1 files changed, 68 insertions, 3 deletions
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index a25fd1df84..fe935251d9 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.22 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.23 2018/11/05 20:18:21 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -107,7 +107,8 @@ EC_GFp_simple_method(void)
                .mul_single_ct = ec_GFp_simple_mul_single_ct,
                .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
                .field_mul = ec_GFp_simple_field_mul,
-                .field_sqr = ec_GFp_simple_field_sqr
+                .field_sqr = ec_GFp_simple_field_sqr,
+                .blind_coordinates = ec_GFp_simple_blind_coordinates,
        };
        return &ret;
@@ -1406,13 +1407,70 @@ ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, co
        return BN_mod_mul(r, a, b, &group->field, ctx);
 }
 int 
 ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)
 {
        return BN_mod_sqr(r, a, &group->field, ctx);
 }
+/*
+ * Apply randomization of EC point projective coordinates:
+ *
+ *      (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z)
+ * 
+ * where lambda is in the interval [1, group->field).
+ */
+int
+ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
+{
+        BIGNUM *lambda = NULL;
+        BIGNUM *tmp = NULL;
+        int ret = 0;
+        BN_CTX_start(ctx);
+        if ((lambda = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((tmp = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        /* Generate lambda in [1, group->field - 1] */
+        do {
+                if (!BN_rand_range(lambda, &group->field))
+                        goto err;
+        } while (BN_is_zero(lambda));
+        if (group->meth->field_encode != NULL &&
+            !group->meth->field_encode(group, lambda, lambda, ctx))
+                goto err;
+        /* Z = lambda * Z */
+        if (!group->meth->field_mul(group, &p->Z, lambda, &p->Z, ctx))
+                goto err;
+        /* tmp = lambda^2 */
+        if (!group->meth->field_sqr(group, tmp, lambda, ctx))
+                goto err;
+        /* X = lambda^2 * X */
+        if (!group->meth->field_mul(group, &p->X, tmp, &p->X, ctx))
+                goto err;
+        /* tmp = lambda^3 */
+        if (!group->meth->field_mul(group, tmp, tmp, lambda, ctx))
+                goto err;
+        /* Y = lambda^3 * Y */
+        if (!group->meth->field_mul(group, &p->Y, tmp, &p->Y, ctx))
+                goto err;
+        ret = 1;
+ err:
+        BN_CTX_end(ctx);
+        return ret;
+}
 #define EC_POINT_BN_set_flags(P, flags) do {                            \
        BN_set_flags(&(P)->X, (flags));                                 \
        BN_set_flags(&(P)->Y, (flags));                                 \
@@ -1537,6 +1595,13 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
            (bn_wexpand(&r->Z, group_top) == NULL))
                goto err;
+        /*
+         * Apply coordinate blinding for EC_POINT if the underlying EC_METHOD
+         * implements it.
+         */
+        if (!ec_point_blind_coordinates(group, s, ctx))
+                goto err;
        /* top bit is a 1, in a fixed pos */
        if (!EC_POINT_copy(r, s))
                goto err;

diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c index a25fd1df84..fe935251d9 100644 --- a/src/lib/libcrypto/ec/ecp_smpl.c +++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ecp_smpl.c,v 1.22 2018/07/16 17:32:39 tb Exp $ */	1	/* $OpenBSD: ecp_smpl.c,v 1.23 2018/11/05 20:18:21 tb Exp $ */
2	/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>	2	/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3	* for the OpenSSL project.	3	* for the OpenSSL project.
4	* Includes code written by Bodo Moeller for the OpenSSL project.	4	* Includes code written by Bodo Moeller for the OpenSSL project.
