From 7238a82c8ae4dbf9043cb7c253f796615b3277a6 Mon Sep 17 00:00:00 2001
From: Emilia Kasper
Date: Fri, 24 Apr 2015 15:19:15 +0200
Subject: [PATCH] Correctly set Z_is_one on the return value in the NISTZ256 implementation.

Also add a few comments about constant-timeness.

Thanks to Brian Smith for reporting this issue.

Reviewed-by: Rich Salz
---
 crypto/ec/ecp_nistz256.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index 2cd6599d85..911c2a6a6a 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -589,6 +589,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group,
     for (i = 0; i < num; i++) {
         P256_POINT *row = table[i];
+        /* This is an unusual input, we don't guarantee constant-timeness. */
         if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) {
             BIGNUM *mod;
@@ -1300,9 +1301,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group,
         memcpy(r->X.d, p.p.X, sizeof(p.p.X));
         memcpy(r->Y.d, p.p.Y, sizeof(p.p.Y));
         memcpy(r->Z.d, p.p.Z, sizeof(p.p.Z));
+        /* Not constant-time, but we're only operating on the public output. */
         bn_correct_top(&r->X);
         bn_correct_top(&r->Y);
         bn_correct_top(&r->Z);
+        r->Z_is_one = is_one(p.p.Z);
         ret = 1;
-- 
2.25.1
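Review bot: The comment added above `if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i]))` calls the input "unusual" without saying which scalars that covers or what the guarantee is for the others, which is the information a caller relying on constant-timeness actually needs. Judging by the `BIGNUM *mod` declared just below, such scalars are reduced on a separate path, so something like `/* Scalars wider than 256 bits or negative are reduced on a variable-time path; the constant-time guarantee holds only for already-reduced, non-negative scalars. */` states the contract precisely. Note also that the condition itself is evaluated for every scalar, so the fast path still performs a bit-length query on secret data; whether that query is constant-time for inputs of at most 256 bits is not visible from this hunk and may be worth confirming. The body of ecp_nistz256_windowed_mul continues outside the hunk.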
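Review bot: The new `r->Z_is_one = is_one(p.p.Z);` is only correct if `is_one` (defined outside this hunk) compares against the same representation of 1 that the nistz256 arithmetic stores in the Z limbs; if the coordinates are kept in Montgomery form, as this implementation's field operations suggest, the helper must test for the Montgomery one rather than the plain integer 1, so that is worth confirming. The comment placed above the `bn_correct_top` calls also applies to this assignment, since `is_one` is a variable-time comparison on the public result, so either move the assignment directly under that comment or extend it: `/* Not constant-time, but we're only operating on the public output (Z_is_one is derived from it as well). */`. ecp_nistz256_points_mul continues outside the hunk; any other path in it that writes `r->Z` should set `Z_is_one` the same way so callers never see a stale flag.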