Simplify usage of DHM blinding
diff --git a/library/dhm.c b/library/dhm.c
index 625837e..dc815d9 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -273,51 +273,55 @@
int ret, count;
/*
- * If Vi is initialized, update it by squaring it
+ * Don't use any blinding the first time a particular X is used,
+ * but remember it to use blinding next time.
*/
- if( ctx->Vi.p != NULL )
+ if( mpi_cmp_mpi( &ctx->X, &ctx->_X ) != 0 )
{
- MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
- MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
- }
- else
- {
- /* Vi = random( 2, P-1 ) */
- count = 0;
- do
- {
- mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );
+ MPI_CHK( mpi_copy( &ctx->_X, &ctx->X ) );
+ MPI_CHK( mpi_lset( &ctx->Vi, 1 ) );
+ MPI_CHK( mpi_lset( &ctx->Vf, 1 ) );
- while( mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
- mpi_shift_r( &ctx->Vi, 1 );
-
- if( count++ > 10 )
- return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
- }
- while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
- }
-
- /*
- * If X did not change, update Vf by squaring it too
- */
- if( mpi_cmp_mpi( &ctx->X, &ctx->_X ) == 0 )
- {
- MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
- MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
return( 0 );
}
/*
- * Otherwise, compute Vf from scratch
+ * Ok, we need blinding. Can we re-use existing values?
+ * If yes, just update them by squaring them.
*/
+ if( mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
+ {
+ MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+ MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
+
+ MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
+ MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+
+ return( 0 );
+ }
+
+ /*
+ * We need to generate blinding values from scratch
+ */
+
+ /* Vi = random( 2, P-1 ) */
+ count = 0;
+ do
+ {
+ mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );
+
+ while( mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
+ mpi_shift_r( &ctx->Vi, 1 );
+
+ if( count++ > 10 )
+ return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
+ }
+ while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
/* Vf = Vi^-X mod P */
MPI_CHK( mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
MPI_CHK( mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
- /* Remember secret associated with Vi and Vf */
- MPI_CHK( mpi_copy( &ctx->_X, &ctx->X ) );;
-
cleanup:
return( ret );
}
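Review bot: The regeneration loop re-added here still ignores the status of `mpi_fill_random( &ctx->Vi, ... )` and of `mpi_shift_r( &ctx->Vi, 1 )`, while every other MPI call in the hunk goes through `MPI_CHK`; a failing `f_rng` would leave Vi holding whatever was there before and the loop would go on to derive Vf from it. Both calls return an int status in this library, so the fix is to wrap them: `MPI_CHK( mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng ) );` and `MPI_CHK( mpi_shift_r( &ctx->Vi, 1 ) );`. Related, and only inferable from this hunk: once an error returns through `cleanup`, Vi may already be a random value while Vf is still 1, so a later call would take the "re-use by squaring" path with mismatched blinding values; resetting Vi to 1 on the error path would make the next call regenerate from scratch. The function's signature and the meaning of a NULL `f_rng` are outside the hunk, so whether a NULL `f_rng` can reach this loop cannot be judged here.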
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 300001e..4cc28c3 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1702,11 +1702,10 @@
ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
- /* No blinding needed for DHE, but will be needed for fixed DH! */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
&ssl->handshake->pmslen,
- NULL, NULL ) ) != 0 )
+ ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( ret );
@@ -1834,9 +1833,8 @@
*(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
*(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
- /* No blinding needed since this is ephemeral DHM */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
- p, &n, NULL, NULL ) ) != 0 )
+ p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( ret );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 88afc84..0ef3423 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2373,7 +2373,7 @@
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
&ssl->handshake->pmslen,
- NULL, NULL ) ) != 0 )
+ ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
@@ -2460,7 +2460,7 @@
/* No blinding needed since this is ephemeral DHM */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
- p, &n, NULL, NULL ) ) != 0 )
+ p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
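Review bot: The comment `/* No blinding needed since this is ephemeral DHM */` left just above the call is now contradicted by the call itself, which passes `ssl->f_rng, ssl->p_rng` so that dhm_calc_secret can blind. The equivalent comments in ssl_cli.c are removed by this same commit, so this one should be removed as well, or reworded to `/* RNG passed so dhm_calc_secret can apply blinding when it needs to */`.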