grpc 1.13.0 → 1.14.0

data/third_party/boringssl/crypto/fipsmodule/ec/simple.c

@@ -395,8 +395,8 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   }
 
   // n5, n6
-  if (!bn_mod_sub_quick_ctx(n5, n1, n3, p, ctx) ||
-      !bn_mod_sub_quick_ctx(n6, n2, n4, p, ctx)) {
+  if (!bn_mod_sub_consttime(n5, n1, n3, p, ctx) ||
+      !bn_mod_sub_consttime(n6, n2, n4, p, ctx)) {
     goto end;
   }
   // n5 = n1 - n3
@@ -418,8 +418,8 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   }
 
   // 'n7', 'n8'
-  if (!bn_mod_add_quick_ctx(n1, n1, n3, p, ctx) ||
-      !bn_mod_add_quick_ctx(n2, n2, n4, p, ctx)) {
+  if (!bn_mod_add_consttime(n1, n1, n3, p, ctx) ||
+      !bn_mod_add_consttime(n2, n2, n4, p, ctx)) {
     goto end;
   }
   // 'n7' = n1 + n3
@@ -453,14 +453,14 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   if (!field_sqr(group, n0, n6, ctx) ||
       !field_sqr(group, n4, n5, ctx) ||
       !field_mul(group, n3, n1, n4, ctx) ||
-      !bn_mod_sub_quick_ctx(&r->X, n0, n3, p, ctx)) {
+      !bn_mod_sub_consttime(&r->X, n0, n3, p, ctx)) {
     goto end;
   }
   // X_r = n6^2 - n5^2 * 'n7'
 
   // 'n9'
-  if (!bn_mod_lshift1_quick_ctx(n0, &r->X, p, ctx) ||
-      !bn_mod_sub_quick_ctx(n0, n3, n0, p, ctx)) {
+  if (!bn_mod_lshift1_consttime(n0, &r->X, p, ctx) ||
+      !bn_mod_sub_consttime(n0, n3, n0, p, ctx)) {
     goto end;
   }
   // n9 = n5^2 * 'n7' - 2 * X_r
@@ -471,7 +471,7 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
     goto end;  // now n5 is n5^3
   }
   if (!field_mul(group, n1, n2, n5, ctx) ||
-      !bn_mod_sub_quick_ctx(n0, n0, n1, p, ctx)) {
+      !bn_mod_sub_consttime(n0, n0, n1, p, ctx)) {
     goto end;
   }
   if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
@@ -536,31 +536,31 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   // n1
   if (BN_cmp(&a->Z, &group->one) == 0) {
     if (!field_sqr(group, n0, &a->X, ctx) ||
-        !bn_mod_lshift1_quick_ctx(n1, n0, p, ctx) ||
-        !bn_mod_add_quick_ctx(n0, n0, n1, p, ctx) ||
-        !bn_mod_add_quick_ctx(n1, n0, &group->a, p, ctx)) {
+        !bn_mod_lshift1_consttime(n1, n0, p, ctx) ||
+        !bn_mod_add_consttime(n0, n0, n1, p, ctx) ||
+        !bn_mod_add_consttime(n1, n0, &group->a, p, ctx)) {
       goto err;
     }
     // n1 = 3 * X_a^2 + a_curve
   } else if (group->a_is_minus3) {
     if (!field_sqr(group, n1, &a->Z, ctx) ||
-        !bn_mod_add_quick_ctx(n0, &a->X, n1, p, ctx) ||
-        !bn_mod_sub_quick_ctx(n2, &a->X, n1, p, ctx) ||
+        !bn_mod_add_consttime(n0, &a->X, n1, p, ctx) ||
+        !bn_mod_sub_consttime(n2, &a->X, n1, p, ctx) ||
         !field_mul(group, n1, n0, n2, ctx) ||
-        !bn_mod_lshift1_quick_ctx(n0, n1, p, ctx) ||
-        !bn_mod_add_quick_ctx(n1, n0, n1, p, ctx)) {
+        !bn_mod_lshift1_consttime(n0, n1, p, ctx) ||
+        !bn_mod_add_consttime(n1, n0, n1, p, ctx)) {
       goto err;
     }
     // n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
     //    = 3 * X_a^2 - 3 * Z_a^4
   } else {
     if (!field_sqr(group, n0, &a->X, ctx) ||
-        !bn_mod_lshift1_quick_ctx(n1, n0, p, ctx) ||
-        !bn_mod_add_quick_ctx(n0, n0, n1, p, ctx) ||
+        !bn_mod_lshift1_consttime(n1, n0, p, ctx) ||
+        !bn_mod_add_consttime(n0, n0, n1, p, ctx) ||
         !field_sqr(group, n1, &a->Z, ctx) ||
         !field_sqr(group, n1, n1, ctx) ||
         !field_mul(group, n1, n1, &group->a, ctx) ||
-        !bn_mod_add_quick_ctx(n1, n1, n0, p, ctx)) {
+        !bn_mod_add_consttime(n1, n1, n0, p, ctx)) {
       goto err;
     }
     // n1 = 3 * X_a^2 + a_curve * Z_a^4
@@ -574,7 +574,7 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
     goto err;
   }
-  if (!bn_mod_lshift1_quick_ctx(&r->Z, n0, p, ctx)) {
+  if (!bn_mod_lshift1_consttime(&r->Z, n0, p, ctx)) {
     goto err;
   }
   // Z_r = 2 * Y_a * Z_a
@@ -582,30 +582,30 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   // n2
   if (!field_sqr(group, n3, &a->Y, ctx) ||
       !field_mul(group, n2, &a->X, n3, ctx) ||
-      !bn_mod_lshift_quick_ctx(n2, n2, 2, p, ctx)) {
+      !bn_mod_lshift_consttime(n2, n2, 2, p, ctx)) {
     goto err;
   }
   // n2 = 4 * X_a * Y_a^2
 
