1 files changed, 21 insertions, 24 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 3939d7c8c1..be279b34b6 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.12 2018/06/14 18:51:01 tb Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.13 2018/06/15 05:00:41 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project
 */
@@ -92,7 +92,7 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        BIGNUM   *k = NULL, *r = NULL, *order = NULL, *X = NULL;
        EC_POINT *tmp_point = NULL;
        const EC_GROUP *group;
-        int      order_bits, ret = 0;
+        int order_bits, ret = 0;
        if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
                ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
@@ -124,7 +124,7 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                goto err;
        }
-        /* Preallocate space */
+        /* Preallocate space. */
        order_bits = BN_num_bits(order);
        if (!BN_set_bit(k, order_bits) ||
            !BN_set_bit(r, order_bits) ||
@@ -135,16 +135,17 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                /* get random k */
                do
                        if (!BN_rand_range(k, order)) {
-                                ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
+                                ECDSAerror(
+                                    ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
                                goto err;
                        }
                while (BN_is_zero(k));
                /*
                 * We do not want timing information to leak the length of k,
-                 * so we compute G*k using an equivalent scalar of fixed
+                 * so we compute G * k using an equivalent scalar of fixed
                 * bit-length.
-                 * 
+                 *
                 * We unconditionally perform both of these additions to prevent
                 * a small timing information leakage.  We then choose the sum
                 * that is one bit longer than the order.  This guarantees the
@@ -175,8 +176,7 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                        }
                }
 #ifndef OPENSSL_NO_EC2M
-                else /* NID_X9_62_characteristic_two_field */
+                else {  /* NID_X9_62_characteristic_two_field */
-                {
                        if (!EC_POINT_get_affine_coordinates_GF2m(group,
                            tmp_point, X, NULL, ctx)) {
                                ECDSAerror(ERR_R_EC_LIB);
@@ -203,8 +203,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        *kinvp = k;
        ret = 1;
-err:
+ err:
-        if (!ret) {
+        if (ret == 0) {
                BN_clear_free(k);
                BN_clear_free(r);
        }
@@ -259,20 +259,19 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                goto err;
        }
        i = BN_num_bits(order);
-        /* Need to truncate digest if it is too long: first truncate whole
+        /* Truncate digest if it is too long: first truncate whole bytes. */
-         * bytes.
-         */
        if (8 * dgst_len > i)
                dgst_len = (i + 7)/8;
        if (!BN_bin2bn(dgst, dgst_len, m)) {
                ECDSAerror(ERR_R_BN_LIB);
                goto err;
        }
-        /* If still too long truncate remaining bits with a shift */
+        /* If it is still too long, truncate the remaining bits with a shift. */
        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
                ECDSAerror(ERR_R_BN_LIB);
                goto err;
        }
        do {
                if (in_kinv == NULL || in_r == NULL) {
                        if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {
@@ -298,7 +297,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                 *
                 * where b is a random value in the range [1, order-1].
                 */
-                
                /* Generate b in range [1, order-1]. */
                if (!BN_sub(range, order, BN_value_one())) {
                        ECDSAerror(ERR_R_BN_LIB);
@@ -359,7 +358,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
        ok = 1;
-err:
+ err:
        if (!ok) {
                ECDSA_SIG_free(ret);
                ret = NULL;
@@ -429,16 +428,14 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
        }
        /* digest -> m */
        i = BN_num_bits(order);
-        /* Need to truncate digest if it is too long: first truncate whole
+        /* Truncate digest if it is too long: first truncate whole bytes. */
-         * bytes.
