{
  "commit": "fee8709f691f7a35070a76cb38b7dca6116e7687",
  "tree": "7ea5055249b82bcbecd03564c5434e86663c76b1",
  "parents": [
    "63e2a081231715573d17a35c737e292553d668d7"
  ],
  "author": {
    "name": "Brian Smith",
    "email": "brian@briansmith.org",
    "time": "Wed May 16 17:24:20 2018 -1000"
  },
  "committer": {
    "name": "CQ bot account: commit-bot@chromium.org",
    "email": "commit-bot@chromium.org",
    "time": "Mon May 21 19:43:05 2018 +0000"
  },
  "message": "Replace |alloca| in |BN_mod_exp_mont_consttime|.\n\n|alloca| is dangerous and poorly specified, according to any\ndescription of |alloca|. It\u0027s also hard for some analysis tools to\nreason about.\n\nThe code here assumed |alloca| is a macro, which isn\u0027t a valid\nassumption. Depending on which headers are included and what\ntoolchain is being used, |alloca| may or may not be defined as a macro,\nand this might change over time if/when toolchains are updated. Or, we\nmight be doing static analysis and/or dynamic analysis with a different\nconfiguration w.r.t. the availability of |alloca| than production\nbuilds use.\n\nRegardless, the |alloca| code path only kicked in when the inputs are\n840 bits or smaller. Since the multi-prime RSA support was removed, for\ninteresting RSA key sizes the input will be at least 1024 bits and this\ncode path won\u0027t be triggered since powerbufLen will be larger than 3072\nbytes in those cases. ECC inversion via Fermat\u0027s Little Theorem has its\nown constant-time exponentiation so there are no cases where smaller\ninputs need to be fast.\n\nThe RSAZ code avoids the |OPENSSL_malloc| for 2048-bit RSA keys.\nIncreasingly the RSAZ code won\u0027t be used though, since it will be\nskipped over on Broadwell+ CPUs. Generalize the RSAZ stack allocation\nto work for non-RSAZ code paths. In order to ensure this doesn\u0027t cause\ntoo much stack usage on platforms where RSAZ wasn\u0027t already being used,\nonly do so on x86-64, which already has this large stack size\nrequirement due to RSAZ.\n\nThis change will make it easier to refactor |BN_mod_exp_mont_consttime|\nto do that more safely and in a way that\u0027s more compatible with various\nanalysis tools.\n\nThis is also a step towards eliminating the |uintptr_t|-based alignment\nhack.\n\nSince this change increases the number of times |OPENSSL_free| is\nskipped, I\u0027ve added an explicit |OPENSSL_cleanse| to ensure the\nzeroization is done. This should be done regardless of the other changes\nhere.\n\nChange-Id: I8a161ce2720a26127e85fff7513f394883e50b2e\nReviewed-on: https://boringssl-review.googlesource.com/28584\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nCQ-Verified: CQ bot account: commit-bot@chromium.org \u003ccommit-bot@chromium.org\u003e\nReviewed-by: David Benjamin \u003cdavidben@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "b07111e0b1cdd0a9d162429ec83a8405eafe1b6d",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bn/exponentiation.c",
      "new_id": "5187f4a13bfe8dcdd07319b4a9b53ca894f952ea",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bn/exponentiation.c"
    },
    {
      "type": "modify",
      "old_id": "ab2a9256034668d3ca9aab03791d9818da5dd450",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bn/internal.h",
      "new_id": "9796831f553ade35232928122fdc1a54f6bf2bc7",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bn/internal.h"
    },
    {
      "type": "modify",
      "old_id": "97c58bad6cabe0520a2880aa2f3c999aa16e1cb6",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bn/rsaz_exp.c",
      "new_id": "79a04e2e5e5a14bd09bc7491fa7ae8f493800eaf",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bn/rsaz_exp.c"
    },
    {
      "type": "modify",
      "old_id": "af973a5c77f0fb6982cabec338ad4c40da2a3488",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bn/rsaz_exp.h",
      "new_id": "4819fdcd94d603f318b23f208fc2008dfa2ce6f1",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bn/rsaz_exp.h"
    }
  ]
}
