author | Billy Brumley <bbrumley@gmail.com> | 2018-05-05 11:03:02 +0300 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-06-21 18:08:56 +0100 |
commit | 262dccc0d5946ea4add79e16882950dfbd8a4ab8 (patch) | |
tree | b3d7af1a50fc4149001cbb583e241222169c1797 | |
parent | c11d372b3b7080dc153902f14a0d4b402e2dfc92 (diff) |
[crypto/ec] remove blinding to support even orders
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6116)
-rw-r--r-- | crypto/ec/ec_lib.c | 41 |
1 files changed, 11 insertions, 30 deletions
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 76f05a040a..883284b304 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1020,7 +1020,7 @@ int ec_group_simple_order_bits(const EC_GROUP *group)
static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
BIGNUM *x, BN_CTX *ctx)
{
- BIGNUM *exp = NULL;
+ BIGNUM *e = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
@@ -1028,8 +1028,7 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
return 0;
BN_CTX_start(ctx);
- exp = BN_CTX_get(ctx);
- if (exp == NULL)
+ if ((e = BN_CTX_get(ctx)) == NULL)
goto err;
/* Check if optimized inverse is implemented */
@@ -1038,48 +1037,30 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
* We want inverse in constant time, therefore we utilize the fact
* order must be prime and use Fermats Little Theorem instead.
*/
- if (!BN_set_word(exp, 2))
+ if (!BN_set_word(e, 2))
goto err;
- if (!BN_sub(exp, group->order, exp))
+ if (!BN_sub(e, group->order, e))
goto err;
/*-
- * Exponent X is public.
+ * Exponent e is public.
* No need for scatter-gather or BN_FLG_CONSTTIME.
*/
- if (!BN_mod_exp_mont(r, x, exp, group->order, ctx, group->mont_data))
+ if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
goto err;
/* Inverse of zero doesn't exist. Let the fallback catch it. */
- if (BN_is_zero(r))
- ret = 0;
- else
- ret = 1;
+ ret = (BN_is_zero(r)) ? 0 : 1;
}
- /*-
- * Fallback to classic inverse, blinded.
- * BN_FLG_CONSTTIME is a don't care here.
- */
+ /* Fallback to classic inverse */
if (ret == 0) {
- do {
- if (!BN_priv_rand_range(exp, group->order))
- goto err;
- } while (BN_is_zero(exp));
-
- /* r := x * exp */
- if (!BN_mod_mul(r, x, exp, group->order, ctx))
- goto err;
- /* r := 1/(x * exp) */
- if (!BN_mod_inverse(r, r, group->order, ctx))
+ if (!BN_mod_inverse(r, x, group->order, ctx))
goto err;
- /* r := exp/(x * exp) = 1/x */
- if (!BN_mod_mul(r, r, exp, group->order, ctx))
- goto err;
- ret = 1;
}
err:
- BN_CTX_end(ctx);
+ if (ctx != NULL)
+ BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
} |
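Review bot: The fallback `if (!BN_mod_inverse(r, x, group->order, ctx))` now hands the caller's x, which may be a private scalar, directly to BN_mod_inverse with nothing in this hunk guaranteeing a constant-time path, where the removed code first masked x with a fresh random value so the Euclidean inverse never operated on the secret itself. As far as I recall BN_mod_inverse only takes its no-branch variant when BN_FLG_CONSTTIME is set on x or on group->order, and the replacement comment `/* Fallback to classic inverse */` drops the old remark about that flag, so the timing contract of this branch is now undocumented. I would state it explicitly, e.g. `/* Fallback to classic inverse: no blinding, so this is constant time only if x (or group->order) carries BN_FLG_CONSTTIME */`, and confirm that callers passing a secret through this path set the flag. Separately, `ret = (BN_is_zero(r)) ? 0 : 1;` reads more simply as `ret = !BN_is_zero(r);`, and the new `if (ctx != NULL)` guard before BN_CTX_end looks unreachable given the early `return 0;` in the previous hunk when no context could be obtained, though that condition is outside the hunk and worth confirming. The function's head is outside this hunk.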