Reject even moduli in RSA_check_key.

RSA state management is generally a mess right now, which causes thread
contention issues in highly threaded servers. We need to do a lot
of work within the library to fix it, but in the end state,
RSA_check_key (called by the parser), BN_MONT_CTX_set_locked, and
freeze_private_key should all be unified.

This means that anything which can cause the latter two steps to fail
will be lifted up into the parser, currently RSA_check_key. We've
broadly done that, but odd moduli (n, p, and q) are currently not
covered by RSA_check_key. Fix that. We only need to check for odd n,
because odd p and q are then implied by p * q == n.

Update-Note: RSA keys with even moduli already do not work. (In addition
to being nonsensical, all operations will fail with them because we
cannot do Montgomery reduction on even moduli.) This CL shifts the error
from when you use the key, to when you parse the key, like our other
validation steps. Also after this lands, the check for odd modulus in
cl/447099278 can be removed.

Bug: 316
Change-Id: Ifa4af610316a8f717a026128078a5d38d046bff9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56885
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
3 files changed
tree: 7a235b25a9964bda0c420b2220b7db92d251a488
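The reasoning in the commit message above, as an added example that is not BoringSSL code: Montgomery setup needs the inverse of n modulo a power of two, which exists only for odd n, so an even modulus is rejected at validation time, and p * q == n then forces p and q to be odd. The type `toy_rsa_key` and the functions `modulus_is_odd`, `mont_n0` and `toy_check_key` are hypothetical names, and the word-sized key values are constructed stand-ins for bignums.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy key with word-sized values; real keys use bignums. */
typedef struct { uint64_t n; uint32_t p, q; } toy_rsa_key;

/* Parse-time oddness test on a big-endian modulus: only the last byte matters. */
int modulus_is_odd(const uint8_t *n_be, size_t len) {
  return len > 0 && (n_be[len - 1] & 1) != 0;
}

/* Montgomery setup needs -n^-1 mod 2^64. The inverse exists only for odd n.
 * Returns 1 and stores the constant in *out, or 0 if n is even. */
int mont_n0(uint64_t n, uint64_t *out) {
  if ((n & 1) == 0) return 0;
  uint64_t inv = n;               /* n*n == 1 mod 8, so 3 bits are right */
  for (int i = 0; i < 5; i++) {
    inv *= 2 - n * inv;           /* Newton step doubles the correct bits */
  }
  *out = 0 - inv;
  return 1;
}

/* Parser-level validation in the spirit of the commit: reject even n first,
 * then require p * q == n, which forces p and q to be odd as well. */
int toy_check_key(const toy_rsa_key *k) {
  if ((k->n & 1) == 0) return 0;
  return (uint64_t)k->p * k->q == k->n;
}

int main(void) {
  toy_rsa_key good = {3233, 61, 53}, even = {3232, 2, 1616}; /* constructed */
  uint64_t n0;
  printf("good: check=%d mont=%d\n", toy_check_key(&good), mont_n0(good.n, &n0));
  printf("even: check=%d mont=%d\n", toy_check_key(&even), mont_n0(even.n, &n0));
  return 0;
}
```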
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

There are other files in this directory which might be helpful: