From 24bd0c62d7cee5a02429b55d731cc85fb5d5e33d Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 5 Jan 2017 13:25:52 +0000
Subject: Avoid a side-channel cache-timing attack that can leak the ECDSA
 private keys when signing. This is due to BN_mod_inverse() being used without
 the constant time flag being set.

This issue was reported by Cesar Pereida Garcia and Billy Brumley
(Tampere University of Technology). The fix was developed by Cesar Pereida
Garcia.
---
 src/lib/libcrypto/ecdsa/ecs_ossl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 31102138c0..26158a001b 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.7 2017/01/05 13:25:52 jsing Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project
  */
@@ -142,6 +142,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 			if (!BN_add(k, k, order))
 				goto err;
 
+		BN_set_flags(k, BN_FLG_CONSTTIME);
+
 		/* compute r the x-coordinate of generator * k */
 		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
 			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
-- 
cgit v1.2.3-55-g6feb