The branch OpenSSL_1_1_0-stable has been updated via 7b3e775a6a78650bbd3e8e19a5aa12981880402b (commit) via cc39f9250957dfe6e9f1b62a4eca1863e8451483 (commit) from 77b6b171a3b0a0f19ffcc8d4e682090fb88f0d10 (commit)
- Log ----------------------------------------------------------------- commit 7b3e775a6a78650bbd3e8e19a5aa12981880402b Author: Billy Brumley <bbrum...@gmail.com> Date: Wed Jun 20 10:56:37 2018 +0300 [crypto/ec] don't assume points are of order group->order (cherry picked from commit 01fd5df77d401c87f926552ec24c0a09e5735006) Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6549) commit cc39f9250957dfe6e9f1b62a4eca1863e8451483 Author: Andy Polyakov <ap...@openssl.org> Date: Mon May 7 10:27:45 2018 +0200 ec/ec_mult.c: get BN_CTX_start,end sequence right. Triggered by Coverity analysis. Reviewed-by: Rich Salz <rs...@openssl.org> (cherry picked from commit 7d859d1c8868b81c5d810021af0b40f355af4e1f) Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6549) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ec_mult.c | 32 +++++++++++++++++--------------- test/evptests.txt | 29 +++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 15 deletions(-) diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index cac9591..106e754 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -136,17 +136,18 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx) { - int i, order_bits, group_top, kbit, pbit, Z_is_one; + int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; EC_POINT *s = NULL; BIGNUM *k = NULL; BIGNUM *lambda = NULL; + BIGNUM *cardinality = NULL; BN_CTX *new_ctx = NULL; int ret = 0; if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL) - goto err; + return 0; - order_bits = BN_num_bits(group->order); + BN_CTX_start(ctx); s = EC_POINT_new(group); if (s == NULL) @@ -162,19 +163,20 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); - BN_CTX_start(ctx); + cardinality = BN_CTX_get(ctx); lambda = BN_CTX_get(ctx); k = BN_CTX_get(ctx); - if (k == NULL) + if (k == NULL || !BN_mul(cardinality, group->order, group->cofactor, ctx)) goto err; /* - * Group orders are often on a word boundary. + * Group cardinalities are often on a word boundary. * So when we pad the scalar, some timing diff might * pop if it needs to be expanded due to carries. * So expand ahead of time. */ - group_top = bn_get_top(group->order); + cardinality_bits = BN_num_bits(cardinality); + group_top = bn_get_top(cardinality); if ((bn_wexpand(k, group_top + 1) == NULL) || (bn_wexpand(lambda, group_top + 1) == NULL)) goto err; @@ -184,25 +186,25 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, BN_set_flags(k, BN_FLG_CONSTTIME); - if ((BN_num_bits(k) > order_bits) || (BN_is_negative(k))) { + if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { /*- * this is an unusual input, and we don't guarantee * constant-timeness */ - if (!BN_nnmod(k, k, group->order, ctx)) + if (!BN_nnmod(k, k, cardinality, ctx)) goto err; } - if (!BN_add(lambda, k, group->order)) + if (!BN_add(lambda, k, cardinality)) goto err; BN_set_flags(lambda, BN_FLG_CONSTTIME); - if (!BN_add(k, lambda, group->order)) + if (!BN_add(k, lambda, cardinality)) goto err; /* - * lambda := scalar + order - * k := scalar + 2*order + * lambda := scalar + cardinality + * k := scalar + 2*cardinality */ - kbit = BN_is_bit_set(lambda, order_bits); + kbit = BN_is_bit_set(lambda, cardinality_bits); BN_consttime_swap(kbit, k, lambda, group_top + 1); group_top = bn_get_top(group->field); @@ -292,7 +294,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, * This is XOR. pbit tracks the previous bit of k. */ - for (i = order_bits - 1; i >= 0; i--) { + for (i = cardinality_bits - 1; i >= 0; i--) { kbit = BN_is_bit_set(k, i) ^ pbit; EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); if (!EC_POINT_add(group, s, r, s, ctx)) diff --git a/test/evptests.txt b/test/evptests.txt index fd8d98d..fea0a77 100644 --- a/test/evptests.txt +++ b/test/evptests.txt @@ -19144,6 +19144,35 @@ PeerKey=KAS-ECC-CDH_B-571_C24-Peer-PUBLIC Ctrl=ecdh_cofactor_mode:1 SharedSecret=02da266a269bdc8d8b2a0c6bb5762f102fc801c8d5394a9271539136bd81d4b69cfbb7525cd0a983fb7f7e9deec583b8f8e574c6184b2d79831ec770649e484dc006fa35b0bffd0b +# for cofactor-order points, ECC CDH (co-factor ECDH) should fail. Test that. + +PrivateKey=ALICE_cf_sect283k1 +-----BEGIN PRIVATE KEY----- +MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAHtPwRfQZ9pWgSctyHdt +xt3pd8ESMI3ugVx8MDLkiVB8GkCRoUwDSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3 +n68A32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM +8uKr +-----END PRIVATE KEY----- + +PublicKey=ALICE_cf_sect283k1_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3n68A +32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM8uKr +-----END PUBLIC KEY----- + +PublicKey=BOB_cf_sect283k1_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB +-----END PUBLIC KEY----- + +PrivPubKeyPair = ALICE_cf_sect283k1:ALICE_cf_sect283k1_PUB + +# ECDH Alice with Bob peer +Derive=ALICE_cf_sect283k1 +PeerKey=BOB_cf_sect283k1_PUB +Ctrl=ecdh_cofactor_mode:1 +Result = DERIVE_ERROR # Test mismatches PrivPubKeyPair = Alice-25519:Bob-25519-PUBLIC _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits