Address a timing side channel whereby it is possible to determine some
authorPauli <paul.dale@oracle.com>
Tue, 31 Oct 2017 20:58:39 +0000 (06:58 +1000)
committerMatt Caswell <matt@openssl.org>
Wed, 1 Nov 2017 15:55:11 +0000 (15:55 +0000)
commitab9195255a2616fc1b5511407b2ded4ea2765ad1
tree581610aa8d05ae8a38a7336be4f7ebaa273febb8
parent71844800d543162f709c6a223d993a50506028c2
Address a timing side channel whereby it is possible to determine some

information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)

(cherry picked from commit 4a089bbdf11f9e231cc68f42bba934c954d81a49)
crypto/ec/ecdsa_ossl.c