gentleknife / rpms / libgcrypt

Forked from rpms/libgcrypt 4 years ago
Clone
Blob Blame History Raw
diff -up libgcrypt-1.5.3/cipher/primegen.c.fips-keygen libgcrypt-1.5.3/cipher/primegen.c
--- libgcrypt-1.5.3/cipher/primegen.c.fips-keygen	2014-10-21 15:05:59.434189992 +0200
+++ libgcrypt-1.5.3/cipher/primegen.c	2014-10-21 15:05:59.458190534 +0200
@@ -1189,6 +1189,22 @@ gcry_prime_check (gcry_mpi_t x, unsigned
   return gcry_error (err);
 }
 
+/* Check whether the number X is prime according to FIPS 186-4 table C.2.  */
+gpg_err_code_t
+_gcry_fips186_4_prime_check (gcry_mpi_t x, unsigned int bits)
+{
+  gpg_err_code_t ec = GPG_ERR_NO_ERROR;
+  gcry_mpi_t val_2 = mpi_alloc_set_ui (2); /* Used by the Fermat test. */
+
+  /* We use 5 or 4 rounds as specified in table C.2 */
+  if (! check_prime (x, val_2, bits > 1024 ? 4 : 5, NULL, NULL))
+    ec = GPG_ERR_NO_PRIME;
+
+  mpi_free (val_2);
+
+  return ec;
+}
+
 /* Find a generator for PRIME where the factorization of (prime-1) is
    in the NULL terminated array FACTORS. Return the generator as a
    newly allocated MPI in R_G.  If START_G is not NULL, use this as s
diff -up libgcrypt-1.5.3/cipher/rsa.c.fips-keygen libgcrypt-1.5.3/cipher/rsa.c
--- libgcrypt-1.5.3/cipher/rsa.c.fips-keygen	2014-10-21 15:05:59.423189744 +0200
+++ libgcrypt-1.5.3/cipher/rsa.c	2014-10-21 15:12:45.200350340 +0200
@@ -328,6 +328,279 @@ generate_std (RSA_secret_key *sk, unsign
 }
 
