From 34663717cb0860420c3d4eefddf19adb17f26237 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 8 Aug 2023 13:09:28 +0000
Subject: [PATCH] Remove ECDSA nonce padding kludge This was a workaround due to the historically non-constant time scalar multiplication in the EC code. Since Brumley and Tuveri implemented the Montgomery ladder, this is no longer useful and should have been removed a long time ago, as it now does more harm than good. Keep the preallocations as they still help hiding some timing info. ok jsing
---
 lib/libcrypto/ecdsa/ecdsa.c | 23 +----------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/lib/libcrypto/ecdsa/ecdsa.c b/lib/libcrypto/ecdsa/ecdsa.c
index 8160014b3b2..52f5044997b 100644
--- a/lib/libcrypto/ecdsa/ecdsa.c
+++ b/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */
+/* $OpenBSD: ecdsa.c,v 1.18 2023/08/08 13:09:28 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.
 *
@@ -341,27 +341,6 @@ ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r)
 if (!bn_rand_interval(k, 1, order))
 goto err;
- /*
- * We do not want timing information to leak the length of k,
- * so we compute G * k using an equivalent scalar of fixed
- * bit-length.
- *
- * We unconditionally perform both of these additions to prevent
- * a small timing information leakage. We then choose the sum
- * that is one bit longer than the order. This guarantees the
- * code path used in the constant time implementations
- * elsewhere.
- *
- * TODO: revisit the bn_copy aiming for a memory access agnostic
- * conditional copy.
- */
- if (!BN_add(r, k, order) ||
- !BN_add(x, r, order) ||
- !bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
- goto err;
-
- BN_set_flags(k, BN_FLG_CONSTTIME);
-
 /* Step 5: P = k * G. */
 if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
 ECerror(ERR_R_EC_LIB);
-- 
2.20.1