grpc 1.37.1 → 1.38.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/err/err.c

@@ -368,84 +368,6 @@ void ERR_clear_system_error(void) {
   errno = 0;
 }
 
-char *ERR_error_string(uint32_t packed_error, char *ret) {
-  static char buf[ERR_ERROR_STRING_BUF_LEN];
-
-  if (ret == NULL) {
-    // TODO(fork): remove this.
-    ret = buf;
-  }
-
-#if !defined(NDEBUG)
-  // This is aimed to help catch callers who don't provide
-  // |ERR_ERROR_STRING_BUF_LEN| bytes of space.
-  OPENSSL_memset(ret, 0, ERR_ERROR_STRING_BUF_LEN);
-#endif
-
-  return ERR_error_string_n(packed_error, ret, ERR_ERROR_STRING_BUF_LEN);
-}
-
-char *ERR_error_string_n(uint32_t packed_error, char *buf, size_t len) {
-  char lib_buf[64], reason_buf[64];
-  const char *lib_str, *reason_str;
-  unsigned lib, reason;
-
-  if (len == 0) {
-    return NULL;
-  }
-
-  lib = ERR_GET_LIB(packed_error);
-  reason = ERR_GET_REASON(packed_error);
-
-  lib_str = ERR_lib_error_string(packed_error);
-  reason_str = ERR_reason_error_string(packed_error);
-
-  if (lib_str == NULL) {
-    BIO_snprintf(lib_buf, sizeof(lib_buf), "lib(%u)", lib);
-    lib_str = lib_buf;
-  }
-
- if (reason_str == NULL) {
-    BIO_snprintf(reason_buf, sizeof(reason_buf), "reason(%u)", reason);
-    reason_str = reason_buf;
-  }
-
-  BIO_snprintf(buf, len, "error:%08" PRIx32 ":%s:OPENSSL_internal:%s",
-               packed_error, lib_str, reason_str);
-
-  if (strlen(buf) == len - 1) {
-    // output may be truncated; make sure we always have 5 colon-separated
-    // fields, i.e. 4 colons.
-    static const unsigned num_colons = 4;
-    unsigned i;
-    char *s = buf;
-
-    if (len <= num_colons) {
-      // In this situation it's not possible to ensure that the correct number
-      // of colons are included in the output.
-      return buf;
-    }
-
-    for (i = 0; i < num_colons; i++) {
-      char *colon = strchr(s, ':');
-      char *last_pos = &buf[len - 1] - num_colons + i;
-
-      if (colon == NULL || colon > last_pos) {
-        // set colon |i| at last possible position (buf[len-1] is the
-        // terminating 0). If we're setting this colon, then all whole of the
-        // rest of the string must be colons in order to have the correct
-        // number.
-        OPENSSL_memset(last_pos, ':', num_colons - i);
-        break;
-      }
-
-      s = colon + 1;
-    }
-  }
-
-  return buf;
-}
-
 // err_string_cmp is a compare function for searching error values with
 // |bsearch| in |err_string_lookup|.
 static int err_string_cmp(const void *a, const void *b) {
@@ -530,7 +452,7 @@ static const char *const kLibraryNames[ERR_NUM_LIBS] = {
     "User defined functions",       // ERR_LIB_USER
 };
 
-const char *ERR_lib_error_string(uint32_t packed_error) {
+static const char *err_lib_error_string(uint32_t packed_error) {
   const uint32_t lib = ERR_GET_LIB(packed_error);
 
   if (lib >= ERR_NUM_LIBS) {
@@ -539,11 +461,16 @@ const char *ERR_lib_error_string(uint32_t packed_error) {
   return kLibraryNames[lib];
 }
 
+const char *ERR_lib_error_string(uint32_t packed_error) {
+  const char *ret = err_lib_error_string(packed_error);
+  return ret == NULL ? "unknown library" : ret;
+}
+
 const char *ERR_func_error_string(uint32_t packed_error) {
   return "OPENSSL_internal";
 }
 
-const char *ERR_reason_error_string(uint32_t packed_error) {
+static const char *err_reason_error_string(uint32_t packed_error) {
   const uint32_t lib = ERR_GET_LIB(packed_error);
   const uint32_t reason = ERR_GET_REASON(packed_error);
 
