1 files changed, 8 insertions, 0 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 551cf5068f..1bbf328de5 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
                        }
                while (BN_is_zero(k));
+                /* We do not want timing information to leak the length of k,
+                 * so we compute G*k using an equivalent scalar of fixed
+                 * bit-length. */
+                if (!BN_add(k, k, order)) goto err;
+                if (BN_num_bits(k) <= BN_num_bits(order))
+                        if (!BN_add(k, k, order)) goto err;
                /* compute r the x-coordinate of generator * k */
                if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
                {

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index 551cf5068f..1bbf328de5 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
144	}	144	}
145	while (BN_is_zero(k));	145	while (BN_is_zero(k));
146		146
		147	/* We do not want timing information to leak the length of k,
		148	* so we compute G*k using an equivalent scalar of fixed
		149	* bit-length. */
		150
		151	if (!BN_add(k, k, order)) goto err;
		152	if (BN_num_bits(k) <= BN_num_bits(order))
		153	if (!BN_add(k, k, order)) goto err;
		154
147	/* compute r the x-coordinate of generator * k */	155	/* compute r the x-coordinate of generator * k */
148	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))	156	if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
149	{	157	{