crypto/ecdsa: use bigmod and nistec instead of math/big and crypto/elliptic

Ignoring custom curves, this makes the whole package constant-time.
There is a slight loss in performance for P-384 and P-521 because bigmod
is slower than math/big (but P-256 has an assembly scalar field
inversion, so doesn't use bigmod for anything big).

name                old time/op    new time/op    delta
Sign/P256-8           19.2µs ± 2%    19.1µs ± 2%     ~     (p=0.268 n=9+10)
Sign/P384-8            166µs ± 3%     188µs ± 2%  +13.52%  (p=0.000 n=10+10)
Sign/P521-8            337µs ± 2%     359µs ± 2%   +6.46%  (p=0.000 n=10+10)
Verify/P256-8         58.1µs ± 2%    58.1µs ± 2%     ~     (p=0.971 n=10+10)
Verify/P384-8          484µs ± 2%     569µs ±12%  +17.65%  (p=0.000 n=10+10)
Verify/P521-8         1.03ms ± 4%    1.14ms ± 2%  +11.02%  (p=0.000 n=10+10)
GenerateKey/P256-8    12.4µs ±12%    12.0µs ± 2%     ~     (p=0.063 n=10+10)
GenerateKey/P384-8     129µs ±18%     119µs ± 2%     ~     (p=0.190 n=10+10)
GenerateKey/P521-8     241µs ± 2%     240µs ± 2%     ~     (p=0.436 n=10+10)

name                old alloc/op   new alloc/op   delta
Sign/P256-8           3.08kB ± 0%    2.47kB ± 0%  -19.77%  (p=0.000 n=10+10)
Sign/P384-8           6.16kB ± 0%    2.64kB ± 0%  -57.16%  (p=0.000 n=10+10)
Sign/P521-8           7.87kB ± 0%    3.01kB ± 0%  -61.80%  (p=0.000 n=10+10)
Verify/P256-8         1.29kB ± 1%    0.48kB ± 0%  -62.69%  (p=0.000 n=10+10)
Verify/P384-8         2.49kB ± 1%    0.64kB ± 0%  -74.25%  (p=0.000 n=10+10)
Verify/P521-8         3.31kB ± 0%    0.96kB ± 0%  -71.02%  (p=0.000 n=7+10)
GenerateKey/P256-8      720B ± 0%      920B ± 0%  +27.78%  (p=0.000 n=10+10)
GenerateKey/P384-8      921B ± 0%     1120B ± 0%  +21.61%  (p=0.000 n=9+10)
GenerateKey/P521-8    1.30kB ± 0%    1.44kB ± 0%  +10.45%  (p=0.000 n=10+10)

name                old allocs/op  new allocs/op  delta
Sign/P256-8             45.0 ± 0%      33.0 ± 0%  -26.67%  (p=0.000 n=10+10)
Sign/P384-8             69.0 ± 0%      34.0 ± 0%  -50.72%  (p=0.000 n=10+10)
Sign/P521-8             71.0 ± 0%      35.0 ± 0%  -50.70%  (p=0.000 n=10+10)
Verify/P256-8           23.0 ± 0%      10.0 ± 0%  -56.52%  (p=0.000 n=10+10)
Verify/P384-8           43.0 ± 0%      14.0 ± 0%  -67.44%  (p=0.000 n=10+10)
Verify/P521-8           45.0 ± 0%      14.0 ± 0%  -68.89%  (p=0.000 n=7+10)
GenerateKey/P256-8      13.0 ± 0%      14.0 ± 0%   +7.69%  (p=0.000 n=10+10)
GenerateKey/P384-8      16.0 ± 0%      17.0 ± 0%   +6.25%  (p=0.000 n=10+10)
GenerateKey/P521-8      16.5 ± 3%      17.0 ± 0%   +3.03%  (p=0.033 n=10+10)

Change-Id: I4e074ef039b0f7ffbc436a4cdbe4ef90c647018d
Reviewed-on: https://go-review.googlesource.com/c/go/+/353849
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: David Chase <drchase@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

