diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2011-05-25 14:42:27 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2011-05-25 14:42:27 +0000 |
commit | 6ea8d138d36fc3a23876857d4139ae2efc32ba99 (patch) | |
tree | ada1cb03538c19547b0b8146db60830dd58b78b4 /crypto/ecdsa | |
parent | 4159ac43aaa28b5d1fda7cc71b8fa65881057f5a (diff) |
Fix the ECDSA timing attack mentioned in the paper at:
http://eprint.iacr.org/2011/232.pdf
Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
Diffstat (limited to 'crypto/ecdsa')
-rw-r--r-- | crypto/ecdsa/ecs_ossl.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index 551cf5068f..bbb5588cbe 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, } while (BN_is_zero(k)); +#ifdef ECDSA_POINT_MUL_NO_CONSTTIME + /* We do not want timing information to leak the length of k, + * so we compute G*k using an equivalent scalar of fixed + * bit-length. */ + + if (!BN_add(k, k, order)) goto err; + if (BN_num_bits(k) <= BN_num_bits(order)) + if (!BN_add(k, k, order)) goto err; +#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */ + /* compute r the x-coordinate of generator * k */ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { |