/src/boringssl/crypto/fipsmodule/ecdsa/ecdsa.cc.inc

Source
// Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <openssl/ecdsa.h>

#include <assert.h>
#include <string.h>

#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/mem.h>

#include "../../internal.h"
#include "../bcm_interface.h"
#include "../bn/internal.h"
#include "../ec/internal.h"
#include "../service_indicator/internal.h"
#include "internal.h"


using namespace bssl;

// digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for
// ECDSA.
static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
                             const uint8_t *digest, size_t digest_len) {
  const BIGNUM *order = EC_GROUP_get0_order(group);
  size_t num_bits = BN_num_bits(order);
  // Need to truncate digest if it is too long: first truncate whole bytes.
  size_t num_bytes = (num_bits + 7) / 8;
  if (digest_len > num_bytes) {
    digest_len = num_bytes;
  }
  bn_big_endian_to_words(out->words, order->width, digest, digest_len);

  // If it is still too long, truncate remaining bits with a shift.
  if (8 * digest_len > num_bits) {
    bn_rshift_words(out->words, out->words, 8 - (num_bits & 0x7), order->width);
  }

  // |out| now has the same bit width as |order|, but this only bounds by
  // 2*|order|. Subtract the order if out of range.
  //
  // Montgomery multiplication accepts the looser bounds, so this isn't strictly
  // necessary, but it is a cleaner abstraction and has no performance impact.
  BN_ULONG tmp[EC_MAX_WORDS];
  bn_reduce_once_in_place(out->words, 0 /* no carry */, order->d, tmp,
                          order->width);
}

int bssl::ecdsa_verify_fixed_no_self_test(const uint8_t *digest,
                                          size_t digest_len, const uint8_t *sig,
                                          size_t sig_len, const EC_KEY *eckey) {
  const EC_GROUP *group = EC_KEY_get0_group(eckey);
  const EC_POINT *pub_key = EC_KEY_get0_public_key(eckey);
  if (group == nullptr || pub_key == nullptr || sig == nullptr) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_MISSING_PARAMETERS);
    return 0;
  }

  size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
  EC_SCALAR r, s, u1, u2, s_inv_mont, m;
  if (sig_len != 2 * scalar_len ||
      !ec_scalar_from_bytes(group, &r, sig, scalar_len) ||
      ec_scalar_is_zero(group, &r) ||
      !ec_scalar_from_bytes(group, &s, sig + scalar_len, scalar_len) ||
      ec_scalar_is_zero(group, &s)) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
    return 0;
  }

  // s_inv_mont = s^-1 in the Montgomery domain.
  if (!ec_scalar_to_montgomery_inv_vartime(group, &s_inv_mont, &s)) {
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
    return 0;
  }

  // u1 = m * s^-1 mod order
  // u2 = r * s^-1 mod order
  //
  // |s_inv_mont| is in Montgomery form while |m| and |r| are not, so |u1| and
  // |u2| will be taken out of Montgomery form, as desired.
  digest_to_scalar(group, &m, digest, digest_len);
  ec_scalar_mul_montgomery(group, &u1, &m, &s_inv_mont);
  ec_scalar_mul_montgomery(group, &u2, &r, &s_inv_mont);

  EC_JACOBIAN point;
  if (!ec_point_mul_scalar_public(group, &point, &u1, &pub_key->raw, &u2)) {
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
    return 0;
  }

  if (!ec_cmp_x_coordinate(group, &point, &r)) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
    return 0;
  }

  return 1;
}

int bssl::ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len,
                             const uint8_t *sig, size_t sig_len,
                             const EC_KEY *key) {
  boringssl_ensure_ecc_self_test();

  return ecdsa_verify_fixed_no_self_test(digest, digest_len, sig, sig_len, key);
}

static int ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, uint8_t *sig,
                           size_t *out_sig_len, size_t max_sig_len,
                           const EC_SCALAR *priv_key, const EC_SCALAR *k,
                           const uint8_t *digest, size_t digest_len) {
  *out_retry = 0;

  const BIGNUM *order = EC_GROUP_get0_order(group);
  size_t sig_len = 2 * BN_num_bytes(order);
  if (sig_len > max_sig_len) {
    OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
    return 0;
  }

  // Compute r, the x-coordinate of k * generator.
  EC_JACOBIAN tmp_point;
  EC_SCALAR r;
  if (!ec_point_mul_scalar_base(group, &tmp_point, k) ||
      !ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {
    return 0;
  }

  if (constant_time_declassify_int(ec_scalar_is_zero(group, &r))) {
    *out_retry = 1;
    return 0;
  }

  // s = priv_key * r. Note if only one parameter is in the Montgomery domain,
  // |ec_scalar_mod_mul_montgomery| will compute the answer in the normal
  // domain.
  EC_SCALAR s;
  ec_scalar_to_montgomery(group, &s, &r);
  ec_scalar_mul_montgomery(group, &s, priv_key, &s);

  // s = m + priv_key * r.
  EC_SCALAR tmp;
  digest_to_scalar(group, &tmp, digest, digest_len);
  ec_scalar_add(group, &s, &s, &tmp);

  // s = k^-1 * (m + priv_key * r). First, we compute k^-1 in the Montgomery
  // domain. This is |ec_scalar_to_montgomery| followed by
  // |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery| followed by
  // |ec_scalar_from_montgomery| is equivalent and slightly more efficient.
  // Then, as above, only one parameter is in the Montgomery domain, so the
  // result is in the normal domain. Finally, note k is non-zero (or computing r
  // would fail), so the inverse must exist.
  ec_scalar_inv0_montgomery(group, &tmp, k);     // tmp = k^-1 R^2
  ec_scalar_from_montgomery(group, &tmp, &tmp);  // tmp = k^-1 R
  ec_scalar_mul_montgomery(group, &s, &s, &tmp);
  if (constant_time_declassify_int(ec_scalar_is_zero(group, &s))) {
    *out_retry = 1;
    return 0;
  }

  CONSTTIME_DECLASSIFY(r.words, sizeof(r.words));
  CONSTTIME_DECLASSIFY(s.words, sizeof(r.words));
  size_t len;
  ec_scalar_to_bytes(group, sig, &len, &r);
  assert(len == sig_len / 2);
  ec_scalar_to_bytes(group, sig + len, &len, &s);
  assert(len == sig_len / 2);
  *out_sig_len = sig_len;
  return 1;
}

int bssl::ecdsa_sign_fixed_with_nonce_for_known_answer_test(
    const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len,
    size_t max_sig_len, const EC_KEY *eckey, const uint8_t *nonce,
    size_t nonce_len) {
  const ECKey *impl = FromOpaque(eckey);

  if (impl->ecdsa_meth && impl->ecdsa_meth->sign) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
    return 0;
  }

  const EC_GROUP *group = EC_KEY_get0_group(impl);
  if (group == nullptr || impl->priv_key == nullptr) {
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
  const EC_SCALAR *priv_key = &impl->priv_key->scalar;

  EC_SCALAR k;
  if (!ec_scalar_from_bytes(group, &k, nonce, nonce_len)) {
    return 0;
  }
  int retry_ignored;
  return ecdsa_sign_impl(group, &retry_ignored, sig, out_sig_len, max_sig_len,
                         priv_key, &k, digest, digest_len);
}

int bssl::ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len,
                           uint8_t *sig, size_t *out_sig_len,
                           size_t max_sig_len, const EC_KEY *eckey) {
  const ECKey *impl = FromOpaque(eckey);

  boringssl_ensure_ecc_self_test();

  if (impl->ecdsa_meth && impl->ecdsa_meth->sign) {
    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
    return 0;
  }

  const EC_GROUP *group = EC_KEY_get0_group(impl);
  if (group == nullptr || impl->priv_key == nullptr) {
    OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
  const BIGNUM *order = EC_GROUP_get0_order(group);
  const EC_SCALAR *priv_key = &impl->priv_key->scalar;

  // Generate the ECDSA per-message secret number by rejection sampling. This
  // function implements FIPS 186-5, A.3.2, repeating the process on failure.

  // Check the group order is large enough. See step 1 of FIPS 186-5, A.3.2.
  if (BN_num_bits(order) < 224) {
    OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
    return 0;
  }

  // Pass a SHA512 hash of the private key and digest as additional data
  // into the RBG. This is a hardening measure against entropy failure.
  static_assert(SHA512_DIGEST_LENGTH >= 32,
                "additional_data is too large for SHA-512");

  FIPS_service_indicator_lock_state();

  SHA512_CTX sha;
  uint8_t additional_data[SHA512_DIGEST_LENGTH];
  BCM_sha512_init(&sha);
  BCM_sha512_update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
  BCM_sha512_update(&sha, digest, digest_len);
  BCM_sha512_final(additional_data, &sha);