1 files changed, 39 insertions, 39 deletions

diff --git a/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA b/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
index 7ae186dd84..36bddc2a93 100644
--- a/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
+++ b/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
@@ -16,11 +16,11 @@
 000000e0  e5 7d a3 47 cd 62 43 15  28 da ac 5f bb 29 07 30  |.}.G.bC.(.._.).0|
 000000f0  ff f6 84 af c4 cf c2 ed  90 99 5f 58 cb 3b 74     |.........._X.;t|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 59 02 00 00  55 03 03 2a 52 95 57 8c  |....Y...U..*R.W.|
-00000010  55 3f d7 82 f0 3f af 57  a1 82 86 00 3a 6b c0 07  |U?...?.W....:k..|
-00000020  4d c3 0e 80 cc 37 2d 51  f4 d3 e2 20 4a f6 c9 8a  |M....7-Q... J...|
-00000030  d2 98 4a ff 22 66 11 da  6f 9a a0 17 b9 96 b0 86  |..J."f..o.......|
-00000040  29 e0 39 86 0a 00 42 78  30 60 61 99 c0 2f 00 00  |).9...Bx0`a../..|
+00000000  16 03 03 00 59 02 00 00  55 03 03 b8 f6 b1 71 c5  |....Y...U.....q.|
+00000010  d0 3f 36 fb 8a b9 15 35  ae c5 08 8e eb c6 d5 ad  |.?6....5........|
+00000020  a1 8a ff 65 2e 78 f5 2a  2b cb f7 20 26 1e c1 94  |...e.x.*+.. &...|
+00000030  85 a9 b1 ca 8d 5f 3f 00  6a 44 c9 ed 28 36 97 f2  |....._?.jD..(6..|
+00000040  7d 38 0a 56 75 a2 12 ac  34 ed 7e 14 c0 2f 00 00  |}8.Vu...4.~../..|
 00000050  0d ff 01 00 01 00 00 0b  00 04 03 00 01 02 16 03  |................|
 00000060  03 02 59 0b 00 02 55 00  02 52 00 02 4f 30 82 02  |..Y...U..R..O0..|
 00000070  4b 30 82 01 b4 a0 03 02  01 02 02 09 00 e8 f0 9d  |K0..............|
@@ -60,17 +60,17 @@
 00000290  77 8d 0c 1c f1 0f a1 d8  40 83 61 c9 4c 72 2b 9d  |w.......@.a.Lr+.|
 000002a0  ae db 46 06 06 4d f4 c1  b3 3e c0 d1 bd 42 d4 db  |..F..M...>...B..|
 000002b0  fe 3d 13 60 84 5c 21 d3  3b e9 fa e7 16 03 03 00  |.=.`.\!.;.......|
-000002c0  ac 0c 00 00 a8 03 00 1d  20 fa 3a 8f b7 50 10 38  |........ .:..P.8|
-000002d0  04 9d fb c4 e4 76 6d 93  86 b2 8a d7 5b 8f 8d 45  |.....vm.....[..E|
-000002e0  41 b7 ba 54 bc cc 7b 07  3c 08 04 00 80 a1 14 65  |A..T..{.<......e|
-000002f0  f6 48 29 ba 08 86 52 65  dd 08 ef b8 b8 77 ef fd  |.H)...Re.....w..|
-00000300  8a ca dc 37 f8 69 fa 04  69 73 84 07 b2 45 f0 a2  |...7.i..is...E..|
-00000310  8c 69 f7 7c 4c 5c 95 c5  66 80 ad 93 04 67 4b 3d  |.i.|L\..f....gK=|
-00000320  f8 53 a9 33 b3 c0 40 17  62 34 f0 f3 1e d2 23 93  |.S.3..@.b4....#.|
-00000330  29 52 bc f4 f0 72 58 b9  76 9c 7b 54 b0 d5 d1 ab  |)R...rX.v.{T....|
-00000340  b3 1b ae f7 f3 46 6a 07  7f f4 91 ee 46 d6 85 43  |.....Fj.....F..C|
