commit | a63d0ad40dd621d5b9472dc9f1756692f969451e | [log] [tgz] |
---|---|---|
author | David Benjamin <davidben@google.com> | Tue Apr 17 11:59:28 2018 -0400 |
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | Tue Apr 24 18:29:29 2018 +0000 |
tree | f383f17c092f29d726ca531dbacbaad86b2a4158 | |
parent | 52a68a9b430a1575753d5c3a5987985b67db7281 [diff] |
Require BN_mod_exp_mont* inputs be reduced.

If the caller asked for the base to be treated as secret, we should provide that. Allowing unbounded inputs is not compatible with being constant-time.

Additionally, this aligns with the guidance here: https://github.com/HACS-workshop/spectre-mitigations/blob/master/crypto_guidelines.md#1-do-not-conditionally-choose-between-constant-and-non-constant-time

Update-Note: BN_mod_exp_mont_consttime and BN_mod_exp_mont now require inputs be fully reduced. I believe current callers tolerate this. Additionally, due to a quirk of how certain operations were ordered, using (publicly) zero exponent tolerated a NULL BN_CTX while other exponents required non-NULL BN_CTX. Non-NULL BN_CTX is now required uniformly. This is unlikely to cause problems. Any call site where the exponent is always zero should just be replaced with BN_value_one().

Change-Id: I7c941953ea05f36dc2754facb9f4cf83a6789c61
Reviewed-on: https://boringssl-review.googlesource.com/27665
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
There are other files in this directory which might be helpful: