PublicArchive/gentoo
2
0
Fork 0
mirror of https://anongit.gentoo.org/git/repo/gentoo.git synced 2026-05-06 07:27:03 -04:00
Code Issues Packages Projects Releases Wiki Activity

dev-libs/libgcrypt: fix last leak changes

Browse Source 
From https://lists.gnupg.org/pipermail/gcrypt-devel/2026-February/006040.html
> The changes for ECC least leak assume that the limbs for MPI are
> allocated and enough.  In the past, we had a practice to use
> "mpi_new (0)" to initialize an MPI, which only allocates the
> placeholder of MPI and not the limbs.  This is the fix of those places
> in ECC.

Bug: https://dev.gnupg.org/T8094
Closes: https://bugs.gentoo.org/969501
Signed-off-by: Sam James <sam@gentoo.org>
This commit is contained in:
Sam James
2026-02-15 14:23:53 +00:00
parent cc4c755360
commit 33c6259aae
4 changed files with 1095 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
dev-libs/libgcrypt/files/0001-mpi-ec-Make-sure-to-have-MPI-limbs-in-ECC.patch
+736
View File
@@ -0,0 +1,736 @@
diff --git a/cipher/ecc-common.h b/cipher/ecc-common.h
index 01fb9042..54270eab 100644
--- a/cipher/ecc-common.h
+++ b/cipher/ecc-common.h
@@ -47,7 +47,7 @@ point_set (mpi_point_t d, mpi_point_t s)
mpi_set (d->z, s->z);
}
-#define point_init(a) _gcry_mpi_point_init ((a))
+#define point_init(a,nbits) _gcry_mpi_point_init ((a),(nbits))
#define point_free(a) _gcry_mpi_point_free_parts ((a))
diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c
index 975f6a07..5478e69d 100644
--- a/cipher/ecc-curves.c
+++ b/cipher/ecc-curves.c
@@ -863,7 +863,7 @@ _gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits)
if (rc)
goto leave;
- _gcry_mpi_point_init (&E.G);
+ _gcry_mpi_point_init (&E.G, 0);
_gcry_mpi_point_set (&E.G, G->x, G->y, G->z);
for (idx = 0; domain_parms[idx].desc; idx++)
@@ -991,7 +991,7 @@ point_from_keyparam (gcry_mpi_point_t *r_a,
if (!a)
return GPG_ERR_INV_OBJ;
- point = mpi_point_new (0);
+ point = mpi_point_new (ec->nbits);
rc = _gcry_mpi_ec_decode_point (point, a, ec);
mpi_free (a);
if (rc)
@@ -1120,7 +1120,7 @@ mpi_ec_get_elliptic_curve (elliptic_curve_t *E, int *r_flags,
goto leave;
if (G)
{
- _gcry_mpi_point_init (&E->G);
+ _gcry_mpi_point_init (&E->G, 0);
mpi_point_set (&E->G, G->x, G->y, G->z);
mpi_point_set (G, NULL, NULL, NULL);
mpi_point_release (G);
@@ -1551,7 +1551,7 @@ _gcry_ecc_set_mpi (const char *name, gcry_mpi_t newvalue, mpi_ec_t ec)
if (newvalue)
{
if (!ec->Q)
- ec->Q = mpi_point_new (0);
+ ec->Q = mpi_point_new (ec->nbits);
rc = _gcry_mpi_ec_decode_point (ec->Q, newvalue, ec);
}
if (rc || !newvalue)
diff --git a/cipher/ecc-ecdh.c b/cipher/ecc-ecdh.c
index c690d221..385f5c2a 100644
--- a/cipher/ecc-ecdh.c
+++ b/cipher/ecc-ecdh.c
@@ -131,7 +131,7 @@ _gcry_ecc_curve_keypair (const char *curve,
return GPG_ERR_UNKNOWN_CURVE;
x = mpi_new (nbits);
- point_init (&Q);
+ point_init (&Q, ec->nbits);
_gcry_mpi_ec_mul_point (&Q, mpi_k, ec->G, ec);
@@ -254,14 +254,14 @@ _gcry_ecc_curve_mul_point (const char *curve,
goto leave;
}
- point_init (&Q);
+ point_init (&Q, ec->nbits);
if (point)
{
gcry_mpi_t mpi_u = _gcry_mpi_set_opaque_copy (NULL, point, point_len*8);
mpi_point_struct P;
- point_init (&P);
+ point_init (&P, ec->nbits);
if (ec->model == MPI_EC_WEIERSTRASS)
err = _gcry_ecc_sec_decodepoint (mpi_u, ec, &P);
else /* MPI_EC_MONTGOMERY */
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
index 6231ae0b..34f2903b 100644
--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
@@ -89,7 +89,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, gcry_mpi_t k_supplied, mpi_ec_t ec,
sum = mpi_alloc (0);
k_1 = mpi_alloc (0);
x = mpi_alloc (0);
- point_init (&I);
+ point_init (&I, ec->nbits);
/* Two loops to avoid R or S are zero. This is more of a joke than
a real demand because the probability of them being zero is less
@@ -268,9 +268,9 @@ _gcry_ecc_ecdsa_verify (gcry_mpi_t input, mpi_ec_t ec,
h1 = mpi_alloc (0);
h2 = mpi_alloc (0);
x = mpi_alloc (0);
- point_init (&Q);
- point_init (&Q1);
- point_init (&Q2);