   // X_r
-  if (!bn_mod_lshift1_quick_ctx(n0, n2, p, ctx) ||
+  if (!bn_mod_lshift1_consttime(n0, n2, p, ctx) ||
       !field_sqr(group, &r->X, n1, ctx) ||
-      !bn_mod_sub_quick_ctx(&r->X, &r->X, n0, p, ctx)) {
+      !bn_mod_sub_consttime(&r->X, &r->X, n0, p, ctx)) {
     goto err;
   }
   // X_r = n1^2 - 2 * n2
 
   // n3
   if (!field_sqr(group, n0, n3, ctx) ||
-      !bn_mod_lshift_quick_ctx(n3, n0, 3, p, ctx)) {
+      !bn_mod_lshift_consttime(n3, n0, 3, p, ctx)) {
     goto err;
   }
   // n3 = 8 * Y_a^4
 
   // Y_r
-  if (!bn_mod_sub_quick_ctx(n0, n2, &r->X, p, ctx) ||
+  if (!bn_mod_sub_consttime(n0, n2, &r->X, p, ctx) ||
       !field_mul(group, n0, n1, n0, ctx) ||
-      !bn_mod_sub_quick_ctx(&r->Y, n0, n3, p, ctx)) {
+      !bn_mod_sub_consttime(&r->Y, n0, n3, p, ctx)) {
     goto err;
   }
   // Y_r = n1 * (n2 - X_r) - n3
@@ -688,15 +688,15 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
 
     // rh := (rh + a*Z^4)*X
     if (group->a_is_minus3) {
-      if (!bn_mod_lshift1_quick_ctx(tmp, Z4, p, ctx) ||
-          !bn_mod_add_quick_ctx(tmp, tmp, Z4, p, ctx) ||
-          !bn_mod_sub_quick_ctx(rh, rh, tmp, p, ctx) ||
+      if (!bn_mod_lshift1_consttime(tmp, Z4, p, ctx) ||
+          !bn_mod_add_consttime(tmp, tmp, Z4, p, ctx) ||
+          !bn_mod_sub_consttime(rh, rh, tmp, p, ctx) ||
           !field_mul(group, rh, rh, &point->X, ctx)) {
         goto err;
       }
     } else {
       if (!field_mul(group, tmp, Z4, &group->a, ctx) ||
-          !bn_mod_add_quick_ctx(rh, rh, tmp, p, ctx) ||
+          !bn_mod_add_consttime(rh, rh, tmp, p, ctx) ||
           !field_mul(group, rh, rh, &point->X, ctx)) {
         goto err;
       }
@@ -704,17 +704,17 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
 
