diff options
| author | bcook <> | 2016-06-21 04:16:53 +0000 |
|---|---|---|
| committer | bcook <> | 2016-06-21 04:16:53 +0000 |
| commit | b789abd90ce8dc508846bc7556ffad3b18c4cd06 (patch) | |
| tree | dd6ba567d5976be5e4a37f408373dc7699d3b21c | |
| parent | d73dc1262008dfcbfe5d8b18f9d8808970caa9d5 (diff) | |
| download | openbsd-b789abd90ce8dc508846bc7556ffad3b18c4cd06.tar.gz openbsd-b789abd90ce8dc508846bc7556ffad3b18c4cd06.tar.bz2 openbsd-b789abd90ce8dc508846bc7556ffad3b18c4cd06.zip | |
Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior.
Improved patch from Cesar Pereida. See
https://github.com/libressl-portable/openbsd/pull/61 for more details.
ok beck@
| -rw-r--r-- | src/lib/libcrypto/dsa/dsa.h | 10 | ||||
| -rw-r--r-- | src/lib/libcrypto/dsa/dsa_key.c | 20 | ||||
| -rw-r--r-- | src/lib/libcrypto/dsa/dsa_ossl.c | 104 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/dsa/dsa.h | 10 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/dsa/dsa_key.c | 20 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/dsa/dsa_ossl.c | 104 |
6 files changed, 92 insertions, 176 deletions
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h index 7fbaa29464..f7f81cfa94 100644 --- a/src/lib/libcrypto/dsa/dsa.h +++ b/src/lib/libcrypto/dsa/dsa.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa.h,v 1.19 2015/10/13 12:31:06 jsing Exp $ */ | 1 | /* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -89,12 +89,8 @@ | |||
| 89 | #endif | 89 | #endif |
| 90 | 90 | ||
| 91 | #define DSA_FLAG_CACHE_MONT_P 0x01 | 91 | #define DSA_FLAG_CACHE_MONT_P 0x01 |
| 92 | #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA | 92 | #define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this switched off |
| 93 | * implementation now uses constant time | 93 | * constant time behaviour. |
| 94 | * modular exponentiation for secret exponents | ||
| 95 | * by default. This flag causes the | ||
| 96 | * faster variable sliding window method to | ||
| 97 | * be used for all exponents. | ||
| 98 | */ | 94 | */ |
| 99 | 95 | ||
| 100 | /* If this flag is set the DSA method is FIPS compliant and can be used | 96 | /* If this flag is set the DSA method is FIPS compliant and can be used |
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c index eaf6da8de7..4732c471ed 100644 --- a/src/lib/libcrypto/dsa/dsa_key.c +++ b/src/lib/libcrypto/dsa/dsa_key.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa_key.c,v 1.20 2014/10/18 17:20:40 jsing Exp $ */ | 1 | /* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -104,18 +104,18 @@ dsa_builtin_keygen(DSA *dsa) | |||
| 104 | pub_key=dsa->pub_key; | 104 | pub_key=dsa->pub_key; |
| 105 | 105 | ||
| 106 | { | 106 | { |
| 107 | BIGNUM local_prk; | 107 | BIGNUM *prk = BN_new(); |
| 108 | BIGNUM *prk; | ||
| 109 | 108 | ||
| 110 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | 109 | if (prk == NULL) |
| 111 | BN_init(&local_prk); | 110 | goto err; |
| 112 | prk = &local_prk; | 111 | |
| 113 | BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); | 112 | BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); |
| 114 | } else | ||
| 115 | prk = priv_key; | ||
| 116 | 113 | ||
| 117 | if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) | 114 | if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { |
| 115 | BN_free(prk); | ||
