authorTheo Buehler <tb@cvs.openbsd.org>2018-11-15 05:53:32 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2018-11-15 05:53:32 +0000
commitb7d4385f85aa5f9429e50d08ee14fe54a8ba80c8 (patch)
treef2715da4ac8f3aaaf22e543aa89b2420ec89af70 /lib
parentfb8239bb15facc08722d0c14bdd1c69d07ee7121 (diff)
Port OpenSSL commit 99540ec79491f59ed8b46b4edf130e17dc907f52 -- mitigation
for a timing vulnerability in ECDSA signature generation (CVE-2018-0735). Note that the blinding that we introduced back in June for ECDSA and DSA should mitigate this and related issues. This simply adds an additional layer of protection. discussed with jsing
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/ec/ecp_smpl.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/libcrypto/ec/ecp_smpl.c b/lib/libcrypto/ec/ecp_smpl.c
index c64c41130a7..3957bd154c2 100644
--- a/lib/libcrypto/ec/ecp_smpl.c
+++ b/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.28 2018/11/06 07:02:33 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.29 2018/11/15 05:53:31 tb Exp $ */
/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
* for the OpenSSL project.
* Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1556,8 +1556,8 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = cardinality->top;
- if ((bn_wexpand(k, group_top + 1) == NULL) ||
- (bn_wexpand(lambda, group_top + 1) == NULL))
+ if ((bn_wexpand(k, group_top + 2) == NULL) ||
+ (bn_wexpand(lambda, group_top + 2) == NULL))
goto err;
if (!BN_copy(k, scalar))
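Review bot: The padded word count `group_top + 2` is written by hand in three places that must agree — the two bn_wexpand() calls here and the nwords argument of BN_swap_ct() in the @@ -1584 hunk — and nothing in the code says why it is two words rather than the one it used to be. The explanatory comment that closes at the `*/` above begins outside this hunk; it should be extended to state the reason, presumably along the lines of `k := scalar + 2*cardinality is built with two BN_add() calls, each of which may expand its result one word past the wider operand, so pre-size both operands to group_top + 2 so that no reallocation (and hence no timing difference) depends on the scalar`, hedged or confirmed against BN_add()'s expansion rule. Hoisting the count into one local used at all three sites, e.g. `int pad_top = group_top + 2;` (constructed name), would keep the bn_wexpand() guarantee and the BN_swap_ct() width from drifting apart, since BN_swap_ct() presumably touches nwords words of each operand and relies on that expansion having happened. The enclosing function ec_GFp_simple_mul_ct() starts before this hunk and continues past the last one.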
@@ -1584,7 +1584,7 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
- if (!BN_swap_ct(kbit, k, lambda, group_top + 1))
+ if (!BN_swap_ct(kbit, k, lambda, group_top + 2))
goto err;
group_top = group->field.top;