1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
# HG changeset patch
# User Billy Brumley <bbrumley@gmail.com>
# Date 1595283525 0
# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
Timing attack countermeasures are now applied more generally deeper in
the call stack.
Differential Revision: https://phabricator.services.mozilla.com/D82011
diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c
--- a/nss/lib/freebl/ec.c
+++ b/nss/lib/freebl/ec.c
@@ -719,37 +719,16 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
mp_tohex(&n, mpstr);
printf("n : %s \n", mpstr);
#endif
PORT_SetError(SEC_ERROR_NEED_RANDOM);
goto cleanup;
}
/*
- ** We do not want timing information to leak the length of k,
- ** so we compute k*G using an equivalent scalar of fixed
- ** bit-length.
- ** Fix based on patch for ECDSA timing attack in the paper
- ** by Billy Bob Brumley and Nicola Tuveri at
- ** http://eprint.iacr.org/2011/232
- **
- ** How do we convert k to a value of a fixed bit-length?
- ** k starts off as an integer satisfying 0 <= k < n. Hence,
- ** n <= k+n < 2n, which means k+n has either the same number
- ** of bits as n or one more bit than n. If k+n has the same
- ** number of bits as n, the second addition ensures that the
- ** final value has exactly one more bit than n. Thus, we
- ** always end up with a value that exactly one more bit than n.
- */
- CHECK_MPI_OK(mp_add(&k, &n, &k));
- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
- CHECK_MPI_OK(mp_add(&k, &n, &k));
- }
-
- /*
** ANSI X9.62, Section 5.3.2, Step 2
**
** Compute kG
*/
kGpoint.len = EC_GetPointSize(ecParams);
kGpoint.data = PORT_Alloc(kGpoint.len);
if ((kGpoint.data == NULL) ||
(ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint) != SECSuccess))
|
