Commit c028254b authored by Emilia Kasper

Correctly set Z_is_one on the return value in the NISTZ256 implementation.



Also add a few comments about constant-timeness.

Thanks to Brian Smith for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
parent 8031d26b
@@ -587,6 +587,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
    for (i = 0; i < num; i++) {
        P256_POINT *row = table[i];

        /* This is an unusual input, we don't guarantee constant-timeness. */
        if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) {
            BIGNUM *mod;

@@ -1331,9 +1332,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
    bn_set_data(r->X, p.p.X, sizeof(p.p.X));
    bn_set_data(r->Y, p.p.Y, sizeof(p.p.Y));
    bn_set_data(r->Z, p.p.Z, sizeof(p.p.Z));
    /* Not constant-time, but we're only operating on the public output. */
    bn_correct_top(r->X);
    bn_correct_top(r->Y);
    bn_correct_top(r->Z);
    r->Z_is_one = is_one(p.p.Z);

    ret = 1;
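Review bot: The "Not constant-time, but we're only operating on the public output" comment is placed above the `bn_correct_top` calls, but the added `r->Z_is_one = is_one(p.p.Z);` also branches on the output, so the comment should be reworded or moved to cover both. Also worth a one-line note confirming that `is_one` compares `p.p.Z` against the value one in the same field-element representation that `p.p.Z` is stored in; if the two representations differ, the flag would be wrong in exactly the Z == 1 case this commit sets out to fix.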