Index: openssl/crypto/ecdsa/ecs_ossl.c |
=================================================================== |
--- openssl/crypto/ecdsa/ecs_ossl.c (revision 105093) |
+++ openssl/crypto/ecdsa/ecs_ossl.c (working copy) |
@@ -144,6 +144,14 @@ |
} |
while (BN_is_zero(k)); |
+ /* We do not want timing information to leak the length of k, |
+ * so we compute G*k using an equivalent scalar of fixed |
+ * bit-length. */ |
+ |
+ if (!BN_add(k, k, order)) goto err; |
+ if (BN_num_bits(k) <= BN_num_bits(order)) |
+ if (!BN_add(k, k, order)) goto err; |
+ |
/* compute r the x-coordinate of generator * k */ |
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) |
{ |