Fix the ECDSA timing attack mentioned in the paper at:
[openssl.git] / crypto / ecdsa / ecs_ossl.c
index 3518bb0..50d02ed 100644 (file)
@@ -151,6 +151,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
                        }
                while (BN_is_zero(k));
 
+#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
+               /* We do not want timing information to leak the length of k,
+                * so we compute G*k using an equivalent scalar of fixed
+                * bit-length. */
+
+               if (!BN_add(k, k, order)) goto err;
+               if (BN_num_bits(k) <= BN_num_bits(order))
+                       if (!BN_add(k, k, order)) goto err;
+#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
+
                /* compute r the x-coordinate of generator * k */
                if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
                {