[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Richard Levitte
levitte at openssl.org
Thu Jun 21 09:58:33 UTC 2018
The branch OpenSSL_1_1_0-stable has been updated
via 7b3e775a6a78650bbd3e8e19a5aa12981880402b (commit)
via cc39f9250957dfe6e9f1b62a4eca1863e8451483 (commit)
from 77b6b171a3b0a0f19ffcc8d4e682090fb88f0d10 (commit)
- Log -----------------------------------------------------------------
commit 7b3e775a6a78650bbd3e8e19a5aa12981880402b
Author: Billy Brumley <bbrumley at gmail.com>
Date: Wed Jun 20 10:56:37 2018 +0300
[crypto/ec] don't assume points are of order group->order
(cherry picked from commit 01fd5df77d401c87f926552ec24c0a09e5735006)
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)
commit cc39f9250957dfe6e9f1b62a4eca1863e8451483
Author: Andy Polyakov <appro at openssl.org>
Date: Mon May 7 10:27:45 2018 +0200
ec/ec_mult.c: get BN_CTX_start,end sequence right.
Triggered by Coverity analysis.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit 7d859d1c8868b81c5d810021af0b40f355af4e1f)
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/ec_mult.c | 32 +++++++++++++++++---------------
test/evptests.txt | 29 +++++++++++++++++++++++++++++
2 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index cac9591..106e754 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -136,17 +136,18 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
const BIGNUM *scalar, const EC_POINT *point,
BN_CTX *ctx)
{
- int i, order_bits, group_top, kbit, pbit, Z_is_one;
+ int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
EC_POINT *s = NULL;
BIGNUM *k = NULL;
BIGNUM *lambda = NULL;
+ BIGNUM *cardinality = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
- goto err;
+ return 0;
- order_bits = BN_num_bits(group->order);
+ BN_CTX_start(ctx);
s = EC_POINT_new(group);
if (s == NULL)
@@ -162,19 +163,20 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
- BN_CTX_start(ctx);
+ cardinality = BN_CTX_get(ctx);
lambda = BN_CTX_get(ctx);
k = BN_CTX_get(ctx);
- if (k == NULL)
+ if (k == NULL || !BN_mul(cardinality, group->order, group->cofactor, ctx))
goto err;
/*
- * Group orders are often on a word boundary.
+ * Group cardinalities are often on a word boundary.
* So when we pad the scalar, some timing diff might
* pop if it needs to be expanded due to carries.
* So expand ahead of time.
*/
- group_top = bn_get_top(group->order);
+ cardinality_bits = BN_num_bits(cardinality);
+ group_top = bn_get_top(cardinality);
if ((bn_wexpand(k, group_top + 1) == NULL)
|| (bn_wexpand(lambda, group_top + 1) == NULL))
goto err;
@@ -184,25 +186,25 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
BN_set_flags(k, BN_FLG_CONSTTIME);
- if ((BN_num_bits(k) > order_bits) || (BN_is_negative(k))) {
+ if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) {
/*-
* this is an unusual input, and we don't guarantee
* constant-timeness
*/
- if (!BN_nnmod(k, k, group->order, ctx))
+ if (!BN_nnmod(k, k, cardinality, ctx))
goto err;
}
- if (!BN_add(lambda, k, group->order))
+ if (!BN_add(lambda, k, cardinality))
goto err;
BN_set_flags(lambda, BN_FLG_CONSTTIME);
- if (!BN_add(k, lambda, group->order))
+ if (!BN_add(k, lambda, cardinality))
goto err;
/*
- * lambda := scalar + order
- * k := scalar + 2*order
+ * lambda := scalar + cardinality
+ * k := scalar + 2*cardinality
*/
- kbit = BN_is_bit_set(lambda, order_bits);
+ kbit = BN_is_bit_set(lambda, cardinality_bits);
BN_consttime_swap(kbit, k, lambda, group_top + 1);
group_top = bn_get_top(group->field);
@@ -292,7 +294,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
* This is XOR. pbit tracks the previous bit of k.
*/
- for (i = order_bits - 1; i >= 0; i--) {
+ for (i = cardinality_bits - 1; i >= 0; i--) {
kbit = BN_is_bit_set(k, i) ^ pbit;
EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
if (!EC_POINT_add(group, s, r, s, ctx))
diff --git a/test/evptests.txt b/test/evptests.txt
index fd8d98d..fea0a77 100644
--- a/test/evptests.txt
+++ b/test/evptests.txt
@@ -19144,6 +19144,35 @@ PeerKey=KAS-ECC-CDH_B-571_C24-Peer-PUBLIC
Ctrl=ecdh_cofactor_mode:1
SharedSecret=02da266a269bdc8d8b2a0c6bb5762f102fc801c8d5394a9271539136bd81d4b69cfbb7525cd0a983fb7f7e9deec583b8f8e574c6184b2d79831ec770649e484dc006fa35b0bffd0b
+# for cofactor-order points, ECC CDH (co-factor ECDH) should fail. Test that.
+
+PrivateKey=ALICE_cf_sect283k1
+-----BEGIN PRIVATE KEY-----
+MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAHtPwRfQZ9pWgSctyHdt
+xt3pd8ESMI3ugVx8MDLkiVB8GkCRoUwDSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3
+n68A32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM
+8uKr
+-----END PRIVATE KEY-----
+
+PublicKey=ALICE_cf_sect283k1_PUB
+-----BEGIN PUBLIC KEY-----
+MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3n68A
+32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM8uKr
+-----END PUBLIC KEY-----
+
+PublicKey=BOB_cf_sect283k1_PUB
+-----BEGIN PUBLIC KEY-----
+MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB
+-----END PUBLIC KEY-----
+
+PrivPubKeyPair = ALICE_cf_sect283k1:ALICE_cf_sect283k1_PUB
+
+# ECDH Alice with Bob peer
+Derive=ALICE_cf_sect283k1
+PeerKey=BOB_cf_sect283k1_PUB
+Ctrl=ecdh_cofactor_mode:1
+Result = DERIVE_ERROR
# Test mismatches
PrivPubKeyPair = Alice-25519:Bob-25519-PUBLIC
More information about the openssl-commits
mailing list