Skip to content

Commit

Permalink
deps: float 99540ec from openssl (CVE-2018-0735)
Browse files Browse the repository at this point in the history 
Low severity timing vulnerability in ECDSA signature generation

Publicly disclosed but unreleased, pending OpenSSL 1.1.0j

Also includes trivial syntax fix from
openssl/openssl#7516

Ref: https://www.openssl.org/news/secadv/20181029.txt
Ref: openssl/openssl#7486
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@99540ec

Original commit message:

    Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

    Preallocate an extra limb for some of the big numbers to avoid a reallocation
    that can potentially provide a side channel.

    Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    (Merged from openssl/openssl#7486)

PR-URL: #23950
Refs: https://www.openssl.org/news/secadv/20181029.txt
Refs: openssl/openssl#7486
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
@rvagg @Trott
rvagg authored and Trott committed Nov 4, 2018
1 parent 213c7d2 commit d8fb81f
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions deps/openssl/openssl/crypto/ec/ec_mult.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality);
if ((bn_wexpand(k, group_top + 1) == NULL)
|| (bn_wexpand(lambda, group_top + 1) == NULL))
if ((bn_wexpand(k, group_top + 2) == NULL)
|| (bn_wexpand(lambda, group_top + 2) == NULL))
goto err;

if (!BN_copy(k, scalar))
Expand All @@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
BN_consttime_swap(kbit, k, lambda, group_top + 1);
BN_consttime_swap(kbit, k, lambda, group_top + 2);

group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL)
Expand Down

0 comments on commit d8fb81f

Please sign in to comment.