)]}' { "commit": "a6a049a6fb51a052347611d41583a0622bc89d60", "tree": "4834cf3772e8c6c7d064008a1ea2e841e41c44a3", "parents": [ "c2897a158a02a05a4d7d1115e1d81f34166ef729" ], "author": { "name": "Adam Langley", "email": "alangley@gmail.com", "time": "Thu Dec 06 17:15:58 2018 -0800" }, "committer": { "name": "CQ bot account: commit-bot@chromium.org", "email": "commit-bot@chromium.org", "time": "Tue Dec 18 22:43:02 2018 +0000" }, "message": "Add start of infrastructure for checking constant-time properties.\n\nValgrind\u0027s checking of uninitialised memory behaves very much like a\ncheck for constant-time code: branches and memory indexes based on\nuninitialised memory trigger warnings. Therefore, if we can tell\nValgrind that some secret is “uninitialised”, it\u0027ll give us a warning if\nwe do something non-constant-time with it.\n\nThis was the idea behind https://github.com/agl/ctgrind. But tricks like\nthat are no longer needed because Valgrind now comes with support for\nmarking regions of memory as defined or not. Therefore we can use that\nAPI to check constant-time code.\n\nThis CL defines |CONSTTIME_SECRET| and |CONSTTIME_DECLASSIFY|, which are\nno-ops unless the code is built with\n|BORINGSSL_CONSTANT_TIME_VALIDATION| defined, which it isn\u0027t by default.\nSo this CL is a no-op itself so far. But it does show that a couple of\nbits of constant-time time are, in fact, constant-time—seemingly even\nwhen compiled with optimisations, which is nice.\n\nThe annotations in the RSA code are a) probably not marking all the\nsecrets as secret, and b) triggers warnings that are a little\ninteresting:\n\nThe anti-glitch check calls |BN_mod_exp_mont| which checks that the\ninput is less than the modulus. Of course, it is because the input is\nthe RSA plaintext that we just decrypted, but the plaintext is supposed\nto be secret and so branching based on its contents isn\u0027t allows by\nValgrind. The answer isn\u0027t totally clear, but I\u0027ve run out of time on\nthis for now.\n\nChange-Id: I1608ed0b22d201e97595fafe46127159e02d5b1b\nReviewed-on: https://boringssl-review.googlesource.com/c/33504\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\nReviewed-by: David Benjamin \u003cdavidben@google.com\u003e\nCommit-Queue: Adam Langley \u003cagl@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "bfde5d58809247d895b4d48e096c57d6a06170ee", "old_mode": 33188, "old_path": "CMakeLists.txt", "new_id": "1f18782f38ef0b47cd424d96f61489c89f3837ef", "new_mode": 33188, "new_path": "CMakeLists.txt" }, { "type": "modify", "old_id": "ff41989c700e5f32a7b7f06f5081d54f54ea2d0e", "old_mode": 33188, "old_path": "crypto/cipher_extra/e_tls.c", "new_id": "c812b6b866e076d443a494903e4b575aef5280ec", "new_mode": 33188, "new_path": "crypto/cipher_extra/e_tls.c" }, { "type": "modify", "old_id": "b7998fe3c1dd810a1676e8c7c6e5074f5f06b1a3", "old_mode": 33188, "old_path": "crypto/fipsmodule/rsa/padding.c", "new_id": "28f1b45b46e5f12b2ba3776410a16c9f4a76c7a0", "new_mode": 33188, "new_path": "crypto/fipsmodule/rsa/padding.c" }, { "type": "modify", "old_id": "895408dfec53940eddb6d50d789a970f6ff8dc4f", "old_mode": 33188, "old_path": "crypto/fipsmodule/rsa/rsa_impl.c", "new_id": "903ba9a9a9aa05c1c9184b2757aeda1def9d5742", "new_mode": 33188, "new_path": "crypto/fipsmodule/rsa/rsa_impl.c" }, { "type": "modify", "old_id": "b98b556c4aee31fa70f32631f32450da465dc919", "old_mode": 33188, "old_path": "crypto/internal.h", "new_id": "52799e899db85bff0805b7ba3da9ba1914b65f8e", "new_mode": 33188, "new_path": "crypto/internal.h" }, { "type": "modify", "old_id": "8b3b94283bd4340b32991c65592fd40804d0b9eb", "old_mode": 33188, "old_path": "ssl/handshake_server.cc", "new_id": "15720967e44e124e92dbcc6e2a4829afddda4152", "new_mode": 33188, "new_path": "ssl/handshake_server.cc" } ] }