+ point_init (&Q, ec->nbits);
+ point_init (&Q1, ec->nbits);
+ point_init (&Q2, ec->nbits);
/* h = s^(-1) (mod n) */
mpi_invm (h, s, ec->n);
diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c
index fb952baf..d3c6b6f2 100644
--- a/cipher/ecc-eddsa.c
+++ b/cipher/ecc-eddsa.c
@@ -126,8 +126,8 @@ _gcry_ecc_eddsa_encodepoint (mpi_point_t point, mpi_ec_t ec,
gpg_err_code_t rc;
gcry_mpi_t x, y;
- x = x_in? x_in : mpi_new (0);
- y = y_in? y_in : mpi_new (0);
+ x = x_in? x_in : mpi_new (ec->nbits);
+ y = y_in? y_in : mpi_new (ec->nbits);
if (_gcry_mpi_ec_get_affine (x, y, point, ec))
{
@@ -219,11 +219,11 @@ ecc_ed448_recover_x (gcry_mpi_t x, gcry_mpi_t y, int x_0, mpi_ec_t ec)
p34 = scanval ("3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
- u = mpi_new (0);
- v = mpi_new (0);
- u3 = mpi_new (0);
- v3 = mpi_new (0);
- t = mpi_new (0);
+ u = mpi_new (ec->nbits);
+ v = mpi_new (ec->nbits);
+ u3 = mpi_new (ec->nbits);
+ v3 = mpi_new (ec->nbits);
+ t = mpi_new (ec->nbits);
/* Compute u and v */
/* u = y^2 */
@@ -300,10 +300,10 @@ _gcry_ecc_eddsa_recover_x (gcry_mpi_t x, gcry_mpi_t y, int sign, mpi_ec_t ec)
if (!seven)
seven = mpi_set_ui (NULL, 7);
- u = mpi_new (0);
- v = mpi_new (0);
- v3 = mpi_new (0);
- t = mpi_new (0);
+ u = mpi_new (ec->nbits);
+ v = mpi_new (ec->nbits);
+ v3 = mpi_new (ec->nbits);
+ t = mpi_new (ec->nbits);
/* Compute u and v */
/* u = y^2 */
@@ -592,7 +592,7 @@ _gcry_ecc_eddsa_genkey (mpi_ec_t ec, int flags)
{
gpg_err_code_t rc;
int b;
- gcry_mpi_t a, x, y;
+ gcry_mpi_t a;
mpi_point_struct Q;
gcry_random_level_t random_level;
char *dbuf;
@@ -616,8 +616,6 @@ _gcry_ecc_eddsa_genkey (mpi_ec_t ec, int flags)
dlen = b;
a = mpi_snew (0);
- x = mpi_new (0);
- y = mpi_new (0);
/* Generate a secret. */
dbuf = _gcry_random_bytes_secure (dlen, random_level);
@@ -631,7 +629,7 @@ _gcry_ecc_eddsa_genkey (mpi_ec_t ec, int flags)
/* log_printmpi ("ecgen a", a); */
/* Compute Q. */
- point_init (&Q);
+ point_init (&Q, ec->nbits);
_gcry_mpi_ec_mul_point (&Q, a, ec->G, ec);
if (DBG_CIPHER)
log_printpnt ("ecgen pk", &Q, ec);
@@ -643,8 +641,6 @@ _gcry_ecc_eddsa_genkey (mpi_ec_t ec, int flags)
leave:
_gcry_mpi_release (a);
- _gcry_mpi_release (x);
- _gcry_mpi_release (y);
return rc;
}
@@ -716,11 +712,11 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, mpi_ec_t ec,
return GPG_ERR_INV_DATA;
/* Initialize some helpers. */
- point_init (&I);
+ point_init (&I, ec->nbits);
a = mpi_snew (0);
- x = mpi_new (0);
- y = mpi_new (0);
- r = mpi_snew (0);
+ x = mpi_new (ec->nbits);
+ y = mpi_new (ec->nbits);
+ r = mpi_snew (ec->nbits);
rc = _gcry_ecc_eddsa_compute_h_d (&digest, ec);
if (rc)
@@ -732,7 +728,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, mpi_ec_t ec,
{
mpi_point_struct Q;
- point_init (&Q);
+ point_init (&Q, ec->nbits);
_gcry_mpi_ec_mul_point (&Q, a, ec->G, ec);
ec->Q = mpi_point_snatch_set (NULL, Q.x, Q.y, Q.z);
}
@@ -939,8 +935,8 @@ _gcry_ecc_eddsa_verify (gcry_mpi_t input, mpi_ec_t ec,
else
return GPG_ERR_NOT_IMPLEMENTED;
- point_init (&Ia);
- point_init (&Ib);
+ point_init (&Ia, ec->nbits);
+ point_init (&Ib, ec->nbits);
h = mpi_new (0);
s = mpi_new (0);
diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
index 36230f8a..179660fa 100644
--- a/cipher/ecc-gost.c
+++ b/cipher/ecc-gost.c
@@ -63,7 +63,7 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, mpi_ec_t ec,
ke = mpi_alloc (0);
e = mpi_alloc (0);
x = mpi_alloc (0);
- point_init (&I);
+ point_init (&I, ec->nbits);
mpi_mod (e, input, ec->n); /* e = hash mod n */
@@ -148,9 +148,9 @@ _gcry_ecc_gost_verify (gcry_mpi_t input, mpi_ec_t ec,
rv = mpi_alloc (0);
zero = mpi_alloc (0);
- point_init (&Q);
- point_init (&Q1);
- point_init (&Q2);
+ point_init (&Q, ec->nbits);
+ point_init (&Q1, ec->nbits);
+ point_init (&Q2, ec->nbits);
mpi_mod (e, input, ec->n); /* e = hash mod n */
if (!mpi_cmp_ui (e, 0))
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
index 6796ba2c..40303ac4 100644
--- a/cipher/ecc-misc.c
+++ b/cipher/ecc-misc.c
