authorBilly Brumley <bbrumley@gmail.com>2018-05-05 11:03:02 +0300
committerMatt Caswell <matt@openssl.org>2018-06-21 18:08:56 +0100
commit262dccc0d5946ea4add79e16882950dfbd8a4ab8 (patch)
treeb3d7af1a50fc4149001cbb583e241222169c1797 /crypto/ec
parentc11d372b3b7080dc153902f14a0d4b402e2dfc92 (diff)
[crypto/ec] remove blinding to support even orders
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6116)
Diffstat (limited to 'crypto/ec')
-rw-r--r--crypto/ec/ec_lib.c41
1 files changed, 11 insertions, 30 deletions
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 76f05a040a..883284b304 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1020,7 +1020,7 @@ int ec_group_simple_order_bits(const EC_GROUP *group)
static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
BIGNUM *x, BN_CTX *ctx)
{
- BIGNUM *exp = NULL;
+ BIGNUM *e = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
@@ -1028,8 +1028,7 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
return 0;
BN_CTX_start(ctx);
- exp = BN_CTX_get(ctx);
- if (exp == NULL)
+ if ((e = BN_CTX_get(ctx)) == NULL)
goto err;
/* Check if optimized inverse is implemented */
@@ -1038,48 +1037,30 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
* We want inverse in constant time, therefore we utilize the fact
* order must be prime and use Fermats Little Theorem instead.
*/
- if (!BN_set_word(exp, 2))
+ if (!BN_set_word(e, 2))
goto err;
- if (!BN_sub(exp, group->order, exp))
+ if (!BN_sub(e, group->order, e))
goto err;
/*-
- * Exponent X is public.
+ * Exponent e is public.
* No need for scatter-gather or BN_FLG_CONSTTIME.
*/
- if (!BN_mod_exp_mont(r, x, exp, group->order, ctx, group->mont_data))
+ if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
goto err;
/* Inverse of zero doesn't exist. Let the fallback catch it. */
- if (BN_is_zero(r))
- ret = 0;
- else
- ret = 1;
+ ret = (BN_is_zero(r)) ? 0 : 1;
}
- /*-
- * Fallback to classic inverse, blinded.
- * BN_FLG_CONSTTIME is a don't care here.
- */
+ /* Fallback to classic inverse */
if (ret == 0) {
- do {
- if (!BN_priv_rand_range(exp, group->order))
- goto err;
- } while (BN_is_zero(exp));
-
- /* r := x * exp */
- if (!BN_mod_mul(r, x, exp, group->order, ctx))
- goto err;
- /* r := 1/(x * exp) */
- if (!BN_mod_inverse(r, r, group->order, ctx))
+ if (!BN_mod_inverse(r, x, group->order, ctx))
goto err;
- /* r := exp/(x * exp) = 1/x */
- if (!BN_mod_mul(r, r, exp, group->order, ctx))
- goto err;
-
ret = 1;
}
err:
- BN_CTX_end(ctx);
+ if (ctx != NULL)
+ BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
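Review bot: The fallback `BN_mod_inverse(r, x, group->order, ctx)` is now unblinded, so whether it takes the constant-time path depends on BN_FLG_CONSTTIME being set on `x` or `group->order`, yet the hunk drops the old "BN_FLG_CONSTTIME is a don't care here" remark without replacing it. The new comment on the fallback should record that shift: `/* Fallback to classic inverse. Not blinded: constant-time behaviour now depends on BN_FLG_CONSTTIME being set on x or group->order by the caller. */`. The Fermat branch above still relies on the order being prime (its guard, presumably the mont_data check, is outside the hunk), so a one-line note there that even or composite orders are expected to take the fallback would help the next reader of the commit title. The added `if (ctx != NULL)` before `BN_CTX_end` looks redundant given the early `return 0` in the previous hunk when no context could be obtained, but that is harmless. ec_field_inverse_mod_ord begins in the first hunk of this file; this hunk holds its tail.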