kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
a63d0ad40d
boringssl/crypto/fipsmodule/bn
History
David Benjamin a63d0ad40d Require BN_mod_exp_mont* inputs be reduced. 
If the caller asked for the base to be treated as secret, we should
provide that. Allowing unbounded inputs is not compatible with being
constant-time.

Additionally, this aligns with the guidance here:
https://github.com/HACS-workshop/spectre-mitigations/blob/master/crypto_guidelines.md#1-do-not-conditionally-choose-between-constant-and-non-constant-time

Update-Note: BN_mod_exp_mont_consttime and BN_mod_exp_mont now require
inputs be fully reduced. I believe current callers tolerate this.

Additionally, due to a quirk of how certain operations were ordered,
using (publicly) zero exponent tolerated a NULL BN_CTX while other
exponents required non-NULL BN_CTX. Non-NULL BN_CTX is now required
uniformly. This is unlikely to cause problems. Any call site where the
exponent is always zero should just be replaced with BN_value_one().

Change-Id: I7c941953ea05f36dc2754facb9f4cf83a6789c61
Reviewed-on: https://boringssl-review.googlesource.com/27665
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
2018-04-24 18:29:29 +00:00
..
asm Merge Intel copyright notice into standard 2018-02-12 21:44:27 +00:00
add.c Name constant-time functions more consistently. 2018-03-29 23:30:55 +00:00
bn_test_to_fuzzer.go Generate bn_div and bn_mod_exp corpus from bn_tests.txt. 2017-10-27 18:57:48 +00:00
bn_test.cc Require BN_mod_exp_mont* inputs be reduced. 2018-04-24 18:29:29 +00:00
bn_tests.txt Fix bn_mod_exp_mont_small when exponentiating to zero. 2018-04-18 22:13:16 +00:00
bn.c Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
bytes.c Simplify BN_bn2bin_padded. 2018-02-06 02:41:38 +00:00
check_bn_tests.go Add new GCD and related primitives. 2018-03-30 19:53:36 +00:00
cmp.c Make various BIGNUM comparisons constant-time. 2018-03-26 18:53:53 +00:00
ctx.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
div.c Remove EC_LOOSE_SCALAR. 2018-04-02 18:22:58 +00:00
exponentiation.c Require BN_mod_exp_mont* inputs be reduced. 2018-04-24 18:29:29 +00:00
gcd.c Add a constant-time generic modular inverse function. 2018-03-30 19:53:44 +00:00
generic.c Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
internal.h Remove return values from bn_*_small. 2018-04-24 15:34:32 +00:00
jacobi.c Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
montgomery_inv.c Restore the BN_mod codepath for public Montgomery moduli. 2018-04-20 20:50:15 +00:00
montgomery.c Remove return values from bn_*_small. 2018-04-24 15:34:32 +00:00
mul.c Remove return values from bn_*_small. 2018-04-24 15:34:32 +00:00
prime.c Restore the BN_mod codepath for public Montgomery moduli. 2018-04-20 20:50:15 +00:00
random.c Rewrite BN_rand without an extra malloc. 2018-04-02 18:07:12 +00:00
rsaz_exp.c Document RSAZ slightly better. 2018-02-15 18:14:04 +00:00
rsaz_exp.h clang-format RSAZ C code. 2018-02-13 22:30:03 +00:00
shift.c Use bn_rshift_words for the ECDSA bit-shift. 2018-04-02 18:17:39 +00:00
sqrt.c Name constant-time functions more consistently. 2018-03-29 23:30:55 +00:00