Change ecp_mul() prototype to allow randomization
(Also improve an error code while at it.)
diff --git a/library/ecdh.c b/library/ecdh.c
index d76596e..8ef02f5 100644
--- a/library/ecdh.c
+++ b/library/ecdh.c
@@ -50,7 +50,9 @@
* Compute shared secret (SEC1 3.3.1)
*/
int ecdh_compute_shared( const ecp_group *grp, mpi *z,
- const ecp_point *Q, const mpi *d )
+ const ecp_point *Q, const mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
ecp_point P;
@@ -62,7 +64,7 @@
*/
MPI_CHK( ecp_check_pubkey( grp, Q ) );
- MPI_CHK( ecp_mul( grp, &P, d, Q ) );
+ MPI_CHK( ecp_mul( grp, &P, d, Q, f_rng, p_rng ) );
if( ecp_is_zero( &P ) )
{
@@ -202,16 +204,20 @@
* Derive and export the shared secret
*/
int ecdh_calc_secret( ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen )
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
if( ctx == NULL )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
- if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d ) )
- != 0 )
+ if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d,
+ f_rng, p_rng ) ) != 0 )
+ {
return( ret );
+ }
if( mpi_size( &ctx->z ) > blen )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 67774c9..bbdb5d5 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -161,9 +161,12 @@
/*
* Step 5: R = u1 G + u2 Q
+ *
+ * Since we're not using any secret data, no need to pass a RNG to
+ * ecp_mul() for countermesures.
*/
- MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G ) );
- MPI_CHK( ecp_mul( grp, &P, &u2, Q ) );
+ MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G, NULL, NULL ) );
+ MPI_CHK( ecp_mul( grp, &P, &u2, Q, NULL, NULL ) );
MPI_CHK( ecp_add( grp, &R, &R, &P ) );
if( ecp_is_zero( &R ) )
diff --git a/library/ecp.c b/library/ecp.c
index 09a021b..b4ee042 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1166,7 +1166,8 @@
* random m in the range 0 .. 2^nbits - 1.
*/
int ecp_mul( const ecp_group *grp, ecp_point *R,
- const mpi *m, const ecp_point *P )
+ const mpi *m, const ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret;
unsigned char w, m_is_odd;
@@ -1175,18 +1176,21 @@
ecp_point Q, T[ MAX_PRE_LEN ];
mpi M;
+ ((void) f_rng);
+ ((void) p_rng);
+
if( mpi_cmp_int( m, 0 ) < 0 || mpi_msb( m ) > grp->nbits )
- return( POLARSSL_ERR_ECP_GENERIC );
+ return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
w = grp->nbits >= 521 ? 6 :
grp->nbits >= 224 ? 5 :
- 4;
+ 4;
/*
* Make sure w is within the limits.
* The last test ensures that none of the precomputed points is zero,
* which wouldn't be handled correctly by ecp_normalize_many().
- * It is only useful for small curves, as used in the test suite.
+ * It is only useful for very small curves, as used in the test suite.
*/
if( w > POLARSSL_ECP_WINDOW_SIZE )
w = POLARSSL_ECP_WINDOW_SIZE;
@@ -1348,7 +1352,7 @@
}
while( mpi_cmp_int( d, 1 ) < 0 );
- return( ecp_mul( grp, Q, d, &grp->G ) );
+ return( ecp_mul( grp, Q, d, &grp->G, f_rng, p_rng ) );
}
#if defined(POLARSSL_SELF_TEST)
@@ -1402,12 +1406,12 @@
#endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
if( verbose != 0 )
- printf( " ECP test #1 (SPA resistance): " );
+ printf( " ECP test #1 (resistance to simple timing attacks): " );
add_count = 0;
dbl_count = 0;
MPI_CHK( mpi_read_string( &m, 16, exponents[0] ) );
- MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) );
+ MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
{
@@ -1417,7 +1421,7 @@
dbl_count = 0;
MPI_CHK( mpi_read_string( &m, 16, exponents[i] ) );
- MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) );
+ MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
if( add_count != add_c_prev || dbl_count != dbl_c_prev )
{
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 0fccf34..3b9d142 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1748,7 +1748,8 @@
if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
- POLARSSL_MPI_MAX_SIZE ) ) != 0 )
+ POLARSSL_MPI_MAX_SIZE,
+ ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
return( ret );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 5bedcad..adf5a62 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2410,7 +2410,8 @@
if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
- POLARSSL_MPI_MAX_SIZE ) ) != 0 )
+ POLARSSL_MPI_MAX_SIZE,
+ ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );