diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libcrypto/ec/ec_lib.c | 34 |
1 files changed, 21 insertions, 13 deletions
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c index 315a8130cf..36f42ecc05 100644 --- a/src/lib/libcrypto/ec/ec_lib.c +++ b/src/lib/libcrypto/ec/ec_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec_lib.c,v 1.121 2025/03/09 15:42:19 tb Exp $ */ | 1 | /* $OpenBSD: ec_lib.c,v 1.126 2025/08/02 15:47:27 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Originally written by Bodo Moeller for the OpenSSL project. | 3 | * Originally written by Bodo Moeller for the OpenSSL project. |
| 4 | */ | 4 | */ |
| @@ -68,12 +68,12 @@ | |||
| 68 | 68 | ||
| 69 | #include <openssl/bn.h> | 69 | #include <openssl/bn.h> |
| 70 | #include <openssl/ec.h> | 70 | #include <openssl/ec.h> |
| 71 | #include <openssl/err.h> | ||
| 72 | #include <openssl/objects.h> | 71 | #include <openssl/objects.h> |
| 73 | #include <openssl/opensslv.h> | 72 | #include <openssl/opensslv.h> |
| 74 | 73 | ||
| 75 | #include "bn_local.h" | 74 | #include "bn_local.h" |
| 76 | #include "ec_local.h" | 75 | #include "ec_local.h" |
| 76 | #include "err_local.h" | ||
| 77 | 77 | ||
| 78 | EC_GROUP * | 78 | EC_GROUP * |
| 79 | EC_GROUP_new(const EC_METHOD *meth) | 79 | EC_GROUP_new(const EC_METHOD *meth) |
| @@ -165,6 +165,10 @@ EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src) | |||
| 165 | 165 | ||
| 166 | dst->a_is_minus3 = src->a_is_minus3; | 166 | dst->a_is_minus3 = src->a_is_minus3; |
| 167 | 167 | ||
| 168 | memcpy(&dst->fm, &src->fm, sizeof(src->fm)); | ||
| 169 | memcpy(&dst->fe_a, &src->fe_a, sizeof(src->fe_a)); | ||
| 170 | memcpy(&dst->fe_b, &src->fe_b, sizeof(src->fe_b)); | ||
| 171 | |||
| 168 | BN_MONT_CTX_free(dst->mont_ctx); | 172 | BN_MONT_CTX_free(dst->mont_ctx); |
| 169 | dst->mont_ctx = NULL; | 173 | dst->mont_ctx = NULL; |
| 170 | if (src->mont_ctx != NULL) { | 174 | if (src->mont_ctx != NULL) { |
| @@ -860,6 +864,10 @@ EC_POINT_copy(EC_POINT *dst, const EC_POINT *src) | |||
| 860 | return 0; | 864 | return 0; |
| 861 | dst->Z_is_one = src->Z_is_one; | 865 | dst->Z_is_one = src->Z_is_one; |
| 862 | 866 | ||
| 867 | memcpy(&dst->fe_x, &src->fe_x, sizeof(dst->fe_x)); | ||
| 868 | memcpy(&dst->fe_y, &src->fe_y, sizeof(dst->fe_y)); | ||
| 869 | memcpy(&dst->fe_z, &src->fe_z, sizeof(dst->fe_z)); | ||
| 870 | |||
| 863 | return 1; | 871 | return 1; |
| 864 | } | 872 | } |
| 865 | LCRYPTO_ALIAS(EC_POINT_copy); | 873 | LCRYPTO_ALIAS(EC_POINT_copy); |
| @@ -894,11 +902,7 @@ EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) | |||
| 894 | ECerror(EC_R_INCOMPATIBLE_OBJECTS); | 902 | ECerror(EC_R_INCOMPATIBLE_OBJECTS); |
| 895 | return 0; | 903 | return 0; |
| 896 | } | 904 | } |
| 897 | 905 | return point->meth->point_set_to_infinity(group, point); | |
| 898 | BN_zero(point->Z); | ||
| 899 | point->Z_is_one = 0; | ||
| 900 | |||
| 901 | return 1; | ||
| 902 | } | 906 | } |
| 903 | LCRYPTO_ALIAS(EC_POINT_set_to_infinity); | 907 | LCRYPTO_ALIAS(EC_POINT_set_to_infinity); |
| 904 | 908 | ||
| @@ -1200,8 +1204,7 @@ EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) | |||
| 1200 | ECerror(EC_R_INCOMPATIBLE_OBJECTS); | 1204 | ECerror(EC_R_INCOMPATIBLE_OBJECTS); |
| 1201 | return 0; | 1205 | return 0; |
| 1202 | } | 1206 | } |
| 1203 | 1207 | return point->meth->point_is_at_infinity(group, point); | |
| 1204 | return BN_is_zero(point->Z); | ||
| 1205 | } | 1208 | } |
| 1206 | LCRYPTO_ALIAS(EC_POINT_is_at_infinity); | 1209 | LCRYPTO_ALIAS(EC_POINT_is_at_infinity); |
| 1207 | 1210 | ||
| @@ -1319,6 +1322,11 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, | |||
| 1319 | goto err; | 1322 | goto err; |
| 1320 | } | 1323 | } |
| 1321 | 1324 | ||
| 1325 | if (g_scalar != NULL && group->generator == NULL) { | ||
| 1326 | ECerror(EC_R_UNDEFINED_GENERATOR); | ||
| 1327 | goto err; | ||
| 1328 | } | ||
| 1329 | |||
| 1322 | if (g_scalar != NULL && point == NULL && p_scalar == NULL) { | 1330 | if (g_scalar != NULL && point == NULL && p_scalar == NULL) { |
| 1323 | /* | 1331 | /* |
| 1324 | * In this case we want to compute g_scalar * GeneratorPoint: | 1332 | * In this case we want to compute g_scalar * GeneratorPoint: |
| @@ -1328,8 +1336,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, | |||
| 1328 | * secret. This is why we ignore if BN_FLG_CONSTTIME is actually | 1336 | * secret. This is why we ignore if BN_FLG_CONSTTIME is actually |
| 1329 | * set and we always call the constant time version. | 1337 | * set and we always call the constant time version. |
| 1330 | */ | 1338 | */ |
| 1331 | ret = group->meth->mul_single_ct(group, r, g_scalar, | 1339 | ret = group->meth->mul_single_ct(group, r, |
| 1332 | group->generator, ctx); | 1340 | g_scalar, group->generator, ctx); |
| 1333 | } else if (g_scalar == NULL && point != NULL && p_scalar != NULL) { | 1341 | } else if (g_scalar == NULL && point != NULL && p_scalar != NULL) { |
| 1334 | /* | 1342 | /* |
| 1335 | * In this case we want to compute p_scalar * GenericPoint: | 1343 | * In this case we want to compute p_scalar * GenericPoint: |
| @@ -1347,8 +1355,8 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, | |||
| 1347 | * this codepath is reached most prominently by ECDSA signature | 1355 | * this codepath is reached most prominently by ECDSA signature |
| 1348 | * verification. So we call the non-ct version. | 1356 | * verification. So we call the non-ct version. |
| 1349 | */ | 1357 | */ |
| 1350 | ret = group->meth->mul_double_nonct(group, r, g_scalar, | 1358 | ret = group->meth->mul_double_nonct(group, r, |
| 1351 | p_scalar, point, ctx); | 1359 | g_scalar, group->generator, p_scalar, point, ctx); |
| 1352 | } else { | 1360 | } else { |
| 1353 | /* Anything else is an error. */ | 1361 | /* Anything else is an error. */ |
| 1354 | ECerror(ERR_R_EC_LIB); | 1362 | ECerror(ERR_R_EC_LIB); |