
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from #7486)

(cherry picked from commit 99540ec)
paulidale committed Oct 26, 2018
1 parent ef11e19 commit 56fb454d281a023b3f950d969693553d3f3ceea1
Showing with 3 additions and 3 deletions.
  1. +3 −3 crypto/ec/ec_mult.c
@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality);
if ((bn_wexpand(k, group_top + 1) == NULL)
|| (bn_wexpand(lambda, group_top + 1) == NULL))
if ((bn_wexpand(k, group_top + 2) == NULL)
|| (bn_wexpand(lambda, group_top + 2) == NULL)) {

@markt-asf

markt-asf Oct 29, 2018

The addition of the trailing { appears to be the cause of compilation failures we are seeing on the CI system the Apache Tomcat project maintains for the OpenSSL versions we depend on.

@paulidale

paulidale via email Oct 29, 2018

goto err;
if (!BN_copy(k, scalar))
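Review bot: the `{` added at the end of the second `bn_wexpand` condition has no matching `}` anywhere in this hunk; the unchanged context that follows is `goto err;` and then `if (!BN_copy(k, scalar))`, so the brace is left open and the file will not compile (the Tomcat CI failure reported in the inline comment is consistent with this). Either drop the `{` so the `if` keeps its original single-statement form, or add a closing `}` line after `goto err;` if the intent was to switch to braced style. Separately, the comment that closes at the top of the hunk (`*/`) presumably justifies the earlier `group_top + 1`; it should be updated to say why two extra limbs are now preallocated, since the commit message only says it avoids a reallocation.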
@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
BN_consttime_swap(kbit, k, lambda, group_top + 1);
BN_consttime_swap(kbit, k, lambda, group_top + 2);
group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL)
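Review bot: the word count passed to `BN_consttime_swap` must not exceed what both `k` and `lambda` were expanded to, so this `group_top + 2` has to stay in lock-step with the `bn_wexpand(..., group_top + 2)` calls earlier in the function; with the value repeated as a bare literal in two places there is nothing to keep them in sync. Consider computing it once (for example a local assigned before the `bn_wexpand` calls and reused here) or adding a comment at the swap that points back to the preallocation. Note also that `group_top` is reassigned from `group->field` on the very next line, so the swap correctly uses the cardinality-derived top; that reassignment must not be moved above the swap.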
