- /*
- * The normal signature calculation is:
- *
- * s := k^-1 * (m + r * priv_key) mod order
- *
- * We will blind this to protect against side channel attacks
- *
- * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod order
- */
-
- /* Generate a blinding value */
- do {
- if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0))
- goto err;
- } while (BN_is_zero(blind));
- BN_set_flags(blind, BN_FLG_CONSTTIME);
- BN_set_flags(blindm, BN_FLG_CONSTTIME);
- BN_set_flags(tmp, BN_FLG_CONSTTIME);
-
- /* tmp := blind * priv_key * r mod order */
- if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
- goto err;
- }
- if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
- goto err;
- }
-
- /* blindm := blind * m mod order */
- if (!BN_mod_mul(blindm, blind, m, order, ctx)) {