authorBilly Brumley <bbrumley@gmail.com>2018-04-19 12:21:51 +0300
committerMatt Caswell <matt@openssl.org>2018-04-23 19:14:25 +0100
commit40e48e54582e46c1a01e184ecf5bd31f4f7f8294 (patch)
tree14b7ee75bcd9a2656dd0ee5bdda25313f9ad307a /crypto/bn/bn_lib.c
parent5b820d785d6b5f9c3fedcf0ce4e4f0476a1bb9c8 (diff)
Elliptic curve scalar multiplication with timing attack defenses
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi> Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6009)
Diffstat (limited to 'crypto/bn/bn_lib.c')
-rw-r--r--crypto/bn/bn_lib.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 57fe45288b..a446880ec7 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -739,6 +739,19 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
a->top ^= t;
b->top ^= t;
+ t = (a->neg ^ b->neg) & condition;
+ a->neg ^= t;
+ b->neg ^= t;
+
+ /*
+ * cannot just arbitrarily swap flags.
+ * The way a->d is allocated etc.
+ * BN_FLG_MALLOCED, BN_FLG_STATIC_DATA, ...
+ */
+ t = (a->flags ^ b->flags) & condition & BN_FLG_CONSTTIME;
+ a->flags ^= t;
+ b->flags ^= t;
+
#define BN_CONSTTIME_SWAP(ind) \
do { \
t = (a->d[ind] ^ b->d[ind]) & condition; \