@@ -60,7 +60,7 @@ _gcry_ecc_curve_copy (elliptic_curve_t E)
R.p = mpi_copy (E.p);
R.a = mpi_copy (E.a);
R.b = mpi_copy (E.b);
- _gcry_mpi_point_init (&R.G);
+ _gcry_mpi_point_init (&R.G, 0);
point_set (&R.G, &E.G);
R.n = mpi_copy (E.n);
R.h = E.h;
@@ -159,8 +159,8 @@ _gcry_mpi_ec_ec2os (gcry_mpi_point_t point, mpi_ec_t ec)
{
gcry_mpi_t g_x, g_y, result;
- g_x = mpi_new (0);
- g_y = mpi_new (0);
+ g_x = mpi_new (ec->nbits);
+ g_y = mpi_new (ec->nbits);
if (_gcry_mpi_ec_get_affine (g_x, g_y, point, ec))
result = NULL;
else
@@ -236,10 +236,10 @@ _gcry_ecc_sec_decodepoint (gcry_mpi_t value, mpi_ec_t ec, mpi_point_t result)
* Recover Y. The Weierstrass curve: y^2 = x^3 + a*x + b
*/
- x3 = mpi_new (0);
- t = mpi_new (0);
- p1_4 = mpi_new (0);
- y = mpi_new (0);
+ x3 = mpi_new (ec->nbits);
+ t = mpi_new (ec->nbits);
+ p1_4 = mpi_new (ec->nbits);
+ y = mpi_new (ec->nbits);
/* Compute right hand side. */
mpi_powm (x3, x, mpi_const (MPI_C_THREE), ec->p);
@@ -344,7 +344,7 @@ _gcry_ecc_compute_public (mpi_point_t Q, mpi_ec_t ec)
/* And finally the public key. */
if (!Q)
- Q = mpi_point_new (0);
+ Q = mpi_point_new (ec->nbits);
if (Q)
_gcry_mpi_ec_mul_point (Q, a, ec->G, ec);
mpi_free (a);
@@ -352,7 +352,7 @@ _gcry_ecc_compute_public (mpi_point_t Q, mpi_ec_t ec)
else
{
if (!Q)
- Q = mpi_point_new (0);
+ Q = mpi_point_new (ec->nbits);
if (Q)
_gcry_mpi_ec_mul_point (Q, ec->d, ec->G, ec);
}
diff --git a/cipher/ecc-sm2.c b/cipher/ecc-sm2.c
index c52629fd..8c3241e4 100644
--- a/cipher/ecc-sm2.c
+++ b/cipher/ecc-sm2.c
@@ -114,12 +114,12 @@ _gcry_ecc_sm2_encrypt (gcry_sexp_t *r_ciph, gcry_mpi_t input, mpi_ec_t ec)
unsigned char *cipher = NULL;
int i;
- point_init (&kG);
- point_init (&kP);
- x1 = mpi_new (0);
- y1 = mpi_new (0);
- x2 = mpi_new (0);
- y2 = mpi_new (0);
+ point_init (&kG, ec->nbits);
+ point_init (&kP, ec->nbits);
+ x1 = mpi_new (ec->nbits);
+ y1 = mpi_new (ec->nbits);
+ x2 = mpi_new (ec->nbits);
+ y2 = mpi_new (ec->nbits);
in = _gcry_mpi_get_buffer (input, 0, &inlen, NULL);
if (!in)
@@ -268,10 +268,10 @@ _gcry_ecc_sm2_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t data_list, mpi_ec_t ec)
unsigned int c3_len;
int i;
- point_init (&c1);
- point_init (&kP);
- x2 = mpi_new (0);
- y2 = mpi_new (0);
+ point_init (&c1, ec->nbits);
+ point_init (&kP, ec->nbits);
+ x2 = mpi_new (ec->nbits);
+ y2 = mpi_new (ec->nbits);
in = mpi_get_opaque (data_c2, &inlen);
inlen = (inlen + 7) / 8;
@@ -401,10 +401,10 @@ _gcry_ecc_sm2_sign (gcry_mpi_t input, mpi_ec_t ec,
if (rc)
return rc;
- point_init (&kG);
- x1 = mpi_new (0);
- rk = mpi_new (0);
- tmp = mpi_new (0);
+ point_init (&kG, ec->nbits);
+ x1 = mpi_new (ec->nbits);
+ rk = mpi_new (ec->nbits);
+ tmp = mpi_new (ec->nbits);
for (;;)
{
@@ -514,11 +514,11 @@ _gcry_ecc_sm2_verify (gcry_mpi_t input, mpi_ec_t ec,
if (err)
return err;
- point_init (&sG);
- point_init (&tP);
- x1 = mpi_new (0);
- y1 = mpi_new (0);
- t = mpi_new (0);
+ point_init (&sG, ec->nbits);
+ point_init (&tP, ec->nbits);
+ x1 = mpi_new (ec->nbits);
+ y1 = mpi_new (ec->nbits);
+ t = mpi_new (ec->nbits);
/* t = (r + s) % n, t != 0 */
mpi_addm (t, r, s, ec->n);
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 51364b64..95dc0535 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -256,7 +256,7 @@ nist_generate_key (mpi_ec_t ec, int flags,
gcry_mpi_t x, y;
const unsigned int pbits = ec->nbits;
- point_init (&Q);
+ point_init (&Q, ec->nbits);
if ((flags & PUBKEY_FLAG_TRANSIENT_KEY))
random_level = GCRY_STRONG_RANDOM;
@@ -387,7 +387,7 @@ test_keys (mpi_ec_t ec, unsigned int nbits)
if (DBG_CIPHER)
log_debug ("Testing key.\n");
- point_init (&R_);
+ point_init (&R_, ec->nbits);
_gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
@@ -544,7 +544,7 @@ test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags)
if (DBG_CIPHER)
log_debug ("Testing ECDH only key.\n");
- point_init (&R_);
+ point_init (&R_, ec->nbits);
if (ec->dialect == ECC_DIALECT_SAFECURVE || (flags & PUBKEY_FLAG_DJB_TWEAK))
{
@@ -572,8 +572,8 @@ test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags)
_gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
}
- x0 = mpi_new (0);
- x1 = mpi_new (0);
+ x0 = mpi_new (ec->nbits);
+ x1 = mpi_new (ec->nbits);
/* R_ = hkQ <=> R_ = hkdG */
_gcry_mpi_ec_mul_point (&R_, test, ec->Q, ec);
@@ -617,12 +617,12 @@ check_secret_key (mpi_ec_t ec, int flags)
gcry_mpi_t x2 = NULL;
gcry_mpi_t y2 = NULL;
- point_init (&Q);
- x1 = mpi_new (0);
+ point_init (&Q, ec->nbits);
+ x1 = mpi_new (ec->nbits);
if (ec->model == MPI_EC_MONTGOMERY)
y1 = NULL;
else
- y1 = mpi_new (0);
+ y1 = mpi_new (ec->nbits);
/* G in E(F_p) */
if (!_gcry_mpi_ec_curve_point (ec->G, ec))
@@ -687,8 +687,8 @@ check_secret_key (mpi_ec_t ec, int flags)
}
else
{
- x2 = mpi_new (0);
- y2 = mpi_new (0);
+ x2 = mpi_new (ec->nbits);
+ y2 = mpi_new (ec->nbits);
if (_gcry_mpi_ec_get_affine (x2, y2, ec->Q, ec))
{
if (DBG_CIPHER)
@@ -751,8 +751,8 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
goto leave;
/* Copy data to the result. */
- Gx = mpi_new (0);
- Gy = mpi_new (0);
+ Gx = mpi_new (ec->nbits);
+ Gy = mpi_new (ec->nbits);
if (ec->model != MPI_EC_MONTGOMERY)
{
if (_gcry_mpi_ec_get_affine (Gx, Gy, ec->G, ec))
@@ -787,8 +787,8 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
{
/* This is the case for a key from _gcry_ecc_eddsa_generate
with no compression. */
- Qx = mpi_new (0);
- Qy = mpi_new (0);
+ Qx = mpi_new (ec->nbits);
+ Qy = mpi_new (ec->nbits);
if (_gcry_mpi_ec_get_affine (Qx, Qy, ec->Q, ec))
log_fatal ("ecgen: Failed to get affine coordinates for %s\n", "Q");
}
@@ -1369,13 +1369,13 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t keyparms)
unsigned int rawmpilen;
rc = 0;
- x = mpi_new (0);
+ x = mpi_new (ec->nbits);
if (ec->model == MPI_EC_MONTGOMERY)
y = NULL;
else
- y = mpi_new (0);
+ y = mpi_new (ec->nbits);
- point_init (&R);
+ point_init (&R, ec->nbits);
/* R = kQ <=> R = kdG */
_gcry_mpi_ec_mul_point (&R, data, ec->Q, ec);
@@ -1478,11 +1478,12 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
int flags = GCRYECC_FLAG_LEAST_LEAK;
int enable_specific_point_validation;
- point_init (&kG);
- point_init (&R);
+ nbits = ecc_get_nbits (keyparms);
- _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_DECRYPT,
- (nbits = ecc_get_nbits (keyparms)));
+ point_init (&kG, nbits);
+ point_init (&R, nbits);
+
+ _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_DECRYPT, nbits);
/*
* Extract the key.
@@ -1564,11 +1565,11 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
{
gcry_mpi_t x, y;
- x = mpi_new (0);
+ x = mpi_new (ec->nbits);
if (ec->model == MPI_EC_MONTGOMERY)
y = NULL;
else
- y = mpi_new (0);
+ y = mpi_new (ec->nbits);
if (_gcry_mpi_ec_get_affine (x, y, &R, ec))
{
@@ -1887,10 +1888,10 @@ compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparms)
* Recover Y. The Weierstrass curve: y^2 = x^3 + a*x + b
*/
- x3 = mpi_new (0);
- t = mpi_new (0);
- p1_4 = mpi_new (0);
- y = mpi_new (0);
+ x3 = mpi_new (ec->nbits);
+ t = mpi_new (ec->nbits);
+ p1_4 = mpi_new (ec->nbits);
+ y = mpi_new (ec->nbits);
/* Compute right hand side. */
mpi_powm (x3, x, mpi_const (MPI_C_THREE), ec->p);
diff --git a/mpi/ec-hw-s390x.c b/mpi/ec-hw-s390x.c
index 149a061d..d5d72a9b 100644
--- a/mpi/ec-hw-s390x.c
+++ b/mpi/ec-hw-s390x.c
@@ -242,8 +242,8 @@ _gcry_s390x_ec_hw_mul_point (mpi_point_t result, gcry_mpi_t scalar,
if (!(pcc_query () & km_function_to_mask (pcc_func)))
return -1; /* HW does not support acceleration for this curve. */
- x = mpi_new (0);
- y = mpi_new (0);
+ x = mpi_new (ctx->nbits);
+ y = mpi_new (ctx->nbits);
if (_gcry_mpi_ec_get_affine (x, y, point, ctx) < 0)
{
@@ -352,7 +352,7 @@ s390_mul_point_montgomery (mpi_point_t result, gcry_mpi_t scalar,
if (!(pcc_query () & km_function_to_mask (pcc_func)))
return -1; /* HW does not support acceleration for this curve. */
- x = mpi_new (0);
+ x = mpi_new (ctx->nbits);
if (mpi_is_opaque (scalar))
{
diff --git a/mpi/ec.c b/mpi/ec.c
index b0b6f427..1ab45594 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -33,7 +33,7 @@
