diff options
author | Emilia Kasper <emilia@openssl.org> | 2015-04-24 15:19:15 +0200 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2015-04-24 17:33:21 +0200 |
commit | c028254b12a8ea0d0f8a677172eda2e2d78073f3 (patch) | |
tree | d62d0a178053add773ff6f3dda9a37cd3c225b9d /crypto/ec | |
parent | 8031d26b0cc7fb277288b106dc4850adf4d77a23 (diff) | |
download | openssl-c028254b12a8ea0d0f8a677172eda2e2d78073f3.tar.gz |
Correctly set Z_is_one on the return value in the NISTZ256 implementation.
Also add a few comments about constant-timeness.
Thanks to Brian Smith for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/ec')
-rw-r--r-- | crypto/ec/ecp_nistz256.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index de9fbea515..b6eec7dc2c 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -587,6 +587,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, for (i = 0; i < num; i++) { P256_POINT *row = table[i]; + /* This is an unusual input, we don't guarantee constant-timeness. */ if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) { BIGNUM *mod; @@ -1331,9 +1332,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, bn_set_data(r->X, p.p.X, sizeof(p.p.X)); bn_set_data(r->Y, p.p.Y, sizeof(p.p.Y)); bn_set_data(r->Z, p.p.Z, sizeof(p.p.Z)); + /* Not constant-time, but we're only operating on the public output. */ bn_correct_top(r->X); bn_correct_top(r->Y); bn_correct_top(r->Z); + r->Z_is_one = is_one(p.p.Z); ret = 1; |