提交 262dccc0 编写于 作者: B Billy Brumley 提交者: Matt Caswell

[crypto/ec] remove blinding to support even orders

Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6116)
上级 c11d372b
......@@ -1020,7 +1020,7 @@ int ec_group_simple_order_bits(const EC_GROUP *group)
static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
BIGNUM *x, BN_CTX *ctx)
{
BIGNUM *exp = NULL;
BIGNUM *e = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
......@@ -1028,8 +1028,7 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
return 0;
BN_CTX_start(ctx);
exp = BN_CTX_get(ctx);
if (exp == NULL)
if ((e = BN_CTX_get(ctx)) == NULL)
goto err;
/* Check if optimized inverse is implemented */
......@@ -1038,47 +1037,29 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
* We want inverse in constant time, therefore we utilize the fact
* order must be prime and use Fermats Little Theorem instead.
*/
if (!BN_set_word(exp, 2))
if (!BN_set_word(e, 2))
goto err;
if (!BN_sub(exp, group->order, exp))
if (!BN_sub(e, group->order, e))
goto err;
/*-
* Exponent X is public.
* Exponent e is public.
* No need for scatter-gather or BN_FLG_CONSTTIME.
*/
if (!BN_mod_exp_mont(r, x, exp, group->order, ctx, group->mont_data))
if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
goto err;
/* Inverse of zero doesn't exist. Let the fallback catch it. */
if (BN_is_zero(r))
ret = 0;
else
ret = 1;
ret = (BN_is_zero(r)) ? 0 : 1;
}
/*-
* Fallback to classic inverse, blinded.
* BN_FLG_CONSTTIME is a don't care here.
*/
/* Fallback to classic inverse */
if (ret == 0) {
do {
if (!BN_priv_rand_range(exp, group->order))
if (!BN_mod_inverse(r, x, group->order, ctx))
goto err;
} while (BN_is_zero(exp));
/* r := x * exp */
if (!BN_mod_mul(r, x, exp, group->order, ctx))
goto err;
/* r := 1/(x * exp) */
if (!BN_mod_inverse(r, r, group->order, ctx))
goto err;
/* r := exp/(x * exp) = 1/x */
if (!BN_mod_mul(r, r, exp, group->order, ctx))
goto err;
ret = 1;
}
err:
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册