提交 0ebfcc8f 编写于 作者: B Bodo Möller

make sure DSA signing exponentiations really are constant-time

上级 c61f571c
...@@ -803,6 +803,13 @@ ...@@ -803,6 +803,13 @@
Changes between 0.9.7g and 0.9.7h [XX xxx XXXX] Changes between 0.9.7g and 0.9.7h [XX xxx XXXX]
*) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
the exponentiation using a fixed-length exponent. (Otherwise,
the information leaked through timing could expose the secret key
after many signatures; cf. Bleichenbacher's attack on DSA with
biased k.)
[Bodo Moeller]
*) Make a new fixed-window mod_exp implementation the default for *) Make a new fixed-window mod_exp implementation the default for
RSA, DSA, and DH private-key operations so that the sequence of RSA, DSA, and DH private-key operations so that the sequence of
squares and multiplies and the memory access pattern are squares and multiplies and the memory access pattern are
......
...@@ -202,7 +202,7 @@ err: ...@@ -202,7 +202,7 @@ err:
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{ {
BN_CTX *ctx; BN_CTX *ctx;
BIGNUM k,*kinv=NULL,*r=NULL; BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
int ret=0; int ret=0;
if (!dsa->p || !dsa->q || !dsa->g) if (!dsa->p || !dsa->q || !dsa->g)
...@@ -212,6 +212,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) ...@@ -212,6 +212,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
} }
BN_init(&k); BN_init(&k);
BN_init(&kq);
if (ctx_in == NULL) if (ctx_in == NULL)
{ {
...@@ -221,7 +222,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) ...@@ -221,7 +222,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
ctx=ctx_in; ctx=ctx_in;
if ((r=BN_new()) == NULL) goto err; if ((r=BN_new()) == NULL) goto err;
kinv=NULL;
/* Get random k */ /* Get random k */
do do
...@@ -241,7 +241,30 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) ...@@ -241,7 +241,30 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
} }
/* Compute r = (g^k mod p) mod q */ /* Compute r = (g^k mod p) mod q */
DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
{
if (!BN_copy(&kq, &k)) goto err;
/* We do not want timing information to leak the length of k,
* so we compute g^k using an equivalent exponent of fixed length.
*
* (This is a kludge that we need because the BN_mod_exp_mont()
* does not let us specify the desired timing behaviour.) */
if (!BN_add(&kq, &kq, dsa->q)) goto err;
if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
{
if (!BN_add(&kq, &kq, dsa->q)) goto err;
}
K = &kq;
}
else
{
K = &k;
}
DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
dsa->method_mont_p); dsa->method_mont_p);
if (!BN_mod(r,r,dsa->q,ctx)) goto err; if (!BN_mod(r,r,dsa->q,ctx)) goto err;
...@@ -264,6 +287,7 @@ err: ...@@ -264,6 +287,7 @@ err:
if (ctx_in == NULL) BN_CTX_free(ctx); if (ctx_in == NULL) BN_CTX_free(ctx);
if (kinv != NULL) BN_clear_free(kinv); if (kinv != NULL) BN_clear_free(kinv);
BN_clear_free(&k); BN_clear_free(&k);
BN_clear_free(&kq);
return(ret); return(ret);
} }
......
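Review bot: The second `BN_add` in the new constant-time branch is still guarded by a secret-dependent condition, `if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))`, so whether one or two additions run — and the word length of the intermediate `kq` — varies with the nonce k; the exponent handed to `DSA_BN_MOD_EXP` does end up with a fixed bit length either way, but the selection itself is observable through timing, which is the class of leak this change sets out to remove. Computing both `k+q` and `k+2q` unconditionally and picking one with a mask-based select instead of a branch would close that gap (whether this BN version already offers such a helper cannot be seen from the hunk). It would also help to record the invariant the padding relies on in the comment above the test, e.g. `/* k < q, so k+q or k+2q has exactly BN_num_bits(q)+1 bits */`. dsa_sign_setup begins before this hunk and its err: cleanup, where `kq` is cleared, is in the following one.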