/src/boringssl/crypto/fipsmodule/ecdsa/ecdsa.cc.inc

Source
// Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <openssl/ecdsa.h>

#include <assert.h>
#include <string.h>

#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/mem.h>

#include "../../internal.h"
#include "../bcm_interface.h"
#include "../bn/internal.h"
#include "../ec/internal.h"
#include "../service_indicator/internal.h"
#include "internal.h"


// digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for
// ECDSA.
static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
                             const uint8_t *digest, size_t digest_len) {
  const BIGNUM *order = EC_GROUP_get0_order(group);
  size_t num_bits = BN_num_bits(order);
  // Need to truncate digest if it is too long: first truncate whole bytes.
  size_t num_bytes = (num_bits + 7) / 8;
  if (digest_len > num_bytes) {
    digest_len = num_bytes;
  }
  bn_big_endian_to_words(out->words, order->width, digest, digest_len);

  // If it is still too long, truncate remaining bits with a shift.
  if (8 * digest_len > num_bits) {
    bn_rshift_words(out->words, out->words, 8 - (num_bits & 0x7), order->width);
  }

  // |out| now has the same bit width as |order|, but this only bounds by
  // 2*|order|. Subtract the order if out of range.
  //
  // Montgomery multiplication accepts the looser bounds, so this isn't strictly
  // necessary, but it is a cleaner abstraction and has no performance impact.
  BN_ULONG tmp[EC_MAX_WORDS];
  bn_reduce_once_in_place(out->words, 0 /* no carry */, order->d, tmp,
                          order->width);
}

int ecdsa_verify_fixed_no_self_test(const uint8_t *digest, size_t digest_len,
                                    const uint8_t *sig, size_t sig_len,
                                    const EC_KEY *eckey) {
  const EC_GROUP *group = EC_KEY_get0_group(eckey);
  const EC_POINT *pub_key = EC_KEY_get0_public_key(eckey);
  if (group == nullptr || pub_key == nullptr || sig == nullptr) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_MISSING_PARAMETERS);
    return 0;
  }

  size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
  EC_SCALAR r, s, u1, u2, s_inv_mont, m;
  if (sig_len != 2 * scalar_len ||
      !ec_scalar_from_bytes(group, &r, sig, scalar_len) ||
      ec_scalar_is_zero(group, &r) ||
      !ec_scalar_from_bytes(group, &s, sig + scalar_len, scalar_len) ||
      ec_scalar_is_zero(group, &s)) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
    return 0;
  }

  // s_inv_mont = s^-1 in the Montgomery domain.
  if (!ec_scalar_to_montgomery_inv_vartime(group, &s_inv_mont, &s)) {
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
    return 0;
  }

  // u1 = m * s^-1 mod order
  // u2 = r * s^-1 mod order
  //
  // |s_inv_mont| is in Montgomery form while |m| and |r| are not, so |u1| and
  // |u2| will be taken out of Montgomery form, as desired.
  digest_to_scalar(group, &m, digest, digest_len);
  ec_scalar_mul_montgomery(group, &u1, &m, &s_inv_mont);
  ec_scalar_mul_montgomery(group, &u2, &r, &s_inv_mont);

  EC_JACOBIAN point;
  if (!ec_point_mul_scalar_public(group, &point, &u1, &pub_key->raw, &u2)) {
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
    return 0;
  }

  if (!ec_cmp_x_coordinate(group, &point, &r)) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
    return 0;
  }

  return 1;
}

int ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len,
                       const uint8_t *sig, size_t sig_len, const EC_KEY *key) {
  boringssl_ensure_ecc_self_test();

  return ecdsa_verify_fixed_no_self_test(digest, digest_len, sig, sig_len, key);
}

static int ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, uint8_t *sig,
                           size_t *out_sig_len, size_t max_sig_len,
                           const EC_SCALAR *priv_key, const EC_SCALAR *k,
                           const uint8_t *digest, size_t digest_len) {
  *out_retry = 0;

  // Check that the size of the group order is FIPS compliant (FIPS 186-4
  // B.5.2).
  const BIGNUM *order = EC_GROUP_get0_order(group);
  if (BN_num_bits(order) < 160) {
    OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
    return 0;
  }

  size_t sig_len = 2 * BN_num_bytes(order);
  if (sig_len > max_sig_len) {
    OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
    return 0;
  }

  // Compute r, the x-coordinate of k * generator.
  EC_JACOBIAN tmp_point;
  EC_SCALAR r;
  if (!ec_point_mul_scalar_base(group, &tmp_point, k) ||
      !ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {
    return 0;
  }

  if (constant_time_declassify_int(ec_scalar_is_zero(group, &r))) {
    *out_retry = 1;
    return 0;
  }

  // s = priv_key * r. Note if only one parameter is in the Montgomery domain,
  // |ec_scalar_mod_mul_montgomery| will compute the answer in the normal
  // domain.
  EC_SCALAR s;
  ec_scalar_to_montgomery(group, &s, &r);
  ec_scalar_mul_montgomery(group, &s, priv_key, &s);

  // s = m + priv_key * r.
  EC_SCALAR tmp;
  digest_to_scalar(group, &tmp, digest, digest_len);
  ec_scalar_add(group, &s, &s, &tmp);

  // s = k^-1 * (m + priv_key * r). First, we compute k^-1 in the Montgomery
  // domain. This is |ec_scalar_to_montgomery| followed by
  // |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery| followed by
  // |ec_scalar_from_montgomery| is equivalent and slightly more efficient.
  // Then, as above, only one parameter is in the Montgomery domain, so the
  // result is in the normal domain. Finally, note k is non-zero (or computing r
  // would fail), so the inverse must exist.
  ec_scalar_inv0_montgomery(group, &tmp, k);     // tmp = k^-1 R^2
  ec_scalar_from_montgomery(group, &tmp, &tmp);  // tmp = k^-1 R
  ec_scalar_mul_montgomery(group, &s, &s, &tmp);
  if (constant_time_declassify_int(ec_scalar_is_zero(group, &s))) {
    *out_retry = 1;
    return 0;
  }

  CONSTTIME_DECLASSIFY(r.words, sizeof(r.words));
  CONSTTIME_DECLASSIFY(s.words, sizeof(r.words));
  size_t len;
  ec_scalar_to_bytes(group, sig, &len, &r);
  assert(len == sig_len / 2);
  ec_scalar_to_bytes(group, sig + len, &len, &s);
  assert(len == sig_len / 2);
  *out_sig_len = sig_len;
  return 1;
}

int ecdsa_sign_fixed_with_nonce_for_known_answer_test(
    const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len,
    size_t max_sig_len, const EC_KEY *eckey, const uint8_t *nonce,
    size_t nonce_len) {
  if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
    return 0;
  }

  const EC_GROUP *group = EC_KEY_get0_group(eckey);
  if (group == nullptr || eckey->priv_key == nullptr) {
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
  const EC_SCALAR *priv_key = &eckey->priv_key->scalar;

  EC_SCALAR k;
  if (!ec_scalar_from_bytes(group, &k, nonce, nonce_len)) {
    return 0;
  }
  int retry_ignored;
  return ecdsa_sign_impl(group, &retry_ignored, sig, out_sig_len, max_sig_len,
                         priv_key, &k, digest, digest_len);
}

int ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len, uint8_t *sig,
                     size_t *out_sig_len, size_t max_sig_len,
                     const EC_KEY *eckey) {
  boringssl_ensure_ecc_self_test();

  if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
    return 0;
  }

  const EC_GROUP *group = EC_KEY_get0_group(eckey);
  if (group == nullptr || eckey->priv_key == nullptr) {
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
  const BIGNUM *order = EC_GROUP_get0_order(group);
  const EC_SCALAR *priv_key = &eckey->priv_key->scalar;

  // Pass a SHA512 hash of the private key and digest as additional data
  // into the RBG. This is a hardening measure against entropy failure.
  static_assert(SHA512_DIGEST_LENGTH >= 32,
                "additional_data is too large for SHA-512");

  FIPS_service_indicator_lock_state();

  SHA512_CTX sha;
  uint8_t additional_data[SHA512_DIGEST_LENGTH];
  BCM_sha512_init(&sha);
  BCM_sha512_update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
  BCM_sha512_update(&sha, digest, digest_len);
  BCM_sha512_final(additional_data, &sha);

