boringssl/crypto
David Benjamin eda47f5d98 Make generic point arithmetic slightly less variable-time.
The generic code special-cases affine points, but this leaks
information. (Of course, the generic code also doesn't have a
constant-time multiply and other problems, but one thing at a time.)

The optimization in point doubling is not useful. Point multiplication
more-or-less never doubles an affine point. The optimization in point
addition *is* useful because the wNAF code converts the tables to
affine. Accordingly, align with the P-256 code which adds a 'mixed'
parameter.

(I haven't aligned the formally-verified point formulas themselves yet;
initial testing suggests that the large number of temporaries takes a
perf hit with BIGNUM. I'll check the results in EC_FELEM, which will be
stack-allocated, to see if we still need to help the compiler out.)

Strangely, it actually got a bit faster with this change. I'm guessing
because now it doesn't need to bother with unnecessary comparisons and
maybe was kinder to the branch predictor?

Before:
Did 2201 ECDH P-384 operations in 3068341us (717.3 ops/sec)
Did 4092 ECDSA P-384 signing operations in 3076981us (1329.9 ops/sec)
Did 3503 ECDSA P-384 verify operations in 3024753us (1158.1 ops/sec)
Did 992 ECDH P-521 operations in 3017884us (328.7 ops/sec)
Did 1798 ECDSA P-521 signing operations in 3059000us (587.8 ops/sec)
Did 1581 ECDSA P-521 verify operations in 3033142us (521.2 ops/sec)

After:
Did 2310 ECDH P-384 operations in 3092648us (746.9 ops/sec)
Did 4080 ECDSA P-384 signing operations in 3044588us (1340.1 ops/sec)
Did 3520 ECDSA P-384 verify operations in 3056070us (1151.8 ops/sec)
Did 992 ECDH P-521 operations in 3012779us (329.3 ops/sec)
Did 1792 ECDSA P-521 signing operations in 3019459us (593.5 ops/sec)
Did 1600 ECDSA P-521 verify operations in 3047749us (525.0 ops/sec)

Bug: 239
Change-Id: If5d13825fc98e4c58bdd1580cf0245bf7ce93a82
Reviewed-on: https://boringssl-review.googlesource.com/27004
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-04-04 21:33:22 +00:00
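The following is an added illustration of the point the commit message makes, not BoringSSL's code and not the formulas in its fipsmodule/ec directory. It uses a toy short-Weierstrass curve y^2 = x^3 - 3x + b over GF(2^31 - 1) with a base point G = (5, 7) and b chosen so that G lies on the curve (all constructed for the demo, with no cryptographic value), Jacobian coordinates, and a fixed 4-bit window multiplication with an affine table in place of the wNAF code the commit refers to. The pre-fix shape, add_old(), decides whether to take the mixed path by inspecting the second point's Z coordinate, so its timing tells an observer whether that point was affine; the post-fix shape takes a caller-supplied mixed flag, which the table-driven loop sets by construction, and the doubling has no affine shortcut at all because it only ever sees the Jacobian accumulator. The remaining data-dependent branches (identity checks, P == ±Q, zero digits) are the "other problems" the commit leaves for later.

```c
/* Added example (not BoringSSL code): Jacobian arithmetic on a toy curve
 * y^2 = x^3 - 3x + b over GF(p), p = 2^31 - 1, to show the |mixed| flag.
 * p, b and G are constructed for the demo; b makes G = (5, 7) lie on the curve. */
#include <stdint.h>
#include <stdio.h>

#define P 2147483647u  /* 2^31 - 1, prime; products of reduced values fit in 64 bits */
#define B (P - 61)     /* 7^2 - 5^3 + 3*5 = -61 mod p */

typedef struct { uint64_t x, y, z; } pt;  /* z == 0 encodes the point at infinity */
static const pt INF = {0, 1, 0};
static const pt G = {5, 7, 1};

static uint64_t fadd(uint64_t a, uint64_t b) { return (a + b) % P; }
static uint64_t fsub(uint64_t a, uint64_t b) { return (a + P - b) % P; }
static uint64_t fmul(uint64_t a, uint64_t b) { return (a * b) % P; }
static uint64_t finv(uint64_t a) {  /* Fermat: a^(p-2) */
  uint64_t r = 1, e = P - 2;
  for (; e; e >>= 1, a = fmul(a, a)) if (e & 1) r = fmul(r, a);
  return r;
}

/* dbl-2001-b (a = -3). No Z == 1 shortcut: the scalar multiplications below
 * only ever double the Jacobian accumulator, never a table point. */
static pt dbl(pt p) {
  uint64_t delta = fmul(p.z, p.z), gamma = fmul(p.y, p.y), beta = fmul(p.x, gamma);
  uint64_t alpha = fmul(3, fmul(fsub(p.x, delta), fadd(p.x, delta))), yz = fadd(p.y, p.z);
  pt r;
  r.x = fsub(fmul(alpha, alpha), fmul(8, beta));
  r.z = fsub(fsub(fmul(yz, yz), gamma), delta);
  r.y = fsub(fmul(alpha, fsub(fmul(4, beta), r.x)), fmul(8, fmul(gamma, gamma)));
  return r;
}

/* add-2007-bl / madd-2007-bl. |mixed| is a public fact supplied by the caller
 * ("q.z == 1, skip the Z2 terms"), not derived from q's coordinates. */
static pt add(pt p, pt q, int mixed) {
  if (p.z == 0) return q;
  if (q.z == 0) return p;
  uint64_t z1z1 = fmul(p.z, p.z), z2z2 = mixed ? 1 : fmul(q.z, q.z);
  uint64_t u1 = mixed ? p.x : fmul(p.x, z2z2), u2 = fmul(q.x, z1z1);
  uint64_t s1 = mixed ? p.y : fmul(fmul(p.y, q.z), z2z2), s2 = fmul(fmul(q.y, p.z), z1z1);
  uint64_t h = fsub(u2, u1), r = fmul(2, fsub(s2, s1));
  if (h == 0) return r == 0 ? dbl(p) : INF;  /* P == Q, or P == -Q */
  uint64_t ii = fmul(fmul(2, h), fmul(2, h)), j = fmul(h, ii), v = fmul(u1, ii);
  uint64_t zs = fadd(p.z, mixed ? 1 : q.z);
  pt out;
  out.x = fsub(fsub(fmul(r, r), j), fmul(2, v));
  out.y = fsub(fmul(r, fsub(v, out.x)), fmul(2, fmul(s1, j)));
  out.z = fmul(fsub(fsub(fmul(zs, zs), z1z1), z2z2), h);
  return out;
}

/* Pre-fix shape: the mixed path is chosen by looking at the point, so the
 * timing of add_old() reveals whether q was affine. */
static pt add_old(pt p, pt q) { return add(p, q, q.z == 1); }

static pt to_affine(pt p) {
  if (p.z == 0) return p;
  uint64_t zi = finv(p.z), zi2 = fmul(zi, zi);
  pt r = {fmul(p.x, zi2), fmul(p.y, fmul(zi2, zi)), 1};
  return r;
}

static int on_curve(pt a) {  /* a must be affine */
  uint64_t rhs = fadd(fsub(fmul(fmul(a.x, a.x), a.x), fmul(3, a.x)), B);
  return a.z == 1 && fmul(a.y, a.y) == rhs;
}

/* Fixed 4-bit window multiply: the table is made affine once, so every add in
 * the loop is a mixed add by construction and every doubling is of the
 * accumulator. Skipping zero digits is a separate leak, left as in the commit. */
static pt mul_window(uint64_t k) {
  pt table[16], acc = INF;
  table[0] = INF;
  for (int i = 1; i < 16; i++) table[i] = to_affine(add(table[i - 1], G, 1));
  for (int w = 60; w >= 0; w -= 4) {
    for (int i = 0; i < 4; i++) acc = dbl(acc);
    unsigned d = (k >> w) & 15;
    if (d) acc = add(acc, table[d], 1);
  }
  return to_affine(acc);
}

/* Reference: left-to-right double-and-add using only the general add. */
static pt mul_naive(uint64_t k) {
  pt acc = INF;
  for (int i = 63; i >= 0; i--) {
    acc = dbl(acc);
    if ((k >> i) & 1) acc = add(acc, G, 0);
  }
  return to_affine(acc);
}

/* 1 if both multiplications agree and the result is on the curve. */
static int check(uint64_t k) {
  pt a = mul_window(k), b = mul_naive(k);
  return a.x == b.x && a.y == b.y && a.z == b.z && (a.z == 0 || on_curve(a));
}

/* 1 if the old and new entry points compute the same point for an affine q. */
static int old_and_new_agree(void) {
  pt a = to_affine(add_old(dbl(G), G)), b = to_affine(add(dbl(G), G, 1));
  return a.x == b.x && a.y == b.y;
}

int main(void) {
  uint64_t ks[] = {1, 2, 3, 0x1234567ull, 0xfedcba9876543210ull};
  for (size_t i = 0; i < sizeof(ks) / sizeof(ks[0]); i++)
    printf("k=%#llx %s\n", (unsigned long long)ks[i], check(ks[i]) ? "ok" : "MISMATCH");
  printf("add_old vs add(mixed=1): %s\n", old_and_new_agree() ? "agree" : "differ");
  return 0;
}
```

The difference between add_old() and add() is one argument, which is the whole point: once the caller states that the table entries are affine, the code no longer has to inspect Z to find out, and the only branch on that question is on a value that is public anyway.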
asn1 Limit ASN.1 constructed types recursive definition depth 2018-03-27 15:40:37 +00:00
base64
bio Move OPENSSL_FALLTHROUGH to internal headers. 2018-01-29 18:17:57 +00:00
bn_extra Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
buf
bytestring bytestring: document that |CBS_get_optional_asn1| can have a NULL output. 2018-03-19 20:22:25 +00:00
chacha Sync up some perlasm license headers and easy fixes. 2018-02-11 01:00:35 +00:00
cipher_extra Add M=8 L=2 AES-128-CCM as well. 2018-03-02 18:45:06 +00:00
cmac
conf Add more compatibility symbols for Node. 2017-11-03 01:31:50 +00:00
curve25519 Require that Ed25519 |s| values be < order. 2018-02-02 20:45:08 +00:00
dh
digest_extra
dsa Remove DSA k+q kludge. 2018-02-06 00:51:54 +00:00
ec_extra Store EC_KEY's private key as an EC_SCALAR. 2018-03-07 21:17:31 +00:00
ecdh Store EC_KEY's private key as an EC_SCALAR. 2018-03-07 21:17:31 +00:00
ecdsa_extra Remove ECDSA_sign_setup and friends. 2017-11-22 20:23:40 +00:00
engine
err Check d is mostly-reduced in RSA_check_key. 2018-03-30 19:54:10 +00:00
evp Perform the RSA CRT reductions with Montgomery reduction. 2017-12-18 18:59:18 +00:00
fipsmodule Make generic point arithmetic slightly less variable-time. 2018-04-04 21:33:22 +00:00
hkdf
hmac_extra
lhash
obj Also add a decoupled OBJ_obj2txt. 2017-11-30 18:21:48 +00:00
pem
perlasm Sync up some perlasm license headers and easy fixes. 2018-02-11 01:00:35 +00:00
pkcs7
pkcs8
poly1305 Remove custom memcpy and memset from poly1305_vec. 2017-11-10 20:53:30 +00:00
pool
rand_extra
rc4
rsa_extra Check d is mostly-reduced in RSA_check_key. 2018-03-30 19:54:10 +00:00
stack
test Support KAS tests for NIAP. 2018-01-16 22:57:01 +00:00
x509 Tighten and test name-checking functions. 2018-03-30 16:50:11 +00:00
x509v3 Pretty-print large INTEGERs and ENUMERATEDs in hex. 2017-11-27 18:38:50 +00:00
CMakeLists.txt Add cpu-aarch64-fuchsia.c 2018-02-13 20:12:47 +00:00
compiler_test.cc
constant_time_test.cc Add a test for CRYPTO_memcmp. 2018-03-27 16:22:47 +00:00
cpu-aarch64-fuchsia.c Add cpu-aarch64-fuchsia.c 2018-02-13 20:12:47 +00:00
cpu-aarch64-linux.c Add cpu-aarch64-fuchsia.c 2018-02-13 20:12:47 +00:00
cpu-arm-linux.c
cpu-arm.c
cpu-intel.c Use unsigned integers for masks. 2017-10-30 18:39:58 +00:00
cpu-ppc64le.c
crypto.c
ex_data.c
internal.h Move OPENSSL_FALLTHROUGH to internal headers. 2018-01-29 18:17:57 +00:00
mem.c Remove unused strings.h #include from crypto/mem.c 2018-02-14 01:40:23 +00:00
refcount_c11.c
refcount_lock.c
refcount_test.cc
self_test.cc Extract FIPS KAT tests into a function. 2018-01-22 20:16:38 +00:00
thread_none.c
thread_pthread.c Delete |pthread_key_t| on dlclose. 2018-02-20 19:53:24 +00:00
thread_test.cc
thread_win.c
thread.c