extern void reverse_buffer (unsigned char *buffer, unsigned int length);
-#define point_init(a) _gcry_mpi_point_init ((a))
+#define point_init(a, nbits) _gcry_mpi_point_init ((a), (nbits))
#define point_free(a) _gcry_mpi_point_free_parts ((a))
@@ -55,8 +55,8 @@ _gcry_mpi_point_log (const char *name, mpi_point_t point, mpi_ec_t ctx)
if (ctx)
{
- x = mpi_new (0);
- y = mpi_new (0);
+ x = mpi_new (ctx->nbits);
+ y = mpi_new (ctx->nbits);
}
if (!ctx || _gcry_mpi_ec_get_affine (x, y, point, ctx))
{
@@ -90,10 +90,8 @@ _gcry_mpi_point_new (unsigned int nbits)
{
mpi_point_t p;
- (void)nbits; /* Currently not used. */
-
p = xmalloc (sizeof *p);
- _gcry_mpi_point_init (p);
+ _gcry_mpi_point_init (p, nbits);
return p;
}
@@ -113,11 +111,11 @@ _gcry_mpi_point_release (mpi_point_t p)
/* Initialize the fields of a point object. gcry_mpi_point_free_parts
may be used to release the fields. */
void
-_gcry_mpi_point_init (mpi_point_t p)
+_gcry_mpi_point_init (mpi_point_t p, unsigned int nbits)
{
- p->x = mpi_new (0);
- p->y = mpi_new (0);
- p->z = mpi_new (0);
+ p->x = mpi_new (nbits);
+ p->y = mpi_new (nbits);
+ p->z = mpi_new (nbits);
}
@@ -1213,8 +1211,8 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, mpi_point_t point,
saved_flags = ctx->flags;
ctx->flags |= GCRYECC_FLAG_LEAST_LEAK;
- z1 = mpi_new (0);
- z2 = mpi_new (0);
+ z1 = mpi_new (ctx->nbits);
+ z2 = mpi_new (ctx->nbits);
ec_invm (z1, point->z, ctx); /* z1 = z^(-1) mod p */
ec_mulm_lli (z2, z1, z1, ctx); /* z2 = z^(-2) mod p */
@@ -1231,7 +1229,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, mpi_point_t point,
mpi_set (y, point->y);
mpi_resize (y, ctx->p->nlimbs);
y->nlimbs = ctx->p->nlimbs;
- z3 = mpi_new (0);
+ z3 = mpi_new (ctx->nbits);
ec_mulm_lli (z3, z2, z1, ctx); /* z3 = z^(-3) mod p */
ec_mulm_lli (y, y, z3, ctx);
mpi_free (z3);
@@ -1271,7 +1269,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, mpi_point_t point,
return 0;
}
- z = mpi_new (0);
+ z = mpi_new (ctx->nbits);
ec_invm (z, point->z, ctx);
mpi_resize (z, ctx->p->nlimbs);
@@ -2113,10 +2111,10 @@ montgomery_mul_point (mpi_point_t result,
int scalar_copied = 0;
nbits = mpi_get_nbits (scalar);
- point_init (&p1);
- point_init (&p2);
- point_init (&p1_);
- point_init (&p2_);
+ point_init (&p1, ctx->nbits);
+ point_init (&p2, ctx->nbits);
+ point_init (&p1_, ctx->nbits);
+ point_init (&p2_, ctx->nbits);
mpi_set_ui (p1.x, 1);
mpi_free (p2.x);
p2.x = mpi_copy (point->x);
@@ -2186,7 +2184,7 @@ montgomery_mul_point (mpi_point_t result,
}
else
{
- z1 = mpi_new (0);
+ z1 = mpi_new (ctx->nbits);
ec_invm (z1, p1.z, ctx);
ec_mulm (result->x, p1.x, z1, ctx);
mpi_set_ui (result->z, 1);
@@ -2218,13 +2216,13 @@ mpi_ec_mul_point_lli (mpi_point_t result,
/* Convert POINT1 into affine coordinate, so that we can use
add_points_*_a routine with affine coordinate. */
- point_init (point);
+ point_init (point, ctx->nbits);
if (_gcry_mpih_cmp_ui (point1->z->d, ctx->p->nlimbs, 1))
{
gcry_mpi_t x, y;
- x = mpi_new (0);
- y = mpi_new (0);
+ x = mpi_new (ctx->nbits);
+ y = mpi_new (ctx->nbits);
if (_gcry_mpi_ec_get_affine (x, y, point1, ctx))
{
@@ -2263,7 +2261,7 @@ mpi_ec_mul_point_lli (mpi_point_t result,
mpi_set_ui (result->z, 1);
}
- point_init (&tmppnt);
+ point_init (&tmppnt, ctx->nbits);
mpi_point_resize (result, ctx);
mpi_point_resize (&tmppnt, ctx);
if (ctx->model == MPI_EC_WEIERSTRASS)
@@ -2420,8 +2418,8 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
p1.x = x1; x1 = NULL;
p1.y = y1; y1 = NULL;
p1.z = z1; z1 = NULL;
- point_init (&p2);
- point_init (&p1inv);
+ point_init (&p2, ctx->nbits);
+ point_init (&p1inv, ctx->nbits);
/* Invert point: y = p - y mod p */
point_set (&p1inv, &p1);
@@ -2457,9 +2455,9 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx)
int res = 0;
gcry_mpi_t x, y, w;
- x = mpi_new (0);
- y = mpi_new (0);
- w = mpi_new (0);
+ x = mpi_new (ctx->nbits);
+ y = mpi_new (ctx->nbits);
+ w = mpi_new (ctx->nbits);
/* Check that the point is in range. This needs to be done here and
