--- libgcrypt-1.8.2.orig/cipher/rsa.c 2020-03-26 07:23:17.392861551 +0100 +++ libgcrypt-1.8.2.orig/cipher/rsa.c 2020-03-26 15:43:29.556282072 +0100 @@ -91,10 +91,16 @@ static const char sample_secret_key[] = " 79C974A6FA69E4D52FE796650623DE70622862713932AA2FD9F2EC856EAEAA77" " 88B4EA6084DC81C902F014829B18EA8B2666EC41586818E0589E18876065F97E" " 8D22CE2DA53A05951EC132DCEF41E70A9C35F4ACC268FFAC2ADF54FA1DA110B919#)" +"))"; +/* We need to get rid of the u value, in order to end in + * secret_core_std when called from secret. It's not used anyway. */ + +/* " (u #67CF0FD7635205DD80FA814EE9E9C267C17376BF3209FB5D1BC42890D2822A04" " 479DAF4D5B6ED69D0F8D1AF94164D07F8CD52ECEFE880641FA0F41DDAB1785E4" " A37A32F997A516480B4CD4F6482B9466A1765093ED95023CA32D5EDC1E34CEE9" " AF595BC51FE43C4BF810FA225AF697FB473B83815966188A4312C048B885E3F7#)))"; +*/ /* A sample 2048 bit RSA key used for the selftests (public only). */ static const char sample_public_key[] = @@ -1252,8 +1258,8 @@ rsa_check_secret_key (gcry_sexp_t keypar RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL}; /* To check the key we need the optional parameters. */ - rc = sexp_extract_param (keyparms, NULL, "nedpqu", - &sk.n, &sk.e, &sk.d, &sk.p, &sk.q, &sk.u, + rc = sexp_extract_param (keyparms, NULL, "npq", + &sk.n, &sk.p, &sk.q, NULL); if (rc) goto leave; @@ -1263,11 +1269,8 @@ rsa_check_secret_key (gcry_sexp_t keypar leave: _gcry_mpi_release (sk.n); - _gcry_mpi_release (sk.e); - _gcry_mpi_release (sk.d); _gcry_mpi_release (sk.p); _gcry_mpi_release (sk.q); - _gcry_mpi_release (sk.u); if (DBG_CIPHER) log_debug ("rsa_testkey => %s\n", gpg_strerror (rc)); return rc; @@ -1710,11 +1713,11 @@ static const char * selftest_sign_2048 (gcry_sexp_t pkey, gcry_sexp_t skey) { static const char sample_data[] = - "(data (flags pkcs1)" + "(data (flags pkcs1 no-blinding)" " (hash sha256 #11223344556677889900aabbccddeeff" /**/ "102030405060708090a0b0c0d0f01121#))"; static const char sample_data_bad[] = - "(data (flags pkcs1)" + "(data (flags pkcs1 no-blinding)" " (hash sha256 #11223344556677889900aabbccddeeff" /**/ "802030405060708090a0b0c0d0f01121#))"; @@ -1857,7 +1860,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc gcry_mpi_t ref_mpi = NULL; /* Put the plaintext into an S-expression. */ - err = sexp_build (&plain, NULL, "(data (flags raw) (value %s))", plaintext); + err = sexp_build (&plain, NULL, "(data (flags raw no-blinding) (value %s))", plaintext); if (err) { errtxt = "converting data failed"; @@ -1897,6 +1900,26 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc goto leave; } + /* This sexp trickery is to prevent the use of blinding. + * The flag doesn't get inherited by encr, so we have to + * derive a new sexp from the ciphertext */ + char buf[1024]; + memset(buf, 0, sizeof(buf)); + err = _gcry_mpi_print (GCRYMPI_FMT_STD, buf, sizeof buf, NULL, ciphertext); + if (err) + { + errtxt = "Dumping ciphertext mpi to buffer failed"; + goto leave; + } + + sexp_release (encr); + err = sexp_build (&encr, NULL, "(enc-val (flags no-blinding) (rsa (a %s)))", buf); + if (err) + { + errtxt = "Adding no-blinding flag to ciphertext failed"; + goto leave; + } + /* Decrypt. */ err = _gcry_pk_decrypt (&decr, encr, skey); if (err)