File 0002-ECDSA-Address-a-timing-side-channel-whereby-it-is-possible.patch of Package openssl.11276

From 23f7e974d59a576ad7d8cfd9f7ac957a883e361f Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Wed, 1 Nov 2017 09:47:13 +1000
Subject: [PATCH] Address a timing side channel whereby it is possible to
 determine some

information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Refer to #4576 for further details.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4623)
---
 crypto/ecdsa/ecs_ossl.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

Index: openssl-1.0.1i/crypto/ecdsa/ecs_ossl.c
===================================================================
--- openssl-1.0.1i.orig/crypto/ecdsa/ecs_ossl.c	2018-11-14 14:26:52.260775521 +0100
+++ openssl-1.0.1i/crypto/ecdsa/ecs_ossl.c	2018-11-14 14:30:03.133859807 +0100
@@ -97,6 +97,7 @@ static int ecdsa_sign_setup(EC_KEY *ecke
 	EC_POINT *tmp_point=NULL;
 	const EC_GROUP *group;
 	int 	 ret = 0;
+    int order_bits;
 
 	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL)
 	{
@@ -135,6 +136,13 @@ static int ecdsa_sign_setup(EC_KEY *ecke
 		goto err;
 	}
 	
+    /* Preallocate space */
+    order_bits = BN_num_bits(order);
+    if (!BN_set_bit(k, order_bits)
+        || !BN_set_bit(r, order_bits)
+        || !BN_set_bit(X, order_bits))
+        goto err;
+
 	do
 	{
 		/* get random k */	
@@ -149,11 +157,20 @@ static int ecdsa_sign_setup(EC_KEY *ecke
 
 		/* We do not want timing information to leak the length of k,
 		 * so we compute G*k using an equivalent scalar of fixed
-		 * bit-length. */
-
-		if (!BN_add(k, k, order)) goto err;
-		if (BN_num_bits(k) <= BN_num_bits(order))
-			if (!BN_add(k, k, order)) goto err;
+		 * bit-length.
+         *
+         * We unconditionally perform both of these additions to prevent a
+         * small timing information leakage.  We then choose the sum that is
+         * one bit longer than the order.  This guarantees the code
+         * path used in the constant time implementations elsewhere.
+         *
+         * TODO: revisit the BN_copy aiming for a memory access agnostic
+         * conditional copy.
+         */
+
+        if (!BN_add(r, k, order)
+            || !BN_add(X, r, order)
+            || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X)) goto err;
 
 	        BN_set_flags(k, BN_FLG_CONSTTIME);
 		/* compute r the x-coordinate of generator * k */
openSUSE Build Service is sponsored by