kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
232a6be6f1
boringssl/crypto/fipsmodule/bn
History
David Benjamin 232a6be6f1 Make primality testing mostly constant-time. 
The extra details in Enhanced Rabin-Miller are only used in
RSA_check_key_fips, on the public RSA modulus, which the static linker
will drop in most of our consumers anyway. Implement normal Rabin-Miller
for RSA keygen and use Montgomery reduction so it runs in constant-time.

Note that we only need to avoid leaking information about the input if
it's a large prime. If the number ends up composite, or we find it in
our table of small primes, we can return immediately.

The leaks not addressed by this CL are:

- The difficulty of selecting |b| leaks information about |w|.
- The distribution of whether step 4.4 runs leaks information about w.
- We leak |a| (the largest power of two which divides w) everywhere.
- BN_mod_word in the trial division is not constant-time.

These will be resolved in follow-up changes.

Median of 29 RSA keygens: 0m0.521 -> 0m0.621s
(Accuracy beyond 0.1s is questionable.)

Bug: 238
Change-Id: I0cf0ff22079732a0a3ababfe352bb4327e95b879
Reviewed-on: https://boringssl-review.googlesource.com/25886
Reviewed-by: Adam Langley <agl@google.com>
2018-03-28 01:42:06 +00:00
..
asm Merge Intel copyright notice into standard 2018-02-12 21:44:27 +00:00
add.c Add bn_usub_fixed. 2018-03-26 18:53:43 +00:00
bn_test_to_fuzzer.go Generate bn_div and bn_mod_exp corpus from bn_tests.txt. 2017-10-27 18:57:48 +00:00
bn_test.cc Make primality testing mostly constant-time. 2018-03-28 01:42:06 +00:00
bn_tests.txt Add some BN_mod_inverse tests. 2018-03-20 16:11:45 +00:00
bn.c Make bn_sqr_recursive constant-time. 2018-02-06 02:47:34 +00:00
bytes.c Simplify BN_bn2bin_padded. 2018-02-06 02:41:38 +00:00
check_bn_tests.go Add some tests for BN_gcd. 2018-03-20 16:08:56 +00:00
cmp.c Make various BIGNUM comparisons constant-time. 2018-03-26 18:53:53 +00:00
ctx.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
div.c Return NULL instead of zero in |bn_resized_from_ctx|. 2018-02-10 23:10:54 +00:00
exponentiation.c Remove some easy bn_set_minimal_width calls. 2018-02-05 23:47:14 +00:00
gcd.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
generic.c Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
internal.h Add bn_usub_fixed. 2018-03-26 18:53:43 +00:00
jacobi.c Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
montgomery_inv.c Compute mont->RR in constant-time. 2018-02-06 01:40:24 +00:00
montgomery.c Compute mont->RR in constant-time. 2018-02-06 01:40:24 +00:00
mul.c Simplify bn_mul_part_recursive. 2018-02-06 03:04:04 +00:00
prime.c Make primality testing mostly constant-time. 2018-03-28 01:42:06 +00:00
random.c Store EC_KEY's private key as an EC_SCALAR. 2018-03-07 21:17:31 +00:00
rsaz_exp.c Document RSAZ slightly better. 2018-02-15 18:14:04 +00:00
rsaz_exp.h clang-format RSAZ C code. 2018-02-13 22:30:03 +00:00
shift.c Fix 20-year-old typo in BN_mask_bits. 2018-03-08 21:53:06 +00:00
sqrt.c Make BN_mod_*_quick constant-time. 2018-02-06 01:16:04 +00:00