Deterministic DSA

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Sep 8 17:00:52 CEST 2013


On 09/08/2013 05:26 AM, Werner Koch wrote:
> @@ -177,11 +197,20 @@ do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
>    if (mdlen > qbits/8)
>      mdlen = qbits/8;
>  
> -  /* Create the S-expression.  We need to convert to an MPI first
> -     because we want an unsigned integer.  Using %b directly is not
> -     possible because libgcrypt assumes an mpi and uses
> -     GCRYMPI_FMT_STD for parsing and thus possible yielding a negative
> -     value.  */
> +  /* Create the S-expression.  If we are using Libgcrypt 1.6 we make
> +     use of Deterministic DSA.  Libgcrypt < 1.6 does not implement
> +     RFC-6979 and also requires us to convert to an MPI because it
> +     expects an unsigned integer.  Using %b directly is not possible
> +     because Libgcrypt assumes an MPI and uses GCRYMPI_FMT_STD for
> +     parsing and thus possible yielding a negative value.  */
> +#if GCRYPT_VERSION_NUMBER >= 0x010600 /* Libgcrypt >= 1.6 */
> +  {
> +    err = gcry_sexp_build (&hash, NULL,
> +                           "(data (flags rfc6979) (hash %s %b))",
> +                           rfc6979_hash_algo_string (mdlen),
> +                           (int)mdlen, md);
> +  }
> +#else /* Libgcrypt < 1.6 */
>    {
>      gcry_mpi_t mpi;
>  
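Review bot: the guard `#if GCRYPT_VERSION_NUMBER >= 0x010600` tests the headers the build sees, not the library the binary is loaded against; since `(flags rfc6979)` is only text inside the gcry_sexp_build format string, nothing in the new branch needs 1.6 headers, so the choice can be made at runtime with `if (gcry_check_version ("1.6.0"))` and the MPI path kept as the fallback. Separately, `rfc6979_hash_algo_string (mdlen)` is evaluated after `mdlen` has been clamped to `qbits/8`, so the hash named in the S-expression is chosen by the truncated length rather than by the digest algorithm that actually produced `md`; if interoperability with other RFC 6979 implementations matters, pass the real hash algorithm instead of inferring it from the length. The rewritten comment also carries over "thus possible yielding", where "possibly" is meant.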
> @@ -193,6 +222,7 @@ do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
>          gcry_mpi_release (mpi);
>        }
>    }
> +#endif /* Libgcrypt < 1.6 */
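Review bot: with this `#endif` closing the `#else` branch, the MPI-conversion path is compiled out entirely whenever the headers are 1.6 or newer, so it can never act as a runtime fallback; if the selection moves to `gcry_check_version ("1.6.0")`, keep both blocks in the binary as the two arms of an ordinary `if`/`else`, so that a build against 1.6 headers still signs when loaded against an older library.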

is a compile-time check the right solution here?  is this something we
can detect at runtime instead?

since libgcrypt 1.6 doesn't appear to have been released yet, i'm not
sure if it will bump its SONAME from 11 (used by 1.5.3) to something
higher or not.  if that's the case, it's conceivable that a package
linked against 1.6 at compile time will be run against an older version
at runtime (e.g. for people moving binary packages across distributions
that don't track symbol additions).

A runtime check seems like it would be more robust, if that's possible.

maybe the test could be:

 if (gcry_check_version ("1.6.0")) {

instead of

#if GCRYPT_VERSION_NUMBER >= 0x010600

?

	--dkg
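
The runtime gate discussed above, written out as an added example; this is not GnuPG or Libgcrypt code. In a real program the check is simply `gcry_check_version ("1.6.0")`, which returns the library's version string when the loaded Libgcrypt is at least 1.6.0 and NULL otherwise (the same call every Libgcrypt program already makes at startup to initialise the library). Because Libgcrypt is not linked here, `version_at_least` stands in for that comparison: it parses `MAJOR.MINOR.MICRO` numerically, ignores any `-suffix`, and treats a missing component as 0. `dsa_data_template` and the legacy `(data (value %m))` template are assumptions about what the two branches of the patch build, shown only to make the dispatch concrete.

```c
/* Added example, not GnuPG/Libgcrypt code: select the DSA data
 * S-expression at runtime from the library version actually loaded,
 * instead of from GCRYPT_VERSION_NUMBER at compile time. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse up to three numeric components of "MAJOR.MINOR.MICRO[-suffix]".
 * Missing components count as 0.  Returns 1 on success, 0 if the string
 * does not start with a number (malformed input). */
static int parse_version (const char *s, int out[3])
{
  int i;
  for (i = 0; i < 3; i++)
    out[i] = 0;
  for (i = 0; i < 3; i++)
    {
      char *end;
      long v;
      if (*s < '0' || *s > '9')
        return 0;
      v = strtol (s, &end, 10);
      if (v < 0 || v > 99999)
        return 0;
      out[i] = (int)v;
      if (*end == '.')
        s = end + 1;            /* next component */
      else
        return 1;               /* "1.6" or "1.6.0-beta": numeric part ends */
    }
  return 1;
}

/* Stand-in for the comparison gcry_check_version() performs: returns 1
 * when RUNTIME is at least REQUIRED.  Components are compared as numbers,
 * so "1.10.0" >= "1.6.0" holds; a plain strcmp() would get that wrong. */
int version_at_least (const char *runtime, const char *required)
{
  int r[3], q[3], i;
  if (!parse_version (runtime, r) || !parse_version (required, q))
    return 0;                   /* unparseable: do not claim the feature */
  for (i = 0; i < 3; i++)
    if (r[i] != q[i])
      return r[i] > q[i];
  return 1;
}

/* Pick the gcry_sexp_build format for the hash data.  With a runtime
 * gate both templates stay in the binary, so a build against 1.6
 * headers still works when loaded against an older library.
 * The legacy template is an assumption about the pre-1.6 branch. */
const char *dsa_data_template (const char *runtime_version)
{
  if (version_at_least (runtime_version, "1.6.0"))
    return "(data (flags rfc6979) (hash %s %b))";  /* deterministic nonce */
  return "(data (value %m))";                        /* digest as an MPI */
}

int main (void)
{
  /* Constructed version strings standing in for gcry_check_version(NULL). */
  const char *samples[] = { "1.5.3", "1.6.0", "1.6.0-beta", "1.10.1" };
  size_t i;
  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("%-12s -> %s\n", samples[i], dsa_data_template (samples[i]));
  return 0;
}
```

The fallback keeps the pre-1.6 behaviour (a random nonce from the library) rather than failing, which matches what the same binary did before the patch; a project that prefers to refuse signing on an old library can return NULL from the selector and check for it.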
