author | Shigeki Ohtsu <ohtsu@ohtsu.org> | 2018-08-14 23:11:54 +0900 |
---|---|---|
committer | Rod Vagg <rod@vagg.org> | 2018-08-16 11:52:37 +1000 |
commit | 6090e1f54d8e6e8c4ba18091e19faf46c0b09ece (patch) | |
tree | a2d2fb7b4b4a5e365ac4b6515cf4d7a5c8262d23 /deps/openssl/openssl/crypto/ec | |
parent | 32902d09b43e9d7f19eb6178ef5db835652d97c1 (diff) | |
deps: upgrade openssl sources to 1.1.0i
This updates all sources in deps/openssl/openssl with openssl-1.1.0i.
PR-URL: https://github.com/nodejs/node/pull/22318
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'deps/openssl/openssl/crypto/ec')
-rwxr-xr-x | deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl | 12 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl | 20 | ||||
-rwxr-xr-x | deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl | 4 | ||||
-rwxr-xr-x | deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl | 12 | ||||
-rwxr-xr-x | deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl | 6 | ||||
-rwxr-xr-x | deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl | 4 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ec2_smpl.c | 3 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ec_ameth.c | 13 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ec_curve.c | 6 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ec_lcl.h | 18 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ec_lib.c | 41 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ec_mult.c | 250 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ec_oct.c | 10 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ecdsa_ossl.c | 132 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ecp_nistz256.c | 34 | ||||
-rw-r--r-- | deps/openssl/openssl/crypto/ec/ecp_smpl.c | 3 |
16 files changed, 382 insertions, 186 deletions
diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl
index 2314b75244..4eb4c68977 100755
--- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl
+++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -894,13 +894,13 @@ ecp_nistz256_scatter_w7:
 .Loop_scatter_w7:
 ldr $mask,[$inp],#4
 subs $index,$index,#1
- strb $mask,[$out,#64*0-1]
+ strb $mask,[$out,#64*0]
 mov $mask,$mask,lsr#8
- strb $mask,[$out,#64*1-1]
+ strb $mask,[$out,#64*1]
 mov $mask,$mask,lsr#8
- strb $mask,[$out,#64*2-1]
+ strb $mask,[$out,#64*2]
 mov $mask,$mask,lsr#8
- strb $mask,[$out,#64*3-1]
+ strb $mask,[$out,#64*3]
 add $out,$out,#64*4
 bne .Loop_scatter_w7
@@ -1633,7 +1633,7 @@ ___
 $code.=<<___;
 .Ladd_done:
 add sp,sp,#32*18+16+16 @ +16 means "skip even over saved r0-r3"
-#if __ARM_ARCH__>=5 || defined(__thumb__)
+#if __ARM_ARCH__>=5 || !defined(__thumb__)
 ldmia sp!,{r4-r12,pc}
 #else
 ldmia sp!,{r4-r12,lr}
diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl
index d93c4fe957..2a39675bfd 100644
--- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl
+++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
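Review bot: The store offsets in `.Loop_scatter_w7` move from `#64*k-1` to `#64*k` — byte k of each input word now lands at `$out + 64*k` instead of one byte before it — and the identical shift is made in the armv8, sparcv9 and x86 scatter_w7 loops in this commit, so the base that the gather side and the C caller in ecp_nistz256.c (in the diffstat, not in this view) pass in must have changed in step; nothing in the hunk records that contract. A comment at the label, `@ $out is byte 0 of the first 64-byte stripe; byte k of each word goes to stripe k`, would make the coupling between scatter, gather and the C caller explicit. The x86_64 scatter loop is not touched by this commit, so presumably it already used the unshifted base; that is worth confirming against the C caller.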
@@ -660,7 +660,7 @@ __ecp_nistz256_div_by_2:
 adc $ap,xzr,xzr // zap $ap
 tst $acc0,#1 // is a even?
- csel $acc0,$acc0,$t0,eq // ret = even ? a : a+modulus
+ csel $acc0,$acc0,$t0,eq // ret = even ? a : a+modulus
 csel $acc1,$acc1,$t1,eq
 csel $acc2,$acc2,$t2,eq
 csel $acc3,$acc3,$t3,eq
@@ -1477,21 +1477,21 @@ ecp_nistz256_scatter_w7:
 prfm pstl1strm,[$out,#4096+64*5]
 prfm pstl1strm,[$out,#4096+64*6]
 prfm pstl1strm,[$out,#4096+64*7]
- strb w3,[$out,#64*0-1]
+ strb w3,[$out,#64*0]
 lsr x3,x3,#8
- strb w3,[$out,#64*1-1]
+ strb w3,[$out,#64*1]
 lsr x3,x3,#8
- strb w3,[$out,#64*2-1]
+ strb w3,[$out,#64*2]
 lsr x3,x3,#8
- strb w3,[$out,#64*3-1]
+ strb w3,[$out,#64*3]
 lsr x3,x3,#8
- strb w3,[$out,#64*4-1]
+ strb w3,[$out,#64*4]
 lsr x3,x3,#8
- strb w3,[$out,#64*5-1]
+ strb w3,[$out,#64*5]
 lsr x3,x3,#8
- strb w3,[$out,#64*6-1]
+ strb w3,[$out,#64*6]
 lsr x3,x3,#8
- strb w3,[$out,#64*7-1]
+ strb w3,[$out,#64*7]
 add $out,$out,#64*8
 b.ne .Loop_scatter_w7
diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl
index 3bdd2cf13f..edd7d01281 100755
--- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl
+++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -67,7 +67,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
 $addx = ($1>=12);
 }
-if (!$addx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
+if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) {
 my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
 $avx = ($ver>=3.0) + ($ver>=3.01);
 $addx = ($ver>=3.03);
diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl
index ee11069459..0c1af95b13 100755
--- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl
+++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -1531,13 +1531,13 @@ ecp_nistz256_scatter_w7:
 ld [$inp],%l0
 add $inp,4,$inp
 subcc $index,1,$index
- stb %l0,[$out+64*0-1]
+ stb %l0,[$out+64*0]
 srl %l0,8,%l1
- stb %l1,[$out+64*1-1]
+ stb %l1,[$out+64*1]
 srl %l0,16,%l2
- stb %l2,[$out+64*2-1]
+ stb %l2,[$out+64*2]
 srl %l0,24,%l3
- stb %l3,[$out+64*3-1]
+ stb %l3,[$out+64*3]
 bne .Loop_scatter_w7
 add $out,64*4,$out
@@ -1874,7 +1874,7 @@ $code.=<<___ if ($i<3);
 ldx [$bp+8*($i+1)],$bi ! bp[$i+1]
 ___
 $code.=<<___;
- addcc $acc1,$t0,$acc1 ! accumulate high parts of multiplication
+ addcc $acc1,$t0,$acc1 ! accumulate high parts of multiplication
 sllx $acc0,32,$t0
 addxccc $acc2,$t1,$acc2
 srlx $acc0,32,$t1
diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl
index f637c844c4..b3bec23228 100755
--- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl
+++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -443,7 +443,7 @@ for(1..37) {
 &mov (&DWP(20,"esp"),"eax");
 &mov (&DWP(24,"esp"),"eax");
 &mov (&DWP(28,"esp"),"eax");
-
+
 &call ("_ecp_nistz256_sub");
 &stack_pop(8);
@@ -1179,7 +1179,7 @@ for ($i=0;$i<7;$i++) {
 &mov ("esi",&wparam(1));
 &mov ("ebp",&wparam(2));
- &lea ("edi",&DWP(-1,"edi","ebp"));
+ &lea ("edi",&DWP(0,"edi","ebp"));
 &mov ("ebp",64/4);
 &set_label("scatter_w7_loop");
 &mov ("eax",&DWP(0,"esi"));
diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl
index 183137e5f0..714e852a18 100755
--- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl
+++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl
@@ -3051,8 +3051,8 @@ ___
 ########################################################################
 # Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7
 #
-open TABLE,"<ecp_nistz256_table.c" or
-open TABLE,"<${dir}../ecp_nistz256_table.c" or
+open TABLE,"<ecp_nistz256_table.c" or
+open TABLE,"<${dir}../ecp_nistz256_table.c" or
 die "failed to open ecp_nistz256_table.c:",$!;
 use integer;
diff --git a/deps/openssl/openssl/crypto/ec/ec2_smpl.c b/deps/openssl/openssl/crypto/ec/ec2_smpl.c
index cfeef5fc74..28b91d5102 100644
--- a/deps/openssl/openssl/crypto/ec/ec2_smpl.c
+++ b/deps/openssl/openssl/crypto/ec/ec2_smpl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -330,6 +330,7 @@ int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
 if (!BN_copy(dest->Z, src->Z))
 return 0;
 dest->Z_is_one = src->Z_is_one;
+ dest->curve_name = src->curve_name;
 return 1;
 }
diff --git a/deps/openssl/openssl/crypto/ec/ec_ameth.c b/deps/openssl/openssl/crypto/ec/ec_ameth.c
index b66adf2bbc..f8f1e2c842 100644
--- a/deps/openssl/openssl/crypto/ec/ec_ameth.c
+++ b/deps/openssl/openssl/crypto/ec/ec_ameth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -92,19 +92,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 static EC_KEY *eckey_type2param(int ptype, const void *pval)
 {
 EC_KEY *eckey = NULL;
+ EC_GROUP *group = NULL;
+
 if (ptype == V_ASN1_SEQUENCE) {
 const ASN1_STRING *pstr = pval;
- const unsigned char *pm = NULL;
- int pmlen;
- pm = pstr->data;
- pmlen = pstr->length;
+ const unsigned char *pm = pstr->data;
+ int pmlen = pstr->length;
+
 if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) {
 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
 goto ecerr;
 }
 } else if (ptype == V_ASN1_OBJECT) {
 const ASN1_OBJECT *poid = pval;
- EC_GROUP *group;
 /*
 * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID
@@ -129,6 +129,7 @@ static EC_KEY *eckey_type2param(int ptype, const void *pval)
 ecerr:
 EC_KEY_free(eckey);
+ EC_GROUP_free(group);
 return NULL;
 }
diff --git a/deps/openssl/openssl/crypto/ec/ec_curve.c b/deps/openssl/openssl/crypto/ec/ec_curve.c
index f8a3846fd5..b022528be2 100644
--- a/deps/openssl/openssl/crypto/ec/ec_curve.c
+++ b/deps/openssl/openssl/crypto/ec/ec_curve.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -3036,6 +3036,8 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
 }
 #endif
+ EC_GROUP_set_curve_name(group, curve.nid);
+
 if ((P = EC_POINT_new(group)) == NULL) {
 ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
 goto err;
@@ -3101,8 +3103,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
 return NULL;
 }
- EC_GROUP_set_curve_name(ret, nid);
-
 return ret;
 }
diff --git a/deps/openssl/openssl/crypto/ec/ec_lcl.h b/deps/openssl/openssl/crypto/ec/ec_lcl.h
index ded35a72a0..d8141704cf 100644
--- a/deps/openssl/openssl/crypto/ec/ec_lcl.h
+++ b/deps/openssl/openssl/crypto/ec/ec_lcl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -269,6 +269,8 @@ struct ec_key_st {
 struct ec_point_st {
 const EC_METHOD *meth;
+ /* NID for the curve if known */
+ int curve_name;
 /*
 * All members except 'meth' are handled by the method functions, even if
 * they appear generic
@@ -281,6 +283,20 @@ struct ec_point_st {
 * special case
 */
 };
+
+static ossl_inline int ec_point_is_compat(const EC_POINT *point,
+ const EC_GROUP *group)
+{
+ if (group->meth != point->meth
+ || (group->curve_name != 0
+ && point->curve_name != 0
+ && group->curve_name != point->curve_name))
+ return 0;
+
+ return 1;
+}
+
+
 NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *);
 NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);
 NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *);
diff --git a/deps/openssl/openssl/crypto/ec/ec_lib.c b/deps/openssl/openssl/crypto/ec/ec_lib.c
index 7cb4bfee28..e256e4e511 100644
--- a/deps/openssl/openssl/crypto/ec/ec_lib.c
+++ b/deps/openssl/openssl/crypto/ec/ec_lib.c
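Review bot: `EC_GROUP_set_curve_name(group, curve.nid)` is moved ahead of `EC_POINT_new(group)`, and the ordering is load-bearing: EC_POINT_new (ec_lib.c in this same diff) copies `group->curve_name` into the new point, so the generator only carries the NID because the name is set first, yet nothing in the hunk says so. A comment above the call, `/* must precede EC_POINT_new() so the generator inherits the curve NID */`, would stop someone from moving it back into EC_GROUP_new_by_curve_name, where the second hunk removes it. ec_group_new_from_data starts before and ends after this hunk.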
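Review bot: `ec_point_is_compat` treats a zero `curve_name` on either side as a wildcard — a point or group without a NID only has to agree on `meth` — which is exactly why the check is weaker for explicitly-parameterised groups, but the function carries no comment stating that contract. Suggest a header comment such as `/* A point may be used with a group when the methods match and, if both carry a curve NID (non-zero), the NIDs agree; 0 means "unknown" and is not compared. */`. Its `(point, group)` argument order is also the reverse of the `(group, point)` order of every public EC_POINT_* function whose inline check it replaces in ec_lib.c and ec_oct.c; either works, but matching the public signatures would read more naturally at the call sites.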
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -140,6 +140,8 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
 if (dest == src)
 return 1;
+ dest->curve_name = src->curve_name;
+
 /* Copy precomputed */
 dest->pre_comp_type = src->pre_comp_type;
 switch (src->pre_comp_type) {
@@ -202,7 +204,6 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
 return 0;
 }
- dest->curve_name = src->curve_name;
 dest->asn1_flag = src->asn1_flag;
 dest->asn1_form = src->asn1_form;
@@ -563,6 +564,7 @@ EC_POINT *EC_POINT_new(const EC_GROUP *group)
 }
 ret->meth = group->meth;
+ ret->curve_name = group->curve_name;
 if (!ret->meth->point_init(ret)) {
 OPENSSL_free(ret);
@@ -600,7 +602,10 @@ int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src)
 ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (dest->meth != src->meth) {
+ if (dest->meth != src->meth
+ || (dest->curve_name != src->curve_name
+ && dest->curve_name != 0
+ && src->curve_name != 0)) {
 ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -657,7 +662,7 @@ int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,
 EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
@@ -676,7 +681,7 @@ int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,
 EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
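Review bot: `dest->curve_name = src->curve_name` moves from the tail of EC_GROUP_copy to before the precomputation copy, and the hunk does not say why; the likely reason is that the later copy of the generator point (outside this hunk) goes through EC_POINT_copy, which in this same commit starts rejecting source and destination points whose non-zero NIDs differ, so dest must already carry src's NID before any point is copied into it. Recording that as a comment, `/* set before any EC_POINT_copy() into dest: point copies now compare curve_name */`, would keep a later reordering from turning group copies into EC_R_INCOMPATIBLE_OBJECTS failures. The rest of EC_GROUP_copy is outside this hunk.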
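Review bot: The new condition in EC_POINT_copy restates the rule of `ec_point_is_compat` inline — same `meth` test, same zero-means-unknown treatment of `curve_name` — because the helper takes a group rather than two points, and nothing links the two; a one-line comment, `/* same rule as ec_point_is_compat(), applied point-to-point */`, would keep them updated together. Note also that this generic EC_POINT_copy does not itself copy `curve_name`; that is delegated to `meth->point_copy`, which ec2_smpl.c updates in this commit and ecp_smpl.c presumably does too (it is in the diffstat but not shown), so any other EC_METHOD implementation needs the same one-line change or its copied points keep a stale NID.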
@@ -694,7 +699,7 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,
 EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
@@ -720,7 +725,7 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group,
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M,
 EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
@@ -746,7 +751,7 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,
 EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
@@ -764,7 +769,7 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M,
 EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
@@ -780,8 +785,8 @@ int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if ((group->meth != r->meth) || (r->meth != a->meth)
- || (a->meth != b->meth)) {
+ if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group)
+ || !ec_point_is_compat(b, group)) {
 ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -795,7 +800,7 @@ int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if ((group->meth != r->meth) || (r->meth != a->meth)) {
+ if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group)) {
 ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -808,7 +813,7 @@ int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
 ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != a->meth) {
+ if (!ec_point_is_compat(a, group)) {
 ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -822,7 +827,7 @@ int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -843,7 +848,7 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
 ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -857,7 +862,7 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
 ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return -1;
 }
- if ((group->meth != a->meth) || (a->meth != b->meth)) {
+ if (!ec_point_is_compat(a, group) || !ec_point_is_compat(b, group)) {
 ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
 return -1;
 }
@@ -870,7 +875,7 @@ int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
 ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -887,7 +892,7 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num,
 return 0;
 }
 for (i = 0; i < num; i++) {
- if (group->meth != points[i]->meth) {
+ if (!ec_point_is_compat(points[i], group)) {
 ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
diff --git a/deps/openssl/openssl/crypto/ec/ec_mult.c b/deps/openssl/openssl/crypto/ec/ec_mult.c
index b39777fbf2..56c7767772 100644
--- a/deps/openssl/openssl/crypto/ec/ec_mult.c
+++ b/deps/openssl/openssl/crypto/ec/ec_mult.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -105,6 +105,224 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre)
 OPENSSL_free(pre);
 }
+#define EC_POINT_BN_set_flags(P, flags) do { \
+ BN_set_flags((P)->X, (flags)); \
+ BN_set_flags((P)->Y, (flags)); \
+ BN_set_flags((P)->Z, (flags)); \
+} while(0)
+
+/*-
+ * This functions computes (in constant time) a point multiplication over the
+ * EC group.
+ *
+ * At a high level, it is Montgomery ladder with conditional swaps.
+ *
+ * It performs either a fixed scalar point multiplication
+ * (scalar * generator)
+ * when point is NULL, or a generic scalar point multiplication
+ * (scalar * point)
+ * when point is not NULL.
+ *
+ * scalar should be in the range [0,n) otherwise all constant time bets are off.
+ *
+ * NB: This says nothing about EC_POINT_add and EC_POINT_dbl,
+ * which of course are not constant time themselves.
+ *
+ * The product is stored in r.
+ *
+ * Returns 1 on success, 0 otherwise.
+ */
+static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, const EC_POINT *point,
+ BN_CTX *ctx)
+{
+ int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
+ EC_POINT *s = NULL;
+ BIGNUM *k = NULL;
+ BIGNUM *lambda = NULL;
+ BIGNUM *cardinality = NULL;
+ BN_CTX *new_ctx = NULL;
+ int ret = 0;
+
+ if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
+ return 0;
+
+ BN_CTX_start(ctx);
+
+ s = EC_POINT_new(group);
+ if (s == NULL)
+ goto err;
+
+ if (point == NULL) {
+ if (!EC_POINT_copy(s, group->generator))
+ goto err;
+ } else {
+ if (!EC_POINT_copy(s, point))
+ goto err;
+ }
+
+ EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
+
+ cardinality = BN_CTX_get(ctx);
+ lambda = BN_CTX_get(ctx);
+ k = BN_CTX_get(ctx);
+ if (k == NULL || !BN_mul(cardinality, group->order, group->cofactor, ctx))
+ goto err;
+
+ /*
+ * Group cardinalities are often on a word boundary.
+ * So when we pad the scalar, some timing diff might
+ * pop if it needs to be expanded due to carries.
+ * So expand ahead of time.
+ */
+ cardinality_bits = BN_num_bits(cardinality);
+ group_top = bn_get_top(cardinality);
+ if ((bn_wexpand(k, group_top + 1) == NULL)
+ || (bn_wexpand(lambda, group_top + 1) == NULL))
+ goto err;
+
+ if (!BN_copy(k, scalar))
+ goto err;
+
+ BN_set_flags(k, BN_FLG_CONSTTIME);
+
+ if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) {
+ /*-
+ * this is an unusual input, and we don't guarantee
+ * constant-timeness
+ */
+ if (!BN_nnmod(k, k, cardinality, ctx))
+ goto err;
+ }
+
+ if (!BN_add(lambda, k, cardinality))
+ goto err;
+ BN_set_flags(lambda, BN_FLG_CONSTTIME);
+ if (!BN_add(k, lambda, cardinality))
+ goto err;
+ /*
+ * lambda := scalar + cardinality
+ * k := scalar + 2*cardinality
+ */
+ kbit = BN_is_bit_set(lambda, cardinality_bits);
+ BN_consttime_swap(kbit, k, lambda, group_top + 1);
+
+ group_top = bn_get_top(group->field);
+ if ((bn_wexpand(s->X, group_top) == NULL)
+ || (bn_wexpand(s->Y, group_top) == NULL)
+ || (bn_wexpand(s->Z, group_top) == NULL)
+ || (bn_wexpand(r->X, group_top) == NULL)
+ || (bn_wexpand(r->Y, group_top) == NULL)
+ || (bn_wexpand(r->Z, group_top) == NULL))
+ goto err;
+
+ /* top bit is a 1, in a fixed pos */
+ if (!EC_POINT_copy(r, s))
+ goto err;
+
+ EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
+
+ if (!EC_POINT_dbl(group, s, s, ctx))
+ goto err;
+
+ pbit = 0;
+
+#define EC_POINT_CSWAP(c, a, b, w, t) do { \
+ BN_consttime_swap(c, (a)->X, (b)->X, w); \
+ BN_consttime_swap(c, (a)->Y, (b)->Y, w); \
+ BN_consttime_swap(c, (a)->Z, (b)->Z, w); \
+ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \
+ (a)->Z_is_one ^= (t); \
+ (b)->Z_is_one ^= (t); \
+} while(0)
+
+ /*-
+ * The ladder step, with branches, is
+ *
+ * k[i] == 0: S = add(R, S), R = dbl(R)
+ * k[i] == 1: R = add(S, R), S = dbl(S)
+ *
+ * Swapping R, S conditionally on k[i] leaves you with state
+ *
+ * k[i] == 0: T, U = R, S
+ * k[i] == 1: T, U = S, R
+ *
+ * Then perform the ECC ops.
+ *
+ * U = add(T, U)
+ * T = dbl(T)
+ *
+ * Which leaves you with state
+ *
+ * k[i] == 0: U = add(R, S), T = dbl(R)
+ * k[i] == 1: U = add(S, R), T = dbl(S)
+ *
+ * Swapping T, U conditionally on k[i] leaves you with state
+ *
+ * k[i] == 0: R, S = T, U
+ * k[i] == 1: R, S = U, T
+ *
+ * Which leaves you with state
+ *
+ * k[i] == 0: S = add(R, S), R = dbl(R)
+ * k[i] == 1: R = add(S, R), S = dbl(S)
+ *
+ * So we get the same logic, but instead of a branch it's a
+ * conditional swap, followed by ECC ops, then another conditional swap.
+ *
+ * Optimization: The end of iteration i and start of i-1 looks like
+ *
+ * ...
+ * CSWAP(k[i], R, S)
+ * ECC
+ * CSWAP(k[i], R, S)
+ * (next iteration)
+ * CSWAP(k[i-1], R, S)
+ * ECC
+ * CSWAP(k[i-1], R, S)
+ * ...
+ *
+ * So instead of two contiguous swaps, you can merge the condition
+ * bits and do a single swap.
+ *
+ * k[i] k[i-1] Outcome
+ * 0 0 No Swap
+ * 0 1 Swap
+ * 1 0 Swap
+ * 1 1 No Swap
+ *
+ * This is XOR. pbit tracks the previous bit of k.
+ */
+
+ for (i = cardinality_bits - 1; i >= 0; i--) {
+ kbit = BN_is_bit_set(k, i) ^ pbit;
+ EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
+ if (!EC_POINT_add(group, s, r, s, ctx))
+ goto err;
+ if (!EC_POINT_dbl(group, r, r, ctx))
+ goto err;
+ /*
+ * pbit logic merges this cswap with that of the
+ * next iteration
+ */
+ pbit ^= kbit;
+ }
+ /* one final cswap to move the right value into r */
+ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
+#undef EC_POINT_CSWAP
+
+ ret = 1;
+
+ err:
+ EC_POINT_free(s);
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+
+ return ret;
+}
+
+#undef EC_POINT_BN_set_flags
+
 /*
 * TODO: table should be optimised for the wNAF-based implementation,
 * sometimes smaller windows will give better performance (thus the
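Review bot: `ec_mul_consttime` computes `cardinality = order * cofactor` and never checks that it is non-zero, and for a group whose order or cofactor is unset the outcome is wrong rather than an error: `cardinality_bits` becomes 0, the ladder loop never runs, and a zero scalar returns 1 with `r` left equal to the input point (or the generator) instead of infinity, while every other scalar fails inside BN_nnmod with a division by zero instead of falling back to the wNAF code. Add `if (BN_is_zero(cardinality)) goto err;` right after the BN_mul, and preferably also make the dispatch in ec_wNAF_mul (next hunk) take the constant-time path only when both `group->order` and `group->cofactor` are non-zero, so such groups keep working through the old path. Two smaller points in the same hunk: the header comment says `scalar should be in the range [0,n)` while the reduction is modulo `order*cofactor`, so the comment should say which n is meant; and `EC_POINT_CSWAP` uses its `c` and `t` parameters unparenthesised, harmless with the plain identifiers passed here but worth `(c)`/`(t)` for a macro defined in function scope.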
@@ -155,7 +373,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 * precomputation is not available
 */
 int ret = 0;
- if (group->meth != r->meth) {
+ if (!ec_point_is_compat(r, group)) {
 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -164,8 +382,34 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 return EC_POINT_set_to_infinity(group, r);
 }
+ /*-
+ * Handle the common cases where the scalar is secret, enforcing a constant
+ * time scalar multiplication algorithm.
+ */
+ if ((scalar != NULL) && (num == 0)) {
+ /*-
+ * In this case we want to compute scalar * GeneratorPoint: this
+ * codepath is reached most prominently by (ephemeral) key generation
+ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
+ * keygen/first half), where the scalar is always secret. This is why
+ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the
+ * constant time version.
+ */
+ return ec_mul_consttime(group, r, scalar, NULL, ctx);
+ }
+ if ((scalar == NULL) && (num == 1)) {
+ /*-
+ * In this case we want to compute scalar * GenericPoint: this codepath
+ * is reached most prominently by the second half of ECDH, where the
+ * secret scalar is multiplied by the peer's public point. To protect
+ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
+ * we always call the constant time version.
+ */
+ return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+ }
+
 for (i = 0; i < num; i++) {
- if (group->meth != points[i]->meth) {
+ if (!ec_point_is_compat(points[i], group)) {
 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
diff --git a/deps/openssl/openssl/crypto/ec/ec_oct.c b/deps/openssl/openssl/crypto/ec/ec_oct.c
index effc42a344..e185df6edf 100644
--- a/deps/openssl/openssl/crypto/ec/ec_oct.c
+++ b/deps/openssl/openssl/crypto/ec/ec_oct.c
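Review bot: The `(scalar == NULL) && (num == 1)` branch returns into ec_mul_consttime before the loop just below it has run `ec_point_is_compat(points[0], group)`, so a point from another group reaches the ladder unchecked; EC_POINT_copy's own method/NID test inside ec_mul_consttime will presumably still reject it, but the error is then raised as EC_F_EC_POINT_COPY instead of EC_F_EC_WNAF_MUL, and `scalars[0]` is not checked for NULL before the ladder's `BN_copy(k, scalar)` either. Either move the two early returns below the compatibility loop, or extend the second condition to `if ((scalar == NULL) && (num == 1) && scalars[0] != NULL && ec_point_is_compat(points[0], group))` so the incompatible cases fall through to the existing loop and its error report. ec_wNAF_mul starts before and continues after this hunk.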
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -30,7 +30,7 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,
 EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
@@ -66,7 +66,7 @@ int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group,
 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M,
 EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
@@ -93,7 +93,7 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
 ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
@@ -123,7 +123,7 @@ int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
 ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
- if (group->meth != point->meth) {
+ if (!ec_point_is_compat(point, group)) {
 ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS);
 return 0;
 }
diff --git a/deps/openssl/openssl/crypto/ec/ecdsa_ossl.c b/deps/openssl/openssl/crypto/ec/ecdsa_ossl.c
index 449be0e92a..9e4a68d9ca 100644
--- a/deps/openssl/openssl/crypto/ec/ecdsa_ossl.c
+++ b/deps/openssl/openssl/crypto/ec/ecdsa_ossl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -10,9 +10,8 @@
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/obj_mac.h>
-#include <openssl/bn.h>
 #include <openssl/rand.h>
-#include <openssl/ec.h>
+#include "internal/bn_int.h"
 #include "ec_lcl.h"
 int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
@@ -53,13 +52,12 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
 return 0;
 }
- if (ctx_in == NULL) {
+ if ((ctx = ctx_in) == NULL) {
 if ((ctx = BN_CTX_new()) == NULL) {
 ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
 return 0;
 }
- } else
- ctx = ctx_in;
+ }
 k = BN_new(); /* this value is later returned in *kinvp */
 r = BN_new(); /* this value is later returned in *rp */
@@ -73,10 +71,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
 goto err;
 }
 order = EC_GROUP_get0_order(group);
- if (order == NULL) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
- goto err;
- }
 /* Preallocate space */
 order_bits = BN_num_bits(order);
@@ -87,23 +81,23 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
 do {
 /* get random k */
- do
+ do {
 if (dgst != NULL) {
- if (!BN_generate_dsa_nonce
- (k, order, EC_KEY_get0_private_key(eckey), dgst, dlen,
- ctx)) {
+ if (!BN_generate_dsa_nonce(k, order,
+ EC_KEY_get0_private_key(eckey),
+ dgst, dlen, ctx)) {
 ECerr(EC_F_ECDSA_SIGN_SETUP,
- EC_R_RANDOM_NUMBER_GENERATION_FAILED);
+ EC_R_RANDOM_NUMBER_GENERATION_FAILED);
 goto err;
 }
 } else {
 if (!BN_rand_range(k, order)) {
 ECerr(EC_F_ECDSA_SIGN_SETUP,
- EC_R_RANDOM_NUMBER_GENERATION_FAILED);
+ EC_R_RANDOM_NUMBER_GENERATION_FAILED);
 goto err;
 }
 }
- while (BN_is_zero(k));
+ } while (BN_is_zero(k));
 /*
 * We do not want timing information to leak the length of k, so we
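Review bot: Dropping the `order == NULL` test after `EC_GROUP_get0_order(group)` in ecdsa_sign_setup is only safe because, as far as I recall, EC_GROUP_get0_order returns the group's `order` member unconditionally in this release, which made the removed branch dead code; the same check is removed again in ossl_ecdsa_sign_sig a few hunks further down. Since the very next use, `BN_num_bits(order)`, would dereference a NULL, a comment at either site, `/* EC_GROUP_get0_order() never returns NULL for an initialised group */`, would keep a later reader from re-adding the test or from assuming it is still performed somewhere else. ecdsa_sign_setup continues outside this hunk.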
@@ -129,18 +123,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
 }
 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
 NID_X9_62_prime_field) {
- if (!EC_POINT_get_affine_coordinates_GFp
- (group, tmp_point, X, NULL, ctx)) {
+ if (!EC_POINT_get_affine_coordinates_GFp(group, tmp_point, X,
+ NULL, ctx)) {
 ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
 goto err;
 }
 }
 #ifndef OPENSSL_NO_EC2M
 else { /* NID_X9_62_characteristic_two_field */
-
- if (!EC_POINT_get_affine_coordinates_GF2m(group,
- tmp_point, X, NULL,
- ctx)) {
+ if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp_point, X,
+ NULL, ctx)) {
 ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
 goto err;
 }
@@ -150,8 +142,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
 ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
 goto err;
 }
- }
- while (BN_is_zero(r));
+ } while (BN_is_zero(r));
 /* compute the inverse of k */
 if (EC_GROUP_get_mont_data(group) != NULL) {
@@ -210,8 +201,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
 EC_KEY *eckey)
 {
 int ok = 0, i;
- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL;
- BIGNUM *blindm = NULL;
+ BIGNUM *kinv = NULL, *s, *m = NULL;
 const BIGNUM *order, *ckinv;
 BN_CTX *ctx = NULL;
 const EC_GROUP *group;
@@ -244,27 +234,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
}
s = ret->s;
- ctx = BN_CTX_secure_new();
- if (ctx == NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- BN_CTX_start(ctx);
- tmp = BN_CTX_get(ctx);
- m = BN_CTX_get(ctx);
- blind = BN_CTX_get(ctx);
- blindm = BN_CTX_get(ctx);
- if (blindm == NULL) {
+ if ((ctx = BN_CTX_new()) == NULL
+ || (m = BN_new()) == NULL) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
goto err;
}
order = EC_GROUP_get0_order(group);
- if (order == NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_EC_LIB);
- goto err;
- }
i = BN_num_bits(order);
/*
* Need to truncate digest if it is too long: first truncate whole bytes.
@@ -275,7 +251,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
- /* If still too long truncate remaining bits with a shift */
+ /* If still too long, truncate remaining bits with a shift */
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
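Review bot: The replacement allocates `ctx` with `BN_CTX_new()` where the removed lines used `BN_CTX_secure_new()`, so when the secure heap is enabled the scratch BIGNUMs that the later Montgomery calls presumably draw from this ctx — and which hold the r·priv_key product — now live on the ordinary heap instead of secure memory. Since `ctx` is still handed to those calls in the hunk that follows, keep the secure variant: `if ((ctx = BN_CTX_secure_new()) == NULL` / `|| (m = BN_new()) == NULL) {`. `m` only carries the truncated digest, so `BN_new()` plus the `BN_clear_free(m)` added later is adequate for it. The function ossl_ecdsa_sign_sig starts and ends outside this hunk.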
@@ -296,59 +272,27 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
}
/*
- * The normal signature calculation is:
- *
- * s := k^-1 * (m + r * priv_key) mod order
- *
- * We will blind this to protect against side channel attacks
- *
- * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
+ * With only one multiplicant being in Montgomery domain
+ * multiplication yields real result without post-conversion.
+ * Also note that all operations but last are performed with
+ * zero-padded vectors. Last operation, BN_mod_mul_montgomery
+ * below, returns user-visible value with removed zero padding.
*/
-
- /* Generate a blinding value */
- do {
- if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY,
- BN_RAND_BOTTOM_ANY))
- goto err;
- } while (BN_is_zero(blind));
- BN_set_flags(blind, BN_FLG_CONSTTIME);
- BN_set_flags(blindm, BN_FLG_CONSTTIME);
- BN_set_flags(tmp, BN_FLG_CONSTTIME);
-
- /* tmp := blind * priv_key * r mod order */
- if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
- goto err;
- }
- if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
- goto err;
- }
-
- /* blindm := blind * m mod order */
- if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
- goto err;
- }
-
- /* s : = (blind * priv_key * r) + (blind * m) mod order */
- if (!BN_mod_add_quick(s, tmp, blindm, order)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
- goto err;
- }
-
- /* s:= s * blind^-1 mod order */
- if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
+ if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
+ || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
- if (!BN_mod_mul(s, s, blind, order, ctx)) {
+ if (!bn_mod_add_fixed_top(s, s, m, order)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
-
-
/* s := s * k^-1 mod order */
- if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+ /*
+ * |s| can still be larger than modulus, because |m| can be. In
+ * such case we count on Montgomery reduction to tie it up.
+ */
+ if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
+ || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
@@ -362,11 +306,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
goto err;
}
- } else
+ } else {
/* s != 0 => we have a valid signature */
break;
- }
- while (1);
+ }
+ } while (1);
ok = 1;
err:
@@ -374,8 +318,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
ECDSA_SIG_free(ret);
ret = NULL;
}
- BN_CTX_end(ctx);
BN_CTX_free(ctx);
+ BN_clear_free(m);
BN_clear_free(kinv);
return ret;
}
diff --git a/deps/openssl/openssl/crypto/ec/ecp_nistz256.c b/deps/openssl/openssl/crypto/ec/ecp_nistz256.c
index 246189833e..4dbe216927 100644
--- a/deps/openssl/openssl/crypto/ec/ecp_nistz256.c
+++ b/deps/openssl/openssl/crypto/ec/ecp_nistz256.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
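Review bot: The three new Montgomery calls (`bn_to_mont_fixed_top`, `bn_mul_mont_fixed_top`, `BN_mod_mul_montgomery`) pass `group->mont_data` unconditionally, while the setup path earlier in this file still guards on `EC_GROUP_get_mont_data(group) != NULL` and falls back to `BN_mod_inverse`; a group without Montgomery data would pass setup and then crash here. Unless every group that reaches signing is guaranteed to carry mont_data (not shown in this diff), add a guard before the first use: `if (group->mont_data == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_EC_LIB); goto err; }`. A second point to confirm: the new comment says every operation but the last works on zero-padded vectors, and `s` is padded by `bn_to_mont_fixed_top`, but nothing in the hunk pads `priv_key` before `bn_mul_mont_fixed_top(s, s, priv_key, ...)`, so the multiplication's operand width — and presumably its timing — would follow the key value unless the private key is stored zero-padded to the order's width elsewhere; verify that or pad it here. The function ossl_ecdsa_sign_sig starts before this hunk and its error path continues after it.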
@@ -1110,28 +1110,12 @@ __owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *gr
const P256_POINT_AFFINE *in,
BN_CTX *ctx)
{
- BIGNUM *x, *y;
- BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS];
int ret = 0;
- x = BN_new();
- if (x == NULL)
- return 0;
- y = BN_new();
- if (y == NULL) {
- BN_free(x);
- return 0;
- }
- memcpy(d_x, in->X, sizeof(d_x));
- bn_set_static_words(x, d_x, P256_LIMBS);
-
- memcpy(d_y, in->Y, sizeof(d_y));
- bn_set_static_words(y, d_y, P256_LIMBS);
-
- ret = EC_POINT_set_affine_coordinates_GFp(group, out, x, y, ctx);
-
- BN_free(x);
- BN_free(y);
+ if ((ret = bn_set_words(out->X, in->X, P256_LIMBS))
+ && (ret = bn_set_words(out->Y, in->Y, P256_LIMBS))
+ && (ret = bn_set_words(out->Z, ONE, P256_LIMBS)))
+ out->Z_is_one = 1;
return ret;
}
@@ -1168,7 +1152,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
return 0;
}
- if (group->meth != r->meth) {
+ if (!ec_point_is_compat(r, group)) {
ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -1177,7 +1161,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
return EC_POINT_set_to_infinity(group, r);
for (j = 0; j < num; j++) {
- if (group->meth != points[j]->meth) {
+ if (!ec_point_is_compat(points[j], group)) {
ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
@@ -1210,9 +1194,9 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
if (pre_comp_generator == NULL)
goto err;
+ ecp_nistz256_gather_w7(&p.a, pre_comp->precomp[0], 1);
if (!ecp_nistz256_set_from_affine(pre_comp_generator,
- group, pre_comp->precomp[0],
- ctx)) {
+ group, &p.a, ctx)) {
EC_POINT_free(pre_comp_generator);
goto err;
}
diff --git a/deps/openssl/openssl/crypto/ec/ecp_smpl.c b/deps/openssl/openssl/crypto/ec/ecp_smpl.c
index abd3795046..e3b88315fd 100644
--- a/deps/openssl/openssl/crypto/ec/ecp_smpl.c
+++ b/deps/openssl/openssl/crypto/ec/ecp_smpl.c
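Review bot: The rewritten body of ecp_nistz256_set_from_affine writes `out->X`, `out->Y` and `out->Z` straight from the limb arrays, so the on-curve validation and coordinate conversion that the removed `EC_POINT_set_affine_coordinates_GFp` call performed no longer happen, and nothing documents that the input must already be in the group's internal representation. That is acceptable for the one visible caller, which feeds it a precomputed-table entry via `ecp_nistz256_gather_w7`, but the contract should be stated so the helper is not reused on external points; add above the function a comment along the lines of `/* Load a trusted precomputed-table entry (already in internal form, no on-curve check) into out as Jacobian (X, Y, 1). */`. Note also that on a failed `bn_set_words` the point is left partially written; the caller frees it on failure, which is fine, but the comment should say the output is undefined on error. The function's signature line lives in the hunk header, and `ONE` is defined outside this hunk.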
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -352,6 +352,7 @@ int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
if (!BN_copy(dest->Z, src->Z))
return 0;
dest->Z_is_one = src->Z_is_one;
+ dest->curve_name = src->curve_name;
return 1;
} |