Commit 262dccc0 authored by Billy Brumley's avatar Billy Brumley Committed by Matt Caswell
Browse files

[crypto/ec] remove blinding to support even orders 



Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6116)
parent c11d372b

crypto/ec/ec_lib.c

+11 −30
Original line number Diff line number Diff line
@@ -1020,7 +1020,7 @@ int ec_group_simple_order_bits(const EC_GROUP *group) 
static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,

                                    BIGNUM *x, BN_CTX *ctx)

{

    BIGNUM *exp = NULL;

    BIGNUM *e = NULL;

    BN_CTX *new_ctx = NULL;

    int ret = 0;
@@ -1028,8 +1028,7 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, 
        return 0;



    BN_CTX_start(ctx);

    exp = BN_CTX_get(ctx);

    if (exp == NULL)

    if ((e = BN_CTX_get(ctx)) == NULL)

        goto err;



    /* Check if optimized inverse is implemented */
@@ -1038,47 +1037,29 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, 
         * We want inverse in constant time, therefore we utilize the fact

         * order must be prime and use Fermats Little Theorem instead.

         */

        if (!BN_set_word(exp, 2))

        if (!BN_set_word(e, 2))

            goto err;

        if (!BN_sub(exp, group->order, exp))

        if (!BN_sub(e, group->order, e))

            goto err;

        /*-

         * Exponent X is public.

         * Exponent e is public.

         * No need for scatter-gather or BN_FLG_CONSTTIME.

         */

        if (!BN_mod_exp_mont(r, x, exp, group->order, ctx, group->mont_data))

        if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))

            goto err;

        /* Inverse of zero doesn't exist. Let the fallback catch it. */

        if (BN_is_zero(r))

            ret = 0;

        else

            ret = 1;

        ret = (BN_is_zero(r)) ? 0 : 1;

    }



    /*-

     * Fallback to classic inverse, blinded.

     * BN_FLG_CONSTTIME is a don't care here.

     */

    /* Fallback to classic inverse */

    if (ret == 0) {

        do {

            if (!BN_priv_rand_range(exp, group->order))

        if (!BN_mod_inverse(r, x, group->order, ctx))

            goto err;

        } while (BN_is_zero(exp));



        /* r := x * exp */

        if (!BN_mod_mul(r, x, exp, group->order, ctx))

            goto err;

        /* r := 1/(x * exp) */

        if (!BN_mod_inverse(r, r, group->order, ctx))

            goto err;

        /* r := exp/(x * exp) = 1/x */

        if (!BN_mod_mul(r, r, exp, group->order, ctx))

            goto err;



        ret = 1;

    }



 err:

    if (ctx != NULL)

        BN_CTX_end(ctx);

    BN_CTX_free(new_ctx);

    return ret;