kris
/
boringssl
1
0
Çatalla 0
Kod Konular 0 Değişiklik İstekleri 0 Sürümler 0 Wiki Aktivite
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
5691 İşleme
12 Dallar
38 MiB
Ağaç: d8598ce03f
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'd8598ce03f'den
${ noResults }
boringssl/crypto/fipsmodule/bn/bytes.c

bytes.c 6.6 KiB
Ham Normal Görünüm Geçmiş

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Tidy up BN decimal and hex decode functions. Move the bn_expand call inside decode_hex; it's an implementation detail of hex-decoding. decode_dec instead works with BN_mul_word and BN_add_word so it can just rely on BN internally expanding things and check the return value. Also clean up the decode_hex loop so it's somewhat more readable and check for INT_MAX in bn_x2bn. It uses int over size_t rather pervasively, but while I'm here at least make that function check overflow. BUG=517474 Change-Id: I4f043973ee43071a02ea5d4313a8fdaf12404e84 Reviewed-on: https://boringssl-review.googlesource.com/5679 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Move bn/ into crypto/fipsmodule/ Change-Id: I68aa4a740ee1c7f2a308a6536f408929f15b694c Reviewed-on: https://boringssl-review.googlesource.com/15647 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Get overflow checks right in BN_bin2bn. BN_bin2bn takes a size_t as it should, but it passes that into bn_wexpand which takes unsigned. Switch bn_wexpand and bn_expand to take size_t before they check bounds against INT_MAX. BIGNUM itself still uses int everywhere and we may want to audit all the arithmetic at some point. Although I suspect having bn_expand require that the number of bits fit in an int is sufficient to make everything happy, unless we're doing interesting arithmetic on the number of bits somewhere. Change-Id: Id191a4a095adb7c938cde6f5a28bee56644720c6 Reviewed-on: https://boringssl-review.googlesource.com/5680 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Rename bn->top to bn->width. This has no behavior change, but it has a semantic one. This CL is an assertion that all BIGNUM functions tolerate non-minimal BIGNUMs now. Specifically: - Functions that do not touch top/width are assumed to not care. - Functions that do touch top/width will be changed by this CL. These should be checked in review that they tolerate non-minimal BIGNUMs. Subsequent CLs will start adjusting the widths that BIGNUM functions output, to fix timing leaks. Bug: 232 Change-Id: I3a2b41b071f2174452f8d3801bce5c78947bb8f7 Reviewed-on: https://boringssl-review.googlesource.com/25257 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Return int from bn_wexpand, not BIGNUM*. Change-Id: I47d9b1eb256099057ed1158afe76b89758c963bb Reviewed-on: https://boringssl-review.googlesource.com/15365 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Get overflow checks right in BN_bin2bn. BN_bin2bn takes a size_t as it should, but it passes that into bn_wexpand which takes unsigned. Switch bn_wexpand and bn_expand to take size_t before they check bounds against INT_MAX. BIGNUM itself still uses int everywhere and we may want to audit all the arithmetic at some point. Although I suspect having bn_expand require that the number of bits fit in an int is sufficient to make everything happy, unless we're doing interesting arithmetic on the number of bits somewhere. Change-Id: Id191a4a095adb7c938cde6f5a28bee56644720c6 Reviewed-on: https://boringssl-review.googlesource.com/5680 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Rename bn->top to bn->width. This has no behavior change, but it has a semantic one. This CL is an assertion that all BIGNUM functions tolerate non-minimal BIGNUMs now. Specifically: - Functions that do not touch top/width are assumed to not care. - Functions that do touch top/width will be changed by this CL. These should be checked in review that they tolerate non-minimal BIGNUMs. Subsequent CLs will start adjusting the widths that BIGNUM functions output, to fix timing leaks. Bug: 232 Change-Id: I3a2b41b071f2174452f8d3801bce5c78947bb8f7 Reviewed-on: https://boringssl-review.googlesource.com/25257 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Add Little-endian BIGNUM conversions Towards an eventual goal of opaquifying BoringSSL structs, we want our consumers -- in this case, Android's libcore -- to not directly manipulate BigNums; and it would be convenient for them if we would perform the appropriate gymnastics to interpret little-endian byte streams. It