Correctly set Z_is_one on the return value in the NISTZ256 implementation.
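diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index de9fbea5151f0601fc8cbd88444da64b0b010220..b6eec7dc2cd8ddab7f71513e6830bfffc7852a35 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -587,6 +587,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
 for (i = 0; i < num; i++) {
 P256_POINT *row = table[i];
+ /* This is an unusual input, we don't guarantee constant-timeness. */
 if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) {
 BIGNUM *mod;
@@ -1331,9 +1332,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
 bn_set_data(r->X, p.p.X, sizeof(p.p.X));
 bn_set_data(r->Y, p.p.Y, sizeof(p.p.Y));
 bn_set_data(r->Z, p.p.Z, sizeof(p.p.Z));
+ /* Not constant-time, but we're only operating on the public output. */
 bn_correct_top(r->X);
 bn_correct_top(r->Y);
 bn_correct_top(r->Z);
+ r->Z_is_one = is_one(p.p.Z);
 ret = 1;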
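Review bot: The new `r->Z_is_one = is_one(p.p.Z);` in ecp_nistz256_points_mul reads the Z coordinate in whatever internal representation p.p.Z is stored in, and is_one() is defined outside this hunk, so nothing on the page shows that the two agree; if is_one() tests against the plain integer 1 rather than the representation held in p.p.Z, Z_is_one would stay 0 for a point that is in fact affine, which is silently wrong rather than loudly so. A one-line comment tying the two together would make that contract visible to the next reader, e.g. `/* p.p.Z is the internal (Montgomery) form; is_one() must test against that form, not against integer 1. */` — confirm against is_one()'s definition before wording it as fact. The preceding "Not constant-time" comment now also covers this assignment, which is consistent since it derives only from the public result, but it may be worth saying so explicitly. The body of ecp_nistz256_points_mul starts and ends outside the hunk.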