Simplify usage of DHM blinding

This commit is contained in:
Manuel Pégourié-Gonnard 2013-09-17 11:34:11 +02:00 committed by Paul Bakker
parent c83e418149
commit 15d5de1969
8 changed files with 62 additions and 57 deletions

View file

@ -230,13 +230,11 @@ int dhm_make_public( dhm_context *ctx, int x_size,
*
* \return 0 if successful, or an POLARSSL_ERR_DHM_XXX error code
*
* \note If f_rng is not NULL, it is used to blind the input as
* countermeasure against timing attacks. This is only useful
* when this function is called repeatedly with the same
* secret value (X field), eg when using DH key exchange as
* opposed to DHE. It is recommended to use a non-NULL f_rng
* only when needed, since otherwise this countermeasure has
* high overhead.
* \note If non-NULL, f_rng is used to blind the input as
* countermeasure against timing attacks. Blinding is
* automatically used if and only if our secret value X is
* re-used and costs nothing otherwise, so it is recommended
* to always pass a non-NULL f_rng argument.
*/
int dhm_calc_secret( dhm_context *ctx,
unsigned char *output, size_t *olen,

View file

@ -273,15 +273,37 @@ static int dhm_update_blinding( dhm_context *ctx,
int ret, count;
/*
* If Vi is initialized, update it by squaring it
* Don't use any blinding the first time a particular X is used,
* but remember it to use blinding next time.
*/
if( ctx->Vi.p != NULL )
if( mpi_cmp_mpi( &ctx->X, &ctx->_X ) != 0 )
{
MPI_CHK( mpi_copy( &ctx->_X, &ctx->X ) );
MPI_CHK( mpi_lset( &ctx->Vi, 1 ) );
MPI_CHK( mpi_lset( &ctx->Vf, 1 ) );
return( 0 );
}
/*
* Ok, we need blinding. Can we re-use existing values?
* If yes, just update them by squaring them.
*/
if( mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
{
MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
return( 0 );
}
else
{
/*
* We need to generate blinding values from scratch
*/
/* Vi = random( 2, P-1 ) */
count = 0;
do
@ -295,29 +317,11 @@ static int dhm_update_blinding( dhm_context *ctx,
return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
}
while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
}
/*
* If X did not change, update Vf by squaring it too
*/
if( mpi_cmp_mpi( &ctx->X, &ctx->_X ) == 0 )
{
MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
return( 0 );
}
/*
* Otherwise, compute Vf from scratch
*/
/* Vf = Vi^-X mod P */
MPI_CHK( mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
MPI_CHK( mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
/* Remember secret associated with Vi and Vf */
MPI_CHK( mpi_copy( &ctx->_X, &ctx->X ) );;
cleanup:
return( ret );
}

View file

@ -1702,11 +1702,10 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
/* No blinding needed for DHE, but will be needed for fixed DH! */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
&ssl->handshake->pmslen,
NULL, NULL ) ) != 0 )
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( ret );
@ -1834,9 +1833,8 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
*(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
*(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
/* No blinding needed since this is ephemeral DHM */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
p, &n, NULL, NULL ) ) != 0 )
p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( ret );

View file

@ -2373,7 +2373,7 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
&ssl->handshake->pmslen,
NULL, NULL ) ) != 0 )
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
@ -2460,7 +2460,7 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
/* No blinding needed since this is ephemeral DHM */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
p, &n, NULL, NULL ) ) != 0 )
p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );

View file

@ -239,7 +239,8 @@ int main( int argc, char *argv[] )
fflush( stdout );
n = dhm.len;
if( ( ret = dhm_calc_secret( &dhm, buf, &n, NULL, NULL ) ) != 0 )
if( ( ret = dhm_calc_secret( &dhm, buf, &n,
ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
printf( " failed\n ! dhm_calc_secret returned %d\n\n", ret );
goto exit;

View file

@ -242,7 +242,8 @@ int main( int argc, char *argv[] )
printf( "\n . Shared secret: " );
fflush( stdout );
if( ( ret = dhm_calc_secret( &dhm, buf, &n, NULL, NULL ) ) != 0 )
if( ( ret = dhm_calc_secret( &dhm, buf, &n,
ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
printf( " failed\n ! dhm_calc_secret returned %d\n\n", ret );
goto exit;

View file

@ -558,7 +558,7 @@ int main( int argc, char *argv[] )
{
olen = sizeof( buf );
ret |= dhm_make_public( &dhm, dhm.len, buf, dhm.len, myrand, NULL );
ret |= dhm_calc_secret( &dhm, buf, &olen, NULL, NULL );
ret |= dhm_calc_secret( &dhm, buf, &olen, myrand, NULL );
}
if( ret != 0 )
@ -617,7 +617,7 @@ int main( int argc, char *argv[] )
for( i = 1; ! alarmed && ! ret ; i++ )
{
olen = sizeof( buf );
ret |= dhm_calc_secret( &dhm, buf, &olen, NULL, NULL );
ret |= dhm_calc_secret( &dhm, buf, &olen, myrand, NULL );
}
if( ret != 0 )
@ -643,7 +643,7 @@ int main( int argc, char *argv[] )
{
olen = sizeof( buf );
ret |= dhm_make_public( &dhm, dhm.len, buf, dhm.len, myrand, NULL );
ret |= dhm_calc_secret( &dhm, buf, &olen, NULL, NULL );
ret |= dhm_calc_secret( &dhm, buf, &olen, myrand, NULL );
}
if( ret != 0 )

View file

@ -22,7 +22,7 @@ void dhm_do_dhm( int radix_P, char *input_P,
size_t pub_cli_len = 0;
size_t sec_srv_len = 1000;
size_t sec_cli_len = 1000;
int x_size;
int x_size, i;
rnd_pseudo_info rnd_info;
memset( &ctx_srv, 0x00, sizeof( dhm_context ) );
@ -59,13 +59,16 @@ void dhm_do_dhm( int radix_P, char *input_P,
TEST_ASSERT( sec_srv_len != 0 );
TEST_ASSERT( memcmp( sec_srv, sec_cli, sec_srv_len ) == 0 );
/* Re-do calc_secret on server to test update of blinding values */
/* Re-do calc_secret on server a few times to test update of blinding values */
for( i = 0; i < 3; i++ )
{
sec_srv_len = 1000;
TEST_ASSERT( dhm_calc_secret( &ctx_srv, sec_srv, &sec_srv_len, &rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( sec_srv_len == sec_cli_len );
TEST_ASSERT( sec_srv_len != 0 );
TEST_ASSERT( memcmp( sec_srv, sec_cli, sec_srv_len ) == 0 );
}
/*
* Second key exchange to test change of blinding values on server