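--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -1,10 +1,10 @@
 /* crypto/ecdsa/ecs_ossl.c */
 /*
 * Written by Nils Larsch for the OpenSSL project
 */
 /* ====================================================================
 * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -137,20 +137,28 @@
 /* get random k */
 do
 if (!BN_rand_range(k, order))
 {
 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
 goto err;
 }
 while (BN_is_zero(k));
 
+/* We do not want timing information to leak the length of k,
+ * so we compute G*k using an equivalent scalar of fixed
+ * bit-length. */
+
+if (!BN_add(k, k, order)) goto err;
+if (BN_num_bits(k) <= BN_num_bits(order))
+if (!BN_add(k, k, order)) goto err;
+
 /* compute r the x-coordinate of generator * k */
 if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
 {
 ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
 goto err;
 }
 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
 {
 if (!EC_POINT_get_affine_coordinates_GFp(group,
 tmp_point, X, NULL, ctx))
@@ -463,10 +471,10 @@
 }
 /* if the signature is correct u1 is equal to sig->r */
 ret = (BN_ucmp(u1, sig->r) == 0);
 err:
 BN_CTX_end(ctx);
 BN_CTX_free(ctx);
 if (point)
 EC_POINT_free(point);
 return ret;
 }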
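Review bot: The new guard at NEW line 152, `if (BN_num_bits(k) <= BN_num_bits(order))`, still branches on secret data: whether the first `k + order` carried into a new top bit decides if a second addition runs, so the fixed-length goal is reached only up to that one data-dependent conditional (and BN_add's own running time may vary with operand word-length). A branch-free form that computes both `k + order` and `k + 2*order` and selects the one with `BN_num_bits(order) + 1` bits would remove the conditional; this hunk also equalizes only the length of the scalar handed to EC_POINT_mul, so whether that multiplication's timing is otherwise independent of the value of k is not addressed here and presumably needs separate review. The comment block at NEW lines 147-149 would read better with the invariant it establishes stated explicitly, e.g. `/* After this, BN_num_bits(k) == BN_num_bits(order) + 1 and k is unchanged mod order. */`. The enclosing ecdsa_sign_setup begins and ends outside this hunk, so any later use of the now-enlarged k should be checked to confirm it relies only on k's residue mod order.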