Google Git
Sign in
boringssl / boringssl / 3529cba4a554fde0ece75a07178c0dd63f73e409
commit3529cba4a554fde0ece75a07178c0dd63f73e409[log] [tgz]
authorDavid Benjamin <davidben@google.com>Fri Aug 09 16:59:53 2024 -0400
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Aug 14 16:15:39 2024 +0000
tree2234e245053cc3e7205da6fcb76a06d33e5c4fe2
parent24bd38f452eb34669d607da4f17e8ca6fc44b30e [diff]
Cite where BN_div actually comes from

After spending a while trying to divine where all the bounds came from,
and coming up with some of the messy proofs for why it works, I found
this exact algorithm in Knuth, Volume 2, with... different messy proofs.
Sadly, this algorithm seems to just be messy. Cite it as reference
rather than trying to repeat it in code.

As part of this, update the discussion on branches. That was added in
https://boringssl-review.googlesource.com/c/boringssl/+/9105, back when
BN_div was used on secret inputs. It no longer is and, back then, the
function still wasn't constant-time anyway.

We could, in principle, restore the special cases now. But this would be
more complicated and diverge from Knuth's formulation, so let's just
keep it simple. (Although it might actually be a hair faster. We care
about this function to compute R^2 mod n, and the special case would
save an extra iteration through the loop. Though I think that
optimization could actually be restored with much, much less code than
OpenSSL originally did it. Probably not worth the fuss.)

Subsequent CLs will clean this code up in reference to Knuth's
formulation.

Bug: 358687140
Change-Id: I56da99c560b845f1736ab86edc79b8e711890fe3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/70170
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
1 file changed
tree: 2234e245053cc3e7205da6fcb76a06d33e5c4fe2
  1. .github/
  2. cmake/
  3. crypto/
  4. decrepit/
  5. fuzz/
  6. gen/
  7. include/
  8. pki/
  9. rust/
  10. ssl/
  11. third_party/
  12. tool/
  13. util/
  14. .bazelignore
  15. .bazelrc
  16. .clang-format
  17. .gitignore
  18. API-CONVENTIONS.md
  19. BREAKING-CHANGES.md
  20. BUILD.bazel
  21. build.json
  22. BUILDING.md
  23. CMakeLists.txt
  24. codereview.settings
  25. CONTRIBUTING.md
  26. FUZZING.md
  27. go.mod
  28. go.sum
  29. INCORPORATING.md
  30. LICENSE
  31. MODULE.bazel
  32. MODULE.bazel.lock
  33. PORTING.md
  34. PrivacyInfo.xcprivacy
  35. README.md
  36. SANDBOXING.md
  37. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

There are other files in this directory which might be helpful: