boringssl/crypto/fipsmodule/bn
David Benjamin 34a2c5e476 Make bn_mul_recursive constant-time.
I left the input length as int because the calling convention passes
these messy deltas around. This micro-optimization is almost certainly
pointless, but bn_sub_part_words is written in assembly, so I've left it
alone for now. The documented preconditions were also all completely
wrong, so I've fixed them. We actually only call them for even tighter
bounds (one of dna or dnb is 0 and the other is 0 or -1), at least
outside bn_mul_part_recursive which I still need to read through.

This leaves bn_mul_part_recursive, which is reachable for RSA keys which
are not a power of two in bit width.

The first iteration of this had an uncaught bug, so I added a few more
aggressive tests generated with:

  A = 0x...
  B = 0x...

  # Chop off 0, 1 and > 1 word for both 32 and 64-bit.
  for i in (0, 1, 2, 4):
    for j in (0, 1, 2, 4):
      a = A >> (32*i)
      b = B >> (32*j)
      p = a * b
      print "Product = %x" % p
      print "A = %x" % a
      print "B = %x" % b
      print

Bug: 234
Change-Id: I72848d992637c0390cdd3c4f81cb919393b59eb8
Reviewed-on: https://boringssl-review.googlesource.com/25344
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-02-06 02:51:34 +00:00
asm Silence ARMv8 deprecated IT instruction warnings. 2017-12-14 01:56:22 +00:00
add.c Split BN_uadd into a bn_uadd_fixed. 2018-02-06 02:39:45 +00:00
bn_test_to_fuzzer.go Generate bn_div and bn_mod_exp corpus from bn_tests.txt. 2017-10-27 18:57:48 +00:00
bn_test.cc Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
bn_tests.txt Make bn_mul_recursive constant-time. 2018-02-06 02:51:34 +00:00
bn.c Make bn_sqr_recursive constant-time. 2018-02-06 02:47:34 +00:00
bytes.c Simplify BN_bn2bin_padded. 2018-02-06 02:41:38 +00:00
check_bn_tests.go
cmp.c Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
ctx.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
div.c Make bn_sqr_recursive constant-time. 2018-02-06 02:47:34 +00:00
exponentiation.c Remove some easy bn_set_minimal_width calls. 2018-02-05 23:47:14 +00:00
gcd.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
generic.c Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
internal.h Make bn_sqr_recursive constant-time. 2018-02-06 02:47:34 +00:00
jacobi.c Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
montgomery_inv.c Compute mont->RR in constant-time. 2018-02-06 01:40:24 +00:00
montgomery.c Compute mont->RR in constant-time. 2018-02-06 01:40:24 +00:00
mul.c Make bn_mul_recursive constant-time. 2018-02-06 02:51:34 +00:00
prime.c Add a function which folds BN_MONT_CTX_{new,set} together. 2018-02-02 20:23:25 +00:00
random.c Remove some easy bn_set_minimal_width calls. 2018-02-05 23:47:14 +00:00
rsaz_exp.c Fix alignment-violating cast. 2017-12-01 22:32:17 +00:00
rsaz_exp.h
shift.c Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
sqrt.c Make BN_mod_*_quick constant-time. 2018-02-06 01:16:04 +00:00