boringssl/crypto/rsa
David Benjamin fb8b763e51 Align RSA key generation with FIPS 186-4.
FIPS prescribes a slightly different key generation algorithm than we
use. Specifically:

- Rather than using BN_RAND_TOP_TWO (so using 1.5 as an upper bound for
  sqrt(2)), it prescribes using sqrt(2) itself. To avoid unnecessary
  squaring, we do a comparison against a hard-coded approximation for
  sqrt(2) good enough for the largest FIPS key size. I went ahead and
  made it constant-time since it was easy, but all this is far from
  constant-time.

- FIPS requires a check that |p-q| is sufficiently large.

- FIPS requires a check that d is sufficiently large.

- BN_generate_prime_ex adds some delta to clear a table of prime
  numbers. FIPS does not specify any of that, so implement a separate
  routine here.

The primality test itself will be aligned in a follow-up. For now, it is
left unchanged, except that trial division is turned back on. That makes
things faster and is analogous to the original algorithm's delta-munging
logic.

Change-Id: If32f0635bfb67a8c4740dedd7781d00647bbf60b
Reviewed-on: https://boringssl-review.googlesource.com/14948
Reviewed-by: Adam Langley <agl@google.com>
2017-04-12 23:14:39 +00:00
blinding.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
CMakeLists.txt Convert rsa_test to GTest. 2017-02-16 22:23:16 +00:00
internal.h Align RSA key generation with FIPS 186-4. 2017-04-12 23:14:39 +00:00
padding.c Remove redundant check in RSA_sign. 2017-04-12 22:06:11 +00:00
rsa_asn1.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
rsa_impl.c Align RSA key generation with FIPS 186-4. 2017-04-12 23:14:39 +00:00
rsa_test.cc Align RSA key generation with FIPS 186-4. 2017-04-12 23:14:39 +00:00
rsa.c Remove redundant check in RSA_sign. 2017-04-12 22:06:11 +00:00