| author | Billy Brumley <bbrumley@gmail.com> | 2018-04-19 12:21:51 +0300 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-04-23 19:14:25 +0100 |
| commit | 40e48e54582e46c1a01e184ecf5bd31f4f7f8294 (patch) | |
| tree | 14b7ee75bcd9a2656dd0ee5bdda25313f9ad307a /crypto/bn/bn_lib.c | |
| parent | 5b820d785d6b5f9c3fedcf0ce4e4f0476a1bb9c8 (diff) | |
Elliptic curve scalar multiplication with timing attack defenses
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
Diffstat (limited to 'crypto/bn/bn_lib.c')
-rw-r--r-- | crypto/bn/bn_lib.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 57fe45288b..a446880ec7 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -739,6 +739,19 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) a->top ^= t; b->top ^= t; + t = (a->neg ^ b->neg) & condition; + a->neg ^= t; + b->neg ^= t; + + /* + * cannot just arbitrarily swap flags. + * The way a->d is allocated etc. + * BN_FLG_MALLOCED, BN_FLG_STATIC_DATA, ... + */ + t = (a->flags ^ b->flags) & condition & BN_FLG_CONSTTIME; + a->flags ^= t; + b->flags ^= t; + #define BN_CONSTTIME_SWAP(ind) \ do { \ t = (a->d[ind] ^ b->d[ind]) & condition; \ |
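Review bot: the comment above the flags swap should state why BN_FLG_CONSTTIME is the one flag allowed to travel with the value: it describes how the number must be handled, whereas BN_FLG_MALLOCED and BN_FLG_STATIC_DATA describe who owns `a->d`, which this function never swaps, so the `& BN_FLG_CONSTTIME` mask is what keeps the allocation state attached to the right BIGNUM. Wording such as "Only BN_FLG_CONSTTIME is swapped; the other flags describe how d was allocated and must stay with their BIGNUM" would make that intent clear to the next reader. Two smaller points on the same hunk: the new `neg` and `flags` swaps rely on `condition` already being a 0/all-ones BN_ULONG mask, exactly as the `top` swap above them does, and `a->neg ^= t` / `a->flags ^= t` store a BN_ULONG into `int` fields; the narrowing is harmless here because only the low bits can be set (at most 1 for `neg`, at most BN_FLG_CONSTTIME for `flags`), but a one-line comment saying so would save a reviewer from re-deriving it. The security value of the change is worth spelling out in that comment too: without these lines a constant-time swap of two ladder operands would leave the sign and the constant-time marker behind, so the swapped values would not be handled as the caller intended.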