Change ecp_mul() prototype to allow randomization

(Also improve an error code while at it.)
This commit is contained in:
Manuel Pégourié-Gonnard 2013-09-02 14:29:09 +02:00
parent f451bac000
commit e09d2f8261
10 changed files with 99 additions and 37 deletions

View file

@ -70,12 +70,20 @@ int ecdh_gen_public( const ecp_group *grp, mpi *d, ecp_point *Q,
* \param z Destination MPI (shared secret)
* \param Q Public key from other party
* \param d Our secret exponent
* \param f_rng RNG function (see notes)
* \param p_rng RNG parameter
*
* \return 0 if successful,
* or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code
*
* \note If f_rng is not NULL, it is used to implement
* countermeasures against potential elaborate timing
* attacks, see \c ecp_mul() for details.
*/
int ecdh_compute_shared( const ecp_group *grp, mpi *z,
const ecp_point *Q, const mpi *d );
const ecp_point *Q, const mpi *d,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/**
* \brief Initialize context
@ -156,11 +164,15 @@ int ecdh_read_public( ecdh_context *ctx,
* \param olen number of bytes written
* \param buf destination buffer
* \param blen buffer length
* \param f_rng RNG function, see notes for \c ecdh_compute_shared()
* \param p_rng RNG parameter
*
* \return 0 if successful, or an POLARSSL_ERR_ECP_XXX error code
*/
int ecdh_calc_secret( ecdh_context *ctx, size_t *olen,
unsigned char *buf, size_t blen );
unsigned char *buf, size_t blen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/**
* \brief Checkup routine

View file

@ -411,17 +411,29 @@ int ecp_sub( const ecp_group *grp, ecp_point *R,
* \param R Destination point
* \param m Integer by which to multiply
* \param P Point to multiply
* \param f_rng RNG function (see notes)
* \param p_rng RNG parameter
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
* POLARSSL_ERR_ECP_GENERIC if m < 0 of m has greater bit
* length than N, the number of points in the group.
* POLARSSL_ERR_ECP_BAD_INPUT_DATA if m < 0 of m has greater
* bit length than N, the number of points in the group.
*
* \note This function executes a constant number of operations
* for random m in the allowed range.
* \note In order to prevent simple timing attacks, this function
* executes a constant number of operations (that is, point
* doubling and addition of distinct points) for random m in
* the allowed range.
*
* \note If f_rng is not NULL, it is used to randomize projective
* coordinates of indermediate results, in order to prevent
* more elaborate timing attacks relying on intermediate
* operations. (This is a prophylactic measure since so such
* attack has been published yet.)
*/
int ecp_mul( const ecp_group *grp, ecp_point *R,
const mpi *m, const ecp_point *P );
const mpi *m, const ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
* \brief Check that a point is a valid public key on this curve

View file

@ -50,7 +50,9 @@ int ecdh_gen_public( const ecp_group *grp, mpi *d, ecp_point *Q,
* Compute shared secret (SEC1 3.3.1)
*/
int ecdh_compute_shared( const ecp_group *grp, mpi *z,
const ecp_point *Q, const mpi *d )
const ecp_point *Q, const mpi *d,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret;
ecp_point P;
@ -62,7 +64,7 @@ int ecdh_compute_shared( const ecp_group *grp, mpi *z,
*/
MPI_CHK( ecp_check_pubkey( grp, Q ) );
MPI_CHK( ecp_mul( grp, &P, d, Q ) );
MPI_CHK( ecp_mul( grp, &P, d, Q, f_rng, p_rng ) );
if( ecp_is_zero( &P ) )
{
@ -202,16 +204,20 @@ int ecdh_read_public( ecdh_context *ctx,
* Derive and export the shared secret
*/
int ecdh_calc_secret( ecdh_context *ctx, size_t *olen,
unsigned char *buf, size_t blen )
unsigned char *buf, size_t blen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret;
if( ctx == NULL )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d ) )
!= 0 )
if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d,
f_rng, p_rng ) ) != 0 )
{
return( ret );
}
if( mpi_size( &ctx->z ) > blen )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );

