Add blinding to an ECDSA signature (0c27d793) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+4 −0

Original line number	Diff line number	Diff line
		@@ -9,6 +9,10 @@

		Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]

		*) Add blinding to an ECDSA signature to protect against side channel attacks
		discovered by Keegan Ryan (NCC Group).
		[Matt Caswell]

		*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
		now allow empty (zero character) pass phrases.
		[Richard Levitte]

crypto/ec/ecdsa_ossl.c

+63 −7

Original line number	Diff line number	Diff line
		@@ -210,7 +210,8 @@ ECDSA_SIG ossl_ecdsa_sign_sig(const unsigned char dgst, int dgst_len,
		EC_KEY *eckey)
		{
		int ok = 0, i;
		BIGNUM kinv = NULL, s, m = NULL, tmp = NULL;
		BIGNUM kinv = NULL, s, m = NULL, tmp = NULL, *blind = NULL;
		BIGNUM *blindm = NULL;
		const BIGNUM order, ckinv;
		BN_CTX *ctx = NULL;
		const EC_GROUP *group;
		@@ -243,8 +244,18 @@ ECDSA_SIG ossl_ecdsa_sign_sig(const unsigned char dgst, int dgst_len,
		}
		s = ret->s;

		if ((ctx = BN_CTX_new()) == NULL \|\|
		(tmp = BN_new()) == NULL \|\| (m = BN_new()) == NULL) {
		ctx = BN_CTX_secure_new();
		if (ctx == NULL) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
		goto err;
		}

		BN_CTX_start(ctx);
		tmp = BN_CTX_get(ctx);
		m = BN_CTX_get(ctx);
		blind = BN_CTX_get(ctx);
		blindm = BN_CTX_get(ctx);
		if (blindm == NULL) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
		goto err;
		}
		@@ -284,18 +295,64 @@ ECDSA_SIG ossl_ecdsa_sign_sig(const unsigned char dgst, int dgst_len,
		}
		}

		if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
		/*
		* The normal signature calculation is:
		*
		* s := k^-1 * (m + r * priv_key) mod order
		*
		* We will blind this to protect against side channel attacks
		*
		* s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
		*/

		/* Generate a blinding value */
		do {
		if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY,
		BN_RAND_BOTTOM_ANY))
		goto err;
		} while (BN_is_zero(blind));
		BN_set_flags(blind, BN_FLG_CONSTTIME);
		BN_set_flags(blindm, BN_FLG_CONSTTIME);
		BN_set_flags(tmp, BN_FLG_CONSTTIME);

		/* tmp := blind * priv_key * r mod order */
		if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
		goto err;
		}
		if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
		goto err;
		}

		/* blindm := blind * m mod order */
		if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
		goto err;
		}
		if (!BN_mod_add_quick(s, tmp, m, order)) {

		/* s : = (blind * priv_key * r) + (blind * m) mod order */
		if (!BN_mod_add_quick(s, tmp, blindm, order)) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
		goto err;
		}

		/* s:= s * blind^-1 mod order */
		if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
		goto err;
		}
		if (!BN_mod_mul(s, s, blind, order, ctx)) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
		goto err;
		}

		/* s := s * k^-1 mod order */
		if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
		ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
		goto err;
		}

		if (BN_is_zero(s)) {
		/*
		* if kinv and r have been supplied by the caller don't to
		@@ -317,9 +374,8 @@ ECDSA_SIG ossl_ecdsa_sign_sig(const unsigned char dgst, int dgst_len,
		ECDSA_SIG_free(ret);
		ret = NULL;
		}
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
		BN_clear_free(m);
		BN_clear_free(tmp);
		BN_clear_free(kinv);
		return ret;
		}