authorAndy Polyakov <appro@openssl.org>2018-04-30 22:59:51 +0200
committerAndy Polyakov <appro@openssl.org>2018-05-02 21:55:21 +0200
commit774ff8fed67e19d4f5f0df2f59050f2737abab2a (patch)
treebaadef3cf3ed74ba3068742c4dcac359868625e4 /crypto/bn/asm/ia64-mont.pl
parent48bc0d99af6df9919ddbe71e4bc6d8690e9b5174 (diff)
bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.
Montgomery multiplication post-conditions in some of the code paths were formally non-constant time. The cache access pattern was result-neutral, but a little bit asymmetric, which might have produced a signal [if the processor reordered loads and stores at run-time]. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6141)
Diffstat (limited to 'crypto/bn/asm/ia64-mont.pl')
-rw-r--r--crypto/bn/asm/ia64-mont.pl18
1 files changed, 9 insertions, 9 deletions
diff --git a/crypto/bn/asm/ia64-mont.pl b/crypto/bn/asm/ia64-mont.pl
index 9d1ecf6a4e..96d312f2c2 100644
--- a/crypto/bn/asm/ia64-mont.pl
+++ b/crypto/bn/asm/ia64-mont.pl
@@ -341,19 +341,19 @@ bn_mul_mont_general:
{ .mmb; sub rptr=rptr,len // rewind
sub tptr=tptr,len
clrrrb.pr };;
-{ .mmi; and aptr=tptr,topbit
- andcm bptr=rptr,topbit
+{ .mmi; mov aptr=rptr
+ mov bptr=tptr
mov pr.rot=1<<16 };;
-{ .mii; or nptr=aptr,bptr
+{ .mii; cmp.eq p0,p6=topbit,r0
mov ar.lc=lc
- mov ar.ec=3 };;
+ mov ar.ec=2 };;
.Lcopy_ctop:
-{ .mmb; (p16) ld8 n[0]=[nptr],8
- (p18) st8 [tptr]=r0,8
- (p16) nop.b 0 }
-{ .mmb; (p16) nop.m 0
- (p18) st8 [rptr]=n[2],8
+{ .mmi; (p16) ld8 a[0]=[aptr],8
+ (p16) ld8 t[0]=[bptr],8
+ (p6) mov a[1]=t[1] };; // (p17)
+{ .mmb; (p17) st8 [rptr]=a[1],8
+ (p17) st8 [tptr]=r0,8
br.ctop.sptk .Lcopy_ctop };;
.Lcopy_cend:
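Review bot: The predicated select in `.Lcopy_ctop` is what makes this final copy constant-time, yet its only comment is the terse `// (p17)`, so the invariant is easy to break in a later cleanup. Both `ld8`s and both `st8`s now run on every iteration regardless of `topbit`, and only `(p6) mov a[1]=t[1]` depends on it; I would state that above the loop, e.g. `// constant-time select: always load rptr[] and tptr[], p6 (topbit!=0) picks tptr[], always store rptr[] and wipe tptr[]`. It is also worth noting that the `mov` is deliberately not qualified by p17, so it runs on the first pass with a not-yet-loaded `t[1]`, which looks harmless because the `st8` is gated by `(p17)`, and that `ar.ec=2` follows from the loop now having two pipeline stages. `topbit` is set outside this hunk, and `bn_mul_mont_general` begins and continues beyond it, so the value `cmp.eq p0,p6=topbit,r0` relies on should be checked against the subtraction loop above.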