[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Emilia Kasper emilia at openssl.org
Fri Apr 24 15:41:04 UTC 2015


The branch OpenSSL_1_0_2-stable has been updated
       via  7238a82c8ae4dbf9043cb7c253f796615b3277a6 (commit)
      from  6e5d13076503e9ec7f1c2c690339f99284b7d283 (commit)


- Log -----------------------------------------------------------------
commit 7238a82c8ae4dbf9043cb7c253f796615b3277a6
Author: Emilia Kasper <emilia at openssl.org>
Date:   Fri Apr 24 15:19:15 2015 +0200

    Correctly set Z_is_one on the return value in the NISTZ256 implementation.
    
    Also add a few comments about constant-timeness.
    
    Thanks to Brian Smith for reporting this issue.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ecp_nistz256.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index 2cd6599..911c2a6 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -589,6 +589,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
     for (i = 0; i < num; i++) {
         P256_POINT *row = table[i];
 
+        /* This is an unusual input, we don't guarantee constant-timeness. */
         if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) {
             BIGNUM *mod;
 
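Review bot: The new comment above the `(BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])` check in ecp_nistz256_windowed_mul says "unusual input" without telling a caller what that means for them. Suggest naming the condition in the comment (a scalar wider than 256 bits, or a negative one) and stating that a caller holding a secret scalar has to keep it in range itself if it relies on constant-time behaviour, since whether this branch is taken depends on the scalar. The same caveat is worth repeating in the function's header comment, where callers are more likely to read it.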
@@ -1300,9 +1301,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
     memcpy(r->X.d, p.p.X, sizeof(p.p.X));
     memcpy(r->Y.d, p.p.Y, sizeof(p.p.Y));
     memcpy(r->Z.d, p.p.Z, sizeof(p.p.Z));
+    /* Not constant-time, but we're only operating on the public output. */
     bn_correct_top(&r->X);
     bn_correct_top(&r->Y);
     bn_correct_top(&r->Z);
+    r->Z_is_one = is_one(p.p.Z);
 
     ret = 1;
 
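Review bot: The `r->Z_is_one = is_one(p.p.Z);` assignment at the end of ecp_nistz256_points_mul arrives without a regression test; the summary lists crypto/ec/ecp_nistz256.c as the only file changed. Suggest adding a test that runs a multiplication through this path and checks that the Z_is_one flag on the returned point agrees with its Z coordinate, so a stale flag is caught if this code is touched again. Separately, the "Not constant-time, but we're only operating on the public output" comment sits above the bn_correct_top calls while the new is_one call follows them with no note of its own; either say that the comment covers is_one as well or move the assignment directly under it.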

