aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey/dsa/dsa.cpp
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-06-05 18:40:14 -0400
committerJack Lloyd <[email protected]>2018-06-13 11:01:17 -0400
commit48fc8df51d99f9d8ba251219367b3d629cc848e3 (patch)
treee590824907e7522f11396177a2ea1562549e3f9c /src/lib/pubkey/dsa/dsa.cpp
parent55774de0ca0ed49c3be98786390b55f6eb486b77 (diff)
Address DSA/ECDSA side channel
Diffstat (limited to 'src/lib/pubkey/dsa/dsa.cpp')
-rw-r--r--src/lib/pubkey/dsa/dsa.cpp38
1 files changed, 28 insertions, 10 deletions
diff --git a/src/lib/pubkey/dsa/dsa.cpp b/src/lib/pubkey/dsa/dsa.cpp
index 172804972..7142e4788 100644
--- a/src/lib/pubkey/dsa/dsa.cpp
+++ b/src/lib/pubkey/dsa/dsa.cpp
@@ -74,7 +74,9 @@ namespace {
class DSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
{
public:
- DSA_Signature_Operation(const DSA_PrivateKey& dsa, const std::string& emsa) :
+ DSA_Signature_Operation(const DSA_PrivateKey& dsa,
+ const std::string& emsa,
+ RandomNumberGenerator& rng) :
PK_Ops::Signature_with_EMSA(emsa),
m_group(dsa.get_group()),
m_x(dsa.get_x()),
@@ -83,6 +85,9 @@ class DSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
m_rfc6979_hash = hash_for_emsa(emsa);
#endif
+
+ m_b = BigInt::random_integer(rng, 2, dsa.group_q());
+ m_b_inv = inverse_mod(m_b, dsa.group_q());
}
size_t max_input_bits() const override { return m_group.get_q().bits(); }
@@ -96,6 +101,8 @@ class DSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
std::string m_rfc6979_hash;
#endif
+
+ BigInt m_b, m_b_inv;
};
secure_vector<uint8_t>
@@ -104,22 +111,32 @@ DSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
{
const BigInt& q = m_group.get_q();
- BigInt i(msg, msg_len, q.bits());
+ BigInt m(msg, msg_len, q.bits());
- while(i >= q)
- i -= q;
+ while(m >= q)
+ m -= q;
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
BOTAN_UNUSED(rng);
- const BigInt k = generate_rfc6979_nonce(m_x, q, i, m_rfc6979_hash);
+ const BigInt k = generate_rfc6979_nonce(m_x, q, m, m_rfc6979_hash);
#else
const BigInt k = BigInt::random_integer(rng, 1, q);
#endif
- BigInt s = inverse_mod(k, q);
+ const BigInt k_inv = inverse_mod(k, q);
+
const BigInt r = m_mod_q.reduce(m_group.power_g_p(k));
- s = m_mod_q.multiply(s, mul_add(m_x, r, i));
+ /*
+ * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
+ */
+ m_b = m_mod_q.square(m_b);
+ m_b_inv = m_mod_q.square(m_b_inv);
+
+ m = m_mod_q.multiply(m_b, m);
+ const BigInt xr = m_mod_q.multiply(m_mod_q.multiply(m_x, m_b), r);
+
+ const BigInt s = m_mod_q.multiply(m_b_inv, m_mod_q.multiply(k_inv, xr + m));
// With overwhelming probability, a bug rather than actual zero r/s
if(r.is_zero() || s.is_zero())
@@ -140,7 +157,8 @@ class DSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
m_group(dsa.get_group()),
m_y(dsa.get_y()),
m_mod_q(dsa.group_q())
- {}
+ {
+ }
size_t max_input_bits() const override { return m_group.get_q().bits(); }
@@ -193,12 +211,12 @@ DSA_PublicKey::create_verification_op(const std::string& params,
}
std::unique_ptr<PK_Ops::Signature>
-DSA_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
+DSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
const std::string& params,
const std::string& provider) const
{
if(provider == "base" || provider.empty())
- return std::unique_ptr<PK_Ops::Signature>(new DSA_Signature_Operation(*this, params));
+ return std::unique_ptr<PK_Ops::Signature>(new DSA_Signature_Operation(*this, params, rng));
throw Provider_Not_Found(algo_name(), provider);
}