From d879e299366895d7d80d83cfbbe05bc6a09e2a27 Mon Sep 17 00:00:00 2001
From: Brian Smith
Date: Tue, 22 Mar 2016 17:30:42 -1000
Subject: [PATCH] Further optimize Montgomery math in RSA blinding.

Change-Id: I830c6115ce2515a7b9d1dcb153c4cd8928fb978f
Reviewed-on: https://boringssl-review.googlesource.com/7591
Reviewed-by: David Benjamin
---
 crypto/rsa/blinding.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/crypto/rsa/blinding.c b/crypto/rsa/blinding.c
index db03d565..776839e5 100644
--- a/crypto/rsa/blinding.c
+++ b/crypto/rsa/blinding.c
@@ -247,8 +247,15 @@ static int bn_blinding_create_param(BN_BLINDING *b, const BN_MONT_CTX *mont,
     return 0;
   }
 
+  /* |BN_from_montgomery| + |BN_mod_inverse_no_branch| is equivalent to, but
+   * more efficient than, |BN_mod_inverse_no_branch| + |BN_to_montgomery|. */
+  if (!BN_from_montgomery(b->Ai, b->A, mont, ctx)) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
   int no_inverse;
-  if (BN_mod_inverse_ex(b->Ai, &no_inverse, b->A, &mont_N_consttime, ctx) ==
+  if (BN_mod_inverse_ex(b->Ai, &no_inverse, b->Ai, &mont_N_consttime, ctx) ==
       NULL) {
     /* this should almost never happen for good RSA keys */
     if (no_inverse) {
@@ -271,8 +278,7 @@ static int bn_blinding_create_param(BN_BLINDING *b, const BN_MONT_CTX *mont,
     return 0;
   }
 
-  if (!BN_to_montgomery(b->A, b->A, mont, ctx) ||
-      !BN_to_montgomery(b->Ai, b->Ai, mont, ctx)) {
+  if (!BN_to_montgomery(b->A, b->A, mont, ctx)) {
     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
     return 0;
   }
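Review bot: The new comment in the first hunk names `BN_mod_inverse_no_branch`, but the call it explains on the following lines is `BN_mod_inverse_ex`, so the comment will mislead the next reader about which function is doing the inversion; it should read `/* |BN_from_montgomery| + |BN_mod_inverse_ex| is equivalent to, but more efficient than, |BN_mod_inverse_ex| + |BN_to_montgomery|. */`. It would also help to state why the result is unchanged, since the second hunk silently drops the `BN_to_montgomery(b->Ai, ...)` conversion that used to produce the Montgomery-form inverse: something like `/* Ai = (A * R^-1)^-1 mod N = A^-1 * R mod N, i.e. A^-1 already in Montgomery form. */` next to the inverse call makes the equivalence checkable without re-deriving it. The rewritten `BN_mod_inverse_ex` call now passes `b->Ai` as both result and input; the hunk does not show whether that function permits aliasing of those arguments, so that contract should be confirmed (or documented on the call) rather than assumed from the existing in-place `BN_to_montgomery(b->A, b->A, ...)` use. `bn_blinding_create_param` begins before the first hunk and continues past the second.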