* not after conversion to affine coordinates. */
@@ -2479,7 +2477,7 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx)
if (_gcry_mpi_ec_get_affine (x, y, point, ctx))
goto leave;
- xxx = mpi_new (0);
+ xxx = mpi_new (ctx->nbits);
/* y^2 == x^3 + a·x + b */
ec_pow2 (y, y, ctx);
diff --git a/src/mpi.h b/src/mpi.h
index 2a314a21..0edbda52 100644
--- a/src/mpi.h
+++ b/src/mpi.h
@@ -243,7 +243,7 @@ struct gcry_mpi_point
typedef struct gcry_mpi_point mpi_point_struct;
typedef struct gcry_mpi_point *mpi_point_t;
-void _gcry_mpi_point_init (mpi_point_t p);
+void _gcry_mpi_point_init (mpi_point_t p, unsigned int nbits);
void _gcry_mpi_point_free_parts (mpi_point_t p);
void _gcry_mpi_get_point (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z,
mpi_point_t point);
dev-libs/libgcrypt/files/0002-mpi-ec-Use-mpi_new-with-NBITS-instead-of-mpi_alloc.patch
+89
View File
@@ -0,0 +1,89 @@
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
index 34f2903b..d91922d0 100644
--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
@@ -85,10 +85,10 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, gcry_mpi_t k_supplied, mpi_ec_t ec,
while (!mpi_invm (bi, b, ec->n));
k = NULL;
- dr = mpi_alloc (0);
- sum = mpi_alloc (0);
- k_1 = mpi_alloc (0);
- x = mpi_alloc (0);
+ dr = mpi_new (ec->nbits);
+ sum = mpi_new (ec->nbits);
+ k_1 = mpi_new (ec->nbits);
+ x = mpi_new (ec->nbits);
point_init (&I, ec->nbits);
/* Two loops to avoid R or S are zero. This is more of a joke than
@@ -264,10 +264,10 @@ _gcry_ecc_ecdsa_verify (gcry_mpi_t input, mpi_ec_t ec,
return err;
}
- h = mpi_alloc (0);
- h1 = mpi_alloc (0);
- h2 = mpi_alloc (0);
- x = mpi_alloc (0);
+ h = mpi_new (ec->nbits);
+ h1 = mpi_new (ec->nbits);
+ h2 = mpi_new (ec->nbits);
+ x = mpi_new (ec->nbits);
point_init (&Q, ec->nbits);
point_init (&Q1, ec->nbits);
point_init (&Q2, ec->nbits);
diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
index 179660fa..455d529e 100644
--- a/cipher/ecc-gost.c
+++ b/cipher/ecc-gost.c
@@ -58,11 +58,11 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, mpi_ec_t ec,
return rc;
k = NULL;
- dr = mpi_alloc (0);
- sum = mpi_alloc (0);
- ke = mpi_alloc (0);
- e = mpi_alloc (0);
- x = mpi_alloc (0);
+ dr = mpi_new (ec->nbits);
+ sum = mpi_new (ec->nbits);
+ ke = mpi_new (ec->nbits);
+ e = mpi_new (ec->nbits);
+ x = mpi_new (ec->nbits);
point_init (&I, ec->nbits);
mpi_mod (e, input, ec->n); /* e = hash mod n */
@@ -140,13 +140,13 @@ _gcry_ecc_gost_verify (gcry_mpi_t input, mpi_ec_t ec,
if( !(mpi_cmp_ui (s, 0) > 0 && mpi_cmp (s, ec->n) < 0) )
return GPG_ERR_BAD_SIGNATURE; /* Assertion 0 < s < n failed. */
- x = mpi_alloc (0);
- e = mpi_alloc (0);
- z1 = mpi_alloc (0);
- z2 = mpi_alloc (0);
- v = mpi_alloc (0);
- rv = mpi_alloc (0);
- zero = mpi_alloc (0);
+ x = mpi_new (ec->nbits);
+ e = mpi_new (ec->nbits);
+ z1 = mpi_new (ec->nbits);
+ z2 = mpi_new (ec->nbits);
+ v = mpi_new (ec->nbits);
+ rv = mpi_new (ec->nbits);
+ zero = mpi_new (ec->nbits);
point_init (&Q, ec->nbits);
point_init (&Q1, ec->nbits);
diff --git a/mpi/ec.c b/mpi/ec.c
index 1ab45594..6f6a7f8d 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -827,7 +827,7 @@ ec_get_two_inv_p (mpi_ec_t ec)
{
ec->t.valid.two_inv_p = 1;
if (!ec->t.two_inv_p)
- ec->t.two_inv_p = mpi_alloc (0);
+ ec->t.two_inv_p = mpi_new (ec->nbits);
ec_invm (ec->t.two_inv_p, mpi_const (MPI_C_TWO), ec);
}
return ec->t.two_inv_p;
dev-libs/libgcrypt/files/0003-cipher-ecc-Fix-Weierstrass-curve-with-PUBKEY_FLAG_PA.patch
+80
View File
@@ -0,0 +1,80 @@
>From 07efee1de2dac1b2a6ce29698b2abec9dd1f6820 Mon Sep 17 00:00:00 2001
Message-ID: <07efee1de2dac1b2a6ce29698b2abec9dd1f6820.1771055590.git.gniibe@fsij.org>
In-Reply-To: <43b648f0465fb449471944a84bb40f45996f6de3.1771055590.git.gniibe@fsij.org>
References: <43b648f0465fb449471944a84bb40f45996f6de3.1771055590.git.gniibe@fsij.org>
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Sat, 14 Feb 2026 16:49:05 +0900
Subject: [PATCH 3/3] cipher:ecc: Fix Weierstrass curve with PUBKEY_FLAG_PARAM.
