libgcrypt/libgcrypt-ecc-ecdsa-no-blinding.patch

Index: libgcrypt-1.9.0/cipher/ecc.c
===================================================================
--- libgcrypt-1.9.0.orig/cipher/ecc.c
+++ libgcrypt-1.9.0/cipher/ecc.c
@@ -1581,11 +1581,11 @@ selftest_sign (gcry_sexp_t pkey, gcry_se
 {
   /* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
   static const char sample_data[] =
-    "(data (flags rfc6979)"
+    "(data (flags rfc6979 no-blinding)"
     " (hash sha256 #af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
     /**/           "62113d8a62add1bf#))";
   static const char sample_data_bad[] =
-    "(data (flags rfc6979)"
+    "(data (flags rfc6979 no-blinding)"
     " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
     /**/           "62113d8a62add1bf#))";
   static const char signature_r[] =
Index: libgcrypt-1.9.0/cipher/ecc-ecdsa.c
===================================================================
--- libgcrypt-1.9.0.orig/cipher/ecc-ecdsa.c
+++ libgcrypt-1.9.0/cipher/ecc-ecdsa.c
@@ -51,6 +51,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
   unsigned int abits, qbits;
   gcry_mpi_t b;                /* Random number needed for blinding.  */
   gcry_mpi_t bi;               /* multiplicative inverse of B.        */
+  int with_blinding = !(flags & PUBKEY_FLAG_NO_BLINDING);
 
   if (DBG_CIPHER)
     log_mpidump ("ecdsa sign hash  ", input );
@@ -64,12 +65,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
 
   b  = mpi_snew (qbits);
   bi = mpi_snew (qbits);
-  do
+  if (with_blinding)
     {
-      _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
-      mpi_mod (b, b, ec->n);
+      do
+        {
+          _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
+          mpi_mod (b, b, ec->n);
+        }
+      while (!mpi_invm (bi, b, ec->n));
     }
-  while (!mpi_invm (bi, b, ec->n));
 
   k = NULL;
   dr = mpi_alloc (0);
@@ -126,14 +130,23 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
         }
       while (!mpi_cmp_ui (r, 0));
 
-      /* Computation of dr, sum, and s are blinded with b.  */
-      mpi_mulm (dr, b, ec->d, ec->n);
-      mpi_mulm (dr, dr, r, ec->n);      /* dr = d*r mod n */
-      mpi_mulm (sum, b, hash, ec->n);
-      mpi_addm (sum, sum, dr, ec->n);   /* sum = hash + (d*r) mod n */
-      mpi_mulm (s, k_1, sum, ec->n);    /* s = k^(-1)*(hash+(d*r)) mod n */
-      /* Undo blinding by b^-1 */
-      mpi_mulm (s, bi, s, ec->n);
+      if (!with_blinding)
+        {
+          mpi_mulm (dr, ec->d, r, ec->n);    /* dr = d*r mod n */
+          mpi_addm (sum, hash, dr, ec->n);   /* sum = hash + (d*r) mod n */
+        }
+      else
+        {
+          mpi_mulm (dr, b, ec->d, ec->n);
+          mpi_mulm (dr, dr, r, ec->n);       /* dr = d*r mod n */
+          mpi_mulm (sum, b, hash, ec->n);
+          mpi_addm (sum, sum, dr, ec->n);    /* sum = hash + (d*r) mod n */
+        }
+      mpi_mulm (s, k_1, sum, ec->n);         /* s = k^(-1)*(hash+(d*r)) mod n */
+      if (with_blinding)
+        {
+          mpi_mulm (s, bi, s, ec->n);        /* Undo blinding by b^-1 */
+        }
     }
   while (!mpi_cmp_ui (s, 0));