From 1e368ab08fccdb824cb91bd7765880de0dbf2ea8 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 25 May 2011 14:43:47 +0000 Subject: [PATCH] Fix the ECDSA timing attack mentioned in the paper at: http://eprint.iacr.org/2011/232.pdf Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for bringing this to our attention. --- CHANGES | 7 ++++++- crypto/ecdsa/ecs_ossl.c | 10 ++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 43299af8ec..a3ee3b0bc6 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,12 @@ Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] - *) + *) Add protection against ECDSA timing attacks as mentioned in the paper + by Billy Bob Brumley and Nicola Tuveri, see: + + http://eprint.iacr.org/2011/232.pdf + + [Billy Bob Brumley and Nicola Tuveri] Changes between 0.9.8q and 0.9.8r [8 Feb 2011] diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index 551cf5068f..bbb5588cbe 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, } while (BN_is_zero(k)); +#ifdef ECDSA_POINT_MUL_NO_CONSTTIME + /* We do not want timing information to leak the length of k, + * so we compute G*k using an equivalent scalar of fixed + * bit-length. */ + + if (!BN_add(k, k, order)) goto err; + if (BN_num_bits(k) <= BN_num_bits(order)) + if (!BN_add(k, k, order)) goto err; +#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */ + /* compute r the x-coordinate of generator * k */ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { -- 2.25.1