|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn/bn_div.c.rohnp-fix openssl-1.0.2k/crypto/bn/bn_div.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn/bn_div.c.rohnp-fix 2017-01-26 14:22:03.000000000 +0100
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn/bn_div.c 2018-08-14 10:57:21.592518702 +0200
|
|
|
ad56ed |
@@ -290,6 +290,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const
|
|
|
ad56ed |
wnum.neg = 0;
|
|
|
ad56ed |
wnum.d = &(snum->d[loop]);
|
|
|
ad56ed |
wnum.top = div_n;
|
|
|
ad56ed |
+ wnum.flags = BN_FLG_STATIC_DATA;
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
* only needed when BN_ucmp messes up the values between top and max
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn/bn_exp.c.rohnp-fix openssl-1.0.2k/crypto/bn/bn_exp.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn/bn_exp.c.rohnp-fix 2017-01-26 14:22:03.000000000 +0100
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn/bn_exp.c 2018-08-14 10:57:21.596518798 +0200
|
|
|
ad56ed |
@@ -466,17 +466,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BI
|
|
|
ad56ed |
ret = 1;
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
- if (!BN_to_montgomery(val[0], aa, mont, ctx))
|
|
|
ad56ed |
+ if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx))
|
|
|
ad56ed |
goto err; /* 1 */
|
|
|
ad56ed |
|
|
|
ad56ed |
window = BN_window_bits_for_exponent_size(bits);
|
|
|
ad56ed |
if (window > 1) {
|
|
|
ad56ed |
- if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx))
|
|
|
ad56ed |
+ if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx))
|
|
|
ad56ed |
goto err; /* 2 */
|
|
|
ad56ed |
j = 1 << (window - 1);
|
|
|
ad56ed |
for (i = 1; i < j; i++) {
|
|
|
ad56ed |
if (((val[i] = BN_CTX_get(ctx)) == NULL) ||
|
|
|
ad56ed |
- !BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx))
|
|
|
ad56ed |
+ !bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
}
|
|
|
ad56ed |
@@ -498,19 +498,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BI
|
|
|
ad56ed |
for (i = 1; i < j; i++)
|
|
|
ad56ed |
r->d[i] = (~m->d[i]) & BN_MASK2;
|
|
|
ad56ed |
r->top = j;
|
|
|
ad56ed |
- /*
|
|
|
ad56ed |
- * Upper words will be zero if the corresponding words of 'm' were
|
|
|
ad56ed |
- * 0xfff[...], so decrement r->top accordingly.
|
|
|
ad56ed |
- */
|
|
|
ad56ed |
- bn_correct_top(r);
|
|
|
ad56ed |
+ r->flags |= BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
} else
|
|
|
ad56ed |
#endif
|
|
|
ad56ed |
- if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
|
|
|
ad56ed |
+ if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
for (;;) {
|
|
|
ad56ed |
if (BN_is_bit_set(p, wstart) == 0) {
|
|
|
ad56ed |
if (!start) {
|
|
|
ad56ed |
- if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
|
|
|
ad56ed |
+ if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
if (wstart == 0)
|
|
|
ad56ed |
@@ -541,12 +537,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BI
|
|
|
ad56ed |
/* add the 'bytes above' */
|
|
|
ad56ed |
if (!start)
|
|
|
ad56ed |
for (i = 0; i < j; i++) {
|
|
|
ad56ed |
- if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
|
|
|
ad56ed |
+ if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
/* wvalue will be an odd number < 2^window */
|
|
|
ad56ed |
- if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx))
|
|
|
ad56ed |
+ if (!bn_mul_mont_fixed_top(r, r, val[wvalue >> 1], mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
/* move the 'window' down further */
|
|
|
ad56ed |
@@ -556,6 +552,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BI
|
|
|
ad56ed |
if (wstart < 0)
|
|
|
ad56ed |
break;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
|
|
|
ad56ed |
+ * removes padding [if any] and makes return value suitable for public
|
|
|
ad56ed |
+ * API consumer.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
#if defined(SPARC_T4_MONT)
|
|
|
ad56ed |
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
|
|
|
ad56ed |
j = mont->N.top; /* borrow j */
|
|
|
ad56ed |
@@ -674,7 +675,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBU
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
b->top = top;
|
|
|
ad56ed |
- bn_correct_top(b);
|
|
|
ad56ed |
+ b->flags |= BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
return 1;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
@@ -841,16 +842,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
|
|
|
ad56ed |
tmp.top = top;
|
|
|
ad56ed |
} else
|
|
|
ad56ed |
#endif
|
|
|
ad56ed |
- if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx))
|
|
|
ad56ed |
+ if (!bn_to_mont_fixed_top(&tmp, BN_value_one(), mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
/* prepare a^1 in Montgomery domain */
|
|
|
ad56ed |
if (a->neg || BN_ucmp(a, m) >= 0) {
|
|
|
ad56ed |
if (!BN_mod(&am, a, m, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- if (!BN_to_montgomery(&am, &am, mont, ctx))
|
|
|
ad56ed |
+ if (!bn_to_mont_fixed_top(&am, &am, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- } else if (!BN_to_montgomery(&am, a, mont, ctx))
|
|
|
ad56ed |
+ } else if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
#if defined(SPARC_T4_MONT)
|
|
|
ad56ed |
@@ -1117,14 +1118,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
|
|
|
ad56ed |
* performance advantage of sqr over mul).
