Zero-initialize tmp in ec_GFp_simple_mul_single.
Although the original value of tmp does not matter, the selects ultimately do bit operations on the uninitialized values and thus depend on them behaving like *some* consistent concrete value. The C spec appears to allow uninitialized values to resolve to trap representations, which means this isn't quite valid.. (If I'm reading it wrong and the compiler must behave as if there were a consistent value in there, it's probably fine, but there's no sense in risking compiler bugs on a subtle corner of things.) Change-Id: Id4547b0ec702414b387e906c4de55595e6214ddb Reviewed-on: https://boringssl-review.googlesource.com/29124 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
parent
6ff2ba80b7
commit
dd935202c9
@ -58,6 +58,7 @@ static void ec_GFp_simple_mul_single(const EC_GROUP *group, EC_RAW_POINT *r,
|
|||||||
|
|
||||||
// Select the entry in constant-time.
|
// Select the entry in constant-time.
|
||||||
EC_RAW_POINT tmp;
|
EC_RAW_POINT tmp;
|
||||||
|
OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));
|
||||||
for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
|
for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
|
||||||
BN_ULONG mask = constant_time_eq_w(j, window);
|
BN_ULONG mask = constant_time_eq_w(j, window);
|
||||||
ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X);
|
ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X);
|
||||||
|
Loading…
Reference in New Issue
Block a user