SCA hardening for mod. field inversion in EC_GROUP

 Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]

  *) Added SCA hardening for modular field inversion in EC_GROUP through

     a new dedicated field_inv() pointer in EC_METHOD.

     This also addresses a leakage affecting conversions from projective

     to affine coordinates.

     [Billy Bob Brumley, Nicola Tuveri]

  *) Change the info callback signals for the start and end of a post-handshake

     message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START

     and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get

/*

 * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

        || !group->meth->field_mul(group, t2, t2, t0, ctx)

        || !BN_GF2m_add(t1, t2, t1)

        || !group->meth->field_mul(group, t2, p->X, t0, ctx)

        || !BN_GF2m_mod_inv(t2, t2, group->field, ctx)

        || !group->meth->field_inv(group, t2, t2, ctx)

        || !group->meth->field_mul(group, t1, t1, t2, ctx)

        || !group->meth->field_mul(group, r->X, r->Z, t2, ctx)

        || !BN_GF2m_add(t2, p->X, r->X)

    return ret;

}

/*-

 * Computes the multiplicative inverse of a in GF(2^m), storing the result in r.

 * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.

 * SCA hardening is with blinding: BN_GF2m_mod_inv does that.

 */

static int ec_GF2m_simple_field_inv(const EC_GROUP *group, BIGNUM *r,

                                    const BIGNUM *a, BN_CTX *ctx)

{

    int ret;

    if (!(ret = BN_GF2m_mod_inv(r, a, group->field, ctx)))

        ECerr(EC_F_EC_GF2M_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);

    return ret;

}

const EC_METHOD *EC_GF2m_simple_method(void)

{

    static const EC_METHOD ret = {

        ec_GF2m_simple_field_mul,

        ec_GF2m_simple_field_sqr,

        ec_GF2m_simple_field_div,

        ec_GF2m_simple_field_inv,

        0, /* field_encode */

        0, /* field_decode */

        0, /* field_set_to_one */

/*

 * Generated by util/mkerr.pl DO NOT EDIT

 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

 * this file except in compliance with the License.  You can obtain a copy

     "ec_asn1_group2fieldid"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, 0),

     "ec_GF2m_montgomery_point_multiply"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_FIELD_INV, 0),

     "ec_GF2m_simple_field_inv"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT, 0),

     "ec_GF2m_simple_group_check_discriminant"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, 0),

     "ec_GFp_mont_field_decode"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_ENCODE, 0),

     "ec_GFp_mont_field_encode"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_INV, 0),

     "ec_GFp_mont_field_inv"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_MUL, 0),

     "ec_GFp_mont_field_mul"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE, 0),

     "ec_GFp_nist_group_set_curve"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, 0),

     "ec_GFp_simple_blind_coordinates"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_FIELD_INV, 0),

     "ec_GFp_simple_field_inv"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, 0),

     "ec_GFp_simple_group_check_discriminant"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, 0),

    {ERR_PACK(ERR_LIB_EC, 0, EC_R_BAD_SIGNATURE), "bad signature"},

    {ERR_PACK(ERR_LIB_EC, 0, EC_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},

    {ERR_PACK(ERR_LIB_EC, 0, EC_R_BUFFER_TOO_SMALL), "buffer too small"},

    {ERR_PACK(ERR_LIB_EC, 0, EC_R_CANNOT_INVERT), "cannot invert"},

    {ERR_PACK(ERR_LIB_EC, 0, EC_R_COORDINATES_OUT_OF_RANGE),

    "coordinates out of range"},

    {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH),

/*

 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

    int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);

    int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

                      const BIGNUM *b, BN_CTX *);

    /*-

     * 'field_inv' computes the multipicative inverse of a in the field,

     * storing the result in r.

     *

     * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.

     */

    int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);

    /* e.g. to Montgomery */

    int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

                         BN_CTX *);

                            const BIGNUM *b, BN_CTX *);

int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

                            BN_CTX *);

int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

                            BN_CTX *);

int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,

                                    BN_CTX *ctx);

int ec_GFp_simple_ladder_pre(const EC_GROUP *group,

                          const BIGNUM *b, BN_CTX *);

int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

                          BN_CTX *);

int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

                          BN_CTX *);

int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

                             BN_CTX *);

int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,

/*

 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

        ec_GFp_mont_field_mul,

        ec_GFp_mont_field_sqr,

        0 /* field_div */ ,

        ec_GFp_mont_field_inv,

        ec_GFp_mont_field_encode,

        ec_GFp_mont_field_decode,

        ec_GFp_mont_field_set_to_one,

    return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);

}

/*-

 * Computes the multiplicative inverse of a in GF(p), storing the result in r.

 * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.

 * We have a Mont structure, so SCA hardening is FLT inversion.

 */

int ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,

                            BN_CTX *ctx)

{

    BIGNUM *e = NULL;

    BN_CTX *new_ctx = NULL;

    int ret = 0;

    if (group->field_data1 == NULL)

        return 0;

    if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)

        return 0;

    BN_CTX_start(ctx);

    if ((e = BN_CTX_get(ctx)) == NULL)

        goto err;

    /* Inverse in constant time with Fermats Little Theorem */

    if (!BN_set_word(e, 2))

        goto err;

    if (!BN_sub(e, group->field, e))

        goto err;

    /*-

     * Exponent e is public.

     * No need for scatter-gather or BN_FLG_CONSTTIME.

     */

    if (!BN_mod_exp_mont(r, a, e, group->field, ctx, group->field_data1))

        goto err;

    /* throw an error on zero */

    if (BN_is_zero(r)) {

        ECerr(EC_F_EC_GFP_MONT_FIELD_INV, EC_R_CANNOT_INVERT);

        goto err;

    }

    ret = 1;

  err:

    BN_CTX_end(ctx);

    BN_CTX_free(new_ctx);

    return ret;

}

int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r,

                             const BIGNUM *a, BN_CTX *ctx)

{