[openssl-commits] [openssl] master update

Andy Polyakov appro at openssl.org
Mon Jun 25 14:41:17 UTC 2018


The branch master has been updated
       via  469c2c4a455007ca3465b64e88a1dcfc864e3f0e (commit)
       via  5a2124620cb2893b2d5c40be75579cd9c35c839c (commit)
      from  c35e96691ff3415e68531076ff9f011703524c0a (commit)


- Log -----------------------------------------------------------------
commit 469c2c4a455007ca3465b64e88a1dcfc864e3f0e
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date:   Thu Jun 21 19:15:50 2018 +0300

    Use ec_group_do_inverse_ord() in SM2
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6521)

commit 5a2124620cb2893b2d5c40be75579cd9c35c839c
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date:   Thu Jun 21 19:08:50 2018 +0300

    Add inter-module private header for EC functions
    
    Internal submodules of libcrypto may require non-public functions from
    the EC submodule.
    
    In preparation to use `ec_group_do_inverse_ord()` (from #6116) inside
    the SM2 submodule to apply a SCA mitigation on the modular inversion,
    this commit moves the `ec_group_do_inverse_ord()` prototype declaration
    from the EC-local `crypto/ec/ec_lcl.h` header to the
    `crypto/include/internal/ec_int.h` inter-module private header.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6521)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_lcl.h               |  4 +---
 crypto/include/internal/ec_int.h | 45 ++++++++++++++++++++++++++++++++++++++++
 crypto/sm2/sm2_sign.c            |  3 ++-
 3 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 crypto/include/internal/ec_int.h

diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index cf29c7c..ae38029 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -14,6 +14,7 @@
 #include <openssl/ec.h>
 #include <openssl/bn.h>
 #include "internal/refcount.h"
+#include "internal/ec_int.h"
 #include "curve448/curve448_lcl.h"
 
 #if defined(__SUNPRO_C)
@@ -636,7 +637,4 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
 void X25519_public_from_private(uint8_t out_public_value[32],
                                 const uint8_t private_key[32]);
 
-int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
-                            const BIGNUM *x, BN_CTX *ctx);
-
 int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
diff --git a/crypto/include/internal/ec_int.h b/crypto/include/internal/ec_int.h
new file mode 100644
index 0000000..bb4b512
--- /dev/null
+++ b/crypto/include/internal/ec_int.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Internal EC functions for other submodules: not for application use */
+
+#ifndef HEADER_OSSL_EC_INTERNAL_H
+# define HEADER_OSSL_EC_INTERNAL_H
+# include <openssl/opensslconf.h>
+
+# ifndef OPENSSL_NO_EC
+
+#  include <openssl/ec.h>
+
+/*-
+ * Computes the multiplicative inverse of x in the range
+ * [1,EC_GROUP::order), where EC_GROUP::order is the cardinality of the
+ * subgroup generated by the generator G:
+ *
+ *         res := x^(-1) (mod EC_GROUP::order).
+ *
+ * This function expects the following two conditions to hold:
+ *  - the EC_GROUP order is prime, and
+ *  - x is included in the range [1, EC_GROUP::order).
+ *
+ * This function returns 1 on success, 0 on error.
+ *
+ * If the EC_GROUP order is even, this function explicitly returns 0 as
+ * an error.
+ * In case any of the two conditions stated above is not satisfied,
+ * the correctness of its output is not guaranteed, even if the return
+ * value could still be 1 (as primality testing and a conditional modular
+ * reduction round on the input can be omitted by the underlying
+ * implementations for better SCA properties on regular input values).
+ */
+__owur int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
+                                   const BIGNUM *x, BN_CTX *ctx);
+
+# endif /* OPENSSL_NO_EC */
+#endif
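Review bot: The contract comment above `ec_group_do_inverse_ord()` does not say whether `res` may alias `x`, yet the SM2 caller in this same commit invokes it in place as `ec_group_do_inverse_ord(group, s, s, ctx)`. Since the implementations in crypto/ec are not visible here, I would either add a line such as `* res and x may refer to the same BIGNUM (in-place inversion is supported).` once that is confirmed, or have the caller use a temporary. A second, minor point: `__owur` is defined in `<openssl/e_os2.h>`; it is presumably reached through `<openssl/ec.h>`, but including it directly would make this header self-contained.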
diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c
index 9d19054..14576ca 100644
--- a/crypto/sm2/sm2_sign.c
+++ b/crypto/sm2/sm2_sign.c
@@ -11,6 +11,7 @@
 
 #include "internal/sm2.h"
 #include "internal/sm2err.h"
+#include "internal/ec_int.h" /* ec_group_do_inverse_ord() */
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -133,7 +134,7 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
             continue;
 
         if (!BN_add(s, dA, BN_value_one())
-                || !BN_mod_inverse(s, s, order, ctx)
+                || !ec_group_do_inverse_ord(group, s, s, ctx)
                 || !BN_mod_mul(tmp, dA, r, order, ctx)
                 || !BN_sub(tmp, k, tmp)
                 || !BN_mod_mul(s, s, tmp, order, ctx)) {
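Review bot: The operand passed to the new inverse call is `s = dA + 1`, which is not reduced modulo `order` before the call, while the contract of `ec_group_do_inverse_ord()` introduced in this commit only guarantees a correct result for `x` in [1, order). The replaced `BN_mod_inverse()` reduced its input and failed on a non-invertible value, so a private key outside the SM2 range [1, n-2] (dA = n-1 gives dA + 1 ≡ 0 mod n) previously surfaced as an error and may now produce an unspecified `s`. If `dA` is not validated against that range elsewhere (I cannot see that from this hunk), an explicit guard treating `BN_is_zero(s) || BN_cmp(s, order) >= 0` as an error before the inversion, or at least a comment stating that correctness relies on prior key validation, would close the gap. sm2_sig_gen() begins and ends outside this hunk.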

