[openssl/openssl] cf6593: Always end BN_mod_exp_mont_consttime with normal M...
noreply at reply.github.openssl.org
Thu Jun 16 13:28:10 UTC 2022
Author: Tomas Mraz <tomas at openssl.org>
Date: 2022-06-16 (Thu, 16 Jun 2022)
Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.
This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime
would sometimes return m, the modulus, when it should have returned
zero. Thanks to Guido Vranken for reporting it. It is only a partial fix
because the same bug also exists in the "rsaz" codepath.
The bug only affects zero outputs (with non-zero inputs), so we believe
it has no security impact on our cryptographic functions.
The fx is to delete lowercase bn_from_montgomery altogether, and have the
mont5 path use the same BN_from_montgomery ending as the non-mont5 path.
This only impacts the final step of the whole exponentiation and has no
measurable perf impact.
See the original BoringSSL commit
for further analysis.
Original-author: David Benjamin <davidben at google.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18510)
(cherry picked from commit 0ae365e1f80648f4c52aa3ac9bbc279b6192b23e)
More information about the openssl-commits