Factor out duplicate code. Parameterize the code on the size of the
scalar it works on and move it to a place that can be used by the
upcoming ecp_nistz384.
The code is still only used on x86-64, but in the future *ring* will
use it on more platforms. With that in mind, switch to the old OpenSSL
names, which reflect that better. The table was renamed to have an
".inc" extension because we're #including it in ecp_nistz256.c. The
and making sure the `alignas` stuff stays in sync.
Remove the assembly language changes to p256-x86_64-asm from
commit ee8b0e68ccabbb976ef835be8ec26417b1e431c2. Import the changes
that Shay Gueron posted to the openssl-dev mailing list, subject
"[openssl-dev] [openssl.org #3810] [PATCH] Improved P256 ECC
performance by means of a dedicated function for modular inversion
modulo the P256 group order".
Adjust the code in the new file so that it builds on Windows using Yasm
by using the new label names that come from a later version of the
patch in response to my code review long ago. Also, clean up the
whitespace a bit.
Now we don't have to trust that `num` is doing the math correctly. The
code generator is going away anyway. It's a good idea in theory but in
practice it wasn't worth its complexity.
Avoid using the heap during private key generation. Use constant time
comparisons when verifying that the private key is in range. Move the
logic that doesn't need to be constant-time to Rust, leaving only the
constant-time comparisons in C. Adjust the rest of the internal
private key stuff to take into account these changes.
This unfortunately required a lot of refactoring. The inversion mod q
is now implemented using a constant-time algorithm, unlike before,
but the point multiplications themselves are still using variable-time
implementations on most platforms, like before.
Note that the inversion algorithm is constant-time, but the primitive
operations that it is comprised of might not be fully constant-time
(yet).
Also remove BIGNUM code that's no longer used after removing RSA
keygen.
Note in particular that `BN_mod_word` has a bug in it. There is a patch
in OpenSSL and BoringSSL; see BoringSSL
67cb49d045f04973ddba0f92fe8a8ad483c7da89 and OpenSSL
e82fd1b4574c8908b2c3bb68e1237f057a981820 and OpenSSL
e4c4b2766bb97b34ea3479252276ab7c66311809. The BoringSSL/OpenSSL fixes
don't look 100% right to me, because the callers of `BN_mod_word` don't
appear to be checking for the `(BN_ULONG)-1` error return value
correctly.
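The constant-time private key range check the message above describes (scalar in [1, n-1], compared without branching on secret limbs), as an added illustration that is not *ring*'s own code; it assumes 64-bit little-endian limbs, the standard P-256 group order, and a hypothetical `p256_scalar_in_range` entry point:

```c
#include <stddef.h>
#include <stdint.h>

#define P256_LIMBS 4
typedef uint64_t limb_t;

/* The P-256 group order n, as little-endian 64-bit limbs (well-known constant). */
static const limb_t P256_ORDER[P256_LIMBS] = {
  0xF3B9CAC2FC632551ULL, 0xBCE6FAADA7179E84ULL,
  0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFF00000000ULL,
};

/* Borrow out of r = a - b - borrow_in, derived bitwise so that no branch
 * or data-dependent instruction depends on the operands. */
static limb_t limb_sub_borrow(limb_t a, limb_t b, limb_t borrow_in, limb_t *r) {
  *r = a - b - borrow_in;
  return ((~a & b) | (~(a ^ b) & *r)) >> 63;
}

/* Constant-time: 1 if a < b, else 0 (both little-endian, num_limbs long). */
static limb_t limbs_less_than(const limb_t *a, const limb_t *b, size_t num_limbs) {
  limb_t borrow = 0, unused;
  for (size_t i = 0; i < num_limbs; i++) {
    borrow = limb_sub_borrow(a[i], b[i], borrow, &unused);
  }
  return borrow;
}

/* Constant-time: 1 if every limb is zero, else 0. */
static limb_t limbs_are_zero(const limb_t *a, size_t num_limbs) {
  limb_t acc = 0;
  for (size_t i = 0; i < num_limbs; i++) acc |= a[i];
  return (~acc & (acc - 1)) >> 63;
}

/* Returns 1 when 1 <= scalar <= n - 1, i.e. scalar != 0 && scalar < n.
 * Both sub-checks always run; the result is combined with AND, not if/else. */
int p256_scalar_in_range(const limb_t scalar[P256_LIMBS]) {
  limb_t below_order = limbs_less_than(scalar, P256_ORDER, P256_LIMBS);
  limb_t nonzero = 1 ^ limbs_are_zero(scalar, P256_LIMBS);
  return (int)(below_order & nonzero);
}

/* Load the 32 big-endian bytes a private key is drawn as into limbs. */
void p256_scalar_from_bytes(limb_t out[P256_LIMBS], const uint8_t in[32]) {
  for (size_t i = 0; i < P256_LIMBS; i++) {
    limb_t v = 0;
    for (size_t j = 0; j < 8; j++) v = (v << 8) | in[(P256_LIMBS - 1 - i) * 8 + j];
    out[i] = v;
  }
}
```

A candidate that fails the check is rejected and a fresh one drawn; the rejection itself leaks nothing about the bits of a key that was accepted.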
The upcoming refactoring of the ECDSA signature verification involves
always using Montgomery-encoded field elements, but nistp256 doesn't
use Montgomery encoding.
Split P-256 and P-384 stuff into its own submodule of `ring::ec` in
preparation for implementing more of the logic for those curves in
Rust. Use the name "Suite B" instead of "NIST" to be more precise.
Move some of the non-ECC-specific key agreement logic into
`ring::agreement`.
New ECDSA verification tests were added to `ring::ec::ecdsa`, and
ECDSA signing isn't exposed as part of the API, so it is OK to
remove the bad testing that is done here.
In particular, note that ecdsa_test cannot find a problem in the ECC
math that would cause both the signer and verifier to compute the same
(wrong) answer, since the signature generation and signature
verification use the same math routines.
Instead of having `ring::agreement::EphemeralKeyPair`, we now have
`ring::agreement::EphemeralPrivateKey`, which doesn't store the public
key. This is slightly more memory-efficient because in real-world
protocols we don't need to do anything with the public key except send
it to the peer.
The interface between the Rust and C code was changed with an eye
towards making it easy to add X25519 support. New, simpler, C code
implementing ECDH (for NIST curves) replaces the old code in
crypto/ecdh. In particular, now `EC_KEY` isn't used at all for ECDH.
Finally, add the test vectors for ECDH P-256 and P-384 from the NIST
website. These test vectors don't test the most interesting cases,
however.
Use ubuntu's gcc packages for 32 and 64-bit ARM. Use hard-float on
32-bit ARM. Use travis_wait on slow arm tests.
I agree to license my contributions to each file under the terms given
at the top of each file I changed.
Debug info is already generated for asm code on Windows
by passing `--dformat=cv8` to yasm. Do similar on other platforms.
Hopefully this will improve code coverage analysis of the asm code.