On Wed, Mar 28, 2007 at 10:56:54AM -0700, Wood, Matthew D wrote:
> We intentionally use BN_with_flags() to set BN_FLG_CONSTTIME for d
> before d mod (p-1) and d mod (q-1) are computed.
> The reason is that BN_mod(rem,num,divisor,ctx) is equivalent to
> BN_div(NULL,(rem),(num),(divisor),(ctx)). BN_div invokes
> BN_div_no_branch only if num has the BN_FLG_CONSTTIME flag on.
> Therefore, we need to set BN_FLG_CONSTTIME for d, rather than p-1 and
> q-1.
Yes, of course. Somehow I had assumed that it's the flag for the
divisor being looked at, by analogy with the BN_mod_inverse() case,
where it's the flag for the modulus that matters.
I guess I could explain this by the time of day when I was reading the
patch (around 1:30 am), but I actually do think that it makes sense
to expect what I expected.
I'll at least have to fix my description in the CHANGES file. But I
think the best choice here is to make both BN_div() and
BN_mod_inverse() more fool-proof, by having them check
BN_FLG_CONSTTIME on *both* input BIGNUMs and use the no_branch variant
if either of these is set.
Bodo
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]