)]}' { "commit": "6c428307d153b43882b407bfe62df8aab317fdce", "tree": "947423e4348de22b85242b7e1bbc405df3d82ffb", "parents": [ "d72e47fddbbb2938ff3eb737bb4491647fac8bac" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Thu May 30 00:10:31 2019 -0400" }, "committer": { "name": "CQ bot account: commit-bot@chromium.org", "email": "commit-bot@chromium.org", "time": "Thu May 30 20:44:46 2019 +0000" }, "message": "Split ec_point_mul_scalar into two operations.\n\nWhile it appears that we internally support constant-time\ndual multiplication, it is not actually constant-time. Integrating the\ntwo operations means we hit the doubling branch. Instead, replace the\nconstant-time functions with single multiplication functions, one for\narbitrary points and one for the base point. This simplifies timing\nanalysis of the EC_METHODs.\n\nThis CL only changes the wrapper functions. A subsequent CL will change\nthe EC_METHOD hooks. We conservatively assume EC_POINT_mul callers\nexpect secret scalars and split it into two multiplications and an\naddition if needed.\n\nUpdate-Note: EC_POINT_mul may get slower if called with both g_scalar\nand p_scalar non-NULL. If the scalars were secret, this plugs a timing\nleak (note neither ECDH nor ECDSA signing use such an operation). If\nacting on public scalars, notably ECDSA verify, this slowdown is not\ninherently necessary. If necessary, we can expose a public version of\nec_point_mul_scalar_public, but callers should be using BoringSSL\u0027s\nECDSA verify API instead.\n\nChange-Id: I9c20b660ce4b58dc633588cfd5b2e97a40203ec3\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36224\nCommit-Queue: Adam Langley \u003cagl@google.com\u003e\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "6e212751e5fc40c0423a1621bb82a1029fe6c05d", "old_mode": 33188, "old_path": "crypto/ec_extra/ec_asn1.c", "new_id": "31988f3f9eec8f787c36c177859222d6133d6b6e", "new_mode": 33188, "new_path": "crypto/ec_extra/ec_asn1.c" }, { "type": "modify", "old_id": "1e080995de50d115ce7b164c33b299db3fb4d11b", "old_mode": 33188, "old_path": "crypto/ecdh_extra/ecdh_extra.c", "new_id": "b8a099a560cc3bb98523d25b542bf665d30e772f", "new_mode": 33188, "new_path": "crypto/ecdh_extra/ecdh_extra.c" }, { "type": "modify", "old_id": "a0305a654ea6b7c50cbbf1f5a5fc72b31675277d", "old_mode": 33188, "old_path": "crypto/fipsmodule/ec/ec.c", "new_id": "705d45f5f6b0124d6da39885b1daf78e2f871193", "new_mode": 33188, "new_path": "crypto/fipsmodule/ec/ec.c" }, { "type": "modify", "old_id": "3ef17d9905eccf19c2fcef3ecf319d53bffff3f4", "old_mode": 33188, "old_path": "crypto/fipsmodule/ec/ec_key.c", "new_id": "3851c19846065af245cfc7243af04683dafe6727", "new_mode": 33188, "new_path": "crypto/fipsmodule/ec/ec_key.c" }, { "type": "modify", "old_id": "1219e2b468e88d21e71a447ef3c00475af963511", "old_mode": 33188, "old_path": "crypto/fipsmodule/ec/ec_test.cc", "new_id": "c0ad61f55c382eb4920ff7f9508c4683a5e715e0", "new_mode": 33188, "new_path": "crypto/fipsmodule/ec/ec_test.cc" }, { "type": "modify", "old_id": "05175a56c3f3e577f228df192c44b76965f40a40", "old_mode": 33188, "old_path": "crypto/fipsmodule/ec/internal.h", "new_id": "a29468fe686a971fbb404ac08604fadd4d7f6ea7", "new_mode": 33188, "new_path": "crypto/fipsmodule/ec/internal.h" }, { "type": "modify", "old_id": "b9dc2374f86c890d9435411618f5b3c79eac2235", "old_mode": 33188, "old_path": "crypto/fipsmodule/ecdh/ecdh.c", "new_id": "a7b2f08b427703d563c41a30645f5f2ee13b75e3", "new_mode": 33188, "new_path": "crypto/fipsmodule/ecdh/ecdh.c" }, { "type": "modify", "old_id": "010ee02354d57848e003d83e35da81c5aa08fbfc", "old_mode": 33188, "old_path": "crypto/fipsmodule/ecdsa/ecdsa.c", "new_id": "38771d58e6584c58240f6312c7f532131b8d5591", "new_mode": 33188, "new_path": "crypto/fipsmodule/ecdsa/ecdsa.c" } ] }