diff options
author | Daiki Ueno <dueno@redhat.com> | 2019-07-29 14:01:11 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2019-08-08 13:14:46 +0200 |
commit | 8eb3a29336ea11f6b417ce7e25d53513509bdd87 (patch) | |
tree | e2b29005194ac51d83b540c716088fe32358a6ee /lib | |
parent | 3dd0df9e1a499c7b31bf7b4a315e797d2195c1ba (diff) | |
download | gnutls-8eb3a29336ea11f6b417ce7e25d53513509bdd87.tar.gz |
pk: implement deterministic ECDSA/DSA
This exposes the deterministic ECDSA/DSA functionality through the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/crypto-backend.h | 16 | ||||
-rw-r--r-- | lib/includes/gnutls/abstract.h | 5 | ||||
-rw-r--r-- | lib/nettle/pk.c | 54 | ||||
-rw-r--r-- | lib/privkey.c | 8 | ||||
-rw-r--r-- | lib/x509/crq.c | 2 | ||||
-rw-r--r-- | lib/x509/pkcs7.c | 2 | ||||
-rw-r--r-- | lib/x509/sign.c | 2 |
7 files changed, 85 insertions, 4 deletions
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h index 43124abafb..33eca6031c 100644 --- a/lib/crypto-backend.h +++ b/lib/crypto-backend.h @@ -187,6 +187,13 @@ typedef struct gnutls_x509_spki_st { /* if non-zero, the legacy value for PKCS#7 signatures will be * written for RSA signatures. */ unsigned int legacy; + + /* the digest used by ECDSA/DSA */ + gnutls_digest_algorithm_t dsa_dig; + + /* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for + * deterministic ECDSA/DSA */ + unsigned int flags; } gnutls_x509_spki_st; #define GNUTLS_MAX_PK_PARAMS 16 @@ -219,9 +226,16 @@ typedef struct { */ typedef enum { GNUTLS_PK_FLAG_NONE = 0, - GNUTLS_PK_FLAG_PROVABLE = 1 + GNUTLS_PK_FLAG_PROVABLE = 1, + GNUTLS_PK_FLAG_REPRODUCIBLE = 2 } gnutls_pk_flag_t; +#define FIX_SIGN_PARAMS(params, flags, dig) do { \ + if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \ + (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \ + (params).dsa_dig = (dig); \ + } \ +} while (0) void gnutls_pk_params_release(gnutls_pk_params_st * p); void gnutls_pk_params_clear(gnutls_pk_params_st * p); diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h index d4b7da68b2..d8805681a9 100644 --- a/lib/includes/gnutls/abstract.h +++ b/lib/includes/gnutls/abstract.h @@ -371,7 +371,10 @@ int gnutls_privkey_status(gnutls_privkey_t key); * gnutls_privkey_flags: * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol. * @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding. - * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt). + * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters. + * For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic + * construction of random parameter according to RFC 6979. Note that + * this only supports the NIST curves and DSA subgroup bits up to 512. * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically * release it when the structure it was imported is released. * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import. diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index 08117c2d82..ebd6481cf7 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c @@ -54,6 +54,8 @@ #include "gost/gostdsa.h" #include "gost/ecc-gost-curve.h" #endif +#include "int/ecdsa-compute-k.h" +#include "int/dsa-compute-k.h" #include <gnettle.h> #include <fips.h> @@ -86,6 +88,12 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data) } } +static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) +{ + mpz_t *k = _ctx; + nettle_mpz_get_str_256 (length, data, *k); +} + static void ecc_scalar_zclear (struct ecc_scalar *s) { @@ -782,6 +790,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, struct dsa_signature sig; int curve_id = pk_params->curve; const struct ecc_curve *curve; + mpz_t k; + void *random_ctx; + nettle_random_func *random_func; curve = get_supported_nist_curve(curve_id); if (curve == NULL) @@ -808,7 +819,23 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, hash_len = vdata->size; } - ecdsa_sign(&priv, NULL, rnd_nonce_func, hash_len, + mpz_init(k); + if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { + ret = _gnutls_ecdsa_compute_k(k, + curve_id, + pk_params->params[ECC_K], + sign_params->dsa_dig, + vdata->data, + vdata->size); + if (ret < 0) + goto ecdsa_cleanup; + random_ctx = &k; + random_func = rnd_mpz_func; + } else { + random_ctx = NULL; + random_func = rnd_nonce_func; + } + ecdsa_sign(&priv, random_ctx, random_func, hash_len, vdata->data, &sig); /* prevent memory leaks */ @@ -824,6 +851,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, ecdsa_cleanup: dsa_signature_clear(&sig); ecc_scalar_zclear(&priv); + mpz_clear(k); if (ret < 0) { gnutls_assert(); @@ -836,6 +864,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, struct dsa_params pub; bigint_t priv; struct dsa_signature sig; + mpz_t k; + void *random_ctx; + nettle_random_func *random_func; memset(&priv, 0, sizeof(priv)); memset(&pub, 0, sizeof(pub)); @@ -856,8 +887,26 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, hash_len = vdata->size; } + mpz_init(k); + if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { + ret = _gnutls_dsa_compute_k(k, + pub.q, + TOMPZ(priv), + sign_params->dsa_dig, + vdata->data, + vdata->size); + if (ret < 0) + goto dsa_fail; + /* cancel-out dsa_sign's addition of 1 to random data */ + mpz_sub_ui (k, k, 1); + random_ctx = &k; + random_func = rnd_mpz_func; + } else { + random_ctx = NULL; + random_func = rnd_nonce_func; + } ret = - dsa_sign(&pub, TOMPZ(priv), NULL, rnd_nonce_func, + dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func, hash_len, vdata->data, &sig); if (ret == 0 || HAVE_LIB_ERROR()) { gnutls_assert(); @@ -871,6 +920,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, dsa_fail: dsa_signature_clear(&sig); + mpz_clear(k); if (ret < 0) { gnutls_assert(); diff --git a/lib/privkey.c b/lib/privkey.c index 8683b4e20f..4ef07c8b06 100644 --- a/lib/privkey.c +++ b/lib/privkey.c @@ -1134,6 +1134,8 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer, return ret; } + FIX_SIGN_PARAMS(params, flags, hash); + return privkey_sign_and_hash_data(signer, _gnutls_pk_to_sign_entry(params.pk, hash), data, signature, ¶ms); } @@ -1186,6 +1188,8 @@ gnutls_privkey_sign_data2(gnutls_privkey_t signer, return ret; } + FIX_SIGN_PARAMS(params, flags, se->hash); + return privkey_sign_and_hash_data(signer, se, data, signature, ¶ms); } @@ -1253,6 +1257,8 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer, return ret; } + FIX_SIGN_PARAMS(params, flags, se->hash); + return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms); } @@ -1376,6 +1382,8 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer, if (unlikely(se == NULL)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + FIX_SIGN_PARAMS(params, flags, hash_algo); + return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms); } diff --git a/lib/x509/crq.c b/lib/x509/crq.c index c8899f81a5..4ca67535dd 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -2642,6 +2642,8 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key, if (se == NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + FIX_SIGN_PARAMS(params, flags, dig); + result = privkey_sign_and_hash_data(key, se, &tbs, &signature, ¶ms); gnutls_free(tbs.data); diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index 21fff7b07a..98669e8879 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c @@ -2532,6 +2532,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7, goto cleanup; } + FIX_SIGN_PARAMS(params, flags, dig); + ret = privkey_sign_and_hash_data(signer_key, se, &sigdata, &signature, ¶ms); if (ret < 0) { diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 8f7a96f218..461524f5bf 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -175,6 +175,8 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, return result; } + FIX_SIGN_PARAMS(params, flags, dig); + if (_gnutls_pk_is_not_prehashed(params.pk)) { result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, ¶ms); } else { |