blob: c15dc803214625c5fc2628bbb9b31df3c5c8521a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
Description: Fix CVE-2011-1945, timing attacks against ECDHE_ECDSA makes
it easier to determine private keys.
Origin: http://cvs.openssl.org/chngview?cn=20892
Index: openssl-0.9.8o/crypto/ecdsa/ecs_ossl.c
===================================================================
--- openssl-0.9.8o.orig/crypto/ecdsa/ecs_ossl.c
+++ openssl-0.9.8o/crypto/ecdsa/ecs_ossl.c
@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY *ecke
}
while (BN_is_zero(k));
+ /* We do not want timing information to leak the length of k,
+ * so we compute G*k using an equivalent scalar of fixed
+ * bit-length. */
+
+ if (!BN_add(k, k, order)) goto err;
+ if (BN_num_bits(k) <= BN_num_bits(order))
+ if (!BN_add(k, k, order)) goto err;
+
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
{
|
