret);
else
rc = sexp_build (r_skey, NULL,
"(key-data"
@@ -654,8 +681,10 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
mpi_free (sk.d);
}
_gcry_ecc_curve_free (&E);
- mpi_free (x);
- mpi_free (y);
+ mpi_free (Gx);
+ mpi_free (Gy);
+ mpi_free (Qx);
+ mpi_free (Qy);
_gcry_mpi_ec_free (ctx);
sexp_release (curve_flags);
sexp_release (curve_info);
commit 8124e357b732a719696bfd5271def4e528f2a1e1
Author: Werner Koch <wk at gnupg.org>
Date: Mon May 4 16:46:02 2015 +0200
random: Change initial extra seeding from 2400 bits to 128 bits.
* random/random-csprng.c (read_pool): Reduce initial seeding.
--
See discussion starting at
https://lists.gnupg.org/pipermail/gnupg-devel/2015-April/029750.html
and also in May.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/random/random-csprng.c b/random/random-csprng.c
index 332744b..da50fda 100644
--- a/random/random-csprng.c
+++ b/random/random-csprng.c
@@ -973,8 +973,8 @@ read_pool (byte *buffer, size_t length, int level)
pool_balance = 0;
needed = length - pool_balance;
- if (needed < POOLSIZE/2)
- needed = POOLSIZE/2;
+ if (needed < 16) /* At least 128 bits. */
+ needed = 16;
else if( needed > POOLSIZE )
BUG ();
read_random_source (RANDOM_ORIGIN_EXTRAPOLL, needed,
-----------------------------------------------------------------------
Summary of changes:
NEWS | 4 ++
cipher/ecc-common.h | 2 +-
cipher/ecc-eddsa.c | 22 ++++++++-
cipher/ecc.c | 128 +++++++++++++++++++++++++++++++------------------
cipher/pubkey-util.c | 6 ++-
doc/gcrypt.texi | 7 +++
random/random-csprng.c | 4 +-
src/cipher.h | 1 +
tests/keygen.c | 40 +++++++++++++++-
9 files changed, 159 insertions(+), 55 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
_______________________________________________
Gnupg-commits mailing list
Gnupg-commits at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-commits
More information about the Gcrypt-devel
mailing list