# HG changeset patch
# User Billy Brumley
# Date 1595283525 0
# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding. Timing attack countermeasures are now applied more generally deeper in the call stack.
Differential Revision: https://phabricator.services.mozilla.com/D82011
diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c
--- a/nss/lib/freebl/ec.c
+++ b/nss/lib/freebl/ec.c
@@ -719,37 +719,16 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
 mp_tohex(&n, mpstr);
 printf("n : %s \n", mpstr);
 #endif
 PORT_SetError(SEC_ERROR_NEED_RANDOM);
 goto cleanup;
 }
 /*
- ** We do not want timing information to leak the length of k,
- ** so we compute k*G using an equivalent scalar of fixed
- ** bit-length.
- ** Fix based on patch for ECDSA timing attack in the paper
- ** by Billy Bob Brumley and Nicola Tuveri at
- ** http://eprint.iacr.org/2011/232
- **
- ** How do we convert k to a value of a fixed bit-length?
- ** k starts off as an integer satisfying 0 <= k < n. Hence,
- ** n <= k+n < 2n, which means k+n has either the same number
- ** of bits as n or one more bit than n. If k+n has the same
- ** number of bits as n, the second addition ensures that the
- ** final value has exactly one more bit than n. Thus, we
- ** always end up with a value that exactly one more bit than n.
- */
- CHECK_MPI_OK(mp_add(&k, &n, &k));
- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
- CHECK_MPI_OK(mp_add(&k, &n, &k));
- }
-
- /*
 ** ANSI X9.62, Section 5.3.2, Step 2
 **
 ** Compute kG
 */
 kGpoint.len = EC_GetPointSize(ecParams);
 kGpoint.data = PORT_Alloc(kGpoint.len);
 if ((kGpoint.data == NULL) ||
 (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint) != SECSuccess))
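Review bot: With the padding gone, `k` reaches `ec_points_mul` on the hunk's last context line with nothing left in this function recording that its bit-length must not leak, because the comment that stated that requirement is deleted together with the code. The description says the countermeasure now lives deeper in the call stack, so that contract should be written down where k is consumed rather than left implicit; before the `/* ANSI X9.62, Section 5.3.2, Step 2 ... */` block add `/* k is passed unpadded; ec_points_mul is responsible for computing k*G without leaking the length of k (Bug 1631573). */`. Keeping the eprint 2011/232 reference in that comment would preserve the record of why the scalar used to be padded here. ECDSA_SignDigestWithSeed begins and continues outside the hunk.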