Commit Graph

211 Commits

Author SHA1 Message Date
Adam Langley
eceb33d3af bignum: fix boundary condition in montgomery logic
It's not clear whether this inconsistency could lead to an actual
computation error, but it involved a BIGNUM being passed around the
montgomery logic in an inconsistent state. This was found using flags
-DBN_DEBUG -DBN_DEBUG_RAND, and working backwards from this assertion
in 'ectest';

ectest: bn_mul.c:960: BN_mul: Assertion `(_bnum2->top == 0) ||
(_bnum2->d[_bnum2->top - 1] != 0)' failed

(Imported from upstream's 3cc546a3bbcbf26cd14fc45fb133d36820ed0a75)
2014-06-20 13:17:40 -07:00
Adam Langley
6887edb917 Improvements in constant-time OAEP decoding.
This change adds a new function, BN_bn2bin_padded, that attempts, as
much as possible, to serialise a BIGNUM in constant time.

This is used to avoid some timing leaks in RSA decryption.
2014-06-20 13:17:37 -07:00
Adam Langley
409766d218 Add function to recover RSA CRT params.
Some RSA private keys are specified with only n, e and d. Although we
can use these keys directly, it's nice to have a uniform representation
that includes the precomputed CRT values. This change adds a function
that can recover the primes from a minimal private key of that form.
2014-06-20 13:17:35 -07:00
Adam Langley
27ae9ed774 Small prime generation.
Ensure that, when generating small primes, the result is actually of the
requested size. Fixes OpenSSL #2701.

This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.
2014-06-20 13:17:34 -07:00
Adam Langley
61bb3ddfab Ensure that x**0 mod 1 = 0. 2014-06-20 13:17:34 -07:00
Adam Langley
ebebf87d6d Add needed volatile qualifications.
Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.
2014-06-20 13:17:33 -07:00
Adam Langley
d4b4f085d9 Safe (EC)DSA nonces.
This change causes (EC)DSA nonces be to calculated by hashing the
message and private key along with entropy.
2014-06-20 13:17:33 -07:00
Adam Langley
6aea58d0ea Check for invalid divisors in BN_div. 2014-06-20 13:17:33 -07:00
Adam Langley
75b833cc81 OpenSSL: make final reduction in Montgomery multiplication constant-time.
(The issue was reported by Shay Gueron.)

The final reduction in Montgomery multiplication computes if (X >= m) then X =
X - m else X = X

In OpenSSL, this was done by computing T = X - m,  doing a constant-time
selection of the *addresses* of X and T, and loading from the resulting
address. But this is not cache-neutral.

This patch changes the behaviour by loading both X and T into registers, and
doing a constant-time selection of the *values*.

TODO(fork): only some of the fixes from the original patch still apply to
the 1.0.2 code.
2014-06-20 13:17:33 -07:00
Adam Langley
b36a3156b6 Add another bn modexp test.
Add a test based on multiplication optimizations from OpenSSL HEAD
(1.1.0-dev) Based on openssl-SNAP-20111003
2014-06-20 13:17:33 -07:00
Adam Langley
95c29f3cd1 Inital import.
Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta).

(This change contains substantial changes from the original and
effectively starts a new history.)
2014-06-20 13:17:32 -07:00