Generate EC/DSA nonces in a way that does not reveal whether top bits are set #24265
Co-authored-by: Paul Dale <ppzgs1@gmail.com>
@GeorgePantelakis @tomato42 please test the ossl_bn_priv_rand_range_fixed_top() code path.
@mattcaswell PTAL
504662c to fa04415
Otherwise following operations would bail out in bn_check_top().
@paulidale please reconfirm
And create a new BN_generate_dsa_nonce() that corrects the BIGNUM top. We do this to avoid leaking fixed top numbers via the public API. Also add a slight optimization in ossl_bn_gen_dsa_nonce_fixed_top() and make it LE/BE agnostic. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from openssl#24265) (cherry picked from commit 9c85f6c)
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from openssl#24265) (cherry picked from commit 8a1f654)
Otherwise following operations would bail out in bn_check_top(). Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from openssl#24265) (cherry picked from commit a380ae8)
Co-authored-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from #24265)
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from #24265)
And create a new BN_generate_dsa_nonce() that corrects the BIGNUM top. We do this to avoid leaking fixed top numbers via the public API. Also add a slight optimization in ossl_bn_gen_dsa_nonce_fixed_top() and make it LE/BE agnostic. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from #24265)
Otherwise following operations would bail out in bn_check_top(). Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from #24265)
And create a new BN_generate_dsa_nonce() that corrects the BIGNUM top. We do this to avoid leaking fixed top numbers via the public API. Also add a slight optimization in ossl_bn_gen_dsa_nonce_fixed_top() and make it LE/BE agnostic. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from #24265) (cherry picked from commit 9c85f6c)
Merged to the master, 3.3 and 3.2 branches. Created #24317 for 3.1 and 3.0. Thank you for the reviews.
Function declarations in .c/.h need to be the same. This will break the compile in the MSVC warning check.
This would be a
Maybe you can fix this MSVC compile issue quickly, thanks for your hard work.
Partially fixes #23860
This does not resolve the problem completely as there are architecture-specific issues in the point multiplication that can still leak the information by timing and it also won't work with BN_DEBUG defined.
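Why the nonce is kept fixed-top, shown as an added toy model (not OpenSSL's code and not part of this pull request): a normalised big number drops its leading zero words, so the work done on it depends on whether the nonce's top bits are set. `toy_bn`, `toy_correct_top`, `toy_mul`, `mul_cost` and all sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WORDS 4 /* constructed size: a 128-bit group order in 32-bit words */

/* Toy stand-in for a BIGNUM: little-endian words, top = words in use. */
typedef struct { uint32_t d[WORDS]; int top; } toy_bn;

/* Normalised form: strip leading zero words, so top depends on the value. */
static void toy_correct_top(toy_bn *a) {
    a->top = WORDS;
    while (a->top > 0 && a->d[a->top - 1] == 0) a->top--;
}

/* Schoolbook r = a * b; returns the number of word multiplications run. */
static int toy_mul(uint32_t *r, const toy_bn *a, const toy_bn *b) {
    int i, j, ops = 0;
    memset(r, 0, 2 * WORDS * sizeof(*r));
    for (i = 0; i < a->top; i++) {
        uint64_t carry = 0;
        for (j = 0; j < b->top; j++, ops++) {
            uint64_t t = (uint64_t)a->d[i] * b->d[j] + r[i + j] + carry;
            r[i + j] = (uint32_t)t;
            carry = t >> 32;
        }
        r[i + b->top] = (uint32_t)carry;
    }
    return ops;
}

/* Constructed nonces: K_SHORT has a zero top word, K_FULL does not. */
static const uint32_t K_FULL[WORDS]  = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };
static const uint32_t K_SHORT[WORDS] = { 0x11111111u, 0x22222222u, 0x33333333u, 0 };

/* Cost of nonce * x with the nonce kept fixed-top (fixed != 0) or normalised. */
static int mul_cost(const uint32_t *k, int fixed, uint32_t *r) {
    toy_bn nonce, x = { { 0x9e3779b9u, 0x7f4a7c15u, 0xf39cc060u, 0x5cedc834u }, WORDS };
    memcpy(nonce.d, k, sizeof(nonce.d));
    nonce.top = WORDS;                    /* fixed-top: always the modulus width */
    if (!fixed) toy_correct_top(&nonce);  /* normalised: width follows the value */
    return toy_mul(r, &nonce, &x);
}

int main(void) {
    uint32_t r[2 * WORDS];
    printf("normalised: %d vs %d word mults\n", mul_cost(K_FULL, 0, r), mul_cost(K_SHORT, 0, r));
    printf("fixed-top:  %d vs %d word mults\n", mul_cost(K_FULL, 1, r), mul_cost(K_SHORT, 1, r));
    return 0;
}
```

With the normalised nonce the multiplication runs 16 versus 12 word multiplications, so the amount of work tracks whether the top word is zero; with the fixed-top nonce both run 16 and the product is unchanged.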