boringssl/include/openssl
David Benjamin 232a6be6f1 Make primality testing mostly constant-time.
The extra details in Enhanced Rabin-Miller are only used in
RSA_check_key_fips, on the public RSA modulus, which the static linker
will drop in most of our consumers anyway. Implement normal Rabin-Miller
for RSA keygen and use Montgomery reduction so it runs in constant-time.

Note that we only need to avoid leaking information about the input if
it's a large prime. If the number ends up composite, or we find it in
our table of small primes, we can return immediately.

The leaks not addressed by this CL are:

- The difficulty of selecting |b| leaks information about |w|.
- The distribution of whether step 4.4 runs leaks information about w.
- We leak |a| (the largest power of two which divides w) everywhere.
- BN_mod_word in the trial division is not constant-time.

These will be resolved in follow-up changes.

Median of 29 RSA keygens: 0m0.521 -> 0m0.621s
(Accuracy beyond 0.1s is questionable.)

Bug: 238
Change-Id: I0cf0ff22079732a0a3ababfe352bb4327e95b879
Reviewed-on: https://boringssl-review.googlesource.com/25886
Reviewed-by: Adam Langley <agl@google.com>
2018-03-28 01:42:06 +00:00
..
aead.h Add M=8 L=2 AES-128-CCM as well. 2018-03-02 18:45:06 +00:00
aes.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
arm_arch.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
asn1_mac.h Purge the remainder of asn1_mac.h. 2016-08-03 21:37:31 +00:00
asn1.h Limit ASN.1 constructed types recursive definition depth 2018-03-27 15:40:37 +00:00
asn1t.h Remove ASN1_template_(i2d,d2i). 2017-09-15 22:53:43 +00:00
base64.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
base.h Configure asmjs and wasm as generic, 32-bit machines. 2018-03-20 23:24:06 +00:00
bio.h Fix reference to nonexistent function. 2018-01-16 16:23:36 +00:00
blowfish.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
bn.h Make primality testing mostly constant-time. 2018-03-28 01:42:06 +00:00
buf.h Always process handshake records in full. 2017-10-17 14:53:11 +00:00
buffer.h
bytestring.h bytestring: document that |CBS_get_optional_asn1| can have a NULL output. 2018-03-19 20:22:25 +00:00
cast.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
chacha.h Add chacha.h to the list of documented headers. 2017-10-12 15:27:34 +00:00
cipher.h Add more compatibility symbols for Node. 2017-11-03 01:31:50 +00:00
cmac.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
conf.h Add more compatibility symbols for Node. 2017-11-03 01:31:50 +00:00
cpu.h Add CRYPTO_needs_hwcap2_workaround. 2017-09-18 14:05:46 +00:00
crypto.h Extract FIPS KAT tests into a function. 2018-01-22 20:16:38 +00:00
curve25519.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
des.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
dh.h Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
digest.h Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
dsa.h Remove DSA_sign_setup too. 2017-11-22 21:01:11 +00:00
dtls1.h
ec_key.h Fold EC_KEY_copy into EC_KEY_dup. 2018-03-07 21:17:02 +00:00
ec.h Document preferences for EC_GROUP_new_by_curve_name. 2018-03-20 20:15:06 +00:00
ecdh.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
ecdsa.h Remove ECDSA_sign_setup and friends. 2017-11-22 20:23:40 +00:00
engine.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
err.h Bring ERR_ERROR_STRING_BUF_LEN down to 120. 2017-12-14 19:47:23 +00:00
evp.h Documentation typo. 2018-01-25 14:47:06 +00:00
ex_data.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
hkdf.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
hmac.h Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
is_boringssl.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
lhash_macros.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
lhash.h Unexport more of lhash. 2017-10-25 04:17:18 +00:00
md4.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
md5.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
mem.h Remove redundant calls to |OPENSSL_cleanse| and |OPENSSL_realloc_clean|. 2017-09-18 19:16:51 +00:00
nid.h Add OpenSSL 1.1.0's cipher property functions. 2017-08-11 02:08:58 +00:00
obj_mac.h Rename obj_mac.h to nid.h and make it a multiply-includable header. 2016-03-31 20:45:35 +00:00
obj.h Reimplement OBJ_txt2obj and add a lower-level function. 2017-11-27 21:29:00 +00:00
objects.h
opensslconf.h Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
opensslv.h
ossl_typ.h
pem.h Switch a number of files to C++. 2017-07-12 20:54:02 +00:00
pkcs7.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
pkcs8.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
pkcs12.h
poly1305.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
pool.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
rand.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
rc4.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
ripemd.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
rsa.h Fix threading issues with RSA freeze_private_key. 2018-02-09 22:17:11 +00:00
safestack.h
sha.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
span.h Push Span down a layer. 2017-10-10 14:27:58 +00:00
srtp.h
ssl3.h Remove remnants of the HRR message. 2018-03-13 21:10:03 +00:00
ssl.h Add |SSL_COMP_get[0_name|_id]|. 2018-03-15 17:34:33 +00:00
stack.h Tidy up some warnings. 2018-01-09 16:01:32 +00:00
thread.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
tls1.h Remove draft22 and experiment2. 2018-01-31 18:07:53 +00:00
type_check.h Run comment conversion script on include/ 2017-08-18 23:38:51 +00:00
x509_vfy.h Unexport more of lhash. 2017-10-25 04:17:18 +00:00
x509.h Add RSA_PSS_PARAMS to bssl::UniquePtr. 2018-03-22 20:34:07 +00:00
x509v3.h Add bssl::UniquePtr<AUTHORITY_INFO_ACCESS> 2018-03-26 15:36:33 +00:00