[openssl-commits] [openssl] master update
Emilia Kasper
emilia at openssl.org
Fri Apr 24 15:41:04 UTC 2015
The branch master has been updated
via c028254b12a8ea0d0f8a677172eda2e2d78073f3 (commit)
from 8031d26b0cc7fb277288b106dc4850adf4d77a23 (commit)
- Log -----------------------------------------------------------------
commit c028254b12a8ea0d0f8a677172eda2e2d78073f3
Author: Emilia Kasper <emilia at openssl.org>
Date: Fri Apr 24 15:19:15 2015 +0200
Correctly set Z_is_one on the return value in the NISTZ256 implementation.
Also add a few comments about constant-timeness.
Thanks to Brian Smith for reporting this issue.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/ecp_nistz256.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index de9fbea..b6eec7d 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -587,6 +587,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
for (i = 0; i < num; i++) {
P256_POINT *row = table[i];
+ /* This is an unusual input, we don't guarantee constant-timeness. */
if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) {
BIGNUM *mod;
@@ -1331,9 +1332,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
bn_set_data(r->X, p.p.X, sizeof(p.p.X));
bn_set_data(r->Y, p.p.Y, sizeof(p.p.Y));
bn_set_data(r->Z, p.p.Z, sizeof(p.p.Z));
+ /* Not constant-time, but we're only operating on the public output. */
bn_correct_top(r->X);
bn_correct_top(r->Y);
bn_correct_top(r->Z);
+ r->Z_is_one = is_one(p.p.Z);
ret = 1;
More information about the openssl-commits
mailing list