openssl/crypto/ec
Nicola Tuveri 5d92b853f6 Replace GFp ladder implementation with ladd-2002-it-4 from EFD
The EFD database does not state that the "ladd-2002-it-3" algorithm
assumes X1 != 0.
Consequently the current implementation, based on it, fails to compute
correctly if the affine x coordinate of the scalar multiplication input
point is 0.

We replace this implementation using the alternative algorithm based on
Eq. (9) and (10) from the same paper, which being derived from the
additive relation of (6) does not incur this problem, but costs one
extra field multiplication.

The EFD entry for this algorithm is at
https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
and the code to implement it was generated with tooling.

Regression tests add one positive test for each named curve that has
such a point. The `SharedSecret` was generated independently from the
OpenSSL codebase with sage.

This bug was originally reported by Dmitry Belyavsky on the
openssl-users mailing list:
https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html

Co-authored-by: Billy Brumley <bbrumley@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7000)
2018-08-21 09:51:18 +01:00
asm Add ec/asm/x25519-ppc64.pl module. 2018-07-26 14:01:49 +02:00
curve448 Fix some undefined behaviour in the Curve448 code (2nd attempt) 2018-08-03 12:02:14 +02:00
build.info Add ec/asm/x25519-ppc64.pl module. 2018-07-26 14:01:49 +02:00
curve25519.c ec/curve25519.c: reorganize for better accessibility. 2018-07-15 19:06:06 +02:00
ec2_oct.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ec2_smpl.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ec_ameth.c Check for failures, to avoid memory leak 2018-07-25 15:57:18 -04:00
ec_asn1.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ec_check.c
ec_curve.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ec_cvt.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ec_err.c Provide EC functions that are not curve type specific 2018-07-31 09:08:38 +01:00
ec_key.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ec_kmeth.c
ec_lcl.h Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ec_lib.c Deprecate the EC curve type specific functions in 1.2.0 2018-07-31 09:08:50 +01:00
ec_mult.c EC2M Lopez-Dahab ladder: use it also for ECDSA verify 2018-07-16 10:17:40 +01:00
ec_oct.c Deprecate the EC curve type specific functions in 1.2.0 2018-07-31 09:08:50 +01:00
ec_pmeth.c ec/ec_pmeth.c: minor cleanups and readability fixes. 2018-06-25 16:42:43 +02:00
ec_print.c
ecdh_kdf.c
ecdh_ossl.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ecdsa_ossl.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ecdsa_sign.c
ecdsa_vrf.c
eck_prn.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ecp_mont.c EC GFp ladder 2018-07-26 19:41:16 +02:00
ecp_nist.c EC GFp ladder 2018-07-26 19:41:16 +02:00
ecp_nistp224.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ecp_nistp256.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ecp_nistp521.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ecp_nistputil.c
ecp_nistz256_table.c
ecp_nistz256.c ec/ecp_nistz256.c: fix Coverity nit. 2018-07-25 15:45:18 +02:00
ecp_oct.c Use the new non-curve type specific EC functions internally 2018-07-31 09:08:38 +01:00
ecp_smpl.c Replace GFp ladder implementation with ladd-2002-it-4 from EFD 2018-08-21 09:51:18 +01:00
ecx_meth.c