diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/nss/coreconf/coreconf.dep | 1 | ||||
-rw-r--r-- | security/nss/lib/freebl/dsa.c | 45 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.h | 4 | ||||
-rw-r--r-- | security/nss/lib/softoken/softkver.h | 4 | ||||
-rw-r--r-- | security/nss/lib/util/nssutil.h | 4 |
5 files changed, 42 insertions, 16 deletions
diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f7555..590d1bfae 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/lib/freebl/dsa.c b/security/nss/lib/freebl/dsa.c index aef353967..389c9de24 100644 --- a/security/nss/lib/freebl/dsa.c +++ b/security/nss/lib/freebl/dsa.c @@ -313,13 +313,14 @@ DSA_NewKeyFromSeed(const PQGParams *params, static SECStatus dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest, - const unsigned char *kb) + const unsigned char *kbytes) { mp_int p, q, g; /* PQG parameters */ mp_int x, k; /* private key & pseudo-random integer */ mp_int r, s; /* tuple (r, s) is signature) */ mp_int t; /* holding tmp values */ mp_int ar; /* holding blinding values */ + mp_digit fuzz; /* blinding multiplier for q */ mp_err err = MP_OKAY; SECStatus rv = SECSuccess; unsigned int dsa_subprime_len, dsa_signature_len, offset; @@ -373,6 +374,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest, CHECK_MPI_OK(mp_init(&s)); CHECK_MPI_OK(mp_init(&t)); CHECK_MPI_OK(mp_init(&ar)); + /* ** Convert stored PQG and private key into MPI integers. */ @@ -380,14 +382,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest, SECITEM_TO_MPINT(key->params.subPrime, &q); SECITEM_TO_MPINT(key->params.base, &g); SECITEM_TO_MPINT(key->privateValue, &x); - OCTETS_TO_MPINT(kb, &k, dsa_subprime_len); + OCTETS_TO_MPINT(kbytes, &k, dsa_subprime_len); + + /* k blinding create a single value that has the high bit set in + * the mp_digit*/ + if (RNG_GenerateGlobalRandomBytes(&fuzz, sizeof(mp_digit)) != SECSuccess) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + rv = SECFailure; + goto cleanup; + } + fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1)); /* ** FIPS 186-1, Section 5, Step 1 ** ** r = (g**k mod p) mod q */ - CHECK_MPI_OK(mp_exptmod(&g, &k, &p, &r)); /* r = g**k mod p */ - CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */ + CHECK_MPI_OK(mp_mul_d(&q, fuzz, &t)); /* t = q*fuzz */ + CHECK_MPI_OK(mp_add(&k, &t, &t)); /* t = k+q*fuzz */ + /* length of t is now fixed, bits in k have been blinded */ + CHECK_MPI_OK(mp_exptmod(&g, &t, &p, &r)); /* r = g**t mod p */ + /* r is now g**(k+q*fuzz) == g**k mod p */ + CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */ + /* ** FIPS 186-1, Section 5, Step 2 ** @@ -411,15 +427,24 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest, /* Using mp_invmod on k directly would leak bits from k. */ CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */ CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */ - CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */ + /* k is now k*t*ar */ + CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */ + /* k is now (k*t*ar)**-1 */ CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */ - SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */ + /* k is now (k*ar)**-1 */ + SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */ /* To avoid leaking secret bits here the addition is blinded. */ - CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */ - CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */ + CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */ + /* x is now x*ar */ + CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */ + /* x is now x*r*ar */ CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */ - CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */ - CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */ + /* t is now hash(M)*ar */ + CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */ + /* s is now (HASH(M)+x*r)*ar */ + CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */ + /* s is now (HASH(M)+x*r)*ar*(k*ar)**-1 = (k**-1)*(HASH(M)+x*r) */ + /* ** verify r != 0 and s != 0 ** mentioned as optional in FIPS 186-1. diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index b8d9da65c..2701a1ea1 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -22,10 +22,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.48" _NSS_CUSTOMIZED +#define NSS_VERSION "3.48.2" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 48 -#define NSS_VPATCH 1 +#define NSS_VPATCH 2 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index 7238d257f..a1c8f8c5c 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -17,10 +17,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.48" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.48.2" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 48 -#define SOFTOKEN_VPATCH 1 +#define SOFTOKEN_VPATCH 2 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 4a4dd7a53..f067465c8 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,10 +19,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" */ -#define NSSUTIL_VERSION "3.48" +#define NSSUTIL_VERSION "3.48.2" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 48 -#define NSSUTIL_VPATCH 1 +#define NSSUTIL_VPATCH 2 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE |