crypto/bn/bn_mont.c +19 −25 @@ -246,18 +246,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, rp=ret->d; ap=&(r->d[ri]); nrp=ap; /* This 'if' denotes violation of 2*M<r^(n-1) boundary condition * formulated by C.D.Walter in "Montgomery exponentiation needs * no final subtractions." Incurred branch can disclose only * information about modulus length, which is not really secret. */ if ((mont->N.d[ri-1]>>(BN_BITS2-2))!=0) { size_t m1,m2; v=bn_sub_words(rp,ap,mont->N.d,ri); /* this -----------------------^^ works even in al<ri case v=bn_sub_words(rp,ap,np,ri); /* this ----------------^^ works even in al<ri case * thanks to zealous zeroing of top of the vector in the * beginning. */
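Review bot: The new side of this hunk keeps no comment explaining why `v=bn_sub_words(rp,ap,np,ri);` is now executed for every modulus; the `if ((mont->N.d[ri-1]>>(BN_BITS2-2))!=0)` guard and the comment above it appear to be on the removed side (inferred from the -246,18 +246,12 counts, since the rendered page has lost its +/- markers). That comment was the only place in the visible lines that recorded the side-channel reasoning, so I would replace it rather than drop it, for example `/* Always subtract; the result is selected afterwards, so no branch depends on the modulus. */`, provided that matches the m1/m2 code that lies past the end of the hunk. `np` is not defined in the visible lines either; if it is simply `mont->N.d`, a short comment at its assignment would make the `mont->N.d` to `np` substitution easy to audit. The block opened by `{` continues outside the hunk, and the page prints this hunk a second time below, to which the same note applies.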
crypto/bn/bn_mont.c +19 −25 @@ -246,18 +246,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, rp=ret->d; ap=&(r->d[ri]); nrp=ap; /* This 'if' denotes violation of 2*M<r^(n-1) boundary condition * formulated by C.D.Walter in "Montgomery exponentiation needs * no final subtractions." Incurred branch can disclose only * information about modulus length, which is not really secret. */ if ((mont->N.d[ri-1]>>(BN_BITS2-2))!=0) { size_t m1,m2; v=bn_sub_words(rp,ap,mont->N.d,ri); /* this -----------------------^^ works even in al<ri case v=bn_sub_words(rp,ap,np,ri); /* this ----------------^^ works even in al<ri case * thanks to zealous zeroing of top of the vector in the * beginning. */