"Dr. Stephen Henson" <st...@openssl.org> writes:

[...]

>   +#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
>   +           /* We do not want timing information to leak the length of k,
>   +            * so we compute G*k using an equivalent scalar of fixed
>   +            * bit-length. */
>   +
>   +           if (!BN_add(k, k, order)) goto err;
>   +           if (BN_num_bits(k) <= BN_num_bits(order))
>   +                   if (!BN_add(k, k, order)) goto err;
>   +#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
>   +
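Review bot: the `#ifdef ECDSA_POINT_MUL_NO_CONSTTIME` guard on the first line of the hunk is undocumented, and the macro name can be read two ways: either the point multiplication is not constant-time, so the scalar must be padded, or constant-time handling has been switched off. The comment inside the block explains the padding but not the condition it is compiled under, so it should state which reading is intended and where the macro gets defined. Two smaller points on the `BN_add` lines: the outer `if (BN_num_bits(k) <= BN_num_bits(order))` wraps a second `if` with no braces, which makes it easy to misread and worth bracing. Also, `k` is overwritten in place with `k + order` or `k + 2*order`, so any later use of `k` in the same function that assumes `k < order` should be checked.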

Almost certainly my misunderstanding, but isn't the sense of this wrong?

That is, surely the new code should be added if we want the CONSTTIME
behaviour (i.e., if NO_CONSTTIME is not defined), and we'd want that by
default so it should be #ifndef rather than #ifdef?

(I agree it's #ifdef in the eprint too, which increases the likelihood
that I'm just misunderstanding something.)

[...]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
