[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Jun 21 17:12:09 UTC 2018
The branch master has been updated
via 379f846387348b1090054b56f1d31cdbcbd64196 (commit)
via 792546eb18c3088d7eca0c1ebeb86695bcae18d8 (commit)
via 262dccc0d5946ea4add79e16882950dfbd8a4ab8 (commit)
via c11d372b3b7080dc153902f14a0d4b402e2dfc92 (commit)
from 91860165820daf7a17836597f18752f094b887c8 (commit)
- Log -----------------------------------------------------------------
commit 379f846387348b1090054b56f1d31cdbcbd64196
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date: Tue Jun 19 16:55:29 2018 +0300
[fixup] Add CHANGES entry
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6116)
commit 792546eb18c3088d7eca0c1ebeb86695bcae18d8
Author: Billy Brumley <bbrumley at gmail.com>
Date: Tue May 8 14:00:30 2018 +0300
[crypto/ec] default to FLT or error
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6116)
commit 262dccc0d5946ea4add79e16882950dfbd8a4ab8
Author: Billy Brumley <bbrumley at gmail.com>
Date: Sat May 5 11:03:02 2018 +0300
[crypto/ec] remove blinding to support even orders
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6116)
commit c11d372b3b7080dc153902f14a0d4b402e2dfc92
Author: Billy Brumley <bbrumley at gmail.com>
Date: Fri Apr 27 17:45:51 2018 +0300
make EC_GROUP_do_inverse_ord more robust
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6116)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 7 ++++++
crypto/ec/ec_lcl.h | 8 +++----
crypto/ec/ec_lib.c | 60 +++++++++++++++++++++++++++++++++++++++++++++---
crypto/ec/ecdsa_ossl.c | 41 ++++++---------------------------
crypto/ec/ecp_nistz256.c | 2 +-
5 files changed, 76 insertions(+), 42 deletions(-)
diff --git a/CHANGES b/CHANGES
index 4dc0659..8b4a8bb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,13 @@
release branch.
Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]
+ *) Make ec_group_do_inverse_ord() more robust and available to other
+ EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
+ mitigations are applied to the fallback BN_mod_inverse().
+ When using this function rather than BN_mod_inverse() directly, new
+ EC cryptosystem implementations are then safer-by-default.
+ [Billy Bob Brumley]
+
*) Add coordinate blinding for EC_POINT and implement projective
coordinate blinding for generic prime curves as a countermeasure to
chosen point SCA attacks.
diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index 006e3b6..cf29c7c 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -174,8 +174,8 @@ struct ec_method_st {
int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
const EC_POINT *pub_key, const EC_KEY *ecdh);
/* Inverse modulo order */
- int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r, BIGNUM *x,
- BN_CTX *ctx);
+ int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,
+ const BIGNUM *x, BN_CTX *);
int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
};
@@ -636,7 +636,7 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
void X25519_public_from_private(uint8_t out_public_value[32],
const uint8_t private_key[32]);
-int EC_GROUP_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
- BIGNUM *x, BN_CTX *ctx);
+int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
+ const BIGNUM *x, BN_CTX *ctx);
int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index d0393e8..6a2d1b5 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1017,13 +1017,67 @@ int ec_group_simple_order_bits(const EC_GROUP *group)
return BN_num_bits(group->order);
}
-int EC_GROUP_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
- BIGNUM *x, BN_CTX *ctx)
+static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
+ const BIGNUM *x, BN_CTX *ctx)
+{
+ BIGNUM *e = NULL;
+ BN_CTX *new_ctx = NULL;
+ int ret = 0;
+
+ if (group->mont_data == NULL)
+ return 0;
+
+ if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
+ return 0;
+
+ BN_CTX_start(ctx);
+ if ((e = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /*-
+ * We want inverse in constant time, therefore we utilize the fact
+ * order must be prime and use Fermats Little Theorem instead.
+ */
+ if (!BN_set_word(e, 2))
+ goto err;
+ if (!BN_sub(e, group->order, e))
+ goto err;
+ /*-
+ * Exponent e is public.
+ * No need for scatter-gather or BN_FLG_CONSTTIME.
+ */
+ if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
+ goto err;
+
+ ret = 1;
+
+ err:
+ if (ctx != NULL)
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+ return ret;
+}
+
+/*-
+ * Default behavior, if group->meth->field_inverse_mod_ord is NULL:
+ * - When group->order is even, this function returns an error.
+ * - When group->order is otherwise composite, the correctness
+ * of the output is not guaranteed.
+ * - When x is outside the range [1, group->order), the correctness
+ * of the output is not guaranteed.
+ * - Otherwise, this function returns the multiplicative inverse in the
+ * range [1, group->order).
+ *
+ * EC_METHODs must implement their own field_inverse_mod_ord for
+ * other functionality.
+ */
+int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
+ const BIGNUM *x, BN_CTX *ctx)
{
if (group->meth->field_inverse_mod_ord != NULL)
return group->meth->field_inverse_mod_ord(group, res, x, ctx);
else
- return 0;
+ return ec_field_inverse_mod_ord(group, res, x, ctx);
}
/*-
diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
index cdd0cf0..277ac16 100644
--- a/crypto/ec/ecdsa_ossl.c
+++ b/crypto/ec/ecdsa_ossl.c
@@ -136,34 +136,10 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
}
while (BN_is_zero(r));
- /* Check if optimized inverse is implemented */
- if (EC_GROUP_do_inverse_ord(group, k, k, ctx) == 0) {
- /* compute the inverse of k */
- if (group->mont_data != NULL) {
- /*
- * We want inverse in constant time, therefore we utilize the fact
- * order must be prime and use Fermats Little Theorem instead.
- */
- if (!BN_set_word(X, 2)) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
- }
- if (!BN_mod_sub(X, order, X, order, ctx)) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
- }
- BN_set_flags(X, BN_FLG_CONSTTIME);
- if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx,
- group->mont_data)) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
- }
- } else {
- if (!BN_mod_inverse(k, k, order, ctx)) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
- }
- }
+ /* compute the inverse of k */
+ if (!ec_group_do_inverse_ord(group, k, k, ctx)) {
+ ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
}
/* clear old values if necessary */
@@ -449,12 +425,9 @@ int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
goto err;
}
/* calculate tmp1 = inv(S) mod order */
- /* Check if optimized inverse is implemented */
- if (EC_GROUP_do_inverse_ord(group, u2, sig->s, ctx) == 0) {
- if (!BN_mod_inverse(u2, sig->s, order, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
- goto err;
- }
+ if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
+ ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
}
/* digest -> m */
i = BN_num_bits(order);
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index 0292561..045c2e7 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -1512,7 +1512,7 @@ void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS],
int rep);
static int ecp_nistz256_inv_mod_ord(const EC_GROUP *group, BIGNUM *r,
- BIGNUM *x, BN_CTX *ctx)
+ const BIGNUM *x, BN_CTX *ctx)
{
/* RR = 2^512 mod ord(p256) */
static const BN_ULONG RR[P256_LIMBS] = {
More information about the openssl-commits
mailing list