Diffstat (limited to 'src/crypto/ecdsa/ecdsa.c')
-rw-r--r-- | src/crypto/ecdsa/ecdsa.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/src/crypto/ecdsa/ecdsa.c b/src/crypto/ecdsa/ecdsa.c
index b71799e..86e41bb 100644
--- a/src/crypto/ecdsa/ecdsa.c
+++ b/src/crypto/ecdsa/ecdsa.c
@@ -322,7 +322,21 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
   } while (BN_is_zero(r));
 
   /* compute the inverse of k */
-  if (!BN_mod_inverse(k, k, order, ctx)) {
+  if (ec_group_get_mont_data(group) != NULL) {
+    /* We want inverse in constant time, therefore we use that the order must
+     * be prime and thus we can use Fermat's Little Theorem. */
+    if (!BN_set_word(X, 2) ||
+        !BN_sub(X, order, X)) {
+      OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_BN_LIB);
+      goto err;
+    }
+    BN_set_flags(X, BN_FLG_CONSTTIME);
+    if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx,
+                                   ec_group_get_mont_data(group))) {
+      OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_BN_LIB);
+      goto err;
+    }
+  } else if (!BN_mod_inverse(k, k, order, ctx)) {
     OPENSSL_PUT_ERROR(ECDSA, ecdsa_sign_setup, ERR_R_BN_LIB);
     goto err;
   }
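Review bot: The exponent `X` built here is `order - 2`, a public value, while the secret whose timing matters is the base `k`; the `BN_set_flags(X, BN_FLG_CONSTTIME)` line marks the public operand and reads as if it were the protection, so the comment should say what is actually being hidden, e.g. `/* order - 2 is public; BN_mod_exp_mont_consttime is used so the secret base k is not leaked through timing. */`. `ec_group_get_mont_data(group)` is also called twice in the new branch; hoisting it into `const BN_MONT_CTX *mont = ec_group_get_mont_data(group);` and using `mont` in both places avoids the repeated lookup. The `else if` fallback keeps the variable-time `BN_mod_inverse` for groups without Montgomery data, which deserves a one-line comment so a reader does not assume every path through this function is constant time. `X` appears to be reused as scratch for the exponent — presumably it is no longer needed once `r` has been derived, but that, like the rest of `ecdsa_sign_setup`, lies outside the hunk.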