also seems a priori a bit strange to have only big-endian varieties of BN byte-conversions. This CL provides little-endian equivalents of BN_bn2bin_padded and BN_bin2bn. BUG=97 Change-Id: I0e92483286def86d9bd71a46d6a967a3be50f80b Reviewed-on: https://boringssl-review.googlesource.com/12641 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Rename bn->top to bn->width. This has no behavior change, but it has a semantic one. This CL is an assertion that all BIGNUM functions tolerate non-minimal BIGNUMs now. Specifically: - Functions that do not touch top/width are assumed to not care. - Functions that do touch top/width will be changed by this CL. These should be checked in review that they tolerate non-minimal BIGNUMs. Subsequent CLs will start adjusting the widths that BIGNUM functions output, to fix timing leaks. Bug: 232 Change-Id: I3a2b41b071f2174452f8d3801bce5c78947bb8f7 Reviewed-on: https://boringssl-review.googlesource.com/25257 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Add Little-endian BIGNUM conversions Towards an eventual goal of opaquifying BoringSSL structs, we want our consumers -- in this case, Android's libcore -- to not directly manipulate BigNums; and it would be convenient for them if we would perform the appropriate gymnastics to interpret little-endian byte streams. It also seems a priori a bit strange to have only big-endian varieties of BN byte-conversions. This CL provides little-endian equivalents of BN_bn2bin_padded and BN_bin2bn. BUG=97 Change-Id: I0e92483286def86d9bd71a46d6a967a3be50f80b Reviewed-on: https://boringssl-review.googlesource.com/12641 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Add Little-endian BIGNUM conversions Towards an eventual goal of opaquifying BoringSSL structs, we want our consumers -- in this case, Android's libcore -- to not directly manipulate BigNums; and it would be convenient for them if we would perform the appropriate gymnastics to interpret little-endian byte streams. It also seems a priori a bit strange to have only big-endian varieties of BN byte-conversions. This CL provides little-endian equivalents of BN_bn2bin_padded and BN_bin2bn. BUG=97 Change-Id: I0e92483286def86d9bd71a46d6a967a3be50f80b Reviewed-on: https://boringssl-review.googlesource.com/12641 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Rename bn->top to bn->width. This has no behavior change, but it has a semantic one. This CL is an assertion that all BIGNUM functions tolerate non-minimal BIGNUMs now. Specifically: - Functions that do not touch top/width are assumed to not care. - Functions that do touch top/width will be changed by this CL. These should be checked in review that they tolerate non-minimal BIGNUMs. Subsequent CLs will start adjusting the widths that BIGNUM functions output, to fix timing leaks. Bug: 232 Change-Id: I3a2b41b071f2174452f8d3801bce5c78947bb8f7 Reviewed-on: https://boringssl-review.googlesource.com/25257 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Add Little-endian BIGNUM conversions Towards an eventual goal of opaquifying BoringSSL structs, we want our consumers -- in this case, Android's libcore -- to not directly manipulate BigNums; and it would be convenient for them if we would perform the appropriate gymnastics to interpret little-endian byte streams. It also seems a priori a bit strange to have only big-endian varieties of BN byte-conversions. This CL provides little-endian equivalents of BN_bn2bin_padded and BN_bin2bn. BUG=97 Change-Id: I0e92483286def86d9bd71a46d6a967a3be50f80b Reviewed-on: https://boringssl-review.googlesource.com/12641 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Add Little-endian BIGNUM conversions Towards an eventual goal of opaquifying BoringSSL structs, we want our consumers -- in this case, Android's libcore -- to not directly manipulate BigNums; and it would be convenient for them if we would perform the appropriate gymnastics to interpret little-endian byte streams. It also seems a priori a bit strange to have only big-endian varieties of BN byte-conversions. This CL provides little-endian equivalents of BN_bn2bin_padded and BN_bin2bn. BUG=97 Change-Id: I0e92483286def86d9bd71a46d6a967a3be50f80b Reviewed-on: https://boringssl-review.googlesource.com/12641 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Add Little-endian BIGNUM conversions Towards an eventual goal of opaquifying BoringSSL structs, we want our consumers -- in this case, Android's libcore -- to not directly manipulate