projects / oweals / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 39eeb64) | patch
Fix timing leak in BN_from_montgomery_word.
authorDavid Benjamin <davidben@google.com>
Wed, 31 Jan 2018 19:47:41 +0000 (14:47 -0500)
committerAndy Polyakov <appro@openssl.org>
Thu, 1 Feb 2018 20:52:17 +0000 (21:52 +0100)
commitf345b1f39d9b4e4c9ef07e7522e9b2a870c9ca09
treee88b0384f90e80d3919f0224863aaed34ccf1ab0tree | snapshot
parent39eeb64f59ff838f976ad305de7d15747d47a41ccommit | diff
Fix timing leak in BN_from_montgomery_word.

BN_from_montgomery_word doesn't have a constant memory access pattern.
Replace the pointer trick with a constant-time select. There is, of
course, still the bn_correct_top leak pervasive in BIGNUM itself.

See also https://boringssl-review.googlesource.com/22904 from BoringSSL.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5228)
crypto/bn/bn_mont.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.