[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Thu Jan 23 10:19:30 UTC 2020 

The branch master has been updated
       via  f10048301390283523d3d1623880be7518cf46ac (commit)
      from  2eb875c9257e508eb9fa2bb866c284d388d66cab (commit)


- Log -----------------------------------------------------------------
commit f10048301390283523d3d1623880be7518cf46ac
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Thu Jan 23 20:17:05 2020 +1000

    Check ECC-CDH is compliant with SP800-56A-r3
    
    Added comments and cleared an intermediate result.
    KAT tests already exist in evppkey.txt (Search for "KAS_ECC_CDH_PrimitiveTest")
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10838)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ecdh_ossl.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c
index 5c64ce1a15..30b8837187 100644
--- a/crypto/ec/ecdh_ossl.c
+++ b/crypto/ec/ecdh_ossl.c
@@ -31,9 +31,14 @@ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
 }
 
 /*-
- * This implementation is based on the following primitives in the IEEE 1363 standard:
+ * This implementation is based on the following primitives in the
+ * IEEE 1363 standard:
  *  - ECKAS-DH1
  *  - ECSVDP-DH
+ *
+ * It also conforms to SP800-56A r3
+ * See Section 5.7.1.2 "Elliptic Curve Cryptography Cofactor Diffie-Hellman
+ * (ECC CDH) Primitive:". The steps listed below refer to SP800-56A.
  */
 int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
                             const EC_POINT *pub_key, const EC_KEY *ecdh)
@@ -64,6 +69,10 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
 
     group = EC_KEY_get0_group(ecdh);
 
+    /*
+     * Step(1) - Compute the point tmp = cofactor * owners_private_key
+     *                                   * peer_public_key.
+     */
     if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) {
         if (!EC_GROUP_get_cofactor(group, x, NULL) ||
             !BN_mul(x, x, priv_key, ctx)) {
@@ -83,11 +92,20 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
         goto err;
     }
 
+    /*
+     * Step(2) : If point tmp is at infinity then clear intermediate values and
+     * exit. Note: getting affine coordinates returns 0 if point is at infinity.
+     * Step(3a) : Get x-coordinate of point x = tmp.x
+     */
     if (!EC_POINT_get_affine_coordinates(group, tmp, x, NULL, ctx)) {
         ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);
         goto err;
     }
 
+    /*
+     * Step(3b) : convert x to a byte string, using the field-element-to-byte
+     * string conversion routine defined in Appendix C.2
+     */
     buflen = (EC_GROUP_get_degree(group) + 7) / 8;
     len = BN_num_bytes(x);
     if (len > buflen) {
@@ -112,6 +130,8 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
     ret = 1;
 
  err:
+    /* Step(4) : Destroy all intermediate calculations */
+    BN_clear(x);
     EC_POINT_clear_free(tmp);
     BN_CTX_end(ctx);
     BN_CTX_free(ctx);

More information about the openssl-commits mailing list