1 files changed, 1 insertions, 22 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecdsa.c b/src/lib/libcrypto/ecdsa/ecdsa.c
index 8160014b3b..52f5044997 100644
--- a/src/lib/libcrypto/ecdsa/ecdsa.c
+++ b/src/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */
+/* $OpenBSD: ecdsa.c,v 1.18 2023/08/08 13:09:28 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -341,27 +341,6 @@ ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r)
                if (!bn_rand_interval(k, 1, order))
                        goto err;
-                /*
-                 * We do not want timing information to leak the length of k,
-                 * so we compute G * k using an equivalent scalar of fixed
-                 * bit-length.
-                 *
-                 * We unconditionally perform both of these additions to prevent
-                 * a small timing information leakage.  We then choose the sum
-                 * that is one bit longer than the order.  This guarantees the
-                 * code path used in the constant time implementations
-                 * elsewhere.
-                 *
-                 * TODO: revisit the bn_copy aiming for a memory access agnostic
-                 * conditional copy.
-                 */
-                if (!BN_add(r, k, order) ||
-                    !BN_add(x, r, order) ||
-                    !bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
-                        goto err;
-                BN_set_flags(k, BN_FLG_CONSTTIME);
                /* Step 5: P = k * G. */
                if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
                        ECerror(ERR_R_EC_LIB);

diff --git a/src/lib/libcrypto/ecdsa/ecdsa.c b/src/lib/libcrypto/ecdsa/ecdsa.c index 8160014b3b..52f5044997 100644 --- a/src/lib/libcrypto/ecdsa/ecdsa.c +++ b/src/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */	1	/* $OpenBSD: ecdsa.c,v 1.18 2023/08/08 13:09:28 tb Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -341,27 +341,6 @@ ecdsa_sign_setup(EC_KEY key, BN_CTX in_ctx, BIGNUM out_kinv, BIGNUM out_r)
341	if (!bn_rand_interval(k, 1, order))	341	if (!bn_rand_interval(k, 1, order))
342	goto err;	342	goto err;
343		343
344	/*
345	* We do not want timing information to leak the length of k,
346	* so we compute G * k using an equivalent scalar of fixed
347	* bit-length.
348	*
349	* We unconditionally perform both of these additions to prevent
350	* a small timing information leakage. We then choose the sum
351	* that is one bit longer than the order. This guarantees the
352	* code path used in the constant time implementations
353	* elsewhere.
354	*
355	* TODO: revisit the bn_copy aiming for a memory access agnostic
356	* conditional copy.
357	*/
358	if (!BN_add(r, k, order) \|\|
359	!BN_add(x, r, order) \|\|
360	!bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
361	goto err;
362
363	BN_set_flags(k, BN_FLG_CONSTTIME);
364
365	/* Step 5: P = k * G. */	344	/* Step 5: P = k * G. */
366	if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {	345	if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
367	ECerror(ERR_R_EC_LIB);	346	ECerror(ERR_R_EC_LIB);