Implement coordinate blinding for EC_POINT.

Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50
by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri.

ok beck jsing

commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb
Author: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Date:   Sat Jun 16 17:07:40 2018 +0300

    Implement coordinate blinding for EC_POINT

    This commit implements coordinate blinding, i.e., it randomizes the
    representative of an elliptic curve point in its equivalence class, for
    prime curves implemented through EC_GFp_simple_method,
    EC_GFp_mont_method, and EC_GFp_nist_method.

    This commit is derived from the patch
    https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.

    Coordinate blinding is a generally useful side-channel countermeasure
    and is (mostly) free. The function itself takes a few field
    multiplicationss, but is usually only necessary at the beginning of a
    scalar multiplication (as implemented in the patch). When used this way,
    it makes the values that variables take (i.e., field elements in an
    algorithm state) unpredictable.

    For instance, this mitigates chosen EC point side-channel attacks for
    settings such as ECDH and EC private key decryption, for the
    aforementioned curves.

    For EC_METHODs using different coordinate representations this commit
    does nothing, but the corresponding coordinate blinding function can be
    easily added in the future to extend these changes to such curves.

    Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
    Co-authored-by: Billy Brumley <bbrumley@gmail.com>

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
    Reviewed-by: Andy Polyakov <appro@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6526)

1 files changed, 4 insertions, 1 deletions

diff --git a/src/lib/libcrypto/ec/ec_lcl.h b/src/lib/libcrypto/ec/ec_lcl.h
index e430b3f64d..c177246f36 100644
--- a/src/lib/libcrypto/ec/ec_lcl.h
+++ b/src/lib/libcrypto/ec/ec_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lcl.h,v 1.10 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ec_lcl.h,v 1.11 2018/11/05 20:18:21 tb Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -182,6 +182,7 @@ struct ec_method_st {
         int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */
         int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */
         int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+        int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
 } /* EC_METHOD */;
 
 typedef struct ec_extra_data_st {
@@ -339,6 +340,7 @@ int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
 int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
 int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
 int ec_GFp_simple_mul_generator_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *);
 int ec_GFp_simple_mul_single_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar,
         const EC_POINT *point, BN_CTX *);
@@ -358,6 +360,7 @@ int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CT
 int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
 int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
 
+int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
 
 /* method functions in ecp_nist.c */
 int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);