/*
- * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
+ * Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * Portions of this software developed by SUN MICROSYSTEMS, INC.,
- * and contributed to the OpenSSL project.
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <string.h>
#include <openssl/err.h>
+#include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include "ec_lcl.h"
+#include "internal/refcount.h"
/*
* This file implements the wNAF-based interleaving multi-exponentiation method
- * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>);
- * for multiplication with precomputation, we use wNAF splitting
- * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp>).
+ * Formerly at:
+ * http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp
+ * You might now find it here:
+ * http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13
+ * http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf
+ * For multiplication with precomputation, we use wNAF splitting, formerly at:
+ * http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp
*/
/* structure for precomputed multiples of the generator */
* generator: 'num' pointers to EC_POINT
* objects followed by a NULL */
size_t num; /* numblocks * 2^(w-1) */
- int references;
+ CRYPTO_REF_COUNT references;
+ CRYPTO_RWLOCK *lock;
};
static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group)
ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
return ret;
}
+
ret->group = group;
ret->blocksize = 8; /* default */
ret->w = 4; /* default */
ret->references = 1;
+
+ ret->lock = CRYPTO_THREAD_lock_new();
+ if (ret->lock == NULL) {
+ ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(ret);
+ return NULL;
+ }
return ret;
}
EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *pre)
{
+ int i;
if (pre != NULL)
- CRYPTO_add(&pre->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
+ CRYPTO_UP_REF(&pre->references, &i, pre->lock);
return pre;
}
void EC_ec_pre_comp_free(EC_PRE_COMP *pre)
{
- if (pre == NULL
- || CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP) > 0)
+ int i;
+
+ if (pre == NULL)
return;
+ CRYPTO_DOWN_REF(&pre->references, &i, pre->lock);
+ REF_PRINT_COUNT("EC_ec", pre);
+ if (i > 0)
+ return;
+ REF_ASSERT_ISNT(i < 0);
+
if (pre->points != NULL) {
EC_POINT **pts;
EC_POINT_free(*pts);
OPENSSL_free(pre->points);
}
+ CRYPTO_THREAD_lock_free(pre->lock);
OPENSSL_free(pre);
}
+#define EC_POINT_BN_set_flags(P, flags) do { \
+ BN_set_flags((P)->X, (flags)); \
+ BN_set_flags((P)->Y, (flags)); \
+ BN_set_flags((P)->Z, (flags)); \
+} while(0)
+
+/*
+ * This functions computes (in constant time) a point multiplication over the
+ * EC group.
+ *
+ * It performs either a fixed scalar point multiplication
+ * (scalar * generator)
+ * when point is NULL, or a generic scalar point multiplication
+ * (scalar * point)
+ * when point is not NULL.
+ *
+ * scalar should be in the range [0,n) otherwise all constant time bets are off.
+ *
+ * NB: This says nothing about EC_POINT_add and EC_POINT_dbl,
+ * which of course are not constant time themselves.
+ *
+ * The product is stored in r.
+ *
+ * Returns 1 on success, 0 otherwise.
+ */
+static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+ const EC_POINT *point, BN_CTX *ctx)
+{
+ int i, order_bits, group_top, kbit, pbit, Z_is_one;
+ EC_POINT *s = NULL;
+ BIGNUM *k = NULL;
+ BIGNUM *lambda = NULL;
+ BN_CTX *new_ctx = NULL;
+ int ret = 0;
+
+ if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
+ goto err;
+
+ if ((group->order == NULL) || (group->field == NULL))
+ goto err;
+
+ order_bits = BN_num_bits(group->order);
+
+ s = EC_POINT_new(group);
+ if (s == NULL)
+ goto err;
+
+ if (point == NULL) {
+ if (group->generator == NULL)
+ goto err;
+ if (!EC_POINT_copy(s, group->generator))
+ goto err;
+ } else {
+ if (!EC_POINT_copy(s, point))
+ goto err;
+ }
+
+ EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
+
+ BN_CTX_start(ctx);
+ lambda = BN_CTX_get(ctx);
+ k = BN_CTX_get(ctx);
+ if (k == NULL)
+ goto err;
+
+ /*
+ * Group orders are often on a word boundary.
+ * So when we pad the scalar, some timing diff might
+ * pop if it needs to be expanded due to carries.
+ * So expand ahead of time.
