Commit 992bdde6 authored May 25, 2011 by Dr. Stephen Henson

Fix the ECDSA timing attack mentioned in the paper at:

	http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.

parent bbcf3a9b

CHANGES

+7 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,13 @@

		Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]

		*) Add protection against ECDSA timing attacks as mentioned in the paper
		by Billy Bob Brumley and Nicola Tuveri, see:

		http://eprint.iacr.org/2011/232.pdf

		[Billy Bob Brumley and Nicola Tuveri]

		*) Add TLS v1.2 server support for client authentication.
		[Steve Henson]

crypto/ecdsa/ecs_ossl.c

+10 −0

Original line number	Diff line number	Diff line
		@@ -151,6 +151,16 @@ static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,
		}
		while (BN_is_zero(k));

		#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
		/* We do not want timing information to leak the length of k,
		* so we compute G*k using an equivalent scalar of fixed
		* bit-length. */

		if (!BN_add(k, k, order)) goto err;
		if (BN_num_bits(k) <= BN_num_bits(order))
		if (!BN_add(k, k, order)) goto err;
		#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */

		/* compute r the x-coordinate of generator * k */
		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
		{