sync code with last fixes and improvements from OpenBSD
parent
371ae113c6
commit
454dab66ed
95 changed files with 1784 additions and 2042 deletions
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */
|
||||
/* $OpenBSD: ecdsa.c,v 1.18 2023/08/08 13:09:28 tb Exp $ */
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
|
@ -341,27 +341,6 @@ ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r)
|
|||
if (!bn_rand_interval(k, 1, order))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* We do not want timing information to leak the length of k,
|
||||
* so we compute G * k using an equivalent scalar of fixed
|
||||
* bit-length.
|
||||
*
|
||||
* We unconditionally perform both of these additions to prevent
|
||||
* a small timing information leakage. We then choose the sum
|
||||
* that is one bit longer than the order. This guarantees the
|
||||
* code path used in the constant time implementations
|
||||
* elsewhere.
|
||||
*
|
||||
* TODO: revisit the bn_copy aiming for a memory access agnostic
|
||||
* conditional copy.
|
||||
*/
|
||||
if (!BN_add(r, k, order) ||
|
||||
!BN_add(x, r, order) ||
|
||||
!bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
|
||||
goto err;
|
||||
|
||||
BN_set_flags(k, BN_FLG_CONSTTIME);
|
||||
|
||||
/* Step 5: P = k * G. */
|
||||
if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
|
||||
ECerror(ERR_R_EC_LIB);
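Review bot: After this hunk `k` goes straight from `bn_rand_interval(k, 1, order)` into `EC_POINT_mul(group, point, k, NULL, NULL, ctx)`, and nothing in the remaining lines says why the nonce no longer needs protecting. The fixed-bit-length padding is gone and, judging by the 27-to-6 line counts in the hunk header, so is the `BN_set_flags(k, BN_FLG_CONSTTIME)` call. The deleted comment described a timing side channel on the bit length of the ECDSA nonce, so that guarantee now has to come from the scalar multiplication itself, which is not visible here. I would add a short comment above Step 5, for example `/* k is not padded here: EC_POINT_mul() must not leak the bit length of k. */`, and confirm that the multiplication path reached from this call is constant time in the scalar without the flag being set by the caller. The body of ecdsa_sign_setup begins and ends outside the hunk.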
|
||||
|
|