Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / 69939df2891f62f7f00ff2ac275f1cd81a67454c^! / . / src / crypto / bn / gcd.c
commit69939df2891f62f7f00ff2ac275f1cd81a67454c[log] [tgz]
authorRobert Sloan <varomodt@google.com>Mon Jan 09 10:53:07 2017 -0800
committerRobert Sloan <varomodt@google.com>Mon Jan 09 15:18:23 2017 -0800
tree467d0f510b31deef87dc70b119ea143090cc67a6
parente7531f038363d24a103c820cff38898455ff66fe [diff] [blame]
external/boringssl: Sync to 9c33ae85621ef8e00a42309b5101e0bedd02b816.

This includes the following changes:

https://boringssl.googlesource.com/boringssl/+log/629db8cd0c84628e37aa81242b5b07fec7602f55..9c33ae85621ef8e00a42309b5101e0bedd02b816

Bug: 33622440
Test: BoringSSL tests
Change-Id: I20da15ad995a620b6b2f08db20c77ebd0f05ca10

diff --git a/src/crypto/bn/gcd.c b/src/crypto/bn/gcd.c
index a1ed5d9..9e62da0 100644
--- a/src/crypto/bn/gcd.c
+++ b/src/crypto/bn/gcd.c

@@ -423,9 +423,6 @@
     if (a_reduced == NULL) {
       goto err;
     }
-    if (no_branch) {
-      BN_set_flags(a_reduced, BN_FLG_CONSTTIME);
-    }
     if (!BN_nnmod(a_reduced, a_reduced, n, ctx)) {
       goto err;
     }
@@ -481,15 +478,13 @@
 
 /* bn_mod_inverse_general is the general inversion algorithm that works for
  * both even and odd |n|. It was specifically designed to contain fewer
- * branches that may leak sensitive information. See "New Branch Prediction
+ * branches that may leak sensitive information; see "New Branch Prediction
  * Vulnerabilities in OpenSSL and Necessary Software Countermeasures" by
  * Onur Acıçmez, Shay Gueron, and Jean-Pierre Seifert. */
 static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
                                   const BIGNUM *a, const BIGNUM *n,
                                   BN_CTX *ctx) {
   BIGNUM *A, *B, *X, *Y, *M, *D, *T;
-  BIGNUM local_A;
-  BIGNUM *pA;
   int ret = 0;
   int sign;
 
@@ -532,14 +527,8 @@
      *      sign*Y*a  ==  A   (mod |n|)
      */
 
-    /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
-     * BN_div_no_branch will be called eventually.
-     */
-    pA = &local_A;
-    BN_with_flags(pA, A, BN_FLG_CONSTTIME);
-
     /* (D, M) := (A/B, A%B) ... */
-    if (!BN_div(D, M, pA, B, ctx)) {
+    if (!BN_div(D, M, A, B, ctx)) {
       goto err;
     }
 
@@ -626,3 +615,27 @@
   BN_CTX_end(ctx);
   return ret;
 }
+
+int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
+                         BN_CTX *ctx, const BN_MONT_CTX *mont_p) {
+  BN_CTX_start(ctx);
+  BIGNUM *p_minus_2 = BN_CTX_get(ctx);
+  int ok = p_minus_2 != NULL &&
+           BN_copy(p_minus_2, p) &&
+           BN_sub_word(p_minus_2, 2) &&
+           BN_mod_exp_mont(out, a, p_minus_2, p, ctx, mont_p);
+  BN_CTX_end(ctx);
+  return ok;
+}
+
+int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
+                                BN_CTX *ctx, const BN_MONT_CTX *mont_p) {
+  BN_CTX_start(ctx);
+  BIGNUM *p_minus_2 = BN_CTX_get(ctx);
+  int ok = p_minus_2 != NULL &&
+           BN_copy(p_minus_2, p) &&
+           BN_sub_word(p_minus_2, 2) &&
+           BN_mod_exp_mont_consttime(out, a, p_minus_2, p, ctx, mont_p);
+  BN_CTX_end(ctx);
+  return ok;
+}