     // rh := rh + b*Z^6
     if (!field_mul(group, tmp, &group->b, Z6, ctx) ||
-        !bn_mod_add_quick_ctx(rh, rh, tmp, p, ctx)) {
+        !bn_mod_add_consttime(rh, rh, tmp, p, ctx)) {
       goto err;
     }
   } else {
     // rh := (rh + a)*X
-    if (!bn_mod_add_quick_ctx(rh, rh, &group->a, p, ctx) ||
+    if (!bn_mod_add_consttime(rh, rh, &group->a, p, ctx) ||
         !field_mul(group, rh, rh, &point->X, ctx)) {
       goto err;
     }
     // rh := rh + b
-    if (!bn_mod_add_quick_ctx(rh, rh, &group->b, p, ctx)) {
+    if (!bn_mod_add_consttime(rh, rh, &group->b, p, ctx)) {
       goto err;
     }
   }

data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c

@@ -392,17 +392,17 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
   }
 
   const EC_GROUP *group = EC_KEY_get0_group(eckey);
-  const BIGNUM *priv_key_bn = EC_KEY_get0_private_key(eckey);
-  if (group == NULL || priv_key_bn == NULL) {
+  if (group == NULL || eckey->priv_key == NULL) {
     OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
     return NULL;
   }
   const BIGNUM *order = EC_GROUP_get0_order(group);
+  const EC_SCALAR *priv_key = &eckey->priv_key->scalar;
 
   int ok = 0;
   ECDSA_SIG *ret = ECDSA_SIG_new();
   BN_CTX *ctx = BN_CTX_new();
-  EC_SCALAR kinv_mont, priv_key, r_mont, s;
+  EC_SCALAR kinv_mont, r_mont, s;
   EC_LOOSE_SCALAR m, tmp;
   if (ret == NULL || ctx == NULL) {
     OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
@@ -410,14 +410,9 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
   }
 
   digest_to_scalar(group, &m, digest, digest_len);
-  // TODO(davidben): Store the private key as an |EC_SCALAR| so this is obvious
-  // via the type system.
-  if (!ec_bignum_to_scalar_unchecked(group, &priv_key, priv_key_bn)) {
-    goto err;
-  }
   for (;;) {
     if (!ecdsa_sign_setup(eckey, ctx, &kinv_mont, &ret->r, digest, digest_len,
-                          &priv_key)) {
+                          priv_key)) {
       goto err;
     }
 
@@ -427,7 +422,7 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
     if (!ec_bignum_to_scalar(group, &r_mont, ret->r) ||
         !bn_to_montgomery_small(r_mont.words, order->width, r_mont.words,
                                 order->width, group->order_mont) ||
-        !scalar_mod_mul_montgomery(group, &s, &priv_key, &r_mont)) {
+        !scalar_mod_mul_montgomery(group, &s, priv_key, &r_mont)) {
       goto err;
     }
 
@@ -455,7 +450,6 @@ err:
   }
   BN_CTX_free(ctx);
   OPENSSL_cleanse(&kinv_mont, sizeof(kinv_mont));
-  OPENSSL_cleanse(&priv_key, sizeof(priv_key));
   OPENSSL_cleanse(&r_mont, sizeof(r_mont));
   OPENSSL_cleanse(&s, sizeof(s));
   OPENSSL_cleanse(&tmp, sizeof(tmp));

data/third_party/boringssl/crypto/fipsmodule/rsa/blinding.c

@@ -215,46 +215,22 @@ int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont,
 
