diff options
author | Andy Polyakov <appro@openssl.org> | 2014-09-12 00:13:20 +0200 |
---|---|---|
committer | Andy Polyakov <appro@openssl.org> | 2014-09-12 00:13:20 +0200 |
commit | f54be179aa4cbbd944728771d7d59ed588158a12 (patch) | |
tree | 0dc5e2fa108f0db85230a0ce2d040eb7597642b4 /crypto/ecdsa | |
parent | 902b30df193afc3417a96ba72a81ed390bd50de3 (diff) | |
download | openssl-f54be179aa4cbbd944728771d7d59ed588158a12.tar.gz |
Reserve option to use BN_mod_exp_mont_consttime in ECDSA.
Submitted by Shay Gueron, Intel Corp.
RT: 3149
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/ecdsa')
-rw-r--r-- | crypto/ecdsa/ecs_ossl.c | 36 |
1 files changed, 31 insertions, 5 deletions
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index adab1f74b4..97541a24b5 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -219,11 +219,37 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, while (BN_is_zero(r)); /* compute the inverse of k */ - if (!BN_mod_inverse(k, k, order, ctx)) - { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); - goto err; - } + if (EC_GROUP_get_mont_data(group) != NULL) + { + /* We want inverse in constant time, therefore we utilize the + * fact order must be prime and use Fermats Little Theorem + * instead. */ + if (!BN_set_word(X, 2) ) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_sub(X, order, X, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + BN_set_flags(X, BN_FLG_CONSTTIME); + if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx, EC_GROUP_get_mont_data(group))) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + } + else + { + if (!BN_mod_inverse(k, k, order, ctx)) + { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); + goto err; + } + } + /* clear old values if necessary */ if (*rp != NULL) BN_clear_free(*rp); |