Fix timing leak in BN_from_montgomery_word.
BN_from_montgomery_word doesn't have a constant memory access pattern. Replace the pointer trick with a constant-time select. There is, of course, still the bn_correct_top leak pervasive in BIGNUM itself. See also https://boringssl-review.googlesource.com/22904 from BoringSSL. (backport from f345b1f3 signed off by David Benjamin <davidben@google.com>) Reviewed-by:Kurt Roeckx <kurt@roeckx.be>
Please register or sign in to comment