Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EC/DSA nonce generation fixes for 3.1 and 3.0 branches #24317

Closed
wants to merge 7 commits into from
Closed

EC/DSA nonce generation fixes for 3.1 and 3.0 branches #24317

wants to merge 7 commits into from

Conversation

t8m
Copy link
Member

@t8m t8m commented May 2, 2024

This is backport of #24265 to 3.1 and 3.0 branches.

t8m added 3 commits May 2, 2024 09:36
@t8m
Make BN_generate_dsa_nonce() constant time and non-biased
2807a64 
Co-authored-by: Paul Dale <ppzgs1@gmail.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from openssl#24265)

(cherry picked from commit d7d1bdc)
@t8m
Add ossl_bn_is_word_fixed_top()
74cfaa7 
Also correct some BN_FLG_FIXED_TOP flag handling.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from openssl#24265)

(cherry picked from commit 2d285fa)
@t8m
Add ossl_bn_priv_rand_range_fixed_top() and use it for EC/DSA
edae00b 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from openssl#24265)

(cherry picked from commit 13b3ca5)
@t8m t8m added approval: review pending This pull request needs review by a committer approval: otc review pending This pull request needs review by an OTC member triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 tests: exempted The PR is exempt from requirements for testing labels May 2, 2024
@t8m t8m requested review from paulidale and nhorman May 2, 2024 07:55
@t8m t8m mentioned this pull request May 2, 2024
Closed
t8m added 3 commits May 2, 2024 10:01
@t8m
Rename BN_generate_dsa_nonce() to ossl_bn_gen_dsa_nonce_fixed_top()
601518b 
And create a new BN_generate_dsa_nonce() that corrects the BIGNUM top.
We do this to avoid leaking fixed top numbers via the public API.

Also add a slight optimization in ossl_bn_gen_dsa_nonce_fixed_top()
and make it LE/BE agnostic.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from openssl#24265)

(cherry picked from commit 9c85f6c)
@t8m
Adjust FIPS EC/DSA self test data for different nonce generation
1e602b4 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from openssl#24265)

(cherry picked from commit 8a1f654)
@t8m
Correct top for EC/DSA nonces if BN_DEBUG is on
b514513 
Otherwise following operations would bail out in bn_check_top().

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from openssl#24265)

(cherry picked from commit a380ae8)
@t8m t8m force-pushed the fixed-nonce-generation-3.1 branch from 3ffd54c to b514513 Compare May 2, 2024 08:01
@paulidale paulidale removed the approval: otc review pending This pull request needs review by an OTC member label May 5, 2024
@t8m
Copy link
Member Author

t8m commented May 6, 2024

@nhorman ping for second review

@t8m t8m added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels May 6, 2024
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels May 7, 2024
@openssl-machine
Copy link
Collaborator

This pull request is ready to merge

@t8m
Copy link
Member Author

t8m commented May 8, 2024

@nhorman @paulidale please reconfirm - there was discrepancy in the prototypes of ossl_bn_is_word_fixed_top(). IMO no need to restart the timer.

@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label May 8, 2024
@nhorman
Copy link
Contributor

nhorman commented May 8, 2024

approval holds, agreed, no need to restart the timer

openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Make BN_generate_dsa_nonce() constant time and non-biased
0df711a 
Co-authored-by: Paul Dale <ppzgs1@gmail.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit d7d1bdc)

(Merged from #24317)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Add ossl_bn_is_word_fixed_top()
5dbb2a8 
Also correct some BN_FLG_FIXED_TOP flag handling.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit 2d285fa)

(Merged from #24317)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Add ossl_bn_priv_rand_range_fixed_top() and use it for EC/DSA
a70ca93 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit 13b3ca5)

(Merged from #24317)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Rename BN_generate_dsa_nonce() to ossl_bn_gen_dsa_nonce_fixed_top()
fdc3efc 
And create a new BN_generate_dsa_nonce() that corrects the BIGNUM top.
We do this to avoid leaking fixed top numbers via the public API.

Also add a slight optimization in ossl_bn_gen_dsa_nonce_fixed_top()
and make it LE/BE agnostic.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit 9c85f6c)

(Merged from #24317)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Adjust FIPS EC/DSA self test data for different nonce generation
7ecd90a 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit 8a1f654)

(Merged from #24317)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Correct top for EC/DSA nonces if BN_DEBUG is on
549208d 
Otherwise following operations would bail out in bn_check_top().

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit a380ae8)

(Merged from #24317)
@t8m
Copy link
Member Author

t8m commented May 9, 2024

Merged to the 3.1 and 3.0 branches. Thank you for the reviews.

@t8m t8m closed this May 9, 2024
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Make BN_generate_dsa_nonce() constant time and non-biased
b169c2c 
Co-authored-by: Paul Dale <ppzgs1@gmail.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit d7d1bdc)

(Merged from #24317)

(cherry picked from commit 0df711a)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Add ossl_bn_is_word_fixed_top()
40163b5 
Also correct some BN_FLG_FIXED_TOP flag handling.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit 2d285fa)

(Merged from #24317)

(cherry picked from commit 5dbb2a8)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Add ossl_bn_priv_rand_range_fixed_top() and use it for EC/DSA
8e4c17b 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit 13b3ca5)

(Merged from #24317)

(cherry picked from commit a70ca93)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Rename BN_generate_dsa_nonce() to ossl_bn_gen_dsa_nonce_fixed_top()
51f93c3 
And create a new BN_generate_dsa_nonce() that corrects the BIGNUM top.
We do this to avoid leaking fixed top numbers via the public API.

Also add a slight optimization in ossl_bn_gen_dsa_nonce_fixed_top()
and make it LE/BE agnostic.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit 9c85f6c)

(Merged from #24317)

(cherry picked from commit fdc3efc)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
@t8m
Correct top for EC/DSA nonces if BN_DEBUG is on
d8f4038 
Otherwise following operations would bail out in bn_check_top().

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>

(cherry picked from commit a380ae8)

(Merged from #24317)

(cherry picked from commit 549208d)
@tomato42 tomato42 mentioned this pull request May 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nhorman nhorman nhorman approved these changes

@paulidale paulidale paulidale approved these changes

Assignees
No one assigned
Labels
approval: ready to merge The 24 hour grace period has passed, ready to merge branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 severity: fips change The pull request changes FIPS provider sources tests: exempted The PR is exempt from requirements for testing triaged: bug The issue/pr is/fixes a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@t8m @openssl-machine @nhorman @paulidale