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
if (window > 1) {
|
|
|
ad56ed |
- if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
|
|
|
ad56ed |
+ if (!bn_mul_mont_fixed_top(&tmp, &am, &am, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2,
|
|
|
ad56ed |
window))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
for (i = 3; i < numPowers; i++) {
|
|
|
ad56ed |
/* Calculate a^i = a^(i-1) * a */
|
|
|
ad56ed |
- if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
|
|
|
ad56ed |
+ if (!bn_mul_mont_fixed_top(&tmp, &am, &tmp, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i,
|
|
|
ad56ed |
window))
|
|
|
ad56ed |
@@ -1148,7 +1149,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
|
|
|
ad56ed |
|
|
|
ad56ed |
/* Scan the window, squaring the result as we go */
|
|
|
ad56ed |
for (i = 0; i < window; i++, bits--) {
|
|
|
ad56ed |
- if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx))
|
|
|
ad56ed |
+ if (!bn_mul_mont_fixed_top(&tmp, &tmp, &tmp, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
|
|
|
ad56ed |
}
|
|
|
ad56ed |
@@ -1161,12 +1162,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
/* Multiply the result into the intermediate result */
|
|
|
ad56ed |
- if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx))
|
|
|
ad56ed |
+ if (!bn_mul_mont_fixed_top(&tmp, &tmp, &am, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
- /* Convert the final result from montgomery to standard format */
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
|
|
|
ad56ed |
+ * removes padding [if any] and makes return value suitable for public
|
|
|
ad56ed |
+ * API consumer.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
#if defined(SPARC_T4_MONT)
|
|
|
ad56ed |
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
|
|
|
ad56ed |
am.d[0] = 1; /* borrow am */
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn/bn.h.rohnp-fix openssl-1.0.2k/crypto/bn/bn.h
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn/bn.h.rohnp-fix 2018-06-20 17:44:01.752387208 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn/bn.h 2018-08-14 10:57:21.592518702 +0200
|
|
|
ad56ed |
@@ -702,6 +702,16 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, i
|
|
|
ad56ed |
/* We only need assert() when debugging */
|
|
|
ad56ed |
# include <assert.h>
|
|
|
ad56ed |
|
|
|
ad56ed |
+/*
|
|
|
ad56ed |
+ * The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with
|
|
|
ad56ed |
+ * bn_correct_top, in other words such vectors are permitted to have zeros
|
|
|
ad56ed |
+ * in most significant limbs. Such vectors are used internally to achieve
|
|
|
ad56ed |
+ * execution time invariance for critical operations with private keys.
|
|
|
ad56ed |
+ * It's BN_DEBUG-only flag, because user application is not supposed to
|
|
|
ad56ed |
+ * observe it anyway. Moreover, optimizing compiler would actually remove
|
|
|
ad56ed |
+ * all operations manipulating the bit in question in non-BN_DEBUG build.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+# define BN_FLG_FIXED_TOP 0x10000
|
|
|
ad56ed |
# ifdef BN_DEBUG_RAND
|
|
|
ad56ed |
/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
|
|
|
ad56ed |
# ifndef RAND_pseudo_bytes
|
|
|
ad56ed |
@@ -734,8 +744,10 @@ int RAND_pseudo_bytes(unsigned char *buf
|
|
|
ad56ed |
do { \
|
|
|
ad56ed |
const BIGNUM *_bnum2 = (a); \
|
|
|
ad56ed |
if (_bnum2 != NULL) { \
|
|
|
ad56ed |
- assert((_bnum2->top == 0) || \
|
|
|
ad56ed |
- (_bnum2->d[_bnum2->top - 1] != 0)); \
|
|
|
ad56ed |
+ int _top = _bnum2->top; \
|
|
|
ad56ed |
+ assert((_top == 0) || \
|
|
|
ad56ed |
+ (_bnum2->flags & BN_FLG_FIXED_TOP) || \
|
|
|
ad56ed |
+ (_bnum2->d[_top - 1] != 0)); \
|
|
|
ad56ed |
bn_pollute(_bnum2); \
|
|
|
ad56ed |
} \
|
|
|
ad56ed |
} while(0)
|
|
|
ad56ed |
@@ -753,6 +765,7 @@ int RAND_pseudo_bytes(unsigned char *buf
|
|
|
ad56ed |
|
|
|
ad56ed |
# else /* !BN_DEBUG */
|
|
|
ad56ed |
|
|
|
ad56ed |
+# define BN_FLG_FIXED_TOP 0
|
|
|
ad56ed |
# define bn_pollute(a)
|
|
|
ad56ed |
# define bn_check_top(a)
|
|
|
ad56ed |
# define bn_fix_top(a) bn_correct_top(a)
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn/bn_lcl.h.rohnp-fix openssl-1.0.2k/crypto/bn/bn_lcl.h
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn/bn_lcl.h.rohnp-fix 2018-06-20 17:44:01.748387114 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn/bn_lcl.h 2018-08-14 10:57:21.596518798 +0200
|
|
|
ad56ed |
@@ -113,6 +113,7 @@
|
|
|
ad56ed |
# define HEADER_BN_LCL_H
|
|
|
ad56ed |
|
|
|
ad56ed |
# include <openssl/bn.h>
|
|
|
ad56ed |
+# include "bn_int.h"
|
|
|
ad56ed |
|
|
|
ad56ed |
#ifdef __cplusplus
|
|
|
ad56ed |
extern "C" {
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn/bn_lib.c.rohnp-fix openssl-1.0.2k/crypto/bn/bn_lib.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn/bn_lib.c.rohnp-fix 2017-01-26 14:22:03.000000000 +0100
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn/bn_lib.c 2018-08-14 10:57:21.592518702 +0200
|
|
|
ad56ed |
@@ -290,8 +290,6 @@ static BN_ULONG *bn_expand_internal(cons
|
|
|
ad56ed |
const BN_ULONG *B;
|
|
|
ad56ed |
int i;
|
|
|
ad56ed |
|
|
|
ad56ed |
- bn_check_top(b);
|
|
|
ad56ed |
-
|
|
|
ad56ed |
if (words > (INT_MAX / (4 * BN_BITS2))) {
|
|
|
ad56ed |
BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
|
|
|
ad56ed |
return NULL;
|
|
|
ad56ed |
@@ -425,8 +423,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, i
|
|
|
ad56ed |
|
|
|
ad56ed |
BIGNUM *bn_expand2(BIGNUM *b, int words)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
- bn_check_top(b);
|
|
|
ad56ed |
-
|
|
|
ad56ed |
if (words > b->dmax) {
|
|
|
ad56ed |
BN_ULONG *a = bn_expand_internal(b, words);
|
|
|
ad56ed |
if (!a)
|
|
|
ad56ed |
@@ -460,7 +456,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
|
|
|
ad56ed |
assert(A == &(b->d[b->dmax]));
|
|
|
ad56ed |
}
|
|
|
ad56ed |
#endif
|
|
|
ad56ed |
- bn_check_top(b);
|
|
|
ad56ed |
return b;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
@@ -572,6 +567,7 @@ void BN_clear(BIGNUM *a)
|
|
|
ad56ed |
OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
|
|
|
ad56ed |
a->top = 0;
|
|
|
ad56ed |
a->neg = 0;
|
|
|
ad56ed |
+ a->flags &= ~BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
BN_ULONG BN_get_word(const BIGNUM *a)
|
|
|
ad56ed |
@@ -592,6 +588,7 @@ int BN_set_word(BIGNUM *a, BN_ULONG w)
|
|
|
ad56ed |
a->neg = 0;
|
|
|
ad56ed |
a->d[0] = w;
|
|
|
ad56ed |
a->top = (w ? 1 : 0);
|
|
|
ad56ed |
+ a->flags &= ~BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
bn_check_top(a);
|
|
|
ad56ed |
return (1);
|
|
|
ad56ed |
}
|
|
|
ad56ed |
@@ -738,6 +735,7 @@ int BN_set_bit(BIGNUM *a, int n)
|
|
|
ad56ed |
for (k = a->top; k < i + 1; k++)
|
|
|
ad56ed |
a->d[k] = 0;
|
|
|
ad56ed |
a->top = i + 1;
|
|
|
ad56ed |
+ a->flags &= ~BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
a->d[i] |= (((BN_ULONG)1) << j);
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn/bn_mod.c.rohnp-fix openssl-1.0.2k/crypto/bn/bn_mod.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn/bn_mod.c.rohnp-fix 2017-01-26 14:22:03.000000000 +0100
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn/bn_mod.c 2018-08-14 10:57:21.601518919 +0200
|
|
|
ad56ed |
@@ -149,18 +149,73 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *
|
|
|
ad56ed |
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
* BN_mod_add variant that may be used if both a and b are non-negative and
|
|
|
ad56ed |
- * less than m
|
|
|
ad56ed |
+ * less than m. The original algorithm was
|
|
|
ad56ed |
+ *
|
|
|
ad56ed |
+ * if (!BN_uadd(r, a, b))
|
|
|
ad56ed |
+ * return 0;
|
|
|
ad56ed |
+ * if (BN_ucmp(r, m) >= 0)
|
|
|
ad56ed |
+ * return BN_usub(r, r, m);
|
|
|
ad56ed |
+ *
|
|
|
ad56ed |
+ * which is replaced with addition, subtracting modulus, and conditional
|
|
|
ad56ed |
+ * move depending on whether or not subtraction borrowed.
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
-int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
|
|
ad56ed |
- const BIGNUM *m)
|
|
|
ad56ed |
+int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
|
|
ad56ed |
+ const BIGNUM *m)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
- if (!BN_uadd(r, a, b))
|
|
|
ad56ed |
+ size_t i, ai, bi, mtop = m->top;
|
|
|
ad56ed |
+ BN_ULONG storage[1024 / BN_BITS2];
|
|
|
ad56ed |
+ BN_ULONG carry, temp, mask, *rp, *tp = storage;
|
|
|
ad56ed |
+ const BN_ULONG *ap, *bp;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ if (bn_wexpand(r, m->top) == NULL)
|
|
|
ad56ed |
return 0;
|
|
|
ad56ed |
- if (BN_ucmp(r, m) >= 0)
|
|
|
ad56ed |
- return BN_usub(r, r, m);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ if (mtop > sizeof(storage) / sizeof(storage[0])
|
|
|
ad56ed |
+ && (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL)
|
|
|
ad56ed |
+ return 0;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ ap = a->d != NULL ? a->d : tp;
|
|
|
ad56ed |
+ bp = b->d != NULL ? b->d : tp;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) {
|
|
|
ad56ed |
+ mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
|
|
|
ad56ed |
+ temp = ((ap[ai] & mask) + carry) & BN_MASK2;
|
|
|
ad56ed |
+ carry = (temp < carry);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
|
|
|
ad56ed |
+ tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2;
|
|
|
ad56ed |
+ carry += (tp[i] < temp);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ i++;
|
|
|
ad56ed |
+ ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
|
|
|
ad56ed |
+ bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
+ rp = r->d;
|
|
|
ad56ed |
+ carry -= bn_sub_words(rp, tp, m->d, mtop);
|
|
|
ad56ed |
+ for (i = 0; i < mtop; i++) {
|
|
|
ad56ed |
+ rp[i] = (carry & tp[i]) | (~carry & rp[i]);
|
|
|
ad56ed |
+ ((volatile BN_ULONG *)tp)[i] = 0;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
+ r->top = mtop;
|
|
|
ad56ed |
+ r->neg = 0;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ if (tp != storage)
|
|
|
ad56ed |
+ OPENSSL_free(tp);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
return 1;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
+int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
|
|
ad56ed |
+ const BIGNUM *m)
|
|
|
ad56ed |
+{
|
|
|
ad56ed |
+ int ret = bn_mod_add_fixed_top(r, a, b, m);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ if (ret)
|
|
|
ad56ed |
+ bn_correct_top(r);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ return ret;
|
|
|
ad56ed |
+}
|
|
|
ad56ed |
+
|
|
|
ad56ed |
int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
|
|
|
ad56ed |
BN_CTX *ctx)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn/bn_mont.c.rohnp-fix openssl-1.0.2k/crypto/bn/bn_mont.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn/bn_mont.c.rohnp-fix 2018-08-14 10:57:21.589518629 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn/bn_mont.c 2018-08-14 11:15:11.425320301 +0200
|
|
|
ad56ed |
@@ -56,7 +56,7 @@
|
|
|
ad56ed |
* [including the GNU Public Licence.]
