0a211dfe91
BN_FLG_CONSTTIME is a ridiculous API and easy to mess up (CVE-2016-2178). Instead, code that needs a particular algorithm which preserves secrecy of some arguemnt should call into that algorithm directly. This is never set outside the library and is finally unused within the library! Credit for all this goes almost entirely to Brian Smith. I just took care of the last bits. Note there was one BN_FLG_CONSTTIME check that was still reachable, the BN_mod_inverse in RSA key generation. However, it used the same code in both cases for even moduli and φ(n) is even if n is not a power of two. Traditionally, RSA keys are not powers of two, even though it would make the modular reductions a lot easier. When reviewing, check that I didn't remove a BN_FLG_CONSTTIME that led to a BN_mod_exp(_mont) or BN_mod_inverse call (with the exception of the RSA one mentioned above). They should all go to functions for the algorithms themselves like BN_mod_exp_mont_consttime. This CL shows the checks are a no-op for all our tests: https://boringssl-review.googlesource.com/c/12927/ BUG=125 Change-Id: I19cbb375cc75aac202bd76b51ca098841d84f337 Reviewed-on: https://boringssl-review.googlesource.com/12926 Reviewed-by: Adam Langley <alangley@gmail.com> |
||
---|---|---|
.. | ||
check.c | ||
CMakeLists.txt | ||
dh_asn1.c | ||
dh_test.cc | ||
dh.c | ||
params.c |