diff options
author | marha <marha@users.sourceforge.net> | 2014-04-14 23:45:39 +0200 |
---|---|---|
committer | marha <marha@users.sourceforge.net> | 2014-04-14 23:45:39 +0200 |
commit | 7c21629fbeb51b65fd0625bb36d888587d62fd89 (patch) | |
tree | 425433df36d64f529d2222de2d1680e0b0abca3f /openssl/crypto/ec | |
parent | 0bd141efd4832e01c8b269b8566dd5749e30ed55 (diff) | |
parent | 242d48135a12fc9167430f391ba0d27d9ad44c6b (diff) | |
download | vcxsrv-7c21629fbeb51b65fd0625bb36d888587d62fd89.tar.gz vcxsrv-7c21629fbeb51b65fd0625bb36d888587d62fd89.tar.bz2 vcxsrv-7c21629fbeb51b65fd0625bb36d888587d62fd89.zip |
Merge remote-tracking branch 'origin/released'
Conflicts:
openssl/Configure
openssl/Makefile
openssl/util/pl/VC-32.pl
Diffstat (limited to 'openssl/crypto/ec')
-rw-r--r-- | openssl/crypto/ec/ec2_mult.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/openssl/crypto/ec/ec2_mult.c b/openssl/crypto/ec/ec2_mult.c index 26f4a783f..1c575dc47 100644 --- a/openssl/crypto/ec/ec2_mult.c +++ b/openssl/crypto/ec/ec2_mult.c @@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG return ret; } + /* Computes scalar*point and stores the result in r. * point can not equal r. - * Uses algorithm 2P of + * Uses a modified algorithm 2P of * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over * GF(2^m) without precomputation" (CHES '99, LNCS 1717). + * + * To protect against side-channel attack the function uses constant time swap, + * avoiding conditional branches. */ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx) @@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, x2 = &r->X; z2 = &r->Y; + bn_wexpand(x1, group->field.top); + bn_wexpand(z1, group->field.top); + bn_wexpand(x2, group->field.top); + bn_wexpand(z2, group->field.top); + if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ if (!BN_one(z1)) goto err; /* z1 = 1 */ if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ @@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, word = scalar->d[i]; while (mask) { - if (word & mask) - { - if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; - if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; - } - else - { - if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; - if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; - } + BN_consttime_swap(word & mask, x1, x2, group->field.top); + BN_consttime_swap(word & mask, z1, z2, group->field.top); + if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; + if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; + BN_consttime_swap(word & mask, x1, x2, group->field.top); + BN_consttime_swap(word & mask, z1, z2, group->field.top); mask >>= 1; } mask = BN_TBIT; |