In view of the recent BN_FLG_CONSTTIME vulnerabilities in OpenSSL,

carefully document constant time vs. non-constant time operation
of BN_div(3), BN_mod_exp(3), and BN_mod_inverse(3).

Until the work that is required on the ill-designed BN_exp(3) and
BN_gcd(3) interfaces can be undertaken, also document the imperfections
in their behaviour, for now.  Finally, mention BN_mod_exp(3) behaviour
for even moduli.

Delete the vague statement about some functions automatically
setting BN_FLG_CONSTTIME.  It created a false sense of security.
Do not rely on it: not all relevant functions do that.

Topic brought up by beck@, significant feedback and OK jsing@.

0 files changed, 0 insertions, 0 deletions