diff options
| author | tb <> | 2018-11-05 20:18:21 +0000 |
|---|---|---|
| committer | tb <> | 2018-11-05 20:18:21 +0000 |
| commit | cf97742ffbfc84800478e34a8d383f39db8618e9 (patch) | |
| tree | 15bb018f88451b1ff3d30a3ff79a6062bbeb9da5 /src/lib/libcrypto/ec/ec_lib.c | |
| parent | 6b72d5e8e18c526ac7df6014aad4e30541eeb0cb (diff) | |
| download | openbsd-cf97742ffbfc84800478e34a8d383f39db8618e9.tar.gz openbsd-cf97742ffbfc84800478e34a8d383f39db8618e9.tar.bz2 openbsd-cf97742ffbfc84800478e34a8d383f39db8618e9.zip | |
Implement coordinate blinding for EC_POINT.
Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50
by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri.
ok beck jsing
commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb
Author: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Date: Sat Jun 16 17:07:40 2018 +0300
Implement coordinate blinding for EC_POINT
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.
This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.
Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.
For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.
For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6526)
Diffstat (limited to 'src/lib/libcrypto/ec/ec_lib.c')
| -rw-r--r-- | src/lib/libcrypto/ec/ec_lib.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c index 7e0ea017f9..bf2f652fc7 100644 --- a/src/lib/libcrypto/ec/ec_lib.c +++ b/src/lib/libcrypto/ec/ec_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec_lib.c,v 1.29 2018/07/16 17:32:39 tb Exp $ */ | 1 | /* $OpenBSD: ec_lib.c,v 1.30 2018/11/05 20:18:21 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Originally written by Bodo Moeller for the OpenSSL project. | 3 | * Originally written by Bodo Moeller for the OpenSSL project. |
| 4 | */ | 4 | */ |
| @@ -533,6 +533,23 @@ EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx) | |||
| 533 | return -1; | 533 | return -1; |
| 534 | } | 534 | } |
| 535 | 535 | ||
| 536 | /* | ||
| 537 | * Coordinate blinding for EC_POINT. | ||
| 538 | * | ||
| 539 | * The underlying EC_METHOD can optionally implement this function: | ||
| 540 | * underlying implementations should return 0 on errors, or 1 on success. | ||
| 541 | * | ||
| 542 | * This wrapper returns 1 in case the underlying EC_METHOD does not support | ||
| 543 | * coordinate blinding. | ||
| 544 | */ | ||
| 545 | int | ||
| 546 | ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx) | ||
| 547 | { | ||
| 548 | if (group->meth->blind_coordinates == NULL) | ||
| 549 | return 1; | ||
| 550 | |||
| 551 | return group->meth->blind_coordinates(group, p, ctx); | ||
| 552 | } | ||
| 536 | 553 | ||
| 537 | /* this has 'package' visibility */ | 554 | /* this has 'package' visibility */ |
| 538 | int | 555 | int |