char *ssh_gcry_bn2dec(bignum bn) {
bignum bndup, num, ten;
char *ret;
int count, count2;
int size, rsize;
char decnum;
size = gcry_mpi_get_nbits(bn) * 3;
rsize = size / 10 + size / 1000 + 2;
ret = malloc(rsize + 1);
if (ret == NULL) {
return NULL;
}
if (!gcry_mpi_cmp_ui(bn, 0)) {
strcpy(ret, "0");
} else {
ten = bignum_new();
if (ten == NULL) {
SAFE_FREE(ret);
return NULL;
}
num = bignum_new();
if (num == NULL) {
SAFE_FREE(ret);
bignum_safe_free(ten);
return NULL;
}
for (bndup = gcry_mpi_copy(bn), bignum_set_word(ten, 10), count = rsize;
count; count--) {
gcry_mpi_div(bndup, num, bndup, ten, 0);
for (decnum = 0, count2 = gcry_mpi_get_nbits(num); count2;
decnum *= 2, decnum += (gcry_mpi_test_bit(num, count2 - 1) ? 1 : 0),
count2--)
;
ret[count - 1] = decnum + '0';
}
for (count = 0; count < rsize && ret[count] == '0'; count++)
;
for (count2 = 0; count2 < rsize - count; ++count2) {
ret[count2] = ret[count2 + count];
}
ret[count2] = 0;
bignum_safe_free(num);
bignum_safe_free(bndup);
bignum_safe_free(ten);
}
return ret;
}
static gcry_mpi_t
calc_dh_key (gcry_mpi_t gex_p, gcry_mpi_t f, gcry_mpi_t x)
{
gcry_mpi_t k, prime;
size_t n = sizeof diffie_hellman_group1_prime;
if (gex_p)
prime = gcry_mpi_copy (gex_p);
else if (gcry_mpi_scan (&prime, GCRYMPI_FMT_STD,
diffie_hellman_group1_prime, n, NULL))
abort ();
n = gcry_mpi_get_nbits (prime);
k = gcry_mpi_snew (n+1);
gcry_mpi_powm (k, f, x, prime);
gcry_mpi_release (prime);
return k;
}
static gsti_error_t
check_dh_mpi_range (gcry_mpi_t gex_p, gcry_mpi_t chk)
{
gsti_error_t err = 0;
gcry_mpi_t p;
/* A value which is not in the range [1, p-1] is considered as a
protocol violation. */
if (gex_p)
p = gcry_mpi_copy (gex_p);
else if (gcry_mpi_scan (&p, GCRYMPI_FMT_STD, diffie_hellman_group1_prime,
sizeof diffie_hellman_group1_prime, NULL))
#warning why abort?
abort ();
if (gcry_mpi_cmp (chk, p) > 0 || gcry_mpi_get_nbits (chk) < 2)
err = gsti_error (GPG_ERR_PROTOCOL_VIOLATION);
gcry_mpi_release (p);
return err;
}
void serialize_mpi(char *outbuf, int outlen, enum disp_format df,
const gcry_mpi_t x)
{
switch(df) {
case DF_BIN: do {
int len = (gcry_mpi_get_nbits(x) + 7) / 8;
assert(len <= outlen);
memset(outbuf, 0, outlen - len);
gcry_mpi_print(GCRYMPI_FMT_USG, (unsigned char*)outbuf + (outlen - len),
len, NULL, x);
} while (0);
break;
case DF_COMPACT:
case DF_BASE36: do {
const char *digits = get_digits(df);
unsigned int digit_count = get_digit_count(df);
gcry_mpi_t base, Q, R;
int i;
base = gcry_mpi_set_ui(NULL, digit_count);
Q = gcry_mpi_copy(x);
R = gcry_mpi_snew(0);
for(i = outlen - 1; i >= 0; i--) {
unsigned char digit = 0;
gcry_mpi_div(Q, R, Q, base, 0);
gcry_mpi_print(GCRYMPI_FMT_USG, &digit, 1, NULL, R);
assert(digit < digit_count);
outbuf[i] = digits[digit];
}
assert(! gcry_mpi_cmp_ui(Q, 0));
gcry_mpi_release(base);
gcry_mpi_release(Q);
gcry_mpi_release(R);
} while(0);
break;
default:
assert(0);
}
}
/* Rotate in a new DH public key for our correspondent. Be sure to keep
* the sesskeys array in sync. */
static gcry_error_t rotate_y_keys(ConnContext *context, gcry_mpi_t new_y)
{
gcry_error_t err;
/* Rotate the public key */
gcry_mpi_release(context->context_priv->their_old_y);
context->context_priv->their_old_y = context->context_priv->their_y;
/* Rotate the session keys */
err = reveal_macs(context, &(context->context_priv->sesskeys[0][1]),
&(context->context_priv->sesskeys[1][1]));
if (err) return err;
otrl_dh_session_free(&(context->context_priv->sesskeys[0][1]));
otrl_dh_session_free(&(context->context_priv->sesskeys[1][1]));
memmove(&(context->context_priv->sesskeys[0][1]),
&(context->context_priv->sesskeys[0][0]),
sizeof(DH_sesskeys));
memmove(&(context->context_priv->sesskeys[1][1]),