 static int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e,
                                     const BN_MONT_CTX *mont, BN_CTX *ctx) {
-  int retry_counter = 32;
-
-  do {
-    if (!BN_rand_range_ex(b->A, 1, &mont->N)) {
-      OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
-      return 0;
-    }
-
-    // |BN_from_montgomery| + |BN_mod_inverse_blinded| is equivalent to, but
-    // more efficient than, |BN_mod_inverse_blinded| + |BN_to_montgomery|.
-    if (!BN_from_montgomery(b->Ai, b->A, mont, ctx)) {
-      OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
-      return 0;
-    }
-
-    int no_inverse;
-    if (BN_mod_inverse_blinded(b->Ai, &no_inverse, b->Ai, mont, ctx)) {
-      break;
-    }
-
-    if (!no_inverse) {
-      OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
-      return 0;
-    }
-
-    // For reasonably-sized RSA keys, it should almost never be the case that a
-    // random value doesn't have an inverse.
-    if (retry_counter-- == 0) {
-      OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
-      return 0;
-    }
-    ERR_clear_error();
-  } while (1);
-
-  if (!BN_mod_exp_mont(b->A, b->A, e, &mont->N, ctx, mont)) {
-    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-
-  if (!BN_to_montgomery(b->A, b->A, mont, ctx)) {
+  int no_inverse;
+  if (!BN_rand_range_ex(b->A, 1, &mont->N) ||
+      // Compute |b->A|^-1 in Montgomery form. Note |BN_from_montgomery| +
+      // |BN_mod_inverse_blinded| is equivalent to, but more efficient than,
+      // |BN_mod_inverse_blinded| + |BN_to_montgomery|.
+      //
+      // We do not retry if |b->A| has no inverse. Finding a non-invertible
+      // value of |b->A| is equivalent to factoring |mont->N|. There is
+      // negligible probability of stumbling on one at random.
+      !BN_from_montgomery(b->Ai, b->A, mont, ctx) ||
+      !BN_mod_inverse_blinded(b->Ai, &no_inverse, b->Ai, mont, ctx) ||
+      // TODO(davidben): |BN_mod_exp_mont| internally computes the result in
+      // Montgomery form. Save a pair of Montgomery reductions and a
+      // multiplication by returning that value directly.
+      !BN_mod_exp_mont(b->A, b->A, e, &mont->N, ctx, mont) ||
+      !BN_to_montgomery(b->A, b->A, mont, ctx)) {
     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
     return 0;
   }

data/third_party/boringssl/crypto/fipsmodule/rsa/internal.h

@@ -114,15 +114,10 @@ int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
                           size_t len);
 
 
-// The following utility functions are exported for test purposes.
-
+// This constant is exported for test purposes.
 extern const BN_ULONG kBoringSSLRSASqrtTwo[];
 extern const size_t kBoringSSLRSASqrtTwoLen;
 
-// rsa_greater_than_pow2 returns one if |b| is greater than 2^|n| and zero
-// otherwise.
-int rsa_greater_than_pow2(const BIGNUM *b, int n);
-
 
 #if defined(__cplusplus)
 }  // extern C

data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c

@@ -634,8 +634,25 @@ err:
   return ret;
 }
 
+static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
+                             const BIGNUM *m, int check_reduced, BN_CTX *ctx) {
+  BN_CTX_start(ctx);
+  BIGNUM *tmp = BN_CTX_get(ctx);
+  int ret = tmp != NULL &&
+            bn_mul_consttime(tmp, a, ainv, ctx) &&
+            bn_div_consttime(NULL, tmp, tmp, m, ctx);
+  if (ret) {
+    *out_ok = BN_is_one(tmp);
+    if (check_reduced && (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0)) {
+      *out_ok = 0;
+    }
+  }
+  BN_CTX_end(ctx);
+  return ret;
+}
+
 int RSA_check_key(const RSA *key) {
-  BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q;
+  BIGNUM n, pm1, qm1, lcm, dmp1, dmq1, iqmp_times_q;
   BN_CTX *ctx;
   int ok = 0, has_crt_values;
 