@@ -579,6 +506,86 @@ const char *ERR_reason_error_string(uint32_t packed_error) {
                            kOpenSSLReasonValuesLen, kOpenSSLReasonStringData);
 }
 
+const char *ERR_reason_error_string(uint32_t packed_error) {
+  const char *ret = err_reason_error_string(packed_error);
+  return ret == NULL ? "unknown error" : ret;
+}
+
+char *ERR_error_string(uint32_t packed_error, char *ret) {
+  static char buf[ERR_ERROR_STRING_BUF_LEN];
+
+  if (ret == NULL) {
+    // TODO(fork): remove this.
+    ret = buf;
+  }
+
+#if !defined(NDEBUG)
+  // This is aimed to help catch callers who don't provide
+  // |ERR_ERROR_STRING_BUF_LEN| bytes of space.
+  OPENSSL_memset(ret, 0, ERR_ERROR_STRING_BUF_LEN);
+#endif
+
+  return ERR_error_string_n(packed_error, ret, ERR_ERROR_STRING_BUF_LEN);
+}
+
+char *ERR_error_string_n(uint32_t packed_error, char *buf, size_t len) {
+  if (len == 0) {
+    return NULL;
+  }
+
+  unsigned lib = ERR_GET_LIB(packed_error);
+  unsigned reason = ERR_GET_REASON(packed_error);
+
+  const char *lib_str = err_lib_error_string(packed_error);
+  const char *reason_str = err_reason_error_string(packed_error);
+
+  char lib_buf[64], reason_buf[64];
+  if (lib_str == NULL) {
+    BIO_snprintf(lib_buf, sizeof(lib_buf), "lib(%u)", lib);
+    lib_str = lib_buf;
+  }
+
+ if (reason_str == NULL) {
+    BIO_snprintf(reason_buf, sizeof(reason_buf), "reason(%u)", reason);
+    reason_str = reason_buf;
+  }
+
+  BIO_snprintf(buf, len, "error:%08" PRIx32 ":%s:OPENSSL_internal:%s",
+               packed_error, lib_str, reason_str);
+
+  if (strlen(buf) == len - 1) {
+    // output may be truncated; make sure we always have 5 colon-separated
+    // fields, i.e. 4 colons.
+    static const unsigned num_colons = 4;
+    unsigned i;
+    char *s = buf;
+
+    if (len <= num_colons) {
+      // In this situation it's not possible to ensure that the correct number
+      // of colons are included in the output.
+      return buf;
+    }
+
+    for (i = 0; i < num_colons; i++) {
+      char *colon = strchr(s, ':');
+      char *last_pos = &buf[len - 1] - num_colons + i;
+
+      if (colon == NULL || colon > last_pos) {
+        // set colon |i| at last possible position (buf[len-1] is the
+        // terminating 0). If we're setting this colon, then all whole of the
+        // rest of the string must be colons in order to have the correct
+        // number.
+        OPENSSL_memset(last_pos, ':', num_colons - i);
+        break;
+      }
+
+      s = colon + 1;
+    }
+  }
+
+  return buf;
+}
+
 void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) {
   char buf[ERR_ERROR_STRING_BUF_LEN];
   char buf2[1024];

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c

@@ -97,6 +97,7 @@
 #include "rsa/padding.c"
 #include "rsa/rsa.c"
 #include "rsa/rsa_impl.c"
+#include "self_check/fips.c"
 #include "self_check/self_check.c"
 #include "sha/sha1-altivec.c"
 #include "sha/sha1.c"

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h

@@ -297,7 +297,7 @@ void bn_mul_comba4(BN_ULONG r[8], const BN_ULONG a[4], const BN_ULONG b[4]);
 void bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]);
 
 // bn_sqr_comba8 sets |r| to |a|^2.
-void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[4]);
+void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]);
 
 // bn_sqr_comba4 sets |r| to |a|^2.
 void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c

@@ -225,7 +225,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 
   ctx->buf_len = 0;
   ctx->final_used = 0;
-  ctx->block_mask = ctx->cipher->block_size - 1;
   return 1;
 }
 
@@ -239,6 +238,15 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
   return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
 }
 