To: gcrypt-devel@gnupg.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------2.47.3"
This is a multi-part message in MIME format.
--------------2.47.3
Content-Type: text/plain; charset=UTF-8; format=fixed
Content-Transfer-Encoding: 8bit
* cipher/ecc-curves.c (point_from_keyparam): Handle the case where
EC==NULL.
* cipher/ecc-misc.c (_gcry_ecc_sec_decodepoint): Care about
EC==NULL.
--
GnuPG-bug-id: 8094
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/ecc-curves.c | 6 +++++-
cipher/ecc-misc.c | 4 ++--
2 files changed, 7 insertions(+), 3 deletions(-)
--------------2.47.3
Content-Type: text/x-patch; name="0003-cipher-ecc-Fix-Weierstrass-curve-with-PUBKEY_FLAG_PA.patch"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="0003-cipher-ecc-Fix-Weierstrass-curve-with-PUBKEY_FLAG_PA.patch"
diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c
index 5478e69d..08b374d5 100644
--- a/cipher/ecc-curves.c
+++ b/cipher/ecc-curves.c
@@ -991,7 +991,11 @@ point_from_keyparam (gcry_mpi_point_t *r_a,
if (!a)
return GPG_ERR_INV_OBJ;
- point = mpi_point_new (ec->nbits);
+ /* NOTE: EC may be NULL, when it's for Weierstrass curve for
+ * parameter "g". And it's OK for _gcry_mpi_ec_decode_point
+ * (and _gcry_ecc_sec_decodepoint) to be called with EC=NULL.
+ */
+ point = mpi_point_new (ec? ec->nbits: 0);
rc = _gcry_mpi_ec_decode_point (point, a, ec);
mpi_free (a);
if (rc)
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
index 40303ac4..615b0df2 100644
--- a/cipher/ecc-misc.c
+++ b/cipher/ecc-misc.c
@@ -176,7 +176,7 @@ _gcry_mpi_ec_ec2os (gcry_mpi_point_t point, mpi_ec_t ec)
RESULT must have been initialized and is set on success to the
point given by VALUE. */
gpg_err_code_t
-_gcry_ecc_sec_decodepoint (gcry_mpi_t value, mpi_ec_t ec, mpi_point_t result)
+_gcry_ecc_sec_decodepoint (gcry_mpi_t value, mpi_ec_t ec, mpi_point_t result)
{
gpg_err_code_t rc;
size_t n;
@@ -220,7 +220,7 @@ _gcry_ecc_sec_decodepoint (gcry_mpi_t value, mpi_ec_t ec, mpi_point_t result)
gcry_mpi_t p1_4;
int y_bit = (*buf == 3);
- if (!mpi_test_bit (ec->p, 1))
+ if (ec == NULL || !mpi_test_bit (ec->p, 1))
{
xfree (buf_memory);
return GPG_ERR_NOT_IMPLEMENTED; /* No support for point compression. */
--------------2.47.3--
dev-libs/libgcrypt/libgcrypt-1.12.0-r3.ebuild
+190
View File
@@ -0,0 +1,190 @@
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
inherit autotools flag-o-matic linux-info multilib-minimal toolchain-funcs verify-sig
DESCRIPTION="General purpose crypto library based on the code used in GnuPG"
HOMEPAGE="https://www.gnupg.org/"
SRC_URI="mirror://gnupg/${PN}/${P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/${PN}/${P}.tar.bz2.sig )"
LICENSE="LGPL-2.1+ GPL-2+ MIT"
SLOT="0/20" # subslot = soname major version
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
IUSE="+asm doc +getentropy static-libs"
IUSE+=" cpu_flags_arm_neon cpu_flags_arm_aes cpu_flags_arm_sha1 cpu_flags_arm_sha2 cpu_flags_arm_sve"
IUSE+=" cpu_flags_ppc_altivec cpu_flags_ppc_vsx2 cpu_flags_ppc_vsx3"
IUSE+=" cpu_flags_x86_aes cpu_flags_x86_avx cpu_flags_x86_avx2 cpu_flags_x86_avx512f cpu_flags_x86_padlock cpu_flags_x86_sha cpu_flags_x86_sse4_1"
