Branch: refs/heads/master
Home: https://github.openssl.org/openssl/openssl

Commit: 0ae365e1f80648f4c52aa3ac9bbc279b6192b23e
https://github.openssl.org/openssl/openssl/commit/0ae365e1f80648f4c52aa3ac9bbc279b6192b23e
Author: Tomas Mraz <to...@openssl.org>
Date: 2022-06-16 (Thu, 16 Jun 2022)

Changed paths:
  M crypto/bn/asm/x86_64-mont5.pl
  M crypto/bn/bn_exp.c
  M test/recipes/10-test_bn_data/bnmod.txt

Log Message:
-----------
Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.

This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime would sometimes return m, the modulus, when it should have returned zero. Thanks to Guido Vranken for reporting it. It is only a partial fix because the same bug also exists in the "rsaz" codepath.

The bug only affects zero outputs (with non-zero inputs), so we believe it has no security impact on our cryptographic functions.

The fix is to delete lowercase bn_from_montgomery altogether, and have the mont5 path use the same BN_from_montgomery ending as the non-mont5 path. This only impacts the final step of the whole exponentiation and has no measurable perf impact.

See the original BoringSSL commit https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315 for further analysis.

Original-author: David Benjamin <david...@google.com>
Reviewed-by: Matt Caswell <m...@openssl.org>
Reviewed-by: Paul Dale <pa...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18510)

Commit: 6d702cebfce3ffd9d8c0cb2af80a987d3288e7a3
https://github.openssl.org/openssl/openssl/commit/6d702cebfce3ffd9d8c0cb2af80a987d3288e7a3
Author: Tomas Mraz <to...@openssl.org>
Date: 2022-06-16 (Thu, 16 Jun 2022)

Changed paths:
  M crypto/bn/rsaz_exp.c
  M crypto/bn/rsaz_exp.h
  M crypto/bn/rsaz_exp_x2.c
  M test/recipes/10-test_bn_data/bnmod.txt

Log Message:
-----------
Add an extra reduction step to RSAZ mod_exp implementations

Inspired by BoringSSL fix by David Benjamin.

Reviewed-by: Matt Caswell <m...@openssl.org>
Reviewed-by: Paul Dale <pa...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18510)

Compare: https://github.openssl.org/openssl/openssl/compare/b2feb9f0e394...6d702cebfce3
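
The symptom named in the first log message (m returned where zero was expected) can be shown with a toy single-word Montgomery reduction. This is an added example, not OpenSSL or BoringSSL code. It assumes R = 2^32 and an odd modulus below 2^31; the flawed variant and all function names are constructed for illustration and do not reproduce the x86_64 or RSAZ code paths.

```c
/* Toy single-word Montgomery reduction (R = 2^32), constructed for illustration.
 * Not OpenSSL or BoringSSL code; the flawed variant is a constructed defect. */
#include <stdint.h>
#include <stdio.h>

/* -m^-1 mod 2^32 for odd m (Newton iteration; m is its own inverse mod 8). */
static uint32_t neg_inv32(uint32_t m) {
    uint32_t x = m;
    for (int i = 0; i < 5; i++)
        x *= 2u - m * x;        /* doubles the number of correct low bits */
    return 0u - x;
}

/* Core step: T * R^-1 mod m plus at most one extra m, so the value is in [0, 2m).
 * Requires odd m < 2^31 and T < m * 2^32 so nothing overflows. */
static uint64_t redc_core(uint64_t T, uint32_t m) {
    uint32_t q = (uint32_t)T * neg_inv32(m);
    return (T + (uint64_t)q * m) >> 32;
}

/* Normal ending: one conditional subtraction that also covers t == m. */
uint32_t redc_full(uint64_t T, uint32_t m) {
    uint64_t t = redc_core(T, m);
    return (uint32_t)(t >= m ? t - m : t);
}

/* Constructed flaw: the correction misses t == m, so zero comes back as m. */
uint32_t redc_flawed(uint64_t T, uint32_t m) {
    uint64_t t = redc_core(T, m);
    return (uint32_t)(t > m ? t - m : t);
}

/* Range check a caller or regression test can apply to any mod-m result. */
int is_fully_reduced(uint32_t r, uint32_t m) { return r < m; }

int main(void) {
    const uint32_t m = 0x7fffffffu;             /* constructed odd modulus */
    const uint64_t zero_like = (uint64_t)m * 5; /* congruent to 0, not stored as 0 */
    printf("full:   %u\n", redc_full(zero_like, m));
    printf("flawed: %u (fully reduced: %d)\n", redc_flawed(zero_like, m),
           is_fully_reduced(redc_flawed(zero_like, m), m));
    return 0;
}
```

The two variants differ only on inputs congruent to zero, so a test that does not target zero outputs will not see the difference, while a range check of the form result < m will.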