| commit | 1c2e61efefdd67274f7a52049783c300481ae9b8 | [log] [tgz] |
|---|---|---|
| author | Adam Langley <alangley@gmail.com> | Tue Feb 15 13:29:38 2022 -0800 |
| committer | Adam Langley <alangley@gmail.com> | Sat Feb 19 13:08:10 2022 +0000 |
| tree | 55659851d0b1fc72a48a83fd6eb1aaf6059530bb | |
| parent | 263f4899738dfe97925ba07313fecc90b706d70a [diff] |
Make RSA self-test lazy.
We need to ensure that all public functions that end up doing a
cryptographic RSA operation run the self-tests first. We could do that
by putting calls in the lower-most functions but the self-tests must run
operations without creating a cycle. Therefore calls are placed as low
down as possible except where it would conflict with the self-tests.
Some functions need to be split so that there's a private version that
doesn't require that the self tests have passed.
Here's the call-graph that I used for this:
┌───────────────────────────┐
│ private_decrypt │
└───────────────────────────┘
│
│
▼
┌───────────────────────────┐
│ decrypt │
└───────────────────────────┘
│
│
▼
┌───────────────────────────┐
│ default_decrypt │
└───────────────────────────┘
│
│
▼
┌───────────────────────────┐
│ private_transform │ ◀┐
└───────────────────────────┘ │
│ │
│ │
▼ │
┌───────────────────────────┐ │
│ default_private_transform │ │
└───────────────────────────┘ │
┌───────────────────────────┐ │
│ private_encrypt │ │
└───────────────────────────┘ │
┌───────────────┐ │ │
│ sign_pss_mgf1 │ │ │
└───────────────┘\ ▼ │
┌────────┐ ┌───────────────────────────┐ │
│ sign │ ──▶ │ sign_raw │ │
└────────┘ └───────────────────────────┘ │
│ │
│ │
▼ │
┌───────────────────────────┐ │
│ default_sign_raw │ ─┘
└───────────────────────────┘
┌−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−┐
╎ Verification ╎
╎ ╎
╎ ┌───────────────────────────┐ ╎
╎ │ public_decrypt │ ╎
╎ └───────────────────────────┘ ╎
╎ │ ╎
╎ │ ╎
╎ │ ╎
┌−−−−−−−−−−−−−−−− │ ╎
╎ ▼ ╎
╎ ┌────────┐ ┌───────────────────────────┐ ╎
╎ │ verify │ ────▶ │ verify_raw │ ╎
╎ └────────┘ └───────────────────────────┘ ╎
╎ ╎
└−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−┘
┌−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−┐
╎ Encryption ╎
╎ ╎
╎ ┌───────────────────────────┐ ╎
╎ │ public_encrypt │ ╎
╎ └───────────────────────────┘ ╎
╎ │ ╎
╎ │ ╎
╎ ▼ ╎
╎ ┌───────────────────────────┐ ╎
╎ │ encrypt │ ╎
╎ └───────────────────────────┘ ╎
╎ ╎
└−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−┘
Speed difference looks to be in the noise.
Before:
Did 19716 RSA 2048 signing operations in 10050000us (1961.8 ops/sec)
Did 712000 RSA 2048 verify (same key) operations in 10007156us (71149.1 ops/sec)
Did 590000 RSA 2048 verify (fresh key) operations in 10004296us (58974.7 ops/sec)
Did 101866 RSA 2048 private key parse operations in 10090285us (10095.5 ops/sec)
Did 2919 RSA 4096 signing operations in 10019359us (291.3 ops/sec)
Did 203000 RSA 4096 verify (same key) operations in 10008421us (20282.9 ops/sec)
Did 175000 RSA 4096 verify (fresh key) operations in 10026353us (17454.0 ops/sec)
Did 30900 RSA 4096 private key parse operations in 10090073us (3062.4 ops/sec)
After:
Did 19525 RSA 2048 signing operations in 10000499us (1952.4 ops/sec)
Did 706000 RSA 2048 verify (same key) operations in 10002172us (70584.7 ops/sec)
Did 588000 RSA 2048 verify (fresh key) operations in 10010856us (58736.2 ops/sec)
Did 101864 RSA 2048 private key parse operations in 10063474us (10122.2 ops/sec)
Did 2919 RSA 4096 signing operations in 10037480us (290.8 ops/sec)
Did 203000 RSA 4096 verify (same key) operations in 10026966us (20245.4 ops/sec)
Did 175000 RSA 4096 verify (fresh key) operations in 10032281us (17443.7 ops/sec)
Did 31416 RSA 4096 private key parse operations in 10031047us (3131.9 ops/sec)
Change-Id: I8dec8a33066717b7078f160e3f93c33cd354bb0c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51426
Reviewed-by: David Benjamin <davidben@google.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
Project links:
There are other files in this directory which might be helpful: