openssl/crypto
Billy Brumley 48e82c8e22 SCA hardening for mod. field inversion in EC_GROUP
This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.

The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.

Three implementations are included, each including specific SCA
countermeasures:
  - `ec_GFp_simple_field_inv()`, featuring SCA hardening through
    blinding.
  - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
    Little Theorem (FLT) inversion.
  - `ec_GF2m_simple_field_inv()`, which uses `BN_GF2m_mod_inv()`, which
    already features SCA hardening through blinding.

From a security point of view, this also helps address a leakage
previously affecting conversions from projective to affine coordinates.

This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations, as all of them could fail for the same reason but
through different code paths, resulting in inconsistent error stack
states.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>

(cherry picked from commit e0033efc30)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8262)
2019-02-20 19:54:19 +02:00
aes Fix some CFI issues in x86_64 assembly 2019-02-17 23:41:11 +01:00
aria
asn1 Fix d2i_PublicKey() for EC keys 2019-02-08 10:04:13 +00:00
async arch/async_posix.h: improve portability. 2018-10-19 10:31:04 +02:00
bf Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
bio cygwin: drop explicit O_TEXT 2019-02-18 21:11:53 +01:00
blake2
bn Fix some CFI issues in x86_64 assembly 2019-02-17 23:41:11 +01:00
buffer Update copyright year 2018-04-03 13:57:12 +01:00
camellia Update copyright year 2018-09-11 13:45:17 +01:00
cast Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
chacha AArch64 assembly pack: authenticate return addresses. 2019-02-13 02:39:27 +01:00
cmac Update copyright year 2018-04-17 15:18:40 +02:00
cms Fix null pointer dereference in cms_RecipientInfo_kari_init 2019-02-13 14:30:48 +08:00
comp Fix last(?) batch of malloc-NULL places 2018-04-26 14:02:24 -04:00
conf Allow the syntax of the .include directive to optionally have '=' 2019-02-11 15:25:00 +01:00
ct Use secure_getenv(3) when available. 2018-09-24 11:22:22 +10:00
des Remove unnecessary trailing whitespace 2019-02-05 16:29:17 +01:00
dh Harmonize the error handling codepath 2018-09-05 15:22:35 +03:00
dsa DSA: Check for sanity of input parameters 2018-11-14 13:07:54 +01:00
dso Preserve errno on dlopen 2018-12-10 10:22:05 +00:00
ec SCA hardening for mod. field inversion in EC_GROUP 2019-02-20 19:54:19 +02:00
engine Remove unnecessary trailing whitespace 2019-02-05 16:29:17 +01:00
err SCA hardening for mod. field inversion in EC_GROUP 2019-02-20 19:54:19 +02:00
evp EVP_PKEY_size declared to take a const parameter 2018-12-23 00:27:23 +01:00
hmac Fix HMAC SHA3-224 and HMAC SHA3-256. 2018-09-04 08:09:12 +10:00
idea
include/internal bn/bn_{div|shift}.c: introduce fixed-top interfaces. 2018-12-05 10:38:22 +00:00
kdf Reset the HKDF state between operations 2018-10-29 14:11:40 +00:00
lhash Update copyright year 2018-09-11 13:45:17 +01:00
md2
md4
md5 Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
mdc2
modes Fix some CFI issues in x86_64 assembly 2019-02-17 23:41:11 +01:00
objects Update generator copyright year. 2019-01-07 13:53:24 -05:00
ocsp Update copyright year 2018-09-11 13:45:17 +01:00
pem Remove unnecessary trailing whitespace 2019-02-05 16:29:17 +01:00
perlasm Check for unpaired .cfi_remember_state 2019-02-17 23:41:14 +01:00
pkcs7 Update copyright year 2018-09-11 13:45:17 +01:00
pkcs12 Use secure_getenv(3) when available. 2018-09-24 11:22:22 +10:00
poly1305 AArch64 assembly pack: authenticate return addresses. 2019-02-13 02:39:27 +01:00
rand Cleanup vxworks support to be able to compile for VxWorks 7 2019-01-24 17:58:27 +01:00
rc2
