Fix the ECDSA timing attack mentioned in the paper at:

http://eprint.iacr.org/2011/232.pdf Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for bringing this to our attention.
author: Dr. Stephen Henson <steve@openssl.org> 2011-05-25 14:41:56 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2011-05-25 14:41:56 +0000
commit: 992bdde62d2eea57bb85935a0c1a0ef0ca59b3da (patch)
tree: 3833d8b6feee3840da25922b816694449be5fbe0 /crypto/ecdsa
parent: bbcf3a9b300bc8109bb306a53f6f3445ba02e8e9 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 3518bb02e1..50d02ed069 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -151,6 +151,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
 			}
 		while (BN_is_zero(k));
 
+#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
+		/* We do not want timing information to leak the length of k,
+		 * so we compute G*k using an equivalent scalar of fixed
+		 * bit-length. */
+
+		if (!BN_add(k, k, order)) goto err;
+		if (BN_num_bits(k) <= BN_num_bits(order))
+			if (!BN_add(k, k, order)) goto err;
+#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
+
 		/* compute r the x-coordinate of generator * k */
 		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
 		{
author	Dr. Stephen Henson <steve@openssl.org>	2011-05-25 14:41:56 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2011-05-25 14:41:56 +0000
commit	992bdde62d2eea57bb85935a0c1a0ef0ca59b3da (patch)
tree	3833d8b6feee3840da25922b816694449be5fbe0 /crypto/ecdsa
parent	bbcf3a9b300bc8109bb306a53f6f3445ba02e8e9 (diff)