authorjsing <jsing@openbsd.org>2017-01-05 13:25:52 +0000
committerjsing <jsing@openbsd.org>2017-01-05 13:25:52 +0000
commit034c8d31c85d2025657348d5e1cebe6b36ceebbe (patch)
treeb6f9f3e9017b927f9c6cd3240e0803dcdea79f9f /lib/libcrypto/ecdsa
parentChecking whether mbuf list is empty is done by the if_input now (diff)
downloadwireguard-openbsd-034c8d31c85d2025657348d5e1cebe6b36ceebbe.tar.xz
wireguard-openbsd-034c8d31c85d2025657348d5e1cebe6b36ceebbe.zip
Avoid a side-channel cache-timing attack that can leak the ECDSA private
keys when signing. This is due to BN_mod_inverse() being used without the constant time flag being set. This issue was reported by Cesar Pereida Garcia and Billy Brumley (Tampere University of Technology). The fix was developed by Cesar Pereida Garcia.
Diffstat (limited to 'lib/libcrypto/ecdsa')
-rw-r--r--lib/libcrypto/ecdsa/ecs_ossl.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libcrypto/ecdsa/ecs_ossl.c b/lib/libcrypto/ecdsa/ecs_ossl.c
index 31102138c0a..26158a001b0 100644
--- a/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.7 2017/01/05 13:25:52 jsing Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project
*/
@@ -142,6 +142,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
if (!BN_add(k, k, order))
goto err;
+ BN_set_flags(k, BN_FLG_CONSTTIME);
+
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);