| 118 | goto err; | 116 | goto err; |
| 117 | } | ||
| 118 | BN_free(prk); | ||
| 119 | } | 119 | } |
| 120 | 120 | ||
| 121 | dsa->priv_key = priv_key; | 121 | dsa->priv_key = priv_key; |
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index 7e1d494ff3..a28d3e9d1a 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa_ossl.c,v 1.25 2016/06/06 23:37:37 tedu Exp $ */ | 1 | /* $OpenBSD: dsa_ossl.c,v 1.26 2016/06/21 04:16:53 bcook Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -83,46 +83,6 @@ static DSA_METHOD openssl_dsa_meth = { | |||
| 83 | .finish = dsa_finish | 83 | .finish = dsa_finish |
| 84 | }; | 84 | }; |
| 85 | 85 | ||
| 86 | /* | ||
| 87 | * These macro wrappers replace attempts to use the dsa_mod_exp() and | ||
| 88 | * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of | ||
| 89 | * having a the macro work as an expression by bundling an "err_instr". So; | ||
| 90 | * | ||
| 91 | * if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx, | ||
| 92 | * dsa->method_mont_p)) goto err; | ||
| 93 | * | ||
| 94 | * can be replaced by; | ||
| 95 | * | ||
| 96 | * DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx, | ||
| 97 | * dsa->method_mont_p); | ||
| 98 | */ | ||
| 99 | |||
| 100 | #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ | ||
| 101 | do { \ | ||
| 102 | int _tmp_res53; \ | ||
| 103 | if ((dsa)->meth->dsa_mod_exp) \ | ||
| 104 | _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), \ | ||
| 105 | (a1), (p1), (a2), (p2), (m), (ctx), (in_mont)); \ | ||
| 106 | else \ | ||
| 107 | _tmp_res53 = BN_mod_exp2_mont((rr), (a1), \ | ||
| 108 | (p1), (a2), (p2), (m), (ctx), (in_mont)); \ | ||
| 109 | if (!_tmp_res53) \ | ||
| 110 | err_instr; \ | ||
| 111 | } while(0) | ||
| 112 | |||
| 113 | #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ | ||
| 114 | do { \ | ||
| 115 | int _tmp_res53; \ | ||
| 116 | if ((dsa)->meth->bn_mod_exp) \ | ||
| 117 | _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), \ | ||
| 118 | (a), (p), (m), (ctx), (m_ctx)); \ | ||
| 119 | else \ | ||
| 120 | _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), \ | ||
| 121 | (ctx), (m_ctx)); \ | ||
| 122 | if (!_tmp_res53) \ | ||
| 123 | err_instr; \ | ||
| 124 | } while(0) | ||
| 125 | |||
| 126 | const DSA_METHOD * | 86 | const DSA_METHOD * |
| 127 | DSA_OpenSSL(void) | 87 | DSA_OpenSSL(void) |
| 128 | { | 88 | { |
| @@ -222,7 +182,7 @@ static int | |||
| 222 | dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | 182 | dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) |
| 223 | { | 183 | { |
| 224 | BN_CTX *ctx; | 184 | BN_CTX *ctx; |
| 225 | BIGNUM k, kq, *K, *kinv = NULL, *r = NULL; | 185 | BIGNUM k, *kinv = NULL, *r = NULL; |
| 226 | int ret = 0; | 186 | int ret = 0; |
| 227 | 187 | ||
| 228 | if (!dsa->p || !dsa->q || !dsa->g) { | 188 | if (!dsa->p || !dsa->q || !dsa->g) { |
| @@ -231,7 +191,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 231 | } | 191 | } |
| 232 | 192 | ||
| 233 | BN_init(&k); | 193 | BN_init(&k); |
| 234 | BN_init(&kq); | ||
| 235 | 194 | ||
| 236 | if (ctx_in == NULL) { | 195 | if (ctx_in == NULL) { |
| 237 | if ((ctx = BN_CTX_new()) == NULL) | 196 | if ((ctx = BN_CTX_new()) == NULL) |
| @@ -248,6 +207,8 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 248 | goto err; | 207 | goto err; |
