Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486) (cherry picked from commit 99540ec)
- Loading branch information
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, | |
| */ | ||
| cardinality_bits = BN_num_bits(cardinality); | ||
| group_top = bn_get_top(cardinality); | ||
| if ((bn_wexpand(k, group_top + 2) == NULL) | ||
| || (bn_wexpand(lambda, group_top + 2) == NULL)) { | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong.
paulidale
via email
Author
Contributor
|
||
| goto err; | ||
|
|
||
| if (!BN_copy(k, scalar)) | ||
|
|
@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, | |
| * k := scalar + 2*cardinality | ||
| */ | ||
| kbit = BN_is_bit_set(lambda, cardinality_bits); | ||
| BN_consttime_swap(kbit, k, lambda, group_top + 2); | ||
|
|
||
| group_top = bn_get_top(group->field); | ||
| if ((bn_wexpand(s->X, group_top) == NULL) | ||
|
|
||
The addition of the trailing
{appears to be the cause of compilation failures we are seeing on the CI system the Apache Tomcat project maintains for the OpenSSL versions we depend on.