mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-06-01 01:41:37 +00:00
#627: M1631573
parent
2373458b58
commit
0abd0fc5d5
|
@ -723,27 +723,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
** We do not want timing information to leak the length of k,
|
|
||||||
** so we compute k*G using an equivalent scalar of fixed
|
|
||||||
** bit-length.
|
|
||||||
** Fix based on patch for ECDSA timing attack in the paper
|
|
||||||
** by Billy Bob Brumley and Nicola Tuveri at
|
|
||||||
** http://eprint.iacr.org/2011/232
|
|
||||||
**
|
|
||||||
** How do we convert k to a value of a fixed bit-length?
|
|
||||||
** k starts off as an integer satisfying 0 <= k < n. Hence,
|
|
||||||
** n <= k+n < 2n, which means k+n has either the same number
|
|
||||||
** of bits as n or one more bit than n. If k+n has the same
|
|
||||||
** number of bits as n, the second addition ensures that the
|
|
||||||
** final value has exactly one more bit than n. Thus, we
|
|
||||||
** always end up with a value that exactly one more bit than n.
|
|
||||||
*/
|
|
||||||
CHECK_MPI_OK(mp_add(&k, &n, &k));
|
|
||||||
if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
|
|
||||||
CHECK_MPI_OK(mp_add(&k, &n, &k));
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
** ANSI X9.62, Section 5.3.2, Step 2
|
** ANSI X9.62, Section 5.3.2, Step 2
|
||||||
**
|
**
|
||||||
|
|
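Review bot: Removing the `mp_add(&k, &n, &k)` padding and its comment from `ECDSA_SignDigestWithSeed` drops the only countermeasure documented at this spot against timing leaking the length of k, and neither the hunk nor the commit message (`#627: M1631573`) says what takes its place. Please confirm that the k*G computation in the ANSI X9.62, Section 5.3.2, Step 2 block that follows runs in time independent of the bit length of k for every curve this path can reach. Then leave a one-line comment here saying so and pointing at the upstream bug, so that a later reader does not take the missing padding for an oversight and put it back, or assume a protection that is no longer there. The commit message would also benefit from a sentence giving the reason for the removal.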