libgcrypt/libgcrypt-PCT-ECC.patch

Index: libgcrypt-1.8.2/cipher/ecc.c
===================================================================
--- libgcrypt-1.8.2.orig/cipher/ecc.c
+++ libgcrypt-1.8.2/cipher/ecc.c
@@ -99,7 +99,7 @@ static void *progress_cb_data;
 
 
 /* Local prototypes. */
-static void test_keys (ECC_secret_key * sk, unsigned int nbits);
+static int test_keys (ECC_secret_key * sk, unsigned int nbits);
 static void test_ecdh_only_keys (ECC_secret_key * sk, unsigned int nbits, int flags);
 static unsigned int ecc_get_nbits (gcry_sexp_t parms);
 
@@ -152,6 +152,7 @@ nist_generate_key (ECC_secret_key *sk, e
   gcry_random_level_t random_level;
   gcry_mpi_t x, y;
   const unsigned int pbits = mpi_get_nbits (E->p);
+  int free_skEname = 0;
 
   point_init (&Q);
 
@@ -176,7 +177,6 @@ nist_generate_key (ECC_secret_key *sk, e
   else
     sk->d = _gcry_dsa_gen_k (E->n, random_level);
 
-
   /* Compute Q.  */
   _gcry_mpi_ec_mul_point (&Q, sk->d, &E->G, ctx);
 
@@ -190,6 +190,12 @@ nist_generate_key (ECC_secret_key *sk, e
   point_set (&sk->E.G, &E->G);
   sk->E.n = mpi_copy (E->n);
   sk->E.h = mpi_copy (E->h);
+  if (E->name)
+    {
+      free_skEname = 1;
+      sk->E.name = _gcry_xstrdup(E->name);
+    }
+
   point_init (&sk->Q);
 
   x = mpi_new (pbits);
@@ -261,10 +267,16 @@ nist_generate_key (ECC_secret_key *sk, e
   if ((flags & PUBKEY_FLAG_NO_KEYTEST))
     ; /* User requested to skip the test.  */
   else if (sk->E.model != MPI_EC_MONTGOMERY)
-    test_keys (sk, nbits - 64);
+    {
+      if (test_keys (sk, nbits - 64))
+        return GPG_ERR_BAD_SIGNATURE;
+    }
   else
     test_ecdh_only_keys (sk, nbits - 64, flags);
 
+  if (free_skEname)
+    xfree ((void*)sk->E.name);
+
   return 0;
 }
 
@@ -275,9 +287,10 @@ nist_generate_key (ECC_secret_key *sk, e
  * test if the information is recuperated.
  * Second, test with the sign and verify functions.
  */
-static void
+static int
 test_keys (ECC_secret_key *sk, unsigned int nbits)
 {
+  int result = -1; /* Default to failure. */
   ECC_public_key pk;
   gcry_mpi_t test = mpi_new (nbits);
   mpi_point_struct R_;
@@ -297,17 +310,190 @@ test_keys (ECC_secret_key *sk, unsigned
 
   _gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
 
-  if (_gcry_ecc_ecdsa_sign (test, sk, r, s, 0, 0) )
-    log_fatal ("ECDSA operation: sign failed\n");
+  /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2,
+   * which requires full signature operation for PCT (hashing +
+   * asymmetric operation). */
+  gcry_sexp_t r_sig = NULL;
+  gcry_sexp_t s_skey = NULL;
+  gcry_sexp_t s_pkey = NULL;
+  gcry_sexp_t s_hash = NULL;
+  gcry_mpi_t s_sig_mpi = NULL;
+  gcry_md_hd_t hd = NULL;
+  unsigned char *buf = NULL;
+  size_t buflen;
+  mpi_ec_t ctx;
+  int flags = 0;
+
+  if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0))
+    {
+      if (DBG_CIPHER)
+        log_debug ("gcry_pk_sign failed: _gcry_md_open\n");
+    }
+
+  _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, test);
+  _gcry_md_write (hd, buf, buflen);
+
+  xfree (buf);
+  buf = NULL;
 
