Change ecp_mul() prototype to allow randomization
(Also improve an error code while at it.)
diff --git a/include/polarssl/ecdh.h b/include/polarssl/ecdh.h
index 2184ab9..d91aea5 100644
--- a/include/polarssl/ecdh.h
+++ b/include/polarssl/ecdh.h
@@ -70,12 +70,20 @@
* \param z Destination MPI (shared secret)
* \param Q Public key from other party
* \param d Our secret exponent
+ * \param f_rng RNG function (see notes)
+ * \param p_rng RNG parameter
*
* \return 0 if successful,
* or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code
+ *
+ * \note If f_rng is not NULL, it is used to implement
+ * countermeasures against potential elaborate timing
+ * attacks, see \c ecp_mul() for details.
*/
int ecdh_compute_shared( const ecp_group *grp, mpi *z,
- const ecp_point *Q, const mpi *d );
+ const ecp_point *Q, const mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief Initialize context
@@ -156,11 +164,15 @@
* \param olen number of bytes written
* \param buf destination buffer
* \param blen buffer length
+ * \param f_rng RNG function, see notes for \c ecdh_compute_shared()
+ * \param p_rng RNG parameter
*
* \return 0 if successful, or an POLARSSL_ERR_ECP_XXX error code
*/
int ecdh_calc_secret( ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen );
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief Checkup routine
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index ad31bff..5942231 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -411,17 +411,29 @@
* \param R Destination point
* \param m Integer by which to multiply
* \param P Point to multiply
+ * \param f_rng RNG function (see notes)
+ * \param p_rng RNG parameter
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- * POLARSSL_ERR_ECP_GENERIC if m < 0 of m has greater bit
- * length than N, the number of points in the group.
+ * POLARSSL_ERR_ECP_BAD_INPUT_DATA if m < 0 of m has greater
+ * bit length than N, the number of points in the group.
*
- * \note This function executes a constant number of operations
- * for random m in the allowed range.
+ * \note In order to prevent simple timing attacks, this function
+ * executes a constant number of operations (that is, point
+ * doubling and addition of distinct points) for random m in
+ * the allowed range.
+ *
+ * \note If f_rng is not NULL, it is used to randomize projective
+ * coordinates of indermediate results, in order to prevent
+ * more elaborate timing attacks relying on intermediate
+ * operations. (This is a prophylactic measure since so such
+ * attack has been published yet.)
*/
int ecp_mul( const ecp_group *grp, ecp_point *R,
- const mpi *m, const ecp_point *P );
+ const mpi *m, const ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
/**
* \brief Check that a point is a valid public key on this curve
diff --git a/library/ecdh.c b/library/ecdh.c
index d76596e..8ef02f5 100644
--- a/library/ecdh.c
+++ b/library/ecdh.c
@@ -50,7 +50,9 @@
* Compute shared secret (SEC1 3.3.1)
*/
int ecdh_compute_shared( const ecp_group *grp, mpi *z,
- const ecp_point *Q, const mpi *d )
+ const ecp_point *Q, const mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
ecp_point P;
@@ -62,7 +64,7 @@
*/
MPI_CHK( ecp_check_pubkey( grp, Q ) );
- MPI_CHK( ecp_mul( grp, &P, d, Q ) );
+ MPI_CHK( ecp_mul( grp, &P, d, Q, f_rng, p_rng ) );
if( ecp_is_zero( &P ) )
{
@@ -202,16 +204,20 @@
* Derive and export the shared secret
*/
int ecdh_calc_secret( ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen )
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
if( ctx == NULL )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
- if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d ) )
- != 0 )
+ if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d,
+ f_rng, p_rng ) ) != 0 )
+ {
return( ret );
+ }
if( mpi_size( &ctx->z ) > blen )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 67774c9..bbdb5d5 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -161,9 +161,12 @@
/*
* Step 5: R = u1 G + u2 Q
+ *
+ * Since we're not using any secret data, no need to pass a RNG to
+ * ecp_mul() for countermesures.
*/
- MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G ) );
- MPI_CHK( ecp_mul( grp, &P, &u2, Q ) );
+ MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G, NULL, NULL ) );
+ MPI_CHK( ecp_mul( grp, &P, &u2, Q, NULL, NULL ) );
MPI_CHK( ecp_add( grp, &R, &R, &P ) );
if( ecp_is_zero( &R ) )
diff --git a/library/ecp.c b/library/ecp.c
index 09a021b..b4ee042 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1166,7 +1166,8 @@
* random m in the range 0 .. 2^nbits - 1.
*/
int ecp_mul( const ecp_group *grp, ecp_point *R,
- const mpi *m, const ecp_point *P )
+ const mpi *m, const ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret;
unsigned char w, m_is_odd;
@@ -1175,18 +1176,21 @@
ecp_point Q, T[ MAX_PRE_LEN ];
mpi M;
+ ((void) f_rng);
+ ((void) p_rng);
+
if( mpi_cmp_int( m, 0 ) < 0 || mpi_msb( m ) > grp->nbits )
- return( POLARSSL_ERR_ECP_GENERIC );
+ return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
w = grp->nbits >= 521 ? 6 :
grp->nbits >= 224 ? 5 :
- 4;
+ 4;
/*
* Make sure w is within the limits.
* The last test ensures that none of the precomputed points is zero,
* which wouldn't be handled correctly by ecp_normalize_many().
- * It is only useful for small curves, as used in the test suite.
+ * It is only useful for very small curves, as used in the test suite.
*/
if( w > POLARSSL_ECP_WINDOW_SIZE )
w = POLARSSL_ECP_WINDOW_SIZE;
@@ -1348,7 +1352,7 @@
}
while( mpi_cmp_int( d, 1 ) < 0 );
- return( ecp_mul( grp, Q, d, &grp->G ) );
+ return( ecp_mul( grp, Q, d, &grp->G, f_rng, p_rng ) );
}
#if defined(POLARSSL_SELF_TEST)
@@ -1402,12 +1406,12 @@
#endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
if( verbose != 0 )
- printf( " ECP test #1 (SPA resistance): " );
+ printf( " ECP test #1 (resistance to simple timing attacks): " );
add_count = 0;
dbl_count = 0;
MPI_CHK( mpi_read_string( &m, 16, exponents[0] ) );
- MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) );
+ MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
{
@@ -1417,7 +1421,7 @@
dbl_count = 0;
MPI_CHK( mpi_read_string( &m, 16, exponents[i] ) );
- MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) );
+ MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
if( add_count != add_c_prev || dbl_count != dbl_c_prev )
{
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 0fccf34..3b9d142 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1748,7 +1748,8 @@
if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
- POLARSSL_MPI_MAX_SIZE ) ) != 0 )
+ POLARSSL_MPI_MAX_SIZE,
+ ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
return( ret );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 5bedcad..adf5a62 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2410,7 +2410,8 @@
if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
- POLARSSL_MPI_MAX_SIZE ) ) != 0 )
+ POLARSSL_MPI_MAX_SIZE,
+ ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function
index 5bfd63d..ba35c76 100644
--- a/tests/suites/test_suite_ecdh.function
+++ b/tests/suites/test_suite_ecdh.function
@@ -27,8 +27,10 @@
== 0 );
TEST_ASSERT( ecdh_gen_public( &grp, &dB, &qB, &rnd_pseudo_rand, &rnd_info )
== 0 );
- TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA ) == 0 );
- TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB ) == 0 );
+ TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA,
+ &rnd_pseudo_rand, &rnd_info ) == 0 );
+ TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB,
+ NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &zA, &zB ) == 0 );
@@ -70,9 +72,9 @@
TEST_ASSERT( mpi_cmp_mpi( &qB.Y, &check ) == 0 );
TEST_ASSERT( mpi_read_string( &check, 16, z_str ) == 0 );
- TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA ) == 0 );
+ TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &zA, &check ) == 0 );
- TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB ) == 0 );
+ TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &zB, &check ) == 0 );
ecp_group_free( &grp );
@@ -107,8 +109,9 @@
&rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( ecdh_read_public( &srv, buf, len ) == 0 );
- TEST_ASSERT( ecdh_calc_secret( &srv, &len, buf, 1000 ) == 0 );
- TEST_ASSERT( ecdh_calc_secret( &cli, &len, buf, 1000 ) == 0 );
+ TEST_ASSERT( ecdh_calc_secret( &srv, &len, buf, 1000,
+ &rnd_pseudo_rand, &rnd_info ) == 0 );
+ TEST_ASSERT( ecdh_calc_secret( &cli, &len, buf, 1000, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &srv.z, &cli.z ) == 0 );
ecdh_free( &srv );
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index ce92633..55a3453 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -50,7 +50,7 @@
ecp_small_sub:0:"14":"11":0:"14":"36":0:27:30
ECP small multiplication negative
-ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_GENERIC
+ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_BAD_INPUT_DATA
ECP small multiplication #0
ecp_small_mul:0:1:0:0:0
@@ -101,7 +101,7 @@
ecp_small_mul:2:0:20:01:0
ECP small multiplication too big
-ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_GENERIC
+ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_BAD_INPUT_DATA
ECP small check pubkey #1
ecp_small_check_pub:1:1:0:POLARSSL_ERR_ECP_GENERIC
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index 62c5de2..5b1ab60 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -101,17 +101,33 @@
ecp_group grp;
ecp_point R;
mpi m;
+ rnd_pseudo_info rnd_info;
ecp_group_init( &grp );
ecp_point_init( &R );
mpi_init( &m );
+ memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
TEST_ASSERT( ecp_group_read_string( &grp, 10,
"47", "4", "17", "42", "13" ) == 0 );
TEST_ASSERT( mpi_lset( &m, m_str ) == 0 );
- TEST_ASSERT( ecp_mul( &grp, &R, &m, &grp.G ) == ret );
+ TEST_ASSERT( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) == ret );
+
+ if( r_zero )
+ TEST_ASSERT( mpi_cmp_int( &R.Z, 0 ) == 0 );
+ else
+ {
+ TEST_ASSERT( mpi_cmp_int( &R.X, x_r ) == 0 );
+ TEST_ASSERT( mpi_cmp_int( &R.Y, y_r ) == 0 );
+ }
+
+ /* try again with randomization */
+ ecp_point_free( &R );
+
+ TEST_ASSERT( ecp_mul( &grp, &R, &m, &grp.G,
+ &rnd_pseudo_rand, &rnd_info ) == ret );
if( r_zero )
TEST_ASSERT( mpi_cmp_int( &R.Z, 0 ) == 0 );
@@ -158,10 +174,12 @@
ecp_group grp;
ecp_point R;
mpi dA, xA, yA, dB, xB, yB, xZ, yZ;
+ rnd_pseudo_info rnd_info;
ecp_group_init( &grp ); ecp_point_init( &R );
mpi_init( &dA ); mpi_init( &xA ); mpi_init( &yA ); mpi_init( &dB );
mpi_init( &xB ); mpi_init( &yB ); mpi_init( &xZ ); mpi_init( &yZ );
+ memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
TEST_ASSERT( ecp_use_known_dp( &grp, id ) == 0 );
@@ -176,20 +194,22 @@
TEST_ASSERT( mpi_read_string( &xZ, 16, xZ_str ) == 0 );
TEST_ASSERT( mpi_read_string( &yZ, 16, yZ_str ) == 0 );
- TEST_ASSERT( ecp_mul( &grp, &R, &dA, &grp.G ) == 0 );
+ TEST_ASSERT( ecp_mul( &grp, &R, &dA, &grp.G,
+ &rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xA ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yA ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
- TEST_ASSERT( ecp_mul( &grp, &R, &dB, &R ) == 0 );
+ TEST_ASSERT( ecp_mul( &grp, &R, &dB, &R, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xZ ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yZ ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
- TEST_ASSERT( ecp_mul( &grp, &R, &dB, &grp.G ) == 0 );
+ TEST_ASSERT( ecp_mul( &grp, &R, &dB, &grp.G, NULL, NULL ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xB ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yB ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
- TEST_ASSERT( ecp_mul( &grp, &R, &dA, &R ) == 0 );
+ TEST_ASSERT( ecp_mul( &grp, &R, &dA, &R,
+ &rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xZ ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yZ ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