  // Cap iterations so callers who supply invalid values as custom groups do not
  // infinite loop. This does not impact valid parameters (e.g. those covered by
  // FIPS) because the probability of requiring even one retry is negligible,
  // let alone 32.
  static const int kMaxIterations = 32;
  int ret = 0;
  int iters = 0;
  for (;;) {
    EC_SCALAR k;
    if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
      goto out;
    }

    // TODO(davidben): Move this inside |ec_random_nonzero_scalar| or lower, so
    // that all scalars we generate are, by default, secret.
    CONSTTIME_SECRET(k.words, sizeof(k.words));

    int retry;
    ret = ecdsa_sign_impl(group, &retry, sig, out_sig_len, max_sig_len,
                          priv_key, &k, digest, digest_len);
    if (ret || !retry) {
      goto out;
    }

    iters++;
    if (iters > kMaxIterations) {
      OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_TOO_MANY_ITERATIONS);
      goto out;
    }
  }

out:
  FIPS_service_indicator_unlock_state();
  return ret;
}

Coverage Report

Created: 2026-04-15 06:25

Line	Count	Source
1		// Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include <openssl/ecdsa.h>
16
17		#include <assert.h>
18		#include <string.h>
19
20		#include <openssl/bn.h>
21		#include <openssl/err.h>
22		#include <openssl/mem.h>
23
24		#include "../../internal.h"
25		#include "../bcm_interface.h"
26		#include "../bn/internal.h"
27		#include "../ec/internal.h"
28		#include "../service_indicator/internal.h"
29		#include "internal.h"
30
31
32		using namespace bssl;
33
34		// digest_to_scalar interprets \|digest_len\| bytes from \|digest\| as a scalar for
35		// ECDSA.
36		static void digest_to_scalar(const EC_GROUP group, EC_SCALAR out,
37	9.61k	const uint8_t *digest, size_t digest_len) {
38	9.61k	const BIGNUM *order = EC_GROUP_get0_order(group);
39	9.61k	size_t num_bits = BN_num_bits(order);
40		// Need to truncate digest if it is too long: first truncate whole bytes.
41	9.61k	size_t num_bytes = (num_bits + 7) / 8;
42	9.61k	if (digest_len > num_bytes) {
43	6.47k	digest_len = num_bytes;
44	6.47k	}
45	9.61k	bn_big_endian_to_words(out->words, order->width, digest, digest_len);
46
47		// If it is still too long, truncate remaining bits with a shift.
48	9.61k	if (8 * digest_len > num_bits) {
49	0	bn_rshift_words(out->words, out->words, 8 - (num_bits & 0x7), order->width);
50	0	}
51
52		// \|out\| now has the same bit width as \|order\|, but this only bounds by
53		// 2*\|order\|. Subtract the order if out of range.
54		//
55		// Montgomery multiplication accepts the looser bounds, so this isn't strictly
56		// necessary, but it is a cleaner abstraction and has no performance impact.
57	9.61k	BN_ULONG tmp[EC_MAX_WORDS];
58	9.61k	bn_reduce_once_in_place(out->words, 0 /* no carry */, order->d, tmp,
59	9.61k	order->width);
60	9.61k	}
61
62		int bssl::ecdsa_verify_fixed_no_self_test(const uint8_t *digest,
63		size_t digest_len, const uint8_t *sig,
64	9.36k	size_t sig_len, const EC_KEY *eckey) {
65	9.36k	const EC_GROUP *group = EC_KEY_get0_group(eckey);
66	9.36k	const EC_POINT *pub_key = EC_KEY_get0_public_key(eckey);
67	9.36k	if (group == nullptr \|\| pub_key == nullptr \|\| sig == nullptr) {
68	0	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_MISSING_PARAMETERS);
69	0	return 0;
70	0	}
71
72	9.36k	size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
73	9.36k	EC_SCALAR r, s, u1, u2, s_inv_mont, m;
74	9.36k	if (sig_len != 2 * scalar_len \|\|
75	9.36k	!ec_scalar_from_bytes(group, &r, sig, scalar_len) \|\|
76	9.23k	ec_scalar_is_zero(group, &r) \|\|
77	9.23k	!ec_scalar_from_bytes(group, &s, sig + scalar_len, scalar_len) \|\|
78	9.06k	ec_scalar_is_zero(group, &s)) {
79	301	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
80	301	return 0;
81	301	}
82
83		// s_inv_mont = s^-1 in the Montgomery domain.
