From b48e8a19a37f8c20a0c41e40ccd93d4e06600fb8 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 15 Nov 2018 05:53:31 +0000
Subject: Port OpenSSL commit 99540ec79491f59ed8b46b4edf130e17dc907f52 -- mitigation for a timing vullnerability in ECDSA signature generation (CVE-2018-0735). Note that the blinding that we introduced back in June for ECDSA and DSA should mitigate this and related issues. This simply adds an additional layer of protection. discussed with jsing
---
 src/lib/libcrypto/ec/ecp_smpl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index c64c41130a..3957bd154c 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.28 2018/11/06 07:02:33 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.29 2018/11/15 05:53:31 tb Exp $ */
 /* Includes code written by Lenka Fibikova
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1556,8 +1556,8 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 */
 cardinality_bits = BN_num_bits(cardinality);
 group_top = cardinality->top;
- if ((bn_wexpand(k, group_top + 1) == NULL) ||
- (bn_wexpand(lambda, group_top + 1) == NULL))
+ if ((bn_wexpand(k, group_top + 2) == NULL) ||
+ (bn_wexpand(lambda, group_top + 2) == NULL))
 goto err;
 if (!BN_copy(k, scalar))
@@ -1584,7 +1584,7 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 * k := scalar + 2*cardinality
 */
 kbit = BN_is_bit_set(lambda, cardinality_bits);
- if (!BN_swap_ct(kbit, k, lambda, group_top + 1))
+ if (!BN_swap_ct(kbit, k, lambda, group_top + 2))
 goto err;
 group_top = group->field.top;
-- 
cgit v1.2.3-55-g6feb
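Review bot: The widened reservation in `bn_wexpand(k, group_top + 2)` and `bn_wexpand(lambda, group_top + 2)` in the second hunk carries no comment saying why two extra words are now required, so a later reader cannot tell whether the old `+ 1` was an off-by-one or a deliberate margin; the commit message records only that this is a timing mitigation, not what the extra word prevents (presumably a data-dependent reallocation while forming `k := scalar + 2*cardinality`, which the third hunk's `BN_swap_ct` then assumes was pre-sized). Suggest a comment above the `if`: `/* Reserve two extra words so that k := scalar + 2*cardinality and the constant-time swap below never grow k or lambda on the fly; a reallocation here would be observable as a timing difference. */`. The same literal recurs in `BN_swap_ct(kbit, k, lambda, group_top + 2)` in the next hunk, so a single named value for the margin would keep the three sites from drifting apart again. Worth confirming that `scalar` is bounded to at most `group_top` words on entry, since the margin only suffices under that assumption; that check, if present, and the rest of ec_GFp_simple_mul_ct lie outside both hunks.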