Backported to ver. 1.17 from the original upstream commit plus rand_bn: From f0a51bbdbd50e03a43914c9ee912c451b6ad82e5 Mon Sep 17 00:00:00 2001 From: Karel Miko <karel.miko@gmail.com> Date: Sun, 17 Jun 2018 12:54:01 +0200 Subject: [PATCH] ecc_sign_hash blinding CVE-2018-12437 Index: libtomcrypt-1.17/src/pk/ecc/ecc_sign_hash.c =================================================================== --- libtomcrypt-1.17/src/pk/ecc/ecc_sign_hash.c +++ libtomcrypt-1.17/src/pk/ecc/ecc_sign_hash.c 2018-07-21 22:06:36.643264415 +0200 @@ -39,7 +39,7 @@ prng_state *prng, int wprng, ecc_key *key) { ecc_key pubkey; - void *r, *s, *e, *p; + void *r, *s, *e, *p, *b; int err; LTC_ARGCHK(in != NULL); @@ -63,7 +63,7 @@ /* get the hash and load it as a bignum into 'e' */ /* init the bignums */ - if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != CRYPT_OK) { + if ((err = mp_init_multi(&r, &s, &p, &e, &b, NULL)) != CRYPT_OK) { return err; } if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto errnokey; } @@ -81,12 +81,15 @@ if (mp_iszero(r) == LTC_MP_YES) { ecc_free(&pubkey); } else { + if ((err = rand_bn_upto(b, p, prng, wprng)) != CRYPT_OK) { goto error; } /* b = blinding value */ /* find s = (e + xr)/k */ - if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/k */ + if ((err = mp_mulmod(pubkey.k, b, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = kb */ + if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/kb */ if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK) { goto error; } /* s = xr */ - if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e + xr */ - if ((err = mp_mod(s, p, s)) != CRYPT_OK) { goto error; } /* s = e + xr */ - if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK) { goto error; } /* s = (e + xr)/k */ + if ((err = mp_mulmod(pubkey.k, s, p, s)) != CRYPT_OK) { goto error; } /* s = xr/kb */ + if ((err = mp_mulmod(pubkey.k, e, p, e)) != CRYPT_OK) { goto error; } /* e = e/kb */ + if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e/kb + xr/kb */ + if ((err = mp_mulmod(s, b, p, s)) != CRYPT_OK) { goto error; } /* s = b(e/kb + xr/kb) = (e + xr)/k */ ecc_free(&pubkey); if (mp_iszero(s) == LTC_MP_NO) { break; @@ -103,7 +106,7 @@ error: ecc_free(&pubkey); errnokey: - mp_clear_multi(r, s, p, e, NULL); + mp_clear_multi(r, s, p, e, b, NULL); return err; } Index: libtomcrypt-1.17/makefile.shared =================================================================== --- libtomcrypt-1.17/makefile.shared +++ libtomcrypt-1.17/makefile.shared 2018-07-21 22:23:37.341863922 +0200 @@ -133,6 +133,7 @@ src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \ src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \ src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \ +src/math/rand_bn.o \ src/math/rand_prime.o src/math/tfm_desc.o src/misc/base64/base64_decode.o \ src/misc/base64/base64_encode.o src/misc/burn_stack.o src/misc/crypt/crypt_argchk.o \ src/misc/crypt/crypt.o src/misc/crypt/crypt_cipher_descriptor.o src/misc/crypt/crypt_cipher_is_valid.o \ Index: libtomcrypt-1.17/makefile.unix =================================================================== --- libtomcrypt-1.17/makefile.unix +++ libtomcrypt-1.17/makefile.unix 2018-07-21 22:23:44.607775742 +0200 @@ -74,6 +74,7 @@ src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \ src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \ src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \ +src/math/rand_bn.o \ src/math/rand_prime.o src/math/tfm_desc.o src/misc/base64/base64_decode.o \ src/misc/base64/base64_encode.o src/misc/burn_stack.o src/misc/crypt/crypt_argchk.o \ src/misc/crypt/crypt.o src/misc/crypt/crypt_cipher_descriptor.o src/misc/crypt/crypt_cipher_is_valid.o \ Index: libtomcrypt-1.17/src/math/rand_bn.c =================================================================== --- libtomcrypt-1.17/src/math/rand_bn.c +++ libtomcrypt-1.17/src/math/rand_bn.c 2018-07-21 22:22:05.687976335 +0200 @@ -0,0 +1,75 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + */ +#include "tomcrypt.h" + +#if defined(LTC_MDSA) || defined(LTC_MECC) +/** + Generate a random number N with given bitlength (note: MSB can be 0) +*/ + +int rand_bn_bits(void *N, int bits, prng_state *prng, int wprng) +{ + int res, bytes; + unsigned char *buf, mask; + + LTC_ARGCHK(N != NULL); + LTC_ARGCHK(bits > 1); + + /* check PRNG */ + if ((res = prng_is_valid(wprng)) != CRYPT_OK) return res; + + bytes = (bits+7) >> 3; + mask = 0xff << (8 - bits % 8); + + /* allocate buffer */ + if ((buf = XCALLOC(1, bytes)) == NULL) return CRYPT_MEM; + + /* generate random bytes */ + if (prng_descriptor[wprng].read(buf, bytes, prng) != (unsigned long)bytes) { + res = CRYPT_ERROR_READPRNG; + goto cleanup; + } + /* mask bits */ + buf[0] &= ~mask; + /* load value */ + if ((res = mp_read_unsigned_bin(N, buf, bytes)) != CRYPT_OK) goto cleanup; + + res = CRYPT_OK; + +cleanup: +#ifdef LTC_CLEAN_STACK + zeromem(buf, bytes); +#endif + XFREE(buf); + return res; +} + +/** + Generate a random number N in a range: 1 <= N < limit +*/ +int rand_bn_upto(void *N, void *limit, prng_state *prng, int wprng) +{ + int res, bits; + + LTC_ARGCHK(N != NULL); + LTC_ARGCHK(limit != NULL); + + bits = mp_count_bits(limit); + do { + res = rand_bn_bits(N, bits, prng, wprng); + if (res != CRYPT_OK) return res; + } while (mp_cmp_d(N, 0) != LTC_MP_GT || mp_cmp(N, limit) != LTC_MP_LT); + + return CRYPT_OK; +} +#endif + +/* ref: $Format:%D$ */ +/* git commit: $Format:%H$ */ +/* commit time: $Format:%ai$ */ Index: libtomcrypt-1.17/src/headers/tomcrypt_pk.h =================================================================== --- libtomcrypt-1.17/src/headers/tomcrypt_pk.h +++ libtomcrypt-1.17/src/headers/tomcrypt_pk.h 2018-07-21 22:34:07.550243194 +0200 @@ -7,6 +7,9 @@ int rand_prime(void *N, long len, prng_state *prng, int wprng); +int rand_bn_bits(void *N, int bits, prng_state *prng, int wprng); +int rand_bn_upto(void *N, void *limit, prng_state *prng, int wprng); + /* ---- RSA ---- */ #ifdef LTC_MRSA