| 249 | } while (BN_is_zero(&k)); | 208 | } while (BN_is_zero(&k)); |
| 250 | 209 | ||
| 210 | BN_set_flags(&k, BN_FLG_CONSTTIME); | ||
| 211 | |||
| 251 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { | 212 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { |
| 252 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, | 213 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, |
| 253 | CRYPTO_LOCK_DSA, dsa->p, ctx)) | 214 | CRYPTO_LOCK_DSA, dsa->p, ctx)) |
| @@ -256,37 +217,31 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 256 | 217 | ||
| 257 | /* Compute r = (g^k mod p) mod q */ | 218 | /* Compute r = (g^k mod p) mod q */ |
| 258 | 219 | ||
| 259 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | 220 | /* |
| 260 | if (!BN_copy(&kq, &k)) | 221 | * We do not want timing information to leak the length of k, |
| 261 | goto err; | 222 | * so we compute g^k using an equivalent exponent of fixed |
| 262 | 223 | * length. | |
| 263 | /* | 224 | * |
| 264 | * We do not want timing information to leak the length of k, | 225 | * (This is a kludge that we need because the BN_mod_exp_mont() |
| 265 | * so we compute g^k using an equivalent exponent of fixed | 226 | * does not let us specify the desired timing behaviour.) |
| 266 | * length. | 227 | */ |
| 267 | * | ||
| 268 | * (This is a kludge that we need because the BN_mod_exp_mont() | ||
| 269 | * does not let us specify the desired timing behaviour.) | ||
| 270 | */ | ||
| 271 | 228 | ||
| 272 | if (!BN_add(&kq, &kq, dsa->q)) | 229 | if (!BN_add(&k, &k, dsa->q)) |
| 230 | goto err; | ||
| 231 | if (BN_num_bits(&k) <= BN_num_bits(dsa->q)) { | ||
| 232 | if (!BN_add(&k, &k, dsa->q)) | ||
| 273 | goto err; | 233 | goto err; |
| 274 | if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) { | ||
| 275 | if (!BN_add(&kq, &kq, dsa->q)) | ||
| 276 | goto err; | ||
| 277 | } | ||
| 278 | |||
| 279 | K = &kq; | ||
| 280 | } else { | ||
| 281 | K = &k; | ||
| 282 | } | 234 | } |
| 283 | 235 | ||
| 284 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | 236 | if (dsa->meth->bn_mod_exp != NULL) { |
| 285 | BN_set_flags(K, BN_FLG_CONSTTIME); | 237 | if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, &k, dsa->p, ctx, |
| 238 | dsa->method_mont_p)) | ||
| 239 | goto err; | ||
| 240 | } else { | ||
| 241 | if (!BN_mod_exp_mont(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p)) | ||
| 242 | goto err; | ||
| 286 | } | 243 | } |
| 287 | 244 | ||
| 288 | DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, | ||
| 289 | dsa->method_mont_p); | ||
| 290 | if (!BN_mod(r,r,dsa->q,ctx)) | 245 | if (!BN_mod(r,r,dsa->q,ctx)) |
| 291 | goto err; | 246 | goto err; |
| 292 | 247 | ||
| @@ -308,7 +263,6 @@ err: | |||
| 308 | if (ctx_in == NULL) | 263 | if (ctx_in == NULL) |
| 309 | BN_CTX_free(ctx); | 264 | BN_CTX_free(ctx); |
| 310 | BN_clear_free(&k); | 265 | BN_clear_free(&k); |
| 311 | BN_clear_free(&kq); | ||
| 312 | return ret; | 266 | return ret; |
| 313 | } | 267 | } |
| 314 | 268 | ||
| @@ -386,8 +340,16 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) | |||
| 386 | goto err; | 340 | goto err; |
| 387 | } | 341 | } |
| 388 | 342 | ||
| 389 | DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, | 343 | if (dsa->meth->dsa_mod_exp != NULL) { |
| 390 | ctx, mont); | 344 | if (!dsa->meth->dsa_mod_exp(dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, |
