path: root/src/lib/libcrypto/ec/ecp_smpl.c
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/ec/ecp_smpl.c71
1 files changed, 68 insertions, 3 deletions
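--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.22 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.23 2018/11/05 20:18:21 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -107,7 +107,8 @@ EC_GFp_simple_method(void)
 		.mul_single_ct = ec_GFp_simple_mul_single_ct,
 		.mul_double_nonct = ec_GFp_simple_mul_double_nonct,
 		.field_mul = ec_GFp_simple_field_mul,
-		.field_sqr = ec_GFp_simple_field_sqr
+		.field_sqr = ec_GFp_simple_field_sqr,
+		.blind_coordinates = ec_GFp_simple_blind_coordinates,
 	};
 
 	return &ret;
@@ -1406,13 +1407,70 @@ ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, co
 	return BN_mod_mul(r, a, b, &group->field, ctx);
 }
 
-
 int
 ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)
 {
 	return BN_mod_sqr(r, a, &group->field, ctx);
 }
 
+/*
+ * Apply randomization of EC point projective coordinates:
+ *
+ * (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z)
+ *
+ * where lambda is in the interval [1, group->field).
+ */
+int
+ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
+{
+	BIGNUM *lambda = NULL;
+	BIGNUM *tmp = NULL;
+	int ret = 0;
+
+	BN_CTX_start(ctx);
+	if ((lambda = BN_CTX_get(ctx)) == NULL)
+		goto err;
+	if ((tmp = BN_CTX_get(ctx)) == NULL)
+		goto err;
+
+	/* Generate lambda in [1, group->field - 1] */
+	do {
+		if (!BN_rand_range(lambda, &group->field))
+			goto err;
+	} while (BN_is_zero(lambda));
+
+	if (group->meth->field_encode != NULL &&
+	    !group->meth->field_encode(group, lambda, lambda, ctx))
+		goto err;
+
+	/* Z = lambda * Z */
+	if (!group->meth->field_mul(group, &p->Z, lambda, &p->Z, ctx))
+		goto err;
+
+	/* tmp = lambda^2 */
+	if (!group->meth->field_sqr(group, tmp, lambda, ctx))
+		goto err;
+
+	/* X = lambda^2 * X */
+	if (!group->meth->field_mul(group, &p->X, tmp, &p->X, ctx))
+		goto err;
+
+	/* tmp = lambda^3 */
+	if (!group->meth->field_mul(group, tmp, tmp, lambda, ctx))
+		goto err;
+
+	/* Y = lambda^3 * Y */
+	if (!group->meth->field_mul(group, &p->Y, tmp, &p->Y, ctx))
+		goto err;
+
+	ret = 1;
+
+ err:
+	BN_CTX_end(ctx);
+	return ret;
+}
+
+
 #define EC_POINT_BN_set_flags(P, flags) do { \
 	BN_set_flags(&(P)->X, (flags)); \
 	BN_set_flags(&(P)->Y, (flags)); \
@@ -1537,6 +1595,13 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	    (bn_wexpand(&r->Z, group_top) == NULL))
 		goto err;
 
+	/*
+	 * Apply coordinate blinding for EC_POINT if the underlying EC_METHOD
+	 * implements it.
+	 */
+	if (!ec_point_blind_coordinates(group, s, ctx))
+		goto err;
+
 	/* top bit is a 1, in a fixed pos */
 	if (!EC_POINT_copy(r, s))
 		goto err;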
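Review bot: ec_GFp_simple_blind_coordinates rescales p->Z by lambda (the `Z = lambda * Z` step) but never clears the point's Z_is_one flag, so a point that entered in affine form (Z == 1, flag set) leaves with a random Z while still being marked as having Z == 1; any arithmetic in this file that takes the Z_is_one shortcut would then work with the wrong denominator. If EC_POINT carries that flag as elsewhere in libcrypto, add `p->Z_is_one = 0;` immediately before `ret = 1;`. This matters for the call site in ec_GFp_simple_mul_ct, where `s` is blinded and then copied into `r` via EC_POINT_copy, so a stale flag would propagate into the ladder; that function's body starts and ends outside the hunk. The rest of the new function looks sound: BN_CTX_end on the shared err path matches the unconditional BN_CTX_start, and the do/while rejects lambda == 0 as the header comment promises.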