BigNums; and it would be convenient for them if we would perform the appropriate gymnastics to interpret little-endian byte streams. It also seems a priori a bit strange to have only big-endian varieties of BN byte-conversions. This CL provides little-endian equivalents of BN_bn2bin_padded and BN_bin2bn. BUG=97 Change-Id: I0e92483286def86d9bd71a46d6a967a3be50f80b Reviewed-on: https://boringssl-review.googlesource.com/12641 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Simplify BN_bn2bin_padded. There is no more need for the "constant-time" reading beyond bn->top. We can write the bytes out naively because RSA computations no longer call bn_correct_top/bn_set_minimal_width. Specifically, the final computation is a BN_mod_mul_montgomery to remove the blinding, and that keeps the sizes correct. Bug: 237 Change-Id: I6e90d81c323b644e179d899f411479ea16deab98 Reviewed-on: https://boringssl-review.googlesource.com/25324 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Make BN_bn2bin_padded work with non-minimal BIGNUMs. Checking the excess words for zero doesn't need to be in constant time, but it's free. BN_bn2bin_padded is a little silly as read_word_padded only exists to work around bn->top being minimal. Once non-minimal BIGNUMs are turned on and the RSA code works right, we can simplify BN_bn2bin_padded. Bug: 232 Change-Id: Ib81e30ca1e5a8ea90ab3278bf4ded219bac481ac Reviewed-on: https://boringssl-review.googlesource.com/25253 Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Simplify BN_bn2bin_padded. There is no more need for the "constant-time" reading beyond bn->top. We can write the bytes out naively because RSA computations no longer call bn_correct_top/bn_set_minimal_width. Specifically, the final computation is a BN_mod_mul_montgomery to remove the blinding, and that keeps the sizes correct. Bug: 237 Change-Id: I6e90d81c323b644e179d899f411479ea16deab98 Reviewed-on: https://boringssl-review.googlesource.com/25324 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Make BN_bn2bin_padded work with non-minimal BIGNUMs. Checking the excess words for zero doesn't need to be in constant time, but it's free. BN_bn2bin_padded is a little silly as read_word_padded only exists to work around bn->top being minimal. Once non-minimal BIGNUMs are turned on and the RSA code works right, we can simplify BN_bn2bin_padded. Bug: 232 Change-Id: Ib81e30ca1e5a8ea90ab3278bf4ded219bac481ac Reviewed-on: https://boringssl-review.googlesource.com/25253 Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Simplify BN_bn2bin_padded. There is no more need for the "constant-time" reading beyond bn->top. We can write the bytes out naively because RSA computations no longer call bn_correct_top/bn_set_minimal_width. Specifically, the final computation is a BN_mod_mul_montgomery to remove the blinding, and that keeps the sizes correct. Bug: 237 Change-Id: I6e90d81c323b644e179d899f411479ea16deab98 Reviewed-on: https://boringssl-review.googlesource.com/25324 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Make BN_bn2bin_padded work with non-minimal BIGNUMs. Checking the excess words for zero doesn't need to be in constant time, but it's free. BN_bn2bin_padded is a little silly as read_word_padded only exists to work around bn->top being minimal. Once non-minimal BIGNUMs are turned on and the RSA code works right, we can simplify BN_bn2bin_padded. Bug: 232 Change-Id: Ib81e30ca1e5a8ea90ab3278bf4ded219bac481ac Reviewed-on: https://boringssl-review.googlesource.com/25253 Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Simplify BN_bn2bin_padded. There is no more need for the "constant-time" reading beyond bn->top. We can write the bytes out naively because RSA computations no longer call bn_correct_top/bn_set_minimal_width. Specifically, the final computation is a BN_mod_mul_montgomery to remove the blinding, and that keeps the sizes correct. Bug: 237 Change-Id: I6e90d81c323b644e179d899f411479ea16deab98 Reviewed-on: https://boringssl-review.googlesource.com/25324 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Make BN_bn2bin_padded work with non-minimal BIGNUMs. Checking the excess words for zero doesn't need to be in constant time, but it's free. BN_bn2bin_padded is a little silly as read_word_padded only exists to work around bn->top being minimal. Once non-minimal BIGNUMs are turned on and the RSA code works right, we can simplify BN_bn2bin_padded. Bug: 232 Change-Id: Ib81e30ca1e5a8ea90ab3278bf4ded219bac481ac Reviewed-on: https://boringssl-review.googlesource.com/25253 Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Simplify BN_bn2bin_padded. There is no more need for the "constant-time" reading beyond bn->top. We can write the bytes out naively because RSA computations no longer call bn_correct_top/bn_set_minimal_width. Specifically, the final computation is a BN_mod_mul_montgomery to remove the blinding, and that keeps the sizes correct. Bug: 237 Change-Id: I6e90d81c323b644e179d899f411479ea16deab98 Reviewed-on: https://boringssl-review.googlesource.com/25324 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 yıl önce
