[gnome-keyring/dbus-api] [pkcs11] Fix bugs in DH key generation.
- From: Stefan Walter <stefw src gnome org>
- To: svn-commits-list gnome org
- Cc:
- Subject: [gnome-keyring/dbus-api] [pkcs11] Fix bugs in DH key generation.
- Date: Mon, 14 Dec 2009 01:57:34 +0000 (UTC)
commit b318b8a2d875ae0f4683a091784b38aa69bde202
Author: Stef Walter <stef memberwebs com>
Date: Sat Dec 12 18:03:03 2009 +0000
[pkcs11] Fix bugs in DH key generation.
The public and private keys were accidentally interchanged.
egg/egg-dh.c | 41 +++++++++++++++++++++--------------------
pkcs11/gck/gck-dh-mechanism.c | 6 +++---
2 files changed, 24 insertions(+), 23 deletions(-)
---
diff --git a/egg/egg-dh.c b/egg/egg-dh.c
index f162f4d..d192aeb 100644
--- a/egg/egg-dh.c
+++ b/egg/egg-dh.c
@@ -24,6 +24,7 @@
#include "egg-dh.h"
#include "egg-secure-memory.h"
+/* Enabling this is a complete security compromise */
#define DEBUG_DH_SECRET 0
typedef struct _DHGroup {
@@ -259,17 +260,17 @@ egg_dh_default_params (const gchar *name, gcry_mpi_t *prime, gcry_mpi_t *base)
}
gboolean
-egg_dh_gen_pair (gcry_mpi_t p, gcry_mpi_t g, guint bits,
- gcry_mpi_t *X, gcry_mpi_t *x)
+egg_dh_gen_pair (gcry_mpi_t prime, gcry_mpi_t base, guint bits,
+ gcry_mpi_t *pub, gcry_mpi_t *priv)
{
guint pbits;
- g_return_val_if_fail (g, FALSE);
- g_return_val_if_fail (p, FALSE);
- g_return_val_if_fail (X, FALSE);
- g_return_val_if_fail (x, FALSE);
+ g_return_val_if_fail (prime, FALSE);
+ g_return_val_if_fail (base, FALSE);
+ g_return_val_if_fail (pub, FALSE);
+ g_return_val_if_fail (priv, FALSE);
- pbits = gcry_mpi_get_nbits (p);
+ pbits = gcry_mpi_get_nbits (prime);
g_return_val_if_fail (pbits > 1, FALSE);
if (bits == 0) {
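Review bot: egg_dh_gen_pair still has no comment saying which output is the secret, and both outputs are `gcry_mpi_t *`, so the compiler cannot catch a transposed call like the one this commit fixes in gck-dh-mechanism.c. A header comment above the definition would pin the contract, for example `/* On success *pub = base^(*priv) mod prime; *priv is the secret exponent, allocated with gcry_mpi_snew(). */`. A unit test that recomputes `gcry_mpi_powm` from the returned pair and compares the result with `*pub` would catch any future swap. The function body continues past the end of this hunk.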
@@ -281,24 +282,24 @@ egg_dh_gen_pair (gcry_mpi_t p, gcry_mpi_t g, guint bits,
/*
* Generate a strong random number of bits, and not zero.
* gcry_mpi_randomize bumps up to the next byte. Since we
- * need to have a value less than half of p, we make sure
+ * need to have a value less than half of prime, we make sure
* we bump down.
*/
- *x = gcry_mpi_snew (bits);
- g_return_val_if_fail (*x, FALSE);
- while (gcry_mpi_cmp_ui (*x, 0) == 0)
- gcry_mpi_randomize (*x, bits, GCRY_STRONG_RANDOM);
+ *priv = gcry_mpi_snew (bits);
+ g_return_val_if_fail (*priv, FALSE);
+ while (gcry_mpi_cmp_ui (*priv, 0) == 0)
+ gcry_mpi_randomize (*priv, bits, GCRY_STRONG_RANDOM);
/* Secret key value must be less than half of p */
- if (gcry_mpi_get_nbits (*x) > bits)
- gcry_mpi_clear_highbit (*x, bits);
- if (gcry_mpi_get_nbits (*x) > pbits - 1)
- gcry_mpi_clear_highbit (*x, pbits - 1);
- g_assert (gcry_mpi_cmp (p, *x) > 0);
-
- *X = gcry_mpi_new (gcry_mpi_get_nbits (*x));
- g_return_val_if_fail (*X, FALSE);
- gcry_mpi_powm (*X, g, *x, p);
+ if (gcry_mpi_get_nbits (*priv) > bits)
+ gcry_mpi_clear_highbit (*priv, bits);
+ if (gcry_mpi_get_nbits (*priv) > pbits - 1)
+ gcry_mpi_clear_highbit (*priv, pbits - 1);
+ g_assert (gcry_mpi_cmp (prime, *priv) > 0);
+
+ *pub = gcry_mpi_new (gcry_mpi_get_nbits (*priv));
+ g_return_val_if_fail (*pub, FALSE);
+ gcry_mpi_powm (*pub, base, *priv, prime);
return TRUE;
}
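Review bot: The non-zero test on `*priv` runs before the two `gcry_mpi_clear_highbit` calls, so the masking can in principle still reduce the secret to zero, which would make `*pub` equal to 1. The chance is negligible at realistic sizes, but the "not zero" property the comment promises is not actually enforced. Putting the randomize and masking steps inside one loop closed by `while (gcry_mpi_cmp_ui (*priv, 0) == 0);` would make it hold. The context comment `Secret key value must be less than half of p` should also read `prime` after the rename. The start of the function lies in the previous hunk.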
diff --git a/pkcs11/gck/gck-dh-mechanism.c b/pkcs11/gck/gck-dh-mechanism.c
index f85ac02..d2a559a 100644
--- a/pkcs11/gck/gck-dh-mechanism.c
+++ b/pkcs11/gck/gck-dh-mechanism.c
@@ -130,7 +130,7 @@ gck_dh_mechanism_generate (GckSession *session, CK_ATTRIBUTE_PTR pub_atts,
return CKR_TEMPLATE_INCONSISTENT;
}
- ret = egg_dh_gen_pair (prime, base, bits, &priv, &pub);
+ ret = egg_dh_gen_pair (prime, base, bits, &pub, &priv);
gcry_mpi_release (prime);
gcry_mpi_release (base);
@@ -167,10 +167,10 @@ gck_dh_mechanism_generate (GckSession *session, CK_ATTRIBUTE_PTR pub_atts,
/* Write the private key out to raw data */
value.type = CKA_VALUE;
- gcry = gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &length, pub);
+ gcry = gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &length, priv);
g_return_val_if_fail (gcry == 0, CKR_GENERAL_ERROR);
value.pValue = egg_secure_alloc (length);
- gcry = gcry_mpi_print (GCRYMPI_FMT_USG, value.pValue, length, &length, pub);
+ gcry = gcry_mpi_print (GCRYMPI_FMT_USG, value.pValue, length, &length, priv);
g_return_val_if_fail (gcry == 0, CKR_GENERAL_ERROR);
value.ulValueLen = length;
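Review bot: If the second `gcry_mpi_print` fails, `g_return_val_if_fail (gcry == 0, CKR_GENERAL_ERROR)` returns without freeing `value.pValue`, which by then may hold part of the private key. The result of `egg_secure_alloc (length)` is also passed on without a NULL check. An explicit error path such as `if (gcry != 0) { egg_secure_free (value.pValue); return CKR_GENERAL_ERROR; }` would cover the first case, and it would keep working in builds where GLib checks are compiled out with G_DISABLE_CHECKS. The function starts and ends outside this hunk, so whether `pub` and `priv` are released on these early returns cannot be seen here.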