  // Cap iterations so callers who supply invalid values as custom groups do not
  // infinite loop. This does not impact valid parameters (e.g. those covered by
  // FIPS) because the probability of requiring even one retry is negligible,
  // let alone 32.
  static const int kMaxIterations = 32;
  int ret = 0;
  int iters = 0;
  for (;;) {
    EC_SCALAR k;
    if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
      goto out;
    }

    // TODO(davidben): Move this inside |ec_random_nonzero_scalar| or lower, so
    // that all scalars we generate are, by default, secret.
    CONSTTIME_SECRET(k.words, sizeof(k.words));

    int retry;
    ret = ecdsa_sign_impl(group, &retry, sig, out_sig_len, max_sig_len,
                          priv_key, &k, digest, digest_len);
    if (ret || !retry) {
      goto out;
    }

    iters++;
    if (iters > kMaxIterations) {
      OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_TOO_MANY_ITERATIONS);
      goto out;
    }
  }

out:
  FIPS_service_indicator_unlock_state();
  return ret;
}

Coverage Report

Created: 2025-11-17 06:18

Line	Count	Source
1		// Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include <openssl/ecdsa.h>
16
17		#include <assert.h>
18		#include <string.h>
19
20		#include <openssl/bn.h>
21		#include <openssl/err.h>
22		#include <openssl/mem.h>
23
24		#include "../../internal.h"
25		#include "../bcm_interface.h"
26		#include "../bn/internal.h"
27		#include "../ec/internal.h"
28		#include "../service_indicator/internal.h"
29		#include "internal.h"
30
31
32		// digest_to_scalar interprets \|digest_len\| bytes from \|digest\| as a scalar for
33		// ECDSA.
34		static void digest_to_scalar(const EC_GROUP group, EC_SCALAR out,
35	6.80k	const uint8_t *digest, size_t digest_len) {
36	6.80k	const BIGNUM *order = EC_GROUP_get0_order(group);
37	6.80k	size_t num_bits = BN_num_bits(order);
38		// Need to truncate digest if it is too long: first truncate whole bytes.
39	6.80k	size_t num_bytes = (num_bits + 7) / 8;
40	6.80k	if (digest_len > num_bytes) {
41	4.39k	digest_len = num_bytes;
42	4.39k	}
43	6.80k	bn_big_endian_to_words(out->words, order->width, digest, digest_len);
44
45		// If it is still too long, truncate remaining bits with a shift.
46	6.80k	if (8 * digest_len > num_bits) {
47	0	bn_rshift_words(out->words, out->words, 8 - (num_bits & 0x7), order->width);
48	0	}
49
50		// \|out\| now has the same bit width as \|order\|, but this only bounds by
51		// 2*\|order\|. Subtract the order if out of range.
52		//
53		// Montgomery multiplication accepts the looser bounds, so this isn't strictly
54		// necessary, but it is a cleaner abstraction and has no performance impact.
55	6.80k	BN_ULONG tmp[EC_MAX_WORDS];
56	6.80k	bn_reduce_once_in_place(out->words, 0 /* no carry */, order->d, tmp,
57	6.80k	order->width);
58	6.80k	}
59
60		int ecdsa_verify_fixed_no_self_test(const uint8_t *digest, size_t digest_len,
61		const uint8_t *sig, size_t sig_len,
62	6.92k	const EC_KEY *eckey) {
63	6.92k	const EC_GROUP *group = EC_KEY_get0_group(eckey);
64	6.92k	const EC_POINT *pub_key = EC_KEY_get0_public_key(eckey);
65	6.92k	if (group == nullptr \|\| pub_key == nullptr \|\| sig == nullptr) {
66	0	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_MISSING_PARAMETERS);
67	0	return 0;
68	0	}
69
70	6.92k	size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
71	6.92k	EC_SCALAR r, s, u1, u2, s_inv_mont, m;
72	6.92k	if (sig_len != 2 * scalar_len \|\|
73	6.92k	!ec_scalar_from_bytes(group, &r, sig, scalar_len) \|\|
74	6.82k	ec_scalar_is_zero(group, &r) \|\|
75	6.81k	!ec_scalar_from_bytes(group, &s, sig + scalar_len, scalar_len) \|\|
76	6.70k	ec_scalar_is_zero(group, &s)) {
77	231	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
