Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-12-SP3:GA
compat-openssl098.29129
0002-ECDSA-Address-a-timing-side-channel-whereb...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0002-ECDSA-Address-a-timing-side-channel-whereby-it-is-possible.patch of Package compat-openssl098.29129
From 23f7e974d59a576ad7d8cfd9f7ac957a883e361f Mon Sep 17 00:00:00 2001 From: Pauli <paul.dale@oracle.com> Date: Wed, 1 Nov 2017 09:47:13 +1000 Subject: [PATCH] Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Refer to #4576 for further details. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4623) --- crypto/ecdsa/ecs_ossl.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) Index: openssl-0.9.8j/crypto/ecdsa/ecs_ossl.c =================================================================== --- openssl-0.9.8j.orig/crypto/ecdsa/ecs_ossl.c 2018-11-28 15:32:40.242822924 +0100 +++ openssl-0.9.8j/crypto/ecdsa/ecs_ossl.c 2018-11-28 15:33:24.299062741 +0100 @@ -94,6 +94,7 @@ static int ecdsa_sign_setup(EC_KEY *ecke EC_POINT *tmp_point=NULL; const EC_GROUP *group; int ret = 0; + int order_bits; if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { @@ -131,6 +132,13 @@ static int ecdsa_sign_setup(EC_KEY *ecke ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } + + /* Preallocate space */ + order_bits = BN_num_bits(order); + if (!BN_set_bit(k, order_bits) + || !BN_set_bit(r, order_bits) + || !BN_set_bit(X, order_bits)) + goto err; do { @@ -144,15 +152,23 @@ static int ecdsa_sign_setup(EC_KEY *ecke } while (BN_is_zero(k)); -#ifdef ECDSA_POINT_MUL_NO_CONSTTIME /* We do not want timing information to leak the length of k, * so we compute G*k using an equivalent scalar of fixed - * bit-length. */ + * bit-length. + * + * We unconditionally perform both of these additions to prevent a + * small timing information leakage. We then choose the sum that is + * one bit longer than the order. This guarantees the code + * path used in the constant time implementations elsewhere. + * + * TODO: revisit the BN_copy aiming for a memory access agnostic + * conditional copy. + */ + + if (!BN_add(r, k, order) + || !BN_add(X, r, order) + || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X)) goto err; - if (!BN_add(k, k, order)) goto err; - if (BN_num_bits(k) <= BN_num_bits(order)) - if (!BN_add(k, k, order)) goto err; -#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */ BN_set_flags(k, BN_FLG_CONSTTIME); /* compute r the x-coordinate of generator * k */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor