/*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# include <openssl/err.h>
# include "ec_lcl.h"
-# if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1))
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
/* even with gcc, the typedef won't work for 32-bit platforms */
typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit
* platforms */
# else
-# error "Need GCC 3.1 or later to define type uint128_t"
+# error "Your compiler doesn't appear to support 128-bit integer types"
# endif
typedef uint8_t u8;
typedef uint64_t u64;
-typedef int64_t s64;
/*
* The underlying field. P521 operates over GF(2^521-1). We can serialise an
/* BN_bn2bin eats leading zeroes */
memset(b_out, 0, sizeof(b_out));
num_bytes = BN_num_bytes(bn);
- if (num_bytes > sizeof b_out) {
+ if (num_bytes > sizeof(b_out)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
{
felem_bytearray b_in, b_out;
felem_to_bin66(b_in, in);
- flip_endian(b_out, b_in, sizeof b_out);
- return BN_bin2bn(b_out, sizeof b_out, out);
+ flip_endian(b_out, b_in, sizeof(b_out));
+ return BN_bin2bn(b_out, sizeof(b_out), out);
}
/*-
* We know that ftmp[i] < 2^63, therefore the only way that the top bit
* can be set is if is_zero was 0 before the decrement.
*/
- is_zero = ((s64) is_zero) >> 63;
+ is_zero = 0 - (is_zero >> 63);
is_p = ftmp[0] ^ kPrime[0];
is_p |= ftmp[1] ^ kPrime[1];
is_p |= ftmp[8] ^ kPrime[8];
is_p--;
- is_p = ((s64) is_p) >> 63;
+ is_p = 0 - (is_p >> 63);
is_zero |= is_p;
return is_zero;
is_p &= is_p << 4;
is_p &= is_p << 2;
is_p &= is_p << 1;
- is_p = ((s64) is_p) >> 63;
+ is_p = 0 - (is_p >> 63);
is_p = ~is_p;
/* is_p is 0 iff |out| == 2^521-1 and all ones otherwise */
is_greater |= is_greater << 4;
is_greater |= is_greater << 2;
is_greater |= is_greater << 1;
- is_greater = ((s64) is_greater) >> 63;
+ is_greater = 0 - (is_greater >> 63);
out[0] -= kPrime[0] & is_greater;
out[1] -= kPrime[1] & is_greater;
* adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
*
* This function includes a branch for checking whether the two input points
- * are equal (while not equal to the point at infinity). This case never
- * happens during single point multiplication, so there is no timing leak for
- * ECDH or ECDSA signing. */
+ * are equal (while not equal to the point at infinity). See comment below
+ * on constant-time.
+ */
static void point_add(felem x3, felem y3, felem z3,
const felem x1, const felem y1, const felem z1,
const int mixed, const felem x2, const felem y2,
/* ftmp5[i] < 2^61 */
if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
+ /*
+ * This is obviously not constant-time but it will almost-never happen
+ * for ECDH / ECDSA. The case where it can happen is during scalar-mult
+ * where the intermediate value gets very close to the group order.
+ * Since |ec_GFp_nistp_recode_scalar_bits| produces signed digits for
+ * the scalar, it's possible for the intermediate value to be a small
+ * negative multiple of the base point, and for the final signed digit
+ * to be the same value. We believe that this only occurs for the scalar
+ * 1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ * ffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb
+ * 71e913863f7, in that case the penultimate intermediate is -9G and
+ * the final digit is also -9G. Since this only happens for a single
+ * scalar, the timing leak is irrelevent. (Any attacker who wanted to
+ * check whether a secret scalar was that exact value, can already do
+ * so.)
+ */
point_double(x3, y3, z3, x1, y1, z1);
return;
}
ec_key_simple_generate_public_key,
0, /* keycopy */
0, /* keyfinish */
- ecdh_simple_compute_key
+ ecdh_simple_compute_key,
+ 0, /* field_inverse_mod_ord */
+ 0, /* blind_coordinates */
+ 0, /* ladder_pre */
+ 0, /* ladder_step */
+ 0 /* ladder_post */
};
return &ret;
* FUNCTIONS TO MANAGE PRECOMPUTATION
*/
-static NISTP521_PRE_COMP *nistp521_pre_comp_new()
+static NISTP521_PRE_COMP *nistp521_pre_comp_new(void)
{
NISTP521_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret));
int ret = 0;
int j;
int mixed = 0;
- BN_CTX *new_ctx = NULL;
BIGNUM *x, *y, *z, *tmp_scalar;
felem_bytearray g_secret;
felem_bytearray *secrets = NULL;
const EC_POINT *p = NULL;
const BIGNUM *p_scalar = NULL;
- if (ctx == NULL)
- if ((ctx = new_ctx = BN_CTX_new()) == NULL)
- return 0;
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
err:
BN_CTX_end(ctx);
EC_POINT_free(generator);
- BN_CTX_free(new_ctx);
OPENSSL_free(secrets);
OPENSSL_free(pre_comp);
OPENSSL_free(tmp_felems);