commit | 0a211dfe91588d2986a8735e1969dd9202a8b025 | [log] [tgz] |
---|---|---|
author | David Benjamin <davidben@google.com> | Sat Dec 17 15:25:55 2016 -0500 |
committer | Adam Langley <alangley@gmail.com> | Thu Jan 12 02:00:44 2017 +0000 |
tree | 0fa493fc4d4ad191056b2f4be35297317e019667 | |
parent | d261004048e25f2ad81fede16cca6736e8697713 [diff] |
Remove BN_FLG_CONSTTIME. BN_FLG_CONSTTIME is a ridiculous API and easy to mess up (CVE-2016-2178). Instead, code that needs a particular algorithm which preserves secrecy of some arguemnt should call into that algorithm directly. This is never set outside the library and is finally unused within the library! Credit for all this goes almost entirely to Brian Smith. I just took care of the last bits. Note there was one BN_FLG_CONSTTIME check that was still reachable, the BN_mod_inverse in RSA key generation. However, it used the same code in both cases for even moduli and φ(n) is even if n is not a power of two. Traditionally, RSA keys are not powers of two, even though it would make the modular reductions a lot easier. When reviewing, check that I didn't remove a BN_FLG_CONSTTIME that led to a BN_mod_exp(_mont) or BN_mod_inverse call (with the exception of the RSA one mentioned above). They should all go to functions for the algorithms themselves like BN_mod_exp_mont_consttime. This CL shows the checks are a no-op for all our tests: https://boringssl-review.googlesource.com/c/12927/ BUG=125 Change-Id: I19cbb375cc75aac202bd76b51ca098841d84f337 Reviewed-on: https://boringssl-review.googlesource.com/12926 Reviewed-by: Adam Langley <alangley@gmail.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
There are other files in this directory which might be helpful: