/*
- * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
}
while (BN_is_zero(k));
- /*
- * We do not want timing information to leak the length of k, so we
- * compute G*k using an equivalent scalar of fixed bit-length.
- *
- * We unconditionally perform both of these additions to prevent a
- * small timing information leakage. We then choose the sum that is
- * one bit longer than the order. This guarantees the code
- * path used in the constant time implementations elsewhere.
- *
- * TODO: revisit the BN_copy aiming for a memory access agnostic
- * conditional copy.
- */
- if (!BN_add(r, k, order)
- || !BN_add(X, r, order)
- || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
- goto err;
-
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
}
while (BN_is_zero(r));
- /* compute the inverse of k */
- if (EC_GROUP_get_mont_data(group) != NULL) {
- /*
- * We want inverse in constant time, therefore we utilize the fact
- * order must be prime and use Fermat's Little Theorem instead.
- */
- if (!BN_set_word(X, 2)) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
- }
- if (!BN_mod_sub(X, order, X, order, ctx)) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
- }
- BN_set_flags(X, BN_FLG_CONSTTIME);
- if (!BN_mod_exp_mont_consttime
- (k, k, X, order, ctx, EC_GROUP_get_mont_data(group))) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
- }
- } else {
- if (!BN_mod_inverse(k, k, order, ctx)) {
- ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
+ /* Check if optimized inverse is implemented */
+ if (EC_GROUP_do_inverse_ord(group, k, k, ctx) == 0) {
+ /* compute the inverse of k */
+ if (group->mont_data != NULL) {
+ /*
+ * We want inverse in constant time, therefore we utilize the fact
+ * order must be prime and use Fermats Little Theorem instead.
+ */
+ if (!BN_set_word(X, 2)) {
+ ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!BN_mod_sub(X, order, X, order, ctx)) {
+ ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ BN_set_flags(X, BN_FLG_CONSTTIME);
+ if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx,
+ group->mont_data)) {
+ ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ } else {
+ if (!BN_mod_inverse(k, k, order, ctx)) {
+ ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
+ }
}
}
}
if (BN_is_zero(s)) {
/*
- * if kinv and r have been supplied by the caller don't to
+ * if kinv and r have been supplied by the caller, don't
* generate new kinv and r values
*/
if (in_kinv != NULL && in_r != NULL) {
goto err;
}
/* calculate tmp1 = inv(S) mod order */
- if (!BN_mod_inverse(u2, sig->s, order, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
- goto err;
+ /* Check if optimized inverse is implemented */
+ if (EC_GROUP_do_inverse_ord(group, u2, sig->s, ctx) == 0) {
+ if (!BN_mod_inverse(u2, sig->s, order, ctx)) {
+ ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
}
/* digest -> m */
i = BN_num_bits(order);
projects / openssl.git / blobdiff