2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
11 * DSA low level APIs are deprecated for public use, but still ok for
83 if (dsa->params.p == NULL
84 || dsa->params.q == NULL
85 || dsa->params.g == NULL) {
89 if (dsa->priv_key == NULL) {
97 ret->r = BN_new();
98 ret->s = BN_new();
99 if (ret->r == NULL || ret->s == NULL)
102 ctx = BN_CTX_new_ex(dsa->libctx);
113 if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen))
116 if (dlen > BN_num_bytes(dsa->params.q))
119 * BN_num_bits(dsa->params.q) leftmost bits of the digest, see FIPS 186-3,
122 dlen = BN_num_bytes(dsa->params.q);
129 * s := k^-1 * (m + r * priv_key) mod q
133 * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
141 if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1,
150 if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->params.q, ctx))
152 if (!BN_mod_mul(tmp, tmp, ret->r, dsa->params.q, ctx))
156 if (!BN_mod_mul(blindm, blind, m, dsa->params.q, ctx))
160 if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->params.q))
163 /* s := s * k^-1 mod q */
164 if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->params.q, ctx))
167 /* s:= s * blind^-1 mod q */
168 if (BN_mod_inverse(blind, blind, dsa->params.q, ctx) == NULL)
170 if (!BN_mod_mul(ret->s, ret->s, blind, dsa->params.q, ctx))
174 * Redo if r or s is zero as required by FIPS 186-4: Section 4.6
179 if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) {
219 if (!dsa->params.p || !dsa->params.q || !dsa->params.g) {
225 if (BN_is_zero(dsa->params.p)
226 || BN_is_zero(dsa->params.q)
227 || BN_is_zero(dsa->params.g)
228 || BN_is_negative(dsa->params.p)
229 || BN_is_negative(dsa->params.q)
230 || BN_is_negative(dsa->params.g)) {
234 if (dsa->priv_key == NULL) {
251 q_bits = BN_num_bits(dsa->params.q);
252 q_words = bn_get_top(dsa->params.q);
265 if (!ossl_bn_gen_dsa_nonce_fixed_top(k, dsa->params.q,
266 dsa->priv_key, dgst,
269 } else if (!ossl_bn_priv_rand_range_fixed_top(k, dsa->params.q, 0, ctx))
276 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
277 if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
278 dsa->lock, dsa->params.p, ctx))
286 * compute G^k using an equivalent scalar of fixed bit-length.
289 * small timing information leakage. We then choose the sum that is
297 if (!BN_add(l, k, dsa->params.q)
298 || !BN_add(k, l, dsa->params.q))
303 if ((dsa)->meth->bn_mod_exp != NULL) {
304 if (!dsa->meth->bn_mod_exp(dsa, r, dsa->params.g, k, dsa->params.p,
305 ctx, dsa->method_mont_p))
308 if (!BN_mod_exp_mont(r, dsa->params.g, k, dsa->params.p, ctx,
309 dsa->method_mont_p))
313 if (!BN_mod(r, r, dsa->params.q, ctx))
317 if ((kinv = dsa_mod_inverse_fermat(k, dsa->params.q, ctx)) == NULL)
341 int ret = -1, i;
343 if (dsa->params.p == NULL
344 || dsa->params.q == NULL
345 || dsa->params.g == NULL) {
347 return -1;
350 i = BN_num_bits(dsa->params.q);
351 /* FIPS 186-3 allows only certain bit-lengths for q; reject others */
354 return -1;
357 if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
359 return -1;
371 BN_ucmp(r, dsa->params.q) >= 0) {
376 BN_ucmp(s, dsa->params.q) >= 0) {
384 if ((BN_mod_inverse(u2, s, dsa->params.q, ctx)) == NULL)
391 * BN_num_bits(dsa->params.q) leftmost bits of the digest, see FIPS 186-3,
399 if (!BN_mod_mul(u1, u1, u2, dsa->params.q, ctx))
403 if (!BN_mod_mul(u2, r, u2, dsa->params.q, ctx))
406 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
407 mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
408 dsa->lock, dsa->params.p, ctx);
413 if (dsa->meth->dsa_mod_exp != NULL) {
414 if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->params.g, u1, dsa->pub_key, u2,
415 dsa->params.p, ctx, mont))
418 if (!BN_mod_exp2_mont(t1, dsa->params.g, u1, dsa->pub_key, u2,
419 dsa->params.p, ctx, mont))
424 if (!BN_mod(u1, t1, dsa->params.q, ctx))
444 dsa->flags |= DSA_FLAG_CACHE_MONT_P;
445 dsa->dirty_cnt++;
451 BN_MONT_CTX_free(dsa->method_mont_p);
458 * mod-exp operation. Both the exponent and modulus are public information
459 * so a mod-exp that doesn't leak the base is sufficient. A newly allocated