artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2cf255e)
Remove ECDSA nonce padding kludge
authortb <tb@openbsd.org>
Tue, 8 Aug 2023 13:09:28 +0000 (13:09 +0000)
committertb <tb@openbsd.org>
Tue, 8 Aug 2023 13:09:28 +0000 (13:09 +0000)
This was a workaround due to the historically non-constant time scalar
multiplication in the EC code. Since Brumley and Tuveri implemented the
Montgomery ladder, this is no longer useful and should have been removed
a long time ago, as it now does more harm than good.

Keep the preallocations as they still help hiding some timing info.

ok jsing

lib/libcrypto/ecdsa/ecdsa.c patch | blob | history

diff --git a/lib/libcrypto/ecdsa/ecdsa.c b/lib/libcrypto/ecdsa/ecdsa.c
index 8160014..52f5044 100644 (file)
--- a/lib/libcrypto/ecdsa/ecdsa.c
+++ b/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */
+/* $OpenBSD: ecdsa.c,v 1.18 2023/08/08 13:09:28 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -341,27 +341,6 @@ ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r)
                if (!bn_rand_interval(k, 1, order))
                        goto err;
 
-               /*
-                * We do not want timing information to leak the length of k,
-                * so we compute G * k using an equivalent scalar of fixed
-                * bit-length.
-                *
-                * We unconditionally perform both of these additions to prevent
-                * a small timing information leakage.  We then choose the sum
-                * that is one bit longer than the order.  This guarantees the
-                * code path used in the constant time implementations
-                * elsewhere.
-                *
-                * TODO: revisit the bn_copy aiming for a memory access agnostic
-                * conditional copy.
-                */
-               if (!BN_add(r, k, order) ||
-                   !BN_add(x, r, order) ||
-                   !bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
-                       goto err;
-
-               BN_set_flags(k, BN_FLG_CONSTTIME);
-
                /* Step 5: P = k * G. */
                if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
                        ECerror(ERR_R_EC_LIB);
OpenBSD src
by Ahmet Artu Yildirim