pk: implement deterministic ECDSA/DSA

This exposes the deterministic ECDSA/DSA functionality through the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.

Signed-off-by: Daiki Ueno <dueno@redhat.com>

7 files changed, 85 insertions, 4 deletions

diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 43124abafb..33eca6031c 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -187,6 +187,13 @@ typedef struct gnutls_x509_spki_st {
 	/* if non-zero, the legacy value for PKCS#7 signatures will be
 	 * written for RSA signatures. */
 	unsigned int legacy;
+
+	/* the digest used by ECDSA/DSA */
+	gnutls_digest_algorithm_t dsa_dig;
+
+	/* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for
+	 * deterministic ECDSA/DSA */
+	unsigned int flags;
 } gnutls_x509_spki_st;
 
 #define GNUTLS_MAX_PK_PARAMS 16
@@ -219,9 +226,16 @@ typedef struct {
  */
 typedef enum {
 	GNUTLS_PK_FLAG_NONE = 0,
-	GNUTLS_PK_FLAG_PROVABLE = 1
+	GNUTLS_PK_FLAG_PROVABLE = 1,
+	GNUTLS_PK_FLAG_REPRODUCIBLE = 2
 } gnutls_pk_flag_t;
 
+#define FIX_SIGN_PARAMS(params, flags, dig) do {		\
+	if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {	\
+		(params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE;	\
+		(params).dsa_dig = (dig);			\
+	}							\
+} while (0)
 
 void gnutls_pk_params_release(gnutls_pk_params_st * p);
 void gnutls_pk_params_clear(gnutls_pk_params_st * p);
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index d4b7da68b2..d8805681a9 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -371,7 +371,10 @@ int gnutls_privkey_status(gnutls_privkey_t key);
  * gnutls_privkey_flags:
  * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol.
  * @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding.
- * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt).
+ * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters.
+ *   For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic
+ *   construction of random parameter according to RFC 6979. Note that
+ *   this only supports the NIST curves and DSA subgroup bits up to 512.
  * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically
  *   release it when the structure it was imported is released.
  * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import.
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 08117c2d82..ebd6481cf7 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -54,6 +54,8 @@
 #include "gost/gostdsa.h"
 #include "gost/ecc-gost-curve.h"
 #endif
+#include "int/ecdsa-compute-k.h"
+#include "int/dsa-compute-k.h"
 #include <gnettle.h>
 #include <fips.h>
 
@@ -86,6 +88,12 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
 	}
 }
 
+static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
+{
+	mpz_t *k = _ctx;
+	nettle_mpz_get_str_256 (length, data, *k);
+}
+
 static void
 ecc_scalar_zclear (struct ecc_scalar *s)
 {
@@ -782,6 +790,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			struct dsa_signature sig;
 			int curve_id = pk_params->curve;
 			const struct ecc_curve *curve;
+			mpz_t k;
+			void *random_ctx;
+			nettle_random_func *random_func;
 
 			curve = get_supported_nist_curve(curve_id);
 			if (curve == NULL)
@@ -808,7 +819,23 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				hash_len = vdata->size;
 			}
 
-			ecdsa_sign(&priv, NULL, rnd_nonce_func, hash_len,
+			mpz_init(k);
+			if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
+				ret = _gnutls_ecdsa_compute_k(k,
+							      curve_id,
+							      pk_params->params[ECC_K],
+							      sign_params->dsa_dig,
+							      vdata->data,
+							      vdata->size);
+				if (ret < 0)
+					goto ecdsa_cleanup;
+				random_ctx = &k;
+				random_func = rnd_mpz_func;
+			} else {
+				random_ctx = NULL;
+				random_func = rnd_nonce_func;
+			}
+			ecdsa_sign(&priv, random_ctx, random_func, hash_len,
 				   vdata->data, &sig);
 
 			/* prevent memory leaks */
@@ -824,6 +851,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
  ecdsa_cleanup:
 			dsa_signature_clear(&sig);
 			ecc_scalar_zclear(&priv);
+			mpz_clear(k);
 
 			if (ret < 0) {
 				gnutls_assert();
@@ -836,6 +864,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			struct dsa_params pub;
 			bigint_t priv;
 			struct dsa_signature sig;
+			mpz_t k;
+			void *random_ctx;
+			nettle_random_func *random_func;
 
 			memset(&priv, 0, sizeof(priv));
 			memset(&pub, 0, sizeof(pub));
@@ -856,8 +887,26 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				hash_len = vdata->size;
 			}
 
+			mpz_init(k);
+			if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
+				ret = _gnutls_dsa_compute_k(k,
+							    pub.q,
+							    TOMPZ(priv),
+							    sign_params->dsa_dig,
+							    vdata->data,
+							    vdata->size);
+				if (ret < 0)
+					goto dsa_fail;
+				/* cancel-out dsa_sign's addition of 1 to random data */
+				mpz_sub_ui (k, k, 1);
+				random_ctx = &k;
+				random_func = rnd_mpz_func;
+			} else {
+				random_ctx = NULL;
+				random_func = rnd_nonce_func;
+			}
 			ret =
-			    dsa_sign(&pub, TOMPZ(priv), NULL, rnd_nonce_func,
+			    dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func,
 				     hash_len, vdata->data, &sig);
 			if (ret == 0 || HAVE_LIB_ERROR()) {
 				gnutls_assert();
@@ -871,6 +920,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 
  dsa_fail:
 			dsa_signature_clear(&sig);
+			mpz_clear(k);
 
 			if (ret < 0) {
 				gnutls_assert();
diff --git a/lib/privkey.c b/lib/privkey.c
index 8683b4e20f..4ef07c8b06 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -1134,6 +1134,8 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, hash);
+
 	return privkey_sign_and_hash_data(signer, _gnutls_pk_to_sign_entry(params.pk, hash), data, signature, &params);
 }
 
@@ -1186,6 +1188,8 @@ gnutls_privkey_sign_data2(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, se->hash);
+
 	return privkey_sign_and_hash_data(signer, se, data, signature, &params);
 }
 
@@ -1253,6 +1257,8 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
 		return ret;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, se->hash);
+
 	return privkey_sign_prehashed(signer, se, hash_data, signature, &params);
 }
 
@@ -1376,6 +1382,8 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
 	if (unlikely(se == NULL))
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+	FIX_SIGN_PARAMS(params, flags, hash_algo);
+
 	return privkey_sign_prehashed(signer, se,
 				      hash_data, signature, &params);
 }
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index c8899f81a5..4ca67535dd 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2642,6 +2642,8 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key,
 	if (se == NULL)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	result = privkey_sign_and_hash_data(key, se,
 					    &tbs, &signature, &params);
 	gnutls_free(tbs.data);
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 21fff7b07a..98669e8879 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -2532,6 +2532,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
 		goto cleanup;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	ret = privkey_sign_and_hash_data(signer_key, se,
 					 &sigdata, &signature, &params);
 	if (ret < 0) {
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index 8f7a96f218..461524f5bf 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -175,6 +175,8 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name,
 		return result;
 	}
 
+	FIX_SIGN_PARAMS(params, flags, dig);
+
 	if (_gnutls_pk_is_not_prehashed(params.pk)) {
 		result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, &params);
 	} else {