import OpenSSL 1.0.0e

author: djm <> 2011-11-03 02:32:23 +0000
committer: djm <> 2011-11-03 02:32:23 +0000
commit: 113f799ec7d1728f0a5d7ab5b0e3b42e3de56407 (patch)
tree: 26d712b25a8fa580b8f2dfc6df470ba5ffea9eb7 /src/lib/libcrypto/ecdsa/ecs_ossl.c
parent: 829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2 (diff)
download: openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.tar.gz
openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.tar.bz2
openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 551cf5068f..1bbf328de5 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
                        }
                while (BN_is_zero(k));
+                /* We do not want timing information to leak the length of k,
+                 * so we compute G*k using an equivalent scalar of fixed
+                 * bit-length. */
+                if (!BN_add(k, k, order)) goto err;
+                if (BN_num_bits(k) <= BN_num_bits(order))
+                        if (!BN_add(k, k, order)) goto err;
                /* compute r the x-coordinate of generator * k */
                if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
                {
author	djm <>	2011-11-03 02:32:23 +0000
committer	djm <>	2011-11-03 02:32:23 +0000
commit	113f799ec7d1728f0a5d7ab5b0e3b42e3de56407 (patch)
tree	26d712b25a8fa580b8f2dfc6df470ba5ffea9eb7 /src/lib/libcrypto/ecdsa/ecs_ossl.c
parent	829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2 (diff)
download	openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.tar.gz openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.tar.bz2 openbsd-113f799ec7d1728f0a5d7ab5b0e3b42e3de56407.zip

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index 551cf5068f..1bbf328de5 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
144	}	144	}
145	while (BN_is_zero(k));	145	while (BN_is_zero(k));
146		146
		147	/* We do not want timing information to leak the length of k,
		148	* so we compute G*k using an equivalent scalar of fixed
		149	* bit-length. */
		150
		151	if (!BN_add(k, k, order)) goto err;
		152	if (BN_num_bits(k) <= BN_num_bits(order))
		153	if (!BN_add(k, k, order)) goto err;
		154
147	/* compute r the x-coordinate of generator * k */	155	/* compute r the x-coordinate of generator * k */
148	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))	156	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
149	{	157	{