author | Robert Sloan <varomodt@google.com> | 2018-02-05 09:07:34 -0800 |
committer | Robert Sloan <varomodt@google.com> | 2018-02-05 09:07:39 -0800 |
commit | 8542c08a00c332af2ebca2a0c64b8d4d5fbd4cd2 (patch) | |
tree | 65345a0acda3104c65b39662f207fbc9239e9ad5 /src/third_party | |
parent | 309a31e32558286a3b92c754bd3051b962527c25 (diff) | |
download | boringssl-8542c08a00c332af2ebca2a0c64b8d4d5fbd4cd2.tar.gz |
external/boringssl: Sync to 45210dd4e21ace9d28cb76b3f83303fcdd2efcce.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/a62dbf88d8a3c04446db833a1eb80a620cb1514d..45210dd4e21ace9d28cb76b3f83303fcdd2efcce
Test: BoringSSL CTS Presubmits.
Change-Id: I2f3cc22fb906078f64bc2af020fa14c3d0875c81
Diffstat (limited to 'src/third_party')
-rw-r--r-- | src/third_party/fiat/curve25519.c | 65 | ||||
-rw-r--r-- | src/third_party/fiat/internal.h | 9 |
2 files changed, 26 insertions, 48 deletions
diff --git a/src/third_party/fiat/curve25519.c b/src/third_party/fiat/curve25519.c
index dfa4a392..ecf00e53 100644
--- a/src/third_party/fiat/curve25519.c
+++ b/src/third_party/fiat/curve25519.c
@@ -512,8 +512,6 @@ static void fe_sq_tt(fe *h, const fe *f) {
   fe_sqr_impl(h->v, f->v);
 }
 
-#if !defined(BORINGSSL_X25519_X86_64)
-
 // Replace (f,g) with (g,f) if b == 1;
 // replace (f,g) with (f,g) if b == 0.
 //
@@ -589,8 +587,6 @@ static void fe_mul121666(fe *h, const fe_loose *f) {
   assert_fe(h->v);
 }
 
-#endif // !BORINGSSL_X25519_X86_64
-
 // Adapted from Fiat-synthesized |fe_sub_impl| with |out| = 0.
 static void fe_neg_impl(uint64_t out[5], const uint64_t in2[5]) {
   { const uint64_t x10 = 0;
@@ -1201,8 +1197,6 @@ static void fe_sq_tt(fe *h, const fe *f) {
   fe_sqr_impl(h->v, f->v);
 }
 
-#if !defined(BORINGSSL_X25519_X86_64)
-
 // Replace (f,g) with (g,f) if b == 1;
 // replace (f,g) with (f,g) if b == 0.
 //
@@ -1342,8 +1336,6 @@ static void fe_mul121666(fe *h, const fe_loose *f) {
   assert_fe(h->v);
 }
 
-#endif // !BORINGSSL_X25519_X86_64
-
 // Adapted from Fiat-synthesized |fe_sub_impl| with |out| = 0.
 static void fe_neg_impl(uint32_t out[10], const uint32_t in2[10]) {
   { const uint32_t x20 = 0;
@@ -3022,8 +3014,31 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
   OPENSSL_memcpy(pkcopy, public_key, 32);
   uint8_t rcopy[32];
   OPENSSL_memcpy(rcopy, signature, 32);
-  uint8_t scopy[32];
-  OPENSSL_memcpy(scopy, signature + 32, 32);
+  union {
+    uint64_t u64[4];
+    uint8_t u8[32];
+  } scopy;
+  OPENSSL_memcpy(&scopy.u8[0], signature + 32, 32);
+
+  // https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that s be in
+  // the range [0, order) in order to prevent signature malleability.
+
+  // kOrder is the order of Curve25519 in little-endian form.
+  static const uint64_t kOrder[4] = {
+      UINT64_C(0x5812631a5cf5d3ed),
+      UINT64_C(0x14def9dea2f79cd6),
+      0,
+      UINT64_C(0x1000000000000000),
+  };
+  for (size_t i = 3;; i--) {
+    if (scopy.u64[i] > kOrder[i]) {
+      return 0;
+    } else if (scopy.u64[i] < kOrder[i]) {
+      break;
+    } else if (i == 0) {
+      return 0;
+    }
+  }
 
   SHA512_CTX hash_ctx;
   SHA512_Init(&hash_ctx);
@@ -3036,7 +3051,7 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
   x25519_sc_reduce(h);
 
   ge_p2 R;
-  ge_double_scalarmult_vartime(&R, h, &A, scopy);
+  ge_double_scalarmult_vartime(&R, h, &A, scopy.u8);
 
   uint8_t rcheck[32];
   x25519_ge_tobytes(rcheck, &R);
@@ -3063,15 +3078,6 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[32],
 }
 
 
-#if defined(BORINGSSL_X25519_X86_64)
-
-static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
-                               const uint8_t point[32]) {
-  x25519_x86_64(out, scalar, point);
-}
-
-#else
-
 static void x25519_scalar_mult_generic(uint8_t out[32],
                                        const uint8_t scalar[32],
                                        const uint8_t point[32]) {
@@ -3166,9 +3172,6 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
   x25519_scalar_mult_generic(out, scalar, point);
 }
 
-#endif // BORINGSSL_X25519_X86_64
-
-
 void X25519_keypair(uint8_t out_public_value[32],
                     uint8_t out_private_key[32]) {
   RAND_bytes(out_private_key, 32);
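Review bot: The new range check on s in ED25519_verify reads `scopy.u64[i]` out of a union that was filled byte-wise from the signature, so the 64-bit limbs equal the numeric value that `kOrder`'s little-endian limb table encodes only on a little-endian host; on a big-endian target each limb is compared byte-swapped, which can reject valid signatures or let an s >= order through and so defeats the RFC 8032 section 5.1.7 malleability check the comment cites. I would keep `scopy` as a plain `uint8_t scopy[32]` (so the later `ge_double_scalarmult_vartime(&R, h, &A, scopy)` call needs no `.u8`) and assemble each limb with an explicit little-endian load instead of type-punning; if crypto/internal.h already provides a little-endian 64-bit load helper, prefer it over the hand-rolled loop below. The comparison logic itself is sound: it walks from the most significant limb, breaks on the first strictly-smaller limb, and rejects equality at `i == 0`, and its variable-time behaviour on s is acceptable because s is public signature data and verification already uses a vartime scalar multiplication. ED25519_verify begins before and ends after this hunk.
```c
  uint8_t scopy[32];
  OPENSSL_memcpy(scopy, signature + 32, 32);
  // … unchanged: RFC 8032 comment and kOrder table …
  for (size_t i = 3;; i--) {
    // Assemble limb i of s as a little-endian 64-bit word so the comparison
    // against kOrder does not depend on host byte order.
    uint64_t word = 0;
    for (size_t j = 0; j < 8; j++) {
      word |= (uint64_t)scopy[i * 8 + j] << (8 * j);
    }
    if (word > kOrder[i]) {
      return 0;
    } else if (word < kOrder[i]) {
      break;
    } else if (i == 0) {
      return 0;
    }
  }
  // … unchanged: SHA-512 hash computation …
```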
@@ -3200,20 +3203,6 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
   return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
 }
 
-#if defined(BORINGSSL_X25519_X86_64)
-
-// When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
-// the Montgomery ladder because it's faster. Otherwise it's done using the
-// Ed25519 tables.
-
-void X25519_public_from_private(uint8_t out_public_value[32],
-                                const uint8_t private_key[32]) {
-  static const uint8_t kMongomeryBasePoint[32] = {9};
-  x25519_scalar_mult(out_public_value, private_key, kMongomeryBasePoint);
-}
-
-#else
-
 void X25519_public_from_private(uint8_t out_public_value[32],
                                 const uint8_t private_key[32]) {
 #if defined(BORINGSSL_X25519_NEON)
@@ -3243,5 +3232,3 @@ void X25519_public_from_private(uint8_t out_public_value[32],
   fe_mul_tlt(&zminusy_inv, &zplusy, &zminusy_inv);
   fe_tobytes(out_public_value, &zminusy_inv);
 }
-
-#endif // BORINGSSL_X25519_X86_64
diff --git a/src/third_party/fiat/internal.h b/src/third_party/fiat/internal.h
index c5dcc047..be3e265a 100644
--- a/src/third_party/fiat/internal.h
+++ b/src/third_party/fiat/internal.h
@@ -32,15 +32,6 @@ extern "C" {
 #include "../../crypto/internal.h"
 
 
-#if defined(OPENSSL_X86_64) && !defined(OPENSSL_SMALL) && \
-    !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_NO_ASM)
-#define BORINGSSL_X25519_X86_64
-
-void x25519_x86_64(uint8_t out[32], const uint8_t scalar[32],
-                   const uint8_t point[32]);
-#endif
-
-
 #if defined(OPENSSL_ARM) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_APPLE)
 #define BORINGSSL_X25519_NEON
|