import OpenSSL 1.0.0e

2 files changed, 8 insertions, 2 deletions

diff --git a/src/lib/libcrypto/ecdsa/ecs_lib.c b/src/lib/libcrypto/ecdsa/ecs_lib.c
index 85e8a3a7ed..2ebae3aa27 100644
--- a/src/lib/libcrypto/ecdsa/ecs_lib.c
+++ b/src/lib/libcrypto/ecdsa/ecs_lib.c
@@ -83,7 +83,6 @@ const ECDSA_METHOD *ECDSA_get_default_method(void)
 
 int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth)
 {
-        const ECDSA_METHOD *mtmp;
         ECDSA_DATA *ecdsa;
 
         ecdsa = ecdsa_check(eckey);
@@ -91,7 +90,6 @@ int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth)
         if (ecdsa == NULL)
                 return 0;
 
-        mtmp = ecdsa->meth;
 #ifndef OPENSSL_NO_ENGINE
         if (ecdsa->engine)
         {
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 551cf5068f..1bbf328de5 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
                         }
                 while (BN_is_zero(k));
 
+                /* We do not want timing information to leak the length of k,
+                 * so we compute G*k using an equivalent scalar of fixed
+                 * bit-length. */
+
+                if (!BN_add(k, k, order)) goto err;
+                if (BN_num_bits(k) <= BN_num_bits(order))
+                        if (!BN_add(k, k, order)) goto err;
+
                 /* compute r the x-coordinate of generator * k */
                 if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
                 {