[openssl] master update

Matt Caswell matt at openssl.org
Thu Oct 31 11:09:39 UTC 2019


The branch master has been updated
       via  305bf9c8668aff78e668131061f4eb088457be5f (commit)
      from  8e8901e1e497d2a2bc0f56aa711f7462d88820f3 (commit)


- Log -----------------------------------------------------------------
commit 305bf9c8668aff78e668131061f4eb088457be5f
Author: Billy Brumley <bbrumley at gmail.com>
Date:   Thu Oct 17 23:30:18 2019 +0300

    [crypto/bn] fix a few small timing leaks in BN_lshift1 and BN_rshift1
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10209)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_shift.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/crypto/bn/bn_shift.c b/crypto/bn/bn_shift.c
index cdf66933e9..5481609d0f 100644
--- a/crypto/bn/bn_shift.c
+++ b/crypto/bn/bn_shift.c
@@ -34,12 +34,10 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a)
     for (i = 0; i < a->top; i++) {
         t = *(ap++);
         *(rp++) = ((t << 1) | c) & BN_MASK2;
-        c = (t & BN_TBIT) ? 1 : 0;
-    }
-    if (c) {
-        *rp = 1;
-        r->top++;
+        c = t >> (BN_BITS2 - 1);
     }
+    *rp = c;
+    r->top += c;
     bn_check_top(r);
     return 1;
 }
@@ -47,7 +45,7 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a)
 int BN_rshift1(BIGNUM *r, const BIGNUM *a)
 {
     BN_ULONG *ap, *rp, t, c;
-    int i, j;
+    int i;
 
     bn_check_top(r);
     bn_check_top(a);
@@ -58,23 +56,22 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
     }
     i = a->top;
     ap = a->d;
-    j = i - (ap[i - 1] == 1);
     if (a != r) {
-        if (bn_wexpand(r, j) == NULL)
+        if (bn_wexpand(r, i) == NULL)
             return 0;
         r->neg = a->neg;
     }
     rp = r->d;
+    r->top = i;
     t = ap[--i];
-    c = (t & 1) ? BN_TBIT : 0;
-    if (t >>= 1)
-        rp[i] = t;
+    rp[i] = t >> 1;
+    c = t << (BN_BITS2 - 1);
+    r->top -= (t == 1);
     while (i > 0) {
         t = ap[--i];
         rp[i] = ((t >> 1) & BN_MASK2) | c;
-        c = (t & 1) ? BN_TBIT : 0;
+        c = t << (BN_BITS2 - 1);
     }
-    r->top = j;
     if (!r->top)
         r->neg = 0; /* don't allow negative zero */
     bn_check_top(r);


More information about the openssl-commits mailing list