Index: libgcrypt-1.9.0/cipher/ecc.c
===================================================================
--- libgcrypt-1.9.0.orig/cipher/ecc.c
+++ libgcrypt-1.9.0/cipher/ecc.c
@@ -1581,11 +1581,11 @@ selftest_sign (gcry_sexp_t pkey, gcry_se
 {
 /* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
 static const char sample_data[] =
- "(data (flags rfc6979)"
+ "(data (flags rfc6979 no-blinding)"
 " (hash sha256 #af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
 /**/ "62113d8a62add1bf#))";
 static const char sample_data_bad[] =
- "(data (flags rfc6979)"
+ "(data (flags rfc6979 no-blinding)"
 " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
 /**/ "62113d8a62add1bf#))";
 static const char signature_r[] =
Index: libgcrypt-1.9.0/cipher/ecc-ecdsa.c
===================================================================
--- libgcrypt-1.9.0.orig/cipher/ecc-ecdsa.c
+++ libgcrypt-1.9.0/cipher/ecc-ecdsa.c
@@ -51,6 +51,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
 unsigned int abits, qbits;
 gcry_mpi_t b; /* Random number needed for blinding. */
 gcry_mpi_t bi; /* multiplicative inverse of B. */
+ int with_blinding = !(flags & PUBKEY_FLAG_NO_BLINDING);
 if (DBG_CIPHER)
 log_mpidump ("ecdsa sign hash ", input );
@@ -64,12 +65,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
 b = mpi_snew (qbits);
 bi = mpi_snew (qbits);
- do
+ if (with_blinding)
 {
- _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
- mpi_mod (b, b, ec->n);
+ do
+ {
+ _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
+ mpi_mod (b, b, ec->n);
+ }
+ while (!mpi_invm (bi, b, ec->n));
 }
- while (!mpi_invm (bi, b, ec->n));
 k = NULL;
 dr = mpi_alloc (0);
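Review bot: With `no-blinding` added to both `sample_data` and `sample_data_bad`, selftest_sign now exercises only the unblinded branch of _gcry_ecc_ecdsa_sign, so the default blinded path that ordinary callers take is no longer covered by this self-test, and nothing in the hunk records why the flag is needed. The blinding factor cancels out on the page (s is multiplied by b and later by its inverse bi), so the expected r and s values would be the same either way; if the flag is here because the blinding loop's `_gcry_mpi_randomize` call must not run during the self-test, that reason belongs above the data, e.g. `/* no-blinding: <reason>; note the blinded branch is not exercised by this test.  */` with the placeholder filled in. Keeping one of the two vectors without the flag would let both branches stay exercised. selftest_sign continues outside the hunk.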
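Review bot: The new local `with_blinding` is the only declaration in this block without a trailing comment, although the neighbouring `b` and `bi` lines carry one, and its meaning is security-relevant: a zero value removes the multiplicative blinding of the private scalar in the arithmetic further down the function. Suggest `int with_blinding = !(flags & PUBKEY_FLAG_NO_BLINDING); /* Zero only when the caller passed no-blinding; d is then used unblinded.  */`. On this page the only caller passing `no-blinding` is selftest_sign in ecc.c; whether other callers are expected to use it is not visible here. _gcry_ecc_ecdsa_sign starts before the hunk and continues after it.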
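Review bot: `b` and `bi` are still allocated from secure memory at `b = mpi_snew (qbits);` and `bi = mpi_snew (qbits);` even when `with_blinding` is zero, in which case the new `if (with_blinding)` block skips them and neither is used again on this page. If the release path (outside the hunk) tolerates NULL MPIs, the two allocations could move inside the `if`, with the declarations initialised to NULL; otherwise a short comment that the two unused secure allocations are intentional in the no-blinding case would stop a later reader from "fixing" it. The function body continues beyond the hunk.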
@@ -126,14 +130,23 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
 }
 while (!mpi_cmp_ui (r, 0));
- /* Computation of dr, sum, and s are blinded with b. */
- mpi_mulm (dr, b, ec->d, ec->n);
- mpi_mulm (dr, dr, r, ec->n); /* dr = d*r mod n */
- mpi_mulm (sum, b, hash, ec->n);
- mpi_addm (sum, sum, dr, ec->n); /* sum = hash + (d*r) mod n */
- mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */
- /* Undo blinding by b^-1 */
- mpi_mulm (s, bi, s, ec->n);
+ if (!with_blinding)
+ {
+ mpi_mulm (dr, ec->d, r, ec->n); /* dr = d*r mod n */
+ mpi_addm (sum, hash, dr, ec->n); /* sum = hash + (d*r) mod n */
+ }
+ else
+ {
+ mpi_mulm (dr, b, ec->d, ec->n);
+ mpi_mulm (dr, dr, r, ec->n); /* dr = d*r mod n */
+ mpi_mulm (sum, b, hash, ec->n);
+ mpi_addm (sum, sum, dr, ec->n); /* sum = hash + (d*r) mod n */
+ }
+ mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */
+ if (with_blinding)
+ {
+ mpi_mulm (s, bi, s, ec->n); /* Undo blinding by b^-1 */
+ }
 }
 while (!mpi_cmp_ui (s, 0));
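Review bot: The unblinded branch `mpi_mulm (dr, ec->d, r, ec->n)` / `mpi_addm (sum, hash, dr, ec->n)` operates directly on the private scalar `ec->d`, which is exactly the computation the else branch masks with b, so honouring `no-blinding` here lets a caller switch that countermeasure off; the branch should state this, e.g. `/* Unblinded: d is used directly.  Only taken when the caller explicitly passed no-blinding (see selftest_sign).  */`. The two branches are algebraically equivalent, since b is cancelled by bi after `mpi_mulm (s, k_1, sum, ec->n)`, so the signature value is the same in both modes. As a style point the three separate `with_blinding` tests could collapse into one if/else that also holds the final `mpi_mulm (s, bi, s, ec->n)`, making the blinded and unblinded sequences read as two complete alternatives. The `do … while (!mpi_cmp_ui (s, 0))` loop starts before this hunk.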