[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
nic.tuv at gmail.com
nic.tuv at gmail.com
Fri Aug 24 15:17:17 UTC 2018
The branch OpenSSL_1_1_0-stable has been updated
via 5eee95a54de6854e60886c8e662a902184b12d04 (commit)
from 837017b4748d587912d9d218894644d6ca86721f (commit)
- Log -----------------------------------------------------------------
commit 5eee95a54de6854e60886c8e662a902184b12d04
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date: Tue Aug 21 00:50:01 2018 +0300
Backport #6648 to OpenSSL_1_1_0-stable
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7015)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/ec_mult.c | 46 ++++++++++++++++++++++++----------------------
1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 56c7767..71ec910 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -382,30 +382,32 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
return EC_POINT_set_to_infinity(group, r);
}
- /*-
- * Handle the common cases where the scalar is secret, enforcing a constant
- * time scalar multiplication algorithm.
- */
- if ((scalar != NULL) && (num == 0)) {
- /*-
- * In this case we want to compute scalar * GeneratorPoint: this
- * codepath is reached most prominently by (ephemeral) key generation
- * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
- * keygen/first half), where the scalar is always secret. This is why
- * we ignore if BN_FLG_CONSTTIME is actually set and we always call the
- * constant time version.
- */
- return ec_mul_consttime(group, r, scalar, NULL, ctx);
- }
- if ((scalar == NULL) && (num == 1)) {
+ if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor)) {
/*-
- * In this case we want to compute scalar * GenericPoint: this codepath
- * is reached most prominently by the second half of ECDH, where the
- * secret scalar is multiplied by the peer's public point. To protect
- * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
- * we always call the constant time version.
+ * Handle the common cases where the scalar is secret, enforcing a constant
+ * time scalar multiplication algorithm.
*/
- return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+ if ((scalar != NULL) && (num == 0)) {
+ /*-
+ * In this case we want to compute scalar * GeneratorPoint: this
+ * codepath is reached most prominently by (ephemeral) key generation
+ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
+ * keygen/first half), where the scalar is always secret. This is why
+ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the
+ * constant time version.
+ */
+ return ec_mul_consttime(group, r, scalar, NULL, ctx);
+ }
+ if ((scalar == NULL) && (num == 1)) {
+ /*-
+ * In this case we want to compute scalar * GenericPoint: this codepath
+ * is reached most prominently by the second half of ECDH, where the
+ * secret scalar is multiplied by the peer's public point. To protect
+ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
+ * we always call the constant time version.
+ */
+ return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+ }
}
for (i = 0; i < num; i++) {
More information about the openssl-commits
mailing list