0b8dc30932
Instead, use BN_mod_exp_mont_consttime of p - 2. This removes two more call sites sensitive to BN_FLG_CONSTTIME. We're down to just that last BN_mod_inverse modulo φ(n). (Sort of. It's actually not sensitive because even mod inverses always hit the other codepath. Perhaps we should just leave it alone.) Note this comes with a slight behavior change. The BN_MONT_CTXs are initialized a little earlier. If a caller calls RSA_generate_* and then reaches into the struct to scrap all the fields on it, they'll get confused. Before, they had to perform an operation on it to get confused. This is a completely ridiculous thing to do. Since we do this a lot, this introduces some convenience functions for doing the Fermat's Little Theorem mod inverse and fixes a leak in the DSA code should computing kinv hit a malloc error. BUG=125 Change-Id: Iafcae2fc6fd379d161f015c90ff7050e2282e905 Reviewed-on: https://boringssl-review.googlesource.com/12925 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> |
||
|---|---|---|
| .. | ||
| CMakeLists.txt | ||
| ecdsa_asn1.c | ||
| ecdsa_sign_test.cc | ||
| ecdsa_sign_tests.txt | ||
| ecdsa_test.cc | ||
| ecdsa_verify_test.cc | ||
| ecdsa_verify_tests.txt | ||
| ecdsa.c | ||