84	9.06k	if (!ec_scalar_to_montgomery_inv_vartime(group, &s_inv_mont, &s)) {
85	0	OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
86	0	return 0;
87	0	}
88
89		// u1 = m * s^-1 mod order
90		// u2 = r * s^-1 mod order
91		//
92		// \|s_inv_mont\| is in Montgomery form while \|m\| and \|r\| are not, so \|u1\| and
93		// \|u2\| will be taken out of Montgomery form, as desired.
94	9.06k	digest_to_scalar(group, &m, digest, digest_len);
95	9.06k	ec_scalar_mul_montgomery(group, &u1, &m, &s_inv_mont);
96	9.06k	ec_scalar_mul_montgomery(group, &u2, &r, &s_inv_mont);
97
98	9.06k	EC_JACOBIAN point;
99	9.06k	if (!ec_point_mul_scalar_public(group, &point, &u1, &pub_key->raw, &u2)) {
100	0	OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
101	0	return 0;
102	0	}
103
104	9.06k	if (!ec_cmp_x_coordinate(group, &point, &r)) {
105	9.04k	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
106	9.04k	return 0;
107	9.04k	}
108
109	15	return 1;
110	9.06k	}
111
112		int bssl::ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len,
113		const uint8_t *sig, size_t sig_len,
114	9.36k	const EC_KEY *key) {
115	9.36k	boringssl_ensure_ecc_self_test();
116
117	9.36k	return ecdsa_verify_fixed_no_self_test(digest, digest_len, sig, sig_len, key);
118	9.36k	}
119
120		static int ecdsa_sign_impl(const EC_GROUP group, int out_retry, uint8_t *sig,
121		size_t *out_sig_len, size_t max_sig_len,
122		const EC_SCALAR priv_key, const EC_SCALAR k,
123	553	const uint8_t *digest, size_t digest_len) {
124	553	*out_retry = 0;
125
126	553	const BIGNUM *order = EC_GROUP_get0_order(group);
127	553	size_t sig_len = 2 * BN_num_bytes(order);
128	553	if (sig_len > max_sig_len) {
129	0	OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
130	0	return 0;
131	0	}
132
133		// Compute r, the x-coordinate of k * generator.
134	553	EC_JACOBIAN tmp_point;
135	553	EC_SCALAR r;
136	553	if (!ec_point_mul_scalar_base(group, &tmp_point, k) \|\|
137	553	!ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {
138	0	return 0;
139	0	}
140
141	553	if (constant_time_declassify_int(ec_scalar_is_zero(group, &r))) {
142	0	*out_retry = 1;
143	0	return 0;
144	0	}
145
146		// s = priv_key * r. Note if only one parameter is in the Montgomery domain,
147		// \|ec_scalar_mod_mul_montgomery\| will compute the answer in the normal
148		// domain.
149	553	EC_SCALAR s;
150	553	ec_scalar_to_montgomery(group, &s, &r);
151	553	ec_scalar_mul_montgomery(group, &s, priv_key, &s);
152
153		// s = m + priv_key * r.
154	553	EC_SCALAR tmp;
155	553	digest_to_scalar(group, &tmp, digest, digest_len);
156	553	ec_scalar_add(group, &s, &s, &tmp);
157
158		// s = k^-1 * (m + priv_key * r). First, we compute k^-1 in the Montgomery
159		// domain. This is \|ec_scalar_to_montgomery\| followed by
160		// \|ec_scalar_inv0_montgomery\|, but \|ec_scalar_inv0_montgomery\| followed by
161		// \|ec_scalar_from_montgomery\| is equivalent and slightly more efficient.
162		// Then, as above, only one parameter is in the Montgomery domain, so the
163		// result is in the normal domain. Finally, note k is non-zero (or computing r
164		// would fail), so the inverse must exist.
165	553	ec_scalar_inv0_montgomery(group, &tmp, k); // tmp = k^-1 R^2
166	553	ec_scalar_from_montgomery(group, &tmp, &tmp); // tmp = k^-1 R
167	553	ec_scalar_mul_montgomery(group, &s, &s, &tmp);
168	553	if (constant_time_declassify_int(ec_scalar_is_zero(group, &s))) {
169	0	*out_retry = 1;
170	0	return 0;
171	0	}
172
173	553	CONSTTIME_DECLASSIFY(r.words, sizeof(r.words));
174	553	CONSTTIME_DECLASSIFY(s.words, sizeof(r.words));
175	553	size_t len;
176	553	ec_scalar_to_bytes(group, sig, &len, &r);
177	553	assert(len == sig_len / 2);
178	553	ec_scalar_to_bytes(group, sig + len, &len, &s);
179	553	assert(len == sig_len / 2);
180	553	*out_sig_len = sig_len;
181	553	return 1;
182	553	}
