[openssl/openssl] 0ed27f: Always end BN_mod_exp_mont_consttime with normal M...

Tomas Mraz noreply at reply.github.openssl.org
Thu Jun 16 13:32:01 UTC 2022


  Branch: refs/heads/OpenSSL_1_1_1-stable
  Home:   https://github.openssl.org/openssl/openssl
  Commit: 0ed27fb7a8d85685cb671bf0a1e41bcdfc2624dc
      https://github.openssl.org/openssl/openssl/commit/0ed27fb7a8d85685cb671bf0a1e41bcdfc2624dc
  Author: Tomas Mraz <tomas at openssl.org>
  Date:   2022-06-16 (Thu, 16 Jun 2022)

  Changed paths:
    M crypto/bn/asm/x86_64-mont5.pl
    M crypto/bn/bn_exp.c
    M test/recipes/10-test_bn_data/bnmod.txt

  Log Message:
  -----------
  Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.

This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime
would sometimes return m, the modulus, when it should have returned
zero. Thanks to Guido Vranken for reporting it. It is only a partial fix
because the same bug also exists in the "rsaz" codepath.

The bug only affects zero outputs (with non-zero inputs), so we believe
it has no security impact on our cryptographic functions.

The fix is to delete lowercase bn_from_montgomery altogether, and have the
mont5 path use the same BN_from_montgomery ending as the non-mont5 path.
This only impacts the final step of the whole exponentiation and has no
measurable perf impact.

See the original BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315
for further analysis.

Original-author: David Benjamin <davidben at google.com>

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18511)


  Commit: 8438d3a7b7309cbea521d3628fddeda7bd6d6e20
      https://github.openssl.org/openssl/openssl/commit/8438d3a7b7309cbea521d3628fddeda7bd6d6e20
  Author: Tomas Mraz <tomas at openssl.org>
  Date:   2022-06-16 (Thu, 16 Jun 2022)

  Changed paths:
    M crypto/bn/rsaz_exp.c
    M crypto/bn/rsaz_exp.h
    M test/recipes/10-test_bn_data/bnmod.txt

  Log Message:
  -----------
  Add an extra reduction step to RSAZ mod_exp implementations

Inspired by BoringSSL fix by David Benjamin.

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18511)


Compare: https://github.openssl.org/openssl/openssl/compare/8f078819556d...8438d3a7b730
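
Added illustration, not part of the commit mail and not OpenSSL or BoringSSL code: a toy one-word Montgomery exponentiation in which an ending without the final conditional subtraction returns m for a zero result from a non-zero base, while ending with a normal Montgomery reduction returns 0. All names, R = 2^32 and the modulus 9 are assumptions for this example, and the mechanism is simplified; the analysis of the real code paths is in the BoringSSL commit linked in the first log message.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy one-word Montgomery arithmetic: R = 2^32, odd m with 1 < m < 2^30.
 * Constructed for illustration; not constant-time and not OpenSSL's code. */
typedef struct { uint32_t m, ninv; } mont_ctx;      /* ninv = -m^-1 mod R */

static mont_ctx mont_init(uint32_t m) {
    uint32_t inv = m;                 /* m*m = 1 mod 8; each Newton step doubles the bits */
    for (int i = 0; i < 5; i++) inv *= 2u - m * inv;
    return (mont_ctx){ m, 0u - inv };
}

/* (t + k*m)/R: congruent to t/R mod m, but bounded only by 2m, not by m. */
static uint32_t redc_lazy(const mont_ctx *c, uint64_t t) {
    uint32_t k = (uint32_t)t * c->ninv;
    return (uint32_t)((t + (uint64_t)k * c->m) >> 32);
}

/* Normal Montgomery reduction: the same value, then a branch-free
 * conditional subtraction that brings the result into [0, m). */
static uint32_t redc_full(const mont_ctx *c, uint64_t t) {
    uint32_t r = redc_lazy(c, t);
    return r - (c->m & (0u - (uint32_t)(r >= c->m)));
}

/* a^e mod m with lazily reduced intermediates; full_end picks the ending. */
uint32_t toy_mod_exp(uint32_t a, uint32_t e, uint32_t m, int full_end) {
    mont_ctx c = mont_init(m);
    uint32_t acc = (uint32_t)(((uint64_t)1 << 32) % m);        /* 1 in Montgomery form */
    uint32_t am  = (uint32_t)(((uint64_t)(a % m) << 32) % m);  /* a in Montgomery form */
    for (int i = 31; i >= 0; i--) {
        acc = redc_lazy(&c, (uint64_t)acc * acc);
        if ((e >> i) & 1) acc = redc_lazy(&c, (uint64_t)acc * am);
    }
    /* Leaving Montgomery form is a reduction of acc itself (multiply by 1). */
    return full_end ? redc_full(&c, acc) : redc_lazy(&c, acc);
}

int main(void) {
    /* 3^2 = 9, which is 0 mod 9: a zero result from a non-zero base. */
    printf("lazy ending: %u\n", toy_mod_exp(3, 2, 9, 0));
    printf("full ending: %u\n", toy_mod_exp(3, 2, 9, 1));
    return 0;
}
```

In this toy the two endings differ only when the true result is zero and the internal accumulator holds a non-zero multiple of m; every non-zero result comes out identical either way.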

