Commit Graph

21 Commits

Author SHA1 Message Date
Brian Smith
c7fe3b9ac5 Ensure result affine coordinates in nistz256 are fully reduced.
Revert 3f3358ac15. Add documentation
clarifying the misunderstanding that lead to the mistake, and make use
of the recently-added |bn_set_words|.

Change-Id: I58814bace3db3b0b44e2dfe09c44918a4710c621
Reviewed-on: https://boringssl-review.googlesource.com/8831
Reviewed-by: Adam Langley <agl@google.com>
2016-07-19 22:26:53 +00:00
Brian Smith
feff406782 Switch one point addition to a point doubling in p256-x86_64.c.
Change-Id: I67d8e72ff6f7d0b5d2393555b236510c391f2e78
Reviewed-on: https://boringssl-review.googlesource.com/8830
Reviewed-by: Adam Langley <agl@google.com>
2016-07-18 16:07:09 +00:00
David Benjamin
4186b711f4 Don't bother storing the cofactor.
It's always one. We don't support other kinds of curves with this framework.
(Curve25519 uses a much simpler API.) This also allows us to remove the
check_pub_key_order logic.

Change-Id: Ic15e1ecd68662b838c76b1e0aa15c3a93200d744
Reviewed-on: https://boringssl-review.googlesource.com/8350
Reviewed-by: Adam Langley <agl@google.com>
2016-06-20 17:26:02 +00:00
Brian Smith
3f3358ac15 Save one call to |ecp_nistz256_from_mont| in |ecp_nistz256_get_affine|.
Change-Id: I38faa5c4e9101c100614ebadf421bde0a05af360
Reviewed-on: https://boringssl-review.googlesource.com/7589
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-20 22:58:36 +00:00
Brian Smith
a7aa2bb8f8 Avoid a multiplication in |ecp_nistz256_get_affine| when |x| is NULL.
This is purely hypothetical, as in real life nobody cares about the
|y| component without also caring about the |x| component, but it
clarifies the code and makes a future change clearer.

Change-Id: Icaa4de83c87b82a8e68cd2942779a06e5db300c3
Reviewed-on: https://boringssl-review.googlesource.com/7588
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-20 22:53:46 +00:00
Brian Smith
d860b7b1cd Set output coordinates' |neg| field in |ecp_nistz256_get_affine|.
The result would not be correct if, on input, |x->neg != 0| or
|y->neg != 0|.

Change-Id: I645566a78c2e18e42492fbfca1df17baa05240f7
Reviewed-on: https://boringssl-review.googlesource.com/7587
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-20 22:52:45 +00:00
Brian Smith
9d354693ff Small tweak to P-256-x86-64 inversion.
Change-Id: I2a55db93e6140a0adc741b4ee5ee090d524605e0
Reviewed-on: https://boringssl-review.googlesource.com/7593
Reviewed-by: David Benjamin <davidben@google.com>
2016-03-29 00:43:01 +00:00
Brian Smith
d279a21d8c Avoid potential uninitialized memory read in crypto/ec/p256-x86_64.c.
If the function returns early due to an error, then the coordinates of the
result will have their |top| value set to a value beyond what has actually
been been written. Fix that, and make it easier to avoid such issues in the
future by refactoring the code.

As a bonus, avoid a false positive MSVC 64-bit opt build "potentially
uninitialized value used" warning.

Change-Id: I8c48deb63163a27f739c8797962414f8ca2588cd
Reviewed-on: https://boringssl-review.googlesource.com/6579
Reviewed-by: David Benjamin <davidben@google.com>
2016-03-09 19:04:36 +00:00
Brian Smith
081e3f34a2 Remove |EC_POINT::Z_is_one|.
Having |Z_is_one| be out of sync with |Z| could potentially be a very
bad thing, and in the past there have been multiple bugs of this sort,
including one currently in p256-x86_64.c (type confusion: Montgomery-
encoded vs unencoded). Avoid the issue entirely by getting rid of
|Z_is_one|.

Change-Id: Icb5aa0342df41d6bc443f15f952734295d0ee4ba
Reviewed-on: https://boringssl-review.googlesource.com/6576
Reviewed-by: David Benjamin <davidben@google.com>
2016-03-09 18:58:43 +00:00
David Benjamin
9bf1b1b440 Remove group_clear_finish EC_GROUP hooks.
These are never called. Group parameters are not secret anyway. This is
a remnant of upstream's EC_GROUP_clear_free.

Change-Id: I23a4076eae8e4561abddbe74d0ba72641532f229
Reviewed-on: https://boringssl-review.googlesource.com/6823
Reviewed-by: Adam Langley <alangley@gmail.com>
2016-01-28 00:17:43 +00:00
Brian Smith
7cae9f5b6c Use |alignas| for alignment.
MSVC doesn't have stdalign.h and so doesn't support |alignas| in C
code. Define |alignas(x)| as a synonym for |__decltype(align(x))|
instead for it.

This also fixes -Wcast-qual warnings in rsaz_exp.c.

Change-Id: Ifce9031724cb93f5a4aa1f567e7af61b272df9d5
Reviewed-on: https://boringssl-review.googlesource.com/6924
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-01-25 23:05:04 +00:00
Brian Smith
533a273871 Add |EC_METHOD| method for verifying public key order.
In some cases it would be good to restrict the input range of scalars
given to |EC_METHOD::mul| to be [0, order-1]. This is a first step
towards that goal.