| 345 | dsa->p, ctx, mont)) | ||
| 346 | goto err; | ||
| 347 | } else { | ||
| 348 | if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, | ||
| 349 | mont)) | ||
| 350 | goto err; | ||
| 351 | } | ||
| 352 | |||
| 391 | /* BN_copy(&u1,&t1); */ | 353 | /* BN_copy(&u1,&t1); */ |
| 392 | /* let u1 = u1 mod q */ | 354 | /* let u1 = u1 mod q */ |
| 393 | if (!BN_mod(&u1, &t1, dsa->q, ctx)) | 355 | if (!BN_mod(&u1, &t1, dsa->q, ctx)) |
diff --git a/src/lib/libssl/src/crypto/dsa/dsa.h b/src/lib/libssl/src/crypto/dsa/dsa.h index 7fbaa29464..f7f81cfa94 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa.h +++ b/src/lib/libssl/src/crypto/dsa/dsa.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa.h,v 1.19 2015/10/13 12:31:06 jsing Exp $ */ | 1 | /* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -89,12 +89,8 @@ | |||
| 89 | #endif | 89 | #endif |
| 90 | 90 | ||
| 91 | #define DSA_FLAG_CACHE_MONT_P 0x01 | 91 | #define DSA_FLAG_CACHE_MONT_P 0x01 |
| 92 | #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA | 92 | #define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this switched off |
| 93 | * implementation now uses constant time | 93 | * constant time behaviour. |
| 94 | * modular exponentiation for secret exponents | ||
| 95 | * by default. This flag causes the | ||
| 96 | * faster variable sliding window method to | ||
| 97 | * be used for all exponents. | ||
| 98 | */ | 94 | */ |
| 99 | 95 | ||
| 100 | /* If this flag is set the DSA method is FIPS compliant and can be used | 96 | /* If this flag is set the DSA method is FIPS compliant and can be used |
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c b/src/lib/libssl/src/crypto/dsa/dsa_key.c index eaf6da8de7..4732c471ed 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_key.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_key.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa_key.c,v 1.20 2014/10/18 17:20:40 jsing Exp $ */ | 1 | /* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -104,18 +104,18 @@ dsa_builtin_keygen(DSA *dsa) | |||
| 104 | pub_key=dsa->pub_key; | 104 | pub_key=dsa->pub_key; |
| 105 | 105 | ||
| 106 | { | 106 | { |
| 107 | BIGNUM local_prk; | 107 | BIGNUM *prk = BN_new(); |
| 108 | BIGNUM *prk; | ||
| 109 | 108 | ||
| 110 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | 109 | if (prk == NULL) |
| 111 | BN_init(&local_prk); | 110 | goto err; |
| 112 | prk = &local_prk; | 111 | |
| 113 | BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); | 112 | BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); |
| 114 | } else | ||
| 115 | prk = priv_key; | ||
| 116 | 113 | ||
| 117 | if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) | 114 | if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { |
| 115 | BN_free(prk); | ||
| 118 | goto err; | 116 | goto err; |
| 117 | } | ||
| 118 | BN_free(prk); | ||
| 119 | } | 119 | } |
| 120 | 120 | ||
| 121 | dsa->priv_key = priv_key; | 121 | dsa->priv_key = priv_key; |
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c index 7e1d494ff3..a28d3e9d1a 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa_ossl.c,v 1.25 2016/06/06 23:37:37 tedu Exp $ */ | 1 | /* $OpenBSD: dsa_ossl.c,v 1.26 2016/06/21 04:16:53 bcook Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -83,46 +83,6 @@ static DSA_METHOD openssl_dsa_meth = { | |||
| 83 | .finish = dsa_finish | 83 | .finish = dsa_finish |
| 84 | }; | 84 | }; |
| 85 | 85 | ||
| 86 | /* | ||
| 87 | * These macro wrappers replace attempts to use the dsa_mod_exp() and | ||
| 88 | * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of | ||
| 89 | * having a the macro work as an expression by bundling an "err_instr". So; | ||
| 90 | * | ||
| 91 | * if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx, | ||
| 92 | * dsa->method_mont_p)) goto err; | ||
| 93 | * | ||
| 94 | * can be replaced by; | ||
| 95 | * | ||
| 96 | * DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx, | ||
| 97 | * dsa->method_mont_p); | ||
| 98 | */ | ||
| 99 | |||
| 100 | #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ | ||
| 101 | do { \ | ||
| 102 | int _tmp_res53; \ | ||
| 103 | if ((dsa)->meth->dsa_mod_exp) \ | ||
| 104 | _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), \ | ||
| 105 | (a1), (p1), (a2), (p2), (m), (ctx), (in_mont)); \ | ||
| 106 | else \ | ||
| 107 | _tmp_res53 = BN_mod_exp2_mont((rr), (a1), \ | ||
| 108 | (p1), (a2), (p2), (m), (ctx), (in_mont)); \ | ||
| 109 | if (!_tmp_res53) \ | ||
| 110 | err_instr; \ | ||
| 111 | } while(0) | ||
| 112 | |||
| 113 | #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ | ||
| 114 | do { \ | ||
| 115 | int _tmp_res53; \ | ||
| 116 | if ((dsa)->meth->bn_mod_exp) \ | ||
| 117 | _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), \ | ||
| 118 | (a), (p), (m), (ctx), (m_ctx)); \ | ||
| 119 | else \ | ||
| 120 | _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), \ | ||
| 121 | (ctx), (m_ctx)); \ | ||
| 122 | if (!_tmp_res53) \ | ||
| 123 | err_instr; \ | ||
| 124 | } while(0) | ||
| 125 | |||
| 126 | const DSA_METHOD * | 86 | const DSA_METHOD * |
| 127 | DSA_OpenSSL(void) | 87 | DSA_OpenSSL(void) |
| 128 | { | 88 | { |
| @@ -222,7 +182,7 @@ static int | |||
| 222 | dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | 182 | dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) |
| 223 | { | 183 | { |
| 224 | BN_CTX *ctx; | 184 | BN_CTX *ctx; |
| 225 | BIGNUM k, kq, *K, *kinv = NULL, *r = NULL; | 185 | BIGNUM k, *kinv = NULL, *r = NULL; |
| 226 | int ret = 0; | 186 | int ret = 0; |
| 227 | 187 | ||
| 228 | if (!dsa->p || !dsa->q || !dsa->g) { | 188 | if (!dsa->p || !dsa->q || !dsa->g) { |
| @@ -231,7 +191,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 231 | } | 191 | } |
| 232 | 192 | ||
| 233 | BN_init(&k); | 193 | BN_init(&k); |
| 234 | BN_init(&kq); | ||
| 235 | 194 | ||
| 236 | if (ctx_in == NULL) { | 195 | if (ctx_in == NULL) { |
| 237 | if ((ctx = BN_CTX_new()) == NULL) | 196 | if ((ctx = BN_CTX_new()) == NULL) |
| @@ -248,6 +207,8 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 248 | goto err; | 207 | goto err; |
| 249 | } while (BN_is_zero(&k)); | 208 | } while (BN_is_zero(&k)); |
| 250 | 209 | ||
| 210 | BN_set_flags(&k, BN_FLG_CONSTTIME); | ||
| 211 | |||
| 251 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { | 212 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { |
| 252 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, | 213 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, |
| 253 | CRYPTO_LOCK_DSA, dsa->p, ctx)) | 214 | CRYPTO_LOCK_DSA, dsa->p, ctx)) |