-         */
        if (8 * dgst_len > i)
                dgst_len = (i + 7)/8;
        if (!BN_bin2bn(dgst, dgst_len, m)) {
                ECDSAerror(ERR_R_BN_LIB);
                goto err;
        }
-        /* If still too long truncate remaining bits with a shift */
+        /* If it is still too long, truncate the remaining bits with a shift. */
        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
                ECDSAerror(ERR_R_BN_LIB);
                goto err;
@@ -471,8 +468,7 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
                }
        }
 #ifndef OPENSSL_NO_EC2M
-        else /* NID_X9_62_characteristic_two_field */
+        else { /* NID_X9_62_characteristic_two_field */
-        {
                if (!EC_POINT_get_affine_coordinates_GF2m(group,
                    point, X, NULL, ctx)) {
                        ECDSAerror(ERR_R_EC_LIB);
@@ -484,10 +480,11 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
                ECDSAerror(ERR_R_BN_LIB);
                goto err;
        }
-        /*  if the signature is correct u1 is equal to sig->r */
+        /* If the signature is correct, then u1 is equal to sig->r. */
        ret = (BN_ucmp(u1, sig->r) == 0);
-err:
+ err:
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
        EC_POINT_free(point);

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index 3939d7c8c1..be279b34b6 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ecs_ossl.c,v 1.12 2018/06/14 18:51:01 tb Exp $ */	1	/* $OpenBSD: ecs_ossl.c,v 1.13 2018/06/15 05:00:41 tb Exp $ */
2	/*	2	/*
3	* Written by Nils Larsch for the OpenSSL project	3	* Written by Nils Larsch for the OpenSSL project
4	*/	4	*/
@@ -92,7 +92,7 @@ ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
92	BIGNUM k = NULL, r = NULL, order = NULL, X = NULL;	92	BIGNUM k = NULL, r = NULL, order = NULL, X = NULL;
93	EC_POINT *tmp_point = NULL;	93	EC_POINT *tmp_point = NULL;
94	const EC_GROUP *group;	94	const EC_GROUP *group;
95	int order_bits, ret = 0;	95	int order_bits, ret = 0;
96		96
97	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL) {	97	if (eckey == NULL \|\| (group = EC_KEY_get0_group(eckey)) == NULL) {
98	ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);	98	ECDSAerror(ERR_R_PASSED_NULL_PARAMETER);
@@ -124,7 +124,7 @@ ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
124	goto err;	124	goto err;
125	}	125	}
126		126
127	/* Preallocate space */	127	/* Preallocate space. */
128	order_bits = BN_num_bits(order);	128	order_bits = BN_num_bits(order);
129	if (!BN_set_bit(k, order_bits) \|\|	129	if (!BN_set_bit(k, order_bits) \|\|
130	!BN_set_bit(r, order_bits) \|\|	130	!BN_set_bit(r, order_bits) \|\|
@@ -135,16 +135,17 @@ ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
135	/* get random k */	135	/* get random k */
136	do	136	do
137	if (!BN_rand_range(k, order)) {	137	if (!BN_rand_range(k, order)) {
138	ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);	138	ECDSAerror(
		139	ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
139	goto err;	140	goto err;
140	}	141	}
141	while (BN_is_zero(k));	142	while (BN_is_zero(k));
142		143
143	/*	144	/*
144	* We do not want timing information to leak the length of k,	145	* We do not want timing information to leak the length of k,
145	* so we compute G*k using an equivalent scalar of fixed	146	* so we compute G * k using an equivalent scalar of fixed
146	* bit-length.	147	* bit-length.
147	*	148	*
148	* We unconditionally perform both of these additions to prevent	149	* We unconditionally perform both of these additions to prevent
149	* a small timing information leakage. We then choose the sum	150	* a small timing information leakage. We then choose the sum
150	* that is one bit longer than the order. This guarantees the	151	* that is one bit longer than the order. This guarantees the
@@ -175,8 +176,7 @@ ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
175	}	176	}
176	}	177	}
177	#ifndef OPENSSL_NO_EC2M	178	#ifndef OPENSSL_NO_EC2M
178	else /* NID_X9_62_characteristic_two_field */	179	else { /* NID_X9_62_characteristic_two_field */
179	{
180	if (!EC_POINT_get_affine_coordinates_GF2m(group,	180	if (!EC_POINT_get_affine_coordinates_GF2m(group,
181	tmp_point, X, NULL, ctx)) {	181	tmp_point, X, NULL, ctx)) {
182	ECDSAerror(ERR_R_EC_LIB);	182	ECDSAerror(ERR_R_EC_LIB);
@@ -203,8 +203,8 @@ ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
203	*kinvp = k;	203	*kinvp = k;
204	ret = 1;	204	ret = 1;
205		205
206	err:	206	err:
207	if (!ret) {	207	if (ret == 0) {
208	BN_clear_free(k);	208	BN_clear_free(k);
209	BN_clear_free(r);	209	BN_clear_free(r);
210	}	210	}
@@ -259,20 +259,19 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
259	goto err;	259	goto err;
260	}	260	}
261	i = BN_num_bits(order);	261	i = BN_num_bits(order);
262	/* Need to truncate digest if it is too long: first truncate whole	262	/* Truncate digest if it is too long: first truncate whole bytes. */
263	* bytes.