+ */
+ group_top = bn_get_top(group->order);
+ if ((bn_wexpand(k, group_top + 1) == NULL)
+ || (bn_wexpand(lambda, group_top + 1) == NULL))
+ goto err;
+
+ if (!BN_copy(k, scalar))
+ goto err;
+
+ BN_set_flags(k, BN_FLG_CONSTTIME);
+
+ if ((BN_num_bits(k) > order_bits) || (BN_is_negative(k))) {
+ /*
+ * this is an unusual input, and we don't guarantee
+ * constant-timeness
+ */
+ if(!BN_nnmod(k, k, group->order, ctx))
+ goto err;
+ }
+
+ if (!BN_add(lambda, k, group->order))
+ goto err;
+ BN_set_flags(lambda, BN_FLG_CONSTTIME);
+ if (!BN_add(k, lambda, group->order))
+ goto err;
+ /*
+ * lambda := scalar + order
+ * k := scalar + 2*order
+ */
+ kbit = BN_is_bit_set(lambda, order_bits);
+ BN_consttime_swap(kbit, k, lambda, group_top + 1);
+
+ group_top = bn_get_top(group->field);
+ if ((bn_wexpand(s->X, group_top) == NULL)
+ || (bn_wexpand(s->Y, group_top) == NULL)
+ || (bn_wexpand(s->Z, group_top) == NULL)
+ || (bn_wexpand(r->X, group_top) == NULL)
+ || (bn_wexpand(r->Y, group_top) == NULL)
+ || (bn_wexpand(r->Z, group_top) == NULL))
+ goto err;
+
+ /* top bit is a 1, in a fixed pos */
+ if (!EC_POINT_copy(r, s))
+ goto err;
+
+ EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
+
+ if (!EC_POINT_dbl(group, s, s, ctx))
+ goto err;
+
+ pbit = 0;
+
+#define EC_POINT_CSWAP(c, a, b, w, t) do { \
+ BN_consttime_swap(c, (a)->X, (b)->X, w); \
+ BN_consttime_swap(c, (a)->Y, (b)->Y, w); \
+ BN_consttime_swap(c, (a)->Z, (b)->Z, w); \
+ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \
+ (a)->Z_is_one ^= (t); \
+ (b)->Z_is_one ^= (t); \
+} while(0)
+
+ for (i = order_bits - 1; i >= 0; i--) {
+ kbit = BN_is_bit_set(k, i) ^ pbit;
+ EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
+ if (!EC_POINT_add(group, s, r, s, ctx))
+ goto err;
+ if (!EC_POINT_dbl(group, r, r, ctx))
+ goto err;
+ /*
+ * pbit logic merges this cswap with that of the
+ * next iteration
+ */
+ pbit ^= kbit;
+ }
+ /* one final cswap to move the right value into r */
+ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
+#undef EC_POINT_CSWAP
+
+ ret = 1;
+
+err:
+ EC_POINT_free(s);
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+
+ return ret;
+}
+#undef EC_POINT_BN_set_flags
+
/*
* TODO: table should be optimised for the wNAF-based implementation,
* sometimes smaller windows will give better performance (thus the
* precomputation is not available */
int ret = 0;
+ /* Handle the common cases where the scalar is secret, enforcing a
+ * constant time scalar multiplication algorithm.
+ */
+ if ((scalar != NULL) && (num == 0)) {
+ /* In this case we want to compute scalar * GeneratorPoint:
+ * this codepath is reached most prominently by (ephemeral) key
+ * generation of EC cryptosystems (i.e. ECDSA keygen and sign setup,
+ * ECDH keygen/first half), where the scalar is always secret.
+ * This is why we ignore if BN_FLG_CONSTTIME is actually set and we
+ * always call the constant time version.
+ */
+ return ec_mul_consttime(group, r, scalar, NULL, ctx);
+ }
+ if ((scalar == NULL) && (num == 1)) {
+ /* In this case we want to compute scalar * GenericPoint:
+ * this codepath is reached most prominently by the second half of
+ * ECDH, where the secret scalar is multiplied by the peer's public
+ * point.
+ * To protect the secret scalar, we ignore if BN_FLG_CONSTTIME is
+ * actually set and we always call the constant time version.
+ */
+ return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+ }
+
+
if (group->meth != r->meth) {
ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
totalnum = num + numblocks;
- wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]);
- wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
- wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space
- * for pivot */
- val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
+ wsize = OPENSSL_malloc(totalnum * sizeof(wsize[0]));
+ wNAF_len = OPENSSL_malloc(totalnum * sizeof(wNAF_len[0]));
+ /* include space for pivot */
+ wNAF = OPENSSL_malloc((totalnum + 1) * sizeof(wNAF[0]));
+ val_sub = OPENSSL_malloc(totalnum * sizeof(val_sub[0]));
/* Ensure wNAF is initialised in case we end up going to err */
if (wNAF != NULL)
numblocks = (tmp_len + blocksize - 1) / blocksize;
if (numblocks > pre_comp->numblocks) {
ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
+ OPENSSL_free(tmp_wNAF);
goto err;
}
totalnum = num + numblocks;
wNAF_len[i] = blocksize;
if (tmp_len < blocksize) {
ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
+ OPENSSL_free(tmp_wNAF);
goto err;
}
tmp_len -= blocksize;
* 'val_sub[i]' is a pointer to the subarray for the i-th point, or to a
* subarray of 'pre_comp->points' if we already have precomputation.
*/
- val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
+ val = OPENSSL_malloc((num_val + 1) * sizeof(val[0]));
if (val == NULL) {
ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
goto err;
projects / openssl.git / blobdiff