Commit 56fb454

Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from #7486)
(cherry picked from commit 99540ec)
1 parent ef11e19 commit 56fb454

1 file changed

+3
-3
lines changed

Diff for: crypto/ec/ec_mult.c

@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
177177
*/
178178
cardinality_bits = BN_num_bits(cardinality);
179179
group_top = bn_get_top(cardinality);
180-
if ((bn_wexpand(k, group_top + 1) == NULL)
181-
|| (bn_wexpand(lambda, group_top + 1) == NULL))
180+
if ((bn_wexpand(k, group_top + 2) == NULL)
181+
|| (bn_wexpand(lambda, group_top + 2) == NULL)) {
182182
goto err;
183183

184184
if (!BN_copy(k, scalar))
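Review bot: the `{` added at the end of `|| (bn_wexpand(lambda, group_top + 2) == NULL)) {` has no matching `}` anywhere in the visible context; line 183 renders as empty, so either the rendering dropped the closing brace or the new line should not open one, since the surrounding code uses a bare single-statement `goto err;`. Please confirm the braces balance before merging. Separately, the hunk changes the headroom from one extra limb to two but nothing in the code says why two is sufficient; the context a few lines down shows `k` growing to `scalar + 2*cardinality`, so a one-line comment at the `bn_wexpand` call stating that invariant (the widest intermediate plus whatever BN_add needs so that no call in this path can reallocate) would stop a future cleanup from "optimising" the constant back down and reintroducing the data-dependent reallocation the commit message is fixing.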
@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
205205
* k := scalar + 2*cardinality
206206
*/
207207
kbit = BN_is_bit_set(lambda, cardinality_bits);
208-
BN_consttime_swap(kbit, k, lambda, group_top + 1);
208+
BN_consttime_swap(kbit, k, lambda, group_top + 2);
209209

210210
group_top = bn_get_top(group->field);
211211
if ((bn_wexpand(s->X, group_top) == NULL)
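Review bot: the `group_top + 2` passed to `BN_consttime_swap(kbit, k, lambda, group_top + 2);` must stay in lockstep with the `bn_wexpand(k, group_top + 2)` / `bn_wexpand(lambda, group_top + 2)` sizes earlier in the function, because the swap touches exactly that many words of both operands and both must have them allocated; two literal copies of the same number in one function are easy to let drift apart in a later edit. Suggest hoisting it into one local, e.g. `const int k_top = group_top + 2;`, used at both sites. Note also that the unchanged line directly below reassigns `group_top = bn_get_top(group->field);`, so the same name is reused for a different quantity within a few lines of the swap, which is another reason to give the scalar width its own name.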
