author | tb <> | 2018-11-15 05:53:31 +0000 |
committer | tb <> | 2018-11-15 05:53:31 +0000 |
commit | b48e8a19a37f8c20a0c41e40ccd93d4e06600fb8 (patch) | |
tree | 4944f49b42f81ad2a367ed1ec8f24bded4432fce /src | |
parent | df22426effa512ebec9011df9ac79e3c9faf2baa (diff) | |
Port OpenSSL commit 99540ec79491f59ed8b46b4edf130e17dc907f52 -- mitigation
for a timing vulnerability in ECDSA signature generation (CVE-2018-0735).
Note that the blinding that we introduced back in June for ECDSA and DSA
should mitigate this and related issues. This simply adds an additional
layer of protection.
discussed with jsing
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libcrypto/ec/ecp_smpl.c | 8 |
1 files changed, 4 insertions, 4 deletions
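--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.28 2018/11/06 07:02:33 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.29 2018/11/15 05:53:31 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1556,8 +1556,8 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 */
 cardinality_bits = BN_num_bits(cardinality);
 group_top = cardinality->top;
-if ((bn_wexpand(k, group_top + 1) == NULL) ||
-(bn_wexpand(lambda, group_top + 1) == NULL))
+if ((bn_wexpand(k, group_top + 2) == NULL) ||
+(bn_wexpand(lambda, group_top + 2) == NULL))
 goto err;
 
 if (!BN_copy(k, scalar))
@@ -1584,7 +1584,7 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 * k := scalar + 2*cardinality
 */
 kbit = BN_is_bit_set(lambda, cardinality_bits);
-if (!BN_swap_ct(kbit, k, lambda, group_top + 1))
+if (!BN_swap_ct(kbit, k, lambda, group_top + 2))
 goto err;
 
 group_top = group->field.top;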
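Review bot: The word count `group_top + 2` is now written three times (both bn_wexpand calls at 1559-1560 and the BN_swap_ct length at 1587) with no comment saying why two extra words are needed or that the three must agree; the swap length must never exceed what the expansions guaranteed, or BN_swap_ct would touch words outside the buffers it was meant to cover. I would hold the width in one local, e.g. `int k_words = group_top + 2;` right after `group_top = cardinality->top;`, and use `k_words` in all three places. Above the expansion I would add `/* k and lambda may grow to scalar + 2*cardinality; reserve the same fixed width for both so the constant-time swap below covers every word */`, which restates the existing `k := scalar + 2*cardinality` comment at 1584 rather than inventing a bound — whether this width also depends on scalar being no wider than cardinality is not visible in the hunk and should be confirmed against the checks earlier in the function. ec_GFp_simple_mul_ct begins before and continues after these hunks.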