78	231	return 0;
79	231	}
80
81		// s_inv_mont = s^-1 in the Montgomery domain.
82	6.69k	if (!ec_scalar_to_montgomery_inv_vartime(group, &s_inv_mont, &s)) {
83	0	OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
84	0	return 0;
85	0	}
86
87		// u1 = m * s^-1 mod order
88		// u2 = r * s^-1 mod order
89		//
90		// \|s_inv_mont\| is in Montgomery form while \|m\| and \|r\| are not, so \|u1\| and
91		// \|u2\| will be taken out of Montgomery form, as desired.
92	6.69k	digest_to_scalar(group, &m, digest, digest_len);
93	6.69k	ec_scalar_mul_montgomery(group, &u1, &m, &s_inv_mont);
94	6.69k	ec_scalar_mul_montgomery(group, &u2, &r, &s_inv_mont);
95
96	6.69k	EC_JACOBIAN point;
97	6.69k	if (!ec_point_mul_scalar_public(group, &point, &u1, &pub_key->raw, &u2)) {
98	0	OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
99	0	return 0;
100	0	}
101
102	6.69k	if (!ec_cmp_x_coordinate(group, &point, &r)) {
103	6.68k	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
104	6.68k	return 0;
105	6.68k	}
106
107	14	return 1;
108	6.69k	}
109
110		int ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len,
111	6.92k	const uint8_t sig, size_t sig_len, const EC_KEY key) {
112	6.92k	boringssl_ensure_ecc_self_test();
113
114	6.92k	return ecdsa_verify_fixed_no_self_test(digest, digest_len, sig, sig_len, key);
115	6.92k	}
116
117		static int ecdsa_sign_impl(const EC_GROUP group, int out_retry, uint8_t *sig,
118		size_t *out_sig_len, size_t max_sig_len,
119		const EC_SCALAR priv_key, const EC_SCALAR k,
120	109	const uint8_t *digest, size_t digest_len) {
121	109	*out_retry = 0;
122
123		// Check that the size of the group order is FIPS compliant (FIPS 186-4
124		// B.5.2).
125	109	const BIGNUM *order = EC_GROUP_get0_order(group);
126	109	if (BN_num_bits(order) < 160) {
127	0	OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
128	0	return 0;
129	0	}
130
131	109	size_t sig_len = 2 * BN_num_bytes(order);
132	109	if (sig_len > max_sig_len) {
133	0	OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
134	0	return 0;
135	0	}
136
137		// Compute r, the x-coordinate of k * generator.
138	109	EC_JACOBIAN tmp_point;
139	109	EC_SCALAR r;
140	109	if (!ec_point_mul_scalar_base(group, &tmp_point, k) \|\|
141	109	!ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {
142	0	return 0;
143	0	}
144
145	109	if (constant_time_declassify_int(ec_scalar_is_zero(group, &r))) {
146	0	*out_retry = 1;
147	0	return 0;
148	0	}
149
150		// s = priv_key * r. Note if only one parameter is in the Montgomery domain,
151		// \|ec_scalar_mod_mul_montgomery\| will compute the answer in the normal
152		// domain.
153	109	EC_SCALAR s;
154	109	ec_scalar_to_montgomery(group, &s, &r);
155	109	ec_scalar_mul_montgomery(group, &s, priv_key, &s);
156
157		// s = m + priv_key * r.
158	109	EC_SCALAR tmp;
159	109	digest_to_scalar(group, &tmp, digest, digest_len);
160	109	ec_scalar_add(group, &s, &s, &tmp);
161
162		// s = k^-1 * (m + priv_key * r). First, we compute k^-1 in the Montgomery
163		// domain. This is \|ec_scalar_to_montgomery\| followed by
164		// \|ec_scalar_inv0_montgomery\|, but \|ec_scalar_inv0_montgomery\| followed by
165		// \|ec_scalar_from_montgomery\| is equivalent and slightly more efficient.
166		// Then, as above, only one parameter is in the Montgomery domain, so the
167		// result is in the normal domain. Finally, note k is non-zero (or computing r
168		// would fail), so the inverse must exist.
169	109	ec_scalar_inv0_montgomery(group, &tmp, k); // tmp = k^-1 R^2
170	109	ec_scalar_from_montgomery(group, &tmp, &tmp); // tmp = k^-1 R
171	109	ec_scalar_mul_montgomery(group, &s, &s, &tmp);
172	109	if (constant_time_declassify_int(ec_scalar_is_zero(group, &s))) {
173	0	*out_retry = 1;
174	0	return 0;
175	0	}
