authortb <>2023-08-08 13:09:28 +0000
committertb <>2023-08-08 13:09:28 +0000
commit63944d78d9b4693d184874011c01ed8c45b91df2 (patch)
tree53e2912d8befdb105ede8dcdcf70f4b83e3fd1b1 /src/lib
parent979d379b4cd6c6604ce566cb56bd9b4533b74409 (diff)
Remove ECDSA nonce padding kludge
This was a workaround for the historically non-constant-time scalar multiplication in the EC code. Since Brumley and Tuveri implemented the Montgomery ladder, this is no longer useful and should have been removed a long time ago, as it now does more harm than good. Keep the preallocations as they still help hide some timing information. ok jsing
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/ecdsa/ecdsa.c23
1 files changed, 1 insertions, 22 deletions
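--- a/src/lib/libcrypto/ecdsa/ecdsa.c
+++ b/src/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */
+/* $OpenBSD: ecdsa.c,v 1.18 2023/08/08 13:09:28 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.
  *
@@ -341,27 +341,6 @@ ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r)
 if (!bn_rand_interval(k, 1, order))
 goto err;
 
-/*
- * We do not want timing information to leak the length of k,
- * so we compute G * k using an equivalent scalar of fixed
- * bit-length.
- *
- * We unconditionally perform both of these additions to prevent
- * a small timing information leakage. We then choose the sum
- * that is one bit longer than the order. This guarantees the
- * code path used in the constant time implementations
- * elsewhere.
- *
- * TODO: revisit the bn_copy aiming for a memory access agnostic
- * conditional copy.
- */
-if (!BN_add(r, k, order) ||
-!BN_add(x, r, order) ||
-!bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
-goto err;
-
-BN_set_flags(k, BN_FLG_CONSTTIME);
-
 /* Step 5: P = k * G. */
 if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
 ECerror(ERR_R_EC_LIB);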