@@ -670,26 +687,20 @@ int RSA_check_key(const RSA *key) {
   BN_init(&pm1);
   BN_init(&qm1);
   BN_init(&lcm);
-  BN_init(&gcd);
-  BN_init(&de);
   BN_init(&dmp1);
   BN_init(&dmq1);
   BN_init(&iqmp_times_q);
 
-  if (!BN_mul(&n, key->p, key->q, ctx) ||
+  int d_ok;
+  if (!bn_mul_consttime(&n, key->p, key->q, ctx) ||
       // lcm = lcm(p, q)
-      !BN_sub(&pm1, key->p, BN_value_one()) ||
-      !BN_sub(&qm1, key->q, BN_value_one()) ||
-      !BN_mul(&lcm, &pm1, &qm1, ctx) ||
-      !BN_gcd(&gcd, &pm1, &qm1, ctx)) {
-    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
-    goto out;
-  }
-
-  if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
-      !BN_gcd(&gcd, &pm1, &qm1, ctx) ||
-      // de = d*e mod lcm(p, q).
-      !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
+      !bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
+      !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
+      !bn_lcm_consttime(&lcm, &pm1, &qm1, ctx) ||
+      // Other implementations use the Euler totient rather than the Carmichael
+      // totient, so allow unreduced |key->d|.
+      !check_mod_inverse(&d_ok, key->e, key->d, &lcm,
+                         0 /* don't require reduced */, ctx)) {
     OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
     goto out;
   }
@@ -699,11 +710,16 @@ int RSA_check_key(const RSA *key) {
     goto out;
   }
 
-  if (!BN_is_one(&de)) {
+  if (!d_ok) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
     goto out;
   }
 
+  if (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
+    goto out;
+  }
+
   has_crt_values = key->dmp1 != NULL;
   if (has_crt_values != (key->dmq1 != NULL) ||
       has_crt_values != (key->iqmp != NULL)) {
@@ -712,20 +728,18 @@ int RSA_check_key(const RSA *key) {
   }
 
   if (has_crt_values) {
-    if (// dmp1 = d mod (p-1)
-        !BN_mod(&dmp1, key->d, &pm1, ctx) ||
-        // dmq1 = d mod (q-1)
-        !BN_mod(&dmq1, key->d, &qm1, ctx) ||
-        // iqmp = q^-1 mod p
-        !BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
+    int dmp1_ok, dmq1_ok, iqmp_ok;
+    if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1,
+                           1 /* check reduced */, ctx) ||
+        !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1,
+                           1 /* check reduced */, ctx) ||
+        !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p,
+                           1 /* check reduced */, ctx)) {
       OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
       goto out;
     }
 
-    if (BN_cmp(&dmp1, key->dmp1) != 0 ||
-        BN_cmp(&dmq1, key->dmq1) != 0 ||
-        BN_cmp(key->iqmp, key->p) >= 0 ||
-        !BN_is_one(&iqmp_times_q)) {
+    if (!dmp1_ok || !dmq1_ok || !iqmp_ok) {
       OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
       goto out;
     }
@@ -738,8 +752,6 @@ out:
   BN_free(&pm1);
   BN_free(&qm1);
   BN_free(&lcm);
-  BN_free(&gcd);
-  BN_free(&de);
   BN_free(&dmp1);
   BN_free(&dmq1);
   BN_free(&iqmp_times_q);

