[openssl] OpenSSL_1_1_1-stable update
nicola.tuveri at ibm.com
nicola.tuveri at ibm.com
Tue Apr 7 13:03:07 UTC 2020
The branch OpenSSL_1_1_1-stable has been updated
via 43c242b0f687fc48c57ae3d721960db28e079ef6 (commit)
from 5dc91f44a90b72f5c0a79ab9a19d0f2fa0bbac1f (commit)
- Log -----------------------------------------------------------------
commit 43c242b0f687fc48c57ae3d721960db28e079ef6
Author: Billy Brumley <bbrumley at gmail.com>
Date: Wed Apr 1 21:15:58 2020 +0300
[crypto/ec] blind coordinates in ec_wNAF_mul for robustness
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Nicola Tuveri <nicola.tuveri at ibm.com>
(Merged from https://github.com/openssl/openssl/pull/11439)
(cherry picked from commit c61ced5ec50fc68707c7cea79f7df1d170f03f13)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/ec_mult.c | 14 ++++++++++++++
crypto/ec/ecp_smpl.c | 42 ++++++++++++++++++++++--------------------
2 files changed, 36 insertions(+), 20 deletions(-)
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index d9b18b82de..d2e4773270 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -740,6 +740,20 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
if (r_is_at_infinity) {
if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
goto err;
+
+ /*-
+ * Apply coordinate blinding for EC_POINT.
+ *
+ * The underlying EC_METHOD can optionally implement this function:
+ * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
+ * success or if coordinate blinding is not implemented for this
+ * group.
+ */
+ if (!ec_point_blind_coordinates(group, r, ctx)) {
+ ECerr(EC_F_EC_WNAF_MUL, EC_R_POINT_COORDINATES_BLIND_FAILURE);
+ goto err;
+ }
+
r_is_at_infinity = 0;
} else {
if (!EC_POINT_add
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
index cb9be38fc1..6903db58ff 100644
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@@ -1432,36 +1432,38 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
temp = BN_CTX_get(ctx);
if (temp == NULL) {
ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
- goto err;
+ goto end;
}
- /* make sure lambda is not zero */
+ /*-
+ * Make sure lambda is not zero.
+ * If the RNG fails, we cannot blind but nevertheless want
+ * code to continue smoothly and not clobber the error stack.
+ */
do {
- if (!BN_priv_rand_range(lambda, group->field)) {
- ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB);
- goto err;
+ ERR_set_mark();
+ ret = BN_priv_rand_range(lambda, group->field);
+ ERR_pop_to_mark();
+ if (ret == 0) {
+ ret = 1;
+ goto end;
}
} while (BN_is_zero(lambda));
/* if field_encode defined convert between representations */
- if (group->meth->field_encode != NULL
- && !group->meth->field_encode(group, lambda, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx))
- goto err;
- if (!group->meth->field_sqr(group, temp, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->X, p->X, temp, ctx))
- goto err;
- if (!group->meth->field_mul(group, temp, temp, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
- goto err;
- p->Z_is_one = 0;
+ if ((group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, lambda, lambda, ctx))
+ || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
+ || !group->meth->field_sqr(group, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
+ || !group->meth->field_mul(group, temp, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
+ goto end;
+ p->Z_is_one = 0;
ret = 1;
- err:
+ end:
BN_CTX_end(ctx);
return ret;
}
More information about the openssl-commits
mailing list