From 2ef48ba59c32bfa1a9265d5eea8ab225a658903a Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 9 Jan 2014 19:14:09 +0100 Subject: [PATCH] ecc: Make a macro shorter. * src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS. Change all users. * cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as comment. * mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards. (add_points_twistededwards): Rename to add_points_edwards. Signed-off-by: Werner Koch Upstream-Status: Backport 2ef48ba59c32bfa1a9265d5eea8ab225a658903a CVE: CVE-2015-7511 depend patch Signed-off-by: Armin Kuster --- cipher/ecc-curves.c | 22 +++++++++++++++++++--- cipher/ecc-misc.c | 4 ++-- cipher/ecc.c | 8 ++++---- mpi/ec.c | 22 +++++++++++----------- src/mpi.h | 11 ++++++++--- 5 files changed, 44 insertions(+), 23 deletions(-) Index: libgcrypt-1.6.3/cipher/ecc-curves.c =================================================================== --- libgcrypt-1.6.3.orig/cipher/ecc-curves.c +++ libgcrypt-1.6.3/cipher/ecc-curves.c @@ -105,7 +105,7 @@ static const ecc_domain_parms_t domain_p { /* (-x^2 + y^2 = 1 + dx^2y^2) */ "Ed25519", 256, 0, - MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519, + MPI_EC_EDWARDS, ECC_DIALECT_ED25519, "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", "-0x01", "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A", 
@@ -113,6 +113,22 @@ static const ecc_domain_parms_t domain_p "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", "0x6666666666666666666666666666666666666666666666666666666666666658" }, +#if 0 /* No real specs yet found. */ + { + /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */ + "Curve3617", + "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF", + MPI_EC_EDWARDS, 0, + "0x01", + "0x0e21", + "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF" + "706022B36F1C0338AD63CF181B0E71A5E106AF79", + "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D" + "6D6BA111301A73FAA8537C64C4FD3812F3CBC595", + "0x22" + }, +#endif /*0*/ { "NIST P-192", 192, 1, MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD, @@ -404,7 +420,7 @@ _gcry_ecc_fill_in_curve (unsigned int nb switch (domain_parms[idx].model) { case MPI_EC_WEIERSTRASS: - case MPI_EC_TWISTEDEDWARDS: + case MPI_EC_EDWARDS: break; case MPI_EC_MONTGOMERY: return GPG_ERR_NOT_SUPPORTED; @@ -1039,7 +1055,7 @@ _gcry_ecc_get_mpi (const char *name, mpi if (name[1] != '@') return _gcry_mpi_ec_ec2os (ec->Q, ec); - if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS) + if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS) { unsigned char *encpk; unsigned int encpklen; Index: libgcrypt-1.6.3/cipher/ecc-misc.c =================================================================== --- libgcrypt-1.6.3.orig/cipher/ecc-misc.c +++ libgcrypt-1.6.3/cipher/ecc-misc.c @@ -79,7 +79,7 @@ _gcry_ecc_model2str (enum gcry_mpi_ec_mo { case MPI_EC_WEIERSTRASS: str = "Weierstrass"; break; case MPI_EC_MONTGOMERY: str = "Montgomery"; break; - case MPI_EC_TWISTEDEDWARDS: str = "Twisted Edwards"; break; + case MPI_EC_EDWARDS: str = "Edwards"; break; } return str; } 
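Review bot: The disabled Curve3617 entry does not follow the field order of the neighbouring initialisers in `domain_parms`. The Ed25519 and NIST P-192 rows give a name, a bit count and a flag before the model and dialect (`"Ed25519", 256, 0, MPI_EC_EDWARDS, ECC_DIALECT_ED25519,`), whereas this row puts the prime string straight after the name and passes a bare `0` where the others use an `ECC_DIALECT_*` constant. While the `#if 0` stays in place the compiler never sees it, but the block reads like a table row that only needs un-commenting, and by its own comment the constants are not checked against a specification. I would make the guard say so, e.g. `#if 0 /* No real specs yet found; parameters unverified and field order differs from the other entries - do not enable as is. */`. The definition of `ecc_domain_parms_t` is outside the hunk, so the field-order observation is inferred from the adjacent entries.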
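Review bot: The string returned by `_gcry_ecc_model2str` changes from "Twisted Edwards" to "Edwards", which is more than the rename the commit message describes. Any log line, test expectation or tool that matches on that text sees a different value once this dependency patch is applied. The new text is also less precise than the old one, because src/mpi.h in the same patch still documents this model with the twisted equation `ax^2 + y^2 = 1 + bx^2y^2`. If the shorter string is intended, a comment on the case such as `/* Covers twisted Edwards curves too; string shortened together with the enum name. */` would record that; otherwise keep `str = "Twisted Edwards";`. The function starts outside the hunk, so how `str` is initialised for a model value not listed in the switch is not visible here.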
@@ -252,7 +252,7 @@ _gcry_ecc_compute_public (mpi_point_t Q, if (!d || !G || !ec->p || !ec->a) return NULL; - if (ec->model == MPI_EC_TWISTEDEDWARDS && !ec->b) + if (ec->model == MPI_EC_EDWARDS && !ec->b) return NULL; if (ec->dialect == ECC_DIALECT_ED25519 Index: libgcrypt-1.6.3/cipher/ecc.c =================================================================== --- libgcrypt-1.6.3.orig/cipher/ecc.c +++ libgcrypt-1.6.3/cipher/ecc.c @@ -642,7 +642,7 @@ ecc_check_secret_key (gcry_sexp_t keypar if (!curvename) { sk.E.model = ((flags & PUBKEY_FLAG_EDDSA) - ? MPI_EC_TWISTEDEDWARDS + ? MPI_EC_EDWARDS : MPI_EC_WEIERSTRASS); sk.E.dialect = ((flags & PUBKEY_FLAG_EDDSA) ? ECC_DIALECT_ED25519 @@ -774,7 +774,7 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_ if (!curvename) { sk.E.model = ((ctx.flags & PUBKEY_FLAG_EDDSA) - ? MPI_EC_TWISTEDEDWARDS + ? MPI_EC_EDWARDS : MPI_EC_WEIERSTRASS); sk.E.dialect = ((ctx.flags & PUBKEY_FLAG_EDDSA) ? ECC_DIALECT_ED25519 @@ -938,7 +938,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp if (!curvename) { pk.E.model = ((sigflags & PUBKEY_FLAG_EDDSA) - ? MPI_EC_TWISTEDEDWARDS + ? MPI_EC_EDWARDS : MPI_EC_WEIERSTRASS); pk.E.dialect = ((sigflags & PUBKEY_FLAG_EDDSA) ? ECC_DIALECT_ED25519 @@ -1528,7 +1528,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_s if (!curvename) { model = ((flags & PUBKEY_FLAG_EDDSA) - ? MPI_EC_TWISTEDEDWARDS + ? MPI_EC_EDWARDS : MPI_EC_WEIERSTRASS); dialect = ((flags & PUBKEY_FLAG_EDDSA) ? ECC_DIALECT_ED25519 Index: libgcrypt-1.6.3/mpi/ec.c =================================================================== --- libgcrypt-1.6.3.orig/mpi/ec.c +++ libgcrypt-1.6.3/mpi/ec.c @@ -605,7 +605,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, g } return -1; - case MPI_EC_TWISTEDEDWARDS: + case MPI_EC_EDWARDS: { gcry_mpi_t z; 
@@ -725,7 +725,7 @@ dup_point_montgomery (mpi_point_t result /* RESULT = 2 * POINT (Twisted Edwards version). */ static void -dup_point_twistededwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx) +dup_point_edwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx) { #define X1 (point->x) #define Y1 (point->y) @@ -811,8 +811,8 @@ _gcry_mpi_ec_dup_point (mpi_point_t resu case MPI_EC_MONTGOMERY: dup_point_montgomery (result, point, ctx); break; - case MPI_EC_TWISTEDEDWARDS: - dup_point_twistededwards (result, point, ctx); + case MPI_EC_EDWARDS: + dup_point_edwards (result, point, ctx); break; } } @@ -977,9 +977,9 @@ add_points_montgomery (mpi_point_t resul /* RESULT = P1 + P2 (Twisted Edwards version).*/ static void -add_points_twistededwards (mpi_point_t result, - mpi_point_t p1, mpi_point_t p2, - mpi_ec_t ctx) +add_points_edwards (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) { #define X1 (p1->x) #define Y1 (p1->y) @@ -1087,8 +1087,8 @@ _gcry_mpi_ec_add_points (mpi_point_t res case MPI_EC_MONTGOMERY: add_points_montgomery (result, p1, p2, ctx); break; - case MPI_EC_TWISTEDEDWARDS: - add_points_twistededwards (result, p1, p2, ctx); + case MPI_EC_EDWARDS: + add_points_edwards (result, p1, p2, ctx); break; } } @@ -1106,7 +1106,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu unsigned int i, loops; mpi_point_struct p1, p2, p1inv; - if (ctx->model == MPI_EC_TWISTEDEDWARDS) + if (ctx->model == MPI_EC_EDWARDS) { /* Simple left to right binary method. GECC Algorithm 3.27 */ unsigned int nbits; @@ -1269,7 +1269,7 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point log_fatal ("%s: %s not yet supported\n", "_gcry_mpi_ec_curve_point", "Montgomery"); break; - case MPI_EC_TWISTEDEDWARDS: + case MPI_EC_EDWARDS: { /* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */ ec_pow2 (x, x, ctx); Index: libgcrypt-1.6.3/src/mpi.h =================================================================== --- libgcrypt-1.6.3.orig/src/mpi.h +++ libgcrypt-1.6.3/src/mpi.h 
@@ -245,13 +245,18 @@ void _gcry_mpi_snatch_point (gcry_mpi_t /* Models describing an elliptic curve. */ enum gcry_mpi_ec_models { - + /* The Short Weierstrass equation is + y^2 = x^3 + ax + b + */ MPI_EC_WEIERSTRASS = 0, + /* The Montgomery equation is + by^2 = x^3 + ax^2 + x + */ MPI_EC_MONTGOMERY, - MPI_EC_TWISTEDEDWARDS - /* The equation for Twisted Edwards curves is + /* The Twisted Edwards equation is ax^2 + y^2 = 1 + bx^2y^2 Note that we use 'b' instead of the commonly used 'd'. */ + MPI_EC_EDWARDS }; /* Dialects used with elliptic curves. It is easier to keep the
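Review bot: The comment now placed above `MPI_EC_EDWARDS` still calls the model "Twisted Edwards" while the enumerator says plain Edwards, so the header no longer tells a reader whether untwisted curves are covered. The Curve3617 comment added in cipher/ecc-curves.c by this same patch uses `MPI_EC_EDWARDS` for `x^2 + y^2 = 1 + 3617x^2y^2`, i.e. the case a = 1, which suggests both forms are intended. I would state that in the comment, for example `/* The Twisted Edwards equation (plain Edwards curves are the case a = 1) is`. The enumerator keeps its third position, so its numeric value is unchanged, but the old name `MPI_EC_TWISTEDEDWARDS` is dropped with no alias. Every other patch in a backport stack that touches this code has to use the new name, or the build fails.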