boringssl/include/openssl
David Benjamin be837402a9 Make the rest of RSA CRT constant-time.
Alas, the existence of RSA keys with q > p is obnoxious, but we can
canonicalize it away. To my knowledge, the remaining leaks in RSA are:

- Key generation. This is kind of hopelessly non-constant-time but
  perhaps deserves a more careful ponder. Though hopefully it does not
  come in at a measurable point for practical purposes.

- Private key serialization. RSAPrivateKey inherently leaks the
  magnitudes of d, dmp1, dmq1, and iqmp. This is unavoidable but
  hopefully does not come in at a measurable point for practical
  purposes.

- If p and q have different word widths, we currently fall back to the
  variable-time BN_mod rather than Montgomery reduction at the start of
  CRT. I can think of ways to apply Montgomery reduction, but it's
  probably better to deny CRT to such keys, if not reject them outright.

- bn_mul_fixed and bn_sqr_fixed which affect the Montgomery
  multiplication bn_mul_mont-less configurations, as well as the final
  CRT multiplication. We should fix this.

Bug: 233
Change-Id: I8c2ecf8f8ec104e9f26299b66ac8cbb0cad04616
Reviewed-on: https://boringssl-review.googlesource.com/25263
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-02-06 02:40:34 +00:00
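The two awkward key shapes the commit message calls out, q > p and primes of different word widths, worked through as an added Python illustration. This is not BoringSSL code: the helper names (make_crt_key, garner_fixups, rsa_crt_private, crt_params_consistent) are mine, the key material is constructed from the Mersenne primes 2^61-1 and 2^89-1 so that q > p and the primes span one and two 64-bit words respectively, and the observation that p > q is what lets the m1 - m2 step be done with a single conditional add is my reasoning about Garner's recombination, not a statement about BoringSSL's implementation.

```python
# Added illustration of RSA-CRT with p/q canonicalisation (not BoringSSL code).
# Key material is constructed: p = 2^61-1 and q = 2^89-1 are Mersenne primes,
# chosen so that q > p and the two primes occupy different 64-bit word widths.

E = 65537                     # coprime to (p-1)(q-1) for the primes below
P_SMALL = 2**61 - 1
Q_BIG = 2**89 - 1


def make_crt_key(p, q, e=E):
    """Return n, d and CRT parameters, canonicalised so that p > q.

    Assumes p, q are distinct primes with gcd(e, (p-1)(q-1)) == 1.  An
    RSAPrivateKey may carry its primes in either order; swapping them and
    recomputing dmp1/dmq1/iqmp gives an equivalent key with p > q.
    """
    if p < q:
        p, q = q, p
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dmp1": d % (p - 1), "dmq1": d % (q - 1), "iqmp": pow(q, -1, p)}


def crt_params_consistent(key):
    """Sanity check in the spirit of RSA_check_key: dmp1, dmq1, iqmp match p, q, d."""
    p, q, d = key["p"], key["q"], key["d"]
    return (p > q
            and key["n"] == p * q
            and key["dmp1"] == d % (p - 1)
            and key["dmq1"] == d % (q - 1)
            and (key["iqmp"] * q) % p == 1)


def garner_fixups(p, m1, m2):
    """How many times p must be added to m1 - m2 to land in [0, p).

    With p > q we have m2 < q < p, so the answer is 0 or 1 and a single
    constant-time conditional add does the job.  With q > p the count depends
    on the secret m2 and a variable-time reduction would be needed.
    """
    t = m1 - m2
    return 0 if t >= 0 else (-t + p - 1) // p


def rsa_crt_private(key, c):
    """RSA private operation via Garner's recombination on a canonicalised key."""
    p, q = key["p"], key["q"]
    m1 = pow(c % p, key["dmp1"], p)      # c mod p: the reduction at the start of CRT
    m2 = pow(c % q, key["dmq1"], q)
    t = m1 - m2
    if t < 0:                            # in C this would be a constant-time select
        t += p
    h = (key["iqmp"] * t) % p
    return m2 + h * q                    # final CRT multiplication


def crt_matches_plain(key, m):
    """Encrypt m and check CRT decryption agrees with the plain m = c^d mod n."""
    c = pow(m, key["e"], key["n"])
    return rsa_crt_private(key, c) == pow(c, key["d"], key["n"]) == m


if __name__ == "__main__":
    key = make_crt_key(P_SMALL, Q_BIG)        # supplied with q > p on purpose
    assert key["p"] == Q_BIG and crt_params_consistent(key)
    assert crt_matches_plain(key, 0x123456789abcdef011223344)
    print("worst-case fixups, non-canonical order:", garner_fixups(P_SMALL, 0, Q_BIG - 1))
    print("worst-case fixups, canonical order:   ", garner_fixups(Q_BIG, 0, P_SMALL - 1))
```

garner_fixups makes the point concrete: with the primes in their given order (p = 2^61-1, q = 2^89-1) the worst-case difference m1 - m2 needs 2^28 + 1 additions of p to come back into range, and the count varies with the secret m2; after swapping so that p > q it is at most one, which a constant-time implementation can express as a single masked add. Canonicalising does not change the mathematical result, only how the recombination can be implemented, so crt_matches_plain passes whichever order the primes arrive in.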
aead.h
aes.h
arm_arch.h
asn1_mac.h
asn1.h Add ASN1_INTEGET_set_uint64. 2018-01-02 16:01:31 +00:00
asn1t.h Remove ASN1_template_(i2d,d2i). 2017-09-15 22:53:43 +00:00
base64.h
base.h Move OPENSSL_FALLTHROUGH to internal headers. 2018-01-29 18:17:57 +00:00
bio.h Fix reference to nonexistent function. 2018-01-16 16:23:36 +00:00
blowfish.h
bn.h Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
buf.h Always process handshake records in full. 2017-10-17 14:53:11 +00:00
buffer.h Add buffer.h for compatibility. 2015-05-12 00:09:57 +00:00
bytestring.h Add some more utility functions to bytestring. 2018-01-25 23:51:36 +00:00
cast.h
chacha.h Add chacha.h to the list of documented headers. 2017-10-12 15:27:34 +00:00
cipher.h Add more compatibility symbols for Node. 2017-11-03 01:31:50 +00:00
cmac.h
conf.h Add more compatibility symbols for Node. 2017-11-03 01:31:50 +00:00
cpu.h Add CRYPTO_needs_hwcap2_workaround. 2017-09-18 14:05:46 +00:00
crypto.h Extract FIPS KAT tests into a function. 2018-01-22 20:16:38 +00:00
curve25519.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
des.h
dh.h Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
digest.h Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
dsa.h Remove DSA_sign_setup too. 2017-11-22 21:01:11 +00:00
dtls1.h
ec_key.h Tighten EC_KEY's association with its group. 2018-01-03 22:15:11 +00:00
ec.h Make ECDSA signing 10% faster and plug some timing leaks. 2017-11-22 22:51:40 +00:00
ecdh.h
ecdsa.h Remove ECDSA_sign_setup and friends. 2017-11-22 20:23:40 +00:00
engine.h
err.h Bring ERR_ERROR_STRING_BUF_LEN down to 120. 2017-12-14 19:47:23 +00:00
evp.h Documentation typo. 2018-01-25 14:47:06 +00:00
ex_data.h
hkdf.h
hmac.h Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
is_boringssl.h
lhash_macros.h
lhash.h Unexport more of lhash. 2017-10-25 04:17:18 +00:00
md4.h
md5.h
mem.h Remove redundant calls to |OPENSSL_cleanse| and |OPENSSL_realloc_clean|. 2017-09-18 19:16:51 +00:00
nid.h
obj_mac.h
obj.h Reimplement OBJ_txt2obj and add a lower-level function. 2017-11-27 21:29:00 +00:00
objects.h
opensslconf.h Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
opensslv.h Get version-related functions from crypto.h rather than ssl.h. 2015-05-20 22:58:14 +00:00
ossl_typ.h
pem.h
pkcs7.h
pkcs8.h
pkcs12.h
poly1305.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
pool.h
rand.h
rc4.h
ripemd.h
rsa.h Make the rest of RSA CRT constant-time. 2018-02-06 02:40:34 +00:00
safestack.h
sha.h
span.h Push Span down a layer. 2017-10-10 14:27:58 +00:00
srtp.h
ssl3.h Adding support for draft 21 as a TLS 1.3 variant. 2017-11-01 21:32:36 +00:00
ssl.h Push an error if custom private keys fail. 2018-02-01 21:43:42 +00:00
stack.h Tidy up some warnings. 2018-01-09 16:01:32 +00:00
thread.h
tls1.h Remove draft22 and experiment2. 2018-01-31 18:07:53 +00:00
type_check.h
x509_vfy.h Unexport more of lhash. 2017-10-25 04:17:18 +00:00
x509.h Add X509_NAME_get0_der from OpenSSL 1.1.0. 2017-12-06 17:49:04 +00:00
x509v3.h Unexport more of lhash. 2017-10-25 04:17:18 +00:00