mirror of
https://github.com/openssl/openssl.git
synced 2025-01-06 13:26:43 +08:00
0ae365e1f8
This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime would sometimes return m, the modulus, when it should have returned zero. Thanks to Guido Vranken for reporting it. It is only a partial fix because the same bug also exists in the "rsaz" codepath. The bug only affects zero outputs (with non-zero inputs), so we believe it has no security impact on our cryptographic functions. The fx is to delete lowercase bn_from_montgomery altogether, and have the mont5 path use the same BN_from_montgomery ending as the non-mont5 path. This only impacts the final step of the whole exponentiation and has no measurable perf impact. See the original BoringSSL commit https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315 for further analysis. Original-author: David Benjamin <davidben@google.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18510) |
||
|---|---|---|
| .. | ||
| alpha-mont.pl | ||
| armv4-gf2m.pl | ||
| armv4-mont.pl | ||
| armv8-mont.pl | ||
| bn-586.pl | ||
| bn-c64xplus.asm | ||
| c64xplus-gf2m.pl | ||
| co-586.pl | ||
| ia64-mont.pl | ||
| ia64.S | ||
| mips-mont.pl | ||
| mips.pl | ||
| parisc-mont.pl | ||
| ppc64-mont-fixed.pl | ||
| ppc64-mont.pl | ||
| ppc-mont.pl | ||
| ppc.pl | ||
| rsaz-2k-avx512.pl | ||
| rsaz-3k-avx512.pl | ||
| rsaz-4k-avx512.pl | ||
| rsaz-avx2.pl | ||
| rsaz-x86_64.pl | ||
| s390x-gf2m.pl | ||
| s390x-mont.pl | ||
| s390x.S | ||
| sparct4-mont.pl | ||
| sparcv8.S | ||
| sparcv8plus.S | ||
| sparcv9-gf2m.pl | ||
| sparcv9-mont.pl | ||
| sparcv9a-mont.pl | ||
| via-mont.pl | ||
| vis3-mont.pl | ||
| x86_64-gcc.c | ||
| x86_64-gf2m.pl | ||
| x86_64-mont5.pl | ||
| x86_64-mont.pl | ||
| x86-gf2m.pl | ||
| x86-mont.pl | ||