|
@@ -21,6 +21,15 @@
|
|
|
#include "ec_local.h"
|
|
|
#include "internal/deterministic_nonce.h"
|
|
|
|
|
|
+#define MIN_ECDSA_SIGN_ORDERBITS 64
|
|
|
+/*
|
|
|
+ * It is highly unlikely that a retry will happen,
|
|
|
+ * Multiple retries would indicate that something is wrong
|
|
|
+ * with the group parameters (which would normally only happen
|
|
|
+ * with a bad custom group).
|
|
|
+ */
|
|
|
+#define MAX_ECDSA_SIGN_RETRIES 8
|
|
|
+
|
|
|
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
|
|
|
BIGNUM **kinvp, BIGNUM **rp,
|
|
|
const unsigned char *dgst, int dlen,
|
|
@@ -157,13 +166,15 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
|
|
|
|
|
|
/* Preallocate space */
|
|
|
order_bits = BN_num_bits(order);
|
|
|
- if (!BN_set_bit(k, order_bits)
|
|
|
+ /* Check the number of bits here so that an infinite loop is not possible */
|
|
|
+ if (order_bits < MIN_ECDSA_SIGN_ORDERBITS
|
|
|
+ || !BN_set_bit(k, order_bits)
|
|
|
|| !BN_set_bit(r, order_bits)
|
|
|
|| !BN_set_bit(X, order_bits))
|
|
|
goto err;
|
|
|
|
|
|
do {
|
|
|
- /* get random or determinstic value of k */
|
|
|
+ /* get random or deterministic value of k */
|
|
|
do {
|
|
|
int res = 0;
|
|
|
|
|
@@ -243,6 +254,7 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
|
EC_KEY *eckey)
|
|
|
{
|
|
|
int ok = 0, i;
|
|
|
+ int retries = 0;
|
|
|
BIGNUM *kinv = NULL, *s, *m = NULL;
|
|
|
const BIGNUM *order, *ckinv;
|
|
|
BN_CTX *ctx = NULL;
|
|
@@ -353,6 +365,11 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
|
ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES);
|
|
|
goto err;
|
|
|
}
|
|
|
+ /* Avoid infinite loops cause by invalid group parameters */
|
|
|
+ if (retries++ > MAX_ECDSA_SIGN_RETRIES) {
|
|
|
+ ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES);
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
} else {
|
|
|
/* s != 0 => we have a valid signature */
|
|
|
break;
|