authorPaul Selkirk <paul@psgd.org>2020-02-18 19:36:58 -0500
committerPaul Selkirk <paul@psgd.org>2020-02-18 20:23:51 -0500
commiteda207f0a3d571a774039d772bff40131ff218d6 (patch)
tree311f689d48e6ca7d2335df0245d946d02e697d88 /rpc_pkey.c
parentddbbfa19b7c4503b44ebe5fa6437cfa11e3b1c5f (diff)
timing tests for RSA signingmodexpng
Diffstat (limited to 'rpc_pkey.c')
-rw-r--r--rpc_pkey.c68
1 files changed, 58 insertions, 10 deletions
diff --git a/rpc_pkey.c b/rpc_pkey.c
index b44eb54..630bf93 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -3,8 +3,10 @@
* ----------
* Remote procedure call server-side public key implementation.
*
- * Authors: Rob Austein
- * Copyright (c) 2015, NORDUnet A/S All rights reserved.
+ * Authors: Rob Austein, Paul Selkirk
+ * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved.
+ * Copyright: 2019-2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -16,9 +18,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -47,6 +49,13 @@
static hal_pkey_slot_t pkey_slot[HAL_STATIC_PKEY_STATE_BLOCKS];
#endif
+#ifdef DO_TIMING
+#include "stm-dwt.h"
+#else
+#define DWT_start(x)
+#define DWT_stop(x)
+#endif
+
/*
* Handle allocation is simple: look for an unused (HAL_HANDLE_NONE)
* slot in the table, and, assuming we find one, construct a composite
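Review bot: The no-op fallbacks `#define DWT_start(x)` and `#define DWT_stop(x)` expand to nothing, so every call site in a normal build becomes a bare `;` and would draw empty-body warnings if one ever ends up as the sole body of an unbraced `if`; `#define DWT_start(x) ((void)0)` and `#define DWT_stop(x) ((void)0)` keep them statement-shaped. Because these counters bracket private-key operations further down the file, I would also add a one-line comment above `#ifdef DO_TIMING` stating that it is a bench-only option and is expected to be off in release firmware. How stm-dwt.h stores or reports the cycle counts is not visible here, so that part should be confirmed against the header.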
@@ -445,6 +454,9 @@ static hal_error_t pkey_local_generate_rsa(const hal_client_handle_t client,
uint8_t der[hal_rsa_private_key_to_der_len(key)];
size_t der_len;
+#if 0
+ printf("pkey_local_generate_rsa: key_len = %u, der_len = %u\n", key_length, sizeof(der));
+#endif
if ((err = hal_rsa_private_key_to_der(key, der, &der_len, sizeof(der))) == HAL_OK)
err = hal_ks_store(ks_from_flags(flags), slot, der, der_len);
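Review bot: The disabled debug line passes `sizeof(der)`, a `size_t`, to a `%u` conversion, which becomes a format/argument mismatch as soon as the `#if 0` is flipped; use `%zu`, or `(unsigned)sizeof(der)` if the target's printf lacks `%zu`. The same mismatch is in the `#if 0` lines added to pkey_local_generate_ec, pkey_local_generate_hashsig and pkey_local_sign_rsa. The types of `key_length`, `curve` and the hashsig parameters are declared outside these hunks, so their `%u` conversions should be checked as well. If these traces are meant to stay, a named debug macro is easier to audit and to keep out of release builds than scattered `#if 0` blocks.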
@@ -503,6 +515,9 @@ static hal_error_t pkey_local_generate_ec(const hal_client_handle_t client,
uint8_t der[hal_ecdsa_private_key_to_der_len(key)];
size_t der_len;
+#if 0
+ printf("pkey_local_generate_ec: curve = %u, der_len = %u\n", curve, sizeof(der));
+#endif
if ((err = hal_ecdsa_private_key_to_der(key, der, &der_len, sizeof(der))) == HAL_OK)
err = hal_ks_store(ks_from_flags(flags), slot, der, der_len);
@@ -562,6 +577,9 @@ static hal_error_t pkey_local_generate_hashsig(const hal_client_handle_t client,
uint8_t der[hal_hashsig_private_key_to_der_len(key)];
size_t der_len;
+#if 0
+ printf("pkey_local_generate_hashsig: hss = %u, lms = %u, lmots = %u, der_len = %u\n", hss_levels, lms_type, lmots_type, sizeof(der));
+#endif
if ((err = hal_hashsig_private_key_to_der(key, der, &der_len, sizeof(der))) == HAL_OK)
err = hal_ks_store(ks_from_flags(flags), slot, der, der_len);
@@ -798,7 +816,10 @@ static hal_error_t pkey_local_sign_rsa(hal_pkey_slot_t *slot,
hal_assert(signature != NULL && signature_len != NULL);
hal_assert((hash.handle == HAL_HANDLE_NONE) != (input == NULL || input_len == 0));
- if ((err = hal_rsa_private_key_from_der(&key, keybuf, keybuf_len, der, der_len)) != HAL_OK ||
+ DWT_start(DWT_hal_rsa_private_key_from_der);
+ err = hal_rsa_private_key_from_der(&key, keybuf, keybuf_len, der, der_len);
+ DWT_stop(DWT_hal_rsa_private_key_from_der);
+ if (err != HAL_OK ||
(err = hal_rsa_key_get_modulus(key, NULL, signature_len, 0)) != HAL_OK)
return err;
@@ -811,15 +832,30 @@ static hal_error_t pkey_local_sign_rsa(hal_pkey_slot_t *slot,
input = signature;
}
- if ((err = pkcs1_5_pad(input, input_len, signature, *signature_len, 0x01)) != HAL_OK ||
- (err = hal_rsa_decrypt(NULL, NULL, key, signature, *signature_len, signature, *signature_len)) != HAL_OK)
+ if ((err = pkcs1_5_pad(input, input_len, signature, *signature_len, 0x01)) != HAL_OK)
+ return err;
+ DWT_start(DWT_hal_rsa_decrypt);
+ err = hal_rsa_decrypt(NULL, NULL, key, signature, *signature_len, signature, *signature_len);
+ DWT_stop(DWT_hal_rsa_decrypt);
+ if (err != HAL_OK)
return err;
if (hal_rsa_key_needs_saving(key)) {
uint8_t pkcs8[hal_rsa_private_key_to_der_extra_len(key)];
size_t pkcs8_len = 0;
+#if 0
+ printf("pkey_local_sign_rsa: der_len = %u\n", sizeof(pkcs8));
+#endif
if ((err = hal_rsa_private_key_to_der_extra(key, pkcs8, &pkcs8_len, sizeof(pkcs8))) == HAL_OK)
err = hal_ks_rewrite_der(ks_from_flags(slot->flags), slot, pkcs8, pkcs8_len);
+#if 0
+ size_t i;
+ for (i = 0; i < sizeof(pkcs8); ++i) {
+ printf("%02x%c", pkcs8[i], (i & 0x0f) == 0x0f ? '\n' : ' ');
+ }
+ if (i & 0x0f)
+ printf("\n");
+#endif
memset(pkcs8, 0, sizeof(pkcs8));
if (err != HAL_OK)
return err;
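Review bot: The second `#if 0` block in the `hal_rsa_key_needs_saving` branch hex-dumps `pkcs8`, the private-key DER that the following `memset(pkcs8, 0, sizeof(pkcs8))` exists to erase, so enabling it writes key material to whatever `printf` is attached to. I would drop the dump from the committed code; if it has to stay for bring-up, put it behind a dedicated, clearly named macro rather than a bare `#if 0`. It also loops to `sizeof(pkcs8)` instead of `pkcs8_len` and is not conditioned on `err == HAL_OK`, so it would print bytes past the encoded length and run even when `hal_rsa_private_key_to_der_extra` failed. The body of pkey_local_sign_rsa starts and ends outside this hunk.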
@@ -951,9 +987,15 @@ static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey,
size_t der_len;
hal_error_t err;
- if ((err = ks_fetch_from_flags(slot, der, &der_len, sizeof(der))) == HAL_OK)
+ DWT_start(DWT_hal_ks_fetch);
+ err = ks_fetch_from_flags(slot, der, &der_len, sizeof(der));
+ DWT_stop(DWT_hal_ks_fetch);
+ if (err == HAL_OK) {
+ DWT_start(DWT_pkey_local_sign_rsa);
err = signer(slot, keybuf, sizeof(keybuf), der, der_len, hash, input, input_len,
signature, signature_len, signature_max);
+ DWT_stop(DWT_pkey_local_sign_rsa);
+ }
memset(keybuf, 0, sizeof(keybuf));
memset(der, 0, sizeof(der));
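Review bot: `DWT_start(DWT_pkey_local_sign_rsa)` wraps the call through `signer`, which in `pkey_local_sign` appears to be a per-key-type callback chosen outside this hunk, so in a DO_TIMING build ECDSA or hashsig signatures would be counted under the RSA label. Either give the counter a key-type-neutral name or move the start/stop pair into `pkey_local_sign_rsa`, so the figure measures only what its name says. A short comment next to the pair saying which path is being timed would also help, since the commit title limits the intent to RSA signing.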
@@ -1225,6 +1267,7 @@ static hal_error_t pkey_local_match(const hal_client_handle_t client,
case MATCH_STATE_START:
prev = uuid_zero;
++*state;
+ /* fall through */
case MATCH_STATE_TOKEN:
if (((mask & HAL_KEY_FLAG_TOKEN) == 0 || (mask & flags & HAL_KEY_FLAG_TOKEN) != 0) &&
@@ -1236,6 +1279,7 @@ static hal_error_t pkey_local_match(const hal_client_handle_t client,
return HAL_OK;
prev = uuid_zero;
++*state;
+ /* fall through */
case MATCH_STATE_VOLATILE:
if (((mask & HAL_KEY_FLAG_TOKEN) == 0 || (mask & flags & HAL_KEY_FLAG_TOKEN) == 0) &&
@@ -1246,6 +1290,7 @@ static hal_error_t pkey_local_match(const hal_client_handle_t client,
if (*result_len == result_max)
return HAL_OK;
++*state;
+ /* fall through */
case MATCH_STATE_DONE:
return HAL_OK;
@@ -1431,7 +1476,10 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
goto fail;
}
- if ((err = hal_rsa_decrypt(NULL, NULL, rsa, data, data_len, der, data_len)) != HAL_OK)
+ DWT_start(DWT_hal_rsa_decrypt);
+ err = hal_rsa_decrypt(NULL, NULL, rsa, data, data_len, der, data_len);
+ DWT_stop(DWT_hal_rsa_decrypt);
+ if (err != HAL_OK)
goto fail;
if ((err = hal_get_random(NULL, kek, sizeof(kek))) != HAL_OK)
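Review bot: The RSA unwrap in `pkey_local_import` is timed under the same `DWT_hal_rsa_decrypt` id as the signing-path decrypt in `pkey_local_sign_rsa`, so a DO_TIMING run that mixes imports and signatures blends two different workloads into one counter. How stm-dwt.h aggregates per-id samples is not visible here, but a separate id for the import path, or leaving import uninstrumented, would keep the signing figures clean. The body of pkey_local_import starts and ends outside this hunk.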