-  if (_gcry_ecc_ecdsa_verify (test, &pk, r, s))
+  sexp_build (&s_hash, NULL, "(data (flags rfc6979)(hash-algo sha256))");
+
+  /* Assemble the point Q from affine coordinates by simple
+   * concatenation. */
+  gcry_mpi_t Qx = NULL;
+  gcry_mpi_t Qy = NULL;
+  Qx = mpi_new (0);
+  Qy = mpi_new (0);
+  ctx = _gcry_mpi_ec_p_internal_new (sk->E.model, sk->E.dialect, flags,
+                                     sk->E.p, sk->E.a, sk->E.b);
+  if (_gcry_mpi_ec_get_affine (Qx, Qy, &(sk->Q), ctx))
     {
-      log_fatal ("ECDSA operation: sign, verify failed\n");
+      if (DBG_CIPHER)
+        log_debug ("ecdh: Failed to get affine coordinates for Q\n");
+    }
+
+  unsigned char *rawqx, *rawqy;
+  unsigned int rawqxlen, rawqylen;
+  rawqx = _gcry_mpi_get_buffer (Qx, 0, &rawqxlen, NULL);
+  rawqy = _gcry_mpi_get_buffer (Qy, 0, &rawqylen, NULL);
+
+  if (rawqxlen != rawqylen)
+    {
+      if (rawqxlen < rawqylen)
+        {
+          size_t diff = rawqylen - rawqxlen;
+          unsigned char *zeros = xmalloc (rawqxlen + diff);
+          memset (zeros, 0, rawqxlen + diff);
+          memmove (zeros + diff, rawqx, rawqxlen);
+          xfree (rawqx);
+          rawqx = zeros;
+          rawqxlen += diff;
+        }
+      if (rawqylen < rawqxlen)
+        {
+          size_t diff = rawqxlen - rawqylen;
+          unsigned char *zeros = xmalloc (rawqylen + diff);
+          memset (zeros, 0, rawqylen + diff);
+          memmove (zeros + diff, rawqy, rawqylen);
+          xfree (rawqy);
+          rawqy = zeros;
+          rawqylen += diff;
+        }
+    }
+
+  unsigned char q[1 + rawqxlen + rawqxlen];
+  size_t qlen;
+  memset (&q, 0, sizeof(q));
+  *q = 4;
+  memcpy (q + 1, rawqx, rawqxlen);
+  memcpy (q + 1 + rawqxlen, rawqy, rawqylen);
+  qlen = 1 + rawqxlen + rawqylen;
+
+  _gcry_mpi_release (Qx);
+  _gcry_mpi_release (Qy);
+  xfree (rawqx);
+  xfree (rawqy);
+
+  /* build ECC private key sexp in s_skey */
+  if (sk->E.name)
+    {
+      if (sexp_build (&s_skey, NULL,
+                      "(private-key (ecc (curve %s)(d %m)(q %b)))",
+                      sk->E.name, sk->d, qlen, q))
+        {
+          if (DBG_CIPHER)
+            log_debug ("ecc: Failed to build sexp for private key.\n");
+        }
+    }
+  else
+    {
+      if (sexp_build (&s_skey, NULL,
+                      "(private-key"
+                      " (ecc (curve %s)(d %m)(p %m)(a %m)(b %m)(n %m)(h %m)(q %b)))",
+                      "NIST P-512", sk->d, sk->E.p, sk->E.a, sk->E.b, sk->E.n, sk->E.h,
+                      qlen, q))
+        {
+          if (DBG_CIPHER)
+            log_debug ("ecc: Failed to build sexp for private key.\n");
+        }
+    }
+
+  if (_gcry_pk_sign_md (&r_sig, hd, s_hash, s_skey))
+    {
+      if (DBG_CIPHER)
+        log_debug ("ecc: gcry_pk_sign failed\n");
+      goto leave;
+    }
+
+  /* Check that the signature and the original test differ. */
+  if (_gcry_sexp_extract_param (r_sig, NULL, "s", &s_sig_mpi, NULL))
+    {
+      if (DBG_CIPHER)
+        log_debug ("extracting signature data failed\n");
+      goto leave;
+    }
+
+  if (!mpi_cmp (s_sig_mpi, test))
+    {
+      if (DBG_CIPHER)
+        log_debug ("Signature failed\n");
+      goto leave; /* Signature and test match but should not. */
+    }
+
+  /* verify */
+  /* build public key sexp in s_pkey */
+  if (pk.E.name)
+    {
+      if (sexp_build (&s_pkey, NULL,
+                      "(public-key (ecc (curve %s)(q %b)))", pk.E.name, qlen, q))
+        {
+          if (DBG_CIPHER)
+            log_debug ("ecc: Failed to build sexp for public key.\n");
+        }
+    }
+  else
+    {
+      if (sexp_build (&s_pkey, NULL,
+                      "(public-key"
+                      " (ecc (curve %s)(p %m)(a %m)(b %m)(n %m)(h %m)(q %b)))",
+                      "NIST P-512", pk.E.p, pk.E.a, pk.E.b, pk.E.n, pk.E.h, qlen, q))
+        {
+          if (DBG_CIPHER)
+            log_debug ("ecc: Failed to build sexp for private key.\n");
+        }
+    }
+
+  _gcry_md_close (hd);
+
+  if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0))
+    {
+      if (DBG_CIPHER)
+        log_debug ("gcry_pk_verify failed: _gcry_md_open\n");
+    }
+
+  _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, test);
+  _gcry_md_write (hd, buf, buflen);
+
+  xfree (buf);
+  buf = NULL;
+
+  /* verify the signature */
+  if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey))
+    {
+      if (DBG_CIPHER)
+        log_debug ("ecc: gcry_pk_verify failed\n");
+      goto leave; /* Signature does not match. */
     }
 