# Build system only has --disable-arm-crypto-support right now
# If changing this, update src_configure logic too.
# ARM CPUs seem to, right now, support all-or-nothing for crypto extensions,
# but this looks like it might change in future. This is just a safety check
# in case people somehow do have a CPU which only supports some. They must
# for now disable them all if that's the case.
REQUIRED_USE="
cpu_flags_arm_aes? ( cpu_flags_arm_sha1 cpu_flags_arm_sha2 )
cpu_flags_arm_sha1? ( cpu_flags_arm_aes cpu_flags_arm_sha2 )
cpu_flags_arm_sha2? ( cpu_flags_arm_aes cpu_flags_arm_sha1 )
cpu_flags_ppc_vsx3? ( cpu_flags_ppc_altivec cpu_flags_ppc_vsx2 )
cpu_flags_ppc_vsx2? ( cpu_flags_ppc_altivec )
"
RDEPEND="
>=dev-libs/libgpg-error-1.56[${MULTILIB_USEDEP}]
getentropy? (
kernel_linux? (
elibc_glibc? ( >=sys-libs/glibc-2.25 )
elibc_musl? ( >=sys-libs/musl-1.1.20 )
)
)
"
DEPEND="${RDEPEND}"
BDEPEND="
doc? ( virtual/texi2dvi )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
PATCHES=(
"${FILESDIR}"/${PN}-1.12.0-multilib-syspath.patch
"${FILESDIR}"/${PN}-powerpc-darwin.patch
"${FILESDIR}"/0001-rijndael-vaes-avx512-add-PIC-PLT-for-AVX2-function-j.patch
"${FILESDIR}"/0002-mpi-ec-Don-t-modify-POINT-in-_gcry_mpi_ec_get_affine.patch
"${FILESDIR}"/0001-mpi-ec-Make-sure-to-have-MPI-limbs-in-ECC.patch
"${FILESDIR}"/0002-mpi-ec-Use-mpi_new-with-NBITS-instead-of-mpi_alloc.patch
"${FILESDIR}"/0003-cipher-ecc-Fix-Weierstrass-curve-with-PUBKEY_FLAG_PA.patch
)
MULTILIB_CHOST_TOOLS=(
/usr/bin/libgcrypt-config
)
pkg_pretend() {
if [[ ${MERGE_TYPE} == buildonly ]]; then
return
fi
if use kernel_linux && use getentropy; then
unset KV_FULL
get_running_version
if [[ -n ${KV_FULL} ]] && kernel_is -lt 3 17; then
eerror "The getentropy function requires the getrandom syscall."
eerror "This was introduced in Linux 3.17."
eerror "Your system is currently running Linux ${KV_FULL}."
eerror "Disable the 'getentropy' USE flag or upgrade your kernel."
die "Kernel is too old for getentropy"
fi
fi
}
pkg_setup() {
:
}
src_prepare() {
default
eautoreconf
}
src_configure() {
# Temporary workaround for a build failure (known gcc issue):
# * https://bugs.gentoo.org/956605
# * https://gcc.gnu.org/PR110812
use riscv && filter-lto
# Temporary workaround for mfpmath=sse on x86 causing issues when -msse is
# stripped as it's not clear cut on how to handle in flag-o-matic we can at
# least solve it the ebuild see https://bugs.gentoo.org/959349
use x86 && filter-flags -mfpmath=sse
# Hardcodes the path to FGREP in libgcrypt-config
export ac_cv_path_SED="sed"
export ac_cv_path_EGREP="grep -E"
export ac_cv_path_EGREP_TRADITIONAL="grep -E"
export ac_cv_path_FGREP="grep -F"
export ac_cv_path_GREP="grep"
multilib-minimal_src_configure
}
multilib_src_configure() {
if [[ ${CHOST} == powerpc* ]] ; then
# ./configure does a lot of automagic, prevent that
# generic ppc32+ppc64 altivec
use cpu_flags_ppc_altivec || local -x gcry_cv_cc_ppc_altivec=no
use cpu_flags_ppc_altivec || local -x gcry_cv_cc_ppc_altivec_cflags=no
# power8 vector extension, aka arch 2.07 ISA, also checked below via ppc-crypto-support
use cpu_flags_ppc_vsx2 || local -x gcry_cv_gcc_inline_asm_ppc_altivec=no
# power9 vector extension, aka arch 3.00 ISA
use cpu_flags_ppc_vsx3 || local -x gcry_cv_gcc_inline_asm_ppc_arch_3_00=no
fi
append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
local myeconfargs=(
CC_FOR_BUILD="$(tc-getBUILD_CC)"
--enable-noexecstack
$(use_enable cpu_flags_arm_neon neon-support)
# See REQUIRED_USE comment above
$(use_enable cpu_flags_arm_aes arm-crypto-support)
$(use_enable cpu_flags_arm_sve sve-support)
$(use_enable cpu_flags_ppc_vsx2 ppc-crypto-support)
$(use_enable cpu_flags_x86_aes aesni-support)
$(use_enable cpu_flags_x86_avx avx-support)
$(use_enable cpu_flags_x86_avx2 avx2-support)
$(use_enable cpu_flags_x86_avx512f avx512-support)
$(use_enable cpu_flags_x86_padlock padlock-support)
$(use_enable cpu_flags_x86_sha shaext-support)
$(use_enable cpu_flags_x86_sse4_1 sse41-support)
# required for sys-power/suspend[crypt], bug 751568
$(use_enable static-libs static)
# disabled due to various applications requiring privileges
# after libgcrypt drops them (bug #468616)
--without-capabilities
$(use asm || echo "--disable-asm")
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
)
if use kernel_linux; then
# --enable-random=getentropy requires getentropy/getrandom.
# --enable-random=linux enables legacy code that tries getrandom
# and falls back to reading /dev/random.
myeconfargs+=( --enable-random=$(usex getentropy getentropy linux) )
fi
ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" \
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
}
multilib_src_compile() {
default
multilib_is_native_abi && use doc && VARTEXFONTS="${T}/fonts" emake -C doc gcrypt.pdf
}
multilib_src_test() {
# t-secmem and t-sexp need mlock which requires extra privileges; nspawn
# at least disallows that by default.
local -x GCRYPT_IN_ASAN_TEST=1
# Avoid running (very) expensive bench-slope test. On hppa, it
# takes at least 7 hours.
local -x GCRYPT_NO_BENCHMARKS=1
default
}
multilib_src_install() {
emake DESTDIR="${D}" install
multilib_is_native_abi && use doc && dodoc doc/gcrypt.pdf
}
multilib_src_install_all() {
default
find "${ED}" -type f -name '*.la' -delete || die
}