From 23f7e974d59a576ad7d8cfd9f7ac957a883e361f Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Wed, 1 Nov 2017 09:47:13 +1000
Subject: [PATCH] Address a timing side channel whereby it is possible to
determine some
information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.
Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.
Refer to #4576 for further details.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4623)
---
crypto/ecdsa/ecs_ossl.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
Index: openssl-0.9.8j/crypto/ecdsa/ecs_ossl.c
===================================================================
--- openssl-0.9.8j.orig/crypto/ecdsa/ecs_ossl.c 2018-11-28 15:32:40.242822924 +0100
+++ openssl-0.9.8j/crypto/ecdsa/ecs_ossl.c 2018-11-28 15:33:24.299062741 +0100
@@ -94,6 +94,7 @@ static int ecdsa_sign_setup(EC_KEY *ecke
EC_POINT *tmp_point=NULL;
const EC_GROUP *group;
int ret = 0;
+ int order_bits;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL)
{
@@ -131,6 +132,13 @@ static int ecdsa_sign_setup(EC_KEY *ecke
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
+
+ /* Preallocate space */
+ order_bits = BN_num_bits(order);
+ if (!BN_set_bit(k, order_bits)
+ || !BN_set_bit(r, order_bits)
+ || !BN_set_bit(X, order_bits))
+ goto err;
do
{
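Review bot: The new `goto err` on the BN_set_bit failure path exits without recording an ECDSA-level error, unlike the preceding failure path in this hunk, which calls `ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB)` first; for consistency with that convention I would add `ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);` before the `goto err` (BN_set_bit pushes its own reason code, so the diagnostic is not lost, but the failure is otherwise unattributed to this function). The `/* Preallocate space */` comment should also say why the preallocation matters: the later k+order and k+2*order sums can be one bit longer than the order, and sizing k, r and X once here means the subsequent BN_add calls do not grow them, so the allocation pattern appears intended to be independent of the value of k — something like `/* Preallocate k, r and X to order_bits+1 bits so the later BN_add calls never reallocate; a value-dependent reallocation would itself be an observable timing signal. */`. It is also worth stating that BN_set_bit leaves k, r and X holding 2^order_bits rather than zero, which is only acceptable because each is fully overwritten before use (k by the random-number loop that follows, r and X by the BN_add calls later in the function). ecdsa_sign_setup continues outside this hunk.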
@@ -144,15 +152,23 @@ static int ecdsa_sign_setup(EC_KEY *ecke
}
while (BN_is_zero(k));
-#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
/* We do not want timing information to leak the length of k,
* so we compute G*k using an equivalent scalar of fixed
- * bit-length. */
+ * bit-length.
+ *
+ * We unconditionally perform both of these additions to prevent a
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the order. This guarantees the code
+ * path used in the constant time implementations elsewhere.
+ *
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
+ * conditional copy.
+ */
+
+ if (!BN_add(r, k, order)
+ || !BN_add(X, r, order)
+ || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X)) goto err;
- if (!BN_add(k, k, order)) goto err;
- if (BN_num_bits(k) <= BN_num_bits(order))
- if (!BN_add(k, k, order)) goto err;
-#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
BN_set_flags(k, BN_FLG_CONSTTIME);
/* compute r the x-coordinate of generator * k */
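Review bot: After the added `BN_add(r, k, order)` and `BN_add(X, r, order)`, both `r` and `X` hold values from which the nonce k is trivially recovered (k+order and k+2*order), and they stay that way until the code after this hunk overwrites them; the function's cleanup path is outside the hunk, so please confirm that r and X are released with `BN_clear_free` on every exit, including the new `goto err` on the BN_copy line, rather than with plain `BN_free`. The selection `BN_num_bits(r) > order_bits ? r : X` is itself a branch on secret data (whether k+order carried into an extra bit, which since k < order is the only question), not only the memory-access pattern the TODO describes; a fully constant-time version would have to replace both the comparison and the copy, and the TODO could say so: `* TODO: the ?: selection below also branches on secret data, so a` / `* constant-time select is needed for the comparison as well as the copy.`. Since the `#ifdef ECDSA_POINT_MUL_NO_CONSTTIME` guard is removed, the comment block could also state that the scalar blinding now runs unconditionally, as a reader of the old code will look for that macro. ecdsa_sign_setup continues outside this hunk.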