Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from #7486)

(cherry picked from commit 99540ec)
paulidale committed Oct 28, 2018
1 parent ef11e19 commit 56fb454
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions crypto/ec/ec_mult.c
Expand Up @@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality);
if ((bn_wexpand(k, group_top + 1) == NULL)
|| (bn_wexpand(lambda, group_top + 1) == NULL))
if ((bn_wexpand(k, group_top + 2) == NULL)
|| (bn_wexpand(lambda, group_top + 2) == NULL)) {

@markt-asf

markt-asf Oct 29, 2018

The addition of the trailing { appears to be the cause of compilation failures we are seeing on the CI system the Apache Tomcat project maintains for the OpenSSL versions we depend on.

@paulidale

paulidale via email Oct 29, 2018

goto err;

if (!BN_copy(k, scalar))
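Review bot: the `{` appended to the second condition line (`|| (bn_wexpand(lambda, group_top + 2) == NULL)) {`) has no matching `}` anywhere in this hunk; the `goto err;` that follows is still an unbraced single-statement body, so the file no longer compiles, which is exactly the CI breakage markt-asf reports on this line. Either drop the trailing `{` so the line reads `|| (bn_wexpand(lambda, group_top + 2) == NULL))` as before, or close the block after `goto err;`. The substantive change, growing both `k` and `lambda` by `group_top + 2` limbs instead of `group_top + 1`, is what the commit message describes: the extra limb is reserved up front so the later work on `k := scalar + 2*cardinality` cannot trigger a reallocation inside the constant-time scalar multiplication, since a reallocation that happens only for some scalar values is observable as a side channel.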
Expand All @@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
BN_consttime_swap(kbit, k, lambda, group_top + 1);
BN_consttime_swap(kbit, k, lambda, group_top + 2);

group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL)
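Review bot: the word count passed to `BN_consttime_swap` (`group_top + 2`) must stay equal to the size `k` and `lambda` were expanded to in the previous hunk, because the swap touches that many words of both operands independently of their current `top`; the two sites agree here, but only because the literal `+ 2` is repeated by hand. Consider deriving both from one local (for example `const int swap_top = group_top + 2;`) so that a future edit to one site cannot leave the other swapping more words than were allocated. Any such local must be taken before the `group_top = bn_get_top(group->field);` assignment two lines below, which reuses the variable for a different size.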

0 comments on commit 56fb454