&(context->context_priv->sesskeys[1][0]),
sizeof(DH_sesskeys));
/* Copy in the new public key */
context->context_priv->their_y = gcry_mpi_copy(new_y);
context->context_priv->their_keyid++;
/* Make the session keys */
err = otrl_dh_session(&(context->context_priv->sesskeys[0][0]),
&(context->context_priv->our_dh_key),
context->context_priv->their_y);
if (err) return err;
err = otrl_dh_session(&(context->context_priv->sesskeys[1][0]),
&(context->context_priv->our_old_dh_key),
context->context_priv->their_y);
if (err) return err;
return gcry_error(GPG_ERR_NO_ERROR);
}
cdk_error_t
_cdk_copy_pubkey (cdk_pkt_pubkey_t* dst, cdk_pkt_pubkey_t src)
{
cdk_pkt_pubkey_t k;
int i;
if (!dst || !src)
return CDK_Inv_Value;
*dst = NULL;
k = cdk_calloc (1, sizeof *k);
if (!k)
return CDK_Out_Of_Core;
memcpy (k, src, sizeof *k);
if (src->uid)
_cdk_copy_userid (&k->uid, src->uid);
if (src->prefs)
k->prefs = _cdk_copy_prefs (src->prefs);
for (i = 0; i < cdk_pk_get_npkey (src->pubkey_algo); i++)
k->mpi[i] = gcry_mpi_copy (src->mpi[i]);
*dst = k;
return 0;
}
int get_serialization_len(const gcry_mpi_t x, enum disp_format df)
{
int res;
switch(df) {
case DF_BIN:
res = (gcry_mpi_get_nbits(x) + 7) / 8;
break;
case DF_BASE36:
case DF_COMPACT:
do {
gcry_mpi_t base, Q;
base = gcry_mpi_set_ui(NULL, get_digit_count(df));
Q = gcry_mpi_copy(x);
for(res = 0; gcry_mpi_cmp_ui(Q, 0); res++)
gcry_mpi_div(Q, NULL, Q, base, 0);
gcry_mpi_release(base);
gcry_mpi_release(Q);
} while (0);
break;
default:
assert(0);
}
return res;
}
/* Generate a key pair with a key of size NBITS not using a random
value for the secret key but the one given as X. This is useful to
implement a passphrase based decryption for a public key based
encryption. It has appliactions in backup systems.
Returns: A structure filled with all needed values and an array
with n-1 factors of (p-1). */
static gcry_err_code_t
generate_using_x (ELG_secret_key *sk, unsigned int nbits, gcry_mpi_t x,
gcry_mpi_t **ret_factors )
{
gcry_mpi_t p; /* The prime. */
gcry_mpi_t p_min1; /* The prime minus 1. */
gcry_mpi_t g; /* The generator. */
gcry_mpi_t y; /* g^x mod p. */
unsigned int qbits;
unsigned int xbits;
sk->p = NULL;
sk->g = NULL;
sk->y = NULL;
sk->x = NULL;
/* Do a quick check to see whether X is suitable. */
xbits = mpi_get_nbits (x);
if ( xbits < 64 || xbits >= nbits )
return GPG_ERR_INV_VALUE;
p_min1 = gcry_mpi_new ( nbits );
qbits = wiener_map ( nbits );
if ( (qbits & 1) ) /* Better have an even one. */
qbits++;
g = mpi_alloc (1);
p = _gcry_generate_elg_prime ( 0, nbits, qbits, g, ret_factors );
mpi_sub_ui (p_min1, p, 1);
if (DBG_CIPHER)
log_debug ("using a supplied x of size %u", xbits );
if ( !(mpi_cmp_ui ( x, 0 ) > 0 && mpi_cmp ( x, p_min1 ) <0 ) )
{
gcry_mpi_release ( p_min1 );
gcry_mpi_release ( p );
gcry_mpi_release ( g );
return GPG_ERR_INV_VALUE;
}
y = gcry_mpi_new (nbits);
gcry_mpi_powm ( y, g, x, p );
if ( DBG_CIPHER )
{
progress ('\n');
log_mpidump ("elg p= ", p );
log_mpidump ("elg g= ", g );
log_mpidump ("elg y= ", y );
log_mpidump ("elg x= ", x );
}
/* Copy the stuff to the key structures */
sk->p = p;
sk->g = g;
sk->y = y;
sk->x = gcry_mpi_copy (x);
gcry_mpi_release ( p_min1 );
/* Now we can test our keys. */
if ( test_keys ( sk, nbits - 64, 1 ) )
{
gcry_mpi_release ( sk->p ); sk->p = NULL;
gcry_mpi_release ( sk->g ); sk->g = NULL;
gcry_mpi_release ( sk->y ); sk->y = NULL;
gcry_mpi_release ( sk->x ); sk->x = NULL;
return GPG_ERR_BAD_SECKEY;
}
return 0;
}
/* Find a generator for PRIME where the factorization of (prime-1) is
in the NULL terminated array FACTORS. Return the generator as a
newly allocated MPI in R_G. If START_G is not NULL, use this as s
