Fix timing leak in BN_from_montgomery_word. (db91094a) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Commit db91094a authored Jan 31, 2018 by

David Benjamin Committed by Andy Polyakov Feb 01, 2018

Fix timing leak in BN_from_montgomery_word.

BN_from_montgomery_word doesn't have a constant memory access pattern.
Replace the pointer trick with a constant-time select. There is, of
course, still the bn_correct_top leak pervasive in BIGNUM itself.

See also https://boringssl-review.googlesource.com/22904

 from BoringSSL.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5228)

(cherry picked from commit f345b1f3)

parent 723183b5

Hide whitespace changes

Inline Side-by-side

Please register or to comment