Description
The BIGNUM library defaults to a non-constant-time implementation of various operations. Where we want to force a constant-time implementation we have to remember to set the BN_FLG_CONSTTIME flag. Experience has shown that we often forget to do this. For example see:
- 54f007a (CVE-2018-0737)
- 8db7946
- e913d11
- 6364475
- 3de81a5
- 47ae05b
- 033dc8f
- 3999446 (CVE-2016-2178)
This is not intended to be an exhaustive list - there are probably other cases that I haven't listed.
The difficulty of changing the default is that this will have a performance impact for cases where constant time is not a requirement. It is unclear to me how many of those cases there are and whether we should be worried about it or not.
PR #5969 made one attempt at fixing this. Feedback on that suggested a better approach may be to use separate APIs for constant-time and non-constant-time operation:
@briansmith wrote:
See https://github.com/HACS-workshop/spectre-mitigations/blob/master/crypto_guidelines.md#1-do-not-conditionally-choose-between-constant-and-non-constant-time. I'm biased, but I think BoringSSL's solution, which was to use separate APIs for constant-time and non-constant-time implementations, is better, in general.
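As an added illustration (not OpenSSL code, and not part of this issue), here is a toy 32-bit model of the two API shapes under discussion: `TOY_FLG_CONSTTIME` stands in for `BN_FLG_CONSTTIME`, the function names are hypothetical, and a counter of branches taken on exponent bits is a crude stand-in for the timing leak. It shows that the opt-in flag design leaks as soon as a caller forgets the flag, while a separate constant-time entry point cannot be misused that way.

```c
#include <stdint.h>

/* Toy modular exponentiation used only to model the API-design hazard
 * from the issue; this is NOT OpenSSL's BIGNUM code. Modulus must be > 0. */
#define TOY_FLG_CONSTTIME 1   /* stands in for BN_FLG_CONSTTIME */

/* Number of branches taken on secret (exponent) bits during the last call:
 * a crude stand-in for what a variable-time path leaks through timing. */
static unsigned secret_branches;

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Variable-time square-and-multiply: the extra multiply happens only when
 * the exponent bit is set, so running time follows the secret exponent. */
static uint32_t modexp_vartime(uint32_t b, uint32_t e, uint32_t m) {
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((e >> i) & 1) { secret_branches++; r = mulmod(r, b, m); }
    }
    return r;
}

/* Montgomery ladder with a mask-based swap: identical work for every bit. */
static uint32_t modexp_consttime(uint32_t b, uint32_t e, uint32_t m) {
    uint32_t r0 = 1 % m, r1 = b % m;
    for (int i = 31; i >= 0; i--) {
        uint32_t mask = 0u - ((e >> i) & 1);   /* all ones when bit set */
        uint32_t t = (r0 ^ r1) & mask;          /* swap when bit == 1 */
        r0 ^= t; r1 ^= t;
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        t = (r0 ^ r1) & mask;                   /* swap back */
        r0 ^= t; r1 ^= t;
    }
    return r0;
}

/* Flag-style API mirroring the BIGNUM default: constant time is opt-in,
 * so a caller that forgets the flag silently gets the leaky path. */
static uint32_t modexp_flagged(uint32_t b, uint32_t e, uint32_t m, int flags) {
    return (flags & TOY_FLG_CONSTTIME) ? modexp_consttime(b, e, m)
                                       : modexp_vartime(b, e, m);
}

/* Returns how many secret-dependent branches a flagged call took. */
static unsigned branches_taken(uint32_t b, uint32_t e, uint32_t m, int flags) {
    secret_branches = 0;
    (void)modexp_flagged(b, e, m, flags);
    return secret_branches;
}
```

Calling `modexp_consttime` directly is the separate-API shape the quoted feedback recommends: there is no flag to forget.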