atart for the search. Returns 0 on success.*/
gcry_error_t
gcry_prime_group_generator (gcry_mpi_t *r_g,
gcry_mpi_t prime, gcry_mpi_t *factors,
gcry_mpi_t start_g)
{
gcry_mpi_t tmp = gcry_mpi_new (0);
gcry_mpi_t b = gcry_mpi_new (0);
gcry_mpi_t pmin1 = gcry_mpi_new (0);
gcry_mpi_t g = start_g? gcry_mpi_copy (start_g) : gcry_mpi_set_ui (NULL, 3);
int first = 1;
int i, n;
if (!factors || !r_g || !prime)
return gpg_error (GPG_ERR_INV_ARG);
*r_g = NULL;
for (n=0; factors[n]; n++)
;
if (n < 2)
return gpg_error (GPG_ERR_INV_ARG);
/* Extra sanity check - usually disabled. */
/* mpi_set (tmp, factors[0]); */
/* for(i = 1; i < n; i++) */
/* mpi_mul (tmp, tmp, factors[i]); */
/* mpi_add_ui (tmp, tmp, 1); */
/* if (mpi_cmp (prime, tmp)) */
/* return gpg_error (GPG_ERR_INV_ARG); */
gcry_mpi_sub_ui (pmin1, prime, 1);
do
{
if (first)
first = 0;
else
gcry_mpi_add_ui (g, g, 1);
if (DBG_CIPHER)
{
log_debug ("checking g:");
gcry_mpi_dump (g);
log_debug ("\n");
}
else
progress('^');
for (i = 0; i < n; i++)
{
mpi_fdiv_q (tmp, pmin1, factors[i]);
gcry_mpi_powm (b, g, tmp, prime);
if (! mpi_cmp_ui (b, 1))
break;
}
if (DBG_CIPHER)
progress('\n');
}
while (i < n);
gcry_mpi_release (tmp);
gcry_mpi_release (b);
gcry_mpi_release (pmin1);
*r_g = g;
return 0;
}
/* Check that left shifting works correctly. */
static void
test_lshift (int pass)
{
static int size_list[] = {1, 31, 32, 63, 64, 65, 70, 0};
int size_idx;
gcry_mpi_t a, b;
char *tmpstr, *result, *result2;
int i;
wherestr = "test_lshift";
show ("checking that lshift works as expected (pass %d)\n", pass);
for (size_idx=0; size_list[size_idx]; size_idx++)
{
a = gcry_mpi_new (0);
b = gcry_mpi_new (0);
/* gcry_mpi_randomize rounds up to full bytes, thus we need to
use gcry_mpi_clear_highbit to fix that. */
gcry_mpi_randomize (a, size_list[size_idx], GCRY_WEAK_RANDOM);
gcry_mpi_clear_highbit (a, size_list[size_idx]);
for (i=0; i < 75; i++)
{
gcry_mpi_lshift (b, a, i);
result = mpi2bitstr_nlz (b);
tmpstr = mpi2bitstr_nlz (a);
result2 = lshiftbitstring (tmpstr, i);
xfree (tmpstr);
if (strcmp (result, result2))
{
show ("got =%s\n", result);
show ("want=%s\n", result2);
fail ("lshift by %d failed\n", i);
}
xfree (result);
xfree (result2);
}
/* Again. This time using in-place operation. */
gcry_mpi_randomize (a, size_list[size_idx], GCRY_WEAK_RANDOM);
gcry_mpi_clear_highbit (a, size_list[size_idx]);
for (i=0; i < 75; i++)
{
gcry_mpi_release (b);
b = gcry_mpi_copy (a);
gcry_mpi_lshift (b, b, i);
result = mpi2bitstr_nlz (b);
tmpstr = mpi2bitstr_nlz (a);
result2 = lshiftbitstring (tmpstr, i);
xfree (tmpstr);
if (strcmp (result, result2))
{
show ("got =%s\n", result);
show ("want=%s\n", result2);
fail ("in-place lshift by %d failed\n", i);
}
xfree (result2);
xfree (result);
}
gcry_mpi_release (b);
gcry_mpi_release (a);
}
}
static int
test_const_and_immutable (void)
{
gcry_mpi_t one, second_one;
one = gcry_mpi_set_ui (NULL, 1);
if (gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE)
|| gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("immutable or const flag initially set\n");
second_one = gcry_mpi_copy (one);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag set after copy\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag set after copy\n");
gcry_mpi_release (second_one);
gcry_mpi_set_flag (one, GCRYMPI_FLAG_IMMUTABLE);
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE))
die ("failed to set immutable flag\n");
if (gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("const flag unexpectly set\n");
second_one = gcry_mpi_copy (one);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag not cleared after copy\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag unexpectly set after copy\n");
