diff options
| author | Daiki Ueno <ueno@gnu.org> | 2021-05-11 12:32:31 +0000 |
|---|---|---|
| committer | Daiki Ueno <ueno@gnu.org> | 2021-05-11 12:32:31 +0000 |
| commit | 0e82bfeb842c3981db8a494e77d97cec2a4824a9 (patch) | |
| tree | a475ad55126a22524642ba94aab5908bb7457305 | |
| parent | 1bd5c9c7a2b87b7c7ec802f83b1480de388a3a09 (diff) | |
| parent | 0f18f07efe103718ca79f5a206a08c3a3cc6c410 (diff) | |
| download | gnutls-0e82bfeb842c3981db8a494e77d97cec2a4824a9.tar.gz | |
Merge branch 'wip/dueno/ecdsa-verify-3.6.x' into 'gnutls_3_6_x'
nettle: port upstream hardening of EC point multiplication [3.6.x]
See merge request gnutls/gnutls!1407
| -rw-r--r-- | .gitignore | 3 | ||||
| -rw-r--r-- | .x-sc_space_tab | 3 | ||||
| -rwxr-xr-x | devel/import-ecc-from-nettle.sh | 4 | ||||
| -rw-r--r-- | lib/nettle/ecc/override/ecc-gostdsa-verify.c.diff | 19 | ||||
| -rw-r--r-- | lib/nettle/ecc/override/ecc-internal.h.diff | 26 | ||||
| -rw-r--r-- | lib/nettle/ecc/override/ecc-mod-arith.c.diff | 19 | ||||
| -rw-r--r-- | lib/nettle/ecc/override/eddsa-hash.c.diff | 30 | ||||
| -rw-r--r-- | lib/nettle/ecc/override/gostdsa-vko.c.diff | 16 |
8 files changed, 119 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore index 2b23292693..fb11a657b4 100644 --- a/.gitignore +++ b/.gitignore @@ -235,7 +235,8 @@ lib/minitasn1/Makefile lib/minitasn1/Makefile.in lib/nettle/libcrypto.la lib/nettle/backport -lib/nettle/ecc +lib/nettle/ecc/* +!lib/nettle/ecc/override lib/opencdk/libminiopencdk.la lib/opencdk/Makefile lib/opencdk/Makefile.in diff --git a/.x-sc_space_tab b/.x-sc_space_tab new file mode 100644 index 0000000000..4311834933 --- /dev/null +++ b/.x-sc_space_tab @@ -0,0 +1,3 @@ +^lib/nettle/ecc/override/ecc-gostdsa-verify.c.diff +^lib/nettle/ecc/override/ecc-internal.h.diff +^lib/nettle/ecc/override/eddsa-hash.c.diff diff --git a/devel/import-ecc-from-nettle.sh b/devel/import-ecc-from-nettle.sh index 2ce6285d39..30b7c58a88 100755 --- a/devel/import-ecc-from-nettle.sh +++ b/devel/import-ecc-from-nettle.sh @@ -96,6 +96,10 @@ for f in $IMPORTS; do echo "Copying file $dst" fi cp $src $dst + if test -e $DST/override/$f.diff; then + echo "Patching file $dst" + patch -s -d $DST -p1 < $DST/override/$f.diff + fi # Use <nettle/*.h> for public headers. for h in $PUBLIC; do p=$(echo $h | sed 's/\./\\./g') diff --git a/lib/nettle/ecc/override/ecc-gostdsa-verify.c.diff b/lib/nettle/ecc/override/ecc-gostdsa-verify.c.diff new file mode 100644 index 0000000000..143143e66d --- /dev/null +++ b/lib/nettle/ecc/override/ecc-gostdsa-verify.c.diff @@ -0,0 +1,19 @@ +diff --git a/ecc-gostdsa-verify.c b/ecc-gostdsa-verify.c +index 29b82c84..906abbf3 100644 +--- a/ecc-gostdsa-verify.c ++++ b/ecc-gostdsa-verify.c +@@ -102,11 +102,11 @@ ecc_gostdsa_verify (const struct ecc_curve *ecc, + ecc->q.invert (&ecc->q, vp, hp, vp + 2*ecc->p.size); + + /* z1 = s / h, P1 = z1 * G */ +- ecc_mod_mul (&ecc->q, z1, sp, vp); ++ ecc_mod_mul_canonical (&ecc->q, z1, sp, vp); + + /* z2 = - r / h, P2 = z2 * Y */ +- ecc_mod_mul (&ecc->q, z2, rp, vp); +- mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size); ++ mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->q, z2, hp, vp); + + /* Total storage: 5*ecc->p.size + ecc->mul_itch */ + ecc->mul (ecc, P2, z2, pp, z2 + ecc->p.size); diff --git a/lib/nettle/ecc/override/ecc-internal.h.diff b/lib/nettle/ecc/override/ecc-internal.h.diff new file mode 100644 index 0000000000..170191836c --- /dev/null +++ b/lib/nettle/ecc/override/ecc-internal.h.diff @@ -0,0 +1,26 @@ +diff --git a/ecc-internal.h b/ecc-internal.h +index 9e24e0ce..2cc9b137 100644 +--- a/ecc-internal.h ++++ b/ecc-internal.h +@@ -49,6 +49,7 @@ + #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 + #define ecc_mod_mul _nettle_ecc_mod_mul + #define ecc_mod_sqr _nettle_ecc_mod_sqr ++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical + #define ecc_mod_random _nettle_ecc_mod_random + #define ecc_mod _nettle_ecc_mod + #define ecc_mod_inv _nettle_ecc_mod_inv +@@ -256,6 +257,13 @@ void + ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap); + ++/* mul function produces a canonical result, 0 <= R < M, needs 2*m->size limbs ++ * at rp. ++ */ ++void ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, const mp_limb_t *bp); ++ + /* mod q operations. */ + void + ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, diff --git a/lib/nettle/ecc/override/ecc-mod-arith.c.diff b/lib/nettle/ecc/override/ecc-mod-arith.c.diff new file mode 100644 index 0000000000..17b2592e30 --- /dev/null +++ b/lib/nettle/ecc/override/ecc-mod-arith.c.diff @@ -0,0 +1,19 @@ +diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c +index f2e47f67..959eae1c 100644 +--- a/ecc-mod-arith.c ++++ b/ecc-mod-arith.c +@@ -125,3 +125,14 @@ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, + mpn_sqr (rp, ap, m->size); + m->reduce (m, rp); + } ++ ++void ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, const mp_limb_t *bp) ++{ ++ mp_limb_t cy; ++ ecc_mod_mul(m, rp, ap, bp); ++ ++ cy = mpn_sub_n (rp + m->size, rp, m->m, m->size); ++ cnd_copy (!cy, rp, rp + m->size, m->size); ++} diff --git a/lib/nettle/ecc/override/eddsa-hash.c.diff b/lib/nettle/ecc/override/eddsa-hash.c.diff new file mode 100644 index 0000000000..f2237e503f --- /dev/null +++ b/lib/nettle/ecc/override/eddsa-hash.c.diff @@ -0,0 +1,30 @@ +diff --git a/eddsa-hash.c b/eddsa-hash.c +index e05f6ac1..743dc4be 100644 +--- a/eddsa-hash.c ++++ b/eddsa-hash.c +@@ -44,13 +44,14 @@ + #include "ecc-internal.h" + #include "nettle-internal.h" + +-/* Convert hash digest to integer, and reduce modulo q, to m->size +- limbs. Needs space for 2*m->size + 1 at rp. */ ++/* Convert hash digest to integer, and reduce canonically modulo q. ++ Needs space for 2*m->size + 1 at rp. */ + void + _eddsa_hash (const struct ecc_modulo *m, + mp_limb_t *rp, size_t digest_size, const uint8_t *digest) + { + mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS; ++ mp_limb_t cy; + + mpn_set_base256_le (rp, nlimbs, digest, digest_size); + +@@ -75,4 +76,8 @@ _eddsa_hash (const struct ecc_modulo *m, + assert (hi == 0); + } + m->mod (m, rp); ++ /* Ensure canonical reduction. */ ++ cy = mpn_sub_n (rp + m->size, rp, m->m, m->size); ++ cnd_copy (cy, rp + m->size, rp, m->size); ++ mpn_copyi (rp, rp + m->size, m->size); + } diff --git a/lib/nettle/ecc/override/gostdsa-vko.c.diff b/lib/nettle/ecc/override/gostdsa-vko.c.diff new file mode 100644 index 0000000000..8a058db99e --- /dev/null +++ b/lib/nettle/ecc/override/gostdsa-vko.c.diff @@ -0,0 +1,16 @@ +diff --git a/gostdsa-vko.c b/gostdsa-vko.c +index 7bdcdfc3..c6697ab3 100644 +--- a/gostdsa-vko.c ++++ b/gostdsa-vko.c +@@ -87,7 +87,8 @@ gostdsa_vko (const struct ecc_scalar *priv, + if (mpn_zero_p (UKM, size)) + UKM[0] = 1; + +- ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */ ++ ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */ ++ + ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ + ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ + mpn_get_base256_le (out, bsize, TEMP, size); +-- +2.31.1 |