Diffstat (limited to 'src/crypto/ecdsa/ecdsa.c')
-rw-r--r--src/crypto/ecdsa/ecdsa.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/src/crypto/ecdsa/ecdsa.c b/src/crypto/ecdsa/ecdsa.c
index b71799e..86e41bb 100644
--- a/src/crypto/ecdsa/ecdsa.c
+++ b/src/crypto/ecdsa/ecdsa.c
@@ -322,7 +322,21 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
} while (BN_is_zero(r));
/* compute the inverse of k */
- if (!BN_mod_inverse(k, k, order, ctx)) {
+ if (ec_group_get_mont_data(group) != NULL) {
+ /* We want inverse in constant time, therefore we use that the order must
+ * be prime and thus we can use Fermat's Little Theorem. */
+ if (!BN_set_word(X, 2) ||
+ !BN_sub(X, order, X)) {
+ OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_BN_LIB);
+ goto err;
+ }
+ BN_set_flags(X, BN_FLG_CONSTTIME);
+ if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx,
+ ec_group_get_mont_data(group))) {
+ OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_BN_LIB);
+ goto err;
+ }
+ } else if (!BN_mod_inverse(k, k, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_BN_LIB);
goto err;
}
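Review bot: The `else if (!BN_mod_inverse(k, k, order, ctx))` fallback still inverts the secret nonce k with the general-purpose routine whenever `ec_group_get_mont_data(group)` returns NULL, so the constant-time property added here is conditional and nothing tells the caller which path ran. Whether k already carries BN_FLG_CONSTTIME is not visible in this hunk; if it does not, consider setting it before the fallback, or at least document the gap with `/* No Montgomery context: this inversion is not constant time with respect to k. */`. The Fermat branch also relies on the group order being prime, which the comment states but no visible line checks; with a composite order the exponentiation would return a value that is not the inverse of k, without reporting an error. ecdsa_sign_setup begins and ends outside the hunk, so both points should be confirmed against the rest of the function.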