Diffstat (limited to '')
-rw-r--r-- | src/lib/libcrypto/ec/ecp_smpl.c | 71 |
1 files changed, 68 insertions, 3 deletions
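--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.22 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.23 2018/11/05 20:18:21 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -107,7 +107,8 @@ EC_GFp_simple_method(void)
 .mul_single_ct = ec_GFp_simple_mul_single_ct,
 .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
 .field_mul = ec_GFp_simple_field_mul,
-.field_sqr = ec_GFp_simple_field_sqr
+.field_sqr = ec_GFp_simple_field_sqr,
+.blind_coordinates = ec_GFp_simple_blind_coordinates,
 };
 
 return &ret;
@@ -1406,13 +1407,70 @@ ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, co
 return BN_mod_mul(r, a, b, &group->field, ctx);
 }
 
-
 int
 ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)
 {
 return BN_mod_sqr(r, a, &group->field, ctx);
 }
 
+/*
+ * Apply randomization of EC point projective coordinates:
+ *
+ * (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z)
+ *
+ * where lambda is in the interval [1, group->field).
+ */
+int
+ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
+{
+BIGNUM *lambda = NULL;
+BIGNUM *tmp = NULL;
+int ret = 0;
+
+BN_CTX_start(ctx);
+if ((lambda = BN_CTX_get(ctx)) == NULL)
+goto err;
+if ((tmp = BN_CTX_get(ctx)) == NULL)
+goto err;
+
+/* Generate lambda in [1, group->field - 1] */
+do {
+if (!BN_rand_range(lambda, &group->field))
+goto err;
+} while (BN_is_zero(lambda));
+
+if (group->meth->field_encode != NULL &&
+!group->meth->field_encode(group, lambda, lambda, ctx))
+goto err;
+
+/* Z = lambda * Z */
+if (!group->meth->field_mul(group, &p->Z, lambda, &p->Z, ctx))
+goto err;
+
+/* tmp = lambda^2 */
+if (!group->meth->field_sqr(group, tmp, lambda, ctx))
+goto err;
+
+/* X = lambda^2 * X */
+if (!group->meth->field_mul(group, &p->X, tmp, &p->X, ctx))
+goto err;
+
+/* tmp = lambda^3 */
+if (!group->meth->field_mul(group, tmp, tmp, lambda, ctx))
+goto err;
+
+/* Y = lambda^3 * Y */
+if (!group->meth->field_mul(group, &p->Y, tmp, &p->Y, ctx))
+goto err;
+
+ret = 1;
+
+err:
+BN_CTX_end(ctx);
+return ret;
+}
+
+
 #define EC_POINT_BN_set_flags(P, flags) do { \
 BN_set_flags(&(P)->X, (flags)); \
 BN_set_flags(&(P)->Y, (flags)); \
@@ -1537,6 +1595,13 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 (bn_wexpand(&r->Z, group_top) == NULL))
 goto err;
 
+/*
+ * Apply coordinate blinding for EC_POINT if the underlying EC_METHOD
+ * implements it.
+ */
+if (!ec_point_blind_coordinates(group, s, ctx))
+goto err;
+
 /* top bit is a 1, in a fixed pos */
 if (!EC_POINT_copy(r, s))
 goto err;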
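Review bot: After Z is multiplied by lambda in ec_GFp_simple_blind_coordinates, nothing clears the point's Z_is_one affine shortcut flag; if EC_POINT_dbl/EC_POINT_add still consult that flag and the s handed over from ec_GFp_simple_mul_ct can arrive with it set (the start of mul_ct is outside the hunk, so I cannot confirm s is forced into projective form first), the ladder would proceed with a Z that is no longer 1 while the flag says it is. Setting `p->Z_is_one = 0;` immediately before `ret = 1;` makes the blinding function correct independently of what the caller guarantees. The header comment also says what the randomization is but not why; adding `Randomizing the projective representation makes the intermediate coordinates independent of the input point, so side channels that depend on them do not correlate with the scalar.` would document the security purpose for the next reader. A one-line note in the mul_ct hunk that blinding must happen before the first EC_POINT_copy(r, s) so that both ladder points share the randomized representation would make the placement intentional rather than incidental.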