[openssl] OpenSSL_1_1_1-stable update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Sun Apr 14 09:27:11 UTC 2019


The branch OpenSSL_1_1_1-stable has been updated
       via  e861d659c0b2ddccc5eff577b322d2fd4a8f9616 (commit)
      from  dbd233b8038a0daba891335548d95a0d6f26807d (commit)


- Log -----------------------------------------------------------------
commit e861d659c0b2ddccc5eff577b322d2fd4a8f9616
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Fri Apr 12 14:28:00 2019 +0200

    Don't use coordinate blinding when scalar is group order
    
    This happens in ec_key_simple_check_key and EC_GROUP_check.
    Since the group order is not a secret scalar, it is
    unnecessary to use coordinate blinding.
    
    Fixes: #8731
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/8734)
    
    (cherry picked from commit 3051bf2afab7ac8b7b9c64e68755d1addd2fb8ff)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_mult.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index ce5796d..11c7be1 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
          * scalar multiplication implementation based on a Montgomery ladder,
          * with various timing attack defenses.
          */
-        if ((scalar != NULL) && (num == 0)) {
+        if ((scalar != group->order) && (scalar != NULL) && (num == 0)) {
             /*-
              * In this case we want to compute scalar * GeneratorPoint: this
              * codepath is reached most prominently by (ephemeral) key
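Review bot: `scalar != group->order` in the changed condition compares pointers, not values, so the ladder is skipped only when the caller passes the group's own order BIGNUM. A separately allocated BIGNUM holding the same value still takes the ladder path. That errs on the safe side, but the reliance on pointer identity should be stated in the comment block under the condition so a later reader does not replace it with `BN_cmp` or assume it covers copies of the order.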
@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
              */
             return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
         }
-        if ((scalar == NULL) && (num == 1)) {
+        if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) {
             /*-
              * In this case we want to compute scalar * VariablePoint: this
              * codepath is reached most prominently by the second half of ECDH,
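Review bot: the comment block under the changed condition is left as it was, so nothing in the code records why `scalars[0] != group->order` is excluded from the ladder path. Please add a sentence there giving the reason from the commit message (the group order is not a secret scalar, so blinding is unnecessary). The new test is correctly placed after `num == 1`, so `scalars[0]` is read only when an element exists, but it sits last here and first in the previous condition. Using the same position in both would make the two checks easier to read as a pair.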

