libgcrypt/libgcrypt-ecc-ecdsa-no-blinding.patch

Index: libgcrypt-1.8.5/cipher/ecc.c
===================================================================
--- libgcrypt-1.8.5.orig/cipher/ecc.c
+++ libgcrypt-1.8.5/cipher/ecc.c
@@ -2060,11 +2060,11 @@ selftest_sign (gcry_sexp_t pkey, gcry_se
 {
   /* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
   static const char sample_data[] =
-    "(data (flags rfc6979)"
+    "(data (flags rfc6979 no-blinding)"
     " (hash sha256 #af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
     /**/           "62113d8a62add1bf#))";
   static const char sample_data_bad[] =
-    "(data (flags rfc6979)"
+    "(data (flags rfc6979 no-blinding)"
     " (hash sha256 #bf2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e98915"
     /**/           "62113d8a62add1bf#))";
   static const char signature_r[] =
Index: libgcrypt-1.8.5/cipher/ecc-ecdsa.c
===================================================================
--- libgcrypt-1.8.5.orig/cipher/ecc-ecdsa.c
+++ libgcrypt-1.8.5/cipher/ecc-ecdsa.c
@@ -52,6 +52,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
   mpi_ec_t ctx;
   gcry_mpi_t b;                /* Random number needed for blinding.  */
   gcry_mpi_t bi;               /* multiplicative inverse of B.        */
+  int with_blinding = !(flags & PUBKEY_FLAG_NO_BLINDING);
 
   if (DBG_CIPHER)
     log_mpidump ("ecdsa sign hash  ", input );
@@ -65,12 +66,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
 
   b  = mpi_snew (qbits);
   bi = mpi_snew (qbits);
-  do
+  if (with_blinding)
     {
-      _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
-      mpi_mod (b, b, skey->E.n);
+      do
+        {
+          _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
+          mpi_mod (b, b, skey->E.n);
+        }
+      while (!mpi_invm (bi, b, skey->E.n));
     }
-  while (!mpi_invm (bi, b, skey->E.n));
 
   k = NULL;
   dr = mpi_alloc (0);
@@ -128,15 +132,26 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
         }
       while (!mpi_cmp_ui (r, 0));
 
-      /* Computation of dr, sum, and s are blinded with b.  */
-      mpi_mulm (dr, b, skey->d, skey->E.n);
-      mpi_mulm (dr, dr, r, skey->E.n);      /* dr = d*r mod n */
-      mpi_mulm (sum, b, hash, skey->E.n);
-      mpi_addm (sum, sum, dr, skey->E.n);   /* sum = hash + (d*r) mod n */
+      if (!with_blinding)
+        {
+          mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n  */
+          mpi_addm (sum, hash, dr, skey->E.n);  /* sum = hash + (d*r) mod n  */
+	}
+      else
+        {
+          /* Computation of dr, sum, and s are blinded with b.  */
+          mpi_mulm (dr, b, skey->d, skey->E.n);
+          mpi_mulm (dr, dr, r, skey->E.n);      /* dr = d*r mod n */
+          mpi_mulm (sum, b, hash, skey->E.n);
+          mpi_addm (sum, sum, dr, skey->E.n);   /* sum = hash + (d*r) mod n */
+	}
       mpi_invm (k_1, k, skey->E.n);         /* k_1 = k^(-1) mod n  */
       mpi_mulm (s, k_1, sum, skey->E.n);    /* s = k^(-1)*(hash+(d*r)) mod n */
-      /* Undo blinding by b^-1 */
-      mpi_mulm (s, bi, s, skey->E.n);
+      if (with_blinding)
+        {
+          /* Undo blinding by b^-1 */
+          mpi_mulm (s, bi, s, skey->E.n);
+	}
     }
   while (!mpi_cmp_ui (s, 0));