View file

@ -161,9 +161,12 @@ int ecdsa_verify( const ecp_group *grp,
/*
* Step 5: R = u1 G + u2 Q
*
* Since we're not using any secret data, no need to pass a RNG to
* ecp_mul() for countermesures.
*/
MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G ) );
MPI_CHK( ecp_mul( grp, &P, &u2, Q ) );
MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G, NULL, NULL ) );
MPI_CHK( ecp_mul( grp, &P, &u2, Q, NULL, NULL ) );
MPI_CHK( ecp_add( grp, &R, &R, &P ) );
if( ecp_is_zero( &R ) )

View file

@ -1166,7 +1166,8 @@ cleanup:
* random m in the range 0 .. 2^nbits - 1.
*/
int ecp_mul( const ecp_group *grp, ecp_point *R,
const mpi *m, const ecp_point *P )
const mpi *m, const ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret;
unsigned char w, m_is_odd;
@ -1175,18 +1176,21 @@ int ecp_mul( const ecp_group *grp, ecp_point *R,
ecp_point Q, T[ MAX_PRE_LEN ];
mpi M;
((void) f_rng);
((void) p_rng);
if( mpi_cmp_int( m, 0 ) < 0 || mpi_msb( m ) > grp->nbits )
return( POLARSSL_ERR_ECP_GENERIC );
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
w = grp->nbits >= 521 ? 6 :
grp->nbits >= 224 ? 5 :
4;
4;
/*
* Make sure w is within the limits.
* The last test ensures that none of the precomputed points is zero,
* which wouldn't be handled correctly by ecp_normalize_many().
* It is only useful for small curves, as used in the test suite.
* It is only useful for very small curves, as used in the test suite.
*/
if( w > POLARSSL_ECP_WINDOW_SIZE )
w = POLARSSL_ECP_WINDOW_SIZE;
@ -1348,7 +1352,7 @@ int ecp_gen_keypair( const ecp_group *grp, mpi *d, ecp_point *Q,
}
while( mpi_cmp_int( d, 1 ) < 0 );
return( ecp_mul( grp, Q, d, &grp->G ) );
return( ecp_mul( grp, Q, d, &grp->G, f_rng, p_rng ) );
}
#if defined(POLARSSL_SELF_TEST)
@ -1402,12 +1406,12 @@ int ecp_self_test( int verbose )
#endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
if( verbose != 0 )
printf( " ECP test #1 (SPA resistance): " );
printf( " ECP test #1 (resistance to simple timing attacks): " );
add_count = 0;
dbl_count = 0;
MPI_CHK( mpi_read_string( &m, 16, exponents[0] ) );
MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) );
MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
{
@ -1417,7 +1421,7 @@ int ecp_self_test( int verbose )
dbl_count = 0;
MPI_CHK( mpi_read_string( &m, 16, exponents[i] ) );
MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) );
MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
if( add_count != add_c_prev || dbl_count != dbl_c_prev )
{

View file

@ -1748,7 +1748,8 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
POLARSSL_MPI_MAX_SIZE ) ) != 0 )
POLARSSL_MPI_MAX_SIZE,
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
return( ret );

View file

@ -2410,7 +2410,8 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
POLARSSL_MPI_MAX_SIZE ) ) != 0 )
POLARSSL_MPI_MAX_SIZE,
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );

