[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-376-gee7e1a0

by NIIBE Yutaka cvs at cvs.gnupg.org
Tue Apr 12 03:12:08 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  ee7e1a0e835f8ffcfbcba2a44abab8632db8fed5 (commit)
       via  7fbdb99b8c56360adfd1fb4e7f4c95e0f8aa34de (commit)
      from  5e5d3b90e22a3caa6b48af3b5582d800a9fb73ad (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ee7e1a0e835f8ffcfbcba2a44abab8632db8fed5
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Tue Apr 12 09:58:12 2016 +0900

    ecc: Fix X25519 computation on Curve25519.
    
    * cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
    PUBKEY_FLAG_DJB_TWEAK is enabled.
    (ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
    * tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.
    
    --
    
    The X25519 function is not a plain scalar multiplication but does
    two things: the scalar bits are tweaked before the scalar
    multiplication is applied, and the X0 function is applied to the
    result of the scalar multiplication.
    
    In libgcrypt, _gcry_mpi_ec_mul_point is a plain scalar multiplication
    and those two things are done in functions for ECDH with X25519.
    
    Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>

diff --git a/cipher/ecc.c b/cipher/ecc.c
index 7ab7244..f6b2b69 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -1282,15 +1282,12 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   rc = _gcry_pk_util_data_to_mpi (s_data, &data, &ctx);
   if (rc)
     goto leave;
-  if (DBG_CIPHER)
-    log_mpidump ("ecc_encrypt data", data);
   if (mpi_is_opaque (data))
     {
       rc = GPG_ERR_INV_DATA;
       goto leave;
     }
 
-
   /*
    * Extract the key.
    */
@@ -1327,6 +1324,21 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms)
       pk.E.dialect = ECC_DIALECT_STANDARD;
     }
 
+  /*
+   * Tweak the scalar bits by cofactor and number of bits of the field.
+   * It assumes the cofactor is a power of 2.
+   */
+  if ((flags & PUBKEY_FLAG_DJB_TWEAK))
+    {
+      int i;
+
+      for (i = 0; i < mpi_get_nbits (pk.E.h) - 1; i++)
+        mpi_clear_bit (data, i);
+      mpi_set_highbit (data, mpi_get_nbits (pk.E.p) - 1);
+    }
+  if (DBG_CIPHER)
+    log_mpidump ("ecc_encrypt data", data);
+
   if (DBG_CIPHER)
     {
       log_debug ("ecc_encrypt info: %s/%s\n",
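Review bot: The loop bound `i < mpi_get_nbits (pk.E.h) - 1` compares a signed `int i` against the unsigned value mpi_get_nbits returns; should `pk.E.h` ever yield 0 bits (cofactor unset), the subtraction wraps and the loop clears every bit of `data` until `i` overflows. Taking the count once as unsigned and guarding it avoids both problems: `unsigned int i, hbits = mpi_get_nbits (pk.E.h);` followed by `for (i = 0; hbits && i < hbits - 1; i++)`. The header comment states the power-of-two assumption on the cofactor but nothing in the hunk checks it, and the correctness of the tweak also depends on `mpi_set_highbit` clearing every bit above the one it sets — I believe that is its contract, but a comment saying so (`/* mpi_set_highbit also clears the bits above it.  */`) would spare the next reader the lookup. ecc_encrypt_raw begins and ends outside this hunk.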
@@ -1607,7 +1619,13 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
     else
       y = mpi_new (0);
 
-    if (_gcry_mpi_ec_get_affine (x, y, &R, ec))
+    /*
+     * Here, x is 0.  In the X25519 computation on Curve25519, X0
+     * function maps infinity to zero.  So, when PUBKEY_FLAG_DJB_TWEAK
+     * is enabled, we can just skip the check to get the result of 0.
+     */
+    if (_gcry_mpi_ec_get_affine (x, y, &R, ec)
+        && !(flags & PUBKEY_FLAG_DJB_TWEAK))
       log_fatal ("ecdh: Failed to get affine coordinates\n");
 
     if (y)
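Review bot: With PUBKEY_FLAG_DJB_TWEAK set, a failure of `_gcry_mpi_ec_get_affine` now silently produces a zero result, and for X25519 an all-zero shared secret is exactly the signal of a low-order peer point that RFC 7748 (section 6.1) says callers may want to reject. The comment should make that consequence explicit for callers, e.g. `An all-zero result here means the peer's point had low order; X25519 callers wishing contributory behaviour must check the returned value for zero (RFC 7748, 6.1).` The statement "Here, x is 0" also relies on `x` being freshly allocated and on get_affine not having partially written it before failing; both are outside the hunk and worth confirming. ecc_decrypt_raw begins and ends outside this hunk.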
diff --git a/tests/t-cv25519.c b/tests/t-cv25519.c
index 69aa005..7e551c2 100644
--- a/tests/t-cv25519.c
+++ b/tests/t-cv25519.c
@@ -192,8 +192,8 @@ test_cv (int testno, const char *k_str, const char *u_str,
   gpg_error_t err;
   void *buffer = NULL;
   size_t buflen;
-  unsigned char *p;
-  gcry_sexp_t s_sk = NULL;
+  gcry_sexp_t s_pk = NULL;
+  gcry_mpi_t mpi_k = NULL;
   gcry_sexp_t s_data = NULL;
   gcry_sexp_t s_result = NULL;
   gcry_sexp_t s_tmp = NULL;
@@ -210,29 +210,22 @@ test_cv (int testno, const char *k_str, const char *u_str,
       goto leave;
     }
 
-  /*
-   * Do what decodeScalar25519 does.
-   */
-  p = (unsigned char *)buffer;
-  p[0] &= 248;
-  p[31] &= 127;
-  p[31] |= 64;
   reverse_buffer (buffer, buflen);
+  if ((err = gcry_mpi_scan (&mpi_k, GCRYMPI_FMT_USG, buffer, buflen, NULL)))
+    {
+      fail ("error converting MPI for test %d: %s", testno, gpg_strerror (err));
+      goto leave;
+    }
 
-  if ((err = gcry_sexp_build (&s_sk, NULL,
-                              "(private-key"
-                              " (ecc"
-                              "  (curve \"Curve25519\")"
-                              "  (flags djb-tweak)"
-                              "  (d %b)))", (int)buflen, buffer)))
+  if ((err = gcry_sexp_build (&s_data, NULL, "%m", mpi_k)))
     {
       fail ("error building s-exp for test %d, %s: %s",
-            testno, "sk", gpg_strerror (err));
+            testno, "data", gpg_strerror (err));
       goto leave;
     }
 
   xfree (buffer);
-  if (!(buffer = hex2buffer (u_str, &buflen)))
+  if (!(buffer = hex2buffer (u_str, &buflen)) || buflen != 32)
     {
       fail ("error building s-exp for test %d, %s: %s",
             testno, "u", "invalid hex string");
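Review bot: The added `|| buflen != 32` shares the failure path whose message still reads `"invalid hex string"`, so a syntactically valid but wrongly sized u value is misreported. Either change the message to `"invalid hex string or wrong length"` or split the two conditions so each reports its own cause. The scalar k, decoded further up in test_cv outside this hunk, would presumably benefit from the same 32-byte check before `gcry_mpi_scan`, so that a malformed vector fails in the test rather than being silently accepted — worth confirming against the start of the function.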
@@ -247,26 +240,28 @@ test_cv (int testno, const char *k_str, const char *u_str,
    * We could add the prefix 0x40, but libgcrypt also supports
    * format with no prefix.  So, it is OK not to put the prefix.
    */
-  if ((err = gcry_sexp_build (&s_data, NULL,
-                              "(enc-val"
-                              " (ecdh"
-                              "  (e %b)))", (int)buflen, buffer)))
+  if ((err = gcry_sexp_build (&s_pk, NULL,
+                              "(public-key"
+                              " (ecc"
+                              "  (curve \"Curve25519\")"
+                              "  (flags djb-tweak)"
+                              "  (q%b)))", (int)buflen, buffer)))
     {
       fail ("error building s-exp for test %d, %s: %s",
-            testno, "data", gpg_strerror (err));
+            testno, "pk", gpg_strerror (err));
       goto leave;
     }
 
   xfree (buffer);
   buffer = NULL;
 
-  if ((err = gcry_pk_decrypt (&s_result, s_data, s_sk)))
-    fail ("gcry_pk_decrypt failed for test %d: %s", testno,
+  if ((err = gcry_pk_encrypt (&s_result, s_data, s_pk)))
+    fail ("gcry_pk_encrypt failed for test %d: %s", testno,
           gpg_strerror (err));
 
-  s_tmp = gcry_sexp_find_token (s_result, "value", 0);
+  s_tmp = gcry_sexp_find_token (s_result, "s", 0);
   if (!s_tmp || !(res = gcry_sexp_nth_buffer (s_tmp, 1, &res_len)))
-    fail ("gcry_pk_decrypt failed for test %d: %s", testno, "missing value");
+    fail ("gcry_pk_encrypt failed for test %d: %s", testno, "missing value");
   else
     {
       char *r, *r0;
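Review bot: When `gcry_pk_encrypt` fails, control still falls through to `gcry_sexp_find_token (s_result, "s", 0)` with `s_result` left NULL, so a single failure is presumably reported twice ("gcry_pk_encrypt failed" followed by "missing value"). Wrapping the call as `if ((err = gcry_pk_encrypt (&s_result, s_data, s_pk))) { fail ("gcry_pk_encrypt failed for test %d: %s", testno, gpg_strerror (err)); goto leave; }` reports it once and skips the dead lookup. The pattern was inherited from the decrypt version, but the rewrite is the natural moment to fix it. test_cv continues outside this hunk in both directions.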
@@ -275,16 +270,16 @@ test_cv (int testno, const char *k_str, const char *u_str,
       /* To skip the prefix 0x40, for-loop start with i=1 */
       r0 = r = xmalloc (2*(res_len)+1);
       if (!r0)
-	{
-	  fail ("memory allocation", testno);
-	  goto leave;
-	}
+        {
+          fail ("memory allocation", testno);
+          goto leave;
+        }
 
       for (i=1; i < res_len; i++, r += 2)
         snprintf (r, 3, "%02x", res[i]);
       if (strcmp (result_str, r0))
         {
-          fail ("gcry_pk_decrypt failed for test %d: %s",
+          fail ("gcry_pk_encrypt failed for test %d: %s",
                 testno, "wrong value returned");
           show ("  expected: '%s'", result_str);
           show ("       got: '%s'", r0);
@@ -294,10 +289,11 @@ test_cv (int testno, const char *k_str, const char *u_str,
 
  leave:
   xfree (res);
+  gcry_mpi_release (mpi_k);
   gcry_sexp_release (s_tmp);
   gcry_sexp_release (s_result);
   gcry_sexp_release (s_data);
-  gcry_sexp_release (s_sk);
+  gcry_sexp_release (s_pk);
   xfree (buffer);
 }
 
@@ -370,7 +366,7 @@ test_it (int testno, const char *k_str, int iter, const char *result_str)
       gcry_mpi_ec_get_affine (mpi_k, NULL, Q, ctx);
 
       if (debug)
-	print_mpi ("k", mpi_k);
+        print_mpi ("k", mpi_k);
     }
 
   {
@@ -383,8 +379,8 @@ test_it (int testno, const char *k_str, int iter, const char *result_str)
     r0 = r = xmalloc (65);
     if (!r0)
       {
-	fail ("memory allocation", testno);
-	goto leave;
+        fail ("memory allocation", testno);
+        goto leave;
       }
 
     for (i=0; i < 32; i++, r += 2)
@@ -395,7 +391,7 @@ test_it (int testno, const char *k_str, int iter, const char *result_str)
         fail ("curv25519 failed for test %d: %s",
               testno, "wrong value returned");
         show ("  expected: '%s'", result_str);
-	show ("       got: '%s'", r0);
+        show ("       got: '%s'", r0);
       }
     xfree (r0);
   }

commit 7fbdb99b8c56360adfd1fb4e7f4c95e0f8aa34de
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Tue Apr 12 09:19:32 2016 +0900

    ecc: Fix initialization of EC context.
    
    * cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
    (ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Pass FLAGS
    to _gcry_mpi_ec_p_internal_new when initializing the EC context.
    
    --
    Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>

diff --git a/cipher/ecc.c b/cipher/ecc.c
index 759ca42..7ab7244 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -356,7 +356,7 @@ test_ecdh_only_keys (ECC_secret_key *sk, unsigned int nbits, int flags)
       _gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
     }
 
-  ec = _gcry_mpi_ec_p_internal_new (pk.E.model, pk.E.dialect, 0,
+  ec = _gcry_mpi_ec_p_internal_new (pk.E.model, pk.E.dialect, flags,
                                     pk.E.p, pk.E.a, pk.E.b);
   x0 = mpi_new (0);
   x1 = mpi_new (0);
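Review bot: The same one-line fix — forwarding `flags` instead of `0` to `_gcry_mpi_ec_p_internal_new` — is applied here and in the four hunks that follow (ecc_generate, ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw). Any other caller of `_gcry_mpi_ec_p_internal_new` in cipher/ecc.c that is not part of this diff, such as the sign or verify paths if they build a context the same way, would still pass 0 and miss whatever the flags parameter controls; a grep for the remaining call sites before merging would settle that. A short comment at the declaration of `_gcry_mpi_ec_p_internal_new` describing what its flags argument influences would make such an omission easier to catch in review. All five enclosing functions begin and end outside their hunks.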
@@ -592,7 +592,7 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
       log_printpnt ("ecgen curve G", &E.G, NULL);
     }
 
-  ctx = _gcry_mpi_ec_p_internal_new (E.model, E.dialect, 0, E.p, E.a, E.b);
+  ctx = _gcry_mpi_ec_p_internal_new (E.model, E.dialect, flags, E.p, E.a, E.b);
 
   if (E.model == MPI_EC_MONTGOMERY)
     rc = nist_generate_key (&sk, &E, ctx, flags, nbits, &Qx, NULL);
@@ -830,7 +830,7 @@ ecc_check_secret_key (gcry_sexp_t keyparms)
       goto leave;
     }
 
-  ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, 0,
+  ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, flags,
                                     sk.E.p, sk.E.a, sk.E.b);
 
   if (mpi_q)
@@ -1349,7 +1349,7 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms)
     }
 
   /* Compute the encrypted value.  */
-  ec = _gcry_mpi_ec_p_internal_new (pk.E.model, pk.E.dialect, 0,
+  ec = _gcry_mpi_ec_p_internal_new (pk.E.model, pk.E.dialect, flags,
                                     pk.E.p, pk.E.a, pk.E.b);
 
   /* Convert the public key.  */
@@ -1570,7 +1570,7 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
     }
 
 
-  ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, 0,
+  ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, flags,
                                     sk.E.p, sk.E.a, sk.E.b);
 
   /*

-----------------------------------------------------------------------

Summary of changes:
 cipher/ecc.c      | 36 +++++++++++++++++++++--------
 tests/t-cv25519.c | 68 ++++++++++++++++++++++++++-----------------------------
 2 files changed, 59 insertions(+), 45 deletions(-)