gcry_mpi_release (second_one);
gcry_mpi_clear_flag (one, GCRYMPI_FLAG_IMMUTABLE);
if (gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE))
die ("failed to clear immutable flag\n");
if (gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("const flag unexpectly set\n");
gcry_mpi_set_flag (one, GCRYMPI_FLAG_CONST);
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("failed to set const flag\n");
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE))
die ("failed to set immutable flag with const flag\n");
second_one = gcry_mpi_copy (one);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag not cleared after copy\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag not cleared after copy\n");
gcry_mpi_release (second_one);
gcry_mpi_clear_flag (one, GCRYMPI_FLAG_IMMUTABLE);
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE))
die ("clearing immutable flag not ignored for a constant MPI\n");
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("const flag unexpectly cleared\n");
second_one = gcry_mpi_set (NULL, GCRYMPI_CONST_ONE);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag not cleared by mpi_set (NULL,x)\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag not cleared by mpi_set (NULL,x)\n");
gcry_mpi_release (second_one);
second_one = gcry_mpi_set_ui (NULL, 42);
gcry_mpi_set (second_one, GCRYMPI_CONST_ONE);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag not cleared after mpi_set (a,x)\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag not cleared mpi_set (a,x)\n");
gcry_mpi_release (second_one);
/* Due to the the constant flag the release below should be a NOP
and will leak memory. */
gcry_mpi_release (one);
return 1;
}
/* Check that the RSA secret key SKEY is valid. Swap parameters to
the libgcrypt standard. */
static gpg_error_t
rsa_key_check (struct rsa_secret_key_s *skey)
{
int err = 0;
gcry_mpi_t t = gcry_mpi_snew (0);
gcry_mpi_t t1 = gcry_mpi_snew (0);
gcry_mpi_t t2 = gcry_mpi_snew (0);
gcry_mpi_t phi = gcry_mpi_snew (0);
/* Check that n == p * q. */
gcry_mpi_mul (t, skey->p, skey->q);
if (gcry_mpi_cmp( t, skey->n) )
{
log_error ("RSA oops: n != p * q\n");
err++;
}
/* Check that p is less than q. */
if (gcry_mpi_cmp (skey->p, skey->q) > 0)
{
gcry_mpi_t tmp;
log_info ("swapping secret primes\n");
tmp = gcry_mpi_copy (skey->p);
gcry_mpi_set (skey->p, skey->q);
gcry_mpi_set (skey->q, tmp);
gcry_mpi_release (tmp);
/* Recompute u. */
gcry_mpi_invm (skey->u, skey->p, skey->q);
}
/* Check that e divides neither p-1 nor q-1. */
gcry_mpi_sub_ui (t, skey->p, 1 );
gcry_mpi_div (NULL, t, t, skey->e, 0);
if (!gcry_mpi_cmp_ui( t, 0) )
{
log_error ("RSA oops: e divides p-1\n");
err++;
}
gcry_mpi_sub_ui (t, skey->q, 1);
gcry_mpi_div (NULL, t, t, skey->e, 0);
if (!gcry_mpi_cmp_ui( t, 0))
{
log_info ("RSA oops: e divides q-1\n" );
err++;
}
/* Check that d is correct. */
gcry_mpi_sub_ui (t1, skey->p, 1);
gcry_mpi_sub_ui (t2, skey->q, 1);
gcry_mpi_mul (phi, t1, t2);
gcry_mpi_invm (t, skey->e, phi);
if (gcry_mpi_cmp (t, skey->d))
{
/* No: try universal exponent. */
gcry_mpi_gcd (t, t1, t2);
gcry_mpi_div (t, NULL, phi, t, 0);
gcry_mpi_invm (t, skey->e, t);
if (gcry_mpi_cmp (t, skey->d))
{
log_error ("RSA oops: bad secret exponent\n");
err++;
}
}
/* Check for correctness of u. */
gcry_mpi_invm (t, skey->p, skey->q);
if (gcry_mpi_cmp (t, skey->u))
{
log_info ("RSA oops: bad u parameter\n");
err++;
}
if (err)
log_info ("RSA secret key check failed\n");
gcry_mpi_release (t);
gcry_mpi_release (t1);
gcry_mpi_release (t2);
gcry_mpi_release (phi);
return err? gpg_error (GPG_ERR_BAD_SECKEY):0;
}
/*
* Test iterative X25519 computation through lower layer MPI routines.
