GOST VKO support in ECDH: multiply by an optional UKM value

.gitignore

@@ -32,6 +32,8 @@ cipher/libcipher.la
 compat/Makefile
 compat/libcompat.la
 doc/gcrypt.info
+doc/gcrypt.info-1
+doc/gcrypt.info-2
 doc/stamp-vti
 doc/version.texi
 doc/Makefile
@@ -65,6 +67,7 @@ src/gcrypt.h
 src/hmac256
 src/libgcrypt-config
 src/libgcrypt.la
+src/libgcrypt.pc
 src/mpicalc
 src/versioninfo.rc
 src/*.exe
@@ -103,6 +106,8 @@ tests/t-lock
 tests/t-mpi-bit
 tests/t-mpi-point
 tests/t-sexp
+tests/t-secmem
+tests/t-x448
 tests/tsexp
 tests/version
 tests/*.exe

AUTHORS

@@ -157,6 +157,9 @@ Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
 2012-12-14:50CAE2DB.80302@intel.com:
 
+H.J. Lu <hjl.tools@gmail.com>
+2020-01-19:20200119135241.GA4970@gmail.com:
+
 Jia Zhang <qianyue.zj@alibaba-inc.com>
 2017-10-17:59E56E30.9060503@alibaba-inc.com:
 
@@ -199,6 +202,9 @@ Shawn Landden <shawn@git.icu>
 Stephan Mueller <smueller@chronox.de>
 2014-08-22:2008899.25OeoelVVA@myon.chronox.de:
 
+Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+2020-01-08:dcda0127-2f45-93a3-0736-27259a33bffa@linux.alibaba.com:
+
 Tomáš Mráz <tm@t8m.info>
 2012-04-16:1334571250.5056.52.camel@vespa.frost.loc:
 

cipher/Makefile.am

@@ -87,7 +87,7 @@ EXTRA_libcipher_la_SOURCES = \
 	dsa.c \
 	elgamal.c \
 	ecc.c ecc-curves.c ecc-misc.c ecc-common.h \
-	ecc-ecdh.c ecc-ecdsa.c ecc-eddsa.c ecc-gost.c \
+	ecc-ecdh.c ecc-ecdsa.c ecc-eddsa.c ecc-gost.c ecc-sm2.c \
 	idea.c \
 	gost28147.c gost.h \
 	gostr3411-94.c \

cipher/camellia-aesni-avx-amd64.S

@@ -18,8 +18,9 @@
  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 
-#ifdef __x86_64
 #include <config.h>
+
+#ifdef __x86_64
 #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
      defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \
     defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX_SUPPORT)

cipher/camellia-aesni-avx2-amd64.S

@@ -18,8 +18,9 @@
  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 
-#ifdef __x86_64
 #include <config.h>
+
+#ifdef __x86_64
 #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
      defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \
     defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX2_SUPPORT)

cipher/cipher-gcm-armv8-aarch64-ce.S

@@ -385,6 +385,8 @@ _gcry_ghash_setup_armv8_ce_pmull:
 
   GET_DATA_POINTER(x2, .Lrconst)
 
+  eor vZZ.16b, vZZ.16b, vZZ.16b
+
   /* H¹ */
   ld1 {rh1.16b}, [x0]
   rbit rh1.16b, rh1.16b

cipher/cipher.c

@@ -1125,7 +1125,7 @@ _gcry_cipher_encrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
 
   if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key)
     {
-      log_error ("cipher_decrypt: key not set\n");
+      log_error ("cipher_encrypt: key not set\n");
       return GPG_ERR_MISSING_KEY;
     }
 

cipher/ecc-common.h

@@ -125,4 +125,16 @@ gpg_err_code_t _gcry_ecc_gost_verify (gcry_mpi_t input, mpi_ec_t ec,
                                       gcry_mpi_t r, gcry_mpi_t s);
 
 
+/*-- ecc-sm2.c --*/
+gpg_err_code_t _gcry_ecc_sm2_encrypt (gcry_sexp_t *r_ciph,
+                                      gcry_mpi_t input, mpi_ec_t ec);
+gpg_err_code_t _gcry_ecc_sm2_decrypt (gcry_sexp_t *r_plain,
+                                      gcry_sexp_t data_list, mpi_ec_t ec);
+gpg_err_code_t _gcry_ecc_sm2_sign (gcry_mpi_t input, mpi_ec_t ec,
+                                   gcry_mpi_t r, gcry_mpi_t s,
+                                   int flags, int hashalgo);
+gpg_err_code_t _gcry_ecc_sm2_verify (gcry_mpi_t input, mpi_ec_t ec,
+                                     gcry_mpi_t r, gcry_mpi_t s);
+
+
 #endif /*GCRY_ECC_COMMON_H*/

cipher/ecc-curves.c

@@ -115,6 +115,8 @@ static const struct
 
     { "secp256k1", "1.3.132.0.10" },
 
+    { "sm2p256v1", "1.2.156.10197.1.301" },
+
     { NULL, NULL}
   };
 
@@ -512,6 +514,18 @@ static const ecc_domain_parms_t domain_parms[] =
       1
     },
 
+    {
+      "sm2p256v1", 256, 0,
+      MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+      "0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff",
+      "0xfffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc",
+      "0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93",
+      "0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123",
+      "0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7",
+      "0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0",
+      1
+    },
+
     { NULL, 0, 0, 0, 0, NULL, NULL, NULL, NULL, NULL }
   };
 
@@ -1044,6 +1058,7 @@ mpi_ec_get_elliptic_curve (elliptic_curve_t *E, int *r_flags,
             goto leave;
           if (G)
             {
+              _gcry_mpi_point_init (&E->G);
               mpi_point_set (&E->G, G->x, G->y, G->z);
               mpi_point_set (G, NULL, NULL, NULL);
               mpi_point_release (G);

cipher/ecc-gost.c

@@ -45,27 +45,17 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, mpi_ec_t ec,
   gcry_mpi_t k, dr, sum, ke, x, e;
   mpi_point_struct I;
   gcry_mpi_t hash;
-  const void *abuf;
-  unsigned int abits, qbits;
+  unsigned int qbits;
 
   if (DBG_CIPHER)
     log_mpidump ("gost sign hash  ", input );
 
   qbits = mpi_get_nbits (ec->n);
 
   /* Convert the INPUT into an MPI if needed.  */
-  if (mpi_is_opaque (input))
-    {
-      abuf = mpi_get_opaque (input, &abits);
-      rc = _gcry_mpi_scan (&hash, GCRYMPI_FMT_USG, abuf, (abits+7)/8, NULL);
-      if (rc)
-        return rc;
-      if (abits > qbits)
-        mpi_rshift (hash, hash, abits - qbits);
-    }
-  else
-    hash = input;
-
+  rc = _gcry_dsa_normalize_hash (input, &hash, qbits);
+  if (rc)
+    return rc;
 
   k = NULL;
   dr = mpi_alloc (0);