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
/* ====================================================================
|
|
|
ad56ed |
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
|
|
|
ad56ed |
+ * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
|
|
ad56ed |
*
|
|
|
ad56ed |
* Redistribution and use in source and binary forms, with or without
|
|
|
ad56ed |
* modification, are permitted provided that the following conditions
|
|
|
ad56ed |
@@ -123,12 +123,23 @@
|
|
|
ad56ed |
#define MONT_WORD /* use the faster word-based algorithm */
|
|
|
ad56ed |
|
|
|
ad56ed |
#ifdef MONT_WORD
|
|
|
ad56ed |
-static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
|
|
|
ad56ed |
+static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
|
|
|
ad56ed |
#endif
|
|
|
ad56ed |
|
|
|
ad56ed |
int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
|
|
ad56ed |
BN_MONT_CTX *mont, BN_CTX *ctx)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
+ int ret = bn_mul_mont_fixed_top(r, a, b, mont, ctx);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ bn_correct_top(r);
|
|
|
ad56ed |
+ bn_check_top(r);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ return ret;
|
|
|
ad56ed |
+}
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
|
|
ad56ed |
+ BN_MONT_CTX *mont, BN_CTX *ctx)
|
|
|
ad56ed |
+{
|
|
|
ad56ed |
BIGNUM *tmp;
|
|
|
ad56ed |
int ret = 0;
|
|
|
ad56ed |
#if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD)
|
|
|
ad56ed |
@@ -140,8 +151,8 @@ int BN_mod_mul_montgomery(BIGNUM *r, con
|
|
|
ad56ed |
if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
|
|
|
ad56ed |
r->neg = a->neg ^ b->neg;
|
|
|
ad56ed |
r->top = num;
|
|
|
ad56ed |
- bn_correct_top(r);
|
|
|
ad56ed |
- return (1);
|
|
|
ad56ed |
+ r->flags |= BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
+ return 1;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
}
|
|
|
ad56ed |
#endif
|
|
|
ad56ed |
@@ -161,13 +172,12 @@ int BN_mod_mul_montgomery(BIGNUM *r, con
|
|
|
ad56ed |
}
|
|
|
ad56ed |
/* reduce from aRR to aR */
|
|
|
ad56ed |
#ifdef MONT_WORD
|
|
|
ad56ed |
- if (!BN_from_montgomery_word(r, tmp, mont))
|
|
|
ad56ed |
+ if (!bn_from_montgomery_word(r, tmp, mont))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
#else
|
|
|
ad56ed |
if (!BN_from_montgomery(r, tmp, mont, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
#endif
|
|
|
ad56ed |
- bn_check_top(r);
|
|
|
ad56ed |
ret = 1;
|
|
|
ad56ed |
err:
|
|
|
ad56ed |
BN_CTX_end(ctx);
|
|
|
ad56ed |
@@ -175,7 +185,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, con
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
#ifdef MONT_WORD
|
|
|
ad56ed |
-static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
|
|
ad56ed |
+static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
BIGNUM *n;
|
|
|
ad56ed |
BN_ULONG *ap, *np, *rp, n0, v, carry;
|
|
|
ad56ed |
@@ -205,28 +215,16 @@ static int BN_from_montgomery_word(BIGNU
|
|
|
ad56ed |
# endif
|
|
|
ad56ed |
|
|
|
ad56ed |
r->top = max;
|
|
|
ad56ed |
+ r->flags |= BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
n0 = mont->n0[0];
|
|
|
ad56ed |
|
|
|
ad56ed |
-# ifdef BN_COUNT
|
|
|
ad56ed |
- fprintf(stderr, "word BN_from_montgomery_word %d * %d\n", nl, nl);
|
|
|
ad56ed |
-# endif
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * Add multiples of |n| to |r| until R = 2^(nl * BN_BITS2) divides it. On
|
|
|
ad56ed |
+ * input, we had |r| < |n| * R, so now |r| < 2 * |n| * R. Note that |r|
|
|
|
ad56ed |
+ * includes |carry| which is stored separately.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
for (carry = 0, i = 0; i < nl; i++, rp++) {
|
|
|
ad56ed |
-# ifdef __TANDEM
|
|
|
ad56ed |
- {
|
|
|
ad56ed |
- long long t1;
|
|
|
ad56ed |
- long long t2;
|
|
|
ad56ed |
- long long t3;
|
|
|
ad56ed |
- t1 = rp[0] * (n0 & 0177777);
|
|
|
ad56ed |
- t2 = 037777600000l;
|
|
|
ad56ed |
- t2 = n0 & t2;
|
|
|
ad56ed |
- t3 = rp[0] & 0177777;
|
|
|
ad56ed |
- t2 = (t3 * t2) & BN_MASK2;
|
|
|
ad56ed |
- t1 = t1 + t2;
|
|
|
ad56ed |
- v = bn_mul_add_words(rp, np, nl, (BN_ULONG)t1);
|
|
|
ad56ed |
- }
|
|
|
ad56ed |
-# else
|
|
|
ad56ed |
v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2);
|
|
|
ad56ed |
-# endif
|
|
|
ad56ed |
v = (v + carry + rp[nl]) & BN_MASK2;
|
|
|
ad56ed |
carry |= (v != rp[nl]);
|
|
|
ad56ed |
carry &= (v <= rp[nl]);
|
|
|
ad56ed |
@@ -236,52 +234,27 @@ static int BN_from_montgomery_word(BIGNU
|
|
|
ad56ed |
if (bn_wexpand(ret, nl) == NULL)
|
|
|
ad56ed |
return (0);
|
|
|
ad56ed |
ret->top = nl;
|
|
|
ad56ed |
+ ret->flags |= BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
ret->neg = r->neg;
|
|
|
ad56ed |
|
|
|
ad56ed |
rp = ret->d;
|
|
|
ad56ed |
- ap = &(r->d[nl]);
|
|
|
ad56ed |
|
|
|
ad56ed |
-# define BRANCH_FREE 1
|
|
|
ad56ed |
-# if BRANCH_FREE
|
|
|
ad56ed |
- {
|
|
|
ad56ed |
- BN_ULONG *nrp;
|
|
|
ad56ed |
- size_t m;
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * Shift |nl| words to divide by R. We have |ap| < 2 * |n|. Note that |ap|
|
|
|
ad56ed |
+ * includes |carry| which is stored separately.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+ ap = &(r->d[nl]);
|
|
|
ad56ed |
|
|
|
ad56ed |
- v = bn_sub_words(rp, ap, np, nl) - carry;
|
|
|
ad56ed |
- /*
|
|
|
ad56ed |
- * if subtraction result is real, then trick unconditional memcpy
|
|
|
ad56ed |
- * below to perform in-place "refresh" instead of actual copy.
