1 files changed, 33 insertions, 0 deletions

diff --git a/security/openssl-devel/files/patch-CVE-2018-0735 b/security/openssl-devel/files/patch-CVE-2018-0735
new file mode 100644
index 000000000000..8166b91cfda1
--- /dev/null
+++ b/security/openssl-devel/files/patch-CVE-2018-0735
@@ -0,0 +1,33 @@
+Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
+
+Preallocate an extra limb for some of the big numbers to avoid a reallocation
+that can potentially provide a side channel.
+
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+(Merged from #7486)
+
+(cherry picked from commit 99540ec)
+
+https://www.openssl.org/news/secadv/20181029.txt
+--- crypto/ec/ec_mult.c.orig	2018-08-14 12:45:07 UTC
++++ crypto/ec/ec_mult.c
+@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GRO
+      */
+     cardinality_bits = BN_num_bits(cardinality);
+     group_top = bn_get_top(cardinality);
+-    if ((bn_wexpand(k, group_top + 1) == NULL)
+-        || (bn_wexpand(lambda, group_top + 1) == NULL))
++    if ((bn_wexpand(k, group_top + 2) == NULL)
++        || (bn_wexpand(lambda, group_top + 2) == NULL)) 
+         goto err;
+ 
+     if (!BN_copy(k, scalar))
+@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GRO
+      * k := scalar + 2*cardinality
+      */
+     kbit = BN_is_bit_set(lambda, cardinality_bits);
+-    BN_consttime_swap(kbit, k, lambda, group_top + 1);
++    BN_consttime_swap(kbit, k, lambda, group_top + 2);
+ 
+     group_top = bn_get_top(group->field);
+     if ((bn_wexpand(s->X, group_top) == NULL)