Skip to content
Snippets Groups Projects
Commit 992bdde6 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Fix the ECDSA timing attack mentioned in the paper at:

	http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
parent bbcf3a9b
No related branches found
No related tags found
No related merge requests found
......@@ -4,6 +4,13 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
*) Add TLS v1.2 server support for client authentication.
[Steve Henson]
......
......@@ -151,6 +151,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
}
while (BN_is_zero(k));
#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
/* We do not want timing information to leak the length of k,
* so we compute G*k using an equivalent scalar of fixed
* bit-length. */
if (!BN_add(k, k, order)) goto err;
if (BN_num_bits(k) <= BN_num_bits(order))
if (!BN_add(k, k, order)) goto err;
#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
{
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment