diff options
| author | tb <> | 2018-07-23 18:24:22 +0000 |
|---|---|---|
| committer | tb <> | 2018-07-23 18:24:22 +0000 |
| commit | a414a4a58297604ed0b1b4f44bb62271788eb36c (patch) | |
| tree | 24b3b33e9a20ed5690fba25bdf488fc8a2ac11e3 | |
| parent | ce83f868728bea42458168feadca75b7580a116d (diff) | |
| download | openbsd-a414a4a58297604ed0b1b4f44bb62271788eb36c.tar.gz openbsd-a414a4a58297604ed0b1b4f44bb62271788eb36c.tar.bz2 openbsd-a414a4a58297604ed0b1b4f44bb62271788eb36c.zip | |
Use BN_swap_ct() instead of BN_consttime_swap() in
ec_GF2m_montgomery_point_multiply(). The new BN_swap_ct() API is an
improved version of the public BN_consttime_swap() function: it allows
error checking, doesn't assert(), and has fewer assumptions on the input.
This diff eliminates the last use of BN_consttime_swap() in our tree.
ok inoguchi, jsing
| -rw-r--r-- | src/lib/libcrypto/ec/ec2_mult.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c index b4f771b2b5..3e5d1dca85 100644 --- a/src/lib/libcrypto/ec/ec2_mult.c +++ b/src/lib/libcrypto/ec/ec2_mult.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec2_mult.c,v 1.12 2018/07/15 16:27:39 tb Exp $ */ | 1 | /* $OpenBSD: ec2_mult.c,v 1.13 2018/07/23 18:24:22 tb Exp $ */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. | 3 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
| 4 | * | 4 | * |
| @@ -71,6 +71,7 @@ | |||
| 71 | 71 | ||
| 72 | #include <openssl/err.h> | 72 | #include <openssl/err.h> |
| 73 | 73 | ||
| 74 | #include "bn_lcl.h" | ||
| 74 | #include "ec_lcl.h" | 75 | #include "ec_lcl.h" |
| 75 | 76 | ||
| 76 | #ifndef OPENSSL_NO_EC2M | 77 | #ifndef OPENSSL_NO_EC2M |
| @@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, | |||
| 324 | for (; i >= 0; i--) { | 325 | for (; i >= 0; i--) { |
| 325 | word = scalar->d[i]; | 326 | word = scalar->d[i]; |
| 326 | while (mask) { | 327 | while (mask) { |
| 327 | BN_consttime_swap(word & mask, x1, x2, group->field.top); | 328 | if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) |
| 328 | BN_consttime_swap(word & mask, z1, z2, group->field.top); | 329 | goto err; |
| 330 | if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) | ||
| 331 | goto err; | ||
| 329 | if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) | 332 | if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) |
| 330 | goto err; | 333 | goto err; |
| 331 | if (!gf2m_Mdouble(group, x1, z1, ctx)) | 334 | if (!gf2m_Mdouble(group, x1, z1, ctx)) |
| 332 | goto err; | 335 | goto err; |
| 333 | BN_consttime_swap(word & mask, x1, x2, group->field.top); | 336 | if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) |
| 334 | BN_consttime_swap(word & mask, z1, z2, group->field.top); | 337 | goto err; |
| 338 | if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) | ||
| 339 | goto err; | ||
| 335 | mask >>= 1; | 340 | mask >>= 1; |
| 336 | } | 341 | } |
| 337 | mask = BN_TBIT; | 342 | mask = BN_TBIT; |