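--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -1,8 +1,8 @@
 /* crypto/dsa/dsa_ossl.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
  *
@@ -219,35 +219,46 @@
     return (ret);
 }
 
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
                           BIGNUM **rp)
 {
     BN_CTX *ctx;
     BIGNUM k, kq, *K, *kinv = NULL, *r = NULL;
+    BIGNUM l, m;
     int ret = 0;
+    int q_bits;
 
     if (!dsa->p || !dsa->q || !dsa->g) {
         DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
         return 0;
     }
 
     BN_init(&k);
     BN_init(&kq);
+    BN_init(&l);
+    BN_init(&m);
 
     if (ctx_in == NULL) {
         if ((ctx = BN_CTX_new()) == NULL)
             goto err;
     } else
         ctx = ctx_in;
 
     if ((r = BN_new()) == NULL)
         goto err;
 
+    /* Preallocate space */
+    q_bits = BN_num_bits(dsa->q);
+    if (!BN_set_bit(&k, q_bits)
+        || !BN_set_bit(&l, q_bits)
+        || !BN_set_bit(&m, q_bits))
+        goto err;
+
     /* Get random k */
     do
         if (!BN_rand_range(&k, dsa->q))
             goto err;
     while (BN_is_zero(&k));
 
     if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
         BN_set_flags(&k, BN_FLG_CONSTTIME);
@@ -258,35 +269,34 @@
         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
                                     CRYPTO_LOCK_DSA, dsa->p, ctx))
             goto err;
     }
 
     /* Compute r = (g^k mod p) mod q */
 
     if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-        if (!BN_copy(&kq, &k))
-            goto err;
-
-        BN_set_flags(&kq, BN_FLG_CONSTTIME);
-
         /*
          * We do not want timing information to leak the length of k, so we
-         * compute g^k using an equivalent exponent of fixed length. (This
-         * is a kludge that we need because the BN_mod_exp_mont() does not
-         * let us specify the desired timing behaviour.)
+         * compute G^k using an equivalent scalar of fixed bit-length.
+         *
+         * We unconditionally perform both of these additions to prevent a
+         * small timing information leakage. We then choose the sum that is
+         * one bit longer than the modulus.
+         *
+         * TODO: revisit the BN_copy aiming for a memory access agnostic
+         * conditional copy.
          */
-
-        if (!BN_add(&kq, &kq, dsa->q))
+        if (!BN_add(&l, &k, dsa->q)
+            || !BN_add(&m, &l, dsa->q)
+            || !BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m))
             goto err;
-        if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) {
-            if (!BN_add(&kq, &kq, dsa->q))
-                goto err;
-        }
 
+        BN_set_flags(&kq, BN_FLG_CONSTTIME);
+
         K = &kq;
     } else {
         K = &k;
     }
 
     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
                    dsa->method_mont_p);
     if (!BN_mod(r, r, dsa->q, ctx))
@@ -309,17 +319,19 @@
         DSAerr(DSA_F_DSA_SIGN_SETUP, ERR_R_BN_LIB);
         if (r != NULL)
             BN_clear_free(r);
     }
     if (ctx_in == NULL)
         BN_CTX_free(ctx);
     BN_clear_free(&k);
     BN_clear_free(&kq);
-    return (ret);
+    BN_clear_free(&l);
+    BN_clear_free(&m);
+    return ret;
 }
 
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
                          DSA_SIG *sig, DSA *dsa)
 {
     BN_CTX *ctx;
     BIGNUM u1, u2, t1;
     BN_MONT_CTX *mont = NULL;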
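Review bot: The preallocation at new lines 250-255 reserves only q_bits+1 bits in k, l and m, but m at line 289 is k + 2q and can be q_bits+2 bits long, so whenever q_bits+1 is an exact multiple of the word size BN_add may still have to grow m for some values of k, which is the k-dependent allocation the "Preallocate space" block is meant to rule out. The standard 160/224/256-bit q sizes do not hit that boundary, so this is a gap for non-standard q lengths rather than the common case, but the preallocation should not depend on it. Reserving a full extra word closes it without touching the later `BN_num_bits(&l) > q_bits` selection: `if (!BN_set_bit(&k, q_bits + BN_BITS2) || !BN_set_bit(&l, q_bits + BN_BITS2) || !BN_set_bit(&m, q_bits + BN_BITS2))`. The body of dsa_sign_setup continues outside the hunk (the kinv computation after BN_mod is hidden), so only the r computation was reviewed.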