+// block_remainder returns the number of bytes to remove from |len| to get a
+// multiple of |ctx|'s block size.
+static int block_remainder(const EVP_CIPHER_CTX *ctx, int len) {
+  // |block_size| must be a power of two.
+  assert(ctx->cipher->block_size != 0);
+  assert((ctx->cipher->block_size & (ctx->cipher->block_size - 1)) == 0);
+  return len & (ctx->cipher->block_size - 1);
+}
+
 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
                       const uint8_t *in, int in_len) {
   // Ciphers that use blocks may write up to |bl| extra bytes. Ensure the output
@@ -264,7 +272,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
     return in_len == 0;
   }
 
-  if (ctx->buf_len == 0 && (in_len & ctx->block_mask) == 0) {
+  if (ctx->buf_len == 0 && block_remainder(ctx, in_len) == 0) {
     if (ctx->cipher->cipher(ctx, out, in, in_len)) {
       *out_len = in_len;
       return 1;
@@ -297,7 +305,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
     *out_len = 0;
   }
 
-  i = in_len & ctx->block_mask;
+  i = block_remainder(ctx, in_len);
   in_len -= i;
   if (in_len > 0) {
     if (!ctx->cipher->cipher(ctx, out, in, in_len)) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c

@@ -141,10 +141,22 @@ typedef struct {
 
 static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
                         const uint8_t *iv, int enc) {
-  int ret, mode;
+  int ret;
   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+  const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;
+
+  if (mode == EVP_CIPH_CTR_MODE) {
+    switch (ctx->key_len) {
+      case 16:
+        boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr);
+        break;
+
+      case 32:
+        boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr);
+        break;
+    }
+  }
 
-  mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;
   if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {
     if (hwaes_capable()) {
       ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
@@ -353,6 +365,17 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
   if (!iv && !key) {
     return 1;
   }
+
+  switch (ctx->key_len) {
+    case 16:
+      boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm);
+      break;
+
+    case 32:
+      boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm);
+      break;
+  }
+
   if (key) {
     OPENSSL_memset(&gctx->gcm, 0, sizeof(gctx->gcm));
     gctx->ctr = aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm.gcm_key, NULL, key,

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c

@@ -247,13 +247,21 @@ static void sha512_256_init(EVP_MD_CTX *ctx) {
   CHECK(SHA512_256_Init(ctx->md_data));
 }
 
+static void sha512_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
+  CHECK(SHA512_256_Update(ctx->md_data, data, count));
+}
+
+static void sha512_256_final(EVP_MD_CTX *ctx, uint8_t *md) {
+  CHECK(SHA512_256_Final(md, ctx->md_data));
+}
+
 DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) {
   out->type = NID_sha512_256;
   out->md_size = SHA512_256_DIGEST_LENGTH;
   out->flags = 0;
   out->init = sha512_256_init;
-  out->update = sha512_update;
-  out->final = sha512_final;
+  out->update = sha512_256_update;
+  out->final = sha512_256_final;
   out->block_size = 128;
   out->ctx_size = sizeof(SHA512_CTX);
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h

@@ -136,44 +136,6 @@ extern "C" {
 #error "HASH_MAKE_STRING must be defined!"
 #endif
 
-#if defined(DATA_ORDER_IS_BIG_ENDIAN)
-
-#define HOST_c2l(c, l)                     \
-  do {                                     \
-    (l) = (((uint32_t)(*((c)++))) << 24);  \
-    (l) |= (((uint32_t)(*((c)++))) << 16); \
-    (l) |= (((uint32_t)(*((c)++))) << 8);  \
-    (l) |= (((uint32_t)(*((c)++))));       \
-  } while (0)
-
-#define HOST_l2c(l, c)                        \
-  do {                                        \
-    *((c)++) = (uint8_t)(((l) >> 24) & 0xff); \
-    *((c)++) = (uint8_t)(((l) >> 16) & 0xff); \
-    *((c)++) = (uint8_t)(((l) >> 8) & 0xff);  \
-    *((c)++) = (uint8_t)(((l)) & 0xff);       \
-  } while (0)
-
-#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
-
-#define HOST_c2l(c, l)                     \
-  do {                                     \
-    (l) = (((uint32_t)(*((c)++))));        \
-    (l) |= (((uint32_t)(*((c)++))) << 8);  \
-    (l) |= (((uint32_t)(*((c)++))) << 16); \
-    (l) |= (((uint32_t)(*((c)++))) << 24); \
-  } while (0)
-
-#define HOST_l2c(l, c)                        \
-  do {                                        \
-    *((c)++) = (uint8_t)(((l)) & 0xff);       \
-    *((c)++) = (uint8_t)(((l) >> 8) & 0xff);  \
-    *((c)++) = (uint8_t)(((l) >> 16) & 0xff); \
-    *((c)++) = (uint8_t)(((l) >> 24) & 0xff); \
-  } while (0)
-
-#endif  // DATA_ORDER
-
 int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) {
   const uint8_t *data = data_;
 