|
|
|
ad56ed |
- */
|
|
|
ad56ed |
- m = (0 - (size_t)v);
|
|
|
ad56ed |
- nrp =
|
|
|
ad56ed |
- (BN_ULONG *)(((PTR_SIZE_INT) rp & ~m) | ((PTR_SIZE_INT) ap & m));
|
|
|
ad56ed |
-
|
|
|
ad56ed |
- for (i = 0, nl -= 4; i < nl; i += 4) {
|
|
|
ad56ed |
- BN_ULONG t1, t2, t3, t4;
|
|
|
ad56ed |
-
|
|
|
ad56ed |
- t1 = nrp[i + 0];
|
|
|
ad56ed |
- t2 = nrp[i + 1];
|
|
|
ad56ed |
- t3 = nrp[i + 2];
|
|
|
ad56ed |
- ap[i + 0] = 0;
|
|
|
ad56ed |
- t4 = nrp[i + 3];
|
|
|
ad56ed |
- ap[i + 1] = 0;
|
|
|
ad56ed |
- rp[i + 0] = t1;
|
|
|
ad56ed |
- ap[i + 2] = 0;
|
|
|
ad56ed |
- rp[i + 1] = t2;
|
|
|
ad56ed |
- ap[i + 3] = 0;
|
|
|
ad56ed |
- rp[i + 2] = t3;
|
|
|
ad56ed |
- rp[i + 3] = t4;
|
|
|
ad56ed |
- }
|
|
|
ad56ed |
- for (nl += 4; i < nl; i++)
|
|
|
ad56ed |
- rp[i] = nrp[i], ap[i] = 0;
|
|
|
ad56ed |
+ carry -= bn_sub_words(rp, ap, np, nl);
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note
|
|
|
ad56ed |
+ * |carry| cannot be 1. That would imply the subtraction did not fit in
|
|
|
ad56ed |
+ * |nl| words, and we know at most one subtraction is needed.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+ for (i = 0; i < nl; i++) {
|
|
|
ad56ed |
+ rp[i] = (carry & ap[i]) | (~carry & rp[i]);
|
|
|
ad56ed |
+ ap[i] = 0;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
-# else
|
|
|
ad56ed |
- if (bn_sub_words(rp, ap, np, nl) - carry)
|
|
|
ad56ed |
- memcpy(rp, ap, nl * sizeof(BN_ULONG));
|
|
|
ad56ed |
-# endif
|
|
|
ad56ed |
- bn_correct_top(r);
|
|
|
ad56ed |
- bn_correct_top(ret);
|
|
|
ad56ed |
- bn_check_top(ret);
|
|
|
ad56ed |
|
|
|
ad56ed |
return (1);
|
|
|
ad56ed |
}
|
|
|
ad56ed |
@@ -295,8 +268,11 @@ int BN_from_montgomery(BIGNUM *ret, cons
|
|
|
ad56ed |
BIGNUM *t;
|
|
|
ad56ed |
|
|
|
ad56ed |
BN_CTX_start(ctx);
|
|
|
ad56ed |
- if ((t = BN_CTX_get(ctx)) && BN_copy(t, a))
|
|
|
ad56ed |
- retn = BN_from_montgomery_word(ret, t, mont);
|
|
|
ad56ed |
+ if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) {
|
|
|
ad56ed |
+ retn = bn_from_montgomery_word(ret, t, mont);
|
|
|
ad56ed |
+ bn_correct_top(ret);
|
|
|
ad56ed |
+ bn_check_top(ret);
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
BN_CTX_end(ctx);
|
|
|
ad56ed |
#else /* !MONT_WORD */
|
|
|
ad56ed |
BIGNUM *t1, *t2;
|
|
|
ad56ed |
@@ -334,6 +310,12 @@ int BN_from_montgomery(BIGNUM *ret, cons
|
|
|
ad56ed |
return (retn);
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
+int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
|
|
|
ad56ed |
+ BN_CTX *ctx)
|
|
|
ad56ed |
+{
|
|
|
ad56ed |
+ return bn_mul_mont_fixed_top(r, a, &(mont->RR), mont, ctx);
|
|
|
ad56ed |
+}
|
|
|
ad56ed |
+
|
|
|
ad56ed |
BN_MONT_CTX *BN_MONT_CTX_new(void)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
BN_MONT_CTX *ret;
|
|
|
ad56ed |
@@ -370,7 +352,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
|
|
|
ad56ed |
|
|
|
ad56ed |
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
- int ret = 0;
|
|
|
ad56ed |
+ int i, ret = 0;
|
|
|
ad56ed |
BIGNUM *Ri, *R;
|
|
|
ad56ed |
|
|
|
ad56ed |
if (BN_is_zero(mod))
|
|
|
ad56ed |
@@ -382,6 +364,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, c
|
|
|
ad56ed |
R = &(mont->RR); /* grab RR as a temp */
|
|
|
ad56ed |
if (!BN_copy(&(mont->N), mod))
|
|
|
ad56ed |
goto err; /* Set N */
|
|
|
ad56ed |
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
|
|
|
ad56ed |
+ BN_set_flags(&(mont->N), BN_FLG_CONSTTIME);
|
|
|
ad56ed |
mont->N.neg = 0;
|
|
|
ad56ed |
|
|
|
ad56ed |
#ifdef MONT_WORD
|
|
|
ad56ed |
@@ -394,6 +378,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, c
|
|
|
ad56ed |
tmod.dmax = 2;
|
|
|
ad56ed |
tmod.neg = 0;
|
|
|
ad56ed |
|
|
|
ad56ed |
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
|
|
|
ad56ed |
+ BN_set_flags(&tmod, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
|
|
|
ad56ed |
|
|
|
ad56ed |
# if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
|
|
|
ad56ed |
@@ -496,6 +483,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, c
|
|
|
ad56ed |
if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
+ for (i = mont->RR.top, ret = mont->N.top; i < ret; i++)
|
|
|
ad56ed |
+ mont->RR.d[i] = 0;
|
|
|
ad56ed |
+ mont->RR.top = ret;
|
|
|
ad56ed |
+ mont->RR.flags |= BN_FLG_FIXED_TOP;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
ret = 1;
|
|
|
ad56ed |
err:
|
|
|
ad56ed |
BN_CTX_end(ctx);
