kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
8eadca50a2
boringssl/crypto/fipsmodule
History
David Benjamin 8eadca50a2 Don't leak |a| in the primality test. 
(This is actually slightly silly as |a|'s probability distribution falls
off exponentially, but it's easy enough to do right.)

Instead, we run the loop to the end. This is still performant because we
can, as before, return early on composite numbers. Only two calls
actually run to the end. Moreover, running to the end has comparable
cost to BN_mod_exp_mont_consttime.

Median time goes from 0.140s to 0.231s. That cost some, but we're still
faster than the original implementation.

We're down to one more leak, which is that the BN_rand_range_ex call
does not hide |w1|. That one may only be solved probabilistically...

Median of 29 RSA keygens: 0m0.123s -> 0m0.145s
(Accuracy beyond 0.1s is questionable.)

Bug: 238
Change-Id: I4847cb0053118c572d2dd5f855388b5199fa6ce2
Reviewed-on: https://boringssl-review.googlesource.com/25888
Reviewed-by: Adam Langley <agl@google.com>
2018-03-28 01:44:31 +00:00
..
aes Always use adr with __thumb2__. 2018-02-22 22:28:15 +00:00
bn Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
cipher Require only that the nonce be strictly monotonic in TLS's AES-GCM 2018-01-26 20:09:44 +00:00
des Move OPENSSL_FALLTHROUGH to internal headers. 2018-01-29 18:17:57 +00:00
digest Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
ec Add some EC base point multiplication test vectors. 2018-03-27 23:33:24 +00:00
ecdsa Store EC_KEY's private key as an EC_SCALAR. 2018-03-07 21:17:31 +00:00
hmac Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
md4 Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
md5 Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
modes Actually use the u64 cast. 2018-02-16 20:02:56 +00:00
policydocs Update FIPS documentation with pointer to the cert and security policy. 2017-07-20 03:32:08 +00:00
rand Fix up CTR_DRBG_update comment. 2018-01-23 22:19:03 +00:00
rsa Don't bother retrying in bn_blinding_create_param. 2018-03-05 20:48:41 +00:00
self_check Split BORINGSSL_self_test into its own file. 2018-01-22 23:06:41 +00:00
sha Sync up some perlasm license headers and easy fixes. 2018-02-11 01:00:35 +00:00
tls add missing #includes 2018-01-22 21:54:08 +00:00
bcm.c Add AES_128_CCM AEAD. 2018-02-16 15:57:27 +00:00
CMakeLists.txt Convert example_mul to GTest. 2017-07-10 19:28:29 +00:00
delocate.h Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
FIPS.md Update link to CMVP certificate. 2018-02-26 22:14:35 +00:00
intcheck1.png
intcheck2.png Inject FIPS hash without running module. 2017-04-12 23:09:38 +00:00
intcheck3.png
is_fips.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00