Merge tag 'release/1.2.16' into 67-openssh-9-gnuk-1.2.16

Gnuk: Version 1.2.16
Nitrokey · Jun 13, 2022 · 94c82d7 · 94c82d7
2 parents db51995 + e515857
commit 94c82d7
Show file tree

Hide file tree

Showing 10 changed files with 205 additions and 112 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,58 @@
+2020-09-10  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* VERSION: 1.2.16.
+
+2020-09-09  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/modp256k1.c (modp256k1_add, modp256k1_sub): Use memcpy with
+	dummy memory area.
+	* src/modp256r1.c (modp256r1_add, modp256r1_sub)
+	(modp256r1_reduce): Likewise.
+
+2020-09-08  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/modp256k1.c (modp256k1_add, modp256k1_reduce): Avoid
+	optimization to remove call of memmove.
+	* src/modp256r1.c (modp256r1_add, modp256r1_sub)
+	(modp256r1_reduce): Likewise.
+
+2020-09-07  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/openpgp.c (gpg_get_firmware_update_key): Use an array.
+
+	* src/modp256k1.c (modp256k1_add, modp256k1_sub): Use memmove.
+	* src/modp256r1.c (modp256r1_add, modp256r1_sub)
+	(modp256r1_reduce): Likewise.
+
+2020-09-04  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/openpgp-do.c (GPG_DO_ALG_INFO): New.
+	(do_fp_all, do_cafp_all, do_kgtime_all, do_openpgpcard_aid)
+	(do_ds_count): Return nothing.
+	(copy_do): Change the API for DO_PROC_READ.
+	(do_alg_info): New for GPG_DO_ALG_INFO.
+	(gpg_do_table): Add an entry for GPG_DO_ALG_INFO.
+
+2020-09-03  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/openpgp.c (cmd_internal_authenticate): Remove checking
+	against EDDSA_HASH_LEN_MAX.
+	(cmd_pso): Likewise.
+
+2020-08-28  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/openpgp.c (cmd_reset_user_password): Add passphrase length
+	check.
+
+2020-08-26  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/ac.c (verify_user_0): Fix for a use case of having
+	signing key only.
+	(verify_admin_00): Clean up.
+
+	* tests/test_000_empty_card.py (test_name_lang_sex): Support
+	OpenPGP card version 3.3.
+
 2020-01-24  NIIBE Yutaka  <gniibe@fsij.org>
 
 	* VERSION: 1.2.15.

diff --git a/NEWS b/NEWS
@@ -1,6 +1,24 @@
 Gnuk NEWS - User visible changes
 
 
+* Major changes in Gnuk 1.2.16
+
+  Released 2020-09-10, by NIIBE Yutaka
+
+** New Data Object (Algorithm Information) of OpenPGP card v3.4
+The tag is 0x00FA.  This is useful for user interaction to show which
+algorithms are supported by the device.
+
+** Ed25519 signing allowing longer message
+For OpenPGP, it does hashing on host side before requesting signing to
+the device.  Thus, the length of message to be signed is limited and
+determined by the hash algorithm.  That's good feature of OpenPGP.  On
+the other hand, there is a use case, like OpenSSH certificate signing,
+where the length of message is a kind of arbitrary.  Even though Gnuk
+(or OpenPGP card protocol itself) has limitation, we removed the
+length check against EDDSA_HASH_LEN_MAX at cmd_pso.
+
+
 * Major changes in Gnuk 1.2.15
 
   Released 2020-01-24, by NIIBE Yutaka

diff --git a/README b/README
@@ -1,24 +1,23 @@
 Gnuk - An Implementation of USB Cryptographic Token for GnuPG
 
-							 Version 1.2.15
-							     2020-01-24
+							 Version 1.2.16
+							     2020-09-10
 							   Niibe Yutaka
 				      Free Software Initiative of Japan
 
 Release Notes
 =============
 
-This is the release of Gnuk, version 1.2.15, which has major
+This is the release of Gnuk, version 1.2.16, which has major
 incompatible changes to Gnuk 1.0.x.  Specifically, it now supports
 overriding key import, but importing keys (or generating keys) results
 password reset.  Also, you need to import private keys before changing
 your password.  Please update your documentation for Gnuk Token, so
 that the instruction of importing keys won't cause any confusion.
 
