On Wed, Mar 28, 2007 at 10:56:54AM -0700, Wood, Matthew D wrote:
> We intentionally use BN_with_flags() to set BN_FLG_CONSTTIME for d
> before d mod (p-1) and d mod (q-1) are computed.
>
> The reason is that BN_mod(rem,num,divisor,ctx) is equivalent to
> BN_div(NULL,(rem),(num),(divisor),(ctx)). BN_div invokes
> BN_div_no_branch only if num has the BN_FLG_CONSTTIME flag on.
>
> Therefore, we need to set BN_FLG_CONSTTIME for d, rather than p-1 and
> q-1.
Yes, of course. Somehow I had assumed that it's the flag for the divisor being looked at, by analogy with the BN_mod_inverse() case, where it's the flag for the modulus that matters. I guess I could explain this by the time of day when I was reading the patch (around 1:30 am), but I actually do think that it makes sense to expect what I expected.

I'll at least have to fix my description in the CHANGES files. But I think the best choice here is to make both BN_div() and BN_mod_inverse() more fool-proof, by having them check BN_FLG_CONSTTIME on *both* input BIGNUMs and use the no_branch variant if either of these is set.

Bodo
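The dispatch rule the thread is about (which operand's BN_FLG_CONSTTIME flag selects the no-branch division, and the proposed "check both operands" fix) in a small constructed model. This is added illustration code, not OpenSSL's BN implementation: `model_bn`, `MODEL_FLG_CONSTTIME`, `model_bn_mod`, `choose_variant` and `scenario_variant` are names invented here, the "bignum" is a single 64-bit limb, and the no-branch remainder is a masked shift-and-subtract loop standing in for BN_div_no_branch.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the BN_FLG_CONSTTIME dispatch discussed in the mail.
 * Not OpenSSL code: a "BIGNUM" here is one 64-bit limb plus a flags word. */
#define MODEL_FLG_CONSTTIME 0x04   /* hypothetical flag value for this model */

typedef struct {
    uint64_t v;
    int flags;
} model_bn;

typedef enum { VARIANT_BRANCH = 0, VARIANT_NO_BRANCH = 1 } div_variant;

/* Ordinary remainder: the hardware divider's timing depends on the operands. */
static uint64_t mod_branch(uint64_t num, uint64_t div) {
    return num % div;
}

/* Branch-free unsigned x < y (Hacker's Delight form): returns 1 if x < y, else 0. */
static uint64_t ct_lt(uint64_t x, uint64_t y) {
    return ((~x & y) | (~(x ^ y) & (x - y))) >> 63;
}

/* Branch-free shift-and-subtract remainder: always 64 iterations, and the
 * conditional subtraction is applied through a mask instead of an if.
 * Precondition: 0 < div <= 2^63 so the shifted remainder cannot overflow. */
static uint64_t mod_no_branch(uint64_t num, uint64_t div) {
    uint64_t rem = 0;
    for (int i = 63; i >= 0; i--) {
        rem = (rem << 1) | ((num >> i) & 1);
        uint64_t diff = rem - div;
        uint64_t keep = 0 - ct_lt(rem, div);   /* all ones when rem < div */
        rem = (rem & keep) | (diff & ~keep);
    }
    return rem;
}

/* check_both == 0 models the behaviour described in the mail (only the
 * dividend's flag is consulted); check_both != 0 models the proposed fix
 * (the flag on either operand selects the no-branch path). The branch on
 * check_both is on a fixed policy bit, not on operand values. */
static div_variant choose_variant(const model_bn *num, const model_bn *div, int check_both) {
    int ct = (num->flags & MODEL_FLG_CONSTTIME) != 0;
    if (check_both)
        ct |= (div->flags & MODEL_FLG_CONSTTIME) != 0;
    return ct ? VARIANT_NO_BRANCH : VARIANT_BRANCH;
}

/* rem = num mod div; returns which variant was used. */
static div_variant model_bn_mod(model_bn *rem, const model_bn *num,
                                const model_bn *div, int check_both) {
    div_variant variant = choose_variant(num, div, check_both);
    rem->v = (variant == VARIANT_NO_BRANCH) ? mod_no_branch(num->v, div->v)
                                            : mod_branch(num->v, div->v);
    rem->flags = 0;
    return variant;
}

/* Convenience wrapper: which variant runs for a given placement of the flag.
 * Operand values are constructed stand-ins for d and p-1, not RSA parameters. */
static int scenario_variant(int flag_on_num, int flag_on_div, int check_both) {
    model_bn d   = { 1234567890123ULL, flag_on_num ? MODEL_FLG_CONSTTIME : 0 };
    model_bn pm1 = { 65521ULL,         flag_on_div ? MODEL_FLG_CONSTTIME : 0 };
    model_bn r;
    return (int)model_bn_mod(&r, &d, &pm1, check_both);
}

int main(void) {
    printf("flag on d only, dividend-only check:  variant %d\n", scenario_variant(1, 0, 0));
    printf("flag on p-1 only, dividend-only check: variant %d\n", scenario_variant(0, 1, 0));
    printf("flag on p-1 only, check-both fix:      variant %d\n", scenario_variant(0, 1, 1));
    printf("no-branch remainder agrees: %d\n",
           mod_no_branch(1234567890123ULL, 65521ULL) == 1234567890123ULL % 65521ULL);
    return 0;
}
```

The second scenario is the pitfall described in the thread: with only the dividend's flag consulted, marking p-1 instead of d silently takes the branching path, and nothing in the result reveals it. The third scenario shows why checking the flag on both operands removes that trap.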
