[openssl-dev] ecp_nistz256 correctness/constant-timedness

Emilia Käsper emilia at openssl.org
Tue Apr 28 10:54:58 UTC 2015


On Sun, Apr 26, 2015 at 10:37 PM, Brian Smith <brian at briansmith.org> wrote:

> On Fri, Apr 24, 2015 at 5:54 AM, Emilia Käsper <emilia at openssl.org> wrote:
>
>> commit c028254b12 fixes 1., 2. and 3. (also applied to 1.0.2).
>> commit 53dd4ddf71 fixes 5 and some of 4.
>>
>> Still ploughing my way through the rest of error checking.
>>
>>
>
> Great.
>
> I want to call your attention to one particularly non-obvious failure to
> handle errors correctly:
>
> static void ecp_nistz256_windowed_mul([...], P256_POINT *r, [...])
> {
>     [...]
>
>     if ((num * 16 + 6) > OPENSSL_MALLOC_MAX_NELEMS(P256_POINT)
>         || (table_storage =
>             OPENSSL_malloc((num * 16 + 5) * sizeof(P256_POINT) + 64)) == NULL
>         || (p_str =
>             OPENSSL_malloc(num * 33 * sizeof(unsigned char))) == NULL
>         || (scalars = OPENSSL_malloc(num * sizeof(BIGNUM *))) == NULL) {
>         ECerr(EC_F_ECP_NISTZ256_WINDOWED_MUL, ERR_R_MALLOC_FAILURE);
>         goto err;
>     }
>
>     [...]
>
> err:
>     [...]
> }
>
> ecp_nistz256_windowed_mul checks for errors, but it doesn't report the
> fact that an error occurred to the caller, because it has return type
> |void|. And, the caller doesn't check that ecp_nistz256_windowed_mul
> failed; it can't because of the void return type.
>

Thanks again, I would have missed that!

I hope I got it all now. Scroll past commit 5956b110e3 (master) or
07977739f0 (1.0.2) for all the changes.

Cheers,
Emilia



> Cheers,
> Brian
>
>
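The failure mode discussed in this thread, as an added C example that is not OpenSSL's code and not part of the original messages: an internal routine that detects an allocation or size-limit failure but has return type `void`, next to the same routine returning a status that its caller propagates. `point_t`, `MAX_NELEMS`, `windowed_mul`, `windowed_mul_void`, `points_mul` and `points_mul_unchecked` are hypothetical names, and the point arithmetic is replaced by a placeholder write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for P256_POINT; not OpenSSL's definition. */
typedef struct { uint64_t X[4], Y[4], Z[4]; } point_t;

/* Largest element count whose byte size still fits in size_t. */
#define MAX_NELEMS (SIZE_MAX / sizeof(point_t))

/* Fixed shape: returns 1 on success, 0 on failure, so the caller can tell
 * whether *r was written. */
static int windowed_mul(size_t num, point_t *r)
{
    point_t *table = NULL;
    int ret = 0;

    /* Overflow-safe form of "num * 16 + 6 > MAX_NELEMS". */
    if (num > (MAX_NELEMS - 6) / 16)
        goto err;
    table = malloc((num * 16 + 5) * sizeof(point_t) + 64);
    if (table == NULL)
        goto err;

    memset(r, 0, sizeof(*r));   /* placeholder for the real computation */
    r->Z[0] = 1;
    ret = 1;
err:
    free(table);
    return ret;
}

/* "Before" shape: same checks, but the void return type discards the result. */
static void windowed_mul_void(size_t num, point_t *r)
{
    (void)windowed_mul(num, r);
}

/* Caller of the void version: nothing to check, so it reports success even
 * when *r still holds whatever the caller passed in. */
static int points_mul_unchecked(size_t num, point_t *r)
{
    windowed_mul_void(num, r);
    return 1;
}

/* Caller of the fixed version: the failure propagates. */
static int points_mul(size_t num, point_t *r)
{
    return windowed_mul(num, r);
}
```

With the `void` variant, a failed call leaves the output point untouched while the caller reports success, so stale or uninitialized data is treated as a valid result.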