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn/bn_sqr.c.rohnp-fix openssl-1.0.2k/crypto/bn/bn_sqr.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn/bn_sqr.c.rohnp-fix 2017-01-26 14:22:03.000000000 +0100
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn/bn_sqr.c 2018-08-14 10:57:21.593518726 +0200
|
|
|
ad56ed |
@@ -135,14 +135,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, B
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
rr->neg = 0;
|
|
|
ad56ed |
- /*
|
|
|
ad56ed |
- * If the most-significant half of the top word of 'a' is zero, then the
|
|
|
ad56ed |
- * square of 'a' will max-1 words.
|
|
|
ad56ed |
- */
|
|
|
ad56ed |
- if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l))
|
|
|
ad56ed |
- rr->top = max - 1;
|
|
|
ad56ed |
- else
|
|
|
ad56ed |
- rr->top = max;
|
|
|
ad56ed |
+ rr->top = max;
|
|
|
ad56ed |
+ bn_correct_top(rr);
|
|
|
ad56ed |
if (r != rr && BN_copy(r, rr) == NULL)
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/bn_int.h.rohnp-fix openssl-1.0.2k/crypto/bn_int.h
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/bn_int.h.rohnp-fix 2018-08-14 10:57:21.597518822 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/bn_int.h 2018-08-14 10:57:21.599518871 +0200
|
|
|
ad56ed |
@@ -0,0 +1,13 @@
|
|
|
ad56ed |
+/*
|
|
|
ad56ed |
+ * Some BIGNUM functions assume most significant limb to be non-zero, which
|
|
|
ad56ed |
+ * is customarily arranged by bn_correct_top. Output from below functions
|
|
|
ad56ed |
+ * is not processed with bn_correct_top, and for this reason it may not be
|
|
|
ad56ed |
+ * returned out of public API. It may only be passed internally into other
|
|
|
ad56ed |
+ * functions known to support non-minimal or zero-padded BIGNUMs.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
|
|
ad56ed |
+ BN_MONT_CTX *mont, BN_CTX *ctx);
|
|
|
ad56ed |
+int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
|
|
|
ad56ed |
+ BN_CTX *ctx);
|
|
|
ad56ed |
+int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
|
|
ad56ed |
+ const BIGNUM *m);
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/dsa/dsa_ossl.c.rohnp-fix openssl-1.0.2k/crypto/dsa/dsa_ossl.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/dsa/dsa_ossl.c.rohnp-fix 2018-06-20 17:44:02.153396702 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/dsa/dsa_ossl.c 2018-06-20 17:44:02.577406741 +0200
|
|
|
ad56ed |
@@ -136,8 +136,7 @@ const DSA_METHOD *DSA_OpenSSL(void)
|
|
|
ad56ed |
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
|
|
|
ad56ed |
- BIGNUM m;
|
|
|
ad56ed |
- BIGNUM xr;
|
|
|
ad56ed |
+ BIGNUM *m, *blind, *blindm, *tmp;
|
|
|
ad56ed |
BN_CTX *ctx = NULL;
|
|
|
ad56ed |
int reason = ERR_R_BN_LIB;
|
|
|
ad56ed |
DSA_SIG *ret = NULL;
|
|
|
ad56ed |
@@ -156,9 +155,6 @@ static DSA_SIG *dsa_do_sign(const unsign
|
|
|
ad56ed |
}
|
|
|
ad56ed |
#endif
|
|
|
ad56ed |
|
|
|
ad56ed |
- BN_init(&m);
|
|
|
ad56ed |
- BN_init(&xr);
|
|
|
ad56ed |
-
|
|
|
ad56ed |
if (!dsa->p || !dsa->q || !dsa->g) {
|
|
|
ad56ed |
reason = DSA_R_MISSING_PARAMETERS;
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
@@ -170,6 +166,14 @@ static DSA_SIG *dsa_do_sign(const unsign
|
|
|
ad56ed |
ctx = BN_CTX_new();
|
|
|
ad56ed |
if (ctx == NULL)
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
+ BN_CTX_start(ctx);
|
|
|
ad56ed |
+ m = BN_CTX_get(ctx);
|
|
|
ad56ed |
+ blind = BN_CTX_get(ctx);
|
|
|
ad56ed |
+ blindm = BN_CTX_get(ctx);
|
|
|
ad56ed |
+ tmp = BN_CTX_get(ctx);
|
|
|
ad56ed |
+ if (tmp == NULL)
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
redo:
|
|
|
ad56ed |
if ((dsa->kinv == NULL) || (dsa->r == NULL)) {
|
|
|
ad56ed |
if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
|
|
|
ad56ed |
@@ -189,20 +193,52 @@ static DSA_SIG *dsa_do_sign(const unsign
|
|
|
ad56ed |
* 4.2
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
dlen = BN_num_bytes(dsa->q);
|
|
|
ad56ed |
- if (BN_bin2bn(dgst, dlen, &m) == NULL)
|
|
|
ad56ed |
+ if (BN_bin2bn(dgst, dlen, m) == NULL)
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
- /* Compute s = inv(k) (m + xr) mod q */
|
|
|
ad56ed |
- if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx))
|
|
|
ad56ed |
- goto err; /* s = xr */
|
|
|
ad56ed |
- if (!BN_add(s, &xr, &m))
|
|
|
ad56ed |
- goto err; /* s = m + xr */
|
|
|
ad56ed |
- if (BN_cmp(s, dsa->q) > 0)
|
|
|
ad56ed |
- if (!BN_sub(s, s, dsa->q))
