diff options
Diffstat (limited to 'src/lib/libcrypto/ecdsa/ecs_ossl.c')
| -rw-r--r-- | src/lib/libcrypto/ecdsa/ecs_ossl.c | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index c7f4bcbe03..4ac140a020 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ecs_ossl.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */ | 1 | /* $OpenBSD: ecs_ossl.c,v 1.10 2018/04/28 14:17:56 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Written by Nils Larsch for the OpenSSL project | 3 | * Written by Nils Larsch for the OpenSSL project |
| 4 | */ | 4 | */ |
| @@ -92,7 +92,7 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 92 | BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; | 92 | BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; |
| 93 | EC_POINT *tmp_point = NULL; | 93 | EC_POINT *tmp_point = NULL; |
| 94 | const EC_GROUP *group; | 94 | const EC_GROUP *group; |
| 95 | int ret = 0; | 95 | int order_bits, ret = 0; |
| 96 | 96 | ||
| 97 | if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { | 97 | if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { |
| 98 | ECDSAerror(ERR_R_PASSED_NULL_PARAMETER); | 98 | ECDSAerror(ERR_R_PASSED_NULL_PARAMETER); |
| @@ -124,6 +124,13 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 124 | goto err; | 124 | goto err; |
| 125 | } | 125 | } |
| 126 | 126 | ||
| 127 | /* Preallocate space */ | ||
| 128 | order_bits = BN_num_bits(order); | ||
| 129 | if (!BN_set_bit(k, order_bits) || | ||
| 130 | !BN_set_bit(r, order_bits) || | ||
| 131 | !BN_set_bit(X, order_bits)) | ||
| 132 | goto err; | ||
| 133 | |||
| 127 | do { | 134 | do { |
| 128 | /* get random k */ | 135 | /* get random k */ |
| 129 | do | 136 | do |
| @@ -133,14 +140,24 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 133 | } | 140 | } |
| 134 | while (BN_is_zero(k)); | 141 | while (BN_is_zero(k)); |
| 135 | 142 | ||
| 136 | /* We do not want timing information to leak the length of k, | 143 | /* |
| 144 | * We do not want timing information to leak the length of k, | ||
| 137 | * so we compute G*k using an equivalent scalar of fixed | 145 | * so we compute G*k using an equivalent scalar of fixed |
| 138 | * bit-length. */ | 146 | * bit-length. |
| 139 | if (!BN_add(k, k, order)) | 147 | * |
| 148 | * We unconditionally perform both of these additions to prevent | ||
| 149 | * a small timing information leakage. We then choose the sum | ||
| 150 | * that is one bit longer than the order. This guarantees the | ||
| 151 | * code path used in the constant time implementations | ||
| 152 | * elsewhere. | ||
| 153 | * | ||
| 154 | * TODO: revisit the BN_copy aiming for a memory access agnostic | ||
| 155 | * conditional copy. | ||
| 156 | */ | ||
| 157 | if (!BN_add(r, k, order) || | ||
| 158 | !BN_add(X, r, order) || | ||
| 159 | !BN_copy(k, BN_num_bits(r) > order_bits ? r : X)) | ||
| 140 | goto err; | 160 | goto err; |
| 141 | if (BN_num_bits(k) <= BN_num_bits(order)) | ||
| 142 | if (!BN_add(k, k, order)) | ||
| 143 | goto err; | ||
| 144 | 161 | ||
| 145 | BN_set_flags(k, BN_FLG_CONSTTIME); | 162 | BN_set_flags(k, BN_FLG_CONSTTIME); |
| 146 | 163 | ||