/*
- * Written by Adam Langley (Google) for the OpenSSL project
+ * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
+
/* Copyright 2011 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* work which got its smarts from Daniel J. Bernstein's work on the same.
*/
-#include <openssl/opensslconf.h>
+#include <openssl/e_os2.h>
#ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
NON_EMPTY_TRANSLATION_UNIT
#else
-# ifndef OPENSSL_SYS_VMS
-# include <stdint.h>
-# else
-# include <inttypes.h>
-# endif
-
# include <string.h>
# include <openssl/err.h>
# include "ec_lcl.h"
return is_zero;
}
-static int felem_is_zero_int(const felem in)
+static int felem_is_zero_int(const void *in)
{
return (int)(felem_is_zero(in) & ((limb) 1));
}
* adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
*
* This function includes a branch for checking whether the two input points
- * are equal (while not equal to the point at infinity). This case never
- * happens during single point multiplication, so there is no timing leak for
- * ECDH or ECDSA signing. */
+ * are equal (while not equal to the point at infinity). See comment below
+ * on constant-time.
+ */
static void point_add(felem x3, felem y3, felem z3,
const felem x1, const felem y1, const felem z1,
const int mixed, const felem x2, const felem y2,
/* ftmp5[i] < 2^61 */
if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
+ /*
+ * This is obviously not constant-time but it will almost-never happen
+ * for ECDH / ECDSA. The case where it can happen is during scalar-mult
+ * where the intermediate value gets very close to the group order.
+ * Since |ec_GFp_nistp_recode_scalar_bits| produces signed digits for
+ * the scalar, it's possible for the intermediate value to be a small
+ * negative multiple of the base point, and for the final signed digit
+ * to be the same value. We believe that this only occurs for the scalar
+ * 1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ * ffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb
+ * 71e913863f7, in that case the penultimate intermediate is -9G and
+ * the final digit is also -9G. Since this only happens for a single
+ * scalar, the timing leak is irrelevent. (Any attacker who wanted to
+ * check whether a secret scalar was that exact value, can already do
+ * so.)
+ */
point_double(x3, y3, z3, x1, y1, z1);
return;
}
/* Precomputation for the group generator. */
struct nistp521_pre_comp_st {
felem g_pre_comp[16][3];
- int references;
+ CRYPTO_REF_COUNT references;
+ CRYPTO_RWLOCK *lock;
};
const EC_METHOD *EC_GFp_nistp521_method(void)
ec_GFp_nistp521_group_set_curve,
ec_GFp_simple_group_get_curve,
ec_GFp_simple_group_get_degree,
+ ec_group_simple_order_bits,
ec_GFp_simple_group_check_discriminant,
ec_GFp_simple_point_init,
ec_GFp_simple_point_finish,
0 /* field_div */ ,
0 /* field_encode */ ,
0 /* field_decode */ ,
- 0 /* field_set_to_one */
+ 0, /* field_set_to_one */
+ ec_key_simple_priv2oct,
+ ec_key_simple_oct2priv,
+ 0, /* set private */
+ ec_key_simple_generate_key,
+ ec_key_simple_check_key,
+ ec_key_simple_generate_public_key,
+ 0, /* keycopy */
+ 0, /* keyfinish */
+ ecdh_simple_compute_key
};
return &ret;
ECerr(EC_F_NISTP521_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
return ret;
}
+
ret->references = 1;
+
+ ret->lock = CRYPTO_THREAD_lock_new();
+ if (ret->lock == NULL) {
+ ECerr(EC_F_NISTP521_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(ret);
+ return NULL;
+ }
return ret;
}
NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *p)
{
+ int i;
if (p != NULL)
- CRYPTO_add(&p->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
+ CRYPTO_UP_REF(&p->references, &i, p->lock);
return p;
}
void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *p)
{
- if (p == NULL
- || CRYPTO_add(&p->references, -1, CRYPTO_LOCK_EC_PRE_COMP) > 0)
+ int i;
+
+ if (p == NULL)
+ return;
+
+ CRYPTO_DOWN_REF(&p->references, &i, p->lock);
+ REF_PRINT_COUNT("EC_nistp521", x);
+ if (i > 0)
return;
+ REF_ASSERT_ISNT(i < 0);
+
+ CRYPTO_THREAD_lock_free(p->lock);
OPENSSL_free(p);
}
if ((ctx = new_ctx = BN_CTX_new()) == NULL)
return 0;
BN_CTX_start(ctx);
- if (((curve_p = BN_CTX_get(ctx)) == NULL) ||
- ((curve_a = BN_CTX_get(ctx)) == NULL) ||
- ((curve_b = BN_CTX_get(ctx)) == NULL))
+ curve_p = BN_CTX_get(ctx);
+ curve_a = BN_CTX_get(ctx);
+ curve_b = BN_CTX_get(ctx);
+ if (curve_b == NULL)
goto err;
BN_bin2bn(nistp521_curve_params[0], sizeof(felem_bytearray), curve_p);
BN_bin2bn(nistp521_curve_params[1], sizeof(felem_bytearray), curve_a);
sizeof(felem),
tmp_felems,
(void (*)(void *))felem_one,
- (int (*)(const void *))
felem_is_zero_int,
(void (*)(void *, const void *))
felem_assign,
if ((ctx = new_ctx = BN_CTX_new()) == NULL)
return 0;
BN_CTX_start(ctx);
- if (((x = BN_CTX_get(ctx)) == NULL) ||
- ((y = BN_CTX_get(ctx)) == NULL) ||
- ((z = BN_CTX_get(ctx)) == NULL) ||
- ((tmp_scalar = BN_CTX_get(ctx)) == NULL))
+ x = BN_CTX_get(ctx);
+ y = BN_CTX_get(ctx);
+ z = BN_CTX_get(ctx);
+ tmp_scalar = BN_CTX_get(ctx);
+ if (tmp_scalar == NULL)
goto err;
if (scalar != NULL) {
if ((ctx = new_ctx = BN_CTX_new()) == NULL)
return 0;
BN_CTX_start(ctx);
- if (((x = BN_CTX_get(ctx)) == NULL) || ((y = BN_CTX_get(ctx)) == NULL))
+ x = BN_CTX_get(ctx);
+ y = BN_CTX_get(ctx);
+ if (y == NULL)
goto err;
/* get the generator */
if (group->generator == NULL)