Skip to content
  1. May 29, 2018
  2. May 28, 2018
  3. May 27, 2018
  4. May 26, 2018
  5. May 25, 2018
  6. May 24, 2018
  7. May 23, 2018
  8. May 22, 2018
  9. May 21, 2018
  10. May 20, 2018
  11. May 18, 2018
  12. May 17, 2018
    • Matt Caswell's avatar
      Make BN_GF2m_mod_arr more constant time · b336ce57
      Matt Caswell authored
      
      
      Experiments have shown that the lookup table used by BN_GF2m_mod_arr
      introduces sufficient timing signal to recover the private key for an
      attacker with access to cache timing information on the victim's host.
      This only affects binary curves (which are less frequently used).
      
      No CVE is considered necessary for this issue.
      
      The fix is to replace the lookup table with an on-the-fly calculation of
      the value from the table instead, which can be performed in constant time.
      
      Thanks to Youngjoo Shin for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6270)
      b336ce57