 
+/****************
+ * Generate a key pair with a key of size NBITS.
+ * USE_E = 0 let Libcgrypt decide what exponent to use.
+ *       = 1 request the use of a "secure" exponent; this is required by some
+ *           specification to be 65537.
+ *       > 2 Use this public exponent.  If the given exponent
+ *           is not odd one is internally added to it.
+ * TESTPARMS: If set, do not generate but test whether the p,q is probably prime
+ *            Returns key with zeroes to not break code calling this function.
+ * TRANSIENT_KEY:  If true, generate the primes using the standard RNG.
+ * Returns: 2 structures filled with all needed values
+ */
+static gpg_err_code_t
+generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+               gcry_sexp_t testparms, int transient_key)
+{
+  gcry_mpi_t p, q; /* the two primes */
+  gcry_mpi_t d;    /* the private key */
+  gcry_mpi_t u;
+  gcry_mpi_t p1, q1;
+  gcry_mpi_t n;    /* the public key */
+  gcry_mpi_t e;    /* the exponent */
+  gcry_mpi_t g;
+  gcry_mpi_t minp;
+  gcry_mpi_t diff, mindiff;
+  gcry_random_level_t random_level;
+  unsigned int pbits = nbits/2;
+  unsigned int i;
+  int pqswitch;
+  gpg_err_code_t ec = GPG_ERR_NO_PRIME;
+
+  if (nbits < 1024 || (nbits & 0x1FF))
+      return GPG_ERR_INV_VALUE;
+  if (_gcry_enforced_fips_mode() && nbits != 2048 && nbits != 3072)
+      return GPG_ERR_INV_VALUE;
+
+  /* The random quality depends on the transient_key flag.  */
+  random_level = transient_key ? GCRY_STRONG_RANDOM : GCRY_VERY_STRONG_RANDOM;
+
+  if (testparms)
+      {
+        /* Parameters to derive the key are given.  */
+        /* Note that we explicitly need to setup the values of tbl
+           because some compilers (e.g. OpenWatcom, IRIX) don't allow
+           to initialize a structure with automatic variables.  */
+        struct { const char *name; gcry_mpi_t *value; } tbl[] = {
+          { "e" },
+          { "p" },
+          { "q" },
+          { NULL }
+        };
+        int idx;
+        gcry_sexp_t oneparm;
+
+        tbl[0].value = &e;
+        tbl[1].value = &p;
+        tbl[2].value = &q;
+
+        for (idx=0; tbl[idx].name; idx++)
+          {
+            oneparm = gcry_sexp_find_token (testparms, tbl[idx].name, 0);
+            if (oneparm)
+              {
+                *tbl[idx].value = gcry_sexp_nth_mpi (oneparm, 1,
+                                                     GCRYMPI_FMT_USG);
+                gcry_sexp_release (oneparm);
+              }
+          }
+        for (idx=0; tbl[idx].name; idx++)
+          if (!*tbl[idx].value)
+            break;
+        if (tbl[idx].name)
+          {
+            /* At least one parameter is missing.  */
+            for (idx=0; tbl[idx].name; idx++)
+              gcry_mpi_release (*tbl[idx].value);
+            return GPG_ERR_MISSING_VALUE;
+          }
+      }
+  else
+      {
+        if (use_e < 65537)
+          use_e = 65537;  /* This is the smallest value allowed by FIPS */
+
+        e = mpi_alloc( (32+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
+
+        use_e |= 1; /* make sure this is odd */
+        mpi_set_ui (e, use_e);
+
+        p = gcry_mpi_snew (pbits);
+        q = gcry_mpi_snew (pbits);
+      }
+
+  n = gcry_mpi_new (nbits);
+  d = gcry_mpi_snew (nbits);
+  u = gcry_mpi_snew (nbits);
+
+  /* prepare approximate minimum p and q */
+  minp = gcry_mpi_new (pbits);
+  mpi_set_ui (minp, 0xB504F334);
+  gcry_mpi_lshift (minp, minp, pbits - 32); 
+
+  /* prepare minimum p and q difference */
+  diff = gcry_mpi_new (pbits);
+  mindiff = gcry_mpi_new (pbits - 99);
+  mpi_set_ui (mindiff, 1);
+  gcry_mpi_lshift (mindiff, mindiff, pbits - 100);
+
+  p1 = gcry_mpi_snew (pbits);
+  q1 = gcry_mpi_snew (pbits);
+  g  = gcry_mpi_snew (pbits);
+
+retry:
+  /* generate p and q */
+  for (i = 0; i < 5 * pbits; i++)
+    {
+    ploop:
+      if (!testparms)
+        {
+          gcry_mpi_randomize (p, pbits, random_level);
+        }
+      if (mpi_cmp (p, minp) < 0)
+        {
+          if (testparms) goto err;
+          goto ploop;
+        }
+
+      mpi_sub_ui (p1, p, 1);
+      if (gcry_mpi_gcd (g, p1, e))
+        {
+          if (_gcry_fips186_4_prime_check (p, pbits) != GPG_ERR_NO_ERROR)
+            {
+              /* not a prime */
+              if (testparms) goto err;
+            }
+          else
+            break;
+        } 
+      else if (testparms) goto err;
+    }
+  if (i >= 5 * pbits)
+    goto err;
+
+  for (i = 0; i < 5 * pbits; i++)
+    {
+    qloop:
+      if (!testparms)
+        {
+          gcry_mpi_randomize (q, pbits, random_level);
+        }
+      if (mpi_cmp (q, minp) < 0)
+        {
+          if (testparms) goto err;
+          goto qloop;
+        }
+      if (mpi_cmp (p, q) > 0)
+        {
+          pqswitch = 1;
+          mpi_sub (diff, p, q);
+        }      
+      else
+        {
+          pqswitch = 0;
+          mpi_sub (diff, q, p);
+        }
+      if (mpi_cmp (diff, mindiff) < 0)
+        {
+          if (testparms) goto err;
+          goto qloop;
+        }
+
+      mpi_sub_ui (q1, q, 1);
+      if (gcry_mpi_gcd (g, q1, e))
+        {
+          if (_gcry_fips186_4_prime_check (q, pbits) != GPG_ERR_NO_ERROR)
+            {
+              /* not a prime */
+              if (testparms) goto err;
+            }
+          else
+            break;
+        }
+      else if (testparms) goto err;
+    }
+  if (i >= 5 * pbits)
+    goto err;
+
+  if (testparms)
+    {
+       mpi_clear (p);
+       mpi_clear (q);
+    }
+  else
+    {
+      gcry_mpi_t f;
+
+      if (pqswitch)
+        {
+          gcry_mpi_t tmp;
+
+          tmp = p;
+          p = q;
+          q = tmp;
+        }
+
+      f = gcry_mpi_snew (nbits);
+
+      /* calculate the modulus */
+      mpi_mul(n, p, q);
+
+      /* calculate the secret key d = e^1 mod phi */
+      gcry_mpi_gcd (g, p1, q1);
+      mpi_fdiv_q (f, p1, g);
+      mpi_mul (f, f, q1);
+      
+      mpi_invm (d, e, f);
+
+      gcry_mpi_release (f);
+
+      if (mpi_get_nbits (d) < pbits) goto retry;
+
+      /* calculate the inverse of p and q (used for chinese remainder theorem)*/
+      mpi_invm(u, p, q );
+    }
+
+  ec = 0;
+
+  if( DBG_CIPHER )
+    {
+      log_mpidump("  p= ", p );
+      log_mpidump("  q= ", q );
+      log_mpidump("  n= ", n );
+      log_mpidump("  e= ", e );
+      log_mpidump("  d= ", d );
+      log_mpidump("  u= ", u );
+    }
+
+err:
+
+  gcry_mpi_release (p1);
+  gcry_mpi_release (q1);
+  gcry_mpi_release (g);
+  gcry_mpi_release (minp);
+  gcry_mpi_release (mindiff);
+  gcry_mpi_release (diff);
+
+  sk->n = n;
+  sk->e = e;
+  sk->p = p;
+  sk->q = q;
+  sk->d = d;
+  sk->u = u;
+
+  /* Now we can test our keys. */
+  if (ec || (!testparms && test_keys (sk, nbits - 64)))
+    {
+      gcry_mpi_release (sk->n); sk->n = NULL;
+      gcry_mpi_release (sk->e); sk->e = NULL;
+      gcry_mpi_release (sk->p); sk->p = NULL;
+      gcry_mpi_release (sk->q); sk->q = NULL;
+      gcry_mpi_release (sk->d); sk->d = NULL;
+      gcry_mpi_release (sk->u); sk->u = NULL;
+      if (!ec)
+        {
+          fips_signal_error ("self-test after key generation failed");
+          return GPG_ERR_SELFTEST_FAILED;
+        }
+    }
+
+  return ec;
+}
+
+
 /* Helper for generate_x931.  */
 static gcry_mpi_t
 gen_x931_parm_xp (unsigned int nbits)
@@ -812,7 +1085,7 @@ rsa_generate_ext (int algo, unsigned int
         }
     }
 
-  if (deriveparms || use_x931 || fips_mode ())
+  if (deriveparms || use_x931)
     {
       int swapped;
       ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped);
@@ -841,8 +1114,14 @@ rsa_generate_ext (int algo, unsigned int
           transient_key = 1;
           gcry_sexp_release (l1);
         }
+      deriveparms = (genparms?
+                 gcry_sexp_find_token (genparms, "test-parms", 0) : NULL);
       /* Generate.  */
-      ec = generate_std (&sk, nbits, evalue, transient_key);
+      if (deriveparms || fips_mode())
+	ec = generate_fips (&sk, nbits, evalue, deriveparms, transient_key);
+      else
+        ec = generate_std (&sk, nbits, evalue, transient_key);
+      gcry_sexp_release (deriveparms);
     }
 
   if (!ec)
diff -up libgcrypt-1.5.3/src/g10lib.h.fips-keygen libgcrypt-1.5.3/src/g10lib.h
--- libgcrypt-1.5.3/src/g10lib.h.fips-keygen	2013-07-25 11:10:04.000000000 +0200
+++ libgcrypt-1.5.3/src/g10lib.h	2014-10-21 15:05:59.459190556 +0200
@@ -195,6 +195,9 @@ gpg_err_code_t _gcry_generate_fips186_3_
                   int *r_counter,
                   void **r_seed, size_t *r_seedlen, int *r_hashalgo);
 
+gpg_err_code_t _gcry_fips186_4_prime_check
+                 (const gcry_mpi_t x, unsigned int bits);
+
 
 /* Replacements of missing functions (missing-string.c).  */
 #ifndef HAVE_STPCPY
diff -up libgcrypt-1.5.3/tests/keygen.c.fips-keygen libgcrypt-1.5.3/tests/keygen.c
--- libgcrypt-1.5.3/tests/keygen.c.fips-keygen	2014-10-21 15:05:59.424189766 +0200
+++ libgcrypt-1.5.3/tests/keygen.c	2014-10-21 15:05:59.459190556 +0200
@@ -190,12 +190,12 @@ check_rsa_keys (void)
 
 
   if (verbose)
-    fprintf (stderr, "creating 1024 bit RSA key with e=257\n");
+    fprintf (stderr, "creating 1024 bit RSA key with e=65539\n");
   rc = gcry_sexp_new (&keyparm,
                       "(genkey\n"
                       " (rsa\n"
                       "  (nbits 4:1024)\n"
-                      "  (rsa-use-e 3:257)\n"
+                      "  (rsa-use-e 5:65539)\n"
                       " ))", 0, 1);
   if (rc)
     die ("error creating S-expression: %s\n", gpg_strerror (rc));
@@ -204,7 +204,7 @@ check_rsa_keys (void)
   if (rc)
     die ("error generating RSA key: %s\n", gpg_strerror (rc));
 
-  check_generated_rsa_key (key, 257);
+  check_generated_rsa_key (key, 65539);
   gcry_sexp_release (key);
 
   if (verbose)