View file

@ -27,8 +27,10 @@ void ecdh_primitive_random( int id )
== 0 );
TEST_ASSERT( ecdh_gen_public( &grp, &dB, &qB, &rnd_pseudo_rand, &rnd_info )
== 0 );
TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA ) == 0 );
TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB ) == 0 );
TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA,
&rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB,
NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &zA, &zB ) == 0 );
@ -70,9 +72,9 @@ void ecdh_primitive_testvec( int id, char *dA_str, char *xA_str, char *yA_str,
TEST_ASSERT( mpi_cmp_mpi( &qB.Y, &check ) == 0 );
TEST_ASSERT( mpi_read_string( &check, 16, z_str ) == 0 );
TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA ) == 0 );
TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &zA, &check ) == 0 );
TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB ) == 0 );
TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &zB, &check ) == 0 );
ecp_group_free( &grp );
@ -107,8 +109,9 @@ void ecdh_exchange( int id )
&rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( ecdh_read_public( &srv, buf, len ) == 0 );
TEST_ASSERT( ecdh_calc_secret( &srv, &len, buf, 1000 ) == 0 );
TEST_ASSERT( ecdh_calc_secret( &cli, &len, buf, 1000 ) == 0 );
TEST_ASSERT( ecdh_calc_secret( &srv, &len, buf, 1000,
&rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( ecdh_calc_secret( &cli, &len, buf, 1000, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &srv.z, &cli.z ) == 0 );
ecdh_free( &srv );

View file

@ -50,7 +50,7 @@ ECP small subtraction #9
ecp_small_sub:0:"14":"11":0:"14":"36":0:27:30
ECP small multiplication negative
ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_GENERIC
ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_BAD_INPUT_DATA
ECP small multiplication #0
ecp_small_mul:0:1:0:0:0
@ -101,7 +101,7 @@ ECP small multiplication #15
ecp_small_mul:2:0:20:01:0
ECP small multiplication too big
ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_GENERIC
ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_BAD_INPUT_DATA
ECP small check pubkey #1
ecp_small_check_pub:1:1:0:POLARSSL_ERR_ECP_GENERIC

View file

@ -101,17 +101,33 @@ void ecp_small_mul( int m_str, int r_zero, int x_r, int y_r, int ret )
ecp_group grp;
ecp_point R;
mpi m;
rnd_pseudo_info rnd_info;
ecp_group_init( &grp );
ecp_point_init( &R );
mpi_init( &m );
memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
TEST_ASSERT( ecp_group_read_string( &grp, 10,
"47", "4", "17", "42", "13" ) == 0 );
TEST_ASSERT( mpi_lset( &m, m_str ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &m, &grp.G ) == ret );
TEST_ASSERT( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) == ret );
if( r_zero )
TEST_ASSERT( mpi_cmp_int( &R.Z, 0 ) == 0 );
else
{
TEST_ASSERT( mpi_cmp_int( &R.X, x_r ) == 0 );
TEST_ASSERT( mpi_cmp_int( &R.Y, y_r ) == 0 );
}
/* try again with randomization */
ecp_point_free( &R );
TEST_ASSERT( ecp_mul( &grp, &R, &m, &grp.G,
&rnd_pseudo_rand, &rnd_info ) == ret );
if( r_zero )
TEST_ASSERT( mpi_cmp_int( &R.Z, 0 ) == 0 );
@ -158,10 +174,12 @@ void ecp_test_vect( int id, char *dA_str, char *xA_str, char *yA_str,
ecp_group grp;
ecp_point R;
mpi dA, xA, yA, dB, xB, yB, xZ, yZ;
rnd_pseudo_info rnd_info;
ecp_group_init( &grp ); ecp_point_init( &R );
mpi_init( &dA ); mpi_init( &xA ); mpi_init( &yA ); mpi_init( &dB );
mpi_init( &xB ); mpi_init( &yB ); mpi_init( &xZ ); mpi_init( &yZ );
memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
TEST_ASSERT( ecp_use_known_dp( &grp, id ) == 0 );
@ -176,20 +194,22 @@ void ecp_test_vect( int id, char *dA_str, char *xA_str, char *yA_str,
TEST_ASSERT( mpi_read_string( &xZ, 16, xZ_str ) == 0 );
TEST_ASSERT( mpi_read_string( &yZ, 16, yZ_str ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dA, &grp.G ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dA, &grp.G,
&rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xA ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yA ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dB, &R ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dB, &R, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xZ ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yZ ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dB, &grp.G ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dB, &grp.G, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xB ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yB ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dA, &R ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dA, &R,
&rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xZ ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yZ ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );