Fix timing leak in BN_from_montgomery_word.
author Andy Polyakov <appro@openssl.org>
Thu, 1 Feb 2018 21:03:59 +0000 (22:03 +0100)
committer Andy Polyakov <appro@openssl.org>
Fri, 2 Feb 2018 22:13:48 +0000 (23:13 +0100)
commit 48081cf988fc8f50215a2b18babd6a7859defd36
tree 3493d7ebaf34510c51981e50b5f96676ead5a301
parent 4981e6fc1da4aec6775fc248643c91dd1e87e0b7
Fix timing leak in BN_from_montgomery_word.

BN_from_montgomery_word doesn't have a constant memory access pattern.
Replace the pointer trick with a constant-time select. There is, of
course, still the bn_correct_top leak pervasive in BIGNUM itself.

See also https://boringssl-review.googlesource.com/22904 from BoringSSL.

(backport from f345b1f39d9b4e4c9ef07e7522e9b2a870c9ca09 signed off by
David Benjamin <davidben@google.com>)

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
crypto/bn/bn_mont.c
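The pattern the commit message describes, as an added example written for this page and not OpenSSL's own code: the final "subtract n if the result is at least n" step of a Montgomery reduction, first with a secret-dependent pointer choice (the leaky form) and then with a masked constant-time select over 64-bit words. The names sub_words, final_reduce_leaky, final_reduce_ct and reduce_case are assumed here; sub_words is a stand-in for OpenSSL's bn_sub_words.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t word;
#define MAXW 4  /* scratch-buffer capacity for this example */
/* r = a - b over nl words; returns the final borrow (0 or 1). A stand-in
 * written for this example, not OpenSSL's bn_sub_words. */
static word sub_words(word *r, const word *a, const word *b, size_t nl)
{
    word borrow = 0;
    for (size_t i = 0; i < nl; i++) {
        word d = a[i] - b[i], b1 = a[i] < b[i];
        word d2 = d - borrow, b2 = d < borrow;
        r[i] = d2;
        borrow = b1 | b2;
    }
    return borrow;
}

/* Leaky pattern: the final "subtract n if the value is >= n" step picks which
 * buffer to copy from, so the branch and the addresses read depend on the
 * secret. Precondition for both versions: carry*2^(64*nl) + r < 2n. */
static void final_reduce_leaky(word *r, word carry, const word *n, size_t nl)
{
    word t[MAXW];
    word borrow = sub_words(t, r, n, nl);
    const word *src = (carry || !borrow) ? t : r;  /* secret-dependent pointer */
    memcpy(r, src, nl * sizeof(word));
}

/* Constant-time select: always compute r - n, then merge under a mask. */
static void final_reduce_ct(word *r, word carry, const word *n, size_t nl)
{
    word t[MAXW];
    word borrow = sub_words(t, r, n, nl);
    word keep_r = borrow - carry;   /* 1 only when no carry and r < n */
    word mask = (word)0 - keep_r;   /* all ones: keep r; all zeros: take t */
    for (size_t i = 0; i < nl; i++)
        r[i] = (mask & r[i]) | (~mask & t[i]);
}

/* Runs one nl-word case through both versions; 1 if both yield `want`. */
static int reduce_case(const word *r0, word carry, const word *n, size_t nl, const word *want)
{
    word a[MAXW], b[MAXW];
    memcpy(a, r0, nl * sizeof(word)); memcpy(b, r0, nl * sizeof(word));
    final_reduce_leaky(a, carry, n, nl);
    final_reduce_ct(b, carry, n, nl);
    return !memcmp(a, want, nl * sizeof(word)) && !memcmp(b, want, nl * sizeof(word));
}
```

Both versions return the same numbers; the difference is only that final_reduce_ct executes the same instructions and touches the same addresses regardless of whether the subtraction was needed.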