data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c

@@ -862,7 +862,7 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
       !BN_mod_exp_mont_consttime(r0, r1, dmp1, p, ctx, mont_p) ||
       // Compute r0 = r0 - m1 mod p. |p| is the larger prime, so |m1| is already
       // fully reduced mod |p|.
-      !bn_mod_sub_quick_ctx(r0, r0, m1, p, ctx) ||
+      !bn_mod_sub_consttime(r0, r0, m1, p, ctx) ||
       // r0 = r0 * iqmp mod p. We use Montgomery multiplication to compute this
       // in constant time. |inv_small_mod_large_mont| is in Montgomery form and
       // r0 is not, so the result is taken out of Montgomery form.
@@ -873,8 +873,8 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
       // so it is correct mod q. Finally, the result is bounded by [m1, n + m1),
       // and the result is at least |m1|, so this must be the unique answer in
       // [0, n).
-      !bn_mul_fixed(r0, r0, q, ctx) ||
-      !bn_uadd_fixed(r0, r0, m1) ||
+      !bn_mul_consttime(r0, r0, q, ctx) ||
+      !bn_uadd_consttime(r0, r0, m1) ||
       // The result should be bounded by |n|, but fixed-width operations may
       // bound the width slightly higher, so fix it.
       !bn_resize_words(r0, n->width)) {
@@ -924,25 +924,20 @@ const BN_ULONG kBoringSSLRSASqrtTwo[] = {
 };
 const size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo);
 
-int rsa_greater_than_pow2(const BIGNUM *b, int n) {
-  if (BN_is_negative(b) || n == INT_MAX) {
-    return 0;
-  }
-
-  int b_bits = BN_num_bits(b);
-  return b_bits > n + 1 || (b_bits == n + 1 && !BN_is_pow2(b));
-}
-
 // generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
 // relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
-// |p|.
+// |p|. |sqrt2| must be ⌊2^(bits-1)×√2⌋ (or a slightly overestimate for large
+// sizes), and |pow2_bits_100| must be 2^(bits-100).
 static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
-                          const BIGNUM *p, const BIGNUM *sqrt2, BN_CTX *ctx,
+                          const BIGNUM *p, const BIGNUM *sqrt2,
+                          const BIGNUM *pow2_bits_100, BN_CTX *ctx,
                           BN_GENCB *cb) {
   if (bits < 128 || (bits % BN_BITS2) != 0) {
     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
     return 0;
   }
+  assert(BN_is_pow2(pow2_bits_100));
+  assert(BN_is_bit_set(pow2_bits_100, bits - 100));
 
   // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2.
 
@@ -973,11 +968,10 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
 
     if (p != NULL) {
       // If |p| and |out| are too close, try again (step 5.4).
-      if (!BN_sub(tmp, out, p)) {
+      if (!bn_abs_sub_consttime(tmp, out, p, ctx)) {
         goto err;
       }
-      BN_set_negative(tmp, 0);
-      if (!rsa_greater_than_pow2(tmp, bits - 100)) {
+      if (BN_cmp(tmp, pow2_bits_100) <= 0) {
         continue;
       }
     }
@@ -993,21 +987,26 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
       continue;
     }
 
-    // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
-    if (!BN_sub(tmp, out, BN_value_one()) ||
-        !BN_gcd(tmp, tmp, e, ctx)) {
-      goto err;
-    }
-    if (BN_is_one(tmp)) {
-      // Test |out| for primality (steps 4.5.1 and 5.6.1).
-      int is_probable_prime;
-      if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 1,
-                             cb)) {
+    // RSA key generation's bottleneck is discarding composites. If it fails
+    // trial division, do not bother computing a GCD or performing Rabin-Miller.
+    if (!bn_odd_number_is_obviously_composite(out)) {
+      // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
+      int relatively_prime;
+      if (!BN_sub(tmp, out, BN_value_one()) ||
+          !bn_is_relatively_prime(&relatively_prime, tmp, e, ctx)) {
         goto err;
       }
-      if (is_probable_prime) {
-        ret = 1;
-        goto err;
+      if (relatively_prime) {
+        // Test |out| for primality (steps 4.5.1 and 5.6.1).
+        int is_probable_prime;
+        if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 0,
+                               cb)) {
+          goto err;
+        }
+        if (is_probable_prime) {
+          ret = 1;
+          goto err;
+        }
       }
     }
 
@@ -1043,7 +1042,19 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
     return 0;
   }
 