-00000350  ea c6 f9 f5 47 89 85 39  72 35 af b4 03 e9 a2 ea  |....G..9r5......|
-00000360  a8 19 09 ea b3 d2 c2 38  59 65 d1 2c 18 16 03 03  |.......8Ye.,....|
+000002c0  ac 0c 00 00 a8 03 00 1d  20 9d 82 84 ba 8e 4b 7e  |........ .....K~|
+000002d0  bc f4 8e ab c1 31 68 42  cb 36 1d 64 60 55 74 11  |.....1hB.6.d`Ut.|
+000002e0  cf 63 d2 f4 c9 e7 a9 bf  7b 08 04 00 80 ce b2 06  |.c......{.......|
+000002f0  a3 54 1e fd f7 c4 a6 54  40 ea 74 8c e0 de ec aa  |.T.....T@.t.....|
+00000300  30 66 c3 e4 a9 7f 86 cc  f7 34 6b 55 a4 97 fd 6e  |0f.......4kU...n|
+00000310  3b 1f c4 e9 17 3c 6d 94  66 78 e0 1a ab 41 64 9b  |;....<m.fx...Ad.|
+00000320  2b 2e 14 99 96 68 aa ef  97 65 ea e7 72 28 9c 0f  |+....h...e..r(..|
+00000330  f9 11 57 b7 1f 31 54 87  1a 36 45 ec c1 0f 72 53  |..W..1T..6E...rS|
+00000340  56 a1 8d e4 d0 93 3e bb  77 8a 32 bd fb 07 0b ce  |V.....>.w.2.....|
+00000350  82 d3 a1 ab 6f 80 ac ac  4e da b7 7f 84 fe 3f 26  |....o...N.....?&|
+00000360  f4 d9 b9 b6 2b 68 1a cc  ef 31 97 22 bf 16 03 03  |....+h...1."....|
 00000370  00 3a 0d 00 00 36 03 01  02 40 00 2e 04 03 05 03  |.:...6...@......|
 00000380  06 03 08 07 08 08 08 09  08 0a 08 0b 08 04 08 05  |................|
 00000390  08 06 04 01 05 01 06 01  03 03 02 03 03 01 02 01  |................|
@@ -112,28 +112,28 @@
 00000200  e4 fa cc b1 8a ce e2 23  a0 87 f0 e1 67 51 eb 16  |.......#....gQ..|
 00000210  03 03 00 25 10 00 00 21  20 2f e5 7d a3 47 cd 62  |...%...! /.}.G.b|
 00000220  43 15 28 da ac 5f bb 29  07 30 ff f6 84 af c4 cf  |C.(.._.).0......|
-00000230  c2 ed 90 99 5f 58 cb 3b  74 16 03 03 00 91 0f 00  |...._X.;t.......|
-00000240  00 8d 04 03 00 89 30 81  86 02 41 63 34 72 b4 70  |......0...Ac4r.p|
-00000250  45 46 9c 3c 06 2c f5 ab  d4 dd a7 91 69 9c 65 0f  |EF.<.,......i.e.|
-00000260  4b d9 2d 90 3d d1 f2 4d  2a 6a 43 4f a7 fd b5 22  |K.-.=..M*jCO..."|
-00000270  83 61 e2 14 33 8c bc 8a  81 52 a1 f4 69 a7 12 c9  |.a..3....R..i...|
-00000280  c3 28 69 85 6d c1 b0 5d  d3 5e ac 4e 02 41 35 cd  |.(i.m..].^.N.A5.|
-00000290  3b c3 f6 ea 9e df 2a a1  ea 80 55 40 d2 13 d3 ff  |;.....*...U@....|
-000002a0  b2 59 bb a0 c7 10 67 6e  9b dc 6c 3c 97 08 07 e0  |.Y....gn..l<....|
-000002b0  db da 79 6b 0e 6c a0 23  13 b1 02 32 ab ee 62 69  |..yk.l.#...2..bi|
-000002c0  f9 d5 7f 24 2e 26 94 36  a4 36 53 63 dd 90 20 14  |...$.&.6.6Sc.. .|
-000002d0  03 03 00 01 01 16 03 03  00 28 00 00 00 00 00 00  |.........(......|
-000002e0  00 00 a7 30 0e b0 f7 ba  51 35 c9 4c c2 24 90 5e  |...0....Q5.L.$.^|
-000002f0  b2 59 57 5d 96 9d ad d1  1e 7d b0 35 09 9c c5 49  |.YW].....}.5...I|
-00000300  bd 82                                             |..|
+00000230  c2 ed 90 99 5f 58 cb 3b  74 16 03 03 00 93 0f 00  |...._X.;t.......|
+00000240  00 8f 04 03 00 8b 30 81  88 02 42 01 d0 ef 2f 75  |......0...B.../u|
+00000250  25 6e 4b 2a 16 21 c4 73  59 80 a8 c9 27 45 1b 06  |%nK*.!.sY...'E..|
+00000260  75 20 61 01 db aa c4 90  25 16 1b fb ec 92 54 f7  |u a.....%.....T.|
+00000270  16 9b 8c e0 34 48 3e 62  57 92 99 42 7f d1 35 09  |....4H>bW..B..5.|
+00000280  e1 55 4c 32 cc ed 9d 3e  18 25 1d 31 b8 02 42 01  |.UL2...>.%.1..B.|
+00000290  dd d8 20 b1 12 a2 7d 3b  6b 40 f3 db 59 2b 33 db  |.. ...};k@..Y+3.|
+000002a0  5f 85 4d b4 5f 6f 23 ae  d2 a2 74 2b 22 94 60 51  |_.M._o#...t+".`Q|
+000002b0  75 aa 66 88 2f 5a db f5  91 b2 7c f4 c4 e9 25 fa  |u.f./Z....|...%.|
+000002c0  f7 74 20 00 c3 08 22 8e  88 28 1c 72 4b 36 cd 03  |.t ..."..(.rK6..|
+000002d0  46 14 03 03 00 01 01 16  03 03 00 28 00 00 00 00  |F..........(....|
+000002e0  00 00 00 00 2c 30 d5 ee  d2 79 8c 68 62 7a c7 36  |....,0...y.hbz.6|
+000002f0  ce c9 39 25 4b 6d 3e 59  7d 42 21 72 65 00 41 45  |..9%Km>Y}B!re.AE|
+00000300  ba 47 88 64                                       |.G.d|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 28 09 ff 53 e8 0f  |..........(..S..|
-00000010  ad 86 30 ca 96 54 da 72  45 13 7a cd 51 f6 b3 a5  |..0..T.rE.z.Q...|
-00000020  27 4c 7c 26 81 6d 76 6f  19 8e f3 13 77 49 59 73  |'L|&.mvo....wIYs|
-00000030  4e 98 3e                                          |N.>|
+00000000  14 03 03 00 01 01 16 03  03 00 28 9c e9 30 06 da  |..........(..0..|
+00000010  ef 89 4a 77 db 17 d4 51  79 36 c1 97 45 8a b0 c9  |..Jw...Qy6..E...|
+00000020  b7 d4 69 8d fc f2 5e 1a  c8 e3 43 6c 7a b4 0a 40  |..i...^...Clz..@|
+00000030  ec 35 c9                                          |.5.|
 >>> Flow 5 (client to server)
-00000000  17 03 03 00 1e 00 00 00  00 00 00 00 01 99 7b 4c  |..............{L|
-00000010  1d 0a b1 89 0d ac fa a7  39 eb 9a ff 8f 06 60 d1  |........9.....`.|
-00000020  88 e8 ef 15 03 03 00 1a  00 00 00 00 00 00 00 02  |................|
-00000030  99 42 7f c8 35 79 f3 a0  10 5c 05 25 c1 ac ab aa  |.B..5y...\.%....|
-00000040  d5 9e                                             |..|
+00000000  17 03 03 00 1e 00 00 00  00 00 00 00 01 f2 3b 7e  |..............;~|
+00000010  59 d0 c1 2f 93 f8 8a 48  8d e6 f4 54 70 63 4a 2d  |Y../...H...TpcJ-|
+00000020  90 5d 9b 15 03 03 00 1a  00 00 00 00 00 00 00 02  |.]..............|
+00000030  42 1f 5c b2 d3 14 4d 6e  30 85 59 89 5a 34 80 00  |B.\...Mn0.Y.Z4..|
+00000040  fe ab                                             |..|