diff options
| author | tb <> | 2023-08-08 13:09:28 +0000 |
|---|---|---|
| committer | tb <> | 2023-08-08 13:09:28 +0000 |
| commit | 63944d78d9b4693d184874011c01ed8c45b91df2 (patch) | |
| tree | 53e2912d8befdb105ede8dcdcf70f4b83e3fd1b1 /src/lib | |
| parent | 979d379b4cd6c6604ce566cb56bd9b4533b74409 (diff) | |
| download | openbsd-63944d78d9b4693d184874011c01ed8c45b91df2.tar.gz openbsd-63944d78d9b4693d184874011c01ed8c45b91df2.tar.bz2 openbsd-63944d78d9b4693d184874011c01ed8c45b91df2.zip | |
Remove ECDSA nonce padding kludge
This was a workaround due to the historically non-constant time scalar
multiplication in the EC code. Since Brumley and Tuveri implemented the
Montgomery ladder, this is no longer useful and should have been removed
a long time ago, as it now does more harm than good.
Keep the preallocations as they still help hiding some timing info.
ok jsing
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/ecdsa/ecdsa.c | 23 |
1 files changed, 1 insertions, 22 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecdsa.c b/src/lib/libcrypto/ecdsa/ecdsa.c index 8160014b3b..52f5044997 100644 --- a/src/lib/libcrypto/ecdsa/ecdsa.c +++ b/src/lib/libcrypto/ecdsa/ecdsa.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */ | 1 | /* $OpenBSD: ecdsa.c,v 1.18 2023/08/08 13:09:28 tb Exp $ */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| @@ -341,27 +341,6 @@ ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r) | |||
| 341 | if (!bn_rand_interval(k, 1, order)) | 341 | if (!bn_rand_interval(k, 1, order)) |
| 342 | goto err; | 342 | goto err; |
| 343 | 343 | ||
| 344 | /* | ||
| 345 | * We do not want timing information to leak the length of k, | ||
| 346 | * so we compute G * k using an equivalent scalar of fixed | ||
| 347 | * bit-length. | ||
| 348 | * | ||
| 349 | * We unconditionally perform both of these additions to prevent | ||
| 350 | * a small timing information leakage. We then choose the sum | ||
| 351 | * that is one bit longer than the order. This guarantees the | ||
| 352 | * code path used in the constant time implementations | ||
| 353 | * elsewhere. | ||
| 354 | * | ||
| 355 | * TODO: revisit the bn_copy aiming for a memory access agnostic | ||
| 356 | * conditional copy. | ||
| 357 | */ | ||
| 358 | if (!BN_add(r, k, order) || | ||
| 359 | !BN_add(x, r, order) || | ||
| 360 | !bn_copy(k, BN_num_bits(r) > order_bits ? r : x)) | ||
| 361 | goto err; | ||
| 362 | |||
| 363 | BN_set_flags(k, BN_FLG_CONSTTIME); | ||
| 364 | |||
| 365 | /* Step 5: P = k * G. */ | 344 | /* Step 5: P = k * G. */ |
| 366 | if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) { | 345 | if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) { |
| 367 | ECerror(ERR_R_EC_LIB); | 346 | ECerror(ERR_R_EC_LIB); |