From ametzler at bebt.de Tue Sep 6 19:13:04 2022
From: ametzler at bebt.de (Andreas Metzler)
Date: Tue, 6 Sep 2022 19:13:04 +0200
Subject: Test message regarding T5816
Message-ID:

Hello,

testing whether this ML was also fixed. Please ignore.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From derek.cole at gmail.com Wed Sep 7 23:20:20 2022
From: derek.cole at gmail.com (Derek Cole)
Date: Wed, 7 Sep 2022 17:20:20 -0400
Subject: Properly Compiling gcrypt for all debug symbols
Message-ID:

Hello All,

I am trying to compile libcrypt to enable all debug symbols. In particular, I am seeing that gcry_mpi_t variables are in GDB. I am using the following, which I found online, to compile:

CFLAGS='-g -O0' CXXFLAGS='-g -O0' ./configure --enable-static --sysconfdir=/etc --sharedstatedir=/var/lib --localstatedir=/var/local --runstatedir=/run --libdir=/usr/local/lib/x86_64-linux-gnu --enable-m-guard --enable-hmac-binary-check --with-capabilities && make -j$(nproc) && make install

Any assistance would be greatly appreciated.

Thanks,
Derek

From cllang at redhat.com Wed Sep 21 13:12:08 2022
From: cllang at redhat.com (Clemens Lang)
Date: Wed, 21 Sep 2022 13:12:08 +0200
Subject: [PATCH] fips: Skip PCT if RSA keygen test-parms specified
Message-ID: <20220921111208.6312-1-cllang@redhat.com>

* cipher/rsa.c (rsa_generate): Skip PCT if test-parms were specified.
* tests/t-rsa-testparm.c: Add test for this functionality.
* tests/Makefile.am: Add test to build system.
--

ACVP testing uses the test-parms option to specify p and q to be checked
for primality. When test-parms is specified, generate_fips() always
returns keys with p=q=0. These keys then fail the pairwise consistency
test, because they cannot be used to successfully sign a message and
verify the signature.

Skip the PCT when test-parms is specified. Add a regression test to check
that this functionality continues to work in the future.

Signed-off-by: Clemens Lang
---
 cipher/rsa.c           |   5 +-
 tests/Makefile.am      |   2 +-
 tests/t-rsa-testparm.c | 130 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 135 insertions(+), 2 deletions(-)
 create mode 100644 tests/t-rsa-testparm.c

diff --git a/cipher/rsa.c b/cipher/rsa.c
index 87f57b55..1a935d80 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1218,6 +1218,7 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) int flags = 0; gcry_sexp_t l1; gcry_sexp_t swap_info = NULL; + int testparms = 0; memset (&sk, 0, sizeof sk); @@ -1274,6 +1275,8 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) } deriveparms = (genparms? sexp_find_token (genparms, "test-parms", 0) /**/ : NULL); + if (deriveparms) + testparms = 1; /* Generate. */ if (deriveparms || fips_mode ()) @@ -1311,7 +1314,7 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) mpi_free (sk.u); sexp_release (swap_info); - if (!ec && fips_mode () && test_keys_fips (*r_skey)) + if (!ec && !testparms && fips_mode () && test_keys_fips (*r_skey)) { sexp_release (*r_skey); *r_skey = NULL; fips_signal_error ("self-test after key generation failed");
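Review bot: the third hunk lets any caller that puts a `test-parms` token into the genkey s-expression bypass the FIPS pairwise consistency test, and that is only safe because, as the commit message states, generate_fips() returns p=q=0 for such requests, so nothing usable leaves rsa_generate() without a PCT. That invariant is not visible at `if (!ec && !testparms && fips_mode () && test_keys_fips (*r_skey))`; add a comment there saying that test-parms requests never yield a usable key, so a later change to generate_fips() that does return real key material for test-parms cannot silently reintroduce an untested key path. Minor, first and second hunks: `testparms` only records `deriveparms != NULL`; if `deriveparms` is still live at the PCT site, `!deriveparms` would do without the extra flag, otherwise a one-line comment at the declaration explaining why the flag is captured early would help the next reader.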
diff --git a/tests/Makefile.am b/tests/Makefile.am index f65725bc..302d923b 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -28,7 +28,7 @@ tests_bin = \ aeswrap random if USE_RSA -tests_bin += pkcs1v2 t-rsa-pss t-rsa-15 +tests_bin += pkcs1v2 t-rsa-pss t-rsa-15 t-rsa-testparm endif if USE_DSA diff --git a/tests/t-rsa-testparm.c b/tests/t-rsa-testparm.c new file mode 100644 index 00000000..65617855 --- /dev/null +++ b/tests/t-rsa-testparm.c 
@@ -0,0 +1,130 @@ +/* t-rsa-testparm.c - Check the RSA Key Generation test-parm parameter + * Copyright (C) 2022 g10 Code GmbH + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program; if not, see . + */ + +#ifdef HAVE_CONFIG_H +#include +#endif +#include +#include +#include +#include + +#include "stopwatch.h" + +#define PGM "t-rsa-testparm" +#include "t-common.h" + + +static void +check_rsa_testparm () +{ + gpg_error_t err; + gcry_sexp_t keyspec = NULL; + gcry_sexp_t key = NULL; + const char *sexp = "(genkey (rsa (nbits \"2048\") (test-parms " + "(e \"65537\")" + "(p #00bbccabcee15d343944a47e492d4b1f4de79633e20cbb46f7d2d6813392a807ad048" + "cf77528edd19f77e7453f25173b9dcb70423afa2037aae147b81a33d541fc58f875ef" + "f1e852ab55e2e09a3debfbc151b3b0d17fef6f74d81fca14fbae531418e211ef81859" + "2af70de5cec3b92795cc3578572bf456099cd8727150e523261#)" + "(q #00ca87ecf2883f4ed00a9ec65abdeba81d28edbfcc34ecc563d587f166b52d42bfbe2" + "2bbc095b0b8426a2f8bbc55baaa8859b42cbc376ed3067db3ef7b135b63481322911e" + "bbd7014db83aa051e0ca2dbf302b75cd37f2ae8df90e134226e92f6353a284b28bb30" + "af0bbf925b345b955328379866ebac11d55bc80fe84f105d415#)" + ")))"; + + info ("Checking RSA KeyGen test-parm parameter.\n"); + + err = gcry_sexp_build (&keyspec, NULL, sexp); + if (err) + { + fail ("error building SEXP for test: %s", gpg_strerror (err)); + goto leave; + } + + err = gcry_pk_genkey (&key, 
keyspec); + if (err) + { + fail ("gcry_pk_genkey failed for test: %s", gpg_strerror (err)); + goto leave; + } + +leave: + if (key) + gcry_sexp_release (key); + if (keyspec) + gcry_sexp_release (keyspec); +} + + +int +main (int argc, char **argv) +{ + int last_argc = -1; + + if (argc) + { argc--; argv++; } + + while (argc && last_argc != argc ) + { + last_argc = argc; + if (!strcmp (*argv, "--")) + { + argc--; argv++; + break; + } + else if (!strcmp (*argv, "--help")) + { + fputs ("usage: " PGM " [options]\n" + "Options:\n" + " --verbose print timings etc.\n" + " --debug flyswatter\n", + stdout); + exit (0); + } + else if (!strcmp (*argv, "--verbose")) + { + verbose++; + argc--; argv++; + } + else if (!strcmp (*argv, "--debug")) + { + verbose += 2; + debug++; + argc--; argv++; + } + else if (!strncmp (*argv, "--", 2)) + die ("unknown option '%s'", *argv); + + } + + xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0)); + if (!gcry_check_version (GCRYPT_VERSION)) + die ("version mismatch\n"); + if (debug) + xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 0xffffffff, 0)); + + start_timer (); + check_rsa_testparm (); + stop_timer (); + + info ("All tests completed in %s. Errors: %d\n", + elapsed_time (1), error_count); + return !!error_count; +} -- 2.37.3 From gniibe at fsij.org Thu Sep 22 06:55:28 2022 From: gniibe at fsij.org (NIIBE Yutaka) Date: Thu, 22 Sep 2022 13:55:28 +0900 Subject: [PATCH] fips: Skip PCT if RSA keygen test-parms specified In-Reply-To: <20220921111208.6312-1-cllang@redhat.com> References: <20220921111208.6312-1-cllang@redhat.com> Message-ID: <87mtasrosf.fsf@akagi.fsij.org> Clemens Lang wrote: > Skip the PCT when test-parms is specified. Thank you. Applied and pushed to master and 1.10 branch. -- From gniibe at fsij.org Tue Sep 27 02:54:10 2022 
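Review bot: t-rsa-testparm.c never enables FIPS mode, so in a default build the `fips_mode ()` term of the guarded condition in rsa.c is false, the PCT never runs, and check_rsa_testparm() passes with or without the rsa.c change; the regression test only exercises the fix when the binary runs in FIPS mode. Either force FIPS mode in main() before `gcry_check_version` (GCRYCTL_FORCE_FIPS_MODE exists for this) or say in the file comment that the test is only meaningful under the FIPS test run. Also, the test checks nothing beyond `gcry_pk_genkey` returning success; asserting something about the returned `key` (that it is the all-zero test-parms result the commit message describes) would make a vacuous pass less likely.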
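The pairwise consistency test discussed in the patch above, as an added example that is not libgcrypt code and not part of Clemens Lang's patch: a toy 64-bit RSA key generator that, like the generate_fips() path described in the commit message, only checks caller-supplied p and q for primality when a test-parms request comes in and leaves the key all-zero, so an unconditional PCT on that result can only fail. The type and function names (toy_rsa_key, toy_rsa_keygen, toy_rsa_pct, toy_rsa_generate, is_prime_u64), the 20-bit primes 999983 and 1000003 and the test value 0x5ec0de are constructed for the example; libgcrypt's real PCT is test_keys_fips() in cipher/rsa.c and works on multi-precision integers.

```c
/* Added example, not libgcrypt code: toy 64-bit RSA keygen with a
 * pairwise-consistency test (PCT) and a test-parms mode that only checks
 * the supplied primes. Needs GCC or Clang for unsigned __int128. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
  uint64_t n, e, d;   /* modulus, public exponent, private exponent */
  uint64_t p, q;      /* prime factors; all-zero means "no usable key" */
} toy_rsa_key;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
  return (uint64_t)(((unsigned __int128)a * b) % m);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
  uint64_t r = 1 % m;
  for (b %= m; e; e >>= 1) {
    if (e & 1) r = mulmod(r, b, m);
    b = mulmod(b, b, m);
  }
  return r;
}

/* Deterministic Miller-Rabin; this base set is exact for every n < 2^64. */
static bool is_prime_u64(uint64_t n) {
  static const uint64_t bases[] = {2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37};
  const size_t nb = sizeof bases / sizeof bases[0];
  if (n < 2) return false;
  for (size_t i = 0; i < nb; i++) {
    if (n == bases[i]) return true;
    if (n % bases[i] == 0) return false;
  }
  uint64_t d = n - 1;
  int s = 0;
  while (!(d & 1)) { d >>= 1; s++; }
  for (size_t i = 0; i < nb; i++) {
    uint64_t x = powmod(bases[i], d, n);
    if (x == 1 || x == n - 1) continue;
    bool witness = true;                 /* stays true => n is composite */
    for (int r = 1; r < s && witness; r++) {
      x = mulmod(x, x, n);
      if (x == n - 1) witness = false;
    }
    if (witness) return false;
  }
  return true;
}

/* Modular inverse by extended Euclid; returns 0 when gcd(a, m) != 1. */
static uint64_t invmod(uint64_t a, uint64_t m) {
  __int128 t = 0, newt = 1;
  uint64_t r = m, newr = a % m;
  while (newr) {
    uint64_t qt = r / newr;
    __int128 tmp = t - (__int128)qt * newt; t = newt; newt = tmp;
    uint64_t tr = r % newr; r = newr; newr = tr;
  }
  if (r != 1) return 0;
  if (t < 0) t += m;
  return (uint64_t)t;
}

/* Keygen from caller-supplied primes. With testparms set it models the
 * generate_fips() behaviour the commit message describes: p and q are only
 * checked for primality and the returned key stays all-zero. */
static bool toy_rsa_keygen(toy_rsa_key *k, uint64_t p, uint64_t q, uint64_t e,
                           bool testparms) {
  memset(k, 0, sizeof *k);
  if (!is_prime_u64(p) || !is_prime_u64(q) || p == q) return false;
  if (testparms) return true;          /* primes are fine, no key is produced */
  k->p = p; k->q = q; k->e = e;
  k->n = p * q;
  k->d = invmod(e, (p - 1) * (q - 1));
  return k->d != 0;
}

/* PCT: sign a fixed value with d, verify with e, and reject a corrupted
 * signature. A zero key cannot even be exercised, so it fails the PCT. */
static bool toy_rsa_pct(const toy_rsa_key *k) {
  const uint64_t msg = 0x5ec0de;       /* constructed test value, must be < n */
  if (k->n == 0 || k->d == 0 || msg >= k->n) return false;
  uint64_t sig = powmod(msg, k->d, k->n);
  if (powmod(sig, k->e, k->n) != msg) return false;
  return powmod(sig ^ 1, k->e, k->n) != msg;
}

/* Models rsa_generate() after the patch: the PCT is mandatory unless the
 * request was a test-parms check, whose result is never a usable key. */
static bool toy_rsa_generate(toy_rsa_key *k, uint64_t p, uint64_t q, uint64_t e,
                             bool testparms) {
  if (!toy_rsa_keygen(k, p, q, e, testparms)) return false;
  return testparms || toy_rsa_pct(k);
}

int main(void) {
  toy_rsa_key k;
  bool real = toy_rsa_generate(&k, 999983, 1000003, 65537, false);
  printf("real keygen + PCT: %s\n", real ? "ok" : "FAIL");
  bool tp = toy_rsa_generate(&k, 999983, 1000003, 65537, true);
  printf("test-parms check: %s; key is zero, so an unconditional PCT would %s\n",
         tp ? "primes ok" : "not prime", toy_rsa_pct(&k) ? "pass" : "fail");
  return 0;
}
```

Running it prints that the real key passes its PCT while the test-parms request reports the primes as acceptable yet leaves a key on which the PCT fails, which is exactly why the patch gates the PCT on the test-parms flag rather than on the keygen result.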
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 27 Sep 2022 09:54:10 +0900
Subject: Unintended Variable Length Array in ec-nist.c
Message-ID: <87a66lvdql.fsf@akagi.fsij.org>

Hello,

While we allow use of some features of C99 for libgcrypt, we don't use
variable length arrays in the code.

Thus, I'm considering adding the -Wvla option in configure.ac. In master,
I found a use of variable length arrays in ec-nist.c. I attach the
compiler's warning message when it is compiled with the -Wvla option.

I think that it's not intended. Unfortunately, even if we added a const
qualifier to the variable 'wsize' (because what is needed here is a
constant expression), it is still considered a variable length array by
compilers.

I think that the use of a macro for the size is needed here, although it
would not look like modern code.

==========================
gcc -DHAVE_CONFIG_H -I. -I../../../libgcrypt/mpi -I.. -I../src -I../../../libgcrypt/src -I/usr/local/include/x86_64-linux-gnu -g -O2 -fvisibility=hidden -fno-delete-null-pointer-checks -Wall -Wvla -MT ec-nist.lo -MD -MP -MF .deps/ec-nist.Tpo -c ../../../libgcrypt/mpi/ec-nist.c -fPIC -DPIC -o .libs/ec-nist.o
../../../libgcrypt/mpi/ec-nist.c: In function '_gcry_mpi_ec_nist192_mod':
../../../libgcrypt/mpi/ec-nist.c:98:3: warning: ISO C90 forbids variable length array 's' [-Wvla]
   98 |   mpi_limb64_t s[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c:99:3: warning: ISO C90 forbids variable length array 'o' [-Wvla]
   99 |   mpi_limb64_t o[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c: In function '_gcry_mpi_ec_nist224_mod':
../../../libgcrypt/mpi/ec-nist.c:191:3: warning: ISO C90 forbids variable length array 's' [-Wvla]
  191 |   mpi_limb64_t s[wsize];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c:192:3: warning: ISO C90 forbids variable length array 'd' [-Wvla]
  192 |   mpi_limb64_t d[wsize];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c: In function '_gcry_mpi_ec_nist256_mod':
../../../libgcrypt/mpi/ec-nist.c:350:3: warning: ISO C90 forbids variable length array 's' [-Wvla]
  350 |   mpi_limb64_t s[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c:351:3: warning: ISO C90 forbids variable length array 't' [-Wvla]
  351 |   mpi_limb64_t t[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c:352:3: warning: ISO C90 forbids variable length array 'd' [-Wvla]
  352 |   mpi_limb64_t d[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c:353:3: warning: ISO C90 forbids variable length array 'e' [-Wvla]
  353 |   mpi_limb64_t e[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c: In function '_gcry_mpi_ec_nist384_mod':
../../../libgcrypt/mpi/ec-nist.c:603:3: warning: ISO C90 forbids variable length array 's' [-Wvla]
  603 |   mpi_limb64_t s[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c:604:3: warning: ISO C90 forbids variable length array 't' [-Wvla]
  604 |   mpi_limb64_t t[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c:605:3: warning: ISO C90 forbids variable length array 'd' [-Wvla]
  605 |   mpi_limb64_t d[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c:606:3: warning: ISO C90 forbids variable length array 'x' [-Wvla]
  606 |   mpi_limb64_t x[wsize + 1];
      |   ^~~~~~~~~~~~
../../../libgcrypt/mpi/ec-nist.c: In function '_gcry_mpi_ec_nist521_mod':
../../../libgcrypt/mpi/ec-nist.c:795:3: warning: ISO C90 forbids variable length array 's' [-Wvla]
  795 |   mpi_limb_t s[wsize];
      |   ^~~~~~~~~~
--

From jussi.kivilinna at iki.fi Wed Sep 28 20:23:10 2022
From: jussi.kivilinna at iki.fi (Jussi Kivilinna)
Date: Wed, 28 Sep 2022 21:23:10 +0300
Subject: Unintended Variable Length Array in ec-nist.c
In-Reply-To: <87a66lvdql.fsf@akagi.fsij.org>
References: <87a66lvdql.fsf@akagi.fsij.org>
Message-ID: <3a5400f0-39c7-d7af-e5c7-63259b8d8ec6@iki.fi>

Hello,

On 27.9.2022 3.54, NIIBE Yutaka wrote:
> Hello,
>
> While we allow use of some features of C99 for libgcrypt, we don't use
> variable length arrays in the code.
>
> Thus, I'm considering adding the -Wvla option in configure.ac. In master,
> I found a use of variable length arrays in ec-nist.c. I attach the
> compiler's warning message when it is compiled with the -Wvla option.
>
> I think that it's not intended. Unfortunately, even if we added a const
> qualifier to the variable 'wsize' (because what is needed here is a
> constant expression), it is still considered a variable length array by
> compilers.
>
> I think that the use of a macro for the size is needed here, although it
> would not look like modern code.

How about instead defining the arrays with the wanted size and defining
'wsize' with the sizeof of the array? This would avoid having macros. For
example like this:

index 69b05a6d..0de41e48 100644
--- a/mpi/ec-nist.c
+++ b/mpi/ec-nist.c
@@ -94,9 +94,9 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx) }; const mpi_limb64_t zero = LIMB_TO64(0); mpi_ptr_t wp; - mpi_size_t wsize = 192 / BITS_PER_MPI_LIMB64; - mpi_limb64_t s[wsize + 1]; - mpi_limb64_t o[wsize + 1]; + mpi_limb64_t s[192 / BITS_PER_MPI_LIMB64 + 1]; + mpi_limb64_t o[sizeof(s)]; + const mpi_size_t wsize = DIM(s) - 1; mpi_limb_t mask1; mpi_limb_t mask2; mpi_limb_t s_is_negative;

If we want to, we can get rid of the VLA in __gcry_burn_stack too. For
example, the following should work (it keeps GCC from turning the
recursive call into a loop and wiping the same 64-byte memory over and
over again):

void NOINLINE_FUNC
__gcry_burn_stack_recursive (unsigned int bytes)
{
  /* Separate non-inlined function so each level gets a fresh frame.  */
  __gcry_burn_stack (bytes);
}

void NOINLINE_FUNC
__gcry_burn_stack (unsigned int bytes)
{
  char buf[64];

  /* Wipe this frame's 64 bytes, then recurse for the remainder.  */
  _gcry_fast_wipememory (buf, sizeof buf);
  if (bytes > sizeof buf)
    __gcry_burn_stack_recursive (bytes - sizeof buf);
}

'__gcry_burn_stack_recursive' could be moved to a separate source file in
case the compiler does not support the noinline function attribute.

-Jussi

From gniibe at fsij.org Fri Sep 30 10:14:16 2022
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 30 Sep 2022 17:14:16 +0900
Subject: Unintended Variable Length Array in ec-nist.c
In-Reply-To: <3a5400f0-39c7-d7af-e5c7-63259b8d8ec6@iki.fi>
References: <87a66lvdql.fsf@akagi.fsij.org> <3a5400f0-39c7-d7af-e5c7-63259b8d8ec6@iki.fi>
Message-ID: <87k05ls2hz.fsf@akagi.fsij.org>

Thank you for your quick response.

Jussi Kivilinna wrote:
> How about instead defining the arrays with the wanted size and defining
> 'wsize' with the sizeof of the array? This would avoid having macros. For
> example like this:
>
> index 69b05a6d..0de41e48 100644
> --- a/mpi/ec-nist.c
> +++ b/mpi/ec-nist.c
> @@ -94,9 +94,9 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx) > }; > const mpi_limb64_t zero = LIMB_TO64(0); > mpi_ptr_t wp; > - mpi_size_t wsize = 192 / BITS_PER_MPI_LIMB64; > - mpi_limb64_t s[wsize + 1]; > - mpi_limb64_t o[wsize + 1]; > + mpi_limb64_t s[192 / BITS_PER_MPI_LIMB64 + 1]; > + mpi_limb64_t o[sizeof(s)]; > + const mpi_size_t wsize = DIM(s) - 1; > mpi_limb_t mask1; > mpi_limb_t mask2; > mpi_limb_t s_is_negative;

Looks nice with no macro definition. I like it.

> If we want to, we can get rid of the VLA in __gcry_burn_stack too.

I think that __gcry_burn_stack is OK with a VLA, because it's a quite
special use case and a !HAVE_VLA version is available.
--

From ian at cypherpunks.ca Fri Sep 30 13:36:06 2022
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 30 Sep 2022 07:36:06 -0400
Subject: Unintended Variable Length Array in ec-nist.c
In-Reply-To: <87k05ls2hz.fsf@akagi.fsij.org>
References: <87a66lvdql.fsf@akagi.fsij.org> <3a5400f0-39c7-d7af-e5c7-63259b8d8ec6@iki.fi> <87k05ls2hz.fsf@akagi.fsij.org>
Message-ID: <20220930113606.GE7424@yoink.cs.uwaterloo.ca>

On Fri, Sep 30, 2022 at 05:14:16PM +0900, NIIBE Yutaka wrote:
> Thank you for your quick response.
>
> Jussi Kivilinna wrote:
> > How about instead defining the arrays with the wanted size and defining
> > 'wsize' with the sizeof of the array? This would avoid having macros. For
> > example like this:
> >
> > index 69b05a6d..0de41e48 100644
> > --- a/mpi/ec-nist.c
> > +++ b/mpi/ec-nist.c
> > @@ -94,9 +94,9 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx) > > }; > > const mpi_limb64_t zero = LIMB_TO64(0); > > mpi_ptr_t wp; > > - mpi_size_t wsize = 192 / BITS_PER_MPI_LIMB64; > > - mpi_limb64_t s[wsize + 1]; > > - mpi_limb64_t o[wsize + 1]; > > + mpi_limb64_t s[192 / BITS_PER_MPI_LIMB64 + 1]; > > + mpi_limb64_t o[sizeof(s)];

Note that sizeof(s) is the number of *bytes* of s, not the number of
*elements* of s, so the above new code will declare o to be much larger
than the old code did.
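Review bot: in the quoted hunk, `+ mpi_limb64_t o[sizeof(s)];` sizes `o` in bytes rather than limbs, so `o` ends up with sizeof(mpi_limb64_t) times as many elements as `s` instead of the `wsize + 1` the removed line had (as Ian Goldberg notes above); `mpi_limb64_t o[DIM(s)];` keeps the two scratch arrays the same size and still avoids the VLA, and `const mpi_size_t wsize = DIM(s) - 1;` then stays correct. The hunk also only touches _gcry_mpi_ec_nist192_mod, while the -Wvla output earlier in the thread lists the same pattern in the 224, 256, 384 and 521 reductions (some with `s[wsize]` rather than `s[wsize + 1]`), so each of those needs its own fixed-size declaration before -Wvla can go into configure.ac without new warnings.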