@@ -247,13 +209,12 @@ int HASH_FINAL(uint8_t out[HASH_DIGEST_LENGTH], HASH_CTX *c) {
   // Append a 64-bit length to the block and process it.
   uint8_t *p = c->data + HASH_CBLOCK - 8;
 #if defined(DATA_ORDER_IS_BIG_ENDIAN)
-  HOST_l2c(c->Nh, p);
-  HOST_l2c(c->Nl, p);
+  CRYPTO_store_u32_be(p, c->Nh);
+  CRYPTO_store_u32_be(p + 4, c->Nl);
 #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
-  HOST_l2c(c->Nl, p);
-  HOST_l2c(c->Nh, p);
+  CRYPTO_store_u32_le(p, c->Nl);
+  CRYPTO_store_u32_le(p + 4, c->Nh);
 #endif
-  assert(p == c->data + HASH_CBLOCK);
   HASH_BLOCK_DATA_ORDER(c->h, c->data, 1);
   c->num = 0;
   OPENSSL_memset(c->data, 0, HASH_CBLOCK);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c

@@ -1232,6 +1232,10 @@ void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out) {
 
 void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) {}
 
+int EC_GROUP_get_asn1_flag(const EC_GROUP *group) {
+  return OPENSSL_EC_NAMED_CURVE;
+}
+
 const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) {
   // This function exists purely to give callers a way to call
   // |EC_METHOD_get_field_type|. cryptography.io crashes if |EC_GROUP_method_of|

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c

@@ -171,7 +171,6 @@ void EC_KEY_free(EC_KEY *r) {
   EC_GROUP_free(r->group);
   EC_POINT_free(r->pub_key);
   ec_wrapped_scalar_free(r->priv_key);
-  BN_free(r->fixed_k);
 
   CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);
 

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h

@@ -729,10 +729,6 @@ struct ec_key_st {
   EC_POINT *pub_key;
   EC_WRAPPED_SCALAR *priv_key;
 
-  // fixed_k may contain a specific value of 'k', to be used in ECDSA signing.
-  // This is only for the FIPS power-on tests.
-  BIGNUM *fixed_k;
-
   unsigned int enc_flag;
   point_conversion_form_t conv_form;
 

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c

@@ -61,9 +61,10 @@
 #include <openssl/sha.h>
 #include <openssl/type_check.h>
 
+#include "../../internal.h"
 #include "../bn/internal.h"
 #include "../ec/internal.h"
-#include "../../internal.h"
+#include "internal.h"
 
 
 // digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for
@@ -198,70 +199,74 @@ int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
   return 1;
 }
 
-static int ecdsa_sign_setup(const EC_KEY *eckey, EC_SCALAR *out_kinv_mont,
-                            EC_SCALAR *out_r, const uint8_t *digest,
-                            size_t digest_len, const EC_SCALAR *priv_key) {
+static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry,
+                                  const EC_SCALAR *priv_key, const EC_SCALAR *k,
+                                  const uint8_t *digest, size_t digest_len) {
+  *out_retry = 0;
+
   // Check that the size of the group order is FIPS compliant (FIPS 186-4
   // B.5.2).
-  const EC_GROUP *group = EC_KEY_get0_group(eckey);
   const BIGNUM *order = EC_GROUP_get0_order(group);
   if (BN_num_bits(order) < 160) {
     OPENSSL_PUT_ERROR(ECDSA, EC_R_INVALID_GROUP_ORDER);
-    return 0;
+    return NULL;
   }
 
