393
417
if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
398
420
if (a->neg || BN_ucmp(a,m) >= 0)
400
if (!BN_nnmod(&(val[0]),a,m,ctx))
422
if (!BN_nnmod(val[0],a,m,ctx))
406
428
if (BN_is_zero(aa))
411
if (!BN_to_montgomery(&(val[0]),aa,mont,ctx)) goto err; /* 1 */
434
if (!BN_to_montgomery(val[0],aa,mont,ctx)) goto err; /* 1 */
413
436
window = BN_window_bits_for_exponent_size(bits);
416
if (!BN_mod_mul_montgomery(d,&(val[0]),&(val[0]),mont,ctx)) goto err; /* 2 */
439
if (!BN_mod_mul_montgomery(d,val[0],val[0],mont,ctx)) goto err; /* 2 */
418
441
for (i=1; i<j; i++)
421
if (!BN_mod_mul_montgomery(&(val[i]),&(val[i-1]),d,mont,ctx))
443
if(((val[i] = BN_CTX_get(ctx)) == NULL) ||
444
!BN_mod_mul_montgomery(val[i],val[i-1],
427
450
start=1; /* This is used to avoid multiplication etc
489
512
if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
492
BN_clear_free(&(val[i]));
519
/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
520
* so that accessing any of these table values shows the same access pattern as far
521
* as cache lines are concerned. The following functions are used to transfer a BIGNUM
522
* from/to that table. */
524
static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
528
if (bn_wexpand(b, top) == NULL)
535
for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
537
buf[j] = ((unsigned char*)b->d)[i];
544
static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
548
if (bn_wexpand(b, top) == NULL)
551
for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
553
((unsigned char*)b->d)[i] = buf[j];
561
/* Given a pointer value, compute the next address that is a cache line multiple. */
562
#define MOD_EXP_CTIME_ALIGN(x_) \
563
((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
565
/* This variant of BN_mod_exp_mont() uses fixed windows and the special
566
* precomputation memory layout to limit data-dependency to a minimum
567
* to protect secret exponents (cf. the hyper-threading timing attacks
568
* pointed out by Colin Percival,
569
* http://www.daemonology.net/hyperthreading-considered-harmful/)
571
int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
572
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
574
int i,bits,ret=0,idx,window,wvalue;
578
BN_MONT_CTX *mont=NULL;
581
unsigned char *powerbufFree=NULL;
583
unsigned char *powerbuf=NULL;
584
BIGNUM *computeTemp=NULL, *am=NULL;
594
BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS);
604
/* Initialize BIGNUM context and allocate intermediate result */
607
if (r == NULL) goto err;
609
/* Allocate a montgomery context if it was not supplied by the caller.
610
* If this is not done, things will break in the montgomery part.
616
if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
617
if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
620
/* Get the window size to use with size of p. */
621
window = BN_window_bits_for_ctime_exponent_size(bits);
623
/* Allocate a buffer large enough to hold all of the pre-computed
626
numPowers = 1 << window;
627
powerbufLen = sizeof(m->d[0])*top*numPowers;
628
if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
631
powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
632
memset(powerbuf, 0, powerbufLen);
634
/* Initialize the intermediate result. Do this early to save double conversion,
635
* once each for a^0 and intermediate result.
637
if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
638
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err;
640
/* Initialize computeTemp as a^1 with montgomery precalcs */
641
computeTemp = BN_CTX_get(ctx);
642
am = BN_CTX_get(ctx);
643
if (computeTemp==NULL || am==NULL) goto err;
645
if (a->neg || BN_ucmp(a,m) >= 0)
647
if (!BN_mod(am,a,m,ctx))
653
if (!BN_to_montgomery(am,aa,mont,ctx)) goto err;
654
if (!BN_copy(computeTemp, am)) goto err;
655
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err;
657
/* If the window size is greater than 1, then calculate
658
* val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
659
* (even powers could instead be computed as (a^(i/2))^2
660
* to use the slight performance advantage of sqr over mul).
664
for (i=2; i<numPowers; i++)
666
/* Calculate a^i = a^(i-1) * a */
667
if (!BN_mod_mul_montgomery(computeTemp,am,computeTemp,mont,ctx))
669
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, numPowers)) goto err;
673
/* Adjust the number of bits up to a multiple of the window size.
674
* If the exponent length is not a multiple of the window size, then
675
* this pads the most significant bits with zeros to normalize the
676
* scanning loop to there's no special cases.
678
* * NOTE: Making the window size a power of two less than the native
679
* * word size ensures that the padded bits won't go past the last
680
* * word in the internal BIGNUM structure. Going past the end will
681
* * still produce the correct result, but causes a different branch
682
* * to be taken in the BN_is_bit_set function.
684
bits = ((bits+window-1)/window)*window;
685
idx=bits-1; /* The top bit of the window */
687
/* Scan the exponent one window at a time starting from the most
692
wvalue=0; /* The 'value' of the window */
694
/* Scan the window, squaring the result as we go */
695
for (i=0; i<window; i++,idx--)
697
if (!BN_mod_mul_montgomery(r,r,r,mont,ctx)) goto err;
698
wvalue = (wvalue<<1)+BN_is_bit_set(p,idx);
701
/* Fetch the appropriate pre-computed value from the pre-buf */
702
if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, numPowers)) goto err;
704
/* Multiply the result into the intermediate result */
705
if (!BN_mod_mul_montgomery(r,r,computeTemp,mont,ctx)) goto err;
708
/* Convert the final result from montgomery to standard format */
709
if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
712
if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
715
OPENSSL_cleanse(powerbuf,powerbufLen);
716
OPENSSL_free(powerbufFree);
718
if (am!=NULL) BN_clear(am);
719
if (computeTemp!=NULL) BN_clear(computeTemp);
631
867
if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
637
874
/* The old fallback, simple version :-) */
638
int BN_mod_exp_simple(BIGNUM *r,
639
const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
875
int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
876
const BIGNUM *m, BN_CTX *ctx)
642
int i,j,bits,ret=0,wstart,wend,window,wvalue,ts=0;
878
int i,j,bits,ret=0,wstart,wend,window,wvalue;
645
BIGNUM val[TABLE_SIZE];
881
/* Table of variables obtained from 'ctx' */
882
BIGNUM *val[TABLE_SIZE];
884
if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
886
/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
887
BNerr(BN_F_BN_MOD_EXP_SIMPLE,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
647
891
bits=BN_num_bits(p);
655
899
BN_CTX_start(ctx);
656
if ((d = BN_CTX_get(ctx)) == NULL) goto err;
901
val[0] = BN_CTX_get(ctx);
902
if(!d || !val[0]) goto err;
660
if (!BN_nnmod(&(val[0]),a,m,ctx)) goto err; /* 1 */
661
if (BN_is_zero(&(val[0])))
904
if (!BN_nnmod(val[0],a,m,ctx)) goto err; /* 1 */
905
if (BN_is_zero(val[0]))
667
912
window = BN_window_bits_for_exponent_size(bits);
670
if (!BN_mod_mul(d,&(val[0]),&(val[0]),m,ctx))
915
if (!BN_mod_mul(d,val[0],val[0],m,ctx))
671
916
goto err; /* 2 */
673
918
for (i=1; i<j; i++)
676
if (!BN_mod_mul(&(val[i]),&(val[i-1]),d,m,ctx))
920
if(((val[i] = BN_CTX_get(ctx)) == NULL) ||
921
!BN_mod_mul(val[i],val[i-1],d,m,ctx))
682
926
start=1; /* This is used to avoid multiplication etc
added
removed
crypto/bn/bn_exp.c
