update jsrsasign

chrisgbaker · Jan 29, 2021 · d5cf30a · d5cf30a
1 parent da25a95
commit d5cf30a
Show file tree

Hide file tree

Showing 24 changed files with 70 additions and 41 deletions.
diff --git a/jsrsasign/dist/jsrsasign.js b/jsrsasign/dist/jsrsasign.js
diff --git a/jsrsasign/ext/ec-min.js b/jsrsasign/ext/ec-min.js
diff --git a/jsrsasign/ext/ec.js b/jsrsasign/ext/ec.js
@@ -182,16 +182,25 @@ function pointFpTwice() {
 
 // Simple NAF (Non-Adjacent Form) multiplication algorithm
 // TODO: modularize the multiplication algorithm
+// UPDATE: 2020.03.30 mitigate Minerva timing attack https://minerva.crocs.fi.muni.cz/
+//                    Constant time execution on multiply method.
 function pointFpMultiply(k) {
     if(this.isInfinity()) return this;
     if(k.signum() == 0) return this.curve.getInfinity();
 
-    var e = k;
+    // initialize for multiply
+    var e = k; // e = k
     var h = e.multiply(new BigInteger("3"));
-
     var neg = this.negate();
     var R = this;
 
+    // initialize for dummy to mitigate timing attack
+    var e2 = this.curve.q.subtract(k); // e2 = q - k
+    var h2 = e2.multiply(new BigInteger("3"));
+    var R2 = new ECPointFp(this.curve, this.x, this.y);
+    var neg2 = R2.negate();
+
+    // calculate multiply
     var i;
     for(i = h.bitLength() - 2; i > 0; --i) {
 	R = R.twice();
@@ -204,6 +213,18 @@ function pointFpMultiply(k) {
 	}
     }
 
+    // calculate dummy to mitigate timing attack
+    for(i = h2.bitLength() - 2; i > 0; --i) {
+	R2 = R2.twice();
+
+	var h2Bit = h2.testBit(i);
+	var e2Bit = e2.testBit(i);
+
+	if (h2Bit != e2Bit) {
+	    R2 = R2.add(h2Bit ? R2 : neg2);
+	}
+    }
+
     return R;
 }