*
* Input: K (as hex string), ITER, R (as hex string)
*
* where R is expected result of iterating X25519 by ITER times.
*
*/
static void
test_it (int testno, const char *k_str, int iter, const char *result_str)
{
gcry_ctx_t ctx;
gpg_error_t err;
void *buffer = NULL;
size_t buflen;
gcry_mpi_t mpi_k = NULL;
gcry_mpi_t mpi_x = NULL;
gcry_mpi_point_t P = NULL;
gcry_mpi_point_t Q;
int i;
gcry_mpi_t mpi_kk = NULL;
if (verbose > 1)
info ("Running test %d: iteration=%d\n", testno, iter);
gcry_mpi_ec_new (&ctx, NULL, "Curve25519");
Q = gcry_mpi_point_new (0);
if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 32)
{
fail ("error scanning MPI for test %d, %s: %s",
testno, "k", "invalid hex string");
goto leave;
}
reverse_buffer (buffer, buflen);
if ((err = gcry_mpi_scan (&mpi_x, GCRYMPI_FMT_USG, buffer, buflen, NULL)))
{
fail ("error scanning MPI for test %d, %s: %s",
testno, "x", gpg_strerror (err));
goto leave;
}
xfree (buffer);
buffer = NULL;
P = gcry_mpi_point_set (NULL, mpi_x, NULL, GCRYMPI_CONST_ONE);
mpi_k = gcry_mpi_copy (mpi_x);
if (debug)
print_mpi ("k", mpi_k);
for (i = 0; i < iter; i++)
{
/*
* Another variant of decodeScalar25519 thing.
*/
mpi_kk = gcry_mpi_set (mpi_kk, mpi_k);
gcry_mpi_set_bit (mpi_kk, 254);
gcry_mpi_clear_bit (mpi_kk, 255);
gcry_mpi_clear_bit (mpi_kk, 0);
gcry_mpi_clear_bit (mpi_kk, 1);
gcry_mpi_clear_bit (mpi_kk, 2);
gcry_mpi_ec_mul (Q, mpi_kk, P, ctx);
P = gcry_mpi_point_set (P, mpi_k, NULL, GCRYMPI_CONST_ONE);
gcry_mpi_ec_get_affine (mpi_k, NULL, Q, ctx);
if (debug)
print_mpi ("k", mpi_k);
}
{
unsigned char res[32];
char *r, *r0;
gcry_mpi_print (GCRYMPI_FMT_USG, res, 32, NULL, mpi_k);
reverse_buffer (res, 32);
r0 = r = xmalloc (65);
if (!r0)
{
fail ("memory allocation for test %d", testno);
goto leave;
}
for (i=0; i < 32; i++, r += 2)
snprintf (r, 3, "%02x", res[i]);
if (strcmp (result_str, r0))
{
fail ("curv25519 failed for test %d: %s",
testno, "wrong value returned");
info (" expected: '%s'", result_str);
info (" got: '%s'", r0);
}
xfree (r0);
}
leave:
gcry_mpi_release (mpi_kk);
gcry_mpi_release (mpi_k);
gcry_mpi_point_release (P);
gcry_mpi_release (mpi_x);
xfree (buffer);
gcry_mpi_point_release (Q);
gcry_ctx_release (ctx);
}
