be837402a9
Alas, the existence of RSA keys with q > p is obnoxious, but we can canonicalize it away. To my knowledge, the remaining leaks in RSA are: - Key generation. This is kind of hopelessly non-constant-time but perhaps deserves a more careful ponder. Though hopefully it does not come in at a measurable point for practical purposes. - Private key serialization. RSAPrivateKey inherently leaks the magnitudes of d, dmp1, dmq1, and iqmp. This is unavoidable but hopefully does not come in at a measurable point for practical purposes. - If p and q have different word widths, we currently fall back to the variable-time BN_mod rather than Montgomery reduction at the start of CRT. I can think of ways to apply Montgomery reduction, but it's probably better to deny CRT to such keys, if not reject them outright. - bn_mul_fixed and bn_sqr_fixed which affect the Montgomery multiplication bn_mul_mont-less configurations, as well as the final CRT multiplication. We should fix this. Bug: 233 Change-Id: I8c2ecf8f8ec104e9f26299b66ac8cbb0cad04616 Reviewed-on: https://boringssl-review.googlesource.com/25263 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com> |
||
---|---|---|
.. | ||
aead.h | ||
aes.h | ||
arm_arch.h | ||
asn1_mac.h | ||
asn1.h | ||
asn1t.h | ||
base64.h | ||
base.h | ||
bio.h | ||
blowfish.h | ||
bn.h | ||
buf.h | ||
buffer.h | ||
bytestring.h | ||
cast.h | ||
chacha.h | ||
cipher.h | ||
cmac.h | ||
conf.h | ||
cpu.h | ||
crypto.h | ||
curve25519.h | ||
des.h | ||
dh.h | ||
digest.h | ||
dsa.h | ||
dtls1.h | ||
ec_key.h | ||
ec.h | ||
ecdh.h | ||
ecdsa.h | ||
engine.h | ||
err.h | ||
evp.h | ||
ex_data.h | ||
hkdf.h | ||
hmac.h | ||
is_boringssl.h | ||
lhash_macros.h | ||
lhash.h | ||
md4.h | ||
md5.h | ||
mem.h | ||
nid.h | ||
obj_mac.h | ||
obj.h | ||
objects.h | ||
opensslconf.h | ||
opensslv.h | ||
ossl_typ.h | ||
pem.h | ||
pkcs7.h | ||
pkcs8.h | ||
pkcs12.h | ||
poly1305.h | ||
pool.h | ||
rand.h | ||
rc4.h | ||
ripemd.h | ||
rsa.h | ||
safestack.h | ||
sha.h | ||
span.h | ||
srtp.h | ||
ssl3.h | ||
ssl.h | ||
stack.h | ||
thread.h | ||
tls1.h | ||
type_check.h | ||
x509_vfy.h | ||
x509.h | ||
x509v3.h |