boringssl/crypto/fipsmodule/bn
David Benjamin 32b5940267 Don't leak the exponent bit width in BN_mod_exp_mont_consttime.
(See also https://github.com/openssl/openssl/pull/5154.)

The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its
bit length are both secret. The only public upper bound is the bit width
of the corresponding modulus (RSA n, p, and q, respectively).

Although BN_num_bits is constant-time (sort of; see bn_correct_top notes
in preceding patch), this does not fix the root problem, which is that
the windows are based on the minimal bit width, not the upper bound. We
could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API
and may be called with larger exponents. Instead, use all top*BN_BITS2
bits in the BIGNUM. This is still sensitive to the long-standing
bn_correct_top leak, but we need to fix that regardless.

This may cause us to do a handful of extra multiplications for RSA keys
which are just above a whole number of words, but that is not a standard
RSA key size.

Change-Id: I5e2f12b70c303b27c597a7e513b7bf7288f7b0e3
Reviewed-on: https://boringssl-review.googlesource.com/25185
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-01-23 22:27:37 +00:00
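The structural change the commit describes, shown on a toy scale as an added example (not BoringSSL's code): a fixed-window modular exponentiation over a single 64-bit word, where the number of windows is derived either from the exponent's minimal bit width (the leaky behaviour) or from the full word width (the fix, the analogue of using all top*BN_BITS2 bits). Assumptions that are not from the page: one-word operands, a 4-bit window, a full-table scan for the window lookup, and a schoolbook mulmod built on a 128-bit division, which is itself not constant-time; the point demonstrated is that the multiplication count no longer depends on the secret exponent, not the arithmetic.

```c
/* Added example, not BoringSSL code. Toy fixed-window exponentiation on one
 * 64-bit word; the only difference between the two public entry points is
 * whether the window count follows the exponent's bit length or the word
 * width. mulmod uses a 128-bit division and is not constant-time itself
 * (assumption for brevity); the demonstrated property is the loop count. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW_BITS 4
#define WORD_BITS 64
#define TABLE_SIZE (1u << WINDOW_BITS)

typedef unsigned __int128 u128;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
  return (uint64_t)(((u128)a * b) % m);
}

/* Minimal bit width of x, the one-word analogue of BN_num_bits. */
static int num_bits(uint64_t x) {
  int n = 0;
  while (x) { n++; x >>= 1; }
  return n;
}

/* All-ones if a == b, else zero, with no data-dependent branch. */
static uint64_t ct_mask_eq(uint64_t a, uint64_t b) {
  uint64_t x = a ^ b;
  uint64_t nonzero = (x | (0 - x)) >> 63;  /* 1 iff x != 0 */
  return nonzero - 1;
}

/* Read table[idx] by touching every entry, so the window value does not
 * select which cache lines are accessed. */
static uint64_t table_select(const uint64_t *table, size_t idx) {
  uint64_t r = 0;
  for (size_t j = 0; j < TABLE_SIZE; j++) {
    r |= table[j] & ct_mask_eq((uint64_t)j, (uint64_t)idx);
  }
  return r;
}

/* Left-to-right fixed-window exponentiation over the top exp_bits bits of
 * e. Leading zero windows cost WINDOW_BITS squarings plus one multiply by
 * table[0] == 1, which keeps the result correct. If ops is non-NULL it
 * receives the number of modular multiplications performed. */
static uint64_t modexp_window(uint64_t base, uint64_t e, uint64_t m,
                              int exp_bits, size_t *ops) {
  uint64_t table[TABLE_SIZE];
  table[0] = 1 % m;
  for (size_t j = 1; j < TABLE_SIZE; j++) {
    table[j] = mulmod(table[j - 1], base, m);
  }
  uint64_t r = 1 % m;
  size_t count = 0;
  int nwindows = (exp_bits + WINDOW_BITS - 1) / WINDOW_BITS;
  for (int w = nwindows - 1; w >= 0; w--) {
    for (int s = 0; s < WINDOW_BITS; s++) {
      r = mulmod(r, r, m);
      count++;
    }
    size_t idx = (size_t)((e >> (w * WINDOW_BITS)) & (TABLE_SIZE - 1));
    r = mulmod(r, table_select(table, idx), m);
    count++;
  }
  if (ops) *ops = count;
  return r;
}

/* Before: the window count follows the secret exponent's bit length, so the
 * running time reveals roughly how long d (or dmp1, dmq1) is. */
uint64_t modexp_leaky(uint64_t base, uint64_t e, uint64_t m, size_t *ops) {
  return modexp_window(base, e, m, num_bits(e), ops);
}

/* After: the window count follows the public word width, the one-word
 * analogue of top * BN_BITS2, so every exponent costs the same. */
uint64_t modexp_fixed(uint64_t base, uint64_t e, uint64_t m, size_t *ops) {
  return modexp_window(base, e, m, WORD_BITS, ops);
}

int main(void) {
  const uint64_t m = 1000000007ULL;
  const uint64_t exps[] = {5, 1ULL << 40, UINT64_MAX};
  for (size_t i = 0; i < sizeof(exps) / sizeof(exps[0]); i++) {
    size_t leaky_ops, fixed_ops;
    uint64_t a = modexp_leaky(3, exps[i], m, &leaky_ops);
    uint64_t b = modexp_fixed(3, exps[i], m, &fixed_ops);
    printf("e=%#llx leaky ops=%zu fixed ops=%zu same result=%d\n",
           (unsigned long long)exps[i], leaky_ops, fixed_ops, a == b);
  }
  return 0;
}
```

Running the block shows the leaky variant performing 5 multiplications for e = 5 and 55 for e = 2^40, while the fixed variant performs 80 for every exponent; the results agree in all cases. The cost of the fix is exactly the extra squarings and multiplies for the leading zero windows, which is the "handful of extra multiplications" the commit message accepts.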
asm Silence ARMv8 deprecated IT instruction warnings. 2017-12-14 01:56:22 +00:00
add.c Clear no-op BN_MASK2 masks. 2017-10-27 02:38:45 +00:00
bn_test_to_fuzzer.go Generate bn_div and bn_mod_exp corpus from bn_tests.txt. 2017-10-27 18:57:48 +00:00
bn_test.cc Make BN_num_bits_word constant-time. 2018-01-23 22:14:54 +00:00
bn_tests.txt bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2. 2017-12-07 16:54:32 +00:00
bn.c Make BN_num_bits_word constant-time. 2018-01-23 22:14:54 +00:00
bytes.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
check_bn_tests.go
cmp.c Make BN_generate_dsa_nonce internally constant-time. 2017-11-20 16:18:30 +00:00
ctx.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
div.c Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
exponentiation.c Don't leak the exponent bit width in BN_mod_exp_mont_consttime. 2018-01-23 22:27:37 +00:00
gcd.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
generic.c Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
internal.h Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
jacobi.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
montgomery_inv.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
montgomery.c Add "small" variants of Montgomery logic. 2017-11-20 16:23:01 +00:00
mul.c Include a couple of missing header files. 2017-11-20 20:36:38 +00:00
prime.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
random.c Make ECDSA signing 10% faster and plug some timing leaks. 2017-11-22 22:51:40 +00:00
rsaz_exp.c Fix alignment-violating cast. 2017-12-01 22:32:17 +00:00
rsaz_exp.h
shift.c Add bn_mod_exp_mont_small and bn_mod_inverse_prime_mont_small. 2017-11-20 16:23:48 +00:00
sqrt.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00