path: root/src/lib/libcrypto/bn/bn_exp.c
authorbeck <>2017-01-21 09:38:59 +0000
committerbeck <>2017-01-21 09:38:59 +0000
commitba7dab5b77b1e4dd797dbe7a4c31b5f4cbea0cd7 (patch)
treea68beae7892dad13fd8d76ba1fc45e6570e3360b /src/lib/libcrypto/bn/bn_exp.c
parent0c45e4e4d42eacefe309063241d5a7f6de6674e7 (diff)
Make explicit _ct and _nonct versions of bn_mod_exp functions that
matter for constant time, and make the public interface only used externally to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
Diffstat (limited to 'src/lib/libcrypto/bn/bn_exp.c')
-rw-r--r--src/lib/libcrypto/bn/bn_exp.c66
1 files changed, 55 insertions, 11 deletions
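--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.27 2017/01/21 04:34:16 beck Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.28 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -172,9 +172,9 @@ err:
 	return (ret);
 }
 
-int
-BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-    BN_CTX *ctx)
+static int
+BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, int ct)
 {
 	int ret;
 
@@ -213,12 +213,11 @@ BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	 */
 
 	if (BN_is_odd(m)) {
-		if (a->top == 1 && !a->neg &&
-		    (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)) {
+		if (a->top == 1 && !a->neg && !ct) {
 			BN_ULONG A = a->d[0];
 			ret = BN_mod_exp_mont_word(r, A,p, m,ctx, NULL);
 		} else
-			ret = BN_mod_exp_mont(r, a,p, m,ctx, NULL);
+			ret = BN_mod_exp_mont_ct(r, a,p, m,ctx, NULL);
 	} else {
 		ret = BN_mod_exp_recp(r, a,p, m, ctx);
 	}
@@ -228,6 +227,30 @@ BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 }
 
 int
+BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+	return BN_mod_exp_internal(r, a, p, m, ctx,
+	    (BN_get_flags(p, BN_FLG_CONSTTIME) != 0));
+}
+
+int
+BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+	return BN_mod_exp_internal(r, a, p, m, ctx, 1);
+}
+
+
+int
+BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+	return BN_mod_exp_internal(r, a, p, m, ctx, 0);
+}
+
+
+int
 BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
     BN_CTX *ctx)
 {
@@ -361,9 +384,9 @@ err:
 	return (ret);
 }
 
-int
-BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+static int
+BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont, int ct)
 {
 	int i, j, bits, ret = 0, wstart, wend, window, wvalue;
 	int start = 1;
@@ -373,7 +396,7 @@ BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	BIGNUM *val[TABLE_SIZE];
 	BN_MONT_CTX *mont = NULL;
 
-	if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+	if (ct) {
 		return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
 	}
 
@@ -513,6 +536,27 @@ err:
 	return (ret);
 }
 
+int
+BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+	return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont,
+	    (BN_get_flags(p, BN_FLG_CONSTTIME) != 0));
+}
+
+int
+BN_mod_exp_mont_ct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+	return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 1);
+}
+
+int
+BN_mod_exp_mont_nonct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+	return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 0);
+}
 
 /* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
  * so that accessing any of these table values shows the same access pattern as far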
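Review bot: In the `@@ -213,12 +213,11 @@` hunk, BN_mod_exp_internal() honours `ct` only inside the `BN_is_odd(m)` branch; for an even modulus it still falls through to BN_mod_exp_recp() regardless of `ct`, so BN_mod_exp_ct() does not give a constant-time exponentiation for even `m` even though the new name promises one. The flag-based code had the same gap, but the commit makes the guarantee explicit, so the limitation should be stated where the fallback happens, e.g. `/* XXX ct is only honoured for odd m; BN_mod_exp_recp() is not constant time. */` above the `else` branch. In the same hunk, with `ct == 0` the multi-word odd case now calls BN_mod_exp_mont_ct() on new line 220, so the `_nonct` variant only affects the single-word fast path; if that is intended, a one-line comment saying so would spare the next reader a trace through BN_mod_exp_mont_internal(). BN_mod_exp_internal's body continues outside the hunk.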