Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | CVE: CVE-2018-0735 |
| 2 | |
| 3 | Upstream-Status: Backport |
| 4 | |
| 5 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| 6 | |
| 7 | From b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Mon Sep 17 00:00:00 2001 |
| 8 | From: Pauli <paul.dale@oracle.com> |
| 9 | Date: Fri, 26 Oct 2018 10:54:58 +1000 |
| 10 | Subject: [PATCH] Timing vulnerability in ECDSA signature generation |
| 11 | (CVE-2018-0735) |
| 12 | |
| 13 | Preallocate an extra limb for some of the big numbers to avoid a reallocation |
| 14 | that can potentially provide a side channel. |
| 15 | |
| 16 | Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> |
| 17 | (Merged from https://github.com/openssl/openssl/pull/7486) |
| 18 | |
| 19 | (cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52) |
| 20 | --- |
| 21 | crypto/ec/ec_mult.c | 6 +++--- |
| 22 | 1 file changed, 3 insertions(+), 3 deletions(-) |
| 23 | |
| 24 | diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c |
| 25 | index 7e1b3650e7..0e0a5e1394 100644 |
| 26 | --- a/crypto/ec/ec_mult.c |
| 27 | +++ b/crypto/ec/ec_mult.c |
| 28 | @@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, |
| 29 | */ |
| 30 | cardinality_bits = BN_num_bits(cardinality); |
| 31 | group_top = bn_get_top(cardinality); |
| 32 | - if ((bn_wexpand(k, group_top + 1) == NULL) |
| 33 | - || (bn_wexpand(lambda, group_top + 1) == NULL)) { |
| 34 | + if ((bn_wexpand(k, group_top + 2) == NULL) |
| 35 | + || (bn_wexpand(lambda, group_top + 2) == NULL)) { |
| 36 | ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); |
| 37 | goto err; |
| 38 | } |
| 39 | @@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, |
| 40 | * k := scalar + 2*cardinality |
| 41 | */ |
| 42 | kbit = BN_is_bit_set(lambda, cardinality_bits); |
| 43 | - BN_consttime_swap(kbit, k, lambda, group_top + 1); |
| 44 | + BN_consttime_swap(kbit, k, lambda, group_top + 2); |
| 45 | |
| 46 | group_top = bn_get_top(group->field); |
| 47 | if ((bn_wexpand(s->X, group_top) == NULL) |
| 48 | -- |
| 49 | 2.17.0 |
| 50 | |