Simplify BN_bn2bin_padded. There is no more need for the "constant-time" reading beyond bn->top. We can write the bytes out naively because RSA computations no longer call bn_correct_top/bn_set_minimal_width. Specifically, the final computation is a BN_mod_mul_montgomery to remove the blinding, and that keeps the sizes correct. Bug: 237 Change-Id: I6e90d81c323b644e179d899f411479ea16deab98 Reviewed-on: https://boringssl-review.googlesource.com/25324 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 yıl önce
Simplify BN_bn2bin_padded. There is no more need for the "constant-time" reading beyond bn->top. We can write the bytes out naively because RSA computations no longer call bn_correct_top/bn_set_minimal_width. Specifically, the final computation is a BN_mod_mul_montgomery to remove the blinding, and that keeps the sizes correct. Bug: 237 Change-Id: I6e90d81c323b644e179d899f411479ea16deab98 Reviewed-on: https://boringssl-review.googlesource.com/25324 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Improvements in constant-time OAEP decoding. This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
10 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Add initial support for non-minimal BIGNUMs. Thanks to Andres Erbsen for extremely helpful suggestions on how finally plug this long-standing hole! OpenSSL BIGNUMs are currently minimal-width, which means they cannot be constant-time. We'll need to either excise BIGNUM from RSA and EC or somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to handle non-minimal word widths is probably simpler. The main constraint is BIGNUM's large "calculator" API surface. One could, in theory, do arbitrary math on RSA components, which means all public functions must tolerate non-minimal inputs. This is also useful for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is silly. As a first step, fix comparison-type functions that were assuming minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only until the rest of the library is fixed. bn->top is now a loose upper bound we carry around. It does not affect numerical results, only performance and secrecy. This is a departure from the original meaning, and compiler help in auditing everything is nice, so the final change in this series will rename bn->top to bn->width. Thus these new functions are named per "width", not "top". Looking further ahead, how are output BIGNUM widths determined? There's three notions of correctness here: 1. Do I compute the right answer for all widths? 2. Do I handle secret data in constant time? 3. Does my memory usage not balloon absurdly? For (1), a BIGNUM function must give the same answer for all input widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be wider than |m| by way of leading zeres. The simplest approach is to write code in a width-agnostic way and rely on functions to accept all widths. Where functions need to look at bn->d, we'll a few helper functions to smooth over funny widths. For (2), (1) is little cumbersome. Consider constant-time modular addition. A sane type system would guarantee input widths match. But C is weak here, and bifurcating the internals is a lot of work. Thus, at least for now, I do not propose we move RSA's internal computation out of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to stack-allocate, curves were already specialized, and EC only has two types with many operations on those types. None of these apply to RSA. We've got numbers mod n, mod p, mod q, and their corresponding exponents, each of which is used for basically one operation.) Instead, constant-time BIGNUM functions will output non-minimal widths. This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul, constant-time[*] would dictate r->top = a->top + b->top. A calculator repeatedly multiplying by one would then run out of memory. Those we'll