commit 4cfdf417893767235fe0a82ac40aacc0cf25affb
author Brian Smith <brian@briansmith.org> Tue Aug 02 15:04:03 2016 -1000
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Fri Aug 05 22:09:00 2016 +0000
tree 66af9747db706e68b3d2607b1935724ee7c16d2b
parent f9bdcc11087d84ba3c908bfe773d4ab0a5c50585

Use bn_mod_inverse_odd for RSA/inversion blinding.

The main RSA public modulus size of concern is 2048 bits.
bn_mod_inverse_odd is already used for public moduli of 2048 bits and
smaller on 64-bit platforms, so for 64-bit it is a no-op. For 32-bit
x86, this seems to slightly decrease the speed of RSA signing, but not
by a lot, and plus we don't care about RSA signing performance much on
32-bit platforms. It's better to have all platforms using the same
algorithms.

Change-Id: I869dbfc98994e36a04a535c1fe63b14a902a4f13
Reviewed-on: https://boringssl-review.googlesource.com/9102
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

crypto/bn/gcd.c

diff --git a/crypto/bn/gcd.c b/crypto/bn/gcd.c
index 526843b..cb61186 100644
--- a/crypto/bn/gcd.c
+++ b/crypto/bn/gcd.c
@@ -670,7 +670,7 @@
 
   if (!BN_rand_range_ex(&blinding_factor, 1, &mont->N) ||
       !BN_mod_mul_montgomery(out, &blinding_factor, a, mont, ctx) ||
-      !bn_mod_inverse_ex(out, out_no_inverse, out, &mont->N, ctx) ||
+      !bn_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) ||
       !BN_mod_mul_montgomery(out, &blinding_factor, out, mont, ctx)) {
     OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);
     goto err;