|
|
8dd812 |
From e94ab6b703ee50ea020565e1b8729a9b1d524d84 Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Mon, 29 Jul 2019 14:00:30 +0200
|
|
|
8dd812 |
Subject: [PATCH 1/6] nettle: add functions for deterministic ECDSA/DSA
|
|
|
8dd812 |
|
|
|
8dd812 |
This adds functions to perform deterministic ECDSA/DSA, namely
|
|
|
8dd812 |
_gnutls_{ecdsa,dsa}_compute_k(), which computes the k value according
|
|
|
8dd812 |
to RFC 6979. The retrieved k value can be given to
|
|
|
8dd812 |
nettle_{ecdsa,dsa}_sign() through a wrapper random function.
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
lib/nettle/Makefile.am | 5 +-
|
|
|
8dd812 |
lib/nettle/int/dsa-compute-k.c | 209 +++++++++++++++++++++++++++++++
|
|
|
8dd812 |
lib/nettle/int/dsa-compute-k.h | 37 ++++++
|
|
|
8dd812 |
lib/nettle/int/ecdsa-compute-k.c | 95 ++++++++++++++
|
|
|
8dd812 |
lib/nettle/int/ecdsa-compute-k.h | 37 ++++++
|
|
|
8dd812 |
lib/nettle/int/mpn-base256.c | 97 ++++++++++++++
|
|
|
8dd812 |
lib/nettle/int/mpn-base256.h | 48 +++++++
|
|
|
8dd812 |
7 files changed, 527 insertions(+), 1 deletion(-)
|
|
|
8dd812 |
create mode 100644 lib/nettle/int/dsa-compute-k.c
|
|
|
8dd812 |
create mode 100644 lib/nettle/int/dsa-compute-k.h
|
|
|
8dd812 |
create mode 100644 lib/nettle/int/ecdsa-compute-k.c
|
|
|
8dd812 |
create mode 100644 lib/nettle/int/ecdsa-compute-k.h
|
|
|
8dd812 |
create mode 100644 lib/nettle/int/mpn-base256.c
|
|
|
8dd812 |
create mode 100644 lib/nettle/int/mpn-base256.h
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am
|
|
|
8dd812 |
index 1c60d3244..bd9dd753a 100644
|
|
|
8dd812 |
--- a/lib/nettle/Makefile.am
|
|
|
8dd812 |
+++ b/lib/nettle/Makefile.am
|
|
|
8dd812 |
@@ -45,7 +45,10 @@ libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c init.c \
|
|
|
8dd812 |
backport/xts.c backport/xts.h \
|
|
|
8dd812 |
rnd.c int/rsa-fips.h int/rsa-keygen-fips186.c int/provable-prime.c \
|
|
|
8dd812 |
int/dsa-fips.h int/dsa-keygen-fips186.c int/dsa-validate.c \
|
|
|
8dd812 |
- int/tls1-prf.c int/tls1-prf.h
|
|
|
8dd812 |
+ int/tls1-prf.c int/tls1-prf.h \
|
|
|
8dd812 |
+ int/dsa-compute-k.c int/dsa-compute-k.h \
|
|
|
8dd812 |
+ int/ecdsa-compute-k.c int/ecdsa-compute-k.h \
|
|
|
8dd812 |
+ int/mpn-base256.c int/mpn-base256.h
|
|
|
8dd812 |
|
|
|
8dd812 |
if WINDOWS
|
|
|
8dd812 |
libcrypto_la_SOURCES += sysrng-windows.c
|
|
|
8dd812 |
diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
|
|
|
8dd812 |
new file mode 100644
|
|
|
8dd812 |
index 000000000..17d63318c
|
|
|
8dd812 |
--- /dev/null
|
|
|
8dd812 |
+++ b/lib/nettle/int/dsa-compute-k.c
|
|
|
8dd812 |
@@ -0,0 +1,209 @@
|
|
|
8dd812 |
+/*
|
|
|
8dd812 |
+ * Copyright (C) 2019 Red Hat, Inc.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * Author: Daiki Ueno
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This file is part of GNUTLS.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * The GNUTLS library is free software; you can redistribute it and/or
|
|
|
8dd812 |
+ * modify it under the terms of the GNU Lesser General Public License
|
|
|
8dd812 |
+ * as published by the Free Software Foundation; either version 2.1 of
|
|
|
8dd812 |
+ * the License, or (at your option) any later version.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This library is distributed in the hope that it will be useful, but
|
|
|
8dd812 |
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
8dd812 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
8dd812 |
+ * Lesser General Public License for more details.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * You should have received a copy of the GNU Lesser General Public License
|
|
|
8dd812 |
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ */
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#if HAVE_CONFIG_H
|
|
|
8dd812 |
+# include "config.h"
|
|
|
8dd812 |
+#endif
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include "dsa-compute-k.h"
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include "gnutls_int.h"
|
|
|
8dd812 |
+#include "mem.h"
|
|
|
8dd812 |
+#include "mpn-base256.h"
|
|
|
8dd812 |
+#include <string.h>
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+/* The maximum size of q, choosen from the fact that we support
|
|
|
8dd812 |
+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
|
|
|
8dd812 |
+ * maximum. */
|
|
|
8dd812 |
+#define MAX_Q_BITS 521
|
|
|
8dd812 |
+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
|
|
|
8dd812 |
+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
|
|
|
8dd812 |
+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+int
|
|
|
8dd812 |
+_gnutls_dsa_compute_k(mpz_t k,
|
|
|
8dd812 |
+ const mpz_t q,
|
|
|
8dd812 |
+ const mpz_t x,
|
|
|
8dd812 |
+ gnutls_mac_algorithm_t mac,
|
|
|
8dd812 |
+ const uint8_t *digest,
|
|
|
8dd812 |
+ size_t length)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ uint8_t V[MAX_HASH_SIZE];
|
|
|
8dd812 |
+ uint8_t K[MAX_HASH_SIZE];
|
|
|
8dd812 |
+ uint8_t xp[MAX_Q_SIZE];
|
|
|
8dd812 |
+ uint8_t tp[MAX_Q_SIZE];
|
|
|
8dd812 |
+ mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
|
|
|
8dd812 |
+ mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
|
|
|
8dd812 |
+ mp_size_t qn = mpz_size(q);
|
|
|
8dd812 |
+ mp_bitcnt_t h_bits = length * 8;
|
|
|
8dd812 |
+ mp_size_t hn = BITS_TO_LIMBS(h_bits);
|
|
|
8dd812 |
+ size_t nbytes = (q_bits + 7) / 8;
|
|
|
8dd812 |
+ const uint8_t c0 = 0x00;
|
|
|
8dd812 |
+ const uint8_t c1 = 0x01;
|
|
|
8dd812 |
+ mp_limb_t cy;
|
|
|
8dd812 |
+ gnutls_hmac_hd_t hd;
|
|
|
8dd812 |
+ int ret = 0;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ if (unlikely(q_bits > MAX_Q_BITS))
|
|
|
8dd812 |
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
|
8dd812 |
+ if (unlikely(length > MAX_HASH_SIZE))
|
|
|
8dd812 |
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* int2octets(x) */
|
|
|
8dd812 |
+ mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* bits2octets(h) */
|
|
|
8dd812 |
+ mpn_set_base256(h, hn, digest, length);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ if (hn < qn)
|
|
|
8dd812 |
+ /* qlen > blen: add zero bits to the left */
|
|
|
8dd812 |
+ mpn_zero(&h[hn], qn - hn);
|
|
|
8dd812 |
+ else if (h_bits > q_bits) {
|
|
|
8dd812 |
+ /* qlen < blen: keep the leftmost qlen bits. We do this in 2
|
|
|
8dd812 |
+ * steps because mpn_rshift only accepts shift count in the
|
|
|
8dd812 |
+ * range 1 to mp_bits_per_limb-1.
|
|
|
8dd812 |
+ */
|
|
|
8dd812 |
+ mp_bitcnt_t shift = h_bits - q_bits;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ if (shift / GMP_NUMB_BITS > 0) {
|
|
|
8dd812 |
+ mpn_copyi(h, &h[shift / GMP_NUMB_BITS], qn);
|
|
|
8dd812 |
+ hn -= shift / GMP_NUMB_BITS;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ if (shift % GMP_NUMB_BITS > 0)
|
|
|
8dd812 |
+ mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
|
|
|
8dd812 |
+ /* Fall back to addmul_1, if nettle is linked with mini-gmp. */
|
|
|
8dd812 |
+#ifdef mpn_cnd_add_n
|
|
|
8dd812 |
+ mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
|
|
|
8dd812 |
+#else
|
|
|
8dd812 |
+ mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
|
|
|
8dd812 |
+#endif
|
|
|
8dd812 |
+ mpn_get_base256(tp, nbytes, h, qn);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step b */
|
|
|
8dd812 |
+ memset(V, c1, length);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step c */
|
|
|
8dd812 |
+ memset(K, c0, length);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step d */
|
|
|
8dd812 |
+ ret = gnutls_hmac_init(&hd, mac, K, length);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, V, length);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, &c0, 1);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, xp, nbytes);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, tp, nbytes);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ gnutls_hmac_deinit(hd, K);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step e */
|
|
|
8dd812 |
+ ret = gnutls_hmac_fast(mac, K, length, V, length, V);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step f */
|
|
|
8dd812 |
+ ret = gnutls_hmac_init(&hd, mac, K, length);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, V, length);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, &c1, 1);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, xp, nbytes);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, tp, nbytes);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ gnutls_hmac_deinit(hd, K);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step g */
|
|
|
8dd812 |
+ ret = gnutls_hmac_fast(mac, K, length, V, length, V);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step h */
|
|
|
8dd812 |
+ for (;;) {
|
|
|
8dd812 |
+ /* Step 1 */
|
|
|
8dd812 |
+ size_t tlen = 0;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step 2 */
|
|
|
8dd812 |
+ while (tlen < nbytes) {
|
|
|
8dd812 |
+ size_t remaining = MIN(nbytes - tlen, length);
|
|
|
8dd812 |
+ ret = gnutls_hmac_fast(mac, K, length, V, length, V);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ memcpy (&tp[tlen], V, remaining);
|
|
|
8dd812 |
+ tlen += remaining;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* Step 3 */
|
|
|
8dd812 |
+ mpn_set_base256 (h, qn, tp, tlen);
|
|
|
8dd812 |
+ if (tlen * 8 > q_bits)
|
|
|
8dd812 |
+ mpn_rshift (h, h, qn, tlen * 8 - q_bits);
|
|
|
8dd812 |
+ /* Check if k is in [1,q-1] */
|
|
|
8dd812 |
+ if (!mpn_zero_p (h, qn) &&
|
|
|
8dd812 |
+ mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
|
|
|
8dd812 |
+ mpn_copyi(mpz_limbs_write(k, qn), h, qn);
|
|
|
8dd812 |
+ mpz_limbs_finish(k, qn);
|
|
|
8dd812 |
+ break;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = gnutls_hmac_init(&hd, mac, K, length);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, V, length);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ ret = gnutls_hmac(hd, &c0, 1);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ gnutls_hmac_deinit(hd, K);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = gnutls_hmac_fast(mac, K, length, V, length, V);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto out;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ out:
|
|
|
8dd812 |
+ zeroize_key(xp, sizeof(xp));
|
|
|
8dd812 |
+ zeroize_key(tp, sizeof(tp));
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ return ret;
|
|
|
8dd812 |
+}
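Review bot: `mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn)` reads qn limbs from x, but mpz_limbs_read() only guarantees mpz_size(x) limbs, so a private key that is numerically shorter than q (fewer limbs) turns int2octets(x) into an out-of-bounds read; since mpn_get_base256 zero-pads the high bytes, `mpn_get_base256(xp, nbytes, mpz_limbs_read(x), mpz_size(x));` is enough. The bits2octets truncation has a related size mismatch: `mpn_copyi(h, &h[shift / GMP_NUMB_BITS], qn)` moves qn limbs, but the mpn_rshift that follows operates on hn limbs, and after the subtraction hn can still be one larger than qn (when the partial-limb bits of q_bits and shift add up past GMP_NUMB_BITS), leaving a stale top limb feeding the shift; copying `hn - shift / GMP_NUMB_BITS` limbs keeps the two consistent, although for the q and hash sizes reachable today this appears not to trigger. Every `goto out` taken between a successful gnutls_hmac_init() and its gnutls_hmac_deinit() leaks hd, so those paths need a `gnutls_hmac_deinit(hd, NULL)` (or a dedicated cleanup label). At out only xp and tp are wiped, while K and V are derived from the private key and h holds k itself on success, so `zeroize_key(K, sizeof(K)); zeroize_key(V, sizeof(V)); zeroize_key(h, sizeof(h));` belong there too. Minor: "choosen" in the MAX_Q_BITS comment.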
|
|
|
8dd812 |
diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
|
|
|
8dd812 |
new file mode 100644
|
|
|
8dd812 |
index 000000000..64e90e0ca
|
|
|
8dd812 |
--- /dev/null
|
|
|
8dd812 |
+++ b/lib/nettle/int/dsa-compute-k.h
|
|
|
8dd812 |
@@ -0,0 +1,37 @@
|
|
|
8dd812 |
+/*
|
|
|
8dd812 |
+ * Copyright (C) 2019 Red Hat, Inc.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * Author: Daiki Ueno
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This file is part of GnuTLS.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * The GnuTLS is free software; you can redistribute it and/or
|
|
|
8dd812 |
+ * modify it under the terms of the GNU Lesser General Public License
|
|
|
8dd812 |
+ * as published by the Free Software Foundation; either version 2.1 of
|
|
|
8dd812 |
+ * the License, or (at your option) any later version.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This library is distributed in the hope that it will be useful, but
|
|
|
8dd812 |
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
8dd812 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
8dd812 |
+ * Lesser General Public License for more details.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * You should have received a copy of the GNU Lesser General Public License
|
|
|
8dd812 |
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ */
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#ifndef GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H
|
|
|
8dd812 |
+#define GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include <gnutls/gnutls.h>
|
|
|
8dd812 |
+#include <nettle/bignum.h> /* includes gmp.h */
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+int
|
|
|
8dd812 |
+_gnutls_dsa_compute_k(mpz_t k,
|
|
|
8dd812 |
+ const mpz_t q,
|
|
|
8dd812 |
+ const mpz_t x,
|
|
|
8dd812 |
+ gnutls_mac_algorithm_t mac,
|
|
|
8dd812 |
+ const uint8_t *digest,
|
|
|
8dd812 |
+ size_t length);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
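Review bot: The prototype of _gnutls_dsa_compute_k() carries no contract comment, and the same applies to _gnutls_ecdsa_compute_k() in ecdsa-compute-k.h: a reader cannot tell that k must be an initialized mpz_t that receives the result, that q is limited to 521 bits and length to MAX_HASH_SIZE (the implementation returns GNUTLS_E_INVALID_REQUEST beyond that), that a negative gnutls error code is returned on failure, or that mac is presumably expected to be the HMAC variant of the hash that produced digest, as RFC 6979 requires — that last point should be confirmed with the caller. A short block comment above the declaration would do, e.g. `/* Derive the RFC 6979 deterministic nonce k in [1, q-1] for DSA from the private key x, the subgroup order q and the message digest. k must be initialized by the caller; returns 0 or a negative error code. */`.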
|
|
|
8dd812 |
diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
|
|
|
8dd812 |
new file mode 100644
|
|
|
8dd812 |
index 000000000..94914ebdf
|
|
|
8dd812 |
--- /dev/null
|
|
|
8dd812 |
+++ b/lib/nettle/int/ecdsa-compute-k.c
|
|
|
8dd812 |
@@ -0,0 +1,95 @@
|
|
|
8dd812 |
+/*
|
|
|
8dd812 |
+ * Copyright (C) 2019 Red Hat, Inc.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * Author: Daiki Ueno
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This file is part of GNUTLS.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * The GNUTLS library is free software; you can redistribute it and/or
|
|
|
8dd812 |
+ * modify it under the terms of the GNU Lesser General Public License
|
|
|
8dd812 |
+ * as published by the Free Software Foundation; either version 2.1 of
|
|
|
8dd812 |
+ * the License, or (at your option) any later version.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This library is distributed in the hope that it will be useful, but
|
|
|
8dd812 |
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
8dd812 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
8dd812 |
+ * Lesser General Public License for more details.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * You should have received a copy of the GNU Lesser General Public License
|
|
|
8dd812 |
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ */
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#if HAVE_CONFIG_H
|
|
|
8dd812 |
+# include "config.h"
|
|
|
8dd812 |
+#endif
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include "ecdsa-compute-k.h"
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include "dsa-compute-k.h"
|
|
|
8dd812 |
+#include "gnutls_int.h"
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+static inline int
|
|
|
8dd812 |
+_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ switch (curve) {
|
|
|
8dd812 |
+#ifdef ENABLE_NON_SUITEB_CURVES
|
|
|
8dd812 |
+ case GNUTLS_ECC_CURVE_SECP192R1:
|
|
|
8dd812 |
+ mpz_init_set_str(*q,
|
|
|
8dd812 |
+ "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
|
|
|
8dd812 |
+ "146BC9B1B4D22831",
|
|
|
8dd812 |
+ 16);
|
|
|
8dd812 |
+ return 0;
|
|
|
8dd812 |
+ case GNUTLS_ECC_CURVE_SECP224R1:
|
|
|
8dd812 |
+ mpz_init_set_str(*q,
|
|
|
8dd812 |
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
|
|
|
8dd812 |
+ "E0B8F03E13DD29455C5C2A3D",
|
|
|
8dd812 |
+ 16);
|
|
|
8dd812 |
+ return 0;
|
|
|
8dd812 |
+#endif
|
|
|
8dd812 |
+ case GNUTLS_ECC_CURVE_SECP256R1:
|
|
|
8dd812 |
+ mpz_init_set_str(*q,
|
|
|
8dd812 |
+ "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
|
|
|
8dd812 |
+ "BCE6FAADA7179E84F3B9CAC2FC632551",
|
|
|
8dd812 |
+ 16);
|
|
|
8dd812 |
+ return 0;
|
|
|
8dd812 |
+ case GNUTLS_ECC_CURVE_SECP384R1:
|
|
|
8dd812 |
+ mpz_init_set_str(*q,
|
|
|
8dd812 |
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
|
8dd812 |
+ "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
|
|
|
8dd812 |
+ "581A0DB248B0A77AECEC196ACCC52973",
|
|
|
8dd812 |
+ 16);
|
|
|
8dd812 |
+ return 0;
|
|
|
8dd812 |
+ case GNUTLS_ECC_CURVE_SECP521R1:
|
|
|
8dd812 |
+ mpz_init_set_str(*q,
|
|
|
8dd812 |
+ "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
|
8dd812 |
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
|
|
8dd812 |
+ "FFA51868783BF2F966B7FCC0148F709A"
|
|
|
8dd812 |
+ "5D03BB5C9B8899C47AEBB6FB71E91386"
|
|
|
8dd812 |
+ "409",
|
|
|
8dd812 |
+ 16);
|
|
|
8dd812 |
+ return 0;
|
|
|
8dd812 |
+ default:
|
|
|
8dd812 |
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+}
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+int
|
|
|
8dd812 |
+_gnutls_ecdsa_compute_k (mpz_t k,
|
|
|
8dd812 |
+ gnutls_ecc_curve_t curve,
|
|
|
8dd812 |
+ const mpz_t x,
|
|
|
8dd812 |
+ gnutls_mac_algorithm_t mac,
|
|
|
8dd812 |
+ const uint8_t *digest,
|
|
|
8dd812 |
+ size_t length)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ mpz_t q;
|
|
|
8dd812 |
+ int ret;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ return gnutls_assert_val(ret);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
|
|
|
8dd812 |
+ mpz_clear(q);
|
|
|
8dd812 |
+ return ret;
|
|
|
8dd812 |
+}
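Review bot: _gnutls_ecc_curve_to_dsa_q() initializes *q only on the success path and hands ownership to the caller, but nothing states this; _gnutls_ecdsa_compute_k() does call mpz_clear(q) correctly, yet the next caller may not, so the helper deserves a comment such as `/* On success *q is initialized with the curve's group order and the caller must mpz_clear() it; on failure *q is left uninitialized. */`. The group orders are hand-transcribed hex strings with no indication of where they come from; a comment naming the source of each constant (the SEC 2 / FIPS 186-4 curve parameters) makes a transcription slip reviewable, and a test against the RFC 6979 vectors is the only runtime check that they match the curve nettle signs with. As a point of style, `_gnutls_ecdsa_compute_k (mpz_t k,` and `_gnutls_dsa_compute_k (k, q, ...` put a space before the parenthesis, unlike the rest of the new code. The wrapper also re-wraps an error that the helper already passed through gnutls_assert_val(), so the same failure is logged twice.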
|
|
|
8dd812 |
diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
|
|
|
8dd812 |
new file mode 100644
|
|
|
8dd812 |
index 000000000..7ca401d6e
|
|
|
8dd812 |
--- /dev/null
|
|
|
8dd812 |
+++ b/lib/nettle/int/ecdsa-compute-k.h
|
|
|
8dd812 |
@@ -0,0 +1,37 @@
|
|
|
8dd812 |
+/*
|
|
|
8dd812 |
+ * Copyright (C) 2019 Red Hat, Inc.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * Author: Daiki Ueno
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This file is part of GnuTLS.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * The GnuTLS is free software; you can redistribute it and/or
|
|
|
8dd812 |
+ * modify it under the terms of the GNU Lesser General Public License
|
|
|
8dd812 |
+ * as published by the Free Software Foundation; either version 2.1 of
|
|
|
8dd812 |
+ * the License, or (at your option) any later version.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This library is distributed in the hope that it will be useful, but
|
|
|
8dd812 |
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
8dd812 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
8dd812 |
+ * Lesser General Public License for more details.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * You should have received a copy of the GNU Lesser General Public License
|
|
|
8dd812 |
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ */
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#ifndef GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H
|
|
|
8dd812 |
+#define GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include <gnutls/gnutls.h>
|
|
|
8dd812 |
+#include <nettle/bignum.h> /* includes gmp.h */
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+int
|
|
|
8dd812 |
+_gnutls_ecdsa_compute_k (mpz_t k,
|
|
|
8dd812 |
+ gnutls_ecc_curve_t curve,
|
|
|
8dd812 |
+ const mpz_t x,
|
|
|
8dd812 |
+ gnutls_mac_algorithm_t mac,
|
|
|
8dd812 |
+ const uint8_t *digest,
|
|
|
8dd812 |
+ size_t length);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
|
|
|
8dd812 |
diff --git a/lib/nettle/int/mpn-base256.c b/lib/nettle/int/mpn-base256.c
|
|
|
8dd812 |
new file mode 100644
|
|
|
8dd812 |
index 000000000..88dd00bd2
|
|
|
8dd812 |
--- /dev/null
|
|
|
8dd812 |
+++ b/lib/nettle/int/mpn-base256.c
|
|
|
8dd812 |
@@ -0,0 +1,97 @@
|
|
|
8dd812 |
+/* gmp-glue.c
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ Copyright (C) 2013 Niels Möller
|
|
|
8dd812 |
+ Copyright (C) 2013 Red Hat
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ This file is part of GNU Nettle.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ GNU Nettle is free software: you can redistribute it and/or
|
|
|
8dd812 |
+ modify it under the terms of either:
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ * the GNU Lesser General Public License as published by the Free
|
|
|
8dd812 |
+ Software Foundation; either version 3 of the License, or (at your
|
|
|
8dd812 |
+ option) any later version.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ or
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ * the GNU General Public License as published by the Free
|
|
|
8dd812 |
+ Software Foundation; either version 2 of the License, or (at your
|
|
|
8dd812 |
+ option) any later version.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ or both in parallel, as here.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ GNU Nettle is distributed in the hope that it will be useful,
|
|
|
8dd812 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
8dd812 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
8dd812 |
+ General Public License for more details.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ You should have received copies of the GNU General Public License and
|
|
|
8dd812 |
+ the GNU Lesser General Public License along with this program. If
|
|
|
8dd812 |
+ not, see http://www.gnu.org/licenses/.
|
|
|
8dd812 |
+*/
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#if HAVE_CONFIG_H
|
|
|
8dd812 |
+# include "config.h"
|
|
|
8dd812 |
+#endif
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include "mpn-base256.h"
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+void
|
|
|
8dd812 |
+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn,
|
|
|
8dd812 |
+ const uint8_t *xp, size_t xn)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ size_t xi;
|
|
|
8dd812 |
+ mp_limb_t out;
|
|
|
8dd812 |
+ unsigned bits;
|
|
|
8dd812 |
+ for (xi = xn, out = bits = 0; xi > 0 && rn > 0; )
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ mp_limb_t in = xp[--xi];
|
|
|
8dd812 |
+ out |= (in << bits) & GMP_NUMB_MASK;
|
|
|
8dd812 |
+ bits += 8;
|
|
|
8dd812 |
+ if (bits >= GMP_NUMB_BITS)
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ *rp++ = out;
|
|
|
8dd812 |
+ rn--;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ bits -= GMP_NUMB_BITS;
|
|
|
8dd812 |
+ out = in >> (8 - bits);
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+ if (rn > 0)
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ *rp++ = out;
|
|
|
8dd812 |
+ if (--rn > 0)
|
|
|
8dd812 |
+ mpn_zero (rp, rn);
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+}
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+void
|
|
|
8dd812 |
+mpn_get_base256 (uint8_t *rp, size_t rn,
|
|
|
8dd812 |
+ const mp_limb_t *xp, mp_size_t xn)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ unsigned bits;
|
|
|
8dd812 |
+ mp_limb_t in;
|
|
|
8dd812 |
+ for (bits = in = 0; xn > 0 && rn > 0; )
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ if (bits >= 8)
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ rp[--rn] = in;
|
|
|
8dd812 |
+ in >>= 8;
|
|
|
8dd812 |
+ bits -= 8;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+ else
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ uint8_t old = in;
|
|
|
8dd812 |
+ in = *xp++;
|
|
|
8dd812 |
+ xn--;
|
|
|
8dd812 |
+ rp[--rn] = old | (in << bits);
|
|
|
8dd812 |
+ in >>= (8 - bits);
|
|
|
8dd812 |
+ bits += GMP_NUMB_BITS - 8;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+ while (rn > 0)
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ rp[--rn] = in;
|
|
|
8dd812 |
+ in >>= 8;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+}
|
|
|
8dd812 |
diff --git a/lib/nettle/int/mpn-base256.h b/lib/nettle/int/mpn-base256.h
|
|
|
8dd812 |
new file mode 100644
|
|
|
8dd812 |
index 000000000..b5ca4af03
|
|
|
8dd812 |
--- /dev/null
|
|
|
8dd812 |
+++ b/lib/nettle/int/mpn-base256.h
|
|
|
8dd812 |
@@ -0,0 +1,48 @@
|
|
|
8dd812 |
+/* gmp-glue.h
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ Copyright (C) 2013 Niels Möller
|
|
|
8dd812 |
+ Copyright (C) 2013 Red Hat
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ This file is part of GNU Nettle.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ GNU Nettle is free software: you can redistribute it and/or
|
|
|
8dd812 |
+ modify it under the terms of either:
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ * the GNU Lesser General Public License as published by the Free
|
|
|
8dd812 |
+ Software Foundation; either version 3 of the License, or (at your
|
|
|
8dd812 |
+ option) any later version.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ or
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ * the GNU General Public License as published by the Free
|
|
|
8dd812 |
+ Software Foundation; either version 2 of the License, or (at your
|
|
|
8dd812 |
+ option) any later version.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ or both in parallel, as here.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ GNU Nettle is distributed in the hope that it will be useful,
|
|
|
8dd812 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
8dd812 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
8dd812 |
+ General Public License for more details.
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ You should have received copies of the GNU General Public License and
|
|
|
8dd812 |
+ the GNU Lesser General Public License along with this program. If
|
|
|
8dd812 |
+ not, see http://www.gnu.org/licenses/.
|
|
|
8dd812 |
+*/
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#ifndef NETTLE_GMP_GLUE_H_INCLUDED
|
|
|
8dd812 |
+#define NETTLE_GMP_GLUE_H_INCLUDED
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include <nettle/bignum.h>
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+/* Like mpn_set_str, but always writes rn limbs. If input is larger,
|
|
|
8dd812 |
+ higher bits are ignored. */
|
|
|
8dd812 |
+void
|
|
|
8dd812 |
+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn,
|
|
|
8dd812 |
+ const uint8_t *xp, size_t xn);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+void
|
|
|
8dd812 |
+mpn_get_base256 (uint8_t *rp, size_t rn,
|
|
|
8dd812 |
+ const mp_limb_t *xp, mp_size_t xn);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#endif /* NETTLE_GMP_GLUE_H_INCLUDED */
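Review bot: The include guard NETTLE_GMP_GLUE_H_INCLUDED is nettle's own gmp-glue.h guard (the file comment still reads "gmp-glue.h", and mpn-base256.c likewise says "gmp-glue.c"), so if a copy of that nettle header ever lands in the same translation unit one of the two is silently skipped; a guard matching the new file name, `GNUTLS_LIB_NETTLE_INT_MPN_BASE256_H`, in the style of the other headers in this series, avoids that, and both file comments should name the actual files. mpn_set_base256 and mpn_get_base256 are exported under the bare `mpn_` prefix that GMP reserves — as far as I recall nettle sidesteps this by mapping them to _nettle_-prefixed names — so a `_gnutls_` prefix or an equivalent #define would keep them out of GMP's namespace, unless the library's symbol-visibility script already hides them (not visible here). mpn_get_base256 has no comment at all; one mirroring its sibling's, `/* Like mpn_get_str with base 256, but always writes rn bytes, zero-padding at the high end; if the input is larger, higher bytes are dropped. */`, would state its contract.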
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|
|
|
8dd812 |
|
|
|
8dd812 |
From f42d96451a654ccc3523b0a0086e18f19ba3fecc Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Mon, 29 Jul 2019 15:10:51 +0200
|
|
|
8dd812 |
Subject: [PATCH 2/6] privkey_sign_raw_data: remove unnecessary local variable
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
lib/privkey.c | 4 +---
|
|
|
8dd812 |
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/privkey.c b/lib/privkey.c
|
|
|
8dd812 |
index 8e353c5e5..2fee8777a 100644
|
|
|
8dd812 |
--- a/lib/privkey.c
|
|
|
8dd812 |
+++ b/lib/privkey.c
|
|
|
8dd812 |
@@ -1492,8 +1492,6 @@ privkey_sign_raw_data(gnutls_privkey_t key,
|
|
|
8dd812 |
0,
|
|
|
8dd812 |
data, signature);
|
|
|
8dd812 |
} else if (key->key.ext.sign_hash_func) {
|
|
|
8dd812 |
- unsigned int flags = 0;
|
|
|
8dd812 |
-
|
|
|
8dd812 |
if (se->pk == GNUTLS_PK_RSA) {
|
|
|
8dd812 |
se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW);
|
|
|
8dd812 |
assert(se != NULL);
|
|
|
8dd812 |
@@ -1502,7 +1500,7 @@ privkey_sign_raw_data(gnutls_privkey_t key,
|
|
|
8dd812 |
/* se may not be set here if we are doing legacy RSA */
|
|
|
8dd812 |
return key->key.ext.sign_hash_func(key, se->id,
|
|
|
8dd812 |
key->key.ext.userdata,
|
|
|
8dd812 |
- flags,
|
|
|
8dd812 |
+ 0,
|
|
|
8dd812 |
data, signature);
|
|
|
8dd812 |
} else {
|
|
|
8dd812 |
if (!PK_IS_OK_FOR_EXT2(se->pk))
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|
|
|
8dd812 |
|
|
|
8dd812 |
From 3dd0df9e1a499c7b31bf7b4a315e797d2195c1ba Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Wed, 7 Aug 2019 14:37:00 +0200
|
|
|
8dd812 |
Subject: [PATCH 3/6] privkey_sign_prehashed: remove unused argument
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
lib/privkey.c | 9 ++++-----
|
|
|
8dd812 |
1 file changed, 4 insertions(+), 5 deletions(-)
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/privkey.c b/lib/privkey.c
|
|
|
8dd812 |
index 2fee8777a..8683b4e20 100644
|
|
|
8dd812 |
--- a/lib/privkey.c
|
|
|
8dd812 |
+++ b/lib/privkey.c
|
|
|
8dd812 |
@@ -43,7 +43,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer,
|
|
|
8dd812 |
const gnutls_sign_entry_st *se,
|
|
|
8dd812 |
const gnutls_datum_t * hash_data,
|
|
|
8dd812 |
gnutls_datum_t * signature,
|
|
|
8dd812 |
- gnutls_x509_spki_st * params, unsigned flags);
|
|
|
8dd812 |
+ gnutls_x509_spki_st * params);
|
|
|
8dd812 |
|
|
|
8dd812 |
/**
|
|
|
8dd812 |
* gnutls_privkey_get_type:
|
|
|
8dd812 |
@@ -1253,7 +1253,7 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
|
|
|
8dd812 |
return ret;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
- return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms, flags);
|
|
|
8dd812 |
+ return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms);
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
int
|
|
|
8dd812 |
@@ -1377,7 +1377,7 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
|
|
|
8dd812 |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
|
8dd812 |
|
|
|
8dd812 |
return privkey_sign_prehashed(signer, se,
|
|
|
8dd812 |
- hash_data, signature, ¶ms, flags);
|
|
|
8dd812 |
+ hash_data, signature, ¶ms);
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
static int
|
|
|
8dd812 |
@@ -1385,8 +1385,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer,
|
|
|
8dd812 |
const gnutls_sign_entry_st *se,
|
|
|
8dd812 |
const gnutls_datum_t * hash_data,
|
|
|
8dd812 |
gnutls_datum_t * signature,
|
|
|
8dd812 |
- gnutls_x509_spki_st * params,
|
|
|
8dd812 |
- unsigned flags)
|
|
|
8dd812 |
+ gnutls_x509_spki_st * params)
|
|
|
8dd812 |
{
|
|
|
8dd812 |
int ret;
|
|
|
8dd812 |
gnutls_datum_t digest;
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|
|
|
8dd812 |
|
|
|
8dd812 |
From 8eb3a29336ea11f6b417ce7e25d53513509bdd87 Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Mon, 29 Jul 2019 14:01:11 +0200
|
|
|
8dd812 |
Subject: [PATCH 4/6] pk: implement deterministic ECDSA/DSA
|
|
|
8dd812 |
|
|
|
8dd812 |
This exposes the deterministic ECDSA/DSA functionality through the
|
|
|
8dd812 |
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
.gitignore | 1 +
|
|
|
8dd812 |
NEWS | 7 ++
|
|
|
8dd812 |
lib/crypto-backend.h | 16 ++-
|
|
|
8dd812 |
lib/includes/gnutls/abstract.h | 5 +-
|
|
|
8dd812 |
lib/nettle/pk.c | 54 +++++++-
|
|
|
8dd812 |
lib/privkey.c | 8 ++
|
|
|
8dd812 |
lib/x509/crq.c | 2 +
|
|
|
8dd812 |
lib/x509/pkcs7.c | 2 +
|
|
|
8dd812 |
lib/x509/sign.c | 2 +
|
|
|
8dd812 |
tests/Makefile.am | 2 +-
|
|
|
8dd812 |
tests/sign-verify-deterministic.c | 196 ++++++++++++++++++++++++++++++
|
|
|
8dd812 |
11 files changed, 290 insertions(+), 5 deletions(-)
|
|
|
8dd812 |
create mode 100644 tests/sign-verify-deterministic.c
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
|
|
|
8dd812 |
index 43124abaf..33eca6031 100644
|
|
|
8dd812 |
--- a/lib/crypto-backend.h
|
|
|
8dd812 |
+++ b/lib/crypto-backend.h
|
|
|
8dd812 |
@@ -187,6 +187,13 @@ typedef struct gnutls_x509_spki_st {
|
|
|
8dd812 |
/* if non-zero, the legacy value for PKCS#7 signatures will be
|
|
|
8dd812 |
* written for RSA signatures. */
|
|
|
8dd812 |
unsigned int legacy;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* the digest used by ECDSA/DSA */
|
|
|
8dd812 |
+ gnutls_digest_algorithm_t dsa_dig;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ /* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for
|
|
|
8dd812 |
+ * deterministic ECDSA/DSA */
|
|
|
8dd812 |
+ unsigned int flags;
|
|
|
8dd812 |
} gnutls_x509_spki_st;
|
|
|
8dd812 |
|
|
|
8dd812 |
#define GNUTLS_MAX_PK_PARAMS 16
|
|
|
8dd812 |
@@ -219,9 +226,16 @@ typedef struct {
|
|
|
8dd812 |
*/
|
|
|
8dd812 |
typedef enum {
|
|
|
8dd812 |
GNUTLS_PK_FLAG_NONE = 0,
|
|
|
8dd812 |
- GNUTLS_PK_FLAG_PROVABLE = 1
|
|
|
8dd812 |
+ GNUTLS_PK_FLAG_PROVABLE = 1,
|
|
|
8dd812 |
+ GNUTLS_PK_FLAG_REPRODUCIBLE = 2
|
|
|
8dd812 |
} gnutls_pk_flag_t;
|
|
|
8dd812 |
|
|
|
8dd812 |
+#define FIX_SIGN_PARAMS(params, flags, dig) do { \
|
|
|
8dd812 |
+ if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \
|
|
|
8dd812 |
+ (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \
|
|
|
8dd812 |
+ (params).dsa_dig = (dig); \
|
|
|
8dd812 |
+ } \
|
|
|
8dd812 |
+} while (0)
|
|
|
8dd812 |
|
|
|
8dd812 |
void gnutls_pk_params_release(gnutls_pk_params_st * p);
|
|
|
8dd812 |
void gnutls_pk_params_clear(gnutls_pk_params_st * p);
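Review bot: The macro parameter named `flags` is also the name of the struct member written as `(params).flags`, and macro substitution rewrites that member access too; the macro compiles only because every call site in this commit (lib/privkey.c, lib/x509/crq.c, pkcs7.c, sign.c) passes an argument literally spelled `flags`, and `FIX_SIGN_PARAMS(params, key_flags, dig)` would expand to `(params).key_flags` and fail to build. Renaming the parameter removes the trap: `#define FIX_SIGN_PARAMS(params, priv_flags, dig) do { \` and `if ((priv_flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \`. The revised version of the macro in the final patch on this page keeps the same parameter name and has the same issue.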
|
|
|
8dd812 |
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
|
|
|
8dd812 |
index d4b7da68b..d8805681a 100644
|
|
|
8dd812 |
--- a/lib/includes/gnutls/abstract.h
|
|
|
8dd812 |
+++ b/lib/includes/gnutls/abstract.h
|
|
|
8dd812 |
@@ -371,7 +371,10 @@ int gnutls_privkey_status(gnutls_privkey_t key);
|
|
|
8dd812 |
* gnutls_privkey_flags:
|
|
|
8dd812 |
* @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol.
|
|
|
8dd812 |
* @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding.
|
|
|
8dd812 |
- * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt).
|
|
|
8dd812 |
+ * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters.
|
|
|
8dd812 |
+ * For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic
|
|
|
8dd812 |
+ * construction of random parameter according to RFC 6979. Note that
|
|
|
8dd812 |
+ * this only supports the NIST curves and DSA subgroup bits up to 512.
|
|
|
8dd812 |
* @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically
|
|
|
8dd812 |
* release it when the structure it was imported is released.
|
|
|
8dd812 |
* @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import.
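Review bot: The new text keeps "on the hashed data" from the RSA-PSS entry, but lib/privkey.c in this commit applies the flag in gnutls_privkey_sign_data() and gnutls_privkey_sign_data2() as well as the prehashed variants, so the entry should say the flag is honoured by all signing entry points. It would also help callers to state what happens for a key outside the supported set (a non-NIST curve, DSA with q above 512 bits): from the lib/nettle/pk.c hunks in this commit the sign call appears to fail rather than silently fall back to a random nonce, and a caller relying on reproducibility needs to know that failure, not degradation, is the contract.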
|
|
|
8dd812 |
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
|
|
8dd812 |
index 08117c2d8..ebd6481cf 100644
|
|
|
8dd812 |
--- a/lib/nettle/pk.c
|
|
|
8dd812 |
+++ b/lib/nettle/pk.c
|
|
|
8dd812 |
@@ -54,6 +54,8 @@
|
|
|
8dd812 |
#include "gost/gostdsa.h"
|
|
|
8dd812 |
#include "gost/ecc-gost-curve.h"
|
|
|
8dd812 |
#endif
|
|
|
8dd812 |
+#include "int/ecdsa-compute-k.h"
|
|
|
8dd812 |
+#include "int/dsa-compute-k.h"
|
|
|
8dd812 |
#include <gnettle.h>
|
|
|
8dd812 |
#include <fips.h>
|
|
|
8dd812 |
|
|
|
8dd812 |
@@ -86,6 +88,12 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
|
|
|
8dd812 |
}
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ mpz_t *k = _ctx;
|
|
|
8dd812 |
+ nettle_mpz_get_str_256 (length, data, *k);
|
|
|
8dd812 |
+}
|
|
|
8dd812 |
+
|
|
|
8dd812 |
static void
|
|
|
8dd812 |
ecc_scalar_zclear (struct ecc_scalar *s)
|
|
|
8dd812 |
{
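Review bot: rnd_mpz_func carries no comment stating its contract: `_ctx` must point at an initialized mpz_t whose value is non-negative and fits in `length` bytes, otherwise nettle_mpz_get_str_256 cannot serialize it (to my recollection it asserts on an oversized value, i.e. the process aborts instead of returning an error). The ECDSA/DSA callers in this commit satisfy this because k is reduced below the group order, but that dependency is invisible here. Proposed header: `/* nettle_random_func that hands out a precomputed nonce instead of random bytes: _ctx points at an mpz_t holding 0 <= k < 2^(8*length). Used to feed the RFC 6979 k into nettle_{ecdsa,dsa}_sign. */`.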
|
|
|
8dd812 |
@@ -782,6 +790,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
struct dsa_signature sig;
|
|
|
8dd812 |
int curve_id = pk_params->curve;
|
|
|
8dd812 |
const struct ecc_curve *curve;
|
|
|
8dd812 |
+ mpz_t k;
|
|
|
8dd812 |
+ void *random_ctx;
|
|
|
8dd812 |
+ nettle_random_func *random_func;
|
|
|
8dd812 |
|
|
|
8dd812 |
curve = get_supported_nist_curve(curve_id);
|
|
|
8dd812 |
if (curve == NULL)
|
|
|
8dd812 |
@@ -808,7 +819,23 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
hash_len = vdata->size;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
- ecdsa_sign(&priv, NULL, rnd_nonce_func, hash_len,
|
|
|
8dd812 |
+ mpz_init(k);
|
|
|
8dd812 |
+ if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
|
|
|
8dd812 |
+ ret = _gnutls_ecdsa_compute_k(k,
|
|
|
8dd812 |
+ curve_id,
|
|
|
8dd812 |
+ pk_params->params[ECC_K],
|
|
|
8dd812 |
+ sign_params->dsa_dig,
|
|
|
8dd812 |
+ vdata->data,
|
|
|
8dd812 |
+ vdata->size);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto ecdsa_cleanup;
|
|
|
8dd812 |
+ random_ctx = &k;
|
|
|
8dd812 |
+ random_func = rnd_mpz_func;
|
|
|
8dd812 |
+ } else {
|
|
|
8dd812 |
+ random_ctx = NULL;
|
|
|
8dd812 |
+ random_func = rnd_nonce_func;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+ ecdsa_sign(&priv, random_ctx, random_func, hash_len,
|
|
|
8dd812 |
vdata->data, &sig);
|
|
|
8dd812 |
|
|
|
8dd812 |
/* prevent memory leaks */
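Review bot: `mpz_init(k)` runs long after `mpz_t k` is declared, and the lines between the declaration hunk and this one are outside the hunk; if any error path in that stretch reaches `ecdsa_cleanup`, the `mpz_clear(k)` added to that label in the next hunk runs on an uninitialized object. Moving `mpz_init(k);` up to follow the declarations (or to directly after the curve lookup) removes the dependence on how those intermediate error paths exit. The DSA case in this commit has the same layout. _wrap_nettle_pk_sign starts before and ends after the hunk.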
|
|
|
8dd812 |
@@ -824,6 +851,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
ecdsa_cleanup:
|
|
|
8dd812 |
dsa_signature_clear(&sig);
|
|
|
8dd812 |
ecc_scalar_zclear(&priv;;
|
|
|
8dd812 |
+ mpz_clear(k);
|
|
|
8dd812 |
|
|
|
8dd812 |
if (ret < 0) {
|
|
|
8dd812 |
gnutls_assert();
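Review bot: Unlike `priv`, which goes through ecc_scalar_zclear (by its name a zeroizing clear), the nonce `k` is released with a plain `mpz_clear`, which frees the limbs without scrubbing them; knowledge of k yields the private key, so it deserves the same treatment as the scalar. GMP's limb interface allows it in place: `mpn_zero(mpz_limbs_modify(k, mpz_size(k)), mpz_size(k));` before `mpz_clear(k);` — or whichever zeroizing release helper the file already uses for its bigint_t values. The DSA cleanup label later in this commit needs the same change.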
|
|
|
8dd812 |
@@ -836,6 +864,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
struct dsa_params pub;
|
|
|
8dd812 |
bigint_t priv;
|
|
|
8dd812 |
struct dsa_signature sig;
|
|
|
8dd812 |
+ mpz_t k;
|
|
|
8dd812 |
+ void *random_ctx;
|
|
|
8dd812 |
+ nettle_random_func *random_func;
|
|
|
8dd812 |
|
|
|
8dd812 |
memset(&priv, 0, sizeof(priv));
|
|
|
8dd812 |
memset(&pub, 0, sizeof(pub));
|
|
|
8dd812 |
@@ -856,8 +887,26 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
hash_len = vdata->size;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ mpz_init(k);
|
|
|
8dd812 |
+ if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
|
|
|
8dd812 |
+ ret = _gnutls_dsa_compute_k(k,
|
|
|
8dd812 |
+ pub.q,
|
|
|
8dd812 |
+ TOMPZ(priv),
|
|
|
8dd812 |
+ sign_params->dsa_dig,
|
|
|
8dd812 |
+ vdata->data,
|
|
|
8dd812 |
+ vdata->size);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ goto dsa_fail;
|
|
|
8dd812 |
+ /* cancel-out dsa_sign's addition of 1 to random data */
|
|
|
8dd812 |
+ mpz_sub_ui (k, k, 1);
|
|
|
8dd812 |
+ random_ctx = &k;
|
|
|
8dd812 |
+ random_func = rnd_mpz_func;
|
|
|
8dd812 |
+ } else {
|
|
|
8dd812 |
+ random_ctx = NULL;
|
|
|
8dd812 |
+ random_func = rnd_nonce_func;
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
ret =
|
|
|
8dd812 |
- dsa_sign(&pub, TOMPZ(priv), NULL, rnd_nonce_func,
|
|
|
8dd812 |
+ dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func,
|
|
|
8dd812 |
hash_len, vdata->data, &sig);
|
|
|
8dd812 |
if (ret == 0 || HAVE_LIB_ERROR()) {
|
|
|
8dd812 |
gnutls_assert();
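Review bot: The `mpz_sub_ui(k, k, 1)` compensates for an internal detail of nettle's dsa_sign (as I read it, it draws a value below q-1 from the random callback and adds 1), and the one-line comment does not record that the subtraction cannot underflow only because RFC 6979 yields 1 <= k <= q-1; a future nettle change would silently produce a different nonce. Proposed comment: `/* nettle's dsa_sign() takes x from the random callback and signs with k = x + 1; hand it k-1 (>= 0, since RFC 6979 guarantees 1 <= k <= q-1) so the nonce used is exactly the computed k. Verify against the nettle version in use. */`. The enclosing function starts before and ends after the hunk.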
|
|
|
8dd812 |
@@ -871,6 +920,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
|
|
|
8dd812 |
dsa_fail:
|
|
|
8dd812 |
dsa_signature_clear(&sig);
|
|
|
8dd812 |
+ mpz_clear(k);
|
|
|
8dd812 |
|
|
|
8dd812 |
if (ret < 0) {
|
|
|
8dd812 |
gnutls_assert();
|
|
|
8dd812 |
diff --git a/lib/privkey.c b/lib/privkey.c
|
|
|
8dd812 |
index 8683b4e20..4ef07c8b0 100644
|
|
|
8dd812 |
--- a/lib/privkey.c
|
|
|
8dd812 |
+++ b/lib/privkey.c
|
|
|
8dd812 |
@@ -1134,6 +1134,8 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer,
|
|
|
8dd812 |
return ret;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ FIX_SIGN_PARAMS(params, flags, hash);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
return privkey_sign_and_hash_data(signer, _gnutls_pk_to_sign_entry(params.pk, hash), data, signature, ¶ms);
|
|
|
8dd812 |
}
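Review bot: FIX_SIGN_PARAMS is invoked by hand at seven public entry points (this hunk and the three that follow in lib/privkey.c, plus lib/x509/crq.c, pkcs7.c and sign.c), each immediately before the internal privkey_sign_* helper is called; an entry point added later that forgets the macro signs with a random nonce despite the caller's flag, with no error. If the caller flags can be threaded through to privkey_sign_and_hash_data()/privkey_sign_prehashed(), which already receive `params`, the translation would live in one place. Each enclosing function here begins outside its hunk.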
|
|
|
8dd812 |
|
|
|
8dd812 |
@@ -1186,6 +1188,8 @@ gnutls_privkey_sign_data2(gnutls_privkey_t signer,
|
|
|
8dd812 |
return ret;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ FIX_SIGN_PARAMS(params, flags, se->hash);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
return privkey_sign_and_hash_data(signer, se, data, signature, ¶ms);
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
@@ -1253,6 +1257,8 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
|
|
|
8dd812 |
return ret;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ FIX_SIGN_PARAMS(params, flags, se->hash);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms);
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
@@ -1376,6 +1382,8 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
|
|
|
8dd812 |
if (unlikely(se == NULL))
|
|
|
8dd812 |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
|
8dd812 |
|
|
|
8dd812 |
+ FIX_SIGN_PARAMS(params, flags, hash_algo);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
return privkey_sign_prehashed(signer, se,
|
|
|
8dd812 |
hash_data, signature, ¶ms);
|
|
|
8dd812 |
}
|
|
|
8dd812 |
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
|
|
|
8dd812 |
index c8899f81a..4ca67535d 100644
|
|
|
8dd812 |
--- a/lib/x509/crq.c
|
|
|
8dd812 |
+++ b/lib/x509/crq.c
|
|
|
8dd812 |
@@ -2642,6 +2642,8 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key,
|
|
|
8dd812 |
if (se == NULL)
|
|
|
8dd812 |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
|
8dd812 |
|
|
|
8dd812 |
+ FIX_SIGN_PARAMS(params, flags, dig);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
result = privkey_sign_and_hash_data(key, se,
|
|
|
8dd812 |
&tbs, &signature, ¶ms);
|
|
|
8dd812 |
gnutls_free(tbs.data);
|
|
|
8dd812 |
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
|
|
|
8dd812 |
index 21fff7b07..98669e887 100644
|
|
|
8dd812 |
--- a/lib/x509/pkcs7.c
|
|
|
8dd812 |
+++ b/lib/x509/pkcs7.c
|
|
|
8dd812 |
@@ -2532,6 +2532,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
|
|
|
8dd812 |
goto cleanup;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ FIX_SIGN_PARAMS(params, flags, dig);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
ret = privkey_sign_and_hash_data(signer_key, se,
|
|
|
8dd812 |
&sigdata, &signature, ¶ms);
|
|
|
8dd812 |
if (ret < 0) {
|
|
|
8dd812 |
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
|
|
|
8dd812 |
index 8f7a96f21..461524f5b 100644
|
|
|
8dd812 |
--- a/lib/x509/sign.c
|
|
|
8dd812 |
+++ b/lib/x509/sign.c
|
|
|
8dd812 |
@@ -175,6 +175,8 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name,
|
|
|
8dd812 |
return result;
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ FIX_SIGN_PARAMS(params, flags, dig);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
if (_gnutls_pk_is_not_prehashed(params.pk)) {
|
|
|
8dd812 |
result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, ¶ms);
|
|
|
8dd812 |
} else {
|
|
|
8dd812 |
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
|
8dd812 |
index 7970ad6b3..a8c2d152e 100644
|
|
|
8dd812 |
--- a/tests/Makefile.am
|
|
|
8dd812 |
+++ b/tests/Makefile.am
|
|
|
8dd812 |
@@ -211,7 +211,8 @@ ctests += mini-record-2 simple gnutls_hm
|
|
|
8dd812 |
tls13-server-kx-neg gnutls_ext_raw_parse_dtls key-export-pkcs8 \
|
|
|
8dd812 |
null_retrieve_function tls-record-size-limit tls-crt_type-neg \
|
|
|
8dd812 |
resume-with-stek-expiration resume-with-previous-stek rawpk-api \
|
|
|
8dd812 |
- tls-record-size-limit-asym dh-compute ecdh-compute
|
|
|
8dd812 |
+ tls-record-size-limit-asym dh-compute ecdh-compute \
|
|
|
8dd812 |
+ sign-verify-deterministic
|
|
|
8dd812 |
|
|
|
8dd812 |
if HAVE_SECCOMP_TESTS
|
|
|
8dd812 |
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
|
|
|
8dd812 |
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
|
|
|
8dd812 |
new file mode 100644
|
|
|
8dd812 |
index 000000000..fe4873fc8
|
|
|
8dd812 |
--- /dev/null
|
|
|
8dd812 |
+++ b/tests/sign-verify-deterministic.c
|
|
|
8dd812 |
@@ -0,0 +1,196 @@
|
|
|
8dd812 |
+/*
|
|
|
8dd812 |
+ * Copyright (C) 2017-2019 Red Hat, Inc.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * This file is part of GnuTLS.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * GnuTLS is free software; you can redistribute it and/or modify it
|
|
|
8dd812 |
+ * under the terms of the GNU General Public License as published by
|
|
|
8dd812 |
+ * the Free Software Foundation; either version 3 of the License, or
|
|
|
8dd812 |
+ * (at your option) any later version.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * GnuTLS is distributed in the hope that it will be useful, but
|
|
|
8dd812 |
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
8dd812 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
8dd812 |
+ * General Public License for more details.
|
|
|
8dd812 |
+ *
|
|
|
8dd812 |
+ * You should have received a copy of the GNU General Public License
|
|
|
8dd812 |
+ * along with GnuTLS; if not, write to the Free Software Foundation,
|
|
|
8dd812 |
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
|
|
|
8dd812 |
+ */
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#ifdef HAVE_CONFIG_H
|
|
|
8dd812 |
+#include <config.h>
|
|
|
8dd812 |
+#endif
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#include <stdio.h>
|
|
|
8dd812 |
+#include <stdlib.h>
|
|
|
8dd812 |
+#include <string.h>
|
|
|
8dd812 |
+#include <sys/types.h>
|
|
|
8dd812 |
+#ifndef _WIN32
|
|
|
8dd812 |
+# include <netinet/in.h>
|
|
|
8dd812 |
+# include <sys/socket.h>
|
|
|
8dd812 |
+# include <arpa/inet.h>
|
|
|
8dd812 |
+#endif
|
|
|
8dd812 |
+#include <unistd.h>
|
|
|
8dd812 |
+#include <gnutls/gnutls.h>
|
|
|
8dd812 |
+#include <gnutls/x509.h>
|
|
|
8dd812 |
+#include <gnutls/abstract.h>
|
|
|
8dd812 |
+#include "utils.h"
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+/* verifies whether the sign-data and verify-data APIs
|
|
|
8dd812 |
+ * operate as expected with deterministic ECDSA/DSA (RFC 6979) */
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+static void tls_log_func(int level, const char *str)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ fprintf(stderr, "<%d> %s", level, str);
|
|
|
8dd812 |
+}
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+struct _key_tests_st {
|
|
|
8dd812 |
+ const char *name;
|
|
|
8dd812 |
+ gnutls_datum_t key;
|
|
|
8dd812 |
+ gnutls_datum_t msg;
|
|
|
8dd812 |
+ gnutls_datum_t sig;
|
|
|
8dd812 |
+ gnutls_pk_algorithm_t pk;
|
|
|
8dd812 |
+ gnutls_digest_algorithm_t digest;
|
|
|
8dd812 |
+ gnutls_sign_algorithm_t sigalgo;
|
|
|
8dd812 |
+ unsigned int sign_flags;
|
|
|
8dd812 |
+};
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+/* Test vectors from RFC 6979 */
|
|
|
8dd812 |
+static const char dsa_privkey_rfc6979[] =
|
|
|
8dd812 |
+ "-----BEGIN DSA PRIVATE KEY-----\n"
|
|
|
8dd812 |
+ "MIIBugIBAAKBgQCG9coD3P6yJQY/+DCgx2m53Z1hU62R184n94fEMni0R+ZTO4ax\n"
|
|
|
8dd812 |
+ "i+1uiki3hKFMJSxb4Nv2C4bWOFvS8S+3Y+2Ic6v9P1ui4KjApZCC6sBWk15Sna98\n"
|
|
|
8dd812 |
+ "YQRniZx3re38hGyIGHC3sZsrWPm+BSGhcALjvda4ZoXukLPZobAreCsXeQIVAJlv\n"
|
|
|
8dd812 |
+ "ln9sjjiNnijQHiBfupV6VpixAoGAB7D5JUYVC2JRS7dx4qDAzjh/A72mxWtQUgn/\n"
|
|
|
8dd812 |
+ "Jf08Ez2Ju82X6QTgkRTZp9796t/JB46lRNLkAa7sxAu5+794/YeZWhChwny3eJtZ\n"
|
|
|
8dd812 |
+ "S6fvtcQyap/lmgcOE223cXVGStykF75dzi9A0QpGo6OUPyarf9nAOY/4x27gpWgm\n"
|
|
|
8dd812 |
+ "qKiPHb0CgYBd9eAd7THQKX4nThaRwZL+WGj++eGahHdkVLEAzxb2U5IZWji5BSPi\n"
|
|
|
8dd812 |
+ "VC7mGHHARAy4fDIvxLTS7F4efsdm4b6NTOk1Q33BHDyP1CYziTPr/nOcs0ZfTTZo\n"
|
|
|
8dd812 |
+ "xeRzUIJTseaC9ly9xPrpPC6iEjkOVJBahuIiMXC0Tqp9pd2f/Pt/OwIUQRYCyxmm\n"
|
|
|
8dd812 |
+ "zMNElNedmO8eftWvJfc=\n"
|
|
|
8dd812 |
+ "-----END DSA PRIVATE KEY-----\n";
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+static const char ecdsa_secp256r1_privkey_rfc6979[] =
|
|
|
8dd812 |
+ "-----BEGIN EC PRIVATE KEY-----\n"
|
|
|
8dd812 |
+ "MHgCAQEEIQDJr6nYRbp1FmtcIVdnsdaTTlDD2zbomxJ7imIrEg9nIaAKBggqhkjO\n"
|
|
|
8dd812 |
+ "PQMBB6FEA0IABGD+1LolWp0xyWHrdMY1bWjASbiSO2H6bOZpYi5g8p+2eQP+EAi4\n"
|
|
|
8dd812 |
+ "vJmkGunpVii8ZPLxsgwtfp9Rd6PClNRGIpk=\n"
|
|
|
8dd812 |
+ "-----END EC PRIVATE KEY-----\n";
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+static const char sample[] = "sample";
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+static const
|
|
|
8dd812 |
+struct _key_tests_st tests[] = {
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ .name = "dsa key",
|
|
|
8dd812 |
+ .key = {(void *) dsa_privkey_rfc6979, sizeof(dsa_privkey_rfc6979)-1},
|
|
|
8dd812 |
+ .msg = {(void *) sample, sizeof(sample)-1},
|
|
|
8dd812 |
+ .sig = {(void *) "\x30\x2d\x02\x15\x00\x81\xf2\xf5\x85\x0b\xe5\xbc\x12\x3c\x43\xf7\x1a\x30\x33\xe9\x38\x46\x11\xc5\x45\x02\x14\x4c\xdd\x91\x4b\x65\xeb\x6c\x66\xa8\xaa\xad\x27\x29\x9b\xee\x6b\x03\x5f\x5e\x89", 47},
|
|
|
8dd812 |
+ .pk = GNUTLS_PK_DSA,
|
|
|
8dd812 |
+ .digest = GNUTLS_DIG_SHA256,
|
|
|
8dd812 |
+ .sigalgo = GNUTLS_SIGN_DSA_SHA256,
|
|
|
8dd812 |
+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
|
|
|
8dd812 |
+ },
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ .name = "ecdsa key",
|
|
|
8dd812 |
+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
|
|
|
8dd812 |
+ .msg = {(void *) sample, sizeof(sample)-1},
|
|
|
8dd812 |
+ .sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72},
|
|
|
8dd812 |
+ .pk = GNUTLS_PK_ECDSA,
|
|
|
8dd812 |
+ .digest = GNUTLS_DIG_SHA256,
|
|
|
8dd812 |
+ .sigalgo = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
|
|
|
8dd812 |
+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
|
|
|
8dd812 |
+ },
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ .name = "ecdsa key",
|
|
|
8dd812 |
+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
|
|
|
8dd812 |
+ .msg = {(void *) sample, sizeof(sample)-1},
|
|
|
8dd812 |
+ .sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72},
|
|
|
8dd812 |
+ .pk = GNUTLS_PK_ECDSA,
|
|
|
8dd812 |
+ .digest = GNUTLS_DIG_SHA256,
|
|
|
8dd812 |
+ .sigalgo = GNUTLS_SIGN_ECDSA_SHA256,
|
|
|
8dd812 |
+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
|
|
|
8dd812 |
+ },
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ .name = "ecdsa key (q bits < h bits)",
|
|
|
8dd812 |
+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
|
|
|
8dd812 |
+ .msg = {(void *) sample, sizeof(sample)-1},
|
|
|
8dd812 |
+ .sig = {(void *) "\x30\x44\x02\x20\x0e\xaf\xea\x03\x9b\x20\xe9\xb4\x23\x09\xfb\x1d\x89\xe2\x13\x05\x7c\xbf\x97\x3d\xc0\xcf\xc8\xf1\x29\xed\xdd\xc8\x00\xef\x77\x19\x02\x20\x48\x61\xf0\x49\x1e\x69\x98\xb9\x45\x51\x93\xe3\x4e\x7b\x0d\x28\x4d\xdd\x71\x49\xa7\x4b\x95\xb9\x26\x1f\x13\xab\xde\x94\x09\x54", 70},
|
|
|
8dd812 |
+ .pk = GNUTLS_PK_ECDSA,
|
|
|
8dd812 |
+ .digest = GNUTLS_DIG_SHA384,
|
|
|
8dd812 |
+ .sigalgo = GNUTLS_SIGN_ECDSA_SHA384,
|
|
|
8dd812 |
+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
|
|
|
8dd812 |
+ },
|
|
|
8dd812 |
+ {
|
|
|
8dd812 |
+ .name = "ecdsa key (q bits > h bits)",
|
|
|
8dd812 |
+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
|
|
|
8dd812 |
+ .msg = {(void *) sample, sizeof(sample)-1},
|
|
|
8dd812 |
+ .sig = {(void *) "\x30\x45\x02\x20\x53\xb2\xff\xf5\xd1\x75\x2b\x2c\x68\x9d\xf2\x57\xc0\x4c\x40\xa5\x87\xfa\xba\xbb\x3f\x6f\xc2\x70\x2f\x13\x43\xaf\x7c\xa9\xaa\x3f\x02\x21\x00\xb9\xaf\xb6\x4f\xdc\x03\xdc\x1a\x13\x1c\x7d\x23\x86\xd1\x1e\x34\x9f\x07\x0a\xa4\x32\xa4\xac\xc9\x18\xbe\xa9\x88\xbf\x75\xc7\x4c", 71},
|
|
|
8dd812 |
+ .pk = GNUTLS_PK_ECDSA,
|
|
|
8dd812 |
+ .digest = GNUTLS_DIG_SHA224,
|
|
|
8dd812 |
+ .sigalgo = GNUTLS_SIGN_ECDSA_SHA224,
|
|
|
8dd812 |
+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+};
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+#define testfail(fmt, ...) \
|
|
|
8dd812 |
+ fail("%s: "fmt, tests[i].name, ##__VA_ARGS__)
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+void doit(void)
|
|
|
8dd812 |
+{
|
|
|
8dd812 |
+ gnutls_pubkey_t pubkey;
|
|
|
8dd812 |
+ gnutls_privkey_t privkey;
|
|
|
8dd812 |
+ gnutls_datum_t signature;
|
|
|
8dd812 |
+ int ret;
|
|
|
8dd812 |
+ size_t i;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ global_init();
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ gnutls_global_set_log_function(tls_log_func);
|
|
|
8dd812 |
+ if (debug)
|
|
|
8dd812 |
+ gnutls_global_set_log_level(6);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
|
|
|
8dd812 |
+ success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = gnutls_privkey_init(&privkey);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ testfail("gnutls_privkey_init\n");
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ testfail("gnutls_privkey_import_x509_raw\n");
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags,
|
|
|
8dd812 |
+ &tests[i].msg, &signature);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ testfail("gnutls_privkey_sign_data\n");
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ if (signature.size != tests[i].sig.size ||
|
|
|
8dd812 |
+ memcmp(signature.data, tests[i].sig.data, signature.size) != 0)
|
|
|
8dd812 |
+ testfail("signature does not match");
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = gnutls_pubkey_init(&pubkey);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ testfail("gnutls_pubkey_init\n");
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ testfail("gnutls_pubkey_import_privkey\n");
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret =
|
|
|
8dd812 |
+ gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, &tests[i].msg,
|
|
|
8dd812 |
+ &signature);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ testfail("gnutls_pubkey_verify_data2\n");
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ gnutls_free(signature.data);
|
|
|
8dd812 |
+ gnutls_privkey_deinit(privkey);
|
|
|
8dd812 |
+ gnutls_pubkey_deinit(pubkey);
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ gnutls_global_deinit();
|
|
|
8dd812 |
+}
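Review bot: The mismatch failure `testfail("signature does not match")` lacks the trailing newline every other testfail in the file has, so the diagnostic runs into the next output line; `testfail("signature does not match\n");`. More substantively, every vector uses a supported key, so nothing establishes that a key outside the documented scope (a non-NIST curve, or DSA with q above 512 bits) makes gnutls_privkey_sign_data fail instead of silently signing with a random nonce, which is the property a caller relying on GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE most needs checked. Two entries also share the name "ecdsa key" and differ only in sigalgo, which the success line does print, but a distinct name per case makes failures easier to attribute.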
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|
|
|
8dd812 |
|
|
|
8dd812 |
From 1adee9e136176a8fe26bae036ebb275fe4c26f64 Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Mon, 5 Aug 2019 15:21:55 +0200
|
|
|
8dd812 |
Subject: [PATCH 5/6] nettle: enable deterministic ECDSA/DSA during FIPS
|
|
|
8dd812 |
selftests
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
lib/nettle/pk.c | 6 ++++--
|
|
|
8dd812 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
|
|
8dd812 |
index ebd6481cf..1f8e7f931 100644
|
|
|
8dd812 |
--- a/lib/nettle/pk.c
|
|
|
8dd812 |
+++ b/lib/nettle/pk.c
|
|
|
8dd812 |
@@ -820,7 +820,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
mpz_init(k);
|
|
|
8dd812 |
- if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
|
|
|
8dd812 |
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
|
|
|
8dd812 |
+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
|
|
|
8dd812 |
ret = _gnutls_ecdsa_compute_k(k,
|
|
|
8dd812 |
curve_id,
|
|
|
8dd812 |
pk_params->params[ECC_K],
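Review bot: The selftest condition is duplicated verbatim for ECDSA here and for DSA in the second hunk, so the FIPS policy now lives in two places; a small helper such as `static int use_deterministic_k(const gnutls_x509_spki_st *sp) { return _gnutls_get_lib_state() == LIB_STATE_SELFTEST || (sp->flags & GNUTLS_PK_FLAG_REPRODUCIBLE); }` keeps it in one. In selftest state the branch is taken regardless of the flag, so it now requires `sign_params->dsa_dig` to be valid even for callers that never set GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE; the final patch on this page addresses that. _wrap_nettle_pk_sign starts before and ends after the hunk.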
|
|
|
8dd812 |
@@ -888,7 +889,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
mpz_init(k);
|
|
|
8dd812 |
- if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
|
|
|
8dd812 |
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
|
|
|
8dd812 |
+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
|
|
|
8dd812 |
ret = _gnutls_dsa_compute_k(k,
|
|
|
8dd812 |
pub.q,
|
|
|
8dd812 |
TOMPZ(priv),
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|
|
|
8dd812 |
|
|
|
8dd812 |
From 3beaa23ef5852e2d8aaa610aac9cde9b46be4f77 Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Wed, 7 Aug 2019 15:55:44 +0200
|
|
|
8dd812 |
Subject: [PATCH 6/6] nettle: prohibit deterministic ECDSA/DSA under FIPS
|
|
|
8dd812 |
except selftests
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
lib/nettle/pk.c | 8 ++++++++
|
|
|
8dd812 |
tests/sign-verify-deterministic.c | 27 ++++++++++++++++++++-------
|
|
|
8dd812 |
2 files changed, 28 insertions(+), 7 deletions(-)
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
|
|
8dd812 |
index 1f8e7f931..b2d27cf74 100644
|
|
|
8dd812 |
--- a/lib/nettle/pk.c
|
|
|
8dd812 |
+++ b/lib/nettle/pk.c
|
|
|
8dd812 |
@@ -703,6 +703,14 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
|
|
|
8dd812 |
return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
|
|
|
8dd812 |
}
|
|
|
8dd812 |
|
|
|
8dd812 |
+ /* deterministic ECDSA/DSA is prohibited under FIPS except in
|
|
|
8dd812 |
+ * the selftests */
|
|
|
8dd812 |
+ if (_gnutls_fips_mode_enabled() &&
|
|
|
8dd812 |
+ _gnutls_get_lib_state() != LIB_STATE_SELFTEST &&
|
|
|
8dd812 |
+ (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_ECDSA) &&
|
|
|
8dd812 |
+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE))
|
|
|
8dd812 |
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
|
8dd812 |
+
|
|
|
8dd812 |
switch (algo) {
|
|
|
8dd812 |
case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */
|
|
|
8dd812 |
{
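Review bot: The new gate tests `_gnutls_fips_mode_enabled()` as a boolean; if, as other FIPS checks in the tree do, that function reports the configured mode (strict, lax, log, …) rather than a yes/no, deterministic signing is also refused in the lax/log modes that exist to permit non-approved operations — confirm against the existing approved-algorithm checks in lib/ and route through the same policy helper if they honour lax mode. The error code is also worth documenting on GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE in abstract.h, since the test in this patch hard-codes GNUTLS_E_INVALID_REQUEST. _wrap_nettle_pk_sign starts before and ends after the hunk.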
|
|
|
8dd812 |
diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
|
|
|
8dd812 |
index fe4873fc8..6e907288e 100644
|
|
|
8dd812 |
--- a/tests/sign-verify-deterministic.c
|
|
|
8dd812 |
+++ b/tests/sign-verify-deterministic.c
|
|
|
8dd812 |
@@ -154,29 +154,40 @@ void doit(void)
|
|
|
8dd812 |
gnutls_global_set_log_level(6);
|
|
|
8dd812 |
|
|
|
8dd812 |
for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
|
|
|
8dd812 |
- success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
|
|
|
8dd812 |
+ success("testing: %s - %s", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
|
|
|
8dd812 |
+
|
|
|
8dd812 |
+ ret = gnutls_pubkey_init(&pubkey);
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ testfail("gnutls_pubkey_init\n");
|
|
|
8dd812 |
|
|
|
8dd812 |
ret = gnutls_privkey_init(&privkey);
|
|
|
8dd812 |
if (ret < 0)
|
|
|
8dd812 |
testfail("gnutls_privkey_init\n");
|
|
|
8dd812 |
|
|
|
8dd812 |
+ signature.data = NULL;
|
|
|
8dd812 |
+ signature.size = 0;
|
|
|
8dd812 |
+
|
|
|
8dd812 |
ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0);
|
|
|
8dd812 |
if (ret < 0)
|
|
|
8dd812 |
testfail("gnutls_privkey_import_x509_raw\n");
|
|
|
8dd812 |
|
|
|
8dd812 |
ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags,
|
|
|
8dd812 |
&tests[i].msg, &signature);
|
|
|
8dd812 |
- if (ret < 0)
|
|
|
8dd812 |
- testfail("gnutls_privkey_sign_data\n");
|
|
|
8dd812 |
+ if (gnutls_fips140_mode_enabled()) {
|
|
|
8dd812 |
+ /* deterministic ECDSA/DSA is prohibited under FIPS */
|
|
|
8dd812 |
+ if (ret != GNUTLS_E_INVALID_REQUEST)
|
|
|
8dd812 |
+ testfail("gnutls_privkey_sign_data unexpectedly succeeds\n");
|
|
|
8dd812 |
+ success(" - skipping\n");
|
|
|
8dd812 |
+ goto next;
|
|
|
8dd812 |
+ } else {
|
|
|
8dd812 |
+ if (ret < 0)
|
|
|
8dd812 |
+ testfail("gnutls_privkey_sign_data\n");
|
|
|
8dd812 |
+ }
|
|
|
8dd812 |
|
|
|
8dd812 |
if (signature.size != tests[i].sig.size ||
|
|
|
8dd812 |
memcmp(signature.data, tests[i].sig.data, signature.size) != 0)
|
|
|
8dd812 |
testfail("signature does not match");
|
|
|
8dd812 |
|
|
|
8dd812 |
- ret = gnutls_pubkey_init(&pubkey);
|
|
|
8dd812 |
- if (ret < 0)
|
|
|
8dd812 |
- testfail("gnutls_pubkey_init\n");
|
|
|
8dd812 |
-
|
|
|
8dd812 |
ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
|
|
|
8dd812 |
if (ret < 0)
|
|
|
8dd812 |
testfail("gnutls_pubkey_import_privkey\n");
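Review bot: In the FIPS branch the message `testfail("gnutls_privkey_sign_data unexpectedly succeeds\n")` is wrong whenever ret is some other negative error — the call did not succeed, it failed with the wrong code — and that code is lost; since testfail forwards varargs to fail, `testfail("gnutls_privkey_sign_data: expected GNUTLS_E_INVALID_REQUEST, got %d\n", ret);` reports both cases. The hunk's enclosing doit() begins outside the hunk.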
|
|
|
8dd812 |
@@ -186,7 +197,9 @@ void doit(void)
|
|
|
8dd812 |
&signature);
|
|
|
8dd812 |
if (ret < 0)
|
|
|
8dd812 |
testfail("gnutls_pubkey_verify_data2\n");
|
|
|
8dd812 |
+ success(" - pass");
|
|
|
8dd812 |
|
|
|
8dd812 |
+ next:
|
|
|
8dd812 |
gnutls_free(signature.data);
|
|
|
8dd812 |
gnutls_privkey_deinit(privkey);
|
|
|
8dd812 |
gnutls_pubkey_deinit(pubkey);
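Review bot: `success(" - pass")` has no trailing newline while its counterpart `success(" - skipping\n")` in the previous hunk does; because the per-test header line was changed to omit its newline, the next iteration's "testing:" line is appended to " - pass" on the same output line. `success(" - pass\n");`. doit() ends outside the hunk.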
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|
|
|
8dd812 |
From 6cb58f18280bedfec9d7c8ac411574b868b3d758 Mon Sep 17 00:00:00 2001
|
|
|
8dd812 |
From: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
Date: Fri, 16 Aug 2019 14:59:03 +0200
|
|
|
8dd812 |
Subject: [PATCH] crypto-backend: always set sign_params.dsa_dig when ECDSA/DSA
|
|
|
8dd812 |
|
|
|
8dd812 |
In FIPS selftests we create deterministic signature and the
|
|
|
8dd812 |
information about the digest algorithm is necessary.
|
|
|
8dd812 |
|
|
|
8dd812 |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
8dd812 |
---
|
|
|
8dd812 |
lib/crypto-backend.h | 3 +++
|
|
|
8dd812 |
1 file changed, 3 insertions(+)
|
|
|
8dd812 |
|
|
|
8dd812 |
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
|
|
|
8dd812 |
index 33eca6031..664ba4377 100644
|
|
|
8dd812 |
--- a/lib/crypto-backend.h
|
|
|
8dd812 |
+++ b/lib/crypto-backend.h
|
|
|
8dd812 |
@@ -233,6 +233,9 @@ typedef enum {
|
|
|
8dd812 |
#define FIX_SIGN_PARAMS(params, flags, dig) do { \
|
|
|
8dd812 |
if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \
|
|
|
8dd812 |
(params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \
|
|
|
8dd812 |
+ } \
|
|
|
8dd812 |
+ if ((params).pk == GNUTLS_PK_DSA || \
|
|
|
8dd812 |
+ (params).pk == GNUTLS_PK_ECDSA) { \
|
|
|
8dd812 |
(params).dsa_dig = (dig); \
|
|
|
8dd812 |
} \
|
|
|
8dd812 |
} while (0)
|
|
|
8dd812 |
--
|
|
|
8dd812 |
2.21.0
|
|
|
8dd812 |
|