
Change ecp_mul() prototype to allow randomization

(Also improve an error code while at it.)
This commit is contained in:
Manuel Pégourié-Gonnard
2013-09-02 14:29:09 +02:00
parent f451bac000
commit e09d2f8261
10 changed files with 99 additions and 37 deletions


@@ -50,7 +50,9 @@ int ecdh_gen_public( const ecp_group *grp, mpi *d, ecp_point *Q,
* Compute shared secret (SEC1 3.3.1)
*/
int ecdh_compute_shared( const ecp_group *grp, mpi *z,
const ecp_point *Q, const mpi *d )
const ecp_point *Q, const mpi *d,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret;
ecp_point P;
@@ -62,7 +64,7 @@ int ecdh_compute_shared( const ecp_group *grp, mpi *z,
*/
MPI_CHK( ecp_check_pubkey( grp, Q ) );
MPI_CHK( ecp_mul( grp, &P, d, Q ) );
MPI_CHK( ecp_mul( grp, &P, d, Q, f_rng, p_rng ) );
if( ecp_is_zero( &P ) )
{
@@ -202,16 +204,20 @@ int ecdh_read_public( ecdh_context *ctx,
* Derive and export the shared secret
*/
int ecdh_calc_secret( ecdh_context *ctx, size_t *olen,
unsigned char *buf, size_t blen )
unsigned char *buf, size_t blen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret;
if( ctx == NULL )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d ) )
!= 0 )
if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d,
f_rng, p_rng ) ) != 0 )
{
return( ret );
}
if( mpi_size( &ctx->z ) > blen )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
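Review bot: The new f_rng/p_rng parameters of ecdh_compute_shared and ecdh_calc_secret are not documented anywhere in these hunks, and the scalar they accompany into ecp_mul() is the private key d, so a reader needs to know that these are the side-channel countermeasure inputs and whether NULL is acceptable. Above ecdh_compute_shared, next to the `Compute shared secret (SEC1 3.3.1)` comment, I would add `* f_rng/p_rng are forwarded to ecp_mul() as the RNG for countermeasures on the secret scalar d; NULL is accepted by the current ecp_mul(), which still discards them`. ecdh_calc_secret validates ctx but says nothing about f_rng; whether a NULL RNG should be rejected there is presumably a deliberate choice, but it belongs in the header's Doxygen comment, which is not part of this view. Both function bodies continue outside their hunks.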


@@ -161,9 +161,12 @@ int ecdsa_verify( const ecp_group *grp,
/*
* Step 5: R = u1 G + u2 Q
*
* Since we're not using any secret data, no need to pass a RNG to
* ecp_mul() for countermesures.
*/
MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G ) );
MPI_CHK( ecp_mul( grp, &P, &u2, Q ) );
MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G, NULL, NULL ) );
MPI_CHK( ecp_mul( grp, &P, &u2, Q, NULL, NULL ) );
MPI_CHK( ecp_add( grp, &R, &R, &P ) );
if( ecp_is_zero( &R ) )
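Review bot: The new comment above the two ecp_mul() calls misspells "countermeasures" as `countermesures`; the line should read `* ecp_mul() for countermeasures.`. The reasoning itself is sound — u1, u2, G and Q are all public in verification — and passing NULL, NULL matches the ecp_mul() in this commit, which discards both arguments. ecdsa_verify continues outside the hunk.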


@@ -1166,7 +1166,8 @@ cleanup:
* random m in the range 0 .. 2^nbits - 1.
*/
int ecp_mul( const ecp_group *grp, ecp_point *R,
const mpi *m, const ecp_point *P )
const mpi *m, const ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret;
unsigned char w, m_is_odd;
@@ -1175,18 +1176,21 @@ int ecp_mul( const ecp_group *grp, ecp_point *R,
ecp_point Q, T[ MAX_PRE_LEN ];
mpi M;
((void) f_rng);
((void) p_rng);
if( mpi_cmp_int( m, 0 ) < 0 || mpi_msb( m ) > grp->nbits )
return( POLARSSL_ERR_ECP_GENERIC );
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
w = grp->nbits >= 521 ? 6 :
grp->nbits >= 224 ? 5 :
4;
4;
/*
* Make sure w is within the limits.
* The last test ensures that none of the precomputed points is zero,
* which wouldn't be handled correctly by ecp_normalize_many().
* It is only useful for small curves, as used in the test suite.
* It is only useful for very small curves, as used in the test suite.
*/
if( w > POLARSSL_ECP_WINDOW_SIZE )
w = POLARSSL_ECP_WINDOW_SIZE;
@@ -1348,7 +1352,7 @@ int ecp_gen_keypair( const ecp_group *grp, mpi *d, ecp_point *Q,
}
while( mpi_cmp_int( d, 1 ) < 0 );
return( ecp_mul( grp, Q, d, &grp->G ) );
return( ecp_mul( grp, Q, d, &grp->G, f_rng, p_rng ) );
}
#if defined(POLARSSL_SELF_TEST)
@@ -1402,12 +1406,12 @@ int ecp_self_test( int verbose )
#endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
if( verbose != 0 )
printf( " ECP test #1 (SPA resistance): " );
printf( " ECP test #1 (resistance to simple timing attacks): " );
add_count = 0;
dbl_count = 0;
MPI_CHK( mpi_read_string( &m, 16, exponents[0] ) );
MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) );
MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
{
@@ -1417,7 +1421,7 @@ int ecp_self_test( int verbose )
dbl_count = 0;
MPI_CHK( mpi_read_string( &m, 16, exponents[i] ) );
MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) );
MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
if( add_count != add_c_prev || dbl_count != dbl_c_prev )
{
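Review bot: ecp_mul() now advertises f_rng/p_rng in its prototype, but the body immediately discards them (`((void) f_rng); ((void) p_rng);`), so a caller reading only the signature could assume the scalar multiplication is already randomized when it is not. The doc comment above the definition (its start lies outside the hunk; only the `random m in the range 0 .. 2^nbits - 1` line is visible) should state that the RNG is accepted for a forthcoming countermeasure, is currently unused, and that NULL is permitted — the self-test and ecdsa already pass NULL. The switch of the range check to POLARSSL_ERR_ECP_BAD_INPUT_DATA is the right code for a caller-supplied m, and ecp_gen_keypair forwarding its own f_rng/p_rng is correct since d there is secret. ecp_mul's body continues past the hunk.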


@@ -1748,7 +1748,8 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
POLARSSL_MPI_MAX_SIZE ) ) != 0 )
POLARSSL_MPI_MAX_SIZE,
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
return( ret );


@@ -2410,7 +2410,8 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
POLARSSL_MPI_MAX_SIZE ) ) != 0 )
POLARSSL_MPI_MAX_SIZE,
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
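Review bot: On the server side every failure of ecdh_calc_secret is still mapped to POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS, and with the new ssl->f_rng argument that will also cover an RNG failure once ecp_mul() starts using it, reporting it as a malformed ClientKeyExchange; the client-side hunk in ssl_write_client_key_exchange propagates `ret` instead. If the mapping is not deliberate, `return( ret );` here would keep the two paths consistent, otherwise a one-line comment on the return noting that ecdh errors (including RNG errors) are masked would help. Whether ssl->f_rng can be NULL at this point is not visible in the hunk; presumably the handshake already needed it for the ephemeral key, but that should be confirmed against the ecdh_calc_secret contract. ssl_parse_client_key_exchange continues outside the hunk.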