boringssl/crypto/err/ec.errordata

35 lines
897 B
Plaintext
Raw Normal View History

EC,126,BIGNUM_OUT_OF_RANGE
EC,100,BUFFER_TOO_SMALL
EC,101,COORDINATES_OUT_OF_RANGE
EC,102,D2I_ECPKPARAMETERS_FAILURE
EC,128,DECODE_ERROR
EC,103,EC_GROUP_NEW_BY_NAME_FAILURE
EC,129,ENCODE_ERROR
EC,104,GROUP2PKPARAMETERS_FAILURE
EC,130,GROUP_MISMATCH
EC,105,I2D_ECPKPARAMETERS_FAILURE
EC,106,INCOMPATIBLE_OBJECTS
EC,131,INVALID_COFACTOR
EC,107,INVALID_COMPRESSED_POINT
EC,108,INVALID_COMPRESSION_BIT
EC,109,INVALID_ENCODING
EC,110,INVALID_FIELD
EC,111,INVALID_FORM
EC,112,INVALID_GROUP_ORDER
EC,113,INVALID_PRIVATE_KEY
Make ECDSA signing 10% faster and plug some timing leaks. None of the asymmetric crypto we inherented from OpenSSL is constant-time because of BIGNUM. BIGNUM chops leading zeros off the front of everything, so we end up leaking information about the first word, in theory. BIGNUM functions additionally tend to take the full range of inputs and then call into BN_nnmod at various points. All our secret values should be acted on in constant-time, but k in ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an attempt to mitigate the BIGNUM leaks, would add a couple copies of the order. This does not work at all. k is used to compute two values: k^-1 and kG. The first operation when computing k^-1 is to call BN_nnmod if k is out of range. The entry point to our tuned constant-time curve implementations is to call BN_nnmod if the scalar has too many bits, which this causes. The result is both corrections are immediately undone but cause us to do more variable-time work in the meantime. Replace all these computations around k with the word-based functions added in the various preceding CLs. In doing so, replace the BN_mod_mul calls (which internally call BN_nnmod) with Montgomery reduction. We can avoid taking k^-1 out of Montgomery form, which combines nicely with Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along the way, we avoid some unnecessary mallocs. BIGNUM still affects the private key itself, as well as the EC_POINTs. But this should hopefully be much better now. Also it's 10% faster: Before: Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec) Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec) Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec) Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec) After: Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec) Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec) Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec) Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec) Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1 Reviewed-on: https://boringssl-review.googlesource.com/23075 Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
EC,133,INVALID_SCALAR
EC,114,MISSING_PARAMETERS
EC,115,MISSING_PRIVATE_KEY
EC,116,NON_NAMED_CURVE
EC,117,NOT_INITIALIZED
EC,118,PKPARAMETERS2GROUP_FAILURE
EC,119,POINT_AT_INFINITY
EC,120,POINT_IS_NOT_ON_CURVE
EC,132,PUBLIC_KEY_VALIDATION_FAILED
EC,121,SLOT_FULL
EC,122,UNDEFINED_GENERATOR
EC,123,UNKNOWN_GROUP
EC,124,UNKNOWN_ORDER
EC,127,WRONG_CURVE_PARAMETERS
EC,125,WRONG_ORDER