diff options
| author | Andy Polyakov <appro@openssl.org> | 2018-04-30 22:59:51 +0200 |
|---|---|---|
| committer | Andy Polyakov <appro@openssl.org> | 2018-05-02 21:55:21 +0200 |
| commit | 774ff8fed67e19d4f5f0df2f59050f2737abab2a (patch) | |
| tree | baadef3cf3ed74ba3068742c4dcac359868625e4 /crypto/bn/asm/x86_64-mont5.pl | |
| parent | 48bc0d99af6df9919ddbe71e4bc6d8690e9b5174 (diff) | |
bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.
Montgomery multiplication post-conditions in some of code paths were
formally non-constant time. Cache access pattern was result-neutral,
but a little bit asymmetric, which might have produced a signal [if
processor reordered load and stores at run-time].
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6141)
Diffstat (limited to 'crypto/bn/asm/x86_64-mont5.pl')
| -rwxr-xr-x | crypto/bn/asm/x86_64-mont5.pl | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl index 263543579f..b1ad71fd78 100755 --- a/crypto/bn/asm/x86_64-mont5.pl +++ b/crypto/bn/asm/x86_64-mont5.pl @@ -423,18 +423,19 @@ $code.=<<___; jnz .Lsub sbb \$0,%rax # handle upmost overflow bit + mov \$-1,%rbx + xor %rax,%rbx xor $i,$i - and %rax,$ap - not %rax - mov $rp,$np - and %rax,$np mov $num,$j # j=num - or $np,$ap # ap=borrow?tp:rp -.align 16 -.Lcopy: # copy or in-place refresh - mov ($ap,$i,8),%rax + +.Lcopy: # conditional copy + mov ($rp,$i,8),%rcx + mov (%rsp,$i,8),%rdx + and %rbx,%rcx + and %rax,%rdx mov $i,(%rsp,$i,8) # zap temporary vector - mov %rax,($rp,$i,8) # rp[i]=tp[i] + or %rcx,%rdx + mov %rdx,($rp,$i,8) # rp[i]=tp[i] lea 1($i),$i sub \$1,$j jnz .Lcopy |