split into a private BN_mul_fixed for crypto, leaving BN_mul for calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top. [*] BN_mul is not constant-time for other reasons, but that will be fixed separately. Bug: 232 Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069 Reviewed-on: https://boringssl-review.googlesource.com/25244 Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Re-add |BN_bn2mpi| and |BN_mpi2bn| from OpenSSL at fd682e4c. This benefits mainly M2Crypto. Change-Id: I29bd0fa31b218760055ba467673f3882e46010c7 Reviewed-on: https://boringssl-review.googlesource.com/5722 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Add BN_get_u64 so that Android doesn't have to reach into the BIGNUM structs BUG=97 Change-Id: I4799cc99511e73af44def1d4daa36a8b4699f62d Reviewed-on: https://boringssl-review.googlesource.com/12904 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
Add initial support for non-minimal BIGNUMs. Thanks to Andres Erbsen for extremely helpful suggestions on how finally plug this long-standing hole! OpenSSL BIGNUMs are currently minimal-width, which means they cannot be constant-time. We'll need to either excise BIGNUM from RSA and EC or somehow fix BIGNUM. EC_SCALAR and later EC_FELEM work will excise it from EC, but RSA's BIGNUMs are more transparent. Teaching BIGNUM to handle non-minimal word widths is probably simpler. The main constraint is BIGNUM's large "calculator" API surface. One could, in theory, do arbitrary math on RSA components, which means all public functions must tolerate non-minimal inputs. This is also useful for EC; https://boringssl-review.googlesource.com/c/boringssl/+/24445 is silly. As a first step, fix comparison-type functions that were assuming minimal BIGNUMs. I've also added bn_resize_words, but it is testing-only until the rest of the library is fixed. bn->top is now a loose upper bound we carry around. It does not affect numerical results, only performance and secrecy. This is a departure from the original meaning, and compiler help in auditing everything is nice, so the final change in this series will rename bn->top to bn->width. Thus these new functions are named per "width", not "top". Looking further ahead, how are output BIGNUM widths determined? There's three notions of correctness here: 1. Do I compute the right answer for all widths? 2. Do I handle secret data in constant time? 3. Does my memory usage not balloon absurdly? For (1), a BIGNUM function must give the same answer for all input widths. BN_mod_add_quick may assume |a| < |m|, but |a| may still be wider than |m| by way of leading zeres. The simplest approach is to write code in a width-agnostic way and rely on functions to accept all widths. Where functions need to look at bn->d, we'll a few helper functions to smooth over funny widths. For (2), (1) is little cumbersome. Consider constant-time modular addition. A sane type system would guarantee input widths match. But C is weak here, and bifurcating the internals is a lot of work. Thus, at least for now, I do not propose we move RSA's internal computation out of BIGNUM. (EC_SCALAR/EC_FELEM are valuable for EC because we get to stack-allocate, curves were already specialized, and EC only has two types with many operations on those types. None of these apply to RSA. We've got numbers mod n, mod p, mod q, and their corresponding exponents, each of which is used for basically one operation.) Instead, constant-time BIGNUM functions will output non-minimal widths. This is trivial for BN_bin2bn or modular arithmetic. But for BN_mul, constant-time[*] would dictate r->top = a->top + b->top. A calculator repeatedly multiplying by one would then run out of memory. Those we'll split into a private BN_mul_fixed for crypto, leaving BN_mul for calculators. BN_mul is just BN_mul_fixed followed by bn_correct_top. [*] BN_mul is not constant-time for other reasons, but that will be fixed separately. Bug: 232 Change-Id: Ide2258ae8c09a9a41bb71d6777908d1c27917069 Reviewed-on: https://boringssl-review.googlesource.com/25244 Reviewed-by: Adam Langley <agl@google.com>
6 yıl önce
Add BN_get_u64 so that Android doesn't have to reach into the BIGNUM structs BUG=97 Change-Id: I4799cc99511e73af44def1d4daa36a8b4699f62d Reviewed-on: https://boringssl-review.googlesource.com/12904 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 yıl önce
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230 
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/bn.h>

