boringssl/crypto/ec
David Benjamin 0b8dc30932
Don't use BN_mod_inverse for inverses mod p in RSA keygen.
Instead, use BN_mod_exp_mont_consttime of p - 2. This removes two more
call sites sensitive to BN_FLG_CONSTTIME. We're down to just that last
BN_mod_inverse modulo φ(n). (Sort of. It's actually not sensitive
because even mod inverses always hit the other codepath. Perhaps we
should just leave it alone.)

Note this comes with a slight behavior change. The BN_MONT_CTXs are
initialized a little earlier. If a caller calls RSA_generate_* and then
reaches into the struct to scrap all the fields on it, they'll get
confused. Before, they had to perform an operation on it to get
confused. This is a completely ridiculous thing to do.

Since we do this a lot, this introduces some convenience functions for
doing the Fermat's Little Theorem mod inverse and fixes a leak in the
DSA code should computing kinv hit a malloc error.

BUG=125

Change-Id: Iafcae2fc6fd379d161f015c90ff7050e2282e905
Reviewed-on: https://boringssl-review.googlesource.com/12925
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-01-04 13:56:11 +00:00
asm ec/ecp_nistz256: harmonize is_infinity with ec_GFp_simple_is_at_infinity. 2016-11-16 18:16:54 +00:00
CMakeLists.txt Depend all_tests on p256-x86_64_test. 2016-11-17 02:56:51 +00:00
ec_asn1.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
ec_key.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
ec_montgomery.c Don't use BN_mod_inverse for inverses mod p in RSA keygen. 2017-01-04 13:56:11 +00:00
ec_test.cc ec/ecp_nistz256: harmonize is_infinity with ec_GFp_simple_is_at_infinity. 2016-11-16 18:16:54 +00:00
ec.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
example_mul.c Remove some easy obj.h dependencies. 2016-03-31 20:50:33 +00:00
internal.h Don't use function wrappers for EC_METHOD. 2016-08-16 19:27:52 +00:00
oct.c Fix error code for unreduced x. 2016-11-29 00:55:04 +00:00
p224-64.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
p256-64.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
p256-x86_64_test.cc Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
p256-x86_64_tests.txt ec/ecp_nistz256: harmonize is_infinity with ec_GFp_simple_is_at_infinity. 2016-11-16 18:16:54 +00:00
p256-x86_64-table.h Use |alignas| for alignment. 2016-01-25 23:05:04 +00:00
p256-x86_64.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
p256-x86_64.h Add low-level p256-x86_64 tests. 2016-11-15 17:05:01 +00:00
simple.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
util-64.c Remove unused code for multiple-point ECC multiplication. 2016-03-09 19:47:19 +00:00
wnaf.c signed char => int8_t. 2016-11-29 01:03:52 +00:00