diff options
author | Tomas Mraz <tomas@openssl.org> | 2024-04-11 13:10:09 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-05-02 09:16:36 +0200 |
commit | d7d1bdcb6aa3d5000bf7f5ebc5518be5c91fd5a5 (patch) | |
tree | a6d32658325063bae7bf5f7f2280326d620d1bcf /crypto/bn/bn_lib.c | |
parent | fd6be6c55b627204bffd203f563318778e67c388 (diff) | |
download | openssl-d7d1bdcb6aa3d5000bf7f5ebc5518be5c91fd5a5.tar.gz |
Make BN_generate_dsa_nonce() constant time and non-biased
Co-authored-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)
Diffstat (limited to 'crypto/bn/bn_lib.c')
-rw-r--r-- | crypto/bn/bn_lib.c | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 9070647b35..85698885ed 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -708,14 +708,29 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b) int i; BN_ULONG t1, t2, *ap, *bp; + ap = a->d; + bp = b->d; + + if (BN_get_flags(a, BN_FLG_CONSTTIME) + && a->top == b->top) { + int res = 0; + + for (i = 0; i < b->top; i++) { + res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]), + -1, res); + res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]), + 1, res); + } + return res; + } + bn_check_top(a); bn_check_top(b); i = a->top - b->top; if (i != 0) return i; - ap = a->d; - bp = b->d; + for (i = a->top - 1; i >= 0; i--) { t1 = ap[i]; t2 = bp[i]; @@ -827,11 +842,10 @@ int BN_is_bit_set(const BIGNUM *a, int n) return (int)(((a->d[i]) >> j) & ((BN_ULONG)1)); } -int BN_mask_bits(BIGNUM *a, int n) +int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n) { int b, w; - bn_check_top(a); if (n < 0) return 0; @@ -845,10 +859,20 @@ int BN_mask_bits(BIGNUM *a, int n) a->top = w + 1; a->d[w] &= ~(BN_MASK2 << b); } - bn_correct_top(a); return 1; } +int BN_mask_bits(BIGNUM *a, int n) +{ + int ret; + + bn_check_top(a); + ret = ossl_bn_mask_bits_fixed_top(a, n); + if (ret) + bn_correct_top(a); + return ret; +} + void BN_set_negative(BIGNUM *a, int b) { if (b && !BN_is_zero(a)) |