183
184		int bssl::ecdsa_sign_fixed_with_nonce_for_known_answer_test(
185		const uint8_t digest, size_t digest_len, uint8_t sig, size_t *out_sig_len,
186		size_t max_sig_len, const EC_KEY eckey, const uint8_t nonce,
187	0	size_t nonce_len) {
188	0	const ECKey *impl = FromOpaque(eckey);
189
190	0	if (impl->ecdsa_meth && impl->ecdsa_meth->sign) {
191	0	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
192	0	return 0;
193	0	}
194
195	0	const EC_GROUP *group = EC_KEY_get0_group(impl);
196	0	if (group == nullptr \|\| impl->priv_key == nullptr) {
197	0	OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
198	0	return 0;
199	0	}
200	0	const EC_SCALAR *priv_key = &impl->priv_key->scalar;
201
202	0	EC_SCALAR k;
203	0	if (!ec_scalar_from_bytes(group, &k, nonce, nonce_len)) {
204	0	return 0;
205	0	}
206	0	int retry_ignored;
207	0	return ecdsa_sign_impl(group, &retry_ignored, sig, out_sig_len, max_sig_len,
208	0	priv_key, &k, digest, digest_len);
209	0	}
210
211		int bssl::ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len,
212		uint8_t sig, size_t out_sig_len,
213	553	size_t max_sig_len, const EC_KEY *eckey) {
214	553	const ECKey *impl = FromOpaque(eckey);
215
216	553	boringssl_ensure_ecc_self_test();
217
218	553	if (impl->ecdsa_meth && impl->ecdsa_meth->sign) {
219	0	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
220	0	return 0;
221	0	}
222
223	553	const EC_GROUP *group = EC_KEY_get0_group(impl);
224	553	if (group == nullptr \|\| impl->priv_key == nullptr) {
225	0	OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
226	0	return 0;
227	0	}
228	553	const BIGNUM *order = EC_GROUP_get0_order(group);
229	553	const EC_SCALAR *priv_key = &impl->priv_key->scalar;
230
231		// Generate the ECDSA per-message secret number by rejection sampling. This
232		// function implements FIPS 186-5, A.3.2, repeating the process on failure.
233
234		// Check the group order is large enough. See step 1 of FIPS 186-5, A.3.2.
235	553	if (BN_num_bits(order) < 224) {
236	0	OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
237	0	return 0;
238	0	}
239
240		// Pass a SHA512 hash of the private key and digest as additional data
241		// into the RBG. This is a hardening measure against entropy failure.
242	553	static_assert(SHA512_DIGEST_LENGTH >= 32,
243	553	"additional_data is too large for SHA-512");
244
245	553	FIPS_service_indicator_lock_state();
246
247	553	SHA512_CTX sha;
248	553	uint8_t additional_data[SHA512_DIGEST_LENGTH];
249	553	BCM_sha512_init(&sha);
250	553	BCM_sha512_update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
251	553	BCM_sha512_update(&sha, digest, digest_len);
252	553	BCM_sha512_final(additional_data, &sha);
253
254		// Cap iterations so callers who supply invalid values as custom groups do not
255		// infinite loop. This does not impact valid parameters (e.g. those covered by
256		// FIPS) because the probability of requiring even one retry is negligible,
257		// let alone 32.
258	553	static const int kMaxIterations = 32;
259	553	int ret = 0;
260	553	int iters = 0;
261	553	for (;;) {
262	553	EC_SCALAR k;
263	553	if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
264	0	goto out;
265	0	}
266
267		// TODO(davidben): Move this inside \|ec_random_nonzero_scalar\| or lower, so
268		// that all scalars we generate are, by default, secret.
269	553	CONSTTIME_SECRET(k.words, sizeof(k.words));
270
271	553	int retry;
272	553	ret = ecdsa_sign_impl(group, &retry, sig, out_sig_len, max_sig_len,
273	553	priv_key, &k, digest, digest_len);
274	553	if (ret \|\| !retry) {
275	553	goto out;
276	553	}
277
278	0	iters++;
279	0	if (iters > kMaxIterations) {
280	0	OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_TOO_MANY_ITERATIONS);
281	0	goto out;
282	0	}
283	0	}
284
285	553	out:
286	553	FIPS_service_indicator_unlock_state();
287	553	return ret;
288	553	}