Diffstat (limited to 'CVE-2020-12401.patch')
-rw-r--r-- | CVE-2020-12401.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/CVE-2020-12401.patch b/CVE-2020-12401.patch
new file mode 100644
index 0000000..fe22dfb
--- /dev/null
+++ b/CVE-2020-12401.patch
@@ -0,0 +1,57 @@
+
+# HG changeset patch
+# User Billy Brumley <bbrumley@gmail.com>
+# Date 1595283525 0
+# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
+# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
+Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
+
+Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
+
+Timing attack countermeasures are now applied more generally deeper in
+the call stack.
+
+Differential Revision: https://phabricator.services.mozilla.com/D82011
+
+diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c
+--- a/nss/lib/freebl/ec.c
++++ b/nss/lib/freebl/ec.c
+@@ -719,37 +719,16 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
+ mp_tohex(&n, mpstr);
+ printf("n : %s \n", mpstr);
+ #endif
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ goto cleanup;
+ }
+
+ /*
+- ** We do not want timing information to leak the length of k,
+- ** so we compute k*G using an equivalent scalar of fixed
+- ** bit-length.
+- ** Fix based on patch for ECDSA timing attack in the paper
+- ** by Billy Bob Brumley and Nicola Tuveri at
+- ** http://eprint.iacr.org/2011/232
+- **
+- ** How do we convert k to a value of a fixed bit-length?
+- ** k starts off as an integer satisfying 0 <= k < n. Hence,
+- ** n <= k+n < 2n, which means k+n has either the same number
+- ** of bits as n or one more bit than n. If k+n has the same
+- ** number of bits as n, the second addition ensures that the
+- ** final value has exactly one more bit than n. Thus, we
+- ** always end up with a value that exactly one more bit than n.
+- */
+- CHECK_MPI_OK(mp_add(&k, &n, &k));
+- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
+- CHECK_MPI_OK(mp_add(&k, &n, &k));
+- }
+-
+- /*
+ ** ANSI X9.62, Section 5.3.2, Step 2
+ **
+ ** Compute kG
+ */
+ kGpoint.len = EC_GetPointSize(ecParams);
+ kGpoint.data = PORT_Alloc(kGpoint.len);
+ if ((kGpoint.data == NULL) ||
+ (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint) != SECSuccess))
+
|
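Review bot: The embedded hunk deletes the fixed-bit-length padding of k (the two `mp_add(&k, &n, &k)` steps) ahead of `ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint)`, yet nothing in this patch file touches ec_points_mul itself, so the backport only preserves the ECDSA timing protection if the packaged nss already contains the constant-time scalar multiplication the upstream message alludes to ("countermeasures are now applied more generally deeper in the call stack"). That prerequisite is not visible on this page and should be confirmed against the nss tree this package builds before the patch is applied; applied alone, the change would reintroduce the scalar-length leak the removed comment describes. Recording it in the patch preamble, after the Differential Revision line, e.g. `Backport note: requires the constant-time scalar multiplication in ec_points_mul (upstream ECPoints_mul/ECPoint_mul change) to already be present in this nss version.`, would make the dependency explicit for the next maintainer. The enclosing function ECDSA_SignDigestWithSeed begins and ends outside the quoted hunk, and the rendering has dropped the inner lines' indentation, which should be checked against the original patch before committing.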