generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Correctly set Z_is_one on the return value in the NISTZ256 implementation.

Browse Source 
Also add a few comments about constant-timeness.

Thanks to Brian Smith for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Emilia Kasper 2015-04-24 15:19:15 +02:00
parent 6e5d130765
commit 7238a82c8a
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
crypto/ec/ecp_nistz256.c
View File

@ -589,6 +589,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
for (i = 0; i < num; i++) { for (i = 0; i < num; i++) {
P256_POINT *row = table[i]; P256_POINT *row = table[i];
/* This is an unusual input, we don't guarantee constant-timeness. */
if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) { if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) {
BIGNUM *mod; BIGNUM *mod;
@ -1300,9 +1301,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
memcpy(r->X.d, p.p.X, sizeof(p.p.X)); memcpy(r->X.d, p.p.X, sizeof(p.p.X));
memcpy(r->Y.d, p.p.Y, sizeof(p.p.Y)); memcpy(r->Y.d, p.p.Y, sizeof(p.p.Y));
memcpy(r->Z.d, p.p.Z, sizeof(p.p.Z)); memcpy(r->Z.d, p.p.Z, sizeof(p.p.Z));
/* Not constant-time, but we're only operating on the public output. */
bn_correct_top(&r->X); bn_correct_top(&r->X);
bn_correct_top(&r->Y); bn_correct_top(&r->Y);
bn_correct_top(&r->Z); bn_correct_top(&r->Z);
r->Z_is_one = is_one(p.p.Z);
ret = 1; ret = 1;