author | Fedor Indutny <fedor@indutny.com> | 2014-04-08 00:58:37 +0400 |
---|---|---|
committer | Fedor Indutny <fedor@indutny.com> | 2014-04-08 00:58:37 +0400 |
commit | d6fd118727604bb94ca295f706e40119ad9de0a4 (patch) | |
tree | 97de27e6ac3fb8f0f454769b347fb6d49b0d13af /deps/openssl/openssl/crypto/ec/ec2_mult.c | |
parent | f2b297cc7ca1a7a4f4abd356bd1ad0af09e1b26b (diff) | |
deps: update openssl to 1.0.1g
Diffstat (limited to 'deps/openssl/openssl/crypto/ec/ec2_mult.c')
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ec2_mult.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/deps/openssl/openssl/crypto/ec/ec2_mult.c b/deps/openssl/openssl/crypto/ec/ec2_mult.c
index 26f4a783fc..1c575dc47a 100644
--- a/deps/openssl/openssl/crypto/ec/ec2_mult.c
+++ b/deps/openssl/openssl/crypto/ec/ec2_mult.c
@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
  return ret;
  }
 
+
 /* Computes scalar*point and stores the result in r.
  * point can not equal r.
- * Uses algorithm 2P of
+ * Uses a modified algorithm 2P of
  * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
  * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
+ *
+ * To protect against side-channel attack the function uses constant time swap,
+ * avoiding conditional branches.
  */
 static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
  const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
  x2 = &r->X;
  z2 = &r->Y;
 
+ bn_wexpand(x1, group->field.top);
+ bn_wexpand(z1, group->field.top);
+ bn_wexpand(x2, group->field.top);
+ bn_wexpand(z2, group->field.top);
+
  if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
  if (!BN_one(z1)) goto err; /* z1 = 1 */
  if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
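Review bot: The new comment text "To protect against side-channel attack the function uses constant time swap" reads as a claim that the whole routine is constant-time, but what the change actually removes is the scalar-dependent branch inside the per-bit loop; the loop still reads `word = scalar->d[i]` word by word, and if the leading-bit/word-count setup that precedes this loop (outside this hunk) is derived from the scalar, the iteration count still depends on the scalar's bit length. A more precise wording would be ` * The per-bit loop uses a constant-time swap instead of a scalar-dependent branch; the number of iterations still depends on the scalar's bit length.` so that readers do not assume a stronger guarantee than the code provides. The function body this comment describes starts after the hunk ends.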
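Review bot: The four bn_wexpand() calls added after `z2 = &r->Y;` discard their return value; bn_wexpand returns NULL when it cannot grow the BIGNUM, and the BN_consttime_swap calls in the following hunk then touch `group->field.top` words of x1, z1, x2 and z2 on the assumption that the expansion succeeded. On allocation failure the function continues with an undersized buffer instead of taking the error path that every neighbouring call uses. Check each result the same way the surrounding lines do: `if (!bn_wexpand(x1, group->field.top)) goto err;` and likewise for z1, x2 and z2. The function's beginning and the `err:` label lie outside this hunk.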
@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
  word = scalar->d[i];
  while (mask)
  {
- if (word & mask)
- {
- if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
- if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
- }
- else
- {
- if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
- if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
- }
+ BN_consttime_swap(word & mask, x1, x2, group->field.top);
+ BN_consttime_swap(word & mask, z1, z2, group->field.top);
+ if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+ if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
+ BN_consttime_swap(word & mask, x1, x2, group->field.top);
+ BN_consttime_swap(word & mask, z1, z2, group->field.top);
  mask >>= 1;
  }
  mask = BN_TBIT; |
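Review bot: The condition handed to BN_consttime_swap is `word & mask`, which is only valid because `mask` is always a single bit (it starts at `BN_TBIT` and is shifted right); as far as I recall, BN_consttime_swap in this release accepts only a condition that is zero or a single set bit and asserts that in debug builds, so the branch-free selection silently depends on this invariant. A comment above the first swap would make that explicit: `/* word & mask is 0 or a single bit, as BN_consttime_swap requires */`. The second pair of swaps after gf2m_Madd/gf2m_Mdouble also deserves a one-liner such as `/* undo the conditional swap so (x1,z1) and (x2,z2) keep their roles */`, since a reader may otherwise take it for a redundant repeat of the first pair. The enclosing loop over `scalar->d[i]` begins before this hunk.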