176
177	109	CONSTTIME_DECLASSIFY(r.words, sizeof(r.words));
178	109	CONSTTIME_DECLASSIFY(s.words, sizeof(r.words));
179	109	size_t len;
180	109	ec_scalar_to_bytes(group, sig, &len, &r);
181	109	assert(len == sig_len / 2);
182	109	ec_scalar_to_bytes(group, sig + len, &len, &s);
183	109	assert(len == sig_len / 2);
184	109	*out_sig_len = sig_len;
185	109	return 1;
186	109	}
187
188		int ecdsa_sign_fixed_with_nonce_for_known_answer_test(
189		const uint8_t digest, size_t digest_len, uint8_t sig, size_t *out_sig_len,
190		size_t max_sig_len, const EC_KEY eckey, const uint8_t nonce,
191	0	size_t nonce_len) {
192	0	if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
193	0	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
194	0	return 0;
195	0	}
196
197	0	const EC_GROUP *group = EC_KEY_get0_group(eckey);
198	0	if (group == nullptr \|\| eckey->priv_key == nullptr) {
199	0	OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
200	0	return 0;
201	0	}
202	0	const EC_SCALAR *priv_key = &eckey->priv_key->scalar;
203
204	0	EC_SCALAR k;
205	0	if (!ec_scalar_from_bytes(group, &k, nonce, nonce_len)) {
206	0	return 0;
207	0	}
208	0	int retry_ignored;
209	0	return ecdsa_sign_impl(group, &retry_ignored, sig, out_sig_len, max_sig_len,
210	0	priv_key, &k, digest, digest_len);
211	0	}
212
213		int ecdsa_sign_fixed(const uint8_t digest, size_t digest_len, uint8_t sig,
214		size_t *out_sig_len, size_t max_sig_len,
215	109	const EC_KEY *eckey) {
216	109	boringssl_ensure_ecc_self_test();
217
218	109	if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
219	0	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
220	0	return 0;
221	0	}
222
223	109	const EC_GROUP *group = EC_KEY_get0_group(eckey);
224	109	if (group == nullptr \|\| eckey->priv_key == nullptr) {
225	0	OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
226	0	return 0;
227	0	}
228	109	const BIGNUM *order = EC_GROUP_get0_order(group);
229	109	const EC_SCALAR *priv_key = &eckey->priv_key->scalar;
230
231		// Pass a SHA512 hash of the private key and digest as additional data
232		// into the RBG. This is a hardening measure against entropy failure.
233	109	static_assert(SHA512_DIGEST_LENGTH >= 32,
234	109	"additional_data is too large for SHA-512");
235
236	109	FIPS_service_indicator_lock_state();
237
238	109	SHA512_CTX sha;
239	109	uint8_t additional_data[SHA512_DIGEST_LENGTH];
240	109	BCM_sha512_init(&sha);
241	109	BCM_sha512_update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
242	109	BCM_sha512_update(&sha, digest, digest_len);
243	109	BCM_sha512_final(additional_data, &sha);
244
245		// Cap iterations so callers who supply invalid values as custom groups do not
246		// infinite loop. This does not impact valid parameters (e.g. those covered by
247		// FIPS) because the probability of requiring even one retry is negligible,
248		// let alone 32.
249	109	static const int kMaxIterations = 32;
250	109	int ret = 0;
251	109	int iters = 0;
252	109	for (;;) {
253	109	EC_SCALAR k;
254	109	if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
255	0	goto out;
256	0	}
257
258		// TODO(davidben): Move this inside \|ec_random_nonzero_scalar\| or lower, so
259		// that all scalars we generate are, by default, secret.
260	109	CONSTTIME_SECRET(k.words, sizeof(k.words));
261
262	109	int retry;
263	109	ret = ecdsa_sign_impl(group, &retry, sig, out_sig_len, max_sig_len,
264	109	priv_key, &k, digest, digest_len);
265	109	if (ret \|\| !retry) {
266	109	goto out;
267	109	}
268
269	0	iters++;
270	0	if (iters > kMaxIterations) {
271	0	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_TOO_MANY_ITERATIONS);
272	0	goto out;
273	0	}
274	0	}
275
276	109	out:
277	109	FIPS_service_indicator_unlock_state();
278	109	return ret;
279	109	}