authorRobert Sloan <varomodt@google.com>2018-11-26 12:19:07 -0800
committerRob Sloan <varomodt@google.com>2018-11-26 23:57:37 +0000
commitc9abfe422b3e387555f922dfcc280299b6e92975 (patch)
treed14d7f9ab8183be8607f208257356c192b4773a0 /src/third_party
parenta51059f202525842fc0d628a408ad5a5e33a54e7 (diff)
downloadboringssl-c9abfe422b3e387555f922dfcc280299b6e92975.tar.gz
external/boringssl: Sync to 9113e0996fd445ce187ae9dfeabfc95805b947a2.android-n-iot-release-ihome-igv1nougat-iot-release
This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/fa3aadcd40ec4fd27a6e9492ef099b3dcc6eb2af..9113e0996fd445ce187ae9dfeabfc95805b947a2 Test: atest CtsLibcoreTestCases Change-Id: I31ed8a7c9481e7b42f0454f0ee64c26e17a85d52
Diffstat (limited to 'src/third_party')
-rw-r--r--src/third_party/fiat/curve25519.c4
-rw-r--r--src/third_party/fiat/p256.c53
2 files changed, 52 insertions, 5 deletions
diff --git a/src/third_party/fiat/curve25519.c b/src/third_party/fiat/curve25519.c
index 58a5ed04..15623c64 100644
--- a/src/third_party/fiat/curve25519.c
+++ b/src/third_party/fiat/curve25519.c
@@ -1396,8 +1396,8 @@ static void fe_copy(fe *h, const fe *f) {
}
static void fe_copy_lt(fe_loose *h, const fe *f) {
- OPENSSL_COMPILE_ASSERT(sizeof(fe_loose) == sizeof(fe),
- fe_and_fe_loose_mismatch);
+ OPENSSL_STATIC_ASSERT(sizeof(fe_loose) == sizeof(fe),
+ "fe and fe_loose mismatch");
OPENSSL_memmove(h, f, sizeof(fe));
}
#if !defined(OPENSSL_SMALL)
diff --git a/src/third_party/fiat/p256.c b/src/third_party/fiat/p256.c
index c8e42a31..414b7e0c 100644
--- a/src/third_party/fiat/p256.c
+++ b/src/third_party/fiat/p256.c
@@ -35,6 +35,7 @@
#include <openssl/mem.h>
#include <openssl/type_check.h>
+#include <assert.h>
#include <string.h>
#include "../../crypto/fipsmodule/delocate.h"
@@ -902,9 +903,9 @@ static void fe_from_generic(fe out, const EC_FELEM *in) {
static void fe_to_generic(EC_FELEM *out, const fe in) {
// This works because 256 is a multiple of 64, so there are no excess bytes to
// zero when rounding up to |BN_ULONG|s.
- OPENSSL_COMPILE_ASSERT(
+ OPENSSL_STATIC_ASSERT(
256 / 8 == sizeof(BN_ULONG) * ((256 + BN_BITS2 - 1) / BN_BITS2),
- bytes_left_over);
+ "fe_tobytes leaves bytes uninitialized");
fe_tobytes(out->bytes, in);
}
@@ -1807,6 +1808,52 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
fe_to_generic(&r->Z, ret[2]);
}
+static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
+ const EC_RAW_POINT *p,
+ const EC_SCALAR *r) {
+ if (ec_GFp_simple_is_at_infinity(group, p)) {
+ return 0;
+ }
+
+ // We wish to compare X/Z^2 with r. This is equivalent to comparing X with
+ // r*Z^2. Note that X and Z are represented in Montgomery form, while r is
+ // not.
+ fe Z2_mont;
+ fe_from_generic(Z2_mont, &p->Z);
+ fe_mul(Z2_mont, Z2_mont, Z2_mont);
+
+ fe r_Z2;
+ fe_frombytes(r_Z2, r->bytes); // r < order < p, so this is valid.
+ fe_mul(r_Z2, r_Z2, Z2_mont);
+
+ fe X;
+ fe_from_generic(X, &p->X);
+ fe_from_montgomery(X);
+
+ if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
+ return 1;
+ }
+
+ // During signing the x coefficient is reduced modulo the group order.
+ // Therefore there is a small possibility, less than 1/2^128, that group_order
+ // < p.x < P. in that case we need not only to compare against |r| but also to
+ // compare against r+group_order.
+ assert(group->field.width == group->order.width);
+ if (bn_less_than_words(r->words, group->field_minus_order.words,
+ group->field.width)) {
+ // We can ignore the carry because: r + group_order < p < 2^256.
+ EC_FELEM tmp;
+ bn_add_words(tmp.words, r->words, group->order.d, group->order.width);
+ fe_from_generic(r_Z2, &tmp);
+ fe_mul(r_Z2, r_Z2, Z2_mont);
+ if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
out->group_init = ec_GFp_mont_group_init;
out->group_finish = ec_GFp_mont_group_finish;
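Review bot: The new ec_GFp_nistp256_cmp_x_coordinate carries no header comment stating its contract, and its timing is input-dependent — the two `OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2))` calls (a plain memcmp wrapper, as far as I know) plus the early `return 1` after the first — so it should say explicitly that it is variable-time and must only be reached with public inputs, which I assume holds because the method slot it fills is the ECDSA verification comparison. The comparison also works on the limb encoding rather than on field elements, so equality is only meaningful if fe_mul and fe_from_montgomery always yield the unique fully-reduced representation; that invariant is what makes the memcmp correct and deserves stating next to it. A comment such as `// Returns one if the x-coordinate of |p|, reduced modulo the group order, equals |r|, and zero otherwise. Variable-time: |p| and |r| must be public (ECDSA verification). The memcmp calls below assume |fe| values are always fully reduced.` above the definition would cover both. The `assert(group->field.width == group->order.width)` is compiled out in release builds, but since field and order are both 256 bits here that is a documentation point rather than a functional one.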
@@ -1823,7 +1870,7 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
out->felem_to_bignum = ec_GFp_mont_felem_to_bignum;
out->scalar_inv_montgomery = ec_simple_scalar_inv_montgomery;
out->scalar_inv_montgomery_vartime = ec_GFp_simple_mont_inv_mod_ord_vartime;
- out->cmp_x_coordinate = ec_GFp_simple_cmp_x_coordinate;
+ out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate;
};
#undef BORINGSSL_NISTP256_64BIT