   if (DBG_CIPHER)
-    log_debug ("ECDSA operation: sign, verify ok.\n");
+    {
+      if (DBG_CIPHER)
+        log_debug ("ECDSA operation: sign, verify ok.\n");
+    }
+
+  result = 0; /* The test succeeded. */
 
+ leave:
   point_free (&pk.Q);
   _gcry_ecc_curve_free (&pk.E);
 
@@ -317,6 +503,16 @@ test_keys (ECC_secret_key *sk, unsigned
   mpi_free (out);
   mpi_free (c);
   mpi_free (test);
+
+  _gcry_sexp_release (r_sig);
+  _gcry_sexp_release (s_skey);
+  _gcry_sexp_release (s_pkey);
+  _gcry_sexp_release (s_hash);
+  _gcry_mpi_release (s_sig_mpi);
+  _gcry_md_close (hd);
+  xfree (ctx);
+
+  return result;
 }
 
 
Index: libgcrypt-1.8.2/cipher/pubkey.c
===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey.c
+++ libgcrypt-1.8.2/cipher/pubkey.c
@@ -390,6 +390,7 @@ calculate_hash (gcry_md_hd_t hd, gcry_se
   gcry_err_code_t rc;
   const unsigned char *digest;
   int algo;
+  const char *flags;
 
   if (!hd)
     return 0;
@@ -398,16 +399,21 @@ calculate_hash (gcry_md_hd_t hd, gcry_se
   if (rc)
     return rc;
 
+  rc = _gcry_pk_util_get_flags (*s_hash, &flags);
+  if (rc)
+    return rc;
+
   digest = _gcry_md_read(hd, algo);
   if (!digest)
     return GPG_ERR_DIGEST_ALGO;
 
   rc = _gcry_sexp_build (s_hash, NULL,
-                         "(data (flags pkcs1)(hash %s %b))",
+                         "(data (flags %s)(hash %s %b))", flags,
                          _gcry_md_algo_name(algo),
                          (int) _gcry_md_get_algo_dlen(algo),
                          digest);
 
+  xfree ((void *)flags);
   return rc;
 }
 
Index: libgcrypt-1.8.2/cipher/pubkey-internal.h
===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey-internal.h
+++ libgcrypt-1.8.2/cipher/pubkey-internal.h
@@ -45,6 +45,8 @@ gcry_err_code_t _gcry_pk_util_data_to_mp
                                            struct pk_encoding_ctx *ctx);
 gcry_err_code_t _gcry_pk_util_get_algo (gcry_sexp_t input,
                                         int *algo);
+gcry_err_code_t _gcry_pk_util_get_flags (gcry_sexp_t input,
+                                         const char **flags);
 
 
 
Index: libgcrypt-1.8.2/cipher/pubkey-util.c
===================================================================
--- libgcrypt-1.8.2.orig/cipher/pubkey-util.c
+++ libgcrypt-1.8.2/cipher/pubkey-util.c
@@ -1120,6 +1120,40 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t i
   return rc;
 }
 
+gcry_err_code_t
+_gcry_pk_util_get_flags (gcry_sexp_t input, const char **flags)
+{
+  gcry_err_code_t rc = 0;
+  gcry_sexp_t ldata, list = NULL;
+
+  ldata = sexp_find_token (input, "data", 0);
+  if (!ldata)
+    {
+      rc = GPG_ERR_INV_OBJ;
+      goto leave;
+    }
+
+  list = sexp_find_token (ldata, "flags", 0);
+  if (!list)
+    {
+      rc = GPG_ERR_INV_OBJ;
+      goto leave;
+    }
+
+  /* FIXME: gets only the first flag */
+  *flags = sexp_nth_string (list, 1);
+  if (!*flags)
+    {
+      rc = GPG_ERR_NO_OBJ;
+      goto leave;
+    }
+
+ leave:
+  sexp_release (ldata);
+  sexp_release (list);
+
+  return rc;
+}
 
 gcry_err_code_t
 _gcry_pk_util_get_algo (gcry_sexp_t input, int *algo)