author | Billy Brumley <bbrumley@gmail.com> | 2018-07-04 15:35:18 +0300 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-07-04 16:51:49 +0100 |
commit | de72274d62a9939e833ab2816360228ba2e1a74b (patch) | |
tree | ee4c38b7d01b62a67e1544721a0ec78f8dd583d7 /crypto/ec | |
parent | a97d19f7ce93845997a8f75f522f0331899ed5f4 (diff) |
[crypto/ec] disable SCA mitigations for curves with incomplete parameters
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6648)
Diffstat (limited to 'crypto/ec')
-rw-r--r-- | crypto/ec/ec_mult.c | 46 |
1 files changed, 24 insertions, 22 deletions
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index c821cb8250..663db57f0c 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -389,30 +389,32 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 return EC_POINT_set_to_infinity(group, r);
 }
 
- /*-
- * Handle the common cases where the scalar is secret, enforcing a constant
- * time scalar multiplication algorithm.
- */
- if ((scalar != NULL) && (num == 0)) {
- /*-
- * In this case we want to compute scalar * GeneratorPoint: this
- * codepath is reached most prominently by (ephemeral) key generation
- * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
- * keygen/first half), where the scalar is always secret. This is why
- * we ignore if BN_FLG_CONSTTIME is actually set and we always call the
- * constant time version.
- */
- return ec_mul_consttime(group, r, scalar, NULL, ctx);
- }
- if ((scalar == NULL) && (num == 1)) {
+ if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor)) {
 /*-
- * In this case we want to compute scalar * GenericPoint: this codepath
- * is reached most prominently by the second half of ECDH, where the
- * secret scalar is multiplied by the peer's public point. To protect
- * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
- * we always call the constant time version.
+ * Handle the common cases where the scalar is secret, enforcing a constant
+ * time scalar multiplication algorithm.
 */
- return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+ if ((scalar != NULL) && (num == 0)) {
+ /*-
+ * In this case we want to compute scalar * GeneratorPoint: this
+ * codepath is reached most prominently by (ephemeral) key generation
+ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
+ * keygen/first half), where the scalar is always secret. This is why
+ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the
+ * constant time version.
+ */
+ return ec_mul_consttime(group, r, scalar, NULL, ctx);
+ }
+ if ((scalar == NULL) && (num == 1)) {
+ /*-
+ * In this case we want to compute scalar * GenericPoint: this codepath
+ * is reached most prominently by the second half of ECDH, where the
+ * secret scalar is multiplied by the peer's public point. To protect
+ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
+ * we always call the constant time version.
+ */
+ return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+ }
 }
 
 for (i = 0; i < num; i++) { |
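Review bot: The new guard `if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor))` silently routes secret scalars to the variable-time wNAF code below whenever a group has no order or cofactor set, and nothing at the guard says so. The two inner comments still claim "we always call the constant time version", which no longer holds for such groups. I would add a comment on the guard, e.g. `/* Groups without a known order and cofactor skip ec_mul_consttime(); their scalars get no timing side-channel protection in the wNAF path below. */`, and soften "always" in the inner comments. If such groups can be built from caller-supplied explicit parameters (not visible in this hunk), it is worth deciding whether the fallback should be refused, or the missing cofactor derived, rather than dropping the mitigation. ec_wNAF_mul begins and ends outside the hunk.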