+  // Reject excessively large public exponents. Windows CryptoAPI and Go don't
+  // support values larger than 32 bits, so match their limits for generating
+  // keys. (|check_modulus_and_exponent_sizes| uses a slightly more conservative
+  // value, but we don't need to support generating such keys.)
+  // https://github.com/golang/go/issues/3161
+  // https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
+  if (BN_num_bits(e_value) > 32) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
+    return 0;
+  }
+
   int ret = 0;
+  int prime_bits = bits / 2;
   BN_CTX *ctx = BN_CTX_new();
   if (ctx == NULL) {
     goto bn_err;
@@ -1052,10 +1063,13 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
   BIGNUM *totient = BN_CTX_get(ctx);
   BIGNUM *pm1 = BN_CTX_get(ctx);
   BIGNUM *qm1 = BN_CTX_get(ctx);
-  BIGNUM *gcd = BN_CTX_get(ctx);
   BIGNUM *sqrt2 = BN_CTX_get(ctx);
-  if (totient == NULL || pm1 == NULL || qm1 == NULL || gcd == NULL ||
-      sqrt2 == NULL) {
+  BIGNUM *pow2_prime_bits_100 = BN_CTX_get(ctx);
+  BIGNUM *pow2_prime_bits = BN_CTX_get(ctx);
+  if (totient == NULL || pm1 == NULL || qm1 == NULL || sqrt2 == NULL ||
+      pow2_prime_bits_100 == NULL || pow2_prime_bits == NULL ||
+      !BN_set_bit(pow2_prime_bits_100, prime_bits - 100) ||
+      !BN_set_bit(pow2_prime_bits, prime_bits)) {
     goto bn_err;
   }
 
@@ -1074,8 +1088,6 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
     goto bn_err;
   }
 
-  int prime_bits = bits / 2;
-
   // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋.
   if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) {
     goto bn_err;
@@ -1101,9 +1113,11 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
   do {
     // Generate p and q, each of size |prime_bits|, using the steps outlined in
     // appendix FIPS 186-4 appendix B.3.3.
-    if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2, ctx, cb) ||
+    if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2,
+                        pow2_prime_bits_100, ctx, cb) ||
         !BN_GENCB_call(cb, 3, 0) ||
-        !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2, ctx, cb) ||
+        !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2,
+                        pow2_prime_bits_100, ctx, cb) ||
         !BN_GENCB_call(cb, 3, 1)) {
       goto bn_err;
     }
@@ -1121,27 +1135,27 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
     // q-1. However, we do operations with Chinese Remainder Theorem, so we only
     // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
     // does not affect those two values.
-    if (!BN_sub(pm1, rsa->p, BN_value_one()) ||
-        !BN_sub(qm1, rsa->q, BN_value_one()) ||
-        !BN_mul(totient, pm1, qm1, ctx) ||
-        !BN_gcd(gcd, pm1, qm1, ctx) ||
-        !BN_div(totient, NULL, totient, gcd, ctx) ||
-        !BN_mod_inverse(rsa->d, rsa->e, totient, ctx)) {
+    int no_inverse;
+    if (!bn_usub_consttime(pm1, rsa->p, BN_value_one()) ||
+        !bn_usub_consttime(qm1, rsa->q, BN_value_one()) ||
+        !bn_lcm_consttime(totient, pm1, qm1, ctx) ||
+        !bn_mod_inverse_consttime(rsa->d, &no_inverse, rsa->e, totient, ctx)) {
       goto bn_err;
     }
 
-    // Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See
-    // appendix B.3.1's guidance on values for d.
-  } while (!rsa_greater_than_pow2(rsa->d, prime_bits));
+    // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on
+    // values for d.
+  } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0);
 
   if (// Calculate n.
-      !BN_mul(rsa->n, rsa->p, rsa->q, ctx) ||
+      !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) ||
       // Calculate d mod (p-1).
-      !BN_mod(rsa->dmp1, rsa->d, pm1, ctx) ||
+      !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, ctx) ||
       // Calculate d mod (q-1)
-      !BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) {
+      !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, ctx)) {
     goto bn_err;
   }
+  bn_set_minimal_width(rsa->n);
 
   // Sanity-check that |rsa->n| has the specified size. This is implied by
   // |generate_prime|'s bounds.