  58. 

  59. #include <assert.h>

  60. #include <limits.h>

  61. 

  62. #include "internal.h"

  63. 

  64. 

  65. BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {

  66.   size_t num_words;

  67.   unsigned m;

  68.   BN_ULONG word = 0;

  69.   BIGNUM *bn = NULL;

  70. 

  71.   if (ret == NULL) {

  72.     ret = bn = BN_new();

  73.   }

  74. 

  75.   if (ret == NULL) {

  76.     return NULL;

  77.   }

  78. 

  79.   if (len == 0) {

  80.     ret->width = 0;

  81.     return ret;

  82.   }

  83. 

  84.   num_words = ((len - 1) / BN_BYTES) + 1;

  85.   m = (len - 1) % BN_BYTES;

  86.   if (!bn_wexpand(ret, num_words)) {

  87.     if (bn) {

  88.       BN_free(bn);

  89.     }

  90.     return NULL;

  91.   }

  92. 

  93.   // |bn_wexpand| must check bounds on |num_words| to write it into

  94.   // |ret->dmax|.

  95.   assert(num_words <= INT_MAX);

  96.   ret->width = (int)num_words;

  97.   ret->neg = 0;

  98. 

  99.   while (len--) {

  100.     word = (word << 8) | *(in++);

  101.     if (m-- == 0) {

  102.       ret->d[--num_words] = word;

  103.       word = 0;

  104.       m = BN_BYTES - 1;

  105.     }

  106.   }

  107. 

  108.   return ret;

  109. }

  110. 

  111. BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) {

  112.   BIGNUM *bn = NULL;

  113.   if (ret == NULL) {

  114.     bn = BN_new();

  115.     ret = bn;

  116.   }

  117. 

  118.   if (ret == NULL) {

  119.     return NULL;

  120.   }

  121. 

  122.   if (len == 0) {

  123.     ret->width = 0;

  124.     ret->neg = 0;

  125.     return ret;

  126.   }

  127. 

  128.   // Reserve enough space in |ret|.

  129.   size_t num_words = ((len - 1) / BN_BYTES) + 1;

  130.   if (!bn_wexpand(ret, num_words)) {

  131.     BN_free(bn);

  132.     return NULL;

  133.   }

  134.   ret->width = num_words;

  135. 

  136.   // Make sure the top bytes will be zeroed.

  137.   ret->d[num_words - 1] = 0;

  138. 

  139.   // We only support little-endian platforms, so we can simply memcpy the

  140.   // internal representation.

  141.   OPENSSL_memcpy(ret->d, in, len);

  142.   return ret;

  143. }

  144. 

  145. size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {

  146.   size_t n, i;

  147.   BN_ULONG l;

  148. 

  149.   n = i = BN_num_bytes(in);

  150.   while (i--) {

  151.     l = in->d[i / BN_BYTES];

  152.     *(out++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;

  153.   }

  154.   return n;

  155. }

  156. 

  157. static int fits_in_bytes(const uint8_t *bytes, size_t num_bytes, size_t len) {

  158.   uint8_t mask = 0;

  159.   for (size_t i = len; i < num_bytes; i++) {

  160.     mask |= bytes[i];

  161.   }

  162.   return mask == 0;

  163. }

  164. 

  165. int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) {

  166.   const uint8_t *bytes = (const uint8_t *)in->d;

  167.   size_t num_bytes = in->width * BN_BYTES;

  168.   if (len < num_bytes) {

  169.     if (!fits_in_bytes(bytes, num_bytes, len)) {

  170.       return 0;

  171.     }

  172.     num_bytes = len;

  173.   }

  174. 

  175.   // We only support little-endian platforms, so we can simply memcpy into the

  176.   // internal representation.

  177.   OPENSSL_memcpy(out, bytes, num_bytes);

  178.   // Pad out the rest of the buffer with zeroes.

  179.   OPENSSL_memset(out + num_bytes, 0, len - num_bytes);

  180.   return 1;

  181. }

  182. 

  183. int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {

  184.   const uint8_t *bytes = (const uint8_t *)in->d;

  185.   size_t num_bytes = in->width * BN_BYTES;

  186.   if (len < num_bytes) {

  187.     if (!fits_in_bytes(bytes, num_bytes, len)) {

  188.       return 0;

  189.     }

  190.     num_bytes = len;

  191.   }

  192. 

  193.   // We only support little-endian platforms, so we can simply write the buffer

  194.   // in reverse.

  195.   for (size_t i = 0; i < num_bytes; i++) {

  196.     out[len - i - 1] = bytes[i];

  197.   }

  198.   // Pad out the rest of the buffer with zeroes.

  199.   OPENSSL_memset(out, 0, len - num_bytes);

  200.   return 1;

  201. }

  202. 

  203. BN_ULONG BN_get_word(const BIGNUM *bn) {

  204.   switch (bn_minimal_width(bn)) {

  205.     case 0:

  206.       return 0;

  207.     case 1:

  208.       return bn->d[0];

  209.     default:

  210.       return BN_MASK2;

  211.   }

  212. }

  213. 

  214. int BN_get_u64(const BIGNUM *bn, uint64_t *out) {

  215.   switch (bn_minimal_width(bn)) {

  216.     case 0:

  217.       *out = 0;

  218.       return 1;

  219.     case 1:

  220.       *out = bn->d[0];

  221.       return 1;

  222. #if defined(OPENSSL_32_BIT)

  223.     case 2:

  224.       *out = (uint64_t) bn->d[0] | (((uint64_t) bn->d[1]) << 32);

  225.       return 1;

  226. #endif

  227.     default:

  228.       return 0;

  229.   }

  230. }