commit | 23af438ccd9304b94922cf299d0614ee40a47d9c | [log] [tgz] |
---|---|---|
author | David Benjamin <davidben@google.com> | Sun Mar 04 00:38:00 2018 -0500 |
committer | Adam Langley <alangley@gmail.com> | Fri Mar 30 19:53:28 2018 +0000 |
tree | 6bc92ca0bff0b565501529be3b1751097cb6677f | |
parent | 8d9ee7d1fe89f424ad36b9f389692e777e9ba782 [diff] |
Compute p - q in constant time. Expose the constant-time abs_sub functions from the fixed Karatsuba code in BIGNUM form for RSA to call into. RSA key generation involves checking if |p - q| is above some lower bound. BN_sub internally branches on which of p or q is bigger. For any given iteration, this is not secret---one of p or q is necessarily the larger, and whether we happened to pick the larger or smaller first is irrelevant. Accordingly, there is no need to perform the p/q swap at the end in constant-time. However, this stage of the algorithm picks p first, sticks with it, and then computes |p - q| for various q candidates. The distribution of comparisons leaks information about p. The leak is unlikely to be problematic, but plug it anyway. Median of 29 RSA keygens: 0m0.210s -> 0m0.212s (Accuracy beyond 0.1s is questionable.) Bug: 238 Change-Id: I024b4e51b364f5ca2bcb419a0393e7be13249aec Reviewed-on: https://boringssl-review.googlesource.com/26368 Reviewed-by: Adam Langley <alangley@gmail.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
There are other files in this directory which might be helpful: