diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 517e3c29fc70f08b77266de8ffe6da6b4df1c096..1f64f35cba476132a2d78ef501ea8cef75104721 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -601,7 +601,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, * out by Colin Percival, * http://www.daemonology.net/hyperthreading-considered-harmful/) */ -int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { @@ -618,12 +618,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, unsigned int t4 = 0; #endif - bn_check_top(a); - bn_check_top(p); - bn_check_top(m); - if (!BN_is_odd(m)) { - BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS); + BNerr(BN_F_BN_MOD_EXP_MONT_FIXED_TOP, BN_R_CALLED_WITH_EVEN_MODULUS); return 0; } @@ -1141,7 +1137,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, goto err; } else #endif - if (!BN_from_montgomery(rr, &tmp, mont, ctx)) + if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) goto err; ret = 1; err: @@ -1155,6 +1151,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, return ret; } +int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont) +{ + bn_check_top(a); + bn_check_top(p); + bn_check_top(m); + if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont)) + return 0; + bn_correct_top(rr); + return 1; +} + int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 08db89fceeb5c05628f983f75a6708a78ce1c1db..9f0b4807054bb6673a7410df6023c77216898244 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -12,8 +12,8 @@ #include #include - #include "ec_local.h" +#include "crypto/bn.h" /* functions for EC_GROUP objects */ @@ -1155,10 +1155,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, if (!BN_sub(e, group->order, e)) goto err; /*- - * Exponent e is public. - * No need for scatter-gather or BN_FLG_CONSTTIME. + * Although the exponent is public we want the result to be + * fixed top. */ - if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) + if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) goto err; ret = 1; diff --git a/include/crypto/bn.h b/include/crypto/bn.h index 250914c46a28c0e8e41321dcad22c216e2e6b7ba..8484047fd02b924eb6cdb96414ae099ad5f46cce 100644 --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); */ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx); +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont); int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx); int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h index 5c83777f9f06a8b0d3c43429e9fbb152740baca9..f6aef13441fc9c27194a2f4fa58fcddcf69fed99 100644 --- a/include/openssl/bnerr.h +++ b/include/openssl/bnerr.h @@ -73,6 +73,7 @@ int ERR_load_BN_strings(void); # define BN_F_BN_STACK_PUSH 148 # define BN_F_BN_USUB 115 # define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 +# define BN_F_BN_MOD_EXP_MONT_FIXED_TOP 152 /* * BN reason codes.