generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix the ECDSA timing attack mentioned in the paper at:

Browse Source 
http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
This commit is contained in:
Dr. Stephen Henson 2011-05-25 14:43:05 +00:00
parent 4e5755cd85
commit e82d6a2019
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGES
View File

@ -4,7 +4,12 @@
Changes between 1.0.0d and 1.0.0e [xx XXX xxxx] Changes between 1.0.0d and 1.0.0e [xx XXX xxxx]
*) *) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Changes between 1.0.0c and 1.0.0d [8 Feb 2011] Changes between 1.0.0c and 1.0.0d [8 Feb 2011]

10
crypto/ecdsa/ecs_ossl.c
View File

@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
} }
while (BN_is_zero(k)); while (BN_is_zero(k));
#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
/* We do not want timing information to leak the length of k,
* so we compute G*k using an equivalent scalar of fixed
* bit-length. */
if (!BN_add(k, k, order)) goto err;
if (BN_num_bits(k) <= BN_num_bits(order))
if (!BN_add(k, k, order)) goto err;
#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
/* compute r the x-coordinate of generator * k */ /* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
{ {