author | Andy Polyakov <appro@openssl.org> | 2018-07-06 15:55:34 +0200 |
---|---|---|
committer | Andy Polyakov <appro@openssl.org> | 2018-07-18 16:08:59 +0200 |
commit | 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f (patch) | |
tree | 47fd1b4a09f2482d51d461450f1cc21b6cb970f0 /crypto/include | |
parent | 83e034379fa3f6f0d308ec75fbcb137e26154aec (diff) |
ec/ecdsa_ossl.c: revert blinding in ECDSA signature.
Originally suggested solution for "Return Of the Hidden Number Problem"
is arguably too expensive. While it has marginal impact on slower
curves, none to ~6%, optimized implementations suffer real penalties.
Most notably sign with P-256 went more than 2 times[!] slower. Instead,
just implement constant-time BN_mod_add_quick.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6664)
Diffstat (limited to 'crypto/include')
-rw-r--r-- | crypto/include/internal/bn_int.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/include/internal/bn_int.h b/crypto/include/internal/bn_int.h index e7fd8992f4..f7d37d5827 100644 --- a/crypto/include/internal/bn_int.h +++ b/crypto/include/internal/bn_int.h @@ -71,5 +71,7 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx); int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx); +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m); #endif |
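Review bot: The new `bn_mod_add_fixed_top` prototype in `bn_int.h` is declared without any comment on its contract, and the signature alone does not tell a caller what is safe to pass. Since the commit message describes it as the constant-time form of `BN_mod_add_quick`, the header should state whether it carries the same precondition (both `a` and `b` non-negative and already less than `m`) and what the `_fixed_top` suffix means for the result `r`. A caller that passes an unreduced operand to a routine written for reduced inputs would either get a wrong result or reintroduce the timing variation this change is meant to remove. A two or three line comment above the declaration, covering input ranges and whether `r` may alias `a` or `b`, would make the constant-time assumption checkable at call sites such as the ECDSA signing path named in the commit subject.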