| @@ -256,37 +217,31 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 256 | 217 | ||
| 257 | /* Compute r = (g^k mod p) mod q */ | 218 | /* Compute r = (g^k mod p) mod q */ |
| 258 | 219 | ||
| 259 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | 220 | /* |
| 260 | if (!BN_copy(&kq, &k)) | 221 | * We do not want timing information to leak the length of k, |
| 261 | goto err; | 222 | * so we compute g^k using an equivalent exponent of fixed |
| 262 | 223 | * length. | |
| 263 | /* | 224 | * |
| 264 | * We do not want timing information to leak the length of k, | 225 | * (This is a kludge that we need because the BN_mod_exp_mont() |
| 265 | * so we compute g^k using an equivalent exponent of fixed | 226 | * does not let us specify the desired timing behaviour.) |
| 266 | * length. | 227 | */ |
| 267 | * | ||
| 268 | * (This is a kludge that we need because the BN_mod_exp_mont() | ||
| 269 | * does not let us specify the desired timing behaviour.) | ||
| 270 | */ | ||
| 271 | 228 | ||
| 272 | if (!BN_add(&kq, &kq, dsa->q)) | 229 | if (!BN_add(&k, &k, dsa->q)) |
| 230 | goto err; | ||
| 231 | if (BN_num_bits(&k) <= BN_num_bits(dsa->q)) { | ||
| 232 | if (!BN_add(&k, &k, dsa->q)) | ||
| 273 | goto err; | 233 | goto err; |
| 274 | if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) { | ||
| 275 | if (!BN_add(&kq, &kq, dsa->q)) | ||
| 276 | goto err; | ||
| 277 | } | ||
| 278 | |||
| 279 | K = &kq; | ||
| 280 | } else { | ||
| 281 | K = &k; | ||
| 282 | } | 234 | } |
| 283 | 235 | ||
| 284 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | 236 | if (dsa->meth->bn_mod_exp != NULL) { |
| 285 | BN_set_flags(K, BN_FLG_CONSTTIME); | 237 | if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, &k, dsa->p, ctx, |
| 238 | dsa->method_mont_p)) | ||
| 239 | goto err; | ||
| 240 | } else { | ||
| 241 | if (!BN_mod_exp_mont(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p)) | ||
| 242 | goto err; | ||
| 286 | } | 243 | } |
| 287 | 244 | ||
| 288 | DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, | ||
| 289 | dsa->method_mont_p); | ||
| 290 | if (!BN_mod(r,r,dsa->q,ctx)) | 245 | if (!BN_mod(r,r,dsa->q,ctx)) |
| 291 | goto err; | 246 | goto err; |
| 292 | 247 | ||
| @@ -308,7 +263,6 @@ err: | |||
| 308 | if (ctx_in == NULL) | 263 | if (ctx_in == NULL) |
| 309 | BN_CTX_free(ctx); | 264 | BN_CTX_free(ctx); |
| 310 | BN_clear_free(&k); | 265 | BN_clear_free(&k); |
| 311 | BN_clear_free(&kq); | ||
| 312 | return ret; | 266 | return ret; |
| 313 | } | 267 | } |
| 314 | 268 | ||
| @@ -386,8 +340,16 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) | |||
| 386 | goto err; | 340 | goto err; |
| 387 | } | 341 | } |
| 388 | 342 | ||
| 389 | DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, | 343 | if (dsa->meth->dsa_mod_exp != NULL) { |
| 390 | ctx, mont); | 344 | if (!dsa->meth->dsa_mod_exp(dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, |
| 345 | dsa->p, ctx, mont)) | ||
| 346 | goto err; | ||
| 347 | } else { | ||
| 348 | if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, | ||
| 349 | mont)) | ||
| 350 | goto err; | ||
| 351 | } | ||
| 352 | |||
| 391 | /* BN_copy(&u1,&t1); */ | 353 | /* BN_copy(&u1,&t1); */ |
| 392 | /* let u1 = u1 mod q */ | 354 | /* let u1 = u1 mod q */ |
| 393 | if (!BN_mod(&u1, &t1, dsa->q, ctx)) | 355 | if (!BN_mod(&u1, &t1, dsa->q, ctx)) |