264	*/
265	if (8 * dgst_len > i)	263	if (8 * dgst_len > i)
266	dgst_len = (i + 7)/8;	264	dgst_len = (i + 7)/8;
267	if (!BN_bin2bn(dgst, dgst_len, m)) {	265	if (!BN_bin2bn(dgst, dgst_len, m)) {
268	ECDSAerror(ERR_R_BN_LIB);	266	ECDSAerror(ERR_R_BN_LIB);
269	goto err;	267	goto err;
270	}	268	}
271	/* If still too long truncate remaining bits with a shift */	269	/* If it is still too long, truncate the remaining bits with a shift. */
272	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {	270	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
273	ECDSAerror(ERR_R_BN_LIB);	271	ECDSAerror(ERR_R_BN_LIB);
274	goto err;	272	goto err;
275	}	273	}
		274
276	do {	275	do {
277	if (in_kinv == NULL \|\| in_r == NULL) {	276	if (in_kinv == NULL \|\| in_r == NULL) {
278	if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {	277	if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {
@@ -298,7 +297,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
298	*	297	*
299	* where b is a random value in the range [1, order-1].	298	* where b is a random value in the range [1, order-1].
300	*/	299	*/
301		300
302	/* Generate b in range [1, order-1]. */	301	/* Generate b in range [1, order-1]. */
303	if (!BN_sub(range, order, BN_value_one())) {	302	if (!BN_sub(range, order, BN_value_one())) {
304	ECDSAerror(ERR_R_BN_LIB);	303	ECDSAerror(ERR_R_BN_LIB);
@@ -359,7 +358,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
359		358
360	ok = 1;	359	ok = 1;
361		360
362	err:	361	err:
363	if (!ok) {	362	if (!ok) {
364	ECDSA_SIG_free(ret);	363	ECDSA_SIG_free(ret);
365	ret = NULL;	364	ret = NULL;
@@ -429,16 +428,14 @@ ecdsa_do_verify(const unsigned char dgst, int dgst_len, const ECDSA_SIG sig,
429	}	428	}
430	/* digest -> m */	429	/* digest -> m */
431	i = BN_num_bits(order);	430	i = BN_num_bits(order);
432	/* Need to truncate digest if it is too long: first truncate whole	431	/* Truncate digest if it is too long: first truncate whole bytes. */
433	* bytes.
434	*/
435	if (8 * dgst_len > i)	432	if (8 * dgst_len > i)
436	dgst_len = (i + 7)/8;	433	dgst_len = (i + 7)/8;
437	if (!BN_bin2bn(dgst, dgst_len, m)) {	434	if (!BN_bin2bn(dgst, dgst_len, m)) {
438	ECDSAerror(ERR_R_BN_LIB);	435	ECDSAerror(ERR_R_BN_LIB);
439	goto err;	436	goto err;
440	}	437	}
441	/* If still too long truncate remaining bits with a shift */	438	/* If it is still too long, truncate the remaining bits with a shift. */
442	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {	439	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
443	ECDSAerror(ERR_R_BN_LIB);	440	ECDSAerror(ERR_R_BN_LIB);
444	goto err;	441	goto err;
@@ -471,8 +468,7 @@ ecdsa_do_verify(const unsigned char dgst, int dgst_len, const ECDSA_SIG sig,
471	}	468	}
472	}	469	}
473	#ifndef OPENSSL_NO_EC2M	470	#ifndef OPENSSL_NO_EC2M
474	else /* NID_X9_62_characteristic_two_field */	471	else { /* NID_X9_62_characteristic_two_field */
475	{
476	if (!EC_POINT_get_affine_coordinates_GF2m(group,	472	if (!EC_POINT_get_affine_coordinates_GF2m(group,
477	point, X, NULL, ctx)) {	473	point, X, NULL, ctx)) {
478	ECDSAerror(ERR_R_EC_LIB);	474	ECDSAerror(ERR_R_EC_LIB);
@@ -484,10 +480,11 @@ ecdsa_do_verify(const unsigned char dgst, int dgst_len, const ECDSA_SIG sig,
484	ECDSAerror(ERR_R_BN_LIB);	480	ECDSAerror(ERR_R_BN_LIB);
485	goto err;	481	goto err;
486	}	482	}
487	/* if the signature is correct u1 is equal to sig->r */	483
		484	/* If the signature is correct, then u1 is equal to sig->r. */
488	ret = (BN_ucmp(u1, sig->r) == 0);	485	ret = (BN_ucmp(u1, sig->r) == 0);
489		486
490	err:	487	err:
491	BN_CTX_end(ctx);	488	BN_CTX_end(ctx);
492	BN_CTX_free(ctx);	489	BN_CTX_free(ctx);
493	EC_POINT_free(point);	490	EC_POINT_free(point);