Inspired by BoringSSL fix by David Benjamin.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18511)
unsigned char *R2 = table_s; /* borrow */
int index;
int wvalue;
+ BN_ULONG tmp[16];
if ((((size_t)p_str & 4095) + 320) >> 12) {
result = p_str;
rsaz_1024_red2norm_avx2(result_norm, result);
+ bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, tmp, 16);
+
OPENSSL_cleanse(storage, sizeof(storage));
+ OPENSSL_cleanse(tmp, sizeof(tmp));
}
/*
unsigned char *p_str = (unsigned char *)exponent;
int index;
unsigned int wvalue;
+ BN_ULONG tmp[8];
/* table[0] = 1_inv */
temp[0] = 0 - m[0];
/* from Montgomery */
rsaz_512_mul_by_one(result, temp, m, k0);
+ bn_reduce_once_in_place(result, /*carry=*/0, m, tmp, 8);
+
OPENSSL_cleanse(storage, sizeof(storage));
+ OPENSSL_cleanse(tmp, sizeof(tmp));
}
#endif
# define RSAZ_ENABLED
# include <openssl/bn.h>
+# include "internal/constant_time.h"
+# include "bn_local.h"
void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16],
const BN_ULONG base_norm[16],
const BN_ULONG m_norm[8], BN_ULONG k0,
const BN_ULONG RR[8]);
+static ossl_inline void bn_select_words(BN_ULONG *r, BN_ULONG mask,
+ const BN_ULONG *a,
+ const BN_ULONG *b, size_t num)
+{
+ size_t i;
+
+ for (i = 0; i < num; i++) {
+ r[i] = constant_time_select_64(mask, a[i], b[i]);
+ }
+}
+
+static ossl_inline BN_ULONG bn_reduce_once_in_place(BN_ULONG *r,
+ BN_ULONG carry,
+ const BN_ULONG *m,
+ BN_ULONG *tmp, size_t num)
+{
+ carry -= bn_sub_words(tmp, r, m, num);
+ bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);
+ return carry;
+}
+
# endif
#endif
M = 8f42c9e9e351ba9b32ab0cf69da43f4acf7028d19cff6e5059ea0e3fcc97c97f36a31470044737d4c0c933ac441ecb29e32c81401523afdac7de9c3fd8493c97
# 1024-bit
-# TODO(davidben): This test breaks the RSAZ implementation. Fix it and enable
-# this test.
-# ModExp = 00
-# A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f
-# E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# M = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7
+ModExp = 00
+A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7
# 1025-bit
ModExp = 00