authorAndy Polyakov <appro@openssl.org>2014-09-12 00:13:20 +0200
committerAndy Polyakov <appro@openssl.org>2014-09-12 00:13:20 +0200
commitf54be179aa4cbbd944728771d7d59ed588158a12 (patch)
tree0dc5e2fa108f0db85230a0ce2d040eb7597642b4 /crypto/ecdsa
parent902b30df193afc3417a96ba72a81ed390bd50de3 (diff)
downloadopenssl-f54be179aa4cbbd944728771d7d59ed588158a12.tar.gz
Reserve option to use BN_mod_exp_mont_consttime in ECDSA.
Submitted by Shay Gueron, Intel Corp. RT: 3149 Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/ecdsa')
-rw-r--r--crypto/ecdsa/ecs_ossl.c36
1 files changed, 31 insertions, 5 deletions
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index adab1f74b4..97541a24b5 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -219,11 +219,37 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
while (BN_is_zero(r));
/* compute the inverse of k */
- if (!BN_mod_inverse(k, k, order, ctx))
- {
- ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
- goto err;
- }
+ if (EC_GROUP_get_mont_data(group) != NULL)
+ {
+ /* We want inverse in constant time, therefore we utilize the
+ * fact order must be prime and use Fermats Little Theorem
+ * instead. */
+ if (!BN_set_word(X, 2) )
+ {
+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!BN_mod_sub(X, order, X, order, ctx))
+ {
+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ BN_set_flags(X, BN_FLG_CONSTTIME);
+ if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx, EC_GROUP_get_mont_data(group)))
+ {
+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ }
+ else
+ {
+ if (!BN_mod_inverse(k, k, order, ctx))
+ {
+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ }
+
/* clear old values if necessary */
if (*rp != NULL)
BN_clear_free(*rp);
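Review bot: The else branch at the end of the hunk still inverts the secret nonce k with the plain `BN_mod_inverse(k, k, order, ctx)`, which is the variable-time Euclidean path, so every group for which EC_GROUP_get_mont_data() returns NULL keeps exactly the nonce-timing leak the new Fermat branch was added to close, and nonce timing is what a lattice attack on ECDSA needs. At minimum the fallback should set `BN_set_flags(k, BN_FLG_CONSTTIME);` immediately before that call, which (as far as I can tell from the BN sources of this era) routes BN_mod_inverse to its no-branch variant; better still would be a comment stating which groups are expected to reach the fallback so the gap is at least documented. Relatedly, the `BN_set_flags(X, BN_FLG_CONSTTIME)` on the new path flags the public exponent order-2 rather than the secret base k, and BN_mod_exp_mont_consttime is constant-time regardless of that flag, so a reader may wrongly take that line as the thing protecting k; a comment such as `/* exponent is public; the secret is the base k, protected by the consttime exponentiation itself */` would prevent that reading. The comment at the top of the branch should also spell out the two preconditions of Fermat inversion, order prime and k != 0 mod order, and which earlier code guarantees them (the nonce generation is presumably what rules out k == 0 — worth confirming); "Fermats" should read "Fermat's". ecdsa_sign_setup begins and ends outside this hunk.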