Fix crypto/ec/ec_mult.c to work properly with scalars of value 0

diff --git a/CHANGES b/CHANGES
index 5b5c9b352335ab3116d175c9988ccd3ba3874ee4..ce2d6fc9280b2b49435a9a1d3dcbac7ad37f2c17 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.8e and 0.9.8f  [xx XXX xxxx]
 
+  *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
+     (which previously caused an internal error).
+     [Bodo Moeller]
+
   *) Squeeze another 10% out of IGE mode when in != out.
      [Ben Laurie]
 

diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index 3c96fbd0d86d6ec8f31d42da1c3f73e43445e785..8bc2a235b1a7576bf0cec79362b618599fab8f31 100644 (file)
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -471,6 +471,7 @@ void ERR_load_EC_strings(void);
 #define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP   126
 #define EC_F_EC_POINT_SET_TO_INFINITY                   127
 #define EC_F_EC_PRE_COMP_DUP                            207
+#define EC_F_EC_PRE_COMP_NEW                            196
 #define EC_F_EC_WNAF_MUL                                187
 #define EC_F_EC_WNAF_PRECOMPUTE_MULT                    188
 #define EC_F_I2D_ECPARAMETERS                           190

diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index 7be315bac92670ae500eb7990e6137df4879c03f..d04c8955604e097fd203eba99af56ba0795978d4 100644 (file)
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -1,6 +1,6 @@
 /* crypto/ec/ec_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -170,6 +170,7 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP),      "EC_POINT_set_Jprojective_coordinates_GFp"},
 {ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY),      "EC_POINT_set_to_infinity"},
 {ERR_FUNC(EC_F_EC_PRE_COMP_DUP),       "EC_PRE_COMP_DUP"},
+{ERR_FUNC(EC_F_EC_PRE_COMP_NEW),       "EC_PRE_COMP_NEW"},
 {ERR_FUNC(EC_F_EC_WNAF_MUL),   "ec_wNAF_mul"},
 {ERR_FUNC(EC_F_EC_WNAF_PRECOMPUTE_MULT),       "ec_wNAF_precompute_mult"},
 {ERR_FUNC(EC_F_I2D_ECPARAMETERS),      "i2d_ECParameters"},

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index a045139a0015099360a06b67af6eb142d9ae1498..2ba173ef36422ad1c715fe3ebd5b0dc9b17cb03d 100644 (file)
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -3,7 +3,7 @@
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
 /* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -104,7 +104,10 @@ static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group)
 
        ret = (EC_PRE_COMP *)OPENSSL_malloc(sizeof(EC_PRE_COMP));
        if (!ret)
+               {
+               ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
                return ret;
+               }
        ret->group = group;
        ret->blocksize = 8; /* default */
        ret->numblocks = 0;
@@ -194,6 +197,19 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
        int bit, next_bit, mask;
        size_t len = 0, j;
        
+       if (BN_is_zero(scalar))
+               {
+               r = OPENSSL_malloc(1);
+               if (!r)
+                       {
+                       ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
+                       goto err;
+                       }
+               r[0] = 0;
+               *ret_len = 1;
+               return r;
+               }
+               
        if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */
                {
                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
@@ -212,7 +228,11 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
        r = OPENSSL_malloc(len + 1); /* modified wNAF may be one digit longer than binary representation
                                      * (*ret_len will be set to the actual length, i.e. at most
                                      * BN_num_bits(scalar) + 1) */
-       if (r == NULL) goto err;
+       if (r == NULL)
+               {
+               ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
+               goto err;
+               }
 
        if (scalar->d == NULL || scalar->top == 0)
                {
@@ -425,7 +445,10 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
        val_sub  = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
                 
        if (!wsize || !wNAF_len || !wNAF || !val_sub)
+               {
+               ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
                goto err;
+               }
 
        wNAF[0] = NULL; /* preliminary pivot */
 
@@ -538,6 +561,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
                                        wNAF[i] = OPENSSL_malloc(wNAF_len[i]);
                                        if (wNAF[i] == NULL)
                                                {
+                                               ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
                                                OPENSSL_free(tmp_wNAF);
                                                goto err;
                                                }
@@ -564,7 +588,11 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
         * 'val_sub[i]' is a pointer to the subarray for the i-th point,
         * or to a subarray of 'pre_comp->points' if we already have precomputation. */
        val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
-       if (val == NULL) goto err;
+       if (val == NULL)
+               {
+               ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
+               goto err;
+               }
        val[num_val] = NULL; /* pivot element */
 
        /* allocate points for precomputation */

diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index 9d469f1cfab47ab7e9c077270eaac32e25de6dd2..6148d553f9d5909e3c6973ab6d069091f9deaf2c 100644 (file)
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -659,13 +659,15 @@ void prime_field_tests()
        if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
 
        {
-               const EC_POINT *points[3];
-               const BIGNUM *scalars[3];
+               const EC_POINT *points[4];
+               const BIGNUM *scalars[4];
+               BIGNUM scalar3;
        
                if (EC_POINT_is_at_infinity(group, Q)) ABORT;
                points[0] = Q;
                points[1] = Q;
                points[2] = Q;
+               points[3] = Q;
 
                if (!BN_add(y, z, BN_value_one())) ABORT;
                if (BN_is_odd(y)) ABORT;
@@ -704,10 +706,16 @@ void prime_field_tests()
                scalars[1] = y;
                scalars[2] = z; /* z = -(x+y) */
 
-               if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT;
+               BN_init(&scalar3);
+               BN_zero(&scalar3);
+               scalars[3] = &scalar3;
+
+               if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) ABORT;
                if (!EC_POINT_is_at_infinity(group, P)) ABORT;
 
                fprintf(stdout, " ok\n\n");
+
+               BN_free(&scalar3);
        }