rc4 Update copyright year 2018-09-11 13:45:17 +01:00
rc5 Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
ripemd Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
rsa Fix cert with rsa instead of rsaEncryption as public key algorithm 2018-12-31 09:51:04 +01:00
seed Update copyright year 2018-09-11 13:45:17 +01:00
sha AArch64 assembly pack: authenticate return addresses. 2019-02-13 02:39:27 +01:00
siphash Fix SipHash init order. 2018-11-12 07:16:58 +01:00
sm2 EVP module documentation pass 2018-10-17 13:31:59 +03:00
sm3
sm4
srp Remove unnecessary trailing whitespace 2019-02-05 16:29:17 +01:00
stack Revert "stack/stack.c: omit redundant NULL checks." 2018-08-09 14:37:10 +01:00
store crypto/*: address standard-compilance nits. 2018-07-20 13:40:30 +02:00
ts Check conversion return in ASN1_INTEGER_print_bio. 2018-07-31 11:37:05 +10:00
txt_db Update copyright year 2018-04-03 13:57:12 +01:00
ui Cleanup vxworks support to be able to compile for VxWorks 7 2019-01-24 17:58:27 +01:00
whrlpool Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
x509 Fix a crash in reuse of i2d_X509_PUBKEY 2019-01-31 19:27:37 +01:00
x509v3 Update copyright year 2018-09-11 13:45:17 +01:00
alphacpuid.pl
arm64cpuid.pl {arm64|x86_64}cpuid.pl: add special 16-byte case to OPENSSL_memcmp. 2018-06-03 21:15:18 +02:00
arm_arch.h Fix building linux-armv4 with --strict-warnings 2018-04-20 15:49:33 +02:00
armcap.c crypto/armcap.c, crypto/ppccap.c: stricter use of getauxval() 2019-01-16 18:04:22 +01:00
armv4cpuid.pl Update copyright year 2018-05-01 13:34:30 +01:00
build.info Use secure_getenv(3) when available. 2018-09-24 11:22:22 +10:00
c64xpluscpuid.pl
cpt_err.c Fix last(?) batch of malloc-NULL places 2018-04-26 14:02:24 -04:00
cryptlib.c Remove unnecessary trailing whitespace 2019-02-05 16:29:17 +01:00
ctype.c
cversion.c
dllmain.c Update copyright year 2018-09-11 13:45:17 +01:00
ebcdic.c
ex_data.c Ensure the thread keys are always allocated in the same order 2018-04-20 15:45:06 +02:00
getenv.c Use secure_getenv(3) when available. 2018-09-24 11:22:22 +10:00
ia64cpuid.S
init.c More configurable crypto and ssl library initialization 2019-01-07 13:53:52 -05:00
LPdir_nyi.c
LPdir_unix.c typo-fixes: miscellaneous typo fixes 2018-09-21 23:59:02 +02:00
LPdir_vms.c
LPdir_win.c
LPdir_win32.c
LPdir_wince.c
mem.c crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG. 2018-08-07 09:08:50 +02:00
mem_clr.c
mem_dbg.c
mem_sec.c test/secmemtest: test secure memory only if it is implemented 2018-10-05 12:23:34 +02:00
mips_arch.h
o_dir.c
o_fips.c
o_fopen.c Add missing include file. 2018-09-17 12:54:20 +10:00
o_init.c
o_str.c
o_time.c Update copyright year 2018-04-03 13:57:12 +01:00
pariscid.pl PA-RISC assembly pack: make it work with GNU assembler for HP-UX. 2018-06-25 16:45:48 +02:00
ppc_arch.h PPC: Try out if mftb works before using it 2019-01-21 15:45:53 +01:00
ppccap.c PPC: Try out if mftb works before using it 2019-01-21 15:45:53 +01:00
ppccpuid.pl PPC: Try out if mftb works before using it 2019-01-21 15:45:53 +01:00
s390x_arch.h s390x assembly pack: add KIMD/KLMD code path for sha3/shake 2018-08-06 12:04:52 +02:00
s390xcap.c
s390xcpuid.pl s390x assembly pack: add KIMD/KLMD code path for sha3/shake 2018-08-06 12:04:52 +02:00
sparc_arch.h
sparccpuid.S
sparcv9cap.c
threads_none.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
threads_pthread.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
threads_win.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
uid.c crypto/uid.c: use own macro as guard rather than AT_SECURE 2019-01-16 06:21:32 +01:00
vms_rms.h
x86_64cpuid.pl {arm64|x86_64}cpuid.pl: add special 16-byte case to OPENSSL_memcmp. 2018-06-03 21:15:18 +02:00
x86cpuid.pl Fix issues in ia32 RDRAND asm leading to reduced entropy 2018-03-08 10:27:49 -05:00