-It has supports of EdDSA, ECDSA (with NIST P256 and secp256k1), and
-ECDH (with X25519, NIST P256 and secp256k1), but this ECC feature is
-somehow experimental, and it requires modern GnuPG 2.2 with libgcrypt
-1.7.0 or later.
+It has supports of Ed25519 and X25519 (ECDH on Curve25519).  It also
+has experimental support of ECDSA (on NIST P256 and secp256k1) and
+ECDH (on NIST P256 and secp256k1).
 
 It also supports RSA-4096, but users should know that it takes more
 than 8 seconds to sign/decrypt.  Key generation of RSA-4096 just fails,
@@ -54,7 +53,7 @@ FAQ
 ===
 
 Q0: How Gnuk USB Token is superior than other solutions (OpenPGP
-    card 2.0, YubiKey, etc.) ?
+    card 2.0/3.3/3.4, YubiKey, etc.) ?
     https://www.g10code.de/p-card.html
     https://www.yubico.com/
 A0: Good points of Gnuk are:
@@ -79,13 +78,12 @@ A2: It takes a second and a half or so for RSA-2048.
 
 Q3: What's your recommendation for target board?
 A3: Orthodox choice is Olimex STM32-H103.
-    FST-01 (Flying Stone Tiny 01) is available for sale, and it is a
-    kind of the best choice, hopefully.
-    If you have a skill of electronics, STM32 Nucleo F103 is the best
-    choice for experiment.
+    FST-01SZ (Flying Stone Tiny 01 SZ) is available for sale, and it
+    is a kind of the best choice, hopefully.  If you have a skill of
+    electronics, STM32 Nucleo F103 is the best choice for experiment.
 
 Q4: What's version of GnuPG are you using?
-A4: In Debian GNU/Linux system, I use GnuPG modern 2.2.12.
+A4: In Debian GNU/Linux system, I use GnuPG modern 2.2.23.
 
 Q5: What's version of pcscd and libccid are you using?
 A5: I don't use them, pcscd and libccid are optional, you can use Gnuk
@@ -146,14 +144,20 @@ Ac: That's because gnome-keyring-daemon interferes GnuPG.  Please
 Qd: Do you know a good SWD debugger to connect FST-01 or something?
 Ad: ST-Link/V2 is cheap one.  We have a tool/stlinkv2.py as flash ROM
     writer program.  STM32 Nucleo F103 comes with the valiant of
-    ST-Link/V2.  However, the firmware of ST-Link/V2 is proprietary.
-    Now, I develop BBG-SWD, SWD debugger by BeagleBone Green.
+    ST-Link/V2.  Note that the firmware of ST-Link/V2 is proprietary.
+    So, in case of transparency matters, ST-Link/V2 would not be your
+    choice.
+    I care transparency for our process of manufacturing FST-01SZ (and
+    better control by Free Software, in general), thus, I develop
+    BBG-SWD, SWD debugger by BeagleBone Green.
+    I use ST-Link/V2 for daily development.  For serious task like
+    flashing product, I use BBG-SWD.
 
 
 Tested features
 ===============
 
-Gnuk is tested by test suite.  Please see the test directory.
+Gnuk is tested by test suite.  Please see the "tests" directory.
 
 	* Personalization of the card
 	  * Changing Login name, URL, Name, Sex, Language, etc.
@@ -190,16 +194,6 @@ DfuSe is for experiment only, because it is impossible for DfuSe to
 disable read from flash.  For real use, please consider killing DfuSe
 and enabling read protection using JTAG debugger.
 
-For experimental PIN-pad support, I connect a consumer IR receive
-module to FST-01, and use controller for TV.  PIN verification is
-supported by this configuration.  Yes, it is not secure at all, since
-it is very easy to monitor IR output of the controllers.  It is just
-an experiment.  Note that hardware needed for this experiment is only
-a consumer IR receive module which is as cheap as 50 JPY.
-
-Note that you need pinpad support for GnuPG to use PIN-pad enabled
-Gnuk.  The pinpad support for GnuPG is only available in version 2.
-
 
 Build system and Host system
 ============================
@@ -210,8 +204,8 @@ If your bash is not installed as /bin/bash, you need to run configure
 script prepending 'bash' before './configure'.
 
 Some tools are written in Python.  If your Python is not installed as
-/usr/bin/python, please prepend 'python' for your command invocation.
-I use Python 3.7 and PyUSB 1.0.0.
+/usr/bin/python, please prepend 'python' or 'python3' for your command
+invocation.  I use Python 3.8 and PyUSB 1.0.2.
 
 
 Source code

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-release/1.2.15
+release/1.2.16
diff --git a/src/ac.c b/src/ac.c
@@ -63,7 +63,7 @@ verify_user_0 (uint8_t access, const uint8_t *pw, int buf_len, int pw_len_known,
 	       const uint8_t *ks_pw1, int save_ks)
 {
   int pw_len;
-  int r1, r2;
+  int r;
   uint8_t keystring[KEYSTRING_MD_SIZE];
   const uint8_t *salt;
   int salt_len;
@@ -99,21 +99,31 @@ verify_user_0 (uint8_t access, const uint8_t *pw, int buf_len, int pw_len_known,
     memcpy (keystring_md_pw3, keystring, KEYSTRING_MD_SIZE);
 
   if (access == AC_PSO_CDS_AUTHORIZED)
-    {
-      r1 = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_USER, keystring);
-      r2 = 0;
-    }
+    r = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_USER, keystring);
   else
     {
+      int r1, r2;
+
       r1 = gpg_do_load_prvkey (GPG_KEY_FOR_DECRYPTION, BY_USER, keystring);
       r2 = gpg_do_load_prvkey (GPG_KEY_FOR_AUTHENTICATION, BY_USER, keystring);
+
+      if (r1 < 0 || r2 < 0)
+	r = -1;
+      else if (r1 == 0)
+	{
+	  if (r2 == 0)
+	    /* No encryption/authentication keys, then, check signing key.  */
+	    r = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_USER, keystring);
+	  else
+	    r = r2;
+	}
+      else if (r2 == 0)
+	r = r1;
+      else
+	r = 1;
     }
 
-  if (r1 < 0 || r2 < 0
-      || (r1 == 0 && r2 == 0 && ks_pw1 != NULL
-	  && ((ks_pw1[0] & PW_LEN_KEYSTRING_BIT) == 0
-	      || memcmp (KS_GET_KEYSTRING (ks_pw1),
-			 keystring, KEYSTRING_MD_SIZE) != 0)))
+  if (r < 0)
     {
     failure:
       gpg_pw_increment_err_counter (PW_ERR_PW1);
@@ -163,7 +173,7 @@ verify_admin_00 (const uint8_t *pw, int buf_len, int pw_len_known,
 		 const uint8_t *ks, int save_ks)
 {
   int pw_len;
-  int r1, r2;
+  int r;
   uint8_t keystring[KEYSTRING_MD_SIZE];
   const uint8_t *salt;
   int salt_len;
@@ -179,12 +189,11 @@ verify_admin_00 (const uint8_t *pw, int buf_len, int pw_len_known,
   if (save_ks)
     memcpy (keystring_md_pw3, keystring, KEYSTRING_MD_SIZE);
 
-  r1 = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_ADMIN, keystring);
-  r2 = 0;
+  r = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_ADMIN, keystring);
 
-  if (r1 < 0 || r2 < 0)
+  if (r < 0)
     return -1;
-  else if (r1 == 0 && r2 == 0)
+  else if (r == 0)
     if ((ks[0] & PW_LEN_KEYSTRING_BIT) == 0
 	|| memcmp (KS_GET_KEYSTRING (ks), keystring, KEYSTRING_MD_SIZE) != 0)
       return -1;

diff --git a/src/modp256k1.c b/src/modp256k1.c
@@ -1,7 +1,7 @@
 /*
  * modp256k1.c -- modulo arithmetic for p256k1
  *
- * Copyright (C) 2014, 2016 Free Software Initiative of Japan
+ * Copyright (C) 2014, 2016, 2020 Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -71,14 +71,12 @@ modp256k1_add (bn256 *X, const bn256 *A, const bn256 *B)
 {
   uint32_t cond;
   bn256 tmp[1];
+  bn256 dummy[1];
 
   cond = (bn256_add (X, A, B) == 0);
   cond &= bn256_sub (tmp, X, P256K1);
-  if (cond)
-    /* No-carry AND borrow */
-    memcpy (tmp, tmp, sizeof (bn256));
-  else
-    memcpy (X, tmp, sizeof (bn256));
+  memcpy (cond?dummy:X, tmp, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
 }
 
 /**
@@ -89,13 +87,12 @@ modp256k1_sub (bn256 *X, const bn256 *A, const bn256 *B)
 {
   uint32_t borrow;
   bn256 tmp[1];
+  bn256 dummy[1];
 
   borrow = bn256_sub (X, A, B);
   bn256_add (tmp, X, P256K1);
-  if (borrow)
-    memcpy (X, tmp, sizeof (bn256));
-  else
-    memcpy (tmp, tmp, sizeof (bn256));
+  memcpy (borrow?X:dummy, tmp, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
 }
 
 /**