@@ -107,7 +107,8 @@ EC_GFp_simple_method(void)
107	.mul_single_ct = ec_GFp_simple_mul_single_ct,	107	.mul_single_ct = ec_GFp_simple_mul_single_ct,
108	.mul_double_nonct = ec_GFp_simple_mul_double_nonct,	108	.mul_double_nonct = ec_GFp_simple_mul_double_nonct,
109	.field_mul = ec_GFp_simple_field_mul,	109	.field_mul = ec_GFp_simple_field_mul,
110	.field_sqr = ec_GFp_simple_field_sqr	110	.field_sqr = ec_GFp_simple_field_sqr,
		111	.blind_coordinates = ec_GFp_simple_blind_coordinates,
111	};	112	};
112		113
113	return &ret;	114	return &ret;
@@ -1406,13 +1407,70 @@ ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, co
1406	return BN_mod_mul(r, a, b, &group->field, ctx);	1407	return BN_mod_mul(r, a, b, &group->field, ctx);
1407	}	1408	}
1408		1409
1409
1410	int	1410	int
1411	ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)	1411	ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)
1412	{	1412	{
1413	return BN_mod_sqr(r, a, &group->field, ctx);	1413	return BN_mod_sqr(r, a, &group->field, ctx);
1414	}	1414	}
1415		1415
		1416	/*
		1417	* Apply randomization of EC point projective coordinates:
		1418	*
		1419	* (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z)
		1420	*
		1421	* where lambda is in the interval [1, group->field).
		1422	*/
		1423	int
		1424	ec_GFp_simple_blind_coordinates(const EC_GROUP group, EC_POINT p, BN_CTX *ctx)
		1425	{
		1426	BIGNUM *lambda = NULL;
		1427	BIGNUM *tmp = NULL;
		1428	int ret = 0;
		1429
		1430	BN_CTX_start(ctx);
		1431	if ((lambda = BN_CTX_get(ctx)) == NULL)
		1432	goto err;
		1433	if ((tmp = BN_CTX_get(ctx)) == NULL)
		1434	goto err;
		1435
		1436	/* Generate lambda in [1, group->field - 1] */
		1437	do {
		1438	if (!BN_rand_range(lambda, &group->field))
		1439	goto err;
		1440	} while (BN_is_zero(lambda));
		1441
		1442	if (group->meth->field_encode != NULL &&
		1443	!group->meth->field_encode(group, lambda, lambda, ctx))
		1444	goto err;
		1445
		1446	/* Z = lambda * Z */
		1447	if (!group->meth->field_mul(group, &p->Z, lambda, &p->Z, ctx))
		1448	goto err;
		1449
		1450	/* tmp = lambda^2 */
		1451	if (!group->meth->field_sqr(group, tmp, lambda, ctx))
		1452	goto err;
		1453
		1454	/* X = lambda^2 * X */
		1455	if (!group->meth->field_mul(group, &p->X, tmp, &p->X, ctx))
		1456	goto err;
		1457
		1458	/* tmp = lambda^3 */
		1459	if (!group->meth->field_mul(group, tmp, tmp, lambda, ctx))
		1460	goto err;
		1461
		1462	/* Y = lambda^3 * Y */
		1463	if (!group->meth->field_mul(group, &p->Y, tmp, &p->Y, ctx))
		1464	goto err;
		1465
		1466	ret = 1;
		1467
		1468	err:
		1469	BN_CTX_end(ctx);
		1470	return ret;
		1471	}
		1472
		1473
1416	#define EC_POINT_BN_set_flags(P, flags) do { \	1474	#define EC_POINT_BN_set_flags(P, flags) do { \
1417	BN_set_flags(&(P)->X, (flags)); \	1475	BN_set_flags(&(P)->X, (flags)); \
1418	BN_set_flags(&(P)->Y, (flags)); \	1476	BN_set_flags(&(P)->Y, (flags)); \
@@ -1537,6 +1595,13 @@ ec_GFp_simple_mul_ct(const EC_GROUP group, EC_POINT r, const BIGNUM *scalar,
1537	(bn_wexpand(&r->Z, group_top) == NULL))	1595	(bn_wexpand(&r->Z, group_top) == NULL))
1538	goto err;	1596	goto err;
1539		1597
		1598	/*
		1599	* Apply coordinate blinding for EC_POINT if the underlying EC_METHOD
		1600	* implements it.
		1601	*/
		1602	if (!ec_point_blind_coordinates(group, s, ctx))
		1603	goto err;
		1604
1540	/* top bit is a 1, in a fixed pos */	1605	/* top bit is a 1, in a fixed pos */
1541	if (!EC_POINT_copy(r, s))	1606	if (!EC_POINT_copy(r, s))
1542	goto err;	1607	goto err;