{
  "commit": "aa83c12069f3d62704fce3d499b068b5bf1b6e31",
  "tree": "8e3e7ba5653430b743c0e0cf0e365806b17a3c1e",
  "parents": [
    "5bdf5e4ac251e7e9eca5693104d802d94a28f28b"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Wed Feb 01 12:21:56 2023 -0500"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Fri Feb 03 16:47:02 2023 +0000"
  },
  "message": "Clear various false positives in RSA constant-time validation\n\nThis silences a few false positives in the valgrind-based constant-time\nvalidation.\n\nFirst, there are a few precondition checks that are publicly true, but\nvalgrind doesn\u0027t know that. I\u0027ve added a constant_time_declassify_int\nfunction and stuck those in there, since the existing macro is mostly\nsuited for macros. It also adds a value barrier in production code (see\ncomment for why). If we more thoroughly decoupled RSA from BIGNUM, we\ncould probably avoid this, since a lot of this comes from going through\npublic BIGNUM APIs.\n\nNext, our BIGNUM strategy is such that bounds on bignums are sometimes\ncomputed pessimally, and then clamped down later. Modular arithmetic is\ntrivially bounded and avoids that, but RSA CRT involves some non-modular\ncomputations. As a result, we actually compute a few more words than\nnecessary in the RSA result, and then bn_resize_words down.\nbn_resize_words also has a precondition check, which checks that all\ndiscarded words are zero. They are, but valgrind does not know that.\n\nSimilarly, the BN_bn2bin_padded call at the end checks for discarded\nnon-zero bytes, but valgrind does not know that because the output is\nbounded by n, the discarded bytes are zero.\n\nI\u0027ve added a bn_assert_fits_in_bytes to clear this. It\u0027s an assert in\ndebug mode and a declassification in constant-time validation.\n\nI suspect a different secret integer design would avoid needing this. I\nthink this comes from a combination of non-modular arithmetic, not\nhaving callers pass explicit width, and tracking public widths at the\nword granularity, rather than byte or bit. (Bit would actually be most\nideal.) Maybe worth a ponder sometime.\n\nChange-Id: I1bc9443d571d2881e2d857c70be913074deac156\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56825\nCommit-Queue: Bob Beck \u003cbbe@google.com\u003e\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Bob Beck \u003cbbe@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "da27426c866e320ce586e180082b9ea6c1e4598f",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bn/bytes.c",
      "new_id": "331e08596239d0c8089a62235353f5b64ae286e5",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bn/bytes.c"
    },
    {
      "type": "modify",
      "old_id": "859cf65b83b4abdaedb0235800e368722b34b846",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bn/exponentiation.c",
      "new_id": "ad3770d6c920703432f5f262b88a5c7c2d210338",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bn/exponentiation.c"
    },
    {
      "type": "modify",
      "old_id": "0bccf1eb1002de250e9809d328a0fe546a24305f",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/bn/internal.h",
      "new_id": "ca3e3e7905c4abc8d83b8164f6a9c857d818cdf1",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/bn/internal.h"
    },
    {
      "type": "modify",
      "old_id": "3a069ecfc57b45140640699368999f31fe11dd7f",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/rsa/rsa_impl.c",
      "new_id": "b9c47cd0c41e0fc4139a79b41d27ea00ad344536",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/rsa/rsa_impl.c"
    },
    {
      "type": "modify",
      "old_id": "f9a243e670d01ad824124573f7874b0825a01afa",
      "old_mode": 33188,
      "old_path": "crypto/internal.h",
      "new_id": "9bbba9e5a0db91e7e9a667368071c79644dd17a5",
      "new_mode": 33188,
      "new_path": "crypto/internal.h"
    }
  ]
}
