# HG changeset patch
# User Billy Brumley <bbrumley@gmail.com>
# Date 1595283525 0
# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
# Parent  ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche

Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.

Timing attack countermeasures are now applied more generally deeper in
the call stack.

Differential Revision: https://phabricator.services.mozilla.com/D82011


Upstream-Status: Backport

CVE: CVE-2020-1240
Signed-off-by: Armin Kuster <akuster@mvista.com>

Index: nss-3.51.1/nss/lib/freebl/ec.c
===================================================================
--- nss-3.51.1.orig/nss/lib/freebl/ec.c
+++ nss-3.51.1/nss/lib/freebl/ec.c
@@ -724,27 +724,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
     }
 
     /*
-    ** We do not want timing information to leak the length of k,
-    ** so we compute k*G using an equivalent scalar of fixed
-    ** bit-length.
-    ** Fix based on patch for ECDSA timing attack in the paper
-    ** by Billy Bob Brumley and Nicola Tuveri at
-    **   http://eprint.iacr.org/2011/232
-    **
-    ** How do we convert k to a value of a fixed bit-length?
-    ** k starts off as an integer satisfying 0 <= k < n.  Hence,
-    ** n <= k+n < 2n, which means k+n has either the same number
-    ** of bits as n or one more bit than n.  If k+n has the same
-    ** number of bits as n, the second addition ensures that the
-    ** final value has exactly one more bit than n.  Thus, we
-    ** always end up with a value that exactly one more bit than n.
-    */
-    CHECK_MPI_OK(mp_add(&k, &n, &k));
-    if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
-        CHECK_MPI_OK(mp_add(&k, &n, &k));
-    }
-
-    /*
     ** ANSI X9.62, Section 5.3.2, Step 2
     **
     ** Compute kG