author | Robert Sloan <varomodt@google.com> | 2018-11-26 12:19:07 -0800 |
---|---|---|
committer | Rob Sloan <varomodt@google.com> | 2018-11-26 23:57:37 +0000 |
commit | c9abfe422b3e387555f922dfcc280299b6e92975 (patch) | |
tree | d14d7f9ab8183be8607f208257356c192b4773a0 /src/third_party | |
parent | a51059f202525842fc0d628a408ad5a5e33a54e7 (diff) | |
download | boringssl-c9abfe422b3e387555f922dfcc280299b6e92975.tar.gz |
external/boringssl: Sync to 9113e0996fd445ce187ae9dfeabfc95805b947a2.android-n-iot-release-ihome-igv1nougat-iot-release
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/fa3aadcd40ec4fd27a6e9492ef099b3dcc6eb2af..9113e0996fd445ce187ae9dfeabfc95805b947a2
Test: atest CtsLibcoreTestCases
Change-Id: I31ed8a7c9481e7b42f0454f0ee64c26e17a85d52
Diffstat (limited to 'src/third_party')
-rw-r--r-- | src/third_party/fiat/curve25519.c | 4 | ||||
-rw-r--r-- | src/third_party/fiat/p256.c | 53 |
2 files changed, 52 insertions, 5 deletions
diff --git a/src/third_party/fiat/curve25519.c b/src/third_party/fiat/curve25519.c
index 58a5ed04..15623c64 100644
--- a/src/third_party/fiat/curve25519.c
+++ b/src/third_party/fiat/curve25519.c
@@ -1396,8 +1396,8 @@ static void fe_copy(fe *h, const fe *f) {
 }
 static void fe_copy_lt(fe_loose *h, const fe *f) {
- OPENSSL_COMPILE_ASSERT(sizeof(fe_loose) == sizeof(fe),
- fe_and_fe_loose_mismatch);
+ OPENSSL_STATIC_ASSERT(sizeof(fe_loose) == sizeof(fe),
+ "fe and fe_loose mismatch");
 OPENSSL_memmove(h, f, sizeof(fe));
 }
 #if !defined(OPENSSL_SMALL)
diff --git a/src/third_party/fiat/p256.c b/src/third_party/fiat/p256.c
index c8e42a31..414b7e0c 100644
--- a/src/third_party/fiat/p256.c
+++ b/src/third_party/fiat/p256.c
@@ -35,6 +35,7 @@
 #include <openssl/mem.h>
 #include <openssl/type_check.h>
+#include <assert.h>
 #include <string.h>
 #include "../../crypto/fipsmodule/delocate.h"
@@ -902,9 +903,9 @@ static void fe_from_generic(fe out, const EC_FELEM *in) {
 static void fe_to_generic(EC_FELEM *out, const fe in) {
 // This works because 256 is a multiple of 64, so there are no excess bytes to
 // zero when rounding up to |BN_ULONG|s.
- OPENSSL_COMPILE_ASSERT(
+ OPENSSL_STATIC_ASSERT(
 256 / 8 == sizeof(BN_ULONG) * ((256 + BN_BITS2 - 1) / BN_BITS2),
- bytes_left_over);
+ "fe_tobytes leaves bytes uninitialized");
 fe_tobytes(out->bytes, in);
 }
@@ -1807,6 +1808,52 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
 fe_to_generic(&r->Z, ret[2]);
 }
+static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
+ const EC_RAW_POINT *p,
+ const EC_SCALAR *r) {
+ if (ec_GFp_simple_is_at_infinity(group, p)) {
+ return 0;
+ }
+
+ // We wish to compare X/Z^2 with r. This is equivalent to comparing X with
+ // r*Z^2. Note that X and Z are represented in Montgomery form, while r is
+ // not.
+ fe Z2_mont;
+ fe_from_generic(Z2_mont, &p->Z);
+ fe_mul(Z2_mont, Z2_mont, Z2_mont);
+
+ fe r_Z2;
+ fe_frombytes(r_Z2, r->bytes); // r < order < p, so this is valid.
+ fe_mul(r_Z2, r_Z2, Z2_mont);
+
+ fe X;
+ fe_from_generic(X, &p->X);
+ fe_from_montgomery(X);
+
+ if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
+ return 1;
+ }
+
+ // During signing the x coefficient is reduced modulo the group order.
+ // Therefore there is a small possibility, less than 1/2^128, that group_order
+ // < p.x < P. in that case we need not only to compare against |r| but also to
+ // compare against r+group_order.
+ assert(group->field.width == group->order.width);
+ if (bn_less_than_words(r->words, group->field_minus_order.words,
+ group->field.width)) {
+ // We can ignore the carry because: r + group_order < p < 2^256.
+ EC_FELEM tmp;
+ bn_add_words(tmp.words, r->words, group->order.d, group->order.width);
+ fe_from_generic(r_Z2, &tmp);
+ fe_mul(r_Z2, r_Z2, Z2_mont);
+ if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
 out->group_init = ec_GFp_mont_group_init;
 out->group_finish = ec_GFp_mont_group_finish;
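Review bot: ec_GFp_nistp256_cmp_x_coordinate carries no comment stating its contract, and nothing says why the two OPENSSL_memcmp calls on field elements are acceptable in a file whose field arithmetic is otherwise constant-time. Both comparisons act on the affine x-coordinate of |p| and on |r|, which are presumably public ECDSA-verification inputs, so the code is correct only under that assumption and the function header should pin it. I would add above the definition: `// Returns one if the affine x-coordinate of |p|, reduced modulo the group order, equals |r|, and zero otherwise. Inputs are public: the comparisons are variable-time.` The first block's Montgomery bookkeeping also deserves a line, since correctness rests on it: if fe_mul is a Montgomery multiplication as the existing comment implies, Z2_mont holds Z^2*R and multiplying the plain r by it yields r*Z^2 in plain form, matching X after fe_from_montgomery. Comparing limbs with memcmp additionally assumes fe_mul and fe_from_montgomery return fully reduced (canonical) values; that precondition is not stated in the hunk and should be noted where the comparison is made.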
@@ -1823,7 +1870,7 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
 out->felem_to_bignum = ec_GFp_mont_felem_to_bignum;
 out->scalar_inv_montgomery = ec_simple_scalar_inv_montgomery;
 out->scalar_inv_montgomery_vartime = ec_GFp_simple_mont_inv_mod_ord_vartime;
- out->cmp_x_coordinate = ec_GFp_simple_cmp_x_coordinate;
+ out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate;
 };
 #undef BORINGSSL_NISTP256_64BIT |