generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix for CVE-2014-0076 backported to 0.9.8 branch

Browse Source 
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.

Thanks for mancha for backporting the fix to OpenSSL 0.9.8 branch.
This commit is contained in:
mancha
2014-03-27 00:55:08 +00:00
committed by Dr. Stephen Henson
parent a375025e4d
commit fff69a7d8c
4 changed files with 89 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
crypto/ec/ec2_mult.c
View File

@@ -208,9 +208,12 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
/* Computes scalar*point and stores the result in r.
* point can not equal r.
* Uses algorithm 2P of
* Uses a modified algorithm 2P of
* Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over
* GF(2^m) without precomputation".
*
* To protect against side-channel attack the function uses constant time
* swap avoiding conditional branches.
*/
static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
const EC_POINT *point, BN_CTX *ctx)
@@ -244,6 +247,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
x2 = &r->X;
z2 = &r->Y;
bn_wexpand(x1, group->field.top);
bn_wexpand(z1, group->field.top);
bn_wexpand(x2, group->field.top);
bn_wexpand(z2, group->field.top);
if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
if (!BN_one(z1)) goto err; /* z1 = 1 */
if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
@@ -266,16 +274,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
{
for (; j >= 0; j--)
{
if (scalar->d[i] & mask)
{
if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
}
else
{
if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
}
BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top);
BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top);
if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top);
BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top);
mask >>= 1;
}
j = BN_BITS2 - 1;