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * The normal signature calculation is:
|
|
|
ad56ed |
+ *
|
|
|
ad56ed |
+ * s := k^-1 * (m + r * priv_key) mod q
|
|
|
ad56ed |
+ *
|
|
|
ad56ed |
+ * We will blind this to protect against side channel attacks
|
|
|
ad56ed |
+ *
|
|
|
ad56ed |
+ * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ /* Generate a blinding value */
|
|
|
ad56ed |
+ do {
|
|
|
ad56ed |
+ if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, -1, 0))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
+ } while (BN_is_zero(blind));
|
|
|
ad56ed |
+ BN_set_flags(blind, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+ BN_set_flags(blindm, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+ BN_set_flags(tmp, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ /* tmp := blind * priv_key * r mod q */
|
|
|
ad56ed |
+ if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ if (!BN_mod_mul(tmp, tmp, r, dsa->q, ctx))
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ /* blindm := blind * m mod q */
|
|
|
ad56ed |
+ if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ /* s : = (blind * priv_key * r) + (blind * m) mod q */
|
|
|
ad56ed |
+ if (!BN_mod_add_quick(s, tmp, blindm, dsa->q))
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ /* s := s * k^-1 mod q */
|
|
|
ad56ed |
if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
+ /* s:= s * blind^-1 mod q */
|
|
|
ad56ed |
+ if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ if (!BN_mod_mul(s, s, blind, dsa->q, ctx))
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
* Redo if r or s is zero as required by FIPS 186-3: this is very
|
|
|
ad56ed |
* unlikely.
|
|
|
ad56ed |
@@ -226,13 +262,12 @@ static DSA_SIG *dsa_do_sign(const unsign
|
|
|
ad56ed |
BN_free(r);
|
|
|
ad56ed |
BN_free(s);
|
|
|
ad56ed |
}
|
|
|
ad56ed |
- if (ctx != NULL)
|
|
|
ad56ed |
+ if (ctx != NULL) {
|
|
|
ad56ed |
+ BN_CTX_end(ctx);
|
|
|
ad56ed |
BN_CTX_free(ctx);
|
|
|
ad56ed |
- BN_clear_free(&m);
|
|
|
ad56ed |
- BN_clear_free(&xr);
|
|
|
ad56ed |
- if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
|
|
|
ad56ed |
- BN_clear_free(kinv);
|
|
|
ad56ed |
- return (ret);
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
+ BN_clear_free(kinv);
|
|
|
ad56ed |
+ return ret;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/ecdsa/ecs_ossl.c.rohnp-fix openssl-1.0.2k/crypto/ecdsa/ecs_ossl.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/ecdsa/ecs_ossl.c.rohnp-fix 2018-06-20 17:44:02.205397934 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/ecdsa/ecs_ossl.c 2018-08-14 11:18:02.062439755 +0200
|
|
|
ad56ed |
@@ -63,6 +63,7 @@
|
|
|
ad56ed |
#ifdef OPENSSL_FIPS
|
|
|
ad56ed |
# include <openssl/fips.h>
|
|
|
ad56ed |
#endif
|
|
|
ad56ed |
+#include "bn_int.h"
|
|
|
ad56ed |
|
|
|
ad56ed |
static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
|
|
|
ad56ed |
const BIGNUM *, const BIGNUM *,
|
|
|
ad56ed |
@@ -98,6 +99,7 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
|
|
ad56ed |
EC_POINT *tmp_point = NULL;
|
|
|
ad56ed |
const EC_GROUP *group;
|
|
|
ad56ed |
int ret = 0;
|
|
|
ad56ed |
+ int order_bits;
|
|
|
ad56ed |
|
|
|
ad56ed |
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
|
|
|
ad56ed |
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
|
|
|
ad56ed |
@@ -129,6 +131,13 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
+ /* Preallocate space */
|
|
|
ad56ed |
+ order_bits = BN_num_bits(order);
|
|
|
ad56ed |
+ if (!BN_set_bit(k, order_bits)
|
|
|
ad56ed |
+ || !BN_set_bit(r, order_bits)
|
|
|
ad56ed |
+ || !BN_set_bit(X, order_bits))
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
do {
|
|
|
ad56ed |
/* get random k */
|
|
|
ad56ed |
do
|
|
|
ad56ed |
@@ -142,13 +151,19 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
* We do not want timing information to leak the length of k, so we
|
|
|
ad56ed |
* compute G*k using an equivalent scalar of fixed bit-length.
|
|
|
ad56ed |
+ *
|
|
|
ad56ed |
+ * We unconditionally perform both of these additions to prevent a
|
|
|
ad56ed |
+ * small timing information leakage. We then choose the sum that is
|
|
|
ad56ed |
+ * one bit longer than the order. This guarantees the code
|
|
|
ad56ed |
+ * path used in the constant time implementations elsewhere.
|
|
|
ad56ed |
+ *
|
|
|
ad56ed |
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
|
|
|
ad56ed |
+ * conditional copy.
