diff options
author | Andy Polyakov <appro@openssl.org> | 2007-06-29 13:12:34 +0000 |
---|---|---|
committer | Andy Polyakov <appro@openssl.org> | 2007-06-29 13:12:34 +0000 |
commit | a166e96d1644872b069f5e6ab39524ff55f44cee (patch) | |
tree | c38198a6646a4969715ec0436e9c42c7bfb37f8b /crypto/bn | |
parent | 8dd8ce1dc3806f0461cba6494e2ff5b526bd27f5 (diff) |
bn_mont.c fix [from HEAD].
Diffstat (limited to 'crypto/bn')
-rw-r--r-- | crypto/bn/bn_mont.c | 44 |
1 files changed, 19 insertions, 25 deletions
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c index bf45fe916d..30bdeabcd5 100644 --- a/crypto/bn/bn_mont.c +++ b/crypto/bn/bn_mont.c @@ -246,32 +246,26 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, rp=ret->d; ap=&(r->d[ri]); - nrp=ap; - /* This 'if' denotes violation of 2*M<r^(n-1) boundary condition - * formulated by C.D.Walter in "Montgomery exponentiation needs - * no final subtractions." Incurred branch can disclose only - * information about modulus length, which is not really secret. */ - if ((mont->N.d[ri-1]>>(BN_BITS2-2))!=0) - { - size_t m1,m2; - - v=bn_sub_words(rp,ap,mont->N.d,ri); - /* this -----------------------^^ works even in al<ri case - * thanks to zealous zeroing of top of the vector in the - * beginning. */ - - /* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */ - /* in other words if subtraction result is real, then - * trick unconditional memcpy below to perform in-place - * "refresh" instead of actual copy. */ - m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1); /* al<ri */ - m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1); /* al>ri */ - m1|=m2; /* (al!=ri) */ - m1|=(0-(size_t)v); /* (al!=ri || v) */ - m1&=~m2; /* (al!=ri || v) && !al>ri */ - nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1)); - } + { + size_t m1,m2; + + v=bn_sub_words(rp,ap,np,ri); + /* this ----------------^^ works even in al<ri case + * thanks to zealous zeroing of top of the vector in the + * beginning. */ + + /* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */ + /* in other words if subtraction result is real, then + * trick unconditional memcpy below to perform in-place + * "refresh" instead of actual copy. */ + m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1); /* al<ri */ + m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1); /* al>ri */ + m1|=m2; /* (al!=ri) */ + m1|=(0-(size_t)v); /* (al!=ri || v) */ + m1&=~m2; /* (al!=ri || v) && !al>ri */ + nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1)); + } /* 'i<ri' is chosen to eliminate dependency on input data, even * though it results in redundant copy in al<ri case. */ |