author | Brian Smith <brian@briansmith.org> | 2016-08-03 05:58:57 +0300 |
---|---|---|
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | 2016-08-06 01:09:35 +0300 |
commit | a432757acb22705df050269b4ced34198603266e (patch) | |
tree | d2dea44392ee4e176b3c4dd24bdb5036dfa35269 /include | |
parent | 4cfdf417893767235fe0a82ac40aacc0cf25affb (diff) |
Use BN_mod_inverse_odd instead of |BN_mod_inverse| for ECC.
BN_mod_inverse_odd was always being used on 64-bit platforms and was being used
for all curves with an order of 450 bits or smaller (basically, everything but
P-521). We generally don't care much about minor differences in the speed of
verifying signatures using curves other than P-256 and P-384. It is better to
always use the same algorithm.
This also allows |bn_mod_inverse_general|, |bn_mod_inverse_no_branch|, and
|BN_mod_inverse| to be dropped from programs that can somehow avoid linking in
the RSA key generation and RSA CRT recovery code.
Change-Id: I79b94bff23d2b07d5e0c704f7d44538797f8c7a0
Reviewed-on: https://boringssl-review.googlesource.com/9103
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
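The point of the change is that ECC signature verification only ever inverts public values (the signature's s modulo the group order), so a variable-time inverse for odd moduli is acceptable there, while secret values get the blinded routine or, for a prime modulus, a constant-time exponentiation by n-2. The following is an added example, not BoringSSL code: a plain-Python binary extended GCD for odd moduli that follows the contract the new header comment gives for BN_mod_inverse_odd (0 <= a < n, n odd, "no inverse" reported separately from other failures), the Fermat route beside it, and the ECDSA verification scalars that are the public-input use case. The function names (`mod_inverse_odd`, `mod_inverse_prime_fermat`, `ecdsa_verify_scalars`, `cross_check`) are the example's own; `P256_ORDER` is the standard order of the P-256 group.

```python
"""Modular inversion for an odd modulus, two ways.

Added example, not BoringSSL code. It follows the contract the new header
comment describes for BN_mod_inverse_odd (0 <= a < n, n odd, "no inverse"
reported separately from other failures) and the Fermat alternative the
comment recommends for prime n. The binary extended GCD below is the
textbook algorithm for odd moduli; its loop count and branches depend on
the operand values, which is why such a routine belongs on public inputs
(a signature's s during verification) and not on secrets.
"""
import random

# Order of the P-256 group, used here as a realistic odd prime modulus.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _halve_mod_odd(x: int, n: int) -> int:
    """Return x/2 mod n for odd n: if x is odd, x + n is even and congruent to x."""
    return x // 2 if x % 2 == 0 else (x + n) // 2


def mod_inverse_odd(a: int, n: int):
    """Binary extended GCD for odd n.

    Returns (inverse, no_inverse): (a^-1 mod n, False) when gcd(a, n) == 1,
    otherwise (None, True). Raises ValueError for inputs outside the
    documented domain, the analogue of the function's other failure paths.
    """
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    if not 0 <= a < n:
        raise ValueError("a must satisfy 0 <= a < n")
    u, v = a, n          # invariants: x1 * a == u (mod n), x2 * a == v (mod n)
    x1, x2 = 1, 0
    while u != 0:
        while u % 2 == 0:            # strip factors of two, keeping the invariant
            u //= 2
            x1 = _halve_mod_odd(x1, n)
        while v % 2 == 0:
            v //= 2
            x2 = _halve_mod_odd(x2, n)
        if u >= v:                   # both odd here, so the difference is even
            u -= v
            x1 = (x1 - x2) % n
        else:
            v -= u
            x2 = (x2 - x1) % n
    # v now holds gcd(a, n) and x2 * a == v (mod n), so x2 is the inverse iff v == 1.
    if v != 1:
        return None, True
    return x2, False


def mod_inverse_prime_fermat(a: int, p: int) -> int:
    """a^-1 mod p as a^(p-2) mod p, the identity behind the header comment's
    BN_mod_exp_mont_consttime suggestion. Valid only for prime p, and 0 must be
    rejected by the caller: 0^(p-2) is 0, not an error. Python's pow() shows the
    arithmetic only; it makes no constant-time promise."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no inverse")
    return pow(a, p - 2, p)


def ecdsa_verify_scalars(r: int, s: int, e: int, n: int):
    """The public-input use that motivates BN_mod_inverse_odd in ECC: ECDSA
    verification needs w = s^-1 mod n, then u1 = e*w and u2 = r*w mod n.
    Returns (u1, u2), or None when the signature must be rejected."""
    if not (0 < r < n and 0 < s < n):
        return None
    w, no_inverse = mod_inverse_odd(s, n)
    if no_inverse:
        return None
    return (e * w) % n, (r * w) % n


def cross_check(n: int, trials: int, seed: int = 1) -> bool:
    """Both routes agree on random residues mod the prime n and each product is 1."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = rng.randrange(1, n)
        inv, no_inverse = mod_inverse_odd(a, n)
        if no_inverse or inv != mod_inverse_prime_fermat(a, n) or (a * inv) % n != 1:
            return False
    return True


if __name__ == "__main__":
    print(mod_inverse_odd(3, 7))          # (5, False)
    print(mod_inverse_odd(3, 9))          # (None, True): gcd(3, 9) == 3
    print(cross_check(P256_ORDER, 50))    # True
```

The no-inverse result falls out of the algorithm rather than a separate gcd pass: the loop leaves gcd(a, n) in v, so the caller gets the same two-way distinction the C comment describes (no inverse versus any other failure). The Fermat route has no such signal, which is why its helper refuses 0 explicitly.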
Diffstat (limited to 'include')
-rw-r--r-- | include/openssl/bn.h | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/include/openssl/bn.h b/include/openssl/bn.h index 7d3cb3d5..ff9d6806 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h @@ -746,6 +746,18 @@ OPENSSL_EXPORT BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, const BN_MONT_CTX *mont, BN_CTX *ctx); +/* BN_mod_inverse_odd sets |out| equal to |a|^-1, mod |n|. |a| must be + * non-negative and must be less than |n|. |n| must be odd. This function + * shouldn't be used for secret values; use |BN_mod_inverse_blinded| instead. + * Or, if |n| is guaranteed to be prime, use + * |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking + * advantage of Fermat's Little Theorem. It returns one on success or zero on + * failure. On failure, if the failure was caused by |a| having no inverse mod + * |n| then |*out_no_inverse| will be set to one; otherwise it will be set to + * zero. */ +int BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, + const BIGNUM *n, BN_CTX *ctx); + /* BN_kronecker returns the Kronecker symbol of |a| and |b| (which is -1, 0 or * 1), or -2 on error. */ OPENSSL_EXPORT int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); |
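Review bot: the new doc comment on BN_mod_inverse_odd switches symbols mid-sentence: the modulus is |n| for the function itself, but the Fermat alternative is written as |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)| with |m|; use |n|, |n_minus_2| and |n_mont| throughout, or say that |m| is |n|. While here, "This function shouldn't be used for secret values" would be clearer with the reason stated, namely that it runs in variable time, since that is what separates it from |BN_mod_inverse_blinded| and from the constant-time exponentiation the comment recommends. The declaration carries no |OPENSSL_EXPORT|, which matches |BN_mod_inverse_blinded| directly above and is fine if the function is meant to stay internal to libcrypto; if callers outside the library are expected it needs the macro like |BN_mod_inverse| and |BN_kronecker|.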