authorNIIBE Yutaka <gniibe@fsij.org>2020-03-12 14:26:45 +0900
committerNIIBE Yutaka <gniibe@fsij.org>2020-03-12 14:26:45 +0900
commit4c89767677b36213ef9531a563f44c21177f4148 (patch)
treeb535f9a96d458a7ba79efac0d8138a92b4b05387
parent41ede3b56efd0f426ce71bacff3226ef60b6880c (diff)
downloadlibgcrypt-gniibe/const-invm.tar.gz
constant-time-invm: Calculate k^-1 before dsa_modify_k.gniibe/const-invm
* cipher/dsa.c (sign): Call mpi_invm before _gcry_dsa_modify_k. * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise. Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-rw-r--r--cipher/dsa.c8
-rw-r--r--cipher/ecc-ecdsa.c3
2 files changed, 6 insertions, 5 deletions
diff --git a/cipher/dsa.c b/cipher/dsa.c
index 24a53528..b93e385e 100644
--- a/cipher/dsa.c
+++ b/cipher/dsa.c
@@ -635,16 +635,16 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
}
+ /* kinv = k^(-1) mod q */
+ kinv = mpi_alloc( mpi_get_nlimbs(k) );
+ mpi_invm(kinv, k, skey->q );
+
_gcry_dsa_modify_k (k, skey->q, qbits);
/* r = (a^k mod p) mod q */
mpi_powm( r, skey->g, k, skey->p );
mpi_fdiv_r( r, r, skey->q );
- /* kinv = k^(-1) mod q */
- kinv = mpi_alloc( mpi_get_nlimbs(k) );
- mpi_invm(kinv, k, skey->q );
-
/* s = (kinv * ( hash + x * r)) mod q */
tmp = mpi_alloc( mpi_get_nlimbs(skey->p) );
mpi_mul( tmp, skey->x, r );
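Review bot: The moved inversion (the three added lines after `}`) now depends on an invariant that nothing in the hunk states: k must still be reduced mod q at this point, and `_gcry_dsa_modify_k` must only add multiples of q, otherwise `kinv` is no longer the inverse of the k actually fed to `mpi_powm` and the signature is unusable. I would record that above the `mpi_alloc` line, e.g. `/* Invert k before _gcry_dsa_modify_k: k is still reduced mod q here, and modify_k is assumed to add only multiples of q, so kinv stays k^-1 for the k used below. */`, so a later change to either function does not silently break `sign`. The return value of `mpi_invm` is still discarded; if it reports whether an inverse exists, as I believe libgcrypt's `_gcry_mpi_invm` does, checking it would turn a bad q into an explicit error instead of a wrong signature. The same two points apply to the `mpi_invm (k_1, k, ec->n)` line in the cipher/ecc-ecdsa.c hunk. `sign` starts and ends outside this hunk.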
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
index 256f478b..d540578e 100644
--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
@@ -110,6 +110,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, mpi_ec_t ec,
else
k = _gcry_dsa_gen_k (ec->n, GCRY_STRONG_RANDOM);
+ mpi_invm (k_1, k, ec->n); /* k_1 = k^(-1) mod n */
+
_gcry_dsa_modify_k (k, ec->n, qbits);
_gcry_mpi_ec_mul_point (&I, k, ec->G, ec);
@@ -129,7 +131,6 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, mpi_ec_t ec,
mpi_mulm (dr, dr, r, ec->n); /* dr = d*r mod n */
mpi_mulm (sum, b, hash, ec->n);
mpi_addm (sum, sum, dr, ec->n); /* sum = hash + (d*r) mod n */
- mpi_invm (k_1, k, ec->n); /* k_1 = k^(-1) mod n */
mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */
/* Undo blinding by b^-1 */
mpi_mulm (s, bi, s, ec->n);