Change-Id: I58a25db06f6c7a68a0ac1fe79794b04f7a173b23
Reviewed-on: https://boringssl-review.googlesource.com/6562
Reviewed-by: Adam Langley <agl@google.com>
2015-12-15 18:39:07 +00:00
Brian Smith
c5eb4676b6 Remove dead code in p256-x86_64.
Change-Id: I9d0b3fa39445d08202c67d905d2c676d5d968c33
Reviewed-on: https://boringssl-review.googlesource.com/6561
Reviewed-by: Adam Langley <agl@google.com>
2015-11-20 23:45:43 +00:00
Brian Smith
7af36e1e38 Share common definitions of |TOBN| and |BIGNUM_STATIC|.
Previously, both crypto/dh and crypto/ec defined |TOBN| macros that did
the same thing, but which took their arguments in the opposite order.
This change makes the code consistently use the same macro. It also
makes |STATIC_BIGNUM| available for internal use outside of crypto/bn.

Change-Id: Ide57f6a5b74ea95b3585724c7e1a630c82a864d9
Reviewed-on: https://boringssl-review.googlesource.com/6528
Reviewed-by: Adam Langley <agl@google.com>
2015-11-19 01:38:52 +00:00
Brian Smith
f3376ace43 Remove |EC_POINTs_mul| & simplify p256-x86_64.
Without |EC_POINTs_mul|, there's never more than one variable point
passed to a |EC_METHOD|'s |mul| method. This allows them to be
simplified considerably. In this commit, the p256-x86_64 implementation
has been simplified to eliminate the heap allocation and looping
related that was previously necessary to deal with the possibility of
there being multiple input points. The other implementations were left
mostly as-is; they should be similarly simplified in the future.

Change-Id: I70751d1d5296be2562af0730e7ccefdba7a1acae
Reviewed-on: https://boringssl-review.googlesource.com/6493
Reviewed-by: Adam Langley <agl@google.com>
2015-11-19 01:08:46 +00:00
Brian Smith
301efc8cea Fix error handling in |p256-x86_64|.
This makes similar fixes as were done in the following OpenSSL commits:

    c028254b12a8ea0d0f8a677172eda2e2d78073f3: Correctly set Z_is_one on
    the return value in the NISTZ256 implementation.

    e22d2199e2a5cc9b243f45c2b633d1e31fadecd7: Error checking and memory
    leak leak fixes in NISTZ256.

    4446044a793a9103a4bc70c0214005e6a4463767: NISTZ256: set Z_is_one to
    boolean 0/1 as is customary.

    a4d5269e6d0dba0c276c968448a3576f7604666a: NISTZ256: don't swallow
    malloc errors.

The fixes aren't exactly the same. In particular, the comments "This is
an unusual input, we don't guarantee constant-timeness" and the changes
to |ecp_nistz256_mult_precompute| (which isn't in BoringSSL) were
omitted.

Change-Id: Ia7bb982daa62fb328e8bd2d4dd49a8857e104096
Reviewed-on: https://boringssl-review.googlesource.com/6492
Reviewed-by: Adam Langley <agl@google.com>
2015-11-19 00:52:33 +00:00
Brian Smith
9b26297608 Make |EC_GROUP_precompute_mult|/|EC_KEY_precompute_mult| no-ops.
This moves us closer to having |EC_GROUP| and |EC_KEY| being immutable.
The functions are left as no-ops for backward compatibility.

Change-Id: Ie23921ab0364f0771c03aede37b064804c9f69e0
Reviewed-on: https://boringssl-review.googlesource.com/6485
Reviewed-by: Adam Langley <agl@google.com>
2015-11-19 00:27:39 +00:00
Brian Smith
9f1f04f313 Remove nistz256 dead code for non-default generators.
|EC_GFp_nistz256_method| is not marked |OPENSSL_EXPORT| so only the
built-in P-256 curve uses it. |EC_GROUP_set_generator| doesn't allow
the generator to be changed for any |EC_GROUP| for a built-in curve.
Consequently, there's no way (except some kind of terrible abuse) that
the nistz code could be executed with a non-default generator.

Change-Id: Ib22f00bc74c103b7869ed1e35032b1f3d26cdad2
Reviewed-on: https://boringssl-review.googlesource.com/6446
Reviewed-by: Adam Langley <agl@google.com>
2015-11-12 19:59:16 +00:00
Adam Langley
165248c24f Fix several MSVC warnings.
MSVC reports lots of:
warning C4090: 'function' : different 'const' qualifiers

Change-Id: If8184538c44e657f6234252d0147396d1a18b36c
2015-11-03 14:31:33 -08:00
Adam Langley
8f7ecb8f0c (Hopefully) fix a warning on Windows.
MSVC unhelpfuly says: warning C4146: unary minus operator applied to
unsigned type, result still unsigned.

Change-Id: Ia1e6b9fc415908920abb1bcd98fc7f7a5670c2c7
2015-11-03 14:29:01 -08:00
Adam Langley
1895493868 Add Intel's P-256
This change incorporates Intel's P-256 implementation. The record of
Intel's submission under CLA is in internal bug number 25330687.

Before:
Did 3582 ECDH P-256 operations in 1049114us (3414.3 ops/sec)
Did 8525 ECDSA P-256 signing operations in 1028778us (8286.5 ops/sec)
Did 3487 ECDSA P-256 verify operations in 1008996us (3455.9 ops/sec)
build/tool/bssl is 1434704 bytes after strip -s

After:
Did 8618 ECDH P-256 operations in 1027884us (8384.2 ops/sec)
Did 21000 ECDSA P-256 signing operations in 1049490us (20009.7 ops/sec)
Did 8268 ECDSA P-256 verify operations in 1079481us (7659.2 ops/sec)
build/tool/bssl is 1567216 bytes after strip -s

Change-Id: I147971a8e19849779c8ed7e20310d41bd4962299
Reviewed-on: https://boringssl-review.googlesource.com/6371
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 22:08:47 +00:00