76ce04bec8
Give a non-minimal modulus, there are two possible values of R we might pick: 2^(BN_BITS2 * width) or 2^(BN_BITS2 * bn_minimal_width). Potentially secret moduli would make the former attractive and things might even work, but our only secret moduli (RSA) have public bit widths. It's more cases to test and the usual BIGNUM invariant is that widths do not affect numerical output. Thus, settle on minimizing mont->N for now. With the top explicitly made minimal, computing |lgBigR| is also a little simpler. This CL also abstracts out the < R check in the RSA code, and implements it in a width-agnostic way. Bug: 232 Change-Id: I354643df30530db7866bb7820e34241d7614f3c2 Reviewed-on: https://boringssl-review.googlesource.com/25250 Reviewed-by: Adam Langley <agl@google.com> |
||
|---|---|---|
| .. | ||
| blinding.c | ||
| internal.h | ||
| padding.c | ||
| rsa_impl.c | ||
| rsa.c | ||