-  int ret = 0;
-  EC_SCALAR k;
+  // Compute r, the x-coordinate of k * generator.
   EC_RAW_POINT tmp_point;
-  do {
-    // Include the private key and message digest in the k generation.
-    if (eckey->fixed_k != NULL) {
-      if (!ec_bignum_to_scalar(group, &k, eckey->fixed_k)) {
-        goto err;
-      }
-      if (ec_scalar_is_zero(group, &k)) {
-        OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
-        goto err;
-      }
-    } else {
-      // Pass a SHA512 hash of the private key and digest as additional data
-      // into the RBG. This is a hardening measure against entropy failure.
-      OPENSSL_STATIC_ASSERT(SHA512_DIGEST_LENGTH >= 32,
-                            "additional_data is too large for SHA-512");
-      SHA512_CTX sha;
-      uint8_t additional_data[SHA512_DIGEST_LENGTH];
-      SHA512_Init(&sha);
-      SHA512_Update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
-      SHA512_Update(&sha, digest, digest_len);
-      SHA512_Final(additional_data, &sha);
-      if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
-        goto err;
-      }
-    }
+  EC_SCALAR r;
+  if (!ec_point_mul_scalar_base(group, &tmp_point, k) ||
+      !ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {
+    return NULL;
+  }
 
-    // Compute k^-1 in the Montgomery domain. This is |ec_scalar_to_montgomery|
-    // followed by |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery|
-    // followed by |ec_scalar_from_montgomery| is equivalent and slightly more
-    // efficient. Note k is non-zero, so the inverse must exist.
-    ec_scalar_inv0_montgomery(group, out_kinv_mont, &k);
-    ec_scalar_from_montgomery(group, out_kinv_mont, out_kinv_mont);
-
-    // Compute r, the x-coordinate of generator * k.
-    if (!ec_point_mul_scalar_base(group, &tmp_point, &k) ||
-        !ec_get_x_coordinate_as_scalar(group, out_r, &tmp_point)) {
-      goto err;
-    }
-  } while (ec_scalar_is_zero(group, out_r));
+  if (ec_scalar_is_zero(group, &r)) {
+    *out_retry = 1;
+    return NULL;
+  }
 
-  ret = 1;
+  // s = priv_key * r. Note if only one parameter is in the Montgomery domain,
+  // |ec_scalar_mod_mul_montgomery| will compute the answer in the normal
+  // domain.
+  EC_SCALAR s;
+  ec_scalar_to_montgomery(group, &s, &r);
+  ec_scalar_mul_montgomery(group, &s, priv_key, &s);
+
+  // s = m + priv_key * r.
+  EC_SCALAR tmp;
+  digest_to_scalar(group, &tmp, digest, digest_len);
+  ec_scalar_add(group, &s, &s, &tmp);
+
+  // s = k^-1 * (m + priv_key * r). First, we compute k^-1 in the Montgomery
+  // domain. This is |ec_scalar_to_montgomery| followed by
+  // |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery| followed by
+  // |ec_scalar_from_montgomery| is equivalent and slightly more efficient.
+  // Then, as above, only one parameter is in the Montgomery domain, so the
+  // result is in the normal domain. Finally, note k is non-zero (or computing r
+  // would fail), so the inverse must exist.
+  ec_scalar_inv0_montgomery(group, &tmp, k);     // tmp = k^-1 R^2
+  ec_scalar_from_montgomery(group, &tmp, &tmp);  // tmp = k^-1 R
+  ec_scalar_mul_montgomery(group, &s, &s, &tmp);
+  if (ec_scalar_is_zero(group, &s)) {
+    *out_retry = 1;
+    return NULL;
+  }
 
-err:
-  OPENSSL_cleanse(&k, sizeof(k));
+  ECDSA_SIG *ret = ECDSA_SIG_new();
+  if (ret == NULL ||  //
+      !bn_set_words(ret->r, r.words, order->width) ||
+      !bn_set_words(ret->s, s.words, order->width)) {
+    ECDSA_SIG_free(ret);
+    return NULL;
+  }
   return ret;
 }
 
-ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
-                         const EC_KEY *eckey) {
+ECDSA_SIG *ecdsa_sign_with_nonce_for_known_answer_test(const uint8_t *digest,
+                                                       size_t digest_len,
+                                                       const EC_KEY *eckey,
+                                                       const uint8_t *nonce,
+                                                       size_t nonce_len) {
   if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
     OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
     return NULL;
@@ -272,57 +277,63 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
     OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
     return NULL;
   }
-  const BIGNUM *order = EC_GROUP_get0_order(group);
   const EC_SCALAR *priv_key = &eckey->priv_key->scalar;
 
-  int ok = 0;
-  ECDSA_SIG *ret = ECDSA_SIG_new();
-  EC_SCALAR kinv_mont, r_mont, s, m, tmp;
-  if (ret == NULL) {
-    OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
+  EC_SCALAR k;
+  if (!ec_scalar_from_bytes(group, &k, nonce, nonce_len)) {
     return NULL;
   }
+  int retry_ignored;
+  return ecdsa_sign_impl(group, &retry_ignored, priv_key, &k, digest,
+                         digest_len);
+}
 
-  digest_to_scalar(group, &m, digest, digest_len);
-  for (;;) {
-    if (!ecdsa_sign_setup(eckey, &kinv_mont, &r_mont, digest, digest_len,
-                          priv_key) ||
-        !bn_set_words(ret->r, r_mont.words, order->width)) {
-      goto err;
-    }
-
-    // Compute priv_key * r (mod order). Note if only one parameter is in the
-    // Montgomery domain, |ec_scalar_mod_mul_montgomery| will compute the answer
-    // in the normal domain.
-    ec_scalar_to_montgomery(group, &r_mont, &r_mont);
-    ec_scalar_mul_montgomery(group, &s, priv_key, &r_mont);
+// This function is only exported for testing and is not called in production
+// code.
+ECDSA_SIG *ECDSA_sign_with_nonce_and_leak_private_key_for_testing(
+    const uint8_t *digest, size_t digest_len, const EC_KEY *eckey,
+    const uint8_t *nonce, size_t nonce_len) {
+  return ecdsa_sign_with_nonce_for_known_answer_test(digest, digest_len, eckey,
+                                                     nonce, nonce_len);
+}
 
-    // Compute tmp = m + priv_key * r.
-    ec_scalar_add(group, &tmp, &m, &s);
+ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
+                         const EC_KEY *eckey) {
+  if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
+    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
+    return NULL;
+  }
 
-    // Finally, multiply s by k^-1. That was retained in Montgomery form, so the
-    // same technique as the previous multiplication works.
-    ec_scalar_mul_montgomery(group, &s, &tmp, &kinv_mont);
-    if (!bn_set_words(ret->s, s.words, order->width)) {
-      goto err;
-    }
-    if (!BN_is_zero(ret->s)) {
-      // s != 0 => we have a valid signature
-      break;
-    }
+  const EC_GROUP *group = EC_KEY_get0_group(eckey);
+  if (group == NULL || eckey->priv_key == NULL) {
+    OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
+    return NULL;
   }
+  const BIGNUM *order = EC_GROUP_get0_order(group);
+  const EC_SCALAR *priv_key = &eckey->priv_key->scalar;
 
-  ok = 1;
+  // Pass a SHA512 hash of the private key and digest as additional data
+  // into the RBG. This is a hardening measure against entropy failure.
+  OPENSSL_STATIC_ASSERT(SHA512_DIGEST_LENGTH >= 32,
+                        "additional_data is too large for SHA-512");
+  SHA512_CTX sha;
+  uint8_t additional_data[SHA512_DIGEST_LENGTH];
+  SHA512_Init(&sha);
+  SHA512_Update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
+  SHA512_Update(&sha, digest, digest_len);
+  SHA512_Final(additional_data, &sha);
 
-err:
-  if (!ok) {
-    ECDSA_SIG_free(ret);
-    ret = NULL;
+  for (;;) {
+    EC_SCALAR k;
+    if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
+      return NULL;
+    }
+
+    int retry;
+    ECDSA_SIG *sig =
+        ecdsa_sign_impl(group, &retry, priv_key, &k, digest, digest_len);
+    if (sig != NULL || !retry) {
+      return sig;
+    }
   }
-  OPENSSL_cleanse(&kinv_mont, sizeof(kinv_mont));
-  OPENSSL_cleanse(&r_mont, sizeof(r_mont));
-  OPENSSL_cleanse(&s, sizeof(s));
-  OPENSSL_cleanse(&tmp, sizeof(tmp));
-  OPENSSL_cleanse(&m, sizeof(m));
-  return ret;
 }