| commit | 802523aa5f7b216d559ff8287e12d47b12b51df5 | |
|---|---|---|
| author | David Benjamin <davidben@google.com> | Wed Apr 22 14:51:20 2020 -0400 |
| committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | Tue May 05 16:55:18 2020 +0000 |
| tree | 76394e8848cb1d9e43724faf07281aca12b89b06 | |
| parent | 73e0401e3d434b17c6799d6ce2dcd4de76e885b1 | |
Introduce an EC_AFFINE abstraction.

PMBTokens ends up converting the same point to affine coordinates repeatedly. Additionally, it converts many affine coordinates at once, which we can batch. Introduce an EC_AFFINE type to store affine points and move the inversion to the Jacobian -> affine conversion. This does mean we lose the (negligible) Montgomery reduction optimization in EC_GFp_mont. point_get_affine_coordinates no longer breaks the EC_FELEM abstraction around Montgomery form.

Unfortunately, this complicates hardening of the callers not checking return values because EC_AFFINE cannot represent the point at infinity and, due to OpenSSL's API limitations, groups may not have generators available and the generator is not affine at the type level. (EC_AFFINE cannot represent the point at infinity.) Thus this CL:

- Tidies up some duplicate code in setting up the generator and ensures it always has Z = 1.
- ec_point_set_affine_coordinates hardens against unused results if the generator is configured. But this is ultimately an internal function.
- Retains the hardening on the public APIs by adding calls to ec_set_to_safe_point in two places.

This CL does not apply the optimization to Trust Tokens, only introduces the EC_AFFINE abstraction. It additionally continues to store EC_POINTs (used in ECDH and ECDSA) in Jacobian form. See https://crbug.com/boringssl/326#c4 for a discussion on why this is tricky. Those protocols are hopefully simple enough that they don't need complexity around inversions.

Having an EC_AFFINE type will also be useful for computing custom tables for Trust Token public keys, which gives a nice speedup.

Bug: 326
Change-Id: I11b010a33f36a15bac9939351df5205bd35cc665
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41084
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
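The two ideas in the commit message, moving the field inversion into a batched Jacobian -> affine conversion and the fact that an affine type cannot hold the point at infinity, are shown below on a toy curve. This is an added example written for this page, not BoringSSL code: the curve y^2 = x^3 + 7 over GF(17) with generator G = (15,13) is a constructed toy (18 points, no security), the type and function names (`jac`, `affine`, `jac_to_affine_batch`, `jac_to_affine_or_safe`) are illustrative, and `jac_to_affine_or_safe` only mirrors the intent described for ec_set_to_safe_point (leave a valid point behind when a caller ignores a failed return) rather than reproducing its implementation. Nothing here is constant-time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy curve y^2 = x^3 + A*x + B over GF(P), constructed for this example only.
 * P = 17, A = 0, B = 7 gives a group of 18 points generated by G = (15,13).
 * P is tiny so uint64_t products never overflow. Not a real curve. */
#define P 17u
#define A 0u
#define B 7u
#define GX 15u
#define GY 13u
#define MAX_BATCH 16

typedef uint64_t fe;
typedef struct { fe X, Y, Z; } jac;  /* x = X/Z^2, y = Y/Z^3; Z == 0 is infinity */
typedef struct { fe x, y; } affine;  /* like EC_AFFINE: cannot hold infinity   */
static const jac INF = {1, 1, 0};
static int inversions;  /* counts the expensive operation being batched */

static fe fe_add(fe a, fe b) { return (a + b) % P; }
static fe fe_sub(fe a, fe b) { return (a + P - b) % P; }  /* inputs reduced */
static fe fe_mul(fe a, fe b) { return (a * b) % P; }
static fe fe_inv(fe a) {  /* a^(P-2) by square-and-multiply; requires a != 0 */
  fe r = 1;
  inversions++;
  for (fe e = P - 2; e; e >>= 1, a = fe_mul(a, a)) if (e & 1) r = fe_mul(r, a);
  return r;
}

static jac jac_dbl(jac p) {  /* standard Jacobian doubling, general A */
  if (p.Z == 0 || p.Y == 0) return INF;
  fe Y2 = fe_mul(p.Y, p.Y), Z2 = fe_mul(p.Z, p.Z);
  fe S = fe_mul(4, fe_mul(p.X, Y2));
  fe M = fe_add(fe_mul(3, fe_mul(p.X, p.X)), fe_mul(A, fe_mul(Z2, Z2)));
  fe X3 = fe_sub(fe_mul(M, M), fe_mul(2, S));
  fe Y3 = fe_sub(fe_mul(M, fe_sub(S, X3)), fe_mul(8, fe_mul(Y2, Y2)));
  return (jac){X3, Y3, fe_mul(2, fe_mul(p.Y, p.Z))};
}

static jac jac_add(jac p, jac q) {  /* standard Jacobian addition */
  if (p.Z == 0) return q;
  if (q.Z == 0) return p;
  fe Z1Z1 = fe_mul(p.Z, p.Z), Z2Z2 = fe_mul(q.Z, q.Z);
  fe U1 = fe_mul(p.X, Z2Z2), U2 = fe_mul(q.X, Z1Z1);
  fe S1 = fe_mul(p.Y, fe_mul(Z2Z2, q.Z)), S2 = fe_mul(q.Y, fe_mul(Z1Z1, p.Z));
  if (U1 == U2) return S1 == S2 ? jac_dbl(p) : INF;  /* P == Q or P == -Q */
  fe H = fe_sub(U2, U1), R = fe_sub(S2, S1);
  fe HH = fe_mul(H, H), HHH = fe_mul(HH, H), V = fe_mul(U1, HH);
  fe X3 = fe_sub(fe_sub(fe_mul(R, R), HHH), fe_mul(2, V));
  fe Y3 = fe_sub(fe_mul(R, fe_sub(V, X3)), fe_mul(S1, HHH));
  return (jac){X3, Y3, fe_mul(H, fe_mul(p.Z, q.Z))};
}

/* One point, one inversion. Fails on infinity, which has no affine form. */
static int jac_to_affine(const jac *p, affine *out) {
  if (p->Z == 0) return 0;
  fe zi = fe_inv(p->Z), zi2 = fe_mul(zi, zi);
  out->x = fe_mul(p->X, zi2);
  out->y = fe_mul(p->Y, fe_mul(zi2, zi));
  return 1;
}

/* n points, one inversion (Montgomery's trick): invert the product of all Z,
 * then peel off each 1/Z_i with two multiplications. The whole batch is
 * rejected if any input is infinity, so callers must check the result. */
static int jac_to_affine_batch(const jac *in, affine *out, size_t n) {
  fe prefix[MAX_BATCH], acc = 1;
  if (n == 0 || n > MAX_BATCH) return 0;
  for (size_t i = 0; i < n; i++) {
    if (in[i].Z == 0) return 0;
    prefix[i] = acc = fe_mul(acc, in[i].Z);  /* Z_0 * ... * Z_i */
  }
  fe inv = fe_inv(acc);  /* the only inversion in the batch */
  for (size_t i = n; i-- > 0;) {
    fe zi = i ? fe_mul(inv, prefix[i - 1]) : inv;  /* 1/Z_i */
    inv = fe_mul(inv, in[i].Z);                    /* 1/(Z_0 ... Z_{i-1}) */
    fe zi2 = fe_mul(zi, zi);
    out[i].x = fe_mul(in[i].X, zi2);
    out[i].y = fe_mul(in[i].Y, fe_mul(zi2, zi));
  }
  return 1;
}

/* Illustrative hardening in the spirit the CL describes (not BoringSSL's
 * code): a caller that ignores the return value still holds a valid point. */
static int jac_to_affine_or_safe(const jac *p, affine *out) {
  if (jac_to_affine(p, out)) return 1;
  out->x = GX; out->y = GY;  /* fall back to the generator */
  return 0;
}

static int on_curve(affine p) {
  fe rhs = fe_add(fe_add(fe_mul(fe_mul(p.x, p.x), p.x), fe_mul(A, p.x)), B);
  return fe_mul(p.y, p.y) == rhs;
}

/* G, 2G, ..., nG in Jacobian form; returns 0 if an intermediate is infinity. */
static int multiples(jac *pts, size_t n) {
  jac g = {GX, GY, 1};
  pts[0] = g;
  for (size_t i = 1; i < n; i++) {
    pts[i] = jac_add(pts[i - 1], g);
    if (pts[i].Z == 0) return 0;
  }
  return 1;
}

/* Converts G..nG naively (one inversion each) or batched. Returns the
 * inversions spent, or -1 if a conversion fails. */
static int convert_multiples(size_t n, int batched, affine *out) {
  jac pts[MAX_BATCH];
  if (n == 0 || n > MAX_BATCH || !multiples(pts, n)) return -1;
  inversions = 0;
  if (batched) return jac_to_affine_batch(pts, out, n) ? inversions : -1;
  for (size_t i = 0; i < n; i++) if (!jac_to_affine(&pts[i], &out[i])) return -1;
  return inversions;
}
static int inversions_spent(size_t n, int batched) {
  affine out[MAX_BATCH];
  return convert_multiples(n, batched, out);
}

/* Both conversions agree, cost n vs 1 inversion, every result is on the curve. */
static int conversions_agree(size_t n) {
  affine a[MAX_BATCH], b[MAX_BATCH];
  if (convert_multiples(n, 0, a) != (int)n || convert_multiples(n, 1, b) != 1) return 0;
  for (size_t i = 0; i < n; i++)
    if (a[i].x != b[i].x || a[i].y != b[i].y || !on_curve(b[i])) return 0;
  return 1;
}

/* G + (-G) is infinity: the batch refuses it; the safe wrapper reports the
 * failure but still leaves the generator in the output. */
static int infinity_is_rejected(void) {
  jac g = {GX, GY, 1}, neg_g = {GX, P - GY, 1}, inf = jac_add(g, neg_g);
  jac pts[2] = {g, inf};
  affine out[2], safe;
  if (inf.Z != 0 || jac_to_affine_batch(pts, out, 2)) return 0;
  if (jac_to_affine_or_safe(&inf, &safe)) return 0;
  return safe.x == GX && safe.y == GY && on_curve(safe);
}

int main(void) {
  printf("agree=%d naive_inversions=%d batched_inversions=%d infinity_rejected=%d\n",
         conversions_agree(8), inversions_spent(8, 0), inversions_spent(8, 1),
         infinity_is_rejected());
  return 0;
}
```

The batch trades n inversions for one inversion plus 3(n-1) multiplications, which is the saving the commit message is after for PMBTokens. The price is exactly the complication it describes: the batch function has a failure path that the per-point Jacobian representation never had, because infinity is a perfectly good `jac` but not a representable `affine`, so every caller either checks the result or goes through a wrapper that substitutes a known-good point.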
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprang up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
Project links:
There are other files in this directory which might be helpful: