X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fecdsa%2Fecs_ossl.c;h=c23343b64d885c3e9a7e4852c6ce21574737f9c0;hp=3ead1af94e7351c5e4bf76aefe146e61b1e636a5;hb=8aed2a7548362e88e84a7feb795a3a97e8395008;hpb=3d11b8f89617edc81d01329dbb5bf134fcda3303 diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index 3ead1af94e..c23343b64d 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, } while (BN_is_zero(k)); + /* We do not want timing information to leak the length of k, + * so we compute G*k using an equivalent scalar of fixed + * bit-length. */ + + if (!BN_add(k, k, order)) goto err; + if (BN_num_bits(k) <= BN_num_bits(order)) + if (!BN_add(k, k, order)) goto err; + /* compute r the x-coordinate of generator * k */ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { @@ -159,6 +167,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, goto err; } } +#ifndef OPENSSL_NO_EC2M else /* NID_X9_62_characteristic_two_field */ { if (!EC_POINT_get_affine_coordinates_GF2m(group, @@ -168,6 +177,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, goto err; } } +#endif if (!BN_nnmod(r, X, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); @@ -177,11 +187,37 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, while (BN_is_zero(r)); /* compute the inverse of k */ - if (!BN_mod_inverse(k, k, order, ctx)) - { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); - goto err; - } + if (EC_GROUP_get_mont_data(group) != NULL) + { + /* We want inverse in constant time, therefore we utilize the + * fact order must be prime and use Fermats Little Theorem + * instead. */ + if (!BN_set_word(X, 2) ) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_sub(X, order, X, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + BN_set_flags(X, BN_FLG_CONSTTIME); + if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx, EC_GROUP_get_mont_data(group))) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + } + else + { + if (!BN_mod_inverse(k, k, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + } + /* clear old values if necessary */ if (*rp != NULL) BN_clear_free(*rp); @@ -212,7 +248,7 @@ err: static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) { - int ok = 0; + int ok = 0, i; BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL; const BIGNUM *ckinv; BN_CTX *ctx = NULL; @@ -251,22 +287,19 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB); goto err; } - if (8 * dgst_len > BN_num_bits(order)) + i = BN_num_bits(order); + /* Need to truncate digest if it is too long: first truncate whole + * bytes. + */ + if (8 * dgst_len > i) + dgst_len = (i + 7)/8; + if (!BN_bin2bn(dgst, dgst_len, m)) { - /* XXX - * - * Should provide for optional hash truncation: - * Keep the BN_num_bits(order) leftmost bits of dgst - * (see March 2006 FIPS 186-3 draft, which has a few - * confusing errors in this part though) - */ - - ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, - ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; } - - if (!BN_bin2bn(dgst, dgst_len, m)) + /* If still too long truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; @@ -346,7 +379,7 @@ err: static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey) { - int ret = -1; + int ret = -1, i; BN_CTX *ctx; BIGNUM *order, *u1, *u2, *m, *X; EC_POINT *point = NULL; @@ -384,21 +417,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); goto err; } - if (8 * dgst_len > BN_num_bits(order)) - { - /* XXX - * - * Should provide for optional hash truncation: - * Keep the BN_num_bits(order) leftmost bits of dgst - * (see March 2006 FIPS 186-3 draft, which has a few - * confusing errors in this part though) - */ - - ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, - ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); - ret = 0; - goto err; - } if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || @@ -415,11 +433,23 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, goto err; } /* digest -> m */ + i = BN_num_bits(order); + /* Need to truncate digest if it is too long: first truncate whole + * bytes. + */ + if (8 * dgst_len > i) + dgst_len = (i + 7)/8; if (!BN_bin2bn(dgst, dgst_len, m)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } + /* If still too long truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); + goto err; + } /* u1 = m * tmp mod order */ if (!BN_mod_mul(u1, m, u2, order, ctx)) { @@ -452,6 +482,7 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, goto err; } } +#ifndef OPENSSL_NO_EC2M else /* NID_X9_62_characteristic_two_field */ { if (!EC_POINT_get_affine_coordinates_GF2m(group, @@ -461,7 +492,7 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, goto err; } } - +#endif if (!BN_nnmod(u1, X, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);