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
-
|
|
|
ad56ed |
- if (!BN_add(k, k, order))
|
|
|
ad56ed |
+ if (!BN_add(r, k, order)
|
|
|
ad56ed |
+ || !BN_add(X, r, order)
|
|
|
ad56ed |
+ || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- if (BN_num_bits(k) <= BN_num_bits(order))
|
|
|
ad56ed |
- if (!BN_add(k, k, order))
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
/* compute r the x-coordinate of generator * k */
|
|
|
ad56ed |
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
|
|
|
ad56ed |
@@ -240,13 +255,14 @@ static ECDSA_SIG *ecdsa_do_sign(const un
|
|
|
ad56ed |
EC_KEY *eckey)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
int ok = 0, i;
|
|
|
ad56ed |
- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
|
|
|
ad56ed |
+ BIGNUM *kinv = NULL, *s, *m = NULL, *order = NULL;
|
|
|
ad56ed |
const BIGNUM *ckinv;
|
|
|
ad56ed |
BN_CTX *ctx = NULL;
|
|
|
ad56ed |
const EC_GROUP *group;
|
|
|
ad56ed |
ECDSA_SIG *ret;
|
|
|
ad56ed |
ECDSA_DATA *ecdsa;
|
|
|
ad56ed |
const BIGNUM *priv_key;
|
|
|
ad56ed |
+ BN_MONT_CTX *mont_data;
|
|
|
ad56ed |
|
|
|
ad56ed |
#ifdef OPENSSL_FIPS
|
|
|
ad56ed |
if (FIPS_selftest_failed()) {
|
|
|
ad56ed |
@@ -272,7 +288,7 @@ static ECDSA_SIG *ecdsa_do_sign(const un
|
|
|
ad56ed |
s = ret->s;
|
|
|
ad56ed |
|
|
|
ad56ed |
if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
|
|
|
ad56ed |
- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
|
|
|
ad56ed |
+ (m = BN_new()) == NULL) {
|
|
|
ad56ed |
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
@@ -281,6 +297,8 @@ static ECDSA_SIG *ecdsa_do_sign(const un
|
|
|
ad56ed |
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
+ mont_data = EC_GROUP_get_mont_data(group);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
i = BN_num_bits(order);
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
* Need to truncate digest if it is too long: first truncate whole bytes.
|
|
|
ad56ed |
@@ -311,21 +329,33 @@ static ECDSA_SIG *ecdsa_do_sign(const un
|
|
|
ad56ed |
}
|
|
|
ad56ed |
}
|
|
|
ad56ed |
|
|
|
ad56ed |
- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
|
|
|
ad56ed |
- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * With only one multiplicant being in Montgomery domain
|
|
|
ad56ed |
+ * multiplication yields real result without post-conversion.
|
|
|
ad56ed |
+ * Also note that all operations but last are performed with
|
|
|
ad56ed |
+ * zero-padded vectors. Last operation, BN_mod_mul_montgomery
|
|
|
ad56ed |
+ * below, returns user-visible value with removed zero padding.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+ if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx)
|
|
|
ad56ed |
+ || !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) {
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
- if (!BN_mod_add_quick(s, tmp, m, order)) {
|
|
|
ad56ed |
+ if (!bn_mod_add_fixed_top(s, s, m, order)) {
|
|
|
ad56ed |
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
- if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * |s| can still be larger than modulus, because |m| can be. In
|
|
|
ad56ed |
+ * such case we count on Montgomery reduction to tie it up.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+ if (!bn_to_mont_fixed_top(s, s, mont_data, ctx)
|
|
|
ad56ed |
+ || !BN_mod_mul_montgomery(s, s, ckinv, mont_data, ctx)) {
|
|
|
ad56ed |
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
if (BN_is_zero(s)) {
|
|
|
ad56ed |
/*
|
|
|
ad56ed |
- * if kinv and r have been supplied by the caller don't to
|
|
|
ad56ed |
+ * if kinv and r have been supplied by the caller don't
|
|
|
ad56ed |
* generate new kinv and r values
|
|
|
ad56ed |
*/
|
|
|
ad56ed |
if (in_kinv != NULL && in_r != NULL) {
|
|
|
ad56ed |
@@ -349,8 +379,6 @@ static ECDSA_SIG *ecdsa_do_sign(const un
|
|
|
ad56ed |
BN_CTX_free(ctx);
|
|
|
ad56ed |
if (m)
|
|
|
ad56ed |
BN_clear_free(m);
|
|
|
ad56ed |
- if (tmp)
|
|
|
ad56ed |
- BN_clear_free(tmp);
|
|
|
ad56ed |
if (order)
|
|
|
ad56ed |
BN_free(order);
|
|
|
ad56ed |
if (kinv)
|
|
|
ad56ed |
diff -up openssl-1.0.2k/crypto/Makefile.rohnp-fix openssl-1.0.2k/crypto/Makefile
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/Makefile.rohnp-fix 2018-06-20 17:44:02.467404137 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/Makefile 2018-08-14 10:57:21.595518774 +0200
|
|
|
ad56ed |
@@ -45,7 +45,7 @@ SRC= $(LIBSRC)
|
|
|
ad56ed |
EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
|
|
|
ad56ed |
ossl_typ.h
|
|
|
ad56ed |
HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
|
|
|
ad56ed |
- constant_time_locl.h $(EXHEADER)
|
|
|
ad56ed |
+ constant_time_locl.h bn_int.h $(EXHEADER)
|
|
|
ad56ed |
|
|
|
ad56ed |
ALL= $(GENERAL) $(SRC) $(HEADER)
|
|
|
ad56ed |
|