summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/freebl/dsa.c
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-08-14 07:52:35 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-08-14 16:42:52 +0200
commitab1060037931158d3a8bf4c8f9f6cb4dbfe916e9 (patch)
tree5e4677e52b9a349602f04135a44b3000c8baa97b /security/nss/lib/freebl/dsa.c
parentf44e99950fc25d16a3cdaffe26dadf7b58a9d38c (diff)
downloadUXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.gz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.lz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.xz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.zip
Update NSS to 3.38
- Added HACL*Poly1305 32-bit (INRIA/Microsoft) - Updated to final TLS 1.3 draft version (28) - Removed TLS 1.3 prerelease draft limit check - Removed NPN code - Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments - Fixed several bugs with TLS 1.3 negotiation - Updated internal certificate store - Added support for the TLS Record Size Limit Extension. - Fixed CVE-2018-0495 - Various security fixes in the ASN.1 code.
Diffstat (limited to 'security/nss/lib/freebl/dsa.c')
-rw-r--r--security/nss/lib/freebl/dsa.c37
1 files changed, 26 insertions, 11 deletions
diff --git a/security/nss/lib/freebl/dsa.c b/security/nss/lib/freebl/dsa.c
index 9324d306b..aef353967 100644
--- a/security/nss/lib/freebl/dsa.c
+++ b/security/nss/lib/freebl/dsa.c
@@ -16,14 +16,11 @@
#include "blapi.h"
#include "nssilock.h"
#include "secitem.h"
-#include "blapi.h"
+#include "blapit.h"
#include "mpi.h"
#include "secmpi.h"
#include "pqg.h"
-/* XXX to be replaced by define in blapit.h */
-#define NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE 2048
-
/*
* FIPS 186-2 requires result from random output to be reduced mod q when
* generating random numbers for DSA.
@@ -168,7 +165,7 @@ dsa_NewKeyExtended(const PQGParams *params, const SECItem *seed,
return SECFailure;
}
/* Initialize an arena for the DSA key. */
- arena = PORT_NewArena(NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE);
+ arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
if (!arena) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
@@ -213,8 +210,9 @@ cleanup:
mp_clear(&g);
mp_clear(&x);
mp_clear(&y);
- if (key)
+ if (key) {
PORT_FreeArena(key->params.arena, PR_TRUE);
+ }
if (err) {
translate_mpi_error(err);
return SECFailure;
@@ -321,6 +319,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
mp_int x, k; /* private key & pseudo-random integer */
mp_int r, s; /* tuple (r, s) is signature) */
mp_int t; /* holding tmp values */
+ mp_int ar; /* holding blinding values */
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
unsigned int dsa_subprime_len, dsa_signature_len, offset;
@@ -364,6 +363,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
MP_DIGITS(&r) = 0;
MP_DIGITS(&s) = 0;
MP_DIGITS(&t) = 0;
+ MP_DIGITS(&ar) = 0;
CHECK_MPI_OK(mp_init(&p));
CHECK_MPI_OK(mp_init(&q));
CHECK_MPI_OK(mp_init(&g));
@@ -372,6 +372,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
CHECK_MPI_OK(mp_init(&r));
CHECK_MPI_OK(mp_init(&s));
CHECK_MPI_OK(mp_init(&t));
+ CHECK_MPI_OK(mp_init(&ar));
/*
** Convert stored PQG and private key into MPI integers.
*/
@@ -397,14 +398,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
rv = SECFailure;
goto cleanup;
}
- SECITEM_TO_MPINT(t2, &t); /* t <-$ Zq */
+ SECITEM_TO_MPINT(t2, &t); /* t <-$ Zq */
+ SECITEM_FreeItem(&t2, PR_FALSE);
+ if (DSA_NewRandom(NULL, &key->params.subPrime, &t2) != SECSuccess) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ rv = SECFailure;
+ goto cleanup;
+ }
+ SECITEM_TO_MPINT(t2, &ar); /* ar <-$ Zq */
+ SECITEM_FreeItem(&t2, PR_FALSE);
+
+ /* Using mp_invmod on k directly would leak bits from k. */
+ CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */
CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
- CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
- CHECK_MPI_OK(mp_addmod(&s, &x, &q, &s)); /* s = s + x mod q */
- CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
+ /* To avoid leaking secret bits here the addition is blinded. */
+ CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
+ CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
+ CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */
+ CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
+ CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
/*
** verify r != 0 and s != 0
** mentioned as optional in FIPS 186-1.
@@ -438,7 +453,7 @@ cleanup:
mp_clear(&r);
mp_clear(&s);
mp_clear(&t);
- SECITEM_FreeItem(&t2, PR_FALSE);
+ mp_clear(&ar);
if (err) {
translate_mpi_error(err);
rv = SECFailure;