Are we ready for 1.7?
NIIBE Yutaka
gniibe at fsij.org
Mon Apr 11 11:35:05 CEST 2016
On 04/08/2016 10:22 PM, Werner Koch wrote:
> On Fri, 8 Apr 2016 10:31, gniibe at fsij.org said:
>
>> I encountered this issue when I wrote tests/t-cv25519.c. If we keep
>> current API, the user would be confused. That's my concern.
>
> Depends on what the user wants to do.
Yes.
I was confused because it was not clear where it does the tweak of
bits. It had bugs and I wrote tests/t-cv25519.c without fixing bugs.
> Including cipher.h is not good because it mixes the MPI computations
> with the cipher operations.
I see. It is because PUBKEY_FLAG_DJB_TWEAK is defined in cipher.h.
Well, I should try a different approach.
Let me show the fix first. Then, I'll modify tests/t-cv25519.c.
Here is a possible fix.
It is not a final version as it assumes PUBKEY_FLAG_DJB_TWEAK is only
used for Curve25519; I will modify it to use the co-factor so that it is generic.
* When calling gcry_mpi_ec_p_internal_new, flags should not be forgotten.
* ecc_encrypt_raw should do the tweak of bits.
* ecc_decrypt_raw should allow the result of O for Montgomery Curve with
the flag PUBKEY_FLAG_DJB_TWEAK
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 759ca42..8de75b6 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -356,7 +356,7 @@ test_ecdh_only_keys (ECC_secret_key *sk, unsigned
int nbits, int flags)
_gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
}
- ec = _gcry_mpi_ec_p_internal_new (pk.E.model, pk.E.dialect, 0,
+ ec = _gcry_mpi_ec_p_internal_new (pk.E.model, pk.E.dialect, flags,
pk.E.p, pk.E.a, pk.E.b);
x0 = mpi_new (0);
x1 = mpi_new (0);
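Review bot: the original defect was a forgotten argument, and this patch repeats the same 0 -> flags substitution at every _gcry_mpi_ec_p_internal_new call site; a one-line comment at the function's declaration (or at this first call site) stating that the context must receive the key's flags for the tweak handling to take effect would make the next caller less likely to pass 0 again. Also confirm that `flags`, shown in the hunk header as a parameter of test_ecdh_only_keys, is the PUBKEY_FLAG_* word and not a different flag set.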
@@ -592,7 +592,7 @@ ecc_generate (const gcry_sexp_t genparms,
gcry_sexp_t *r_skey)
log_printpnt ("ecgen curve G", &E.G, NULL);
}
- ctx = _gcry_mpi_ec_p_internal_new (E.model, E.dialect, 0, E.p, E.a, E.b);
+ ctx = _gcry_mpi_ec_p_internal_new (E.model, E.dialect, flags, E.p,
E.a, E.b);
if (E.model == MPI_EC_MONTGOMERY)
rc = nist_generate_key (&sk, &E, ctx, flags, nbits, &Qx, NULL);
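Review bot: after this change `flags` is consumed twice in a row, once by the context here and once by nist_generate_key on the following line; a short comment that both uses are intentional would stop a later cleanup from dropping one of them as redundant.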
@@ -830,7 +830,7 @@ ecc_check_secret_key (gcry_sexp_t keyparms)
goto leave;
}
- ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, 0,
+ ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, flags,
sk.E.p, sk.E.a, sk.E.b);
if (mpi_q)
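Review bot: the hunk does not show where `flags` is populated in ecc_check_secret_key; confirm it has been parsed from keyparms before this call rather than still holding its initial value, otherwise the context is created without the tweak for a key that carries the flag and the secret-key check runs with the wrong arithmetic.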
@@ -1289,7 +1289,13 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t
s_data, gcry_sexp_t keyparms)
rc = GPG_ERR_INV_DATA;
goto leave;
}
-
+ if ((flags & PUBKEY_FLAG_DJB_TWEAK))
+ {
+ mpi_set_highbit (data, 254);
+ mpi_clear_bit (data, 0);
+ mpi_clear_bit (data, 1);
+ mpi_clear_bit (data, 2);
+ }
/*
* Extract the key.
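Review bot: the clamping constants are Curve25519-specific (bit 254 as the fixed high bit, bits 0-2 cleared for cofactor 8) inside a branch keyed on the generic PUBKEY_FLAG_DJB_TWEAK, which the cover note already acknowledges; before this lands, derive them from the curve's bit length and cofactor so a second tweaked curve does not silently get a wrong scalar. The block also mutates `data` in place, so a comment that `data` is a private copy parsed from s_data, not an MPI the caller still owns, belongs here. Finally, the clamp relies on `mpi_set_highbit (data, 254);` clearing the bits above 254 as well as setting it (bit 255 must be clear for the RFC 7748 clamp), and it sits after the `rc = GPG_ERR_INV_DATA; goto leave;` check above; state in a comment that the check is meant to see the unclamped value, since a scalar rejected there may be valid after clamping.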
@@ -1349,7 +1355,7 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t
s_data, gcry_sexp_t keyparms)
}
/* Compute the encrypted value. */
- ec = _gcry_mpi_ec_p_internal_new (pk.E.model, pk.E.dialect, 0,
+ ec = _gcry_mpi_ec_p_internal_new (pk.E.model, pk.E.dialect, flags,
pk.E.p, pk.E.a, pk.E.b);
/* Convert the public key. */
@@ -1570,7 +1576,7 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t
s_data, gcry_sexp_t keyparms)
}
- ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, 0,
+ ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, flags,
sk.E.p, sk.E.a, sk.E.b);
/*
@@ -1607,7 +1613,8 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t
s_data, gcry_sexp_t keyparms)
else
y = mpi_new (0);
- if (_gcry_mpi_ec_get_affine (x, y, &R, ec))
+ if (_gcry_mpi_ec_get_affine (x, y, &R, ec)
+ && !(flags & PUBKEY_FLAG_DJB_TWEAK))
log_fatal ("ecdh: Failed to get affine coordinates\n");
if (y)
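Review bot: once a failed _gcry_mpi_ec_get_affine is tolerated under PUBKEY_FLAG_DJB_TWEAK, the hunk does not show what `x` holds on that path; it should be set explicitly to the value the caller is expected to see for the point at infinity (all-zero for RFC 7748-style X25519) rather than whatever get_affine left in it, e.g. `if (_gcry_mpi_ec_get_affine (x, y, &R, ec))` / `{ if (!(flags & PUBKEY_FLAG_DJB_TWEAK)) log_fatal (...); mpi_set_ui (x, 0); }`. A comment that callers should treat an all-zero shared secret from a low-order peer point as a failure rather than as key material would also help, since this hunk turns what used to be a fatal error into a normal return.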
--
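As an added example (not code from this patch or from libgcrypt), here is the byte-level meaning of the tweak the patch applies with mpi_set_highbit/mpi_clear_bit, written with the curve's bit length and cofactor as parameters, the generic form the cover note says the final version will take, plus the all-zero check a decrypt side should run once the point at infinity is allowed through. Function names (djb_clamp, scalar_set_highbit, shared_secret_is_zero) and the constructed test scalars are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Scalars are little-endian byte arrays (RFC 7748 wire encoding).  The two
 * helpers mirror mpi_clear_bit and mpi_set_highbit from the patch. */
static void scalar_clear_bit (uint8_t *s, size_t n)
{
  s[n >> 3] &= (uint8_t)~(1u << (n & 7));
}
/* mpi_set_highbit (s, n): set bit n and clear every bit above it. */
static void scalar_set_highbit (uint8_t *s, size_t nbytes, size_t n)
{
  size_t i;
  for (i = n + 1; i < nbytes * 8; i++)
    scalar_clear_bit (s, i);
  s[n >> 3] |= (uint8_t)(1u << (n & 7));
}
/* The "DJB tweak" with curve parameters instead of constants: top bit fixed
 * at nbits-1, low log2(cofactor) bits cleared.  nbits=255, cofactor=8 is
 * exactly the ecc_encrypt_raw hunk (highbit 254, clear bits 0..2). */
void djb_clamp (uint8_t *s, size_t nbytes, size_t nbits, unsigned cofactor)
{
  size_t b;
  scalar_set_highbit (s, nbytes, nbits - 1);
  for (b = 0; (1u << b) < cofactor; b++)
    scalar_clear_bit (s, b);
}
void x25519_clamp (uint8_t s[32]) { djb_clamp (s, 32, 255, 8); }
void x448_clamp (uint8_t s[56]) { djb_clamp (s, 56, 448, 4); }
/* Decrypt side: a low-order peer point sends the ladder to the point at
 * infinity and the shared secret comes out all-zero (RFC 7748 section 6
 * describes this check).  Returns nonzero when the result must be rejected;
 * the OR-accumulate has no early exit, so the check does not leak timing. */
int shared_secret_is_zero (const uint8_t *out, size_t nbytes)
{
  uint8_t acc = 0;
  size_t i;
  for (i = 0; i < nbytes; i++)
    acc |= out[i];
  return acc == 0;
}
/* Self-check on constructed inputs: all-0xff and all-0x00 scalars. */
int djb_clamp_selftest (void)
{
  uint8_t a[32], b[56], z[32];
  memset (a, 0xff, sizeof a); x25519_clamp (a);
  memset (b, 0x00, sizeof b); x448_clamp (b);
  memset (z, 0x00, sizeof z);
  return a[0] == 0xf8 && a[31] == 0x7f && b[0] == 0 && b[55] == 0x80
         && shared_secret_is_zero (z, 32) && !shared_secret_is_zero (a, 32);
}
```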